From db67c87db3c9089ea8d2e14f617bf3d9e2af261f Mon Sep 17 00:00:00 2001
From: Rene Mayrhofer <rene@mayrhofer.eu.org>
Date: Wed, 9 Jul 2008 21:02:41 +0000
Subject: [svn-upgrade] Integrating new upstream version, strongswan (4.2.4)

---
 src/libstrongswan/plugins/aes/Makefile.am          |   10 +
 src/libstrongswan/plugins/aes/Makefile.in          |  494 ++++++
 src/libstrongswan/plugins/aes/aes_crypter.c        | 1580 ++++++++++++++++++++
 src/libstrongswan/plugins/aes/aes_crypter.h        |   50 +
 src/libstrongswan/plugins/aes/aes_plugin.c         |   60 +
 src/libstrongswan/plugins/aes/aes_plugin.h         |   47 +
 src/libstrongswan/plugins/curl/Makefile.am         |   11 +
 src/libstrongswan/plugins/curl/Makefile.in         |  495 ++++++
 src/libstrongswan/plugins/curl/curl_fetcher.c      |  176 +++
 src/libstrongswan/plugins/curl/curl_fetcher.h      |   47 +
 src/libstrongswan/plugins/curl/curl_plugin.c       |   79 +
 src/libstrongswan/plugins/curl/curl_plugin.h       |   47 +
 src/libstrongswan/plugins/des/Makefile.am          |   10 +
 src/libstrongswan/plugins/des/Makefile.in          |  494 ++++++
 src/libstrongswan/plugins/des/des_crypter.c        | 1517 +++++++++++++++++++
 src/libstrongswan/plugins/des/des_crypter.h        |   49 +
 src/libstrongswan/plugins/des/des_plugin.c         |   62 +
 src/libstrongswan/plugins/des/des_plugin.h         |   47 +
 src/libstrongswan/plugins/fips_prf/Makefile.am     |   10 +
 src/libstrongswan/plugins/fips_prf/Makefile.in     |  496 ++++++
 src/libstrongswan/plugins/fips_prf/fips_prf.c      |  252 ++++
 src/libstrongswan/plugins/fips_prf/fips_prf.h      |   59 +
 .../plugins/fips_prf/fips_prf_plugin.c             |   59 +
 .../plugins/fips_prf/fips_prf_plugin.h             |   47 +
 src/libstrongswan/plugins/gmp/Makefile.am          |   15 +
 src/libstrongswan/plugins/gmp/Makefile.in          |  502 +++++++
 src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c |  567 +++++++
 src/libstrongswan/plugins/gmp/gmp_diffie_hellman.h |   49 +
 src/libstrongswan/plugins/gmp/gmp_plugin.c         |   85 ++
 src/libstrongswan/plugins/gmp/gmp_plugin.h         |   47 +
 .../plugins/gmp/gmp_rsa_private_key.c              |  842 +++++++++++
 .../plugins/gmp/gmp_rsa_private_key.h              |   48 +
 src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c |  587 ++++++++
 src/libstrongswan/plugins/gmp/gmp_rsa_public_key.h |   50 +
 src/libstrongswan/plugins/hmac/Makefile.am         |   11 +
 src/libstrongswan/plugins/hmac/Makefile.in         |  499 +++++++
 src/libstrongswan/plugins/hmac/hmac.c              |  214 +++
 src/libstrongswan/plugins/hmac/hmac.h              |   93 ++
 src/libstrongswan/plugins/hmac/hmac_plugin.c       |   84 ++
 src/libstrongswan/plugins/hmac/hmac_plugin.h       |   47 +
 src/libstrongswan/plugins/hmac/hmac_prf.c          |  137 ++
 src/libstrongswan/plugins/hmac/hmac_prf.h          |   51 +
 src/libstrongswan/plugins/hmac/hmac_signer.c       |  199 +++
 src/libstrongswan/plugins/hmac/hmac_signer.h       |   55 +
 src/libstrongswan/plugins/ldap/Makefile.am         |   11 +
 src/libstrongswan/plugins/ldap/Makefile.in         |  495 ++++++
 src/libstrongswan/plugins/ldap/ldap_fetcher.c      |  213 +++
 src/libstrongswan/plugins/ldap/ldap_fetcher.h      |   42 +
 src/libstrongswan/plugins/ldap/ldap_plugin.c       |   62 +
 src/libstrongswan/plugins/ldap/ldap_plugin.h       |   47 +
 src/libstrongswan/plugins/md5/Makefile.am          |   10 +
 src/libstrongswan/plugins/md5/Makefile.in          |  494 ++++++
 src/libstrongswan/plugins/md5/md5_hasher.c         |  392 +++++
 src/libstrongswan/plugins/md5/md5_hasher.h         |   48 +
 src/libstrongswan/plugins/md5/md5_plugin.c         |   60 +
 src/libstrongswan/plugins/md5/md5_plugin.h         |   47 +
 src/libstrongswan/plugins/mysql/Makefile.am        |   12 +
 src/libstrongswan/plugins/mysql/Makefile.in        |  497 ++++++
 src/libstrongswan/plugins/mysql/mysql_database.c   |  695 +++++++++
 src/libstrongswan/plugins/mysql/mysql_database.h   |   58 +
 src/libstrongswan/plugins/mysql/mysql_plugin.c     |   69 +
 src/libstrongswan/plugins/mysql/mysql_plugin.h     |   47 +
 src/libstrongswan/plugins/openssl/Makefile.am      |   21 +
 src/libstrongswan/plugins/openssl/Makefile.in      |  518 +++++++
 .../plugins/openssl/openssl_crypter.c              |  258 ++++
 .../plugins/openssl/openssl_crypter.h              |   51 +
 .../plugins/openssl/openssl_diffie_hellman.c       |  242 +++
 .../plugins/openssl/openssl_diffie_hellman.h       |   50 +
 .../plugins/openssl/openssl_ec_diffie_hellman.c    |  342 +++++
 .../plugins/openssl/openssl_ec_diffie_hellman.h    |   50 +
 .../plugins/openssl/openssl_ec_private_key.c       |  445 ++++++
 .../plugins/openssl/openssl_ec_private_key.h       |   49 +
 .../plugins/openssl/openssl_ec_public_key.c        |  447 ++++++
 .../plugins/openssl/openssl_ec_public_key.h        |   49 +
 src/libstrongswan/plugins/openssl/openssl_hasher.c |  185 +++
 src/libstrongswan/plugins/openssl/openssl_hasher.h |   50 +
 src/libstrongswan/plugins/openssl/openssl_plugin.c |  164 ++
 src/libstrongswan/plugins/openssl/openssl_plugin.h |   49 +
 .../plugins/openssl/openssl_rsa_private_key.c      |  422 ++++++
 .../plugins/openssl/openssl_rsa_private_key.h      |   49 +
 .../plugins/openssl/openssl_rsa_public_key.c       |  433 ++++++
 .../plugins/openssl/openssl_rsa_public_key.h       |   49 +
 src/libstrongswan/plugins/openssl/openssl_util.c   |  120 ++
 src/libstrongswan/plugins/openssl/openssl_util.h   |   70 +
 src/libstrongswan/plugins/padlock/Makefile.am      |   12 +
 src/libstrongswan/plugins/padlock/Makefile.in      |  500 +++++++
 .../plugins/padlock/padlock_aes_crypter.c          |  201 +++
 .../plugins/padlock/padlock_aes_crypter.h          |   50 +
 src/libstrongswan/plugins/padlock/padlock_plugin.c |   64 +
 src/libstrongswan/plugins/padlock/padlock_plugin.h |   47 +
 .../plugins/padlock/padlock_sha1_hasher.c          |  177 +++
 .../plugins/padlock/padlock_sha1_hasher.h          |   48 +
 src/libstrongswan/plugins/plugin.h                 |   49 +
 src/libstrongswan/plugins/plugin_loader.c          |  193 +++
 src/libstrongswan/plugins/plugin_loader.h          |   67 +
 src/libstrongswan/plugins/pubkey/Makefile.am       |   13 +
 src/libstrongswan/plugins/pubkey/Makefile.in       |  500 +++++++
 src/libstrongswan/plugins/pubkey/pubkey_cert.c     |  284 ++++
 src/libstrongswan/plugins/pubkey/pubkey_cert.h     |   51 +
 src/libstrongswan/plugins/pubkey/pubkey_plugin.c   |   65 +
 src/libstrongswan/plugins/pubkey/pubkey_plugin.h   |   47 +
 .../plugins/pubkey/pubkey_public_key.c             |  185 +++
 .../plugins/pubkey/pubkey_public_key.h             |   36 +
 src/libstrongswan/plugins/random/Makefile.am       |   11 +
 src/libstrongswan/plugins/random/Makefile.in       |  497 ++++++
 src/libstrongswan/plugins/random/random_plugin.c   |   62 +
 src/libstrongswan/plugins/random/random_plugin.h   |   47 +
 src/libstrongswan/plugins/random/random_rng.c      |  134 ++
 src/libstrongswan/plugins/random/random_rng.h      |   49 +
 src/libstrongswan/plugins/sha1/Makefile.am         |   10 +
 src/libstrongswan/plugins/sha1/Makefile.in         |  494 ++++++
 src/libstrongswan/plugins/sha1/sha1_hasher.c       |  366 +++++
 src/libstrongswan/plugins/sha1/sha1_hasher.h       |   69 +
 src/libstrongswan/plugins/sha1/sha1_plugin.c       |   64 +
 src/libstrongswan/plugins/sha1/sha1_plugin.h       |   47 +
 src/libstrongswan/plugins/sha2/Makefile.am         |   10 +
 src/libstrongswan/plugins/sha2/Makefile.in         |  494 ++++++
 src/libstrongswan/plugins/sha2/sha2_hasher.c       |  632 ++++++++
 src/libstrongswan/plugins/sha2/sha2_hasher.h       |   50 +
 src/libstrongswan/plugins/sha2/sha2_plugin.c       |   64 +
 src/libstrongswan/plugins/sha2/sha2_plugin.h       |   47 +
 src/libstrongswan/plugins/sqlite/Makefile.am       |   12 +
 src/libstrongswan/plugins/sqlite/Makefile.in       |  499 +++++++
 src/libstrongswan/plugins/sqlite/sqlite_database.c |  321 ++++
 src/libstrongswan/plugins/sqlite/sqlite_database.h |   46 +
 src/libstrongswan/plugins/sqlite/sqlite_plugin.c   |   60 +
 src/libstrongswan/plugins/sqlite/sqlite_plugin.h   |   47 +
 src/libstrongswan/plugins/x509/Makefile.am         |   16 +
 src/libstrongswan/plugins/x509/Makefile.in         |  508 +++++++
 src/libstrongswan/plugins/x509/ietf_attr_list.c    |  396 +++++
 src/libstrongswan/plugins/x509/ietf_attr_list.h    |   81 +
 src/libstrongswan/plugins/x509/x509_ac.c           | 1140 ++++++++++++++
 src/libstrongswan/plugins/x509/x509_ac.h           |   59 +
 src/libstrongswan/plugins/x509/x509_cert.c         | 1295 ++++++++++++++++
 src/libstrongswan/plugins/x509/x509_cert.h         |   49 +
 src/libstrongswan/plugins/x509/x509_crl.c          |  742 +++++++++
 src/libstrongswan/plugins/x509/x509_crl.h          |   48 +
 src/libstrongswan/plugins/x509/x509_ocsp_request.c |  612 ++++++++
 src/libstrongswan/plugins/x509/x509_ocsp_request.h |   54 +
 .../plugins/x509/x509_ocsp_response.c              |  990 ++++++++++++
 .../plugins/x509/x509_ocsp_response.h              |   47 +
 src/libstrongswan/plugins/x509/x509_plugin.c       |   80 +
 src/libstrongswan/plugins/x509/x509_plugin.h       |   47 +
 src/libstrongswan/plugins/xcbc/Makefile.am         |   11 +
 src/libstrongswan/plugins/xcbc/Makefile.in         |  499 +++++++
 src/libstrongswan/plugins/xcbc/xcbc.c              |  299 ++++
 src/libstrongswan/plugins/xcbc/xcbc.h              |   78 +
 src/libstrongswan/plugins/xcbc/xcbc_plugin.c       |   65 +
 src/libstrongswan/plugins/xcbc/xcbc_plugin.h       |   47 +
 src/libstrongswan/plugins/xcbc/xcbc_prf.c          |  131 ++
 src/libstrongswan/plugins/xcbc/xcbc_prf.h          |   50 +
 src/libstrongswan/plugins/xcbc/xcbc_signer.c       |  177 +++
 src/libstrongswan/plugins/xcbc/xcbc_signer.h       |   47 +
 153 files changed, 32081 insertions(+)
 create mode 100644 src/libstrongswan/plugins/aes/Makefile.am
 create mode 100644 src/libstrongswan/plugins/aes/Makefile.in
 create mode 100644 src/libstrongswan/plugins/aes/aes_crypter.c
 create mode 100644 src/libstrongswan/plugins/aes/aes_crypter.h
 create mode 100644 src/libstrongswan/plugins/aes/aes_plugin.c
 create mode 100644 src/libstrongswan/plugins/aes/aes_plugin.h
 create mode 100644 src/libstrongswan/plugins/curl/Makefile.am
 create mode 100644 src/libstrongswan/plugins/curl/Makefile.in
 create mode 100644 src/libstrongswan/plugins/curl/curl_fetcher.c
 create mode 100644 src/libstrongswan/plugins/curl/curl_fetcher.h
 create mode 100644 src/libstrongswan/plugins/curl/curl_plugin.c
 create mode 100644 src/libstrongswan/plugins/curl/curl_plugin.h
 create mode 100644 src/libstrongswan/plugins/des/Makefile.am
 create mode 100644 src/libstrongswan/plugins/des/Makefile.in
 create mode 100644 src/libstrongswan/plugins/des/des_crypter.c
 create mode 100644 src/libstrongswan/plugins/des/des_crypter.h
 create mode 100644 src/libstrongswan/plugins/des/des_plugin.c
 create mode 100644 src/libstrongswan/plugins/des/des_plugin.h
 create mode 100644 src/libstrongswan/plugins/fips_prf/Makefile.am
 create mode 100644 src/libstrongswan/plugins/fips_prf/Makefile.in
 create mode 100644 src/libstrongswan/plugins/fips_prf/fips_prf.c
 create mode 100644 src/libstrongswan/plugins/fips_prf/fips_prf.h
 create mode 100644 src/libstrongswan/plugins/fips_prf/fips_prf_plugin.c
 create mode 100644 src/libstrongswan/plugins/fips_prf/fips_prf_plugin.h
 create mode 100644 src/libstrongswan/plugins/gmp/Makefile.am
 create mode 100644 src/libstrongswan/plugins/gmp/Makefile.in
 create mode 100644 src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c
 create mode 100644 src/libstrongswan/plugins/gmp/gmp_diffie_hellman.h
 create mode 100644 src/libstrongswan/plugins/gmp/gmp_plugin.c
 create mode 100644 src/libstrongswan/plugins/gmp/gmp_plugin.h
 create mode 100644 src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c
 create mode 100644 src/libstrongswan/plugins/gmp/gmp_rsa_private_key.h
 create mode 100644 src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
 create mode 100644 src/libstrongswan/plugins/gmp/gmp_rsa_public_key.h
 create mode 100644 src/libstrongswan/plugins/hmac/Makefile.am
 create mode 100644 src/libstrongswan/plugins/hmac/Makefile.in
 create mode 100644 src/libstrongswan/plugins/hmac/hmac.c
 create mode 100644 src/libstrongswan/plugins/hmac/hmac.h
 create mode 100644 src/libstrongswan/plugins/hmac/hmac_plugin.c
 create mode 100644 src/libstrongswan/plugins/hmac/hmac_plugin.h
 create mode 100644 src/libstrongswan/plugins/hmac/hmac_prf.c
 create mode 100644 src/libstrongswan/plugins/hmac/hmac_prf.h
 create mode 100644 src/libstrongswan/plugins/hmac/hmac_signer.c
 create mode 100644 src/libstrongswan/plugins/hmac/hmac_signer.h
 create mode 100644 src/libstrongswan/plugins/ldap/Makefile.am
 create mode 100644 src/libstrongswan/plugins/ldap/Makefile.in
 create mode 100644 src/libstrongswan/plugins/ldap/ldap_fetcher.c
 create mode 100644 src/libstrongswan/plugins/ldap/ldap_fetcher.h
 create mode 100644 src/libstrongswan/plugins/ldap/ldap_plugin.c
 create mode 100644 src/libstrongswan/plugins/ldap/ldap_plugin.h
 create mode 100644 src/libstrongswan/plugins/md5/Makefile.am
 create mode 100644 src/libstrongswan/plugins/md5/Makefile.in
 create mode 100644 src/libstrongswan/plugins/md5/md5_hasher.c
 create mode 100644 src/libstrongswan/plugins/md5/md5_hasher.h
 create mode 100644 src/libstrongswan/plugins/md5/md5_plugin.c
 create mode 100644 src/libstrongswan/plugins/md5/md5_plugin.h
 create mode 100644 src/libstrongswan/plugins/mysql/Makefile.am
 create mode 100644 src/libstrongswan/plugins/mysql/Makefile.in
 create mode 100644 src/libstrongswan/plugins/mysql/mysql_database.c
 create mode 100644 src/libstrongswan/plugins/mysql/mysql_database.h
 create mode 100644 src/libstrongswan/plugins/mysql/mysql_plugin.c
 create mode 100644 src/libstrongswan/plugins/mysql/mysql_plugin.h
 create mode 100644 src/libstrongswan/plugins/openssl/Makefile.am
 create mode 100644 src/libstrongswan/plugins/openssl/Makefile.in
 create mode 100644 src/libstrongswan/plugins/openssl/openssl_crypter.c
 create mode 100644 src/libstrongswan/plugins/openssl/openssl_crypter.h
 create mode 100644 src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c
 create mode 100644 src/libstrongswan/plugins/openssl/openssl_diffie_hellman.h
 create mode 100644 src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
 create mode 100644 src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.h
 create mode 100644 src/libstrongswan/plugins/openssl/openssl_ec_private_key.c
 create mode 100644 src/libstrongswan/plugins/openssl/openssl_ec_private_key.h
 create mode 100644 src/libstrongswan/plugins/openssl/openssl_ec_public_key.c
 create mode 100644 src/libstrongswan/plugins/openssl/openssl_ec_public_key.h
 create mode 100644 src/libstrongswan/plugins/openssl/openssl_hasher.c
 create mode 100644 src/libstrongswan/plugins/openssl/openssl_hasher.h
 create mode 100644 src/libstrongswan/plugins/openssl/openssl_plugin.c
 create mode 100644 src/libstrongswan/plugins/openssl/openssl_plugin.h
 create mode 100644 src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
 create mode 100644 src/libstrongswan/plugins/openssl/openssl_rsa_private_key.h
 create mode 100644 src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
 create mode 100644 src/libstrongswan/plugins/openssl/openssl_rsa_public_key.h
 create mode 100644 src/libstrongswan/plugins/openssl/openssl_util.c
 create mode 100644 src/libstrongswan/plugins/openssl/openssl_util.h
 create mode 100644 src/libstrongswan/plugins/padlock/Makefile.am
 create mode 100644 src/libstrongswan/plugins/padlock/Makefile.in
 create mode 100644 src/libstrongswan/plugins/padlock/padlock_aes_crypter.c
 create mode 100644 src/libstrongswan/plugins/padlock/padlock_aes_crypter.h
 create mode 100644 src/libstrongswan/plugins/padlock/padlock_plugin.c
 create mode 100644 src/libstrongswan/plugins/padlock/padlock_plugin.h
 create mode 100644 src/libstrongswan/plugins/padlock/padlock_sha1_hasher.c
 create mode 100644 src/libstrongswan/plugins/padlock/padlock_sha1_hasher.h
 create mode 100644 src/libstrongswan/plugins/plugin.h
 create mode 100644 src/libstrongswan/plugins/plugin_loader.c
 create mode 100644 src/libstrongswan/plugins/plugin_loader.h
 create mode 100644 src/libstrongswan/plugins/pubkey/Makefile.am
 create mode 100644 src/libstrongswan/plugins/pubkey/Makefile.in
 create mode 100644 src/libstrongswan/plugins/pubkey/pubkey_cert.c
 create mode 100644 src/libstrongswan/plugins/pubkey/pubkey_cert.h
 create mode 100644 src/libstrongswan/plugins/pubkey/pubkey_plugin.c
 create mode 100644 src/libstrongswan/plugins/pubkey/pubkey_plugin.h
 create mode 100644 src/libstrongswan/plugins/pubkey/pubkey_public_key.c
 create mode 100644 src/libstrongswan/plugins/pubkey/pubkey_public_key.h
 create mode 100644 src/libstrongswan/plugins/random/Makefile.am
 create mode 100644 src/libstrongswan/plugins/random/Makefile.in
 create mode 100644 src/libstrongswan/plugins/random/random_plugin.c
 create mode 100644 src/libstrongswan/plugins/random/random_plugin.h
 create mode 100644 src/libstrongswan/plugins/random/random_rng.c
 create mode 100644 src/libstrongswan/plugins/random/random_rng.h
 create mode 100644 src/libstrongswan/plugins/sha1/Makefile.am
 create mode 100644 src/libstrongswan/plugins/sha1/Makefile.in
 create mode 100644 src/libstrongswan/plugins/sha1/sha1_hasher.c
 create mode 100644 src/libstrongswan/plugins/sha1/sha1_hasher.h
 create mode 100644 src/libstrongswan/plugins/sha1/sha1_plugin.c
 create mode 100644 src/libstrongswan/plugins/sha1/sha1_plugin.h
 create mode 100644 src/libstrongswan/plugins/sha2/Makefile.am
 create mode 100644 src/libstrongswan/plugins/sha2/Makefile.in
 create mode 100644 src/libstrongswan/plugins/sha2/sha2_hasher.c
 create mode 100644 src/libstrongswan/plugins/sha2/sha2_hasher.h
 create mode 100644 src/libstrongswan/plugins/sha2/sha2_plugin.c
 create mode 100644 src/libstrongswan/plugins/sha2/sha2_plugin.h
 create mode 100644 src/libstrongswan/plugins/sqlite/Makefile.am
 create mode 100644 src/libstrongswan/plugins/sqlite/Makefile.in
 create mode 100644 src/libstrongswan/plugins/sqlite/sqlite_database.c
 create mode 100644 src/libstrongswan/plugins/sqlite/sqlite_database.h
 create mode 100644 src/libstrongswan/plugins/sqlite/sqlite_plugin.c
 create mode 100644 src/libstrongswan/plugins/sqlite/sqlite_plugin.h
 create mode 100644 src/libstrongswan/plugins/x509/Makefile.am
 create mode 100644 src/libstrongswan/plugins/x509/Makefile.in
 create mode 100644 src/libstrongswan/plugins/x509/ietf_attr_list.c
 create mode 100644 src/libstrongswan/plugins/x509/ietf_attr_list.h
 create mode 100644 src/libstrongswan/plugins/x509/x509_ac.c
 create mode 100644 src/libstrongswan/plugins/x509/x509_ac.h
 create mode 100644 src/libstrongswan/plugins/x509/x509_cert.c
 create mode 100644 src/libstrongswan/plugins/x509/x509_cert.h
 create mode 100644 src/libstrongswan/plugins/x509/x509_crl.c
 create mode 100644 src/libstrongswan/plugins/x509/x509_crl.h
 create mode 100644 src/libstrongswan/plugins/x509/x509_ocsp_request.c
 create mode 100644 src/libstrongswan/plugins/x509/x509_ocsp_request.h
 create mode 100644 src/libstrongswan/plugins/x509/x509_ocsp_response.c
 create mode 100644 src/libstrongswan/plugins/x509/x509_ocsp_response.h
 create mode 100644 src/libstrongswan/plugins/x509/x509_plugin.c
 create mode 100644 src/libstrongswan/plugins/x509/x509_plugin.h
 create mode 100644 src/libstrongswan/plugins/xcbc/Makefile.am
 create mode 100644 src/libstrongswan/plugins/xcbc/Makefile.in
 create mode 100644 src/libstrongswan/plugins/xcbc/xcbc.c
 create mode 100644 src/libstrongswan/plugins/xcbc/xcbc.h
 create mode 100644 src/libstrongswan/plugins/xcbc/xcbc_plugin.c
 create mode 100644 src/libstrongswan/plugins/xcbc/xcbc_plugin.h
 create mode 100644 src/libstrongswan/plugins/xcbc/xcbc_prf.c
 create mode 100644 src/libstrongswan/plugins/xcbc/xcbc_prf.h
 create mode 100644 src/libstrongswan/plugins/xcbc/xcbc_signer.c
 create mode 100644 src/libstrongswan/plugins/xcbc/xcbc_signer.h

(limited to 'src/libstrongswan/plugins')

diff --git a/src/libstrongswan/plugins/aes/Makefile.am b/src/libstrongswan/plugins/aes/Makefile.am
new file mode 100644
index 000000000..e73040f27
--- /dev/null
+++ b/src/libstrongswan/plugins/aes/Makefile.am
@@ -0,0 +1,10 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = -rdynamic
+
+plugin_LTLIBRARIES = libstrongswan-aes.la
+
+libstrongswan_aes_la_SOURCES = aes_plugin.h aes_plugin.c aes_crypter.c aes_crypter.h
+libstrongswan_aes_la_LDFLAGS = -module
+
diff --git a/src/libstrongswan/plugins/aes/Makefile.in b/src/libstrongswan/plugins/aes/Makefile.in
new file mode 100644
index 000000000..ed3dfb621
--- /dev/null
+++ b/src/libstrongswan/plugins/aes/Makefile.in
@@ -0,0 +1,494 @@
+# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libstrongswan/plugins/aes
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__installdirs = "$(DESTDIR)$(plugindir)"
+pluginLTLIBRARIES_INSTALL = $(INSTALL)
+LTLIBRARIES = $(plugin_LTLIBRARIES)
+libstrongswan_aes_la_LIBADD =
+am_libstrongswan_aes_la_OBJECTS = aes_plugin.lo aes_crypter.lo
+libstrongswan_aes_la_OBJECTS = $(am_libstrongswan_aes_la_OBJECTS)
+libstrongswan_aes_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_aes_la_LDFLAGS) $(LDFLAGS) -o $@
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_aes_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_aes_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+CXXDEPMODE = @CXXDEPMODE@
+CXXFLAGS = @CXXFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DSYMUTIL = @DSYMUTIL@
+ECHO = @ECHO@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+F77 = @F77@
+FFLAGS = @FFLAGS@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
+IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LINUX_HEADERS = @LINUX_HEADERS@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+NMEDIT = @NMEDIT@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+RANLIB = @RANLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_CXX = @ac_ct_CXX@
+ac_ct_F77 = @ac_ct_F77@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+confdir = @confdir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libstrongswan_plugins = @libstrongswan_plugins@
+linuxdir = @linuxdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+resolv_conf = @resolv_conf@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+simreader = @simreader@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+AM_CFLAGS = -rdynamic
+plugin_LTLIBRARIES = libstrongswan-aes.la
+libstrongswan_aes_la_SOURCES = aes_plugin.h aes_plugin.c aes_crypter.c aes_crypter.h
+libstrongswan_aes_la_LDFLAGS = -module
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
+		&& exit 0; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/libstrongswan/plugins/aes/Makefile'; \
+	cd $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu  src/libstrongswan/plugins/aes/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    f=$(am__strip_dir) \
+	    echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(plugindir)/$$f'"; \
+	    $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(plugindir)/$$f"; \
+	  else :; fi; \
+	done
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  p=$(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$p'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$p"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-aes.la: $(libstrongswan_aes_la_OBJECTS) $(libstrongswan_aes_la_DEPENDENCIES) 
+	$(libstrongswan_aes_la_LINK) -rpath $(plugindir) $(libstrongswan_aes_la_OBJECTS) $(libstrongswan_aes_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/aes_crypter.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/aes_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	    $$tags $$unique; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$tags $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) $$here
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	    fi; \
+	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
+	mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-info: install-info-am
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
+	distclean-compile distclean-generic distclean-libtool \
+	distclean-tags distdir dvi dvi-am html html-am info info-am \
+	install install-am install-data install-data-am install-dvi \
+	install-dvi-am install-exec install-exec-am install-html \
+	install-html-am install-info install-info-am install-man \
+	install-pdf install-pdf-am install-pluginLTLIBRARIES \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libstrongswan/plugins/aes/aes_crypter.c b/src/libstrongswan/plugins/aes/aes_crypter.c
new file mode 100644
index 000000000..ce4c6da99
--- /dev/null
+++ b/src/libstrongswan/plugins/aes/aes_crypter.c
@@ -0,0 +1,1580 @@
+/*
+ * Copyright (C) 2001 Dr B. R. Gladman <brg@gladman.uk.net>
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id: aes_crypter.c 3900 2008-04-30 14:02:25Z martin $
+ */
+ 
+#include "aes_crypter.h"
+
+/*
+ * The number of key schedule words for different block and key lengths
+ * allowing for method of computation which requires the length to be a
+ * multiple of the key length. This version of AES implementation supports
+ * all three keylengths 16, 24 and 32 bytes!
+ *
+ * Nk =       4   6   8
+ *        -------------
+ * Nb = 4 |  60  60  64
+ *      6 |  96  90  96
+ *      8 | 120 120 120
+ */
+#define AES_KS_LENGTH   120
+#define AES_RC_LENGTH    29
+
+#define AES_BLOCK_SIZE 16
+
+typedef struct private_aes_crypter_t private_aes_crypter_t;
+
+/**
+ * Class implementing the AES symmetric encryption algorithm.
+ * 
+ * @ingroup crypters
+ */
+struct private_aes_crypter_t {
+	
+	/**
+	 * Public part of this class.
+	 */
+	aes_crypter_t public;
+	
+	/**
+	 * Number of words in the key input block.
+	 */
+	u_int32_t    aes_Nkey;
+	
+	/**
+	 * The number of cipher rounds.
+	 */
+	u_int32_t    aes_Nrnd;
+	
+	/**
+	* The encryption key schedule.
+	*/
+	u_int32_t    aes_e_key[AES_KS_LENGTH];
+
+	/**
+	* The decryption key schedule.
+	*/
+	u_int32_t    aes_d_key[AES_KS_LENGTH];
+	
+	/**
+	* Key size of this AES cypher object.
+	*/
+	u_int32_t    key_size;
+};
+
+
+/* ugly macro stuff */
+
+/* 1.  Define UNROLL for full loop unrolling in encryption and decryption.
+ * 2.  Define PARTIAL_UNROLL to unroll two loops in encryption and decryption.
+ * 3.  Define FIXED_TABLES for compiled rather than dynamic tables.
+ * 4.  Define FF_TABLES to use tables for field multiplies and inverses.
+ *     Do not enable this without understanding stack space requirements.
+ * 5.  Define ARRAYS to use arrays to hold the local state block. If this
+ *     is not defined, individually declared 32-bit words are used.
+ * 6.  Define FAST_VARIABLE if a high speed variable block implementation
+ *     is needed (essentially three separate fixed block size code sequences)
+ * 7.  Define either ONE_TABLE or FOUR_TABLES for a fast table driven 
+ *     version using 1 table (2 kbytes of table space) or 4 tables (8
+ *     kbytes of table space) for higher speed.
+ * 8.  Define either ONE_LR_TABLE or FOUR_LR_TABLES for a further speed 
+ *     increase by using tables for the last rounds but with more table
+ *     space (2 or 8 kbytes extra).
+ * 9.  If neither ONE_TABLE nor FOUR_TABLES is defined, a compact but 
+ *     slower version is provided.
+ * 10. If fast decryption key scheduling is needed define ONE_IM_TABLE
+ *     or FOUR_IM_TABLES for higher speed (2 or 8 kbytes extra).
+ */
+
+#define UNROLL
+//#define PARTIAL_UNROLL
+
+#define FIXED_TABLES
+//#define FF_TABLES
+//#define ARRAYS
+#define FAST_VARIABLE
+
+//#define ONE_TABLE
+#define FOUR_TABLES
+
+//#define ONE_LR_TABLE
+#define FOUR_LR_TABLES
+
+//#define ONE_IM_TABLE
+#define FOUR_IM_TABLES
+
+#if defined(UNROLL) && defined (PARTIAL_UNROLL)
+#error both UNROLL and PARTIAL_UNROLL are defined
+#endif
+
+#if defined(ONE_TABLE) && defined (FOUR_TABLES)
+#error both ONE_TABLE and FOUR_TABLES are defined
+#endif
+
+#if defined(ONE_LR_TABLE) && defined (FOUR_LR_TABLES)
+#error both ONE_LR_TABLE and FOUR_LR_TABLES are defined
+#endif
+
+#if defined(ONE_IM_TABLE) && defined (FOUR_IM_TABLES)
+#error both ONE_IM_TABLE and FOUR_IM_TABLES are defined
+#endif
+
+#if defined(AES_BLOCK_SIZE) && AES_BLOCK_SIZE != 16 && AES_BLOCK_SIZE != 24 && AES_BLOCK_SIZE != 32
+#error an illegal block size has been specified
+#endif  
+
+/**
+ * Rotates bytes within words by n positions, moving bytes 
+ * to higher index positions with wrap around into low positions.
+ */ 
+#define upr(x,n)        (((x) << 8 * (n)) | ((x) >> (32 - 8 * (n))))
+/**
+ * Moves bytes by n positions to higher index positions in 
+ * words but without wrap around.
+ */ 
+#define ups(x,n)        ((x) << 8 * (n))
+
+/**
+ * Extracts a byte from a word.
+ */
+#define bval(x,n)       ((unsigned char)((x) >> 8 * (n)))
+#define bytes2word(b0, b1, b2, b3)  \
+        ((u_int32_t)(b3) << 24 | (u_int32_t)(b2) << 16 | (u_int32_t)(b1) << 8 | (b0))
+
+
+/* little endian processor without data alignment restrictions: AES_LE_OK */
+/* original code: i386 */
+#if defined(i386) || defined(_I386) || defined(__i386__) || defined(__i386) 
+#define	AES_LE_OK 1
+/* added (tested): alpha  --jjo */
+#elif defined(__alpha__)|| defined (__alpha)
+#define AES_LE_OK 1
+/* added (tested): ia64  --jjo */
+#elif defined(__ia64__)|| defined (__ia64)
+#define AES_LE_OK 1
+#endif
+
+#ifdef AES_LE_OK
+/* little endian processor without data alignment restrictions */
+#define word_in(x)      *(u_int32_t*)(x)
+#define const_word_in(x)      *(const u_int32_t*)(x)
+#define word_out(x,v)   *(u_int32_t*)(x) = (v)
+#define const_word_out(x,v)   *(const u_int32_t*)(x) = (v)
+#else
+/* slower but generic big endian or with data alignment restrictions */
+/* some additional "const" touches to stop "gcc -Wcast-qual" complains --jjo */
+#define word_in(x)      ((u_int32_t)(((unsigned char *)(x))[0])|((u_int32_t)(((unsigned char *)(x))[1])<<8)|((u_int32_t)(((unsigned char *)(x))[2])<<16)|((u_int32_t)(((unsigned char *)(x))[3])<<24))
+#define const_word_in(x)      ((const u_int32_t)(((const unsigned char *)(x))[0])|((const u_int32_t)(((const unsigned char *)(x))[1])<<8)|((const u_int32_t)(((const unsigned char *)(x))[2])<<16)|((const u_int32_t)(((const unsigned char *)(x))[3])<<24))
+#define word_out(x,v)   ((unsigned char *)(x))[0]=(v),((unsigned char *)(x))[1]=((v)>>8),((unsigned char *)(x))[2]=((v)>>16),((unsigned char *)(x))[3]=((v)>>24)
+#define const_word_out(x,v)   ((const unsigned char *)(x))[0]=(v),((const unsigned char *)(x))[1]=((v)>>8),((const unsigned char *)(x))[2]=((v)>>16),((const unsigned char *)(x))[3]=((v)>>24)
+#endif
+
+// Disable at least some poor combinations of options
+
+#if !defined(ONE_TABLE) && !defined(FOUR_TABLES)
+#define FIXED_TABLES
+#undef  UNROLL
+#undef  ONE_LR_TABLE
+#undef  FOUR_LR_TABLES
+#undef  ONE_IM_TABLE
+#undef  FOUR_IM_TABLES
+#elif !defined(FOUR_TABLES)
+#ifdef  FOUR_LR_TABLES
+#undef  FOUR_LR_TABLES
+#define ONE_LR_TABLE
+#endif
+#ifdef  FOUR_IM_TABLES
+#undef  FOUR_IM_TABLES
+#define ONE_IM_TABLE
+#endif
+#elif !defined(AES_BLOCK_SIZE)
+#if defined(UNROLL)
+#define PARTIAL_UNROLL
+#undef UNROLL
+#endif
+#endif
+
+// the finite field modular polynomial and elements
+
+#define ff_poly 0x011b
+#define ff_hi   0x80
+
+// multiply four bytes in GF(2^8) by 'x' {02} in parallel
+
+#define m1  0x80808080
+#define m2  0x7f7f7f7f
+#define m3  0x0000001b
+#define FFmulX(x)  ((((x) & m2) << 1) ^ ((((x) & m1) >> 7) * m3))
+
+// The following defines provide alternative definitions of FFmulX that might
+// give improved performance if a fast 32-bit multiply is not available. Note
+// that a temporary variable u needs to be defined where FFmulX is used.
+
+// #define FFmulX(x) (u = (x) & m1, u |= (u >> 1), ((x) & m2) << 1) ^ ((u >> 3) | (u >> 6)) 
+// #define m4  0x1b1b1b1b
+// #define FFmulX(x) (u = (x) & m1, ((x) & m2) << 1) ^ ((u - (u >> 7)) & m4) 
+
+// perform column mix operation on four bytes in parallel
+
+#define fwd_mcol(x) (f2 = FFmulX(x), f2 ^ upr(x ^ f2,3) ^ upr(x,2) ^ upr(x,1))
+
+#if defined(FIXED_TABLES)
+
+// the S-Box table
+
+static const unsigned char s_box[256] =
+{
+    0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5,
+    0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76,
+    0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0,
+    0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0,
+    0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc,
+    0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15,
+    0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a,
+    0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75,
+    0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0,
+    0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84,
+    0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b,
+    0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf,
+    0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85,
+    0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8,
+    0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5,
+    0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2,
+    0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17,
+    0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73,
+    0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88,
+    0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb,
+    0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c,
+    0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79,
+    0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9,
+    0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08,
+    0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6,
+    0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a,
+    0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e,
+    0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e,
+    0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94,
+    0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf,
+    0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68,
+    0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16
+};
+
+// the inverse S-Box table
+
+static const unsigned char inv_s_box[256] =
+{
+    0x52, 0x09, 0x6a, 0xd5, 0x30, 0x36, 0xa5, 0x38,
+    0xbf, 0x40, 0xa3, 0x9e, 0x81, 0xf3, 0xd7, 0xfb,
+    0x7c, 0xe3, 0x39, 0x82, 0x9b, 0x2f, 0xff, 0x87,
+    0x34, 0x8e, 0x43, 0x44, 0xc4, 0xde, 0xe9, 0xcb,
+    0x54, 0x7b, 0x94, 0x32, 0xa6, 0xc2, 0x23, 0x3d,
+    0xee, 0x4c, 0x95, 0x0b, 0x42, 0xfa, 0xc3, 0x4e,
+    0x08, 0x2e, 0xa1, 0x66, 0x28, 0xd9, 0x24, 0xb2,
+    0x76, 0x5b, 0xa2, 0x49, 0x6d, 0x8b, 0xd1, 0x25,
+    0x72, 0xf8, 0xf6, 0x64, 0x86, 0x68, 0x98, 0x16,
+    0xd4, 0xa4, 0x5c, 0xcc, 0x5d, 0x65, 0xb6, 0x92,
+    0x6c, 0x70, 0x48, 0x50, 0xfd, 0xed, 0xb9, 0xda,
+    0x5e, 0x15, 0x46, 0x57, 0xa7, 0x8d, 0x9d, 0x84,
+    0x90, 0xd8, 0xab, 0x00, 0x8c, 0xbc, 0xd3, 0x0a,
+    0xf7, 0xe4, 0x58, 0x05, 0xb8, 0xb3, 0x45, 0x06,
+    0xd0, 0x2c, 0x1e, 0x8f, 0xca, 0x3f, 0x0f, 0x02,
+    0xc1, 0xaf, 0xbd, 0x03, 0x01, 0x13, 0x8a, 0x6b,
+    0x3a, 0x91, 0x11, 0x41, 0x4f, 0x67, 0xdc, 0xea,
+    0x97, 0xf2, 0xcf, 0xce, 0xf0, 0xb4, 0xe6, 0x73,
+    0x96, 0xac, 0x74, 0x22, 0xe7, 0xad, 0x35, 0x85,
+    0xe2, 0xf9, 0x37, 0xe8, 0x1c, 0x75, 0xdf, 0x6e,
+    0x47, 0xf1, 0x1a, 0x71, 0x1d, 0x29, 0xc5, 0x89,
+    0x6f, 0xb7, 0x62, 0x0e, 0xaa, 0x18, 0xbe, 0x1b,
+    0xfc, 0x56, 0x3e, 0x4b, 0xc6, 0xd2, 0x79, 0x20,
+    0x9a, 0xdb, 0xc0, 0xfe, 0x78, 0xcd, 0x5a, 0xf4,
+    0x1f, 0xdd, 0xa8, 0x33, 0x88, 0x07, 0xc7, 0x31,
+    0xb1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xec, 0x5f,
+    0x60, 0x51, 0x7f, 0xa9, 0x19, 0xb5, 0x4a, 0x0d,
+    0x2d, 0xe5, 0x7a, 0x9f, 0x93, 0xc9, 0x9c, 0xef,
+    0xa0, 0xe0, 0x3b, 0x4d, 0xae, 0x2a, 0xf5, 0xb0,
+    0xc8, 0xeb, 0xbb, 0x3c, 0x83, 0x53, 0x99, 0x61,
+    0x17, 0x2b, 0x04, 0x7e, 0xba, 0x77, 0xd6, 0x26,
+    0xe1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0c, 0x7d
+};
+
+#define w0(p)          0x000000##p
+
+// Number of elements required in this table for different
+// block and key lengths is:
+//
+// Nk =      4  6  8
+//        ----------
+// Nb = 4 | 10  8  7
+//      6 | 19 12 11
+//      8 | 29 19 14
+//
+// this table can be a table of bytes if the key schedule
+// code is adjusted accordingly
+
+static const u_int32_t rcon_tab[29] =
+{
+    w0(01), w0(02), w0(04), w0(08),
+    w0(10), w0(20), w0(40), w0(80),
+    w0(1b), w0(36), w0(6c), w0(d8),
+    w0(ab), w0(4d), w0(9a), w0(2f),
+    w0(5e), w0(bc), w0(63), w0(c6),
+    w0(97), w0(35), w0(6a), w0(d4),
+    w0(b3), w0(7d), w0(fa), w0(ef),
+    w0(c5)
+};
+
+#undef  w0
+
+#define r0(p,q,r,s) 0x##p##q##r##s
+#define r1(p,q,r,s) 0x##q##r##s##p
+#define r2(p,q,r,s) 0x##r##s##p##q
+#define r3(p,q,r,s) 0x##s##p##q##r
+#define w0(p)          0x000000##p
+#define w1(p)        0x0000##p##00
+#define w2(p)        0x00##p##0000
+#define w3(p)        0x##p##000000
+
+#if defined(FIXED_TABLES) && (defined(ONE_TABLE) || defined(FOUR_TABLES)) 
+
+//  data for forward tables (other than last round)
+
+#define f_table \
+    r(a5,63,63,c6), r(84,7c,7c,f8), r(99,77,77,ee), r(8d,7b,7b,f6),\
+    r(0d,f2,f2,ff), r(bd,6b,6b,d6), r(b1,6f,6f,de), r(54,c5,c5,91),\
+    r(50,30,30,60), r(03,01,01,02), r(a9,67,67,ce), r(7d,2b,2b,56),\
+    r(19,fe,fe,e7), r(62,d7,d7,b5), r(e6,ab,ab,4d), r(9a,76,76,ec),\
+    r(45,ca,ca,8f), r(9d,82,82,1f), r(40,c9,c9,89), r(87,7d,7d,fa),\
+    r(15,fa,fa,ef), r(eb,59,59,b2), r(c9,47,47,8e), r(0b,f0,f0,fb),\
+    r(ec,ad,ad,41), r(67,d4,d4,b3), r(fd,a2,a2,5f), r(ea,af,af,45),\
+    r(bf,9c,9c,23), r(f7,a4,a4,53), r(96,72,72,e4), r(5b,c0,c0,9b),\
+    r(c2,b7,b7,75), r(1c,fd,fd,e1), r(ae,93,93,3d), r(6a,26,26,4c),\
+    r(5a,36,36,6c), r(41,3f,3f,7e), r(02,f7,f7,f5), r(4f,cc,cc,83),\
+    r(5c,34,34,68), r(f4,a5,a5,51), r(34,e5,e5,d1), r(08,f1,f1,f9),\
+    r(93,71,71,e2), r(73,d8,d8,ab), r(53,31,31,62), r(3f,15,15,2a),\
+    r(0c,04,04,08), r(52,c7,c7,95), r(65,23,23,46), r(5e,c3,c3,9d),\
+    r(28,18,18,30), r(a1,96,96,37), r(0f,05,05,0a), r(b5,9a,9a,2f),\
+    r(09,07,07,0e), r(36,12,12,24), r(9b,80,80,1b), r(3d,e2,e2,df),\
+    r(26,eb,eb,cd), r(69,27,27,4e), r(cd,b2,b2,7f), r(9f,75,75,ea),\
+    r(1b,09,09,12), r(9e,83,83,1d), r(74,2c,2c,58), r(2e,1a,1a,34),\
+    r(2d,1b,1b,36), r(b2,6e,6e,dc), r(ee,5a,5a,b4), r(fb,a0,a0,5b),\
+    r(f6,52,52,a4), r(4d,3b,3b,76), r(61,d6,d6,b7), r(ce,b3,b3,7d),\
+    r(7b,29,29,52), r(3e,e3,e3,dd), r(71,2f,2f,5e), r(97,84,84,13),\
+    r(f5,53,53,a6), r(68,d1,d1,b9), r(00,00,00,00), r(2c,ed,ed,c1),\
+    r(60,20,20,40), r(1f,fc,fc,e3), r(c8,b1,b1,79), r(ed,5b,5b,b6),\
+    r(be,6a,6a,d4), r(46,cb,cb,8d), r(d9,be,be,67), r(4b,39,39,72),\
+    r(de,4a,4a,94), r(d4,4c,4c,98), r(e8,58,58,b0), r(4a,cf,cf,85),\
+    r(6b,d0,d0,bb), r(2a,ef,ef,c5), r(e5,aa,aa,4f), r(16,fb,fb,ed),\
+    r(c5,43,43,86), r(d7,4d,4d,9a), r(55,33,33,66), r(94,85,85,11),\
+    r(cf,45,45,8a), r(10,f9,f9,e9), r(06,02,02,04), r(81,7f,7f,fe),\
+    r(f0,50,50,a0), r(44,3c,3c,78), r(ba,9f,9f,25), r(e3,a8,a8,4b),\
+    r(f3,51,51,a2), r(fe,a3,a3,5d), r(c0,40,40,80), r(8a,8f,8f,05),\
+    r(ad,92,92,3f), r(bc,9d,9d,21), r(48,38,38,70), r(04,f5,f5,f1),\
+    r(df,bc,bc,63), r(c1,b6,b6,77), r(75,da,da,af), r(63,21,21,42),\
+    r(30,10,10,20), r(1a,ff,ff,e5), r(0e,f3,f3,fd), r(6d,d2,d2,bf),\
+    r(4c,cd,cd,81), r(14,0c,0c,18), r(35,13,13,26), r(2f,ec,ec,c3),\
+    r(e1,5f,5f,be), r(a2,97,97,35), r(cc,44,44,88), r(39,17,17,2e),\
+    r(57,c4,c4,93), r(f2,a7,a7,55), r(82,7e,7e,fc), r(47,3d,3d,7a),\
+    r(ac,64,64,c8), r(e7,5d,5d,ba), r(2b,19,19,32), r(95,73,73,e6),\
+    r(a0,60,60,c0), r(98,81,81,19), r(d1,4f,4f,9e), r(7f,dc,dc,a3),\
+    r(66,22,22,44), r(7e,2a,2a,54), r(ab,90,90,3b), r(83,88,88,0b),\
+    r(ca,46,46,8c), r(29,ee,ee,c7), r(d3,b8,b8,6b), r(3c,14,14,28),\
+    r(79,de,de,a7), r(e2,5e,5e,bc), r(1d,0b,0b,16), r(76,db,db,ad),\
+    r(3b,e0,e0,db), r(56,32,32,64), r(4e,3a,3a,74), r(1e,0a,0a,14),\
+    r(db,49,49,92), r(0a,06,06,0c), r(6c,24,24,48), r(e4,5c,5c,b8),\
+    r(5d,c2,c2,9f), r(6e,d3,d3,bd), r(ef,ac,ac,43), r(a6,62,62,c4),\
+    r(a8,91,91,39), r(a4,95,95,31), r(37,e4,e4,d3), r(8b,79,79,f2),\
+    r(32,e7,e7,d5), r(43,c8,c8,8b), r(59,37,37,6e), r(b7,6d,6d,da),\
+    r(8c,8d,8d,01), r(64,d5,d5,b1), r(d2,4e,4e,9c), r(e0,a9,a9,49),\
+    r(b4,6c,6c,d8), r(fa,56,56,ac), r(07,f4,f4,f3), r(25,ea,ea,cf),\
+    r(af,65,65,ca), r(8e,7a,7a,f4), r(e9,ae,ae,47), r(18,08,08,10),\
+    r(d5,ba,ba,6f), r(88,78,78,f0), r(6f,25,25,4a), r(72,2e,2e,5c),\
+    r(24,1c,1c,38), r(f1,a6,a6,57), r(c7,b4,b4,73), r(51,c6,c6,97),\
+    r(23,e8,e8,cb), r(7c,dd,dd,a1), r(9c,74,74,e8), r(21,1f,1f,3e),\
+    r(dd,4b,4b,96), r(dc,bd,bd,61), r(86,8b,8b,0d), r(85,8a,8a,0f),\
+    r(90,70,70,e0), r(42,3e,3e,7c), r(c4,b5,b5,71), r(aa,66,66,cc),\
+    r(d8,48,48,90), r(05,03,03,06), r(01,f6,f6,f7), r(12,0e,0e,1c),\
+    r(a3,61,61,c2), r(5f,35,35,6a), r(f9,57,57,ae), r(d0,b9,b9,69),\
+    r(91,86,86,17), r(58,c1,c1,99), r(27,1d,1d,3a), r(b9,9e,9e,27),\
+    r(38,e1,e1,d9), r(13,f8,f8,eb), r(b3,98,98,2b), r(33,11,11,22),\
+    r(bb,69,69,d2), r(70,d9,d9,a9), r(89,8e,8e,07), r(a7,94,94,33),\
+    r(b6,9b,9b,2d), r(22,1e,1e,3c), r(92,87,87,15), r(20,e9,e9,c9),\
+    r(49,ce,ce,87), r(ff,55,55,aa), r(78,28,28,50), r(7a,df,df,a5),\
+    r(8f,8c,8c,03), r(f8,a1,a1,59), r(80,89,89,09), r(17,0d,0d,1a),\
+    r(da,bf,bf,65), r(31,e6,e6,d7), r(c6,42,42,84), r(b8,68,68,d0),\
+    r(c3,41,41,82), r(b0,99,99,29), r(77,2d,2d,5a), r(11,0f,0f,1e),\
+    r(cb,b0,b0,7b), r(fc,54,54,a8), r(d6,bb,bb,6d), r(3a,16,16,2c)
+
+//  data for inverse tables (other than last round)
+
+#define i_table \
+    r(50,a7,f4,51), r(53,65,41,7e), r(c3,a4,17,1a), r(96,5e,27,3a),\
+    r(cb,6b,ab,3b), r(f1,45,9d,1f), r(ab,58,fa,ac), r(93,03,e3,4b),\
+    r(55,fa,30,20), r(f6,6d,76,ad), r(91,76,cc,88), r(25,4c,02,f5),\
+    r(fc,d7,e5,4f), r(d7,cb,2a,c5), r(80,44,35,26), r(8f,a3,62,b5),\
+    r(49,5a,b1,de), r(67,1b,ba,25), r(98,0e,ea,45), r(e1,c0,fe,5d),\
+    r(02,75,2f,c3), r(12,f0,4c,81), r(a3,97,46,8d), r(c6,f9,d3,6b),\
+    r(e7,5f,8f,03), r(95,9c,92,15), r(eb,7a,6d,bf), r(da,59,52,95),\
+    r(2d,83,be,d4), r(d3,21,74,58), r(29,69,e0,49), r(44,c8,c9,8e),\
+    r(6a,89,c2,75), r(78,79,8e,f4), r(6b,3e,58,99), r(dd,71,b9,27),\
+    r(b6,4f,e1,be), r(17,ad,88,f0), r(66,ac,20,c9), r(b4,3a,ce,7d),\
+    r(18,4a,df,63), r(82,31,1a,e5), r(60,33,51,97), r(45,7f,53,62),\
+    r(e0,77,64,b1), r(84,ae,6b,bb), r(1c,a0,81,fe), r(94,2b,08,f9),\
+    r(58,68,48,70), r(19,fd,45,8f), r(87,6c,de,94), r(b7,f8,7b,52),\
+    r(23,d3,73,ab), r(e2,02,4b,72), r(57,8f,1f,e3), r(2a,ab,55,66),\
+    r(07,28,eb,b2), r(03,c2,b5,2f), r(9a,7b,c5,86), r(a5,08,37,d3),\
+    r(f2,87,28,30), r(b2,a5,bf,23), r(ba,6a,03,02), r(5c,82,16,ed),\
+    r(2b,1c,cf,8a), r(92,b4,79,a7), r(f0,f2,07,f3), r(a1,e2,69,4e),\
+    r(cd,f4,da,65), r(d5,be,05,06), r(1f,62,34,d1), r(8a,fe,a6,c4),\
+    r(9d,53,2e,34), r(a0,55,f3,a2), r(32,e1,8a,05), r(75,eb,f6,a4),\
+    r(39,ec,83,0b), r(aa,ef,60,40), r(06,9f,71,5e), r(51,10,6e,bd),\
+    r(f9,8a,21,3e), r(3d,06,dd,96), r(ae,05,3e,dd), r(46,bd,e6,4d),\
+    r(b5,8d,54,91), r(05,5d,c4,71), r(6f,d4,06,04), r(ff,15,50,60),\
+    r(24,fb,98,19), r(97,e9,bd,d6), r(cc,43,40,89), r(77,9e,d9,67),\
+    r(bd,42,e8,b0), r(88,8b,89,07), r(38,5b,19,e7), r(db,ee,c8,79),\
+    r(47,0a,7c,a1), r(e9,0f,42,7c), r(c9,1e,84,f8), r(00,00,00,00),\
+    r(83,86,80,09), r(48,ed,2b,32), r(ac,70,11,1e), r(4e,72,5a,6c),\
+    r(fb,ff,0e,fd), r(56,38,85,0f), r(1e,d5,ae,3d), r(27,39,2d,36),\
+    r(64,d9,0f,0a), r(21,a6,5c,68), r(d1,54,5b,9b), r(3a,2e,36,24),\
+    r(b1,67,0a,0c), r(0f,e7,57,93), r(d2,96,ee,b4), r(9e,91,9b,1b),\
+    r(4f,c5,c0,80), r(a2,20,dc,61), r(69,4b,77,5a), r(16,1a,12,1c),\
+    r(0a,ba,93,e2), r(e5,2a,a0,c0), r(43,e0,22,3c), r(1d,17,1b,12),\
+    r(0b,0d,09,0e), r(ad,c7,8b,f2), r(b9,a8,b6,2d), r(c8,a9,1e,14),\
+    r(85,19,f1,57), r(4c,07,75,af), r(bb,dd,99,ee), r(fd,60,7f,a3),\
+    r(9f,26,01,f7), r(bc,f5,72,5c), r(c5,3b,66,44), r(34,7e,fb,5b),\
+    r(76,29,43,8b), r(dc,c6,23,cb), r(68,fc,ed,b6), r(63,f1,e4,b8),\
+    r(ca,dc,31,d7), r(10,85,63,42), r(40,22,97,13), r(20,11,c6,84),\
+    r(7d,24,4a,85), r(f8,3d,bb,d2), r(11,32,f9,ae), r(6d,a1,29,c7),\
+    r(4b,2f,9e,1d), r(f3,30,b2,dc), r(ec,52,86,0d), r(d0,e3,c1,77),\
+    r(6c,16,b3,2b), r(99,b9,70,a9), r(fa,48,94,11), r(22,64,e9,47),\
+    r(c4,8c,fc,a8), r(1a,3f,f0,a0), r(d8,2c,7d,56), r(ef,90,33,22),\
+    r(c7,4e,49,87), r(c1,d1,38,d9), r(fe,a2,ca,8c), r(36,0b,d4,98),\
+    r(cf,81,f5,a6), r(28,de,7a,a5), r(26,8e,b7,da), r(a4,bf,ad,3f),\
+    r(e4,9d,3a,2c), r(0d,92,78,50), r(9b,cc,5f,6a), r(62,46,7e,54),\
+    r(c2,13,8d,f6), r(e8,b8,d8,90), r(5e,f7,39,2e), r(f5,af,c3,82),\
+    r(be,80,5d,9f), r(7c,93,d0,69), r(a9,2d,d5,6f), r(b3,12,25,cf),\
+    r(3b,99,ac,c8), r(a7,7d,18,10), r(6e,63,9c,e8), r(7b,bb,3b,db),\
+    r(09,78,26,cd), r(f4,18,59,6e), r(01,b7,9a,ec), r(a8,9a,4f,83),\
+    r(65,6e,95,e6), r(7e,e6,ff,aa), r(08,cf,bc,21), r(e6,e8,15,ef),\
+    r(d9,9b,e7,ba), r(ce,36,6f,4a), r(d4,09,9f,ea), r(d6,7c,b0,29),\
+    r(af,b2,a4,31), r(31,23,3f,2a), r(30,94,a5,c6), r(c0,66,a2,35),\
+    r(37,bc,4e,74), r(a6,ca,82,fc), r(b0,d0,90,e0), r(15,d8,a7,33),\
+    r(4a,98,04,f1), r(f7,da,ec,41), r(0e,50,cd,7f), r(2f,f6,91,17),\
+    r(8d,d6,4d,76), r(4d,b0,ef,43), r(54,4d,aa,cc), r(df,04,96,e4),\
+    r(e3,b5,d1,9e), r(1b,88,6a,4c), r(b8,1f,2c,c1), r(7f,51,65,46),\
+    r(04,ea,5e,9d), r(5d,35,8c,01), r(73,74,87,fa), r(2e,41,0b,fb),\
+    r(5a,1d,67,b3), r(52,d2,db,92), r(33,56,10,e9), r(13,47,d6,6d),\
+    r(8c,61,d7,9a), r(7a,0c,a1,37), r(8e,14,f8,59), r(89,3c,13,eb),\
+    r(ee,27,a9,ce), r(35,c9,61,b7), r(ed,e5,1c,e1), r(3c,b1,47,7a),\
+    r(59,df,d2,9c), r(3f,73,f2,55), r(79,ce,14,18), r(bf,37,c7,73),\
+    r(ea,cd,f7,53), r(5b,aa,fd,5f), r(14,6f,3d,df), r(86,db,44,78),\
+    r(81,f3,af,ca), r(3e,c4,68,b9), r(2c,34,24,38), r(5f,40,a3,c2),\
+    r(72,c3,1d,16), r(0c,25,e2,bc), r(8b,49,3c,28), r(41,95,0d,ff),\
+    r(71,01,a8,39), r(de,b3,0c,08), r(9c,e4,b4,d8), r(90,c1,56,64),\
+    r(61,84,cb,7b), r(70,b6,32,d5), r(74,5c,6c,48), r(42,57,b8,d0)
+
+// generate the required tables in the desired endian format
+
+#undef  r
+#define r   r0
+
+#if defined(ONE_TABLE)
+static const u_int32_t ft_tab[256] =
+    {   f_table };
+#elif defined(FOUR_TABLES)
+static const u_int32_t ft_tab[4][256] =
+{   {   f_table },
+#undef  r
+#define r   r1
+    {   f_table },
+#undef  r
+#define r   r2
+    {   f_table },
+#undef  r
+#define r   r3
+    {   f_table }
+};
+#endif
+
+#undef  r
+#define r   r0
+#if defined(ONE_TABLE)
+static const u_int32_t it_tab[256] =
+    {   i_table };
+#elif defined(FOUR_TABLES)
+static const u_int32_t it_tab[4][256] =
+{   {   i_table },
+#undef  r
+#define r   r1
+    {   i_table },
+#undef  r
+#define r   r2
+    {   i_table },
+#undef  r
+#define r   r3
+    {   i_table }
+};
+#endif
+
+#endif
+
+#if defined(FIXED_TABLES) && (defined(ONE_LR_TABLE) || defined(FOUR_LR_TABLES)) 
+
+//  data for inverse tables (last round)
+
+#define li_table    \
+    w(52), w(09), w(6a), w(d5), w(30), w(36), w(a5), w(38),\
+    w(bf), w(40), w(a3), w(9e), w(81), w(f3), w(d7), w(fb),\
+    w(7c), w(e3), w(39), w(82), w(9b), w(2f), w(ff), w(87),\
+    w(34), w(8e), w(43), w(44), w(c4), w(de), w(e9), w(cb),\
+    w(54), w(7b), w(94), w(32), w(a6), w(c2), w(23), w(3d),\
+    w(ee), w(4c), w(95), w(0b), w(42), w(fa), w(c3), w(4e),\
+    w(08), w(2e), w(a1), w(66), w(28), w(d9), w(24), w(b2),\
+    w(76), w(5b), w(a2), w(49), w(6d), w(8b), w(d1), w(25),\
+    w(72), w(f8), w(f6), w(64), w(86), w(68), w(98), w(16),\
+    w(d4), w(a4), w(5c), w(cc), w(5d), w(65), w(b6), w(92),\
+    w(6c), w(70), w(48), w(50), w(fd), w(ed), w(b9), w(da),\
+    w(5e), w(15), w(46), w(57), w(a7), w(8d), w(9d), w(84),\
+    w(90), w(d8), w(ab), w(00), w(8c), w(bc), w(d3), w(0a),\
+    w(f7), w(e4), w(58), w(05), w(b8), w(b3), w(45), w(06),\
+    w(d0), w(2c), w(1e), w(8f), w(ca), w(3f), w(0f), w(02),\
+    w(c1), w(af), w(bd), w(03), w(01), w(13), w(8a), w(6b),\
+    w(3a), w(91), w(11), w(41), w(4f), w(67), w(dc), w(ea),\
+    w(97), w(f2), w(cf), w(ce), w(f0), w(b4), w(e6), w(73),\
+    w(96), w(ac), w(74), w(22), w(e7), w(ad), w(35), w(85),\
+    w(e2), w(f9), w(37), w(e8), w(1c), w(75), w(df), w(6e),\
+    w(47), w(f1), w(1a), w(71), w(1d), w(29), w(c5), w(89),\
+    w(6f), w(b7), w(62), w(0e), w(aa), w(18), w(be), w(1b),\
+    w(fc), w(56), w(3e), w(4b), w(c6), w(d2), w(79), w(20),\
+    w(9a), w(db), w(c0), w(fe), w(78), w(cd), w(5a), w(f4),\
+    w(1f), w(dd), w(a8), w(33), w(88), w(07), w(c7), w(31),\
+    w(b1), w(12), w(10), w(59), w(27), w(80), w(ec), w(5f),\
+    w(60), w(51), w(7f), w(a9), w(19), w(b5), w(4a), w(0d),\
+    w(2d), w(e5), w(7a), w(9f), w(93), w(c9), w(9c), w(ef),\
+    w(a0), w(e0), w(3b), w(4d), w(ae), w(2a), w(f5), w(b0),\
+    w(c8), w(eb), w(bb), w(3c), w(83), w(53), w(99), w(61),\
+    w(17), w(2b), w(04), w(7e), w(ba), w(77), w(d6), w(26),\
+    w(e1), w(69), w(14), w(63), w(55), w(21), w(0c), w(7d),
+
+// generate the required tables in the desired endian format
+
+#undef  r
+#define r(p,q,r,s)  w0(q)
+#if defined(ONE_LR_TABLE)
+static const u_int32_t fl_tab[256] =
+    {   f_table     };
+#elif defined(FOUR_LR_TABLES)
+static const u_int32_t fl_tab[4][256] =
+{   {   f_table    },
+#undef  r
+#define r(p,q,r,s)   w1(q)
+    {   f_table    },
+#undef  r
+#define r(p,q,r,s)   w2(q)
+    {   f_table    },
+#undef  r
+#define r(p,q,r,s)   w3(q)
+    {   f_table    }
+};
+#endif
+
+#undef  w
+#define w   w0
+#if defined(ONE_LR_TABLE)
+static const u_int32_t il_tab[256] =
+    {   li_table    };
+#elif defined(FOUR_LR_TABLES)
+static const u_int32_t il_tab[4][256] =
+{   {   li_table    },
+#undef  w
+#define w   w1
+    {   li_table    },
+#undef  w
+#define w   w2
+    {   li_table    },
+#undef  w
+#define w   w3
+    {   li_table    }
+};
+#endif
+
+#endif
+
+#if defined(FIXED_TABLES) && (defined(ONE_IM_TABLE) || defined(FOUR_IM_TABLES)) 
+
+#define m_table \
+    r(00,00,00,00), r(0b,0d,09,0e), r(16,1a,12,1c), r(1d,17,1b,12),\
+    r(2c,34,24,38), r(27,39,2d,36), r(3a,2e,36,24), r(31,23,3f,2a),\
+    r(58,68,48,70), r(53,65,41,7e), r(4e,72,5a,6c), r(45,7f,53,62),\
+    r(74,5c,6c,48), r(7f,51,65,46), r(62,46,7e,54), r(69,4b,77,5a),\
+    r(b0,d0,90,e0), r(bb,dd,99,ee), r(a6,ca,82,fc), r(ad,c7,8b,f2),\
+    r(9c,e4,b4,d8), r(97,e9,bd,d6), r(8a,fe,a6,c4), r(81,f3,af,ca),\
+    r(e8,b8,d8,90), r(e3,b5,d1,9e), r(fe,a2,ca,8c), r(f5,af,c3,82),\
+    r(c4,8c,fc,a8), r(cf,81,f5,a6), r(d2,96,ee,b4), r(d9,9b,e7,ba),\
+    r(7b,bb,3b,db), r(70,b6,32,d5), r(6d,a1,29,c7), r(66,ac,20,c9),\
+    r(57,8f,1f,e3), r(5c,82,16,ed), r(41,95,0d,ff), r(4a,98,04,f1),\
+    r(23,d3,73,ab), r(28,de,7a,a5), r(35,c9,61,b7), r(3e,c4,68,b9),\
+    r(0f,e7,57,93), r(04,ea,5e,9d), r(19,fd,45,8f), r(12,f0,4c,81),\
+    r(cb,6b,ab,3b), r(c0,66,a2,35), r(dd,71,b9,27), r(d6,7c,b0,29),\
+    r(e7,5f,8f,03), r(ec,52,86,0d), r(f1,45,9d,1f), r(fa,48,94,11),\
+    r(93,03,e3,4b), r(98,0e,ea,45), r(85,19,f1,57), r(8e,14,f8,59),\
+    r(bf,37,c7,73), r(b4,3a,ce,7d), r(a9,2d,d5,6f), r(a2,20,dc,61),\
+    r(f6,6d,76,ad), r(fd,60,7f,a3), r(e0,77,64,b1), r(eb,7a,6d,bf),\
+    r(da,59,52,95), r(d1,54,5b,9b), r(cc,43,40,89), r(c7,4e,49,87),\
+    r(ae,05,3e,dd), r(a5,08,37,d3), r(b8,1f,2c,c1), r(b3,12,25,cf),\
+    r(82,31,1a,e5), r(89,3c,13,eb), r(94,2b,08,f9), r(9f,26,01,f7),\
+    r(46,bd,e6,4d), r(4d,b0,ef,43), r(50,a7,f4,51), r(5b,aa,fd,5f),\
+    r(6a,89,c2,75), r(61,84,cb,7b), r(7c,93,d0,69), r(77,9e,d9,67),\
+    r(1e,d5,ae,3d), r(15,d8,a7,33), r(08,cf,bc,21), r(03,c2,b5,2f),\
+    r(32,e1,8a,05), r(39,ec,83,0b), r(24,fb,98,19), r(2f,f6,91,17),\
+    r(8d,d6,4d,76), r(86,db,44,78), r(9b,cc,5f,6a), r(90,c1,56,64),\
+    r(a1,e2,69,4e), r(aa,ef,60,40), r(b7,f8,7b,52), r(bc,f5,72,5c),\
+    r(d5,be,05,06), r(de,b3,0c,08), r(c3,a4,17,1a), r(c8,a9,1e,14),\
+    r(f9,8a,21,3e), r(f2,87,28,30), r(ef,90,33,22), r(e4,9d,3a,2c),\
+    r(3d,06,dd,96), r(36,0b,d4,98), r(2b,1c,cf,8a), r(20,11,c6,84),\
+    r(11,32,f9,ae), r(1a,3f,f0,a0), r(07,28,eb,b2), r(0c,25,e2,bc),\
+    r(65,6e,95,e6), r(6e,63,9c,e8), r(73,74,87,fa), r(78,79,8e,f4),\
+    r(49,5a,b1,de), r(42,57,b8,d0), r(5f,40,a3,c2), r(54,4d,aa,cc),\
+    r(f7,da,ec,41), r(fc,d7,e5,4f), r(e1,c0,fe,5d), r(ea,cd,f7,53),\
+    r(db,ee,c8,79), r(d0,e3,c1,77), r(cd,f4,da,65), r(c6,f9,d3,6b),\
+    r(af,b2,a4,31), r(a4,bf,ad,3f), r(b9,a8,b6,2d), r(b2,a5,bf,23),\
+    r(83,86,80,09), r(88,8b,89,07), r(95,9c,92,15), r(9e,91,9b,1b),\
+    r(47,0a,7c,a1), r(4c,07,75,af), r(51,10,6e,bd), r(5a,1d,67,b3),\
+    r(6b,3e,58,99), r(60,33,51,97), r(7d,24,4a,85), r(76,29,43,8b),\
+    r(1f,62,34,d1), r(14,6f,3d,df), r(09,78,26,cd), r(02,75,2f,c3),\
+    r(33,56,10,e9), r(38,5b,19,e7), r(25,4c,02,f5), r(2e,41,0b,fb),\
+    r(8c,61,d7,9a), r(87,6c,de,94), r(9a,7b,c5,86), r(91,76,cc,88),\
+    r(a0,55,f3,a2), r(ab,58,fa,ac), r(b6,4f,e1,be), r(bd,42,e8,b0),\
+    r(d4,09,9f,ea), r(df,04,96,e4), r(c2,13,8d,f6), r(c9,1e,84,f8),\
+    r(f8,3d,bb,d2), r(f3,30,b2,dc), r(ee,27,a9,ce), r(e5,2a,a0,c0),\
+    r(3c,b1,47,7a), r(37,bc,4e,74), r(2a,ab,55,66), r(21,a6,5c,68),\
+    r(10,85,63,42), r(1b,88,6a,4c), r(06,9f,71,5e), r(0d,92,78,50),\
+    r(64,d9,0f,0a), r(6f,d4,06,04), r(72,c3,1d,16), r(79,ce,14,18),\
+    r(48,ed,2b,32), r(43,e0,22,3c), r(5e,f7,39,2e), r(55,fa,30,20),\
+    r(01,b7,9a,ec), r(0a,ba,93,e2), r(17,ad,88,f0), r(1c,a0,81,fe),\
+    r(2d,83,be,d4), r(26,8e,b7,da), r(3b,99,ac,c8), r(30,94,a5,c6),\
+    r(59,df,d2,9c), r(52,d2,db,92), r(4f,c5,c0,80), r(44,c8,c9,8e),\
+    r(75,eb,f6,a4), r(7e,e6,ff,aa), r(63,f1,e4,b8), r(68,fc,ed,b6),\
+    r(b1,67,0a,0c), r(ba,6a,03,02), r(a7,7d,18,10), r(ac,70,11,1e),\
+    r(9d,53,2e,34), r(96,5e,27,3a), r(8b,49,3c,28), r(80,44,35,26),\
+    r(e9,0f,42,7c), r(e2,02,4b,72), r(ff,15,50,60), r(f4,18,59,6e),\
+    r(c5,3b,66,44), r(ce,36,6f,4a), r(d3,21,74,58), r(d8,2c,7d,56),\
+    r(7a,0c,a1,37), r(71,01,a8,39), r(6c,16,b3,2b), r(67,1b,ba,25),\
+    r(56,38,85,0f), r(5d,35,8c,01), r(40,22,97,13), r(4b,2f,9e,1d),\
+    r(22,64,e9,47), r(29,69,e0,49), r(34,7e,fb,5b), r(3f,73,f2,55),\
+    r(0e,50,cd,7f), r(05,5d,c4,71), r(18,4a,df,63), r(13,47,d6,6d),\
+    r(ca,dc,31,d7), r(c1,d1,38,d9), r(dc,c6,23,cb), r(d7,cb,2a,c5),\
+    r(e6,e8,15,ef), r(ed,e5,1c,e1), r(f0,f2,07,f3), r(fb,ff,0e,fd),\
+    r(92,b4,79,a7), r(99,b9,70,a9), r(84,ae,6b,bb), r(8f,a3,62,b5),\
+    r(be,80,5d,9f), r(b5,8d,54,91), r(a8,9a,4f,83), r(a3,97,46,8d)
+
+#undef r
+#define r   r0
+
+#if defined(ONE_IM_TABLE)
+static const u_int32_t im_tab[256] =
+    {   m_table };
+#elif defined(FOUR_IM_TABLES)
+static const u_int32_t im_tab[4][256] =
+{   {   m_table },
+#undef  r
+#define r   r1
+    {   m_table },
+#undef  r
+#define r   r2
+    {   m_table },
+#undef  r
+#define r   r3
+    {   m_table }
+};
+#endif
+
+#endif
+
+#else
+
+static int tab_gen = 0;
+
+static unsigned char  s_box[256];            // the S box
+static unsigned char  inv_s_box[256];        // the inverse S box
+static u_int32_t  rcon_tab[AES_RC_LENGTH];   // table of round constants
+
+#if defined(ONE_TABLE)
+static u_int32_t  ft_tab[256];
+static u_int32_t  it_tab[256];
+#elif defined(FOUR_TABLES)
+static u_int32_t  ft_tab[4][256];
+static u_int32_t  it_tab[4][256];
+#endif
+
+#if defined(ONE_LR_TABLE)
+static u_int32_t  fl_tab[256];
+static u_int32_t  il_tab[256];
+#elif defined(FOUR_LR_TABLES)
+static u_int32_t  fl_tab[4][256];
+static u_int32_t  il_tab[4][256];
+#endif
+
+#if defined(ONE_IM_TABLE)
+static u_int32_t  im_tab[256];
+#elif defined(FOUR_IM_TABLES)
+static u_int32_t  im_tab[4][256];
+#endif
+
+// Generate the tables for the dynamic table option
+
+#if !defined(FF_TABLES)
+
+// It will generally be sensible to use tables to compute finite 
+// field multiplies and inverses but where memory is scarse this 
+// code might sometimes be better.
+
+// return 2 ^ (n - 1) where n is the bit number of the highest bit
+// set in x with x in the range 1 < x < 0x00000200.   This form is
+// used so that locals within FFinv can be bytes rather than words
+
+static unsigned char hibit(const u_int32_t x)
+{   unsigned char r = (unsigned char)((x >> 1) | (x >> 2));
+    
+    r |= (r >> 2);
+    r |= (r >> 4);
+    return (r + 1) >> 1;
+}
+
+// return the inverse of the finite field element x
+
+static unsigned char FFinv(const unsigned char x)
+{   unsigned char    p1 = x, p2 = 0x1b, n1 = hibit(x), n2 = 0x80, v1 = 1, v2 = 0;
+
+    if(x < 2) return x;
+
+    for(;;)
+    {
+        if(!n1) return v1;
+
+        while(n2 >= n1)
+        {   
+            n2 /= n1; p2 ^= p1 * n2; v2 ^= v1 * n2; n2 = hibit(p2);
+        }
+        
+        if(!n2) return v2;
+
+        while(n1 >= n2)
+        {   
+            n1 /= n2; p1 ^= p2 * n1; v1 ^= v2 * n1; n1 = hibit(p1);
+        }
+    }
+}
+
+// define the finite field multiplies required for Rijndael
+
+#define FFmul02(x)  ((((x) & 0x7f) << 1) ^ ((x) & 0x80 ? 0x1b : 0))
+#define FFmul03(x)  ((x) ^ FFmul02(x))
+#define FFmul09(x)  ((x) ^ FFmul02(FFmul02(FFmul02(x))))
+#define FFmul0b(x)  ((x) ^ FFmul02((x) ^ FFmul02(FFmul02(x))))
+#define FFmul0d(x)  ((x) ^ FFmul02(FFmul02((x) ^ FFmul02(x))))
+#define FFmul0e(x)  FFmul02((x) ^ FFmul02((x) ^ FFmul02(x)))
+
+#else
+
+#define FFinv(x)    ((x) ? pow[255 - log[x]]: 0)
+
+#define FFmul02(x) (x ? pow[log[x] + 0x19] : 0)
+#define FFmul03(x) (x ? pow[log[x] + 0x01] : 0)
+#define FFmul09(x) (x ? pow[log[x] + 0xc7] : 0)
+#define FFmul0b(x) (x ? pow[log[x] + 0x68] : 0)
+#define FFmul0d(x) (x ? pow[log[x] + 0xee] : 0)
+#define FFmul0e(x) (x ? pow[log[x] + 0xdf] : 0)
+
+#endif
+
+// The forward and inverse affine transformations used in the S-box
+
+#define fwd_affine(x) \
+    (w = (u_int32_t)x, w ^= (w<<1)^(w<<2)^(w<<3)^(w<<4), 0x63^(unsigned char)(w^(w>>8)))
+
+#define inv_affine(x) \
+    (w = (u_int32_t)x, w = (w<<1)^(w<<3)^(w<<6), 0x05^(unsigned char)(w^(w>>8)))
+
+static void gen_tabs(void)
+{   u_int32_t  i, w;
+
+#if defined(FF_TABLES)
+
+    unsigned char  pow[512], log[256];
+
+    // log and power tables for GF(2^8) finite field with
+    // 0x011b as modular polynomial - the simplest primitive
+    // root is 0x03, used here to generate the tables
+
+    i = 0; w = 1; 
+    do
+    {   
+        pow[i] = (unsigned char)w;
+        pow[i + 255] = (unsigned char)w;
+        log[w] = (unsigned char)i++;
+        w ^=  (w << 1) ^ (w & ff_hi ? ff_poly : 0);
+    }
+    while (w != 1);
+
+#endif
+
+    for(i = 0, w = 1; i < AES_RC_LENGTH; ++i)
+    {
+        rcon_tab[i] = bytes2word(w, 0, 0, 0);
+        w = (w << 1) ^ (w & ff_hi ? ff_poly : 0);
+    }
+
+    for(i = 0; i < 256; ++i)
+    {   unsigned char    b;
+
+        s_box[i] = b = fwd_affine(FFinv((unsigned char)i));
+
+        w = bytes2word(b, 0, 0, 0);
+#if defined(ONE_LR_TABLE)
+        fl_tab[i] = w;
+#elif defined(FOUR_LR_TABLES)
+        fl_tab[0][i] = w;
+        fl_tab[1][i] = upr(w,1);
+        fl_tab[2][i] = upr(w,2);
+        fl_tab[3][i] = upr(w,3);
+#endif
+        w = bytes2word(FFmul02(b), b, b, FFmul03(b));
+#if defined(ONE_TABLE)
+        ft_tab[i] = w;
+#elif defined(FOUR_TABLES)
+        ft_tab[0][i] = w;
+        ft_tab[1][i] = upr(w,1);
+        ft_tab[2][i] = upr(w,2);
+        ft_tab[3][i] = upr(w,3);
+#endif
+        inv_s_box[i] = b = FFinv(inv_affine((unsigned char)i));
+
+        w = bytes2word(b, 0, 0, 0);
+#if defined(ONE_LR_TABLE)
+        il_tab[i] = w;
+#elif defined(FOUR_LR_TABLES)
+        il_tab[0][i] = w;
+        il_tab[1][i] = upr(w,1);
+        il_tab[2][i] = upr(w,2);
+        il_tab[3][i] = upr(w,3);
+#endif
+        w = bytes2word(FFmul0e(b), FFmul09(b), FFmul0d(b), FFmul0b(b));
+#if defined(ONE_TABLE)
+        it_tab[i] = w;
+#elif defined(FOUR_TABLES)
+        it_tab[0][i] = w;
+        it_tab[1][i] = upr(w,1);
+        it_tab[2][i] = upr(w,2);
+        it_tab[3][i] = upr(w,3);
+#endif
+#if defined(ONE_IM_TABLE)
+        im_tab[b] = w;
+#elif defined(FOUR_IM_TABLES)
+        im_tab[0][b] = w;
+        im_tab[1][b] = upr(w,1);
+        im_tab[2][b] = upr(w,2);
+        im_tab[3][b] = upr(w,3);
+#endif
+
+    }
+}
+
+#endif
+
+#define no_table(x,box,vf,rf,c) bytes2word( \
+    box[bval(vf(x,0,c),rf(0,c))], \
+    box[bval(vf(x,1,c),rf(1,c))], \
+    box[bval(vf(x,2,c),rf(2,c))], \
+    box[bval(vf(x,3,c),rf(3,c))])
+
+#define one_table(x,op,tab,vf,rf,c) \
+ (     tab[bval(vf(x,0,c),rf(0,c))] \
+  ^ op(tab[bval(vf(x,1,c),rf(1,c))],1) \
+  ^ op(tab[bval(vf(x,2,c),rf(2,c))],2) \
+  ^ op(tab[bval(vf(x,3,c),rf(3,c))],3))
+
+#define four_tables(x,tab,vf,rf,c) \
+ (  tab[0][bval(vf(x,0,c),rf(0,c))] \
+  ^ tab[1][bval(vf(x,1,c),rf(1,c))] \
+  ^ tab[2][bval(vf(x,2,c),rf(2,c))] \
+  ^ tab[3][bval(vf(x,3,c),rf(3,c))])
+
+#define vf1(x,r,c)  (x)
+#define rf1(r,c)    (r)
+#define rf2(r,c)    ((r-c)&3)
+
+#if defined(FOUR_LR_TABLES)
+#define ls_box(x,c)     four_tables(x,fl_tab,vf1,rf2,c)
+#elif defined(ONE_LR_TABLE)
+#define ls_box(x,c)     one_table(x,upr,fl_tab,vf1,rf2,c)
+#else
+#define ls_box(x,c)     no_table(x,s_box,vf1,rf2,c)
+#endif
+
+#if defined(FOUR_IM_TABLES)
+#define inv_mcol(x)     four_tables(x,im_tab,vf1,rf1,0)
+#elif defined(ONE_IM_TABLE)
+#define inv_mcol(x)     one_table(x,upr,im_tab,vf1,rf1,0)
+#else
+#define inv_mcol(x) \
+    (f9 = (x),f2 = FFmulX(f9), f4 = FFmulX(f2), f8 = FFmulX(f4), f9 ^= f8, \
+    f2 ^= f4 ^ f8 ^ upr(f2 ^ f9,3) ^ upr(f4 ^ f9,2) ^ upr(f9,1))
+#endif
+
+#define nc   (AES_BLOCK_SIZE/4)
+
+// Initialise the key schedule from the user supplied key. The key
+// length is now specified in bytes - 16, 24 or 32 as appropriate.
+// This corresponds to bit lengths of 128, 192 and 256 bits, and
+// to Nk values of 4, 6 and 8 respectively.
+
+#define mx(t,f) (*t++ = inv_mcol(*f),f++)
+#define cp(t,f) *t++ = *f++
+
+#if   AES_BLOCK_SIZE == 16
+#define cpy(d,s)    cp(d,s); cp(d,s); cp(d,s); cp(d,s)
+#define mix(d,s)    mx(d,s); mx(d,s); mx(d,s); mx(d,s)
+#elif AES_BLOCK_SIZE == 24
+#define cpy(d,s)    cp(d,s); cp(d,s); cp(d,s); cp(d,s); \
+                    cp(d,s); cp(d,s)
+#define mix(d,s)    mx(d,s); mx(d,s); mx(d,s); mx(d,s); \
+                    mx(d,s); mx(d,s)
+#elif AES_BLOCK_SIZE == 32
+#define cpy(d,s)    cp(d,s); cp(d,s); cp(d,s); cp(d,s); \
+                    cp(d,s); cp(d,s); cp(d,s); cp(d,s)
+#define mix(d,s)    mx(d,s); mx(d,s); mx(d,s); mx(d,s); \
+                    mx(d,s); mx(d,s); mx(d,s); mx(d,s)
+#else
+
+#define cpy(d,s) \
+switch(nc) \
+{   case 8: cp(d,s); cp(d,s); \
+    case 6: cp(d,s); cp(d,s); \
+    case 4: cp(d,s); cp(d,s); \
+            cp(d,s); cp(d,s); \
+}
+
+#define mix(d,s) \
+switch(nc) \
+{   case 8: mx(d,s); mx(d,s); \
+    case 6: mx(d,s); mx(d,s); \
+    case 4: mx(d,s); mx(d,s); \
+            mx(d,s); mx(d,s); \
+}
+
+#endif
+
+// y = output word, x = input word, r = row, c = column
+// for r = 0, 1, 2 and 3 = column accessed for row r
+
+#if defined(ARRAYS)
+#define s(x,c) x[c]
+#else
+#define s(x,c) x##c
+#endif
+
+// I am grateful to Frank Yellin for the following constructions
+// which, given the column (c) of the output state variable that
+// is being computed, return the input state variables which are
+// needed for each row (r) of the state
+
+// For the fixed block size options, compilers reduce these two 
+// expressions to fixed variable references. For variable block 
+// size code conditional clauses will sometimes be returned
+
+#define unused  77  // Sunset Strip
+
+#define fwd_var(x,r,c) \
+ ( r==0 ?			\
+    ( c==0 ? s(x,0) \
+    : c==1 ? s(x,1) \
+    : c==2 ? s(x,2) \
+    : c==3 ? s(x,3) \
+    : c==4 ? s(x,4) \
+    : c==5 ? s(x,5) \
+    : c==6 ? s(x,6) \
+    : s(x,7))		\
+ : r==1 ?			\
+    ( c==0 ? s(x,1) \
+    : c==1 ? s(x,2) \
+    : c==2 ? s(x,3) \
+    : c==3 ? nc==4 ? s(x,0) : s(x,4) \
+    : c==4 ? s(x,5) \
+    : c==5 ? nc==8 ? s(x,6) : s(x,0) \
+    : c==6 ? s(x,7) \
+    : s(x,0))		\
+ : r==2 ?			\
+    ( c==0 ? nc==8 ? s(x,3) : s(x,2) \
+    : c==1 ? nc==8 ? s(x,4) : s(x,3) \
+    : c==2 ? nc==4 ? s(x,0) : nc==8 ? s(x,5) : s(x,4) \
+    : c==3 ? nc==4 ? s(x,1) : nc==8 ? s(x,6) : s(x,5) \
+    : c==4 ? nc==8 ? s(x,7) : s(x,0) \
+    : c==5 ? nc==8 ? s(x,0) : s(x,1) \
+    : c==6 ? s(x,1) \
+    : s(x,2))		\
+ :					\
+    ( c==0 ? nc==8 ? s(x,4) : s(x,3) \
+    : c==1 ? nc==4 ? s(x,0) : nc==8 ? s(x,5) : s(x,4) \
+    : c==2 ? nc==4 ? s(x,1) : nc==8 ? s(x,6) : s(x,5) \
+    : c==3 ? nc==4 ? s(x,2) : nc==8 ? s(x,7) : s(x,0) \
+    : c==4 ? nc==8 ? s(x,0) : s(x,1) \
+    : c==5 ? nc==8 ? s(x,1) : s(x,2) \
+    : c==6 ? s(x,2) \
+    : s(x,3)))
+
+#define inv_var(x,r,c) \
+ ( r==0 ?			\
+    ( c==0 ? s(x,0) \
+    : c==1 ? s(x,1) \
+    : c==2 ? s(x,2) \
+    : c==3 ? s(x,3) \
+    : c==4 ? s(x,4) \
+    : c==5 ? s(x,5) \
+    : c==6 ? s(x,6) \
+    : s(x,7))		\
+ : r==1 ?			\
+    ( c==0 ? nc==4 ? s(x,3) : nc==8 ? s(x,7) : s(x,5) \
+    : c==1 ? s(x,0) \
+    : c==2 ? s(x,1) \
+    : c==3 ? s(x,2) \
+    : c==4 ? s(x,3) \
+    : c==5 ? s(x,4) \
+    : c==6 ? s(x,5) \
+    : s(x,6))		\
+ : r==2 ?			\
+    ( c==0 ? nc==4 ? s(x,2) : nc==8 ? s(x,5) : s(x,4) \
+    : c==1 ? nc==4 ? s(x,3) : nc==8 ? s(x,6) : s(x,5) \
+    : c==2 ? nc==8 ? s(x,7) : s(x,0) \
+    : c==3 ? nc==8 ? s(x,0) : s(x,1) \
+    : c==4 ? nc==8 ? s(x,1) : s(x,2) \
+    : c==5 ? nc==8 ? s(x,2) : s(x,3) \
+    : c==6 ? s(x,3) \
+    : s(x,4))		\
+ :					\
+    ( c==0 ? nc==4 ? s(x,1) : nc==8 ? s(x,4) : s(x,3) \
+    : c==1 ? nc==4 ? s(x,2) : nc==8 ? s(x,5) : s(x,4) \
+    : c==2 ? nc==4 ? s(x,3) : nc==8 ? s(x,6) : s(x,5) \
+    : c==3 ? nc==8 ? s(x,7) : s(x,0) \
+    : c==4 ? nc==8 ? s(x,0) : s(x,1) \
+    : c==5 ? nc==8 ? s(x,1) : s(x,2) \
+    : c==6 ? s(x,2) \
+    : s(x,3)))
+
+#define si(y,x,k,c) s(y,c) = const_word_in(x + 4 * c) ^ k[c]
+#define so(y,x,c)   word_out(y + 4 * c, s(x,c))
+
+#if defined(FOUR_TABLES)
+#define fwd_rnd(y,x,k,c)    s(y,c)= (k)[c] ^ four_tables(x,ft_tab,fwd_var,rf1,c)
+#define inv_rnd(y,x,k,c)    s(y,c)= (k)[c] ^ four_tables(x,it_tab,inv_var,rf1,c)
+#elif defined(ONE_TABLE)
+#define fwd_rnd(y,x,k,c)    s(y,c)= (k)[c] ^ one_table(x,upr,ft_tab,fwd_var,rf1,c)
+#define inv_rnd(y,x,k,c)    s(y,c)= (k)[c] ^ one_table(x,upr,it_tab,inv_var,rf1,c)
+#else
+#define fwd_rnd(y,x,k,c)    s(y,c) = fwd_mcol(no_table(x,s_box,fwd_var,rf1,c)) ^ (k)[c]
+#define inv_rnd(y,x,k,c)    s(y,c) = inv_mcol(no_table(x,inv_s_box,inv_var,rf1,c) ^ (k)[c])
+#endif
+
+#if defined(FOUR_LR_TABLES)
+#define fwd_lrnd(y,x,k,c)   s(y,c)= (k)[c] ^ four_tables(x,fl_tab,fwd_var,rf1,c)
+#define inv_lrnd(y,x,k,c)   s(y,c)= (k)[c] ^ four_tables(x,il_tab,inv_var,rf1,c)
+#elif defined(ONE_LR_TABLE)
+#define fwd_lrnd(y,x,k,c)   s(y,c)= (k)[c] ^ one_table(x,ups,fl_tab,fwd_var,rf1,c)
+#define inv_lrnd(y,x,k,c)   s(y,c)= (k)[c] ^ one_table(x,ups,il_tab,inv_var,rf1,c)
+#else
+#define fwd_lrnd(y,x,k,c)   s(y,c) = no_table(x,s_box,fwd_var,rf1,c) ^ (k)[c]
+#define inv_lrnd(y,x,k,c)   s(y,c) = no_table(x,inv_s_box,inv_var,rf1,c) ^ (k)[c]
+#endif
+
+#if AES_BLOCK_SIZE == 16
+
+#if defined(ARRAYS)
+#define locals(y,x)     x[4],y[4]
+#else
+#define locals(y,x)     x##0,x##1,x##2,x##3,y##0,y##1,y##2,y##3
+// the following defines prevent the compiler requiring the declaration
+// of generated but unused variables in the fwd_var and inv_var macros
+#define b04 unused
+#define b05 unused
+#define b06 unused
+#define b07 unused
+#define b14 unused
+#define b15 unused
+#define b16 unused
+#define b17 unused
+#endif
+#define l_copy(y, x)    s(y,0) = s(x,0); s(y,1) = s(x,1); \
+                        s(y,2) = s(x,2); s(y,3) = s(x,3);
+#define state_in(y,x,k) si(y,x,k,0); si(y,x,k,1); si(y,x,k,2); si(y,x,k,3)
+#define state_out(y,x)  so(y,x,0); so(y,x,1); so(y,x,2); so(y,x,3)
+#define round(rm,y,x,k) rm(y,x,k,0); rm(y,x,k,1); rm(y,x,k,2); rm(y,x,k,3)
+
+#elif AES_BLOCK_SIZE == 24
+
+#if defined(ARRAYS)
+#define locals(y,x)     x[6],y[6]
+#else
+#define locals(y,x)     x##0,x##1,x##2,x##3,x##4,x##5, \
+                        y##0,y##1,y##2,y##3,y##4,y##5
+#define b06 unused
+#define b07 unused
+#define b16 unused
+#define b17 unused
+#endif
+#define l_copy(y, x)    s(y,0) = s(x,0); s(y,1) = s(x,1); \
+                        s(y,2) = s(x,2); s(y,3) = s(x,3); \
+                        s(y,4) = s(x,4); s(y,5) = s(x,5);
+#define state_in(y,x,k) si(y,x,k,0); si(y,x,k,1); si(y,x,k,2); \
+                        si(y,x,k,3); si(y,x,k,4); si(y,x,k,5)
+#define state_out(y,x)  so(y,x,0); so(y,x,1); so(y,x,2); \
+                        so(y,x,3); so(y,x,4); so(y,x,5)
+#define round(rm,y,x,k) rm(y,x,k,0); rm(y,x,k,1); rm(y,x,k,2); \
+                        rm(y,x,k,3); rm(y,x,k,4); rm(y,x,k,5)
+#else
+
+#if defined(ARRAYS)
+#define locals(y,x)     x[8],y[8]
+#else
+#define locals(y,x)     x##0,x##1,x##2,x##3,x##4,x##5,x##6,x##7, \
+                        y##0,y##1,y##2,y##3,y##4,y##5,y##6,y##7
+#endif
+#define l_copy(y, x)    s(y,0) = s(x,0); s(y,1) = s(x,1); \
+                        s(y,2) = s(x,2); s(y,3) = s(x,3); \
+                        s(y,4) = s(x,4); s(y,5) = s(x,5); \
+                        s(y,6) = s(x,6); s(y,7) = s(x,7);
+
+#if AES_BLOCK_SIZE == 32
+
+#define state_in(y,x,k) si(y,x,k,0); si(y,x,k,1); si(y,x,k,2); si(y,x,k,3); \
+                        si(y,x,k,4); si(y,x,k,5); si(y,x,k,6); si(y,x,k,7)
+#define state_out(y,x)  so(y,x,0); so(y,x,1); so(y,x,2); so(y,x,3); \
+                        so(y,x,4); so(y,x,5); so(y,x,6); so(y,x,7)
+#define round(rm,y,x,k) rm(y,x,k,0); rm(y,x,k,1); rm(y,x,k,2); rm(y,x,k,3); \
+                        rm(y,x,k,4); rm(y,x,k,5); rm(y,x,k,6); rm(y,x,k,7)
+#else
+
+#define state_in(y,x,k) \
+switch(nc) \
+{   case 8: si(y,x,k,7); si(y,x,k,6); \
+    case 6: si(y,x,k,5); si(y,x,k,4); \
+    case 4: si(y,x,k,3); si(y,x,k,2); \
+            si(y,x,k,1); si(y,x,k,0); \
+}
+
+#define state_out(y,x) \
+switch(nc) \
+{   case 8: so(y,x,7); so(y,x,6); \
+    case 6: so(y,x,5); so(y,x,4); \
+    case 4: so(y,x,3); so(y,x,2); \
+            so(y,x,1); so(y,x,0); \
+}
+
+#if defined(FAST_VARIABLE)
+
+#define round(rm,y,x,k) \
+switch(nc) \
+{   case 8: rm(y,x,k,7); rm(y,x,k,6); \
+            rm(y,x,k,5); rm(y,x,k,4); \
+            rm(y,x,k,3); rm(y,x,k,2); \
+            rm(y,x,k,1); rm(y,x,k,0); \
+            break; \
+    case 6: rm(y,x,k,5); rm(y,x,k,4); \
+            rm(y,x,k,3); rm(y,x,k,2); \
+            rm(y,x,k,1); rm(y,x,k,0); \
+            break; \
+    case 4: rm(y,x,k,3); rm(y,x,k,2); \
+            rm(y,x,k,1); rm(y,x,k,0); \
+            break; \
+}
+#else
+
+#define round(rm,y,x,k) \
+switch(nc) \
+{   case 8: rm(y,x,k,7); rm(y,x,k,6); \
+    case 6: rm(y,x,k,5); rm(y,x,k,4); \
+    case 4: rm(y,x,k,3); rm(y,x,k,2); \
+            rm(y,x,k,1); rm(y,x,k,0); \
+}
+
+#endif
+
+#endif
+#endif
+
+/**
+ * Encrypt a single block of data.
+ */
+static void encrypt_block(const private_aes_crypter_t *this, const unsigned char in_blk[], unsigned char out_blk[])
+{   u_int32_t        locals(b0, b1);
+    const u_int32_t  *kp = this->aes_e_key;
+
+#if !defined(ONE_TABLE) && !defined(FOUR_TABLES)
+    u_int32_t        f2;
+#endif
+
+    state_in(b0, in_blk, kp); kp += nc;
+
+#if defined(UNROLL)
+
+    switch(this->aes_Nrnd)
+    {
+    case 14:    round(fwd_rnd,  b1, b0, kp         ); 
+                round(fwd_rnd,  b0, b1, kp + nc    ); kp += 2 * nc;
+    case 12:    round(fwd_rnd,  b1, b0, kp         ); 
+                round(fwd_rnd,  b0, b1, kp + nc    ); kp += 2 * nc;
+    case 10:    round(fwd_rnd,  b1, b0, kp         );             
+                round(fwd_rnd,  b0, b1, kp +     nc);
+                round(fwd_rnd,  b1, b0, kp + 2 * nc); 
+                round(fwd_rnd,  b0, b1, kp + 3 * nc);
+                round(fwd_rnd,  b1, b0, kp + 4 * nc); 
+                round(fwd_rnd,  b0, b1, kp + 5 * nc);
+                round(fwd_rnd,  b1, b0, kp + 6 * nc); 
+                round(fwd_rnd,  b0, b1, kp + 7 * nc);
+                round(fwd_rnd,  b1, b0, kp + 8 * nc);
+                round(fwd_lrnd, b0, b1, kp + 9 * nc);
+    }
+
+#elif defined(PARTIAL_UNROLL)
+    {   u_int32_t    rnd;
+
+        for(rnd = 0; rnd < (this->aes_Nrnd >> 1) - 1; ++rnd)
+        {
+            round(fwd_rnd, b1, b0, kp); 
+            round(fwd_rnd, b0, b1, kp + nc); kp += 2 * nc;
+        }
+
+        round(fwd_rnd,  b1, b0, kp);
+        round(fwd_lrnd, b0, b1, kp + nc);
+    }
+#else
+    {   u_int32_t    rnd;
+
+        for(rnd = 0; rnd < this->aes_Nrnd - 1; ++rnd)
+        {
+            round(fwd_rnd, b1, b0, kp); 
+            l_copy(b0, b1); kp += nc;
+        }
+
+        round(fwd_lrnd, b0, b1, kp);
+    }
+#endif
+
+    state_out(out_blk, b0);
+}
+
+/**
+ * Decrypt a single block of data.
+ */
+static void decrypt_block(const private_aes_crypter_t *this, const unsigned char in_blk[], unsigned char out_blk[])
+{   u_int32_t        locals(b0, b1);
+    const u_int32_t  *kp = this->aes_d_key;
+
+#if !defined(ONE_TABLE) && !defined(FOUR_TABLES)
+    u_int32_t        f2, f4, f8, f9; 
+#endif
+
+    state_in(b0, in_blk, kp); kp += nc;
+
+#if defined(UNROLL)
+
+    switch(this->aes_Nrnd)
+    {
+    case 14:    round(inv_rnd,  b1, b0, kp         );
+                round(inv_rnd,  b0, b1, kp + nc    ); kp += 2 * nc;
+    case 12:    round(inv_rnd,  b1, b0, kp         );
+                round(inv_rnd,  b0, b1, kp + nc    ); kp += 2 * nc;
+    case 10:    round(inv_rnd,  b1, b0, kp         );             
+                round(inv_rnd,  b0, b1, kp +     nc);
+                round(inv_rnd,  b1, b0, kp + 2 * nc); 
+                round(inv_rnd,  b0, b1, kp + 3 * nc);
+                round(inv_rnd,  b1, b0, kp + 4 * nc); 
+                round(inv_rnd,  b0, b1, kp + 5 * nc);
+                round(inv_rnd,  b1, b0, kp + 6 * nc); 
+                round(inv_rnd,  b0, b1, kp + 7 * nc);
+                round(inv_rnd,  b1, b0, kp + 8 * nc);
+                round(inv_lrnd, b0, b1, kp + 9 * nc);
+    }
+
+#elif defined(PARTIAL_UNROLL)
+    {   u_int32_t    rnd;
+
+        for(rnd = 0; rnd < (this->aes_Nrnd >> 1) - 1; ++rnd)
+        {
+            round(inv_rnd, b1, b0, kp); 
+            round(inv_rnd, b0, b1, kp + nc); kp += 2 * nc;
+        }
+
+        round(inv_rnd,  b1, b0, kp);
+        round(inv_lrnd, b0, b1, kp + nc);
+    }
+#else
+    {   u_int32_t    rnd;
+
+        for(rnd = 0; rnd < this->aes_Nrnd - 1; ++rnd)
+        {
+            round(inv_rnd, b1, b0, kp); 
+            l_copy(b0, b1); kp += nc;
+        }
+
+        round(inv_lrnd, b0, b1, kp);
+    }
+#endif
+
+    state_out(out_blk, b0);
+}
+
+/**
+ * Implementation of crypter_t.decrypt.
+ */
+static void decrypt(private_aes_crypter_t *this, chunk_t data, chunk_t iv,
+					chunk_t *decrypted)
+{
+	int pos;
+	const u_int32_t *iv_i;
+	u_int8_t *in, *out;
+	
+	if (decrypted)
+	{
+		*decrypted = chunk_alloc(data.len);
+		out = decrypted->ptr;
+	}
+	else
+	{
+		out = data.ptr;
+	}
+	in = data.ptr;
+	
+	pos = data.len-16;
+	in += pos;
+	out += pos;
+	while (pos >= 0)
+	{
+		decrypt_block(this, in, out);
+		if (pos==0)
+		{
+			iv_i=(const u_int32_t*) (iv.ptr);
+		}
+		else
+		{
+			iv_i=(const u_int32_t*) (in-16);
+		}
+		*((u_int32_t *)(&out[ 0])) ^= iv_i[0];
+		*((u_int32_t *)(&out[ 4])) ^= iv_i[1];
+		*((u_int32_t *)(&out[ 8])) ^= iv_i[2];
+		*((u_int32_t *)(&out[12])) ^= iv_i[3];
+		in-=16;
+		out-=16;
+		pos-=16;
+	}
+}
+
+
+/**
+ * Implementation of crypter_t.decrypt.
+ */
+static void encrypt (private_aes_crypter_t *this, chunk_t data, chunk_t iv,
+					 chunk_t *encrypted)
+{
+	int pos;
+	const u_int32_t *iv_i;
+	u_int8_t *in, *out;
+	
+	in = data.ptr;
+	out = data.ptr;
+	if (encrypted)
+	{
+		*encrypted = chunk_alloc(data.len);
+		out = encrypted->ptr;
+	}
+	
+	pos=0;
+	while(pos<data.len)
+	{
+		if (pos==0)
+		{
+			iv_i=(const u_int32_t*) iv.ptr;
+		}
+		else
+		{
+			iv_i=(const u_int32_t*) (out-16);
+		}
+		*((u_int32_t *)(&out[ 0])) = iv_i[0]^*((const u_int32_t *)(&in[ 0]));
+		*((u_int32_t *)(&out[ 4])) = iv_i[1]^*((const u_int32_t *)(&in[ 4]));
+		*((u_int32_t *)(&out[ 8])) = iv_i[2]^*((const u_int32_t *)(&in[ 8]));
+		*((u_int32_t *)(&out[12])) = iv_i[3]^*((const u_int32_t *)(&in[12]));
+		encrypt_block(this, out, out);
+		in+=16;
+		out+=16;
+		pos+=16;
+	}
+}
+
+/**
+ * Implementation of crypter_t.get_block_size.
+ */
+static size_t get_block_size (private_aes_crypter_t *this)
+{
+	return AES_BLOCK_SIZE;
+}
+
+/**
+ * Implementation of crypter_t.get_key_size.
+ */
+static size_t get_key_size (private_aes_crypter_t *this)
+{
+	return this->key_size;
+}
+
+/**
+ * Implementation of crypter_t.set_key.
+ */
+static void set_key (private_aes_crypter_t *this, chunk_t key)
+{
+	u_int32_t    *kf, *kt, rci, f = 0;
+	u_int8_t *in_key = key.ptr;
+	
+	this->aes_Nrnd = (this->aes_Nkey > (nc) ? this->aes_Nkey : (nc)) + 6; 
+	
+	this->aes_e_key[0] = const_word_in(in_key     );
+	this->aes_e_key[1] = const_word_in(in_key +  4);
+	this->aes_e_key[2] = const_word_in(in_key +  8);
+	this->aes_e_key[3] = const_word_in(in_key + 12);
+	
+	kf = this->aes_e_key; 
+	kt = kf + nc * (this->aes_Nrnd + 1) - this->aes_Nkey; 
+	rci = 0;
+	
+	switch(this->aes_Nkey)
+	{
+	case 4: do
+			{   kf[4] = kf[0] ^ ls_box(kf[3],3) ^ rcon_tab[rci++];
+				kf[5] = kf[1] ^ kf[4];
+				kf[6] = kf[2] ^ kf[5];
+				kf[7] = kf[3] ^ kf[6];
+				kf += 4;
+			}
+			while(kf < kt);
+			break;
+	
+	case 6: this->aes_e_key[4] = const_word_in(in_key + 16);
+			this->aes_e_key[5] = const_word_in(in_key + 20);
+			do
+			{   kf[ 6] = kf[0] ^ ls_box(kf[5],3) ^ rcon_tab[rci++];
+				kf[ 7] = kf[1] ^ kf[ 6];
+				kf[ 8] = kf[2] ^ kf[ 7];
+				kf[ 9] = kf[3] ^ kf[ 8];
+				kf[10] = kf[4] ^ kf[ 9];
+				kf[11] = kf[5] ^ kf[10];
+				kf += 6;
+			}
+			while(kf < kt);
+			break;
+
+	case 8: this->aes_e_key[4] = const_word_in(in_key + 16);
+			this->aes_e_key[5] = const_word_in(in_key + 20);
+			this->aes_e_key[6] = const_word_in(in_key + 24);
+			this->aes_e_key[7] = const_word_in(in_key + 28);
+			do
+			{   kf[ 8] = kf[0] ^ ls_box(kf[7],3) ^ rcon_tab[rci++];
+				kf[ 9] = kf[1] ^ kf[ 8];
+				kf[10] = kf[2] ^ kf[ 9];
+				kf[11] = kf[3] ^ kf[10];
+				kf[12] = kf[4] ^ ls_box(kf[11],0);
+				kf[13] = kf[5] ^ kf[12];
+				kf[14] = kf[6] ^ kf[13];
+				kf[15] = kf[7] ^ kf[14];
+				kf += 8;
+			}
+			while (kf < kt);
+			break;
+	}
+	
+	if(!f)
+    {
+		u_int32_t    i;
+
+		kt = this->aes_d_key + nc * this->aes_Nrnd;
+		kf = this->aes_e_key;
+		
+		cpy(kt, kf); kt -= 2 * nc;
+		
+		for(i = 1; i < this->aes_Nrnd; ++i)
+		{ 
+#if defined(ONE_TABLE) || defined(FOUR_TABLES)
+#if !defined(ONE_IM_TABLE) && !defined(FOUR_IM_TABLES)
+			u_int32_t    f2, f4, f8, f9;
+#endif
+			mix(kt, kf);
+#else
+			cpy(kt, kf);
+#endif
+			kt -= 2 * nc;
+        }
+		cpy(kt, kf);
+    }
+}
+
+/**
+ * Implementation of crypter_t.destroy and aes_crypter_t.destroy.
+ */
+static void destroy (private_aes_crypter_t *this)
+{
+	free(this);
+}
+
+/*
+ * Described in header
+ */
+aes_crypter_t *aes_crypter_create(encryption_algorithm_t algo, size_t key_size)
+{
+	private_aes_crypter_t *this;
+	
+	if (algo != ENCR_AES_CBC)
+	{
+		return NULL;
+	}
+	
+	this = malloc_thing(private_aes_crypter_t);
+	
+	#if !defined(FIXED_TABLES)
+	if(!tab_gen) { gen_tabs(); tab_gen = 1; }
+	#endif
+	
+	this->key_size = key_size;
+	switch(key_size)
+	{
+	case 32:        /* bytes */
+		this->aes_Nkey = 8;
+		break;
+	case 24:        /* bytes */
+		this->aes_Nkey = 6;
+		break;
+	case 16:        /* bytes */
+		this->aes_Nkey = 4;
+		break;
+	default:
+		free(this);
+		return NULL;
+	}
+	
+	this->public.crypter_interface.encrypt = (void (*) (crypter_t *, chunk_t,chunk_t, chunk_t *)) encrypt;
+	this->public.crypter_interface.decrypt = (void (*) (crypter_t *, chunk_t , chunk_t, chunk_t *)) decrypt;
+	this->public.crypter_interface.get_block_size = (size_t (*) (crypter_t *)) get_block_size;
+	this->public.crypter_interface.get_key_size = (size_t (*) (crypter_t *)) get_key_size;
+	this->public.crypter_interface.set_key = (void (*) (crypter_t *,chunk_t)) set_key;
+	this->public.crypter_interface.destroy = (void (*) (crypter_t *)) destroy;
+	
+	return &(this->public);
+}
diff --git a/src/libstrongswan/plugins/aes/aes_crypter.h b/src/libstrongswan/plugins/aes/aes_crypter.h
new file mode 100644
index 000000000..e42a6bc5b
--- /dev/null
+++ b/src/libstrongswan/plugins/aes/aes_crypter.h
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) 2005-2008 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup aes_crypter aes_crypter
+ * @{ @ingroup aes_p
+ */
+
+#ifndef AES_CRYPTER_H_
+#define AES_CRYPTER_H_
+
+typedef struct aes_crypter_t aes_crypter_t;
+
+#include <crypto/crypters/crypter.h>
+
+/**
+ * Class implementing the AES encryption algorithm.
+ */
+struct aes_crypter_t {
+	
+	/**
+	 * The crypter_t interface.
+	 */
+	crypter_t crypter_interface;
+};
+
+/**
+ * Constructor to create aes_crypter_t objects.
+ * 
+ * @param key_size		key size in bytes
+ * @param algo			algorithm to implement
+ * @return				aes_crypter_t object, NULL if not supported
+ */
+aes_crypter_t *aes_crypter_create(encryption_algorithm_t algo,
+								  size_t key_size);
+
+#endif /* AES_CRYPTER_H_ @}*/
diff --git a/src/libstrongswan/plugins/aes/aes_plugin.c b/src/libstrongswan/plugins/aes/aes_plugin.c
new file mode 100644
index 000000000..71e49ad73
--- /dev/null
+++ b/src/libstrongswan/plugins/aes/aes_plugin.c
@@ -0,0 +1,60 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id: aes_plugin.c 3488 2008-02-21 15:10:02Z martin $
+ */
+
+#include "aes_plugin.h"
+
+#include <library.h>
+#include "aes_crypter.h"
+
+typedef struct private_aes_plugin_t private_aes_plugin_t;
+
+/**
+ * private data of aes_plugin
+ */
+struct private_aes_plugin_t {
+
+	/**
+	 * public functions
+	 */
+	aes_plugin_t public;
+};
+
+/**
+ * Implementation of aes_plugin_t.destroy
+ */
+static void destroy(private_aes_plugin_t *this)
+{
+	lib->crypto->remove_crypter(lib->crypto,
+								(crypter_constructor_t)aes_crypter_create);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *plugin_create()
+{
+	private_aes_plugin_t *this = malloc_thing(private_aes_plugin_t);
+	
+	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+	
+	lib->crypto->add_crypter(lib->crypto, ENCR_AES_CBC,
+							 (crypter_constructor_t)aes_crypter_create);
+	
+	return &this->public.plugin;
+}
+
diff --git a/src/libstrongswan/plugins/aes/aes_plugin.h b/src/libstrongswan/plugins/aes/aes_plugin.h
new file mode 100644
index 000000000..4cf0bc15e
--- /dev/null
+++ b/src/libstrongswan/plugins/aes/aes_plugin.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup aes_p aes
+ * @ingroup plugins
+ *
+ * @defgroup aes_plugin aes_plugin
+ * @{ @ingroup aes_p
+ */
+
+#ifndef AES_PLUGIN_H_
+#define AES_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct aes_plugin_t aes_plugin_t;
+
+/**
+ * Plugin implementing AES based algorithms in software.
+ */
+struct aes_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+/**
+ * Create a aes_plugin instance.
+ */
+plugin_t *plugin_create();
+
+#endif /* AES_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/curl/Makefile.am b/src/libstrongswan/plugins/curl/Makefile.am
new file mode 100644
index 000000000..1b44516b2
--- /dev/null
+++ b/src/libstrongswan/plugins/curl/Makefile.am
@@ -0,0 +1,11 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = -rdynamic
+
+plugin_LTLIBRARIES = libstrongswan-curl.la
+
+libstrongswan_curl_la_SOURCES = curl_plugin.h curl_plugin.c curl_fetcher.c curl_fetcher.h
+libstrongswan_curl_la_LDFLAGS = -module
+libstrongswan_curl_la_LIBADD  = -lcurl
+
diff --git a/src/libstrongswan/plugins/curl/Makefile.in b/src/libstrongswan/plugins/curl/Makefile.in
new file mode 100644
index 000000000..d3f7b443d
--- /dev/null
+++ b/src/libstrongswan/plugins/curl/Makefile.in
@@ -0,0 +1,495 @@
+# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libstrongswan/plugins/curl
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__installdirs = "$(DESTDIR)$(plugindir)"
+pluginLTLIBRARIES_INSTALL = $(INSTALL)
+LTLIBRARIES = $(plugin_LTLIBRARIES)
+libstrongswan_curl_la_DEPENDENCIES =
+am_libstrongswan_curl_la_OBJECTS = curl_plugin.lo curl_fetcher.lo
+libstrongswan_curl_la_OBJECTS = $(am_libstrongswan_curl_la_OBJECTS)
+libstrongswan_curl_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_curl_la_LDFLAGS) $(LDFLAGS) -o $@
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_curl_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_curl_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+CXXDEPMODE = @CXXDEPMODE@
+CXXFLAGS = @CXXFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DSYMUTIL = @DSYMUTIL@
+ECHO = @ECHO@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+F77 = @F77@
+FFLAGS = @FFLAGS@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
+IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LINUX_HEADERS = @LINUX_HEADERS@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+NMEDIT = @NMEDIT@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+RANLIB = @RANLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_CXX = @ac_ct_CXX@
+ac_ct_F77 = @ac_ct_F77@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+confdir = @confdir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libstrongswan_plugins = @libstrongswan_plugins@
+linuxdir = @linuxdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+resolv_conf = @resolv_conf@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+simreader = @simreader@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+AM_CFLAGS = -rdynamic
+plugin_LTLIBRARIES = libstrongswan-curl.la
+libstrongswan_curl_la_SOURCES = curl_plugin.h curl_plugin.c curl_fetcher.c curl_fetcher.h
+libstrongswan_curl_la_LDFLAGS = -module
+libstrongswan_curl_la_LIBADD = -lcurl
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
+		&& exit 0; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/libstrongswan/plugins/curl/Makefile'; \
+	cd $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu  src/libstrongswan/plugins/curl/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    f=$(am__strip_dir) \
+	    echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(plugindir)/$$f'"; \
+	    $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(plugindir)/$$f"; \
+	  else :; fi; \
+	done
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  p=$(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$p'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$p"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-curl.la: $(libstrongswan_curl_la_OBJECTS) $(libstrongswan_curl_la_DEPENDENCIES) 
+	$(libstrongswan_curl_la_LINK) -rpath $(plugindir) $(libstrongswan_curl_la_OBJECTS) $(libstrongswan_curl_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/curl_fetcher.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/curl_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	    $$tags $$unique; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$tags $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) $$here
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	    fi; \
+	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
+	mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-info: install-info-am
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
+	distclean-compile distclean-generic distclean-libtool \
+	distclean-tags distdir dvi dvi-am html html-am info info-am \
+	install install-am install-data install-data-am install-dvi \
+	install-dvi-am install-exec install-exec-am install-html \
+	install-html-am install-info install-info-am install-man \
+	install-pdf install-pdf-am install-pluginLTLIBRARIES \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libstrongswan/plugins/curl/curl_fetcher.c b/src/libstrongswan/plugins/curl/curl_fetcher.c
new file mode 100644
index 000000000..4754d569e
--- /dev/null
+++ b/src/libstrongswan/plugins/curl/curl_fetcher.c
@@ -0,0 +1,176 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Copyright (C) 2007 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id: curl_fetcher.c 3529 2008-03-05 15:26:24Z martin $
+ */
+
+#include <curl/curl.h>
+
+#include <library.h>
+#include <debug.h>
+
+#include "curl_fetcher.h"
+
+#define DEFAULT_TIMEOUT 10
+
+typedef struct private_curl_fetcher_t private_curl_fetcher_t;
+
+/**
+ * private data of a curl_fetcher_t object.
+ */
+struct private_curl_fetcher_t {
+	/**
+	 * Public data
+	 */
+	curl_fetcher_t public;
+
+	/**
+	 * CURL handle
+	 */
+	CURL* curl;
+	
+	/**
+	 * request type, as set with FETCH_REQUEST_TYPE
+	 */
+	char *request_type;
+};
+
+/**
+ * writes data into a dynamically resizeable chunk_t
+ */
+static size_t append(void *ptr, size_t size, size_t nmemb, chunk_t *data)
+{
+    size_t realsize = size * nmemb;
+
+    data->ptr = (u_char*)realloc(data->ptr, data->len + realsize);
+    if (data->ptr)
+    {
+		memcpy(&data->ptr[data->len], ptr, realsize);
+		data->len += realsize;
+    }
+    return realsize;
+}
+
+/**
+ * Implements fetcher_t.fetch.
+ */
+static status_t fetch(private_curl_fetcher_t *this, char *uri, chunk_t *result)
+{
+	struct curl_slist *headers = NULL;
+	char error[CURL_ERROR_SIZE];
+	char buf[256];;
+	status_t status;
+	
+	*result = chunk_empty;
+	
+	if (curl_easy_setopt(this->curl, CURLOPT_URL, uri) != CURLE_OK)
+	{	/* URL type not supported by curl */
+		return NOT_SUPPORTED;
+	}
+	curl_easy_setopt(this->curl, CURLOPT_ERRORBUFFER, error);
+	curl_easy_setopt(this->curl, CURLOPT_FAILONERROR, TRUE);
+	curl_easy_setopt(this->curl, CURLOPT_NOSIGNAL, TRUE);
+	curl_easy_setopt(this->curl, CURLOPT_CONNECTTIMEOUT, DEFAULT_TIMEOUT);
+	curl_easy_setopt(this->curl, CURLOPT_WRITEFUNCTION, (void*)append);
+	curl_easy_setopt(this->curl, CURLOPT_WRITEDATA, (void*)result);
+	if (this->request_type)
+	{
+		snprintf(buf, sizeof(buf), "Content-Type: %s", this->request_type);
+		headers = curl_slist_append(headers, buf);
+		curl_easy_setopt(this->curl, CURLOPT_HTTPHEADER, headers);
+	}
+
+	DBG2("sending http request to '%s'...", uri);
+	switch (curl_easy_perform(this->curl))
+	{
+		case CURLE_UNSUPPORTED_PROTOCOL:
+			status = NOT_SUPPORTED;
+			break;
+		case CURLE_OK:
+			status = SUCCESS;
+			break;
+		default:
+    		DBG1("libcurl http request failed: %s", error);
+			status = FAILED;
+			break;
+	}
+	curl_slist_free_all(headers);
+	return status;
+}
+
+/**
+ * Implementation of fetcher_t.set_option.
+ */
+static bool set_option(private_curl_fetcher_t *this, fetcher_option_t option, ...)
+{
+	va_list args;
+	
+	va_start(args, option);
+	switch (option)
+	{
+		case FETCH_REQUEST_DATA:
+		{
+			chunk_t data = va_arg(args, chunk_t);
+			curl_easy_setopt(this->curl, CURLOPT_POSTFIELDS, data.ptr);
+			curl_easy_setopt(this->curl, CURLOPT_POSTFIELDSIZE, data.len);
+			return TRUE;
+		}
+		case FETCH_REQUEST_TYPE:
+		{
+			this->request_type = va_arg(args, char*);
+			return TRUE;
+		}
+		case FETCH_TIMEOUT:
+		{
+			curl_easy_setopt(this->curl, CURLOPT_CONNECTTIMEOUT,
+							 va_arg(args, u_int));
+			return TRUE;
+		}
+		default:
+			return FALSE;
+	}
+}
+
+/**
+ * Implements fetcher_t.destroy
+ */
+static void destroy(private_curl_fetcher_t *this)
+{
+	curl_easy_cleanup(this->curl);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+curl_fetcher_t *curl_fetcher_create()
+{
+	private_curl_fetcher_t *this = malloc_thing(private_curl_fetcher_t);
+
+	this->curl = curl_easy_init();
+	if (this->curl == NULL)
+	{
+		free(this);
+		return NULL;
+	}
+	this->request_type = NULL;
+
+	this->public.interface.fetch = (status_t(*)(fetcher_t*,char*,chunk_t*))fetch;
+	this->public.interface.set_option = (bool(*)(fetcher_t*, fetcher_option_t option, ...))set_option;
+	this->public.interface.destroy = (void (*)(fetcher_t*))destroy;
+
+	return &this->public;
+}
+
diff --git a/src/libstrongswan/plugins/curl/curl_fetcher.h b/src/libstrongswan/plugins/curl/curl_fetcher.h
new file mode 100644
index 000000000..3028eac1b
--- /dev/null
+++ b/src/libstrongswan/plugins/curl/curl_fetcher.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup curl_fetcher curl_fetcher
+ * @{ @ingroup curl_p
+ */
+
+#ifndef CURL_FETCHER_H_
+#define CURL_FETCHER_H_
+
+typedef struct curl_fetcher_t curl_fetcher_t;
+
+/**
+ * Fetcher implementation using libcurl
+ */
+struct curl_fetcher_t {
+
+	/**
+	 * Implements fetcher interface
+	 */
+	fetcher_t interface;
+		
+	/**
+     * Destroy a curl_fetcher instance.
+     */
+    void (*destroy)(curl_fetcher_t *this);
+};
+
+/**
+ * Create a curl_fetcher instance.
+ */
+curl_fetcher_t *curl_fetcher_create();
+
+#endif /* CURL_FETCHER_H_ @}*/
diff --git a/src/libstrongswan/plugins/curl/curl_plugin.c b/src/libstrongswan/plugins/curl/curl_plugin.c
new file mode 100644
index 000000000..a41c3815c
--- /dev/null
+++ b/src/libstrongswan/plugins/curl/curl_plugin.c
@@ -0,0 +1,79 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id: curl_plugin.c 3529 2008-03-05 15:26:24Z martin $
+ */
+
+#include "curl_plugin.h"
+
+#include <library.h>
+#include <debug.h>
+#include "curl_fetcher.h"
+
+#include <curl/curl.h>
+
+typedef struct private_curl_plugin_t private_curl_plugin_t;
+
+/**
+ * private data of curl_plugin
+ */
+struct private_curl_plugin_t {
+
+	/**
+	 * public functions
+	 */
+	curl_plugin_t public;
+};
+
+/**
+ * Implementation of curl_plugin_t.curltroy
+ */
+static void destroy(private_curl_plugin_t *this)
+{
+	lib->fetcher->remove_fetcher(lib->fetcher,
+								 (fetcher_constructor_t)curl_fetcher_create);
+	curl_global_cleanup();
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *plugin_create()
+{
+	CURLcode res;
+	private_curl_plugin_t *this = malloc_thing(private_curl_plugin_t);
+	
+	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+	
+	res = curl_global_init(CURL_GLOBAL_NOTHING);
+	if (res == CURLE_OK)
+	{
+		lib->fetcher->add_fetcher(lib->fetcher,
+						(fetcher_constructor_t)curl_fetcher_create, "file://");
+		lib->fetcher->add_fetcher(lib->fetcher, 
+						(fetcher_constructor_t)curl_fetcher_create, "http://");
+		lib->fetcher->add_fetcher(lib->fetcher,
+						(fetcher_constructor_t)curl_fetcher_create, "https://");
+		lib->fetcher->add_fetcher(lib->fetcher, 
+						(fetcher_constructor_t)curl_fetcher_create, "ftp://");
+    }
+    else
+    {
+    	DBG1("global libcurl initializing failed: %s, curl disabled", 
+			 curl_easy_strerror(res));
+    }
+	return &this->public.plugin;
+}
+
diff --git a/src/libstrongswan/plugins/curl/curl_plugin.h b/src/libstrongswan/plugins/curl/curl_plugin.h
new file mode 100644
index 000000000..73166a25b
--- /dev/null
+++ b/src/libstrongswan/plugins/curl/curl_plugin.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup curl_p curl
+ * @ingroup plugins
+ *
+ * @defgroup curl_plugin curl_plugin
+ * @{ @ingroup curl_p
+ */
+
+#ifndef CURL_PLUGIN_H_
+#define CURL_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct curl_plugin_t curl_plugin_t;
+
+/**
+ * Plugin implementing fetcher interface using libcurl http library.
+ */
+struct curl_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+/**
+ * Create a curl_plugin instance.
+ */
+plugin_t *plugin_create();
+
+#endif /* CURL_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/des/Makefile.am b/src/libstrongswan/plugins/des/Makefile.am
new file mode 100644
index 000000000..ea94eda8a
--- /dev/null
+++ b/src/libstrongswan/plugins/des/Makefile.am
@@ -0,0 +1,10 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = -rdynamic
+
+plugin_LTLIBRARIES = libstrongswan-des.la
+
+libstrongswan_des_la_SOURCES = des_plugin.h des_plugin.c des_crypter.c des_crypter.h
+libstrongswan_des_la_LDFLAGS = -module
+
diff --git a/src/libstrongswan/plugins/des/Makefile.in b/src/libstrongswan/plugins/des/Makefile.in
new file mode 100644
index 000000000..5072a2cab
--- /dev/null
+++ b/src/libstrongswan/plugins/des/Makefile.in
@@ -0,0 +1,494 @@
+# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libstrongswan/plugins/des
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__installdirs = "$(DESTDIR)$(plugindir)"
+pluginLTLIBRARIES_INSTALL = $(INSTALL)
+LTLIBRARIES = $(plugin_LTLIBRARIES)
+libstrongswan_des_la_LIBADD =
+am_libstrongswan_des_la_OBJECTS = des_plugin.lo des_crypter.lo
+libstrongswan_des_la_OBJECTS = $(am_libstrongswan_des_la_OBJECTS)
+libstrongswan_des_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_des_la_LDFLAGS) $(LDFLAGS) -o $@
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_des_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_des_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+CXXDEPMODE = @CXXDEPMODE@
+CXXFLAGS = @CXXFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DSYMUTIL = @DSYMUTIL@
+ECHO = @ECHO@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+F77 = @F77@
+FFLAGS = @FFLAGS@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
+IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LINUX_HEADERS = @LINUX_HEADERS@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+NMEDIT = @NMEDIT@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+RANLIB = @RANLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_CXX = @ac_ct_CXX@
+ac_ct_F77 = @ac_ct_F77@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+confdir = @confdir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libstrongswan_plugins = @libstrongswan_plugins@
+linuxdir = @linuxdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+resolv_conf = @resolv_conf@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+simreader = @simreader@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+AM_CFLAGS = -rdynamic
+plugin_LTLIBRARIES = libstrongswan-des.la
+libstrongswan_des_la_SOURCES = des_plugin.h des_plugin.c des_crypter.c des_crypter.h
+libstrongswan_des_la_LDFLAGS = -module
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
+		&& exit 0; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/libstrongswan/plugins/des/Makefile'; \
+	cd $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu  src/libstrongswan/plugins/des/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    f=$(am__strip_dir) \
+	    echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(plugindir)/$$f'"; \
+	    $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(plugindir)/$$f"; \
+	  else :; fi; \
+	done
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  p=$(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$p'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$p"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-des.la: $(libstrongswan_des_la_OBJECTS) $(libstrongswan_des_la_DEPENDENCIES) 
+	$(libstrongswan_des_la_LINK) -rpath $(plugindir) $(libstrongswan_des_la_OBJECTS) $(libstrongswan_des_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/des_crypter.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/des_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	    $$tags $$unique; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$tags $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) $$here
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	    fi; \
+	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
+	mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-info: install-info-am
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
+	distclean-compile distclean-generic distclean-libtool \
+	distclean-tags distdir dvi dvi-am html html-am info info-am \
+	install install-am install-data install-data-am install-dvi \
+	install-dvi-am install-exec install-exec-am install-html \
+	install-html-am install-info install-info-am install-man \
+	install-pdf install-pdf-am install-pluginLTLIBRARIES \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libstrongswan/plugins/des/des_crypter.c b/src/libstrongswan/plugins/des/des_crypter.c
new file mode 100644
index 000000000..43aff4dd1
--- /dev/null
+++ b/src/libstrongswan/plugins/des/des_crypter.c
@@ -0,0 +1,1517 @@
+/* Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * Derived from Plutos DES library by Eric Young.
+ *
+ * Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ *
+ * $Id: des_crypter.c 3910 2008-05-07 11:54:30Z martin $
+ */
+
+#include "des_crypter.h"
+
+typedef u_char des_cblock[8];
+
+typedef struct des_ks_struct {
+	des_cblock _;
+} des_key_schedule[16];
+
+
+typedef struct private_des_crypter_t private_des_crypter_t;
+
+/**
+ * Private data for des_crypter_t
+ */
+struct private_des_crypter_t {
+	
+	/**
+	 * Public part of this class.
+	 */
+	des_crypter_t public;
+	
+	/**
+	 * Key size, depends on algoritm...
+	 */
+	size_t key_size;
+	
+	union {
+		/** key schedule for single des */
+		des_key_schedule ks;
+		/** key schedule for 3des */
+		des_key_schedule ks3[3];
+	};
+};
+
+
+#define DES_ENCRYPT 1
+#define DES_DECRYPT 0
+
+#define DES_LONG u_int32_t
+
+#if defined(WIN32) || defined(WIN16)
+#ifndef MSDOS
+#define MSDOS
+#endif
+#endif
+
+#ifndef DES_DEFAULT_OPTIONS
+/* the following is tweaked from a config script, that is why it is a
+ * protected undef/define */
+#ifndef DES_PTR
+#define DES_PTR
+#endif
+
+/* This helps C compiler generate the correct code for multiple functional
+ * units.  It reduces register dependancies at the expense of 2 more
+ * registers */
+#ifndef DES_RISC1
+#define DES_RISC1
+#endif
+
+#ifndef DES_RISC2
+#undef DES_RISC2
+#endif
+
+#if defined(DES_RISC1) && defined(DES_RISC2)
+YOU SHOULD NOT HAVE BOTH DES_RISC1 AND DES_RISC2 DEFINED!!!!!
+#endif
+
+/* Unroll the inner loop, this sometimes helps, sometimes hinders.
+ * Very mucy CPU dependant */
+#ifndef DES_UNROLL
+#define DES_UNROLL
+#endif
+
+/* These default values were supplied by
+ * Peter Gutman <pgut001@cs.auckland.ac.nz>
+ * They are only used if nothing else has been defined */
+#if !defined(DES_PTR) && !defined(DES_RISC1) && !defined(DES_RISC2) && !defined(DES_UNROLL)
+/* Special defines which change the way the code is built depending on the
+   CPU and OS.  For SGI machines you can use _MIPS_SZLONG (32 or 64) to find
+   even newer MIPS CPU's, but at the moment one size fits all for
+   optimization options.  Older Sparc's work better with only UNROLL, but
+   there's no way to tell at compile time what it is you're running on */
+ 
+#if defined( sun )		/* Newer Sparc's */
+#define DES_PTR
+#define DES_RISC1
+#define DES_UNROLL
+#elif defined( __ultrix )	/* Older MIPS */
+#define DES_PTR
+#define DES_RISC2
+#define DES_UNROLL
+#elif defined( __osf1__ )	/* Alpha */
+#define DES_PTR
+#define DES_RISC2
+#elif defined ( _AIX )		/* RS6000 */
+  /* Unknown */
+#elif defined( __hpux )		/* HP-PA */
+  /* Unknown */
+#elif defined( __aux )		/* 68K */
+  /* Unknown */
+#elif defined( __dgux )		/* 88K (but P6 in latest boxes) */
+#define DES_UNROLL
+#elif defined( __sgi )		/* Newer MIPS */
+#define DES_PTR
+#define DES_RISC2
+#define DES_UNROLL
+#elif defined( i386 )		/* x86 boxes, should be gcc */
+#define DES_PTR
+#define DES_RISC1
+#define DES_UNROLL
+#endif /* Systems-specific speed defines */
+#endif
+
+#endif /* DES_DEFAULT_OPTIONS */
+
+#ifdef MSDOS		/* Visual C++ 2.1 (Windows NT/95) */
+#include <stdlib.h>
+#include <errno.h>
+#include <time.h>
+#include <io.h>
+#ifndef RAND
+#define RAND
+#endif
+#undef NOPROTO
+#endif
+
+#if defined(__STDC__) || defined(VMS) || defined(M_XENIX) || defined(MSDOS)
+#ifndef __KERNEL__
+#include <string.h>
+#else
+#include <linux/string.h>
+#endif
+#endif
+
+#ifndef RAND
+#define RAND
+#endif
+
+#ifdef linux
+#undef RAND
+#endif
+
+#ifdef MSDOS
+#define getpid() 2
+#define RAND
+#undef NOPROTO
+#endif
+
+#if defined(NOCONST)
+#define const
+#endif
+
+#ifdef __STDC__
+#undef NOPROTO
+#endif
+
+#ifdef RAND
+#define srandom(s) srand(s)
+#define random rand
+#endif
+
+#define ITERATIONS 16
+#define HALF_ITERATIONS 8
+
+/* used in des_read and des_write */
+#define MAXWRITE	(1024*16)
+#define BSIZE		(MAXWRITE+4)
+
+#define c2l(c,l)	(l =((DES_LONG)(*((c)++)))    , \
+			 l|=((DES_LONG)(*((c)++)))<< 8L, \
+			 l|=((DES_LONG)(*((c)++)))<<16L, \
+			 l|=((DES_LONG)(*((c)++)))<<24L)
+
+/* NOTE - c is not incremented as per c2l */
+#define c2ln(c,l1,l2,n)	{ \
+			c+=n; \
+			l1=l2=0; \
+			switch (n) { \
+			case 8: l2 =((DES_LONG)(*(--(c))))<<24L; \
+			case 7: l2|=((DES_LONG)(*(--(c))))<<16L; \
+			case 6: l2|=((DES_LONG)(*(--(c))))<< 8L; \
+			case 5: l2|=((DES_LONG)(*(--(c))));     \
+			case 4: l1 =((DES_LONG)(*(--(c))))<<24L; \
+			case 3: l1|=((DES_LONG)(*(--(c))))<<16L; \
+			case 2: l1|=((DES_LONG)(*(--(c))))<< 8L; \
+			case 1: l1|=((DES_LONG)(*(--(c))));     \
+} \
+}
+
+#define l2c(l,c)	(*((c)++)=(unsigned char)(((l)     )&0xff), \
+			 *((c)++)=(unsigned char)(((l)>> 8L)&0xff), \
+			 *((c)++)=(unsigned char)(((l)>>16L)&0xff), \
+			 *((c)++)=(unsigned char)(((l)>>24L)&0xff))
+
+/* replacements for htonl and ntohl since I have no idea what to do
+ * when faced with machines with 8 byte longs. */
+#define HDRSIZE 4
+
+#define n2l(c,l)	(l =((DES_LONG)(*((c)++)))<<24L, \
+			 l|=((DES_LONG)(*((c)++)))<<16L, \
+			 l|=((DES_LONG)(*((c)++)))<< 8L, \
+			 l|=((DES_LONG)(*((c)++))))
+
+#define l2n(l,c)	(*((c)++)=(unsigned char)(((l)>>24L)&0xff), \
+			 *((c)++)=(unsigned char)(((l)>>16L)&0xff), \
+			 *((c)++)=(unsigned char)(((l)>> 8L)&0xff), \
+			 *((c)++)=(unsigned char)(((l)     )&0xff))
+
+/* NOTE - c is not incremented as per l2c */
+#define l2cn(l1,l2,c,n)	{ \
+			c+=n; \
+			switch (n) { \
+			case 8: *(--(c))=(unsigned char)(((l2)>>24L)&0xff); \
+			case 7: *(--(c))=(unsigned char)(((l2)>>16L)&0xff); \
+			case 6: *(--(c))=(unsigned char)(((l2)>> 8L)&0xff); \
+			case 5: *(--(c))=(unsigned char)(((l2)     )&0xff); \
+			case 4: *(--(c))=(unsigned char)(((l1)>>24L)&0xff); \
+			case 3: *(--(c))=(unsigned char)(((l1)>>16L)&0xff); \
+			case 2: *(--(c))=(unsigned char)(((l1)>> 8L)&0xff); \
+			case 1: *(--(c))=(unsigned char)(((l1)     )&0xff); \
+} \
+}
+
+#if defined(WIN32)
+#define	ROTATE(a,n)	(_lrotr(a,n))
+#else
+#define	ROTATE(a,n)	(((a)>>(n))+((a)<<(32-(n))))
+#endif
+
+/* Don't worry about the LOAD_DATA() stuff, that is used by
+ * fcrypt() to add it's little bit to the front */
+
+#ifdef DES_FCRYPT
+
+#define LOAD_DATA_tmp(R,S,u,t,E0,E1) \
+{ DES_LONG tmp; LOAD_DATA(R,S,u,t,E0,E1,tmp); }
+
+#define LOAD_DATA(R,S,u,t,E0,E1,tmp) \
+	t=R^(R>>16L); \
+	u=t&E0; t&=E1; \
+	tmp=(u<<16); u^=R^s[S  ]; u^=tmp; \
+	tmp=(t<<16); t^=R^s[S+1]; t^=tmp
+#else
+#define LOAD_DATA_tmp(a,b,c,d,e,f) LOAD_DATA(a,b,c,d,e,f,g)
+#define LOAD_DATA(R,S,u,t,E0,E1,tmp) \
+	u=R^s[S  ]; \
+	t=R^s[S+1]
+#endif
+
+/* The changes to this macro may help or hinder, depending on the
+ * compiler and the achitecture.  gcc2 always seems to do well :-).
+ * Inspired by Dana How <how@isl.stanford.edu>
+ * DO NOT use the alternative version on machines with 8 byte longs.
+ * It does not seem to work on the Alpha, even when DES_LONG is 4
+ * bytes, probably an issue of accessing non-word aligned objects :-( */
+#ifdef DES_PTR
+
+/* It recently occured to me that 0^0^0^0^0^0^0 == 0, so there
+ * is no reason to not xor all the sub items together.  This potentially
+ * saves a register since things can be xored directly into L */
+
+#if defined(DES_RISC1) || defined(DES_RISC2)
+#ifdef DES_RISC1
+#define D_ENCRYPT(LL,R,S) { \
+	unsigned int u1,u2,u3; \
+	LOAD_DATA(R,S,u,t,E0,E1,u1); \
+	u2=(int)u>>8L; \
+	u1=(int)u&0xfc; \
+	u2&=0xfc; \
+	t=ROTATE(t,4); \
+	u>>=16L; \
+	LL^= *(DES_LONG *)((unsigned char *)des_SP      +u1); \
+	LL^= *(DES_LONG *)((unsigned char *)des_SP+0x200+u2); \
+	u3=(int)(u>>8L); \
+	u1=(int)u&0xfc; \
+	u3&=0xfc; \
+	LL^= *(DES_LONG *)((unsigned char *)des_SP+0x400+u1); \
+	LL^= *(DES_LONG *)((unsigned char *)des_SP+0x600+u3); \
+	u2=(int)t>>8L; \
+	u1=(int)t&0xfc; \
+	u2&=0xfc; \
+	t>>=16L; \
+	LL^= *(DES_LONG *)((unsigned char *)des_SP+0x100+u1); \
+	LL^= *(DES_LONG *)((unsigned char *)des_SP+0x300+u2); \
+	u3=(int)t>>8L; \
+	u1=(int)t&0xfc; \
+	u3&=0xfc; \
+	LL^= *(DES_LONG *)((unsigned char *)des_SP+0x500+u1); \
+	LL^= *(DES_LONG *)((unsigned char *)des_SP+0x700+u3); }
+#endif
+#ifdef DES_RISC2
+#define D_ENCRYPT(LL,R,S) { \
+	unsigned int u1,u2,s1,s2; \
+	LOAD_DATA(R,S,u,t,E0,E1,u1); \
+	u2=(int)u>>8L; \
+	u1=(int)u&0xfc; \
+	u2&=0xfc; \
+	t=ROTATE(t,4); \
+	LL^= *(DES_LONG *)((unsigned char *)des_SP      +u1); \
+	LL^= *(DES_LONG *)((unsigned char *)des_SP+0x200+u2); \
+	s1=(int)(u>>16L); \
+	s2=(int)(u>>24L); \
+	s1&=0xfc; \
+	s2&=0xfc; \
+	LL^= *(DES_LONG *)((unsigned char *)des_SP+0x400+s1); \
+	LL^= *(DES_LONG *)((unsigned char *)des_SP+0x600+s2); \
+	u2=(int)t>>8L; \
+	u1=(int)t&0xfc; \
+	u2&=0xfc; \
+	LL^= *(DES_LONG *)((unsigned char *)des_SP+0x100+u1); \
+	LL^= *(DES_LONG *)((unsigned char *)des_SP+0x300+u2); \
+	s1=(int)(t>>16L); \
+	s2=(int)(t>>24L); \
+	s1&=0xfc; \
+	s2&=0xfc; \
+	LL^= *(DES_LONG *)((unsigned char *)des_SP+0x500+s1); \
+	LL^= *(DES_LONG *)((unsigned char *)des_SP+0x700+s2); }
+#endif
+#else
+#define D_ENCRYPT(LL,R,S) { \
+	LOAD_DATA_tmp(R,S,u,t,E0,E1); \
+	t=ROTATE(t,4); \
+	LL^= \
+	*(DES_LONG *)((unsigned char *)des_SP      +((u     )&0xfc))^ \
+	*(DES_LONG *)((unsigned char *)des_SP+0x200+((u>> 8L)&0xfc))^ \
+	*(DES_LONG *)((unsigned char *)des_SP+0x400+((u>>16L)&0xfc))^ \
+	*(DES_LONG *)((unsigned char *)des_SP+0x600+((u>>24L)&0xfc))^ \
+	*(DES_LONG *)((unsigned char *)des_SP+0x100+((t     )&0xfc))^ \
+	*(DES_LONG *)((unsigned char *)des_SP+0x300+((t>> 8L)&0xfc))^ \
+	*(DES_LONG *)((unsigned char *)des_SP+0x500+((t>>16L)&0xfc))^ \
+	*(DES_LONG *)((unsigned char *)des_SP+0x700+((t>>24L)&0xfc)); }
+#endif
+
+#else /* original version */
+
+#if defined(DES_RISC1) || defined(DES_RISC2)
+#ifdef DES_RISC1
+#define D_ENCRYPT(LL,R,S) {\
+	unsigned int u1,u2,u3; \
+	LOAD_DATA(R,S,u,t,E0,E1,u1); \
+	u>>=2L; \
+	t=ROTATE(t,6); \
+	u2=(int)u>>8L; \
+	u1=(int)u&0x3f; \
+	u2&=0x3f; \
+	u>>=16L; \
+	LL^=des_SPtrans[0][u1]; \
+	LL^=des_SPtrans[2][u2]; \
+	u3=(int)u>>8L; \
+	u1=(int)u&0x3f; \
+	u3&=0x3f; \
+	LL^=des_SPtrans[4][u1]; \
+	LL^=des_SPtrans[6][u3]; \
+	u2=(int)t>>8L; \
+	u1=(int)t&0x3f; \
+	u2&=0x3f; \
+	t>>=16L; \
+	LL^=des_SPtrans[1][u1]; \
+	LL^=des_SPtrans[3][u2]; \
+	u3=(int)t>>8L; \
+	u1=(int)t&0x3f; \
+	u3&=0x3f; \
+	LL^=des_SPtrans[5][u1]; \
+	LL^=des_SPtrans[7][u3]; }
+#endif
+#ifdef DES_RISC2
+#define D_ENCRYPT(LL,R,S) {\
+	unsigned int u1,u2,s1,s2; \
+	LOAD_DATA(R,S,u,t,E0,E1,u1); \
+	u>>=2L; \
+	t=ROTATE(t,6); \
+	u2=(int)u>>8L; \
+	u1=(int)u&0x3f; \
+	u2&=0x3f; \
+	LL^=des_SPtrans[0][u1]; \
+	LL^=des_SPtrans[2][u2]; \
+	s1=(int)u>>16L; \
+	s2=(int)u>>24L; \
+	s1&=0x3f; \
+	s2&=0x3f; \
+	LL^=des_SPtrans[4][s1]; \
+	LL^=des_SPtrans[6][s2]; \
+	u2=(int)t>>8L; \
+	u1=(int)t&0x3f; \
+	u2&=0x3f; \
+	LL^=des_SPtrans[1][u1]; \
+	LL^=des_SPtrans[3][u2]; \
+	s1=(int)t>>16; \
+	s2=(int)t>>24L; \
+	s1&=0x3f; \
+	s2&=0x3f; \
+	LL^=des_SPtrans[5][s1]; \
+	LL^=des_SPtrans[7][s2]; }
+#endif
+
+#else
+
+#define D_ENCRYPT(LL,R,S) {\
+	LOAD_DATA_tmp(R,S,u,t,E0,E1); \
+	t=ROTATE(t,4); \
+	LL^=\
+		des_SPtrans[0][(u>> 2L)&0x3f]^ \
+		des_SPtrans[2][(u>>10L)&0x3f]^ \
+		des_SPtrans[4][(u>>18L)&0x3f]^ \
+		des_SPtrans[6][(u>>26L)&0x3f]^ \
+		des_SPtrans[1][(t>> 2L)&0x3f]^ \
+		des_SPtrans[3][(t>>10L)&0x3f]^ \
+		des_SPtrans[5][(t>>18L)&0x3f]^ \
+		des_SPtrans[7][(t>>26L)&0x3f]; }
+#endif
+#endif
+
+	/* IP and FP
+	 * The problem is more of a geometric problem that random bit fiddling.
+	 0  1  2  3  4  5  6  7      62 54 46 38 30 22 14  6
+	 8  9 10 11 12 13 14 15      60 52 44 36 28 20 12  4
+	16 17 18 19 20 21 22 23      58 50 42 34 26 18 10  2
+	24 25 26 27 28 29 30 31  to  56 48 40 32 24 16  8  0
+
+	32 33 34 35 36 37 38 39      63 55 47 39 31 23 15  7
+	40 41 42 43 44 45 46 47      61 53 45 37 29 21 13  5
+	48 49 50 51 52 53 54 55      59 51 43 35 27 19 11  3
+	56 57 58 59 60 61 62 63      57 49 41 33 25 17  9  1
+
+	The output has been subject to swaps of the form
+	0 1 -> 3 1 but the odd and even bits have been put into
+	2 3    2 0
+	different words.  The main trick is to remember that
+	t=((l>>size)^r)&(mask);
+	r^=t;
+	l^=(t<<size);
+	can be used to swap and move bits between words.
+
+	So l =  0  1  2  3  r = 16 17 18 19
+	        4  5  6  7      20 21 22 23
+	        8  9 10 11      24 25 26 27
+	       12 13 14 15      28 29 30 31
+	becomes (for size == 2 and mask == 0x3333)
+	   t =   2^16  3^17 -- --   l =  0  1 16 17  r =  2  3 18 19
+		 6^20  7^21 -- --        4  5 20 21       6  7 22 23
+		10^24 11^25 -- --        8  9 24 25      10 11 24 25
+		14^28 15^29 -- --       12 13 28 29      14 15 28 29
+
+	Thanks for hints from Richard Outerbridge - he told me IP&FP
+	could be done in 15 xor, 10 shifts and 5 ands.
+	When I finally started to think of the problem in 2D
+	I first got ~42 operations without xors.  When I remembered
+	how to use xors :-) I got it to its final state.
+	*/
+#define PERM_OP(a,b,t,n,m) ((t)=((((a)>>(n))^(b))&(m)),\
+	(b)^=(t),\
+	(a)^=((t)<<(n)))
+
+#define IP(l,r) \
+{ \
+	register DES_LONG tt; \
+	PERM_OP(r,l,tt, 4,0x0f0f0f0fL); \
+	PERM_OP(l,r,tt,16,0x0000ffffL); \
+	PERM_OP(r,l,tt, 2,0x33333333L); \
+	PERM_OP(l,r,tt, 8,0x00ff00ffL); \
+	PERM_OP(r,l,tt, 1,0x55555555L); \
+}
+
+#define FP(l,r) \
+{ \
+	register DES_LONG tt; \
+	PERM_OP(l,r,tt, 1,0x55555555L); \
+	PERM_OP(r,l,tt, 8,0x00ff00ffL); \
+	PERM_OP(l,r,tt, 2,0x33333333L); \
+	PERM_OP(r,l,tt,16,0x0000ffffL); \
+	PERM_OP(l,r,tt, 4,0x0f0f0f0fL); \
+}
+
+#ifndef NOPROTO
+void fcrypt_body(DES_LONG *out,des_key_schedule ks,
+				 DES_LONG Eswap0, DES_LONG Eswap1);
+#else
+void fcrypt_body();
+#endif
+
+static const DES_LONG des_skb[8][64]={
+	{	/* for C bits (numbered as per FIPS 46) 1 2 3 4 5 6 */
+		0x00000000L,0x00000010L,0x20000000L,0x20000010L,
+		0x00010000L,0x00010010L,0x20010000L,0x20010010L,
+		0x00000800L,0x00000810L,0x20000800L,0x20000810L,
+		0x00010800L,0x00010810L,0x20010800L,0x20010810L,
+		0x00000020L,0x00000030L,0x20000020L,0x20000030L,
+		0x00010020L,0x00010030L,0x20010020L,0x20010030L,
+		0x00000820L,0x00000830L,0x20000820L,0x20000830L,
+		0x00010820L,0x00010830L,0x20010820L,0x20010830L,
+		0x00080000L,0x00080010L,0x20080000L,0x20080010L,
+		0x00090000L,0x00090010L,0x20090000L,0x20090010L,
+		0x00080800L,0x00080810L,0x20080800L,0x20080810L,
+		0x00090800L,0x00090810L,0x20090800L,0x20090810L,
+		0x00080020L,0x00080030L,0x20080020L,0x20080030L,
+		0x00090020L,0x00090030L,0x20090020L,0x20090030L,
+		0x00080820L,0x00080830L,0x20080820L,0x20080830L,
+		0x00090820L,0x00090830L,0x20090820L,0x20090830L,
+	},
+	{	/* for C bits (numbered as per FIPS 46) 7 8 10 11 12 13 */
+		0x00000000L,0x02000000L,0x00002000L,0x02002000L,
+		0x00200000L,0x02200000L,0x00202000L,0x02202000L,
+		0x00000004L,0x02000004L,0x00002004L,0x02002004L,
+		0x00200004L,0x02200004L,0x00202004L,0x02202004L,
+		0x00000400L,0x02000400L,0x00002400L,0x02002400L,
+		0x00200400L,0x02200400L,0x00202400L,0x02202400L,
+		0x00000404L,0x02000404L,0x00002404L,0x02002404L,
+		0x00200404L,0x02200404L,0x00202404L,0x02202404L,
+		0x10000000L,0x12000000L,0x10002000L,0x12002000L,
+		0x10200000L,0x12200000L,0x10202000L,0x12202000L,
+		0x10000004L,0x12000004L,0x10002004L,0x12002004L,
+		0x10200004L,0x12200004L,0x10202004L,0x12202004L,
+		0x10000400L,0x12000400L,0x10002400L,0x12002400L,
+		0x10200400L,0x12200400L,0x10202400L,0x12202400L,
+		0x10000404L,0x12000404L,0x10002404L,0x12002404L,
+		0x10200404L,0x12200404L,0x10202404L,0x12202404L,
+	},
+	{	/* for C bits (numbered as per FIPS 46) 14 15 16 17 19 20 */
+		0x00000000L,0x00000001L,0x00040000L,0x00040001L,
+		0x01000000L,0x01000001L,0x01040000L,0x01040001L,
+		0x00000002L,0x00000003L,0x00040002L,0x00040003L,
+		0x01000002L,0x01000003L,0x01040002L,0x01040003L,
+		0x00000200L,0x00000201L,0x00040200L,0x00040201L,
+		0x01000200L,0x01000201L,0x01040200L,0x01040201L,
+		0x00000202L,0x00000203L,0x00040202L,0x00040203L,
+		0x01000202L,0x01000203L,0x01040202L,0x01040203L,
+		0x08000000L,0x08000001L,0x08040000L,0x08040001L,
+		0x09000000L,0x09000001L,0x09040000L,0x09040001L,
+		0x08000002L,0x08000003L,0x08040002L,0x08040003L,
+		0x09000002L,0x09000003L,0x09040002L,0x09040003L,
+		0x08000200L,0x08000201L,0x08040200L,0x08040201L,
+		0x09000200L,0x09000201L,0x09040200L,0x09040201L,
+		0x08000202L,0x08000203L,0x08040202L,0x08040203L,
+		0x09000202L,0x09000203L,0x09040202L,0x09040203L,
+	},
+	{	/* for C bits (numbered as per FIPS 46) 21 23 24 26 27 28 */
+		0x00000000L,0x00100000L,0x00000100L,0x00100100L,
+		0x00000008L,0x00100008L,0x00000108L,0x00100108L,
+		0x00001000L,0x00101000L,0x00001100L,0x00101100L,
+		0x00001008L,0x00101008L,0x00001108L,0x00101108L,
+		0x04000000L,0x04100000L,0x04000100L,0x04100100L,
+		0x04000008L,0x04100008L,0x04000108L,0x04100108L,
+		0x04001000L,0x04101000L,0x04001100L,0x04101100L,
+		0x04001008L,0x04101008L,0x04001108L,0x04101108L,
+		0x00020000L,0x00120000L,0x00020100L,0x00120100L,
+		0x00020008L,0x00120008L,0x00020108L,0x00120108L,
+		0x00021000L,0x00121000L,0x00021100L,0x00121100L,
+		0x00021008L,0x00121008L,0x00021108L,0x00121108L,
+		0x04020000L,0x04120000L,0x04020100L,0x04120100L,
+		0x04020008L,0x04120008L,0x04020108L,0x04120108L,
+		0x04021000L,0x04121000L,0x04021100L,0x04121100L,
+		0x04021008L,0x04121008L,0x04021108L,0x04121108L,
+	},
+	{	/* for D bits (numbered as per FIPS 46) 1 2 3 4 5 6 */
+		0x00000000L,0x10000000L,0x00010000L,0x10010000L,
+		0x00000004L,0x10000004L,0x00010004L,0x10010004L,
+		0x20000000L,0x30000000L,0x20010000L,0x30010000L,
+		0x20000004L,0x30000004L,0x20010004L,0x30010004L,
+		0x00100000L,0x10100000L,0x00110000L,0x10110000L,
+		0x00100004L,0x10100004L,0x00110004L,0x10110004L,
+		0x20100000L,0x30100000L,0x20110000L,0x30110000L,
+		0x20100004L,0x30100004L,0x20110004L,0x30110004L,
+		0x00001000L,0x10001000L,0x00011000L,0x10011000L,
+		0x00001004L,0x10001004L,0x00011004L,0x10011004L,
+		0x20001000L,0x30001000L,0x20011000L,0x30011000L,
+		0x20001004L,0x30001004L,0x20011004L,0x30011004L,
+		0x00101000L,0x10101000L,0x00111000L,0x10111000L,
+		0x00101004L,0x10101004L,0x00111004L,0x10111004L,
+		0x20101000L,0x30101000L,0x20111000L,0x30111000L,
+		0x20101004L,0x30101004L,0x20111004L,0x30111004L,
+	},
+	{	/* for D bits (numbered as per FIPS 46) 8 9 11 12 13 14 */
+		0x00000000L,0x08000000L,0x00000008L,0x08000008L,
+		0x00000400L,0x08000400L,0x00000408L,0x08000408L,
+		0x00020000L,0x08020000L,0x00020008L,0x08020008L,
+		0x00020400L,0x08020400L,0x00020408L,0x08020408L,
+		0x00000001L,0x08000001L,0x00000009L,0x08000009L,
+		0x00000401L,0x08000401L,0x00000409L,0x08000409L,
+		0x00020001L,0x08020001L,0x00020009L,0x08020009L,
+		0x00020401L,0x08020401L,0x00020409L,0x08020409L,
+		0x02000000L,0x0A000000L,0x02000008L,0x0A000008L,
+		0x02000400L,0x0A000400L,0x02000408L,0x0A000408L,
+		0x02020000L,0x0A020000L,0x02020008L,0x0A020008L,
+		0x02020400L,0x0A020400L,0x02020408L,0x0A020408L,
+		0x02000001L,0x0A000001L,0x02000009L,0x0A000009L,
+		0x02000401L,0x0A000401L,0x02000409L,0x0A000409L,
+		0x02020001L,0x0A020001L,0x02020009L,0x0A020009L,
+		0x02020401L,0x0A020401L,0x02020409L,0x0A020409L,
+	},
+	{	/* for D bits (numbered as per FIPS 46) 16 17 18 19 20 21 */
+		0x00000000L,0x00000100L,0x00080000L,0x00080100L,
+		0x01000000L,0x01000100L,0x01080000L,0x01080100L,
+		0x00000010L,0x00000110L,0x00080010L,0x00080110L,
+		0x01000010L,0x01000110L,0x01080010L,0x01080110L,
+		0x00200000L,0x00200100L,0x00280000L,0x00280100L,
+		0x01200000L,0x01200100L,0x01280000L,0x01280100L,
+		0x00200010L,0x00200110L,0x00280010L,0x00280110L,
+		0x01200010L,0x01200110L,0x01280010L,0x01280110L,
+		0x00000200L,0x00000300L,0x00080200L,0x00080300L,
+		0x01000200L,0x01000300L,0x01080200L,0x01080300L,
+		0x00000210L,0x00000310L,0x00080210L,0x00080310L,
+		0x01000210L,0x01000310L,0x01080210L,0x01080310L,
+		0x00200200L,0x00200300L,0x00280200L,0x00280300L,
+		0x01200200L,0x01200300L,0x01280200L,0x01280300L,
+		0x00200210L,0x00200310L,0x00280210L,0x00280310L,
+		0x01200210L,0x01200310L,0x01280210L,0x01280310L,
+	},
+	{	/* for D bits (numbered as per FIPS 46) 22 23 24 25 27 28 */
+		0x00000000L,0x04000000L,0x00040000L,0x04040000L,
+		0x00000002L,0x04000002L,0x00040002L,0x04040002L,
+		0x00002000L,0x04002000L,0x00042000L,0x04042000L,
+		0x00002002L,0x04002002L,0x00042002L,0x04042002L,
+		0x00000020L,0x04000020L,0x00040020L,0x04040020L,
+		0x00000022L,0x04000022L,0x00040022L,0x04040022L,
+		0x00002020L,0x04002020L,0x00042020L,0x04042020L,
+		0x00002022L,0x04002022L,0x00042022L,0x04042022L,
+		0x00000800L,0x04000800L,0x00040800L,0x04040800L,
+		0x00000802L,0x04000802L,0x00040802L,0x04040802L,
+		0x00002800L,0x04002800L,0x00042800L,0x04042800L,
+		0x00002802L,0x04002802L,0x00042802L,0x04042802L,
+		0x00000820L,0x04000820L,0x00040820L,0x04040820L,
+		0x00000822L,0x04000822L,0x00040822L,0x04040822L,
+		0x00002820L,0x04002820L,0x00042820L,0x04042820L,
+		0x00002822L,0x04002822L,0x00042822L,0x04042822L,
+	}
+};
+
+const DES_LONG des_SPtrans[8][64]={
+	{
+		/* nibble 0 */
+		0x02080800L, 0x00080000L, 0x02000002L, 0x02080802L,
+		0x02000000L, 0x00080802L, 0x00080002L, 0x02000002L,
+		0x00080802L, 0x02080800L, 0x02080000L, 0x00000802L,
+		0x02000802L, 0x02000000L, 0x00000000L, 0x00080002L,
+		0x00080000L, 0x00000002L, 0x02000800L, 0x00080800L,
+		0x02080802L, 0x02080000L, 0x00000802L, 0x02000800L,
+		0x00000002L, 0x00000800L, 0x00080800L, 0x02080002L,
+		0x00000800L, 0x02000802L, 0x02080002L, 0x00000000L,
+		0x00000000L, 0x02080802L, 0x02000800L, 0x00080002L,
+		0x02080800L, 0x00080000L, 0x00000802L, 0x02000800L,
+		0x02080002L, 0x00000800L, 0x00080800L, 0x02000002L,
+		0x00080802L, 0x00000002L, 0x02000002L, 0x02080000L,
+		0x02080802L, 0x00080800L, 0x02080000L, 0x02000802L,
+		0x02000000L, 0x00000802L, 0x00080002L, 0x00000000L,
+		0x00080000L, 0x02000000L, 0x02000802L, 0x02080800L,
+		0x00000002L, 0x02080002L, 0x00000800L, 0x00080802L,
+	},
+	{	/* nibble 1 */
+		0x40108010L, 0x00000000L, 0x00108000L, 0x40100000L,
+		0x40000010L, 0x00008010L, 0x40008000L, 0x00108000L,
+		0x00008000L, 0x40100010L, 0x00000010L, 0x40008000L,
+		0x00100010L, 0x40108000L, 0x40100000L, 0x00000010L,
+		0x00100000L, 0x40008010L, 0x40100010L, 0x00008000L,
+		0x00108010L, 0x40000000L, 0x00000000L, 0x00100010L,
+		0x40008010L, 0x00108010L, 0x40108000L, 0x40000010L,
+		0x40000000L, 0x00100000L, 0x00008010L, 0x40108010L,
+		0x00100010L, 0x40108000L, 0x40008000L, 0x00108010L,
+		0x40108010L, 0x00100010L, 0x40000010L, 0x00000000L,
+		0x40000000L, 0x00008010L, 0x00100000L, 0x40100010L,
+		0x00008000L, 0x40000000L, 0x00108010L, 0x40008010L,
+		0x40108000L, 0x00008000L, 0x00000000L, 0x40000010L,
+		0x00000010L, 0x40108010L, 0x00108000L, 0x40100000L,
+		0x40100010L, 0x00100000L, 0x00008010L, 0x40008000L,
+		0x40008010L, 0x00000010L, 0x40100000L, 0x00108000L,
+	},
+	{	/* nibble 2 */
+		0x04000001L, 0x04040100L, 0x00000100L, 0x04000101L,
+		0x00040001L, 0x04000000L, 0x04000101L, 0x00040100L,
+		0x04000100L, 0x00040000L, 0x04040000L, 0x00000001L,
+		0x04040101L, 0x00000101L, 0x00000001L, 0x04040001L,
+		0x00000000L, 0x00040001L, 0x04040100L, 0x00000100L,
+		0x00000101L, 0x04040101L, 0x00040000L, 0x04000001L,
+		0x04040001L, 0x04000100L, 0x00040101L, 0x04040000L,
+		0x00040100L, 0x00000000L, 0x04000000L, 0x00040101L,
+		0x04040100L, 0x00000100L, 0x00000001L, 0x00040000L,
+		0x00000101L, 0x00040001L, 0x04040000L, 0x04000101L,
+		0x00000000L, 0x04040100L, 0x00040100L, 0x04040001L,
+		0x00040001L, 0x04000000L, 0x04040101L, 0x00000001L,
+		0x00040101L, 0x04000001L, 0x04000000L, 0x04040101L,
+		0x00040000L, 0x04000100L, 0x04000101L, 0x00040100L,
+		0x04000100L, 0x00000000L, 0x04040001L, 0x00000101L,
+		0x04000001L, 0x00040101L, 0x00000100L, 0x04040000L,
+	},
+	{	/* nibble 3 */
+		0x00401008L, 0x10001000L, 0x00000008L, 0x10401008L,
+		0x00000000L, 0x10400000L, 0x10001008L, 0x00400008L,
+		0x10401000L, 0x10000008L, 0x10000000L, 0x00001008L,
+		0x10000008L, 0x00401008L, 0x00400000L, 0x10000000L,
+		0x10400008L, 0x00401000L, 0x00001000L, 0x00000008L,
+		0x00401000L, 0x10001008L, 0x10400000L, 0x00001000L,
+		0x00001008L, 0x00000000L, 0x00400008L, 0x10401000L,
+		0x10001000L, 0x10400008L, 0x10401008L, 0x00400000L,
+		0x10400008L, 0x00001008L, 0x00400000L, 0x10000008L,
+		0x00401000L, 0x10001000L, 0x00000008L, 0x10400000L,
+		0x10001008L, 0x00000000L, 0x00001000L, 0x00400008L,
+		0x00000000L, 0x10400008L, 0x10401000L, 0x00001000L,
+		0x10000000L, 0x10401008L, 0x00401008L, 0x00400000L,
+		0x10401008L, 0x00000008L, 0x10001000L, 0x00401008L,
+		0x00400008L, 0x00401000L, 0x10400000L, 0x10001008L,
+		0x00001008L, 0x10000000L, 0x10000008L, 0x10401000L,
+	},
+	{	/* nibble 4 */
+		0x08000000L, 0x00010000L, 0x00000400L, 0x08010420L,
+		0x08010020L, 0x08000400L, 0x00010420L, 0x08010000L,
+		0x00010000L, 0x00000020L, 0x08000020L, 0x00010400L,
+		0x08000420L, 0x08010020L, 0x08010400L, 0x00000000L,
+		0x00010400L, 0x08000000L, 0x00010020L, 0x00000420L,
+		0x08000400L, 0x00010420L, 0x00000000L, 0x08000020L,
+		0x00000020L, 0x08000420L, 0x08010420L, 0x00010020L,
+		0x08010000L, 0x00000400L, 0x00000420L, 0x08010400L,
+		0x08010400L, 0x08000420L, 0x00010020L, 0x08010000L,
+		0x00010000L, 0x00000020L, 0x08000020L, 0x08000400L,
+		0x08000000L, 0x00010400L, 0x08010420L, 0x00000000L,
+		0x00010420L, 0x08000000L, 0x00000400L, 0x00010020L,
+		0x08000420L, 0x00000400L, 0x00000000L, 0x08010420L,
+		0x08010020L, 0x08010400L, 0x00000420L, 0x00010000L,
+		0x00010400L, 0x08010020L, 0x08000400L, 0x00000420L,
+		0x00000020L, 0x00010420L, 0x08010000L, 0x08000020L,
+	},
+	{	/* nibble 5 */
+		0x80000040L, 0x00200040L, 0x00000000L, 0x80202000L,
+		0x00200040L, 0x00002000L, 0x80002040L, 0x00200000L,
+		0x00002040L, 0x80202040L, 0x00202000L, 0x80000000L,
+		0x80002000L, 0x80000040L, 0x80200000L, 0x00202040L,
+		0x00200000L, 0x80002040L, 0x80200040L, 0x00000000L,
+		0x00002000L, 0x00000040L, 0x80202000L, 0x80200040L,
+		0x80202040L, 0x80200000L, 0x80000000L, 0x00002040L,
+		0x00000040L, 0x00202000L, 0x00202040L, 0x80002000L,
+		0x00002040L, 0x80000000L, 0x80002000L, 0x00202040L,
+		0x80202000L, 0x00200040L, 0x00000000L, 0x80002000L,
+		0x80000000L, 0x00002000L, 0x80200040L, 0x00200000L,
+		0x00200040L, 0x80202040L, 0x00202000L, 0x00000040L,
+		0x80202040L, 0x00202000L, 0x00200000L, 0x80002040L,
+		0x80000040L, 0x80200000L, 0x00202040L, 0x00000000L,
+		0x00002000L, 0x80000040L, 0x80002040L, 0x80202000L,
+		0x80200000L, 0x00002040L, 0x00000040L, 0x80200040L,
+	},
+	{	/* nibble 6 */
+		0x00004000L, 0x00000200L, 0x01000200L, 0x01000004L,
+		0x01004204L, 0x00004004L, 0x00004200L, 0x00000000L,
+		0x01000000L, 0x01000204L, 0x00000204L, 0x01004000L,
+		0x00000004L, 0x01004200L, 0x01004000L, 0x00000204L,
+		0x01000204L, 0x00004000L, 0x00004004L, 0x01004204L,
+		0x00000000L, 0x01000200L, 0x01000004L, 0x00004200L,
+		0x01004004L, 0x00004204L, 0x01004200L, 0x00000004L,
+		0x00004204L, 0x01004004L, 0x00000200L, 0x01000000L,
+		0x00004204L, 0x01004000L, 0x01004004L, 0x00000204L,
+		0x00004000L, 0x00000200L, 0x01000000L, 0x01004004L,
+		0x01000204L, 0x00004204L, 0x00004200L, 0x00000000L,
+		0x00000200L, 0x01000004L, 0x00000004L, 0x01000200L,
+		0x00000000L, 0x01000204L, 0x01000200L, 0x00004200L,
+		0x00000204L, 0x00004000L, 0x01004204L, 0x01000000L,
+		0x01004200L, 0x00000004L, 0x00004004L, 0x01004204L,
+		0x01000004L, 0x01004200L, 0x01004000L, 0x00004004L,
+	},
+	{	/* nibble 7 */
+		0x20800080L, 0x20820000L, 0x00020080L, 0x00000000L,
+		0x20020000L, 0x00800080L, 0x20800000L, 0x20820080L,
+		0x00000080L, 0x20000000L, 0x00820000L, 0x00020080L,
+		0x00820080L, 0x20020080L, 0x20000080L, 0x20800000L,
+		0x00020000L, 0x00820080L, 0x00800080L, 0x20020000L,
+		0x20820080L, 0x20000080L, 0x00000000L, 0x00820000L,
+		0x20000000L, 0x00800000L, 0x20020080L, 0x20800080L,
+		0x00800000L, 0x00020000L, 0x20820000L, 0x00000080L,
+		0x00800000L, 0x00020000L, 0x20000080L, 0x20820080L,
+		0x00020080L, 0x20000000L, 0x00000000L, 0x00820000L,
+		0x20800080L, 0x20020080L, 0x20020000L, 0x00800080L,
+		0x20820000L, 0x00000080L, 0x00800080L, 0x20020000L,
+		0x20820080L, 0x00800000L, 0x20800000L, 0x20000080L,
+		0x00820000L, 0x00020080L, 0x20020080L, 0x20800000L,
+		0x00000080L, 0x20820000L, 0x00820080L, 0x00000000L,
+		0x20000000L, 0x20800080L, 0x00020000L, 0x00820080L,
+	}
+};
+
+#define HPERM_OP(a,t,n,m) ((t)=((((a)<<(16-(n)))^(a))&(m)),\
+	(a)=(a)^(t)^(t>>(16-(n))))
+
+static const unsigned char odd_parity[256]={
+	1,  1,  2,  2,  4,  4,  7,  7,  8,  8, 11, 11, 13, 13, 14, 14,
+	16, 16, 19, 19, 21, 21, 22, 22, 25, 25, 26, 26, 28, 28, 31, 31,
+	32, 32, 35, 35, 37, 37, 38, 38, 41, 41, 42, 42, 44, 44, 47, 47,
+	49, 49, 50, 50, 52, 52, 55, 55, 56, 56, 59, 59, 61, 61, 62, 62,
+	64, 64, 67, 67, 69, 69, 70, 70, 73, 73, 74, 74, 76, 76, 79, 79,
+	81, 81, 82, 82, 84, 84, 87, 87, 88, 88, 91, 91, 93, 93, 94, 94,
+	97, 97, 98, 98,100,100,103,103,104,104,107,107,109,109,110,110,
+	112,112,115,115,117,117,118,118,121,121,122,122,124,124,127,127,
+	128,128,131,131,133,133,134,134,137,137,138,138,140,140,143,143,
+	145,145,146,146,148,148,151,151,152,152,155,155,157,157,158,158,
+	161,161,162,162,164,164,167,167,168,168,171,171,173,173,174,174,
+	176,176,179,179,181,181,182,182,185,185,186,186,188,188,191,191,
+	193,193,194,194,196,196,199,199,200,200,203,203,205,205,206,206,
+	208,208,211,211,213,213,214,214,217,217,218,218,220,220,223,223,
+	224,224,227,227,229,229,230,230,233,233,234,234,236,236,239,239,
+	241,241,242,242,244,244,247,247,248,248,251,251,253,253,254,254
+};
+
+/**
+ * Create key schedule for a single DES 64Bit key
+ */
+static int des_set_key(des_cblock *key, des_key_schedule *schedule)
+{
+	static int shifts2[16] = {0,0,1,1,1,1,1,1,0,1,1,1,1,1,1,0};
+	register DES_LONG c,d,t,s,t2;
+	register unsigned char *in;
+	register DES_LONG *k;
+	register int i;
+	des_cblock odd;
+
+	for (i = 0; i < sizeof(des_cblock); i++)
+	{
+		odd[i] = odd_parity[(*key)[i]];
+	}
+
+	k=(DES_LONG *)schedule;
+	in=(unsigned char *)&odd;
+
+	c2l(in,c);
+	c2l(in,d);
+
+	/* do PC1 in 60 simple operations */ 
+/*	PERM_OP(d,c,t,4,0x0f0f0f0fL);
+	HPERM_OP(c,t,-2, 0xcccc0000L);
+	HPERM_OP(c,t,-1, 0xaaaa0000L);
+	HPERM_OP(c,t, 8, 0x00ff0000L);
+	HPERM_OP(c,t,-1, 0xaaaa0000L);
+	HPERM_OP(d,t,-8, 0xff000000L);
+	HPERM_OP(d,t, 8, 0x00ff0000L);
+	HPERM_OP(d,t, 2, 0x33330000L);
+	d=((d&0x00aa00aaL)<<7L)|((d&0x55005500L)>>7L)|(d&0xaa55aa55L);
+	d=(d>>8)|((c&0xf0000000L)>>4);
+	c&=0x0fffffffL; */
+
+	/* I now do it in 47 simple operations :-)
+	* Thanks to John Fletcher (john_fletcher@lccmail.ocf.llnl.gov)
+	* for the inspiration. :-) */
+	PERM_OP (d,c,t,4,0x0f0f0f0fL);
+	HPERM_OP(c,t,-2,0xcccc0000L);
+	HPERM_OP(d,t,-2,0xcccc0000L);
+	PERM_OP (d,c,t,1,0x55555555L);
+	PERM_OP (c,d,t,8,0x00ff00ffL);
+	PERM_OP (d,c,t,1,0x55555555L);
+	d=	(((d&0x000000ffL)<<16L)| (d&0x0000ff00L)     |
+			((d&0x00ff0000L)>>16L)|((c&0xf0000000L)>>4L));
+	c&=0x0fffffffL;
+
+	for (i=0; i<ITERATIONS; i++)
+	{
+		if (shifts2[i])
+		{ c=((c>>2L)|(c<<26L)); d=((d>>2L)|(d<<26L)); }
+		else
+		{ c=((c>>1L)|(c<<27L)); d=((d>>1L)|(d<<27L)); }
+		c&=0x0fffffffL;
+		d&=0x0fffffffL;
+		/* could be a few less shifts but I am to lazy at this
+		* point in time to investigate */
+		s=	des_skb[0][ (c    )&0x3f                ]|
+				des_skb[1][((c>> 6)&0x03)|((c>> 7L)&0x3c)]|
+				des_skb[2][((c>>13)&0x0f)|((c>>14L)&0x30)]|
+				des_skb[3][((c>>20)&0x01)|((c>>21L)&0x06) |
+				((c>>22L)&0x38)];
+		t=	des_skb[4][ (d    )&0x3f                ]|
+				des_skb[5][((d>> 7L)&0x03)|((d>> 8L)&0x3c)]|
+				des_skb[6][ (d>>15L)&0x3f                ]|
+				des_skb[7][((d>>21L)&0x0f)|((d>>22L)&0x30)];
+
+		/* table contained 0213 4657 */
+		t2=((t<<16L)|(s&0x0000ffffL))&0xffffffffL;
+		*(k++)=ROTATE(t2,30)&0xffffffffL;
+
+		t2=((s>>16L)|(t&0xffff0000L));
+		*(k++)=ROTATE(t2,26)&0xffffffffL;
+	}
+	return(0);
+}
+
+
+static void des_encrypt(DES_LONG *data, des_key_schedule ks, int enc)
+{
+	register DES_LONG l,r,t,u;
+#ifdef DES_PTR
+	register unsigned char *des_SP=(unsigned char *)des_SPtrans;
+#endif
+#ifndef DES_UNROLL
+	register int i;
+#endif
+	register DES_LONG *s;
+
+	r=data[0];
+	l=data[1];
+
+	IP(r,l);
+	/* Things have been modified so that the initial rotate is
+	* done outside the loop.  This required the
+	* des_SPtrans values in sp.h to be rotated 1 bit to the right.
+	* One perl script later and things have a 5% speed up on a sparc2.
+	* Thanks to Richard Outerbridge <71755.204@CompuServe.COM>
+	* for pointing this out. */
+	/* clear the top bits on machines with 8byte longs */
+	/* shift left by 2 */
+	r=ROTATE(r,29)&0xffffffffL;
+	l=ROTATE(l,29)&0xffffffffL;
+
+	s=(DES_LONG *)ks;
+	/* I don't know if it is worth the effort of loop unrolling the
+	* inner loop */
+	if (enc)
+	{
+#ifdef DES_UNROLL
+		D_ENCRYPT(l,r, 0); /*  1 */
+		D_ENCRYPT(r,l, 2); /*  2 */
+		D_ENCRYPT(l,r, 4); /*  3 */
+		D_ENCRYPT(r,l, 6); /*  4 */
+		D_ENCRYPT(l,r, 8); /*  5 */
+		D_ENCRYPT(r,l,10); /*  6 */
+		D_ENCRYPT(l,r,12); /*  7 */
+		D_ENCRYPT(r,l,14); /*  8 */
+		D_ENCRYPT(l,r,16); /*  9 */
+		D_ENCRYPT(r,l,18); /*  10 */
+		D_ENCRYPT(l,r,20); /*  11 */
+		D_ENCRYPT(r,l,22); /*  12 */
+		D_ENCRYPT(l,r,24); /*  13 */
+		D_ENCRYPT(r,l,26); /*  14 */
+		D_ENCRYPT(l,r,28); /*  15 */
+		D_ENCRYPT(r,l,30); /*  16 */
+#else
+		for (i=0; i<32; i+=8)
+{
+	D_ENCRYPT(l,r,i+0); /*  1 */
+	D_ENCRYPT(r,l,i+2); /*  2 */
+	D_ENCRYPT(l,r,i+4); /*  3 */
+	D_ENCRYPT(r,l,i+6); /*  4 */
+}
+#endif
+	}
+	else
+{
+#ifdef DES_UNROLL
+		D_ENCRYPT(l,r,30); /* 16 */
+		D_ENCRYPT(r,l,28); /* 15 */
+		D_ENCRYPT(l,r,26); /* 14 */
+		D_ENCRYPT(r,l,24); /* 13 */
+		D_ENCRYPT(l,r,22); /* 12 */
+		D_ENCRYPT(r,l,20); /* 11 */
+		D_ENCRYPT(l,r,18); /* 10 */
+		D_ENCRYPT(r,l,16); /*  9 */
+		D_ENCRYPT(l,r,14); /*  8 */
+		D_ENCRYPT(r,l,12); /*  7 */
+		D_ENCRYPT(l,r,10); /*  6 */
+		D_ENCRYPT(r,l, 8); /*  5 */
+		D_ENCRYPT(l,r, 6); /*  4 */
+		D_ENCRYPT(r,l, 4); /*  3 */
+		D_ENCRYPT(l,r, 2); /*  2 */
+		D_ENCRYPT(r,l, 0); /*  1 */
+#else
+		for (i=30; i>0; i-=8)
+{
+	D_ENCRYPT(l,r,i-0); /* 16 */
+	D_ENCRYPT(r,l,i-2); /* 15 */
+	D_ENCRYPT(l,r,i-4); /* 14 */
+	D_ENCRYPT(r,l,i-6); /* 13 */
+}
+#endif
+}
+
+	/* rotate and clear the top bits on machines with 8byte longs */
+	l=ROTATE(l,3)&0xffffffffL;
+	r=ROTATE(r,3)&0xffffffffL;
+
+	FP(r,l);
+	data[0]=l;
+	data[1]=r;
+	l=r=t=u=0;
+}
+
+/**
+ * DES CBC encrypt decrypt routine
+ */
+static void des_cbc_encrypt(des_cblock *input, des_cblock *output, long length, 
+						    des_key_schedule schedule, des_cblock *ivec, int enc)
+{
+	register DES_LONG tin0,tin1;
+	register DES_LONG tout0,tout1,xor0,xor1;
+	register unsigned char *in,*out;
+	register long l=length;
+	DES_LONG tin[2];
+	unsigned char *iv;
+
+	in=(unsigned char *)input;
+	out=(unsigned char *)output;
+	iv=(unsigned char *)ivec;
+
+	if (enc)
+	{
+		c2l(iv,tout0);
+		c2l(iv,tout1);
+		for (l-=8; l>=0; l-=8)
+		{
+			c2l(in,tin0);
+			c2l(in,tin1);
+			tin0^=tout0; tin[0]=tin0;
+			tin1^=tout1; tin[1]=tin1;
+			des_encrypt((DES_LONG *)tin,schedule,DES_ENCRYPT);
+			tout0=tin[0]; l2c(tout0,out);
+			tout1=tin[1]; l2c(tout1,out);
+		}
+		if (l != -8)
+		{
+			c2ln(in,tin0,tin1,l+8);
+			tin0^=tout0; tin[0]=tin0;
+			tin1^=tout1; tin[1]=tin1;
+			des_encrypt((DES_LONG *)tin,schedule,DES_ENCRYPT);
+			tout0=tin[0]; l2c(tout0,out);
+			tout1=tin[1]; l2c(tout1,out);
+		}
+	}
+	else
+	{
+		c2l(iv,xor0);
+		c2l(iv,xor1);
+		for (l-=8; l>=0; l-=8)
+		{
+			c2l(in,tin0); tin[0]=tin0;
+			c2l(in,tin1); tin[1]=tin1;
+			des_encrypt((DES_LONG *)tin,schedule,DES_DECRYPT);
+			tout0=tin[0]^xor0;
+			tout1=tin[1]^xor1;
+			l2c(tout0,out);
+			l2c(tout1,out);
+			xor0=tin0;
+			xor1=tin1;
+		}
+		if (l != -8)
+		{
+			c2l(in,tin0); tin[0]=tin0;
+			c2l(in,tin1); tin[1]=tin1;
+			des_encrypt((DES_LONG *)tin,schedule,DES_DECRYPT);
+			tout0=tin[0]^xor0;
+			tout1=tin[1]^xor1;
+			l2cn(tout0,tout1,out,l+8);
+		/*	xor0=tin0;
+			xor1=tin1; */
+		}
+	}
+	tin0=tin1=tout0=tout1=xor0=xor1=0;
+	tin[0]=tin[1]=0;
+}
+
+static void des_encrypt2(DES_LONG *data, des_key_schedule ks, int enc)
+{
+	register DES_LONG l,r,t,u;
+#ifdef DES_PTR
+	register unsigned char *des_SP=(unsigned char *)des_SPtrans;
+#endif
+#ifndef DES_UNROLL
+	register int i;
+#endif
+	register DES_LONG *s;
+
+	r=data[0];
+	l=data[1];
+
+	/* Things have been modified so that the initial rotate is
+	 * done outside the loop.  This required the
+	 * des_SPtrans values in sp.h to be rotated 1 bit to the right.
+	 * One perl script later and things have a 5% speed up on a sparc2.
+	 * Thanks to Richard Outerbridge <71755.204@CompuServe.COM>
+	 * for pointing this out.
+	 * clear the top bits on machines with 8byte longs */
+	r=ROTATE(r,29)&0xffffffffL;
+	l=ROTATE(l,29)&0xffffffffL;
+
+	s=(DES_LONG *)ks;
+	/* I don't know if it is worth the effort of loop unrolling the
+	* inner loop */
+	if (enc)
+	{
+#ifdef DES_UNROLL
+		D_ENCRYPT(l,r, 0); /*  1 */
+		D_ENCRYPT(r,l, 2); /*  2 */
+		D_ENCRYPT(l,r, 4); /*  3 */
+		D_ENCRYPT(r,l, 6); /*  4 */
+		D_ENCRYPT(l,r, 8); /*  5 */
+		D_ENCRYPT(r,l,10); /*  6 */
+		D_ENCRYPT(l,r,12); /*  7 */
+		D_ENCRYPT(r,l,14); /*  8 */
+		D_ENCRYPT(l,r,16); /*  9 */
+		D_ENCRYPT(r,l,18); /*  10 */
+		D_ENCRYPT(l,r,20); /*  11 */
+		D_ENCRYPT(r,l,22); /*  12 */
+		D_ENCRYPT(l,r,24); /*  13 */
+		D_ENCRYPT(r,l,26); /*  14 */
+		D_ENCRYPT(l,r,28); /*  15 */
+		D_ENCRYPT(r,l,30); /*  16 */
+#else
+		for (i=0; i<32; i+=8)
+{
+	D_ENCRYPT(l,r,i+0); /*  1 */
+	D_ENCRYPT(r,l,i+2); /*  2 */
+	D_ENCRYPT(l,r,i+4); /*  3 */
+	D_ENCRYPT(r,l,i+6); /*  4 */
+}
+#endif
+	}
+	else
+{
+#ifdef DES_UNROLL
+		D_ENCRYPT(l,r,30); /* 16 */
+		D_ENCRYPT(r,l,28); /* 15 */
+		D_ENCRYPT(l,r,26); /* 14 */
+		D_ENCRYPT(r,l,24); /* 13 */
+		D_ENCRYPT(l,r,22); /* 12 */
+		D_ENCRYPT(r,l,20); /* 11 */
+		D_ENCRYPT(l,r,18); /* 10 */
+		D_ENCRYPT(r,l,16); /*  9 */
+		D_ENCRYPT(l,r,14); /*  8 */
+		D_ENCRYPT(r,l,12); /*  7 */
+		D_ENCRYPT(l,r,10); /*  6 */
+		D_ENCRYPT(r,l, 8); /*  5 */
+		D_ENCRYPT(l,r, 6); /*  4 */
+		D_ENCRYPT(r,l, 4); /*  3 */
+		D_ENCRYPT(l,r, 2); /*  2 */
+		D_ENCRYPT(r,l, 0); /*  1 */
+#else
+		for (i=30; i>0; i-=8)
+{
+	D_ENCRYPT(l,r,i-0); /* 16 */
+	D_ENCRYPT(r,l,i-2); /* 15 */
+	D_ENCRYPT(l,r,i-4); /* 14 */
+	D_ENCRYPT(r,l,i-6); /* 13 */
+}
+#endif
+}
+	/* rotate and clear the top bits on machines with 8byte longs */
+	data[0]=ROTATE(l,3)&0xffffffffL;
+	data[1]=ROTATE(r,3)&0xffffffffL;
+	l=r=t=u=0;
+}
+
+/**
+ * Single block 3DES EDE encrypt routine
+ */
+static void des_encrypt3(DES_LONG *data, des_key_schedule ks1, 
+						 des_key_schedule ks2, des_key_schedule ks3)
+{
+	register DES_LONG l,r;
+
+	l=data[0];
+	r=data[1];
+	IP(l,r);
+	data[0]=l;
+	data[1]=r;
+	des_encrypt2((DES_LONG *)data,ks1,DES_ENCRYPT);
+	des_encrypt2((DES_LONG *)data,ks2,DES_DECRYPT);
+	des_encrypt2((DES_LONG *)data,ks3,DES_ENCRYPT);
+	l=data[0];
+	r=data[1];
+	FP(r,l);
+	data[0]=l;
+	data[1]=r;
+}
+
+/**
+ * Single block 3DES EDE decrypt routine
+ */
+static void des_decrypt3(DES_LONG *data, des_key_schedule ks1, 
+						 des_key_schedule ks2, des_key_schedule ks3)
+{
+	register DES_LONG l,r;
+
+	l=data[0];
+	r=data[1];
+	IP(l,r);
+	data[0]=l;
+	data[1]=r;
+	des_encrypt2((DES_LONG *)data,ks3,DES_DECRYPT);
+	des_encrypt2((DES_LONG *)data,ks2,DES_ENCRYPT);
+	des_encrypt2((DES_LONG *)data,ks1,DES_DECRYPT);
+	l=data[0];
+	r=data[1];
+	FP(r,l);
+	data[0]=l;
+	data[1]=r;
+}
+
+/**
+ * 3DES EDE CBC encrypt/decrypt routine
+ */
+static void des_ede3_cbc_encrypt(des_cblock *input, des_cblock *output, long length,
+								 des_key_schedule ks1, des_key_schedule ks2,
+								 des_key_schedule ks3, des_cblock *ivec, int enc)
+{
+	register DES_LONG tin0,tin1;
+	register DES_LONG tout0,tout1,xor0,xor1;
+	register unsigned char *in,*out;
+	register long l=length;
+	DES_LONG tin[2];
+	unsigned char *iv;
+
+	in=(unsigned char *)input;
+	out=(unsigned char *)output;
+	iv=(unsigned char *)ivec;
+
+	if (enc)
+	{
+		c2l(iv,tout0);
+		c2l(iv,tout1);
+		for (l-=8; l>=0; l-=8)
+		{
+			c2l(in,tin0);
+			c2l(in,tin1);
+			tin0^=tout0;
+			tin1^=tout1;
+
+			tin[0]=tin0;
+			tin[1]=tin1;
+			des_encrypt3((DES_LONG *)tin,ks1,ks2,ks3);
+			tout0=tin[0];
+			tout1=tin[1];
+
+			l2c(tout0,out);
+			l2c(tout1,out);
+		}
+		if (l != -8)
+		{
+			c2ln(in,tin0,tin1,l+8);
+			tin0^=tout0;
+			tin1^=tout1;
+
+			tin[0]=tin0;
+			tin[1]=tin1;
+			des_encrypt3((DES_LONG *)tin,ks1,ks2,ks3);
+			tout0=tin[0];
+			tout1=tin[1];
+
+			l2c(tout0,out);
+			l2c(tout1,out);
+		}
+		iv=(unsigned char *)ivec;
+		l2c(tout0,iv);
+		l2c(tout1,iv);
+	}
+	else
+	{
+		register DES_LONG t0,t1;
+
+		c2l(iv,xor0);
+		c2l(iv,xor1);
+		for (l-=8; l>=0; l-=8)
+		{
+			c2l(in,tin0);
+			c2l(in,tin1);
+
+			t0=tin0;
+			t1=tin1;
+
+			tin[0]=tin0;
+			tin[1]=tin1;
+			des_decrypt3((DES_LONG *)tin,ks1,ks2,ks3);
+			tout0=tin[0];
+			tout1=tin[1];
+
+			tout0^=xor0;
+			tout1^=xor1;
+			l2c(tout0,out);
+			l2c(tout1,out);
+			xor0=t0;
+			xor1=t1;
+		}
+		if (l != -8)
+		{
+			c2l(in,tin0);
+			c2l(in,tin1);
+			
+			t0=tin0;
+			t1=tin1;
+
+			tin[0]=tin0;
+			tin[1]=tin1;
+			des_decrypt3((DES_LONG *)tin,ks1,ks2,ks3);
+			tout0=tin[0];
+			tout1=tin[1];
+		
+			tout0^=xor0;
+			tout1^=xor1;
+			l2cn(tout0,tout1,out,l+8);
+			xor0=t0;
+			xor1=t1;
+		}
+
+		iv=(unsigned char *)ivec;
+		l2c(xor0,iv);
+		l2c(xor1,iv);
+	}
+	tin0=tin1=tout0=tout1=xor0=xor1=0;
+	tin[0]=tin[1]=0;
+}
+
+/**
+ * Implementation of crypter_t.decrypt for DES.
+ */
+static void decrypt(private_des_crypter_t *this, chunk_t data, chunk_t iv,
+					chunk_t *decrypted)
+{
+	des_cblock ivb;
+	u_int8_t *out;
+	
+	out = data.ptr;
+	if (decrypted)
+	{
+		*decrypted = chunk_alloc(data.len);
+		out = decrypted->ptr;
+	}
+	memcpy(&ivb, iv.ptr, sizeof(des_cblock));
+	des_cbc_encrypt((des_cblock*)(data.ptr), (des_cblock*)out,
+					 data.len, this->ks, &ivb, DES_DECRYPT);
+}
+
+
+/**
+ * Implementation of crypter_t.decrypt for DES.
+ */
+static void encrypt(private_des_crypter_t *this, chunk_t data, chunk_t iv,
+						chunk_t *encrypted)
+{
+	des_cblock ivb;
+	u_int8_t *out;
+	
+	out = data.ptr;
+	if (encrypted)
+	{
+		*encrypted = chunk_alloc(data.len);
+		out = encrypted->ptr;
+	}
+	memcpy(&ivb, iv.ptr, sizeof(des_cblock));
+	des_cbc_encrypt((des_cblock*)(data.ptr), (des_cblock*)out,
+					 data.len, this->ks, &ivb, DES_ENCRYPT);
+}
+
+/**
+ * Implementation of crypter_t.decrypt for 3DES.
+ */
+static void decrypt3(private_des_crypter_t *this, chunk_t data, chunk_t iv,
+					 chunk_t *decrypted)
+{
+	des_cblock ivb;
+	u_int8_t *out;
+	
+	out = data.ptr;
+	if (decrypted)
+	{
+		*decrypted = chunk_alloc(data.len);
+		out = decrypted->ptr;
+	}
+	memcpy(&ivb, iv.ptr, sizeof(des_cblock));
+	des_ede3_cbc_encrypt((des_cblock*)(data.ptr), (des_cblock*)out,
+						 data.len, this->ks3[0], this->ks3[1], this->ks3[2],
+						 &ivb, DES_DECRYPT);
+}
+
+/**
+ * Implementation of crypter_t.decrypt for 3DES.
+ */
+static void encrypt3(private_des_crypter_t *this, chunk_t data, chunk_t iv,
+					 chunk_t *encrypted)
+{
+	des_cblock ivb;
+	u_int8_t *out;
+	
+	out = data.ptr;
+	if (encrypted)
+	{
+		*encrypted = chunk_alloc(data.len);
+		out = encrypted->ptr;
+	}
+	memcpy(&ivb, iv.ptr, sizeof(des_cblock));
+	des_ede3_cbc_encrypt((des_cblock*)(data.ptr), (des_cblock*)out,
+						  data.len, this->ks3[0], this->ks3[1], this->ks3[2],
+						  &ivb, DES_ENCRYPT);
+}
+
+/**
+ * Implementation of crypter_t.get_block_size.
+ */
+static size_t get_block_size (private_des_crypter_t *this)
+{
+	return sizeof(des_cblock);
+}
+
+/**
+ * Implementation of crypter_t.get_key_size.
+ */
+static size_t get_key_size (private_des_crypter_t *this)
+{
+	return this->key_size;
+}
+
+/**
+ * Implementation of crypter_t.set_key for DES.
+ */
+static void set_key(private_des_crypter_t *this, chunk_t key)
+{
+	des_set_key((des_cblock*)(key.ptr), &this->ks);
+}
+
+/**
+ * Implementation of crypter_t.set_key for 3DES.
+ */
+static void set_key3(private_des_crypter_t *this, chunk_t key)
+{	
+	des_set_key((des_cblock*)(key.ptr) + 0, &this->ks3[0]);
+	des_set_key((des_cblock*)(key.ptr) + 1, &this->ks3[1]);
+	des_set_key((des_cblock*)(key.ptr) + 2, &this->ks3[2]);
+}
+
+/**
+ * Implementation of crypter_t.destroy and des_crypter_t.destroy.
+ */
+static void destroy(private_des_crypter_t *this)
+{
+	free(this);
+}
+
+/*
+ * Described in header
+ */
+des_crypter_t *des_crypter_create(encryption_algorithm_t algo)
+{
+	private_des_crypter_t *this = malloc_thing(private_des_crypter_t);
+	
+	/* functions of crypter_t interface */	
+	this->public.crypter_interface.get_block_size = (size_t (*) (crypter_t *)) get_block_size;
+	this->public.crypter_interface.get_key_size = (size_t (*) (crypter_t *)) get_key_size;
+	this->public.crypter_interface.destroy = (void (*) (crypter_t *)) destroy;
+	
+	/* use functions depending on algorithm */
+	switch (algo)
+	{
+		case ENCR_DES:
+			this->key_size = sizeof(des_cblock);
+			this->public.crypter_interface.set_key = (void (*) (crypter_t *,chunk_t)) set_key;
+			this->public.crypter_interface.encrypt = (void (*) (crypter_t *, chunk_t,chunk_t, chunk_t *)) encrypt;
+			this->public.crypter_interface.decrypt = (void (*) (crypter_t *, chunk_t , chunk_t, chunk_t *)) decrypt;
+			break;
+		case ENCR_3DES:
+			this->key_size = 3 * sizeof(des_cblock);
+			this->public.crypter_interface.set_key = (void (*) (crypter_t *,chunk_t)) set_key3;
+			this->public.crypter_interface.encrypt = (void (*) (crypter_t *, chunk_t,chunk_t, chunk_t *)) encrypt3;
+			this->public.crypter_interface.decrypt = (void (*) (crypter_t *, chunk_t , chunk_t, chunk_t *)) decrypt3;
+			break;
+		default:
+			free(this);
+			return NULL;
+	}
+	return &this->public;
+}
diff --git a/src/libstrongswan/plugins/des/des_crypter.h b/src/libstrongswan/plugins/des/des_crypter.h
new file mode 100644
index 000000000..d40d9cf2f
--- /dev/null
+++ b/src/libstrongswan/plugins/des/des_crypter.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2006-2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup des_crypter des_crypter
+ * @{ @ingroup des_p
+ */
+
+#ifndef DES_CRYPTER_H_
+#define DES_CRYPTER_H_
+
+typedef struct des_crypter_t des_crypter_t;
+
+#include <crypto/crypters/crypter.h>
+
+
+/**
+ * Class implementing the DES and 3DES encryption algorithms.
+ */
+struct des_crypter_t {
+	
+	/**
+	 * The crypter_t interface.
+	 */
+	crypter_t crypter_interface;
+};
+
+/**
+ * Constructor to create des_crypter_t objects.
+ * 
+ * @param algo		ENCR_DES for single DES, ENCR_3DES for triple DES
+ * @return			des_crypter_t object, NULL if algo not supported
+ */
+des_crypter_t *des_crypter_create(encryption_algorithm_t algo);
+
+
+#endif /* DES_CRYPTER_H_ @}*/
diff --git a/src/libstrongswan/plugins/des/des_plugin.c b/src/libstrongswan/plugins/des/des_plugin.c
new file mode 100644
index 000000000..c32096ad0
--- /dev/null
+++ b/src/libstrongswan/plugins/des/des_plugin.c
@@ -0,0 +1,62 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id: des_plugin.c 3488 2008-02-21 15:10:02Z martin $
+ */
+
+#include "des_plugin.h"
+
+#include <library.h>
+#include "des_crypter.h"
+
+typedef struct private_des_plugin_t private_des_plugin_t;
+
+/**
+ * private data of des_plugin
+ */
+struct private_des_plugin_t {
+
+	/**
+	 * public functions
+	 */
+	des_plugin_t public;
+};
+
+/**
+ * Implementation of des_plugin_t.destroy
+ */
+static void destroy(private_des_plugin_t *this)
+{
+	lib->crypto->remove_crypter(lib->crypto,
+								(crypter_constructor_t)des_crypter_create);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *plugin_create()
+{
+	private_des_plugin_t *this = malloc_thing(private_des_plugin_t);
+	
+	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+	
+	lib->crypto->add_crypter(lib->crypto, ENCR_DES,
+							 (crypter_constructor_t)des_crypter_create);
+	lib->crypto->add_crypter(lib->crypto, ENCR_3DES,
+							 (crypter_constructor_t)des_crypter_create);
+	
+	return &this->public.plugin;
+}
+
diff --git a/src/libstrongswan/plugins/des/des_plugin.h b/src/libstrongswan/plugins/des/des_plugin.h
new file mode 100644
index 000000000..8cabd082b
--- /dev/null
+++ b/src/libstrongswan/plugins/des/des_plugin.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup des_p des
+ * @ingroup plugins
+ *
+ * @defgroup des_plugin des_plugin
+ * @{ @ingroup des_p
+ */
+
+#ifndef DES_PLUGIN_H_
+#define DES_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct des_plugin_t des_plugin_t;
+
+/**
+ * Plugin implementing DES based algorithms in software.
+ */
+struct des_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+/**
+ * Create a des_plugin instance.
+ */
+plugin_t *plugin_create();
+
+#endif /* DES_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/fips_prf/Makefile.am b/src/libstrongswan/plugins/fips_prf/Makefile.am
new file mode 100644
index 000000000..73f28825a
--- /dev/null
+++ b/src/libstrongswan/plugins/fips_prf/Makefile.am
@@ -0,0 +1,10 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = -rdynamic
+
+plugin_LTLIBRARIES = libstrongswan-fips-prf.la
+
+libstrongswan_fips_prf_la_SOURCES = fips_prf_plugin.h fips_prf_plugin.c fips_prf.c fips_prf.h
+libstrongswan_fips_prf_la_LDFLAGS = -module
+
diff --git a/src/libstrongswan/plugins/fips_prf/Makefile.in b/src/libstrongswan/plugins/fips_prf/Makefile.in
new file mode 100644
index 000000000..fa51b0db5
--- /dev/null
+++ b/src/libstrongswan/plugins/fips_prf/Makefile.in
@@ -0,0 +1,496 @@
+# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libstrongswan/plugins/fips_prf
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__installdirs = "$(DESTDIR)$(plugindir)"
+pluginLTLIBRARIES_INSTALL = $(INSTALL)
+LTLIBRARIES = $(plugin_LTLIBRARIES)
+libstrongswan_fips_prf_la_LIBADD =
+am_libstrongswan_fips_prf_la_OBJECTS = fips_prf_plugin.lo fips_prf.lo
+libstrongswan_fips_prf_la_OBJECTS =  \
+	$(am_libstrongswan_fips_prf_la_OBJECTS)
+libstrongswan_fips_prf_la_LINK = $(LIBTOOL) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_fips_prf_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_fips_prf_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_fips_prf_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+CXXDEPMODE = @CXXDEPMODE@
+CXXFLAGS = @CXXFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DSYMUTIL = @DSYMUTIL@
+ECHO = @ECHO@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+F77 = @F77@
+FFLAGS = @FFLAGS@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
+IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LINUX_HEADERS = @LINUX_HEADERS@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+NMEDIT = @NMEDIT@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+RANLIB = @RANLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_CXX = @ac_ct_CXX@
+ac_ct_F77 = @ac_ct_F77@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+confdir = @confdir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libstrongswan_plugins = @libstrongswan_plugins@
+linuxdir = @linuxdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+resolv_conf = @resolv_conf@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+simreader = @simreader@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+AM_CFLAGS = -rdynamic
+plugin_LTLIBRARIES = libstrongswan-fips-prf.la
+libstrongswan_fips_prf_la_SOURCES = fips_prf_plugin.h fips_prf_plugin.c fips_prf.c fips_prf.h
+libstrongswan_fips_prf_la_LDFLAGS = -module
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
+		&& exit 0; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/libstrongswan/plugins/fips_prf/Makefile'; \
+	cd $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu  src/libstrongswan/plugins/fips_prf/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    f=$(am__strip_dir) \
+	    echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(plugindir)/$$f'"; \
+	    $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(plugindir)/$$f"; \
+	  else :; fi; \
+	done
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  p=$(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$p'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$p"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-fips-prf.la: $(libstrongswan_fips_prf_la_OBJECTS) $(libstrongswan_fips_prf_la_DEPENDENCIES) 
+	$(libstrongswan_fips_prf_la_LINK) -rpath $(plugindir) $(libstrongswan_fips_prf_la_OBJECTS) $(libstrongswan_fips_prf_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fips_prf.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fips_prf_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	    $$tags $$unique; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$tags $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) $$here
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	    fi; \
+	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
+	mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-info: install-info-am
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
+	distclean-compile distclean-generic distclean-libtool \
+	distclean-tags distdir dvi dvi-am html html-am info info-am \
+	install install-am install-data install-data-am install-dvi \
+	install-dvi-am install-exec install-exec-am install-html \
+	install-html-am install-info install-info-am install-man \
+	install-pdf install-pdf-am install-pluginLTLIBRARIES \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libstrongswan/plugins/fips_prf/fips_prf.c b/src/libstrongswan/plugins/fips_prf/fips_prf.c
new file mode 100644
index 000000000..df3d130a9
--- /dev/null
+++ b/src/libstrongswan/plugins/fips_prf/fips_prf.c
@@ -0,0 +1,252 @@
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id: fips_prf.c 3619 2008-03-19 14:02:52Z martin $
+ */
+
+#include "fips_prf.h"
+
+#include <arpa/inet.h>
+
+#include <debug.h>
+
+typedef struct private_fips_prf_t private_fips_prf_t;
+
+/**
+ * Private data of a fips_prf_t object.
+ */
+struct private_fips_prf_t {
+	/**
+	 * Public fips_prf_t interface.
+	 */
+	fips_prf_t public;
+	
+	/**
+	 * key of prf function, "b" long
+	 */
+	u_int8_t *key;
+	
+	/**
+	 * size of "b" in bytes
+	 */
+	size_t b;
+	
+	/**
+	 * Keyed SHA1 prf: It does not use SHA1Final operation
+	 */
+	prf_t *keyed_prf;
+	
+	/**
+	 * G function, either SHA1 or DES
+	 */
+	void (*g)(private_fips_prf_t *this, chunk_t c, u_int8_t res[]);
+};
+
+/**
+ * sum = (a + b) mod 2 ^ (length * 8)
+ */
+static void add_mod(size_t length, u_int8_t a[], u_int8_t b[], u_int8_t sum[])
+{
+	int i, c = 0;
+	
+	for(i = length - 1; i >= 0; i--)
+	{
+		u_int32_t tmp;
+		
+		tmp = a[i] + b[i] + c;
+		sum[i] = 0xff & tmp;
+		c = tmp >> 8;
+	}
+}
+
+/**
+ * calculate "chunk mod 2^(length*8)" and save it into buffer
+ */
+static void chunk_mod(size_t length, chunk_t chunk, u_int8_t buffer[])
+{
+	if (chunk.len < length)
+	{
+		/* apply seed as least significant bits, others are zero */
+		memset(buffer, 0, length - chunk.len);
+		memcpy(buffer + length - chunk.len, chunk.ptr, chunk.len);
+	}
+	else
+	{
+		/* use least significant bytes from seed, as we use mod 2^b */
+		memcpy(buffer, chunk.ptr + chunk.len - length, length);
+	}
+}
+
+/**
+ * Implementation of prf_t.get_bytes.
+ *
+ * Test vector:
+ *
+ * key:
+ * 0xbd, 0x02, 0x9b, 0xbe, 0x7f, 0x51, 0x96, 0x0b,
+ * 0xcf, 0x9e, 0xdb, 0x2b, 0x61, 0xf0, 0x6f, 0x0f,
+ * 0xeb, 0x5a, 0x38, 0xb6
+ *
+ * seed:
+ * 0x00
+ *
+ * result:
+ * 0x20, 0x70, 0xb3, 0x22, 0x3d, 0xba, 0x37, 0x2f,
+ * 0xde, 0x1c, 0x0f, 0xfc, 0x7b, 0x2e, 0x3b, 0x49,
+ * 0x8b, 0x26, 0x06, 0x14, 0x3c, 0x6c, 0x18, 0xba,
+ * 0xcb, 0x0f, 0x6c, 0x55, 0xba, 0xbb, 0x13, 0x78,
+ * 0x8e, 0x20, 0xd7, 0x37, 0xa3, 0x27, 0x51, 0x16
+ */
+static void get_bytes(private_fips_prf_t *this, chunk_t seed, u_int8_t w[])
+{
+	int i;
+	u_int8_t xval[this->b];
+	u_int8_t xseed[this->b];
+	u_int8_t sum[this->b];
+	u_int8_t *xkey = this->key;
+	u_int8_t one[this->b];
+	chunk_t xval_chunk = chunk_from_buf(xval);
+	
+	memset(one, 0, this->b);
+	one[this->b - 1] = 0x01;
+	
+	/* 3.1 */
+	chunk_mod(this->b, seed, xseed);
+	
+	/* 3.2 */
+	for (i = 0; i < 2; i++) /* twice */
+	{
+		/* a. XVAL = (XKEY + XSEED j) mod 2^b */
+		add_mod(this->b, xkey, xseed, xval);
+		DBG3("XVAL %b", xval, this->b);
+		/* b. wi = G(t, XVAL ) */
+		this->g(this, xval_chunk, &w[i * this->b]);
+		DBG3("w[%d] %b", i, &w[i * this->b], this->b);
+		/* c. XKEY = (1 + XKEY + wi) mod 2b */
+		add_mod(this->b, xkey, &w[i * this->b], sum);
+		add_mod(this->b, sum, one, xkey);
+		DBG3("XKEY %b", xkey, this->b);
+	}
+	
+	/* 3.3 done already, mod q not used */
+}
+
+/**
+ * Implementation of prf_t.get_block_size.
+ */
+static size_t get_block_size(private_fips_prf_t *this)
+{
+	return 2 * this->b;
+}
+/**
+ * Implementation of prf_t.allocate_bytes.
+ */
+static void allocate_bytes(private_fips_prf_t *this, chunk_t seed, chunk_t *chunk)
+{
+	*chunk = chunk_alloc(get_block_size(this));
+	get_bytes(this, seed, chunk->ptr);
+}
+
+/**
+ * Implementation of prf_t.get_key_size.
+ */
+static size_t get_key_size(private_fips_prf_t *this)
+{
+	return this->b;
+}
+
+/**
+ * Implementation of prf_t.set_key.
+ */
+static void set_key(private_fips_prf_t *this, chunk_t key)
+{
+	/* save key as "key mod 2^b" */
+	chunk_mod(this->b, key, this->key);
+}
+
+/**
+ * Implementation of the G() function based on SHA1
+ */
+void g_sha1(private_fips_prf_t *this, chunk_t c, u_int8_t res[])
+{
+	u_int8_t buf[64];
+	
+	if (c.len < sizeof(buf))
+	{
+		/* pad c with zeros */
+		memset(buf, 0, sizeof(buf));
+		memcpy(buf, c.ptr, c.len);
+		c.ptr = buf;
+		c.len = sizeof(buf);
+	}
+	else
+	{
+		/* not more than 512 bits can be G()-ed */
+		c.len = sizeof(buf);
+	}
+	
+	/* use the keyed hasher, but use an empty key to use SHA1 IV */
+	this->keyed_prf->set_key(this->keyed_prf, chunk_empty);
+	this->keyed_prf->get_bytes(this->keyed_prf, c, res);
+}
+
+/**
+ * Implementation of prf_t.destroy.
+ */
+static void destroy(private_fips_prf_t *this)
+{
+	this->keyed_prf->destroy(this->keyed_prf);
+	free(this->key);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+fips_prf_t *fips_prf_create(pseudo_random_function_t algo)
+{
+	private_fips_prf_t *this = malloc_thing(private_fips_prf_t);
+	
+	this->public.prf_interface.get_bytes = (void (*) (prf_t *,chunk_t,u_int8_t*))get_bytes;
+	this->public.prf_interface.allocate_bytes = (void (*) (prf_t*,chunk_t,chunk_t*))allocate_bytes;
+	this->public.prf_interface.get_block_size = (size_t (*) (prf_t*))get_block_size;
+	this->public.prf_interface.get_key_size = (size_t (*) (prf_t*))get_key_size;
+	this->public.prf_interface.set_key = (void (*) (prf_t *,chunk_t))set_key;
+	this->public.prf_interface.destroy = (void (*) (prf_t *))destroy;
+	
+	switch (algo)
+	{
+		case PRF_FIPS_SHA1_160:
+		{
+			this->g = g_sha1;
+			this->b = 20;
+			this->keyed_prf = lib->crypto->create_prf(lib->crypto, PRF_KEYED_SHA1);
+			if (this->keyed_prf == NULL)
+			{
+				free(this);
+				return NULL;
+			}
+			break;
+		}
+		case PRF_FIPS_DES:
+			/* not implemented yet */
+		default:
+			free(this);
+			return NULL;
+	}
+	this->key = malloc(this->b);
+	
+	return &this->public;
+}
+
diff --git a/src/libstrongswan/plugins/fips_prf/fips_prf.h b/src/libstrongswan/plugins/fips_prf/fips_prf.h
new file mode 100644
index 000000000..3fead6b9b
--- /dev/null
+++ b/src/libstrongswan/plugins/fips_prf/fips_prf.h
@@ -0,0 +1,59 @@
+/*
+ * Copyright (C) 2006-2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup fips_prf fips_prf
+ * @{ @ingroup fips_prf_p
+ */
+
+#ifndef FIPS_PRF_H_
+#define FIPS_PRF_H_
+
+typedef struct fips_prf_t fips_prf_t;
+
+#include <library.h>
+#include <crypto/prfs/prf.h>
+#include <crypto/hashers/hasher.h>
+
+/**
+ * Implementation of prf_t using the FIPS 186-2-change1 standard.
+ *
+ * FIPS defines a "General Purpose Random Number Generator" (Revised
+ * Algorithm for Computing m values of x (Appendix 3.1 of FIPS 186-2)). This
+ * implementation is not intended for private key generation and therefore does
+ * not include the "mod q" operation (see FIPS 186-2-change1 p74).
+ * The FIPS PRF is stateful; the key changes every time when bytes are acquired.
+ */
+struct fips_prf_t {
+	
+	/**
+	 * Generic prf_t interface for this fips_prf_t class.
+	 */
+	prf_t prf_interface;
+};
+
+/**
+ * Creates a new fips_prf_t object.
+ * 
+ * FIPS 186-2 defines G() functions used in the PRF function. It can
+ * be implemented either based on SHA1 or DES.
+ * The G() function is selected using the algo parameter.
+ *
+ * @param algo		specific FIPS PRF implementation, specifies G() function
+ * @return			fips_prf_t object, NULL if not supported.
+ */
+fips_prf_t *fips_prf_create(pseudo_random_function_t algo);
+
+#endif /* FIPS_PRF_H_ @}*/
diff --git a/src/libstrongswan/plugins/fips_prf/fips_prf_plugin.c b/src/libstrongswan/plugins/fips_prf/fips_prf_plugin.c
new file mode 100644
index 000000000..60fce8632
--- /dev/null
+++ b/src/libstrongswan/plugins/fips_prf/fips_prf_plugin.c
@@ -0,0 +1,59 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id: fips_prf_plugin.c 3488 2008-02-21 15:10:02Z martin $
+ */
+
+#include "fips_prf_plugin.h"
+
+#include <library.h>
+#include "fips_prf.h"
+
+typedef struct private_fips_prf_plugin_t private_fips_prf_plugin_t;
+
+/**
+ * private data of fips_prf_plugin
+ */
+struct private_fips_prf_plugin_t {
+
+	/**
+	 * public functions
+	 */
+	fips_prf_plugin_t public;
+};
+
+/**
+ * Implementation of fips_prf_plugin_t.destroy
+ */
+static void destroy(private_fips_prf_plugin_t *this)
+{
+	lib->crypto->remove_prf(lib->crypto,
+							(prf_constructor_t)fips_prf_create);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *plugin_create()
+{
+	private_fips_prf_plugin_t *this = malloc_thing(private_fips_prf_plugin_t);
+	
+	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+	
+	lib->crypto->add_prf(lib->crypto, PRF_FIPS_SHA1_160,
+						 (prf_constructor_t)fips_prf_create);
+	
+	return &this->public.plugin;
+}
diff --git a/src/libstrongswan/plugins/fips_prf/fips_prf_plugin.h b/src/libstrongswan/plugins/fips_prf/fips_prf_plugin.h
new file mode 100644
index 000000000..6816eb66f
--- /dev/null
+++ b/src/libstrongswan/plugins/fips_prf/fips_prf_plugin.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup fips_prf_p fips_prf
+ * @ingroup plugins
+ *
+ * @defgroup fips_prf_plugin fips_prf_plugin
+ * @{ @ingroup fips_prf_p
+ */
+
+#ifndef FIPS_PRF_PLUGIN_H_
+#define FIPS_PRF_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct fips_prf_plugin_t fips_prf_plugin_t;
+
+/**
+ * Plugin implementing the fips_prf algorithm in software.
+ */
+struct fips_prf_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+/**
+ * Create a fips_prf_plugin instance.
+ */
+plugin_t *plugin_create();
+
+#endif /* FIPS_PRF_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/gmp/Makefile.am b/src/libstrongswan/plugins/gmp/Makefile.am
new file mode 100644
index 000000000..f073b5d48
--- /dev/null
+++ b/src/libstrongswan/plugins/gmp/Makefile.am
@@ -0,0 +1,15 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = -rdynamic
+
+plugin_LTLIBRARIES = libstrongswan-gmp.la
+
+libstrongswan_gmp_la_SOURCES = gmp_plugin.h gmp_plugin.c \
+  gmp_diffie_hellman.c gmp_diffie_hellman.h \
+  gmp_rsa_private_key.c gmp_rsa_private_key.h \
+  gmp_rsa_public_key.c gmp_rsa_public_key.h
+
+libstrongswan_gmp_la_LDFLAGS = -module
+libstrongswan_gmp_la_LIBADD = -lgmp
+
diff --git a/src/libstrongswan/plugins/gmp/Makefile.in b/src/libstrongswan/plugins/gmp/Makefile.in
new file mode 100644
index 000000000..1d9bfb88e
--- /dev/null
+++ b/src/libstrongswan/plugins/gmp/Makefile.in
@@ -0,0 +1,502 @@
+# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libstrongswan/plugins/gmp
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__installdirs = "$(DESTDIR)$(plugindir)"
+pluginLTLIBRARIES_INSTALL = $(INSTALL)
+LTLIBRARIES = $(plugin_LTLIBRARIES)
+libstrongswan_gmp_la_DEPENDENCIES =
+am_libstrongswan_gmp_la_OBJECTS = gmp_plugin.lo gmp_diffie_hellman.lo \
+	gmp_rsa_private_key.lo gmp_rsa_public_key.lo
+libstrongswan_gmp_la_OBJECTS = $(am_libstrongswan_gmp_la_OBJECTS)
+libstrongswan_gmp_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_gmp_la_LDFLAGS) $(LDFLAGS) -o $@
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_gmp_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_gmp_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+CXXDEPMODE = @CXXDEPMODE@
+CXXFLAGS = @CXXFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DSYMUTIL = @DSYMUTIL@
+ECHO = @ECHO@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+F77 = @F77@
+FFLAGS = @FFLAGS@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
+IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LINUX_HEADERS = @LINUX_HEADERS@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+NMEDIT = @NMEDIT@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+RANLIB = @RANLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_CXX = @ac_ct_CXX@
+ac_ct_F77 = @ac_ct_F77@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+confdir = @confdir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libstrongswan_plugins = @libstrongswan_plugins@
+linuxdir = @linuxdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+resolv_conf = @resolv_conf@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+simreader = @simreader@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+AM_CFLAGS = -rdynamic
+plugin_LTLIBRARIES = libstrongswan-gmp.la
+libstrongswan_gmp_la_SOURCES = gmp_plugin.h gmp_plugin.c \
+  gmp_diffie_hellman.c gmp_diffie_hellman.h \
+  gmp_rsa_private_key.c gmp_rsa_private_key.h \
+  gmp_rsa_public_key.c gmp_rsa_public_key.h
+
+libstrongswan_gmp_la_LDFLAGS = -module
+libstrongswan_gmp_la_LIBADD = -lgmp
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
+		&& exit 0; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/libstrongswan/plugins/gmp/Makefile'; \
+	cd $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu  src/libstrongswan/plugins/gmp/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    f=$(am__strip_dir) \
+	    echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(plugindir)/$$f'"; \
+	    $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(plugindir)/$$f"; \
+	  else :; fi; \
+	done
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  p=$(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$p'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$p"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-gmp.la: $(libstrongswan_gmp_la_OBJECTS) $(libstrongswan_gmp_la_DEPENDENCIES) 
+	$(libstrongswan_gmp_la_LINK) -rpath $(plugindir) $(libstrongswan_gmp_la_OBJECTS) $(libstrongswan_gmp_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/gmp_diffie_hellman.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/gmp_plugin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/gmp_rsa_private_key.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/gmp_rsa_public_key.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	    $$tags $$unique; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$tags $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) $$here
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	    fi; \
+	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
+	mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-info: install-info-am
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
+	distclean-compile distclean-generic distclean-libtool \
+	distclean-tags distdir dvi dvi-am html html-am info info-am \
+	install install-am install-data install-data-am install-dvi \
+	install-dvi-am install-exec install-exec-am install-html \
+	install-html-am install-info install-info-am install-man \
+	install-pdf install-pdf-am install-pluginLTLIBRARIES \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c b/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c
new file mode 100644
index 000000000..3d9856b63
--- /dev/null
+++ b/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c
@@ -0,0 +1,567 @@
+/*
+ * Copyright (C) 1998-2002  D. Hugh Redelmeier.
+ * Copyright (C) 1999, 2000, 2001  Henry Spencer.
+ * Copyright (C) 2005-2008 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id: gmp_diffie_hellman.c 3806 2008-04-15 05:56:35Z martin $
+ */
+
+#include <gmp.h>
+
+#include "gmp_diffie_hellman.h"
+
+#include <debug.h>
+
+
+/**
+ * Modulus of Group 1 (MODP_768_BIT).
+ */
+static u_int8_t group1_modulus[] = {
+	0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,0x21,0x68,0xC2,0x34,
+	0xC4,0xC6,0x62,0x8B,0x80	,0xDC,0x1C,0xD1,0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,
+	0x02,0x0B,0xBE,0xA6,0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,
+	0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,0xF2,0x5F,0x14,0x37,
+	0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,
+	0xF4,0x4C,0x42,0xE9,0xA6,0x3A,0x36,0x20,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF
+};
+
+/**
+ * Modulus of Group 2 (MODP_1024_BIT).
+ */
+static u_int8_t group2_modulus[] = {
+	0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,0x21,0x68,0xC2,0x34,
+	0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,
+	0x02,0x0B,0xBE,0xA6,0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,
+	0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,0xF2,0x5F,0x14,0x37,
+	0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,
+	0xF4,0x4C,0x42,0xE9,0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED,
+	0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11,0x7C,0x4B,0x1F,0xE6,
+	0x49,0x28,0x66,0x51,0xEC,0xE6,0x53,0x81,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF
+};
+
+/**
+ * Modulus of Group 5 (MODP_1536_BIT).
+ */
+static u_int8_t group5_modulus[] = {
+	0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,0x21,0x68,0xC2,0x34,
+	0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,
+	0x02,0x0B,0xBE,0xA6,0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,
+	0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,0xF2,0x5F,0x14,0x37,
+	0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,
+	0xF4,0x4C,0x42,0xE9,0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED,
+	0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11,0x7C,0x4B,0x1F,0xE6,
+	0x49,0x28,0x66,0x51,0xEC,0xE4,0x5B,0x3D,0xC2,0x00,0x7C,0xB8,0xA1,0x63,0xBF,0x05,
+	0x98,0xDA,0x48,0x36,0x1C,0x55,0xD3,0x9A,0x69,0x16,0x3F,0xA8,0xFD,0x24,0xCF,0x5F,
+	0x83,0x65,0x5D,0x23,0xDC,0xA3,0xAD,0x96,0x1C,0x62,0xF3,0x56,0x20,0x85,0x52,0xBB,
+	0x9E,0xD5,0x29,0x07,0x70,0x96,0x96,0x6D,0x67,0x0C,0x35,0x4E,0x4A,0xBC,0x98,0x04,
+	0xF1,0x74,0x6C,0x08,0xCA,0x23,0x73,0x27,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF
+};
+/**
+ * Modulus of Group 14 (MODP_2048_BIT).
+ */
+static u_int8_t group14_modulus[] = {
+	0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,0x21,0x68,0xC2,0x34,
+	0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,
+	0x02,0x0B,0xBE,0xA6,0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,
+	0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,0xF2,0x5F,0x14,0x37,
+	0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,
+	0xF4,0x4C,0x42,0xE9,0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED,
+	0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11,0x7C,0x4B,0x1F,0xE6,
+	0x49,0x28,0x66,0x51,0xEC,0xE4,0x5B,0x3D,0xC2,0x00,0x7C,0xB8,0xA1,0x63,0xBF,0x05,
+	0x98,0xDA,0x48,0x36,0x1C,0x55,0xD3,0x9A,0x69,0x16,0x3F,0xA8,0xFD,0x24,0xCF,0x5F,
+	0x83,0x65,0x5D,0x23,0xDC,0xA3,0xAD,0x96,0x1C,0x62,0xF3,0x56,0x20,0x85,0x52,0xBB,
+	0x9E,0xD5,0x29,0x07,0x70,0x96,0x96,0x6D,0x67,0x0C,0x35,0x4E,0x4A,0xBC,0x98,0x04,
+	0xF1,0x74,0x6C,0x08,0xCA,0x18,0x21,0x7C,0x32,0x90,0x5E,0x46,0x2E,0x36,0xCE,0x3B,
+	0xE3,0x9E,0x77,0x2C,0x18,0x0E,0x86,0x03,0x9B,0x27,0x83,0xA2,0xEC,0x07,0xA2,0x8F,
+	0xB5,0xC5,0x5D,0xF0,0x6F,0x4C,0x52,0xC9,0xDE,0x2B,0xCB,0xF6,0x95,0x58,0x17,0x18,
+	0x39,0x95,0x49,0x7C,0xEA,0x95,0x6A,0xE5,0x15,0xD2,0x26,0x18,0x98,0xFA,0x05,0x10,
+	0x15,0x72,0x8E,0x5A,0x8A,0xAC,0xAA,0x68,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF
+};
+
+/**
+ * Modulus of Group 15 (MODP_3072_BIT).
+ */
+static u_int8_t group15_modulus[] = {
+	0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,0x21,0x68,0xC2,0x34,
+	0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,
+	0x02,0x0B,0xBE,0xA6,0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,
+	0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,0xF2,0x5F,0x14,0x37,
+	0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,
+	0xF4,0x4C,0x42,0xE9,0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED,
+	0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11,0x7C,0x4B,0x1F,0xE6,
+	0x49,0x28,0x66,0x51,0xEC,0xE4,0x5B,0x3D,0xC2,0x00,0x7C,0xB8,0xA1,0x63,0xBF,0x05,
+	0x98,0xDA,0x48,0x36,0x1C,0x55,0xD3,0x9A,0x69,0x16,0x3F,0xA8,0xFD,0x24,0xCF,0x5F,
+	0x83,0x65,0x5D,0x23,0xDC,0xA3,0xAD,0x96,0x1C,0x62,0xF3,0x56,0x20,0x85,0x52,0xBB,
+	0x9E,0xD5,0x29,0x07,0x70,0x96,0x96,0x6D,0x67,0x0C,0x35,0x4E,0x4A,0xBC,0x98,0x04,
+	0xF1,0x74,0x6C,0x08,0xCA,0x18,0x21,0x7C,0x32,0x90,0x5E,0x46,0x2E,0x36,0xCE,0x3B,
+	0xE3,0x9E,0x77,0x2C,0x18,0x0E,0x86,0x03,0x9B,0x27,0x83,0xA2,0xEC,0x07,0xA2,0x8F,
+	0xB5,0xC5,0x5D,0xF0,0x6F,0x4C,0x52,0xC9,0xDE,0x2B,0xCB,0xF6,0x95,0x58,0x17,0x18,
+	0x39,0x95,0x49,0x7C,0xEA,0x95,0x6A,0xE5,0x15,0xD2,0x26,0x18,0x98,0xFA,0x05,0x10,
+	0x15,0x72,0x8E,0x5A,0x8A,0xAA,0xC4,0x2D,0xAD,0x33,0x17,0x0D,0x04,0x50,0x7A,0x33,
+	0xA8,0x55,0x21,0xAB,0xDF,0x1C,0xBA,0x64,0xEC,0xFB,0x85,0x04,0x58,0xDB,0xEF,0x0A,
+	0x8A,0xEA,0x71,0x57,0x5D,0x06,0x0C,0x7D,0xB3,0x97,0x0F,0x85,0xA6,0xE1,0xE4,0xC7,
+	0xAB,0xF5,0xAE,0x8C,0xDB,0x09,0x33,0xD7,0x1E,0x8C,0x94,0xE0,0x4A,0x25,0x61,0x9D,
+	0xCE,0xE3,0xD2,0x26,0x1A,0xD2,0xEE,0x6B,0xF1,0x2F,0xFA,0x06,0xD9,0x8A,0x08,0x64,
+	0xD8,0x76,0x02,0x73,0x3E,0xC8,0x6A,0x64,0x52,0x1F,0x2B,0x18,0x17,0x7B,0x20,0x0C,
+	0xBB,0xE1,0x17,0x57,0x7A,0x61,0x5D,0x6C,0x77,0x09,0x88,0xC0,0xBA,0xD9,0x46,0xE2,
+	0x08,0xE2,0x4F,0xA0,0x74,0xE5,0xAB,0x31,0x43,0xDB,0x5B,0xFC,0xE0,0xFD,0x10,0x8E,
+	0x4B,0x82,0xD1,0x20,0xA9,0x3A,0xD2,0xCA,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF
+};
+
+/**
+ * Modulus of Group 16 (MODP_4096_BIT).
+ */
+static u_int8_t group16_modulus[] = {
+	0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,0x21,0x68,0xC2,0x34,
+	0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,
+	0x02,0x0B,0xBE,0xA6,0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,
+	0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,0xF2,0x5F,0x14,0x37,
+	0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,
+	0xF4,0x4C,0x42,0xE9,0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED,
+	0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11,0x7C,0x4B,0x1F,0xE6,
+	0x49,0x28,0x66,0x51,0xEC,0xE4,0x5B,0x3D,0xC2,0x00,0x7C,0xB8,0xA1,0x63,0xBF,0x05,
+	0x98,0xDA,0x48,0x36,0x1C,0x55,0xD3,0x9A,0x69,0x16,0x3F,0xA8,0xFD,0x24,0xCF,0x5F,
+	0x83,0x65,0x5D,0x23,0xDC,0xA3,0xAD,0x96,0x1C,0x62,0xF3,0x56,0x20,0x85,0x52,0xBB,
+	0x9E,0xD5,0x29,0x07,0x70,0x96,0x96,0x6D,0x67,0x0C,0x35,0x4E,0x4A,0xBC,0x98,0x04,
+	0xF1,0x74,0x6C,0x08,0xCA,0x18,0x21,0x7C,0x32,0x90,0x5E,0x46,0x2E,0x36,0xCE,0x3B,
+	0xE3,0x9E,0x77,0x2C,0x18,0x0E,0x86,0x03,0x9B,0x27,0x83,0xA2,0xEC,0x07,0xA2,0x8F,
+	0xB5,0xC5,0x5D,0xF0,0x6F,0x4C,0x52,0xC9,0xDE,0x2B,0xCB,0xF6,0x95,0x58,0x17,0x18,
+	0x39,0x95,0x49,0x7C,0xEA,0x95,0x6A,0xE5,0x15,0xD2,0x26,0x18,0x98,0xFA,0x05,0x10,
+	0x15,0x72,0x8E,0x5A,0x8A,0xAA,0xC4,0x2D,0xAD,0x33,0x17,0x0D,0x04,0x50,0x7A,0x33,
+	0xA8,0x55,0x21,0xAB,0xDF,0x1C,0xBA,0x64,0xEC,0xFB,0x85,0x04,0x58,0xDB,0xEF,0x0A,
+	0x8A,0xEA,0x71,0x57,0x5D,0x06,0x0C,0x7D,0xB3,0x97,0x0F,0x85,0xA6,0xE1,0xE4,0xC7,
+	0xAB,0xF5,0xAE,0x8C,0xDB,0x09,0x33,0xD7,0x1E,0x8C,0x94,0xE0,0x4A,0x25,0x61,0x9D,
+	0xCE,0xE3,0xD2,0x26,0x1A,0xD2,0xEE,0x6B,0xF1,0x2F,0xFA,0x06,0xD9,0x8A,0x08,0x64,
+	0xD8,0x76,0x02,0x73,0x3E,0xC8,0x6A,0x64,0x52,0x1F,0x2B,0x18,0x17,0x7B,0x20,0x0C,
+	0xBB,0xE1,0x17,0x57,0x7A,0x61,0x5D,0x6C,0x77,0x09,0x88,0xC0,0xBA,0xD9,0x46,0xE2,
+	0x08,0xE2,0x4F,0xA0,0x74,0xE5,0xAB,0x31,0x43,0xDB,0x5B,0xFC,0xE0,0xFD,0x10,0x8E,
+	0x4B,0x82,0xD1,0x20,0xA9,0x21,0x08,0x01,0x1A,0x72,0x3C,0x12,0xA7,0x87,0xE6,0xD7,
+	0x88,0x71,0x9A,0x10,0xBD,0xBA,0x5B,0x26,0x99,0xC3,0x27,0x18,0x6A,0xF4,0xE2,0x3C,
+	0x1A,0x94,0x68,0x34,0xB6,0x15,0x0B,0xDA,0x25,0x83,0xE9,0xCA,0x2A,0xD4,0x4C,0xE8,
+	0xDB,0xBB,0xC2,0xDB,0x04,0xDE,0x8E,0xF9,0x2E,0x8E,0xFC,0x14,0x1F,0xBE,0xCA,0xA6,
+	0x28,0x7C,0x59,0x47,0x4E,0x6B,0xC0,0x5D,0x99,0xB2,0x96,0x4F,0xA0,0x90,0xC3,0xA2,
+	0x23,0x3B,0xA1,0x86,0x51,0x5B,0xE7,0xED,0x1F,0x61,0x29,0x70,0xCE,0xE2,0xD7,0xAF,
+	0xB8,0x1B,0xDD,0x76,0x21,0x70,0x48,0x1C,0xD0,0x06,0x91,0x27,0xD5,0xB0,0x5A,0xA9,
+	0x93,0xB4,0xEA,0x98,0x8D,0x8F,0xDD,0xC1,0x86,0xFF,0xB7,0xDC,0x90,0xA6,0xC0,0x8F,
+	0x4D,0xF4,0x35,0xC9,0x34,0x06,0x31,0x99,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF
+};
+
+/**
+ * Modulus of Group 17 (MODP_6144_BIT).
+ */
+static u_int8_t group17_modulus[] = {
+	0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,0x21,0x68,0xC2,0x34,
+	0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,
+	0x02,0x0B,0xBE,0xA6,0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,
+	0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,0xF2,0x5F,0x14,0x37,
+	0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,
+	0xF4,0x4C,0x42,0xE9,0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED,
+	0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11,0x7C,0x4B,0x1F,0xE6,
+	0x49,0x28,0x66,0x51,0xEC,0xE4,0x5B,0x3D,0xC2,0x00,0x7C,0xB8,0xA1,0x63,0xBF,0x05,
+	0x98,0xDA,0x48,0x36,0x1C,0x55,0xD3,0x9A,0x69,0x16,0x3F,0xA8,0xFD,0x24,0xCF,0x5F,
+	0x83,0x65,0x5D,0x23,0xDC,0xA3,0xAD,0x96,0x1C,0x62,0xF3,0x56,0x20,0x85,0x52,0xBB,
+	0x9E,0xD5,0x29,0x07,0x70,0x96,0x96,0x6D,0x67,0x0C,0x35,0x4E,0x4A,0xBC,0x98,0x04,
+	0xF1,0x74,0x6C,0x08,0xCA,0x18,0x21,0x7C,0x32,0x90,0x5E,0x46,0x2E,0x36,0xCE,0x3B,
+	0xE3,0x9E,0x77,0x2C,0x18,0x0E,0x86,0x03,0x9B,0x27,0x83,0xA2,0xEC,0x07,0xA2,0x8F,
+	0xB5,0xC5,0x5D,0xF0,0x6F,0x4C,0x52,0xC9,0xDE,0x2B,0xCB,0xF6,0x95,0x58,0x17,0x18,
+	0x39,0x95,0x49,0x7C,0xEA,0x95,0x6A,0xE5,0x15,0xD2,0x26,0x18,0x98,0xFA,0x05,0x10,
+	0x15,0x72,0x8E,0x5A,0x8A,0xAA,0xC4,0x2D,0xAD,0x33,0x17,0x0D,0x04,0x50,0x7A,0x33,
+	0xA8,0x55,0x21,0xAB,0xDF,0x1C,0xBA,0x64,0xEC,0xFB,0x85,0x04,0x58,0xDB,0xEF,0x0A,
+	0x8A,0xEA,0x71,0x57,0x5D,0x06,0x0C,0x7D,0xB3,0x97,0x0F,0x85,0xA6,0xE1,0xE4,0xC7,
+	0xAB,0xF5,0xAE,0x8C,0xDB,0x09,0x33,0xD7,0x1E,0x8C,0x94,0xE0,0x4A,0x25,0x61,0x9D,
+	0xCE,0xE3,0xD2,0x26,0x1A,0xD2,0xEE,0x6B,0xF1,0x2F,0xFA,0x06,0xD9,0x8A,0x08,0x64,
+	0xD8,0x76,0x02,0x73,0x3E,0xC8,0x6A,0x64,0x52,0x1F,0x2B,0x18,0x17,0x7B,0x20,0x0C,
+	0xBB,0xE1,0x17,0x57,0x7A,0x61,0x5D,0x6C,0x77,0x09,0x88,0xC0,0xBA,0xD9,0x46,0xE2,
+	0x08,0xE2,0x4F,0xA0,0x74,0xE5,0xAB,0x31,0x43,0xDB,0x5B,0xFC,0xE0,0xFD,0x10,0x8E,
+	0x4B,0x82,0xD1,0x20,0xA9,0x21,0x08,0x01,0x1A,0x72,0x3C,0x12,0xA7,0x87,0xE6,0xD7,
+	0x88,0x71,0x9A,0x10,0xBD,0xBA,0x5B,0x26,0x99,0xC3,0x27,0x18,0x6A,0xF4,0xE2,0x3C,
+	0x1A,0x94,0x68,0x34,0xB6,0x15,0x0B,0xDA,0x25,0x83,0xE9,0xCA,0x2A,0xD4,0x4C,0xE8,
+	0xDB,0xBB,0xC2,0xDB,0x04,0xDE,0x8E,0xF9,0x2E,0x8E,0xFC,0x14,0x1F,0xBE,0xCA,0xA6,
+	0x28,0x7C,0x59,0x47,0x4E,0x6B,0xC0,0x5D,0x99,0xB2,0x96,0x4F,0xA0,0x90,0xC3,0xA2,
+	0x23,0x3B,0xA1,0x86,0x51,0x5B,0xE7,0xED,0x1F,0x61,0x29,0x70,0xCE,0xE2,0xD7,0xAF,
+	0xB8,0x1B,0xDD,0x76,0x21,0x70,0x48,0x1C,0xD0,0x06,0x91,0x27,0xD5,0xB0,0x5A,0xA9,
+	0x93,0xB4,0xEA,0x98,0x8D,0x8F,0xDD,0xC1,0x86,0xFF,0xB7,0xDC,0x90,0xA6,0xC0,0x8F,
+	0x4D,0xF4,0x35,0xC9,0x34,0x02,0x84,0x92,0x36,0xC3,0xFA,0xB4,0xD2,0x7C,0x70,0x26,
+	0xC1,0xD4,0xDC,0xB2,0x60,0x26,0x46,0xDE,0xC9,0x75,0x1E,0x76,0x3D,0xBA,0x37,0xBD,
+	0xF8,0xFF,0x94,0x06,0xAD,0x9E,0x53,0x0E,0xE5,0xDB,0x38,0x2F,0x41,0x30,0x01,0xAE,
+	0xB0,0x6A,0x53,0xED,0x90,0x27,0xD8,0x31,0x17,0x97,0x27,0xB0,0x86,0x5A,0x89,0x18,
+	0xDA,0x3E,0xDB,0xEB,0xCF,0x9B,0x14,0xED,0x44,0xCE,0x6C,0xBA,0xCE,0xD4,0xBB,0x1B,
+	0xDB,0x7F,0x14,0x47,0xE6,0xCC,0x25,0x4B,0x33,0x20,0x51,0x51,0x2B,0xD7,0xAF,0x42,
+	0x6F,0xB8,0xF4,0x01,0x37,0x8C,0xD2,0xBF,0x59,0x83,0xCA,0x01,0xC6,0x4B,0x92,0xEC,
+	0xF0,0x32,0xEA,0x15,0xD1,0x72,0x1D,0x03,0xF4,0x82,0xD7,0xCE,0x6E,0x74,0xFE,0xF6,
+	0xD5,0x5E,0x70,0x2F,0x46,0x98,0x0C,0x82,0xB5,0xA8,0x40,0x31,0x90,0x0B,0x1C,0x9E,
+	0x59,0xE7,0xC9,0x7F,0xBE,0xC7,0xE8,0xF3,0x23,0xA9,0x7A,0x7E,0x36,0xCC,0x88,0xBE,
+	0x0F,0x1D,0x45,0xB7,0xFF,0x58,0x5A,0xC5,0x4B,0xD4,0x07,0xB2,0x2B,0x41,0x54,0xAA,
+	0xCC,0x8F,0x6D,0x7E,0xBF,0x48,0xE1,0xD8,0x14,0xCC,0x5E,0xD2,0x0F,0x80,0x37,0xE0,
+	0xA7,0x97,0x15,0xEE,0xF2,0x9B,0xE3,0x28,0x06,0xA1,0xD5,0x8B,0xB7,0xC5,0xDA,0x76,
+	0xF5,0x50,0xAA,0x3D,0x8A,0x1F,0xBF,0xF0,0xEB,0x19,0xCC,0xB1,0xA3,0x13,0xD5,0x5C,
+	0xDA,0x56,0xC9,0xEC,0x2E,0xF2,0x96,0x32,0x38,0x7F,0xE8,0xD7,0x6E,0x3C,0x04,0x68,
+	0x04,0x3E,0x8F,0x66,0x3F,0x48,0x60,0xEE,0x12,0xBF,0x2D,0x5B,0x0B,0x74,0x74,0xD6,
+	0xE6,0x94,0xF9,0x1E,0x6D,0xCC,0x40,0x24,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF
+};
+
+/**
+ * Modulus of Group 18 (MODP_8192_BIT).
+ */
+static u_int8_t group18_modulus[] = {
+	0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,0x21,0x68,0xC2,0x34,
+	0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,
+	0x02,0x0B,0xBE,0xA6,0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,
+	0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,0xF2,0x5F,0x14,0x37,
+	0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,
+	0xF4,0x4C,0x42,0xE9,0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED,
+	0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11,0x7C,0x4B,0x1F,0xE6,
+	0x49,0x28,0x66,0x51,0xEC,0xE4,0x5B,0x3D,0xC2,0x00,0x7C,0xB8,0xA1,0x63,0xBF,0x05,
+	0x98,0xDA,0x48,0x36,0x1C,0x55,0xD3,0x9A,0x69,0x16,0x3F,0xA8,0xFD,0x24,0xCF,0x5F,
+	0x83,0x65,0x5D,0x23,0xDC,0xA3,0xAD,0x96,0x1C,0x62,0xF3,0x56,0x20,0x85,0x52,0xBB,
+	0x9E,0xD5,0x29,0x07,0x70,0x96,0x96,0x6D,0x67,0x0C,0x35,0x4E,0x4A,0xBC,0x98,0x04,
+	0xF1,0x74,0x6C,0x08,0xCA,0x18,0x21,0x7C,0x32,0x90,0x5E,0x46,0x2E,0x36,0xCE,0x3B,
+	0xE3,0x9E,0x77,0x2C,0x18,0x0E,0x86,0x03,0x9B,0x27,0x83,0xA2,0xEC,0x07,0xA2,0x8F,
+	0xB5,0xC5,0x5D,0xF0,0x6F,0x4C,0x52,0xC9,0xDE,0x2B,0xCB,0xF6,0x95,0x58,0x17,0x18,
+	0x39,0x95,0x49,0x7C,0xEA,0x95,0x6A,0xE5,0x15,0xD2,0x26,0x18,0x98,0xFA,0x05,0x10,
+	0x15,0x72,0x8E,0x5A,0x8A,0xAA,0xC4,0x2D,0xAD,0x33,0x17,0x0D,0x04,0x50,0x7A,0x33,
+	0xA8,0x55,0x21,0xAB,0xDF,0x1C,0xBA,0x64,0xEC,0xFB,0x85,0x04,0x58,0xDB,0xEF,0x0A,
+	0x8A,0xEA,0x71,0x57,0x5D,0x06,0x0C,0x7D,0xB3,0x97,0x0F,0x85,0xA6,0xE1,0xE4,0xC7,
+	0xAB,0xF5,0xAE,0x8C,0xDB,0x09,0x33,0xD7,0x1E,0x8C,0x94,0xE0,0x4A,0x25,0x61,0x9D,
+	0xCE,0xE3,0xD2,0x26,0x1A,0xD2,0xEE,0x6B,0xF1,0x2F,0xFA,0x06,0xD9,0x8A,0x08,0x64,
+	0xD8,0x76,0x02,0x73,0x3E,0xC8,0x6A,0x64,0x52,0x1F,0x2B,0x18,0x17,0x7B,0x20,0x0C,
+	0xBB,0xE1,0x17,0x57,0x7A,0x61,0x5D,0x6C,0x77,0x09,0x88,0xC0,0xBA,0xD9,0x46,0xE2,
+	0x08,0xE2,0x4F,0xA0,0x74,0xE5,0xAB,0x31,0x43,0xDB,0x5B,0xFC,0xE0,0xFD,0x10,0x8E,
+	0x4B,0x82,0xD1,0x20,0xA9,0x21,0x08,0x01,0x1A,0x72,0x3C,0x12,0xA7,0x87,0xE6,0xD7,
+	0x88,0x71,0x9A,0x10,0xBD,0xBA,0x5B,0x26,0x99,0xC3,0x27,0x18,0x6A,0xF4,0xE2,0x3C,
+	0x1A,0x94,0x68,0x34,0xB6,0x15,0x0B,0xDA,0x25,0x83,0xE9,0xCA,0x2A,0xD4,0x4C,0xE8,
+	0xDB,0xBB,0xC2,0xDB,0x04,0xDE,0x8E,0xF9,0x2E,0x8E,0xFC,0x14,0x1F,0xBE,0xCA,0xA6,
+	0x28,0x7C,0x59,0x47,0x4E,0x6B,0xC0,0x5D,0x99,0xB2,0x96,0x4F,0xA0,0x90,0xC3,0xA2,
+	0x23,0x3B,0xA1,0x86,0x51,0x5B,0xE7,0xED,0x1F,0x61,0x29,0x70,0xCE,0xE2,0xD7,0xAF,
+	0xB8,0x1B,0xDD,0x76,0x21,0x70,0x48,0x1C,0xD0,0x06,0x91,0x27,0xD5,0xB0,0x5A,0xA9,
+	0x93,0xB4,0xEA,0x98,0x8D,0x8F,0xDD,0xC1,0x86,0xFF,0xB7,0xDC,0x90,0xA6,0xC0,0x8F,
+	0x4D,0xF4,0x35,0xC9,0x34,0x02,0x84,0x92,0x36,0xC3,0xFA,0xB4,0xD2,0x7C,0x70,0x26,
+	0xC1,0xD4,0xDC,0xB2,0x60,0x26,0x46,0xDE,0xC9,0x75,0x1E,0x76,0x3D,0xBA,0x37,0xBD,
+	0xF8,0xFF,0x94,0x06,0xAD,0x9E,0x53,0x0E,0xE5,0xDB,0x38,0x2F,0x41,0x30,0x01,0xAE,
+	0xB0,0x6A,0x53,0xED,0x90,0x27,0xD8,0x31,0x17,0x97,0x27,0xB0,0x86,0x5A,0x89,0x18,
+	0xDA,0x3E,0xDB,0xEB,0xCF,0x9B,0x14,0xED,0x44,0xCE,0x6C,0xBA,0xCE,0xD4,0xBB,0x1B,
+	0xDB,0x7F,0x14,0x47,0xE6,0xCC,0x25,0x4B,0x33,0x20,0x51,0x51,0x2B,0xD7,0xAF,0x42,
+	0x6F,0xB8,0xF4,0x01,0x37,0x8C,0xD2,0xBF,0x59,0x83,0xCA,0x01,0xC6,0x4B,0x92,0xEC,
+	0xF0,0x32,0xEA,0x15,0xD1,0x72,0x1D,0x03,0xF4,0x82,0xD7,0xCE,0x6E,0x74,0xFE,0xF6,
+	0xD5,0x5E,0x70,0x2F,0x46,0x98,0x0C,0x82,0xB5,0xA8,0x40,0x31,0x90,0x0B,0x1C,0x9E,
+	0x59,0xE7,0xC9,0x7F,0xBE,0xC7,0xE8,0xF3,0x23,0xA9,0x7A,0x7E,0x36,0xCC,0x88,0xBE,
+	0x0F,0x1D,0x45,0xB7,0xFF,0x58,0x5A,0xC5,0x4B,0xD4,0x07,0xB2,0x2B,0x41,0x54,0xAA,
+	0xCC,0x8F,0x6D,0x7E,0xBF,0x48,0xE1,0xD8,0x14,0xCC,0x5E,0xD2,0x0F,0x80,0x37,0xE0,
+	0xA7,0x97,0x15,0xEE,0xF2,0x9B,0xE3,0x28,0x06,0xA1,0xD5,0x8B,0xB7,0xC5,0xDA,0x76,
+	0xF5,0x50,0xAA,0x3D,0x8A,0x1F,0xBF,0xF0,0xEB,0x19,0xCC,0xB1,0xA3,0x13,0xD5,0x5C,
+	0xDA,0x56,0xC9,0xEC,0x2E,0xF2,0x96,0x32,0x38,0x7F,0xE8,0xD7,0x6E,0x3C,0x04,0x68,
+	0x04,0x3E,0x8F,0x66,0x3F,0x48,0x60,0xEE,0x12,0xBF,0x2D,0x5B,0x0B,0x74,0x74,0xD6,
+	0xE6,0x94,0xF9,0x1E,0x6D,0xBE,0x11,0x59,0x74,0xA3,0x92,0x6F,0x12,0xFE,0xE5,0xE4,
+	0x38,0x77,0x7C,0xB6,0xA9,0x32,0xDF,0x8C,0xD8,0xBE,0xC4,0xD0,0x73,0xB9,0x31,0xBA,
+	0x3B,0xC8,0x32,0xB6,0x8D,0x9D,0xD3,0x00,0x74,0x1F,0xA7,0xBF,0x8A,0xFC,0x47,0xED,
+	0x25,0x76,0xF6,0x93,0x6B,0xA4,0x24,0x66,0x3A,0xAB,0x63,0x9C,0x5A,0xE4,0xF5,0x68,
+	0x34,0x23,0xB4,0x74,0x2B,0xF1,0xC9,0x78,0x23,0x8F,0x16,0xCB,0xE3,0x9D,0x65,0x2D,
+	0xE3,0xFD,0xB8,0xBE,0xFC,0x84,0x8A,0xD9,0x22,0x22,0x2E,0x04,0xA4,0x03,0x7C,0x07,
+	0x13,0xEB,0x57,0xA8,0x1A,0x23,0xF0,0xC7,0x34,0x73,0xFC,0x64,0x6C,0xEA,0x30,0x6B,
+	0x4B,0xCB,0xC8,0x86,0x2F,0x83,0x85,0xDD,0xFA,0x9D,0x4B,0x7F,0xA2,0xC0,0x87,0xE8,
+	0x79,0x68,0x33,0x03,0xED,0x5B,0xDD,0x3A,0x06,0x2B,0x3C,0xF5,0xB3,0xA2,0x78,0xA6,
+	0x6D,0x2A,0x13,0xF8,0x3F,0x44,0xF8,0x2D,0xDF,0x31,0x0E,0xE0,0x74,0xAB,0x6A,0x36,
+	0x45,0x97,0xE8,0x99,0xA0,0x25,0x5D,0xC1,0x64,0xF3,0x1C,0xC5,0x08,0x46,0x85,0x1D,
+	0xF9,0xAB,0x48,0x19,0x5D,0xED,0x7E,0xA1,0xB1,0xD5,0x10,0xBD,0x7E,0xE7,0x4D,0x73,
+	0xFA,0xF3,0x6B,0xC3,0x1E,0xCF,0xA2,0x68,0x35,0x90,0x46,0xF4,0xEB,0x87,0x9F,0x92,
+	0x40,0x09,0x43,0x8B,0x48,0x1C,0x6C,0xD7,0x88,0x9A,0x00,0x2E,0xD5,0xEE,0x38,0x2B,
+	0xC9,0x19,0x0D,0xA6,0xFC,0x02,0x6E,0x47,0x95,0x58,0xE4,0x47,0x56,0x77,0xE9,0xAA,
+	0x9E,0x30,0x50,0xE2,0x76,0x56,0x94,0xDF,0xC8,0x1F,0x56,0xE8,0x80,0xB9,0x6E,0x71,
+	0x60,0xC9,0x80,0xDD,0x98,0xED,0xD3,0xDF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
+};
+
+typedef struct modulus_entry_t modulus_entry_t;
+
+/** 
+ * Entry of the modulus list.
+ */
+struct modulus_entry_t {
+	/**
+	 * Group number as it is defined in file transform_substructure.h.
+	 */
+	diffie_hellman_group_t group;
+	
+	/**
+	 * Pointer to first byte of modulus (network order).
+	 */
+	u_int8_t *modulus;
+	
+	/* 
+	 * Length of modulus in bytes.
+	 */	
+	size_t modulus_len;
+	
+	/* 
+	 * Generator value.
+	 */	
+	u_int16_t generator;
+};
+
+/**
+ * All supported modulus values.
+ */
+static modulus_entry_t modulus_entries[] = {
+	{MODP_768_BIT, group1_modulus, sizeof(group1_modulus), 2},
+	{MODP_1024_BIT, group2_modulus, sizeof(group2_modulus), 2},
+	{MODP_1536_BIT, group5_modulus, sizeof(group5_modulus), 2},
+	{MODP_2048_BIT, group14_modulus, sizeof(group14_modulus), 2},
+	{MODP_3072_BIT, group15_modulus, sizeof(group15_modulus), 2},
+	{MODP_4096_BIT, group16_modulus, sizeof(group16_modulus), 2},
+	{MODP_6144_BIT, group17_modulus, sizeof(group17_modulus), 2},
+	{MODP_8192_BIT, group18_modulus, sizeof(group18_modulus), 2},
+};
+
+typedef struct private_gmp_diffie_hellman_t private_gmp_diffie_hellman_t;
+
+/**
+ * Private data of an gmp_diffie_hellman_t object.
+ */
+struct private_gmp_diffie_hellman_t {
+	/**
+	 * Public gmp_diffie_hellman_t interface.
+	 */
+	gmp_diffie_hellman_t public;
+	
+	/**
+	 * Diffie Hellman group number.
+	 */
+	u_int16_t group;
+	
+	/* 
+	 * Generator value.
+	 */	
+	mpz_t g;
+
+	/**
+	 * My private value.
+	 */
+	mpz_t xa;
+	
+	/**
+	 * My public value.
+	 */
+	mpz_t ya;
+
+	/**
+	 * Other public value.
+	 */	
+	mpz_t yb;
+	
+	/**
+	 * Shared secret.
+	 */	
+	mpz_t zz;
+
+	/**
+	 * Modulus.
+	 */
+	mpz_t p;
+	
+	/**
+	 * Modulus length.
+	 */
+	size_t p_len;
+
+	/**
+	 * True if shared secret is computed and stored in my_public_value.
+	 */
+	bool computed;
+};
+
+/**
+ * Implementation of gmp_diffie_hellman_t.set_other_public_value.
+ */
+static void set_other_public_value(private_gmp_diffie_hellman_t *this, chunk_t value)
+{
+	mpz_t p_min_1;
+	
+	mpz_init(p_min_1);
+	mpz_sub_ui(p_min_1, this->p, 1);
+	
+	mpz_import(this->yb, value.len, 1, 1, 1, 0, value.ptr);
+	
+	/* check public value: 
+	 * 1. 0 or 1 is invalid as 0^a = 0 and 1^a = 1
+	 * 2. a public value larger or equal the modulus is invalid */
+	if (mpz_cmp_ui(this->yb, 1) > 0 ||
+		mpz_cmp(this->yb, p_min_1) < 0)
+	{
+#ifdef EXTENDED_DH_TEST
+		/* 3. test if y ^ q mod p = 1, where q = (p - 1)/2. */
+		mpz_t q, one;
+		
+		mpz_init(q);
+		mpz_init(one);
+		mpz_fdiv_q_2exp(q, p_min_1, 1);
+		mpz_powm(one, this->yb, q, this->p);
+		mpz_clear(q);
+		if (mpz_cmp_ui(one, 1) == 0)
+		{
+			mpz_powm(this->zz, this->yb, this->xa, this->p);
+			this->computed = TRUE;
+		}
+		else
+		{
+			DBG1("public DH value verification failed: y ^ q mod p != 1");
+		}
+		mpz_clear(one);
+#else
+		mpz_powm(this->zz, this->yb, this->xa, this->p);
+		this->computed = TRUE;
+#endif
+	}
+	else
+	{
+		DBG1("public DH value verification failed: y < 2 || y > p - 1 ");
+	}
+	mpz_clear(p_min_1);
+}
+
+/**
+ * Implementation of gmp_diffie_hellman_t.get_other_public_value.
+ */
+static status_t get_other_public_value(private_gmp_diffie_hellman_t *this, 
+									   chunk_t *value)
+{
+	if (!this->computed)
+	{
+		return FAILED;
+	}
+	value->len = this->p_len;
+    value->ptr = mpz_export(NULL, NULL, 1, value->len, 1, 0, this->yb);
+	return SUCCESS;
+}
+
+/**
+ * Implementation of gmp_diffie_hellman_t.get_my_public_value.
+ */
+static void get_my_public_value(private_gmp_diffie_hellman_t *this,chunk_t *value)
+{
+	value->len = this->p_len;
+    value->ptr = mpz_export(NULL, NULL, 1, value->len, 1, 0, this->ya);
+}
+
+/**
+ * Implementation of gmp_diffie_hellman_t.get_shared_secret.
+ */
+static status_t get_shared_secret(private_gmp_diffie_hellman_t *this, chunk_t *secret)
+{
+	if (!this->computed)
+	{
+		return FAILED;
+	}
+	secret->len = this->p_len;
+    secret->ptr = mpz_export(NULL, NULL, 1, secret->len, 1, 0, this->zz);
+	return SUCCESS;
+}
+
+/**
+ * Implementation of gmp_diffie_hellman_t.get_dh_group.
+ */
+static diffie_hellman_group_t get_dh_group(private_gmp_diffie_hellman_t *this)
+{
+	return this->group;
+}
+
+/**
+ * Lookup the modulus in modulo table
+ */
+static status_t set_modulus(private_gmp_diffie_hellman_t *this)
+{
+	int i;
+	status_t status = NOT_FOUND;
+	
+	for (i = 0; i < (sizeof(modulus_entries) / sizeof(modulus_entry_t)); i++)
+	{
+		if (modulus_entries[i].group == this->group)
+		{
+			chunk_t chunk;
+			chunk.ptr = modulus_entries[i].modulus;
+			chunk.len = modulus_entries[i].modulus_len;
+			mpz_import(this->p, chunk.len, 1, 1, 1, 0, chunk.ptr);
+			this->p_len = chunk.len;
+			mpz_set_ui(this->g, modulus_entries[i].generator);
+			status = SUCCESS;
+			break;
+		}
+	}
+	return status;
+}
+
+/**
+ * Implementation of gmp_diffie_hellman_t.destroy.
+ */
+static void destroy(private_gmp_diffie_hellman_t *this)
+{
+	mpz_clear(this->p);
+	mpz_clear(this->xa);
+	mpz_clear(this->ya);
+	mpz_clear(this->yb);
+	mpz_clear(this->zz);
+	mpz_clear(this->g);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+gmp_diffie_hellman_t *gmp_diffie_hellman_create(diffie_hellman_group_t group)
+{
+	private_gmp_diffie_hellman_t *this = malloc_thing(private_gmp_diffie_hellman_t);
+	rng_t *rng;
+	chunk_t random;
+
+	/* public functions */
+	this->public.dh.get_shared_secret = (status_t (*)(diffie_hellman_t *, chunk_t *)) get_shared_secret;
+	this->public.dh.set_other_public_value = (void (*)(diffie_hellman_t *, chunk_t )) set_other_public_value;
+	this->public.dh.get_other_public_value = (status_t (*)(diffie_hellman_t *, chunk_t *)) get_other_public_value;
+	this->public.dh.get_my_public_value = (void (*)(diffie_hellman_t *, chunk_t *)) get_my_public_value;
+	this->public.dh.get_dh_group = (diffie_hellman_group_t (*)(diffie_hellman_t *)) get_dh_group;
+	this->public.dh.destroy = (void (*)(diffie_hellman_t *)) destroy;
+	
+	/* private variables */
+	this->group = group;
+	mpz_init(this->p);
+	mpz_init(this->yb);
+	mpz_init(this->ya);
+	mpz_init(this->xa);
+	mpz_init(this->zz);
+	mpz_init(this->g);
+	
+	this->computed = FALSE;
+		
+	/* find a modulus according to group */	
+	if (set_modulus(this) != SUCCESS)
+	{
+		destroy(this);
+		return NULL;
+	}
+	rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
+	if (!rng)
+	{
+		DBG1("no RNG found for quality %N", rng_quality_names, RNG_STRONG);
+		destroy(this);
+		return NULL;
+	}
+	rng->allocate_bytes(rng, this->p_len, &random);
+	rng->destroy(rng);
+	mpz_import(this->xa, random.len, 1, 1, 1, 0, random.ptr);
+	chunk_free(&random);
+	
+	mpz_powm(this->ya, this->g, this->xa, this->p);
+	
+	return &this->public;
+}
+
diff --git a/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.h b/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.h
new file mode 100644
index 000000000..e2d4d6851
--- /dev/null
+++ b/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2005-2007 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup gmp_diffie_hellman gmp_diffie_hellman
+ * @{ @ingroup gmp_p
+ */
+
+#ifndef GMP_DIFFIE_HELLMAN_H_
+#define GMP_DIFFIE_HELLMAN_H_
+
+typedef struct gmp_diffie_hellman_t gmp_diffie_hellman_t;
+
+#include <library.h>
+
+/**
+ * Implementation of the Diffie-Hellman algorithm, as in RFC2631. Uses libgmp.
+ */
+struct gmp_diffie_hellman_t {
+	
+	/**
+	 * Implements diffie_hellman_t interface.
+	 */
+	diffie_hellman_t dh;
+};
+
+/**
+ * Creates a new gmp_diffie_hellman_t object.
+ * 
+ * @param group			Diffie Hellman group number to use
+ * @return				gmp_diffie_hellman_t object, NULL if not supported
+ */
+gmp_diffie_hellman_t *gmp_diffie_hellman_create(diffie_hellman_group_t group);
+
+#endif /*GMP_DIFFIE_HELLMAN_H_ @}*/
+
diff --git a/src/libstrongswan/plugins/gmp/gmp_plugin.c b/src/libstrongswan/plugins/gmp/gmp_plugin.c
new file mode 100644
index 000000000..56fb0ddd8
--- /dev/null
+++ b/src/libstrongswan/plugins/gmp/gmp_plugin.c
@@ -0,0 +1,85 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id: gmp_plugin.c 3962 2008-05-15 12:39:35Z tobias $
+ */
+
+#include "gmp_plugin.h"
+
+#include <library.h>
+#include "gmp_diffie_hellman.h"
+#include "gmp_rsa_private_key.h"
+#include "gmp_rsa_public_key.h"
+
+typedef struct private_gmp_plugin_t private_gmp_plugin_t;
+
+/**
+ * private data of gmp_plugin
+ */
+struct private_gmp_plugin_t {
+
+	/**
+	 * public functions
+	 */
+	gmp_plugin_t public;
+};
+
+/**
+ * Implementation of gmp_plugin_t.gmptroy
+ */
+static void destroy(private_gmp_plugin_t *this)
+{
+	lib->crypto->remove_dh(lib->crypto,
+						(dh_constructor_t)gmp_diffie_hellman_create);
+	lib->creds->remove_builder(lib->creds,
+						(builder_constructor_t)gmp_rsa_private_key_builder);
+	lib->creds->remove_builder(lib->creds,
+						(builder_constructor_t)gmp_rsa_public_key_builder);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *plugin_create()
+{
+	private_gmp_plugin_t *this = malloc_thing(private_gmp_plugin_t);
+	
+	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+	
+	lib->crypto->add_dh(lib->crypto, MODP_768_BIT, 
+						(dh_constructor_t)gmp_diffie_hellman_create);
+	lib->crypto->add_dh(lib->crypto, MODP_1024_BIT,
+						(dh_constructor_t)gmp_diffie_hellman_create);
+	lib->crypto->add_dh(lib->crypto, MODP_1536_BIT, 
+						(dh_constructor_t)gmp_diffie_hellman_create);
+	lib->crypto->add_dh(lib->crypto, MODP_2048_BIT, 
+						(dh_constructor_t)gmp_diffie_hellman_create);
+	lib->crypto->add_dh(lib->crypto, MODP_3072_BIT, 
+						(dh_constructor_t)gmp_diffie_hellman_create);
+	lib->crypto->add_dh(lib->crypto, MODP_4096_BIT, 
+						(dh_constructor_t)gmp_diffie_hellman_create);
+	lib->crypto->add_dh(lib->crypto, MODP_6144_BIT, 
+						(dh_constructor_t)gmp_diffie_hellman_create);
+	lib->crypto->add_dh(lib->crypto, MODP_8192_BIT, 
+						(dh_constructor_t)gmp_diffie_hellman_create);
+	
+	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+						(builder_constructor_t)gmp_rsa_private_key_builder);
+	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
+						(builder_constructor_t)gmp_rsa_public_key_builder);
+	
+	return &this->public.plugin;
+}
+
diff --git a/src/libstrongswan/plugins/gmp/gmp_plugin.h b/src/libstrongswan/plugins/gmp/gmp_plugin.h
new file mode 100644
index 000000000..a853064b7
--- /dev/null
+++ b/src/libstrongswan/plugins/gmp/gmp_plugin.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup gmp_p gmp
+ * @ingroup plugins
+ * 
+ * @defgroup gmp_plugin gmp_plugin
+ * @{ @ingroup gmp_p
+ */
+
+#ifndef GMP_PLUGIN_H_
+#define GMP_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct gmp_plugin_t gmp_plugin_t;
+
+/**
+ * Plugin implementing asymmetric crypto algorithms using the GNU MP library.
+ */
+struct gmp_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+/**
+ * Create a gmp_plugin instance.
+ */
+plugin_t *plugin_create();
+
+#endif /* GMP_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c
new file mode 100644
index 000000000..cd951f0e4
--- /dev/null
+++ b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c
@@ -0,0 +1,842 @@
+/*
+ * Copyright (C) 2005-2008 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id: gmp_rsa_private_key.c 4014 2008-05-23 19:23:04Z andreas $
+ */
+
+#include <gmp.h>
+#include <sys/stat.h>
+#include <unistd.h>
+#include <string.h>
+
+#include "gmp_rsa_private_key.h"
+#include "gmp_rsa_public_key.h"
+
+#include <debug.h>
+#include <asn1/oid.h>
+#include <asn1/asn1.h>
+#include <asn1/asn1_parser.h>
+
+/**
+ *  Public exponent to use for key generation.
+ */
+#define PUBLIC_EXPONENT 0x10001
+
+typedef struct private_gmp_rsa_private_key_t private_gmp_rsa_private_key_t;
+
+/**
+ * Private data of a gmp_rsa_private_key_t object.
+ */
+struct private_gmp_rsa_private_key_t {
+	/**
+	 * Public interface for this signer.
+	 */
+	gmp_rsa_private_key_t public;
+	
+	/**
+	 * Version of key, as encoded in PKCS#1
+	 */
+	u_int version;
+	
+	/**
+	 * Public modulus.
+	 */
+	mpz_t n;
+	
+	/**
+	 * Public exponent.
+	 */
+	mpz_t e;
+	
+	/**
+	 * Private prime 1.
+	 */
+	mpz_t p;
+	
+	/**
+	 * Private Prime 2.
+	 */
+	mpz_t q;
+	
+	/**
+	 * Private exponent.
+	 */
+	mpz_t d;
+	
+	/**
+	 * Private exponent 1.
+	 */
+	mpz_t exp1;
+	
+	/**
+	 * Private exponent 2.
+	 */
+	mpz_t exp2;
+	
+	/**
+	 * Private coefficient.
+	 */
+	mpz_t coeff;
+	
+	/**
+	 * Keysize in bytes.
+	 */
+	size_t k;
+
+	/**
+	 * Keyid formed as a SHA-1 hash of a publicKey object
+	 */
+	identification_t* keyid;
+
+	/**
+	 * Keyid formed as a SHA-1 hash of a publicKeyInfo object
+	 */
+	identification_t* keyid_info;
+	
+	/**
+	 * reference count
+	 */
+	refcount_t ref;	
+};
+
+/**
+ * shared functions, implemented in gmp_rsa_public_key.c
+ */
+bool gmp_rsa_public_key_build_id(mpz_t n, mpz_t e, identification_t **keyid,
+								 identification_t **keyid_info);
+gmp_rsa_public_key_t *gmp_rsa_public_key_create_from_n_e(mpz_t n, mpz_t e);
+
+/**
+ * Auxiliary function overwriting private key material with zero bytes
+ */
+static void mpz_clear_randomized(mpz_t z)
+{
+	size_t len = mpz_size(z) * GMP_LIMB_BITS / BITS_PER_BYTE;
+	u_int8_t *random = alloca(len);
+	
+	memset(random, 0, len);
+	/* overwrite mpz_t with zero bytes before clearing it */
+	mpz_import(z, len, 1, 1, 1, 0, random);
+	mpz_clear(z);
+}
+
+/**
+ * Create a mpz prime of at least prime_size
+ */
+static status_t compute_prime(private_gmp_rsa_private_key_t *this,
+							  size_t prime_size, mpz_t *prime)
+{
+	rng_t *rng;
+	chunk_t random_bytes;
+	
+	rng = lib->crypto->create_rng(lib->crypto, RNG_REAL);
+	if (!rng)
+	{
+		DBG1("no RNG of quality %N found", rng_quality_names, RNG_REAL);
+		return FAILED;
+	}
+	
+	mpz_init(*prime);
+	do
+	{
+		rng->allocate_bytes(rng, prime_size, &random_bytes);
+		/* make sure most significant bit is set */
+		random_bytes.ptr[0] = random_bytes.ptr[0] | 0x80;
+		
+		mpz_import(*prime, random_bytes.len, 1, 1, 1, 0, random_bytes.ptr);
+		mpz_nextprime (*prime, *prime);
+		chunk_clear(&random_bytes);
+	}
+	/* check if it isn't too large */
+	while (((mpz_sizeinbase(*prime, 2) + 7) / 8) > prime_size);
+	
+	rng->destroy(rng);
+	return SUCCESS;
+}
+
+/**
+ * PKCS#1 RSADP function
+ */
+static chunk_t rsadp(private_gmp_rsa_private_key_t *this, chunk_t data)
+{
+	mpz_t t1, t2;
+	chunk_t decrypted;
+	
+	mpz_init(t1);
+	mpz_init(t2);
+	
+	mpz_import(t1, data.len, 1, 1, 1, 0, data.ptr);
+	
+	mpz_powm(t2, t1, this->exp1, this->p);	/* m1 = c^dP mod p */
+	mpz_powm(t1, t1, this->exp2, this->q);	/* m2 = c^dQ mod Q */
+	mpz_sub(t2, t2, t1);					/* h = qInv (m1 - m2) mod p */
+	mpz_mod(t2, t2, this->p);
+	mpz_mul(t2, t2, this->coeff);
+	mpz_mod(t2, t2, this->p);
+	
+	mpz_mul(t2, t2, this->q);				/* m = m2 + h q */
+	mpz_add(t1, t1, t2);
+	
+	decrypted.len = this->k;
+	decrypted.ptr = mpz_export(NULL, NULL, 1, decrypted.len, 1, 0, t1);
+	
+	mpz_clear_randomized(t1);
+	mpz_clear_randomized(t2);
+	
+	return decrypted;
+}
+
+/**
+ * PKCS#1 RSASP1 function
+ */
+static chunk_t rsasp1(private_gmp_rsa_private_key_t *this, chunk_t data)
+{
+	return rsadp(this, data);
+}
+
+/**
+ * Implementation of gmp_rsa_private_key_t.build_emsa_pkcs1_signature.
+ */
+static bool build_emsa_pkcs1_signature(private_gmp_rsa_private_key_t *this,
+									   hash_algorithm_t hash_algorithm,
+									   chunk_t data, chunk_t *signature)
+{
+	hasher_t *hasher;
+	chunk_t em, digestInfo, hash;
+	int hash_oid = hasher_algorithm_to_oid(hash_algorithm);
+	
+	if (hash_oid == OID_UNKNOWN)
+	{
+		return FALSE;
+	}
+
+	/* get hasher */
+	hasher = lib->crypto->create_hasher(lib->crypto, hash_algorithm);
+	if (hasher == NULL)
+	{
+		return FALSE;
+	}
+	
+	/* build hash */
+	hasher->allocate_hash(hasher, data, &hash);
+	hasher->destroy(hasher);
+	
+	/* build DER-encoded digestInfo */
+	digestInfo = asn1_wrap(ASN1_SEQUENCE, "cm",
+					asn1_algorithmIdentifier(hash_oid),
+					asn1_simple_object(ASN1_OCTET_STRING, hash)
+				  );
+	chunk_free(&hash);
+
+	/* build chunk to rsa-decrypt:
+	 * EM = 0x00 || 0x01 || PS || 0x00 || T. 
+	 * PS = 0xFF padding, with length to fill em
+	 * T = encoded_hash
+	 */
+	em.len = this->k;
+	em.ptr = malloc(em.len);
+	
+	/* fill em with padding */
+	memset(em.ptr, 0xFF, em.len);
+	/* set magic bytes */
+	*(em.ptr) = 0x00;
+	*(em.ptr+1) = 0x01;
+	*(em.ptr + em.len - digestInfo.len - 1) = 0x00;
+	/* set DER-encoded hash */
+	memcpy(em.ptr + em.len - digestInfo.len, digestInfo.ptr, digestInfo.len);
+
+	/* build signature */
+	*signature = rsasp1(this, em);
+	
+	free(digestInfo.ptr);
+	free(em.ptr);
+	
+	return TRUE;	
+}
+
+/**
+ * Implementation of gmp_rsa_private_key.destroy.
+ */
+static key_type_t get_type(private_gmp_rsa_private_key_t *this)
+{
+	return KEY_RSA;
+}
+
+/**
+ * Implementation of gmp_rsa_private_key.destroy.
+ */
+static bool sign(private_gmp_rsa_private_key_t *this, signature_scheme_t scheme, 
+				 chunk_t data, chunk_t *signature)
+{
+	switch (scheme)
+	{
+		case SIGN_DEFAULT:
+			/* default is EMSA-PKCS1 using SHA1 */
+		case SIGN_RSA_EMSA_PKCS1_SHA1:
+			return build_emsa_pkcs1_signature(this, HASH_SHA1, data, signature);
+		case SIGN_RSA_EMSA_PKCS1_SHA256:
+			return build_emsa_pkcs1_signature(this, HASH_SHA256, data, signature);
+		case SIGN_RSA_EMSA_PKCS1_SHA384:
+			return build_emsa_pkcs1_signature(this, HASH_SHA384, data, signature);
+		case SIGN_RSA_EMSA_PKCS1_SHA512:
+			return build_emsa_pkcs1_signature(this, HASH_SHA512, data, signature);
+		case SIGN_RSA_EMSA_PKCS1_MD5:
+			return build_emsa_pkcs1_signature(this, HASH_MD5, data, signature);
+		default:
+			DBG1("signature scheme %N not supported in RSA",
+				 signature_scheme_names, scheme);
+			return FALSE;
+	}
+}
+
+/**
+ * Implementation of gmp_rsa_private_key.destroy.
+ */
+static bool decrypt(private_gmp_rsa_private_key_t *this,
+					chunk_t crypto, chunk_t *plain)
+{
+	DBG1("RSA private key decryption not implemented");
+	return FALSE;
+}
+
+/**
+ * Implementation of gmp_rsa_private_key.destroy.
+ */
+static size_t get_keysize(private_gmp_rsa_private_key_t *this)
+{
+	return this->k;
+}
+
+/**
+ * Implementation of gmp_rsa_private_key.destroy.
+ */
+static identification_t* get_id(private_gmp_rsa_private_key_t *this,
+								id_type_t type)
+{
+	switch (type)
+	{
+		case ID_PUBKEY_INFO_SHA1:
+			return this->keyid_info;
+		case ID_PUBKEY_SHA1:
+			return this->keyid;
+		default:
+			return NULL;
+	}
+}
+
+/**
+ * Implementation of gmp_rsa_private_key.get_public_key.
+ */
+static gmp_rsa_public_key_t* get_public_key(private_gmp_rsa_private_key_t *this)
+{
+	return gmp_rsa_public_key_create_from_n_e(this->n, this->e);
+}
+
+/**
+ * Implementation of gmp_rsa_private_key.destroy.
+ */
+static bool belongs_to(private_gmp_rsa_private_key_t *this, public_key_t *public)
+{
+	identification_t *keyid;
+
+	if (public->get_type(public) != KEY_RSA)
+	{
+		return FALSE;
+	}
+	keyid = public->get_id(public, ID_PUBKEY_SHA1);
+	if (keyid && keyid->equals(keyid, this->keyid))
+	{
+		return TRUE;
+	}
+	keyid = public->get_id(public, ID_PUBKEY_INFO_SHA1);
+	if (keyid && keyid->equals(keyid, this->keyid_info))
+	{
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/**
+ * convert a MP integer into a DER coded ASN.1 object
+ */
+chunk_t gmp_mpz_to_asn1(const mpz_t value)
+{
+	chunk_t n;
+	
+	n.len = 1 + mpz_sizeinbase(value, 2) / 8;  /* size in bytes */
+	n.ptr = mpz_export(NULL, NULL, 1, n.len, 1, 0, value);
+	if (n.ptr == NULL)
+	{	/* if we have zero in "value", gmp returns NULL */
+		n.len = 0;
+	}
+	return asn1_wrap(ASN1_INTEGER, "m", n);
+}
+
+/**
+ * Implementation of private_key_t.get_encoding.
+ */
+static chunk_t get_encoding(private_gmp_rsa_private_key_t *this)
+{
+	return asn1_wrap(ASN1_SEQUENCE, "cmmmmmmmm",
+					 ASN1_INTEGER_0,
+					 gmp_mpz_to_asn1(this->n),
+					 gmp_mpz_to_asn1(this->e),
+					 gmp_mpz_to_asn1(this->d),
+					 gmp_mpz_to_asn1(this->p),
+					 gmp_mpz_to_asn1(this->q),
+					 gmp_mpz_to_asn1(this->exp1),
+					 gmp_mpz_to_asn1(this->exp2),
+					 gmp_mpz_to_asn1(this->coeff));
+}
+
+/**
+ * Implementation of gmp_rsa_private_key.destroy.
+ */
+static private_gmp_rsa_private_key_t* get_ref(private_gmp_rsa_private_key_t *this)
+{
+	ref_get(&this->ref);
+	return this;
+
+}
+
+/**
+ * Implementation of gmp_rsa_private_key.destroy.
+ */
+static void destroy(private_gmp_rsa_private_key_t *this)
+{
+	if (ref_put(&this->ref))
+	{
+		mpz_clear_randomized(this->n);
+		mpz_clear_randomized(this->e);
+		mpz_clear_randomized(this->p);
+		mpz_clear_randomized(this->q);
+		mpz_clear_randomized(this->d);
+		mpz_clear_randomized(this->exp1);
+		mpz_clear_randomized(this->exp2);
+		mpz_clear_randomized(this->coeff);
+		DESTROY_IF(this->keyid);
+		DESTROY_IF(this->keyid_info);
+		free(this);
+	}
+}
+
+/**
+ * Check the loaded key if it is valid and usable
+ */
+static status_t check(private_gmp_rsa_private_key_t *this)
+{
+	mpz_t t, u, q1;
+	status_t status = SUCCESS;
+	
+	/* PKCS#1 1.5 section 6 requires modulus to have at least 12 octets.
+	 * We actually require more (for security).
+	 */
+	if (this->k < 512/8)
+	{
+		DBG1("key shorter than 512 bits");
+		return FAILED;
+	}
+	
+	/* we picked a max modulus size to simplify buffer allocation */
+	if (this->k > 8192/8)
+	{
+		DBG1("key larger than 8192 bits");
+		return FAILED;
+	}
+	
+	mpz_init(t);
+	mpz_init(u);
+	mpz_init(q1);
+	
+	/* check that n == p * q */
+	mpz_mul(u, this->p, this->q);
+	if (mpz_cmp(u, this->n) != 0)
+	{
+		status = FAILED;
+	}
+	
+	/* check that e divides neither p-1 nor q-1 */
+	mpz_sub_ui(t, this->p, 1);
+	mpz_mod(t, t, this->e);
+	if (mpz_cmp_ui(t, 0) == 0)
+	{
+		status = FAILED;
+	}
+	
+	mpz_sub_ui(t, this->q, 1);
+	mpz_mod(t, t, this->e);
+	if (mpz_cmp_ui(t, 0) == 0)
+	{
+		status = FAILED;
+	}
+	
+	/* check that d is e^-1 (mod lcm(p-1, q-1)) */
+	/* see PKCS#1v2, aka RFC 2437, for the "lcm" */
+	mpz_sub_ui(q1, this->q, 1);
+	mpz_sub_ui(u, this->p, 1);
+	mpz_gcd(t, u, q1);		/* t := gcd(p-1, q-1) */
+	mpz_mul(u, u, q1);		/* u := (p-1) * (q-1) */
+	mpz_divexact(u, u, t);	/* u := lcm(p-1, q-1) */
+	
+	mpz_mul(t, this->d, this->e);
+	mpz_mod(t, t, u);
+	if (mpz_cmp_ui(t, 1) != 0)
+	{
+		status = FAILED;
+	}
+	
+	/* check that exp1 is d mod (p-1) */
+	mpz_sub_ui(u, this->p, 1);
+	mpz_mod(t, this->d, u);
+	if (mpz_cmp(t, this->exp1) != 0)
+	{
+		status = FAILED;
+	}
+	
+	/* check that exp2 is d mod (q-1) */
+	mpz_sub_ui(u, this->q, 1);
+	mpz_mod(t, this->d, u);
+	if (mpz_cmp(t, this->exp2) != 0)
+	{
+		status = FAILED;
+	}
+	
+	/* check that coeff is (q^-1) mod p */
+	mpz_mul(t, this->coeff, this->q);
+	mpz_mod(t, t, this->p);
+	if (mpz_cmp_ui(t, 1) != 0)
+	{
+		status = FAILED;
+	}
+	
+	mpz_clear_randomized(t);
+	mpz_clear_randomized(u);
+	mpz_clear_randomized(q1);
+	if (status != SUCCESS)
+	{
+		DBG1("key integrity tests failed");
+	}
+	return status;
+}
+
+/**
+ * Internal generic constructor
+ */
+static private_gmp_rsa_private_key_t *gmp_rsa_private_key_create_empty(void)
+{
+	private_gmp_rsa_private_key_t *this = malloc_thing(private_gmp_rsa_private_key_t);
+	
+	this->public.interface.get_type = (key_type_t (*)(private_key_t *this))get_type;
+	this->public.interface.sign = (bool (*)(private_key_t *this, signature_scheme_t scheme, chunk_t data, chunk_t *signature))sign;
+	this->public.interface.decrypt = (bool (*)(private_key_t *this, chunk_t crypto, chunk_t *plain))decrypt;
+	this->public.interface.get_keysize = (size_t (*) (private_key_t *this))get_keysize;
+	this->public.interface.get_id = (identification_t* (*) (private_key_t *this,id_type_t))get_id;
+	this->public.interface.get_public_key = (public_key_t* (*)(private_key_t *this))get_public_key;
+	this->public.interface.belongs_to = (bool (*) (private_key_t *this, public_key_t *public))belongs_to;
+	this->public.interface.get_encoding = (chunk_t(*)(private_key_t*))get_encoding;
+	this->public.interface.get_ref = (private_key_t* (*)(private_key_t *this))get_ref;
+	this->public.interface.destroy = (void (*)(private_key_t *this))destroy;
+	
+	this->keyid = NULL;
+	this->keyid_info = NULL;
+	this->ref = 1;
+	
+	return this;
+}
+
+/**
+ * Generate an RSA key of specified key size
+ */
+static gmp_rsa_private_key_t *generate(size_t key_size)
+{
+	mpz_t p, q, n, e, d, exp1, exp2, coeff;
+	mpz_t m, q1, t;
+	private_gmp_rsa_private_key_t *this = gmp_rsa_private_key_create_empty();
+	
+	key_size = key_size / 8;
+	
+	/* Get values of primes p and q  */
+	if (compute_prime(this, key_size/2, &p) != SUCCESS)
+	{
+		free(this);
+		return NULL;
+	}	
+	if (compute_prime(this, key_size/2, &q) != SUCCESS)
+	{
+		mpz_clear(p);
+		free(this);
+		return NULL;
+	}
+	
+	mpz_init(t);	
+	mpz_init(n);
+	mpz_init(d);
+	mpz_init(exp1);
+	mpz_init(exp2);
+	mpz_init(coeff);
+	
+	/* Swapping Primes so p is larger then q */
+	if (mpz_cmp(p, q) < 0)
+	{
+		mpz_swap(p, q);
+	}
+	
+	mpz_mul(n, p, q);						/* n = p*q */
+	mpz_init_set_ui(e, PUBLIC_EXPONENT);	/* assign public exponent */
+	mpz_init_set(m, p); 					/* m = p */
+	mpz_sub_ui(m, m, 1);					/* m = m -1 */
+	mpz_init_set(q1, q);					/* q1 = q */
+	mpz_sub_ui(q1, q1, 1);					/* q1 = q1 -1 */
+	mpz_gcd(t, m, q1);						/* t = gcd(p-1, q-1) */
+	mpz_mul(m, m, q1);						/* m = (p-1)*(q-1) */
+	mpz_divexact(m, m, t);					/* m = m / t */
+	mpz_gcd(t, m, e);						/* t = gcd(m, e) */
+
+	mpz_invert(d, e, m);					/* e has an inverse mod m */
+	if (mpz_cmp_ui(d, 0) < 0)				/* make sure d is positive */
+	{
+		mpz_add(d, d, m);
+	}
+	mpz_sub_ui(t, p, 1);					/* t = p-1 */
+	mpz_mod(exp1, d, t);					/* exp1 = d mod p-1 */
+	mpz_sub_ui(t, q, 1);					/* t = q-1 */
+	mpz_mod(exp2, d, t);					/* exp2 = d mod q-1 */
+	
+	mpz_invert(coeff, q, p);				/* coeff = q^-1 mod p */
+	if (mpz_cmp_ui(coeff, 0) < 0)			/* make coeff d is positive */
+	{
+		mpz_add(coeff, coeff, p);
+	}
+
+	mpz_clear_randomized(q1);
+	mpz_clear_randomized(m);
+	mpz_clear_randomized(t);
+
+	/* apply values */
+	*(this->p) = *p;
+	*(this->q) = *q;
+	*(this->n) = *n;
+	*(this->e) = *e;
+	*(this->d) = *d;
+	*(this->exp1) = *exp1;
+	*(this->exp2) = *exp2;
+	*(this->coeff) = *coeff;
+	
+	/* set key size in bytes */
+	this->k = key_size;
+	
+	return &this->public;
+}
+
+/**
+ * ASN.1 definition of a PKCS#1 RSA private key
+ */
+static const asn1Object_t privkeyObjects[] = {
+	{ 0, "RSAPrivateKey",		ASN1_SEQUENCE,     ASN1_NONE }, /*  0 */
+	{ 1,   "version",			ASN1_INTEGER,      ASN1_BODY }, /*  1 */
+	{ 1,   "modulus",			ASN1_INTEGER,      ASN1_BODY }, /*  2 */
+	{ 1,   "publicExponent",	ASN1_INTEGER,      ASN1_BODY }, /*  3 */
+	{ 1,   "privateExponent",	ASN1_INTEGER,      ASN1_BODY }, /*  4 */
+	{ 1,   "prime1",			ASN1_INTEGER,      ASN1_BODY }, /*  5 */
+	{ 1,   "prime2",			ASN1_INTEGER,      ASN1_BODY }, /*  6 */
+	{ 1,   "exponent1",			ASN1_INTEGER,      ASN1_BODY }, /*  7 */
+	{ 1,   "exponent2",			ASN1_INTEGER,      ASN1_BODY }, /*  8 */
+	{ 1,   "coefficient",		ASN1_INTEGER,      ASN1_BODY }, /*  9 */
+	{ 1,   "otherPrimeInfos",	ASN1_SEQUENCE,     ASN1_OPT |
+												   ASN1_LOOP }, /* 10 */
+	{ 2,     "otherPrimeInfo",	ASN1_SEQUENCE,     ASN1_NONE }, /* 11 */
+	{ 3,       "prime",			ASN1_INTEGER,      ASN1_BODY }, /* 12 */
+	{ 3,       "exponent",		ASN1_INTEGER,      ASN1_BODY }, /* 13 */
+	{ 3,       "coefficient",	ASN1_INTEGER,      ASN1_BODY }, /* 14 */
+	{ 1,   "end opt or loop",	ASN1_EOC,          ASN1_END  }, /* 15 */
+	{ 0, "exit",				ASN1_EOC,          ASN1_EXIT }
+};
+#define PRIV_KEY_VERSION		 1
+#define PRIV_KEY_MODULUS		 2
+#define PRIV_KEY_PUB_EXP		 3
+#define PRIV_KEY_PRIV_EXP		 4
+#define PRIV_KEY_PRIME1			 5
+#define PRIV_KEY_PRIME2			 6
+#define PRIV_KEY_EXP1			 7
+#define PRIV_KEY_EXP2			 8
+#define PRIV_KEY_COEFF			 9
+
+/**
+ * load private key from a ASN1 encoded blob
+ */
+static gmp_rsa_private_key_t *load(chunk_t blob)
+{
+	asn1_parser_t *parser;
+	chunk_t object;
+	int objectID ;
+	bool success = FALSE;
+
+	private_gmp_rsa_private_key_t *this = gmp_rsa_private_key_create_empty();
+	
+	mpz_init(this->n);
+	mpz_init(this->e);
+	mpz_init(this->p);
+	mpz_init(this->q);
+	mpz_init(this->d);
+	mpz_init(this->exp1);
+	mpz_init(this->exp2);
+	mpz_init(this->coeff);
+	
+	parser = asn1_parser_create(privkeyObjects, blob);
+	parser->set_flags(parser, FALSE, TRUE);
+	
+	while (parser->iterate(parser, &objectID, &object))
+	{
+		switch (objectID)
+		{
+			case PRIV_KEY_VERSION:
+				if (object.len > 0 && *object.ptr != 0)
+				{
+					goto end;
+				}
+				break;
+			case PRIV_KEY_MODULUS:
+				mpz_import(this->n, object.len, 1, 1, 1, 0, object.ptr);
+				break;
+			case PRIV_KEY_PUB_EXP:
+				mpz_import(this->e, object.len, 1, 1, 1, 0, object.ptr);
+				break;
+			case PRIV_KEY_PRIV_EXP:
+				mpz_import(this->d, object.len, 1, 1, 1, 0, object.ptr);
+				break;
+			case PRIV_KEY_PRIME1:
+				mpz_import(this->p, object.len, 1, 1, 1, 0, object.ptr);
+				break;
+			case PRIV_KEY_PRIME2:
+				mpz_import(this->q, object.len, 1, 1, 1, 0, object.ptr);
+				break;
+			case PRIV_KEY_EXP1:
+				mpz_import(this->exp1, object.len, 1, 1, 1, 0, object.ptr);
+				break;
+			case PRIV_KEY_EXP2:
+				mpz_import(this->exp2, object.len, 1, 1, 1, 0, object.ptr);
+				break;
+			case PRIV_KEY_COEFF:
+				mpz_import(this->coeff, object.len, 1, 1, 1, 0, object.ptr);
+				break;
+		}
+	}
+	success = parser->success(parser);
+
+end:
+	parser->destroy(parser);
+	chunk_clear(&blob);
+
+	if (!success)
+	{
+		destroy(this);
+		return NULL;
+	}
+	
+	this->k = (mpz_sizeinbase(this->n, 2) + 7) / BITS_PER_BYTE;
+
+	if (!gmp_rsa_public_key_build_id(this->n, this->e,
+									 &this->keyid, &this->keyid_info))
+	{
+		destroy(this);
+		return NULL;
+	}
+
+	if (check(this) != SUCCESS)
+	{
+		destroy(this);
+		return NULL;
+	}
+	return &this->public;
+}
+
+typedef struct private_builder_t private_builder_t;
+/**
+ * Builder implementation for key loading/generation
+ */
+struct private_builder_t {
+	/** implements the builder interface */
+	builder_t public;
+	/** loaded/generated private key */
+	gmp_rsa_private_key_t *key;
+};
+
+/**
+ * Implementation of builder_t.build
+ */
+static gmp_rsa_private_key_t *build(private_builder_t *this)
+{
+	gmp_rsa_private_key_t *key = this->key;
+	
+	free(this);
+	return key;
+}
+
+/**
+ * Implementation of builder_t.add
+ */
+static void add(private_builder_t *this, builder_part_t part, ...)
+{
+	va_list args;
+	
+	if (this->key)
+	{
+		DBG1("ignoring surplus build part %N", builder_part_names, part);
+		return;
+	}
+	
+	switch (part)
+	{
+		case BUILD_BLOB_ASN1_DER:
+		{
+			va_start(args, part);
+			this->key = load(va_arg(args, chunk_t));
+			va_end(args);
+			break;
+		}		
+		case BUILD_KEY_SIZE:
+		{
+			va_start(args, part);
+			this->key = generate(va_arg(args, u_int));
+			va_end(args);
+			break;
+		}
+		default:
+			DBG1("ignoring unsupported build part %N", builder_part_names, part);
+			break;
+	}
+}
+
+/**
+ * Builder construction function
+ */
+builder_t *gmp_rsa_private_key_builder(key_type_t type)
+{
+	private_builder_t *this;
+	
+	if (type != KEY_RSA)
+	{
+		return NULL;
+	}
+	
+	this = malloc_thing(private_builder_t);
+	
+	this->key = NULL;
+	this->public.add = (void(*)(builder_t *this, builder_part_t part, ...))add;
+	this->public.build = (void*(*)(builder_t *this))build;
+	
+	return &this->public;
+}
+
diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.h b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.h
new file mode 100644
index 000000000..6f59b2ad2
--- /dev/null
+++ b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.h
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) 2005-2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup gmp_rsa_private_key gmp_rsa_private_key
+ * @{ @ingroup gmp_p
+ */
+
+#ifndef GMP_RSA_PRIVATE_KEY_H_
+#define GMP_RSA_PRIVATE_KEY_H_
+
+#include <credentials/keys/private_key.h>
+
+typedef struct gmp_rsa_private_key_t gmp_rsa_private_key_t;
+
+/**
+ * Private_key_t implementation of RSA algorithm using libgmp.
+ */
+struct gmp_rsa_private_key_t {
+
+	/**
+	 * Implements private_key_t interface
+	 */
+	private_key_t interface;
+};
+
+/**
+ * Create the builder for a private key.
+ *
+ * @param type		type of the key, must be KEY_RSA
+ * @return 			builder instance
+ */
+builder_t *gmp_rsa_private_key_builder(key_type_t type);
+
+#endif /*GMP_RSA_PRIVATE_KEY_H_ @}*/
+
diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
new file mode 100644
index 000000000..e4f898ecc
--- /dev/null
+++ b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
@@ -0,0 +1,587 @@
+/*
+ * Copyright (C) 2005-2008 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id: gmp_rsa_public_key.c 3988 2008-05-21 13:01:58Z martin $
+ */
+ 
+#include <gmp.h>
+#include <sys/stat.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <string.h>
+
+#include "gmp_rsa_public_key.h"
+
+#include <debug.h>
+#include <asn1/oid.h>
+#include <asn1/asn1.h>
+#include <asn1/asn1_parser.h>
+#include <asn1/pem.h>
+#include <crypto/hashers/hasher.h>
+
+/**
+ * defined in gmp_rsa_private_key.c
+ */
+extern chunk_t gmp_mpz_to_asn1(const mpz_t value);
+
+typedef struct private_gmp_rsa_public_key_t private_gmp_rsa_public_key_t;
+
+/**
+ * Private data structure with signing context.
+ */
+struct private_gmp_rsa_public_key_t {
+	/**
+	 * Public interface for this signer.
+	 */
+	gmp_rsa_public_key_t public;
+	
+	/**
+	 * Public modulus.
+	 */
+	mpz_t n;
+	
+	/**
+	 * Public exponent.
+	 */
+	mpz_t e;
+	
+	/**
+	 * Keysize in bytes.
+	 */
+	size_t k;
+	
+	/**
+	 * Keyid formed as a SHA-1 hash of a publicKeyInfo object
+	 */
+	identification_t *keyid_info;
+	
+	/**
+	 * Keyid formed as a SHA-1 hash of a publicKey object
+	 */
+	identification_t *keyid;
+	
+	/**
+	 * reference counter
+	 */
+	refcount_t ref;
+};
+
+/**
+ * RSAEP algorithm specified in PKCS#1.
+ */
+static chunk_t rsaep(private_gmp_rsa_public_key_t *this, chunk_t data)
+{
+	mpz_t m, c;
+	chunk_t encrypted;
+	
+	mpz_init(c);
+	mpz_init(m);
+	
+	mpz_import(m, data.len, 1, 1, 1, 0, data.ptr);
+	
+	mpz_powm(c, m, this->e, this->n);
+
+    encrypted.len = this->k;
+    encrypted.ptr = mpz_export(NULL, NULL, 1, encrypted.len, 1, 0, c);
+	
+	mpz_clear(c);
+	mpz_clear(m);	
+	
+	return encrypted;
+}
+
+/**
+ * RSAVP1 algorithm specified in PKCS#1.
+ */
+static chunk_t rsavp1(private_gmp_rsa_public_key_t *this, chunk_t data)
+{
+	return rsaep(this, data);
+}
+
+/**
+ * ASN.1 definition of digestInfo
+ */
+static const asn1Object_t digestInfoObjects[] = {
+	{ 0, "digestInfo",			ASN1_SEQUENCE,		ASN1_OBJ  }, /*  0 */
+	{ 1,   "digestAlgorithm",	ASN1_EOC,			ASN1_RAW  }, /*  1 */
+	{ 1,   "digest",			ASN1_OCTET_STRING,	ASN1_BODY }, /*  2 */
+	{ 0, "exit",				ASN1_EOC,			ASN1_EXIT }
+};
+#define DIGEST_INFO					0
+#define DIGEST_INFO_ALGORITHM		1
+#define DIGEST_INFO_DIGEST			2
+
+/**
+ * Verification of an EMPSA PKCS1 signature described in PKCS#1
+ */
+static bool verify_emsa_pkcs1_signature(private_gmp_rsa_public_key_t *this,
+										hash_algorithm_t algorithm,
+										chunk_t data, chunk_t signature)
+{
+	chunk_t em_ori, em;
+	bool success = FALSE;
+	
+	/* remove any preceding 0-bytes from signature */
+	while (signature.len && *(signature.ptr) == 0x00)
+	{
+		signature.len -= 1;
+		signature.ptr++;
+	}
+	
+	if (signature.len > this->k)
+	{
+		return INVALID_ARG;
+	}
+	
+	/* unpack signature */
+	em_ori = em = rsavp1(this, signature);
+	
+	/* result should look like this:
+	 * EM = 0x00 || 0x01 || PS || 0x00 || T. 
+	 * PS = 0xFF padding, with length to fill em
+	 * T = oid || hash
+	 */
+	
+	/* check magic bytes */
+	if (*(em.ptr) != 0x00 || *(em.ptr+1) != 0x01)
+	{
+		goto end;
+	}
+	em.ptr += 2;
+	em.len -= 2;
+	
+	/* find magic 0x00 */
+	while (em.len > 0)
+	{
+		if (*em.ptr == 0x00)
+		{
+			/* found magic byte, stop */
+			em.ptr++;
+			em.len--;
+			break;
+		}
+		else if (*em.ptr != 0xFF)
+		{
+			/* bad padding, decryption failed ?!*/
+			goto end;
+		}
+		em.ptr++;
+		em.len--;
+	}
+
+	if (em.len == 0)
+	{
+		/* no digestInfo found */
+		goto end;
+	}
+
+	/* parse ASN.1-based digestInfo */
+	{
+		asn1_parser_t *parser;
+		chunk_t object;
+		int objectID;
+		hash_algorithm_t hash_algorithm = HASH_UNKNOWN;
+
+		parser = asn1_parser_create(digestInfoObjects, em);
+
+		while (parser->iterate(parser, &objectID, &object))
+		{
+			switch (objectID)
+			{
+				case DIGEST_INFO:
+				{
+					if (em.len > object.len)
+					{
+						DBG1("digestInfo field in signature is followed by %u surplus bytes",
+							 em.len - object.len);
+						goto end_parser;
+					}
+					break;
+				}
+				case DIGEST_INFO_ALGORITHM:
+				{
+					int hash_oid = asn1_parse_algorithmIdentifier(object,
+										 parser->get_level(parser)+1, NULL);
+
+					hash_algorithm = hasher_algorithm_from_oid(hash_oid);
+					if (hash_algorithm == HASH_UNKNOWN ||
+						(algorithm != HASH_UNKNOWN && hash_algorithm != algorithm))
+					{
+						DBG1("expected hash algorithm %N, but found %N (OID: %#B)",
+							 hash_algorithm_names, algorithm,
+							 hash_algorithm_names, hash_algorithm,  &object);
+						goto end_parser;
+					}
+					break;
+				}
+				case DIGEST_INFO_DIGEST:
+				{
+					chunk_t hash;
+					hasher_t *hasher;
+					
+					hasher = lib->crypto->create_hasher(lib->crypto, hash_algorithm);
+					if (hasher == NULL)
+					{
+						DBG1("hash algorithm %N not supported",
+							 hash_algorithm_names, hash_algorithm);
+						goto end_parser;
+					}
+
+					if (object.len != hasher->get_hash_size(hasher))
+					{
+						DBG1("hash size in signature is %u bytes instead of %u "
+							 "bytes", object.len, hasher->get_hash_size(hasher));
+						hasher->destroy(hasher);
+						goto end_parser;
+					}
+
+					/* build our own hash and compare */
+					hasher->allocate_hash(hasher, data, &hash);
+					hasher->destroy(hasher);
+					success = memeq(object.ptr, hash.ptr, hash.len);
+					free(hash.ptr);
+					break;
+				}
+				default:
+					break;
+			}
+		}
+
+end_parser:
+		success &= parser->success(parser);
+		parser->destroy(parser);
+	}
+
+end:
+	free(em_ori.ptr);
+	return success;
+}
+
+/**
+ * Implementation of public_key_t.get_type.
+ */
+static key_type_t get_type(private_gmp_rsa_public_key_t *this)
+{
+	return KEY_RSA;
+}
+
+/**
+ * Implementation of public_key_t.verify.
+ */
+static bool verify(private_gmp_rsa_public_key_t *this, signature_scheme_t scheme, 
+				   chunk_t data, chunk_t signature)
+{
+	switch (scheme)
+	{
+		case SIGN_DEFAULT: /* default is EMSA-PKCS1 using included OID */
+			return verify_emsa_pkcs1_signature(this, HASH_UNKNOWN, data, signature);
+		case SIGN_RSA_EMSA_PKCS1_MD5:
+			return verify_emsa_pkcs1_signature(this, HASH_MD5, data, signature);
+		case SIGN_RSA_EMSA_PKCS1_SHA1:
+			return verify_emsa_pkcs1_signature(this, HASH_SHA1, data, signature);
+		case SIGN_RSA_EMSA_PKCS1_SHA256:
+			return verify_emsa_pkcs1_signature(this, HASH_SHA256, data, signature);
+		case SIGN_RSA_EMSA_PKCS1_SHA384:
+			return verify_emsa_pkcs1_signature(this, HASH_SHA384, data, signature);
+		case SIGN_RSA_EMSA_PKCS1_SHA512:
+			return verify_emsa_pkcs1_signature(this, HASH_SHA512, data, signature);
+		default:
+			DBG1("signature scheme %N not supported in RSA",
+				 signature_scheme_names, scheme);
+			return FALSE;
+	}
+}
+
+/**
+ * Implementation of public_key_t.get_keysize.
+ */
+static bool encrypt(private_gmp_rsa_public_key_t *this, chunk_t crypto, chunk_t *plain)
+{
+	DBG1("RSA public key encryption not implemented");
+	return FALSE;
+}
+
+/**
+ * Implementation of public_key_t.get_keysize.
+ */
+static size_t get_keysize(private_gmp_rsa_public_key_t *this)
+{
+	return this->k;
+}
+
+/**
+ * Implementation of public_key_t.get_id.
+ */
+static identification_t *get_id(private_gmp_rsa_public_key_t *this,
+								id_type_t type)
+{
+	switch (type)
+	{
+		case ID_PUBKEY_INFO_SHA1:
+			return this->keyid_info;
+		case ID_PUBKEY_SHA1:
+			return this->keyid;
+		default:
+			return NULL;
+	}
+}
+
+/*
+ * Implementation of public_key_t.get_encoding.
+ */
+static chunk_t get_encoding(private_gmp_rsa_public_key_t *this)
+{
+	return asn1_wrap(ASN1_SEQUENCE, "mm",
+					 gmp_mpz_to_asn1(this->n),
+					 gmp_mpz_to_asn1(this->e));
+}
+
+/**
+ * Implementation of public_key_t.get_ref.
+ */
+static private_gmp_rsa_public_key_t* get_ref(private_gmp_rsa_public_key_t *this)
+{
+	ref_get(&this->ref);
+	return this;
+}
+
+/**
+ * Implementation of gmp_rsa_public_key.destroy.
+ */
+static void destroy(private_gmp_rsa_public_key_t *this)
+{
+	if (ref_put(&this->ref))
+	{
+		mpz_clear(this->n);
+		mpz_clear(this->e);
+		DESTROY_IF(this->keyid);
+		DESTROY_IF(this->keyid_info);
+		free(this);
+	}
+}
+
+/**
+ * Generic private constructor
+ */
+static private_gmp_rsa_public_key_t *gmp_rsa_public_key_create_empty()
+{
+	private_gmp_rsa_public_key_t *this = malloc_thing(private_gmp_rsa_public_key_t);
+	
+	this->public.interface.get_type = (key_type_t (*)(public_key_t *this))get_type;
+	this->public.interface.verify = (bool (*)(public_key_t *this, signature_scheme_t scheme, chunk_t data, chunk_t signature))verify;
+	this->public.interface.encrypt = (bool (*)(public_key_t *this, chunk_t crypto, chunk_t *plain))encrypt;
+	this->public.interface.get_keysize = (size_t (*) (public_key_t *this))get_keysize;
+	this->public.interface.get_id = (identification_t* (*) (public_key_t *this,id_type_t))get_id;
+	this->public.interface.get_encoding = (chunk_t(*)(public_key_t*))get_encoding;
+	this->public.interface.get_ref = (public_key_t* (*)(public_key_t *this))get_ref;
+	this->public.interface.destroy = (void (*)(public_key_t *this))destroy;
+	
+	this->keyid = NULL;
+	this->keyid_info = NULL;
+	this->ref = 1;
+	
+	return this;
+}
+
+/**
+ * Build the RSA key identifier from n and e using SHA1 hashed publicKey(Info).
+ * Also used in rsa_private_key.c.
+ */
+bool gmp_rsa_public_key_build_id(mpz_t n, mpz_t e, identification_t **keyid,
+								 identification_t **keyid_info)
+{
+	chunk_t publicKeyInfo, publicKey, hash;
+	hasher_t *hasher;
+	
+	hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
+	if (hasher == NULL)
+	{
+		DBG1("SHA1 hash algorithm not supported, unable to use RSA");
+		return FALSE;
+	}
+	publicKey = asn1_wrap(ASN1_SEQUENCE, "mm",
+					gmp_mpz_to_asn1(n),
+					gmp_mpz_to_asn1(e));
+	hasher->allocate_hash(hasher, publicKey, &hash);
+	*keyid = identification_create_from_encoding(ID_PUBKEY_SHA1, hash);
+	chunk_free(&hash);
+	
+	publicKeyInfo = asn1_wrap(ASN1_SEQUENCE, "cm",
+						asn1_algorithmIdentifier(OID_RSA_ENCRYPTION),
+						asn1_bitstring("m", publicKey));
+	hasher->allocate_hash(hasher, publicKeyInfo, &hash);
+	*keyid_info = identification_create_from_encoding(ID_PUBKEY_INFO_SHA1, hash);
+	chunk_free(&hash);
+	
+	hasher->destroy(hasher);
+	chunk_free(&publicKeyInfo);
+	
+	return TRUE;
+}
+
+/**
+ * Create a public key from mpz values, used in gmp_rsa_private_key
+ */
+gmp_rsa_public_key_t *gmp_rsa_public_key_create_from_n_e(mpz_t n, mpz_t e)
+{
+	private_gmp_rsa_public_key_t *this = gmp_rsa_public_key_create_empty();
+
+	mpz_init_set(this->n, n);
+	mpz_init_set(this->e, e);
+	
+	this->k = (mpz_sizeinbase(this->n, 2) + 7) / 8;
+	if (!gmp_rsa_public_key_build_id(this->n, this->e,
+									 &this->keyid, &this->keyid_info))
+	{
+		destroy(this);
+		return NULL;
+	}
+	return &this->public;
+}
+
+/**
+ * ASN.1 definition of RSApublicKey
+ */
+static const asn1Object_t pubkeyObjects[] = {
+	{ 0, "RSAPublicKey",		ASN1_SEQUENCE,	ASN1_OBJ  }, /*  0 */
+	{ 1,   "modulus",			ASN1_INTEGER,	ASN1_BODY }, /*  1 */
+	{ 1,   "publicExponent",	ASN1_INTEGER,	ASN1_BODY }, /*  2 */
+	{ 0, "exit",				ASN1_EOC,		ASN1_EXIT }
+};
+#define PUB_KEY_RSA_PUBLIC_KEY		0
+#define PUB_KEY_MODULUS				1
+#define PUB_KEY_EXPONENT			2
+
+/**
+ * Load a public key from an ASN1 encoded blob
+ */
+static gmp_rsa_public_key_t *load(chunk_t blob)
+{
+	asn1_parser_t *parser;
+	chunk_t object;
+	int objectID;
+	bool success = FALSE;
+
+	private_gmp_rsa_public_key_t *this = gmp_rsa_public_key_create_empty();
+
+	mpz_init(this->n);
+	mpz_init(this->e);
+	
+	parser = asn1_parser_create(pubkeyObjects, blob);
+	
+	while (parser->iterate(parser, &objectID, &object))
+	{
+		switch (objectID)
+		{
+			case PUB_KEY_MODULUS:
+				mpz_import(this->n, object.len, 1, 1, 1, 0, object.ptr);
+				break;
+			case PUB_KEY_EXPONENT:
+				mpz_import(this->e, object.len, 1, 1, 1, 0, object.ptr);
+				break;
+		}
+	}
+	success = parser->success(parser);
+	free(blob.ptr);
+	parser->destroy(parser);
+
+	if (!success)
+	{
+		destroy(this);
+		return NULL;
+	}
+	
+	this->k = (mpz_sizeinbase(this->n, 2) + 7) / 8;
+
+	if (!gmp_rsa_public_key_build_id(this->n, this->e,
+									 &this->keyid, &this->keyid_info))
+	{
+		destroy(this);
+		return NULL;
+	}
+	return &this->public;
+}
+
+typedef struct private_builder_t private_builder_t;
+/**
+ * Builder implementation for key loading
+ */
+struct private_builder_t {
+	/** implements the builder interface */
+	builder_t public;
+	/** loaded public key */
+	gmp_rsa_public_key_t *key;
+};
+
+/**
+ * Implementation of builder_t.build
+ */
+static gmp_rsa_public_key_t *build(private_builder_t *this)
+{
+	gmp_rsa_public_key_t *key = this->key;
+	
+	free(this);
+	return key;
+}
+
+/**
+ * Implementation of builder_t.add
+ */
+static void add(private_builder_t *this, builder_part_t part, ...)
+{
+	va_list args;
+	
+	if (this->key)
+	{
+		DBG1("ignoring surplus build part %N", builder_part_names, part);
+		return;
+	}
+	
+	switch (part)
+	{
+		case BUILD_BLOB_ASN1_DER:
+		{
+			va_start(args, part);
+			this->key = load(va_arg(args, chunk_t));
+			va_end(args);
+			break;
+		}
+		default:
+			DBG1("ignoring unsupported build part %N", builder_part_names, part);
+			break;
+	}
+}
+
+/**
+ * Builder construction function
+ */
+builder_t *gmp_rsa_public_key_builder(key_type_t type)
+{
+	private_builder_t *this;
+	
+	if (type != KEY_RSA)
+	{
+		return NULL;
+	}
+	
+	this = malloc_thing(private_builder_t);
+	
+	this->key = NULL;
+	this->public.add = (void(*)(builder_t *this, builder_part_t part, ...))add;
+	this->public.build = (void*(*)(builder_t *this))build;
+	
+	return &this->public;
+}
+
diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.h b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.h
new file mode 100644
index 000000000..2e502b7e6
--- /dev/null
+++ b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.h
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) 2005-2008 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id: gmp_rsa_public_key.h 3721 2008-04-01 14:51:31Z martin $
+ */
+
+/**
+ * @defgroup gmp_rsa_public_key gmp_rsa_public_key
+ * @{ @ingroup gmp_p
+ */
+
+#ifndef GMP_RSA_PUBLIC_KEY_H_
+#define GMP_RSA_PUBLIC_KEY_H_
+
+typedef struct gmp_rsa_public_key_t gmp_rsa_public_key_t;
+
+#include <credentials/keys/public_key.h>
+
+/**
+ * public_key_t implementation of RSA algorithm using libgmp.
+ */
+struct gmp_rsa_public_key_t {
+
+	/**
+	 * Implements the public_key_t interface
+	 */
+	public_key_t interface;
+};
+
+/**
+ * Create the builder for a public key.
+ *
+ * @param type		type of the key, must be KEY_RSA
+ * @return 			builder instance
+ */
+builder_t *gmp_rsa_public_key_builder(key_type_t type);
+
+#endif /*GMP_RSA_PUBLIC_KEY_H_ @}*/
diff --git a/src/libstrongswan/plugins/hmac/Makefile.am b/src/libstrongswan/plugins/hmac/Makefile.am
new file mode 100644
index 000000000..89e0638f3
--- /dev/null
+++ b/src/libstrongswan/plugins/hmac/Makefile.am
@@ -0,0 +1,11 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = -rdynamic
+
+plugin_LTLIBRARIES = libstrongswan-hmac.la
+
+libstrongswan_hmac_la_SOURCES = hmac_plugin.h hmac_plugin.c hmac.h hmac.c \
+	hmac_prf.h hmac_prf.c hmac_signer.h hmac_signer.c
+libstrongswan_hmac_la_LDFLAGS = -module
+
diff --git a/src/libstrongswan/plugins/hmac/Makefile.in b/src/libstrongswan/plugins/hmac/Makefile.in
new file mode 100644
index 000000000..b6e851cd4
--- /dev/null
+++ b/src/libstrongswan/plugins/hmac/Makefile.in
@@ -0,0 +1,499 @@
+# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libstrongswan/plugins/hmac
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__installdirs = "$(DESTDIR)$(plugindir)"
+pluginLTLIBRARIES_INSTALL = $(INSTALL)
+LTLIBRARIES = $(plugin_LTLIBRARIES)
+libstrongswan_hmac_la_LIBADD =
+am_libstrongswan_hmac_la_OBJECTS = hmac_plugin.lo hmac.lo hmac_prf.lo \
+	hmac_signer.lo
+libstrongswan_hmac_la_OBJECTS = $(am_libstrongswan_hmac_la_OBJECTS)
+libstrongswan_hmac_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_hmac_la_LDFLAGS) $(LDFLAGS) -o $@
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_hmac_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_hmac_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+CXXDEPMODE = @CXXDEPMODE@
+CXXFLAGS = @CXXFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DSYMUTIL = @DSYMUTIL@
+ECHO = @ECHO@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+F77 = @F77@
+FFLAGS = @FFLAGS@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
+IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LINUX_HEADERS = @LINUX_HEADERS@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+NMEDIT = @NMEDIT@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+RANLIB = @RANLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_CXX = @ac_ct_CXX@
+ac_ct_F77 = @ac_ct_F77@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+confdir = @confdir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libstrongswan_plugins = @libstrongswan_plugins@
+linuxdir = @linuxdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+resolv_conf = @resolv_conf@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+simreader = @simreader@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+AM_CFLAGS = -rdynamic
+plugin_LTLIBRARIES = libstrongswan-hmac.la
+libstrongswan_hmac_la_SOURCES = hmac_plugin.h hmac_plugin.c hmac.h hmac.c \
+	hmac_prf.h hmac_prf.c hmac_signer.h hmac_signer.c
+
+libstrongswan_hmac_la_LDFLAGS = -module
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
+		&& exit 0; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/libstrongswan/plugins/hmac/Makefile'; \
+	cd $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu  src/libstrongswan/plugins/hmac/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    f=$(am__strip_dir) \
+	    echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(plugindir)/$$f'"; \
+	    $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(plugindir)/$$f"; \
+	  else :; fi; \
+	done
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  p=$(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$p'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$p"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-hmac.la: $(libstrongswan_hmac_la_OBJECTS) $(libstrongswan_hmac_la_DEPENDENCIES) 
+	$(libstrongswan_hmac_la_LINK) -rpath $(plugindir) $(libstrongswan_hmac_la_OBJECTS) $(libstrongswan_hmac_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hmac.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hmac_plugin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hmac_prf.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hmac_signer.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	    $$tags $$unique; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$tags $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) $$here
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	    fi; \
+	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
+	mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-info: install-info-am
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
+	distclean-compile distclean-generic distclean-libtool \
+	distclean-tags distdir dvi dvi-am html html-am info info-am \
+	install install-am install-data install-data-am install-dvi \
+	install-dvi-am install-exec install-exec-am install-html \
+	install-html-am install-info install-info-am install-man \
+	install-pdf install-pdf-am install-pluginLTLIBRARIES \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libstrongswan/plugins/hmac/hmac.c b/src/libstrongswan/plugins/hmac/hmac.c
new file mode 100644
index 000000000..b2f99bdc3
--- /dev/null
+++ b/src/libstrongswan/plugins/hmac/hmac.c
@@ -0,0 +1,214 @@
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General hmac License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General hmac License
+ * for more details.
+ *
+ * $Id: hmac.c 3488 2008-02-21 15:10:02Z martin $
+ */
+
+#include <string.h>
+
+#include "hmac.h"
+
+
+typedef struct private_hmac_t private_hmac_t;
+
+/**
+ * Private data of a hmac_t object.
+ * 
+ * The variable names are the same as in the RFC.
+ */
+struct private_hmac_t {
+	/**
+	 * Public hmac_t interface.
+	 */
+	hmac_t hmac;
+	
+	/**
+	 * Block size, as in RFC.
+	 */
+	u_int8_t b;
+	
+	/**
+	 * Hash function.
+	 */
+	hasher_t *h;
+	
+	/**
+	 * Previously xor'ed key using opad.
+	 */
+	chunk_t opaded_key;
+	
+	/**
+	 * Previously xor'ed key using ipad.
+	 */
+	chunk_t ipaded_key;
+};
+
+/**
+ * Implementation of hmac_t.get_mac.
+ */
+static void get_mac(private_hmac_t *this, chunk_t data, u_int8_t *out)
+{
+	/* H(K XOR opad, H(K XOR ipad, text)) 
+	 * 
+	 * if out is NULL, we append text to the inner hash.
+	 * else, we complete the inner and do the outer.
+	 * 
+	 */
+	
+	u_int8_t buffer[this->h->get_hash_size(this->h)];
+	chunk_t inner;
+	
+	if (out == NULL)
+	{
+		/* append data to inner */
+		this->h->get_hash(this->h, data, NULL);
+	}
+	else
+	{
+		/* append and do outer hash */
+		inner.ptr = buffer;
+		inner.len = this->h->get_hash_size(this->h);
+		
+		/* complete inner */
+		this->h->get_hash(this->h, data, buffer);
+		
+		/* do outer */
+		this->h->get_hash(this->h, this->opaded_key, NULL);
+		this->h->get_hash(this->h, inner, out);
+		
+		/* reinit for next call */
+		this->h->get_hash(this->h, this->ipaded_key, NULL);
+	}
+}
+
+/**
+ * Implementation of hmac_t.allocate_mac.
+ */
+static void allocate_mac(private_hmac_t *this, chunk_t data, chunk_t *out)
+{
+	/* allocate space and use get_mac */
+	if (out == NULL)
+	{
+		/* append mode */
+		this->hmac.get_mac(&(this->hmac), data, NULL);
+	}
+	else
+	{
+		out->len = this->h->get_hash_size(this->h);
+		out->ptr = malloc(out->len);
+		this->hmac.get_mac(&(this->hmac), data, out->ptr);
+	}
+}
+	
+/**
+ * Implementation of hmac_t.get_block_size.
+ */
+static size_t get_block_size(private_hmac_t *this)
+{
+	return this->h->get_hash_size(this->h);
+}
+
+/**
+ * Implementation of hmac_t.set_key.
+ */
+static void set_key(private_hmac_t *this, chunk_t key)
+{
+	int i;
+	u_int8_t buffer[this->b];
+	
+	memset(buffer, 0, this->b);
+	
+	if (key.len > this->b)
+	{	
+		/* if key is too long, it will be hashed */
+		this->h->get_hash(this->h, key, buffer);
+	}
+	else
+	{	
+		/* if not, just copy it in our pre-padded k */
+		memcpy(buffer, key.ptr, key.len);	
+	}
+			
+	/* apply ipad and opad to key */
+	for (i = 0; i < this->b; i++)
+	{
+		this->ipaded_key.ptr[i] = buffer[i] ^ 0x36;
+		this->opaded_key.ptr[i] = buffer[i] ^ 0x5C;
+	}
+	
+	/* begin hashing of inner pad */
+	this->h->reset(this->h);
+	this->h->get_hash(this->h, this->ipaded_key, NULL);
+}
+
+/**
+ * Implementation of hmac_t.destroy.
+ */
+static void destroy(private_hmac_t *this)
+{
+	this->h->destroy(this->h);
+	free(this->opaded_key.ptr);
+	free(this->ipaded_key.ptr);
+	free(this);
+}
+
+/*
+ * Described in header
+ */
+hmac_t *hmac_create(hash_algorithm_t hash_algorithm)
+{
+	private_hmac_t *this = malloc_thing(private_hmac_t);
+
+	/* set hmac_t methods */
+	this->hmac.get_mac = (void (*)(hmac_t *,chunk_t,u_int8_t*))get_mac;
+	this->hmac.allocate_mac = (void (*)(hmac_t *,chunk_t,chunk_t*))allocate_mac;
+	this->hmac.get_block_size = (size_t (*)(hmac_t *))get_block_size;
+	this->hmac.set_key = (void (*)(hmac_t *,chunk_t))set_key;
+	this->hmac.destroy = (void (*)(hmac_t *))destroy;
+	
+	/* set b, according to hasher */
+	switch (hash_algorithm)
+	{
+		case HASH_SHA1:
+		case HASH_MD5:
+		case HASH_SHA256:
+			this->b = 64;
+			break;
+		case HASH_SHA384:
+		case HASH_SHA512:
+			this->b = 128;
+			break;
+		default:
+			free(this);
+			return NULL;	
+	}
+	
+	/* build the hasher */
+	this->h = lib->crypto->create_hasher(lib->crypto, hash_algorithm);
+	if (this->h == NULL)
+	{
+		free(this);
+		return NULL;	
+	}
+
+	/* build ipad and opad */
+	this->opaded_key.ptr = malloc(this->b);
+	this->opaded_key.len = this->b;
+
+	this->ipaded_key.ptr = malloc(this->b);
+	this->ipaded_key.len = this->b;
+
+	return &(this->hmac);
+}
diff --git a/src/libstrongswan/plugins/hmac/hmac.h b/src/libstrongswan/plugins/hmac/hmac.h
new file mode 100644
index 000000000..5f266e133
--- /dev/null
+++ b/src/libstrongswan/plugins/hmac/hmac.h
@@ -0,0 +1,93 @@
+/*
+ * Copyright (C) 2005-2008 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup hmac hmac
+ * @{ @ingroup hmac_p
+ */
+
+#ifndef HMAC_H_
+#define HMAC_H_
+
+typedef struct hmac_t hmac_t;
+
+#include <crypto/hashers/hasher.h>
+
+/**
+ * Message authentication using hash functions.
+ *
+ * This class implements the message authenticaion algorithm
+ * described in RFC2104. It uses a hash function, wich must
+ * be implemented as a hasher_t class.
+ */
+struct hmac_t {
+	/**
+	 * Generate message authentication code.
+	 * 
+	 * If buffer is NULL, no result is given back. A next call will
+	 * append the data to already supplied data. If buffer is not NULL, 
+	 * the mac of all apended data is calculated, returned and the
+	 * state of the hmac_t is reseted.
+	 * 
+	 * @param data		chunk of data to authenticate
+	 * @param buffer	pointer where the generated bytes will be written
+	 */
+	void (*get_mac) (hmac_t *this, chunk_t data, u_int8_t *buffer);
+	
+	/**
+	 * Generates message authentication code and allocate space for them.
+	 * 
+	 * If chunk is NULL, no result is given back. A next call will
+	 * append the data to already supplied. If chunk is not NULL, 
+	 * the mac of all apended data is calculated, returned and the
+	 * state of the hmac_t reset;
+	 * 
+	 * @param data		chunk of data to authenticate
+	 * @param chunk		chunk which will hold generated bytes
+	 */
+	void (*allocate_mac) (hmac_t *this, chunk_t data, chunk_t *chunk);
+	
+	/**
+	 * Get the block size of this hmac_t object.
+	 * 
+	 * @return			block size in bytes
+	 */
+	size_t (*get_block_size) (hmac_t *this);	
+	
+	/**
+	 * Set the key for this hmac_t object.
+	 * 
+	 * Any key length is accepted.
+	 * 
+	 * @param key		key to set
+	 */
+	void (*set_key) (hmac_t *this, chunk_t key);
+	
+	/**
+	 * Destroys a hmac_t object.
+	 */
+	void (*destroy) (hmac_t *this);
+};
+
+/**
+ * Creates a new hmac_t object.
+ * 
+ * @param hash_algorithm	hash algorithm to use
+ * @return					hmac_t object, NULL if not supported
+ */
+hmac_t *hmac_create(hash_algorithm_t hash_algorithm);
+
+#endif /*HMAC_H_ @}*/
diff --git a/src/libstrongswan/plugins/hmac/hmac_plugin.c b/src/libstrongswan/plugins/hmac/hmac_plugin.c
new file mode 100644
index 000000000..bfa2df35f
--- /dev/null
+++ b/src/libstrongswan/plugins/hmac/hmac_plugin.c
@@ -0,0 +1,84 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id: hmac_plugin.c 3488 2008-02-21 15:10:02Z martin $
+ */
+
+#include "hmac_plugin.h"
+
+#include <library.h>
+#include "hmac_signer.h"
+#include "hmac_prf.h"
+
+typedef struct private_hmac_plugin_t private_hmac_plugin_t;
+
+/**
+ * private data of hmac_plugin
+ */
+struct private_hmac_plugin_t {
+
+	/**
+	 * public functions
+	 */
+	hmac_plugin_t public;
+};
+
+/**
+ * Implementation of hmac_plugin_t.hmactroy
+ */
+static void destroy(private_hmac_plugin_t *this)
+{
+	lib->crypto->remove_prf(lib->crypto,
+							(prf_constructor_t)hmac_prf_create);
+	lib->crypto->remove_signer(lib->crypto,
+							   (signer_constructor_t)hmac_signer_create);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *plugin_create()
+{
+	private_hmac_plugin_t *this = malloc_thing(private_hmac_plugin_t);
+	
+	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+	
+	lib->crypto->add_prf(lib->crypto, PRF_HMAC_MD5, 
+						 (prf_constructor_t)hmac_prf_create);
+	lib->crypto->add_prf(lib->crypto, PRF_HMAC_SHA1, 
+						 (prf_constructor_t)hmac_prf_create);
+	lib->crypto->add_prf(lib->crypto, PRF_HMAC_SHA2_256, 
+						 (prf_constructor_t)hmac_prf_create);
+	lib->crypto->add_prf(lib->crypto, PRF_HMAC_SHA2_384, 
+						 (prf_constructor_t)hmac_prf_create);
+	lib->crypto->add_prf(lib->crypto, PRF_HMAC_SHA2_512, 
+						 (prf_constructor_t)hmac_prf_create);
+	
+	lib->crypto->add_signer(lib->crypto, AUTH_HMAC_MD5_96, 
+							(signer_constructor_t)hmac_signer_create);
+	lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA1_96, 
+							(signer_constructor_t)hmac_signer_create);
+	lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA1_128, 
+							(signer_constructor_t)hmac_signer_create);
+	lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_256_128, 
+							(signer_constructor_t)hmac_signer_create);
+	lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_384_192, 
+							(signer_constructor_t)hmac_signer_create);
+	lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_512_256, 
+							(signer_constructor_t)hmac_signer_create);
+
+	return &this->public.plugin;
+}
+
diff --git a/src/libstrongswan/plugins/hmac/hmac_plugin.h b/src/libstrongswan/plugins/hmac/hmac_plugin.h
new file mode 100644
index 000000000..55ba0b5f4
--- /dev/null
+++ b/src/libstrongswan/plugins/hmac/hmac_plugin.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup hmac_p hmac
+ * @ingroup plugins
+ *
+ * @defgroup hmac_plugin hmac_plugin
+ * @{ @ingroup hmac_p
+ */
+
+#ifndef HMAC_PLUGIN_H_
+#define HMAC_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct hmac_plugin_t hmac_plugin_t;
+
+/**
+ * Plugin implementing HMAC algorithm to prvoide hash based PRF and signers.
+ */
+struct hmac_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+/**
+ * Create a hmac_plugin instance.
+ */
+plugin_t *plugin_create();
+
+#endif /* HMAC_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/hmac/hmac_prf.c b/src/libstrongswan/plugins/hmac/hmac_prf.c
new file mode 100644
index 000000000..8d843bc5a
--- /dev/null
+++ b/src/libstrongswan/plugins/hmac/hmac_prf.c
@@ -0,0 +1,137 @@
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id: hmac_prf.c 3488 2008-02-21 15:10:02Z martin $
+ */
+
+#include "hmac_prf.h"
+
+#include "hmac.h"
+
+
+typedef struct private_hmac_prf_t private_hmac_prf_t;
+
+/**
+ * Private data of a hma_prf_t object.
+ */
+struct private_hmac_prf_t {
+	/**
+	 * Public hmac_prf_t interface.
+	 */
+	hmac_prf_t public;	
+	
+	/**
+	 * Hmac to use for generation.
+	 */
+	hmac_t *hmac;
+};
+
+/**
+ * Implementation of prf_t.get_bytes.
+ */
+static void get_bytes(private_hmac_prf_t *this, chunk_t seed, u_int8_t *buffer)
+{
+	this->hmac->get_mac(this->hmac, seed, buffer);
+}
+
+/**
+ * Implementation of prf_t.allocate_bytes.
+ */
+static void allocate_bytes(private_hmac_prf_t *this, chunk_t seed, chunk_t *chunk)
+{
+	this->hmac->allocate_mac(this->hmac, seed, chunk);
+}
+
+/**
+ * Implementation of prf_t.get_block_size.
+ */
+static size_t get_block_size(private_hmac_prf_t *this)
+{
+	return this->hmac->get_block_size(this->hmac);
+}
+
+/**
+ * Implementation of prf_t.get_block_size.
+ */
+static size_t get_key_size(private_hmac_prf_t *this)
+{
+	/* for HMAC prfs, IKEv2 uses block size as key size */
+	return this->hmac->get_block_size(this->hmac);
+}
+
+/**
+ * Implementation of prf_t.set_key.
+ */
+static void set_key(private_hmac_prf_t *this, chunk_t key)
+{
+	this->hmac->set_key(this->hmac, key);
+}
+
+/**
+ * Implementation of prf_t.destroy.
+ */
+static void destroy(private_hmac_prf_t *this)
+{
+	this->hmac->destroy(this->hmac);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+hmac_prf_t *hmac_prf_create(pseudo_random_function_t algo)
+{
+	private_hmac_prf_t *this;
+	hash_algorithm_t hash;
+	
+	switch (algo)
+	{
+		case PRF_HMAC_SHA1:
+			hash = HASH_SHA1;
+			break;
+		case PRF_HMAC_MD5:
+			hash = HASH_MD5;
+			break;
+		case PRF_HMAC_SHA2_256:
+			hash = HASH_SHA256;
+			break;
+		case PRF_HMAC_SHA2_384:
+			hash = HASH_SHA384;
+			break;
+		case PRF_HMAC_SHA2_512:
+			hash = HASH_SHA512;
+			break;
+		default:
+			return NULL;
+	}
+	
+	this = malloc_thing(private_hmac_prf_t);
+	this->hmac = hmac_create(hash);
+	if (this->hmac == NULL)
+	{
+		free(this);
+		return NULL;	
+	}
+	
+	this->public.prf_interface.get_bytes = (void (*) (prf_t *,chunk_t,u_int8_t*))get_bytes;
+	this->public.prf_interface.allocate_bytes = (void (*) (prf_t*,chunk_t,chunk_t*))allocate_bytes;
+	this->public.prf_interface.get_block_size = (size_t (*) (prf_t*))get_block_size;
+	this->public.prf_interface.get_key_size = (size_t (*) (prf_t*))get_key_size;
+	this->public.prf_interface.set_key = (void (*) (prf_t *,chunk_t))set_key;
+	this->public.prf_interface.destroy = (void (*) (prf_t *))destroy;
+	
+	return &(this->public);
+}
+
diff --git a/src/libstrongswan/plugins/hmac/hmac_prf.h b/src/libstrongswan/plugins/hmac/hmac_prf.h
new file mode 100644
index 000000000..46d05f03a
--- /dev/null
+++ b/src/libstrongswan/plugins/hmac/hmac_prf.h
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup hmac_prf hmac_prf
+ * @{ @ingroup hmac_p
+ */
+
+#ifndef PRF_HMAC_H_
+#define PRF_HMAC_H_
+
+typedef struct hmac_prf_t hmac_prf_t;
+
+#include <crypto/prfs/prf.h>
+
+/**
+ * Implementation of prf_t interface using the HMAC algorithm.
+ * 
+ * This simply wraps a hmac_t in a prf_t. More a question of
+ * interface matching.
+ */
+struct hmac_prf_t {
+	
+	/**
+	 * Generic prf_t interface for this hmac_prf_t class.
+	 */
+	prf_t prf_interface;
+};
+
+/**
+ * Creates a new hmac_prf_t object.
+ * 
+ * @param algo		algorithm to implement
+ * @return			hmac_prf_t object, NULL if hash not supported
+ */
+hmac_prf_t *hmac_prf_create(pseudo_random_function_t algo);
+
+#endif /*PRF_HMAC_SHA1_H_ @}*/
diff --git a/src/libstrongswan/plugins/hmac/hmac_signer.c b/src/libstrongswan/plugins/hmac/hmac_signer.c
new file mode 100644
index 000000000..cdfc819f1
--- /dev/null
+++ b/src/libstrongswan/plugins/hmac/hmac_signer.c
@@ -0,0 +1,199 @@
+/*
+ * Copyright (C) 2005-2008 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id: hmac_signer.c 3488 2008-02-21 15:10:02Z martin $
+ */
+
+#include <string.h>
+
+#include "hmac_signer.h"
+#include "hmac.h"
+
+typedef struct private_hmac_signer_t private_hmac_signer_t;
+
+/**
+ * Private data structure with signing context.
+ */
+struct private_hmac_signer_t {
+	/**
+	 * Public interface of hmac_signer_t.
+	 */
+	hmac_signer_t public;
+	
+	/**
+	 * Assigned hmac function.
+	 */
+	hmac_t *hmac;
+	
+	/**
+	 * Block size (truncation of HMAC Hash)
+	 */
+	size_t block_size;
+};
+
+/**
+ * Implementation of signer_t.get_signature.
+ */
+static void get_signature(private_hmac_signer_t *this,
+						  chunk_t data, u_int8_t *buffer)
+{
+	if (buffer == NULL)
+	{	/* append mode */
+		this->hmac->get_mac(this->hmac, data, NULL);
+	}
+	else
+	{
+		u_int8_t mac[this->hmac->get_block_size(this->hmac)];
+		
+		this->hmac->get_mac(this->hmac, data, mac);
+		memcpy(buffer, mac, this->block_size);
+	}
+}
+
+/**
+ * Implementation of signer_t.allocate_signature.
+ */
+static void allocate_signature (private_hmac_signer_t *this,
+								chunk_t data, chunk_t *chunk)
+{
+	if (chunk == NULL)
+	{	/* append mode */
+		this->hmac->get_mac(this->hmac, data, NULL);
+	}
+	else
+	{
+		u_int8_t mac[this->hmac->get_block_size(this->hmac)];
+		
+		this->hmac->get_mac(this->hmac, data, mac);
+
+		chunk->ptr = malloc(this->block_size);
+		chunk->len = this->block_size;
+		
+		memcpy(chunk->ptr, mac, this->block_size);
+	}
+}
+
+/**
+ * Implementation of signer_t.verify_signature.
+ */
+static bool verify_signature(private_hmac_signer_t *this,
+							 chunk_t data, chunk_t signature)
+{
+	u_int8_t mac[this->hmac->get_block_size(this->hmac)];
+	
+	this->hmac->get_mac(this->hmac, data, mac);
+	
+	if (signature.len != this->block_size)
+	{
+		return FALSE;
+	}
+	return memeq(signature.ptr, mac, this->block_size);
+}
+
+/**
+ * Implementation of signer_t.get_key_size.
+ */
+static size_t get_key_size(private_hmac_signer_t *this)
+{
+	return this->hmac->get_block_size(this->hmac);
+}
+
+/**
+ * Implementation of signer_t.get_block_size.
+ */
+static size_t get_block_size(private_hmac_signer_t *this)
+{
+	return this->block_size;
+}
+
+/**
+ * Implementation of signer_t.set_key.
+ */
+static void set_key(private_hmac_signer_t *this, chunk_t key)
+{
+	this->hmac->set_key(this->hmac, key);
+}
+
+/**
+ * Implementation of signer_t.destroy.
+ */
+static status_t destroy(private_hmac_signer_t *this)
+{
+	this->hmac->destroy(this->hmac);
+	free(this);
+	return SUCCESS;
+}
+
+/*
+ * Described in header
+ */
+hmac_signer_t *hmac_signer_create(integrity_algorithm_t algo)
+{
+	private_hmac_signer_t *this;
+	size_t trunc;
+	hash_algorithm_t hash;
+	
+	switch (algo)
+	{
+		case AUTH_HMAC_SHA1_96:
+			hash = HASH_SHA1;
+			trunc = 12;
+			break;
+		case AUTH_HMAC_SHA1_128:
+			hash = HASH_SHA1;
+			trunc = 16;
+			break;
+		case AUTH_HMAC_MD5_96:
+			hash = HASH_MD5;
+			trunc = 12;
+			break;
+		case AUTH_HMAC_SHA2_256_128:
+			hash = HASH_SHA256;
+			trunc = 16;
+			break;
+		case AUTH_HMAC_SHA2_384_192:
+			hash = HASH_SHA384;
+			trunc = 24;
+			break;
+		case AUTH_HMAC_SHA2_512_256:
+			hash = HASH_SHA512;
+			trunc = 32;
+			break;
+		default:
+			return NULL;
+	}
+	
+	this = malloc_thing(private_hmac_signer_t);
+	this->hmac = hmac_create(hash);
+	if (this->hmac == NULL)
+	{
+		free(this);
+		return NULL;
+	}
+	/* prevent invalid truncation */
+	this->block_size = min(trunc, this->hmac->get_block_size(this->hmac));
+	
+	/* interface functions */
+	this->public.signer_interface.get_signature = (void (*) (signer_t*, chunk_t, u_int8_t*))get_signature;
+	this->public.signer_interface.allocate_signature = (void (*) (signer_t*, chunk_t, chunk_t*))allocate_signature;
+	this->public.signer_interface.verify_signature = (bool (*) (signer_t*, chunk_t, chunk_t))verify_signature;
+	this->public.signer_interface.get_key_size = (size_t (*) (signer_t*))get_key_size;
+	this->public.signer_interface.get_block_size = (size_t (*) (signer_t*))get_block_size;
+	this->public.signer_interface.set_key = (void (*) (signer_t*,chunk_t))set_key;
+	this->public.signer_interface.destroy = (void (*) (signer_t*))destroy;
+	
+	return &(this->public);
+}
+
diff --git a/src/libstrongswan/plugins/hmac/hmac_signer.h b/src/libstrongswan/plugins/hmac/hmac_signer.h
new file mode 100644
index 000000000..969f482e7
--- /dev/null
+++ b/src/libstrongswan/plugins/hmac/hmac_signer.h
@@ -0,0 +1,55 @@
+/*
+ * Copyright (C) 2005-2008 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup hmac_signer hmac_signer
+ * @{ @ingroup hmac_p
+ */
+
+#ifndef HMAC_SIGNER_H_
+#define HMAC_SIGNER_H_
+
+typedef struct hmac_signer_t hmac_signer_t;
+
+#include <crypto/signers/signer.h>
+
+/**
+ * Implementation of signer_t interface using HMAC.
+ *
+ * HMAC uses a standard hash function implemented in a hasher_t to build a MAC.
+ */
+struct hmac_signer_t {
+	
+	/**
+	 * generic signer_t interface for this signer
+	 */
+	signer_t signer_interface;
+};
+
+/**
+ * Creates a new hmac_signer_t.
+ *
+ * HMAC signatures are often truncated to shorten them to a more usable, but
+ * still secure enough length.
+ * Block size must be equal or smaller then the hash algorithms
+ * hash.
+ *
+ * @param algo		algorithm to implement
+ * @return			hmac_signer_t, NULL if  not supported
+ */
+hmac_signer_t *hmac_signer_create(integrity_algorithm_t algo);
+
+#endif /*HMAC_SIGNER_H_ @}*/
diff --git a/src/libstrongswan/plugins/ldap/Makefile.am b/src/libstrongswan/plugins/ldap/Makefile.am
new file mode 100644
index 000000000..ac6b4be00
--- /dev/null
+++ b/src/libstrongswan/plugins/ldap/Makefile.am
@@ -0,0 +1,11 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = -rdynamic
+
+plugin_LTLIBRARIES = libstrongswan-ldap.la
+
+libstrongswan_ldap_la_SOURCES = ldap_plugin.h ldap_plugin.c ldap_fetcher.h ldap_fetcher.c
+libstrongswan_ldap_la_LDFLAGS = -module
+libstrongswan_ldap_la_LIBADD  = -lldap -llber
+
diff --git a/src/libstrongswan/plugins/ldap/Makefile.in b/src/libstrongswan/plugins/ldap/Makefile.in
new file mode 100644
index 000000000..8c28f1307
--- /dev/null
+++ b/src/libstrongswan/plugins/ldap/Makefile.in
@@ -0,0 +1,495 @@
+# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libstrongswan/plugins/ldap
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__installdirs = "$(DESTDIR)$(plugindir)"
+pluginLTLIBRARIES_INSTALL = $(INSTALL)
+LTLIBRARIES = $(plugin_LTLIBRARIES)
+libstrongswan_ldap_la_DEPENDENCIES =
+am_libstrongswan_ldap_la_OBJECTS = ldap_plugin.lo ldap_fetcher.lo
+libstrongswan_ldap_la_OBJECTS = $(am_libstrongswan_ldap_la_OBJECTS)
+libstrongswan_ldap_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_ldap_la_LDFLAGS) $(LDFLAGS) -o $@
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_ldap_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_ldap_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+CXXDEPMODE = @CXXDEPMODE@
+CXXFLAGS = @CXXFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DSYMUTIL = @DSYMUTIL@
+ECHO = @ECHO@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+F77 = @F77@
+FFLAGS = @FFLAGS@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
+IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LINUX_HEADERS = @LINUX_HEADERS@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+NMEDIT = @NMEDIT@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+RANLIB = @RANLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_CXX = @ac_ct_CXX@
+ac_ct_F77 = @ac_ct_F77@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+confdir = @confdir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libstrongswan_plugins = @libstrongswan_plugins@
+linuxdir = @linuxdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+resolv_conf = @resolv_conf@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+simreader = @simreader@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+AM_CFLAGS = -rdynamic
+plugin_LTLIBRARIES = libstrongswan-ldap.la
+libstrongswan_ldap_la_SOURCES = ldap_plugin.h ldap_plugin.c ldap_fetcher.h ldap_fetcher.c
+libstrongswan_ldap_la_LDFLAGS = -module
+libstrongswan_ldap_la_LIBADD = -lldap -llber
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
+		&& exit 0; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/libstrongswan/plugins/ldap/Makefile'; \
+	cd $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu  src/libstrongswan/plugins/ldap/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    f=$(am__strip_dir) \
+	    echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(plugindir)/$$f'"; \
+	    $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(plugindir)/$$f"; \
+	  else :; fi; \
+	done
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  p=$(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$p'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$p"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-ldap.la: $(libstrongswan_ldap_la_OBJECTS) $(libstrongswan_ldap_la_DEPENDENCIES) 
+	$(libstrongswan_ldap_la_LINK) -rpath $(plugindir) $(libstrongswan_ldap_la_OBJECTS) $(libstrongswan_ldap_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ldap_fetcher.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ldap_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	    $$tags $$unique; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$tags $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) $$here
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	    fi; \
+	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
+	mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-info: install-info-am
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
+	distclean-compile distclean-generic distclean-libtool \
+	distclean-tags distdir dvi dvi-am html html-am info info-am \
+	install install-am install-data install-data-am install-dvi \
+	install-dvi-am install-exec install-exec-am install-html \
+	install-html-am install-info install-info-am install-man \
+	install-pdf install-pdf-am install-pluginLTLIBRARIES \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libstrongswan/plugins/ldap/ldap_fetcher.c b/src/libstrongswan/plugins/ldap/ldap_fetcher.c
new file mode 100644
index 000000000..8e55b800e
--- /dev/null
+++ b/src/libstrongswan/plugins/ldap/ldap_fetcher.c
@@ -0,0 +1,213 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Copyright (C) 2007 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id: ldap_fetcher.c 3693 2008-03-28 22:44:45Z andreas $
+ */
+
+#ifndef LDAP_DEPRECATED
+#define LDAP_DEPRECATED	1
+#endif /* LDAP_DEPRECATED */
+#include <ldap.h>
+
+#include <errno.h>
+
+#include <library.h>
+#include <debug.h>
+
+#include "ldap_fetcher.h"
+
+#define DEFAULT_TIMEOUT 10
+
+typedef struct private_ldap_fetcher_t private_ldap_fetcher_t;
+
+/**
+ * Private Data of a ldap_fetcher_t object.
+ */
+struct private_ldap_fetcher_t {
+	/**
+	 * Public data
+	 */
+	ldap_fetcher_t public;
+	
+	/**
+	 * timeout to use for fetches
+	 */
+	u_int timeout;
+};
+
+/**
+ * Parses the result returned by an ldap query
+ */
+static bool parse(LDAP *ldap, LDAPMessage *result, chunk_t *response)
+{
+	LDAPMessage *entry = ldap_first_entry(ldap, result);
+	bool success = FALSE;
+
+	if (entry)
+	{
+		BerElement *ber = NULL;
+		char *attr;
+
+		attr = ldap_first_attribute(ldap, entry, &ber);
+		if (attr)
+		{
+			struct berval **values = ldap_get_values_len(ldap, entry, attr);
+
+			if (values)
+			{
+				if (values[0])
+				{
+					*response = chunk_alloc(values[0]->bv_len);
+					memcpy(response->ptr, values[0]->bv_val, response->len);
+					success = TRUE;
+				}
+				else
+				{
+					DBG1("LDAP response contains no values");
+				}
+				ldap_value_free_len(values);
+			}
+			else
+			{
+				DBG1("getting LDAP values failed: %s", 
+					 ldap_err2string(ldap_result2error(ldap, entry, 0)));
+			}
+			ldap_memfree(attr);
+		}
+		else
+		{
+			DBG1("finding LDAP attributes failed: %s",
+				 ldap_err2string(ldap_result2error(ldap, entry, 0)));
+		}
+		ber_free(ber, 0);
+	}
+	else
+	{
+		DBG1("finding first LDAP entry failed: %s",
+			 ldap_err2string(ldap_result2error(ldap, entry, 0)));
+	}
+	return success;
+}
+
+
+static status_t fetch(private_ldap_fetcher_t *this, char *url,
+					  chunk_t *result, va_list args)
+{
+	LDAP *ldap;
+	LDAPURLDesc *lurl;
+	LDAPMessage *msg;
+	int res;
+	int ldap_version = LDAP_VERSION3;
+	struct timeval timeout;
+	status_t status = FAILED;
+	
+	if (!strneq(url, "ldap", 4))
+	{
+		return NOT_SUPPORTED;
+	}
+	if (ldap_url_parse(url, &lurl) != LDAP_SUCCESS)
+	{
+		return NOT_SUPPORTED;
+	}
+	ldap = ldap_init(lurl->lud_host, lurl->lud_port);
+	if (ldap == NULL)
+	{
+		DBG1("LDAP initialization failed: %s", strerror(errno));
+		ldap_free_urldesc(lurl);
+		return FAILED;
+	}
+	
+	timeout.tv_sec = this->timeout;
+	timeout.tv_usec = 0;
+
+	ldap_set_option(ldap, LDAP_OPT_PROTOCOL_VERSION, &ldap_version);
+	ldap_set_option(ldap, LDAP_OPT_NETWORK_TIMEOUT, &timeout);
+
+	DBG2("sending LDAP request to '%s'...", url);
+
+	res = ldap_simple_bind_s(ldap, NULL, NULL);
+	if (res == LDAP_SUCCESS)
+	{
+		res = ldap_search_st(ldap, lurl->lud_dn, lurl->lud_scope,
+							 lurl->lud_filter, lurl->lud_attrs,
+							 0, &timeout, &msg);
+
+		if (res == LDAP_SUCCESS)
+		{
+			if (parse(ldap, msg, result))
+			{
+				status = SUCCESS;
+			}
+			ldap_msgfree(msg);
+		}
+		else
+		{
+			DBG1("LDAP search failed: %s", ldap_err2string(res));
+		}
+	}
+	else
+	{
+		DBG1("LDAP bind to '%s' failed: %s", url, ldap_err2string(res));
+	}
+	ldap_unbind_s(ldap);
+	ldap_free_urldesc(lurl);
+	return status;
+}
+
+
+/**
+ * Implementation of fetcher_t.set_option.
+ */
+static bool set_option(private_ldap_fetcher_t *this, fetcher_option_t option, ...)
+{
+	va_list args;
+	
+	va_start(args, option);
+	switch (option)
+	{
+		case FETCH_TIMEOUT:
+		{
+			this->timeout = va_arg(args, u_int);
+			return TRUE;
+		}
+		default:
+			return FALSE;
+	}
+}
+
+/**
+ * Implements ldap_fetcher_t.destroy
+ */
+static void destroy(private_ldap_fetcher_t *this)
+{
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+ldap_fetcher_t *ldap_fetcher_create()
+{
+	private_ldap_fetcher_t *this = malloc_thing(private_ldap_fetcher_t);
+
+	this->public.interface.fetch = (status_t(*)(fetcher_t*,char*,chunk_t*))fetch;
+	this->public.interface.set_option = (bool(*)(fetcher_t*, fetcher_option_t option, ...))set_option;
+	this->public.interface.destroy = (void (*)(fetcher_t*))destroy;
+	
+	this->timeout = DEFAULT_TIMEOUT;
+	
+	return &this->public;
+}
+
diff --git a/src/libstrongswan/plugins/ldap/ldap_fetcher.h b/src/libstrongswan/plugins/ldap/ldap_fetcher.h
new file mode 100644
index 000000000..bde60c799
--- /dev/null
+++ b/src/libstrongswan/plugins/ldap/ldap_fetcher.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ldap_fetcher ldap_fetcher
+ * @{ @ingroup ldap_p
+ */
+
+#ifndef LDAP_FETCHER_H_
+#define LDAP_FETCHER_H_
+
+typedef struct ldap_fetcher_t ldap_fetcher_t;
+
+/**
+ * Fetcher implementation using OpenLDAP.
+ */
+struct ldap_fetcher_t {
+
+	/**
+	 * Implements fetcher interface
+	 */
+	fetcher_t interface;
+};
+
+/**
+ * Create a ldap_fetcher instance.
+ */
+ldap_fetcher_t *ldap_fetcher_create();
+
+#endif /* LDAP_FETCHER_H_ @}*/
diff --git a/src/libstrongswan/plugins/ldap/ldap_plugin.c b/src/libstrongswan/plugins/ldap/ldap_plugin.c
new file mode 100644
index 000000000..0925cb395
--- /dev/null
+++ b/src/libstrongswan/plugins/ldap/ldap_plugin.c
@@ -0,0 +1,62 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id: ldap_plugin.c 3529 2008-03-05 15:26:24Z martin $
+ */
+
+#include "ldap_plugin.h"
+
+#include <library.h>
+#include "ldap_fetcher.h"
+
+typedef struct private_ldap_plugin_t private_ldap_plugin_t;
+
+/**
+ * private data of ldap_plugin
+ */
+struct private_ldap_plugin_t {
+
+	/**
+	 * public functions
+	 */
+	ldap_plugin_t public;
+};
+
+/**
+ * Implementation of ldap_plugin_t.destroy
+ */
+static void destroy(private_ldap_plugin_t *this)
+{
+	lib->fetcher->remove_fetcher(lib->fetcher, 
+								 (fetcher_constructor_t)ldap_fetcher_create);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *plugin_create()
+{
+	private_ldap_plugin_t *this = malloc_thing(private_ldap_plugin_t);
+	
+	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+
+	lib->fetcher->add_fetcher(lib->fetcher,
+						(fetcher_constructor_t)ldap_fetcher_create, "ldap://");
+	lib->fetcher->add_fetcher(lib->fetcher,
+						(fetcher_constructor_t)ldap_fetcher_create, "ldaps://");
+	
+	return &this->public.plugin;
+}
+
diff --git a/src/libstrongswan/plugins/ldap/ldap_plugin.h b/src/libstrongswan/plugins/ldap/ldap_plugin.h
new file mode 100644
index 000000000..7b2bb3232
--- /dev/null
+++ b/src/libstrongswan/plugins/ldap/ldap_plugin.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ldap_p ldap
+ * @ingroup plugins
+ *
+ * @defgroup ldap_plugin ldap_plugin
+ * @{ @ingroup ldap_p
+ */
+
+#ifndef LDAP_PLUGIN_H_
+#define LDAP_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct ldap_plugin_t ldap_plugin_t;
+
+/**
+ * Plugin implementing LDAP fetcher using OpenLDAP.
+ */
+struct ldap_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+/**
+ * Create a ldap_plugin instance.
+ */
+plugin_t *plugin_create();
+
+#endif /* LDAP_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/md5/Makefile.am b/src/libstrongswan/plugins/md5/Makefile.am
new file mode 100644
index 000000000..0a9c5cbf4
--- /dev/null
+++ b/src/libstrongswan/plugins/md5/Makefile.am
@@ -0,0 +1,10 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = -rdynamic
+
+plugin_LTLIBRARIES = libstrongswan-md5.la
+
+libstrongswan_md5_la_SOURCES = md5_plugin.h md5_plugin.c md5_hasher.c md5_hasher.h
+libstrongswan_md5_la_LDFLAGS = -module
+
diff --git a/src/libstrongswan/plugins/md5/Makefile.in b/src/libstrongswan/plugins/md5/Makefile.in
new file mode 100644
index 000000000..6a4b2a78b
--- /dev/null
+++ b/src/libstrongswan/plugins/md5/Makefile.in
@@ -0,0 +1,494 @@
+# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libstrongswan/plugins/md5
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__installdirs = "$(DESTDIR)$(plugindir)"
+pluginLTLIBRARIES_INSTALL = $(INSTALL)
+LTLIBRARIES = $(plugin_LTLIBRARIES)
+libstrongswan_md5_la_LIBADD =
+am_libstrongswan_md5_la_OBJECTS = md5_plugin.lo md5_hasher.lo
+libstrongswan_md5_la_OBJECTS = $(am_libstrongswan_md5_la_OBJECTS)
+libstrongswan_md5_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_md5_la_LDFLAGS) $(LDFLAGS) -o $@
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_md5_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_md5_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+CXXDEPMODE = @CXXDEPMODE@
+CXXFLAGS = @CXXFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DSYMUTIL = @DSYMUTIL@
+ECHO = @ECHO@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+F77 = @F77@
+FFLAGS = @FFLAGS@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
+IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LINUX_HEADERS = @LINUX_HEADERS@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+NMEDIT = @NMEDIT@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+RANLIB = @RANLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_CXX = @ac_ct_CXX@
+ac_ct_F77 = @ac_ct_F77@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+confdir = @confdir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libstrongswan_plugins = @libstrongswan_plugins@
+linuxdir = @linuxdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+resolv_conf = @resolv_conf@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+simreader = @simreader@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+AM_CFLAGS = -rdynamic
+plugin_LTLIBRARIES = libstrongswan-md5.la
+libstrongswan_md5_la_SOURCES = md5_plugin.h md5_plugin.c md5_hasher.c md5_hasher.h
+libstrongswan_md5_la_LDFLAGS = -module
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
+		&& exit 0; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/libstrongswan/plugins/md5/Makefile'; \
+	cd $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu  src/libstrongswan/plugins/md5/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    f=$(am__strip_dir) \
+	    echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(plugindir)/$$f'"; \
+	    $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(plugindir)/$$f"; \
+	  else :; fi; \
+	done
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  p=$(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$p'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$p"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-md5.la: $(libstrongswan_md5_la_OBJECTS) $(libstrongswan_md5_la_DEPENDENCIES) 
+	$(libstrongswan_md5_la_LINK) -rpath $(plugindir) $(libstrongswan_md5_la_OBJECTS) $(libstrongswan_md5_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/md5_hasher.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/md5_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	    $$tags $$unique; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$tags $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) $$here
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	    fi; \
+	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
+	mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-info: install-info-am
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
+	distclean-compile distclean-generic distclean-libtool \
+	distclean-tags distdir dvi dvi-am html html-am info info-am \
+	install install-am install-data install-data-am install-dvi \
+	install-dvi-am install-exec install-exec-am install-html \
+	install-html-am install-info install-info-am install-man \
+	install-pdf install-pdf-am install-pluginLTLIBRARIES \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libstrongswan/plugins/md5/md5_hasher.c b/src/libstrongswan/plugins/md5/md5_hasher.c
new file mode 100644
index 000000000..2354139bb
--- /dev/null
+++ b/src/libstrongswan/plugins/md5/md5_hasher.c
@@ -0,0 +1,392 @@
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ * Copyright (C) 1991-1992, RSA Data Security, Inc. Created 1991. 
+ * All rights reserved.
+ * 
+ * Derived from the RSA Data Security, Inc. MD5 Message-Digest Algorithm.
+ * Ported to fulfill hasher_t interface.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id: md5_hasher.c 3488 2008-02-21 15:10:02Z martin $
+ */
+
+#include <string.h>
+
+#include "md5_hasher.h"
+
+
+/* Constants for MD5Transform routine. */
+#define S11 7
+#define S12 12
+#define S13 17
+#define S14 22
+#define S21 5
+#define S22 9
+#define S23 14
+#define S24 20
+#define S31 4
+#define S32 11
+#define S33 16
+#define S34 23
+#define S41 6
+#define S42 10
+#define S43 15
+#define S44 21
+
+static u_int8_t PADDING[64] = {
+  0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+  0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+  0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
+};
+
+/*
+ * ugly macro stuff
+ */ 
+/* F, G, H and I are basic MD5 functions.
+ */
+#define F(x, y, z) (((x) & (y)) | ((~x) & (z)))
+#define G(x, y, z) (((x) & (z)) | ((y) & (~z)))
+#define H(x, y, z) ((x) ^ (y) ^ (z))
+#define I(x, y, z) ((y) ^ ((x) | (~z)))
+
+/* ROTATE_LEFT rotates x left n bits.
+ */
+#define ROTATE_LEFT(x, n) (((x) << (n)) | ((x) >> (32-(n))))
+
+/* FF, GG, HH, and II transformations for rounds 1, 2, 3, and 4.
+Rotation is separate from addition to prevent recomputation.
+ */
+#define FF(a, b, c, d, x, s, ac) { \
+ (a) += F ((b), (c), (d)) + (x) + (u_int32_t)(ac); \
+ (a) = ROTATE_LEFT ((a), (s)); \
+ (a) += (b); \
+  }
+#define GG(a, b, c, d, x, s, ac) { \
+ (a) += G ((b), (c), (d)) + (x) + (u_int32_t)(ac); \
+ (a) = ROTATE_LEFT ((a), (s)); \
+ (a) += (b); \
+  }
+#define HH(a, b, c, d, x, s, ac) { \
+ (a) += H ((b), (c), (d)) + (x) + (u_int32_t)(ac); \
+ (a) = ROTATE_LEFT ((a), (s)); \
+ (a) += (b); \
+  }
+#define II(a, b, c, d, x, s, ac) { \
+ (a) += I ((b), (c), (d)) + (x) + (u_int32_t)(ac); \
+ (a) = ROTATE_LEFT ((a), (s)); \
+ (a) += (b); \
+  }
+
+
+
+typedef struct private_md5_hasher_t private_md5_hasher_t;
+
+/**
+ * Private data structure with hasing context.
+ */
+struct private_md5_hasher_t {
+	/**
+	 * Public interface for this hasher.
+	 */
+	md5_hasher_t public;
+	
+	/*
+	 * State of the hasher.
+	 */
+	u_int32_t state[5];
+    u_int32_t count[2];
+    u_int8_t buffer[64];
+};
+
+
+#if BYTE_ORDER != LITTLE_ENDIAN
+
+/* Encodes input (u_int32_t) into output (u_int8_t). Assumes len is
+ * a multiple of 4.
+ */
+static void Encode (u_int8_t *output, u_int32_t *input, size_t len)
+{
+	size_t i, j;
+
+	for (i = 0, j = 0; j < len; i++, j += 4) 
+	{
+		output[j] = (u_int8_t)(input[i] & 0xff);
+		output[j+1] = (u_int8_t)((input[i] >> 8) & 0xff);
+		output[j+2] = (u_int8_t)((input[i] >> 16) & 0xff);
+		output[j+3] = (u_int8_t)((input[i] >> 24) & 0xff);
+	}
+}
+
+/* Decodes input (u_int8_t) into output (u_int32_t). Assumes len is
+ * a multiple of 4.
+ */
+static void Decode(u_int32_t *output, u_int8_t *input, size_t len)
+{
+	size_t i, j;
+
+	for (i = 0, j = 0; j < len; i++, j += 4)
+	{
+ 		output[i] = ((u_int32_t)input[j]) | (((u_int32_t)input[j+1]) << 8) |
+		(((u_int32_t)input[j+2]) << 16) | (((u_int32_t)input[j+3]) << 24);
+	}
+}
+
+#elif BYTE_ORDER == LITTLE_ENDIAN
+ #define Encode memcpy
+ #define Decode memcpy
+#endif
+
+/* MD5 basic transformation. Transforms state based on block.
+ */
+static void MD5Transform(u_int32_t state[4], u_int8_t block[64])
+{
+	u_int32_t a = state[0], b = state[1], c = state[2], d = state[3], x[16];
+
+	Decode(x, block, 64);
+
+	/* Round 1 */
+	FF (a, b, c, d, x[ 0], S11, 0xd76aa478); /* 1 */
+	FF (d, a, b, c, x[ 1], S12, 0xe8c7b756); /* 2 */
+	FF (c, d, a, b, x[ 2], S13, 0x242070db); /* 3 */
+	FF (b, c, d, a, x[ 3], S14, 0xc1bdceee); /* 4 */
+	FF (a, b, c, d, x[ 4], S11, 0xf57c0faf); /* 5 */
+	FF (d, a, b, c, x[ 5], S12, 0x4787c62a); /* 6 */
+	FF (c, d, a, b, x[ 6], S13, 0xa8304613); /* 7 */
+	FF (b, c, d, a, x[ 7], S14, 0xfd469501); /* 8 */
+	FF (a, b, c, d, x[ 8], S11, 0x698098d8); /* 9 */
+	FF (d, a, b, c, x[ 9], S12, 0x8b44f7af); /* 10 */
+	FF (c, d, a, b, x[10], S13, 0xffff5bb1); /* 11 */
+	FF (b, c, d, a, x[11], S14, 0x895cd7be); /* 12 */
+	FF (a, b, c, d, x[12], S11, 0x6b901122); /* 13 */
+	FF (d, a, b, c, x[13], S12, 0xfd987193); /* 14 */
+	FF (c, d, a, b, x[14], S13, 0xa679438e); /* 15 */
+	FF (b, c, d, a, x[15], S14, 0x49b40821); /* 16 */
+
+	/* Round 2 */
+	GG (a, b, c, d, x[ 1], S21, 0xf61e2562); /* 17 */
+	GG (d, a, b, c, x[ 6], S22, 0xc040b340); /* 18 */
+	GG (c, d, a, b, x[11], S23, 0x265e5a51); /* 19 */
+	GG (b, c, d, a, x[ 0], S24, 0xe9b6c7aa); /* 20 */
+	GG (a, b, c, d, x[ 5], S21, 0xd62f105d); /* 21 */
+	GG (d, a, b, c, x[10], S22,  0x2441453); /* 22 */
+	GG (c, d, a, b, x[15], S23, 0xd8a1e681); /* 23 */
+	GG (b, c, d, a, x[ 4], S24, 0xe7d3fbc8); /* 24 */
+	GG (a, b, c, d, x[ 9], S21, 0x21e1cde6); /* 25 */
+	GG (d, a, b, c, x[14], S22, 0xc33707d6); /* 26 */
+	GG (c, d, a, b, x[ 3], S23, 0xf4d50d87); /* 27 */
+	GG (b, c, d, a, x[ 8], S24, 0x455a14ed); /* 28 */
+	GG (a, b, c, d, x[13], S21, 0xa9e3e905); /* 29 */
+	GG (d, a, b, c, x[ 2], S22, 0xfcefa3f8); /* 30 */
+	GG (c, d, a, b, x[ 7], S23, 0x676f02d9); /* 31 */
+	GG (b, c, d, a, x[12], S24, 0x8d2a4c8a); /* 32 */
+
+	/* Round 3 */
+	HH (a, b, c, d, x[ 5], S31, 0xfffa3942); /* 33 */
+	HH (d, a, b, c, x[ 8], S32, 0x8771f681); /* 34 */
+	HH (c, d, a, b, x[11], S33, 0x6d9d6122); /* 35 */
+	HH (b, c, d, a, x[14], S34, 0xfde5380c); /* 36 */
+	HH (a, b, c, d, x[ 1], S31, 0xa4beea44); /* 37 */
+	HH (d, a, b, c, x[ 4], S32, 0x4bdecfa9); /* 38 */
+	HH (c, d, a, b, x[ 7], S33, 0xf6bb4b60); /* 39 */
+	HH (b, c, d, a, x[10], S34, 0xbebfbc70); /* 40 */
+	HH (a, b, c, d, x[13], S31, 0x289b7ec6); /* 41 */
+	HH (d, a, b, c, x[ 0], S32, 0xeaa127fa); /* 42 */
+	HH (c, d, a, b, x[ 3], S33, 0xd4ef3085); /* 43 */
+	HH (b, c, d, a, x[ 6], S34,  0x4881d05); /* 44 */
+	HH (a, b, c, d, x[ 9], S31, 0xd9d4d039); /* 45 */
+	HH (d, a, b, c, x[12], S32, 0xe6db99e5); /* 46 */
+	HH (c, d, a, b, x[15], S33, 0x1fa27cf8); /* 47 */
+	HH (b, c, d, a, x[ 2], S34, 0xc4ac5665); /* 48 */
+
+	/* Round 4 */
+	II (a, b, c, d, x[ 0], S41, 0xf4292244); /* 49 */
+	II (d, a, b, c, x[ 7], S42, 0x432aff97); /* 50 */
+	II (c, d, a, b, x[14], S43, 0xab9423a7); /* 51 */
+	II (b, c, d, a, x[ 5], S44, 0xfc93a039); /* 52 */
+	II (a, b, c, d, x[12], S41, 0x655b59c3); /* 53 */
+	II (d, a, b, c, x[ 3], S42, 0x8f0ccc92); /* 54 */
+	II (c, d, a, b, x[10], S43, 0xffeff47d); /* 55 */
+	II (b, c, d, a, x[ 1], S44, 0x85845dd1); /* 56 */
+	II (a, b, c, d, x[ 8], S41, 0x6fa87e4f); /* 57 */
+	II (d, a, b, c, x[15], S42, 0xfe2ce6e0); /* 58 */
+	II (c, d, a, b, x[ 6], S43, 0xa3014314); /* 59 */
+	II (b, c, d, a, x[13], S44, 0x4e0811a1); /* 60 */
+	II (a, b, c, d, x[ 4], S41, 0xf7537e82); /* 61 */
+	II (d, a, b, c, x[11], S42, 0xbd3af235); /* 62 */
+	II (c, d, a, b, x[ 2], S43, 0x2ad7d2bb); /* 63 */
+	II (b, c, d, a, x[ 9], S44, 0xeb86d391); /* 64 */
+
+	state[0] += a;
+	state[1] += b;
+	state[2] += c;
+	state[3] += d;
+}
+
+/* MD5 block update operation. Continues an MD5 message-digest
+ * operation, processing another message block, and updating the
+ * context.
+ */
+static void MD5Update(private_md5_hasher_t *this, u_int8_t *input, size_t inputLen)
+{
+	u_int32_t i;
+	size_t index, partLen;
+
+	/* Compute number of bytes mod 64 */
+	index = (u_int8_t)((this->count[0] >> 3) & 0x3F);
+
+	/* Update number of bits */
+	if ((this->count[0] += (inputLen << 3)) < (inputLen << 3))
+	{
+		this->count[1]++;
+	}
+	this->count[1] += (inputLen >> 29);
+
+	partLen = 64 - index;
+
+	/* Transform as many times as possible. */
+	if (inputLen >= partLen) 
+	{
+		memcpy(&this->buffer[index], input, partLen);
+		MD5Transform (this->state, this->buffer);
+
+		for (i = partLen; i + 63 < inputLen; i += 64)
+		{
+	    	MD5Transform (this->state, &input[i]);
+		}
+		index = 0;
+	}
+	else
+	{
+		i = 0;
+	}
+
+	/* Buffer remaining input */
+	memcpy(&this->buffer[index], &input[i], inputLen-i);
+}
+
+/* MD5 finalization. Ends an MD5 message-digest operation, writing the
+ * the message digest and zeroizing the context.
+ */
+static void MD5Final (private_md5_hasher_t *this, u_int8_t digest[16])
+{
+	u_int8_t bits[8];
+	size_t index, padLen;
+
+	/* Save number of bits */
+	Encode (bits, this->count, 8);
+
+	/* Pad out to 56 mod 64. */
+	index = (size_t)((this->count[0] >> 3) & 0x3f);
+	padLen = (index < 56) ? (56 - index) : (120 - index);
+	MD5Update (this, PADDING, padLen);
+
+	/* Append length (before padding) */
+	MD5Update (this, bits, 8);
+
+	if (digest != NULL)			/* Bill Simpson's padding */
+	{
+		/* store state in digest */
+		Encode (digest, this->state, 16);
+	}
+}
+
+
+
+/**
+ * Implementation of hasher_t.get_hash.
+ */
+static void get_hash(private_md5_hasher_t *this, chunk_t chunk, u_int8_t *buffer)
+{
+	MD5Update(this, chunk.ptr, chunk.len);
+	if (buffer != NULL)
+	{
+		MD5Final(this, buffer);
+		this->public.hasher_interface.reset(&(this->public.hasher_interface));
+	}
+}
+
+
+/**
+ * Implementation of hasher_t.allocate_hash.
+ */
+static void allocate_hash(private_md5_hasher_t *this, chunk_t chunk, chunk_t *hash)
+{
+	chunk_t allocated_hash;
+	
+	MD5Update(this, chunk.ptr, chunk.len);
+	if (hash != NULL)
+	{
+		allocated_hash.ptr = malloc(HASH_SIZE_MD5);
+		allocated_hash.len = HASH_SIZE_MD5;
+
+		MD5Final(this, allocated_hash.ptr);
+		this->public.hasher_interface.reset(&(this->public.hasher_interface));
+		
+		*hash = allocated_hash;
+	}
+}
+	
+/**
+ * Implementation of hasher_t.get_hash_size.
+ */
+static size_t get_hash_size(private_md5_hasher_t *this)
+{
+	return HASH_SIZE_MD5;
+}
+
+/**
+ * Implementation of hasher_t.reset.
+ */
+static void reset(private_md5_hasher_t *this)
+{
+	this->state[0] = 0x67452301;
+	this->state[1] = 0xefcdab89;
+	this->state[2] = 0x98badcfe;
+	this->state[3] = 0x10325476;
+	this->count[0] = 0;
+	this->count[1] = 0;
+}
+
+/**
+ * Implementation of hasher_t.destroy.
+ */
+static void destroy(private_md5_hasher_t *this)
+{
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+md5_hasher_t *md5_hasher_create(hash_algorithm_t algo)
+{
+	private_md5_hasher_t *this;
+	
+	if (algo != HASH_MD5)
+	{
+		return NULL;
+	}
+	this = malloc_thing(private_md5_hasher_t);
+	
+	this->public.hasher_interface.get_hash = (void (*) (hasher_t*, chunk_t, u_int8_t*))get_hash;
+	this->public.hasher_interface.allocate_hash = (void (*) (hasher_t*, chunk_t, chunk_t*))allocate_hash;
+	this->public.hasher_interface.get_hash_size = (size_t (*) (hasher_t*))get_hash_size;
+	this->public.hasher_interface.reset = (void (*) (hasher_t*))reset;
+	this->public.hasher_interface.destroy = (void (*) (hasher_t*))destroy;
+	
+	/* initialize */
+	reset(this);
+	
+	return &(this->public);
+}
diff --git a/src/libstrongswan/plugins/md5/md5_hasher.h b/src/libstrongswan/plugins/md5/md5_hasher.h
new file mode 100644
index 000000000..d4a0417ab
--- /dev/null
+++ b/src/libstrongswan/plugins/md5/md5_hasher.h
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup md5_hasher md5_hasher
+ * @{ @ingroup md5_p
+ */
+
+#ifndef MD5_HASHER_H_
+#define MD5_HASHER_H_
+
+typedef struct md5_hasher_t md5_hasher_t;
+
+#include <crypto/hashers/hasher.h>
+
+/**
+ * Implementation of hasher_t interface using the MD5 algorithm.
+ */
+struct md5_hasher_t {
+	
+	/**
+	 * Generic hasher_t interface for this hasher.
+	 */
+	hasher_t hasher_interface;
+};
+
+/**
+ * Creates a new md5_hasher_t.
+ * 
+ * @param algo		hash algorithm, must be HASH_MD5
+ * @return			md5_hasher_t object, NULL if not supported
+ */
+md5_hasher_t *md5_hasher_create(hash_algorithm_t algo);
+
+#endif /*MD5_HASHER_H_@}*/
diff --git a/src/libstrongswan/plugins/md5/md5_plugin.c b/src/libstrongswan/plugins/md5/md5_plugin.c
new file mode 100644
index 000000000..c1c9a0805
--- /dev/null
+++ b/src/libstrongswan/plugins/md5/md5_plugin.c
@@ -0,0 +1,60 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id: md5_plugin.c 3488 2008-02-21 15:10:02Z martin $
+ */
+
+#include "md5_plugin.h"
+
+#include <library.h>
+#include "md5_hasher.h"
+
+typedef struct private_md5_plugin_t private_md5_plugin_t;
+
+/**
+ * private data of md5_plugin
+ */
+struct private_md5_plugin_t {
+
+	/**
+	 * public functions
+	 */
+	md5_plugin_t public;
+};
+
+/**
+ * Implementation of md5_plugin_t.destroy
+ */
+static void destroy(private_md5_plugin_t *this)
+{
+	lib->crypto->remove_hasher(lib->crypto,
+							   (hasher_constructor_t)md5_hasher_create);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *plugin_create()
+{
+	private_md5_plugin_t *this = malloc_thing(private_md5_plugin_t);
+	
+	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+	
+	lib->crypto->add_hasher(lib->crypto, HASH_MD5,
+							(hasher_constructor_t)md5_hasher_create);
+	
+	return &this->public.plugin;
+}
+
diff --git a/src/libstrongswan/plugins/md5/md5_plugin.h b/src/libstrongswan/plugins/md5/md5_plugin.h
new file mode 100644
index 000000000..e8e8dd535
--- /dev/null
+++ b/src/libstrongswan/plugins/md5/md5_plugin.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup md5_p md5
+ * @ingroup plugins
+ *
+ * @defgroup md5_plugin md5_plugin
+ * @{ @ingroup md5_p
+ */
+
+#ifndef MD5_PLUGIN_H_
+#define MD5_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct md5_plugin_t md5_plugin_t;
+
+/**
+ * Plugin implementing the MD5 hash algorithm in software.
+ */
+struct md5_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+/**
+ * Create a md5_plugin instance.
+ */
+plugin_t *plugin_create();
+
+#endif /* MD5_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/mysql/Makefile.am b/src/libstrongswan/plugins/mysql/Makefile.am
new file mode 100644
index 000000000..ec94b8fda
--- /dev/null
+++ b/src/libstrongswan/plugins/mysql/Makefile.am
@@ -0,0 +1,12 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = -rdynamic
+
+plugin_LTLIBRARIES = libstrongswan-mysql.la
+
+libstrongswan_mysql_la_SOURCES = mysql_plugin.h mysql_plugin.c  \
+	mysql_database.h mysql_database.c
+libstrongswan_mysql_la_LDFLAGS = -module
+libstrongswan_mysql_la_LIBADD = -lmysqlclient_r
+
diff --git a/src/libstrongswan/plugins/mysql/Makefile.in b/src/libstrongswan/plugins/mysql/Makefile.in
new file mode 100644
index 000000000..6de9dc13d
--- /dev/null
+++ b/src/libstrongswan/plugins/mysql/Makefile.in
@@ -0,0 +1,497 @@
+# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libstrongswan/plugins/mysql
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__installdirs = "$(DESTDIR)$(plugindir)"
+pluginLTLIBRARIES_INSTALL = $(INSTALL)
+LTLIBRARIES = $(plugin_LTLIBRARIES)
+libstrongswan_mysql_la_DEPENDENCIES =
+am_libstrongswan_mysql_la_OBJECTS = mysql_plugin.lo mysql_database.lo
+libstrongswan_mysql_la_OBJECTS = $(am_libstrongswan_mysql_la_OBJECTS)
+libstrongswan_mysql_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_mysql_la_LDFLAGS) $(LDFLAGS) -o $@
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_mysql_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_mysql_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+CXXDEPMODE = @CXXDEPMODE@
+CXXFLAGS = @CXXFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DSYMUTIL = @DSYMUTIL@
+ECHO = @ECHO@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+F77 = @F77@
+FFLAGS = @FFLAGS@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
+IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LINUX_HEADERS = @LINUX_HEADERS@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+NMEDIT = @NMEDIT@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+RANLIB = @RANLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_CXX = @ac_ct_CXX@
+ac_ct_F77 = @ac_ct_F77@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+confdir = @confdir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libstrongswan_plugins = @libstrongswan_plugins@
+linuxdir = @linuxdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+resolv_conf = @resolv_conf@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+simreader = @simreader@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+AM_CFLAGS = -rdynamic
+plugin_LTLIBRARIES = libstrongswan-mysql.la
+libstrongswan_mysql_la_SOURCES = mysql_plugin.h mysql_plugin.c  \
+	mysql_database.h mysql_database.c
+
+libstrongswan_mysql_la_LDFLAGS = -module
+libstrongswan_mysql_la_LIBADD = -lmysqlclient_r
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
+		&& exit 0; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/libstrongswan/plugins/mysql/Makefile'; \
+	cd $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu  src/libstrongswan/plugins/mysql/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    f=$(am__strip_dir) \
+	    echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(plugindir)/$$f'"; \
+	    $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(plugindir)/$$f"; \
+	  else :; fi; \
+	done
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  p=$(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$p'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$p"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-mysql.la: $(libstrongswan_mysql_la_OBJECTS) $(libstrongswan_mysql_la_DEPENDENCIES) 
+	$(libstrongswan_mysql_la_LINK) -rpath $(plugindir) $(libstrongswan_mysql_la_OBJECTS) $(libstrongswan_mysql_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mysql_database.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mysql_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	    $$tags $$unique; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$tags $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) $$here
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	    fi; \
+	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
+	mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-info: install-info-am
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
+	distclean-compile distclean-generic distclean-libtool \
+	distclean-tags distdir dvi dvi-am html html-am info info-am \
+	install install-am install-data install-data-am install-dvi \
+	install-dvi-am install-exec install-exec-am install-html \
+	install-html-am install-info install-info-am install-man \
+	install-pdf install-pdf-am install-pluginLTLIBRARIES \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libstrongswan/plugins/mysql/mysql_database.c b/src/libstrongswan/plugins/mysql/mysql_database.c
new file mode 100644
index 000000000..58202c5ae
--- /dev/null
+++ b/src/libstrongswan/plugins/mysql/mysql_database.c
@@ -0,0 +1,695 @@
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id: mysql_database.c 4111 2008-06-26 07:31:52Z martin $
+ */
+
+#define _GNU_SOURCE
+#include <string.h>
+#include <pthread.h>
+#include <mysql/mysql.h>
+
+#include "mysql_database.h"
+
+#include <debug.h>
+#include <utils/mutex.h>
+#include <utils/linked_list.h>
+
+/* Older mysql.h headers do not define it, but we need it. It is not returned
+ * in in MySQL 4 by default, but by MySQL 5. To avoid this problem, we catch
+ * it in all cases. */
+#ifndef MYSQL_DATA_TRUNCATED
+#define MYSQL_DATA_TRUNCATED 101
+#endif
+
+typedef struct private_mysql_database_t private_mysql_database_t;
+
+/**
+ * private data of mysql_database
+ */
+struct private_mysql_database_t {
+
+	/**
+	 * public functions
+	 */
+	mysql_database_t public;
+	
+	/**
+	 * connection pool, contains conn_t
+	 */
+	linked_list_t *pool;
+	
+	/**
+	 * mutex to lock pool
+	 */
+	mutex_t *mutex;
+	
+	/**
+ 	 * hostname to connect to
+ 	 */
+	char *host;
+	
+	/**
+	 * username to use
+	 */
+	char *username;
+	
+	/**
+	 * password
+	 */
+	char *password;
+	
+	/**
+	 * database name
+	 */
+	char *database;
+	
+	/**
+	 * tcp port
+	 */
+	int port;
+};
+
+typedef struct conn_t conn_t;
+
+/**
+ * connection pool entry
+ */
+struct conn_t {
+	
+	/**
+	 * MySQL database connection
+	 */
+	MYSQL *mysql;
+	
+	/**
+	 * connection in use?
+	 */
+	bool in_use;
+};
+
+/**
+ * Release a mysql connection
+ */
+static void conn_release(conn_t *conn)
+{
+	conn->in_use = FALSE;
+}
+/**
+ * thread specific initialization flag
+ */
+pthread_key_t initialized;
+
+/**
+ * Initialize a thread for mysql usage
+ */
+static void thread_initialize()
+{
+	if (pthread_getspecific(initialized) == NULL)
+	{
+		pthread_setspecific(initialized, (void*)TRUE);
+		mysql_thread_init();
+	}
+}
+
+/**
+ * mysql library initialization function
+ */
+bool mysql_database_init()
+{
+	if (mysql_library_init(0, NULL, NULL))
+	{
+		return FALSE;
+	}
+	if (pthread_key_create(&initialized, (void*)mysql_thread_end))
+	{
+		mysql_library_end();
+		return FALSE;
+	}
+	return TRUE;
+}
+
+/**
+ * mysql library cleanup function
+ */
+void mysql_database_deinit()
+{
+	pthread_key_delete(initialized);
+	mysql_thread_end();
+	/* mysql_library_end(); would be the clean way, however, it hangs... */
+}
+
+/**
+ * Destroy a mysql connection
+ */
+static void conn_destroy(conn_t *this)
+{
+	mysql_close(this->mysql);
+	free(this);
+}
+
+/**
+ * Acquire/Reuse a mysql connection
+ */
+static conn_t *conn_get(private_mysql_database_t *this)
+{
+	conn_t *current, *found = NULL;
+	enumerator_t *enumerator;
+	
+	thread_initialize();
+	
+	while (TRUE)
+	{
+		this->mutex->lock(this->mutex);
+		enumerator = this->pool->create_enumerator(this->pool);
+		while (enumerator->enumerate(enumerator, &current))
+		{
+			if (!current->in_use)
+			{
+				found = current;
+				found->in_use = TRUE;
+				break;
+			}
+		}
+		enumerator->destroy(enumerator);
+		this->mutex->unlock(this->mutex);
+		if (found)
+		{	/* check connection if found, release if ping fails */
+			if (mysql_ping(found->mysql) == 0)
+			{
+				break;
+			}
+			this->mutex->lock(this->mutex);
+			this->pool->remove(this->pool, found, NULL);
+			this->mutex->unlock(this->mutex);
+			conn_destroy(found);
+			found = NULL;
+			continue;
+		}
+		break;
+	}
+	if (found == NULL)
+	{
+		found = malloc_thing(conn_t);
+		found->in_use = TRUE;
+		found->mysql = mysql_init(NULL);
+		if (!mysql_real_connect(found->mysql, this->host, this->username,
+								this->password, this->database, this->port,
+								NULL, 0))
+		{
+			DBG1("connecting to mysql://%s:***@%s:%d/%s failed: %s",
+				 this->username, this->host, this->port, this->database,
+				 mysql_error(found->mysql));
+			conn_destroy(found);
+			found = NULL;
+		}
+		else
+		{
+			this->mutex->lock(this->mutex);
+			this->pool->insert_last(this->pool, found);
+			DBG2("increased MySQL connection pool size to %d",
+				 this->pool->get_count(this->pool));
+			this->mutex->unlock(this->mutex);
+		}
+	}
+	return found;
+}
+
+/**
+ * Create and run a MySQL stmt using a sql string and args
+ */
+static MYSQL_STMT* run(MYSQL *mysql, char *sql, va_list *args)
+{
+	MYSQL_STMT *stmt;
+	int params;
+	
+	stmt = mysql_stmt_init(mysql);
+	if (stmt == NULL)
+	{
+    	DBG1("creating MySQL statement failed: %s", mysql_error(mysql));
+		return NULL;
+	}
+	if (mysql_stmt_prepare(stmt, sql, strlen(sql)))
+	{
+    	DBG1("preparing MySQL statement failed: %s", mysql_stmt_error(stmt));
+    	mysql_stmt_close(stmt);
+    	return NULL;
+	}
+	params = mysql_stmt_param_count(stmt);
+	if (params > 0)
+	{
+		int i;
+		MYSQL_BIND *bind;
+	
+		bind = alloca(sizeof(MYSQL_BIND) * params);
+		memset(bind, 0, sizeof(MYSQL_BIND) * params);
+		
+		for (i = 0; i < params; i++)
+		{
+			switch (va_arg(*args, db_type_t))
+			{
+				case DB_INT:
+				{
+					bind[i].buffer_type = MYSQL_TYPE_LONG;
+					bind[i].buffer = (char*)alloca(sizeof(int));
+					*(int*)bind[i].buffer = va_arg(*args, int);
+					bind[i].buffer_length = sizeof(int);
+					break;
+				}
+				case DB_UINT:
+				{
+					bind[i].buffer_type = MYSQL_TYPE_LONG;
+					bind[i].buffer = (char*)alloca(sizeof(u_int));
+					*(u_int*)bind[i].buffer = va_arg(*args, u_int);
+					bind[i].buffer_length = sizeof(u_int);
+					bind[i].is_unsigned = TRUE;
+					break;
+				}
+				case DB_TEXT:
+				{
+					bind[i].buffer_type = MYSQL_TYPE_STRING;;
+					bind[i].buffer = va_arg(*args, char*);
+					if (bind[i].buffer)
+					{
+						bind[i].buffer_length = strlen(bind[i].buffer);
+					}
+					break;
+				}
+				case DB_BLOB:
+				{	
+					chunk_t chunk = va_arg(*args, chunk_t);
+					bind[i].buffer_type = MYSQL_TYPE_BLOB;
+					bind[i].buffer = chunk.ptr;
+					bind[i].buffer_length = chunk.len;
+					break;
+				}
+				case DB_DOUBLE:
+				{
+					bind[i].buffer_type = MYSQL_TYPE_DOUBLE;
+					bind[i].buffer = (char*)alloca(sizeof(double));
+					*(double*)bind[i].buffer = va_arg(*args, double);
+					bind[i].buffer_length = sizeof(double);
+					break;
+				}
+    			case DB_NULL:
+				{
+					bind[i].buffer_type = MYSQL_TYPE_NULL;
+					break;
+				}
+				default:
+    				DBG1("invalid data type supplied");
+    				mysql_stmt_close(stmt);
+    				return NULL;
+			}
+		}
+		if (mysql_stmt_bind_param(stmt, bind))
+		{
+    		DBG1("binding MySQL param failed: %s", mysql_stmt_error(stmt));
+    		mysql_stmt_close(stmt);
+			return NULL;
+		}
+	}
+	if (mysql_stmt_execute(stmt))
+	{
+    	DBG1("executing MySQL statement failed: %s", mysql_stmt_error(stmt));
+    	mysql_stmt_close(stmt);
+		return NULL;
+	}
+	return stmt;
+}
+
+typedef struct {
+	/** implements enumerator_t */
+	enumerator_t public;
+	/** associated MySQL statement */
+	MYSQL_STMT *stmt;
+	/** result bindings */
+	MYSQL_BIND *bind;
+	/** pooled connection handle */
+	conn_t *conn;
+	/** value for INT, UINT, double */
+	union {
+		void *p_void;;
+		int *p_int;
+		u_int *p_uint;
+		double *p_double;
+	} val;
+	/* length for TEXT and BLOB */
+	unsigned long *length;
+} mysql_enumerator_t;
+
+/**
+ * create a mysql enumerator
+ */
+static void mysql_enumerator_destroy(mysql_enumerator_t *this)
+{
+	int columns, i;
+	
+	columns = mysql_stmt_field_count(this->stmt);
+	
+	for (i = 0; i < columns; i++)
+	{
+		switch (this->bind[i].buffer_type)
+		{
+			case MYSQL_TYPE_STRING:
+			case MYSQL_TYPE_BLOB:
+			{
+				free(this->bind[i].buffer);
+				break;
+			}
+			default:
+				break;
+		}
+	}
+	mysql_stmt_close(this->stmt);
+	conn_release(this->conn);
+	free(this->bind);
+	free(this->val.p_void);
+	free(this->length);
+	free(this);
+}
+
+/**
+ * Implementation of database.query().enumerate
+ */
+static bool mysql_enumerator_enumerate(mysql_enumerator_t *this, ...)
+{
+	int i, columns;
+	va_list args;
+	
+	columns = mysql_stmt_field_count(this->stmt);
+	
+	/* free/reset data set of previous call */
+	for (i = 0; i < columns; i++)
+	{
+		switch (this->bind[i].buffer_type)
+		{
+			case MYSQL_TYPE_STRING:
+			case MYSQL_TYPE_BLOB:
+			{
+				free(this->bind[i].buffer);
+				this->bind[i].buffer = NULL;
+				this->bind[i].buffer_length = 0;
+				this->bind[i].length = &this->length[i];
+				this->length[i] = 0;
+				break;
+			}
+			default:
+				break;
+		}
+	}
+
+	switch (mysql_stmt_fetch(this->stmt))
+	{
+		case 0:
+		case MYSQL_DATA_TRUNCATED:
+			break;
+		case MYSQL_NO_DATA:
+			return FALSE;
+		default:
+			DBG1("fetching MySQL row failed: %s", mysql_stmt_error(this->stmt));
+			return FALSE;
+	}
+	
+	va_start(args, this);
+	for (i = 0; i < columns; i++)
+	{
+		switch (this->bind[i].buffer_type)
+		{
+			case MYSQL_TYPE_LONG:
+			{
+				if (this->bind[i].is_unsigned)
+				{
+					u_int *value = va_arg(args, u_int*);
+					*value = this->val.p_uint[i];
+				}
+				else
+				{
+					int *value = va_arg(args, int*);
+					*value = this->val.p_int[i];
+				}
+				break;
+			}
+			case MYSQL_TYPE_STRING:
+			{
+				char **value = va_arg(args, char**);
+				this->bind[i].buffer = malloc(this->length[i]+1);
+				this->bind[i].buffer_length = this->length[i];
+				*value = this->bind[i].buffer;
+	  			mysql_stmt_fetch_column(this->stmt, &this->bind[i], i, 0);
+	  			((char*)this->bind[i].buffer)[this->length[i]] = '\0';
+	  			break;
+			}
+			case MYSQL_TYPE_BLOB:
+			{
+				chunk_t *value = va_arg(args, chunk_t*);
+				this->bind[i].buffer = malloc(this->length[i]);
+				this->bind[i].buffer_length = this->length[i];
+				value->ptr = this->bind[i].buffer;
+				value->len = this->length[i];
+	  			mysql_stmt_fetch_column(this->stmt, &this->bind[i], i, 0);
+	  			break;
+			}
+			case MYSQL_TYPE_DOUBLE:
+			{
+				double *value = va_arg(args, double*);
+				*value = this->val.p_double[i];
+				break;
+			}
+			default:
+				break;
+		}
+	}
+	return TRUE;
+}
+
+/**
+ * Implementation of database_t.query.
+ */
+static enumerator_t* query(private_mysql_database_t *this, char *sql, ...)
+{
+	MYSQL_STMT *stmt;
+	va_list args;
+	mysql_enumerator_t *enumerator = NULL;
+	conn_t *conn;
+	
+	conn = conn_get(this);
+	if (!conn)
+	{
+		return NULL;
+	}
+
+	va_start(args, sql);
+	stmt = run(conn->mysql, sql, &args);
+	if (stmt)
+	{
+		int columns, i;
+		
+		enumerator = malloc_thing(mysql_enumerator_t);
+		enumerator->public.enumerate = (void*)mysql_enumerator_enumerate;
+		enumerator->public.destroy = (void*)mysql_enumerator_destroy;
+		enumerator->stmt = stmt;
+		enumerator->conn = conn;
+		columns = mysql_stmt_field_count(stmt);
+		enumerator->bind = calloc(columns, sizeof(MYSQL_BIND));
+		enumerator->length = calloc(columns, sizeof(unsigned long));
+		enumerator->val.p_void = calloc(columns, sizeof(enumerator->val));
+		for (i = 0; i < columns; i++)
+		{
+			switch (va_arg(args, db_type_t))
+			{
+				case DB_INT:
+				{
+					enumerator->bind[i].buffer_type = MYSQL_TYPE_LONG;
+					enumerator->bind[i].buffer = (char*)&enumerator->val.p_int[i];
+					break;
+				}
+				case DB_UINT:
+				{
+					enumerator->bind[i].buffer_type = MYSQL_TYPE_LONG;
+					enumerator->bind[i].buffer = (char*)&enumerator->val.p_uint[i];
+					enumerator->bind[i].is_unsigned = TRUE;
+					break;
+				}
+				case DB_TEXT:
+				{
+					enumerator->bind[i].buffer_type = MYSQL_TYPE_STRING;
+					enumerator->bind[i].length = &enumerator->length[i];
+					break;
+				}
+				case DB_BLOB:
+				{	
+					enumerator->bind[i].buffer_type = MYSQL_TYPE_BLOB;
+					enumerator->bind[i].length = &enumerator->length[i];
+					break;
+				}
+				case DB_DOUBLE:
+				{
+					enumerator->bind[i].buffer_type = MYSQL_TYPE_DOUBLE;
+					enumerator->bind[i].buffer = (char*)&enumerator->val.p_double[i];
+					break;
+				}
+				default:
+    				DBG1("invalid result data type supplied");
+    				mysql_enumerator_destroy(enumerator);
+    				va_end(args);
+    				return NULL;
+			}
+		}
+		if (mysql_stmt_bind_result(stmt, enumerator->bind))
+		{
+			DBG1("binding MySQL result failed: %s", mysql_stmt_error(stmt));
+    		mysql_enumerator_destroy(enumerator);
+    		enumerator = NULL;
+		}
+	}
+	else
+	{
+		conn_release(conn);
+	}
+	va_end(args);
+	return (enumerator_t*)enumerator;
+}
+
+/**
+ * Implementation of database_t.execute.
+ */
+static int execute(private_mysql_database_t *this, int *rowid, char *sql, ...)
+{
+	MYSQL_STMT *stmt;
+	va_list args;
+	conn_t *conn;
+	int affected = -1;
+	
+	conn = conn_get(this);
+	if (!conn)
+	{
+		return -1;
+	}
+	va_start(args, sql);
+	stmt = run(conn->mysql, sql, &args);
+	if (stmt)
+	{
+		if (rowid)
+		{
+			*rowid = mysql_stmt_insert_id(stmt);
+		}
+		affected = mysql_stmt_affected_rows(stmt);
+		mysql_stmt_close(stmt);
+	}
+	va_end(args);
+	conn_release(conn);
+	return affected;
+}
+
+/**
+ * Implementation of database_t.destroy
+ */
+static void destroy(private_mysql_database_t *this)
+{
+	this->pool->destroy_function(this->pool, (void*)conn_destroy);
+	this->mutex->destroy(this->mutex);
+	free(this->host);
+	free(this->username);
+	free(this->password);
+	free(this->database);
+	free(this);
+}
+
+static bool parse_uri(private_mysql_database_t *this, char *uri)
+{
+	char *username, *password, *host, *port = "0", *database, *pos;
+
+	/**
+	 * parse mysql://username:pass@host:port/database uri
+	 */
+	username = strdupa(uri + 8);
+	pos = strchr(username, ':');
+	if (pos)
+	{
+		*pos = '\0';
+		password = pos + 1;
+		pos = strrchr(password, '@');
+		if (pos)
+		{
+			*pos = '\0';
+			host = pos + 1;
+			pos = strrchr(host, ':');
+			if (pos)
+			{
+				*pos = '\0';
+				port = pos + 1;
+				pos = strchr(port, '/');
+			}
+			else
+			{
+				pos = strchr(host, '/');
+			}
+			if (pos)
+			{
+				*pos = '\0';
+				database = pos + 1;
+	
+				this->host = strdup(host);
+				this->username = strdup(username);
+				this->password = strdup(password);
+				this->database = strdup(database);
+				this->port = atoi(port);
+				return TRUE;
+			}
+		}
+	}
+	DBG1("parsing MySQL database uri '%s' failed", uri);
+	return FALSE;
+}
+
+
+/*
+ * see header file
+ */
+mysql_database_t *mysql_database_create(char *uri)
+{
+	conn_t *conn;
+	private_mysql_database_t *this;
+	
+	if (!strneq(uri, "mysql://", 8))
+	{
+		return NULL;
+	}
+
+	this = malloc_thing(private_mysql_database_t);
+	
+	this->public.db.query = (enumerator_t* (*)(database_t *this, char *sql, ...))query;
+	this->public.db.execute = (int (*)(database_t *this, int *rowid, char *sql, ...))execute;
+	this->public.db.destroy = (void(*)(database_t*))destroy;
+	
+	if (!parse_uri(this, uri))
+	{
+		free(this);
+		return NULL;
+	}
+	this->mutex = mutex_create(MUTEX_DEFAULT);
+	this->pool = linked_list_create();
+	
+	/* check connectivity */
+	conn = conn_get(this);
+	if (!conn)
+	{
+    	destroy(this);
+    	return NULL;
+	}
+	conn_release(conn);
+	return &this->public;
+}
+
diff --git a/src/libstrongswan/plugins/mysql/mysql_database.h b/src/libstrongswan/plugins/mysql/mysql_database.h
new file mode 100644
index 000000000..d04aa79fa
--- /dev/null
+++ b/src/libstrongswan/plugins/mysql/mysql_database.h
@@ -0,0 +1,58 @@
+/*
+ * Copyright (C) 2007-2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup mysql_database mysql_database
+ * @{ @ingroup mysql_p
+ */
+
+#ifndef MYSQL_DATABASE_H_
+#define MYSQL_DATABASE_H_
+
+#include <database/database.h>
+
+typedef struct mysql_database_t mysql_database_t;
+
+/**
+ * MySQL databse_t implementation.
+ */
+struct mysql_database_t {
+
+	/**
+	 * Implements database_t
+	 */
+	database_t db;
+};
+
+/**
+ * Create a mysql_database instance.
+ *
+ * @param uri			connection URI, mysql://user:pass@host:port/database
+ */
+mysql_database_t *mysql_database_create(char *uri);
+
+/**
+ * MySQL client library initialization function
+ *
+ * @return 		FALSE if initialization failed
+ */
+bool mysql_database_init();
+
+/**
+ * Mysql client library cleanup function
+ */
+void mysql_database_deinit();
+
+#endif /* MYSQL_DATABASE_H_ @}*/
diff --git a/src/libstrongswan/plugins/mysql/mysql_plugin.c b/src/libstrongswan/plugins/mysql/mysql_plugin.c
new file mode 100644
index 000000000..29348ac14
--- /dev/null
+++ b/src/libstrongswan/plugins/mysql/mysql_plugin.c
@@ -0,0 +1,69 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id: mysql_plugin.c 3488 2008-02-21 15:10:02Z martin $
+ */
+
+#include "mysql_plugin.h"
+
+#include <library.h>
+#include <debug.h>
+#include "mysql_database.h"
+
+typedef struct private_mysql_plugin_t private_mysql_plugin_t;
+
+/**
+ * private data of mysql_plugin
+ */
+struct private_mysql_plugin_t {
+
+	/**
+	 * public functions
+	 */
+	mysql_plugin_t public;
+};
+
+/**
+ * Implementation of plugin_t.destroy
+ */
+static void destroy(private_mysql_plugin_t *this)
+{
+	lib->db->remove_database(lib->db,
+							 (database_constructor_t)mysql_database_create);
+	mysql_database_deinit();
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *plugin_create()
+{
+	private_mysql_plugin_t *this;
+	
+	if (!mysql_database_init())
+	{
+		DBG1("MySQL client library initialization failed");
+		return NULL;
+	}
+	
+	this = malloc_thing(private_mysql_plugin_t);
+	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+	
+	lib->db->add_database(lib->db,
+						  (database_constructor_t)mysql_database_create);
+
+	return &this->public.plugin;
+}
+
diff --git a/src/libstrongswan/plugins/mysql/mysql_plugin.h b/src/libstrongswan/plugins/mysql/mysql_plugin.h
new file mode 100644
index 000000000..dbcabaafe
--- /dev/null
+++ b/src/libstrongswan/plugins/mysql/mysql_plugin.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup mysql_p mysql
+ * @ingroup plugins
+ *
+ * @defgroup mysql_plugin mysql_plugin
+ * @{ @ingroup mysql_p
+ */
+
+#ifndef MYSQL_PLUGIN_H_
+#define MYSQL_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct mysql_plugin_t mysql_plugin_t;
+
+/**
+ * Plugin implementing mysql database connectivity.
+ */
+struct mysql_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+/**
+ * Create a mysql_plugin instance.
+ */
+plugin_t *plugin_create();
+
+#endif /* MYSQL_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/openssl/Makefile.am b/src/libstrongswan/plugins/openssl/Makefile.am
new file mode 100644
index 000000000..f331a78eb
--- /dev/null
+++ b/src/libstrongswan/plugins/openssl/Makefile.am
@@ -0,0 +1,21 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = -rdynamic
+
+plugin_LTLIBRARIES = libstrongswan-openssl.la
+
+libstrongswan_openssl_la_SOURCES = openssl_plugin.h openssl_plugin.c \
+	openssl_util.c openssl_util.h \
+	openssl_crypter.c openssl_crypter.h \
+	openssl_hasher.c openssl_hasher.h \
+	openssl_diffie_hellman.c openssl_diffie_hellman.h \
+	openssl_rsa_private_key.c openssl_rsa_private_key.h \
+	openssl_rsa_public_key.c openssl_rsa_public_key.h \
+	openssl_ec_diffie_hellman.c openssl_ec_diffie_hellman.h \
+	openssl_ec_private_key.c openssl_ec_private_key.h \
+	openssl_ec_public_key.c openssl_ec_public_key.h
+
+libstrongswan_openssl_la_LDFLAGS = -module
+libstrongswan_openssl_la_LIBADD  = -lcrypto
+
diff --git a/src/libstrongswan/plugins/openssl/Makefile.in b/src/libstrongswan/plugins/openssl/Makefile.in
new file mode 100644
index 000000000..f83b0ce38
--- /dev/null
+++ b/src/libstrongswan/plugins/openssl/Makefile.in
@@ -0,0 +1,518 @@
+# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libstrongswan/plugins/openssl
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__installdirs = "$(DESTDIR)$(plugindir)"
+pluginLTLIBRARIES_INSTALL = $(INSTALL)
+LTLIBRARIES = $(plugin_LTLIBRARIES)
+libstrongswan_openssl_la_DEPENDENCIES =
+am_libstrongswan_openssl_la_OBJECTS = openssl_plugin.lo \
+	openssl_util.lo openssl_crypter.lo openssl_hasher.lo \
+	openssl_diffie_hellman.lo openssl_rsa_private_key.lo \
+	openssl_rsa_public_key.lo openssl_ec_diffie_hellman.lo \
+	openssl_ec_private_key.lo openssl_ec_public_key.lo
+libstrongswan_openssl_la_OBJECTS =  \
+	$(am_libstrongswan_openssl_la_OBJECTS)
+libstrongswan_openssl_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_openssl_la_LDFLAGS) $(LDFLAGS) -o $@
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_openssl_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_openssl_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+CXXDEPMODE = @CXXDEPMODE@
+CXXFLAGS = @CXXFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DSYMUTIL = @DSYMUTIL@
+ECHO = @ECHO@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+F77 = @F77@
+FFLAGS = @FFLAGS@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
+IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LINUX_HEADERS = @LINUX_HEADERS@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+NMEDIT = @NMEDIT@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+RANLIB = @RANLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_CXX = @ac_ct_CXX@
+ac_ct_F77 = @ac_ct_F77@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+confdir = @confdir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libstrongswan_plugins = @libstrongswan_plugins@
+linuxdir = @linuxdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+resolv_conf = @resolv_conf@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+simreader = @simreader@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+AM_CFLAGS = -rdynamic
+plugin_LTLIBRARIES = libstrongswan-openssl.la
+libstrongswan_openssl_la_SOURCES = openssl_plugin.h openssl_plugin.c \
+	openssl_util.c openssl_util.h \
+	openssl_crypter.c openssl_crypter.h \
+	openssl_hasher.c openssl_hasher.h \
+	openssl_diffie_hellman.c openssl_diffie_hellman.h \
+	openssl_rsa_private_key.c openssl_rsa_private_key.h \
+	openssl_rsa_public_key.c openssl_rsa_public_key.h \
+	openssl_ec_diffie_hellman.c openssl_ec_diffie_hellman.h \
+	openssl_ec_private_key.c openssl_ec_private_key.h \
+	openssl_ec_public_key.c openssl_ec_public_key.h
+
+libstrongswan_openssl_la_LDFLAGS = -module
+libstrongswan_openssl_la_LIBADD = -lcrypto
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
+		&& exit 0; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/libstrongswan/plugins/openssl/Makefile'; \
+	cd $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu  src/libstrongswan/plugins/openssl/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    f=$(am__strip_dir) \
+	    echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(plugindir)/$$f'"; \
+	    $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(plugindir)/$$f"; \
+	  else :; fi; \
+	done
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  p=$(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$p'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$p"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-openssl.la: $(libstrongswan_openssl_la_OBJECTS) $(libstrongswan_openssl_la_DEPENDENCIES) 
+	$(libstrongswan_openssl_la_LINK) -rpath $(plugindir) $(libstrongswan_openssl_la_OBJECTS) $(libstrongswan_openssl_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_crypter.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_diffie_hellman.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_ec_diffie_hellman.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_ec_private_key.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_ec_public_key.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_hasher.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_plugin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_rsa_private_key.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_rsa_public_key.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_util.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	    $$tags $$unique; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$tags $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) $$here
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	    fi; \
+	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
+	mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-info: install-info-am
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
+	distclean-compile distclean-generic distclean-libtool \
+	distclean-tags distdir dvi dvi-am html html-am info info-am \
+	install install-am install-data install-data-am install-dvi \
+	install-dvi-am install-exec install-exec-am install-html \
+	install-html-am install-info install-info-am install-man \
+	install-pdf install-pdf-am install-pluginLTLIBRARIES \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libstrongswan/plugins/openssl/openssl_crypter.c b/src/libstrongswan/plugins/openssl/openssl_crypter.c
new file mode 100644
index 000000000..e59c4d615
--- /dev/null
+++ b/src/libstrongswan/plugins/openssl/openssl_crypter.c
@@ -0,0 +1,258 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil 
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id: openssl_crypter.c 4020 2008-05-28 12:20:38Z andreas $
+ */
+
+#include "openssl_crypter.h"
+
+#include <openssl/evp.h>
+
+typedef struct private_openssl_crypter_t private_openssl_crypter_t;
+
+/**
+ * Private data of openssl_crypter_t
+ */
+struct private_openssl_crypter_t {
+	
+	/**
+	 * Public part of this class.
+	 */
+	openssl_crypter_t public;
+	
+	/*
+	 * the key
+	 */
+	chunk_t	key;
+	
+	/*
+	 * the cipher to use
+	 */
+	const EVP_CIPHER *cipher;
+};
+
+/**
+ * Mapping from the algorithms defined in IKEv2 to
+ * OpenSSL algorithm names and their key length
+ */
+typedef struct {
+	/**
+	 * Identifier specified in IKEv2
+	 */
+	int ikev2_id;
+	
+	/**
+	 * Name of the algorithm, as used in OpenSSL
+	 */
+	char *name;
+	
+	/**
+	 * Minimum valid key length in bytes
+	 */
+	size_t key_size_min;
+	
+	/**
+	 * Maximum valid key length in bytes
+	 */
+	size_t key_size_max;
+} openssl_algorithm_t;
+
+#define END_OF_LIST -1
+
+/**
+ * Algorithms for encryption
+ */
+static openssl_algorithm_t encryption_algs[] = {
+/*	{ENCR_DES_IV64, 	"***", 			0,	0}, */
+	{ENCR_DES, 			"des",			8,	8},		/* 64 bits */
+	{ENCR_3DES, 		"des3",			24,	24},	/* 192 bits */
+	{ENCR_RC5, 			"rc5", 			5,	255},	/* 40 to 2040 bits, RFC 2451 */
+	{ENCR_IDEA, 		"idea",			16,	16},	/* 128 bits, RFC 2451 */
+	{ENCR_CAST, 		"cast",			5,	16},	/* 40 to 128 bits, RFC 2451 */
+	{ENCR_BLOWFISH, 	"blowfish",		5,	56},	/* 40 to 448 bits, RFC 2451 */
+/*	{ENCR_3IDEA, 		"***",			0,	0}, */
+/*	{ENCR_DES_IV32, 	"***",			0,	0}, */
+/*	{ENCR_NULL, 		"***",			0,	0}, */ /* handled separately */
+/*	{ENCR_AES_CBC, 		"***",			0,	0}, */ /* handled separately */
+/*	{ENCR_AES_CTR, 		"***",			0,	0}, */ /* disabled in evp.h */
+	{END_OF_LIST, 		NULL,			0,	0},
+};
+
+/**
+ * Look up an OpenSSL algorithm name and validate its key size
+ */
+static char* lookup_algorithm(openssl_algorithm_t *openssl_algo, 
+					   u_int16_t ikev2_algo, size_t *key_size)
+{
+	while (openssl_algo->ikev2_id != END_OF_LIST)
+	{
+		if (ikev2_algo == openssl_algo->ikev2_id)
+		{
+			/* set the key size if it is not set */
+			if (*key_size == 0 &&
+				(openssl_algo->key_size_min == openssl_algo->key_size_max))
+			{
+				*key_size = openssl_algo->key_size_min;
+			}
+			
+			/* validate key size */
+			if (*key_size < openssl_algo->key_size_min ||
+				*key_size > openssl_algo->key_size_max)
+			{
+				return NULL;
+			}
+			return openssl_algo->name;
+		}
+		openssl_algo++;
+	}
+	return NULL;
+}
+
+static void crypt(private_openssl_crypter_t *this, chunk_t data,
+					chunk_t iv, chunk_t *dst, int enc)
+{
+	int len;
+	u_char *out;
+	
+	out = data.ptr;
+	if (dst)
+	{
+		*dst = chunk_alloc(data.len);
+		out = dst->ptr;
+	}
+	EVP_CIPHER_CTX ctx;
+	EVP_CIPHER_CTX_init(&ctx);
+	EVP_CipherInit_ex(&ctx, this->cipher, NULL, this->key.ptr, iv.ptr, enc);
+	EVP_CIPHER_CTX_set_padding(&ctx, 0); /* disable padding */
+	EVP_CipherUpdate(&ctx, out, &len, data.ptr, data.len);
+	EVP_CipherFinal_ex(&ctx, out, &len); /* since padding is disabled this does nothing */
+	EVP_CIPHER_CTX_cleanup(&ctx);
+}
+
+/**
+ * Implementation of crypter_t.decrypt.
+ */
+static void decrypt(private_openssl_crypter_t *this, chunk_t data, 
+						chunk_t iv, chunk_t *dst)
+{
+	crypt(this, data, iv, dst, 0);
+}
+
+
+/**
+ * Implementation of crypter_t.encrypt.
+ */
+static void encrypt (private_openssl_crypter_t *this, chunk_t data, 
+							chunk_t iv, chunk_t *dst)
+{
+	crypt(this, data, iv, dst, 1);
+}
+
+/**
+ * Implementation of crypter_t.get_block_size.
+ */
+static size_t get_block_size(private_openssl_crypter_t *this)
+{
+	return this->cipher->block_size;
+}
+
+/**
+ * Implementation of crypter_t.get_key_size.
+ */
+static size_t get_key_size(private_openssl_crypter_t *this)
+{
+	return this->key.len;
+}
+
+/**
+ * Implementation of crypter_t.set_key.
+ */
+static void set_key(private_openssl_crypter_t *this, chunk_t key)
+{
+	memcpy(this->key.ptr, key.ptr, min(key.len, this->key.len));
+}
+
+/**
+ * Implementation of crypter_t.destroy.
+ */
+static void destroy (private_openssl_crypter_t *this)
+{
+	free(this->key.ptr);
+	free(this);
+}
+
+/*
+ * Described in header
+ */
+openssl_crypter_t *openssl_crypter_create(encryption_algorithm_t algo, 
+												  size_t key_size)
+{
+	private_openssl_crypter_t *this;
+	
+	this = malloc_thing(private_openssl_crypter_t);
+	
+	switch (algo)
+	{
+		case ENCR_NULL:
+			this->cipher = EVP_enc_null();
+			break;
+		case ENCR_AES_CBC:
+			switch (key_size)
+			{
+				case 16:        /* AES 128 */
+					this->cipher = EVP_get_cipherbyname("aes128");
+					break;
+				case 24:        /* AES-192 */
+					this->cipher = EVP_get_cipherbyname("aes192");
+					break;
+				case 32:        /* AES-256 */
+					this->cipher = EVP_get_cipherbyname("aes256"); 
+					break;
+				default:
+					free(this);
+					return NULL;
+			}
+			break;
+		default:
+		{
+			char* name = lookup_algorithm(encryption_algs, algo, &key_size);
+			if (!name)
+			{
+				/* algo unavailable or key_size invalid */
+				free(this);
+				return NULL;
+			}
+			this->cipher = EVP_get_cipherbyname(name);
+			break;
+		}
+	}
+	
+	if (!this->cipher)
+	{
+		/* OpenSSL does not support the requested algo */
+		free(this);
+		return NULL;
+	}
+	
+	this->key = chunk_alloc(key_size);
+	
+	this->public.crypter_interface.encrypt = (void (*) (crypter_t *, chunk_t,chunk_t, chunk_t *)) encrypt;
+	this->public.crypter_interface.decrypt = (void (*) (crypter_t *, chunk_t , chunk_t, chunk_t *)) decrypt;
+	this->public.crypter_interface.get_block_size = (size_t (*) (crypter_t *)) get_block_size;
+	this->public.crypter_interface.get_key_size = (size_t (*) (crypter_t *)) get_key_size;
+	this->public.crypter_interface.set_key = (void (*) (crypter_t *,chunk_t)) set_key;
+	this->public.crypter_interface.destroy = (void (*) (crypter_t *)) destroy;
+	
+	return &this->public;
+}
diff --git a/src/libstrongswan/plugins/openssl/openssl_crypter.h b/src/libstrongswan/plugins/openssl/openssl_crypter.h
new file mode 100644
index 000000000..f80d0dec6
--- /dev/null
+++ b/src/libstrongswan/plugins/openssl/openssl_crypter.h
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ * 
+ * $Id: openssl_crypter.h 4000 2008-05-22 12:13:10Z tobias $
+ */
+
+/**
+ * @defgroup openssl_crypter openssl_crypter
+ * @{ @ingroup openssl_p
+ */
+
+#ifndef OPENSSL_CRYPTER_H_
+#define OPENSSL_CRYPTER_H_
+
+typedef struct openssl_crypter_t openssl_crypter_t;
+
+#include <crypto/crypters/crypter.h>
+
+/**
+ * Implementation of crypters using OpenSSL.
+ */
+struct openssl_crypter_t {
+	
+	/**
+	 * The crypter_t interface.
+	 */
+	crypter_t crypter_interface;
+};
+
+/**
+ * Constructor to create openssl_crypter_t.
+ * 
+ * @param algo			algorithm to implement
+ * @param key_size		key size in bytes
+ * @return				openssl_crypter_t, NULL if not supported
+ */
+openssl_crypter_t *openssl_crypter_create(encryption_algorithm_t algo,
+												  size_t key_size);
+
+#endif /* OPENSSL_CRYPTER_H_ @}*/
diff --git a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c
new file mode 100644
index 000000000..95c079b0b
--- /dev/null
+++ b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c
@@ -0,0 +1,242 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id: openssl_diffie_hellman.c 3896 2008-04-29 15:42:34Z tobias $
+ */
+
+#include <openssl/dh.h>
+
+#include "openssl_diffie_hellman.h"
+
+#include <debug.h>
+
+typedef struct modulus_entry_t modulus_entry_t;
+
+/** 
+ * Entry of the modulus list.
+ */
+struct modulus_entry_t {
+	/**
+	 * Group number as it is defined in file transform_substructure.h.
+	 */
+	diffie_hellman_group_t group;
+	
+	/**
+	 * Pointer to the function to get the modulus.
+	 */
+	BIGNUM *(*get_prime)(BIGNUM *bn);
+	
+	/* 
+	 * Generator value.
+	 */	
+	u_int16_t generator;
+};
+
+/**
+ * All supported modulus values.
+ */
+static modulus_entry_t modulus_entries[] = {
+	{MODP_768_BIT,  get_rfc2409_prime_768,  2},
+	{MODP_1024_BIT, get_rfc2409_prime_1024, 2},
+	{MODP_1536_BIT, get_rfc3526_prime_1536, 2},
+	{MODP_2048_BIT, get_rfc3526_prime_2048, 2},
+	{MODP_3072_BIT, get_rfc3526_prime_3072, 2},
+	{MODP_4096_BIT, get_rfc3526_prime_4096, 2},
+	{MODP_6144_BIT, get_rfc3526_prime_6144, 2},
+	{MODP_8192_BIT, get_rfc3526_prime_8192, 2},
+};
+
+typedef struct private_openssl_diffie_hellman_t private_openssl_diffie_hellman_t;
+
+/**
+ * Private data of an openssl_diffie_hellman_t object.
+ */
+struct private_openssl_diffie_hellman_t {
+	/**
+	 * Public openssl_diffie_hellman_t interface.
+	 */
+	openssl_diffie_hellman_t public;
+	
+	/**
+	 * Diffie Hellman group number.
+	 */
+	u_int16_t group;
+	
+	/**
+	 * Diffie Hellman object
+	 */
+	DH *dh;
+	
+	/**
+	 * Other public value
+	 */
+	BIGNUM *pub_key;
+	
+	/**
+	 * Shared secret
+	 */
+	chunk_t shared_secret;
+
+	/**
+	 * True if shared secret is computed
+	 */
+	bool computed;
+};
+
+/**
+ * Convert a BIGNUM to a chunk
+ */
+static void bn2chunk(BIGNUM *bn, chunk_t *chunk)
+{
+	chunk->len = BN_num_bytes(bn);
+	chunk->ptr = malloc(chunk->len);
+	BN_bn2bin(bn, chunk->ptr);
+}
+
+/**
+ * Implementation of openssl_diffie_hellman_t.set_other_public_value.
+ */
+static void set_other_public_value(private_openssl_diffie_hellman_t *this, chunk_t value)
+{
+	int len;
+	BN_bin2bn(value.ptr, value.len, this->pub_key);
+
+	len = DH_size(this->dh);
+	chunk_free(&this->shared_secret);
+	this->shared_secret = chunk_alloc(len);
+	
+	if (DH_compute_key(this->shared_secret.ptr, this->pub_key, this->dh) < 0) {
+    	DBG1("DH shared secret computation failed");
+    	return;
+    }
+	
+    this->computed = TRUE;
+}
+
+/**
+ * Implementation of openssl_diffie_hellman_t.get_other_public_value.
+ */
+static status_t get_other_public_value(private_openssl_diffie_hellman_t *this, 
+									   chunk_t *value)
+{
+	if (!this->computed)
+	{
+		return FAILED;
+	}
+	bn2chunk(this->pub_key, value);
+	return SUCCESS;
+}
+
+/**
+ * Implementation of openssl_diffie_hellman_t.get_my_public_value.
+ */
+static void get_my_public_value(private_openssl_diffie_hellman_t *this,chunk_t *value)
+{
+	bn2chunk(this->dh->pub_key, value);
+}
+
+/**
+ * Implementation of openssl_diffie_hellman_t.get_shared_secret.
+ */
+static status_t get_shared_secret(private_openssl_diffie_hellman_t *this, chunk_t *secret)
+{
+	if (!this->computed)
+	{
+		return FAILED;
+	}
+	*secret = chunk_clone(this->shared_secret);
+	return SUCCESS;
+}
+
+/**
+ * Implementation of openssl_diffie_hellman_t.get_dh_group.
+ */
+static diffie_hellman_group_t get_dh_group(private_openssl_diffie_hellman_t *this)
+{
+	return this->group;
+}
+
+/**
+ * Lookup the modulus in modulo table
+ */
+static status_t set_modulus(private_openssl_diffie_hellman_t *this)
+{
+	int i;
+	for (i = 0; i < (sizeof(modulus_entries) / sizeof(modulus_entry_t)); i++)
+	{
+		if (modulus_entries[i].group == this->group)
+		{
+			this->dh->p = modulus_entries[i].get_prime(NULL);
+			this->dh->g = BN_new();
+			BN_set_word(this->dh->g, modulus_entries[i].generator);
+			return SUCCESS;
+		}
+	}
+	return NOT_FOUND;
+}
+
+/**
+ * Implementation of openssl_diffie_hellman_t.destroy.
+ */
+static void destroy(private_openssl_diffie_hellman_t *this)
+{
+	BN_clear_free(this->pub_key);
+	DH_free(this->dh);
+	chunk_free(&this->shared_secret);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+openssl_diffie_hellman_t *openssl_diffie_hellman_create(diffie_hellman_group_t group)
+{
+	private_openssl_diffie_hellman_t *this = malloc_thing(private_openssl_diffie_hellman_t);
+	
+	this->public.dh.get_shared_secret = (status_t (*)(diffie_hellman_t *, chunk_t *)) get_shared_secret;
+	this->public.dh.set_other_public_value = (void (*)(diffie_hellman_t *, chunk_t )) set_other_public_value;
+	this->public.dh.get_other_public_value = (status_t (*)(diffie_hellman_t *, chunk_t *)) get_other_public_value;
+	this->public.dh.get_my_public_value = (void (*)(diffie_hellman_t *, chunk_t *)) get_my_public_value;
+	this->public.dh.get_dh_group = (diffie_hellman_group_t (*)(diffie_hellman_t *)) get_dh_group;
+	this->public.dh.destroy = (void (*)(diffie_hellman_t *)) destroy;
+	
+	this->dh = DH_new();
+	if (!this->dh)
+	{
+		free(this);
+		return NULL;
+	}
+	
+	this->group = group;
+	this->computed = FALSE;
+	
+	this->pub_key = BN_new();
+	this->shared_secret = chunk_empty;
+	
+	/* find a modulus according to group */
+	if (set_modulus(this) != SUCCESS)
+	{
+		destroy(this);
+		return NULL;
+	}
+	
+	/* generate my public and private values */
+	if (!DH_generate_key(this->dh))
+	{
+		destroy(this);
+		return NULL;
+	}
+	
+	return &this->public;
+}
diff --git a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.h b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.h
new file mode 100644
index 000000000..c72b4aab0
--- /dev/null
+++ b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.h
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ * 
+ * $Id: openssl_diffie_hellman.h 4000 2008-05-22 12:13:10Z tobias $
+ */
+
+/**
+ * @defgroup openssl_diffie_hellman openssl_diffie_hellman
+ * @{ @ingroup openssl_p
+ */
+
+#ifndef OPENSSL_DIFFIE_HELLMAN_H_
+#define OPENSSL_DIFFIE_HELLMAN_H_
+
+typedef struct openssl_diffie_hellman_t openssl_diffie_hellman_t;
+
+#include <library.h>
+
+/**
+ * Implementation of the Diffie-Hellman algorithm using OpenSSL.
+ */
+struct openssl_diffie_hellman_t {
+	
+	/**
+	 * Implements diffie_hellman_t interface.
+	 */
+	diffie_hellman_t dh;
+};
+
+/**
+ * Creates a new openssl_diffie_hellman_t object.
+ * 
+ * @param group			Diffie Hellman group number to use
+ * @return				openssl_diffie_hellman_t object, NULL if not supported
+ */
+openssl_diffie_hellman_t *openssl_diffie_hellman_create(diffie_hellman_group_t group);
+
+#endif /*OPENSSL_DIFFIE_HELLMAN_H_ @}*/
+
diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
new file mode 100644
index 000000000..9d2bd44cd
--- /dev/null
+++ b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
@@ -0,0 +1,342 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id: openssl_ec_diffie_hellman.c 4052 2008-06-10 09:19:18Z tobias $
+ */
+
+#include <openssl/ec.h>
+#include <openssl/objects.h>
+
+#include "openssl_ec_diffie_hellman.h"
+#include "openssl_util.h"
+
+#include <debug.h>
+
+typedef struct private_openssl_ec_diffie_hellman_t private_openssl_ec_diffie_hellman_t;
+
+/**
+ * Private data of an openssl_ec_diffie_hellman_t object.
+ */
+struct private_openssl_ec_diffie_hellman_t {
+	/**
+	 * Public openssl_ec_diffie_hellman_t interface.
+	 */
+	openssl_ec_diffie_hellman_t public;
+	
+	/**
+	 * Diffie Hellman group number.
+	 */
+	u_int16_t group;
+	
+	/**
+	 * EC private (public) key
+	 */
+	EC_KEY *key;
+	
+	/**
+	 * EC group
+	 */
+	const EC_GROUP *ec_group;
+	
+	/**
+	 * Other public key
+	 */
+	EC_POINT *pub_key;
+	
+	/**
+	 * Shared secret
+	 */
+	chunk_t shared_secret;
+
+	/**
+	 * True if shared secret is computed
+	 */
+	bool computed;
+};
+
+/**
+ * Convert a chunk to an EC_POINT (which must already exist). The x and y
+ * coordinates of the point have to be concatenated in the chunk.
+ */
+static bool chunk2ecp(const EC_GROUP *group, chunk_t chunk, EC_POINT *point)
+{
+	BN_CTX *ctx;
+	BIGNUM *x, *y;
+	bool ret = FALSE;
+	
+	ctx = BN_CTX_new();
+	if (!ctx)
+	{
+		return FALSE;
+	}
+	
+	BN_CTX_start(ctx);
+	x = BN_CTX_get(ctx);
+	y = BN_CTX_get(ctx);
+	if (!x || !y)
+	{
+		goto error;
+	}
+	
+	if (!openssl_bn_split(chunk, x, y))
+	{
+		goto error;
+	}
+	
+	if (!EC_POINT_set_affine_coordinates_GFp(group, point, x, y, ctx))
+	{
+		goto error;
+	}
+	
+	ret = TRUE;
+error:
+	BN_CTX_end(ctx);
+	BN_CTX_free(ctx);
+	return ret;
+}
+
+/**
+ * Convert an EC_POINT to a chunk by concatenating the x and y coordinates of
+ * the point. This function allocates memory for the chunk.
+ */
+static bool ecp2chunk(const EC_GROUP *group, const EC_POINT *point, chunk_t *chunk)
+{
+	BN_CTX *ctx;
+	BIGNUM *x, *y;
+	bool ret = FALSE;
+	
+	ctx = BN_CTX_new();
+	if (!ctx)
+	{
+		return FALSE;
+	}
+	
+	BN_CTX_start(ctx);
+	x = BN_CTX_get(ctx);
+	y = BN_CTX_get(ctx);
+	if (!x || !y)
+	{
+		goto error;
+	}
+	
+	if (!EC_POINT_get_affine_coordinates_GFp(group, point, x, y, ctx))
+	{
+		goto error;
+	}
+	
+	if (!openssl_bn_cat(EC_FIELD_ELEMENT_LEN(group), x, y, chunk))
+	{
+		goto error;
+	}
+	
+	ret = TRUE;
+error:
+	BN_CTX_end(ctx);
+	BN_CTX_free(ctx);
+	return ret;
+}
+
+/**
+ * Compute the shared secret.
+ * 
+ * We cannot use the function ECDH_compute_key() because that returns only the
+ * x coordinate of the shared secret point (which is defined, for instance, in
+ * 'NIST SP 800-56A').
+ * However, we need both coordinates as RFC 4753 says: "The Diffie-Hellman
+ *   public value is obtained by concatenating the x and y values. The format
+ *   of the Diffie-Hellman shared secret value is the same as that of the
+ *   Diffie-Hellman public value."
+ */
+static bool compute_shared_key(private_openssl_ec_diffie_hellman_t *this, chunk_t *shared_secret)
+{
+	const BIGNUM *priv_key;
+	EC_POINT *secret = NULL;
+	bool ret = FALSE;
+	
+	priv_key = EC_KEY_get0_private_key(this->key);
+	if (!priv_key)
+	{
+		goto error;
+	}
+	
+	secret = EC_POINT_new(this->ec_group);
+	if (!secret)
+	{
+		goto error;
+	}
+
+	if (!EC_POINT_mul(this->ec_group, secret, NULL, this->pub_key, priv_key, NULL))
+	{
+		goto error;
+	}
+	
+	if (!ecp2chunk(this->ec_group, secret, shared_secret))
+	{
+		goto error;
+	}
+	
+	ret = TRUE;
+error:
+	if (secret)
+	{
+		EC_POINT_clear_free(secret);
+	}
+	return ret;
+}
+
+/**
+ * Implementation of openssl_ec_diffie_hellman_t.set_other_public_value.
+ */
+static void set_other_public_value(private_openssl_ec_diffie_hellman_t *this, chunk_t value)
+{
+	if (!chunk2ecp(this->ec_group, value, this->pub_key))
+	{
+		DBG1("ECDH public value is malformed");
+		return;
+	}
+	
+	chunk_free(&this->shared_secret);
+	
+	if (!compute_shared_key(this, &this->shared_secret)) {
+		DBG1("ECDH shared secret computation failed");
+		return;
+	}
+	
+	this->computed = TRUE;
+}
+
+/**
+ * Implementation of openssl_ec_diffie_hellman_t.get_other_public_value.
+ */
+static status_t get_other_public_value(private_openssl_ec_diffie_hellman_t *this, 
+									   chunk_t *value)
+{
+	if (!this->computed)
+	{
+		return FAILED;
+	}
+	
+	if (!ecp2chunk(this->ec_group, this->pub_key, value))
+	{
+		return FAILED;
+	}
+	return SUCCESS;
+}
+
+/**
+ * Implementation of openssl_ec_diffie_hellman_t.get_my_public_value.
+ */
+static void get_my_public_value(private_openssl_ec_diffie_hellman_t *this,chunk_t *value)
+{
+	ecp2chunk(this->ec_group, EC_KEY_get0_public_key(this->key), value);
+}
+
+/**
+ * Implementation of openssl_ec_diffie_hellman_t.get_shared_secret.
+ */
+static status_t get_shared_secret(private_openssl_ec_diffie_hellman_t *this, chunk_t *secret)
+{
+	if (!this->computed)
+	{
+		return FAILED;
+	}
+	*secret = chunk_clone(this->shared_secret);
+	return SUCCESS;
+}
+
+/**
+ * Implementation of openssl_ec_diffie_hellman_t.get_dh_group.
+ */
+static diffie_hellman_group_t get_dh_group(private_openssl_ec_diffie_hellman_t *this)
+{
+	return this->group;
+}
+
+/**
+ * Implementation of openssl_ec_diffie_hellman_t.destroy.
+ */
+static void destroy(private_openssl_ec_diffie_hellman_t *this)
+{
+	EC_POINT_clear_free(this->pub_key);
+	EC_KEY_free(this->key);
+	chunk_free(&this->shared_secret);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+openssl_ec_diffie_hellman_t *openssl_ec_diffie_hellman_create(diffie_hellman_group_t group)
+{
+	private_openssl_ec_diffie_hellman_t *this = malloc_thing(private_openssl_ec_diffie_hellman_t);
+	
+	this->public.dh.get_shared_secret = (status_t (*)(diffie_hellman_t *, chunk_t *)) get_shared_secret;
+	this->public.dh.set_other_public_value = (void (*)(diffie_hellman_t *, chunk_t )) set_other_public_value;
+	this->public.dh.get_other_public_value = (status_t (*)(diffie_hellman_t *, chunk_t *)) get_other_public_value;
+	this->public.dh.get_my_public_value = (void (*)(diffie_hellman_t *, chunk_t *)) get_my_public_value;
+	this->public.dh.get_dh_group = (diffie_hellman_group_t (*)(diffie_hellman_t *)) get_dh_group;
+	this->public.dh.destroy = (void (*)(diffie_hellman_t *)) destroy;
+	
+	switch (group)
+	{
+		case ECP_192_BIT:
+			this->key = EC_KEY_new_by_curve_name(NID_X9_62_prime192v1);
+			break;
+		case ECP_224_BIT:
+			this->key = EC_KEY_new_by_curve_name(NID_secp224r1);
+			break;
+		case ECP_256_BIT:
+			this->key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
+			break;
+		case ECP_384_BIT:
+			this->key = EC_KEY_new_by_curve_name(NID_secp384r1);
+			break;
+		case ECP_521_BIT:
+			this->key = EC_KEY_new_by_curve_name(NID_secp521r1);
+			break;
+		default:
+			this->key = NULL;
+			break;
+	}
+	
+	if (!this->key)
+	{
+		free(this);
+		return NULL;
+	}
+	
+	/* caching the EC group */
+	this->ec_group = EC_KEY_get0_group(this->key);
+	
+	this->pub_key = EC_POINT_new(this->ec_group);
+	if (!this->pub_key)
+	{
+		free(this);
+		return NULL;
+	}
+	
+	/* generate an EC private (public) key */
+	if (!EC_KEY_generate_key(this->key))
+	{
+		free(this);
+		return NULL;
+	}
+	
+	this->group = group;
+	this->computed = FALSE;
+	
+	this->shared_secret = chunk_empty;
+	
+	return &this->public;
+}
diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.h b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.h
new file mode 100644
index 000000000..e89f1cbd7
--- /dev/null
+++ b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.h
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ * 
+ * $Id: openssl_ec_diffie_hellman.h 4000 2008-05-22 12:13:10Z tobias $
+ */
+
+/**
+ * @defgroup openssl_ec_diffie_hellman openssl_ec_diffie_hellman
+ * @{ @ingroup openssl_p
+ */
+
+#ifndef OPENSSL_EC_DIFFIE_HELLMAN_H_
+#define OPENSSL_EC_DIFFIE_HELLMAN_H_
+
+typedef struct openssl_ec_diffie_hellman_t openssl_ec_diffie_hellman_t;
+
+#include <library.h>
+
+/**
+ * Implementation of the EC Diffie-Hellman algorithm using OpenSSL.
+ */
+struct openssl_ec_diffie_hellman_t {
+	
+	/**
+	 * Implements diffie_hellman_t interface.
+	 */
+	diffie_hellman_t dh;
+};
+
+/**
+ * Creates a new openssl_ec_diffie_hellman_t object.
+ * 
+ * @param group			EC Diffie Hellman group number to use
+ * @return				openssl_ec_diffie_hellman_t object, NULL if not supported
+ */
+openssl_ec_diffie_hellman_t *openssl_ec_diffie_hellman_create(diffie_hellman_group_t group);
+
+#endif /*OPENSSL_EC_DIFFIE_HELLMAN_H_ @}*/
+
diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c b/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c
new file mode 100644
index 000000000..9f7df4bca
--- /dev/null
+++ b/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c
@@ -0,0 +1,445 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id: openssl_ec_private_key.c 4051 2008-06-10 09:08:27Z tobias $
+ */
+
+#include "openssl_ec_private_key.h"
+#include "openssl_ec_public_key.h"
+#include "openssl_util.h"
+
+#include <debug.h>
+
+#include <openssl/evp.h>
+#include <openssl/ecdsa.h>
+
+typedef struct private_openssl_ec_private_key_t private_openssl_ec_private_key_t;
+
+/**
+ * Private data of a openssl_ec_private_key_t object.
+ */
+struct private_openssl_ec_private_key_t {
+	/**
+	 * Public interface for this signer.
+	 */
+	openssl_ec_private_key_t public;
+	
+	/**
+	 * EC key object
+	 */
+	EC_KEY *ec;
+
+	/**
+	 * Keyid formed as a SHA-1 hash of a privateKey object
+	 */
+	identification_t* keyid;
+
+	/**
+	 * Keyid formed as a SHA-1 hash of a privateKeyInfo object
+	 */
+	identification_t* keyid_info;
+	
+	/**
+	 * reference count
+	 */
+	refcount_t ref;	
+};
+
+/**
+ * Mapping from the signature scheme defined in (RFC 4754) to the elliptic
+ * curve and the hash algorithm
+ */
+typedef struct {
+	/**
+	 * Scheme specified in RFC 4754
+	 */
+	int scheme;
+	
+	/**
+	 * NID of the hash
+	 */
+	int hash;
+	
+	/**
+	 * NID of the curve
+	 */
+	int curve;
+} openssl_ecdsa_scheme_t;
+
+#define END_OF_LIST -1
+
+/**
+ * Signature schemes
+ */
+static openssl_ecdsa_scheme_t ecdsa_schemes[] = {
+	{SIGN_ECDSA_256, NID_sha256, NID_X9_62_prime256v1},
+	{SIGN_ECDSA_384, NID_sha384, NID_secp384r1},
+	{SIGN_ECDSA_521, NID_sha512, NID_secp521r1},
+	{END_OF_LIST,    0,          0},
+};
+
+/**
+ * Look up the hash and curve of a signature scheme
+ */
+static bool lookup_scheme(int scheme, int *hash, int *curve)
+{
+	openssl_ecdsa_scheme_t *ecdsa_scheme = ecdsa_schemes;
+	while (ecdsa_scheme->scheme != END_OF_LIST)
+	{
+		if (scheme == ecdsa_scheme->scheme)
+		{
+			*hash = ecdsa_scheme->hash;
+			*curve = ecdsa_scheme->curve;
+			return TRUE;
+		}
+		ecdsa_scheme++;
+	}
+	return FALSE;
+}
+
+/**
+ * shared functions, implemented in openssl_ec_public_key.c
+ */
+bool openssl_ec_public_key_build_id(EC_KEY *ec, identification_t **keyid,
+								 identification_t **keyid_info);
+
+openssl_ec_public_key_t *openssl_ec_public_key_create_from_private_key(EC_KEY *ec);
+
+
+/**
+ * Convert an ECDSA_SIG to a chunk by concatenating r and s.
+ * This function allocates memory for the chunk.
+ */
+static bool sig2chunk(const EC_GROUP *group, ECDSA_SIG *sig, chunk_t *chunk)
+{
+	return openssl_bn_cat(EC_FIELD_ELEMENT_LEN(group), sig->r, sig->s, chunk);
+}
+
+/**
+ * Build the signature
+ */
+static bool build_signature(private_openssl_ec_private_key_t *this,
+							int hash_type, chunk_t data, chunk_t *signature)
+{
+	chunk_t hash = chunk_empty;
+	ECDSA_SIG *sig;
+	bool ret = FALSE;
+	
+	if (!openssl_hash_chunk(hash_type, data, &hash))
+	{
+		return FALSE;
+	}
+	
+	sig = ECDSA_do_sign(hash.ptr, hash.len, this->ec);
+	if (!sig)
+	{
+		goto error;
+	}
+	
+	if (!sig2chunk(EC_KEY_get0_group(this->ec), sig, signature))
+	{
+		goto error;
+	}
+	
+	ret = TRUE;
+error:
+	chunk_free(&hash);
+	if (sig)
+	{
+		ECDSA_SIG_free(sig);
+	}
+	return ret;
+}
+
+/**
+ * Implementation of private_key_t.get_type.
+ */
+static key_type_t get_type(private_openssl_ec_private_key_t *this)
+{
+	return KEY_ECDSA;
+}
+
+/**
+ * Implementation of private_key_t.sign.
+ */
+static bool sign(private_openssl_ec_private_key_t *this, signature_scheme_t scheme, 
+				 chunk_t data, chunk_t *signature)
+{
+	EC_GROUP *req_group;
+	const EC_GROUP *my_group;
+	int hash, curve;
+	
+	if (!lookup_scheme(scheme, &hash, &curve))
+	{
+		DBG1("signature scheme %N not supported in EC",
+				 signature_scheme_names, scheme);
+		return FALSE;
+	}
+	
+	req_group = EC_GROUP_new_by_curve_name(curve);
+	if (!req_group)
+	{
+		DBG1("signature scheme %N not supported in EC (required curve not supported)",
+				 signature_scheme_names, scheme);
+		return FALSE;
+	}
+	
+	my_group = EC_KEY_get0_group(this->ec);
+	if (EC_GROUP_cmp(my_group, req_group, NULL) != 0)
+	{
+		DBG1("signature scheme %N not supported by private key",
+				 signature_scheme_names, scheme);
+		return FALSE;
+	}
+	
+	EC_GROUP_free(req_group);
+	
+	return build_signature(this, hash, data, signature);
+}
+
+/**
+ * Implementation of private_key_t.destroy.
+ */
+static bool decrypt(private_openssl_ec_private_key_t *this,
+					chunk_t crypto, chunk_t *plain)
+{
+	DBG1("EC private key decryption not implemented");
+	return FALSE;
+}
+
+/**
+ * Implementation of private_key_t.get_keysize.
+ */
+static size_t get_keysize(private_openssl_ec_private_key_t *this)
+{
+	return EC_FIELD_ELEMENT_LEN(EC_KEY_get0_group(this->ec));
+}
+
+/**
+ * Implementation of private_key_t.get_id.
+ */
+static identification_t* get_id(private_openssl_ec_private_key_t *this,
+								id_type_t type)
+{
+	switch (type)
+	{
+		case ID_PUBKEY_INFO_SHA1:
+			return this->keyid_info;
+		case ID_PUBKEY_SHA1:
+			return this->keyid;
+		default:
+			return NULL;
+	}
+}
+
+/**
+ * Implementation of private_key_t.get_public_key.
+ */
+static openssl_ec_public_key_t* get_public_key(private_openssl_ec_private_key_t *this)
+{
+	return openssl_ec_public_key_create_from_private_key(this->ec);
+}
+
+/**
+ * Implementation of private_key_t.belongs_to.
+ */
+static bool belongs_to(private_openssl_ec_private_key_t *this, public_key_t *public)
+{
+	identification_t *keyid;
+
+	if (public->get_type(public) != KEY_ECDSA)
+	{
+		return FALSE;
+	}
+	keyid = public->get_id(public, ID_PUBKEY_SHA1);
+	if (keyid && keyid->equals(keyid, this->keyid))
+	{
+		return TRUE;
+	}
+	keyid = public->get_id(public, ID_PUBKEY_INFO_SHA1);
+	if (keyid && keyid->equals(keyid, this->keyid_info))
+	{
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/**
+ * Implementation of private_key_t.get_encoding.
+ */
+static chunk_t get_encoding(private_openssl_ec_private_key_t *this)
+{
+	chunk_t enc = chunk_alloc(i2d_ECPrivateKey(this->ec, NULL));
+	u_char *p = enc.ptr;
+	i2d_ECPrivateKey(this->ec, &p);
+	return enc;
+}
+
+/**
+ * Implementation of private_key_t.get_ref.
+ */
+static private_openssl_ec_private_key_t* get_ref(private_openssl_ec_private_key_t *this)
+{
+	ref_get(&this->ref);
+	return this;
+
+}
+
+/**
+ * Implementation of private_key_t.destroy.
+ */
+static void destroy(private_openssl_ec_private_key_t *this)
+{
+	if (ref_put(&this->ref))
+	{
+		if (this->ec)
+		{
+			EC_KEY_free(this->ec);
+		}
+		DESTROY_IF(this->keyid);
+		DESTROY_IF(this->keyid_info);
+		free(this);
+	}
+}
+
+/**
+ * Internal generic constructor
+ */
+static private_openssl_ec_private_key_t *openssl_ec_private_key_create_empty(void)
+{
+	private_openssl_ec_private_key_t *this = malloc_thing(private_openssl_ec_private_key_t);
+	
+	this->public.interface.get_type = (key_type_t (*)(private_key_t *this))get_type;
+	this->public.interface.sign = (bool (*)(private_key_t *this, signature_scheme_t scheme, chunk_t data, chunk_t *signature))sign;
+	this->public.interface.decrypt = (bool (*)(private_key_t *this, chunk_t crypto, chunk_t *plain))decrypt;
+	this->public.interface.get_keysize = (size_t (*) (private_key_t *this))get_keysize;
+	this->public.interface.get_id = (identification_t* (*) (private_key_t *this,id_type_t))get_id;
+	this->public.interface.get_public_key = (public_key_t* (*)(private_key_t *this))get_public_key;
+	this->public.interface.belongs_to = (bool (*) (private_key_t *this, public_key_t *public))belongs_to;
+	this->public.interface.get_encoding = (chunk_t(*)(private_key_t*))get_encoding;
+	this->public.interface.get_ref = (private_key_t* (*)(private_key_t *this))get_ref;
+	this->public.interface.destroy = (void (*)(private_key_t *this))destroy;
+	
+	this->ec = NULL;
+	this->keyid = NULL;
+	this->keyid_info = NULL;
+	this->ref = 1;
+	
+	return this;
+}
+
+/**
+ * load private key from an ASN1 encoded blob
+ */
+static openssl_ec_private_key_t *load(chunk_t blob)
+{
+	u_char *p = blob.ptr;
+	private_openssl_ec_private_key_t *this = openssl_ec_private_key_create_empty();
+	
+	this->ec = d2i_ECPrivateKey(NULL, (const u_char**)&p, blob.len);
+	
+	chunk_clear(&blob);
+
+	if (!this->ec)
+	{
+		destroy(this);
+		return NULL;
+	}
+	
+	if (!openssl_ec_public_key_build_id(this->ec, &this->keyid, &this->keyid_info))
+	{
+		destroy(this);
+		return NULL;
+	}
+	
+	if (!EC_KEY_check_key(this->ec))
+	{
+		destroy(this);
+		return NULL;
+	}
+	
+	return &this->public;
+}
+
+typedef struct private_builder_t private_builder_t;
+/**
+ * Builder implementation for key loading/generation
+ */
+struct private_builder_t {
+	/** implements the builder interface */
+	builder_t public;
+	/** loaded/generated private key */
+	openssl_ec_private_key_t *key;
+};
+
+/**
+ * Implementation of builder_t.build
+ */
+static openssl_ec_private_key_t *build(private_builder_t *this)
+{
+	openssl_ec_private_key_t *key = this->key;
+	
+	free(this);
+	return key;
+}
+
+/**
+ * Implementation of builder_t.add
+ */
+static void add(private_builder_t *this, builder_part_t part, ...)
+{
+	va_list args;
+	
+	if (this->key)
+	{
+		DBG1("ignoring surplus build part %N", builder_part_names, part);
+		return;
+	}
+	
+	switch (part)
+	{
+		case BUILD_BLOB_ASN1_DER:
+		{
+			va_start(args, part);
+			this->key = load(va_arg(args, chunk_t));
+			va_end(args);
+			break;
+		}
+		default:
+			DBG1("ignoring unsupported build part %N", builder_part_names, part);
+			break;
+	}
+}
+
+/**
+ * Builder construction function
+ */
+builder_t *openssl_ec_private_key_builder(key_type_t type)
+{
+	private_builder_t *this;
+	
+	if (type != KEY_ECDSA)
+	{
+		return NULL;
+	}
+	
+	this = malloc_thing(private_builder_t);
+	
+	this->key = NULL;
+	this->public.add = (void(*)(builder_t *this, builder_part_t part, ...))add;
+	this->public.build = (void*(*)(builder_t *this))build;
+	
+	return &this->public;
+}
+
diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_private_key.h b/src/libstrongswan/plugins/openssl/openssl_ec_private_key.h
new file mode 100644
index 000000000..629fc9574
--- /dev/null
+++ b/src/libstrongswan/plugins/openssl/openssl_ec_private_key.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ * 
+ * $Id: openssl_ec_private_key.h 4051 2008-06-10 09:08:27Z tobias $
+ */
+
+/**
+ * @defgroup openssl_ec_private_key openssl_ec_private_key
+ * @{ @ingroup openssl_p
+ */
+
+#ifndef OPENSSL_EC_PRIVATE_KEY_H_
+#define OPENSSL_EC_PRIVATE_KEY_H_
+
+#include <credentials/keys/private_key.h>
+
+typedef struct openssl_ec_private_key_t openssl_ec_private_key_t;
+
+/**
+ * private_key_t implementation of ECDSA using OpenSSL.
+ */
+struct openssl_ec_private_key_t {
+
+	/**
+	 * Implements private_key_t interface
+	 */
+	private_key_t interface;
+};
+
+/**
+ * Create the builder for a private key.
+ *
+ * @param type		type of the key, must be KEY_ECDSA
+ * @return 			builder instance
+ */
+builder_t *openssl_ec_private_key_builder(key_type_t type);
+
+#endif /*OPENSSL_EC_PRIVATE_KEY_H_ @}*/
diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c b/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c
new file mode 100644
index 000000000..2056575ba
--- /dev/null
+++ b/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c
@@ -0,0 +1,447 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id: openssl_ec_public_key.c 4051 2008-06-10 09:08:27Z tobias $
+ */
+
+#include "openssl_ec_public_key.h"
+#include "openssl_util.h"
+
+#include <debug.h>
+
+#include <openssl/evp.h>
+#include <openssl/ecdsa.h>
+#include <openssl/x509.h>
+
+typedef struct private_openssl_ec_public_key_t private_openssl_ec_public_key_t;
+
+/**
+ * Private data structure with signing context.
+ */
+struct private_openssl_ec_public_key_t {
+	/**
+	 * Public interface for this signer.
+	 */
+	openssl_ec_public_key_t public;
+	
+	/**
+	 * EC key object
+	 */
+	EC_KEY *ec;
+	
+	/**
+	 * Keyid formed as a SHA-1 hash of a publicKeyInfo object
+	 */
+	identification_t *keyid_info;
+	
+	/**
+	 * Keyid formed as a SHA-1 hash of a publicKey object
+	 */
+	identification_t *keyid;
+	
+	/**
+	 * reference counter
+	 */
+	refcount_t ref;
+};
+
+/**
+ * Convert a chunk to an ECDSA_SIG (which must already exist). r and s
+ * of the signature have to be concatenated in the chunk.
+ */
+static bool chunk2sig(const EC_GROUP *group, chunk_t chunk, ECDSA_SIG *sig)
+{
+	return openssl_bn_split(chunk, sig->r, sig->s);
+}
+
+/**
+ * Verification of a signature as in RFC 4754
+ */
+static bool verify_signature(private_openssl_ec_public_key_t *this,
+								int hash_type, chunk_t data, chunk_t signature)
+{
+	chunk_t hash = chunk_empty;
+	ECDSA_SIG *sig;
+	bool valid = FALSE;
+	
+	if (!openssl_hash_chunk(hash_type, data, &hash))
+	{
+		return FALSE;
+	}
+	
+	sig = ECDSA_SIG_new();
+	if (!sig)
+	{
+		goto error;
+	}
+	
+	if (!chunk2sig(EC_KEY_get0_group(this->ec), signature, sig))
+	{
+		goto error;
+	}
+	
+	valid = (ECDSA_do_verify(hash.ptr, hash.len, sig, this->ec) == 1);
+	
+error:
+	if (sig)
+	{
+		ECDSA_SIG_free(sig);
+	}
+	chunk_free(&hash);
+	return valid;
+}
+
+
+/**
+ * Verification of the default signature using SHA-1
+ */
+static bool verify_default_signature(private_openssl_ec_public_key_t *this,
+								chunk_t data, chunk_t signature)
+{
+	bool valid = FALSE;
+	chunk_t hash = chunk_empty;
+	u_char *p;
+	ECDSA_SIG *sig;
+	
+	/* remove any preceding 0-bytes from signature */
+	while (signature.len && *(signature.ptr) == 0x00)
+	{
+		signature.len -= 1;
+		signature.ptr++;
+	}
+	
+	p = signature.ptr;
+	sig = d2i_ECDSA_SIG(NULL, (const u_char**)&p, signature.len);
+	if (!sig)
+	{
+		return FALSE;
+	}
+	
+	if (!openssl_hash_chunk(NID_sha1, data, &hash))
+	{
+		goto error;
+	}
+	
+	valid = (ECDSA_do_verify(hash.ptr, hash.len, sig, this->ec) == 1);
+
+error:
+	if (sig)
+	{
+		ECDSA_SIG_free(sig);
+	}
+	chunk_free(&hash);
+	return valid;
+}
+
+/**
+ * Implementation of public_key_t.get_type.
+ */
+static key_type_t get_type(private_openssl_ec_public_key_t *this)
+{
+	return KEY_ECDSA;
+}
+
+/**
+ * Implementation of public_key_t.verify.
+ */
+static bool verify(private_openssl_ec_public_key_t *this, signature_scheme_t scheme, 
+				   chunk_t data, chunk_t signature)
+{
+	switch (scheme)
+	{
+		case SIGN_ECDSA_WITH_SHA1:
+			return verify_default_signature(this, data, signature);
+		case SIGN_ECDSA_256:
+			return verify_signature(this, NID_sha256, data, signature);
+		case SIGN_ECDSA_384:
+			return verify_signature(this, NID_sha384, data, signature);
+		case SIGN_ECDSA_521:
+			return verify_signature(this, NID_sha512, data, signature);
+		default:
+			DBG1("signature scheme %N not supported in EC",
+				 signature_scheme_names, scheme);
+			return FALSE;
+	}
+}
+
+/**
+ * Implementation of public_key_t.get_keysize.
+ */
+static bool encrypt(private_openssl_ec_public_key_t *this, chunk_t crypto, chunk_t *plain)
+{
+	DBG1("EC public key encryption not implemented");
+	return FALSE;
+}
+
+/**
+ * Implementation of public_key_t.get_keysize.
+ */
+static size_t get_keysize(private_openssl_ec_public_key_t *this)
+{
+	return EC_FIELD_ELEMENT_LEN(EC_KEY_get0_group(this->ec));
+}
+
+/**
+ * Implementation of public_key_t.get_id.
+ */
+static identification_t *get_id(private_openssl_ec_public_key_t *this,
+								id_type_t type)
+{
+	switch (type)
+	{
+		case ID_PUBKEY_INFO_SHA1:
+			return this->keyid_info;
+		case ID_PUBKEY_SHA1:
+			return this->keyid;
+		default:
+			return NULL;
+	}
+}
+
+/**
+ * Encodes the public key
+ */ 
+static chunk_t get_encoding_raw(EC_KEY *ec)
+{
+	/* since the points can be stored in three different forms this may not
+	 * be correct for all cases */
+	const EC_GROUP *group = EC_KEY_get0_group(ec);
+	const EC_POINT *pub = EC_KEY_get0_public_key(ec);
+	chunk_t enc = chunk_alloc(EC_POINT_point2oct(group, pub,
+						POINT_CONVERSION_UNCOMPRESSED, NULL, 0, NULL));
+	EC_POINT_point2oct(group, pub, POINT_CONVERSION_UNCOMPRESSED,
+						enc.ptr, enc.len, NULL);
+	return enc;	
+}
+
+/**
+ * Encodes the public key info (public key with ec parameters)
+ */ 
+static chunk_t get_encoding_full(EC_KEY *ec)
+{
+	chunk_t enc = chunk_alloc(i2d_EC_PUBKEY(ec, NULL));
+	u_char *p = enc.ptr;
+	i2d_EC_PUBKEY(ec, &p);
+	return enc;
+}
+
+/*
+ * Implementation of public_key_t.get_encoding.
+ */
+static chunk_t get_encoding(private_openssl_ec_public_key_t *this)
+{
+	return get_encoding_full(this->ec);
+}
+
+/**
+ * Implementation of public_key_t.get_ref.
+ */
+static private_openssl_ec_public_key_t* get_ref(private_openssl_ec_public_key_t *this)
+{
+	ref_get(&this->ref);
+	return this;
+}
+
+/**
+ * Implementation of openssl_ec_public_key.destroy.
+ */
+static void destroy(private_openssl_ec_public_key_t *this)
+{
+	if (ref_put(&this->ref))
+	{
+		if (this->ec)
+		{
+			EC_KEY_free(this->ec);
+		}
+		DESTROY_IF(this->keyid);
+		DESTROY_IF(this->keyid_info);
+		free(this);
+	}
+}
+
+/**
+ * Generic private constructor
+ */
+static private_openssl_ec_public_key_t *openssl_ec_public_key_create_empty()
+{
+	private_openssl_ec_public_key_t *this = malloc_thing(private_openssl_ec_public_key_t);
+	
+	this->public.interface.get_type = (key_type_t (*)(public_key_t *this))get_type;
+	this->public.interface.verify = (bool (*)(public_key_t *this, signature_scheme_t scheme, chunk_t data, chunk_t signature))verify;
+	this->public.interface.encrypt = (bool (*)(public_key_t *this, chunk_t crypto, chunk_t *plain))encrypt;
+	this->public.interface.get_keysize = (size_t (*) (public_key_t *this))get_keysize;
+	this->public.interface.get_id = (identification_t* (*) (public_key_t *this,id_type_t))get_id;
+	this->public.interface.get_encoding = (chunk_t(*)(public_key_t*))get_encoding;
+	this->public.interface.get_ref = (public_key_t* (*)(public_key_t *this))get_ref;
+	this->public.interface.destroy = (void (*)(public_key_t *this))destroy;
+	
+	this->ec = NULL;
+	this->keyid = NULL;
+	this->keyid_info = NULL;
+	this->ref = 1;
+	
+	return this;
+}
+
+/**
+ * Build key identifier from the public key using SHA1 hashed publicKey(Info).
+ * Also used in openssl_ec_private_key.c.
+ */
+bool openssl_ec_public_key_build_id(EC_KEY *ec, identification_t **keyid,
+								 identification_t **keyid_info)
+{
+	chunk_t publicKeyInfo, publicKey, hash;
+	hasher_t *hasher;
+	
+	hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
+	if (hasher == NULL)
+	{
+		DBG1("SHA1 hash algorithm not supported, unable to use EC");
+		return FALSE;
+	}
+	
+	publicKey = get_encoding_raw(ec);
+	
+	hasher->allocate_hash(hasher, publicKey, &hash);
+	*keyid = identification_create_from_encoding(ID_PUBKEY_SHA1, hash);
+	chunk_free(&hash);
+	
+	publicKeyInfo = get_encoding_full(ec);
+	
+	hasher->allocate_hash(hasher, publicKeyInfo, &hash);
+	*keyid_info = identification_create_from_encoding(ID_PUBKEY_INFO_SHA1, hash);
+	chunk_free(&hash);
+	
+	hasher->destroy(hasher);
+	chunk_free(&publicKeyInfo);
+	chunk_free(&publicKey);
+	
+	return TRUE;
+}
+
+/**
+ * Create a public key from BIGNUM values, used in openssl_ec_private_key.c
+ */
+openssl_ec_public_key_t *openssl_ec_public_key_create_from_private_key(EC_KEY *ec)
+{
+	private_openssl_ec_public_key_t *this = openssl_ec_public_key_create_empty();
+	
+	this->ec = EC_KEY_new();
+	EC_KEY_set_public_key(this->ec, EC_KEY_get0_public_key(ec));
+	
+	if (!openssl_ec_public_key_build_id(this->ec, &this->keyid, &this->keyid_info))
+	{
+		destroy(this);
+		return NULL;
+	}
+	return &this->public;
+}
+
+/**
+ * Load a public key from an ASN1 encoded blob
+ */
+static openssl_ec_public_key_t *load(chunk_t blob)
+{
+	u_char *p = blob.ptr;
+	private_openssl_ec_public_key_t *this = openssl_ec_public_key_create_empty();
+	
+	this->ec = d2i_EC_PUBKEY(NULL, (const u_char**)&p, blob.len);
+	
+	chunk_clear(&blob);
+	
+	if (!this->ec)
+	{
+		destroy(this);
+		return NULL;
+	}
+	
+	if (!openssl_ec_public_key_build_id(this->ec, &this->keyid, &this->keyid_info))
+	{
+		destroy(this);
+		return NULL;
+	}
+	return &this->public;
+}
+
+typedef struct private_builder_t private_builder_t;
+/**
+ * Builder implementation for key loading
+ */
+struct private_builder_t {
+	/** implements the builder interface */
+	builder_t public;
+	/** loaded public key */
+	openssl_ec_public_key_t *key;
+};
+
+/**
+ * Implementation of builder_t.build
+ */
+static openssl_ec_public_key_t *build(private_builder_t *this)
+{
+	openssl_ec_public_key_t *key = this->key;
+	
+	free(this);
+	return key;
+}
+
+/**
+ * Implementation of builder_t.add
+ */
+static void add(private_builder_t *this, builder_part_t part, ...)
+{
+	va_list args;
+	
+	if (this->key)
+	{
+		DBG1("ignoring surplus build part %N", builder_part_names, part);
+		return;
+	}
+	
+	switch (part)
+	{
+		case BUILD_BLOB_ASN1_DER:
+		{
+			va_start(args, part);
+			this->key = load(va_arg(args, chunk_t));
+			va_end(args);
+			break;
+		}
+		default:
+			DBG1("ignoring unsupported build part %N", builder_part_names, part);
+			break;
+	}
+}
+
+/**
+ * Builder construction function
+ */
+builder_t *openssl_ec_public_key_builder(key_type_t type)
+{
+	private_builder_t *this;
+	
+	if (type != KEY_ECDSA)
+	{
+		return NULL;
+	}
+	
+	this = malloc_thing(private_builder_t);
+	
+	this->key = NULL;
+	this->public.add = (void(*)(builder_t *this, builder_part_t part, ...))add;
+	this->public.build = (void*(*)(builder_t *this))build;
+	
+	return &this->public;
+}
+
diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_public_key.h b/src/libstrongswan/plugins/openssl/openssl_ec_public_key.h
new file mode 100644
index 000000000..92684402c
--- /dev/null
+++ b/src/libstrongswan/plugins/openssl/openssl_ec_public_key.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id: openssl_ec_public_key.h 4051 2008-06-10 09:08:27Z tobias $
+ */
+
+/**
+ * @defgroup openssl_ec_public_key openssl_ec_public_key
+ * @{ @ingroup openssl_p
+ */
+
+#ifndef OPENSSL_EC_PUBLIC_KEY_H_
+#define OPENSSL_EC_PUBLIC_KEY_H_
+
+typedef struct openssl_ec_public_key_t openssl_ec_public_key_t;
+
+#include <credentials/keys/public_key.h>
+
+/**
+ * public_key_t implementation of ECDSA using OpenSSL.
+ */
+struct openssl_ec_public_key_t {
+
+	/**
+	 * Implements the public_key_t interface
+	 */
+	public_key_t interface;
+};
+
+/**
+ * Create the builder for a public key.
+ *
+ * @param type		type of the key, must be KEY_ECDSA
+ * @return 			builder instance
+ */
+builder_t *openssl_ec_public_key_builder(key_type_t type);
+
+#endif /*OPENSSL_EC_PUBLIC_KEY_H_ @}*/
diff --git a/src/libstrongswan/plugins/openssl/openssl_hasher.c b/src/libstrongswan/plugins/openssl/openssl_hasher.c
new file mode 100644
index 000000000..1275cdfb0
--- /dev/null
+++ b/src/libstrongswan/plugins/openssl/openssl_hasher.c
@@ -0,0 +1,185 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil 
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id: openssl_hasher.c 3898 2008-04-30 09:23:13Z tobias $
+ */
+
+#include "openssl_hasher.h"
+
+#include <openssl/evp.h>
+
+typedef struct private_openssl_hasher_t private_openssl_hasher_t;
+
+/**
+ * Private data of openssl_hasher_t
+ */
+struct private_openssl_hasher_t {
+	
+	/**
+	 * Public part of this class.
+	 */
+	openssl_hasher_t public;
+	
+	/**
+	 * the hasher to use
+	 */
+	const EVP_MD *hasher;
+	
+	/**
+	 * the current digest context 
+	 */
+	EVP_MD_CTX *ctx;
+};
+
+/**
+ * Mapping from the algorithms defined in IKEv2 to
+ * OpenSSL algorithm names
+ */
+typedef struct {
+	/**
+	 * Identifier specified in IKEv2
+	 */
+	int ikev2_id;
+	
+	/**
+	 * Name of the algorithm, as used in OpenSSL
+	 */
+	char *name;
+} openssl_algorithm_t;
+
+#define END_OF_LIST -1
+
+/**
+ * Algorithms for integrity
+ */
+static openssl_algorithm_t integrity_algs[] = {
+	{HASH_MD2,		"md2"},
+	{HASH_MD5,		"md5"},
+	{HASH_SHA1,		"sha1"},
+	{HASH_SHA256,	"sha256"},
+	{HASH_SHA384,	"sha384"},
+	{HASH_SHA512, 	"sha512"},
+	{END_OF_LIST, 	NULL},
+};
+
+/**
+ * Look up an OpenSSL algorithm name
+ */
+static char* lookup_algorithm(openssl_algorithm_t *openssl_algo, 
+					   u_int16_t ikev2_algo)
+{
+	while (openssl_algo->ikev2_id != END_OF_LIST)
+	{
+		if (ikev2_algo == openssl_algo->ikev2_id)
+		{
+			return openssl_algo->name;
+		}
+		openssl_algo++;
+	}
+	return NULL;
+}
+
+/**
+ * Implementation of hasher_t.get_hash_size.
+ */
+static size_t get_hash_size(private_openssl_hasher_t *this)
+{
+	return this->hasher->md_size;
+}
+
+/**
+ * Implementation of hasher_t.reset.
+ */
+static void reset(private_openssl_hasher_t *this)
+{
+	EVP_DigestInit_ex(this->ctx, this->hasher, NULL);
+}
+
+/**
+ * Implementation of hasher_t.get_hash.
+ */
+static void get_hash(private_openssl_hasher_t *this, chunk_t chunk,
+					 u_int8_t *hash)
+{
+	EVP_DigestUpdate(this->ctx, chunk.ptr, chunk.len);
+	if (hash)
+	{
+		EVP_DigestFinal_ex(this->ctx, hash, NULL);
+		reset(this);
+	}
+}
+
+/**
+ * Implementation of hasher_t.allocate_hash.
+ */
+static void allocate_hash(private_openssl_hasher_t *this, chunk_t chunk,
+						  chunk_t *hash)
+{
+	if (hash)
+	{
+		*hash = chunk_alloc(get_hash_size(this));
+		get_hash(this, chunk, hash->ptr);
+	}
+	else
+	{
+		get_hash(this, chunk, NULL);	
+	}
+}
+
+/**
+ * Implementation of hasher_t.destroy.
+ */
+static void destroy (private_openssl_hasher_t *this)
+{
+	EVP_MD_CTX_destroy(this->ctx);
+	free(this);
+}
+
+/*
+ * Described in header
+ */
+openssl_hasher_t *openssl_hasher_create(hash_algorithm_t algo)
+{
+	private_openssl_hasher_t *this;
+	
+	char* name = lookup_algorithm(integrity_algs, algo);
+	if (!name)
+	{
+		/* algo unavailable */
+		return NULL;
+	}
+
+	this = malloc_thing(private_openssl_hasher_t);
+	
+	this->hasher = EVP_get_digestbyname(name);
+	if (!this->hasher)
+	{
+		/* OpenSSL does not support the requested algo */
+		free(this);
+		return NULL;
+	}
+	
+	this->public.hasher_interface.get_hash = (void (*) (hasher_t*, chunk_t, u_int8_t*))get_hash;
+	this->public.hasher_interface.allocate_hash = (void (*) (hasher_t*, chunk_t, chunk_t*))allocate_hash;
+	this->public.hasher_interface.get_hash_size = (size_t (*) (hasher_t*))get_hash_size;
+	this->public.hasher_interface.reset = (void (*) (hasher_t*))reset;
+	this->public.hasher_interface.destroy = (void (*) (hasher_t*))destroy;
+	
+	this->ctx = EVP_MD_CTX_create();
+	
+	/* initialization */
+	reset(this);
+	
+	return &this->public;
+}
diff --git a/src/libstrongswan/plugins/openssl/openssl_hasher.h b/src/libstrongswan/plugins/openssl/openssl_hasher.h
new file mode 100644
index 000000000..f776e9fd4
--- /dev/null
+++ b/src/libstrongswan/plugins/openssl/openssl_hasher.h
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ * 
+ * $Id: openssl_hasher.h 4000 2008-05-22 12:13:10Z tobias $
+ */
+
+/**
+ * @defgroup openssl_hasher openssl_hasher
+ * @{ @ingroup openssl_p
+ */
+
+#ifndef OPENSSL_HASHER_H_
+#define OPENSSL_HASHER_H_
+
+typedef struct openssl_hasher_t openssl_hasher_t;
+
+#include <crypto/hashers/hasher.h>
+
+/**
+ * Implementation of hashers using OpenSSL.
+ */
+struct openssl_hasher_t {
+	
+	/**
+	 * The hasher_t interface.
+	 */
+	hasher_t hasher_interface;
+};
+
+/**
+ * Constructor to create openssl_hasher_t.
+ * 
+ * @param algo			algorithm
+ * @param key_size		key size in bytes
+ * @return				openssl_hasher_t, NULL if not supported
+ */
+openssl_hasher_t *openssl_hasher_create(hash_algorithm_t algo);
+
+#endif /* OPENSSL_HASHER_H_ @}*/
diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c
new file mode 100644
index 000000000..7fdd7c224
--- /dev/null
+++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c
@@ -0,0 +1,164 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id: openssl_plugin.c 4107 2008-06-25 12:39:32Z tobias $
+ */
+
+#include <openssl/evp.h>
+#include <openssl/engine.h>
+
+#include "openssl_plugin.h"
+
+#include <library.h>
+#include "openssl_crypter.h"
+#include "openssl_hasher.h"
+#include "openssl_diffie_hellman.h"
+#include "openssl_ec_diffie_hellman.h"
+#include "openssl_rsa_private_key.h"
+#include "openssl_rsa_public_key.h"
+#include "openssl_ec_private_key.h"
+#include "openssl_ec_public_key.h"
+
+typedef struct private_openssl_plugin_t private_openssl_plugin_t;
+
+/**
+ * private data of openssl_plugin
+ */
+struct private_openssl_plugin_t {
+
+	/**
+	 * public functions
+	 */
+	openssl_plugin_t public;
+};
+
+/**
+ * Implementation of openssl_plugin_t.destroy
+ */
+static void destroy(private_openssl_plugin_t *this)
+{
+	lib->crypto->remove_crypter(lib->crypto,
+					(crypter_constructor_t)openssl_crypter_create);
+	lib->crypto->remove_hasher(lib->crypto,
+					(hasher_constructor_t)openssl_hasher_create);
+	lib->crypto->remove_dh(lib->crypto, 
+					(dh_constructor_t)openssl_diffie_hellman_create);
+	lib->crypto->remove_dh(lib->crypto, 
+					(dh_constructor_t)openssl_ec_diffie_hellman_create);
+	lib->creds->remove_builder(lib->creds,
+					(builder_constructor_t)openssl_rsa_private_key_builder);
+	lib->creds->remove_builder(lib->creds,
+					(builder_constructor_t)openssl_rsa_public_key_builder);
+	lib->creds->remove_builder(lib->creds,
+					(builder_constructor_t)openssl_ec_private_key_builder);
+	lib->creds->remove_builder(lib->creds,
+					(builder_constructor_t)openssl_ec_public_key_builder);
+	
+	ENGINE_cleanup();
+	EVP_cleanup();
+	
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *plugin_create()
+{
+	private_openssl_plugin_t *this = malloc_thing(private_openssl_plugin_t);
+	
+	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+	
+	OpenSSL_add_all_algorithms();
+	
+	/* activate support for hardware accelerators */
+	ENGINE_load_builtin_engines();
+	ENGINE_register_all_complete();
+	
+	/* crypter */
+	lib->crypto->add_crypter(lib->crypto, ENCR_DES,
+					(crypter_constructor_t)openssl_crypter_create);
+	lib->crypto->add_crypter(lib->crypto, ENCR_3DES,
+					(crypter_constructor_t)openssl_crypter_create);
+	lib->crypto->add_crypter(lib->crypto, ENCR_RC5,
+					(crypter_constructor_t)openssl_crypter_create);
+	lib->crypto->add_crypter(lib->crypto, ENCR_IDEA,
+					(crypter_constructor_t)openssl_crypter_create);
+	lib->crypto->add_crypter(lib->crypto, ENCR_CAST,
+					(crypter_constructor_t)openssl_crypter_create);
+	lib->crypto->add_crypter(lib->crypto, ENCR_BLOWFISH,
+					(crypter_constructor_t)openssl_crypter_create);
+	lib->crypto->add_crypter(lib->crypto, ENCR_NULL,
+					(crypter_constructor_t)openssl_crypter_create);
+	lib->crypto->add_crypter(lib->crypto, ENCR_AES_CBC,
+					(crypter_constructor_t)openssl_crypter_create);
+	
+	/* hasher */
+	lib->crypto->add_hasher(lib->crypto, HASH_SHA1,
+					(hasher_constructor_t)openssl_hasher_create);
+	lib->crypto->add_hasher(lib->crypto, HASH_MD2,
+					(hasher_constructor_t)openssl_hasher_create);
+	lib->crypto->add_hasher(lib->crypto, HASH_MD5,
+					(hasher_constructor_t)openssl_hasher_create);
+	lib->crypto->add_hasher(lib->crypto, HASH_SHA256,
+					(hasher_constructor_t)openssl_hasher_create);
+	lib->crypto->add_hasher(lib->crypto, HASH_SHA384,
+					(hasher_constructor_t)openssl_hasher_create);
+	lib->crypto->add_hasher(lib->crypto, HASH_SHA512,
+					(hasher_constructor_t)openssl_hasher_create);
+	
+	/* diffie hellman */
+	lib->crypto->add_dh(lib->crypto, MODP_768_BIT, 
+						(dh_constructor_t)openssl_diffie_hellman_create);
+	lib->crypto->add_dh(lib->crypto, MODP_1024_BIT,
+						(dh_constructor_t)openssl_diffie_hellman_create);
+	lib->crypto->add_dh(lib->crypto, MODP_1536_BIT, 
+						(dh_constructor_t)openssl_diffie_hellman_create);
+	lib->crypto->add_dh(lib->crypto, MODP_2048_BIT, 
+						(dh_constructor_t)openssl_diffie_hellman_create);
+	lib->crypto->add_dh(lib->crypto, MODP_3072_BIT, 
+						(dh_constructor_t)openssl_diffie_hellman_create);
+	lib->crypto->add_dh(lib->crypto, MODP_4096_BIT, 
+						(dh_constructor_t)openssl_diffie_hellman_create);
+	lib->crypto->add_dh(lib->crypto, MODP_6144_BIT, 
+						(dh_constructor_t)openssl_diffie_hellman_create);
+	lib->crypto->add_dh(lib->crypto, MODP_8192_BIT, 
+						(dh_constructor_t)openssl_diffie_hellman_create);
+	
+	/* ec diffie hellman */
+	lib->crypto->add_dh(lib->crypto, ECP_192_BIT,
+						(dh_constructor_t)openssl_ec_diffie_hellman_create);
+	lib->crypto->add_dh(lib->crypto, ECP_224_BIT,
+						(dh_constructor_t)openssl_ec_diffie_hellman_create);
+	lib->crypto->add_dh(lib->crypto, ECP_256_BIT,
+						(dh_constructor_t)openssl_ec_diffie_hellman_create);
+	lib->crypto->add_dh(lib->crypto, ECP_384_BIT,
+						(dh_constructor_t)openssl_ec_diffie_hellman_create);
+	lib->crypto->add_dh(lib->crypto, ECP_521_BIT,
+						(dh_constructor_t)openssl_ec_diffie_hellman_create);
+	
+	/* rsa */
+	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+						(builder_constructor_t)openssl_rsa_private_key_builder);
+	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
+						(builder_constructor_t)openssl_rsa_public_key_builder);
+	
+	/* ec */
+	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_ECDSA,
+						(builder_constructor_t)openssl_ec_private_key_builder);
+	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_ECDSA,
+						(builder_constructor_t)openssl_ec_public_key_builder);
+	
+	return &this->public.plugin;
+}
diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.h b/src/libstrongswan/plugins/openssl/openssl_plugin.h
new file mode 100644
index 000000000..40f741dfa
--- /dev/null
+++ b/src/libstrongswan/plugins/openssl/openssl_plugin.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ * 
+ * $Id: openssl_plugin.h 4000 2008-05-22 12:13:10Z tobias $
+ */
+
+/**
+ * @defgroup openssl_p openssl
+ * @ingroup plugins
+ *
+ * @defgroup openssl_plugin openssl_plugin
+ * @{ @ingroup openssl_p
+ */
+
+#ifndef OPENSSL_PLUGIN_H_
+#define OPENSSL_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct openssl_plugin_t openssl_plugin_t;
+
+/**
+ * Plugin implementing crypto functions via the OpenSSL library
+ */
+struct openssl_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+/**
+ * Create a openssl_plugin instance.
+ */
+plugin_t *plugin_create();
+
+#endif /* OPENSSL_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
new file mode 100644
index 000000000..7595eed3a
--- /dev/null
+++ b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
@@ -0,0 +1,422 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id: openssl_rsa_private_key.c 3963 2008-05-15 12:41:06Z tobias $
+ */
+
+#include "openssl_rsa_private_key.h"
+#include "openssl_rsa_public_key.h"
+
+#include <debug.h>
+
+#include <openssl/evp.h>
+#include <openssl/rsa.h>
+
+/**
+ *  Public exponent to use for key generation.
+ */
+#define PUBLIC_EXPONENT 0x10001
+
+typedef struct private_openssl_rsa_private_key_t private_openssl_rsa_private_key_t;
+
+/**
+ * Private data of a openssl_rsa_private_key_t object.
+ */
+struct private_openssl_rsa_private_key_t {
+	/**
+	 * Public interface for this signer.
+	 */
+	openssl_rsa_private_key_t public;
+	
+	/**
+	 * RSA object from OpenSSL
+	 */
+	RSA *rsa;
+
+	/**
+	 * Keyid formed as a SHA-1 hash of a privateKey object
+	 */
+	identification_t* keyid;
+
+	/**
+	 * Keyid formed as a SHA-1 hash of a privateKeyInfo object
+	 */
+	identification_t* keyid_info;
+	
+	/**
+	 * reference count
+	 */
+	refcount_t ref;	
+};
+
+/**
+ * shared functions, implemented in openssl_rsa_public_key.c
+ */
+bool openssl_rsa_public_key_build_id(RSA *rsa, identification_t **keyid,
+								 identification_t **keyid_info);
+
+
+openssl_rsa_public_key_t *openssl_rsa_public_key_create_from_n_e(BIGNUM *n, BIGNUM *e);
+
+
+/**
+ * Build an EMPSA PKCS1 signature described in PKCS#1
+ */
+static bool build_emsa_pkcs1_signature(private_openssl_rsa_private_key_t *this,
+									   int type, chunk_t data, chunk_t *signature)
+{
+	bool success = FALSE;
+	const EVP_MD *hasher = EVP_get_digestbynid(type);
+	if (!hasher)
+	{
+		return FALSE;
+	}
+	
+	EVP_MD_CTX *ctx = EVP_MD_CTX_create();
+	EVP_PKEY *key = EVP_PKEY_new();
+	if (!ctx || !key)
+	{
+		goto error;
+	}
+	
+	if (!EVP_PKEY_set1_RSA(key, this->rsa))
+	{
+		goto error;
+	}
+	
+	if (!EVP_SignInit_ex(ctx, hasher, NULL))
+	{
+		goto error;
+	}
+	
+	if (!EVP_SignUpdate(ctx, data.ptr, data.len))
+	{
+		goto error;
+	}
+	
+	*signature = chunk_alloc(RSA_size(this->rsa));
+	
+	if (!EVP_SignFinal(ctx, signature->ptr, &signature->len, key))
+	{
+		goto error;
+	}
+	
+	success = TRUE;
+	
+error:
+	if (key)
+	{
+		EVP_PKEY_free(key);
+	}
+	if (ctx)
+	{
+		EVP_MD_CTX_destroy(ctx);
+	}
+	return success;
+}
+
+/**
+ * Implementation of openssl_rsa_private_key.destroy.
+ */
+static key_type_t get_type(private_openssl_rsa_private_key_t *this)
+{
+	return KEY_RSA;
+}
+
+/**
+ * Implementation of openssl_rsa_private_key.destroy.
+ */
+static bool sign(private_openssl_rsa_private_key_t *this, signature_scheme_t scheme, 
+				 chunk_t data, chunk_t *signature)
+{
+	switch (scheme)
+	{
+		case SIGN_DEFAULT:
+			/* default is EMSA-PKCS1 using SHA1 */
+		case SIGN_RSA_EMSA_PKCS1_SHA1:
+			return build_emsa_pkcs1_signature(this, NID_sha1, data, signature);
+		case SIGN_RSA_EMSA_PKCS1_SHA256:
+			return build_emsa_pkcs1_signature(this, NID_sha256, data, signature);
+		case SIGN_RSA_EMSA_PKCS1_SHA384:
+			return build_emsa_pkcs1_signature(this, NID_sha384, data, signature);
+		case SIGN_RSA_EMSA_PKCS1_SHA512:
+			return build_emsa_pkcs1_signature(this, NID_sha512, data, signature);
+		case SIGN_RSA_EMSA_PKCS1_MD5:
+			return build_emsa_pkcs1_signature(this, NID_md5, data, signature);
+		default:
+			DBG1("signature scheme %N not supported in RSA",
+				 signature_scheme_names, scheme);
+			return FALSE;
+	}
+}
+
+/**
+ * Implementation of openssl_rsa_private_key.destroy.
+ */
+static bool decrypt(private_openssl_rsa_private_key_t *this,
+					chunk_t crypto, chunk_t *plain)
+{
+	DBG1("RSA private key decryption not implemented");
+	return FALSE;
+}
+
+/**
+ * Implementation of openssl_rsa_private_key.destroy.
+ */
+static size_t get_keysize(private_openssl_rsa_private_key_t *this)
+{
+	return RSA_size(this->rsa);
+}
+
+/**
+ * Implementation of openssl_rsa_private_key.destroy.
+ */
+static identification_t* get_id(private_openssl_rsa_private_key_t *this,
+								id_type_t type)
+{
+	switch (type)
+	{
+		case ID_PUBKEY_INFO_SHA1:
+			return this->keyid_info;
+		case ID_PUBKEY_SHA1:
+			return this->keyid;
+		default:
+			return NULL;
+	}
+}
+
+/**
+ * Implementation of openssl_rsa_private_key.destroy.
+ */
+static openssl_rsa_public_key_t* get_public_key(private_openssl_rsa_private_key_t *this)
+{
+	return openssl_rsa_public_key_create_from_n_e(this->rsa->n, this->rsa->e);
+}
+
+/**
+ * Implementation of openssl_rsa_private_key.destroy.
+ */
+static bool belongs_to(private_openssl_rsa_private_key_t *this, public_key_t *public)
+{
+	identification_t *keyid;
+
+	if (public->get_type(public) != KEY_RSA)
+	{
+		return FALSE;
+	}
+	keyid = public->get_id(public, ID_PUBKEY_SHA1);
+	if (keyid && keyid->equals(keyid, this->keyid))
+	{
+		return TRUE;
+	}
+	keyid = public->get_id(public, ID_PUBKEY_INFO_SHA1);
+	if (keyid && keyid->equals(keyid, this->keyid_info))
+	{
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/**
+ * Implementation of private_key_t.get_encoding.
+ */
+static chunk_t get_encoding(private_openssl_rsa_private_key_t *this)
+{
+	chunk_t enc = chunk_alloc(i2d_RSAPrivateKey(this->rsa, NULL));
+	u_char *p = enc.ptr;
+	i2d_RSAPrivateKey(this->rsa, &p);
+	return enc;
+}
+
+/**
+ * Implementation of openssl_rsa_private_key.destroy.
+ */
+static private_openssl_rsa_private_key_t* get_ref(private_openssl_rsa_private_key_t *this)
+{
+	ref_get(&this->ref);
+	return this;
+
+}
+
+/**
+ * Implementation of openssl_rsa_private_key.destroy.
+ */
+static void destroy(private_openssl_rsa_private_key_t *this)
+{
+	if (ref_put(&this->ref))
+	{
+		if (this->rsa)
+		{
+			RSA_free(this->rsa);
+		}
+		DESTROY_IF(this->keyid);
+		DESTROY_IF(this->keyid_info);
+		free(this);
+	}
+}
+
+/**
+ * Internal generic constructor
+ */
+static private_openssl_rsa_private_key_t *openssl_rsa_private_key_create_empty(void)
+{
+	private_openssl_rsa_private_key_t *this = malloc_thing(private_openssl_rsa_private_key_t);
+	
+	this->public.interface.get_type = (key_type_t (*)(private_key_t *this))get_type;
+	this->public.interface.sign = (bool (*)(private_key_t *this, signature_scheme_t scheme, chunk_t data, chunk_t *signature))sign;
+	this->public.interface.decrypt = (bool (*)(private_key_t *this, chunk_t crypto, chunk_t *plain))decrypt;
+	this->public.interface.get_keysize = (size_t (*) (private_key_t *this))get_keysize;
+	this->public.interface.get_id = (identification_t* (*) (private_key_t *this,id_type_t))get_id;
+	this->public.interface.get_public_key = (public_key_t* (*)(private_key_t *this))get_public_key;
+	this->public.interface.belongs_to = (bool (*) (private_key_t *this, public_key_t *public))belongs_to;
+	this->public.interface.get_encoding = (chunk_t(*)(private_key_t*))get_encoding;
+	this->public.interface.get_ref = (private_key_t* (*)(private_key_t *this))get_ref;
+	this->public.interface.destroy = (void (*)(private_key_t *this))destroy;
+	
+	this->keyid = NULL;
+	this->keyid_info = NULL;
+	this->ref = 1;
+	
+	return this;
+}
+
+/**
+ * Generate an RSA key of specified key size
+ */
+static openssl_rsa_private_key_t *generate(size_t key_size)
+{
+	private_openssl_rsa_private_key_t *this = openssl_rsa_private_key_create_empty();
+	
+	this->rsa = RSA_generate_key(key_size, PUBLIC_EXPONENT, NULL, NULL);
+	
+	if (!openssl_rsa_public_key_build_id(this->rsa, &this->keyid, &this->keyid_info))
+	{
+		destroy(this);
+		return NULL;
+	}
+	
+	return &this->public;
+}
+
+/**
+ * load private key from an ASN1 encoded blob
+ */
+static openssl_rsa_private_key_t *load(chunk_t blob)
+{
+	u_char *p = blob.ptr;
+	private_openssl_rsa_private_key_t *this = openssl_rsa_private_key_create_empty();
+	
+	this->rsa = d2i_RSAPrivateKey(NULL, (const u_char**)&p, blob.len);
+	
+	chunk_clear(&blob);
+
+	if (!this->rsa)
+	{
+		destroy(this);
+		return NULL;
+	}
+	
+	if (!openssl_rsa_public_key_build_id(this->rsa, &this->keyid, &this->keyid_info))
+	{
+		destroy(this);
+		return NULL;
+	}
+	
+	if (!RSA_check_key(this->rsa))
+	{
+		destroy(this);
+		return NULL;
+	}
+	
+	return &this->public;
+}
+
+typedef struct private_builder_t private_builder_t;
+/**
+ * Builder implementation for key loading/generation
+ */
+struct private_builder_t {
+	/** implements the builder interface */
+	builder_t public;
+	/** loaded/generated private key */
+	openssl_rsa_private_key_t *key;
+};
+
+/**
+ * Implementation of builder_t.build
+ */
+static openssl_rsa_private_key_t *build(private_builder_t *this)
+{
+	openssl_rsa_private_key_t *key = this->key;
+	
+	free(this);
+	return key;
+}
+
+/**
+ * Implementation of builder_t.add
+ */
+static void add(private_builder_t *this, builder_part_t part, ...)
+{
+	va_list args;
+	
+	if (this->key)
+	{
+		DBG1("ignoring surplus build part %N", builder_part_names, part);
+		return;
+	}
+	
+	switch (part)
+	{
+		case BUILD_BLOB_ASN1_DER:
+		{
+			va_start(args, part);
+			this->key = load(va_arg(args, chunk_t));
+			va_end(args);
+			break;
+		}		
+		case BUILD_KEY_SIZE:
+		{
+			va_start(args, part);
+			this->key = generate(va_arg(args, u_int));
+			va_end(args);
+			break;
+		}
+		default:
+			DBG1("ignoring unsupported build part %N", builder_part_names, part);
+			break;
+	}
+}
+
+/**
+ * Builder construction function
+ */
+builder_t *openssl_rsa_private_key_builder(key_type_t type)
+{
+	private_builder_t *this;
+	
+	if (type != KEY_RSA)
+	{
+		return NULL;
+	}
+	
+	this = malloc_thing(private_builder_t);
+	
+	this->key = NULL;
+	this->public.add = (void(*)(builder_t *this, builder_part_t part, ...))add;
+	this->public.build = (void*(*)(builder_t *this))build;
+	
+	return &this->public;
+}
+
diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.h b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.h
new file mode 100644
index 000000000..81d81b2db
--- /dev/null
+++ b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ * 
+ * $Id: openssl_rsa_private_key.h 4000 2008-05-22 12:13:10Z tobias $
+ */
+
+/**
+ * @defgroup openssl_rsa_private_key openssl_rsa_private_key
+ * @{ @ingroup openssl_p
+ */
+
+#ifndef OPENSSL_RSA_PRIVATE_KEY_H_
+#define OPENSSL_RSA_PRIVATE_KEY_H_
+
+#include <credentials/keys/private_key.h>
+
+typedef struct openssl_rsa_private_key_t openssl_rsa_private_key_t;
+
+/**
+ * private_key_t implementation of RSA algorithm using OpenSSL.
+ */
+struct openssl_rsa_private_key_t {
+
+	/**
+	 * Implements private_key_t interface
+	 */
+	private_key_t interface;
+};
+
+/**
+ * Create the builder for a private key.
+ *
+ * @param type		type of the key, must be KEY_RSA
+ * @return 			builder instance
+ */
+builder_t *openssl_rsa_private_key_builder(key_type_t type);
+
+#endif /*OPENSSL_RSA_PRIVATE_KEY_H_ @}*/
diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
new file mode 100644
index 000000000..755b86e96
--- /dev/null
+++ b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
@@ -0,0 +1,433 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id: openssl_rsa_public_key.c 3963 2008-05-15 12:41:06Z tobias $
+ */
+
+#include "openssl_rsa_public_key.h"
+
+#include <debug.h>
+
+#include <openssl/evp.h>
+#include <openssl/rsa.h>
+#include <openssl/x509.h>
+
+typedef struct private_openssl_rsa_public_key_t private_openssl_rsa_public_key_t;
+
+/**
+ * Private data structure with signing context.
+ */
+struct private_openssl_rsa_public_key_t {
+	/**
+	 * Public interface for this signer.
+	 */
+	openssl_rsa_public_key_t public;
+	
+	/**
+	 * RSA object from OpenSSL
+	 */
+	RSA *rsa;
+	
+	/**
+	 * Keyid formed as a SHA-1 hash of a publicKeyInfo object
+	 */
+	identification_t *keyid_info;
+	
+	/**
+	 * Keyid formed as a SHA-1 hash of a publicKey object
+	 */
+	identification_t *keyid;
+	
+	/**
+	 * reference counter
+	 */
+	refcount_t ref;
+};
+
+/**
+ * Verification of an EMPSA PKCS1 signature described in PKCS#1
+ */
+static bool verify_emsa_pkcs1_signature(private_openssl_rsa_public_key_t *this,
+										int type, chunk_t data, chunk_t signature)
+{
+	bool valid = FALSE;
+	const EVP_MD *hasher = EVP_get_digestbynid(type);
+	if (!hasher)
+	{
+		return FALSE;
+	}
+	
+	EVP_MD_CTX *ctx = EVP_MD_CTX_create();
+	EVP_PKEY *key = EVP_PKEY_new();
+	if (!ctx || !key)
+	{
+		goto error;
+	}
+	
+	if (!EVP_PKEY_set1_RSA(key, this->rsa))
+	{
+		goto error;
+	}
+	
+	if (!EVP_VerifyInit_ex(ctx, hasher, NULL))
+	{
+		goto error;
+	}
+	
+	if (!EVP_VerifyUpdate(ctx, data.ptr, data.len))
+	{
+		goto error;
+	}
+	
+	/* remove any preceding 0-bytes from signature */
+	while (signature.len && *(signature.ptr) == 0x00)
+	{
+		signature.len -= 1;
+		signature.ptr++;
+	}
+	
+	valid = (EVP_VerifyFinal(ctx, signature.ptr, signature.len, key) == 1);
+	
+error:
+	if (key)
+	{
+		EVP_PKEY_free(key);
+	}
+	if (ctx)
+	{
+		EVP_MD_CTX_destroy(ctx);
+	}
+	return valid;
+}
+
+/**
+ * Implementation of public_key_t.get_type.
+ */
+static key_type_t get_type(private_openssl_rsa_public_key_t *this)
+{
+	return KEY_RSA;
+}
+
+/**
+ * Implementation of public_key_t.verify.
+ */
+static bool verify(private_openssl_rsa_public_key_t *this, signature_scheme_t scheme, 
+				   chunk_t data, chunk_t signature)
+{
+	switch (scheme)
+	{
+		case SIGN_DEFAULT:
+			/* default is EMSA-PKCS1 using SHA1 */
+		case SIGN_RSA_EMSA_PKCS1_SHA1:
+			return verify_emsa_pkcs1_signature(this, NID_sha1, data, signature);
+		case SIGN_RSA_EMSA_PKCS1_SHA256:
+			return verify_emsa_pkcs1_signature(this, NID_sha256, data, signature);
+		case SIGN_RSA_EMSA_PKCS1_SHA384:
+			return verify_emsa_pkcs1_signature(this, NID_sha384, data, signature);
+		case SIGN_RSA_EMSA_PKCS1_SHA512:
+			return verify_emsa_pkcs1_signature(this, NID_sha512, data, signature);
+		case SIGN_RSA_EMSA_PKCS1_MD5:
+			return verify_emsa_pkcs1_signature(this, NID_md5, data, signature);
+		default:
+			DBG1("signature scheme %N not supported in RSA",
+				 signature_scheme_names, scheme);
+			return FALSE;
+	}
+}
+
+/**
+ * Implementation of public_key_t.get_keysize.
+ */
+static bool encrypt(private_openssl_rsa_public_key_t *this, chunk_t crypto, chunk_t *plain)
+{
+	DBG1("RSA public key encryption not implemented");
+	return FALSE;
+}
+
+/**
+ * Implementation of public_key_t.get_keysize.
+ */
+static size_t get_keysize(private_openssl_rsa_public_key_t *this)
+{
+	return RSA_size(this->rsa);
+}
+
+/**
+ * Implementation of public_key_t.get_id.
+ */
+static identification_t *get_id(private_openssl_rsa_public_key_t *this,
+								id_type_t type)
+{
+	switch (type)
+	{
+		case ID_PUBKEY_INFO_SHA1:
+			return this->keyid_info;
+		case ID_PUBKEY_SHA1:
+			return this->keyid;
+		default:
+			return NULL;
+	}
+}
+
+/**
+ * Encodes the public key
+ */ 
+static chunk_t get_encoding_raw(RSA *rsa)
+{
+	chunk_t enc = chunk_alloc(i2d_RSAPublicKey(rsa, NULL));
+	u_char *p = enc.ptr;
+	i2d_RSAPublicKey(rsa, &p);
+	return enc;
+}
+
+/**
+ * Encodes the public key with the algorithm used
+ */
+static chunk_t get_encoding_with_algo(RSA *rsa)
+{
+	u_char *p;
+	chunk_t enc;
+	X509_PUBKEY *pubkey = X509_PUBKEY_new();
+	
+	ASN1_OBJECT_free(pubkey->algor->algorithm);
+	pubkey->algor->algorithm = OBJ_nid2obj(NID_rsaEncryption);
+	
+	if (pubkey->algor->parameter == NULL ||
+		pubkey->algor->parameter->type != V_ASN1_NULL)
+	{
+		ASN1_TYPE_free(pubkey->algor->parameter);
+		pubkey->algor->parameter = ASN1_TYPE_new();
+		pubkey->algor->parameter->type = V_ASN1_NULL;
+	}
+	
+	enc = get_encoding_raw(rsa);
+	M_ASN1_BIT_STRING_set(pubkey->public_key, enc.ptr, enc.len);
+	chunk_free(&enc);
+	
+	enc = chunk_alloc(i2d_X509_PUBKEY(pubkey, NULL));
+	p = enc.ptr;
+	i2d_X509_PUBKEY(pubkey, &p);
+	X509_PUBKEY_free(pubkey);
+	return enc;
+}
+
+/*
+ * Implementation of public_key_t.get_encoding.
+ */
+static chunk_t get_encoding(private_openssl_rsa_public_key_t *this)
+{
+	return get_encoding_raw(this->rsa);
+}
+
+/**
+ * Implementation of public_key_t.get_ref.
+ */
+static private_openssl_rsa_public_key_t* get_ref(private_openssl_rsa_public_key_t *this)
+{
+	ref_get(&this->ref);
+	return this;
+}
+
+/**
+ * Implementation of openssl_rsa_public_key.destroy.
+ */
+static void destroy(private_openssl_rsa_public_key_t *this)
+{
+	if (ref_put(&this->ref))
+	{
+		if (this->rsa)
+		{
+			RSA_free(this->rsa);
+		}
+		DESTROY_IF(this->keyid);
+		DESTROY_IF(this->keyid_info);
+		free(this);
+	}
+}
+
+/**
+ * Generic private constructor
+ */
+static private_openssl_rsa_public_key_t *openssl_rsa_public_key_create_empty()
+{
+	private_openssl_rsa_public_key_t *this = malloc_thing(private_openssl_rsa_public_key_t);
+	
+	this->public.interface.get_type = (key_type_t (*)(public_key_t *this))get_type;
+	this->public.interface.verify = (bool (*)(public_key_t *this, signature_scheme_t scheme, chunk_t data, chunk_t signature))verify;
+	this->public.interface.encrypt = (bool (*)(public_key_t *this, chunk_t crypto, chunk_t *plain))encrypt;
+	this->public.interface.get_keysize = (size_t (*) (public_key_t *this))get_keysize;
+	this->public.interface.get_id = (identification_t* (*) (public_key_t *this,id_type_t))get_id;
+	this->public.interface.get_encoding = (chunk_t(*)(public_key_t*))get_encoding;
+	this->public.interface.get_ref = (public_key_t* (*)(public_key_t *this))get_ref;
+	this->public.interface.destroy = (void (*)(public_key_t *this))destroy;
+	
+	this->keyid = NULL;
+	this->keyid_info = NULL;
+	this->ref = 1;
+	
+	return this;
+}
+
+/**
+ * Build the RSA key identifier from n and e using SHA1 hashed publicKey(Info).
+ * Also used in openssl_rsa_private_key.c.
+ */
+bool openssl_rsa_public_key_build_id(RSA *rsa, identification_t **keyid,
+								 identification_t **keyid_info)
+{
+	chunk_t publicKeyInfo, publicKey, hash;
+	hasher_t *hasher;
+	
+	hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
+	if (hasher == NULL)
+	{
+		DBG1("SHA1 hash algorithm not supported, unable to use RSA");
+		return FALSE;
+	}
+	
+	publicKey = get_encoding_raw(rsa);
+	
+	hasher->allocate_hash(hasher, publicKey, &hash);
+	*keyid = identification_create_from_encoding(ID_PUBKEY_SHA1, hash);
+	chunk_free(&hash);
+	
+	publicKeyInfo = get_encoding_with_algo(rsa);
+	
+	hasher->allocate_hash(hasher, publicKeyInfo, &hash);
+	*keyid_info = identification_create_from_encoding(ID_PUBKEY_INFO_SHA1, hash);
+	chunk_free(&hash);
+	
+	hasher->destroy(hasher);
+	chunk_free(&publicKeyInfo);
+	chunk_free(&publicKey);
+	
+	return TRUE;
+}
+
+/**
+ * Create a public key from BIGNUM values, used in openssl_rsa_private_key.c
+ */
+openssl_rsa_public_key_t *openssl_rsa_public_key_create_from_n_e(BIGNUM *n, BIGNUM *e)
+{
+	private_openssl_rsa_public_key_t *this = openssl_rsa_public_key_create_empty();
+	
+	this->rsa = RSA_new();
+	this->rsa->n = BN_dup(n);
+	this->rsa->e = BN_dup(e);
+	
+	if (!openssl_rsa_public_key_build_id(this->rsa, &this->keyid, &this->keyid_info))
+	{
+		destroy(this);
+		return NULL;
+	}
+	return &this->public;
+}
+
+/**
+ * Load a public key from an ASN1 encoded blob
+ */
+static openssl_rsa_public_key_t *load(chunk_t blob)
+{
+	u_char *p = blob.ptr;
+	private_openssl_rsa_public_key_t *this = openssl_rsa_public_key_create_empty();
+
+	this->rsa = d2i_RSAPublicKey(NULL, (const u_char**)&p, blob.len);
+	
+	chunk_clear(&blob);
+
+	if (!this->rsa)
+	{
+		destroy(this);
+		return NULL;
+	}
+
+	if (!openssl_rsa_public_key_build_id(this->rsa, &this->keyid, &this->keyid_info))
+	{
+		destroy(this);
+		return NULL;
+	}
+	return &this->public;
+}
+
+typedef struct private_builder_t private_builder_t;
+/**
+ * Builder implementation for key loading
+ */
+struct private_builder_t {
+	/** implements the builder interface */
+	builder_t public;
+	/** loaded public key */
+	openssl_rsa_public_key_t *key;
+};
+
+/**
+ * Implementation of builder_t.build
+ */
+static openssl_rsa_public_key_t *build(private_builder_t *this)
+{
+	openssl_rsa_public_key_t *key = this->key;
+	
+	free(this);
+	return key;
+}
+
+/**
+ * Implementation of builder_t.add
+ */
+static void add(private_builder_t *this, builder_part_t part, ...)
+{
+	va_list args;
+	
+	if (this->key)
+	{
+		DBG1("ignoring surplus build part %N", builder_part_names, part);
+		return;
+	}
+	
+	switch (part)
+	{
+		case BUILD_BLOB_ASN1_DER:
+		{
+			va_start(args, part);
+			this->key = load(va_arg(args, chunk_t));
+			va_end(args);
+			break;
+		}
+		default:
+			DBG1("ignoring unsupported build part %N", builder_part_names, part);
+			break;
+	}
+}
+
+/**
+ * Builder construction function
+ */
+builder_t *openssl_rsa_public_key_builder(key_type_t type)
+{
+	private_builder_t *this;
+	
+	if (type != KEY_RSA)
+	{
+		return NULL;
+	}
+	
+	this = malloc_thing(private_builder_t);
+	
+	this->key = NULL;
+	this->public.add = (void(*)(builder_t *this, builder_part_t part, ...))add;
+	this->public.build = (void*(*)(builder_t *this))build;
+	
+	return &this->public;
+}
+
diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.h b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.h
new file mode 100644
index 000000000..570fb69cb
--- /dev/null
+++ b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id: openssl_rsa_public_key.h 4000 2008-05-22 12:13:10Z tobias $
+ */
+
+/**
+ * @defgroup openssl_rsa_public_key openssl_rsa_public_key
+ * @{ @ingroup openssl_p
+ */
+
+#ifndef OPENSSL_RSA_PUBLIC_KEY_H_
+#define OPENSSL_RSA_PUBLIC_KEY_H_
+
+typedef struct openssl_rsa_public_key_t openssl_rsa_public_key_t;
+
+#include <credentials/keys/public_key.h>
+
+/**
+ * public_key_t implementation of RSA algorithm using OpenSSL.
+ */
+struct openssl_rsa_public_key_t {
+
+	/**
+	 * Implements the public_key_t interface
+	 */
+	public_key_t interface;
+};
+
+/**
+ * Create the builder for a public key.
+ *
+ * @param type		type of the key, must be KEY_RSA
+ * @return 			builder instance
+ */
+builder_t *openssl_rsa_public_key_builder(key_type_t type);
+
+#endif /*OPENSSL_RSA_PUBLIC_KEY_H_ @}*/
diff --git a/src/libstrongswan/plugins/openssl/openssl_util.c b/src/libstrongswan/plugins/openssl/openssl_util.c
new file mode 100644
index 000000000..3c4f6595b
--- /dev/null
+++ b/src/libstrongswan/plugins/openssl/openssl_util.c
@@ -0,0 +1,120 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id: openssl_util.c 4051 2008-06-10 09:08:27Z tobias $
+ */
+
+#include "openssl_util.h"
+
+#include <debug.h>
+
+#include <openssl/evp.h>
+
+/**
+ * Described in header.
+ */
+bool openssl_hash_chunk(int hash_type, chunk_t data, chunk_t *hash)
+{
+	EVP_MD_CTX *ctx;
+	bool ret = FALSE;
+	const EVP_MD *hasher = EVP_get_digestbynid(hash_type);
+	if (!hasher)
+	{
+		return FALSE;
+	}
+	
+	ctx = EVP_MD_CTX_create();	
+	if (!ctx)
+	{
+		goto error;
+	}
+	
+	if (!EVP_DigestInit_ex(ctx, hasher, NULL))
+	{
+		goto error;
+	}
+	
+	if (!EVP_DigestUpdate(ctx, data.ptr, data.len))
+	{
+		goto error;
+	}
+	
+	*hash = chunk_alloc(hasher->md_size);
+	if (!EVP_DigestFinal_ex(ctx, hash->ptr, NULL))
+	{
+		chunk_free(hash);
+		goto error;
+	}
+	
+	ret = TRUE;
+error:
+	if (ctx)
+	{
+		EVP_MD_CTX_destroy(ctx);
+	}
+	return ret;
+}
+
+/**
+ * Described in header.
+ */
+bool openssl_bn_cat(int len, BIGNUM *a, BIGNUM *b, chunk_t *chunk)
+{
+	int offset;
+	
+	chunk->len = len * 2;
+	chunk->ptr = malloc(chunk->len);
+	memset(chunk->ptr, 0, chunk->len);
+	
+	offset = len - BN_num_bytes(a);
+	if (!BN_bn2bin(a, chunk->ptr + offset))
+	{
+		goto error;
+	}
+	
+	offset = len - BN_num_bytes(b);
+	if (!BN_bn2bin(b, chunk->ptr + len + offset))
+	{
+		goto error;
+	}
+	
+	return TRUE;
+error:
+	chunk_free(chunk);
+	return FALSE;
+}
+
+
+/**
+ * Described in header.
+ */
+bool openssl_bn_split(chunk_t chunk, BIGNUM *a, BIGNUM *b)
+{
+	int len;
+	
+	if ((chunk.len % 2) != 0)
+	{
+		return FALSE;
+	}
+	
+	len = chunk.len / 2;
+	
+	if (!BN_bin2bn(chunk.ptr, len, a) ||
+		!BN_bin2bn(chunk.ptr + len, len, b))
+	{
+		return FALSE;
+	}
+	
+	return TRUE;
+}
diff --git a/src/libstrongswan/plugins/openssl/openssl_util.h b/src/libstrongswan/plugins/openssl/openssl_util.h
new file mode 100644
index 000000000..2dbd5054e
--- /dev/null
+++ b/src/libstrongswan/plugins/openssl/openssl_util.h
@@ -0,0 +1,70 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id: openssl_util.h 4051 2008-06-10 09:08:27Z tobias $
+ */
+
+/**
+ * @defgroup openssl_util openssl_util
+ * @{ @ingroup openssl_p
+ */
+
+#ifndef OPENSSL_UTIL_H_
+#define OPENSSL_UTIL_H_
+
+#include <library.h>
+#include <openssl/bn.h>
+
+/**
+ * Returns the length in bytes of a field element
+ */
+#define EC_FIELD_ELEMENT_LEN(group) ((EC_GROUP_get_degree(group) + 7) / 8)
+
+/**
+ * Creates a hash of a given type of a chunk of data.
+ * 
+ * Note: this function allocates memory for the hash
+ * 
+ * @param hash_type	NID of the hash
+ * @param data		the chunk of data to hash
+ * @param hash		chunk that contains the hash
+ * @return 			TRUE on success, FALSE otherwise
+ */
+bool openssl_hash_chunk(int hash_type, chunk_t data, chunk_t *hash);
+
+/**
+ * Concatenates two bignums into a chunk, thereby enfocing the length of
+ * a single BIGNUM, if necessary, by pre-pending it with zeros.
+ * 
+ * Note: this function allocates memory for the chunk
+ * 
+ * @param len		the length of a single BIGNUM
+ * @param a			first BIGNUM
+ * @param b			second BIGNUM
+ * @param chunk		resulting chunk
+ * @return			TRUE on success, FALSE otherwise
+ */
+bool openssl_bn_cat(int len, BIGNUM *a, BIGNUM *b, chunk_t *chunk);
+
+/**
+ * Splits a chunk into two bignums of equal binary length.
+ * 
+ * @param chunk		a chunk that contains the two BIGNUMs
+ * @param a			first BIGNUM
+ * @param b			second BIGNUM
+ * @return			TRUE on success, FALSE otherwise
+ */
+bool openssl_bn_split(chunk_t chunk, BIGNUM *a, BIGNUM *b);
+
+#endif /*OPENSSL_UTIL_H_ @}*/
diff --git a/src/libstrongswan/plugins/padlock/Makefile.am b/src/libstrongswan/plugins/padlock/Makefile.am
new file mode 100644
index 000000000..e2e76e9e6
--- /dev/null
+++ b/src/libstrongswan/plugins/padlock/Makefile.am
@@ -0,0 +1,12 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = -rdynamic
+
+plugin_LTLIBRARIES = libstrongswan-padlock.la
+
+libstrongswan_padlock_la_SOURCES = padlock_plugin.h padlock_plugin.c \
+	padlock_aes_crypter.c padlock_aes_crypter.h \
+	padlock_sha1_hasher.c padlock_sha1_hasher.h
+libstrongswan_padlock_la_LDFLAGS = -module
+
diff --git a/src/libstrongswan/plugins/padlock/Makefile.in b/src/libstrongswan/plugins/padlock/Makefile.in
new file mode 100644
index 000000000..d96b2cf6d
--- /dev/null
+++ b/src/libstrongswan/plugins/padlock/Makefile.in
@@ -0,0 +1,500 @@
+# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libstrongswan/plugins/padlock
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__installdirs = "$(DESTDIR)$(plugindir)"
+pluginLTLIBRARIES_INSTALL = $(INSTALL)
+LTLIBRARIES = $(plugin_LTLIBRARIES)
+libstrongswan_padlock_la_LIBADD =
+am_libstrongswan_padlock_la_OBJECTS = padlock_plugin.lo \
+	padlock_aes_crypter.lo padlock_sha1_hasher.lo
+libstrongswan_padlock_la_OBJECTS =  \
+	$(am_libstrongswan_padlock_la_OBJECTS)
+libstrongswan_padlock_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_padlock_la_LDFLAGS) $(LDFLAGS) -o $@
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_padlock_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_padlock_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+CXXDEPMODE = @CXXDEPMODE@
+CXXFLAGS = @CXXFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DSYMUTIL = @DSYMUTIL@
+ECHO = @ECHO@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+F77 = @F77@
+FFLAGS = @FFLAGS@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
+IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LINUX_HEADERS = @LINUX_HEADERS@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+NMEDIT = @NMEDIT@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+RANLIB = @RANLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_CXX = @ac_ct_CXX@
+ac_ct_F77 = @ac_ct_F77@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+confdir = @confdir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libstrongswan_plugins = @libstrongswan_plugins@
+linuxdir = @linuxdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+resolv_conf = @resolv_conf@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+simreader = @simreader@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+AM_CFLAGS = -rdynamic
+plugin_LTLIBRARIES = libstrongswan-padlock.la
+libstrongswan_padlock_la_SOURCES = padlock_plugin.h padlock_plugin.c \
+	padlock_aes_crypter.c padlock_aes_crypter.h \
+	padlock_sha1_hasher.c padlock_sha1_hasher.h
+
+libstrongswan_padlock_la_LDFLAGS = -module
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
+		&& exit 0; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/libstrongswan/plugins/padlock/Makefile'; \
+	cd $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu  src/libstrongswan/plugins/padlock/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    f=$(am__strip_dir) \
+	    echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(plugindir)/$$f'"; \
+	    $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(plugindir)/$$f"; \
+	  else :; fi; \
+	done
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  p=$(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$p'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$p"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-padlock.la: $(libstrongswan_padlock_la_OBJECTS) $(libstrongswan_padlock_la_DEPENDENCIES) 
+	$(libstrongswan_padlock_la_LINK) -rpath $(plugindir) $(libstrongswan_padlock_la_OBJECTS) $(libstrongswan_padlock_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/padlock_aes_crypter.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/padlock_plugin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/padlock_sha1_hasher.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	    $$tags $$unique; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$tags $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) $$here
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	    fi; \
+	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
+	mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-info: install-info-am
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
+	distclean-compile distclean-generic distclean-libtool \
+	distclean-tags distdir dvi dvi-am html html-am info info-am \
+	install install-am install-data install-data-am install-dvi \
+	install-dvi-am install-exec install-exec-am install-html \
+	install-html-am install-info install-info-am install-man \
+	install-pdf install-pdf-am install-pluginLTLIBRARIES \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libstrongswan/plugins/padlock/padlock_aes_crypter.c b/src/libstrongswan/plugins/padlock/padlock_aes_crypter.c
new file mode 100644
index 000000000..f6f9b3501
--- /dev/null
+++ b/src/libstrongswan/plugins/padlock/padlock_aes_crypter.c
@@ -0,0 +1,201 @@
+/*
+ * Copyright (C) 2008 Thomas Kallenberg
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil 
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+#include "padlock_aes_crypter.h"
+#include <stdio.h>
+
+#define AES_BLOCK_SIZE 16
+#define PADLOCK_ALIGN __attribute__ ((__aligned__(16)))
+
+typedef struct private_padlock_aes_crypter_t private_padlock_aes_crypter_t;
+
+/**
+ * Private data of padlock_aes_crypter_t
+ */
+struct private_padlock_aes_crypter_t {
+	
+	/**
+	 * Public part of this class.
+	 */
+	padlock_aes_crypter_t public;
+	
+	/*
+	 * the key
+	 */
+	chunk_t	key;
+};
+
+/**
+ * Control word structure to pass to crypt operations
+ */
+typedef struct {
+	u_int __attribute__ ((__packed__))
+		rounds:4,
+		algo:3,
+		keygen:1,
+		interm:1,
+		encdec:1,
+		ksize:2;
+	/* microcode needs additional bytes for calculation */
+	u_char buf[124];
+} cword;
+
+/**
+ * Invoke the actual de/encryption
+ */
+static void padlock_crypt(void *key, void *ctrl, void *src, void *dst, 
+						  int count, void *iv)
+{
+	asm volatile(
+		"pushl %%eax\n pushl %%ebx\n pushl %%ecx\n"
+		"pushl %%edx\n pushl %%esi\n pushl %%edi\n"
+		"pushfl\n popfl\n"
+		"movl %0, %%eax\n"
+		"movl %1, %%ebx\n"
+		"movl %2, %%ecx\n"
+		"movl %3, %%edx\n"
+		"movl %4, %%esi\n"
+		"movl %5, %%edi\n"
+		"rep\n"
+		".byte 0x0f, 0xa7, 0xd0\n"
+		"popl %%edi\n popl %%esi\n popl %%edx\n"
+		"popl %%ecx\n popl %%ebx\n popl %%eax\n"
+		:
+		: "m"(iv),"m"(key), "m"(count), "m"(ctrl), "m"(src), "m"(dst)
+		: "eax", "ecx", "edx", "esi", "edi");
+}
+
+/*
+ * Implementation of crypter_t.crypt
+ */
+static void crypt(private_padlock_aes_crypter_t *this, char *iv, 
+				  chunk_t src, chunk_t *dst, bool enc)
+{
+	cword cword PADLOCK_ALIGN;
+	u_char key_aligned[256] PADLOCK_ALIGN;
+	u_char iv_aligned[16] PADLOCK_ALIGN;
+
+	memset(&cword, 0, sizeof(cword));
+
+	/* set encryption/decryption flag */
+	cword.encdec = enc;
+	/* calculate rounds and key size */
+	cword.rounds = 10 + (this->key.len - 16) / 4;
+	cword.ksize = (this->key.len - 16) / 8;
+	/* enable autoalign */
+	cword.algo |= 2;
+
+	/* move data to aligned buffers */
+	memcpy(iv_aligned, iv, sizeof(iv_aligned));
+	memcpy(key_aligned, this->key.ptr, this->key.len);
+
+	*dst = chunk_alloc(src.len);
+	padlock_crypt(key_aligned, &cword, src.ptr, dst->ptr,
+				  src.len / AES_BLOCK_SIZE, iv_aligned);
+}
+
+/**
+ * Implementation of crypter_t.decrypt.
+ */
+static void decrypt(private_padlock_aes_crypter_t *this, chunk_t data, 
+						chunk_t iv, chunk_t *dst)
+{
+	crypt(this, iv.ptr, data, dst, TRUE);
+}
+
+
+/**
+ * Implementation of crypter_t.encrypt.
+ */
+static void encrypt (private_padlock_aes_crypter_t *this, chunk_t data, 
+							chunk_t iv, chunk_t *dst)
+{
+	crypt(this, iv.ptr, data, dst, FALSE);
+}
+
+/**
+ * Implementation of crypter_t.get_block_size.
+ */
+static size_t get_block_size(private_padlock_aes_crypter_t *this)
+{
+	return AES_BLOCK_SIZE;
+}
+
+/**
+ * Implementation of crypter_t.get_key_size.
+ */
+static size_t get_key_size(private_padlock_aes_crypter_t *this)
+{
+	return this->key.len;
+}
+
+/**
+ * Implementation of crypter_t.set_key.
+ */
+static void set_key(private_padlock_aes_crypter_t *this, chunk_t key)
+{
+	memcpy(this->key.ptr, key.ptr, min(key.len, this->key.len));
+}
+
+/**
+ * Implementation of crypter_t.destroy and aes_crypter_t.destroy.
+ */
+static void destroy (private_padlock_aes_crypter_t *this)
+{
+	free(this->key.ptr);
+	free(this);
+}
+
+/*
+ * Described in header
+ */
+padlock_aes_crypter_t *padlock_aes_crypter_create(encryption_algorithm_t algo, 
+												  size_t key_size)
+{
+	private_padlock_aes_crypter_t *this;
+	
+	if (algo != ENCR_AES_CBC)
+	{
+		return NULL;
+	}
+	
+	this = malloc_thing(private_padlock_aes_crypter_t);
+	
+	switch (key_size)
+	{
+		case 16:        /* AES 128 */
+			break;
+		case 24:        /* AES-192 */
+		case 32:        /* AES-256 */
+			/* These need an expanded key, currently not supported, FALL */
+		default:
+			free(this);
+			return NULL;
+	}
+	
+	this->key = chunk_alloc(key_size);
+	
+	this->public.crypter_interface.encrypt = (void (*) (crypter_t *, chunk_t,chunk_t, chunk_t *)) encrypt;
+	this->public.crypter_interface.decrypt = (void (*) (crypter_t *, chunk_t , chunk_t, chunk_t *)) decrypt;
+	this->public.crypter_interface.get_block_size = (size_t (*) (crypter_t *)) get_block_size;
+	this->public.crypter_interface.get_key_size = (size_t (*) (crypter_t *)) get_key_size;
+	this->public.crypter_interface.set_key = (void (*) (crypter_t *,chunk_t)) set_key;
+	this->public.crypter_interface.destroy = (void (*) (crypter_t *)) destroy;
+	
+	return &this->public;
+}
diff --git a/src/libstrongswan/plugins/padlock/padlock_aes_crypter.h b/src/libstrongswan/plugins/padlock/padlock_aes_crypter.h
new file mode 100644
index 000000000..e8b01633d
--- /dev/null
+++ b/src/libstrongswan/plugins/padlock/padlock_aes_crypter.h
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) 2008 Thomas Kallenberg
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup padlock_aes_crypter padlock_aes_crypter
+ * @{ @ingroup padlock_p
+ */
+
+#ifndef PADLOCK_AES_CRYPTER_H_
+#define PADLOCK_AES_CRYPTER_H_
+
+typedef struct padlock_aes_crypter_t padlock_aes_crypter_t;
+
+#include <crypto/crypters/crypter.h>
+
+/**
+ * Implementation of AES-128 using VIA Padlock.
+ */
+struct padlock_aes_crypter_t {
+	
+	/**
+	 * The crypter_t interface.
+	 */
+	crypter_t crypter_interface;
+};
+
+/**
+ * Constructor to create padlock_aes_crypter_t.
+ * 
+ * @param key_size		key size in bytes, currently supports only 16.
+ * @param algo			algorithm to implement, must be ENCR_AES_CBC
+ * @return				padlock_aes_crypter_t, NULL if not supported
+ */
+padlock_aes_crypter_t *padlock_aes_crypter_create(encryption_algorithm_t algo,
+												  size_t key_size);
+
+#endif /* PADLOCK_AES_CRYPTER_H_ @}*/
diff --git a/src/libstrongswan/plugins/padlock/padlock_plugin.c b/src/libstrongswan/plugins/padlock/padlock_plugin.c
new file mode 100644
index 000000000..822acc4a2
--- /dev/null
+++ b/src/libstrongswan/plugins/padlock/padlock_plugin.c
@@ -0,0 +1,64 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+#include "padlock_plugin.h"
+
+#include <library.h>
+#include "padlock_aes_crypter.h"
+#include "padlock_sha1_hasher.h"
+
+typedef struct private_padlock_plugin_t private_padlock_plugin_t;
+
+/**
+ * private data of aes_plugin
+ */
+struct private_padlock_plugin_t {
+
+	/**
+	 * public functions
+	 */
+	padlock_plugin_t public;
+};
+
+/**
+ * Implementation of aes_plugin_t.destroy
+ */
+static void destroy(private_padlock_plugin_t *this)
+{
+	lib->crypto->remove_crypter(lib->crypto,
+					(crypter_constructor_t)padlock_aes_crypter_create);
+	lib->crypto->remove_hasher(lib->crypto,
+					(hasher_constructor_t)padlock_sha1_hasher_create);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *plugin_create()
+{
+	private_padlock_plugin_t *this = malloc_thing(private_padlock_plugin_t);
+	
+	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+	
+	lib->crypto->add_crypter(lib->crypto, ENCR_AES_CBC,
+					(crypter_constructor_t)padlock_aes_crypter_create);
+	lib->crypto->add_hasher(lib->crypto, HASH_SHA1,
+					(hasher_constructor_t)padlock_sha1_hasher_create);
+	
+	return &this->public.plugin;
+}
diff --git a/src/libstrongswan/plugins/padlock/padlock_plugin.h b/src/libstrongswan/plugins/padlock/padlock_plugin.h
new file mode 100644
index 000000000..7e013a5f7
--- /dev/null
+++ b/src/libstrongswan/plugins/padlock/padlock_plugin.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup padlock_p padlock
+ * @ingroup plugins
+ *
+ * @defgroup padlock_plugin padlock_plugin
+ * @{ @ingroup padlock_p
+ */
+
+#ifndef PADLOCK_PLUGIN_H_
+#define PADLOCK_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct padlock_plugin_t padlock_plugin_t;
+
+/**
+ * Plugin implementing VIA Padlock crypto functions
+ */
+struct padlock_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+/**
+ * Create a padlock_plugin instance.
+ */
+plugin_t *plugin_create();
+
+#endif /* PADLOCK_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/padlock/padlock_sha1_hasher.c b/src/libstrongswan/plugins/padlock/padlock_sha1_hasher.c
new file mode 100644
index 000000000..4ac5ddf4d
--- /dev/null
+++ b/src/libstrongswan/plugins/padlock/padlock_sha1_hasher.c
@@ -0,0 +1,177 @@
+/*
+ * Copyright (C) 2008 Thomas Kallenberg
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+#include <string.h>
+#include <arpa/inet.h>
+#include <byteswap.h>
+
+#include "padlock_sha1_hasher.h"
+
+#define PADLOCK_ALIGN __attribute__ ((__aligned__(16)))
+
+typedef struct private_padlock_sha1_hasher_t private_padlock_sha1_hasher_t;
+
+/**
+ * Private data structure with hasing context.
+ */
+struct private_padlock_sha1_hasher_t {
+	/**
+	 * Public interface for this hasher.
+	 */
+	padlock_sha1_hasher_t public;
+	
+	/**
+	 * data collected to hash
+	 */
+	chunk_t data;
+};
+
+/**
+ * Invoke the actual padlock sha1() operation
+ */
+static void padlock_sha1(int len, u_char *in, u_char *out)
+{
+	/* rep xsha1 */
+    asm volatile (
+		".byte 0xf3, 0x0f, 0xa6, 0xc8" 
+		: "+S"(in), "+D"(out)
+		: "c"(len), "a"(0));
+}
+
+/**
+ * sha1() a buffer of data into digest
+ */
+static void sha1(chunk_t data, u_int32_t *digest)
+{
+	u_int32_t hash[128] PADLOCK_ALIGN;
+ 
+	hash[0] = 0x67452301;
+	hash[1] = 0xefcdab89;
+	hash[2] = 0x98badcfe;
+	hash[3] = 0x10325476;
+	hash[4] = 0xc3d2e1f0;
+
+	padlock_sha1(data.len, data.ptr, (u_char*)hash);
+
+	digest[0] = bswap_32(hash[0]);
+	digest[1] = bswap_32(hash[1]);
+	digest[2] = bswap_32(hash[2]);
+	digest[3] = bswap_32(hash[3]);
+	digest[4] = bswap_32(hash[4]);
+}
+
+/**
+ * append data to the to-be-hashed buffer
+ */
+static void append_data(private_padlock_sha1_hasher_t *this, chunk_t data)
+{
+	this->data.ptr = realloc(this->data.ptr, this->data.len + data.len);
+	memcpy(this->data.ptr + this->data.len, data.ptr, data.len);
+	this->data.len += data.len;
+}
+
+/**
+ * Implementation of hasher_t.reset.
+ */
+static void reset(private_padlock_sha1_hasher_t *this)
+{
+	chunk_free(&this->data);
+}
+
+/**
+ * Implementation of hasher_t.get_hash.
+ */
+static void get_hash(private_padlock_sha1_hasher_t *this, chunk_t chunk,
+					 u_int8_t *hash)
+{
+	if (hash)
+	{
+		if (this->data.len)
+		{
+			append_data(this, chunk);
+			sha1(this->data, (u_int32_t*)hash);
+		}
+		else
+		{   /* hash directly if no previous data found */   
+			sha1(chunk, (u_int32_t*)hash);
+		}
+		reset(this);
+	}
+	else
+	{
+		append_data(this, chunk);	
+	}
+}
+
+/**
+ * Implementation of hasher_t.allocate_hash.
+ */
+static void allocate_hash(private_padlock_sha1_hasher_t *this, chunk_t chunk,
+						  chunk_t *hash)
+{
+	if (hash)
+	{
+		*hash = chunk_alloc(HASH_SIZE_SHA1);
+		get_hash(this, chunk, hash->ptr);
+	}
+	else
+	{
+		get_hash(this, chunk, NULL);	
+	}
+}
+	
+/**
+ * Implementation of hasher_t.get_hash_size.
+ */
+static size_t get_hash_size(private_padlock_sha1_hasher_t *this)
+{
+	return HASH_SIZE_SHA1;
+}
+
+/**
+ * Implementation of hasher_t.destroy.
+ */
+static void destroy(private_padlock_sha1_hasher_t *this)
+{
+	free(this->data.ptr);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+padlock_sha1_hasher_t *padlock_sha1_hasher_create(hash_algorithm_t algo)
+{
+	private_padlock_sha1_hasher_t *this;
+	
+	if (algo != HASH_SHA1)
+	{
+		return NULL;
+	}
+	
+	this = malloc_thing(private_padlock_sha1_hasher_t);
+	this->public.hasher_interface.get_hash = (void (*) (hasher_t*, chunk_t, u_int8_t*))get_hash;
+	this->public.hasher_interface.allocate_hash = (void (*) (hasher_t*, chunk_t, chunk_t*))allocate_hash;
+	this->public.hasher_interface.get_hash_size = (size_t (*) (hasher_t*))get_hash_size;
+	this->public.hasher_interface.reset = (void (*) (hasher_t*))reset;
+	this->public.hasher_interface.destroy = (void (*) (hasher_t*))destroy;
+	
+	this->data = chunk_empty;
+	
+	return &(this->public);
+}
diff --git a/src/libstrongswan/plugins/padlock/padlock_sha1_hasher.h b/src/libstrongswan/plugins/padlock/padlock_sha1_hasher.h
new file mode 100644
index 000000000..6855b827f
--- /dev/null
+++ b/src/libstrongswan/plugins/padlock/padlock_sha1_hasher.h
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) 2008 Thomas Kallenberg
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup sha1_hasher sha1_hasher
+ * @{ @ingroup sha1_p
+ */
+
+#ifndef PADLOCK_SHA1_HASHER_H_
+#define PADLOCK_SHA1_HASHER_H_
+
+typedef struct padlock_sha1_hasher_t padlock_sha1_hasher_t;
+
+#include <crypto/hashers/hasher.h>
+
+/**
+ * Implementation of hasher_t interface using the SHA1 algorithm.
+ */
+struct padlock_sha1_hasher_t {
+	
+	/**
+	 * Implements hasher_t interface.
+	 */
+	hasher_t hasher_interface;
+};
+
+/**
+ * Creates a new sha1_hasher_t.
+ *
+ * @param algo		algorithm, must be HASH_SHA1
+ * @return			sha1_hasher_t object
+ */
+padlock_sha1_hasher_t *padlock_sha1_hasher_create(hash_algorithm_t algo);
+
+#endif /*SHA1_HASHER_H_ @}*/
diff --git a/src/libstrongswan/plugins/plugin.h b/src/libstrongswan/plugins/plugin.h
new file mode 100644
index 000000000..cf0b728a3
--- /dev/null
+++ b/src/libstrongswan/plugins/plugin.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup plugin plugin
+ * @{ @ingroup plugins
+ */
+
+#ifndef PLUGIN_H_
+#define PLUGIN_H_
+
+typedef struct plugin_t plugin_t;
+
+/**
+ * Interface definition of a plugin.
+ */
+struct plugin_t {
+	
+	/**
+     * Destroy a plugin instance.
+     */
+    void (*destroy)(plugin_t *this);
+};
+
+
+/**
+ * Plugin constructor function definiton.
+ *
+ * Each plugin has a constructor functions. This function is called on daemon
+ * startup to initialize each plugin.
+ * The plugin function is named plugin_create().
+ *
+ * @return				plugin_t instance
+ */
+typedef plugin_t *(*plugin_constructor_t)(void);
+
+#endif /* PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/plugin_loader.c b/src/libstrongswan/plugins/plugin_loader.c
new file mode 100644
index 000000000..4c5095e4a
--- /dev/null
+++ b/src/libstrongswan/plugins/plugin_loader.c
@@ -0,0 +1,193 @@
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id: plugin_loader.c 4108 2008-06-25 14:53:49Z martin $
+ */
+
+#define _GNU_SOURCE
+#include "plugin_loader.h"
+
+#include <string.h>
+#include <dlfcn.h>
+#include <limits.h>
+#include <stdio.h>
+
+#include <debug.h>
+#include <utils/linked_list.h>
+#include <plugins/plugin.h>
+
+typedef struct private_plugin_loader_t private_plugin_loader_t;
+
+/**
+ * private data of plugin_loader
+ */
+struct private_plugin_loader_t {
+
+	/**
+	 * public functions
+	 */
+	plugin_loader_t public;
+	
+	/**
+	 * list of loaded plugins
+	 */
+	linked_list_t *plugins;
+	
+	/**
+	 * names of loaded plugins
+	 */
+	linked_list_t *names;
+};
+
+/**
+ * load a single plugin
+ */
+static plugin_t* load_plugin(private_plugin_loader_t *this,
+							 char *path, char *name)
+{
+	char file[PATH_MAX];
+	void *handle;
+	plugin_t *plugin;
+	plugin_constructor_t constructor;
+	
+	snprintf(file, sizeof(file), "%s/libstrongswan-%s.so", path, name);
+	
+	handle = dlopen(file, RTLD_LAZY);
+	if (handle == NULL)
+	{
+		DBG1("loading plugin '%s' failed: %s", name, dlerror());
+		return NULL;
+	}
+	constructor = dlsym(handle, "plugin_create");
+	if (constructor == NULL)
+	{
+		DBG1("loading plugin '%s' failed: no plugin_create() function", name);
+		dlclose(handle);
+		return NULL;
+	}
+	plugin = constructor();
+	if (plugin == NULL)
+	{
+		DBG1("loading plugin '%s' failed: plugin_create() returned NULL", name);
+		dlclose(handle);
+		return NULL;
+	}
+	DBG2("plugin '%s' loaded successfully", name);
+	
+	/* we do not store or free dlopen() handles, leak_detective requires
+	 * the modules to keep loaded until leak report */
+	return plugin;
+}
+
+/**
+ * Implementation of plugin_loader_t.load_plugins.
+ */
+static int load(private_plugin_loader_t *this, char *path, char *list)
+{
+	plugin_t *plugin;
+	char *pos;
+	int count = 0;
+	
+	list = strdupa(list);
+	while (TRUE)
+	{
+		/* eat any whitespace in front */
+		while (*list == ' ')
+		{
+			list++;
+		}
+		/* have we reached the end of the list? */
+		if (!*list)
+		{
+			break;
+		}
+		pos = strchr(list, ' ');
+		if (pos)
+		{
+			*pos++ = '\0';
+		}
+		plugin = load_plugin(this, path, list);
+		if (plugin)
+		{	/* insert in front to destroy them in reverse order */
+			this->plugins->insert_last(this->plugins, plugin);
+			this->names->insert_last(this->names, strdup(list));
+			count++;
+		}
+		if (pos)
+		{
+			list = pos;
+		}
+		else
+		{
+			break;
+		}
+	}
+	return count;
+}
+
+/**
+ * Implementation of plugin_loader_t.unload
+ */
+static void unload(private_plugin_loader_t *this)
+{
+	plugin_t *plugin;
+	char *name;
+	
+	while (this->plugins->remove_first(this->plugins,
+									   (void**)&plugin) == SUCCESS)
+	{
+		plugin->destroy(plugin);
+	}
+	while (this->names->remove_first(this->names, (void**)&name) == SUCCESS)
+	{
+		free(name);
+	}
+}
+
+/**
+ * Implementation of plugin_loader_t.create_plugin_enumerator
+ */
+static enumerator_t* create_plugin_enumerator(private_plugin_loader_t *this)
+{
+	return this->names->create_enumerator(this->names);
+}	 
+
+/**
+ * Implementation of plugin_loader_t.destroy
+ */
+static void destroy(private_plugin_loader_t *this)
+{
+	this->plugins->destroy_offset(this->plugins, offsetof(plugin_t, destroy));
+	this->names->destroy_function(this->names, free);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_loader_t *plugin_loader_create()
+{
+	private_plugin_loader_t *this = malloc_thing(private_plugin_loader_t);
+	
+	this->public.load = (int(*)(plugin_loader_t*, char *path, char *prefix))load;
+	this->public.unload = (void(*)(plugin_loader_t*))unload;
+	this->public.create_plugin_enumerator = (enumerator_t*(*)(plugin_loader_t*))create_plugin_enumerator;
+	this->public.destroy = (void(*)(plugin_loader_t*))destroy;
+	
+	this->plugins = linked_list_create();
+	this->names = linked_list_create();
+	
+	return &this->public;
+}
+
diff --git a/src/libstrongswan/plugins/plugin_loader.h b/src/libstrongswan/plugins/plugin_loader.h
new file mode 100644
index 000000000..bd24e7558
--- /dev/null
+++ b/src/libstrongswan/plugins/plugin_loader.h
@@ -0,0 +1,67 @@
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup plugin_loader plugin_loader
+ * @{ @ingroup plugin
+ */
+
+#ifndef PLUGIN_LOADER_H_
+#define PLUGIN_LOADER_H_
+
+typedef struct plugin_loader_t plugin_loader_t;
+
+#include <utils/enumerator.h>
+
+/**
+ * The plugin_loader loads plugins from a directory and initializes them
+ */
+struct plugin_loader_t {	
+	
+	/**
+	 * Load a list of plugins from a directory.
+	 *
+	 * @param path			path containing loadable plugins
+	 * @param list			space separated list of plugins to load
+	 * @return				number of successfully loaded plugins
+	 */
+	int (*load)(plugin_loader_t *this, char *path, char *list);
+	
+	/**
+	 * Unload all loaded plugins.
+	 */
+	void (*unload)(plugin_loader_t *this);
+	
+	/**
+	 * Create an enumerator over all loaded plugin names.
+	 *
+	 * @return				enumerator over char*
+	 */
+	enumerator_t* (*create_plugin_enumerator)(plugin_loader_t *this);
+	
+	/**
+     * Unload loaded plugins, destroy plugin_loader instance.
+     */
+    void (*destroy)(plugin_loader_t *this);
+};
+
+/**
+ * Create a plugin_loader instance.
+ *
+ * @return			plugin loader instance
+ */
+plugin_loader_t *plugin_loader_create();
+
+#endif /* PLUGIN_LOADER_H_ @}*/
diff --git a/src/libstrongswan/plugins/pubkey/Makefile.am b/src/libstrongswan/plugins/pubkey/Makefile.am
new file mode 100644
index 000000000..3b512614f
--- /dev/null
+++ b/src/libstrongswan/plugins/pubkey/Makefile.am
@@ -0,0 +1,13 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = -rdynamic
+
+plugin_LTLIBRARIES = libstrongswan-pubkey.la
+
+libstrongswan_pubkey_la_SOURCES = pubkey_plugin.h pubkey_plugin.c \
+  pubkey_cert.h pubkey_cert.c\
+  pubkey_public_key.h pubkey_public_key.c
+
+libstrongswan_pubkey_la_LDFLAGS = -module
+
diff --git a/src/libstrongswan/plugins/pubkey/Makefile.in b/src/libstrongswan/plugins/pubkey/Makefile.in
new file mode 100644
index 000000000..ced339d15
--- /dev/null
+++ b/src/libstrongswan/plugins/pubkey/Makefile.in
@@ -0,0 +1,500 @@
+# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libstrongswan/plugins/pubkey
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__installdirs = "$(DESTDIR)$(plugindir)"
+pluginLTLIBRARIES_INSTALL = $(INSTALL)
+LTLIBRARIES = $(plugin_LTLIBRARIES)
+libstrongswan_pubkey_la_LIBADD =
+am_libstrongswan_pubkey_la_OBJECTS = pubkey_plugin.lo pubkey_cert.lo \
+	pubkey_public_key.lo
+libstrongswan_pubkey_la_OBJECTS =  \
+	$(am_libstrongswan_pubkey_la_OBJECTS)
+libstrongswan_pubkey_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_pubkey_la_LDFLAGS) $(LDFLAGS) -o $@
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_pubkey_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_pubkey_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+CXXDEPMODE = @CXXDEPMODE@
+CXXFLAGS = @CXXFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DSYMUTIL = @DSYMUTIL@
+ECHO = @ECHO@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+F77 = @F77@
+FFLAGS = @FFLAGS@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
+IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LINUX_HEADERS = @LINUX_HEADERS@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+NMEDIT = @NMEDIT@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+RANLIB = @RANLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_CXX = @ac_ct_CXX@
+ac_ct_F77 = @ac_ct_F77@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+confdir = @confdir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libstrongswan_plugins = @libstrongswan_plugins@
+linuxdir = @linuxdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+resolv_conf = @resolv_conf@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+simreader = @simreader@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+AM_CFLAGS = -rdynamic
+plugin_LTLIBRARIES = libstrongswan-pubkey.la
+libstrongswan_pubkey_la_SOURCES = pubkey_plugin.h pubkey_plugin.c \
+  pubkey_cert.h pubkey_cert.c\
+  pubkey_public_key.h pubkey_public_key.c
+
+libstrongswan_pubkey_la_LDFLAGS = -module
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
+		&& exit 0; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/libstrongswan/plugins/pubkey/Makefile'; \
+	cd $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu  src/libstrongswan/plugins/pubkey/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    f=$(am__strip_dir) \
+	    echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(plugindir)/$$f'"; \
+	    $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(plugindir)/$$f"; \
+	  else :; fi; \
+	done
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  p=$(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$p'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$p"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-pubkey.la: $(libstrongswan_pubkey_la_OBJECTS) $(libstrongswan_pubkey_la_DEPENDENCIES) 
+	$(libstrongswan_pubkey_la_LINK) -rpath $(plugindir) $(libstrongswan_pubkey_la_OBJECTS) $(libstrongswan_pubkey_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pubkey_cert.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pubkey_plugin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pubkey_public_key.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	    $$tags $$unique; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$tags $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) $$here
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	    fi; \
+	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
+	mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-info: install-info-am
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
+	distclean-compile distclean-generic distclean-libtool \
+	distclean-tags distdir dvi dvi-am html html-am info info-am \
+	install install-am install-data install-data-am install-dvi \
+	install-dvi-am install-exec install-exec-am install-html \
+	install-html-am install-info install-info-am install-man \
+	install-pdf install-pdf-am install-pluginLTLIBRARIES \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libstrongswan/plugins/pubkey/pubkey_cert.c b/src/libstrongswan/plugins/pubkey/pubkey_cert.c
new file mode 100644
index 000000000..63dffb47b
--- /dev/null
+++ b/src/libstrongswan/plugins/pubkey/pubkey_cert.c
@@ -0,0 +1,284 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+#include "pubkey_cert.h"
+
+#include <debug.h>
+
+typedef struct private_pubkey_cert_t private_pubkey_cert_t;
+
+/**
+ * private data of pubkey_cert
+ */
+struct private_pubkey_cert_t {
+
+	/**
+	 * public functions
+	 */
+	pubkey_cert_t public;
+	
+	/**
+	 * wrapped public key
+	 */
+	public_key_t *key;
+	
+	/**
+	 * dummy issuer id, ID_ANY
+	 */
+	identification_t *issuer;
+	
+	/**
+	 * reference count
+	 */
+	refcount_t ref;
+};
+
+/**
+ * Implementation of certificate_t.get_type
+ */
+static certificate_type_t get_type(private_pubkey_cert_t *this)
+{
+	return CERT_TRUSTED_PUBKEY;
+}
+
+/**
+ * Implementation of certificate_t.get_subject
+ */
+static identification_t* get_subject(private_pubkey_cert_t *this)
+{
+	return this->key->get_id(this->key, ID_PUBKEY_SHA1);
+}
+
+/**
+ * Implementation of certificate_t.get_issuer
+ */
+static identification_t* get_issuer(private_pubkey_cert_t *this)
+{
+	return this->issuer;
+}
+
+/**
+ * Implementation of certificate_t.has_subject.
+ */
+static id_match_t has_subject(private_pubkey_cert_t *this,
+							  identification_t *subject)
+{
+	identification_t *id;
+	
+	id = this->key->get_id(this->key, subject->get_type(subject));
+	if (id)
+	{
+		return id->matches(id, subject);
+	}
+	return ID_MATCH_NONE;	
+}
+
+/**
+ * Implementation of certificate_t.has_subject.
+ */
+static id_match_t has_issuer(private_pubkey_cert_t *this,
+							 identification_t *issuer)
+{
+	return ID_MATCH_NONE;
+}
+
+/**
+ * Implementation of certificate_t.equals.
+ */
+static bool equals(private_pubkey_cert_t *this, certificate_t *other)
+{
+	if (this == (private_pubkey_cert_t*)other)
+	{
+		return TRUE;
+	}
+	if (other->get_type(other) != CERT_TRUSTED_PUBKEY)
+	{
+		return FALSE;
+	}
+	return other->has_subject(other, this->key->get_id(this->key, ID_PUBKEY_SHA1));
+}
+
+/**
+ * Implementation of certificate_t.issued_by
+ */
+static bool issued_by(private_pubkey_cert_t *this, certificate_t *issuer)
+{
+	return equals(this, issuer);
+}
+
+/**
+ * Implementation of certificate_t.get_public_key
+ */
+static public_key_t* get_public_key(private_pubkey_cert_t *this)
+{
+	this->key->get_ref(this->key);
+	return this->key;
+}
+/**
+ * Implementation of certificate_t.get_validity.
+ */
+static bool get_validity(private_pubkey_cert_t *this, time_t *when,
+						 time_t *not_before, time_t *not_after)
+{
+	if (not_before)
+	{
+		*not_before = 0;
+	}
+	if (not_after)
+	{
+		*not_after = ~0;
+	}
+	return TRUE;
+}
+
+/**
+ * Implementation of certificate_t.is_newer.
+ */
+static bool is_newer(certificate_t *this, certificate_t *that)
+{
+	return FALSE;
+}
+	
+/**
+ * Implementation of certificate_t.get_encoding.
+ */
+static chunk_t get_encoding(private_pubkey_cert_t *this)
+{
+	return this->key->get_encoding(this->key);
+}
+
+/**
+ * Implementation of certificate_t.get_ref
+ */
+static private_pubkey_cert_t* get_ref(private_pubkey_cert_t *this)
+{
+	ref_get(&this->ref);
+	return this;
+}
+
+/**
+ * Implementation of pubkey_cert_t.destroy
+ */
+static void destroy(private_pubkey_cert_t *this)
+{
+	if (ref_put(&this->ref))
+	{
+		this->issuer->destroy(this->issuer);
+		this->key->destroy(this->key);
+		free(this);
+	}
+}
+
+/*
+ * see header file
+ */
+static pubkey_cert_t *pubkey_cert_create(public_key_t *key)
+{
+	private_pubkey_cert_t *this = malloc_thing(private_pubkey_cert_t);
+	
+	this->public.interface.get_type = (certificate_type_t (*)(certificate_t *this))get_type;
+	this->public.interface.get_subject = (identification_t* (*)(certificate_t *this))get_subject;
+	this->public.interface.get_issuer = (identification_t* (*)(certificate_t *this))get_issuer;
+	this->public.interface.has_subject = (id_match_t (*)(certificate_t*, identification_t *subject))has_subject;
+	this->public.interface.has_issuer = (id_match_t (*)(certificate_t*, identification_t *issuer))has_issuer;
+	this->public.interface.issued_by = (bool (*)(certificate_t *this, certificate_t *issuer))issued_by;
+	this->public.interface.get_public_key = (public_key_t* (*)(certificate_t *this))get_public_key;
+	this->public.interface.get_validity = (bool (*)(certificate_t*, time_t *when, time_t *, time_t*))get_validity;
+	this->public.interface.is_newer = (bool (*)(certificate_t*,certificate_t*))is_newer;
+	this->public.interface.get_encoding = (chunk_t (*)(certificate_t*))get_encoding;
+	this->public.interface.equals = (bool (*)(certificate_t*, certificate_t *other))equals;
+	this->public.interface.get_ref = (certificate_t* (*)(certificate_t *this))get_ref;
+	this->public.interface.destroy = (void (*)(certificate_t *this))destroy;
+	
+	this->ref = 1;
+	this->key = key;
+	this->issuer = identification_create_from_encoding(ID_ANY, chunk_empty);
+	
+	return &this->public;
+}
+
+typedef struct private_builder_t private_builder_t;
+/**
+ * Builder implementation for key loading
+ */
+struct private_builder_t {
+	/** implements the builder interface */
+	builder_t public;
+	/** loaded public key */
+	pubkey_cert_t *key;
+};
+
+/**
+ * Implementation of builder_t.build
+ */
+static pubkey_cert_t *build(private_builder_t *this)
+{
+	pubkey_cert_t *key = this->key;
+	
+	free(this);
+	return key;
+}
+
+/**
+ * Implementation of builder_t.add
+ */
+static void add(private_builder_t *this, builder_part_t part, ...)
+{
+	va_list args;
+	
+	if (this->key)
+	{
+		DBG1("ignoring surplus build part %N", builder_part_names, part);
+		return;
+	}
+	
+	switch (part)
+	{
+		case BUILD_PUBLIC_KEY:
+		{
+			va_start(args, part);
+			this->key = pubkey_cert_create(va_arg(args, public_key_t*));
+			va_end(args);
+			break;
+		}
+		default:
+			DBG1("ignoring unsupported build part %N", builder_part_names, part);
+			break;
+	}
+}
+
+/**
+ * Builder construction function
+ */
+builder_t *pubkey_cert_builder(certificate_type_t type)
+{
+	private_builder_t *this;
+	
+	if (type != CERT_TRUSTED_PUBKEY)
+	{
+		return NULL;
+	}
+	
+	this = malloc_thing(private_builder_t);
+	
+	this->key = NULL;
+	this->public.add = (void(*)(builder_t *this, builder_part_t part, ...))add;
+	this->public.build = (void*(*)(builder_t *this))build;
+	
+	return &this->public;
+}
+
diff --git a/src/libstrongswan/plugins/pubkey/pubkey_cert.h b/src/libstrongswan/plugins/pubkey/pubkey_cert.h
new file mode 100644
index 000000000..71ffe5099
--- /dev/null
+++ b/src/libstrongswan/plugins/pubkey/pubkey_cert.h
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+/**
+ * @defgroup pubkey_cert pubkey_cert
+ * @{ @ingroup certificates
+ */
+
+#ifndef PUBKEY_CERT_H_
+#define PUBKEY_CERT_H_
+
+#include <credentials/certificates/certificate.h>
+
+typedef struct pubkey_cert_t pubkey_cert_t;
+
+/**
+ * A trusted public key wrapped into certificate of type CERT_TRUSTED_PUBKEY.
+ */
+struct pubkey_cert_t {
+
+	/**
+	 * Implements certificate_t.
+	 */
+	certificate_t interface;
+};
+
+/**
+ * Create the builder for a trusted public key.
+ *
+ * The builders add() function takes BUILD_PUBLIC_KEY to enwrap.
+ *
+ * @param type		type of the certificate, must be CERT_pubkey_cert
+ * @return 			builder instance
+ */
+builder_t *pubkey_cert_builder(certificate_type_t type);
+
+#endif /* PUBKEY_CERT_H_ @}*/
diff --git a/src/libstrongswan/plugins/pubkey/pubkey_plugin.c b/src/libstrongswan/plugins/pubkey/pubkey_plugin.c
new file mode 100644
index 000000000..dd7ac6fd1
--- /dev/null
+++ b/src/libstrongswan/plugins/pubkey/pubkey_plugin.c
@@ -0,0 +1,65 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+#include "pubkey_plugin.h"
+
+#include <library.h>
+#include "pubkey_cert.h"
+#include "pubkey_public_key.h"
+
+typedef struct private_pubkey_plugin_t private_pubkey_plugin_t;
+
+/**
+ * private data of pubkey_plugin
+ */
+struct private_pubkey_plugin_t {
+
+	/**
+	 * public functions
+	 */
+	pubkey_plugin_t public;
+};
+
+/**
+ * Implementation of pubkey_plugin_t.pubkeytroy
+ */
+static void destroy(private_pubkey_plugin_t *this)
+{
+	lib->creds->remove_builder(lib->creds,
+							(builder_constructor_t)pubkey_cert_builder);
+	lib->creds->remove_builder(lib->creds,
+							(builder_constructor_t)pubkey_public_key_builder);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *plugin_create()
+{
+	private_pubkey_plugin_t *this = malloc_thing(private_pubkey_plugin_t);
+	
+	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_TRUSTED_PUBKEY,
+							(builder_constructor_t)pubkey_cert_builder);
+	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_ANY,
+							(builder_constructor_t)pubkey_public_key_builder);
+
+	return &this->public.plugin;
+}
+
diff --git a/src/libstrongswan/plugins/pubkey/pubkey_plugin.h b/src/libstrongswan/plugins/pubkey/pubkey_plugin.h
new file mode 100644
index 000000000..64d0995fc
--- /dev/null
+++ b/src/libstrongswan/plugins/pubkey/pubkey_plugin.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pubkey_p pubkey
+ * @ingroup plugins
+ *
+ * @defgroup pubkey_plugin pubkey_plugin
+ * @{ @ingroup pubkey_p
+ */
+
+#ifndef PUBKEY_PLUGIN_H_
+#define PUBKEY_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct pubkey_plugin_t pubkey_plugin_t;
+
+/**
+ * Plugin implementing CERT_TRUSTED_PUBKEY certificate type.
+ */
+struct pubkey_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+/**
+ * Create a pubkey_plugin instance.
+ */
+plugin_t *plugin_create();
+
+#endif /* PUBKEY_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/pubkey/pubkey_public_key.c b/src/libstrongswan/plugins/pubkey/pubkey_public_key.c
new file mode 100644
index 000000000..0527ed758
--- /dev/null
+++ b/src/libstrongswan/plugins/pubkey/pubkey_public_key.c
@@ -0,0 +1,185 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2008 Martin Willi
+ * Copyright (C) 2000-2008 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id: pubkey_public_key.c 4059 2008-06-11 14:10:02Z martin $
+ */
+
+#include "pubkey_public_key.h"
+
+#include <debug.h>
+#include <asn1/pem.h>
+#include <asn1/oid.h>
+#include <asn1/asn1.h>
+#include <asn1/asn1_parser.h>
+
+/**
+ * ASN.1 definition of a subjectPublicKeyInfo structure
+ */
+static const asn1Object_t pkinfoObjects[] = {
+	{ 0, "subjectPublicKeyInfo",ASN1_SEQUENCE,		ASN1_NONE	}, /* 0 */
+	{ 1,   "algorithm",			ASN1_EOC,			ASN1_RAW	}, /* 1 */
+	{ 1,   "subjectPublicKey",	ASN1_BIT_STRING,	ASN1_BODY	}, /* 2 */
+	{ 0, "exit",				ASN1_EOC,			ASN1_EXIT	}
+};
+#define PKINFO_SUBJECT_PUBLIC_KEY_ALGORITHM	1
+#define PKINFO_SUBJECT_PUBLIC_KEY			2
+
+
+/**
+ * Load a public key from an ASN1 encoded blob
+ */
+static public_key_t *load(chunk_t blob)
+{
+	asn1_parser_t *parser;
+	chunk_t object;
+	int objectID;
+	public_key_t *key = NULL;
+	key_type_t type = KEY_ANY;
+
+	parser = asn1_parser_create(pkinfoObjects, blob);
+	
+	while (parser->iterate(parser, &objectID, &object))
+	{
+		switch (objectID)
+		{
+			case PKINFO_SUBJECT_PUBLIC_KEY_ALGORITHM:
+			{
+				int oid = asn1_parse_algorithmIdentifier(object,
+										parser->get_level(parser)+1, NULL);
+				
+				if (oid == OID_RSA_ENCRYPTION)
+				{
+					type = KEY_RSA;
+				}
+				else if (oid == OID_EC_PUBLICKEY)
+				{
+					/* we need the whole subjectPublicKeyInfo for EC public keys */
+					key = lib->creds->create(lib->creds,
+								CRED_PUBLIC_KEY, KEY_ECDSA, BUILD_BLOB_ASN1_DER,
+								chunk_clone(blob), BUILD_END);
+					goto end;
+				}
+				else
+				{
+					/* key type not supported */
+					goto end;
+				}
+				break;
+			}
+			case PKINFO_SUBJECT_PUBLIC_KEY:
+				if (object.len > 0 && *object.ptr == 0x00)
+				{
+					/* skip initial bit string octet defining 0 unused bits */
+					object = chunk_skip(object, 1);
+				}
+				key = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, type,
+										 BUILD_BLOB_ASN1_DER, chunk_clone(object),
+										 BUILD_END);
+				break;
+		}
+	} 
+	
+end:
+	parser->destroy(parser);
+	free(blob.ptr);
+	return key; 
+}
+
+typedef struct private_builder_t private_builder_t;
+/**
+ * Builder implementation for key loading
+ */
+struct private_builder_t {
+	/** implements the builder interface */
+	builder_t public;
+	/** loaded public key */
+	public_key_t *key;
+};
+
+/**
+ * Implementation of builder_t.build
+ */
+static public_key_t *build(private_builder_t *this)
+{
+	public_key_t *key = this->key;
+	
+	free(this);
+	return key;
+}
+
+/**
+ * Implementation of builder_t.add
+ */
+static void add(private_builder_t *this, builder_part_t part, ...)
+{
+	va_list args;
+	
+	if (this->key)
+	{
+		DBG1("ignoring surplus build part %N", builder_part_names, part);
+		return;
+	}
+	va_start(args, part);
+	switch (part)
+	{
+		case BUILD_BLOB_ASN1_DER:
+		{
+			this->key = load(va_arg(args, chunk_t));
+			break;
+		}
+		case BUILD_BLOB_ASN1_PEM:
+		{
+			bool pgp;
+			char *pem;
+			chunk_t blob;
+			
+			pem = va_arg(args, char *);
+			blob = chunk_clone(chunk_create(pem, strlen(pem)));
+			if (pem_to_bin(&blob, &chunk_empty, &pgp))
+			{
+				this->key = load(chunk_clone(blob));
+			}
+			free(blob.ptr);
+			break;
+		}
+		default:
+			DBG1("ignoring unsupported build part %N", builder_part_names, part);
+			break;
+	}
+	va_end(args);
+}
+
+/**
+ * Builder construction function
+ */
+builder_t *pubkey_public_key_builder(key_type_t type)
+{
+	private_builder_t *this;
+	
+	if (type != KEY_ANY)
+	{
+		return NULL;
+	}
+	
+	this = malloc_thing(private_builder_t);
+	
+	this->key = NULL;
+	this->public.add = (void(*)(builder_t *this, builder_part_t part, ...))add;
+	this->public.build = (void*(*)(builder_t *this))build;
+	
+	return &this->public;
+}
+
diff --git a/src/libstrongswan/plugins/pubkey/pubkey_public_key.h b/src/libstrongswan/plugins/pubkey/pubkey_public_key.h
new file mode 100644
index 000000000..914ad74e9
--- /dev/null
+++ b/src/libstrongswan/plugins/pubkey/pubkey_public_key.h
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id: pubkey_public_key.h 3961 2008-05-15 12:33:00Z tobias $
+ */
+
+/**
+ * @defgroup pubkey_public_key pubkey_public_key
+ * @{ @ingroup pubkey_p
+ */
+
+#ifndef PUBKEY_PUBLIC_KEY_H_
+#define PUBKEY_PUBLIC_KEY_H_
+
+#include <credentials/keys/public_key.h>
+
+/**
+ * Create the builder for a generic public key.
+ *
+ * @param type		type of the key, must be KEY_ANY
+ * @return 			builder instance
+ */
+builder_t *pubkey_public_key_builder(key_type_t type);
+
+#endif /*PUBKEY_RSA_PUBLIC_KEY_H_ @}*/
diff --git a/src/libstrongswan/plugins/random/Makefile.am b/src/libstrongswan/plugins/random/Makefile.am
new file mode 100644
index 000000000..8b61d7094
--- /dev/null
+++ b/src/libstrongswan/plugins/random/Makefile.am
@@ -0,0 +1,11 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = -rdynamic
+
+plugin_LTLIBRARIES = libstrongswan-random.la
+
+libstrongswan_random_la_SOURCES = random_plugin.h random_plugin.c \
+  random_rng.c random_rng.h
+libstrongswan_random_la_LDFLAGS = -module
+
diff --git a/src/libstrongswan/plugins/random/Makefile.in b/src/libstrongswan/plugins/random/Makefile.in
new file mode 100644
index 000000000..c4baa04b3
--- /dev/null
+++ b/src/libstrongswan/plugins/random/Makefile.in
@@ -0,0 +1,497 @@
+# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libstrongswan/plugins/random
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__installdirs = "$(DESTDIR)$(plugindir)"
+pluginLTLIBRARIES_INSTALL = $(INSTALL)
+LTLIBRARIES = $(plugin_LTLIBRARIES)
+libstrongswan_random_la_LIBADD =
+am_libstrongswan_random_la_OBJECTS = random_plugin.lo random_rng.lo
+libstrongswan_random_la_OBJECTS =  \
+	$(am_libstrongswan_random_la_OBJECTS)
+libstrongswan_random_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_random_la_LDFLAGS) $(LDFLAGS) -o $@
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_random_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_random_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+CXXDEPMODE = @CXXDEPMODE@
+CXXFLAGS = @CXXFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DSYMUTIL = @DSYMUTIL@
+ECHO = @ECHO@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+F77 = @F77@
+FFLAGS = @FFLAGS@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
+IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LINUX_HEADERS = @LINUX_HEADERS@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+NMEDIT = @NMEDIT@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+RANLIB = @RANLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_CXX = @ac_ct_CXX@
+ac_ct_F77 = @ac_ct_F77@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+confdir = @confdir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libstrongswan_plugins = @libstrongswan_plugins@
+linuxdir = @linuxdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+resolv_conf = @resolv_conf@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+simreader = @simreader@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+AM_CFLAGS = -rdynamic
+plugin_LTLIBRARIES = libstrongswan-random.la
+libstrongswan_random_la_SOURCES = random_plugin.h random_plugin.c \
+  random_rng.c random_rng.h
+
+libstrongswan_random_la_LDFLAGS = -module
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
+		&& exit 0; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/libstrongswan/plugins/random/Makefile'; \
+	cd $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu  src/libstrongswan/plugins/random/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    f=$(am__strip_dir) \
+	    echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(plugindir)/$$f'"; \
+	    $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(plugindir)/$$f"; \
+	  else :; fi; \
+	done
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  p=$(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$p'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$p"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-random.la: $(libstrongswan_random_la_OBJECTS) $(libstrongswan_random_la_DEPENDENCIES) 
+	$(libstrongswan_random_la_LINK) -rpath $(plugindir) $(libstrongswan_random_la_OBJECTS) $(libstrongswan_random_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/random_plugin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/random_rng.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	    $$tags $$unique; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$tags $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) $$here
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	    fi; \
+	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
+	mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-info: install-info-am
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
+	distclean-compile distclean-generic distclean-libtool \
+	distclean-tags distdir dvi dvi-am html html-am info info-am \
+	install install-am install-data install-data-am install-dvi \
+	install-dvi-am install-exec install-exec-am install-html \
+	install-html-am install-info install-info-am install-man \
+	install-pdf install-pdf-am install-pluginLTLIBRARIES \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libstrongswan/plugins/random/random_plugin.c b/src/libstrongswan/plugins/random/random_plugin.c
new file mode 100644
index 000000000..3eff81ee0
--- /dev/null
+++ b/src/libstrongswan/plugins/random/random_plugin.c
@@ -0,0 +1,62 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+#include "random_plugin.h"
+
+#include <library.h>
+#include "random_rng.h"
+
+typedef struct private_random_plugin_t private_random_plugin_t;
+
+/**
+ * private data of random_plugin
+ */
+struct private_random_plugin_t {
+
+	/**
+	 * public functions
+	 */
+	random_plugin_t public;
+};
+
+/**
+ * Implementation of random_plugin_t.gmptroy
+ */
+static void destroy(private_random_plugin_t *this)
+{
+	lib->crypto->remove_rng(lib->crypto,
+							(rng_constructor_t)random_rng_create);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *plugin_create()
+{
+	private_random_plugin_t *this = malloc_thing(private_random_plugin_t);
+	
+	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+	
+	lib->crypto->add_rng(lib->crypto, RNG_STRONG, 
+						 (rng_constructor_t)random_rng_create);
+	lib->crypto->add_rng(lib->crypto, RNG_REAL, 
+						 (rng_constructor_t)random_rng_create);
+	
+	return &this->public.plugin;
+}
+
diff --git a/src/libstrongswan/plugins/random/random_plugin.h b/src/libstrongswan/plugins/random/random_plugin.h
new file mode 100644
index 000000000..9e8b99387
--- /dev/null
+++ b/src/libstrongswan/plugins/random/random_plugin.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup random_p random
+ * @ingroup plugins
+ * 
+ * @defgroup random_plugin random_plugin
+ * @{ @ingroup random_p
+ */
+
+#ifndef RANDOM_PLUGIN_H_
+#define RANDOM_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct random_plugin_t random_plugin_t;
+
+/**
+ * Plugin implementing a RNG reading from /dev/[u]random.
+ */
+struct random_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+/**
+ * Create a random_plugin instance.
+ */
+plugin_t *plugin_create();
+
+#endif /* RANDOM_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/random/random_rng.c b/src/libstrongswan/plugins/random/random_rng.c
new file mode 100644
index 000000000..1aadc88bd
--- /dev/null
+++ b/src/libstrongswan/plugins/random/random_rng.c
@@ -0,0 +1,134 @@
+/*
+ * Copyright (C) 2005-2008 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+#include <string.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <errno.h>
+#include <debug.h>
+
+#include "random_rng.h"
+
+#ifndef DEV_RANDOM
+# define DEV_RANDOM "/dev/random"
+#endif
+
+#ifndef DEV_URANDOM
+# define DEV_URANDOM "/dev/urandom"
+#endif
+
+typedef struct private_random_rng_t private_random_rng_t;
+
+/**
+ * Private data of an random_rng_t object.
+ */
+struct private_random_rng_t {
+
+	/**
+	 * Public random_rng_t interface.
+	 */
+	random_rng_t public;
+	
+	/**
+	 * random device, depends on quality
+	 */
+	int dev;
+	
+	/**
+	 * file we read random bytes from
+	 */
+	char *file;
+};
+
+/**
+ * Implementation of random_rng_t.get_bytes.
+ */
+static void get_bytes(private_random_rng_t *this, size_t bytes,
+					  u_int8_t *buffer)
+{
+	size_t done, got;
+	
+	done = 0;
+	
+	while (done < bytes)
+	{
+		got = read(this->dev, buffer + done, bytes - done);
+		if (got <= 0)
+		{
+			DBG1("reading from \"%s\" failed: %s, retrying...",
+				 this->file, strerror(errno));
+			close(this->dev);
+			sleep(1);
+			this->dev = open(this->file, 0);
+		}
+		done += got;
+	}
+}
+
+/**
+ * Implementation of random_rng_t.allocate_bytes.
+ */
+static void allocate_bytes(private_random_rng_t *this, size_t bytes,
+						   chunk_t *chunk)
+{
+	*chunk = chunk_alloc(bytes);
+	get_bytes(this, chunk->len, chunk->ptr);
+}
+
+/**
+ * Implementation of random_rng_t.destroy.
+ */
+static void destroy(private_random_rng_t *this)
+{
+	close(this->dev);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+random_rng_t *random_rng_create(rng_quality_t quality)
+{
+	private_random_rng_t *this = malloc_thing(private_random_rng_t);
+
+	/* public functions */
+	this->public.rng.get_bytes = (void (*) (rng_t *, size_t, u_int8_t*)) get_bytes;
+	this->public.rng.allocate_bytes = (void (*) (rng_t *, size_t, chunk_t*)) allocate_bytes;
+	this->public.rng.destroy = (void (*) (rng_t *))destroy;
+
+	if (quality == RNG_REAL)
+	{
+		this->file = DEV_RANDOM;
+	}
+	else
+	{
+		this->file = DEV_URANDOM;
+	}
+	
+	this->dev = open(this->file, 0);
+	if (this->dev < 0)
+	{
+		DBG1("opening \"%s\" failed: %s", this->file, strerror(errno));
+		free(this);
+		return NULL;
+	}
+	return &this->public;
+}
+
diff --git a/src/libstrongswan/plugins/random/random_rng.h b/src/libstrongswan/plugins/random/random_rng.h
new file mode 100644
index 000000000..7f82353d8
--- /dev/null
+++ b/src/libstrongswan/plugins/random/random_rng.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+ 
+/**
+ * @defgroup random_rng random_rng
+ * @{ @ingroup utils
+ */
+
+#ifndef RANDOM_RNG_H_
+#define RANDOM_RNG_H_
+
+typedef struct random_rng_t random_rng_t;
+
+#include <library.h>
+
+/**
+ * rng_t implementation on top of /dev/[u]random
+ */
+struct random_rng_t {
+	
+	/**
+	 * Implements rng_t.
+	 */
+	rng_t rng;
+};
+
+/**
+ * Creates an random_rng_t instance.
+ * 
+ * @param quality	required quality of randomness
+ * @return			created random_rng_t
+ */
+random_rng_t *random_rng_create(rng_quality_t quality);
+
+#endif /*RANDOM_RNG_H_ @} */
diff --git a/src/libstrongswan/plugins/sha1/Makefile.am b/src/libstrongswan/plugins/sha1/Makefile.am
new file mode 100644
index 000000000..299e85083
--- /dev/null
+++ b/src/libstrongswan/plugins/sha1/Makefile.am
@@ -0,0 +1,10 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = -rdynamic
+
+plugin_LTLIBRARIES = libstrongswan-sha1.la
+
+libstrongswan_sha1_la_SOURCES = sha1_plugin.h sha1_plugin.c sha1_hasher.c sha1_hasher.h
+libstrongswan_sha1_la_LDFLAGS = -module
+
diff --git a/src/libstrongswan/plugins/sha1/Makefile.in b/src/libstrongswan/plugins/sha1/Makefile.in
new file mode 100644
index 000000000..b57c46aee
--- /dev/null
+++ b/src/libstrongswan/plugins/sha1/Makefile.in
@@ -0,0 +1,494 @@
+# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libstrongswan/plugins/sha1
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__installdirs = "$(DESTDIR)$(plugindir)"
+pluginLTLIBRARIES_INSTALL = $(INSTALL)
+LTLIBRARIES = $(plugin_LTLIBRARIES)
+libstrongswan_sha1_la_LIBADD =
+am_libstrongswan_sha1_la_OBJECTS = sha1_plugin.lo sha1_hasher.lo
+libstrongswan_sha1_la_OBJECTS = $(am_libstrongswan_sha1_la_OBJECTS)
+libstrongswan_sha1_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_sha1_la_LDFLAGS) $(LDFLAGS) -o $@
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_sha1_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_sha1_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+CXXDEPMODE = @CXXDEPMODE@
+CXXFLAGS = @CXXFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DSYMUTIL = @DSYMUTIL@
+ECHO = @ECHO@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+F77 = @F77@
+FFLAGS = @FFLAGS@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
+IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LINUX_HEADERS = @LINUX_HEADERS@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+NMEDIT = @NMEDIT@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+RANLIB = @RANLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_CXX = @ac_ct_CXX@
+ac_ct_F77 = @ac_ct_F77@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+confdir = @confdir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libstrongswan_plugins = @libstrongswan_plugins@
+linuxdir = @linuxdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+resolv_conf = @resolv_conf@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+simreader = @simreader@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+AM_CFLAGS = -rdynamic
+plugin_LTLIBRARIES = libstrongswan-sha1.la
+libstrongswan_sha1_la_SOURCES = sha1_plugin.h sha1_plugin.c sha1_hasher.c sha1_hasher.h
+libstrongswan_sha1_la_LDFLAGS = -module
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
+		&& exit 0; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/libstrongswan/plugins/sha1/Makefile'; \
+	cd $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu  src/libstrongswan/plugins/sha1/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    f=$(am__strip_dir) \
+	    echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(plugindir)/$$f'"; \
+	    $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(plugindir)/$$f"; \
+	  else :; fi; \
+	done
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  p=$(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$p'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$p"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-sha1.la: $(libstrongswan_sha1_la_OBJECTS) $(libstrongswan_sha1_la_DEPENDENCIES) 
+	$(libstrongswan_sha1_la_LINK) -rpath $(plugindir) $(libstrongswan_sha1_la_OBJECTS) $(libstrongswan_sha1_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sha1_hasher.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sha1_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	    $$tags $$unique; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$tags $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) $$here
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	    fi; \
+	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
+	mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-info: install-info-am
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
+	distclean-compile distclean-generic distclean-libtool \
+	distclean-tags distdir dvi dvi-am html html-am info info-am \
+	install install-am install-data install-data-am install-dvi \
+	install-dvi-am install-exec install-exec-am install-html \
+	install-html-am install-info install-info-am install-man \
+	install-pdf install-pdf-am install-pluginLTLIBRARIES \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libstrongswan/plugins/sha1/sha1_hasher.c b/src/libstrongswan/plugins/sha1/sha1_hasher.c
new file mode 100644
index 000000000..c496be8f4
--- /dev/null
+++ b/src/libstrongswan/plugins/sha1/sha1_hasher.c
@@ -0,0 +1,366 @@
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ * 
+ * Ported from Steve Reid's <steve@edmweb.com> implementation
+ * "SHA1 in C" found in strongSwan.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id: sha1_hasher.c 3619 2008-03-19 14:02:52Z martin $
+ */
+
+#include <string.h>
+#include <arpa/inet.h>
+
+#include "sha1_hasher.h"
+
+/*
+ * ugly macro stuff
+ */ 
+#define rol(value, bits) (((value) << (bits)) | ((value) >> (32 - (bits))))
+
+#if BYTE_ORDER == LITTLE_ENDIAN
+ #define blk0(i) (block->l[i] = (rol(block->l[i],24)&0xFF00FF00) |(rol(block->l[i],8)&0x00FF00FF))
+#elif BYTE_ORDER == BIG_ENDIAN
+ #define blk0(i) block->l[i]
+#else
+ #error "Endianness not defined!"
+#endif
+#define blk(i) (block->l[i&15] = rol(block->l[(i+13)&15]^block->l[(i+8)&15] ^block->l[(i+2)&15]^block->l[i&15],1))
+
+/* (R0+R1), R2, R3, R4 are the different operations used in SHA1 */
+#define R0(v,w,x,y,z,i) z+=((w&(x^y))^y)+blk0(i)+0x5A827999+rol(v,5);w=rol(w,30);
+#define R1(v,w,x,y,z,i) z+=((w&(x^y))^y)+blk(i)+0x5A827999+rol(v,5);w=rol(w,30);
+#define R2(v,w,x,y,z,i) z+=(w^x^y)+blk(i)+0x6ED9EBA1+rol(v,5);w=rol(w,30);
+#define R3(v,w,x,y,z,i) z+=(((w|x)&y)|(w&x))+blk(i)+0x8F1BBCDC+rol(v,5);w=rol(w,30);
+#define R4(v,w,x,y,z,i) z+=(w^x^y)+blk(i)+0xCA62C1D6+rol(v,5);w=rol(w,30);
+
+
+typedef struct private_sha1_hasher_t private_sha1_hasher_t;
+typedef struct private_sha1_keyed_prf_t private_sha1_keyed_prf_t;
+
+/**
+ * Private data structure with hasing context.
+ */
+struct private_sha1_hasher_t {
+	/**
+	 * Public interface for this hasher.
+	 */
+	sha1_hasher_t public;
+	
+	/*
+	 * State of the hasher.
+	 */
+	u_int32_t state[5];
+    u_int32_t count[2];
+    u_int8_t buffer[64];
+};
+
+/**
+ * Private data structure with keyed prf context.
+ */
+struct private_sha1_keyed_prf_t {
+	/**
+	 * public prf interface
+	 */
+	sha1_keyed_prf_t public;
+
+	/**
+	 * internal used hasher
+	 */
+	private_sha1_hasher_t *hasher;
+};
+
+/* 
+ * Hash a single 512-bit block. This is the core of the algorithm. *
+ */
+static void SHA1Transform(u_int32_t state[5], const unsigned char buffer[64])
+{
+	u_int32_t a, b, c, d, e;
+	typedef union {
+    	u_int8_t c[64];
+    	u_int32_t l[16];
+	} CHAR64LONG16;
+	CHAR64LONG16 block[1];  /* use array to appear as a pointer */
+    memcpy(block, buffer, 64);
+
+    /* Copy context->state[] to working vars */
+    a = state[0];
+    b = state[1];
+    c = state[2];
+    d = state[3];
+    e = state[4];
+    /* 4 rounds of 20 operations each. Loop unrolled. */
+    R0(a,b,c,d,e, 0); R0(e,a,b,c,d, 1); R0(d,e,a,b,c, 2); R0(c,d,e,a,b, 3);
+    R0(b,c,d,e,a, 4); R0(a,b,c,d,e, 5); R0(e,a,b,c,d, 6); R0(d,e,a,b,c, 7);
+    R0(c,d,e,a,b, 8); R0(b,c,d,e,a, 9); R0(a,b,c,d,e,10); R0(e,a,b,c,d,11);
+    R0(d,e,a,b,c,12); R0(c,d,e,a,b,13); R0(b,c,d,e,a,14); R0(a,b,c,d,e,15);
+    R1(e,a,b,c,d,16); R1(d,e,a,b,c,17); R1(c,d,e,a,b,18); R1(b,c,d,e,a,19);
+    R2(a,b,c,d,e,20); R2(e,a,b,c,d,21); R2(d,e,a,b,c,22); R2(c,d,e,a,b,23);
+    R2(b,c,d,e,a,24); R2(a,b,c,d,e,25); R2(e,a,b,c,d,26); R2(d,e,a,b,c,27);
+    R2(c,d,e,a,b,28); R2(b,c,d,e,a,29); R2(a,b,c,d,e,30); R2(e,a,b,c,d,31);
+    R2(d,e,a,b,c,32); R2(c,d,e,a,b,33); R2(b,c,d,e,a,34); R2(a,b,c,d,e,35);
+    R2(e,a,b,c,d,36); R2(d,e,a,b,c,37); R2(c,d,e,a,b,38); R2(b,c,d,e,a,39);
+    R3(a,b,c,d,e,40); R3(e,a,b,c,d,41); R3(d,e,a,b,c,42); R3(c,d,e,a,b,43);
+    R3(b,c,d,e,a,44); R3(a,b,c,d,e,45); R3(e,a,b,c,d,46); R3(d,e,a,b,c,47);
+    R3(c,d,e,a,b,48); R3(b,c,d,e,a,49); R3(a,b,c,d,e,50); R3(e,a,b,c,d,51);
+    R3(d,e,a,b,c,52); R3(c,d,e,a,b,53); R3(b,c,d,e,a,54); R3(a,b,c,d,e,55);
+    R3(e,a,b,c,d,56); R3(d,e,a,b,c,57); R3(c,d,e,a,b,58); R3(b,c,d,e,a,59);
+    R4(a,b,c,d,e,60); R4(e,a,b,c,d,61); R4(d,e,a,b,c,62); R4(c,d,e,a,b,63);
+    R4(b,c,d,e,a,64); R4(a,b,c,d,e,65); R4(e,a,b,c,d,66); R4(d,e,a,b,c,67);
+    R4(c,d,e,a,b,68); R4(b,c,d,e,a,69); R4(a,b,c,d,e,70); R4(e,a,b,c,d,71);
+    R4(d,e,a,b,c,72); R4(c,d,e,a,b,73); R4(b,c,d,e,a,74); R4(a,b,c,d,e,75);
+    R4(e,a,b,c,d,76); R4(d,e,a,b,c,77); R4(c,d,e,a,b,78); R4(b,c,d,e,a,79);
+    /* Add the working vars back into context.state[] */
+    state[0] += a;
+    state[1] += b;
+    state[2] += c;
+    state[3] += d;
+    state[4] += e;
+    /* Wipe variables */
+    a = b = c = d = e = 0;
+    memset(block, '\0', sizeof(block));
+}
+
+/* 
+ * Run your data through this. 
+ */
+static void SHA1Update(private_sha1_hasher_t* this, u_int8_t *data, u_int32_t len)
+{
+	u_int32_t i;
+	u_int32_t j;
+
+    j = this->count[0];
+    if ((this->count[0] += len << 3) < j)
+    {
+		this->count[1]++;
+    }
+    this->count[1] += (len>>29);
+    j = (j >> 3) & 63;
+    if ((j + len) > 63) 
+    {
+        memcpy(&this->buffer[j], data, (i = 64-j));
+        SHA1Transform(this->state, this->buffer);
+        for ( ; i + 63 < len; i += 64) 
+        {
+            SHA1Transform(this->state, &data[i]);
+        }
+        j = 0;
+    }
+    else 
+    {
+    	i = 0;
+    }
+    memcpy(&this->buffer[j], &data[i], len - i);
+}
+
+
+/* 
+ * Add padding and return the message digest. 
+ */
+static void SHA1Final(private_sha1_hasher_t *this, u_int8_t *digest)
+{
+	u_int32_t i;
+	u_int8_t finalcount[8];
+	u_int8_t c;
+
+    for (i = 0; i < 8; i++) 
+    {
+        finalcount[i] = (u_int8_t)((this->count[(i >= 4 ? 0 : 1)]
+         >> ((3-(i & 3)) * 8) ) & 255);  /* Endian independent */
+    }
+    c = 0200;
+    SHA1Update(this, &c, 1);
+    while ((this->count[0] & 504) != 448) 
+    {
+		c = 0000;
+        SHA1Update(this, &c, 1);
+    }
+    SHA1Update(this, finalcount, 8);  /* Should cause a SHA1Transform() */
+    for (i = 0; i < 20; i++) 
+    {
+        digest[i] = (u_int8_t)((this->state[i>>2] >> ((3-(i & 3)) * 8) ) & 255);
+    }
+}
+
+/**
+ * Implementation of hasher_t.reset.
+ */
+static void reset(private_sha1_hasher_t *this)
+{
+	this->state[0] = 0x67452301;
+    this->state[1] = 0xEFCDAB89;
+    this->state[2] = 0x98BADCFE;
+    this->state[3] = 0x10325476;
+    this->state[4] = 0xC3D2E1F0;
+    this->count[0] = 0;
+    this->count[1] = 0;
+}
+
+/**
+ * Implementation of hasher_t.get_hash.
+ */
+static void get_hash(private_sha1_hasher_t *this, chunk_t chunk, u_int8_t *buffer)
+{
+	SHA1Update(this, chunk.ptr, chunk.len);
+	if (buffer != NULL)
+	{
+		SHA1Final(this, buffer);
+		reset(this);
+	}
+}
+
+/**
+ * Implementation of hasher_t.allocate_hash.
+ */
+static void allocate_hash(private_sha1_hasher_t *this, chunk_t chunk, chunk_t *hash)
+{
+	SHA1Update(this, chunk.ptr, chunk.len);
+	if (hash != NULL)
+	{	
+		hash->ptr = malloc(HASH_SIZE_SHA1);
+		hash->len = HASH_SIZE_SHA1;
+		
+		SHA1Final(this, hash->ptr);
+		reset(this);
+	}
+}
+	
+/**
+ * Implementation of hasher_t.get_hash_size.
+ */
+static size_t get_hash_size(private_sha1_hasher_t *this)
+{
+	return HASH_SIZE_SHA1;
+}
+
+/**
+ * Implementation of hasher_t.destroy.
+ */
+static void destroy(private_sha1_hasher_t *this)
+{
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+sha1_hasher_t *sha1_hasher_create(hash_algorithm_t algo)
+{
+	private_sha1_hasher_t *this;
+	if (algo != HASH_SHA1)
+	{
+		return NULL;
+	}
+	this = malloc_thing(private_sha1_hasher_t);
+	this->public.hasher_interface.get_hash = (void (*) (hasher_t*, chunk_t, u_int8_t*))get_hash;
+	this->public.hasher_interface.allocate_hash = (void (*) (hasher_t*, chunk_t, chunk_t*))allocate_hash;
+	this->public.hasher_interface.get_hash_size = (size_t (*) (hasher_t*))get_hash_size;
+	this->public.hasher_interface.reset = (void (*) (hasher_t*))reset;
+	this->public.hasher_interface.destroy = (void (*) (hasher_t*))destroy;
+	
+	/* initialize */
+	reset(this);
+	
+	return &(this->public);
+}
+
+/**
+ * Implementation of prf_t.get_bytes.
+ */
+static void get_bytes(private_sha1_keyed_prf_t *this, chunk_t seed, u_int8_t *bytes)
+{
+	u_int32_t *hash = (u_int32_t*)bytes;
+
+	SHA1Update(this->hasher, seed.ptr, seed.len);
+
+	hash[0] = htonl(this->hasher->state[0]);
+	hash[1] = htonl(this->hasher->state[1]);
+	hash[2] = htonl(this->hasher->state[2]);
+	hash[3] = htonl(this->hasher->state[3]);
+	hash[4] = htonl(this->hasher->state[4]);
+}
+
+/**
+ * Implementation of prf_t.get_block_size.
+ */
+static size_t get_block_size(private_sha1_keyed_prf_t *this)
+{
+	return HASH_SIZE_SHA1;
+}
+
+/**
+ * Implementation of prf_t.allocate_bytes.
+ */
+static void allocate_bytes(private_sha1_keyed_prf_t *this, chunk_t seed, chunk_t *chunk)
+{
+	*chunk = chunk_alloc(HASH_SIZE_SHA1);
+	get_bytes(this, seed, chunk->ptr);
+}
+
+/**
+ * Implementation of prf_t.get_key_size.
+ */
+static size_t get_key_size(private_sha1_keyed_prf_t *this)
+{
+	return sizeof(this->hasher->state);
+}
+
+/**
+ * Implementation of prf_t.set_key.
+ */
+static void set_key(private_sha1_keyed_prf_t *this, chunk_t key)
+{
+	int i, rounds;
+	u_int32_t *iv = (u_int32_t*)key.ptr;
+	
+	reset(this->hasher);
+	rounds = min(key.len/sizeof(u_int32_t), sizeof(this->hasher->state));
+	for (i = 0; i < rounds; i++)
+	{
+		this->hasher->state[i] ^= htonl(iv[i]);
+	}
+}
+
+/**
+ * Implementation of prf_t.destroy.
+ */
+static void destroy_p(private_sha1_keyed_prf_t *this)
+{
+	destroy(this->hasher);
+	free(this);
+}
+
+/**
+ * see header
+ */
+sha1_keyed_prf_t *sha1_keyed_prf_create(pseudo_random_function_t algo)
+{
+	private_sha1_keyed_prf_t *this;
+	if (algo != PRF_KEYED_SHA1)
+	{
+		return NULL;
+	}
+	this = malloc_thing(private_sha1_keyed_prf_t);
+	this->public.prf_interface.get_bytes = (void (*) (prf_t *,chunk_t,u_int8_t*))get_bytes;
+	this->public.prf_interface.allocate_bytes = (void (*) (prf_t*,chunk_t,chunk_t*))allocate_bytes;
+	this->public.prf_interface.get_block_size = (size_t (*) (prf_t*))get_block_size;
+	this->public.prf_interface.get_key_size = (size_t (*) (prf_t*))get_key_size;
+	this->public.prf_interface.set_key = (void (*) (prf_t *,chunk_t))set_key;
+	this->public.prf_interface.destroy = (void (*) (prf_t *))destroy_p;
+	
+	this->hasher = (private_sha1_hasher_t*)sha1_hasher_create(HASH_SHA1);
+	
+	return &(this->public);
+}
+
diff --git a/src/libstrongswan/plugins/sha1/sha1_hasher.h b/src/libstrongswan/plugins/sha1/sha1_hasher.h
new file mode 100644
index 000000000..2e44797d8
--- /dev/null
+++ b/src/libstrongswan/plugins/sha1/sha1_hasher.h
@@ -0,0 +1,69 @@
+/*
+ * Copyright (C) 2005-2008 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup sha1_hasher sha1_hasher
+ * @{ @ingroup sha1_p
+ */
+
+#ifndef SHA1_HASHER_H_
+#define SHA1_HASHER_H_
+
+typedef struct sha1_hasher_t sha1_hasher_t;
+typedef struct sha1_keyed_prf_t sha1_keyed_prf_t;
+
+#include <crypto/hashers/hasher.h>
+#include <crypto/prfs/prf.h>
+
+/**
+ * Implementation of hasher_t interface using the SHA1 algorithm.
+ */
+struct sha1_hasher_t {
+	
+	/**
+	 * Implements hasher_t interface.
+	 */
+	hasher_t hasher_interface;
+};
+
+/**
+ * Implementation of prf_t interface using keyed SHA1 algorithm (used for EAP-AKA).
+ */
+struct sha1_keyed_prf_t {
+	
+	/**
+	 * Implements prf_t interface.
+	 */
+	prf_t prf_interface;
+};
+
+/**
+ * Creates a new sha1_hasher_t.
+ *
+ * @param algo		algorithm, must be HASH_SHA1
+ * @return			sha1_hasher_t object
+ */
+sha1_hasher_t *sha1_hasher_create(hash_algorithm_t algo);
+
+/**
+ * Creates a new sha1_keyed_prf_t.
+ *
+ * @param algo		algorithm, must be PRF_KEYED_SHA1
+ * @return			sha1_keyed_prf_tobject
+ */
+sha1_keyed_prf_t *sha1_keyed_prf_create(pseudo_random_function_t algo);
+
+#endif /*SHA1_HASHER_H_ @}*/
diff --git a/src/libstrongswan/plugins/sha1/sha1_plugin.c b/src/libstrongswan/plugins/sha1/sha1_plugin.c
new file mode 100644
index 000000000..e8da99e6c
--- /dev/null
+++ b/src/libstrongswan/plugins/sha1/sha1_plugin.c
@@ -0,0 +1,64 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id: sha1_plugin.c 3619 2008-03-19 14:02:52Z martin $
+ */
+
+#include "sha1_plugin.h"
+
+#include <library.h>
+#include "sha1_hasher.h"
+
+typedef struct private_sha1_plugin_t private_sha1_plugin_t;
+
+/**
+ * private data of sha1_plugin
+ */
+struct private_sha1_plugin_t {
+
+	/**
+	 * public functions
+	 */
+	sha1_plugin_t public;
+};
+
+/**
+ * Implementation of sha1_plugin_t.destroy
+ */
+static void destroy(private_sha1_plugin_t *this)
+{
+	lib->crypto->remove_hasher(lib->crypto,
+							   (hasher_constructor_t)sha1_hasher_create);
+	lib->crypto->remove_prf(lib->crypto,
+							   (prf_constructor_t)sha1_keyed_prf_create);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *plugin_create()
+{
+	private_sha1_plugin_t *this = malloc_thing(private_sha1_plugin_t);
+	
+	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+	
+	lib->crypto->add_hasher(lib->crypto, HASH_SHA1,
+							(hasher_constructor_t)sha1_hasher_create);
+	lib->crypto->add_prf(lib->crypto, PRF_KEYED_SHA1,
+							(prf_constructor_t)sha1_keyed_prf_create);
+	
+	return &this->public.plugin;
+}
+
diff --git a/src/libstrongswan/plugins/sha1/sha1_plugin.h b/src/libstrongswan/plugins/sha1/sha1_plugin.h
new file mode 100644
index 000000000..82ab04c86
--- /dev/null
+++ b/src/libstrongswan/plugins/sha1/sha1_plugin.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup sha1_p sha1
+ * @ingroup plugins
+ *
+ * @defgroup sha1_plugin sha1_plugin
+ * @{ @ingroup sha1_p
+ */
+
+#ifndef SHA1_PLUGIN_H_
+#define SHA1_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct sha1_plugin_t sha1_plugin_t;
+
+/**
+ * Plugin implementing the SHA1 algorithm in software.
+ */
+struct sha1_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+/**
+ * Create a sha1_plugin instance.
+ */
+plugin_t *plugin_create();
+
+#endif /* SHA1_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/sha2/Makefile.am b/src/libstrongswan/plugins/sha2/Makefile.am
new file mode 100644
index 000000000..066e49476
--- /dev/null
+++ b/src/libstrongswan/plugins/sha2/Makefile.am
@@ -0,0 +1,10 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = -rdynamic
+
+plugin_LTLIBRARIES = libstrongswan-sha2.la
+
+libstrongswan_sha2_la_SOURCES = sha2_plugin.h sha2_plugin.c sha2_hasher.c sha2_hasher.h
+libstrongswan_sha2_la_LDFLAGS = -module
+
diff --git a/src/libstrongswan/plugins/sha2/Makefile.in b/src/libstrongswan/plugins/sha2/Makefile.in
new file mode 100644
index 000000000..ec0e45248
--- /dev/null
+++ b/src/libstrongswan/plugins/sha2/Makefile.in
@@ -0,0 +1,494 @@
+# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libstrongswan/plugins/sha2
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__installdirs = "$(DESTDIR)$(plugindir)"
+pluginLTLIBRARIES_INSTALL = $(INSTALL)
+LTLIBRARIES = $(plugin_LTLIBRARIES)
+libstrongswan_sha2_la_LIBADD =
+am_libstrongswan_sha2_la_OBJECTS = sha2_plugin.lo sha2_hasher.lo
+libstrongswan_sha2_la_OBJECTS = $(am_libstrongswan_sha2_la_OBJECTS)
+libstrongswan_sha2_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_sha2_la_LDFLAGS) $(LDFLAGS) -o $@
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_sha2_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_sha2_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+CXXDEPMODE = @CXXDEPMODE@
+CXXFLAGS = @CXXFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DSYMUTIL = @DSYMUTIL@
+ECHO = @ECHO@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+F77 = @F77@
+FFLAGS = @FFLAGS@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
+IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LINUX_HEADERS = @LINUX_HEADERS@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+NMEDIT = @NMEDIT@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+RANLIB = @RANLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_CXX = @ac_ct_CXX@
+ac_ct_F77 = @ac_ct_F77@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+confdir = @confdir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libstrongswan_plugins = @libstrongswan_plugins@
+linuxdir = @linuxdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+resolv_conf = @resolv_conf@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+simreader = @simreader@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+AM_CFLAGS = -rdynamic
+plugin_LTLIBRARIES = libstrongswan-sha2.la
+libstrongswan_sha2_la_SOURCES = sha2_plugin.h sha2_plugin.c sha2_hasher.c sha2_hasher.h
+libstrongswan_sha2_la_LDFLAGS = -module
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
+		&& exit 0; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/libstrongswan/plugins/sha2/Makefile'; \
+	cd $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu  src/libstrongswan/plugins/sha2/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    f=$(am__strip_dir) \
+	    echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(plugindir)/$$f'"; \
+	    $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(plugindir)/$$f"; \
+	  else :; fi; \
+	done
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  p=$(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$p'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$p"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-sha2.la: $(libstrongswan_sha2_la_OBJECTS) $(libstrongswan_sha2_la_DEPENDENCIES) 
+	$(libstrongswan_sha2_la_LINK) -rpath $(plugindir) $(libstrongswan_sha2_la_OBJECTS) $(libstrongswan_sha2_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sha2_hasher.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sha2_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	    $$tags $$unique; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$tags $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) $$here
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	    fi; \
+	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
+	mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-info: install-info-am
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
+	distclean-compile distclean-generic distclean-libtool \
+	distclean-tags distdir dvi dvi-am html html-am info info-am \
+	install install-am install-data install-data-am install-dvi \
+	install-dvi-am install-exec install-exec-am install-html \
+	install-html-am install-info install-info-am install-man \
+	install-pdf install-pdf-am install-pluginLTLIBRARIES \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libstrongswan/plugins/sha2/sha2_hasher.c b/src/libstrongswan/plugins/sha2/sha2_hasher.c
new file mode 100644
index 000000000..ca9c2f926
--- /dev/null
+++ b/src/libstrongswan/plugins/sha2/sha2_hasher.c
@@ -0,0 +1,632 @@
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2001 Jari Ruusu.
+ *
+ * Ported from strongSwans implementation written by Jari Ruusu.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id: sha2_hasher.c 3488 2008-02-21 15:10:02Z martin $
+ */
+
+#include <string.h>
+
+#include "sha2_hasher.h"
+
+
+typedef struct private_sha512_hasher_t private_sha512_hasher_t;
+
+/**
+ * Private data structure with hasing context for SHA384 and SHA512
+ */
+struct private_sha512_hasher_t {
+	/**
+	 * Public interface for this hasher.
+	 */
+	sha2_hasher_t public;
+	
+	unsigned char   sha_out[128];   /* results are here, bytes 0..47/0..63 */
+	u_int64_t       sha_H[8];
+	u_int64_t       sha_blocks;
+	u_int64_t       sha_blocksMSB;
+	int             sha_bufCnt;
+};
+
+
+typedef struct private_sha256_hasher_t private_sha256_hasher_t;
+
+/**
+ * Private data structure with hasing context for SHA256
+ */
+struct private_sha256_hasher_t {
+	/**
+	 * Public interface for this hasher.
+	 */
+	sha2_hasher_t public;
+	
+	unsigned char   sha_out[64];    /* results are here, bytes 0...31 */
+	u_int32_t       sha_H[8];
+	u_int64_t       sha_blocks;
+	int             sha_bufCnt;
+};
+
+
+static const u_int32_t sha256_hashInit[8] = {
+	0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a, 0x510e527f, 0x9b05688c,
+	0x1f83d9ab, 0x5be0cd19
+};
+
+static const u_int32_t sha256_K[64] = {
+	0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1,
+	0x923f82a4, 0xab1c5ed5, 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
+	0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174, 0xe49b69c1, 0xefbe4786,
+	0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
+	0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147,
+	0x06ca6351, 0x14292967, 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
+	0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85, 0xa2bfe8a1, 0xa81a664b,
+	0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
+	0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a,
+	0x5b9cca4f, 0x682e6ff3, 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
+	0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
+};
+
+static const u_int64_t sha512_hashInit[8] = {
+	0x6a09e667f3bcc908ULL, 0xbb67ae8584caa73bULL, 0x3c6ef372fe94f82bULL,
+	0xa54ff53a5f1d36f1ULL, 0x510e527fade682d1ULL, 0x9b05688c2b3e6c1fULL,
+	0x1f83d9abfb41bd6bULL, 0x5be0cd19137e2179ULL
+};
+
+static const u_int64_t sha384_hashInit[8] = {
+	0xcbbb9d5dc1059ed8ULL, 0x629a292a367cd507ULL, 0x9159015a3070dd17ULL,
+	0x152fecd8f70e5939ULL, 0x67332667ffc00b31ULL, 0x8eb44a8768581511ULL,
+	0xdb0c2e0d64f98fa7ULL, 0x47b5481dbefa4fa4ULL
+};
+
+static const u_int64_t sha512_K[80] = {
+	0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL, 0xb5c0fbcfec4d3b2fULL,
+	0xe9b5dba58189dbbcULL, 0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL,
+	0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL, 0xd807aa98a3030242ULL,
+	0x12835b0145706fbeULL, 0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL,
+	0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL, 0x9bdc06a725c71235ULL,
+	0xc19bf174cf692694ULL, 0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL,
+	0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL, 0x2de92c6f592b0275ULL,
+	0x4a7484aa6ea6e483ULL, 0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL,
+	0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL, 0xb00327c898fb213fULL,
+	0xbf597fc7beef0ee4ULL, 0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL,
+	0x06ca6351e003826fULL, 0x142929670a0e6e70ULL, 0x27b70a8546d22ffcULL,
+	0x2e1b21385c26c926ULL, 0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL,
+	0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL, 0x81c2c92e47edaee6ULL,
+	0x92722c851482353bULL, 0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL,
+	0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL, 0xd192e819d6ef5218ULL,
+	0xd69906245565a910ULL, 0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL,
+	0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL, 0x2748774cdf8eeb99ULL,
+	0x34b0bcb5e19b48a8ULL, 0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL,
+	0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL, 0x748f82ee5defb2fcULL,
+	0x78a5636f43172f60ULL, 0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL,
+	0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL, 0xbef9a3f7b2c67915ULL,
+	0xc67178f2e372532bULL, 0xca273eceea26619cULL, 0xd186b8c721c0c207ULL,
+	0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL, 0x06f067aa72176fbaULL,
+	0x0a637dc5a2c898a6ULL, 0x113f9804bef90daeULL, 0x1b710b35131c471bULL,
+	0x28db77f523047d84ULL, 0x32caab7b40c72493ULL, 0x3c9ebe0a15c9bebcULL,
+	0x431d67c49c100d4cULL, 0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL,
+	0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL
+};
+
+
+/* set macros for SHA256 */
+#define Ch(x,y,z)   (((x) & (y)) ^ ((~(x)) & (z)))
+#define Maj(x,y,z)  (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
+#define R(x,y)      ((y) >> (x))
+
+#define S(x,y)      (((y) >> (x)) | ((y) << (32 - (x))))
+#define uSig0(x)    ((S(2,(x))) ^ (S(13,(x))) ^ (S(22,(x))))
+#define uSig1(x)    ((S(6,(x))) ^ (S(11,(x))) ^ (S(25,(x))))
+#define lSig0(x)    ((S(7,(x))) ^ (S(18,(x))) ^ (R(3,(x))))
+#define lSig1(x)    ((S(17,(x))) ^ (S(19,(x))) ^ (R(10,(x))))
+
+/**
+ * Single block SHA256 transformation
+ */
+static void sha256_transform(private_sha256_hasher_t *ctx, 
+							 const unsigned char *datap)
+{
+	register int    j;
+	u_int32_t       a, b, c, d, e, f, g, h;
+	u_int32_t       T1, T2, W[64], Wm2, Wm15;
+
+	/* read the data, big endian byte order */
+	j = 0;
+	do {
+		W[j] = (((u_int32_t)(datap[0]))<<24) | (((u_int32_t)(datap[1]))<<16) |
+				(((u_int32_t)(datap[2]))<<8 ) | ((u_int32_t)(datap[3]));
+		datap += 4;
+	} while(++j < 16);
+
+	/* initialize variables a...h */
+	a = ctx->sha_H[0];
+	b = ctx->sha_H[1];
+	c = ctx->sha_H[2];
+	d = ctx->sha_H[3];
+	e = ctx->sha_H[4];
+	f = ctx->sha_H[5];
+	g = ctx->sha_H[6];
+	h = ctx->sha_H[7];
+
+	/* apply compression function */
+	j = 0;
+	do
+	{
+		if(j >= 16) 
+		{
+			Wm2 = W[j - 2];
+			Wm15 = W[j - 15];
+			W[j] = lSig1(Wm2) + W[j - 7] + lSig0(Wm15) + W[j - 16];
+		}
+		T1 = h + uSig1(e) + Ch(e,f,g) + sha256_K[j] + W[j];
+		T2 = uSig0(a) + Maj(a,b,c);
+		h = g; g = f; f = e;
+		e = d + T1;
+		d = c; c = b; b = a;
+		a = T1 + T2;
+	} while(++j < 64);
+
+	/* compute intermediate hash value */
+	ctx->sha_H[0] += a;
+	ctx->sha_H[1] += b;
+	ctx->sha_H[2] += c;
+	ctx->sha_H[3] += d;
+	ctx->sha_H[4] += e;
+	ctx->sha_H[5] += f;
+	ctx->sha_H[6] += g;
+	ctx->sha_H[7] += h;
+
+	ctx->sha_blocks++;
+}
+
+/**
+ * Update SHA256 hash
+ */
+static void sha256_write(private_sha256_hasher_t *ctx, 
+						 const unsigned char *datap, int length)
+{
+	while(length > 0)
+	{
+		if(!ctx->sha_bufCnt)
+		{
+			while(length >= sizeof(ctx->sha_out))
+			{
+				sha256_transform(ctx, datap);
+				datap += sizeof(ctx->sha_out);
+				length -= sizeof(ctx->sha_out);
+			}
+			if(!length) return;
+		}
+		ctx->sha_out[ctx->sha_bufCnt] = *datap++;
+		length--;
+		if(++ctx->sha_bufCnt == sizeof(ctx->sha_out))
+		{
+			sha256_transform(ctx, &ctx->sha_out[0]);
+			ctx->sha_bufCnt = 0;
+		}
+	}
+}
+
+/**
+ * finalize SHA256 hash
+ */
+static void sha256_final(private_sha256_hasher_t *ctx)
+{
+	register int    j;
+	u_int64_t       bitLength;
+	u_int32_t       i;
+	unsigned char   padByte, *datap;
+
+	bitLength = (ctx->sha_blocks << 9) | (ctx->sha_bufCnt << 3);
+	padByte = 0x80;
+	sha256_write(ctx, &padByte, 1);
+
+	/* pad extra space with zeroes */
+	padByte = 0;
+	while(ctx->sha_bufCnt != 56)
+	{
+		sha256_write(ctx, &padByte, 1);
+	}
+	
+	/* write bit length, big endian byte order */
+	ctx->sha_out[56] = bitLength >> 56;
+	ctx->sha_out[57] = bitLength >> 48;
+	ctx->sha_out[58] = bitLength >> 40;
+	ctx->sha_out[59] = bitLength >> 32;
+	ctx->sha_out[60] = bitLength >> 24;
+	ctx->sha_out[61] = bitLength >> 16;
+	ctx->sha_out[62] = bitLength >> 8;
+	ctx->sha_out[63] = bitLength;
+	sha256_transform(ctx, &ctx->sha_out[0]);
+	
+	/* return results in ctx->sha_out[0...31] */
+	datap = &ctx->sha_out[0];
+	j = 0;
+	do {
+		i = ctx->sha_H[j];
+		datap[0] = i >> 24;
+		datap[1] = i >> 16;
+		datap[2] = i >> 8;
+		datap[3] = i;
+		datap += 4;
+	} while(++j < 8);
+}
+
+/* update macros for SHA512 */
+#undef S
+#undef uSig0
+#undef uSig1
+#undef lSig0
+#undef lSig1
+#define S(x,y)      (((y) >> (x)) | ((y) << (64 - (x))))
+#define uSig0(x)    ((S(28,(x))) ^ (S(34,(x))) ^ (S(39,(x))))
+#define uSig1(x)    ((S(14,(x))) ^ (S(18,(x))) ^ (S(41,(x))))
+#define lSig0(x)    ((S(1,(x))) ^ (S(8,(x))) ^ (R(7,(x))))
+#define lSig1(x)    ((S(19,(x))) ^ (S(61,(x))) ^ (R(6,(x))))
+
+/**
+ * Single block SHA384/SHA512 transformation
+ */
+static void sha512_transform(private_sha512_hasher_t *ctx, 
+							 const unsigned char *datap)
+{
+	register int    j;
+	u_int64_t       a, b, c, d, e, f, g, h;
+	u_int64_t       T1, T2, W[80], Wm2, Wm15;
+
+	/* read the data, big endian byte order */
+	j = 0;
+	do {
+		W[j] = (((u_int64_t)(datap[0]))<<56) | (((u_int64_t)(datap[1]))<<48) |
+				(((u_int64_t)(datap[2]))<<40) | (((u_int64_t)(datap[3]))<<32) |
+				(((u_int64_t)(datap[4]))<<24) | (((u_int64_t)(datap[5]))<<16) |
+				(((u_int64_t)(datap[6]))<<8 ) | ((u_int64_t)(datap[7]));
+		datap += 8;
+	} while(++j < 16);
+
+	/* initialize variables a...h */
+	a = ctx->sha_H[0];
+	b = ctx->sha_H[1];
+	c = ctx->sha_H[2];
+	d = ctx->sha_H[3];
+	e = ctx->sha_H[4];
+	f = ctx->sha_H[5];
+	g = ctx->sha_H[6];
+	h = ctx->sha_H[7];
+
+	/* apply compression function */
+	j = 0;
+	do {
+		if(j >= 16) {
+			Wm2 = W[j - 2];
+			Wm15 = W[j - 15];
+			W[j] = lSig1(Wm2) + W[j - 7] + lSig0(Wm15) + W[j - 16];
+		}
+		T1 = h + uSig1(e) + Ch(e,f,g) + sha512_K[j] + W[j];
+		T2 = uSig0(a) + Maj(a,b,c);
+		h = g; g = f; f = e;
+		e = d + T1;
+		d = c; c = b; b = a;
+		a = T1 + T2;
+	} while(++j < 80);
+
+	/* compute intermediate hash value */
+	ctx->sha_H[0] += a;
+	ctx->sha_H[1] += b;
+	ctx->sha_H[2] += c;
+	ctx->sha_H[3] += d;
+	ctx->sha_H[4] += e;
+	ctx->sha_H[5] += f;
+	ctx->sha_H[6] += g;
+	ctx->sha_H[7] += h;
+
+	ctx->sha_blocks++;
+	if(!ctx->sha_blocks) ctx->sha_blocksMSB++;
+}
+
+/**
+ * Update a SHA384/SHA512 hash
+ */
+static void sha512_write(private_sha512_hasher_t *ctx, 
+						 const unsigned char *datap, int length)
+{
+	while(length > 0) 
+	{
+		if(!ctx->sha_bufCnt) 
+		{
+			while(length >= sizeof(ctx->sha_out)) 
+			{
+				sha512_transform(ctx, datap);
+				datap += sizeof(ctx->sha_out);
+				length -= sizeof(ctx->sha_out);
+			}
+			if(!length) return;
+		}
+		ctx->sha_out[ctx->sha_bufCnt] = *datap++;
+		length--;
+		if(++ctx->sha_bufCnt == sizeof(ctx->sha_out)) 
+		{
+			sha512_transform(ctx, &ctx->sha_out[0]);
+			ctx->sha_bufCnt = 0;
+		}
+	}
+}
+
+/**
+ * Finalize a SHA384/SHA512 hash
+ */
+static void sha512_final(private_sha512_hasher_t *ctx)
+{
+	register int    j;
+	u_int64_t       bitLength, bitLengthMSB;
+	u_int64_t       i;
+	unsigned char   padByte, *datap;
+
+	bitLength = (ctx->sha_blocks << 10) | (ctx->sha_bufCnt << 3);
+	bitLengthMSB = (ctx->sha_blocksMSB << 10) | (ctx->sha_blocks >> 54);
+	padByte = 0x80;
+	sha512_write(ctx, &padByte, 1);
+
+	/* pad extra space with zeroes */
+	padByte = 0;
+	while(ctx->sha_bufCnt != 112) 
+	{
+		sha512_write(ctx, &padByte, 1);
+	}
+
+	/* write bit length, big endian byte order */
+	ctx->sha_out[112] = bitLengthMSB >> 56;
+	ctx->sha_out[113] = bitLengthMSB >> 48;
+	ctx->sha_out[114] = bitLengthMSB >> 40;
+	ctx->sha_out[115] = bitLengthMSB >> 32;
+	ctx->sha_out[116] = bitLengthMSB >> 24;
+	ctx->sha_out[117] = bitLengthMSB >> 16;
+	ctx->sha_out[118] = bitLengthMSB >> 8;
+	ctx->sha_out[119] = bitLengthMSB;
+	ctx->sha_out[120] = bitLength >> 56;
+	ctx->sha_out[121] = bitLength >> 48;
+	ctx->sha_out[122] = bitLength >> 40;
+	ctx->sha_out[123] = bitLength >> 32;
+	ctx->sha_out[124] = bitLength >> 24;
+	ctx->sha_out[125] = bitLength >> 16;
+	ctx->sha_out[126] = bitLength >> 8;
+	ctx->sha_out[127] = bitLength;
+	sha512_transform(ctx, &ctx->sha_out[0]);
+	
+	/* return results in ctx->sha_out[0...63] */
+	datap = &ctx->sha_out[0];
+	j = 0;
+	do {
+		i = ctx->sha_H[j];
+		datap[0] = i >> 56;
+		datap[1] = i >> 48;
+		datap[2] = i >> 40;
+		datap[3] = i >> 32;
+		datap[4] = i >> 24;
+		datap[5] = i >> 16;
+		datap[6] = i >> 8;
+		datap[7] = i;
+		datap += 8;
+	} while(++j < 8);
+}
+
+/**
+ * Implementation of hasher_t.get_hash for SHA256.
+ */
+static void get_hash256(private_sha256_hasher_t *this, 
+						chunk_t chunk, u_int8_t *buffer)
+{
+	sha256_write(this, chunk.ptr, chunk.len);
+	if (buffer != NULL)
+	{
+		sha256_final(this);
+		memcpy(buffer, this->sha_out, HASH_SIZE_SHA256);
+		this->public.hasher_interface.reset(&(this->public.hasher_interface));
+	}
+}
+
+/**
+ * Implementation of hasher_t.get_hash for SHA384.
+ */
+static void get_hash384(private_sha512_hasher_t *this,
+						chunk_t chunk, u_int8_t *buffer)
+{
+	sha512_write(this, chunk.ptr, chunk.len);
+	if (buffer != NULL)
+	{
+		sha512_final(this);
+		memcpy(buffer, this->sha_out, HASH_SIZE_SHA384);
+		this->public.hasher_interface.reset(&(this->public.hasher_interface));
+	}
+}
+
+/**
+ * Implementation of hasher_t.get_hash for SHA512.
+ */
+static void get_hash512(private_sha512_hasher_t *this,
+						chunk_t chunk, u_int8_t *buffer)
+{
+	sha512_write(this, chunk.ptr, chunk.len);
+	if (buffer != NULL)
+	{
+		sha512_final(this);
+		memcpy(buffer, this->sha_out, HASH_SIZE_SHA512);
+		this->public.hasher_interface.reset(&(this->public.hasher_interface));
+	}
+}
+
+/**
+ * Implementation of hasher_t.allocate_hash for SHA256.
+ */
+static void allocate_hash256(private_sha256_hasher_t *this, 
+							 chunk_t chunk, chunk_t *hash)
+{
+	chunk_t allocated_hash;
+	
+	sha256_write(this, chunk.ptr, chunk.len);
+	if (hash != NULL)
+	{
+		sha256_final(this);
+		allocated_hash = chunk_alloc(HASH_SIZE_SHA256);
+		memcpy(allocated_hash.ptr, this->sha_out, HASH_SIZE_SHA256);
+		this->public.hasher_interface.reset(&(this->public.hasher_interface));
+		*hash = allocated_hash;
+	}
+}
+
+/**
+ * Implementation of hasher_t.allocate_hash for SHA384.
+ */
+static void allocate_hash384(private_sha512_hasher_t *this, 
+							 chunk_t chunk, chunk_t *hash)
+{
+	chunk_t allocated_hash;
+	
+	sha512_write(this, chunk.ptr, chunk.len);
+	if (hash != NULL)
+	{
+		sha512_final(this);
+		allocated_hash = chunk_alloc(HASH_SIZE_SHA384);
+		memcpy(allocated_hash.ptr, this->sha_out, HASH_SIZE_SHA384);
+		this->public.hasher_interface.reset(&(this->public.hasher_interface));
+		*hash = allocated_hash;
+	}
+}
+
+/**
+ * Implementation of hasher_t.allocate_hash for SHA512.
+ */
+static void allocate_hash512(private_sha512_hasher_t *this, 
+							 chunk_t chunk, chunk_t *hash)
+{
+	chunk_t allocated_hash;
+	
+	sha512_write(this, chunk.ptr, chunk.len);
+	if (hash != NULL)
+	{
+		sha512_final(this);
+		allocated_hash = chunk_alloc(HASH_SIZE_SHA512);
+		memcpy(allocated_hash.ptr, this->sha_out, HASH_SIZE_SHA512);
+		this->public.hasher_interface.reset(&(this->public.hasher_interface));
+		*hash = allocated_hash;
+	}
+}
+
+/**
+ * Implementation of hasher_t.get_hash_size for SHA256.
+ */
+static size_t get_hash_size256(private_sha256_hasher_t *this)
+{
+	return HASH_SIZE_SHA256;
+}
+	
+/**
+ * Implementation of hasher_t.get_hash_size for SHA384.
+ */
+static size_t get_hash_size384(private_sha512_hasher_t *this)
+{
+	return HASH_SIZE_SHA384;
+}
+	
+/**
+ * Implementation of hasher_t.get_hash_size for SHA512.
+ */
+static size_t get_hash_size512(private_sha512_hasher_t *this)
+{
+	return HASH_SIZE_SHA512;
+}
+
+/**
+ * Implementation of hasher_t.reset for SHA256
+ */
+static void reset256(private_sha256_hasher_t *ctx)
+{
+	memcpy(&ctx->sha_H[0], &sha256_hashInit[0], sizeof(ctx->sha_H));
+	ctx->sha_blocks = 0;
+	ctx->sha_bufCnt = 0;
+}
+
+/**
+ * Implementation of hasher_t.reset for SHA384
+ */
+static void reset384(private_sha512_hasher_t *ctx)
+{
+	memcpy(&ctx->sha_H[0], &sha384_hashInit[0], sizeof(ctx->sha_H));
+	ctx->sha_blocks = 0;
+	ctx->sha_blocksMSB = 0;
+	ctx->sha_bufCnt = 0;
+}
+
+/**
+ * Implementation of hasher_t.reset for SHA512
+ */
+static void reset512(private_sha512_hasher_t *ctx)
+{
+	memcpy(&ctx->sha_H[0], &sha512_hashInit[0], sizeof(ctx->sha_H));
+	ctx->sha_blocks = 0;
+	ctx->sha_blocksMSB = 0;
+	ctx->sha_bufCnt = 0;
+}
+
+/**
+ * Implementation of hasher_t.destroy.
+ */
+static void destroy(sha2_hasher_t *this)
+{
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+sha2_hasher_t *sha2_hasher_create(hash_algorithm_t algorithm)
+{
+	sha2_hasher_t *this;
+	
+	switch (algorithm)
+	{
+		case HASH_SHA256:
+			this = (sha2_hasher_t*)malloc_thing(private_sha256_hasher_t);
+			this->hasher_interface.reset = (void(*)(hasher_t*))reset256;
+			this->hasher_interface.get_hash_size = (size_t(*)(hasher_t*))get_hash_size256;
+			this->hasher_interface.get_hash = (void(*)(hasher_t*,chunk_t,u_int8_t*))get_hash256;
+			this->hasher_interface.allocate_hash = (void(*)(hasher_t*,chunk_t,chunk_t*))allocate_hash256;
+			break;
+		case HASH_SHA384:
+			/* uses SHA512 data structure */
+			this = (sha2_hasher_t*)malloc_thing(private_sha512_hasher_t);
+			this->hasher_interface.reset = (void(*)(hasher_t*))reset384;
+			this->hasher_interface.get_hash_size = (size_t(*)(hasher_t*))get_hash_size384;
+			this->hasher_interface.get_hash = (void(*)(hasher_t*,chunk_t,u_int8_t*))get_hash384;
+			this->hasher_interface.allocate_hash = (void(*)(hasher_t*,chunk_t,chunk_t*))allocate_hash384;
+			break;
+		case HASH_SHA512:
+			this = (sha2_hasher_t*)malloc_thing(private_sha512_hasher_t);
+			this->hasher_interface.reset = (void(*)(hasher_t*))reset512;
+			this->hasher_interface.get_hash_size = (size_t(*)(hasher_t*))get_hash_size512;
+			this->hasher_interface.get_hash = (void(*)(hasher_t*,chunk_t,u_int8_t*))get_hash512;
+			this->hasher_interface.allocate_hash = (void(*)(hasher_t*,chunk_t,chunk_t*))allocate_hash512;
+			break;
+		default:
+			return NULL;
+	}
+	this->hasher_interface.destroy = (void(*)(hasher_t*))destroy;
+	
+	/* initialize */
+	this->hasher_interface.reset(&this->hasher_interface);
+	
+	return this;
+}
diff --git a/src/libstrongswan/plugins/sha2/sha2_hasher.h b/src/libstrongswan/plugins/sha2/sha2_hasher.h
new file mode 100644
index 000000000..6d732495a
--- /dev/null
+++ b/src/libstrongswan/plugins/sha2/sha2_hasher.h
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) 2006-2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup sha2_hasher sha2_hasher
+ * @{ @ingroup sha2_p
+ */
+
+#ifndef SHA2_HASHER_H_
+#define SHA2_HASHER_H_
+
+typedef struct sha2_hasher_t sha2_hasher_t;
+
+#include <crypto/hashers/hasher.h>
+
+/**
+ * Implementation of hasher_t interface using the SHA2 algorithms.
+ *
+ * SHA2 is an other name for the SHA-256, SHA-384 and SHA-512 variants of
+ * the SHA hash algorithm.
+ */
+struct sha2_hasher_t {
+	
+	/**
+	 * Generic hasher_t interface for this hasher.
+	 */
+	hasher_t hasher_interface;
+};
+
+/**
+ * Creates a new sha2_hasher_t.
+ * 
+ * @param	algorithm	HASH_SHA256, HASH_SHA384 or HASH_SHA512
+ * @return				sha2_hasher_t object, NULL if not supported
+ */
+sha2_hasher_t *sha2_hasher_create(hash_algorithm_t algorithm);
+
+#endif /* SHA2_HASHER_H_ @}*/
diff --git a/src/libstrongswan/plugins/sha2/sha2_plugin.c b/src/libstrongswan/plugins/sha2/sha2_plugin.c
new file mode 100644
index 000000000..ebb2947ef
--- /dev/null
+++ b/src/libstrongswan/plugins/sha2/sha2_plugin.c
@@ -0,0 +1,64 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id: sha2_plugin.c 3488 2008-02-21 15:10:02Z martin $
+ */
+
+#include "sha2_plugin.h"
+
+#include <library.h>
+#include "sha2_hasher.h"
+
+typedef struct private_sha2_plugin_t private_sha2_plugin_t;
+
+/**
+ * private data of sha2_plugin
+ */
+struct private_sha2_plugin_t {
+
+	/**
+	 * public functions
+	 */
+	sha2_plugin_t public;
+};
+
+/**
+ * Implementation of sha2_plugin_t.destroy
+ */
+static void destroy(private_sha2_plugin_t *this)
+{
+	lib->crypto->remove_hasher(lib->crypto,
+							   (hasher_constructor_t)sha2_hasher_create);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *plugin_create()
+{
+	private_sha2_plugin_t *this = malloc_thing(private_sha2_plugin_t);
+	
+	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+	
+	lib->crypto->add_hasher(lib->crypto, HASH_SHA256,
+							(hasher_constructor_t)sha2_hasher_create);
+	lib->crypto->add_hasher(lib->crypto, HASH_SHA384,
+							(hasher_constructor_t)sha2_hasher_create);
+	lib->crypto->add_hasher(lib->crypto, HASH_SHA512,
+							(hasher_constructor_t)sha2_hasher_create);
+	
+	return &this->public.plugin;
+}
+
diff --git a/src/libstrongswan/plugins/sha2/sha2_plugin.h b/src/libstrongswan/plugins/sha2/sha2_plugin.h
new file mode 100644
index 000000000..859597758
--- /dev/null
+++ b/src/libstrongswan/plugins/sha2/sha2_plugin.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup sha2_p sha2
+ * @ingroup plugins
+ *
+ * @defgroup sha2_plugin sha2_plugin
+ * @{ @ingroup sha2_p
+ */
+
+#ifndef SHA2_PLUGIN_H_
+#define SHA2_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct sha2_plugin_t sha2_plugin_t;
+
+/**
+ * Plugin implementing the SHA256, SHA384 and SHA512 algorithms in software.
+ */
+struct sha2_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+/**
+ * Create a sha2_plugin instance.
+ */
+plugin_t *plugin_create();
+
+#endif /* SHA2_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/sqlite/Makefile.am b/src/libstrongswan/plugins/sqlite/Makefile.am
new file mode 100644
index 000000000..7c3017abf
--- /dev/null
+++ b/src/libstrongswan/plugins/sqlite/Makefile.am
@@ -0,0 +1,12 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = -rdynamic
+
+plugin_LTLIBRARIES = libstrongswan-sqlite.la
+
+libstrongswan_sqlite_la_SOURCES = sqlite_plugin.h sqlite_plugin.c  \
+	sqlite_database.h sqlite_database.c
+libstrongswan_sqlite_la_LDFLAGS = -module
+libstrongswan_sqlite_la_LIBADD = -lsqlite3
+
diff --git a/src/libstrongswan/plugins/sqlite/Makefile.in b/src/libstrongswan/plugins/sqlite/Makefile.in
new file mode 100644
index 000000000..3a73829dc
--- /dev/null
+++ b/src/libstrongswan/plugins/sqlite/Makefile.in
@@ -0,0 +1,499 @@
+# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libstrongswan/plugins/sqlite
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__installdirs = "$(DESTDIR)$(plugindir)"
+pluginLTLIBRARIES_INSTALL = $(INSTALL)
+LTLIBRARIES = $(plugin_LTLIBRARIES)
+libstrongswan_sqlite_la_DEPENDENCIES =
+am_libstrongswan_sqlite_la_OBJECTS = sqlite_plugin.lo \
+	sqlite_database.lo
+libstrongswan_sqlite_la_OBJECTS =  \
+	$(am_libstrongswan_sqlite_la_OBJECTS)
+libstrongswan_sqlite_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_sqlite_la_LDFLAGS) $(LDFLAGS) -o $@
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_sqlite_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_sqlite_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+CXXDEPMODE = @CXXDEPMODE@
+CXXFLAGS = @CXXFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DSYMUTIL = @DSYMUTIL@
+ECHO = @ECHO@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+F77 = @F77@
+FFLAGS = @FFLAGS@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
+IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LINUX_HEADERS = @LINUX_HEADERS@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+NMEDIT = @NMEDIT@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+RANLIB = @RANLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_CXX = @ac_ct_CXX@
+ac_ct_F77 = @ac_ct_F77@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+confdir = @confdir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libstrongswan_plugins = @libstrongswan_plugins@
+linuxdir = @linuxdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+resolv_conf = @resolv_conf@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+simreader = @simreader@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+AM_CFLAGS = -rdynamic
+plugin_LTLIBRARIES = libstrongswan-sqlite.la
+libstrongswan_sqlite_la_SOURCES = sqlite_plugin.h sqlite_plugin.c  \
+	sqlite_database.h sqlite_database.c
+
+libstrongswan_sqlite_la_LDFLAGS = -module
+libstrongswan_sqlite_la_LIBADD = -lsqlite3
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
+		&& exit 0; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/libstrongswan/plugins/sqlite/Makefile'; \
+	cd $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu  src/libstrongswan/plugins/sqlite/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    f=$(am__strip_dir) \
+	    echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(plugindir)/$$f'"; \
+	    $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(plugindir)/$$f"; \
+	  else :; fi; \
+	done
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  p=$(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$p'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$p"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-sqlite.la: $(libstrongswan_sqlite_la_OBJECTS) $(libstrongswan_sqlite_la_DEPENDENCIES) 
+	$(libstrongswan_sqlite_la_LINK) -rpath $(plugindir) $(libstrongswan_sqlite_la_OBJECTS) $(libstrongswan_sqlite_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sqlite_database.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sqlite_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	    $$tags $$unique; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$tags $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) $$here
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	    fi; \
+	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
+	mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-info: install-info-am
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
+	distclean-compile distclean-generic distclean-libtool \
+	distclean-tags distdir dvi dvi-am html html-am info info-am \
+	install install-am install-data install-data-am install-dvi \
+	install-dvi-am install-exec install-exec-am install-html \
+	install-html-am install-info install-info-am install-man \
+	install-pdf install-pdf-am install-pluginLTLIBRARIES \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libstrongswan/plugins/sqlite/sqlite_database.c b/src/libstrongswan/plugins/sqlite/sqlite_database.c
new file mode 100644
index 000000000..d5a03894d
--- /dev/null
+++ b/src/libstrongswan/plugins/sqlite/sqlite_database.c
@@ -0,0 +1,321 @@
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id: sqlite_database.c 3911 2008-05-07 14:41:13Z martin $
+ */
+
+#include "sqlite_database.h"
+
+#include <sqlite3.h>
+#include <library.h>
+#include <debug.h>
+#include <utils/mutex.h>
+
+typedef struct private_sqlite_database_t private_sqlite_database_t;
+
+/**
+ * private data of sqlite_database
+ */
+struct private_sqlite_database_t {
+
+	/**
+	 * public functions
+	 */
+	sqlite_database_t public;
+	
+	/**
+	 * sqlite database connection
+	 */
+	sqlite3 *db;
+	
+	/**
+	 * mutex used to lock execute()
+	 */
+	mutex_t *mutex;
+};
+
+/**
+ * Create and run a sqlite stmt using a sql string and args
+ */
+static sqlite3_stmt* run(private_sqlite_database_t *this, char *sql,
+						 va_list *args)
+{
+	sqlite3_stmt *stmt = NULL;
+	int params, i, res = SQLITE_OK;
+
+#ifdef HAVE_SQLITE3_PREPARE_V2
+	if (sqlite3_prepare_v2(this->db, sql, -1, &stmt, NULL) == SQLITE_OK)
+#else
+	if (sqlite3_prepare(this->db, sql, -1, &stmt, NULL) == SQLITE_OK)
+#endif
+	{
+		params = sqlite3_bind_parameter_count(stmt);
+		for (i = 1; i <= params; i++)
+		{
+			switch (va_arg(*args, db_type_t))
+			{
+				case DB_INT:
+				{
+					res = sqlite3_bind_int(stmt, i, va_arg(*args, int));
+					break;
+				}
+				case DB_UINT:
+				{
+					res = sqlite3_bind_int64(stmt, i, va_arg(*args, u_int));
+					break;
+				}
+				case DB_TEXT:
+				{
+					const char *text = va_arg(*args, const char*);
+					res = sqlite3_bind_text(stmt, i, text, -1, SQLITE_STATIC);
+					break;
+				}
+				case DB_BLOB:
+				{
+					chunk_t c = va_arg(*args, chunk_t);
+					res = sqlite3_bind_blob(stmt, i, c.ptr, c.len, SQLITE_STATIC);
+					break;
+				}
+				case DB_DOUBLE:
+				{
+					res = sqlite3_bind_double(stmt, i, va_arg(*args, double));
+					break;
+				}
+				case DB_NULL:
+				{
+					res = sqlite3_bind_null(stmt, i);
+					break;
+				}
+				default:
+				{
+					res = SQLITE_MISUSE;
+					break;
+				}
+			}
+			if (res != SQLITE_OK)
+			{
+				break;
+			}
+		}
+	}
+	else
+	{
+		DBG1("preparing sqlite statement failed: %s", sqlite3_errmsg(this->db));
+	}
+	if (res != SQLITE_OK)
+	{
+		DBG1("binding sqlite statement failed: %s", sqlite3_errmsg(this->db));
+		sqlite3_finalize(stmt);
+		return NULL;
+	}
+	return stmt;
+}
+
+typedef struct {
+	/** implements enumerator_t */
+	enumerator_t public;
+	/** associated sqlite statement */
+	sqlite3_stmt *stmt;
+	/** number of result columns */
+	int count;
+	/** column types */
+	db_type_t *columns;
+	/** reference to db connection */
+	sqlite3 *db;
+} sqlite_enumerator_t;
+
+/**
+ * destroy a sqlite enumerator
+ */
+static void sqlite_enumerator_destroy(sqlite_enumerator_t *this)
+{
+	sqlite3_finalize(this->stmt);
+	free(this->columns);
+	free(this);
+}
+
+/**
+ * Implementation of database.query().enumerate
+ */
+static bool sqlite_enumerator_enumerate(sqlite_enumerator_t *this, ...)
+{
+	int i;
+	va_list args;
+
+	switch (sqlite3_step(this->stmt))
+	{
+		case SQLITE_ROW:
+			break;
+		default:
+			DBG1("stepping sqlite statement failed: %s", sqlite3_errmsg(this->db));
+			/* fall */
+		case SQLITE_DONE:
+			return FALSE;
+	}
+	va_start(args, this);
+	for (i = 0; i < this->count; i++)
+	{
+		switch (this->columns[i])
+		{
+			case DB_INT:
+			{
+				int *value = va_arg(args, int*);
+				*value = sqlite3_column_int(this->stmt, i);
+				break;
+			}
+			case DB_UINT:
+			{
+				u_int *value = va_arg(args, u_int*);
+				*value = (u_int)sqlite3_column_int64(this->stmt, i);
+				break;
+			}
+			case DB_TEXT:
+			{
+				const unsigned char **value = va_arg(args, const unsigned char**);
+				*value = sqlite3_column_text(this->stmt, i);
+				break;
+			}
+			case DB_BLOB:
+			{
+				chunk_t *chunk = va_arg(args, chunk_t*);
+				chunk->len = sqlite3_column_bytes(this->stmt, i);
+				chunk->ptr = (u_char*)sqlite3_column_blob(this->stmt, i);
+				break;
+			}
+			case DB_DOUBLE:
+			{
+				double *value = va_arg(args, double*);
+				*value = sqlite3_column_double(this->stmt, i);
+				break;
+			}
+			default:
+				DBG1("invalid result type supplied");
+				return FALSE;
+		}
+	}
+	va_end(args);
+	return TRUE;
+}
+
+/**
+ * Implementation of database_t.query.
+ */
+static enumerator_t* query(private_sqlite_database_t *this, char *sql, ...)
+{
+	sqlite3_stmt *stmt;
+	va_list args;
+	sqlite_enumerator_t *enumerator = NULL;
+	int i;
+	
+	
+	va_start(args, sql);
+	stmt = run(this, sql, &args);
+	if (stmt)
+	{
+		enumerator = malloc_thing(sqlite_enumerator_t);
+		enumerator->public.enumerate = (void*)sqlite_enumerator_enumerate;
+		enumerator->public.destroy = (void*)sqlite_enumerator_destroy;
+		enumerator->stmt = stmt;
+		enumerator->count = sqlite3_column_count(stmt);
+		enumerator->columns = malloc(sizeof(db_type_t) * enumerator->count);
+		enumerator->db = this->db;
+		for (i = 0; i < enumerator->count; i++)
+		{
+			enumerator->columns[i] = va_arg(args, db_type_t);
+		}
+	}
+	va_end(args);
+	return (enumerator_t*)enumerator;
+}
+
+/**
+ * Implementation of database_t.execute.
+ */
+static int execute(private_sqlite_database_t *this, int *rowid, char *sql, ...)
+{
+	sqlite3_stmt *stmt;
+	int affected = -1;
+	va_list args;
+	
+	/* we need a lock to get our rowid/changes correctly */
+	this->mutex->lock(this->mutex);
+	va_start(args, sql);
+	stmt = run(this, sql, &args);
+	va_end(args);
+	if (stmt)
+	{
+		if (sqlite3_step(stmt) == SQLITE_DONE)
+		{
+			if (rowid)
+			{
+				*rowid = sqlite3_last_insert_rowid(this->db);
+			}
+			affected = sqlite3_changes(this->db);
+		}
+		else
+		{
+			DBG1("sqlite execute failed: %s", sqlite3_errmsg(this->db));
+		}
+		sqlite3_finalize(stmt);
+	}
+	this->mutex->unlock(this->mutex);
+	return affected;
+}
+
+/**
+ * Implementation of database_t.destroy
+ */
+static void destroy(private_sqlite_database_t *this)
+{
+	sqlite3_close(this->db);
+	this->mutex->destroy(this->mutex);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+sqlite_database_t *sqlite_database_create(char *uri)
+{
+	char *file;
+	private_sqlite_database_t *this;
+	
+	/**
+	 * parse sqlite:///path/to/file.db uri
+	 */
+	if (!strneq(uri, "sqlite://", 9))
+	{
+		return NULL;
+	}
+	file = uri + 9;
+	
+	this = malloc_thing(private_sqlite_database_t);
+	
+	this->public.db.query = (enumerator_t* (*)(database_t *this, char *sql, ...))query;
+	this->public.db.execute = (int (*)(database_t *this, int *rowid, char *sql, ...))execute;
+	this->public.db.destroy = (void(*)(database_t*))destroy;
+	
+	this->mutex = mutex_create(MUTEX_DEFAULT);
+	
+	if (sqlite3_open(file, &this->db) != SQLITE_OK)
+	{
+		DBG1("opening SQLite database '%s' failed: %s",
+			 file, sqlite3_errmsg(this->db));
+		destroy(this);
+		return NULL;
+	}
+	
+	return &this->public;
+}
+
diff --git a/src/libstrongswan/plugins/sqlite/sqlite_database.h b/src/libstrongswan/plugins/sqlite/sqlite_database.h
new file mode 100644
index 000000000..795785627
--- /dev/null
+++ b/src/libstrongswan/plugins/sqlite/sqlite_database.h
@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) 2007-2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup sqlite_database sqlite_database
+ * @{ @ingroup sqlite_p
+ */
+
+#ifndef SQLITE_DATABASE_H_
+#define SQLITE_DATABASE_H_
+
+#include <database/database.h>
+
+typedef struct sqlite_database_t sqlite_database_t;
+
+/**
+ * sqlite databse_t implementation.
+ */
+struct sqlite_database_t {
+
+	/**
+	 * Implements database_t
+	 */
+	database_t db;
+};
+
+/**
+ * Create a sqlite_database instance.
+ *
+ * @param uri			connection URI, sqlite:///path/to/file.db
+ */
+sqlite_database_t *sqlite_database_create(char *uri);
+
+#endif /* SQLITE_DATABASE_H_ @}*/
diff --git a/src/libstrongswan/plugins/sqlite/sqlite_plugin.c b/src/libstrongswan/plugins/sqlite/sqlite_plugin.c
new file mode 100644
index 000000000..441e59a5e
--- /dev/null
+++ b/src/libstrongswan/plugins/sqlite/sqlite_plugin.c
@@ -0,0 +1,60 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id: sqlite_plugin.c 3488 2008-02-21 15:10:02Z martin $
+ */
+
+#include "sqlite_plugin.h"
+
+#include <library.h>
+#include "sqlite_database.h"
+
+typedef struct private_sqlite_plugin_t private_sqlite_plugin_t;
+
+/**
+ * private data of sqlite_plugin
+ */
+struct private_sqlite_plugin_t {
+
+	/**
+	 * public functions
+	 */
+	sqlite_plugin_t public;
+};
+
+/**
+ * Implementation of plugin_t.destroy
+ */
+static void destroy(private_sqlite_plugin_t *this)
+{
+	lib->db->remove_database(lib->db,
+							 (database_constructor_t)sqlite_database_create);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *plugin_create()
+{
+	private_sqlite_plugin_t *this = malloc_thing(private_sqlite_plugin_t);
+	
+	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+	
+	lib->db->add_database(lib->db,
+						  (database_constructor_t)sqlite_database_create);
+
+	return &this->public.plugin;
+}
+
diff --git a/src/libstrongswan/plugins/sqlite/sqlite_plugin.h b/src/libstrongswan/plugins/sqlite/sqlite_plugin.h
new file mode 100644
index 000000000..07bf9618f
--- /dev/null
+++ b/src/libstrongswan/plugins/sqlite/sqlite_plugin.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup sqlite_p sqlite
+ * @ingroup plugins
+ *
+ * @defgroup sqlite_plugin sqlite_plugin
+ * @{ @ingroup sqlite_p
+ */
+
+#ifndef SQLITE_PLUGIN_H_
+#define SQLITE_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct sqlite_plugin_t sqlite_plugin_t;
+
+/**
+ * Plugin implementing sqlite database connectivity
+ */
+struct sqlite_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+/**
+ * Create a sqlite_plugin instance.
+ */
+plugin_t *plugin_create();
+
+#endif /* SQLITE_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/x509/Makefile.am b/src/libstrongswan/plugins/x509/Makefile.am
new file mode 100644
index 000000000..3f9f85c36
--- /dev/null
+++ b/src/libstrongswan/plugins/x509/Makefile.am
@@ -0,0 +1,16 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = -rdynamic
+
+plugin_LTLIBRARIES = libstrongswan-x509.la
+
+libstrongswan_x509_la_SOURCES = x509_plugin.h x509_plugin.c \
+  x509_cert.h x509_cert.c \
+  x509_crl.h x509_crl.c \
+  x509_ac.h x509_ac.c \
+  x509_ocsp_request.h x509_ocsp_request.c \
+  x509_ocsp_response.h x509_ocsp_response.c \
+  ietf_attr_list.h ietf_attr_list.c
+libstrongswan_x509_la_LDFLAGS = -module
+
diff --git a/src/libstrongswan/plugins/x509/Makefile.in b/src/libstrongswan/plugins/x509/Makefile.in
new file mode 100644
index 000000000..9178d6c8c
--- /dev/null
+++ b/src/libstrongswan/plugins/x509/Makefile.in
@@ -0,0 +1,508 @@
+# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libstrongswan/plugins/x509
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__installdirs = "$(DESTDIR)$(plugindir)"
+pluginLTLIBRARIES_INSTALL = $(INSTALL)
+LTLIBRARIES = $(plugin_LTLIBRARIES)
+libstrongswan_x509_la_LIBADD =
+am_libstrongswan_x509_la_OBJECTS = x509_plugin.lo x509_cert.lo \
+	x509_crl.lo x509_ac.lo x509_ocsp_request.lo \
+	x509_ocsp_response.lo ietf_attr_list.lo
+libstrongswan_x509_la_OBJECTS = $(am_libstrongswan_x509_la_OBJECTS)
+libstrongswan_x509_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_x509_la_LDFLAGS) $(LDFLAGS) -o $@
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_x509_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_x509_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+CXXDEPMODE = @CXXDEPMODE@
+CXXFLAGS = @CXXFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DSYMUTIL = @DSYMUTIL@
+ECHO = @ECHO@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+F77 = @F77@
+FFLAGS = @FFLAGS@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
+IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LINUX_HEADERS = @LINUX_HEADERS@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+NMEDIT = @NMEDIT@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+RANLIB = @RANLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_CXX = @ac_ct_CXX@
+ac_ct_F77 = @ac_ct_F77@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+confdir = @confdir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libstrongswan_plugins = @libstrongswan_plugins@
+linuxdir = @linuxdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+resolv_conf = @resolv_conf@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+simreader = @simreader@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+AM_CFLAGS = -rdynamic
+plugin_LTLIBRARIES = libstrongswan-x509.la
+libstrongswan_x509_la_SOURCES = x509_plugin.h x509_plugin.c \
+  x509_cert.h x509_cert.c \
+  x509_crl.h x509_crl.c \
+  x509_ac.h x509_ac.c \
+  x509_ocsp_request.h x509_ocsp_request.c \
+  x509_ocsp_response.h x509_ocsp_response.c \
+  ietf_attr_list.h ietf_attr_list.c
+
+libstrongswan_x509_la_LDFLAGS = -module
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
+		&& exit 0; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/libstrongswan/plugins/x509/Makefile'; \
+	cd $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu  src/libstrongswan/plugins/x509/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    f=$(am__strip_dir) \
+	    echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(plugindir)/$$f'"; \
+	    $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(plugindir)/$$f"; \
+	  else :; fi; \
+	done
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  p=$(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$p'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$p"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-x509.la: $(libstrongswan_x509_la_OBJECTS) $(libstrongswan_x509_la_DEPENDENCIES) 
+	$(libstrongswan_x509_la_LINK) -rpath $(plugindir) $(libstrongswan_x509_la_OBJECTS) $(libstrongswan_x509_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ietf_attr_list.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/x509_ac.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/x509_cert.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/x509_crl.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/x509_ocsp_request.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/x509_ocsp_response.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/x509_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	    $$tags $$unique; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$tags $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) $$here
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	    fi; \
+	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
+	mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-info: install-info-am
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
+	distclean-compile distclean-generic distclean-libtool \
+	distclean-tags distdir dvi dvi-am html html-am info info-am \
+	install install-am install-data install-data-am install-dvi \
+	install-dvi-am install-exec install-exec-am install-html \
+	install-html-am install-info install-info-am install-man \
+	install-pdf install-pdf-am install-pluginLTLIBRARIES \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libstrongswan/plugins/x509/ietf_attr_list.c b/src/libstrongswan/plugins/x509/ietf_attr_list.c
new file mode 100644
index 000000000..17f6949b2
--- /dev/null
+++ b/src/libstrongswan/plugins/x509/ietf_attr_list.c
@@ -0,0 +1,396 @@
+/* 
+ * Copyright (C) 2007 Andreas Steffen, Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <string.h>
+#include <stdio.h>
+
+#include <debug.h>
+#include <library.h>
+
+#include <asn1/oid.h>
+#include <asn1/asn1.h>
+#include <asn1/asn1_parser.h>
+#include <utils/lexparser.h>
+
+#include "ietf_attr_list.h"
+
+/**
+ * Private definition of ietfAttribute kinds
+ */
+typedef enum {
+	IETF_ATTRIBUTE_OCTETS =	0,
+	IETF_ATTRIBUTE_OID =	1,
+	IETF_ATTRIBUTE_STRING =	2
+} ietfAttribute_t;
+
+typedef struct ietfAttr_t ietfAttr_t;
+
+/**
+ * Private definition of an ietfAttribute
+ */
+struct ietfAttr_t {
+	/**
+	 * IETF attribute kind
+	 */
+	ietfAttribute_t kind;
+
+	/**
+	 * IETF attribute valuse
+	 */
+	chunk_t value;
+
+	/**
+	 * Compares two ietfAttributes
+	 *	
+	 * return -1 if this is earlier in the alphabet than other
+	 * return  0 if this equals other
+	 * return +1 if this is later in the alphabet than other
+	 *
+	 * @param this		calling object
+	 * @param other		other object
+	 */
+	int (*compare) (const ietfAttr_t *this ,const ietfAttr_t *other);
+
+	/**
+	 * Destroys the ietfAttr_t object.
+	 * 
+	 * @param this			ietfAttr_t to destroy
+	 */
+	void (*destroy) (ietfAttr_t *this);
+};
+
+/**
+ * Implements ietfAttr_t.compare.
+ */
+static int ietfAttr_compare(const ietfAttr_t *this ,const ietfAttr_t *other)
+{
+	int cmp_len, len, cmp_value;
+
+	/* OID attributes are appended after STRING and OCTETS attributes */
+	if (this->kind != IETF_ATTRIBUTE_OID && other->kind == IETF_ATTRIBUTE_OID)
+	{
+		return -1;
+	}
+	if (this->kind == IETF_ATTRIBUTE_OID && other->kind != IETF_ATTRIBUTE_OID)
+	{
+		return 1;
+	}
+	
+    cmp_len = this->value.len - other->value.len;
+    len = (cmp_len < 0)? this->value.len : other->value.len;
+    cmp_value = memcmp(this->value.ptr, other->value.ptr, len);
+
+    return (cmp_value == 0)? cmp_len : cmp_value;
+}
+
+/**
+ * Implements ietfAttr_t.destroy.
+ */
+static void ietfAttr_destroy(ietfAttr_t *this)
+{
+	free(this->value.ptr);
+	free(this);
+}
+
+/**
+ * Creates an ietfAttr_t object.
+ */
+static ietfAttr_t *ietfAttr_create(ietfAttribute_t kind, chunk_t value)
+{
+	ietfAttr_t *this = malloc_thing(ietfAttr_t);
+
+	/* initialize */
+	this->kind = kind;
+	this->value = chunk_clone(value);
+
+	/* function */
+	this->compare = ietfAttr_compare;
+	this->destroy = ietfAttr_destroy;
+
+	return this;
+}
+
+/**
+ * Adds an ietfAttr_t object to a sorted linked list
+ */
+static void ietfAttr_add(linked_list_t *list, ietfAttr_t *attr)
+{
+	iterator_t *iterator = list->create_iterator(list, TRUE);
+	ietfAttr_t *current_attr;
+	bool found = FALSE;
+
+	while (iterator->iterate(iterator, (void **)&current_attr))
+	{
+		int cmp = attr->compare(attr, current_attr);
+
+		if (cmp > 0)
+		{
+			 continue;
+		}
+		if (cmp == 0)
+		{
+			attr->destroy(attr);
+		}
+		else
+		{
+			iterator->insert_before(iterator, attr);
+		}
+		found = TRUE;
+		break;
+	}
+	iterator->destroy(iterator);
+	if (!found)
+	{
+		list->insert_last(list, attr);
+	}
+}
+
+/*
+ * Described in header.
+ */
+bool ietfAttr_list_equals(linked_list_t *list_a, linked_list_t *list_b)
+{
+	 bool result = TRUE;
+
+	/* lists must have the same number of attributes */
+	if (list_a->get_count(list_a) != list_b->get_count(list_b))
+	{
+		return FALSE;
+	}
+	/* empty lists - no attributes */
+	if (list_a->get_count(list_a) == 0)
+	{
+		return TRUE;
+	}
+
+	/* compare two alphabetically-sorted lists */
+	{
+		iterator_t *iterator_a = list_a->create_iterator(list_a, TRUE);
+		iterator_t *iterator_b = list_b->create_iterator(list_b, TRUE);
+		ietfAttr_t *attr_a, *attr_b;
+
+		while (iterator_a->iterate(iterator_a, (void **)&attr_a) &&
+			   iterator_b->iterate(iterator_b, (void **)&attr_b))
+		{
+			if (attr_a->compare(attr_a, attr_b) != 0)
+			{
+				/* we have a mismatch */
+				result = FALSE;
+				break;
+			}
+  		}
+		iterator_a->destroy(iterator_a);
+		iterator_b->destroy(iterator_b);
+	}
+	return result;
+}
+
+/*
+ * Described in header.
+ */
+void ietfAttr_list_list(linked_list_t *list, FILE *out)
+{
+	iterator_t *iterator = list->create_iterator(list, TRUE);
+	ietfAttr_t *attr;
+	bool first = TRUE;
+
+	while (iterator->iterate(iterator, (void **)&attr))
+	{
+		if (first)
+		{
+			first = FALSE;
+		}
+		else
+		{
+			fprintf(out, ", ");
+		}
+
+		switch (attr->kind)
+		{
+			case IETF_ATTRIBUTE_OCTETS:
+			case IETF_ATTRIBUTE_STRING:
+				fprintf(out, "%.*s", (int)attr->value.len, attr->value.ptr);
+				break;
+			case IETF_ATTRIBUTE_OID:
+				{
+					int oid = asn1_known_oid(attr->value);
+
+					if (oid == OID_UNKNOWN)
+					{
+						fprintf(out, "0x#B", &attr->value);
+					}
+					else
+					{
+						fprintf(out, "%s", oid_names[oid]);
+					}
+				}
+	    		break;
+			default:
+	    		break;
+  		}
+	}
+	iterator->destroy(iterator);
+}
+
+/*
+ * Described in header.
+ */
+void ietfAttr_list_create_from_string(char *msg, linked_list_t *list)
+{
+	chunk_t line = { msg, strlen(msg) };
+
+	while (eat_whitespace(&line))
+	{
+		chunk_t group;
+
+		/* extract the next comma-separated group attribute */
+		if (!extract_token(&group, ',', &line))
+		{
+			group = line;
+			line.len = 0;
+		}
+
+		/* remove any trailing spaces */
+		while (group.len > 0 && *(group.ptr + group.len - 1) == ' ')
+		{
+			group.len--;
+		}
+
+		/* add the group attribute to the list */
+		if (group.len > 0)
+		{
+			ietfAttr_t *attr = ietfAttr_create(IETF_ATTRIBUTE_STRING, group);
+		
+			ietfAttr_add(list, attr);
+		}
+	}
+}
+
+/**
+ * ASN.1 definition of ietfAttrSyntax
+ */
+static const asn1Object_t ietfAttrSyntaxObjects[] =
+{
+	{ 0, "ietfAttrSyntax",		ASN1_SEQUENCE,		ASN1_NONE }, /*  0 */
+	{ 1,   "policyAuthority",	ASN1_CONTEXT_C_0,	ASN1_OPT |
+													ASN1_BODY }, /*  1 */
+	{ 1,   "end opt",			ASN1_EOC,			ASN1_END  }, /*  2 */
+	{ 1,   "values",			ASN1_SEQUENCE,		ASN1_LOOP }, /*  3 */
+	{ 2,     "octets",			ASN1_OCTET_STRING,	ASN1_OPT |
+													ASN1_BODY }, /*  4 */
+	{ 2,     "end choice",		ASN1_EOC,			ASN1_END  }, /*  5 */
+	{ 2,     "oid",				ASN1_OID,			ASN1_OPT |
+													ASN1_BODY }, /*  6 */
+	{ 2,     "end choice",		ASN1_EOC,			ASN1_END  }, /*  7 */
+	{ 2,     "string",			ASN1_UTF8STRING,	ASN1_OPT |
+													ASN1_BODY }, /*  8 */
+	{ 2,     "end choice",		ASN1_EOC,			ASN1_END  }, /*  9 */
+	{ 1,   "end loop",			ASN1_EOC,			ASN1_END  }, /* 10 */
+	{ 0, "exit",				ASN1_EOC,			ASN1_EXIT }
+};
+#define IETF_ATTR_OCTETS	 4
+#define IETF_ATTR_OID		 6
+#define IETF_ATTR_STRING	 8
+
+/*
+ * Described in header.
+ */
+void ietfAttr_list_create_from_chunk(chunk_t chunk, linked_list_t *list, int level0)
+{
+	asn1_parser_t *parser;
+	chunk_t object;
+	int objectID;
+
+	parser = asn1_parser_create(ietfAttrSyntaxObjects, chunk);
+	parser->set_top_level(parser, level0);
+
+	while (parser->iterate(parser, &objectID, &object))
+	{
+		switch (objectID)
+		{
+			case IETF_ATTR_OCTETS:
+			case IETF_ATTR_OID:
+			case IETF_ATTR_STRING:
+				{
+					ietfAttribute_t kind = (objectID - IETF_ATTR_OCTETS) / 2;
+					ietfAttr_t *attr   = ietfAttr_create(kind, object);
+					ietfAttr_add(list, attr);
+				}
+				break;
+			default:
+				break;
+		}
+	}
+	parser->destroy(parser);
+}
+
+/*
+ * Described in header.
+ */
+chunk_t ietfAttr_list_encode(linked_list_t *list)
+{
+	chunk_t ietfAttributes;
+	size_t size = 0;
+	u_char *pos;
+	iterator_t *iterator = list->create_iterator(list, TRUE);
+	ietfAttr_t *attr;
+
+	/* precalculate the total size of all values */
+	while (iterator->iterate(iterator, (void **)&attr))
+	{
+		size_t len = attr->value.len;
+
+		size += 1 + (len > 0) + (len >= 128) + (len >= 256) + (len >= 65536) + len;
+	}
+	iterator->destroy(iterator);
+
+	pos = asn1_build_object(&ietfAttributes, ASN1_SEQUENCE, size);
+
+	iterator = list->create_iterator(list, TRUE);
+	while (iterator->iterate(iterator, (void **)&attr))
+	{
+		chunk_t ietfAttribute;
+		asn1_t type = ASN1_NULL;
+
+		switch (attr->kind)
+		{
+			case IETF_ATTRIBUTE_OCTETS:
+				type = ASN1_OCTET_STRING;
+				break;
+			case IETF_ATTRIBUTE_STRING:
+				type = ASN1_UTF8STRING;
+				break;
+			case IETF_ATTRIBUTE_OID:
+				type = ASN1_OID;
+				break;
+		}
+		ietfAttribute = asn1_simple_object(type, attr->value);
+
+		/* copy ietfAttribute into ietfAttributes chunk */
+		memcpy(pos, ietfAttribute.ptr, ietfAttribute.len); 
+		pos += ietfAttribute.len;
+		free(ietfAttribute.ptr);
+	}
+	iterator->destroy(iterator);
+
+	return asn1_wrap(ASN1_SEQUENCE, "m", ietfAttributes);
+}
+
+/*
+ * Described in header.
+ */
+void ietfAttr_list_destroy(linked_list_t *list)
+{
+	list->destroy_offset(list, offsetof(ietfAttr_t, destroy));
+}
diff --git a/src/libstrongswan/plugins/x509/ietf_attr_list.h b/src/libstrongswan/plugins/x509/ietf_attr_list.h
new file mode 100644
index 000000000..e3e4add61
--- /dev/null
+++ b/src/libstrongswan/plugins/x509/ietf_attr_list.h
@@ -0,0 +1,81 @@
+/*
+ * Copyright (C) 2007 Andreas Steffen
+ *
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+/**
+ * @defgroup ietf_attr_list ietf_attr_list
+ * @{ @ingroup x509_p
+ */
+
+#ifndef IETF_ATTR_LIST_H_
+#define IETF_ATTR_LIST_H_
+
+#include <library.h>
+#include <utils/linked_list.h>
+
+
+/**
+ * @brief Compare two linked lists of ietfAttr_t objects for equality
+ *
+ * @param list_a	first alphabetically-sorted list
+ * @param list_b	second alphabetically-sorted list
+ * @return			TRUE if equal	
+ */
+bool ietfAttr_list_equals(linked_list_t *list_a, linked_list_t *list_b);
+
+/**
+ * @brief Lists a linked list of ietfAttr_t objects
+ *
+ * @param list		alphabetically-sorted linked list of attributes
+ * @param out		output file	
+ */
+void ietfAttr_list_list(linked_list_t *list, FILE *out);
+
+/**
+ * @brief Create a linked list of ietfAttr_t objects from a string
+ *
+ * @param msg		string with comma-separated group names
+ * @param list		alphabetically-sorted linked list of attributes
+  */
+void ietfAttr_list_create_from_string(char *msg, linked_list_t *list);
+
+/**
+ * @brief Create a linked list of ietfAttr_t objects from an ASN.1-coded chunk
+ *
+ * @param chunk		chunk containing ASN.1-coded attributes
+ * @param list		alphabetically-sorted linked list of attributes
+ * @param level0	parsing level
+ */
+void ietfAttr_list_create_from_chunk(chunk_t chunk, linked_list_t *list, int level0);
+
+/**
+ * @brief Encode a linked list of ietfAttr_t objects into an ASN.1-coded chunk
+ *
+ * @param list		alphabetically-sorted linked list of attributes
+ * @return			chunk containing ASN.1-coded attributes
+ */
+chunk_t ietfAttr_list_encode(linked_list_t *list);
+
+/**
+ * @brief Destroys a linked list of ietfAttr_t objects
+ *
+ * @param list		list to be destroyed
+ */
+void ietfAttr_list_destroy(linked_list_t *list);
+
+#endif /* IETF_ATTR_LIST_H_ @}*/
+
diff --git a/src/libstrongswan/plugins/x509/x509_ac.c b/src/libstrongswan/plugins/x509/x509_ac.c
new file mode 100644
index 000000000..cfa38c66b
--- /dev/null
+++ b/src/libstrongswan/plugins/x509/x509_ac.c
@@ -0,0 +1,1140 @@
+/*
+ * Copyright (C) 2002 Ueli Galizzi, Ariane Seiler
+ * Copyright (C) 2003 Martin Berner, Lukas Suter
+ * Copyright (C) 2002-2008 Andreas Steffen
+ *
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+#include "x509_ac.h"
+#include "ietf_attr_list.h"
+
+#include <library.h>
+#include <debug.h>
+#include <asn1/oid.h>
+#include <asn1/asn1.h>
+#include <asn1/asn1_parser.h>
+#include <asn1/pem.h>
+#include <utils/identification.h>
+#include <utils/linked_list.h>
+#include <credentials/certificates/x509.h>
+
+extern identification_t* x509_parse_authorityKeyIdentifier(chunk_t blob,
+							 int level0, chunk_t *authKeySerialNumber);
+
+typedef struct private_x509_ac_t private_x509_ac_t;
+
+/**
+ * private data of x509_ac_t object
+ */
+struct private_x509_ac_t {
+
+	/**
+	 * public functions
+	 */
+	x509_ac_t public;
+	
+	/**
+	 * X.509 attribute certificate encoding in ASN.1 DER format
+	 */
+	chunk_t encoding;
+
+	/**
+	 * X.509 attribute certificate body over which signature is computed
+	 */
+	chunk_t certificateInfo;
+
+	/**
+	 * Version of the X.509 attribute certificate
+	 */
+	u_int version;
+
+	/**
+	 * Serial number of the X.509 attribute certificate
+	 */
+	chunk_t serialNumber;
+
+	/**
+	 * ID representing the issuer of the holder certificate
+	 */
+	identification_t *holderIssuer;
+
+	/**
+	 * Serial number of the holder certificate
+	 */
+	chunk_t holderSerial;
+
+	/**
+	 * ID representing the holder
+	 */
+	identification_t *entityName;
+	
+	/**
+	 * ID representing the attribute certificate issuer
+	 */
+	identification_t *issuerName;
+
+	/**
+	 * Start time of certificate validity
+	 */
+	time_t notBefore;
+
+	/**
+	 * End time of certificate validity
+	 */
+	time_t notAfter;
+
+	/**
+	 * List of charging attributes
+	 */
+	linked_list_t *charging;
+
+	/**
+	 * List of groub attributes
+	 */
+	linked_list_t *groups;
+
+	/**
+	 * Authority Key Identifier
+	 */
+	identification_t *authKeyIdentifier;
+
+	/**
+	 * Authority Key Serial Number
+	 */
+	chunk_t authKeySerialNumber;
+
+	/**
+	 * No revocation information available
+	 */
+	bool noRevAvail;
+
+	/**
+	 * Signature algorithm
+	 */
+	int algorithm;
+
+	/**
+	 * Signature
+	 */
+	chunk_t signature;
+
+    /**
+     * Holder certificate
+     */
+	certificate_t *holderCert;
+
+    /**
+     * Signer certificate
+     */
+	certificate_t *signerCert;
+
+   /**
+    * Signer private key;
+    */
+	private_key_t *signerKey;
+
+	/**
+	 * reference count
+	 */
+	refcount_t ref;
+};
+
+static u_char ASN1_group_oid_str[] = {
+	0x06, 0x08,
+		  0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x0a ,0x04
+};
+
+static const chunk_t ASN1_group_oid = chunk_from_buf(ASN1_group_oid_str);
+
+static u_char ASN1_authorityKeyIdentifier_oid_str[] = {
+	0x06, 0x03,
+		  0x55, 0x1d, 0x23
+};
+
+static const chunk_t ASN1_authorityKeyIdentifier_oid =
+	 			 	 	chunk_from_buf(ASN1_authorityKeyIdentifier_oid_str);
+
+static u_char ASN1_noRevAvail_ext_str[] = {
+	0x30, 0x09,
+		  0x06, 0x03,
+				0x55, 0x1d, 0x38,
+		  0x04, 0x02,
+				0x05, 0x00
+};
+
+static const chunk_t ASN1_noRevAvail_ext = chunk_from_buf(ASN1_noRevAvail_ext_str);
+
+/**
+ * declaration of function implemented in x509_cert.c
+ */
+extern void x509_parse_generalNames(chunk_t blob, int level0, bool implicit,
+									linked_list_t *list);
+/**
+ * parses a directoryName
+ */
+static bool parse_directoryName(chunk_t blob, int level, bool implicit, identification_t **name)
+{
+	bool has_directoryName;
+	linked_list_t *list = linked_list_create();
+
+	x509_parse_generalNames(blob, level, implicit, list);
+	has_directoryName = list->get_count(list) > 0;
+
+	if (has_directoryName)
+	{
+		iterator_t *iterator = list->create_iterator(list, TRUE);
+		identification_t *directoryName;
+		bool first = TRUE;
+
+		while (iterator->iterate(iterator, (void**)&directoryName))
+		{
+			if (first)
+			{
+				*name = directoryName;
+				first = FALSE;
+			}
+			else
+			{
+				DBG1("more than one directory name - first selected");
+				directoryName->destroy(directoryName);
+			}
+		}
+		iterator->destroy(iterator);
+	}
+	else
+	{
+		DBG1("no directoryName found");
+	}
+
+	list->destroy(list);
+	return has_directoryName;
+}
+
+/**
+ * ASN.1 definition of roleSyntax
+ */
+static const asn1Object_t roleSyntaxObjects[] =
+{
+	{ 0, "roleSyntax",		ASN1_SEQUENCE,		ASN1_NONE }, /* 0 */
+	{ 1,   "roleAuthority",	ASN1_CONTEXT_C_0,	ASN1_OPT |
+												ASN1_OBJ  }, /* 1 */
+	{ 1,   "end opt",		ASN1_EOC,			ASN1_END  }, /* 2 */
+	{ 1,   "roleName",		ASN1_CONTEXT_C_1,	ASN1_OBJ  }, /* 3 */
+	{ 0, "exit",			ASN1_EOC,			ASN1_EXIT }
+};
+
+/**
+ * Parses roleSyntax
+ */
+static void parse_roleSyntax(chunk_t blob, int level0)
+{
+	asn1_parser_t *parser;
+	chunk_t object;
+	int objectID;
+
+	parser = asn1_parser_create(roleSyntaxObjects, blob);
+	parser->set_top_level(parser, level0);
+
+	while (parser->iterate(parser, &objectID, &object))
+	{
+		switch (objectID)
+		{
+			default:
+				break;
+		}
+	}
+	parser->destroy(parser);
+}
+
+/**
+ * ASN.1 definition of an X509 attribute certificate
+ */
+static const asn1Object_t acObjects[] =
+{
+	{ 0, "AttributeCertificate",			ASN1_SEQUENCE,		  ASN1_OBJ  }, /*  0 */
+	{ 1,   "AttributeCertificateInfo",		ASN1_SEQUENCE,		  ASN1_OBJ  }, /*  1 */
+	{ 2,	   "version",					ASN1_INTEGER,		  ASN1_DEF |
+																  ASN1_BODY }, /*  2 */
+	{ 2,	   "holder",					ASN1_SEQUENCE,		  ASN1_NONE }, /*  3 */
+	{ 3,	     "baseCertificateID",		ASN1_CONTEXT_C_0,	  ASN1_OPT  }, /*  4 */
+	{ 4,	       "issuer",				ASN1_SEQUENCE,		  ASN1_OBJ  }, /*  5 */
+	{ 4,	       "serial",				ASN1_INTEGER,		  ASN1_BODY }, /*  6 */
+	{ 4,         "issuerUID",				ASN1_BIT_STRING,	  ASN1_OPT |
+																  ASN1_BODY }, /*  7 */
+	{ 4,         "end opt",					ASN1_EOC,			  ASN1_END  }, /*  8 */
+	{ 3,       "end opt",					ASN1_EOC,			  ASN1_END  }, /*  9 */
+	{ 3,	   "entityName",				ASN1_CONTEXT_C_1,	  ASN1_OPT |
+																  ASN1_OBJ  }, /* 10 */
+	{ 3,       "end opt",					ASN1_EOC,			  ASN1_END  }, /* 11 */
+	{ 3,	     "objectDigestInfo",		ASN1_CONTEXT_C_2,	  ASN1_OPT  }, /* 12 */
+	{ 4,	       "digestedObjectType",	ASN1_ENUMERATED,	  ASN1_BODY }, /* 13 */
+	{ 4,	       "otherObjectTypeID",		ASN1_OID,			  ASN1_OPT |
+																  ASN1_BODY }, /* 14 */
+	{ 4,         "end opt",					ASN1_EOC,			  ASN1_END  }, /* 15 */
+	{ 4,         "digestAlgorithm",			ASN1_EOC,			  ASN1_RAW  }, /* 16 */
+	{ 3,       "end opt",					ASN1_EOC,			  ASN1_END  }, /* 17 */
+	{ 2,	   "v2Form",					ASN1_CONTEXT_C_0,	  ASN1_NONE }, /* 18 */
+	{ 3,	     "issuerName",				ASN1_SEQUENCE,		  ASN1_OPT |
+																  ASN1_OBJ  }, /* 19 */
+	{ 3,       "end opt",					ASN1_EOC,			  ASN1_END  }, /* 20 */
+	{ 3,	     "baseCertificateID",		ASN1_CONTEXT_C_0,	  ASN1_OPT  }, /* 21 */
+	{ 4,	       "issuerSerial",			ASN1_SEQUENCE,		  ASN1_NONE }, /* 22 */
+	{ 5,	         "issuer",				ASN1_SEQUENCE,		  ASN1_OBJ  }, /* 23 */
+	{ 5,	  	 "serial",					ASN1_INTEGER,		  ASN1_BODY }, /* 24 */
+	{ 5,           "issuerUID",				ASN1_BIT_STRING,	  ASN1_OPT |
+																  ASN1_BODY }, /* 25 */
+	{ 5,           "end opt",				ASN1_EOC,			  ASN1_END  }, /* 26 */
+	{ 3,       "end opt",					ASN1_EOC,			  ASN1_END  }, /* 27 */
+	{ 3,       "objectDigestInfo",			ASN1_CONTEXT_C_1,	  ASN1_OPT  }, /* 28 */
+	{ 4,	       "digestInfo",			ASN1_SEQUENCE,		  ASN1_OBJ  }, /* 29 */
+	{ 5,  	 "digestedObjectType",			ASN1_ENUMERATED,	  ASN1_BODY }, /* 30 */
+	{ 5,	  	 "otherObjectTypeID",		ASN1_OID,			  ASN1_OPT |
+																  ASN1_BODY }, /* 31 */
+	{ 5,           "end opt",				ASN1_EOC,			  ASN1_END  }, /* 32 */
+	{ 5,           "digestAlgorithm",		ASN1_EOC,			  ASN1_RAW  }, /* 33 */
+	{ 3,       "end opt",					ASN1_EOC,			  ASN1_END  }, /* 34 */
+	{ 2,	   "signature",					ASN1_EOC,			  ASN1_RAW  }, /* 35 */
+	{ 2,	   "serialNumber",				ASN1_INTEGER,		  ASN1_BODY }, /* 36 */
+	{ 2,	   "attrCertValidityPeriod",	ASN1_SEQUENCE,		  ASN1_NONE }, /* 37 */
+	{ 3,	     "notBeforeTime",			ASN1_GENERALIZEDTIME, ASN1_BODY }, /* 38 */
+	{ 3,	     "notAfterTime",			ASN1_GENERALIZEDTIME, ASN1_BODY }, /* 39 */
+	{ 2,	   "attributes",				ASN1_SEQUENCE,		  ASN1_LOOP }, /* 40 */
+	{ 3,       "attribute",					ASN1_SEQUENCE,		  ASN1_NONE }, /* 41 */
+	{ 4,         "type",					ASN1_OID,			  ASN1_BODY }, /* 42 */
+	{ 4,         "values",					ASN1_SET, 			  ASN1_LOOP }, /* 43 */
+	{ 5,           "value",					ASN1_EOC, 			  ASN1_RAW  }, /* 44 */
+	{ 4, 	       "end loop",				ASN1_EOC,			  ASN1_END  }, /* 45 */
+	{ 2,     "end loop",					ASN1_EOC,			  ASN1_END  }, /* 46 */
+	{ 2,     "extensions",					ASN1_SEQUENCE,		  ASN1_LOOP }, /* 47 */
+	{ 3,       "extension",					ASN1_SEQUENCE,		  ASN1_NONE }, /* 48 */
+	{ 4,         "extnID",					ASN1_OID,			  ASN1_BODY }, /* 49 */
+	{ 4,         "critical",				ASN1_BOOLEAN,		  ASN1_DEF |
+																  ASN1_BODY }, /* 50 */
+	{ 4,         "extnValue",				ASN1_OCTET_STRING,	  ASN1_BODY }, /* 51 */
+	{ 2,     "end loop",					ASN1_EOC,			  ASN1_END  }, /* 52 */
+	{ 1,   "signatureAlgorithm",			ASN1_EOC,			  ASN1_RAW  }, /* 53 */
+	{ 1,   "signatureValue",				ASN1_BIT_STRING,	  ASN1_BODY }, /* 54 */
+	{ 0, "exit",							ASN1_EOC,			  ASN1_EXIT }
+};
+#define AC_OBJ_CERTIFICATE_INFO		 1
+#define AC_OBJ_VERSION				 2
+#define AC_OBJ_HOLDER_ISSUER		 5
+#define AC_OBJ_HOLDER_SERIAL		 6
+#define AC_OBJ_ENTITY_NAME			10
+#define AC_OBJ_ISSUER_NAME			19
+#define AC_OBJ_ISSUER				23
+#define AC_OBJ_SIG_ALG				35
+#define AC_OBJ_SERIAL_NUMBER		36
+#define AC_OBJ_NOT_BEFORE			38
+#define AC_OBJ_NOT_AFTER			39
+#define AC_OBJ_ATTRIBUTE_TYPE		42
+#define AC_OBJ_ATTRIBUTE_VALUE		44
+#define AC_OBJ_EXTN_ID				49
+#define AC_OBJ_CRITICAL				50
+#define AC_OBJ_EXTN_VALUE			51
+#define AC_OBJ_ALGORITHM			53
+#define AC_OBJ_SIGNATURE			54
+
+/**
+ * Parses an X.509 attribute certificate
+ */
+static bool parse_certificate(private_x509_ac_t *this)
+{
+	asn1_parser_t *parser;
+	chunk_t object;
+	int objectID;
+	int type     = OID_UNKNOWN;
+	int extn_oid = OID_UNKNOWN;
+	int sig_alg  = OID_UNKNOWN;
+	bool success = FALSE;
+	bool critical;
+
+	parser = asn1_parser_create(acObjects, this->encoding);
+
+	while (parser->iterate(parser, &objectID, &object))
+	{
+		u_int level = parser->get_level(parser)+1;
+
+		switch (objectID)
+		{
+			case AC_OBJ_CERTIFICATE_INFO:
+				this->certificateInfo = object;
+				break;
+			case AC_OBJ_VERSION:
+				this->version = (object.len) ? (1 + (u_int)*object.ptr) : 1;
+				DBG2("  v%d", this->version);
+				if (this->version != 2)
+				{
+					DBG1("v%d attribute certificates are not supported", this->version);
+					goto end;
+				}
+				break;
+			case AC_OBJ_HOLDER_ISSUER:
+				if (!parse_directoryName(object, level, FALSE, &this->holderIssuer))
+				{
+					goto end;
+				}
+				break;
+			case AC_OBJ_HOLDER_SERIAL:
+				this->holderSerial = object;
+				break;
+			case AC_OBJ_ENTITY_NAME:
+				if (!parse_directoryName(object, level, TRUE, &this->entityName))
+				{
+					goto end;
+				}
+				break;
+			case AC_OBJ_ISSUER_NAME:
+				if (!parse_directoryName(object, level, FALSE, &this->issuerName))
+				{
+					goto end;
+				}
+				break;
+			case AC_OBJ_SIG_ALG:
+				sig_alg = asn1_parse_algorithmIdentifier(object, level, NULL);
+				break;
+			case AC_OBJ_SERIAL_NUMBER:
+				this->serialNumber = object;
+				break;
+			case AC_OBJ_NOT_BEFORE:
+				this->notBefore = asn1_to_time(&object, ASN1_GENERALIZEDTIME);
+				break;
+			case AC_OBJ_NOT_AFTER:
+				this->notAfter = asn1_to_time(&object, ASN1_GENERALIZEDTIME);
+				break;
+			case AC_OBJ_ATTRIBUTE_TYPE:
+				type = asn1_known_oid(object);
+				break;
+			case AC_OBJ_ATTRIBUTE_VALUE:
+			{
+				switch (type)
+				{
+					case OID_AUTHENTICATION_INFO:
+						DBG2("  need to parse authenticationInfo");
+						break;
+					case OID_ACCESS_IDENTITY:
+						DBG2("  need to parse accessIdentity");
+						break;
+					case OID_CHARGING_IDENTITY:
+						ietfAttr_list_create_from_chunk(object, this->charging, level);
+						break;
+					case OID_GROUP:
+						ietfAttr_list_create_from_chunk(object, this->groups, level);
+						break;
+					case OID_ROLE:
+						parse_roleSyntax(object, level);
+						break;
+					default:
+						break;
+				}
+				break;
+			}
+			case AC_OBJ_EXTN_ID:
+				extn_oid = asn1_known_oid(object);
+				break;
+			case AC_OBJ_CRITICAL:
+				critical = object.len && *object.ptr;
+				DBG2("  %s",(critical)?"TRUE":"FALSE");
+				break;
+			case AC_OBJ_EXTN_VALUE:
+			{
+				switch (extn_oid)
+				{
+					case OID_CRL_DISTRIBUTION_POINTS:
+						DBG2("  need to parse crlDistributionPoints");
+						break;
+					case OID_AUTHORITY_KEY_ID:
+						this->authKeyIdentifier = x509_parse_authorityKeyIdentifier(object,
+						 							level, &this->authKeySerialNumber);
+						break;
+					case OID_TARGET_INFORMATION:
+						DBG2("  need to parse targetInformation");
+						break;
+					case OID_NO_REV_AVAIL:
+						this->noRevAvail = TRUE;
+						break;
+					default:
+						break;
+				}
+				break;
+			}
+			case AC_OBJ_ALGORITHM:
+				this->algorithm = asn1_parse_algorithmIdentifier(object, level,
+																 NULL);
+				if (this->algorithm != sig_alg)
+				{
+					DBG1("  signature algorithms do not agree");
+					success = FALSE;
+					goto end;
+				}
+				break;
+			case AC_OBJ_SIGNATURE:
+				this->signature = object;
+				break;
+			default:
+				break;
+		}
+	}
+	success = parser->success(parser);
+
+end:
+	parser->destroy(parser);
+	return success;
+}
+
+/**
+ * build directoryName
+ */
+static chunk_t build_directoryName(asn1_t tag, chunk_t name)
+{
+	return asn1_wrap(tag, "m",
+		asn1_simple_object(ASN1_CONTEXT_C_4, name));
+}
+
+/**
+ * build holder
+ */
+static chunk_t build_holder(private_x509_ac_t *this)
+{
+	x509_t* x509 = (x509_t*)this->holderCert;
+	identification_t *issuer = this->holderCert->get_issuer(this->holderCert);
+	identification_t *subject = this->holderCert->get_subject(this->holderCert);
+
+	return asn1_wrap(ASN1_SEQUENCE, "mm",
+		asn1_wrap(ASN1_CONTEXT_C_0, "mm",
+			build_directoryName(ASN1_SEQUENCE, issuer->get_encoding(issuer)),
+			asn1_simple_object(ASN1_INTEGER, x509->get_serial(x509))
+		),
+		build_directoryName(ASN1_CONTEXT_C_1, subject->get_encoding(subject)));
+}
+
+/**
+ * build v2Form
+ */
+static chunk_t build_v2_form(private_x509_ac_t *this)
+{
+	identification_t *subject = this->signerCert->get_subject(this->signerCert);
+
+	return asn1_wrap(ASN1_CONTEXT_C_0, "m",
+		build_directoryName(ASN1_SEQUENCE, subject->get_encoding(subject)));
+}
+
+/**
+ * build attrCertValidityPeriod
+ */
+static chunk_t build_attr_cert_validity(private_x509_ac_t *this)
+{
+	return asn1_wrap(ASN1_SEQUENCE, "mm",
+				asn1_from_time(&this->notBefore, ASN1_GENERALIZEDTIME),
+				asn1_from_time(&this->notAfter,  ASN1_GENERALIZEDTIME));
+}
+
+
+/**
+ * build attribute type
+ */
+static chunk_t build_attribute_type(const chunk_t type, chunk_t content)
+{
+	return asn1_wrap(ASN1_SEQUENCE, "cm",
+				type,
+				asn1_wrap(ASN1_SET, "m", content));
+}
+
+/**
+ * build attributes
+ */
+static chunk_t build_attributes(private_x509_ac_t *this)
+{
+	return asn1_wrap(ASN1_SEQUENCE, "m",
+		build_attribute_type(ASN1_group_oid, ietfAttr_list_encode(this->groups)));
+}
+
+/**
+ * build authorityKeyIdentifier
+ */
+static chunk_t build_authorityKeyIdentifier(private_x509_ac_t *this)
+{
+	chunk_t keyIdentifier;
+	chunk_t authorityCertIssuer;
+	chunk_t authorityCertSerialNumber;
+	x509_t *x509 = (x509_t*)this->signerCert;
+	identification_t *issuer = this->signerCert->get_issuer(this->signerCert);
+	public_key_t *public = this->signerCert->get_public_key(this->signerCert);
+
+	if (public)
+	{
+		identification_t *keyid = public->get_id(public, ID_PUBKEY_SHA1);
+
+		this->authKeyIdentifier = keyid = keyid->clone(keyid);
+		keyIdentifier = keyid->get_encoding(keyid);		
+		public->destroy(public);
+	}
+	else
+	{
+		keyIdentifier = chunk_empty;
+	}
+	authorityCertIssuer = build_directoryName(ASN1_CONTEXT_C_1,
+								issuer->get_encoding(issuer));
+	authorityCertSerialNumber = asn1_simple_object(ASN1_CONTEXT_S_2,
+									x509->get_serial(x509));
+	return asn1_wrap(ASN1_SEQUENCE, "cm",
+				ASN1_authorityKeyIdentifier_oid,
+				asn1_wrap(ASN1_OCTET_STRING, "m",
+					asn1_wrap(ASN1_SEQUENCE, "cmm",
+						keyIdentifier,
+						authorityCertIssuer,
+						authorityCertSerialNumber
+					)
+				)
+		   );
+}
+
+/**
+ * build extensions
+ */
+static chunk_t build_extensions(private_x509_ac_t *this)
+{
+	return asn1_wrap(ASN1_SEQUENCE, "mc",
+				build_authorityKeyIdentifier(this),
+				ASN1_noRevAvail_ext);
+}
+
+/**
+ * build attributeCertificateInfo
+ */
+static chunk_t build_attr_cert_info(private_x509_ac_t *this)
+{
+	return asn1_wrap(ASN1_SEQUENCE, "cmmcmmmm",
+				ASN1_INTEGER_1,
+				build_holder(this),
+				build_v2_form(this),
+				asn1_algorithmIdentifier(OID_SHA1_WITH_RSA),
+				asn1_simple_object(ASN1_INTEGER, this->serialNumber),
+				build_attr_cert_validity(this),
+				build_attributes(this),
+				build_extensions(this));
+}
+
+
+/**
+ * build an X.509 attribute certificate
+ */
+static chunk_t build_ac(private_x509_ac_t *this)
+{
+	chunk_t signatureValue;
+    chunk_t attributeCertificateInfo;
+
+	attributeCertificateInfo = build_attr_cert_info(this);
+
+	this->signerKey->sign(this->signerKey, SIGN_RSA_EMSA_PKCS1_SHA1,
+						  attributeCertificateInfo, &signatureValue);
+
+	return asn1_wrap(ASN1_SEQUENCE, "mcm",
+				attributeCertificateInfo,
+				asn1_algorithmIdentifier(OID_SHA1_WITH_RSA),
+				asn1_bitstring("m", signatureValue));
+}
+
+/**
+ * Implementation of ac_t.get_serial.
+ */
+static chunk_t get_serial(private_x509_ac_t *this)
+{
+	return this->serialNumber;
+}
+
+/**
+ * Implementation of ac_t.get_holderSerial.
+ */
+static chunk_t get_holderSerial(private_x509_ac_t *this)
+{
+	return this->holderSerial;
+}
+
+/**
+ * Implementation of ac_t.get_holderIssuer.
+ */
+static identification_t* get_holderIssuer(private_x509_ac_t *this)
+{
+	return this->holderIssuer;
+}
+
+/**
+ * Implementation of ac_t.get_authKeyIdentifier.
+ */
+static identification_t* get_authKeyIdentifier(private_x509_ac_t *this)
+{
+	return this->authKeyIdentifier;
+}
+
+/**
+ * Implementation of certificate_t.get_type
+ */
+static certificate_type_t get_type(private_x509_ac_t *this)
+{
+	return CERT_X509_AC;
+}
+
+/**
+ * Implementation of certificate_t.get_subject
+ */
+static identification_t* get_subject(private_x509_ac_t *this)
+{
+	return this->entityName;
+}
+
+/**
+ * Implementation of certificate_t.get_issuer
+ */
+static identification_t* get_issuer(private_x509_ac_t *this)
+{
+	return this->issuerName;
+}
+
+/**
+ * Implementation of certificate_t.has_subject.
+ */
+static id_match_t has_subject(private_x509_ac_t *this, identification_t *subject)
+{
+	return ID_MATCH_NONE;	
+}
+
+/**
+ * Implementation of certificate_t.has_issuer.
+ */
+static id_match_t has_issuer(private_x509_ac_t *this, identification_t *issuer)
+{
+	id_match_t match;
+
+	if (issuer->get_type(issuer) == ID_PUBKEY_SHA1)
+	{
+		if (this->authKeyIdentifier)
+		{
+			match = issuer->matches(issuer, this->authKeyIdentifier);
+		}
+		else
+		{
+			match = ID_MATCH_NONE;
+		}
+	}
+	else
+	{
+		match = this->issuerName->matches(this->issuerName, issuer);
+	}
+	return match;
+}
+
+/**
+ * Implementation of certificate_t.issued_by
+ */
+static bool issued_by(private_x509_ac_t *this, certificate_t *issuer)
+{
+	public_key_t *key;
+	signature_scheme_t scheme;
+	bool valid;
+	x509_t *x509 = (x509_t*)issuer;
+	
+	/* check if issuer is an X.509 AA certificate */
+	if (issuer->get_type(issuer) != CERT_X509)
+	{
+		return FALSE;
+	}
+	if (!(x509->get_flags(x509) & X509_AA))
+	{
+		return FALSE;
+	}
+
+	/* get the public key of the issuer */
+	key = issuer->get_public_key(issuer);
+
+	/* compare keyIdentifiers if available, otherwise use DNs */
+	if (this->authKeyIdentifier && key)
+	{
+		identification_t *subjectKeyIdentifier = key->get_id(key, ID_PUBKEY_SHA1);
+
+		if (!subjectKeyIdentifier->equals(subjectKeyIdentifier,
+										  this->authKeyIdentifier))
+		{
+			return FALSE;
+		}
+	}
+	else 
+	{
+		if (!this->issuerName->equals(this->issuerName, issuer->get_subject(issuer)))
+		{
+			return FALSE;
+		}
+	}
+	/* TODO: generic OID to scheme mapper? */
+	switch (this->algorithm)
+	{
+		case OID_MD5_WITH_RSA:
+			scheme = SIGN_RSA_EMSA_PKCS1_MD5;
+			break;
+		case OID_SHA1_WITH_RSA:
+			scheme = SIGN_RSA_EMSA_PKCS1_SHA1;
+			break;
+		case OID_SHA256_WITH_RSA:
+			scheme = SIGN_RSA_EMSA_PKCS1_SHA256;
+			break;
+		case OID_SHA384_WITH_RSA:
+			scheme = SIGN_RSA_EMSA_PKCS1_SHA384;
+			break;
+		case OID_SHA512_WITH_RSA:
+			scheme = SIGN_RSA_EMSA_PKCS1_SHA512;
+			break;
+		case OID_ECDSA_WITH_SHA1:
+			scheme = SIGN_ECDSA_WITH_SHA1;
+			break;
+		default:
+			return FALSE;
+	}
+	if (key == NULL)
+	{
+		return FALSE;
+	}
+	valid = key->verify(key, scheme, this->certificateInfo, this->signature);
+	key->destroy(key);
+	return valid;
+}
+
+/**
+ * Implementation of certificate_t.get_public_key.
+ */
+static public_key_t* get_public_key(private_x509_ac_t *this)
+{
+	return NULL;
+}
+
+/**
+ * Implementation of certificate_t.get_ref.
+ */
+static private_x509_ac_t* get_ref(private_x509_ac_t *this)
+{
+	ref_get(&this->ref);
+	return this;
+}
+
+/**
+ * Implementation of certificate_t.get_validity.
+ */
+static bool get_validity(private_x509_ac_t *this, time_t *when,
+						 time_t *not_before, time_t *not_after)
+{
+	time_t t;
+	
+	if (when)
+	{
+		t = *when;
+	}
+	else
+	{
+		t = time(NULL);
+	}
+	if (not_before)
+	{
+		*not_before = this->notBefore;
+	}
+	if (not_after)
+	{
+		*not_after = this->notAfter;
+	}
+	return (t >= this->notBefore && t <= this->notAfter);
+}
+
+/**
+ * Implementation of certificate_t.is_newer.
+ */
+static bool is_newer(private_x509_ac_t *this, ac_t *that)
+{
+	certificate_t *this_cert = &this->public.interface.certificate;
+	certificate_t *that_cert = &that->certificate;
+	time_t this_update, that_update, now = time(NULL);
+	bool new;
+
+	this_cert->get_validity(this_cert, &now, &this_update, NULL);
+	that_cert->get_validity(that_cert, &now, &that_update, NULL);
+	new = this_update > that_update;
+	DBG1("  attr cert from %#T is %s - existing attr_cert from %#T %s",
+			&this_update, FALSE, new ? "newer":"not newer",
+			&that_update, FALSE, new ? "replaced":"retained");
+	return new;
+}
+	
+/**
+ * Implementation of certificate_t.get_encoding.
+ */
+static chunk_t get_encoding(private_x509_ac_t *this)
+{
+	return chunk_clone(this->encoding);
+}
+
+/**
+ * Implementation of certificate_t.equals.
+ */
+static bool equals(private_x509_ac_t *this, certificate_t *other)
+{
+	chunk_t encoding;
+	bool equal;
+	
+	if ((certificate_t*)this == other)
+	{
+		return TRUE;
+	}
+	if (other->equals == (void*)equals)
+	{	/* skip allocation if we have the same implementation */
+		return chunk_equals(this->encoding, ((private_x509_ac_t*)other)->encoding); 
+	}
+	encoding = other->get_encoding(other);
+	equal = chunk_equals(this->encoding, encoding);
+	free(encoding.ptr);
+	return equal;
+}
+
+/**
+ * Implementation of x509_ac_t.destroy
+ */
+static void destroy(private_x509_ac_t *this)
+{
+	if (ref_put(&this->ref))
+	{
+		DESTROY_IF(this->holderIssuer);
+		DESTROY_IF(this->entityName);
+		DESTROY_IF(this->issuerName);
+		DESTROY_IF(this->authKeyIdentifier);
+		DESTROY_IF(this->holderCert);
+		DESTROY_IF(this->signerCert);
+		DESTROY_IF(this->signerKey);
+
+		ietfAttr_list_destroy(this->charging);
+		ietfAttr_list_destroy(this->groups);
+		free(this->encoding.ptr);
+		free(this);
+	}
+}
+
+/**
+ * create an empty but initialized X.509 attribute certificate
+ */
+static private_x509_ac_t *create_empty(void)
+{
+	private_x509_ac_t *this = malloc_thing(private_x509_ac_t);
+	
+	/* public functions */
+	this->public.interface.get_serial = (chunk_t (*)(ac_t*))get_serial;
+	this->public.interface.get_holderSerial = (chunk_t (*)(ac_t*))get_holderSerial;
+	this->public.interface.get_holderIssuer = (identification_t* (*)(ac_t*))get_holderIssuer;
+	this->public.interface.get_authKeyIdentifier = (identification_t* (*)(ac_t*))get_authKeyIdentifier;
+	this->public.interface.certificate.get_type = (certificate_type_t (*)(certificate_t *this))get_type;
+	this->public.interface.certificate.get_subject = (identification_t* (*)(certificate_t *this))get_subject;
+	this->public.interface.certificate.get_issuer = (identification_t* (*)(certificate_t *this))get_issuer;
+	this->public.interface.certificate.has_subject = (id_match_t(*)(certificate_t*, identification_t *subject))has_subject;
+	this->public.interface.certificate.has_issuer = (id_match_t(*)(certificate_t*, identification_t *issuer))has_issuer;
+	this->public.interface.certificate.issued_by = (bool (*)(certificate_t *this, certificate_t *issuer))issued_by;
+	this->public.interface.certificate.get_public_key = (public_key_t* (*)(certificate_t *this))get_public_key;
+	this->public.interface.certificate.get_validity = (bool(*)(certificate_t*, time_t *when, time_t *, time_t*))get_validity;
+	this->public.interface.certificate.is_newer = (bool (*)(certificate_t*,certificate_t*))is_newer;
+	this->public.interface.certificate.get_encoding = (chunk_t(*)(certificate_t*))get_encoding;
+	this->public.interface.certificate.equals = (bool(*)(certificate_t*, certificate_t *other))equals;
+	this->public.interface.certificate.get_ref = (certificate_t* (*)(certificate_t *this))get_ref;
+	this->public.interface.certificate.destroy = (void (*)(certificate_t *this))destroy;
+
+	/* initialize */
+	this->encoding = chunk_empty;
+	this->holderSerial = chunk_empty;
+	this->holderIssuer = NULL;
+	this->entityName = NULL;
+	this->issuerName = NULL;
+	this->authKeyIdentifier = NULL;
+	this->holderCert = NULL;
+	this->signerCert = NULL;
+	this->signerKey = NULL;
+	this->charging = linked_list_create();
+	this->groups = linked_list_create();
+	this->ref = 1;
+
+	return this;
+}
+
+/**
+ * create X.509 attribute certificate from a chunk
+ */
+static private_x509_ac_t* create_from_chunk(chunk_t chunk)
+{
+	private_x509_ac_t *this = create_empty();
+
+	this->encoding = chunk;
+	if (!parse_certificate(this))
+	{
+		destroy(this);
+		return NULL;
+	}
+	return this;
+}	
+
+/**
+ * create X.509 crl from a file
+ */
+static private_x509_ac_t* create_from_file(char *path)
+{
+	bool pgp = FALSE;
+	chunk_t chunk;
+	private_x509_ac_t *this;
+	
+	if (!pem_asn1_load_file(path, NULL, &chunk, &pgp))
+	{
+		return NULL;
+	}
+
+	this = create_from_chunk(chunk);
+
+	if (this == NULL)
+	{
+		DBG1("  could not parse loaded attribute certificate file '%s'", path);
+		return NULL;
+	}
+	DBG1("  loaded attribute certificate file '%s'", path);
+	return this;
+}
+	
+typedef struct private_builder_t private_builder_t;
+/**
+ * Builder implementation for certificate loading
+ */
+struct private_builder_t {
+	/** implements the builder interface */
+	builder_t public;
+	/** X.509 attribute certificate to build */
+	private_x509_ac_t *ac;
+};
+
+/**
+ * Implementation of builder_t.build
+ */
+static private_x509_ac_t* build(private_builder_t *this)
+{
+	private_x509_ac_t *ac = this->ac;
+
+	free(this);
+
+	/* synthesis if encoding does not exist */
+	if (ac && ac->encoding.ptr == NULL)
+	{
+		if (ac->holderCert && ac->signerCert && ac->signerKey)
+		{
+			ac->encoding = build_ac(ac);
+			return ac;
+		}
+		destroy(ac);
+		return NULL;
+	}
+	else
+	{
+		return ac;
+	}
+}
+
+/**
+ * Implementation of builder_t.add
+ */
+static void add(private_builder_t *this, builder_part_t part, ...)
+{
+	va_list args;
+	certificate_t *cert;
+
+	va_start(args, part);
+	switch (part)
+	{
+		case BUILD_FROM_FILE:
+			if (this->ac)
+			{
+				destroy(this->ac);
+			}
+			this->ac = create_from_file(va_arg(args, char*));
+			break;
+		case BUILD_BLOB_ASN1_DER:
+			if (this->ac)
+			{
+				destroy(this->ac);
+			}
+			this->ac = create_from_chunk(va_arg(args, chunk_t));
+			break;
+		case BUILD_NOT_BEFORE_TIME:
+			this->ac->notBefore = va_arg(args, time_t);
+			break;
+		case BUILD_NOT_AFTER_TIME:
+			this->ac->notAfter = va_arg(args, time_t);
+			break;
+		case BUILD_SERIAL:
+			this->ac->serialNumber = va_arg(args, chunk_t);
+			break;
+		case BUILD_IETF_GROUP_ATTR:
+			ietfAttr_list_create_from_string(va_arg(args, char*),
+											 this->ac->groups);
+			break;
+		case BUILD_CERT:
+			cert = va_arg(args, certificate_t*);
+			if (cert->get_type(cert) == CERT_X509)
+			{
+				this->ac->holderCert = cert;
+			}
+			else
+			{
+				cert->destroy(cert);
+			}
+			break;
+		case BUILD_SIGNING_CERT:
+			cert = va_arg(args, certificate_t*);
+			if (cert->get_type(cert) == CERT_X509)
+			{
+				this->ac->signerCert = cert;
+			}
+			else
+			{
+				cert->destroy(cert);
+			}
+			break;
+		case BUILD_SIGNING_KEY:
+			this->ac->signerKey = va_arg(args, private_key_t*);
+			break;
+		default:
+			DBG1("ignoring unsupported build part %N", builder_part_names, part);
+			break;
+	}
+	va_end(args);
+}
+
+/**
+ * Builder construction function
+ */
+builder_t *x509_ac_builder(certificate_type_t type)
+{
+	private_builder_t *this;
+	
+	if (type != CERT_X509_AC)
+	{
+		return NULL;
+	}
+	
+	this = malloc_thing(private_builder_t);
+	
+	this->ac = create_empty();
+	this->public.add = (void(*)(builder_t *this, builder_part_t part, ...))add;
+	this->public.build = (void*(*)(builder_t *this))build;
+	
+	return &this->public;
+}
+
diff --git a/src/libstrongswan/plugins/x509/x509_ac.h b/src/libstrongswan/plugins/x509/x509_ac.h
new file mode 100644
index 000000000..2fd165e45
--- /dev/null
+++ b/src/libstrongswan/plugins/x509/x509_ac.h
@@ -0,0 +1,59 @@
+/*
+ * Copyright (C) 2002 Ueli Galizzi, Ariane Seiler
+ * Copyright (C) 2003 Martin Berner, Lukas Suter
+ * Copyright (C) 2002-2008 Andreas Steffen
+ *
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+/**
+ * @defgroup x509_ac x509_ac
+ * @{ @ingroup x509_p
+ */
+
+#ifndef X509_AC_H_
+#define X509_AC_H_
+
+#include <credentials/certificates/ac.h>
+
+typedef struct x509_ac_t x509_ac_t;
+
+/**
+ * Implementation of ac_t using own ASN1 parser.
+ */
+struct x509_ac_t {
+
+	/**
+	 * Implements the ac_t interface
+	 */
+	ac_t interface;
+};
+
+/**
+ * Create the building facility for X.509 attribute certificates.
+ *
+ * The resulting builder accepts:
+ * 	BUILD_USER_CERT: 	user certificate, exactly one
+ *	BUILD_SIGNER_CERT:	signer certificate, exactly one
+ *	BUILD_SIGNER_KEY:	signer private key, exactly one
+ *  BUILD_SERIAL:		serial number, exactly one
+ *  BUILD_GROUP_ATTR:	group attribute, optional, several possible
+ *
+ * @param type		certificate type, CERT_X509_AC only
+ * @return			builder instance to build X.509 attribute certificates
+ */
+builder_t *x509_ac_builder(certificate_type_t type);
+
+#endif /* X509_AC_H_ @}*/
diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c
new file mode 100644
index 000000000..714258865
--- /dev/null
+++ b/src/libstrongswan/plugins/x509/x509_cert.c
@@ -0,0 +1,1295 @@
+/*
+ * Copyright (C) 2000 Andreas Hess, Patric Lichtsteiner, Roger Wegmann
+ * Copyright (C) 2001 Marco Bertossa, Andreas Schleiss
+ * Copyright (C) 2002 Mario Strasser
+ * Copyright (C) 2000-2006 Andreas Steffen
+ * Copyright (C) 2006-2008 Martin Willi
+ * Copyright (C) 2008 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id: x509_cert.c 4051 2008-06-10 09:08:27Z tobias $
+ */
+
+#define _GNU_SOURCE
+
+#include "x509_cert.h"
+
+#include <sys/stat.h>
+#include <unistd.h>
+#include <string.h>
+#include <stdio.h>
+
+#include <library.h>
+#include <debug.h>
+#include <asn1/oid.h>
+#include <asn1/asn1.h>
+#include <asn1/asn1_parser.h>
+#include <asn1/pem.h>
+#include <crypto/hashers/hasher.h>
+#include <utils/linked_list.h>
+#include <utils/identification.h>
+
+/**
+ * Different kinds of generalNames
+ */
+typedef enum {
+	GN_OTHER_NAME =		0,
+	GN_RFC822_NAME =	1,
+	GN_DNS_NAME =		2,
+	GN_X400_ADDRESS =	3,
+	GN_DIRECTORY_NAME =	4,
+	GN_EDI_PARTY_NAME = 5,
+	GN_URI =			6,
+	GN_IP_ADDRESS =		7,
+	GN_REGISTERED_ID =	8,
+} generalNames_t;
+
+
+typedef struct private_x509_cert_t private_x509_cert_t;
+
+/**
+ * Private data of a x509_cert_t object.
+ */
+struct private_x509_cert_t {
+	/**
+	 * Public interface for this certificate.
+	 */
+	x509_cert_t public;
+
+	/**
+	 * X.509 certificate encoding in ASN.1 DER format
+	 */
+	chunk_t encoding;
+	
+	/**
+	 * SHA1 hash of the DER encoding of this X.509 certificate
+	 */
+	chunk_t encoding_hash;
+
+	/**
+	 * X.509 certificate body over which signature is computed
+	 */
+	chunk_t tbsCertificate;
+
+	/**
+	 * Version of the X.509 certificate
+	 */
+	u_int version;
+	
+	/**
+	 * Serial number of the X.509 certificate
+	 */
+	chunk_t serialNumber;
+	
+	/**
+	 * ID representing the certificate issuer
+	 */
+	identification_t *issuer;
+
+	/**
+	 * Start time of certificate validity
+	 */
+	time_t notBefore;
+
+	/**
+	 * End time of certificate validity
+	 */
+	time_t notAfter;
+
+	/**
+	 * ID representing the certificate subject
+	 */
+	identification_t *subject;
+	
+	/**
+	 * List of subjectAltNames as identification_t
+	 */
+	linked_list_t *subjectAltNames;
+	
+	/**
+	 * List of crlDistributionPoints as allocated char*
+	 */
+	linked_list_t *crl_uris;
+
+	/**
+	 * List ocspAccessLocations as identification_t
+	 */
+	linked_list_t *ocsp_uris;
+
+	/**
+	 * certificates embedded public key
+	 */
+	public_key_t *public_key;
+	
+	/**
+	 * Subject Key Identifier
+	 */
+	chunk_t subjectKeyID;
+
+	/**
+	 * Authority Key Identifier
+	 */
+	identification_t *authKeyIdentifier;
+
+	/**
+	 * Authority Key Serial Number
+	 */
+	chunk_t authKeySerialNumber;
+	
+	/**
+	 * x509 constraints and other flags
+	 */
+	x509_flag_t flags;
+
+	/**
+	 * Signature algorithm
+	 */
+	int algorithm;
+
+	/**
+	 * Signature
+	 */
+	chunk_t signature;
+	
+	/**
+	 * reference count
+	 */
+	refcount_t ref;
+};
+
+static u_char ASN1_sAN_oid_buf[] = {
+	0x06, 0x03, 0x55, 0x1D, 0x11
+};
+static const chunk_t ASN1_subjectAltName_oid = chunk_from_buf(ASN1_sAN_oid_buf);
+
+/**
+ * ASN.1 definition of a basicConstraints extension 
+ */
+static const asn1Object_t basicConstraintsObjects[] = {
+	{ 0, "basicConstraints",	ASN1_SEQUENCE,	ASN1_NONE			}, /*  0 */
+	{ 1,   "CA",				ASN1_BOOLEAN,	ASN1_DEF|ASN1_BODY	}, /*  1 */
+	{ 1,   "pathLenConstraint",	ASN1_INTEGER,	ASN1_OPT|ASN1_BODY	}, /*  2 */
+	{ 1,   "end opt",			ASN1_EOC,		ASN1_END  			}, /*  3 */
+	{ 0, "exit",				ASN1_EOC,		ASN1_EXIT  			}
+};
+#define BASIC_CONSTRAINTS_CA	1
+
+/**
+ * Extracts the basicConstraints extension
+ */
+static bool parse_basicConstraints(chunk_t blob, int level0)
+{
+	asn1_parser_t *parser;
+	chunk_t object;
+	int objectID;
+	bool isCA = FALSE;
+
+	parser = asn1_parser_create(basicConstraintsObjects, blob);
+	parser->set_top_level(parser, level0);
+
+	while (parser->iterate(parser, &objectID, &object))
+	{
+		if (objectID == BASIC_CONSTRAINTS_CA)
+		{
+			isCA = object.len && *object.ptr;
+			DBG2("  %s", isCA ? "TRUE" : "FALSE");
+		}
+	}
+	parser->destroy(parser);
+
+	return isCA;
+}
+
+/**
+ * ASN.1 definition of otherName 
+ */
+static const asn1Object_t otherNameObjects[] = {
+	{0, "type-id",	ASN1_OID,			ASN1_BODY	}, /* 0 */
+	{0, "value",	ASN1_CONTEXT_C_0,	ASN1_BODY	}, /* 1 */
+	{0, "exit",		ASN1_EOC,			ASN1_EXIT	}
+};
+#define ON_OBJ_ID_TYPE		0
+#define ON_OBJ_VALUE		1
+
+/**
+ * Extracts an otherName
+ */
+static bool parse_otherName(chunk_t blob, int level0)
+{
+	asn1_parser_t *parser;
+	chunk_t object;
+	int objectID;
+	int oid = OID_UNKNOWN;
+	bool success = FALSE;
+
+	parser = asn1_parser_create(otherNameObjects, blob);
+	parser->set_top_level(parser, level0);
+
+	while (parser->iterate(parser, &objectID, &object))
+	{
+		switch (objectID)
+		{
+			case ON_OBJ_ID_TYPE:
+				oid = asn1_known_oid(object);
+				break;
+			case ON_OBJ_VALUE:
+				if (oid == OID_XMPP_ADDR)
+				{
+					if (!asn1_parse_simple_object(&object, ASN1_UTF8STRING,
+								parser->get_level(parser)+1, "xmppAddr"))
+					{
+						goto end;
+					}
+				}
+				break;
+			default:
+				break;
+		}
+	}
+	success = parser->success(parser);
+
+end:
+	parser->destroy(parser);
+	return success;
+}
+
+/**
+ * ASN.1 definition of generalName 
+ */
+static const asn1Object_t generalNameObjects[] = {
+	{ 0, "otherName",		ASN1_CONTEXT_C_0,  ASN1_OPT|ASN1_BODY	}, /*  0 */
+	{ 0, "end choice",		ASN1_EOC,          ASN1_END				}, /*  1 */
+	{ 0, "rfc822Name",		ASN1_CONTEXT_S_1,  ASN1_OPT|ASN1_BODY	}, /*  2 */
+	{ 0, "end choice",		ASN1_EOC,          ASN1_END 			}, /*  3 */
+	{ 0, "dnsName",			ASN1_CONTEXT_S_2,  ASN1_OPT|ASN1_BODY	}, /*  4 */
+	{ 0, "end choice",		ASN1_EOC,          ASN1_END				}, /*  5 */
+	{ 0, "x400Address",		ASN1_CONTEXT_S_3,  ASN1_OPT|ASN1_BODY	}, /*  6 */
+	{ 0, "end choice",		ASN1_EOC,          ASN1_END				}, /*  7 */
+	{ 0, "directoryName",	ASN1_CONTEXT_C_4,  ASN1_OPT|ASN1_BODY	}, /*  8 */
+	{ 0, "end choice",		ASN1_EOC,          ASN1_END				}, /*  9 */
+	{ 0, "ediPartyName",	ASN1_CONTEXT_C_5,  ASN1_OPT|ASN1_BODY	}, /* 10 */
+	{ 0, "end choice",		ASN1_EOC,          ASN1_END				}, /* 11 */
+	{ 0, "URI",				ASN1_CONTEXT_S_6,  ASN1_OPT|ASN1_BODY	}, /* 12 */
+	{ 0, "end choice",		ASN1_EOC,          ASN1_END				}, /* 13 */
+	{ 0, "ipAddress",		ASN1_CONTEXT_S_7,  ASN1_OPT|ASN1_BODY	}, /* 14 */
+	{ 0, "end choice",		ASN1_EOC,          ASN1_END				}, /* 15 */
+	{ 0, "registeredID",	ASN1_CONTEXT_S_8,  ASN1_OPT|ASN1_BODY	}, /* 16 */
+	{ 0, "end choice",		ASN1_EOC,          ASN1_END				}, /* 17 */
+	{ 0, "exit",			ASN1_EOC,          ASN1_EXIT			}
+};
+#define GN_OBJ_OTHER_NAME	 	 0
+#define GN_OBJ_RFC822_NAME	 	 2
+#define GN_OBJ_DNS_NAME		 	 4
+#define GN_OBJ_X400_ADDRESS	 	 6
+#define GN_OBJ_DIRECTORY_NAME	 8
+#define GN_OBJ_EDI_PARTY_NAME	10
+#define GN_OBJ_URI				12
+#define GN_OBJ_IP_ADDRESS		14
+#define GN_OBJ_REGISTERED_ID	16
+
+/**
+ * Extracts a generalName
+ */
+static identification_t *parse_generalName(chunk_t blob, int level0)
+{
+	asn1_parser_t *parser;
+	chunk_t object;
+	int objectID ;
+
+	identification_t *gn = NULL;
+
+	parser = asn1_parser_create(generalNameObjects, blob);
+	parser->set_top_level(parser, level0);
+
+	while (parser->iterate(parser, &objectID, &object))
+	{
+		id_type_t id_type = ID_ANY;
+	
+		switch (objectID)
+		{
+			case GN_OBJ_RFC822_NAME:
+				id_type = ID_RFC822_ADDR;
+				break;
+			case GN_OBJ_DNS_NAME:
+				id_type = ID_FQDN;
+				break;
+			case GN_OBJ_URI:
+				id_type = ID_DER_ASN1_GN_URI;
+				break;
+			case GN_OBJ_DIRECTORY_NAME:
+				id_type = ID_DER_ASN1_DN;
+	    		break;
+			case GN_OBJ_IP_ADDRESS:
+				id_type = ID_IPV4_ADDR;
+				break;
+			case GN_OBJ_OTHER_NAME:
+				if (!parse_otherName(object, parser->get_level(parser)+1))
+				{
+					goto end;
+				}
+				break;
+			case GN_OBJ_X400_ADDRESS:
+			case GN_OBJ_EDI_PARTY_NAME:
+			case GN_OBJ_REGISTERED_ID:
+			default:
+				break;
+		}
+		if (id_type != ID_ANY)
+		{
+			gn = identification_create_from_encoding(id_type, object);
+			DBG2("  '%D'", gn);
+			goto end;
+        }
+   }
+
+end:
+	parser->destroy(parser);
+    return gn;
+}
+
+/**
+ * ASN.1 definition of generalNames 
+ */
+static const asn1Object_t generalNamesObjects[] = {
+	{ 0, "generalNames",	ASN1_SEQUENCE,	ASN1_LOOP }, /* 0 */
+	{ 1,   "generalName",	ASN1_EOC,		ASN1_RAW  }, /* 1 */
+	{ 0, "end loop",		ASN1_EOC,		ASN1_END  }, /* 2 */
+	{ 0, "exit",			ASN1_EOC,		ASN1_EXIT }
+};
+#define GENERAL_NAMES_GN	1
+
+/**
+ * Extracts one or several GNs and puts them into a chained list
+ */
+void x509_parse_generalNames(chunk_t blob, int level0, bool implicit, linked_list_t *list)
+{
+	asn1_parser_t *parser;
+	chunk_t object;
+	int objectID;
+
+	parser = asn1_parser_create(generalNamesObjects, blob);
+	parser->set_top_level(parser, level0);
+	parser->set_flags(parser, implicit, FALSE);
+
+	while (parser->iterate(parser, &objectID, &object))
+	{
+		if (objectID == GENERAL_NAMES_GN)
+		{
+			identification_t *gn = parse_generalName(object,
+											parser->get_level(parser)+1);
+
+			if (gn)
+			{
+				list->insert_last(list, (void *)gn);
+			}
+		}
+	}
+	parser->destroy(parser);
+}
+
+/**
+ * ASN.1 definition of a authorityKeyIdentifier extension 
+ */
+static const asn1Object_t authKeyIdentifierObjects[] = {
+	{ 0, "authorityKeyIdentifier",		ASN1_SEQUENCE,		ASN1_NONE 			}, /* 0 */
+	{ 1,   "keyIdentifier",				ASN1_CONTEXT_S_0,	ASN1_OPT|ASN1_BODY	}, /* 1 */
+	{ 1,   "end opt",					ASN1_EOC,			ASN1_END  			}, /* 2 */
+	{ 1,   "authorityCertIssuer",		ASN1_CONTEXT_C_1,	ASN1_OPT|ASN1_OBJ	}, /* 3 */
+	{ 1,   "end opt",					ASN1_EOC,			ASN1_END  			}, /* 4 */
+	{ 1,   "authorityCertSerialNumber",	ASN1_CONTEXT_S_2,	ASN1_OPT|ASN1_BODY	}, /* 5 */
+	{ 1,   "end opt",					ASN1_EOC,			ASN1_END  			}, /* 6 */
+	{ 0, "exit",						ASN1_EOC,			ASN1_EXIT  			}
+};
+#define AUTH_KEY_ID_KEY_ID			1
+#define AUTH_KEY_ID_CERT_ISSUER		3
+#define AUTH_KEY_ID_CERT_SERIAL		5
+
+/**
+ * Extracts an authoritykeyIdentifier
+ */
+identification_t* x509_parse_authorityKeyIdentifier(chunk_t blob, int level0,
+												chunk_t *authKeySerialNumber)
+{
+	asn1_parser_t *parser;
+	chunk_t object;
+	int objectID;
+	identification_t *authKeyIdentifier = NULL;
+
+	*authKeySerialNumber = chunk_empty;
+
+	parser = asn1_parser_create(authKeyIdentifierObjects, blob);
+	parser->set_top_level(parser, level0);
+
+	while (parser->iterate(parser, &objectID, &object))
+	{
+		switch (objectID) 
+		{
+			case AUTH_KEY_ID_KEY_ID:
+				authKeyIdentifier = identification_create_from_encoding(
+												ID_PUBKEY_SHA1, object); 
+				break;
+			case AUTH_KEY_ID_CERT_ISSUER:
+				/* TODO: x509_parse_generalNames(object, level+1, TRUE); */
+				break;
+			case AUTH_KEY_ID_CERT_SERIAL:
+				*authKeySerialNumber = object;
+				break;
+			default:
+				break;
+		}
+	}
+	parser->destroy(parser);
+	return authKeyIdentifier;
+}
+
+/**
+ * ASN.1 definition of a authorityInfoAccess extension 
+ */
+static const asn1Object_t authInfoAccessObjects[] = {
+	{ 0, "authorityInfoAccess",	ASN1_SEQUENCE,	ASN1_LOOP }, /* 0 */
+	{ 1,   "accessDescription",	ASN1_SEQUENCE,	ASN1_NONE }, /* 1 */
+	{ 2,     "accessMethod",	ASN1_OID,		ASN1_BODY }, /* 2 */
+	{ 2,     "accessLocation",	ASN1_EOC,		ASN1_RAW  }, /* 3 */
+	{ 0, "end loop",			ASN1_EOC,		ASN1_END  }, /* 4 */
+	{ 0, "exit",				ASN1_EOC,		ASN1_EXIT }
+};
+#define AUTH_INFO_ACCESS_METHOD		2
+#define AUTH_INFO_ACCESS_LOCATION	3
+
+/**
+ * Extracts an authorityInfoAcess location
+ */
+static void parse_authorityInfoAccess(chunk_t blob, int level0,
+									  private_x509_cert_t *this)
+{
+	asn1_parser_t *parser;
+	chunk_t object;
+	int objectID;
+	int accessMethod = OID_UNKNOWN;
+	
+	parser = asn1_parser_create(authInfoAccessObjects, blob);
+	parser->set_top_level(parser, level0);
+
+	while (parser->iterate(parser, &objectID, &object))
+	{
+		switch (objectID) 
+		{
+			case AUTH_INFO_ACCESS_METHOD:
+				accessMethod = asn1_known_oid(object);
+				break;
+			case AUTH_INFO_ACCESS_LOCATION:
+			{
+				switch (accessMethod)
+				{
+					case OID_OCSP:
+					case OID_CA_ISSUERS:
+						{
+							identification_t *id;
+							char *uri;
+
+							id = parse_generalName(object,
+											parser->get_level(parser)+1);
+							if (id == NULL)
+							{
+								/* parsing went wrong - abort */
+								goto end;
+							}
+							DBG2("  '%D'", id);
+							if (accessMethod == OID_OCSP &&
+								asprintf(&uri, "%D", id) > 0)
+							{
+								this->ocsp_uris->insert_last(this->ocsp_uris, uri);
+							}
+							id->destroy(id);
+						}
+						break;
+					default:
+						/* unkown accessMethod, ignoring */
+						break;
+				}
+				break;
+			}
+			default:
+				break;
+		}
+	}
+
+end:
+	parser->destroy(parser);
+}
+
+/**
+ * ASN.1 definition of a extendedKeyUsage extension
+ */
+static const asn1Object_t extendedKeyUsageObjects[] = {
+	{ 0, "extendedKeyUsage",	ASN1_SEQUENCE,	ASN1_LOOP }, /* 0 */
+	{ 1,   "keyPurposeID",		ASN1_OID,		ASN1_BODY }, /* 1 */
+	{ 0, "end loop",			ASN1_EOC,		ASN1_END  }, /* 2 */
+	{ 0, "exit",				ASN1_EOC,		ASN1_EXIT }
+};
+#define EXT_KEY_USAGE_PURPOSE_ID	1
+
+/**
+ * Extracts extendedKeyUsage OIDs - currently only OCSP_SIGING is returned
+ */
+static bool parse_extendedKeyUsage(chunk_t blob, int level0)
+{
+	asn1_parser_t *parser;
+	chunk_t object;
+	int objectID;
+	bool ocsp_signing = FALSE;
+	
+	parser = asn1_parser_create(extendedKeyUsageObjects, blob);
+	parser->set_top_level(parser, level0);
+
+	while (parser->iterate(parser, &objectID, &object))
+	{
+		if (objectID == EXT_KEY_USAGE_PURPOSE_ID && 
+			asn1_known_oid(object) == OID_OCSP_SIGNING)
+		{
+			ocsp_signing = TRUE;
+		}
+	}
+	parser->destroy(parser);
+	return ocsp_signing;
+}
+
+/**
+ * ASN.1 definition of crlDistributionPoints
+ */
+static const asn1Object_t crlDistributionPointsObjects[] = {
+	{ 0, "crlDistributionPoints",	ASN1_SEQUENCE,		ASN1_LOOP			}, /*  0 */
+	{ 1,   "DistributionPoint",		ASN1_SEQUENCE,		ASN1_NONE			}, /*  1 */
+	{ 2,     "distributionPoint",	ASN1_CONTEXT_C_0,	ASN1_OPT|ASN1_LOOP	}, /*  2 */
+	{ 3,       "fullName",			ASN1_CONTEXT_C_0,	ASN1_OPT|ASN1_OBJ	}, /*  3 */
+	{ 3,       "end choice",		ASN1_EOC,			ASN1_END			}, /*  4 */
+	{ 3,       "nameRelToCRLIssuer",ASN1_CONTEXT_C_1,	ASN1_OPT|ASN1_BODY	}, /*  5 */
+	{ 3,       "end choice",		ASN1_EOC,			ASN1_END			}, /*  6 */
+	{ 2,     "end opt",				ASN1_EOC,			ASN1_END			}, /*  7 */
+	{ 2,     "reasons",				ASN1_CONTEXT_C_1,	ASN1_OPT|ASN1_BODY	}, /*  8 */
+	{ 2,     "end opt",				ASN1_EOC,			ASN1_END			}, /*  9 */
+	{ 2,     "crlIssuer",			ASN1_CONTEXT_C_2,	ASN1_OPT|ASN1_BODY	}, /* 10 */
+	{ 2,     "end opt",				ASN1_EOC,			ASN1_END			}, /* 11 */
+	{ 0, "end loop",				ASN1_EOC,			ASN1_END			}, /* 12 */
+	{ 0, "exit",					ASN1_EOC,			ASN1_EXIT			}
+};
+#define CRL_DIST_POINTS_FULLNAME	 3
+
+/**
+ * Extracts one or several crlDistributionPoints into a list
+ */
+static void parse_crlDistributionPoints(chunk_t blob, int level0,
+										private_x509_cert_t *this)
+{
+	asn1_parser_t *parser;
+	chunk_t object;
+	int objectID;
+	linked_list_t *list = linked_list_create();
+	
+	parser = asn1_parser_create(crlDistributionPointsObjects, blob);
+	parser->set_top_level(parser, level0);
+
+	while (parser->iterate(parser, &objectID, &object))
+	{
+		if (objectID == CRL_DIST_POINTS_FULLNAME)
+		{
+			identification_t *id;
+
+			/* append extracted generalNames to existing chained list */
+			x509_parse_generalNames(object, parser->get_level(parser)+1,
+									TRUE, list);
+	
+			while (list->remove_last(list, (void**)&id) == SUCCESS)
+			{
+				char *uri;
+
+				if (asprintf(&uri, "%D", id) > 0)
+				{
+					this->crl_uris->insert_last(this->crl_uris, uri);
+				}
+				id->destroy(id);
+			}
+		}
+	}
+	parser->destroy(parser);
+	list->destroy(list);
+}
+
+/**
+ * ASN.1 definition of an X.509v3 x509_cert
+ */
+static const asn1Object_t certObjects[] = {
+	{ 0, "x509",					ASN1_SEQUENCE,		ASN1_OBJ			}, /*  0 */
+	{ 1,   "tbsCertificate",		ASN1_SEQUENCE,		ASN1_OBJ			}, /*  1 */
+	{ 2,     "DEFAULT v1",			ASN1_CONTEXT_C_0,	ASN1_DEF			}, /*  2 */
+	{ 3,       "version",			ASN1_INTEGER,		ASN1_BODY			}, /*  3 */
+	{ 2,     "serialNumber",		ASN1_INTEGER,		ASN1_BODY			}, /*  4 */
+	{ 2,     "signature",			ASN1_EOC,			ASN1_RAW			}, /*  5 */
+	{ 2,     "issuer",				ASN1_SEQUENCE,		ASN1_OBJ			}, /*  6 */
+	{ 2,     "validity",			ASN1_SEQUENCE,		ASN1_NONE			}, /*  7 */
+	{ 3,       "notBefore",			ASN1_EOC,			ASN1_RAW			}, /*  8 */
+	{ 3,       "notAfter",			ASN1_EOC,			ASN1_RAW			}, /*  9 */
+	{ 2,     "subject",				ASN1_SEQUENCE,		ASN1_OBJ			}, /* 10 */
+	{ 2,     "subjectPublicKeyInfo",ASN1_SEQUENCE,		ASN1_RAW			}, /* 11 */
+	{ 2,     "issuerUniqueID",		ASN1_CONTEXT_C_1,	ASN1_OPT			}, /* 12 */
+	{ 2,     "end opt",				ASN1_EOC,			ASN1_END			}, /* 13 */
+	{ 2,     "subjectUniqueID",		ASN1_CONTEXT_C_2,	ASN1_OPT			}, /* 14 */
+	{ 2,     "end opt",				ASN1_EOC,			ASN1_END			}, /* 15 */
+	{ 2,     "optional extensions",	ASN1_CONTEXT_C_3,	ASN1_OPT			}, /* 16 */
+	{ 3,       "extensions",		ASN1_SEQUENCE,		ASN1_LOOP			}, /* 17 */
+	{ 4,         "extension",		ASN1_SEQUENCE,		ASN1_NONE			}, /* 18 */
+	{ 5,           "extnID",		ASN1_OID,			ASN1_BODY			}, /* 19 */
+	{ 5,           "critical",		ASN1_BOOLEAN,		ASN1_DEF|ASN1_BODY	}, /* 20 */
+	{ 5,           "extnValue",		ASN1_OCTET_STRING,	ASN1_BODY			}, /* 21 */
+	{ 3,       "end loop",			ASN1_EOC,			ASN1_END			}, /* 22 */
+	{ 2,     "end opt",				ASN1_EOC,			ASN1_END			}, /* 23 */
+	{ 1,   "signatureAlgorithm",	ASN1_EOC,			ASN1_RAW			}, /* 24 */
+	{ 1,   "signatureValue",		ASN1_BIT_STRING,	ASN1_BODY			}, /* 25 */
+	{ 0, "exit",					ASN1_EOC,			ASN1_EXIT			}
+};
+#define X509_OBJ_TBS_CERTIFICATE				 1
+#define X509_OBJ_VERSION						 3
+#define X509_OBJ_SERIAL_NUMBER					 4
+#define X509_OBJ_SIG_ALG						 5
+#define X509_OBJ_ISSUER 						 6
+#define X509_OBJ_NOT_BEFORE						 8
+#define X509_OBJ_NOT_AFTER						 9
+#define X509_OBJ_SUBJECT						10
+#define X509_OBJ_SUBJECT_PUBLIC_KEY_INFO		11
+#define X509_OBJ_EXTN_ID						19
+#define X509_OBJ_CRITICAL						20
+#define X509_OBJ_EXTN_VALUE						21
+#define X509_OBJ_ALGORITHM						24
+#define X509_OBJ_SIGNATURE						25
+
+/**
+ * Parses an X.509v3 certificate
+ */
+static bool parse_certificate(private_x509_cert_t *this)
+{
+	asn1_parser_t *parser;
+	chunk_t object;
+	int objectID;
+	int extn_oid = OID_UNKNOWN;
+	int sig_alg  = OID_UNKNOWN;
+	bool success = FALSE;
+	bool critical;
+	
+	parser = asn1_parser_create(certObjects, this->encoding);
+
+	while (parser->iterate(parser, &objectID, &object))
+	{
+		u_int level = parser->get_level(parser)+1;
+
+		switch (objectID)
+		{
+			case X509_OBJ_TBS_CERTIFICATE:
+				this->tbsCertificate = object;
+				break;
+			case X509_OBJ_VERSION:
+				this->version = (object.len) ? (1+(u_int)*object.ptr) : 1;
+				DBG2("  v%d", this->version);
+				break;
+			case X509_OBJ_SERIAL_NUMBER:
+				this->serialNumber = object;
+				break;
+			case X509_OBJ_SIG_ALG:
+				sig_alg = asn1_parse_algorithmIdentifier(object, level, NULL);
+				break;
+			case X509_OBJ_ISSUER:
+				this->issuer = identification_create_from_encoding(ID_DER_ASN1_DN, object);
+				DBG2("  '%D'", this->issuer);
+				break;
+			case X509_OBJ_NOT_BEFORE:
+				this->notBefore = asn1_parse_time(object, level);
+				break;
+			case X509_OBJ_NOT_AFTER:
+				this->notAfter = asn1_parse_time(object, level);
+				break;
+			case X509_OBJ_SUBJECT:
+				this->subject = identification_create_from_encoding(ID_DER_ASN1_DN, object);
+				DBG2("  '%D'", this->subject);
+				break;
+			case X509_OBJ_SUBJECT_PUBLIC_KEY_INFO:
+				this->public_key = lib->creds->create(lib->creds, CRED_PUBLIC_KEY,
+						KEY_ANY, BUILD_BLOB_ASN1_DER, chunk_clone(object), BUILD_END);
+				if (this->public_key == NULL)
+				{
+					DBG1("could not create public key");
+					goto end;
+				}
+				break;
+			case X509_OBJ_EXTN_ID:
+				extn_oid = asn1_known_oid(object);
+				break;
+			case X509_OBJ_CRITICAL:
+				critical = object.len && *object.ptr;
+				DBG2("  %s", critical ? "TRUE" : "FALSE");
+				break;
+			case X509_OBJ_EXTN_VALUE:
+			{
+				switch (extn_oid)
+				{
+					case OID_SUBJECT_KEY_ID:
+						if (!asn1_parse_simple_object(&object, ASN1_OCTET_STRING,
+													  level, "keyIdentifier"))
+						{
+							goto end;
+						}
+						this->subjectKeyID = object;
+						break;
+					case OID_SUBJECT_ALT_NAME:
+						x509_parse_generalNames(object, level, FALSE,
+												this->subjectAltNames);
+						break;
+					case OID_BASIC_CONSTRAINTS:
+						if (parse_basicConstraints(object, level))
+						{
+							this->flags |= X509_CA;
+						}
+						break;
+					case OID_CRL_DISTRIBUTION_POINTS:
+						parse_crlDistributionPoints(object, level, this);
+						break;
+					case OID_AUTHORITY_KEY_ID:
+						this->authKeyIdentifier = x509_parse_authorityKeyIdentifier(object,
+							 							level, &this->authKeySerialNumber);
+						break;
+					case OID_AUTHORITY_INFO_ACCESS:
+						parse_authorityInfoAccess(object, level, this);
+						break;
+					case OID_EXTENDED_KEY_USAGE:
+						if (parse_extendedKeyUsage(object, level))
+						{
+							this->flags |= X509_OCSP_SIGNER;
+						}
+						break;
+					case OID_NS_REVOCATION_URL:
+					case OID_NS_CA_REVOCATION_URL:
+					case OID_NS_CA_POLICY_URL:
+					case OID_NS_COMMENT:
+						if (!asn1_parse_simple_object(&object, ASN1_IA5STRING, 
+											level, oid_names[extn_oid].name))
+						{
+							goto end;
+						}
+						break;
+					default:
+						break;
+				}
+				break;
+			}
+			case X509_OBJ_ALGORITHM:
+				this->algorithm = asn1_parse_algorithmIdentifier(object, level, NULL);
+				if (this->algorithm != sig_alg)
+				{
+					DBG1("  signature algorithms do not agree");
+					goto end;
+				}
+				break;
+			case X509_OBJ_SIGNATURE:
+				this->signature = object;
+				break;
+			default:
+				break;
+		}
+	}
+	success = parser->success(parser);
+
+end:
+	parser->destroy(parser);
+	return success;
+}
+
+/**
+ * Implementation of certificate_t.get_type
+ */
+static certificate_type_t get_type(private_x509_cert_t *this)
+{
+	return CERT_X509;
+}
+
+/**
+ * Implementation of certificate_t.get_subject
+ */
+static identification_t* get_subject(private_x509_cert_t *this)
+{
+	return this->subject;
+}
+
+/**
+ * Implementation of certificate_t.get_issuer
+ */
+static identification_t* get_issuer(private_x509_cert_t *this)
+{
+	return this->issuer;
+}
+
+/**
+ * Implementation of certificate_t.has_subject.
+ */
+static id_match_t has_subject(private_x509_cert_t *this, identification_t *subject)
+{
+	identification_t *current;
+	enumerator_t *enumerator;
+	id_match_t match, best;
+	
+	if (this->encoding_hash.ptr && subject->get_type(subject) == ID_CERT_DER_SHA1 &&
+		chunk_equals(this->encoding_hash, subject->get_encoding(subject)))
+	{
+		return ID_MATCH_PERFECT;
+	}
+
+	best = this->subject->matches(this->subject, subject);
+	enumerator = this->subjectAltNames->create_enumerator(this->subjectAltNames);
+	while (enumerator->enumerate(enumerator, &current))
+	{
+		match = current->matches(current, subject);
+		if (match > best)
+		{
+			best = match;	
+		}
+	}
+	enumerator->destroy(enumerator);
+	return best;	
+}
+
+/**
+ * Implementation of certificate_t.has_subject.
+ */
+static id_match_t has_issuer(private_x509_cert_t *this, identification_t *issuer)
+{
+	/* issuerAltNames currently not supported */
+	return this->issuer->matches(this->issuer, issuer);
+}
+
+/**
+ * Implementation of certificate_t.issued_by
+ */
+static bool issued_by(private_x509_cert_t *this, certificate_t *issuer)
+{
+	public_key_t *key;
+	signature_scheme_t scheme;
+	bool valid;
+	x509_t *x509 = (x509_t*)issuer;
+	
+	if (&this->public.interface.interface == issuer)
+	{
+		if (this->flags & X509_SELF_SIGNED)
+		{
+			return TRUE;
+		}
+	}
+	else
+	{
+		if (issuer->get_type(issuer) != CERT_X509)
+		{
+			return FALSE;
+		}
+		if (!(x509->get_flags(x509) & X509_CA))
+		{
+			return FALSE;
+		}
+	}
+	if (!this->issuer->equals(this->issuer, issuer->get_subject(issuer)))
+	{
+		return FALSE;
+	}
+	/* TODO: generic OID to scheme mapper? */
+	switch (this->algorithm)
+	{
+		case OID_MD5_WITH_RSA:
+			scheme = SIGN_RSA_EMSA_PKCS1_MD5;
+			break;
+		case OID_SHA1_WITH_RSA:
+			scheme = SIGN_RSA_EMSA_PKCS1_SHA1;
+			break;
+		case OID_SHA256_WITH_RSA:
+			scheme = SIGN_RSA_EMSA_PKCS1_SHA256;
+			break;
+		case OID_SHA384_WITH_RSA:
+			scheme = SIGN_RSA_EMSA_PKCS1_SHA384;
+			break;
+		case OID_SHA512_WITH_RSA:
+			scheme = SIGN_RSA_EMSA_PKCS1_SHA512;
+			break;
+		case OID_ECDSA_WITH_SHA1:
+			scheme = SIGN_ECDSA_WITH_SHA1;
+			break;
+		default:
+			return FALSE;
+	}
+	key = issuer->get_public_key(issuer);
+	if (key == NULL)
+	{
+		return FALSE;
+	}
+	/* TODO: add a lightweight check option (comparing auth/subject keyids only) */
+	valid = key->verify(key, scheme, this->tbsCertificate, this->signature);
+	key->destroy(key);
+	return valid;
+}
+
+/**
+ * Implementation of certificate_t.get_public_key
+ */
+static public_key_t* get_public_key(private_x509_cert_t *this)
+{
+	this->public_key->get_ref(this->public_key);
+	return this->public_key;
+}
+
+/**
+ * Implementation of certificate_t.asdf
+ */
+static private_x509_cert_t* get_ref(private_x509_cert_t *this)
+{
+	ref_get(&this->ref);
+	return this;
+}
+
+/**
+ * Implementation of x509_cert_t.get_flags.
+ */
+static x509_flag_t get_flags(private_x509_cert_t *this)
+{
+	return this->flags;
+}
+
+/**
+ * Implementation of x509_cert_t.get_validity.
+ */
+static bool get_validity(private_x509_cert_t *this, time_t *when,
+						 time_t *not_before, time_t *not_after)
+{
+	time_t t;
+	
+	if (when)
+	{
+		t = *when;
+	}
+	else
+	{
+		t = time(NULL);
+	}
+	if (not_before)
+	{
+		*not_before = this->notBefore;
+	}
+	if (not_after)
+	{
+		*not_after = this->notAfter;
+	}
+	return (t >= this->notBefore && t <= this->notAfter);
+}
+
+/**
+ * Implementation of certificate_t.is_newer.
+ */
+static bool is_newer(certificate_t *this, certificate_t *that)
+{
+	time_t this_update, that_update, now = time(NULL);
+	bool new;
+
+	this->get_validity(this, &now, &this_update, NULL);
+	that->get_validity(that, &now, &that_update, NULL);
+	new = this_update > that_update;
+	DBG1("  certificate from %#T is %s - existing certificate from %#T %s",
+				&this_update, FALSE, new ? "newer":"not newer",
+				&that_update, FALSE, new ? "replaced":"retained");
+	return new;
+}
+	
+/**
+ * Implementation of certificate_t.get_encoding.
+ */
+static chunk_t get_encoding(private_x509_cert_t *this)
+{
+	return chunk_clone(this->encoding);
+}
+
+/**
+ * Implementation of certificate_t.equals.
+ */
+static bool equals(private_x509_cert_t *this, certificate_t *other)
+{
+	chunk_t encoding;
+	bool equal;
+
+	if (this == (private_x509_cert_t*)other)
+	{
+		return TRUE;
+	}
+	if (other->get_type(other) != CERT_X509)
+	{
+		return FALSE;
+	}
+	if (other->equals == (void*)equals)
+	{	/* skip allocation if we have the same implementation */
+		return chunk_equals(this->encoding, ((private_x509_cert_t*)other)->encoding); 
+	}
+	encoding = other->get_encoding(other);
+	equal = chunk_equals(this->encoding, encoding);
+	free(encoding.ptr);
+	return equal;
+}
+
+/**
+ * Implementation of x509_t.get_serial.
+ */
+static chunk_t get_serial(private_x509_cert_t *this)
+{
+	return this->serialNumber;
+}
+
+/**
+ * Implementation of x509_t.get_authKeyIdentifier.
+ */
+static identification_t *get_authKeyIdentifier(private_x509_cert_t *this)
+{
+	return this->authKeyIdentifier;
+}
+
+/**
+ * Implementation of x509_cert_t.create_subjectAltName_enumerator.
+ */
+static enumerator_t* create_subjectAltName_enumerator(private_x509_cert_t *this)
+{
+	return this->subjectAltNames->create_enumerator(this->subjectAltNames);
+}
+
+/**
+ * Implementation of x509_cert_t.create_ocsp_uri_enumerator.
+ */
+static enumerator_t* create_ocsp_uri_enumerator(private_x509_cert_t *this)
+{
+	return this->ocsp_uris->create_enumerator(this->ocsp_uris);
+}
+
+/**
+ * Implementation of x509_cert_t.create_crl_uri_enumerator.
+ */
+static enumerator_t* create_crl_uri_enumerator(private_x509_cert_t *this)
+{
+	return this->crl_uris->create_enumerator(this->crl_uris);
+}
+
+/**
+ * Implementation of certificate_t.asdf
+ */
+static void destroy(private_x509_cert_t *this)
+{
+	if (ref_put(&this->ref))
+	{
+		this->subjectAltNames->destroy_offset(this->subjectAltNames,
+									offsetof(identification_t, destroy));
+		this->crl_uris->destroy_function(this->crl_uris, free);
+		this->ocsp_uris->destroy_function(this->ocsp_uris, free);
+		DESTROY_IF(this->issuer);
+		DESTROY_IF(this->subject);
+		DESTROY_IF(this->public_key);
+		DESTROY_IF(this->authKeyIdentifier);
+		chunk_free(&this->encoding);
+		chunk_free(&this->encoding_hash);
+		free(this);
+	}
+}
+
+/**
+ * create an empty but initialized X.509 certificate
+ */
+static private_x509_cert_t* create_empty(void)
+{
+	private_x509_cert_t *this = malloc_thing(private_x509_cert_t);
+	
+	this->public.interface.interface.get_type = (certificate_type_t (*)(certificate_t *this))get_type;
+	this->public.interface.interface.get_subject = (identification_t* (*)(certificate_t *this))get_subject;
+	this->public.interface.interface.get_issuer = (identification_t* (*)(certificate_t *this))get_issuer;
+	this->public.interface.interface.has_subject = (id_match_t (*)(certificate_t*, identification_t *subject))has_subject;
+	this->public.interface.interface.has_issuer = (id_match_t (*)(certificate_t*, identification_t *issuer))has_issuer;
+	this->public.interface.interface.issued_by = (bool (*)(certificate_t *this, certificate_t *issuer))issued_by;
+	this->public.interface.interface.get_public_key = (public_key_t* (*)(certificate_t *this))get_public_key;
+	this->public.interface.interface.get_validity = (bool (*)(certificate_t*, time_t *when, time_t *, time_t*))get_validity;
+	this->public.interface.interface.is_newer = (bool (*)(certificate_t*,certificate_t*))is_newer;
+	this->public.interface.interface.get_encoding = (chunk_t (*)(certificate_t*))get_encoding;
+	this->public.interface.interface.equals = (bool (*)(certificate_t*, certificate_t *other))equals;
+	this->public.interface.interface.get_ref = (certificate_t* (*)(certificate_t *this))get_ref;
+	this->public.interface.interface.destroy = (void (*)(certificate_t *this))destroy;
+	this->public.interface.get_flags = (x509_flag_t (*)(x509_t*))get_flags;
+	this->public.interface.get_serial = (chunk_t (*)(x509_t*))get_serial;
+	this->public.interface.get_authKeyIdentifier = (identification_t* (*)(x509_t*))get_authKeyIdentifier;
+	this->public.interface.create_subjectAltName_enumerator = (enumerator_t* (*)(x509_t*))create_subjectAltName_enumerator;
+	this->public.interface.create_crl_uri_enumerator = (enumerator_t* (*)(x509_t*))create_crl_uri_enumerator;
+	this->public.interface.create_ocsp_uri_enumerator = (enumerator_t* (*)(x509_t*))create_ocsp_uri_enumerator;
+
+	this->encoding = chunk_empty;
+	this->encoding_hash = chunk_empty;
+	this->public_key = NULL;
+	this->subject = NULL;
+	this->issuer = NULL;
+	this->subjectAltNames = linked_list_create();
+	this->crl_uris = linked_list_create();
+	this->ocsp_uris = linked_list_create();
+	this->subjectKeyID = chunk_empty;
+	this->authKeyIdentifier = NULL;
+	this->authKeySerialNumber = chunk_empty;
+	this->flags = 0;
+	this->ref = 1;
+
+	return this;
+}
+
+/**
+ * create an X.509 certificate from a chunk
+ */
+static private_x509_cert_t *create_from_chunk(chunk_t chunk)
+{
+	private_x509_cert_t *this = create_empty();
+
+	this->encoding = chunk;
+	if (!parse_certificate(this))
+	{
+		destroy(this);
+		return NULL;
+	}
+
+	/* check if the certificate is self-signed */
+	if (issued_by(this, &this->public.interface.interface))
+	{
+		this->flags |= X509_SELF_SIGNED;
+	}
+	
+	hasher_t *hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
+	if (hasher != NULL)
+	{
+		hasher->allocate_hash(hasher, this->encoding, &this->encoding_hash);
+		hasher->destroy(hasher);
+	}
+	else
+	{
+		DBG1("  unable to create hash of certificate, SHA1 not supported");		
+	}
+	
+	return this;
+}
+
+/**
+ * create an X.509 certificate from a file
+ */
+static private_x509_cert_t *create_from_file(char *path)
+{
+	bool pgp = FALSE;
+	chunk_t chunk;
+	private_x509_cert_t *this;
+	
+	if (!pem_asn1_load_file(path, NULL, &chunk, &pgp))
+	{
+		return NULL;
+	}
+
+	this = create_from_chunk(chunk);
+
+	if (this == NULL)
+	{
+		DBG1("  could not parse loaded certificate file '%s'",path);
+		return NULL;
+	}
+	DBG1("  loaded certificate file '%s'",  path);
+	return this;
+
+}
+
+typedef struct private_builder_t private_builder_t;
+/**
+ * Builder implementation for certificate loading
+ */
+struct private_builder_t {
+	/** implements the builder interface */
+	builder_t public;
+	/** loaded certificate */
+	private_x509_cert_t *cert;
+	/** additional flags to enforce */
+	x509_flag_t flags;
+};
+
+/**
+ * Implementation of builder_t.build
+ */
+static private_x509_cert_t *build(private_builder_t *this)
+{
+	private_x509_cert_t *cert = this->cert;
+	x509_flag_t flags = this->flags;
+
+	free(this);
+	if (cert == NULL)
+	{
+		return NULL;
+	}
+	if ((flags & X509_CA) && !(cert->flags & X509_CA))
+	{
+		DBG1("  ca certificate must have ca basic constraint set, discarded");
+		destroy(cert);
+		return NULL;
+	}
+	cert->flags |= flags;
+	return cert;
+}
+
+/**
+ * Implementation of builder_t.add
+ */
+static void add(private_builder_t *this, builder_part_t part, ...)
+{
+	va_list args;
+	
+	va_start(args, part);
+	switch (part)
+	{
+		case BUILD_FROM_FILE:
+			this->cert = create_from_file(va_arg(args, char*));
+			break;
+		case BUILD_BLOB_ASN1_DER:
+			this->cert = create_from_chunk(va_arg(args, chunk_t));
+			break;
+		case BUILD_X509_FLAG:
+			this->flags = va_arg(args, x509_flag_t);
+			break;
+		default:
+			DBG1("ignoring unsupported build part %N", builder_part_names, part);
+			break;
+	}
+	va_end(args);
+}
+
+/**
+ * Builder construction function
+ */
+builder_t *x509_cert_builder(certificate_type_t type)
+{
+	private_builder_t *this;
+	
+	if (type != CERT_X509)
+	{
+		return NULL;
+	}
+	
+	this = malloc_thing(private_builder_t);
+	
+	this->cert = NULL;
+	this->flags = 0;
+	this->public.add = (void(*)(builder_t *this, builder_part_t part, ...))add;
+	this->public.build = (void*(*)(builder_t *this))build;
+	
+	return &this->public;
+}
+
diff --git a/src/libstrongswan/plugins/x509/x509_cert.h b/src/libstrongswan/plugins/x509/x509_cert.h
new file mode 100644
index 000000000..701cc3d63
--- /dev/null
+++ b/src/libstrongswan/plugins/x509/x509_cert.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id: x509_cert.h 3650 2008-03-22 08:15:18Z andreas $
+ */
+
+/**
+ * @defgroup x509_cert x509_cert
+ * @{ @ingroup x509_p
+ */
+
+#ifndef X509_CERT_H_
+#define X509_CERT_H_
+
+typedef struct x509_cert_t x509_cert_t;
+
+#include <credentials/certificates/x509.h>
+
+/**
+ * Implementation of x509_t/certificate_t using own ASN1 parser.
+ */
+struct x509_cert_t {
+
+	/**
+	 * Implements the x509_t interface
+	 */
+	x509_t interface;
+};
+
+/**
+ * Create the building facility for x509 certificates
+ *
+ * @param type		certificate type, CERT_X509 only
+ * @return			builder instance to build certificate
+ */
+builder_t *x509_cert_builder(certificate_type_t type);
+
+#endif /* X509_CERT_H_ @}*/
diff --git a/src/libstrongswan/plugins/x509/x509_crl.c b/src/libstrongswan/plugins/x509/x509_crl.c
new file mode 100644
index 000000000..3bdda1701
--- /dev/null
+++ b/src/libstrongswan/plugins/x509/x509_crl.c
@@ -0,0 +1,742 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id: x509_crl.c 4091 2008-06-22 17:41:07Z andreas $
+ */
+
+#include "x509_crl.h"
+
+typedef struct private_x509_crl_t private_x509_crl_t;
+typedef struct revoked_t revoked_t;
+
+#include <debug.h>
+#include <library.h>
+#include <asn1/oid.h>
+#include <asn1/asn1.h>
+#include <asn1/asn1_parser.h>
+#include <asn1/pem.h>
+#include <credentials/certificates/x509.h>
+#include <utils/linked_list.h>
+
+/**
+ * entry for a revoked certificate
+ */
+struct revoked_t {
+	/**
+	 * serial of the revoked certificate
+	 */
+	chunk_t serial;
+	
+	/**
+	 * date of revocation
+	 */
+	time_t date;
+	
+	/**
+	 * reason for revocation
+	 */
+	crl_reason_t reason;
+};
+
+/**
+ * private data of x509_crl
+ */
+struct private_x509_crl_t {
+
+	/**
+	 * public functions
+	 */
+	x509_crl_t public;
+	
+	/**
+	 * X.509 crl encoding in ASN.1 DER format
+	 */
+	chunk_t encoding;
+
+	/**
+	 * X.509 crl body over which signature is computed
+	 */
+	chunk_t tbsCertList;
+
+	/**
+	 * Version of the X.509 crl
+	 */
+	u_int version;
+	
+	/**
+	 * ID representing the crl issuer
+	 */
+	identification_t *issuer;
+	
+	/**
+	 * CRL number
+	 */
+	chunk_t crlNumber;
+
+	/**
+	 * Time when the crl was generated
+	 */
+	time_t thisUpdate;
+
+	/**
+	 * Time when an update crl will be available
+	 */
+	time_t nextUpdate;
+
+	/**
+	 * list of revoked certificates as revoked_t
+	 */
+	linked_list_t *revoked;
+	
+	/**
+	 * Authority Key Identifier
+	 */
+	identification_t *authKeyIdentifier;
+
+	/**
+	 * Authority Key Serial Number
+	 */
+	chunk_t authKeySerialNumber;
+	
+	/**
+	 * Signature algorithm
+	 */
+	int algorithm;
+	
+	/**
+	 * Signature
+	 */
+	chunk_t signature;
+	
+	/**
+	 * reference counter
+	 */
+	refcount_t ref;
+};
+
+/**
+ * from x509_cert
+ */
+extern identification_t* x509_parse_authorityKeyIdentifier(
+								chunk_t blob, int level0, 
+								chunk_t *authKeySerialNumber);
+
+/**
+  * ASN.1 definition of an X.509 certificate revocation list
+ */
+static const asn1Object_t crlObjects[] = {
+	{ 0, "certificateList",				ASN1_SEQUENCE,     ASN1_OBJ  }, /*  0 */
+	{ 1,   "tbsCertList",				ASN1_SEQUENCE,     ASN1_OBJ  }, /*  1 */
+	{ 2,     "version",					ASN1_INTEGER,      ASN1_OPT |
+														   ASN1_BODY }, /*  2 */
+	{ 2,     "end opt",					ASN1_EOC,          ASN1_END  }, /*  3 */
+	{ 2,     "signature",				ASN1_EOC,          ASN1_RAW  }, /*  4 */	
+	{ 2,     "issuer",					ASN1_SEQUENCE,     ASN1_OBJ  }, /*  5 */
+	{ 2,     "thisUpdate",				ASN1_EOC,          ASN1_RAW  }, /*  6 */
+	{ 2,     "nextUpdate",				ASN1_EOC,          ASN1_RAW  }, /*  7 */
+	{ 2,     "revokedCertificates",		ASN1_SEQUENCE,     ASN1_OPT |
+														   ASN1_LOOP }, /*  8 */
+	{ 3,       "certList",				ASN1_SEQUENCE,     ASN1_NONE }, /*  9 */
+	{ 4,         "userCertificate",		ASN1_INTEGER,      ASN1_BODY }, /* 10 */
+	{ 4,         "revocationDate",		ASN1_EOC,          ASN1_RAW  }, /* 11 */
+	{ 4,         "crlEntryExtensions",  ASN1_SEQUENCE,     ASN1_OPT |
+							   							   ASN1_LOOP }, /* 12 */
+	{ 5,           "extension",			ASN1_SEQUENCE,	   ASN1_NONE }, /* 13 */
+	{ 6,             "extnID",			ASN1_OID,          ASN1_BODY }, /* 14 */
+	{ 6,             "critical",		ASN1_BOOLEAN,      ASN1_DEF |
+														   ASN1_BODY }, /* 15 */
+	{ 6,             "extnValue",		ASN1_OCTET_STRING, ASN1_BODY }, /* 16 */
+	{ 4,         "end opt or loop",		ASN1_EOC,          ASN1_END  }, /* 17 */
+	{ 2,     "end opt or loop",			ASN1_EOC,          ASN1_END  }, /* 18 */
+	{ 2,     "optional extensions",		ASN1_CONTEXT_C_0,  ASN1_OPT  }, /* 19 */
+	{ 3,       "crlExtensions",			ASN1_SEQUENCE,     ASN1_LOOP }, /* 20 */
+	{ 4,         "extension",			ASN1_SEQUENCE,     ASN1_NONE }, /* 21 */
+	{ 5,           "extnID",			ASN1_OID,          ASN1_BODY }, /* 22 */
+	{ 5,           "critical",			ASN1_BOOLEAN,      ASN1_DEF |
+														   ASN1_BODY }, /* 23 */
+	{ 5,           "extnValue",			ASN1_OCTET_STRING, ASN1_BODY }, /* 24 */
+	{ 3,       "end loop",				ASN1_EOC,          ASN1_END  }, /* 25 */
+	{ 2,     "end opt",					ASN1_EOC,          ASN1_END  }, /* 26 */
+	{ 1,   "signatureAlgorithm",		ASN1_EOC,          ASN1_RAW  }, /* 27 */
+	{ 1,   "signatureValue",			ASN1_BIT_STRING,   ASN1_BODY }, /* 28 */
+	{ 0, "exit",						ASN1_EOC,		   ASN1_EXIT }
+};
+#define CRL_OBJ_TBS_CERT_LIST			 1
+#define CRL_OBJ_VERSION					 2
+#define CRL_OBJ_SIG_ALG					 4
+#define CRL_OBJ_ISSUER					 5
+#define CRL_OBJ_THIS_UPDATE				 6
+#define CRL_OBJ_NEXT_UPDATE				 7
+#define CRL_OBJ_USER_CERTIFICATE		10
+#define CRL_OBJ_REVOCATION_DATE			11
+#define CRL_OBJ_CRL_ENTRY_EXTN_ID		14
+#define CRL_OBJ_CRL_ENTRY_CRITICAL		15
+#define CRL_OBJ_CRL_ENTRY_EXTN_VALUE	16
+#define CRL_OBJ_EXTN_ID					22
+#define CRL_OBJ_CRITICAL				23
+#define CRL_OBJ_EXTN_VALUE				24
+#define CRL_OBJ_ALGORITHM				27
+#define CRL_OBJ_SIGNATURE				28
+
+/**
+ *  Parses an X.509 Certificate Revocation List (CRL)
+ */
+static bool parse(private_x509_crl_t *this)
+{
+	asn1_parser_t *parser;
+	chunk_t object;
+	chunk_t extnID;
+	chunk_t userCertificate = chunk_empty;
+	int objectID;
+	int sig_alg = OID_UNKNOWN;
+	bool success = FALSE;
+	bool critical;
+	revoked_t *revoked = NULL;
+
+	parser = asn1_parser_create(crlObjects, this->encoding);
+
+	while (parser->iterate(parser, &objectID, &object))
+	{
+		u_int level = parser->get_level(parser)+1;
+
+		switch (objectID)
+		{
+			case CRL_OBJ_TBS_CERT_LIST:
+				this->tbsCertList = object;
+				break;
+			case CRL_OBJ_VERSION:
+				this->version = (object.len) ? (1+(u_int)*object.ptr) : 1;
+				DBG2("  v%d", this->version);
+				break;
+			case CRL_OBJ_SIG_ALG:
+				sig_alg = asn1_parse_algorithmIdentifier(object, level, NULL);
+				break;
+			case CRL_OBJ_ISSUER:
+				this->issuer = identification_create_from_encoding(ID_DER_ASN1_DN, object);
+				DBG2("  '%D'", this->issuer);
+				break;
+			case CRL_OBJ_THIS_UPDATE:
+				this->thisUpdate = asn1_parse_time(object, level);
+				break;
+			case CRL_OBJ_NEXT_UPDATE:
+				this->nextUpdate = asn1_parse_time(object, level);
+				break;
+			case CRL_OBJ_USER_CERTIFICATE:
+				userCertificate = object;
+				break;
+			case CRL_OBJ_REVOCATION_DATE:
+				revoked = malloc_thing(revoked_t);
+				revoked->serial = userCertificate;
+				revoked->date = asn1_parse_time(object, level);
+				revoked->reason = CRL_UNSPECIFIED;
+				this->revoked->insert_last(this->revoked, (void *)revoked);
+				break;
+			case CRL_OBJ_CRL_ENTRY_EXTN_ID:
+			case CRL_OBJ_EXTN_ID:
+				extnID = object;
+				break;
+			case CRL_OBJ_CRL_ENTRY_CRITICAL:
+			case CRL_OBJ_CRITICAL:
+				critical = object.len && *object.ptr;
+				DBG2("  %s", critical ? "TRUE" : "FALSE");
+				break;
+			case CRL_OBJ_CRL_ENTRY_EXTN_VALUE:
+			case CRL_OBJ_EXTN_VALUE:
+				{
+					int extn_oid = asn1_known_oid(extnID);
+
+					if (revoked && extn_oid == OID_CRL_REASON_CODE)
+					{
+						if (*object.ptr == ASN1_ENUMERATED &&
+							asn1_length(&object) == 1)
+						{
+							revoked->reason = *object.ptr;
+						}
+						DBG2("  '%N'", crl_reason_names, revoked->reason);
+					}
+					else if (extn_oid == OID_AUTHORITY_KEY_ID)
+					{
+
+						this->authKeyIdentifier = x509_parse_authorityKeyIdentifier(object,
+									 					level, &this->authKeySerialNumber);
+					}
+					else if (extn_oid == OID_CRL_NUMBER)
+					{
+						if (!asn1_parse_simple_object(&object, ASN1_INTEGER,
+													  level, "crlNumber"))
+						{
+							goto end;
+						}
+						this->crlNumber = object;
+					}
+				}
+				break;
+			case CRL_OBJ_ALGORITHM:
+			{
+				this->algorithm = asn1_parse_algorithmIdentifier(object, level, NULL);
+				if (this->algorithm != sig_alg)
+				{
+					DBG1("  signature algorithms do not agree");
+					goto end;
+				}
+				break;
+			}
+			case CRL_OBJ_SIGNATURE:
+				this->signature = object;
+				break;
+			default:
+				break;
+		}
+	}
+	success = parser->success(parser);
+
+end:
+	parser->destroy(parser);
+	return success;
+}
+
+/**
+ * enumerator filter callback for create_enumerator
+ */
+static bool filter(void *data, revoked_t **revoked, chunk_t *serial, void *p2,
+				   time_t *date, void *p3, crl_reason_t *reason)
+{
+	if (serial)
+	{
+		*serial = (*revoked)->serial;
+	}
+	if (date)
+	{
+		*date = (*revoked)->date;
+	}
+	if (reason)
+	{
+		*reason = (*revoked)->reason;
+	}
+	return TRUE;
+}
+
+/**
+ * Implementation of crl_t.get_serial.
+ */
+static chunk_t get_serial(private_x509_crl_t *this)
+{
+	return this->crlNumber;
+}
+
+/**
+ * Implementation of crl_t.get_authKeyIdentifier.
+ */
+static identification_t* get_authKeyIdentifier(private_x509_crl_t *this)
+{
+	return this->authKeyIdentifier;
+}
+/**
+ * Implementation of crl_t.create_enumerator.
+ */
+static enumerator_t* create_enumerator(private_x509_crl_t *this)
+{
+	return enumerator_create_filter(
+								this->revoked->create_enumerator(this->revoked), 
+								(void*)filter, NULL, NULL);
+}
+
+/**
+ * Implementation of certificate_t.get_type
+ */
+static certificate_type_t get_type(private_x509_crl_t *this)
+{
+	return CERT_X509_CRL;
+}
+
+/**
+ * Implementation of certificate_t.get_issuer and get_subject
+ */
+static identification_t* get_issuer(private_x509_crl_t *this)
+{
+	return this->issuer;
+}
+
+/**
+ * Implementation of certificate_t.has_subject and has_issuer.
+ */
+static id_match_t has_issuer(private_x509_crl_t *this, identification_t *issuer)
+{
+	id_match_t match;
+
+	if (issuer->get_type(issuer) == ID_PUBKEY_SHA1)
+	{
+		if (this->authKeyIdentifier)
+		{
+			match = issuer->matches(issuer, this->authKeyIdentifier);
+		}
+		else
+		{
+			match = ID_MATCH_NONE;
+		}
+	}
+	else
+	{
+		match = this->issuer->matches(this->issuer, issuer);
+	}
+	return match;
+}
+
+/**
+ * Implementation of certificate_t.issued_by
+ */
+static bool issued_by(private_x509_crl_t *this, certificate_t *issuer)
+{
+	public_key_t *key;
+	signature_scheme_t scheme;
+	bool valid;
+	x509_t *x509 = (x509_t*)issuer;
+	
+	/* check if issuer is an X.509 CA certificate */
+	if (issuer->get_type(issuer) != CERT_X509)
+	{
+		return FALSE;
+	}
+	if (!(x509->get_flags(x509) & X509_CA))
+	{
+		return FALSE;
+	}
+
+	/* get the public key of the issuer */
+	key = issuer->get_public_key(issuer);
+
+	/* compare keyIdentifiers if available, otherwise use DNs */
+	if (this->authKeyIdentifier && key)
+	{
+		identification_t *subjectKeyIdentifier = key->get_id(key, ID_PUBKEY_SHA1);
+
+		if (!subjectKeyIdentifier->equals(subjectKeyIdentifier,
+										  this->authKeyIdentifier))
+		{
+			return FALSE;
+		}
+	}
+	else 
+	{
+		if (!this->issuer->equals(this->issuer, issuer->get_subject(issuer)))
+		{
+			return FALSE;
+		}
+	}
+	/* TODO: generic OID to scheme mapper? */
+	switch (this->algorithm)
+	{
+		case OID_MD5_WITH_RSA:
+			scheme = SIGN_RSA_EMSA_PKCS1_MD5;
+			break;
+		case OID_SHA1_WITH_RSA:
+			scheme = SIGN_RSA_EMSA_PKCS1_SHA1;
+			break;
+		case OID_SHA256_WITH_RSA:
+			scheme = SIGN_RSA_EMSA_PKCS1_SHA256;
+			break;
+		case OID_SHA384_WITH_RSA:
+			scheme = SIGN_RSA_EMSA_PKCS1_SHA384;
+			break;
+		case OID_SHA512_WITH_RSA:
+			scheme = SIGN_RSA_EMSA_PKCS1_SHA512;
+			break;
+		case OID_ECDSA_WITH_SHA1:
+			scheme = SIGN_ECDSA_WITH_SHA1;
+			break;
+		default:
+			return FALSE;
+	}
+	if (key == NULL)
+	{
+		return FALSE;
+	}
+	valid = key->verify(key, scheme, this->tbsCertList, this->signature);
+	key->destroy(key);
+	return valid;
+}
+
+/**
+ * Implementation of certificate_t.get_public_key
+ */
+static public_key_t* get_public_key(private_x509_crl_t *this)
+{
+	return NULL;
+}
+
+/**
+ * Implementation of certificate_t.asdf
+ */
+static private_x509_crl_t* get_ref(private_x509_crl_t *this)
+{
+	ref_get(&this->ref);
+	return this;
+}
+
+/**
+ * Implementation of certificate_t.get_validity.
+ */
+static bool get_validity(private_x509_crl_t *this, time_t *when,
+						 time_t *not_before, time_t *not_after)
+{
+	time_t t;
+	
+	if (when)
+	{
+		t = *when;
+	}
+	else
+	{
+		t = time(NULL);
+	}
+	if (not_before)
+	{
+		*not_before = this->thisUpdate;
+	}
+	if (not_after)
+	{
+		*not_after = this->nextUpdate;
+	}
+	return (t <= this->nextUpdate);
+}
+
+/**
+ * Implementation of certificate_t.is_newer.
+ */
+static bool is_newer(private_x509_crl_t *this, crl_t *that)
+{
+	chunk_t that_crlNumber = that->get_serial(that);
+	bool new;
+	
+	/* compare crlNumbers if available - otherwise use thisUpdate */
+	if (this->crlNumber.ptr != NULL && that_crlNumber.ptr != NULL)
+	{
+		new = chunk_compare(this->crlNumber, that_crlNumber) > 0;
+		DBG1("  crl #%#B is %s - existing crl #%#B %s",
+				&this->crlNumber, new ? "newer":"not newer",
+				&that_crlNumber,  new ? "replaced":"retained");
+	}
+	else 
+	{
+		certificate_t *this_cert = &this->public.crl.certificate;
+		certificate_t *that_cert = &that->certificate;
+
+		time_t this_update, that_update, now = time(NULL);
+
+		this_cert->get_validity(this_cert, &now, &this_update, NULL);
+		that_cert->get_validity(that_cert, &now, &that_update, NULL);
+		new = this_update > that_update;
+		DBG1("  crl from %#T is %s - existing crl from %#T %s",
+				&this_update, FALSE, new ? "newer":"not newer",
+				&that_update, FALSE, new ? "replaced":"retained");
+	}
+	return new;
+}
+	
+/**
+ * Implementation of certificate_t.get_encoding.
+ */
+static chunk_t get_encoding(private_x509_crl_t *this)
+{
+	return chunk_clone(this->encoding);
+}
+
+/**
+ * Implementation of certificate_t.equals.
+ */
+static bool equals(private_x509_crl_t *this, certificate_t *other)
+{
+	chunk_t encoding;
+	bool equal;
+	
+	if ((certificate_t*)this == other)
+	{
+		return TRUE;
+	}
+	if (other->equals == (void*)equals)
+	{	/* skip allocation if we have the same implementation */
+		return chunk_equals(this->encoding, ((private_x509_crl_t*)other)->encoding); 
+	}
+	encoding = other->get_encoding(other);
+	equal = chunk_equals(this->encoding, encoding);
+	free(encoding.ptr);
+	return equal;
+}
+
+/**
+ * Implementation of certificate_t.destroy
+ */
+static void destroy(private_x509_crl_t *this)
+{
+	if (ref_put(&this->ref))
+	{
+		this->revoked->destroy_function(this->revoked, free);
+		DESTROY_IF(this->issuer);
+		DESTROY_IF(this->authKeyIdentifier);
+		free(this->encoding.ptr);
+		free(this);
+	}
+}
+
+/**
+ * create an empty but initialized X.509 crl
+ */
+static private_x509_crl_t* create_empty(void)
+{
+	private_x509_crl_t *this = malloc_thing(private_x509_crl_t);
+	
+	this->public.crl.get_serial = (chunk_t (*)(crl_t*))get_serial;
+	this->public.crl.get_authKeyIdentifier = (identification_t* (*)(crl_t*))get_authKeyIdentifier;
+	this->public.crl.create_enumerator = (enumerator_t* (*)(crl_t*))create_enumerator;
+	this->public.crl.certificate.get_type = (certificate_type_t (*)(certificate_t *this))get_type;
+	this->public.crl.certificate.get_subject = (identification_t* (*)(certificate_t *this))get_issuer;
+	this->public.crl.certificate.get_issuer = (identification_t* (*)(certificate_t *this))get_issuer;
+	this->public.crl.certificate.has_subject = (id_match_t (*)(certificate_t*, identification_t *subject))has_issuer;
+	this->public.crl.certificate.has_issuer = (id_match_t (*)(certificate_t*, identification_t *issuer))has_issuer;
+	this->public.crl.certificate.issued_by = (bool (*)(certificate_t *this, certificate_t *issuer))issued_by;
+	this->public.crl.certificate.get_public_key = (public_key_t* (*)(certificate_t *this))get_public_key;
+	this->public.crl.certificate.get_validity = (bool (*)(certificate_t*, time_t *when, time_t *, time_t*))get_validity;
+	this->public.crl.certificate.is_newer = (bool (*)(certificate_t*,certificate_t*))is_newer;
+	this->public.crl.certificate.get_encoding = (chunk_t (*)(certificate_t*))get_encoding;
+	this->public.crl.certificate.equals = (bool (*)(certificate_t*, certificate_t *other))equals;
+	this->public.crl.certificate.get_ref = (certificate_t* (*)(certificate_t *this))get_ref;
+	this->public.crl.certificate.destroy = (void (*)(certificate_t *this))destroy;
+	
+	this->encoding = chunk_empty;
+	this->tbsCertList = chunk_empty;
+	this->issuer = NULL;
+	this->crlNumber = chunk_empty;
+	this->revoked = linked_list_create();
+	this->authKeyIdentifier = NULL;
+	this->authKeySerialNumber = chunk_empty;
+	this->ref = 1;
+	
+	return this;
+}
+
+/**
+ * create an X.509 crl from a chunk
+ */
+static private_x509_crl_t* create_from_chunk(chunk_t chunk)
+{
+	private_x509_crl_t *this = create_empty();
+
+	this->encoding = chunk;
+	if (!parse(this))
+	{
+		destroy(this);
+		return NULL;
+	}
+	return this;
+}
+
+/**
+ * create an X.509 crl from a file
+ */
+static private_x509_crl_t* create_from_file(char *path)
+{
+	bool pgp = FALSE;
+	chunk_t chunk;
+	private_x509_crl_t *this;
+	
+	if (!pem_asn1_load_file(path, NULL, &chunk, &pgp))
+	{
+		return NULL;
+	}
+
+	this = create_from_chunk(chunk);
+
+	if (this == NULL)
+	{
+		DBG1("  could not parse loaded crl file '%s'",path);
+		return NULL;
+	}
+	DBG1("  loaded crl file '%s'",  path);
+	return this;
+}
+
+typedef struct private_builder_t private_builder_t;
+/**
+ * Builder implementation for certificate loading
+ */
+struct private_builder_t {
+	/** implements the builder interface */
+	builder_t public;
+	/** loaded CRL */
+	private_x509_crl_t *crl;
+};
+
+/**
+ * Implementation of builder_t.build
+ */
+static private_x509_crl_t *build(private_builder_t *this)
+{
+	private_x509_crl_t *crl = this->crl;
+	
+	free(this);
+	return crl;
+}
+
+/**
+ * Implementation of builder_t.add
+ */
+static void add(private_builder_t *this, builder_part_t part, ...)
+{
+	va_list args;
+	
+	if (this->crl)
+	{
+		DBG1("ignoring surplus build part %N", builder_part_names, part);
+		return;
+	}
+	
+	va_start(args, part);
+	switch (part)
+	{
+		case BUILD_FROM_FILE:
+			this->crl = create_from_file(va_arg(args, char*));
+			break;
+		case BUILD_BLOB_ASN1_DER:
+		{
+			this->crl = create_from_chunk(va_arg(args, chunk_t));
+			break;
+		}
+		default:
+			DBG1("ignoring unsupported build part %N", builder_part_names, part);
+			break;
+	}
+	va_end(args);
+}
+
+/**
+ * Builder construction function
+ */
+builder_t *x509_crl_builder(certificate_type_t type)
+{
+	private_builder_t *this;
+	
+	if (type != CERT_X509_CRL)
+	{
+		return NULL;
+	}
+	
+	this = malloc_thing(private_builder_t);
+	
+	this->crl = NULL;
+	this->public.add = (void(*)(builder_t *this, builder_part_t part, ...))add;
+	this->public.build = (void*(*)(builder_t *this))build;
+	
+	return &this->public;
+}
+
diff --git a/src/libstrongswan/plugins/x509/x509_crl.h b/src/libstrongswan/plugins/x509/x509_crl.h
new file mode 100644
index 000000000..0d9e5cca4
--- /dev/null
+++ b/src/libstrongswan/plugins/x509/x509_crl.h
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup x509_crl x509_crl
+ * @{ @ingroup x509_p
+ */
+
+#ifndef X509_CRL_H_
+#define X509_CRL_H_
+
+typedef struct x509_crl_t x509_crl_t;
+
+#include <credentials/certificates/crl.h>
+
+/**
+ * Implementation of the X509 certification revocation list.
+ */
+struct x509_crl_t {
+
+	/**
+	 * Implements the crl_t interface
+	 */
+	crl_t crl;
+};
+
+
+/**
+ * Create the building facility for x509 certificate revocation lists.
+ *
+ * @param type		certificate type, CERT_X509_CRL only
+ * @return			builder instance to build certificate
+ */
+builder_t *x509_crl_builder(certificate_type_t type);
+
+#endif /* X509_CRL_H_ @}*/
diff --git a/src/libstrongswan/plugins/x509/x509_ocsp_request.c b/src/libstrongswan/plugins/x509/x509_ocsp_request.c
new file mode 100644
index 000000000..590a974f7
--- /dev/null
+++ b/src/libstrongswan/plugins/x509/x509_ocsp_request.c
@@ -0,0 +1,612 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Copyright (C) 2007 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2003 Christoph Gysin, Simon Zwahlen
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id: x509_ocsp_request.c 4091 2008-06-22 17:41:07Z andreas $
+ */
+
+#include "x509_ocsp_request.h"
+
+#include <library.h>
+#include <asn1/oid.h>
+#include <asn1/asn1.h>
+#include <utils/identification.h>
+#include <utils/linked_list.h>
+#include <debug.h>
+#include <credentials/certificates/x509.h>
+
+#define NONCE_LEN		16
+
+typedef struct private_x509_ocsp_request_t private_x509_ocsp_request_t;
+
+/**
+ * private data of x509_ocsp_request
+ */
+struct private_x509_ocsp_request_t {
+
+	/**
+	 * public functions
+	 */
+	x509_ocsp_request_t public;
+	
+	/**
+	 * CA the candidates belong to
+	 */
+	x509_t *ca;
+	
+	/**
+	 * Requestor name, subject of cert used if not set
+	 */
+	identification_t *requestor;
+
+	/**
+	 * Requestor certificate, included in request
+	 */
+	certificate_t *cert;
+	
+	/**
+	 * Requestor private key to sign request
+	 */
+	private_key_t *key;
+	
+	/**
+	 * list of certificates to check, x509_t
+	 */
+	linked_list_t *candidates;
+	
+	/**
+	 * nonce used in request
+	 */
+	chunk_t nonce;
+	
+	/**
+	 * encoded OCSP request
+	 */
+	chunk_t encoding;
+	
+	/**
+	 * reference count
+	 */
+	refcount_t ref;
+};
+
+static u_char ASN1_nonce_oid_str[] = {
+	0x06, 0x09,
+		  0x2B, 0x06,
+				0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x02
+};
+
+static u_char ASN1_response_oid_str[] = {
+	0x06, 0x09,
+		  0x2B, 0x06,
+				0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x04
+};
+
+static u_char ASN1_response_content_str[] = {
+	0x04, 0x0D,
+		  0x30, 0x0B,
+				0x06, 0x09,
+				0x2B, 0x06,
+				0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x01
+};
+
+static const chunk_t ASN1_nonce_oid = chunk_from_buf(ASN1_nonce_oid_str);
+static const chunk_t ASN1_response_oid = chunk_from_buf(ASN1_response_oid_str);
+static const chunk_t ASN1_response_content = chunk_from_buf(ASN1_response_content_str);
+
+/**
+ * build requestorName
+ */
+static chunk_t build_requestorName(private_x509_ocsp_request_t *this)
+{
+	if (this->requestor || this->cert)
+	{	/* use requestor name, fallback to his cert subject */
+		if (!this->requestor)
+		{
+			this->requestor = this->cert->get_subject(this->cert);
+			this->requestor = this->requestor->clone(this->requestor);
+		}
+		return asn1_wrap(ASN1_CONTEXT_C_1, "m",
+					asn1_simple_object(ASN1_CONTEXT_C_4,
+						this->requestor->get_encoding(this->requestor)));
+	
+	}
+	return chunk_empty;
+}
+
+/**
+ * build Request, not using singleRequestExtensions
+ */
+static chunk_t build_Request(private_x509_ocsp_request_t *this,
+							 chunk_t issuerNameHash, chunk_t issuerKeyHash,
+							 chunk_t serialNumber)
+{
+	return asn1_wrap(ASN1_SEQUENCE, "m",
+				asn1_wrap(ASN1_SEQUENCE, "cmmm",
+					asn1_algorithmIdentifier(OID_SHA1),
+					asn1_simple_object(ASN1_OCTET_STRING, issuerNameHash),
+					asn1_simple_object(ASN1_OCTET_STRING, issuerKeyHash),
+					asn1_simple_object(ASN1_INTEGER, serialNumber)));
+}
+
+/**
+ * build requestList
+ */
+static chunk_t build_requestList(private_x509_ocsp_request_t *this)
+{
+	chunk_t issuerNameHash, issuerKeyHash;
+	identification_t *issuer;
+	x509_t *x509;
+	certificate_t *cert;
+	chunk_t list = chunk_empty;
+	public_key_t *public;
+	
+	cert = (certificate_t*)this->ca;
+	public = cert->get_public_key(cert);
+	if (public)
+	{
+		hasher_t *hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
+		if (hasher)
+		{
+			identification_t *keyid = public->get_id(public, ID_PUBKEY_SHA1);	
+			if (keyid)
+			{
+				enumerator_t *enumerator;
+			
+				issuerKeyHash = keyid->get_encoding(keyid);
+		
+				issuer = cert->get_subject(cert);
+				hasher->allocate_hash(hasher, issuer->get_encoding(issuer),
+									  &issuerNameHash);
+				hasher->destroy(hasher);
+	
+				enumerator = this->candidates->create_enumerator(this->candidates);
+				while (enumerator->enumerate(enumerator, &x509))
+				{
+					chunk_t request, serialNumber;
+			
+					serialNumber = x509->get_serial(x509);
+					request = build_Request(this, issuerNameHash, issuerKeyHash,
+											serialNumber);
+					list = chunk_cat("mm", list, request);
+				}
+				enumerator->destroy(enumerator);
+				chunk_free(&issuerNameHash);
+			}
+		}
+		else
+		{
+			DBG1("creating OCSP request failed, SHA1 not supported");
+		}
+		public->destroy(public);
+	}
+	else
+	{
+		DBG1("creating OCSP request failed, CA certificate has no public key");
+	}
+	return asn1_wrap(ASN1_SEQUENCE, "m", list);
+}
+
+/**
+ * build nonce extension
+ */
+static chunk_t build_nonce(private_x509_ocsp_request_t *this)
+{
+	rng_t *rng;
+	
+	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
+	if (rng)
+	{
+		rng->allocate_bytes(rng, NONCE_LEN, &this->nonce);
+		rng->destroy(rng);
+		return asn1_wrap(ASN1_SEQUENCE, "cm", ASN1_nonce_oid,
+					asn1_simple_object(ASN1_OCTET_STRING, this->nonce));
+	}
+	DBG1("creating OCSP request nonce failed, no RNG found");
+	return chunk_empty;
+}
+
+/**
+ * build acceptableResponses extension
+ */
+static chunk_t build_acceptableResponses(private_x509_ocsp_request_t *this)
+{
+	return asn1_wrap(ASN1_SEQUENCE, "cc",
+				ASN1_response_oid,
+				ASN1_response_content);
+}
+
+/**
+ * build requestExtensions
+ */
+static chunk_t build_requestExtensions(private_x509_ocsp_request_t *this)
+{
+    return asn1_wrap(ASN1_CONTEXT_C_2, "m",
+				asn1_wrap(ASN1_SEQUENCE, "mm",
+					build_nonce(this),
+					build_acceptableResponses(this)));
+}
+
+/**
+ * build tbsRequest
+ */
+static chunk_t build_tbsRequest(private_x509_ocsp_request_t *this)
+{
+	return asn1_wrap(ASN1_SEQUENCE, "mmm",
+				build_requestorName(this),
+				build_requestList(this),
+				build_requestExtensions(this));
+}
+
+/**
+ * Build the optionalSignature
+ */
+static chunk_t build_optionalSignature(private_x509_ocsp_request_t *this,
+									   chunk_t tbsRequest)
+{
+	int oid;
+	signature_scheme_t scheme;
+	chunk_t certs, signature;
+	
+	switch (this->key->get_type(this->key))
+	{
+		/* TODO: use a generic mapping function */
+		case KEY_RSA:
+			oid = OID_SHA1_WITH_RSA;
+			scheme = SIGN_RSA_EMSA_PKCS1_SHA1;
+			break;
+		case KEY_ECDSA:
+			oid = OID_ECDSA_WITH_SHA1;
+			scheme = SIGN_ECDSA_WITH_SHA1;
+			break;
+		default:
+			DBG1("unable to sign OCSP request, %N signature not supported",
+				 key_type_names, this->key->get_type(this->key));
+			return chunk_empty;
+	}
+	
+	if (!this->key->sign(this->key, scheme, tbsRequest, &signature))
+	{
+		DBG1("creating OCSP signature failed, skipped");
+		return chunk_empty;
+	}
+	if (this->cert)
+	{
+		certs = asn1_wrap(ASN1_CONTEXT_C_0, "m",
+					asn1_wrap(ASN1_SEQUENCE, "m",
+						this->cert->get_encoding(this->cert)));
+	}
+	return asn1_wrap(ASN1_CONTEXT_C_0, "m",
+				asn1_wrap(ASN1_SEQUENCE, "cmm", 
+					asn1_algorithmIdentifier(oid),
+					asn1_bitstring("m", signature),
+					certs));
+}
+
+/**
+ * Build the OCSPRequest data
+ *
+ */
+static chunk_t build_OCSPRequest(private_x509_ocsp_request_t *this)
+{
+	chunk_t tbsRequest, optionalSignature = chunk_empty;
+	
+	tbsRequest = build_tbsRequest(this);
+	if (this->key)
+	{
+		optionalSignature = build_optionalSignature(this, tbsRequest);
+	}
+	return asn1_wrap(ASN1_SEQUENCE, "mm", tbsRequest, optionalSignature);
+}
+
+
+/**
+ * Implementation of certificate_t.get_type
+ */
+static certificate_type_t get_type(private_x509_ocsp_request_t *this)
+{
+	return CERT_X509_OCSP_REQUEST;
+}
+
+/**
+ * Implementation of certificate_t.get_subject
+ */
+static identification_t* get_subject(private_x509_ocsp_request_t *this)
+{
+	certificate_t *ca = (certificate_t*)this->ca;
+	
+	if (this->requestor)
+	{
+		return this->requestor;
+	}
+	if (this->cert)
+	{
+		return this->cert->get_subject(this->cert);
+	}
+	return ca->get_subject(ca);
+}
+
+/**
+ * Implementation of certificate_t.get_issuer
+ */
+static identification_t* get_issuer(private_x509_ocsp_request_t *this)
+{
+	certificate_t *ca = (certificate_t*)this->ca;
+	
+	return ca->get_subject(ca);
+}
+
+/**
+ * Implementation of certificate_t.has_subject.
+ */
+static id_match_t has_subject(private_x509_ocsp_request_t *this,
+							  identification_t *subject)
+{
+	certificate_t *current;
+	enumerator_t *enumerator;
+	id_match_t match, best = ID_MATCH_NONE;
+
+	enumerator = this->candidates->create_enumerator(this->candidates);
+	while (enumerator->enumerate(enumerator, &current))
+	{
+		match = current->has_subject(current, subject);
+		if (match > best)
+		{
+			best = match;	
+		}
+	}
+	enumerator->destroy(enumerator);
+	return best;	
+}
+
+/**
+ * Implementation of certificate_t.has_subject.
+ */
+static id_match_t has_issuer(private_x509_ocsp_request_t *this,
+							 identification_t *issuer)
+{
+	certificate_t *ca = (certificate_t*)this->ca;
+
+	return ca->has_subject(ca, issuer);
+}
+
+/**
+ * Implementation of certificate_t.issued_by
+ */
+static bool issued_by(private_x509_ocsp_request_t *this, certificate_t *issuer)
+{
+	DBG1("OCSP request validation not implemented!");
+	return FALSE;
+}
+
+/**
+ * Implementation of certificate_t.get_public_key
+ */
+static public_key_t* get_public_key(private_x509_ocsp_request_t *this)
+{
+	return NULL;
+}
+
+/**
+ * Implementation of x509_cert_t.get_validity.
+ */
+static bool get_validity(private_x509_ocsp_request_t *this, time_t *when,
+						 time_t *not_before, time_t *not_after)
+{
+	certificate_t *cert;
+
+	if (this->cert)
+	{
+		cert = this->cert;
+	}
+	else
+	{
+		cert = (certificate_t*)this->ca;
+	}
+	return cert->get_validity(cert, when, not_before, not_after);
+}
+	
+/**
+ * Implementation of certificate_t.get_encoding.
+ */
+static chunk_t get_encoding(private_x509_ocsp_request_t *this)
+{
+	return chunk_clone(this->encoding);
+}
+
+/**
+ * Implementation of certificate_t.equals.
+ */
+static bool equals(private_x509_ocsp_request_t *this, certificate_t *other)
+{
+	chunk_t encoding;
+	bool equal;
+	
+	if (this == (private_x509_ocsp_request_t*)other)
+	{
+		return TRUE;
+	}
+	if (other->get_type(other) != CERT_X509_OCSP_REQUEST)
+	{
+		return FALSE;
+	}
+	if (other->equals == (void*)equals)
+	{	/* skip allocation if we have the same implementation */
+		return chunk_equals(this->encoding, ((private_x509_ocsp_request_t*)other)->encoding); 
+	}
+	encoding = other->get_encoding(other);
+	equal = chunk_equals(this->encoding, encoding);
+	free(encoding.ptr);
+	return equal;
+}
+
+/**
+ * Implementation of certificate_t.asdf
+ */
+static private_x509_ocsp_request_t* get_ref(private_x509_ocsp_request_t *this)
+{
+	ref_get(&this->ref);
+	return this;
+}
+
+/**
+ * Implementation of x509_ocsp_request_t.destroy
+ */
+static void destroy(private_x509_ocsp_request_t *this)
+{
+	if (ref_put(&this->ref))
+	{
+		DESTROY_IF((certificate_t*)this->ca);
+		DESTROY_IF(this->requestor);
+		DESTROY_IF(this->cert);
+		DESTROY_IF(this->key);
+		this->candidates->destroy_offset(this->candidates, offsetof(certificate_t, destroy));
+		chunk_free(&this->nonce);
+		chunk_free(&this->encoding);
+		free(this);
+	}
+}
+
+/**
+ * create an empty but initialized OCSP request
+ */
+static private_x509_ocsp_request_t *create_empty()
+{
+	private_x509_ocsp_request_t *this = malloc_thing(private_x509_ocsp_request_t);
+	
+	this->public.interface.interface.get_type = (certificate_type_t (*)(certificate_t *this))get_type;
+	this->public.interface.interface.get_subject = (identification_t* (*)(certificate_t *this))get_subject;
+	this->public.interface.interface.get_issuer = (identification_t* (*)(certificate_t *this))get_issuer;
+	this->public.interface.interface.has_subject = (id_match_t(*)(certificate_t*, identification_t *subject))has_subject;
+	this->public.interface.interface.has_issuer = (id_match_t(*)(certificate_t*, identification_t *issuer))has_issuer;
+	this->public.interface.interface.issued_by = (bool (*)(certificate_t *this, certificate_t *issuer))issued_by;
+	this->public.interface.interface.get_public_key = (public_key_t* (*)(certificate_t *this))get_public_key;
+	this->public.interface.interface.get_validity = (bool(*)(certificate_t*, time_t *when, time_t *, time_t*))get_validity;
+	this->public.interface.interface.get_encoding = (chunk_t(*)(certificate_t*))get_encoding;
+	this->public.interface.interface.equals = (bool(*)(certificate_t*, certificate_t *other))equals;
+	this->public.interface.interface.get_ref = (certificate_t* (*)(certificate_t *this))get_ref;
+	this->public.interface.interface.destroy = (void (*)(certificate_t *this))destroy;
+	
+	this->ca = NULL;
+	this->requestor = NULL;
+	this->cert = NULL;
+	this->key = NULL;
+	this->nonce = chunk_empty;
+	this->encoding = chunk_empty;
+	this->candidates = linked_list_create();
+	this->ref = 1;
+	
+	return this;
+}
+
+typedef struct private_builder_t private_builder_t;
+/**
+ * Builder implementation for certificate loading
+ */
+struct private_builder_t {
+	/** implements the builder interface */
+	builder_t public;
+	/** OCSP request to build */
+	private_x509_ocsp_request_t *req;
+};
+
+/**
+ * Implementation of builder_t.build
+ */
+static x509_ocsp_request_t *build(private_builder_t *this)
+{
+	private_x509_ocsp_request_t *req;
+	
+	req = this->req;
+	free(this);
+	if (req->ca)
+	{
+		req->encoding = build_OCSPRequest(req);
+		return &req->public;
+	}
+	destroy(req);
+	return NULL;
+}
+
+/**
+ * Implementation of builder_t.add
+ */
+static void add(private_builder_t *this, builder_part_t part, ...)
+{
+	va_list args;
+	certificate_t *cert;
+	
+	va_start(args, part);
+	switch (part)
+	{
+		case BUILD_CA_CERT:
+			cert = va_arg(args, certificate_t*);
+			if (cert->get_type(cert) == CERT_X509)
+			{
+				this->req->ca = (x509_t*)cert;
+			}
+			else
+			{
+				cert->destroy(cert);
+			}
+			break;
+		case BUILD_CERT:
+			cert = va_arg(args, certificate_t*);
+			if (cert->get_type(cert) == CERT_X509)
+			{
+				this->req->candidates->insert_last(this->req->candidates, cert);
+			}
+			else
+			{
+				cert->destroy(cert);
+			}
+			break;
+		case BUILD_SIGNING_CERT:
+			this->req->cert = va_arg(args, certificate_t*);
+			break;
+		case BUILD_SIGNING_KEY:
+			this->req->key = va_arg(args, private_key_t*);
+			break;
+		case BUILD_SUBJECT:
+			this->req->requestor = va_arg(args, identification_t*);
+			break;
+		default:
+			DBG1("ignoring unsupported build part %N", builder_part_names, part);
+			break;
+	}
+	va_end(args);
+}
+
+/**
+ * Builder construction function
+ */
+builder_t *x509_ocsp_request_builder(certificate_type_t type)
+{
+	private_builder_t *this;
+	
+	if (type != CERT_X509_OCSP_REQUEST)
+	{
+		return NULL;
+	}
+	
+	this = malloc_thing(private_builder_t);
+	
+	this->req = create_empty();
+	this->public.add = (void(*)(builder_t *this, builder_part_t part, ...))add;
+	this->public.build = (void*(*)(builder_t *this))build;
+	
+	return &this->public;
+}
+
diff --git a/src/libstrongswan/plugins/x509/x509_ocsp_request.h b/src/libstrongswan/plugins/x509/x509_ocsp_request.h
new file mode 100644
index 000000000..0a4016f65
--- /dev/null
+++ b/src/libstrongswan/plugins/x509/x509_ocsp_request.h
@@ -0,0 +1,54 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup x509_ocsp_request x509_ocsp_request
+ * @{ @ingroup x509_p
+ */
+
+#ifndef X509_OCSP_REQUEST_H_
+#define X509_OCSP_REQUEST_H_
+
+#include <credentials/certificates/ocsp_request.h>
+
+typedef struct x509_ocsp_request_t x509_ocsp_request_t;
+
+/**
+ * Implementation of ocsp_request_t using own ASN1 parser.
+ */
+struct x509_ocsp_request_t {
+
+	/**
+	 * Implements the ocsp_request_t interface
+	 */
+	ocsp_request_t interface;
+};
+
+/**
+ * Create the building facility for OCSP requests.
+ *
+ * The resulting builder accepts:
+ * 	BUILD_CA_CERT:		CA of the checked certificates, exactly one
+ *	BUILD_CERT:			certificates to check with the request, at least one
+ * 	BUILD_SUBJECT:		subject requesting check, optional
+ *	BUILD_SIGNING_CERT:	certificate to create requestor signature, optional
+ *	BUILD_SIGNING_KEY:	private key to create requestor signature, optional
+ *
+ * @param type		certificate type, CERT_X509_OCSP_REQUEST only
+ * @return			builder instance to build OCSP requests
+ */
+builder_t *x509_ocsp_request_builder(certificate_type_t type);
+
+#endif /* X509_OCSP_REQUEST_H_ @}*/
diff --git a/src/libstrongswan/plugins/x509/x509_ocsp_response.c b/src/libstrongswan/plugins/x509/x509_ocsp_response.c
new file mode 100644
index 000000000..33cf73cd2
--- /dev/null
+++ b/src/libstrongswan/plugins/x509/x509_ocsp_response.c
@@ -0,0 +1,990 @@
+/**
+ * Copyright (C) 2008 Martin Willi
+ * Copyright (C) 2007 Andreas Steffen
+ * Hochschule für Technik Rapperswil
+ * Copyright (C) 2003 Christoph Gysin, Simon Zwahlen
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id: x509_ocsp_response.c 4091 2008-06-22 17:41:07Z andreas $
+ */
+
+#include "x509_ocsp_response.h"
+
+#include <time.h>
+
+#include <asn1/oid.h>
+#include <asn1/asn1.h>
+#include <asn1/asn1_parser.h>
+#include <utils/identification.h>
+#include <utils/linked_list.h>
+#include <debug.h>
+
+#include <library.h>
+#include <credentials/certificates/x509.h>
+#include <credentials/certificates/crl.h>
+
+/**
+ * how long do we use an OCSP response without a nextUpdate
+ */
+#define OCSP_DEFAULT_LIFETIME 30
+
+typedef struct private_x509_ocsp_response_t private_x509_ocsp_response_t;
+
+/**
+ * Private data of a ocsp_t object.
+ */
+struct private_x509_ocsp_response_t {
+	/**
+	 * Public interface for this ocsp object.
+	 */
+	x509_ocsp_response_t public;
+	
+	/**
+	 * complete encoded OCSP response
+	 */
+	chunk_t encoding;
+	
+	/**
+	 * data for signature verficiation
+	 */
+	chunk_t tbsResponseData;
+	
+	/**
+	 * signature algorithm (OID)
+	 */
+	int signatureAlgorithm;
+	
+	/**
+	 * signature
+	 */
+	chunk_t signature;
+	
+	/**
+	 * name or keyid of the responder
+	 */
+	identification_t *responderId;
+	
+	/**
+	 * time of response production
+	 */
+	time_t producedAt;
+	
+	/**
+	 * latest nextUpdate in this OCSP response
+	 */
+	time_t usableUntil;
+	
+	/**
+	 * list of included certificates
+	 */
+	linked_list_t *certs;
+
+	/**
+	 * Linked list of OCSP responses, single_response_t
+	 */
+	linked_list_t *responses;
+
+	/**
+	 * Nonce required for ocsp request and response
+	 */
+	chunk_t nonce;
+	
+	/**
+	 * reference counter
+	 */
+	refcount_t ref;
+};
+
+/**
+ * single response contained in OCSP response
+ */
+typedef struct {
+	/** hash algorithm OID to for the two hashes */
+	int hashAlgorithm;
+	/** hash of issuer DN */
+	chunk_t issuerNameHash;
+	/** issuerKeyID */
+	chunk_t issuerKeyHash;
+	/** serial number of certificate */
+	chunk_t serialNumber;
+	/** OCSP certificate status */
+	cert_validation_t status;
+	/** time of revocation, if revoked */
+	time_t revocationTime;
+	/** revocation reason, if revoked */
+	crl_reason_t revocationReason;
+	/** creation of associated CRL */
+	time_t thisUpdate;
+	/** creation of next CRL */
+	time_t nextUpdate;
+} single_response_t;
+
+/* our OCSP response version implementation */
+#define OCSP_BASIC_RESPONSE_VERSION 1
+
+/* some OCSP specific prefabricated ASN.1 constants */
+static u_char ASN1_nonce_oid_str[] = {
+	0x06, 0x09,
+		  0x2B, 0x06,
+				0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x02
+};
+
+static u_char ASN1_response_oid_str[] = {
+	0x06, 0x09,
+		  0x2B, 0x06,
+				0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x04
+};
+
+static u_char ASN1_response_content_str[] = {
+	0x04, 0x0D,
+		  0x30, 0x0B,
+				0x06, 0x09,
+				0x2B, 0x06,
+				0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x01
+};
+
+static const chunk_t ASN1_nonce_oid = chunk_from_buf(ASN1_nonce_oid_str);
+static const chunk_t ASN1_response_oid = chunk_from_buf(ASN1_response_oid_str);
+static const chunk_t ASN1_response_content = chunk_from_buf(ASN1_response_content_str);
+
+/**
+ * Implementaiton of ocsp_response_t.get_status
+ */
+static cert_validation_t get_status(private_x509_ocsp_response_t *this,
+									x509_t *subject, x509_t *issuer,
+									time_t *revocation_time,
+									crl_reason_t *revocation_reason,
+									time_t *this_update, time_t *next_update)
+{
+	enumerator_t *enumerator;
+	single_response_t *response;
+	cert_validation_t status = VALIDATION_FAILED;
+	certificate_t *issuercert = &issuer->interface;
+	
+	enumerator = this->responses->create_enumerator(this->responses);
+	while (enumerator->enumerate(enumerator, &response))
+	{
+		hasher_t *hasher;
+		identification_t *id;
+		chunk_t hash;
+		
+		/* check serial first, is cheaper */
+		if (!chunk_equals(subject->get_serial(subject), response->serialNumber))
+		{
+			continue;
+		}
+		/* check issuerKeyHash if available */
+		if (response->issuerKeyHash.ptr)
+		{
+			public_key_t *public;
+			
+			public = issuercert->get_public_key(issuercert);
+			if (!public)
+			{
+				continue;
+			}
+			switch (response->hashAlgorithm)
+			{	/* TODO: generic mapper function */
+				case OID_SHA1:
+					id = public->get_id(public, ID_PUBKEY_SHA1);
+					break;
+				default:
+					public->destroy(public);
+					continue;
+			}
+			if (!chunk_equals(response->issuerKeyHash, id->get_encoding(id)))
+			{
+				public->destroy(public);
+				continue;
+			}
+			public->destroy(public);
+		}
+		/* check issuerNameHash, if available */
+		else if (response->issuerNameHash.ptr)
+		{
+			hasher = lib->crypto->create_hasher(lib->crypto, 
+							hasher_algorithm_from_oid(response->hashAlgorithm));
+			if (!hasher)
+			{
+				continue;
+			}
+			id = issuercert->get_subject(issuercert);
+			hasher->allocate_hash(hasher, id->get_encoding(id), &hash);
+			hasher->destroy(hasher);
+			if (!chunk_equals(hash, response->issuerNameHash))
+			{
+				continue;
+			}
+		}
+		else
+		{
+			continue;
+		}
+		/* got a match */
+		status = response->status;
+		*revocation_time = response->revocationTime;
+		*revocation_reason = response->revocationReason;
+		*this_update = response->thisUpdate;
+		*next_update = response->nextUpdate;
+		
+		break;
+	}
+	enumerator->destroy(enumerator);
+	return status;
+}
+
+/**
+ * Implementation of ocsp_response_t.create_cert_enumerator.
+ */
+static enumerator_t* create_cert_enumerator(private_x509_ocsp_response_t *this)
+{
+	return this->certs->create_enumerator(this->certs);
+}
+
+/**
+ * ASN.1 definition of singleResponse
+ */
+static const asn1Object_t singleResponseObjects[] = {
+	{ 0, "singleResponse",				ASN1_SEQUENCE,			ASN1_BODY }, /*  0 */
+	{ 1,   "certID",					ASN1_SEQUENCE,			ASN1_NONE }, /*  1 */
+	{ 2,     "algorithm",				ASN1_EOC,				ASN1_RAW  }, /*  2 */
+	{ 2,     "issuerNameHash",			ASN1_OCTET_STRING,		ASN1_BODY }, /*  3 */
+	{ 2,     "issuerKeyHash",			ASN1_OCTET_STRING,		ASN1_BODY }, /*  4 */
+	{ 2,     "serialNumber",			ASN1_INTEGER,			ASN1_BODY }, /*  5 */
+	{ 1,   "certStatusGood",			ASN1_CONTEXT_S_0,		ASN1_OPT  }, /*  6 */
+	{ 1,   "end opt",					ASN1_EOC,				ASN1_END  }, /*  7 */
+	{ 1,   "certStatusRevoked",			ASN1_CONTEXT_C_1,		ASN1_OPT  }, /*  8 */
+	{ 2,     "revocationTime",			ASN1_GENERALIZEDTIME,	ASN1_BODY }, /*  9 */
+	{ 2,     "revocationReason",		ASN1_CONTEXT_C_0,		ASN1_OPT  }, /* 10 */
+	{ 3,       "crlReason",				ASN1_ENUMERATED,		ASN1_BODY }, /* 11 */
+	{ 2,     "end opt",					ASN1_EOC,				ASN1_END  }, /* 12 */
+	{ 1,   "end opt",					ASN1_EOC,				ASN1_END  }, /* 13 */
+	{ 1,   "certStatusUnknown",			ASN1_CONTEXT_S_2,		ASN1_OPT  }, /* 14 */
+	{ 1,   "end opt",					ASN1_EOC,				ASN1_END  }, /* 15 */
+	{ 1,   "thisUpdate",				ASN1_GENERALIZEDTIME,	ASN1_BODY }, /* 16 */
+	{ 1,   "nextUpdateContext",			ASN1_CONTEXT_C_0,		ASN1_OPT  }, /* 17 */
+	{ 2,     "nextUpdate",				ASN1_GENERALIZEDTIME,	ASN1_BODY }, /* 18 */
+	{ 1,   "end opt",					ASN1_EOC,				ASN1_END  }, /* 19 */
+	{ 1,   "singleExtensionsContext",	ASN1_CONTEXT_C_1,		ASN1_OPT  }, /* 20 */
+	{ 2,     "singleExtensions",		ASN1_SEQUENCE,			ASN1_LOOP }, /* 21 */
+	{ 3,       "extension",				ASN1_SEQUENCE,			ASN1_NONE }, /* 22 */
+	{ 4,         "extnID",				ASN1_OID,				ASN1_BODY }, /* 23 */
+	{ 4,         "critical",			ASN1_BOOLEAN,			ASN1_BODY |
+																ASN1_DEF  }, /* 24 */
+	{ 4,         "extnValue",			ASN1_OCTET_STRING,		ASN1_BODY }, /* 25 */
+	{ 2,     "end loop",				ASN1_EOC,				ASN1_END  }, /* 26 */
+	{ 1,   "end opt",					ASN1_EOC,				ASN1_END  }, /* 27 */
+	{ 0, "exit",						ASN1_EOC,				ASN1_EXIT }
+};
+#define SINGLE_RESPONSE_ALGORITHM					 2
+#define SINGLE_RESPONSE_ISSUER_NAME_HASH			 3
+#define SINGLE_RESPONSE_ISSUER_KEY_HASH				 4
+#define SINGLE_RESPONSE_SERIAL_NUMBER				 5
+#define SINGLE_RESPONSE_CERT_STATUS_GOOD			 6
+#define SINGLE_RESPONSE_CERT_STATUS_REVOKED			 8
+#define SINGLE_RESPONSE_CERT_STATUS_REVOCATION_TIME	 9
+#define SINGLE_RESPONSE_CERT_STATUS_CRL_REASON		11
+#define SINGLE_RESPONSE_CERT_STATUS_UNKNOWN			14
+#define SINGLE_RESPONSE_THIS_UPDATE					16
+#define SINGLE_RESPONSE_NEXT_UPDATE					18
+#define SINGLE_RESPONSE_EXT_ID						23
+#define SINGLE_RESPONSE_CRITICAL					24
+#define SINGLE_RESPONSE_EXT_VALUE					25
+
+/**
+ * Parse a single OCSP response
+ */
+static bool parse_singleResponse(private_x509_ocsp_response_t *this,
+								 chunk_t blob, int level0)
+{
+	asn1_parser_t *parser;
+	chunk_t object;
+	int objectID;
+	bool success = FALSE;
+
+	single_response_t *response;
+	
+	response = malloc_thing(single_response_t);
+	response->hashAlgorithm = OID_UNKNOWN;
+	response->issuerNameHash = chunk_empty;
+	response->issuerKeyHash = chunk_empty;
+	response->serialNumber = chunk_empty;
+	response->status = VALIDATION_FAILED;
+	response->revocationTime = 0;
+	response->revocationReason = CRL_UNSPECIFIED;
+	response->thisUpdate = UNDEFINED_TIME;
+	/* if nextUpdate is missing, we give it a short lifetime */
+	response->nextUpdate = this->producedAt + OCSP_DEFAULT_LIFETIME;
+
+	parser = asn1_parser_create(singleResponseObjects, blob);
+	parser->set_top_level(parser, level0);
+
+	while (parser->iterate(parser, &objectID, &object))
+	{
+		switch (objectID)
+		{
+			case SINGLE_RESPONSE_ALGORITHM:
+				response->hashAlgorithm = asn1_parse_algorithmIdentifier(object,
+											parser->get_level(parser)+1, NULL);
+				break;
+			case SINGLE_RESPONSE_ISSUER_NAME_HASH:
+				response->issuerNameHash = object;
+				break;
+			case SINGLE_RESPONSE_ISSUER_KEY_HASH:
+				response->issuerKeyHash = object;
+				break;
+			case SINGLE_RESPONSE_SERIAL_NUMBER:
+				response->serialNumber = object;
+				break;
+			case SINGLE_RESPONSE_CERT_STATUS_GOOD:
+				response->status = VALIDATION_GOOD;
+				break;
+			case SINGLE_RESPONSE_CERT_STATUS_REVOKED:
+				response->status = VALIDATION_REVOKED;
+				break;
+			case SINGLE_RESPONSE_CERT_STATUS_REVOCATION_TIME:
+				response->revocationTime = asn1_to_time(&object, ASN1_GENERALIZEDTIME);
+				break;
+			case SINGLE_RESPONSE_CERT_STATUS_CRL_REASON:
+				if (object.len == 1)
+				{
+					response->revocationReason = *object.ptr;
+				}
+	    		break;
+			case SINGLE_RESPONSE_CERT_STATUS_UNKNOWN:
+				response->status = VALIDATION_FAILED;
+				break;
+			case SINGLE_RESPONSE_THIS_UPDATE:
+				response->thisUpdate = asn1_to_time(&object, ASN1_GENERALIZEDTIME);
+				break;
+			case SINGLE_RESPONSE_NEXT_UPDATE:
+				response->nextUpdate = asn1_to_time(&object, ASN1_GENERALIZEDTIME);
+				if (response->nextUpdate > this->usableUntil)
+				{
+					this->usableUntil = response->nextUpdate;
+				}
+	    		break;
+		}
+	}
+	success = parser->success(parser);
+	parser->destroy(parser);
+	if (success)
+	{
+		if (this->usableUntil == UNDEFINED_TIME)
+		{
+			this->usableUntil = this->producedAt + OCSP_DEFAULT_LIFETIME;
+		}
+		this->responses->insert_last(this->responses, response);
+	}
+	return success;
+}
+
+/**
+ * ASN.1 definition of responses
+ */
+static const asn1Object_t responsesObjects[] = {
+	{ 0, "responses",			ASN1_SEQUENCE,	ASN1_LOOP }, /* 0 */
+	{ 1,   "singleResponse",	ASN1_EOC,		ASN1_RAW  }, /* 1 */
+	{ 0, "end loop",			ASN1_EOC,		ASN1_END  }, /* 2 */
+	{ 0, "exit",				ASN1_EOC,		ASN1_EXIT }
+};
+#define RESPONSES_SINGLE_RESPONSE	1
+
+/**
+ * Parse all responses
+ */
+static bool parse_responses(private_x509_ocsp_response_t *this, 
+							chunk_t blob, int level0)
+{
+	asn1_parser_t *parser;
+	chunk_t object;
+	int objectID;
+	bool success = FALSE;
+	
+	parser = asn1_parser_create(responsesObjects, blob);
+	parser->set_top_level(parser, level0);
+
+	while (parser->iterate(parser, &objectID, &object))
+	{
+		switch (objectID)
+		{
+			case RESPONSES_SINGLE_RESPONSE:
+				if (!parse_singleResponse(this, object,
+										  parser->get_level(parser)+1))
+				{
+					goto end;
+				}
+				break;
+			default:
+				break;
+		}
+	}
+	success = parser->success(parser);
+
+end:
+	parser->destroy(parser);
+	return success;
+}
+
+/**
+ * ASN.1 definition of basicResponse
+ */
+static const asn1Object_t basicResponseObjects[] = {
+	{ 0, "BasicOCSPResponse",				ASN1_SEQUENCE,			ASN1_NONE }, /*  0 */
+	{ 1,   "tbsResponseData",				ASN1_SEQUENCE,			ASN1_OBJ  }, /*  1 */
+	{ 2,     "versionContext",				ASN1_CONTEXT_C_0,		ASN1_NONE |
+																	ASN1_DEF  }, /*  2 */
+	{ 3,       "version",					ASN1_INTEGER,			ASN1_BODY }, /*  3 */
+	{ 2,     "responderIdContext",			ASN1_CONTEXT_C_1,		ASN1_OPT  }, /*  4 */
+	{ 3,       "responderIdByName",			ASN1_SEQUENCE,			ASN1_OBJ  }, /*  5 */
+	{ 2,     "end choice",					ASN1_EOC,				ASN1_END  }, /*  6 */
+	{ 2,     "responderIdContext",			ASN1_CONTEXT_C_2,		ASN1_OPT  }, /*  7 */
+	{ 3,       "responderIdByKey",			ASN1_OCTET_STRING,		ASN1_BODY }, /*  8 */
+	{ 2,     "end choice",					ASN1_EOC,				ASN1_END  }, /*  9 */
+	{ 2,     "producedAt",					ASN1_GENERALIZEDTIME,	ASN1_BODY }, /* 10 */
+	{ 2,     "responses",					ASN1_SEQUENCE,			ASN1_OBJ  }, /* 11 */
+	{ 2,     "responseExtensionsContext",	ASN1_CONTEXT_C_1,		ASN1_OPT  }, /* 12 */
+	{ 3,       "responseExtensions",		ASN1_SEQUENCE,			ASN1_LOOP }, /* 13 */
+	{ 4,         "extension",				ASN1_SEQUENCE,			ASN1_NONE }, /* 14 */
+	{ 5,           "extnID",				ASN1_OID,				ASN1_BODY }, /* 15 */
+	{ 5,           "critical",				ASN1_BOOLEAN,			ASN1_BODY |
+																	ASN1_DEF  }, /* 16 */
+	{ 5,           "extnValue",				ASN1_OCTET_STRING,		ASN1_BODY }, /* 17 */
+	{ 4,         "end loop",				ASN1_EOC,				ASN1_END  }, /* 18 */
+	{ 2,     "end opt",						ASN1_EOC,				ASN1_END  }, /* 19 */
+	{ 1,   "signatureAlgorithm",			ASN1_EOC,				ASN1_RAW  }, /* 20 */
+	{ 1,   "signature",						ASN1_BIT_STRING,		ASN1_BODY }, /* 21 */
+	{ 1,   "certsContext",					ASN1_CONTEXT_C_0,		ASN1_OPT  }, /* 22 */
+	{ 2,     "certs",						ASN1_SEQUENCE,			ASN1_LOOP }, /* 23 */
+	{ 3,       "certificate",				ASN1_SEQUENCE,			ASN1_RAW  }, /* 24 */
+	{ 2,     "end loop",					ASN1_EOC,				ASN1_END  }, /* 25 */
+	{ 1,   "end opt",						ASN1_EOC,				ASN1_END  }, /* 26 */
+	{ 0, "exit",							ASN1_EOC,				ASN1_EXIT }
+};
+#define BASIC_RESPONSE_TBS_DATA		 1
+#define BASIC_RESPONSE_VERSION		 3
+#define BASIC_RESPONSE_ID_BY_NAME	 5
+#define BASIC_RESPONSE_ID_BY_KEY	 8
+#define BASIC_RESPONSE_PRODUCED_AT	10
+#define BASIC_RESPONSE_RESPONSES	11
+#define BASIC_RESPONSE_EXT_ID		15
+#define BASIC_RESPONSE_CRITICAL		16
+#define BASIC_RESPONSE_EXT_VALUE	17
+#define BASIC_RESPONSE_ALGORITHM	20
+#define BASIC_RESPONSE_SIGNATURE	21
+#define BASIC_RESPONSE_CERTIFICATE	24
+
+/**
+ * Parse a basicOCSPResponse
+ */
+static bool parse_basicOCSPResponse(private_x509_ocsp_response_t *this, 
+									chunk_t blob, int level0)
+{
+	asn1_parser_t *parser;
+	chunk_t object;
+	chunk_t responses = chunk_empty;
+	int objectID;
+	int extn_oid = OID_UNKNOWN;
+	u_int responses_level = level0;
+	certificate_t *cert;
+	bool success = FALSE;
+	bool critical;
+	
+	parser = asn1_parser_create(basicResponseObjects, blob);
+	parser->set_top_level(parser, level0);
+
+	while (parser->iterate(parser, &objectID, &object))
+	{
+		switch (objectID)
+		{
+			case BASIC_RESPONSE_TBS_DATA:
+				this->tbsResponseData = object;
+				break;
+			case BASIC_RESPONSE_VERSION:
+			{
+				u_int version = (object.len)? (1 + (u_int)*object.ptr) : 1;
+
+				if (version != OCSP_BASIC_RESPONSE_VERSION)
+				{
+					DBG1("  ocsp ResponseData version %d not supported", version);
+					goto end;
+				}
+				break;
+			}
+			case BASIC_RESPONSE_ID_BY_NAME:
+				this->responderId = identification_create_from_encoding(
+													ID_DER_ASN1_DN, object);
+				DBG2("  '%D'", this->responderId);
+				break;
+			case BASIC_RESPONSE_ID_BY_KEY:
+				this->responderId = identification_create_from_encoding(
+													ID_PUBKEY_INFO_SHA1, object);
+				DBG2("  '%D'", this->responderId);
+				break;
+			case BASIC_RESPONSE_PRODUCED_AT:
+				this->producedAt = asn1_to_time(&object, ASN1_GENERALIZEDTIME);
+				break;
+			case BASIC_RESPONSE_RESPONSES:
+				responses = object;
+				responses_level = parser->get_level(parser)+1;
+				break;
+			case BASIC_RESPONSE_EXT_ID:
+				extn_oid = asn1_known_oid(object);
+				break;
+			case BASIC_RESPONSE_CRITICAL:
+				critical = object.len && *object.ptr;
+				DBG2("  %s", critical ? "TRUE" : "FALSE");
+				break;
+			case BASIC_RESPONSE_EXT_VALUE:
+				if (extn_oid == OID_NONCE)
+				{
+					this->nonce = object;
+				}
+				break;
+			case BASIC_RESPONSE_ALGORITHM:
+				this->signatureAlgorithm = asn1_parse_algorithmIdentifier(object,
+												parser->get_level(parser)+1, NULL);
+				break;
+			case BASIC_RESPONSE_SIGNATURE:
+				this->signature = object;
+				break;
+			case BASIC_RESPONSE_CERTIFICATE:
+			{
+				cert = lib->creds->create(lib->creds, CRED_CERTIFICATE,CERT_X509,
+										  BUILD_BLOB_ASN1_DER,
+										  chunk_clone(object),
+										  BUILD_END);
+				if (cert)
+				{
+					this->certs->insert_last(this->certs, cert);
+				}
+				break;
+			}
+		}
+	}
+	success = parser->success(parser);
+
+end:
+	parser->destroy(parser);
+	if (success)
+	{
+		if (!this->responderId)
+		{
+			this->responderId = identification_create_from_encoding(ID_ANY,
+									chunk_empty);
+		}
+		success = parse_responses(this, responses, responses_level);
+	}
+	return success;
+}
+
+/**
+ * ASN.1 definition of ocspResponse
+ */
+static const asn1Object_t ocspResponseObjects[] = {
+	{ 0, "OCSPResponse",			ASN1_SEQUENCE,		ASN1_NONE }, /* 0 */
+	{ 1,   "responseStatus",		ASN1_ENUMERATED,	ASN1_BODY }, /* 1 */
+	{ 1,   "responseBytesContext",	ASN1_CONTEXT_C_0,	ASN1_OPT  }, /* 2 */
+	{ 2,     "responseBytes",		ASN1_SEQUENCE,		ASN1_NONE }, /* 3 */
+	{ 3,       "responseType",		ASN1_OID,			ASN1_BODY }, /* 4 */
+	{ 3,       "response",			ASN1_OCTET_STRING,	ASN1_BODY }, /* 5 */
+	{ 1,   "end opt",				ASN1_EOC,			ASN1_END  }, /* 6 */
+	{ 0, "exit",					ASN1_EOC,			ASN1_EXIT }
+};
+#define OCSP_RESPONSE_STATUS	1
+#define OCSP_RESPONSE_TYPE		4
+#define OCSP_RESPONSE			5
+
+/**
+ * Parse OCSPResponse object
+ */
+static bool parse_OCSPResponse(private_x509_ocsp_response_t *this)
+{
+	asn1_parser_t *parser;
+	chunk_t object;
+	int objectID;
+	int responseType = OID_UNKNOWN;
+	bool success = FALSE;
+	ocsp_status_t status;
+
+	parser = asn1_parser_create(ocspResponseObjects, this->encoding);
+
+	while (parser->iterate(parser, &objectID, &object))
+	{
+		switch (objectID)
+		{
+			case OCSP_RESPONSE_STATUS:
+				status = (ocsp_status_t)*object.ptr;
+				switch (status)
+	    		{
+	    			case OCSP_SUCCESSFUL:
+						break;
+					default:
+						DBG1("  ocsp response status: %N",
+							 ocsp_status_names, status);
+						goto end;
+				}
+	    		break;
+			case OCSP_RESPONSE_TYPE:
+				responseType = asn1_known_oid(object);
+				break;
+			case OCSP_RESPONSE:
+				switch (responseType)
+				{
+					case OID_BASIC:
+						success = parse_basicOCSPResponse(this, object,
+												parser->get_level(parser)+1);
+						break;
+					default:
+						DBG1("  ocsp response type %#B not supported", &object);
+						goto end;
+				}
+				break;
+		}
+	}
+	success &= parser->success(parser);
+
+end:
+	parser->destroy(parser);
+	return success;
+}
+
+/**
+ * Implementation of certificate_t.get_type
+ */
+static certificate_type_t get_type(private_x509_ocsp_response_t *this)
+{
+	return CERT_X509_OCSP_RESPONSE;
+}
+
+/**
+ * Implementation of certificate_t.get_issuer
+ */
+static identification_t* get_issuer(private_x509_ocsp_response_t *this)
+{
+	return this->responderId;
+}
+
+/**
+ * Implementation of certificate_t.has_subject.
+ */
+static id_match_t has_issuer(private_x509_ocsp_response_t *this,
+							 identification_t *issuer)
+{
+	return this->responderId->matches(this->responderId, issuer);
+}
+
+/**
+ * Implementation of certificate_t.issued_by
+ */
+static bool issued_by(private_x509_ocsp_response_t *this, certificate_t *issuer)
+{
+	public_key_t *key;
+	signature_scheme_t scheme;
+	bool valid;
+	x509_t *x509 = (x509_t*)issuer;
+	
+	if (issuer->get_type(issuer) != CERT_X509)
+	{
+		return FALSE;
+	}
+	if (this->responderId->get_type(this->responderId) == ID_DER_ASN1_DN)
+	{
+		if (!this->responderId->equals(this->responderId,
+									   issuer->get_subject(issuer)))
+		{
+			return FALSE;
+		}
+	}
+	else
+	{
+		bool equal;
+		public_key_t *public = issuer->get_public_key(issuer);
+
+		if (public == NULL)
+		{
+			return FALSE;
+		}
+		equal = this->responderId->equals(this->responderId,
+										  public->get_id(public, ID_PUBKEY_SHA1));
+		public->destroy(public);
+		if (!equal)
+		{
+				return FALSE;
+		}
+	}
+	if (!(x509->get_flags(x509) & X509_OCSP_SIGNER) &&
+		!(x509->get_flags(x509) & X509_CA))
+	{
+		return FALSE;
+	}
+	/* TODO: generic OID to scheme mapper? */
+	switch (this->signatureAlgorithm)
+	{
+		case OID_MD5_WITH_RSA:
+			scheme = SIGN_RSA_EMSA_PKCS1_MD5;
+			break;
+		case OID_SHA1_WITH_RSA:
+			scheme = SIGN_RSA_EMSA_PKCS1_SHA1;
+			break;
+		case OID_SHA256_WITH_RSA:
+			scheme = SIGN_RSA_EMSA_PKCS1_SHA256;
+			break;
+		case OID_SHA384_WITH_RSA:
+			scheme = SIGN_RSA_EMSA_PKCS1_SHA384;
+			break;
+		case OID_SHA512_WITH_RSA:
+			scheme = SIGN_RSA_EMSA_PKCS1_SHA512;
+			break;
+		case OID_ECDSA_WITH_SHA1:
+			scheme = SIGN_ECDSA_WITH_SHA1;
+			break;
+		default:
+			return FALSE;
+	}
+	key = issuer->get_public_key(issuer);
+	if (key == NULL)
+	{
+		return FALSE;
+	}
+	valid = key->verify(key, scheme, this->tbsResponseData, this->signature);
+	key->destroy(key);
+	return valid;
+}
+
+/**
+ * Implementation of certificate_t.get_public_key
+ */
+static public_key_t* get_public_key(private_x509_ocsp_response_t *this)
+{
+	return NULL;
+}
+
+/**
+ * Implementation of certificate_t.get_validity.
+ */
+static bool get_validity(private_x509_ocsp_response_t *this, time_t *when,
+						 time_t *not_before, time_t *not_after)
+{
+	time_t t;
+
+	if (when == NULL)
+	{
+		t = time(NULL);
+	}
+	else
+	{
+		t = *when;
+	}
+	if (not_before)
+	{
+		*not_before = this->producedAt;
+	}
+	if (not_after)
+	{
+		*not_after = this->usableUntil;
+	}
+	return (t < this->usableUntil);
+}
+
+/**
+ * Implementation of certificate_t.is_newer.
+ */
+static bool is_newer(certificate_t *this, certificate_t *that)
+{
+	time_t this_update, that_update, now = time(NULL);
+	bool new;
+
+	this->get_validity(this, &now, &this_update, NULL);
+	that->get_validity(that, &now, &that_update, NULL);
+	new = this_update > that_update;
+	DBG1("  ocsp response from %#T is %s - existing ocsp response from %#T %s",
+				&this_update, FALSE, new ? "newer":"not newer",
+				&that_update, FALSE, new ? "replaced":"retained");
+	return new;
+}
+	
+/**
+ * Implementation of certificate_t.get_encoding.
+ */
+static chunk_t get_encoding(private_x509_ocsp_response_t *this)
+{
+	return chunk_clone(this->encoding);
+}
+
+/**
+ * Implementation of certificate_t.equals.
+ */
+static bool equals(private_x509_ocsp_response_t *this, certificate_t *other)
+{
+	chunk_t encoding;
+	bool equal;
+	
+	if (this == (private_x509_ocsp_response_t*)other)
+	{
+		return TRUE;
+	}
+	if (other->get_type(other) != CERT_X509_OCSP_RESPONSE)
+	{
+		return FALSE;
+	}
+	if (other->equals == (void*)equals)
+	{	/* skip allocation if we have the same implementation */
+		return chunk_equals(this->encoding, ((private_x509_ocsp_response_t*)other)->encoding); 
+	}
+	encoding = other->get_encoding(other);
+	equal = chunk_equals(this->encoding, encoding);
+	free(encoding.ptr);
+	return equal;
+}
+
+/**
+ * Implementation of certificate_t.get_ref
+ */
+static private_x509_ocsp_response_t* get_ref(private_x509_ocsp_response_t *this)
+{
+	ref_get(&this->ref);
+	return this;
+}
+
+/**
+ * Implements ocsp_t.destroy.
+ */
+static void destroy(private_x509_ocsp_response_t *this)
+{
+	if (ref_put(&this->ref))
+	{
+		this->certs->destroy_offset(this->certs, offsetof(certificate_t, destroy));
+		this->responses->destroy_function(this->responses, free);
+		DESTROY_IF(this->responderId);
+		free(this->encoding.ptr);
+		free(this);
+	}
+}
+
+/**
+ * load an OCSP response
+ */
+static x509_ocsp_response_t *load(chunk_t data)
+{
+	private_x509_ocsp_response_t *this;
+	
+	this = malloc_thing(private_x509_ocsp_response_t);
+	
+	this->public.interface.certificate.get_type = (certificate_type_t (*)(certificate_t *this))get_type;
+	this->public.interface.certificate.get_subject = (identification_t* (*)(certificate_t *this))get_issuer;
+	this->public.interface.certificate.get_issuer = (identification_t* (*)(certificate_t *this))get_issuer;
+	this->public.interface.certificate.has_subject = (id_match_t(*)(certificate_t*, identification_t *subject))has_issuer;
+	this->public.interface.certificate.has_issuer = (id_match_t(*)(certificate_t*, identification_t *issuer))has_issuer;
+	this->public.interface.certificate.issued_by = (bool (*)(certificate_t *this, certificate_t *issuer))issued_by;
+	this->public.interface.certificate.get_public_key = (public_key_t* (*)(certificate_t *this))get_public_key;
+	this->public.interface.certificate.get_validity = (bool(*)(certificate_t*, time_t *when, time_t *, time_t*))get_validity;
+	this->public.interface.certificate.is_newer = (bool (*)(certificate_t*,certificate_t*))is_newer;
+	this->public.interface.certificate.get_encoding = (chunk_t(*)(certificate_t*))get_encoding;
+	this->public.interface.certificate.equals = (bool(*)(certificate_t*, certificate_t *other))equals;
+	this->public.interface.certificate.get_ref = (certificate_t* (*)(certificate_t *this))get_ref;
+	this->public.interface.certificate.destroy = (void (*)(certificate_t *this))destroy;
+	this->public.interface.get_status = (cert_validation_t(*)(ocsp_response_t*, x509_t *subject, x509_t *issuer, time_t *revocation_time,crl_reason_t *revocation_reason,time_t *this_update, time_t *next_update))get_status;
+	this->public.interface.create_cert_enumerator = (enumerator_t*(*)(ocsp_response_t*))create_cert_enumerator;
+	
+	this->ref = 1;
+	this->encoding = data;
+	this->tbsResponseData = chunk_empty;
+	this->responderId = NULL;
+	this->producedAt = UNDEFINED_TIME;
+	this->usableUntil = UNDEFINED_TIME;
+	this->responses = linked_list_create();
+	this->nonce = chunk_empty;
+	this->signatureAlgorithm = OID_UNKNOWN;
+	this->signature = chunk_empty;
+	this->certs = linked_list_create();
+
+	if (!parse_OCSPResponse(this))
+	{
+		destroy(this);
+		return NULL;
+	}
+	return &this->public;
+}
+
+
+typedef struct private_builder_t private_builder_t;
+/**
+ * Builder implementation for certificate loading
+ */
+struct private_builder_t {
+	/** implements the builder interface */
+	builder_t public;
+	/** loaded response */
+	x509_ocsp_response_t *res;
+};
+
+/**
+ * Implementation of builder_t.build
+ */
+static x509_ocsp_response_t *build(private_builder_t *this)
+{
+	x509_ocsp_response_t *res = this->res;
+	
+	free(this);
+	return res;
+}
+
+/**
+ * Implementation of builder_t.add
+ */
+static void add(private_builder_t *this, builder_part_t part, ...)
+{
+	va_list args;
+	
+	if (this->res)
+	{
+		DBG1("ignoring surplus build part %N", builder_part_names, part);
+		return;
+	}
+	
+	switch (part)
+	{
+		case BUILD_BLOB_ASN1_DER:
+		{
+			va_start(args, part);
+			this->res = load(va_arg(args, chunk_t));
+			va_end(args);
+			break;
+		}
+		default:
+			DBG1("ignoring unsupported build part %N", builder_part_names, part);
+			break;
+	}
+}
+
+/**
+ * Builder construction function
+ */
+builder_t *x509_ocsp_response_builder(certificate_type_t type)
+{
+	private_builder_t *this;
+	
+	if (type != CERT_X509_OCSP_RESPONSE)
+	{
+		return NULL;
+	}
+	
+	this = malloc_thing(private_builder_t);
+	
+	this->res = NULL;
+	this->public.add = (void(*)(builder_t *this, builder_part_t part, ...))add;
+	this->public.build = (void*(*)(builder_t *this))build;
+	
+	return &this->public;
+}
+
diff --git a/src/libstrongswan/plugins/x509/x509_ocsp_response.h b/src/libstrongswan/plugins/x509/x509_ocsp_response.h
new file mode 100644
index 000000000..8b4c8328d
--- /dev/null
+++ b/src/libstrongswan/plugins/x509/x509_ocsp_response.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup x509_ocsp_response x509_ocsp_response
+ * @{ @ingroup x509_p
+ */
+
+#ifndef X509_OCSP_RESPONSE_H_
+#define X509_OCSP_RESPONSE_H_
+
+#include <credentials/certificates/ocsp_response.h>
+
+typedef struct x509_ocsp_response_t x509_ocsp_response_t;
+
+/**
+ * Implementation of ocsp_response_t using own ASN1 parser.
+ */
+struct x509_ocsp_response_t {
+
+	/**
+	 * Implements the ocsp_response_t interface
+	 */
+	ocsp_response_t interface;
+};
+
+/**
+ * Create the building facility for OCSP responses.
+ *
+ * @param type		certificate type, CERT_X509_OCSP_RESPONSE only
+ * @return			builder instance to build OCSP responses
+ */
+builder_t *x509_ocsp_response_builder(certificate_type_t type);
+
+#endif /* X509_OCSP_RESPONSE_H_ @}*/
diff --git a/src/libstrongswan/plugins/x509/x509_plugin.c b/src/libstrongswan/plugins/x509/x509_plugin.c
new file mode 100644
index 000000000..42768487d
--- /dev/null
+++ b/src/libstrongswan/plugins/x509/x509_plugin.c
@@ -0,0 +1,80 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id: x509_plugin.c 3640 2008-03-21 10:52:11Z andreas $
+ */
+
+#include "x509_plugin.h"
+
+#include <library.h>
+#include "x509_cert.h"
+#include "x509_ac.h"
+#include "x509_crl.h"
+#include "x509_ocsp_request.h"
+#include "x509_ocsp_response.h"
+
+typedef struct private_x509_plugin_t private_x509_plugin_t;
+
+/**
+ * private data of x509_plugin
+ */
+struct private_x509_plugin_t {
+
+	/**
+	 * public functions
+	 */
+	x509_plugin_t public;
+};
+
+/**
+ * Implementation of x509_plugin_t.x509troy
+ */
+static void destroy(private_x509_plugin_t *this)
+{
+	lib->creds->remove_builder(lib->creds,
+							   (builder_constructor_t)x509_cert_builder);
+	lib->creds->remove_builder(lib->creds,
+							   (builder_constructor_t)x509_ac_builder);
+	lib->creds->remove_builder(lib->creds,
+							   (builder_constructor_t)x509_crl_builder);
+	lib->creds->remove_builder(lib->creds,
+							   (builder_constructor_t)x509_ocsp_request_builder);
+	lib->creds->remove_builder(lib->creds,
+							   (builder_constructor_t)x509_ocsp_response_builder);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *plugin_create()
+{
+	private_x509_plugin_t *this = malloc_thing(private_x509_plugin_t);
+	
+	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509,
+							(builder_constructor_t)x509_cert_builder);
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_AC,
+							(builder_constructor_t)x509_ac_builder);
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL,
+							(builder_constructor_t)x509_crl_builder);
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_OCSP_REQUEST,
+							(builder_constructor_t)x509_ocsp_request_builder);
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_OCSP_RESPONSE,
+							(builder_constructor_t)x509_ocsp_response_builder);
+
+	return &this->public.plugin;
+}
+
diff --git a/src/libstrongswan/plugins/x509/x509_plugin.h b/src/libstrongswan/plugins/x509/x509_plugin.h
new file mode 100644
index 000000000..9743a2367
--- /dev/null
+++ b/src/libstrongswan/plugins/x509/x509_plugin.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup x509_p x509
+ * @ingroup plugins
+ *
+ * @defgroup x509_plugin x509_plugin
+ * @{ @ingroup x509_p
+ */
+
+#ifndef X509_PLUGIN_H_
+#define X509_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct x509_plugin_t x509_plugin_t;
+
+/**
+ * Plugin implementing x509, CRL and OCSP certificates.
+ */
+struct x509_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+/**
+ * Create a x509_plugin instance.
+ */
+plugin_t *plugin_create();
+
+#endif /* X509_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/xcbc/Makefile.am b/src/libstrongswan/plugins/xcbc/Makefile.am
new file mode 100644
index 000000000..1b10d21f8
--- /dev/null
+++ b/src/libstrongswan/plugins/xcbc/Makefile.am
@@ -0,0 +1,11 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = -rdynamic
+
+plugin_LTLIBRARIES = libstrongswan-xcbc.la
+
+libstrongswan_xcbc_la_SOURCES = xcbc_plugin.h xcbc_plugin.c xcbc.h xcbc.c \
+	xcbc_prf.h xcbc_prf.c xcbc_signer.h xcbc_signer.c
+libstrongswan_xcbc_la_LDFLAGS = -module
+
diff --git a/src/libstrongswan/plugins/xcbc/Makefile.in b/src/libstrongswan/plugins/xcbc/Makefile.in
new file mode 100644
index 000000000..3fdf46955
--- /dev/null
+++ b/src/libstrongswan/plugins/xcbc/Makefile.in
@@ -0,0 +1,499 @@
+# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libstrongswan/plugins/xcbc
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__installdirs = "$(DESTDIR)$(plugindir)"
+pluginLTLIBRARIES_INSTALL = $(INSTALL)
+LTLIBRARIES = $(plugin_LTLIBRARIES)
+libstrongswan_xcbc_la_LIBADD =
+am_libstrongswan_xcbc_la_OBJECTS = xcbc_plugin.lo xcbc.lo xcbc_prf.lo \
+	xcbc_signer.lo
+libstrongswan_xcbc_la_OBJECTS = $(am_libstrongswan_xcbc_la_OBJECTS)
+libstrongswan_xcbc_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_xcbc_la_LDFLAGS) $(LDFLAGS) -o $@
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_xcbc_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_xcbc_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+CXXDEPMODE = @CXXDEPMODE@
+CXXFLAGS = @CXXFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DSYMUTIL = @DSYMUTIL@
+ECHO = @ECHO@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+F77 = @F77@
+FFLAGS = @FFLAGS@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
+IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LINUX_HEADERS = @LINUX_HEADERS@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+NMEDIT = @NMEDIT@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+RANLIB = @RANLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_CXX = @ac_ct_CXX@
+ac_ct_F77 = @ac_ct_F77@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+confdir = @confdir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libstrongswan_plugins = @libstrongswan_plugins@
+linuxdir = @linuxdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+resolv_conf = @resolv_conf@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+simreader = @simreader@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+AM_CFLAGS = -rdynamic
+plugin_LTLIBRARIES = libstrongswan-xcbc.la
+libstrongswan_xcbc_la_SOURCES = xcbc_plugin.h xcbc_plugin.c xcbc.h xcbc.c \
+	xcbc_prf.h xcbc_prf.c xcbc_signer.h xcbc_signer.c
+
+libstrongswan_xcbc_la_LDFLAGS = -module
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
+		&& exit 0; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/libstrongswan/plugins/xcbc/Makefile'; \
+	cd $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu  src/libstrongswan/plugins/xcbc/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    f=$(am__strip_dir) \
+	    echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(plugindir)/$$f'"; \
+	    $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(plugindir)/$$f"; \
+	  else :; fi; \
+	done
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  p=$(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$p'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$p"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-xcbc.la: $(libstrongswan_xcbc_la_OBJECTS) $(libstrongswan_xcbc_la_DEPENDENCIES) 
+	$(libstrongswan_xcbc_la_LINK) -rpath $(plugindir) $(libstrongswan_xcbc_la_OBJECTS) $(libstrongswan_xcbc_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xcbc.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xcbc_plugin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xcbc_prf.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xcbc_signer.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	    $$tags $$unique; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$tags $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) $$here
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	    fi; \
+	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
+	mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-info: install-info-am
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
+	distclean-compile distclean-generic distclean-libtool \
+	distclean-tags distdir dvi dvi-am html html-am info info-am \
+	install install-am install-data install-data-am install-dvi \
+	install-dvi-am install-exec install-exec-am install-html \
+	install-html-am install-info install-info-am install-man \
+	install-pdf install-pdf-am install-pluginLTLIBRARIES \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libstrongswan/plugins/xcbc/xcbc.c b/src/libstrongswan/plugins/xcbc/xcbc.c
new file mode 100644
index 000000000..ab37eca40
--- /dev/null
+++ b/src/libstrongswan/plugins/xcbc/xcbc.c
@@ -0,0 +1,299 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General xcbc License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General xcbc License
+ * for more details.
+ *
+ * $Id: xcbc.c 3589 2008-03-13 14:14:44Z martin $
+ */
+
+#include <string.h>
+
+#include "xcbc.h"
+
+#include <debug.h>
+
+typedef struct private_xcbc_t private_xcbc_t;
+
+/**
+ * Private data of a xcbc_t object.
+ * 
+ * The variable names are the same as in the RFC.
+ */
+struct private_xcbc_t {
+	/**
+	 * Public xcbc_t interface.
+	 */
+	xcbc_t xcbc;
+	
+	/**
+	 * Block size, in bytes
+	 */
+	u_int8_t b;
+	
+	/**
+	 * crypter using k1
+	 */
+	crypter_t *k1;
+	
+	/**
+	 * k2
+	 */
+	u_int8_t *k2;
+	
+	/**
+	 * k3
+	 */
+	u_int8_t *k3;
+	
+	/**
+	 * E
+	 */
+	u_int8_t *e;
+	
+	/**
+	 * remaining, unprocessed bytes in append mode
+	 */
+	u_int8_t *remaining;
+	
+	/**
+	 * number of bytes in remaining
+	 */
+	int remaining_bytes;
+	
+	/**
+	 * TRUE if we have zero bytes to xcbc in final()
+	 */
+	bool zero;
+};
+
+/**
+ * xcbc supplied data, but do not run final operation
+ */
+static void update(private_xcbc_t *this, chunk_t data)
+{
+	chunk_t iv;
+	
+	if (data.len)
+	{
+		this->zero = FALSE;
+	}
+	
+	if (this->remaining_bytes + data.len <= this->b)
+	{	/* no complete block, just copy into remaining */
+		memcpy(this->remaining + this->remaining_bytes, data.ptr, data.len);
+		this->remaining_bytes += data.len;
+		return;
+	}
+	
+	iv = chunk_alloca(this->b);
+	memset(iv.ptr, 0, iv.len);
+	
+	/* (3) For each block M[i], where i = 1 ... n-1:
+	 *     XOR M[i] with E[i-1], then encrypt the result with Key K1,
+	 *     yielding E[i].
+	 */
+	
+	/* append data to remaining bytes, process block M[1] */
+	memcpy(this->remaining + this->remaining_bytes, data.ptr,
+		   this->b - this->remaining_bytes);
+	data = chunk_skip(data, this->b - this->remaining_bytes);
+	memxor(this->e, this->remaining, this->b);
+	this->k1->encrypt(this->k1, chunk_create(this->e, this->b), iv, NULL);
+	
+	/* process blocks M[2] ... M[n-1] */
+	while (data.len > this->b)
+	{
+		memcpy(this->remaining, data.ptr, this->b);
+		data = chunk_skip(data, this->b);
+		memxor(this->e, this->remaining, this->b);
+		this->k1->encrypt(this->k1, chunk_create(this->e, this->b), iv, NULL);
+	}
+	
+	/* store remaining bytes of block M[n] */
+	memcpy(this->remaining, data.ptr, data.len);
+	this->remaining_bytes = data.len;
+}
+
+/**
+ * run last round, data is in this->e
+ */
+static void final(private_xcbc_t *this, u_int8_t *out)
+{
+	chunk_t iv;
+	
+	iv = chunk_alloca(this->b);
+	memset(iv.ptr, 0, iv.len);
+	
+	/* (4) For block M[n]: */
+	if (this->remaining_bytes == this->b && !this->zero)
+	{
+		/* a) If the blocksize of M[n] is 128 bits:
+         *    XOR M[n] with E[n-1] and Key K2, then encrypt the result with
+         *    Key K1, yielding E[n].
+         */
+		memxor(this->e, this->remaining, this->b);
+		memxor(this->e, this->k2, this->b);
+		this->k1->encrypt(this->k1, chunk_create(this->e, this->b), iv, NULL);
+	}
+	else
+	{
+		/* b) If the blocksize of M[n] is less than 128 bits:
+		 *
+		 *  i) Pad M[n] with a single "1" bit, followed by the number of
+         *     "0" bits (possibly none) required to increase M[n]'s
+         *     blocksize to 128 bits.
+         */
+        if (this->remaining_bytes < this->b)
+        {
+		    this->remaining[this->remaining_bytes] = 0x80;
+		    while (++this->remaining_bytes < this->b)
+		    {
+			    this->remaining[this->remaining_bytes] = 0x00;
+		    }
+        }
+        /*  ii) XOR M[n] with E[n-1] and Key K3, then encrypt the result
+         *      with Key K1, yielding E[n].
+         */
+		memxor(this->e, this->remaining, this->b);
+		memxor(this->e, this->k3, this->b);
+		this->k1->encrypt(this->k1, chunk_create(this->e, this->b), iv, NULL);
+	}
+	
+	memcpy(out, this->e, this->b);
+	
+	/* (2) Define E[0] = 0x00000000000000000000000000000000 */
+	memset(this->e, 0, this->b);
+	this->remaining_bytes = 0;
+	this->zero = TRUE;
+}
+
+/**
+ * Implementation of xcbc_t.get_mac.
+ */
+static void get_mac(private_xcbc_t *this, chunk_t data, u_int8_t *out)
+{
+	/* update E, do not process last block */
+	update(this, data);
+	
+	if (out)
+	{	/* if not in append mode, process last block and output result */
+		final(this, out);
+	}
+}
+	
+/**
+ * Implementation of xcbc_t.get_block_size.
+ */
+static size_t get_block_size(private_xcbc_t *this)
+{
+	return this->b;
+}
+
+/**
+ * Implementation of xcbc_t.set_key.
+ */
+static void set_key(private_xcbc_t *this, chunk_t key)
+{
+	chunk_t iv, k1, lengthened;
+
+	/* we support variable keys from RFC4434 */
+	if (key.len == this->b)
+	{
+		lengthened = key;
+	}
+	else if (key.len < this->b)
+	{	/* pad short keys */
+		lengthened = chunk_alloca(this->b);
+		memset(lengthened.ptr, 0, lengthened.len);
+		memcpy(lengthened.ptr, key.ptr, key.len);
+	}
+	else
+	{	/* shorten key using xcbc */
+		lengthened = chunk_alloca(this->b);
+		memset(lengthened.ptr, 0, lengthened.len);
+		set_key(this, lengthened);
+		get_mac(this, key, lengthened.ptr);
+	}
+
+	k1 = chunk_alloca(this->b);
+	iv = chunk_alloca(this->b);
+	memset(iv.ptr, 0, iv.len);
+	
+	/* 
+	 * (1) Derive 3 128-bit keys (K1, K2 and K3) from the 128-bit secret
+     *     key K, as follows:
+     *     K1 = 0x01010101010101010101010101010101 encrypted with Key K
+     *     K2 = 0x02020202020202020202020202020202 encrypted with Key K
+     *     K3 = 0x03030303030303030303030303030303 encrypted with Key K
+     */
+	this->k1->set_key(this->k1, lengthened);
+	memset(this->k2, 0x02, this->b);
+	this->k1->encrypt(this->k1, chunk_create(this->k2, this->b), iv, NULL);
+	memset(this->k3, 0x03, this->b);
+	this->k1->encrypt(this->k1, chunk_create(this->k3, this->b), iv, NULL);
+	memset(k1.ptr, 0x01, this->b);
+	this->k1->encrypt(this->k1, k1, iv, NULL);
+	this->k1->set_key(this->k1, k1);
+}
+
+/**
+ * Implementation of xcbc_t.destroy.
+ */
+static void destroy(private_xcbc_t *this)
+{
+	this->k1->destroy(this->k1);
+	free(this->k2);
+	free(this->k3);
+	free(this->e);
+	free(this->remaining);
+	free(this);
+}
+
+/*
+ * Described in header
+ */
+xcbc_t *xcbc_create(encryption_algorithm_t algo, size_t key_size)
+{
+	private_xcbc_t *this;
+	crypter_t *crypter;
+	
+	crypter = lib->crypto->create_crypter(lib->crypto, algo, key_size);
+	if (!crypter)
+	{
+		return NULL;
+	}
+	/* input and output of crypter must be equal for xcbc */
+	if (crypter->get_block_size(crypter) != key_size)
+	{
+		crypter->destroy(crypter);
+		return NULL;
+	}
+	
+	this = malloc_thing(private_xcbc_t);
+	this->xcbc.get_mac = (void (*)(xcbc_t *,chunk_t,u_int8_t*))get_mac;
+	this->xcbc.get_block_size = (size_t (*)(xcbc_t *))get_block_size;
+	this->xcbc.set_key = (void (*)(xcbc_t *,chunk_t))set_key;
+	this->xcbc.destroy = (void (*)(xcbc_t *))destroy;
+	
+	this->b = crypter->get_block_size(crypter);
+	this->k1 = crypter;
+	this->k2 = malloc(this->b);
+	this->k3 = malloc(this->b);
+	this->e = malloc(this->b);
+	memset(this->e, 0, this->b);
+	this->remaining = malloc(this->b);
+	this->remaining_bytes = 0;
+	this->zero = TRUE;
+
+	return &this->xcbc;
+}
+
diff --git a/src/libstrongswan/plugins/xcbc/xcbc.h b/src/libstrongswan/plugins/xcbc/xcbc.h
new file mode 100644
index 000000000..81812442e
--- /dev/null
+++ b/src/libstrongswan/plugins/xcbc/xcbc.h
@@ -0,0 +1,78 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup xcbc xcbc
+ * @{ @ingroup xcbc_p
+ */
+
+#ifndef XCBC_H_
+#define XCBC_H_
+
+typedef struct xcbc_t xcbc_t;
+
+#include <crypto/hashers/hasher.h>
+
+/**
+ * Message authentication using CBC crypter.
+ *
+ * This class implements the message authenticaion algorithm
+ * described in RFC3566.
+ */
+struct xcbc_t {
+	
+	/**
+	 * Generate message authentication code.
+	 * 
+	 * If buffer is NULL, no result is given back. A next call will
+	 * append the data to already supplied data. If buffer is not NULL, 
+	 * the mac of all apended data is calculated, returned and the
+	 * state of the xcbc_t is reseted.
+	 * 
+	 * @param data		chunk of data to authenticate
+	 * @param buffer	pointer where the generated bytes will be written
+	 */
+	void (*get_mac) (xcbc_t *this, chunk_t data, u_int8_t *buffer);
+	
+	/**
+	 * Get the block size of this xcbc_t object.
+	 * 
+	 * @return			block size in bytes
+	 */
+	size_t (*get_block_size) (xcbc_t *this);
+	
+	/**
+	 * Set the key for this xcbc_t object.
+	 * 
+	 * @param key		key to set
+	 */
+	void (*set_key) (xcbc_t *this, chunk_t key);
+	
+	/**
+	 * Destroys a xcbc_t object.
+	 */
+	void (*destroy) (xcbc_t *this);
+};
+
+/**
+ * Creates a new xcbc_t object.
+ * 
+ * @param algo			underlying crypto algorithm
+ * @param key_size		key size to use, if required for algorithm
+ * @return				xcbc_t object, NULL if not supported
+ */
+xcbc_t *xcbc_create(encryption_algorithm_t algo, size_t key_size);
+
+#endif /*xcbc_H_ @}*/
diff --git a/src/libstrongswan/plugins/xcbc/xcbc_plugin.c b/src/libstrongswan/plugins/xcbc/xcbc_plugin.c
new file mode 100644
index 000000000..f1501476f
--- /dev/null
+++ b/src/libstrongswan/plugins/xcbc/xcbc_plugin.c
@@ -0,0 +1,65 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+#include "xcbc_plugin.h"
+
+#include <library.h>
+#include "xcbc_signer.h"
+#include "xcbc_prf.h"
+
+typedef struct private_xcbc_plugin_t private_xcbc_plugin_t;
+
+/**
+ * private data of xcbc_plugin
+ */
+struct private_xcbc_plugin_t {
+
+	/**
+	 * public functions
+	 */
+	xcbc_plugin_t public;
+};
+
+/**
+ * Implementation of xcbc_plugin_t.xcbctroy
+ */
+static void destroy(private_xcbc_plugin_t *this)
+{
+	lib->crypto->remove_prf(lib->crypto,
+							(prf_constructor_t)xcbc_prf_create);
+	lib->crypto->remove_signer(lib->crypto,
+							   (signer_constructor_t)xcbc_signer_create);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *plugin_create()
+{
+	private_xcbc_plugin_t *this = malloc_thing(private_xcbc_plugin_t);
+	
+	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+	
+	lib->crypto->add_prf(lib->crypto, PRF_AES128_XCBC, 
+						 (prf_constructor_t)xcbc_prf_create);
+	lib->crypto->add_signer(lib->crypto, AUTH_AES_XCBC_96, 
+							(signer_constructor_t)xcbc_signer_create);
+
+	return &this->public.plugin;
+}
+
diff --git a/src/libstrongswan/plugins/xcbc/xcbc_plugin.h b/src/libstrongswan/plugins/xcbc/xcbc_plugin.h
new file mode 100644
index 000000000..728d84690
--- /dev/null
+++ b/src/libstrongswan/plugins/xcbc/xcbc_plugin.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup xcbc_p xcbc
+ * @ingroup plugins
+ *
+ * @defgroup xcbc_plugin xcbc_plugin
+ * @{ @ingroup xcbc_p
+ */
+
+#ifndef XCBC_PLUGIN_H_
+#define XCBC_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct xcbc_plugin_t xcbc_plugin_t;
+
+/**
+ * Plugin implementing xcbc algorithm to provide crypter based PRF and signers.
+ */
+struct xcbc_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+/**
+ * Create a xcbc_plugin instance.
+ */
+plugin_t *plugin_create();
+
+#endif /* XCBC_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/xcbc/xcbc_prf.c b/src/libstrongswan/plugins/xcbc/xcbc_prf.c
new file mode 100644
index 000000000..03056594d
--- /dev/null
+++ b/src/libstrongswan/plugins/xcbc/xcbc_prf.c
@@ -0,0 +1,131 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+#include "xcbc_prf.h"
+
+#include "xcbc.h"
+
+typedef struct private_xcbc_prf_t private_xcbc_prf_t;
+
+/**
+ * Private data of a xcbc_prf_t object.
+ */
+struct private_xcbc_prf_t {
+
+	/**
+	 * Public xcbc_prf_t interface.
+	 */
+	xcbc_prf_t public;	
+	
+	/**
+	 * xcbc to use for generation.
+	 */
+	xcbc_t *xcbc;
+};
+
+/**
+ * Implementation of prf_t.get_bytes.
+ */
+static void get_bytes(private_xcbc_prf_t *this, chunk_t seed, u_int8_t *buffer)
+{
+	this->xcbc->get_mac(this->xcbc, seed, buffer);
+}
+
+/**
+ * Implementation of prf_t.allocate_bytes.
+ */
+static void allocate_bytes(private_xcbc_prf_t *this, chunk_t seed, chunk_t *chunk)
+{
+	if (chunk)
+	{
+		*chunk = chunk_alloc(this->xcbc->get_block_size(this->xcbc));
+		get_bytes(this, seed, chunk->ptr);
+	}
+	else
+	{
+		get_bytes(this, seed, NULL);
+	}
+}
+
+/**
+ * Implementation of prf_t.get_block_size.
+ */
+static size_t get_block_size(private_xcbc_prf_t *this)
+{
+	return this->xcbc->get_block_size(this->xcbc);
+}
+
+/**
+ * Implementation of prf_t.get_block_size.
+ */
+static size_t get_key_size(private_xcbc_prf_t *this)
+{
+	/* in xcbc, block and key size are always equal */
+	return this->xcbc->get_block_size(this->xcbc);
+}
+
+/**
+ * Implementation of prf_t.set_key.
+ */
+static void set_key(private_xcbc_prf_t *this, chunk_t key)
+{
+	this->xcbc->set_key(this->xcbc, key);
+}
+
+/**
+ * Implementation of prf_t.destroy.
+ */
+static void destroy(private_xcbc_prf_t *this)
+{
+	this->xcbc->destroy(this->xcbc);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+xcbc_prf_t *xcbc_prf_create(pseudo_random_function_t algo)
+{
+	private_xcbc_prf_t *this;
+	xcbc_t *xcbc;
+	
+	switch (algo)
+	{
+		case PRF_AES128_XCBC:
+			xcbc = xcbc_create(ENCR_AES_CBC, 16);
+			break;
+		default:
+			return NULL;
+	}
+	if (!xcbc)
+	{
+		return NULL;
+	}
+	
+	this = malloc_thing(private_xcbc_prf_t);
+	this->xcbc = xcbc;
+	
+	this->public.prf_interface.get_bytes = (void (*) (prf_t *,chunk_t,u_int8_t*))get_bytes;
+	this->public.prf_interface.allocate_bytes = (void (*) (prf_t*,chunk_t,chunk_t*))allocate_bytes;
+	this->public.prf_interface.get_block_size = (size_t (*) (prf_t*))get_block_size;
+	this->public.prf_interface.get_key_size = (size_t (*) (prf_t*))get_key_size;
+	this->public.prf_interface.set_key = (void (*) (prf_t *,chunk_t))set_key;
+	this->public.prf_interface.destroy = (void (*) (prf_t *))destroy;
+	
+	return &this->public;
+}
+
diff --git a/src/libstrongswan/plugins/xcbc/xcbc_prf.h b/src/libstrongswan/plugins/xcbc/xcbc_prf.h
new file mode 100644
index 000000000..e8692ae23
--- /dev/null
+++ b/src/libstrongswan/plugins/xcbc/xcbc_prf.h
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup xcbc_prf xcbc_prf
+ * @{ @ingroup xcbc_p
+ */
+
+#ifndef PRF_XCBC_H_
+#define PRF_XCBC_H_
+
+typedef struct xcbc_prf_t xcbc_prf_t;
+
+#include <crypto/prfs/prf.h>
+
+/**
+ * Implementation of prf_t on CBC block cipher using XCBC, RFC3664/RFC4434.
+ * 
+ * This simply wraps a xcbc_t in a prf_t. More a question of
+ * interface matching.
+ */
+struct xcbc_prf_t {
+	
+	/**
+	 * Generic prf_t interface for this xcbc_prf_t class.
+	 */
+	prf_t prf_interface;
+};
+
+/**
+ * Creates a new xcbc_prf_t object.
+ * 
+ * @param algo		algorithm to implement
+ * @return			xcbc_prf_t object, NULL if hash not supported
+ */
+xcbc_prf_t *xcbc_prf_create(pseudo_random_function_t algo);
+
+#endif /*PRF_XCBC_SHA1_H_ @}*/
diff --git a/src/libstrongswan/plugins/xcbc/xcbc_signer.c b/src/libstrongswan/plugins/xcbc/xcbc_signer.c
new file mode 100644
index 000000000..29eb2d25b
--- /dev/null
+++ b/src/libstrongswan/plugins/xcbc/xcbc_signer.c
@@ -0,0 +1,177 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+#include <string.h>
+
+#include "xcbc_signer.h"
+#include "xcbc.h"
+
+typedef struct private_xcbc_signer_t private_xcbc_signer_t;
+
+/**
+ * Private data structure with signing context.
+ */
+struct private_xcbc_signer_t {
+
+	/**
+	 * Public interface of xcbc_signer_t.
+	 */
+	xcbc_signer_t public;
+	
+	/**
+	 * Assigned xcbc function.
+	 */
+	xcbc_t *xcbc;
+	
+	/**
+	 * Block size (truncation of XCBC MAC)
+	 */
+	size_t block_size;
+};
+
+/**
+ * Implementation of signer_t.get_signature.
+ */
+static void get_signature(private_xcbc_signer_t *this,
+						  chunk_t data, u_int8_t *buffer)
+{
+	if (buffer == NULL)
+	{	/* append mode */
+		this->xcbc->get_mac(this->xcbc, data, NULL);
+	}
+	else
+	{
+		u_int8_t mac[this->xcbc->get_block_size(this->xcbc)];
+		
+		this->xcbc->get_mac(this->xcbc, data, mac);
+		memcpy(buffer, mac, this->block_size);
+	}
+}
+
+/**
+ * Implementation of signer_t.allocate_signature.
+ */
+static void allocate_signature (private_xcbc_signer_t *this,
+								chunk_t data, chunk_t *chunk)
+{
+	if (chunk == NULL)
+	{	/* append mode */
+		this->xcbc->get_mac(this->xcbc, data, NULL);
+	}
+	else
+	{
+		u_int8_t mac[this->xcbc->get_block_size(this->xcbc)];
+		
+		this->xcbc->get_mac(this->xcbc, data, mac);
+
+		chunk->ptr = malloc(this->block_size);
+		chunk->len = this->block_size;
+		
+		memcpy(chunk->ptr, mac, this->block_size);
+	}
+}
+
+/**
+ * Implementation of signer_t.verify_signature.
+ */
+static bool verify_signature(private_xcbc_signer_t *this,
+							 chunk_t data, chunk_t signature)
+{
+	u_int8_t mac[this->xcbc->get_block_size(this->xcbc)];
+	
+	if (signature.len != this->block_size)
+	{
+		return FALSE;
+	}
+	
+	this->xcbc->get_mac(this->xcbc, data, mac);
+	return memeq(signature.ptr, mac, this->block_size);
+}
+
+/**
+ * Implementation of signer_t.get_key_size.
+ */
+static size_t get_key_size(private_xcbc_signer_t *this)
+{
+	return this->xcbc->get_block_size(this->xcbc);
+}
+
+/**
+ * Implementation of signer_t.get_block_size.
+ */
+static size_t get_block_size(private_xcbc_signer_t *this)
+{
+	return this->block_size;
+}
+
+/**
+ * Implementation of signer_t.set_key.
+ */
+static void set_key(private_xcbc_signer_t *this, chunk_t key)
+{
+	this->xcbc->set_key(this->xcbc, key);
+}
+
+/**
+ * Implementation of signer_t.destroy.
+ */
+static status_t destroy(private_xcbc_signer_t *this)
+{
+	this->xcbc->destroy(this->xcbc);
+	free(this);
+	return SUCCESS;
+}
+
+/*
+ * Described in header
+ */
+xcbc_signer_t *xcbc_signer_create(integrity_algorithm_t algo)
+{
+	private_xcbc_signer_t *this;
+	size_t trunc;
+	xcbc_t *xcbc;
+	
+	switch (algo)
+	{
+		case AUTH_AES_XCBC_96:
+			xcbc = xcbc_create(ENCR_AES_CBC, 16);
+			trunc = 12;
+			break;
+		default:
+			return NULL;
+	}
+	if (xcbc == NULL)
+	{
+		return NULL;
+	}
+	
+	this = malloc_thing(private_xcbc_signer_t);
+	this->xcbc = xcbc;
+	this->block_size = min(trunc, xcbc->get_block_size(xcbc));
+	
+	/* interface functions */
+	this->public.signer_interface.get_signature = (void (*) (signer_t*, chunk_t, u_int8_t*))get_signature;
+	this->public.signer_interface.allocate_signature = (void (*) (signer_t*, chunk_t, chunk_t*))allocate_signature;
+	this->public.signer_interface.verify_signature = (bool (*) (signer_t*, chunk_t, chunk_t))verify_signature;
+	this->public.signer_interface.get_key_size = (size_t (*) (signer_t*))get_key_size;
+	this->public.signer_interface.get_block_size = (size_t (*) (signer_t*))get_block_size;
+	this->public.signer_interface.set_key = (void (*) (signer_t*,chunk_t))set_key;
+	this->public.signer_interface.destroy = (void (*) (signer_t*))destroy;
+	
+	return &this->public;
+}
+
diff --git a/src/libstrongswan/plugins/xcbc/xcbc_signer.h b/src/libstrongswan/plugins/xcbc/xcbc_signer.h
new file mode 100644
index 000000000..c7eff7e17
--- /dev/null
+++ b/src/libstrongswan/plugins/xcbc/xcbc_signer.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup xcbc_signer xcbc_signer
+ * @{ @ingroup xcbc_p
+ */
+
+#ifndef xcbc_SIGNER_H_
+#define xcbc_SIGNER_H_
+
+typedef struct xcbc_signer_t xcbc_signer_t;
+
+#include <crypto/signers/signer.h>
+
+/**
+ * Implementation of signer_t based on CBC symmetric cypher. XCBC, RFC3566.
+ */
+struct xcbc_signer_t {
+	
+	/**
+	 * generic signer_t interface for this signer
+	 */
+	signer_t signer_interface;
+};
+
+/**
+ * Creates a new xcbc_signer_t.
+ *
+ * @param algo		algorithm to implement
+ * @return			xcbc_signer_t, NULL if  not supported
+ */
+xcbc_signer_t *xcbc_signer_create(integrity_algorithm_t algo);
+
+#endif /*xcbc_SIGNER_H_ @}*/
-- 
cgit v1.2.3


From 8b80ab5a6950ce6515f477624794defd7531642a Mon Sep 17 00:00:00 2001
From: Rene Mayrhofer <rene@mayrhofer.eu.org>
Date: Wed, 29 Oct 2008 11:11:01 +0000
Subject: [svn-upgrade] Integrating new upstream version, strongswan (4.2.8)

---
 Makefile.am                                        |     2 +-
 Makefile.in                                        |     4 +-
 NEWS                                               |    96 +-
 configure                                          |  1114 +-
 configure.in                                       |   136 +-
 scripts/Makefile.am                                |    13 +
 scripts/Makefile.in                                |   511 +
 scripts/bin2array.c                                |    34 +
 scripts/bin2sql.c                                  |    25 +
 scripts/id2sql.c                                   |    36 +
 scripts/key2keyid.c                                |    71 +
 scripts/keyid2sql.c                                |    76 +
 scripts/thread_analysis.c                          |   273 +
 src/Makefile.in                                    |     2 +
 src/_copyright/Makefile.in                         |     2 +
 src/_updown/Makefile.in                            |     2 +
 src/_updown/_updown.in                             |    54 +-
 src/_updown_espmark/Makefile.in                    |     2 +
 src/_updown_espmark/_updown_espmark                |    30 +-
 src/charon/Makefile.am                             |    35 +-
 src/charon/Makefile.in                             |   172 +-
 src/charon/bus/bus.c                               |   112 +-
 src/charon/bus/bus.h                               |    74 +-
 src/charon/bus/listeners/file_logger.c             |     7 +-
 src/charon/bus/listeners/sys_logger.c              |     7 +-
 src/charon/config/backend_manager.c                |   183 +-
 src/charon/config/backend_manager.h                |     7 +-
 src/charon/config/child_cfg.c                      |    24 +-
 src/charon/config/child_cfg.h                      |    27 +-
 src/charon/config/peer_cfg.c                       |    52 +-
 src/charon/config/peer_cfg.h                       |    44 +-
 src/charon/config/proposal.c                       |   139 +-
 src/charon/config/traffic_selector.c               |    25 +-
 src/charon/control/controller.c                    |    61 +-
 src/charon/control/controller.h                    |     8 +-
 src/charon/credentials/auth_info.c                 |    35 +-
 src/charon/credentials/auth_info.h                 |    10 +-
 src/charon/credentials/credential_manager.c        |    65 +-
 src/charon/credentials/credential_set.h            |     9 +-
 src/charon/credentials/sets/auth_info_wrapper.c    |     3 +-
 src/charon/credentials/sets/cert_cache.c           |    50 +-
 src/charon/daemon.c                                |   136 +-
 src/charon/daemon.h                                |    17 +-
 src/charon/encoding/message.c                      |    11 +-
 src/charon/encoding/payloads/cert_payload.c        |     4 +-
 src/charon/encoding/payloads/vendor_id_payload.c   |     7 +-
 src/charon/kernel/kernel_interface.c               |  2997 +--
 src/charon/kernel/kernel_interface.h               |   148 +-
 src/charon/kernel/kernel_ipsec.c                   |    26 +
 src/charon/kernel/kernel_ipsec.h                   |   266 +
 src/charon/kernel/kernel_net.h                     |   145 +
 src/charon/network/receiver.c                      |    12 +-
 src/charon/network/socket.h                        |     6 +-
 src/charon/plugins/eap_aka/Makefile.in             |     2 +
 src/charon/plugins/eap_aka/eap_aka.c               |    23 +-
 src/charon/plugins/eap_gtc/Makefile.am             |    10 +
 src/charon/plugins/eap_gtc/Makefile.in             |   497 +
 src/charon/plugins/eap_gtc/eap_gtc.c               |   329 +
 src/charon/plugins/eap_gtc/eap_gtc.h               |    62 +
 src/charon/plugins/eap_gtc/eap_gtc_plugin.c        |    58 +
 src/charon/plugins/eap_gtc/eap_gtc_plugin.h        |    49 +
 src/charon/plugins/eap_identity/Makefile.in        |     2 +
 src/charon/plugins/eap_identity/eap_identity.c     |   139 +-
 src/charon/plugins/eap_identity/eap_identity.h     |    12 +-
 .../plugins/eap_identity/eap_identity_plugin.c     |     6 +-
 src/charon/plugins/eap_md5/Makefile.in             |     2 +
 src/charon/plugins/eap_md5/eap_md5.c               |    15 +-
 src/charon/plugins/eap_sim/Makefile.am             |     8 +-
 src/charon/plugins/eap_sim/Makefile.in             |    27 +-
 src/charon/plugins/eap_sim/eap_sim.c               |   171 +-
 src/charon/plugins/eap_sim/eap_sim.h               |    56 +-
 src/charon/plugins/eap_sim/eap_sim_file.c          |   283 -
 src/charon/plugins/eap_sim/eap_sim_plugin.h        |     4 +-
 src/charon/plugins/eap_sim_file/Makefile.am        |    14 +
 src/charon/plugins/eap_sim_file/Makefile.in        |   507 +
 .../plugins/eap_sim_file/eap_sim_file_card.c       |   108 +
 .../plugins/eap_sim_file/eap_sim_file_card.h       |    55 +
 .../plugins/eap_sim_file/eap_sim_file_plugin.c     |    86 +
 .../plugins/eap_sim_file/eap_sim_file_plugin.h     |    49 +
 .../plugins/eap_sim_file/eap_sim_file_provider.c   |    88 +
 .../plugins/eap_sim_file/eap_sim_file_provider.h   |    54 +
 .../plugins/eap_sim_file/eap_sim_file_triplets.c   |   263 +
 .../plugins/eap_sim_file/eap_sim_file_triplets.h   |    74 +
 src/charon/plugins/kernel_netlink/Makefile.am      |    11 +
 src/charon/plugins/kernel_netlink/Makefile.in      |   505 +
 .../plugins/kernel_netlink/kernel_netlink_ipsec.c  |  1761 ++
 .../plugins/kernel_netlink/kernel_netlink_ipsec.h  |    48 +
 .../plugins/kernel_netlink/kernel_netlink_net.c    |  1358 +
 .../plugins/kernel_netlink/kernel_netlink_net.h    |    48 +
 .../plugins/kernel_netlink/kernel_netlink_plugin.c |    61 +
 .../plugins/kernel_netlink/kernel_netlink_plugin.h |    49 +
 .../plugins/kernel_netlink/kernel_netlink_shared.c |   280 +
 .../plugins/kernel_netlink/kernel_netlink_shared.h |    71 +
 src/charon/plugins/medcli/Makefile.in              |     2 +
 src/charon/plugins/medcli/medcli_config.c          |    14 +-
 src/charon/plugins/medcli/medcli_creds.c           |    11 +-
 src/charon/plugins/medcli/medcli_listener.c        |     7 +-
 src/charon/plugins/medsrv/Makefile.in              |     2 +
 src/charon/plugins/medsrv/medsrv_config.c          |     8 +-
 src/charon/plugins/medsrv/medsrv_creds.c           |    11 +-
 src/charon/plugins/medsrv/medsrv_plugin.c          |     4 +-
 src/charon/plugins/nm/Makefile.am                  |    28 +
 src/charon/plugins/nm/Makefile.in                  |   519 +
 src/charon/plugins/nm/gnome/Makefile.am            |    24 +
 src/charon/plugins/nm/gnome/Makefile.in            |   767 +
 src/charon/plugins/nm/gnome/aclocal.m4             |  8398 ++++++
 .../.deps/nm_strongswan_auth_dialog-main.Po        |     1 +
 src/charon/plugins/nm/gnome/auth-dialog/Makefile   |   566 +
 .../plugins/nm/gnome/auth-dialog/Makefile.am       |    27 +
 .../plugins/nm/gnome/auth-dialog/Makefile.in       |   566 +
 src/charon/plugins/nm/gnome/auth-dialog/main.c     |   244 +
 src/charon/plugins/nm/gnome/autogen.sh             |    15 +
 src/charon/plugins/nm/gnome/compile                |   142 +
 src/charon/plugins/nm/gnome/config.guess           |  1516 ++
 src/charon/plugins/nm/gnome/config.h.in            |   112 +
 src/charon/plugins/nm/gnome/config.sub             |  1626 ++
 src/charon/plugins/nm/gnome/configure              | 25583 +++++++++++++++++++
 src/charon/plugins/nm/gnome/configure.in           |   128 +
 src/charon/plugins/nm/gnome/depcomp                |   589 +
 src/charon/plugins/nm/gnome/install-sh             |   519 +
 src/charon/plugins/nm/gnome/intltool-extract.in    |   875 +
 src/charon/plugins/nm/gnome/intltool-merge.in      |  1506 ++
 src/charon/plugins/nm/gnome/intltool-update.in     |  1166 +
 src/charon/plugins/nm/gnome/ltmain.sh              |  6964 +++++
 src/charon/plugins/nm/gnome/missing                |   367 +
 src/charon/plugins/nm/gnome/mkinstalldirs          |   161 +
 .../plugins/nm/gnome/nm-strongswan-service.conf    |    16 +
 .../plugins/nm/gnome/nm-strongswan-service.name.in |     8 +
 src/charon/plugins/nm/gnome/po/LINGUAS             |     2 +
 src/charon/plugins/nm/gnome/po/Makefile.in.in      |   218 +
 src/charon/plugins/nm/gnome/po/POTFILES.in         |     5 +
 src/charon/plugins/nm/gnome/properties/Makefile.am |    38 +
 src/charon/plugins/nm/gnome/properties/Makefile.in |   600 +
 .../nm/gnome/properties/nm-strongswan-dialog.glade |   334 +
 .../plugins/nm/gnome/properties/nm-strongswan.c    |   526 +
 .../plugins/nm/gnome/properties/nm-strongswan.h    |    78 +
 src/charon/plugins/nm/nm_creds.c                   |   341 +
 src/charon/plugins/nm/nm_creds.h                   |    79 +
 src/charon/plugins/nm/nm_plugin.c                  |   119 +
 src/charon/plugins/nm/nm_plugin.h                  |    49 +
 src/charon/plugins/nm/nm_service.c                 |   499 +
 src/charon/plugins/nm/nm_service.h                 |    55 +
 src/charon/plugins/smp/Makefile.in                 |     2 +
 src/charon/plugins/smp/smp.c                       |     6 +-
 src/charon/plugins/sql/Makefile.in                 |     2 +
 src/charon/plugins/sql/pool.c                      |   194 +-
 src/charon/plugins/sql/sql_attribute.c             |   308 +-
 src/charon/plugins/sql/sql_config.c                |    18 +-
 src/charon/plugins/sql/sql_cred.c                  |     4 +-
 src/charon/plugins/sql/sql_logger.c                |     5 +-
 src/charon/plugins/stroke/Makefile.in              |     2 +
 src/charon/plugins/stroke/stroke_ca.c              |    32 +-
 src/charon/plugins/stroke/stroke_config.c          |   107 +-
 src/charon/plugins/stroke/stroke_control.c         |    73 +-
 src/charon/plugins/stroke/stroke_control.h         |     7 +
 src/charon/plugins/stroke/stroke_cred.c            |    75 +-
 src/charon/plugins/stroke/stroke_list.c            |   293 +-
 src/charon/plugins/stroke/stroke_socket.c          |    21 +-
 src/charon/plugins/uci/Makefile.am                 |     3 +-
 src/charon/plugins/uci/Makefile.in                 |     8 +-
 src/charon/plugins/uci/uci_config.c                |    11 +-
 src/charon/plugins/uci/uci_control.c               |   301 +
 src/charon/plugins/uci/uci_control.h               |    43 +
 src/charon/plugins/uci/uci_parser.c                |    11 +-
 src/charon/plugins/uci/uci_plugin.c                |    10 +-
 src/charon/plugins/unit_tester/Makefile.am         |     7 +-
 src/charon/plugins/unit_tester/Makefile.in         |    27 +-
 src/charon/plugins/unit_tester/tests.h             |    41 +
 src/charon/plugins/unit_tester/tests/test_agent.c  |    67 +
 .../plugins/unit_tester/tests/test_auth_info.c     |     2 +-
 src/charon/plugins/unit_tester/tests/test_chunk.c  |     2 -
 .../plugins/unit_tester/tests/test_enumerator.c    |    50 +
 src/charon/plugins/unit_tester/tests/test_pool.c   |   102 +
 .../plugins/unit_tester/tests/test_rsa_gen.c       |     2 +-
 .../processing/jobs/initiate_mediation_job.c       |    15 +-
 src/charon/processing/jobs/update_sa_job.c         |    98 +
 src/charon/processing/jobs/update_sa_job.h         |    52 +
 src/charon/sa/authenticators/authenticator.c       |    30 +-
 src/charon/sa/authenticators/authenticator.h       |    75 +-
 src/charon/sa/authenticators/eap/eap_method.c      |    10 +-
 src/charon/sa/authenticators/eap/eap_method.h      |    13 +-
 src/charon/sa/authenticators/eap/sim_manager.c     |   125 +
 src/charon/sa/authenticators/eap/sim_manager.h     |   136 +
 src/charon/sa/authenticators/eap_authenticator.c   |   183 +-
 src/charon/sa/authenticators/eap_authenticator.h   |     6 +-
 src/charon/sa/child_sa.c                           |    50 +-
 src/charon/sa/child_sa.h                           |    28 +-
 src/charon/sa/connect_manager.c                    |     4 +-
 src/charon/sa/ike_sa.c                             |   213 +-
 src/charon/sa/ike_sa.h                             |    26 +-
 src/charon/sa/ike_sa_manager.c                     |    52 +-
 src/charon/sa/task_manager.c                       |    16 +-
 src/charon/sa/tasks/child_create.c                 |   187 +-
 src/charon/sa/tasks/child_delete.c                 |    48 +-
 src/charon/sa/tasks/ike_auth.c                     |   131 +-
 src/charon/sa/tasks/ike_cert_post.c                |     9 +-
 src/charon/sa/tasks/ike_cert_pre.c                 |    43 +-
 src/charon/sa/tasks/ike_config.c                   |     7 +-
 src/charon/sa/tasks/ike_delete.c                   |    35 +-
 src/charon/sa/tasks/ike_init.c                     |    38 +-
 src/charon/sa/tasks/ike_me.c                       |    18 +-
 src/charon/sa/tasks/ike_mobike.c                   |    73 +-
 src/charon/sa/tasks/ike_mobike.h                   |     7 +-
 src/charon/sa/tasks/ike_natd.c                     |    45 +-
 src/charon/sa/tasks/ike_natd.h                     |    11 +-
 src/charon/sa/tasks/ike_reauth.c                   |     5 +-
 src/charon/sa/tasks/ike_rekey.c                    |    22 +-
 src/dumm/Makefile.am                               |    15 +-
 src/dumm/Makefile.in                               |    38 +-
 src/dumm/bridge.c                                  |    22 +-
 src/dumm/cowfs.c                                   |     9 +-
 src/dumm/dumm.c                                    |    55 +-
 src/dumm/dumm.h                                    |     9 +-
 src/dumm/ext/README                                |     8 +
 src/dumm/ext/dumm.c                                |   633 +
 src/dumm/ext/extconf.rb                            |    21 +
 src/dumm/ext/lib/dumm.rb                           |    21 +
 src/dumm/ext/lib/dumm/guest.rb                     |    40 +
 src/dumm/guest.c                                   |   174 +-
 src/dumm/guest.h                                   |    41 +-
 src/dumm/iface.c                                   |   112 +-
 src/dumm/iface.h                                   |    48 +-
 src/dumm/irdumm.c                                  |    60 +
 src/dumm/main.c                                    |    18 +-
 src/dumm/mconsole.c                                |   110 +-
 src/dumm/mconsole.h                                |    11 +
 src/dumm/testing.c                                 |   171 -
 src/include/Makefile.in                            |     2 +
 src/include/linux/xfrm.h                           |    26 +-
 src/ipsec/Makefile.in                              |     2 +
 src/ipsec/ipsec.in                                 |    55 +-
 src/libcrypto/Makefile.in                          |     2 +
 src/libfast/Makefile.in                            |     2 +
 src/libfreeswan/Makefile.in                        |     2 +
 src/libfreeswan/copyright.c                        |    19 +-
 src/libstrongswan/Makefile.am                      |    15 +-
 src/libstrongswan/Makefile.in                      |    69 +-
 src/libstrongswan/asn1/oid.h                       |     2 +-
 src/libstrongswan/asn1/oid.pl                      |     2 +-
 src/libstrongswan/chunk.c                          |    22 +-
 src/libstrongswan/chunk.h                          |     7 +-
 src/libstrongswan/credentials/builder.c            |    12 +-
 src/libstrongswan/credentials/builder.h            |    17 +-
 src/libstrongswan/credentials/credential_factory.c |   161 +-
 src/libstrongswan/credentials/credential_factory.h |    15 +-
 src/libstrongswan/crypto/crypto_factory.c          |   281 +-
 src/libstrongswan/crypto/crypto_factory.h          |    35 +
 src/libstrongswan/database/database.h              |    20 +
 src/libstrongswan/fips/Makefile.am                 |    19 +
 src/libstrongswan/fips/Makefile.in                 |   475 +
 src/libstrongswan/fips/fips_signer.c               |    10 +-
 src/libstrongswan/library.c                        |     4 +-
 src/libstrongswan/library.h                        |     7 +-
 src/libstrongswan/plugins/aes/Makefile.in          |     2 +
 src/libstrongswan/plugins/agent/Makefile.am        |    12 +
 src/libstrongswan/plugins/agent/Makefile.in        |   499 +
 src/libstrongswan/plugins/agent/agent_plugin.c     |    59 +
 src/libstrongswan/plugins/agent/agent_plugin.h     |    47 +
 .../plugins/agent/agent_private_key.c              |   590 +
 .../plugins/agent/agent_private_key.h              |    48 +
 src/libstrongswan/plugins/curl/Makefile.in         |     2 +
 src/libstrongswan/plugins/des/Makefile.in          |     2 +
 src/libstrongswan/plugins/des/des_plugin.c         |     6 +-
 src/libstrongswan/plugins/fips_prf/Makefile.in     |     2 +
 src/libstrongswan/plugins/gmp/Makefile.in          |     2 +
 src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c |    26 +-
 src/libstrongswan/plugins/gmp/gmp_plugin.c         |    12 +-
 .../plugins/gmp/gmp_rsa_private_key.c              |    55 +-
 src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c |    47 +-
 src/libstrongswan/plugins/hmac/Makefile.in         |     2 +
 src/libstrongswan/plugins/hmac/hmac_plugin.c       |    10 +-
 src/libstrongswan/plugins/ldap/Makefile.in         |     2 +
 src/libstrongswan/plugins/md5/Makefile.in          |     2 +
 src/libstrongswan/plugins/mysql/Makefile.in        |     2 +
 src/libstrongswan/plugins/mysql/mysql_database.c   |    11 +-
 src/libstrongswan/plugins/openssl/Makefile.in      |     2 +
 .../plugins/openssl/openssl_ec_private_key.c       |    39 +-
 .../plugins/openssl/openssl_ec_public_key.c        |    37 +-
 src/libstrongswan/plugins/openssl/openssl_plugin.c |    42 +-
 .../plugins/openssl/openssl_rsa_private_key.c      |    51 +-
 .../plugins/openssl/openssl_rsa_public_key.c       |    37 +-
 src/libstrongswan/plugins/padlock/Makefile.in      |     2 +
 src/libstrongswan/plugins/plugin_loader.c          |    37 +-
 src/libstrongswan/plugins/pubkey/Makefile.in       |     2 +
 src/libstrongswan/plugins/pubkey/pubkey_cert.c     |    56 +-
 .../plugins/pubkey/pubkey_public_key.c             |    75 +-
 src/libstrongswan/plugins/random/Makefile.in       |     2 +
 src/libstrongswan/plugins/random/random_rng.c      |     3 +-
 src/libstrongswan/plugins/sha1/Makefile.am         |     3 +-
 src/libstrongswan/plugins/sha1/Makefile.in         |    10 +-
 src/libstrongswan/plugins/sha1/sha1_hasher.c       |   115 +-
 src/libstrongswan/plugins/sha1/sha1_hasher.h       |    21 -
 src/libstrongswan/plugins/sha1/sha1_plugin.c       |     7 +-
 src/libstrongswan/plugins/sha1/sha1_prf.c          |   152 +
 src/libstrongswan/plugins/sha1/sha1_prf.h          |    47 +
 src/libstrongswan/plugins/sha2/Makefile.in         |     2 +
 src/libstrongswan/plugins/sqlite/Makefile.in       |     2 +
 src/libstrongswan/plugins/sqlite/sqlite_database.c |    43 +-
 src/libstrongswan/plugins/x509/Makefile.in         |     2 +
 src/libstrongswan/plugins/x509/x509_ac.c           |    27 +-
 src/libstrongswan/plugins/x509/x509_cert.c         |    15 +-
 src/libstrongswan/plugins/x509/x509_crl.c          |    47 +-
 src/libstrongswan/plugins/x509/x509_ocsp_request.c |    33 +-
 .../plugins/x509/x509_ocsp_response.c              |    42 +-
 src/libstrongswan/plugins/xcbc/Makefile.in         |     2 +
 src/libstrongswan/settings.c                       |    43 +-
 src/libstrongswan/settings.h                       |    11 +-
 src/libstrongswan/utils.c                          |    53 +-
 src/libstrongswan/utils.h                          |    25 +-
 src/libstrongswan/utils/enumerator.c               |   141 +-
 src/libstrongswan/utils/enumerator.h               |    15 +-
 src/libstrongswan/utils/identification.c           |     6 +-
 src/libstrongswan/utils/identification.h           |    18 +-
 src/libstrongswan/utils/leak_detective.c           |     5 +-
 src/manager/Makefile.in                            |     2 +
 src/manager/main.c                                 |     4 +-
 src/medsrv/Makefile.in                             |     2 +
 src/medsrv/main.c                                  |     2 +-
 src/openac/Makefile.in                             |     2 +
 src/openac/openac.c                                |    14 +-
 src/pluto/Makefile.am                              |     4 +
 src/pluto/Makefile.in                              |     7 +-
 src/pluto/log.c                                    |     6 +-
 src/pluto/plutomain.c                              |    38 +-
 src/pluto/vendor.c                                 |     8 +-
 src/pluto/vendor.h                                 |     6 +-
 src/scepclient/Makefile.in                         |     2 +
 src/starter/Makefile.in                            |     2 +
 src/starter/args.c                                 |     3 +-
 src/starter/confread.c                             |     9 +-
 src/starter/confread.h                             |     3 +-
 src/starter/invokecharon.c                         |    52 +-
 src/starter/ipsec.conf.5                           |    18 +-
 src/starter/keywords.c                             |   206 +-
 src/starter/keywords.h                             |     3 +-
 src/starter/keywords.txt                           |     3 +-
 src/starter/starter.c                              |     9 +-
 src/starter/starterstroke.c                        |     3 +-
 src/stroke/Makefile.in                             |     2 +
 src/stroke/stroke.c                                |    29 +-
 src/stroke/stroke_keywords.c                       |    75 +-
 src/stroke/stroke_keywords.h                       |     7 +-
 src/stroke/stroke_keywords.txt                     |     5 +-
 src/stroke/stroke_msg.h                            |    35 +-
 src/whack/Makefile.in                              |     2 +
 testing/INSTALL                                    |    15 +-
 testing/Makefile.in                                |     2 +
 testing/hosts/default/etc/ipsec.d/tables.sql       |    37 +-
 testing/images/a-m-c-w-d-s.png                     |   Bin 0 -> 26453 bytes
 testing/images/a-m-w-s-b-ip4-in-ip6.png            |   Bin 0 -> 23014 bytes
 testing/images/a-m-w-s-b-ip6-in-ip4.png            |   Bin 0 -> 23431 bytes
 testing/scripts/build-umlrootfs                    |    15 +-
 testing/scripts/gstart-umls                        |     3 +-
 testing/scripts/kstart-umls                        |     3 +-
 testing/scripts/start-umls                         |     3 +-
 testing/scripts/xstart-umls                        |     3 +-
 testing/testing.conf                               |    13 +-
 .../ike/rw-cert/hosts/dave/etc/strongswan.conf     |     2 +-
 .../ike/rw-cert/hosts/moon/etc/strongswan.conf     |     2 +-
 .../rw_v1-net_v2/hosts/moon/etc/strongswan.conf    |     2 +-
 .../ike/rw_v1-net_v2/hosts/sun/etc/strongswan.conf |     2 +-
 .../alg-aes-xcbc/hosts/carol/etc/strongswan.conf   |     2 +-
 .../alg-aes-xcbc/hosts/moon/etc/strongswan.conf    |     2 +-
 testing/tests/ikev2/any-interface/description.txt  |     8 +
 testing/tests/ikev2/any-interface/evaltest.dat     |    14 +
 .../ikev2/any-interface/hosts/alice/etc/ipsec.conf |    24 +
 .../any-interface/hosts/alice/etc/strongswan.conf  |     5 +
 .../ikev2/any-interface/hosts/bob/etc/ipsec.conf   |    25 +
 .../any-interface/hosts/bob/etc/strongswan.conf    |     5 +
 .../ikev2/any-interface/hosts/moon/etc/ipsec.conf  |    30 +
 .../any-interface/hosts/moon/etc/strongswan.conf   |     5 +
 .../ikev2/any-interface/hosts/sun/etc/ipsec.conf   |    24 +
 .../any-interface/hosts/sun/etc/strongswan.conf    |     5 +
 testing/tests/ikev2/any-interface/posttest.dat     |     6 +
 testing/tests/ikev2/any-interface/pretest.dat      |    12 +
 testing/tests/ikev2/any-interface/test.conf        |    21 +
 .../ikev2/compress/hosts/carol/etc/strongswan.conf |     2 +-
 .../ikev2/compress/hosts/moon/etc/strongswan.conf  |     2 +-
 .../hosts/carol/etc/strongswan.conf                |     2 +-
 .../hosts/dave/etc/strongswan.conf                 |     2 +-
 .../hosts/moon/etc/strongswan.conf                 |     2 +-
 .../config-payload/hosts/carol/etc/strongswan.conf |     2 +-
 .../config-payload/hosts/dave/etc/strongswan.conf  |     2 +-
 .../config-payload/hosts/moon/etc/strongswan.conf  |     2 +-
 .../crl-from-cache/hosts/carol/etc/strongswan.conf |     2 +-
 .../crl-from-cache/hosts/moon/etc/strongswan.conf  |     2 +-
 .../ikev2/crl-ldap/hosts/carol/etc/strongswan.conf |     2 +-
 .../ikev2/crl-ldap/hosts/moon/etc/strongswan.conf  |     2 +-
 .../crl-revoked/hosts/carol/etc/strongswan.conf    |     2 +-
 .../crl-revoked/hosts/moon/etc/strongswan.conf     |     2 +-
 .../crl-to-cache/hosts/carol/etc/strongswan.conf   |     2 +-
 .../crl-to-cache/hosts/moon/etc/strongswan.conf    |     2 +-
 .../default-keys/hosts/carol/etc/strongswan.conf   |     2 +-
 .../default-keys/hosts/moon/etc/strongswan.conf    |     2 +-
 .../double-nat-net/hosts/alice/etc/strongswan.conf |     2 +-
 .../double-nat-net/hosts/bob/etc/strongswan.conf   |     2 +-
 .../double-nat/hosts/alice/etc/strongswan.conf     |     2 +-
 .../ikev2/double-nat/hosts/bob/etc/strongswan.conf |     2 +-
 .../dpd-clear/hosts/carol/etc/strongswan.conf      |     2 +-
 .../ikev2/dpd-clear/hosts/moon/etc/strongswan.conf |     2 +-
 .../ikev2/dpd-hold/hosts/carol/etc/strongswan.conf |     2 +-
 .../ikev2/dpd-hold/hosts/moon/etc/strongswan.conf  |     2 +-
 .../dpd-restart/hosts/carol/etc/strongswan.conf    |     2 +-
 .../dpd-restart/hosts/moon/etc/strongswan.conf     |     2 +-
 .../hosts/carol/etc/strongswan.conf                |     2 +-
 .../esp-alg-aes-ccm/hosts/moon/etc/strongswan.conf |     2 +-
 .../hosts/carol/etc/strongswan.conf                |     2 +-
 .../esp-alg-aes-gcm/hosts/moon/etc/strongswan.conf |     2 +-
 .../hosts/alice/etc/strongswan.conf                |     2 +-
 .../force-udp-encaps/hosts/sun/etc/strongswan.conf |     2 +-
 .../host2host-cert/hosts/moon/etc/strongswan.conf  |     2 +-
 .../host2host-cert/hosts/sun/etc/strongswan.conf   |     2 +-
 .../hosts/moon/etc/strongswan.conf                 |     2 +-
 .../hosts/sun/etc/strongswan.conf                  |     2 +-
 .../hosts/moon/etc/strongswan.conf                 |     2 +-
 .../hosts/sun/etc/strongswan.conf                  |     2 +-
 testing/tests/ikev2/ip-pool-db/evaltest.dat        |     2 +-
 .../ip-pool-db/hosts/carol/etc/strongswan.conf     |     2 +-
 .../ip-pool-db/hosts/dave/etc/strongswan.conf      |     2 +-
 .../ip-pool-db/hosts/moon/etc/strongswan.conf      |     2 +-
 .../ip-pool-wish/hosts/carol/etc/strongswan.conf   |     2 +-
 .../ip-pool-wish/hosts/dave/etc/strongswan.conf    |     2 +-
 .../ip-pool-wish/hosts/moon/etc/strongswan.conf    |     2 +-
 .../ikev2/ip-pool/hosts/carol/etc/strongswan.conf  |     2 +-
 .../ikev2/ip-pool/hosts/dave/etc/strongswan.conf   |     2 +-
 .../ikev2/ip-pool/hosts/moon/etc/strongswan.conf   |     2 +-
 .../tests/ikev2/ip-two-pools-db/description.txt    |    14 +
 testing/tests/ikev2/ip-two-pools-db/evaltest.dat   |    31 +
 .../hosts/alice/etc/init.d/iptables                |    78 +
 .../ip-two-pools-db/hosts/alice/etc/ipsec.conf     |    24 +
 .../hosts/alice/etc/strongswan.conf                |     5 +
 .../ip-two-pools-db/hosts/carol/etc/ipsec.conf     |    24 +
 .../hosts/carol/etc/strongswan.conf                |     5 +
 .../ip-two-pools-db/hosts/dave/etc/ipsec.conf      |    24 +
 .../ip-two-pools-db/hosts/dave/etc/strongswan.conf |     5 +
 .../ip-two-pools-db/hosts/moon/etc/init.d/iptables |    91 +
 .../ip-two-pools-db/hosts/moon/etc/ipsec.conf      |    29 +
 .../ip-two-pools-db/hosts/moon/etc/strongswan.conf |    10 +
 .../hosts/venus/etc/init.d/iptables                |    78 +
 .../ip-two-pools-db/hosts/venus/etc/ipsec.conf     |    24 +
 .../hosts/venus/etc/strongswan.conf                |     5 +
 testing/tests/ikev2/ip-two-pools-db/posttest.dat   |    16 +
 testing/tests/ikev2/ip-two-pools-db/pretest.dat    |    22 +
 testing/tests/ikev2/ip-two-pools-db/test.conf      |    21 +
 testing/tests/ikev2/ip-two-pools/description.txt   |     9 +
 testing/tests/ikev2/ip-two-pools/evaltest.dat      |    14 +
 .../ip-two-pools/hosts/alice/etc/init.d/iptables   |    78 +
 .../ikev2/ip-two-pools/hosts/alice/etc/ipsec.conf  |    23 +
 .../ip-two-pools/hosts/alice/etc/strongswan.conf   |     5 +
 .../ikev2/ip-two-pools/hosts/carol/etc/ipsec.conf  |    23 +
 .../ip-two-pools/hosts/carol/etc/strongswan.conf   |     5 +
 .../ip-two-pools/hosts/moon/etc/init.d/iptables    |    91 +
 .../ikev2/ip-two-pools/hosts/moon/etc/ipsec.conf   |    27 +
 .../ip-two-pools/hosts/moon/etc/strongswan.conf    |     5 +
 testing/tests/ikev2/ip-two-pools/posttest.dat      |     8 +
 testing/tests/ikev2/ip-two-pools/pretest.dat       |    10 +
 testing/tests/ikev2/ip-two-pools/test.conf         |    21 +
 .../mobike-nat/hosts/alice/etc/strongswan.conf     |     2 +-
 .../ikev2/mobike-nat/hosts/sun/etc/strongswan.conf |     2 +-
 .../hosts/alice/etc/strongswan.conf                |     2 +-
 .../hosts/sun/etc/strongswan.conf                  |     2 +-
 .../ikev2/mobike/hosts/alice/etc/strongswan.conf   |     2 +-
 .../ikev2/mobike/hosts/sun/etc/strongswan.conf     |     2 +-
 .../ikev2/multi-level-ca-cr-init/description.txt   |     8 +
 .../ikev2/multi-level-ca-cr-init/evaltest.dat      |    12 +
 .../hosts/carol/etc/ipsec.conf                     |    24 +
 .../carol/etc/ipsec.d/cacerts/researchCert.pem     |    23 +
 .../hosts/carol/etc/ipsec.d/certs/carolCert.pem    |    25 +
 .../hosts/carol/etc/ipsec.d/private/carolKey.pem   |    27 +
 .../hosts/carol/etc/ipsec.secrets                  |     3 +
 .../hosts/carol/etc/strongswan.conf                |     5 +
 .../hosts/dave/etc/ipsec.conf                      |    24 +
 .../hosts/dave/etc/ipsec.d/cacerts/salesCert.pem   |    22 +
 .../hosts/dave/etc/ipsec.d/certs/daveCert.pem      |    24 +
 .../hosts/dave/etc/ipsec.d/private/daveKey.pem     |    27 +
 .../hosts/dave/etc/strongswan.conf                 |     5 +
 .../hosts/moon/etc/ipsec.conf                      |    36 +
 .../hosts/moon/etc/strongswan.conf                 |     5 +
 .../ikev2/multi-level-ca-cr-init/posttest.dat      |     5 +
 .../tests/ikev2/multi-level-ca-cr-init/pretest.dat |     7 +
 .../tests/ikev2/multi-level-ca-cr-init/test.conf   |    21 +
 .../ikev2/multi-level-ca-cr-resp/description.txt   |     8 +
 .../ikev2/multi-level-ca-cr-resp/evaltest.dat      |    12 +
 .../hosts/carol/etc/ipsec.conf                     |    23 +
 .../carol/etc/ipsec.d/cacerts/researchCert.pem     |    23 +
 .../hosts/carol/etc/ipsec.d/certs/carolCert.pem    |    25 +
 .../hosts/carol/etc/ipsec.d/private/carolKey.pem   |    27 +
 .../hosts/carol/etc/ipsec.secrets                  |     3 +
 .../hosts/carol/etc/strongswan.conf                |     5 +
 .../hosts/dave/etc/ipsec.conf                      |    23 +
 .../hosts/dave/etc/ipsec.d/cacerts/salesCert.pem   |    22 +
 .../hosts/dave/etc/ipsec.d/certs/daveCert.pem      |    24 +
 .../hosts/dave/etc/ipsec.d/private/daveKey.pem     |    27 +
 .../hosts/dave/etc/strongswan.conf                 |     5 +
 .../hosts/moon/etc/ipsec.conf                      |    34 +
 .../hosts/moon/etc/strongswan.conf                 |     5 +
 .../ikev2/multi-level-ca-cr-resp/posttest.dat      |     5 +
 .../tests/ikev2/multi-level-ca-cr-resp/pretest.dat |     7 +
 .../tests/ikev2/multi-level-ca-cr-resp/test.conf   |    21 +
 .../hosts/carol/etc/strongswan.conf                |     2 +-
 .../hosts/dave/etc/strongswan.conf                 |     2 +-
 .../hosts/moon/etc/strongswan.conf                 |     2 +-
 .../hosts/carol/etc/strongswan.conf                |     2 +-
 .../hosts/moon/etc/strongswan.conf                 |     2 +-
 .../hosts/carol/etc/strongswan.conf                |     2 +-
 .../hosts/moon/etc/strongswan.conf                 |     2 +-
 .../hosts/carol/etc/strongswan.conf                |     2 +-
 .../hosts/dave/etc/strongswan.conf                 |     2 +-
 .../hosts/moon/etc/strongswan.conf                 |     2 +-
 .../multi-level-ca/hosts/carol/etc/strongswan.conf |     2 +-
 .../multi-level-ca/hosts/dave/etc/strongswan.conf  |     2 +-
 .../multi-level-ca/hosts/moon/etc/strongswan.conf  |     2 +-
 .../nat-one-rw/hosts/alice/etc/strongswan.conf     |     3 +-
 .../ikev2/nat-one-rw/hosts/sun/etc/strongswan.conf |     2 +-
 .../nat-two-rw-psk/hosts/alice/etc/strongswan.conf |     2 +-
 .../nat-two-rw-psk/hosts/sun/etc/strongswan.conf   |     2 +-
 .../nat-two-rw-psk/hosts/venus/etc/strongswan.conf |     2 +-
 .../nat-two-rw/hosts/alice/etc/strongswan.conf     |     2 +-
 .../ikev2/nat-two-rw/hosts/sun/etc/strongswan.conf |     2 +-
 .../nat-two-rw/hosts/venus/etc/strongswan.conf     |     2 +-
 .../net2net-cert/hosts/moon/etc/strongswan.conf    |     2 +-
 .../net2net-cert/hosts/sun/etc/strongswan.conf     |     2 +-
 .../net2net-psk/hosts/moon/etc/strongswan.conf     |     2 +-
 .../net2net-psk/hosts/sun/etc/strongswan.conf      |     2 +-
 .../net2net-route/hosts/moon/etc/strongswan.conf   |     2 +-
 .../net2net-route/hosts/sun/etc/strongswan.conf    |     2 +-
 .../net2net-start/hosts/moon/etc/strongswan.conf   |     2 +-
 .../net2net-start/hosts/sun/etc/strongswan.conf    |     2 +-
 .../hosts/carol/etc/strongswan.conf                |     2 +-
 .../ocsp-local-cert/hosts/moon/etc/strongswan.conf |     2 +-
 .../hosts/carol/etc/strongswan.conf                |     2 +-
 .../hosts/dave/etc/strongswan.conf                 |     2 +-
 .../hosts/moon/etc/strongswan.conf                 |     2 +-
 .../hosts/carol/etc/strongswan.conf                |     2 +-
 .../hosts/moon/etc/strongswan.conf                 |     2 +-
 .../ocsp-revoked/hosts/carol/etc/strongswan.conf   |     2 +-
 .../ocsp-revoked/hosts/moon/etc/strongswan.conf    |     2 +-
 .../ocsp-root-cert/hosts/carol/etc/strongswan.conf |     2 +-
 .../ocsp-root-cert/hosts/moon/etc/strongswan.conf  |     2 +-
 .../hosts/carol/etc/strongswan.conf                |     2 +-
 .../hosts/moon/etc/strongswan.conf                 |     2 +-
 .../hosts/carol/etc/strongswan.conf                |     2 +-
 .../hosts/dave/etc/strongswan.conf                 |     2 +-
 .../hosts/moon/etc/strongswan.conf                 |     2 +-
 .../hosts/carol/etc/strongswan.conf                |     2 +-
 .../hosts/moon/etc/strongswan.conf                 |     2 +-
 .../hosts/carol/etc/strongswan.conf                |     2 +-
 .../hosts/moon/etc/strongswan.conf                 |     2 +-
 .../hosts/carol/etc/strongswan.conf                |     2 +-
 .../hosts/moon/etc/strongswan.conf                 |     2 +-
 .../protoport-dual/hosts/carol/etc/strongswan.conf |     2 +-
 .../protoport-dual/hosts/moon/etc/strongswan.conf  |     2 +-
 .../hosts/carol/etc/strongswan.conf                |     2 +-
 .../protoport-route/hosts/moon/etc/strongswan.conf |     2 +-
 .../reauth-early/hosts/carol/etc/strongswan.conf   |     2 +-
 .../reauth-early/hosts/moon/etc/strongswan.conf    |     2 +-
 .../reauth-late/hosts/carol/etc/strongswan.conf    |     2 +-
 .../reauth-late/hosts/moon/etc/strongswan.conf     |     2 +-
 .../ikev2/rw-cert/hosts/carol/etc/strongswan.conf  |     2 +-
 .../ikev2/rw-cert/hosts/dave/etc/strongswan.conf   |     2 +-
 .../ikev2/rw-cert/hosts/moon/etc/strongswan.conf   |     2 +-
 .../ikev2/rw-eap-aka-identity/description.txt      |     8 +
 .../tests/ikev2/rw-eap-aka-identity/evaltest.dat   |    11 +
 .../rw-eap-aka-identity/hosts/carol/etc/ipsec.conf |    23 +
 .../hosts/carol/etc/ipsec.secrets                  |     3 +
 .../hosts/carol/etc/strongswan.conf                |     5 +
 .../rw-eap-aka-identity/hosts/moon/etc/ipsec.conf  |    26 +
 .../hosts/moon/etc/ipsec.secrets                   |     5 +
 .../hosts/moon/etc/strongswan.conf                 |     5 +
 .../tests/ikev2/rw-eap-aka-identity/posttest.dat   |     4 +
 .../tests/ikev2/rw-eap-aka-identity/pretest.dat    |     7 +
 testing/tests/ikev2/rw-eap-aka-identity/test.conf  |    21 +
 .../rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf |     2 +-
 .../rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf  |     2 +-
 .../rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf |     2 +-
 .../rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf  |     2 +-
 .../rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf |     2 +-
 .../rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf  |     2 +-
 .../hosts/carol/etc/strongswan.conf                |     2 +-
 .../rw-hash-and-url/hosts/dave/etc/strongswan.conf |     2 +-
 .../rw-hash-and-url/hosts/moon/etc/strongswan.conf |     2 +-
 .../rw-psk-fqdn/hosts/carol/etc/strongswan.conf    |     2 +-
 .../rw-psk-fqdn/hosts/dave/etc/strongswan.conf     |     2 +-
 .../rw-psk-fqdn/hosts/moon/etc/strongswan.conf     |     2 +-
 .../rw-psk-ipv4/hosts/carol/etc/strongswan.conf    |     2 +-
 .../rw-psk-ipv4/hosts/dave/etc/strongswan.conf     |     2 +-
 .../rw-psk-ipv4/hosts/moon/etc/strongswan.conf     |     2 +-
 .../rw-psk-no-idr/hosts/carol/etc/strongswan.conf  |     2 +-
 .../rw-psk-no-idr/hosts/dave/etc/strongswan.conf   |     2 +-
 .../rw-psk-no-idr/hosts/moon/etc/strongswan.conf   |     2 +-
 .../hosts/carol/etc/strongswan.conf                |     2 +-
 .../hosts/dave/etc/strongswan.conf                 |     2 +-
 .../hosts/moon/etc/strongswan.conf                 |     2 +-
 .../hosts/carol/etc/strongswan.conf                |     2 +-
 .../hosts/dave/etc/strongswan.conf                 |     2 +-
 .../hosts/moon/etc/strongswan.conf                 |     2 +-
 .../hosts/carol/etc/strongswan.conf                |     2 +-
 .../hosts/dave/etc/strongswan.conf                 |     2 +-
 .../hosts/moon/etc/strongswan.conf                 |     2 +-
 .../two-certs/hosts/carol/etc/strongswan.conf      |     2 +-
 .../ikev2/two-certs/hosts/dave/etc/strongswan.conf |     2 +-
 .../ikev2/two-certs/hosts/moon/etc/strongswan.conf |     2 +-
 .../hosts/carol/etc/strongswan.conf                |     2 +-
 .../hosts/dave/etc/strongswan.conf                 |     2 +-
 .../hosts/moon/etc/strongswan.conf                 |     2 +-
 .../virtual-ip/hosts/carol/etc/strongswan.conf     |     2 +-
 .../virtual-ip/hosts/dave/etc/strongswan.conf      |     2 +-
 .../virtual-ip/hosts/moon/etc/strongswan.conf      |     2 +-
 .../wildcards/hosts/carol/etc/strongswan.conf      |     2 +-
 .../ikev2/wildcards/hosts/dave/etc/strongswan.conf |     2 +-
 .../ikev2/wildcards/hosts/moon/etc/strongswan.conf |     2 +-
 .../host2host-ikev2/hosts/moon/etc/strongswan.conf |     2 +-
 .../host2host-ikev2/hosts/sun/etc/strongswan.conf  |     2 +-
 .../net2net-ikev2/hosts/moon/etc/strongswan.conf   |     2 +-
 .../net2net-ikev2/hosts/sun/etc/strongswan.conf    |     2 +-
 .../ipv6/net2net-ip4-in-ip6-ikev2/description.txt  |     4 +
 .../ipv6/net2net-ip4-in-ip6-ikev2/evaltest.dat     |     5 +
 .../hosts/moon/etc/init.d/iptables                 |   107 +
 .../hosts/moon/etc/ipsec.conf                      |    27 +
 .../hosts/moon/etc/strongswan.conf                 |     5 +
 .../hosts/sun/etc/init.d/iptables                  |   107 +
 .../hosts/sun/etc/ipsec.conf                       |    27 +
 .../hosts/sun/etc/strongswan.conf                  |     5 +
 .../ipv6/net2net-ip4-in-ip6-ikev2/posttest.dat     |     2 +
 .../ipv6/net2net-ip4-in-ip6-ikev2/pretest.dat      |     6 +
 .../tests/ipv6/net2net-ip4-in-ip6-ikev2/test.conf  |    21 +
 .../ipv6/net2net-ip6-in-ip4-ikev2/description.txt  |     6 +
 .../ipv6/net2net-ip6-in-ip4-ikev2/evaltest.dat     |     5 +
 .../hosts/moon/etc/init.d/iptables                 |   107 +
 .../hosts/moon/etc/ipsec.conf                      |    24 +
 .../hosts/moon/etc/strongswan.conf                 |     6 +
 .../hosts/sun/etc/init.d/iptables                  |   107 +
 .../hosts/sun/etc/ipsec.conf                       |    24 +
 .../hosts/sun/etc/strongswan.conf                  |     6 +
 .../ipv6/net2net-ip6-in-ip4-ikev2/posttest.dat     |     6 +
 .../ipv6/net2net-ip6-in-ip4-ikev2/pretest.dat      |    10 +
 .../tests/ipv6/net2net-ip6-in-ip4-ikev2/test.conf  |    21 +
 .../tests/ipv6/net2net-ipv4-ikev2/description.txt  |     4 -
 testing/tests/ipv6/net2net-ipv4-ikev2/evaltest.dat |     5 -
 .../hosts/moon/etc/init.d/iptables                 |   107 -
 .../net2net-ipv4-ikev2/hosts/moon/etc/ipsec.conf   |    27 -
 .../hosts/moon/etc/strongswan.conf                 |     5 -
 .../hosts/sun/etc/init.d/iptables                  |   107 -
 .../net2net-ipv4-ikev2/hosts/sun/etc/ipsec.conf    |    27 -
 .../hosts/sun/etc/strongswan.conf                  |     5 -
 testing/tests/ipv6/net2net-ipv4-ikev2/posttest.dat |     2 -
 testing/tests/ipv6/net2net-ipv4-ikev2/pretest.dat  |     6 -
 testing/tests/ipv6/net2net-ipv4-ikev2/test.conf    |    21 -
 .../ipv6/rw-ikev2/hosts/carol/etc/strongswan.conf  |     2 +-
 .../ipv6/rw-ikev2/hosts/dave/etc/strongswan.conf   |     2 +-
 .../ipv6/rw-ikev2/hosts/moon/etc/strongswan.conf   |     2 +-
 .../rw-psk-ikev2/hosts/carol/etc/strongswan.conf   |     2 +-
 .../rw-psk-ikev2/hosts/dave/etc/strongswan.conf    |     2 +-
 .../rw-psk-ikev2/hosts/moon/etc/strongswan.conf    |     2 +-
 .../transport-ikev2/hosts/moon/etc/strongswan.conf |     2 +-
 .../transport-ikev2/hosts/sun/etc/strongswan.conf  |     2 +-
 .../ecdsa-certs/hosts/carol/etc/strongswan.conf    |     2 +-
 .../ecdsa-certs/hosts/dave/etc/strongswan.conf     |     2 +-
 .../ecdsa-certs/hosts/moon/etc/strongswan.conf     |     2 +-
 .../tests/openssl/ike-alg-ecp-high/description.txt |     2 +-
 .../hosts/carol/etc/strongswan.conf                |     2 +-
 .../hosts/dave/etc/strongswan.conf                 |     2 +-
 .../hosts/moon/etc/strongswan.conf                 |     2 +-
 .../hosts/carol/etc/strongswan.conf                |     2 +-
 .../ike-alg-ecp-low/hosts/dave/etc/strongswan.conf |     2 +-
 .../ike-alg-ecp-low/hosts/moon/etc/strongswan.conf |     2 +-
 .../rw-cert/hosts/carol/etc/strongswan.conf        |     2 +-
 .../openssl/rw-cert/hosts/dave/etc/strongswan.conf |     2 +-
 .../openssl/rw-cert/hosts/moon/etc/strongswan.conf |     2 +-
 .../hosts/alice/etc/strongswan.conf                |     2 +-
 .../hosts/carol/etc/strongswan.conf                |     2 +-
 .../hosts/venus/etc/strongswan.conf                |     2 +-
 .../medsrv-psk/hosts/alice/etc/strongswan.conf     |     2 +-
 .../medsrv-psk/hosts/bob/etc/strongswan.conf       |     2 +-
 .../medsrv-psk/hosts/carol/etc/strongswan.conf     |     2 +-
 testing/tests/sql/ip-pool-db-expired/evaltest.dat  |     4 +-
 .../hosts/carol/etc/strongswan.conf                |     2 +-
 .../hosts/dave/etc/strongswan.conf                 |     2 +-
 .../hosts/moon/etc/ipsec.d/data.sql                |    52 +-
 .../hosts/moon/etc/strongswan.conf                 |     2 +-
 testing/tests/sql/ip-pool-db-restart/evaltest.dat  |     4 +-
 .../hosts/carol/etc/strongswan.conf                |     2 +-
 .../hosts/dave/etc/strongswan.conf                 |     2 +-
 .../hosts/moon/etc/ipsec.d/data.sql                |    44 +-
 .../hosts/moon/etc/strongswan.conf                 |     2 +-
 testing/tests/sql/ip-pool-db/evaltest.dat          |     4 +-
 .../sql/ip-pool-db/hosts/carol/etc/strongswan.conf |     2 +-
 .../sql/ip-pool-db/hosts/dave/etc/strongswan.conf  |     2 +-
 .../sql/ip-pool-db/hosts/moon/etc/ipsec.d/data.sql |    40 +-
 .../sql/ip-pool-db/hosts/moon/etc/strongswan.conf  |     2 +-
 .../net2net-cert/hosts/moon/etc/strongswan.conf    |     2 +-
 .../sql/net2net-cert/hosts/sun/etc/strongswan.conf |     2 +-
 .../sql/net2net-psk/hosts/moon/etc/strongswan.conf |     2 +-
 .../sql/net2net-psk/hosts/sun/etc/strongswan.conf  |     2 +-
 .../sql/rw-cert/hosts/carol/etc/strongswan.conf    |     2 +-
 .../sql/rw-cert/hosts/dave/etc/strongswan.conf     |     2 +-
 .../sql/rw-cert/hosts/moon/etc/strongswan.conf     |     2 +-
 testing/tests/sql/rw-eap-aka-rsa/description.txt   |     7 +
 testing/tests/sql/rw-eap-aka-rsa/evaltest.dat      |    10 +
 .../sql/rw-eap-aka-rsa/hosts/carol/etc/ipsec.conf  |     8 +
 .../hosts/carol/etc/ipsec.d/data.sql               |   128 +
 .../rw-eap-aka-rsa/hosts/carol/etc/ipsec.secrets   |     3 +
 .../rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf |    10 +
 .../sql/rw-eap-aka-rsa/hosts/moon/etc/ipsec.conf   |     8 +
 .../rw-eap-aka-rsa/hosts/moon/etc/ipsec.d/data.sql |   172 +
 .../rw-eap-aka-rsa/hosts/moon/etc/ipsec.secrets    |     3 +
 .../rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf  |    10 +
 testing/tests/sql/rw-eap-aka-rsa/posttest.dat      |     7 +
 testing/tests/sql/rw-eap-aka-rsa/pretest.dat       |    12 +
 testing/tests/sql/rw-eap-aka-rsa/test.conf         |    21 +
 .../rw-psk-ipv4/hosts/carol/etc/strongswan.conf    |     2 +-
 .../sql/rw-psk-ipv4/hosts/dave/etc/strongswan.conf |     2 +-
 .../sql/rw-psk-ipv4/hosts/moon/etc/strongswan.conf |     2 +-
 .../rw-psk-ipv6/hosts/carol/etc/strongswan.conf    |     2 +-
 .../sql/rw-psk-ipv6/hosts/dave/etc/strongswan.conf |     2 +-
 .../sql/rw-psk-ipv6/hosts/moon/etc/strongswan.conf |     2 +-
 .../hosts/carol/etc/strongswan.conf                |     2 +-
 .../hosts/dave/etc/strongswan.conf                 |     2 +-
 .../hosts/moon/etc/strongswan.conf                 |     2 +-
 testing/tests/sql/rw-rsa-keyid/description.txt     |     7 +
 testing/tests/sql/rw-rsa-keyid/evaltest.dat        |    11 +
 .../sql/rw-rsa-keyid/hosts/carol/etc/ipsec.conf    |     8 +
 .../rw-rsa-keyid/hosts/carol/etc/ipsec.d/data.sql  |   134 +
 .../sql/rw-rsa-keyid/hosts/carol/etc/ipsec.secrets |     3 +
 .../rw-rsa-keyid/hosts/carol/etc/strongswan.conf   |    10 +
 .../sql/rw-rsa-keyid/hosts/dave/etc/ipsec.conf     |     8 +
 .../rw-rsa-keyid/hosts/dave/etc/ipsec.d/data.sql   |   133 +
 .../sql/rw-rsa-keyid/hosts/dave/etc/ipsec.secrets  |     3 +
 .../rw-rsa-keyid/hosts/dave/etc/strongswan.conf    |    10 +
 .../sql/rw-rsa-keyid/hosts/moon/etc/ipsec.conf     |     8 +
 .../rw-rsa-keyid/hosts/moon/etc/ipsec.d/data.sql   |   170 +
 .../sql/rw-rsa-keyid/hosts/moon/etc/ipsec.secrets  |     3 +
 .../rw-rsa-keyid/hosts/moon/etc/strongswan.conf    |    10 +
 testing/tests/sql/rw-rsa-keyid/posttest.dat        |    10 +
 testing/tests/sql/rw-rsa-keyid/pretest.dat         |    18 +
 testing/tests/sql/rw-rsa-keyid/test.conf           |    21 +
 testing/tests/sql/rw-rsa/description.txt           |     8 +
 testing/tests/sql/rw-rsa/evaltest.dat              |    11 +
 .../tests/sql/rw-rsa/hosts/carol/etc/ipsec.conf    |     8 +
 .../sql/rw-rsa/hosts/carol/etc/ipsec.d/data.sql    |   134 +
 .../tests/sql/rw-rsa/hosts/carol/etc/ipsec.secrets |     3 +
 .../sql/rw-rsa/hosts/carol/etc/strongswan.conf     |    10 +
 testing/tests/sql/rw-rsa/hosts/dave/etc/ipsec.conf |     8 +
 .../sql/rw-rsa/hosts/dave/etc/ipsec.d/data.sql     |   133 +
 .../tests/sql/rw-rsa/hosts/dave/etc/ipsec.secrets  |     3 +
 .../sql/rw-rsa/hosts/dave/etc/strongswan.conf      |    10 +
 testing/tests/sql/rw-rsa/hosts/moon/etc/ipsec.conf |     8 +
 .../sql/rw-rsa/hosts/moon/etc/ipsec.d/data.sql     |   170 +
 .../tests/sql/rw-rsa/hosts/moon/etc/ipsec.secrets  |     3 +
 .../sql/rw-rsa/hosts/moon/etc/strongswan.conf      |    10 +
 testing/tests/sql/rw-rsa/posttest.dat              |    10 +
 testing/tests/sql/rw-rsa/pretest.dat               |    18 +
 testing/tests/sql/rw-rsa/test.conf                 |    21 +
 753 files changed, 77990 insertions(+), 6816 deletions(-)
 create mode 100644 scripts/Makefile.am
 create mode 100644 scripts/Makefile.in
 create mode 100644 scripts/bin2array.c
 create mode 100644 scripts/bin2sql.c
 create mode 100644 scripts/id2sql.c
 create mode 100644 scripts/key2keyid.c
 create mode 100644 scripts/keyid2sql.c
 create mode 100644 scripts/thread_analysis.c
 create mode 100644 src/charon/kernel/kernel_ipsec.c
 create mode 100644 src/charon/kernel/kernel_ipsec.h
 create mode 100644 src/charon/kernel/kernel_net.h
 create mode 100644 src/charon/plugins/eap_gtc/Makefile.am
 create mode 100644 src/charon/plugins/eap_gtc/Makefile.in
 create mode 100644 src/charon/plugins/eap_gtc/eap_gtc.c
 create mode 100644 src/charon/plugins/eap_gtc/eap_gtc.h
 create mode 100644 src/charon/plugins/eap_gtc/eap_gtc_plugin.c
 create mode 100644 src/charon/plugins/eap_gtc/eap_gtc_plugin.h
 delete mode 100644 src/charon/plugins/eap_sim/eap_sim_file.c
 create mode 100644 src/charon/plugins/eap_sim_file/Makefile.am
 create mode 100644 src/charon/plugins/eap_sim_file/Makefile.in
 create mode 100644 src/charon/plugins/eap_sim_file/eap_sim_file_card.c
 create mode 100644 src/charon/plugins/eap_sim_file/eap_sim_file_card.h
 create mode 100644 src/charon/plugins/eap_sim_file/eap_sim_file_plugin.c
 create mode 100644 src/charon/plugins/eap_sim_file/eap_sim_file_plugin.h
 create mode 100644 src/charon/plugins/eap_sim_file/eap_sim_file_provider.c
 create mode 100644 src/charon/plugins/eap_sim_file/eap_sim_file_provider.h
 create mode 100644 src/charon/plugins/eap_sim_file/eap_sim_file_triplets.c
 create mode 100644 src/charon/plugins/eap_sim_file/eap_sim_file_triplets.h
 create mode 100644 src/charon/plugins/kernel_netlink/Makefile.am
 create mode 100644 src/charon/plugins/kernel_netlink/Makefile.in
 create mode 100644 src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c
 create mode 100644 src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.h
 create mode 100644 src/charon/plugins/kernel_netlink/kernel_netlink_net.c
 create mode 100644 src/charon/plugins/kernel_netlink/kernel_netlink_net.h
 create mode 100644 src/charon/plugins/kernel_netlink/kernel_netlink_plugin.c
 create mode 100644 src/charon/plugins/kernel_netlink/kernel_netlink_plugin.h
 create mode 100644 src/charon/plugins/kernel_netlink/kernel_netlink_shared.c
 create mode 100644 src/charon/plugins/kernel_netlink/kernel_netlink_shared.h
 create mode 100644 src/charon/plugins/nm/Makefile.am
 create mode 100644 src/charon/plugins/nm/Makefile.in
 create mode 100644 src/charon/plugins/nm/gnome/Makefile.am
 create mode 100644 src/charon/plugins/nm/gnome/Makefile.in
 create mode 100644 src/charon/plugins/nm/gnome/aclocal.m4
 create mode 100644 src/charon/plugins/nm/gnome/auth-dialog/.deps/nm_strongswan_auth_dialog-main.Po
 create mode 100644 src/charon/plugins/nm/gnome/auth-dialog/Makefile
 create mode 100644 src/charon/plugins/nm/gnome/auth-dialog/Makefile.am
 create mode 100644 src/charon/plugins/nm/gnome/auth-dialog/Makefile.in
 create mode 100644 src/charon/plugins/nm/gnome/auth-dialog/main.c
 create mode 100755 src/charon/plugins/nm/gnome/autogen.sh
 create mode 100755 src/charon/plugins/nm/gnome/compile
 create mode 100755 src/charon/plugins/nm/gnome/config.guess
 create mode 100644 src/charon/plugins/nm/gnome/config.h.in
 create mode 100755 src/charon/plugins/nm/gnome/config.sub
 create mode 100755 src/charon/plugins/nm/gnome/configure
 create mode 100644 src/charon/plugins/nm/gnome/configure.in
 create mode 100755 src/charon/plugins/nm/gnome/depcomp
 create mode 100755 src/charon/plugins/nm/gnome/install-sh
 create mode 100644 src/charon/plugins/nm/gnome/intltool-extract.in
 create mode 100644 src/charon/plugins/nm/gnome/intltool-merge.in
 create mode 100644 src/charon/plugins/nm/gnome/intltool-update.in
 create mode 100644 src/charon/plugins/nm/gnome/ltmain.sh
 create mode 100755 src/charon/plugins/nm/gnome/missing
 create mode 100755 src/charon/plugins/nm/gnome/mkinstalldirs
 create mode 100644 src/charon/plugins/nm/gnome/nm-strongswan-service.conf
 create mode 100644 src/charon/plugins/nm/gnome/nm-strongswan-service.name.in
 create mode 100644 src/charon/plugins/nm/gnome/po/LINGUAS
 create mode 100644 src/charon/plugins/nm/gnome/po/Makefile.in.in
 create mode 100644 src/charon/plugins/nm/gnome/po/POTFILES.in
 create mode 100644 src/charon/plugins/nm/gnome/properties/Makefile.am
 create mode 100644 src/charon/plugins/nm/gnome/properties/Makefile.in
 create mode 100644 src/charon/plugins/nm/gnome/properties/nm-strongswan-dialog.glade
 create mode 100644 src/charon/plugins/nm/gnome/properties/nm-strongswan.c
 create mode 100644 src/charon/plugins/nm/gnome/properties/nm-strongswan.h
 create mode 100644 src/charon/plugins/nm/nm_creds.c
 create mode 100644 src/charon/plugins/nm/nm_creds.h
 create mode 100644 src/charon/plugins/nm/nm_plugin.c
 create mode 100644 src/charon/plugins/nm/nm_plugin.h
 create mode 100644 src/charon/plugins/nm/nm_service.c
 create mode 100644 src/charon/plugins/nm/nm_service.h
 create mode 100644 src/charon/plugins/uci/uci_control.c
 create mode 100644 src/charon/plugins/uci/uci_control.h
 create mode 100644 src/charon/plugins/unit_tester/tests.h
 create mode 100644 src/charon/plugins/unit_tester/tests/test_agent.c
 create mode 100644 src/charon/plugins/unit_tester/tests/test_pool.c
 create mode 100644 src/charon/processing/jobs/update_sa_job.c
 create mode 100644 src/charon/processing/jobs/update_sa_job.h
 create mode 100644 src/charon/sa/authenticators/eap/sim_manager.c
 create mode 100644 src/charon/sa/authenticators/eap/sim_manager.h
 create mode 100644 src/dumm/ext/README
 create mode 100644 src/dumm/ext/dumm.c
 create mode 100644 src/dumm/ext/extconf.rb
 create mode 100644 src/dumm/ext/lib/dumm.rb
 create mode 100644 src/dumm/ext/lib/dumm/guest.rb
 create mode 100644 src/dumm/irdumm.c
 delete mode 100644 src/dumm/testing.c
 create mode 100644 src/libstrongswan/fips/Makefile.am
 create mode 100644 src/libstrongswan/fips/Makefile.in
 create mode 100644 src/libstrongswan/plugins/agent/Makefile.am
 create mode 100644 src/libstrongswan/plugins/agent/Makefile.in
 create mode 100644 src/libstrongswan/plugins/agent/agent_plugin.c
 create mode 100644 src/libstrongswan/plugins/agent/agent_plugin.h
 create mode 100644 src/libstrongswan/plugins/agent/agent_private_key.c
 create mode 100644 src/libstrongswan/plugins/agent/agent_private_key.h
 create mode 100644 src/libstrongswan/plugins/sha1/sha1_prf.c
 create mode 100644 src/libstrongswan/plugins/sha1/sha1_prf.h
 create mode 100644 testing/images/a-m-c-w-d-s.png
 create mode 100644 testing/images/a-m-w-s-b-ip4-in-ip6.png
 create mode 100644 testing/images/a-m-w-s-b-ip6-in-ip4.png
 create mode 100644 testing/tests/ikev2/any-interface/description.txt
 create mode 100644 testing/tests/ikev2/any-interface/evaltest.dat
 create mode 100755 testing/tests/ikev2/any-interface/hosts/alice/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/any-interface/hosts/alice/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/any-interface/hosts/bob/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/any-interface/hosts/bob/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/any-interface/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/any-interface/hosts/moon/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/any-interface/hosts/sun/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/any-interface/hosts/sun/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/any-interface/posttest.dat
 create mode 100644 testing/tests/ikev2/any-interface/pretest.dat
 create mode 100644 testing/tests/ikev2/any-interface/test.conf
 create mode 100644 testing/tests/ikev2/ip-two-pools-db/description.txt
 create mode 100644 testing/tests/ikev2/ip-two-pools-db/evaltest.dat
 create mode 100755 testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/init.d/iptables
 create mode 100755 testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/ip-two-pools-db/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/ip-two-pools-db/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/ip-two-pools-db/hosts/dave/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/ip-two-pools-db/hosts/dave/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/init.d/iptables
 create mode 100755 testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/init.d/iptables
 create mode 100755 testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/ip-two-pools-db/posttest.dat
 create mode 100644 testing/tests/ikev2/ip-two-pools-db/pretest.dat
 create mode 100644 testing/tests/ikev2/ip-two-pools-db/test.conf
 create mode 100644 testing/tests/ikev2/ip-two-pools/description.txt
 create mode 100644 testing/tests/ikev2/ip-two-pools/evaltest.dat
 create mode 100755 testing/tests/ikev2/ip-two-pools/hosts/alice/etc/init.d/iptables
 create mode 100755 testing/tests/ikev2/ip-two-pools/hosts/alice/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/ip-two-pools/hosts/alice/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/ip-two-pools/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/ip-two-pools/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/ip-two-pools/hosts/moon/etc/init.d/iptables
 create mode 100755 testing/tests/ikev2/ip-two-pools/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/ip-two-pools/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/ip-two-pools/posttest.dat
 create mode 100644 testing/tests/ikev2/ip-two-pools/pretest.dat
 create mode 100644 testing/tests/ikev2/ip-two-pools/test.conf
 create mode 100644 testing/tests/ikev2/multi-level-ca-cr-init/description.txt
 create mode 100644 testing/tests/ikev2/multi-level-ca-cr-init/evaltest.dat
 create mode 100755 testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/ipsec.d/cacerts/researchCert.pem
 create mode 100644 testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/ipsec.d/certs/carolCert.pem
 create mode 100644 testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/ipsec.d/private/carolKey.pem
 create mode 100644 testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/ipsec.d/cacerts/salesCert.pem
 create mode 100644 testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/ipsec.d/certs/daveCert.pem
 create mode 100644 testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/ipsec.d/private/daveKey.pem
 create mode 100644 testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/multi-level-ca-cr-init/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/multi-level-ca-cr-init/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/multi-level-ca-cr-init/posttest.dat
 create mode 100644 testing/tests/ikev2/multi-level-ca-cr-init/pretest.dat
 create mode 100644 testing/tests/ikev2/multi-level-ca-cr-init/test.conf
 create mode 100644 testing/tests/ikev2/multi-level-ca-cr-resp/description.txt
 create mode 100644 testing/tests/ikev2/multi-level-ca-cr-resp/evaltest.dat
 create mode 100755 testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.d/cacerts/researchCert.pem
 create mode 100644 testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.d/certs/carolCert.pem
 create mode 100644 testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.d/private/carolKey.pem
 create mode 100644 testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.d/cacerts/salesCert.pem
 create mode 100644 testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.d/certs/daveCert.pem
 create mode 100644 testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.d/private/daveKey.pem
 create mode 100644 testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/multi-level-ca-cr-resp/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/multi-level-ca-cr-resp/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/multi-level-ca-cr-resp/posttest.dat
 create mode 100644 testing/tests/ikev2/multi-level-ca-cr-resp/pretest.dat
 create mode 100644 testing/tests/ikev2/multi-level-ca-cr-resp/test.conf
 create mode 100644 testing/tests/ikev2/rw-eap-aka-identity/description.txt
 create mode 100644 testing/tests/ikev2/rw-eap-aka-identity/evaltest.dat
 create mode 100755 testing/tests/ikev2/rw-eap-aka-identity/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/rw-eap-aka-identity/hosts/carol/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev2/rw-eap-aka-identity/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/rw-eap-aka-identity/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/rw-eap-aka-identity/hosts/moon/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev2/rw-eap-aka-identity/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/rw-eap-aka-identity/posttest.dat
 create mode 100644 testing/tests/ikev2/rw-eap-aka-identity/pretest.dat
 create mode 100644 testing/tests/ikev2/rw-eap-aka-identity/test.conf
 create mode 100644 testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/description.txt
 create mode 100644 testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/evaltest.dat
 create mode 100755 testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/init.d/iptables
 create mode 100755 testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/strongswan.conf
 create mode 100755 testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/init.d/iptables
 create mode 100755 testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/ipsec.conf
 create mode 100644 testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/strongswan.conf
 create mode 100644 testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/posttest.dat
 create mode 100644 testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/pretest.dat
 create mode 100644 testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/test.conf
 create mode 100644 testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/description.txt
 create mode 100644 testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/evaltest.dat
 create mode 100755 testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/init.d/iptables
 create mode 100755 testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf
 create mode 100755 testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/init.d/iptables
 create mode 100755 testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/ipsec.conf
 create mode 100644 testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/strongswan.conf
 create mode 100644 testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/posttest.dat
 create mode 100644 testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/pretest.dat
 create mode 100644 testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/test.conf
 delete mode 100644 testing/tests/ipv6/net2net-ipv4-ikev2/description.txt
 delete mode 100644 testing/tests/ipv6/net2net-ipv4-ikev2/evaltest.dat
 delete mode 100755 testing/tests/ipv6/net2net-ipv4-ikev2/hosts/moon/etc/init.d/iptables
 delete mode 100755 testing/tests/ipv6/net2net-ipv4-ikev2/hosts/moon/etc/ipsec.conf
 delete mode 100644 testing/tests/ipv6/net2net-ipv4-ikev2/hosts/moon/etc/strongswan.conf
 delete mode 100755 testing/tests/ipv6/net2net-ipv4-ikev2/hosts/sun/etc/init.d/iptables
 delete mode 100755 testing/tests/ipv6/net2net-ipv4-ikev2/hosts/sun/etc/ipsec.conf
 delete mode 100644 testing/tests/ipv6/net2net-ipv4-ikev2/hosts/sun/etc/strongswan.conf
 delete mode 100644 testing/tests/ipv6/net2net-ipv4-ikev2/posttest.dat
 delete mode 100644 testing/tests/ipv6/net2net-ipv4-ikev2/pretest.dat
 delete mode 100644 testing/tests/ipv6/net2net-ipv4-ikev2/test.conf
 create mode 100644 testing/tests/sql/rw-eap-aka-rsa/description.txt
 create mode 100644 testing/tests/sql/rw-eap-aka-rsa/evaltest.dat
 create mode 100755 testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/ipsec.d/data.sql
 create mode 100644 testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/ipsec.secrets
 create mode 100644 testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf
 create mode 100644 testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/ipsec.d/data.sql
 create mode 100644 testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/ipsec.secrets
 create mode 100644 testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/sql/rw-eap-aka-rsa/posttest.dat
 create mode 100644 testing/tests/sql/rw-eap-aka-rsa/pretest.dat
 create mode 100644 testing/tests/sql/rw-eap-aka-rsa/test.conf
 create mode 100644 testing/tests/sql/rw-rsa-keyid/description.txt
 create mode 100644 testing/tests/sql/rw-rsa-keyid/evaltest.dat
 create mode 100755 testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/ipsec.d/data.sql
 create mode 100644 testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/ipsec.secrets
 create mode 100644 testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/ipsec.conf
 create mode 100644 testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/ipsec.d/data.sql
 create mode 100644 testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/ipsec.secrets
 create mode 100644 testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/strongswan.conf
 create mode 100644 testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/ipsec.d/data.sql
 create mode 100644 testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/ipsec.secrets
 create mode 100644 testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/sql/rw-rsa-keyid/posttest.dat
 create mode 100644 testing/tests/sql/rw-rsa-keyid/pretest.dat
 create mode 100644 testing/tests/sql/rw-rsa-keyid/test.conf
 create mode 100644 testing/tests/sql/rw-rsa/description.txt
 create mode 100644 testing/tests/sql/rw-rsa/evaltest.dat
 create mode 100755 testing/tests/sql/rw-rsa/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/sql/rw-rsa/hosts/carol/etc/ipsec.d/data.sql
 create mode 100644 testing/tests/sql/rw-rsa/hosts/carol/etc/ipsec.secrets
 create mode 100644 testing/tests/sql/rw-rsa/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/sql/rw-rsa/hosts/dave/etc/ipsec.conf
 create mode 100644 testing/tests/sql/rw-rsa/hosts/dave/etc/ipsec.d/data.sql
 create mode 100644 testing/tests/sql/rw-rsa/hosts/dave/etc/ipsec.secrets
 create mode 100644 testing/tests/sql/rw-rsa/hosts/dave/etc/strongswan.conf
 create mode 100644 testing/tests/sql/rw-rsa/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/sql/rw-rsa/hosts/moon/etc/ipsec.d/data.sql
 create mode 100644 testing/tests/sql/rw-rsa/hosts/moon/etc/ipsec.secrets
 create mode 100644 testing/tests/sql/rw-rsa/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/sql/rw-rsa/posttest.dat
 create mode 100644 testing/tests/sql/rw-rsa/pretest.dat
 create mode 100644 testing/tests/sql/rw-rsa/test.conf

(limited to 'src/libstrongswan/plugins')

diff --git a/Makefile.am b/Makefile.am
index c3d8d0df5..e6a73e996 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1,4 +1,4 @@
-SUBDIRS = src testing
+SUBDIRS = src testing scripts
 EXTRA_DIST = Doxyfile.in CREDITS
 CLEANFILES = apidoc Doxyfile
 
diff --git a/Makefile.in b/Makefile.in
index 36a7c201a..4d7240711 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -184,6 +184,8 @@ localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
@@ -203,7 +205,7 @@ top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-SUBDIRS = src testing
+SUBDIRS = src testing scripts
 EXTRA_DIST = Doxyfile.in CREDITS
 CLEANFILES = apidoc Doxyfile
 all: all-recursive
diff --git a/NEWS b/NEWS
index f26b34758..5ccc7c05f 100644
--- a/NEWS
+++ b/NEWS
@@ -1,11 +1,101 @@
+strongswan-4.2.8
+----------------
+
+- IKEv2 charon daemon supports authentication based on raw public keys
+  stored in the SQL database backend. The ipsec listpubkeys command
+  lists the available raw public keys via the stroke interface.
+
+- Several MOBIKE improvements: Detect changes in NAT mappings in DPD exchanges,
+  handle events if kernel detects NAT mapping changes in UDP-encapsulated
+  ESP packets (requires kernel patch), reuse old addesses in MOBIKE updates as
+  long as possible and other fixes.
+
+- Fixed a bug in addr_in_subnet() which caused insertion of wrong source
+  routes for destination subnets having netwmasks not being a multiple of 8 bits.
+  Thanks go to Wolfgang Steudel, TU Ilmenau for reporting this bug.
+
+
+strongswan-4.2.7
+----------------
+
+- Fixed a Denial-of-Service vulnerability where an IKE_SA_INIT message with
+  a KE payload containing zeroes only can cause a crash of the IKEv2 charon
+  daemon due to a NULL pointer returned by the mpz_export() function of the
+  GNU Multiprecision Library (GMP). Thanks go to Mu Dynamics Research Labs
+  for making us aware of this problem. 
+
+- The new agent plugin provides a private key implementation on top of an 
+  ssh-agent.
+
+- The NetworkManager plugin has been extended to support certificate client
+  authentication using RSA keys loaded from a file or using ssh-agent.
+
+- Daemon capability dropping has been ported to libcap and must be enabled
+  explicitly --with-capabilities=libcap. Future version will support the
+  newer libcap2 library.
+
+- ipsec listalgs lists the IKEv2 cryptografic algorithms registered with the
+  charon keying daemon.
+
+
+strongswan-4.2.6
+----------------
+
+- A NetworkManager plugin allows GUI-based configuration of road-warrior
+  clients in a simple way. It features X509 based gateway authentication
+  and EAP client authentication, tunnel setup/teardown and storing passwords
+  in the Gnome Keyring.
+
+- A new EAP-GTC plugin implements draft-sheffer-ikev2-gtc-00.txt and allows
+  username/password authentication against any PAM service on the gateway.
+  The new EAP method interacts nicely with the NetworkManager plugin and allows 
+  client authentication against e.g. LDAP.
+
+- Improved support for the EAP-Identity method. The new ipsec.conf eap_identity
+  parameter defines an additional identity to pass to the server in EAP
+  authentication.
+
+- The "ipsec statusall" command now lists CA restrictions, EAP
+  authentication types and EAP identities.
+
+- Fixed two multithreading deadlocks occurring when starting up
+  several hundred tunnels concurrently.
+
+- Fixed the --enable-integrity-test configure option which
+  computes a SHA-1 checksum over the libstrongswan library.
+
+
+strongswan-4.2.5
+----------------
+
+- Consistent logging of IKE and CHILD SAs at the audit (AUD) level. 
+
+- Improved the performance of the SQL-based virtual IP address pool
+  by introducing an additional addresses table. The leases table
+  storing only history information has become optional and can be
+  disabled by setting charon.plugins.sql.lease_history = no in
+  strongswan.conf.
+
+- The XFRM_STATE_AF_UNSPEC flag added to xfrm.h allows IPv4-over-IPv6
+  and IPv6-over-IPv4 tunnels with the 2.6.26 and later Linux kernels.
+
+- management of different virtual IP pools for different
+  network interfaces have become possible.
+
+- fixed a bug which prevented the assignment of more than 256 
+  virtual IP addresses from a pool managed by an sql database.
+
+- fixed a bug which did not delete own IPCOMP SAs in the kernel.
+
+ 
 strongswan-4.2.4
 ----------------
 
-- Added statistics functions to ip pool --status and ip pool --leases
-  and input validation checks to various ip pool commands.
+- Added statistics functions to ipsec pool --status and ipsec pool --leases
+  and input validation checks to various ipsec pool commands.
 
 - ipsec statusall now lists all loaded charon plugins and displays
-  the negotiated IKE cipher suite proposal.
+  the negotiated IKEv2 cipher suite proposals.
 
 - The openssl plugin supports the elliptic curve Diffie-Hellman groups
   19, 20, 21, 25, and 26.
diff --git a/configure b/configure
index b43af7520..acbd93ada 100755
--- a/configure
+++ b/configure
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.61 for strongSwan 4.2.4.
+# Generated by GNU Autoconf 2.61 for strongSwan 4.2.8.
 #
 # Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
 # 2002, 2003, 2004, 2005, 2006 Free Software Foundation, Inc.
@@ -726,8 +726,8 @@ SHELL=${CONFIG_SHELL-/bin/sh}
 # Identity of this package.
 PACKAGE_NAME='strongSwan'
 PACKAGE_TARNAME='strongswan'
-PACKAGE_VERSION='4.2.4'
-PACKAGE_STRING='strongSwan 4.2.4'
+PACKAGE_VERSION='4.2.8'
+PACKAGE_STRING='strongSwan 4.2.8'
 PACKAGE_BUGREPORT=''
 
 # Factoring default headers for most tests.
@@ -895,6 +895,8 @@ xml_CFLAGS
 xml_LIBS
 gtk_CFLAGS
 gtk_LIBS
+nm_CFLAGS
+nm_LIBS
 libstrongswan_plugins
 USE_CURL_TRUE
 USE_CURL_FALSE
@@ -932,12 +934,16 @@ USE_PADLOCK_TRUE
 USE_PADLOCK_FALSE
 USE_OPENSSL_TRUE
 USE_OPENSSL_FALSE
+USE_AGENT_TRUE
+USE_AGENT_FALSE
 USE_STROKE_TRUE
 USE_STROKE_FALSE
 USE_MEDSRV_TRUE
 USE_MEDSRV_FALSE
 USE_MEDCLI_TRUE
 USE_MEDCLI_FALSE
+USE_NM_TRUE
+USE_NM_FALSE
 USE_UCI_TRUE
 USE_UCI_FALSE
 USE_SMP_TRUE
@@ -948,12 +954,18 @@ USE_UNIT_TESTS_TRUE
 USE_UNIT_TESTS_FALSE
 USE_EAP_SIM_TRUE
 USE_EAP_SIM_FALSE
+USE_EAP_SIM_FILE_TRUE
+USE_EAP_SIM_FILE_FALSE
 USE_EAP_IDENTITY_TRUE
 USE_EAP_IDENTITY_FALSE
 USE_EAP_MD5_TRUE
 USE_EAP_MD5_FALSE
+USE_EAP_GTC_TRUE
+USE_EAP_GTC_FALSE
 USE_EAP_AKA_TRUE
 USE_EAP_AKA_FALSE
+USE_KERNEL_NETLINK_TRUE
+USE_KERNEL_NETLINK_FALSE
 USE_SMARTCARD_TRUE
 USE_SMARTCARD_FALSE
 USE_CISCO_QUIRKS_TRUE
@@ -978,6 +990,8 @@ USE_INTEGRITY_TEST_TRUE
 USE_INTEGRITY_TEST_FALSE
 USE_SELF_TEST_TRUE
 USE_SELF_TEST_FALSE
+USE_CAPABILITIES_TRUE
+USE_CAPABILITIES_FALSE
 USE_PLUTO_TRUE
 USE_PLUTO_FALSE
 USE_CHARON_TRUE
@@ -1014,7 +1028,9 @@ YFLAGS
 xml_CFLAGS
 xml_LIBS
 gtk_CFLAGS
-gtk_LIBS'
+gtk_LIBS
+nm_CFLAGS
+nm_LIBS'
 
 
 # Initialize some variables set by options.
@@ -1517,7 +1533,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures strongSwan 4.2.4 to adapt to many kinds of systems.
+\`configure' configures strongSwan 4.2.8 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1587,7 +1603,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of strongSwan 4.2.4:";;
+     short | recursive ) echo "Configuration of strongSwan 4.2.8:";;
    esac
   cat <<\_ACEOF
 
@@ -1646,12 +1662,19 @@ Optional Features:
                           is NO).
   --enable-eap-sim        build SIM authenication module for EAP (default is
                           NO).
+  --enable-eap-sim-file   build EAP-SIM backend based on a triplet file
+                          (default is NO).
   --enable-eap-identity   build EAP module providing EAP-Identity helper
                           (default is NO).
   --enable-eap-md5        build MD5 (CHAP) authenication module for EAP
                           (default is NO).
+  --enable-eap-gtc        build PAM based GTC authenication module for EAP
+                          (default is NO).
   --enable-eap-aka        build AKA authentication module for EAP (default is
                           NO).
+  --disable-kernel-netlink
+                          disable the netlink kernel interface. (default is
+                          NO).
   --enable-nat-transport  enable NAT traversal with IPsec transport mode
                           (default is NO).
   --disable-vendor-id     disable the sending of the strongSwan vendor ID
@@ -1677,8 +1700,11 @@ Optional Features:
                           is NO).
   --enable-padlock        enables VIA Padlock crypto plugin. (default is NO).
   --enable-openssl        enables the OpenSSL crypto plugin. (default is NO).
+  --enable-agent          enables the ssh-agent signing plugin. (default is
+                          NO).
   --enable-uci            enable OpenWRT UCI configuration plugin (default is
                           NO).
+  --enable-nm             enable NetworkManager plugin (default is NO).
   --enable-shared[=PKGS]  build shared libraries [default=yes]
   --enable-static[=PKGS]  build static libraries [default=yes]
   --enable-fast-install[=PKGS]
@@ -1724,6 +1750,9 @@ Optional Packages:
                           (default is 0).
   --with-group=group      change group of the daemons to "group" after startup
                           (default is 0).
+  --with-capabilities=libcap
+                          capability dropping using libcap. Currenlty only the
+                          value "libcap" is supported (default is NO).
   --with-gnu-ld           assume the C compiler uses GNU ld [default=no]
   --with-pic              try to use only PIC/non-PIC objects [default=use
                           both]
@@ -1753,6 +1782,8 @@ Some influential environment variables:
   xml_LIBS    linker flags for xml, overriding pkg-config
   gtk_CFLAGS  C compiler flags for gtk, overriding pkg-config
   gtk_LIBS    linker flags for gtk, overriding pkg-config
+  nm_CFLAGS   C compiler flags for nm, overriding pkg-config
+  nm_LIBS     linker flags for nm, overriding pkg-config
 
 Use these variables to override the choices made by `configure' or to help
 it to find libraries and programs with nonstandard names/locations.
@@ -1817,7 +1848,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-strongSwan configure 4.2.4
+strongSwan configure 4.2.8
 generated by GNU Autoconf 2.61
 
 Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
@@ -1831,7 +1862,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by strongSwan $as_me 4.2.4, which was
+It was created by strongSwan $as_me 4.2.8, which was
 generated by GNU Autoconf 2.61.  Invocation command line was
 
   $ $0 $@
@@ -2521,7 +2552,7 @@ fi
 
 # Define the identity of the package.
  PACKAGE='strongswan'
- VERSION='4.2.4'
+ VERSION='4.2.8'
 
 
 cat >>confdefs.h <<_ACEOF
@@ -4933,12 +4964,12 @@ if test "${with_ipsecdir+set}" = set; then
   withval=$with_ipsecdir; ipsecdir="$withval"
 
 else
-  ipsecdir="${libexecdir}/ipsec"
+  ipsecdir="${libexecdir%/}/ipsec"
 
 
 fi
 
-plugindir="${ipsecdir}/plugins"
+plugindir="${ipsecdir%/}/plugins"
 
 
 
@@ -4947,7 +4978,7 @@ if test "${with_plugindir+set}" = set; then
   withval=$with_plugindir; plugindir="$withval"
 
 else
-  plugindir="${ipsecdir}/plugins"
+  plugindir="${ipsecdir%/}/plugins"
 
 
 fi
@@ -4959,7 +4990,7 @@ if test "${with_sim_reader+set}" = set; then
   withval=$with_sim_reader; simreader="$withval"
 
 else
-  simreader="${plugindir}/libeapsim-file.so"
+  simreader="${plugindir%/}/libeapsim-file.so"
 
 
 fi
@@ -4971,7 +5002,7 @@ if test "${with_linux_headers+set}" = set; then
   withval=$with_linux_headers; linuxdir="$withval"
 
 else
-  linuxdir="../include"
+  linuxdir="\${top_srcdir}/src/include"
 
 
 fi
@@ -5064,6 +5095,16 @@ else
 fi
 
 
+
+# Check whether --with-capabilities was given.
+if test "${with_capabilities+set}" = set; then
+  withval=$with_capabilities; capabilities="$withval"
+else
+  capabilities=no
+
+fi
+
+
 # Check whether --enable-curl was given.
 if test "${enable_curl+set}" = set; then
   enableval=$enable_curl; if test x$enableval = xyes; then
@@ -5350,6 +5391,15 @@ if test "${enable_eap_sim+set}" = set; then
 fi
 
 
+# Check whether --enable-eap-sim-file was given.
+if test "${enable_eap_sim_file+set}" = set; then
+  enableval=$enable_eap_sim_file; if test x$enableval = xyes; then
+		eap_sim_file=true
+	fi
+
+fi
+
+
 # Check whether --enable-eap-identity was given.
 if test "${enable_eap_identity+set}" = set; then
   enableval=$enable_eap_identity; if test x$enableval = xyes; then
@@ -5368,6 +5418,15 @@ if test "${enable_eap_md5+set}" = set; then
 fi
 
 
+# Check whether --enable-eap-gtc was given.
+if test "${enable_eap_gtc+set}" = set; then
+  enableval=$enable_eap_gtc; if test x$enableval = xyes; then
+		eap_gtc=true
+	fi
+
+fi
+
+
 # Check whether --enable-eap-aka was given.
 if test "${enable_eap_aka+set}" = set; then
   enableval=$enable_eap_aka; if test x$enableval = xyes; then
@@ -5377,6 +5436,19 @@ if test "${enable_eap_aka+set}" = set; then
 fi
 
 
+# Check whether --enable-kernel-netlink was given.
+if test "${enable_kernel_netlink+set}" = set; then
+  enableval=$enable_kernel_netlink; if test x$enableval = xyes; then
+		kernel_netlink=true
+	 else
+		kernel_netlink=false
+	fi
+else
+  kernel_netlink=true
+
+fi
+
+
 # Check whether --enable-nat-transport was given.
 if test "${enable_nat_transport+set}" = set; then
   enableval=$enable_nat_transport; if test x$enableval = xyes; then
@@ -5543,6 +5615,16 @@ if test "${enable_openssl+set}" = set; then
 fi
 
 
+# Check whether --enable-agent was given.
+if test "${enable_agent+set}" = set; then
+  enableval=$enable_agent; if test x$enableval = xyes; then
+		agent=true
+	 else
+		agent=false
+	fi
+fi
+
+
 # Check whether --enable-uci was given.
 if test "${enable_uci+set}" = set; then
   enableval=$enable_uci; if test x$enableval = xyes; then
@@ -5552,6 +5634,15 @@ if test "${enable_uci+set}" = set; then
 fi
 
 
+# Check whether --enable-nm was given.
+if test "${enable_nm+set}" = set; then
+  enableval=$enable_nm; if test x$enableval = xyes; then
+		nm=true
+	fi
+
+fi
+
+
 
 # Find a good install program.  We prefer a C program (faster),
 # so one script is as good as another.  But avoid the broken or
@@ -6278,7 +6369,7 @@ ia64-*-hpux*)
   ;;
 *-*-irix6*)
   # Find out which ABI we are using.
-  echo '#line 6281 "configure"' > conftest.$ac_ext
+  echo '#line 6372 "configure"' > conftest.$ac_ext
   if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
   (eval $ac_compile) 2>&5
   ac_status=$?
@@ -8856,11 +8947,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:8859: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:8950: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:8863: \$? = $ac_status" >&5
+   echo "$as_me:8954: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -9146,11 +9237,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:9149: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:9240: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:9153: \$? = $ac_status" >&5
+   echo "$as_me:9244: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -9250,11 +9341,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:9253: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:9344: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:9257: \$? = $ac_status" >&5
+   echo "$as_me:9348: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -11627,7 +11718,7 @@ else
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext <<EOF
-#line 11630 "configure"
+#line 11721 "configure"
 #include "confdefs.h"
 
 #if HAVE_DLFCN_H
@@ -11727,7 +11818,7 @@ else
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext <<EOF
-#line 11730 "configure"
+#line 11821 "configure"
 #include "confdefs.h"
 
 #if HAVE_DLFCN_H
@@ -14128,11 +14219,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:14131: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:14222: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:14135: \$? = $ac_status" >&5
+   echo "$as_me:14226: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -14232,11 +14323,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:14235: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:14326: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:14239: \$? = $ac_status" >&5
+   echo "$as_me:14330: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -15830,11 +15921,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:15833: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:15924: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:15837: \$? = $ac_status" >&5
+   echo "$as_me:15928: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -15934,11 +16025,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:15937: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:16028: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:15941: \$? = $ac_status" >&5
+   echo "$as_me:16032: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -18154,11 +18245,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:18157: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:18248: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:18161: \$? = $ac_status" >&5
+   echo "$as_me:18252: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -18444,11 +18535,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:18447: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:18538: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:18451: \$? = $ac_status" >&5
+   echo "$as_me:18542: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -18548,11 +18639,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:18551: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:18642: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:18555: \$? = $ac_status" >&5
+   echo "$as_me:18646: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -22634,58 +22725,6 @@ fi
 done
 
 
-{ echo "$as_me:$LINENO: checking capset() definition" >&5
-echo $ECHO_N "checking capset() definition... $ECHO_C" >&6; }
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#include <linux/capset.h>
-int
-main ()
-{
-
-		void *test = capset;
-
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  { echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6; }
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	{ echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }; cat >>confdefs.h <<_ACEOF
-#define NO_CAPSET_DEFINED 1
-_ACEOF
-
-
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-
 if test x$gmp = xtrue; then
 	{ echo "$as_me:$LINENO: checking for main in -lgmp" >&5
 echo $ECHO_N "checking for main in -lgmp... $ECHO_C" >&6; }
@@ -24346,6 +24385,57 @@ sed 's/^/| /' conftest.$ac_ext >&5
 echo "${ECHO_T}no" >&6; }
 fi
 
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+	{ echo "$as_me:$LINENO: checking sqlite3.h version >= 3.3.1" >&5
+echo $ECHO_N "checking sqlite3.h version >= 3.3.1... $ECHO_C" >&6; }
+	cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+#include <sqlite3.h>
+int
+main ()
+{
+
+			#if SQLITE_VERSION_NUMBER < 3003001
+				#error bad sqlite
+			#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	{ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }; { { echo "$as_me:$LINENO: error: SQLite version >= 3.3.1 required!" >&5
+echo "$as_me: error: SQLite version >= 3.3.1 required!" >&2;}
+   { (exit 1); exit 1; }; }
+fi
+
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
 
@@ -24751,116 +24841,637 @@ fi
 
 fi
 
+if test x$nm = xtrue; then
 
-libstrongswan_plugins=
+pkg_failed=no
+{ echo "$as_me:$LINENO: checking for nm" >&5
+echo $ECHO_N "checking for nm... $ECHO_C" >&6; }
 
-if test x$curl = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" curl"
-fi
-if test x$ldap = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" ldap"
-fi
-if test x$aes = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" aes"
-fi
-if test x$des = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" des"
-fi
-if test x$md5 = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" md5"
-fi
-if test x$sha1 = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" sha1"
-fi
-if test x$sha2 = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" sha2"
-fi
-if test x$fips_prf = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" fips-prf"
-fi
-if test x$gmp = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" gmp"
-fi
-if test x$random = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" random"
-fi
-if test x$x509 = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" x509"
-fi
-if test x$pubkey = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" pubkey"
-fi
-if test x$hmac = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" hmac"
-fi
-if test x$xcbc = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" xcbc"
-fi
-if test x$mysql = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" mysql"
+if test -n "$PKG_CONFIG"; then
+    if test -n "$nm_CFLAGS"; then
+        pkg_cv_nm_CFLAGS="$nm_CFLAGS"
+    else
+        if test -n "$PKG_CONFIG" && \
+    { (echo "$as_me:$LINENO: \$PKG_CONFIG --exists --print-errors \"NetworkManager libnm_glib_vpn gthread-2.0\"") >&5
+  ($PKG_CONFIG --exists --print-errors "NetworkManager libnm_glib_vpn gthread-2.0") 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  pkg_cv_nm_CFLAGS=`$PKG_CONFIG --cflags "NetworkManager libnm_glib_vpn gthread-2.0" 2>/dev/null`
+else
+  pkg_failed=yes
 fi
-if test x$sqlite = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" sqlite"
+    fi
+else
+	pkg_failed=untried
 fi
-if test x$padlock = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" padlock"
+if test -n "$PKG_CONFIG"; then
+    if test -n "$nm_LIBS"; then
+        pkg_cv_nm_LIBS="$nm_LIBS"
+    else
+        if test -n "$PKG_CONFIG" && \
+    { (echo "$as_me:$LINENO: \$PKG_CONFIG --exists --print-errors \"NetworkManager libnm_glib_vpn gthread-2.0\"") >&5
+  ($PKG_CONFIG --exists --print-errors "NetworkManager libnm_glib_vpn gthread-2.0") 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  pkg_cv_nm_LIBS=`$PKG_CONFIG --libs "NetworkManager libnm_glib_vpn gthread-2.0" 2>/dev/null`
+else
+  pkg_failed=yes
 fi
-if test x$openssl = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" openssl"
+    fi
+else
+	pkg_failed=untried
 fi
 
 
 
+if test $pkg_failed = yes; then
 
- if test x$curl = xtrue; then
-  USE_CURL_TRUE=
-  USE_CURL_FALSE='#'
+if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
+        _pkg_short_errors_supported=yes
 else
-  USE_CURL_TRUE='#'
-  USE_CURL_FALSE=
+        _pkg_short_errors_supported=no
 fi
+        if test $_pkg_short_errors_supported = yes; then
+	        nm_PKG_ERRORS=`$PKG_CONFIG --short-errors --errors-to-stdout --print-errors "NetworkManager libnm_glib_vpn gthread-2.0"`
+        else
+	        nm_PKG_ERRORS=`$PKG_CONFIG --errors-to-stdout --print-errors "NetworkManager libnm_glib_vpn gthread-2.0"`
+        fi
+	# Put the nasty error message in config.log where it belongs
+	echo "$nm_PKG_ERRORS" >&5
 
- if test x$ldap = xtrue; then
-  USE_LDAP_TRUE=
-  USE_LDAP_FALSE='#'
-else
-  USE_LDAP_TRUE='#'
-  USE_LDAP_FALSE=
-fi
+	{ { echo "$as_me:$LINENO: error: Package requirements (NetworkManager libnm_glib_vpn gthread-2.0) were not met:
 
- if test x$aes = xtrue; then
-  USE_AES_TRUE=
-  USE_AES_FALSE='#'
-else
-  USE_AES_TRUE='#'
-  USE_AES_FALSE=
-fi
+$nm_PKG_ERRORS
 
- if test x$des = xtrue; then
-  USE_DES_TRUE=
-  USE_DES_FALSE='#'
-else
-  USE_DES_TRUE='#'
-  USE_DES_FALSE=
-fi
+Consider adjusting the PKG_CONFIG_PATH environment variable if you
+installed software in a non-standard prefix.
 
- if test x$md5 = xtrue; then
-  USE_MD5_TRUE=
-  USE_MD5_FALSE='#'
-else
-  USE_MD5_TRUE='#'
-  USE_MD5_FALSE=
-fi
+Alternatively, you may set the environment variables nm_CFLAGS
+and nm_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details.
+" >&5
+echo "$as_me: error: Package requirements (NetworkManager libnm_glib_vpn gthread-2.0) were not met:
 
- if test x$sha1 = xtrue; then
-  USE_SHA1_TRUE=
-  USE_SHA1_FALSE='#'
-else
-  USE_SHA1_TRUE='#'
-  USE_SHA1_FALSE=
-fi
+$nm_PKG_ERRORS
 
- if test x$sha2 = xtrue; then
+Consider adjusting the PKG_CONFIG_PATH environment variable if you
+installed software in a non-standard prefix.
+
+Alternatively, you may set the environment variables nm_CFLAGS
+and nm_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details.
+" >&2;}
+   { (exit 1); exit 1; }; }
+elif test $pkg_failed = untried; then
+	{ { echo "$as_me:$LINENO: error: The pkg-config script could not be found or is too old.  Make sure it
+is in your PATH or set the PKG_CONFIG environment variable to the full
+path to pkg-config.
+
+Alternatively, you may set the environment variables nm_CFLAGS
+and nm_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details.
+
+To get pkg-config, see <http://pkg-config.freedesktop.org/>.
+See \`config.log' for more details." >&5
+echo "$as_me: error: The pkg-config script could not be found or is too old.  Make sure it
+is in your PATH or set the PKG_CONFIG environment variable to the full
+path to pkg-config.
+
+Alternatively, you may set the environment variables nm_CFLAGS
+and nm_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details.
+
+To get pkg-config, see <http://pkg-config.freedesktop.org/>.
+See \`config.log' for more details." >&2;}
+   { (exit 1); exit 1; }; }
+else
+	nm_CFLAGS=$pkg_cv_nm_CFLAGS
+	nm_LIBS=$pkg_cv_nm_LIBS
+        { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
+	:
+fi
+
+
+fi
+
+if test x$eap_gtc = xtrue; then
+	{ echo "$as_me:$LINENO: checking for main in -lpam" >&5
+echo $ECHO_N "checking for main in -lpam... $ECHO_C" >&6; }
+if test "${ac_cv_lib_pam_main+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lpam  $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+
+
+int
+main ()
+{
+return main ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+  ac_cv_lib_pam_main=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	ac_cv_lib_pam_main=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_pam_main" >&5
+echo "${ECHO_T}$ac_cv_lib_pam_main" >&6; }
+if test $ac_cv_lib_pam_main = yes; then
+  LIBS="$LIBS"
+else
+  { { echo "$as_me:$LINENO: error: PAM library not found" >&5
+echo "$as_me: error: PAM library not found" >&2;}
+   { (exit 1); exit 1; }; }
+fi
+ac_cv_lib_pam=ac_cv_lib_pam_main
+
+	if test "${ac_cv_header_security_pam_appl_h+set}" = set; then
+  { echo "$as_me:$LINENO: checking for security/pam_appl.h" >&5
+echo $ECHO_N "checking for security/pam_appl.h... $ECHO_C" >&6; }
+if test "${ac_cv_header_security_pam_appl_h+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_header_security_pam_appl_h" >&5
+echo "${ECHO_T}$ac_cv_header_security_pam_appl_h" >&6; }
+else
+  # Is the header compilable?
+{ echo "$as_me:$LINENO: checking security/pam_appl.h usability" >&5
+echo $ECHO_N "checking security/pam_appl.h usability... $ECHO_C" >&6; }
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+$ac_includes_default
+#include <security/pam_appl.h>
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  ac_header_compiler=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	ac_header_compiler=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
+echo "${ECHO_T}$ac_header_compiler" >&6; }
+
+# Is the header present?
+{ echo "$as_me:$LINENO: checking security/pam_appl.h presence" >&5
+echo $ECHO_N "checking security/pam_appl.h presence... $ECHO_C" >&6; }
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+#include <security/pam_appl.h>
+_ACEOF
+if { (ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } >/dev/null && {
+	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       }; then
+  ac_header_preproc=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+  ac_header_preproc=no
+fi
+
+rm -f conftest.err conftest.$ac_ext
+{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
+echo "${ECHO_T}$ac_header_preproc" >&6; }
+
+# So?  What about this header?
+case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
+  yes:no: )
+    { echo "$as_me:$LINENO: WARNING: security/pam_appl.h: accepted by the compiler, rejected by the preprocessor!" >&5
+echo "$as_me: WARNING: security/pam_appl.h: accepted by the compiler, rejected by the preprocessor!" >&2;}
+    { echo "$as_me:$LINENO: WARNING: security/pam_appl.h: proceeding with the compiler's result" >&5
+echo "$as_me: WARNING: security/pam_appl.h: proceeding with the compiler's result" >&2;}
+    ac_header_preproc=yes
+    ;;
+  no:yes:* )
+    { echo "$as_me:$LINENO: WARNING: security/pam_appl.h: present but cannot be compiled" >&5
+echo "$as_me: WARNING: security/pam_appl.h: present but cannot be compiled" >&2;}
+    { echo "$as_me:$LINENO: WARNING: security/pam_appl.h:     check for missing prerequisite headers?" >&5
+echo "$as_me: WARNING: security/pam_appl.h:     check for missing prerequisite headers?" >&2;}
+    { echo "$as_me:$LINENO: WARNING: security/pam_appl.h: see the Autoconf documentation" >&5
+echo "$as_me: WARNING: security/pam_appl.h: see the Autoconf documentation" >&2;}
+    { echo "$as_me:$LINENO: WARNING: security/pam_appl.h:     section \"Present But Cannot Be Compiled\"" >&5
+echo "$as_me: WARNING: security/pam_appl.h:     section \"Present But Cannot Be Compiled\"" >&2;}
+    { echo "$as_me:$LINENO: WARNING: security/pam_appl.h: proceeding with the preprocessor's result" >&5
+echo "$as_me: WARNING: security/pam_appl.h: proceeding with the preprocessor's result" >&2;}
+    { echo "$as_me:$LINENO: WARNING: security/pam_appl.h: in the future, the compiler will take precedence" >&5
+echo "$as_me: WARNING: security/pam_appl.h: in the future, the compiler will take precedence" >&2;}
+
+    ;;
+esac
+{ echo "$as_me:$LINENO: checking for security/pam_appl.h" >&5
+echo $ECHO_N "checking for security/pam_appl.h... $ECHO_C" >&6; }
+if test "${ac_cv_header_security_pam_appl_h+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_cv_header_security_pam_appl_h=$ac_header_preproc
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_header_security_pam_appl_h" >&5
+echo "${ECHO_T}$ac_cv_header_security_pam_appl_h" >&6; }
+
+fi
+if test $ac_cv_header_security_pam_appl_h = yes; then
+  :
+else
+  { { echo "$as_me:$LINENO: error: PAM header security/pam_appl.h not found!" >&5
+echo "$as_me: error: PAM header security/pam_appl.h not found!" >&2;}
+   { (exit 1); exit 1; }; }
+fi
+
+
+fi
+
+if test x$capabilities = xlibcap; then
+	{ echo "$as_me:$LINENO: checking for main in -lcap" >&5
+echo $ECHO_N "checking for main in -lcap... $ECHO_C" >&6; }
+if test "${ac_cv_lib_cap_main+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lcap  $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+
+
+int
+main ()
+{
+return main ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+  ac_cv_lib_cap_main=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	ac_cv_lib_cap_main=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_cap_main" >&5
+echo "${ECHO_T}$ac_cv_lib_cap_main" >&6; }
+if test $ac_cv_lib_cap_main = yes; then
+  LIBS="$LIBS"
+else
+  { { echo "$as_me:$LINENO: error: libcap library not found" >&5
+echo "$as_me: error: libcap library not found" >&2;}
+   { (exit 1); exit 1; }; }
+fi
+ac_cv_lib_cap=ac_cv_lib_cap_main
+
+	if test "${ac_cv_header_sys_capability_h+set}" = set; then
+  { echo "$as_me:$LINENO: checking for sys/capability.h" >&5
+echo $ECHO_N "checking for sys/capability.h... $ECHO_C" >&6; }
+if test "${ac_cv_header_sys_capability_h+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_header_sys_capability_h" >&5
+echo "${ECHO_T}$ac_cv_header_sys_capability_h" >&6; }
+else
+  # Is the header compilable?
+{ echo "$as_me:$LINENO: checking sys/capability.h usability" >&5
+echo $ECHO_N "checking sys/capability.h usability... $ECHO_C" >&6; }
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+$ac_includes_default
+#include <sys/capability.h>
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  ac_header_compiler=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	ac_header_compiler=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
+echo "${ECHO_T}$ac_header_compiler" >&6; }
+
+# Is the header present?
+{ echo "$as_me:$LINENO: checking sys/capability.h presence" >&5
+echo $ECHO_N "checking sys/capability.h presence... $ECHO_C" >&6; }
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+#include <sys/capability.h>
+_ACEOF
+if { (ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } >/dev/null && {
+	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       }; then
+  ac_header_preproc=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+  ac_header_preproc=no
+fi
+
+rm -f conftest.err conftest.$ac_ext
+{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
+echo "${ECHO_T}$ac_header_preproc" >&6; }
+
+# So?  What about this header?
+case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
+  yes:no: )
+    { echo "$as_me:$LINENO: WARNING: sys/capability.h: accepted by the compiler, rejected by the preprocessor!" >&5
+echo "$as_me: WARNING: sys/capability.h: accepted by the compiler, rejected by the preprocessor!" >&2;}
+    { echo "$as_me:$LINENO: WARNING: sys/capability.h: proceeding with the compiler's result" >&5
+echo "$as_me: WARNING: sys/capability.h: proceeding with the compiler's result" >&2;}
+    ac_header_preproc=yes
+    ;;
+  no:yes:* )
+    { echo "$as_me:$LINENO: WARNING: sys/capability.h: present but cannot be compiled" >&5
+echo "$as_me: WARNING: sys/capability.h: present but cannot be compiled" >&2;}
+    { echo "$as_me:$LINENO: WARNING: sys/capability.h:     check for missing prerequisite headers?" >&5
+echo "$as_me: WARNING: sys/capability.h:     check for missing prerequisite headers?" >&2;}
+    { echo "$as_me:$LINENO: WARNING: sys/capability.h: see the Autoconf documentation" >&5
+echo "$as_me: WARNING: sys/capability.h: see the Autoconf documentation" >&2;}
+    { echo "$as_me:$LINENO: WARNING: sys/capability.h:     section \"Present But Cannot Be Compiled\"" >&5
+echo "$as_me: WARNING: sys/capability.h:     section \"Present But Cannot Be Compiled\"" >&2;}
+    { echo "$as_me:$LINENO: WARNING: sys/capability.h: proceeding with the preprocessor's result" >&5
+echo "$as_me: WARNING: sys/capability.h: proceeding with the preprocessor's result" >&2;}
+    { echo "$as_me:$LINENO: WARNING: sys/capability.h: in the future, the compiler will take precedence" >&5
+echo "$as_me: WARNING: sys/capability.h: in the future, the compiler will take precedence" >&2;}
+
+    ;;
+esac
+{ echo "$as_me:$LINENO: checking for sys/capability.h" >&5
+echo $ECHO_N "checking for sys/capability.h... $ECHO_C" >&6; }
+if test "${ac_cv_header_sys_capability_h+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_cv_header_sys_capability_h=$ac_header_preproc
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_header_sys_capability_h" >&5
+echo "${ECHO_T}$ac_cv_header_sys_capability_h" >&6; }
+
+fi
+if test $ac_cv_header_sys_capability_h = yes; then
+  :
+else
+  { { echo "$as_me:$LINENO: error: libcap header sys/capability.h not found!" >&5
+echo "$as_me: error: libcap header sys/capability.h not found!" >&2;}
+   { (exit 1); exit 1; }; }
+fi
+
+
+fi
+
+
+libstrongswan_plugins=
+
+if test x$curl = xtrue; then
+	libstrongswan_plugins=${libstrongswan_plugins}" curl"
+fi
+if test x$ldap = xtrue; then
+	libstrongswan_plugins=${libstrongswan_plugins}" ldap"
+fi
+if test x$aes = xtrue; then
+	libstrongswan_plugins=${libstrongswan_plugins}" aes"
+fi
+if test x$des = xtrue; then
+	libstrongswan_plugins=${libstrongswan_plugins}" des"
+fi
+if test x$sha1 = xtrue; then
+	libstrongswan_plugins=${libstrongswan_plugins}" sha1"
+fi
+if test x$sha2 = xtrue; then
+	libstrongswan_plugins=${libstrongswan_plugins}" sha2"
+fi
+if test x$md5 = xtrue; then
+	libstrongswan_plugins=${libstrongswan_plugins}" md5"
+fi
+if test x$fips_prf = xtrue; then
+	libstrongswan_plugins=${libstrongswan_plugins}" fips-prf"
+fi
+if test x$random = xtrue; then
+	libstrongswan_plugins=${libstrongswan_plugins}" random"
+fi
+if test x$x509 = xtrue; then
+	libstrongswan_plugins=${libstrongswan_plugins}" x509"
+fi
+if test x$pubkey = xtrue; then
+	libstrongswan_plugins=${libstrongswan_plugins}" pubkey"
+fi
+if test x$xcbc = xtrue; then
+	libstrongswan_plugins=${libstrongswan_plugins}" xcbc"
+fi
+if test x$hmac = xtrue; then
+	libstrongswan_plugins=${libstrongswan_plugins}" hmac"
+fi
+if test x$mysql = xtrue; then
+	libstrongswan_plugins=${libstrongswan_plugins}" mysql"
+fi
+if test x$sqlite = xtrue; then
+	libstrongswan_plugins=${libstrongswan_plugins}" sqlite"
+fi
+if test x$padlock = xtrue; then
+	libstrongswan_plugins=${libstrongswan_plugins}" padlock"
+fi
+if test x$openssl = xtrue; then
+	libstrongswan_plugins=${libstrongswan_plugins}" openssl"
+fi
+if test x$agent = xtrue; then
+	libstrongswan_plugins=${libstrongswan_plugins}" agent"
+fi
+if test x$gmp = xtrue; then
+	libstrongswan_plugins=${libstrongswan_plugins}" gmp"
+fi
+
+
+
+
+ if test x$curl = xtrue; then
+  USE_CURL_TRUE=
+  USE_CURL_FALSE='#'
+else
+  USE_CURL_TRUE='#'
+  USE_CURL_FALSE=
+fi
+
+ if test x$ldap = xtrue; then
+  USE_LDAP_TRUE=
+  USE_LDAP_FALSE='#'
+else
+  USE_LDAP_TRUE='#'
+  USE_LDAP_FALSE=
+fi
+
+ if test x$aes = xtrue; then
+  USE_AES_TRUE=
+  USE_AES_FALSE='#'
+else
+  USE_AES_TRUE='#'
+  USE_AES_FALSE=
+fi
+
+ if test x$des = xtrue; then
+  USE_DES_TRUE=
+  USE_DES_FALSE='#'
+else
+  USE_DES_TRUE='#'
+  USE_DES_FALSE=
+fi
+
+ if test x$md5 = xtrue; then
+  USE_MD5_TRUE=
+  USE_MD5_FALSE='#'
+else
+  USE_MD5_TRUE='#'
+  USE_MD5_FALSE=
+fi
+
+ if test x$sha1 = xtrue; then
+  USE_SHA1_TRUE=
+  USE_SHA1_FALSE='#'
+else
+  USE_SHA1_TRUE='#'
+  USE_SHA1_FALSE=
+fi
+
+ if test x$sha2 = xtrue; then
   USE_SHA2_TRUE=
   USE_SHA2_FALSE='#'
 else
@@ -24956,6 +25567,14 @@ else
   USE_OPENSSL_FALSE=
 fi
 
+ if test x$agent = xtrue; then
+  USE_AGENT_TRUE=
+  USE_AGENT_FALSE='#'
+else
+  USE_AGENT_TRUE='#'
+  USE_AGENT_FALSE=
+fi
+
 
  if test x$stroke = xtrue; then
   USE_STROKE_TRUE=
@@ -24981,6 +25600,14 @@ else
   USE_MEDCLI_FALSE=
 fi
 
+ if test x$nm = xtrue; then
+  USE_NM_TRUE=
+  USE_NM_FALSE='#'
+else
+  USE_NM_TRUE='#'
+  USE_NM_FALSE=
+fi
+
  if test x$uci = xtrue; then
   USE_UCI_TRUE=
   USE_UCI_FALSE='#'
@@ -25021,6 +25648,14 @@ else
   USE_EAP_SIM_FALSE=
 fi
 
+ if test x$eap_sim_file = xtrue; then
+  USE_EAP_SIM_FILE_TRUE=
+  USE_EAP_SIM_FILE_FALSE='#'
+else
+  USE_EAP_SIM_FILE_TRUE='#'
+  USE_EAP_SIM_FILE_FALSE=
+fi
+
  if test x$eap_identity = xtrue; then
   USE_EAP_IDENTITY_TRUE=
   USE_EAP_IDENTITY_FALSE='#'
@@ -25037,6 +25672,14 @@ else
   USE_EAP_MD5_FALSE=
 fi
 
+ if test x$eap_gtc = xtrue; then
+  USE_EAP_GTC_TRUE=
+  USE_EAP_GTC_FALSE='#'
+else
+  USE_EAP_GTC_TRUE='#'
+  USE_EAP_GTC_FALSE=
+fi
+
  if test x$eap_aka = xtrue; then
   USE_EAP_AKA_TRUE=
   USE_EAP_AKA_FALSE='#'
@@ -25045,6 +25688,14 @@ else
   USE_EAP_AKA_FALSE=
 fi
 
+ if test x$kernel_netlink = xtrue; then
+  USE_KERNEL_NETLINK_TRUE=
+  USE_KERNEL_NETLINK_FALSE='#'
+else
+  USE_KERNEL_NETLINK_TRUE='#'
+  USE_KERNEL_NETLINK_FALSE=
+fi
+
 
  if test x$smartcard = xtrue; then
   USE_SMARTCARD_TRUE=
@@ -25142,6 +25793,14 @@ else
   USE_SELF_TEST_FALSE=
 fi
 
+ if test x$capabilities = xlibcap; then
+  USE_CAPABILITIES_TRUE=
+  USE_CAPABILITIES_FALSE='#'
+else
+  USE_CAPABILITIES_TRUE='#'
+  USE_CAPABILITIES_FALSE=
+fi
+
  if test x$pluto = xtrue; then
   USE_PLUTO_TRUE=
   USE_PLUTO_FALSE='#'
@@ -25197,10 +25856,16 @@ if test x$me = xtrue; then
 #define ME 1
 _ACEOF
 
+fi
+if test x$capabilities = xlibcap; then
+	cat >>confdefs.h <<\_ACEOF
+#define CAPABILITIES 1
+_ACEOF
+
 fi
 
 
-ac_config_files="$ac_config_files Makefile src/Makefile src/include/Makefile src/libstrongswan/Makefile src/libstrongswan/plugins/aes/Makefile src/libstrongswan/plugins/des/Makefile src/libstrongswan/plugins/md5/Makefile src/libstrongswan/plugins/sha1/Makefile src/libstrongswan/plugins/sha2/Makefile src/libstrongswan/plugins/fips_prf/Makefile src/libstrongswan/plugins/gmp/Makefile src/libstrongswan/plugins/random/Makefile src/libstrongswan/plugins/hmac/Makefile src/libstrongswan/plugins/xcbc/Makefile src/libstrongswan/plugins/x509/Makefile src/libstrongswan/plugins/pubkey/Makefile src/libstrongswan/plugins/curl/Makefile src/libstrongswan/plugins/ldap/Makefile src/libstrongswan/plugins/mysql/Makefile src/libstrongswan/plugins/sqlite/Makefile src/libstrongswan/plugins/padlock/Makefile src/libstrongswan/plugins/openssl/Makefile src/libcrypto/Makefile src/libfreeswan/Makefile src/pluto/Makefile src/whack/Makefile src/charon/Makefile src/charon/plugins/eap_aka/Makefile src/charon/plugins/eap_identity/Makefile src/charon/plugins/eap_md5/Makefile src/charon/plugins/eap_sim/Makefile src/charon/plugins/smp/Makefile src/charon/plugins/sql/Makefile src/charon/plugins/medsrv/Makefile src/charon/plugins/medcli/Makefile src/charon/plugins/uci/Makefile src/charon/plugins/stroke/Makefile src/charon/plugins/unit_tester/Makefile src/stroke/Makefile src/ipsec/Makefile src/starter/Makefile src/_updown/Makefile src/_updown_espmark/Makefile src/_copyright/Makefile src/openac/Makefile src/scepclient/Makefile src/dumm/Makefile src/libfast/Makefile src/manager/Makefile src/medsrv/Makefile testing/Makefile"
+ac_config_files="$ac_config_files Makefile src/Makefile src/include/Makefile src/libstrongswan/Makefile src/libstrongswan/plugins/aes/Makefile src/libstrongswan/plugins/des/Makefile src/libstrongswan/plugins/md5/Makefile src/libstrongswan/plugins/sha1/Makefile src/libstrongswan/plugins/sha2/Makefile src/libstrongswan/plugins/fips_prf/Makefile src/libstrongswan/plugins/gmp/Makefile src/libstrongswan/plugins/random/Makefile src/libstrongswan/plugins/hmac/Makefile src/libstrongswan/plugins/xcbc/Makefile src/libstrongswan/plugins/x509/Makefile src/libstrongswan/plugins/pubkey/Makefile src/libstrongswan/plugins/curl/Makefile src/libstrongswan/plugins/ldap/Makefile src/libstrongswan/plugins/mysql/Makefile src/libstrongswan/plugins/sqlite/Makefile src/libstrongswan/plugins/padlock/Makefile src/libstrongswan/plugins/openssl/Makefile src/libstrongswan/plugins/agent/Makefile src/libstrongswan/fips/Makefile src/libcrypto/Makefile src/libfreeswan/Makefile src/pluto/Makefile src/whack/Makefile src/charon/Makefile src/charon/plugins/eap_aka/Makefile src/charon/plugins/eap_identity/Makefile src/charon/plugins/eap_md5/Makefile src/charon/plugins/eap_gtc/Makefile src/charon/plugins/eap_sim/Makefile src/charon/plugins/eap_sim_file/Makefile src/charon/plugins/kernel_netlink/Makefile src/charon/plugins/smp/Makefile src/charon/plugins/sql/Makefile src/charon/plugins/medsrv/Makefile src/charon/plugins/medcli/Makefile src/charon/plugins/nm/Makefile src/charon/plugins/uci/Makefile src/charon/plugins/stroke/Makefile src/charon/plugins/unit_tester/Makefile src/stroke/Makefile src/ipsec/Makefile src/starter/Makefile src/_updown/Makefile src/_updown_espmark/Makefile src/_copyright/Makefile src/openac/Makefile src/scepclient/Makefile src/dumm/Makefile src/libfast/Makefile src/manager/Makefile src/medsrv/Makefile scripts/Makefile testing/Makefile"
 
 cat >confcache <<\_ACEOF
 # This file is a shell script that caches the results of configure
@@ -25482,6 +26147,13 @@ echo "$as_me: error: conditional \"USE_OPENSSL\" was never defined.
 Usually this means the macro was only invoked conditionally." >&2;}
    { (exit 1); exit 1; }; }
 fi
+if test -z "${USE_AGENT_TRUE}" && test -z "${USE_AGENT_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"USE_AGENT\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"USE_AGENT\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
+fi
 if test -z "${USE_STROKE_TRUE}" && test -z "${USE_STROKE_FALSE}"; then
   { { echo "$as_me:$LINENO: error: conditional \"USE_STROKE\" was never defined.
 Usually this means the macro was only invoked conditionally." >&5
@@ -25503,6 +26175,13 @@ echo "$as_me: error: conditional \"USE_MEDCLI\" was never defined.
 Usually this means the macro was only invoked conditionally." >&2;}
    { (exit 1); exit 1; }; }
 fi
+if test -z "${USE_NM_TRUE}" && test -z "${USE_NM_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"USE_NM\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"USE_NM\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
+fi
 if test -z "${USE_UCI_TRUE}" && test -z "${USE_UCI_FALSE}"; then
   { { echo "$as_me:$LINENO: error: conditional \"USE_UCI\" was never defined.
 Usually this means the macro was only invoked conditionally." >&5
@@ -25538,6 +26217,13 @@ echo "$as_me: error: conditional \"USE_EAP_SIM\" was never defined.
 Usually this means the macro was only invoked conditionally." >&2;}
    { (exit 1); exit 1; }; }
 fi
+if test -z "${USE_EAP_SIM_FILE_TRUE}" && test -z "${USE_EAP_SIM_FILE_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"USE_EAP_SIM_FILE\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"USE_EAP_SIM_FILE\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
+fi
 if test -z "${USE_EAP_IDENTITY_TRUE}" && test -z "${USE_EAP_IDENTITY_FALSE}"; then
   { { echo "$as_me:$LINENO: error: conditional \"USE_EAP_IDENTITY\" was never defined.
 Usually this means the macro was only invoked conditionally." >&5
@@ -25552,6 +26238,13 @@ echo "$as_me: error: conditional \"USE_EAP_MD5\" was never defined.
 Usually this means the macro was only invoked conditionally." >&2;}
    { (exit 1); exit 1; }; }
 fi
+if test -z "${USE_EAP_GTC_TRUE}" && test -z "${USE_EAP_GTC_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"USE_EAP_GTC\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"USE_EAP_GTC\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
+fi
 if test -z "${USE_EAP_AKA_TRUE}" && test -z "${USE_EAP_AKA_FALSE}"; then
   { { echo "$as_me:$LINENO: error: conditional \"USE_EAP_AKA\" was never defined.
 Usually this means the macro was only invoked conditionally." >&5
@@ -25559,6 +26252,13 @@ echo "$as_me: error: conditional \"USE_EAP_AKA\" was never defined.
 Usually this means the macro was only invoked conditionally." >&2;}
    { (exit 1); exit 1; }; }
 fi
+if test -z "${USE_KERNEL_NETLINK_TRUE}" && test -z "${USE_KERNEL_NETLINK_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"USE_KERNEL_NETLINK\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"USE_KERNEL_NETLINK\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
+fi
 if test -z "${USE_SMARTCARD_TRUE}" && test -z "${USE_SMARTCARD_FALSE}"; then
   { { echo "$as_me:$LINENO: error: conditional \"USE_SMARTCARD\" was never defined.
 Usually this means the macro was only invoked conditionally." >&5
@@ -25643,6 +26343,13 @@ echo "$as_me: error: conditional \"USE_SELF_TEST\" was never defined.
 Usually this means the macro was only invoked conditionally." >&2;}
    { (exit 1); exit 1; }; }
 fi
+if test -z "${USE_CAPABILITIES_TRUE}" && test -z "${USE_CAPABILITIES_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"USE_CAPABILITIES\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"USE_CAPABILITIES\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
+fi
 if test -z "${USE_PLUTO_TRUE}" && test -z "${USE_PLUTO_FALSE}"; then
   { { echo "$as_me:$LINENO: error: conditional \"USE_PLUTO\" was never defined.
 Usually this means the macro was only invoked conditionally." >&5
@@ -25985,7 +26692,7 @@ exec 6>&1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by strongSwan $as_me 4.2.4, which was
+This file was extended by strongSwan $as_me 4.2.8, which was
 generated by GNU Autoconf 2.61.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -26032,7 +26739,7 @@ Report bugs to <bug-autoconf@gnu.org>."
 _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF
 ac_cs_version="\\
-strongSwan config.status 4.2.4
+strongSwan config.status 4.2.8
 configured by $0, generated by GNU Autoconf 2.61,
   with options \\"`echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`\\"
 
@@ -26160,6 +26867,8 @@ do
     "src/libstrongswan/plugins/sqlite/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/sqlite/Makefile" ;;
     "src/libstrongswan/plugins/padlock/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/padlock/Makefile" ;;
     "src/libstrongswan/plugins/openssl/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/openssl/Makefile" ;;
+    "src/libstrongswan/plugins/agent/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/agent/Makefile" ;;
+    "src/libstrongswan/fips/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/fips/Makefile" ;;
     "src/libcrypto/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcrypto/Makefile" ;;
     "src/libfreeswan/Makefile") CONFIG_FILES="$CONFIG_FILES src/libfreeswan/Makefile" ;;
     "src/pluto/Makefile") CONFIG_FILES="$CONFIG_FILES src/pluto/Makefile" ;;
@@ -26168,11 +26877,15 @@ do
     "src/charon/plugins/eap_aka/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/eap_aka/Makefile" ;;
     "src/charon/plugins/eap_identity/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/eap_identity/Makefile" ;;
     "src/charon/plugins/eap_md5/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/eap_md5/Makefile" ;;
+    "src/charon/plugins/eap_gtc/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/eap_gtc/Makefile" ;;
     "src/charon/plugins/eap_sim/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/eap_sim/Makefile" ;;
+    "src/charon/plugins/eap_sim_file/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/eap_sim_file/Makefile" ;;
+    "src/charon/plugins/kernel_netlink/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/kernel_netlink/Makefile" ;;
     "src/charon/plugins/smp/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/smp/Makefile" ;;
     "src/charon/plugins/sql/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/sql/Makefile" ;;
     "src/charon/plugins/medsrv/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/medsrv/Makefile" ;;
     "src/charon/plugins/medcli/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/medcli/Makefile" ;;
+    "src/charon/plugins/nm/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/nm/Makefile" ;;
     "src/charon/plugins/uci/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/uci/Makefile" ;;
     "src/charon/plugins/stroke/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/stroke/Makefile" ;;
     "src/charon/plugins/unit_tester/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/unit_tester/Makefile" ;;
@@ -26188,6 +26901,7 @@ do
     "src/libfast/Makefile") CONFIG_FILES="$CONFIG_FILES src/libfast/Makefile" ;;
     "src/manager/Makefile") CONFIG_FILES="$CONFIG_FILES src/manager/Makefile" ;;
     "src/medsrv/Makefile") CONFIG_FILES="$CONFIG_FILES src/medsrv/Makefile" ;;
+    "scripts/Makefile") CONFIG_FILES="$CONFIG_FILES scripts/Makefile" ;;
     "testing/Makefile") CONFIG_FILES="$CONFIG_FILES testing/Makefile" ;;
 
   *) { { echo "$as_me:$LINENO: error: invalid argument: $ac_config_target" >&5
@@ -26420,6 +27134,8 @@ xml_CFLAGS!$xml_CFLAGS$ac_delim
 xml_LIBS!$xml_LIBS$ac_delim
 gtk_CFLAGS!$gtk_CFLAGS$ac_delim
 gtk_LIBS!$gtk_LIBS$ac_delim
+nm_CFLAGS!$nm_CFLAGS$ac_delim
+nm_LIBS!$nm_LIBS$ac_delim
 libstrongswan_plugins!$libstrongswan_plugins$ac_delim
 USE_CURL_TRUE!$USE_CURL_TRUE$ac_delim
 USE_CURL_FALSE!$USE_CURL_FALSE$ac_delim
@@ -26457,12 +27173,16 @@ USE_PADLOCK_TRUE!$USE_PADLOCK_TRUE$ac_delim
 USE_PADLOCK_FALSE!$USE_PADLOCK_FALSE$ac_delim
 USE_OPENSSL_TRUE!$USE_OPENSSL_TRUE$ac_delim
 USE_OPENSSL_FALSE!$USE_OPENSSL_FALSE$ac_delim
+USE_AGENT_TRUE!$USE_AGENT_TRUE$ac_delim
+USE_AGENT_FALSE!$USE_AGENT_FALSE$ac_delim
 USE_STROKE_TRUE!$USE_STROKE_TRUE$ac_delim
 USE_STROKE_FALSE!$USE_STROKE_FALSE$ac_delim
 USE_MEDSRV_TRUE!$USE_MEDSRV_TRUE$ac_delim
 USE_MEDSRV_FALSE!$USE_MEDSRV_FALSE$ac_delim
 USE_MEDCLI_TRUE!$USE_MEDCLI_TRUE$ac_delim
 USE_MEDCLI_FALSE!$USE_MEDCLI_FALSE$ac_delim
+USE_NM_TRUE!$USE_NM_TRUE$ac_delim
+USE_NM_FALSE!$USE_NM_FALSE$ac_delim
 USE_UCI_TRUE!$USE_UCI_TRUE$ac_delim
 USE_UCI_FALSE!$USE_UCI_FALSE$ac_delim
 USE_SMP_TRUE!$USE_SMP_TRUE$ac_delim
@@ -26473,18 +27193,12 @@ USE_UNIT_TESTS_TRUE!$USE_UNIT_TESTS_TRUE$ac_delim
 USE_UNIT_TESTS_FALSE!$USE_UNIT_TESTS_FALSE$ac_delim
 USE_EAP_SIM_TRUE!$USE_EAP_SIM_TRUE$ac_delim
 USE_EAP_SIM_FALSE!$USE_EAP_SIM_FALSE$ac_delim
+USE_EAP_SIM_FILE_TRUE!$USE_EAP_SIM_FILE_TRUE$ac_delim
+USE_EAP_SIM_FILE_FALSE!$USE_EAP_SIM_FILE_FALSE$ac_delim
 USE_EAP_IDENTITY_TRUE!$USE_EAP_IDENTITY_TRUE$ac_delim
 USE_EAP_IDENTITY_FALSE!$USE_EAP_IDENTITY_FALSE$ac_delim
 USE_EAP_MD5_TRUE!$USE_EAP_MD5_TRUE$ac_delim
 USE_EAP_MD5_FALSE!$USE_EAP_MD5_FALSE$ac_delim
-USE_EAP_AKA_TRUE!$USE_EAP_AKA_TRUE$ac_delim
-USE_EAP_AKA_FALSE!$USE_EAP_AKA_FALSE$ac_delim
-USE_SMARTCARD_TRUE!$USE_SMARTCARD_TRUE$ac_delim
-USE_SMARTCARD_FALSE!$USE_SMARTCARD_FALSE$ac_delim
-USE_CISCO_QUIRKS_TRUE!$USE_CISCO_QUIRKS_TRUE$ac_delim
-USE_CISCO_QUIRKS_FALSE!$USE_CISCO_QUIRKS_FALSE$ac_delim
-USE_LEAK_DETECTIVE_TRUE!$USE_LEAK_DETECTIVE_TRUE$ac_delim
-USE_LEAK_DETECTIVE_FALSE!$USE_LEAK_DETECTIVE_FALSE$ac_delim
 _ACEOF
 
   if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 97; then
@@ -26526,6 +27240,18 @@ _ACEOF
 ac_delim='%!_!# '
 for ac_last_try in false false false false false :; do
   cat >conf$$subs.sed <<_ACEOF
+USE_EAP_GTC_TRUE!$USE_EAP_GTC_TRUE$ac_delim
+USE_EAP_GTC_FALSE!$USE_EAP_GTC_FALSE$ac_delim
+USE_EAP_AKA_TRUE!$USE_EAP_AKA_TRUE$ac_delim
+USE_EAP_AKA_FALSE!$USE_EAP_AKA_FALSE$ac_delim
+USE_KERNEL_NETLINK_TRUE!$USE_KERNEL_NETLINK_TRUE$ac_delim
+USE_KERNEL_NETLINK_FALSE!$USE_KERNEL_NETLINK_FALSE$ac_delim
+USE_SMARTCARD_TRUE!$USE_SMARTCARD_TRUE$ac_delim
+USE_SMARTCARD_FALSE!$USE_SMARTCARD_FALSE$ac_delim
+USE_CISCO_QUIRKS_TRUE!$USE_CISCO_QUIRKS_TRUE$ac_delim
+USE_CISCO_QUIRKS_FALSE!$USE_CISCO_QUIRKS_FALSE$ac_delim
+USE_LEAK_DETECTIVE_TRUE!$USE_LEAK_DETECTIVE_TRUE$ac_delim
+USE_LEAK_DETECTIVE_FALSE!$USE_LEAK_DETECTIVE_FALSE$ac_delim
 USE_NAT_TRANSPORT_TRUE!$USE_NAT_TRANSPORT_TRUE$ac_delim
 USE_NAT_TRANSPORT_FALSE!$USE_NAT_TRANSPORT_FALSE$ac_delim
 USE_VENDORID_TRUE!$USE_VENDORID_TRUE$ac_delim
@@ -26544,6 +27270,8 @@ USE_INTEGRITY_TEST_TRUE!$USE_INTEGRITY_TEST_TRUE$ac_delim
 USE_INTEGRITY_TEST_FALSE!$USE_INTEGRITY_TEST_FALSE$ac_delim
 USE_SELF_TEST_TRUE!$USE_SELF_TEST_TRUE$ac_delim
 USE_SELF_TEST_FALSE!$USE_SELF_TEST_FALSE$ac_delim
+USE_CAPABILITIES_TRUE!$USE_CAPABILITIES_TRUE$ac_delim
+USE_CAPABILITIES_FALSE!$USE_CAPABILITIES_FALSE$ac_delim
 USE_PLUTO_TRUE!$USE_PLUTO_TRUE$ac_delim
 USE_PLUTO_FALSE!$USE_PLUTO_FALSE$ac_delim
 USE_CHARON_TRUE!$USE_CHARON_TRUE$ac_delim
@@ -26560,7 +27288,7 @@ LIBOBJS!$LIBOBJS$ac_delim
 LTLIBOBJS!$LTLIBOBJS$ac_delim
 _ACEOF
 
-  if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 32; then
+  if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 46; then
     break
   elif $ac_last_try; then
     { { echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5
diff --git a/configure.in b/configure.in
index 7c9db68ae..6c8c1accc 100644
--- a/configure.in
+++ b/configure.in
@@ -16,7 +16,7 @@ dnl ===========================
 dnl  initialize & set some vars
 dnl ===========================
 
-AC_INIT(strongSwan,4.2.4)
+AC_INIT(strongSwan,4.2.8)
 AM_INIT_AUTOMAKE(tar-ustar)
 AC_C_BIGENDIAN
 AC_SUBST(confdir, '${sysconfdir}')
@@ -77,28 +77,28 @@ AC_ARG_WITH(
 	[ipsecdir],
 	AS_HELP_STRING([--with-ipsecdir=dir],[installation path for ipsec tools other than "libexecdir/ipsec"]),
 	[AC_SUBST(ipsecdir, "$withval")],
-	[AC_SUBST(ipsecdir, "${libexecdir}/ipsec")]
+	[AC_SUBST(ipsecdir, "${libexecdir%/}/ipsec")]
 )
-AC_SUBST(plugindir, "${ipsecdir}/plugins")
+AC_SUBST(plugindir, "${ipsecdir%/}/plugins")
 
 AC_ARG_WITH(
 	[plugindir],
 	AS_HELP_STRING([--with-plugindir=dir],[installation path for plugins other than "ipsecdir/plugins"]),
 	[AC_SUBST(plugindir, "$withval")],
-	[AC_SUBST(plugindir, "${ipsecdir}/plugins")]
+	[AC_SUBST(plugindir, "${ipsecdir%/}/plugins")]
 )
 
 AC_ARG_WITH(
 	[sim-reader],
 	AS_HELP_STRING([--with-sim-reader=library.so],[library containing the sim_run_alg()/sim_get_triplet() function for EAP-SIM]),
 	[AC_SUBST(simreader, "$withval")],
-	[AC_SUBST(simreader, "${plugindir}/libeapsim-file.so")]
+	[AC_SUBST(simreader, "${plugindir%/}/libeapsim-file.so")]
 )
 
 AC_ARG_WITH(
 	[linux-headers],
 	AS_HELP_STRING([--with-linux-headers=dir],[use the linux header files in dir instead of the supplied ones in "src/include"]),
-	[AC_SUBST(linuxdir, "$withval")], [AC_SUBST(linuxdir, "../include")]
+	[AC_SUBST(linuxdir, "$withval")], [AC_SUBST(linuxdir, "\${top_srcdir}/src/include")]
 )
 AC_SUBST(LINUX_HEADERS)
 
@@ -138,6 +138,14 @@ AC_ARG_WITH(
 	[AC_SUBST(ipsecgroup, "root")]
 )
 
+dnl Will be extended to --with-capabilities=libcap|libcap2
+AC_ARG_WITH(
+	[capabilities],
+	AS_HELP_STRING([--with-capabilities=libcap],[capability dropping using libcap. Currenlty only the value "libcap" is supported (default is NO).]),
+	[capabilities="$withval"],
+	[capabilities=no]
+)
+
 AC_ARG_ENABLE(
 	[curl],
 	AS_HELP_STRING([--enable-curl],[enable CURL fetcher plugin to fetch files via libcurl (default is NO). Requires libcurl.]),
@@ -385,6 +393,14 @@ AC_ARG_ENABLE(
 	fi]
 )
 
+AC_ARG_ENABLE(
+	[eap-sim-file],
+	AS_HELP_STRING([--enable-eap-sim-file],[build EAP-SIM backend based on a triplet file (default is NO).]),
+	[if test x$enableval = xyes; then
+		eap_sim_file=true
+	fi]
+)
+
 AC_ARG_ENABLE(
 	[eap-identity],
 	AS_HELP_STRING([--enable-eap-identity],[build EAP module providing EAP-Identity helper (default is NO).]),
@@ -401,6 +417,14 @@ AC_ARG_ENABLE(
 	fi]
 )
 
+AC_ARG_ENABLE(
+	[eap-gtc],
+	AS_HELP_STRING([--enable-eap-gtc],[build PAM based GTC authenication module for EAP (default is NO).]),
+	[if test x$enableval = xyes; then
+		eap_gtc=true
+	fi]
+)
+
 AC_ARG_ENABLE(
 	[eap-aka],
 	AS_HELP_STRING([--enable-eap-aka],[build AKA authentication module for EAP (default is NO).]),
@@ -409,6 +433,17 @@ AC_ARG_ENABLE(
 	fi]
 )
 
+AC_ARG_ENABLE(
+	[kernel-netlink],
+	AS_HELP_STRING([--disable-kernel-netlink],[disable the netlink kernel interface. (default is NO).]),
+	[if test x$enableval = xyes; then
+		kernel_netlink=true
+	 else
+		kernel_netlink=false
+	fi],
+	kernel_netlink=true
+)
+
 AC_ARG_ENABLE(
 	[nat-transport],
 	AS_HELP_STRING([--enable-nat-transport],[enable NAT traversal with IPsec transport mode (default is NO).]),
@@ -555,6 +590,16 @@ AC_ARG_ENABLE(
 	fi],
 )
 
+AC_ARG_ENABLE(
+	[agent],
+	AS_HELP_STRING([--enable-agent],[enables the ssh-agent signing plugin. (default is NO).]),
+	[if test x$enableval = xyes; then
+		agent=true
+	 else
+		agent=false
+	fi],
+)
+
 AC_ARG_ENABLE(
 	[uci],
 	AS_HELP_STRING([--enable-uci],[enable OpenWRT UCI configuration plugin (default is NO).]),
@@ -563,6 +608,14 @@ AC_ARG_ENABLE(
 	fi]
 )
 
+AC_ARG_ENABLE(
+	[nm],
+	AS_HELP_STRING([--enable-nm],[enable NetworkManager plugin (default is NO).]),
+	[if test x$enableval = xyes; then
+		nm=true
+	fi]
+)
+
 dnl =========================
 dnl  check required programs
 dnl =========================
@@ -612,15 +665,6 @@ AC_HAVE_LIBRARY(dl)
 AC_CHECK_FUNCS(backtrace)
 AC_CHECK_FUNCS(dladdr)
 
-AC_MSG_CHECKING([capset() definition])
-AC_TRY_COMPILE(
-	[#include <linux/capset.h>],
-	[
-		void *test = capset;
-	], 
-	[AC_MSG_RESULT([yes])], [AC_MSG_RESULT([no]); AC_DEFINE_UNQUOTED(NO_CAPSET_DEFINED, 1)]
-)
-
 if test x$gmp = xtrue; then
 	AC_HAVE_LIBRARY([gmp],[LIBS="$LIBS"],[AC_MSG_ERROR([GNU Multi Precision library gmp not found])])
 	AC_MSG_CHECKING([gmp.h version >= 4.1.4])
@@ -684,6 +728,15 @@ if test x$sqlite = xtrue; then
 			void *test = sqlite3_prepare_v2;
 		], 
 		[AC_MSG_RESULT([yes])]; AC_DEFINE_UNQUOTED(HAVE_SQLITE3_PREPARE_V2, 1), [AC_MSG_RESULT([no])])
+	AC_MSG_CHECKING([sqlite3.h version >= 3.3.1])
+	AC_TRY_COMPILE(
+		[#include <sqlite3.h>],
+		[
+			#if SQLITE_VERSION_NUMBER < 3003001
+				#error bad sqlite
+			#endif
+		], 
+		[AC_MSG_RESULT([yes])], [AC_MSG_RESULT([no]); AC_MSG_ERROR([SQLite version >= 3.3.1 required!])])
 fi
 
 if test x$openssl = xtrue; then
@@ -696,6 +749,22 @@ if test x$uci = xtrue; then
 	AC_CHECK_HEADER([uci.h],,[AC_MSG_ERROR([UCI header uci.h not found!])])
 fi
 
+if test x$nm = xtrue; then
+	PKG_CHECK_MODULES(nm, [NetworkManager libnm_glib_vpn gthread-2.0])
+	AC_SUBST(nm_CFLAGS)
+	AC_SUBST(nm_LIBS)
+fi
+
+if test x$eap_gtc = xtrue; then
+	AC_HAVE_LIBRARY([pam],[LIBS="$LIBS"],[AC_MSG_ERROR([PAM library not found])])
+	AC_CHECK_HEADER([security/pam_appl.h],,[AC_MSG_ERROR([PAM header security/pam_appl.h not found!])])
+fi
+
+if test x$capabilities = xlibcap; then
+	AC_HAVE_LIBRARY([cap],[LIBS="$LIBS"],[AC_MSG_ERROR([libcap library not found])])
+	AC_CHECK_HEADER([sys/capability.h],,[AC_MSG_ERROR([libcap header sys/capability.h not found!])])
+fi
+
 dnl ======================================
 dnl  collect all plugins for libstrongswan
 dnl ======================================
@@ -714,21 +783,18 @@ fi
 if test x$des = xtrue; then
 	libstrongswan_plugins=${libstrongswan_plugins}" des"
 fi
-if test x$md5 = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" md5"
-fi
 if test x$sha1 = xtrue; then
 	libstrongswan_plugins=${libstrongswan_plugins}" sha1"
 fi
 if test x$sha2 = xtrue; then
 	libstrongswan_plugins=${libstrongswan_plugins}" sha2"
 fi
+if test x$md5 = xtrue; then
+	libstrongswan_plugins=${libstrongswan_plugins}" md5"
+fi
 if test x$fips_prf = xtrue; then
 	libstrongswan_plugins=${libstrongswan_plugins}" fips-prf"
 fi
-if test x$gmp = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" gmp"
-fi
 if test x$random = xtrue; then
 	libstrongswan_plugins=${libstrongswan_plugins}" random"
 fi
@@ -738,12 +804,12 @@ fi
 if test x$pubkey = xtrue; then
 	libstrongswan_plugins=${libstrongswan_plugins}" pubkey"
 fi
-if test x$hmac = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" hmac"
-fi
 if test x$xcbc = xtrue; then
 	libstrongswan_plugins=${libstrongswan_plugins}" xcbc"
 fi
+if test x$hmac = xtrue; then
+	libstrongswan_plugins=${libstrongswan_plugins}" hmac"
+fi
 if test x$mysql = xtrue; then
 	libstrongswan_plugins=${libstrongswan_plugins}" mysql"
 fi
@@ -756,6 +822,12 @@ fi
 if test x$openssl = xtrue; then
 	libstrongswan_plugins=${libstrongswan_plugins}" openssl"
 fi
+if test x$agent = xtrue; then
+	libstrongswan_plugins=${libstrongswan_plugins}" agent"
+fi
+if test x$gmp = xtrue; then
+	libstrongswan_plugins=${libstrongswan_plugins}" gmp"
+fi
 
 AC_SUBST(libstrongswan_plugins)
 
@@ -783,20 +855,25 @@ AM_CONDITIONAL(USE_MYSQL, test x$mysql = xtrue)
 AM_CONDITIONAL(USE_SQLITE, test x$sqlite = xtrue)
 AM_CONDITIONAL(USE_PADLOCK, test x$padlock = xtrue)
 AM_CONDITIONAL(USE_OPENSSL, test x$openssl = xtrue)
+AM_CONDITIONAL(USE_AGENT, test x$agent = xtrue)
 
 dnl charon plugins
 dnl ==============
 AM_CONDITIONAL(USE_STROKE, test x$stroke = xtrue)
 AM_CONDITIONAL(USE_MEDSRV, test x$medsrv = xtrue)
 AM_CONDITIONAL(USE_MEDCLI, test x$medcli = xtrue)
+AM_CONDITIONAL(USE_NM, test x$nm = xtrue)
 AM_CONDITIONAL(USE_UCI, test x$uci = xtrue)
 AM_CONDITIONAL(USE_SMP, test x$smp = xtrue)
 AM_CONDITIONAL(USE_SQL, test x$sql = xtrue)
 AM_CONDITIONAL(USE_UNIT_TESTS, test x$unittest = xtrue)
 AM_CONDITIONAL(USE_EAP_SIM, test x$eap_sim = xtrue)
+AM_CONDITIONAL(USE_EAP_SIM_FILE, test x$eap_sim_file = xtrue)
 AM_CONDITIONAL(USE_EAP_IDENTITY, test x$eap_identity = xtrue)
 AM_CONDITIONAL(USE_EAP_MD5, test x$eap_md5 = xtrue)
+AM_CONDITIONAL(USE_EAP_GTC, test x$eap_gtc = xtrue)
 AM_CONDITIONAL(USE_EAP_AKA, test x$eap_aka = xtrue)
+AM_CONDITIONAL(USE_KERNEL_NETLINK, test x$kernel_netlink = xtrue)
 
 dnl other options
 dnl =============
@@ -812,6 +889,7 @@ AM_CONDITIONAL(USE_MANAGER, test x$manager = xtrue)
 AM_CONDITIONAL(USE_ME, test x$me = xtrue)
 AM_CONDITIONAL(USE_INTEGRITY_TEST, test x$integrity_test = xtrue)
 AM_CONDITIONAL(USE_SELF_TEST, test x$self_test = xtrue)
+AM_CONDITIONAL(USE_CAPABILITIES, test x$capabilities = xlibcap)
 AM_CONDITIONAL(USE_PLUTO, test x$pluto = xtrue)
 AM_CONDITIONAL(USE_CHARON, test x$charon = xtrue)
 AM_CONDITIONAL(USE_TOOLS, test x$tools = xtrue)
@@ -826,6 +904,9 @@ dnl ==============================
 if test x$me = xtrue; then
 	AC_DEFINE(ME)
 fi
+if test x$capabilities = xlibcap; then
+	AC_DEFINE(CAPABILITIES)
+fi
 
 dnl ==============================
 dnl  build Makefiles
@@ -854,6 +935,8 @@ AC_OUTPUT(
 	src/libstrongswan/plugins/sqlite/Makefile
 	src/libstrongswan/plugins/padlock/Makefile
 	src/libstrongswan/plugins/openssl/Makefile
+	src/libstrongswan/plugins/agent/Makefile
+	src/libstrongswan/fips/Makefile
 	src/libcrypto/Makefile
 	src/libfreeswan/Makefile
 	src/pluto/Makefile
@@ -862,11 +945,15 @@ AC_OUTPUT(
 	src/charon/plugins/eap_aka/Makefile
 	src/charon/plugins/eap_identity/Makefile
 	src/charon/plugins/eap_md5/Makefile
+	src/charon/plugins/eap_gtc/Makefile
 	src/charon/plugins/eap_sim/Makefile
+	src/charon/plugins/eap_sim_file/Makefile
+	src/charon/plugins/kernel_netlink/Makefile
 	src/charon/plugins/smp/Makefile
 	src/charon/plugins/sql/Makefile
 	src/charon/plugins/medsrv/Makefile
 	src/charon/plugins/medcli/Makefile
+	src/charon/plugins/nm/Makefile
 	src/charon/plugins/uci/Makefile
 	src/charon/plugins/stroke/Makefile
 	src/charon/plugins/unit_tester/Makefile
@@ -882,5 +969,6 @@ AC_OUTPUT(
 	src/libfast/Makefile
 	src/manager/Makefile
 	src/medsrv/Makefile
+	scripts/Makefile
 	testing/Makefile
 )
diff --git a/scripts/Makefile.am b/scripts/Makefile.am
new file mode 100644
index 000000000..14e460eab
--- /dev/null
+++ b/scripts/Makefile.am
@@ -0,0 +1,13 @@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+AM_CFLAGS =-DIPSEC_PLUGINDIR=\"${plugindir}\"
+
+noinst_PROGRAMS = bin2array bin2sql id2sql key2keyid keyid2sql thread_analysis
+bin2array_SOURCES = bin2array.c
+bin2sql_SOURCES = bin2sql.c
+id2sql_SOURCES = id2sql.c
+key2keyid_SOURCES = key2keyid.c
+keyid2sql_SOURCES = keyid2sql.c
+thread_analysis_SOURCES = thread_analysis.c
+id2sql_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
+key2keyid_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
+keyid2sql_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
diff --git a/scripts/Makefile.in b/scripts/Makefile.in
new file mode 100644
index 000000000..36c547b21
--- /dev/null
+++ b/scripts/Makefile.in
@@ -0,0 +1,511 @@
+# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+noinst_PROGRAMS = bin2array$(EXEEXT) bin2sql$(EXEEXT) id2sql$(EXEEXT) \
+	key2keyid$(EXEEXT) keyid2sql$(EXEEXT) thread_analysis$(EXEEXT)
+subdir = scripts
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+PROGRAMS = $(noinst_PROGRAMS)
+am_bin2array_OBJECTS = bin2array.$(OBJEXT)
+bin2array_OBJECTS = $(am_bin2array_OBJECTS)
+bin2array_LDADD = $(LDADD)
+am_bin2sql_OBJECTS = bin2sql.$(OBJEXT)
+bin2sql_OBJECTS = $(am_bin2sql_OBJECTS)
+bin2sql_LDADD = $(LDADD)
+am_id2sql_OBJECTS = id2sql.$(OBJEXT)
+id2sql_OBJECTS = $(am_id2sql_OBJECTS)
+id2sql_DEPENDENCIES =  \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la
+am_key2keyid_OBJECTS = key2keyid.$(OBJEXT)
+key2keyid_OBJECTS = $(am_key2keyid_OBJECTS)
+key2keyid_DEPENDENCIES =  \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la
+am_keyid2sql_OBJECTS = keyid2sql.$(OBJEXT)
+keyid2sql_OBJECTS = $(am_keyid2sql_OBJECTS)
+keyid2sql_DEPENDENCIES =  \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la
+am_thread_analysis_OBJECTS = thread_analysis.$(OBJEXT)
+thread_analysis_OBJECTS = $(am_thread_analysis_OBJECTS)
+thread_analysis_LDADD = $(LDADD)
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(bin2array_SOURCES) $(bin2sql_SOURCES) $(id2sql_SOURCES) \
+	$(key2keyid_SOURCES) $(keyid2sql_SOURCES) \
+	$(thread_analysis_SOURCES)
+DIST_SOURCES = $(bin2array_SOURCES) $(bin2sql_SOURCES) \
+	$(id2sql_SOURCES) $(key2keyid_SOURCES) $(keyid2sql_SOURCES) \
+	$(thread_analysis_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+CXXDEPMODE = @CXXDEPMODE@
+CXXFLAGS = @CXXFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DSYMUTIL = @DSYMUTIL@
+ECHO = @ECHO@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+F77 = @F77@
+FFLAGS = @FFLAGS@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
+IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LINUX_HEADERS = @LINUX_HEADERS@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+NMEDIT = @NMEDIT@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+RANLIB = @RANLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_CXX = @ac_ct_CXX@
+ac_ct_F77 = @ac_ct_F77@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+confdir = @confdir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libstrongswan_plugins = @libstrongswan_plugins@
+linuxdir = @linuxdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+resolv_conf = @resolv_conf@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+simreader = @simreader@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+AM_CFLAGS = -DIPSEC_PLUGINDIR=\"${plugindir}\"
+bin2array_SOURCES = bin2array.c
+bin2sql_SOURCES = bin2sql.c
+id2sql_SOURCES = id2sql.c
+key2keyid_SOURCES = key2keyid.c
+keyid2sql_SOURCES = keyid2sql.c
+thread_analysis_SOURCES = thread_analysis.c
+id2sql_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
+key2keyid_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
+keyid2sql_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
+		&& exit 0; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  scripts/Makefile'; \
+	cd $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu  scripts/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+clean-noinstPROGRAMS:
+	@list='$(noinst_PROGRAMS)'; for p in $$list; do \
+	  f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
+	  echo " rm -f $$p $$f"; \
+	  rm -f $$p $$f ; \
+	done
+bin2array$(EXEEXT): $(bin2array_OBJECTS) $(bin2array_DEPENDENCIES) 
+	@rm -f bin2array$(EXEEXT)
+	$(LINK) $(bin2array_OBJECTS) $(bin2array_LDADD) $(LIBS)
+bin2sql$(EXEEXT): $(bin2sql_OBJECTS) $(bin2sql_DEPENDENCIES) 
+	@rm -f bin2sql$(EXEEXT)
+	$(LINK) $(bin2sql_OBJECTS) $(bin2sql_LDADD) $(LIBS)
+id2sql$(EXEEXT): $(id2sql_OBJECTS) $(id2sql_DEPENDENCIES) 
+	@rm -f id2sql$(EXEEXT)
+	$(LINK) $(id2sql_OBJECTS) $(id2sql_LDADD) $(LIBS)
+key2keyid$(EXEEXT): $(key2keyid_OBJECTS) $(key2keyid_DEPENDENCIES) 
+	@rm -f key2keyid$(EXEEXT)
+	$(LINK) $(key2keyid_OBJECTS) $(key2keyid_LDADD) $(LIBS)
+keyid2sql$(EXEEXT): $(keyid2sql_OBJECTS) $(keyid2sql_DEPENDENCIES) 
+	@rm -f keyid2sql$(EXEEXT)
+	$(LINK) $(keyid2sql_OBJECTS) $(keyid2sql_LDADD) $(LIBS)
+thread_analysis$(EXEEXT): $(thread_analysis_OBJECTS) $(thread_analysis_DEPENDENCIES) 
+	@rm -f thread_analysis$(EXEEXT)
+	$(LINK) $(thread_analysis_OBJECTS) $(thread_analysis_LDADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bin2array.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bin2sql.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/id2sql.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/key2keyid.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/keyid2sql.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/thread_analysis.Po@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	    $$tags $$unique; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$tags $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) $$here
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	    fi; \
+	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(PROGRAMS)
+installdirs:
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstPROGRAMS \
+	mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+info: info-am
+
+info-am:
+
+install-data-am:
+
+install-dvi: install-dvi-am
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-info: install-info-am
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am:
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstPROGRAMS ctags distclean \
+	distclean-compile distclean-generic distclean-libtool \
+	distclean-tags distdir dvi dvi-am html html-am info info-am \
+	install install-am install-data install-data-am install-dvi \
+	install-dvi-am install-exec install-exec-am install-html \
+	install-html-am install-info install-info-am install-man \
+	install-pdf install-pdf-am install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/scripts/bin2array.c b/scripts/bin2array.c
new file mode 100644
index 000000000..4778b446a
--- /dev/null
+++ b/scripts/bin2array.c
@@ -0,0 +1,34 @@
+
+#include <stdio.h>
+
+/**
+ * convert standard input to binary data to a c array
+ */
+int main(int argc, char *argv[])
+{
+	int i, end = 0;
+	unsigned char byte;
+
+	printf("char %s[] = {\n", argc > 1 ? argv[1] : "data");
+	while (1)
+	{
+		printf("  ");
+		for (i = 0; i < 16; i++)
+		{
+			if (fread(&byte, 1, 1, stdin) != 1)
+			{
+				end = 1;
+				break;
+			}
+			printf("0x%02x,", (unsigned int)byte);
+		}
+		printf("\n");
+		if (end)
+		{
+			break;
+		}
+	}	
+	printf("};\n");
+	return 0;
+}
+
diff --git a/scripts/bin2sql.c b/scripts/bin2sql.c
new file mode 100644
index 000000000..4f83dd3f2
--- /dev/null
+++ b/scripts/bin2sql.c
@@ -0,0 +1,25 @@
+
+#include <stdio.h>
+
+/**
+ * convert standard input to SQL hex binary
+ */
+int main(int argc, char *argv[])
+{
+	int end = 0;
+	unsigned char byte;
+
+	printf("X'");
+	while (1)
+	{
+		if (fread(&byte, 1, 1, stdin) != 1)
+		{
+			end = 1;
+			break;
+		}
+		printf("%02x", (unsigned int)byte);
+	}	
+	printf("'\n");
+	return 0;
+}
+
diff --git a/scripts/id2sql.c b/scripts/id2sql.c
new file mode 100644
index 000000000..3990e88da
--- /dev/null
+++ b/scripts/id2sql.c
@@ -0,0 +1,36 @@
+
+#include <stdio.h>
+#include <library.h>
+
+/**
+ * convert an identity to type and encoding
+ */
+int main(int argc, char *argv[])
+{
+	identification_t *id;
+	chunk_t enc;
+	int i;
+	
+	if (argc < 2)
+	{
+		return -1;
+	}
+
+	id = identification_create_from_string(argv[1]);
+	if (!id)
+	{
+		return -2;
+	}
+	printf("type\tencoding\n");
+	printf("%d,\t", id->get_type(id));
+	enc = id->get_encoding(id);
+
+	printf("X'");
+	for (i = 0; i < enc.len; i++)
+	{
+		printf("%02x", (unsigned int)enc.ptr[i]);
+	}	
+	printf("'\n");
+	return 0;
+}
+
diff --git a/scripts/key2keyid.c b/scripts/key2keyid.c
new file mode 100644
index 000000000..80c342919
--- /dev/null
+++ b/scripts/key2keyid.c
@@ -0,0 +1,71 @@
+
+#include <stdio.h>
+#include <library.h>
+#include <debug.h>
+
+/**
+ * print the keyids of a private or public key
+ */
+int main(int argc, char *argv[])
+{
+	public_key_t *public;
+	private_key_t *private;
+	chunk_t chunk;
+	char buf[8096];
+	int read;
+	
+	library_init(NULL);
+	lib->plugins->load(lib->plugins, IPSEC_PLUGINDIR, "gmp pubkey sha1");
+	atexit(library_deinit);
+
+	read = fread(buf, 1, sizeof(buf), stdin);
+	if (read <= 0)
+	{
+		fprintf(stderr, "reading key failed.\n");
+		return -1;
+	}
+	
+	chunk = chunk_create(buf, read);
+	
+	private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+								 BUILD_BLOB_ASN1_DER, chunk_clone(chunk),
+								 BUILD_END);
+	if (private)
+	{
+		printf("parsed %d bits %N private key.\n",
+			   private->get_keysize(private)*8,
+			   key_type_names, private->get_type(private));
+		printf("%N is:\t %D\n", id_type_names, ID_PUBKEY_INFO_SHA1,
+			   private->get_id(private, ID_PUBKEY_INFO_SHA1));
+		printf("%N is:\t %D\n", id_type_names, ID_PUBKEY_SHA1,
+			   private->get_id(private, ID_PUBKEY_SHA1));
+		private->destroy(private);
+		return 0;
+	}
+	
+	public = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ANY,
+								BUILD_BLOB_ASN1_DER, chunk_clone(chunk),
+								BUILD_END);
+	if (!public)
+	{
+		public = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
+									BUILD_BLOB_ASN1_DER, chunk_clone(chunk),
+									BUILD_END);
+	}
+	if (public)
+	{
+		printf("parsed %d bits %N public key.\n",
+			   public->get_keysize(public)*8,
+			   key_type_names, public->get_type(public));
+		printf("%N is:\t %D\n", id_type_names, ID_PUBKEY_INFO_SHA1,
+			   public->get_id(public, ID_PUBKEY_INFO_SHA1));
+		printf("%N is:\t %D\n", id_type_names, ID_PUBKEY_SHA1,
+			   public->get_id(public, ID_PUBKEY_SHA1));
+		public->destroy(public);
+		return 0;
+	}
+	
+	fprintf(stderr, "unable to parse input key.\n");
+	return -1;
+}
+
diff --git a/scripts/keyid2sql.c b/scripts/keyid2sql.c
new file mode 100644
index 000000000..f7d447a78
--- /dev/null
+++ b/scripts/keyid2sql.c
@@ -0,0 +1,76 @@
+
+#include <stdio.h>
+#include <library.h>
+#include <debug.h>
+
+/**
+ * print the keyids of a private or public key in sql format
+ */
+int main(int argc, char *argv[])
+{
+	public_key_t *public;
+	private_key_t *private;
+	identification_t *keyid;
+	chunk_t chunk;
+	char buf[8096];
+	int read, n;
+	
+	library_init(NULL);
+	lib->plugins->load(lib->plugins, IPSEC_PLUGINDIR, "gmp pubkey sha1");
+	atexit(library_deinit);
+
+	read = fread(buf, 1, sizeof(buf), stdin);
+	if (read <= 0)
+	{
+		fprintf(stderr, "reading key failed.\n");
+		return -1;
+	}
+	
+	chunk = chunk_create(buf, read);
+	
+	private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+								 BUILD_BLOB_ASN1_DER, chunk_clone(chunk),
+								 BUILD_END);
+	if (private)
+	{
+		keyid = private->get_id(private, ID_PUBKEY_INFO_SHA1);
+		chunk = keyid->get_encoding(keyid);
+
+		printf("%d, X'", ID_PUBKEY_INFO_SHA1);
+		for (n = 0; n < chunk.len; n++)
+		{
+			printf("%.2x", chunk.ptr[n]);
+		}
+		printf("'\n");
+		private->destroy(private);
+		return 0;
+	}
+	
+	public = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ANY,
+								BUILD_BLOB_ASN1_DER, chunk_clone(chunk),
+								BUILD_END);
+	if (!public)
+	{
+		public = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
+									BUILD_BLOB_ASN1_DER, chunk_clone(chunk),
+									BUILD_END);
+	}
+	if (public)
+	{
+		keyid = public->get_id(public, ID_PUBKEY_INFO_SHA1);
+		chunk = keyid->get_encoding(keyid);
+
+		printf("%d, X'", ID_PUBKEY_INFO_SHA1);
+		for (n = 0; n < chunk.len; n++)
+		{
+			printf("%.2x", chunk.ptr[n]);
+		}
+		printf("'\n");
+		public->destroy(public);
+		return 0;
+	}
+	
+	fprintf(stderr, "unable to parse input key.\n");
+	return -1;
+}
+
diff --git a/scripts/thread_analysis.c b/scripts/thread_analysis.c
new file mode 100644
index 000000000..a03e8c994
--- /dev/null
+++ b/scripts/thread_analysis.c
@@ -0,0 +1,273 @@
+/* Analyzes the concurrent use of charon's threads
+ * 
+ * Copyright (C) 2008 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#define LOGFILE		"moon.daemon.log"
+#define LINE_LEN	2048
+#define THREADS		99
+
+typedef enum state_t state_t;
+
+enum state_t {
+	STATE_IDLE  = 0,
+	STATE_INIT  = 1,
+	STATE_AUTH  = 2,
+	STATE_BUSY  = 3,
+	STATE_RETRY = 4,
+	STATE_ERROR = 5
+};
+
+typedef enum mode_t mode_t;
+
+enum print_t {
+    MODE_ANY	= 0,
+	MODE_ADD	= 1,
+	MODE_DEL	= 2
+};
+
+static char *state_names[] = { "idle", "init", "auth", "busy", "retry", "error" };
+
+static int readline(FILE *fd, char *line)
+{
+	while (fread(line, 1, 1, fd))
+	{
+		if (*line == '\n')
+		{
+			*line = '\0';
+			return 1;
+		}
+		line++;		
+	}
+	*line = '\0';
+	return 0;
+}
+
+static void printline(state_t *state, char *timestamp)
+{
+	int states[] = { 0, 0, 0, 0, 0};
+	int th, total ;
+
+	printf("    <tr>\n");
+	printf("      <td class=\"log\">%.15s</td>", timestamp);
+
+	for (th = 1; th <= THREADS; th++)
+	{
+		states[state[th]]++;
+		printf("<td class=\"%s\"></td>", state_names[state[th]]);	
+	}
+	total = states[STATE_INIT] + states[STATE_AUTH] + states[STATE_BUSY] + states[STATE_RETRY];
+	printf("<td class=\"init\">%d</td><td class=\"auth\">%d</td><td class=\"busy\">%d</td>",
+			states[STATE_INIT], states[STATE_AUTH], total);
+	for (th = 10; th <= (THREADS + 2); th += 5)
+	{
+		printf("<td class=\"%s\"></td>", (th <= total + 2)? "busy":"idle");	
+	}
+	printf("\n");
+	printf("    </tr>\n");
+}
+
+int main(int argc, char *argv[])
+{
+	char line[LINE_LEN];
+	int section = 0;
+	int mode = MODE_ANY;
+	int th;
+	FILE *fd;
+
+	state_t state[THREADS + 1];
+	
+	/* threads 1..5 and 9 are always busy */
+	for (th = 1; th <= THREADS; th++)
+	{
+		state[th] = (th <= 5 || th == 9 )? STATE_BUSY : STATE_IDLE;
+	}
+  
+	/* open the log file */
+	fd = fopen(LOGFILE, "r");
+	if (!fd)
+	{
+		printf("could not open log file '%s'\n");
+		return 1;
+	}
+
+	printf("<html>\n");
+	printf("<head>\n");
+	printf("  <title>Charon Thread Analysis</title>\n");
+	printf("  <style>\n");
+	printf("    body     { font: 11px verdana,arial, helvetica, sans-serif }\n");
+	printf("    td       { font: 10px verdana,arial, helvetica, sans-serif;\n");
+	printf("               text-align: center;  padding: 0px 1px 0px 1px; background: #FFFF66 }\n");
+	printf("    td.log   { text-align: left; background: #FFFF66; white-space: nowrap }\n");
+	printf("    td.idle  { background: #FFFF66 }\n");
+	printf("    td.init  { background: #FFA522 }\n");
+	printf("    td.auth  { background: #90EE90 }\n");
+	printf("    td.busy  { background: #ADD8E6 }\n");
+	printf("    td.retry { background: #7B68EE }\n");
+	printf("    td.error { background: #FF6347 }\n");
+	printf("    hr { background-color: #000000; border: 0; height: 1px; }\n");
+	printf("    a:visited { color: #000000 }\n");
+    printf("    a:link    { color: #000000 }\n");
+	printf("    a:hover   { color: #0000FF }\n");
+	printf("  </style>\n");
+	printf("</head>\n");
+	printf("<body>\n");
+	printf("  <h1>Charon Thread Analysis</h1>\n");
+	printf("  <table>\n");
+
+	/* print table header */
+	printf("    <tr>\n");
+	printf("      <td class=\"log\">Timestamp</td>");
+	for (th = 1 ; th <= THREADS; th++)
+	{
+		printf("<td>%02d</td>", th);	
+	}
+	printf("<td class=\"init\">I</td><td class=\"auth\">A</td><td class=\"busy\">B</td>");
+	for (th = 10; th <= (THREADS + 2); th += 5)
+	{
+		printf("<td class=\"busy\">%d</td>", (th == 100)? 99:th);	
+	}
+	printf("\n");
+	printf("    </tr>\n");
+	
+	while (readline(fd, line))
+	{
+		char *p_section, *p_charon, *p_thread, *p_log;
+
+		p_section = strstr(line, "---");
+		if (p_section)
+		{
+			printline(state, line);
+			mode = MODE_ANY;
+
+			if (section++ < 1)
+			{
+				continue;
+			}
+			else
+			{
+				break;
+			}
+		}
+
+		p_charon = strstr(line, "charon");
+		if (!p_charon)
+		{
+			continue;
+		}
+		
+		/* determine thread */
+		p_thread = p_charon + 8;
+		th = atol(p_thread);
+
+		/* determine log message */
+		p_log = p_charon + 16;
+		if (strstr(p_log, "received packet"))
+		{
+			if (mode == MODE_DEL)
+			{
+				printline(state, line);
+			}
+			mode = MODE_ADD;
+			if (state[th] != STATE_IDLE)
+			{
+				state[th] = STATE_ERROR;
+			}
+			else
+			{
+				state[th] = STATE_BUSY;
+			}
+		}
+		if (strstr(p_log, "sending packet"))
+		{
+			if (mode == MODE_ADD)
+			{
+				printline(state, line);
+			}
+			mode = MODE_DEL;
+			if (state[th] == STATE_IDLE)
+			{
+				state[th] = STATE_ERROR;
+			}
+			else
+			{
+				state[th] = STATE_IDLE;
+			}
+		}
+		if (strstr(p_log, "parsed IKE_SA_INIT request"))
+		{
+			if (state[th] != STATE_BUSY)
+			{
+				state[th] = STATE_ERROR;
+			}
+			else
+			{
+				state[th] = STATE_INIT;
+			}
+		}
+		if (strstr(p_log, "parsed IKE_AUTH request"))
+		{
+			if (state[th] != STATE_BUSY)
+			{
+				state[th] = STATE_ERROR;
+			}
+			else
+			{
+				state[th] = STATE_AUTH;
+			}
+		}
+		if (strstr(p_log, "already processing"))
+		{
+			if (state[th] != STATE_IDLE)
+			{
+				state[th] = STATE_ERROR;
+			}
+			else
+			{
+				state[th] = STATE_RETRY;
+			}
+			printline(state, line);
+			mode = MODE_ANY;
+			state[th] = STATE_IDLE;
+		}
+	}
+	printf("  </table>\n");
+	printf("  <p>\n");
+	printf("  <table>\n");
+	printf("    <tr>\n");
+	printf("      <td class=\"init\">&nbsp;I&nbsp;</td><td>IKE_SA_INIT Thread &nbsp;</td>\n");
+	printf("      <td class=\"auth\">&nbsp;A&nbsp;</td><td>IKE_AUTH Thread &nbsp;</td>\n");
+	printf("      <td class=\"retry\">&nbsp;R&nbsp;</td><td>Retransmit Thread &nbsp;</td>\n");
+	printf("      <td class=\"busy\">&nbsp;B&nbsp;</td><td>Busy Thread &nbsp;</td>\n");
+	printf("      <td class=\"error\">&nbsp;E&nbsp;</td><td>State Error &nbsp;</td>\n");
+	printf("    </tr>\n");
+	printf("  </table>\n");
+	printf("  <p>\n");
+	printf("  <hr/>\n");
+	printf("  <em>&copy; 2008\n");
+	printf("    <a href=\"http://ita.hsr.ch?&L=1\" target=\"popup\">\n");
+	printf("       ITA Institute for Internet Technologies and Applications</a> -\n");
+	printf("    <a href=\"http://www.hsr.ch/?&L=1\" target=\"popup\">\n");
+	printf("       HSR Hochschule f&uuml;r Technik Rapperswil</a>\n");
+	printf("  </em>\n");
+	printf("</body>\n");
+	printf("</html>\n");
+
+	fclose(fd);	
+	return 0;
+}
diff --git a/src/Makefile.in b/src/Makefile.in
index 5b970f87a..98c4daa06 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -182,6 +182,8 @@ localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
diff --git a/src/_copyright/Makefile.in b/src/_copyright/Makefile.in
index 342dc48ed..a8f14689a 100644
--- a/src/_copyright/Makefile.in
+++ b/src/_copyright/Makefile.in
@@ -183,6 +183,8 @@ localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
diff --git a/src/_updown/Makefile.in b/src/_updown/Makefile.in
index 8173de597..6de07b931 100644
--- a/src/_updown/Makefile.in
+++ b/src/_updown/Makefile.in
@@ -165,6 +165,8 @@ localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
diff --git a/src/_updown/_updown.in b/src/_updown/_updown.in
index cb0404b34..d71317e60 100644
--- a/src/_updown/_updown.in
+++ b/src/_updown/_updown.in
@@ -16,7 +16,7 @@
 # or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 # for more details.
 #
-# RCSID $Id: _updown.in 3389 2007-12-12 22:12:10Z andreas $
+# RCSID $Id: _updown.in 4187 2008-07-18 10:04:40Z andreas $
 
 # CAUTION:  Installing a new version of strongSwan will install a new
 # copy of this script, wiping out any custom changes you make.  If
@@ -302,6 +302,10 @@ then
 	D_PEER_PORT="--dport $PLUTO_PEER_PORT"
 fi
 
+# resolve octal escape sequences
+PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
+PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
+
 # the big choice
 case "$PLUTO_VERB:$1" in
 prepare-host:*|prepare-client:*)
@@ -385,13 +389,13 @@ up-host:iptables)
 	# log IPsec host connection setup
 	if [ $VPN_LOGGING ]
 	then
-	  if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
 	  then
 	    logger -t $TAG -p $FAC_PRIO \
-	      "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME"
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
 	  else
 	    logger -t $TAG -p $FAC_PRIO \
-	      "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
 	  fi
 	fi	
 	;;
@@ -409,13 +413,13 @@ down-host:iptables)
 	# log IPsec host connection teardown
 	if [ $VPN_LOGGING ]
 	then
-	  if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
 	  then
 	    logger -t $TAG -p $FAC_PRIO -- \
-	      "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME"
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
 	  else
 	    logger -t $TAG -p $FAC_PRIO -- \
-	    "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	    "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
 	  fi
 	fi
 	;;
@@ -448,13 +452,13 @@ up-client:iptables)
 	# log IPsec client connection setup
 	if [ $VPN_LOGGING ]
 	then
-	  if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
 	  then
 	    logger -t $TAG -p $FAC_PRIO \
-	      "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
 	  else
 	    logger -t $TAG -p $FAC_PRIO \
-	      "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
 	  fi
 	fi
 	;;
@@ -491,13 +495,13 @@ down-client:iptables)
 	# log IPsec client connection teardown
 	if [ $VPN_LOGGING ]
 	then
-	  if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
 	  then
 	    logger -t $TAG -p $FAC_PRIO -- \
-	      "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
 	  else
 	    logger -t $TAG -p $FAC_PRIO -- \
-	      "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	      "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
 	  fi
 	fi
 	;;
@@ -544,13 +548,13 @@ up-host-v6:iptables)
 	# log IPsec host connection setup
 	if [ $VPN_LOGGING ]
 	then
-	  if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/128" ]
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
 	  then
 	    logger -t $TAG -p $FAC_PRIO \
-	      "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME"
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
 	  else
 	    logger -t $TAG -p $FAC_PRIO \
-	      "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
 	  fi
 	fi	
 	;;
@@ -568,13 +572,13 @@ down-host-v6:iptables)
 	# log IPsec host connection teardown
 	if [ $VPN_LOGGING ]
 	then
-	  if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/128" ]
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
 	  then
 	    logger -t $TAG -p $FAC_PRIO -- \
-	      "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME"
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
 	  else
 	    logger -t $TAG -p $FAC_PRIO -- \
-	    "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	    "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
 	  fi
 	fi
 	;;
@@ -607,13 +611,13 @@ up-client-v6:iptables)
 	# log IPsec client connection setup
 	if [ $VPN_LOGGING ]
 	then
-	  if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/128" ]
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
 	  then
 	    logger -t $TAG -p $FAC_PRIO \
-	      "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
 	  else
 	    logger -t $TAG -p $FAC_PRIO \
-	      "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
 	  fi
 	fi
 	;;
@@ -650,13 +654,13 @@ down-client-v6:iptables)
 	# log IPsec client connection teardown
 	if [ $VPN_LOGGING ]
 	then
-	  if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/128" ]
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
 	  then
 	    logger -t $TAG -p $FAC_PRIO -- \
-	      "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
 	  else
 	    logger -t $TAG -p $FAC_PRIO -- \
-	      "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	      "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
 	  fi
 	fi
 	;;
diff --git a/src/_updown_espmark/Makefile.in b/src/_updown_espmark/Makefile.in
index 00555c6b3..99dddf247 100644
--- a/src/_updown_espmark/Makefile.in
+++ b/src/_updown_espmark/Makefile.in
@@ -165,6 +165,8 @@ localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
diff --git a/src/_updown_espmark/_updown_espmark b/src/_updown_espmark/_updown_espmark
index 00d77a7e5..fbaf30132 100644
--- a/src/_updown_espmark/_updown_espmark
+++ b/src/_updown_espmark/_updown_espmark
@@ -16,7 +16,7 @@
 # or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 # for more details.
 #
-# RCSID $Id: _updown_espmark 3268 2007-10-08 19:59:18Z andreas $
+# RCSID $Id: _updown_espmark 4187 2008-07-18 10:04:40Z andreas $
 
 
 
@@ -277,6 +277,10 @@ then
 	D_PEER_PORT="--dport $PLUTO_PEER_PORT"
 fi
 
+# resolve octal escape sequences
+PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
+PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
+
 # the big choice
 case "$PLUTO_VERB:$1" in
 prepare-host:*|prepare-client:*)
@@ -333,13 +337,13 @@ up-host:*)
 	    -s $PLUTO_ME $S_MY_PORT \
 	    -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
 	#
-	if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
+	if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
 	then
 	  logger -t $TAG -p $FAC_PRIO \
-	    "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME"
+	    "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
 	else
 	  logger -t $TAG -p $FAC_PRIO \
-	    "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	    "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
 	fi
 	;;
 down-host:*)
@@ -354,13 +358,13 @@ down-host:*)
 	    -s $PLUTO_ME $S_MY_PORT \
 	    -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
 	#
-	if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
+	if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
 	then
 	  logger -t $TAG -p $FAC_PRIO -- \
-	    "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME"
+	    "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
 	else
 	  logger -t $TAG -p $FAC_PRIO -- \
-	  "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
 	fi
 	;;
 up-client:)
@@ -374,13 +378,13 @@ up-client:)
 	    -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \
 	       $CHECK_MARK -j ACCEPT
 	#
-	if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
+	if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
 	then
 	  logger -t $TAG -p $FAC_PRIO \
-	    "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	    "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
 	else
 	  logger -t $TAG -p $FAC_PRIO \
-	    "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	    "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
 	fi
 	;;
 down-client:)
@@ -394,13 +398,13 @@ down-client:)
 	    -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \
 	       $CHECK_MARK -j ACCEPT
 	#
-	if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
+	if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
 	then
 	  logger -t $TAG -p $FAC_PRIO -- \
-	    "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	    "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
 	else
 	  logger -t $TAG -p $FAC_PRIO -- \
-	    "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	    "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
 	fi
 	;;
 up-client:ipfwadm)
diff --git a/src/charon/Makefile.am b/src/charon/Makefile.am
index 9a04055c3..c9f63ac9d 100644
--- a/src/charon/Makefile.am
+++ b/src/charon/Makefile.am
@@ -41,6 +41,8 @@ encoding/payloads/ts_payload.c encoding/payloads/ts_payload.h \
 encoding/payloads/unknown_payload.c encoding/payloads/unknown_payload.h \
 encoding/payloads/vendor_id_payload.c encoding/payloads/vendor_id_payload.h \
 kernel/kernel_interface.c kernel/kernel_interface.h \
+kernel/kernel_ipsec.c kernel/kernel_ipsec.h \
+kernel/kernel_net.h \
 network/packet.c network/packet.h \
 network/receiver.c network/receiver.h \
 network/sender.c network/sender.h \
@@ -57,12 +59,14 @@ processing/jobs/retransmit_job.c processing/jobs/retransmit_job.h \
 processing/jobs/send_dpd_job.c processing/jobs/send_dpd_job.h \
 processing/jobs/send_keepalive_job.c processing/jobs/send_keepalive_job.h \
 processing/jobs/roam_job.c processing/jobs/roam_job.h \
+processing/jobs/update_sa_job.c processing/jobs/update_sa_job.h \
 processing/scheduler.c processing/scheduler.h \
 processing/processor.c processing/processor.h  \
 sa/authenticators/authenticator.c sa/authenticators/authenticator.h \
 sa/authenticators/eap_authenticator.c sa/authenticators/eap_authenticator.h \
 sa/authenticators/eap/eap_method.c sa/authenticators/eap/eap_method.h \
 sa/authenticators/eap/eap_manager.c sa/authenticators/eap/eap_manager.h \
+sa/authenticators/eap/sim_manager.c sa/authenticators/eap/sim_manager.h \
 sa/authenticators/psk_authenticator.c sa/authenticators/psk_authenticator.h \
 sa/authenticators/pubkey_authenticator.c sa/authenticators/pubkey_authenticator.h \
 sa/child_sa.c sa/child_sa.h \
@@ -129,15 +133,20 @@ if USE_SELF_TEST
   AM_CFLAGS += -DSELF_TEST
 endif
 
+if USE_CAPABILITIES
+  charon_LDADD += -lcap
+endif
+
+
 # build optional plugins
 ########################
 
 SUBDIRS = . 
 PLUGINS = ${libstrongswan_plugins}
 
-if USE_UNIT_TESTS
-  SUBDIRS += plugins/unit_tester
-  PLUGINS += unit-tester
+if USE_KERNEL_NETLINK
+  SUBDIRS += plugins/kernel_netlink
+  PLUGINS += kernel-netlink
 endif
 
 if USE_STROKE
@@ -165,11 +174,21 @@ if USE_EAP_SIM
   PLUGINS += eapsim
 endif
 
+if USE_EAP_SIM_FILE
+  SUBDIRS += plugins/eap_sim_file
+  PLUGINS += eapsim-file
+endif
+
 if USE_EAP_MD5
   SUBDIRS += plugins/eap_md5
   PLUGINS += eapmd5
 endif
 
+if USE_EAP_GTC
+  SUBDIRS += plugins/eap_gtc
+  PLUGINS += eapgtc
+endif
+
 if USE_EAP_AKA
   SUBDIRS += plugins/eap_aka
   PLUGINS += eapaka
@@ -185,10 +204,20 @@ if USE_MEDCLI
   PLUGINS += medcli
 endif
 
+if USE_NM
+  SUBDIRS += plugins/nm
+  PLUGINS += nm
+endif
+
 if USE_UCI
   SUBDIRS += plugins/uci
   PLUGINS += uci
 endif
 
+if USE_UNIT_TESTS
+  SUBDIRS += plugins/unit_tester
+  PLUGINS += unit-tester
+endif
+
 AM_CFLAGS += -DPLUGINS=\""${PLUGINS}\""
 
diff --git a/src/charon/Makefile.in b/src/charon/Makefile.in
index cf03a0e35..8d13f16e9 100644
--- a/src/charon/Makefile.in
+++ b/src/charon/Makefile.in
@@ -49,28 +49,37 @@ ipsec_PROGRAMS = charon$(EXEEXT)
 
 @USE_INTEGRITY_TEST_TRUE@am__append_4 = -DINTEGRITY_TEST
 @USE_SELF_TEST_TRUE@am__append_5 = -DSELF_TEST
-@USE_UNIT_TESTS_TRUE@am__append_6 = plugins/unit_tester
-@USE_UNIT_TESTS_TRUE@am__append_7 = unit-tester
-@USE_STROKE_TRUE@am__append_8 = plugins/stroke
-@USE_STROKE_TRUE@am__append_9 = stroke
-@USE_SMP_TRUE@am__append_10 = plugins/smp
-@USE_SMP_TRUE@am__append_11 = smp
-@USE_SQL_TRUE@am__append_12 = plugins/sql
-@USE_SQL_TRUE@am__append_13 = sql
-@USE_EAP_IDENTITY_TRUE@am__append_14 = plugins/eap_identity
-@USE_EAP_IDENTITY_TRUE@am__append_15 = eapidentity
-@USE_EAP_SIM_TRUE@am__append_16 = plugins/eap_sim
-@USE_EAP_SIM_TRUE@am__append_17 = eapsim
-@USE_EAP_MD5_TRUE@am__append_18 = plugins/eap_md5
-@USE_EAP_MD5_TRUE@am__append_19 = eapmd5
-@USE_EAP_AKA_TRUE@am__append_20 = plugins/eap_aka
-@USE_EAP_AKA_TRUE@am__append_21 = eapaka
-@USE_MEDSRV_TRUE@am__append_22 = plugins/medsrv
-@USE_MEDSRV_TRUE@am__append_23 = medsrv
-@USE_MEDCLI_TRUE@am__append_24 = plugins/medcli
-@USE_MEDCLI_TRUE@am__append_25 = medcli
-@USE_UCI_TRUE@am__append_26 = plugins/uci
-@USE_UCI_TRUE@am__append_27 = uci
+@USE_CAPABILITIES_TRUE@am__append_6 = -lcap
+@USE_KERNEL_NETLINK_TRUE@am__append_7 = plugins/kernel_netlink
+@USE_KERNEL_NETLINK_TRUE@am__append_8 = kernel-netlink
+@USE_STROKE_TRUE@am__append_9 = plugins/stroke
+@USE_STROKE_TRUE@am__append_10 = stroke
+@USE_SMP_TRUE@am__append_11 = plugins/smp
+@USE_SMP_TRUE@am__append_12 = smp
+@USE_SQL_TRUE@am__append_13 = plugins/sql
+@USE_SQL_TRUE@am__append_14 = sql
+@USE_EAP_IDENTITY_TRUE@am__append_15 = plugins/eap_identity
+@USE_EAP_IDENTITY_TRUE@am__append_16 = eapidentity
+@USE_EAP_SIM_TRUE@am__append_17 = plugins/eap_sim
+@USE_EAP_SIM_TRUE@am__append_18 = eapsim
+@USE_EAP_SIM_FILE_TRUE@am__append_19 = plugins/eap_sim_file
+@USE_EAP_SIM_FILE_TRUE@am__append_20 = eapsim-file
+@USE_EAP_MD5_TRUE@am__append_21 = plugins/eap_md5
+@USE_EAP_MD5_TRUE@am__append_22 = eapmd5
+@USE_EAP_GTC_TRUE@am__append_23 = plugins/eap_gtc
+@USE_EAP_GTC_TRUE@am__append_24 = eapgtc
+@USE_EAP_AKA_TRUE@am__append_25 = plugins/eap_aka
+@USE_EAP_AKA_TRUE@am__append_26 = eapaka
+@USE_MEDSRV_TRUE@am__append_27 = plugins/medsrv
+@USE_MEDSRV_TRUE@am__append_28 = medsrv
+@USE_MEDCLI_TRUE@am__append_29 = plugins/medcli
+@USE_MEDCLI_TRUE@am__append_30 = medcli
+@USE_NM_TRUE@am__append_31 = plugins/nm
+@USE_NM_TRUE@am__append_32 = nm
+@USE_UCI_TRUE@am__append_33 = plugins/uci
+@USE_UCI_TRUE@am__append_34 = uci
+@USE_UNIT_TESTS_TRUE@am__append_35 = plugins/unit_tester
+@USE_UNIT_TESTS_TRUE@am__append_36 = unit-tester
 subdir = src/charon
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
@@ -135,9 +144,10 @@ am__charon_SOURCES_DIST = bus/bus.c bus/bus.h \
 	encoding/payloads/vendor_id_payload.c \
 	encoding/payloads/vendor_id_payload.h \
 	kernel/kernel_interface.c kernel/kernel_interface.h \
-	network/packet.c network/packet.h network/receiver.c \
-	network/receiver.h network/sender.c network/sender.h \
-	network/socket.h processing/jobs/job.h \
+	kernel/kernel_ipsec.c kernel/kernel_ipsec.h \
+	kernel/kernel_net.h network/packet.c network/packet.h \
+	network/receiver.c network/receiver.h network/sender.c \
+	network/sender.h network/socket.h processing/jobs/job.h \
 	processing/jobs/acquire_job.c processing/jobs/acquire_job.h \
 	processing/jobs/callback_job.c processing/jobs/callback_job.h \
 	processing/jobs/delete_child_sa_job.c \
@@ -156,9 +166,10 @@ am__charon_SOURCES_DIST = bus/bus.c bus/bus.h \
 	processing/jobs/send_keepalive_job.c \
 	processing/jobs/send_keepalive_job.h \
 	processing/jobs/roam_job.c processing/jobs/roam_job.h \
-	processing/scheduler.c processing/scheduler.h \
-	processing/processor.c processing/processor.h \
-	sa/authenticators/authenticator.c \
+	processing/jobs/update_sa_job.c \
+	processing/jobs/update_sa_job.h processing/scheduler.c \
+	processing/scheduler.h processing/processor.c \
+	processing/processor.h sa/authenticators/authenticator.c \
 	sa/authenticators/authenticator.h \
 	sa/authenticators/eap_authenticator.c \
 	sa/authenticators/eap_authenticator.h \
@@ -166,6 +177,8 @@ am__charon_SOURCES_DIST = bus/bus.c bus/bus.h \
 	sa/authenticators/eap/eap_method.h \
 	sa/authenticators/eap/eap_manager.c \
 	sa/authenticators/eap/eap_manager.h \
+	sa/authenticators/eap/sim_manager.c \
+	sa/authenticators/eap/sim_manager.h \
 	sa/authenticators/psk_authenticator.c \
 	sa/authenticators/psk_authenticator.h \
 	sa/authenticators/pubkey_authenticator.c \
@@ -226,15 +239,16 @@ am_charon_OBJECTS = bus.$(OBJEXT) file_logger.$(OBJEXT) \
 	transform_attribute.$(OBJEXT) transform_substructure.$(OBJEXT) \
 	ts_payload.$(OBJEXT) unknown_payload.$(OBJEXT) \
 	vendor_id_payload.$(OBJEXT) kernel_interface.$(OBJEXT) \
-	packet.$(OBJEXT) receiver.$(OBJEXT) sender.$(OBJEXT) \
-	acquire_job.$(OBJEXT) callback_job.$(OBJEXT) \
+	kernel_ipsec.$(OBJEXT) packet.$(OBJEXT) receiver.$(OBJEXT) \
+	sender.$(OBJEXT) acquire_job.$(OBJEXT) callback_job.$(OBJEXT) \
 	delete_child_sa_job.$(OBJEXT) delete_ike_sa_job.$(OBJEXT) \
 	process_message_job.$(OBJEXT) rekey_child_sa_job.$(OBJEXT) \
 	rekey_ike_sa_job.$(OBJEXT) retransmit_job.$(OBJEXT) \
 	send_dpd_job.$(OBJEXT) send_keepalive_job.$(OBJEXT) \
-	roam_job.$(OBJEXT) scheduler.$(OBJEXT) processor.$(OBJEXT) \
-	authenticator.$(OBJEXT) eap_authenticator.$(OBJEXT) \
-	eap_method.$(OBJEXT) eap_manager.$(OBJEXT) \
+	roam_job.$(OBJEXT) update_sa_job.$(OBJEXT) scheduler.$(OBJEXT) \
+	processor.$(OBJEXT) authenticator.$(OBJEXT) \
+	eap_authenticator.$(OBJEXT) eap_method.$(OBJEXT) \
+	eap_manager.$(OBJEXT) sim_manager.$(OBJEXT) \
 	psk_authenticator.$(OBJEXT) pubkey_authenticator.$(OBJEXT) \
 	child_sa.$(OBJEXT) ike_sa.$(OBJEXT) ike_sa_id.$(OBJEXT) \
 	ike_sa_manager.$(OBJEXT) task_manager.$(OBJEXT) \
@@ -250,8 +264,10 @@ am_charon_OBJECTS = bus.$(OBJEXT) file_logger.$(OBJEXT) \
 	cert_cache.$(OBJEXT) $(am__objects_1) $(am__objects_2) \
 	$(am__objects_3)
 charon_OBJECTS = $(am_charon_OBJECTS)
+am__DEPENDENCIES_1 =
 charon_DEPENDENCIES =  \
-	$(top_builddir)/src/libstrongswan/libstrongswan.la
+	$(top_builddir)/src/libstrongswan/libstrongswan.la \
+	$(am__DEPENDENCIES_1)
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
@@ -277,10 +293,11 @@ RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive	\
   distclean-recursive maintainer-clean-recursive
 ETAGS = etags
 CTAGS = ctags
-DIST_SUBDIRS = . plugins/unit_tester plugins/stroke plugins/smp \
+DIST_SUBDIRS = . plugins/kernel_netlink plugins/stroke plugins/smp \
 	plugins/sql plugins/eap_identity plugins/eap_sim \
-	plugins/eap_md5 plugins/eap_aka plugins/medsrv plugins/medcli \
-	plugins/uci
+	plugins/eap_sim_file plugins/eap_md5 plugins/eap_gtc \
+	plugins/eap_aka plugins/medsrv plugins/medcli plugins/nm \
+	plugins/uci plugins/unit_tester
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 AMTAR = @AMTAR@
@@ -397,6 +414,8 @@ localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
@@ -469,9 +488,10 @@ charon_SOURCES = bus/bus.c bus/bus.h bus/listeners/file_logger.c \
 	encoding/payloads/vendor_id_payload.c \
 	encoding/payloads/vendor_id_payload.h \
 	kernel/kernel_interface.c kernel/kernel_interface.h \
-	network/packet.c network/packet.h network/receiver.c \
-	network/receiver.h network/sender.c network/sender.h \
-	network/socket.h processing/jobs/job.h \
+	kernel/kernel_ipsec.c kernel/kernel_ipsec.h \
+	kernel/kernel_net.h network/packet.c network/packet.h \
+	network/receiver.c network/receiver.h network/sender.c \
+	network/sender.h network/socket.h processing/jobs/job.h \
 	processing/jobs/acquire_job.c processing/jobs/acquire_job.h \
 	processing/jobs/callback_job.c processing/jobs/callback_job.h \
 	processing/jobs/delete_child_sa_job.c \
@@ -490,9 +510,10 @@ charon_SOURCES = bus/bus.c bus/bus.h bus/listeners/file_logger.c \
 	processing/jobs/send_keepalive_job.c \
 	processing/jobs/send_keepalive_job.h \
 	processing/jobs/roam_job.c processing/jobs/roam_job.h \
-	processing/scheduler.c processing/scheduler.h \
-	processing/processor.c processing/processor.h \
-	sa/authenticators/authenticator.c \
+	processing/jobs/update_sa_job.c \
+	processing/jobs/update_sa_job.h processing/scheduler.c \
+	processing/scheduler.h processing/processor.c \
+	processing/processor.h sa/authenticators/authenticator.c \
 	sa/authenticators/authenticator.h \
 	sa/authenticators/eap_authenticator.c \
 	sa/authenticators/eap_authenticator.h \
@@ -500,6 +521,8 @@ charon_SOURCES = bus/bus.c bus/bus.h bus/listeners/file_logger.c \
 	sa/authenticators/eap/eap_method.h \
 	sa/authenticators/eap/eap_manager.c \
 	sa/authenticators/eap/eap_manager.h \
+	sa/authenticators/eap/sim_manager.c \
+	sa/authenticators/eap/sim_manager.h \
 	sa/authenticators/psk_authenticator.c \
 	sa/authenticators/psk_authenticator.h \
 	sa/authenticators/pubkey_authenticator.c \
@@ -536,18 +559,22 @@ AM_CFLAGS = -rdynamic -DIPSEC_DIR=\"${ipsecdir}\" \
 	-DSTRONGSWAN_CONF=\"${strongswan_conf}\" \
 	-DRESOLV_CONF=\"${resolv_conf}\" $(am__append_4) \
 	$(am__append_5) -DPLUGINS=\""${PLUGINS}\""
-charon_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -lpthread -lm -ldl
+charon_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la \
+	-lpthread -lm -ldl $(am__append_6)
 
 # build optional plugins
 ########################
-SUBDIRS = . $(am__append_6) $(am__append_8) $(am__append_10) \
+SUBDIRS = . $(am__append_7) $(am__append_9) $(am__append_11) \
+	$(am__append_13) $(am__append_15) $(am__append_17) \
+	$(am__append_19) $(am__append_21) $(am__append_23) \
+	$(am__append_25) $(am__append_27) $(am__append_29) \
+	$(am__append_31) $(am__append_33) $(am__append_35)
+PLUGINS = ${libstrongswan_plugins} $(am__append_8) $(am__append_10) \
 	$(am__append_12) $(am__append_14) $(am__append_16) \
 	$(am__append_18) $(am__append_20) $(am__append_22) \
-	$(am__append_24) $(am__append_26)
-PLUGINS = ${libstrongswan_plugins} $(am__append_7) $(am__append_9) \
-	$(am__append_11) $(am__append_13) $(am__append_15) \
-	$(am__append_17) $(am__append_19) $(am__append_21) \
-	$(am__append_23) $(am__append_25) $(am__append_27)
+	$(am__append_24) $(am__append_26) $(am__append_28) \
+	$(am__append_30) $(am__append_32) $(am__append_34) \
+	$(am__append_36)
 all: all-recursive
 
 .SUFFIXES:
@@ -676,6 +703,7 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/initiate_mediation_job.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ke_payload.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_interface.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_ipsec.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mediation_job.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mediation_manager.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/message.Po@am__quote@
@@ -702,6 +730,7 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/send_dpd_job.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/send_keepalive_job.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sender.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sim_manager.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/socket-raw.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/socket.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sys_logger.Po@am__quote@
@@ -713,6 +742,7 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/transform_substructure.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ts_payload.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/unknown_payload.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/update_sa_job.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/vendor_id_payload.Po@am__quote@
 
 .c.o:
@@ -1268,6 +1298,20 @@ kernel_interface.obj: kernel/kernel_interface.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o kernel_interface.obj `if test -f 'kernel/kernel_interface.c'; then $(CYGPATH_W) 'kernel/kernel_interface.c'; else $(CYGPATH_W) '$(srcdir)/kernel/kernel_interface.c'; fi`
 
+kernel_ipsec.o: kernel/kernel_ipsec.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT kernel_ipsec.o -MD -MP -MF $(DEPDIR)/kernel_ipsec.Tpo -c -o kernel_ipsec.o `test -f 'kernel/kernel_ipsec.c' || echo '$(srcdir)/'`kernel/kernel_ipsec.c
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/kernel_ipsec.Tpo $(DEPDIR)/kernel_ipsec.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='kernel/kernel_ipsec.c' object='kernel_ipsec.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o kernel_ipsec.o `test -f 'kernel/kernel_ipsec.c' || echo '$(srcdir)/'`kernel/kernel_ipsec.c
+
+kernel_ipsec.obj: kernel/kernel_ipsec.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT kernel_ipsec.obj -MD -MP -MF $(DEPDIR)/kernel_ipsec.Tpo -c -o kernel_ipsec.obj `if test -f 'kernel/kernel_ipsec.c'; then $(CYGPATH_W) 'kernel/kernel_ipsec.c'; else $(CYGPATH_W) '$(srcdir)/kernel/kernel_ipsec.c'; fi`
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/kernel_ipsec.Tpo $(DEPDIR)/kernel_ipsec.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='kernel/kernel_ipsec.c' object='kernel_ipsec.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o kernel_ipsec.obj `if test -f 'kernel/kernel_ipsec.c'; then $(CYGPATH_W) 'kernel/kernel_ipsec.c'; else $(CYGPATH_W) '$(srcdir)/kernel/kernel_ipsec.c'; fi`
+
 packet.o: network/packet.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT packet.o -MD -MP -MF $(DEPDIR)/packet.Tpo -c -o packet.o `test -f 'network/packet.c' || echo '$(srcdir)/'`network/packet.c
 @am__fastdepCC_TRUE@	mv -f $(DEPDIR)/packet.Tpo $(DEPDIR)/packet.Po
@@ -1464,6 +1508,20 @@ roam_job.obj: processing/jobs/roam_job.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o roam_job.obj `if test -f 'processing/jobs/roam_job.c'; then $(CYGPATH_W) 'processing/jobs/roam_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/roam_job.c'; fi`
 
+update_sa_job.o: processing/jobs/update_sa_job.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT update_sa_job.o -MD -MP -MF $(DEPDIR)/update_sa_job.Tpo -c -o update_sa_job.o `test -f 'processing/jobs/update_sa_job.c' || echo '$(srcdir)/'`processing/jobs/update_sa_job.c
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/update_sa_job.Tpo $(DEPDIR)/update_sa_job.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/update_sa_job.c' object='update_sa_job.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o update_sa_job.o `test -f 'processing/jobs/update_sa_job.c' || echo '$(srcdir)/'`processing/jobs/update_sa_job.c
+
+update_sa_job.obj: processing/jobs/update_sa_job.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT update_sa_job.obj -MD -MP -MF $(DEPDIR)/update_sa_job.Tpo -c -o update_sa_job.obj `if test -f 'processing/jobs/update_sa_job.c'; then $(CYGPATH_W) 'processing/jobs/update_sa_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/update_sa_job.c'; fi`
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/update_sa_job.Tpo $(DEPDIR)/update_sa_job.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/update_sa_job.c' object='update_sa_job.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o update_sa_job.obj `if test -f 'processing/jobs/update_sa_job.c'; then $(CYGPATH_W) 'processing/jobs/update_sa_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/update_sa_job.c'; fi`
+
 scheduler.o: processing/scheduler.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT scheduler.o -MD -MP -MF $(DEPDIR)/scheduler.Tpo -c -o scheduler.o `test -f 'processing/scheduler.c' || echo '$(srcdir)/'`processing/scheduler.c
 @am__fastdepCC_TRUE@	mv -f $(DEPDIR)/scheduler.Tpo $(DEPDIR)/scheduler.Po
@@ -1548,6 +1606,20 @@ eap_manager.obj: sa/authenticators/eap/eap_manager.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o eap_manager.obj `if test -f 'sa/authenticators/eap/eap_manager.c'; then $(CYGPATH_W) 'sa/authenticators/eap/eap_manager.c'; else $(CYGPATH_W) '$(srcdir)/sa/authenticators/eap/eap_manager.c'; fi`
 
+sim_manager.o: sa/authenticators/eap/sim_manager.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sim_manager.o -MD -MP -MF $(DEPDIR)/sim_manager.Tpo -c -o sim_manager.o `test -f 'sa/authenticators/eap/sim_manager.c' || echo '$(srcdir)/'`sa/authenticators/eap/sim_manager.c
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/sim_manager.Tpo $(DEPDIR)/sim_manager.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/authenticators/eap/sim_manager.c' object='sim_manager.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sim_manager.o `test -f 'sa/authenticators/eap/sim_manager.c' || echo '$(srcdir)/'`sa/authenticators/eap/sim_manager.c
+
+sim_manager.obj: sa/authenticators/eap/sim_manager.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sim_manager.obj -MD -MP -MF $(DEPDIR)/sim_manager.Tpo -c -o sim_manager.obj `if test -f 'sa/authenticators/eap/sim_manager.c'; then $(CYGPATH_W) 'sa/authenticators/eap/sim_manager.c'; else $(CYGPATH_W) '$(srcdir)/sa/authenticators/eap/sim_manager.c'; fi`
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/sim_manager.Tpo $(DEPDIR)/sim_manager.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/authenticators/eap/sim_manager.c' object='sim_manager.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sim_manager.obj `if test -f 'sa/authenticators/eap/sim_manager.c'; then $(CYGPATH_W) 'sa/authenticators/eap/sim_manager.c'; else $(CYGPATH_W) '$(srcdir)/sa/authenticators/eap/sim_manager.c'; fi`
+
 psk_authenticator.o: sa/authenticators/psk_authenticator.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT psk_authenticator.o -MD -MP -MF $(DEPDIR)/psk_authenticator.Tpo -c -o psk_authenticator.o `test -f 'sa/authenticators/psk_authenticator.c' || echo '$(srcdir)/'`sa/authenticators/psk_authenticator.c
 @am__fastdepCC_TRUE@	mv -f $(DEPDIR)/psk_authenticator.Tpo $(DEPDIR)/psk_authenticator.Po
diff --git a/src/charon/bus/bus.c b/src/charon/bus/bus.c
index 1b12f8735..a102a3984 100644
--- a/src/charon/bus/bus.c
+++ b/src/charon/bus/bus.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: bus.c 3589 2008-03-13 14:14:44Z martin $
+ * $Id: bus.c 4198 2008-07-21 14:23:43Z martin $
  */
 
 #include "bus.h"
@@ -100,6 +100,11 @@ struct entry_t {
 	 */
 	bool blocker;
 	
+	/**
+	 * are we currently calling this listener
+	 */
+	bool calling;
+	
 	/**
 	 * condvar where active listeners wait
 	 */
@@ -115,6 +120,7 @@ static entry_t *entry_create(bus_listener_t *listener, bool blocker)
 	
 	this->listener = listener;
 	this->blocker = blocker;
+	this->calling = FALSE;
 	this->condvar = condvar_create(CONDVAR_DEFAULT);
 	
 	return this;
@@ -253,58 +259,94 @@ static void set_sa(private_bus_t *this, ike_sa_t *ike_sa)
 	pthread_setspecific(this->thread_sa, ike_sa);
 }
 
-	
 /**
- * Implementation of bus_t.vsignal.
+ * data associated to a signal, passed to callback
  */
-static void vsignal(private_bus_t *this, signal_t signal, level_t level,
-					char* format, va_list args)
-{
-	iterator_t *iterator;
-	entry_t *entry;
+typedef struct {
+	/** associated IKE_SA */
 	ike_sa_t *ike_sa;
+	/** invoking thread */
 	long thread;
-	
-	this->mutex->lock(this->mutex);
-	ike_sa = pthread_getspecific(this->thread_sa);
-	thread = get_thread_number(this);
-	
-	iterator = this->listeners->create_iterator(this->listeners, TRUE);
-	while (iterator->iterate(iterator, (void**)&entry))
+	/** signal type */
+	signal_t signal;
+	/** signal level */
+	level_t level;
+	/** signal specific user data */
+	void *user;
+	/** format string */
+	char *format;
+	/** argument list */
+	va_list args;
+} signal_data_t;
+
+/**
+ * listener invocation as a list remove callback
+ */
+static bool signal_cb(entry_t *entry, signal_data_t *data)
+{
+	va_list args;
+
+	if (entry->calling)
+	{	/* avoid recursive calls */
+		return FALSE;
+	}
+	entry->calling = TRUE;
+	va_copy(args, data->args);
+	if (!entry->listener->signal(entry->listener, data->signal, data->level,
+					data->thread, data->ike_sa, data->user, data->format, args))
 	{
-		va_list args_copy;
-		va_copy(args_copy, args);
-		if (!entry->listener->signal(entry->listener, signal, level, thread, 
-									 ike_sa, format, args_copy))
+		if (entry->blocker)
 		{
-			iterator->remove(iterator);
-			if (entry->blocker)
-			{
-				entry->blocker = FALSE;
-				entry->condvar->signal(entry->condvar);
-			}
-			else
-			{
-				entry_destroy(entry);
-			}
+			entry->blocker = FALSE;
+			entry->condvar->signal(entry->condvar);
+		}
+		else
+		{
+			entry_destroy(entry);
 		}
-		va_end(args_copy);
+		va_end(args);
+		entry->calling = FALSE;
+		return TRUE;
 	}
-	iterator->destroy(iterator);
+	va_end(args);
+	entry->calling = FALSE;
+	return FALSE;
+}
+
+/**
+ * Implementation of bus_t.vsignal.
+ */
+static void vsignal(private_bus_t *this, signal_t signal, level_t level,
+					void *user, char* format, va_list args)
+{
+	signal_data_t data;
+	
+	data.ike_sa = pthread_getspecific(this->thread_sa);
+	data.thread = get_thread_number(this);
+	data.signal = signal;
+	data.level = level;
+	data.user = user;
+	data.format = format;
+	va_copy(data.args, args);
 	
+	this->mutex->lock(this->mutex);
+	/* we use the remove() method to invoke all listeners with small overhead */
+	this->listeners->remove(this->listeners, &data, (void*)signal_cb);
 	this->mutex->unlock(this->mutex);
+	
+	va_end(data.args);
 }
 
 /**
  * Implementation of bus_t.signal.
  */
 static void signal_(private_bus_t *this, signal_t signal, level_t level, 
-					char* format, ...)
+					void* data, char* format, ...)
 {
 	va_list args;
 	
 	va_start(args, format);
-	vsignal(this, signal, level, format, args);
+	vsignal(this, signal, level, data, format, args);
 	va_end(args);
 }
 
@@ -329,8 +371,8 @@ bus_t *bus_create()
 	this->public.remove_listener = (void(*)(bus_t*,bus_listener_t*))remove_listener;
 	this->public.listen = (void(*)(bus_t*, bus_listener_t *listener, job_t *job))listen_;
 	this->public.set_sa = (void(*)(bus_t*,ike_sa_t*))set_sa;
-	this->public.signal = (void(*)(bus_t*,signal_t,level_t,char*,...))signal_;
-	this->public.vsignal = (void(*)(bus_t*,signal_t,level_t,char*,va_list))vsignal;
+	this->public.signal = (void(*)(bus_t*,signal_t,level_t,void*,char*,...))signal_;
+	this->public.vsignal = (void(*)(bus_t*,signal_t,level_t,void*,char*,va_list))vsignal;
 	this->public.destroy = (void(*)(bus_t*)) destroy;
 	
 	this->listeners = linked_list_create();
diff --git a/src/charon/bus/bus.h b/src/charon/bus/bus.h
index 7fa2c42bc..db417064f 100644
--- a/src/charon/bus/bus.h
+++ b/src/charon/bus/bus.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: bus.h 3589 2008-03-13 14:14:44Z martin $
+ * $Id: bus.h 4192 2008-07-18 15:51:40Z martin $
  */
 
 /**
@@ -97,29 +97,29 @@ enum signal_t {
 	IKE_REKEY_FAILED,
 	
 	/** signals for CHILD_SA establishment */
-	CHILD_UP_START,
-	CHILD_UP_SUCCESS,
-	CHILD_UP_FAILED,
+	CHD_UP_START,
+	CHD_UP_SUCCESS,
+	CHD_UP_FAILED,
 	
 	/** signals for CHILD_SA delete */
-	CHILD_DOWN_START,
-	CHILD_DOWN_SUCCESS,
-	CHILD_DOWN_FAILED,
+	CHD_DOWN_START,
+	CHD_DOWN_SUCCESS,
+	CHD_DOWN_FAILED,
 	
 	/** signals for CHILD_SA rekeying */
-	CHILD_REKEY_START,
-	CHILD_REKEY_SUCCESS,
-	CHILD_REKEY_FAILED,
+	CHD_REKEY_START,
+	CHD_REKEY_SUCCESS,
+	CHD_REKEY_FAILED,
 	
 	/** signals for CHILD_SA routing */
-	CHILD_ROUTE_START,
-	CHILD_ROUTE_SUCCESS,
-	CHILD_ROUTE_FAILED,
+	CHD_ROUTE_START,
+	CHD_ROUTE_SUCCESS,
+	CHD_ROUTE_FAILED,
 	
 	/** signals for CHILD_SA routing */
-	CHILD_UNROUTE_START,
-	CHILD_UNROUTE_SUCCESS,
-	CHILD_UNROUTE_FAILED,
+	CHD_UNROUTE_START,
+	CHD_UNROUTE_SUCCESS,
+	CHD_UNROUTE_FAILED,
 	
 	SIG_MAX
 };
@@ -161,16 +161,16 @@ enum level_t {
  * @param format	printf() style format string
  * @param ...		printf() style agument list
  */
-# define DBG1(sig, format, ...) charon->bus->signal(charon->bus, sig, LEVEL_1, format, ##__VA_ARGS__)
+# define DBG1(sig, format, ...) charon->bus->signal(charon->bus, sig, LEVEL_1, NULL, format, ##__VA_ARGS__)
 #endif /* DEBUG_LEVEL */
 #if DEBUG_LEVEL >= 2
-#define DBG2(sig, format, ...) charon->bus->signal(charon->bus, sig, LEVEL_2, format, ##__VA_ARGS__)
+#define DBG2(sig, format, ...) charon->bus->signal(charon->bus, sig, LEVEL_2, NULL, format, ##__VA_ARGS__)
 #endif /* DEBUG_LEVEL */
 #if DEBUG_LEVEL >= 3
-#define DBG3(sig, format, ...) charon->bus->signal(charon->bus, sig, LEVEL_3, format, ##__VA_ARGS__)
+#define DBG3(sig, format, ...) charon->bus->signal(charon->bus, sig, LEVEL_3, NULL, format, ##__VA_ARGS__)
 #endif /* DEBUG_LEVEL */
 #if DEBUG_LEVEL >= 4
-#define DBG4(sig, format, ...) charon->bus->signal(charon->bus, sig, LEVEL_4, format, ##__VA_ARGS__)
+#define DBG4(sig, format, ...) charon->bus->signal(charon->bus, sig, LEVEL_4, NULL, format, ##__VA_ARGS__)
 #endif /* DEBUG_LEVEL */
 
 #ifndef DBG1
@@ -187,13 +187,22 @@ enum level_t {
 #endif /* DBG4 */
 
 /**
- * Raise a signal for an occured event.
+ * Raise a signal for an IKE_SA event.
  *
  * @param sig		signal_t signal description
  * @param format	printf() style format string
  * @param ...		printf() style agument list
  */
-#define SIG(sig, format, ...) charon->bus->signal(charon->bus, sig, LEVEL_0, format, ##__VA_ARGS__)
+#define SIG_IKE(sig, format, ...) charon->bus->signal(charon->bus, IKE_##sig, LEVEL_0, NULL, format, ##__VA_ARGS__)
+
+/**
+ * Raise a signal for an IKE event.
+ *
+ * @param sig		signal_t signal description
+ * @param format	printf() style format string
+ * @param ...		printf() style agument list
+ */
+#define SIG_CHD(sig, chd, format, ...) charon->bus->signal(charon->bus, CHD_##sig, LEVEL_0, chd, format, ##__VA_ARGS__)
 
 /**
  * Get the type of a signal.
@@ -227,20 +236,21 @@ struct bus_listener_t {
 	 * a "..." parameters to functions is not (cleanly) possible.
 	 * The implementing signal function returns TRUE to stay registered
 	 * to the bus, or FALSE to unregister itself.
-	 * You should not call bus_t.signal() inside of a registered listener,
-	 * as it WILL call itself recursively. If you do so, make shure to 
-	 * avoid infinite recursion. Watch your stack!
+	 * Calling bus_t.signal() inside of a registered listener is possible,
+	 * but the bus does not invoke listeners recursively.
 	 *
 	 * @param singal	kind of the signal (up, down, rekeyed, ...)
 	 * @param level		verbosity level of the signal
 	 * @param thread	ID of the thread raised this signal
 	 * @param ike_sa	IKE_SA associated to the event
+	 * @param data		additional signal specific user data
 	 * @param format	printf() style format string
 	 * @param args		vprintf() style va_list argument list
 	 " @return			TRUE to stay registered, FALSE to unregister
 	 */
 	bool (*signal) (bus_listener_t *this, signal_t signal, level_t level,
-					int thread, ike_sa_t *ike_sa, char* format, va_list args);
+					int thread, ike_sa_t *ike_sa, void *data, 
+					char* format, va_list args);
 };
 
 /**
@@ -310,26 +320,26 @@ struct bus_t {
 	 *
 	 * @param singal	kind of the signal (up, down, rekeyed, ...)
 	 * @param level		verbosity level of the signal
+	 * @param data		additional signal specific user data
 	 * @param format	printf() style format string
 	 * @param ...		printf() style argument list
 	 */
-	void (*signal) (bus_t *this, signal_t signal, level_t level, char* format, ...);
+	void (*signal) (bus_t *this, signal_t signal, level_t level,
+					void *data, char* format, ...);
 	
 	/**
 	 * Send a signal to the bus using va_list arguments.
 	 *
 	 * Same as bus_t.signal(), but uses va_list argument list.
 	 *
-	 * @todo Improve performace of vsignal implementation. This method is
-	 * called extensively and therefore shouldn't allocate heap memory or
-	 * do other expensive tasks!
-	 *
 	 * @param singal	kind of the signal (up, down, rekeyed, ...)
 	 * @param level		verbosity level of the signal
+	 * @param data		additional signal specific user data
 	 * @param format	printf() style format string
 	 * @param args		va_list arguments
 	 */
-	void (*vsignal) (bus_t *this, signal_t signal, level_t level, char* format, va_list args);
+	void (*vsignal) (bus_t *this, signal_t signal, level_t level,
+					 void *data, char* format, va_list args);
 	
 	/**
 	 * Destroy the signal bus.
diff --git a/src/charon/bus/listeners/file_logger.c b/src/charon/bus/listeners/file_logger.c
index f89da8529..8a7f66360 100644
--- a/src/charon/bus/listeners/file_logger.c
+++ b/src/charon/bus/listeners/file_logger.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: file_logger.c 3589 2008-03-13 14:14:44Z martin $
+ * $Id: file_logger.c 4192 2008-07-18 15:51:40Z martin $
  */
 
 #include <stdio.h>
@@ -49,7 +49,8 @@ struct private_file_logger_t {
  * Implementation of bus_listener_t.signal.
  */
 static bool signal_(private_file_logger_t *this, signal_t signal, level_t level,
-					int thread, ike_sa_t* ike_sa, char *format, va_list args)
+					int thread, ike_sa_t* ike_sa, void *data,
+					char *format, va_list args)
 {
 	if (level <= this->levels[SIG_TYPE(signal)])
 	{
@@ -111,7 +112,7 @@ file_logger_t *file_logger_create(FILE *out)
 	private_file_logger_t *this = malloc_thing(private_file_logger_t);
 	
 	/* public functions */
-	this->public.listener.signal = (bool(*)(bus_listener_t*,signal_t,level_t,int,ike_sa_t*,char*,va_list))signal_;
+	this->public.listener.signal = (bool(*)(bus_listener_t*,signal_t,level_t,int,ike_sa_t*,void*,char*,va_list))signal_;
 	this->public.set_level = (void(*)(file_logger_t*,signal_t,level_t))set_level;
 	this->public.destroy = (void(*)(file_logger_t*))destroy;
 	
diff --git a/src/charon/bus/listeners/sys_logger.c b/src/charon/bus/listeners/sys_logger.c
index 900fa3aa6..4f5b6fc3b 100644
--- a/src/charon/bus/listeners/sys_logger.c
+++ b/src/charon/bus/listeners/sys_logger.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: sys_logger.c 3589 2008-03-13 14:14:44Z martin $
+ * $Id: sys_logger.c 4192 2008-07-18 15:51:40Z martin $
  */
 
 #include <stdio.h>
@@ -50,7 +50,8 @@ struct private_sys_logger_t {
  * Implementation of bus_listener_t.signal.
  */
 static bool signal_(private_sys_logger_t *this, signal_t signal, level_t level,
-					int thread, ike_sa_t* ike_sa, char *format, va_list args)
+					int thread, ike_sa_t* ike_sa, void *data, 
+					char *format, va_list args)
 {
 	if (level <= this->levels[SIG_TYPE(signal)])
 	{
@@ -114,7 +115,7 @@ sys_logger_t *sys_logger_create(int facility)
 	private_sys_logger_t *this = malloc_thing(private_sys_logger_t);
 	
 	/* public functions */
-	this->public.listener.signal = (bool(*)(bus_listener_t*,signal_t,level_t,int,ike_sa_t*,char*,va_list))signal_;
+	this->public.listener.signal = (bool(*)(bus_listener_t*,signal_t,level_t,int,ike_sa_t*,void*,char*,va_list))signal_;
 	this->public.set_level = (void(*)(sys_logger_t*,signal_t,level_t))set_level;
 	this->public.destroy = (void(*)(sys_logger_t*))destroy;
 	
diff --git a/src/charon/config/backend_manager.c b/src/charon/config/backend_manager.c
index d77c05fd7..c2b408ca9 100644
--- a/src/charon/config/backend_manager.c
+++ b/src/charon/config/backend_manager.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: backend_manager.c 4044 2008-06-06 15:05:54Z martin $
+ * $Id: backend_manager.c 4134 2008-07-01 11:10:37Z martin $
  */
 
 #include "backend_manager.h"
@@ -48,6 +48,16 @@ struct private_backend_manager_t {
 	mutex_t *mutex;
 };
 
+/**
+ * match of an ike_cfg
+ */
+typedef enum ike_cfg_match_t {
+	MATCH_NONE  = 0x00,
+	MATCH_ANY   = 0x01,
+	MATCH_ME    = 0x04,
+	MATCH_OTHER = 0x08,
+} ike_cfg_match_t;
+
 /**
  * data to pass nested IKE enumerator
  */
@@ -107,6 +117,48 @@ static enumerator_t *peer_enum_create_all(backend_t *backend)
 	return backend->create_peer_cfg_enumerator(backend, NULL, NULL);
 }
 
+/**
+ * get a match of a candidate ike_cfg for two hosts
+ */
+static ike_cfg_match_t get_match(ike_cfg_t *cand, host_t *me, host_t *other)
+{
+	host_t *me_cand, *other_cand;
+	ike_cfg_match_t match = MATCH_NONE;
+	
+	me_cand = host_create_from_dns(cand->get_my_addr(cand),
+								   me->get_family(me), 0);
+	if (!me_cand)
+	{
+		return MATCH_NONE;
+	}
+	if (me_cand->ip_equals(me_cand, me))
+	{
+		match += MATCH_ME;
+	}
+	else if (me_cand->is_anyaddr(me_cand))
+	{
+		match += MATCH_ANY;
+	}
+	me_cand->destroy(me_cand);
+	
+	other_cand = host_create_from_dns(cand->get_other_addr(cand),
+									  other->get_family(other), 0);
+	if (!other_cand)
+	{
+		return MATCH_NONE;
+	}
+	if (other_cand->ip_equals(other_cand, other))
+	{
+		match += MATCH_OTHER;
+	}
+	else if (other_cand->is_anyaddr(other_cand))
+	{
+		match += MATCH_ANY;
+	}
+	other_cand->destroy(other_cand);
+	return match;
+}
+
 /**
  * implements backend_manager_t.get_ike_cfg.
  */
@@ -115,14 +167,8 @@ static ike_cfg_t *get_ike_cfg(private_backend_manager_t *this,
 {
 	ike_cfg_t *current, *found = NULL;
 	enumerator_t *enumerator;
-	host_t *my_candidate, *other_candidate;
+	ike_cfg_match_t match, best = MATCH_ANY;
 	ike_data_t *data;
-	enum {
-		MATCH_NONE  = 0x00,
-		MATCH_ANY   = 0x01,
-		MATCH_ME    = 0x04,
-		MATCH_OTHER = 0x08,
-	} prio, best = MATCH_ANY;
 	
 	data = malloc_thing(ike_data_t);
 	data->this = this;
@@ -137,51 +183,20 @@ static ike_cfg_t *get_ike_cfg(private_backend_manager_t *this,
 						(void*)ike_enum_create, data, (void*)ike_enum_destroy);
 	while (enumerator->enumerate(enumerator, (void**)&current))
 	{
-		prio = MATCH_NONE;
-		
-		my_candidate = host_create_from_dns(current->get_my_addr(current),
-											me->get_family(me), 0);
-		if (!my_candidate)
-		{
-			continue;
-		}
-		if (my_candidate->ip_equals(my_candidate, me))
-		{
-			prio += MATCH_ME;
-		}
-		else if (my_candidate->is_anyaddr(my_candidate))
-		{
-			prio += MATCH_ANY;
-		}
-		my_candidate->destroy(my_candidate);
-		
-		other_candidate = host_create_from_dns(current->get_other_addr(current),
-											   other->get_family(other), 0);
-		if (!other_candidate)
-		{
-			continue;
-		}
-		if (other_candidate->ip_equals(other_candidate, other))
-		{
-			prio += MATCH_OTHER;
-		}
-		else if (other_candidate->is_anyaddr(other_candidate))
-		{
-			prio += MATCH_ANY;
-		}
-		other_candidate->destroy(other_candidate);
-		
-		DBG2(DBG_CFG, "  candidate: %s...%s, prio %d", 
-			 current->get_my_addr(current), current->get_other_addr(current),
-			 prio);
-		
-		/* we require at least two MATCH_ANY */
-		if (prio > best)
+		match = get_match(current, me, other);
+
+		if (match)
 		{
-			best = prio;
-			DESTROY_IF(found);
-			found = current;
-			found->get_ref(found);
+			DBG2(DBG_CFG, "  candidate: %s...%s, prio %d", 
+				 current->get_my_addr(current), current->get_other_addr(current),
+				 match);
+			if (match > best)
+			{
+				DESTROY_IF(found);
+				found = current;
+				found->get_ref(found);
+				best = match;
+			}
 		}
 	}
 	enumerator->destroy(enumerator);
@@ -202,22 +217,23 @@ static enumerator_t *create_peer_cfg_enumerator(private_backend_manager_t *this)
 /**
  * implements backend_manager_t.get_peer_cfg.
  */			
-static peer_cfg_t *get_peer_cfg(private_backend_manager_t *this,
-								identification_t *me, identification_t *other,
-								auth_info_t *auth)
+static peer_cfg_t *get_peer_cfg(private_backend_manager_t *this, host_t *me,
+								host_t *other, identification_t *my_id,
+								identification_t *other_id, auth_info_t *auth)
 {
 	peer_cfg_t *current, *found = NULL;
 	enumerator_t *enumerator;
-	identification_t *my_candidate, *other_candidate;
-	id_match_t best = ID_MATCH_NONE;
+	id_match_t best_peer = ID_MATCH_NONE;
+	ike_cfg_match_t best_ike = MATCH_NONE;
 	peer_data_t *data;
 	
-	DBG2(DBG_CFG, "looking for a config for %D...%D", me, other);
+	DBG2(DBG_CFG, "looking for a config for %H[%D]...%H[%D]",
+		 me, my_id, other, other_id);
 	
 	data = malloc_thing(peer_data_t);
 	data->this = this;
-	data->me = me;
-	data->other = other;
+	data->me = my_id;
+	data->other = other_id;
 	
 	this->mutex->lock(this->mutex);
 	enumerator = enumerator_create_nested(
@@ -225,42 +241,45 @@ static peer_cfg_t *get_peer_cfg(private_backend_manager_t *this,
 						(void*)peer_enum_create, data, (void*)peer_enum_destroy);
 	while (enumerator->enumerate(enumerator, &current))
 	{
-		id_match_t m1, m2, sum;
+		identification_t *my_cand, *other_cand;
+		id_match_t m1, m2, match_peer;
+		ike_cfg_match_t match_ike;
 
-		my_candidate = current->get_my_id(current);
-		other_candidate = current->get_other_id(current);
+		my_cand = current->get_my_id(current);
+		other_cand = current->get_other_id(current);
 		
 		/* own ID may have wildcards in both, config and request (missing IDr) */
-		m1 = my_candidate->matches(my_candidate, me);
+		m1 = my_cand->matches(my_cand, my_id);
 		if (!m1)
 		{
-			m1 = me->matches(me, my_candidate);
+			m1 = my_id->matches(my_id, my_cand);
 		}
-		m2 = other->matches(other, other_candidate);
-		sum = m1 + m2;
+		m2 = other_id->matches(other_id, other_cand);
+		
+		match_peer = m1 + m2;
+		match_ike = get_match(current->get_ike_cfg(current), me, other);
 		
-		if (m1 && m2)
+		if (m1 && m2 && match_ike && 
+			auth->complies(auth, current->get_auth(current)))
 		{
-			if (auth->complies(auth, current->get_auth(current)))
+			DBG2(DBG_CFG, "  candidate '%s': %D...%D, prio %d.%d",
+			 	 current->get_name(current), my_cand, other_cand,
+			 	 match_peer, match_ike);
+			if (match_peer >= best_peer && match_ike > best_ike)
 			{
-				DBG2(DBG_CFG, "  candidate '%s': %D...%D, prio %d",
-				 	 current->get_name(current), my_candidate,
-				 	 other_candidate, sum);
-				if (sum > best)
-				{
-					DESTROY_IF(found);
-					found = current;
-					found->get_ref(found);
-					best = sum;
-				}
+				DESTROY_IF(found);
+				found = current;
+				found->get_ref(found);
+				best_peer = match_peer;
+				best_ike = match_ike;
 			}
 		}
 	}
 	if (found)
 	{
-		DBG1(DBG_CFG, "found matching config \"%s\": %D...%D, prio %d",
+		DBG1(DBG_CFG, "found matching config \"%s\": %D...%D, prio %d.%d",
 			 found->get_name(found), found->get_my_id(found),
-			 found->get_other_id(found), best);
+			 found->get_other_id(found), best_peer, best_ike);
 	}
 	enumerator->destroy(enumerator);
 	this->mutex->unlock(this->mutex);
@@ -325,7 +344,7 @@ backend_manager_t *backend_manager_create()
 	private_backend_manager_t *this = malloc_thing(private_backend_manager_t);
 	
 	this->public.get_ike_cfg = (ike_cfg_t* (*)(backend_manager_t*, host_t*, host_t*))get_ike_cfg;
-	this->public.get_peer_cfg = (peer_cfg_t* (*)(backend_manager_t*,identification_t*,identification_t*,auth_info_t*))get_peer_cfg;
+	this->public.get_peer_cfg = (peer_cfg_t* (*)(backend_manager_t*,host_t*,host_t*,identification_t*,identification_t*,auth_info_t*))get_peer_cfg;
 	this->public.get_peer_cfg_by_name = (peer_cfg_t* (*)(backend_manager_t*,char*))get_peer_cfg_by_name;
 	this->public.create_peer_cfg_enumerator = (enumerator_t* (*)(backend_manager_t*))create_peer_cfg_enumerator;
 	this->public.add_backend = (void(*)(backend_manager_t*, backend_t *backend))add_backend;
diff --git a/src/charon/config/backend_manager.h b/src/charon/config/backend_manager.h
index 6400bd7fd..17df26dad 100644
--- a/src/charon/config/backend_manager.h
+++ b/src/charon/config/backend_manager.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: backend_manager.h 3589 2008-03-13 14:14:44Z martin $
+ * $Id: backend_manager.h 4132 2008-07-01 09:05:20Z martin $
  */
 
 /**
@@ -66,12 +66,15 @@ struct backend_manager_t {
 	/**
 	 * Get a peer_config identified by two IDs and authorization info.
 	 *
+	 * @param me				own address
+	 * @param other				peer address
 	 * @param my_id				own ID
 	 * @param other_id			peer ID
 	 * @param auth_info			authorization info
 	 * @return					matching peer_config, or NULL if none found
 	 */
-	peer_cfg_t* (*get_peer_cfg)(backend_manager_t *this, identification_t *my_id,
+	peer_cfg_t* (*get_peer_cfg)(backend_manager_t *this, host_t *me,
+								host_t *other, identification_t *my_id,
 								identification_t *other_id, auth_info_t *auth);
 	
 	/**
diff --git a/src/charon/config/child_cfg.c b/src/charon/config/child_cfg.c
index f929927ef..24242345b 100644
--- a/src/charon/config/child_cfg.c
+++ b/src/charon/config/child_cfg.c
@@ -14,25 +14,17 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: child_cfg.c 4062 2008-06-12 11:42:19Z martin $
+ * $Id: child_cfg.c 4358 2008-09-25 13:56:23Z tobias $
  */
 
 #include "child_cfg.h"
 
 #include <daemon.h>
 
-ENUM(mode_names, MODE_TRANSPORT, MODE_BEET,
-	"TRANSPORT",
-	"TUNNEL",
-	"2",
-	"3",
-	"BEET",
-);
-
 ENUM(action_names, ACTION_NONE, ACTION_RESTART,
-	"ACTION_NONE",
-	"ACTION_ROUTE",
-	"ACTION_RESTART",
+	"clear",
+	"hold",
+	"restart",
 );
 
 ENUM_BEGIN(ipcomp_transform_names, IPCOMP_NONE, IPCOMP_NONE, 
@@ -94,7 +86,7 @@ struct private_child_cfg_t {
 	/**
 	 * Mode to propose for a initiated CHILD: tunnel/transport
 	 */
-	mode_t mode;
+	ipsec_mode_t mode;
 	
 	/**
 	 * action to take on DPD
@@ -379,7 +371,7 @@ static u_int32_t get_lifetime(private_child_cfg_t *this, bool rekey)
 /**
  * Implementation of child_cfg_t.get_mode
  */
-static mode_t get_mode(private_child_cfg_t *this)
+static ipsec_mode_t get_mode(private_child_cfg_t *this)
 {
 	return this->mode;
 }
@@ -462,7 +454,7 @@ static void destroy(private_child_cfg_t *this)
  */
 child_cfg_t *child_cfg_create(char *name, u_int32_t lifetime,
 							  u_int32_t rekeytime, u_int32_t jitter,
-							  char *updown, bool hostaccess, mode_t mode,
+							  char *updown, bool hostaccess, ipsec_mode_t mode,
 							  action_t dpd_action, action_t close_action, bool ipcomp)
 {
 	private_child_cfg_t *this = malloc_thing(private_child_cfg_t);
@@ -475,7 +467,7 @@ child_cfg_t *child_cfg_create(char *name, u_int32_t lifetime,
 	this->public.select_proposal = (proposal_t* (*) (child_cfg_t*,linked_list_t*,bool))select_proposal;
 	this->public.get_updown = (char* (*) (child_cfg_t*))get_updown;
 	this->public.get_hostaccess = (bool (*) (child_cfg_t*))get_hostaccess;
-	this->public.get_mode = (mode_t (*) (child_cfg_t *))get_mode;
+	this->public.get_mode = (ipsec_mode_t (*) (child_cfg_t *))get_mode;
 	this->public.get_dpd_action = (action_t (*) (child_cfg_t *))get_dpd_action;
 	this->public.get_close_action = (action_t (*) (child_cfg_t *))get_close_action;
 	this->public.get_lifetime = (u_int32_t (*) (child_cfg_t *,bool))get_lifetime;
diff --git a/src/charon/config/child_cfg.h b/src/charon/config/child_cfg.h
index 6d262c217..83d6cafe6 100644
--- a/src/charon/config/child_cfg.h
+++ b/src/charon/config/child_cfg.h
@@ -14,7 +14,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: child_cfg.h 3920 2008-05-08 16:19:11Z tobias $
+ * $Id: child_cfg.h 4358 2008-09-25 13:56:23Z tobias $
  */
 
 /**
@@ -25,7 +25,6 @@
 #ifndef CHILD_CFG_H_
 #define CHILD_CFG_H_
 
-typedef enum mode_t mode_t;
 typedef enum action_t action_t;
 typedef enum ipcomp_transform_t ipcomp_transform_t;
 typedef struct child_cfg_t child_cfg_t;
@@ -33,25 +32,7 @@ typedef struct child_cfg_t child_cfg_t;
 #include <library.h>
 #include <config/proposal.h>
 #include <config/traffic_selector.h>
-
-/**
- * Mode of an CHILD_SA.
- *
- * These are equal to those defined in XFRM, so don't change.
- */
-enum mode_t {
-	/** transport mode, no inner address */
-	MODE_TRANSPORT = 0,
-	/** tunnel mode, inner and outer addresses */
-	MODE_TUNNEL = 1,
-	/** BEET mode, tunnel mode but fixed, bound inner addresses */
-	MODE_BEET = 4,
-};
-
-/**
- * enum names for mode_t.
- */
-extern enum_name_t *mode_names;
+#include <kernel/kernel_ipsec.h>
 
 /**
  * Action to take when DPD detected/connection gets closed by peer.
@@ -208,7 +189,7 @@ struct child_cfg_t {
 	 * 
 	 * @return				ipsec mode
 	 */
-	mode_t (*get_mode) (child_cfg_t *this);
+	ipsec_mode_t (*get_mode) (child_cfg_t *this);
 	
 	/**
 	 * Action to take on DPD.
@@ -279,7 +260,7 @@ struct child_cfg_t {
  */
 child_cfg_t *child_cfg_create(char *name, u_int32_t lifetime,
 							  u_int32_t rekeytime, u_int32_t jitter,
-							  char *updown, bool hostaccess, mode_t mode,
+							  char *updown, bool hostaccess, ipsec_mode_t mode,
 							  action_t dpd_action, action_t close_action,
 							  bool ipcomp);
 
diff --git a/src/charon/config/peer_cfg.c b/src/charon/config/peer_cfg.c
index 0e56759c2..04f323128 100644
--- a/src/charon/config/peer_cfg.c
+++ b/src/charon/config/peer_cfg.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2007-2008 Tobias Brunner
- * Copyright (C) 2005-2007 Martin Willi
+ * Copyright (C) 2005-2008 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
  *
@@ -14,7 +14,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: peer_cfg.c 4051 2008-06-10 09:08:27Z tobias $
+ * $Id: peer_cfg.c 4276 2008-08-22 10:44:51Z martin $
  */
 
 #include <string.h>
@@ -37,12 +37,6 @@ ENUM(unique_policy_names, UNIQUE_NO, UNIQUE_KEEP,
 	"UNIQUE_KEEP",
 );
 
-ENUM(config_auth_method_names, CONF_AUTH_PUBKEY, CONF_AUTH_EAP,
-	"CONF_AUTH_PUBKEY",
-	"CONF_AUTH_PSK",
-	"CONF_AUTH_EAP",
-);
-
 typedef struct private_peer_cfg_t private_peer_cfg_t;
 
 /**
@@ -105,21 +99,6 @@ struct private_peer_cfg_t {
 	 */
 	unique_policy_t unique;
 	
-	/**
-	 * Method to use for own authentication data
-	 */
-	config_auth_method_t auth_method;
-	
-	/**
-	 * EAP type to use for peer authentication
-	 */
-	eap_type_t eap_type;
-	
-	/**
-	 * EAP vendor ID if vendor specific type is used
-	 */
-	u_int32_t eap_vendor;
-	
 	/**
 	 * number of tries after giving up if peer does not respond
 	 */
@@ -318,23 +297,6 @@ static unique_policy_t get_unique_policy(private_peer_cfg_t *this)
 	return this->unique;
 }
 
-/**
- * Implementation of peer_cfg_t.get_auth_method.
- */
-static config_auth_method_t get_auth_method(private_peer_cfg_t *this)
-{
-	return this->auth_method;
-}
-
-/**
- * Implementation of peer_cfg_t.get_eap_type.
- */
-static eap_type_t get_eap_type(private_peer_cfg_t *this, u_int32_t *vendor)
-{
-	*vendor = this->eap_vendor;
-	return this->eap_type;
-}
-
 /**
  * Implementation of peer_cfg_t.get_keyingtries.
  */
@@ -469,9 +431,6 @@ static bool equals(private_peer_cfg_t *this, private_peer_cfg_t *other)
 		this->other_id->equals(this->other_id, other->other_id) &&
 		this->cert_policy == other->cert_policy &&
 		this->unique == other->unique &&
-		this->auth_method == other->auth_method &&
-		this->eap_type == other->eap_type &&
-		this->eap_vendor == other->eap_vendor &&
 		this->keyingtries == other->keyingtries &&
 		this->use_mobike == other->use_mobike &&
 		this->rekey_time == other->rekey_time &&
@@ -533,8 +492,6 @@ static void destroy(private_peer_cfg_t *this)
 peer_cfg_t *peer_cfg_create(char *name, u_int ike_version, ike_cfg_t *ike_cfg,
 							identification_t *my_id, identification_t *other_id,
 							cert_policy_t cert_policy, unique_policy_t unique,
-							config_auth_method_t auth_method, eap_type_t eap_type,
-							u_int32_t eap_vendor,
 							u_int32_t keyingtries, u_int32_t rekey_time,
 							u_int32_t reauth_time, u_int32_t jitter_time,
 							u_int32_t over_time, bool mobike, u_int32_t dpd,
@@ -556,8 +513,6 @@ peer_cfg_t *peer_cfg_create(char *name, u_int ike_version, ike_cfg_t *ike_cfg,
 	this->public.get_other_id = (identification_t* (*)(peer_cfg_t *))get_other_id;
 	this->public.get_cert_policy = (cert_policy_t (*) (peer_cfg_t *))get_cert_policy;
 	this->public.get_unique_policy = (unique_policy_t (*) (peer_cfg_t *))get_unique_policy;
-	this->public.get_auth_method = (config_auth_method_t (*) (peer_cfg_t *))get_auth_method;
-	this->public.get_eap_type = (eap_type_t (*) (peer_cfg_t *,u_int32_t*))get_eap_type;
 	this->public.get_keyingtries = (u_int32_t (*) (peer_cfg_t *))get_keyingtries;
 	this->public.get_rekey_time = (u_int32_t(*)(peer_cfg_t*))get_rekey_time;
 	this->public.get_reauth_time = (u_int32_t(*)(peer_cfg_t*))get_reauth_time;
@@ -586,9 +541,6 @@ peer_cfg_t *peer_cfg_create(char *name, u_int ike_version, ike_cfg_t *ike_cfg,
 	this->other_id = other_id;
 	this->cert_policy = cert_policy;
 	this->unique = unique;
-	this->auth_method = auth_method;
-	this->eap_type = eap_type;
-	this->eap_vendor = eap_vendor;
 	this->keyingtries = keyingtries;
 	this->rekey_time = rekey_time;
 	this->reauth_time = reauth_time;
diff --git a/src/charon/config/peer_cfg.h b/src/charon/config/peer_cfg.h
index 5662b48df..473cdfd04 100644
--- a/src/charon/config/peer_cfg.h
+++ b/src/charon/config/peer_cfg.h
@@ -14,7 +14,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: peer_cfg.h 4054 2008-06-10 20:31:53Z andreas $
+ * $Id: peer_cfg.h 4276 2008-08-22 10:44:51Z martin $
  */
 
 /**
@@ -27,7 +27,6 @@
 
 typedef enum cert_policy_t cert_policy_t;
 typedef enum unique_policy_t unique_policy_t;
-typedef enum config_auth_method_t config_auth_method_t;
 typedef struct peer_cfg_t peer_cfg_t;
 
 #include <library.h>
@@ -81,23 +80,6 @@ enum unique_policy_t {
  */
 extern enum_name_t *unique_policy_names;
 
-/**
- * Authentication method for this IKE_SA.
- */
-enum config_auth_method_t {
-	/** authentication using public keys (RSA, ECDSA) */
-	CONF_AUTH_PUBKEY =	1,
-	/** authentication using a pre-shared secret */
-	CONF_AUTH_PSK = 	2,
-	/** authentication using EAP */
-	CONF_AUTH_EAP = 	3,
-};
-
-/**
- * enum strings for config_auth_method_t
- */
-extern enum_name_t *config_auth_method_names;
-
 /**
  * Configuration of a peer, specified by IDs.
  *
@@ -220,25 +202,6 @@ struct peer_cfg_t {
 	 * @return			unique policy
 	 */
 	unique_policy_t (*get_unique_policy) (peer_cfg_t *this);
-
-	/**
-	 * Get the authentication method to use to authenticate us.
-	 * 
-	 * @return			authentication method
-	 */
-	config_auth_method_t (*get_auth_method) (peer_cfg_t *this);
-	
-	/**
-	 * Get the EAP type to use for peer authentication.
-	 *
-	 * If vendor specific types are used, a vendor ID != 0 is returned to
-	 * to vendor argument. Then the returned type is specific for that 
-	 * vendor ID.
-	 * 
-	 * @param vendor	receives vendor specifier, 0 for predefined EAP types
-	 * @return			authentication method
-	 */
-	eap_type_t (*get_eap_type) (peer_cfg_t *this, u_int32_t *vendor);
 	
 	/**
 	 * Get the max number of retries after timeout.
@@ -372,9 +335,6 @@ struct peer_cfg_t {
  * @param other_id 			identification_t for the remote guy
  * @param cert_policy		should we send a certificate payload?
  * @param unique			uniqueness of an IKE_SA
- * @param auth_method		auth method to use to authenticate us
- * @param eap_type			EAP type to use for peer authentication
- * @param eap_vendor		EAP vendor identifier, if vendor specific type is used
  * @param keyingtries		how many keying tries should be done before giving up
  * @param rekey_time		timeout before starting rekeying
  * @param reauth_time		timeout before starting reauthentication
@@ -393,8 +353,6 @@ struct peer_cfg_t {
 peer_cfg_t *peer_cfg_create(char *name, u_int ikev_version, ike_cfg_t *ike_cfg,
 							identification_t *my_id, identification_t *other_id,
 							cert_policy_t cert_policy, unique_policy_t unique,
-							config_auth_method_t auth_method, eap_type_t eap_type,
-							u_int32_t eap_vendor,
 							u_int32_t keyingtries, u_int32_t rekey_time,
 							u_int32_t reauth_time, u_int32_t jitter_time,
 							u_int32_t over_time, bool mobike, u_int32_t dpd,
diff --git a/src/charon/config/proposal.c b/src/charon/config/proposal.c
index 803cf8ae4..b1c049fe8 100644
--- a/src/charon/config/proposal.c
+++ b/src/charon/config/proposal.c
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: proposal.c 4062 2008-06-12 11:42:19Z martin $
+ * $Id: proposal.c 4390 2008-10-08 12:57:11Z martin $
  */
 
 #include <string.h>
@@ -755,10 +755,18 @@ static status_t add_string_algo(private_proposal_t *this, chunk_t alg)
 	{
 		add_algorithm(this, DIFFIE_HELLMAN_GROUP, MODP_2048_BIT, 0);
 	}
+	else if (strncmp(alg.ptr, "modp3072", alg.len) == 0)
+	{
+		add_algorithm(this, DIFFIE_HELLMAN_GROUP, MODP_3072_BIT, 0);
+	}
 	else if (strncmp(alg.ptr, "modp4096", alg.len) == 0)
 	{
 		add_algorithm(this, DIFFIE_HELLMAN_GROUP, MODP_4096_BIT, 0);
 	}
+	else if (strncmp(alg.ptr, "modp6144", alg.len) == 0)
+	{
+		add_algorithm(this, DIFFIE_HELLMAN_GROUP, MODP_6144_BIT, 0);
+	}
 	else if (strncmp(alg.ptr, "modp8192", alg.len) == 0)
 	{
 		add_algorithm(this, DIFFIE_HELLMAN_GROUP, MODP_8192_BIT, 0);
@@ -938,6 +946,112 @@ proposal_t *proposal_create(protocol_id_t protocol)
 	return &this->public;
 }
 
+/**
+ * Add supported IKE algorithms to proposal
+ */
+static void proposal_add_supported_ike(private_proposal_t *this)
+{
+	enumerator_t *enumerator;
+	encryption_algorithm_t encryption;
+	integrity_algorithm_t integrity;
+	pseudo_random_function_t prf;
+	diffie_hellman_group_t group;
+	
+	enumerator = lib->crypto->create_crypter_enumerator(lib->crypto);
+	while (enumerator->enumerate(enumerator, &encryption))
+	{
+		switch (encryption)
+		{
+			case ENCR_AES_CBC:
+				/* we assume that we support all AES sizes */
+				add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 128);
+				add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 192);
+				add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 256);
+				break;
+			case ENCR_3DES:
+			case ENCR_AES_CTR:
+			case ENCR_AES_CCM_ICV8:
+			case ENCR_AES_CCM_ICV12:
+			case ENCR_AES_CCM_ICV16:
+			case ENCR_AES_GCM_ICV8:
+			case ENCR_AES_GCM_ICV12:
+			case ENCR_AES_GCM_ICV16:
+				add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 0);
+				break;
+			case ENCR_DES:
+				/* no, thanks */
+				break;
+			default:
+				break;
+		}	
+	}
+	enumerator->destroy(enumerator);
+	
+	enumerator = lib->crypto->create_signer_enumerator(lib->crypto);
+	while (enumerator->enumerate(enumerator, &integrity))
+	{
+		switch (integrity)
+		{
+			case AUTH_HMAC_SHA1_96:
+			case AUTH_HMAC_SHA2_256_128:
+			case AUTH_HMAC_SHA2_384_192:
+			case AUTH_HMAC_SHA2_512_256:
+			case AUTH_HMAC_MD5_96:
+			case AUTH_AES_XCBC_96:
+				add_algorithm(this, INTEGRITY_ALGORITHM, integrity, 0);
+				break;
+			default:
+				break;
+		}	
+	}
+	enumerator->destroy(enumerator);
+	
+	enumerator = lib->crypto->create_prf_enumerator(lib->crypto);
+	while (enumerator->enumerate(enumerator, &prf))
+	{
+		switch (prf)
+		{
+			case PRF_HMAC_SHA1:
+			case PRF_HMAC_SHA2_256:
+			case PRF_HMAC_SHA2_384:
+			case PRF_HMAC_SHA2_512:
+			case PRF_HMAC_MD5:
+			case PRF_AES128_XCBC:
+				add_algorithm(this, PSEUDO_RANDOM_FUNCTION, prf, 0);
+				break;
+			default:
+				break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	
+	enumerator = lib->crypto->create_dh_enumerator(lib->crypto);
+	while (enumerator->enumerate(enumerator, &group))
+	{
+		switch (group)
+		{
+			case MODP_768_BIT:
+				/* weak */
+				break;
+			case MODP_1024_BIT:
+			case MODP_1536_BIT:
+			case MODP_2048_BIT:
+			case MODP_4096_BIT:
+			case MODP_8192_BIT:
+			case ECP_256_BIT:
+			case ECP_384_BIT:
+			case ECP_521_BIT:
+			case ECP_192_BIT:
+			case ECP_224_BIT:
+				add_algorithm(this, DIFFIE_HELLMAN_GROUP, group, 0);
+				break;
+			default:
+				break;
+		}
+	}
+	enumerator->destroy(enumerator);
+}
+
 /*
  * Describtion in header-file
  */
@@ -948,27 +1062,7 @@ proposal_t *proposal_create_default(protocol_id_t protocol)
 	switch (protocol)
 	{
 		case PROTO_IKE:
-			add_algorithm(this, ENCRYPTION_ALGORITHM,   ENCR_AES_CBC,         128);
-			add_algorithm(this, ENCRYPTION_ALGORITHM,   ENCR_AES_CBC,         192);
-			add_algorithm(this, ENCRYPTION_ALGORITHM,   ENCR_AES_CBC,         256);
-			add_algorithm(this, ENCRYPTION_ALGORITHM,   ENCR_3DES,              0);
-			add_algorithm(this, INTEGRITY_ALGORITHM,    AUTH_AES_XCBC_96,       0);
-			add_algorithm(this, INTEGRITY_ALGORITHM,    AUTH_HMAC_SHA2_256_128, 0);
-			add_algorithm(this, INTEGRITY_ALGORITHM,    AUTH_HMAC_SHA1_96,      0);
-			add_algorithm(this, INTEGRITY_ALGORITHM,    AUTH_HMAC_MD5_96,       0);
-			add_algorithm(this, INTEGRITY_ALGORITHM,    AUTH_HMAC_SHA2_384_192, 0);
-			add_algorithm(this, INTEGRITY_ALGORITHM,    AUTH_HMAC_SHA2_512_256, 0);
-			add_algorithm(this, PSEUDO_RANDOM_FUNCTION, PRF_AES128_XCBC,        0);
-			add_algorithm(this, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_256,      0);
-			add_algorithm(this, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA1,          0);
-			add_algorithm(this, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_MD5,           0);
-			add_algorithm(this, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_384,      0);
-			add_algorithm(this, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_512,      0);
-			add_algorithm(this, DIFFIE_HELLMAN_GROUP,   MODP_2048_BIT,          0);
-			add_algorithm(this, DIFFIE_HELLMAN_GROUP,   MODP_1536_BIT,          0);
-			add_algorithm(this, DIFFIE_HELLMAN_GROUP,   MODP_1024_BIT,          0);
-			add_algorithm(this, DIFFIE_HELLMAN_GROUP,   MODP_4096_BIT,          0);
-			add_algorithm(this, DIFFIE_HELLMAN_GROUP,   MODP_8192_BIT,          0);
+			proposal_add_supported_ike(this);
 			break;
 		case PROTO_ESP:
 			add_algorithm(this, ENCRYPTION_ALGORITHM,   ENCR_AES_CBC,         128);
@@ -990,7 +1084,6 @@ proposal_t *proposal_create_default(protocol_id_t protocol)
 		default:
 			break;
 	}
-	
 	return &this->public;
 }
 
diff --git a/src/charon/config/traffic_selector.c b/src/charon/config/traffic_selector.c
index f41c39d30..63172f855 100644
--- a/src/charon/config/traffic_selector.c
+++ b/src/charon/config/traffic_selector.c
@@ -14,7 +14,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: traffic_selector.c 3658 2008-03-26 10:06:45Z martin $
+ * $Id: traffic_selector.c 4199 2008-07-21 19:08:03Z andreas $
  */
 
 #include <arpa/inet.h>
@@ -195,21 +195,22 @@ static int print(FILE *stream, const struct printf_info *info,
 		memeq(this->from, from, this->type == TS_IPV4_ADDR_RANGE ? 4 : 16) && 
 		memeq(this->to, to, this->type == TS_IPV4_ADDR_RANGE ? 4 : 16))
 	{
-		return fprintf(stream, "dynamic/%d",
-					   this->type == TS_IPV4_ADDR_RANGE ? 32 : 128);
-	}
-	
-	if (this->type == TS_IPV4_ADDR_RANGE)
-	{
-		inet_ntop(AF_INET, &this->from4, addr_str, sizeof(addr_str));
+		written += fprintf(stream, "dynamic/%d",
+						   this->type == TS_IPV4_ADDR_RANGE ? 32 : 128);
 	}
 	else
 	{
-		inet_ntop(AF_INET6, &this->from6, addr_str, sizeof(addr_str));
+		if (this->type == TS_IPV4_ADDR_RANGE)
+		{
+			inet_ntop(AF_INET, &this->from4, addr_str, sizeof(addr_str));
+		}
+		else
+		{
+			inet_ntop(AF_INET6, &this->from6, addr_str, sizeof(addr_str));
+		}
+		mask = calc_netbits(this);
+		written += fprintf(stream, "%s/%d", addr_str, mask);
 	}
-	mask = calc_netbits(this);
-	
-	written += fprintf(stream, "%s/%d", addr_str, mask);
 	
 	/* check if we have protocol and/or port selectors */
 	has_proto = this->protocol != 0;
diff --git a/src/charon/control/controller.c b/src/charon/control/controller.c
index 2d1decd88..c124f439a 100644
--- a/src/charon/control/controller.c
+++ b/src/charon/control/controller.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: controller.c 3820 2008-04-17 11:22:37Z martin $
+ * $Id: controller.c 4192 2008-07-18 15:51:40Z martin $
  */
 
 #include "controller.h"
@@ -118,21 +118,22 @@ static enumerator_t* create_ike_sa_enumerator(controller_t *this)
  */
 static bool initiate_listener(interface_bus_listener_t *this, signal_t signal,
 							  level_t level, int thread, ike_sa_t *ike_sa,
-							  char* format, va_list args)
+							  void* data, char* format, va_list args)
 {
 	if (this->ike_sa == ike_sa)
 	{
-		if (!this->callback(this->param, signal, level, ike_sa, format, args))
+		if (!this->callback(this->param, signal, level, ike_sa, data,
+							format, args))
 		{
 			return FALSE;
 		}
 		switch (signal)
 		{
-			case CHILD_UP_SUCCESS:
+			case CHD_UP_SUCCESS:
 				this->status = SUCCESS;
 				return FALSE;
 			case IKE_UP_FAILED:
-			case CHILD_UP_FAILED:
+			case CHD_UP_FAILED:
 				return FALSE;
 			default:
 				break;
@@ -200,11 +201,12 @@ static status_t initiate(private_controller_t *this,
  */
 static bool terminate_ike_listener(interface_bus_listener_t *this, signal_t signal,
 								   level_t level, int thread, ike_sa_t *ike_sa,
-								   char* format, va_list args)
+								   void* data, char* format, va_list args)
 {
 	if (this->ike_sa == ike_sa)
 	{
-		if (!this->callback(this->param, signal, level, ike_sa, format, args))
+		if (!this->callback(this->param, signal, level, ike_sa,
+							data, format, args))
 		{
 			return FALSE;
 		}
@@ -234,7 +236,7 @@ static status_t terminate_ike_execute(interface_job_t *job)
 													listener->id, FALSE);
 	if (ike_sa == NULL)
 	{
-		SIG(IKE_DOWN_FAILED, "unable to terminate, IKE_SA with "
+		SIG_IKE(DOWN_FAILED, "unable to terminate, IKE_SA with "
 			"ID %d not found", listener->id);
 		return NOT_FOUND;
 	}	
@@ -277,22 +279,23 @@ static status_t terminate_ike(controller_t *this, u_int32_t unique_id,
  */
 static bool terminate_child_listener(interface_bus_listener_t *this, signal_t signal,
 									 level_t level, int thread, ike_sa_t *ike_sa,
-									 char* format, va_list args)
+									 void* data, char* format, va_list args)
 {
 	if (this->ike_sa == ike_sa)
 	{
-		if (!this->callback(this->param, signal, level, ike_sa, format, args))
+		if (!this->callback(this->param, signal, level, ike_sa,
+							data, format, args))
 		{
 			return FALSE;
 		}
 		switch (signal)
 		{
-			case CHILD_DOWN_SUCCESS:
+			case CHD_DOWN_SUCCESS:
 			case IKE_DOWN_SUCCESS:
 				this->status = SUCCESS;
 				return FALSE;
 			case IKE_DOWN_FAILED:
-			case CHILD_DOWN_FAILED:
+			case CHD_DOWN_FAILED:
 				return FALSE;
 			default:
 				break;
@@ -315,8 +318,8 @@ static status_t terminate_child_execute(interface_job_t *job)
 													listener->id, TRUE);							
 	if (ike_sa == NULL)
 	{
-		SIG(CHILD_DOWN_FAILED, "unable to terminate, CHILD_SA with "
-			"ID %d not found", listener->id);
+		SIG_CHD(DOWN_FAILED, NULL, "unable to terminate, CHILD_SA with "
+				"ID %d not found", listener->id);
 		return NOT_FOUND;
 	}
 	listener->ike_sa = ike_sa;
@@ -335,8 +338,8 @@ static status_t terminate_child_execute(interface_job_t *job)
 	
 	if (child_sa == NULL)
 	{
-		SIG(CHILD_DOWN_FAILED, "unable to terminate, established CHILD_SA with "
-			"ID %d not found", listener->id);
+		SIG_CHD(DOWN_FAILED, NULL, "unable to terminate, established "
+				"CHILD_SA with ID %d not found", listener->id);
 		charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
 		return NOT_FOUND;
 	}
@@ -380,20 +383,21 @@ static status_t terminate_child(controller_t *this, u_int32_t reqid,
  */
 static bool route_listener(interface_bus_listener_t *this, signal_t signal,
 						   level_t level, int thread, ike_sa_t *ike_sa,
-						   char* format, va_list args)
+						   void* data, char* format, va_list args)
 {
 	if (this->ike_sa == ike_sa)
 	{
-		if (!this->callback(this->param, signal, level, ike_sa, format, args))
+		if (!this->callback(this->param, signal, level, ike_sa,
+							data, format, args))
 		{
 			return FALSE;
 		}
 		switch (signal)
 		{
-			case CHILD_ROUTE_SUCCESS:
+			case CHD_ROUTE_SUCCESS:
 				this->status = SUCCESS;
 				return FALSE;
-			case CHILD_ROUTE_FAILED:
+			case CHD_ROUTE_FAILED:
 				return FALSE;
 			default:
 				break;
@@ -458,20 +462,21 @@ static status_t route(controller_t *this,
  */
 static bool unroute_listener(interface_bus_listener_t *this, signal_t signal,
 						     level_t level, int thread, ike_sa_t *ike_sa,
-						     char* format, va_list args)
+						     void* data, char* format, va_list args)
 {
 	if (this->ike_sa == ike_sa)
 	{
-		if (!this->callback(this->param, signal, level, ike_sa, format, args))
+		if (!this->callback(this->param, signal, level, ike_sa, 
+							data, format, args))
 		{
 			return FALSE;
 		}
 		switch (signal)
 		{
-			case CHILD_UNROUTE_SUCCESS:
+			case CHD_UNROUTE_SUCCESS:
 				this->status = SUCCESS;
 				return FALSE;
-			case CHILD_UNROUTE_FAILED:
+			case CHD_UNROUTE_FAILED:
 				return FALSE;
 			default:
 				break;
@@ -491,8 +496,8 @@ static status_t unroute_execute(interface_job_t *job)
 													listener->id, TRUE);
 	if (ike_sa == NULL)
 	{
-		SIG(CHILD_DOWN_FAILED, "unable to unroute, CHILD_SA with "
-			"ID %d not found", listener->id);
+		SIG_CHD(DOWN_FAILED, NULL, "unable to unroute, CHILD_SA with "
+				"ID %d not found", listener->id);
 		return NOT_FOUND;
 	}
 	listener->ike_sa = ike_sa;
@@ -533,7 +538,7 @@ static status_t unroute(controller_t *this, u_int32_t reqid,
  * See header
  */
 bool controller_cb_empty(void *param, signal_t signal, level_t level,
-								ike_sa_t *ike_sa, char *format, va_list args)
+					ike_sa_t *ike_sa, void *data, char *format, va_list args)
 {
 	return TRUE;
 }
@@ -554,7 +559,7 @@ controller_t *controller_create(void)
 	private_controller_t *this = malloc_thing(private_controller_t);
 	
 	this->public.create_ike_sa_enumerator = (enumerator_t*(*)(controller_t*))create_ike_sa_enumerator;
-	this->public.initiate = (status_t(*)(controller_t*,peer_cfg_t*,child_cfg_t*,bool(*)(void*,signal_t,level_t,ike_sa_t*,char*,va_list),void*))initiate;
+	this->public.initiate = (status_t(*)(controller_t*,peer_cfg_t*,child_cfg_t*,controller_cb_t,void*))initiate;
 	this->public.terminate_ike = (status_t(*)(controller_t*,u_int32_t,controller_cb_t, void*))terminate_ike;
 	this->public.terminate_child = (status_t(*)(controller_t*,u_int32_t,controller_cb_t, void *param))terminate_child;
 	this->public.route = (status_t(*)(controller_t*,peer_cfg_t*, child_cfg_t*,controller_cb_t,void*))route;
diff --git a/src/charon/control/controller.h b/src/charon/control/controller.h
index 643611965..f40af0260 100644
--- a/src/charon/control/controller.h
+++ b/src/charon/control/controller.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: controller.h 3804 2008-04-14 11:37:46Z martin $
+ * $Id: controller.h 4192 2008-07-18 15:51:40Z martin $
  */
 
 /**
@@ -37,7 +37,8 @@
  * @return				FALSE to return from invoked function
  */
 typedef bool(*controller_cb_t)(void* param, signal_t signal, level_t level,
-							   ike_sa_t* ike_sa, char* format, va_list args);
+							   ike_sa_t* ike_sa, void *data,
+							   char* format, va_list args);
 
 /**
  * Empty callback function for controller_t functions.
@@ -46,7 +47,8 @@ typedef bool(*controller_cb_t)(void* param, signal_t signal, level_t level,
  * this function to the controllers methods.
  */
 bool controller_cb_empty(void *param, signal_t signal, level_t level,
-								ike_sa_t *ike_sa, char *format, va_list args);
+						 ike_sa_t *ike_sa, void *data,
+						 char *format, va_list args);
 
 typedef struct controller_t controller_t;
 
diff --git a/src/charon/credentials/auth_info.c b/src/charon/credentials/auth_info.c
index cd748bc97..028ca35c9 100644
--- a/src/charon/credentials/auth_info.c
+++ b/src/charon/credentials/auth_info.c
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: auth_info.c 3838 2008-04-18 11:24:45Z tobias $
+ * $Id: auth_info.c 4276 2008-08-22 10:44:51Z martin $
  */
 
 
@@ -25,6 +25,10 @@
 #include <credentials/certificates/certificate.h>
 
 ENUM(auth_item_names, AUTHN_CA_CERT, AUTHZ_AC_GROUP,
+	"AUTHN_AUTH_CLASS",
+	"AUTHN_EAP_TYPE",
+	"AUTHN_EAP_VENDOR",
+	"AUTHN_EAP_IDENTITY",
 	"AUTHN_CA_CERT",
 	"AUTHN_CA_CERT_KEYID",
 	"AUTHN_CA_CERT_NAME",
@@ -208,14 +212,18 @@ static void add_item(private_auth_info_t *this, auth_item_t type, void *value)
 			item->value = validation;
 			break;
 		}
+		case AUTHN_AUTH_CLASS:
+		case AUTHN_EAP_TYPE:
+		case AUTHN_EAP_VENDOR:
 		case AUTHZ_EAP:
 		{
-			eap_method_t *method = malloc_thing(eap_method_t);
+			u_int *intval = malloc_thing(u_int);
 
-			*method = *(eap_method_t*)value;
-			item->value = method;
+			*intval = *(u_int*)value;
+			item->value = intval;
 			break;
 		}
+		case AUTHN_EAP_IDENTITY:
 		case AUTHN_CA_CERT_KEYID:
 		case AUTHN_CA_CERT_NAME:
 		case AUTHZ_CA_CERT_NAME:
@@ -246,6 +254,10 @@ static bool complies(private_auth_info_t *this, auth_info_t *constraints)
 	{
 		switch (t1)
 		{
+			case AUTHN_AUTH_CLASS:
+			case AUTHN_EAP_TYPE:
+			case AUTHN_EAP_VENDOR:
+			case AUTHN_EAP_IDENTITY:
 			case AUTHN_CA_CERT_KEYID:
 			case AUTHN_CA_CERT:
 			case AUTHN_CA_CERT_NAME:
@@ -444,6 +456,7 @@ static bool equals(private_auth_info_t *this, private_auth_info_t *other)
 						}
 						continue;
 					}
+					case AUTHN_EAP_IDENTITY:
 					case AUTHN_CA_CERT_KEYID:
 					case AUTHN_CA_CERT_NAME:
 					case AUTHZ_CA_CERT_NAME:
@@ -460,6 +473,16 @@ static bool equals(private_auth_info_t *this, private_auth_info_t *other)
 						}
 						continue;
 					}
+					case AUTHN_AUTH_CLASS:
+					case AUTHN_EAP_TYPE:
+					case AUTHN_EAP_VENDOR:
+					{
+						if (*(u_int*)i1->value == *(u_int*)i2->value)
+						{
+							found = TRUE;
+							break;
+						}
+					}
 					case AUTHZ_PUBKEY:
 					case AUTHZ_PSK:
 					case AUTHZ_EAP:
@@ -511,6 +534,9 @@ static void destroy_item_value(item_t *item)
 			cert->destroy(cert);
 			break;
 		}
+		case AUTHN_AUTH_CLASS:
+		case AUTHN_EAP_TYPE:
+		case AUTHN_EAP_VENDOR:
 		case AUTHN_IM_HASH_URL:
 		case AUTHN_SUBJECT_HASH_URL:
 		case AUTHZ_CRL_VALIDATION:
@@ -520,6 +546,7 @@ static void destroy_item_value(item_t *item)
 			free(item->value);
 			break;
 		}
+		case AUTHN_EAP_IDENTITY:
 		case AUTHN_CA_CERT_KEYID:
 		case AUTHN_CA_CERT_NAME:
 		case AUTHZ_CA_CERT_NAME:
diff --git a/src/charon/credentials/auth_info.h b/src/charon/credentials/auth_info.h
index 5fe2919f8..52433433a 100644
--- a/src/charon/credentials/auth_info.h
+++ b/src/charon/credentials/auth_info.h
@@ -60,6 +60,14 @@ enum auth_item_t {
 	 * items provided to authentication process
 	 */
 	
+	/** authentication class to use, value is auth_class_t* */
+	AUTHN_AUTH_CLASS,
+	/** EAP method to request from peer, value is eap_type_t* */
+	AUTHN_EAP_TYPE,
+	/** EAP vendor to used in conjunction with EAP method, value is u_int32_t* */
+	AUTHN_EAP_VENDOR,
+	/** EAP identity to use within EAP-Identity exchange */
+	AUTHN_EAP_IDENTITY,
 	/** CA certificate to use for authentication, value is certificate_t* */
 	AUTHN_CA_CERT,
 	/** Keyid of a CA certificate to use, value is identification_t* */
@@ -83,7 +91,7 @@ enum auth_item_t {
 	AUTHZ_PUBKEY,
 	/** subject has ben authenticated using preshared secrets, value is shared_key_t* */ 
 	AUTHZ_PSK,
-	/** subject has been authenticated using EAP, value is eap_method_t */
+	/** subject has been authenticated using EAP, value is eap_type_t* */
 	AUTHZ_EAP,
 	/** certificate authority, value is certificate_t* */
 	AUTHZ_CA_CERT,
diff --git a/src/charon/credentials/credential_manager.c b/src/charon/credentials/credential_manager.c
index 251559141..b11cdc0df 100644
--- a/src/charon/credentials/credential_manager.c
+++ b/src/charon/credentials/credential_manager.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: credential_manager.c 3953 2008-05-14 06:49:31Z martin $
+ * $Id: credential_manager.c 4317 2008-09-02 11:00:13Z martin $
  */
 
 /* some clibs need it for rwlocks */
@@ -60,6 +60,11 @@ struct private_credential_manager_t {
 	 */
 	cert_cache_t *cache;
 	
+	/**
+	 * certificates queued for persistent caching
+	 */
+	linked_list_t *cache_queue;
+	
 	/**
 	 * read-write lock to sets list
 	 */
@@ -270,7 +275,7 @@ static enumerator_t *create_private(credential_set_t *set, private_data_t *data)
 }
 
 /**
- * Implementation of credential_manager_t.get_private_by_keyid.
+ * Implementation of credential_manager_t.create_private_enumerator.
  */
 static enumerator_t* create_private_enumerator(
 									private_credential_manager_t *this,
@@ -407,16 +412,50 @@ static void cache_cert(private_credential_manager_t *this, certificate_t *cert)
 	credential_set_t *set;
 	enumerator_t *enumerator;
 	
-	pthread_rwlock_rdlock(&this->lock);
-	enumerator = this->sets->create_enumerator(this->sets);
-	while (enumerator->enumerate(enumerator, &set))
+	if (pthread_rwlock_trywrlock(&this->lock) == 0)
 	{
-		set->cache_cert(set, cert);
+		enumerator = this->sets->create_enumerator(this->sets);
+		while (enumerator->enumerate(enumerator, &set))
+		{
+			set->cache_cert(set, cert);
+		}
+		enumerator->destroy(enumerator);
+	}
+	else
+	{	/* we can't cache now as other threads are active, queue for later */
+		pthread_rwlock_rdlock(&this->lock);
+		this->cache_queue->insert_last(this->cache_queue, cert->get_ref(cert));
 	}
-	enumerator->destroy(enumerator);
 	pthread_rwlock_unlock(&this->lock);
 }
 
+/**
+ * Try to cache certificates queued for caching
+ */
+static void cache_queue(private_credential_manager_t *this)
+{
+	credential_set_t *set;
+	certificate_t *cert;
+	enumerator_t *enumerator;
+	
+	if (this->cache_queue->get_count(this->cache_queue) > 0 &&
+		pthread_rwlock_trywrlock(&this->lock) == 0)
+	{
+		while (this->cache_queue->remove_last(this->cache_queue,
+											  (void**)&cert) == SUCCESS)
+		{
+			enumerator = this->sets->create_enumerator(this->sets);
+			while (enumerator->enumerate(enumerator, &set))
+			{
+				set->cache_cert(set, cert);
+			}
+			enumerator->destroy(enumerator);
+			cert->destroy(cert);
+		}
+		pthread_rwlock_unlock(&this->lock);
+	}
+}
+
 /**
  * forward declaration 
  */
@@ -435,8 +474,8 @@ static certificate_t *fetch_ocsp(private_credential_manager_t *this, char *url,
 	/* TODO: requestor name, signature */
 	request = lib->creds->create(lib->creds,
 						CRED_CERTIFICATE, CERT_X509_OCSP_REQUEST,
-						BUILD_CA_CERT, issuer->get_ref(issuer),
-						BUILD_CERT, subject->get_ref(subject), BUILD_END);
+						BUILD_CA_CERT, issuer,
+						BUILD_CERT, subject, BUILD_END);
 	if (!request)
 	{
 		DBG1(DBG_CFG, "generating ocsp request failed");
@@ -461,6 +500,7 @@ static certificate_t *fetch_ocsp(private_credential_manager_t *this, char *url,
 	response = lib->creds->create(lib->creds,
 								  CRED_CERTIFICATE, CERT_X509_OCSP_RESPONSE,
 								  BUILD_BLOB_ASN1_DER, receive, BUILD_END);
+	chunk_free(&receive);
 	if (!response)
 	{
 		DBG1(DBG_CFG, "parsing ocsp response failed");
@@ -1142,6 +1182,7 @@ static bool trusted_enumerate(trusted_enumerator_t *this,
 				verify_trust_chain(this->this, this->pretrusted, this->auth,
 								   TRUE, this->crl, this->ocsp))
 			{
+				this->auth->add_item(this->auth, AUTHZ_CA_CERT, this->pretrusted);
 				DBG1(DBG_CFG, "  using trusted certificate \"%D\"",
 					 this->pretrusted->get_subject(this->pretrusted));
 				*cert = this->pretrusted;
@@ -1262,6 +1303,9 @@ static void public_destroy(public_enumerator_t *this)
 		this->wrapper->destroy(this->wrapper);
 	}
 	pthread_rwlock_unlock(&this->this->lock);
+	
+	/* check for delayed certificate cache queue */
+	cache_queue(this->this);
 	free(this);
 }
 
@@ -1501,6 +1545,8 @@ static void remove_set(private_credential_manager_t *this, credential_set_t *set
  */
 static void destroy(private_credential_manager_t *this)
 {
+	cache_queue(this);
+	this->cache_queue->destroy(this->cache_queue);
 	this->sets->remove(this->sets, this->cache, NULL);
 	this->sets->destroy(this->sets);
 	pthread_key_delete(this->local_sets);
@@ -1532,6 +1578,7 @@ credential_manager_t *credential_manager_create()
 	this->sets = linked_list_create();
 	pthread_key_create(&this->local_sets, (void*)this->sets->destroy);
 	this->cache = cert_cache_create();
+	this->cache_queue = linked_list_create();
 	this->sets->insert_first(this->sets, this->cache);
 	pthread_rwlock_init(&this->lock, NULL);
 	
diff --git a/src/charon/credentials/credential_set.h b/src/charon/credentials/credential_set.h
index b5f3b95cd..4166d05a3 100644
--- a/src/charon/credentials/credential_set.h
+++ b/src/charon/credentials/credential_set.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: credential_set.h 3820 2008-04-17 11:22:37Z martin $
+ * $Id: credential_set.h 4229 2008-07-30 11:38:44Z martin $
  */
 
 /**
@@ -36,6 +36,13 @@ typedef struct credential_set_t credential_set_t;
  * Enumerators are used because queries might return multiple matches.
  * Filter parameters restrict enumeration over specific items only.
  * See credential_manager_t for an overview of the credential framework.
+ *
+ * A credential set enumerator may not block the credential set, i.e. multiple
+ * threads must be able to hold multiple enumerators, as the credential manager
+ * is higly parallelized. The best way to achieve this is by using shared
+ * read locks for the enumerators only. Otherwiese deadlocks will occur.
+ * The writing cache_cert() routine is called by the manager only if no
+ * enumerator is alive, so it is save to use a write lock there.
  */
 struct credential_set_t {
 	
diff --git a/src/charon/credentials/sets/auth_info_wrapper.c b/src/charon/credentials/sets/auth_info_wrapper.c
index 32783ff93..7ec75be15 100644
--- a/src/charon/credentials/sets/auth_info_wrapper.c
+++ b/src/charon/credentials/sets/auth_info_wrapper.c
@@ -73,7 +73,7 @@ static bool fetch_cert(wrapper_enumerator_t *enumerator, auth_item_t *type, void
 	certificate_t *cert;
 	
 	DBG1(DBG_CFG, "  fetching certificate from '%s' ...", url);
-	if (lib->fetcher->fetch(lib->fetcher, url, &data) != SUCCESS)
+	if (lib->fetcher->fetch(lib->fetcher, url, &data, FETCH_END) != SUCCESS)
 	{
 		DBG1(DBG_CFG, "  fetching certificate failed");
 		/* we set the item to NULL, so we can skip it */
@@ -83,6 +83,7 @@ static bool fetch_cert(wrapper_enumerator_t *enumerator, auth_item_t *type, void
 	
 	cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
 					  BUILD_BLOB_ASN1_DER, data, BUILD_END);
+	free(data.ptr);
 	
 	if (!cert)
 	{
diff --git a/src/charon/credentials/sets/cert_cache.c b/src/charon/credentials/sets/cert_cache.c
index 8af8bb619..4a9a97149 100644
--- a/src/charon/credentials/sets/cert_cache.c
+++ b/src/charon/credentials/sets/cert_cache.c
@@ -15,11 +15,13 @@
  * $Id$
  */
 
+#define _GNU_SOURCE
+#include <pthread.h>
+
 #include "cert_cache.h"
 
 #include <daemon.h>
 #include <utils/linked_list.h>
-#include <utils/mutex.h>
 
 #define CACHE_SIZE 30
 
@@ -44,7 +46,7 @@ struct private_cert_cache_t {
 	/**
 	 * do we have an active enumerator
 	 */
-	bool enumerating;
+	refcount_t enumerating;
 	
 	/**
 	 * have we increased the cache without a check_cache?
@@ -52,9 +54,9 @@ struct private_cert_cache_t {
 	bool check_required;
 	
 	/**
-	 * mutex to lock relations list
+	 * read-write lock to sets list
 	 */
-	mutex_t *mutex;
+	pthread_rwlock_t lock;
 };
 
 /**
@@ -88,8 +90,8 @@ static void check_cache(private_cert_cache_t *this)
 	{
 		this->check_required = TRUE;
 	}
-	else
-	{
+	else if (pthread_rwlock_trywrlock(&this->lock) == 0)
+	{	/* never blocks, only done if lock is available */
 		while (this->relations->get_count(this->relations) > CACHE_SIZE)
 		{
 			relation_t *oldest = NULL, *current;
@@ -108,6 +110,7 @@ static void check_cache(private_cert_cache_t *this)
 			relation_destroy(oldest);
 		}
 		this->check_required = FALSE;
+		pthread_rwlock_unlock(&this->lock);
 	}
 }
 
@@ -121,7 +124,7 @@ static bool issued_by(private_cert_cache_t *this,
 	enumerator_t *enumerator;
 	
 	/* lookup cache */
-	this->mutex->lock(this->mutex);
+	pthread_rwlock_rdlock(&this->lock);
 	enumerator = this->relations->create_enumerator(this->relations);
 	while (enumerator->enumerate(enumerator, &current))
 	{
@@ -146,7 +149,7 @@ static bool issued_by(private_cert_cache_t *this,
 		}
 	}
 	enumerator->destroy(enumerator);
-	this->mutex->unlock(this->mutex);
+	pthread_rwlock_unlock(&this->lock);
 	if (found)
 	{
 		return TRUE;
@@ -161,10 +164,9 @@ static bool issued_by(private_cert_cache_t *this,
 	found->subject = subject->get_ref(subject);
 	found->issuer = issuer->get_ref(issuer);
 	found->last_use = time(NULL);
-	this->mutex->lock(this->mutex);
+	/* insert should be ok without lock */
 	this->relations->insert_last(this->relations, found);
 	check_cache(this);
-	this->mutex->unlock(this->mutex);
 	return TRUE;
 }
 
@@ -230,12 +232,12 @@ static bool certs_filter(cert_data_t *data, relation_t **in, certificate_t **out
  */
 static void certs_destroy(cert_data_t *data)
 {
-	data->this->enumerating--;
+	ref_put(&data->this->enumerating);
+	pthread_rwlock_unlock(&data->this->lock);
 	if (data->this->check_required)
 	{
 		check_cache(data->this);
 	}
-	data->this->mutex->unlock(data->this->mutex);
 	free(data);
 }
 
@@ -258,21 +260,13 @@ static enumerator_t *create_enumerator(private_cert_cache_t *this,
 	data->id = id;
 	data->this = this;
 	
-	this->mutex->lock(this->mutex);
-	this->enumerating++;
+	pthread_rwlock_rdlock(&this->lock);
+	ref_get(&this->enumerating);
 	return enumerator_create_filter(
 							this->relations->create_enumerator(this->relations),
 							(void*)certs_filter, data, (void*)certs_destroy);
 }
 
-/**
- * Implementation of credential_set_t.cache_cert.
- */
-static void cache_cert(private_cert_cache_t *this, certificate_t *cert)
-{
-	/* TODO: implement caching */
-}
-
 /**
  * Implementation of cert_cache_t.flush.
  */
@@ -281,7 +275,7 @@ static void flush(private_cert_cache_t *this, certificate_type_t type)
 	enumerator_t *enumerator;
 	relation_t *relation;
 	
-	this->mutex->lock(this->mutex);
+	pthread_rwlock_wrlock(&this->lock);
 	enumerator = this->relations->create_enumerator(this->relations);
 	while (enumerator->enumerate(enumerator, &relation))
 	{
@@ -293,7 +287,7 @@ static void flush(private_cert_cache_t *this, certificate_type_t type)
 		}
 	}
 	enumerator->destroy(enumerator);
-	this->mutex->unlock(this->mutex);
+	pthread_rwlock_unlock(&this->lock);
 }
 
 /**
@@ -302,7 +296,7 @@ static void flush(private_cert_cache_t *this, certificate_type_t type)
 static void destroy(private_cert_cache_t *this)
 {
 	this->relations->destroy_function(this->relations, (void*)relation_destroy);
-	this->mutex->destroy(this->mutex);
+	pthread_rwlock_destroy(&this->lock);
 	free(this);
 }
 
@@ -317,15 +311,15 @@ cert_cache_t *cert_cache_create()
 	this->public.set.create_cert_enumerator = (void*)create_enumerator;
 	this->public.set.create_shared_enumerator = (void*)return_null;
 	this->public.set.create_cdp_enumerator = (void*)return_null;
-	this->public.set.cache_cert = (void*)cache_cert;
+	this->public.set.cache_cert = (void*)nop;
 	this->public.issued_by = (bool(*)(cert_cache_t*, certificate_t *subject, certificate_t *issuer))issued_by;
 	this->public.flush = (void(*)(cert_cache_t*, certificate_type_t type))flush;
 	this->public.destroy = (void(*)(cert_cache_t*))destroy;
 	
 	this->relations = linked_list_create();
-	this->enumerating = FALSE;
+	this->enumerating = 0;
 	this->check_required = FALSE;
-	this->mutex = mutex_create(MUTEX_RECURSIVE);
+	pthread_rwlock_init(&this->lock, NULL);
 	
 	return &this->public;
 }
diff --git a/src/charon/daemon.c b/src/charon/daemon.c
index 1ab88104a..065f7d701 100644
--- a/src/charon/daemon.c
+++ b/src/charon/daemon.c
@@ -22,7 +22,6 @@
 #endif /* HAVE_DLADDR */
 
 #include <stdio.h>
-#include <linux/capability.h>
 #include <sys/prctl.h>
 #include <signal.h>
 #include <pthread.h>
@@ -38,6 +37,9 @@
 #ifdef HAVE_BACKTRACE
 # include <execinfo.h>
 #endif /* HAVE_BACKTRACE */
+#ifdef CAPABILITIES
+#include <sys/capability.h>
+#endif /* CAPABILITIES */
 
 #include "daemon.h"
 
@@ -45,14 +47,9 @@
 #include <config/traffic_selector.h>
 #include <config/proposal.h>
 
-/* on some distros, a capset definition is missing */
-#ifdef NO_CAPSET_DEFINED
-extern int capset(cap_user_header_t hdrp, const cap_user_data_t datap);
-#endif /* NO_CAPSET_DEFINED */
-
 #ifdef INTEGRITY_TEST
 #include <fips/fips.h>
-#include <fips_signature.h>
+#include <fips/fips_signature.h>
 #endif /* INTEGRITY_TEST */
 
 typedef struct private_daemon_t private_daemon_t;
@@ -75,6 +72,13 @@ struct private_daemon_t {
 	 * The thread_id of main-thread.
 	 */
 	pthread_t main_thread_id;
+
+#ifdef CAPABILITIES
+	/**
+	 * capabilities to keep
+	 */
+	cap_t caps;
+#endif /* CAPABILITIES */
 };
 
 /**
@@ -95,7 +99,7 @@ static void dbg_bus(int level, char *fmt, ...)
 	va_list args;
 	
 	va_start(args, fmt);
-	charon->bus->vsignal(charon->bus, DBG_LIB, level, fmt, args);
+	charon->bus->vsignal(charon->bus, DBG_LIB, level, NULL, fmt, args);
 	va_end(args);
 }
 
@@ -183,11 +187,15 @@ static void destroy(private_daemon_t *this)
 	}
 	/* unload plugins to release threads */
 	lib->plugins->unload(lib->plugins);
+#ifdef CAPABILITIES
+	cap_free(this->caps);
+#endif /* CAPABILITIES */
 	DESTROY_IF(this->public.ike_sa_manager);
 	DESTROY_IF(this->public.kernel_interface);
 	DESTROY_IF(this->public.scheduler);
 	DESTROY_IF(this->public.controller);
 	DESTROY_IF(this->public.eap);
+	DESTROY_IF(this->public.sim);
 #ifdef ME
 	DESTROY_IF(this->public.connect_manager);
 	DESTROY_IF(this->public.mediation_manager);
@@ -242,55 +250,37 @@ static void kill_daemon(private_daemon_t *this, char *reason)
 /**
  * drop daemon capabilities
  */
-static void drop_capabilities(private_daemon_t *this, bool full)
-{
-	struct __user_cap_header_struct hdr;
-	struct __user_cap_data_struct data;
-	
-	/* CAP_NET_ADMIN is needed to use netlink */
-	u_int32_t keep = (1<<CAP_NET_ADMIN) | (1<<CAP_SYS_NICE);
-	
-	if (full)
+static void drop_capabilities(private_daemon_t *this)
+{	
+	prctl(PR_SET_KEEPCAPS, 1);
+
+	if (setgid(charon->gid) != 0)
 	{
-		if (setgid(charon->gid) != 0)
-		{
-			kill_daemon(this, "change to unprivileged group failed");	
-		}
-		if (setuid(charon->uid) != 0)
-		{
-			kill_daemon(this, "change to unprivileged user failed");	
-		}
+		kill_daemon(this, "change to unprivileged group failed");	
 	}
-	else
+	if (setuid(charon->uid) != 0)
 	{
-		/* CAP_NET_BIND_SERVICE to bind services below port 1024 */
-		keep |= (1<<CAP_NET_BIND_SERVICE);
-		/* CAP_NET_RAW to create RAW sockets */
-		keep |= (1<<CAP_NET_RAW);
-		/* CAP_DAC_READ_SEARCH to read ipsec.secrets */
-		keep |= (1<<CAP_DAC_READ_SEARCH);
-		/* CAP_CHOWN to change file permissions (socket permissions) */
-		keep |= (1<<CAP_CHOWN);
-		/* CAP_SETUID to call setuid()  */
-		keep |= (1<<CAP_SETUID);
-		/* CAP_SETGID to call setgid() */
-		keep |= (1<<CAP_SETGID);
+		kill_daemon(this, "change to unprivileged user failed");	
 	}
-
-	/* we use the old capset version for now. For systems with version 2
-	 * available, we specifiy version 1 excplicitly. */
-#ifdef _LINUX_CAPABILITY_VERSION_1
-	hdr.version = _LINUX_CAPABILITY_VERSION_1;
-#else
-	hdr.version = _LINUX_CAPABILITY_VERSION;
-#endif
-	hdr.pid = 0;
-	data.inheritable = data.effective = data.permitted = keep;
 	
-	if (capset(&hdr, &data))
+#ifdef CAPABILITIES
+	if (cap_set_proc(this->caps) != 0)
 	{
 		kill_daemon(this, "unable to drop daemon capabilities");
 	}
+#endif /* CAPABILITIES */
+}
+
+/**
+ * Implementation of daemon_t.keep_cap
+ */
+static void keep_cap(private_daemon_t *this, u_int cap)
+{
+#ifdef CAPABILITIES
+	cap_set_flag(this->caps, CAP_EFFECTIVE, 1, &cap, CAP_SET);
+	cap_set_flag(this->caps, CAP_INHERITABLE, 1, &cap, CAP_SET);
+	cap_set_flag(this->caps, CAP_PERMITTED, 1, &cap, CAP_SET);
+#endif /* CAPABILITIES */
 }
 
 /**
@@ -362,25 +352,13 @@ static bool initialize(private_daemon_t *this, bool syslog, level_t levels[])
 	
 	DBG1(DBG_DMN, "starting charon (strongSwan Version %s)", VERSION);
 
-#ifdef INTEGRITY_TEST
-	DBG1(DBG_DMN, "integrity test of libstrongswan code");
-	if (fips_verify_hmac_signature(hmac_key, hmac_signature))
-	{
-		DBG1(DBG_DMN, "  integrity test passed");
-	}
-	else
-	{
-		DBG1(DBG_DMN, "  integrity test failed");
-		return FALSE;
-	}
-#endif /* INTEGRITY_TEST */
-
 	/* load secrets, ca certificates and crls */
 	this->public.processor = processor_create();
 	this->public.scheduler = scheduler_create();
 	this->public.credentials = credential_manager_create();
 	this->public.controller = controller_create();
 	this->public.eap = eap_manager_create();
+	this->public.sim = sim_manager_create();
 	this->public.backends = backend_manager_create();
 	this->public.attributes = attribute_manager_create();
 	this->public.kernel_interface = kernel_interface_create();
@@ -390,6 +368,22 @@ static bool initialize(private_daemon_t *this, bool syslog, level_t levels[])
 	lib->plugins->load(lib->plugins, IPSEC_PLUGINDIR, 
 		lib->settings->get_str(lib->settings, "charon.load", PLUGINS));
 	
+	/* create the kernel interfaces */
+	this->public.kernel_interface->create_interfaces(this->public.kernel_interface);
+	
+#ifdef INTEGRITY_TEST
+	DBG1(DBG_DMN, "integrity test of libstrongswan code");
+	if (fips_verify_hmac_signature(hmac_key, hmac_signature))
+	{
+		DBG1(DBG_DMN, "  integrity test passed");
+	}
+	else
+	{
+		DBG1(DBG_DMN, "  integrity test failed");
+		return FALSE;
+	}
+#endif /* INTEGRITY_TEST */
+
 	this->public.ike_sa_manager = ike_sa_manager_create();
 	if (this->public.ike_sa_manager == NULL)
 	{
@@ -472,6 +466,7 @@ private_daemon_t *daemon_create(void)
 		
 	/* assign methods */
 	this->public.kill = (void (*) (daemon_t*,char*))kill_daemon;
+	this->public.keep_cap = (void(*)(daemon_t*, u_int cap))keep_cap;
 	
 	/* NULL members for clean destruction */
 	this->public.socket = NULL;
@@ -486,6 +481,7 @@ private_daemon_t *daemon_create(void)
 	this->public.processor = NULL;
 	this->public.controller = NULL;
 	this->public.eap = NULL;
+	this->public.sim = NULL;
 	this->public.bus = NULL;
 	this->public.outlog = NULL;
 	this->public.syslog = NULL;
@@ -498,6 +494,14 @@ private_daemon_t *daemon_create(void)
 	this->public.gid = 0;
 	
 	this->main_thread_id = pthread_self();
+#ifdef CAPABILITIES
+	this->caps = cap_init();
+	keep_cap(this, CAP_NET_ADMIN);
+	if (lib->leak_detective)
+	{
+		keep_cap(this, CAP_SYS_NICE);
+	}
+#endif /* CAPABILITIES */
 	
 	/* add handler for SEGV and ILL,
 	 * add handler for USR1 (cancellation).
@@ -567,10 +571,6 @@ int main(int argc, char *argv[])
 	
 	lookup_uid_gid(private_charon);
 	
-	/* drop the capabilities we won't need for initialization */
-	prctl(PR_SET_KEEPCAPS, 1);
-	drop_capabilities(private_charon, FALSE);
-	
 	/* use CTRL loglevel for default */
 	for (signal = 0; signal < DBG_MAX; signal++)
 	{
@@ -646,8 +646,8 @@ int main(int argc, char *argv[])
 		fclose(pid_file);
 	}
 	
-	/* drop additional capabilites (bind & root) */
-	drop_capabilities(private_charon, TRUE);
+	/* drop the capabilities we won't need */
+	drop_capabilities(private_charon);
 	
 	/* start the engine, go multithreaded */
 	charon->processor->set_threads(charon->processor,
diff --git a/src/charon/daemon.h b/src/charon/daemon.h
index 5893e7332..62a286f04 100644
--- a/src/charon/daemon.h
+++ b/src/charon/daemon.h
@@ -15,7 +15,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: daemon.h 3964 2008-05-15 14:01:26Z martin $
+ * $Id: daemon.h 4406 2008-10-10 08:36:01Z martin $
  */
 
 /**
@@ -163,6 +163,7 @@ typedef struct daemon_t daemon_t;
 #include <config/attributes/attribute_manager.h>
 #include <credentials/credential_manager.h>
 #include <sa/authenticators/eap/eap_manager.h>
+#include <sa/authenticators/eap/sim_manager.h>
 
 #ifdef ME
 #include <sa/connect_manager.h>
@@ -280,6 +281,11 @@ struct daemon_t {
 	 */
 	eap_manager_t *eap;
 	
+	/**
+	 * SIM manager to maintain SIM cards/providers
+	 */
+	sim_manager_t *sim;
+	
 #ifdef ME
 	/**
 	 * Connect manager
@@ -302,6 +308,15 @@ struct daemon_t {
 	 */
 	gid_t gid;
 	
+	/**
+	 * Do not drop a given capability after initialization.
+	 *
+	 * Some plugins might need additional capabilites. They tell the daemon
+	 * during plugin initialization which one they need, the daemon won't
+	 * drop these.
+	 */
+	void (*keep_cap)(daemon_t *this, u_int cap);
+	
 	/**
 	 * Shut down the daemon.
 	 * 
diff --git a/src/charon/encoding/message.c b/src/charon/encoding/message.c
index af9483192..600fe97d9 100644
--- a/src/charon/encoding/message.c
+++ b/src/charon/encoding/message.c
@@ -15,7 +15,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: message.c 3991 2008-05-21 17:56:21Z martin $
+ * $Id: message.c 4339 2008-09-11 11:14:09Z martin $
  */
 
 #include <stdlib.h>
@@ -39,6 +39,11 @@
  */
 #define MAX_NOTIFY_PAYLOADS 20
 
+/**
+ * Max number of delete payloads per IKEv2 Message
+ */
+#define MAX_DELETE_PAYLOADS 20
+
 
 typedef struct payload_rule_t payload_rule_t;
 
@@ -299,7 +304,7 @@ static payload_rule_t informational_i_payload_rules[] = {
 /*	payload type					min	max						encr	suff */
 	{NOTIFY,						0,	MAX_NOTIFY_PAYLOADS,	TRUE,	FALSE},
 	{CONFIGURATION,					0,	1,						TRUE,	FALSE},
-	{DELETE,						0,	1,						TRUE,	FALSE},
+	{DELETE,						0,	MAX_DELETE_PAYLOADS,	TRUE,	FALSE},
 	{VENDOR_ID,						0,	10,						TRUE,	FALSE},
 };
 
@@ -324,7 +329,7 @@ static payload_rule_t informational_r_payload_rules[] = {
 /*	payload type					min	max						encr	suff */
 	{NOTIFY,						0,	MAX_NOTIFY_PAYLOADS,	TRUE,	FALSE},
 	{CONFIGURATION,					0,	1,						TRUE,	FALSE},
-	{DELETE,						0,	1,						TRUE,	FALSE},
+	{DELETE,						0,	MAX_DELETE_PAYLOADS,	TRUE,	FALSE},
 	{VENDOR_ID,						0,	10,						TRUE,	FALSE},
 };
 
diff --git a/src/charon/encoding/payloads/cert_payload.c b/src/charon/encoding/payloads/cert_payload.c
index 99f504c5e..7ff334006 100644
--- a/src/charon/encoding/payloads/cert_payload.c
+++ b/src/charon/encoding/payloads/cert_payload.c
@@ -14,7 +14,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: cert_payload.c 3852 2008-04-18 21:27:08Z andreas $
+ * $Id: cert_payload.c 4317 2008-09-02 11:00:13Z martin $
  */
 
 #include <stddef.h>
@@ -229,7 +229,7 @@ static certificate_t *get_cert(private_cert_payload_t *this)
 		return NULL;
 	}
 	return lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
-							  BUILD_BLOB_ASN1_DER, chunk_clone(this->data),
+							  BUILD_BLOB_ASN1_DER, this->data,
 							  BUILD_END);
 }
 
diff --git a/src/charon/encoding/payloads/vendor_id_payload.c b/src/charon/encoding/payloads/vendor_id_payload.c
index 3eacc1a72..3e47b9348 100644
--- a/src/charon/encoding/payloads/vendor_id_payload.c
+++ b/src/charon/encoding/payloads/vendor_id_payload.c
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: vendor_id_payload.c 3589 2008-03-13 14:14:44Z martin $
+ * $Id: vendor_id_payload.c 4120 2008-06-27 15:22:27Z andreas $
  */
 
 #include <stddef.h>
@@ -86,9 +86,8 @@ encoding_rule_t vendor_id_payload_encodings[] = {
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       ! Next Payload  !C!  RESERVED   !         Payload Length        !
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-      ! Cert Encoding !                                               !
-      +-+-+-+-+-+-+-+-+                                               !
-      ~                       Certificate Data                        ~
+      +                                                               !
+      ~                            VID Data                           ~
       !                                                               !
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 */
diff --git a/src/charon/kernel/kernel_interface.c b/src/charon/kernel/kernel_interface.c
index f5cb40977..3c82b580e 100644
--- a/src/charon/kernel/kernel_interface.c
+++ b/src/charon/kernel/kernel_interface.c
@@ -1,13 +1,6 @@
 /*
- * Copyright (C) 2006-2008 Tobias Brunner
- * Copyright (C) 2005-2007 Martin Willi
- * Copyright (C) 2006-2007 Fabian Hartmann, Noah Heusser
- * Copyright (C) 2006 Daniel Roethlisberger
- * Copyright (C) 2005 Jan Hutter
+ * Copyright (C) 2008 Tobias Brunner
  * Hochschule fuer Technik Rapperswil
- * Copyright (C) 2003 Herbert Xu.
- * 
- * Based on xfrm code from pluto.
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -19,2855 +12,292 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: kernel_interface.c 4104 2008-06-24 15:35:09Z tobias $
+ * $Id: kernel_interface.c 4406 2008-10-10 08:36:01Z martin $
  */
 
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <sys/time.h>
-#include <linux/netlink.h>
-#include <linux/rtnetlink.h>
-#include <linux/xfrm.h>
-#include <linux/udp.h>
-#include <pthread.h>
-#include <unistd.h>
-#include <fcntl.h>
-#include <errno.h>
-#include <string.h>
-#include <net/if.h>
-#include <sys/ioctl.h>
-
 #include "kernel_interface.h"
 
+#include <pthread.h>
+
 #include <daemon.h>
 #include <utils/linked_list.h>
-#include <processing/jobs/delete_child_sa_job.h>
-#include <processing/jobs/rekey_child_sa_job.h>
-#include <processing/jobs/acquire_job.h>
-#include <processing/jobs/callback_job.h>
-#include <processing/jobs/roam_job.h>
-
-/** routing table for routes installed by us */
-#ifndef IPSEC_ROUTING_TABLE
-#define IPSEC_ROUTING_TABLE 100
-#endif
-#ifndef IPSEC_ROUTING_TABLE_PRIO
-#define IPSEC_ROUTING_TABLE_PRIO 100
-#endif
-
-/** kernel level protocol identifiers */
-#define KERNEL_ESP 50
-#define KERNEL_AH 51
-
-/** default priority of installed policies */
-#define PRIO_LOW 3000
-#define PRIO_HIGH 2000
-
-/** delay before firing roam jobs (ms) */
-#define ROAM_DELAY 100
-
-#define BUFFER_SIZE 1024
-
-/**
- * returns a pointer to the first rtattr following the nlmsghdr *nlh and the 
- * 'usual' netlink data x like 'struct xfrm_usersa_info' 
- */
-#define XFRM_RTA(nlh, x) ((struct rtattr*)(NLMSG_DATA(nlh) + NLMSG_ALIGN(sizeof(x))))
-/**
- * returns a pointer to the next rtattr following rta.
- * !!! do not use this to parse messages. use RTA_NEXT and RTA_OK instead !!!
- */
-#define XFRM_RTA_NEXT(rta) ((struct rtattr*)(((char*)(rta)) + RTA_ALIGN((rta)->rta_len)))
-/**
- * returns the total size of attached rta data 
- * (after 'usual' netlink data x like 'struct xfrm_usersa_info') 
- */
-#define XFRM_PAYLOAD(nlh, x) NLMSG_PAYLOAD(nlh, sizeof(x))
-
-typedef struct kernel_algorithm_t kernel_algorithm_t;
-
-/**
- * Mapping from the algorithms defined in IKEv2 to
- * kernel level algorithm names and their key length
- */
-struct kernel_algorithm_t {
-	/**
-	 * Identifier specified in IKEv2
-	 */
-	int ikev2_id;
-	
-	/**
-	 * Name of the algorithm, as used as kernel identifier
-	 */
-	char *name;
-	
-	/**
-	 * Key length in bits, if fixed size
-	 */
-	u_int key_size;
-};
-#define END_OF_LIST -1
-
-/**
- * Algorithms for encryption
- */
-static kernel_algorithm_t encryption_algs[] = {
-/*	{ENCR_DES_IV64, 		"***", 					0}, */
-	{ENCR_DES, 				"des", 					64},
-	{ENCR_3DES, 			"des3_ede",				192},
-/*	{ENCR_RC5, 				"***", 					0}, */
-/*	{ENCR_IDEA, 			"***",					0}, */
-	{ENCR_CAST, 			"cast128",				0},
-	{ENCR_BLOWFISH, 		"blowfish",				0},
-/*	{ENCR_3IDEA, 			"***",					0}, */
-/*	{ENCR_DES_IV32, 		"***",					0}, */
-	{ENCR_NULL, 			"cipher_null",			0},
-	{ENCR_AES_CBC,	 		"aes",					0},
-/*	{ENCR_AES_CTR, 			"***",					0}, */
-	{ENCR_AES_CCM_ICV8,		"rfc4309(ccm(aes))",	64},	/* key_size = ICV size */
-	{ENCR_AES_CCM_ICV12,	"rfc4309(ccm(aes))",	96},	/* key_size = ICV size */
-	{ENCR_AES_CCM_ICV16,	"rfc4309(ccm(aes))",	128},	/* key_size = ICV size */
-	{ENCR_AES_GCM_ICV8,		"rfc4106(gcm(aes))",	64},	/* key_size = ICV size */
-	{ENCR_AES_GCM_ICV12,	"rfc4106(gcm(aes))",	96},	/* key_size = ICV size */
-	{ENCR_AES_GCM_ICV16,	"rfc4106(gcm(aes))",	128},	/* key_size = ICV size */
-	{END_OF_LIST, 		NULL,			0},
-};
-
-/**
- * Algorithms for integrity protection
- */
-static kernel_algorithm_t integrity_algs[] = {
-	{AUTH_HMAC_MD5_96, 			"md5",			128},
-	{AUTH_HMAC_SHA1_96,			"sha1",			160},
-	{AUTH_HMAC_SHA2_256_128,	"sha256",		256},
-	{AUTH_HMAC_SHA2_384_192,	"sha384",		384},
-	{AUTH_HMAC_SHA2_512_256,	"sha512",		512},
-/*	{AUTH_DES_MAC,				"***",			0}, */
-/*	{AUTH_KPDK_MD5,				"***",			0}, */
-	{AUTH_AES_XCBC_96,			"xcbc(aes)",	128},
-	{END_OF_LIST, 				NULL,			0},
-};
-
-/**
- * Algorithms for IPComp
- */
-static kernel_algorithm_t compression_algs[] = {
-/*	{IPCOMP_OUI, 			"***",			0}, */
-	{IPCOMP_DEFLATE,		"deflate",		0},
-	{IPCOMP_LZS,			"lzs",			0},
-	{IPCOMP_LZJH,			"lzjh",			0},
-	{END_OF_LIST, 			NULL,			0},
-};
-
-/**
- * Look up a kernel algorithm name and its key size
- */
-static char* lookup_algorithm(kernel_algorithm_t *kernel_algo, 
-					   u_int16_t ikev2_algo, u_int16_t *key_size)
-{
-	while (kernel_algo->ikev2_id != END_OF_LIST)
-	{
-		if (ikev2_algo == kernel_algo->ikev2_id)
-		{
-			/* match, evaluate key length */
-			if (key_size && *key_size == 0)
-			{	/* update key size if not set */
-				*key_size = kernel_algo->key_size;
-			}
-			return kernel_algo->name;
-		}
-		kernel_algo++;
-	}
-	return NULL;
-}
-
-typedef struct route_entry_t route_entry_t;
-
-/**
- * installed routing entry
- */
-struct route_entry_t {
-
-	/** Index of the interface the route is bound to */
-	int if_index;
-
-	/** Source ip of the route */
-	host_t *src_ip;
-	
-	/** gateway for this route */
-	host_t *gateway;
-
-	/** Destination net */
-	chunk_t dst_net;
-
-	/** Destination net prefixlen */
-	u_int8_t prefixlen;
-};
-
-/**
- * destroy an route_entry_t object
- */
-static void route_entry_destroy(route_entry_t *this)
-{
-	this->src_ip->destroy(this->src_ip);
-	this->gateway->destroy(this->gateway);
-	chunk_free(&this->dst_net);
-	free(this);
-}
-
-typedef struct policy_entry_t policy_entry_t;
-
-/**
- * installed kernel policy.
- */
-struct policy_entry_t {
-	
-	/** direction of this policy: in, out, forward */
-	u_int8_t direction;
-	
-	/** reqid of the policy */
-	u_int32_t reqid;
-	
-	/** parameters of installed policy */
-	struct xfrm_selector sel;
-	
-	/** associated route installed for this policy */
-	route_entry_t *route;
-	
-	/** by how many CHILD_SA's this policy is used */
-	u_int refcount;
-};
-
-typedef struct addr_entry_t addr_entry_t;
-
-/**
- * IP address in an inface_entry_t
- */
-struct addr_entry_t {
-	
-	/** The ip address */
-	host_t *ip;
-	
-	/** virtual IP managed by us */
-	bool virtual;
-	
-	/** scope of the address */
-	u_char scope;
-	
-	/** Number of times this IP is used, if virtual */
-	u_int refcount;
-};
-
-/**
- * destroy a addr_entry_t object
- */
-static void addr_entry_destroy(addr_entry_t *this)
-{
-	this->ip->destroy(this->ip);
-	free(this);
-}
-
-typedef struct iface_entry_t iface_entry_t;
-
-/**
- * A network interface on this system, containing addr_entry_t's
- */
-struct iface_entry_t {
-	
-	/** interface index */
-	int ifindex;
-	
-	/** name of the interface */
-	char ifname[IFNAMSIZ];
-	
-	/** interface flags, as in netdevice(7) SIOCGIFFLAGS */
-	u_int flags;
-	
-	/** list of addresses as host_t */
-	linked_list_t *addrs;
-};
-
-/**
- * destroy an interface entry
- */
-static void iface_entry_destroy(iface_entry_t *this)
-{
-	this->addrs->destroy_function(this->addrs, (void*)addr_entry_destroy);
-	free(this);
-}
+#include <utils/mutex.h>
 
 typedef struct private_kernel_interface_t private_kernel_interface_t;
 
 /**
- * Private variables and functions of kernel_interface class.
+ * Private data of a kernel_interface_t object.
  */
 struct private_kernel_interface_t {
+
 	/**
-	 * Public part of the kernel_interface_t object.
+	 * Public part of kernel_interface_t object.
 	 */
 	kernel_interface_t public;
 	
 	/**
-	 * mutex to lock access to netlink socket
-	 */
-	pthread_mutex_t nl_mutex;
-	
-	/**
-	 * mutex to lock access to various lists
-	 */
-	pthread_mutex_t mutex;
-	
-	/**
-	 * condition variable to signal virtual IP add/removal
-	 */
-	pthread_cond_t cond;
-	
-	/**
-	 * List of installed policies (policy_entry_t)
-	 */
-	linked_list_t *policies;
-	
-	/**
-	 * Cached list of interfaces and its adresses (iface_entry_t)
-	 */
-	linked_list_t *ifaces;
-	
-	/**
-	 * iterator used in hook()
+	 * list of registered ipsec kernel interfaces
 	 */
-	iterator_t *hiter;
-	 
-	/**
-	 * job receiving netlink events
-	 */
-	callback_job_t *job;
-	
-	/**
-	 * current sequence number for netlink request
-	 */
-	int seq;
-	
-	/**
-	 * Netlink xfrm socket (IPsec)
-	 */
-	int socket_xfrm;
-	
-	/**
-	 * netlink xfrm socket to receive acquire and expire events
-	 */
-	int socket_xfrm_events;
-	
-	/**
-	 * Netlink rt socket (routing)
-	 */
-	int socket_rt;
-	
-	/**
-	 * Netlink rt socket to receive address change events
-	 */
-	int socket_rt_events;
+	linked_list_t *ipsec_interfaces;
 	
 	/**
-	 * time of the last roam_job
+	 * list of registered network kernel interfaces
 	 */
-	struct timeval last_roam;
+	linked_list_t *net_interfaces;
 	
 	/**
-	 * whether to install routes along policies
+	 * ipsec interface
 	 */
-	bool install_routes;
+	kernel_ipsec_t *ipsec;
 	
 	/**
-	 * routing table to install routes
+	 * network interface
 	 */
-	int routing_table;
+	kernel_net_t *net;
 	
-	/**
-	 * priority of used routing table
-	 */
-	int routing_table_prio;
-};
-
-/**
- * convert a host_t to a struct xfrm_address
- */
-static void host2xfrm(host_t *host, xfrm_address_t *xfrm)
-{
-	chunk_t chunk = host->get_address(host);
-	memcpy(xfrm, chunk.ptr, min(chunk.len, sizeof(xfrm_address_t)));	
-}
-
-/**
- * convert a traffic selector address range to subnet and its mask.
- */
-static void ts2subnet(traffic_selector_t* ts, 
-					  xfrm_address_t *net, u_int8_t *mask)
-{
-	/* there is no way to do this cleanly, as the address range may
-	 * be anything else but a subnet. We use from_addr as subnet 
-	 * and try to calculate a usable subnet mask.
-	 */
-	int byte, bit;
-	bool found = FALSE;
-	chunk_t from, to;
-	size_t size = (ts->get_type(ts) == TS_IPV4_ADDR_RANGE) ? 4 : 16;
-	
-	from = ts->get_from_address(ts);
-	to = ts->get_to_address(ts);
-	
-	*mask = (size * 8);
-	/* go trough all bits of the addresses, beginning in the front.
-	 * as long as they are equal, the subnet gets larger
-	 */
-	for (byte = 0; byte < size; byte++)
-	{
-		for (bit = 7; bit >= 0; bit--)
-		{
-			if ((1<<bit & from.ptr[byte]) != (1<<bit & to.ptr[byte]))
-			{
-				*mask = ((7 - bit) + (byte * 8));
-				found = TRUE;
-				break;
-			}
-		}
-		if (found)
-		{
-			break;
-		}
-	}
-	memcpy(net, from.ptr, from.len);
-	chunk_free(&from);
-	chunk_free(&to);
-}
-
-/**
- * convert a traffic selector port range to port/portmask
- */
-static void ts2ports(traffic_selector_t* ts, 
-					 u_int16_t *port, u_int16_t *mask)
-{
-	/* linux does not seem to accept complex portmasks. Only
-	 * any or a specific port is allowed. We set to any, if we have
-	 * a port range, or to a specific, if we have one port only.
-	 */
-	u_int16_t from, to;
-	
-	from = ts->get_from_port(ts);
-	to = ts->get_to_port(ts);
-	
-	if (from == to)
-	{
-		*port = htons(from);
-		*mask = ~0;
-	}
-	else
-	{
-		*port = 0;
-		*mask = 0;
-	}
-}
-
-/**
- * convert a pair of traffic_selectors to a xfrm_selector
- */
-static struct xfrm_selector ts2selector(traffic_selector_t *src, 
-										traffic_selector_t *dst)
-{
-	struct xfrm_selector sel;
-
-	memset(&sel, 0, sizeof(sel));
-	sel.family = src->get_type(src) == TS_IPV4_ADDR_RANGE ? AF_INET : AF_INET6;
-	/* src or dest proto may be "any" (0), use more restrictive one */
-	sel.proto = max(src->get_protocol(src), dst->get_protocol(dst));
-	ts2subnet(dst, &sel.daddr, &sel.prefixlen_d);
-	ts2subnet(src, &sel.saddr, &sel.prefixlen_s);
-	ts2ports(dst, &sel.dport, &sel.dport_mask);
-	ts2ports(src, &sel.sport, &sel.sport_mask);
-	sel.ifindex = 0;
-	sel.user = 0;
-	
-	return sel;
-}
-
-/**
- * Creates an rtattr and adds it to the netlink message
- */
-static void add_attribute(struct nlmsghdr *hdr, int rta_type, chunk_t data,
-						  size_t buflen)
-{
-	struct rtattr *rta;
-	
-	if (NLMSG_ALIGN(hdr->nlmsg_len) + RTA_ALIGN(data.len) > buflen)
-	{
-		DBG1(DBG_KNL, "unable to add attribute, buffer too small");
-		return;
-	}
-	
-	rta = (struct rtattr*)(((char*)hdr) + NLMSG_ALIGN(hdr->nlmsg_len));
-	rta->rta_type = rta_type;
-	rta->rta_len = RTA_LENGTH(data.len);
-	memcpy(RTA_DATA(rta), data.ptr, data.len);
-	hdr->nlmsg_len = NLMSG_ALIGN(hdr->nlmsg_len) + rta->rta_len;
-}
-
-/**
- * process a XFRM_MSG_ACQUIRE from kernel
- */
-static void process_acquire(private_kernel_interface_t *this, struct nlmsghdr *hdr)
-{
-	u_int32_t reqid = 0;
-	job_t *job;
-	struct rtattr *rtattr = XFRM_RTA(hdr, struct xfrm_user_acquire);
-	size_t rtsize = XFRM_PAYLOAD(hdr, struct xfrm_user_tmpl);
-	
-	if (RTA_OK(rtattr, rtsize))
-	{
-		if (rtattr->rta_type == XFRMA_TMPL)
-		{
-			struct xfrm_user_tmpl* tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rtattr);
-			reqid = tmpl->reqid;
-		}
-	}
-	if (reqid == 0)
-	{
-		DBG1(DBG_KNL, "received a XFRM_MSG_ACQUIRE, but no reqid found");
-		return;
-	}
-	DBG2(DBG_KNL, "received a XFRM_MSG_ACQUIRE");
-	DBG1(DBG_KNL, "creating acquire job for CHILD_SA with reqid %d", reqid);
-	job = (job_t*)acquire_job_create(reqid);
-	charon->processor->queue_job(charon->processor, job);
-}
-
-/**
- * process a XFRM_MSG_EXPIRE from kernel
- */
-static void process_expire(private_kernel_interface_t *this, struct nlmsghdr *hdr)
-{
-	job_t *job;
-	protocol_id_t protocol;
-	u_int32_t spi, reqid;
-	struct xfrm_user_expire *expire;
-	
-	expire = (struct xfrm_user_expire*)NLMSG_DATA(hdr);
-	protocol = expire->state.id.proto;
-	protocol = (protocol == KERNEL_ESP) ? PROTO_ESP : (protocol == KERNEL_AH) ? PROTO_AH : protocol;
-	spi = expire->state.id.spi;
-	reqid = expire->state.reqid;
-	
-	DBG2(DBG_KNL, "received a XFRM_MSG_EXPIRE");
-	
-	if (protocol != PROTO_ESP && protocol != PROTO_AH)
-	{
-		DBG2(DBG_KNL, "ignoring XFRM_MSG_EXPIRE for SA 0x%x (reqid %d) which is "
-				"not a CHILD_SA", ntohl(spi), reqid);
-		return;
-	}
-	
-	DBG1(DBG_KNL, "creating %s job for %N CHILD_SA 0x%x (reqid %d)",
-		 expire->hard ? "delete" : "rekey",  protocol_id_names,
-		 protocol, ntohl(spi), reqid);
-	if (expire->hard)
-	{
-		job = (job_t*)delete_child_sa_job_create(reqid, protocol, spi);
-	}
-	else
-	{
-		job = (job_t*)rekey_child_sa_job_create(reqid, protocol, spi);
-	}
-	charon->processor->queue_job(charon->processor, job);
-}
-
-/**
- * start a roaming job. We delay it for a second and fire only one job
- * for multiple events. Otherwise we would create two many jobs.
- */
-static void fire_roam_job(private_kernel_interface_t *this, bool address)
-{
-	struct timeval now;
-		
-	if (gettimeofday(&now, NULL) == 0)
-	{
-		if (timercmp(&now, &this->last_roam, >))
-		{
-			now.tv_usec += ROAM_DELAY * 1000;
-			while (now.tv_usec > 1000000)
-			{
-				now.tv_sec++;
-				now.tv_usec -= 1000000;
-			}
-			this->last_roam = now;
-			charon->scheduler->schedule_job(charon->scheduler,
-					(job_t*)roam_job_create(address), ROAM_DELAY);
-		}
-	}
-}
-
-/**
- * process RTM_NEWLINK/RTM_DELLINK from kernel
- */
-static void process_link(private_kernel_interface_t *this,
-						 struct nlmsghdr *hdr, bool event)
-{
-	struct ifinfomsg* msg = (struct ifinfomsg*)(NLMSG_DATA(hdr));
-	struct rtattr *rta = IFLA_RTA(msg);
-	size_t rtasize = IFLA_PAYLOAD (hdr);
-	iterator_t *iterator;
-	iface_entry_t *current, *entry = NULL;
-	char *name = NULL;
-	bool update = FALSE;
-	
-	while(RTA_OK(rta, rtasize))
-	{
-		switch (rta->rta_type)
-		{
-			case IFLA_IFNAME:
-				name = RTA_DATA(rta);
-				break;
-		}
-		rta = RTA_NEXT(rta, rtasize);
-	}
-	if (!name)
-	{
-		name = "(unknown)";
-	}
-	
-	switch (hdr->nlmsg_type)
-	{
-		case RTM_NEWLINK:
-		{
-			if (msg->ifi_flags & IFF_LOOPBACK)
-			{	/* ignore loopback interfaces */
-				break;
-			}
-			iterator = this->ifaces->create_iterator_locked(this->ifaces,
-															&this->mutex);
-			while (iterator->iterate(iterator, (void**)&current))
-			{
-				if (current->ifindex == msg->ifi_index)
-				{
-					entry = current;
-					break;
-				}
-			}
-			if (!entry)
-			{
-				entry = malloc_thing(iface_entry_t);
-				entry->ifindex = msg->ifi_index;
-				entry->flags = 0;
-				entry->addrs = linked_list_create();
-				this->ifaces->insert_last(this->ifaces, entry);
-			}
-			memcpy(entry->ifname, name, IFNAMSIZ);
-			entry->ifname[IFNAMSIZ-1] = '\0';
-			if (event)
-			{
-				if (!(entry->flags & IFF_UP) && (msg->ifi_flags & IFF_UP))
-				{
-					update = TRUE;
-					DBG1(DBG_KNL, "interface %s activated", name);
-				}
-				if ((entry->flags & IFF_UP) && !(msg->ifi_flags & IFF_UP))
-				{
-					update = TRUE;
-					DBG1(DBG_KNL, "interface %s deactivated", name);
-				}
-			}
-			entry->flags = msg->ifi_flags;
-			iterator->destroy(iterator);
-			break;
-		}
-		case RTM_DELLINK:
-		{
-			iterator = this->ifaces->create_iterator_locked(this->ifaces,
-															&this->mutex);
-			while (iterator->iterate(iterator, (void**)&current))
-			{
-				if (current->ifindex == msg->ifi_index)
-				{
-					/* we do not remove it, as an address may be added to a 
-					 * "down" interface and we wan't to know that. */
-					current->flags = msg->ifi_flags;
-					break;
-				}
-			}
-			iterator->destroy(iterator);
-			break;
-		}
-	}
-	
-	/* send an update to all IKE_SAs */
-	if (update && event)
-	{
-		fire_roam_job(this, TRUE);
-	}
-}
-
-/**
- * process RTM_NEWADDR/RTM_DELADDR from kernel
- */
-static void process_addr(private_kernel_interface_t *this,
-						 struct nlmsghdr *hdr, bool event)
-{
-	struct ifaddrmsg* msg = (struct ifaddrmsg*)(NLMSG_DATA(hdr));
-	struct rtattr *rta = IFA_RTA(msg);
-	size_t rtasize = IFA_PAYLOAD (hdr);
-	host_t *host = NULL;
-	iterator_t *ifaces, *addrs;
-	iface_entry_t *iface;
-	addr_entry_t *addr;
-	chunk_t local = chunk_empty, address = chunk_empty;
-	bool update = FALSE, found = FALSE, changed = FALSE;
-	
-	while(RTA_OK(rta, rtasize))
-	{
-		switch (rta->rta_type)
-		{
-			case IFA_LOCAL:
-				local.ptr = RTA_DATA(rta);
-				local.len = RTA_PAYLOAD(rta);
-				break;
-			case IFA_ADDRESS:
-				address.ptr = RTA_DATA(rta);
-				address.len = RTA_PAYLOAD(rta);
-				break;
-		}
-		rta = RTA_NEXT(rta, rtasize);
-	}
-	
-	/* For PPP interfaces, we need the IFA_LOCAL address,
-	 * IFA_ADDRESS is the peers address. But IFA_LOCAL is
-	 * not included in all cases (IPv6?), so fallback to IFA_ADDRESS. */
-	if (local.ptr)
-	{
-		host = host_create_from_chunk(msg->ifa_family, local, 0);
-	}
-	else if (address.ptr)
-	{
-		host = host_create_from_chunk(msg->ifa_family, address, 0);
-	}
-	
-	if (host == NULL)
-	{	/* bad family? */
-		return;
-	}
-	
-	ifaces = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
-	while (ifaces->iterate(ifaces, (void**)&iface))
-	{
-		if (iface->ifindex == msg->ifa_index)
-		{
-			addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
-			while (addrs->iterate(addrs, (void**)&addr))
-			{
-				if (host->ip_equals(host, addr->ip))
-				{
-					found = TRUE;
-					if (hdr->nlmsg_type == RTM_DELADDR)
-					{
-						changed = TRUE;
-						addrs->remove(addrs);
-						if (!addr->virtual)
-						{
-							DBG1(DBG_KNL, "%H disappeared from %s",
-								 host, iface->ifname);
-						}
-						addr_entry_destroy(addr);
-					}
-					else if (hdr->nlmsg_type == RTM_NEWADDR && addr->virtual)
-					{
-						addr->refcount = 1;
-					}
-				}
-			}
-			addrs->destroy(addrs);
-		
-			if (hdr->nlmsg_type == RTM_NEWADDR)
-			{
-				if (!found)
-				{
-					found = TRUE;
-					changed = TRUE;
-					addr = malloc_thing(addr_entry_t);
-					addr->ip = host->clone(host);
-					addr->virtual = FALSE;
-					addr->refcount = 1;
-					addr->scope = msg->ifa_scope;
-					
-					iface->addrs->insert_last(iface->addrs, addr);
-					if (event)
-					{
-						DBG1(DBG_KNL, "%H appeared on %s", host, iface->ifname);
-					}
-				}
-			}
-			if (found && (iface->flags & IFF_UP))
-			{
-				update = TRUE;
-			}
-			break;
-		}
-	}
-	ifaces->destroy(ifaces);
-	host->destroy(host);
-	
-	/* send an update to all IKE_SAs */
-	if (update && event && changed)
-	{
-		fire_roam_job(this, TRUE);
-	}
-}
-
-/**
- * Receives events from kernel
- */
-static job_requeue_t receive_events(private_kernel_interface_t *this)
-{
-	char response[1024];
-	struct nlmsghdr *hdr = (struct nlmsghdr*)response;
-	struct sockaddr_nl addr;
-	socklen_t addr_len = sizeof(addr);
-	int len, oldstate, maxfd, selected;
-	fd_set rfds;
-
-	FD_ZERO(&rfds);
-	FD_SET(this->socket_xfrm_events, &rfds);
-	FD_SET(this->socket_rt_events, &rfds);
-	maxfd = max(this->socket_xfrm_events, this->socket_rt_events);
-	
-	pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
-	selected = select(maxfd + 1, &rfds, NULL, NULL, NULL);
-	pthread_setcancelstate(oldstate, NULL);
-	if (selected <= 0)
-	{
-		DBG1(DBG_KNL, "selecting on sockets failed: %s", strerror(errno));
-		return JOB_REQUEUE_FAIR;
-	}
-	if (FD_ISSET(this->socket_xfrm_events, &rfds))
-	{
-		selected = this->socket_xfrm_events;
-	}
-	else if (FD_ISSET(this->socket_rt_events, &rfds))
-	{
-		selected = this->socket_rt_events;
-	}
-	else
-	{
-		return JOB_REQUEUE_DIRECT;
-	}
-	
-	len = recvfrom(selected, response, sizeof(response), MSG_DONTWAIT,
-				   (struct sockaddr*)&addr, &addr_len);
-	if (len < 0)
-	{
-		switch (errno)
-		{
-			case EINTR:
-				/* interrupted, try again */
-				return JOB_REQUEUE_DIRECT;
-			case EAGAIN:
-				/* no data ready, select again */
-				return JOB_REQUEUE_DIRECT;
-			default:
-				DBG1(DBG_KNL, "unable to receive from xfrm event socket");
-				sleep(1);
-				return JOB_REQUEUE_FAIR;
-		}
-	}
-	if (addr.nl_pid != 0)
-	{	/* not from kernel. not interested, try another one */
-		return JOB_REQUEUE_DIRECT;
-	}
-	
-	while (NLMSG_OK(hdr, len))
-	{
-		/* looks good so far, dispatch netlink message */
-		if (selected == this->socket_xfrm_events)
-		{
-			switch (hdr->nlmsg_type)
-			{
-				case XFRM_MSG_ACQUIRE:
-					process_acquire(this, hdr);
-					break;
-				case XFRM_MSG_EXPIRE:
-					process_expire(this, hdr);
-					break;
-				default:
-					break;
-			}
-		}
-		else if (selected == this->socket_rt_events)
-		{
-			switch (hdr->nlmsg_type)
-			{
-				case RTM_NEWADDR:
-				case RTM_DELADDR:
-					process_addr(this, hdr, TRUE);
-					pthread_cond_signal(&this->cond);
-					break;
-				case RTM_NEWLINK:
-				case RTM_DELLINK:
-					process_link(this, hdr, TRUE);
-					pthread_cond_signal(&this->cond);
-					break;
-				case RTM_NEWROUTE:
-				case RTM_DELROUTE:
-					fire_roam_job(this, FALSE);
-					break;
-				default:
-					break;
-			}
-		}
-		hdr = NLMSG_NEXT(hdr, len);
-	}
-	return JOB_REQUEUE_DIRECT;
-}
-
-/**
- * send a netlink message and wait for a reply
- */
-static status_t netlink_send(private_kernel_interface_t *this,
-							 int socket, struct nlmsghdr *in,
-							 struct nlmsghdr **out, size_t *out_len)
-{
-	int len, addr_len;
-	struct sockaddr_nl addr;
-	chunk_t result = chunk_empty, tmp;
-	struct nlmsghdr *msg, peek;
-	
-	pthread_mutex_lock(&this->nl_mutex);
-	
-	in->nlmsg_seq = ++this->seq;
-	in->nlmsg_pid = getpid();
-	
-	memset(&addr, 0, sizeof(addr));
-	addr.nl_family = AF_NETLINK;
-	addr.nl_pid = 0;
-	addr.nl_groups = 0;
-
-	while (TRUE)
-	{
-		len = sendto(socket, in, in->nlmsg_len, 0, 
-					 (struct sockaddr*)&addr, sizeof(addr));
-		
-		if (len != in->nlmsg_len)
-		{	
-			if (errno == EINTR)
-			{
-				/* interrupted, try again */
-				continue;
-			}
-			pthread_mutex_unlock(&this->nl_mutex);
-			DBG1(DBG_KNL, "error sending to netlink socket: %s", strerror(errno));
-			return FAILED;
-		}
-		break;
-	}
-	
-	while (TRUE)
-	{	
-		char buf[4096];
-		tmp.len = sizeof(buf);
-		tmp.ptr = buf;
-		msg = (struct nlmsghdr*)tmp.ptr;
-		
-		memset(&addr, 0, sizeof(addr));
-		addr.nl_family = AF_NETLINK;
-		addr.nl_pid = getpid();
-		addr.nl_groups = 0;
-		addr_len = sizeof(addr);
-		
-		len = recvfrom(socket, tmp.ptr, tmp.len, 0,
-					   (struct sockaddr*)&addr, &addr_len);
-		
-		if (len < 0)
-		{
-			if (errno == EINTR)
-			{
-				DBG1(DBG_KNL, "got interrupted");
-				/* interrupted, try again */
-				continue;
-			}
-			DBG1(DBG_KNL, "error reading from netlink socket: %s", strerror(errno));
-			pthread_mutex_unlock(&this->nl_mutex);
-			return FAILED;
-		}
-		if (!NLMSG_OK(msg, len))
-		{
-			DBG1(DBG_KNL, "received corrupted netlink message");
-			pthread_mutex_unlock(&this->nl_mutex);
-			return FAILED;
-		}
-		if (msg->nlmsg_seq != this->seq)
-		{
-			DBG1(DBG_KNL, "received invalid netlink sequence number");
-			if (msg->nlmsg_seq < this->seq)
-			{
-				continue;
-			}
-			pthread_mutex_unlock(&this->nl_mutex);
-			return FAILED;
-		}
-		
-		tmp.len = len;
-		result = chunk_cata("cc", result, tmp);
-		
-		/* NLM_F_MULTI flag does not seem to be set correctly, we use sequence
-		 * numbers to detect multi header messages */
-		len = recvfrom(socket, &peek, sizeof(peek), MSG_PEEK | MSG_DONTWAIT,
-					   (struct sockaddr*)&addr, &addr_len);
-		
-		if (len == sizeof(peek) && peek.nlmsg_seq == this->seq)
-		{
-			/* seems to be multipart */
-			continue;
-		}
-		break;
-	}
-	
-	*out_len = result.len;
-	*out = (struct nlmsghdr*)clalloc(result.ptr, result.len);
-	
-	pthread_mutex_unlock(&this->nl_mutex);
-	
-	return SUCCESS;
-}
-
-/**
- * send a netlink message and wait for its acknowlegde
- */
-static status_t netlink_send_ack(private_kernel_interface_t *this,
-								 int socket, struct nlmsghdr *in)
-{
-	struct nlmsghdr *out, *hdr;
-	size_t len;
-
-	if (netlink_send(this, socket, in, &out, &len) != SUCCESS)
-	{
-		return FAILED;
-	}
-	hdr = out;
-	while (NLMSG_OK(hdr, len))
-	{
-		switch (hdr->nlmsg_type)
-		{
-			case NLMSG_ERROR:
-			{
-				struct nlmsgerr* err = (struct nlmsgerr*)NLMSG_DATA(hdr);
-				
-				if (err->error)
-				{
-					DBG1(DBG_KNL, "received netlink error: %s (%d)",
-						 strerror(-err->error), -err->error);
-					free(out);
-					return FAILED;
-				}
-				free(out);
-				return SUCCESS;
-			}
-			default:
-				hdr = NLMSG_NEXT(hdr, len);
-				continue;
-			case NLMSG_DONE:
-				break;
-		}
-		break;
-	}
-	DBG1(DBG_KNL, "netlink request not acknowlegded");
-	free(out);
-	return FAILED;
-}
-	
-/**
- * Initialize a list of local addresses.
- */
-static status_t init_address_list(private_kernel_interface_t *this)
-{
-	char request[BUFFER_SIZE];
-	struct nlmsghdr *out, *current, *in;
-	struct rtgenmsg *msg;
-	size_t len;
-	iterator_t *ifaces, *addrs;
-	iface_entry_t *iface;
-	addr_entry_t *addr;
-	
-	DBG1(DBG_KNL, "listening on interfaces:");
-	
-	memset(&request, 0, sizeof(request));
-
-	in = (struct nlmsghdr*)&request;
-	in->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtgenmsg));
-	in->nlmsg_flags = NLM_F_REQUEST | NLM_F_MATCH | NLM_F_ROOT;
-	msg = (struct rtgenmsg*)NLMSG_DATA(in);
-	msg->rtgen_family = AF_UNSPEC;
-	
-	/* get all links */
-	in->nlmsg_type = RTM_GETLINK;
-	if (netlink_send(this, this->socket_rt, in, &out, &len) != SUCCESS)
-	{
-		return FAILED;
-	}
-	current = out;
-	while (NLMSG_OK(current, len))
-	{
-		switch (current->nlmsg_type)
-		{
-			case NLMSG_DONE:
-				break;
-			case RTM_NEWLINK:
-				process_link(this, current, FALSE);
-				/* fall through */
-			default:
-				current = NLMSG_NEXT(current, len);
-				continue;
-		}
-		break;
-	}
-	free(out);
-	
-	/* get all interface addresses */
-	in->nlmsg_type = RTM_GETADDR;
-	if (netlink_send(this, this->socket_rt, in, &out, &len) != SUCCESS)
-	{
-		return FAILED;
-	}
-	current = out;
-	while (NLMSG_OK(current, len))
-	{
-		switch (current->nlmsg_type)
-		{
-			case NLMSG_DONE:
-				break;
-			case RTM_NEWADDR:
-				process_addr(this, current, FALSE);
-				/* fall through */
-			default:
-				current = NLMSG_NEXT(current, len);
-				continue;
-		}
-		break;
-	}
-	free(out);
-	
-	ifaces = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
-	while (ifaces->iterate(ifaces, (void**)&iface))
-	{
-		if (iface->flags & IFF_UP)
-		{
-			DBG1(DBG_KNL, "  %s", iface->ifname);
-			addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
-			while (addrs->iterate(addrs, (void**)&addr))
-			{
-				DBG1(DBG_KNL, "    %H", addr->ip);
-			}
-			addrs->destroy(addrs);
-		}
-	}
-	ifaces->destroy(ifaces);
-	return SUCCESS;
-}
-
-/**
- * iterator hook to iterate over addrs
- */
-static hook_result_t addr_hook(private_kernel_interface_t *this,
-							   addr_entry_t *in, host_t **out)
-{
-	if (in->virtual)
-	{	/* skip virtual interfaces added by us */
-		return HOOK_SKIP;
-	}
-	if (in->scope >= RT_SCOPE_LINK)
-	{	/* skip addresses with a unusable scope */
-		return HOOK_SKIP;
-	}
-	*out = in->ip;
-	return HOOK_NEXT;
-}
-								
-/**
- * iterator hook to iterate over ifaces
- */
-static hook_result_t iface_hook(private_kernel_interface_t *this,
-								iface_entry_t *in, host_t **out)
-{
-	if (!(in->flags & IFF_UP))
-	{	/* skip interfaces not up */
-		return HOOK_SKIP;
-	}
-
-	if (this->hiter == NULL)
-	{
-		this->hiter = in->addrs->create_iterator(in->addrs, TRUE);
-		this->hiter->set_iterator_hook(this->hiter,
-									   (iterator_hook_t*)addr_hook, this);
-	}
-	while (this->hiter->iterate(this->hiter, (void**)out))
-	{
-		return HOOK_AGAIN;
-	}
-	this->hiter->destroy(this->hiter);
-	this->hiter = NULL;
-	return HOOK_SKIP;
-}
-
-/**
- * Implements kernel_interface_t.create_address_iterator.
- */
-static iterator_t *create_address_iterator(private_kernel_interface_t *this)
-{
-	iterator_t *iterator;
-	
-	/* This iterator is not only hooked, is is double-hooked. As we have stored
-	 * our addresses in iface_entry->addr_entry->ip, we need to iterate the
-	 * entries in each interface we iterate. This does the iface_hook. The
-	 * addr_hook returns the ip instead of the addr_entry. */
-	
-	iterator = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
-	iterator->set_iterator_hook(iterator, (iterator_hook_t*)iface_hook, this);
-	return iterator;
-}
-
-/**
- * implementation of kernel_interface_t.get_interface_name
- */
-static char *get_interface_name(private_kernel_interface_t *this, host_t* ip)
-{
-	iterator_t *ifaces, *addrs;
-	iface_entry_t *iface;
-	addr_entry_t *addr;
-	char *name = NULL;
-	
-	DBG2(DBG_KNL, "getting interface name for %H", ip);
-	
-	ifaces = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
-	while (ifaces->iterate(ifaces, (void**)&iface))
-	{
-		addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
-		while (addrs->iterate(addrs, (void**)&addr))
-		{
-			if (ip->ip_equals(ip, addr->ip))
-			{
-				name = strdup(iface->ifname);
-				break;
-			}
-		}
-		addrs->destroy(addrs);
-		if (name)
-		{
-			break;
-		}
-	}
-	ifaces->destroy(ifaces);
-	
-	if (name)
-	{
-		DBG2(DBG_KNL, "%H is on interface %s", ip, name);
-	}
-	else
-	{
-		DBG2(DBG_KNL, "%H is not a local address", ip);
-	}
-	return name;
-}
-
-/**
- * Tries to find an ip address of a local interface that is included in the
- * supplied traffic selector.
- */
-static status_t get_address_by_ts(private_kernel_interface_t *this,
-								  traffic_selector_t *ts, host_t **ip)
-{
-	iterator_t *ifaces, *addrs;
-	iface_entry_t *iface;
-	addr_entry_t *addr;
-	host_t *host;
-	int family;
-	bool found = FALSE;
-	
-	DBG2(DBG_KNL, "getting a local address in traffic selector %R", ts);
-	
-	/* if we have a family which includes localhost, we do not
-	 * search for an IP, we use the default */
-	family = ts->get_type(ts) == TS_IPV4_ADDR_RANGE ? AF_INET : AF_INET6;
-	
-	if (family == AF_INET)
-	{
-		host = host_create_from_string("127.0.0.1", 0);
-	}
-	else
-	{
-		host = host_create_from_string("::1", 0);
-	}
-	
-	if (ts->includes(ts, host))
-	{
-		*ip = host_create_any(family);
-		host->destroy(host);
-		DBG2(DBG_KNL, "using host %H", *ip);
-		return SUCCESS;
-	}
-	host->destroy(host);
-	
-	ifaces = this->ifaces->create_iterator_locked(this->ifaces,	&this->mutex);
-	while (ifaces->iterate(ifaces, (void**)&iface))
-	{
-		addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
-		while (addrs->iterate(addrs, (void**)&addr))
-		{
-			if (ts->includes(ts, addr->ip))
-			{
-				found = TRUE;
-				*ip = addr->ip->clone(addr->ip);
-				break;
-			}
-		}
-		addrs->destroy(addrs);
-		if (found)
-		{
-			break;
-		}
-	}
-	ifaces->destroy(ifaces);
-	
-	if (!found)
-	{
-		DBG1(DBG_KNL, "no local address found in traffic selector %R", ts);
-		return FAILED;
-	}
-	DBG2(DBG_KNL, "using host %H", *ip);
-	return SUCCESS;
-}
+	/**
+	 * locking mutex
+	 */
+	mutex_t *mutex;
+};
 
 /**
- * get the interface of a local address
+ * Implementation of kernel_interface_t.get_spi
  */
-static int get_interface_index(private_kernel_interface_t *this, host_t* ip)
+static status_t get_spi(private_kernel_interface_t *this, host_t *src, host_t *dst, 
+				 protocol_id_t protocol, u_int32_t reqid, u_int32_t *spi)
 {
-	iterator_t *ifaces, *addrs;
-	iface_entry_t *iface;
-	addr_entry_t *addr;
-	int ifindex = 0;
-	
-	DBG2(DBG_KNL, "getting iface for %H", ip);
-	
-	ifaces = this->ifaces->create_iterator_locked(this->ifaces,	&this->mutex);
-	while (ifaces->iterate(ifaces, (void**)&iface))
-	{
-		addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
-		while (addrs->iterate(addrs, (void**)&addr))
-		{
-			if (ip->ip_equals(ip, addr->ip))
-			{
-				ifindex = iface->ifindex;
-				break;
-			}
-		}
-		addrs->destroy(addrs);
-		if (ifindex)
-		{
-			break;
-		}
-	}
-	ifaces->destroy(ifaces);
-
-	if (ifindex == 0)
-	{
-		DBG1(DBG_KNL, "unable to get interface for %H", ip);
-	}
-	return ifindex;
+	return this->ipsec->get_spi(this->ipsec, src, dst, protocol, reqid, spi);
 }
 
 /**
- * get the refcount of a virtual ip
+ * Implementation of kernel_interface_t.get_cpi
  */
-static int get_vip_refcount(private_kernel_interface_t *this, host_t* ip)
+static status_t get_cpi(private_kernel_interface_t *this, host_t *src, host_t *dst, 
+					u_int32_t reqid, u_int16_t *cpi)
 {
-	iterator_t *ifaces, *addrs;
-	iface_entry_t *iface;
-	addr_entry_t *addr;
-	int refcount = 0;
-	
-	ifaces = this->ifaces->create_iterator(this->ifaces, TRUE);
-	while (ifaces->iterate(ifaces, (void**)&iface))
-	{
-		addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
-		while (addrs->iterate(addrs, (void**)&addr))
-		{
-			if (addr->virtual && (iface->flags & IFF_UP) &&
-				ip->ip_equals(ip, addr->ip))
-			{
-				refcount = addr->refcount;
-				break;
-			}
-		}
-		addrs->destroy(addrs);
-		if (refcount)
-		{
-			break;
-		}
-	}
-	ifaces->destroy(ifaces);
-	
-	return refcount;
+	return this->ipsec->get_cpi(this->ipsec, src, dst, reqid, cpi);
 }
 
 /**
- * Manages the creation and deletion of ip addresses on an interface.
- * By setting the appropriate nlmsg_type, the ip will be set or unset.
+ * Implementation of kernel_interface_t.add_sa
  */
-static status_t manage_ipaddr(private_kernel_interface_t *this, int nlmsg_type,
-							  int flags, int if_index, host_t *ip)
+static status_t add_sa(private_kernel_interface_t *this, host_t *src, host_t *dst,
+				u_int32_t spi, protocol_id_t protocol, u_int32_t reqid,
+				u_int64_t expire_soft, u_int64_t expire_hard,
+				u_int16_t enc_alg, u_int16_t enc_size,
+				u_int16_t int_alg, u_int16_t int_size,
+				prf_plus_t *prf_plus, ipsec_mode_t mode, u_int16_t ipcomp, bool encap,
+				bool update)
 {
-	unsigned char request[BUFFER_SIZE];
-	struct nlmsghdr *hdr;
-	struct ifaddrmsg *msg;
-	chunk_t chunk;
-	
-	memset(&request, 0, sizeof(request));
-	
-	chunk = ip->get_address(ip);
-    
-    hdr = (struct nlmsghdr*)request;
-	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags;
-	hdr->nlmsg_type = nlmsg_type; 
-	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct ifaddrmsg));
-	
-	msg = (struct ifaddrmsg*)NLMSG_DATA(hdr);
-    msg->ifa_family = ip->get_family(ip);
-    msg->ifa_flags = 0;
-    msg->ifa_prefixlen = 8 * chunk.len;
-    msg->ifa_scope = RT_SCOPE_UNIVERSE;
-    msg->ifa_index = if_index;
-	
-	add_attribute(hdr, IFA_LOCAL, chunk, sizeof(request));
-
-	return netlink_send_ack(this, this->socket_rt, hdr);
+	return this->ipsec->add_sa(this->ipsec, src, dst, spi, protocol, reqid,
+			expire_soft, expire_hard, enc_alg, enc_size, int_alg, int_size,
+			prf_plus, mode, ipcomp, encap, update);
 }
 
 /**
- * Manages source routes in the routing table.
- * By setting the appropriate nlmsg_type, the route added or r.
+ * Implementation of kernel_interface_t.update_sa
  */
-static status_t manage_srcroute(private_kernel_interface_t *this, int nlmsg_type,
-								int flags, route_entry_t *route)
+static status_t update_sa(private_kernel_interface_t *this, u_int32_t spi,
+				   protocol_id_t protocol, host_t *src, host_t *dst, 
+				   host_t *new_src, host_t *new_dst, bool encap)
 {
-	unsigned char request[BUFFER_SIZE];
-	struct nlmsghdr *hdr;
-	struct rtmsg *msg;
-	chunk_t chunk;
-
-	/* if route is 0.0.0.0/0, we can't install it, as it would
-	 * overwrite the default route. Instead, we add two routes:
-	 * 0.0.0.0/1 and 128.0.0.0/1 */
-	if (this->routing_table == 0 && route->prefixlen == 0)
-	{
-		route_entry_t half;
-		status_t status;
-		
-		half.dst_net = chunk_alloca(route->dst_net.len);
-		memset(half.dst_net.ptr, 0, half.dst_net.len);
-		half.src_ip = route->src_ip;
-		half.gateway = route->gateway;
-		half.if_index = route->if_index;
-		half.prefixlen = 1;
-		
-		status = manage_srcroute(this, nlmsg_type, flags, &half);
-		half.dst_net.ptr[0] |= 0x80;
-		status = manage_srcroute(this, nlmsg_type, flags, &half);
-		return status;
-	}
-	
-	memset(&request, 0, sizeof(request));
-
-	hdr = (struct nlmsghdr*)request;
-	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags;
-	hdr->nlmsg_type = nlmsg_type;
-	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg));
-
-	msg = (struct rtmsg*)NLMSG_DATA(hdr);
-	msg->rtm_family = route->src_ip->get_family(route->src_ip);
-	msg->rtm_dst_len = route->prefixlen;
-	msg->rtm_table = this->routing_table;
-	msg->rtm_protocol = RTPROT_STATIC;
-	msg->rtm_type = RTN_UNICAST;
-	msg->rtm_scope = RT_SCOPE_UNIVERSE;
-	
-	add_attribute(hdr, RTA_DST, route->dst_net, sizeof(request));
-	chunk = route->src_ip->get_address(route->src_ip);
-	add_attribute(hdr, RTA_PREFSRC, chunk, sizeof(request));
-	chunk = route->gateway->get_address(route->gateway);
-	add_attribute(hdr, RTA_GATEWAY, chunk, sizeof(request));
-	chunk.ptr = (char*)&route->if_index;
-	chunk.len = sizeof(route->if_index);
-	add_attribute(hdr, RTA_OIF, chunk, sizeof(request));
-
-	return netlink_send_ack(this, this->socket_rt, hdr);
+	return this->ipsec->update_sa(this->ipsec, spi, protocol, src, dst, new_src,
+			new_dst, encap);
 }
 
 /**
- * create or delete an rule to use our routing table
+ * Implementation of kernel_interface_t.query_sa
  */
-static status_t manage_rule(private_kernel_interface_t *this, int nlmsg_type,
-							u_int32_t table, u_int32_t prio)
+static status_t query_sa(private_kernel_interface_t *this, host_t *dst, u_int32_t spi, 
+				  protocol_id_t protocol, u_int32_t *use_time)
 {
-	unsigned char request[BUFFER_SIZE];
-	struct nlmsghdr *hdr;
-	struct rtmsg *msg;
-	chunk_t chunk;
-
-	memset(&request, 0, sizeof(request));    
-	hdr = (struct nlmsghdr*)request;
-	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
-	hdr->nlmsg_type = nlmsg_type; 
-	if (nlmsg_type == RTM_NEWRULE)
-	{
-		hdr->nlmsg_flags |= NLM_F_CREATE | NLM_F_EXCL;
-	}
-	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg));
-
-	msg = (struct rtmsg*)NLMSG_DATA(hdr);
-	msg->rtm_table = table;
-	msg->rtm_family = AF_INET;
-	msg->rtm_protocol = RTPROT_BOOT;
-	msg->rtm_scope = RT_SCOPE_UNIVERSE;
-	msg->rtm_type = RTN_UNICAST;
-
-	chunk = chunk_from_thing(prio);
-	add_attribute(hdr, RTA_PRIORITY, chunk, sizeof(request));
-
-	return netlink_send_ack(this, this->socket_rt, hdr);
+	return this->ipsec->query_sa(this->ipsec, dst, spi, protocol, use_time);
 }
 
 /**
- * check if an address (chunk) addr is in subnet (net with net_len net bits)
+ * Implementation of kernel_interface_t.del_sa
  */
-static bool addr_in_subnet(chunk_t addr, chunk_t net, int net_len)
+static status_t del_sa(private_kernel_interface_t *this, host_t *dst, u_int32_t spi,
+				protocol_id_t protocol)
 {
-	int bit, byte;
-
-	if (addr.len != net.len)
-	{
-		return FALSE;
-	}
-	/* scan through all bits, beginning in the front */
-	for (byte = 0; byte < addr.len; byte++)
-	{
-		for (bit = 7; bit >= 0; bit--)
-		{
-			/* check if bits are equal (or we reached the end of the net) */
-			if (bit + byte * 8 > net_len)
-			{
-				return TRUE;
-			}
-			if (((1<<bit) & addr.ptr[byte]) != ((1<<bit) & net.ptr[byte]))
-			{
-				return FALSE;
-			}
-		}
-	}
-	return TRUE;
+	return this->ipsec->del_sa(this->ipsec, dst, spi, protocol);
 }
 
 /**
- * Get a route: If "nexthop", the nexthop is returned. source addr otherwise.
+ * Implementation of kernel_interface_t.add_policy
  */
-static host_t *get_route(private_kernel_interface_t *this, host_t *dest,
-						 bool nexthop)
+static status_t add_policy(private_kernel_interface_t *this, host_t *src, host_t *dst,
+					traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
+					policy_dir_t direction, protocol_id_t protocol,
+					u_int32_t reqid, bool high_prio, ipsec_mode_t mode,
+					u_int16_t ipcomp)
 {
-	unsigned char request[BUFFER_SIZE];
-	struct nlmsghdr *hdr, *out, *current;
-	struct rtmsg *msg;
-	chunk_t chunk;
-	size_t len;
-	int best = -1;
-	host_t *src = NULL, *gtw = NULL;
-	
-	DBG2(DBG_KNL, "getting address to reach %H", dest);
-	
-	memset(&request, 0, sizeof(request));
-
-	hdr = (struct nlmsghdr*)request;
-	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_DUMP | NLM_F_ROOT;
-	hdr->nlmsg_type = RTM_GETROUTE;
-	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg));
-
-	msg = (struct rtmsg*)NLMSG_DATA(hdr);
-	msg->rtm_family = dest->get_family(dest);
-	
-	chunk = dest->get_address(dest);
-	add_attribute(hdr, RTA_DST, chunk, sizeof(request));
-			
-	if (netlink_send(this, this->socket_rt, hdr, &out, &len) != SUCCESS)
-	{
-		DBG1(DBG_KNL, "getting address to %H failed", dest);
-		return NULL;
-	}
-	current = out;
-	while (NLMSG_OK(current, len))
-	{
-		switch (current->nlmsg_type)
-		{
-			case NLMSG_DONE:
-				break;
-			case RTM_NEWROUTE:
-			{
-				struct rtattr *rta;
-				size_t rtasize;
-				chunk_t rta_gtw, rta_src, rta_dst;
-				u_int32_t rta_oif = 0;
-				
-				rta_gtw = rta_src = rta_dst = chunk_empty;
-				msg = (struct rtmsg*)(NLMSG_DATA(current));
-				rta = RTM_RTA(msg);
-				rtasize = RTM_PAYLOAD(current);
-				while (RTA_OK(rta, rtasize))
-				{
-					switch (rta->rta_type)
-					{
-						case RTA_PREFSRC:
-							rta_src = chunk_create(RTA_DATA(rta), RTA_PAYLOAD(rta));
-							break;
-						case RTA_GATEWAY:
-							rta_gtw = chunk_create(RTA_DATA(rta), RTA_PAYLOAD(rta));
-							break;
-						case RTA_DST:
-							rta_dst = chunk_create(RTA_DATA(rta), RTA_PAYLOAD(rta));
-							break;
-						case RTA_OIF:
-							if (RTA_PAYLOAD(rta) == sizeof(rta_oif))
-							{
-								rta_oif = *(u_int32_t*)RTA_DATA(rta);
-							}
-							break;
-					}
-					rta = RTA_NEXT(rta, rtasize);
-				}
-				
-				/* apply the route if:
-				 * - it is not from our own ipsec routing table
-				 * - is better than a previous one
-				 * - is the default route or
-				 * - its destination net contains our destination
-				 */
-				if ((this->routing_table == 0 ||msg->rtm_table != this->routing_table)
-					&&  msg->rtm_dst_len > best
-					&& (msg->rtm_dst_len == 0 || /* default route */
-					(rta_dst.ptr && addr_in_subnet(chunk, rta_dst, msg->rtm_dst_len))))
-				{
-					iterator_t *ifaces, *addrs;
-					iface_entry_t *iface;
-					addr_entry_t *addr;
-					
-					best = msg->rtm_dst_len;
-					if (nexthop)
-					{
-						DESTROY_IF(gtw);
-						gtw = host_create_from_chunk(msg->rtm_family, rta_gtw, 0);
-					}
-					else if (rta_src.ptr)
-					{
-						DESTROY_IF(src);
-						src = host_create_from_chunk(msg->rtm_family, rta_src, 0);
-						if (get_vip_refcount(this, src))
-						{	/* skip source address if it is installed by us */
-							DESTROY_IF(src);
-							src = NULL;
-							current = NLMSG_NEXT(current, len);
-							continue;
-						}
-					}
-					else
-					{
-						/* no source addr, get one from the interfaces */
-						ifaces = this->ifaces->create_iterator_locked(
-													this->ifaces, &this->mutex);
-						while (ifaces->iterate(ifaces, (void**)&iface))
-						{
-							if (iface->ifindex == rta_oif)
-							{
-								addrs = iface->addrs->create_iterator(
-															iface->addrs, TRUE);
-								while (addrs->iterate(addrs, (void**)&addr))
-								{
-									chunk_t ip = addr->ip->get_address(addr->ip);
-									if (msg->rtm_dst_len == 0
-									||	addr_in_subnet(ip, rta_dst, msg->rtm_dst_len))
-									{
-										DESTROY_IF(src);
-										src = addr->ip->clone(addr->ip);
-										break;
-									}
-								}
-								addrs->destroy(addrs);
-							}
-						}
-						ifaces->destroy(ifaces);
-					}
-				}
-				/* FALL through */
-			}
-			default:
-				current = NLMSG_NEXT(current, len);
-				continue;
-		}
-		break;
-	}
-	free(out);
-	
-	if (nexthop)
-	{
-		if (gtw)
-		{
-			return gtw;
-		}
-		return dest->clone(dest);
-	}
-	return src;
+	return this->ipsec->add_policy(this->ipsec, src, dst, src_ts, dst_ts,
+			direction, protocol, reqid, high_prio, mode, ipcomp);
 }
 
 /**
- * Implementation of kernel_interface_t.get_source_addr.
+ * Implementation of kernel_interface_t.query_policy
  */
-static host_t* get_source_addr(private_kernel_interface_t *this, host_t *dest)
+static status_t query_policy(private_kernel_interface_t *this,
+					  traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
+					  policy_dir_t direction, u_int32_t *use_time)
 {
-	return get_route(this, dest, FALSE);
+	return this->ipsec->query_policy(this->ipsec, src_ts, dst_ts, direction, use_time);
 }
 
 /**
- * Implementation of kernel_interface_t.add_ip.
+ * Implementation of kernel_interface_t.del_policy
  */
-static status_t add_ip(private_kernel_interface_t *this, 
-						host_t *virtual_ip, host_t *iface_ip)
+static status_t del_policy(private_kernel_interface_t *this,
+					traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
+					policy_dir_t direction)
 {
-	iface_entry_t *iface;
-	addr_entry_t *addr;
-	iterator_t *addrs, *ifaces;
-	int ifindex;
-
-	DBG2(DBG_KNL, "adding virtual IP %H", virtual_ip);
-	
-	ifaces = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
-	while (ifaces->iterate(ifaces, (void**)&iface))
-	{
-		bool iface_found = FALSE;
-	
-		addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
-		while (addrs->iterate(addrs, (void**)&addr))
-		{
-			if (iface_ip->ip_equals(iface_ip, addr->ip))
-			{
-				iface_found = TRUE;
-			}
-			else if (virtual_ip->ip_equals(virtual_ip, addr->ip))
-			{
-				addr->refcount++;
-				DBG2(DBG_KNL, "virtual IP %H already installed on %s",
-					 virtual_ip, iface->ifname);
-				addrs->destroy(addrs);
-				ifaces->destroy(ifaces);
-				return SUCCESS;
-			}
-		}
-		addrs->destroy(addrs);
-		
-		if (iface_found)
-		{
-			ifindex = iface->ifindex;
-			addr = malloc_thing(addr_entry_t);
-			addr->ip = virtual_ip->clone(virtual_ip);
-			addr->refcount = 0;
-			addr->virtual = TRUE;
-			addr->scope = RT_SCOPE_UNIVERSE;
-			iface->addrs->insert_last(iface->addrs, addr);
-			
-			if (manage_ipaddr(this, RTM_NEWADDR, NLM_F_CREATE | NLM_F_EXCL,
-							  ifindex, virtual_ip) == SUCCESS)
-			{
-				while (get_vip_refcount(this, virtual_ip) == 0)
-				{	/* wait until address appears */
-					pthread_cond_wait(&this->cond, &this->mutex);
-				}
-				ifaces->destroy(ifaces);
-				return SUCCESS;
-			}
-			ifaces->destroy(ifaces);
-			DBG1(DBG_KNL, "adding virtual IP %H failed", virtual_ip);
-			return FAILED;
-		}
-	}
-	ifaces->destroy(ifaces);
-	
-	DBG1(DBG_KNL, "interface address %H not found, unable to install"
-		 "virtual IP %H", iface_ip, virtual_ip);
-	return FAILED;
+	return this->ipsec->del_policy(this->ipsec, src_ts, dst_ts, direction);
 }
 
 /**
- * Implementation of kernel_interface_t.del_ip.
+ * Implementation of kernel_interface_t.get_source_addr
  */
-static status_t del_ip(private_kernel_interface_t *this, host_t *virtual_ip)
+static host_t *get_source_addr(private_kernel_interface_t *this,
+							   host_t *dest, host_t *src)
 {
-	iface_entry_t *iface;
-	addr_entry_t *addr;
-	iterator_t *addrs, *ifaces;
-	status_t status;
-	int ifindex;
-
-	DBG2(DBG_KNL, "deleting virtual IP %H", virtual_ip);
-	
-	ifaces = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
-	while (ifaces->iterate(ifaces, (void**)&iface))
-	{
-		addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
-		while (addrs->iterate(addrs, (void**)&addr))
-		{
-			if (virtual_ip->ip_equals(virtual_ip, addr->ip))
-			{
-				ifindex = iface->ifindex;
-				if (addr->refcount == 1)
-				{
-					status = manage_ipaddr(this, RTM_DELADDR, 0,
-									  	   ifindex, virtual_ip);
-					if (status == SUCCESS)
-					{	/* wait until the address is really gone */
-						while (get_vip_refcount(this, virtual_ip) > 0)
-						{
-							pthread_cond_wait(&this->cond, &this->mutex);
-						}
-					}
-					addrs->destroy(addrs);
-					ifaces->destroy(ifaces);
-					return status;
-				}
-				else
-				{
-					addr->refcount--;
-				}
-				DBG2(DBG_KNL, "virtual IP %H used by other SAs, not deleting",
-					 virtual_ip);
-				addrs->destroy(addrs);
-				ifaces->destroy(ifaces);
-				return SUCCESS;
-			}
-		}
-		addrs->destroy(addrs);
-	}
-	ifaces->destroy(ifaces);
-	
-	DBG2(DBG_KNL, "virtual IP %H not cached, unable to delete", virtual_ip);
-	return FAILED;
+	return this->net->get_source_addr(this->net, dest, src);
 }
 
 /**
- * Get an SPI for a specific protocol from the kernel.
+ * Implementation of kernel_interface_t.get_nexthop
  */
-static status_t get_spi_internal(private_kernel_interface_t *this,
-		host_t *src, host_t *dst, u_int8_t proto, u_int32_t min, u_int32_t max,
-		u_int32_t reqid, u_int32_t *spi)
+static host_t *get_nexthop(private_kernel_interface_t *this, host_t *dest)
 {
-	unsigned char request[BUFFER_SIZE];
-	struct nlmsghdr *hdr, *out;
-	struct xfrm_userspi_info *userspi;
-	u_int32_t received_spi = 0;
-	size_t len;
-	
-	memset(&request, 0, sizeof(request));
-	
-	hdr = (struct nlmsghdr*)request;
-	hdr->nlmsg_flags = NLM_F_REQUEST;
-	hdr->nlmsg_type = XFRM_MSG_ALLOCSPI;
-	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userspi_info));
-
-	userspi = (struct xfrm_userspi_info*)NLMSG_DATA(hdr);
-	host2xfrm(src, &userspi->info.saddr);
-	host2xfrm(dst, &userspi->info.id.daddr);
-	userspi->info.id.proto = proto;
-	userspi->info.mode = TRUE; /* tunnel mode */
-	userspi->info.reqid = reqid;
-	userspi->info.family = src->get_family(src);
-	userspi->min = min;
-	userspi->max = max;
-	
-	if (netlink_send(this, this->socket_xfrm, hdr, &out, &len) == SUCCESS)
-	{
-		hdr = out;
-		while (NLMSG_OK(hdr, len))
-		{
-			switch (hdr->nlmsg_type)
-			{
-				case XFRM_MSG_NEWSA:
-				{
-					struct xfrm_usersa_info* usersa = NLMSG_DATA(hdr);
-					received_spi = usersa->id.spi;
-					break;
-				}
-				case NLMSG_ERROR:
-				{
-					struct nlmsgerr *err = NLMSG_DATA(hdr);
-					
-					DBG1(DBG_KNL, "allocating SPI failed: %s (%d)",
-						 strerror(-err->error), -err->error);
-					break;
-				}
-				default:
-					hdr = NLMSG_NEXT(hdr, len);
-					continue;
-				case NLMSG_DONE:
-					break;
-			}
-			break;
-		}
-		free(out);
-	}
-	
-	if (received_spi == 0)
-	{
-		return FAILED;
-	}
-	
-	*spi = received_spi;
-	return SUCCESS;
+	return this->net->get_nexthop(this->net, dest);
 }
 
 /**
- * Implementation of kernel_interface_t.get_spi.
+ * Implementation of kernel_interface_t.get_interface
  */
-static status_t get_spi(private_kernel_interface_t *this, 
-						host_t *src, host_t *dst, 
-						protocol_id_t protocol, u_int32_t reqid,
-						u_int32_t *spi)
+static char* get_interface(private_kernel_interface_t *this, host_t *host)
 {
-	DBG2(DBG_KNL, "getting SPI for reqid %d", reqid);
-	
-	if (get_spi_internal(this, src, dst,
-			(protocol == PROTO_ESP) ? KERNEL_ESP : KERNEL_AH,
-			0xc0000000, 0xcFFFFFFF, reqid, spi) != SUCCESS)
-	{
-		DBG1(DBG_KNL, "unable to get SPI for reqid %d", reqid);
-		return FAILED;
-	}
-	
-	DBG2(DBG_KNL, "got SPI 0x%x for reqid %d", *spi, reqid);
-	
-	return SUCCESS;
+	return this->net->get_interface(this->net, host);
 }
 
 /**
- * Implementation of kernel_interface_t.get_cpi.
+ * Implementation of kernel_interface_t.create_address_enumerator
  */
-static status_t get_cpi(private_kernel_interface_t *this, 
-						host_t *src, host_t *dst, 
-						u_int32_t reqid, u_int16_t *cpi)
+static enumerator_t *create_address_enumerator(private_kernel_interface_t *this,
+		bool include_down_ifaces, bool include_virtual_ips)
 {
-	u_int32_t received_spi = 0;
-	DBG2(DBG_KNL, "getting CPI for reqid %d", reqid);
-	
-	if (get_spi_internal(this, src, dst,
-			IPPROTO_COMP, 0x100, 0xEFFF, reqid, &received_spi) != SUCCESS)
-	{
-		DBG1(DBG_KNL, "unable to get CPI for reqid %d", reqid);
-		return FAILED;
-	}
-	
-	*cpi = htons((u_int16_t)ntohl(received_spi));
-	
-	DBG2(DBG_KNL, "got CPI 0x%x for reqid %d", *cpi, reqid);
-	
-	return SUCCESS;
+	return this->net->create_address_enumerator(this->net, include_down_ifaces,
+			include_virtual_ips);
 }
 
 /**
- * Implementation of kernel_interface_t.add_sa.
+ * Implementation of kernel_interface_t.add_ip
  */
-static status_t add_sa(private_kernel_interface_t *this,
-					   host_t *src, host_t *dst, u_int32_t spi,
-					   protocol_id_t protocol, u_int32_t reqid,
-					   u_int64_t expire_soft, u_int64_t expire_hard,
-					   u_int16_t enc_alg, u_int16_t enc_size,
-					   u_int16_t int_alg, u_int16_t int_size,
-					   prf_plus_t *prf_plus, mode_t mode,
-					   u_int16_t ipcomp, bool encap,
-					   bool replace)
+static status_t add_ip(private_kernel_interface_t *this, host_t *virtual_ip,
+				host_t *iface_ip)
 {
-	unsigned char request[BUFFER_SIZE];
-	char *alg_name;
-	u_int16_t add_keymat = 32; /* additional 4 octets KEYMAT required for AES-GCM as of RFC4106 8.1. */
-	struct nlmsghdr *hdr;
-	struct xfrm_usersa_info *sa;
-	
-	memset(&request, 0, sizeof(request));
-	
-	DBG2(DBG_KNL, "adding SAD entry with SPI 0x%x and reqid %d", spi, reqid);
-
-	hdr = (struct nlmsghdr*)request;
-	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
-	hdr->nlmsg_type = replace ? XFRM_MSG_UPDSA : XFRM_MSG_NEWSA;
-	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
-	
-	sa = (struct xfrm_usersa_info*)NLMSG_DATA(hdr);
-	host2xfrm(src, &sa->saddr);
-	host2xfrm(dst, &sa->id.daddr);
-	sa->id.spi = spi;
-	sa->id.proto = (protocol == PROTO_ESP) ? KERNEL_ESP : (protocol == PROTO_AH) ? KERNEL_AH : protocol;
-	sa->family = src->get_family(src);
-	sa->mode = mode;
-	sa->replay_window = (protocol == IPPROTO_COMP) ? 0 : 32;
-	sa->reqid = reqid;
-	/* we currently do not expire SAs by volume/packet count */
-	sa->lft.soft_byte_limit = XFRM_INF;
-	sa->lft.hard_byte_limit = XFRM_INF;
-	sa->lft.soft_packet_limit = XFRM_INF;
-	sa->lft.hard_packet_limit = XFRM_INF;
-	/* we use lifetimes since added, not since used */
-	sa->lft.soft_add_expires_seconds = expire_soft;
-	sa->lft.hard_add_expires_seconds = expire_hard;
-	sa->lft.soft_use_expires_seconds = 0;
-	sa->lft.hard_use_expires_seconds = 0;
-	
-	struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_usersa_info);
-	
-	switch (enc_alg)
-	{
-		case ENCR_UNDEFINED:
-			/* no encryption */
-			break;
-		case ENCR_AES_CCM_ICV8:
-		case ENCR_AES_CCM_ICV12:
-		case ENCR_AES_CCM_ICV16:
-			/* AES-CCM needs only 3 additional octets KEYMAT as of RFC 4309 7.1. */
-			add_keymat = 24;
-			/* fall-through */
-		case ENCR_AES_GCM_ICV8:
-		case ENCR_AES_GCM_ICV12:
-		case ENCR_AES_GCM_ICV16:
-		{
-			u_int16_t icv_size = 0;
-			rthdr->rta_type = XFRMA_ALG_AEAD;
-			alg_name = lookup_algorithm(encryption_algs, enc_alg, &icv_size);
-			if (alg_name == NULL)
-			{
-				DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
-					 encryption_algorithm_names, enc_alg);
-				return FAILED;
-			}
-			DBG2(DBG_KNL, "  using encryption algorithm %N with key size %d",
-				 encryption_algorithm_names, enc_alg, enc_size);
-			
-			/* additional KEYMAT required */
-			enc_size += add_keymat;
-			
-			rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo_aead) + enc_size / 8);
-			hdr->nlmsg_len += rthdr->rta_len;
-			if (hdr->nlmsg_len > sizeof(request))
-			{
-				return FAILED;
-			}
-			
-			struct xfrm_algo_aead* algo = (struct xfrm_algo_aead*)RTA_DATA(rthdr);
-			algo->alg_key_len = enc_size;
-			algo->alg_icv_len = icv_size;
-			strcpy(algo->alg_name, alg_name);
-			prf_plus->get_bytes(prf_plus, enc_size / 8, algo->alg_key);
-			
-			rthdr = XFRM_RTA_NEXT(rthdr);
-			break;
-		}
-		default:
-		{
-			rthdr->rta_type = XFRMA_ALG_CRYPT;
-			alg_name = lookup_algorithm(encryption_algs, enc_alg, &enc_size);
-			if (alg_name == NULL)
-			{
-				DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
-					 encryption_algorithm_names, enc_alg);
-				return FAILED;
-			}
-			DBG2(DBG_KNL, "  using encryption algorithm %N with key size %d",
-				 encryption_algorithm_names, enc_alg, enc_size);
-			
-			rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + enc_size / 8);
-			hdr->nlmsg_len += rthdr->rta_len;
-			if (hdr->nlmsg_len > sizeof(request))
-			{
-				return FAILED;
-			}
-			
-			struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
-			algo->alg_key_len = enc_size;
-			strcpy(algo->alg_name, alg_name);
-			prf_plus->get_bytes(prf_plus, enc_size / 8, algo->alg_key);
-			
-			rthdr = XFRM_RTA_NEXT(rthdr);
-			break;
-		}
-	}
-		
-	if (int_alg  != AUTH_UNDEFINED)
-	{
-		rthdr->rta_type = XFRMA_ALG_AUTH;
-		alg_name = lookup_algorithm(integrity_algs, int_alg, &int_size);
-		if (alg_name == NULL)
-		{
-			DBG1(DBG_KNL, "algorithm %N not supported by kernel!", 
-				 integrity_algorithm_names, int_alg);
-			return FAILED;
-		}
-		DBG2(DBG_KNL, "  using integrity algorithm %N with key size %d",
-			 integrity_algorithm_names, int_alg, int_size);
-		
-		rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + int_size / 8);
-		hdr->nlmsg_len += rthdr->rta_len;
-		if (hdr->nlmsg_len > sizeof(request))
-		{
-			return FAILED;
-		}
-		
-		struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
-		algo->alg_key_len = int_size;
-		strcpy(algo->alg_name, alg_name);
-		prf_plus->get_bytes(prf_plus, int_size / 8, algo->alg_key);
-		
-		rthdr = XFRM_RTA_NEXT(rthdr);
-	}
-	
-	if (ipcomp != IPCOMP_NONE)
-	{
-		rthdr->rta_type = XFRMA_ALG_COMP;
-		alg_name = lookup_algorithm(compression_algs, ipcomp, NULL);
-		if (alg_name == NULL)
-		{
-			DBG1(DBG_KNL, "algorithm %N not supported by kernel!", 
-				 ipcomp_transform_names, ipcomp);
-			return FAILED;
-		}
-		DBG2(DBG_KNL, "  using compression algorithm %N",
-			 ipcomp_transform_names, ipcomp);
-		
-		rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo));
-		hdr->nlmsg_len += rthdr->rta_len;
-		if (hdr->nlmsg_len > sizeof(request))
-		{
-			return FAILED;
-		}
-		
-		struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
-		algo->alg_key_len = 0;
-		strcpy(algo->alg_name, alg_name);
-		
-		rthdr = XFRM_RTA_NEXT(rthdr);
-	}
-	
-	if (encap)
-	{
-		rthdr->rta_type = XFRMA_ENCAP;
-		rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_encap_tmpl));
-
-		hdr->nlmsg_len += rthdr->rta_len;
-		if (hdr->nlmsg_len > sizeof(request))
-		{
-			return FAILED;
-		}
-
-		struct xfrm_encap_tmpl* tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rthdr);
-		tmpl->encap_type = UDP_ENCAP_ESPINUDP;
-		tmpl->encap_sport = htons(src->get_port(src));
-		tmpl->encap_dport = htons(dst->get_port(dst));
-		memset(&tmpl->encap_oa, 0, sizeof (xfrm_address_t));
-		/* encap_oa could probably be derived from the 
-		 * traffic selectors [rfc4306, p39]. In the netlink kernel implementation 
-		 * pluto does the same as we do here but it uses encap_oa in the 
-		 * pfkey implementation. BUT as /usr/src/linux/net/key/af_key.c indicates 
-		 * the kernel ignores it anyway
-		 *   -> does that mean that NAT-T encap doesn't work in transport mode?
-		 * No. The reason the kernel ignores NAT-OA is that it recomputes 
-		 * (or, rather, just ignores) the checksum. If packets pass
-		 * the IPsec checks it marks them "checksum ok" so OA isn't needed. */
-		rthdr = XFRM_RTA_NEXT(rthdr);
-	}
-	
-	if (netlink_send_ack(this, this->socket_xfrm, hdr) != SUCCESS)
-	{
-		DBG1(DBG_KNL, "unable to add SAD entry with SPI 0x%x", spi);
-		return FAILED;
-	}
-	return SUCCESS;
+	return this->net->add_ip(this->net, virtual_ip, iface_ip);
 }
 
 /**
- * Get the replay state (i.e. sequence numbers) of an SA.
+ * Implementation of kernel_interface_t.del_ip
  */
-static status_t get_replay_state(private_kernel_interface_t *this,
-						  u_int32_t spi, protocol_id_t protocol, host_t *dst,
-						  struct xfrm_replay_state *replay)
+static status_t del_ip(private_kernel_interface_t *this, host_t *virtual_ip)
 {
-	unsigned char request[BUFFER_SIZE];
-	struct nlmsghdr *hdr, *out = NULL;
-	struct xfrm_aevent_id *out_aevent = NULL, *aevent_id;
-	size_t len;
-	struct rtattr *rta;
-	size_t rtasize;
-	
-	memset(&request, 0, sizeof(request));
-	
-	DBG2(DBG_KNL, "querying replay state from SAD entry with SPI 0x%x", spi);
-
-	hdr = (struct nlmsghdr*)request;
-	hdr->nlmsg_flags = NLM_F_REQUEST;
-	hdr->nlmsg_type = XFRM_MSG_GETAE;
-	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_aevent_id));
-
-	aevent_id = (struct xfrm_aevent_id*)NLMSG_DATA(hdr);
-	aevent_id->flags = XFRM_AE_RVAL;
-	
-	host2xfrm(dst, &aevent_id->sa_id.daddr);
-	aevent_id->sa_id.spi = spi;
-	aevent_id->sa_id.proto = (protocol == PROTO_ESP) ? KERNEL_ESP : (protocol == PROTO_AH) ? KERNEL_AH : protocol;
-	aevent_id->sa_id.family = dst->get_family(dst);
-	
-	if (netlink_send(this, this->socket_xfrm, hdr, &out, &len) == SUCCESS)
-	{
-		hdr = out;
-		while (NLMSG_OK(hdr, len))
-		{
-			switch (hdr->nlmsg_type)
-			{
-				case XFRM_MSG_NEWAE:
-				{
-					out_aevent = NLMSG_DATA(hdr);
-					break;
-				}
-				case NLMSG_ERROR:
-				{
-					struct nlmsgerr *err = NLMSG_DATA(hdr);
-					DBG1(DBG_KNL, "querying replay state from SAD entry failed: %s (%d)",
-						 strerror(-err->error), -err->error);
-					break;
-				}
-				default:
-					hdr = NLMSG_NEXT(hdr, len);
-					continue;
-				case NLMSG_DONE:
-					break;
-			}
-			break;
-		}
-	}
-	
-	if (out_aevent == NULL)
-	{
-		DBG1(DBG_KNL, "unable to query replay state from SAD entry with SPI 0x%x", spi);
-		free(out);
-		return FAILED;
-	}
-	
-	rta = XFRM_RTA(out, struct xfrm_aevent_id);
-	rtasize = XFRM_PAYLOAD(out, struct xfrm_aevent_id);
-	while(RTA_OK(rta, rtasize))
-	{
-		if (rta->rta_type == XFRMA_REPLAY_VAL)
-		{
-			memcpy(replay, RTA_DATA(rta), rta->rta_len);
-			free(out);
-			return SUCCESS;
-		}
-		rta = RTA_NEXT(rta, rtasize);
-	}
-	
-	DBG1(DBG_KNL, "unable to query replay state from SAD entry with SPI 0x%x", spi);
-	free(out);
-	return FAILED;
+	return this->net->del_ip(this->net, virtual_ip);
 }
 
 /**
- * Implementation of kernel_interface_t.update_sa.
+ * Implementation of kernel_interface_t.add_route
  */
-static status_t update_sa(private_kernel_interface_t *this,
-						  u_int32_t spi, protocol_id_t protocol,
-						  host_t *src, host_t *dst,
-						  host_t *new_src, host_t *new_dst, bool encap)
+static status_t add_route(private_kernel_interface_t *this, chunk_t dst_net,
+		u_int8_t prefixlen, host_t *gateway, host_t *src_ip, char *if_name)
 {
-	unsigned char request[BUFFER_SIZE], *pos;
-	struct nlmsghdr *hdr, *out = NULL;
-	struct xfrm_usersa_id *sa_id;
-	struct xfrm_usersa_info *out_sa = NULL, *sa;
-	size_t len;
-	struct rtattr *rta;
-	size_t rtasize;
-	struct xfrm_encap_tmpl* tmpl = NULL;
-	bool got_replay_state;
-	struct xfrm_replay_state replay;
-	
-	memset(&request, 0, sizeof(request));
-	
-	DBG2(DBG_KNL, "querying SAD entry with SPI 0x%x for update", spi);
-
-	/* query the exisiting SA first */
-	hdr = (struct nlmsghdr*)request;
-	hdr->nlmsg_flags = NLM_F_REQUEST;
-	hdr->nlmsg_type = XFRM_MSG_GETSA;
-	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
-
-	sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
-	host2xfrm(dst, &sa_id->daddr);
-	sa_id->spi = spi;
-	sa_id->proto = (protocol == PROTO_ESP) ? KERNEL_ESP : (protocol == PROTO_AH) ? KERNEL_AH : protocol;
-	sa_id->family = dst->get_family(dst);
-	
-	if (netlink_send(this, this->socket_xfrm, hdr, &out, &len) == SUCCESS)
-	{
-		hdr = out;
-		while (NLMSG_OK(hdr, len))
-		{
-			switch (hdr->nlmsg_type)
-			{
-				case XFRM_MSG_NEWSA:
-				{
-					out_sa = NLMSG_DATA(hdr);
-					break;
-				}
-				case NLMSG_ERROR:
-				{
-					struct nlmsgerr *err = NLMSG_DATA(hdr);
-					DBG1(DBG_KNL, "querying SAD entry failed: %s (%d)",
-						 strerror(-err->error), -err->error);
-					break;
-				}
-				default:
-					hdr = NLMSG_NEXT(hdr, len);
-					continue;
-				case NLMSG_DONE:
-					break;
-			}
-			break;
-		}
-	}
-	if (out_sa == NULL)
-	{
-		DBG1(DBG_KNL, "unable to update SAD entry with SPI 0x%x", spi);
-		free(out);
-		return FAILED;
-	}
-	
-	/* try to get the replay state */
-	got_replay_state = (get_replay_state(
-						this, spi, protocol, dst, &replay) == SUCCESS);
-	
-	/* delete the old SA */
-	if (this->public.del_sa(&this->public, dst, spi, protocol) != SUCCESS)
-	{
-		DBG1(DBG_KNL, "unable to delete old SAD entry with SPI 0x%x", spi);
-		free(out);
-		return FAILED;
-	}
-	
-	DBG2(DBG_KNL, "updating SAD entry with SPI 0x%x from %#H..%#H to %#H..%#H",
-		 spi, src, dst, new_src, new_dst);
-	
-	/* copy over the SA from out to request */
-	hdr = (struct nlmsghdr*)request;
-	memcpy(hdr, out, min(out->nlmsg_len, sizeof(request)));
-	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;	
-	hdr->nlmsg_type = XFRM_MSG_NEWSA;
-	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
-	sa = NLMSG_DATA(hdr);
-	sa->family = new_dst->get_family(new_dst);
-	
-	if (!src->ip_equals(src, new_src))
-	{
-		host2xfrm(new_src, &sa->saddr);
-	}
-	if (!dst->ip_equals(dst, new_dst))
-	{
-		host2xfrm(new_dst, &sa->id.daddr);
-	}
-	
-	rta = XFRM_RTA(out, struct xfrm_usersa_info);
-	rtasize = XFRM_PAYLOAD(out, struct xfrm_usersa_info);
-	pos = (u_char*)XFRM_RTA(hdr, struct xfrm_usersa_info);
-	while(RTA_OK(rta, rtasize))
-	{
-		/* copy all attributes, but not XFRMA_ENCAP if we are disabling it */
-		if (rta->rta_type != XFRMA_ENCAP || encap)
-		{
-			if (rta->rta_type == XFRMA_ENCAP)
-			{	/* update encap tmpl */
-				tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rta);
-				tmpl->encap_sport = ntohs(new_src->get_port(new_src));
-				tmpl->encap_dport = ntohs(new_dst->get_port(new_dst));
-			}	
-			memcpy(pos, rta, rta->rta_len);
-			pos += RTA_ALIGN(rta->rta_len);
-			hdr->nlmsg_len += RTA_ALIGN(rta->rta_len);
-		}
-		rta = RTA_NEXT(rta, rtasize);
-	}
-	
-	rta = (struct rtattr*)pos;
-	if (tmpl == NULL && encap)
-	{	/* add tmpl if we are enabling it */
-		rta->rta_type = XFRMA_ENCAP;
-		rta->rta_len = RTA_LENGTH(sizeof(struct xfrm_encap_tmpl));
-		
-		hdr->nlmsg_len += rta->rta_len;
-		if (hdr->nlmsg_len > sizeof(request))
-		{
-			return FAILED;
-		}
-		
-		tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rta);
-		tmpl->encap_type = UDP_ENCAP_ESPINUDP;
-		tmpl->encap_sport = ntohs(new_src->get_port(new_src));
-		tmpl->encap_dport = ntohs(new_dst->get_port(new_dst));
-		memset(&tmpl->encap_oa, 0, sizeof (xfrm_address_t));
-		
-		rta = XFRM_RTA_NEXT(rta);
-	}
-	
-	if (got_replay_state)
-	{	/* copy the replay data if available */
-		rta->rta_type = XFRMA_REPLAY_VAL;
-		rta->rta_len = RTA_LENGTH(sizeof(struct xfrm_replay_state));
-		
-		hdr->nlmsg_len += rta->rta_len;
-		if (hdr->nlmsg_len > sizeof(request))
-		{
-			return FAILED;
-		}
-		memcpy(RTA_DATA(rta), &replay, sizeof(replay));
-		
-		rta = XFRM_RTA_NEXT(rta);
-	}
-	
-	if (netlink_send_ack(this, this->socket_xfrm, hdr) != SUCCESS)
-	{
-		DBG1(DBG_KNL, "unable to update SAD entry with SPI 0x%x", spi);
-		free(out);
-		return FAILED;
-	}
-	free(out);
-	
-	return SUCCESS;
+	return this->net->add_route(this->net, dst_net, prefixlen, gateway, src_ip,
+			if_name);
 }
 
 /**
- * Implementation of kernel_interface_t.query_sa.
+ * Implementation of kernel_interface_t.del_route
  */
-static status_t query_sa(private_kernel_interface_t *this, host_t *dst,
-						 u_int32_t spi, protocol_id_t protocol,
-						 u_int32_t *use_time)
+static status_t del_route(private_kernel_interface_t *this, chunk_t dst_net,
+		u_int8_t prefixlen, host_t *gateway, host_t *src_ip, char *if_name)
 {
-	unsigned char request[BUFFER_SIZE];
-	struct nlmsghdr *out = NULL, *hdr;
-	struct xfrm_usersa_id *sa_id;
-	struct xfrm_usersa_info *sa = NULL;
-	size_t len;
-	
-	DBG2(DBG_KNL, "querying SAD entry with SPI 0x%x", spi);
-	memset(&request, 0, sizeof(request));
-	
-	hdr = (struct nlmsghdr*)request;
-	hdr->nlmsg_flags = NLM_F_REQUEST;
-	hdr->nlmsg_type = XFRM_MSG_GETSA;
-	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
-
-	sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
-	host2xfrm(dst, &sa_id->daddr);
-	sa_id->spi = spi;
-	sa_id->proto = (protocol == PROTO_ESP) ? KERNEL_ESP : (protocol == PROTO_AH) ? KERNEL_AH : protocol;
-	sa_id->family = dst->get_family(dst);
-	
-	if (netlink_send(this, this->socket_xfrm, hdr, &out, &len) == SUCCESS)
-	{
-		hdr = out;
-		while (NLMSG_OK(hdr, len))
-		{
-			switch (hdr->nlmsg_type)
-			{
-				case XFRM_MSG_NEWSA:
-				{
-					sa = NLMSG_DATA(hdr);
-					break;
-				}
-				case NLMSG_ERROR:
-				{
-					struct nlmsgerr *err = NLMSG_DATA(hdr);
-					DBG1(DBG_KNL, "querying SAD entry failed: %s (%d)",
-						 strerror(-err->error), -err->error);
-					break;
-				}
-				default:
-					hdr = NLMSG_NEXT(hdr, len);
-					continue;
-				case NLMSG_DONE:
-					break;
-			}
-			break;
-		}
-	}
-	
-	if (sa == NULL)
-	{
-		DBG1(DBG_KNL, "unable to query SAD entry with SPI 0x%x", spi);
-		free(out);
-		return FAILED;
-	}
-	
-	*use_time = sa->curlft.use_time;
-	free (out);
-	return SUCCESS;
+	return this->net->del_route(this->net, dst_net, prefixlen, gateway, src_ip,
+			if_name);
 }
 
+
 /**
- * Implementation of kernel_interface_t.del_sa.
+ * Implementation of kernel_interface_t.add_ipsec_interface.
  */
-static status_t del_sa(private_kernel_interface_t *this, host_t *dst,
-					   u_int32_t spi, protocol_id_t protocol)
+static void add_ipsec_interface(private_kernel_interface_t *this,
+		kernel_ipsec_constructor_t *create)
 {
-	unsigned char request[BUFFER_SIZE];
-	struct nlmsghdr *hdr;
-	struct xfrm_usersa_id *sa_id;
-	
-	memset(&request, 0, sizeof(request));
-	
-	DBG2(DBG_KNL, "deleting SAD entry with SPI 0x%x", spi);
-	
-	hdr = (struct nlmsghdr*)request;
-	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
-	hdr->nlmsg_type = XFRM_MSG_DELSA;
-	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
-	
-	sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
-	host2xfrm(dst, &sa_id->daddr);
-	sa_id->spi = spi;
-	sa_id->proto = (protocol == PROTO_ESP) ? KERNEL_ESP : (protocol == PROTO_AH) ? KERNEL_AH : protocol;
-	sa_id->family = dst->get_family(dst);
-	
-	if (netlink_send_ack(this, this->socket_xfrm, hdr) != SUCCESS)
-	{
-		DBG1(DBG_KNL, "unable to delete SAD entry with SPI 0x%x", spi);
-		return FAILED;
-	}
-	DBG2(DBG_KNL, "deleted SAD entry with SPI 0x%x", spi);
-	return SUCCESS;
+	this->mutex->lock(this->mutex);
+	this->ipsec_interfaces->insert_last(this->ipsec_interfaces, create);
+	this->mutex->unlock(this->mutex);
 }
 
 /**
- * Implementation of kernel_interface_t.add_policy.
+ * Implementation of kernel_interface_t.remove_ipsec_interface.
  */
-static status_t add_policy(private_kernel_interface_t *this, 
-						   host_t *src, host_t *dst,
-						   traffic_selector_t *src_ts,
-						   traffic_selector_t *dst_ts,
-						   policy_dir_t direction, protocol_id_t protocol,
-						   u_int32_t reqid, bool high_prio, mode_t mode,
-						   u_int16_t ipcomp)
+static void remove_ipsec_interface(private_kernel_interface_t *this,
+		kernel_ipsec_constructor_t *create)
 {
-	iterator_t *iterator;
-	policy_entry_t *current, *policy;
-	bool found = FALSE;
-	unsigned char request[BUFFER_SIZE];
-	struct xfrm_userpolicy_info *policy_info;
-	struct nlmsghdr *hdr;
-	
-	/* create a policy */
-	policy = malloc_thing(policy_entry_t);
-	memset(policy, 0, sizeof(policy_entry_t));
-	policy->sel = ts2selector(src_ts, dst_ts);
-	policy->direction = direction;
-	
-	/* find the policy, which matches EXACTLY */
-	pthread_mutex_lock(&this->mutex);
-	iterator = this->policies->create_iterator(this->policies, TRUE);
-	while (iterator->iterate(iterator, (void**)&current))
-	{
-		if (memcmp(&current->sel, &policy->sel, sizeof(struct xfrm_selector)) == 0 &&
-			policy->direction == current->direction)
-		{
-			/* use existing policy */
-			current->refcount++;
-			DBG2(DBG_KNL, "policy %R===%R already exists, increasing "
-				 "refcount", src_ts, dst_ts);
-			free(policy);
-			policy = current;
-			found = TRUE;
-			break;
-		}
-	}
-	iterator->destroy(iterator);
-	if (!found)
-	{	/* apply the new one, if we have no such policy */
-		this->policies->insert_last(this->policies, policy);
-		policy->refcount = 1;
-	}
-	
-	DBG2(DBG_KNL, "adding policy %R===%R", src_ts, dst_ts);
-	
-	memset(&request, 0, sizeof(request));
-	hdr = (struct nlmsghdr*)request;
-	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
-	hdr->nlmsg_type = XFRM_MSG_UPDPOLICY;
-	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_info));
-
-	policy_info = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr);
-	policy_info->sel = policy->sel;
-	policy_info->dir = policy->direction;
-	/* calculate priority based on source selector size, small size = high prio */
-	policy_info->priority = high_prio ? PRIO_HIGH : PRIO_LOW;
-	policy_info->priority -= policy->sel.prefixlen_s * 10;
-	policy_info->priority -= policy->sel.proto ? 2 : 0;
-	policy_info->priority -= policy->sel.sport_mask ? 1 : 0;
-	policy_info->action = XFRM_POLICY_ALLOW;
-	policy_info->share = XFRM_SHARE_ANY;
-	pthread_mutex_unlock(&this->mutex);
-	
-	/* policies don't expire */
-	policy_info->lft.soft_byte_limit = XFRM_INF;
-	policy_info->lft.soft_packet_limit = XFRM_INF;
-	policy_info->lft.hard_byte_limit = XFRM_INF;
-	policy_info->lft.hard_packet_limit = XFRM_INF;
-	policy_info->lft.soft_add_expires_seconds = 0;
-	policy_info->lft.hard_add_expires_seconds = 0;
-	policy_info->lft.soft_use_expires_seconds = 0;
-	policy_info->lft.hard_use_expires_seconds = 0;
-	
-	struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_userpolicy_info);
-	rthdr->rta_type = XFRMA_TMPL;
-	rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_user_tmpl));
-	
-	hdr->nlmsg_len += rthdr->rta_len;
-	if (hdr->nlmsg_len > sizeof(request))
-	{
-		return FAILED;
-	}
-	
-	struct xfrm_user_tmpl *tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rthdr);
-	
-	if (ipcomp != IPCOMP_NONE)
-	{
-		tmpl->reqid = reqid;
-		tmpl->id.proto = IPPROTO_COMP;
-		tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
-		tmpl->mode = mode;
-		tmpl->optional = direction != POLICY_OUT;
-		tmpl->family = src->get_family(src);
-		
-		host2xfrm(src, &tmpl->saddr);
-		host2xfrm(dst, &tmpl->id.daddr);
-		
-		/* add an additional xfrm_user_tmpl */
-		rthdr->rta_len += RTA_LENGTH(sizeof(struct xfrm_user_tmpl));
-		hdr->nlmsg_len += RTA_LENGTH(sizeof(struct xfrm_user_tmpl));
-		if (hdr->nlmsg_len > sizeof(request))
-		{
-			return FAILED;
-		}
-		
-		tmpl++;
-	}
-	
-	tmpl->reqid = reqid;
-	tmpl->id.proto = (protocol == PROTO_AH) ? KERNEL_AH : KERNEL_ESP;
-	tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
-	tmpl->mode = mode;
-	tmpl->family = src->get_family(src);
-	
-	host2xfrm(src, &tmpl->saddr);
-	host2xfrm(dst, &tmpl->id.daddr);
-	
-	if (netlink_send_ack(this, this->socket_xfrm, hdr) != SUCCESS)
-	{
-		DBG1(DBG_KNL, "unable to add policy %R===%R", src_ts, dst_ts);
-		return FAILED;
-	}
-	
-	/* install a route, if:
-	 * - we are NOT updating a policy
-	 * - this is a forward policy (to just get one for each child)
-	 * - we are in tunnel mode
-	 * - we are not using IPv6 (does not work correctly yet!)
-	 * - routing is not disabled via strongswan.conf
-	 */
-	if (policy->route == NULL && direction == POLICY_FWD &&
-		mode != MODE_TRANSPORT && src->get_family(src) != AF_INET6 &&
-		this->install_routes)
-	{
-		policy->route = malloc_thing(route_entry_t);
-		if (get_address_by_ts(this, dst_ts, &policy->route->src_ip) == SUCCESS)
-		{
-			/* get the nexthop to src (src as we are in POLICY_FWD).*/
-			policy->route->gateway = get_route(this, src, TRUE);
-			policy->route->if_index = get_interface_index(this, dst);
-			policy->route->dst_net = chunk_alloc(policy->sel.family == AF_INET ? 4 : 16);
-			memcpy(policy->route->dst_net.ptr, &policy->sel.saddr, policy->route->dst_net.len);
-			policy->route->prefixlen = policy->sel.prefixlen_s;
-			
-			if (manage_srcroute(this, RTM_NEWROUTE, NLM_F_CREATE | NLM_F_EXCL,
-								policy->route) != SUCCESS)
-			{
-				DBG1(DBG_KNL, "unable to install source route for %H",
-					 policy->route->src_ip);
-				route_entry_destroy(policy->route);
-				policy->route = NULL;
-			}
-		}
-		else
-		{
-			free(policy->route);
-			policy->route = NULL;
-		}
-	}
-
-	return SUCCESS;
+	this->mutex->lock(this->mutex);
+	this->ipsec_interfaces->remove(this->ipsec_interfaces, create, NULL);
+	this->mutex->unlock(this->mutex);
 }
 
 /**
- * Implementation of kernel_interface_t.query_policy.
+ * Implementation of kernel_interface_t.add_ipsec_interface.
  */
-static status_t query_policy(private_kernel_interface_t *this,
-							 traffic_selector_t *src_ts, 
-							 traffic_selector_t *dst_ts,
-							 policy_dir_t direction, u_int32_t *use_time)
+static void add_net_interface(private_kernel_interface_t *this,
+		kernel_net_constructor_t *create)
 {
-	unsigned char request[BUFFER_SIZE];
-	struct nlmsghdr *out = NULL, *hdr;
-	struct xfrm_userpolicy_id *policy_id;
-	struct xfrm_userpolicy_info *policy = NULL;
-	size_t len;
-	
-	memset(&request, 0, sizeof(request));
-	
-	DBG2(DBG_KNL, "querying policy %R===%R", src_ts, dst_ts);
-
-	hdr = (struct nlmsghdr*)request;
-	hdr->nlmsg_flags = NLM_F_REQUEST;
-	hdr->nlmsg_type = XFRM_MSG_GETPOLICY;
-	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
+	this->mutex->lock(this->mutex);
+	this->net_interfaces->insert_last(this->net_interfaces, create);
+	this->mutex->unlock(this->mutex);
+}
 
-	policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
-	policy_id->sel = ts2selector(src_ts, dst_ts);
-	policy_id->dir = direction;
-	
-	if (netlink_send(this, this->socket_xfrm, hdr, &out, &len) == SUCCESS)
-	{
-		hdr = out;
-		while (NLMSG_OK(hdr, len))
-		{
-			switch (hdr->nlmsg_type)
-			{
-				case XFRM_MSG_NEWPOLICY:
-				{
-					policy = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr);
-					break;
-				}
-				case NLMSG_ERROR:
-				{
-					struct nlmsgerr *err = NLMSG_DATA(hdr);
-					DBG1(DBG_KNL, "querying policy failed: %s (%d)",
-						 strerror(-err->error), -err->error);
-					break;
-				}
-				default:
-					hdr = NLMSG_NEXT(hdr, len);
-					continue;
-				case NLMSG_DONE:
-					break;
-			}
-			break;
-		}
-	}
-	
-	if (policy == NULL)
-	{
-		DBG2(DBG_KNL, "unable to query policy %R===%R", src_ts, dst_ts);
-		free(out);
-		return FAILED;
-	}
-	*use_time = (time_t)policy->curlft.use_time;
-	
-	free(out);
-	return SUCCESS;
+/**
+ * Implementation of kernel_interface_t.remove_ipsec_interface.
+ */
+static void remove_net_interface(private_kernel_interface_t *this,
+		kernel_net_constructor_t *create)
+{
+	this->mutex->lock(this->mutex);
+	this->net_interfaces->remove(this->net_interfaces, create, NULL);
+	this->mutex->unlock(this->mutex);
 }
 
 /**
- * Implementation of kernel_interface_t.del_policy.
+ * Implementation of kernel_interface_t.create_interfaces.
  */
-static status_t del_policy(private_kernel_interface_t *this,
-						   traffic_selector_t *src_ts, 
-						   traffic_selector_t *dst_ts,
-						   policy_dir_t direction)
+static void create_interfaces(private_kernel_interface_t *this)
 {
-	policy_entry_t *current, policy, *to_delete = NULL;
-	route_entry_t *route;
-	unsigned char request[BUFFER_SIZE];
-	struct nlmsghdr *hdr;
-	struct xfrm_userpolicy_id *policy_id;
-	iterator_t *iterator;
-	
-	DBG2(DBG_KNL, "deleting policy %R===%R", src_ts, dst_ts);
-	
-	/* create a policy */
-	memset(&policy, 0, sizeof(policy_entry_t));
-	policy.sel = ts2selector(src_ts, dst_ts);
-	policy.direction = direction;
+	kernel_ipsec_constructor_t create_ipsec;
+	kernel_net_constructor_t create_net;
 	
-	/* find the policy */
-	iterator = this->policies->create_iterator_locked(this->policies, &this->mutex);
-	while (iterator->iterate(iterator, (void**)&current))
+	this->mutex->lock(this->mutex);
+	if (this->ipsec_interfaces->get_first(this->ipsec_interfaces, (void**)&create_ipsec) != SUCCESS)
 	{
-		if (memcmp(&current->sel, &policy.sel, sizeof(struct xfrm_selector)) == 0 &&
-			policy.direction == current->direction)
-		{
-			to_delete = current;
-			if (--to_delete->refcount > 0)
-			{
-				/* is used by more SAs, keep in kernel */
-				DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed");
-				iterator->destroy(iterator);
-				return SUCCESS;
-			}
-			/* remove if last reference */
-			iterator->remove(iterator);
-			break;
-		}
+		this->mutex->unlock(this->mutex);
+		charon->kill(charon, "no ipsec kernel interface loaded");
 	}
-	iterator->destroy(iterator);
-	if (!to_delete)
-	{
-		DBG1(DBG_KNL, "deleting policy %R===%R failed, not found", src_ts, dst_ts);
-		return NOT_FOUND;
-	}
-	
-	memset(&request, 0, sizeof(request));
-	
-	hdr = (struct nlmsghdr*)request;
-	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
-	hdr->nlmsg_type = XFRM_MSG_DELPOLICY;
-	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
-
-	policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
-	policy_id->sel = to_delete->sel;
-	policy_id->dir = direction;
-	
-	route = to_delete->route;
-	free(to_delete);
 	
-	if (netlink_send_ack(this, this->socket_xfrm, hdr) != SUCCESS)
-	{
-		DBG1(DBG_KNL, "unable to delete policy %R===%R", src_ts, dst_ts);
-		return FAILED;
-	}
-
-	if (route)
+	if (this->net_interfaces->get_first(this->net_interfaces, (void**)&create_net) != SUCCESS)
 	{
-		if (manage_srcroute(this, RTM_DELROUTE, 0, route) != SUCCESS)
-		{
-			DBG1(DBG_KNL, "error uninstalling route installed with "
-				 "policy %R===%R", src_ts, dst_ts);
-		}		
-		route_entry_destroy(route);
+		this->mutex->unlock(this->mutex);
+		charon->kill(charon, "no network kernel interface loaded");
 	}
-	return SUCCESS;
+	this->mutex->unlock(this->mutex);
+	
+	this->ipsec = create_ipsec();
+	this->net = create_net();
 }
 
 /**
@@ -2875,132 +305,53 @@ static status_t del_policy(private_kernel_interface_t *this,
  */
 static void destroy(private_kernel_interface_t *this)
 {
-	if (this->routing_table)
-	{
-		manage_rule(this, RTM_DELRULE, this->routing_table,
-					this->routing_table_prio);
-	}
-
-	this->job->cancel(this->job);
-	close(this->socket_xfrm_events);
-	close(this->socket_xfrm);
-	close(this->socket_rt_events);
-	close(this->socket_rt);
-	this->policies->destroy(this->policies);
-	this->ifaces->destroy_function(this->ifaces, (void*)iface_entry_destroy);
+	DESTROY_IF(this->ipsec);
+	DESTROY_IF(this->net);
+	this->ipsec_interfaces->destroy(this->ipsec_interfaces);
+	this->net_interfaces->destroy(this->net_interfaces);
+	this->mutex->destroy(this->mutex);
 	free(this);
 }
 
 /*
- * Described in header.
+ * Described in header-file
  */
 kernel_interface_t *kernel_interface_create()
 {
 	private_kernel_interface_t *this = malloc_thing(private_kernel_interface_t);
-	struct sockaddr_nl addr;
 	
-	/* public functions */
 	this->public.get_spi = (status_t(*)(kernel_interface_t*,host_t*,host_t*,protocol_id_t,u_int32_t,u_int32_t*))get_spi;
 	this->public.get_cpi = (status_t(*)(kernel_interface_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
-	this->public.add_sa  = (status_t(*)(kernel_interface_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,u_int16_t,u_int16_t,u_int16_t,prf_plus_t*,mode_t,u_int16_t,bool,bool))add_sa;
+	this->public.add_sa  = (status_t(*)(kernel_interface_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,u_int16_t,u_int16_t,u_int16_t,prf_plus_t*,ipsec_mode_t,u_int16_t,bool,bool))add_sa;
 	this->public.update_sa = (status_t(*)(kernel_interface_t*,u_int32_t,protocol_id_t,host_t*,host_t*,host_t*,host_t*,bool))update_sa;
 	this->public.query_sa = (status_t(*)(kernel_interface_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t*))query_sa;
 	this->public.del_sa = (status_t(*)(kernel_interface_t*,host_t*,u_int32_t,protocol_id_t))del_sa;
-	this->public.add_policy = (status_t(*)(kernel_interface_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,protocol_id_t,u_int32_t,bool,mode_t,u_int16_t))add_policy;
+	this->public.add_policy = (status_t(*)(kernel_interface_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,protocol_id_t,u_int32_t,bool,ipsec_mode_t,u_int16_t))add_policy;
 	this->public.query_policy = (status_t(*)(kernel_interface_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
 	this->public.del_policy = (status_t(*)(kernel_interface_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t))del_policy;
-	this->public.get_interface = (char*(*)(kernel_interface_t*,host_t*))get_interface_name;
-	this->public.create_address_iterator = (iterator_t*(*)(kernel_interface_t*))create_address_iterator;
-	this->public.get_source_addr = (host_t*(*)(kernel_interface_t*, host_t *dest))get_source_addr;
+	
+	this->public.get_source_addr = (host_t*(*)(kernel_interface_t*, host_t *dest, host_t *src))get_source_addr;
+	this->public.get_nexthop = (host_t*(*)(kernel_interface_t*, host_t *dest))get_nexthop;
+	this->public.get_interface = (char*(*)(kernel_interface_t*,host_t*))get_interface;
+	this->public.create_address_enumerator = (enumerator_t*(*)(kernel_interface_t*,bool,bool))create_address_enumerator;
 	this->public.add_ip = (status_t(*)(kernel_interface_t*,host_t*,host_t*)) add_ip;
 	this->public.del_ip = (status_t(*)(kernel_interface_t*,host_t*)) del_ip;
-	this->public.destroy = (void(*)(kernel_interface_t*)) destroy;
-
-	/* private members */
-	this->policies = linked_list_create();
-	this->ifaces = linked_list_create();
-	this->hiter = NULL;
-	this->seq = 200;
-	pthread_mutex_init(&this->mutex, NULL);
-	pthread_mutex_init(&this->nl_mutex, NULL);
-	pthread_cond_init(&this->cond, NULL);
-	timerclear(&this->last_roam);
-	this->install_routes = lib->settings->get_bool(lib->settings,
-					"charon.install_routes", TRUE);
-	this->routing_table = lib->settings->get_int(lib->settings,
-					"charon.routing_table", IPSEC_ROUTING_TABLE);
-	this->routing_table_prio = lib->settings->get_int(lib->settings,
-					"charon.routing_table_prio", IPSEC_ROUTING_TABLE_PRIO);
-	memset(&addr, 0, sizeof(addr));
-	addr.nl_family = AF_NETLINK;
-	
-	/* create and bind RT socket */
-	this->socket_rt = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
-	if (this->socket_rt <= 0)
-	{
-		charon->kill(charon, "unable to create RT netlink socket");
-	}
-	addr.nl_groups = 0;
-	if (bind(this->socket_rt, (struct sockaddr*)&addr, sizeof(addr)))
-	{
-		charon->kill(charon, "unable to bind RT netlink socket");
-	}
-	
-	/* create and bind RT socket for events (address/interface/route changes) */
-	this->socket_rt_events = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
-	if (this->socket_rt_events <= 0)
-	{
-		charon->kill(charon, "unable to create RT event socket");
-	}
-	addr.nl_groups = RTMGRP_IPV4_IFADDR | RTMGRP_IPV6_IFADDR | 
-					 RTMGRP_IPV4_ROUTE | RTMGRP_IPV4_ROUTE | RTMGRP_LINK;
-	if (bind(this->socket_rt_events, (struct sockaddr*)&addr, sizeof(addr)))
-	{
-		charon->kill(charon, "unable to bind RT event socket");
-	}
-	
-	/* create and bind XFRM socket */ 
-	this->socket_xfrm = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);
-	if (this->socket_xfrm <= 0)
-	{
-		charon->kill(charon, "unable to create XFRM netlink socket");
-	}
-	addr.nl_groups = 0;
-	if (bind(this->socket_xfrm, (struct sockaddr*)&addr, sizeof(addr)))
-	{
-		charon->kill(charon, "unable to bind XFRM netlink socket");
-	}
-	
-	/* create and bind XFRM socket for ACQUIRE & EXPIRE */
-	this->socket_xfrm_events = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);
-	if (this->socket_xfrm_events <= 0)
-	{
-		charon->kill(charon, "unable to create XFRM event socket");
-	}
-	addr.nl_groups = XFRMGRP_ACQUIRE | XFRMGRP_EXPIRE;
-	if (bind(this->socket_xfrm_events, (struct sockaddr*)&addr, sizeof(addr)))
-	{
-		charon->kill(charon, "unable to bind XFRM event socket");
-	}
+	this->public.add_route = (status_t(*)(kernel_interface_t*,chunk_t,u_int8_t,host_t*,host_t*,char*)) add_route;
+	this->public.del_route = (status_t(*)(kernel_interface_t*,chunk_t,u_int8_t,host_t*,host_t*,char*)) del_route;
 	
-	this->job = callback_job_create((callback_job_cb_t)receive_events,
-									this, NULL, NULL);
-	charon->processor->queue_job(charon->processor, (job_t*)this->job);
+	this->public.add_ipsec_interface = (void(*)(kernel_interface_t*, kernel_ipsec_constructor_t))add_ipsec_interface;
+	this->public.remove_ipsec_interface = (void(*)(kernel_interface_t*, kernel_ipsec_constructor_t))remove_ipsec_interface;
+	this->public.add_net_interface = (void(*)(kernel_interface_t*, kernel_net_constructor_t))add_net_interface;
+	this->public.remove_net_interface = (void(*)(kernel_interface_t*, kernel_net_constructor_t))remove_net_interface;
 	
-	if (init_address_list(this) != SUCCESS)
-	{
-		charon->kill(charon, "unable to get interface list");
-	}
+	this->public.create_interfaces = (void (*)(kernel_interface_t*))create_interfaces;
+	this->public.destroy = (void (*)(kernel_interface_t*))destroy;
 	
-	if (this->routing_table)
-	{
-		if (manage_rule(this, RTM_NEWRULE, this->routing_table,
-						this->routing_table_prio) != SUCCESS)
-		{
-			DBG1(DBG_KNL, "unable to create routing table rule");
-		}
-	}
+	this->ipsec_interfaces = linked_list_create();
+	this->net_interfaces = linked_list_create();
+	this->mutex = mutex_create(MUTEX_RECURSIVE);
+	this->ipsec = NULL;
+	this->net = NULL;
 	
 	return &this->public;
 }
-
diff --git a/src/charon/kernel/kernel_interface.h b/src/charon/kernel/kernel_interface.h
index 49928c74b..b3bf907e5 100644
--- a/src/charon/kernel/kernel_interface.h
+++ b/src/charon/kernel/kernel_interface.h
@@ -15,7 +15,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: kernel_interface.h 3920 2008-05-08 16:19:11Z tobias $
+ * $Id: kernel_interface.h 4386 2008-10-08 08:23:46Z martin $
  */
 
 /**
@@ -26,45 +26,37 @@
 #ifndef KERNEL_INTERFACE_H_
 #define KERNEL_INTERFACE_H_
 
-typedef enum policy_dir_t policy_dir_t;
 typedef struct kernel_interface_t kernel_interface_t;
 
 #include <utils/host.h>
 #include <crypto/prf_plus.h>
 #include <encoding/payloads/proposal_substructure.h>
 
+#include <kernel/kernel_ipsec.h>
+#include <kernel/kernel_net.h>
 
 /**
- * Direction of a policy. These are equal to those
- * defined in xfrm.h, but we want to stay implementation
- * neutral here.
+ * Constructor function for ipsec kernel interface
  */
-enum policy_dir_t {
-	/** Policy for inbound traffic */
-	POLICY_IN = 0,
-	/** Policy for outbound traffic */
-	POLICY_OUT = 1,
-	/** Policy for forwarded traffic */
-	POLICY_FWD = 2,
-};
+typedef kernel_ipsec_t* (*kernel_ipsec_constructor_t)(void);
+
+/**
+ * Constructor function for network kernel interface
+ */
+typedef kernel_net_t* (*kernel_net_constructor_t)(void);
 
 /**
- * Interface to the kernel.
+ * Manager and wrapper for different kernel interfaces.
  * 
  * The kernel interface handles the communication with the kernel
- * for SA and policy management. It allows setup of these, and provides 
- * further the handling of kernel events.
- * Policy information are cached in the interface. This is necessary to do
- * reference counting. The Linux kernel does not allow the same policy
- * installed twice, but we need this as CHILD_SA exist multiple times
- * when rekeying. Thats why we do reference counting of policies.
+ * for SA and policy management and interface and IP address management.
  */
 struct kernel_interface_t {
 
 	/**
 	 * Get a SPI from the kernel.
 	 *
-	 * @warning get_spi() implicitely creates an SA with
+	 * @warning get_spi() implicitly creates an SA with
 	 * the allocated SPI, therefore the replace flag
 	 * in add_sa() must be set when installing this SA.
 	 * 
@@ -107,7 +99,7 @@ struct kernel_interface_t {
 	 * @param protocol		protocol for this SA (ESP/AH)
 	 * @param reqid			unique ID for this SA
 	 * @param expire_soft	lifetime in seconds before rekeying
-	 * @param expire_hard	lieftime in seconds before delete
+	 * @param expire_hard	lifetime in seconds before delete
 	 * @param enc_alg		Algorithm to use for encryption (ESP only)
 	 * @param enc_size		key length of encryption algorithm, if dynamic
 	 * @param int_alg		Algorithm to use for integrity protection
@@ -125,7 +117,7 @@ struct kernel_interface_t {
 						u_int64_t expire_soft, u_int64_t expire_hard,
 					    u_int16_t enc_alg, u_int16_t enc_size,
 					    u_int16_t int_alg, u_int16_t int_size,
-						prf_plus_t *prf_plus, mode_t mode,
+						prf_plus_t *prf_plus, ipsec_mode_t mode,
 						u_int16_t ipcomp, bool encap,
 						bool update);
 	
@@ -167,7 +159,7 @@ struct kernel_interface_t {
 						  protocol_id_t protocol, u_int32_t *use_time);
 	
 	/**
-	 * Delete a previusly installed SA from the SAD.
+	 * Delete a previously installed SA from the SAD.
 	 * 
 	 * @param dst			destination address for this SA
 	 * @param spi			SPI allocated by us or remote peer
@@ -189,7 +181,7 @@ struct kernel_interface_t {
 	 * @param dst_ts		traffic selector to match traffic dest
 	 * @param direction		direction of traffic, POLICY_IN, POLICY_OUT, POLICY_FWD
 	 * @param protocol		protocol to use to protect traffic (AH/ESP)
-	 * @param reqid			uniqe ID of an SA to use to enforce policy
+	 * @param reqid			unique ID of an SA to use to enforce policy
 	 * @param high_prio		if TRUE, uses a higher priority than any with FALSE
 	 * @param mode			mode of SA (tunnel, transport)
 	 * @param ipcomp		the IPComp transform used
@@ -200,7 +192,7 @@ struct kernel_interface_t {
 							traffic_selector_t *src_ts,
 							traffic_selector_t *dst_ts,
 							policy_dir_t direction, protocol_id_t protocol,
-							u_int32_t reqid, bool high_prio, mode_t mode,
+							u_int32_t reqid, bool high_prio, ipsec_mode_t mode,
 							u_int16_t ipcomp);
 	
 	/**
@@ -243,11 +235,26 @@ struct kernel_interface_t {
 	 *
 	 * Does a route lookup to get the source address used to reach dest.
 	 * The returned host is allocated and must be destroyed.
+	 * An optional src address can be used to check if a route is available
+	 * for given source to dest.
 	 *
 	 * @param dest			target destination address
+	 * @param src			source address to check, or NULL
 	 * @return				outgoing source address, NULL if unreachable
 	 */
-	host_t* (*get_source_addr)(kernel_interface_t *this, host_t *dest);
+	host_t* (*get_source_addr)(kernel_interface_t *this,
+							   host_t *dest, host_t *src);
+	
+	/**
+	 * Get the next hop for a destination.
+	 *
+	 * Does a route lookup to get the next hop used to reach dest.
+	 * The returned host is allocated and must be destroyed.
+	 *
+	 * @param dest			target destination address
+	 * @return				next hop address, NULL if unreachable
+	 */
+	host_t* (*get_nexthop)(kernel_interface_t *this, host_t *dest);
 	
 	/**
 	 * Get the interface name of a local address.
@@ -258,15 +265,18 @@ struct kernel_interface_t {
 	char* (*get_interface) (kernel_interface_t *this, host_t *host);
 	
 	/**
-	 * Creates an iterator over all local addresses.
-	 *
+	 * Creates an enumerator over all local addresses.
+	 * 
 	 * This function blocks an internal cached address list until the
-	 * iterator gets destroyed.
-	 * These hosts are read-only, do not modify or free.
-	 *
-	 * @return 				iterator over host_t's
+	 * enumerator gets destroyed.
+	 * The hosts are read-only, do not modify of free.
+	 * 
+	 * @param include_down_ifaces	TRUE to enumerate addresses from down interfaces
+	 * @param include_virtual_ips	TRUE to enumerate virtual ip addresses
+	 * @return						enumerator over host_t's
 	 */
-	iterator_t *(*create_address_iterator) (kernel_interface_t *this);
+	enumerator_t *(*create_address_enumerator) (kernel_interface_t *this,
+						bool include_down_ifaces, bool include_virtual_ips);
 	
 	/**
 	 * Add a virtual IP to an interface.
@@ -294,9 +304,73 @@ struct kernel_interface_t {
 	status_t (*del_ip) (kernel_interface_t *this, host_t *virtual_ip);
 	
 	/**
-	 * Destroys a kernel_interface object.
+	 * Add a route.
+	 * 
+	 * @param dst_net		destination net
+	 * @param prefixlen		destination net prefix length
+	 * @param gateway		gateway for this route
+	 * @param src_ip		sourc ip of the route
+	 * @param if_name		name of the interface the route is bound to
+	 * @return				SUCCESS if operation completed
+	 * 						ALREADY_DONE if the route already exists
+	 */
+	status_t (*add_route) (kernel_interface_t *this, chunk_t dst_net, u_int8_t prefixlen,
+								host_t *gateway, host_t *src_ip, char *if_name);
+	
+	/**
+	 * Delete a route.
+	 * 
+	 * @param dst_net		destination net
+	 * @param prefixlen		destination net prefix length
+	 * @param gateway		gateway for this route
+	 * @param src_ip		sourc ip of the route
+	 * @param if_name		name of the interface the route is bound to
+	 * @return				SUCCESS if operation completed
+	 */
+	status_t (*del_route) (kernel_interface_t *this, chunk_t dst_net, u_int8_t prefixlen,
+								host_t *gateway, host_t *src_ip, char *if_name);
+	
+	/**
+	 * manager methods
+	 */
+	
+	/**
+	 * Register an ipsec kernel interface constructor on the manager.
+	 *
+	 * @param create			constructor to register
+	 */
+	void (*add_ipsec_interface)(kernel_interface_t *this, kernel_ipsec_constructor_t create);
+	
+	/**
+	 * Unregister an ipsec kernel interface constructor.
+	 *
+	 * @param create			constructor to unregister
+	 */
+	void (*remove_ipsec_interface)(kernel_interface_t *this, kernel_ipsec_constructor_t create);
+	
+	/**
+	 * Register a network kernel interface constructor on the manager.
+	 *
+	 * @param create			constructor to register
+	 */
+	void (*add_net_interface)(kernel_interface_t *this, kernel_net_constructor_t create);
+	
+	/**
+	 * Unregister a network kernel interface constructor.
+	 *
+	 * @param create			constructor to unregister
+	 */
+	void (*remove_net_interface)(kernel_interface_t *this, kernel_net_constructor_t create);
+	
+	/**
+	 * Create the kernel interfaces classes.
+	 */
+	void (*create_interfaces)(kernel_interface_t *this);
+	
+	/**
+	 * Destroys a kernel_interface_manager_t object.
 	 */
-	void (*destroy) (kernel_interface_t *kernel_interface);
+	void (*destroy) (kernel_interface_t *this);
 };
 
 /**
@@ -304,4 +378,4 @@ struct kernel_interface_t {
  */
 kernel_interface_t *kernel_interface_create(void);
 
-#endif /*KERNEL_INTERFACE_H_ @} */
+#endif /* KERNEL_INTERFACE_H_ @} */
diff --git a/src/charon/kernel/kernel_ipsec.c b/src/charon/kernel/kernel_ipsec.c
new file mode 100644
index 000000000..bae8ee125
--- /dev/null
+++ b/src/charon/kernel/kernel_ipsec.c
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id: kernel_ipsec.c 4358 2008-09-25 13:56:23Z tobias $
+ */
+
+#include "kernel_ipsec.h"
+
+ENUM(ipsec_mode_names, MODE_TRANSPORT, MODE_BEET,
+	"TRANSPORT",
+	"TUNNEL",
+	"2",
+	"3",
+	"BEET",
+);
diff --git a/src/charon/kernel/kernel_ipsec.h b/src/charon/kernel/kernel_ipsec.h
new file mode 100644
index 000000000..67786a74f
--- /dev/null
+++ b/src/charon/kernel/kernel_ipsec.h
@@ -0,0 +1,266 @@
+/*
+ * Copyright (C) 2006-2008 Tobias Brunner
+ * Copyright (C) 2006 Daniel Roethlisberger
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id: kernel_ipsec.h 4358 2008-09-25 13:56:23Z tobias $
+ */
+
+/**
+ * @defgroup kernel_ipsec kernel_ipsec
+ * @{ @ingroup kernel
+ */
+
+#ifndef KERNEL_IPSEC_H_
+#define KERNEL_IPSEC_H_
+
+typedef enum ipsec_mode_t ipsec_mode_t;
+typedef enum policy_dir_t policy_dir_t;
+typedef struct kernel_ipsec_t kernel_ipsec_t;
+
+#include <utils/host.h>
+#include <crypto/prf_plus.h>
+#include <encoding/payloads/proposal_substructure.h>
+
+/**
+ * Mode of an CHILD_SA.
+ *
+ * These are equal to those defined in XFRM, so don't change.
+ */
+enum ipsec_mode_t {
+	/** transport mode, no inner address */
+	MODE_TRANSPORT = 0,
+	/** tunnel mode, inner and outer addresses */
+	MODE_TUNNEL = 1,
+	/** BEET mode, tunnel mode but fixed, bound inner addresses */
+	MODE_BEET = 4,
+};
+
+/**
+ * enum names for ipsec_mode_t.
+ */
+extern enum_name_t *ipsec_mode_names;
+
+/**
+ * Direction of a policy. These are equal to those
+ * defined in xfrm.h, but we want to stay implementation
+ * neutral here.
+ */
+enum policy_dir_t {
+	/** Policy for inbound traffic */
+	POLICY_IN = 0,
+	/** Policy for outbound traffic */
+	POLICY_OUT = 1,
+	/** Policy for forwarded traffic */
+	POLICY_FWD = 2,
+};
+
+/**
+ * Interface to the ipsec subsystem of the kernel.
+ * 
+ * The kernel ipsec interface handles the communication with the kernel
+ * for SA and policy management. It allows setup of these, and provides 
+ * further the handling of kernel events.
+ * Policy information are cached in the interface. This is necessary to do
+ * reference counting. The Linux kernel does not allow the same policy
+ * installed twice, but we need this as CHILD_SA exist multiple times
+ * when rekeying. Thats why we do reference counting of policies.
+ */
+struct kernel_ipsec_t {
+	
+	/**
+	 * Get a SPI from the kernel.
+	 *
+	 * @warning get_spi() implicitly creates an SA with
+	 * the allocated SPI, therefore the replace flag
+	 * in add_sa() must be set when installing this SA.
+	 * 
+	 * @param src		source address of SA
+	 * @param dst		destination address of SA
+	 * @param protocol	protocol for SA (ESP/AH)
+	 * @param reqid		unique ID for this SA
+	 * @param spi		allocated spi
+	 * @return				SUCCESS if operation completed
+	 */
+	status_t (*get_spi)(kernel_ipsec_t *this, host_t *src, host_t *dst, 
+						protocol_id_t protocol, u_int32_t reqid, u_int32_t *spi);
+	
+	/**
+	 * Get a Compression Parameter Index (CPI) from the kernel.
+	 * 
+	 * @param src		source address of SA
+	 * @param dst		destination address of SA
+	 * @param reqid		unique ID for the corresponding SA
+	 * @param cpi		allocated cpi
+	 * @return				SUCCESS if operation completed
+	 */
+	status_t (*get_cpi)(kernel_ipsec_t *this, host_t *src, host_t *dst, 
+						u_int32_t reqid, u_int16_t *cpi);
+	
+	/**
+	 * Add an SA to the SAD.
+	 * 
+	 * add_sa() may update an already allocated
+	 * SPI (via get_spi). In this case, the replace
+	 * flag must be set.
+	 * This function does install a single SA for a
+	 * single protocol in one direction. The kernel-interface
+	 * gets the keys itself from the PRF, as we don't know
+	 * his algorithms and key sizes.
+	 * 
+	 * @param src			source address for this SA
+	 * @param dst			destination address for this SA
+	 * @param spi			SPI allocated by us or remote peer
+	 * @param protocol		protocol for this SA (ESP/AH)
+	 * @param reqid			unique ID for this SA
+	 * @param expire_soft	lifetime in seconds before rekeying
+	 * @param expire_hard	lifetime in seconds before delete
+	 * @param enc_alg		Algorithm to use for encryption (ESP only)
+	 * @param enc_size		key length of encryption algorithm, if dynamic
+	 * @param int_alg		Algorithm to use for integrity protection
+	 * @param int_size		key length of integrity algorithm, if dynamic
+	 * @param prf_plus		PRF to derive keys from
+	 * @param mode			mode of the SA (tunnel, transport)
+	 * @param ipcomp		IPComp transform to use
+	 * @param encap			enable UDP encapsulation for NAT traversal
+	 * @param replace		Should an already installed SA be updated?
+	 * @return				SUCCESS if operation completed
+	 */
+	status_t (*add_sa) (kernel_ipsec_t *this,
+						host_t *src, host_t *dst, u_int32_t spi,
+						protocol_id_t protocol, u_int32_t reqid,
+						u_int64_t expire_soft, u_int64_t expire_hard,
+					    u_int16_t enc_alg, u_int16_t enc_size,
+					    u_int16_t int_alg, u_int16_t int_size,
+						prf_plus_t *prf_plus, ipsec_mode_t mode,
+						u_int16_t ipcomp, bool encap,
+						bool update);
+	
+	/**
+	 * Update the hosts on an installed SA.
+	 *
+	 * We cannot directly update the destination address as the kernel
+	 * requires the spi, the protocol AND the destination address (and family)
+	 * to identify SAs. Therefore if the destination address changed we
+	 * create a new SA and delete the old one.
+	 *
+	 * @param spi			SPI of the SA
+	 * @param protocol		protocol for this SA (ESP/AH)
+	 * @param src			current source address
+	 * @param dst			current destination address
+	 * @param new_src		new source address
+	 * @param new_dst		new destination address
+	 * @param encap			use UDP encapsulation
+	 * @return				SUCCESS if operation completed
+	 */
+	status_t (*update_sa)(kernel_ipsec_t *this,
+						  u_int32_t spi, protocol_id_t protocol,
+						  host_t *src, host_t *dst, 
+						  host_t *new_src, host_t *new_dst, bool encap);
+	
+	/**
+	 * Query the use time of an SA.
+	 *
+	 * The use time of an SA is not the time of the last usage, but 
+	 * the time of the first usage of the SA.
+	 * 
+	 * @param dst			destination address for this SA
+	 * @param spi			SPI allocated by us or remote peer
+	 * @param protocol		protocol for this SA (ESP/AH)
+	 * @param use_time		pointer receives the time of this SA's last use
+	 * @return				SUCCESS if operation completed
+	 */
+	status_t (*query_sa) (kernel_ipsec_t *this, host_t *dst, u_int32_t spi, 
+						  protocol_id_t protocol, u_int32_t *use_time);
+	
+	/**
+	 * Delete a previusly installed SA from the SAD.
+	 * 
+	 * @param dst			destination address for this SA
+	 * @param spi			SPI allocated by us or remote peer
+	 * @param protocol		protocol for this SA (ESP/AH)
+	 * @return				SUCCESS if operation completed
+	 */
+	status_t (*del_sa) (kernel_ipsec_t *this, host_t *dst, u_int32_t spi,
+						protocol_id_t protocol);
+	
+	/**
+	 * Add a policy to the SPD.
+	 * 
+	 * A policy is always associated to an SA. Traffic which matches a
+	 * policy is handled by the SA with the same reqid.
+	 * 
+	 * @param src			source address of SA
+	 * @param dst			dest address of SA
+	 * @param src_ts		traffic selector to match traffic source
+	 * @param dst_ts		traffic selector to match traffic dest
+	 * @param direction		direction of traffic, POLICY_IN, POLICY_OUT, POLICY_FWD
+	 * @param protocol		protocol to use to protect traffic (AH/ESP)
+	 * @param reqid			unique ID of an SA to use to enforce policy
+	 * @param high_prio		if TRUE, uses a higher priority than any with FALSE
+	 * @param mode			mode of SA (tunnel, transport)
+	 * @param ipcomp		the IPComp transform used
+	 * @return				SUCCESS if operation completed
+	 */
+	status_t (*add_policy) (kernel_ipsec_t *this,
+							host_t *src, host_t *dst,
+							traffic_selector_t *src_ts,
+							traffic_selector_t *dst_ts,
+							policy_dir_t direction, protocol_id_t protocol,
+							u_int32_t reqid, bool high_prio, ipsec_mode_t mode,
+							u_int16_t ipcomp);
+	
+	/**
+	 * Query the use time of a policy.
+	 *
+	 * The use time of a policy is the time the policy was used
+	 * for the last time.
+	 * 
+	 * @param src_ts		traffic selector to match traffic source
+	 * @param dst_ts		traffic selector to match traffic dest
+	 * @param direction		direction of traffic, POLICY_IN, POLICY_OUT, POLICY_FWD
+	 * @param[out] use_time	the time of this SA's last use
+	 * @return				SUCCESS if operation completed
+	 */
+	status_t (*query_policy) (kernel_ipsec_t *this,
+							  traffic_selector_t *src_ts, 
+							  traffic_selector_t *dst_ts,
+							  policy_dir_t direction, u_int32_t *use_time);
+	
+	/**
+	 * Remove a policy from the SPD.
+	 *
+	 * The kernel interface implements reference counting for policies.
+	 * If the same policy is installed multiple times (in the case of rekeying),
+	 * the reference counter is increased. del_policy() decreases the ref counter
+	 * and removes the policy only when no more references are available.
+	 *
+	 * @param src_ts		traffic selector to match traffic source
+	 * @param dst_ts		traffic selector to match traffic dest
+	 * @param direction		direction of traffic, POLICY_IN, POLICY_OUT, POLICY_FWD
+	 * @return				SUCCESS if operation completed
+	 */
+	status_t (*del_policy) (kernel_ipsec_t *this,
+							traffic_selector_t *src_ts, 
+							traffic_selector_t *dst_ts,
+							policy_dir_t direction);
+	
+	/**
+	 * Destroy the implementation.
+	 */
+	void (*destroy) (kernel_ipsec_t *this);
+};
+
+#endif /* KERNEL_IPSEC_H_ @} */
diff --git a/src/charon/kernel/kernel_net.h b/src/charon/kernel/kernel_net.h
new file mode 100644
index 000000000..80a71ebc6
--- /dev/null
+++ b/src/charon/kernel/kernel_net.h
@@ -0,0 +1,145 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id: kernel_net.h 4386 2008-10-08 08:23:46Z martin $
+ */
+
+/**
+ * @defgroup kernel_net kernel_net
+ * @{ @ingroup kernel
+ */
+
+#ifndef KERNEL_NET_H_
+#define KERNEL_NET_H_
+
+typedef struct kernel_net_t kernel_net_t;
+
+#include <utils/enumerator.h>
+#include <utils/host.h>
+
+/**
+ * Interface to the network subsystem of the kernel.
+ * 
+ * The kernel network interface handles the communication with the kernel
+ * for interface and IP address management.
+ */
+struct kernel_net_t {
+
+	/**
+	 * Get our outgoing source address for a destination.
+	 *
+	 * Does a route lookup to get the source address used to reach dest.
+	 * The returned host is allocated and must be destroyed.
+	 * An optional src address can be used to check if a route is available
+	 * for given source to dest.
+	 *
+	 * @param dest			target destination address
+	 * @param src			source address to check, or NULL
+	 * @return				outgoing source address, NULL if unreachable
+	 */
+	host_t* (*get_source_addr)(kernel_net_t *this, host_t *dest, host_t *src);
+	
+	/**
+	 * Get the next hop for a destination.
+	 *
+	 * Does a route lookup to get the next hop used to reach dest.
+	 * The returned host is allocated and must be destroyed.
+	 *
+	 * @param dest			target destination address
+	 * @return				next hop address, NULL if unreachable
+	 */
+	host_t* (*get_nexthop)(kernel_net_t *this, host_t *dest);
+	
+	/**
+	 * Get the interface name of a local address.
+	 *
+	 * @param host			address to get interface name from
+	 * @return 				allocated interface name, or NULL if not found
+	 */
+	char* (*get_interface) (kernel_net_t *this, host_t *host);
+	
+	/**
+	 * Creates an enumerator over all local addresses.
+	 * 
+	 * This function blocks an internal cached address list until the
+	 * enumerator gets destroyed.
+	 * The hosts are read-only, do not modify of free.
+	 * 
+	 * @param include_down_ifaces	TRUE to enumerate addresses from down interfaces
+	 * @param include_virtual_ips	TRUE to enumerate virtual ip addresses
+	 * @return						enumerator over host_t's
+	 */
+	enumerator_t *(*create_address_enumerator) (kernel_net_t *this,
+						bool include_down_ifaces, bool include_virtual_ips);
+	
+	/**
+	 * Add a virtual IP to an interface.
+	 *
+	 * Virtual IPs are attached to an interface. If an IP is added multiple
+	 * times, the IP is refcounted and not removed until del_ip() was called
+	 * as many times as add_ip().
+	 * The virtual IP is attached to the interface where the iface_ip is found.
+	 *
+	 * @param virtual_ip	virtual ip address to assign
+	 * @param iface_ip		IP of an interface to attach virtual IP
+	 * @return				SUCCESS if operation completed
+	 */
+	status_t (*add_ip) (kernel_net_t *this, host_t *virtual_ip,
+						host_t *iface_ip);
+	
+	/**
+	 * Remove a virtual IP from an interface.
+	 *
+	 * The kernel interface uses refcounting, see add_ip().
+	 *
+	 * @param virtual_ip	virtual ip address to assign
+	 * @return				SUCCESS if operation completed
+	 */
+	status_t (*del_ip) (kernel_net_t *this, host_t *virtual_ip);
+	
+	/**
+	 * Add a route.
+	 * 
+	 * @param dst_net		destination net
+	 * @param prefixlen		destination net prefix length
+	 * @param gateway		gateway for this route
+	 * @param src_ip		sourc ip of the route
+	 * @param if_name		name of the interface the route is bound to
+	 * @return				SUCCESS if operation completed
+	 * 						ALREADY_DONE if the route already exists
+	 */
+	status_t (*add_route) (kernel_net_t *this, chunk_t dst_net, u_int8_t prefixlen,
+								host_t *gateway, host_t *src_ip, char *if_name);
+	
+	/**
+	 * Delete a route.
+	 * 
+	 * @param dst_net		destination net
+	 * @param prefixlen		destination net prefix length
+	 * @param gateway		gateway for this route
+	 * @param src_ip		sourc ip of the route
+	 * @param if_name		name of the interface the route is bound to
+	 * @return				SUCCESS if operation completed
+	 */
+	status_t (*del_route) (kernel_net_t *this, chunk_t dst_net, u_int8_t prefixlen,
+								host_t *gateway, host_t *src_ip, char *if_name);
+	
+	/**
+	 * Destroy the implementation.
+	 */
+	void (*destroy) (kernel_net_t *this);
+};
+
+#endif /* KERNEL_NET_H_ @} */
diff --git a/src/charon/network/receiver.c b/src/charon/network/receiver.c
index 885280a62..73317ccbc 100644
--- a/src/charon/network/receiver.c
+++ b/src/charon/network/receiver.c
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: receiver.c 3994 2008-05-21 21:52:59Z andreas $
+ * $Id: receiver.c 4228 2008-07-30 08:27:08Z martin $
  */
 
 #include <stdlib.h>
@@ -96,6 +96,11 @@ struct private_receiver_t {
  	 * hasher to use for cookie calculation
  	 */
  	hasher_t *hasher;
+ 	
+ 	/**
+ 	 * use denial of service protection mechanisms (cookies)
+ 	 */
+ 	bool dos_protection;
 };
 
 /**
@@ -282,7 +287,8 @@ static job_requeue_t receive_packets(private_receiver_t *this)
 	}
 	
 	if (message->get_request(message) &&
-		message->get_exchange_type(message) == IKE_SA_INIT)
+		message->get_exchange_type(message) == IKE_SA_INIT &&
+		this->dos_protection)
 	{
 		/* check for cookies */
 		if (cookie_required(this, message))
@@ -367,6 +373,8 @@ receiver_t *receiver_create()
 	this->secret_used = 0;
 	this->rng->get_bytes(this->rng, SECRET_LENGTH, this->secret);
 	memcpy(this->secret_old, this->secret, SECRET_LENGTH);
+	this->dos_protection = lib->settings->get_bool(lib->settings,
+												"charon.dos_protection", TRUE);
 
 	this->job = callback_job_create((callback_job_cb_t)receive_packets,
 									this, NULL, NULL);
diff --git a/src/charon/network/socket.h b/src/charon/network/socket.h
index 077da4bba..b76a9b0c3 100644
--- a/src/charon/network/socket.h
+++ b/src/charon/network/socket.h
@@ -14,7 +14,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: socket.h 3589 2008-03-13 14:14:44Z martin $
+ * $Id: socket.h 4355 2008-09-25 07:56:58Z tobias $
  */
 
 /**
@@ -50,7 +50,7 @@ typedef struct socket_t socket_t;
  * The first uses raw sockets to allow binding of other daemons (pluto) to
  * UDP/500. An installed "Linux socket filter" filters out all non-IKEv2 
  * traffic and handles just IKEv2 messages. An other daemon (pluto) must 
- * handle all traffic seperatly, e.g. ignore IKEv2 traffic, since charon 
+ * handle all traffic separately, e.g. ignore IKEv2 traffic, since charon 
  * handles that.
  * The other implementation uses normal sockets and is built if
  * --disable-pluto is given to the configure script.
@@ -91,7 +91,7 @@ struct socket_t {
 };
 
 /**
- * Create a socket_t, wich binds multiple sockets.
+ * Create a socket_t, which binds multiple sockets.
  *
  * @return  				socket_t object
  */
diff --git a/src/charon/plugins/eap_aka/Makefile.in b/src/charon/plugins/eap_aka/Makefile.in
index ad28b0247..51be8754f 100644
--- a/src/charon/plugins/eap_aka/Makefile.in
+++ b/src/charon/plugins/eap_aka/Makefile.in
@@ -188,6 +188,8 @@ localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
diff --git a/src/charon/plugins/eap_aka/eap_aka.c b/src/charon/plugins/eap_aka/eap_aka.c
index 9e35de9e1..4c0f76b7f 100644
--- a/src/charon/plugins/eap_aka/eap_aka.c
+++ b/src/charon/plugins/eap_aka/eap_aka.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: eap_aka.c 4008 2008-05-23 15:49:43Z martin $
+ * $Id: eap_aka.c 4276 2008-08-22 10:44:51Z martin $
  */
 
 
@@ -828,6 +828,19 @@ static eap_payload_t *build_aka_payload(private_eap_aka_t *this, eap_code_t code
 	return payload;
 }
 
+/**
+ * generate a new non-zero identifier
+ */
+static u_char get_identifier()
+{
+	u_char id;
+	
+	do {
+		id = random();
+	} while (!id);
+	return id;
+}
+
 /**
  * Initiate a AKA-Challenge using SQN
  */
@@ -900,7 +913,7 @@ static status_t server_initiate_challenge(private_eap_aka_t *this, chunk_t sqn,
 	derive_keys(this, this->peer);
 	
 	/* build payload */
-	*out = build_aka_payload(this, EAP_REQUEST, 0, AKA_CHALLENGE,
+	*out = build_aka_payload(this, EAP_REQUEST, get_identifier(), AKA_CHALLENGE,
 							 AT_RAND, this->rand, AT_AUTN, autn, AT_MAC,
 							 chunk_empty, AT_END);
 	return NEED_MORE;
@@ -1449,6 +1462,8 @@ static bool is_mutual(private_eap_aka_t *this)
  */
 static void destroy(private_eap_aka_t *this)
 {
+	this->server->destroy(this->server);
+	this->peer->destroy(this->peer);
 	DESTROY_IF(this->sha1);
 	DESTROY_IF(this->signer);
 	DESTROY_IF(this->prf);
@@ -1479,8 +1494,8 @@ static private_eap_aka_t *eap_aka_create_generic(identification_t *server,
 	this->public.eap_method_interface.destroy = (void(*)(eap_method_t*))destroy;
 	
 	/* private data */
-	this->server = server;
-	this->peer = peer;
+	this->server = server->clone(server);
+	this->peer = peer->clone(peer);
 	this->k_encr = chunk_empty;
 	this->k_auth = chunk_empty;
 	this->msk = chunk_empty;
diff --git a/src/charon/plugins/eap_gtc/Makefile.am b/src/charon/plugins/eap_gtc/Makefile.am
new file mode 100644
index 000000000..1057bd506
--- /dev/null
+++ b/src/charon/plugins/eap_gtc/Makefile.am
@@ -0,0 +1,10 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
+
+AM_CFLAGS = -rdynamic
+
+plugin_LTLIBRARIES = libstrongswan-eapgtc.la
+
+libstrongswan_eapgtc_la_SOURCES = eap_gtc_plugin.h eap_gtc_plugin.c eap_gtc.h eap_gtc.c
+libstrongswan_eapgtc_la_LDFLAGS = -module -lpam
+
diff --git a/src/charon/plugins/eap_gtc/Makefile.in b/src/charon/plugins/eap_gtc/Makefile.in
new file mode 100644
index 000000000..661818254
--- /dev/null
+++ b/src/charon/plugins/eap_gtc/Makefile.in
@@ -0,0 +1,497 @@
+# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/charon/plugins/eap_gtc
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__installdirs = "$(DESTDIR)$(plugindir)"
+pluginLTLIBRARIES_INSTALL = $(INSTALL)
+LTLIBRARIES = $(plugin_LTLIBRARIES)
+libstrongswan_eapgtc_la_LIBADD =
+am_libstrongswan_eapgtc_la_OBJECTS = eap_gtc_plugin.lo eap_gtc.lo
+libstrongswan_eapgtc_la_OBJECTS =  \
+	$(am_libstrongswan_eapgtc_la_OBJECTS)
+libstrongswan_eapgtc_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_eapgtc_la_LDFLAGS) $(LDFLAGS) -o $@
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_eapgtc_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_eapgtc_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+CXXDEPMODE = @CXXDEPMODE@
+CXXFLAGS = @CXXFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DSYMUTIL = @DSYMUTIL@
+ECHO = @ECHO@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+F77 = @F77@
+FFLAGS = @FFLAGS@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
+IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LINUX_HEADERS = @LINUX_HEADERS@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+NMEDIT = @NMEDIT@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+RANLIB = @RANLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_CXX = @ac_ct_CXX@
+ac_ct_F77 = @ac_ct_F77@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+confdir = @confdir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libstrongswan_plugins = @libstrongswan_plugins@
+linuxdir = @linuxdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+resolv_conf = @resolv_conf@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+simreader = @simreader@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
+AM_CFLAGS = -rdynamic
+plugin_LTLIBRARIES = libstrongswan-eapgtc.la
+libstrongswan_eapgtc_la_SOURCES = eap_gtc_plugin.h eap_gtc_plugin.c eap_gtc.h eap_gtc.c
+libstrongswan_eapgtc_la_LDFLAGS = -module -lpam
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
+		&& exit 0; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/charon/plugins/eap_gtc/Makefile'; \
+	cd $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu  src/charon/plugins/eap_gtc/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    f=$(am__strip_dir) \
+	    echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(plugindir)/$$f'"; \
+	    $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(plugindir)/$$f"; \
+	  else :; fi; \
+	done
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  p=$(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$p'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$p"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-eapgtc.la: $(libstrongswan_eapgtc_la_OBJECTS) $(libstrongswan_eapgtc_la_DEPENDENCIES) 
+	$(libstrongswan_eapgtc_la_LINK) -rpath $(plugindir) $(libstrongswan_eapgtc_la_OBJECTS) $(libstrongswan_eapgtc_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_gtc.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_gtc_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	    $$tags $$unique; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$tags $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) $$here
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	    fi; \
+	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
+	mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-info: install-info-am
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
+	distclean-compile distclean-generic distclean-libtool \
+	distclean-tags distdir dvi dvi-am html html-am info info-am \
+	install install-am install-data install-data-am install-dvi \
+	install-dvi-am install-exec install-exec-am install-html \
+	install-html-am install-info install-info-am install-man \
+	install-pdf install-pdf-am install-pluginLTLIBRARIES \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/charon/plugins/eap_gtc/eap_gtc.c b/src/charon/plugins/eap_gtc/eap_gtc.c
new file mode 100644
index 000000000..0a93a90f6
--- /dev/null
+++ b/src/charon/plugins/eap_gtc/eap_gtc.c
@@ -0,0 +1,329 @@
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id: eap_gtc.c 3806 2008-04-15 05:56:35Z martin $
+ */
+ 
+#include "eap_gtc.h"
+
+#include <daemon.h>
+#include <library.h>
+#include <crypto/hashers/hasher.h>
+
+#include <security/pam_appl.h>
+
+#define GTC_REQUEST_MSG "password"
+#define GTC_PAM_SERVICE "login"
+
+typedef struct private_eap_gtc_t private_eap_gtc_t;
+
+/**
+ * Private data of an eap_gtc_t object.
+ */
+struct private_eap_gtc_t {
+	
+	/**
+	 * Public authenticator_t interface.
+	 */
+	eap_gtc_t public;
+	
+	/**
+	 * ID of the server
+	 */
+	identification_t *server;
+	
+	/**
+	 * ID of the peer
+	 */
+	identification_t *peer;
+	
+	/**
+	 * EAP message identififier
+	 */
+	u_int8_t identifier;
+};
+
+typedef struct eap_gtc_header_t eap_gtc_header_t;
+
+/**
+ * packed eap GTC header struct
+ */
+struct eap_gtc_header_t {
+	/** EAP code (REQUEST/RESPONSE) */
+	u_int8_t code;
+	/** unique message identifier */
+	u_int8_t identifier;
+	/** length of whole message */
+	u_int16_t length;
+	/** EAP type */
+	u_int8_t type;
+	/** type data */
+	u_int8_t data[];
+} __attribute__((__packed__));
+
+/**
+ * Implementation of eap_method_t.initiate for the peer
+ */
+static status_t initiate_peer(private_eap_gtc_t *this, eap_payload_t **out)
+{
+	/* peer never initiates */
+	return FAILED;
+}
+
+/**
+ * PAM conv callback function
+ */
+static int auth_conv(int num_msg, const struct pam_message **msg,
+                	 struct pam_response **resp, char *password)
+{
+	struct pam_response *response;
+	
+	if (num_msg != 1)
+	{
+		return PAM_CONV_ERR;
+	}
+	response = malloc(sizeof(struct pam_response));
+	response->resp = strdup(password);
+	response->resp_retcode = 0;
+	*resp = response;
+	return PAM_SUCCESS;
+}
+
+/**
+ * Authenticate a username/password using PAM
+ */
+static bool authenticate(char *service, char *user, char *password)
+{
+    pam_handle_t *pamh = NULL;
+	static struct pam_conv conv;
+    int ret;
+	
+	conv.conv = (void*)auth_conv;
+	conv.appdata_ptr = password;
+	
+	ret = pam_start(service, user, &conv, &pamh);
+	if (ret != PAM_SUCCESS)
+	{
+		DBG1(DBG_IKE, "EAP-GTC pam_start failed: %s",
+			 pam_strerror(pamh, ret));
+		return FALSE;
+	}
+	ret = pam_authenticate(pamh, 0);
+	if (ret == PAM_SUCCESS)
+	{
+		ret = pam_acct_mgmt(pamh, 0);
+		if (ret != PAM_SUCCESS)
+		{
+			DBG1(DBG_IKE, "EAP-GTC pam_acct_mgmt failed: %s",
+				 pam_strerror(pamh, ret));
+		}
+	}
+	else
+	{
+		DBG1(DBG_IKE, "EAP-GTC pam_authenticate failed: %s",
+			 pam_strerror(pamh, ret));
+	}
+	pam_end(pamh, ret);
+	return ret == PAM_SUCCESS;
+}
+
+/**
+ * Implementation of eap_method_t.initiate for the server
+ */
+static status_t initiate_server(private_eap_gtc_t *this, eap_payload_t **out)
+{
+	eap_gtc_header_t *req;
+	size_t len;
+	
+	len = strlen(GTC_REQUEST_MSG);
+	req = alloca(sizeof(eap_gtc_header_t) + len);
+	req->length = htons(sizeof(eap_gtc_header_t) + len);
+	req->code = EAP_REQUEST;
+	req->identifier = this->identifier;
+	req->type = EAP_GTC;
+	memcpy(req->data, GTC_REQUEST_MSG, len);
+	
+	*out = eap_payload_create_data(chunk_create((void*)req,
+								   sizeof(eap_gtc_header_t) + len));
+	return NEED_MORE;
+}
+
+/**
+ * Implementation of eap_method_t.process for the peer
+ */
+static status_t process_peer(private_eap_gtc_t *this,
+							 eap_payload_t *in, eap_payload_t **out)
+{
+	eap_gtc_header_t *res;
+	shared_key_t *shared;
+	chunk_t key;
+	size_t len;
+
+	shared = charon->credentials->get_shared(charon->credentials, SHARED_EAP,
+											 this->peer, this->server);
+	if (shared == NULL)
+	{
+		DBG1(DBG_IKE, "no EAP key found for '%D' - '%D'",
+			 this->peer, this->server);
+		return FAILED;
+	}
+	key = shared->get_key(shared);
+	len = key.len;
+	
+	/* TODO: According to the draft we should "SASLprep" password, RFC4013. */
+
+	res = alloca(sizeof(eap_gtc_header_t) + len);
+	res->length = htons(sizeof(eap_gtc_header_t) + len);
+	res->code = EAP_RESPONSE;
+	res->identifier = in->get_identifier(in);
+	res->type = EAP_GTC;
+	memcpy(res->data, key.ptr, len);
+	
+	shared->destroy(shared);
+	
+	*out = eap_payload_create_data(chunk_create((void*)res,
+								   sizeof(eap_gtc_header_t) + len));
+	return NEED_MORE;
+}
+
+/**
+ * Implementation of eap_method_t.process for the server
+ */
+static status_t process_server(private_eap_gtc_t *this,
+							   eap_payload_t *in, eap_payload_t **out)
+{
+	chunk_t data, encoding;
+	char *user, *password, *service, *pos;
+	
+	data = chunk_skip(in->get_data(in), 5);
+	if (this->identifier != in->get_identifier(in) || !data.len)
+	{
+		DBG1(DBG_IKE, "received invalid EAP-GTC message");
+		return FAILED;
+	}
+	
+	encoding = this->peer->get_encoding(this->peer);
+	/* if a RFC822_ADDR id is provided, we use the username part only */
+	pos = memchr(encoding.ptr, '@', encoding.len);
+	if (pos)
+	{
+		encoding.len = (u_char*)pos - encoding.ptr;
+	}
+	user = alloca(encoding.len + 1);
+	memcpy(user, encoding.ptr, encoding.len);
+	user[encoding.len] = '\0';
+	
+	password = alloca(data.len + 1);
+	memcpy(password, data.ptr, data.len);
+	password[data.len] = '\0';
+	
+	service = lib->settings->get_str(lib->settings,
+						"charon.plugins.eap_gtc.pam_service", GTC_PAM_SERVICE);
+	
+	if (!authenticate(service, user, password))
+	{
+		return FAILED;
+	}
+	return SUCCESS;
+}
+
+/**
+ * Implementation of eap_method_t.get_type.
+ */
+static eap_type_t get_type(private_eap_gtc_t *this, u_int32_t *vendor)
+{
+	*vendor = 0;
+	return EAP_GTC;
+}
+
+/**
+ * Implementation of eap_method_t.get_msk.
+ */
+static status_t get_msk(private_eap_gtc_t *this, chunk_t *msk)
+{
+	return FAILED;
+}
+
+/**
+ * Implementation of eap_method_t.is_mutual.
+ */
+static bool is_mutual(private_eap_gtc_t *this)
+{
+	return FALSE;
+}
+
+/**
+ * Implementation of eap_method_t.destroy.
+ */
+static void destroy(private_eap_gtc_t *this)
+{
+	this->peer->destroy(this->peer);
+	this->server->destroy(this->server);
+	free(this);
+}
+
+/**
+ * Generic constructor
+ */
+static private_eap_gtc_t *eap_gtc_create_generic(identification_t *server,
+												 identification_t *peer)
+{
+	private_eap_gtc_t *this = malloc_thing(private_eap_gtc_t);
+	
+	this->public.eap_method_interface.initiate = NULL;
+	this->public.eap_method_interface.process = NULL;
+	this->public.eap_method_interface.get_type = (eap_type_t(*)(eap_method_t*,u_int32_t*))get_type;
+	this->public.eap_method_interface.is_mutual = (bool(*)(eap_method_t*))is_mutual;
+	this->public.eap_method_interface.get_msk = (status_t(*)(eap_method_t*,chunk_t*))get_msk;
+	this->public.eap_method_interface.destroy = (void(*)(eap_method_t*))destroy;
+	
+	/* private data */
+	this->peer = peer->clone(peer);
+	this->server = server->clone(server);
+	this->identifier = 0;
+	
+	return this;
+}
+
+/*
+ * see header
+ */
+eap_gtc_t *eap_gtc_create_server(identification_t *server, identification_t *peer)
+{
+	private_eap_gtc_t *this = eap_gtc_create_generic(server, peer);
+	
+	this->public.eap_method_interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate_server;
+	this->public.eap_method_interface.process = (status_t(*)(eap_method_t*,eap_payload_t*,eap_payload_t**))process_server;
+
+	/* generate a non-zero identifier */
+	do {
+		this->identifier = random();
+	} while (!this->identifier);
+
+	return &this->public;
+}
+
+/*
+ * see header
+ */
+eap_gtc_t *eap_gtc_create_peer(identification_t *server, identification_t *peer)
+{
+	private_eap_gtc_t *this = eap_gtc_create_generic(server, peer);
+	
+	this->public.eap_method_interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate_peer;
+	this->public.eap_method_interface.process = (status_t(*)(eap_method_t*,eap_payload_t*,eap_payload_t**))process_peer;
+
+	return &this->public;
+}
+
diff --git a/src/charon/plugins/eap_gtc/eap_gtc.h b/src/charon/plugins/eap_gtc/eap_gtc.h
new file mode 100644
index 000000000..478ac81cf
--- /dev/null
+++ b/src/charon/plugins/eap_gtc/eap_gtc.h
@@ -0,0 +1,62 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id: eap_gtc.h 3589 2008-03-13 14:14:44Z martin $
+ */
+
+/**
+ * @defgroup eap_gtc_i eap_gtc
+ * @{ @ingroup eap_gtc
+ */
+
+#ifndef EAP_GTC_H_
+#define EAP_GTC_H_
+
+typedef struct eap_gtc_t eap_gtc_t;
+
+#include <sa/authenticators/eap/eap_method.h>
+
+/**
+ * Implementation of the eap_method_t interface using EAP-GTC.
+ *
+ * This implementation of draft-sheffer-ikev2-gtc-00.txt uses PAM to
+ * verify user credentials.
+ */
+struct eap_gtc_t {
+
+	/**
+	 * Implemented eap_method_t interface.
+	 */
+	eap_method_t eap_method_interface;
+};
+
+/**
+ * Creates the EAP method EAP-GTC acting as server.
+ *
+ * @param server	ID of the EAP server
+ * @param peer		ID of the EAP client
+ * @return			eap_gtc_t object
+ */
+eap_gtc_t *eap_gtc_create_server(identification_t *server, identification_t *peer);
+
+/**
+ * Creates the EAP method EAP-GTC acting as peer.
+ *
+ * @param server	ID of the EAP server
+ * @param peer		ID of the EAP client
+ * @return			eap_gtc_t object
+ */
+eap_gtc_t *eap_gtc_create_peer(identification_t *server, identification_t *peer);
+
+#endif /* EAP_GTC_H_ @}*/
diff --git a/src/charon/plugins/eap_gtc/eap_gtc_plugin.c b/src/charon/plugins/eap_gtc/eap_gtc_plugin.c
new file mode 100644
index 000000000..cea88ef9f
--- /dev/null
+++ b/src/charon/plugins/eap_gtc/eap_gtc_plugin.c
@@ -0,0 +1,58 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+#include "eap_gtc_plugin.h"
+
+#include "eap_gtc.h"
+
+#include <daemon.h>
+
+/* missing in cababilities.h */
+#define CAP_AUDIT_WRITE 29
+
+/**
+ * Implementation of plugin_t.destroy
+ */
+static void destroy(eap_gtc_plugin_t *this)
+{
+	charon->eap->remove_method(charon->eap,
+							   (eap_constructor_t)eap_gtc_create_server);
+	charon->eap->remove_method(charon->eap,
+							   (eap_constructor_t)eap_gtc_create_peer);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *plugin_create()
+{
+	eap_gtc_plugin_t *this = malloc_thing(eap_gtc_plugin_t);
+	
+	this->plugin.destroy = (void(*)(plugin_t*))destroy;
+	
+	/* required for PAM authentication */
+	charon->keep_cap(charon, CAP_AUDIT_WRITE);
+	
+	charon->eap->add_method(charon->eap, EAP_GTC, 0, EAP_SERVER,
+							(eap_constructor_t)eap_gtc_create_server);
+	charon->eap->add_method(charon->eap, EAP_GTC, 0, EAP_PEER,
+							(eap_constructor_t)eap_gtc_create_peer);
+	
+	return &this->plugin;
+}
+
diff --git a/src/charon/plugins/eap_gtc/eap_gtc_plugin.h b/src/charon/plugins/eap_gtc/eap_gtc_plugin.h
new file mode 100644
index 000000000..8b2f5435f
--- /dev/null
+++ b/src/charon/plugins/eap_gtc/eap_gtc_plugin.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+/**
+ * @defgroup eap_gtc eap_gtc
+ * @ingroup cplugins
+ *
+ * @defgroup eap_gtc_plugin eap_gtc_plugin
+ * @{ @ingroup eap_gtc
+ */
+
+#ifndef EAP_GTC_PLUGIN_H_
+#define EAP_GTC_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct eap_gtc_plugin_t eap_gtc_plugin_t;
+
+/**
+ * EAP-GTC plugin
+ */
+struct eap_gtc_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+/**
+ * Create a eap_gtc_plugin instance.
+ */
+plugin_t *plugin_create();
+
+#endif /* EAP_GTC_PLUGIN_H_ @}*/
diff --git a/src/charon/plugins/eap_identity/Makefile.in b/src/charon/plugins/eap_identity/Makefile.in
index 37f3505f2..e71c13a35 100644
--- a/src/charon/plugins/eap_identity/Makefile.in
+++ b/src/charon/plugins/eap_identity/Makefile.in
@@ -190,6 +190,8 @@ localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
diff --git a/src/charon/plugins/eap_identity/eap_identity.c b/src/charon/plugins/eap_identity/eap_identity.c
index 0c90e8a04..deaa183f4 100644
--- a/src/charon/plugins/eap_identity/eap_identity.c
+++ b/src/charon/plugins/eap_identity/eap_identity.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2007 Martin Willi
+ * Copyright (C) 2007-2008 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: eap_identity.c 3491 2008-02-22 14:04:00Z martin $
+ * $Id: eap_identity.c 4276 2008-08-22 10:44:51Z martin $
  */
 
 #include "eap_identity.h"
@@ -36,38 +36,97 @@ struct private_eap_identity_t {
 	 * ID of the peer
 	 */
 	identification_t *peer;
+	
+	/**
+	 * received identity chunk
+	 */
+	chunk_t identity;
 };
 
+typedef struct eap_identity_header_t eap_identity_header_t;
+
+/**
+ * packed EAP Identity header struct
+ */
+struct eap_identity_header_t {
+	/** EAP code (REQUEST/RESPONSE) */
+	u_int8_t code;
+	/** unique message identifier */
+	u_int8_t identifier;
+	/** length of whole message */
+	u_int16_t length;
+	/** EAP type */
+	u_int8_t type;
+	/** identity data */
+	u_int8_t data[];
+} __attribute__((__packed__));
+
 /**
  * Implementation of eap_method_t.process for the peer
  */
-static status_t process(private_eap_identity_t *this,
-						eap_payload_t *in, eap_payload_t **out)
+static status_t process_peer(private_eap_identity_t *this,
+							 eap_payload_t *in, eap_payload_t **out)
 {
-	chunk_t id, hdr;
+	chunk_t id;
+	eap_identity_header_t *hdr;
+	size_t len;
 	
-	hdr = chunk_alloca(5);
 	id = this->peer->get_encoding(this->peer);
+	len = sizeof(eap_identity_header_t) + id.len;
 	
-	*(hdr.ptr + 0) = EAP_RESPONSE;
-	*(hdr.ptr + 1) = in->get_identifier(in);
-	*(u_int16_t*)(hdr.ptr + 2) = htons(hdr.len + id.len);
-	*(hdr.ptr + 4) = EAP_IDENTITY;
+	hdr = alloca(len);
+	hdr->code = EAP_RESPONSE;
+	hdr->identifier = in->get_identifier(in);
+	hdr->length = htons(len);
+	hdr->type = EAP_IDENTITY;
+	memcpy(hdr->data, id.ptr, id.len);
 	
-	*out = eap_payload_create_data(chunk_cata("cc", hdr, id));
+	*out = eap_payload_create_data(chunk_create((u_char*)hdr, len));
 	return SUCCESS;
-	
 }
 
 /**
  * Implementation of eap_method_t.initiate for the peer
  */
-static status_t initiate(private_eap_identity_t *this, eap_payload_t **out)
+static status_t initiate_peer(private_eap_identity_t *this, eap_payload_t **out)
 {
 	/* peer never initiates */
 	return FAILED;
 }
 
+/**
+ * Implementation of eap_method_t.process for the server
+ */
+static status_t process_server(private_eap_identity_t *this,
+							   eap_payload_t *in, eap_payload_t **out)
+{
+	chunk_t data;
+	
+	data = chunk_skip(in->get_data(in), 5);
+	if (data.len)
+	{
+		this->identity = chunk_clone(data);
+	}
+	return SUCCESS;
+}
+
+/**
+ * Implementation of eap_method_t.initiate for the server
+ */
+static status_t initiate_server(private_eap_identity_t *this, eap_payload_t **out)
+{
+	eap_identity_header_t hdr;
+	
+	hdr.code = EAP_REQUEST;
+	hdr.identifier = 0;
+	hdr.length = htons(sizeof(eap_identity_header_t));
+	hdr.type = EAP_IDENTITY;
+	
+	*out = eap_payload_create_data(chunk_create((u_char*)&hdr,
+												sizeof(eap_identity_header_t)));
+	return NEED_MORE;
+}
+
 /**
  * Implementation of eap_method_t.get_type.
  */
@@ -82,6 +141,11 @@ static eap_type_t get_type(private_eap_identity_t *this, u_int32_t *vendor)
  */
 static status_t get_msk(private_eap_identity_t *this, chunk_t *msk)
 {
+	if (this->identity.ptr)
+	{
+		*msk = this->identity;
+		return SUCCESS;
+	}
 	return FAILED;
 }
 
@@ -98,27 +162,58 @@ static bool is_mutual(private_eap_identity_t *this)
  */
 static void destroy(private_eap_identity_t *this)
 {
+	this->peer->destroy(this->peer);
+	free(this->identity.ptr);
 	free(this);
 }
 
-/*
- * Described in header.
+/**
+ * Generic constructor
  */
-eap_identity_t *eap_identity_create_peer(identification_t *server,
-										 identification_t *peer)
+static private_eap_identity_t *eap_identity_create(identification_t *server,
+												   identification_t *peer)
 {
 	private_eap_identity_t *this = malloc_thing(private_eap_identity_t);
 	
-	/* public functions */
-	this->public.eap_method_interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate;
-	this->public.eap_method_interface.process = (status_t(*)(eap_method_t*,eap_payload_t*,eap_payload_t**))process;
+	this->public.eap_method_interface.initiate = NULL;
+	this->public.eap_method_interface.process = NULL;
 	this->public.eap_method_interface.get_type = (eap_type_t(*)(eap_method_t*,u_int32_t*))get_type;
 	this->public.eap_method_interface.is_mutual = (bool(*)(eap_method_t*))is_mutual;
 	this->public.eap_method_interface.get_msk = (status_t(*)(eap_method_t*,chunk_t*))get_msk;
 	this->public.eap_method_interface.destroy = (void(*)(eap_method_t*))destroy;
 	
-	/* private data */
-	this->peer = peer;
+	this->peer = peer->clone(peer);
+	this->identity = chunk_empty;
+	
+	return this;
+}
+
+/*
+ * Described in header.
+ */
+eap_identity_t *eap_identity_create_peer(identification_t *server,
+										 identification_t *peer)
+{
+	private_eap_identity_t *this = eap_identity_create(server, peer);
+	
+	/* public functions */
+	this->public.eap_method_interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate_peer;
+	this->public.eap_method_interface.process = (status_t(*)(eap_method_t*,eap_payload_t*,eap_payload_t**))process_peer;
+	
+	return &this->public;
+}
+
+/*
+ * Described in header.
+ */
+eap_identity_t *eap_identity_create_server(identification_t *server,
+										   identification_t *peer)
+{
+	private_eap_identity_t *this = eap_identity_create(server, peer);
+	
+	/* public functions */
+	this->public.eap_method_interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate_server;
+	this->public.eap_method_interface.process = (status_t(*)(eap_method_t*,eap_payload_t*,eap_payload_t**))process_server;
 	
 	return &this->public;
 }
diff --git a/src/charon/plugins/eap_identity/eap_identity.h b/src/charon/plugins/eap_identity/eap_identity.h
index 9de89e6e3..27b04b7d5 100644
--- a/src/charon/plugins/eap_identity/eap_identity.h
+++ b/src/charon/plugins/eap_identity/eap_identity.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: eap_identity.h 3491 2008-02-22 14:04:00Z martin $
+ * $Id: eap_identity.h 4276 2008-08-22 10:44:51Z martin $
  */
 
 /**
@@ -38,6 +38,16 @@ struct eap_identity_t {
 	eap_method_t eap_method_interface;
 };
 
+/**
+ * Creates the EAP method EAP Identity, acting as server.
+ *
+ * @param server	ID of the EAP server
+ * @param peer		ID of the EAP client
+ * @return			eap_identity_t object
+ */
+eap_identity_t *eap_identity_create_server(identification_t *server,
+										   identification_t *peer);
+
 /**
  * Creates the EAP method EAP Identity, acting as peer.
  *
diff --git a/src/charon/plugins/eap_identity/eap_identity_plugin.c b/src/charon/plugins/eap_identity/eap_identity_plugin.c
index 38a19d784..1393a21a0 100644
--- a/src/charon/plugins/eap_identity/eap_identity_plugin.c
+++ b/src/charon/plugins/eap_identity/eap_identity_plugin.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: eap_identity_plugin.c 3491 2008-02-22 14:04:00Z martin $
+ * $Id: eap_identity_plugin.c 4276 2008-08-22 10:44:51Z martin $
  */
 
 #include "eap_identity_plugin.h"
@@ -26,6 +26,8 @@
  */
 static void destroy(eap_identity_plugin_t *this)
 {
+	charon->eap->remove_method(charon->eap,
+							   (eap_constructor_t)eap_identity_create_server);
 	charon->eap->remove_method(charon->eap,
 							   (eap_constructor_t)eap_identity_create_peer);
 	free(this);
@@ -40,6 +42,8 @@ plugin_t *plugin_create()
 	
 	this->plugin.destroy = (void(*)(plugin_t*))destroy;
 	
+	charon->eap->add_method(charon->eap, EAP_IDENTITY, 0, EAP_SERVER,
+							(eap_constructor_t)eap_identity_create_server);
 	charon->eap->add_method(charon->eap, EAP_IDENTITY, 0, EAP_PEER,
 							(eap_constructor_t)eap_identity_create_peer);
 	
diff --git a/src/charon/plugins/eap_md5/Makefile.in b/src/charon/plugins/eap_md5/Makefile.in
index d48fb2c44..8e0ca0706 100644
--- a/src/charon/plugins/eap_md5/Makefile.in
+++ b/src/charon/plugins/eap_md5/Makefile.in
@@ -188,6 +188,8 @@ localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
diff --git a/src/charon/plugins/eap_md5/eap_md5.c b/src/charon/plugins/eap_md5/eap_md5.c
index 990d64011..0781e024b 100644
--- a/src/charon/plugins/eap_md5/eap_md5.c
+++ b/src/charon/plugins/eap_md5/eap_md5.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: eap_md5.c 3806 2008-04-15 05:56:35Z martin $
+ * $Id: eap_md5.c 4276 2008-08-22 10:44:51Z martin $
  */
  
 #include "eap_md5.h"
@@ -242,6 +242,8 @@ static bool is_mutual(private_eap_md5_t *this)
  */
 static void destroy(private_eap_md5_t *this)
 {
+	this->peer->destroy(this->peer);
+	this->server->destroy(this->server);
 	chunk_free(&this->challenge);
 	free(this);
 }
@@ -262,10 +264,10 @@ static private_eap_md5_t *eap_md5_create_generic(identification_t *server,
 	this->public.eap_method_interface.destroy = (void(*)(eap_method_t*))destroy;
 	
 	/* private data */
-	this->peer = peer;
-	this->server = server;
+	this->peer = peer->clone(peer);
+	this->server = server->clone(server);
 	this->challenge = chunk_empty;
-	this->identifier = random();
+	this->identifier = 0;
 	
 	return this;
 }
@@ -280,6 +282,11 @@ eap_md5_t *eap_md5_create_server(identification_t *server, identification_t *pee
 	this->public.eap_method_interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate_server;
 	this->public.eap_method_interface.process = (status_t(*)(eap_method_t*,eap_payload_t*,eap_payload_t**))process_server;
 
+	/* generate a non-zero identifier */
+	do {
+		this->identifier = random();
+	} while (!this->identifier);
+
 	return &this->public;
 }
 
diff --git a/src/charon/plugins/eap_sim/Makefile.am b/src/charon/plugins/eap_sim/Makefile.am
index 63267b9d3..6cb53ebb5 100644
--- a/src/charon/plugins/eap_sim/Makefile.am
+++ b/src/charon/plugins/eap_sim/Makefile.am
@@ -3,11 +3,9 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
 
 AM_CFLAGS = -rdynamic -DIPSEC_CONFDIR=\"${confdir}\" -DSIM_READER_LIB=\"${simreader}\"
 
-plugin_LTLIBRARIES = libstrongswan-eapsim.la libeapsim-file.la
+plugin_LTLIBRARIES = libstrongswan-eapsim.la
 
-libstrongswan_eapsim_la_SOURCES = eap_sim_plugin.h eap_sim_plugin.c eap_sim.h eap_sim.c
+libstrongswan_eapsim_la_SOURCES = eap_sim.h eap_sim.c \
+  eap_sim_plugin.h eap_sim_plugin.c
 libstrongswan_eapsim_la_LDFLAGS = -module
 
-libeapsim_file_la_SOURCES = eap_sim_file.c
-libeapsim_file_la_LDFLAGS = -module
-
diff --git a/src/charon/plugins/eap_sim/Makefile.in b/src/charon/plugins/eap_sim/Makefile.in
index e70f8457c..cc5409952 100644
--- a/src/charon/plugins/eap_sim/Makefile.in
+++ b/src/charon/plugins/eap_sim/Makefile.in
@@ -49,14 +49,8 @@ am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
 am__installdirs = "$(DESTDIR)$(plugindir)"
 pluginLTLIBRARIES_INSTALL = $(INSTALL)
 LTLIBRARIES = $(plugin_LTLIBRARIES)
-libeapsim_file_la_LIBADD =
-am_libeapsim_file_la_OBJECTS = eap_sim_file.lo
-libeapsim_file_la_OBJECTS = $(am_libeapsim_file_la_OBJECTS)
-libeapsim_file_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libeapsim_file_la_LDFLAGS) $(LDFLAGS) -o $@
 libstrongswan_eapsim_la_LIBADD =
-am_libstrongswan_eapsim_la_OBJECTS = eap_sim_plugin.lo eap_sim.lo
+am_libstrongswan_eapsim_la_OBJECTS = eap_sim.lo eap_sim_plugin.lo
 libstrongswan_eapsim_la_OBJECTS =  \
 	$(am_libstrongswan_eapsim_la_OBJECTS)
 libstrongswan_eapsim_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
@@ -74,10 +68,8 @@ CCLD = $(CC)
 LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
 	$(LDFLAGS) -o $@
-SOURCES = $(libeapsim_file_la_SOURCES) \
-	$(libstrongswan_eapsim_la_SOURCES)
-DIST_SOURCES = $(libeapsim_file_la_SOURCES) \
-	$(libstrongswan_eapsim_la_SOURCES)
+SOURCES = $(libstrongswan_eapsim_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_eapsim_la_SOURCES)
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -196,6 +188,8 @@ localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
@@ -217,11 +211,11 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
 AM_CFLAGS = -rdynamic -DIPSEC_CONFDIR=\"${confdir}\" -DSIM_READER_LIB=\"${simreader}\"
-plugin_LTLIBRARIES = libstrongswan-eapsim.la libeapsim-file.la
-libstrongswan_eapsim_la_SOURCES = eap_sim_plugin.h eap_sim_plugin.c eap_sim.h eap_sim.c
+plugin_LTLIBRARIES = libstrongswan-eapsim.la
+libstrongswan_eapsim_la_SOURCES = eap_sim.h eap_sim.c \
+  eap_sim_plugin.h eap_sim_plugin.c
+
 libstrongswan_eapsim_la_LDFLAGS = -module
-libeapsim_file_la_SOURCES = eap_sim_file.c
-libeapsim_file_la_LDFLAGS = -module
 all: all-am
 
 .SUFFIXES:
@@ -282,8 +276,6 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libeapsim-file.la: $(libeapsim_file_la_OBJECTS) $(libeapsim_file_la_DEPENDENCIES) 
-	$(libeapsim_file_la_LINK) -rpath $(plugindir) $(libeapsim_file_la_OBJECTS) $(libeapsim_file_la_LIBADD) $(LIBS)
 libstrongswan-eapsim.la: $(libstrongswan_eapsim_la_OBJECTS) $(libstrongswan_eapsim_la_DEPENDENCIES) 
 	$(libstrongswan_eapsim_la_LINK) -rpath $(plugindir) $(libstrongswan_eapsim_la_OBJECTS) $(libstrongswan_eapsim_la_LIBADD) $(LIBS)
 
@@ -294,7 +286,6 @@ distclean-compile:
 	-rm -f *.tab.c
 
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_sim.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_sim_file.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_sim_plugin.Plo@am__quote@
 
 .c.o:
diff --git a/src/charon/plugins/eap_sim/eap_sim.c b/src/charon/plugins/eap_sim/eap_sim.c
index b14076f34..8b9434716 100644
--- a/src/charon/plugins/eap_sim/eap_sim.c
+++ b/src/charon/plugins/eap_sim/eap_sim.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: eap_sim.c 3806 2008-04-15 05:56:35Z martin $
+ * $Id: eap_sim.c 4406 2008-10-10 08:36:01Z martin $
  */
 
 #include "eap_sim.h"
@@ -149,21 +149,6 @@ struct private_eap_sim_t {
 	 */
 	signer_t *signer;
 	
-	/**
-	 * SIM cardreader function loaded from library
-	 */
-	sim_algo_t alg;
-	
-	/**
-	 * libraries get_triplet() function returning a triplet
-	 */
-	sim_get_triplet_t get_triplet;
-	
-	/**
-	 * handle of the loaded library
-	 */
-	void *handle;
-	
 	/**
 	 * how many times we try to authenticate
 	 */
@@ -215,7 +200,7 @@ struct private_eap_sim_t {
 	chunk_t msk;
 	
 	/**
-	 * EMSK, extendes MSK for further uses
+	 * EMSK, extended MSK for further uses
 	 */
 	chunk_t emsk;
 };
@@ -556,6 +541,41 @@ static void derive_keys(private_eap_sim_t *this, chunk_t kcs)
 		 &this->k_encr, &this->k_auth, &this->msk, &this->emsk);
 }
 
+/**
+ * Read a triplet from the SIM card
+ */
+static bool get_card_triplet(private_eap_sim_t *this,
+							 char *rand, char *sres, char *kc)
+{
+	enumerator_t *enumerator;
+	sim_card_t *card = NULL, *current;
+	id_match_t match, best = ID_MATCH_NONE;
+	bool success = FALSE;
+	
+	/* find the best matching SIM */
+	enumerator = charon->sim->create_card_enumerator(charon->sim);
+	while (enumerator->enumerate(enumerator, &current))
+	{
+		match = this->peer->matches(this->peer, current->get_imsi(current));
+		if (match > best)
+		{
+			card = current;
+			best = match;
+			break;
+		}
+	}
+	if (card)
+	{
+		success = card->get_triplet(card, rand, sres, kc);
+	}
+	enumerator->destroy(enumerator);
+	if (!card)
+	{
+		DBG1(DBG_IKE, "no SIM card found matching '%D'", this->peer);
+	}
+	return success;
+}
+
 /**
  * process an EAP-SIM/Request/Challenge message
  */
@@ -649,11 +669,9 @@ static status_t peer_process_challenge(private_eap_sim_t *this,
 	/* get two or three KCs/SRESes from SIM using RANDs */
 	kcs = kc = chunk_alloca(rands.len / 2);
 	sreses = sres = chunk_alloca(rands.len / 4);
-	while (rands.len > 0)
-	{
-		int kc_len = kc.len, sres_len = sres.len;
-		
-		if (this->alg(rands.ptr, RAND_LEN, sres.ptr, &sres_len, kc.ptr, &kc_len))
+	while (rands.len >= RAND_LEN)
+	{		
+		if (!get_card_triplet(this, rands.ptr, sres.ptr, kc.ptr))
 		{
 			DBG1(DBG_IKE, "unable to get EAP-SIM triplet");
 			*out = build_payload(this, identifier, SIM_CLIENT_ERROR,
@@ -662,9 +680,9 @@ static status_t peer_process_challenge(private_eap_sim_t *this,
 			return NEED_MORE;
 		}
 		DBG3(DBG_IKE, "got triplet for RAND %b\n  Kc %b\n  SRES %b",
-			 rands.ptr, RAND_LEN, sres.ptr, sres_len, kc.ptr, kc_len);
-		kc = chunk_skip(kc, kc_len);
-		sres = chunk_skip(sres, sres_len);
+			 rands.ptr, RAND_LEN, sres.ptr, SRES_LEN, kc.ptr, KC_LEN);
+		kc = chunk_skip(kc, KC_LEN);
+		sres = chunk_skip(sres, SRES_LEN);
 		rands = chunk_skip(rands, RAND_LEN);
 	}
 	
@@ -736,6 +754,32 @@ static status_t server_process_challenge(private_eap_sim_t *this,
 	return SUCCESS;
 }
 
+/**
+ * Fetch a triplet from a provider
+ */
+static bool get_provider_triplet(private_eap_sim_t *this,
+								 char *rand, char *sres, char *kc)
+{
+	enumerator_t *enumerator;
+	sim_provider_t *provider;
+	int tried = 0;
+	
+	enumerator = charon->sim->create_provider_enumerator(charon->sim);
+	while (enumerator->enumerate(enumerator, &provider))
+	{
+		if (provider->get_triplet(provider, this->peer, rand, sres, kc))
+		{
+			enumerator->destroy(enumerator);
+			return TRUE;
+		}
+		tried++;
+	}
+	enumerator->destroy(enumerator);
+	DBG1(DBG_IKE, "tried %d SIM providers, but none had a triplet for '%D'",
+		 tried, this->peer);
+	return FALSE;
+}
+
 /**
  * process an EAP-SIM/Response/Start message
  */
@@ -746,9 +790,8 @@ static status_t server_process_start(private_eap_sim_t *this,
 	sim_attribute_t attribute;
 	bool supported = FALSE;
 	chunk_t rands, rand, kcs, kc, sreses, sres;
-	char id[64];
-	int len, i, rand_len, kc_len, sres_len;
-	
+	int i;
+		
 	message = in->get_data(in);
 	read_header(&message);
 
@@ -779,11 +822,6 @@ static status_t server_process_start(private_eap_sim_t *this,
 		DBG1(DBG_IKE, "received incomplete EAP-SIM/Response/Start");
 		return FAILED;
 	}
-	len = snprintf(id, sizeof(id), "%D", this->peer);
-	if (len > sizeof(id) || len < 0)
-	{
-		return FAILED;
-	}
 	
 	/* read triplets from provider */
 	rand = rands = chunk_alloca(RAND_LEN * TRIPLET_COUNT);
@@ -794,21 +832,17 @@ static status_t server_process_start(private_eap_sim_t *this,
 	sreses.len = 0;
 	for (i = 0; i < TRIPLET_COUNT; i++)
 	{
-		rand_len = RAND_LEN;
-		kc_len = KC_LEN;
-		sres_len = SRES_LEN;
-		if (this->get_triplet(id, rand.ptr, &rand_len, sres.ptr, &sres_len,
-							  kc.ptr, &kc_len))
+		if (!get_provider_triplet(this, rand.ptr, sres.ptr, kc.ptr))
 		{
 			DBG1(DBG_IKE, "getting EAP-SIM triplet %d failed", i);
 			return FAILED;
 		}
-		rands.len += rand_len;
-		kcs.len += kc_len;
-		sreses.len += sres_len;
-		rand = chunk_skip(rand, rand_len);
-		kc = chunk_skip(kc, kc_len);
-		sres = chunk_skip(sres, sres_len);
+		rands.len += RAND_LEN;
+		sreses.len += SRES_LEN;
+		kcs.len += KC_LEN;
+		rand = chunk_skip(rand, RAND_LEN);
+		sres = chunk_skip(sres, SRES_LEN);
+		kc = chunk_skip(kc, KC_LEN);
 	}
 	derive_keys(this, kcs);
 	
@@ -1016,7 +1050,8 @@ static bool is_mutual(private_eap_sim_t *this)
  */
 static void destroy(private_eap_sim_t *this)
 {
-	dlclose(this->handle);
+	this->peer->destroy(this->peer);
+	this->peer->destroy(this->peer);
 	DESTROY_IF(this->hasher);
 	DESTROY_IF(this->prf);
 	DESTROY_IF(this->signer);
@@ -1036,17 +1071,12 @@ static void destroy(private_eap_sim_t *this)
 eap_sim_t *eap_sim_create_generic(eap_role_t role, identification_t *server,
 								  identification_t *peer)
 {
-	private_eap_sim_t *this;
+	private_eap_sim_t *this = malloc_thing(private_eap_sim_t);
 	rng_t *rng;
-	void *symbol;
-	char *name;
-  	
-  	this = malloc_thing(private_eap_sim_t);
-	this->alg = NULL;
-	this->get_triplet = NULL;
+	
 	this->nonce = chunk_empty;
 	this->sreses = chunk_empty;
-	this->peer = peer;
+	this->peer = peer->clone(peer);
 	this->tries = MAX_TRIES;
 	this->version.ptr = version;
 	this->version.len = sizeof(version);
@@ -1055,48 +1085,21 @@ eap_sim_t *eap_sim_create_generic(eap_role_t role, identification_t *server,
 	this->k_encr = chunk_empty;
 	this->msk = chunk_empty;
 	this->emsk = chunk_empty;
-	this->identifier = random();
+	/* generate a non-zero identifier */
+	do {
+		this->identifier = random();
+	} while (!this->identifier);
 	
-	this->handle = dlopen(SIM_READER_LIB, RTLD_LAZY);
-	if (this->handle == NULL)
-	{
-		DBG1(DBG_IKE, "unable to open SIM reader '%s'", SIM_READER_LIB);
-		free(this);
-		return NULL;
-	}
-	switch (role)
-	{
-		case EAP_PEER:
-			name = SIM_READER_ALG;
-			break;
-		case EAP_SERVER:
-			name = SIM_READER_GET_TRIPLET;
-			break;
-		default:	
-			free(this);
-			return NULL;
-	}
-	symbol = dlsym(this->handle, name);
-	if (symbol == NULL)
-	{
-		DBG1(DBG_IKE, "unable to open SIM function '%s' in '%s'",
-			 name, SIM_READER_LIB);
-		dlclose(this->handle);
-		free(this);
-		return NULL;
-	}
 	switch (role)
 	{
 		case EAP_SERVER:
 			this->public.eap_method_interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))server_initiate;
 			this->public.eap_method_interface.process = (status_t(*)(eap_method_t*,eap_payload_t*,eap_payload_t**))server_process;
-			this->get_triplet = symbol;
 			this->type = EAP_REQUEST;
 			break;
 		case EAP_PEER:
 			this->public.eap_method_interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))peer_initiate;
 			this->public.eap_method_interface.process = (status_t(*)(eap_method_t*,eap_payload_t*,eap_payload_t**))peer_process;
-			this->alg = symbol;
 			this->type = EAP_RESPONSE;
 			rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
 			if (!rng)
diff --git a/src/charon/plugins/eap_sim/eap_sim.h b/src/charon/plugins/eap_sim/eap_sim.h
index 65020aa64..ec061b6f4 100644
--- a/src/charon/plugins/eap_sim/eap_sim.h
+++ b/src/charon/plugins/eap_sim/eap_sim.h
@@ -25,62 +25,12 @@ typedef struct eap_sim_t eap_sim_t;
 
 #include <sa/authenticators/eap/eap_method.h>
 
-/** the library containing with the triplet functions */
-#ifndef SIM_READER_LIB
-#error SIM_READER_LIB not specified, use --with-sim-reader option
-#endif /* SIM_READER_LIB */
-
-/** 
- * Cardreaders SIM function.
- *
- * @param rand			RAND to run algo with
- * @param rand_length	length of value in rand
- * @param sres			buffer to get SRES
- * @param sres_length	size of buffer in sres, returns bytes written to SRES
- * @param kc			buffer to get Kc
- * @param kc_length		size of buffer in Kc, returns bytes written to Kc
- * @return				zero on success
- */
-typedef int (*sim_algo_t)(const unsigned char *rand, int rand_length,
-						  unsigned char *sres, int *sres_length, 
-						  unsigned char *kc, int *kc_length);
-
-#ifndef SIM_READER_ALG
-/** the SIM_READER_LIB's algorithm, uses sim_algo_t signature */
-#define SIM_READER_ALG "sim_run_alg"
-#endif /* SIM_READER_ALG */
-
-/** 
- * Function to get a SIM triplet.
- *
- * @param identity		identity (imsi) to get a triplet for			
- * @param rand			buffer to get RAND
- * @param rand_length	size of buffer in rand, returns bytes written to RAND
- * @param sres			buffer to get SRES
- * @param sres_length	size of buffer in sres, returns bytes written to SRES
- * @param kc			buffer to get Kc
- * @param kc_length		size of buffer in Kc, returns bytes written to Kc
- * @return				zero on success
- */
-typedef int (*sim_get_triplet_t)(char *identity,
-								 unsigned char *rand, int *rand_length,
-								 unsigned char *sres, int *sres_length, 
-								 unsigned char *kc, int *kc_length);
-						  
-#ifndef SIM_READER_GET_TRIPLET
-/** the SIM_READER_LIB's get-triplet function, uses sim_get_triplet_t signature */
-#define SIM_READER_GET_TRIPLET "sim_get_triplet"
-#endif /* SIM_READER_GET_TRIPLET */
-
 /**
  * Implementation of the eap_method_t interface using EAP-SIM.
  *
- * This EAP-SIM client implementation uses another pluggable library to
- * access the SIM card/triplet provider. This module is specified using the
- * SIM_READER_LIB definition. It has to privde a sim_run_alg() function to
- * calculate a triplet (client), and/or a sim_get_triplet() function to get
- * a triplet (server). These functions are named to the SIM_READER_ALG and
- * the SIM_READER_GET_TRIPLET definitions.
+ * This EAP-SIM client implementation handles the protocol level of EAP-SIM
+ * only, it does not provide triplet calculation/fetching. Other plugins may
+ * provide these services using the sim_manager_t of charon.
  */
 struct eap_sim_t {
 
diff --git a/src/charon/plugins/eap_sim/eap_sim_file.c b/src/charon/plugins/eap_sim/eap_sim_file.c
deleted file mode 100644
index fc4c1af26..000000000
--- a/src/charon/plugins/eap_sim/eap_sim_file.c
+++ /dev/null
@@ -1,283 +0,0 @@
-/*
- * Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- *
- * $Id: eap_sim_file.c 3491 2008-02-22 14:04:00Z martin $
- */
-
-#include <string.h>
-#include <stdio.h>
-#include <errno.h>
-
-#include <daemon.h>
-
-#define IMSI_LEN 64
-#define RAND_LEN 16
-#define SRES_LEN 4
-#define KC_LEN 8
-
-typedef struct triplet_t triplet_t;
-
-struct triplet_t {
-	unsigned char imsi[IMSI_LEN];
-	unsigned char rand[RAND_LEN];
-	unsigned char sres[SRES_LEN];
-	unsigned char kc[KC_LEN];
-};
-
-static triplet_t *triplets = NULL;
-static int triplet_count = 0;
-
-#define TRIPLET_FILE IPSEC_CONFDIR "/ipsec.d/triplets.dat"
-
-/**
- * convert a single HEX char to its integer value
- */
-static int hexchr(char chr)
-{
-	switch (chr)
-	{
-		case '0'...'9':
-			return chr - '0';
-		case 'A'...'F':
-			return 10 + chr - 'A';
-		case 'a'...'f':
-			return 10 + chr - 'a';
-	}
-	return 0;
-}
-
-/**
- * convert a HEX string into a char array bin, limited by array length len
- */
-static void hex2bin(char *hex, unsigned char *bin, size_t len)
-{
-	char *pos;
-	int i, even = 1;
-	
-	pos = hex - 1;
-	/* find the end, as we convert bottom up */
-	while (TRUE)
-	{
-		switch (*(pos+1))
-		{
-			case '0'...'9':
-			case 'A'...'F':
-			case 'a'...'f':
-				pos++;
-				continue;
-		}
-		break;
-	}
-	/* convert two hex chars into a single bin byte */
-	for (i = 0; pos >= hex && i < len; pos--)
-	{
-		if (even)
-		{
-			bin[len - 1 - i] = hexchr(*pos);
-		}
-		else
-		{
-			bin[len - 1 - i] |= 16 * hexchr(*pos);
-			i++;
-		}
-		even = !even;
-	}
-}
-
-/**
- * free up allocated triplets
- */
-static void __attribute__ ((destructor)) free_triplets()
-{
-	free(triplets);
-}
-
-/**
- * read the triplets from the file, using freeradius triplet file syntax:
- * http://www.freeradius.org/radiusd/doc/rlm_sim_triplets
- */
-static void __attribute__ ((constructor)) read_triplets()
-{
-	char line[512], *data[4], *pos;
-	FILE *file;
-	int i, nr = 0;
-	triplet_t *triplet;
-	
-	file = fopen(TRIPLET_FILE, "r");
-	if (file == NULL)
-	{
-		DBG1(DBG_CFG, "opening triplet file %s failed: %s",
-			 TRIPLET_FILE, strerror(errno));
-		return;
-	}
-	
-	if (triplets)
-	{
-		free(triplets);
-		triplets = NULL;
-		triplet_count = 0;
-	}
-	
-	/* read line by line */
-	while (fgets(line, sizeof(line), file))
-	{
-		nr++;
-		/* skip comments, empty lines */
-		switch (line[0])
-		{
-			case '\n':
-			case '\r':
-			case '#':
-			case '\0':
-				continue;
-			default:
-				break;
-		}
-		/* read comma separated values */
-		pos = line;
-		for (i = 0; i < 4; i++)
-		{
-			data[i] = pos;
-			pos = strchr(pos, ',');
-			if (pos)
-			{
-				*pos = '\0';
-				pos++;
-			}
-			else if (i != 3)
-			{
-				DBG1(DBG_CFG, "error in triplet file, line %d", nr);
-				fclose(file);
-				return;
-			}
-		}
-		/* allocate new triplet */
-		triplet_count++;
-		triplets = realloc(triplets, triplet_count * sizeof(triplet_t));
-		triplet = &triplets[triplet_count - 1];
-		memset(triplet, 0, sizeof(triplet_t));
-		
-		/* convert/copy triplet data */
-		for (i = 0; i < IMSI_LEN - 1; i++)
-		{
-			switch (data[0][i])
-			{
-				case '\n':
-				case '\r':
-				case '\0':
-					break;
-				default:
-					triplet->imsi[i] = data[0][i];
-					continue;
-			}
-			break;
-		}
-		hex2bin(data[1], triplet->rand, RAND_LEN);
-		hex2bin(data[2], triplet->sres, SRES_LEN);
-		hex2bin(data[3], triplet->kc, KC_LEN);
-		
-		DBG4(DBG_CFG, "triplet: imsi %b\nrand %b\nsres %b\nkc %b",
-			 triplet->imsi, IMSI_LEN, triplet->rand, RAND_LEN,
-			 triplet->sres, SRES_LEN, triplet->kc, KC_LEN);
-	}
-	fclose(file);
-	DBG2(DBG_CFG, "read %d triplets from %s", triplet_count, TRIPLET_FILE);
-}
-
-/**
- * Run the sim algorithm, see eap_sim.h
- */
-int sim_run_alg(const unsigned char *rand, int rand_length,
-				unsigned char *sres, int *sres_length, 
-				unsigned char *kc, int *kc_length)
-{
-	int current;
-	
-	if (rand_length != RAND_LEN ||
-		*sres_length < SRES_LEN ||
-		*kc_length < KC_LEN)
-	{
-		return 1;
-	}
-	
-	for (current = 0; current < triplet_count; current++)
-	{
-		if (memcmp(triplets[current].rand, rand, RAND_LEN) == 0)
-		{
-			memcpy(sres, triplets[current].sres, SRES_LEN);
-			memcpy(kc, triplets[current].kc, KC_LEN);
-			*sres_length = SRES_LEN;
-			*kc_length = KC_LEN;
-			return 0;
-		}
-	}
-	return 2;
-}
-
-/**
- * Get a single triplet, see_eap_sim.h
- */
-int sim_get_triplet(char *imsi,
-					unsigned char *rand, int *rand_length,
-					unsigned char *sres, int *sres_length, 
-					unsigned char *kc, int *kc_length)
-{
-	int current;
-	triplet_t *triplet;
-	static int skip = -1;
-	
-	DBG2(DBG_CFG, "getting triplet for %s", imsi);
-	
-	if (*rand_length < RAND_LEN ||
-		*sres_length < SRES_LEN ||
-		*kc_length < KC_LEN)
-	{
-		return 1;
-	}
-	if (triplet_count == 0)
-	{
-		return 2;
-	}
-	for (current = 0; current < triplet_count; current++)
-	{
-		triplet = &triplets[current];
-	
-		if (streq(imsi, triplet->imsi))
-		{
-			/* skip triplet if already used */
-			if (skip >= current)
-			{
-				continue;
-			}
-			*rand_length = RAND_LEN;
-			*sres_length = SRES_LEN;
-			*kc_length = KC_LEN;
-			memcpy(rand, triplet->rand, RAND_LEN);
-			memcpy(sres, triplet->sres, SRES_LEN);
-			memcpy(kc, triplet->kc, KC_LEN);
-			/* remember used triplet */
-			skip = current;
-			return 0;
-		}
-	}
-	if (skip > -1)
-	{
-		/* no triplet left, reuse triplets */
-		skip = -1;
-		return sim_get_triplet(imsi, rand, rand_length,
-							   sres, sres_length, kc, kc_length);
-	}
-	return 2;
-}
-
diff --git a/src/charon/plugins/eap_sim/eap_sim_plugin.h b/src/charon/plugins/eap_sim/eap_sim_plugin.h
index 938807884..13152358a 100644
--- a/src/charon/plugins/eap_sim/eap_sim_plugin.h
+++ b/src/charon/plugins/eap_sim/eap_sim_plugin.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: eap_sim_plugin.h 3491 2008-02-22 14:04:00Z martin $
+ * $Id: eap_sim_plugin.h 4406 2008-10-10 08:36:01Z martin $
  */
 
 /**
@@ -31,7 +31,7 @@
 typedef struct eap_sim_plugin_t eap_sim_plugin_t;
 
 /**
- * EAP-sim plugin
+ * EAP-SIM plugin.
  */
 struct eap_sim_plugin_t {
 
diff --git a/src/charon/plugins/eap_sim_file/Makefile.am b/src/charon/plugins/eap_sim_file/Makefile.am
new file mode 100644
index 000000000..fc3a0fa14
--- /dev/null
+++ b/src/charon/plugins/eap_sim_file/Makefile.am
@@ -0,0 +1,14 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
+
+AM_CFLAGS = -rdynamic -DIPSEC_CONFDIR=\"${confdir}\"
+
+plugin_LTLIBRARIES = libstrongswan-eapsim-file.la
+
+libstrongswan_eapsim_file_la_SOURCES = \
+  eap_sim_file_plugin.h eap_sim_file_plugin.c \
+  eap_sim_file_card.h eap_sim_file_card.c \
+  eap_sim_file_provider.h eap_sim_file_provider.c \
+  eap_sim_file_triplets.h eap_sim_file_triplets.c
+libstrongswan_eapsim_file_la_LDFLAGS = -module
+
diff --git a/src/charon/plugins/eap_sim_file/Makefile.in b/src/charon/plugins/eap_sim_file/Makefile.in
new file mode 100644
index 000000000..c4da4ec54
--- /dev/null
+++ b/src/charon/plugins/eap_sim_file/Makefile.in
@@ -0,0 +1,507 @@
+# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/charon/plugins/eap_sim_file
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__installdirs = "$(DESTDIR)$(plugindir)"
+pluginLTLIBRARIES_INSTALL = $(INSTALL)
+LTLIBRARIES = $(plugin_LTLIBRARIES)
+libstrongswan_eapsim_file_la_LIBADD =
+am_libstrongswan_eapsim_file_la_OBJECTS = eap_sim_file_plugin.lo \
+	eap_sim_file_card.lo eap_sim_file_provider.lo \
+	eap_sim_file_triplets.lo
+libstrongswan_eapsim_file_la_OBJECTS =  \
+	$(am_libstrongswan_eapsim_file_la_OBJECTS)
+libstrongswan_eapsim_file_la_LINK = $(LIBTOOL) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_eapsim_file_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_eapsim_file_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_eapsim_file_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+CXXDEPMODE = @CXXDEPMODE@
+CXXFLAGS = @CXXFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DSYMUTIL = @DSYMUTIL@
+ECHO = @ECHO@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+F77 = @F77@
+FFLAGS = @FFLAGS@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
+IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LINUX_HEADERS = @LINUX_HEADERS@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+NMEDIT = @NMEDIT@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+RANLIB = @RANLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_CXX = @ac_ct_CXX@
+ac_ct_F77 = @ac_ct_F77@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+confdir = @confdir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libstrongswan_plugins = @libstrongswan_plugins@
+linuxdir = @linuxdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+resolv_conf = @resolv_conf@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+simreader = @simreader@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
+AM_CFLAGS = -rdynamic -DIPSEC_CONFDIR=\"${confdir}\"
+plugin_LTLIBRARIES = libstrongswan-eapsim-file.la
+libstrongswan_eapsim_file_la_SOURCES = \
+  eap_sim_file_plugin.h eap_sim_file_plugin.c \
+  eap_sim_file_card.h eap_sim_file_card.c \
+  eap_sim_file_provider.h eap_sim_file_provider.c \
+  eap_sim_file_triplets.h eap_sim_file_triplets.c
+
+libstrongswan_eapsim_file_la_LDFLAGS = -module
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
+		&& exit 0; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/charon/plugins/eap_sim_file/Makefile'; \
+	cd $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu  src/charon/plugins/eap_sim_file/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    f=$(am__strip_dir) \
+	    echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(plugindir)/$$f'"; \
+	    $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(plugindir)/$$f"; \
+	  else :; fi; \
+	done
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  p=$(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$p'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$p"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-eapsim-file.la: $(libstrongswan_eapsim_file_la_OBJECTS) $(libstrongswan_eapsim_file_la_DEPENDENCIES) 
+	$(libstrongswan_eapsim_file_la_LINK) -rpath $(plugindir) $(libstrongswan_eapsim_file_la_OBJECTS) $(libstrongswan_eapsim_file_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_sim_file_card.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_sim_file_plugin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_sim_file_provider.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_sim_file_triplets.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	    $$tags $$unique; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$tags $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) $$here
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	    fi; \
+	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
+	mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-info: install-info-am
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
+	distclean-compile distclean-generic distclean-libtool \
+	distclean-tags distdir dvi dvi-am html html-am info info-am \
+	install install-am install-data install-data-am install-dvi \
+	install-dvi-am install-exec install-exec-am install-html \
+	install-html-am install-info install-info-am install-man \
+	install-pdf install-pdf-am install-pluginLTLIBRARIES \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/charon/plugins/eap_sim_file/eap_sim_file_card.c b/src/charon/plugins/eap_sim_file/eap_sim_file_card.c
new file mode 100644
index 000000000..7969007d0
--- /dev/null
+++ b/src/charon/plugins/eap_sim_file/eap_sim_file_card.c
@@ -0,0 +1,108 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+#include "eap_sim_file_card.h"
+
+typedef struct private_eap_sim_file_card_t private_eap_sim_file_card_t;
+
+/**
+ * Private data of an eap_sim_file_card_t object.
+ */
+struct private_eap_sim_file_card_t {
+	
+	/**
+	 * Public eap_sim_file_card_t interface.
+	 */
+	eap_sim_file_card_t public;
+	
+	/**
+	 * IMSI, is ID_ANY for file implementation
+	 */
+	identification_t *imsi;
+	
+	/**
+ 	 * source of triplets
+ 	 */
+	eap_sim_file_triplets_t *triplets;
+};
+
+#include <daemon.h>
+
+/**
+ * Implementation of sim_card_t.get_triplet
+ */
+static bool get_triplet(private_eap_sim_file_card_t *this,
+						char *rand, char *sres, char *kc)
+{
+	enumerator_t *enumerator;
+	identification_t *id;
+	char *c_rand, *c_sres, *c_kc;
+	
+	
+	DBG1(DBG_CFG, "looking for rand: %b", rand, RAND_LEN);
+	
+	enumerator = this->triplets->create_enumerator(this->triplets);
+	while (enumerator->enumerate(enumerator, &id, &c_rand, &c_sres, &c_kc))
+	{
+		DBG1(DBG_CFG, "found triplet: %b %b %b", c_rand, RAND_LEN, c_sres, SRES_LEN, c_kc, KC_LEN);
+		if (memeq(c_rand, rand, RAND_LEN))
+		{
+			memcpy(sres, c_sres, SRES_LEN);
+			memcpy(kc, c_kc, KC_LEN);
+			enumerator->destroy(enumerator);
+			return TRUE;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return FALSE;
+}
+
+/**
+ * Implementation of sim_card_t.get_imsi
+ */
+static identification_t* get_imsi(private_eap_sim_file_card_t *this)
+{
+	return this->imsi;
+}
+
+/**
+ * Implementation of eap_sim_file_card_t.destroy.
+ */
+static void destroy(private_eap_sim_file_card_t *this)
+{
+	this->imsi->destroy(this->imsi);
+	free(this);
+}
+
+/**
+ * See header
+ */
+eap_sim_file_card_t *eap_sim_file_card_create(eap_sim_file_triplets_t *triplets)
+{
+	private_eap_sim_file_card_t *this = malloc_thing(private_eap_sim_file_card_t);
+	
+	this->public.card.get_triplet = (bool(*)(sim_card_t*, char *rand, char *sres, char *kc))get_triplet;
+	this->public.card.get_imsi = (identification_t*(*)(sim_card_t*))get_imsi;
+	this->public.destroy = (void(*)(eap_sim_file_card_t*))destroy;
+	
+	/* this SIM card implementation does not have an ID, serve ID_ANY */
+	this->imsi = identification_create_from_encoding(ID_ANY, chunk_empty);
+	this->triplets = triplets;
+	
+	return &this->public;
+}
+
diff --git a/src/charon/plugins/eap_sim_file/eap_sim_file_card.h b/src/charon/plugins/eap_sim_file/eap_sim_file_card.h
new file mode 100644
index 000000000..953a3e915
--- /dev/null
+++ b/src/charon/plugins/eap_sim_file/eap_sim_file_card.h
@@ -0,0 +1,55 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+/**
+ * @defgroup eap_sim_file_card eap_sim_file_card
+ * @{ @ingroup eap_sim_file
+ */
+
+#ifndef EAP_SIM_FILE_CARD_H_
+#define EAP_SIM_FILE_CARD_H_
+
+#include "eap_sim_file_triplets.h"
+
+#include <sa/authenticators/eap/sim_manager.h>
+
+typedef struct eap_sim_file_card_t eap_sim_file_card_t;
+
+/**
+ * SIM card implementation on top of a triplet file.
+ */
+struct eap_sim_file_card_t {
+
+	/**
+	 * Implements sim_card_t interface
+	 */
+	sim_card_t card;
+	
+	/**
+	 * Destroy a eap_sim_file_card_t.
+	 */
+	void (*destroy)(eap_sim_file_card_t *this);
+};
+
+/**
+ * Create a eap_sim_file_card instance.
+ *
+ * @param triplets		source of triplets
+ */
+eap_sim_file_card_t *eap_sim_file_card_create(eap_sim_file_triplets_t *triplets);
+
+#endif /* EAP_SIM_FILE_CARD_ @}*/
diff --git a/src/charon/plugins/eap_sim_file/eap_sim_file_plugin.c b/src/charon/plugins/eap_sim_file/eap_sim_file_plugin.c
new file mode 100644
index 000000000..6129ebb72
--- /dev/null
+++ b/src/charon/plugins/eap_sim_file/eap_sim_file_plugin.c
@@ -0,0 +1,86 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+#include "eap_sim_file_plugin.h"
+#include "eap_sim_file_card.h"
+#include "eap_sim_file_provider.h"
+#include "eap_sim_file_triplets.h"
+
+#include <daemon.h>
+
+#define TRIPLET_FILE IPSEC_CONFDIR "/ipsec.d/triplets.dat"
+
+typedef struct private_eap_sim_file_t private_eap_sim_file_t;
+
+/**
+ * Private data of an eap_sim_file_t object.
+ */
+struct private_eap_sim_file_t {
+	
+	/**
+	 * Public eap_sim_file_plugin_t interface.
+	 */
+	eap_sim_file_plugin_t public;
+	
+	/**
+	 * SIM card
+	 */
+	eap_sim_file_card_t *card;
+	
+	/**
+	 * SIM provider
+	 */
+	eap_sim_file_provider_t *provider;
+	
+	/**
+	 * Triplet source
+	 */
+	eap_sim_file_triplets_t *triplets;
+};
+
+/**
+ * Implementation of eap_sim_file_t.destroy.
+ */
+static void destroy(private_eap_sim_file_t *this)
+{
+	charon->sim->remove_card(charon->sim, &this->card->card);
+	charon->sim->remove_provider(charon->sim, &this->provider->provider);
+	this->card->destroy(this->card);
+	this->provider->destroy(this->provider);
+	this->triplets->destroy(this->triplets);
+	free(this);
+}
+
+/**
+ * See header
+ */
+plugin_t *plugin_create()
+{
+	private_eap_sim_file_t *this = malloc_thing(private_eap_sim_file_t);
+	
+	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+	
+	this->triplets = eap_sim_file_triplets_create(TRIPLET_FILE);
+	this->card = eap_sim_file_card_create(this->triplets);
+	this->provider = eap_sim_file_provider_create(this->triplets);
+	
+	charon->sim->add_card(charon->sim, &this->card->card);
+	charon->sim->add_provider(charon->sim, &this->provider->provider);
+	
+	return &this->public.plugin;
+}
+
diff --git a/src/charon/plugins/eap_sim_file/eap_sim_file_plugin.h b/src/charon/plugins/eap_sim_file/eap_sim_file_plugin.h
new file mode 100644
index 000000000..c1828527d
--- /dev/null
+++ b/src/charon/plugins/eap_sim_file/eap_sim_file_plugin.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+/**
+ * @defgroup eap_sim_file eap_sim_file
+ * @ingroup cplugins
+ *
+ * @defgroup eap_sim_file_plugin eap_sim_file_plugin
+ * @{ @ingroup eap_sim_file
+ */
+
+#ifndef EAP_SIM_FILE_PLUGIN_H_
+#define EAP_SIM_FILE_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct eap_sim_file_plugin_t eap_sim_file_plugin_t;
+
+/**
+ * Plugin to provide a SIM card/provider on top of a triplet file.
+ */
+struct eap_sim_file_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+/**
+ * Create a eap_sim_file_plugin instance.
+ */
+plugin_t *plugin_create();
+
+#endif /* EAP_SIM_FILE_PLUGIN_H_ @}*/
diff --git a/src/charon/plugins/eap_sim_file/eap_sim_file_provider.c b/src/charon/plugins/eap_sim_file/eap_sim_file_provider.c
new file mode 100644
index 000000000..ffb4b2901
--- /dev/null
+++ b/src/charon/plugins/eap_sim_file/eap_sim_file_provider.c
@@ -0,0 +1,88 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+#include "eap_sim_file_provider.h"
+
+typedef struct private_eap_sim_file_provider_t private_eap_sim_file_provider_t;
+
+/**
+ * Private data of an eap_sim_file_provider_t object.
+ */
+struct private_eap_sim_file_provider_t {
+	
+	/**
+	 * Public eap_sim_file_provider_t interface.
+	 */
+	eap_sim_file_provider_t public;
+	
+	/**
+ 	 * source of triplets
+ 	 */
+	eap_sim_file_triplets_t *triplets;
+};
+
+/**
+ * Implementation of sim_provider_t.get_triplet
+ */
+static bool get_triplet(private_eap_sim_file_provider_t *this,
+						identification_t *imsi,
+						char *rand, char *sres, char *kc)
+{
+	enumerator_t *enumerator;
+	identification_t *id;
+	char *c_rand, *c_sres, *c_kc;
+	
+	enumerator = this->triplets->create_enumerator(this->triplets);
+	while (enumerator->enumerate(enumerator, &id, &c_rand, &c_sres, &c_kc))
+	{
+		if (imsi->matches(imsi, id))
+		{
+			memcpy(rand, c_rand, RAND_LEN);
+			memcpy(sres, c_sres, SRES_LEN);
+			memcpy(kc, c_kc, KC_LEN);
+			enumerator->destroy(enumerator);
+			return TRUE;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return FALSE;
+}
+
+/**
+ * Implementation of eap_sim_file_provider_t.destroy.
+ */
+static void destroy(private_eap_sim_file_provider_t *this)
+{
+	free(this);
+}
+
+/**
+ * See header
+ */
+eap_sim_file_provider_t *eap_sim_file_provider_create(
+											eap_sim_file_triplets_t *triplets)
+{
+	private_eap_sim_file_provider_t *this = malloc_thing(private_eap_sim_file_provider_t);
+	
+	this->public.provider.get_triplet = (bool(*)(sim_provider_t*, identification_t *imsi, char rand[16], char sres[4], char kc[8]))get_triplet;
+	this->public.destroy = (void(*)(eap_sim_file_provider_t*))destroy;
+	
+	this->triplets = triplets;
+	
+	return &this->public;
+}
+
diff --git a/src/charon/plugins/eap_sim_file/eap_sim_file_provider.h b/src/charon/plugins/eap_sim_file/eap_sim_file_provider.h
new file mode 100644
index 000000000..bc8f6cca0
--- /dev/null
+++ b/src/charon/plugins/eap_sim_file/eap_sim_file_provider.h
@@ -0,0 +1,54 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+/**
+ * @defgroup eap_sim_file_provider eap_sim_file_provider
+ * @{ @ingroup eap_sim_file
+ */
+
+#ifndef EAP_SIM_FILE_PROVIDER_H_
+#define EAP_SIM_FILE_PROVIDER_H_
+
+#include "eap_sim_file_triplets.h"
+
+#include <sa/authenticators/eap/sim_manager.h>
+
+typedef struct eap_sim_file_provider_t eap_sim_file_provider_t;
+
+/**
+ * SIM provider implementation on top of triplets file.
+ */
+struct eap_sim_file_provider_t {
+
+	/**
+	 * Implements sim_provider_t interface.
+	 */
+	sim_provider_t provider;
+	
+	/**
+	 * Destroy a eap_sim_file_provider_t.
+	 */
+	void (*destroy)(eap_sim_file_provider_t *this);
+};
+
+/**
+ * Create a eap_sim_file_provider instance.
+ */
+eap_sim_file_provider_t *eap_sim_file_provider_create(
+											eap_sim_file_triplets_t *triplets);
+
+#endif /* EAP_SIM_FILE_PROVIDER_ @}*/
diff --git a/src/charon/plugins/eap_sim_file/eap_sim_file_triplets.c b/src/charon/plugins/eap_sim_file/eap_sim_file_triplets.c
new file mode 100644
index 000000000..409e9cbd5
--- /dev/null
+++ b/src/charon/plugins/eap_sim_file/eap_sim_file_triplets.c
@@ -0,0 +1,263 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+#include "eap_sim_file_triplets.h"
+
+#include <stdio.h>
+#include <errno.h>
+
+#include <daemon.h>
+#include <utils/linked_list.h>
+#include <utils/mutex.h>
+
+typedef struct private_eap_sim_file_triplets_t private_eap_sim_file_triplets_t;
+
+/**
+ * Private data of an eap_sim_file_triplets_t object.
+ */
+struct private_eap_sim_file_triplets_t {
+	
+	/**
+	 * Public eap_sim_file_triplets_t interface.
+	 */
+	eap_sim_file_triplets_t public;
+	
+	/**
+	 * List of triplets, as triplet_t
+	 */
+	linked_list_t *triplets;
+	
+	/**
+	 * mutex to lock triplets list
+	 */
+	mutex_t *mutex;
+};
+
+/**
+ * A single triplet
+ */
+typedef struct  {
+	identification_t *imsi;
+	char rand[RAND_LEN];
+	char sres[SRES_LEN];
+	char kc[KC_LEN];
+} triplet_t;
+
+/**
+ * Destroy a triplet
+ */
+static void triplet_destroy(triplet_t *this)
+{
+	this->imsi->destroy(this->imsi);
+	free(this);
+}
+
+/**
+ * triplet enumerator
+ */
+typedef struct {
+	/** implements enumerator */
+	enumerator_t public;
+	/** inner enumerator */
+	enumerator_t *inner;
+	/** current enumerating triplet */
+	triplet_t *current;
+	/** back ptr */
+	private_eap_sim_file_triplets_t *this;
+} triplet_enumerator_t;
+
+/**
+ * destroy a triplet enumerator
+ */
+static void enumerator_destroy(triplet_enumerator_t *e)
+{
+	if (e->current)
+	{
+		/* We assume that the current element is used on invocation if destroy.
+		 * We move that triplet to the end to avoid handout of the same triplet
+		 * next time. */
+		e->this->triplets->remove_at(e->this->triplets, e->inner);
+		e->this->triplets->insert_last(e->this->triplets, e->current);
+	}
+	e->inner->destroy(e->inner);
+	e->this->mutex->unlock(e->this->mutex);
+	free(e);
+}
+
+/**
+ * enumerate through triplets
+ */
+static bool enumerator_enumerate(triplet_enumerator_t *e, identification_t **imsi,
+								 char **rand, char **sres, char **kc)
+{
+	triplet_t *triplet;
+
+	if (e->inner->enumerate(e->inner, &triplet))
+	{
+		e->current = triplet;
+		*imsi = triplet->imsi;
+		*rand = triplet->rand;
+		*sres = triplet->sres;
+		*kc = triplet->kc;
+		return TRUE;
+	}
+	e->current = NULL;
+	return FALSE;
+}
+
+/**
+ * Implementation of eap_sim_file_triplets_t.create_enumerator
+ */
+static enumerator_t* create_enumerator(private_eap_sim_file_triplets_t *this)
+{
+	triplet_enumerator_t *enumerator = malloc_thing(triplet_enumerator_t);
+	
+	this->mutex->lock(this->mutex);
+	enumerator->public.enumerate = (void*)enumerator_enumerate;
+	enumerator->public.destroy = (void*)enumerator_destroy;
+	enumerator->inner = this->triplets->create_enumerator(this->triplets);
+	enumerator->current = NULL;
+	enumerator->this = this;
+	
+	return &enumerator->public;
+}
+
+/**
+ * convert to token into the array
+ */
+static void parse_token(char *to, char *from, size_t len)
+{
+	chunk_t chunk;
+	
+	chunk = chunk_create(from, min(strlen(from), len * 2));
+	chunk = chunk_from_hex(chunk, NULL);
+	memset(to, 0, len);
+	memcpy(to + len - chunk.len, chunk.ptr, chunk.len);
+	free(chunk.ptr);
+}
+
+/**
+ * Read the triplets from the file
+ */
+static void read_triplets(private_eap_sim_file_triplets_t *this, char *path)
+{
+	char line[512];
+	FILE *file;
+	int i, nr = 0;
+	
+	file = fopen(path, "r");
+	if (file == NULL)
+	{
+		DBG1(DBG_CFG, "opening triplet file %s failed: %s", 
+			 path, strerror(errno));
+		return;
+	}
+	
+	/* read line by line */
+	while (fgets(line, sizeof(line), file))
+	{
+		triplet_t *triplet;
+		enumerator_t *enumerator;
+		char *token;
+		
+		nr++;
+		/* skip comments, empty lines */
+		switch (line[0])
+		{
+			case '\n':
+			case '\r':
+			case '#':
+			case '\0':
+				continue;
+			default:
+				break;
+		}
+		triplet = malloc_thing(triplet_t);
+		memset(triplet, 0, sizeof(triplet_t));
+		
+		i = 0;
+		enumerator = enumerator_create_token(line, ",", " \n\r#");
+		while (enumerator->enumerate(enumerator, &token))
+		{
+			switch (i++)
+			{
+				case 0: /* IMSI */
+					triplet->imsi = identification_create_from_encoding(ID_EAP,
+											chunk_create(token, strlen(token)));
+					continue;
+				case 1: /* rand */
+					parse_token(triplet->rand, token, RAND_LEN);
+					continue;
+				case 2: /* sres */
+					parse_token(triplet->sres, token, SRES_LEN);
+					continue;
+				case 3: /* kc */
+					parse_token(triplet->kc, token, KC_LEN);
+					continue;
+				default:
+					break;;
+			}
+			break;
+		}
+		enumerator->destroy(enumerator);
+		if (i < 4)
+		{
+			DBG1(DBG_CFG, "error in triplet file, line %d", nr);
+			triplet_destroy(triplet);
+			continue;
+		}
+		
+		DBG1(DBG_CFG, "triplet: imsi %D\nrand %b\nsres %b\nkc %b",
+			 triplet->imsi, triplet->rand, RAND_LEN,
+			 triplet->sres, SRES_LEN, triplet->kc, KC_LEN);
+			 
+		this->triplets->insert_last(this->triplets, triplet);
+	}
+	fclose(file);
+	
+	DBG1(DBG_CFG, "read %d triplets from %s",
+		 this->triplets->get_count(this->triplets), path);
+}
+
+/**
+ * Implementation of eap_sim_file_triplets_t.destroy.
+ */
+static void destroy(private_eap_sim_file_triplets_t *this)
+{
+	this->triplets->destroy_function(this->triplets, (void*)triplet_destroy);
+	this->mutex->destroy(this->mutex);
+	free(this);
+}
+
+/**
+ * See header
+ */
+eap_sim_file_triplets_t *eap_sim_file_triplets_create(char *file)
+{
+	private_eap_sim_file_triplets_t *this = malloc_thing(private_eap_sim_file_triplets_t);
+	
+	this->public.create_enumerator = (enumerator_t*(*)(eap_sim_file_triplets_t*))create_enumerator;
+	this->public.destroy = (void(*)(eap_sim_file_triplets_t*))destroy;
+	
+	this->triplets = linked_list_create();
+	this->mutex = mutex_create(MUTEX_DEFAULT);
+	
+	read_triplets(this, file);
+	
+	return &this->public;
+}
+
diff --git a/src/charon/plugins/eap_sim_file/eap_sim_file_triplets.h b/src/charon/plugins/eap_sim_file/eap_sim_file_triplets.h
new file mode 100644
index 000000000..5f3adfe62
--- /dev/null
+++ b/src/charon/plugins/eap_sim_file/eap_sim_file_triplets.h
@@ -0,0 +1,74 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+/**
+ * @defgroup eap_sim_file_triplets eap_sim_file_triplets
+ * @{ @ingroup eap_sim_file
+ */
+
+#ifndef EAP_SIM_FILE_TRIPLETS_H_
+#define EAP_SIM_FILE_TRIPLETS_H_
+
+#include <utils/enumerator.h>
+#include <utils/identification.h>
+
+/**
+ * size of RAND value
+ */
+#define RAND_LEN 16
+
+/**
+ * size of SRES value
+ */
+#define SRES_LEN 4
+
+/**
+ * size of KC value
+ */
+#define KC_LEN 8
+
+typedef struct eap_sim_file_triplets_t eap_sim_file_triplets_t;
+
+/**
+ * Reads triplets from a triplets.dat file.
+ *
+ * The file is in freeradius triplet file syntax:
+ * http://www.freeradius.org/radiusd/doc/rlm_sim_triplets
+ */
+struct eap_sim_file_triplets_t {
+
+	/**
+	 * Create an enumerator over the file's triplets.
+	 *
+	 * @return			enumerator over (identity, rand, sres, kc)
+	 */
+	enumerator_t* (*create_enumerator)(eap_sim_file_triplets_t *this);
+
+	/**
+	 * Destroy a eap_sim_file_triplets_t.
+	 */
+	void (*destroy)(eap_sim_file_triplets_t *this);
+};
+
+/**
+ * Create a eap_sim_file_triplets instance.
+ *
+ * @param file		triplet file to read from
+ */
+eap_sim_file_triplets_t *eap_sim_file_triplets_create(char *file);
+
+#endif /* EAP_SIM_FILE_TRIPLETS_ @}*/
diff --git a/src/charon/plugins/kernel_netlink/Makefile.am b/src/charon/plugins/kernel_netlink/Makefile.am
new file mode 100644
index 000000000..e0efe5779
--- /dev/null
+++ b/src/charon/plugins/kernel_netlink/Makefile.am
@@ -0,0 +1,11 @@
+
+INCLUDES = -I${linuxdir} -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
+
+AM_CFLAGS = -rdynamic
+
+plugin_LTLIBRARIES = libstrongswan-kernel-netlink.la
+
+libstrongswan_kernel_netlink_la_SOURCES = kernel_netlink_plugin.h kernel_netlink_plugin.c \
+	kernel_netlink_ipsec.h kernel_netlink_ipsec.c kernel_netlink_net.h kernel_netlink_net.c \
+	kernel_netlink_shared.h kernel_netlink_shared.c
+libstrongswan_kernel_netlink_la_LDFLAGS = -module
diff --git a/src/charon/plugins/kernel_netlink/Makefile.in b/src/charon/plugins/kernel_netlink/Makefile.in
new file mode 100644
index 000000000..658e0feea
--- /dev/null
+++ b/src/charon/plugins/kernel_netlink/Makefile.in
@@ -0,0 +1,505 @@
+# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/charon/plugins/kernel_netlink
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__installdirs = "$(DESTDIR)$(plugindir)"
+pluginLTLIBRARIES_INSTALL = $(INSTALL)
+LTLIBRARIES = $(plugin_LTLIBRARIES)
+libstrongswan_kernel_netlink_la_LIBADD =
+am_libstrongswan_kernel_netlink_la_OBJECTS = kernel_netlink_plugin.lo \
+	kernel_netlink_ipsec.lo kernel_netlink_net.lo \
+	kernel_netlink_shared.lo
+libstrongswan_kernel_netlink_la_OBJECTS =  \
+	$(am_libstrongswan_kernel_netlink_la_OBJECTS)
+libstrongswan_kernel_netlink_la_LINK = $(LIBTOOL) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_kernel_netlink_la_LDFLAGS) $(LDFLAGS) -o $@
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_kernel_netlink_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_kernel_netlink_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+CXXDEPMODE = @CXXDEPMODE@
+CXXFLAGS = @CXXFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DSYMUTIL = @DSYMUTIL@
+ECHO = @ECHO@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+F77 = @F77@
+FFLAGS = @FFLAGS@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
+IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LINUX_HEADERS = @LINUX_HEADERS@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+NMEDIT = @NMEDIT@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+RANLIB = @RANLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_CXX = @ac_ct_CXX@
+ac_ct_F77 = @ac_ct_F77@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+confdir = @confdir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libstrongswan_plugins = @libstrongswan_plugins@
+linuxdir = @linuxdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+resolv_conf = @resolv_conf@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+simreader = @simreader@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I${linuxdir} -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
+AM_CFLAGS = -rdynamic
+plugin_LTLIBRARIES = libstrongswan-kernel-netlink.la
+libstrongswan_kernel_netlink_la_SOURCES = kernel_netlink_plugin.h kernel_netlink_plugin.c \
+	kernel_netlink_ipsec.h kernel_netlink_ipsec.c kernel_netlink_net.h kernel_netlink_net.c \
+	kernel_netlink_shared.h kernel_netlink_shared.c
+
+libstrongswan_kernel_netlink_la_LDFLAGS = -module
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
+		&& exit 0; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/charon/plugins/kernel_netlink/Makefile'; \
+	cd $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu  src/charon/plugins/kernel_netlink/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    f=$(am__strip_dir) \
+	    echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(plugindir)/$$f'"; \
+	    $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(plugindir)/$$f"; \
+	  else :; fi; \
+	done
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  p=$(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$p'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$p"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-kernel-netlink.la: $(libstrongswan_kernel_netlink_la_OBJECTS) $(libstrongswan_kernel_netlink_la_DEPENDENCIES) 
+	$(libstrongswan_kernel_netlink_la_LINK) -rpath $(plugindir) $(libstrongswan_kernel_netlink_la_OBJECTS) $(libstrongswan_kernel_netlink_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_netlink_ipsec.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_netlink_net.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_netlink_plugin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_netlink_shared.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	    $$tags $$unique; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$tags $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) $$here
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	    fi; \
+	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
+	mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-info: install-info-am
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
+	distclean-compile distclean-generic distclean-libtool \
+	distclean-tags distdir dvi dvi-am html html-am info info-am \
+	install install-am install-data install-data-am install-dvi \
+	install-dvi-am install-exec install-exec-am install-html \
+	install-html-am install-info install-info-am install-man \
+	install-pdf install-pdf-am install-pluginLTLIBRARIES \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c
new file mode 100644
index 000000000..7b78f9eb1
--- /dev/null
+++ b/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -0,0 +1,1761 @@
+/*
+ * Copyright (C) 2006-2008 Tobias Brunner
+ * Copyright (C) 2005-2007 Martin Willi
+ * Copyright (C) 2006-2007 Fabian Hartmann, Noah Heusser
+ * Copyright (C) 2006 Daniel Roethlisberger
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id: kernel_netlink_ipsec.c 4406 2008-10-10 08:36:01Z martin $
+ */
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/time.h>
+#include <linux/netlink.h>
+#include <linux/rtnetlink.h>
+#include <linux/xfrm.h>
+#include <linux/udp.h>
+#include <netinet/in.h>
+#include <pthread.h>
+#include <unistd.h>
+#include <errno.h>
+#include <string.h>
+
+#include "kernel_netlink_ipsec.h"
+#include "kernel_netlink_shared.h"
+
+#include <daemon.h>
+#include <utils/linked_list.h>
+#include <processing/jobs/callback_job.h>
+#include <processing/jobs/acquire_job.h>
+#include <processing/jobs/rekey_child_sa_job.h>
+#include <processing/jobs/delete_child_sa_job.h>
+#include <processing/jobs/update_sa_job.h>
+
+/** required for Linux 2.6.26 kernel and later */
+#ifndef XFRM_STATE_AF_UNSPEC
+#define XFRM_STATE_AF_UNSPEC	32
+#endif
+
+/** default priority of installed policies */
+#define PRIO_LOW 3000
+#define PRIO_HIGH 2000
+
+/**
+ * Create ORable bitfield of XFRM NL groups
+ */
+#define XFRMNLGRP(x) (1<<(XFRMNLGRP_##x-1))
+
+/**
+ * returns a pointer to the first rtattr following the nlmsghdr *nlh and the 
+ * 'usual' netlink data x like 'struct xfrm_usersa_info' 
+ */
+#define XFRM_RTA(nlh, x) ((struct rtattr*)(NLMSG_DATA(nlh) + NLMSG_ALIGN(sizeof(x))))
+/**
+ * returns a pointer to the next rtattr following rta.
+ * !!! do not use this to parse messages. use RTA_NEXT and RTA_OK instead !!!
+ */
+#define XFRM_RTA_NEXT(rta) ((struct rtattr*)(((char*)(rta)) + RTA_ALIGN((rta)->rta_len)))
+/**
+ * returns the total size of attached rta data 
+ * (after 'usual' netlink data x like 'struct xfrm_usersa_info') 
+ */
+#define XFRM_PAYLOAD(nlh, x) NLMSG_PAYLOAD(nlh, sizeof(x))
+
+typedef struct kernel_algorithm_t kernel_algorithm_t;
+
+/**
+ * Mapping from the algorithms defined in IKEv2 to
+ * kernel level algorithm names and their key length
+ */
+struct kernel_algorithm_t {
+	/**
+	 * Identifier specified in IKEv2
+	 */
+	int ikev2_id;
+	
+	/**
+	 * Name of the algorithm, as used as kernel identifier
+	 */
+	char *name;
+	
+	/**
+	 * Key length in bits, if fixed size
+	 */
+	u_int key_size;
+};
+
+ENUM(policy_dir_names, POLICY_IN, POLICY_FWD,
+	"in",
+	"out",
+	"fwd"
+);
+
+#define END_OF_LIST -1
+
+/**
+ * Algorithms for encryption
+ */
+static kernel_algorithm_t encryption_algs[] = {
+/*	{ENCR_DES_IV64, 		"***", 					0}, */
+	{ENCR_DES, 				"des", 					64},
+	{ENCR_3DES, 			"des3_ede",				192},
+/*	{ENCR_RC5, 				"***", 					0}, */
+/*	{ENCR_IDEA, 			"***",					0}, */
+	{ENCR_CAST, 			"cast128",				0},
+	{ENCR_BLOWFISH, 		"blowfish",				0},
+/*	{ENCR_3IDEA, 			"***",					0}, */
+/*	{ENCR_DES_IV32, 		"***",					0}, */
+	{ENCR_NULL, 			"cipher_null",			0},
+	{ENCR_AES_CBC,	 		"aes",					0},
+/*	{ENCR_AES_CTR, 			"***",					0}, */
+	{ENCR_AES_CCM_ICV8,		"rfc4309(ccm(aes))",	64},	/* key_size = ICV size */
+	{ENCR_AES_CCM_ICV12,	"rfc4309(ccm(aes))",	96},	/* key_size = ICV size */
+	{ENCR_AES_CCM_ICV16,	"rfc4309(ccm(aes))",	128},	/* key_size = ICV size */
+	{ENCR_AES_GCM_ICV8,		"rfc4106(gcm(aes))",	64},	/* key_size = ICV size */
+	{ENCR_AES_GCM_ICV12,	"rfc4106(gcm(aes))",	96},	/* key_size = ICV size */
+	{ENCR_AES_GCM_ICV16,	"rfc4106(gcm(aes))",	128},	/* key_size = ICV size */
+	{END_OF_LIST, 		NULL,			0},
+};
+
+/**
+ * Algorithms for integrity protection
+ */
+static kernel_algorithm_t integrity_algs[] = {
+	{AUTH_HMAC_MD5_96, 			"md5",			128},
+	{AUTH_HMAC_SHA1_96,			"sha1",			160},
+	{AUTH_HMAC_SHA2_256_128,	"sha256",		256},
+	{AUTH_HMAC_SHA2_384_192,	"sha384",		384},
+	{AUTH_HMAC_SHA2_512_256,	"sha512",		512},
+/*	{AUTH_DES_MAC,				"***",			0}, */
+/*	{AUTH_KPDK_MD5,				"***",			0}, */
+	{AUTH_AES_XCBC_96,			"xcbc(aes)",	128},
+	{END_OF_LIST, 				NULL,			0},
+};
+
+/**
+ * Algorithms for IPComp
+ */
+static kernel_algorithm_t compression_algs[] = {
+/*	{IPCOMP_OUI, 			"***",			0}, */
+	{IPCOMP_DEFLATE,		"deflate",		0},
+	{IPCOMP_LZS,			"lzs",			0},
+	{IPCOMP_LZJH,			"lzjh",			0},
+	{END_OF_LIST, 			NULL,			0},
+};
+
+/**
+ * Look up a kernel algorithm name and its key size
+ */
+static char* lookup_algorithm(kernel_algorithm_t *kernel_algo, 
+					   u_int16_t ikev2_algo, u_int16_t *key_size)
+{
+	while (kernel_algo->ikev2_id != END_OF_LIST)
+	{
+		if (ikev2_algo == kernel_algo->ikev2_id)
+		{
+			/* match, evaluate key length */
+			if (key_size && *key_size == 0)
+			{	/* update key size if not set */
+				*key_size = kernel_algo->key_size;
+			}
+			return kernel_algo->name;
+		}
+		kernel_algo++;
+	}
+	return NULL;
+}
+
+typedef struct route_entry_t route_entry_t;
+
+/**
+ * installed routing entry
+ */
+struct route_entry_t {
+	/** Name of the interface the route is bound to */
+	char *if_name;
+	
+	/** Source ip of the route */
+	host_t *src_ip;
+	
+	/** gateway for this route */
+	host_t *gateway;
+
+	/** Destination net */
+	chunk_t dst_net;
+
+	/** Destination net prefixlen */
+	u_int8_t prefixlen;
+};
+
+/**
+ * destroy an route_entry_t object
+ */
+static void route_entry_destroy(route_entry_t *this)
+{
+	free(this->if_name);
+	this->src_ip->destroy(this->src_ip);
+	this->gateway->destroy(this->gateway);
+	chunk_free(&this->dst_net);
+	free(this);
+}
+
+typedef struct policy_entry_t policy_entry_t;
+
+/**
+ * installed kernel policy.
+ */
+struct policy_entry_t {
+	
+	/** direction of this policy: in, out, forward */
+	u_int8_t direction;
+	
+	/** reqid of the policy */
+	u_int32_t reqid;
+	
+	/** parameters of installed policy */
+	struct xfrm_selector sel;
+	
+	/** associated route installed for this policy */
+	route_entry_t *route;
+	
+	/** by how many CHILD_SA's this policy is used */
+	u_int refcount;
+};
+
+typedef struct private_kernel_netlink_ipsec_t private_kernel_netlink_ipsec_t;
+
+/**
+ * Private variables and functions of kernel_netlink class.
+ */
+struct private_kernel_netlink_ipsec_t {
+	/**
+	 * Public part of the kernel_netlink_t object.
+	 */
+	kernel_netlink_ipsec_t public;
+	
+	/**
+	 * mutex to lock access to various lists
+	 */
+	pthread_mutex_t mutex;
+	
+	/**
+	 * List of installed policies (policy_entry_t)
+	 */
+	linked_list_t *policies;
+		 
+	/**
+	 * job receiving netlink events
+	 */
+	callback_job_t *job;
+	
+	/**
+	 * Netlink xfrm socket (IPsec)
+	 */
+	netlink_socket_t *socket_xfrm;
+	
+	/**
+	 * netlink xfrm socket to receive acquire and expire events
+	 */
+	int socket_xfrm_events;
+	
+	/**
+	 * whether to install routes along policies
+	 */
+	bool install_routes;
+};
+
+/**
+ * convert a IKEv2 specific protocol identifier to the kernel one
+ */
+static u_int8_t proto_ike2kernel(protocol_id_t proto)
+{
+	switch (proto)
+	{
+		case PROTO_ESP:
+			return IPPROTO_ESP;
+		case PROTO_AH:
+			return IPPROTO_AH;
+		default:
+			return proto;
+	}
+}
+
+/**
+ * reverse of ike2kernel
+ */
+static protocol_id_t proto_kernel2ike(u_int8_t proto)
+{
+	switch (proto)
+	{
+		case IPPROTO_ESP:
+			return PROTO_ESP;
+		case IPPROTO_AH:
+			return PROTO_AH;
+		default:
+			return proto;
+	}
+}
+
+/**
+ * convert a host_t to a struct xfrm_address
+ */
+static void host2xfrm(host_t *host, xfrm_address_t *xfrm)
+{
+	chunk_t chunk = host->get_address(host);
+	memcpy(xfrm, chunk.ptr, min(chunk.len, sizeof(xfrm_address_t)));	
+}
+
+/**
+ * convert a struct xfrm_address to a host_t
+ */
+static host_t* xfrm2host(int family, xfrm_address_t *xfrm, u_int16_t port)
+{
+	chunk_t chunk;
+	
+	switch (family)
+	{
+		case AF_INET:
+			chunk = chunk_create((u_char*)&xfrm->a4, sizeof(xfrm->a4));
+			break;
+		case AF_INET6:
+			chunk = chunk_create((u_char*)&xfrm->a6, sizeof(xfrm->a6));
+			break;
+		default:
+			return NULL;
+	}
+	return host_create_from_chunk(family, chunk, ntohs(port));
+}
+
+/**
+ * convert a traffic selector address range to subnet and its mask.
+ */
+static void ts2subnet(traffic_selector_t* ts, 
+					  xfrm_address_t *net, u_int8_t *mask)
+{
+	/* there is no way to do this cleanly, as the address range may
+	 * be anything else but a subnet. We use from_addr as subnet 
+	 * and try to calculate a usable subnet mask.
+	 */
+	int byte, bit;
+	bool found = FALSE;
+	chunk_t from, to;
+	size_t size = (ts->get_type(ts) == TS_IPV4_ADDR_RANGE) ? 4 : 16;
+	
+	from = ts->get_from_address(ts);
+	to = ts->get_to_address(ts);
+	
+	*mask = (size * 8);
+	/* go trough all bits of the addresses, beginning in the front.
+	 * as long as they are equal, the subnet gets larger
+	 */
+	for (byte = 0; byte < size; byte++)
+	{
+		for (bit = 7; bit >= 0; bit--)
+		{
+			if ((1<<bit & from.ptr[byte]) != (1<<bit & to.ptr[byte]))
+			{
+				*mask = ((7 - bit) + (byte * 8));
+				found = TRUE;
+				break;
+			}
+		}
+		if (found)
+		{
+			break;
+		}
+	}
+	memcpy(net, from.ptr, from.len);
+	chunk_free(&from);
+	chunk_free(&to);
+}
+
+/**
+ * convert a traffic selector port range to port/portmask
+ */
+static void ts2ports(traffic_selector_t* ts, 
+					 u_int16_t *port, u_int16_t *mask)
+{
+	/* linux does not seem to accept complex portmasks. Only
+	 * any or a specific port is allowed. We set to any, if we have
+	 * a port range, or to a specific, if we have one port only.
+	 */
+	u_int16_t from, to;
+	
+	from = ts->get_from_port(ts);
+	to = ts->get_to_port(ts);
+	
+	if (from == to)
+	{
+		*port = htons(from);
+		*mask = ~0;
+	}
+	else
+	{
+		*port = 0;
+		*mask = 0;
+	}
+}
+
+/**
+ * convert a pair of traffic_selectors to a xfrm_selector
+ */
+static struct xfrm_selector ts2selector(traffic_selector_t *src, 
+										traffic_selector_t *dst)
+{
+	struct xfrm_selector sel;
+
+	memset(&sel, 0, sizeof(sel));
+	sel.family = (src->get_type(src) == TS_IPV4_ADDR_RANGE) ? AF_INET : AF_INET6;
+	/* src or dest proto may be "any" (0), use more restrictive one */
+	sel.proto = max(src->get_protocol(src), dst->get_protocol(dst));
+	ts2subnet(dst, &sel.daddr, &sel.prefixlen_d);
+	ts2subnet(src, &sel.saddr, &sel.prefixlen_s);
+	ts2ports(dst, &sel.dport, &sel.dport_mask);
+	ts2ports(src, &sel.sport, &sel.sport_mask);
+	sel.ifindex = 0;
+	sel.user = 0;
+	
+	return sel;
+}
+
+
+/**
+ * process a XFRM_MSG_ACQUIRE from kernel
+ */
+static void process_acquire(private_kernel_netlink_ipsec_t *this, struct nlmsghdr *hdr)
+{
+	u_int32_t reqid = 0;
+	int proto = 0;
+	job_t *job;
+	struct rtattr *rtattr = XFRM_RTA(hdr, struct xfrm_user_acquire);
+	size_t rtsize = XFRM_PAYLOAD(hdr, struct xfrm_user_tmpl);
+	
+	if (RTA_OK(rtattr, rtsize))
+	{
+		if (rtattr->rta_type == XFRMA_TMPL)
+		{
+			struct xfrm_user_tmpl* tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rtattr);
+			reqid = tmpl->reqid;
+			proto = tmpl->id.proto;
+		}
+	}
+	switch (proto)
+	{
+		case 0:
+		case IPPROTO_ESP:
+		case IPPROTO_AH:
+			break;
+		default:
+			/* acquire for AH/ESP only, not for IPCOMP */
+			return;
+	}
+	if (reqid == 0)
+	{
+		DBG1(DBG_KNL, "received a XFRM_MSG_ACQUIRE, but no reqid found");
+		return;
+	}
+	DBG2(DBG_KNL, "received a XFRM_MSG_ACQUIRE");
+	DBG1(DBG_KNL, "creating acquire job for CHILD_SA with reqid {%d}", reqid);
+	job = (job_t*)acquire_job_create(reqid);
+	charon->processor->queue_job(charon->processor, job);
+}
+
+/**
+ * process a XFRM_MSG_EXPIRE from kernel
+ */
+static void process_expire(private_kernel_netlink_ipsec_t *this, struct nlmsghdr *hdr)
+{
+	job_t *job;
+	protocol_id_t protocol;
+	u_int32_t spi, reqid;
+	struct xfrm_user_expire *expire;
+	
+	expire = (struct xfrm_user_expire*)NLMSG_DATA(hdr);
+	protocol = proto_kernel2ike(expire->state.id.proto);
+	spi = expire->state.id.spi;
+	reqid = expire->state.reqid;
+	
+	DBG2(DBG_KNL, "received a XFRM_MSG_EXPIRE");
+	
+	if (protocol != PROTO_ESP && protocol != PROTO_AH)
+	{
+		DBG2(DBG_KNL, "ignoring XFRM_MSG_EXPIRE for SA with SPI %.8x and reqid {%d} "
+					  "which is not a CHILD_SA", ntohl(spi), reqid);
+		return;
+	}
+	
+	DBG1(DBG_KNL, "creating %s job for %N CHILD_SA with SPI %.8x and reqid {%d}",
+		 expire->hard ? "delete" : "rekey",  protocol_id_names,
+		 protocol, ntohl(spi), reqid);
+	if (expire->hard)
+	{
+		job = (job_t*)delete_child_sa_job_create(reqid, protocol, spi);
+	}
+	else
+	{
+		job = (job_t*)rekey_child_sa_job_create(reqid, protocol, spi);
+	}
+	charon->processor->queue_job(charon->processor, job);
+}
+
+/**
+ * process a XFRM_MSG_MAPPING from kernel
+ */
+static void process_mapping(private_kernel_netlink_ipsec_t *this,
+							struct nlmsghdr *hdr)
+{
+	job_t *job;
+	u_int32_t spi, reqid;
+	struct xfrm_user_mapping *mapping;
+	host_t *host;
+	
+	mapping = (struct xfrm_user_mapping*)NLMSG_DATA(hdr);
+	spi = mapping->id.spi;
+	reqid = mapping->reqid;
+	
+	DBG2(DBG_KNL, "received a XFRM_MSG_MAPPING");
+	
+	if (proto_kernel2ike(mapping->id.proto) == PROTO_ESP)
+	{
+		host = xfrm2host(mapping->id.family, &mapping->new_saddr,
+						 mapping->new_sport);
+		if (host)
+		{
+			DBG1(DBG_KNL, "NAT mappings of ESP CHILD_SA with SPI %.8x and "
+				"reqid {%d} changed, queueing update job", ntohl(spi), reqid);
+			job = (job_t*)update_sa_job_create(reqid, host);
+			charon->processor->queue_job(charon->processor, job);
+		}
+	}
+}
+
+/**
+ * Receives events from kernel
+ */
+static job_requeue_t receive_events(private_kernel_netlink_ipsec_t *this)
+{
+	char response[1024];
+	struct nlmsghdr *hdr = (struct nlmsghdr*)response;
+	struct sockaddr_nl addr;
+	socklen_t addr_len = sizeof(addr);
+	int len, oldstate;
+
+	pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
+	len = recvfrom(this->socket_xfrm_events, response, sizeof(response), 0,
+				   (struct sockaddr*)&addr, &addr_len);
+	pthread_setcancelstate(oldstate, NULL);
+	
+	if (len < 0)
+	{
+		switch (errno)
+		{
+			case EINTR:
+				/* interrupted, try again */
+				return JOB_REQUEUE_DIRECT;
+			case EAGAIN:
+				/* no data ready, select again */
+				return JOB_REQUEUE_DIRECT;
+			default:
+				DBG1(DBG_KNL, "unable to receive from xfrm event socket");
+				sleep(1);
+				return JOB_REQUEUE_FAIR;
+		}
+	}
+	
+	if (addr.nl_pid != 0)
+	{	/* not from kernel. not interested, try another one */
+		return JOB_REQUEUE_DIRECT;
+	}
+	
+	while (NLMSG_OK(hdr, len))
+	{
+		switch (hdr->nlmsg_type)
+		{
+			case XFRM_MSG_ACQUIRE:
+				process_acquire(this, hdr);
+				break;
+			case XFRM_MSG_EXPIRE:
+				process_expire(this, hdr);
+				break;
+			case XFRM_MSG_MAPPING:
+				process_mapping(this, hdr);
+				break;
+			default:
+				break;
+		}
+		hdr = NLMSG_NEXT(hdr, len);
+	}
+	return JOB_REQUEUE_DIRECT;
+}
+
+/**
+ * Tries to find an ip address of a local interface that is included in the
+ * supplied traffic selector.
+ */
+static status_t get_address_by_ts(private_kernel_netlink_ipsec_t *this,
+								  traffic_selector_t *ts, host_t **ip)
+{
+	enumerator_t *addrs;
+	host_t *host;
+	int family;
+	bool found = FALSE;
+	
+	DBG2(DBG_KNL, "getting a local address in traffic selector %R", ts);
+	
+	/* if we have a family which includes localhost, we do not
+	 * search for an IP, we use the default */
+	family = ts->get_type(ts) == TS_IPV4_ADDR_RANGE ? AF_INET : AF_INET6;
+	
+	if (family == AF_INET)
+	{
+		host = host_create_from_string("127.0.0.1", 0);
+	}
+	else
+	{
+		host = host_create_from_string("::1", 0);
+	}
+	
+	if (ts->includes(ts, host))
+	{
+		*ip = host_create_any(family);
+		host->destroy(host);
+		DBG2(DBG_KNL, "using host %H", *ip);
+		return SUCCESS;
+	}
+	host->destroy(host);
+	
+	addrs = charon->kernel_interface->create_address_enumerator(
+				charon->kernel_interface, TRUE, TRUE);
+	while (addrs->enumerate(addrs, (void**)&host))
+	{
+		if (ts->includes(ts, host))
+		{
+			found = TRUE;
+			*ip = host->clone(host);
+			break;
+		}
+	}
+	addrs->destroy(addrs);
+	
+	if (!found)
+	{
+		DBG1(DBG_KNL, "no local address found in traffic selector %R", ts);
+		return FAILED;
+	}
+	DBG2(DBG_KNL, "using host %H", *ip);
+	return SUCCESS;
+}
+
+/**
+ * Get an SPI for a specific protocol from the kernel.
+ */
+static status_t get_spi_internal(private_kernel_netlink_ipsec_t *this,
+		host_t *src, host_t *dst, u_int8_t proto, u_int32_t min, u_int32_t max,
+		u_int32_t reqid, u_int32_t *spi)
+{
+	unsigned char request[NETLINK_BUFFER_SIZE];
+	struct nlmsghdr *hdr, *out;
+	struct xfrm_userspi_info *userspi;
+	u_int32_t received_spi = 0;
+	size_t len;
+	
+	memset(&request, 0, sizeof(request));
+	
+	hdr = (struct nlmsghdr*)request;
+	hdr->nlmsg_flags = NLM_F_REQUEST;
+	hdr->nlmsg_type = XFRM_MSG_ALLOCSPI;
+	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userspi_info));
+
+	userspi = (struct xfrm_userspi_info*)NLMSG_DATA(hdr);
+	host2xfrm(src, &userspi->info.saddr);
+	host2xfrm(dst, &userspi->info.id.daddr);
+	userspi->info.id.proto = proto;
+	userspi->info.mode = TRUE; /* tunnel mode */
+	userspi->info.reqid = reqid;
+	userspi->info.family = src->get_family(src);
+	userspi->min = min;
+	userspi->max = max;
+	
+	if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
+	{
+		hdr = out;
+		while (NLMSG_OK(hdr, len))
+		{
+			switch (hdr->nlmsg_type)
+			{
+				case XFRM_MSG_NEWSA:
+				{
+					struct xfrm_usersa_info* usersa = NLMSG_DATA(hdr);
+					received_spi = usersa->id.spi;
+					break;
+				}
+				case NLMSG_ERROR:
+				{
+					struct nlmsgerr *err = NLMSG_DATA(hdr);
+					
+					DBG1(DBG_KNL, "allocating SPI failed: %s (%d)",
+						 strerror(-err->error), -err->error);
+					break;
+				}
+				default:
+					hdr = NLMSG_NEXT(hdr, len);
+					continue;
+				case NLMSG_DONE:
+					break;
+			}
+			break;
+		}
+		free(out);
+	}
+	
+	if (received_spi == 0)
+	{
+		return FAILED;
+	}
+	
+	*spi = received_spi;
+	return SUCCESS;
+}
+
+/**
+ * Implementation of kernel_interface_t.get_spi.
+ */
+static status_t get_spi(private_kernel_netlink_ipsec_t *this, 
+						host_t *src, host_t *dst, 
+						protocol_id_t protocol, u_int32_t reqid,
+						u_int32_t *spi)
+{
+	DBG2(DBG_KNL, "getting SPI for reqid {%d}", reqid);
+	
+	if (get_spi_internal(this, src, dst, proto_ike2kernel(protocol),
+			0xc0000000, 0xcFFFFFFF, reqid, spi) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "unable to get SPI for reqid {%d}", reqid);
+		return FAILED;
+	}
+	
+	DBG2(DBG_KNL, "got SPI %.8x for reqid {%d}", ntohl(*spi), reqid);
+	
+	return SUCCESS;
+}
+
+/**
+ * Implementation of kernel_interface_t.get_cpi.
+ */
+static status_t get_cpi(private_kernel_netlink_ipsec_t *this, 
+						host_t *src, host_t *dst, 
+						u_int32_t reqid, u_int16_t *cpi)
+{
+	u_int32_t received_spi = 0;
+
+	DBG2(DBG_KNL, "getting CPI for reqid {%d}", reqid);
+	
+	if (get_spi_internal(this, src, dst,
+			IPPROTO_COMP, 0x100, 0xEFFF, reqid, &received_spi) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "unable to get CPI for reqid {%d}", reqid);
+		return FAILED;
+	}
+	
+	*cpi = htons((u_int16_t)ntohl(received_spi));
+	
+	DBG2(DBG_KNL, "got CPI %.4x for reqid {%d}", ntohs(*cpi), reqid);
+	
+	return SUCCESS;
+}
+
+/**
+ * Implementation of kernel_interface_t.add_sa.
+ */
+static status_t add_sa(private_kernel_netlink_ipsec_t *this,
+					   host_t *src, host_t *dst, u_int32_t spi,
+					   protocol_id_t protocol, u_int32_t reqid,
+					   u_int64_t expire_soft, u_int64_t expire_hard,
+					   u_int16_t enc_alg, u_int16_t enc_size,
+					   u_int16_t int_alg, u_int16_t int_size,
+					   prf_plus_t *prf_plus, ipsec_mode_t mode,
+					   u_int16_t ipcomp, bool encap,
+					   bool replace)
+{
+	unsigned char request[NETLINK_BUFFER_SIZE];
+	char *alg_name;
+	/* additional 4 octets KEYMAT required for AES-GCM as of RFC4106 8.1. */
+	u_int16_t add_keymat = 32; 
+	struct nlmsghdr *hdr;
+	struct xfrm_usersa_info *sa;
+	
+	memset(&request, 0, sizeof(request));
+	
+	DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%d}", ntohl(spi), reqid);
+
+	hdr = (struct nlmsghdr*)request;
+	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
+	hdr->nlmsg_type = replace ? XFRM_MSG_UPDSA : XFRM_MSG_NEWSA;
+	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
+	
+	sa = (struct xfrm_usersa_info*)NLMSG_DATA(hdr);
+	host2xfrm(src, &sa->saddr);
+	host2xfrm(dst, &sa->id.daddr);
+	sa->id.spi = spi;
+	sa->id.proto = proto_ike2kernel(protocol);
+	sa->family = src->get_family(src);
+	sa->mode = mode;
+	if (mode == MODE_TUNNEL)
+	{
+		sa->flags |= XFRM_STATE_AF_UNSPEC;
+	}
+	sa->replay_window = (protocol == IPPROTO_COMP) ? 0 : 32;
+	sa->reqid = reqid;
+	/* we currently do not expire SAs by volume/packet count */
+	sa->lft.soft_byte_limit = XFRM_INF;
+	sa->lft.hard_byte_limit = XFRM_INF;
+	sa->lft.soft_packet_limit = XFRM_INF;
+	sa->lft.hard_packet_limit = XFRM_INF;
+	/* we use lifetimes since added, not since used */
+	sa->lft.soft_add_expires_seconds = expire_soft;
+	sa->lft.hard_add_expires_seconds = expire_hard;
+	sa->lft.soft_use_expires_seconds = 0;
+	sa->lft.hard_use_expires_seconds = 0;
+	
+	struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_usersa_info);
+	
+	switch (enc_alg)
+	{
+		case ENCR_UNDEFINED:
+			/* no encryption */
+			break;
+		case ENCR_AES_CCM_ICV8:
+		case ENCR_AES_CCM_ICV12:
+		case ENCR_AES_CCM_ICV16:
+			/* AES-CCM needs only 3 additional octets KEYMAT as of RFC 4309 7.1. */
+			add_keymat = 24;
+			/* fall-through */
+		case ENCR_AES_GCM_ICV8:
+		case ENCR_AES_GCM_ICV12:
+		case ENCR_AES_GCM_ICV16:
+		{
+			u_int16_t icv_size = 0;
+			rthdr->rta_type = XFRMA_ALG_AEAD;
+			alg_name = lookup_algorithm(encryption_algs, enc_alg, &icv_size);
+			if (alg_name == NULL)
+			{
+				DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
+					 encryption_algorithm_names, enc_alg);
+				return FAILED;
+			}
+			DBG2(DBG_KNL, "  using encryption algorithm %N with key size %d",
+				 encryption_algorithm_names, enc_alg, enc_size);
+			
+			/* additional KEYMAT required */
+			enc_size += add_keymat;
+			
+			rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo_aead) + enc_size / 8);
+			hdr->nlmsg_len += rthdr->rta_len;
+			if (hdr->nlmsg_len > sizeof(request))
+			{
+				return FAILED;
+			}
+			
+			struct xfrm_algo_aead* algo = (struct xfrm_algo_aead*)RTA_DATA(rthdr);
+			algo->alg_key_len = enc_size;
+			algo->alg_icv_len = icv_size;
+			strcpy(algo->alg_name, alg_name);
+			prf_plus->get_bytes(prf_plus, enc_size / 8, algo->alg_key);
+			
+			rthdr = XFRM_RTA_NEXT(rthdr);
+			break;
+		}
+		default:
+		{
+			rthdr->rta_type = XFRMA_ALG_CRYPT;
+			alg_name = lookup_algorithm(encryption_algs, enc_alg, &enc_size);
+			if (alg_name == NULL)
+			{
+				DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
+					 encryption_algorithm_names, enc_alg);
+				return FAILED;
+			}
+			DBG2(DBG_KNL, "  using encryption algorithm %N with key size %d",
+				 encryption_algorithm_names, enc_alg, enc_size);
+			
+			rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + enc_size / 8);
+			hdr->nlmsg_len += rthdr->rta_len;
+			if (hdr->nlmsg_len > sizeof(request))
+			{
+				return FAILED;
+			}
+			
+			struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
+			algo->alg_key_len = enc_size;
+			strcpy(algo->alg_name, alg_name);
+			prf_plus->get_bytes(prf_plus, enc_size / 8, algo->alg_key);
+			
+			rthdr = XFRM_RTA_NEXT(rthdr);
+			break;
+		}
+	}
+		
+	if (int_alg  != AUTH_UNDEFINED)
+	{
+		rthdr->rta_type = XFRMA_ALG_AUTH;
+		alg_name = lookup_algorithm(integrity_algs, int_alg, &int_size);
+		if (alg_name == NULL)
+		{
+			DBG1(DBG_KNL, "algorithm %N not supported by kernel!", 
+				 integrity_algorithm_names, int_alg);
+			return FAILED;
+		}
+		DBG2(DBG_KNL, "  using integrity algorithm %N with key size %d",
+			 integrity_algorithm_names, int_alg, int_size);
+		
+		rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + int_size / 8);
+		hdr->nlmsg_len += rthdr->rta_len;
+		if (hdr->nlmsg_len > sizeof(request))
+		{
+			return FAILED;
+		}
+		
+		struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
+		algo->alg_key_len = int_size;
+		strcpy(algo->alg_name, alg_name);
+		prf_plus->get_bytes(prf_plus, int_size / 8, algo->alg_key);
+		
+		rthdr = XFRM_RTA_NEXT(rthdr);
+	}
+	
+	if (ipcomp != IPCOMP_NONE)
+	{
+		rthdr->rta_type = XFRMA_ALG_COMP;
+		alg_name = lookup_algorithm(compression_algs, ipcomp, NULL);
+		if (alg_name == NULL)
+		{
+			DBG1(DBG_KNL, "algorithm %N not supported by kernel!", 
+				 ipcomp_transform_names, ipcomp);
+			return FAILED;
+		}
+		DBG2(DBG_KNL, "  using compression algorithm %N",
+			 ipcomp_transform_names, ipcomp);
+		
+		rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo));
+		hdr->nlmsg_len += rthdr->rta_len;
+		if (hdr->nlmsg_len > sizeof(request))
+		{
+			return FAILED;
+		}
+		
+		struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
+		algo->alg_key_len = 0;
+		strcpy(algo->alg_name, alg_name);
+		
+		rthdr = XFRM_RTA_NEXT(rthdr);
+	}
+	
+	if (encap)
+	{
+		rthdr->rta_type = XFRMA_ENCAP;
+		rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_encap_tmpl));
+
+		hdr->nlmsg_len += rthdr->rta_len;
+		if (hdr->nlmsg_len > sizeof(request))
+		{
+			return FAILED;
+		}
+
+		struct xfrm_encap_tmpl* tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rthdr);
+		tmpl->encap_type = UDP_ENCAP_ESPINUDP;
+		tmpl->encap_sport = htons(src->get_port(src));
+		tmpl->encap_dport = htons(dst->get_port(dst));
+		memset(&tmpl->encap_oa, 0, sizeof (xfrm_address_t));
+		/* encap_oa could probably be derived from the 
+		 * traffic selectors [rfc4306, p39]. In the netlink kernel implementation 
+		 * pluto does the same as we do here but it uses encap_oa in the 
+		 * pfkey implementation. BUT as /usr/src/linux/net/key/af_key.c indicates 
+		 * the kernel ignores it anyway
+		 *   -> does that mean that NAT-T encap doesn't work in transport mode?
+		 * No. The reason the kernel ignores NAT-OA is that it recomputes 
+		 * (or, rather, just ignores) the checksum. If packets pass
+		 * the IPsec checks it marks them "checksum ok" so OA isn't needed. */
+		rthdr = XFRM_RTA_NEXT(rthdr);
+	}
+	
+	if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x", ntohl(spi));
+		return FAILED;
+	}
+	return SUCCESS;
+}
+
+/**
+ * Get the replay state (i.e. sequence numbers) of an SA.
+ */
+static status_t get_replay_state(private_kernel_netlink_ipsec_t *this,
+						  u_int32_t spi, protocol_id_t protocol, host_t *dst,
+						  struct xfrm_replay_state *replay)
+{
+	unsigned char request[NETLINK_BUFFER_SIZE];
+	struct nlmsghdr *hdr, *out = NULL;
+	struct xfrm_aevent_id *out_aevent = NULL, *aevent_id;
+	size_t len;
+	struct rtattr *rta;
+	size_t rtasize;
+	
+	memset(&request, 0, sizeof(request));
+	
+	DBG2(DBG_KNL, "querying replay state from SAD entry with SPI %.8x", ntohl(spi));
+
+	hdr = (struct nlmsghdr*)request;
+	hdr->nlmsg_flags = NLM_F_REQUEST;
+	hdr->nlmsg_type = XFRM_MSG_GETAE;
+	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_aevent_id));
+
+	aevent_id = (struct xfrm_aevent_id*)NLMSG_DATA(hdr);
+	aevent_id->flags = XFRM_AE_RVAL;
+	
+	host2xfrm(dst, &aevent_id->sa_id.daddr);
+	aevent_id->sa_id.spi = spi;
+	aevent_id->sa_id.proto = proto_ike2kernel(protocol);
+	aevent_id->sa_id.family = dst->get_family(dst);
+	
+	if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
+	{
+		hdr = out;
+		while (NLMSG_OK(hdr, len))
+		{
+			switch (hdr->nlmsg_type)
+			{
+				case XFRM_MSG_NEWAE:
+				{
+					out_aevent = NLMSG_DATA(hdr);
+					break;
+				}
+				case NLMSG_ERROR:
+				{
+					struct nlmsgerr *err = NLMSG_DATA(hdr);
+					DBG1(DBG_KNL, "querying replay state from SAD entry failed: %s (%d)",
+						 strerror(-err->error), -err->error);
+					break;
+				}
+				default:
+					hdr = NLMSG_NEXT(hdr, len);
+					continue;
+				case NLMSG_DONE:
+					break;
+			}
+			break;
+		}
+	}
+	
+	if (out_aevent == NULL)
+	{
+		DBG1(DBG_KNL, "unable to query replay state from SAD entry with SPI %.8x",
+					  ntohl(spi));
+		free(out);
+		return FAILED;
+	}
+	
+	rta = XFRM_RTA(out, struct xfrm_aevent_id);
+	rtasize = XFRM_PAYLOAD(out, struct xfrm_aevent_id);
+	while(RTA_OK(rta, rtasize))
+	{
+		if (rta->rta_type == XFRMA_REPLAY_VAL)
+		{
+			memcpy(replay, RTA_DATA(rta), rta->rta_len);
+			free(out);
+			return SUCCESS;
+		}
+		rta = RTA_NEXT(rta, rtasize);
+	}
+	
+	DBG1(DBG_KNL, "unable to query replay state from SAD entry with SPI %.8x",
+				  ntohl(spi));
+	free(out);
+	return FAILED;
+}
+
+/**
+ * Implementation of kernel_interface_t.update_sa.
+ */
+static status_t update_sa(private_kernel_netlink_ipsec_t *this,
+						  u_int32_t spi, protocol_id_t protocol,
+						  host_t *src, host_t *dst,
+						  host_t *new_src, host_t *new_dst, bool encap)
+{
+	unsigned char request[NETLINK_BUFFER_SIZE], *pos;
+	struct nlmsghdr *hdr, *out = NULL;
+	struct xfrm_usersa_id *sa_id;
+	struct xfrm_usersa_info *out_sa = NULL, *sa;
+	size_t len;
+	struct rtattr *rta;
+	size_t rtasize;
+	struct xfrm_encap_tmpl* tmpl = NULL;
+	bool got_replay_state;
+	struct xfrm_replay_state replay;
+	
+	memset(&request, 0, sizeof(request));
+	
+	DBG2(DBG_KNL, "querying SAD entry with SPI %.8x for update", ntohl(spi));
+
+	/* query the existing SA first */
+	hdr = (struct nlmsghdr*)request;
+	hdr->nlmsg_flags = NLM_F_REQUEST;
+	hdr->nlmsg_type = XFRM_MSG_GETSA;
+	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
+
+	sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
+	host2xfrm(dst, &sa_id->daddr);
+	sa_id->spi = spi;
+	sa_id->proto = proto_ike2kernel(protocol);
+	sa_id->family = dst->get_family(dst);
+	
+	if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
+	{
+		hdr = out;
+		while (NLMSG_OK(hdr, len))
+		{
+			switch (hdr->nlmsg_type)
+			{
+				case XFRM_MSG_NEWSA:
+				{
+					out_sa = NLMSG_DATA(hdr);
+					break;
+				}
+				case NLMSG_ERROR:
+				{
+					struct nlmsgerr *err = NLMSG_DATA(hdr);
+					DBG1(DBG_KNL, "querying SAD entry failed: %s (%d)",
+						 strerror(-err->error), -err->error);
+					break;
+				}
+				default:
+					hdr = NLMSG_NEXT(hdr, len);
+					continue;
+				case NLMSG_DONE:
+					break;
+			}
+			break;
+		}
+	}
+	if (out_sa == NULL)
+	{
+		DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi));
+		free(out);
+		return FAILED;
+	}
+	
+	/* try to get the replay state */
+	got_replay_state = (get_replay_state(
+						this, spi, protocol, dst, &replay) == SUCCESS);
+	
+	/* delete the old SA */
+	if (this->public.interface.del_sa(&this->public.interface, dst, spi, protocol) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "unable to delete old SAD entry with SPI %.8x", ntohl(spi));
+		free(out);
+		return FAILED;
+	}
+	
+	DBG2(DBG_KNL, "updating SAD entry with SPI %.8x from %#H..%#H to %#H..%#H",
+		 ntohl(spi), src, dst, new_src, new_dst);
+	
+	/* copy over the SA from out to request */
+	hdr = (struct nlmsghdr*)request;
+	memcpy(hdr, out, min(out->nlmsg_len, sizeof(request)));
+	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;	
+	hdr->nlmsg_type = XFRM_MSG_NEWSA;
+	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
+	sa = NLMSG_DATA(hdr);
+	sa->family = new_dst->get_family(new_dst);
+	
+	if (!src->ip_equals(src, new_src))
+	{
+		host2xfrm(new_src, &sa->saddr);
+	}
+	if (!dst->ip_equals(dst, new_dst))
+	{
+		host2xfrm(new_dst, &sa->id.daddr);
+	}
+	
+	rta = XFRM_RTA(out, struct xfrm_usersa_info);
+	rtasize = XFRM_PAYLOAD(out, struct xfrm_usersa_info);
+	pos = (u_char*)XFRM_RTA(hdr, struct xfrm_usersa_info);
+	while(RTA_OK(rta, rtasize))
+	{
+		/* copy all attributes, but not XFRMA_ENCAP if we are disabling it */
+		if (rta->rta_type != XFRMA_ENCAP || encap)
+		{
+			if (rta->rta_type == XFRMA_ENCAP)
+			{	/* update encap tmpl */
+				tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rta);
+				tmpl->encap_sport = ntohs(new_src->get_port(new_src));
+				tmpl->encap_dport = ntohs(new_dst->get_port(new_dst));
+			}	
+			memcpy(pos, rta, rta->rta_len);
+			pos += RTA_ALIGN(rta->rta_len);
+			hdr->nlmsg_len += RTA_ALIGN(rta->rta_len);
+		}
+		rta = RTA_NEXT(rta, rtasize);
+	}
+	
+	rta = (struct rtattr*)pos;
+	if (tmpl == NULL && encap)
+	{	/* add tmpl if we are enabling it */
+		rta->rta_type = XFRMA_ENCAP;
+		rta->rta_len = RTA_LENGTH(sizeof(struct xfrm_encap_tmpl));
+		
+		hdr->nlmsg_len += rta->rta_len;
+		if (hdr->nlmsg_len > sizeof(request))
+		{
+			return FAILED;
+		}
+		
+		tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rta);
+		tmpl->encap_type = UDP_ENCAP_ESPINUDP;
+		tmpl->encap_sport = ntohs(new_src->get_port(new_src));
+		tmpl->encap_dport = ntohs(new_dst->get_port(new_dst));
+		memset(&tmpl->encap_oa, 0, sizeof (xfrm_address_t));
+		
+		rta = XFRM_RTA_NEXT(rta);
+	}
+	
+	if (got_replay_state)
+	{	/* copy the replay data if available */
+		rta->rta_type = XFRMA_REPLAY_VAL;
+		rta->rta_len = RTA_LENGTH(sizeof(struct xfrm_replay_state));
+		
+		hdr->nlmsg_len += rta->rta_len;
+		if (hdr->nlmsg_len > sizeof(request))
+		{
+			return FAILED;
+		}
+		memcpy(RTA_DATA(rta), &replay, sizeof(replay));
+		
+		rta = XFRM_RTA_NEXT(rta);
+	}
+	
+	if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi));
+		free(out);
+		return FAILED;
+	}
+	free(out);
+	
+	return SUCCESS;
+}
+
+/**
+ * Implementation of kernel_interface_t.query_sa.
+ */
+static status_t query_sa(private_kernel_netlink_ipsec_t *this, host_t *dst,
+						 u_int32_t spi, protocol_id_t protocol,
+						 u_int32_t *use_time)
+{
+	unsigned char request[NETLINK_BUFFER_SIZE];
+	struct nlmsghdr *out = NULL, *hdr;
+	struct xfrm_usersa_id *sa_id;
+	struct xfrm_usersa_info *sa = NULL;
+	size_t len;
+	
+	DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi));
+	memset(&request, 0, sizeof(request));
+	
+	hdr = (struct nlmsghdr*)request;
+	hdr->nlmsg_flags = NLM_F_REQUEST;
+	hdr->nlmsg_type = XFRM_MSG_GETSA;
+	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
+
+	sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
+	host2xfrm(dst, &sa_id->daddr);
+	sa_id->spi = spi;
+	sa_id->proto = proto_ike2kernel(protocol);
+	sa_id->family = dst->get_family(dst);
+	
+	if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
+	{
+		hdr = out;
+		while (NLMSG_OK(hdr, len))
+		{
+			switch (hdr->nlmsg_type)
+			{
+				case XFRM_MSG_NEWSA:
+				{
+					sa = NLMSG_DATA(hdr);
+					break;
+				}
+				case NLMSG_ERROR:
+				{
+					struct nlmsgerr *err = NLMSG_DATA(hdr);
+					DBG1(DBG_KNL, "querying SAD entry failed: %s (%d)",
+						 strerror(-err->error), -err->error);
+					break;
+				}
+				default:
+					hdr = NLMSG_NEXT(hdr, len);
+					continue;
+				case NLMSG_DONE:
+					break;
+			}
+			break;
+		}
+	}
+	
+	if (sa == NULL)
+	{
+		DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi));
+		free(out);
+		return FAILED;
+	}
+	
+	*use_time = sa->curlft.use_time;
+	free (out);
+	return SUCCESS;
+}
+
+/**
+ * Implementation of kernel_interface_t.del_sa.
+ */
+static status_t del_sa(private_kernel_netlink_ipsec_t *this, host_t *dst,
+					   u_int32_t spi, protocol_id_t protocol)
+{
+	unsigned char request[NETLINK_BUFFER_SIZE];
+	struct nlmsghdr *hdr;
+	struct xfrm_usersa_id *sa_id;
+	
+	memset(&request, 0, sizeof(request));
+	
+	DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x", ntohl(spi));
+	
+	hdr = (struct nlmsghdr*)request;
+	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
+	hdr->nlmsg_type = XFRM_MSG_DELSA;
+	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
+	
+	sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
+	host2xfrm(dst, &sa_id->daddr);
+	sa_id->spi = spi;
+	sa_id->proto = proto_ike2kernel(protocol);
+	sa_id->family = dst->get_family(dst);
+	
+	if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x", ntohl(spi));
+		return FAILED;
+	}
+	DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x", ntohl(spi));
+	return SUCCESS;
+}
+
+/**
+ * Implementation of kernel_interface_t.add_policy.
+ */
+static status_t add_policy(private_kernel_netlink_ipsec_t *this, 
+						   host_t *src, host_t *dst,
+						   traffic_selector_t *src_ts,
+						   traffic_selector_t *dst_ts,
+						   policy_dir_t direction, protocol_id_t protocol,
+						   u_int32_t reqid, bool high_prio, ipsec_mode_t mode,
+						   u_int16_t ipcomp)
+{
+	iterator_t *iterator;
+	policy_entry_t *current, *policy;
+	bool found = FALSE;
+	unsigned char request[NETLINK_BUFFER_SIZE];
+	struct xfrm_userpolicy_info *policy_info;
+	struct nlmsghdr *hdr;
+	
+	/* create a policy */
+	policy = malloc_thing(policy_entry_t);
+	memset(policy, 0, sizeof(policy_entry_t));
+	policy->sel = ts2selector(src_ts, dst_ts);
+	policy->direction = direction;
+	
+	/* find the policy, which matches EXACTLY */
+	pthread_mutex_lock(&this->mutex);
+	iterator = this->policies->create_iterator(this->policies, TRUE);
+	while (iterator->iterate(iterator, (void**)&current))
+	{
+		if (memeq(&current->sel, &policy->sel, sizeof(struct xfrm_selector)) &&
+			policy->direction == current->direction)
+		{
+			/* use existing policy */
+			current->refcount++;
+			DBG2(DBG_KNL, "policy %R === %R %N already exists, increasing "
+						  "refcount", src_ts, dst_ts,
+						   policy_dir_names, direction);
+			free(policy);
+			policy = current;
+			found = TRUE;
+			break;
+		}
+	}
+	iterator->destroy(iterator);
+	if (!found)
+	{	/* apply the new one, if we have no such policy */
+		this->policies->insert_last(this->policies, policy);
+		policy->refcount = 1;
+	}
+	
+	DBG2(DBG_KNL, "adding policy %R === %R %N", src_ts, dst_ts,
+				   policy_dir_names, direction);
+	
+	memset(&request, 0, sizeof(request));
+	hdr = (struct nlmsghdr*)request;
+	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
+	hdr->nlmsg_type = found ? XFRM_MSG_UPDPOLICY : XFRM_MSG_NEWPOLICY;
+	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_info));
+
+	policy_info = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr);
+	policy_info->sel = policy->sel;
+	policy_info->dir = policy->direction;
+	/* calculate priority based on source selector size, small size = high prio */
+	policy_info->priority = high_prio ? PRIO_HIGH : PRIO_LOW;
+	policy_info->priority -= policy->sel.prefixlen_s * 10;
+	policy_info->priority -= policy->sel.proto ? 2 : 0;
+	policy_info->priority -= policy->sel.sport_mask ? 1 : 0;
+	policy_info->action = XFRM_POLICY_ALLOW;
+	policy_info->share = XFRM_SHARE_ANY;
+	pthread_mutex_unlock(&this->mutex);
+	
+	/* policies don't expire */
+	policy_info->lft.soft_byte_limit = XFRM_INF;
+	policy_info->lft.soft_packet_limit = XFRM_INF;
+	policy_info->lft.hard_byte_limit = XFRM_INF;
+	policy_info->lft.hard_packet_limit = XFRM_INF;
+	policy_info->lft.soft_add_expires_seconds = 0;
+	policy_info->lft.hard_add_expires_seconds = 0;
+	policy_info->lft.soft_use_expires_seconds = 0;
+	policy_info->lft.hard_use_expires_seconds = 0;
+	
+	struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_userpolicy_info);
+	rthdr->rta_type = XFRMA_TMPL;
+	rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_user_tmpl));
+	
+	hdr->nlmsg_len += rthdr->rta_len;
+	if (hdr->nlmsg_len > sizeof(request))
+	{
+		return FAILED;
+	}
+	
+	struct xfrm_user_tmpl *tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rthdr);
+	
+	if (ipcomp != IPCOMP_NONE)
+	{
+		tmpl->reqid = reqid;
+		tmpl->id.proto = IPPROTO_COMP;
+		tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
+		tmpl->mode = mode;
+		tmpl->optional = direction != POLICY_OUT;
+		tmpl->family = src->get_family(src);
+		
+		host2xfrm(src, &tmpl->saddr);
+		host2xfrm(dst, &tmpl->id.daddr);
+		
+		/* add an additional xfrm_user_tmpl */
+		rthdr->rta_len += RTA_LENGTH(sizeof(struct xfrm_user_tmpl));
+		hdr->nlmsg_len += RTA_LENGTH(sizeof(struct xfrm_user_tmpl));
+		if (hdr->nlmsg_len > sizeof(request))
+		{
+			return FAILED;
+		}
+		
+		tmpl++;
+	}
+	
+	tmpl->reqid = reqid;
+	tmpl->id.proto = proto_ike2kernel(protocol);
+	tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
+	tmpl->mode = mode;
+	tmpl->family = src->get_family(src);
+	
+	host2xfrm(src, &tmpl->saddr);
+	host2xfrm(dst, &tmpl->id.daddr);
+	
+	if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "unable to add policy %R === %R %N", src_ts, dst_ts,
+					   policy_dir_names, direction);
+		return FAILED;
+	}
+	
+	/* install a route, if:
+	 * - we are NOT updating a policy
+	 * - this is a forward policy (to just get one for each child)
+	 * - we are in tunnel mode
+	 * - we are not using IPv6 (does not work correctly yet!)
+	 * - routing is not disabled via strongswan.conf
+	 */
+	if (policy->route == NULL && direction == POLICY_FWD &&
+		mode != MODE_TRANSPORT && src->get_family(src) != AF_INET6 &&
+		this->install_routes)
+	{
+		route_entry_t *route = malloc_thing(route_entry_t);
+		
+		if (get_address_by_ts(this, dst_ts, &route->src_ip) == SUCCESS)
+		{
+			/* get the nexthop to src (src as we are in POLICY_FWD).*/
+			route->gateway = charon->kernel_interface->get_nexthop(
+									charon->kernel_interface, src);
+			route->if_name = charon->kernel_interface->get_interface(
+									charon->kernel_interface, dst);
+			route->dst_net = chunk_alloc(policy->sel.family == AF_INET ? 4 : 16);
+			memcpy(route->dst_net.ptr, &policy->sel.saddr, route->dst_net.len);
+			route->prefixlen = policy->sel.prefixlen_s;
+			
+			switch (charon->kernel_interface->add_route(charon->kernel_interface,
+					route->dst_net, route->prefixlen, route->gateway,
+					route->src_ip, route->if_name))
+			{
+				default:
+					DBG1(DBG_KNL, "unable to install source route for %H",
+						 route->src_ip);
+					/* FALL */
+				case ALREADY_DONE:
+					/* route exists, do not uninstall */
+					route_entry_destroy(route);
+					break;
+				case SUCCESS:
+					/* cache the installed route */
+					policy->route = route;
+					break;
+			}
+		}
+		else
+		{
+			free(route);
+		}
+	}
+
+	return SUCCESS;
+}
+
+/**
+ * Implementation of kernel_interface_t.query_policy.
+ */
+static status_t query_policy(private_kernel_netlink_ipsec_t *this,
+							 traffic_selector_t *src_ts, 
+							 traffic_selector_t *dst_ts,
+							 policy_dir_t direction, u_int32_t *use_time)
+{
+	unsigned char request[NETLINK_BUFFER_SIZE];
+	struct nlmsghdr *out = NULL, *hdr;
+	struct xfrm_userpolicy_id *policy_id;
+	struct xfrm_userpolicy_info *policy = NULL;
+	size_t len;
+	
+	memset(&request, 0, sizeof(request));
+	
+	DBG2(DBG_KNL, "querying policy %R === %R %N", src_ts, dst_ts,
+				   policy_dir_names, direction);
+
+	hdr = (struct nlmsghdr*)request;
+	hdr->nlmsg_flags = NLM_F_REQUEST;
+	hdr->nlmsg_type = XFRM_MSG_GETPOLICY;
+	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
+
+	policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
+	policy_id->sel = ts2selector(src_ts, dst_ts);
+	policy_id->dir = direction;
+	
+	if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
+	{
+		hdr = out;
+		while (NLMSG_OK(hdr, len))
+		{
+			switch (hdr->nlmsg_type)
+			{
+				case XFRM_MSG_NEWPOLICY:
+				{
+					policy = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr);
+					break;
+				}
+				case NLMSG_ERROR:
+				{
+					struct nlmsgerr *err = NLMSG_DATA(hdr);
+					DBG1(DBG_KNL, "querying policy failed: %s (%d)",
+						 strerror(-err->error), -err->error);
+					break;
+				}
+				default:
+					hdr = NLMSG_NEXT(hdr, len);
+					continue;
+				case NLMSG_DONE:
+					break;
+			}
+			break;
+		}
+	}
+	
+	if (policy == NULL)
+	{
+		DBG2(DBG_KNL, "unable to query policy %R === %R %N", src_ts, dst_ts,
+					   policy_dir_names, direction);
+		free(out);
+		return FAILED;
+	}
+	*use_time = (time_t)policy->curlft.use_time;
+	
+	free(out);
+	return SUCCESS;
+}
+
+/**
+ * Implementation of kernel_interface_t.del_policy.
+ */
+static status_t del_policy(private_kernel_netlink_ipsec_t *this,
+						   traffic_selector_t *src_ts, 
+						   traffic_selector_t *dst_ts,
+						   policy_dir_t direction)
+{
+	policy_entry_t *current, policy, *to_delete = NULL;
+	route_entry_t *route;
+	unsigned char request[NETLINK_BUFFER_SIZE];
+	struct nlmsghdr *hdr;
+	struct xfrm_userpolicy_id *policy_id;
+	iterator_t *iterator;
+	
+	DBG2(DBG_KNL, "deleting policy %R === %R %N", src_ts, dst_ts,
+				   policy_dir_names, direction);
+	
+	/* create a policy */
+	memset(&policy, 0, sizeof(policy_entry_t));
+	policy.sel = ts2selector(src_ts, dst_ts);
+	policy.direction = direction;
+	
+	/* find the policy */
+	iterator = this->policies->create_iterator_locked(this->policies, &this->mutex);
+	while (iterator->iterate(iterator, (void**)&current))
+	{
+		if (memcmp(&current->sel, &policy.sel, sizeof(struct xfrm_selector)) == 0 &&
+			policy.direction == current->direction)
+		{
+			to_delete = current;
+			if (--to_delete->refcount > 0)
+			{
+				/* is used by more SAs, keep in kernel */
+				DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed");
+				iterator->destroy(iterator);
+				return SUCCESS;
+			}
+			/* remove if last reference */
+			iterator->remove(iterator);
+			break;
+		}
+	}
+	iterator->destroy(iterator);
+	if (!to_delete)
+	{
+		DBG1(DBG_KNL, "deleting policy %R === %R %N failed, not found", src_ts,
+					   dst_ts, policy_dir_names, direction);
+		return NOT_FOUND;
+	}
+	
+	memset(&request, 0, sizeof(request));
+	
+	hdr = (struct nlmsghdr*)request;
+	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
+	hdr->nlmsg_type = XFRM_MSG_DELPOLICY;
+	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
+
+	policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
+	policy_id->sel = to_delete->sel;
+	policy_id->dir = direction;
+	
+	route = to_delete->route;
+	free(to_delete);
+	
+	if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "unable to delete policy %R === %R %N", src_ts, dst_ts,
+					   policy_dir_names, direction);
+		return FAILED;
+	}
+
+	if (route)
+	{
+		if (charon->kernel_interface->del_route(charon->kernel_interface,
+				route->dst_net, route->prefixlen, route->gateway,
+				route->src_ip, route->if_name) != SUCCESS)
+		{
+			DBG1(DBG_KNL, "error uninstalling route installed with "
+						  "policy %R === %R %N", src_ts, dst_ts,
+						   policy_dir_names, direction);
+		}		
+		route_entry_destroy(route);
+	}
+	return SUCCESS;
+}
+
+/**
+ * Implementation of kernel_interface_t.destroy.
+ */
+static void destroy(private_kernel_netlink_ipsec_t *this)
+{
+	this->job->cancel(this->job);
+	close(this->socket_xfrm_events);
+	this->socket_xfrm->destroy(this->socket_xfrm);
+	this->policies->destroy(this->policies);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+kernel_netlink_ipsec_t *kernel_netlink_ipsec_create()
+{
+	private_kernel_netlink_ipsec_t *this = malloc_thing(private_kernel_netlink_ipsec_t);
+	struct sockaddr_nl addr;
+	
+	/* public functions */
+	this->public.interface.get_spi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,protocol_id_t,u_int32_t,u_int32_t*))get_spi;
+	this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
+	this->public.interface.add_sa  = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,u_int16_t,u_int16_t,u_int16_t,prf_plus_t*,ipsec_mode_t,u_int16_t,bool,bool))add_sa;
+	this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,host_t*,host_t*,host_t*,host_t*,bool))update_sa;
+	this->public.interface.query_sa = (status_t(*)(kernel_ipsec_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t*))query_sa;
+	this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,u_int32_t,protocol_id_t))del_sa;
+	this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,protocol_id_t,u_int32_t,bool,ipsec_mode_t,u_int16_t))add_policy;
+	this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
+	this->public.interface.del_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t))del_policy;
+	this->public.interface.destroy = (void(*)(kernel_ipsec_t*)) destroy;
+
+	/* private members */
+	this->policies = linked_list_create();
+	pthread_mutex_init(&this->mutex, NULL);
+	this->install_routes = lib->settings->get_bool(lib->settings,
+					"charon.install_routes", TRUE);
+	
+	this->socket_xfrm = netlink_socket_create(NETLINK_XFRM);
+	
+	memset(&addr, 0, sizeof(addr));
+	addr.nl_family = AF_NETLINK;
+	
+	/* create and bind XFRM socket for ACQUIRE & EXPIRE */
+	this->socket_xfrm_events = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);
+	if (this->socket_xfrm_events <= 0)
+	{
+		charon->kill(charon, "unable to create XFRM event socket");
+	}
+	addr.nl_groups = XFRMNLGRP(ACQUIRE) | XFRMNLGRP(EXPIRE) | XFRMNLGRP(MAPPING);
+	if (bind(this->socket_xfrm_events, (struct sockaddr*)&addr, sizeof(addr)))
+	{
+		charon->kill(charon, "unable to bind XFRM event socket");
+	}
+	
+	this->job = callback_job_create((callback_job_cb_t)receive_events,
+									this, NULL, NULL);
+	charon->processor->queue_job(charon->processor, (job_t*)this->job);
+	
+	return &this->public;
+}
diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.h b/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.h
new file mode 100644
index 000000000..a78004e09
--- /dev/null
+++ b/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.h
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id: kernel_netlink_ipsec.h 4358 2008-09-25 13:56:23Z tobias $
+ */
+
+/**
+ * @defgroup kernel_netlink_ipsec_i kernel_netlink_ipsec
+ * @{ @ingroup kernel_netlink
+ */
+
+#ifndef KERNEL_NETLINK_IPSEC_H_
+#define KERNEL_NETLINK_IPSEC_H_
+
+#include <kernel/kernel_ipsec.h>
+
+typedef struct kernel_netlink_ipsec_t kernel_netlink_ipsec_t;
+
+/**
+ * Implementation of the kernel ipsec interface using Netlink.
+ */
+struct kernel_netlink_ipsec_t {
+
+	/**
+	 * Implements kernel_ipsec_t interface
+	 */
+	kernel_ipsec_t interface;
+};
+
+/**
+ * Create a netlink kernel ipsec interface instance.
+ *
+ * @return			kernel_netlink_ipsec_t instance
+ */
+kernel_netlink_ipsec_t *kernel_netlink_ipsec_create();
+
+#endif /* KERNEL_NETLINK_IPSEC_H_ @} */
diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_net.c b/src/charon/plugins/kernel_netlink/kernel_netlink_net.c
new file mode 100644
index 000000000..d8bba9412
--- /dev/null
+++ b/src/charon/plugins/kernel_netlink/kernel_netlink_net.c
@@ -0,0 +1,1358 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2005-2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id: kernel_netlink_net.c 4391 2008-10-09 05:44:00Z andreas $
+ */
+
+#include <sys/socket.h>
+#include <linux/netlink.h>
+#include <linux/rtnetlink.h>
+#include <sys/time.h>
+#include <pthread.h>
+#include <unistd.h>
+#include <errno.h>
+#include <net/if.h>
+
+#include "kernel_netlink_net.h"
+#include "kernel_netlink_shared.h"
+
+#include <daemon.h>
+#include <utils/linked_list.h>
+#include <processing/jobs/callback_job.h>
+#include <processing/jobs/roam_job.h>
+
+/** delay before firing roam jobs (ms) */
+#define ROAM_DELAY 100
+
+/** routing table for routes installed by us */
+#ifndef IPSEC_ROUTING_TABLE
+#define IPSEC_ROUTING_TABLE 100
+#endif
+#ifndef IPSEC_ROUTING_TABLE_PRIO
+#define IPSEC_ROUTING_TABLE_PRIO 100
+#endif
+
+typedef struct addr_entry_t addr_entry_t;
+
+/**
+ * IP address in an inface_entry_t
+ */
+struct addr_entry_t {
+	
+	/** The ip address */
+	host_t *ip;
+	
+	/** virtual IP managed by us */
+	bool virtual;
+	
+	/** scope of the address */
+	u_char scope;
+	
+	/** Number of times this IP is used, if virtual */
+	u_int refcount;
+};
+
+/**
+ * destroy a addr_entry_t object
+ */
+static void addr_entry_destroy(addr_entry_t *this)
+{
+	this->ip->destroy(this->ip);
+	free(this);
+}
+
+typedef struct iface_entry_t iface_entry_t;
+
+/**
+ * A network interface on this system, containing addr_entry_t's
+ */
+struct iface_entry_t {
+	
+	/** interface index */
+	int ifindex;
+	
+	/** name of the interface */
+	char ifname[IFNAMSIZ];
+	
+	/** interface flags, as in netdevice(7) SIOCGIFFLAGS */
+	u_int flags;
+	
+	/** list of addresses as host_t */
+	linked_list_t *addrs;
+};
+
+/**
+ * destroy an interface entry
+ */
+static void iface_entry_destroy(iface_entry_t *this)
+{
+	this->addrs->destroy_function(this->addrs, (void*)addr_entry_destroy);
+	free(this);
+}
+
+typedef struct private_kernel_netlink_net_t private_kernel_netlink_net_t;
+
+/**
+ * Private variables and functions of kernel_netlink_net class.
+ */
+struct private_kernel_netlink_net_t {
+	/**
+	 * Public part of the kernel_netlink_net_t object.
+	 */
+	kernel_netlink_net_t public;
+	
+	/**
+	 * mutex to lock access to various lists
+	 */
+	pthread_mutex_t mutex;
+	
+	/**
+	 * condition variable to signal virtual IP add/removal
+	 */
+	pthread_cond_t cond;
+	
+	/**
+	 * Cached list of interfaces and its addresses (iface_entry_t)
+	 */
+	linked_list_t *ifaces;
+	 
+	/**
+	 * job receiving netlink events
+	 */
+	callback_job_t *job;
+	
+	/**
+	 * netlink rt socket (routing)
+	 */
+	netlink_socket_t *socket;
+	
+	/**
+	 * Netlink rt socket to receive address change events
+	 */
+	int socket_events;
+	
+	/**
+	 * time of the last roam_job
+	 */
+	struct timeval last_roam;
+	
+	/**
+	 * routing table to install routes
+	 */
+	int routing_table;
+	
+	/**
+	 * priority of used routing table
+	 */
+	int routing_table_prio;
+
+	/**
+	 * whether to react to RTM_NEWROUTE or RTM_DELROUTE events
+	 */
+	bool process_route;
+
+};
+
+/**
+ * get the refcount of a virtual ip
+ */
+static int get_vip_refcount(private_kernel_netlink_net_t *this, host_t* ip)
+{
+	iterator_t *ifaces, *addrs;
+	iface_entry_t *iface;
+	addr_entry_t *addr;
+	int refcount = 0;
+	
+	ifaces = this->ifaces->create_iterator(this->ifaces, TRUE);
+	while (ifaces->iterate(ifaces, (void**)&iface))
+	{
+		addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
+		while (addrs->iterate(addrs, (void**)&addr))
+		{
+			if (addr->virtual && (iface->flags & IFF_UP) &&
+				ip->ip_equals(ip, addr->ip))
+			{
+				refcount = addr->refcount;
+				break;
+			}
+		}
+		addrs->destroy(addrs);
+		if (refcount)
+		{
+			break;
+		}
+	}
+	ifaces->destroy(ifaces);
+	
+	return refcount;
+}
+
+/**
+ * start a roaming job. We delay it for a second and fire only one job
+ * for multiple events. Otherwise we would create two many jobs.
+ */
+static void fire_roam_job(private_kernel_netlink_net_t *this, bool address)
+{
+	struct timeval now;
+		
+	if (gettimeofday(&now, NULL) == 0)
+	{
+		if (timercmp(&now, &this->last_roam, >))
+		{
+			now.tv_usec += ROAM_DELAY * 1000;
+			while (now.tv_usec > 1000000)
+			{
+				now.tv_sec++;
+				now.tv_usec -= 1000000;
+			}
+			this->last_roam = now;
+			charon->scheduler->schedule_job(charon->scheduler,
+					(job_t*)roam_job_create(address), ROAM_DELAY);
+		}
+	}
+}
+
+/**
+ * process RTM_NEWLINK/RTM_DELLINK from kernel
+ */
+static void process_link(private_kernel_netlink_net_t *this,
+						 struct nlmsghdr *hdr, bool event)
+{
+	struct ifinfomsg* msg = (struct ifinfomsg*)(NLMSG_DATA(hdr));
+	struct rtattr *rta = IFLA_RTA(msg);
+	size_t rtasize = IFLA_PAYLOAD (hdr);
+	iterator_t *iterator;
+	iface_entry_t *current, *entry = NULL;
+	char *name = NULL;
+	bool update = FALSE;
+	
+	while(RTA_OK(rta, rtasize))
+	{
+		switch (rta->rta_type)
+		{
+			case IFLA_IFNAME:
+				name = RTA_DATA(rta);
+				break;
+		}
+		rta = RTA_NEXT(rta, rtasize);
+	}
+	if (!name)
+	{
+		name = "(unknown)";
+	}
+	
+	switch (hdr->nlmsg_type)
+	{
+		case RTM_NEWLINK:
+		{
+			if (msg->ifi_flags & IFF_LOOPBACK)
+			{	/* ignore loopback interfaces */
+				break;
+			}
+			iterator = this->ifaces->create_iterator_locked(this->ifaces,
+															&this->mutex);
+			while (iterator->iterate(iterator, (void**)&current))
+			{
+				if (current->ifindex == msg->ifi_index)
+				{
+					entry = current;
+					break;
+				}
+			}
+			if (!entry)
+			{
+				entry = malloc_thing(iface_entry_t);
+				entry->ifindex = msg->ifi_index;
+				entry->flags = 0;
+				entry->addrs = linked_list_create();
+				this->ifaces->insert_last(this->ifaces, entry);
+			}
+			memcpy(entry->ifname, name, IFNAMSIZ);
+			entry->ifname[IFNAMSIZ-1] = '\0';
+			if (event)
+			{
+				if (!(entry->flags & IFF_UP) && (msg->ifi_flags & IFF_UP))
+				{
+					update = TRUE;
+					DBG1(DBG_KNL, "interface %s activated", name);
+				}
+				if ((entry->flags & IFF_UP) && !(msg->ifi_flags & IFF_UP))
+				{
+					update = TRUE;
+					DBG1(DBG_KNL, "interface %s deactivated", name);
+				}
+			}
+			entry->flags = msg->ifi_flags;
+			iterator->destroy(iterator);
+			break;
+		}
+		case RTM_DELLINK:
+		{
+			iterator = this->ifaces->create_iterator_locked(this->ifaces,
+															&this->mutex);
+			while (iterator->iterate(iterator, (void**)&current))
+			{
+				if (current->ifindex == msg->ifi_index)
+				{
+					/* we do not remove it, as an address may be added to a 
+					 * "down" interface and we wan't to know that. */
+					current->flags = msg->ifi_flags;
+					break;
+				}
+			}
+			iterator->destroy(iterator);
+			break;
+		}
+	}
+	
+	/* send an update to all IKE_SAs */
+	if (update && event)
+	{
+		fire_roam_job(this, TRUE);
+	}
+}
+
+/**
+ * process RTM_NEWADDR/RTM_DELADDR from kernel
+ */
+static void process_addr(private_kernel_netlink_net_t *this,
+						 struct nlmsghdr *hdr, bool event)
+{
+	struct ifaddrmsg* msg = (struct ifaddrmsg*)(NLMSG_DATA(hdr));
+	struct rtattr *rta = IFA_RTA(msg);
+	size_t rtasize = IFA_PAYLOAD (hdr);
+	host_t *host = NULL;
+	iterator_t *ifaces, *addrs;
+	iface_entry_t *iface;
+	addr_entry_t *addr;
+	chunk_t local = chunk_empty, address = chunk_empty;
+	bool update = FALSE, found = FALSE, changed = FALSE;
+	
+	while(RTA_OK(rta, rtasize))
+	{
+		switch (rta->rta_type)
+		{
+			case IFA_LOCAL:
+				local.ptr = RTA_DATA(rta);
+				local.len = RTA_PAYLOAD(rta);
+				break;
+			case IFA_ADDRESS:
+				address.ptr = RTA_DATA(rta);
+				address.len = RTA_PAYLOAD(rta);
+				break;
+		}
+		rta = RTA_NEXT(rta, rtasize);
+	}
+	
+	/* For PPP interfaces, we need the IFA_LOCAL address,
+	 * IFA_ADDRESS is the peers address. But IFA_LOCAL is
+	 * not included in all cases (IPv6?), so fallback to IFA_ADDRESS. */
+	if (local.ptr)
+	{
+		host = host_create_from_chunk(msg->ifa_family, local, 0);
+	}
+	else if (address.ptr)
+	{
+		host = host_create_from_chunk(msg->ifa_family, address, 0);
+	}
+	
+	if (host == NULL)
+	{	/* bad family? */
+		return;
+	}
+	
+	ifaces = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
+	while (ifaces->iterate(ifaces, (void**)&iface))
+	{
+		if (iface->ifindex == msg->ifa_index)
+		{
+			addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
+			while (addrs->iterate(addrs, (void**)&addr))
+			{
+				if (host->ip_equals(host, addr->ip))
+				{
+					found = TRUE;
+					if (hdr->nlmsg_type == RTM_DELADDR)
+					{
+						addrs->remove(addrs);
+						if (!addr->virtual)
+						{
+							changed = TRUE;
+							DBG1(DBG_KNL, "%H disappeared from %s",
+								 host, iface->ifname);
+						}
+						addr_entry_destroy(addr);
+					}
+					else if (hdr->nlmsg_type == RTM_NEWADDR && addr->virtual)
+					{
+						addr->refcount = 1;
+					}
+				}
+			}
+			addrs->destroy(addrs);
+		
+			if (hdr->nlmsg_type == RTM_NEWADDR)
+			{
+				if (!found)
+				{
+					found = TRUE;
+					changed = TRUE;
+					addr = malloc_thing(addr_entry_t);
+					addr->ip = host->clone(host);
+					addr->virtual = FALSE;
+					addr->refcount = 1;
+					addr->scope = msg->ifa_scope;
+					
+					iface->addrs->insert_last(iface->addrs, addr);
+					if (event)
+					{
+						DBG1(DBG_KNL, "%H appeared on %s", host, iface->ifname);
+					}
+				}
+			}
+			if (found && (iface->flags & IFF_UP))
+			{
+				update = TRUE;
+			}
+			break;
+		}
+	}
+	ifaces->destroy(ifaces);
+	host->destroy(host);
+	
+	/* send an update to all IKE_SAs */
+	if (update && event && changed)
+	{
+		fire_roam_job(this, TRUE);
+	}
+}
+
+/**
+ * process RTM_NEWROUTE and RTM_DELROUTE from kernel
+ */
+static void process_route(private_kernel_netlink_net_t *this, struct nlmsghdr *hdr)
+{
+	struct rtmsg* msg = (struct rtmsg*)(NLMSG_DATA(hdr));
+	struct rtattr *rta = RTM_RTA(msg);
+	size_t rtasize = RTM_PAYLOAD(hdr);
+	host_t *host = NULL;
+	
+	/* ignore routes added by us */
+	if (msg->rtm_table && msg->rtm_table == this->routing_table)
+	{
+		return;
+	}
+	
+	while (RTA_OK(rta, rtasize))
+	{
+		switch (rta->rta_type)
+		{
+			case RTA_PREFSRC:
+				host = host_create_from_chunk(msg->rtm_family,
+							chunk_create(RTA_DATA(rta), RTA_PAYLOAD(rta)), 0);
+				break;
+		}
+		rta = RTA_NEXT(rta, rtasize);
+	}
+	if (host)
+	{
+		if (!get_vip_refcount(this, host))
+		{	/* ignore routes added for virtual IPs */
+			fire_roam_job(this, FALSE);
+		}
+		host->destroy(host);
+	}
+}
+
+/**
+ * Receives events from kernel
+ */
+static job_requeue_t receive_events(private_kernel_netlink_net_t *this)
+{
+	char response[1024];
+	struct nlmsghdr *hdr = (struct nlmsghdr*)response;
+	struct sockaddr_nl addr;
+	socklen_t addr_len = sizeof(addr);
+	int len, oldstate;
+
+	pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);	
+	len = recvfrom(this->socket_events, response, sizeof(response), 0,
+				   (struct sockaddr*)&addr, &addr_len);
+	pthread_setcancelstate(oldstate, NULL);
+	
+	if (len < 0)
+	{
+		switch (errno)
+		{
+			case EINTR:
+				/* interrupted, try again */
+				return JOB_REQUEUE_DIRECT;
+			case EAGAIN:
+				/* no data ready, select again */
+				return JOB_REQUEUE_DIRECT;
+			default:
+				DBG1(DBG_KNL, "unable to receive from rt event socket");
+				sleep(1);
+				return JOB_REQUEUE_FAIR;
+		}
+	}
+	
+	if (addr.nl_pid != 0)
+	{	/* not from kernel. not interested, try another one */
+		return JOB_REQUEUE_DIRECT;
+	}
+	
+	while (NLMSG_OK(hdr, len))
+	{
+		/* looks good so far, dispatch netlink message */
+		switch (hdr->nlmsg_type)
+		{
+			case RTM_NEWADDR:
+			case RTM_DELADDR:
+				process_addr(this, hdr, TRUE);
+				pthread_cond_broadcast(&this->cond);
+				break;
+			case RTM_NEWLINK:
+			case RTM_DELLINK:
+				process_link(this, hdr, TRUE);
+				pthread_cond_broadcast(&this->cond);
+				break;
+			case RTM_NEWROUTE:
+			case RTM_DELROUTE:
+				if (this->process_route)
+				{
+					process_route(this, hdr);
+				}
+				break;
+			default:
+				break;
+		}
+		hdr = NLMSG_NEXT(hdr, len);
+	}
+	return JOB_REQUEUE_DIRECT;
+}
+
+/** enumerator over addresses */
+typedef struct {
+	private_kernel_netlink_net_t* this;
+	/** whether to enumerate down interfaces */
+	bool include_down_ifaces;
+	/** whether to enumerate virtual ip addresses */ 
+	bool include_virtual_ips;
+} address_enumerator_t;
+
+/**
+ * cleanup function for address enumerator
+ */
+static void address_enumerator_destroy(address_enumerator_t *data)
+{
+	pthread_mutex_unlock(&data->this->mutex);
+	free(data);
+}
+
+/**
+ * filter for addresses
+ */
+static bool filter_addresses(address_enumerator_t *data, addr_entry_t** in, host_t** out)
+{
+	if (!data->include_virtual_ips && (*in)->virtual)
+	{	/* skip virtual interfaces added by us */
+		return FALSE;
+	}
+	if ((*in)->scope >= RT_SCOPE_LINK)
+	{	/* skip addresses with a unusable scope */
+		return FALSE;
+	}
+	*out = (*in)->ip;
+	return TRUE;
+}
+
+/**
+ * enumerator constructor for interfaces
+ */
+static enumerator_t *create_iface_enumerator(iface_entry_t *iface, address_enumerator_t *data)
+{
+	return enumerator_create_filter(iface->addrs->create_enumerator(iface->addrs),
+				(void*)filter_addresses, data, NULL);
+}
+
+/**
+ * filter for interfaces
+ */
+static bool filter_interfaces(address_enumerator_t *data, iface_entry_t** in, iface_entry_t** out)
+{
+	if (!data->include_down_ifaces && !((*in)->flags & IFF_UP))
+	{	/* skip interfaces not up */
+		return FALSE;
+	}
+	*out = *in;
+	return TRUE;
+}
+
+/**
+ * implementation of kernel_net_t.create_address_enumerator
+ */
+static enumerator_t *create_address_enumerator(private_kernel_netlink_net_t *this,
+		bool include_down_ifaces, bool include_virtual_ips)
+{
+	address_enumerator_t *data = malloc_thing(address_enumerator_t);
+	data->this = this;
+	data->include_down_ifaces = include_down_ifaces;
+	data->include_virtual_ips = include_virtual_ips;
+	
+	pthread_mutex_lock(&this->mutex);
+	return enumerator_create_nested(
+				enumerator_create_filter(this->ifaces->create_enumerator(this->ifaces),
+							(void*)filter_interfaces, data, NULL),
+				(void*)create_iface_enumerator, data, (void*)address_enumerator_destroy);
+}
+
+/**
+ * implementation of kernel_net_t.get_interface_name
+ */
+static char *get_interface_name(private_kernel_netlink_net_t *this, host_t* ip)
+{
+	iterator_t *ifaces, *addrs;
+	iface_entry_t *iface;
+	addr_entry_t *addr;
+	char *name = NULL;
+	
+	DBG2(DBG_KNL, "getting interface name for %H", ip);
+	
+	ifaces = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
+	while (ifaces->iterate(ifaces, (void**)&iface))
+	{
+		addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
+		while (addrs->iterate(addrs, (void**)&addr))
+		{
+			if (ip->ip_equals(ip, addr->ip))
+			{
+				name = strdup(iface->ifname);
+				break;
+			}
+		}
+		addrs->destroy(addrs);
+		if (name)
+		{
+			break;
+		}
+	}
+	ifaces->destroy(ifaces);
+	
+	if (name)
+	{
+		DBG2(DBG_KNL, "%H is on interface %s", ip, name);
+	}
+	else
+	{
+		DBG2(DBG_KNL, "%H is not a local address", ip);
+	}
+	return name;
+}
+
+/**
+ * get the index of an interface by name
+ */
+static int get_interface_index(private_kernel_netlink_net_t *this, char* name)
+{
+	iterator_t *ifaces;
+	iface_entry_t *iface;
+	int ifindex = 0;
+	
+	DBG2(DBG_KNL, "getting iface index for %s", name);
+	
+	ifaces = this->ifaces->create_iterator_locked(this->ifaces,	&this->mutex);
+	while (ifaces->iterate(ifaces, (void**)&iface))
+	{
+		if (streq(name, iface->ifname))
+		{
+			ifindex = iface->ifindex;
+			break;
+		}
+	}
+	ifaces->destroy(ifaces);
+
+	if (ifindex == 0)
+	{
+		DBG1(DBG_KNL, "unable to get interface index for %s", name);
+	}
+	return ifindex;
+}
+
+/**
+ * check if an address (chunk) addr is in subnet (net with net_len net bits)
+ */
+static bool addr_in_subnet(chunk_t addr, chunk_t net, int net_len)
+{
+	static const u_char mask[] = { 0x00, 0x80, 0xc0, 0xe0, 0xf0, 0xf8, 0xfc, 0xfe };
+	int byte = 0;
+
+	if (addr.len != net.len || net_len > 8 * net.len )
+	{
+		return FALSE;
+	}
+
+	/* scan through all bytes in network order */
+	while (net_len > 0)
+	{
+		if (net_len < 8)
+		{
+			return (mask[net_len] & addr.ptr[byte]) == (mask[net_len] & net.ptr[byte]);
+		}
+		else
+		{
+			if (addr.ptr[byte] != net.ptr[byte])
+			{
+				return FALSE;
+			}
+			byte++;
+			net_len -= 8;
+		}
+	}
+	return TRUE;
+}
+
+/**
+ * Get a route: If "nexthop", the nexthop is returned. source addr otherwise.
+ */
+static host_t *get_route(private_kernel_netlink_net_t *this, host_t *dest,
+						 bool nexthop, host_t *candidate)
+{
+	unsigned char request[NETLINK_BUFFER_SIZE];
+	struct nlmsghdr *hdr, *out, *current;
+	struct rtmsg *msg;
+	chunk_t chunk;
+	size_t len;
+	int best = -1;
+	host_t *src = NULL, *gtw = NULL;
+	
+	DBG2(DBG_KNL, "getting address to reach %H", dest);
+	
+	memset(&request, 0, sizeof(request));
+
+	hdr = (struct nlmsghdr*)request;
+	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_DUMP | NLM_F_ROOT;
+	hdr->nlmsg_type = RTM_GETROUTE;
+	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg));
+
+	msg = (struct rtmsg*)NLMSG_DATA(hdr);
+	msg->rtm_family = dest->get_family(dest);
+	
+	chunk = dest->get_address(dest);
+	netlink_add_attribute(hdr, RTA_DST, chunk, sizeof(request));
+	if (candidate)
+	{
+		chunk = candidate->get_address(candidate);
+		netlink_add_attribute(hdr, RTA_PREFSRC, chunk, sizeof(request));
+	}
+	
+	if (this->socket->send(this->socket, hdr, &out, &len) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "getting address to %H failed", dest);
+		return NULL;
+	}
+	current = out;
+	while (NLMSG_OK(current, len))
+	{
+		switch (current->nlmsg_type)
+		{
+			case NLMSG_DONE:
+				break;
+			case RTM_NEWROUTE:
+			{
+				struct rtattr *rta;
+				size_t rtasize;
+				chunk_t rta_gtw, rta_src, rta_dst;
+				u_int32_t rta_oif = 0;
+				
+				rta_gtw = rta_src = rta_dst = chunk_empty;
+				msg = (struct rtmsg*)(NLMSG_DATA(current));
+				rta = RTM_RTA(msg);
+				rtasize = RTM_PAYLOAD(current);
+				while (RTA_OK(rta, rtasize))
+				{
+					switch (rta->rta_type)
+					{
+						case RTA_PREFSRC:
+							rta_src = chunk_create(RTA_DATA(rta), RTA_PAYLOAD(rta));
+							break;
+						case RTA_GATEWAY:
+							rta_gtw = chunk_create(RTA_DATA(rta), RTA_PAYLOAD(rta));
+							break;
+						case RTA_DST:
+							rta_dst = chunk_create(RTA_DATA(rta), RTA_PAYLOAD(rta));
+							break;
+						case RTA_OIF:
+							if (RTA_PAYLOAD(rta) == sizeof(rta_oif))
+							{
+								rta_oif = *(u_int32_t*)RTA_DATA(rta);
+							}
+							break;
+					}
+					rta = RTA_NEXT(rta, rtasize);
+				}
+				
+				/* apply the route if:
+				 * - it is not from our own ipsec routing table
+				 * - is better than a previous one
+				 * - is the default route or
+				 * - its destination net contains our destination
+				 */
+				if ((this->routing_table == 0 ||msg->rtm_table != this->routing_table)
+					&&  msg->rtm_dst_len > best
+					&& (msg->rtm_dst_len == 0 || /* default route */
+					(rta_dst.ptr && addr_in_subnet(chunk, rta_dst, msg->rtm_dst_len))))
+				{
+					iterator_t *ifaces, *addrs;
+					iface_entry_t *iface;
+					addr_entry_t *addr;
+					
+					best = msg->rtm_dst_len;
+					if (nexthop)
+					{
+						DESTROY_IF(gtw);
+						gtw = host_create_from_chunk(msg->rtm_family, rta_gtw, 0);
+					}
+					else if (rta_src.ptr)
+					{
+						DESTROY_IF(src);
+						src = host_create_from_chunk(msg->rtm_family, rta_src, 0);
+						if (get_vip_refcount(this, src))
+						{	/* skip source address if it is installed by us */
+							DESTROY_IF(src);
+							src = NULL;
+							current = NLMSG_NEXT(current, len);
+							continue;
+						}
+					}
+					else
+					{
+						/* no source addr, get one from the interfaces */
+						ifaces = this->ifaces->create_iterator_locked(
+													this->ifaces, &this->mutex);
+						while (ifaces->iterate(ifaces, (void**)&iface))
+						{
+							if (iface->ifindex == rta_oif)
+							{
+								addrs = iface->addrs->create_iterator(
+															iface->addrs, TRUE);
+								while (addrs->iterate(addrs, (void**)&addr))
+								{
+									chunk_t ip = addr->ip->get_address(addr->ip);
+									if ((msg->rtm_dst_len == 0 && 
+										 addr->ip->get_family(addr->ip) ==
+										 	dest->get_family(dest)) ||
+										addr_in_subnet(ip, rta_dst, msg->rtm_dst_len))
+									{
+										DESTROY_IF(src);
+										src = addr->ip->clone(addr->ip);
+										break;
+									}
+								}
+								addrs->destroy(addrs);
+							}
+						}
+						ifaces->destroy(ifaces);
+					}
+				}
+				/* FALL through */
+			}
+			default:
+				current = NLMSG_NEXT(current, len);
+				continue;
+		}
+		break;
+	}
+	free(out);
+	
+	if (nexthop)
+	{
+		if (gtw)
+		{
+			return gtw;
+		}
+		return dest->clone(dest);
+	}
+	return src;
+}
+
+/**
+ * Implementation of kernel_net_t.get_source_addr.
+ */
+static host_t* get_source_addr(private_kernel_netlink_net_t *this,
+							   host_t *dest, host_t *src)
+{
+	return get_route(this, dest, FALSE, src);
+}
+
+/**
+ * Implementation of kernel_net_t.get_nexthop.
+ */
+static host_t* get_nexthop(private_kernel_netlink_net_t *this, host_t *dest)
+{
+	return get_route(this, dest, TRUE, NULL);
+}
+
+/**
+ * Manages the creation and deletion of ip addresses on an interface.
+ * By setting the appropriate nlmsg_type, the ip will be set or unset.
+ */
+static status_t manage_ipaddr(private_kernel_netlink_net_t *this, int nlmsg_type,
+							  int flags, int if_index, host_t *ip)
+{
+	unsigned char request[NETLINK_BUFFER_SIZE];
+	struct nlmsghdr *hdr;
+	struct ifaddrmsg *msg;
+	chunk_t chunk;
+	
+	memset(&request, 0, sizeof(request));
+	
+	chunk = ip->get_address(ip);
+    
+    hdr = (struct nlmsghdr*)request;
+	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags;
+	hdr->nlmsg_type = nlmsg_type; 
+	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct ifaddrmsg));
+	
+	msg = (struct ifaddrmsg*)NLMSG_DATA(hdr);
+    msg->ifa_family = ip->get_family(ip);
+    msg->ifa_flags = 0;
+    msg->ifa_prefixlen = 8 * chunk.len;
+    msg->ifa_scope = RT_SCOPE_UNIVERSE;
+    msg->ifa_index = if_index;
+	
+	netlink_add_attribute(hdr, IFA_LOCAL, chunk, sizeof(request));
+
+	return this->socket->send_ack(this->socket, hdr);
+}
+
+/**
+ * Implementation of kernel_net_t.add_ip.
+ */
+static status_t add_ip(private_kernel_netlink_net_t *this, 
+						host_t *virtual_ip, host_t *iface_ip)
+{
+	iface_entry_t *iface;
+	addr_entry_t *addr;
+	iterator_t *addrs, *ifaces;
+	int ifindex;
+
+	DBG2(DBG_KNL, "adding virtual IP %H", virtual_ip);
+	
+	ifaces = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
+	while (ifaces->iterate(ifaces, (void**)&iface))
+	{
+		bool iface_found = FALSE;
+	
+		addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
+		while (addrs->iterate(addrs, (void**)&addr))
+		{
+			if (iface_ip->ip_equals(iface_ip, addr->ip))
+			{
+				iface_found = TRUE;
+			}
+			else if (virtual_ip->ip_equals(virtual_ip, addr->ip))
+			{
+				addr->refcount++;
+				DBG2(DBG_KNL, "virtual IP %H already installed on %s",
+					 virtual_ip, iface->ifname);
+				addrs->destroy(addrs);
+				ifaces->destroy(ifaces);
+				return SUCCESS;
+			}
+		}
+		addrs->destroy(addrs);
+		
+		if (iface_found)
+		{
+			ifindex = iface->ifindex;
+			addr = malloc_thing(addr_entry_t);
+			addr->ip = virtual_ip->clone(virtual_ip);
+			addr->refcount = 0;
+			addr->virtual = TRUE;
+			addr->scope = RT_SCOPE_UNIVERSE;
+			iface->addrs->insert_last(iface->addrs, addr);
+			
+			if (manage_ipaddr(this, RTM_NEWADDR, NLM_F_CREATE | NLM_F_EXCL,
+							  ifindex, virtual_ip) == SUCCESS)
+			{
+				while (get_vip_refcount(this, virtual_ip) == 0)
+				{	/* wait until address appears */
+					pthread_cond_wait(&this->cond, &this->mutex);
+				}
+				ifaces->destroy(ifaces);
+				return SUCCESS;
+			}
+			ifaces->destroy(ifaces);
+			DBG1(DBG_KNL, "adding virtual IP %H failed", virtual_ip);
+			return FAILED;
+		}
+	}
+	ifaces->destroy(ifaces);
+	
+	DBG1(DBG_KNL, "interface address %H not found, unable to install"
+		 "virtual IP %H", iface_ip, virtual_ip);
+	return FAILED;
+}
+
+/**
+ * Implementation of kernel_net_t.del_ip.
+ */
+static status_t del_ip(private_kernel_netlink_net_t *this, host_t *virtual_ip)
+{
+	iface_entry_t *iface;
+	addr_entry_t *addr;
+	iterator_t *addrs, *ifaces;
+	status_t status;
+	int ifindex;
+
+	DBG2(DBG_KNL, "deleting virtual IP %H", virtual_ip);
+	
+	ifaces = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
+	while (ifaces->iterate(ifaces, (void**)&iface))
+	{
+		addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
+		while (addrs->iterate(addrs, (void**)&addr))
+		{
+			if (virtual_ip->ip_equals(virtual_ip, addr->ip))
+			{
+				ifindex = iface->ifindex;
+				if (addr->refcount == 1)
+				{
+					status = manage_ipaddr(this, RTM_DELADDR, 0,
+									  	   ifindex, virtual_ip);
+					if (status == SUCCESS)
+					{	/* wait until the address is really gone */
+						while (get_vip_refcount(this, virtual_ip) > 0)
+						{
+							pthread_cond_wait(&this->cond, &this->mutex);
+						}
+					}
+					addrs->destroy(addrs);
+					ifaces->destroy(ifaces);
+					return status;
+				}
+				else
+				{
+					addr->refcount--;
+				}
+				DBG2(DBG_KNL, "virtual IP %H used by other SAs, not deleting",
+					 virtual_ip);
+				addrs->destroy(addrs);
+				ifaces->destroy(ifaces);
+				return SUCCESS;
+			}
+		}
+		addrs->destroy(addrs);
+	}
+	ifaces->destroy(ifaces);
+	
+	DBG2(DBG_KNL, "virtual IP %H not cached, unable to delete", virtual_ip);
+	return FAILED;
+}
+
+/**
+ * Manages source routes in the routing table.
+ * By setting the appropriate nlmsg_type, the route gets added or removed.
+ */
+static status_t manage_srcroute(private_kernel_netlink_net_t *this, int nlmsg_type,
+								int flags, chunk_t dst_net, u_int8_t prefixlen,
+								host_t *gateway, host_t *src_ip, char *if_name)
+{
+	unsigned char request[NETLINK_BUFFER_SIZE];
+	struct nlmsghdr *hdr;
+	struct rtmsg *msg;
+	int ifindex;
+	chunk_t chunk;
+
+	/* if route is 0.0.0.0/0, we can't install it, as it would
+	 * overwrite the default route. Instead, we add two routes:
+	 * 0.0.0.0/1 and 128.0.0.0/1 */
+	if (this->routing_table == 0 && prefixlen == 0)
+	{
+		chunk_t half_net;
+		u_int8_t half_prefixlen;
+		status_t status;
+		
+		half_net = chunk_alloca(dst_net.len);
+		memset(half_net.ptr, 0, half_net.len);
+		half_prefixlen = 1;
+		
+		status = manage_srcroute(this, nlmsg_type, flags, half_net, half_prefixlen,
+					gateway, src_ip, if_name);
+		half_net.ptr[0] |= 0x80;
+		status = manage_srcroute(this, nlmsg_type, flags, half_net, half_prefixlen,
+					gateway, src_ip, if_name);
+		return status;
+	}
+	
+	memset(&request, 0, sizeof(request));
+
+	hdr = (struct nlmsghdr*)request;
+	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags;
+	hdr->nlmsg_type = nlmsg_type;
+	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg));
+
+	msg = (struct rtmsg*)NLMSG_DATA(hdr);
+	msg->rtm_family = src_ip->get_family(src_ip);
+	msg->rtm_dst_len = prefixlen;
+	msg->rtm_table = this->routing_table;
+	msg->rtm_protocol = RTPROT_STATIC;
+	msg->rtm_type = RTN_UNICAST;
+	msg->rtm_scope = RT_SCOPE_UNIVERSE;
+	
+	netlink_add_attribute(hdr, RTA_DST, dst_net, sizeof(request));
+	chunk = src_ip->get_address(src_ip);
+	netlink_add_attribute(hdr, RTA_PREFSRC, chunk, sizeof(request));
+	chunk = gateway->get_address(gateway);
+	netlink_add_attribute(hdr, RTA_GATEWAY, chunk, sizeof(request));
+	ifindex = get_interface_index(this, if_name);
+	chunk.ptr = (char*)&ifindex;
+	chunk.len = sizeof(ifindex);
+	netlink_add_attribute(hdr, RTA_OIF, chunk, sizeof(request));
+
+	return this->socket->send_ack(this->socket, hdr);
+}
+
+/**
+ * Implementation of kernel_net_t.add_route.
+ */
+status_t add_route(private_kernel_netlink_net_t *this, chunk_t dst_net,
+		u_int8_t prefixlen, host_t *gateway, host_t *src_ip, char *if_name)
+{
+	return manage_srcroute(this, RTM_NEWROUTE, NLM_F_CREATE | NLM_F_EXCL,
+				dst_net, prefixlen, gateway, src_ip, if_name);
+}
+	
+/**
+ * Implementation of kernel_net_t.del_route.
+ */
+status_t del_route(private_kernel_netlink_net_t *this, chunk_t dst_net,
+		u_int8_t prefixlen, host_t *gateway, host_t *src_ip, char *if_name)
+{
+	return manage_srcroute(this, RTM_DELROUTE, 0, dst_net, prefixlen,
+				gateway, src_ip, if_name);
+}
+
+/**
+ * Initialize a list of local addresses.
+ */
+static status_t init_address_list(private_kernel_netlink_net_t *this)
+{
+	char request[NETLINK_BUFFER_SIZE];
+	struct nlmsghdr *out, *current, *in;
+	struct rtgenmsg *msg;
+	size_t len;
+	iterator_t *ifaces, *addrs;
+	iface_entry_t *iface;
+	addr_entry_t *addr;
+	
+	DBG1(DBG_KNL, "listening on interfaces:");
+	
+	memset(&request, 0, sizeof(request));
+
+	in = (struct nlmsghdr*)&request;
+	in->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtgenmsg));
+	in->nlmsg_flags = NLM_F_REQUEST | NLM_F_MATCH | NLM_F_ROOT;
+	msg = (struct rtgenmsg*)NLMSG_DATA(in);
+	msg->rtgen_family = AF_UNSPEC;
+	
+	/* get all links */
+	in->nlmsg_type = RTM_GETLINK;
+	if (this->socket->send(this->socket, in, &out, &len) != SUCCESS)
+	{
+		return FAILED;
+	}
+	current = out;
+	while (NLMSG_OK(current, len))
+	{
+		switch (current->nlmsg_type)
+		{
+			case NLMSG_DONE:
+				break;
+			case RTM_NEWLINK:
+				process_link(this, current, FALSE);
+				/* fall through */
+			default:
+				current = NLMSG_NEXT(current, len);
+				continue;
+		}
+		break;
+	}
+	free(out);
+	
+	/* get all interface addresses */
+	in->nlmsg_type = RTM_GETADDR;
+	if (this->socket->send(this->socket, in, &out, &len) != SUCCESS)
+	{
+		return FAILED;
+	}
+	current = out;
+	while (NLMSG_OK(current, len))
+	{
+		switch (current->nlmsg_type)
+		{
+			case NLMSG_DONE:
+				break;
+			case RTM_NEWADDR:
+				process_addr(this, current, FALSE);
+				/* fall through */
+			default:
+				current = NLMSG_NEXT(current, len);
+				continue;
+		}
+		break;
+	}
+	free(out);
+	
+	ifaces = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
+	while (ifaces->iterate(ifaces, (void**)&iface))
+	{
+		if (iface->flags & IFF_UP)
+		{
+			DBG1(DBG_KNL, "  %s", iface->ifname);
+			addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
+			while (addrs->iterate(addrs, (void**)&addr))
+			{
+				DBG1(DBG_KNL, "    %H", addr->ip);
+			}
+			addrs->destroy(addrs);
+		}
+	}
+	ifaces->destroy(ifaces);
+	return SUCCESS;
+}
+
+/**
+ * create or delete a rule to use our routing table
+ */
+static status_t manage_rule(private_kernel_netlink_net_t *this, int nlmsg_type,
+							u_int32_t table, u_int32_t prio)
+{
+	unsigned char request[NETLINK_BUFFER_SIZE];
+	struct nlmsghdr *hdr;
+	struct rtmsg *msg;
+	chunk_t chunk;
+
+	memset(&request, 0, sizeof(request));    
+	hdr = (struct nlmsghdr*)request;
+	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
+	hdr->nlmsg_type = nlmsg_type; 
+	if (nlmsg_type == RTM_NEWRULE)
+	{
+		hdr->nlmsg_flags |= NLM_F_CREATE | NLM_F_EXCL;
+	}
+	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg));
+
+	msg = (struct rtmsg*)NLMSG_DATA(hdr);
+	msg->rtm_table = table;
+	msg->rtm_family = AF_INET;
+	msg->rtm_protocol = RTPROT_BOOT;
+	msg->rtm_scope = RT_SCOPE_UNIVERSE;
+	msg->rtm_type = RTN_UNICAST;
+
+	chunk = chunk_from_thing(prio);
+	netlink_add_attribute(hdr, RTA_PRIORITY, chunk, sizeof(request));
+
+	return this->socket->send_ack(this->socket, hdr);
+}
+
+/**
+ * Implementation of kernel_netlink_net_t.destroy.
+ */
+static void destroy(private_kernel_netlink_net_t *this)
+{
+	if (this->routing_table)
+	{
+		manage_rule(this, RTM_DELRULE, this->routing_table,
+					this->routing_table_prio);
+	}
+
+	this->job->cancel(this->job);
+	close(this->socket_events);
+	this->socket->destroy(this->socket);
+	this->ifaces->destroy_function(this->ifaces, (void*)iface_entry_destroy);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+kernel_netlink_net_t *kernel_netlink_net_create()
+{
+	private_kernel_netlink_net_t *this = malloc_thing(private_kernel_netlink_net_t);
+	struct sockaddr_nl addr;
+	
+	/* public functions */
+	this->public.interface.get_interface = (char*(*)(kernel_net_t*,host_t*))get_interface_name;
+	this->public.interface.create_address_enumerator = (enumerator_t*(*)(kernel_net_t*,bool,bool))create_address_enumerator;
+	this->public.interface.get_source_addr = (host_t*(*)(kernel_net_t*, host_t *dest, host_t *src))get_source_addr;
+	this->public.interface.get_nexthop = (host_t*(*)(kernel_net_t*, host_t *dest))get_nexthop;
+	this->public.interface.add_ip = (status_t(*)(kernel_net_t*,host_t*,host_t*)) add_ip;
+	this->public.interface.del_ip = (status_t(*)(kernel_net_t*,host_t*)) del_ip;
+	this->public.interface.add_route = (status_t(*)(kernel_net_t*,chunk_t,u_int8_t,host_t*,host_t*,char*)) add_route;
+	this->public.interface.del_route = (status_t(*)(kernel_net_t*,chunk_t,u_int8_t,host_t*,host_t*,char*)) del_route;
+	this->public.interface.destroy = (void(*)(kernel_net_t*)) destroy;
+
+	/* private members */
+	this->ifaces = linked_list_create();
+	pthread_mutex_init(&this->mutex, NULL);
+	pthread_cond_init(&this->cond, NULL);
+	timerclear(&this->last_roam);
+	this->routing_table = lib->settings->get_int(lib->settings,
+					"charon.routing_table", IPSEC_ROUTING_TABLE);
+	this->routing_table_prio = lib->settings->get_int(lib->settings,
+					"charon.routing_table_prio", IPSEC_ROUTING_TABLE_PRIO);
+	this->process_route = lib->settings->get_bool(lib->settings,
+					"charon.process_route", TRUE);
+	
+	this->socket = netlink_socket_create(NETLINK_ROUTE);
+	
+	memset(&addr, 0, sizeof(addr));
+	addr.nl_family = AF_NETLINK;
+	
+	/* create and bind RT socket for events (address/interface/route changes) */
+	this->socket_events = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
+	if (this->socket_events <= 0)
+	{
+		charon->kill(charon, "unable to create RT event socket");
+	}
+	addr.nl_groups = RTMGRP_IPV4_IFADDR | RTMGRP_IPV6_IFADDR | 
+					 RTMGRP_IPV4_ROUTE | RTMGRP_IPV4_ROUTE | RTMGRP_LINK;
+	if (bind(this->socket_events, (struct sockaddr*)&addr, sizeof(addr)))
+	{
+		charon->kill(charon, "unable to bind RT event socket");
+	}
+	
+	this->job = callback_job_create((callback_job_cb_t)receive_events,
+									this, NULL, NULL);
+	charon->processor->queue_job(charon->processor, (job_t*)this->job);
+	
+	if (init_address_list(this) != SUCCESS)
+	{
+		charon->kill(charon, "unable to get interface list");
+	}
+	
+	if (this->routing_table)
+	{
+		if (manage_rule(this, RTM_NEWRULE, this->routing_table,
+						this->routing_table_prio) != SUCCESS)
+		{
+			DBG1(DBG_KNL, "unable to create routing table rule");
+		}
+	}
+	
+	return &this->public;
+}
diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_net.h b/src/charon/plugins/kernel_netlink/kernel_netlink_net.h
new file mode 100644
index 000000000..393167a71
--- /dev/null
+++ b/src/charon/plugins/kernel_netlink/kernel_netlink_net.h
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id: kernel_netlink_net.h 4350 2008-09-18 15:16:43Z tobias $
+ */
+
+/**
+ * @defgroup kernel_netlink_net_i kernel_netlink_net
+ * @{ @ingroup kernel_netlink
+ */
+
+#ifndef KERNEL_NETLINK_NET_H_
+#define KERNEL_NETLINK_NET_H_
+
+#include <kernel/kernel_net.h>
+
+typedef struct kernel_netlink_net_t kernel_netlink_net_t;
+
+/**
+ * Implementation of the kernel network interface using Netlink.
+ */
+struct kernel_netlink_net_t {
+
+	/**
+	 * Implements kernel_net_t interface
+	 */
+	kernel_net_t interface;
+};
+
+/**
+ * Create a netlink kernel network interface instance.
+ *
+ * @return			kernel_netlink_net_t instance
+ */
+kernel_netlink_net_t *kernel_netlink_net_create();
+
+#endif /* KERNEL_NETLINK_NET_H_ @} */
diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_plugin.c b/src/charon/plugins/kernel_netlink/kernel_netlink_plugin.c
new file mode 100644
index 000000000..adc3d585f
--- /dev/null
+++ b/src/charon/plugins/kernel_netlink/kernel_netlink_plugin.c
@@ -0,0 +1,61 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id: kernel_netlink_plugin.c 4350 2008-09-18 15:16:43Z tobias $
+ */
+
+
+#include "kernel_netlink_plugin.h"
+
+#include "kernel_netlink_ipsec.h"
+#include "kernel_netlink_net.h"
+
+#include <daemon.h>
+
+typedef struct private_kernel_netlink_plugin_t private_kernel_netlink_plugin_t;
+
+/**
+ * private data of kernel netlink plugin
+ */
+struct private_kernel_netlink_plugin_t {
+	/**
+	 * implements plugin interface
+	 */
+	kernel_netlink_plugin_t public;
+};
+
+/**
+ * Implementation of plugin_t.destroy
+ */
+static void destroy(private_kernel_netlink_plugin_t *this)
+{
+	charon->kernel_interface->remove_ipsec_interface(charon->kernel_interface, (kernel_ipsec_constructor_t)kernel_netlink_ipsec_create);
+	charon->kernel_interface->remove_net_interface(charon->kernel_interface, (kernel_net_constructor_t)kernel_netlink_net_create);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *plugin_create()
+{
+	private_kernel_netlink_plugin_t *this = malloc_thing(private_kernel_netlink_plugin_t);
+	
+	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+	
+	charon->kernel_interface->add_ipsec_interface(charon->kernel_interface, (kernel_ipsec_constructor_t)kernel_netlink_ipsec_create);
+	charon->kernel_interface->add_net_interface(charon->kernel_interface, (kernel_net_constructor_t)kernel_netlink_net_create);
+	
+	return &this->public.plugin;
+}
diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_plugin.h b/src/charon/plugins/kernel_netlink/kernel_netlink_plugin.h
new file mode 100644
index 000000000..80a6c27e1
--- /dev/null
+++ b/src/charon/plugins/kernel_netlink/kernel_netlink_plugin.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id: kernel_netlink_plugin.h 4358 2008-09-25 13:56:23Z tobias $
+ */
+
+/**
+ * @defgroup kernel_netlink kernel_netlink
+ * @ingroup cplugins
+ *
+ * @defgroup kernel_netlink_plugin kernel_netlink_plugin
+ * @{ @ingroup kernel_netlink
+ */
+
+#ifndef KERNEL_NETLINK_PLUGIN_H_
+#define KERNEL_NETLINK_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct kernel_netlink_plugin_t kernel_netlink_plugin_t;
+
+/**
+ * netlink kernel interface plugin
+ */
+struct kernel_netlink_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+/**
+ * Create a kernel_netlink_plugin instance.
+ */
+plugin_t *plugin_create();
+
+#endif /* KERNEL_NETLINK_PLUGIN_H_ @} */
diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_shared.c b/src/charon/plugins/kernel_netlink/kernel_netlink_shared.c
new file mode 100644
index 000000000..55d08c5e5
--- /dev/null
+++ b/src/charon/plugins/kernel_netlink/kernel_netlink_shared.c
@@ -0,0 +1,280 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id: kernel_netlink_shared.c 4350 2008-09-18 15:16:43Z tobias $
+ */
+
+#include <sys/socket.h>
+#include <linux/netlink.h>
+#include <linux/rtnetlink.h>
+#include <errno.h>
+#include <unistd.h>
+
+#include "kernel_netlink_shared.h"
+
+#include <daemon.h>
+
+typedef struct private_netlink_socket_t private_netlink_socket_t;
+
+/**
+ * Private variables and functions of netlink_socket_t class.
+ */
+struct private_netlink_socket_t {
+	/**
+	 * public part of the netlink_socket_t object.
+	 */
+	netlink_socket_t public;
+	
+	/**
+	 * mutex to lock access to netlink socket
+	 */
+	pthread_mutex_t mutex;
+
+	/**
+	 * current sequence number for netlink request
+	 */
+	int seq;
+	
+	/**
+	 * netlink socket 
+	 */
+	int socket;
+};
+
+/**
+ * Implementation of netlink_socket_t.send
+ */
+static status_t netlink_send(private_netlink_socket_t *this, struct nlmsghdr *in,
+			  struct nlmsghdr **out, size_t *out_len)
+{
+	int len, addr_len;
+	struct sockaddr_nl addr;
+	chunk_t result = chunk_empty, tmp;
+	struct nlmsghdr *msg, peek;
+	
+	pthread_mutex_lock(&this->mutex);
+	
+	in->nlmsg_seq = ++this->seq;
+	in->nlmsg_pid = getpid();
+	
+	memset(&addr, 0, sizeof(addr));
+	addr.nl_family = AF_NETLINK;
+	addr.nl_pid = 0;
+	addr.nl_groups = 0;
+
+	while (TRUE)
+	{
+		len = sendto(this->socket, in, in->nlmsg_len, 0, 
+					 (struct sockaddr*)&addr, sizeof(addr));
+		
+		if (len != in->nlmsg_len)
+		{	
+			if (errno == EINTR)
+			{
+				/* interrupted, try again */
+				continue;
+			}
+			pthread_mutex_unlock(&this->mutex);
+			DBG1(DBG_KNL, "error sending to netlink socket: %s", strerror(errno));
+			return FAILED;
+		}
+		break;
+	}
+	
+	while (TRUE)
+	{	
+		char buf[4096];
+		tmp.len = sizeof(buf);
+		tmp.ptr = buf;
+		msg = (struct nlmsghdr*)tmp.ptr;
+		
+		memset(&addr, 0, sizeof(addr));
+		addr.nl_family = AF_NETLINK;
+		addr.nl_pid = getpid();
+		addr.nl_groups = 0;
+		addr_len = sizeof(addr);
+		
+		len = recvfrom(this->socket, tmp.ptr, tmp.len, 0,
+					   (struct sockaddr*)&addr, &addr_len);
+		
+		if (len < 0)
+		{
+			if (errno == EINTR)
+			{
+				DBG1(DBG_KNL, "got interrupted");
+				/* interrupted, try again */
+				continue;
+			}
+			DBG1(DBG_KNL, "error reading from netlink socket: %s", strerror(errno));
+			pthread_mutex_unlock(&this->mutex);
+			free(result.ptr);
+			return FAILED;
+		}
+		if (!NLMSG_OK(msg, len))
+		{
+			DBG1(DBG_KNL, "received corrupted netlink message");
+			pthread_mutex_unlock(&this->mutex);
+			free(result.ptr);
+			return FAILED;
+		}
+		if (msg->nlmsg_seq != this->seq)
+		{
+			DBG1(DBG_KNL, "received invalid netlink sequence number");
+			if (msg->nlmsg_seq < this->seq)
+			{
+				continue;
+			}
+			pthread_mutex_unlock(&this->mutex);
+			free(result.ptr);
+			return FAILED;
+		}
+		
+		tmp.len = len;
+		result.ptr = realloc(result.ptr, result.len + tmp.len);
+		memcpy(result.ptr + result.len, tmp.ptr, tmp.len);
+		result.len += tmp.len;
+		
+		/* NLM_F_MULTI flag does not seem to be set correctly, we use sequence
+		 * numbers to detect multi header messages */
+		len = recvfrom(this->socket, &peek, sizeof(peek), MSG_PEEK | MSG_DONTWAIT,
+					   (struct sockaddr*)&addr, &addr_len);
+		
+		if (len == sizeof(peek) && peek.nlmsg_seq == this->seq)
+		{
+			/* seems to be multipart */
+			continue;
+		}
+		break;
+	}
+	
+	*out_len = result.len;
+	*out = (struct nlmsghdr*)result.ptr;
+	
+	pthread_mutex_unlock(&this->mutex);
+	
+	return SUCCESS;
+}
+
+/**
+ * Implementation of netlink_socket_t.send_ack.
+ */
+static status_t netlink_send_ack(private_netlink_socket_t *this, struct nlmsghdr *in)
+{
+	struct nlmsghdr *out, *hdr;
+	size_t len;
+
+	if (netlink_send(this, in, &out, &len) != SUCCESS)
+	{
+		return FAILED;
+	}
+	hdr = out;
+	while (NLMSG_OK(hdr, len))
+	{
+		switch (hdr->nlmsg_type)
+		{
+			case NLMSG_ERROR:
+			{
+				struct nlmsgerr* err = (struct nlmsgerr*)NLMSG_DATA(hdr);
+				
+				if (err->error)
+				{
+					if (-err->error == EEXIST)
+					{	/* do not report existing routes */
+						free(out);
+						return ALREADY_DONE;
+					}
+					DBG1(DBG_KNL, "received netlink error: %s (%d)",
+						 strerror(-err->error), -err->error);
+					free(out);
+					return FAILED;
+				}
+				free(out);
+				return SUCCESS;
+			}
+			default:
+				hdr = NLMSG_NEXT(hdr, len);
+				continue;
+			case NLMSG_DONE:
+				break;
+		}
+		break;
+	}
+	DBG1(DBG_KNL, "netlink request not acknowledged");
+	free(out);
+	return FAILED;
+}
+
+/**
+ * Implementation of netlink_socket_t.destroy.
+ */
+static void destroy(private_netlink_socket_t *this)
+{
+	close(this->socket);
+	free(this);
+}
+
+/**
+ * Described in header.
+ */
+netlink_socket_t *netlink_socket_create(int protocol) {
+	private_netlink_socket_t *this = malloc_thing(private_netlink_socket_t);
+	struct sockaddr_nl addr;
+	
+	/* public functions */
+	this->public.send = (status_t(*)(netlink_socket_t*,struct nlmsghdr*, struct nlmsghdr**, size_t*))netlink_send;
+	this->public.send_ack = (status_t(*)(netlink_socket_t*,struct nlmsghdr*))netlink_send_ack;
+	this->public.destroy = (void(*)(netlink_socket_t*))destroy;
+
+	/* private members */
+	this->seq = 200;
+	pthread_mutex_init(&this->mutex, NULL);
+	
+	memset(&addr, 0, sizeof(addr));
+	addr.nl_family = AF_NETLINK;
+	
+	this->socket = socket(AF_NETLINK, SOCK_RAW, protocol);
+	if (this->socket <= 0)
+	{
+		charon->kill(charon, "unable to create netlink socket");
+	}
+	
+	addr.nl_groups = 0;
+	if (bind(this->socket, (struct sockaddr*)&addr, sizeof(addr)))
+	{
+		charon->kill(charon, "unable to bind netlink socket");
+	}
+	
+	return &this->public;
+}
+
+/**
+ * Described in header.
+ */
+void netlink_add_attribute(struct nlmsghdr *hdr, int rta_type, chunk_t data,
+						  size_t buflen)
+{
+	struct rtattr *rta;
+	
+	if (NLMSG_ALIGN(hdr->nlmsg_len) + RTA_ALIGN(data.len) > buflen)
+	{
+		DBG1(DBG_KNL, "unable to add attribute, buffer too small");
+		return;
+	}
+	
+	rta = (struct rtattr*)(((char*)hdr) + NLMSG_ALIGN(hdr->nlmsg_len));
+	rta->rta_type = rta_type;
+	rta->rta_len = RTA_LENGTH(data.len);
+	memcpy(RTA_DATA(rta), data.ptr, data.len);
+	hdr->nlmsg_len = NLMSG_ALIGN(hdr->nlmsg_len) + rta->rta_len;
+}
diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_shared.h b/src/charon/plugins/kernel_netlink/kernel_netlink_shared.h
new file mode 100644
index 000000000..6428cc9a2
--- /dev/null
+++ b/src/charon/plugins/kernel_netlink/kernel_netlink_shared.h
@@ -0,0 +1,71 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id: kernel_netlink_shared.h 4350 2008-09-18 15:16:43Z tobias $
+ */
+
+#ifndef KERNEL_NETLINK_SHARED_H_
+#define KERNEL_NETLINK_SHARED_H_
+
+#include <library.h>
+
+#define NETLINK_BUFFER_SIZE 1024
+
+typedef struct netlink_socket_t netlink_socket_t;
+
+/**
+ * Wrapper around a netlink socket.
+ */
+struct netlink_socket_t {
+
+	/**
+	 * Send a netlink message and wait for a reply.
+	 * 
+	 * @param	in		netlink message to send
+	 * @param	out 	received netlink message
+	 * @param	out_len	length of the received message
+	 */
+	status_t (*send)(netlink_socket_t *this, struct nlmsghdr *in, struct nlmsghdr **out, size_t *out_len);
+	
+	/**
+	 * Send a netlink message and wait for its acknowledge.
+	 * 
+	 * @param	in		netlink message to send
+	 */
+	status_t (*send_ack)(netlink_socket_t *this, struct nlmsghdr *in);
+	
+	/**
+	 * Destroy the socket.
+	 */
+	void (*destroy)(netlink_socket_t *this);
+};
+
+/**
+ * Create a netlink_socket_t object.
+ * 
+ * @param	protocol	protocol type (e.g. NETLINK_XFRM or NETLINK_ROUTE)
+ */
+netlink_socket_t *netlink_socket_create(int protocol);
+
+/**
+ * Creates an rtattr and adds it to the given netlink message.
+ * 
+ * @param	hdr			netlink message
+ * @param	rta_type	type of the rtattr
+ * @param	data		data to add to the rtattr
+ * @param	buflen		length of the netlink message buffer
+ */
+void netlink_add_attribute(struct nlmsghdr *hdr, int rta_type, chunk_t data, size_t buflen);
+
+#endif /* KERNEL_NETLINK_SHARED_H_ */
diff --git a/src/charon/plugins/medcli/Makefile.in b/src/charon/plugins/medcli/Makefile.in
index 85be6bae7..605ee1399 100644
--- a/src/charon/plugins/medcli/Makefile.in
+++ b/src/charon/plugins/medcli/Makefile.in
@@ -189,6 +189,8 @@ localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
diff --git a/src/charon/plugins/medcli/medcli_config.c b/src/charon/plugins/medcli/medcli_config.c
index 96dfa7c94..d1e6c0c9e 100644
--- a/src/charon/plugins/medcli/medcli_config.c
+++ b/src/charon/plugins/medcli/medcli_config.c
@@ -120,8 +120,7 @@ static peer_cfg_t *get_peer_cfg_by_name(private_medcli_config_t *this, char *nam
 		"mediation", 2, ike_cfg,
 		identification_create_from_encoding(ID_KEY_ID, me),
 		identification_create_from_encoding(ID_KEY_ID, other),
-		CERT_NEVER_SEND, UNIQUE_REPLACE, CONF_AUTH_PUBKEY,
-		0, 0, 							/* EAP method, vendor */
+		CERT_NEVER_SEND, UNIQUE_REPLACE, 
 		1, this->rekey*60, 0,  			/* keytries, rekey, reauth */
 		this->rekey*5, this->rekey*3, 	/* jitter, overtime */
 		TRUE, this->dpd, 				/* mobike, dpddelay */
@@ -149,8 +148,7 @@ static peer_cfg_t *get_peer_cfg_by_name(private_medcli_config_t *this, char *nam
 		name, 2, this->ike->get_ref(this->ike),
 		identification_create_from_encoding(ID_KEY_ID, me),
 		identification_create_from_encoding(ID_KEY_ID, other),
-		CERT_NEVER_SEND, UNIQUE_REPLACE, CONF_AUTH_PUBKEY,
-		0, 0, 							/* EAP method, vendor */
+		CERT_NEVER_SEND, UNIQUE_REPLACE, 
 		1, this->rekey*60, 0,  			/* keytries, rekey, reauth */
 		this->rekey*5, this->rekey*3, 	/* jitter, overtime */
 		TRUE, this->dpd, 				/* mobike, dpddelay */
@@ -213,8 +211,7 @@ static bool peer_enumerator_enumerate(peer_enumerator_t *this, peer_cfg_t **cfg)
 				name, 2, this->ike->get_ref(this->ike),
 				identification_create_from_encoding(ID_KEY_ID, me),
 				identification_create_from_encoding(ID_KEY_ID, other),
-				CERT_NEVER_SEND, UNIQUE_REPLACE, AUTH_RSA,
-				0, 0, 							/* EAP method, vendor */
+				CERT_NEVER_SEND, UNIQUE_REPLACE, 
 				1, this->rekey*60, 0,  			/* keytries, rekey, reauth */
 				this->rekey*5, this->rekey*3, 	/* jitter, overtime */
 				TRUE, this->dpd, 				/* mobike, dpddelay */
@@ -357,9 +354,8 @@ medcli_config_t *medcli_config_create(database_t *db)
 	this->public.destroy = (void(*)(medcli_config_t*))destroy;
 	
 	this->db = db;
-	this->rekey = lib->settings->get_int(lib->settings,
-										 "medclient.rekey", 20) * 60;
-	this->dpd = lib->settings->get_int(lib->settings, "medclient.dpd", 300);
+	this->rekey = lib->settings->get_time(lib->settings, "medcli.rekey", 1200);
+	this->dpd = lib->settings->get_time(lib->settings, "medcli.dpd", 300);
 	this->ike = ike_cfg_create(FALSE, FALSE, "0.0.0.0", "0.0.0.0");
 	this->ike->add_proposal(this->ike, proposal_create_default(PROTO_IKE));
 	
diff --git a/src/charon/plugins/medcli/medcli_creds.c b/src/charon/plugins/medcli/medcli_creds.c
index 685f34271..1e99f6990 100644
--- a/src/charon/plugins/medcli/medcli_creds.c
+++ b/src/charon/plugins/medcli/medcli_creds.c
@@ -63,7 +63,7 @@ static bool private_enumerator_enumerate(private_enumerator_t *this,
 	while (this->inner->enumerate(this->inner, &chunk))
 	{
 		this->current = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
-										   BUILD_BLOB_ASN1_DER, chunk_clone(chunk),
+										   BUILD_BLOB_ASN1_DER, chunk,
 										   BUILD_END);
 		if (this->current)
 		{
@@ -143,7 +143,7 @@ static bool cert_enumerator_enumerate(cert_enumerator_t *this,
 	while (this->inner->enumerate(this->inner, &chunk))
 	{
 		public = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ANY,
-									BUILD_BLOB_ASN1_DER, chunk_clone(chunk),
+									BUILD_BLOB_ASN1_DER, chunk,
 									BUILD_END);
 		if (public)
 		{
@@ -152,14 +152,17 @@ static bool cert_enumerator_enumerate(cert_enumerator_t *this,
 				this->current = lib->creds->create(lib->creds,
 										CRED_CERTIFICATE, CERT_TRUSTED_PUBKEY,
 										BUILD_PUBLIC_KEY, public, BUILD_END);
+				public->destroy(public);
 				if (this->current)
 				{
 					*cert = this->current;
 					return TRUE;
 				}
-				continue;
 			}
-			public->destroy(public);
+			else
+			{
+				public->destroy(public);
+			}
 		}
 	}
 	this->current = NULL;
diff --git a/src/charon/plugins/medcli/medcli_listener.c b/src/charon/plugins/medcli/medcli_listener.c
index cb370ba2a..3b4156903 100644
--- a/src/charon/plugins/medcli/medcli_listener.c
+++ b/src/charon/plugins/medcli/medcli_listener.c
@@ -51,8 +51,9 @@ struct private_medcli_listener_t {
 /**
  * Implementation of bus_listener_t.signal.
  */
-static bool signal_(private_medcli_listener_t *this, signal_t signal, level_t level,
-					int thread, ike_sa_t* ike_sa, char *format, va_list args)
+static bool signal_(private_medcli_listener_t *this, signal_t signal,
+					level_t level, int thread, ike_sa_t* ike_sa, void *data,
+					char *format, va_list args)
 {
 	mediated_state_t state;
 	
@@ -100,7 +101,7 @@ medcli_listener_t *medcli_listener_create(database_t *db)
 {
 	private_medcli_listener_t *this = malloc_thing(private_medcli_listener_t);
 
-	this->public.listener.signal = (bool(*)(bus_listener_t*,signal_t,level_t,int,ike_sa_t*,char*,va_list))signal_;
+	this->public.listener.signal = (bool(*)(bus_listener_t*,signal_t,level_t,int,ike_sa_t*,void*,char*,va_list))signal_;
 	this->public.destroy = (void (*)(medcli_listener_t*))destroy;
 	
 	this->db = db;
diff --git a/src/charon/plugins/medsrv/Makefile.in b/src/charon/plugins/medsrv/Makefile.in
index b6561e15e..2162afa77 100644
--- a/src/charon/plugins/medsrv/Makefile.in
+++ b/src/charon/plugins/medsrv/Makefile.in
@@ -189,6 +189,8 @@ localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
diff --git a/src/charon/plugins/medsrv/medsrv_config.c b/src/charon/plugins/medsrv/medsrv_config.c
index 1017b9de0..bec6837c0 100644
--- a/src/charon/plugins/medsrv/medsrv_config.c
+++ b/src/charon/plugins/medsrv/medsrv_config.c
@@ -99,8 +99,7 @@ static enumerator_t* create_peer_cfg_enumerator(private_medsrv_config_t *this,
 			peer_cfg = peer_cfg_create(
 				name, 2, this->ike->get_ref(this->ike),
 				me->clone(me), other->clone(other),
-				CERT_NEVER_SEND, UNIQUE_REPLACE, CONF_AUTH_PUBKEY,
-				0, 0, 							/* EAP method, vendor */
+				CERT_NEVER_SEND, UNIQUE_REPLACE,
 				1, this->rekey*60, 0,  			/* keytries, rekey, reauth */
 				this->rekey*5, this->rekey*3, 	/* jitter, overtime */
 				TRUE, this->dpd, 				/* mobike, dpddelay */
@@ -136,9 +135,8 @@ medsrv_config_t *medsrv_config_create(database_t *db)
 	this->public.destroy = (void(*)(medsrv_config_t*))destroy;
 	
 	this->db = db;
-	this->rekey = lib->settings->get_int(lib->settings,
-										 "medsrv.rekey", 20) * 60;
-	this->dpd = lib->settings->get_int(lib->settings, "medsrv.dpd", 300);
+	this->rekey = lib->settings->get_time(lib->settings, "medsrv.rekey", 1200);
+	this->dpd = lib->settings->get_time(lib->settings, "medsrv.dpd", 300);
 	this->ike = ike_cfg_create(FALSE, FALSE, "0.0.0.0", "0.0.0.0");
 	this->ike->add_proposal(this->ike, proposal_create_default(PROTO_IKE));
 	
diff --git a/src/charon/plugins/medsrv/medsrv_creds.c b/src/charon/plugins/medsrv/medsrv_creds.c
index 48e05c38e..5d2d46e53 100644
--- a/src/charon/plugins/medsrv/medsrv_creds.c
+++ b/src/charon/plugins/medsrv/medsrv_creds.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: medsrv_creds.c 4061 2008-06-11 14:13:24Z martin $
+ * $Id: medsrv_creds.c 4317 2008-09-02 11:00:13Z martin $
  */
 
 #include "medsrv_creds.h"
@@ -67,7 +67,7 @@ static bool cert_enumerator_enumerate(cert_enumerator_t *this,
 	while (this->inner->enumerate(this->inner, &chunk))
 	{
 		public = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ANY,
-									BUILD_BLOB_ASN1_DER, chunk_clone(chunk),
+									BUILD_BLOB_ASN1_DER, chunk,
 									BUILD_END);
 		if (public)
 		{
@@ -76,14 +76,17 @@ static bool cert_enumerator_enumerate(cert_enumerator_t *this,
 				trusted = lib->creds->create(lib->creds,
 										CRED_CERTIFICATE, CERT_TRUSTED_PUBKEY,
 										BUILD_PUBLIC_KEY, public, BUILD_END);
+				public->destroy(public);
 				if (trusted)
 				{
 					*cert = this->current = trusted;
 					return TRUE;
 				}
-				continue;
 			}
-			public->destroy(public);
+			else
+			{
+				public->destroy(public);
+			}
 		}
 	}
 	this->current = NULL;
diff --git a/src/charon/plugins/medsrv/medsrv_plugin.c b/src/charon/plugins/medsrv/medsrv_plugin.c
index f29120337..e34a1d4de 100644
--- a/src/charon/plugins/medsrv/medsrv_plugin.c
+++ b/src/charon/plugins/medsrv/medsrv_plugin.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: medsrv_plugin.c 3915 2008-05-08 12:11:30Z martin $
+ * $Id: medsrv_plugin.c 4137 2008-07-01 13:57:47Z martin $
  */
 
 #include "medsrv_plugin.h"
@@ -74,7 +74,7 @@ plugin_t *plugin_create()
 	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
 	
 	uri = lib->settings->get_str(lib->settings,
-								 "medmanager.database", NULL);
+								 "medsrv.database", NULL);
 	if (!uri)
 	{
 		DBG1(DBG_CFG, "mediation database URI not defined, skipped");
diff --git a/src/charon/plugins/nm/Makefile.am b/src/charon/plugins/nm/Makefile.am
new file mode 100644
index 000000000..107ca1a31
--- /dev/null
+++ b/src/charon/plugins/nm/Makefile.am
@@ -0,0 +1,28 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon ${nm_CFLAGS}
+
+AM_CFLAGS = -rdynamic
+
+plugin_LTLIBRARIES = libstrongswan-nm.la
+libstrongswan_nm_la_SOURCES = \
+  nm_plugin.h nm_plugin.c nm_service.h nm_service.c nm_creds.h nm_creds.c
+libstrongswan_nm_la_LDFLAGS = -module
+libstrongswan_nm_la_LIBADD = ${nm_LIBS}
+
+
+# build gnome/configure and friends for distribution
+
+EXTRA_DIST = gnome/configure gnome/po/LINGUAS gnome/po/POTFILES.in gnome/po/Makefile.in.in \
+	gnome/ltmain.sh gnome/config.h.in gnome/depcomp gnome/Makefile.in \
+	gnome/compile gnome/intltool-merge.in gnome/configure.in gnome/install-sh \
+	gnome/aclocal.m4 gnome/Makefile.am gnome/autogen.sh \
+	gnome/properties/Makefile.in gnome/properties/nm-strongswan-dialog.glade \
+	gnome/properties/Makefile.am gnome/properties/nm-strongswan.c \
+	gnome/properties/nm-strongswan.h gnome/intltool-update.in gnome/config.guess \
+	gnome/nm-strongswan-service.name.in gnome/nm-strongswan-service.conf \
+	gnome/mkinstalldirs gnome/auth-dialog gnome/auth-dialog/Makefile.in \
+	gnome/auth-dialog/Makefile.am gnome/auth-dialog/main.c gnome/intltool-extract.in \
+	gnome/config.sub gnome/missing
+
+gnome/configure :	gnome/configure.in
+					cd gnome && ./autogen.sh; cd ..
diff --git a/src/charon/plugins/nm/Makefile.in b/src/charon/plugins/nm/Makefile.in
new file mode 100644
index 000000000..46e4ab851
--- /dev/null
+++ b/src/charon/plugins/nm/Makefile.in
@@ -0,0 +1,519 @@
+# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/charon/plugins/nm
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__installdirs = "$(DESTDIR)$(plugindir)"
+pluginLTLIBRARIES_INSTALL = $(INSTALL)
+LTLIBRARIES = $(plugin_LTLIBRARIES)
+am__DEPENDENCIES_1 =
+libstrongswan_nm_la_DEPENDENCIES = $(am__DEPENDENCIES_1)
+am_libstrongswan_nm_la_OBJECTS = nm_plugin.lo nm_service.lo \
+	nm_creds.lo
+libstrongswan_nm_la_OBJECTS = $(am_libstrongswan_nm_la_OBJECTS)
+libstrongswan_nm_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_nm_la_LDFLAGS) $(LDFLAGS) -o $@
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_nm_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_nm_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+CXXDEPMODE = @CXXDEPMODE@
+CXXFLAGS = @CXXFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DSYMUTIL = @DSYMUTIL@
+ECHO = @ECHO@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+F77 = @F77@
+FFLAGS = @FFLAGS@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
+IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LINUX_HEADERS = @LINUX_HEADERS@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+NMEDIT = @NMEDIT@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+RANLIB = @RANLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_CXX = @ac_ct_CXX@
+ac_ct_F77 = @ac_ct_F77@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+confdir = @confdir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libstrongswan_plugins = @libstrongswan_plugins@
+linuxdir = @linuxdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+resolv_conf = @resolv_conf@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+simreader = @simreader@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon ${nm_CFLAGS}
+AM_CFLAGS = -rdynamic
+plugin_LTLIBRARIES = libstrongswan-nm.la
+libstrongswan_nm_la_SOURCES = \
+  nm_plugin.h nm_plugin.c nm_service.h nm_service.c nm_creds.h nm_creds.c
+
+libstrongswan_nm_la_LDFLAGS = -module
+libstrongswan_nm_la_LIBADD = ${nm_LIBS}
+
+# build gnome/configure and friends for distribution
+EXTRA_DIST = gnome/configure gnome/po/LINGUAS gnome/po/POTFILES.in gnome/po/Makefile.in.in \
+	gnome/ltmain.sh gnome/config.h.in gnome/depcomp gnome/Makefile.in \
+	gnome/compile gnome/intltool-merge.in gnome/configure.in gnome/install-sh \
+	gnome/aclocal.m4 gnome/Makefile.am gnome/autogen.sh \
+	gnome/properties/Makefile.in gnome/properties/nm-strongswan-dialog.glade \
+	gnome/properties/Makefile.am gnome/properties/nm-strongswan.c \
+	gnome/properties/nm-strongswan.h gnome/intltool-update.in gnome/config.guess \
+	gnome/nm-strongswan-service.name.in gnome/nm-strongswan-service.conf \
+	gnome/mkinstalldirs gnome/auth-dialog gnome/auth-dialog/Makefile.in \
+	gnome/auth-dialog/Makefile.am gnome/auth-dialog/main.c gnome/intltool-extract.in \
+	gnome/config.sub gnome/missing
+
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
+		&& exit 0; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/charon/plugins/nm/Makefile'; \
+	cd $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu  src/charon/plugins/nm/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    f=$(am__strip_dir) \
+	    echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(plugindir)/$$f'"; \
+	    $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(plugindir)/$$f"; \
+	  else :; fi; \
+	done
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  p=$(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$p'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$p"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-nm.la: $(libstrongswan_nm_la_OBJECTS) $(libstrongswan_nm_la_DEPENDENCIES) 
+	$(libstrongswan_nm_la_LINK) -rpath $(plugindir) $(libstrongswan_nm_la_OBJECTS) $(libstrongswan_nm_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/nm_creds.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/nm_plugin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/nm_service.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	    $$tags $$unique; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$tags $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) $$here
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	    fi; \
+	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
+	mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-info: install-info-am
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
+	distclean-compile distclean-generic distclean-libtool \
+	distclean-tags distdir dvi dvi-am html html-am info info-am \
+	install install-am install-data install-data-am install-dvi \
+	install-dvi-am install-exec install-exec-am install-html \
+	install-html-am install-info install-info-am install-man \
+	install-pdf install-pdf-am install-pluginLTLIBRARIES \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
+
+
+gnome/configure :	gnome/configure.in
+					cd gnome && ./autogen.sh; cd ..
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/charon/plugins/nm/gnome/Makefile.am b/src/charon/plugins/nm/gnome/Makefile.am
new file mode 100644
index 000000000..62d28e438
--- /dev/null
+++ b/src/charon/plugins/nm/gnome/Makefile.am
@@ -0,0 +1,24 @@
+AUTOMAKE_OPTIONS = foreign
+
+SUBDIRS = properties auth-dialog po
+
+dbusservicedir = $(sysconfdir)/dbus-1/system.d
+dbusservice_DATA = nm-strongswan-service.conf
+
+nmvpnservicedir = $(sysconfdir)/NetworkManager/VPN
+nmvpnservice_DATA = nm-strongswan-service.name
+
+@INTLTOOL_DESKTOP_RULE@
+
+nm-strongswan-service.name: $(srcdir)/nm-strongswan-service.name.in
+	sed -e 's|[@]LIBEXECDIR[@]|$(libexecdir)|' \
+		-e 's|[@]CHARON[@]|$(charon)|' $< >$@
+
+EXTRA_DIST = nm-strongswan-service.name.in \
+             $(dbusservice_DATA)  \
+             intltool-extract.in  \
+             intltool-merge.in    \
+             intltool-update.in
+
+CLEANFILES = $(nmvpnservice_DATA) *~
+DISTCLEANFILES = intltool-extract intltool-merge intltool-update
diff --git a/src/charon/plugins/nm/gnome/Makefile.in b/src/charon/plugins/nm/gnome/Makefile.in
new file mode 100644
index 000000000..41745247f
--- /dev/null
+++ b/src/charon/plugins/nm/gnome/Makefile.in
@@ -0,0 +1,767 @@
+# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = .
+DIST_COMMON = $(am__configure_deps) $(srcdir)/Makefile.am \
+	$(srcdir)/Makefile.in $(srcdir)/config.h.in \
+	$(top_srcdir)/configure compile config.guess config.sub \
+	depcomp install-sh ltmain.sh missing mkinstalldirs
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+am__CONFIG_DISTCLEAN_FILES = config.status config.cache config.log \
+ configure.lineno config.status.lineno
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = config.h
+CONFIG_CLEAN_FILES =
+SOURCES =
+DIST_SOURCES =
+RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \
+	html-recursive info-recursive install-data-recursive \
+	install-dvi-recursive install-exec-recursive \
+	install-html-recursive install-info-recursive \
+	install-pdf-recursive install-ps-recursive install-recursive \
+	installcheck-recursive installdirs-recursive pdf-recursive \
+	ps-recursive uninstall-recursive
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__installdirs = "$(DESTDIR)$(dbusservicedir)" \
+	"$(DESTDIR)$(nmvpnservicedir)"
+dbusserviceDATA_INSTALL = $(INSTALL_DATA)
+nmvpnserviceDATA_INSTALL = $(INSTALL_DATA)
+DATA = $(dbusservice_DATA) $(nmvpnservice_DATA)
+RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive	\
+  distclean-recursive maintainer-clean-recursive
+ETAGS = etags
+CTAGS = ctags
+DIST_SUBDIRS = $(SUBDIRS)
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+distdir = $(PACKAGE)-$(VERSION)
+top_distdir = $(distdir)
+am__remove_distdir = \
+  { test ! -d $(distdir) \
+    || { find $(distdir) -type d ! -perm -200 -exec chmod u+w {} ';' \
+         && rm -fr $(distdir); }; }
+DIST_ARCHIVES = $(distdir).tar.gz
+GZIP_ENV = --best
+distuninstallcheck_listfiles = find . -type f -print
+distcleancheck_listfiles = find . -type f -print
+ACLOCAL = @ACLOCAL@
+ALL_LINGUAS = @ALL_LINGUAS@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+CATALOGS = @CATALOGS@
+CATOBJEXT = @CATOBJEXT@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+CXXDEPMODE = @CXXDEPMODE@
+CXXFLAGS = @CXXFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DATADIRNAME = @DATADIRNAME@
+DBUS_CFLAGS = @DBUS_CFLAGS@
+DBUS_LIBS = @DBUS_LIBS@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DSYMUTIL = @DSYMUTIL@
+ECHO = @ECHO@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+F77 = @F77@
+FFLAGS = @FFLAGS@
+GCONF_CFLAGS = @GCONF_CFLAGS@
+GCONF_LIBS = @GCONF_LIBS@
+GDK_PIXBUF_CFLAGS = @GDK_PIXBUF_CFLAGS@
+GDK_PIXBUF_LIBS = @GDK_PIXBUF_LIBS@
+GETTEXT_PACKAGE = @GETTEXT_PACKAGE@
+GLADE_CFLAGS = @GLADE_CFLAGS@
+GLADE_LIBS = @GLADE_LIBS@
+GMOFILES = @GMOFILES@
+GMSGFMT = @GMSGFMT@
+GNOMEKEYRING_CFLAGS = @GNOMEKEYRING_CFLAGS@
+GNOMEKEYRING_LIBS = @GNOMEKEYRING_LIBS@
+GREP = @GREP@
+GTHREAD_CFLAGS = @GTHREAD_CFLAGS@
+GTHREAD_LIBS = @GTHREAD_LIBS@
+GTK_CFLAGS = @GTK_CFLAGS@
+GTK_LIBS = @GTK_LIBS@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+INSTOBJEXT = @INSTOBJEXT@
+INTLLIBS = @INTLLIBS@
+INTLTOOL_CAVES_RULE = @INTLTOOL_CAVES_RULE@
+INTLTOOL_DESKTOP_RULE = @INTLTOOL_DESKTOP_RULE@
+INTLTOOL_DIRECTORY_RULE = @INTLTOOL_DIRECTORY_RULE@
+INTLTOOL_EXTRACT = @INTLTOOL_EXTRACT@
+INTLTOOL_KBD_RULE = @INTLTOOL_KBD_RULE@
+INTLTOOL_KEYS_RULE = @INTLTOOL_KEYS_RULE@
+INTLTOOL_MERGE = @INTLTOOL_MERGE@
+INTLTOOL_OAF_RULE = @INTLTOOL_OAF_RULE@
+INTLTOOL_PERL = @INTLTOOL_PERL@
+INTLTOOL_POLICY_RULE = @INTLTOOL_POLICY_RULE@
+INTLTOOL_PONG_RULE = @INTLTOOL_PONG_RULE@
+INTLTOOL_PROP_RULE = @INTLTOOL_PROP_RULE@
+INTLTOOL_SCHEMAS_RULE = @INTLTOOL_SCHEMAS_RULE@
+INTLTOOL_SERVER_RULE = @INTLTOOL_SERVER_RULE@
+INTLTOOL_SERVICE_RULE = @INTLTOOL_SERVICE_RULE@
+INTLTOOL_SHEET_RULE = @INTLTOOL_SHEET_RULE@
+INTLTOOL_SOUNDLIST_RULE = @INTLTOOL_SOUNDLIST_RULE@
+INTLTOOL_THEME_RULE = @INTLTOOL_THEME_RULE@
+INTLTOOL_UI_RULE = @INTLTOOL_UI_RULE@
+INTLTOOL_UPDATE = @INTLTOOL_UPDATE@
+INTLTOOL_XAM_RULE = @INTLTOOL_XAM_RULE@
+INTLTOOL_XML_NOMERGE_RULE = @INTLTOOL_XML_NOMERGE_RULE@
+INTLTOOL_XML_RULE = @INTLTOOL_XML_RULE@
+LDFLAGS = @LDFLAGS@
+LIBGNOMEUI_CFLAGS = @LIBGNOMEUI_CFLAGS@
+LIBGNOMEUI_LIBS = @LIBGNOMEUI_LIBS@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAINT = @MAINT@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MKINSTALLDIRS = @MKINSTALLDIRS@
+MSGFMT = @MSGFMT@
+MSGFMT_OPTS = @MSGFMT_OPTS@
+MSGMERGE = @MSGMERGE@
+NMEDIT = @NMEDIT@
+NM_UTILS_CFLAGS = @NM_UTILS_CFLAGS@
+NM_UTILS_LIBS = @NM_UTILS_LIBS@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PKG_CONFIG = @PKG_CONFIG@
+POFILES = @POFILES@
+POSUB = @POSUB@
+PO_IN_DATADIR_FALSE = @PO_IN_DATADIR_FALSE@
+PO_IN_DATADIR_TRUE = @PO_IN_DATADIR_TRUE@
+RANLIB = @RANLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+USE_NLS = @USE_NLS@
+VERSION = @VERSION@
+XGETTEXT = @XGETTEXT@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_CXX = @ac_ct_CXX@
+ac_ct_F77 = @ac_ct_F77@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+charon = @charon@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+libdir = @libdir@
+libexecdir = @libexecdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+AUTOMAKE_OPTIONS = foreign
+SUBDIRS = properties auth-dialog po
+dbusservicedir = $(sysconfdir)/dbus-1/system.d
+dbusservice_DATA = nm-strongswan-service.conf
+nmvpnservicedir = $(sysconfdir)/NetworkManager/VPN
+nmvpnservice_DATA = nm-strongswan-service.name
+EXTRA_DIST = nm-strongswan-service.name.in \
+             $(dbusservice_DATA)  \
+             intltool-extract.in  \
+             intltool-merge.in    \
+             intltool-update.in
+
+CLEANFILES = $(nmvpnservice_DATA) *~
+DISTCLEANFILES = intltool-extract intltool-merge intltool-update
+all: config.h
+	$(MAKE) $(AM_MAKEFLAGS) all-recursive
+
+.SUFFIXES:
+am--refresh:
+	@:
+$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      echo ' cd $(srcdir) && $(AUTOMAKE) --foreign '; \
+	      cd $(srcdir) && $(AUTOMAKE) --foreign  \
+		&& exit 0; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign  Makefile'; \
+	cd $(top_srcdir) && \
+	  $(AUTOMAKE) --foreign  Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    echo ' $(SHELL) ./config.status'; \
+	    $(SHELL) ./config.status;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	$(SHELL) ./config.status --recheck
+
+$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps)
+	cd $(srcdir) && $(AUTOCONF)
+$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps)
+	cd $(srcdir) && $(ACLOCAL) $(ACLOCAL_AMFLAGS)
+
+config.h: stamp-h1
+	@if test ! -f $@; then \
+	  rm -f stamp-h1; \
+	  $(MAKE) $(AM_MAKEFLAGS) stamp-h1; \
+	else :; fi
+
+stamp-h1: $(srcdir)/config.h.in $(top_builddir)/config.status
+	@rm -f stamp-h1
+	cd $(top_builddir) && $(SHELL) ./config.status config.h
+$(srcdir)/config.h.in: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) 
+	cd $(top_srcdir) && $(AUTOHEADER)
+	rm -f stamp-h1
+	touch $@
+
+distclean-hdr:
+	-rm -f config.h stamp-h1
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+distclean-libtool:
+	-rm -f libtool
+install-dbusserviceDATA: $(dbusservice_DATA)
+	@$(NORMAL_INSTALL)
+	test -z "$(dbusservicedir)" || $(MKDIR_P) "$(DESTDIR)$(dbusservicedir)"
+	@list='$(dbusservice_DATA)'; for p in $$list; do \
+	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
+	  f=$(am__strip_dir) \
+	  echo " $(dbusserviceDATA_INSTALL) '$$d$$p' '$(DESTDIR)$(dbusservicedir)/$$f'"; \
+	  $(dbusserviceDATA_INSTALL) "$$d$$p" "$(DESTDIR)$(dbusservicedir)/$$f"; \
+	done
+
+uninstall-dbusserviceDATA:
+	@$(NORMAL_UNINSTALL)
+	@list='$(dbusservice_DATA)'; for p in $$list; do \
+	  f=$(am__strip_dir) \
+	  echo " rm -f '$(DESTDIR)$(dbusservicedir)/$$f'"; \
+	  rm -f "$(DESTDIR)$(dbusservicedir)/$$f"; \
+	done
+install-nmvpnserviceDATA: $(nmvpnservice_DATA)
+	@$(NORMAL_INSTALL)
+	test -z "$(nmvpnservicedir)" || $(MKDIR_P) "$(DESTDIR)$(nmvpnservicedir)"
+	@list='$(nmvpnservice_DATA)'; for p in $$list; do \
+	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
+	  f=$(am__strip_dir) \
+	  echo " $(nmvpnserviceDATA_INSTALL) '$$d$$p' '$(DESTDIR)$(nmvpnservicedir)/$$f'"; \
+	  $(nmvpnserviceDATA_INSTALL) "$$d$$p" "$(DESTDIR)$(nmvpnservicedir)/$$f"; \
+	done
+
+uninstall-nmvpnserviceDATA:
+	@$(NORMAL_UNINSTALL)
+	@list='$(nmvpnservice_DATA)'; for p in $$list; do \
+	  f=$(am__strip_dir) \
+	  echo " rm -f '$(DESTDIR)$(nmvpnservicedir)/$$f'"; \
+	  rm -f "$(DESTDIR)$(nmvpnservicedir)/$$f"; \
+	done
+
+# This directory's subdirectories are mostly independent; you can cd
+# into them and run `make' without going through this Makefile.
+# To change the values of `make' variables: instead of editing Makefiles,
+# (1) if the variable is set in `config.status', edit `config.status'
+#     (which will cause the Makefiles to be regenerated when you run `make');
+# (2) otherwise, pass the desired values on the `make' command line.
+$(RECURSIVE_TARGETS):
+	@failcom='exit 1'; \
+	for f in x $$MAKEFLAGS; do \
+	  case $$f in \
+	    *=* | --[!k]*);; \
+	    *k*) failcom='fail=yes';; \
+	  esac; \
+	done; \
+	dot_seen=no; \
+	target=`echo $@ | sed s/-recursive//`; \
+	list='$(SUBDIRS)'; for subdir in $$list; do \
+	  echo "Making $$target in $$subdir"; \
+	  if test "$$subdir" = "."; then \
+	    dot_seen=yes; \
+	    local_target="$$target-am"; \
+	  else \
+	    local_target="$$target"; \
+	  fi; \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
+	  || eval $$failcom; \
+	done; \
+	if test "$$dot_seen" = "no"; then \
+	  $(MAKE) $(AM_MAKEFLAGS) "$$target-am" || exit 1; \
+	fi; test -z "$$fail"
+
+$(RECURSIVE_CLEAN_TARGETS):
+	@failcom='exit 1'; \
+	for f in x $$MAKEFLAGS; do \
+	  case $$f in \
+	    *=* | --[!k]*);; \
+	    *k*) failcom='fail=yes';; \
+	  esac; \
+	done; \
+	dot_seen=no; \
+	case "$@" in \
+	  distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \
+	  *) list='$(SUBDIRS)' ;; \
+	esac; \
+	rev=''; for subdir in $$list; do \
+	  if test "$$subdir" = "."; then :; else \
+	    rev="$$subdir $$rev"; \
+	  fi; \
+	done; \
+	rev="$$rev ."; \
+	target=`echo $@ | sed s/-recursive//`; \
+	for subdir in $$rev; do \
+	  echo "Making $$target in $$subdir"; \
+	  if test "$$subdir" = "."; then \
+	    local_target="$$target-am"; \
+	  else \
+	    local_target="$$target"; \
+	  fi; \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
+	  || eval $$failcom; \
+	done && test -z "$$fail"
+tags-recursive:
+	list='$(SUBDIRS)'; for subdir in $$list; do \
+	  test "$$subdir" = . || (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) tags); \
+	done
+ctags-recursive:
+	list='$(SUBDIRS)'; for subdir in $$list; do \
+	  test "$$subdir" = . || (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) ctags); \
+	done
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS: tags-recursive $(HEADERS) $(SOURCES) config.h.in $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	if ($(ETAGS) --etags-include --version) >/dev/null 2>&1; then \
+	  include_option=--etags-include; \
+	  empty_fix=.; \
+	else \
+	  include_option=--include; \
+	  empty_fix=; \
+	fi; \
+	list='$(SUBDIRS)'; for subdir in $$list; do \
+	  if test "$$subdir" = .; then :; else \
+	    test ! -f $$subdir/TAGS || \
+	      tags="$$tags $$include_option=$$here/$$subdir/TAGS"; \
+	  fi; \
+	done; \
+	list='$(SOURCES) $(HEADERS) config.h.in $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	    $$tags $$unique; \
+	fi
+ctags: CTAGS
+CTAGS: ctags-recursive $(HEADERS) $(SOURCES) config.h.in $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	list='$(SOURCES) $(HEADERS) config.h.in $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$tags $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) $$here
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	$(am__remove_distdir)
+	test -d $(distdir) || mkdir $(distdir)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	    fi; \
+	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+	list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
+	  if test "$$subdir" = .; then :; else \
+	    test -d "$(distdir)/$$subdir" \
+	    || $(MKDIR_P) "$(distdir)/$$subdir" \
+	    || exit 1; \
+	    distdir=`$(am__cd) $(distdir) && pwd`; \
+	    top_distdir=`$(am__cd) $(top_distdir) && pwd`; \
+	    (cd $$subdir && \
+	      $(MAKE) $(AM_MAKEFLAGS) \
+	        top_distdir="$$top_distdir" \
+	        distdir="$$distdir/$$subdir" \
+		am__remove_distdir=: \
+		am__skip_length_check=: \
+	        distdir) \
+	      || exit 1; \
+	  fi; \
+	done
+	-find $(distdir) -type d ! -perm -777 -exec chmod a+rwx {} \; -o \
+	  ! -type d ! -perm -444 -links 1 -exec chmod a+r {} \; -o \
+	  ! -type d ! -perm -400 -exec chmod a+r {} \; -o \
+	  ! -type d ! -perm -444 -exec $(install_sh) -c -m a+r {} {} \; \
+	|| chmod -R a+r $(distdir)
+dist-gzip: distdir
+	tardir=$(distdir) && $(am__tar) | GZIP=$(GZIP_ENV) gzip -c >$(distdir).tar.gz
+	$(am__remove_distdir)
+
+dist-bzip2: distdir
+	tardir=$(distdir) && $(am__tar) | bzip2 -9 -c >$(distdir).tar.bz2
+	$(am__remove_distdir)
+
+dist-lzma: distdir
+	tardir=$(distdir) && $(am__tar) | lzma -9 -c >$(distdir).tar.lzma
+	$(am__remove_distdir)
+
+dist-tarZ: distdir
+	tardir=$(distdir) && $(am__tar) | compress -c >$(distdir).tar.Z
+	$(am__remove_distdir)
+
+dist-shar: distdir
+	shar $(distdir) | GZIP=$(GZIP_ENV) gzip -c >$(distdir).shar.gz
+	$(am__remove_distdir)
+
+dist-zip: distdir
+	-rm -f $(distdir).zip
+	zip -rq $(distdir).zip $(distdir)
+	$(am__remove_distdir)
+
+dist dist-all: distdir
+	tardir=$(distdir) && $(am__tar) | GZIP=$(GZIP_ENV) gzip -c >$(distdir).tar.gz
+	$(am__remove_distdir)
+
+# This target untars the dist file and tries a VPATH configuration.  Then
+# it guarantees that the distribution is self-contained by making another
+# tarfile.
+distcheck: dist
+	case '$(DIST_ARCHIVES)' in \
+	*.tar.gz*) \
+	  GZIP=$(GZIP_ENV) gunzip -c $(distdir).tar.gz | $(am__untar) ;;\
+	*.tar.bz2*) \
+	  bunzip2 -c $(distdir).tar.bz2 | $(am__untar) ;;\
+	*.tar.lzma*) \
+	  unlzma -c $(distdir).tar.lzma | $(am__untar) ;;\
+	*.tar.Z*) \
+	  uncompress -c $(distdir).tar.Z | $(am__untar) ;;\
+	*.shar.gz*) \
+	  GZIP=$(GZIP_ENV) gunzip -c $(distdir).shar.gz | unshar ;;\
+	*.zip*) \
+	  unzip $(distdir).zip ;;\
+	esac
+	chmod -R a-w $(distdir); chmod a+w $(distdir)
+	mkdir $(distdir)/_build
+	mkdir $(distdir)/_inst
+	chmod a-w $(distdir)
+	dc_install_base=`$(am__cd) $(distdir)/_inst && pwd | sed -e 's,^[^:\\/]:[\\/],/,'` \
+	  && dc_destdir="$${TMPDIR-/tmp}/am-dc-$$$$/" \
+	  && cd $(distdir)/_build \
+	  && ../configure --srcdir=.. --prefix="$$dc_install_base" \
+	    $(DISTCHECK_CONFIGURE_FLAGS) \
+	  && $(MAKE) $(AM_MAKEFLAGS) \
+	  && $(MAKE) $(AM_MAKEFLAGS) dvi \
+	  && $(MAKE) $(AM_MAKEFLAGS) check \
+	  && $(MAKE) $(AM_MAKEFLAGS) install \
+	  && $(MAKE) $(AM_MAKEFLAGS) installcheck \
+	  && $(MAKE) $(AM_MAKEFLAGS) uninstall \
+	  && $(MAKE) $(AM_MAKEFLAGS) distuninstallcheck_dir="$$dc_install_base" \
+	        distuninstallcheck \
+	  && chmod -R a-w "$$dc_install_base" \
+	  && ({ \
+	       (cd ../.. && umask 077 && mkdir "$$dc_destdir") \
+	       && $(MAKE) $(AM_MAKEFLAGS) DESTDIR="$$dc_destdir" install \
+	       && $(MAKE) $(AM_MAKEFLAGS) DESTDIR="$$dc_destdir" uninstall \
+	       && $(MAKE) $(AM_MAKEFLAGS) DESTDIR="$$dc_destdir" \
+	            distuninstallcheck_dir="$$dc_destdir" distuninstallcheck; \
+	      } || { rm -rf "$$dc_destdir"; exit 1; }) \
+	  && rm -rf "$$dc_destdir" \
+	  && $(MAKE) $(AM_MAKEFLAGS) dist \
+	  && rm -rf $(DIST_ARCHIVES) \
+	  && $(MAKE) $(AM_MAKEFLAGS) distcleancheck
+	$(am__remove_distdir)
+	@(echo "$(distdir) archives ready for distribution: "; \
+	  list='$(DIST_ARCHIVES)'; for i in $$list; do echo $$i; done) | \
+	  sed -e 1h -e 1s/./=/g -e 1p -e 1x -e '$$p' -e '$$x'
+distuninstallcheck:
+	@cd $(distuninstallcheck_dir) \
+	&& test `$(distuninstallcheck_listfiles) | wc -l` -le 1 \
+	   || { echo "ERROR: files left after uninstall:" ; \
+	        if test -n "$(DESTDIR)"; then \
+	          echo "  (check DESTDIR support)"; \
+	        fi ; \
+	        $(distuninstallcheck_listfiles) ; \
+	        exit 1; } >&2
+distcleancheck: distclean
+	@if test '$(srcdir)' = . ; then \
+	  echo "ERROR: distcleancheck can only run from a VPATH build" ; \
+	  exit 1 ; \
+	fi
+	@test `$(distcleancheck_listfiles) | wc -l` -eq 0 \
+	  || { echo "ERROR: files left in build directory after distclean:" ; \
+	       $(distcleancheck_listfiles) ; \
+	       exit 1; } >&2
+check-am: all-am
+check: check-recursive
+all-am: Makefile $(DATA) config.h
+installdirs: installdirs-recursive
+installdirs-am:
+	for dir in "$(DESTDIR)$(dbusservicedir)" "$(DESTDIR)$(nmvpnservicedir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-recursive
+install-exec: install-exec-recursive
+install-data: install-data-recursive
+uninstall: uninstall-recursive
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-recursive
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test -z "$(DISTCLEANFILES)" || rm -f $(DISTCLEANFILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-recursive
+
+clean-am: clean-generic clean-libtool mostlyclean-am
+
+distclean: distclean-recursive
+	-rm -f $(am__CONFIG_DISTCLEAN_FILES)
+	-rm -f Makefile
+distclean-am: clean-am distclean-generic distclean-hdr \
+	distclean-libtool distclean-tags
+
+dvi: dvi-recursive
+
+dvi-am:
+
+html: html-recursive
+
+info: info-recursive
+
+info-am:
+
+install-data-am: install-dbusserviceDATA install-nmvpnserviceDATA
+
+install-dvi: install-dvi-recursive
+
+install-exec-am:
+
+install-html: install-html-recursive
+
+install-info: install-info-recursive
+
+install-man:
+
+install-pdf: install-pdf-recursive
+
+install-ps: install-ps-recursive
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-recursive
+	-rm -f $(am__CONFIG_DISTCLEAN_FILES)
+	-rm -rf $(top_srcdir)/autom4te.cache
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-recursive
+
+mostlyclean-am: mostlyclean-generic mostlyclean-libtool
+
+pdf: pdf-recursive
+
+pdf-am:
+
+ps: ps-recursive
+
+ps-am:
+
+uninstall-am: uninstall-dbusserviceDATA uninstall-nmvpnserviceDATA
+
+.MAKE: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) install-am \
+	install-strip
+
+.PHONY: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) CTAGS GTAGS \
+	all all-am am--refresh check check-am clean clean-generic \
+	clean-libtool ctags ctags-recursive dist dist-all dist-bzip2 \
+	dist-gzip dist-lzma dist-shar dist-tarZ dist-zip distcheck \
+	distclean distclean-generic distclean-hdr distclean-libtool \
+	distclean-tags distcleancheck distdir distuninstallcheck dvi \
+	dvi-am html html-am info info-am install install-am \
+	install-data install-data-am install-dbusserviceDATA \
+	install-dvi install-dvi-am install-exec install-exec-am \
+	install-html install-html-am install-info install-info-am \
+	install-man install-nmvpnserviceDATA install-pdf \
+	install-pdf-am install-ps install-ps-am install-strip \
+	installcheck installcheck-am installdirs installdirs-am \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags tags-recursive uninstall uninstall-am \
+	uninstall-dbusserviceDATA uninstall-nmvpnserviceDATA
+
+
+@INTLTOOL_DESKTOP_RULE@
+
+nm-strongswan-service.name: $(srcdir)/nm-strongswan-service.name.in
+	sed -e 's|[@]LIBEXECDIR[@]|$(libexecdir)|' \
+		-e 's|[@]CHARON[@]|$(charon)|' $< >$@
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/charon/plugins/nm/gnome/aclocal.m4 b/src/charon/plugins/nm/gnome/aclocal.m4
new file mode 100644
index 000000000..f7e0859bf
--- /dev/null
+++ b/src/charon/plugins/nm/gnome/aclocal.m4
@@ -0,0 +1,8398 @@
+# generated automatically by aclocal 1.10.1 -*- Autoconf -*-
+
+# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004,
+# 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# This file is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+m4_ifndef([AC_AUTOCONF_VERSION],
+  [m4_copy([m4_PACKAGE_VERSION], [AC_AUTOCONF_VERSION])])dnl
+m4_if(AC_AUTOCONF_VERSION, [2.61],,
+[m4_warning([this file was generated for autoconf 2.61.
+You have another version of autoconf.  It may work, but is not guaranteed to.
+If you have problems, you may need to regenerate the build system entirely.
+To do so, use the procedure documented by the package, typically `autoreconf'.])])
+
+# Copyright (C) 1995-2002 Free Software Foundation, Inc.
+# Copyright (C) 2001-2003,2004 Red Hat, Inc.
+#
+# This file is free software, distributed under the terms of the GNU
+# General Public License.  As a special exception to the GNU General
+# Public License, this file may be distributed as part of a program
+# that contains a configuration script generated by Autoconf, under
+# the same distribution terms as the rest of that program.
+#
+# This file can be copied and used freely without restrictions.  It can
+# be used in projects which are not available under the GNU Public License
+# but which still want to provide support for the GNU gettext functionality.
+#
+# Macro to add for using GNU gettext.
+# Ulrich Drepper <drepper@cygnus.com>, 1995, 1996
+#
+# Modified to never use included libintl. 
+# Owen Taylor <otaylor@redhat.com>, 12/15/1998
+#
+# Major rework to remove unused code
+# Owen Taylor <otaylor@redhat.com>, 12/11/2002
+#
+# Added better handling of ALL_LINGUAS from GNU gettext version 
+# written by Bruno Haible, Owen Taylor <otaylor.redhat.com> 5/30/3002
+#
+# Modified to require ngettext
+# Matthias Clasen <mclasen@redhat.com> 08/06/2004
+#
+# We need this here as well, since someone might use autoconf-2.5x
+# to configure GLib then an older version to configure a package
+# using AM_GLIB_GNU_GETTEXT
+AC_PREREQ(2.53)
+
+dnl
+dnl We go to great lengths to make sure that aclocal won't 
+dnl try to pull in the installed version of these macros
+dnl when running aclocal in the glib directory.
+dnl
+m4_copy([AC_DEFUN],[glib_DEFUN])
+m4_copy([AC_REQUIRE],[glib_REQUIRE])
+dnl
+dnl At the end, if we're not within glib, we'll define the public
+dnl definitions in terms of our private definitions.
+dnl
+
+# GLIB_LC_MESSAGES
+#--------------------
+glib_DEFUN([GLIB_LC_MESSAGES],
+  [AC_CHECK_HEADERS([locale.h])
+    if test $ac_cv_header_locale_h = yes; then
+    AC_CACHE_CHECK([for LC_MESSAGES], am_cv_val_LC_MESSAGES,
+      [AC_TRY_LINK([#include <locale.h>], [return LC_MESSAGES],
+       am_cv_val_LC_MESSAGES=yes, am_cv_val_LC_MESSAGES=no)])
+    if test $am_cv_val_LC_MESSAGES = yes; then
+      AC_DEFINE(HAVE_LC_MESSAGES, 1,
+        [Define if your <locale.h> file defines LC_MESSAGES.])
+    fi
+  fi])
+
+# GLIB_PATH_PROG_WITH_TEST
+#----------------------------
+dnl GLIB_PATH_PROG_WITH_TEST(VARIABLE, PROG-TO-CHECK-FOR,
+dnl   TEST-PERFORMED-ON-FOUND_PROGRAM [, VALUE-IF-NOT-FOUND [, PATH]])
+glib_DEFUN([GLIB_PATH_PROG_WITH_TEST],
+[# Extract the first word of "$2", so it can be a program name with args.
+set dummy $2; ac_word=[$]2
+AC_MSG_CHECKING([for $ac_word])
+AC_CACHE_VAL(ac_cv_path_$1,
+[case "[$]$1" in
+  /*)
+  ac_cv_path_$1="[$]$1" # Let the user override the test with a path.
+  ;;
+  *)
+  IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS="${IFS}:"
+  for ac_dir in ifelse([$5], , $PATH, [$5]); do
+    test -z "$ac_dir" && ac_dir=.
+    if test -f $ac_dir/$ac_word; then
+      if [$3]; then
+	ac_cv_path_$1="$ac_dir/$ac_word"
+	break
+      fi
+    fi
+  done
+  IFS="$ac_save_ifs"
+dnl If no 4th arg is given, leave the cache variable unset,
+dnl so AC_PATH_PROGS will keep looking.
+ifelse([$4], , , [  test -z "[$]ac_cv_path_$1" && ac_cv_path_$1="$4"
+])dnl
+  ;;
+esac])dnl
+$1="$ac_cv_path_$1"
+if test ifelse([$4], , [-n "[$]$1"], ["[$]$1" != "$4"]); then
+  AC_MSG_RESULT([$]$1)
+else
+  AC_MSG_RESULT(no)
+fi
+AC_SUBST($1)dnl
+])
+
+# GLIB_WITH_NLS
+#-----------------
+glib_DEFUN([GLIB_WITH_NLS],
+  dnl NLS is obligatory
+  [USE_NLS=yes
+    AC_SUBST(USE_NLS)
+
+    gt_cv_have_gettext=no
+
+    CATOBJEXT=NONE
+    XGETTEXT=:
+    INTLLIBS=
+
+    AC_CHECK_HEADER(libintl.h,
+     [gt_cv_func_dgettext_libintl="no"
+      libintl_extra_libs=""
+
+      #
+      # First check in libc
+      #
+      AC_CACHE_CHECK([for ngettext in libc], gt_cv_func_ngettext_libc,
+        [AC_TRY_LINK([
+#include <libintl.h>
+],
+         [return !ngettext ("","", 1)],
+	  gt_cv_func_ngettext_libc=yes,
+          gt_cv_func_ngettext_libc=no)
+        ])
+  
+      if test "$gt_cv_func_ngettext_libc" = "yes" ; then
+	      AC_CACHE_CHECK([for dgettext in libc], gt_cv_func_dgettext_libc,
+        	[AC_TRY_LINK([
+#include <libintl.h>
+],
+	          [return !dgettext ("","")],
+		  gt_cv_func_dgettext_libc=yes,
+	          gt_cv_func_dgettext_libc=no)
+        	])
+      fi
+  
+      if test "$gt_cv_func_ngettext_libc" = "yes" ; then
+        AC_CHECK_FUNCS(bind_textdomain_codeset)
+      fi
+
+      #
+      # If we don't have everything we want, check in libintl
+      #
+      if test "$gt_cv_func_dgettext_libc" != "yes" \
+	 || test "$gt_cv_func_ngettext_libc" != "yes" \
+         || test "$ac_cv_func_bind_textdomain_codeset" != "yes" ; then
+        
+        AC_CHECK_LIB(intl, bindtextdomain,
+	    [AC_CHECK_LIB(intl, ngettext,
+		    [AC_CHECK_LIB(intl, dgettext,
+			          gt_cv_func_dgettext_libintl=yes)])])
+
+	if test "$gt_cv_func_dgettext_libintl" != "yes" ; then
+	  AC_MSG_CHECKING([if -liconv is needed to use gettext])
+	  AC_MSG_RESULT([])
+  	  AC_CHECK_LIB(intl, ngettext,
+          	[AC_CHECK_LIB(intl, dcgettext,
+		       [gt_cv_func_dgettext_libintl=yes
+			libintl_extra_libs=-liconv],
+			:,-liconv)],
+		:,-liconv)
+        fi
+
+        #
+        # If we found libintl, then check in it for bind_textdomain_codeset();
+        # we'll prefer libc if neither have bind_textdomain_codeset(),
+        # and both have dgettext and ngettext
+        #
+        if test "$gt_cv_func_dgettext_libintl" = "yes" ; then
+          glib_save_LIBS="$LIBS"
+          LIBS="$LIBS -lintl $libintl_extra_libs"
+          unset ac_cv_func_bind_textdomain_codeset
+          AC_CHECK_FUNCS(bind_textdomain_codeset)
+          LIBS="$glib_save_LIBS"
+
+          if test "$ac_cv_func_bind_textdomain_codeset" = "yes" ; then
+            gt_cv_func_dgettext_libc=no
+          else
+            if test "$gt_cv_func_dgettext_libc" = "yes" \
+		&& test "$gt_cv_func_ngettext_libc" = "yes"; then
+              gt_cv_func_dgettext_libintl=no
+            fi
+          fi
+        fi
+      fi
+
+      if test "$gt_cv_func_dgettext_libc" = "yes" \
+	|| test "$gt_cv_func_dgettext_libintl" = "yes"; then
+        gt_cv_have_gettext=yes
+      fi
+  
+      if test "$gt_cv_func_dgettext_libintl" = "yes"; then
+        INTLLIBS="-lintl $libintl_extra_libs"
+      fi
+  
+      if test "$gt_cv_have_gettext" = "yes"; then
+	AC_DEFINE(HAVE_GETTEXT,1,
+	  [Define if the GNU gettext() function is already present or preinstalled.])
+	GLIB_PATH_PROG_WITH_TEST(MSGFMT, msgfmt,
+	  [test -z "`$ac_dir/$ac_word -h 2>&1 | grep 'dv '`"], no)dnl
+	if test "$MSGFMT" != "no"; then
+          glib_save_LIBS="$LIBS"
+          LIBS="$LIBS $INTLLIBS"
+	  AC_CHECK_FUNCS(dcgettext)
+	  MSGFMT_OPTS=
+	  AC_MSG_CHECKING([if msgfmt accepts -c])
+	  GLIB_RUN_PROG([$MSGFMT -c -o /dev/null],[
+msgid ""
+msgstr ""
+"Content-Type: text/plain; charset=UTF-8\n"
+"Project-Id-Version: test 1.0\n"
+"PO-Revision-Date: 2007-02-15 12:01+0100\n"
+"Last-Translator: test <foo@bar.xx>\n"
+"Language-Team: C <LL@li.org>\n"
+"MIME-Version: 1.0\n"
+"Content-Transfer-Encoding: 8bit\n"
+], [MSGFMT_OPTS=-c; AC_MSG_RESULT([yes])], [AC_MSG_RESULT([no])])
+	  AC_SUBST(MSGFMT_OPTS)
+	  AC_PATH_PROG(GMSGFMT, gmsgfmt, $MSGFMT)
+	  GLIB_PATH_PROG_WITH_TEST(XGETTEXT, xgettext,
+	    [test -z "`$ac_dir/$ac_word -h 2>&1 | grep '(HELP)'`"], :)
+	  AC_TRY_LINK(, [extern int _nl_msg_cat_cntr;
+			 return _nl_msg_cat_cntr],
+	    [CATOBJEXT=.gmo 
+             DATADIRNAME=share],
+	    [case $host in
+	    *-*-solaris*)
+	    dnl On Solaris, if bind_textdomain_codeset is in libc,
+	    dnl GNU format message catalog is always supported,
+            dnl since both are added to the libc all together.
+	    dnl Hence, we'd like to go with DATADIRNAME=share and
+	    dnl and CATOBJEXT=.gmo in this case.
+            AC_CHECK_FUNC(bind_textdomain_codeset,
+	      [CATOBJEXT=.gmo 
+               DATADIRNAME=share],
+	      [CATOBJEXT=.mo
+               DATADIRNAME=lib])
+	    ;;
+	    *)
+	    CATOBJEXT=.mo
+            DATADIRNAME=lib
+	    ;;
+	    esac])
+          LIBS="$glib_save_LIBS"
+	  INSTOBJEXT=.mo
+	else
+	  gt_cv_have_gettext=no
+	fi
+      fi
+    ])
+
+    if test "$gt_cv_have_gettext" = "yes" ; then
+      AC_DEFINE(ENABLE_NLS, 1,
+        [always defined to indicate that i18n is enabled])
+    fi
+
+    dnl Test whether we really found GNU xgettext.
+    if test "$XGETTEXT" != ":"; then
+      dnl If it is not GNU xgettext we define it as : so that the
+      dnl Makefiles still can work.
+      if $XGETTEXT --omit-header /dev/null 2> /dev/null; then
+        : ;
+      else
+        AC_MSG_RESULT(
+	  [found xgettext program is not GNU xgettext; ignore it])
+        XGETTEXT=":"
+      fi
+    fi
+
+    # We need to process the po/ directory.
+    POSUB=po
+
+    AC_OUTPUT_COMMANDS(
+      [case "$CONFIG_FILES" in *po/Makefile.in*)
+        sed -e "/POTFILES =/r po/POTFILES" po/Makefile.in > po/Makefile
+      esac])
+
+    dnl These rules are solely for the distribution goal.  While doing this
+    dnl we only have to keep exactly one list of the available catalogs
+    dnl in configure.in.
+    for lang in $ALL_LINGUAS; do
+      GMOFILES="$GMOFILES $lang.gmo"
+      POFILES="$POFILES $lang.po"
+    done
+
+    dnl Make all variables we use known to autoconf.
+    AC_SUBST(CATALOGS)
+    AC_SUBST(CATOBJEXT)
+    AC_SUBST(DATADIRNAME)
+    AC_SUBST(GMOFILES)
+    AC_SUBST(INSTOBJEXT)
+    AC_SUBST(INTLLIBS)
+    AC_SUBST(PO_IN_DATADIR_TRUE)
+    AC_SUBST(PO_IN_DATADIR_FALSE)
+    AC_SUBST(POFILES)
+    AC_SUBST(POSUB)
+  ])
+
+# AM_GLIB_GNU_GETTEXT
+# -------------------
+# Do checks necessary for use of gettext. If a suitable implementation 
+# of gettext is found in either in libintl or in the C library,
+# it will set INTLLIBS to the libraries needed for use of gettext
+# and AC_DEFINE() HAVE_GETTEXT and ENABLE_NLS. (The shell variable
+# gt_cv_have_gettext will be set to "yes".) It will also call AC_SUBST()
+# on various variables needed by the Makefile.in.in installed by 
+# glib-gettextize.
+dnl
+glib_DEFUN([GLIB_GNU_GETTEXT],
+  [AC_REQUIRE([AC_PROG_CC])dnl
+   AC_REQUIRE([AC_HEADER_STDC])dnl
+   
+   GLIB_LC_MESSAGES
+   GLIB_WITH_NLS
+
+   if test "$gt_cv_have_gettext" = "yes"; then
+     if test "x$ALL_LINGUAS" = "x"; then
+       LINGUAS=
+     else
+       AC_MSG_CHECKING(for catalogs to be installed)
+       NEW_LINGUAS=
+       for presentlang in $ALL_LINGUAS; do
+         useit=no
+         if test "%UNSET%" != "${LINGUAS-%UNSET%}"; then
+           desiredlanguages="$LINGUAS"
+         else
+           desiredlanguages="$ALL_LINGUAS"
+         fi
+         for desiredlang in $desiredlanguages; do
+ 	   # Use the presentlang catalog if desiredlang is
+           #   a. equal to presentlang, or
+           #   b. a variant of presentlang (because in this case,
+           #      presentlang can be used as a fallback for messages
+           #      which are not translated in the desiredlang catalog).
+           case "$desiredlang" in
+             "$presentlang"*) useit=yes;;
+           esac
+         done
+         if test $useit = yes; then
+           NEW_LINGUAS="$NEW_LINGUAS $presentlang"
+         fi
+       done
+       LINGUAS=$NEW_LINGUAS
+       AC_MSG_RESULT($LINGUAS)
+     fi
+
+     dnl Construct list of names of catalog files to be constructed.
+     if test -n "$LINGUAS"; then
+       for lang in $LINGUAS; do CATALOGS="$CATALOGS $lang$CATOBJEXT"; done
+     fi
+   fi
+
+   dnl If the AC_CONFIG_AUX_DIR macro for autoconf is used we possibly
+   dnl find the mkinstalldirs script in another subdir but ($top_srcdir).
+   dnl Try to locate is.
+   MKINSTALLDIRS=
+   if test -n "$ac_aux_dir"; then
+     MKINSTALLDIRS="$ac_aux_dir/mkinstalldirs"
+   fi
+   if test -z "$MKINSTALLDIRS"; then
+     MKINSTALLDIRS="\$(top_srcdir)/mkinstalldirs"
+   fi
+   AC_SUBST(MKINSTALLDIRS)
+
+   dnl Generate list of files to be processed by xgettext which will
+   dnl be included in po/Makefile.
+   test -d po || mkdir po
+   if test "x$srcdir" != "x."; then
+     if test "x`echo $srcdir | sed 's@/.*@@'`" = "x"; then
+       posrcprefix="$srcdir/"
+     else
+       posrcprefix="../$srcdir/"
+     fi
+   else
+     posrcprefix="../"
+   fi
+   rm -f po/POTFILES
+   sed -e "/^#/d" -e "/^\$/d" -e "s,.*,	$posrcprefix& \\\\," -e "\$s/\(.*\) \\\\/\1/" \
+	< $srcdir/po/POTFILES.in > po/POTFILES
+  ])
+
+# AM_GLIB_DEFINE_LOCALEDIR(VARIABLE)
+# -------------------------------
+# Define VARIABLE to the location where catalog files will
+# be installed by po/Makefile.
+glib_DEFUN([GLIB_DEFINE_LOCALEDIR],
+[glib_REQUIRE([GLIB_GNU_GETTEXT])dnl
+glib_save_prefix="$prefix"
+glib_save_exec_prefix="$exec_prefix"
+glib_save_datarootdir="$datarootdir"
+test "x$prefix" = xNONE && prefix=$ac_default_prefix
+test "x$exec_prefix" = xNONE && exec_prefix=$prefix
+datarootdir=`eval echo "${datarootdir}"`
+if test "x$CATOBJEXT" = "x.mo" ; then
+  localedir=`eval echo "${libdir}/locale"`
+else
+  localedir=`eval echo "${datadir}/locale"`
+fi
+prefix="$glib_save_prefix"
+exec_prefix="$glib_save_exec_prefix"
+datarootdir="$glib_save_datarootdir"
+AC_DEFINE_UNQUOTED($1, "$localedir",
+  [Define the location where the catalogs will be installed])
+])
+
+dnl
+dnl Now the definitions that aclocal will find
+dnl
+ifdef(glib_configure_in,[],[
+AC_DEFUN([AM_GLIB_GNU_GETTEXT],[GLIB_GNU_GETTEXT($@)])
+AC_DEFUN([AM_GLIB_DEFINE_LOCALEDIR],[GLIB_DEFINE_LOCALEDIR($@)])
+])dnl
+
+# GLIB_RUN_PROG(PROGRAM, TEST-FILE, [ACTION-IF-PASS], [ACTION-IF-FAIL])
+# 
+# Create a temporary file with TEST-FILE as its contents and pass the
+# file name to PROGRAM.  Perform ACTION-IF-PASS if PROGRAM exits with
+# 0 and perform ACTION-IF-FAIL for any other exit status.
+AC_DEFUN([GLIB_RUN_PROG],
+[cat >conftest.foo <<_ACEOF
+$2
+_ACEOF
+if AC_RUN_LOG([$1 conftest.foo]); then
+  m4_ifval([$3], [$3], [:])
+m4_ifvaln([$4], [else $4])dnl
+echo "$as_me: failed input was:" >&AS_MESSAGE_LOG_FD
+sed 's/^/| /' conftest.foo >&AS_MESSAGE_LOG_FD
+fi])
+
+
+
+dnl IT_PROG_INTLTOOL([MINIMUM-VERSION], [no-xml])
+# serial 36 IT_PROG_INTLTOOL
+AC_DEFUN([IT_PROG_INTLTOOL],
+[AC_PREREQ([2.50])dnl
+
+case "$am__api_version" in
+    1.[01234])
+	AC_MSG_ERROR([Automake 1.5 or newer is required to use intltool])
+    ;;
+    *)
+    ;;
+esac
+
+if test -n "$1"; then
+    AC_MSG_CHECKING([for intltool >= $1])
+
+    INTLTOOL_REQUIRED_VERSION_AS_INT=`echo $1 | awk -F. '{ print $ 1 * 1000 + $ 2 * 100 + $ 3; }'`
+    INTLTOOL_APPLIED_VERSION=`awk -F\" '/\\$VERSION / { print $ 2; }' ${ac_aux_dir}/intltool-update.in`
+    [INTLTOOL_APPLIED_VERSION_AS_INT=`awk -F\" '/\\$VERSION / { split($ 2, VERSION, "."); print VERSION[1] * 1000 + VERSION[2] * 100 + VERSION[3];}' ${ac_aux_dir}/intltool-update.in`
+    ]
+    AC_MSG_RESULT([$INTLTOOL_APPLIED_VERSION found])
+    test "$INTLTOOL_APPLIED_VERSION_AS_INT" -ge "$INTLTOOL_REQUIRED_VERSION_AS_INT" ||
+	AC_MSG_ERROR([Your intltool is too old.  You need intltool $1 or later.])
+fi
+
+  INTLTOOL_DESKTOP_RULE='%.desktop:   %.desktop.in   $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -d -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< [$]@' 
+INTLTOOL_DIRECTORY_RULE='%.directory: %.directory.in $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -d -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< [$]@' 
+     INTLTOOL_KEYS_RULE='%.keys:      %.keys.in      $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -k -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< [$]@' 
+     INTLTOOL_PROP_RULE='%.prop:      %.prop.in      $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -d -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< [$]@' 
+      INTLTOOL_OAF_RULE='%.oaf:       %.oaf.in       $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -o -p $(top_srcdir)/po $< [$]@'
+     INTLTOOL_PONG_RULE='%.pong:      %.pong.in      $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -x -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< [$]@' 
+   INTLTOOL_SERVER_RULE='%.server:    %.server.in    $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -o -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< [$]@' 
+    INTLTOOL_SHEET_RULE='%.sheet:     %.sheet.in     $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -x -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< [$]@' 
+INTLTOOL_SOUNDLIST_RULE='%.soundlist: %.soundlist.in $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -d -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< [$]@' 
+       INTLTOOL_UI_RULE='%.ui:        %.ui.in        $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -x -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< [$]@' 
+      INTLTOOL_XML_RULE='%.xml:       %.xml.in       $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -x -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< [$]@' 
+      INTLTOOL_XML_NOMERGE_RULE='%.xml:       %.xml.in       $(INTLTOOL_MERGE) ; LC_ALL=C $(INTLTOOL_MERGE) -x -u /tmp $< [$]@' 
+      INTLTOOL_XAM_RULE='%.xam:       %.xml.in       $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -x -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< [$]@' 
+      INTLTOOL_KBD_RULE='%.kbd:       %.kbd.in       $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -x -u -m -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< [$]@' 
+    INTLTOOL_CAVES_RULE='%.caves:     %.caves.in     $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -d -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< [$]@' 
+  INTLTOOL_SCHEMAS_RULE='%.schemas:   %.schemas.in   $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -s -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< [$]@' 
+    INTLTOOL_THEME_RULE='%.theme:     %.theme.in     $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -d -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< [$]@' 
+    INTLTOOL_SERVICE_RULE='%.service: %.service.in   $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -d -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< [$]@'
+   INTLTOOL_POLICY_RULE='%.policy:    %.policy.in    $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -x -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< [$]@'
+
+AC_SUBST(INTLTOOL_DESKTOP_RULE)
+AC_SUBST(INTLTOOL_DIRECTORY_RULE)
+AC_SUBST(INTLTOOL_KEYS_RULE)
+AC_SUBST(INTLTOOL_PROP_RULE)
+AC_SUBST(INTLTOOL_OAF_RULE)
+AC_SUBST(INTLTOOL_PONG_RULE)
+AC_SUBST(INTLTOOL_SERVER_RULE)
+AC_SUBST(INTLTOOL_SHEET_RULE)
+AC_SUBST(INTLTOOL_SOUNDLIST_RULE)
+AC_SUBST(INTLTOOL_UI_RULE)
+AC_SUBST(INTLTOOL_XAM_RULE)
+AC_SUBST(INTLTOOL_KBD_RULE)
+AC_SUBST(INTLTOOL_XML_RULE)
+AC_SUBST(INTLTOOL_XML_NOMERGE_RULE)
+AC_SUBST(INTLTOOL_CAVES_RULE)
+AC_SUBST(INTLTOOL_SCHEMAS_RULE)
+AC_SUBST(INTLTOOL_THEME_RULE)
+AC_SUBST(INTLTOOL_SERVICE_RULE)
+AC_SUBST(INTLTOOL_POLICY_RULE)
+
+# Check the gettext tools to make sure they are GNU
+AC_PATH_PROG(XGETTEXT, xgettext)
+AC_PATH_PROG(MSGMERGE, msgmerge)
+AC_PATH_PROG(MSGFMT, msgfmt)
+if test -z "$XGETTEXT" -o -z "$MSGMERGE" -o -z "$MSGFMT"; then
+    AC_MSG_ERROR([GNU gettext tools not found; required for intltool])
+fi
+xgversion="`$XGETTEXT --version|grep '(GNU ' 2> /dev/null`"
+mmversion="`$MSGMERGE --version|grep '(GNU ' 2> /dev/null`"
+mfversion="`$MSGFMT --version|grep '(GNU ' 2> /dev/null`"
+if test -z "$xgversion" -o -z "$mmversion" -o -z "$mfversion"; then
+    AC_MSG_ERROR([GNU gettext tools not found; required for intltool])
+fi
+
+# Use the tools built into the package, not the ones that are installed.
+AC_SUBST(INTLTOOL_EXTRACT, '$(top_builddir)/intltool-extract')
+AC_SUBST(INTLTOOL_MERGE, '$(top_builddir)/intltool-merge')
+AC_SUBST(INTLTOOL_UPDATE, '$(top_builddir)/intltool-update')
+
+AC_PATH_PROG(INTLTOOL_PERL, perl)
+if test -z "$INTLTOOL_PERL"; then
+   AC_MSG_ERROR([perl not found; required for intltool])
+fi
+if test -z "`$INTLTOOL_PERL -v | fgrep '5.' 2> /dev/null`"; then
+   AC_MSG_ERROR([perl 5.x required for intltool])
+fi
+if test "x$2" != "xno-xml"; then
+   AC_MSG_CHECKING([for XML::Parser])
+   if `$INTLTOOL_PERL -e "require XML::Parser" 2>/dev/null`; then
+       AC_MSG_RESULT([ok])
+   else
+       AC_MSG_ERROR([XML::Parser perl module is required for intltool])
+   fi
+fi
+
+# Substitute ALL_LINGUAS so we can use it in po/Makefile
+AC_SUBST(ALL_LINGUAS)
+
+# Set DATADIRNAME correctly if it is not set yet
+# (copied from glib-gettext.m4)
+if test -z "$DATADIRNAME"; then
+  AC_LINK_IFELSE(
+    [AC_LANG_PROGRAM([[]],
+                     [[extern int _nl_msg_cat_cntr;
+                       return _nl_msg_cat_cntr]])],
+    [DATADIRNAME=share],
+    [case $host in
+    *-*-solaris*)
+    dnl On Solaris, if bind_textdomain_codeset is in libc,
+    dnl GNU format message catalog is always supported,
+    dnl since both are added to the libc all together.
+    dnl Hence, we'd like to go with DATADIRNAME=share
+    dnl in this case.
+    AC_CHECK_FUNC(bind_textdomain_codeset,
+      [DATADIRNAME=share], [DATADIRNAME=lib])
+    ;;
+    *)
+    [DATADIRNAME=lib]
+    ;;
+    esac])
+fi
+AC_SUBST(DATADIRNAME)
+
+IT_PO_SUBDIR([po])
+
+dnl The following is very similar to
+dnl
+dnl	AC_CONFIG_FILES([intltool-extract intltool-merge intltool-update])
+dnl
+dnl with the following slight differences:
+dnl  - the *.in files are in ac_aux_dir,
+dnl  - if the file haven't changed upon reconfigure, it's not touched,
+dnl  - the evaluation of the third parameter enables a hack which computes
+dnl    the actual value of $libdir,
+dnl  - the user sees "executing intltool commands", instead of
+dnl    "creating intltool-extract" and such.
+dnl
+dnl Nothing crucial here, and we could use AC_CONFIG_FILES, if there were
+dnl a reason for it.
+
+AC_CONFIG_COMMANDS([intltool], [
+
+for file in intltool-extract intltool-merge intltool-update; do
+  sed -e "s|@INTLTOOL_EXTRACT@|`pwd`/intltool-extract|g" \
+      -e "s|@INTLTOOL_LIBDIR@|${INTLTOOL_LIBDIR}|g" \
+      -e "s|@INTLTOOL_PERL@|${INTLTOOL_PERL}|g" \
+	< ${ac_aux_dir}/${file}.in > ${file}.out
+  if cmp -s ${file} ${file}.out 2>/dev/null; then
+    rm -f ${file}.out
+  else
+    mv -f ${file}.out ${file}
+  fi
+  chmod ugo+x ${file}
+  chmod u+w ${file}
+done
+
+],
+[INTLTOOL_PERL='${INTLTOOL_PERL}' ac_aux_dir='${ac_aux_dir}'
+prefix="$prefix" exec_prefix="$exec_prefix" INTLTOOL_LIBDIR="$libdir" 
+INTLTOOL_EXTRACT='${INTLTOOL_EXTRACT}'])
+
+])
+
+
+# IT_PO_SUBDIR(DIRNAME)
+# ---------------------
+# All po subdirs have to be declared with this macro; the subdir "po" is
+# declared by IT_PROG_INTLTOOL.
+#
+AC_DEFUN([IT_PO_SUBDIR],
+[AC_PREREQ([2.53])dnl We use ac_top_srcdir inside AC_CONFIG_COMMANDS.
+dnl
+dnl The following CONFIG_COMMANDS should be exetuted at the very end
+dnl of config.status.
+AC_CONFIG_COMMANDS_PRE([
+  AC_CONFIG_COMMANDS([$1/stamp-it], [
+    rm -f "$1/stamp-it" "$1/stamp-it.tmp" "$1/POTFILES" "$1/Makefile.tmp"
+    >"$1/stamp-it.tmp"
+    [sed '/^#/d
+	 s/^[[].*] *//
+	 /^[ 	]*$/d
+	'"s|^|	$ac_top_srcdir/|" \
+      "$srcdir/$1/POTFILES.in" | sed '$!s/$/ \\/' >"$1/POTFILES"
+    ]
+    if test ! -f "$1/Makefile"; then
+      AC_MSG_ERROR([$1/Makefile is not ready.])
+    fi
+    mv "$1/Makefile" "$1/Makefile.tmp"
+    [sed '/^POTFILES =/,/[^\\]$/ {
+		/^POTFILES =/!d
+		r $1/POTFILES
+	  }
+	 ' "$1/Makefile.tmp" >"$1/Makefile"]
+    rm -f "$1/Makefile.tmp"
+    mv "$1/stamp-it.tmp" "$1/stamp-it"
+  ])
+])dnl
+])
+
+
+# deprecated macros
+AU_ALIAS([AC_PROG_INTLTOOL], [IT_PROG_INTLTOOL])
+# A hint is needed for aclocal from Automake <= 1.9.4:
+# AC_DEFUN([AC_PROG_INTLTOOL], ...)
+
+
+# libtool.m4 - Configure libtool for the host system. -*-Autoconf-*-
+
+# serial 52 Debian 1.5.26-1ubuntu1 AC_PROG_LIBTOOL
+
+
+# AC_PROVIDE_IFELSE(MACRO-NAME, IF-PROVIDED, IF-NOT-PROVIDED)
+# -----------------------------------------------------------
+# If this macro is not defined by Autoconf, define it here.
+m4_ifdef([AC_PROVIDE_IFELSE],
+         [],
+         [m4_define([AC_PROVIDE_IFELSE],
+	         [m4_ifdef([AC_PROVIDE_$1],
+		           [$2], [$3])])])
+
+
+# AC_PROG_LIBTOOL
+# ---------------
+AC_DEFUN([AC_PROG_LIBTOOL],
+[AC_REQUIRE([_AC_PROG_LIBTOOL])dnl
+dnl If AC_PROG_CXX has already been expanded, run AC_LIBTOOL_CXX
+dnl immediately, otherwise, hook it in at the end of AC_PROG_CXX.
+  AC_PROVIDE_IFELSE([AC_PROG_CXX],
+    [AC_LIBTOOL_CXX],
+    [define([AC_PROG_CXX], defn([AC_PROG_CXX])[AC_LIBTOOL_CXX
+  ])])
+dnl And a similar setup for Fortran 77 support
+  AC_PROVIDE_IFELSE([AC_PROG_F77],
+    [AC_LIBTOOL_F77],
+    [define([AC_PROG_F77], defn([AC_PROG_F77])[AC_LIBTOOL_F77
+])])
+
+dnl Quote A][M_PROG_GCJ so that aclocal doesn't bring it in needlessly.
+dnl If either AC_PROG_GCJ or A][M_PROG_GCJ have already been expanded, run
+dnl AC_LIBTOOL_GCJ immediately, otherwise, hook it in at the end of both.
+  AC_PROVIDE_IFELSE([AC_PROG_GCJ],
+    [AC_LIBTOOL_GCJ],
+    [AC_PROVIDE_IFELSE([A][M_PROG_GCJ],
+      [AC_LIBTOOL_GCJ],
+      [AC_PROVIDE_IFELSE([LT_AC_PROG_GCJ],
+	[AC_LIBTOOL_GCJ],
+      [ifdef([AC_PROG_GCJ],
+	     [define([AC_PROG_GCJ], defn([AC_PROG_GCJ])[AC_LIBTOOL_GCJ])])
+       ifdef([A][M_PROG_GCJ],
+	     [define([A][M_PROG_GCJ], defn([A][M_PROG_GCJ])[AC_LIBTOOL_GCJ])])
+       ifdef([LT_AC_PROG_GCJ],
+	     [define([LT_AC_PROG_GCJ],
+		defn([LT_AC_PROG_GCJ])[AC_LIBTOOL_GCJ])])])])
+])])# AC_PROG_LIBTOOL
+
+
+# _AC_PROG_LIBTOOL
+# ----------------
+AC_DEFUN([_AC_PROG_LIBTOOL],
+[AC_REQUIRE([AC_LIBTOOL_SETUP])dnl
+AC_BEFORE([$0],[AC_LIBTOOL_CXX])dnl
+AC_BEFORE([$0],[AC_LIBTOOL_F77])dnl
+AC_BEFORE([$0],[AC_LIBTOOL_GCJ])dnl
+
+# This can be used to rebuild libtool when needed
+LIBTOOL_DEPS="$ac_aux_dir/ltmain.sh"
+
+# Always use our own libtool.
+LIBTOOL='$(SHELL) $(top_builddir)/libtool'
+AC_SUBST(LIBTOOL)dnl
+
+# Prevent multiple expansion
+define([AC_PROG_LIBTOOL], [])
+])# _AC_PROG_LIBTOOL
+
+
+# AC_LIBTOOL_SETUP
+# ----------------
+AC_DEFUN([AC_LIBTOOL_SETUP],
+[AC_PREREQ(2.50)dnl
+AC_REQUIRE([AC_ENABLE_SHARED])dnl
+AC_REQUIRE([AC_ENABLE_STATIC])dnl
+AC_REQUIRE([AC_ENABLE_FAST_INSTALL])dnl
+AC_REQUIRE([AC_CANONICAL_HOST])dnl
+AC_REQUIRE([AC_CANONICAL_BUILD])dnl
+AC_REQUIRE([AC_PROG_CC])dnl
+AC_REQUIRE([AC_PROG_LD])dnl
+AC_REQUIRE([AC_PROG_LD_RELOAD_FLAG])dnl
+AC_REQUIRE([AC_PROG_NM])dnl
+
+AC_REQUIRE([AC_PROG_LN_S])dnl
+AC_REQUIRE([AC_DEPLIBS_CHECK_METHOD])dnl
+# Autoconf 2.13's AC_OBJEXT and AC_EXEEXT macros only works for C compilers!
+AC_REQUIRE([AC_OBJEXT])dnl
+AC_REQUIRE([AC_EXEEXT])dnl
+dnl
+AC_LIBTOOL_SYS_MAX_CMD_LEN
+AC_LIBTOOL_SYS_GLOBAL_SYMBOL_PIPE
+AC_LIBTOOL_OBJDIR
+
+AC_REQUIRE([_LT_AC_SYS_COMPILER])dnl
+_LT_AC_PROG_ECHO_BACKSLASH
+
+case $host_os in
+aix3*)
+  # AIX sometimes has problems with the GCC collect2 program.  For some
+  # reason, if we set the COLLECT_NAMES environment variable, the problems
+  # vanish in a puff of smoke.
+  if test "X${COLLECT_NAMES+set}" != Xset; then
+    COLLECT_NAMES=
+    export COLLECT_NAMES
+  fi
+  ;;
+esac
+
+# Sed substitution that helps us do robust quoting.  It backslashifies
+# metacharacters that are still active within double-quoted strings.
+Xsed='sed -e 1s/^X//'
+[sed_quote_subst='s/\([\\"\\`$\\\\]\)/\\\1/g']
+
+# Same as above, but do not quote variable references.
+[double_quote_subst='s/\([\\"\\`\\\\]\)/\\\1/g']
+
+# Sed substitution to delay expansion of an escaped shell variable in a
+# double_quote_subst'ed string.
+delay_variable_subst='s/\\\\\\\\\\\$/\\\\\\$/g'
+
+# Sed substitution to avoid accidental globbing in evaled expressions
+no_glob_subst='s/\*/\\\*/g'
+
+# Constants:
+rm="rm -f"
+
+# Global variables:
+default_ofile=libtool
+can_build_shared=yes
+
+# All known linkers require a `.a' archive for static linking (except MSVC,
+# which needs '.lib').
+libext=a
+ltmain="$ac_aux_dir/ltmain.sh"
+ofile="$default_ofile"
+with_gnu_ld="$lt_cv_prog_gnu_ld"
+
+AC_CHECK_TOOL(AR, ar, false)
+AC_CHECK_TOOL(RANLIB, ranlib, :)
+AC_CHECK_TOOL(STRIP, strip, :)
+
+old_CC="$CC"
+old_CFLAGS="$CFLAGS"
+
+# Set sane defaults for various variables
+test -z "$AR" && AR=ar
+test -z "$AR_FLAGS" && AR_FLAGS=cru
+test -z "$AS" && AS=as
+test -z "$CC" && CC=cc
+test -z "$LTCC" && LTCC=$CC
+test -z "$LTCFLAGS" && LTCFLAGS=$CFLAGS
+test -z "$DLLTOOL" && DLLTOOL=dlltool
+test -z "$LD" && LD=ld
+test -z "$LN_S" && LN_S="ln -s"
+test -z "$MAGIC_CMD" && MAGIC_CMD=file
+test -z "$NM" && NM=nm
+test -z "$SED" && SED=sed
+test -z "$OBJDUMP" && OBJDUMP=objdump
+test -z "$RANLIB" && RANLIB=:
+test -z "$STRIP" && STRIP=:
+test -z "$ac_objext" && ac_objext=o
+
+# Determine commands to create old-style static archives.
+old_archive_cmds='$AR $AR_FLAGS $oldlib$oldobjs'
+old_postinstall_cmds='chmod 644 $oldlib'
+old_postuninstall_cmds=
+
+if test -n "$RANLIB"; then
+  case $host_os in
+  openbsd*)
+    old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB -t \$oldlib"
+    ;;
+  *)
+    old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB \$oldlib"
+    ;;
+  esac
+  old_archive_cmds="$old_archive_cmds~\$RANLIB \$oldlib"
+fi
+
+_LT_CC_BASENAME([$compiler])
+
+# Only perform the check for file, if the check method requires it
+case $deplibs_check_method in
+file_magic*)
+  if test "$file_magic_cmd" = '$MAGIC_CMD'; then
+    AC_PATH_MAGIC
+  fi
+  ;;
+esac
+
+_LT_REQUIRED_DARWIN_CHECKS
+
+AC_PROVIDE_IFELSE([AC_LIBTOOL_DLOPEN], enable_dlopen=yes, enable_dlopen=no)
+AC_PROVIDE_IFELSE([AC_LIBTOOL_WIN32_DLL],
+enable_win32_dll=yes, enable_win32_dll=no)
+
+AC_ARG_ENABLE([libtool-lock],
+    [AC_HELP_STRING([--disable-libtool-lock],
+	[avoid locking (might break parallel builds)])])
+test "x$enable_libtool_lock" != xno && enable_libtool_lock=yes
+
+AC_ARG_WITH([pic],
+    [AC_HELP_STRING([--with-pic],
+	[try to use only PIC/non-PIC objects @<:@default=use both@:>@])],
+    [pic_mode="$withval"],
+    [pic_mode=default])
+test -z "$pic_mode" && pic_mode=default
+
+# Use C for the default configuration in the libtool script
+tagname=
+AC_LIBTOOL_LANG_C_CONFIG
+_LT_AC_TAGCONFIG
+])# AC_LIBTOOL_SETUP
+
+
+# _LT_AC_SYS_COMPILER
+# -------------------
+AC_DEFUN([_LT_AC_SYS_COMPILER],
+[AC_REQUIRE([AC_PROG_CC])dnl
+
+# If no C compiler was specified, use CC.
+LTCC=${LTCC-"$CC"}
+
+# If no C compiler flags were specified, use CFLAGS.
+LTCFLAGS=${LTCFLAGS-"$CFLAGS"}
+
+# Allow CC to be a program name with arguments.
+compiler=$CC
+])# _LT_AC_SYS_COMPILER
+
+
+# _LT_CC_BASENAME(CC)
+# -------------------
+# Calculate cc_basename.  Skip known compiler wrappers and cross-prefix.
+AC_DEFUN([_LT_CC_BASENAME],
+[for cc_temp in $1""; do
+  case $cc_temp in
+    compile | *[[\\/]]compile | ccache | *[[\\/]]ccache ) ;;
+    distcc | *[[\\/]]distcc | purify | *[[\\/]]purify ) ;;
+    \-*) ;;
+    *) break;;
+  esac
+done
+cc_basename=`$echo "X$cc_temp" | $Xsed -e 's%.*/%%' -e "s%^$host_alias-%%"`
+])
+
+
+# _LT_COMPILER_BOILERPLATE
+# ------------------------
+# Check for compiler boilerplate output or warnings with
+# the simple compiler test code.
+AC_DEFUN([_LT_COMPILER_BOILERPLATE],
+[AC_REQUIRE([LT_AC_PROG_SED])dnl
+ac_outfile=conftest.$ac_objext
+echo "$lt_simple_compile_test_code" >conftest.$ac_ext
+eval "$ac_compile" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err
+_lt_compiler_boilerplate=`cat conftest.err`
+$rm conftest*
+])# _LT_COMPILER_BOILERPLATE
+
+
+# _LT_LINKER_BOILERPLATE
+# ----------------------
+# Check for linker boilerplate output or warnings with
+# the simple link test code.
+AC_DEFUN([_LT_LINKER_BOILERPLATE],
+[AC_REQUIRE([LT_AC_PROG_SED])dnl
+ac_outfile=conftest.$ac_objext
+echo "$lt_simple_link_test_code" >conftest.$ac_ext
+eval "$ac_link" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err
+_lt_linker_boilerplate=`cat conftest.err`
+$rm -r conftest*
+])# _LT_LINKER_BOILERPLATE
+
+# _LT_REQUIRED_DARWIN_CHECKS
+# --------------------------
+# Check for some things on darwin
+AC_DEFUN([_LT_REQUIRED_DARWIN_CHECKS],[
+  case $host_os in
+    rhapsody* | darwin*)
+    AC_CHECK_TOOL([DSYMUTIL], [dsymutil], [:])
+    AC_CHECK_TOOL([NMEDIT], [nmedit], [:])
+
+    AC_CACHE_CHECK([for -single_module linker flag],[lt_cv_apple_cc_single_mod],
+      [lt_cv_apple_cc_single_mod=no
+      if test -z "${LT_MULTI_MODULE}"; then
+   # By default we will add the -single_module flag. You can override
+   # by either setting the environment variable LT_MULTI_MODULE
+   # non-empty at configure time, or by adding -multi_module to the
+   # link flags.
+   echo "int foo(void){return 1;}" > conftest.c
+   $LTCC $LTCFLAGS $LDFLAGS -o libconftest.dylib \
+     -dynamiclib ${wl}-single_module conftest.c
+   if test -f libconftest.dylib; then
+     lt_cv_apple_cc_single_mod=yes
+     rm -rf libconftest.dylib*
+   fi
+   rm conftest.c
+      fi])
+    AC_CACHE_CHECK([for -exported_symbols_list linker flag],
+      [lt_cv_ld_exported_symbols_list],
+      [lt_cv_ld_exported_symbols_list=no
+      save_LDFLAGS=$LDFLAGS
+      echo "_main" > conftest.sym
+      LDFLAGS="$LDFLAGS -Wl,-exported_symbols_list,conftest.sym"
+      AC_LINK_IFELSE([AC_LANG_PROGRAM([],[])],
+   [lt_cv_ld_exported_symbols_list=yes],
+   [lt_cv_ld_exported_symbols_list=no])
+   LDFLAGS="$save_LDFLAGS"
+    ])
+    case $host_os in
+    rhapsody* | darwin1.[[0123]])
+      _lt_dar_allow_undefined='${wl}-undefined ${wl}suppress' ;;
+    darwin1.*)
+     _lt_dar_allow_undefined='${wl}-flat_namespace ${wl}-undefined ${wl}suppress' ;;
+    darwin*)
+      # if running on 10.5 or later, the deployment target defaults
+      # to the OS version, if on x86, and 10.4, the deployment
+      # target defaults to 10.4. Don't you love it?
+      case ${MACOSX_DEPLOYMENT_TARGET-10.0},$host in
+   10.0,*86*-darwin8*|10.0,*-darwin[[91]]*)
+     _lt_dar_allow_undefined='${wl}-undefined ${wl}dynamic_lookup' ;;
+   10.[[012]]*)
+     _lt_dar_allow_undefined='${wl}-flat_namespace ${wl}-undefined ${wl}suppress' ;;
+   10.*)
+     _lt_dar_allow_undefined='${wl}-undefined ${wl}dynamic_lookup' ;;
+      esac
+    ;;
+  esac
+    if test "$lt_cv_apple_cc_single_mod" = "yes"; then
+      _lt_dar_single_mod='$single_module'
+    fi
+    if test "$lt_cv_ld_exported_symbols_list" = "yes"; then
+      _lt_dar_export_syms=' ${wl}-exported_symbols_list,$output_objdir/${libname}-symbols.expsym'
+    else
+      _lt_dar_export_syms="~$NMEDIT -s \$output_objdir/\${libname}-symbols.expsym \${lib}"
+    fi
+    if test "$DSYMUTIL" != ":"; then
+      _lt_dsymutil="~$DSYMUTIL \$lib || :"
+    else
+      _lt_dsymutil=
+    fi
+    ;;
+  esac
+])
+
+# _LT_AC_SYS_LIBPATH_AIX
+# ----------------------
+# Links a minimal program and checks the executable
+# for the system default hardcoded library path. In most cases,
+# this is /usr/lib:/lib, but when the MPI compilers are used
+# the location of the communication and MPI libs are included too.
+# If we don't find anything, use the default library path according
+# to the aix ld manual.
+AC_DEFUN([_LT_AC_SYS_LIBPATH_AIX],
+[AC_REQUIRE([LT_AC_PROG_SED])dnl
+AC_LINK_IFELSE(AC_LANG_PROGRAM,[
+lt_aix_libpath_sed='
+    /Import File Strings/,/^$/ {
+	/^0/ {
+	    s/^0  *\(.*\)$/\1/
+	    p
+	}
+    }'
+aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
+# Check for a 64-bit object if we didn't find anything.
+if test -z "$aix_libpath"; then
+  aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
+fi],[])
+if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
+])# _LT_AC_SYS_LIBPATH_AIX
+
+
+# _LT_AC_SHELL_INIT(ARG)
+# ----------------------
+AC_DEFUN([_LT_AC_SHELL_INIT],
+[ifdef([AC_DIVERSION_NOTICE],
+	     [AC_DIVERT_PUSH(AC_DIVERSION_NOTICE)],
+	 [AC_DIVERT_PUSH(NOTICE)])
+$1
+AC_DIVERT_POP
+])# _LT_AC_SHELL_INIT
+
+
+# _LT_AC_PROG_ECHO_BACKSLASH
+# --------------------------
+# Add some code to the start of the generated configure script which
+# will find an echo command which doesn't interpret backslashes.
+AC_DEFUN([_LT_AC_PROG_ECHO_BACKSLASH],
+[_LT_AC_SHELL_INIT([
+# Check that we are running under the correct shell.
+SHELL=${CONFIG_SHELL-/bin/sh}
+
+case X$ECHO in
+X*--fallback-echo)
+  # Remove one level of quotation (which was required for Make).
+  ECHO=`echo "$ECHO" | sed 's,\\\\\[$]\\[$]0,'[$]0','`
+  ;;
+esac
+
+echo=${ECHO-echo}
+if test "X[$]1" = X--no-reexec; then
+  # Discard the --no-reexec flag, and continue.
+  shift
+elif test "X[$]1" = X--fallback-echo; then
+  # Avoid inline document here, it may be left over
+  :
+elif test "X`($echo '\t') 2>/dev/null`" = 'X\t' ; then
+  # Yippee, $echo works!
+  :
+else
+  # Restart under the correct shell.
+  exec $SHELL "[$]0" --no-reexec ${1+"[$]@"}
+fi
+
+if test "X[$]1" = X--fallback-echo; then
+  # used as fallback echo
+  shift
+  cat <<EOF
+[$]*
+EOF
+  exit 0
+fi
+
+# The HP-UX ksh and POSIX shell print the target directory to stdout
+# if CDPATH is set.
+(unset CDPATH) >/dev/null 2>&1 && unset CDPATH
+
+if test -z "$ECHO"; then
+if test "X${echo_test_string+set}" != Xset; then
+# find a string as large as possible, as long as the shell can cope with it
+  for cmd in 'sed 50q "[$]0"' 'sed 20q "[$]0"' 'sed 10q "[$]0"' 'sed 2q "[$]0"' 'echo test'; do
+    # expected sizes: less than 2Kb, 1Kb, 512 bytes, 16 bytes, ...
+    if (echo_test_string=`eval $cmd`) 2>/dev/null &&
+       echo_test_string=`eval $cmd` &&
+       (test "X$echo_test_string" = "X$echo_test_string") 2>/dev/null
+    then
+      break
+    fi
+  done
+fi
+
+if test "X`($echo '\t') 2>/dev/null`" = 'X\t' &&
+   echo_testing_string=`($echo "$echo_test_string") 2>/dev/null` &&
+   test "X$echo_testing_string" = "X$echo_test_string"; then
+  :
+else
+  # The Solaris, AIX, and Digital Unix default echo programs unquote
+  # backslashes.  This makes it impossible to quote backslashes using
+  #   echo "$something" | sed 's/\\/\\\\/g'
+  #
+  # So, first we look for a working echo in the user's PATH.
+
+  lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR
+  for dir in $PATH /usr/ucb; do
+    IFS="$lt_save_ifs"
+    if (test -f $dir/echo || test -f $dir/echo$ac_exeext) &&
+       test "X`($dir/echo '\t') 2>/dev/null`" = 'X\t' &&
+       echo_testing_string=`($dir/echo "$echo_test_string") 2>/dev/null` &&
+       test "X$echo_testing_string" = "X$echo_test_string"; then
+      echo="$dir/echo"
+      break
+    fi
+  done
+  IFS="$lt_save_ifs"
+
+  if test "X$echo" = Xecho; then
+    # We didn't find a better echo, so look for alternatives.
+    if test "X`(print -r '\t') 2>/dev/null`" = 'X\t' &&
+       echo_testing_string=`(print -r "$echo_test_string") 2>/dev/null` &&
+       test "X$echo_testing_string" = "X$echo_test_string"; then
+      # This shell has a builtin print -r that does the trick.
+      echo='print -r'
+    elif (test -f /bin/ksh || test -f /bin/ksh$ac_exeext) &&
+	 test "X$CONFIG_SHELL" != X/bin/ksh; then
+      # If we have ksh, try running configure again with it.
+      ORIGINAL_CONFIG_SHELL=${CONFIG_SHELL-/bin/sh}
+      export ORIGINAL_CONFIG_SHELL
+      CONFIG_SHELL=/bin/ksh
+      export CONFIG_SHELL
+      exec $CONFIG_SHELL "[$]0" --no-reexec ${1+"[$]@"}
+    else
+      # Try using printf.
+      echo='printf %s\n'
+      if test "X`($echo '\t') 2>/dev/null`" = 'X\t' &&
+	 echo_testing_string=`($echo "$echo_test_string") 2>/dev/null` &&
+	 test "X$echo_testing_string" = "X$echo_test_string"; then
+	# Cool, printf works
+	:
+      elif echo_testing_string=`($ORIGINAL_CONFIG_SHELL "[$]0" --fallback-echo '\t') 2>/dev/null` &&
+	   test "X$echo_testing_string" = 'X\t' &&
+	   echo_testing_string=`($ORIGINAL_CONFIG_SHELL "[$]0" --fallback-echo "$echo_test_string") 2>/dev/null` &&
+	   test "X$echo_testing_string" = "X$echo_test_string"; then
+	CONFIG_SHELL=$ORIGINAL_CONFIG_SHELL
+	export CONFIG_SHELL
+	SHELL="$CONFIG_SHELL"
+	export SHELL
+	echo="$CONFIG_SHELL [$]0 --fallback-echo"
+      elif echo_testing_string=`($CONFIG_SHELL "[$]0" --fallback-echo '\t') 2>/dev/null` &&
+	   test "X$echo_testing_string" = 'X\t' &&
+	   echo_testing_string=`($CONFIG_SHELL "[$]0" --fallback-echo "$echo_test_string") 2>/dev/null` &&
+	   test "X$echo_testing_string" = "X$echo_test_string"; then
+	echo="$CONFIG_SHELL [$]0 --fallback-echo"
+      else
+	# maybe with a smaller string...
+	prev=:
+
+	for cmd in 'echo test' 'sed 2q "[$]0"' 'sed 10q "[$]0"' 'sed 20q "[$]0"' 'sed 50q "[$]0"'; do
+	  if (test "X$echo_test_string" = "X`eval $cmd`") 2>/dev/null
+	  then
+	    break
+	  fi
+	  prev="$cmd"
+	done
+
+	if test "$prev" != 'sed 50q "[$]0"'; then
+	  echo_test_string=`eval $prev`
+	  export echo_test_string
+	  exec ${ORIGINAL_CONFIG_SHELL-${CONFIG_SHELL-/bin/sh}} "[$]0" ${1+"[$]@"}
+	else
+	  # Oops.  We lost completely, so just stick with echo.
+	  echo=echo
+	fi
+      fi
+    fi
+  fi
+fi
+fi
+
+# Copy echo and quote the copy suitably for passing to libtool from
+# the Makefile, instead of quoting the original, which is used later.
+ECHO=$echo
+if test "X$ECHO" = "X$CONFIG_SHELL [$]0 --fallback-echo"; then
+   ECHO="$CONFIG_SHELL \\\$\[$]0 --fallback-echo"
+fi
+
+AC_SUBST(ECHO)
+])])# _LT_AC_PROG_ECHO_BACKSLASH
+
+
+# _LT_AC_LOCK
+# -----------
+AC_DEFUN([_LT_AC_LOCK],
+[AC_ARG_ENABLE([libtool-lock],
+    [AC_HELP_STRING([--disable-libtool-lock],
+	[avoid locking (might break parallel builds)])])
+test "x$enable_libtool_lock" != xno && enable_libtool_lock=yes
+
+# Some flags need to be propagated to the compiler or linker for good
+# libtool support.
+case $host in
+ia64-*-hpux*)
+  # Find out which ABI we are using.
+  echo 'int i;' > conftest.$ac_ext
+  if AC_TRY_EVAL(ac_compile); then
+    case `/usr/bin/file conftest.$ac_objext` in
+    *ELF-32*)
+      HPUX_IA64_MODE="32"
+      ;;
+    *ELF-64*)
+      HPUX_IA64_MODE="64"
+      ;;
+    esac
+  fi
+  rm -rf conftest*
+  ;;
+*-*-irix6*)
+  # Find out which ABI we are using.
+  echo '[#]line __oline__ "configure"' > conftest.$ac_ext
+  if AC_TRY_EVAL(ac_compile); then
+   if test "$lt_cv_prog_gnu_ld" = yes; then
+    case `/usr/bin/file conftest.$ac_objext` in
+    *32-bit*)
+      LD="${LD-ld} -melf32bsmip"
+      ;;
+    *N32*)
+      LD="${LD-ld} -melf32bmipn32"
+      ;;
+    *64-bit*)
+      LD="${LD-ld} -melf64bmip"
+      ;;
+    esac
+   else
+    case `/usr/bin/file conftest.$ac_objext` in
+    *32-bit*)
+      LD="${LD-ld} -32"
+      ;;
+    *N32*)
+      LD="${LD-ld} -n32"
+      ;;
+    *64-bit*)
+      LD="${LD-ld} -64"
+      ;;
+    esac
+   fi
+  fi
+  rm -rf conftest*
+  ;;
+
+x86_64-*kfreebsd*-gnu|x86_64-*linux*|ppc*-*linux*|powerpc*-*linux*| \
+s390*-*linux*|sparc*-*linux*)
+  # Find out which ABI we are using.
+  echo 'int i;' > conftest.$ac_ext
+  if AC_TRY_EVAL(ac_compile); then
+    case `/usr/bin/file conftest.o` in
+    *32-bit*)
+      case $host in
+        x86_64-*kfreebsd*-gnu)
+          LD="${LD-ld} -m elf_i386_fbsd"
+          ;;
+        x86_64-*linux*)
+          LD="${LD-ld} -m elf_i386"
+          ;;
+        ppc64-*linux*|powerpc64-*linux*)
+          LD="${LD-ld} -m elf32ppclinux"
+          ;;
+        s390x-*linux*)
+          LD="${LD-ld} -m elf_s390"
+          ;;
+        sparc64-*linux*)
+          LD="${LD-ld} -m elf32_sparc"
+          ;;
+      esac
+      ;;
+    *64-bit*)
+      case $host in
+        x86_64-*kfreebsd*-gnu)
+          LD="${LD-ld} -m elf_x86_64_fbsd"
+          ;;
+        x86_64-*linux*)
+          LD="${LD-ld} -m elf_x86_64"
+          ;;
+        ppc*-*linux*|powerpc*-*linux*)
+          LD="${LD-ld} -m elf64ppc"
+          ;;
+        s390*-*linux*)
+          LD="${LD-ld} -m elf64_s390"
+          ;;
+        sparc*-*linux*)
+          LD="${LD-ld} -m elf64_sparc"
+          ;;
+      esac
+      ;;
+    esac
+  fi
+  rm -rf conftest*
+  ;;
+
+*-*-sco3.2v5*)
+  # On SCO OpenServer 5, we need -belf to get full-featured binaries.
+  SAVE_CFLAGS="$CFLAGS"
+  CFLAGS="$CFLAGS -belf"
+  AC_CACHE_CHECK([whether the C compiler needs -belf], lt_cv_cc_needs_belf,
+    [AC_LANG_PUSH(C)
+     AC_TRY_LINK([],[],[lt_cv_cc_needs_belf=yes],[lt_cv_cc_needs_belf=no])
+     AC_LANG_POP])
+  if test x"$lt_cv_cc_needs_belf" != x"yes"; then
+    # this is probably gcc 2.8.0, egcs 1.0 or newer; no need for -belf
+    CFLAGS="$SAVE_CFLAGS"
+  fi
+  ;;
+sparc*-*solaris*)
+  # Find out which ABI we are using.
+  echo 'int i;' > conftest.$ac_ext
+  if AC_TRY_EVAL(ac_compile); then
+    case `/usr/bin/file conftest.o` in
+    *64-bit*)
+      case $lt_cv_prog_gnu_ld in
+      yes*) LD="${LD-ld} -m elf64_sparc" ;;
+      *)
+        if ${LD-ld} -64 -r -o conftest2.o conftest.o >/dev/null 2>&1; then
+	  LD="${LD-ld} -64"
+	fi
+	;;
+      esac
+      ;;
+    esac
+  fi
+  rm -rf conftest*
+  ;;
+
+AC_PROVIDE_IFELSE([AC_LIBTOOL_WIN32_DLL],
+[*-*-cygwin* | *-*-mingw* | *-*-pw32*)
+  AC_CHECK_TOOL(DLLTOOL, dlltool, false)
+  AC_CHECK_TOOL(AS, as, false)
+  AC_CHECK_TOOL(OBJDUMP, objdump, false)
+  ;;
+  ])
+esac
+
+need_locks="$enable_libtool_lock"
+
+])# _LT_AC_LOCK
+
+
+# AC_LIBTOOL_COMPILER_OPTION(MESSAGE, VARIABLE-NAME, FLAGS,
+#		[OUTPUT-FILE], [ACTION-SUCCESS], [ACTION-FAILURE])
+# ----------------------------------------------------------------
+# Check whether the given compiler option works
+AC_DEFUN([AC_LIBTOOL_COMPILER_OPTION],
+[AC_REQUIRE([LT_AC_PROG_SED])
+AC_CACHE_CHECK([$1], [$2],
+  [$2=no
+  ifelse([$4], , [ac_outfile=conftest.$ac_objext], [ac_outfile=$4])
+   echo "$lt_simple_compile_test_code" > conftest.$ac_ext
+   lt_compiler_flag="$3"
+   # Insert the option either (1) after the last *FLAGS variable, or
+   # (2) before a word containing "conftest.", or (3) at the end.
+   # Note that $ac_compile itself does not contain backslashes and begins
+   # with a dollar sign (not a hyphen), so the echo should work correctly.
+   # The option is referenced via a variable to avoid confusing sed.
+   lt_compile=`echo "$ac_compile" | $SED \
+   -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
+   -e 's: [[^ ]]*conftest\.: $lt_compiler_flag&:; t' \
+   -e 's:$: $lt_compiler_flag:'`
+   (eval echo "\"\$as_me:__oline__: $lt_compile\"" >&AS_MESSAGE_LOG_FD)
+   (eval "$lt_compile" 2>conftest.err)
+   ac_status=$?
+   cat conftest.err >&AS_MESSAGE_LOG_FD
+   echo "$as_me:__oline__: \$? = $ac_status" >&AS_MESSAGE_LOG_FD
+   if (exit $ac_status) && test -s "$ac_outfile"; then
+     # The compiler can only warn and ignore the option if not recognized
+     # So say no if there are warnings other than the usual output.
+     $echo "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' >conftest.exp
+     $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2
+     if test ! -s conftest.er2 || diff conftest.exp conftest.er2 >/dev/null; then
+       $2=yes
+     fi
+   fi
+   $rm conftest*
+])
+
+if test x"[$]$2" = xyes; then
+    ifelse([$5], , :, [$5])
+else
+    ifelse([$6], , :, [$6])
+fi
+])# AC_LIBTOOL_COMPILER_OPTION
+
+
+# AC_LIBTOOL_LINKER_OPTION(MESSAGE, VARIABLE-NAME, FLAGS,
+#                          [ACTION-SUCCESS], [ACTION-FAILURE])
+# ------------------------------------------------------------
+# Check whether the given compiler option works
+AC_DEFUN([AC_LIBTOOL_LINKER_OPTION],
+[AC_REQUIRE([LT_AC_PROG_SED])dnl
+AC_CACHE_CHECK([$1], [$2],
+  [$2=no
+   save_LDFLAGS="$LDFLAGS"
+   LDFLAGS="$LDFLAGS $3"
+   echo "$lt_simple_link_test_code" > conftest.$ac_ext
+   if (eval $ac_link 2>conftest.err) && test -s conftest$ac_exeext; then
+     # The linker can only warn and ignore the option if not recognized
+     # So say no if there are warnings
+     if test -s conftest.err; then
+       # Append any errors to the config.log.
+       cat conftest.err 1>&AS_MESSAGE_LOG_FD
+       $echo "X$_lt_linker_boilerplate" | $Xsed -e '/^$/d' > conftest.exp
+       $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2
+       if diff conftest.exp conftest.er2 >/dev/null; then
+         $2=yes
+       fi
+     else
+       $2=yes
+     fi
+   fi
+   $rm -r conftest*
+   LDFLAGS="$save_LDFLAGS"
+])
+
+if test x"[$]$2" = xyes; then
+    ifelse([$4], , :, [$4])
+else
+    ifelse([$5], , :, [$5])
+fi
+])# AC_LIBTOOL_LINKER_OPTION
+
+
+# AC_LIBTOOL_SYS_MAX_CMD_LEN
+# --------------------------
+AC_DEFUN([AC_LIBTOOL_SYS_MAX_CMD_LEN],
+[# find the maximum length of command line arguments
+AC_MSG_CHECKING([the maximum length of command line arguments])
+AC_CACHE_VAL([lt_cv_sys_max_cmd_len], [dnl
+  i=0
+  teststring="ABCD"
+
+  case $build_os in
+  msdosdjgpp*)
+    # On DJGPP, this test can blow up pretty badly due to problems in libc
+    # (any single argument exceeding 2000 bytes causes a buffer overrun
+    # during glob expansion).  Even if it were fixed, the result of this
+    # check would be larger than it should be.
+    lt_cv_sys_max_cmd_len=12288;    # 12K is about right
+    ;;
+
+  gnu*)
+    # Under GNU Hurd, this test is not required because there is
+    # no limit to the length of command line arguments.
+    # Libtool will interpret -1 as no limit whatsoever
+    lt_cv_sys_max_cmd_len=-1;
+    ;;
+
+  cygwin* | mingw*)
+    # On Win9x/ME, this test blows up -- it succeeds, but takes
+    # about 5 minutes as the teststring grows exponentially.
+    # Worse, since 9x/ME are not pre-emptively multitasking,
+    # you end up with a "frozen" computer, even though with patience
+    # the test eventually succeeds (with a max line length of 256k).
+    # Instead, let's just punt: use the minimum linelength reported by
+    # all of the supported platforms: 8192 (on NT/2K/XP).
+    lt_cv_sys_max_cmd_len=8192;
+    ;;
+
+  amigaos*)
+    # On AmigaOS with pdksh, this test takes hours, literally.
+    # So we just punt and use a minimum line length of 8192.
+    lt_cv_sys_max_cmd_len=8192;
+    ;;
+
+  netbsd* | freebsd* | openbsd* | darwin* | dragonfly*)
+    # This has been around since 386BSD, at least.  Likely further.
+    if test -x /sbin/sysctl; then
+      lt_cv_sys_max_cmd_len=`/sbin/sysctl -n kern.argmax`
+    elif test -x /usr/sbin/sysctl; then
+      lt_cv_sys_max_cmd_len=`/usr/sbin/sysctl -n kern.argmax`
+    else
+      lt_cv_sys_max_cmd_len=65536	# usable default for all BSDs
+    fi
+    # And add a safety zone
+    lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 4`
+    lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \* 3`
+    ;;
+
+  interix*)
+    # We know the value 262144 and hardcode it with a safety zone (like BSD)
+    lt_cv_sys_max_cmd_len=196608
+    ;;
+
+  osf*)
+    # Dr. Hans Ekkehard Plesser reports seeing a kernel panic running configure
+    # due to this test when exec_disable_arg_limit is 1 on Tru64. It is not
+    # nice to cause kernel panics so lets avoid the loop below.
+    # First set a reasonable default.
+    lt_cv_sys_max_cmd_len=16384
+    #
+    if test -x /sbin/sysconfig; then
+      case `/sbin/sysconfig -q proc exec_disable_arg_limit` in
+        *1*) lt_cv_sys_max_cmd_len=-1 ;;
+      esac
+    fi
+    ;;
+  sco3.2v5*)
+    lt_cv_sys_max_cmd_len=102400
+    ;;
+  sysv5* | sco5v6* | sysv4.2uw2*)
+    kargmax=`grep ARG_MAX /etc/conf/cf.d/stune 2>/dev/null`
+    if test -n "$kargmax"; then
+      lt_cv_sys_max_cmd_len=`echo $kargmax | sed 's/.*[[ 	]]//'`
+    else
+      lt_cv_sys_max_cmd_len=32768
+    fi
+    ;;
+  *)
+    lt_cv_sys_max_cmd_len=`(getconf ARG_MAX) 2> /dev/null`
+    if test -n "$lt_cv_sys_max_cmd_len"; then
+      lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 4`
+      lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \* 3`
+    else
+      SHELL=${SHELL-${CONFIG_SHELL-/bin/sh}}
+      while (test "X"`$SHELL [$]0 --fallback-echo "X$teststring" 2>/dev/null` \
+	       = "XX$teststring") >/dev/null 2>&1 &&
+	      new_result=`expr "X$teststring" : ".*" 2>&1` &&
+	      lt_cv_sys_max_cmd_len=$new_result &&
+	      test $i != 17 # 1/2 MB should be enough
+      do
+        i=`expr $i + 1`
+        teststring=$teststring$teststring
+      done
+      teststring=
+      # Add a significant safety factor because C++ compilers can tack on massive
+      # amounts of additional arguments before passing them to the linker.
+      # It appears as though 1/2 is a usable value.
+      lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 2`
+    fi
+    ;;
+  esac
+])
+if test -n $lt_cv_sys_max_cmd_len ; then
+  AC_MSG_RESULT($lt_cv_sys_max_cmd_len)
+else
+  AC_MSG_RESULT(none)
+fi
+])# AC_LIBTOOL_SYS_MAX_CMD_LEN
+
+
+# _LT_AC_CHECK_DLFCN
+# ------------------
+AC_DEFUN([_LT_AC_CHECK_DLFCN],
+[AC_CHECK_HEADERS(dlfcn.h)dnl
+])# _LT_AC_CHECK_DLFCN
+
+
+# _LT_AC_TRY_DLOPEN_SELF (ACTION-IF-TRUE, ACTION-IF-TRUE-W-USCORE,
+#                           ACTION-IF-FALSE, ACTION-IF-CROSS-COMPILING)
+# ---------------------------------------------------------------------
+AC_DEFUN([_LT_AC_TRY_DLOPEN_SELF],
+[AC_REQUIRE([_LT_AC_CHECK_DLFCN])dnl
+if test "$cross_compiling" = yes; then :
+  [$4]
+else
+  lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
+  lt_status=$lt_dlunknown
+  cat > conftest.$ac_ext <<EOF
+[#line __oline__ "configure"
+#include "confdefs.h"
+
+#if HAVE_DLFCN_H
+#include <dlfcn.h>
+#endif
+
+#include <stdio.h>
+
+#ifdef RTLD_GLOBAL
+#  define LT_DLGLOBAL		RTLD_GLOBAL
+#else
+#  ifdef DL_GLOBAL
+#    define LT_DLGLOBAL		DL_GLOBAL
+#  else
+#    define LT_DLGLOBAL		0
+#  endif
+#endif
+
+/* We may have to define LT_DLLAZY_OR_NOW in the command line if we
+   find out it does not work in some platform. */
+#ifndef LT_DLLAZY_OR_NOW
+#  ifdef RTLD_LAZY
+#    define LT_DLLAZY_OR_NOW		RTLD_LAZY
+#  else
+#    ifdef DL_LAZY
+#      define LT_DLLAZY_OR_NOW		DL_LAZY
+#    else
+#      ifdef RTLD_NOW
+#        define LT_DLLAZY_OR_NOW	RTLD_NOW
+#      else
+#        ifdef DL_NOW
+#          define LT_DLLAZY_OR_NOW	DL_NOW
+#        else
+#          define LT_DLLAZY_OR_NOW	0
+#        endif
+#      endif
+#    endif
+#  endif
+#endif
+
+#ifdef __cplusplus
+extern "C" void exit (int);
+#endif
+
+void fnord() { int i=42;}
+int main ()
+{
+  void *self = dlopen (0, LT_DLGLOBAL|LT_DLLAZY_OR_NOW);
+  int status = $lt_dlunknown;
+
+  if (self)
+    {
+      if (dlsym (self,"fnord"))       status = $lt_dlno_uscore;
+      else if (dlsym( self,"_fnord")) status = $lt_dlneed_uscore;
+      /* dlclose (self); */
+    }
+  else
+    puts (dlerror ());
+
+    exit (status);
+}]
+EOF
+  if AC_TRY_EVAL(ac_link) && test -s conftest${ac_exeext} 2>/dev/null; then
+    (./conftest; exit; ) >&AS_MESSAGE_LOG_FD 2>/dev/null
+    lt_status=$?
+    case x$lt_status in
+      x$lt_dlno_uscore) $1 ;;
+      x$lt_dlneed_uscore) $2 ;;
+      x$lt_dlunknown|x*) $3 ;;
+    esac
+  else :
+    # compilation failed
+    $3
+  fi
+fi
+rm -fr conftest*
+])# _LT_AC_TRY_DLOPEN_SELF
+
+
+# AC_LIBTOOL_DLOPEN_SELF
+# ----------------------
+AC_DEFUN([AC_LIBTOOL_DLOPEN_SELF],
+[AC_REQUIRE([_LT_AC_CHECK_DLFCN])dnl
+if test "x$enable_dlopen" != xyes; then
+  enable_dlopen=unknown
+  enable_dlopen_self=unknown
+  enable_dlopen_self_static=unknown
+else
+  lt_cv_dlopen=no
+  lt_cv_dlopen_libs=
+
+  case $host_os in
+  beos*)
+    lt_cv_dlopen="load_add_on"
+    lt_cv_dlopen_libs=
+    lt_cv_dlopen_self=yes
+    ;;
+
+  mingw* | pw32*)
+    lt_cv_dlopen="LoadLibrary"
+    lt_cv_dlopen_libs=
+   ;;
+
+  cygwin*)
+    lt_cv_dlopen="dlopen"
+    lt_cv_dlopen_libs=
+   ;;
+
+  darwin*)
+  # if libdl is installed we need to link against it
+    AC_CHECK_LIB([dl], [dlopen],
+		[lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-ldl"],[
+    lt_cv_dlopen="dyld"
+    lt_cv_dlopen_libs=
+    lt_cv_dlopen_self=yes
+    ])
+   ;;
+
+  *)
+    AC_CHECK_FUNC([shl_load],
+	  [lt_cv_dlopen="shl_load"],
+      [AC_CHECK_LIB([dld], [shl_load],
+	    [lt_cv_dlopen="shl_load" lt_cv_dlopen_libs="-ldld"],
+	[AC_CHECK_FUNC([dlopen],
+	      [lt_cv_dlopen="dlopen"],
+	  [AC_CHECK_LIB([dl], [dlopen],
+		[lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-ldl"],
+	    [AC_CHECK_LIB([svld], [dlopen],
+		  [lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-lsvld"],
+	      [AC_CHECK_LIB([dld], [dld_link],
+		    [lt_cv_dlopen="dld_link" lt_cv_dlopen_libs="-ldld"])
+	      ])
+	    ])
+	  ])
+	])
+      ])
+    ;;
+  esac
+
+  if test "x$lt_cv_dlopen" != xno; then
+    enable_dlopen=yes
+  else
+    enable_dlopen=no
+  fi
+
+  case $lt_cv_dlopen in
+  dlopen)
+    save_CPPFLAGS="$CPPFLAGS"
+    test "x$ac_cv_header_dlfcn_h" = xyes && CPPFLAGS="$CPPFLAGS -DHAVE_DLFCN_H"
+
+    save_LDFLAGS="$LDFLAGS"
+    wl=$lt_prog_compiler_wl eval LDFLAGS=\"\$LDFLAGS $export_dynamic_flag_spec\"
+
+    save_LIBS="$LIBS"
+    LIBS="$lt_cv_dlopen_libs $LIBS"
+
+    AC_CACHE_CHECK([whether a program can dlopen itself],
+	  lt_cv_dlopen_self, [dnl
+	  _LT_AC_TRY_DLOPEN_SELF(
+	    lt_cv_dlopen_self=yes, lt_cv_dlopen_self=yes,
+	    lt_cv_dlopen_self=no, lt_cv_dlopen_self=cross)
+    ])
+
+    if test "x$lt_cv_dlopen_self" = xyes; then
+      wl=$lt_prog_compiler_wl eval LDFLAGS=\"\$LDFLAGS $lt_prog_compiler_static\"
+      AC_CACHE_CHECK([whether a statically linked program can dlopen itself],
+    	  lt_cv_dlopen_self_static, [dnl
+	  _LT_AC_TRY_DLOPEN_SELF(
+	    lt_cv_dlopen_self_static=yes, lt_cv_dlopen_self_static=yes,
+	    lt_cv_dlopen_self_static=no,  lt_cv_dlopen_self_static=cross)
+      ])
+    fi
+
+    CPPFLAGS="$save_CPPFLAGS"
+    LDFLAGS="$save_LDFLAGS"
+    LIBS="$save_LIBS"
+    ;;
+  esac
+
+  case $lt_cv_dlopen_self in
+  yes|no) enable_dlopen_self=$lt_cv_dlopen_self ;;
+  *) enable_dlopen_self=unknown ;;
+  esac
+
+  case $lt_cv_dlopen_self_static in
+  yes|no) enable_dlopen_self_static=$lt_cv_dlopen_self_static ;;
+  *) enable_dlopen_self_static=unknown ;;
+  esac
+fi
+])# AC_LIBTOOL_DLOPEN_SELF
+
+
+# AC_LIBTOOL_PROG_CC_C_O([TAGNAME])
+# ---------------------------------
+# Check to see if options -c and -o are simultaneously supported by compiler
+AC_DEFUN([AC_LIBTOOL_PROG_CC_C_O],
+[AC_REQUIRE([LT_AC_PROG_SED])dnl
+AC_REQUIRE([_LT_AC_SYS_COMPILER])dnl
+AC_CACHE_CHECK([if $compiler supports -c -o file.$ac_objext],
+  [_LT_AC_TAGVAR(lt_cv_prog_compiler_c_o, $1)],
+  [_LT_AC_TAGVAR(lt_cv_prog_compiler_c_o, $1)=no
+   $rm -r conftest 2>/dev/null
+   mkdir conftest
+   cd conftest
+   mkdir out
+   echo "$lt_simple_compile_test_code" > conftest.$ac_ext
+
+   lt_compiler_flag="-o out/conftest2.$ac_objext"
+   # Insert the option either (1) after the last *FLAGS variable, or
+   # (2) before a word containing "conftest.", or (3) at the end.
+   # Note that $ac_compile itself does not contain backslashes and begins
+   # with a dollar sign (not a hyphen), so the echo should work correctly.
+   lt_compile=`echo "$ac_compile" | $SED \
+   -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
+   -e 's: [[^ ]]*conftest\.: $lt_compiler_flag&:; t' \
+   -e 's:$: $lt_compiler_flag:'`
+   (eval echo "\"\$as_me:__oline__: $lt_compile\"" >&AS_MESSAGE_LOG_FD)
+   (eval "$lt_compile" 2>out/conftest.err)
+   ac_status=$?
+   cat out/conftest.err >&AS_MESSAGE_LOG_FD
+   echo "$as_me:__oline__: \$? = $ac_status" >&AS_MESSAGE_LOG_FD
+   if (exit $ac_status) && test -s out/conftest2.$ac_objext
+   then
+     # The compiler can only warn and ignore the option if not recognized
+     # So say no if there are warnings
+     $echo "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' > out/conftest.exp
+     $SED '/^$/d; /^ *+/d' out/conftest.err >out/conftest.er2
+     if test ! -s out/conftest.er2 || diff out/conftest.exp out/conftest.er2 >/dev/null; then
+       _LT_AC_TAGVAR(lt_cv_prog_compiler_c_o, $1)=yes
+     fi
+   fi
+   chmod u+w . 2>&AS_MESSAGE_LOG_FD
+   $rm conftest*
+   # SGI C++ compiler will create directory out/ii_files/ for
+   # template instantiation
+   test -d out/ii_files && $rm out/ii_files/* && rmdir out/ii_files
+   $rm out/* && rmdir out
+   cd ..
+   rmdir conftest
+   $rm conftest*
+])
+])# AC_LIBTOOL_PROG_CC_C_O
+
+
+# AC_LIBTOOL_SYS_HARD_LINK_LOCKS([TAGNAME])
+# -----------------------------------------
+# Check to see if we can do hard links to lock some files if needed
+AC_DEFUN([AC_LIBTOOL_SYS_HARD_LINK_LOCKS],
+[AC_REQUIRE([_LT_AC_LOCK])dnl
+
+hard_links="nottested"
+if test "$_LT_AC_TAGVAR(lt_cv_prog_compiler_c_o, $1)" = no && test "$need_locks" != no; then
+  # do not overwrite the value of need_locks provided by the user
+  AC_MSG_CHECKING([if we can lock with hard links])
+  hard_links=yes
+  $rm conftest*
+  ln conftest.a conftest.b 2>/dev/null && hard_links=no
+  touch conftest.a
+  ln conftest.a conftest.b 2>&5 || hard_links=no
+  ln conftest.a conftest.b 2>/dev/null && hard_links=no
+  AC_MSG_RESULT([$hard_links])
+  if test "$hard_links" = no; then
+    AC_MSG_WARN([`$CC' does not support `-c -o', so `make -j' may be unsafe])
+    need_locks=warn
+  fi
+else
+  need_locks=no
+fi
+])# AC_LIBTOOL_SYS_HARD_LINK_LOCKS
+
+
+# AC_LIBTOOL_OBJDIR
+# -----------------
+AC_DEFUN([AC_LIBTOOL_OBJDIR],
+[AC_CACHE_CHECK([for objdir], [lt_cv_objdir],
+[rm -f .libs 2>/dev/null
+mkdir .libs 2>/dev/null
+if test -d .libs; then
+  lt_cv_objdir=.libs
+else
+  # MS-DOS does not allow filenames that begin with a dot.
+  lt_cv_objdir=_libs
+fi
+rmdir .libs 2>/dev/null])
+objdir=$lt_cv_objdir
+])# AC_LIBTOOL_OBJDIR
+
+
+# AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH([TAGNAME])
+# ----------------------------------------------
+# Check hardcoding attributes.
+AC_DEFUN([AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH],
+[AC_MSG_CHECKING([how to hardcode library paths into programs])
+_LT_AC_TAGVAR(hardcode_action, $1)=
+if test -n "$_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)" || \
+   test -n "$_LT_AC_TAGVAR(runpath_var, $1)" || \
+   test "X$_LT_AC_TAGVAR(hardcode_automatic, $1)" = "Xyes" ; then
+
+  # We can hardcode non-existant directories.
+  if test "$_LT_AC_TAGVAR(hardcode_direct, $1)" != no &&
+     # If the only mechanism to avoid hardcoding is shlibpath_var, we
+     # have to relink, otherwise we might link with an installed library
+     # when we should be linking with a yet-to-be-installed one
+     ## test "$_LT_AC_TAGVAR(hardcode_shlibpath_var, $1)" != no &&
+     test "$_LT_AC_TAGVAR(hardcode_minus_L, $1)" != no; then
+    # Linking always hardcodes the temporary library directory.
+    _LT_AC_TAGVAR(hardcode_action, $1)=relink
+  else
+    # We can link without hardcoding, and we can hardcode nonexisting dirs.
+    _LT_AC_TAGVAR(hardcode_action, $1)=immediate
+  fi
+else
+  # We cannot hardcode anything, or else we can only hardcode existing
+  # directories.
+  _LT_AC_TAGVAR(hardcode_action, $1)=unsupported
+fi
+AC_MSG_RESULT([$_LT_AC_TAGVAR(hardcode_action, $1)])
+
+if test "$_LT_AC_TAGVAR(hardcode_action, $1)" = relink; then
+  # Fast installation is not supported
+  enable_fast_install=no
+elif test "$shlibpath_overrides_runpath" = yes ||
+     test "$enable_shared" = no; then
+  # Fast installation is not necessary
+  enable_fast_install=needless
+fi
+])# AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH
+
+
+# AC_LIBTOOL_SYS_LIB_STRIP
+# ------------------------
+AC_DEFUN([AC_LIBTOOL_SYS_LIB_STRIP],
+[striplib=
+old_striplib=
+AC_MSG_CHECKING([whether stripping libraries is possible])
+if test -n "$STRIP" && $STRIP -V 2>&1 | grep "GNU strip" >/dev/null; then
+  test -z "$old_striplib" && old_striplib="$STRIP --strip-debug"
+  test -z "$striplib" && striplib="$STRIP --strip-unneeded"
+  AC_MSG_RESULT([yes])
+else
+# FIXME - insert some real tests, host_os isn't really good enough
+  case $host_os in
+   darwin*)
+       if test -n "$STRIP" ; then
+         striplib="$STRIP -x"
+         old_striplib="$STRIP -S"
+         AC_MSG_RESULT([yes])
+       else
+  AC_MSG_RESULT([no])
+fi
+       ;;
+   *)
+  AC_MSG_RESULT([no])
+    ;;
+  esac
+fi
+])# AC_LIBTOOL_SYS_LIB_STRIP
+
+
+# AC_LIBTOOL_SYS_DYNAMIC_LINKER
+# -----------------------------
+# PORTME Fill in your ld.so characteristics
+AC_DEFUN([AC_LIBTOOL_SYS_DYNAMIC_LINKER],
+[AC_REQUIRE([LT_AC_PROG_SED])dnl
+AC_MSG_CHECKING([dynamic linker characteristics])
+library_names_spec=
+libname_spec='lib$name'
+soname_spec=
+shrext_cmds=".so"
+postinstall_cmds=
+postuninstall_cmds=
+finish_cmds=
+finish_eval=
+shlibpath_var=
+shlibpath_overrides_runpath=unknown
+version_type=none
+dynamic_linker="$host_os ld.so"
+sys_lib_dlsearch_path_spec="/lib /usr/lib"
+m4_if($1,[],[
+if test "$GCC" = yes; then
+  case $host_os in
+    darwin*) lt_awk_arg="/^libraries:/,/LR/" ;;
+    *) lt_awk_arg="/^libraries:/" ;;
+  esac
+  lt_search_path_spec=`$CC -print-search-dirs | awk $lt_awk_arg | $SED -e "s/^libraries://" -e "s,=/,/,g"`
+  if echo "$lt_search_path_spec" | grep ';' >/dev/null ; then
+    # if the path contains ";" then we assume it to be the separator
+    # otherwise default to the standard path separator (i.e. ":") - it is
+    # assumed that no part of a normal pathname contains ";" but that should
+    # okay in the real world where ";" in dirpaths is itself problematic.
+    lt_search_path_spec=`echo "$lt_search_path_spec" | $SED -e 's/;/ /g'`
+  else
+    lt_search_path_spec=`echo "$lt_search_path_spec" | $SED  -e "s/$PATH_SEPARATOR/ /g"`
+  fi
+  # Ok, now we have the path, separated by spaces, we can step through it
+  # and add multilib dir if necessary.
+  lt_tmp_lt_search_path_spec=
+  lt_multi_os_dir=`$CC $CPPFLAGS $CFLAGS $LDFLAGS -print-multi-os-directory 2>/dev/null`
+  for lt_sys_path in $lt_search_path_spec; do
+    if test -d "$lt_sys_path/$lt_multi_os_dir"; then
+      lt_tmp_lt_search_path_spec="$lt_tmp_lt_search_path_spec $lt_sys_path/$lt_multi_os_dir"
+    else
+      test -d "$lt_sys_path" && \
+	lt_tmp_lt_search_path_spec="$lt_tmp_lt_search_path_spec $lt_sys_path"
+    fi
+  done
+  lt_search_path_spec=`echo $lt_tmp_lt_search_path_spec | awk '
+BEGIN {RS=" "; FS="/|\n";} {
+  lt_foo="";
+  lt_count=0;
+  for (lt_i = NF; lt_i > 0; lt_i--) {
+    if ($lt_i != "" && $lt_i != ".") {
+      if ($lt_i == "..") {
+        lt_count++;
+      } else {
+        if (lt_count == 0) {
+          lt_foo="/" $lt_i lt_foo;
+        } else {
+          lt_count--;
+        }
+      }
+    }
+  }
+  if (lt_foo != "") { lt_freq[[lt_foo]]++; }
+  if (lt_freq[[lt_foo]] == 1) { print lt_foo; }
+}'`
+  sys_lib_search_path_spec=`echo $lt_search_path_spec`
+else
+  sys_lib_search_path_spec="/lib /usr/lib /usr/local/lib"
+fi])
+need_lib_prefix=unknown
+hardcode_into_libs=no
+
+# when you set need_version to no, make sure it does not cause -set_version
+# flags to be left without arguments
+need_version=unknown
+
+case $host_os in
+aix3*)
+  version_type=linux
+  library_names_spec='${libname}${release}${shared_ext}$versuffix $libname.a'
+  shlibpath_var=LIBPATH
+
+  # AIX 3 has no versioning support, so we append a major version to the name.
+  soname_spec='${libname}${release}${shared_ext}$major'
+  ;;
+
+aix[[4-9]]*)
+  version_type=linux
+  need_lib_prefix=no
+  need_version=no
+  hardcode_into_libs=yes
+  if test "$host_cpu" = ia64; then
+    # AIX 5 supports IA64
+    library_names_spec='${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext}$versuffix $libname${shared_ext}'
+    shlibpath_var=LD_LIBRARY_PATH
+  else
+    # With GCC up to 2.95.x, collect2 would create an import file
+    # for dependence libraries.  The import file would start with
+    # the line `#! .'.  This would cause the generated library to
+    # depend on `.', always an invalid library.  This was fixed in
+    # development snapshots of GCC prior to 3.0.
+    case $host_os in
+      aix4 | aix4.[[01]] | aix4.[[01]].*)
+      if { echo '#if __GNUC__ > 2 || (__GNUC__ == 2 && __GNUC_MINOR__ >= 97)'
+	   echo ' yes '
+	   echo '#endif'; } | ${CC} -E - | grep yes > /dev/null; then
+	:
+      else
+	can_build_shared=no
+      fi
+      ;;
+    esac
+    # AIX (on Power*) has no versioning support, so currently we can not hardcode correct
+    # soname into executable. Probably we can add versioning support to
+    # collect2, so additional links can be useful in future.
+    if test "$aix_use_runtimelinking" = yes; then
+      # If using run time linking (on AIX 4.2 or later) use lib<name>.so
+      # instead of lib<name>.a to let people know that these are not
+      # typical AIX shared libraries.
+      library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+    else
+      # We preserve .a as extension for shared libraries through AIX4.2
+      # and later when we are not doing run time linking.
+      library_names_spec='${libname}${release}.a $libname.a'
+      soname_spec='${libname}${release}${shared_ext}$major'
+    fi
+    shlibpath_var=LIBPATH
+  fi
+  ;;
+
+amigaos*)
+  library_names_spec='$libname.ixlibrary $libname.a'
+  # Create ${libname}_ixlibrary.a entries in /sys/libs.
+  finish_eval='for lib in `ls $libdir/*.ixlibrary 2>/dev/null`; do libname=`$echo "X$lib" | $Xsed -e '\''s%^.*/\([[^/]]*\)\.ixlibrary$%\1%'\''`; test $rm /sys/libs/${libname}_ixlibrary.a; $show "cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a"; cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a || exit 1; done'
+  ;;
+
+beos*)
+  library_names_spec='${libname}${shared_ext}'
+  dynamic_linker="$host_os ld.so"
+  shlibpath_var=LIBRARY_PATH
+  ;;
+
+bsdi[[45]]*)
+  version_type=linux
+  need_version=no
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  finish_cmds='PATH="\$PATH:/sbin" ldconfig $libdir'
+  shlibpath_var=LD_LIBRARY_PATH
+  sys_lib_search_path_spec="/shlib /usr/lib /usr/X11/lib /usr/contrib/lib /lib /usr/local/lib"
+  sys_lib_dlsearch_path_spec="/shlib /usr/lib /usr/local/lib"
+  # the default ld.so.conf also contains /usr/contrib/lib and
+  # /usr/X11R6/lib (/usr/X11 is a link to /usr/X11R6), but let us allow
+  # libtool to hard-code these into programs
+  ;;
+
+cygwin* | mingw* | pw32*)
+  version_type=windows
+  shrext_cmds=".dll"
+  need_version=no
+  need_lib_prefix=no
+
+  case $GCC,$host_os in
+  yes,cygwin* | yes,mingw* | yes,pw32*)
+    library_names_spec='$libname.dll.a'
+    # DLL is installed to $(libdir)/../bin by postinstall_cmds
+    postinstall_cmds='base_file=`basename \${file}`~
+      dlpath=`$SHELL 2>&1 -c '\''. $dir/'\''\${base_file}'\''i;echo \$dlname'\''`~
+      dldir=$destdir/`dirname \$dlpath`~
+      test -d \$dldir || mkdir -p \$dldir~
+      $install_prog $dir/$dlname \$dldir/$dlname~
+      chmod a+x \$dldir/$dlname'
+    postuninstall_cmds='dldll=`$SHELL 2>&1 -c '\''. $file; echo \$dlname'\''`~
+      dlpath=$dir/\$dldll~
+       $rm \$dlpath'
+    shlibpath_overrides_runpath=yes
+
+    case $host_os in
+    cygwin*)
+      # Cygwin DLLs use 'cyg' prefix rather than 'lib'
+      soname_spec='`echo ${libname} | sed -e 's/^lib/cyg/'``echo ${release} | $SED -e 's/[[.]]/-/g'`${versuffix}${shared_ext}'
+      sys_lib_search_path_spec="/usr/lib /lib/w32api /lib /usr/local/lib"
+      ;;
+    mingw*)
+      # MinGW DLLs use traditional 'lib' prefix
+      soname_spec='${libname}`echo ${release} | $SED -e 's/[[.]]/-/g'`${versuffix}${shared_ext}'
+      sys_lib_search_path_spec=`$CC -print-search-dirs | grep "^libraries:" | $SED -e "s/^libraries://" -e "s,=/,/,g"`
+      if echo "$sys_lib_search_path_spec" | [grep ';[c-zC-Z]:/' >/dev/null]; then
+        # It is most probably a Windows format PATH printed by
+        # mingw gcc, but we are running on Cygwin. Gcc prints its search
+        # path with ; separators, and with drive letters. We can handle the
+        # drive letters (cygwin fileutils understands them), so leave them,
+        # especially as we might pass files found there to a mingw objdump,
+        # which wouldn't understand a cygwinified path. Ahh.
+        sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'`
+      else
+        sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED  -e "s/$PATH_SEPARATOR/ /g"`
+      fi
+      ;;
+    pw32*)
+      # pw32 DLLs use 'pw' prefix rather than 'lib'
+      library_names_spec='`echo ${libname} | sed -e 's/^lib/pw/'``echo ${release} | $SED -e 's/[[.]]/-/g'`${versuffix}${shared_ext}'
+      ;;
+    esac
+    ;;
+
+  *)
+    library_names_spec='${libname}`echo ${release} | $SED -e 's/[[.]]/-/g'`${versuffix}${shared_ext} $libname.lib'
+    ;;
+  esac
+  dynamic_linker='Win32 ld.exe'
+  # FIXME: first we should search . and the directory the executable is in
+  shlibpath_var=PATH
+  ;;
+
+darwin* | rhapsody*)
+  dynamic_linker="$host_os dyld"
+  version_type=darwin
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='${libname}${release}${versuffix}$shared_ext ${libname}${release}${major}$shared_ext ${libname}$shared_ext'
+  soname_spec='${libname}${release}${major}$shared_ext'
+  shlibpath_overrides_runpath=yes
+  shlibpath_var=DYLD_LIBRARY_PATH
+  shrext_cmds='`test .$module = .yes && echo .so || echo .dylib`'
+  m4_if([$1], [],[
+  sys_lib_search_path_spec="$sys_lib_search_path_spec /usr/local/lib"]) 
+  sys_lib_dlsearch_path_spec='/usr/local/lib /lib /usr/lib'
+  ;;
+
+dgux*)
+  version_type=linux
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname$shared_ext'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  shlibpath_var=LD_LIBRARY_PATH
+  ;;
+
+freebsd1*)
+  dynamic_linker=no
+  ;;
+
+freebsd* | dragonfly*)
+  # DragonFly does not have aout.  When/if they implement a new
+  # versioning mechanism, adjust this.
+  if test -x /usr/bin/objformat; then
+    objformat=`/usr/bin/objformat`
+  else
+    case $host_os in
+    freebsd[[123]]*) objformat=aout ;;
+    *) objformat=elf ;;
+    esac
+  fi
+  version_type=freebsd-$objformat
+  case $version_type in
+    freebsd-elf*)
+      library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext} $libname${shared_ext}'
+      need_version=no
+      need_lib_prefix=no
+      ;;
+    freebsd-*)
+      library_names_spec='${libname}${release}${shared_ext}$versuffix $libname${shared_ext}$versuffix'
+      need_version=yes
+      ;;
+  esac
+  shlibpath_var=LD_LIBRARY_PATH
+  case $host_os in
+  freebsd2*)
+    shlibpath_overrides_runpath=yes
+    ;;
+  freebsd3.[[01]]* | freebsdelf3.[[01]]*)
+    shlibpath_overrides_runpath=yes
+    hardcode_into_libs=yes
+    ;;
+  freebsd3.[[2-9]]* | freebsdelf3.[[2-9]]* | \
+  freebsd4.[[0-5]] | freebsdelf4.[[0-5]] | freebsd4.1.1 | freebsdelf4.1.1)
+    shlibpath_overrides_runpath=no
+    hardcode_into_libs=yes
+    ;;
+  *) # from 4.6 on, and DragonFly
+    shlibpath_overrides_runpath=yes
+    hardcode_into_libs=yes
+    ;;
+  esac
+  ;;
+
+gnu*)
+  version_type=linux
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}${major} ${libname}${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  shlibpath_var=LD_LIBRARY_PATH
+  hardcode_into_libs=yes
+  ;;
+
+hpux9* | hpux10* | hpux11*)
+  # Give a soname corresponding to the major version so that dld.sl refuses to
+  # link against other versions.
+  version_type=sunos
+  need_lib_prefix=no
+  need_version=no
+  case $host_cpu in
+  ia64*)
+    shrext_cmds='.so'
+    hardcode_into_libs=yes
+    dynamic_linker="$host_os dld.so"
+    shlibpath_var=LD_LIBRARY_PATH
+    shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
+    library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+    soname_spec='${libname}${release}${shared_ext}$major'
+    if test "X$HPUX_IA64_MODE" = X32; then
+      sys_lib_search_path_spec="/usr/lib/hpux32 /usr/local/lib/hpux32 /usr/local/lib"
+    else
+      sys_lib_search_path_spec="/usr/lib/hpux64 /usr/local/lib/hpux64"
+    fi
+    sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
+    ;;
+   hppa*64*)
+     shrext_cmds='.sl'
+     hardcode_into_libs=yes
+     dynamic_linker="$host_os dld.sl"
+     shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH
+     shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
+     library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+     soname_spec='${libname}${release}${shared_ext}$major'
+     sys_lib_search_path_spec="/usr/lib/pa20_64 /usr/ccs/lib/pa20_64"
+     sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
+     ;;
+   *)
+    shrext_cmds='.sl'
+    dynamic_linker="$host_os dld.sl"
+    shlibpath_var=SHLIB_PATH
+    shlibpath_overrides_runpath=no # +s is required to enable SHLIB_PATH
+    library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+    soname_spec='${libname}${release}${shared_ext}$major'
+    ;;
+  esac
+  # HP-UX runs *really* slowly unless shared libraries are mode 555.
+  postinstall_cmds='chmod 555 $lib'
+  ;;
+
+interix[[3-9]]*)
+  version_type=linux
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  dynamic_linker='Interix 3.x ld.so.1 (PE, like ELF)'
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=no
+  hardcode_into_libs=yes
+  ;;
+
+irix5* | irix6* | nonstopux*)
+  case $host_os in
+    nonstopux*) version_type=nonstopux ;;
+    *)
+	if test "$lt_cv_prog_gnu_ld" = yes; then
+		version_type=linux
+	else
+		version_type=irix
+	fi ;;
+  esac
+  need_lib_prefix=no
+  need_version=no
+  soname_spec='${libname}${release}${shared_ext}$major'
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext} $libname${shared_ext}'
+  case $host_os in
+  irix5* | nonstopux*)
+    libsuff= shlibsuff=
+    ;;
+  *)
+    case $LD in # libtool.m4 will add one of these switches to LD
+    *-32|*"-32 "|*-melf32bsmip|*"-melf32bsmip ")
+      libsuff= shlibsuff= libmagic=32-bit;;
+    *-n32|*"-n32 "|*-melf32bmipn32|*"-melf32bmipn32 ")
+      libsuff=32 shlibsuff=N32 libmagic=N32;;
+    *-64|*"-64 "|*-melf64bmip|*"-melf64bmip ")
+      libsuff=64 shlibsuff=64 libmagic=64-bit;;
+    *) libsuff= shlibsuff= libmagic=never-match;;
+    esac
+    ;;
+  esac
+  shlibpath_var=LD_LIBRARY${shlibsuff}_PATH
+  shlibpath_overrides_runpath=no
+  sys_lib_search_path_spec="/usr/lib${libsuff} /lib${libsuff} /usr/local/lib${libsuff}"
+  sys_lib_dlsearch_path_spec="/usr/lib${libsuff} /lib${libsuff}"
+  hardcode_into_libs=yes
+  ;;
+
+# No shared lib support for Linux oldld, aout, or coff.
+linux*oldld* | linux*aout* | linux*coff*)
+  dynamic_linker=no
+  ;;
+
+# This must be Linux ELF.
+linux* | k*bsd*-gnu)
+  version_type=linux
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  finish_cmds='PATH="\$PATH:/sbin" ldconfig -n $libdir'
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=no
+  # This implies no fast_install, which is unacceptable.
+  # Some rework will be needed to allow for fast_install
+  # before this can be enabled.
+  hardcode_into_libs=yes
+
+  # Append ld.so.conf contents to the search path
+  if test -f /etc/ld.so.conf; then
+    lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \[$]2)); skip = 1; } { if (!skip) print \[$]0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ 	]*hwcap[ 	]/d;s/[:,	]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;/^$/d' | tr '\n' ' '`
+    sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
+  fi
+
+  # We used to test for /lib/ld.so.1 and disable shared libraries on
+  # powerpc, because MkLinux only supported shared libraries with the
+  # GNU dynamic linker.  Since this was broken with cross compilers,
+  # most powerpc-linux boxes support dynamic linking these days and
+  # people can always --disable-shared, the test was removed, and we
+  # assume the GNU/Linux dynamic linker is in use.
+  dynamic_linker='GNU/Linux ld.so'
+  ;;
+
+netbsdelf*-gnu)
+  version_type=linux
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=no
+  hardcode_into_libs=yes
+  dynamic_linker='NetBSD ld.elf_so'
+  ;;
+
+netbsd*)
+  version_type=sunos
+  need_lib_prefix=no
+  need_version=no
+  if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
+    library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
+    finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
+    dynamic_linker='NetBSD (a.out) ld.so'
+  else
+    library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
+    soname_spec='${libname}${release}${shared_ext}$major'
+    dynamic_linker='NetBSD ld.elf_so'
+  fi
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=yes
+  hardcode_into_libs=yes
+  ;;
+
+newsos6)
+  version_type=linux
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=yes
+  ;;
+
+nto-qnx*)
+  version_type=linux
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=yes
+  ;;
+
+openbsd*)
+  version_type=sunos
+  sys_lib_dlsearch_path_spec="/usr/lib"
+  need_lib_prefix=no
+  # Some older versions of OpenBSD (3.3 at least) *do* need versioned libs.
+  case $host_os in
+    openbsd3.3 | openbsd3.3.*) need_version=yes ;;
+    *)                         need_version=no  ;;
+  esac
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
+  finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
+  shlibpath_var=LD_LIBRARY_PATH
+  if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
+    case $host_os in
+      openbsd2.[[89]] | openbsd2.[[89]].*)
+	shlibpath_overrides_runpath=no
+	;;
+      *)
+	shlibpath_overrides_runpath=yes
+	;;
+      esac
+  else
+    shlibpath_overrides_runpath=yes
+  fi
+  ;;
+
+os2*)
+  libname_spec='$name'
+  shrext_cmds=".dll"
+  need_lib_prefix=no
+  library_names_spec='$libname${shared_ext} $libname.a'
+  dynamic_linker='OS/2 ld.exe'
+  shlibpath_var=LIBPATH
+  ;;
+
+osf3* | osf4* | osf5*)
+  version_type=osf
+  need_lib_prefix=no
+  need_version=no
+  soname_spec='${libname}${release}${shared_ext}$major'
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+  shlibpath_var=LD_LIBRARY_PATH
+  sys_lib_search_path_spec="/usr/shlib /usr/ccs/lib /usr/lib/cmplrs/cc /usr/lib /usr/local/lib /var/shlib"
+  sys_lib_dlsearch_path_spec="$sys_lib_search_path_spec"
+  ;;
+
+rdos*)
+  dynamic_linker=no
+  ;;
+
+solaris*)
+  version_type=linux
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=yes
+  hardcode_into_libs=yes
+  # ldd complains unless libraries are executable
+  postinstall_cmds='chmod +x $lib'
+  ;;
+
+sunos4*)
+  version_type=sunos
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
+  finish_cmds='PATH="\$PATH:/usr/etc" ldconfig $libdir'
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=yes
+  if test "$with_gnu_ld" = yes; then
+    need_lib_prefix=no
+  fi
+  need_version=yes
+  ;;
+
+sysv4 | sysv4.3*)
+  version_type=linux
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  shlibpath_var=LD_LIBRARY_PATH
+  case $host_vendor in
+    sni)
+      shlibpath_overrides_runpath=no
+      need_lib_prefix=no
+      export_dynamic_flag_spec='${wl}-Blargedynsym'
+      runpath_var=LD_RUN_PATH
+      ;;
+    siemens)
+      need_lib_prefix=no
+      ;;
+    motorola)
+      need_lib_prefix=no
+      need_version=no
+      shlibpath_overrides_runpath=no
+      sys_lib_search_path_spec='/lib /usr/lib /usr/ccs/lib'
+      ;;
+  esac
+  ;;
+
+sysv4*MP*)
+  if test -d /usr/nec ;then
+    version_type=linux
+    library_names_spec='$libname${shared_ext}.$versuffix $libname${shared_ext}.$major $libname${shared_ext}'
+    soname_spec='$libname${shared_ext}.$major'
+    shlibpath_var=LD_LIBRARY_PATH
+  fi
+  ;;
+
+sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX* | sysv4*uw2*)
+  version_type=freebsd-elf
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext} $libname${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  shlibpath_var=LD_LIBRARY_PATH
+  hardcode_into_libs=yes
+  if test "$with_gnu_ld" = yes; then
+    sys_lib_search_path_spec='/usr/local/lib /usr/gnu/lib /usr/ccs/lib /usr/lib /lib'
+    shlibpath_overrides_runpath=no
+  else
+    sys_lib_search_path_spec='/usr/ccs/lib /usr/lib'
+    shlibpath_overrides_runpath=yes
+    case $host_os in
+      sco3.2v5*)
+        sys_lib_search_path_spec="$sys_lib_search_path_spec /lib"
+	;;
+    esac
+  fi
+  sys_lib_dlsearch_path_spec='/usr/lib'
+  ;;
+
+uts4*)
+  version_type=linux
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  shlibpath_var=LD_LIBRARY_PATH
+  ;;
+
+*)
+  dynamic_linker=no
+  ;;
+esac
+AC_MSG_RESULT([$dynamic_linker])
+test "$dynamic_linker" = no && can_build_shared=no
+
+AC_CACHE_VAL([lt_cv_sys_lib_search_path_spec],
+[lt_cv_sys_lib_search_path_spec="$sys_lib_search_path_spec"])
+sys_lib_search_path_spec="$lt_cv_sys_lib_search_path_spec"
+AC_CACHE_VAL([lt_cv_sys_lib_dlsearch_path_spec],
+[lt_cv_sys_lib_dlsearch_path_spec="$sys_lib_dlsearch_path_spec"])
+sys_lib_dlsearch_path_spec="$lt_cv_sys_lib_dlsearch_path_spec"
+
+variables_saved_for_relink="PATH $shlibpath_var $runpath_var"
+if test "$GCC" = yes; then
+  variables_saved_for_relink="$variables_saved_for_relink GCC_EXEC_PREFIX COMPILER_PATH LIBRARY_PATH"
+fi
+])# AC_LIBTOOL_SYS_DYNAMIC_LINKER
+
+
+# _LT_AC_TAGCONFIG
+# ----------------
+AC_DEFUN([_LT_AC_TAGCONFIG],
+[AC_REQUIRE([LT_AC_PROG_SED])dnl
+AC_ARG_WITH([tags],
+    [AC_HELP_STRING([--with-tags@<:@=TAGS@:>@],
+        [include additional configurations @<:@automatic@:>@])],
+    [tagnames="$withval"])
+
+if test -f "$ltmain" && test -n "$tagnames"; then
+  if test ! -f "${ofile}"; then
+    AC_MSG_WARN([output file `$ofile' does not exist])
+  fi
+
+  if test -z "$LTCC"; then
+    eval "`$SHELL ${ofile} --config | grep '^LTCC='`"
+    if test -z "$LTCC"; then
+      AC_MSG_WARN([output file `$ofile' does not look like a libtool script])
+    else
+      AC_MSG_WARN([using `LTCC=$LTCC', extracted from `$ofile'])
+    fi
+  fi
+  if test -z "$LTCFLAGS"; then
+    eval "`$SHELL ${ofile} --config | grep '^LTCFLAGS='`"
+  fi
+
+  # Extract list of available tagged configurations in $ofile.
+  # Note that this assumes the entire list is on one line.
+  available_tags=`grep "^available_tags=" "${ofile}" | $SED -e 's/available_tags=\(.*$\)/\1/' -e 's/\"//g'`
+
+  lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR,"
+  for tagname in $tagnames; do
+    IFS="$lt_save_ifs"
+    # Check whether tagname contains only valid characters
+    case `$echo "X$tagname" | $Xsed -e 's:[[-_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890,/]]::g'` in
+    "") ;;
+    *)  AC_MSG_ERROR([invalid tag name: $tagname])
+	;;
+    esac
+
+    if grep "^# ### BEGIN LIBTOOL TAG CONFIG: $tagname$" < "${ofile}" > /dev/null
+    then
+      AC_MSG_ERROR([tag name \"$tagname\" already exists])
+    fi
+
+    # Update the list of available tags.
+    if test -n "$tagname"; then
+      echo appending configuration tag \"$tagname\" to $ofile
+
+      case $tagname in
+      CXX)
+	if test -n "$CXX" && ( test "X$CXX" != "Xno" &&
+	    ( (test "X$CXX" = "Xg++" && `g++ -v >/dev/null 2>&1` ) ||
+	    (test "X$CXX" != "Xg++"))) ; then
+	  AC_LIBTOOL_LANG_CXX_CONFIG
+	else
+	  tagname=""
+	fi
+	;;
+
+      F77)
+	if test -n "$F77" && test "X$F77" != "Xno"; then
+	  AC_LIBTOOL_LANG_F77_CONFIG
+	else
+	  tagname=""
+	fi
+	;;
+
+      GCJ)
+	if test -n "$GCJ" && test "X$GCJ" != "Xno"; then
+	  AC_LIBTOOL_LANG_GCJ_CONFIG
+	else
+	  tagname=""
+	fi
+	;;
+
+      RC)
+	AC_LIBTOOL_LANG_RC_CONFIG
+	;;
+
+      *)
+	AC_MSG_ERROR([Unsupported tag name: $tagname])
+	;;
+      esac
+
+      # Append the new tag name to the list of available tags.
+      if test -n "$tagname" ; then
+      available_tags="$available_tags $tagname"
+    fi
+    fi
+  done
+  IFS="$lt_save_ifs"
+
+  # Now substitute the updated list of available tags.
+  if eval "sed -e 's/^available_tags=.*\$/available_tags=\"$available_tags\"/' \"$ofile\" > \"${ofile}T\""; then
+    mv "${ofile}T" "$ofile"
+    chmod +x "$ofile"
+  else
+    rm -f "${ofile}T"
+    AC_MSG_ERROR([unable to update list of available tagged configurations.])
+  fi
+fi
+])# _LT_AC_TAGCONFIG
+
+
+# AC_LIBTOOL_DLOPEN
+# -----------------
+# enable checks for dlopen support
+AC_DEFUN([AC_LIBTOOL_DLOPEN],
+ [AC_BEFORE([$0],[AC_LIBTOOL_SETUP])
+])# AC_LIBTOOL_DLOPEN
+
+
+# AC_LIBTOOL_WIN32_DLL
+# --------------------
+# declare package support for building win32 DLLs
+AC_DEFUN([AC_LIBTOOL_WIN32_DLL],
+[AC_BEFORE([$0], [AC_LIBTOOL_SETUP])
+])# AC_LIBTOOL_WIN32_DLL
+
+
+# AC_ENABLE_SHARED([DEFAULT])
+# ---------------------------
+# implement the --enable-shared flag
+# DEFAULT is either `yes' or `no'.  If omitted, it defaults to `yes'.
+AC_DEFUN([AC_ENABLE_SHARED],
+[define([AC_ENABLE_SHARED_DEFAULT], ifelse($1, no, no, yes))dnl
+AC_ARG_ENABLE([shared],
+    [AC_HELP_STRING([--enable-shared@<:@=PKGS@:>@],
+	[build shared libraries @<:@default=]AC_ENABLE_SHARED_DEFAULT[@:>@])],
+    [p=${PACKAGE-default}
+    case $enableval in
+    yes) enable_shared=yes ;;
+    no) enable_shared=no ;;
+    *)
+      enable_shared=no
+      # Look at the argument we got.  We use all the common list separators.
+      lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR,"
+      for pkg in $enableval; do
+	IFS="$lt_save_ifs"
+	if test "X$pkg" = "X$p"; then
+	  enable_shared=yes
+	fi
+      done
+      IFS="$lt_save_ifs"
+      ;;
+    esac],
+    [enable_shared=]AC_ENABLE_SHARED_DEFAULT)
+])# AC_ENABLE_SHARED
+
+
+# AC_DISABLE_SHARED
+# -----------------
+# set the default shared flag to --disable-shared
+AC_DEFUN([AC_DISABLE_SHARED],
+[AC_BEFORE([$0],[AC_LIBTOOL_SETUP])dnl
+AC_ENABLE_SHARED(no)
+])# AC_DISABLE_SHARED
+
+
+# AC_ENABLE_STATIC([DEFAULT])
+# ---------------------------
+# implement the --enable-static flag
+# DEFAULT is either `yes' or `no'.  If omitted, it defaults to `yes'.
+AC_DEFUN([AC_ENABLE_STATIC],
+[define([AC_ENABLE_STATIC_DEFAULT], ifelse($1, no, no, yes))dnl
+AC_ARG_ENABLE([static],
+    [AC_HELP_STRING([--enable-static@<:@=PKGS@:>@],
+	[build static libraries @<:@default=]AC_ENABLE_STATIC_DEFAULT[@:>@])],
+    [p=${PACKAGE-default}
+    case $enableval in
+    yes) enable_static=yes ;;
+    no) enable_static=no ;;
+    *)
+     enable_static=no
+      # Look at the argument we got.  We use all the common list separators.
+      lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR,"
+      for pkg in $enableval; do
+	IFS="$lt_save_ifs"
+	if test "X$pkg" = "X$p"; then
+	  enable_static=yes
+	fi
+      done
+      IFS="$lt_save_ifs"
+      ;;
+    esac],
+    [enable_static=]AC_ENABLE_STATIC_DEFAULT)
+])# AC_ENABLE_STATIC
+
+
+# AC_DISABLE_STATIC
+# -----------------
+# set the default static flag to --disable-static
+AC_DEFUN([AC_DISABLE_STATIC],
+[AC_BEFORE([$0],[AC_LIBTOOL_SETUP])dnl
+AC_ENABLE_STATIC(no)
+])# AC_DISABLE_STATIC
+
+
+# AC_ENABLE_FAST_INSTALL([DEFAULT])
+# ---------------------------------
+# implement the --enable-fast-install flag
+# DEFAULT is either `yes' or `no'.  If omitted, it defaults to `yes'.
+AC_DEFUN([AC_ENABLE_FAST_INSTALL],
+[define([AC_ENABLE_FAST_INSTALL_DEFAULT], ifelse($1, no, no, yes))dnl
+AC_ARG_ENABLE([fast-install],
+    [AC_HELP_STRING([--enable-fast-install@<:@=PKGS@:>@],
+    [optimize for fast installation @<:@default=]AC_ENABLE_FAST_INSTALL_DEFAULT[@:>@])],
+    [p=${PACKAGE-default}
+    case $enableval in
+    yes) enable_fast_install=yes ;;
+    no) enable_fast_install=no ;;
+    *)
+      enable_fast_install=no
+      # Look at the argument we got.  We use all the common list separators.
+      lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR,"
+      for pkg in $enableval; do
+	IFS="$lt_save_ifs"
+	if test "X$pkg" = "X$p"; then
+	  enable_fast_install=yes
+	fi
+      done
+      IFS="$lt_save_ifs"
+      ;;
+    esac],
+    [enable_fast_install=]AC_ENABLE_FAST_INSTALL_DEFAULT)
+])# AC_ENABLE_FAST_INSTALL
+
+
+# AC_DISABLE_FAST_INSTALL
+# -----------------------
+# set the default to --disable-fast-install
+AC_DEFUN([AC_DISABLE_FAST_INSTALL],
+[AC_BEFORE([$0],[AC_LIBTOOL_SETUP])dnl
+AC_ENABLE_FAST_INSTALL(no)
+])# AC_DISABLE_FAST_INSTALL
+
+
+# AC_LIBTOOL_PICMODE([MODE])
+# --------------------------
+# implement the --with-pic flag
+# MODE is either `yes' or `no'.  If omitted, it defaults to `both'.
+AC_DEFUN([AC_LIBTOOL_PICMODE],
+[AC_BEFORE([$0],[AC_LIBTOOL_SETUP])dnl
+pic_mode=ifelse($#,1,$1,default)
+])# AC_LIBTOOL_PICMODE
+
+
+# AC_PROG_EGREP
+# -------------
+# This is predefined starting with Autoconf 2.54, so this conditional
+# definition can be removed once we require Autoconf 2.54 or later.
+m4_ifndef([AC_PROG_EGREP], [AC_DEFUN([AC_PROG_EGREP],
+[AC_CACHE_CHECK([for egrep], [ac_cv_prog_egrep],
+   [if echo a | (grep -E '(a|b)') >/dev/null 2>&1
+    then ac_cv_prog_egrep='grep -E'
+    else ac_cv_prog_egrep='egrep'
+    fi])
+ EGREP=$ac_cv_prog_egrep
+ AC_SUBST([EGREP])
+])])
+
+
+# AC_PATH_TOOL_PREFIX
+# -------------------
+# find a file program which can recognize shared library
+AC_DEFUN([AC_PATH_TOOL_PREFIX],
+[AC_REQUIRE([AC_PROG_EGREP])dnl
+AC_MSG_CHECKING([for $1])
+AC_CACHE_VAL(lt_cv_path_MAGIC_CMD,
+[case $MAGIC_CMD in
+[[\\/*] |  ?:[\\/]*])
+  lt_cv_path_MAGIC_CMD="$MAGIC_CMD" # Let the user override the test with a path.
+  ;;
+*)
+  lt_save_MAGIC_CMD="$MAGIC_CMD"
+  lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR
+dnl $ac_dummy forces splitting on constant user-supplied paths.
+dnl POSIX.2 word splitting is done only on the output of word expansions,
+dnl not every word.  This closes a longstanding sh security hole.
+  ac_dummy="ifelse([$2], , $PATH, [$2])"
+  for ac_dir in $ac_dummy; do
+    IFS="$lt_save_ifs"
+    test -z "$ac_dir" && ac_dir=.
+    if test -f $ac_dir/$1; then
+      lt_cv_path_MAGIC_CMD="$ac_dir/$1"
+      if test -n "$file_magic_test_file"; then
+	case $deplibs_check_method in
+	"file_magic "*)
+	  file_magic_regex=`expr "$deplibs_check_method" : "file_magic \(.*\)"`
+	  MAGIC_CMD="$lt_cv_path_MAGIC_CMD"
+	  if eval $file_magic_cmd \$file_magic_test_file 2> /dev/null |
+	    $EGREP "$file_magic_regex" > /dev/null; then
+	    :
+	  else
+	    cat <<EOF 1>&2
+
+*** Warning: the command libtool uses to detect shared libraries,
+*** $file_magic_cmd, produces output that libtool cannot recognize.
+*** The result is that libtool may fail to recognize shared libraries
+*** as such.  This will affect the creation of libtool libraries that
+*** depend on shared libraries, but programs linked with such libtool
+*** libraries will work regardless of this problem.  Nevertheless, you
+*** may want to report the problem to your system manager and/or to
+*** bug-libtool@gnu.org
+
+EOF
+	  fi ;;
+	esac
+      fi
+      break
+    fi
+  done
+  IFS="$lt_save_ifs"
+  MAGIC_CMD="$lt_save_MAGIC_CMD"
+  ;;
+esac])
+MAGIC_CMD="$lt_cv_path_MAGIC_CMD"
+if test -n "$MAGIC_CMD"; then
+  AC_MSG_RESULT($MAGIC_CMD)
+else
+  AC_MSG_RESULT(no)
+fi
+])# AC_PATH_TOOL_PREFIX
+
+
+# AC_PATH_MAGIC
+# -------------
+# find a file program which can recognize a shared library
+AC_DEFUN([AC_PATH_MAGIC],
+[AC_PATH_TOOL_PREFIX(${ac_tool_prefix}file, /usr/bin$PATH_SEPARATOR$PATH)
+if test -z "$lt_cv_path_MAGIC_CMD"; then
+  if test -n "$ac_tool_prefix"; then
+    AC_PATH_TOOL_PREFIX(file, /usr/bin$PATH_SEPARATOR$PATH)
+  else
+    MAGIC_CMD=:
+  fi
+fi
+])# AC_PATH_MAGIC
+
+
+# AC_PROG_LD
+# ----------
+# find the pathname to the GNU or non-GNU linker
+AC_DEFUN([AC_PROG_LD],
+[AC_ARG_WITH([gnu-ld],
+    [AC_HELP_STRING([--with-gnu-ld],
+	[assume the C compiler uses GNU ld @<:@default=no@:>@])],
+    [test "$withval" = no || with_gnu_ld=yes],
+    [with_gnu_ld=no])
+AC_REQUIRE([LT_AC_PROG_SED])dnl
+AC_REQUIRE([AC_PROG_CC])dnl
+AC_REQUIRE([AC_CANONICAL_HOST])dnl
+AC_REQUIRE([AC_CANONICAL_BUILD])dnl
+ac_prog=ld
+if test "$GCC" = yes; then
+  # Check if gcc -print-prog-name=ld gives a path.
+  AC_MSG_CHECKING([for ld used by $CC])
+  case $host in
+  *-*-mingw*)
+    # gcc leaves a trailing carriage return which upsets mingw
+    ac_prog=`($CC -print-prog-name=ld) 2>&5 | tr -d '\015'` ;;
+  *)
+    ac_prog=`($CC -print-prog-name=ld) 2>&5` ;;
+  esac
+  case $ac_prog in
+    # Accept absolute paths.
+    [[\\/]]* | ?:[[\\/]]*)
+      re_direlt='/[[^/]][[^/]]*/\.\./'
+      # Canonicalize the pathname of ld
+      ac_prog=`echo $ac_prog| $SED 's%\\\\%/%g'`
+      while echo $ac_prog | grep "$re_direlt" > /dev/null 2>&1; do
+	ac_prog=`echo $ac_prog| $SED "s%$re_direlt%/%"`
+      done
+      test -z "$LD" && LD="$ac_prog"
+      ;;
+  "")
+    # If it fails, then pretend we aren't using GCC.
+    ac_prog=ld
+    ;;
+  *)
+    # If it is relative, then search for the first ld in PATH.
+    with_gnu_ld=unknown
+    ;;
+  esac
+elif test "$with_gnu_ld" = yes; then
+  AC_MSG_CHECKING([for GNU ld])
+else
+  AC_MSG_CHECKING([for non-GNU ld])
+fi
+AC_CACHE_VAL(lt_cv_path_LD,
+[if test -z "$LD"; then
+  lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR
+  for ac_dir in $PATH; do
+    IFS="$lt_save_ifs"
+    test -z "$ac_dir" && ac_dir=.
+    if test -f "$ac_dir/$ac_prog" || test -f "$ac_dir/$ac_prog$ac_exeext"; then
+      lt_cv_path_LD="$ac_dir/$ac_prog"
+      # Check to see if the program is GNU ld.  I'd rather use --version,
+      # but apparently some variants of GNU ld only accept -v.
+      # Break only if it was the GNU/non-GNU ld that we prefer.
+      case `"$lt_cv_path_LD" -v 2>&1 </dev/null` in
+      *GNU* | *'with BFD'*)
+	test "$with_gnu_ld" != no && break
+	;;
+      *)
+	test "$with_gnu_ld" != yes && break
+	;;
+      esac
+    fi
+  done
+  IFS="$lt_save_ifs"
+else
+  lt_cv_path_LD="$LD" # Let the user override the test with a path.
+fi])
+LD="$lt_cv_path_LD"
+if test -n "$LD"; then
+  AC_MSG_RESULT($LD)
+else
+  AC_MSG_RESULT(no)
+fi
+test -z "$LD" && AC_MSG_ERROR([no acceptable ld found in \$PATH])
+AC_PROG_LD_GNU
+])# AC_PROG_LD
+
+
+# AC_PROG_LD_GNU
+# --------------
+AC_DEFUN([AC_PROG_LD_GNU],
+[AC_REQUIRE([AC_PROG_EGREP])dnl
+AC_CACHE_CHECK([if the linker ($LD) is GNU ld], lt_cv_prog_gnu_ld,
+[# I'd rather use --version here, but apparently some GNU lds only accept -v.
+case `$LD -v 2>&1 </dev/null` in
+*GNU* | *'with BFD'*)
+  lt_cv_prog_gnu_ld=yes
+  ;;
+*)
+  lt_cv_prog_gnu_ld=no
+  ;;
+esac])
+with_gnu_ld=$lt_cv_prog_gnu_ld
+])# AC_PROG_LD_GNU
+
+
+# AC_PROG_LD_RELOAD_FLAG
+# ----------------------
+# find reload flag for linker
+#   -- PORTME Some linkers may need a different reload flag.
+AC_DEFUN([AC_PROG_LD_RELOAD_FLAG],
+[AC_CACHE_CHECK([for $LD option to reload object files],
+  lt_cv_ld_reload_flag,
+  [lt_cv_ld_reload_flag='-r'])
+reload_flag=$lt_cv_ld_reload_flag
+case $reload_flag in
+"" | " "*) ;;
+*) reload_flag=" $reload_flag" ;;
+esac
+reload_cmds='$LD$reload_flag -o $output$reload_objs'
+case $host_os in
+  darwin*)
+    if test "$GCC" = yes; then
+      reload_cmds='$LTCC $LTCFLAGS -nostdlib ${wl}-r -o $output$reload_objs'
+    else
+      reload_cmds='$LD$reload_flag -o $output$reload_objs'
+    fi
+    ;;
+esac
+])# AC_PROG_LD_RELOAD_FLAG
+
+
+# AC_DEPLIBS_CHECK_METHOD
+# -----------------------
+# how to check for library dependencies
+#  -- PORTME fill in with the dynamic library characteristics
+AC_DEFUN([AC_DEPLIBS_CHECK_METHOD],
+[AC_CACHE_CHECK([how to recognize dependent libraries],
+lt_cv_deplibs_check_method,
+[lt_cv_file_magic_cmd='$MAGIC_CMD'
+lt_cv_file_magic_test_file=
+lt_cv_deplibs_check_method='unknown'
+# Need to set the preceding variable on all platforms that support
+# interlibrary dependencies.
+# 'none' -- dependencies not supported.
+# `unknown' -- same as none, but documents that we really don't know.
+# 'pass_all' -- all dependencies passed with no checks.
+# 'test_compile' -- check by making test program.
+# 'file_magic [[regex]]' -- check by looking for files in library path
+# which responds to the $file_magic_cmd with a given extended regex.
+# If you have `file' or equivalent on your system and you're not sure
+# whether `pass_all' will *always* work, you probably want this one.
+
+case $host_os in
+aix[[4-9]]*)
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+
+beos*)
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+
+bsdi[[45]]*)
+  lt_cv_deplibs_check_method='file_magic ELF [[0-9]][[0-9]]*-bit [[ML]]SB (shared object|dynamic lib)'
+  lt_cv_file_magic_cmd='/usr/bin/file -L'
+  lt_cv_file_magic_test_file=/shlib/libc.so
+  ;;
+
+cygwin*)
+  # func_win32_libid is a shell function defined in ltmain.sh
+  lt_cv_deplibs_check_method='file_magic ^x86 archive import|^x86 DLL'
+  lt_cv_file_magic_cmd='func_win32_libid'
+  ;;
+
+mingw* | pw32*)
+  # Base MSYS/MinGW do not provide the 'file' command needed by
+  # func_win32_libid shell function, so use a weaker test based on 'objdump',
+  # unless we find 'file', for example because we are cross-compiling.
+  if ( file / ) >/dev/null 2>&1; then
+    lt_cv_deplibs_check_method='file_magic ^x86 archive import|^x86 DLL'
+    lt_cv_file_magic_cmd='func_win32_libid'
+  else
+    lt_cv_deplibs_check_method='file_magic file format pei*-i386(.*architecture: i386)?'
+    lt_cv_file_magic_cmd='$OBJDUMP -f'
+  fi
+  ;;
+
+darwin* | rhapsody*)
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+
+freebsd* | dragonfly*)
+  if echo __ELF__ | $CC -E - | grep __ELF__ > /dev/null; then
+    case $host_cpu in
+    i*86 )
+      # Not sure whether the presence of OpenBSD here was a mistake.
+      # Let's accept both of them until this is cleared up.
+      lt_cv_deplibs_check_method='file_magic (FreeBSD|OpenBSD|DragonFly)/i[[3-9]]86 (compact )?demand paged shared library'
+      lt_cv_file_magic_cmd=/usr/bin/file
+      lt_cv_file_magic_test_file=`echo /usr/lib/libc.so.*`
+      ;;
+    esac
+  else
+    lt_cv_deplibs_check_method=pass_all
+  fi
+  ;;
+
+gnu*)
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+
+hpux10.20* | hpux11*)
+  lt_cv_file_magic_cmd=/usr/bin/file
+  case $host_cpu in
+  ia64*)
+    lt_cv_deplibs_check_method='file_magic (s[[0-9]][[0-9]][[0-9]]|ELF-[[0-9]][[0-9]]) shared object file - IA64'
+    lt_cv_file_magic_test_file=/usr/lib/hpux32/libc.so
+    ;;
+  hppa*64*)
+    [lt_cv_deplibs_check_method='file_magic (s[0-9][0-9][0-9]|ELF-[0-9][0-9]) shared object file - PA-RISC [0-9].[0-9]']
+    lt_cv_file_magic_test_file=/usr/lib/pa20_64/libc.sl
+    ;;
+  *)
+    lt_cv_deplibs_check_method='file_magic (s[[0-9]][[0-9]][[0-9]]|PA-RISC[[0-9]].[[0-9]]) shared library'
+    lt_cv_file_magic_test_file=/usr/lib/libc.sl
+    ;;
+  esac
+  ;;
+
+interix[[3-9]]*)
+  # PIC code is broken on Interix 3.x, that's why |\.a not |_pic\.a here
+  lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so|\.a)$'
+  ;;
+
+irix5* | irix6* | nonstopux*)
+  case $LD in
+  *-32|*"-32 ") libmagic=32-bit;;
+  *-n32|*"-n32 ") libmagic=N32;;
+  *-64|*"-64 ") libmagic=64-bit;;
+  *) libmagic=never-match;;
+  esac
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+
+# This must be Linux ELF.
+linux* | k*bsd*-gnu)
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+
+netbsd* | netbsdelf*-gnu)
+  if echo __ELF__ | $CC -E - | grep __ELF__ > /dev/null; then
+    lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so\.[[0-9]]+\.[[0-9]]+|_pic\.a)$'
+  else
+    lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so|_pic\.a)$'
+  fi
+  ;;
+
+newos6*)
+  lt_cv_deplibs_check_method='file_magic ELF [[0-9]][[0-9]]*-bit [[ML]]SB (executable|dynamic lib)'
+  lt_cv_file_magic_cmd=/usr/bin/file
+  lt_cv_file_magic_test_file=/usr/lib/libnls.so
+  ;;
+
+nto-qnx*)
+  lt_cv_deplibs_check_method=unknown
+  ;;
+
+openbsd*)
+  if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
+    lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so\.[[0-9]]+\.[[0-9]]+|\.so|_pic\.a)$'
+  else
+    lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so\.[[0-9]]+\.[[0-9]]+|_pic\.a)$'
+  fi
+  ;;
+
+osf3* | osf4* | osf5*)
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+
+rdos*)
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+
+solaris*)
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+
+sysv4 | sysv4.3*)
+  case $host_vendor in
+  motorola)
+    lt_cv_deplibs_check_method='file_magic ELF [[0-9]][[0-9]]*-bit [[ML]]SB (shared object|dynamic lib) M[[0-9]][[0-9]]* Version [[0-9]]'
+    lt_cv_file_magic_test_file=`echo /usr/lib/libc.so*`
+    ;;
+  ncr)
+    lt_cv_deplibs_check_method=pass_all
+    ;;
+  sequent)
+    lt_cv_file_magic_cmd='/bin/file'
+    lt_cv_deplibs_check_method='file_magic ELF [[0-9]][[0-9]]*-bit [[LM]]SB (shared object|dynamic lib )'
+    ;;
+  sni)
+    lt_cv_file_magic_cmd='/bin/file'
+    lt_cv_deplibs_check_method="file_magic ELF [[0-9]][[0-9]]*-bit [[LM]]SB dynamic lib"
+    lt_cv_file_magic_test_file=/lib/libc.so
+    ;;
+  siemens)
+    lt_cv_deplibs_check_method=pass_all
+    ;;
+  pc)
+    lt_cv_deplibs_check_method=pass_all
+    ;;
+  esac
+  ;;
+
+sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX* | sysv4*uw2*)
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+esac
+])
+file_magic_cmd=$lt_cv_file_magic_cmd
+deplibs_check_method=$lt_cv_deplibs_check_method
+test -z "$deplibs_check_method" && deplibs_check_method=unknown
+])# AC_DEPLIBS_CHECK_METHOD
+
+
+# AC_PROG_NM
+# ----------
+# find the pathname to a BSD-compatible name lister
+AC_DEFUN([AC_PROG_NM],
+[AC_CACHE_CHECK([for BSD-compatible nm], lt_cv_path_NM,
+[if test -n "$NM"; then
+  # Let the user override the test.
+  lt_cv_path_NM="$NM"
+else
+  lt_nm_to_check="${ac_tool_prefix}nm"
+  if test -n "$ac_tool_prefix" && test "$build" = "$host"; then
+    lt_nm_to_check="$lt_nm_to_check nm"
+  fi
+  for lt_tmp_nm in $lt_nm_to_check; do
+    lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR
+    for ac_dir in $PATH /usr/ccs/bin/elf /usr/ccs/bin /usr/ucb /bin; do
+      IFS="$lt_save_ifs"
+      test -z "$ac_dir" && ac_dir=.
+      tmp_nm="$ac_dir/$lt_tmp_nm"
+      if test -f "$tmp_nm" || test -f "$tmp_nm$ac_exeext" ; then
+	# Check to see if the nm accepts a BSD-compat flag.
+	# Adding the `sed 1q' prevents false positives on HP-UX, which says:
+	#   nm: unknown option "B" ignored
+	# Tru64's nm complains that /dev/null is an invalid object file
+	case `"$tmp_nm" -B /dev/null 2>&1 | sed '1q'` in
+	*/dev/null* | *'Invalid file or object type'*)
+	  lt_cv_path_NM="$tmp_nm -B"
+	  break
+	  ;;
+	*)
+	  case `"$tmp_nm" -p /dev/null 2>&1 | sed '1q'` in
+	  */dev/null*)
+	    lt_cv_path_NM="$tmp_nm -p"
+	    break
+	    ;;
+	  *)
+	    lt_cv_path_NM=${lt_cv_path_NM="$tmp_nm"} # keep the first match, but
+	    continue # so that we can try to find one that supports BSD flags
+	    ;;
+	  esac
+	  ;;
+	esac
+      fi
+    done
+    IFS="$lt_save_ifs"
+  done
+  test -z "$lt_cv_path_NM" && lt_cv_path_NM=nm
+fi])
+NM="$lt_cv_path_NM"
+])# AC_PROG_NM
+
+
+# AC_CHECK_LIBM
+# -------------
+# check for math library
+AC_DEFUN([AC_CHECK_LIBM],
+[AC_REQUIRE([AC_CANONICAL_HOST])dnl
+LIBM=
+case $host in
+*-*-beos* | *-*-cygwin* | *-*-pw32* | *-*-darwin*)
+  # These system don't have libm, or don't need it
+  ;;
+*-ncr-sysv4.3*)
+  AC_CHECK_LIB(mw, _mwvalidcheckl, LIBM="-lmw")
+  AC_CHECK_LIB(m, cos, LIBM="$LIBM -lm")
+  ;;
+*)
+  AC_CHECK_LIB(m, cos, LIBM="-lm")
+  ;;
+esac
+])# AC_CHECK_LIBM
+
+
+# AC_LIBLTDL_CONVENIENCE([DIRECTORY])
+# -----------------------------------
+# sets LIBLTDL to the link flags for the libltdl convenience library and
+# LTDLINCL to the include flags for the libltdl header and adds
+# --enable-ltdl-convenience to the configure arguments.  Note that
+# AC_CONFIG_SUBDIRS is not called here.  If DIRECTORY is not provided,
+# it is assumed to be `libltdl'.  LIBLTDL will be prefixed with
+# '${top_builddir}/' and LTDLINCL will be prefixed with '${top_srcdir}/'
+# (note the single quotes!).  If your package is not flat and you're not
+# using automake, define top_builddir and top_srcdir appropriately in
+# the Makefiles.
+AC_DEFUN([AC_LIBLTDL_CONVENIENCE],
+[AC_BEFORE([$0],[AC_LIBTOOL_SETUP])dnl
+  case $enable_ltdl_convenience in
+  no) AC_MSG_ERROR([this package needs a convenience libltdl]) ;;
+  "") enable_ltdl_convenience=yes
+      ac_configure_args="$ac_configure_args --enable-ltdl-convenience" ;;
+  esac
+  LIBLTDL='${top_builddir}/'ifelse($#,1,[$1],['libltdl'])/libltdlc.la
+  LTDLINCL='-I${top_srcdir}/'ifelse($#,1,[$1],['libltdl'])
+  # For backwards non-gettext consistent compatibility...
+  INCLTDL="$LTDLINCL"
+])# AC_LIBLTDL_CONVENIENCE
+
+
+# AC_LIBLTDL_INSTALLABLE([DIRECTORY])
+# -----------------------------------
+# sets LIBLTDL to the link flags for the libltdl installable library and
+# LTDLINCL to the include flags for the libltdl header and adds
+# --enable-ltdl-install to the configure arguments.  Note that
+# AC_CONFIG_SUBDIRS is not called here.  If DIRECTORY is not provided,
+# and an installed libltdl is not found, it is assumed to be `libltdl'.
+# LIBLTDL will be prefixed with '${top_builddir}/'# and LTDLINCL with
+# '${top_srcdir}/' (note the single quotes!).  If your package is not
+# flat and you're not using automake, define top_builddir and top_srcdir
+# appropriately in the Makefiles.
+# In the future, this macro may have to be called after AC_PROG_LIBTOOL.
+AC_DEFUN([AC_LIBLTDL_INSTALLABLE],
+[AC_BEFORE([$0],[AC_LIBTOOL_SETUP])dnl
+  AC_CHECK_LIB(ltdl, lt_dlinit,
+  [test x"$enable_ltdl_install" != xyes && enable_ltdl_install=no],
+  [if test x"$enable_ltdl_install" = xno; then
+     AC_MSG_WARN([libltdl not installed, but installation disabled])
+   else
+     enable_ltdl_install=yes
+   fi
+  ])
+  if test x"$enable_ltdl_install" = x"yes"; then
+    ac_configure_args="$ac_configure_args --enable-ltdl-install"
+    LIBLTDL='${top_builddir}/'ifelse($#,1,[$1],['libltdl'])/libltdl.la
+    LTDLINCL='-I${top_srcdir}/'ifelse($#,1,[$1],['libltdl'])
+  else
+    ac_configure_args="$ac_configure_args --enable-ltdl-install=no"
+    LIBLTDL="-lltdl"
+    LTDLINCL=
+  fi
+  # For backwards non-gettext consistent compatibility...
+  INCLTDL="$LTDLINCL"
+])# AC_LIBLTDL_INSTALLABLE
+
+
+# AC_LIBTOOL_CXX
+# --------------
+# enable support for C++ libraries
+AC_DEFUN([AC_LIBTOOL_CXX],
+[AC_REQUIRE([_LT_AC_LANG_CXX])
+])# AC_LIBTOOL_CXX
+
+
+# _LT_AC_LANG_CXX
+# ---------------
+AC_DEFUN([_LT_AC_LANG_CXX],
+[AC_REQUIRE([AC_PROG_CXX])
+AC_REQUIRE([_LT_AC_PROG_CXXCPP])
+_LT_AC_SHELL_INIT([tagnames=${tagnames+${tagnames},}CXX])
+])# _LT_AC_LANG_CXX
+
+# _LT_AC_PROG_CXXCPP
+# ------------------
+AC_DEFUN([_LT_AC_PROG_CXXCPP],
+[
+AC_REQUIRE([AC_PROG_CXX])
+if test -n "$CXX" && ( test "X$CXX" != "Xno" &&
+    ( (test "X$CXX" = "Xg++" && `g++ -v >/dev/null 2>&1` ) ||
+    (test "X$CXX" != "Xg++"))) ; then
+  AC_PROG_CXXCPP
+fi
+])# _LT_AC_PROG_CXXCPP
+
+# AC_LIBTOOL_F77
+# --------------
+# enable support for Fortran 77 libraries
+AC_DEFUN([AC_LIBTOOL_F77],
+[AC_REQUIRE([_LT_AC_LANG_F77])
+])# AC_LIBTOOL_F77
+
+
+# _LT_AC_LANG_F77
+# ---------------
+AC_DEFUN([_LT_AC_LANG_F77],
+[AC_REQUIRE([AC_PROG_F77])
+_LT_AC_SHELL_INIT([tagnames=${tagnames+${tagnames},}F77])
+])# _LT_AC_LANG_F77
+
+
+# AC_LIBTOOL_GCJ
+# --------------
+# enable support for GCJ libraries
+AC_DEFUN([AC_LIBTOOL_GCJ],
+[AC_REQUIRE([_LT_AC_LANG_GCJ])
+])# AC_LIBTOOL_GCJ
+
+
+# _LT_AC_LANG_GCJ
+# ---------------
+AC_DEFUN([_LT_AC_LANG_GCJ],
+[AC_PROVIDE_IFELSE([AC_PROG_GCJ],[],
+  [AC_PROVIDE_IFELSE([A][M_PROG_GCJ],[],
+    [AC_PROVIDE_IFELSE([LT_AC_PROG_GCJ],[],
+      [ifdef([AC_PROG_GCJ],[AC_REQUIRE([AC_PROG_GCJ])],
+	 [ifdef([A][M_PROG_GCJ],[AC_REQUIRE([A][M_PROG_GCJ])],
+	   [AC_REQUIRE([A][C_PROG_GCJ_OR_A][M_PROG_GCJ])])])])])])
+_LT_AC_SHELL_INIT([tagnames=${tagnames+${tagnames},}GCJ])
+])# _LT_AC_LANG_GCJ
+
+
+# AC_LIBTOOL_RC
+# -------------
+# enable support for Windows resource files
+AC_DEFUN([AC_LIBTOOL_RC],
+[AC_REQUIRE([LT_AC_PROG_RC])
+_LT_AC_SHELL_INIT([tagnames=${tagnames+${tagnames},}RC])
+])# AC_LIBTOOL_RC
+
+
+# AC_LIBTOOL_LANG_C_CONFIG
+# ------------------------
+# Ensure that the configuration vars for the C compiler are
+# suitably defined.  Those variables are subsequently used by
+# AC_LIBTOOL_CONFIG to write the compiler configuration to `libtool'.
+AC_DEFUN([AC_LIBTOOL_LANG_C_CONFIG], [_LT_AC_LANG_C_CONFIG])
+AC_DEFUN([_LT_AC_LANG_C_CONFIG],
+[lt_save_CC="$CC"
+AC_LANG_PUSH(C)
+
+# Source file extension for C test sources.
+ac_ext=c
+
+# Object file extension for compiled C test sources.
+objext=o
+_LT_AC_TAGVAR(objext, $1)=$objext
+
+# Code to be used in simple compile tests
+lt_simple_compile_test_code="int some_variable = 0;"
+
+# Code to be used in simple link tests
+lt_simple_link_test_code='int main(){return(0);}'
+
+_LT_AC_SYS_COMPILER
+
+# save warnings/boilerplate of simple test code
+_LT_COMPILER_BOILERPLATE
+_LT_LINKER_BOILERPLATE
+
+AC_LIBTOOL_PROG_COMPILER_NO_RTTI($1)
+AC_LIBTOOL_PROG_COMPILER_PIC($1)
+AC_LIBTOOL_PROG_CC_C_O($1)
+AC_LIBTOOL_SYS_HARD_LINK_LOCKS($1)
+AC_LIBTOOL_PROG_LD_SHLIBS($1)
+AC_LIBTOOL_SYS_DYNAMIC_LINKER($1)
+AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH($1)
+AC_LIBTOOL_SYS_LIB_STRIP
+AC_LIBTOOL_DLOPEN_SELF
+
+# Report which library types will actually be built
+AC_MSG_CHECKING([if libtool supports shared libraries])
+AC_MSG_RESULT([$can_build_shared])
+
+AC_MSG_CHECKING([whether to build shared libraries])
+test "$can_build_shared" = "no" && enable_shared=no
+
+# On AIX, shared libraries and static libraries use the same namespace, and
+# are all built from PIC.
+case $host_os in
+aix3*)
+  test "$enable_shared" = yes && enable_static=no
+  if test -n "$RANLIB"; then
+    archive_cmds="$archive_cmds~\$RANLIB \$lib"
+    postinstall_cmds='$RANLIB $lib'
+  fi
+  ;;
+
+aix[[4-9]]*)
+  if test "$host_cpu" != ia64 && test "$aix_use_runtimelinking" = no ; then
+    test "$enable_shared" = yes && enable_static=no
+  fi
+    ;;
+esac
+AC_MSG_RESULT([$enable_shared])
+
+AC_MSG_CHECKING([whether to build static libraries])
+# Make sure either enable_shared or enable_static is yes.
+test "$enable_shared" = yes || enable_static=yes
+AC_MSG_RESULT([$enable_static])
+
+AC_LIBTOOL_CONFIG($1)
+
+AC_LANG_POP
+CC="$lt_save_CC"
+])# AC_LIBTOOL_LANG_C_CONFIG
+
+
+# AC_LIBTOOL_LANG_CXX_CONFIG
+# --------------------------
+# Ensure that the configuration vars for the C compiler are
+# suitably defined.  Those variables are subsequently used by
+# AC_LIBTOOL_CONFIG to write the compiler configuration to `libtool'.
+AC_DEFUN([AC_LIBTOOL_LANG_CXX_CONFIG], [_LT_AC_LANG_CXX_CONFIG(CXX)])
+AC_DEFUN([_LT_AC_LANG_CXX_CONFIG],
+[AC_LANG_PUSH(C++)
+AC_REQUIRE([AC_PROG_CXX])
+AC_REQUIRE([_LT_AC_PROG_CXXCPP])
+
+_LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
+_LT_AC_TAGVAR(allow_undefined_flag, $1)=
+_LT_AC_TAGVAR(always_export_symbols, $1)=no
+_LT_AC_TAGVAR(archive_expsym_cmds, $1)=
+_LT_AC_TAGVAR(export_dynamic_flag_spec, $1)=
+_LT_AC_TAGVAR(hardcode_direct, $1)=no
+_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)=
+_LT_AC_TAGVAR(hardcode_libdir_flag_spec_ld, $1)=
+_LT_AC_TAGVAR(hardcode_libdir_separator, $1)=
+_LT_AC_TAGVAR(hardcode_minus_L, $1)=no
+_LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=unsupported
+_LT_AC_TAGVAR(hardcode_automatic, $1)=no
+_LT_AC_TAGVAR(module_cmds, $1)=
+_LT_AC_TAGVAR(module_expsym_cmds, $1)=
+_LT_AC_TAGVAR(link_all_deplibs, $1)=unknown
+_LT_AC_TAGVAR(old_archive_cmds, $1)=$old_archive_cmds
+_LT_AC_TAGVAR(no_undefined_flag, $1)=
+_LT_AC_TAGVAR(whole_archive_flag_spec, $1)=
+_LT_AC_TAGVAR(enable_shared_with_static_runtimes, $1)=no
+
+# Dependencies to place before and after the object being linked:
+_LT_AC_TAGVAR(predep_objects, $1)=
+_LT_AC_TAGVAR(postdep_objects, $1)=
+_LT_AC_TAGVAR(predeps, $1)=
+_LT_AC_TAGVAR(postdeps, $1)=
+_LT_AC_TAGVAR(compiler_lib_search_path, $1)=
+_LT_AC_TAGVAR(compiler_lib_search_dirs, $1)=
+
+# Source file extension for C++ test sources.
+ac_ext=cpp
+
+# Object file extension for compiled C++ test sources.
+objext=o
+_LT_AC_TAGVAR(objext, $1)=$objext
+
+# Code to be used in simple compile tests
+lt_simple_compile_test_code="int some_variable = 0;"
+
+# Code to be used in simple link tests
+lt_simple_link_test_code='int main(int, char *[[]]) { return(0); }'
+
+# ltmain only uses $CC for tagged configurations so make sure $CC is set.
+_LT_AC_SYS_COMPILER
+
+# save warnings/boilerplate of simple test code
+_LT_COMPILER_BOILERPLATE
+_LT_LINKER_BOILERPLATE
+
+# Allow CC to be a program name with arguments.
+lt_save_CC=$CC
+lt_save_LD=$LD
+lt_save_GCC=$GCC
+GCC=$GXX
+lt_save_with_gnu_ld=$with_gnu_ld
+lt_save_path_LD=$lt_cv_path_LD
+if test -n "${lt_cv_prog_gnu_ldcxx+set}"; then
+  lt_cv_prog_gnu_ld=$lt_cv_prog_gnu_ldcxx
+else
+  $as_unset lt_cv_prog_gnu_ld
+fi
+if test -n "${lt_cv_path_LDCXX+set}"; then
+  lt_cv_path_LD=$lt_cv_path_LDCXX
+else
+  $as_unset lt_cv_path_LD
+fi
+test -z "${LDCXX+set}" || LD=$LDCXX
+CC=${CXX-"c++"}
+compiler=$CC
+_LT_AC_TAGVAR(compiler, $1)=$CC
+_LT_CC_BASENAME([$compiler])
+
+# We don't want -fno-exception wen compiling C++ code, so set the
+# no_builtin_flag separately
+if test "$GXX" = yes; then
+  _LT_AC_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)=' -fno-builtin'
+else
+  _LT_AC_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)=
+fi
+
+if test "$GXX" = yes; then
+  # Set up default GNU C++ configuration
+
+  AC_PROG_LD
+
+  # Check if GNU C++ uses GNU ld as the underlying linker, since the
+  # archiving commands below assume that GNU ld is being used.
+  if test "$with_gnu_ld" = yes; then
+    _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib'
+    _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+
+    _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}--rpath ${wl}$libdir'
+    _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic'
+
+    # If archive_cmds runs LD, not CC, wlarc should be empty
+    # XXX I think wlarc can be eliminated in ltcf-cxx, but I need to
+    #     investigate it a little bit more. (MM)
+    wlarc='${wl}'
+
+    # ancient GNU ld didn't support --whole-archive et. al.
+    if eval "`$CC -print-prog-name=ld` --help 2>&1" | \
+	grep 'no-whole-archive' > /dev/null; then
+      _LT_AC_TAGVAR(whole_archive_flag_spec, $1)="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive'
+    else
+      _LT_AC_TAGVAR(whole_archive_flag_spec, $1)=
+    fi
+  else
+    with_gnu_ld=no
+    wlarc=
+
+    # A generic and very simple default shared library creation
+    # command for GNU C++ for the case where it uses the native
+    # linker, instead of GNU ld.  If possible, this setting should
+    # overridden to take advantage of the native linker features on
+    # the platform it is being used on.
+    _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $lib'
+  fi
+
+  # Commands to make compiler produce verbose output that lists
+  # what "hidden" libraries, object files and flags are used when
+  # linking a shared library.
+  output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "\-L"'
+
+else
+  GXX=no
+  with_gnu_ld=no
+  wlarc=
+fi
+
+# PORTME: fill in a description of your system's C++ link characteristics
+AC_MSG_CHECKING([whether the $compiler linker ($LD) supports shared libraries])
+_LT_AC_TAGVAR(ld_shlibs, $1)=yes
+case $host_os in
+  aix3*)
+    # FIXME: insert proper C++ library support
+    _LT_AC_TAGVAR(ld_shlibs, $1)=no
+    ;;
+  aix[[4-9]]*)
+    if test "$host_cpu" = ia64; then
+      # On IA64, the linker does run time linking by default, so we don't
+      # have to do anything special.
+      aix_use_runtimelinking=no
+      exp_sym_flag='-Bexport'
+      no_entry_flag=""
+    else
+      aix_use_runtimelinking=no
+
+      # Test if we are trying to use run time linking or normal
+      # AIX style linking. If -brtl is somewhere in LDFLAGS, we
+      # need to do runtime linking.
+      case $host_os in aix4.[[23]]|aix4.[[23]].*|aix[[5-9]]*)
+	for ld_flag in $LDFLAGS; do
+	  case $ld_flag in
+	  *-brtl*)
+	    aix_use_runtimelinking=yes
+	    break
+	    ;;
+	  esac
+	done
+	;;
+      esac
+
+      exp_sym_flag='-bexport'
+      no_entry_flag='-bnoentry'
+    fi
+
+    # When large executables or shared objects are built, AIX ld can
+    # have problems creating the table of contents.  If linking a library
+    # or program results in "error TOC overflow" add -mminimal-toc to
+    # CXXFLAGS/CFLAGS for g++/gcc.  In the cases where that is not
+    # enough to fix the problem, add -Wl,-bbigtoc to LDFLAGS.
+
+    _LT_AC_TAGVAR(archive_cmds, $1)=''
+    _LT_AC_TAGVAR(hardcode_direct, $1)=yes
+    _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=':'
+    _LT_AC_TAGVAR(link_all_deplibs, $1)=yes
+
+    if test "$GXX" = yes; then
+      case $host_os in aix4.[[012]]|aix4.[[012]].*)
+      # We only want to do this on AIX 4.2 and lower, the check
+      # below for broken collect2 doesn't work under 4.3+
+	collect2name=`${CC} -print-prog-name=collect2`
+	if test -f "$collect2name" && \
+	   strings "$collect2name" | grep resolve_lib_name >/dev/null
+	then
+	  # We have reworked collect2
+	  :
+	else
+	  # We have old collect2
+	  _LT_AC_TAGVAR(hardcode_direct, $1)=unsupported
+	  # It fails to find uninstalled libraries when the uninstalled
+	  # path is not listed in the libpath.  Setting hardcode_minus_L
+	  # to unsupported forces relinking
+	  _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes
+	  _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
+	  _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=
+	fi
+	;;
+      esac
+      shared_flag='-shared'
+      if test "$aix_use_runtimelinking" = yes; then
+	shared_flag="$shared_flag "'${wl}-G'
+      fi
+    else
+      # not using gcc
+      if test "$host_cpu" = ia64; then
+	# VisualAge C++, Version 5.5 for AIX 5L for IA-64, Beta 3 Release
+	# chokes on -Wl,-G. The following line is correct:
+	shared_flag='-G'
+      else
+	if test "$aix_use_runtimelinking" = yes; then
+	  shared_flag='${wl}-G'
+	else
+	  shared_flag='${wl}-bM:SRE'
+	fi
+      fi
+    fi
+
+    # It seems that -bexpall does not export symbols beginning with
+    # underscore (_), so it is better to generate a list of symbols to export.
+    _LT_AC_TAGVAR(always_export_symbols, $1)=yes
+    if test "$aix_use_runtimelinking" = yes; then
+      # Warning - without using the other runtime loading flags (-brtl),
+      # -berok will link without error, but may produce a broken library.
+      _LT_AC_TAGVAR(allow_undefined_flag, $1)='-berok'
+      # Determine the default libpath from the value encoded in an empty executable.
+      _LT_AC_SYS_LIBPATH_AIX
+      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-blibpath:$libdir:'"$aix_libpath"
+
+      _LT_AC_TAGVAR(archive_expsym_cmds, $1)="\$CC"' -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then echo "${wl}${allow_undefined_flag}"; else :; fi` '"\${wl}$exp_sym_flag:\$export_symbols $shared_flag"
+     else
+      if test "$host_cpu" = ia64; then
+	_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-R $libdir:/usr/lib:/lib'
+	_LT_AC_TAGVAR(allow_undefined_flag, $1)="-z nodefs"
+	_LT_AC_TAGVAR(archive_expsym_cmds, $1)="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags ${wl}${allow_undefined_flag} '"\${wl}$exp_sym_flag:\$export_symbols"
+      else
+	# Determine the default libpath from the value encoded in an empty executable.
+	_LT_AC_SYS_LIBPATH_AIX
+	_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-blibpath:$libdir:'"$aix_libpath"
+	# Warning - without using the other run time loading flags,
+	# -berok will link without error, but may produce a broken library.
+	_LT_AC_TAGVAR(no_undefined_flag, $1)=' ${wl}-bernotok'
+	_LT_AC_TAGVAR(allow_undefined_flag, $1)=' ${wl}-berok'
+	# Exported symbols can be pulled into shared objects from archives
+	_LT_AC_TAGVAR(whole_archive_flag_spec, $1)='$convenience'
+	_LT_AC_TAGVAR(archive_cmds_need_lc, $1)=yes
+	# This is similar to how AIX traditionally builds its shared libraries.
+	_LT_AC_TAGVAR(archive_expsym_cmds, $1)="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs ${wl}-bnoentry $compiler_flags ${wl}-bE:$export_symbols${allow_undefined_flag}~$AR $AR_FLAGS $output_objdir/$libname$release.a $output_objdir/$soname'
+      fi
+    fi
+    ;;
+
+  beos*)
+    if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
+      _LT_AC_TAGVAR(allow_undefined_flag, $1)=unsupported
+      # Joseph Beckenbach <jrb3@best.com> says some releases of gcc
+      # support --undefined.  This deserves some investigation.  FIXME
+      _LT_AC_TAGVAR(archive_cmds, $1)='$CC -nostart $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+    else
+      _LT_AC_TAGVAR(ld_shlibs, $1)=no
+    fi
+    ;;
+
+  chorus*)
+    case $cc_basename in
+      *)
+	# FIXME: insert proper C++ library support
+	_LT_AC_TAGVAR(ld_shlibs, $1)=no
+	;;
+    esac
+    ;;
+
+  cygwin* | mingw* | pw32*)
+    # _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1) is actually meaningless,
+    # as there is no search path for DLLs.
+    _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
+    _LT_AC_TAGVAR(allow_undefined_flag, $1)=unsupported
+    _LT_AC_TAGVAR(always_export_symbols, $1)=no
+    _LT_AC_TAGVAR(enable_shared_with_static_runtimes, $1)=yes
+
+    if $LD --help 2>&1 | grep 'auto-import' > /dev/null; then
+      _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
+      # If the export-symbols file already is a .def file (1st line
+      # is EXPORTS), use it as is; otherwise, prepend...
+      _LT_AC_TAGVAR(archive_expsym_cmds, $1)='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then
+	cp $export_symbols $output_objdir/$soname.def;
+      else
+	echo EXPORTS > $output_objdir/$soname.def;
+	cat $export_symbols >> $output_objdir/$soname.def;
+      fi~
+      $CC -shared -nostdlib $output_objdir/$soname.def $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
+    else
+      _LT_AC_TAGVAR(ld_shlibs, $1)=no
+    fi
+  ;;
+      darwin* | rhapsody*)
+      _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
+      _LT_AC_TAGVAR(hardcode_direct, $1)=no
+      _LT_AC_TAGVAR(hardcode_automatic, $1)=yes
+      _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=unsupported
+      _LT_AC_TAGVAR(whole_archive_flag_spec, $1)=''
+      _LT_AC_TAGVAR(link_all_deplibs, $1)=yes
+      _LT_AC_TAGVAR(allow_undefined_flag, $1)="$_lt_dar_allow_undefined"
+      if test "$GXX" = yes ; then
+      output_verbose_link_cmd='echo'
+      _LT_AC_TAGVAR(archive_cmds, $1)="\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$libobjs \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring $_lt_dar_single_mod${_lt_dsymutil}"
+      _LT_AC_TAGVAR(module_cmds, $1)="\$CC \$allow_undefined_flag -o \$lib -bundle \$libobjs \$deplibs \$compiler_flags${_lt_dsymutil}"
+      _LT_AC_TAGVAR(archive_expsym_cmds, $1)="sed 's,^,_,' < \$export_symbols > \$output_objdir/\${libname}-symbols.expsym~\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$libobjs \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring ${_lt_dar_single_mod}${_lt_dar_export_syms}${_lt_dsymutil}"
+      _LT_AC_TAGVAR(module_expsym_cmds, $1)="sed -e 's,^,_,' < \$export_symbols > \$output_objdir/\${libname}-symbols.expsym~\$CC \$allow_undefined_flag -o \$lib -bundle \$libobjs \$deplibs \$compiler_flags${_lt_dar_export_syms}${_lt_dsymutil}"
+      if test "$lt_cv_apple_cc_single_mod" != "yes"; then
+        _LT_AC_TAGVAR(archive_cmds, $1)="\$CC -r -keep_private_externs -nostdlib -o \${lib}-master.o \$libobjs~\$CC -dynamiclib \$allow_undefined_flag -o \$lib \${lib}-master.o \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring${_lt_dsymutil}"
+        _LT_AC_TAGVAR(archive_expsym_cmds, $1)="sed 's,^,_,' < \$export_symbols > \$output_objdir/\${libname}-symbols.expsym~\$CC -r -keep_private_externs -nostdlib -o \${lib}-master.o \$libobjs~\$CC -dynamiclib \$allow_undefined_flag -o \$lib \${lib}-master.o \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring${_lt_dar_export_syms}${_lt_dsymutil}"
+      fi
+      else
+      case $cc_basename in
+        xlc*)
+         output_verbose_link_cmd='echo'
+          _LT_AC_TAGVAR(archive_cmds, $1)='$CC -qmkshrobj ${wl}-single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}`echo $rpath/$soname` $xlcverstring'
+          _LT_AC_TAGVAR(module_cmds, $1)='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
+          # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin lds
+          _LT_AC_TAGVAR(archive_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -qmkshrobj ${wl}-single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}$rpath/$soname $xlcverstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+          _LT_AC_TAGVAR(module_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag  -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+          ;;
+       *)
+         _LT_AC_TAGVAR(ld_shlibs, $1)=no
+          ;;
+      esac
+      fi
+        ;;
+
+  dgux*)
+    case $cc_basename in
+      ec++*)
+	# FIXME: insert proper C++ library support
+	_LT_AC_TAGVAR(ld_shlibs, $1)=no
+	;;
+      ghcx*)
+	# Green Hills C++ Compiler
+	# FIXME: insert proper C++ library support
+	_LT_AC_TAGVAR(ld_shlibs, $1)=no
+	;;
+      *)
+	# FIXME: insert proper C++ library support
+	_LT_AC_TAGVAR(ld_shlibs, $1)=no
+	;;
+    esac
+    ;;
+  freebsd[[12]]*)
+    # C++ shared libraries reported to be fairly broken before switch to ELF
+    _LT_AC_TAGVAR(ld_shlibs, $1)=no
+    ;;
+  freebsd-elf*)
+    _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
+    ;;
+  freebsd* | dragonfly*)
+    # FreeBSD 3 and later use GNU C++ and GNU ld with standard ELF
+    # conventions
+    _LT_AC_TAGVAR(ld_shlibs, $1)=yes
+    ;;
+  gnu*)
+    ;;
+  hpux9*)
+    _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir'
+    _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
+    _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
+    _LT_AC_TAGVAR(hardcode_direct, $1)=yes
+    _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes # Not in the search PATH,
+				# but as the default
+				# location of the library.
+
+    case $cc_basename in
+    CC*)
+      # FIXME: insert proper C++ library support
+      _LT_AC_TAGVAR(ld_shlibs, $1)=no
+      ;;
+    aCC*)
+      _LT_AC_TAGVAR(archive_cmds, $1)='$rm $output_objdir/$soname~$CC -b ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
+      # Commands to make compiler produce verbose output that lists
+      # what "hidden" libraries, object files and flags are used when
+      # linking a shared library.
+      #
+      # There doesn't appear to be a way to prevent this compiler from
+      # explicitly linking system object files so we need to strip them
+      # from the output so that they don't get included in the library
+      # dependencies.
+      output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | grep "[[-]]L"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
+      ;;
+    *)
+      if test "$GXX" = yes; then
+        _LT_AC_TAGVAR(archive_cmds, $1)='$rm $output_objdir/$soname~$CC -shared -nostdlib -fPIC ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
+      else
+        # FIXME: insert proper C++ library support
+        _LT_AC_TAGVAR(ld_shlibs, $1)=no
+      fi
+      ;;
+    esac
+    ;;
+  hpux10*|hpux11*)
+    if test $with_gnu_ld = no; then
+      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir'
+      _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
+
+      case $host_cpu in
+      hppa*64*|ia64*) ;;
+      *)
+	_LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
+        ;;
+      esac
+    fi
+    case $host_cpu in
+    hppa*64*|ia64*)
+      _LT_AC_TAGVAR(hardcode_direct, $1)=no
+      _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+      ;;
+    *)
+      _LT_AC_TAGVAR(hardcode_direct, $1)=yes
+      _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes # Not in the search PATH,
+					      # but as the default
+					      # location of the library.
+      ;;
+    esac
+
+    case $cc_basename in
+      CC*)
+	# FIXME: insert proper C++ library support
+	_LT_AC_TAGVAR(ld_shlibs, $1)=no
+	;;
+      aCC*)
+	case $host_cpu in
+	hppa*64*)
+	  _LT_AC_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
+	  ;;
+	ia64*)
+	  _LT_AC_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
+	  ;;
+	*)
+	  _LT_AC_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
+	  ;;
+	esac
+	# Commands to make compiler produce verbose output that lists
+	# what "hidden" libraries, object files and flags are used when
+	# linking a shared library.
+	#
+	# There doesn't appear to be a way to prevent this compiler from
+	# explicitly linking system object files so we need to strip them
+	# from the output so that they don't get included in the library
+	# dependencies.
+	output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | grep "\-L"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
+	;;
+      *)
+	if test "$GXX" = yes; then
+	  if test $with_gnu_ld = no; then
+	    case $host_cpu in
+	    hppa*64*)
+	      _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib -fPIC ${wl}+h ${wl}$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
+	      ;;
+	    ia64*)
+	      _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib -fPIC ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
+	      ;;
+	    *)
+	      _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
+	      ;;
+	    esac
+	  fi
+	else
+	  # FIXME: insert proper C++ library support
+	  _LT_AC_TAGVAR(ld_shlibs, $1)=no
+	fi
+	;;
+    esac
+    ;;
+  interix[[3-9]]*)
+    _LT_AC_TAGVAR(hardcode_direct, $1)=no
+    _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+    _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
+    _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
+    # Hack: On Interix 3.x, we cannot compile PIC because of a broken gcc.
+    # Instead, shared libraries are loaded at an image base (0x10000000 by
+    # default) and relocated if they conflict, which is a slow very memory
+    # consuming and fragmenting process.  To avoid this, we pick a random,
+    # 256 KiB-aligned image base between 0x50000000 and 0x6FFC0000 at link
+    # time.  Moving up from 0x10000000 also allows more sbrk(2) space.
+    _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
+    _LT_AC_TAGVAR(archive_expsym_cmds, $1)='sed "s,^,_," $export_symbols >$output_objdir/$soname.expsym~$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--retain-symbols-file,$output_objdir/$soname.expsym ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
+    ;;
+  irix5* | irix6*)
+    case $cc_basename in
+      CC*)
+	# SGI C++
+	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -all -multigot $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
+
+	# Archives containing C++ object files must be created using
+	# "CC -ar", where "CC" is the IRIX C++ compiler.  This is
+	# necessary to make sure instantiated templates are included
+	# in the archive.
+	_LT_AC_TAGVAR(old_archive_cmds, $1)='$CC -ar -WR,-u -o $oldlib $oldobjs'
+	;;
+      *)
+	if test "$GXX" = yes; then
+	  if test "$with_gnu_ld" = no; then
+	    _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+	  else
+	    _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` -o $lib'
+	  fi
+	fi
+	_LT_AC_TAGVAR(link_all_deplibs, $1)=yes
+	;;
+    esac
+    _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
+    _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
+    ;;
+  linux* | k*bsd*-gnu)
+    case $cc_basename in
+      KCC*)
+	# Kuck and Associates, Inc. (KAI) C++ Compiler
+
+	# KCC will only create a shared library if the output file
+	# ends with ".so" (or ".sl" for HP-UX), so rename the library
+	# to its proper name (with version) after linking.
+	_LT_AC_TAGVAR(archive_cmds, $1)='tempext=`echo $shared_ext | $SED -e '\''s/\([[^()0-9A-Za-z{}]]\)/\\\\\1/g'\''`; templib=`echo $lib | $SED -e "s/\${tempext}\..*/.so/"`; $CC $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags --soname $soname -o \$templib; mv \$templib $lib'
+	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='tempext=`echo $shared_ext | $SED -e '\''s/\([[^()0-9A-Za-z{}]]\)/\\\\\1/g'\''`; templib=`echo $lib | $SED -e "s/\${tempext}\..*/.so/"`; $CC $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags --soname $soname -o \$templib ${wl}-retain-symbols-file,$export_symbols; mv \$templib $lib'
+	# Commands to make compiler produce verbose output that lists
+	# what "hidden" libraries, object files and flags are used when
+	# linking a shared library.
+	#
+	# There doesn't appear to be a way to prevent this compiler from
+	# explicitly linking system object files so we need to strip them
+	# from the output so that they don't get included in the library
+	# dependencies.
+	output_verbose_link_cmd='templist=`$CC $CFLAGS -v conftest.$objext -o libconftest$shared_ext 2>&1 | grep "ld"`; rm -f libconftest$shared_ext; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
+
+	_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}--rpath,$libdir'
+	_LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic'
+
+	# Archives containing C++ object files must be created using
+	# "CC -Bstatic", where "CC" is the KAI C++ compiler.
+	_LT_AC_TAGVAR(old_archive_cmds, $1)='$CC -Bstatic -o $oldlib $oldobjs'
+	;;
+      icpc*)
+	# Intel C++
+	with_gnu_ld=yes
+	# version 8.0 and above of icpc choke on multiply defined symbols
+	# if we add $predep_objects and $postdep_objects, however 7.1 and
+	# earlier do not add the objects themselves.
+	case `$CC -V 2>&1` in
+	*"Version 7."*)
+  	  _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib'
+  	  _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+	  ;;
+	*)  # Version 8.0 or newer
+	  tmp_idyn=
+	  case $host_cpu in
+	    ia64*) tmp_idyn=' -i_dynamic';;
+	  esac
+  	  _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared'"$tmp_idyn"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+	  _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared'"$tmp_idyn"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+	  ;;
+	esac
+	_LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
+	_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
+	_LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic'
+	_LT_AC_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive$convenience ${wl}--no-whole-archive'
+	;;
+      pgCC* | pgcpp*)
+        # Portland Group C++ compiler
+	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
+  	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname ${wl}-retain-symbols-file ${wl}$export_symbols -o $lib'
+
+	_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}--rpath ${wl}$libdir'
+	_LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic'
+	_LT_AC_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}--no-whole-archive'
+        ;;
+      cxx*)
+	# Compaq C++
+	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib'
+	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname  -o $lib ${wl}-retain-symbols-file $wl$export_symbols'
+
+	runpath_var=LD_RUN_PATH
+	_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-rpath $libdir'
+	_LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
+
+	# Commands to make compiler produce verbose output that lists
+	# what "hidden" libraries, object files and flags are used when
+	# linking a shared library.
+	#
+	# There doesn't appear to be a way to prevent this compiler from
+	# explicitly linking system object files so we need to strip them
+	# from the output so that they don't get included in the library
+	# dependencies.
+	output_verbose_link_cmd='templist=`$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "ld"`; templist=`echo $templist | $SED "s/\(^.*ld.*\)\( .*ld .*$\)/\1/"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
+	;;
+      *)
+	case `$CC -V 2>&1 | sed 5q` in
+	*Sun\ C*)
+	  # Sun C++ 5.9
+	  _LT_AC_TAGVAR(no_undefined_flag, $1)=' -zdefs'
+	  _LT_AC_TAGVAR(archive_cmds, $1)='$CC -G${allow_undefined_flag} -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
+	  _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -G${allow_undefined_flag} -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-retain-symbols-file ${wl}$export_symbols'
+	  _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
+	  _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`new_convenience=; for conv in $convenience\"\"; do test -z \"$conv\" || new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}--no-whole-archive'
+
+	  # Not sure whether something based on
+	  # $CC $CFLAGS -v conftest.$objext -o libconftest$shared_ext 2>&1
+	  # would be better.
+	  output_verbose_link_cmd='echo'
+
+	  # Archives containing C++ object files must be created using
+	  # "CC -xar", where "CC" is the Sun C++ compiler.  This is
+	  # necessary to make sure instantiated templates are included
+	  # in the archive.
+	  _LT_AC_TAGVAR(old_archive_cmds, $1)='$CC -xar -o $oldlib $oldobjs'
+	  ;;
+	esac
+	;;
+    esac
+    ;;
+  lynxos*)
+    # FIXME: insert proper C++ library support
+    _LT_AC_TAGVAR(ld_shlibs, $1)=no
+    ;;
+  m88k*)
+    # FIXME: insert proper C++ library support
+    _LT_AC_TAGVAR(ld_shlibs, $1)=no
+    ;;
+  mvs*)
+    case $cc_basename in
+      cxx*)
+	# FIXME: insert proper C++ library support
+	_LT_AC_TAGVAR(ld_shlibs, $1)=no
+	;;
+      *)
+	# FIXME: insert proper C++ library support
+	_LT_AC_TAGVAR(ld_shlibs, $1)=no
+	;;
+    esac
+    ;;
+  netbsd* | netbsdelf*-gnu)
+    if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
+      _LT_AC_TAGVAR(archive_cmds, $1)='$LD -Bshareable  -o $lib $predep_objects $libobjs $deplibs $postdep_objects $linker_flags'
+      wlarc=
+      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
+      _LT_AC_TAGVAR(hardcode_direct, $1)=yes
+      _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+    fi
+    # Workaround some broken pre-1.5 toolchains
+    output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep conftest.$objext | $SED -e "s:-lgcc -lc -lgcc::"'
+    ;;
+  openbsd2*)
+    # C++ shared libraries are fairly broken
+    _LT_AC_TAGVAR(ld_shlibs, $1)=no
+    ;;
+  openbsd*)
+    if test -f /usr/libexec/ld.so; then
+      _LT_AC_TAGVAR(hardcode_direct, $1)=yes
+      _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+      _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $lib'
+      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
+      if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
+	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-retain-symbols-file,$export_symbols -o $lib'
+	_LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
+	_LT_AC_TAGVAR(whole_archive_flag_spec, $1)="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive'
+      fi
+      output_verbose_link_cmd='echo'
+    else
+      _LT_AC_TAGVAR(ld_shlibs, $1)=no
+    fi
+    ;;
+  osf3*)
+    case $cc_basename in
+      KCC*)
+	# Kuck and Associates, Inc. (KAI) C++ Compiler
+
+	# KCC will only create a shared library if the output file
+	# ends with ".so" (or ".sl" for HP-UX), so rename the library
+	# to its proper name (with version) after linking.
+	_LT_AC_TAGVAR(archive_cmds, $1)='tempext=`echo $shared_ext | $SED -e '\''s/\([[^()0-9A-Za-z{}]]\)/\\\\\1/g'\''`; templib=`echo $lib | $SED -e "s/\${tempext}\..*/.so/"`; $CC $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags --soname $soname -o \$templib; mv \$templib $lib'
+
+	_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
+	_LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
+
+	# Archives containing C++ object files must be created using
+	# "CC -Bstatic", where "CC" is the KAI C++ compiler.
+	_LT_AC_TAGVAR(old_archive_cmds, $1)='$CC -Bstatic -o $oldlib $oldobjs'
+
+	;;
+      RCC*)
+	# Rational C++ 2.4.1
+	# FIXME: insert proper C++ library support
+	_LT_AC_TAGVAR(ld_shlibs, $1)=no
+	;;
+      cxx*)
+	_LT_AC_TAGVAR(allow_undefined_flag, $1)=' ${wl}-expect_unresolved ${wl}\*'
+	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $soname `test -n "$verstring" && echo ${wl}-set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
+
+	_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
+	_LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
+
+	# Commands to make compiler produce verbose output that lists
+	# what "hidden" libraries, object files and flags are used when
+	# linking a shared library.
+	#
+	# There doesn't appear to be a way to prevent this compiler from
+	# explicitly linking system object files so we need to strip them
+	# from the output so that they don't get included in the library
+	# dependencies.
+	output_verbose_link_cmd='templist=`$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "ld" | grep -v "ld:"`; templist=`echo $templist | $SED "s/\(^.*ld.*\)\( .*ld.*$\)/\1/"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
+	;;
+      *)
+	if test "$GXX" = yes && test "$with_gnu_ld" = no; then
+	  _LT_AC_TAGVAR(allow_undefined_flag, $1)=' ${wl}-expect_unresolved ${wl}\*'
+	  _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib ${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+
+	  _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
+	  _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
+
+	  # Commands to make compiler produce verbose output that lists
+	  # what "hidden" libraries, object files and flags are used when
+	  # linking a shared library.
+	  output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "\-L"'
+
+	else
+	  # FIXME: insert proper C++ library support
+	  _LT_AC_TAGVAR(ld_shlibs, $1)=no
+	fi
+	;;
+    esac
+    ;;
+  osf4* | osf5*)
+    case $cc_basename in
+      KCC*)
+	# Kuck and Associates, Inc. (KAI) C++ Compiler
+
+	# KCC will only create a shared library if the output file
+	# ends with ".so" (or ".sl" for HP-UX), so rename the library
+	# to its proper name (with version) after linking.
+	_LT_AC_TAGVAR(archive_cmds, $1)='tempext=`echo $shared_ext | $SED -e '\''s/\([[^()0-9A-Za-z{}]]\)/\\\\\1/g'\''`; templib=`echo $lib | $SED -e "s/\${tempext}\..*/.so/"`; $CC $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags --soname $soname -o \$templib; mv \$templib $lib'
+
+	_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
+	_LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
+
+	# Archives containing C++ object files must be created using
+	# the KAI C++ compiler.
+	_LT_AC_TAGVAR(old_archive_cmds, $1)='$CC -o $oldlib $oldobjs'
+	;;
+      RCC*)
+	# Rational C++ 2.4.1
+	# FIXME: insert proper C++ library support
+	_LT_AC_TAGVAR(ld_shlibs, $1)=no
+	;;
+      cxx*)
+	_LT_AC_TAGVAR(allow_undefined_flag, $1)=' -expect_unresolved \*'
+	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -msym -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
+	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='for i in `cat $export_symbols`; do printf "%s %s\\n" -exported_symbol "\$i" >> $lib.exp; done~
+	  echo "-hidden">> $lib.exp~
+	  $CC -shared$allow_undefined_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -msym -soname $soname -Wl,-input -Wl,$lib.exp  `test -n "$verstring" && echo -set_version	$verstring` -update_registry ${output_objdir}/so_locations -o $lib~
+	  $rm $lib.exp'
+
+	_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-rpath $libdir'
+	_LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
+
+	# Commands to make compiler produce verbose output that lists
+	# what "hidden" libraries, object files and flags are used when
+	# linking a shared library.
+	#
+	# There doesn't appear to be a way to prevent this compiler from
+	# explicitly linking system object files so we need to strip them
+	# from the output so that they don't get included in the library
+	# dependencies.
+	output_verbose_link_cmd='templist=`$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "ld" | grep -v "ld:"`; templist=`echo $templist | $SED "s/\(^.*ld.*\)\( .*ld.*$\)/\1/"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
+	;;
+      *)
+	if test "$GXX" = yes && test "$with_gnu_ld" = no; then
+	  _LT_AC_TAGVAR(allow_undefined_flag, $1)=' ${wl}-expect_unresolved ${wl}\*'
+	 _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib ${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-msym ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+
+	  _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
+	  _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
+
+	  # Commands to make compiler produce verbose output that lists
+	  # what "hidden" libraries, object files and flags are used when
+	  # linking a shared library.
+	  output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "\-L"'
+
+	else
+	  # FIXME: insert proper C++ library support
+	  _LT_AC_TAGVAR(ld_shlibs, $1)=no
+	fi
+	;;
+    esac
+    ;;
+  psos*)
+    # FIXME: insert proper C++ library support
+    _LT_AC_TAGVAR(ld_shlibs, $1)=no
+    ;;
+  sunos4*)
+    case $cc_basename in
+      CC*)
+	# Sun C++ 4.x
+	# FIXME: insert proper C++ library support
+	_LT_AC_TAGVAR(ld_shlibs, $1)=no
+	;;
+      lcc*)
+	# Lucid
+	# FIXME: insert proper C++ library support
+	_LT_AC_TAGVAR(ld_shlibs, $1)=no
+	;;
+      *)
+	# FIXME: insert proper C++ library support
+	_LT_AC_TAGVAR(ld_shlibs, $1)=no
+	;;
+    esac
+    ;;
+  solaris*)
+    case $cc_basename in
+      CC*)
+	# Sun C++ 4.2, 5.x and Centerline C++
+        _LT_AC_TAGVAR(archive_cmds_need_lc,$1)=yes
+	_LT_AC_TAGVAR(no_undefined_flag, $1)=' -zdefs'
+	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -G${allow_undefined_flag}  -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
+	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
+	$CC -G${allow_undefined_flag}  ${wl}-M ${wl}$lib.exp -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~$rm $lib.exp'
+
+	_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
+	_LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+	case $host_os in
+	  solaris2.[[0-5]] | solaris2.[[0-5]].*) ;;
+	  *)
+	    # The compiler driver will combine and reorder linker options,
+	    # but understands `-z linker_flag'.
+	    # Supported since Solaris 2.6 (maybe 2.5.1?)
+	    _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='-z allextract$convenience -z defaultextract'
+	    ;;
+	esac
+	_LT_AC_TAGVAR(link_all_deplibs, $1)=yes
+
+	output_verbose_link_cmd='echo'
+
+	# Archives containing C++ object files must be created using
+	# "CC -xar", where "CC" is the Sun C++ compiler.  This is
+	# necessary to make sure instantiated templates are included
+	# in the archive.
+	_LT_AC_TAGVAR(old_archive_cmds, $1)='$CC -xar -o $oldlib $oldobjs'
+	;;
+      gcx*)
+	# Green Hills C++ Compiler
+	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-h $wl$soname -o $lib'
+
+	# The C++ compiler must be used to create the archive.
+	_LT_AC_TAGVAR(old_archive_cmds, $1)='$CC $LDFLAGS -archive -o $oldlib $oldobjs'
+	;;
+      *)
+	# GNU C++ compiler with Solaris linker
+	if test "$GXX" = yes && test "$with_gnu_ld" = no; then
+	  _LT_AC_TAGVAR(no_undefined_flag, $1)=' ${wl}-z ${wl}defs'
+	  if $CC --version | grep -v '^2\.7' > /dev/null; then
+	    _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $LDFLAGS $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-h $wl$soname -o $lib'
+	    _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
+		$CC -shared -nostdlib ${wl}-M $wl$lib.exp -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~$rm $lib.exp'
+
+	    # Commands to make compiler produce verbose output that lists
+	    # what "hidden" libraries, object files and flags are used when
+	    # linking a shared library.
+	    output_verbose_link_cmd="$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep \"\-L\""
+	  else
+	    # g++ 2.7 appears to require `-G' NOT `-shared' on this
+	    # platform.
+	    _LT_AC_TAGVAR(archive_cmds, $1)='$CC -G -nostdlib $LDFLAGS $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-h $wl$soname -o $lib'
+	    _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
+		$CC -G -nostdlib ${wl}-M $wl$lib.exp -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~$rm $lib.exp'
+
+	    # Commands to make compiler produce verbose output that lists
+	    # what "hidden" libraries, object files and flags are used when
+	    # linking a shared library.
+	    output_verbose_link_cmd="$CC -G $CFLAGS -v conftest.$objext 2>&1 | grep \"\-L\""
+	  fi
+
+	  _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-R $wl$libdir'
+	  case $host_os in
+	  solaris2.[[0-5]] | solaris2.[[0-5]].*) ;;
+	  *)
+	    _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='${wl}-z ${wl}allextract$convenience ${wl}-z ${wl}defaultextract'
+	    ;;
+	  esac
+	fi
+	;;
+    esac
+    ;;
+  sysv4*uw2* | sysv5OpenUNIX* | sysv5UnixWare7.[[01]].[[10]]* | unixware7* | sco3.2v5.0.[[024]]*)
+    _LT_AC_TAGVAR(no_undefined_flag, $1)='${wl}-z,text'
+    _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
+    _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+    runpath_var='LD_RUN_PATH'
+
+    case $cc_basename in
+      CC*)
+	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -G ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+	;;
+      *)
+	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+	;;
+    esac
+    ;;
+  sysv5* | sco3.2v5* | sco5v6*)
+    # Note: We can NOT use -z defs as we might desire, because we do not
+    # link with -lc, and that would cause any symbols used from libc to
+    # always be unresolved, which means just about no library would
+    # ever link correctly.  If we're not using GNU ld we use -z text
+    # though, which does catch some bad symbols but isn't as heavy-handed
+    # as -z defs.
+    # For security reasons, it is highly recommended that you always
+    # use absolute paths for naming shared libraries, and exclude the
+    # DT_RUNPATH tag from executables and libraries.  But doing so
+    # requires that you compile everything twice, which is a pain.
+    # So that behaviour is only enabled if SCOABSPATH is set to a
+    # non-empty value in the environment.  Most likely only useful for
+    # creating official distributions of packages.
+    # This is a hack until libtool officially supports absolute path
+    # names for shared libraries.
+    _LT_AC_TAGVAR(no_undefined_flag, $1)='${wl}-z,text'
+    _LT_AC_TAGVAR(allow_undefined_flag, $1)='${wl}-z,nodefs'
+    _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
+    _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+    _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='`test -z "$SCOABSPATH" && echo ${wl}-R,$libdir`'
+    _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=':'
+    _LT_AC_TAGVAR(link_all_deplibs, $1)=yes
+    _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-Bexport'
+    runpath_var='LD_RUN_PATH'
+
+    case $cc_basename in
+      CC*)
+	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -G ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
+	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
+	;;
+      *)
+	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
+	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
+	;;
+    esac
+    ;;
+  tandem*)
+    case $cc_basename in
+      NCC*)
+	# NonStop-UX NCC 3.20
+	# FIXME: insert proper C++ library support
+	_LT_AC_TAGVAR(ld_shlibs, $1)=no
+	;;
+      *)
+	# FIXME: insert proper C++ library support
+	_LT_AC_TAGVAR(ld_shlibs, $1)=no
+	;;
+    esac
+    ;;
+  vxworks*)
+    # FIXME: insert proper C++ library support
+    _LT_AC_TAGVAR(ld_shlibs, $1)=no
+    ;;
+  *)
+    # FIXME: insert proper C++ library support
+    _LT_AC_TAGVAR(ld_shlibs, $1)=no
+    ;;
+esac
+AC_MSG_RESULT([$_LT_AC_TAGVAR(ld_shlibs, $1)])
+test "$_LT_AC_TAGVAR(ld_shlibs, $1)" = no && can_build_shared=no
+
+_LT_AC_TAGVAR(GCC, $1)="$GXX"
+_LT_AC_TAGVAR(LD, $1)="$LD"
+
+AC_LIBTOOL_POSTDEP_PREDEP($1)
+AC_LIBTOOL_PROG_COMPILER_PIC($1)
+AC_LIBTOOL_PROG_CC_C_O($1)
+AC_LIBTOOL_SYS_HARD_LINK_LOCKS($1)
+AC_LIBTOOL_PROG_LD_SHLIBS($1)
+AC_LIBTOOL_SYS_DYNAMIC_LINKER($1)
+AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH($1)
+
+AC_LIBTOOL_CONFIG($1)
+
+AC_LANG_POP
+CC=$lt_save_CC
+LDCXX=$LD
+LD=$lt_save_LD
+GCC=$lt_save_GCC
+with_gnu_ldcxx=$with_gnu_ld
+with_gnu_ld=$lt_save_with_gnu_ld
+lt_cv_path_LDCXX=$lt_cv_path_LD
+lt_cv_path_LD=$lt_save_path_LD
+lt_cv_prog_gnu_ldcxx=$lt_cv_prog_gnu_ld
+lt_cv_prog_gnu_ld=$lt_save_with_gnu_ld
+])# AC_LIBTOOL_LANG_CXX_CONFIG
+
+# AC_LIBTOOL_POSTDEP_PREDEP([TAGNAME])
+# ------------------------------------
+# Figure out "hidden" library dependencies from verbose
+# compiler output when linking a shared library.
+# Parse the compiler output and extract the necessary
+# objects, libraries and library flags.
+AC_DEFUN([AC_LIBTOOL_POSTDEP_PREDEP],
+[AC_REQUIRE([LT_AC_PROG_SED])dnl
+dnl we can't use the lt_simple_compile_test_code here,
+dnl because it contains code intended for an executable,
+dnl not a library.  It's possible we should let each
+dnl tag define a new lt_????_link_test_code variable,
+dnl but it's only used here...
+ifelse([$1],[],[cat > conftest.$ac_ext <<EOF
+int a;
+void foo (void) { a = 0; }
+EOF
+],[$1],[CXX],[cat > conftest.$ac_ext <<EOF
+class Foo
+{
+public:
+  Foo (void) { a = 0; }
+private:
+  int a;
+};
+EOF
+],[$1],[F77],[cat > conftest.$ac_ext <<EOF
+      subroutine foo
+      implicit none
+      integer*4 a
+      a=0
+      return
+      end
+EOF
+],[$1],[GCJ],[cat > conftest.$ac_ext <<EOF
+public class foo {
+  private int a;
+  public void bar (void) {
+    a = 0;
+  }
+};
+EOF
+])
+dnl Parse the compiler output and extract the necessary
+dnl objects, libraries and library flags.
+if AC_TRY_EVAL(ac_compile); then
+  # Parse the compiler output and extract the necessary
+  # objects, libraries and library flags.
+
+  # Sentinel used to keep track of whether or not we are before
+  # the conftest object file.
+  pre_test_object_deps_done=no
+
+  # The `*' in the case matches for architectures that use `case' in
+  # $output_verbose_cmd can trigger glob expansion during the loop
+  # eval without this substitution.
+  output_verbose_link_cmd=`$echo "X$output_verbose_link_cmd" | $Xsed -e "$no_glob_subst"`
+
+  for p in `eval $output_verbose_link_cmd`; do
+    case $p in
+
+    -L* | -R* | -l*)
+       # Some compilers place space between "-{L,R}" and the path.
+       # Remove the space.
+       if test $p = "-L" \
+	  || test $p = "-R"; then
+	 prev=$p
+	 continue
+       else
+	 prev=
+       fi
+
+       if test "$pre_test_object_deps_done" = no; then
+	 case $p in
+	 -L* | -R*)
+	   # Internal compiler library paths should come after those
+	   # provided the user.  The postdeps already come after the
+	   # user supplied libs so there is no need to process them.
+	   if test -z "$_LT_AC_TAGVAR(compiler_lib_search_path, $1)"; then
+	     _LT_AC_TAGVAR(compiler_lib_search_path, $1)="${prev}${p}"
+	   else
+	     _LT_AC_TAGVAR(compiler_lib_search_path, $1)="${_LT_AC_TAGVAR(compiler_lib_search_path, $1)} ${prev}${p}"
+	   fi
+	   ;;
+	 # The "-l" case would never come before the object being
+	 # linked, so don't bother handling this case.
+	 esac
+       else
+	 if test -z "$_LT_AC_TAGVAR(postdeps, $1)"; then
+	   _LT_AC_TAGVAR(postdeps, $1)="${prev}${p}"
+	 else
+	   _LT_AC_TAGVAR(postdeps, $1)="${_LT_AC_TAGVAR(postdeps, $1)} ${prev}${p}"
+	 fi
+       fi
+       ;;
+
+    *.$objext)
+       # This assumes that the test object file only shows up
+       # once in the compiler output.
+       if test "$p" = "conftest.$objext"; then
+	 pre_test_object_deps_done=yes
+	 continue
+       fi
+
+       if test "$pre_test_object_deps_done" = no; then
+	 if test -z "$_LT_AC_TAGVAR(predep_objects, $1)"; then
+	   _LT_AC_TAGVAR(predep_objects, $1)="$p"
+	 else
+	   _LT_AC_TAGVAR(predep_objects, $1)="$_LT_AC_TAGVAR(predep_objects, $1) $p"
+	 fi
+       else
+	 if test -z "$_LT_AC_TAGVAR(postdep_objects, $1)"; then
+	   _LT_AC_TAGVAR(postdep_objects, $1)="$p"
+	 else
+	   _LT_AC_TAGVAR(postdep_objects, $1)="$_LT_AC_TAGVAR(postdep_objects, $1) $p"
+	 fi
+       fi
+       ;;
+
+    *) ;; # Ignore the rest.
+
+    esac
+  done
+
+  # Clean up.
+  rm -f a.out a.exe
+else
+  echo "libtool.m4: error: problem compiling $1 test program"
+fi
+
+$rm -f confest.$objext
+
+_LT_AC_TAGVAR(compiler_lib_search_dirs, $1)=
+if test -n "$_LT_AC_TAGVAR(compiler_lib_search_path, $1)"; then
+  _LT_AC_TAGVAR(compiler_lib_search_dirs, $1)=`echo " ${_LT_AC_TAGVAR(compiler_lib_search_path, $1)}" | ${SED} -e 's! -L! !g' -e 's!^ !!'`
+fi
+
+# PORTME: override above test on systems where it is broken
+ifelse([$1],[CXX],
+[case $host_os in
+interix[[3-9]]*)
+  # Interix 3.5 installs completely hosed .la files for C++, so rather than
+  # hack all around it, let's just trust "g++" to DTRT.
+  _LT_AC_TAGVAR(predep_objects,$1)=
+  _LT_AC_TAGVAR(postdep_objects,$1)=
+  _LT_AC_TAGVAR(postdeps,$1)=
+  ;;
+
+linux*)
+  case `$CC -V 2>&1 | sed 5q` in
+  *Sun\ C*)
+    # Sun C++ 5.9
+    #
+    # The more standards-conforming stlport4 library is
+    # incompatible with the Cstd library. Avoid specifying
+    # it if it's in CXXFLAGS. Ignore libCrun as
+    # -library=stlport4 depends on it.
+    case " $CXX $CXXFLAGS " in
+    *" -library=stlport4 "*)
+      solaris_use_stlport4=yes
+      ;;
+    esac
+    if test "$solaris_use_stlport4" != yes; then
+      _LT_AC_TAGVAR(postdeps,$1)='-library=Cstd -library=Crun'
+    fi
+    ;;
+  esac
+  ;;
+
+solaris*)
+  case $cc_basename in
+  CC*)
+    # The more standards-conforming stlport4 library is
+    # incompatible with the Cstd library. Avoid specifying
+    # it if it's in CXXFLAGS. Ignore libCrun as
+    # -library=stlport4 depends on it.
+    case " $CXX $CXXFLAGS " in
+    *" -library=stlport4 "*)
+      solaris_use_stlport4=yes
+      ;;
+    esac
+
+    # Adding this requires a known-good setup of shared libraries for
+    # Sun compiler versions before 5.6, else PIC objects from an old
+    # archive will be linked into the output, leading to subtle bugs.
+    if test "$solaris_use_stlport4" != yes; then
+      _LT_AC_TAGVAR(postdeps,$1)='-library=Cstd -library=Crun'
+    fi
+    ;;
+  esac
+  ;;
+esac
+])
+case " $_LT_AC_TAGVAR(postdeps, $1) " in
+*" -lc "*) _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no ;;
+esac
+])# AC_LIBTOOL_POSTDEP_PREDEP
+
+# AC_LIBTOOL_LANG_F77_CONFIG
+# --------------------------
+# Ensure that the configuration vars for the C compiler are
+# suitably defined.  Those variables are subsequently used by
+# AC_LIBTOOL_CONFIG to write the compiler configuration to `libtool'.
+AC_DEFUN([AC_LIBTOOL_LANG_F77_CONFIG], [_LT_AC_LANG_F77_CONFIG(F77)])
+AC_DEFUN([_LT_AC_LANG_F77_CONFIG],
+[AC_REQUIRE([AC_PROG_F77])
+AC_LANG_PUSH(Fortran 77)
+
+_LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
+_LT_AC_TAGVAR(allow_undefined_flag, $1)=
+_LT_AC_TAGVAR(always_export_symbols, $1)=no
+_LT_AC_TAGVAR(archive_expsym_cmds, $1)=
+_LT_AC_TAGVAR(export_dynamic_flag_spec, $1)=
+_LT_AC_TAGVAR(hardcode_direct, $1)=no
+_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)=
+_LT_AC_TAGVAR(hardcode_libdir_flag_spec_ld, $1)=
+_LT_AC_TAGVAR(hardcode_libdir_separator, $1)=
+_LT_AC_TAGVAR(hardcode_minus_L, $1)=no
+_LT_AC_TAGVAR(hardcode_automatic, $1)=no
+_LT_AC_TAGVAR(module_cmds, $1)=
+_LT_AC_TAGVAR(module_expsym_cmds, $1)=
+_LT_AC_TAGVAR(link_all_deplibs, $1)=unknown
+_LT_AC_TAGVAR(old_archive_cmds, $1)=$old_archive_cmds
+_LT_AC_TAGVAR(no_undefined_flag, $1)=
+_LT_AC_TAGVAR(whole_archive_flag_spec, $1)=
+_LT_AC_TAGVAR(enable_shared_with_static_runtimes, $1)=no
+
+# Source file extension for f77 test sources.
+ac_ext=f
+
+# Object file extension for compiled f77 test sources.
+objext=o
+_LT_AC_TAGVAR(objext, $1)=$objext
+
+# Code to be used in simple compile tests
+lt_simple_compile_test_code="\
+      subroutine t
+      return
+      end
+"
+
+# Code to be used in simple link tests
+lt_simple_link_test_code="\
+      program t
+      end
+"
+
+# ltmain only uses $CC for tagged configurations so make sure $CC is set.
+_LT_AC_SYS_COMPILER
+
+# save warnings/boilerplate of simple test code
+_LT_COMPILER_BOILERPLATE
+_LT_LINKER_BOILERPLATE
+
+# Allow CC to be a program name with arguments.
+lt_save_CC="$CC"
+CC=${F77-"f77"}
+compiler=$CC
+_LT_AC_TAGVAR(compiler, $1)=$CC
+_LT_CC_BASENAME([$compiler])
+
+AC_MSG_CHECKING([if libtool supports shared libraries])
+AC_MSG_RESULT([$can_build_shared])
+
+AC_MSG_CHECKING([whether to build shared libraries])
+test "$can_build_shared" = "no" && enable_shared=no
+
+# On AIX, shared libraries and static libraries use the same namespace, and
+# are all built from PIC.
+case $host_os in
+aix3*)
+  test "$enable_shared" = yes && enable_static=no
+  if test -n "$RANLIB"; then
+    archive_cmds="$archive_cmds~\$RANLIB \$lib"
+    postinstall_cmds='$RANLIB $lib'
+  fi
+  ;;
+aix[[4-9]]*)
+  if test "$host_cpu" != ia64 && test "$aix_use_runtimelinking" = no ; then
+    test "$enable_shared" = yes && enable_static=no
+  fi
+  ;;
+esac
+AC_MSG_RESULT([$enable_shared])
+
+AC_MSG_CHECKING([whether to build static libraries])
+# Make sure either enable_shared or enable_static is yes.
+test "$enable_shared" = yes || enable_static=yes
+AC_MSG_RESULT([$enable_static])
+
+_LT_AC_TAGVAR(GCC, $1)="$G77"
+_LT_AC_TAGVAR(LD, $1)="$LD"
+
+AC_LIBTOOL_PROG_COMPILER_PIC($1)
+AC_LIBTOOL_PROG_CC_C_O($1)
+AC_LIBTOOL_SYS_HARD_LINK_LOCKS($1)
+AC_LIBTOOL_PROG_LD_SHLIBS($1)
+AC_LIBTOOL_SYS_DYNAMIC_LINKER($1)
+AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH($1)
+
+AC_LIBTOOL_CONFIG($1)
+
+AC_LANG_POP
+CC="$lt_save_CC"
+])# AC_LIBTOOL_LANG_F77_CONFIG
+
+
+# AC_LIBTOOL_LANG_GCJ_CONFIG
+# --------------------------
+# Ensure that the configuration vars for the C compiler are
+# suitably defined.  Those variables are subsequently used by
+# AC_LIBTOOL_CONFIG to write the compiler configuration to `libtool'.
+AC_DEFUN([AC_LIBTOOL_LANG_GCJ_CONFIG], [_LT_AC_LANG_GCJ_CONFIG(GCJ)])
+AC_DEFUN([_LT_AC_LANG_GCJ_CONFIG],
+[AC_LANG_SAVE
+
+# Source file extension for Java test sources.
+ac_ext=java
+
+# Object file extension for compiled Java test sources.
+objext=o
+_LT_AC_TAGVAR(objext, $1)=$objext
+
+# Code to be used in simple compile tests
+lt_simple_compile_test_code="class foo {}"
+
+# Code to be used in simple link tests
+lt_simple_link_test_code='public class conftest { public static void main(String[[]] argv) {}; }'
+
+# ltmain only uses $CC for tagged configurations so make sure $CC is set.
+_LT_AC_SYS_COMPILER
+
+# save warnings/boilerplate of simple test code
+_LT_COMPILER_BOILERPLATE
+_LT_LINKER_BOILERPLATE
+
+# Allow CC to be a program name with arguments.
+lt_save_CC="$CC"
+CC=${GCJ-"gcj"}
+compiler=$CC
+_LT_AC_TAGVAR(compiler, $1)=$CC
+_LT_CC_BASENAME([$compiler])
+
+# GCJ did not exist at the time GCC didn't implicitly link libc in.
+_LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
+
+_LT_AC_TAGVAR(old_archive_cmds, $1)=$old_archive_cmds
+
+AC_LIBTOOL_PROG_COMPILER_NO_RTTI($1)
+AC_LIBTOOL_PROG_COMPILER_PIC($1)
+AC_LIBTOOL_PROG_CC_C_O($1)
+AC_LIBTOOL_SYS_HARD_LINK_LOCKS($1)
+AC_LIBTOOL_PROG_LD_SHLIBS($1)
+AC_LIBTOOL_SYS_DYNAMIC_LINKER($1)
+AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH($1)
+
+AC_LIBTOOL_CONFIG($1)
+
+AC_LANG_RESTORE
+CC="$lt_save_CC"
+])# AC_LIBTOOL_LANG_GCJ_CONFIG
+
+
+# AC_LIBTOOL_LANG_RC_CONFIG
+# -------------------------
+# Ensure that the configuration vars for the Windows resource compiler are
+# suitably defined.  Those variables are subsequently used by
+# AC_LIBTOOL_CONFIG to write the compiler configuration to `libtool'.
+AC_DEFUN([AC_LIBTOOL_LANG_RC_CONFIG], [_LT_AC_LANG_RC_CONFIG(RC)])
+AC_DEFUN([_LT_AC_LANG_RC_CONFIG],
+[AC_LANG_SAVE
+
+# Source file extension for RC test sources.
+ac_ext=rc
+
+# Object file extension for compiled RC test sources.
+objext=o
+_LT_AC_TAGVAR(objext, $1)=$objext
+
+# Code to be used in simple compile tests
+lt_simple_compile_test_code='sample MENU { MENUITEM "&Soup", 100, CHECKED }'
+
+# Code to be used in simple link tests
+lt_simple_link_test_code="$lt_simple_compile_test_code"
+
+# ltmain only uses $CC for tagged configurations so make sure $CC is set.
+_LT_AC_SYS_COMPILER
+
+# save warnings/boilerplate of simple test code
+_LT_COMPILER_BOILERPLATE
+_LT_LINKER_BOILERPLATE
+
+# Allow CC to be a program name with arguments.
+lt_save_CC="$CC"
+CC=${RC-"windres"}
+compiler=$CC
+_LT_AC_TAGVAR(compiler, $1)=$CC
+_LT_CC_BASENAME([$compiler])
+_LT_AC_TAGVAR(lt_cv_prog_compiler_c_o, $1)=yes
+
+AC_LIBTOOL_CONFIG($1)
+
+AC_LANG_RESTORE
+CC="$lt_save_CC"
+])# AC_LIBTOOL_LANG_RC_CONFIG
+
+
+# AC_LIBTOOL_CONFIG([TAGNAME])
+# ----------------------------
+# If TAGNAME is not passed, then create an initial libtool script
+# with a default configuration from the untagged config vars.  Otherwise
+# add code to config.status for appending the configuration named by
+# TAGNAME from the matching tagged config vars.
+AC_DEFUN([AC_LIBTOOL_CONFIG],
+[# The else clause should only fire when bootstrapping the
+# libtool distribution, otherwise you forgot to ship ltmain.sh
+# with your package, and you will get complaints that there are
+# no rules to generate ltmain.sh.
+if test -f "$ltmain"; then
+  # See if we are running on zsh, and set the options which allow our commands through
+  # without removal of \ escapes.
+  if test -n "${ZSH_VERSION+set}" ; then
+    setopt NO_GLOB_SUBST
+  fi
+  # Now quote all the things that may contain metacharacters while being
+  # careful not to overquote the AC_SUBSTed values.  We take copies of the
+  # variables and quote the copies for generation of the libtool script.
+  for var in echo old_CC old_CFLAGS AR AR_FLAGS EGREP RANLIB LN_S LTCC LTCFLAGS NM \
+    SED SHELL STRIP \
+    libname_spec library_names_spec soname_spec extract_expsyms_cmds \
+    old_striplib striplib file_magic_cmd finish_cmds finish_eval \
+    deplibs_check_method reload_flag reload_cmds need_locks \
+    lt_cv_sys_global_symbol_pipe lt_cv_sys_global_symbol_to_cdecl \
+    lt_cv_sys_global_symbol_to_c_name_address \
+    sys_lib_search_path_spec sys_lib_dlsearch_path_spec \
+    old_postinstall_cmds old_postuninstall_cmds \
+    _LT_AC_TAGVAR(compiler, $1) \
+    _LT_AC_TAGVAR(CC, $1) \
+    _LT_AC_TAGVAR(LD, $1) \
+    _LT_AC_TAGVAR(lt_prog_compiler_wl, $1) \
+    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1) \
+    _LT_AC_TAGVAR(lt_prog_compiler_static, $1) \
+    _LT_AC_TAGVAR(lt_prog_compiler_no_builtin_flag, $1) \
+    _LT_AC_TAGVAR(export_dynamic_flag_spec, $1) \
+    _LT_AC_TAGVAR(thread_safe_flag_spec, $1) \
+    _LT_AC_TAGVAR(whole_archive_flag_spec, $1) \
+    _LT_AC_TAGVAR(enable_shared_with_static_runtimes, $1) \
+    _LT_AC_TAGVAR(old_archive_cmds, $1) \
+    _LT_AC_TAGVAR(old_archive_from_new_cmds, $1) \
+    _LT_AC_TAGVAR(predep_objects, $1) \
+    _LT_AC_TAGVAR(postdep_objects, $1) \
+    _LT_AC_TAGVAR(predeps, $1) \
+    _LT_AC_TAGVAR(postdeps, $1) \
+    _LT_AC_TAGVAR(compiler_lib_search_path, $1) \
+    _LT_AC_TAGVAR(compiler_lib_search_dirs, $1) \
+    _LT_AC_TAGVAR(archive_cmds, $1) \
+    _LT_AC_TAGVAR(archive_expsym_cmds, $1) \
+    _LT_AC_TAGVAR(postinstall_cmds, $1) \
+    _LT_AC_TAGVAR(postuninstall_cmds, $1) \
+    _LT_AC_TAGVAR(old_archive_from_expsyms_cmds, $1) \
+    _LT_AC_TAGVAR(allow_undefined_flag, $1) \
+    _LT_AC_TAGVAR(no_undefined_flag, $1) \
+    _LT_AC_TAGVAR(export_symbols_cmds, $1) \
+    _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1) \
+    _LT_AC_TAGVAR(hardcode_libdir_flag_spec_ld, $1) \
+    _LT_AC_TAGVAR(hardcode_libdir_separator, $1) \
+    _LT_AC_TAGVAR(hardcode_automatic, $1) \
+    _LT_AC_TAGVAR(module_cmds, $1) \
+    _LT_AC_TAGVAR(module_expsym_cmds, $1) \
+    _LT_AC_TAGVAR(lt_cv_prog_compiler_c_o, $1) \
+    _LT_AC_TAGVAR(fix_srcfile_path, $1) \
+    _LT_AC_TAGVAR(exclude_expsyms, $1) \
+    _LT_AC_TAGVAR(include_expsyms, $1); do
+
+    case $var in
+    _LT_AC_TAGVAR(old_archive_cmds, $1) | \
+    _LT_AC_TAGVAR(old_archive_from_new_cmds, $1) | \
+    _LT_AC_TAGVAR(archive_cmds, $1) | \
+    _LT_AC_TAGVAR(archive_expsym_cmds, $1) | \
+    _LT_AC_TAGVAR(module_cmds, $1) | \
+    _LT_AC_TAGVAR(module_expsym_cmds, $1) | \
+    _LT_AC_TAGVAR(old_archive_from_expsyms_cmds, $1) | \
+    _LT_AC_TAGVAR(export_symbols_cmds, $1) | \
+    extract_expsyms_cmds | reload_cmds | finish_cmds | \
+    postinstall_cmds | postuninstall_cmds | \
+    old_postinstall_cmds | old_postuninstall_cmds | \
+    sys_lib_search_path_spec | sys_lib_dlsearch_path_spec)
+      # Double-quote double-evaled strings.
+      eval "lt_$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$double_quote_subst\" -e \"\$sed_quote_subst\" -e \"\$delay_variable_subst\"\`\\\""
+      ;;
+    *)
+      eval "lt_$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$sed_quote_subst\"\`\\\""
+      ;;
+    esac
+  done
+
+  case $lt_echo in
+  *'\[$]0 --fallback-echo"')
+    lt_echo=`$echo "X$lt_echo" | $Xsed -e 's/\\\\\\\[$]0 --fallback-echo"[$]/[$]0 --fallback-echo"/'`
+    ;;
+  esac
+
+ifelse([$1], [],
+  [cfgfile="${ofile}T"
+  trap "$rm \"$cfgfile\"; exit 1" 1 2 15
+  $rm -f "$cfgfile"
+  AC_MSG_NOTICE([creating $ofile])],
+  [cfgfile="$ofile"])
+
+  cat <<__EOF__ >> "$cfgfile"
+ifelse([$1], [],
+[#! $SHELL
+
+# `$echo "$cfgfile" | sed 's%^.*/%%'` - Provide generalized library-building support services.
+# Generated automatically by $PROGRAM (GNU $PACKAGE $VERSION$TIMESTAMP)
+# NOTE: Changes made to this file will be lost: look at ltmain.sh.
+#
+# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008
+# Free Software Foundation, Inc.
+#
+# This file is part of GNU Libtool:
+# Originally by Gordon Matzigkeit <gord@gnu.ai.mit.edu>, 1996
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+#
+# As a special exception to the GNU General Public License, if you
+# distribute this file as part of a program that contains a
+# configuration script generated by Autoconf, you may include it under
+# the same distribution terms that you use for the rest of that program.
+
+# A sed program that does not truncate output.
+SED=$lt_SED
+
+# Sed that helps us avoid accidentally triggering echo(1) options like -n.
+Xsed="$SED -e 1s/^X//"
+
+# The HP-UX ksh and POSIX shell print the target directory to stdout
+# if CDPATH is set.
+(unset CDPATH) >/dev/null 2>&1 && unset CDPATH
+
+# The names of the tagged configurations supported by this script.
+available_tags=
+
+# ### BEGIN LIBTOOL CONFIG],
+[# ### BEGIN LIBTOOL TAG CONFIG: $tagname])
+
+# Libtool was configured on host `(hostname || uname -n) 2>/dev/null | sed 1q`:
+
+# Shell to use when invoking shell scripts.
+SHELL=$lt_SHELL
+
+# Whether or not to build shared libraries.
+build_libtool_libs=$enable_shared
+
+# Whether or not to build static libraries.
+build_old_libs=$enable_static
+
+# Whether or not to add -lc for building shared libraries.
+build_libtool_need_lc=$_LT_AC_TAGVAR(archive_cmds_need_lc, $1)
+
+# Whether or not to disallow shared libs when runtime libs are static
+allow_libtool_libs_with_static_runtimes=$_LT_AC_TAGVAR(enable_shared_with_static_runtimes, $1)
+
+# Whether or not to optimize for fast installation.
+fast_install=$enable_fast_install
+
+# The host system.
+host_alias=$host_alias
+host=$host
+host_os=$host_os
+
+# The build system.
+build_alias=$build_alias
+build=$build
+build_os=$build_os
+
+# An echo program that does not interpret backslashes.
+echo=$lt_echo
+
+# The archiver.
+AR=$lt_AR
+AR_FLAGS=$lt_AR_FLAGS
+
+# A C compiler.
+LTCC=$lt_LTCC
+
+# LTCC compiler flags.
+LTCFLAGS=$lt_LTCFLAGS
+
+# A language-specific compiler.
+CC=$lt_[]_LT_AC_TAGVAR(compiler, $1)
+
+# Is the compiler the GNU C compiler?
+with_gcc=$_LT_AC_TAGVAR(GCC, $1)
+
+# An ERE matcher.
+EGREP=$lt_EGREP
+
+# The linker used to build libraries.
+LD=$lt_[]_LT_AC_TAGVAR(LD, $1)
+
+# Whether we need hard or soft links.
+LN_S=$lt_LN_S
+
+# A BSD-compatible nm program.
+NM=$lt_NM
+
+# A symbol stripping program
+STRIP=$lt_STRIP
+
+# Used to examine libraries when file_magic_cmd begins "file"
+MAGIC_CMD=$MAGIC_CMD
+
+# Used on cygwin: DLL creation program.
+DLLTOOL="$DLLTOOL"
+
+# Used on cygwin: object dumper.
+OBJDUMP="$OBJDUMP"
+
+# Used on cygwin: assembler.
+AS="$AS"
+
+# The name of the directory that contains temporary libtool files.
+objdir=$objdir
+
+# How to create reloadable object files.
+reload_flag=$lt_reload_flag
+reload_cmds=$lt_reload_cmds
+
+# How to pass a linker flag through the compiler.
+wl=$lt_[]_LT_AC_TAGVAR(lt_prog_compiler_wl, $1)
+
+# Object file suffix (normally "o").
+objext="$ac_objext"
+
+# Old archive suffix (normally "a").
+libext="$libext"
+
+# Shared library suffix (normally ".so").
+shrext_cmds='$shrext_cmds'
+
+# Executable file suffix (normally "").
+exeext="$exeext"
+
+# Additional compiler flags for building library objects.
+pic_flag=$lt_[]_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)
+pic_mode=$pic_mode
+
+# What is the maximum length of a command?
+max_cmd_len=$lt_cv_sys_max_cmd_len
+
+# Does compiler simultaneously support -c and -o options?
+compiler_c_o=$lt_[]_LT_AC_TAGVAR(lt_cv_prog_compiler_c_o, $1)
+
+# Must we lock files when doing compilation?
+need_locks=$lt_need_locks
+
+# Do we need the lib prefix for modules?
+need_lib_prefix=$need_lib_prefix
+
+# Do we need a version for libraries?
+need_version=$need_version
+
+# Whether dlopen is supported.
+dlopen_support=$enable_dlopen
+
+# Whether dlopen of programs is supported.
+dlopen_self=$enable_dlopen_self
+
+# Whether dlopen of statically linked programs is supported.
+dlopen_self_static=$enable_dlopen_self_static
+
+# Compiler flag to prevent dynamic linking.
+link_static_flag=$lt_[]_LT_AC_TAGVAR(lt_prog_compiler_static, $1)
+
+# Compiler flag to turn off builtin functions.
+no_builtin_flag=$lt_[]_LT_AC_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)
+
+# Compiler flag to allow reflexive dlopens.
+export_dynamic_flag_spec=$lt_[]_LT_AC_TAGVAR(export_dynamic_flag_spec, $1)
+
+# Compiler flag to generate shared objects directly from archives.
+whole_archive_flag_spec=$lt_[]_LT_AC_TAGVAR(whole_archive_flag_spec, $1)
+
+# Compiler flag to generate thread-safe objects.
+thread_safe_flag_spec=$lt_[]_LT_AC_TAGVAR(thread_safe_flag_spec, $1)
+
+# Library versioning type.
+version_type=$version_type
+
+# Format of library name prefix.
+libname_spec=$lt_libname_spec
+
+# List of archive names.  First name is the real one, the rest are links.
+# The last name is the one that the linker finds with -lNAME.
+library_names_spec=$lt_library_names_spec
+
+# The coded name of the library, if different from the real name.
+soname_spec=$lt_soname_spec
+
+# Commands used to build and install an old-style archive.
+RANLIB=$lt_RANLIB
+old_archive_cmds=$lt_[]_LT_AC_TAGVAR(old_archive_cmds, $1)
+old_postinstall_cmds=$lt_old_postinstall_cmds
+old_postuninstall_cmds=$lt_old_postuninstall_cmds
+
+# Create an old-style archive from a shared archive.
+old_archive_from_new_cmds=$lt_[]_LT_AC_TAGVAR(old_archive_from_new_cmds, $1)
+
+# Create a temporary old-style archive to link instead of a shared archive.
+old_archive_from_expsyms_cmds=$lt_[]_LT_AC_TAGVAR(old_archive_from_expsyms_cmds, $1)
+
+# Commands used to build and install a shared archive.
+archive_cmds=$lt_[]_LT_AC_TAGVAR(archive_cmds, $1)
+archive_expsym_cmds=$lt_[]_LT_AC_TAGVAR(archive_expsym_cmds, $1)
+postinstall_cmds=$lt_postinstall_cmds
+postuninstall_cmds=$lt_postuninstall_cmds
+
+# Commands used to build a loadable module (assumed same as above if empty)
+module_cmds=$lt_[]_LT_AC_TAGVAR(module_cmds, $1)
+module_expsym_cmds=$lt_[]_LT_AC_TAGVAR(module_expsym_cmds, $1)
+
+# Commands to strip libraries.
+old_striplib=$lt_old_striplib
+striplib=$lt_striplib
+
+# Dependencies to place before the objects being linked to create a
+# shared library.
+predep_objects=$lt_[]_LT_AC_TAGVAR(predep_objects, $1)
+
+# Dependencies to place after the objects being linked to create a
+# shared library.
+postdep_objects=$lt_[]_LT_AC_TAGVAR(postdep_objects, $1)
+
+# Dependencies to place before the objects being linked to create a
+# shared library.
+predeps=$lt_[]_LT_AC_TAGVAR(predeps, $1)
+
+# Dependencies to place after the objects being linked to create a
+# shared library.
+postdeps=$lt_[]_LT_AC_TAGVAR(postdeps, $1)
+
+# The directories searched by this compiler when creating a shared
+# library
+compiler_lib_search_dirs=$lt_[]_LT_AC_TAGVAR(compiler_lib_search_dirs, $1)
+
+# The library search path used internally by the compiler when linking
+# a shared library.
+compiler_lib_search_path=$lt_[]_LT_AC_TAGVAR(compiler_lib_search_path, $1)
+
+# Method to check whether dependent libraries are shared objects.
+deplibs_check_method=$lt_deplibs_check_method
+
+# Command to use when deplibs_check_method == file_magic.
+file_magic_cmd=$lt_file_magic_cmd
+
+# Flag that allows shared libraries with undefined symbols to be built.
+allow_undefined_flag=$lt_[]_LT_AC_TAGVAR(allow_undefined_flag, $1)
+
+# Flag that forces no undefined symbols.
+no_undefined_flag=$lt_[]_LT_AC_TAGVAR(no_undefined_flag, $1)
+
+# Commands used to finish a libtool library installation in a directory.
+finish_cmds=$lt_finish_cmds
+
+# Same as above, but a single script fragment to be evaled but not shown.
+finish_eval=$lt_finish_eval
+
+# Take the output of nm and produce a listing of raw symbols and C names.
+global_symbol_pipe=$lt_lt_cv_sys_global_symbol_pipe
+
+# Transform the output of nm in a proper C declaration
+global_symbol_to_cdecl=$lt_lt_cv_sys_global_symbol_to_cdecl
+
+# Transform the output of nm in a C name address pair
+global_symbol_to_c_name_address=$lt_lt_cv_sys_global_symbol_to_c_name_address
+
+# This is the shared library runtime path variable.
+runpath_var=$runpath_var
+
+# This is the shared library path variable.
+shlibpath_var=$shlibpath_var
+
+# Is shlibpath searched before the hard-coded library search path?
+shlibpath_overrides_runpath=$shlibpath_overrides_runpath
+
+# How to hardcode a shared library path into an executable.
+hardcode_action=$_LT_AC_TAGVAR(hardcode_action, $1)
+
+# Whether we should hardcode library paths into libraries.
+hardcode_into_libs=$hardcode_into_libs
+
+# Flag to hardcode \$libdir into a binary during linking.
+# This must work even if \$libdir does not exist.
+hardcode_libdir_flag_spec=$lt_[]_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)
+
+# If ld is used when linking, flag to hardcode \$libdir into
+# a binary during linking. This must work even if \$libdir does
+# not exist.
+hardcode_libdir_flag_spec_ld=$lt_[]_LT_AC_TAGVAR(hardcode_libdir_flag_spec_ld, $1)
+
+# Whether we need a single -rpath flag with a separated argument.
+hardcode_libdir_separator=$lt_[]_LT_AC_TAGVAR(hardcode_libdir_separator, $1)
+
+# Set to yes if using DIR/libNAME${shared_ext} during linking hardcodes DIR into the
+# resulting binary.
+hardcode_direct=$_LT_AC_TAGVAR(hardcode_direct, $1)
+
+# Set to yes if using the -LDIR flag during linking hardcodes DIR into the
+# resulting binary.
+hardcode_minus_L=$_LT_AC_TAGVAR(hardcode_minus_L, $1)
+
+# Set to yes if using SHLIBPATH_VAR=DIR during linking hardcodes DIR into
+# the resulting binary.
+hardcode_shlibpath_var=$_LT_AC_TAGVAR(hardcode_shlibpath_var, $1)
+
+# Set to yes if building a shared library automatically hardcodes DIR into the library
+# and all subsequent libraries and executables linked against it.
+hardcode_automatic=$_LT_AC_TAGVAR(hardcode_automatic, $1)
+
+# Variables whose values should be saved in libtool wrapper scripts and
+# restored at relink time.
+variables_saved_for_relink="$variables_saved_for_relink"
+
+# Whether libtool must link a program against all its dependency libraries.
+link_all_deplibs=$_LT_AC_TAGVAR(link_all_deplibs, $1)
+
+# Compile-time system search path for libraries
+sys_lib_search_path_spec=$lt_sys_lib_search_path_spec
+
+# Run-time system search path for libraries
+sys_lib_dlsearch_path_spec=$lt_sys_lib_dlsearch_path_spec
+
+# Fix the shell variable \$srcfile for the compiler.
+fix_srcfile_path=$lt_fix_srcfile_path
+
+# Set to yes if exported symbols are required.
+always_export_symbols=$_LT_AC_TAGVAR(always_export_symbols, $1)
+
+# The commands to list exported symbols.
+export_symbols_cmds=$lt_[]_LT_AC_TAGVAR(export_symbols_cmds, $1)
+
+# The commands to extract the exported symbol list from a shared archive.
+extract_expsyms_cmds=$lt_extract_expsyms_cmds
+
+# Symbols that should not be listed in the preloaded symbols.
+exclude_expsyms=$lt_[]_LT_AC_TAGVAR(exclude_expsyms, $1)
+
+# Symbols that must always be exported.
+include_expsyms=$lt_[]_LT_AC_TAGVAR(include_expsyms, $1)
+
+ifelse([$1],[],
+[# ### END LIBTOOL CONFIG],
+[# ### END LIBTOOL TAG CONFIG: $tagname])
+
+__EOF__
+
+ifelse([$1],[], [
+  case $host_os in
+  aix3*)
+    cat <<\EOF >> "$cfgfile"
+
+# AIX sometimes has problems with the GCC collect2 program.  For some
+# reason, if we set the COLLECT_NAMES environment variable, the problems
+# vanish in a puff of smoke.
+if test "X${COLLECT_NAMES+set}" != Xset; then
+  COLLECT_NAMES=
+  export COLLECT_NAMES
+fi
+EOF
+    ;;
+  esac
+
+  # We use sed instead of cat because bash on DJGPP gets confused if
+  # if finds mixed CR/LF and LF-only lines.  Since sed operates in
+  # text mode, it properly converts lines to CR/LF.  This bash problem
+  # is reportedly fixed, but why not run on old versions too?
+  sed '$q' "$ltmain" >> "$cfgfile" || (rm -f "$cfgfile"; exit 1)
+
+  mv -f "$cfgfile" "$ofile" || \
+    (rm -f "$ofile" && cp "$cfgfile" "$ofile" && rm -f "$cfgfile")
+  chmod +x "$ofile"
+])
+else
+  # If there is no Makefile yet, we rely on a make rule to execute
+  # `config.status --recheck' to rerun these tests and create the
+  # libtool script then.
+  ltmain_in=`echo $ltmain | sed -e 's/\.sh$/.in/'`
+  if test -f "$ltmain_in"; then
+    test -f Makefile && make "$ltmain"
+  fi
+fi
+])# AC_LIBTOOL_CONFIG
+
+
+# AC_LIBTOOL_PROG_COMPILER_NO_RTTI([TAGNAME])
+# -------------------------------------------
+AC_DEFUN([AC_LIBTOOL_PROG_COMPILER_NO_RTTI],
+[AC_REQUIRE([_LT_AC_SYS_COMPILER])dnl
+
+_LT_AC_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)=
+
+if test "$GCC" = yes; then
+  _LT_AC_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)=' -fno-builtin'
+
+  AC_LIBTOOL_COMPILER_OPTION([if $compiler supports -fno-rtti -fno-exceptions],
+    lt_cv_prog_compiler_rtti_exceptions,
+    [-fno-rtti -fno-exceptions], [],
+    [_LT_AC_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)="$_LT_AC_TAGVAR(lt_prog_compiler_no_builtin_flag, $1) -fno-rtti -fno-exceptions"])
+fi
+])# AC_LIBTOOL_PROG_COMPILER_NO_RTTI
+
+
+# AC_LIBTOOL_SYS_GLOBAL_SYMBOL_PIPE
+# ---------------------------------
+AC_DEFUN([AC_LIBTOOL_SYS_GLOBAL_SYMBOL_PIPE],
+[AC_REQUIRE([AC_CANONICAL_HOST])
+AC_REQUIRE([LT_AC_PROG_SED])
+AC_REQUIRE([AC_PROG_NM])
+AC_REQUIRE([AC_OBJEXT])
+# Check for command to grab the raw symbol name followed by C symbol from nm.
+AC_MSG_CHECKING([command to parse $NM output from $compiler object])
+AC_CACHE_VAL([lt_cv_sys_global_symbol_pipe],
+[
+# These are sane defaults that work on at least a few old systems.
+# [They come from Ultrix.  What could be older than Ultrix?!! ;)]
+
+# Character class describing NM global symbol codes.
+symcode='[[BCDEGRST]]'
+
+# Regexp to match symbols that can be accessed directly from C.
+sympat='\([[_A-Za-z]][[_A-Za-z0-9]]*\)'
+
+# Transform an extracted symbol line into a proper C declaration
+lt_cv_sys_global_symbol_to_cdecl="sed -n -e 's/^. .* \(.*\)$/extern int \1;/p'"
+
+# Transform an extracted symbol line into symbol name and symbol address
+lt_cv_sys_global_symbol_to_c_name_address="sed -n -e 's/^: \([[^ ]]*\) $/  {\\\"\1\\\", (lt_ptr) 0},/p' -e 's/^$symcode \([[^ ]]*\) \([[^ ]]*\)$/  {\"\2\", (lt_ptr) \&\2},/p'"
+
+# Define system-specific variables.
+case $host_os in
+aix*)
+  symcode='[[BCDT]]'
+  ;;
+cygwin* | mingw* | pw32*)
+  symcode='[[ABCDGISTW]]'
+  ;;
+hpux*) # Its linker distinguishes data from code symbols
+  if test "$host_cpu" = ia64; then
+    symcode='[[ABCDEGRST]]'
+  fi
+  lt_cv_sys_global_symbol_to_cdecl="sed -n -e 's/^T .* \(.*\)$/extern int \1();/p' -e 's/^$symcode* .* \(.*\)$/extern char \1;/p'"
+  lt_cv_sys_global_symbol_to_c_name_address="sed -n -e 's/^: \([[^ ]]*\) $/  {\\\"\1\\\", (lt_ptr) 0},/p' -e 's/^$symcode* \([[^ ]]*\) \([[^ ]]*\)$/  {\"\2\", (lt_ptr) \&\2},/p'"
+  ;;
+linux* | k*bsd*-gnu)
+  if test "$host_cpu" = ia64; then
+    symcode='[[ABCDGIRSTW]]'
+    lt_cv_sys_global_symbol_to_cdecl="sed -n -e 's/^T .* \(.*\)$/extern int \1();/p' -e 's/^$symcode* .* \(.*\)$/extern char \1;/p'"
+    lt_cv_sys_global_symbol_to_c_name_address="sed -n -e 's/^: \([[^ ]]*\) $/  {\\\"\1\\\", (lt_ptr) 0},/p' -e 's/^$symcode* \([[^ ]]*\) \([[^ ]]*\)$/  {\"\2\", (lt_ptr) \&\2},/p'"
+  fi
+  ;;
+irix* | nonstopux*)
+  symcode='[[BCDEGRST]]'
+  ;;
+osf*)
+  symcode='[[BCDEGQRST]]'
+  ;;
+solaris*)
+  symcode='[[BDRT]]'
+  ;;
+sco3.2v5*)
+  symcode='[[DT]]'
+  ;;
+sysv4.2uw2*)
+  symcode='[[DT]]'
+  ;;
+sysv5* | sco5v6* | unixware* | OpenUNIX*)
+  symcode='[[ABDT]]'
+  ;;
+sysv4)
+  symcode='[[DFNSTU]]'
+  ;;
+esac
+
+# Handle CRLF in mingw tool chain
+opt_cr=
+case $build_os in
+mingw*)
+  opt_cr=`echo 'x\{0,1\}' | tr x '\015'` # option cr in regexp
+  ;;
+esac
+
+# If we're using GNU nm, then use its standard symbol codes.
+case `$NM -V 2>&1` in
+*GNU* | *'with BFD'*)
+  symcode='[[ABCDGIRSTW]]' ;;
+esac
+
+# Try without a prefix undercore, then with it.
+for ac_symprfx in "" "_"; do
+
+  # Transform symcode, sympat, and symprfx into a raw symbol and a C symbol.
+  symxfrm="\\1 $ac_symprfx\\2 \\2"
+
+  # Write the raw and C identifiers.
+  lt_cv_sys_global_symbol_pipe="sed -n -e 's/^.*[[ 	]]\($symcode$symcode*\)[[ 	]][[ 	]]*$ac_symprfx$sympat$opt_cr$/$symxfrm/p'"
+
+  # Check to see that the pipe works correctly.
+  pipe_works=no
+
+  rm -f conftest*
+  cat > conftest.$ac_ext <<EOF
+#ifdef __cplusplus
+extern "C" {
+#endif
+char nm_test_var;
+void nm_test_func(){}
+#ifdef __cplusplus
+}
+#endif
+int main(){nm_test_var='a';nm_test_func();return(0);}
+EOF
+
+  if AC_TRY_EVAL(ac_compile); then
+    # Now try to grab the symbols.
+    nlist=conftest.nm
+    if AC_TRY_EVAL(NM conftest.$ac_objext \| $lt_cv_sys_global_symbol_pipe \> $nlist) && test -s "$nlist"; then
+      # Try sorting and uniquifying the output.
+      if sort "$nlist" | uniq > "$nlist"T; then
+	mv -f "$nlist"T "$nlist"
+      else
+	rm -f "$nlist"T
+      fi
+
+      # Make sure that we snagged all the symbols we need.
+      if grep ' nm_test_var$' "$nlist" >/dev/null; then
+	if grep ' nm_test_func$' "$nlist" >/dev/null; then
+	  cat <<EOF > conftest.$ac_ext
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+EOF
+	  # Now generate the symbol file.
+	  eval "$lt_cv_sys_global_symbol_to_cdecl"' < "$nlist" | grep -v main >> conftest.$ac_ext'
+
+	  cat <<EOF >> conftest.$ac_ext
+#if defined (__STDC__) && __STDC__
+# define lt_ptr_t void *
+#else
+# define lt_ptr_t char *
+# define const
+#endif
+
+/* The mapping between symbol names and symbols. */
+const struct {
+  const char *name;
+  lt_ptr_t address;
+}
+lt_preloaded_symbols[[]] =
+{
+EOF
+	  $SED "s/^$symcode$symcode* \(.*\) \(.*\)$/  {\"\2\", (lt_ptr_t) \&\2},/" < "$nlist" | grep -v main >> conftest.$ac_ext
+	  cat <<\EOF >> conftest.$ac_ext
+  {0, (lt_ptr_t) 0}
+};
+
+#ifdef __cplusplus
+}
+#endif
+EOF
+	  # Now try linking the two files.
+	  mv conftest.$ac_objext conftstm.$ac_objext
+	  lt_save_LIBS="$LIBS"
+	  lt_save_CFLAGS="$CFLAGS"
+	  LIBS="conftstm.$ac_objext"
+	  CFLAGS="$CFLAGS$_LT_AC_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)"
+	  if AC_TRY_EVAL(ac_link) && test -s conftest${ac_exeext}; then
+	    pipe_works=yes
+	  fi
+	  LIBS="$lt_save_LIBS"
+	  CFLAGS="$lt_save_CFLAGS"
+	else
+	  echo "cannot find nm_test_func in $nlist" >&AS_MESSAGE_LOG_FD
+	fi
+      else
+	echo "cannot find nm_test_var in $nlist" >&AS_MESSAGE_LOG_FD
+      fi
+    else
+      echo "cannot run $lt_cv_sys_global_symbol_pipe" >&AS_MESSAGE_LOG_FD
+    fi
+  else
+    echo "$progname: failed program was:" >&AS_MESSAGE_LOG_FD
+    cat conftest.$ac_ext >&5
+  fi
+  rm -rf conftest* conftst*
+
+  # Do not use the global_symbol_pipe unless it works.
+  if test "$pipe_works" = yes; then
+    break
+  else
+    lt_cv_sys_global_symbol_pipe=
+  fi
+done
+])
+if test -z "$lt_cv_sys_global_symbol_pipe"; then
+  lt_cv_sys_global_symbol_to_cdecl=
+fi
+if test -z "$lt_cv_sys_global_symbol_pipe$lt_cv_sys_global_symbol_to_cdecl"; then
+  AC_MSG_RESULT(failed)
+else
+  AC_MSG_RESULT(ok)
+fi
+]) # AC_LIBTOOL_SYS_GLOBAL_SYMBOL_PIPE
+
+
+# AC_LIBTOOL_PROG_COMPILER_PIC([TAGNAME])
+# ---------------------------------------
+AC_DEFUN([AC_LIBTOOL_PROG_COMPILER_PIC],
+[_LT_AC_TAGVAR(lt_prog_compiler_wl, $1)=
+_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)=
+_LT_AC_TAGVAR(lt_prog_compiler_static, $1)=
+
+AC_MSG_CHECKING([for $compiler option to produce PIC])
+ ifelse([$1],[CXX],[
+  # C++ specific cases for pic, static, wl, etc.
+  if test "$GXX" = yes; then
+    _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+    _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-static'
+
+    case $host_os in
+    aix*)
+      # All AIX code is PIC.
+      if test "$host_cpu" = ia64; then
+	# AIX 5 now supports IA64 processor
+	_LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+      fi
+      ;;
+    amigaos*)
+      # FIXME: we need at least 68020 code to build shared libraries, but
+      # adding the `-m68020' flag to GCC prevents building anything better,
+      # like `-m68040'.
+      _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-m68020 -resident32 -malways-restore-a4'
+      ;;
+    beos* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*)
+      # PIC is the default for these OSes.
+      ;;
+    mingw* | cygwin* | os2* | pw32*)
+      # This hack is so that the source file can tell whether it is being
+      # built for inclusion in a dll (and should export symbols for example).
+      # Although the cygwin gcc ignores -fPIC, still need this for old-style
+      # (--disable-auto-import) libraries
+      m4_if([$1], [GCJ], [],
+	[_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-DDLL_EXPORT'])
+      ;;
+    darwin* | rhapsody*)
+      # PIC is the default on this platform
+      # Common symbols not allowed in MH_DYLIB files
+      _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-fno-common'
+      ;;
+    *djgpp*)
+      # DJGPP does not support shared libraries at all
+      _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)=
+      ;;
+    interix[[3-9]]*)
+      # Interix 3.x gcc -fpic/-fPIC options generate broken code.
+      # Instead, we relocate shared libraries at runtime.
+      ;;
+    sysv4*MP*)
+      if test -d /usr/nec; then
+	_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)=-Kconform_pic
+      fi
+      ;;
+    hpux*)
+      # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but
+      # not for PA HP-UX.
+      case $host_cpu in
+      hppa*64*|ia64*)
+	;;
+      *)
+	_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
+	;;
+      esac
+      ;;
+    *)
+      _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
+      ;;
+    esac
+  else
+    case $host_os in
+      aix[[4-9]]*)
+	# All AIX code is PIC.
+	if test "$host_cpu" = ia64; then
+	  # AIX 5 now supports IA64 processor
+	  _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+	else
+	  _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-bnso -bI:/lib/syscalls.exp'
+	fi
+	;;
+      chorus*)
+	case $cc_basename in
+	cxch68*)
+	  # Green Hills C++ Compiler
+	  # _LT_AC_TAGVAR(lt_prog_compiler_static, $1)="--no_auto_instantiation -u __main -u __premain -u _abort -r $COOL_DIR/lib/libOrb.a $MVME_DIR/lib/CC/libC.a $MVME_DIR/lib/classix/libcx.s.a"
+	  ;;
+	esac
+	;;
+       darwin*)
+         # PIC is the default on this platform
+         # Common symbols not allowed in MH_DYLIB files
+         case $cc_basename in
+           xlc*)
+           _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-qnocommon'
+           _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+           ;;
+         esac
+       ;;
+      dgux*)
+	case $cc_basename in
+	  ec++*)
+	    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+	    ;;
+	  ghcx*)
+	    # Green Hills C++ Compiler
+	    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-pic'
+	    ;;
+	  *)
+	    ;;
+	esac
+	;;
+      freebsd* | dragonfly*)
+	# FreeBSD uses GNU C++
+	;;
+      hpux9* | hpux10* | hpux11*)
+	case $cc_basename in
+	  CC*)
+	    _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+	    _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='${wl}-a ${wl}archive'
+	    if test "$host_cpu" != ia64; then
+	      _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='+Z'
+	    fi
+	    ;;
+	  aCC*)
+	    _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+	    _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='${wl}-a ${wl}archive'
+	    case $host_cpu in
+	    hppa*64*|ia64*)
+	      # +Z the default
+	      ;;
+	    *)
+	      _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='+Z'
+	      ;;
+	    esac
+	    ;;
+	  *)
+	    ;;
+	esac
+	;;
+      interix*)
+	# This is c89, which is MS Visual C++ (no shared libs)
+	# Anyone wants to do a port?
+	;;
+      irix5* | irix6* | nonstopux*)
+	case $cc_basename in
+	  CC*)
+	    _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+	    _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
+	    # CC pic flag -KPIC is the default.
+	    ;;
+	  *)
+	    ;;
+	esac
+	;;
+      linux* | k*bsd*-gnu)
+	case $cc_basename in
+	  KCC*)
+	    # KAI C++ Compiler
+	    _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='--backend -Wl,'
+	    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
+	    ;;
+	  icpc* | ecpc*)
+	    # Intel C++
+	    _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+	    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+	    _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-static'
+	    ;;
+	  pgCC* | pgcpp*)
+	    # Portland Group C++ compiler.
+	    _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+	    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-fpic'
+	    _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+	    ;;
+	  cxx*)
+	    # Compaq C++
+	    # Make sure the PIC flag is empty.  It appears that all Alpha
+	    # Linux and Compaq Tru64 Unix objects are PIC.
+	    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)=
+	    _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
+	    ;;
+	  *)
+	    case `$CC -V 2>&1 | sed 5q` in
+	    *Sun\ C*)
+	      # Sun C++ 5.9
+	      _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+	      _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+	      _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Qoption ld '
+	      ;;
+	    esac
+	    ;;
+	esac
+	;;
+      lynxos*)
+	;;
+      m88k*)
+	;;
+      mvs*)
+	case $cc_basename in
+	  cxx*)
+	    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-W c,exportall'
+	    ;;
+	  *)
+	    ;;
+	esac
+	;;
+      netbsd* | netbsdelf*-gnu)
+	;;
+      osf3* | osf4* | osf5*)
+	case $cc_basename in
+	  KCC*)
+	    _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='--backend -Wl,'
+	    ;;
+	  RCC*)
+	    # Rational C++ 2.4.1
+	    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-pic'
+	    ;;
+	  cxx*)
+	    # Digital/Compaq C++
+	    _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+	    # Make sure the PIC flag is empty.  It appears that all Alpha
+	    # Linux and Compaq Tru64 Unix objects are PIC.
+	    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)=
+	    _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
+	    ;;
+	  *)
+	    ;;
+	esac
+	;;
+      psos*)
+	;;
+      solaris*)
+	case $cc_basename in
+	  CC*)
+	    # Sun C++ 4.2, 5.x and Centerline C++
+	    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+	    _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+	    _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Qoption ld '
+	    ;;
+	  gcx*)
+	    # Green Hills C++ Compiler
+	    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-PIC'
+	    ;;
+	  *)
+	    ;;
+	esac
+	;;
+      sunos4*)
+	case $cc_basename in
+	  CC*)
+	    # Sun C++ 4.x
+	    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-pic'
+	    _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+	    ;;
+	  lcc*)
+	    # Lucid
+	    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-pic'
+	    ;;
+	  *)
+	    ;;
+	esac
+	;;
+      tandem*)
+	case $cc_basename in
+	  NCC*)
+	    # NonStop-UX NCC 3.20
+	    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+	    ;;
+	  *)
+	    ;;
+	esac
+	;;
+      sysv5* | unixware* | sco3.2v5* | sco5v6* | OpenUNIX*)
+	case $cc_basename in
+	  CC*)
+	    _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+	    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+	    _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+	    ;;
+	esac
+	;;
+      vxworks*)
+	;;
+      *)
+	_LT_AC_TAGVAR(lt_prog_compiler_can_build_shared, $1)=no
+	;;
+    esac
+  fi
+],
+[
+  if test "$GCC" = yes; then
+    _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+    _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-static'
+
+    case $host_os in
+      aix*)
+      # All AIX code is PIC.
+      if test "$host_cpu" = ia64; then
+	# AIX 5 now supports IA64 processor
+	_LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+      fi
+      ;;
+
+    amigaos*)
+      # FIXME: we need at least 68020 code to build shared libraries, but
+      # adding the `-m68020' flag to GCC prevents building anything better,
+      # like `-m68040'.
+      _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-m68020 -resident32 -malways-restore-a4'
+      ;;
+
+    beos* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*)
+      # PIC is the default for these OSes.
+      ;;
+
+    mingw* | cygwin* | pw32* | os2*)
+      # This hack is so that the source file can tell whether it is being
+      # built for inclusion in a dll (and should export symbols for example).
+      # Although the cygwin gcc ignores -fPIC, still need this for old-style
+      # (--disable-auto-import) libraries
+      m4_if([$1], [GCJ], [],
+	[_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-DDLL_EXPORT'])
+      ;;
+
+    darwin* | rhapsody*)
+      # PIC is the default on this platform
+      # Common symbols not allowed in MH_DYLIB files
+      _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-fno-common'
+      ;;
+
+    interix[[3-9]]*)
+      # Interix 3.x gcc -fpic/-fPIC options generate broken code.
+      # Instead, we relocate shared libraries at runtime.
+      ;;
+
+    msdosdjgpp*)
+      # Just because we use GCC doesn't mean we suddenly get shared libraries
+      # on systems that don't support them.
+      _LT_AC_TAGVAR(lt_prog_compiler_can_build_shared, $1)=no
+      enable_shared=no
+      ;;
+
+    sysv4*MP*)
+      if test -d /usr/nec; then
+	_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)=-Kconform_pic
+      fi
+      ;;
+
+    hpux*)
+      # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but
+      # not for PA HP-UX.
+      case $host_cpu in
+      hppa*64*|ia64*)
+	# +Z the default
+	;;
+      *)
+	_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
+	;;
+      esac
+      ;;
+
+    *)
+      _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
+      ;;
+    esac
+  else
+    # PORTME Check for flag to pass linker flags through the system compiler.
+    case $host_os in
+    aix*)
+      _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+      if test "$host_cpu" = ia64; then
+	# AIX 5 now supports IA64 processor
+	_LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+      else
+	_LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-bnso -bI:/lib/syscalls.exp'
+      fi
+      ;;
+      darwin*)
+        # PIC is the default on this platform
+        # Common symbols not allowed in MH_DYLIB files
+       case $cc_basename in
+         xlc*)
+         _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-qnocommon'
+         _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+         ;;
+       esac
+       ;;
+
+    mingw* | cygwin* | pw32* | os2*)
+      # This hack is so that the source file can tell whether it is being
+      # built for inclusion in a dll (and should export symbols for example).
+      m4_if([$1], [GCJ], [],
+	[_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-DDLL_EXPORT'])
+      ;;
+
+    hpux9* | hpux10* | hpux11*)
+      _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+      # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but
+      # not for PA HP-UX.
+      case $host_cpu in
+      hppa*64*|ia64*)
+	# +Z the default
+	;;
+      *)
+	_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='+Z'
+	;;
+      esac
+      # Is there a better lt_prog_compiler_static that works with the bundled CC?
+      _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='${wl}-a ${wl}archive'
+      ;;
+
+    irix5* | irix6* | nonstopux*)
+      _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+      # PIC (with -KPIC) is the default.
+      _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
+      ;;
+
+    newsos6)
+      _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+      _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+      ;;
+
+    linux* | k*bsd*-gnu)
+      case $cc_basename in
+      icc* | ecc*)
+	_LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+	_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+	_LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-static'
+        ;;
+      pgcc* | pgf77* | pgf90* | pgf95*)
+        # Portland Group compilers (*not* the Pentium gcc compiler,
+	# which looks to be a dead project)
+	_LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+	_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-fpic'
+	_LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+        ;;
+      ccc*)
+        _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+        # All Alpha code is PIC.
+        _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
+        ;;
+      *)
+        case `$CC -V 2>&1 | sed 5q` in
+	*Sun\ C*)
+	  # Sun C 5.9
+	  _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+	  _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+	  _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+	  ;;
+	*Sun\ F*)
+	  # Sun Fortran 8.3 passes all unrecognized flags to the linker
+	  _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+	  _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+	  _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)=''
+	  ;;
+	esac
+	;;
+      esac
+      ;;
+
+    osf3* | osf4* | osf5*)
+      _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+      # All OSF/1 code is PIC.
+      _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
+      ;;
+
+    rdos*)
+      _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
+      ;;
+
+    solaris*)
+      _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+      _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+      case $cc_basename in
+      f77* | f90* | f95*)
+	_LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Qoption ld ';;
+      *)
+	_LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,';;
+      esac
+      ;;
+
+    sunos4*)
+      _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Qoption ld '
+      _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-PIC'
+      _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+      ;;
+
+    sysv4 | sysv4.2uw2* | sysv4.3*)
+      _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+      _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+      _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+      ;;
+
+    sysv4*MP*)
+      if test -d /usr/nec ;then
+	_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-Kconform_pic'
+	_LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+      fi
+      ;;
+
+    sysv5* | unixware* | sco3.2v5* | sco5v6* | OpenUNIX*)
+      _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+      _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+      _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+      ;;
+
+    unicos*)
+      _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+      _LT_AC_TAGVAR(lt_prog_compiler_can_build_shared, $1)=no
+      ;;
+
+    uts4*)
+      _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-pic'
+      _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+      ;;
+
+    *)
+      _LT_AC_TAGVAR(lt_prog_compiler_can_build_shared, $1)=no
+      ;;
+    esac
+  fi
+])
+AC_MSG_RESULT([$_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)])
+
+#
+# Check to make sure the PIC flag actually works.
+#
+if test -n "$_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)"; then
+  AC_LIBTOOL_COMPILER_OPTION([if $compiler PIC flag $_LT_AC_TAGVAR(lt_prog_compiler_pic, $1) works],
+    _LT_AC_TAGVAR(lt_cv_prog_compiler_pic_works, $1),
+    [$_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)ifelse([$1],[],[ -DPIC],[ifelse([$1],[CXX],[ -DPIC],[])])], [],
+    [case $_LT_AC_TAGVAR(lt_prog_compiler_pic, $1) in
+     "" | " "*) ;;
+     *) _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)=" $_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)" ;;
+     esac],
+    [_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)=
+     _LT_AC_TAGVAR(lt_prog_compiler_can_build_shared, $1)=no])
+fi
+case $host_os in
+  # For platforms which do not support PIC, -DPIC is meaningless:
+  *djgpp*)
+    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)=
+    ;;
+  *)
+    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)="$_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)ifelse([$1],[],[ -DPIC],[ifelse([$1],[CXX],[ -DPIC],[])])"
+    ;;
+esac
+
+#
+# Check to make sure the static flag actually works.
+#
+wl=$_LT_AC_TAGVAR(lt_prog_compiler_wl, $1) eval lt_tmp_static_flag=\"$_LT_AC_TAGVAR(lt_prog_compiler_static, $1)\"
+AC_LIBTOOL_LINKER_OPTION([if $compiler static flag $lt_tmp_static_flag works],
+  _LT_AC_TAGVAR(lt_cv_prog_compiler_static_works, $1),
+  $lt_tmp_static_flag,
+  [],
+  [_LT_AC_TAGVAR(lt_prog_compiler_static, $1)=])
+])
+
+
+# AC_LIBTOOL_PROG_LD_SHLIBS([TAGNAME])
+# ------------------------------------
+# See if the linker supports building shared libraries.
+AC_DEFUN([AC_LIBTOOL_PROG_LD_SHLIBS],
+[AC_REQUIRE([LT_AC_PROG_SED])dnl
+AC_MSG_CHECKING([whether the $compiler linker ($LD) supports shared libraries])
+ifelse([$1],[CXX],[
+  _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols'
+  case $host_os in
+  aix[[4-9]]*)
+    # If we're using GNU nm, then we don't want the "-C" option.
+    # -C means demangle to AIX nm, but means don't demangle with GNU nm
+    if $NM -V 2>&1 | grep 'GNU' > /dev/null; then
+      _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM -Bpg $libobjs $convenience | awk '\''{ if (((\[$]2 == "T") || (\[$]2 == "D") || (\[$]2 == "B")) && ([substr](\[$]3,1,1) != ".")) { print \[$]3 } }'\'' | sort -u > $export_symbols'
+    else
+      _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM -BCpg $libobjs $convenience | awk '\''{ if (((\[$]2 == "T") || (\[$]2 == "D") || (\[$]2 == "B")) && ([substr](\[$]3,1,1) != ".")) { print \[$]3 } }'\'' | sort -u > $export_symbols'
+    fi
+    ;;
+  pw32*)
+    _LT_AC_TAGVAR(export_symbols_cmds, $1)="$ltdll_cmds"
+  ;;
+  cygwin* | mingw*)
+    _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[[BCDGRS]][[ ]]/s/.*[[ ]]\([[^ ]]*\)/\1 DATA/;/^.*[[ ]]__nm__/s/^.*[[ ]]__nm__\([[^ ]]*\)[[ ]][[^ ]]*/\1 DATA/;/^I[[ ]]/d;/^[[AITW]][[ ]]/s/.*[[ ]]//'\'' | sort | uniq > $export_symbols'
+  ;;
+  linux* | k*bsd*-gnu)
+    _LT_AC_TAGVAR(link_all_deplibs, $1)=no
+  ;;
+  *)
+    _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols'
+  ;;
+  esac
+  _LT_AC_TAGVAR(exclude_expsyms, $1)=['_GLOBAL_OFFSET_TABLE_|_GLOBAL__F[ID]_.*']
+],[
+  runpath_var=
+  _LT_AC_TAGVAR(allow_undefined_flag, $1)=
+  _LT_AC_TAGVAR(enable_shared_with_static_runtimes, $1)=no
+  _LT_AC_TAGVAR(archive_cmds, $1)=
+  _LT_AC_TAGVAR(archive_expsym_cmds, $1)=
+  _LT_AC_TAGVAR(old_archive_From_new_cmds, $1)=
+  _LT_AC_TAGVAR(old_archive_from_expsyms_cmds, $1)=
+  _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)=
+  _LT_AC_TAGVAR(whole_archive_flag_spec, $1)=
+  _LT_AC_TAGVAR(thread_safe_flag_spec, $1)=
+  _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)=
+  _LT_AC_TAGVAR(hardcode_libdir_flag_spec_ld, $1)=
+  _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=
+  _LT_AC_TAGVAR(hardcode_direct, $1)=no
+  _LT_AC_TAGVAR(hardcode_minus_L, $1)=no
+  _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=unsupported
+  _LT_AC_TAGVAR(link_all_deplibs, $1)=unknown
+  _LT_AC_TAGVAR(hardcode_automatic, $1)=no
+  _LT_AC_TAGVAR(module_cmds, $1)=
+  _LT_AC_TAGVAR(module_expsym_cmds, $1)=
+  _LT_AC_TAGVAR(always_export_symbols, $1)=no
+  _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols'
+  # include_expsyms should be a list of space-separated symbols to be *always*
+  # included in the symbol list
+  _LT_AC_TAGVAR(include_expsyms, $1)=
+  # exclude_expsyms can be an extended regexp of symbols to exclude
+  # it will be wrapped by ` (' and `)$', so one must not match beginning or
+  # end of line.  Example: `a|bc|.*d.*' will exclude the symbols `a' and `bc',
+  # as well as any symbol that contains `d'.
+  _LT_AC_TAGVAR(exclude_expsyms, $1)=['_GLOBAL_OFFSET_TABLE_|_GLOBAL__F[ID]_.*']
+  # Although _GLOBAL_OFFSET_TABLE_ is a valid symbol C name, most a.out
+  # platforms (ab)use it in PIC code, but their linkers get confused if
+  # the symbol is explicitly referenced.  Since portable code cannot
+  # rely on this symbol name, it's probably fine to never include it in
+  # preloaded symbol tables.
+  # Exclude shared library initialization/finalization symbols.
+dnl Note also adjust exclude_expsyms for C++ above.
+  extract_expsyms_cmds=
+  # Just being paranoid about ensuring that cc_basename is set.
+  _LT_CC_BASENAME([$compiler])
+  case $host_os in
+  cygwin* | mingw* | pw32*)
+    # FIXME: the MSVC++ port hasn't been tested in a loooong time
+    # When not using gcc, we currently assume that we are using
+    # Microsoft Visual C++.
+    if test "$GCC" != yes; then
+      with_gnu_ld=no
+    fi
+    ;;
+  interix*)
+    # we just hope/assume this is gcc and not c89 (= MSVC++)
+    with_gnu_ld=yes
+    ;;
+  openbsd*)
+    with_gnu_ld=no
+    ;;
+  esac
+
+  _LT_AC_TAGVAR(ld_shlibs, $1)=yes
+  if test "$with_gnu_ld" = yes; then
+    # If archive_cmds runs LD, not CC, wlarc should be empty
+    wlarc='${wl}'
+
+    # Set some defaults for GNU ld with shared library support. These
+    # are reset later if shared libraries are not supported. Putting them
+    # here allows them to be overridden if necessary.
+    runpath_var=LD_RUN_PATH
+    _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}--rpath ${wl}$libdir'
+    _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic'
+    # ancient GNU ld didn't support --whole-archive et. al.
+    if $LD --help 2>&1 | grep 'no-whole-archive' > /dev/null; then
+	_LT_AC_TAGVAR(whole_archive_flag_spec, $1)="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive'
+      else
+  	_LT_AC_TAGVAR(whole_archive_flag_spec, $1)=
+    fi
+    supports_anon_versioning=no
+    case `$LD -v 2>/dev/null` in
+      *\ [[01]].* | *\ 2.[[0-9]].* | *\ 2.10.*) ;; # catch versions < 2.11
+      *\ 2.11.93.0.2\ *) supports_anon_versioning=yes ;; # RH7.3 ...
+      *\ 2.11.92.0.12\ *) supports_anon_versioning=yes ;; # Mandrake 8.2 ...
+      *\ 2.11.*) ;; # other 2.11 versions
+      *) supports_anon_versioning=yes ;;
+    esac
+
+    # See if GNU ld supports shared libraries.
+    case $host_os in
+    aix[[3-9]]*)
+      # On AIX/PPC, the GNU linker is very broken
+      if test "$host_cpu" != ia64; then
+	_LT_AC_TAGVAR(ld_shlibs, $1)=no
+	cat <<EOF 1>&2
+
+*** Warning: the GNU linker, at least up to release 2.9.1, is reported
+*** to be unable to reliably create shared libraries on AIX.
+*** Therefore, libtool is disabling shared libraries support.  If you
+*** really care for shared libraries, you may want to modify your PATH
+*** so that a non-GNU linker is found, and then restart.
+
+EOF
+      fi
+      ;;
+
+    amigaos*)
+      _LT_AC_TAGVAR(archive_cmds, $1)='$rm $output_objdir/a2ixlibrary.data~$echo "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$echo "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$echo "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$echo "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)'
+      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
+      _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes
+
+      # Samuel A. Falvo II <kc5tja@dolphin.openprojects.net> reports
+      # that the semantics of dynamic libraries on AmigaOS, at least up
+      # to version 4, is to share data among multiple programs linked
+      # with the same dynamic library.  Since this doesn't match the
+      # behavior of shared libraries on other platforms, we can't use
+      # them.
+      _LT_AC_TAGVAR(ld_shlibs, $1)=no
+      ;;
+
+    beos*)
+      if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
+	_LT_AC_TAGVAR(allow_undefined_flag, $1)=unsupported
+	# Joseph Beckenbach <jrb3@best.com> says some releases of gcc
+	# support --undefined.  This deserves some investigation.  FIXME
+	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -nostart $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+      else
+	_LT_AC_TAGVAR(ld_shlibs, $1)=no
+      fi
+      ;;
+
+    cygwin* | mingw* | pw32*)
+      # _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1) is actually meaningless,
+      # as there is no search path for DLLs.
+      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
+      _LT_AC_TAGVAR(allow_undefined_flag, $1)=unsupported
+      _LT_AC_TAGVAR(always_export_symbols, $1)=no
+      _LT_AC_TAGVAR(enable_shared_with_static_runtimes, $1)=yes
+      _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[[BCDGRS]][[ ]]/s/.*[[ ]]\([[^ ]]*\)/\1 DATA/'\'' -e '\''/^[[AITW]][[ ]]/s/.*[[ ]]//'\'' | sort | uniq > $export_symbols'
+
+      if $LD --help 2>&1 | grep 'auto-import' > /dev/null; then
+        _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
+	# If the export-symbols file already is a .def file (1st line
+	# is EXPORTS), use it as is; otherwise, prepend...
+	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then
+	  cp $export_symbols $output_objdir/$soname.def;
+	else
+	  echo EXPORTS > $output_objdir/$soname.def;
+	  cat $export_symbols >> $output_objdir/$soname.def;
+	fi~
+	$CC -shared $output_objdir/$soname.def $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
+      else
+	_LT_AC_TAGVAR(ld_shlibs, $1)=no
+      fi
+      ;;
+
+    interix[[3-9]]*)
+      _LT_AC_TAGVAR(hardcode_direct, $1)=no
+      _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
+      _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
+      # Hack: On Interix 3.x, we cannot compile PIC because of a broken gcc.
+      # Instead, shared libraries are loaded at an image base (0x10000000 by
+      # default) and relocated if they conflict, which is a slow very memory
+      # consuming and fragmenting process.  To avoid this, we pick a random,
+      # 256 KiB-aligned image base between 0x50000000 and 0x6FFC0000 at link
+      # time.  Moving up from 0x10000000 also allows more sbrk(2) space.
+      _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
+      _LT_AC_TAGVAR(archive_expsym_cmds, $1)='sed "s,^,_," $export_symbols >$output_objdir/$soname.expsym~$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--retain-symbols-file,$output_objdir/$soname.expsym ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
+      ;;
+
+    gnu* | linux* | k*bsd*-gnu)
+      if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
+	tmp_addflag=
+	case $cc_basename,$host_cpu in
+	pgcc*)				# Portland Group C compiler
+	  _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}--no-whole-archive'
+	  tmp_addflag=' $pic_flag'
+	  ;;
+	pgf77* | pgf90* | pgf95*)	# Portland Group f77 and f90 compilers
+	  _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}--no-whole-archive'
+	  tmp_addflag=' $pic_flag -Mnomain' ;;
+	ecc*,ia64* | icc*,ia64*)		# Intel C compiler on ia64
+	  tmp_addflag=' -i_dynamic' ;;
+	efc*,ia64* | ifort*,ia64*)	# Intel Fortran compiler on ia64
+	  tmp_addflag=' -i_dynamic -nofor_main' ;;
+	ifc* | ifort*)			# Intel Fortran compiler
+	  tmp_addflag=' -nofor_main' ;;
+	esac
+	case `$CC -V 2>&1 | sed 5q` in
+	*Sun\ C*)			# Sun C 5.9
+	  _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`new_convenience=; for conv in $convenience\"\"; do test -z \"$conv\" || new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}--no-whole-archive'
+	  tmp_sharedflag='-G' ;;
+	*Sun\ F*)			# Sun Fortran 8.3
+	  tmp_sharedflag='-G' ;;
+	*)
+	  tmp_sharedflag='-shared' ;;
+	esac
+	_LT_AC_TAGVAR(archive_cmds, $1)='$CC '"$tmp_sharedflag""$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+
+	if test $supports_anon_versioning = yes; then
+	  _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$echo "{ global:" > $output_objdir/$libname.ver~
+  cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~
+  $echo "local: *; };" >> $output_objdir/$libname.ver~
+	  $CC '"$tmp_sharedflag""$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-version-script ${wl}$output_objdir/$libname.ver -o $lib'
+	fi
+	_LT_AC_TAGVAR(link_all_deplibs, $1)=no
+      else
+	_LT_AC_TAGVAR(ld_shlibs, $1)=no
+      fi
+      ;;
+
+    netbsd* | netbsdelf*-gnu)
+      if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
+	_LT_AC_TAGVAR(archive_cmds, $1)='$LD -Bshareable $libobjs $deplibs $linker_flags -o $lib'
+	wlarc=
+      else
+	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+      fi
+      ;;
+
+    solaris*)
+      if $LD -v 2>&1 | grep 'BFD 2\.8' > /dev/null; then
+	_LT_AC_TAGVAR(ld_shlibs, $1)=no
+	cat <<EOF 1>&2
+
+*** Warning: The releases 2.8.* of the GNU linker cannot reliably
+*** create shared libraries on Solaris systems.  Therefore, libtool
+*** is disabling shared libraries support.  We urge you to upgrade GNU
+*** binutils to release 2.9.1 or newer.  Another option is to modify
+*** your PATH or compiler configuration so that the native linker is
+*** used, and then restart.
+
+EOF
+      elif $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
+	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+      else
+	_LT_AC_TAGVAR(ld_shlibs, $1)=no
+      fi
+      ;;
+
+    sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX*)
+      case `$LD -v 2>&1` in
+        *\ [[01]].* | *\ 2.[[0-9]].* | *\ 2.1[[0-5]].*)
+	_LT_AC_TAGVAR(ld_shlibs, $1)=no
+	cat <<_LT_EOF 1>&2
+
+*** Warning: Releases of the GNU linker prior to 2.16.91.0.3 can not
+*** reliably create shared libraries on SCO systems.  Therefore, libtool
+*** is disabling shared libraries support.  We urge you to upgrade GNU
+*** binutils to release 2.16.91.0.3 or newer.  Another option is to modify
+*** your PATH or compiler configuration so that the native linker is
+*** used, and then restart.
+
+_LT_EOF
+	;;
+	*)
+	  if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
+	    _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='`test -z "$SCOABSPATH" && echo ${wl}-rpath,$libdir`'
+	    _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib'
+	    _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname,\${SCOABSPATH:+${install_libdir}/}$soname,-retain-symbols-file,$export_symbols -o $lib'
+	  else
+	    _LT_AC_TAGVAR(ld_shlibs, $1)=no
+	  fi
+	;;
+      esac
+      ;;
+
+    sunos4*)
+      _LT_AC_TAGVAR(archive_cmds, $1)='$LD -assert pure-text -Bshareable -o $lib $libobjs $deplibs $linker_flags'
+      wlarc=
+      _LT_AC_TAGVAR(hardcode_direct, $1)=yes
+      _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+      ;;
+
+    *)
+      if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
+	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+      else
+	_LT_AC_TAGVAR(ld_shlibs, $1)=no
+      fi
+      ;;
+    esac
+
+    if test "$_LT_AC_TAGVAR(ld_shlibs, $1)" = no; then
+      runpath_var=
+      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)=
+      _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)=
+      _LT_AC_TAGVAR(whole_archive_flag_spec, $1)=
+    fi
+  else
+    # PORTME fill in a description of your system's linker (not GNU ld)
+    case $host_os in
+    aix3*)
+      _LT_AC_TAGVAR(allow_undefined_flag, $1)=unsupported
+      _LT_AC_TAGVAR(always_export_symbols, $1)=yes
+      _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$LD -o $output_objdir/$soname $libobjs $deplibs $linker_flags -bE:$export_symbols -T512 -H512 -bM:SRE~$AR $AR_FLAGS $lib $output_objdir/$soname'
+      # Note: this linker hardcodes the directories in LIBPATH if there
+      # are no directories specified by -L.
+      _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes
+      if test "$GCC" = yes && test -z "$lt_prog_compiler_static"; then
+	# Neither direct hardcoding nor static linking is supported with a
+	# broken collect2.
+	_LT_AC_TAGVAR(hardcode_direct, $1)=unsupported
+      fi
+      ;;
+
+    aix[[4-9]]*)
+      if test "$host_cpu" = ia64; then
+	# On IA64, the linker does run time linking by default, so we don't
+	# have to do anything special.
+	aix_use_runtimelinking=no
+	exp_sym_flag='-Bexport'
+	no_entry_flag=""
+      else
+	# If we're using GNU nm, then we don't want the "-C" option.
+	# -C means demangle to AIX nm, but means don't demangle with GNU nm
+	if $NM -V 2>&1 | grep 'GNU' > /dev/null; then
+	  _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM -Bpg $libobjs $convenience | awk '\''{ if (((\[$]2 == "T") || (\[$]2 == "D") || (\[$]2 == "B")) && ([substr](\[$]3,1,1) != ".")) { print \[$]3 } }'\'' | sort -u > $export_symbols'
+	else
+	  _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM -BCpg $libobjs $convenience | awk '\''{ if (((\[$]2 == "T") || (\[$]2 == "D") || (\[$]2 == "B")) && ([substr](\[$]3,1,1) != ".")) { print \[$]3 } }'\'' | sort -u > $export_symbols'
+	fi
+	aix_use_runtimelinking=no
+
+	# Test if we are trying to use run time linking or normal
+	# AIX style linking. If -brtl is somewhere in LDFLAGS, we
+	# need to do runtime linking.
+	case $host_os in aix4.[[23]]|aix4.[[23]].*|aix[[5-9]]*)
+	  for ld_flag in $LDFLAGS; do
+  	  if (test $ld_flag = "-brtl" || test $ld_flag = "-Wl,-brtl"); then
+  	    aix_use_runtimelinking=yes
+  	    break
+  	  fi
+	  done
+	  ;;
+	esac
+
+	exp_sym_flag='-bexport'
+	no_entry_flag='-bnoentry'
+      fi
+
+      # When large executables or shared objects are built, AIX ld can
+      # have problems creating the table of contents.  If linking a library
+      # or program results in "error TOC overflow" add -mminimal-toc to
+      # CXXFLAGS/CFLAGS for g++/gcc.  In the cases where that is not
+      # enough to fix the problem, add -Wl,-bbigtoc to LDFLAGS.
+
+      _LT_AC_TAGVAR(archive_cmds, $1)=''
+      _LT_AC_TAGVAR(hardcode_direct, $1)=yes
+      _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=':'
+      _LT_AC_TAGVAR(link_all_deplibs, $1)=yes
+
+      if test "$GCC" = yes; then
+	case $host_os in aix4.[[012]]|aix4.[[012]].*)
+	# We only want to do this on AIX 4.2 and lower, the check
+	# below for broken collect2 doesn't work under 4.3+
+	  collect2name=`${CC} -print-prog-name=collect2`
+	  if test -f "$collect2name" && \
+  	   strings "$collect2name" | grep resolve_lib_name >/dev/null
+	  then
+  	  # We have reworked collect2
+  	  :
+	  else
+  	  # We have old collect2
+  	  _LT_AC_TAGVAR(hardcode_direct, $1)=unsupported
+  	  # It fails to find uninstalled libraries when the uninstalled
+  	  # path is not listed in the libpath.  Setting hardcode_minus_L
+  	  # to unsupported forces relinking
+  	  _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes
+  	  _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
+  	  _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=
+	  fi
+	  ;;
+	esac
+	shared_flag='-shared'
+	if test "$aix_use_runtimelinking" = yes; then
+	  shared_flag="$shared_flag "'${wl}-G'
+	fi
+      else
+	# not using gcc
+	if test "$host_cpu" = ia64; then
+  	# VisualAge C++, Version 5.5 for AIX 5L for IA-64, Beta 3 Release
+  	# chokes on -Wl,-G. The following line is correct:
+	  shared_flag='-G'
+	else
+	  if test "$aix_use_runtimelinking" = yes; then
+	    shared_flag='${wl}-G'
+	  else
+	    shared_flag='${wl}-bM:SRE'
+	  fi
+	fi
+      fi
+
+      # It seems that -bexpall does not export symbols beginning with
+      # underscore (_), so it is better to generate a list of symbols to export.
+      _LT_AC_TAGVAR(always_export_symbols, $1)=yes
+      if test "$aix_use_runtimelinking" = yes; then
+	# Warning - without using the other runtime loading flags (-brtl),
+	# -berok will link without error, but may produce a broken library.
+	_LT_AC_TAGVAR(allow_undefined_flag, $1)='-berok'
+       # Determine the default libpath from the value encoded in an empty executable.
+       _LT_AC_SYS_LIBPATH_AIX
+       _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-blibpath:$libdir:'"$aix_libpath"
+	_LT_AC_TAGVAR(archive_expsym_cmds, $1)="\$CC"' -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then echo "${wl}${allow_undefined_flag}"; else :; fi` '"\${wl}$exp_sym_flag:\$export_symbols $shared_flag"
+       else
+	if test "$host_cpu" = ia64; then
+	  _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-R $libdir:/usr/lib:/lib'
+	  _LT_AC_TAGVAR(allow_undefined_flag, $1)="-z nodefs"
+	  _LT_AC_TAGVAR(archive_expsym_cmds, $1)="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags ${wl}${allow_undefined_flag} '"\${wl}$exp_sym_flag:\$export_symbols"
+	else
+	 # Determine the default libpath from the value encoded in an empty executable.
+	 _LT_AC_SYS_LIBPATH_AIX
+	 _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-blibpath:$libdir:'"$aix_libpath"
+	  # Warning - without using the other run time loading flags,
+	  # -berok will link without error, but may produce a broken library.
+	  _LT_AC_TAGVAR(no_undefined_flag, $1)=' ${wl}-bernotok'
+	  _LT_AC_TAGVAR(allow_undefined_flag, $1)=' ${wl}-berok'
+	  # Exported symbols can be pulled into shared objects from archives
+	  _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='$convenience'
+	  _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=yes
+	  # This is similar to how AIX traditionally builds its shared libraries.
+	  _LT_AC_TAGVAR(archive_expsym_cmds, $1)="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs ${wl}-bnoentry $compiler_flags ${wl}-bE:$export_symbols${allow_undefined_flag}~$AR $AR_FLAGS $output_objdir/$libname$release.a $output_objdir/$soname'
+	fi
+      fi
+      ;;
+
+    amigaos*)
+      _LT_AC_TAGVAR(archive_cmds, $1)='$rm $output_objdir/a2ixlibrary.data~$echo "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$echo "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$echo "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$echo "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)'
+      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
+      _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes
+      # see comment about different semantics on the GNU ld section
+      _LT_AC_TAGVAR(ld_shlibs, $1)=no
+      ;;
+
+    bsdi[[45]]*)
+      _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)=-rdynamic
+      ;;
+
+    cygwin* | mingw* | pw32*)
+      # When not using gcc, we currently assume that we are using
+      # Microsoft Visual C++.
+      # hardcode_libdir_flag_spec is actually meaningless, as there is
+      # no search path for DLLs.
+      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)=' '
+      _LT_AC_TAGVAR(allow_undefined_flag, $1)=unsupported
+      # Tell ltmain to make .lib files, not .a files.
+      libext=lib
+      # Tell ltmain to make .dll files, not .so files.
+      shrext_cmds=".dll"
+      # FIXME: Setting linknames here is a bad hack.
+      _LT_AC_TAGVAR(archive_cmds, $1)='$CC -o $lib $libobjs $compiler_flags `echo "$deplibs" | $SED -e '\''s/ -lc$//'\''` -link -dll~linknames='
+      # The linker will automatically build a .lib file if we build a DLL.
+      _LT_AC_TAGVAR(old_archive_From_new_cmds, $1)='true'
+      # FIXME: Should let the user specify the lib program.
+      _LT_AC_TAGVAR(old_archive_cmds, $1)='lib -OUT:$oldlib$oldobjs$old_deplibs'
+      _LT_AC_TAGVAR(fix_srcfile_path, $1)='`cygpath -w "$srcfile"`'
+      _LT_AC_TAGVAR(enable_shared_with_static_runtimes, $1)=yes
+      ;;
+
+    darwin* | rhapsody*)
+      case $host_os in
+        rhapsody* | darwin1.[[012]])
+         _LT_AC_TAGVAR(allow_undefined_flag, $1)='${wl}-undefined ${wl}suppress'
+         ;;
+       *) # Darwin 1.3 on
+         if test -z ${MACOSX_DEPLOYMENT_TARGET} ; then
+           _LT_AC_TAGVAR(allow_undefined_flag, $1)='${wl}-flat_namespace ${wl}-undefined ${wl}suppress'
+         else
+           case ${MACOSX_DEPLOYMENT_TARGET} in
+             10.[[012]])
+               _LT_AC_TAGVAR(allow_undefined_flag, $1)='${wl}-flat_namespace ${wl}-undefined ${wl}suppress'
+               ;;
+             10.*)
+               _LT_AC_TAGVAR(allow_undefined_flag, $1)='${wl}-undefined ${wl}dynamic_lookup'
+               ;;
+           esac
+         fi
+         ;;
+      esac
+      _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
+      _LT_AC_TAGVAR(hardcode_direct, $1)=no
+      _LT_AC_TAGVAR(hardcode_automatic, $1)=yes
+      _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=unsupported
+      _LT_AC_TAGVAR(whole_archive_flag_spec, $1)=''
+      _LT_AC_TAGVAR(link_all_deplibs, $1)=yes
+    if test "$GCC" = yes ; then
+    	output_verbose_link_cmd='echo'
+        _LT_AC_TAGVAR(archive_cmds, $1)="\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$libobjs \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring $_lt_dar_single_mod${_lt_dsymutil}"
+        _LT_AC_TAGVAR(module_cmds, $1)="\$CC \$allow_undefined_flag -o \$lib -bundle \$libobjs \$deplibs \$compiler_flags${_lt_dsymutil}"
+        _LT_AC_TAGVAR(archive_expsym_cmds, $1)="sed 's,^,_,' < \$export_symbols > \$output_objdir/\${libname}-symbols.expsym~\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$libobjs \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring ${_lt_dar_single_mod}${_lt_dar_export_syms}${_lt_dsymutil}"
+        _LT_AC_TAGVAR(module_expsym_cmds, $1)="sed -e 's,^,_,' < \$export_symbols > \$output_objdir/\${libname}-symbols.expsym~\$CC \$allow_undefined_flag -o \$lib -bundle \$libobjs \$deplibs \$compiler_flags${_lt_dar_export_syms}${_lt_dsymutil}"
+    else
+      case $cc_basename in
+        xlc*)
+         output_verbose_link_cmd='echo'
+         _LT_AC_TAGVAR(archive_cmds, $1)='$CC -qmkshrobj $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}`echo $rpath/$soname` $xlcverstring'
+         _LT_AC_TAGVAR(module_cmds, $1)='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
+          # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin lds
+         _LT_AC_TAGVAR(archive_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -qmkshrobj $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}$rpath/$soname $xlcverstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+          _LT_AC_TAGVAR(module_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag  -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+          ;;
+       *)
+         _LT_AC_TAGVAR(ld_shlibs, $1)=no
+          ;;
+      esac
+    fi
+      ;;
+
+    dgux*)
+      _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
+      _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+      ;;
+
+    freebsd1*)
+      _LT_AC_TAGVAR(ld_shlibs, $1)=no
+      ;;
+
+    # FreeBSD 2.2.[012] allows us to include c++rt0.o to get C++ constructor
+    # support.  Future versions do this automatically, but an explicit c++rt0.o
+    # does not break anything, and helps significantly (at the cost of a little
+    # extra space).
+    freebsd2.2*)
+      _LT_AC_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags /usr/lib/c++rt0.o'
+      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
+      _LT_AC_TAGVAR(hardcode_direct, $1)=yes
+      _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+      ;;
+
+    # Unfortunately, older versions of FreeBSD 2 do not have this feature.
+    freebsd2*)
+      _LT_AC_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'
+      _LT_AC_TAGVAR(hardcode_direct, $1)=yes
+      _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes
+      _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+      ;;
+
+    # FreeBSD 3 and greater uses gcc -shared to do shared libraries.
+    freebsd* | dragonfly*)
+      _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -o $lib $libobjs $deplibs $compiler_flags'
+      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
+      _LT_AC_TAGVAR(hardcode_direct, $1)=yes
+      _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+      ;;
+
+    hpux9*)
+      if test "$GCC" = yes; then
+	_LT_AC_TAGVAR(archive_cmds, $1)='$rm $output_objdir/$soname~$CC -shared -fPIC ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $libobjs $deplibs $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
+      else
+	_LT_AC_TAGVAR(archive_cmds, $1)='$rm $output_objdir/$soname~$LD -b +b $install_libdir -o $output_objdir/$soname $libobjs $deplibs $linker_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
+      fi
+      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir'
+      _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
+      _LT_AC_TAGVAR(hardcode_direct, $1)=yes
+
+      # hardcode_minus_L: Not really in the search PATH,
+      # but as the default location of the library.
+      _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes
+      _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
+      ;;
+
+    hpux10*)
+      if test "$GCC" = yes -a "$with_gnu_ld" = no; then
+	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
+      else
+	_LT_AC_TAGVAR(archive_cmds, $1)='$LD -b +h $soname +b $install_libdir -o $lib $libobjs $deplibs $linker_flags'
+      fi
+      if test "$with_gnu_ld" = no; then
+	_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir'
+	_LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
+
+	_LT_AC_TAGVAR(hardcode_direct, $1)=yes
+	_LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
+
+	# hardcode_minus_L: Not really in the search PATH,
+	# but as the default location of the library.
+	_LT_AC_TAGVAR(hardcode_minus_L, $1)=yes
+      fi
+      ;;
+
+    hpux11*)
+      if test "$GCC" = yes -a "$with_gnu_ld" = no; then
+	case $host_cpu in
+	hppa*64*)
+	  _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}+h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
+	  ;;
+	ia64*)
+	  _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags'
+	  ;;
+	*)
+	  _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
+	  ;;
+	esac
+      else
+	case $host_cpu in
+	hppa*64*)
+	  _LT_AC_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
+	  ;;
+	ia64*)
+	  _LT_AC_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags'
+	  ;;
+	*)
+	  _LT_AC_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
+	  ;;
+	esac
+      fi
+      if test "$with_gnu_ld" = no; then
+	_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir'
+	_LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
+
+	case $host_cpu in
+	hppa*64*|ia64*)
+	  _LT_AC_TAGVAR(hardcode_libdir_flag_spec_ld, $1)='+b $libdir'
+	  _LT_AC_TAGVAR(hardcode_direct, $1)=no
+	  _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+	  ;;
+	*)
+	  _LT_AC_TAGVAR(hardcode_direct, $1)=yes
+	  _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
+
+	  # hardcode_minus_L: Not really in the search PATH,
+	  # but as the default location of the library.
+	  _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes
+	  ;;
+	esac
+      fi
+      ;;
+
+    irix5* | irix6* | nonstopux*)
+      if test "$GCC" = yes; then
+	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+      else
+	_LT_AC_TAGVAR(archive_cmds, $1)='$LD -shared $libobjs $deplibs $linker_flags -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
+	_LT_AC_TAGVAR(hardcode_libdir_flag_spec_ld, $1)='-rpath $libdir'
+      fi
+      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
+      _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
+      _LT_AC_TAGVAR(link_all_deplibs, $1)=yes
+      ;;
+
+    netbsd* | netbsdelf*-gnu)
+      if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
+	_LT_AC_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'  # a.out
+      else
+	_LT_AC_TAGVAR(archive_cmds, $1)='$LD -shared -o $lib $libobjs $deplibs $linker_flags'      # ELF
+      fi
+      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
+      _LT_AC_TAGVAR(hardcode_direct, $1)=yes
+      _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+      ;;
+
+    newsos6)
+      _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+      _LT_AC_TAGVAR(hardcode_direct, $1)=yes
+      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
+      _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
+      _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+      ;;
+
+    openbsd*)
+      if test -f /usr/libexec/ld.so; then
+	_LT_AC_TAGVAR(hardcode_direct, $1)=yes
+	_LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+	if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
+	  _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
+	  _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-retain-symbols-file,$export_symbols'
+	  _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
+	  _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
+	else
+	  case $host_os in
+	   openbsd[[01]].* | openbsd2.[[0-7]] | openbsd2.[[0-7]].*)
+	     _LT_AC_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'
+	     _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
+	     ;;
+	   *)
+	     _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
+	     _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
+	     ;;
+	  esac
+        fi
+      else
+	_LT_AC_TAGVAR(ld_shlibs, $1)=no
+      fi
+      ;;
+
+    os2*)
+      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
+      _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes
+      _LT_AC_TAGVAR(allow_undefined_flag, $1)=unsupported
+      _LT_AC_TAGVAR(archive_cmds, $1)='$echo "LIBRARY $libname INITINSTANCE" > $output_objdir/$libname.def~$echo "DESCRIPTION \"$libname\"" >> $output_objdir/$libname.def~$echo DATA >> $output_objdir/$libname.def~$echo " SINGLE NONSHARED" >> $output_objdir/$libname.def~$echo EXPORTS >> $output_objdir/$libname.def~emxexp $libobjs >> $output_objdir/$libname.def~$CC -Zdll -Zcrtdll -o $lib $libobjs $deplibs $compiler_flags $output_objdir/$libname.def'
+      _LT_AC_TAGVAR(old_archive_From_new_cmds, $1)='emximp -o $output_objdir/$libname.a $output_objdir/$libname.def'
+      ;;
+
+    osf3*)
+      if test "$GCC" = yes; then
+	_LT_AC_TAGVAR(allow_undefined_flag, $1)=' ${wl}-expect_unresolved ${wl}\*'
+	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+      else
+	_LT_AC_TAGVAR(allow_undefined_flag, $1)=' -expect_unresolved \*'
+	_LT_AC_TAGVAR(archive_cmds, $1)='$LD -shared${allow_undefined_flag} $libobjs $deplibs $linker_flags -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
+      fi
+      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
+      _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
+      ;;
+
+    osf4* | osf5*)	# as osf3* with the addition of -msym flag
+      if test "$GCC" = yes; then
+	_LT_AC_TAGVAR(allow_undefined_flag, $1)=' ${wl}-expect_unresolved ${wl}\*'
+	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-msym ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+	_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
+      else
+	_LT_AC_TAGVAR(allow_undefined_flag, $1)=' -expect_unresolved \*'
+	_LT_AC_TAGVAR(archive_cmds, $1)='$LD -shared${allow_undefined_flag} $libobjs $deplibs $linker_flags -msym -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
+	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='for i in `cat $export_symbols`; do printf "%s %s\\n" -exported_symbol "\$i" >> $lib.exp; done; echo "-hidden">> $lib.exp~
+	$LD -shared${allow_undefined_flag} -input $lib.exp $linker_flags $libobjs $deplibs -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib~$rm $lib.exp'
+
+	# Both c and cxx compiler support -rpath directly
+	_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-rpath $libdir'
+      fi
+      _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
+      ;;
+
+    solaris*)
+      _LT_AC_TAGVAR(no_undefined_flag, $1)=' -z text'
+      if test "$GCC" = yes; then
+	wlarc='${wl}'
+	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
+	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
+	  $CC -shared ${wl}-M ${wl}$lib.exp ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags~$rm $lib.exp'
+      else
+	wlarc=''
+	_LT_AC_TAGVAR(archive_cmds, $1)='$LD -G${allow_undefined_flag} -h $soname -o $lib $libobjs $deplibs $linker_flags'
+	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
+  	$LD -G${allow_undefined_flag} -M $lib.exp -h $soname -o $lib $libobjs $deplibs $linker_flags~$rm $lib.exp'
+      fi
+      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
+      _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+      case $host_os in
+      solaris2.[[0-5]] | solaris2.[[0-5]].*) ;;
+      *)
+	# The compiler driver will combine and reorder linker options,
+	# but understands `-z linker_flag'.  GCC discards it without `$wl',
+	# but is careful enough not to reorder.
+ 	# Supported since Solaris 2.6 (maybe 2.5.1?)
+	if test "$GCC" = yes; then
+	  _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='${wl}-z ${wl}allextract$convenience ${wl}-z ${wl}defaultextract'
+	else
+	  _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='-z allextract$convenience -z defaultextract'
+	fi
+	;;
+      esac
+      _LT_AC_TAGVAR(link_all_deplibs, $1)=yes
+      ;;
+
+    sunos4*)
+      if test "x$host_vendor" = xsequent; then
+	# Use $CC to link under sequent, because it throws in some extra .o
+	# files that make .init and .fini sections work.
+	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -G ${wl}-h $soname -o $lib $libobjs $deplibs $compiler_flags'
+      else
+	_LT_AC_TAGVAR(archive_cmds, $1)='$LD -assert pure-text -Bstatic -o $lib $libobjs $deplibs $linker_flags'
+      fi
+      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
+      _LT_AC_TAGVAR(hardcode_direct, $1)=yes
+      _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes
+      _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+      ;;
+
+    sysv4)
+      case $host_vendor in
+	sni)
+	  _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+	  _LT_AC_TAGVAR(hardcode_direct, $1)=yes # is this really true???
+	;;
+	siemens)
+	  ## LD is ld it makes a PLAMLIB
+	  ## CC just makes a GrossModule.
+	  _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G -o $lib $libobjs $deplibs $linker_flags'
+	  _LT_AC_TAGVAR(reload_cmds, $1)='$CC -r -o $output$reload_objs'
+	  _LT_AC_TAGVAR(hardcode_direct, $1)=no
+        ;;
+	motorola)
+	  _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+	  _LT_AC_TAGVAR(hardcode_direct, $1)=no #Motorola manual says yes, but my tests say they lie
+	;;
+      esac
+      runpath_var='LD_RUN_PATH'
+      _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+      ;;
+
+    sysv4.3*)
+      _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+      _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+      _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='-Bexport'
+      ;;
+
+    sysv4*MP*)
+      if test -d /usr/nec; then
+	_LT_AC_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+	_LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+	runpath_var=LD_RUN_PATH
+	hardcode_runpath_var=yes
+	_LT_AC_TAGVAR(ld_shlibs, $1)=yes
+      fi
+      ;;
+
+    sysv4*uw2* | sysv5OpenUNIX* | sysv5UnixWare7.[[01]].[[10]]* | unixware7* | sco3.2v5.0.[[024]]*)
+      _LT_AC_TAGVAR(no_undefined_flag, $1)='${wl}-z,text'
+      _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
+      _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+      runpath_var='LD_RUN_PATH'
+
+      if test "$GCC" = yes; then
+	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+      else
+	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -G ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+      fi
+      ;;
+
+    sysv5* | sco3.2v5* | sco5v6*)
+      # Note: We can NOT use -z defs as we might desire, because we do not
+      # link with -lc, and that would cause any symbols used from libc to
+      # always be unresolved, which means just about no library would
+      # ever link correctly.  If we're not using GNU ld we use -z text
+      # though, which does catch some bad symbols but isn't as heavy-handed
+      # as -z defs.
+      _LT_AC_TAGVAR(no_undefined_flag, $1)='${wl}-z,text'
+      _LT_AC_TAGVAR(allow_undefined_flag, $1)='${wl}-z,nodefs'
+      _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
+      _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='`test -z "$SCOABSPATH" && echo ${wl}-R,$libdir`'
+      _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=':'
+      _LT_AC_TAGVAR(link_all_deplibs, $1)=yes
+      _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-Bexport'
+      runpath_var='LD_RUN_PATH'
+
+      if test "$GCC" = yes; then
+	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
+	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
+      else
+	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -G ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
+	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
+      fi
+      ;;
+
+    uts4*)
+      _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
+      _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+      ;;
+
+    *)
+      _LT_AC_TAGVAR(ld_shlibs, $1)=no
+      ;;
+    esac
+  fi
+])
+AC_MSG_RESULT([$_LT_AC_TAGVAR(ld_shlibs, $1)])
+test "$_LT_AC_TAGVAR(ld_shlibs, $1)" = no && can_build_shared=no
+
+#
+# Do we need to explicitly link libc?
+#
+case "x$_LT_AC_TAGVAR(archive_cmds_need_lc, $1)" in
+x|xyes)
+  # Assume -lc should be added
+  _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=yes
+
+  if test "$enable_shared" = yes && test "$GCC" = yes; then
+    case $_LT_AC_TAGVAR(archive_cmds, $1) in
+    *'~'*)
+      # FIXME: we may have to deal with multi-command sequences.
+      ;;
+    '$CC '*)
+      # Test whether the compiler implicitly links with -lc since on some
+      # systems, -lgcc has to come before -lc. If gcc already passes -lc
+      # to ld, don't add -lc before -lgcc.
+      AC_MSG_CHECKING([whether -lc should be explicitly linked in])
+      $rm conftest*
+      echo "$lt_simple_compile_test_code" > conftest.$ac_ext
+
+      if AC_TRY_EVAL(ac_compile) 2>conftest.err; then
+        soname=conftest
+        lib=conftest
+        libobjs=conftest.$ac_objext
+        deplibs=
+        wl=$_LT_AC_TAGVAR(lt_prog_compiler_wl, $1)
+	pic_flag=$_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)
+        compiler_flags=-v
+        linker_flags=-v
+        verstring=
+        output_objdir=.
+        libname=conftest
+        lt_save_allow_undefined_flag=$_LT_AC_TAGVAR(allow_undefined_flag, $1)
+        _LT_AC_TAGVAR(allow_undefined_flag, $1)=
+        if AC_TRY_EVAL(_LT_AC_TAGVAR(archive_cmds, $1) 2\>\&1 \| grep \" -lc \" \>/dev/null 2\>\&1)
+        then
+	  _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
+        else
+	  _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=yes
+        fi
+        _LT_AC_TAGVAR(allow_undefined_flag, $1)=$lt_save_allow_undefined_flag
+      else
+        cat conftest.err 1>&5
+      fi
+      $rm conftest*
+      AC_MSG_RESULT([$_LT_AC_TAGVAR(archive_cmds_need_lc, $1)])
+      ;;
+    esac
+  fi
+  ;;
+esac
+])# AC_LIBTOOL_PROG_LD_SHLIBS
+
+
+# _LT_AC_FILE_LTDLL_C
+# -------------------
+# Be careful that the start marker always follows a newline.
+AC_DEFUN([_LT_AC_FILE_LTDLL_C], [
+# /* ltdll.c starts here */
+# #define WIN32_LEAN_AND_MEAN
+# #include <windows.h>
+# #undef WIN32_LEAN_AND_MEAN
+# #include <stdio.h>
+#
+# #ifndef __CYGWIN__
+# #  ifdef __CYGWIN32__
+# #    define __CYGWIN__ __CYGWIN32__
+# #  endif
+# #endif
+#
+# #ifdef __cplusplus
+# extern "C" {
+# #endif
+# BOOL APIENTRY DllMain (HINSTANCE hInst, DWORD reason, LPVOID reserved);
+# #ifdef __cplusplus
+# }
+# #endif
+#
+# #ifdef __CYGWIN__
+# #include <cygwin/cygwin_dll.h>
+# DECLARE_CYGWIN_DLL( DllMain );
+# #endif
+# HINSTANCE __hDllInstance_base;
+#
+# BOOL APIENTRY
+# DllMain (HINSTANCE hInst, DWORD reason, LPVOID reserved)
+# {
+#   __hDllInstance_base = hInst;
+#   return TRUE;
+# }
+# /* ltdll.c ends here */
+])# _LT_AC_FILE_LTDLL_C
+
+
+# _LT_AC_TAGVAR(VARNAME, [TAGNAME])
+# ---------------------------------
+AC_DEFUN([_LT_AC_TAGVAR], [ifelse([$2], [], [$1], [$1_$2])])
+
+
+# old names
+AC_DEFUN([AM_PROG_LIBTOOL],   [AC_PROG_LIBTOOL])
+AC_DEFUN([AM_ENABLE_SHARED],  [AC_ENABLE_SHARED($@)])
+AC_DEFUN([AM_ENABLE_STATIC],  [AC_ENABLE_STATIC($@)])
+AC_DEFUN([AM_DISABLE_SHARED], [AC_DISABLE_SHARED($@)])
+AC_DEFUN([AM_DISABLE_STATIC], [AC_DISABLE_STATIC($@)])
+AC_DEFUN([AM_PROG_LD],        [AC_PROG_LD])
+AC_DEFUN([AM_PROG_NM],        [AC_PROG_NM])
+
+# This is just to silence aclocal about the macro not being used
+ifelse([AC_DISABLE_FAST_INSTALL])
+
+AC_DEFUN([LT_AC_PROG_GCJ],
+[AC_CHECK_TOOL(GCJ, gcj, no)
+  test "x${GCJFLAGS+set}" = xset || GCJFLAGS="-g -O2"
+  AC_SUBST(GCJFLAGS)
+])
+
+AC_DEFUN([LT_AC_PROG_RC],
+[AC_CHECK_TOOL(RC, windres, no)
+])
+
+
+# Cheap backport of AS_EXECUTABLE_P and required macros
+# from Autoconf 2.59; we should not use $as_executable_p directly.
+
+# _AS_TEST_PREPARE
+# ----------------
+m4_ifndef([_AS_TEST_PREPARE],
+[m4_defun([_AS_TEST_PREPARE],
+[if test -x / >/dev/null 2>&1; then
+  as_executable_p='test -x'
+else
+  as_executable_p='test -f'
+fi
+])])# _AS_TEST_PREPARE
+
+# AS_EXECUTABLE_P
+# ---------------
+# Check whether a file is executable.
+m4_ifndef([AS_EXECUTABLE_P],
+[m4_defun([AS_EXECUTABLE_P],
+[AS_REQUIRE([_AS_TEST_PREPARE])dnl
+$as_executable_p $1[]dnl
+])])# AS_EXECUTABLE_P
+
+# NOTE: This macro has been submitted for inclusion into   #
+#  GNU Autoconf as AC_PROG_SED.  When it is available in   #
+#  a released version of Autoconf we should remove this    #
+#  macro and use it instead.                               #
+# LT_AC_PROG_SED
+# --------------
+# Check for a fully-functional sed program, that truncates
+# as few characters as possible.  Prefer GNU sed if found.
+AC_DEFUN([LT_AC_PROG_SED],
+[AC_MSG_CHECKING([for a sed that does not truncate output])
+AC_CACHE_VAL(lt_cv_path_SED,
+[# Loop through the user's path and test for sed and gsed.
+# Then use that list of sed's as ones to test for truncation.
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+  for lt_ac_prog in sed gsed; do
+    for ac_exec_ext in '' $ac_executable_extensions; do
+      if AS_EXECUTABLE_P(["$as_dir/$lt_ac_prog$ac_exec_ext"]); then
+        lt_ac_sed_list="$lt_ac_sed_list $as_dir/$lt_ac_prog$ac_exec_ext"
+      fi
+    done
+  done
+done
+IFS=$as_save_IFS
+lt_ac_max=0
+lt_ac_count=0
+# Add /usr/xpg4/bin/sed as it is typically found on Solaris
+# along with /bin/sed that truncates output.
+for lt_ac_sed in $lt_ac_sed_list /usr/xpg4/bin/sed; do
+  test ! -f $lt_ac_sed && continue
+  cat /dev/null > conftest.in
+  lt_ac_count=0
+  echo $ECHO_N "0123456789$ECHO_C" >conftest.in
+  # Check for GNU sed and select it if it is found.
+  if "$lt_ac_sed" --version 2>&1 < /dev/null | grep 'GNU' > /dev/null; then
+    lt_cv_path_SED=$lt_ac_sed
+    break
+  fi
+  while true; do
+    cat conftest.in conftest.in >conftest.tmp
+    mv conftest.tmp conftest.in
+    cp conftest.in conftest.nl
+    echo >>conftest.nl
+    $lt_ac_sed -e 's/a$//' < conftest.nl >conftest.out || break
+    cmp -s conftest.out conftest.nl || break
+    # 10000 chars as input seems more than enough
+    test $lt_ac_count -gt 10 && break
+    lt_ac_count=`expr $lt_ac_count + 1`
+    if test $lt_ac_count -gt $lt_ac_max; then
+      lt_ac_max=$lt_ac_count
+      lt_cv_path_SED=$lt_ac_sed
+    fi
+  done
+done
+])
+SED=$lt_cv_path_SED
+AC_SUBST([SED])
+AC_MSG_RESULT([$SED])
+])
+
+# pkg.m4 - Macros to locate and utilise pkg-config.            -*- Autoconf -*-
+# 
+# Copyright © 2004 Scott James Remnant <scott@netsplit.com>.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+#
+# As a special exception to the GNU General Public License, if you
+# distribute this file as part of a program that contains a
+# configuration script generated by Autoconf, you may include it under
+# the same distribution terms that you use for the rest of that program.
+
+# PKG_PROG_PKG_CONFIG([MIN-VERSION])
+# ----------------------------------
+AC_DEFUN([PKG_PROG_PKG_CONFIG],
+[m4_pattern_forbid([^_?PKG_[A-Z_]+$])
+m4_pattern_allow([^PKG_CONFIG(_PATH)?$])
+AC_ARG_VAR([PKG_CONFIG], [path to pkg-config utility])dnl
+if test "x$ac_cv_env_PKG_CONFIG_set" != "xset"; then
+	AC_PATH_TOOL([PKG_CONFIG], [pkg-config])
+fi
+if test -n "$PKG_CONFIG"; then
+	_pkg_min_version=m4_default([$1], [0.9.0])
+	AC_MSG_CHECKING([pkg-config is at least version $_pkg_min_version])
+	if $PKG_CONFIG --atleast-pkgconfig-version $_pkg_min_version; then
+		AC_MSG_RESULT([yes])
+	else
+		AC_MSG_RESULT([no])
+		PKG_CONFIG=""
+	fi
+		
+fi[]dnl
+])# PKG_PROG_PKG_CONFIG
+
+# PKG_CHECK_EXISTS(MODULES, [ACTION-IF-FOUND], [ACTION-IF-NOT-FOUND])
+#
+# Check to see whether a particular set of modules exists.  Similar
+# to PKG_CHECK_MODULES(), but does not set variables or print errors.
+#
+#
+# Similar to PKG_CHECK_MODULES, make sure that the first instance of
+# this or PKG_CHECK_MODULES is called, or make sure to call
+# PKG_CHECK_EXISTS manually
+# --------------------------------------------------------------
+AC_DEFUN([PKG_CHECK_EXISTS],
+[AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl
+if test -n "$PKG_CONFIG" && \
+    AC_RUN_LOG([$PKG_CONFIG --exists --print-errors "$1"]); then
+  m4_ifval([$2], [$2], [:])
+m4_ifvaln([$3], [else
+  $3])dnl
+fi])
+
+
+# _PKG_CONFIG([VARIABLE], [COMMAND], [MODULES])
+# ---------------------------------------------
+m4_define([_PKG_CONFIG],
+[if test -n "$PKG_CONFIG"; then
+    if test -n "$$1"; then
+        pkg_cv_[]$1="$$1"
+    else
+        PKG_CHECK_EXISTS([$3],
+                         [pkg_cv_[]$1=`$PKG_CONFIG --[]$2 "$3" 2>/dev/null`],
+			 [pkg_failed=yes])
+    fi
+else
+	pkg_failed=untried
+fi[]dnl
+])# _PKG_CONFIG
+
+# _PKG_SHORT_ERRORS_SUPPORTED
+# -----------------------------
+AC_DEFUN([_PKG_SHORT_ERRORS_SUPPORTED],
+[AC_REQUIRE([PKG_PROG_PKG_CONFIG])
+if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
+        _pkg_short_errors_supported=yes
+else
+        _pkg_short_errors_supported=no
+fi[]dnl
+])# _PKG_SHORT_ERRORS_SUPPORTED
+
+
+# PKG_CHECK_MODULES(VARIABLE-PREFIX, MODULES, [ACTION-IF-FOUND],
+# [ACTION-IF-NOT-FOUND])
+#
+#
+# Note that if there is a possibility the first call to
+# PKG_CHECK_MODULES might not happen, you should be sure to include an
+# explicit call to PKG_PROG_PKG_CONFIG in your configure.ac
+#
+#
+# --------------------------------------------------------------
+AC_DEFUN([PKG_CHECK_MODULES],
+[AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl
+AC_ARG_VAR([$1][_CFLAGS], [C compiler flags for $1, overriding pkg-config])dnl
+AC_ARG_VAR([$1][_LIBS], [linker flags for $1, overriding pkg-config])dnl
+
+pkg_failed=no
+AC_MSG_CHECKING([for $1])
+
+_PKG_CONFIG([$1][_CFLAGS], [cflags], [$2])
+_PKG_CONFIG([$1][_LIBS], [libs], [$2])
+
+m4_define([_PKG_TEXT], [Alternatively, you may set the environment variables $1[]_CFLAGS
+and $1[]_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details.])
+
+if test $pkg_failed = yes; then
+        _PKG_SHORT_ERRORS_SUPPORTED
+        if test $_pkg_short_errors_supported = yes; then
+	        $1[]_PKG_ERRORS=`$PKG_CONFIG --short-errors --errors-to-stdout --print-errors "$2"`
+        else 
+	        $1[]_PKG_ERRORS=`$PKG_CONFIG --errors-to-stdout --print-errors "$2"`
+        fi
+	# Put the nasty error message in config.log where it belongs
+	echo "$$1[]_PKG_ERRORS" >&AS_MESSAGE_LOG_FD
+
+	ifelse([$4], , [AC_MSG_ERROR(dnl
+[Package requirements ($2) were not met:
+
+$$1_PKG_ERRORS
+
+Consider adjusting the PKG_CONFIG_PATH environment variable if you
+installed software in a non-standard prefix.
+
+_PKG_TEXT
+])],
+		[AC_MSG_RESULT([no])
+                $4])
+elif test $pkg_failed = untried; then
+	ifelse([$4], , [AC_MSG_FAILURE(dnl
+[The pkg-config script could not be found or is too old.  Make sure it
+is in your PATH or set the PKG_CONFIG environment variable to the full
+path to pkg-config.
+
+_PKG_TEXT
+
+To get pkg-config, see <http://pkg-config.freedesktop.org/>.])],
+		[$4])
+else
+	$1[]_CFLAGS=$pkg_cv_[]$1[]_CFLAGS
+	$1[]_LIBS=$pkg_cv_[]$1[]_LIBS
+        AC_MSG_RESULT([yes])
+	ifelse([$3], , :, [$3])
+fi[]dnl
+])# PKG_CHECK_MODULES
+
+# Copyright (C) 2002, 2003, 2005, 2006, 2007  Free Software Foundation, Inc.
+#
+# This file is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# AM_AUTOMAKE_VERSION(VERSION)
+# ----------------------------
+# Automake X.Y traces this macro to ensure aclocal.m4 has been
+# generated from the m4 files accompanying Automake X.Y.
+# (This private macro should not be called outside this file.)
+AC_DEFUN([AM_AUTOMAKE_VERSION],
+[am__api_version='1.10'
+dnl Some users find AM_AUTOMAKE_VERSION and mistake it for a way to
+dnl require some minimum version.  Point them to the right macro.
+m4_if([$1], [1.10.1], [],
+      [AC_FATAL([Do not call $0, use AM_INIT_AUTOMAKE([$1]).])])dnl
+])
+
+# _AM_AUTOCONF_VERSION(VERSION)
+# -----------------------------
+# aclocal traces this macro to find the Autoconf version.
+# This is a private macro too.  Using m4_define simplifies
+# the logic in aclocal, which can simply ignore this definition.
+m4_define([_AM_AUTOCONF_VERSION], [])
+
+# AM_SET_CURRENT_AUTOMAKE_VERSION
+# -------------------------------
+# Call AM_AUTOMAKE_VERSION and AM_AUTOMAKE_VERSION so they can be traced.
+# This function is AC_REQUIREd by AC_INIT_AUTOMAKE.
+AC_DEFUN([AM_SET_CURRENT_AUTOMAKE_VERSION],
+[AM_AUTOMAKE_VERSION([1.10.1])dnl
+m4_ifndef([AC_AUTOCONF_VERSION],
+  [m4_copy([m4_PACKAGE_VERSION], [AC_AUTOCONF_VERSION])])dnl
+_AM_AUTOCONF_VERSION(AC_AUTOCONF_VERSION)])
+
+# AM_AUX_DIR_EXPAND                                         -*- Autoconf -*-
+
+# Copyright (C) 2001, 2003, 2005  Free Software Foundation, Inc.
+#
+# This file is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# For projects using AC_CONFIG_AUX_DIR([foo]), Autoconf sets
+# $ac_aux_dir to `$srcdir/foo'.  In other projects, it is set to
+# `$srcdir', `$srcdir/..', or `$srcdir/../..'.
+#
+# Of course, Automake must honor this variable whenever it calls a
+# tool from the auxiliary directory.  The problem is that $srcdir (and
+# therefore $ac_aux_dir as well) can be either absolute or relative,
+# depending on how configure is run.  This is pretty annoying, since
+# it makes $ac_aux_dir quite unusable in subdirectories: in the top
+# source directory, any form will work fine, but in subdirectories a
+# relative path needs to be adjusted first.
+#
+# $ac_aux_dir/missing
+#    fails when called from a subdirectory if $ac_aux_dir is relative
+# $top_srcdir/$ac_aux_dir/missing
+#    fails if $ac_aux_dir is absolute,
+#    fails when called from a subdirectory in a VPATH build with
+#          a relative $ac_aux_dir
+#
+# The reason of the latter failure is that $top_srcdir and $ac_aux_dir
+# are both prefixed by $srcdir.  In an in-source build this is usually
+# harmless because $srcdir is `.', but things will broke when you
+# start a VPATH build or use an absolute $srcdir.
+#
+# So we could use something similar to $top_srcdir/$ac_aux_dir/missing,
+# iff we strip the leading $srcdir from $ac_aux_dir.  That would be:
+#   am_aux_dir='\$(top_srcdir)/'`expr "$ac_aux_dir" : "$srcdir//*\(.*\)"`
+# and then we would define $MISSING as
+#   MISSING="\${SHELL} $am_aux_dir/missing"
+# This will work as long as MISSING is not called from configure, because
+# unfortunately $(top_srcdir) has no meaning in configure.
+# However there are other variables, like CC, which are often used in
+# configure, and could therefore not use this "fixed" $ac_aux_dir.
+#
+# Another solution, used here, is to always expand $ac_aux_dir to an
+# absolute PATH.  The drawback is that using absolute paths prevent a
+# configured tree to be moved without reconfiguration.
+
+AC_DEFUN([AM_AUX_DIR_EXPAND],
+[dnl Rely on autoconf to set up CDPATH properly.
+AC_PREREQ([2.50])dnl
+# expand $ac_aux_dir to an absolute path
+am_aux_dir=`cd $ac_aux_dir && pwd`
+])
+
+# AM_CONDITIONAL                                            -*- Autoconf -*-
+
+# Copyright (C) 1997, 2000, 2001, 2003, 2004, 2005, 2006
+# Free Software Foundation, Inc.
+#
+# This file is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# serial 8
+
+# AM_CONDITIONAL(NAME, SHELL-CONDITION)
+# -------------------------------------
+# Define a conditional.
+AC_DEFUN([AM_CONDITIONAL],
+[AC_PREREQ(2.52)dnl
+ ifelse([$1], [TRUE],  [AC_FATAL([$0: invalid condition: $1])],
+	[$1], [FALSE], [AC_FATAL([$0: invalid condition: $1])])dnl
+AC_SUBST([$1_TRUE])dnl
+AC_SUBST([$1_FALSE])dnl
+_AM_SUBST_NOTMAKE([$1_TRUE])dnl
+_AM_SUBST_NOTMAKE([$1_FALSE])dnl
+if $2; then
+  $1_TRUE=
+  $1_FALSE='#'
+else
+  $1_TRUE='#'
+  $1_FALSE=
+fi
+AC_CONFIG_COMMANDS_PRE(
+[if test -z "${$1_TRUE}" && test -z "${$1_FALSE}"; then
+  AC_MSG_ERROR([[conditional "$1" was never defined.
+Usually this means the macro was only invoked conditionally.]])
+fi])])
+
+# Copyright (C) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006
+# Free Software Foundation, Inc.
+#
+# This file is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# serial 9
+
+# There are a few dirty hacks below to avoid letting `AC_PROG_CC' be
+# written in clear, in which case automake, when reading aclocal.m4,
+# will think it sees a *use*, and therefore will trigger all it's
+# C support machinery.  Also note that it means that autoscan, seeing
+# CC etc. in the Makefile, will ask for an AC_PROG_CC use...
+
+
+# _AM_DEPENDENCIES(NAME)
+# ----------------------
+# See how the compiler implements dependency checking.
+# NAME is "CC", "CXX", "GCJ", or "OBJC".
+# We try a few techniques and use that to set a single cache variable.
+#
+# We don't AC_REQUIRE the corresponding AC_PROG_CC since the latter was
+# modified to invoke _AM_DEPENDENCIES(CC); we would have a circular
+# dependency, and given that the user is not expected to run this macro,
+# just rely on AC_PROG_CC.
+AC_DEFUN([_AM_DEPENDENCIES],
+[AC_REQUIRE([AM_SET_DEPDIR])dnl
+AC_REQUIRE([AM_OUTPUT_DEPENDENCY_COMMANDS])dnl
+AC_REQUIRE([AM_MAKE_INCLUDE])dnl
+AC_REQUIRE([AM_DEP_TRACK])dnl
+
+ifelse([$1], CC,   [depcc="$CC"   am_compiler_list=],
+       [$1], CXX,  [depcc="$CXX"  am_compiler_list=],
+       [$1], OBJC, [depcc="$OBJC" am_compiler_list='gcc3 gcc'],
+       [$1], UPC,  [depcc="$UPC"  am_compiler_list=],
+       [$1], GCJ,  [depcc="$GCJ"  am_compiler_list='gcc3 gcc'],
+                   [depcc="$$1"   am_compiler_list=])
+
+AC_CACHE_CHECK([dependency style of $depcc],
+               [am_cv_$1_dependencies_compiler_type],
+[if test -z "$AMDEP_TRUE" && test -f "$am_depcomp"; then
+  # We make a subdir and do the tests there.  Otherwise we can end up
+  # making bogus files that we don't know about and never remove.  For
+  # instance it was reported that on HP-UX the gcc test will end up
+  # making a dummy file named `D' -- because `-MD' means `put the output
+  # in D'.
+  mkdir conftest.dir
+  # Copy depcomp to subdir because otherwise we won't find it if we're
+  # using a relative directory.
+  cp "$am_depcomp" conftest.dir
+  cd conftest.dir
+  # We will build objects and dependencies in a subdirectory because
+  # it helps to detect inapplicable dependency modes.  For instance
+  # both Tru64's cc and ICC support -MD to output dependencies as a
+  # side effect of compilation, but ICC will put the dependencies in
+  # the current directory while Tru64 will put them in the object
+  # directory.
+  mkdir sub
+
+  am_cv_$1_dependencies_compiler_type=none
+  if test "$am_compiler_list" = ""; then
+     am_compiler_list=`sed -n ['s/^#*\([a-zA-Z0-9]*\))$/\1/p'] < ./depcomp`
+  fi
+  for depmode in $am_compiler_list; do
+    # Setup a source with many dependencies, because some compilers
+    # like to wrap large dependency lists on column 80 (with \), and
+    # we should not choose a depcomp mode which is confused by this.
+    #
+    # We need to recreate these files for each test, as the compiler may
+    # overwrite some of them when testing with obscure command lines.
+    # This happens at least with the AIX C compiler.
+    : > sub/conftest.c
+    for i in 1 2 3 4 5 6; do
+      echo '#include "conftst'$i'.h"' >> sub/conftest.c
+      # Using `: > sub/conftst$i.h' creates only sub/conftst1.h with
+      # Solaris 8's {/usr,}/bin/sh.
+      touch sub/conftst$i.h
+    done
+    echo "${am__include} ${am__quote}sub/conftest.Po${am__quote}" > confmf
+
+    case $depmode in
+    nosideeffect)
+      # after this tag, mechanisms are not by side-effect, so they'll
+      # only be used when explicitly requested
+      if test "x$enable_dependency_tracking" = xyes; then
+	continue
+      else
+	break
+      fi
+      ;;
+    none) break ;;
+    esac
+    # We check with `-c' and `-o' for the sake of the "dashmstdout"
+    # mode.  It turns out that the SunPro C++ compiler does not properly
+    # handle `-M -o', and we need to detect this.
+    if depmode=$depmode \
+       source=sub/conftest.c object=sub/conftest.${OBJEXT-o} \
+       depfile=sub/conftest.Po tmpdepfile=sub/conftest.TPo \
+       $SHELL ./depcomp $depcc -c -o sub/conftest.${OBJEXT-o} sub/conftest.c \
+         >/dev/null 2>conftest.err &&
+       grep sub/conftst1.h sub/conftest.Po > /dev/null 2>&1 &&
+       grep sub/conftst6.h sub/conftest.Po > /dev/null 2>&1 &&
+       grep sub/conftest.${OBJEXT-o} sub/conftest.Po > /dev/null 2>&1 &&
+       ${MAKE-make} -s -f confmf > /dev/null 2>&1; then
+      # icc doesn't choke on unknown options, it will just issue warnings
+      # or remarks (even with -Werror).  So we grep stderr for any message
+      # that says an option was ignored or not supported.
+      # When given -MP, icc 7.0 and 7.1 complain thusly:
+      #   icc: Command line warning: ignoring option '-M'; no argument required
+      # The diagnosis changed in icc 8.0:
+      #   icc: Command line remark: option '-MP' not supported
+      if (grep 'ignoring option' conftest.err ||
+          grep 'not supported' conftest.err) >/dev/null 2>&1; then :; else
+        am_cv_$1_dependencies_compiler_type=$depmode
+        break
+      fi
+    fi
+  done
+
+  cd ..
+  rm -rf conftest.dir
+else
+  am_cv_$1_dependencies_compiler_type=none
+fi
+])
+AC_SUBST([$1DEPMODE], [depmode=$am_cv_$1_dependencies_compiler_type])
+AM_CONDITIONAL([am__fastdep$1], [
+  test "x$enable_dependency_tracking" != xno \
+  && test "$am_cv_$1_dependencies_compiler_type" = gcc3])
+])
+
+
+# AM_SET_DEPDIR
+# -------------
+# Choose a directory name for dependency files.
+# This macro is AC_REQUIREd in _AM_DEPENDENCIES
+AC_DEFUN([AM_SET_DEPDIR],
+[AC_REQUIRE([AM_SET_LEADING_DOT])dnl
+AC_SUBST([DEPDIR], ["${am__leading_dot}deps"])dnl
+])
+
+
+# AM_DEP_TRACK
+# ------------
+AC_DEFUN([AM_DEP_TRACK],
+[AC_ARG_ENABLE(dependency-tracking,
+[  --disable-dependency-tracking  speeds up one-time build
+  --enable-dependency-tracking   do not reject slow dependency extractors])
+if test "x$enable_dependency_tracking" != xno; then
+  am_depcomp="$ac_aux_dir/depcomp"
+  AMDEPBACKSLASH='\'
+fi
+AM_CONDITIONAL([AMDEP], [test "x$enable_dependency_tracking" != xno])
+AC_SUBST([AMDEPBACKSLASH])dnl
+_AM_SUBST_NOTMAKE([AMDEPBACKSLASH])dnl
+])
+
+# Generate code to set up dependency tracking.              -*- Autoconf -*-
+
+# Copyright (C) 1999, 2000, 2001, 2002, 2003, 2004, 2005
+# Free Software Foundation, Inc.
+#
+# This file is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+#serial 3
+
+# _AM_OUTPUT_DEPENDENCY_COMMANDS
+# ------------------------------
+AC_DEFUN([_AM_OUTPUT_DEPENDENCY_COMMANDS],
+[for mf in $CONFIG_FILES; do
+  # Strip MF so we end up with the name of the file.
+  mf=`echo "$mf" | sed -e 's/:.*$//'`
+  # Check whether this is an Automake generated Makefile or not.
+  # We used to match only the files named `Makefile.in', but
+  # some people rename them; so instead we look at the file content.
+  # Grep'ing the first line is not enough: some people post-process
+  # each Makefile.in and add a new line on top of each file to say so.
+  # Grep'ing the whole file is not good either: AIX grep has a line
+  # limit of 2048, but all sed's we know have understand at least 4000.
+  if sed -n 's,^#.*generated by automake.*,X,p' "$mf" | grep X >/dev/null 2>&1; then
+    dirpart=`AS_DIRNAME("$mf")`
+  else
+    continue
+  fi
+  # Extract the definition of DEPDIR, am__include, and am__quote
+  # from the Makefile without running `make'.
+  DEPDIR=`sed -n 's/^DEPDIR = //p' < "$mf"`
+  test -z "$DEPDIR" && continue
+  am__include=`sed -n 's/^am__include = //p' < "$mf"`
+  test -z "am__include" && continue
+  am__quote=`sed -n 's/^am__quote = //p' < "$mf"`
+  # When using ansi2knr, U may be empty or an underscore; expand it
+  U=`sed -n 's/^U = //p' < "$mf"`
+  # Find all dependency output files, they are included files with
+  # $(DEPDIR) in their names.  We invoke sed twice because it is the
+  # simplest approach to changing $(DEPDIR) to its actual value in the
+  # expansion.
+  for file in `sed -n "
+    s/^$am__include $am__quote\(.*(DEPDIR).*\)$am__quote"'$/\1/p' <"$mf" | \
+       sed -e 's/\$(DEPDIR)/'"$DEPDIR"'/g' -e 's/\$U/'"$U"'/g'`; do
+    # Make sure the directory exists.
+    test -f "$dirpart/$file" && continue
+    fdir=`AS_DIRNAME(["$file"])`
+    AS_MKDIR_P([$dirpart/$fdir])
+    # echo "creating $dirpart/$file"
+    echo '# dummy' > "$dirpart/$file"
+  done
+done
+])# _AM_OUTPUT_DEPENDENCY_COMMANDS
+
+
+# AM_OUTPUT_DEPENDENCY_COMMANDS
+# -----------------------------
+# This macro should only be invoked once -- use via AC_REQUIRE.
+#
+# This code is only required when automatic dependency tracking
+# is enabled.  FIXME.  This creates each `.P' file that we will
+# need in order to bootstrap the dependency handling code.
+AC_DEFUN([AM_OUTPUT_DEPENDENCY_COMMANDS],
+[AC_CONFIG_COMMANDS([depfiles],
+     [test x"$AMDEP_TRUE" != x"" || _AM_OUTPUT_DEPENDENCY_COMMANDS],
+     [AMDEP_TRUE="$AMDEP_TRUE" ac_aux_dir="$ac_aux_dir"])
+])
+
+# Copyright (C) 1996, 1997, 2000, 2001, 2003, 2005
+# Free Software Foundation, Inc.
+#
+# This file is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# serial 8
+
+# AM_CONFIG_HEADER is obsolete.  It has been replaced by AC_CONFIG_HEADERS.
+AU_DEFUN([AM_CONFIG_HEADER], [AC_CONFIG_HEADERS($@)])
+
+# Do all the work for Automake.                             -*- Autoconf -*-
+
+# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004,
+# 2005, 2006, 2008 Free Software Foundation, Inc.
+#
+# This file is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# serial 13
+
+# This macro actually does too much.  Some checks are only needed if
+# your package does certain things.  But this isn't really a big deal.
+
+# AM_INIT_AUTOMAKE(PACKAGE, VERSION, [NO-DEFINE])
+# AM_INIT_AUTOMAKE([OPTIONS])
+# -----------------------------------------------
+# The call with PACKAGE and VERSION arguments is the old style
+# call (pre autoconf-2.50), which is being phased out.  PACKAGE
+# and VERSION should now be passed to AC_INIT and removed from
+# the call to AM_INIT_AUTOMAKE.
+# We support both call styles for the transition.  After
+# the next Automake release, Autoconf can make the AC_INIT
+# arguments mandatory, and then we can depend on a new Autoconf
+# release and drop the old call support.
+AC_DEFUN([AM_INIT_AUTOMAKE],
+[AC_PREREQ([2.60])dnl
+dnl Autoconf wants to disallow AM_ names.  We explicitly allow
+dnl the ones we care about.
+m4_pattern_allow([^AM_[A-Z]+FLAGS$])dnl
+AC_REQUIRE([AM_SET_CURRENT_AUTOMAKE_VERSION])dnl
+AC_REQUIRE([AC_PROG_INSTALL])dnl
+if test "`cd $srcdir && pwd`" != "`pwd`"; then
+  # Use -I$(srcdir) only when $(srcdir) != ., so that make's output
+  # is not polluted with repeated "-I."
+  AC_SUBST([am__isrc], [' -I$(srcdir)'])_AM_SUBST_NOTMAKE([am__isrc])dnl
+  # test to see if srcdir already configured
+  if test -f $srcdir/config.status; then
+    AC_MSG_ERROR([source directory already configured; run "make distclean" there first])
+  fi
+fi
+
+# test whether we have cygpath
+if test -z "$CYGPATH_W"; then
+  if (cygpath --version) >/dev/null 2>/dev/null; then
+    CYGPATH_W='cygpath -w'
+  else
+    CYGPATH_W=echo
+  fi
+fi
+AC_SUBST([CYGPATH_W])
+
+# Define the identity of the package.
+dnl Distinguish between old-style and new-style calls.
+m4_ifval([$2],
+[m4_ifval([$3], [_AM_SET_OPTION([no-define])])dnl
+ AC_SUBST([PACKAGE], [$1])dnl
+ AC_SUBST([VERSION], [$2])],
+[_AM_SET_OPTIONS([$1])dnl
+dnl Diagnose old-style AC_INIT with new-style AM_AUTOMAKE_INIT.
+m4_if(m4_ifdef([AC_PACKAGE_NAME], 1)m4_ifdef([AC_PACKAGE_VERSION], 1), 11,,
+  [m4_fatal([AC_INIT should be called with package and version arguments])])dnl
+ AC_SUBST([PACKAGE], ['AC_PACKAGE_TARNAME'])dnl
+ AC_SUBST([VERSION], ['AC_PACKAGE_VERSION'])])dnl
+
+_AM_IF_OPTION([no-define],,
+[AC_DEFINE_UNQUOTED(PACKAGE, "$PACKAGE", [Name of package])
+ AC_DEFINE_UNQUOTED(VERSION, "$VERSION", [Version number of package])])dnl
+
+# Some tools Automake needs.
+AC_REQUIRE([AM_SANITY_CHECK])dnl
+AC_REQUIRE([AC_ARG_PROGRAM])dnl
+AM_MISSING_PROG(ACLOCAL, aclocal-${am__api_version})
+AM_MISSING_PROG(AUTOCONF, autoconf)
+AM_MISSING_PROG(AUTOMAKE, automake-${am__api_version})
+AM_MISSING_PROG(AUTOHEADER, autoheader)
+AM_MISSING_PROG(MAKEINFO, makeinfo)
+AM_PROG_INSTALL_SH
+AM_PROG_INSTALL_STRIP
+AC_REQUIRE([AM_PROG_MKDIR_P])dnl
+# We need awk for the "check" target.  The system "awk" is bad on
+# some platforms.
+AC_REQUIRE([AC_PROG_AWK])dnl
+AC_REQUIRE([AC_PROG_MAKE_SET])dnl
+AC_REQUIRE([AM_SET_LEADING_DOT])dnl
+_AM_IF_OPTION([tar-ustar], [_AM_PROG_TAR([ustar])],
+              [_AM_IF_OPTION([tar-pax], [_AM_PROG_TAR([pax])],
+	      		     [_AM_PROG_TAR([v7])])])
+_AM_IF_OPTION([no-dependencies],,
+[AC_PROVIDE_IFELSE([AC_PROG_CC],
+                  [_AM_DEPENDENCIES(CC)],
+                  [define([AC_PROG_CC],
+                          defn([AC_PROG_CC])[_AM_DEPENDENCIES(CC)])])dnl
+AC_PROVIDE_IFELSE([AC_PROG_CXX],
+                  [_AM_DEPENDENCIES(CXX)],
+                  [define([AC_PROG_CXX],
+                          defn([AC_PROG_CXX])[_AM_DEPENDENCIES(CXX)])])dnl
+AC_PROVIDE_IFELSE([AC_PROG_OBJC],
+                  [_AM_DEPENDENCIES(OBJC)],
+                  [define([AC_PROG_OBJC],
+                          defn([AC_PROG_OBJC])[_AM_DEPENDENCIES(OBJC)])])dnl
+])
+])
+
+
+# When config.status generates a header, we must update the stamp-h file.
+# This file resides in the same directory as the config header
+# that is generated.  The stamp files are numbered to have different names.
+
+# Autoconf calls _AC_AM_CONFIG_HEADER_HOOK (when defined) in the
+# loop where config.status creates the headers, so we can generate
+# our stamp files there.
+AC_DEFUN([_AC_AM_CONFIG_HEADER_HOOK],
+[# Compute $1's index in $config_headers.
+_am_arg=$1
+_am_stamp_count=1
+for _am_header in $config_headers :; do
+  case $_am_header in
+    $_am_arg | $_am_arg:* )
+      break ;;
+    * )
+      _am_stamp_count=`expr $_am_stamp_count + 1` ;;
+  esac
+done
+echo "timestamp for $_am_arg" >`AS_DIRNAME(["$_am_arg"])`/stamp-h[]$_am_stamp_count])
+
+# Copyright (C) 2001, 2003, 2005  Free Software Foundation, Inc.
+#
+# This file is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# AM_PROG_INSTALL_SH
+# ------------------
+# Define $install_sh.
+AC_DEFUN([AM_PROG_INSTALL_SH],
+[AC_REQUIRE([AM_AUX_DIR_EXPAND])dnl
+install_sh=${install_sh-"\$(SHELL) $am_aux_dir/install-sh"}
+AC_SUBST(install_sh)])
+
+# Copyright (C) 2003, 2005  Free Software Foundation, Inc.
+#
+# This file is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# serial 2
+
+# Check whether the underlying file-system supports filenames
+# with a leading dot.  For instance MS-DOS doesn't.
+AC_DEFUN([AM_SET_LEADING_DOT],
+[rm -rf .tst 2>/dev/null
+mkdir .tst 2>/dev/null
+if test -d .tst; then
+  am__leading_dot=.
+else
+  am__leading_dot=_
+fi
+rmdir .tst 2>/dev/null
+AC_SUBST([am__leading_dot])])
+
+# Add --enable-maintainer-mode option to configure.         -*- Autoconf -*-
+# From Jim Meyering
+
+# Copyright (C) 1996, 1998, 2000, 2001, 2002, 2003, 2004, 2005
+# Free Software Foundation, Inc.
+#
+# This file is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# serial 4
+
+AC_DEFUN([AM_MAINTAINER_MODE],
+[AC_MSG_CHECKING([whether to enable maintainer-specific portions of Makefiles])
+  dnl maintainer-mode is disabled by default
+  AC_ARG_ENABLE(maintainer-mode,
+[  --enable-maintainer-mode  enable make rules and dependencies not useful
+			  (and sometimes confusing) to the casual installer],
+      USE_MAINTAINER_MODE=$enableval,
+      USE_MAINTAINER_MODE=no)
+  AC_MSG_RESULT([$USE_MAINTAINER_MODE])
+  AM_CONDITIONAL(MAINTAINER_MODE, [test $USE_MAINTAINER_MODE = yes])
+  MAINT=$MAINTAINER_MODE_TRUE
+  AC_SUBST(MAINT)dnl
+]
+)
+
+AU_DEFUN([jm_MAINTAINER_MODE], [AM_MAINTAINER_MODE])
+
+# Check to see how 'make' treats includes.	            -*- Autoconf -*-
+
+# Copyright (C) 2001, 2002, 2003, 2005  Free Software Foundation, Inc.
+#
+# This file is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# serial 3
+
+# AM_MAKE_INCLUDE()
+# -----------------
+# Check to see how make treats includes.
+AC_DEFUN([AM_MAKE_INCLUDE],
+[am_make=${MAKE-make}
+cat > confinc << 'END'
+am__doit:
+	@echo done
+.PHONY: am__doit
+END
+# If we don't find an include directive, just comment out the code.
+AC_MSG_CHECKING([for style of include used by $am_make])
+am__include="#"
+am__quote=
+_am_result=none
+# First try GNU make style include.
+echo "include confinc" > confmf
+# We grep out `Entering directory' and `Leaving directory'
+# messages which can occur if `w' ends up in MAKEFLAGS.
+# In particular we don't look at `^make:' because GNU make might
+# be invoked under some other name (usually "gmake"), in which
+# case it prints its new name instead of `make'.
+if test "`$am_make -s -f confmf 2> /dev/null | grep -v 'ing directory'`" = "done"; then
+   am__include=include
+   am__quote=
+   _am_result=GNU
+fi
+# Now try BSD make style include.
+if test "$am__include" = "#"; then
+   echo '.include "confinc"' > confmf
+   if test "`$am_make -s -f confmf 2> /dev/null`" = "done"; then
+      am__include=.include
+      am__quote="\""
+      _am_result=BSD
+   fi
+fi
+AC_SUBST([am__include])
+AC_SUBST([am__quote])
+AC_MSG_RESULT([$_am_result])
+rm -f confinc confmf
+])
+
+# Copyright (C) 1999, 2000, 2001, 2003, 2004, 2005
+# Free Software Foundation, Inc.
+#
+# This file is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# serial 5
+
+# AM_PROG_CC_C_O
+# --------------
+# Like AC_PROG_CC_C_O, but changed for automake.
+AC_DEFUN([AM_PROG_CC_C_O],
+[AC_REQUIRE([AC_PROG_CC_C_O])dnl
+AC_REQUIRE([AM_AUX_DIR_EXPAND])dnl
+AC_REQUIRE_AUX_FILE([compile])dnl
+# FIXME: we rely on the cache variable name because
+# there is no other way.
+set dummy $CC
+ac_cc=`echo $[2] | sed ['s/[^a-zA-Z0-9_]/_/g;s/^[0-9]/_/']`
+if eval "test \"`echo '$ac_cv_prog_cc_'${ac_cc}_c_o`\" != yes"; then
+   # Losing compiler, so override with the script.
+   # FIXME: It is wrong to rewrite CC.
+   # But if we don't then we get into trouble of one sort or another.
+   # A longer-term fix would be to have automake use am__CC in this case,
+   # and then we could set am__CC="\$(top_srcdir)/compile \$(CC)"
+   CC="$am_aux_dir/compile $CC"
+fi
+dnl Make sure AC_PROG_CC is never called again, or it will override our
+dnl setting of CC.
+m4_define([AC_PROG_CC],
+          [m4_fatal([AC_PROG_CC cannot be called after AM_PROG_CC_C_O])])
+])
+
+# Fake the existence of programs that GNU maintainers use.  -*- Autoconf -*-
+
+# Copyright (C) 1997, 1999, 2000, 2001, 2003, 2004, 2005
+# Free Software Foundation, Inc.
+#
+# This file is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# serial 5
+
+# AM_MISSING_PROG(NAME, PROGRAM)
+# ------------------------------
+AC_DEFUN([AM_MISSING_PROG],
+[AC_REQUIRE([AM_MISSING_HAS_RUN])
+$1=${$1-"${am_missing_run}$2"}
+AC_SUBST($1)])
+
+
+# AM_MISSING_HAS_RUN
+# ------------------
+# Define MISSING if not defined so far and test if it supports --run.
+# If it does, set am_missing_run to use it, otherwise, to nothing.
+AC_DEFUN([AM_MISSING_HAS_RUN],
+[AC_REQUIRE([AM_AUX_DIR_EXPAND])dnl
+AC_REQUIRE_AUX_FILE([missing])dnl
+test x"${MISSING+set}" = xset || MISSING="\${SHELL} $am_aux_dir/missing"
+# Use eval to expand $SHELL
+if eval "$MISSING --run true"; then
+  am_missing_run="$MISSING --run "
+else
+  am_missing_run=
+  AC_MSG_WARN([`missing' script is too old or missing])
+fi
+])
+
+# Copyright (C) 2003, 2004, 2005, 2006  Free Software Foundation, Inc.
+#
+# This file is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# AM_PROG_MKDIR_P
+# ---------------
+# Check for `mkdir -p'.
+AC_DEFUN([AM_PROG_MKDIR_P],
+[AC_PREREQ([2.60])dnl
+AC_REQUIRE([AC_PROG_MKDIR_P])dnl
+dnl Automake 1.8 to 1.9.6 used to define mkdir_p.  We now use MKDIR_P,
+dnl while keeping a definition of mkdir_p for backward compatibility.
+dnl @MKDIR_P@ is magic: AC_OUTPUT adjusts its value for each Makefile.
+dnl However we cannot define mkdir_p as $(MKDIR_P) for the sake of
+dnl Makefile.ins that do not define MKDIR_P, so we do our own
+dnl adjustment using top_builddir (which is defined more often than
+dnl MKDIR_P).
+AC_SUBST([mkdir_p], ["$MKDIR_P"])dnl
+case $mkdir_p in
+  [[\\/$]]* | ?:[[\\/]]*) ;;
+  */*) mkdir_p="\$(top_builddir)/$mkdir_p" ;;
+esac
+])
+
+# Helper functions for option handling.                     -*- Autoconf -*-
+
+# Copyright (C) 2001, 2002, 2003, 2005  Free Software Foundation, Inc.
+#
+# This file is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# serial 3
+
+# _AM_MANGLE_OPTION(NAME)
+# -----------------------
+AC_DEFUN([_AM_MANGLE_OPTION],
+[[_AM_OPTION_]m4_bpatsubst($1, [[^a-zA-Z0-9_]], [_])])
+
+# _AM_SET_OPTION(NAME)
+# ------------------------------
+# Set option NAME.  Presently that only means defining a flag for this option.
+AC_DEFUN([_AM_SET_OPTION],
+[m4_define(_AM_MANGLE_OPTION([$1]), 1)])
+
+# _AM_SET_OPTIONS(OPTIONS)
+# ----------------------------------
+# OPTIONS is a space-separated list of Automake options.
+AC_DEFUN([_AM_SET_OPTIONS],
+[AC_FOREACH([_AM_Option], [$1], [_AM_SET_OPTION(_AM_Option)])])
+
+# _AM_IF_OPTION(OPTION, IF-SET, [IF-NOT-SET])
+# -------------------------------------------
+# Execute IF-SET if OPTION is set, IF-NOT-SET otherwise.
+AC_DEFUN([_AM_IF_OPTION],
+[m4_ifset(_AM_MANGLE_OPTION([$1]), [$2], [$3])])
+
+# Check to make sure that the build environment is sane.    -*- Autoconf -*-
+
+# Copyright (C) 1996, 1997, 2000, 2001, 2003, 2005
+# Free Software Foundation, Inc.
+#
+# This file is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# serial 4
+
+# AM_SANITY_CHECK
+# ---------------
+AC_DEFUN([AM_SANITY_CHECK],
+[AC_MSG_CHECKING([whether build environment is sane])
+# Just in case
+sleep 1
+echo timestamp > conftest.file
+# Do `set' in a subshell so we don't clobber the current shell's
+# arguments.  Must try -L first in case configure is actually a
+# symlink; some systems play weird games with the mod time of symlinks
+# (eg FreeBSD returns the mod time of the symlink's containing
+# directory).
+if (
+   set X `ls -Lt $srcdir/configure conftest.file 2> /dev/null`
+   if test "$[*]" = "X"; then
+      # -L didn't work.
+      set X `ls -t $srcdir/configure conftest.file`
+   fi
+   rm -f conftest.file
+   if test "$[*]" != "X $srcdir/configure conftest.file" \
+      && test "$[*]" != "X conftest.file $srcdir/configure"; then
+
+      # If neither matched, then we have a broken ls.  This can happen
+      # if, for instance, CONFIG_SHELL is bash and it inherits a
+      # broken ls alias from the environment.  This has actually
+      # happened.  Such a system could not be considered "sane".
+      AC_MSG_ERROR([ls -t appears to fail.  Make sure there is not a broken
+alias in your environment])
+   fi
+
+   test "$[2]" = conftest.file
+   )
+then
+   # Ok.
+   :
+else
+   AC_MSG_ERROR([newly created file is older than distributed files!
+Check your system clock])
+fi
+AC_MSG_RESULT(yes)])
+
+# Copyright (C) 2001, 2003, 2005  Free Software Foundation, Inc.
+#
+# This file is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# AM_PROG_INSTALL_STRIP
+# ---------------------
+# One issue with vendor `install' (even GNU) is that you can't
+# specify the program used to strip binaries.  This is especially
+# annoying in cross-compiling environments, where the build's strip
+# is unlikely to handle the host's binaries.
+# Fortunately install-sh will honor a STRIPPROG variable, so we
+# always use install-sh in `make install-strip', and initialize
+# STRIPPROG with the value of the STRIP variable (set by the user).
+AC_DEFUN([AM_PROG_INSTALL_STRIP],
+[AC_REQUIRE([AM_PROG_INSTALL_SH])dnl
+# Installed binaries are usually stripped using `strip' when the user
+# run `make install-strip'.  However `strip' might not be the right
+# tool to use in cross-compilation environments, therefore Automake
+# will honor the `STRIP' environment variable to overrule this program.
+dnl Don't test for $cross_compiling = yes, because it might be `maybe'.
+if test "$cross_compiling" != no; then
+  AC_CHECK_TOOL([STRIP], [strip], :)
+fi
+INSTALL_STRIP_PROGRAM="\$(install_sh) -c -s"
+AC_SUBST([INSTALL_STRIP_PROGRAM])])
+
+# Copyright (C) 2006  Free Software Foundation, Inc.
+#
+# This file is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# _AM_SUBST_NOTMAKE(VARIABLE)
+# ---------------------------
+# Prevent Automake from outputting VARIABLE = @VARIABLE@ in Makefile.in.
+# This macro is traced by Automake.
+AC_DEFUN([_AM_SUBST_NOTMAKE])
+
+# Check how to create a tarball.                            -*- Autoconf -*-
+
+# Copyright (C) 2004, 2005  Free Software Foundation, Inc.
+#
+# This file is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# serial 2
+
+# _AM_PROG_TAR(FORMAT)
+# --------------------
+# Check how to create a tarball in format FORMAT.
+# FORMAT should be one of `v7', `ustar', or `pax'.
+#
+# Substitute a variable $(am__tar) that is a command
+# writing to stdout a FORMAT-tarball containing the directory
+# $tardir.
+#     tardir=directory && $(am__tar) > result.tar
+#
+# Substitute a variable $(am__untar) that extract such
+# a tarball read from stdin.
+#     $(am__untar) < result.tar
+AC_DEFUN([_AM_PROG_TAR],
+[# Always define AMTAR for backward compatibility.
+AM_MISSING_PROG([AMTAR], [tar])
+m4_if([$1], [v7],
+     [am__tar='${AMTAR} chof - "$$tardir"'; am__untar='${AMTAR} xf -'],
+     [m4_case([$1], [ustar],, [pax],,
+              [m4_fatal([Unknown tar format])])
+AC_MSG_CHECKING([how to create a $1 tar archive])
+# Loop over all known methods to create a tar archive until one works.
+_am_tools='gnutar m4_if([$1], [ustar], [plaintar]) pax cpio none'
+_am_tools=${am_cv_prog_tar_$1-$_am_tools}
+# Do not fold the above two line into one, because Tru64 sh and
+# Solaris sh will not grok spaces in the rhs of `-'.
+for _am_tool in $_am_tools
+do
+  case $_am_tool in
+  gnutar)
+    for _am_tar in tar gnutar gtar;
+    do
+      AM_RUN_LOG([$_am_tar --version]) && break
+    done
+    am__tar="$_am_tar --format=m4_if([$1], [pax], [posix], [$1]) -chf - "'"$$tardir"'
+    am__tar_="$_am_tar --format=m4_if([$1], [pax], [posix], [$1]) -chf - "'"$tardir"'
+    am__untar="$_am_tar -xf -"
+    ;;
+  plaintar)
+    # Must skip GNU tar: if it does not support --format= it doesn't create
+    # ustar tarball either.
+    (tar --version) >/dev/null 2>&1 && continue
+    am__tar='tar chf - "$$tardir"'
+    am__tar_='tar chf - "$tardir"'
+    am__untar='tar xf -'
+    ;;
+  pax)
+    am__tar='pax -L -x $1 -w "$$tardir"'
+    am__tar_='pax -L -x $1 -w "$tardir"'
+    am__untar='pax -r'
+    ;;
+  cpio)
+    am__tar='find "$$tardir" -print | cpio -o -H $1 -L'
+    am__tar_='find "$tardir" -print | cpio -o -H $1 -L'
+    am__untar='cpio -i -H $1 -d'
+    ;;
+  none)
+    am__tar=false
+    am__tar_=false
+    am__untar=false
+    ;;
+  esac
+
+  # If the value was cached, stop now.  We just wanted to have am__tar
+  # and am__untar set.
+  test -n "${am_cv_prog_tar_$1}" && break
+
+  # tar/untar a dummy directory, and stop if the command works
+  rm -rf conftest.dir
+  mkdir conftest.dir
+  echo GrepMe > conftest.dir/file
+  AM_RUN_LOG([tardir=conftest.dir && eval $am__tar_ >conftest.tar])
+  rm -rf conftest.dir
+  if test -s conftest.tar; then
+    AM_RUN_LOG([$am__untar <conftest.tar])
+    grep GrepMe conftest.dir/file >/dev/null 2>&1 && break
+  fi
+done
+rm -rf conftest.dir
+
+AC_CACHE_VAL([am_cv_prog_tar_$1], [am_cv_prog_tar_$1=$_am_tool])
+AC_MSG_RESULT([$am_cv_prog_tar_$1])])
+AC_SUBST([am__tar])
+AC_SUBST([am__untar])
+]) # _AM_PROG_TAR
+
diff --git a/src/charon/plugins/nm/gnome/auth-dialog/.deps/nm_strongswan_auth_dialog-main.Po b/src/charon/plugins/nm/gnome/auth-dialog/.deps/nm_strongswan_auth_dialog-main.Po
new file mode 100644
index 000000000..9ce06a81e
--- /dev/null
+++ b/src/charon/plugins/nm/gnome/auth-dialog/.deps/nm_strongswan_auth_dialog-main.Po
@@ -0,0 +1 @@
+# dummy
diff --git a/src/charon/plugins/nm/gnome/auth-dialog/Makefile b/src/charon/plugins/nm/gnome/auth-dialog/Makefile
new file mode 100644
index 000000000..7519b1e2f
--- /dev/null
+++ b/src/charon/plugins/nm/gnome/auth-dialog/Makefile
@@ -0,0 +1,566 @@
+# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# auth-dialog/Makefile.  Generated from Makefile.in by configure.
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+
+
+
+pkgdatadir = $(datadir)/NetworkManager-strongswan
+pkglibdir = $(libdir)/NetworkManager-strongswan
+pkgincludedir = $(includedir)/NetworkManager-strongswan
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = i686-pc-linux-gnu
+host_triplet = i686-pc-linux-gnu
+libexec_PROGRAMS = nm-strongswan-auth-dialog$(EXEEXT)
+subdir = auth-dialog
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+am__installdirs = "$(DESTDIR)$(libexecdir)"
+libexecPROGRAMS_INSTALL = $(INSTALL_PROGRAM)
+PROGRAMS = $(libexec_PROGRAMS)
+am_nm_strongswan_auth_dialog_OBJECTS =  \
+	nm_strongswan_auth_dialog-main.$(OBJEXT)
+nm_strongswan_auth_dialog_OBJECTS =  \
+	$(am_nm_strongswan_auth_dialog_OBJECTS)
+am__DEPENDENCIES_1 =
+nm_strongswan_auth_dialog_DEPENDENCIES = $(am__DEPENDENCIES_1) \
+	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1)
+DEFAULT_INCLUDES = -I. -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(nm_strongswan_auth_dialog_SOURCES)
+DIST_SOURCES = $(nm_strongswan_auth_dialog_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = ${SHELL} /home/andi/trunk/src/charon/plugins/nm/gnome/missing --run aclocal-1.10
+ALL_LINGUAS = 
+AMTAR = ${SHELL} /home/andi/trunk/src/charon/plugins/nm/gnome/missing --run tar
+AR = ar
+AUTOCONF = ${SHELL} /home/andi/trunk/src/charon/plugins/nm/gnome/missing --run autoconf
+AUTOHEADER = ${SHELL} /home/andi/trunk/src/charon/plugins/nm/gnome/missing --run autoheader
+AUTOMAKE = ${SHELL} /home/andi/trunk/src/charon/plugins/nm/gnome/missing --run automake-1.10
+AWK = gawk
+CATALOGS = 
+CATOBJEXT = .gmo
+CC = gcc
+CCDEPMODE = depmode=gcc3
+CFLAGS = -g -O2
+CPP = gcc -E
+CPPFLAGS = 
+CXX = g++
+CXXCPP = g++ -E
+CXXDEPMODE = depmode=gcc3
+CXXFLAGS = -g -O2
+CYGPATH_W = echo
+DATADIRNAME = share
+DBUS_CFLAGS = -I/usr/include/dbus-1.0 -I/usr/lib/dbus-1.0/include -I/usr/include/glib-2.0 -I/usr/lib/glib-2.0/include  
+DBUS_LIBS = -ldbus-glib-1 -ldbus-1 -lgobject-2.0 -lglib-2.0  
+DEFS = -DHAVE_CONFIG_H
+DEPDIR = .deps
+DSYMUTIL = 
+ECHO = echo
+ECHO_C = 
+ECHO_N = -n
+ECHO_T = 
+EGREP = /bin/grep -E
+EXEEXT = 
+F77 = 
+FFLAGS = 
+GCONF_CFLAGS = -DORBIT2=1 -pthread -I/usr/include/gconf/2 -I/usr/include/orbit-2.0 -I/usr/include/glib-2.0 -I/usr/lib/glib-2.0/include  
+GCONF_LIBS = -lgconf-2 -lglib-2.0  
+GDK_PIXBUF_CFLAGS = -I/usr/include/gtk-2.0 -I/usr/include/glib-2.0 -I/usr/lib/glib-2.0/include  
+GDK_PIXBUF_LIBS = -lgdk_pixbuf-2.0 -lm -lgobject-2.0 -lgmodule-2.0 -ldl -lglib-2.0  
+GETTEXT_PACKAGE = NetworkManager-strongswan
+GLADE_CFLAGS = -I/usr/include/libglade-2.0 -I/usr/include/gtk-2.0 -I/usr/include/libxml2 -I/usr/lib/gtk-2.0/include -I/usr/include/atk-1.0 -I/usr/include/cairo -I/usr/include/pango-1.0 -I/usr/include/glib-2.0 -I/usr/lib/glib-2.0/include -I/usr/include/freetype2 -I/usr/include/libpng12 -I/usr/include/pixman-1  
+GLADE_LIBS = -lglade-2.0 -lgtk-x11-2.0 -lxml2 -lgdk-x11-2.0 -latk-1.0 -lgdk_pixbuf-2.0 -lm -lpangocairo-1.0 -lpango-1.0 -lcairo -lgobject-2.0 -lgmodule-2.0 -ldl -lglib-2.0  
+GMOFILES = 
+GMSGFMT = /usr/bin/msgfmt
+GNOMEKEYRING_CFLAGS = -I/usr/include/gnome-keyring-1 -I/usr/include/glib-2.0 -I/usr/lib/glib-2.0/include  
+GNOMEKEYRING_LIBS = -lgnome-keyring -lglib-2.0  
+GREP = /bin/grep
+GTHREAD_CFLAGS = -pthread -I/usr/include/glib-2.0 -I/usr/lib/glib-2.0/include  
+GTHREAD_LIBS = -pthread -lgthread-2.0 -lrt -lglib-2.0  
+GTK_CFLAGS = -I/usr/include/gtk-2.0 -I/usr/lib/gtk-2.0/include -I/usr/include/atk-1.0 -I/usr/include/cairo -I/usr/include/pango-1.0 -I/usr/include/glib-2.0 -I/usr/lib/glib-2.0/include -I/usr/include/freetype2 -I/usr/include/libpng12 -I/usr/include/pixman-1  
+GTK_LIBS = -lgtk-x11-2.0 -lgdk-x11-2.0 -latk-1.0 -lgdk_pixbuf-2.0 -lm -lpangocairo-1.0 -lpango-1.0 -lcairo -lgobject-2.0 -lgmodule-2.0 -ldl -lglib-2.0  
+INSTALL = /usr/bin/install -c
+INSTALL_DATA = ${INSTALL} -m 644
+INSTALL_PROGRAM = ${INSTALL}
+INSTALL_SCRIPT = ${INSTALL}
+INSTALL_STRIP_PROGRAM = $(install_sh) -c -s
+INSTOBJEXT = .mo
+INTLLIBS = 
+INTLTOOL_CAVES_RULE = %.caves:     %.caves.in     $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -d -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< $@
+INTLTOOL_DESKTOP_RULE = %.desktop:   %.desktop.in   $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -d -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< $@
+INTLTOOL_DIRECTORY_RULE = %.directory: %.directory.in $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -d -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< $@
+INTLTOOL_EXTRACT = $(top_builddir)/intltool-extract
+INTLTOOL_KBD_RULE = %.kbd:       %.kbd.in       $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -x -u -m -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< $@
+INTLTOOL_KEYS_RULE = %.keys:      %.keys.in      $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -k -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< $@
+INTLTOOL_MERGE = $(top_builddir)/intltool-merge
+INTLTOOL_OAF_RULE = %.oaf:       %.oaf.in       $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -o -p $(top_srcdir)/po $< $@
+INTLTOOL_PERL = /usr/bin/perl
+INTLTOOL_POLICY_RULE = %.policy:    %.policy.in    $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -x -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< $@
+INTLTOOL_PONG_RULE = %.pong:      %.pong.in      $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -x -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< $@
+INTLTOOL_PROP_RULE = %.prop:      %.prop.in      $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -d -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< $@
+INTLTOOL_SCHEMAS_RULE = %.schemas:   %.schemas.in   $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -s -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< $@
+INTLTOOL_SERVER_RULE = %.server:    %.server.in    $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -o -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< $@
+INTLTOOL_SERVICE_RULE = %.service: %.service.in   $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -d -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< $@
+INTLTOOL_SHEET_RULE = %.sheet:     %.sheet.in     $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -x -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< $@
+INTLTOOL_SOUNDLIST_RULE = %.soundlist: %.soundlist.in $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -d -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< $@
+INTLTOOL_THEME_RULE = %.theme:     %.theme.in     $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -d -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< $@
+INTLTOOL_UI_RULE = %.ui:        %.ui.in        $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -x -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< $@
+INTLTOOL_UPDATE = $(top_builddir)/intltool-update
+INTLTOOL_XAM_RULE = %.xam:       %.xml.in       $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -x -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< $@
+INTLTOOL_XML_NOMERGE_RULE = %.xml:       %.xml.in       $(INTLTOOL_MERGE) ; LC_ALL=C $(INTLTOOL_MERGE) -x -u /tmp $< $@
+INTLTOOL_XML_RULE = %.xml:       %.xml.in       $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -x -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< $@
+LDFLAGS = 
+LIBGNOMEUI_CFLAGS = -DORBIT2=1 -pthread -I/usr/include/libgnomeui-2.0 -I/usr/include/libart-2.0 -I/usr/include/gconf/2 -I/usr/include/gnome-keyring-1 -I/usr/include/libgnome-2.0 -I/usr/include/libbonoboui-2.0 -I/usr/include/libgnomecanvas-2.0 -I/usr/include/gtk-2.0 -I/usr/include/gnome-vfs-2.0 -I/usr/lib/gnome-vfs-2.0/include -I/usr/include/orbit-2.0 -I/usr/include/glib-2.0 -I/usr/lib/glib-2.0/include -I/usr/include/libbonobo-2.0 -I/usr/include/bonobo-activation-2.0 -I/usr/include/libxml2 -I/usr/include/pango-1.0 -I/usr/include/gail-1.0 -I/usr/include/freetype2 -I/usr/include/atk-1.0 -I/usr/lib/gtk-2.0/include -I/usr/include/cairo -I/usr/include/libpng12 -I/usr/include/pixman-1  
+LIBGNOMEUI_LIBS = -pthread -lgnomeui-2 -lSM -lICE -lbonoboui-2 -lgnomevfs-2 -lgnomecanvas-2 -lgnome-2 -lpopt -lbonobo-2 -lbonobo-activation -lORBit-2 -lart_lgpl_2 -lgtk-x11-2.0 -lgdk-x11-2.0 -latk-1.0 -lgdk_pixbuf-2.0 -lm -lpangocairo-1.0 -lpango-1.0 -lcairo -lgconf-2 -lgthread-2.0 -lrt -lgmodule-2.0 -ldl -lgobject-2.0 -lglib-2.0  
+LIBOBJS = 
+LIBS = 
+LIBTOOL = $(SHELL) $(top_builddir)/libtool
+LN_S = ln -s
+LTLIBOBJS = 
+MAINT = 
+MAKEINFO = ${SHELL} /home/andi/trunk/src/charon/plugins/nm/gnome/missing --run makeinfo
+MKDIR_P = /bin/mkdir -p
+MKINSTALLDIRS = ./mkinstalldirs
+MSGFMT = /usr/bin/msgfmt
+MSGFMT_OPTS = -c
+MSGMERGE = /usr/bin/msgmerge
+NMEDIT = 
+NM_UTILS_CFLAGS = -I/usr/include/NetworkManager -I/usr/include/glib-2.0 -I/usr/lib/glib-2.0/include -I/usr/include/libnm-glib -I/usr/include/dbus-1.0 -I/usr/lib/dbus-1.0/include  
+NM_UTILS_LIBS = -lnm-util -lnm_glib -lnm_glib_vpn -ldbus-glib-1 -ldbus-1 -lgobject-2.0 -lglib-2.0  
+OBJEXT = o
+PACKAGE = NetworkManager-strongswan
+PACKAGE_BUGREPORT = martin@strongswan.org
+PACKAGE_NAME = NetworkManager-strongswan
+PACKAGE_STRING = NetworkManager-strongswan 4.2.6
+PACKAGE_TARNAME = NetworkManager-strongswan
+PACKAGE_VERSION = 4.2.6
+PATH_SEPARATOR = :
+PKG_CONFIG = /usr/bin/pkg-config
+POFILES = 
+POSUB = po
+PO_IN_DATADIR_FALSE = 
+PO_IN_DATADIR_TRUE = 
+RANLIB = ranlib
+SED = /bin/sed
+SET_MAKE = 
+SHELL = /bin/bash
+STRIP = strip
+USE_NLS = yes
+VERSION = 4.2.6
+XGETTEXT = /usr/bin/xgettext
+abs_builddir = /home/andi/trunk/src/charon/plugins/nm/gnome/auth-dialog
+abs_srcdir = /home/andi/trunk/src/charon/plugins/nm/gnome/auth-dialog
+abs_top_builddir = /home/andi/trunk/src/charon/plugins/nm/gnome
+abs_top_srcdir = /home/andi/trunk/src/charon/plugins/nm/gnome
+ac_ct_CC = gcc
+ac_ct_CXX = g++
+ac_ct_F77 = 
+am__include = include
+am__leading_dot = .
+am__quote = 
+am__tar = ${AMTAR} chof - "$$tardir"
+am__untar = ${AMTAR} xf -
+bindir = ${exec_prefix}/bin
+build = i686-pc-linux-gnu
+build_alias = 
+build_cpu = i686
+build_os = linux-gnu
+build_vendor = pc
+builddir = .
+charon = ${exec_prefix}/libexec/ipsec/charon
+datadir = ${datarootdir}
+datarootdir = ${prefix}/share
+docdir = ${datarootdir}/doc/${PACKAGE_TARNAME}
+dvidir = ${docdir}
+exec_prefix = ${prefix}
+host = i686-pc-linux-gnu
+host_alias = 
+host_cpu = i686
+host_os = linux-gnu
+host_vendor = pc
+htmldir = ${docdir}
+includedir = ${prefix}/include
+infodir = ${datarootdir}/info
+install_sh = $(SHELL) /home/andi/trunk/src/charon/plugins/nm/gnome/install-sh
+libdir = ${exec_prefix}/lib
+libexecdir = ${exec_prefix}/libexec
+localedir = ${datarootdir}/locale
+localstatedir = ${prefix}/var
+mandir = ${datarootdir}/man
+mkdir_p = /bin/mkdir -p
+oldincludedir = /usr/include
+pdfdir = ${docdir}
+prefix = /usr/local
+program_transform_name = s,x,x,
+psdir = ${docdir}
+sbindir = ${exec_prefix}/sbin
+sharedstatedir = ${prefix}/com
+srcdir = .
+sysconfdir = ${prefix}/etc
+target_alias = 
+top_builddir = ..
+top_srcdir = ..
+nm_strongswan_auth_dialog_CPPFLAGS = \
+	$(GTHREAD_CFLAGS) \
+	$(GTK_CFLAGS) \
+	$(LIBGNOMEUI_CFLAGS) \
+	$(GNOMEKEYRING_CFLAGS) \
+	$(NETWORK_MANAGER_CFLAGS) \
+	$(NM_UTILS_CFLAGS) \
+	-DICONDIR=\""$(datadir)/pixmaps"\" \
+	-DGLADEDIR=\""$(gladedir)"\" \
+	-DBINDIR=\""$(bindir)"\" \
+	-DDBUS_API_SUBJECT_TO_CHANGE \
+	-DG_DISABLE_DEPRECATED \
+	-DGDK_DISABLE_DEPRECATED \
+	-DGNOME_DISABLE_DEPRECATED \
+	-DGNOMELOCALEDIR=\"$(datadir)/locale\" \
+	-DVERSION=\"$(VERSION)\"
+
+nm_strongswan_auth_dialog_SOURCES = \
+	main.c
+
+nm_strongswan_auth_dialog_LDADD = \
+	$(GTK_LIBS) \
+	$(LIBGNOMEUI_LIBS) \
+	$(GNOMEKEYRING_LIBS)
+
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
+		&& exit 0; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  auth-dialog/Makefile'; \
+	cd $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu  auth-dialog/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+install-libexecPROGRAMS: $(libexec_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	test -z "$(libexecdir)" || $(MKDIR_P) "$(DESTDIR)$(libexecdir)"
+	@list='$(libexec_PROGRAMS)'; for p in $$list; do \
+	  p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
+	  if test -f $$p \
+	     || test -f $$p1 \
+	  ; then \
+	    f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \
+	   echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(libexecPROGRAMS_INSTALL) '$$p' '$(DESTDIR)$(libexecdir)/$$f'"; \
+	   $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(libexecPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(libexecdir)/$$f" || exit 1; \
+	  else :; fi; \
+	done
+
+uninstall-libexecPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(libexec_PROGRAMS)'; for p in $$list; do \
+	  f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \
+	  echo " rm -f '$(DESTDIR)$(libexecdir)/$$f'"; \
+	  rm -f "$(DESTDIR)$(libexecdir)/$$f"; \
+	done
+
+clean-libexecPROGRAMS:
+	@list='$(libexec_PROGRAMS)'; for p in $$list; do \
+	  f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
+	  echo " rm -f $$p $$f"; \
+	  rm -f $$p $$f ; \
+	done
+nm-strongswan-auth-dialog$(EXEEXT): $(nm_strongswan_auth_dialog_OBJECTS) $(nm_strongswan_auth_dialog_DEPENDENCIES) 
+	@rm -f nm-strongswan-auth-dialog$(EXEEXT)
+	$(LINK) $(nm_strongswan_auth_dialog_OBJECTS) $(nm_strongswan_auth_dialog_LDADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+include ./$(DEPDIR)/nm_strongswan_auth_dialog-main.Po
+
+.c.o:
+	depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\
+	$(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
+	mv -f $$depbase.Tpo $$depbase.Po
+#	source='$<' object='$@' libtool=no \
+#	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) \
+#	$(COMPILE) -c -o $@ $<
+
+.c.obj:
+	depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\
+	$(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\
+	mv -f $$depbase.Tpo $$depbase.Po
+#	source='$<' object='$@' libtool=no \
+#	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) \
+#	$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'`
+
+.c.lo:
+	depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\
+	$(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
+	mv -f $$depbase.Tpo $$depbase.Plo
+#	source='$<' object='$@' libtool=yes \
+#	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) \
+#	$(LTCOMPILE) -c -o $@ $<
+
+nm_strongswan_auth_dialog-main.o: main.c
+	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(nm_strongswan_auth_dialog_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT nm_strongswan_auth_dialog-main.o -MD -MP -MF $(DEPDIR)/nm_strongswan_auth_dialog-main.Tpo -c -o nm_strongswan_auth_dialog-main.o `test -f 'main.c' || echo '$(srcdir)/'`main.c
+	mv -f $(DEPDIR)/nm_strongswan_auth_dialog-main.Tpo $(DEPDIR)/nm_strongswan_auth_dialog-main.Po
+#	source='main.c' object='nm_strongswan_auth_dialog-main.o' libtool=no \
+#	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) \
+#	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(nm_strongswan_auth_dialog_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o nm_strongswan_auth_dialog-main.o `test -f 'main.c' || echo '$(srcdir)/'`main.c
+
+nm_strongswan_auth_dialog-main.obj: main.c
+	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(nm_strongswan_auth_dialog_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT nm_strongswan_auth_dialog-main.obj -MD -MP -MF $(DEPDIR)/nm_strongswan_auth_dialog-main.Tpo -c -o nm_strongswan_auth_dialog-main.obj `if test -f 'main.c'; then $(CYGPATH_W) 'main.c'; else $(CYGPATH_W) '$(srcdir)/main.c'; fi`
+	mv -f $(DEPDIR)/nm_strongswan_auth_dialog-main.Tpo $(DEPDIR)/nm_strongswan_auth_dialog-main.Po
+#	source='main.c' object='nm_strongswan_auth_dialog-main.obj' libtool=no \
+#	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) \
+#	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(nm_strongswan_auth_dialog_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o nm_strongswan_auth_dialog-main.obj `if test -f 'main.c'; then $(CYGPATH_W) 'main.c'; else $(CYGPATH_W) '$(srcdir)/main.c'; fi`
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	    $$tags $$unique; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$tags $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) $$here
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	    fi; \
+	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(PROGRAMS)
+installdirs:
+	for dir in "$(DESTDIR)$(libexecdir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libexecPROGRAMS clean-libtool \
+	mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+info: info-am
+
+info-am:
+
+install-data-am:
+
+install-dvi: install-dvi-am
+
+install-exec-am: install-libexecPROGRAMS
+
+install-html: install-html-am
+
+install-info: install-info-am
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-libexecPROGRAMS
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libexecPROGRAMS clean-libtool ctags distclean \
+	distclean-compile distclean-generic distclean-libtool \
+	distclean-tags distdir dvi dvi-am html html-am info info-am \
+	install install-am install-data install-data-am install-dvi \
+	install-dvi-am install-exec install-exec-am install-html \
+	install-html-am install-info install-info-am \
+	install-libexecPROGRAMS install-man install-pdf install-pdf-am \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags uninstall uninstall-am uninstall-libexecPROGRAMS
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/charon/plugins/nm/gnome/auth-dialog/Makefile.am b/src/charon/plugins/nm/gnome/auth-dialog/Makefile.am
new file mode 100644
index 000000000..c95164785
--- /dev/null
+++ b/src/charon/plugins/nm/gnome/auth-dialog/Makefile.am
@@ -0,0 +1,27 @@
+libexec_PROGRAMS = nm-strongswan-auth-dialog
+
+nm_strongswan_auth_dialog_CPPFLAGS = \
+	$(GTHREAD_CFLAGS) \
+	$(GTK_CFLAGS) \
+	$(LIBGNOMEUI_CFLAGS) \
+	$(GNOMEKEYRING_CFLAGS) \
+	$(NETWORK_MANAGER_CFLAGS) \
+	$(NM_UTILS_CFLAGS) \
+	-DICONDIR=\""$(datadir)/pixmaps"\" \
+	-DGLADEDIR=\""$(gladedir)"\" \
+	-DBINDIR=\""$(bindir)"\" \
+	-DDBUS_API_SUBJECT_TO_CHANGE \
+	-DG_DISABLE_DEPRECATED \
+	-DGDK_DISABLE_DEPRECATED \
+	-DGNOME_DISABLE_DEPRECATED \
+	-DGNOMELOCALEDIR=\"$(datadir)/locale\" \
+	-DVERSION=\"$(VERSION)\"
+
+nm_strongswan_auth_dialog_SOURCES =	\
+	main.c
+
+nm_strongswan_auth_dialog_LDADD = \
+	$(GTK_LIBS) \
+	$(LIBGNOMEUI_LIBS) \
+	$(GNOMEKEYRING_LIBS)
+
diff --git a/src/charon/plugins/nm/gnome/auth-dialog/Makefile.in b/src/charon/plugins/nm/gnome/auth-dialog/Makefile.in
new file mode 100644
index 000000000..fa953505f
--- /dev/null
+++ b/src/charon/plugins/nm/gnome/auth-dialog/Makefile.in
@@ -0,0 +1,566 @@
+# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+libexec_PROGRAMS = nm-strongswan-auth-dialog$(EXEEXT)
+subdir = auth-dialog
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+am__installdirs = "$(DESTDIR)$(libexecdir)"
+libexecPROGRAMS_INSTALL = $(INSTALL_PROGRAM)
+PROGRAMS = $(libexec_PROGRAMS)
+am_nm_strongswan_auth_dialog_OBJECTS =  \
+	nm_strongswan_auth_dialog-main.$(OBJEXT)
+nm_strongswan_auth_dialog_OBJECTS =  \
+	$(am_nm_strongswan_auth_dialog_OBJECTS)
+am__DEPENDENCIES_1 =
+nm_strongswan_auth_dialog_DEPENDENCIES = $(am__DEPENDENCIES_1) \
+	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1)
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(nm_strongswan_auth_dialog_SOURCES)
+DIST_SOURCES = $(nm_strongswan_auth_dialog_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALL_LINGUAS = @ALL_LINGUAS@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+CATALOGS = @CATALOGS@
+CATOBJEXT = @CATOBJEXT@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+CXXDEPMODE = @CXXDEPMODE@
+CXXFLAGS = @CXXFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DATADIRNAME = @DATADIRNAME@
+DBUS_CFLAGS = @DBUS_CFLAGS@
+DBUS_LIBS = @DBUS_LIBS@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DSYMUTIL = @DSYMUTIL@
+ECHO = @ECHO@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+F77 = @F77@
+FFLAGS = @FFLAGS@
+GCONF_CFLAGS = @GCONF_CFLAGS@
+GCONF_LIBS = @GCONF_LIBS@
+GDK_PIXBUF_CFLAGS = @GDK_PIXBUF_CFLAGS@
+GDK_PIXBUF_LIBS = @GDK_PIXBUF_LIBS@
+GETTEXT_PACKAGE = @GETTEXT_PACKAGE@
+GLADE_CFLAGS = @GLADE_CFLAGS@
+GLADE_LIBS = @GLADE_LIBS@
+GMOFILES = @GMOFILES@
+GMSGFMT = @GMSGFMT@
+GNOMEKEYRING_CFLAGS = @GNOMEKEYRING_CFLAGS@
+GNOMEKEYRING_LIBS = @GNOMEKEYRING_LIBS@
+GREP = @GREP@
+GTHREAD_CFLAGS = @GTHREAD_CFLAGS@
+GTHREAD_LIBS = @GTHREAD_LIBS@
+GTK_CFLAGS = @GTK_CFLAGS@
+GTK_LIBS = @GTK_LIBS@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+INSTOBJEXT = @INSTOBJEXT@
+INTLLIBS = @INTLLIBS@
+INTLTOOL_CAVES_RULE = @INTLTOOL_CAVES_RULE@
+INTLTOOL_DESKTOP_RULE = @INTLTOOL_DESKTOP_RULE@
+INTLTOOL_DIRECTORY_RULE = @INTLTOOL_DIRECTORY_RULE@
+INTLTOOL_EXTRACT = @INTLTOOL_EXTRACT@
+INTLTOOL_KBD_RULE = @INTLTOOL_KBD_RULE@
+INTLTOOL_KEYS_RULE = @INTLTOOL_KEYS_RULE@
+INTLTOOL_MERGE = @INTLTOOL_MERGE@
+INTLTOOL_OAF_RULE = @INTLTOOL_OAF_RULE@
+INTLTOOL_PERL = @INTLTOOL_PERL@
+INTLTOOL_POLICY_RULE = @INTLTOOL_POLICY_RULE@
+INTLTOOL_PONG_RULE = @INTLTOOL_PONG_RULE@
+INTLTOOL_PROP_RULE = @INTLTOOL_PROP_RULE@
+INTLTOOL_SCHEMAS_RULE = @INTLTOOL_SCHEMAS_RULE@
+INTLTOOL_SERVER_RULE = @INTLTOOL_SERVER_RULE@
+INTLTOOL_SERVICE_RULE = @INTLTOOL_SERVICE_RULE@
+INTLTOOL_SHEET_RULE = @INTLTOOL_SHEET_RULE@
+INTLTOOL_SOUNDLIST_RULE = @INTLTOOL_SOUNDLIST_RULE@
+INTLTOOL_THEME_RULE = @INTLTOOL_THEME_RULE@
+INTLTOOL_UI_RULE = @INTLTOOL_UI_RULE@
+INTLTOOL_UPDATE = @INTLTOOL_UPDATE@
+INTLTOOL_XAM_RULE = @INTLTOOL_XAM_RULE@
+INTLTOOL_XML_NOMERGE_RULE = @INTLTOOL_XML_NOMERGE_RULE@
+INTLTOOL_XML_RULE = @INTLTOOL_XML_RULE@
+LDFLAGS = @LDFLAGS@
+LIBGNOMEUI_CFLAGS = @LIBGNOMEUI_CFLAGS@
+LIBGNOMEUI_LIBS = @LIBGNOMEUI_LIBS@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAINT = @MAINT@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MKINSTALLDIRS = @MKINSTALLDIRS@
+MSGFMT = @MSGFMT@
+MSGFMT_OPTS = @MSGFMT_OPTS@
+MSGMERGE = @MSGMERGE@
+NMEDIT = @NMEDIT@
+NM_UTILS_CFLAGS = @NM_UTILS_CFLAGS@
+NM_UTILS_LIBS = @NM_UTILS_LIBS@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PKG_CONFIG = @PKG_CONFIG@
+POFILES = @POFILES@
+POSUB = @POSUB@
+PO_IN_DATADIR_FALSE = @PO_IN_DATADIR_FALSE@
+PO_IN_DATADIR_TRUE = @PO_IN_DATADIR_TRUE@
+RANLIB = @RANLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+USE_NLS = @USE_NLS@
+VERSION = @VERSION@
+XGETTEXT = @XGETTEXT@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_CXX = @ac_ct_CXX@
+ac_ct_F77 = @ac_ct_F77@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+charon = @charon@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+libdir = @libdir@
+libexecdir = @libexecdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+nm_strongswan_auth_dialog_CPPFLAGS = \
+	$(GTHREAD_CFLAGS) \
+	$(GTK_CFLAGS) \
+	$(LIBGNOMEUI_CFLAGS) \
+	$(GNOMEKEYRING_CFLAGS) \
+	$(NETWORK_MANAGER_CFLAGS) \
+	$(NM_UTILS_CFLAGS) \
+	-DICONDIR=\""$(datadir)/pixmaps"\" \
+	-DGLADEDIR=\""$(gladedir)"\" \
+	-DBINDIR=\""$(bindir)"\" \
+	-DDBUS_API_SUBJECT_TO_CHANGE \
+	-DG_DISABLE_DEPRECATED \
+	-DGDK_DISABLE_DEPRECATED \
+	-DGNOME_DISABLE_DEPRECATED \
+	-DGNOMELOCALEDIR=\"$(datadir)/locale\" \
+	-DVERSION=\"$(VERSION)\"
+
+nm_strongswan_auth_dialog_SOURCES = \
+	main.c
+
+nm_strongswan_auth_dialog_LDADD = \
+	$(GTK_LIBS) \
+	$(LIBGNOMEUI_LIBS) \
+	$(GNOMEKEYRING_LIBS)
+
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
+		&& exit 0; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  auth-dialog/Makefile'; \
+	cd $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu  auth-dialog/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+install-libexecPROGRAMS: $(libexec_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	test -z "$(libexecdir)" || $(MKDIR_P) "$(DESTDIR)$(libexecdir)"
+	@list='$(libexec_PROGRAMS)'; for p in $$list; do \
+	  p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
+	  if test -f $$p \
+	     || test -f $$p1 \
+	  ; then \
+	    f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \
+	   echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(libexecPROGRAMS_INSTALL) '$$p' '$(DESTDIR)$(libexecdir)/$$f'"; \
+	   $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(libexecPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(libexecdir)/$$f" || exit 1; \
+	  else :; fi; \
+	done
+
+uninstall-libexecPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(libexec_PROGRAMS)'; for p in $$list; do \
+	  f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \
+	  echo " rm -f '$(DESTDIR)$(libexecdir)/$$f'"; \
+	  rm -f "$(DESTDIR)$(libexecdir)/$$f"; \
+	done
+
+clean-libexecPROGRAMS:
+	@list='$(libexec_PROGRAMS)'; for p in $$list; do \
+	  f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
+	  echo " rm -f $$p $$f"; \
+	  rm -f $$p $$f ; \
+	done
+nm-strongswan-auth-dialog$(EXEEXT): $(nm_strongswan_auth_dialog_OBJECTS) $(nm_strongswan_auth_dialog_DEPENDENCIES) 
+	@rm -f nm-strongswan-auth-dialog$(EXEEXT)
+	$(LINK) $(nm_strongswan_auth_dialog_OBJECTS) $(nm_strongswan_auth_dialog_LDADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/nm_strongswan_auth_dialog-main.Po@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
+@am__fastdepCC_TRUE@	mv -f $$depbase.Tpo $$depbase.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c -o $@ $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\
+@am__fastdepCC_TRUE@	mv -f $$depbase.Tpo $$depbase.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
+@am__fastdepCC_TRUE@	mv -f $$depbase.Tpo $$depbase.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+nm_strongswan_auth_dialog-main.o: main.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(nm_strongswan_auth_dialog_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT nm_strongswan_auth_dialog-main.o -MD -MP -MF $(DEPDIR)/nm_strongswan_auth_dialog-main.Tpo -c -o nm_strongswan_auth_dialog-main.o `test -f 'main.c' || echo '$(srcdir)/'`main.c
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/nm_strongswan_auth_dialog-main.Tpo $(DEPDIR)/nm_strongswan_auth_dialog-main.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='main.c' object='nm_strongswan_auth_dialog-main.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(nm_strongswan_auth_dialog_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o nm_strongswan_auth_dialog-main.o `test -f 'main.c' || echo '$(srcdir)/'`main.c
+
+nm_strongswan_auth_dialog-main.obj: main.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(nm_strongswan_auth_dialog_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT nm_strongswan_auth_dialog-main.obj -MD -MP -MF $(DEPDIR)/nm_strongswan_auth_dialog-main.Tpo -c -o nm_strongswan_auth_dialog-main.obj `if test -f 'main.c'; then $(CYGPATH_W) 'main.c'; else $(CYGPATH_W) '$(srcdir)/main.c'; fi`
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/nm_strongswan_auth_dialog-main.Tpo $(DEPDIR)/nm_strongswan_auth_dialog-main.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='main.c' object='nm_strongswan_auth_dialog-main.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(nm_strongswan_auth_dialog_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o nm_strongswan_auth_dialog-main.obj `if test -f 'main.c'; then $(CYGPATH_W) 'main.c'; else $(CYGPATH_W) '$(srcdir)/main.c'; fi`
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	    $$tags $$unique; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$tags $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) $$here
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	    fi; \
+	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(PROGRAMS)
+installdirs:
+	for dir in "$(DESTDIR)$(libexecdir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libexecPROGRAMS clean-libtool \
+	mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+info: info-am
+
+info-am:
+
+install-data-am:
+
+install-dvi: install-dvi-am
+
+install-exec-am: install-libexecPROGRAMS
+
+install-html: install-html-am
+
+install-info: install-info-am
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-libexecPROGRAMS
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libexecPROGRAMS clean-libtool ctags distclean \
+	distclean-compile distclean-generic distclean-libtool \
+	distclean-tags distdir dvi dvi-am html html-am info info-am \
+	install install-am install-data install-data-am install-dvi \
+	install-dvi-am install-exec install-exec-am install-html \
+	install-html-am install-info install-info-am \
+	install-libexecPROGRAMS install-man install-pdf install-pdf-am \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags uninstall uninstall-am uninstall-libexecPROGRAMS
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/charon/plugins/nm/gnome/auth-dialog/main.c b/src/charon/plugins/nm/gnome/auth-dialog/main.c
new file mode 100644
index 000000000..6f2095527
--- /dev/null
+++ b/src/charon/plugins/nm/gnome/auth-dialog/main.c
@@ -0,0 +1,244 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2004 Dan Williams 
+ * Red Hat, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <string.h>
+#include <glib/gi18n.h>
+#include <gtk/gtk.h>
+#include <gnome-keyring.h>
+#include <libgnomeui/libgnomeui.h>
+#include <gconf/gconf-client.h>
+#include <nm-vpn-plugin.h>
+#include <nm-setting-vpn.h>
+#include <nm-setting-connection.h>
+
+#define NM_DBUS_SERVICE_STRONGSWAN	"org.freedesktop.NetworkManager.strongswan"
+
+/**
+ * lookup a password in the keyring
+ */
+static char *lookup_password(char *name, char *service)
+{
+	GList *list;
+	GList *iter;
+	char *pass = NULL;
+
+	if (gnome_keyring_find_network_password_sync(g_get_user_name(), NULL, name,
+			NULL, service, NULL, 0, &list) != GNOME_KEYRING_RESULT_OK)
+	{
+		return NULL;
+	}
+
+	for (iter = list; iter; iter = iter->next)
+	{
+		GnomeKeyringNetworkPasswordData *data = iter->data;
+		
+		if (strcmp(data->object, "password") == 0 && data->password)
+		{
+			pass = g_strdup(data->password);
+			break;
+		}
+	}
+	gnome_keyring_network_password_list_free(list);
+	return pass;
+}
+
+/**
+ * get the connection type
+ */
+static char* get_connection_type(char *uuid)
+{
+	GConfClient *client = NULL;
+	GSList *list;
+	GSList *iter;
+	char *key, *str, *path, *found = NULL, *method = NULL;
+
+	client = gconf_client_get_default();
+
+	list = gconf_client_all_dirs(client, "/system/networking/connections", NULL);
+	g_return_val_if_fail(list, NULL);
+
+	for (iter = list; iter; iter = iter->next)
+	{
+		path = (char *) iter->data;
+
+		key = g_strdup_printf("%s/%s/%s", path,
+							  NM_SETTING_CONNECTION_SETTING_NAME,
+							  NM_SETTING_CONNECTION_UUID);
+		str = gconf_client_get_string(client, key, NULL);
+		g_free (key);
+
+		if (str && !strcmp(str, uuid))
+		{
+			found = g_strdup(path);
+		}
+		g_free (str);
+		if (found)
+		{
+			break;
+		}
+	}
+	g_slist_foreach(list, (GFunc)g_free, NULL);
+	g_slist_free(list);
+	
+	if (found)
+	{
+		key = g_strdup_printf ("%s/%s/%s", found,
+			                   NM_SETTING_VPN_SETTING_NAME, "method");
+		method = gconf_client_get_string(client, key, NULL);
+		g_free(found);
+		g_free(key);
+	}
+	g_object_unref(client);
+	return method;
+}
+
+int main (int argc, char *argv[])
+{
+	gboolean retry = FALSE;
+	gchar *name = NULL, *uuid = NULL, *service = NULL, *keyring = NULL, *pass;
+	GOptionContext *context;
+	GnomeProgram *program = NULL;
+	int exit_status = 1;
+	char buf, *agent, *type;
+	guint32 itemid;
+	GtkWidget *dialog;
+	GOptionEntry entries[] = {
+		{ "reprompt", 'r', 0, G_OPTION_ARG_NONE, &retry, "Reprompt for passwords", NULL},
+		{ "uuid", 'u', 0, G_OPTION_ARG_STRING, &uuid, "UUID of VPN connection", NULL},
+		{ "name", 'n', 0, G_OPTION_ARG_STRING, &name, "Name of VPN connection", NULL},
+		{ "service", 's', 0, G_OPTION_ARG_STRING, &service, "VPN service type", NULL},
+		{ NULL }
+	};
+
+	bindtextdomain(GETTEXT_PACKAGE, NULL);
+	bind_textdomain_codeset(GETTEXT_PACKAGE, "UTF-8");
+	textdomain(GETTEXT_PACKAGE);
+
+	context = g_option_context_new ("- strongswan auth dialog");
+	g_option_context_add_main_entries (context, entries, GETTEXT_PACKAGE);
+
+	program = gnome_program_init ("nm-strongswan-auth-dialog", VERSION,
+								LIBGNOMEUI_MODULE,
+								argc, argv,
+								GNOME_PARAM_GOPTION_CONTEXT, context,
+								GNOME_PARAM_NONE);
+	
+	if (uuid == NULL || name == NULL || service == NULL)
+	{
+		fprintf (stderr, "Have to supply UUID, name, and service\n");
+		g_object_unref (program);
+		return 1;
+	}
+	
+	if (strcmp(service, NM_DBUS_SERVICE_STRONGSWAN) != 0)
+	{
+		fprintf(stderr, "This dialog only works with the '%s' service\n",
+				NM_DBUS_SERVICE_STRONGSWAN);
+		g_object_unref (program);
+		return 1;
+	}
+	
+	type = get_connection_type(uuid);
+	if (!type)
+	{
+		fprintf(stderr, "Connection lookup failed\n");
+		g_object_unref (program);
+		return 1;
+	}
+	if (!strcmp(type, "eap") || !strcmp(type, "key"))
+	{
+		pass = lookup_password(name, service);
+		if (!pass || retry)
+		{
+			if (!strcmp(type, "eap"))
+			{
+				dialog = gnome_password_dialog_new(_("VPN password required"),
+							_("EAP password required to establish VPN connection:"),
+							NULL, NULL, TRUE);
+			}
+			else
+			{
+				dialog = gnome_password_dialog_new(_("VPN password required"),
+							_("Private key decryption password required to establish VPN connection:"),
+							NULL, NULL, TRUE);
+			}
+			gnome_password_dialog_set_show_remember(GNOME_PASSWORD_DIALOG(dialog), TRUE);
+			gnome_password_dialog_set_show_username(GNOME_PASSWORD_DIALOG(dialog), FALSE);
+			if (pass)
+			{
+				gnome_password_dialog_set_password(GNOME_PASSWORD_DIALOG(dialog), pass);
+			}
+			if (!gnome_password_dialog_run_and_block(GNOME_PASSWORD_DIALOG(dialog)))
+			{
+				g_object_unref (program);
+				return 1;
+			}
+
+			pass = gnome_password_dialog_get_password(GNOME_PASSWORD_DIALOG(dialog));
+			switch (gnome_password_dialog_get_remember(GNOME_PASSWORD_DIALOG(dialog)))
+			{
+				case GNOME_PASSWORD_DIALOG_REMEMBER_NOTHING:
+					break;
+				case GNOME_PASSWORD_DIALOG_REMEMBER_SESSION:
+					keyring = "session";
+					/* FALL */
+				case GNOME_PASSWORD_DIALOG_REMEMBER_FOREVER:
+					if (gnome_keyring_set_network_password_sync(keyring,
+							g_get_user_name(), NULL, name, "password", service, NULL, 0,
+							pass, &itemid) != GNOME_KEYRING_RESULT_OK)
+					{
+						g_warning ("storing password in keyring failed");
+					}
+					break;
+			}
+		}
+		printf("password\n%s\n", pass);
+	}
+	else
+	{
+		agent = getenv("SSH_AUTH_SOCK");
+		if (agent)
+		{
+			printf("agent\n%s\n", agent);
+		}
+		else
+		{
+			GtkWidget *dialog;
+			
+			dialog = gtk_message_dialog_new(NULL, 0, GTK_MESSAGE_ERROR,
+						  GTK_BUTTONS_OK, 
+						  _("Configuration uses ssh-agent for authentication, "
+						  "but ssh-agent is not running!"));
+			gtk_dialog_run (GTK_DIALOG (dialog));
+			gtk_widget_destroy (dialog);
+			return 1;
+		}
+	}
+	printf("\n\n");
+	/* flush output, wait for input */
+	fflush(stdout);
+	fread(&buf, 1, sizeof(buf), stdin);
+	g_object_unref(program);
+	return 0;
+}
+
diff --git a/src/charon/plugins/nm/gnome/autogen.sh b/src/charon/plugins/nm/gnome/autogen.sh
new file mode 100755
index 000000000..25847e7c3
--- /dev/null
+++ b/src/charon/plugins/nm/gnome/autogen.sh
@@ -0,0 +1,15 @@
+#!/bin/sh
+# Run this to generate all the initial makefiles, etc.
+
+srcdir=`dirname $0`
+test -z "$srcdir" && srcdir=.
+REQUIRED_AUTOMAKE_VERSION=1.7
+PKG_NAME=NetworkManager-strongswan
+
+which gnome-autogen.sh || {
+    echo "You need to install gnome-common from the GNOME CVS"
+    exit 1
+}
+USE_GNOME2_MACROS=1 . gnome-autogen.sh
+
+
diff --git a/src/charon/plugins/nm/gnome/compile b/src/charon/plugins/nm/gnome/compile
new file mode 100755
index 000000000..1b1d23216
--- /dev/null
+++ b/src/charon/plugins/nm/gnome/compile
@@ -0,0 +1,142 @@
+#! /bin/sh
+# Wrapper for compilers which do not understand `-c -o'.
+
+scriptversion=2005-05-14.22
+
+# Copyright (C) 1999, 2000, 2003, 2004, 2005 Free Software Foundation, Inc.
+# Written by Tom Tromey <tromey@cygnus.com>.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2, or (at your option)
+# any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+# As a special exception to the GNU General Public License, if you
+# distribute this file as part of a program that contains a
+# configuration script generated by Autoconf, you may include it under
+# the same distribution terms that you use for the rest of that program.
+
+# This file is maintained in Automake, please report
+# bugs to <bug-automake@gnu.org> or send patches to
+# <automake-patches@gnu.org>.
+
+case $1 in
+  '')
+     echo "$0: No command.  Try \`$0 --help' for more information." 1>&2
+     exit 1;
+     ;;
+  -h | --h*)
+    cat <<\EOF
+Usage: compile [--help] [--version] PROGRAM [ARGS]
+
+Wrapper for compilers which do not understand `-c -o'.
+Remove `-o dest.o' from ARGS, run PROGRAM with the remaining
+arguments, and rename the output as expected.
+
+If you are trying to build a whole package this is not the
+right script to run: please start by reading the file `INSTALL'.
+
+Report bugs to <bug-automake@gnu.org>.
+EOF
+    exit $?
+    ;;
+  -v | --v*)
+    echo "compile $scriptversion"
+    exit $?
+    ;;
+esac
+
+ofile=
+cfile=
+eat=
+
+for arg
+do
+  if test -n "$eat"; then
+    eat=
+  else
+    case $1 in
+      -o)
+	# configure might choose to run compile as `compile cc -o foo foo.c'.
+	# So we strip `-o arg' only if arg is an object.
+	eat=1
+	case $2 in
+	  *.o | *.obj)
+	    ofile=$2
+	    ;;
+	  *)
+	    set x "$@" -o "$2"
+	    shift
+	    ;;
+	esac
+	;;
+      *.c)
+	cfile=$1
+	set x "$@" "$1"
+	shift
+	;;
+      *)
+	set x "$@" "$1"
+	shift
+	;;
+    esac
+  fi
+  shift
+done
+
+if test -z "$ofile" || test -z "$cfile"; then
+  # If no `-o' option was seen then we might have been invoked from a
+  # pattern rule where we don't need one.  That is ok -- this is a
+  # normal compilation that the losing compiler can handle.  If no
+  # `.c' file was seen then we are probably linking.  That is also
+  # ok.
+  exec "$@"
+fi
+
+# Name of file we expect compiler to create.
+cofile=`echo "$cfile" | sed -e 's|^.*/||' -e 's/\.c$/.o/'`
+
+# Create the lock directory.
+# Note: use `[/.-]' here to ensure that we don't use the same name
+# that we are using for the .o file.  Also, base the name on the expected
+# object file name, since that is what matters with a parallel build.
+lockdir=`echo "$cofile" | sed -e 's|[/.-]|_|g'`.d
+while true; do
+  if mkdir "$lockdir" >/dev/null 2>&1; then
+    break
+  fi
+  sleep 1
+done
+# FIXME: race condition here if user kills between mkdir and trap.
+trap "rmdir '$lockdir'; exit 1" 1 2 15
+
+# Run the compile.
+"$@"
+ret=$?
+
+if test -f "$cofile"; then
+  mv "$cofile" "$ofile"
+elif test -f "${cofile}bj"; then
+  mv "${cofile}bj" "$ofile"
+fi
+
+rmdir "$lockdir"
+exit $ret
+
+# Local Variables:
+# mode: shell-script
+# sh-indentation: 2
+# eval: (add-hook 'write-file-hooks 'time-stamp)
+# time-stamp-start: "scriptversion="
+# time-stamp-format: "%:y-%02m-%02d.%02H"
+# time-stamp-end: "$"
+# End:
diff --git a/src/charon/plugins/nm/gnome/config.guess b/src/charon/plugins/nm/gnome/config.guess
new file mode 100755
index 000000000..278f9e9e0
--- /dev/null
+++ b/src/charon/plugins/nm/gnome/config.guess
@@ -0,0 +1,1516 @@
+#! /bin/sh
+# Attempt to guess a canonical system name.
+#   Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
+#   2000, 2001, 2002, 2003, 2004, 2005, 2006 Free Software Foundation,
+#   Inc.
+
+timestamp='2007-07-22'
+
+# This file is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA
+# 02110-1301, USA.
+#
+# As a special exception to the GNU General Public License, if you
+# distribute this file as part of a program that contains a
+# configuration script generated by Autoconf, you may include it under
+# the same distribution terms that you use for the rest of that program.
+
+
+# Originally written by Per Bothner <per@bothner.com>.
+# Please send patches to <config-patches@gnu.org>.  Submit a context
+# diff and a properly formatted ChangeLog entry.
+#
+# This script attempts to guess a canonical system name similar to
+# config.sub.  If it succeeds, it prints the system name on stdout, and
+# exits with 0.  Otherwise, it exits with 1.
+#
+# The plan is that this can be called by configure scripts if you
+# don't specify an explicit build system type.
+
+me=`echo "$0" | sed -e 's,.*/,,'`
+
+usage="\
+Usage: $0 [OPTION]
+
+Output the configuration name of the system \`$me' is run on.
+
+Operation modes:
+  -h, --help         print this help, then exit
+  -t, --time-stamp   print date of last modification, then exit
+  -v, --version      print version number, then exit
+
+Report bugs and patches to <config-patches@gnu.org>."
+
+version="\
+GNU config.guess ($timestamp)
+
+Originally written by Per Bothner.
+Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005
+Free Software Foundation, Inc.
+
+This is free software; see the source for copying conditions.  There is NO
+warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
+
+help="
+Try \`$me --help' for more information."
+
+# Parse command line
+while test $# -gt 0 ; do
+  case $1 in
+    --time-stamp | --time* | -t )
+       echo "$timestamp" ; exit ;;
+    --version | -v )
+       echo "$version" ; exit ;;
+    --help | --h* | -h )
+       echo "$usage"; exit ;;
+    -- )     # Stop option processing
+       shift; break ;;
+    - )	# Use stdin as input.
+       break ;;
+    -* )
+       echo "$me: invalid option $1$help" >&2
+       exit 1 ;;
+    * )
+       break ;;
+  esac
+done
+
+if test $# != 0; then
+  echo "$me: too many arguments$help" >&2
+  exit 1
+fi
+
+trap 'exit 1' 1 2 15
+
+# CC_FOR_BUILD -- compiler used by this script. Note that the use of a
+# compiler to aid in system detection is discouraged as it requires
+# temporary files to be created and, as you can see below, it is a
+# headache to deal with in a portable fashion.
+
+# Historically, `CC_FOR_BUILD' used to be named `HOST_CC'. We still
+# use `HOST_CC' if defined, but it is deprecated.
+
+# Portable tmp directory creation inspired by the Autoconf team.
+
+set_cc_for_build='
+trap "exitcode=\$?; (rm -f \$tmpfiles 2>/dev/null; rmdir \$tmp 2>/dev/null) && exit \$exitcode" 0 ;
+trap "rm -f \$tmpfiles 2>/dev/null; rmdir \$tmp 2>/dev/null; exit 1" 1 2 13 15 ;
+: ${TMPDIR=/tmp} ;
+ { tmp=`(umask 077 && mktemp -d "$TMPDIR/cgXXXXXX") 2>/dev/null` && test -n "$tmp" && test -d "$tmp" ; } ||
+ { test -n "$RANDOM" && tmp=$TMPDIR/cg$$-$RANDOM && (umask 077 && mkdir $tmp) ; } ||
+ { tmp=$TMPDIR/cg-$$ && (umask 077 && mkdir $tmp) && echo "Warning: creating insecure temp directory" >&2 ; } ||
+ { echo "$me: cannot create a temporary directory in $TMPDIR" >&2 ; exit 1 ; } ;
+dummy=$tmp/dummy ;
+tmpfiles="$dummy.c $dummy.o $dummy.rel $dummy" ;
+case $CC_FOR_BUILD,$HOST_CC,$CC in
+ ,,)    echo "int x;" > $dummy.c ;
+	for c in cc gcc c89 c99 ; do
+	  if ($c -c -o $dummy.o $dummy.c) >/dev/null 2>&1 ; then
+	     CC_FOR_BUILD="$c"; break ;
+	  fi ;
+	done ;
+	if test x"$CC_FOR_BUILD" = x ; then
+	  CC_FOR_BUILD=no_compiler_found ;
+	fi
+	;;
+ ,,*)   CC_FOR_BUILD=$CC ;;
+ ,*,*)  CC_FOR_BUILD=$HOST_CC ;;
+esac ; set_cc_for_build= ;'
+
+# This is needed to find uname on a Pyramid OSx when run in the BSD universe.
+# (ghazi@noc.rutgers.edu 1994-08-24)
+if (test -f /.attbin/uname) >/dev/null 2>&1 ; then
+	PATH=$PATH:/.attbin ; export PATH
+fi
+
+UNAME_MACHINE=`(uname -m) 2>/dev/null` || UNAME_MACHINE=unknown
+UNAME_RELEASE=`(uname -r) 2>/dev/null` || UNAME_RELEASE=unknown
+UNAME_SYSTEM=`(uname -s) 2>/dev/null`  || UNAME_SYSTEM=unknown
+UNAME_VERSION=`(uname -v) 2>/dev/null` || UNAME_VERSION=unknown
+
+# Note: order is significant - the case branches are not exclusive.
+
+case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
+    *:NetBSD:*:*)
+	# NetBSD (nbsd) targets should (where applicable) match one or
+	# more of the tupples: *-*-netbsdelf*, *-*-netbsdaout*,
+	# *-*-netbsdecoff* and *-*-netbsd*.  For targets that recently
+	# switched to ELF, *-*-netbsd* would select the old
+	# object file format.  This provides both forward
+	# compatibility and a consistent mechanism for selecting the
+	# object file format.
+	#
+	# Note: NetBSD doesn't particularly care about the vendor
+	# portion of the name.  We always set it to "unknown".
+	sysctl="sysctl -n hw.machine_arch"
+	UNAME_MACHINE_ARCH=`(/sbin/$sysctl 2>/dev/null || \
+	    /usr/sbin/$sysctl 2>/dev/null || echo unknown)`
+	case "${UNAME_MACHINE_ARCH}" in
+	    armeb) machine=armeb-unknown ;;
+	    arm*) machine=arm-unknown ;;
+	    sh3el) machine=shl-unknown ;;
+	    sh3eb) machine=sh-unknown ;;
+	    sh5el) machine=sh5le-unknown ;;
+	    *) machine=${UNAME_MACHINE_ARCH}-unknown ;;
+	esac
+	# The Operating System including object format, if it has switched
+	# to ELF recently, or will in the future.
+	case "${UNAME_MACHINE_ARCH}" in
+	    arm*|i386|m68k|ns32k|sh3*|sparc|vax)
+		eval $set_cc_for_build
+		if echo __ELF__ | $CC_FOR_BUILD -E - 2>/dev/null \
+			| grep __ELF__ >/dev/null
+		then
+		    # Once all utilities can be ECOFF (netbsdecoff) or a.out (netbsdaout).
+		    # Return netbsd for either.  FIX?
+		    os=netbsd
+		else
+		    os=netbsdelf
+		fi
+		;;
+	    *)
+	        os=netbsd
+		;;
+	esac
+	# The OS release
+	# Debian GNU/NetBSD machines have a different userland, and
+	# thus, need a distinct triplet. However, they do not need
+	# kernel version information, so it can be replaced with a
+	# suitable tag, in the style of linux-gnu.
+	case "${UNAME_VERSION}" in
+	    Debian*)
+		release='-gnu'
+		;;
+	    *)
+		release=`echo ${UNAME_RELEASE}|sed -e 's/[-_].*/\./'`
+		;;
+	esac
+	# Since CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM:
+	# contains redundant information, the shorter form:
+	# CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM is used.
+	echo "${machine}-${os}${release}"
+	exit ;;
+    *:OpenBSD:*:*)
+	UNAME_MACHINE_ARCH=`arch | sed 's/OpenBSD.//'`
+	echo ${UNAME_MACHINE_ARCH}-unknown-openbsd${UNAME_RELEASE}
+	exit ;;
+    *:ekkoBSD:*:*)
+	echo ${UNAME_MACHINE}-unknown-ekkobsd${UNAME_RELEASE}
+	exit ;;
+    *:SolidBSD:*:*)
+	echo ${UNAME_MACHINE}-unknown-solidbsd${UNAME_RELEASE}
+	exit ;;
+    macppc:MirBSD:*:*)
+	echo powerpc-unknown-mirbsd${UNAME_RELEASE}
+	exit ;;
+    *:MirBSD:*:*)
+	echo ${UNAME_MACHINE}-unknown-mirbsd${UNAME_RELEASE}
+	exit ;;
+    alpha:OSF1:*:*)
+	case $UNAME_RELEASE in
+	*4.0)
+		UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $3}'`
+		;;
+	*5.*)
+	        UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $4}'`
+		;;
+	esac
+	# According to Compaq, /usr/sbin/psrinfo has been available on
+	# OSF/1 and Tru64 systems produced since 1995.  I hope that
+	# covers most systems running today.  This code pipes the CPU
+	# types through head -n 1, so we only detect the type of CPU 0.
+	ALPHA_CPU_TYPE=`/usr/sbin/psrinfo -v | sed -n -e 's/^  The alpha \(.*\) processor.*$/\1/p' | head -n 1`
+	case "$ALPHA_CPU_TYPE" in
+	    "EV4 (21064)")
+		UNAME_MACHINE="alpha" ;;
+	    "EV4.5 (21064)")
+		UNAME_MACHINE="alpha" ;;
+	    "LCA4 (21066/21068)")
+		UNAME_MACHINE="alpha" ;;
+	    "EV5 (21164)")
+		UNAME_MACHINE="alphaev5" ;;
+	    "EV5.6 (21164A)")
+		UNAME_MACHINE="alphaev56" ;;
+	    "EV5.6 (21164PC)")
+		UNAME_MACHINE="alphapca56" ;;
+	    "EV5.7 (21164PC)")
+		UNAME_MACHINE="alphapca57" ;;
+	    "EV6 (21264)")
+		UNAME_MACHINE="alphaev6" ;;
+	    "EV6.7 (21264A)")
+		UNAME_MACHINE="alphaev67" ;;
+	    "EV6.8CB (21264C)")
+		UNAME_MACHINE="alphaev68" ;;
+	    "EV6.8AL (21264B)")
+		UNAME_MACHINE="alphaev68" ;;
+	    "EV6.8CX (21264D)")
+		UNAME_MACHINE="alphaev68" ;;
+	    "EV6.9A (21264/EV69A)")
+		UNAME_MACHINE="alphaev69" ;;
+	    "EV7 (21364)")
+		UNAME_MACHINE="alphaev7" ;;
+	    "EV7.9 (21364A)")
+		UNAME_MACHINE="alphaev79" ;;
+	esac
+	# A Pn.n version is a patched version.
+	# A Vn.n version is a released version.
+	# A Tn.n version is a released field test version.
+	# A Xn.n version is an unreleased experimental baselevel.
+	# 1.2 uses "1.2" for uname -r.
+	echo ${UNAME_MACHINE}-dec-osf`echo ${UNAME_RELEASE} | sed -e 's/^[PVTX]//' | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'`
+	exit ;;
+    Alpha\ *:Windows_NT*:*)
+	# How do we know it's Interix rather than the generic POSIX subsystem?
+	# Should we change UNAME_MACHINE based on the output of uname instead
+	# of the specific Alpha model?
+	echo alpha-pc-interix
+	exit ;;
+    21064:Windows_NT:50:3)
+	echo alpha-dec-winnt3.5
+	exit ;;
+    Amiga*:UNIX_System_V:4.0:*)
+	echo m68k-unknown-sysv4
+	exit ;;
+    *:[Aa]miga[Oo][Ss]:*:*)
+	echo ${UNAME_MACHINE}-unknown-amigaos
+	exit ;;
+    *:[Mm]orph[Oo][Ss]:*:*)
+	echo ${UNAME_MACHINE}-unknown-morphos
+	exit ;;
+    *:OS/390:*:*)
+	echo i370-ibm-openedition
+	exit ;;
+    *:z/VM:*:*)
+	echo s390-ibm-zvmoe
+	exit ;;
+    *:OS400:*:*)
+        echo powerpc-ibm-os400
+	exit ;;
+    arm:RISC*:1.[012]*:*|arm:riscix:1.[012]*:*)
+	echo arm-acorn-riscix${UNAME_RELEASE}
+	exit ;;
+    arm:riscos:*:*|arm:RISCOS:*:*)
+	echo arm-unknown-riscos
+	exit ;;
+    SR2?01:HI-UX/MPP:*:* | SR8000:HI-UX/MPP:*:*)
+	echo hppa1.1-hitachi-hiuxmpp
+	exit ;;
+    Pyramid*:OSx*:*:* | MIS*:OSx*:*:* | MIS*:SMP_DC-OSx*:*:*)
+	# akee@wpdis03.wpafb.af.mil (Earle F. Ake) contributed MIS and NILE.
+	if test "`(/bin/universe) 2>/dev/null`" = att ; then
+		echo pyramid-pyramid-sysv3
+	else
+		echo pyramid-pyramid-bsd
+	fi
+	exit ;;
+    NILE*:*:*:dcosx)
+	echo pyramid-pyramid-svr4
+	exit ;;
+    DRS?6000:unix:4.0:6*)
+	echo sparc-icl-nx6
+	exit ;;
+    DRS?6000:UNIX_SV:4.2*:7* | DRS?6000:isis:4.2*:7*)
+	case `/usr/bin/uname -p` in
+	    sparc) echo sparc-icl-nx7; exit ;;
+	esac ;;
+    sun4H:SunOS:5.*:*)
+	echo sparc-hal-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
+	exit ;;
+    sun4*:SunOS:5.*:* | tadpole*:SunOS:5.*:*)
+	echo sparc-sun-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
+	exit ;;
+    i86pc:SunOS:5.*:* | i86xen:SunOS:5.*:*)
+	echo i386-pc-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
+	exit ;;
+    sun4*:SunOS:6*:*)
+	# According to config.sub, this is the proper way to canonicalize
+	# SunOS6.  Hard to guess exactly what SunOS6 will be like, but
+	# it's likely to be more like Solaris than SunOS4.
+	echo sparc-sun-solaris3`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
+	exit ;;
+    sun4*:SunOS:*:*)
+	case "`/usr/bin/arch -k`" in
+	    Series*|S4*)
+		UNAME_RELEASE=`uname -v`
+		;;
+	esac
+	# Japanese Language versions have a version number like `4.1.3-JL'.
+	echo sparc-sun-sunos`echo ${UNAME_RELEASE}|sed -e 's/-/_/'`
+	exit ;;
+    sun3*:SunOS:*:*)
+	echo m68k-sun-sunos${UNAME_RELEASE}
+	exit ;;
+    sun*:*:4.2BSD:*)
+	UNAME_RELEASE=`(sed 1q /etc/motd | awk '{print substr($5,1,3)}') 2>/dev/null`
+	test "x${UNAME_RELEASE}" = "x" && UNAME_RELEASE=3
+	case "`/bin/arch`" in
+	    sun3)
+		echo m68k-sun-sunos${UNAME_RELEASE}
+		;;
+	    sun4)
+		echo sparc-sun-sunos${UNAME_RELEASE}
+		;;
+	esac
+	exit ;;
+    aushp:SunOS:*:*)
+	echo sparc-auspex-sunos${UNAME_RELEASE}
+	exit ;;
+    # The situation for MiNT is a little confusing.  The machine name
+    # can be virtually everything (everything which is not
+    # "atarist" or "atariste" at least should have a processor
+    # > m68000).  The system name ranges from "MiNT" over "FreeMiNT"
+    # to the lowercase version "mint" (or "freemint").  Finally
+    # the system name "TOS" denotes a system which is actually not
+    # MiNT.  But MiNT is downward compatible to TOS, so this should
+    # be no problem.
+    atarist[e]:*MiNT:*:* | atarist[e]:*mint:*:* | atarist[e]:*TOS:*:*)
+        echo m68k-atari-mint${UNAME_RELEASE}
+	exit ;;
+    atari*:*MiNT:*:* | atari*:*mint:*:* | atarist[e]:*TOS:*:*)
+	echo m68k-atari-mint${UNAME_RELEASE}
+        exit ;;
+    *falcon*:*MiNT:*:* | *falcon*:*mint:*:* | *falcon*:*TOS:*:*)
+        echo m68k-atari-mint${UNAME_RELEASE}
+	exit ;;
+    milan*:*MiNT:*:* | milan*:*mint:*:* | *milan*:*TOS:*:*)
+        echo m68k-milan-mint${UNAME_RELEASE}
+        exit ;;
+    hades*:*MiNT:*:* | hades*:*mint:*:* | *hades*:*TOS:*:*)
+        echo m68k-hades-mint${UNAME_RELEASE}
+        exit ;;
+    *:*MiNT:*:* | *:*mint:*:* | *:*TOS:*:*)
+        echo m68k-unknown-mint${UNAME_RELEASE}
+        exit ;;
+    m68k:machten:*:*)
+	echo m68k-apple-machten${UNAME_RELEASE}
+	exit ;;
+    powerpc:machten:*:*)
+	echo powerpc-apple-machten${UNAME_RELEASE}
+	exit ;;
+    RISC*:Mach:*:*)
+	echo mips-dec-mach_bsd4.3
+	exit ;;
+    RISC*:ULTRIX:*:*)
+	echo mips-dec-ultrix${UNAME_RELEASE}
+	exit ;;
+    VAX*:ULTRIX*:*:*)
+	echo vax-dec-ultrix${UNAME_RELEASE}
+	exit ;;
+    2020:CLIX:*:* | 2430:CLIX:*:*)
+	echo clipper-intergraph-clix${UNAME_RELEASE}
+	exit ;;
+    mips:*:*:UMIPS | mips:*:*:RISCos)
+	eval $set_cc_for_build
+	sed 's/^	//' << EOF >$dummy.c
+#ifdef __cplusplus
+#include <stdio.h>  /* for printf() prototype */
+	int main (int argc, char *argv[]) {
+#else
+	int main (argc, argv) int argc; char *argv[]; {
+#endif
+	#if defined (host_mips) && defined (MIPSEB)
+	#if defined (SYSTYPE_SYSV)
+	  printf ("mips-mips-riscos%ssysv\n", argv[1]); exit (0);
+	#endif
+	#if defined (SYSTYPE_SVR4)
+	  printf ("mips-mips-riscos%ssvr4\n", argv[1]); exit (0);
+	#endif
+	#if defined (SYSTYPE_BSD43) || defined(SYSTYPE_BSD)
+	  printf ("mips-mips-riscos%sbsd\n", argv[1]); exit (0);
+	#endif
+	#endif
+	  exit (-1);
+	}
+EOF
+	$CC_FOR_BUILD -o $dummy $dummy.c &&
+	  dummyarg=`echo "${UNAME_RELEASE}" | sed -n 's/\([0-9]*\).*/\1/p'` &&
+	  SYSTEM_NAME=`$dummy $dummyarg` &&
+	    { echo "$SYSTEM_NAME"; exit; }
+	echo mips-mips-riscos${UNAME_RELEASE}
+	exit ;;
+    Motorola:PowerMAX_OS:*:*)
+	echo powerpc-motorola-powermax
+	exit ;;
+    Motorola:*:4.3:PL8-*)
+	echo powerpc-harris-powermax
+	exit ;;
+    Night_Hawk:*:*:PowerMAX_OS | Synergy:PowerMAX_OS:*:*)
+	echo powerpc-harris-powermax
+	exit ;;
+    Night_Hawk:Power_UNIX:*:*)
+	echo powerpc-harris-powerunix
+	exit ;;
+    m88k:CX/UX:7*:*)
+	echo m88k-harris-cxux7
+	exit ;;
+    m88k:*:4*:R4*)
+	echo m88k-motorola-sysv4
+	exit ;;
+    m88k:*:3*:R3*)
+	echo m88k-motorola-sysv3
+	exit ;;
+    AViiON:dgux:*:*)
+        # DG/UX returns AViiON for all architectures
+        UNAME_PROCESSOR=`/usr/bin/uname -p`
+	if [ $UNAME_PROCESSOR = mc88100 ] || [ $UNAME_PROCESSOR = mc88110 ]
+	then
+	    if [ ${TARGET_BINARY_INTERFACE}x = m88kdguxelfx ] || \
+	       [ ${TARGET_BINARY_INTERFACE}x = x ]
+	    then
+		echo m88k-dg-dgux${UNAME_RELEASE}
+	    else
+		echo m88k-dg-dguxbcs${UNAME_RELEASE}
+	    fi
+	else
+	    echo i586-dg-dgux${UNAME_RELEASE}
+	fi
+ 	exit ;;
+    M88*:DolphinOS:*:*)	# DolphinOS (SVR3)
+	echo m88k-dolphin-sysv3
+	exit ;;
+    M88*:*:R3*:*)
+	# Delta 88k system running SVR3
+	echo m88k-motorola-sysv3
+	exit ;;
+    XD88*:*:*:*) # Tektronix XD88 system running UTekV (SVR3)
+	echo m88k-tektronix-sysv3
+	exit ;;
+    Tek43[0-9][0-9]:UTek:*:*) # Tektronix 4300 system running UTek (BSD)
+	echo m68k-tektronix-bsd
+	exit ;;
+    *:IRIX*:*:*)
+	echo mips-sgi-irix`echo ${UNAME_RELEASE}|sed -e 's/-/_/g'`
+	exit ;;
+    ????????:AIX?:[12].1:2)   # AIX 2.2.1 or AIX 2.1.1 is RT/PC AIX.
+	echo romp-ibm-aix     # uname -m gives an 8 hex-code CPU id
+	exit ;;               # Note that: echo "'`uname -s`'" gives 'AIX '
+    i*86:AIX:*:*)
+	echo i386-ibm-aix
+	exit ;;
+    ia64:AIX:*:*)
+	if [ -x /usr/bin/oslevel ] ; then
+		IBM_REV=`/usr/bin/oslevel`
+	else
+		IBM_REV=${UNAME_VERSION}.${UNAME_RELEASE}
+	fi
+	echo ${UNAME_MACHINE}-ibm-aix${IBM_REV}
+	exit ;;
+    *:AIX:2:3)
+	if grep bos325 /usr/include/stdio.h >/dev/null 2>&1; then
+		eval $set_cc_for_build
+		sed 's/^		//' << EOF >$dummy.c
+		#include <sys/systemcfg.h>
+
+		main()
+			{
+			if (!__power_pc())
+				exit(1);
+			puts("powerpc-ibm-aix3.2.5");
+			exit(0);
+			}
+EOF
+		if $CC_FOR_BUILD -o $dummy $dummy.c && SYSTEM_NAME=`$dummy`
+		then
+			echo "$SYSTEM_NAME"
+		else
+			echo rs6000-ibm-aix3.2.5
+		fi
+	elif grep bos324 /usr/include/stdio.h >/dev/null 2>&1; then
+		echo rs6000-ibm-aix3.2.4
+	else
+		echo rs6000-ibm-aix3.2
+	fi
+	exit ;;
+    *:AIX:*:[45])
+	IBM_CPU_ID=`/usr/sbin/lsdev -C -c processor -S available | sed 1q | awk '{ print $1 }'`
+	if /usr/sbin/lsattr -El ${IBM_CPU_ID} | grep ' POWER' >/dev/null 2>&1; then
+		IBM_ARCH=rs6000
+	else
+		IBM_ARCH=powerpc
+	fi
+	if [ -x /usr/bin/oslevel ] ; then
+		IBM_REV=`/usr/bin/oslevel`
+	else
+		IBM_REV=${UNAME_VERSION}.${UNAME_RELEASE}
+	fi
+	echo ${IBM_ARCH}-ibm-aix${IBM_REV}
+	exit ;;
+    *:AIX:*:*)
+	echo rs6000-ibm-aix
+	exit ;;
+    ibmrt:4.4BSD:*|romp-ibm:BSD:*)
+	echo romp-ibm-bsd4.4
+	exit ;;
+    ibmrt:*BSD:*|romp-ibm:BSD:*)            # covers RT/PC BSD and
+	echo romp-ibm-bsd${UNAME_RELEASE}   # 4.3 with uname added to
+	exit ;;                             # report: romp-ibm BSD 4.3
+    *:BOSX:*:*)
+	echo rs6000-bull-bosx
+	exit ;;
+    DPX/2?00:B.O.S.:*:*)
+	echo m68k-bull-sysv3
+	exit ;;
+    9000/[34]??:4.3bsd:1.*:*)
+	echo m68k-hp-bsd
+	exit ;;
+    hp300:4.4BSD:*:* | 9000/[34]??:4.3bsd:2.*:*)
+	echo m68k-hp-bsd4.4
+	exit ;;
+    9000/[34678]??:HP-UX:*:*)
+	HPUX_REV=`echo ${UNAME_RELEASE}|sed -e 's/[^.]*.[0B]*//'`
+	case "${UNAME_MACHINE}" in
+	    9000/31? )            HP_ARCH=m68000 ;;
+	    9000/[34]?? )         HP_ARCH=m68k ;;
+	    9000/[678][0-9][0-9])
+		if [ -x /usr/bin/getconf ]; then
+		    sc_cpu_version=`/usr/bin/getconf SC_CPU_VERSION 2>/dev/null`
+                    sc_kernel_bits=`/usr/bin/getconf SC_KERNEL_BITS 2>/dev/null`
+                    case "${sc_cpu_version}" in
+                      523) HP_ARCH="hppa1.0" ;; # CPU_PA_RISC1_0
+                      528) HP_ARCH="hppa1.1" ;; # CPU_PA_RISC1_1
+                      532)                      # CPU_PA_RISC2_0
+                        case "${sc_kernel_bits}" in
+                          32) HP_ARCH="hppa2.0n" ;;
+                          64) HP_ARCH="hppa2.0w" ;;
+			  '') HP_ARCH="hppa2.0" ;;   # HP-UX 10.20
+                        esac ;;
+                    esac
+		fi
+		if [ "${HP_ARCH}" = "" ]; then
+		    eval $set_cc_for_build
+		    sed 's/^              //' << EOF >$dummy.c
+
+              #define _HPUX_SOURCE
+              #include <stdlib.h>
+              #include <unistd.h>
+
+              int main ()
+              {
+              #if defined(_SC_KERNEL_BITS)
+                  long bits = sysconf(_SC_KERNEL_BITS);
+              #endif
+                  long cpu  = sysconf (_SC_CPU_VERSION);
+
+                  switch (cpu)
+              	{
+              	case CPU_PA_RISC1_0: puts ("hppa1.0"); break;
+              	case CPU_PA_RISC1_1: puts ("hppa1.1"); break;
+              	case CPU_PA_RISC2_0:
+              #if defined(_SC_KERNEL_BITS)
+              	    switch (bits)
+              		{
+              		case 64: puts ("hppa2.0w"); break;
+              		case 32: puts ("hppa2.0n"); break;
+              		default: puts ("hppa2.0"); break;
+              		} break;
+              #else  /* !defined(_SC_KERNEL_BITS) */
+              	    puts ("hppa2.0"); break;
+              #endif
+              	default: puts ("hppa1.0"); break;
+              	}
+                  exit (0);
+              }
+EOF
+		    (CCOPTS= $CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null) && HP_ARCH=`$dummy`
+		    test -z "$HP_ARCH" && HP_ARCH=hppa
+		fi ;;
+	esac
+	if [ ${HP_ARCH} = "hppa2.0w" ]
+	then
+	    eval $set_cc_for_build
+
+	    # hppa2.0w-hp-hpux* has a 64-bit kernel and a compiler generating
+	    # 32-bit code.  hppa64-hp-hpux* has the same kernel and a compiler
+	    # generating 64-bit code.  GNU and HP use different nomenclature:
+	    #
+	    # $ CC_FOR_BUILD=cc ./config.guess
+	    # => hppa2.0w-hp-hpux11.23
+	    # $ CC_FOR_BUILD="cc +DA2.0w" ./config.guess
+	    # => hppa64-hp-hpux11.23
+
+	    if echo __LP64__ | (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) |
+		grep __LP64__ >/dev/null
+	    then
+		HP_ARCH="hppa2.0w"
+	    else
+		HP_ARCH="hppa64"
+	    fi
+	fi
+	echo ${HP_ARCH}-hp-hpux${HPUX_REV}
+	exit ;;
+    ia64:HP-UX:*:*)
+	HPUX_REV=`echo ${UNAME_RELEASE}|sed -e 's/[^.]*.[0B]*//'`
+	echo ia64-hp-hpux${HPUX_REV}
+	exit ;;
+    3050*:HI-UX:*:*)
+	eval $set_cc_for_build
+	sed 's/^	//' << EOF >$dummy.c
+	#include <unistd.h>
+	int
+	main ()
+	{
+	  long cpu = sysconf (_SC_CPU_VERSION);
+	  /* The order matters, because CPU_IS_HP_MC68K erroneously returns
+	     true for CPU_PA_RISC1_0.  CPU_IS_PA_RISC returns correct
+	     results, however.  */
+	  if (CPU_IS_PA_RISC (cpu))
+	    {
+	      switch (cpu)
+		{
+		  case CPU_PA_RISC1_0: puts ("hppa1.0-hitachi-hiuxwe2"); break;
+		  case CPU_PA_RISC1_1: puts ("hppa1.1-hitachi-hiuxwe2"); break;
+		  case CPU_PA_RISC2_0: puts ("hppa2.0-hitachi-hiuxwe2"); break;
+		  default: puts ("hppa-hitachi-hiuxwe2"); break;
+		}
+	    }
+	  else if (CPU_IS_HP_MC68K (cpu))
+	    puts ("m68k-hitachi-hiuxwe2");
+	  else puts ("unknown-hitachi-hiuxwe2");
+	  exit (0);
+	}
+EOF
+	$CC_FOR_BUILD -o $dummy $dummy.c && SYSTEM_NAME=`$dummy` &&
+		{ echo "$SYSTEM_NAME"; exit; }
+	echo unknown-hitachi-hiuxwe2
+	exit ;;
+    9000/7??:4.3bsd:*:* | 9000/8?[79]:4.3bsd:*:* )
+	echo hppa1.1-hp-bsd
+	exit ;;
+    9000/8??:4.3bsd:*:*)
+	echo hppa1.0-hp-bsd
+	exit ;;
+    *9??*:MPE/iX:*:* | *3000*:MPE/iX:*:*)
+	echo hppa1.0-hp-mpeix
+	exit ;;
+    hp7??:OSF1:*:* | hp8?[79]:OSF1:*:* )
+	echo hppa1.1-hp-osf
+	exit ;;
+    hp8??:OSF1:*:*)
+	echo hppa1.0-hp-osf
+	exit ;;
+    i*86:OSF1:*:*)
+	if [ -x /usr/sbin/sysversion ] ; then
+	    echo ${UNAME_MACHINE}-unknown-osf1mk
+	else
+	    echo ${UNAME_MACHINE}-unknown-osf1
+	fi
+	exit ;;
+    parisc*:Lites*:*:*)
+	echo hppa1.1-hp-lites
+	exit ;;
+    C1*:ConvexOS:*:* | convex:ConvexOS:C1*:*)
+	echo c1-convex-bsd
+        exit ;;
+    C2*:ConvexOS:*:* | convex:ConvexOS:C2*:*)
+	if getsysinfo -f scalar_acc
+	then echo c32-convex-bsd
+	else echo c2-convex-bsd
+	fi
+        exit ;;
+    C34*:ConvexOS:*:* | convex:ConvexOS:C34*:*)
+	echo c34-convex-bsd
+        exit ;;
+    C38*:ConvexOS:*:* | convex:ConvexOS:C38*:*)
+	echo c38-convex-bsd
+        exit ;;
+    C4*:ConvexOS:*:* | convex:ConvexOS:C4*:*)
+	echo c4-convex-bsd
+        exit ;;
+    CRAY*Y-MP:*:*:*)
+	echo ymp-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
+	exit ;;
+    CRAY*[A-Z]90:*:*:*)
+	echo ${UNAME_MACHINE}-cray-unicos${UNAME_RELEASE} \
+	| sed -e 's/CRAY.*\([A-Z]90\)/\1/' \
+	      -e y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/abcdefghijklmnopqrstuvwxyz/ \
+	      -e 's/\.[^.]*$/.X/'
+	exit ;;
+    CRAY*TS:*:*:*)
+	echo t90-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
+	exit ;;
+    CRAY*T3E:*:*:*)
+	echo alphaev5-cray-unicosmk${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
+	exit ;;
+    CRAY*SV1:*:*:*)
+	echo sv1-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
+	exit ;;
+    *:UNICOS/mp:*:*)
+	echo craynv-cray-unicosmp${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
+	exit ;;
+    F30[01]:UNIX_System_V:*:* | F700:UNIX_System_V:*:*)
+	FUJITSU_PROC=`uname -m | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'`
+        FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'`
+        FUJITSU_REL=`echo ${UNAME_RELEASE} | sed -e 's/ /_/'`
+        echo "${FUJITSU_PROC}-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}"
+        exit ;;
+    5000:UNIX_System_V:4.*:*)
+        FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'`
+        FUJITSU_REL=`echo ${UNAME_RELEASE} | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/ /_/'`
+        echo "sparc-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}"
+	exit ;;
+    i*86:BSD/386:*:* | i*86:BSD/OS:*:* | *:Ascend\ Embedded/OS:*:*)
+	echo ${UNAME_MACHINE}-pc-bsdi${UNAME_RELEASE}
+	exit ;;
+    sparc*:BSD/OS:*:*)
+	echo sparc-unknown-bsdi${UNAME_RELEASE}
+	exit ;;
+    *:BSD/OS:*:*)
+	echo ${UNAME_MACHINE}-unknown-bsdi${UNAME_RELEASE}
+	exit ;;
+    *:FreeBSD:*:*)
+	case ${UNAME_MACHINE} in
+	    pc98)
+		echo i386-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;;
+	    amd64)
+		echo x86_64-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;;
+	    *)
+		echo ${UNAME_MACHINE}-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;;
+	esac
+	exit ;;
+    i*:CYGWIN*:*)
+	echo ${UNAME_MACHINE}-pc-cygwin
+	exit ;;
+    *:MINGW*:*)
+	echo ${UNAME_MACHINE}-pc-mingw32
+	exit ;;
+    i*:windows32*:*)
+    	# uname -m includes "-pc" on this system.
+    	echo ${UNAME_MACHINE}-mingw32
+	exit ;;
+    i*:PW*:*)
+	echo ${UNAME_MACHINE}-pc-pw32
+	exit ;;
+    *:Interix*:[3456]*)
+    	case ${UNAME_MACHINE} in
+	    x86)
+		echo i586-pc-interix${UNAME_RELEASE}
+		exit ;;
+	    EM64T | authenticamd)
+		echo x86_64-unknown-interix${UNAME_RELEASE}
+		exit ;;
+	esac ;;
+    [345]86:Windows_95:* | [345]86:Windows_98:* | [345]86:Windows_NT:*)
+	echo i${UNAME_MACHINE}-pc-mks
+	exit ;;
+    i*:Windows_NT*:* | Pentium*:Windows_NT*:*)
+	# How do we know it's Interix rather than the generic POSIX subsystem?
+	# It also conflicts with pre-2.0 versions of AT&T UWIN. Should we
+	# UNAME_MACHINE based on the output of uname instead of i386?
+	echo i586-pc-interix
+	exit ;;
+    i*:UWIN*:*)
+	echo ${UNAME_MACHINE}-pc-uwin
+	exit ;;
+    amd64:CYGWIN*:*:* | x86_64:CYGWIN*:*:*)
+	echo x86_64-unknown-cygwin
+	exit ;;
+    p*:CYGWIN*:*)
+	echo powerpcle-unknown-cygwin
+	exit ;;
+    prep*:SunOS:5.*:*)
+	echo powerpcle-unknown-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
+	exit ;;
+    *:GNU:*:*)
+	# the GNU system
+	echo `echo ${UNAME_MACHINE}|sed -e 's,[-/].*$,,'`-unknown-gnu`echo ${UNAME_RELEASE}|sed -e 's,/.*$,,'`
+	exit ;;
+    *:GNU/*:*:*)
+	# other systems with GNU libc and userland
+	echo ${UNAME_MACHINE}-unknown-`echo ${UNAME_SYSTEM} | sed 's,^[^/]*/,,' | tr '[A-Z]' '[a-z]'``echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`-gnu
+	exit ;;
+    i*86:Minix:*:*)
+	echo ${UNAME_MACHINE}-pc-minix
+	exit ;;
+    arm*:Linux:*:*)
+	echo ${UNAME_MACHINE}-unknown-linux-gnu
+	exit ;;
+    avr32*:Linux:*:*)
+	echo ${UNAME_MACHINE}-unknown-linux-gnu
+	exit ;;
+    cris:Linux:*:*)
+	echo cris-axis-linux-gnu
+	exit ;;
+    crisv32:Linux:*:*)
+	echo crisv32-axis-linux-gnu
+	exit ;;
+    frv:Linux:*:*)
+    	echo frv-unknown-linux-gnu
+	exit ;;
+    ia64:Linux:*:*)
+	echo ${UNAME_MACHINE}-unknown-linux-gnu
+	exit ;;
+    m32r*:Linux:*:*)
+	echo ${UNAME_MACHINE}-unknown-linux-gnu
+	exit ;;
+    m68*:Linux:*:*)
+	echo ${UNAME_MACHINE}-unknown-linux-gnu
+	exit ;;
+    mips:Linux:*:*)
+	eval $set_cc_for_build
+	sed 's/^	//' << EOF >$dummy.c
+	#undef CPU
+	#undef mips
+	#undef mipsel
+	#if defined(__MIPSEL__) || defined(__MIPSEL) || defined(_MIPSEL) || defined(MIPSEL)
+	CPU=mipsel
+	#else
+	#if defined(__MIPSEB__) || defined(__MIPSEB) || defined(_MIPSEB) || defined(MIPSEB)
+	CPU=mips
+	#else
+	CPU=
+	#endif
+	#endif
+EOF
+	eval "`$CC_FOR_BUILD -E $dummy.c 2>/dev/null | sed -n '
+	    /^CPU/{
+		s: ::g
+		p
+	    }'`"
+	test x"${CPU}" != x && { echo "${CPU}-unknown-linux-gnu"; exit; }
+	;;
+    mips64:Linux:*:*)
+	eval $set_cc_for_build
+	sed 's/^	//' << EOF >$dummy.c
+	#undef CPU
+	#undef mips64
+	#undef mips64el
+	#if defined(__MIPSEL__) || defined(__MIPSEL) || defined(_MIPSEL) || defined(MIPSEL)
+	CPU=mips64el
+	#else
+	#if defined(__MIPSEB__) || defined(__MIPSEB) || defined(_MIPSEB) || defined(MIPSEB)
+	CPU=mips64
+	#else
+	CPU=
+	#endif
+	#endif
+EOF
+	eval "`$CC_FOR_BUILD -E $dummy.c 2>/dev/null | sed -n '
+	    /^CPU/{
+		s: ::g
+		p
+	    }'`"
+	test x"${CPU}" != x && { echo "${CPU}-unknown-linux-gnu"; exit; }
+	;;
+    or32:Linux:*:*)
+	echo or32-unknown-linux-gnu
+	exit ;;
+    ppc:Linux:*:*)
+	echo powerpc-unknown-linux-gnu
+	exit ;;
+    ppc64:Linux:*:*)
+	echo powerpc64-unknown-linux-gnu
+	exit ;;
+    alpha:Linux:*:*)
+	case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' < /proc/cpuinfo` in
+	  EV5)   UNAME_MACHINE=alphaev5 ;;
+	  EV56)  UNAME_MACHINE=alphaev56 ;;
+	  PCA56) UNAME_MACHINE=alphapca56 ;;
+	  PCA57) UNAME_MACHINE=alphapca56 ;;
+	  EV6)   UNAME_MACHINE=alphaev6 ;;
+	  EV67)  UNAME_MACHINE=alphaev67 ;;
+	  EV68*) UNAME_MACHINE=alphaev68 ;;
+        esac
+	objdump --private-headers /bin/sh | grep ld.so.1 >/dev/null
+	if test "$?" = 0 ; then LIBC="libc1" ; else LIBC="" ; fi
+	echo ${UNAME_MACHINE}-unknown-linux-gnu${LIBC}
+	exit ;;
+    parisc:Linux:*:* | hppa:Linux:*:*)
+	# Look for CPU level
+	case `grep '^cpu[^a-z]*:' /proc/cpuinfo 2>/dev/null | cut -d' ' -f2` in
+	  PA7*) echo hppa1.1-unknown-linux-gnu ;;
+	  PA8*) echo hppa2.0-unknown-linux-gnu ;;
+	  *)    echo hppa-unknown-linux-gnu ;;
+	esac
+	exit ;;
+    parisc64:Linux:*:* | hppa64:Linux:*:*)
+	echo hppa64-unknown-linux-gnu
+	exit ;;
+    s390:Linux:*:* | s390x:Linux:*:*)
+	echo ${UNAME_MACHINE}-ibm-linux
+	exit ;;
+    sh64*:Linux:*:*)
+    	echo ${UNAME_MACHINE}-unknown-linux-gnu
+	exit ;;
+    sh*:Linux:*:*)
+	echo ${UNAME_MACHINE}-unknown-linux-gnu
+	exit ;;
+    sparc:Linux:*:* | sparc64:Linux:*:*)
+	echo ${UNAME_MACHINE}-unknown-linux-gnu
+	exit ;;
+    vax:Linux:*:*)
+	echo ${UNAME_MACHINE}-dec-linux-gnu
+	exit ;;
+    x86_64:Linux:*:*)
+	echo x86_64-unknown-linux-gnu
+	exit ;;
+    xtensa:Linux:*:*)
+    	echo xtensa-unknown-linux-gnu
+	exit ;;
+    i*86:Linux:*:*)
+	# The BFD linker knows what the default object file format is, so
+	# first see if it will tell us. cd to the root directory to prevent
+	# problems with other programs or directories called `ld' in the path.
+	# Set LC_ALL=C to ensure ld outputs messages in English.
+	ld_supported_targets=`cd /; LC_ALL=C ld --help 2>&1 \
+			 | sed -ne '/supported targets:/!d
+				    s/[ 	][ 	]*/ /g
+				    s/.*supported targets: *//
+				    s/ .*//
+				    p'`
+        case "$ld_supported_targets" in
+	  elf32-i386)
+		TENTATIVE="${UNAME_MACHINE}-pc-linux-gnu"
+		;;
+	  a.out-i386-linux)
+		echo "${UNAME_MACHINE}-pc-linux-gnuaout"
+		exit ;;
+	  coff-i386)
+		echo "${UNAME_MACHINE}-pc-linux-gnucoff"
+		exit ;;
+	  "")
+		# Either a pre-BFD a.out linker (linux-gnuoldld) or
+		# one that does not give us useful --help.
+		echo "${UNAME_MACHINE}-pc-linux-gnuoldld"
+		exit ;;
+	esac
+	# Determine whether the default compiler is a.out or elf
+	eval $set_cc_for_build
+	sed 's/^	//' << EOF >$dummy.c
+	#include <features.h>
+	#ifdef __ELF__
+	# ifdef __GLIBC__
+	#  if __GLIBC__ >= 2
+	LIBC=gnu
+	#  else
+	LIBC=gnulibc1
+	#  endif
+	# else
+	LIBC=gnulibc1
+	# endif
+	#else
+	#if defined(__INTEL_COMPILER) || defined(__PGI) || defined(__SUNPRO_C) || defined(__SUNPRO_CC)
+	LIBC=gnu
+	#else
+	LIBC=gnuaout
+	#endif
+	#endif
+	#ifdef __dietlibc__
+	LIBC=dietlibc
+	#endif
+EOF
+	eval "`$CC_FOR_BUILD -E $dummy.c 2>/dev/null | sed -n '
+	    /^LIBC/{
+		s: ::g
+		p
+	    }'`"
+	test x"${LIBC}" != x && {
+		echo "${UNAME_MACHINE}-pc-linux-${LIBC}"
+		exit
+	}
+	test x"${TENTATIVE}" != x && { echo "${TENTATIVE}"; exit; }
+	;;
+    i*86:DYNIX/ptx:4*:*)
+	# ptx 4.0 does uname -s correctly, with DYNIX/ptx in there.
+	# earlier versions are messed up and put the nodename in both
+	# sysname and nodename.
+	echo i386-sequent-sysv4
+	exit ;;
+    i*86:UNIX_SV:4.2MP:2.*)
+        # Unixware is an offshoot of SVR4, but it has its own version
+        # number series starting with 2...
+        # I am not positive that other SVR4 systems won't match this,
+	# I just have to hope.  -- rms.
+        # Use sysv4.2uw... so that sysv4* matches it.
+	echo ${UNAME_MACHINE}-pc-sysv4.2uw${UNAME_VERSION}
+	exit ;;
+    i*86:OS/2:*:*)
+	# If we were able to find `uname', then EMX Unix compatibility
+	# is probably installed.
+	echo ${UNAME_MACHINE}-pc-os2-emx
+	exit ;;
+    i*86:XTS-300:*:STOP)
+	echo ${UNAME_MACHINE}-unknown-stop
+	exit ;;
+    i*86:atheos:*:*)
+	echo ${UNAME_MACHINE}-unknown-atheos
+	exit ;;
+    i*86:syllable:*:*)
+	echo ${UNAME_MACHINE}-pc-syllable
+	exit ;;
+    i*86:LynxOS:2.*:* | i*86:LynxOS:3.[01]*:* | i*86:LynxOS:4.0*:*)
+	echo i386-unknown-lynxos${UNAME_RELEASE}
+	exit ;;
+    i*86:*DOS:*:*)
+	echo ${UNAME_MACHINE}-pc-msdosdjgpp
+	exit ;;
+    i*86:*:4.*:* | i*86:SYSTEM_V:4.*:*)
+	UNAME_REL=`echo ${UNAME_RELEASE} | sed 's/\/MP$//'`
+	if grep Novell /usr/include/link.h >/dev/null 2>/dev/null; then
+		echo ${UNAME_MACHINE}-univel-sysv${UNAME_REL}
+	else
+		echo ${UNAME_MACHINE}-pc-sysv${UNAME_REL}
+	fi
+	exit ;;
+    i*86:*:5:[678]*)
+    	# UnixWare 7.x, OpenUNIX and OpenServer 6.
+	case `/bin/uname -X | grep "^Machine"` in
+	    *486*)	     UNAME_MACHINE=i486 ;;
+	    *Pentium)	     UNAME_MACHINE=i586 ;;
+	    *Pent*|*Celeron) UNAME_MACHINE=i686 ;;
+	esac
+	echo ${UNAME_MACHINE}-unknown-sysv${UNAME_RELEASE}${UNAME_SYSTEM}${UNAME_VERSION}
+	exit ;;
+    i*86:*:3.2:*)
+	if test -f /usr/options/cb.name; then
+		UNAME_REL=`sed -n 's/.*Version //p' </usr/options/cb.name`
+		echo ${UNAME_MACHINE}-pc-isc$UNAME_REL
+	elif /bin/uname -X 2>/dev/null >/dev/null ; then
+		UNAME_REL=`(/bin/uname -X|grep Release|sed -e 's/.*= //')`
+		(/bin/uname -X|grep i80486 >/dev/null) && UNAME_MACHINE=i486
+		(/bin/uname -X|grep '^Machine.*Pentium' >/dev/null) \
+			&& UNAME_MACHINE=i586
+		(/bin/uname -X|grep '^Machine.*Pent *II' >/dev/null) \
+			&& UNAME_MACHINE=i686
+		(/bin/uname -X|grep '^Machine.*Pentium Pro' >/dev/null) \
+			&& UNAME_MACHINE=i686
+		echo ${UNAME_MACHINE}-pc-sco$UNAME_REL
+	else
+		echo ${UNAME_MACHINE}-pc-sysv32
+	fi
+	exit ;;
+    pc:*:*:*)
+	# Left here for compatibility:
+        # uname -m prints for DJGPP always 'pc', but it prints nothing about
+        # the processor, so we play safe by assuming i386.
+	echo i386-pc-msdosdjgpp
+        exit ;;
+    Intel:Mach:3*:*)
+	echo i386-pc-mach3
+	exit ;;
+    paragon:*:*:*)
+	echo i860-intel-osf1
+	exit ;;
+    i860:*:4.*:*) # i860-SVR4
+	if grep Stardent /usr/include/sys/uadmin.h >/dev/null 2>&1 ; then
+	  echo i860-stardent-sysv${UNAME_RELEASE} # Stardent Vistra i860-SVR4
+	else # Add other i860-SVR4 vendors below as they are discovered.
+	  echo i860-unknown-sysv${UNAME_RELEASE}  # Unknown i860-SVR4
+	fi
+	exit ;;
+    mini*:CTIX:SYS*5:*)
+	# "miniframe"
+	echo m68010-convergent-sysv
+	exit ;;
+    mc68k:UNIX:SYSTEM5:3.51m)
+	echo m68k-convergent-sysv
+	exit ;;
+    M680?0:D-NIX:5.3:*)
+	echo m68k-diab-dnix
+	exit ;;
+    M68*:*:R3V[5678]*:*)
+	test -r /sysV68 && { echo 'm68k-motorola-sysv'; exit; } ;;
+    3[345]??:*:4.0:3.0 | 3[34]??A:*:4.0:3.0 | 3[34]??,*:*:4.0:3.0 | 3[34]??/*:*:4.0:3.0 | 4400:*:4.0:3.0 | 4850:*:4.0:3.0 | SKA40:*:4.0:3.0 | SDS2:*:4.0:3.0 | SHG2:*:4.0:3.0 | S7501*:*:4.0:3.0)
+	OS_REL=''
+	test -r /etc/.relid \
+	&& OS_REL=.`sed -n 's/[^ ]* [^ ]* \([0-9][0-9]\).*/\1/p' < /etc/.relid`
+	/bin/uname -p 2>/dev/null | grep 86 >/dev/null \
+	  && { echo i486-ncr-sysv4.3${OS_REL}; exit; }
+	/bin/uname -p 2>/dev/null | /bin/grep entium >/dev/null \
+	  && { echo i586-ncr-sysv4.3${OS_REL}; exit; } ;;
+    3[34]??:*:4.0:* | 3[34]??,*:*:4.0:*)
+        /bin/uname -p 2>/dev/null | grep 86 >/dev/null \
+          && { echo i486-ncr-sysv4; exit; } ;;
+    m68*:LynxOS:2.*:* | m68*:LynxOS:3.0*:*)
+	echo m68k-unknown-lynxos${UNAME_RELEASE}
+	exit ;;
+    mc68030:UNIX_System_V:4.*:*)
+	echo m68k-atari-sysv4
+	exit ;;
+    TSUNAMI:LynxOS:2.*:*)
+	echo sparc-unknown-lynxos${UNAME_RELEASE}
+	exit ;;
+    rs6000:LynxOS:2.*:*)
+	echo rs6000-unknown-lynxos${UNAME_RELEASE}
+	exit ;;
+    PowerPC:LynxOS:2.*:* | PowerPC:LynxOS:3.[01]*:* | PowerPC:LynxOS:4.0*:*)
+	echo powerpc-unknown-lynxos${UNAME_RELEASE}
+	exit ;;
+    SM[BE]S:UNIX_SV:*:*)
+	echo mips-dde-sysv${UNAME_RELEASE}
+	exit ;;
+    RM*:ReliantUNIX-*:*:*)
+	echo mips-sni-sysv4
+	exit ;;
+    RM*:SINIX-*:*:*)
+	echo mips-sni-sysv4
+	exit ;;
+    *:SINIX-*:*:*)
+	if uname -p 2>/dev/null >/dev/null ; then
+		UNAME_MACHINE=`(uname -p) 2>/dev/null`
+		echo ${UNAME_MACHINE}-sni-sysv4
+	else
+		echo ns32k-sni-sysv
+	fi
+	exit ;;
+    PENTIUM:*:4.0*:*) # Unisys `ClearPath HMP IX 4000' SVR4/MP effort
+                      # says <Richard.M.Bartel@ccMail.Census.GOV>
+        echo i586-unisys-sysv4
+        exit ;;
+    *:UNIX_System_V:4*:FTX*)
+	# From Gerald Hewes <hewes@openmarket.com>.
+	# How about differentiating between stratus architectures? -djm
+	echo hppa1.1-stratus-sysv4
+	exit ;;
+    *:*:*:FTX*)
+	# From seanf@swdc.stratus.com.
+	echo i860-stratus-sysv4
+	exit ;;
+    i*86:VOS:*:*)
+	# From Paul.Green@stratus.com.
+	echo ${UNAME_MACHINE}-stratus-vos
+	exit ;;
+    *:VOS:*:*)
+	# From Paul.Green@stratus.com.
+	echo hppa1.1-stratus-vos
+	exit ;;
+    mc68*:A/UX:*:*)
+	echo m68k-apple-aux${UNAME_RELEASE}
+	exit ;;
+    news*:NEWS-OS:6*:*)
+	echo mips-sony-newsos6
+	exit ;;
+    R[34]000:*System_V*:*:* | R4000:UNIX_SYSV:*:* | R*000:UNIX_SV:*:*)
+	if [ -d /usr/nec ]; then
+	        echo mips-nec-sysv${UNAME_RELEASE}
+	else
+	        echo mips-unknown-sysv${UNAME_RELEASE}
+	fi
+        exit ;;
+    BeBox:BeOS:*:*)	# BeOS running on hardware made by Be, PPC only.
+	echo powerpc-be-beos
+	exit ;;
+    BeMac:BeOS:*:*)	# BeOS running on Mac or Mac clone, PPC only.
+	echo powerpc-apple-beos
+	exit ;;
+    BePC:BeOS:*:*)	# BeOS running on Intel PC compatible.
+	echo i586-pc-beos
+	exit ;;
+    SX-4:SUPER-UX:*:*)
+	echo sx4-nec-superux${UNAME_RELEASE}
+	exit ;;
+    SX-5:SUPER-UX:*:*)
+	echo sx5-nec-superux${UNAME_RELEASE}
+	exit ;;
+    SX-6:SUPER-UX:*:*)
+	echo sx6-nec-superux${UNAME_RELEASE}
+	exit ;;
+    SX-7:SUPER-UX:*:*)
+	echo sx7-nec-superux${UNAME_RELEASE}
+	exit ;;
+    SX-8:SUPER-UX:*:*)
+	echo sx8-nec-superux${UNAME_RELEASE}
+	exit ;;
+    SX-8R:SUPER-UX:*:*)
+	echo sx8r-nec-superux${UNAME_RELEASE}
+	exit ;;
+    Power*:Rhapsody:*:*)
+	echo powerpc-apple-rhapsody${UNAME_RELEASE}
+	exit ;;
+    *:Rhapsody:*:*)
+	echo ${UNAME_MACHINE}-apple-rhapsody${UNAME_RELEASE}
+	exit ;;
+    *:Darwin:*:*)
+	UNAME_PROCESSOR=`uname -p` || UNAME_PROCESSOR=unknown
+	case $UNAME_PROCESSOR in
+	    unknown) UNAME_PROCESSOR=powerpc ;;
+	esac
+	echo ${UNAME_PROCESSOR}-apple-darwin${UNAME_RELEASE}
+	exit ;;
+    *:procnto*:*:* | *:QNX:[0123456789]*:*)
+	UNAME_PROCESSOR=`uname -p`
+	if test "$UNAME_PROCESSOR" = "x86"; then
+		UNAME_PROCESSOR=i386
+		UNAME_MACHINE=pc
+	fi
+	echo ${UNAME_PROCESSOR}-${UNAME_MACHINE}-nto-qnx${UNAME_RELEASE}
+	exit ;;
+    *:QNX:*:4*)
+	echo i386-pc-qnx
+	exit ;;
+    NSE-?:NONSTOP_KERNEL:*:*)
+	echo nse-tandem-nsk${UNAME_RELEASE}
+	exit ;;
+    NSR-?:NONSTOP_KERNEL:*:*)
+	echo nsr-tandem-nsk${UNAME_RELEASE}
+	exit ;;
+    *:NonStop-UX:*:*)
+	echo mips-compaq-nonstopux
+	exit ;;
+    BS2000:POSIX*:*:*)
+	echo bs2000-siemens-sysv
+	exit ;;
+    DS/*:UNIX_System_V:*:*)
+	echo ${UNAME_MACHINE}-${UNAME_SYSTEM}-${UNAME_RELEASE}
+	exit ;;
+    *:Plan9:*:*)
+	# "uname -m" is not consistent, so use $cputype instead. 386
+	# is converted to i386 for consistency with other x86
+	# operating systems.
+	if test "$cputype" = "386"; then
+	    UNAME_MACHINE=i386
+	else
+	    UNAME_MACHINE="$cputype"
+	fi
+	echo ${UNAME_MACHINE}-unknown-plan9
+	exit ;;
+    *:TOPS-10:*:*)
+	echo pdp10-unknown-tops10
+	exit ;;
+    *:TENEX:*:*)
+	echo pdp10-unknown-tenex
+	exit ;;
+    KS10:TOPS-20:*:* | KL10:TOPS-20:*:* | TYPE4:TOPS-20:*:*)
+	echo pdp10-dec-tops20
+	exit ;;
+    XKL-1:TOPS-20:*:* | TYPE5:TOPS-20:*:*)
+	echo pdp10-xkl-tops20
+	exit ;;
+    *:TOPS-20:*:*)
+	echo pdp10-unknown-tops20
+	exit ;;
+    *:ITS:*:*)
+	echo pdp10-unknown-its
+	exit ;;
+    SEI:*:*:SEIUX)
+        echo mips-sei-seiux${UNAME_RELEASE}
+	exit ;;
+    *:DragonFly:*:*)
+	echo ${UNAME_MACHINE}-unknown-dragonfly`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`
+	exit ;;
+    *:*VMS:*:*)
+    	UNAME_MACHINE=`(uname -p) 2>/dev/null`
+	case "${UNAME_MACHINE}" in
+	    A*) echo alpha-dec-vms ; exit ;;
+	    I*) echo ia64-dec-vms ; exit ;;
+	    V*) echo vax-dec-vms ; exit ;;
+	esac ;;
+    *:XENIX:*:SysV)
+	echo i386-pc-xenix
+	exit ;;
+    i*86:skyos:*:*)
+	echo ${UNAME_MACHINE}-pc-skyos`echo ${UNAME_RELEASE}` | sed -e 's/ .*$//'
+	exit ;;
+    i*86:rdos:*:*)
+	echo ${UNAME_MACHINE}-pc-rdos
+	exit ;;
+esac
+
+#echo '(No uname command or uname output not recognized.)' 1>&2
+#echo "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" 1>&2
+
+eval $set_cc_for_build
+cat >$dummy.c <<EOF
+#ifdef _SEQUENT_
+# include <sys/types.h>
+# include <sys/utsname.h>
+#endif
+main ()
+{
+#if defined (sony)
+#if defined (MIPSEB)
+  /* BFD wants "bsd" instead of "newsos".  Perhaps BFD should be changed,
+     I don't know....  */
+  printf ("mips-sony-bsd\n"); exit (0);
+#else
+#include <sys/param.h>
+  printf ("m68k-sony-newsos%s\n",
+#ifdef NEWSOS4
+          "4"
+#else
+	  ""
+#endif
+         ); exit (0);
+#endif
+#endif
+
+#if defined (__arm) && defined (__acorn) && defined (__unix)
+  printf ("arm-acorn-riscix\n"); exit (0);
+#endif
+
+#if defined (hp300) && !defined (hpux)
+  printf ("m68k-hp-bsd\n"); exit (0);
+#endif
+
+#if defined (NeXT)
+#if !defined (__ARCHITECTURE__)
+#define __ARCHITECTURE__ "m68k"
+#endif
+  int version;
+  version=`(hostinfo | sed -n 's/.*NeXT Mach \([0-9]*\).*/\1/p') 2>/dev/null`;
+  if (version < 4)
+    printf ("%s-next-nextstep%d\n", __ARCHITECTURE__, version);
+  else
+    printf ("%s-next-openstep%d\n", __ARCHITECTURE__, version);
+  exit (0);
+#endif
+
+#if defined (MULTIMAX) || defined (n16)
+#if defined (UMAXV)
+  printf ("ns32k-encore-sysv\n"); exit (0);
+#else
+#if defined (CMU)
+  printf ("ns32k-encore-mach\n"); exit (0);
+#else
+  printf ("ns32k-encore-bsd\n"); exit (0);
+#endif
+#endif
+#endif
+
+#if defined (__386BSD__)
+  printf ("i386-pc-bsd\n"); exit (0);
+#endif
+
+#if defined (sequent)
+#if defined (i386)
+  printf ("i386-sequent-dynix\n"); exit (0);
+#endif
+#if defined (ns32000)
+  printf ("ns32k-sequent-dynix\n"); exit (0);
+#endif
+#endif
+
+#if defined (_SEQUENT_)
+    struct utsname un;
+
+    uname(&un);
+
+    if (strncmp(un.version, "V2", 2) == 0) {
+	printf ("i386-sequent-ptx2\n"); exit (0);
+    }
+    if (strncmp(un.version, "V1", 2) == 0) { /* XXX is V1 correct? */
+	printf ("i386-sequent-ptx1\n"); exit (0);
+    }
+    printf ("i386-sequent-ptx\n"); exit (0);
+
+#endif
+
+#if defined (vax)
+# if !defined (ultrix)
+#  include <sys/param.h>
+#  if defined (BSD)
+#   if BSD == 43
+      printf ("vax-dec-bsd4.3\n"); exit (0);
+#   else
+#    if BSD == 199006
+      printf ("vax-dec-bsd4.3reno\n"); exit (0);
+#    else
+      printf ("vax-dec-bsd\n"); exit (0);
+#    endif
+#   endif
+#  else
+    printf ("vax-dec-bsd\n"); exit (0);
+#  endif
+# else
+    printf ("vax-dec-ultrix\n"); exit (0);
+# endif
+#endif
+
+#if defined (alliant) && defined (i860)
+  printf ("i860-alliant-bsd\n"); exit (0);
+#endif
+
+  exit (1);
+}
+EOF
+
+$CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null && SYSTEM_NAME=`$dummy` &&
+	{ echo "$SYSTEM_NAME"; exit; }
+
+# Apollos put the system type in the environment.
+
+test -d /usr/apollo && { echo ${ISP}-apollo-${SYSTYPE}; exit; }
+
+# Convex versions that predate uname can use getsysinfo(1)
+
+if [ -x /usr/convex/getsysinfo ]
+then
+    case `getsysinfo -f cpu_type` in
+    c1*)
+	echo c1-convex-bsd
+	exit ;;
+    c2*)
+	if getsysinfo -f scalar_acc
+	then echo c32-convex-bsd
+	else echo c2-convex-bsd
+	fi
+	exit ;;
+    c34*)
+	echo c34-convex-bsd
+	exit ;;
+    c38*)
+	echo c38-convex-bsd
+	exit ;;
+    c4*)
+	echo c4-convex-bsd
+	exit ;;
+    esac
+fi
+
+cat >&2 <<EOF
+$0: unable to guess system type
+
+This script, last modified $timestamp, has failed to recognize
+the operating system you are using. It is advised that you
+download the most up to date version of the config scripts from
+
+  http://savannah.gnu.org/cgi-bin/viewcvs/*checkout*/config/config/config.guess
+and
+  http://savannah.gnu.org/cgi-bin/viewcvs/*checkout*/config/config/config.sub
+
+If the version you run ($0) is already up to date, please
+send the following data and any information you think might be
+pertinent to <config-patches@gnu.org> in order to provide the needed
+information to handle your system.
+
+config.guess timestamp = $timestamp
+
+uname -m = `(uname -m) 2>/dev/null || echo unknown`
+uname -r = `(uname -r) 2>/dev/null || echo unknown`
+uname -s = `(uname -s) 2>/dev/null || echo unknown`
+uname -v = `(uname -v) 2>/dev/null || echo unknown`
+
+/usr/bin/uname -p = `(/usr/bin/uname -p) 2>/dev/null`
+/bin/uname -X     = `(/bin/uname -X) 2>/dev/null`
+
+hostinfo               = `(hostinfo) 2>/dev/null`
+/bin/universe          = `(/bin/universe) 2>/dev/null`
+/usr/bin/arch -k       = `(/usr/bin/arch -k) 2>/dev/null`
+/bin/arch              = `(/bin/arch) 2>/dev/null`
+/usr/bin/oslevel       = `(/usr/bin/oslevel) 2>/dev/null`
+/usr/convex/getsysinfo = `(/usr/convex/getsysinfo) 2>/dev/null`
+
+UNAME_MACHINE = ${UNAME_MACHINE}
+UNAME_RELEASE = ${UNAME_RELEASE}
+UNAME_SYSTEM  = ${UNAME_SYSTEM}
+UNAME_VERSION = ${UNAME_VERSION}
+EOF
+
+exit 1
+
+# Local variables:
+# eval: (add-hook 'write-file-hooks 'time-stamp)
+# time-stamp-start: "timestamp='"
+# time-stamp-format: "%:y-%02m-%02d"
+# time-stamp-end: "'"
+# End:
diff --git a/src/charon/plugins/nm/gnome/config.h.in b/src/charon/plugins/nm/gnome/config.h.in
new file mode 100644
index 000000000..2b64591de
--- /dev/null
+++ b/src/charon/plugins/nm/gnome/config.h.in
@@ -0,0 +1,112 @@
+/* config.h.in.  Generated from configure.in by autoheader.  */
+
+/* always defined to indicate that i18n is enabled */
+#undef ENABLE_NLS
+
+/* Gettext package */
+#undef GETTEXT_PACKAGE
+
+/* Define to 1 if you have the `bind_textdomain_codeset' function. */
+#undef HAVE_BIND_TEXTDOMAIN_CODESET
+
+/* Define to 1 if you have the `dcgettext' function. */
+#undef HAVE_DCGETTEXT
+
+/* Define to 1 if you have the <dlfcn.h> header file. */
+#undef HAVE_DLFCN_H
+
+/* Define to 1 if you have the <fcntl.h> header file. */
+#undef HAVE_FCNTL_H
+
+/* Define if the GNU gettext() function is already present or preinstalled. */
+#undef HAVE_GETTEXT
+
+/* Define to 1 if you have the <inttypes.h> header file. */
+#undef HAVE_INTTYPES_H
+
+/* Define if your <locale.h> file defines LC_MESSAGES. */
+#undef HAVE_LC_MESSAGES
+
+/* Define to 1 if you have the <locale.h> header file. */
+#undef HAVE_LOCALE_H
+
+/* Define to 1 if you have the <memory.h> header file. */
+#undef HAVE_MEMORY_H
+
+/* Define to 1 if you have the <paths.h> header file. */
+#undef HAVE_PATHS_H
+
+/* Define to 1 if you have the `select' function. */
+#undef HAVE_SELECT
+
+/* Define to 1 if you have the `socket' function. */
+#undef HAVE_SOCKET
+
+/* Define to 1 if you have the <stdint.h> header file. */
+#undef HAVE_STDINT_H
+
+/* Define to 1 if you have the <stdlib.h> header file. */
+#undef HAVE_STDLIB_H
+
+/* Define to 1 if you have the <strings.h> header file. */
+#undef HAVE_STRINGS_H
+
+/* Define to 1 if you have the <string.h> header file. */
+#undef HAVE_STRING_H
+
+/* Define to 1 if you have the <syslog.h> header file. */
+#undef HAVE_SYSLOG_H
+
+/* Define to 1 if you have the <sys/ioctl.h> header file. */
+#undef HAVE_SYS_IOCTL_H
+
+/* Define to 1 if you have the <sys/stat.h> header file. */
+#undef HAVE_SYS_STAT_H
+
+/* Define to 1 if you have the <sys/time.h> header file. */
+#undef HAVE_SYS_TIME_H
+
+/* Define to 1 if you have the <sys/types.h> header file. */
+#undef HAVE_SYS_TYPES_H
+
+/* Define to 1 if you have the `uname' function. */
+#undef HAVE_UNAME
+
+/* Define to 1 if you have the <unistd.h> header file. */
+#undef HAVE_UNISTD_H
+
+/* Define to 1 if your C compiler doesn't accept -c and -o together. */
+#undef NO_MINUS_C_MINUS_O
+
+/* Name of package */
+#undef PACKAGE
+
+/* Define to the address where bug reports for this package should be sent. */
+#undef PACKAGE_BUGREPORT
+
+/* Define to the full name of this package. */
+#undef PACKAGE_NAME
+
+/* Define to the full name and version of this package. */
+#undef PACKAGE_STRING
+
+/* Define to the one symbol short name of this package. */
+#undef PACKAGE_TARNAME
+
+/* Define to the version of this package. */
+#undef PACKAGE_VERSION
+
+/* Define to 1 if you have the ANSI C header files. */
+#undef STDC_HEADERS
+
+/* Define to 1 if you can safely include both <sys/time.h> and <time.h>. */
+#undef TIME_WITH_SYS_TIME
+
+/* Version number of package */
+#undef VERSION
+
+/* Define to `int' if <sys/types.h> does not define. */
+#undef mode_t
+
+/* Define to `int' if <sys/types.h> does not define. */
+#undef pid_t
diff --git a/src/charon/plugins/nm/gnome/config.sub b/src/charon/plugins/nm/gnome/config.sub
new file mode 100755
index 000000000..1761d8bdf
--- /dev/null
+++ b/src/charon/plugins/nm/gnome/config.sub
@@ -0,0 +1,1626 @@
+#! /bin/sh
+# Configuration validation subroutine script.
+#   Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
+#   2000, 2001, 2002, 2003, 2004, 2005, 2006 Free Software Foundation,
+#   Inc.
+
+timestamp='2007-06-28'
+
+# This file is (in principle) common to ALL GNU software.
+# The presence of a machine in this file suggests that SOME GNU software
+# can handle that machine.  It does not imply ALL GNU software can.
+#
+# This file is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA
+# 02110-1301, USA.
+#
+# As a special exception to the GNU General Public License, if you
+# distribute this file as part of a program that contains a
+# configuration script generated by Autoconf, you may include it under
+# the same distribution terms that you use for the rest of that program.
+
+
+# Please send patches to <config-patches@gnu.org>.  Submit a context
+# diff and a properly formatted ChangeLog entry.
+#
+# Configuration subroutine to validate and canonicalize a configuration type.
+# Supply the specified configuration type as an argument.
+# If it is invalid, we print an error message on stderr and exit with code 1.
+# Otherwise, we print the canonical config type on stdout and succeed.
+
+# This file is supposed to be the same for all GNU packages
+# and recognize all the CPU types, system types and aliases
+# that are meaningful with *any* GNU software.
+# Each package is responsible for reporting which valid configurations
+# it does not support.  The user should be able to distinguish
+# a failure to support a valid configuration from a meaningless
+# configuration.
+
+# The goal of this file is to map all the various variations of a given
+# machine specification into a single specification in the form:
+#	CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM
+# or in some cases, the newer four-part form:
+#	CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM
+# It is wrong to echo any other type of specification.
+
+me=`echo "$0" | sed -e 's,.*/,,'`
+
+usage="\
+Usage: $0 [OPTION] CPU-MFR-OPSYS
+       $0 [OPTION] ALIAS
+
+Canonicalize a configuration name.
+
+Operation modes:
+  -h, --help         print this help, then exit
+  -t, --time-stamp   print date of last modification, then exit
+  -v, --version      print version number, then exit
+
+Report bugs and patches to <config-patches@gnu.org>."
+
+version="\
+GNU config.sub ($timestamp)
+
+Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005
+Free Software Foundation, Inc.
+
+This is free software; see the source for copying conditions.  There is NO
+warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
+
+help="
+Try \`$me --help' for more information."
+
+# Parse command line
+while test $# -gt 0 ; do
+  case $1 in
+    --time-stamp | --time* | -t )
+       echo "$timestamp" ; exit ;;
+    --version | -v )
+       echo "$version" ; exit ;;
+    --help | --h* | -h )
+       echo "$usage"; exit ;;
+    -- )     # Stop option processing
+       shift; break ;;
+    - )	# Use stdin as input.
+       break ;;
+    -* )
+       echo "$me: invalid option $1$help"
+       exit 1 ;;
+
+    *local*)
+       # First pass through any local machine types.
+       echo $1
+       exit ;;
+
+    * )
+       break ;;
+  esac
+done
+
+case $# in
+ 0) echo "$me: missing argument$help" >&2
+    exit 1;;
+ 1) ;;
+ *) echo "$me: too many arguments$help" >&2
+    exit 1;;
+esac
+
+# Separate what the user gave into CPU-COMPANY and OS or KERNEL-OS (if any).
+# Here we must recognize all the valid KERNEL-OS combinations.
+maybe_os=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\2/'`
+case $maybe_os in
+  nto-qnx* | linux-gnu* | linux-dietlibc | linux-newlib* | linux-uclibc* | \
+  uclinux-uclibc* | uclinux-gnu* | kfreebsd*-gnu* | knetbsd*-gnu* | netbsd*-gnu* | \
+  storm-chaos* | os2-emx* | rtmk-nova*)
+    os=-$maybe_os
+    basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`
+    ;;
+  *)
+    basic_machine=`echo $1 | sed 's/-[^-]*$//'`
+    if [ $basic_machine != $1 ]
+    then os=`echo $1 | sed 's/.*-/-/'`
+    else os=; fi
+    ;;
+esac
+
+### Let's recognize common machines as not being operating systems so
+### that things like config.sub decstation-3100 work.  We also
+### recognize some manufacturers as not being operating systems, so we
+### can provide default operating systems below.
+case $os in
+	-sun*os*)
+		# Prevent following clause from handling this invalid input.
+		;;
+	-dec* | -mips* | -sequent* | -encore* | -pc532* | -sgi* | -sony* | \
+	-att* | -7300* | -3300* | -delta* | -motorola* | -sun[234]* | \
+	-unicom* | -ibm* | -next | -hp | -isi* | -apollo | -altos* | \
+	-convergent* | -ncr* | -news | -32* | -3600* | -3100* | -hitachi* |\
+	-c[123]* | -convex* | -sun | -crds | -omron* | -dg | -ultra | -tti* | \
+	-harris | -dolphin | -highlevel | -gould | -cbm | -ns | -masscomp | \
+	-apple | -axis | -knuth | -cray)
+		os=
+		basic_machine=$1
+		;;
+	-sim | -cisco | -oki | -wec | -winbond)
+		os=
+		basic_machine=$1
+		;;
+	-scout)
+		;;
+	-wrs)
+		os=-vxworks
+		basic_machine=$1
+		;;
+	-chorusos*)
+		os=-chorusos
+		basic_machine=$1
+		;;
+ 	-chorusrdb)
+ 		os=-chorusrdb
+		basic_machine=$1
+ 		;;
+	-hiux*)
+		os=-hiuxwe2
+		;;
+	-sco6)
+		os=-sco5v6
+		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		;;
+	-sco5)
+		os=-sco3.2v5
+		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		;;
+	-sco4)
+		os=-sco3.2v4
+		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		;;
+	-sco3.2.[4-9]*)
+		os=`echo $os | sed -e 's/sco3.2./sco3.2v/'`
+		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		;;
+	-sco3.2v[4-9]*)
+		# Don't forget version if it is 3.2v4 or newer.
+		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		;;
+	-sco5v6*)
+		# Don't forget version if it is 3.2v4 or newer.
+		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		;;
+	-sco*)
+		os=-sco3.2v2
+		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		;;
+	-udk*)
+		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		;;
+	-isc)
+		os=-isc2.2
+		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		;;
+	-clix*)
+		basic_machine=clipper-intergraph
+		;;
+	-isc*)
+		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		;;
+	-lynx*)
+		os=-lynxos
+		;;
+	-ptx*)
+		basic_machine=`echo $1 | sed -e 's/86-.*/86-sequent/'`
+		;;
+	-windowsnt*)
+		os=`echo $os | sed -e 's/windowsnt/winnt/'`
+		;;
+	-psos*)
+		os=-psos
+		;;
+	-mint | -mint[0-9]*)
+		basic_machine=m68k-atari
+		os=-mint
+		;;
+esac
+
+# Decode aliases for certain CPU-COMPANY combinations.
+case $basic_machine in
+	# Recognize the basic CPU types without company name.
+	# Some are omitted here because they have special meanings below.
+	1750a | 580 \
+	| a29k \
+	| alpha | alphaev[4-8] | alphaev56 | alphaev6[78] | alphapca5[67] \
+	| alpha64 | alpha64ev[4-8] | alpha64ev56 | alpha64ev6[78] | alpha64pca5[67] \
+	| am33_2.0 \
+	| arc | arm | arm[bl]e | arme[lb] | armv[2345] | armv[345][lb] | avr | avr32 \
+	| bfin \
+	| c4x | clipper \
+	| d10v | d30v | dlx | dsp16xx \
+	| fido | fr30 | frv \
+	| h8300 | h8500 | hppa | hppa1.[01] | hppa2.0 | hppa2.0[nw] | hppa64 \
+	| i370 | i860 | i960 | ia64 \
+	| ip2k | iq2000 \
+	| m32c | m32r | m32rle | m68000 | m68k | m88k \
+	| maxq | mb | microblaze | mcore | mep \
+	| mips | mipsbe | mipseb | mipsel | mipsle \
+	| mips16 \
+	| mips64 | mips64el \
+	| mips64vr | mips64vrel \
+	| mips64orion | mips64orionel \
+	| mips64vr4100 | mips64vr4100el \
+	| mips64vr4300 | mips64vr4300el \
+	| mips64vr5000 | mips64vr5000el \
+	| mips64vr5900 | mips64vr5900el \
+	| mipsisa32 | mipsisa32el \
+	| mipsisa32r2 | mipsisa32r2el \
+	| mipsisa64 | mipsisa64el \
+	| mipsisa64r2 | mipsisa64r2el \
+	| mipsisa64sb1 | mipsisa64sb1el \
+	| mipsisa64sr71k | mipsisa64sr71kel \
+	| mipstx39 | mipstx39el \
+	| mn10200 | mn10300 \
+	| mt \
+	| msp430 \
+	| nios | nios2 \
+	| ns16k | ns32k \
+	| or32 \
+	| pdp10 | pdp11 | pj | pjl \
+	| powerpc | powerpc64 | powerpc64le | powerpcle | ppcbe \
+	| pyramid \
+	| score \
+	| sh | sh[1234] | sh[24]a | sh[23]e | sh[34]eb | sheb | shbe | shle | sh[1234]le | sh3ele \
+	| sh64 | sh64le \
+	| sparc | sparc64 | sparc64b | sparc64v | sparc86x | sparclet | sparclite \
+	| sparcv8 | sparcv9 | sparcv9b | sparcv9v \
+	| spu | strongarm \
+	| tahoe | thumb | tic4x | tic80 | tron \
+	| v850 | v850e \
+	| we32k \
+	| x86 | xc16x | xscale | xscalee[bl] | xstormy16 | xtensa \
+	| z8k)
+		basic_machine=$basic_machine-unknown
+		;;
+	m6811 | m68hc11 | m6812 | m68hc12)
+		# Motorola 68HC11/12.
+		basic_machine=$basic_machine-unknown
+		os=-none
+		;;
+	m88110 | m680[12346]0 | m683?2 | m68360 | m5200 | v70 | w65 | z8k)
+		;;
+	ms1)
+		basic_machine=mt-unknown
+		;;
+
+	# We use `pc' rather than `unknown'
+	# because (1) that's what they normally are, and
+	# (2) the word "unknown" tends to confuse beginning users.
+	i*86 | x86_64)
+	  basic_machine=$basic_machine-pc
+	  ;;
+	# Object if more than one company name word.
+	*-*-*)
+		echo Invalid configuration \`$1\': machine \`$basic_machine\' not recognized 1>&2
+		exit 1
+		;;
+	# Recognize the basic CPU types with company name.
+	580-* \
+	| a29k-* \
+	| alpha-* | alphaev[4-8]-* | alphaev56-* | alphaev6[78]-* \
+	| alpha64-* | alpha64ev[4-8]-* | alpha64ev56-* | alpha64ev6[78]-* \
+	| alphapca5[67]-* | alpha64pca5[67]-* | arc-* \
+	| arm-*  | armbe-* | armle-* | armeb-* | armv*-* \
+	| avr-* | avr32-* \
+	| bfin-* | bs2000-* \
+	| c[123]* | c30-* | [cjt]90-* | c4x-* | c54x-* | c55x-* | c6x-* \
+	| clipper-* | craynv-* | cydra-* \
+	| d10v-* | d30v-* | dlx-* \
+	| elxsi-* \
+	| f30[01]-* | f700-* | fido-* | fr30-* | frv-* | fx80-* \
+	| h8300-* | h8500-* \
+	| hppa-* | hppa1.[01]-* | hppa2.0-* | hppa2.0[nw]-* | hppa64-* \
+	| i*86-* | i860-* | i960-* | ia64-* \
+	| ip2k-* | iq2000-* \
+	| m32c-* | m32r-* | m32rle-* \
+	| m68000-* | m680[012346]0-* | m68360-* | m683?2-* | m68k-* \
+	| m88110-* | m88k-* | maxq-* | mcore-* \
+	| mips-* | mipsbe-* | mipseb-* | mipsel-* | mipsle-* \
+	| mips16-* \
+	| mips64-* | mips64el-* \
+	| mips64vr-* | mips64vrel-* \
+	| mips64orion-* | mips64orionel-* \
+	| mips64vr4100-* | mips64vr4100el-* \
+	| mips64vr4300-* | mips64vr4300el-* \
+	| mips64vr5000-* | mips64vr5000el-* \
+	| mips64vr5900-* | mips64vr5900el-* \
+	| mipsisa32-* | mipsisa32el-* \
+	| mipsisa32r2-* | mipsisa32r2el-* \
+	| mipsisa64-* | mipsisa64el-* \
+	| mipsisa64r2-* | mipsisa64r2el-* \
+	| mipsisa64sb1-* | mipsisa64sb1el-* \
+	| mipsisa64sr71k-* | mipsisa64sr71kel-* \
+	| mipstx39-* | mipstx39el-* \
+	| mmix-* \
+	| mt-* \
+	| msp430-* \
+	| nios-* | nios2-* \
+	| none-* | np1-* | ns16k-* | ns32k-* \
+	| orion-* \
+	| pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \
+	| powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* | ppcbe-* \
+	| pyramid-* \
+	| romp-* | rs6000-* \
+	| sh-* | sh[1234]-* | sh[24]a-* | sh[23]e-* | sh[34]eb-* | sheb-* | shbe-* \
+	| shle-* | sh[1234]le-* | sh3ele-* | sh64-* | sh64le-* \
+	| sparc-* | sparc64-* | sparc64b-* | sparc64v-* | sparc86x-* | sparclet-* \
+	| sparclite-* \
+	| sparcv8-* | sparcv9-* | sparcv9b-* | sparcv9v-* | strongarm-* | sv1-* | sx?-* \
+	| tahoe-* | thumb-* \
+	| tic30-* | tic4x-* | tic54x-* | tic55x-* | tic6x-* | tic80-* \
+	| tron-* \
+	| v850-* | v850e-* | vax-* \
+	| we32k-* \
+	| x86-* | x86_64-* | xc16x-* | xps100-* | xscale-* | xscalee[bl]-* \
+	| xstormy16-* | xtensa-* \
+	| ymp-* \
+	| z8k-*)
+		;;
+	# Recognize the various machine names and aliases which stand
+	# for a CPU type and a company and sometimes even an OS.
+	386bsd)
+		basic_machine=i386-unknown
+		os=-bsd
+		;;
+	3b1 | 7300 | 7300-att | att-7300 | pc7300 | safari | unixpc)
+		basic_machine=m68000-att
+		;;
+	3b*)
+		basic_machine=we32k-att
+		;;
+	a29khif)
+		basic_machine=a29k-amd
+		os=-udi
+		;;
+    	abacus)
+		basic_machine=abacus-unknown
+		;;
+	adobe68k)
+		basic_machine=m68010-adobe
+		os=-scout
+		;;
+	alliant | fx80)
+		basic_machine=fx80-alliant
+		;;
+	altos | altos3068)
+		basic_machine=m68k-altos
+		;;
+	am29k)
+		basic_machine=a29k-none
+		os=-bsd
+		;;
+	amd64)
+		basic_machine=x86_64-pc
+		;;
+	amd64-*)
+		basic_machine=x86_64-`echo $basic_machine | sed 's/^[^-]*-//'`
+		;;
+	amdahl)
+		basic_machine=580-amdahl
+		os=-sysv
+		;;
+	amiga | amiga-*)
+		basic_machine=m68k-unknown
+		;;
+	amigaos | amigados)
+		basic_machine=m68k-unknown
+		os=-amigaos
+		;;
+	amigaunix | amix)
+		basic_machine=m68k-unknown
+		os=-sysv4
+		;;
+	apollo68)
+		basic_machine=m68k-apollo
+		os=-sysv
+		;;
+	apollo68bsd)
+		basic_machine=m68k-apollo
+		os=-bsd
+		;;
+	aux)
+		basic_machine=m68k-apple
+		os=-aux
+		;;
+	balance)
+		basic_machine=ns32k-sequent
+		os=-dynix
+		;;
+	c90)
+		basic_machine=c90-cray
+		os=-unicos
+		;;
+	convex-c1)
+		basic_machine=c1-convex
+		os=-bsd
+		;;
+	convex-c2)
+		basic_machine=c2-convex
+		os=-bsd
+		;;
+	convex-c32)
+		basic_machine=c32-convex
+		os=-bsd
+		;;
+	convex-c34)
+		basic_machine=c34-convex
+		os=-bsd
+		;;
+	convex-c38)
+		basic_machine=c38-convex
+		os=-bsd
+		;;
+	cray | j90)
+		basic_machine=j90-cray
+		os=-unicos
+		;;
+	craynv)
+		basic_machine=craynv-cray
+		os=-unicosmp
+		;;
+	cr16)
+		basic_machine=cr16-unknown
+		os=-elf
+		;;
+	crds | unos)
+		basic_machine=m68k-crds
+		;;
+	crisv32 | crisv32-* | etraxfs*)
+		basic_machine=crisv32-axis
+		;;
+	cris | cris-* | etrax*)
+		basic_machine=cris-axis
+		;;
+	crx)
+		basic_machine=crx-unknown
+		os=-elf
+		;;
+	da30 | da30-*)
+		basic_machine=m68k-da30
+		;;
+	decstation | decstation-3100 | pmax | pmax-* | pmin | dec3100 | decstatn)
+		basic_machine=mips-dec
+		;;
+	decsystem10* | dec10*)
+		basic_machine=pdp10-dec
+		os=-tops10
+		;;
+	decsystem20* | dec20*)
+		basic_machine=pdp10-dec
+		os=-tops20
+		;;
+	delta | 3300 | motorola-3300 | motorola-delta \
+	      | 3300-motorola | delta-motorola)
+		basic_machine=m68k-motorola
+		;;
+	delta88)
+		basic_machine=m88k-motorola
+		os=-sysv3
+		;;
+	djgpp)
+		basic_machine=i586-pc
+		os=-msdosdjgpp
+		;;
+	dpx20 | dpx20-*)
+		basic_machine=rs6000-bull
+		os=-bosx
+		;;
+	dpx2* | dpx2*-bull)
+		basic_machine=m68k-bull
+		os=-sysv3
+		;;
+	ebmon29k)
+		basic_machine=a29k-amd
+		os=-ebmon
+		;;
+	elxsi)
+		basic_machine=elxsi-elxsi
+		os=-bsd
+		;;
+	encore | umax | mmax)
+		basic_machine=ns32k-encore
+		;;
+	es1800 | OSE68k | ose68k | ose | OSE)
+		basic_machine=m68k-ericsson
+		os=-ose
+		;;
+	fx2800)
+		basic_machine=i860-alliant
+		;;
+	genix)
+		basic_machine=ns32k-ns
+		;;
+	gmicro)
+		basic_machine=tron-gmicro
+		os=-sysv
+		;;
+	go32)
+		basic_machine=i386-pc
+		os=-go32
+		;;
+	h3050r* | hiux*)
+		basic_machine=hppa1.1-hitachi
+		os=-hiuxwe2
+		;;
+	h8300hms)
+		basic_machine=h8300-hitachi
+		os=-hms
+		;;
+	h8300xray)
+		basic_machine=h8300-hitachi
+		os=-xray
+		;;
+	h8500hms)
+		basic_machine=h8500-hitachi
+		os=-hms
+		;;
+	harris)
+		basic_machine=m88k-harris
+		os=-sysv3
+		;;
+	hp300-*)
+		basic_machine=m68k-hp
+		;;
+	hp300bsd)
+		basic_machine=m68k-hp
+		os=-bsd
+		;;
+	hp300hpux)
+		basic_machine=m68k-hp
+		os=-hpux
+		;;
+	hp3k9[0-9][0-9] | hp9[0-9][0-9])
+		basic_machine=hppa1.0-hp
+		;;
+	hp9k2[0-9][0-9] | hp9k31[0-9])
+		basic_machine=m68000-hp
+		;;
+	hp9k3[2-9][0-9])
+		basic_machine=m68k-hp
+		;;
+	hp9k6[0-9][0-9] | hp6[0-9][0-9])
+		basic_machine=hppa1.0-hp
+		;;
+	hp9k7[0-79][0-9] | hp7[0-79][0-9])
+		basic_machine=hppa1.1-hp
+		;;
+	hp9k78[0-9] | hp78[0-9])
+		# FIXME: really hppa2.0-hp
+		basic_machine=hppa1.1-hp
+		;;
+	hp9k8[67]1 | hp8[67]1 | hp9k80[24] | hp80[24] | hp9k8[78]9 | hp8[78]9 | hp9k893 | hp893)
+		# FIXME: really hppa2.0-hp
+		basic_machine=hppa1.1-hp
+		;;
+	hp9k8[0-9][13679] | hp8[0-9][13679])
+		basic_machine=hppa1.1-hp
+		;;
+	hp9k8[0-9][0-9] | hp8[0-9][0-9])
+		basic_machine=hppa1.0-hp
+		;;
+	hppa-next)
+		os=-nextstep3
+		;;
+	hppaosf)
+		basic_machine=hppa1.1-hp
+		os=-osf
+		;;
+	hppro)
+		basic_machine=hppa1.1-hp
+		os=-proelf
+		;;
+	i370-ibm* | ibm*)
+		basic_machine=i370-ibm
+		;;
+# I'm not sure what "Sysv32" means.  Should this be sysv3.2?
+	i*86v32)
+		basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
+		os=-sysv32
+		;;
+	i*86v4*)
+		basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
+		os=-sysv4
+		;;
+	i*86v)
+		basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
+		os=-sysv
+		;;
+	i*86sol2)
+		basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
+		os=-solaris2
+		;;
+	i386mach)
+		basic_machine=i386-mach
+		os=-mach
+		;;
+	i386-vsta | vsta)
+		basic_machine=i386-unknown
+		os=-vsta
+		;;
+	iris | iris4d)
+		basic_machine=mips-sgi
+		case $os in
+		    -irix*)
+			;;
+		    *)
+			os=-irix4
+			;;
+		esac
+		;;
+	isi68 | isi)
+		basic_machine=m68k-isi
+		os=-sysv
+		;;
+	m88k-omron*)
+		basic_machine=m88k-omron
+		;;
+	magnum | m3230)
+		basic_machine=mips-mips
+		os=-sysv
+		;;
+	merlin)
+		basic_machine=ns32k-utek
+		os=-sysv
+		;;
+	mingw32)
+		basic_machine=i386-pc
+		os=-mingw32
+		;;
+	mingw32ce)
+		basic_machine=arm-unknown
+		os=-mingw32ce
+		;;
+	miniframe)
+		basic_machine=m68000-convergent
+		;;
+	*mint | -mint[0-9]* | *MiNT | *MiNT[0-9]*)
+		basic_machine=m68k-atari
+		os=-mint
+		;;
+	mips3*-*)
+		basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'`
+		;;
+	mips3*)
+		basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'`-unknown
+		;;
+	monitor)
+		basic_machine=m68k-rom68k
+		os=-coff
+		;;
+	morphos)
+		basic_machine=powerpc-unknown
+		os=-morphos
+		;;
+	msdos)
+		basic_machine=i386-pc
+		os=-msdos
+		;;
+	ms1-*)
+		basic_machine=`echo $basic_machine | sed -e 's/ms1-/mt-/'`
+		;;
+	mvs)
+		basic_machine=i370-ibm
+		os=-mvs
+		;;
+	ncr3000)
+		basic_machine=i486-ncr
+		os=-sysv4
+		;;
+	netbsd386)
+		basic_machine=i386-unknown
+		os=-netbsd
+		;;
+	netwinder)
+		basic_machine=armv4l-rebel
+		os=-linux
+		;;
+	news | news700 | news800 | news900)
+		basic_machine=m68k-sony
+		os=-newsos
+		;;
+	news1000)
+		basic_machine=m68030-sony
+		os=-newsos
+		;;
+	news-3600 | risc-news)
+		basic_machine=mips-sony
+		os=-newsos
+		;;
+	necv70)
+		basic_machine=v70-nec
+		os=-sysv
+		;;
+	next | m*-next )
+		basic_machine=m68k-next
+		case $os in
+		    -nextstep* )
+			;;
+		    -ns2*)
+		      os=-nextstep2
+			;;
+		    *)
+		      os=-nextstep3
+			;;
+		esac
+		;;
+	nh3000)
+		basic_machine=m68k-harris
+		os=-cxux
+		;;
+	nh[45]000)
+		basic_machine=m88k-harris
+		os=-cxux
+		;;
+	nindy960)
+		basic_machine=i960-intel
+		os=-nindy
+		;;
+	mon960)
+		basic_machine=i960-intel
+		os=-mon960
+		;;
+	nonstopux)
+		basic_machine=mips-compaq
+		os=-nonstopux
+		;;
+	np1)
+		basic_machine=np1-gould
+		;;
+	nsr-tandem)
+		basic_machine=nsr-tandem
+		;;
+	op50n-* | op60c-*)
+		basic_machine=hppa1.1-oki
+		os=-proelf
+		;;
+	openrisc | openrisc-*)
+		basic_machine=or32-unknown
+		;;
+	os400)
+		basic_machine=powerpc-ibm
+		os=-os400
+		;;
+	OSE68000 | ose68000)
+		basic_machine=m68000-ericsson
+		os=-ose
+		;;
+	os68k)
+		basic_machine=m68k-none
+		os=-os68k
+		;;
+	pa-hitachi)
+		basic_machine=hppa1.1-hitachi
+		os=-hiuxwe2
+		;;
+	paragon)
+		basic_machine=i860-intel
+		os=-osf
+		;;
+	pbd)
+		basic_machine=sparc-tti
+		;;
+	pbb)
+		basic_machine=m68k-tti
+		;;
+	pc532 | pc532-*)
+		basic_machine=ns32k-pc532
+		;;
+	pc98)
+		basic_machine=i386-pc
+		;;
+	pc98-*)
+		basic_machine=i386-`echo $basic_machine | sed 's/^[^-]*-//'`
+		;;
+	pentium | p5 | k5 | k6 | nexgen | viac3)
+		basic_machine=i586-pc
+		;;
+	pentiumpro | p6 | 6x86 | athlon | athlon_*)
+		basic_machine=i686-pc
+		;;
+	pentiumii | pentium2 | pentiumiii | pentium3)
+		basic_machine=i686-pc
+		;;
+	pentium4)
+		basic_machine=i786-pc
+		;;
+	pentium-* | p5-* | k5-* | k6-* | nexgen-* | viac3-*)
+		basic_machine=i586-`echo $basic_machine | sed 's/^[^-]*-//'`
+		;;
+	pentiumpro-* | p6-* | 6x86-* | athlon-*)
+		basic_machine=i686-`echo $basic_machine | sed 's/^[^-]*-//'`
+		;;
+	pentiumii-* | pentium2-* | pentiumiii-* | pentium3-*)
+		basic_machine=i686-`echo $basic_machine | sed 's/^[^-]*-//'`
+		;;
+	pentium4-*)
+		basic_machine=i786-`echo $basic_machine | sed 's/^[^-]*-//'`
+		;;
+	pn)
+		basic_machine=pn-gould
+		;;
+	power)	basic_machine=power-ibm
+		;;
+	ppc)	basic_machine=powerpc-unknown
+		;;
+	ppc-*)	basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'`
+		;;
+	ppcle | powerpclittle | ppc-le | powerpc-little)
+		basic_machine=powerpcle-unknown
+		;;
+	ppcle-* | powerpclittle-*)
+		basic_machine=powerpcle-`echo $basic_machine | sed 's/^[^-]*-//'`
+		;;
+	ppc64)	basic_machine=powerpc64-unknown
+		;;
+	ppc64-*) basic_machine=powerpc64-`echo $basic_machine | sed 's/^[^-]*-//'`
+		;;
+	ppc64le | powerpc64little | ppc64-le | powerpc64-little)
+		basic_machine=powerpc64le-unknown
+		;;
+	ppc64le-* | powerpc64little-*)
+		basic_machine=powerpc64le-`echo $basic_machine | sed 's/^[^-]*-//'`
+		;;
+	ps2)
+		basic_machine=i386-ibm
+		;;
+	pw32)
+		basic_machine=i586-unknown
+		os=-pw32
+		;;
+	rdos)
+		basic_machine=i386-pc
+		os=-rdos
+		;;
+	rom68k)
+		basic_machine=m68k-rom68k
+		os=-coff
+		;;
+	rm[46]00)
+		basic_machine=mips-siemens
+		;;
+	rtpc | rtpc-*)
+		basic_machine=romp-ibm
+		;;
+	s390 | s390-*)
+		basic_machine=s390-ibm
+		;;
+	s390x | s390x-*)
+		basic_machine=s390x-ibm
+		;;
+	sa29200)
+		basic_machine=a29k-amd
+		os=-udi
+		;;
+	sb1)
+		basic_machine=mipsisa64sb1-unknown
+		;;
+	sb1el)
+		basic_machine=mipsisa64sb1el-unknown
+		;;
+	sde)
+		basic_machine=mipsisa32-sde
+		os=-elf
+		;;
+	sei)
+		basic_machine=mips-sei
+		os=-seiux
+		;;
+	sequent)
+		basic_machine=i386-sequent
+		;;
+	sh)
+		basic_machine=sh-hitachi
+		os=-hms
+		;;
+	sh5el)
+		basic_machine=sh5le-unknown
+		;;
+	sh64)
+		basic_machine=sh64-unknown
+		;;
+	sparclite-wrs | simso-wrs)
+		basic_machine=sparclite-wrs
+		os=-vxworks
+		;;
+	sps7)
+		basic_machine=m68k-bull
+		os=-sysv2
+		;;
+	spur)
+		basic_machine=spur-unknown
+		;;
+	st2000)
+		basic_machine=m68k-tandem
+		;;
+	stratus)
+		basic_machine=i860-stratus
+		os=-sysv4
+		;;
+	sun2)
+		basic_machine=m68000-sun
+		;;
+	sun2os3)
+		basic_machine=m68000-sun
+		os=-sunos3
+		;;
+	sun2os4)
+		basic_machine=m68000-sun
+		os=-sunos4
+		;;
+	sun3os3)
+		basic_machine=m68k-sun
+		os=-sunos3
+		;;
+	sun3os4)
+		basic_machine=m68k-sun
+		os=-sunos4
+		;;
+	sun4os3)
+		basic_machine=sparc-sun
+		os=-sunos3
+		;;
+	sun4os4)
+		basic_machine=sparc-sun
+		os=-sunos4
+		;;
+	sun4sol2)
+		basic_machine=sparc-sun
+		os=-solaris2
+		;;
+	sun3 | sun3-*)
+		basic_machine=m68k-sun
+		;;
+	sun4)
+		basic_machine=sparc-sun
+		;;
+	sun386 | sun386i | roadrunner)
+		basic_machine=i386-sun
+		;;
+	sv1)
+		basic_machine=sv1-cray
+		os=-unicos
+		;;
+	symmetry)
+		basic_machine=i386-sequent
+		os=-dynix
+		;;
+	t3e)
+		basic_machine=alphaev5-cray
+		os=-unicos
+		;;
+	t90)
+		basic_machine=t90-cray
+		os=-unicos
+		;;
+	tic54x | c54x*)
+		basic_machine=tic54x-unknown
+		os=-coff
+		;;
+	tic55x | c55x*)
+		basic_machine=tic55x-unknown
+		os=-coff
+		;;
+	tic6x | c6x*)
+		basic_machine=tic6x-unknown
+		os=-coff
+		;;
+	tx39)
+		basic_machine=mipstx39-unknown
+		;;
+	tx39el)
+		basic_machine=mipstx39el-unknown
+		;;
+	toad1)
+		basic_machine=pdp10-xkl
+		os=-tops20
+		;;
+	tower | tower-32)
+		basic_machine=m68k-ncr
+		;;
+	tpf)
+		basic_machine=s390x-ibm
+		os=-tpf
+		;;
+	udi29k)
+		basic_machine=a29k-amd
+		os=-udi
+		;;
+	ultra3)
+		basic_machine=a29k-nyu
+		os=-sym1
+		;;
+	v810 | necv810)
+		basic_machine=v810-nec
+		os=-none
+		;;
+	vaxv)
+		basic_machine=vax-dec
+		os=-sysv
+		;;
+	vms)
+		basic_machine=vax-dec
+		os=-vms
+		;;
+	vpp*|vx|vx-*)
+		basic_machine=f301-fujitsu
+		;;
+	vxworks960)
+		basic_machine=i960-wrs
+		os=-vxworks
+		;;
+	vxworks68)
+		basic_machine=m68k-wrs
+		os=-vxworks
+		;;
+	vxworks29k)
+		basic_machine=a29k-wrs
+		os=-vxworks
+		;;
+	w65*)
+		basic_machine=w65-wdc
+		os=-none
+		;;
+	w89k-*)
+		basic_machine=hppa1.1-winbond
+		os=-proelf
+		;;
+	xbox)
+		basic_machine=i686-pc
+		os=-mingw32
+		;;
+	xps | xps100)
+		basic_machine=xps100-honeywell
+		;;
+	ymp)
+		basic_machine=ymp-cray
+		os=-unicos
+		;;
+	z8k-*-coff)
+		basic_machine=z8k-unknown
+		os=-sim
+		;;
+	none)
+		basic_machine=none-none
+		os=-none
+		;;
+
+# Here we handle the default manufacturer of certain CPU types.  It is in
+# some cases the only manufacturer, in others, it is the most popular.
+	w89k)
+		basic_machine=hppa1.1-winbond
+		;;
+	op50n)
+		basic_machine=hppa1.1-oki
+		;;
+	op60c)
+		basic_machine=hppa1.1-oki
+		;;
+	romp)
+		basic_machine=romp-ibm
+		;;
+	mmix)
+		basic_machine=mmix-knuth
+		;;
+	rs6000)
+		basic_machine=rs6000-ibm
+		;;
+	vax)
+		basic_machine=vax-dec
+		;;
+	pdp10)
+		# there are many clones, so DEC is not a safe bet
+		basic_machine=pdp10-unknown
+		;;
+	pdp11)
+		basic_machine=pdp11-dec
+		;;
+	we32k)
+		basic_machine=we32k-att
+		;;
+	sh[1234] | sh[24]a | sh[34]eb | sh[1234]le | sh[23]ele)
+		basic_machine=sh-unknown
+		;;
+	sparc | sparcv8 | sparcv9 | sparcv9b | sparcv9v)
+		basic_machine=sparc-sun
+		;;
+	cydra)
+		basic_machine=cydra-cydrome
+		;;
+	orion)
+		basic_machine=orion-highlevel
+		;;
+	orion105)
+		basic_machine=clipper-highlevel
+		;;
+	mac | mpw | mac-mpw)
+		basic_machine=m68k-apple
+		;;
+	pmac | pmac-mpw)
+		basic_machine=powerpc-apple
+		;;
+	*-unknown)
+		# Make sure to match an already-canonicalized machine name.
+		;;
+	*)
+		echo Invalid configuration \`$1\': machine \`$basic_machine\' not recognized 1>&2
+		exit 1
+		;;
+esac
+
+# Here we canonicalize certain aliases for manufacturers.
+case $basic_machine in
+	*-digital*)
+		basic_machine=`echo $basic_machine | sed 's/digital.*/dec/'`
+		;;
+	*-commodore*)
+		basic_machine=`echo $basic_machine | sed 's/commodore.*/cbm/'`
+		;;
+	*)
+		;;
+esac
+
+# Decode manufacturer-specific aliases for certain operating systems.
+
+if [ x"$os" != x"" ]
+then
+case $os in
+        # First match some system type aliases
+        # that might get confused with valid system types.
+	# -solaris* is a basic system type, with this one exception.
+	-solaris1 | -solaris1.*)
+		os=`echo $os | sed -e 's|solaris1|sunos4|'`
+		;;
+	-solaris)
+		os=-solaris2
+		;;
+	-svr4*)
+		os=-sysv4
+		;;
+	-unixware*)
+		os=-sysv4.2uw
+		;;
+	-gnu/linux*)
+		os=`echo $os | sed -e 's|gnu/linux|linux-gnu|'`
+		;;
+	# First accept the basic system types.
+	# The portable systems comes first.
+	# Each alternative MUST END IN A *, to match a version number.
+	# -sysv* is not here because it comes later, after sysvr4.
+	-gnu* | -bsd* | -mach* | -minix* | -genix* | -ultrix* | -irix* \
+	      | -*vms* | -sco* | -esix* | -isc* | -aix* | -sunos | -sunos[34]*\
+	      | -hpux* | -unos* | -osf* | -luna* | -dgux* | -solaris* | -sym* \
+	      | -amigaos* | -amigados* | -msdos* | -newsos* | -unicos* | -aof* \
+	      | -aos* \
+	      | -nindy* | -vxsim* | -vxworks* | -ebmon* | -hms* | -mvs* \
+	      | -clix* | -riscos* | -uniplus* | -iris* | -rtu* | -xenix* \
+	      | -hiux* | -386bsd* | -knetbsd* | -mirbsd* | -netbsd* \
+	      | -openbsd* | -solidbsd* \
+	      | -ekkobsd* | -kfreebsd* | -freebsd* | -riscix* | -lynxos* \
+	      | -bosx* | -nextstep* | -cxux* | -aout* | -elf* | -oabi* \
+	      | -ptx* | -coff* | -ecoff* | -winnt* | -domain* | -vsta* \
+	      | -udi* | -eabi* | -lites* | -ieee* | -go32* | -aux* \
+	      | -chorusos* | -chorusrdb* \
+	      | -cygwin* | -pe* | -psos* | -moss* | -proelf* | -rtems* \
+	      | -mingw32* | -linux-gnu* | -linux-newlib* | -linux-uclibc* \
+	      | -uxpv* | -beos* | -mpeix* | -udk* \
+	      | -interix* | -uwin* | -mks* | -rhapsody* | -darwin* | -opened* \
+	      | -openstep* | -oskit* | -conix* | -pw32* | -nonstopux* \
+	      | -storm-chaos* | -tops10* | -tenex* | -tops20* | -its* \
+	      | -os2* | -vos* | -palmos* | -uclinux* | -nucleus* \
+	      | -morphos* | -superux* | -rtmk* | -rtmk-nova* | -windiss* \
+	      | -powermax* | -dnix* | -nx6 | -nx7 | -sei* | -dragonfly* \
+	      | -skyos* | -haiku* | -rdos* | -toppers* | -drops*)
+	# Remember, each alternative MUST END IN *, to match a version number.
+		;;
+	-qnx*)
+		case $basic_machine in
+		    x86-* | i*86-*)
+			;;
+		    *)
+			os=-nto$os
+			;;
+		esac
+		;;
+	-nto-qnx*)
+		;;
+	-nto*)
+		os=`echo $os | sed -e 's|nto|nto-qnx|'`
+		;;
+	-sim | -es1800* | -hms* | -xray | -os68k* | -none* | -v88r* \
+	      | -windows* | -osx | -abug | -netware* | -os9* | -beos* | -haiku* \
+	      | -macos* | -mpw* | -magic* | -mmixware* | -mon960* | -lnews*)
+		;;
+	-mac*)
+		os=`echo $os | sed -e 's|mac|macos|'`
+		;;
+	-linux-dietlibc)
+		os=-linux-dietlibc
+		;;
+	-linux*)
+		os=`echo $os | sed -e 's|linux|linux-gnu|'`
+		;;
+	-sunos5*)
+		os=`echo $os | sed -e 's|sunos5|solaris2|'`
+		;;
+	-sunos6*)
+		os=`echo $os | sed -e 's|sunos6|solaris3|'`
+		;;
+	-opened*)
+		os=-openedition
+		;;
+        -os400*)
+		os=-os400
+		;;
+	-wince*)
+		os=-wince
+		;;
+	-osfrose*)
+		os=-osfrose
+		;;
+	-osf*)
+		os=-osf
+		;;
+	-utek*)
+		os=-bsd
+		;;
+	-dynix*)
+		os=-bsd
+		;;
+	-acis*)
+		os=-aos
+		;;
+	-atheos*)
+		os=-atheos
+		;;
+	-syllable*)
+		os=-syllable
+		;;
+	-386bsd)
+		os=-bsd
+		;;
+	-ctix* | -uts*)
+		os=-sysv
+		;;
+	-nova*)
+		os=-rtmk-nova
+		;;
+	-ns2 )
+		os=-nextstep2
+		;;
+	-nsk*)
+		os=-nsk
+		;;
+	# Preserve the version number of sinix5.
+	-sinix5.*)
+		os=`echo $os | sed -e 's|sinix|sysv|'`
+		;;
+	-sinix*)
+		os=-sysv4
+		;;
+        -tpf*)
+		os=-tpf
+		;;
+	-triton*)
+		os=-sysv3
+		;;
+	-oss*)
+		os=-sysv3
+		;;
+	-svr4)
+		os=-sysv4
+		;;
+	-svr3)
+		os=-sysv3
+		;;
+	-sysvr4)
+		os=-sysv4
+		;;
+	# This must come after -sysvr4.
+	-sysv*)
+		;;
+	-ose*)
+		os=-ose
+		;;
+	-es1800*)
+		os=-ose
+		;;
+	-xenix)
+		os=-xenix
+		;;
+	-*mint | -mint[0-9]* | -*MiNT | -MiNT[0-9]*)
+		os=-mint
+		;;
+	-aros*)
+		os=-aros
+		;;
+	-kaos*)
+		os=-kaos
+		;;
+	-zvmoe)
+		os=-zvmoe
+		;;
+	-none)
+		;;
+	*)
+		# Get rid of the `-' at the beginning of $os.
+		os=`echo $os | sed 's/[^-]*-//'`
+		echo Invalid configuration \`$1\': system \`$os\' not recognized 1>&2
+		exit 1
+		;;
+esac
+else
+
+# Here we handle the default operating systems that come with various machines.
+# The value should be what the vendor currently ships out the door with their
+# machine or put another way, the most popular os provided with the machine.
+
+# Note that if you're going to try to match "-MANUFACTURER" here (say,
+# "-sun"), then you have to tell the case statement up towards the top
+# that MANUFACTURER isn't an operating system.  Otherwise, code above
+# will signal an error saying that MANUFACTURER isn't an operating
+# system, and we'll never get to this point.
+
+case $basic_machine in
+        score-*)
+		os=-elf
+		;;
+        spu-*)
+		os=-elf
+		;;
+	*-acorn)
+		os=-riscix1.2
+		;;
+	arm*-rebel)
+		os=-linux
+		;;
+	arm*-semi)
+		os=-aout
+		;;
+        c4x-* | tic4x-*)
+        	os=-coff
+		;;
+	# This must come before the *-dec entry.
+	pdp10-*)
+		os=-tops20
+		;;
+	pdp11-*)
+		os=-none
+		;;
+	*-dec | vax-*)
+		os=-ultrix4.2
+		;;
+	m68*-apollo)
+		os=-domain
+		;;
+	i386-sun)
+		os=-sunos4.0.2
+		;;
+	m68000-sun)
+		os=-sunos3
+		# This also exists in the configure program, but was not the
+		# default.
+		# os=-sunos4
+		;;
+	m68*-cisco)
+		os=-aout
+		;;
+        mep-*)
+		os=-elf
+		;;
+	mips*-cisco)
+		os=-elf
+		;;
+	mips*-*)
+		os=-elf
+		;;
+	or32-*)
+		os=-coff
+		;;
+	*-tti)	# must be before sparc entry or we get the wrong os.
+		os=-sysv3
+		;;
+	sparc-* | *-sun)
+		os=-sunos4.1.1
+		;;
+	*-be)
+		os=-beos
+		;;
+	*-haiku)
+		os=-haiku
+		;;
+	*-ibm)
+		os=-aix
+		;;
+    	*-knuth)
+		os=-mmixware
+		;;
+	*-wec)
+		os=-proelf
+		;;
+	*-winbond)
+		os=-proelf
+		;;
+	*-oki)
+		os=-proelf
+		;;
+	*-hp)
+		os=-hpux
+		;;
+	*-hitachi)
+		os=-hiux
+		;;
+	i860-* | *-att | *-ncr | *-altos | *-motorola | *-convergent)
+		os=-sysv
+		;;
+	*-cbm)
+		os=-amigaos
+		;;
+	*-dg)
+		os=-dgux
+		;;
+	*-dolphin)
+		os=-sysv3
+		;;
+	m68k-ccur)
+		os=-rtu
+		;;
+	m88k-omron*)
+		os=-luna
+		;;
+	*-next )
+		os=-nextstep
+		;;
+	*-sequent)
+		os=-ptx
+		;;
+	*-crds)
+		os=-unos
+		;;
+	*-ns)
+		os=-genix
+		;;
+	i370-*)
+		os=-mvs
+		;;
+	*-next)
+		os=-nextstep3
+		;;
+	*-gould)
+		os=-sysv
+		;;
+	*-highlevel)
+		os=-bsd
+		;;
+	*-encore)
+		os=-bsd
+		;;
+	*-sgi)
+		os=-irix
+		;;
+	*-siemens)
+		os=-sysv4
+		;;
+	*-masscomp)
+		os=-rtu
+		;;
+	f30[01]-fujitsu | f700-fujitsu)
+		os=-uxpv
+		;;
+	*-rom68k)
+		os=-coff
+		;;
+	*-*bug)
+		os=-coff
+		;;
+	*-apple)
+		os=-macos
+		;;
+	*-atari*)
+		os=-mint
+		;;
+	*)
+		os=-none
+		;;
+esac
+fi
+
+# Here we handle the case where we know the os, and the CPU type, but not the
+# manufacturer.  We pick the logical manufacturer.
+vendor=unknown
+case $basic_machine in
+	*-unknown)
+		case $os in
+			-riscix*)
+				vendor=acorn
+				;;
+			-sunos*)
+				vendor=sun
+				;;
+			-aix*)
+				vendor=ibm
+				;;
+			-beos*)
+				vendor=be
+				;;
+			-hpux*)
+				vendor=hp
+				;;
+			-mpeix*)
+				vendor=hp
+				;;
+			-hiux*)
+				vendor=hitachi
+				;;
+			-unos*)
+				vendor=crds
+				;;
+			-dgux*)
+				vendor=dg
+				;;
+			-luna*)
+				vendor=omron
+				;;
+			-genix*)
+				vendor=ns
+				;;
+			-mvs* | -opened*)
+				vendor=ibm
+				;;
+			-os400*)
+				vendor=ibm
+				;;
+			-ptx*)
+				vendor=sequent
+				;;
+			-tpf*)
+				vendor=ibm
+				;;
+			-vxsim* | -vxworks* | -windiss*)
+				vendor=wrs
+				;;
+			-aux*)
+				vendor=apple
+				;;
+			-hms*)
+				vendor=hitachi
+				;;
+			-mpw* | -macos*)
+				vendor=apple
+				;;
+			-*mint | -mint[0-9]* | -*MiNT | -MiNT[0-9]*)
+				vendor=atari
+				;;
+			-vos*)
+				vendor=stratus
+				;;
+		esac
+		basic_machine=`echo $basic_machine | sed "s/unknown/$vendor/"`
+		;;
+esac
+
+echo $basic_machine$os
+exit
+
+# Local variables:
+# eval: (add-hook 'write-file-hooks 'time-stamp)
+# time-stamp-start: "timestamp='"
+# time-stamp-format: "%:y-%02m-%02d"
+# time-stamp-end: "'"
+# End:
diff --git a/src/charon/plugins/nm/gnome/configure b/src/charon/plugins/nm/gnome/configure
new file mode 100755
index 000000000..45ab8dec1
--- /dev/null
+++ b/src/charon/plugins/nm/gnome/configure
@@ -0,0 +1,25583 @@
+#! /bin/sh
+# Guess values for system-dependent variables and create Makefiles.
+# Generated by GNU Autoconf 2.61 for NetworkManager-strongswan 4.2.6.
+#
+# Report bugs to <martin@strongswan.org>.
+#
+# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
+# 2002, 2003, 2004, 2005, 2006 Free Software Foundation, Inc.
+# This configure script is free software; the Free Software Foundation
+# gives unlimited permission to copy, distribute and modify it.
+## --------------------- ##
+## M4sh Initialization.  ##
+## --------------------- ##
+
+# Be more Bourne compatible
+DUALCASE=1; export DUALCASE # for MKS sh
+if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
+  emulate sh
+  NULLCMD=:
+  # Zsh 3.x and 4.x performs word splitting on ${1+"$@"}, which
+  # is contrary to our usage.  Disable this feature.
+  alias -g '${1+"$@"}'='"$@"'
+  setopt NO_GLOB_SUBST
+else
+  case `(set -o) 2>/dev/null` in
+  *posix*) set -o posix ;;
+esac
+
+fi
+
+
+
+
+# PATH needs CR
+# Avoid depending upon Character Ranges.
+as_cr_letters='abcdefghijklmnopqrstuvwxyz'
+as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ'
+as_cr_Letters=$as_cr_letters$as_cr_LETTERS
+as_cr_digits='0123456789'
+as_cr_alnum=$as_cr_Letters$as_cr_digits
+
+# The user is always right.
+if test "${PATH_SEPARATOR+set}" != set; then
+  echo "#! /bin/sh" >conf$$.sh
+  echo  "exit 0"   >>conf$$.sh
+  chmod +x conf$$.sh
+  if (PATH="/nonexistent;."; conf$$.sh) >/dev/null 2>&1; then
+    PATH_SEPARATOR=';'
+  else
+    PATH_SEPARATOR=:
+  fi
+  rm -f conf$$.sh
+fi
+
+# Support unset when possible.
+if ( (MAIL=60; unset MAIL) || exit) >/dev/null 2>&1; then
+  as_unset=unset
+else
+  as_unset=false
+fi
+
+
+# IFS
+# We need space, tab and new line, in precisely that order.  Quoting is
+# there to prevent editors from complaining about space-tab.
+# (If _AS_PATH_WALK were called with IFS unset, it would disable word
+# splitting by setting IFS to empty value.)
+as_nl='
+'
+IFS=" ""	$as_nl"
+
+# Find who we are.  Look in the path if we contain no directory separator.
+case $0 in
+  *[\\/]* ) as_myself=$0 ;;
+  *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+  test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break
+done
+IFS=$as_save_IFS
+
+     ;;
+esac
+# We did not find ourselves, most probably we were run as `sh COMMAND'
+# in which case we are not to be found in the path.
+if test "x$as_myself" = x; then
+  as_myself=$0
+fi
+if test ! -f "$as_myself"; then
+  echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2
+  { (exit 1); exit 1; }
+fi
+
+# Work around bugs in pre-3.0 UWIN ksh.
+for as_var in ENV MAIL MAILPATH
+do ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var
+done
+PS1='$ '
+PS2='> '
+PS4='+ '
+
+# NLS nuisances.
+for as_var in \
+  LANG LANGUAGE LC_ADDRESS LC_ALL LC_COLLATE LC_CTYPE LC_IDENTIFICATION \
+  LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER \
+  LC_TELEPHONE LC_TIME
+do
+  if (set +x; test -z "`(eval $as_var=C; export $as_var) 2>&1`"); then
+    eval $as_var=C; export $as_var
+  else
+    ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var
+  fi
+done
+
+# Required to use basename.
+if expr a : '\(a\)' >/dev/null 2>&1 &&
+   test "X`expr 00001 : '.*\(...\)'`" = X001; then
+  as_expr=expr
+else
+  as_expr=false
+fi
+
+if (basename -- /) >/dev/null 2>&1 && test "X`basename -- / 2>&1`" = "X/"; then
+  as_basename=basename
+else
+  as_basename=false
+fi
+
+
+# Name of the executable.
+as_me=`$as_basename -- "$0" ||
+$as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \
+	 X"$0" : 'X\(//\)$' \| \
+	 X"$0" : 'X\(/\)' \| . 2>/dev/null ||
+echo X/"$0" |
+    sed '/^.*\/\([^/][^/]*\)\/*$/{
+	    s//\1/
+	    q
+	  }
+	  /^X\/\(\/\/\)$/{
+	    s//\1/
+	    q
+	  }
+	  /^X\/\(\/\).*/{
+	    s//\1/
+	    q
+	  }
+	  s/.*/./; q'`
+
+# CDPATH.
+$as_unset CDPATH
+
+
+if test "x$CONFIG_SHELL" = x; then
+  if (eval ":") 2>/dev/null; then
+  as_have_required=yes
+else
+  as_have_required=no
+fi
+
+  if test $as_have_required = yes && 	 (eval ":
+(as_func_return () {
+  (exit \$1)
+}
+as_func_success () {
+  as_func_return 0
+}
+as_func_failure () {
+  as_func_return 1
+}
+as_func_ret_success () {
+  return 0
+}
+as_func_ret_failure () {
+  return 1
+}
+
+exitcode=0
+if as_func_success; then
+  :
+else
+  exitcode=1
+  echo as_func_success failed.
+fi
+
+if as_func_failure; then
+  exitcode=1
+  echo as_func_failure succeeded.
+fi
+
+if as_func_ret_success; then
+  :
+else
+  exitcode=1
+  echo as_func_ret_success failed.
+fi
+
+if as_func_ret_failure; then
+  exitcode=1
+  echo as_func_ret_failure succeeded.
+fi
+
+if ( set x; as_func_ret_success y && test x = \"\$1\" ); then
+  :
+else
+  exitcode=1
+  echo positional parameters were not saved.
+fi
+
+test \$exitcode = 0) || { (exit 1); exit 1; }
+
+(
+  as_lineno_1=\$LINENO
+  as_lineno_2=\$LINENO
+  test \"x\$as_lineno_1\" != \"x\$as_lineno_2\" &&
+  test \"x\`expr \$as_lineno_1 + 1\`\" = \"x\$as_lineno_2\") || { (exit 1); exit 1; }
+") 2> /dev/null; then
+  :
+else
+  as_candidate_shells=
+    as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in /bin$PATH_SEPARATOR/usr/bin$PATH_SEPARATOR$PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+  case $as_dir in
+	 /*)
+	   for as_base in sh bash ksh sh5; do
+	     as_candidate_shells="$as_candidate_shells $as_dir/$as_base"
+	   done;;
+       esac
+done
+IFS=$as_save_IFS
+
+
+      for as_shell in $as_candidate_shells $SHELL; do
+	 # Try only shells that exist, to save several forks.
+	 if { test -f "$as_shell" || test -f "$as_shell.exe"; } &&
+		{ ("$as_shell") 2> /dev/null <<\_ASEOF
+if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
+  emulate sh
+  NULLCMD=:
+  # Zsh 3.x and 4.x performs word splitting on ${1+"$@"}, which
+  # is contrary to our usage.  Disable this feature.
+  alias -g '${1+"$@"}'='"$@"'
+  setopt NO_GLOB_SUBST
+else
+  case `(set -o) 2>/dev/null` in
+  *posix*) set -o posix ;;
+esac
+
+fi
+
+
+:
+_ASEOF
+}; then
+  CONFIG_SHELL=$as_shell
+	       as_have_required=yes
+	       if { "$as_shell" 2> /dev/null <<\_ASEOF
+if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
+  emulate sh
+  NULLCMD=:
+  # Zsh 3.x and 4.x performs word splitting on ${1+"$@"}, which
+  # is contrary to our usage.  Disable this feature.
+  alias -g '${1+"$@"}'='"$@"'
+  setopt NO_GLOB_SUBST
+else
+  case `(set -o) 2>/dev/null` in
+  *posix*) set -o posix ;;
+esac
+
+fi
+
+
+:
+(as_func_return () {
+  (exit $1)
+}
+as_func_success () {
+  as_func_return 0
+}
+as_func_failure () {
+  as_func_return 1
+}
+as_func_ret_success () {
+  return 0
+}
+as_func_ret_failure () {
+  return 1
+}
+
+exitcode=0
+if as_func_success; then
+  :
+else
+  exitcode=1
+  echo as_func_success failed.
+fi
+
+if as_func_failure; then
+  exitcode=1
+  echo as_func_failure succeeded.
+fi
+
+if as_func_ret_success; then
+  :
+else
+  exitcode=1
+  echo as_func_ret_success failed.
+fi
+
+if as_func_ret_failure; then
+  exitcode=1
+  echo as_func_ret_failure succeeded.
+fi
+
+if ( set x; as_func_ret_success y && test x = "$1" ); then
+  :
+else
+  exitcode=1
+  echo positional parameters were not saved.
+fi
+
+test $exitcode = 0) || { (exit 1); exit 1; }
+
+(
+  as_lineno_1=$LINENO
+  as_lineno_2=$LINENO
+  test "x$as_lineno_1" != "x$as_lineno_2" &&
+  test "x`expr $as_lineno_1 + 1`" = "x$as_lineno_2") || { (exit 1); exit 1; }
+
+_ASEOF
+}; then
+  break
+fi
+
+fi
+
+      done
+
+      if test "x$CONFIG_SHELL" != x; then
+  for as_var in BASH_ENV ENV
+        do ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var
+        done
+        export CONFIG_SHELL
+        exec "$CONFIG_SHELL" "$as_myself" ${1+"$@"}
+fi
+
+
+    if test $as_have_required = no; then
+  echo This script requires a shell more modern than all the
+      echo shells that I found on your system.  Please install a
+      echo modern shell, or manually run the script under such a
+      echo shell if you do have one.
+      { (exit 1); exit 1; }
+fi
+
+
+fi
+
+fi
+
+
+
+(eval "as_func_return () {
+  (exit \$1)
+}
+as_func_success () {
+  as_func_return 0
+}
+as_func_failure () {
+  as_func_return 1
+}
+as_func_ret_success () {
+  return 0
+}
+as_func_ret_failure () {
+  return 1
+}
+
+exitcode=0
+if as_func_success; then
+  :
+else
+  exitcode=1
+  echo as_func_success failed.
+fi
+
+if as_func_failure; then
+  exitcode=1
+  echo as_func_failure succeeded.
+fi
+
+if as_func_ret_success; then
+  :
+else
+  exitcode=1
+  echo as_func_ret_success failed.
+fi
+
+if as_func_ret_failure; then
+  exitcode=1
+  echo as_func_ret_failure succeeded.
+fi
+
+if ( set x; as_func_ret_success y && test x = \"\$1\" ); then
+  :
+else
+  exitcode=1
+  echo positional parameters were not saved.
+fi
+
+test \$exitcode = 0") || {
+  echo No shell found that supports shell functions.
+  echo Please tell autoconf@gnu.org about your system,
+  echo including any error possibly output before this
+  echo message
+}
+
+
+
+  as_lineno_1=$LINENO
+  as_lineno_2=$LINENO
+  test "x$as_lineno_1" != "x$as_lineno_2" &&
+  test "x`expr $as_lineno_1 + 1`" = "x$as_lineno_2" || {
+
+  # Create $as_me.lineno as a copy of $as_myself, but with $LINENO
+  # uniformly replaced by the line number.  The first 'sed' inserts a
+  # line-number line after each line using $LINENO; the second 'sed'
+  # does the real work.  The second script uses 'N' to pair each
+  # line-number line with the line containing $LINENO, and appends
+  # trailing '-' during substitution so that $LINENO is not a special
+  # case at line end.
+  # (Raja R Harinath suggested sed '=', and Paul Eggert wrote the
+  # scripts with optimization help from Paolo Bonzini.  Blame Lee
+  # E. McMahon (1931-1989) for sed's syntax.  :-)
+  sed -n '
+    p
+    /[$]LINENO/=
+  ' <$as_myself |
+    sed '
+      s/[$]LINENO.*/&-/
+      t lineno
+      b
+      :lineno
+      N
+      :loop
+      s/[$]LINENO\([^'$as_cr_alnum'_].*\n\)\(.*\)/\2\1\2/
+      t loop
+      s/-\n.*//
+    ' >$as_me.lineno &&
+  chmod +x "$as_me.lineno" ||
+    { echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2
+   { (exit 1); exit 1; }; }
+
+  # Don't try to exec as it changes $[0], causing all sort of problems
+  # (the dirname of $[0] is not the place where we might find the
+  # original and so on.  Autoconf is especially sensitive to this).
+  . "./$as_me.lineno"
+  # Exit status is that of the last command.
+  exit
+}
+
+
+if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then
+  as_dirname=dirname
+else
+  as_dirname=false
+fi
+
+ECHO_C= ECHO_N= ECHO_T=
+case `echo -n x` in
+-n*)
+  case `echo 'x\c'` in
+  *c*) ECHO_T='	';;	# ECHO_T is single tab character.
+  *)   ECHO_C='\c';;
+  esac;;
+*)
+  ECHO_N='-n';;
+esac
+
+if expr a : '\(a\)' >/dev/null 2>&1 &&
+   test "X`expr 00001 : '.*\(...\)'`" = X001; then
+  as_expr=expr
+else
+  as_expr=false
+fi
+
+rm -f conf$$ conf$$.exe conf$$.file
+if test -d conf$$.dir; then
+  rm -f conf$$.dir/conf$$.file
+else
+  rm -f conf$$.dir
+  mkdir conf$$.dir
+fi
+echo >conf$$.file
+if ln -s conf$$.file conf$$ 2>/dev/null; then
+  as_ln_s='ln -s'
+  # ... but there are two gotchas:
+  # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail.
+  # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable.
+  # In both cases, we have to default to `cp -p'.
+  ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe ||
+    as_ln_s='cp -p'
+elif ln conf$$.file conf$$ 2>/dev/null; then
+  as_ln_s=ln
+else
+  as_ln_s='cp -p'
+fi
+rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file
+rmdir conf$$.dir 2>/dev/null
+
+if mkdir -p . 2>/dev/null; then
+  as_mkdir_p=:
+else
+  test -d ./-p && rmdir ./-p
+  as_mkdir_p=false
+fi
+
+if test -x / >/dev/null 2>&1; then
+  as_test_x='test -x'
+else
+  if ls -dL / >/dev/null 2>&1; then
+    as_ls_L_option=L
+  else
+    as_ls_L_option=
+  fi
+  as_test_x='
+    eval sh -c '\''
+      if test -d "$1"; then
+        test -d "$1/.";
+      else
+	case $1 in
+        -*)set "./$1";;
+	esac;
+	case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in
+	???[sx]*):;;*)false;;esac;fi
+    '\'' sh
+  '
+fi
+as_executable_p=$as_test_x
+
+# Sed expression to map a string onto a valid CPP name.
+as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'"
+
+# Sed expression to map a string onto a valid variable name.
+as_tr_sh="eval sed 'y%*+%pp%;s%[^_$as_cr_alnum]%_%g'"
+
+
+
+
+# Check that we are running under the correct shell.
+SHELL=${CONFIG_SHELL-/bin/sh}
+
+case X$ECHO in
+X*--fallback-echo)
+  # Remove one level of quotation (which was required for Make).
+  ECHO=`echo "$ECHO" | sed 's,\\\\\$\\$0,'$0','`
+  ;;
+esac
+
+echo=${ECHO-echo}
+if test "X$1" = X--no-reexec; then
+  # Discard the --no-reexec flag, and continue.
+  shift
+elif test "X$1" = X--fallback-echo; then
+  # Avoid inline document here, it may be left over
+  :
+elif test "X`($echo '\t') 2>/dev/null`" = 'X\t' ; then
+  # Yippee, $echo works!
+  :
+else
+  # Restart under the correct shell.
+  exec $SHELL "$0" --no-reexec ${1+"$@"}
+fi
+
+if test "X$1" = X--fallback-echo; then
+  # used as fallback echo
+  shift
+  cat <<EOF
+$*
+EOF
+  exit 0
+fi
+
+# The HP-UX ksh and POSIX shell print the target directory to stdout
+# if CDPATH is set.
+(unset CDPATH) >/dev/null 2>&1 && unset CDPATH
+
+if test -z "$ECHO"; then
+if test "X${echo_test_string+set}" != Xset; then
+# find a string as large as possible, as long as the shell can cope with it
+  for cmd in 'sed 50q "$0"' 'sed 20q "$0"' 'sed 10q "$0"' 'sed 2q "$0"' 'echo test'; do
+    # expected sizes: less than 2Kb, 1Kb, 512 bytes, 16 bytes, ...
+    if (echo_test_string=`eval $cmd`) 2>/dev/null &&
+       echo_test_string=`eval $cmd` &&
+       (test "X$echo_test_string" = "X$echo_test_string") 2>/dev/null
+    then
+      break
+    fi
+  done
+fi
+
+if test "X`($echo '\t') 2>/dev/null`" = 'X\t' &&
+   echo_testing_string=`($echo "$echo_test_string") 2>/dev/null` &&
+   test "X$echo_testing_string" = "X$echo_test_string"; then
+  :
+else
+  # The Solaris, AIX, and Digital Unix default echo programs unquote
+  # backslashes.  This makes it impossible to quote backslashes using
+  #   echo "$something" | sed 's/\\/\\\\/g'
+  #
+  # So, first we look for a working echo in the user's PATH.
+
+  lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR
+  for dir in $PATH /usr/ucb; do
+    IFS="$lt_save_ifs"
+    if (test -f $dir/echo || test -f $dir/echo$ac_exeext) &&
+       test "X`($dir/echo '\t') 2>/dev/null`" = 'X\t' &&
+       echo_testing_string=`($dir/echo "$echo_test_string") 2>/dev/null` &&
+       test "X$echo_testing_string" = "X$echo_test_string"; then
+      echo="$dir/echo"
+      break
+    fi
+  done
+  IFS="$lt_save_ifs"
+
+  if test "X$echo" = Xecho; then
+    # We didn't find a better echo, so look for alternatives.
+    if test "X`(print -r '\t') 2>/dev/null`" = 'X\t' &&
+       echo_testing_string=`(print -r "$echo_test_string") 2>/dev/null` &&
+       test "X$echo_testing_string" = "X$echo_test_string"; then
+      # This shell has a builtin print -r that does the trick.
+      echo='print -r'
+    elif (test -f /bin/ksh || test -f /bin/ksh$ac_exeext) &&
+	 test "X$CONFIG_SHELL" != X/bin/ksh; then
+      # If we have ksh, try running configure again with it.
+      ORIGINAL_CONFIG_SHELL=${CONFIG_SHELL-/bin/sh}
+      export ORIGINAL_CONFIG_SHELL
+      CONFIG_SHELL=/bin/ksh
+      export CONFIG_SHELL
+      exec $CONFIG_SHELL "$0" --no-reexec ${1+"$@"}
+    else
+      # Try using printf.
+      echo='printf %s\n'
+      if test "X`($echo '\t') 2>/dev/null`" = 'X\t' &&
+	 echo_testing_string=`($echo "$echo_test_string") 2>/dev/null` &&
+	 test "X$echo_testing_string" = "X$echo_test_string"; then
+	# Cool, printf works
+	:
+      elif echo_testing_string=`($ORIGINAL_CONFIG_SHELL "$0" --fallback-echo '\t') 2>/dev/null` &&
+	   test "X$echo_testing_string" = 'X\t' &&
+	   echo_testing_string=`($ORIGINAL_CONFIG_SHELL "$0" --fallback-echo "$echo_test_string") 2>/dev/null` &&
+	   test "X$echo_testing_string" = "X$echo_test_string"; then
+	CONFIG_SHELL=$ORIGINAL_CONFIG_SHELL
+	export CONFIG_SHELL
+	SHELL="$CONFIG_SHELL"
+	export SHELL
+	echo="$CONFIG_SHELL $0 --fallback-echo"
+      elif echo_testing_string=`($CONFIG_SHELL "$0" --fallback-echo '\t') 2>/dev/null` &&
+	   test "X$echo_testing_string" = 'X\t' &&
+	   echo_testing_string=`($CONFIG_SHELL "$0" --fallback-echo "$echo_test_string") 2>/dev/null` &&
+	   test "X$echo_testing_string" = "X$echo_test_string"; then
+	echo="$CONFIG_SHELL $0 --fallback-echo"
+      else
+	# maybe with a smaller string...
+	prev=:
+
+	for cmd in 'echo test' 'sed 2q "$0"' 'sed 10q "$0"' 'sed 20q "$0"' 'sed 50q "$0"'; do
+	  if (test "X$echo_test_string" = "X`eval $cmd`") 2>/dev/null
+	  then
+	    break
+	  fi
+	  prev="$cmd"
+	done
+
+	if test "$prev" != 'sed 50q "$0"'; then
+	  echo_test_string=`eval $prev`
+	  export echo_test_string
+	  exec ${ORIGINAL_CONFIG_SHELL-${CONFIG_SHELL-/bin/sh}} "$0" ${1+"$@"}
+	else
+	  # Oops.  We lost completely, so just stick with echo.
+	  echo=echo
+	fi
+      fi
+    fi
+  fi
+fi
+fi
+
+# Copy echo and quote the copy suitably for passing to libtool from
+# the Makefile, instead of quoting the original, which is used later.
+ECHO=$echo
+if test "X$ECHO" = "X$CONFIG_SHELL $0 --fallback-echo"; then
+   ECHO="$CONFIG_SHELL \\\$\$0 --fallback-echo"
+fi
+
+
+
+
+tagnames=${tagnames+${tagnames},}CXX
+
+tagnames=${tagnames+${tagnames},}F77
+
+exec 7<&0 </dev/null 6>&1
+
+# Name of the host.
+# hostname on some systems (SVR3.2, Linux) returns a bogus exit status,
+# so uname gets run too.
+ac_hostname=`(hostname || uname -n) 2>/dev/null | sed 1q`
+
+#
+# Initializations.
+#
+ac_default_prefix=/usr/local
+ac_clean_files=
+ac_config_libobj_dir=.
+LIBOBJS=
+cross_compiling=no
+subdirs=
+MFLAGS=
+MAKEFLAGS=
+SHELL=${CONFIG_SHELL-/bin/sh}
+
+# Identity of this package.
+PACKAGE_NAME='NetworkManager-strongswan'
+PACKAGE_TARNAME='NetworkManager-strongswan'
+PACKAGE_VERSION='4.2.6'
+PACKAGE_STRING='NetworkManager-strongswan 4.2.6'
+PACKAGE_BUGREPORT='martin@strongswan.org'
+
+# Factoring default headers for most tests.
+ac_includes_default="\
+#include <stdio.h>
+#ifdef HAVE_SYS_TYPES_H
+# include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_STAT_H
+# include <sys/stat.h>
+#endif
+#ifdef STDC_HEADERS
+# include <stdlib.h>
+# include <stddef.h>
+#else
+# ifdef HAVE_STDLIB_H
+#  include <stdlib.h>
+# endif
+#endif
+#ifdef HAVE_STRING_H
+# if !defined STDC_HEADERS && defined HAVE_MEMORY_H
+#  include <memory.h>
+# endif
+# include <string.h>
+#endif
+#ifdef HAVE_STRINGS_H
+# include <strings.h>
+#endif
+#ifdef HAVE_INTTYPES_H
+# include <inttypes.h>
+#endif
+#ifdef HAVE_STDINT_H
+# include <stdint.h>
+#endif
+#ifdef HAVE_UNISTD_H
+# include <unistd.h>
+#endif"
+
+ac_subst_vars='SHELL
+PATH_SEPARATOR
+PACKAGE_NAME
+PACKAGE_TARNAME
+PACKAGE_VERSION
+PACKAGE_STRING
+PACKAGE_BUGREPORT
+exec_prefix
+prefix
+program_transform_name
+bindir
+sbindir
+libexecdir
+datarootdir
+datadir
+sysconfdir
+sharedstatedir
+localstatedir
+includedir
+oldincludedir
+docdir
+infodir
+htmldir
+dvidir
+pdfdir
+psdir
+libdir
+localedir
+mandir
+DEFS
+ECHO_C
+ECHO_N
+ECHO_T
+LIBS
+build_alias
+host_alias
+target_alias
+INSTALL_PROGRAM
+INSTALL_SCRIPT
+INSTALL_DATA
+am__isrc
+CYGPATH_W
+PACKAGE
+VERSION
+ACLOCAL
+AUTOCONF
+AUTOMAKE
+AUTOHEADER
+MAKEINFO
+install_sh
+STRIP
+INSTALL_STRIP_PROGRAM
+mkdir_p
+AWK
+SET_MAKE
+am__leading_dot
+AMTAR
+am__tar
+am__untar
+MAINTAINER_MODE_TRUE
+MAINTAINER_MODE_FALSE
+MAINT
+CC
+CFLAGS
+LDFLAGS
+CPPFLAGS
+ac_ct_CC
+EXEEXT
+OBJEXT
+DEPDIR
+am__include
+am__quote
+AMDEP_TRUE
+AMDEP_FALSE
+AMDEPBACKSLASH
+CCDEPMODE
+am__fastdepCC_TRUE
+am__fastdepCC_FALSE
+build
+build_cpu
+build_vendor
+build_os
+host
+host_cpu
+host_vendor
+host_os
+SED
+GREP
+EGREP
+LN_S
+ECHO
+AR
+RANLIB
+DSYMUTIL
+NMEDIT
+CPP
+CXX
+CXXFLAGS
+ac_ct_CXX
+CXXDEPMODE
+am__fastdepCXX_TRUE
+am__fastdepCXX_FALSE
+CXXCPP
+F77
+FFLAGS
+ac_ct_F77
+LIBTOOL
+LIBOBJS
+GETTEXT_PACKAGE
+INTLTOOL_DESKTOP_RULE
+INTLTOOL_DIRECTORY_RULE
+INTLTOOL_KEYS_RULE
+INTLTOOL_PROP_RULE
+INTLTOOL_OAF_RULE
+INTLTOOL_PONG_RULE
+INTLTOOL_SERVER_RULE
+INTLTOOL_SHEET_RULE
+INTLTOOL_SOUNDLIST_RULE
+INTLTOOL_UI_RULE
+INTLTOOL_XAM_RULE
+INTLTOOL_KBD_RULE
+INTLTOOL_XML_RULE
+INTLTOOL_XML_NOMERGE_RULE
+INTLTOOL_CAVES_RULE
+INTLTOOL_SCHEMAS_RULE
+INTLTOOL_THEME_RULE
+INTLTOOL_SERVICE_RULE
+INTLTOOL_POLICY_RULE
+XGETTEXT
+MSGMERGE
+MSGFMT
+INTLTOOL_EXTRACT
+INTLTOOL_MERGE
+INTLTOOL_UPDATE
+INTLTOOL_PERL
+ALL_LINGUAS
+DATADIRNAME
+USE_NLS
+MSGFMT_OPTS
+GMSGFMT
+CATALOGS
+CATOBJEXT
+GMOFILES
+INSTOBJEXT
+INTLLIBS
+PO_IN_DATADIR_TRUE
+PO_IN_DATADIR_FALSE
+POFILES
+POSUB
+MKINSTALLDIRS
+PKG_CONFIG
+GTHREAD_CFLAGS
+GTHREAD_LIBS
+DBUS_CFLAGS
+DBUS_LIBS
+GTK_CFLAGS
+GTK_LIBS
+GDK_PIXBUF_CFLAGS
+GDK_PIXBUF_LIBS
+GLADE_CFLAGS
+GLADE_LIBS
+LIBGNOMEUI_CFLAGS
+LIBGNOMEUI_LIBS
+GCONF_CFLAGS
+GCONF_LIBS
+GNOMEKEYRING_CFLAGS
+GNOMEKEYRING_LIBS
+NM_UTILS_CFLAGS
+NM_UTILS_LIBS
+charon
+LTLIBOBJS'
+ac_subst_files=''
+      ac_precious_vars='build_alias
+host_alias
+target_alias
+CC
+CFLAGS
+LDFLAGS
+LIBS
+CPPFLAGS
+CPP
+CXX
+CXXFLAGS
+CCC
+CXXCPP
+F77
+FFLAGS
+PKG_CONFIG
+GTHREAD_CFLAGS
+GTHREAD_LIBS
+DBUS_CFLAGS
+DBUS_LIBS
+GTK_CFLAGS
+GTK_LIBS
+GDK_PIXBUF_CFLAGS
+GDK_PIXBUF_LIBS
+GLADE_CFLAGS
+GLADE_LIBS
+LIBGNOMEUI_CFLAGS
+LIBGNOMEUI_LIBS
+GCONF_CFLAGS
+GCONF_LIBS
+GNOMEKEYRING_CFLAGS
+GNOMEKEYRING_LIBS
+NM_UTILS_CFLAGS
+NM_UTILS_LIBS'
+
+
+# Initialize some variables set by options.
+ac_init_help=
+ac_init_version=false
+# The variables have the same names as the options, with
+# dashes changed to underlines.
+cache_file=/dev/null
+exec_prefix=NONE
+no_create=
+no_recursion=
+prefix=NONE
+program_prefix=NONE
+program_suffix=NONE
+program_transform_name=s,x,x,
+silent=
+site=
+srcdir=
+verbose=
+x_includes=NONE
+x_libraries=NONE
+
+# Installation directory options.
+# These are left unexpanded so users can "make install exec_prefix=/foo"
+# and all the variables that are supposed to be based on exec_prefix
+# by default will actually change.
+# Use braces instead of parens because sh, perl, etc. also accept them.
+# (The list follows the same order as the GNU Coding Standards.)
+bindir='${exec_prefix}/bin'
+sbindir='${exec_prefix}/sbin'
+libexecdir='${exec_prefix}/libexec'
+datarootdir='${prefix}/share'
+datadir='${datarootdir}'
+sysconfdir='${prefix}/etc'
+sharedstatedir='${prefix}/com'
+localstatedir='${prefix}/var'
+includedir='${prefix}/include'
+oldincludedir='/usr/include'
+docdir='${datarootdir}/doc/${PACKAGE_TARNAME}'
+infodir='${datarootdir}/info'
+htmldir='${docdir}'
+dvidir='${docdir}'
+pdfdir='${docdir}'
+psdir='${docdir}'
+libdir='${exec_prefix}/lib'
+localedir='${datarootdir}/locale'
+mandir='${datarootdir}/man'
+
+ac_prev=
+ac_dashdash=
+for ac_option
+do
+  # If the previous option needs an argument, assign it.
+  if test -n "$ac_prev"; then
+    eval $ac_prev=\$ac_option
+    ac_prev=
+    continue
+  fi
+
+  case $ac_option in
+  *=*)	ac_optarg=`expr "X$ac_option" : '[^=]*=\(.*\)'` ;;
+  *)	ac_optarg=yes ;;
+  esac
+
+  # Accept the important Cygnus configure options, so we can diagnose typos.
+
+  case $ac_dashdash$ac_option in
+  --)
+    ac_dashdash=yes ;;
+
+  -bindir | --bindir | --bindi | --bind | --bin | --bi)
+    ac_prev=bindir ;;
+  -bindir=* | --bindir=* | --bindi=* | --bind=* | --bin=* | --bi=*)
+    bindir=$ac_optarg ;;
+
+  -build | --build | --buil | --bui | --bu)
+    ac_prev=build_alias ;;
+  -build=* | --build=* | --buil=* | --bui=* | --bu=*)
+    build_alias=$ac_optarg ;;
+
+  -cache-file | --cache-file | --cache-fil | --cache-fi \
+  | --cache-f | --cache- | --cache | --cach | --cac | --ca | --c)
+    ac_prev=cache_file ;;
+  -cache-file=* | --cache-file=* | --cache-fil=* | --cache-fi=* \
+  | --cache-f=* | --cache-=* | --cache=* | --cach=* | --cac=* | --ca=* | --c=*)
+    cache_file=$ac_optarg ;;
+
+  --config-cache | -C)
+    cache_file=config.cache ;;
+
+  -datadir | --datadir | --datadi | --datad)
+    ac_prev=datadir ;;
+  -datadir=* | --datadir=* | --datadi=* | --datad=*)
+    datadir=$ac_optarg ;;
+
+  -datarootdir | --datarootdir | --datarootdi | --datarootd | --dataroot \
+  | --dataroo | --dataro | --datar)
+    ac_prev=datarootdir ;;
+  -datarootdir=* | --datarootdir=* | --datarootdi=* | --datarootd=* \
+  | --dataroot=* | --dataroo=* | --dataro=* | --datar=*)
+    datarootdir=$ac_optarg ;;
+
+  -disable-* | --disable-*)
+    ac_feature=`expr "x$ac_option" : 'x-*disable-\(.*\)'`
+    # Reject names that are not valid shell variable names.
+    expr "x$ac_feature" : ".*[^-._$as_cr_alnum]" >/dev/null &&
+      { echo "$as_me: error: invalid feature name: $ac_feature" >&2
+   { (exit 1); exit 1; }; }
+    ac_feature=`echo $ac_feature | sed 's/[-.]/_/g'`
+    eval enable_$ac_feature=no ;;
+
+  -docdir | --docdir | --docdi | --doc | --do)
+    ac_prev=docdir ;;
+  -docdir=* | --docdir=* | --docdi=* | --doc=* | --do=*)
+    docdir=$ac_optarg ;;
+
+  -dvidir | --dvidir | --dvidi | --dvid | --dvi | --dv)
+    ac_prev=dvidir ;;
+  -dvidir=* | --dvidir=* | --dvidi=* | --dvid=* | --dvi=* | --dv=*)
+    dvidir=$ac_optarg ;;
+
+  -enable-* | --enable-*)
+    ac_feature=`expr "x$ac_option" : 'x-*enable-\([^=]*\)'`
+    # Reject names that are not valid shell variable names.
+    expr "x$ac_feature" : ".*[^-._$as_cr_alnum]" >/dev/null &&
+      { echo "$as_me: error: invalid feature name: $ac_feature" >&2
+   { (exit 1); exit 1; }; }
+    ac_feature=`echo $ac_feature | sed 's/[-.]/_/g'`
+    eval enable_$ac_feature=\$ac_optarg ;;
+
+  -exec-prefix | --exec_prefix | --exec-prefix | --exec-prefi \
+  | --exec-pref | --exec-pre | --exec-pr | --exec-p | --exec- \
+  | --exec | --exe | --ex)
+    ac_prev=exec_prefix ;;
+  -exec-prefix=* | --exec_prefix=* | --exec-prefix=* | --exec-prefi=* \
+  | --exec-pref=* | --exec-pre=* | --exec-pr=* | --exec-p=* | --exec-=* \
+  | --exec=* | --exe=* | --ex=*)
+    exec_prefix=$ac_optarg ;;
+
+  -gas | --gas | --ga | --g)
+    # Obsolete; use --with-gas.
+    with_gas=yes ;;
+
+  -help | --help | --hel | --he | -h)
+    ac_init_help=long ;;
+  -help=r* | --help=r* | --hel=r* | --he=r* | -hr*)
+    ac_init_help=recursive ;;
+  -help=s* | --help=s* | --hel=s* | --he=s* | -hs*)
+    ac_init_help=short ;;
+
+  -host | --host | --hos | --ho)
+    ac_prev=host_alias ;;
+  -host=* | --host=* | --hos=* | --ho=*)
+    host_alias=$ac_optarg ;;
+
+  -htmldir | --htmldir | --htmldi | --htmld | --html | --htm | --ht)
+    ac_prev=htmldir ;;
+  -htmldir=* | --htmldir=* | --htmldi=* | --htmld=* | --html=* | --htm=* \
+  | --ht=*)
+    htmldir=$ac_optarg ;;
+
+  -includedir | --includedir | --includedi | --included | --include \
+  | --includ | --inclu | --incl | --inc)
+    ac_prev=includedir ;;
+  -includedir=* | --includedir=* | --includedi=* | --included=* | --include=* \
+  | --includ=* | --inclu=* | --incl=* | --inc=*)
+    includedir=$ac_optarg ;;
+
+  -infodir | --infodir | --infodi | --infod | --info | --inf)
+    ac_prev=infodir ;;
+  -infodir=* | --infodir=* | --infodi=* | --infod=* | --info=* | --inf=*)
+    infodir=$ac_optarg ;;
+
+  -libdir | --libdir | --libdi | --libd)
+    ac_prev=libdir ;;
+  -libdir=* | --libdir=* | --libdi=* | --libd=*)
+    libdir=$ac_optarg ;;
+
+  -libexecdir | --libexecdir | --libexecdi | --libexecd | --libexec \
+  | --libexe | --libex | --libe)
+    ac_prev=libexecdir ;;
+  -libexecdir=* | --libexecdir=* | --libexecdi=* | --libexecd=* | --libexec=* \
+  | --libexe=* | --libex=* | --libe=*)
+    libexecdir=$ac_optarg ;;
+
+  -localedir | --localedir | --localedi | --localed | --locale)
+    ac_prev=localedir ;;
+  -localedir=* | --localedir=* | --localedi=* | --localed=* | --locale=*)
+    localedir=$ac_optarg ;;
+
+  -localstatedir | --localstatedir | --localstatedi | --localstated \
+  | --localstate | --localstat | --localsta | --localst | --locals)
+    ac_prev=localstatedir ;;
+  -localstatedir=* | --localstatedir=* | --localstatedi=* | --localstated=* \
+  | --localstate=* | --localstat=* | --localsta=* | --localst=* | --locals=*)
+    localstatedir=$ac_optarg ;;
+
+  -mandir | --mandir | --mandi | --mand | --man | --ma | --m)
+    ac_prev=mandir ;;
+  -mandir=* | --mandir=* | --mandi=* | --mand=* | --man=* | --ma=* | --m=*)
+    mandir=$ac_optarg ;;
+
+  -nfp | --nfp | --nf)
+    # Obsolete; use --without-fp.
+    with_fp=no ;;
+
+  -no-create | --no-create | --no-creat | --no-crea | --no-cre \
+  | --no-cr | --no-c | -n)
+    no_create=yes ;;
+
+  -no-recursion | --no-recursion | --no-recursio | --no-recursi \
+  | --no-recurs | --no-recur | --no-recu | --no-rec | --no-re | --no-r)
+    no_recursion=yes ;;
+
+  -oldincludedir | --oldincludedir | --oldincludedi | --oldincluded \
+  | --oldinclude | --oldinclud | --oldinclu | --oldincl | --oldinc \
+  | --oldin | --oldi | --old | --ol | --o)
+    ac_prev=oldincludedir ;;
+  -oldincludedir=* | --oldincludedir=* | --oldincludedi=* | --oldincluded=* \
+  | --oldinclude=* | --oldinclud=* | --oldinclu=* | --oldincl=* | --oldinc=* \
+  | --oldin=* | --oldi=* | --old=* | --ol=* | --o=*)
+    oldincludedir=$ac_optarg ;;
+
+  -prefix | --prefix | --prefi | --pref | --pre | --pr | --p)
+    ac_prev=prefix ;;
+  -prefix=* | --prefix=* | --prefi=* | --pref=* | --pre=* | --pr=* | --p=*)
+    prefix=$ac_optarg ;;
+
+  -program-prefix | --program-prefix | --program-prefi | --program-pref \
+  | --program-pre | --program-pr | --program-p)
+    ac_prev=program_prefix ;;
+  -program-prefix=* | --program-prefix=* | --program-prefi=* \
+  | --program-pref=* | --program-pre=* | --program-pr=* | --program-p=*)
+    program_prefix=$ac_optarg ;;
+
+  -program-suffix | --program-suffix | --program-suffi | --program-suff \
+  | --program-suf | --program-su | --program-s)
+    ac_prev=program_suffix ;;
+  -program-suffix=* | --program-suffix=* | --program-suffi=* \
+  | --program-suff=* | --program-suf=* | --program-su=* | --program-s=*)
+    program_suffix=$ac_optarg ;;
+
+  -program-transform-name | --program-transform-name \
+  | --program-transform-nam | --program-transform-na \
+  | --program-transform-n | --program-transform- \
+  | --program-transform | --program-transfor \
+  | --program-transfo | --program-transf \
+  | --program-trans | --program-tran \
+  | --progr-tra | --program-tr | --program-t)
+    ac_prev=program_transform_name ;;
+  -program-transform-name=* | --program-transform-name=* \
+  | --program-transform-nam=* | --program-transform-na=* \
+  | --program-transform-n=* | --program-transform-=* \
+  | --program-transform=* | --program-transfor=* \
+  | --program-transfo=* | --program-transf=* \
+  | --program-trans=* | --program-tran=* \
+  | --progr-tra=* | --program-tr=* | --program-t=*)
+    program_transform_name=$ac_optarg ;;
+
+  -pdfdir | --pdfdir | --pdfdi | --pdfd | --pdf | --pd)
+    ac_prev=pdfdir ;;
+  -pdfdir=* | --pdfdir=* | --pdfdi=* | --pdfd=* | --pdf=* | --pd=*)
+    pdfdir=$ac_optarg ;;
+
+  -psdir | --psdir | --psdi | --psd | --ps)
+    ac_prev=psdir ;;
+  -psdir=* | --psdir=* | --psdi=* | --psd=* | --ps=*)
+    psdir=$ac_optarg ;;
+
+  -q | -quiet | --quiet | --quie | --qui | --qu | --q \
+  | -silent | --silent | --silen | --sile | --sil)
+    silent=yes ;;
+
+  -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb)
+    ac_prev=sbindir ;;
+  -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \
+  | --sbi=* | --sb=*)
+    sbindir=$ac_optarg ;;
+
+  -sharedstatedir | --sharedstatedir | --sharedstatedi \
+  | --sharedstated | --sharedstate | --sharedstat | --sharedsta \
+  | --sharedst | --shareds | --shared | --share | --shar \
+  | --sha | --sh)
+    ac_prev=sharedstatedir ;;
+  -sharedstatedir=* | --sharedstatedir=* | --sharedstatedi=* \
+  | --sharedstated=* | --sharedstate=* | --sharedstat=* | --sharedsta=* \
+  | --sharedst=* | --shareds=* | --shared=* | --share=* | --shar=* \
+  | --sha=* | --sh=*)
+    sharedstatedir=$ac_optarg ;;
+
+  -site | --site | --sit)
+    ac_prev=site ;;
+  -site=* | --site=* | --sit=*)
+    site=$ac_optarg ;;
+
+  -srcdir | --srcdir | --srcdi | --srcd | --src | --sr)
+    ac_prev=srcdir ;;
+  -srcdir=* | --srcdir=* | --srcdi=* | --srcd=* | --src=* | --sr=*)
+    srcdir=$ac_optarg ;;
+
+  -sysconfdir | --sysconfdir | --sysconfdi | --sysconfd | --sysconf \
+  | --syscon | --sysco | --sysc | --sys | --sy)
+    ac_prev=sysconfdir ;;
+  -sysconfdir=* | --sysconfdir=* | --sysconfdi=* | --sysconfd=* | --sysconf=* \
+  | --syscon=* | --sysco=* | --sysc=* | --sys=* | --sy=*)
+    sysconfdir=$ac_optarg ;;
+
+  -target | --target | --targe | --targ | --tar | --ta | --t)
+    ac_prev=target_alias ;;
+  -target=* | --target=* | --targe=* | --targ=* | --tar=* | --ta=* | --t=*)
+    target_alias=$ac_optarg ;;
+
+  -v | -verbose | --verbose | --verbos | --verbo | --verb)
+    verbose=yes ;;
+
+  -version | --version | --versio | --versi | --vers | -V)
+    ac_init_version=: ;;
+
+  -with-* | --with-*)
+    ac_package=`expr "x$ac_option" : 'x-*with-\([^=]*\)'`
+    # Reject names that are not valid shell variable names.
+    expr "x$ac_package" : ".*[^-._$as_cr_alnum]" >/dev/null &&
+      { echo "$as_me: error: invalid package name: $ac_package" >&2
+   { (exit 1); exit 1; }; }
+    ac_package=`echo $ac_package | sed 's/[-.]/_/g'`
+    eval with_$ac_package=\$ac_optarg ;;
+
+  -without-* | --without-*)
+    ac_package=`expr "x$ac_option" : 'x-*without-\(.*\)'`
+    # Reject names that are not valid shell variable names.
+    expr "x$ac_package" : ".*[^-._$as_cr_alnum]" >/dev/null &&
+      { echo "$as_me: error: invalid package name: $ac_package" >&2
+   { (exit 1); exit 1; }; }
+    ac_package=`echo $ac_package | sed 's/[-.]/_/g'`
+    eval with_$ac_package=no ;;
+
+  --x)
+    # Obsolete; use --with-x.
+    with_x=yes ;;
+
+  -x-includes | --x-includes | --x-include | --x-includ | --x-inclu \
+  | --x-incl | --x-inc | --x-in | --x-i)
+    ac_prev=x_includes ;;
+  -x-includes=* | --x-includes=* | --x-include=* | --x-includ=* | --x-inclu=* \
+  | --x-incl=* | --x-inc=* | --x-in=* | --x-i=*)
+    x_includes=$ac_optarg ;;
+
+  -x-libraries | --x-libraries | --x-librarie | --x-librari \
+  | --x-librar | --x-libra | --x-libr | --x-lib | --x-li | --x-l)
+    ac_prev=x_libraries ;;
+  -x-libraries=* | --x-libraries=* | --x-librarie=* | --x-librari=* \
+  | --x-librar=* | --x-libra=* | --x-libr=* | --x-lib=* | --x-li=* | --x-l=*)
+    x_libraries=$ac_optarg ;;
+
+  -*) { echo "$as_me: error: unrecognized option: $ac_option
+Try \`$0 --help' for more information." >&2
+   { (exit 1); exit 1; }; }
+    ;;
+
+  *=*)
+    ac_envvar=`expr "x$ac_option" : 'x\([^=]*\)='`
+    # Reject names that are not valid shell variable names.
+    expr "x$ac_envvar" : ".*[^_$as_cr_alnum]" >/dev/null &&
+      { echo "$as_me: error: invalid variable name: $ac_envvar" >&2
+   { (exit 1); exit 1; }; }
+    eval $ac_envvar=\$ac_optarg
+    export $ac_envvar ;;
+
+  *)
+    # FIXME: should be removed in autoconf 3.0.
+    echo "$as_me: WARNING: you should use --build, --host, --target" >&2
+    expr "x$ac_option" : ".*[^-._$as_cr_alnum]" >/dev/null &&
+      echo "$as_me: WARNING: invalid host type: $ac_option" >&2
+    : ${build_alias=$ac_option} ${host_alias=$ac_option} ${target_alias=$ac_option}
+    ;;
+
+  esac
+done
+
+if test -n "$ac_prev"; then
+  ac_option=--`echo $ac_prev | sed 's/_/-/g'`
+  { echo "$as_me: error: missing argument to $ac_option" >&2
+   { (exit 1); exit 1; }; }
+fi
+
+# Be sure to have absolute directory names.
+for ac_var in	exec_prefix prefix bindir sbindir libexecdir datarootdir \
+		datadir sysconfdir sharedstatedir localstatedir includedir \
+		oldincludedir docdir infodir htmldir dvidir pdfdir psdir \
+		libdir localedir mandir
+do
+  eval ac_val=\$$ac_var
+  case $ac_val in
+    [\\/$]* | ?:[\\/]* )  continue;;
+    NONE | '' ) case $ac_var in *prefix ) continue;; esac;;
+  esac
+  { echo "$as_me: error: expected an absolute directory name for --$ac_var: $ac_val" >&2
+   { (exit 1); exit 1; }; }
+done
+
+# There might be people who depend on the old broken behavior: `$host'
+# used to hold the argument of --host etc.
+# FIXME: To remove some day.
+build=$build_alias
+host=$host_alias
+target=$target_alias
+
+# FIXME: To remove some day.
+if test "x$host_alias" != x; then
+  if test "x$build_alias" = x; then
+    cross_compiling=maybe
+    echo "$as_me: WARNING: If you wanted to set the --build type, don't use --host.
+    If a cross compiler is detected then cross compile mode will be used." >&2
+  elif test "x$build_alias" != "x$host_alias"; then
+    cross_compiling=yes
+  fi
+fi
+
+ac_tool_prefix=
+test -n "$host_alias" && ac_tool_prefix=$host_alias-
+
+test "$silent" = yes && exec 6>/dev/null
+
+
+ac_pwd=`pwd` && test -n "$ac_pwd" &&
+ac_ls_di=`ls -di .` &&
+ac_pwd_ls_di=`cd "$ac_pwd" && ls -di .` ||
+  { echo "$as_me: error: Working directory cannot be determined" >&2
+   { (exit 1); exit 1; }; }
+test "X$ac_ls_di" = "X$ac_pwd_ls_di" ||
+  { echo "$as_me: error: pwd does not report name of working directory" >&2
+   { (exit 1); exit 1; }; }
+
+
+# Find the source files, if location was not specified.
+if test -z "$srcdir"; then
+  ac_srcdir_defaulted=yes
+  # Try the directory containing this script, then the parent directory.
+  ac_confdir=`$as_dirname -- "$0" ||
+$as_expr X"$0" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
+	 X"$0" : 'X\(//\)[^/]' \| \
+	 X"$0" : 'X\(//\)$' \| \
+	 X"$0" : 'X\(/\)' \| . 2>/dev/null ||
+echo X"$0" |
+    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
+	    s//\1/
+	    q
+	  }
+	  /^X\(\/\/\)[^/].*/{
+	    s//\1/
+	    q
+	  }
+	  /^X\(\/\/\)$/{
+	    s//\1/
+	    q
+	  }
+	  /^X\(\/\).*/{
+	    s//\1/
+	    q
+	  }
+	  s/.*/./; q'`
+  srcdir=$ac_confdir
+  if test ! -r "$srcdir/$ac_unique_file"; then
+    srcdir=..
+  fi
+else
+  ac_srcdir_defaulted=no
+fi
+if test ! -r "$srcdir/$ac_unique_file"; then
+  test "$ac_srcdir_defaulted" = yes && srcdir="$ac_confdir or .."
+  { echo "$as_me: error: cannot find sources ($ac_unique_file) in $srcdir" >&2
+   { (exit 1); exit 1; }; }
+fi
+ac_msg="sources are in $srcdir, but \`cd $srcdir' does not work"
+ac_abs_confdir=`(
+	cd "$srcdir" && test -r "./$ac_unique_file" || { echo "$as_me: error: $ac_msg" >&2
+   { (exit 1); exit 1; }; }
+	pwd)`
+# When building in place, set srcdir=.
+if test "$ac_abs_confdir" = "$ac_pwd"; then
+  srcdir=.
+fi
+# Remove unnecessary trailing slashes from srcdir.
+# Double slashes in file names in object file debugging info
+# mess up M-x gdb in Emacs.
+case $srcdir in
+*/) srcdir=`expr "X$srcdir" : 'X\(.*[^/]\)' \| "X$srcdir" : 'X\(.*\)'`;;
+esac
+for ac_var in $ac_precious_vars; do
+  eval ac_env_${ac_var}_set=\${${ac_var}+set}
+  eval ac_env_${ac_var}_value=\$${ac_var}
+  eval ac_cv_env_${ac_var}_set=\${${ac_var}+set}
+  eval ac_cv_env_${ac_var}_value=\$${ac_var}
+done
+
+#
+# Report the --help message.
+#
+if test "$ac_init_help" = "long"; then
+  # Omit some internal or obsolete options to make the list less imposing.
+  # This message is too long to be a string in the A/UX 3.1 sh.
+  cat <<_ACEOF
+\`configure' configures NetworkManager-strongswan 4.2.6 to adapt to many kinds of systems.
+
+Usage: $0 [OPTION]... [VAR=VALUE]...
+
+To assign environment variables (e.g., CC, CFLAGS...), specify them as
+VAR=VALUE.  See below for descriptions of some of the useful variables.
+
+Defaults for the options are specified in brackets.
+
+Configuration:
+  -h, --help              display this help and exit
+      --help=short        display options specific to this package
+      --help=recursive    display the short help of all the included packages
+  -V, --version           display version information and exit
+  -q, --quiet, --silent   do not print \`checking...' messages
+      --cache-file=FILE   cache test results in FILE [disabled]
+  -C, --config-cache      alias for \`--cache-file=config.cache'
+  -n, --no-create         do not create output files
+      --srcdir=DIR        find the sources in DIR [configure dir or \`..']
+
+Installation directories:
+  --prefix=PREFIX         install architecture-independent files in PREFIX
+			  [$ac_default_prefix]
+  --exec-prefix=EPREFIX   install architecture-dependent files in EPREFIX
+			  [PREFIX]
+
+By default, \`make install' will install all the files in
+\`$ac_default_prefix/bin', \`$ac_default_prefix/lib' etc.  You can specify
+an installation prefix other than \`$ac_default_prefix' using \`--prefix',
+for instance \`--prefix=\$HOME'.
+
+For better control, use the options below.
+
+Fine tuning of the installation directories:
+  --bindir=DIR           user executables [EPREFIX/bin]
+  --sbindir=DIR          system admin executables [EPREFIX/sbin]
+  --libexecdir=DIR       program executables [EPREFIX/libexec]
+  --sysconfdir=DIR       read-only single-machine data [PREFIX/etc]
+  --sharedstatedir=DIR   modifiable architecture-independent data [PREFIX/com]
+  --localstatedir=DIR    modifiable single-machine data [PREFIX/var]
+  --libdir=DIR           object code libraries [EPREFIX/lib]
+  --includedir=DIR       C header files [PREFIX/include]
+  --oldincludedir=DIR    C header files for non-gcc [/usr/include]
+  --datarootdir=DIR      read-only arch.-independent data root [PREFIX/share]
+  --datadir=DIR          read-only architecture-independent data [DATAROOTDIR]
+  --infodir=DIR          info documentation [DATAROOTDIR/info]
+  --localedir=DIR        locale-dependent data [DATAROOTDIR/locale]
+  --mandir=DIR           man documentation [DATAROOTDIR/man]
+  --docdir=DIR           documentation root [DATAROOTDIR/doc/NetworkManager-strongswan]
+  --htmldir=DIR          html documentation [DOCDIR]
+  --dvidir=DIR           dvi documentation [DOCDIR]
+  --pdfdir=DIR           pdf documentation [DOCDIR]
+  --psdir=DIR            ps documentation [DOCDIR]
+_ACEOF
+
+  cat <<\_ACEOF
+
+Program names:
+  --program-prefix=PREFIX            prepend PREFIX to installed program names
+  --program-suffix=SUFFIX            append SUFFIX to installed program names
+  --program-transform-name=PROGRAM   run sed PROGRAM on installed program names
+
+System types:
+  --build=BUILD     configure for building on BUILD [guessed]
+  --host=HOST       cross-compile to build programs to run on HOST [BUILD]
+_ACEOF
+fi
+
+if test -n "$ac_init_help"; then
+  case $ac_init_help in
+     short | recursive ) echo "Configuration of NetworkManager-strongswan 4.2.6:";;
+   esac
+  cat <<\_ACEOF
+
+Optional Features:
+  --disable-FEATURE       do not include FEATURE (same as --enable-FEATURE=no)
+  --enable-FEATURE[=ARG]  include FEATURE [ARG=yes]
+  --enable-maintainer-mode  enable make rules and dependencies not useful
+			  (and sometimes confusing) to the casual installer
+  --disable-dependency-tracking  speeds up one-time build
+  --enable-dependency-tracking   do not reject slow dependency extractors
+  --enable-shared[=PKGS]  build shared libraries [default=yes]
+  --enable-static[=PKGS]  build static libraries [default=yes]
+  --enable-fast-install[=PKGS]
+                          optimize for fast installation [default=yes]
+  --disable-libtool-lock  avoid locking (might break parallel builds)
+  --enable-more-warnings  Maximum compiler warnings
+
+Optional Packages:
+  --with-PACKAGE[=ARG]    use PACKAGE [ARG=yes]
+  --without-PACKAGE       do not use PACKAGE (same as --with-PACKAGE=no)
+  --with-gnu-ld           assume the C compiler uses GNU ld [default=no]
+  --with-pic              try to use only PIC/non-PIC objects [default=use
+                          both]
+  --with-tags[=TAGS]      include additional configurations [automatic]
+  --with-charon=file      path to the strongSwan IKEv2 daemon charon"
+
+Some influential environment variables:
+  CC          C compiler command
+  CFLAGS      C compiler flags
+  LDFLAGS     linker flags, e.g. -L<lib dir> if you have libraries in a
+              nonstandard directory <lib dir>
+  LIBS        libraries to pass to the linker, e.g. -l<library>
+  CPPFLAGS    C/C++/Objective C preprocessor flags, e.g. -I<include dir> if
+              you have headers in a nonstandard directory <include dir>
+  CPP         C preprocessor
+  CXX         C++ compiler command
+  CXXFLAGS    C++ compiler flags
+  CXXCPP      C++ preprocessor
+  F77         Fortran 77 compiler command
+  FFLAGS      Fortran 77 compiler flags
+  PKG_CONFIG  path to pkg-config utility
+  GTHREAD_CFLAGS
+              C compiler flags for GTHREAD, overriding pkg-config
+  GTHREAD_LIBS
+              linker flags for GTHREAD, overriding pkg-config
+  DBUS_CFLAGS C compiler flags for DBUS, overriding pkg-config
+  DBUS_LIBS   linker flags for DBUS, overriding pkg-config
+  GTK_CFLAGS  C compiler flags for GTK, overriding pkg-config
+  GTK_LIBS    linker flags for GTK, overriding pkg-config
+  GDK_PIXBUF_CFLAGS
+              C compiler flags for GDK_PIXBUF, overriding pkg-config
+  GDK_PIXBUF_LIBS
+              linker flags for GDK_PIXBUF, overriding pkg-config
+  GLADE_CFLAGS
+              C compiler flags for GLADE, overriding pkg-config
+  GLADE_LIBS  linker flags for GLADE, overriding pkg-config
+  LIBGNOMEUI_CFLAGS
+              C compiler flags for LIBGNOMEUI, overriding pkg-config
+  LIBGNOMEUI_LIBS
+              linker flags for LIBGNOMEUI, overriding pkg-config
+  GCONF_CFLAGS
+              C compiler flags for GCONF, overriding pkg-config
+  GCONF_LIBS  linker flags for GCONF, overriding pkg-config
+  GNOMEKEYRING_CFLAGS
+              C compiler flags for GNOMEKEYRING, overriding pkg-config
+  GNOMEKEYRING_LIBS
+              linker flags for GNOMEKEYRING, overriding pkg-config
+  NM_UTILS_CFLAGS
+              C compiler flags for NM_UTILS, overriding pkg-config
+  NM_UTILS_LIBS
+              linker flags for NM_UTILS, overriding pkg-config
+
+Use these variables to override the choices made by `configure' or to help
+it to find libraries and programs with nonstandard names/locations.
+
+Report bugs to <martin@strongswan.org>.
+_ACEOF
+ac_status=$?
+fi
+
+if test "$ac_init_help" = "recursive"; then
+  # If there are subdirs, report their specific --help.
+  for ac_dir in : $ac_subdirs_all; do test "x$ac_dir" = x: && continue
+    test -d "$ac_dir" || continue
+    ac_builddir=.
+
+case "$ac_dir" in
+.) ac_dir_suffix= ac_top_builddir_sub=. ac_top_build_prefix= ;;
+*)
+  ac_dir_suffix=/`echo "$ac_dir" | sed 's,^\.[\\/],,'`
+  # A ".." for each directory in $ac_dir_suffix.
+  ac_top_builddir_sub=`echo "$ac_dir_suffix" | sed 's,/[^\\/]*,/..,g;s,/,,'`
+  case $ac_top_builddir_sub in
+  "") ac_top_builddir_sub=. ac_top_build_prefix= ;;
+  *)  ac_top_build_prefix=$ac_top_builddir_sub/ ;;
+  esac ;;
+esac
+ac_abs_top_builddir=$ac_pwd
+ac_abs_builddir=$ac_pwd$ac_dir_suffix
+# for backward compatibility:
+ac_top_builddir=$ac_top_build_prefix
+
+case $srcdir in
+  .)  # We are building in place.
+    ac_srcdir=.
+    ac_top_srcdir=$ac_top_builddir_sub
+    ac_abs_top_srcdir=$ac_pwd ;;
+  [\\/]* | ?:[\\/]* )  # Absolute name.
+    ac_srcdir=$srcdir$ac_dir_suffix;
+    ac_top_srcdir=$srcdir
+    ac_abs_top_srcdir=$srcdir ;;
+  *) # Relative name.
+    ac_srcdir=$ac_top_build_prefix$srcdir$ac_dir_suffix
+    ac_top_srcdir=$ac_top_build_prefix$srcdir
+    ac_abs_top_srcdir=$ac_pwd/$srcdir ;;
+esac
+ac_abs_srcdir=$ac_abs_top_srcdir$ac_dir_suffix
+
+    cd "$ac_dir" || { ac_status=$?; continue; }
+    # Check for guested configure.
+    if test -f "$ac_srcdir/configure.gnu"; then
+      echo &&
+      $SHELL "$ac_srcdir/configure.gnu" --help=recursive
+    elif test -f "$ac_srcdir/configure"; then
+      echo &&
+      $SHELL "$ac_srcdir/configure" --help=recursive
+    else
+      echo "$as_me: WARNING: no configuration information is in $ac_dir" >&2
+    fi || ac_status=$?
+    cd "$ac_pwd" || { ac_status=$?; break; }
+  done
+fi
+
+test -n "$ac_init_help" && exit $ac_status
+if $ac_init_version; then
+  cat <<\_ACEOF
+NetworkManager-strongswan configure 4.2.6
+generated by GNU Autoconf 2.61
+
+Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
+2002, 2003, 2004, 2005, 2006 Free Software Foundation, Inc.
+This configure script is free software; the Free Software Foundation
+gives unlimited permission to copy, distribute and modify it.
+_ACEOF
+  exit
+fi
+cat >config.log <<_ACEOF
+This file contains any messages produced by compilers while
+running configure, to aid debugging if configure makes a mistake.
+
+It was created by NetworkManager-strongswan $as_me 4.2.6, which was
+generated by GNU Autoconf 2.61.  Invocation command line was
+
+  $ $0 $@
+
+_ACEOF
+exec 5>>config.log
+{
+cat <<_ASUNAME
+## --------- ##
+## Platform. ##
+## --------- ##
+
+hostname = `(hostname || uname -n) 2>/dev/null | sed 1q`
+uname -m = `(uname -m) 2>/dev/null || echo unknown`
+uname -r = `(uname -r) 2>/dev/null || echo unknown`
+uname -s = `(uname -s) 2>/dev/null || echo unknown`
+uname -v = `(uname -v) 2>/dev/null || echo unknown`
+
+/usr/bin/uname -p = `(/usr/bin/uname -p) 2>/dev/null || echo unknown`
+/bin/uname -X     = `(/bin/uname -X) 2>/dev/null     || echo unknown`
+
+/bin/arch              = `(/bin/arch) 2>/dev/null              || echo unknown`
+/usr/bin/arch -k       = `(/usr/bin/arch -k) 2>/dev/null       || echo unknown`
+/usr/convex/getsysinfo = `(/usr/convex/getsysinfo) 2>/dev/null || echo unknown`
+/usr/bin/hostinfo      = `(/usr/bin/hostinfo) 2>/dev/null      || echo unknown`
+/bin/machine           = `(/bin/machine) 2>/dev/null           || echo unknown`
+/usr/bin/oslevel       = `(/usr/bin/oslevel) 2>/dev/null       || echo unknown`
+/bin/universe          = `(/bin/universe) 2>/dev/null          || echo unknown`
+
+_ASUNAME
+
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+  echo "PATH: $as_dir"
+done
+IFS=$as_save_IFS
+
+} >&5
+
+cat >&5 <<_ACEOF
+
+
+## ----------- ##
+## Core tests. ##
+## ----------- ##
+
+_ACEOF
+
+
+# Keep a trace of the command line.
+# Strip out --no-create and --no-recursion so they do not pile up.
+# Strip out --silent because we don't want to record it for future runs.
+# Also quote any args containing shell meta-characters.
+# Make two passes to allow for proper duplicate-argument suppression.
+ac_configure_args=
+ac_configure_args0=
+ac_configure_args1=
+ac_must_keep_next=false
+for ac_pass in 1 2
+do
+  for ac_arg
+  do
+    case $ac_arg in
+    -no-create | --no-c* | -n | -no-recursion | --no-r*) continue ;;
+    -q | -quiet | --quiet | --quie | --qui | --qu | --q \
+    | -silent | --silent | --silen | --sile | --sil)
+      continue ;;
+    *\'*)
+      ac_arg=`echo "$ac_arg" | sed "s/'/'\\\\\\\\''/g"` ;;
+    esac
+    case $ac_pass in
+    1) ac_configure_args0="$ac_configure_args0 '$ac_arg'" ;;
+    2)
+      ac_configure_args1="$ac_configure_args1 '$ac_arg'"
+      if test $ac_must_keep_next = true; then
+	ac_must_keep_next=false # Got value, back to normal.
+      else
+	case $ac_arg in
+	  *=* | --config-cache | -C | -disable-* | --disable-* \
+	  | -enable-* | --enable-* | -gas | --g* | -nfp | --nf* \
+	  | -q | -quiet | --q* | -silent | --sil* | -v | -verb* \
+	  | -with-* | --with-* | -without-* | --without-* | --x)
+	    case "$ac_configure_args0 " in
+	      "$ac_configure_args1"*" '$ac_arg' "* ) continue ;;
+	    esac
+	    ;;
+	  -* ) ac_must_keep_next=true ;;
+	esac
+      fi
+      ac_configure_args="$ac_configure_args '$ac_arg'"
+      ;;
+    esac
+  done
+done
+$as_unset ac_configure_args0 || test "${ac_configure_args0+set}" != set || { ac_configure_args0=; export ac_configure_args0; }
+$as_unset ac_configure_args1 || test "${ac_configure_args1+set}" != set || { ac_configure_args1=; export ac_configure_args1; }
+
+# When interrupted or exit'd, cleanup temporary files, and complete
+# config.log.  We remove comments because anyway the quotes in there
+# would cause problems or look ugly.
+# WARNING: Use '\'' to represent an apostrophe within the trap.
+# WARNING: Do not start the trap code with a newline, due to a FreeBSD 4.0 bug.
+trap 'exit_status=$?
+  # Save into config.log some information that might help in debugging.
+  {
+    echo
+
+    cat <<\_ASBOX
+## ---------------- ##
+## Cache variables. ##
+## ---------------- ##
+_ASBOX
+    echo
+    # The following way of writing the cache mishandles newlines in values,
+(
+  for ac_var in `(set) 2>&1 | sed -n '\''s/^\([a-zA-Z_][a-zA-Z0-9_]*\)=.*/\1/p'\''`; do
+    eval ac_val=\$$ac_var
+    case $ac_val in #(
+    *${as_nl}*)
+      case $ac_var in #(
+      *_cv_*) { echo "$as_me:$LINENO: WARNING: Cache variable $ac_var contains a newline." >&5
+echo "$as_me: WARNING: Cache variable $ac_var contains a newline." >&2;} ;;
+      esac
+      case $ac_var in #(
+      _ | IFS | as_nl) ;; #(
+      *) $as_unset $ac_var ;;
+      esac ;;
+    esac
+  done
+  (set) 2>&1 |
+    case $as_nl`(ac_space='\'' '\''; set) 2>&1` in #(
+    *${as_nl}ac_space=\ *)
+      sed -n \
+	"s/'\''/'\''\\\\'\'''\''/g;
+	  s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1='\''\\2'\''/p"
+      ;; #(
+    *)
+      sed -n "/^[_$as_cr_alnum]*_cv_[_$as_cr_alnum]*=/p"
+      ;;
+    esac |
+    sort
+)
+    echo
+
+    cat <<\_ASBOX
+## ----------------- ##
+## Output variables. ##
+## ----------------- ##
+_ASBOX
+    echo
+    for ac_var in $ac_subst_vars
+    do
+      eval ac_val=\$$ac_var
+      case $ac_val in
+      *\'\''*) ac_val=`echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;;
+      esac
+      echo "$ac_var='\''$ac_val'\''"
+    done | sort
+    echo
+
+    if test -n "$ac_subst_files"; then
+      cat <<\_ASBOX
+## ------------------- ##
+## File substitutions. ##
+## ------------------- ##
+_ASBOX
+      echo
+      for ac_var in $ac_subst_files
+      do
+	eval ac_val=\$$ac_var
+	case $ac_val in
+	*\'\''*) ac_val=`echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;;
+	esac
+	echo "$ac_var='\''$ac_val'\''"
+      done | sort
+      echo
+    fi
+
+    if test -s confdefs.h; then
+      cat <<\_ASBOX
+## ----------- ##
+## confdefs.h. ##
+## ----------- ##
+_ASBOX
+      echo
+      cat confdefs.h
+      echo
+    fi
+    test "$ac_signal" != 0 &&
+      echo "$as_me: caught signal $ac_signal"
+    echo "$as_me: exit $exit_status"
+  } >&5
+  rm -f core *.core core.conftest.* &&
+    rm -f -r conftest* confdefs* conf$$* $ac_clean_files &&
+    exit $exit_status
+' 0
+for ac_signal in 1 2 13 15; do
+  trap 'ac_signal='$ac_signal'; { (exit 1); exit 1; }' $ac_signal
+done
+ac_signal=0
+
+# confdefs.h avoids OS command line length limits that DEFS can exceed.
+rm -f -r conftest* confdefs.h
+
+# Predefined preprocessor variables.
+
+cat >>confdefs.h <<_ACEOF
+#define PACKAGE_NAME "$PACKAGE_NAME"
+_ACEOF
+
+
+cat >>confdefs.h <<_ACEOF
+#define PACKAGE_TARNAME "$PACKAGE_TARNAME"
+_ACEOF
+
+
+cat >>confdefs.h <<_ACEOF
+#define PACKAGE_VERSION "$PACKAGE_VERSION"
+_ACEOF
+
+
+cat >>confdefs.h <<_ACEOF
+#define PACKAGE_STRING "$PACKAGE_STRING"
+_ACEOF
+
+
+cat >>confdefs.h <<_ACEOF
+#define PACKAGE_BUGREPORT "$PACKAGE_BUGREPORT"
+_ACEOF
+
+
+# Let the site file select an alternate cache file if it wants to.
+# Prefer explicitly selected file to automatically selected ones.
+if test -n "$CONFIG_SITE"; then
+  set x "$CONFIG_SITE"
+elif test "x$prefix" != xNONE; then
+  set x "$prefix/share/config.site" "$prefix/etc/config.site"
+else
+  set x "$ac_default_prefix/share/config.site" \
+	"$ac_default_prefix/etc/config.site"
+fi
+shift
+for ac_site_file
+do
+  if test -r "$ac_site_file"; then
+    { echo "$as_me:$LINENO: loading site script $ac_site_file" >&5
+echo "$as_me: loading site script $ac_site_file" >&6;}
+    sed 's/^/| /' "$ac_site_file" >&5
+    . "$ac_site_file"
+  fi
+done
+
+if test -r "$cache_file"; then
+  # Some versions of bash will fail to source /dev/null (special
+  # files actually), so we avoid doing that.
+  if test -f "$cache_file"; then
+    { echo "$as_me:$LINENO: loading cache $cache_file" >&5
+echo "$as_me: loading cache $cache_file" >&6;}
+    case $cache_file in
+      [\\/]* | ?:[\\/]* ) . "$cache_file";;
+      *)                      . "./$cache_file";;
+    esac
+  fi
+else
+  { echo "$as_me:$LINENO: creating cache $cache_file" >&5
+echo "$as_me: creating cache $cache_file" >&6;}
+  >$cache_file
+fi
+
+# Check that the precious variables saved in the cache have kept the same
+# value.
+ac_cache_corrupted=false
+for ac_var in $ac_precious_vars; do
+  eval ac_old_set=\$ac_cv_env_${ac_var}_set
+  eval ac_new_set=\$ac_env_${ac_var}_set
+  eval ac_old_val=\$ac_cv_env_${ac_var}_value
+  eval ac_new_val=\$ac_env_${ac_var}_value
+  case $ac_old_set,$ac_new_set in
+    set,)
+      { echo "$as_me:$LINENO: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&5
+echo "$as_me: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&2;}
+      ac_cache_corrupted=: ;;
+    ,set)
+      { echo "$as_me:$LINENO: error: \`$ac_var' was not set in the previous run" >&5
+echo "$as_me: error: \`$ac_var' was not set in the previous run" >&2;}
+      ac_cache_corrupted=: ;;
+    ,);;
+    *)
+      if test "x$ac_old_val" != "x$ac_new_val"; then
+	{ echo "$as_me:$LINENO: error: \`$ac_var' has changed since the previous run:" >&5
+echo "$as_me: error: \`$ac_var' has changed since the previous run:" >&2;}
+	{ echo "$as_me:$LINENO:   former value:  $ac_old_val" >&5
+echo "$as_me:   former value:  $ac_old_val" >&2;}
+	{ echo "$as_me:$LINENO:   current value: $ac_new_val" >&5
+echo "$as_me:   current value: $ac_new_val" >&2;}
+	ac_cache_corrupted=:
+      fi;;
+  esac
+  # Pass precious variables to config.status.
+  if test "$ac_new_set" = set; then
+    case $ac_new_val in
+    *\'*) ac_arg=$ac_var=`echo "$ac_new_val" | sed "s/'/'\\\\\\\\''/g"` ;;
+    *) ac_arg=$ac_var=$ac_new_val ;;
+    esac
+    case " $ac_configure_args " in
+      *" '$ac_arg' "*) ;; # Avoid dups.  Use of quotes ensures accuracy.
+      *) ac_configure_args="$ac_configure_args '$ac_arg'" ;;
+    esac
+  fi
+done
+if $ac_cache_corrupted; then
+  { echo "$as_me:$LINENO: error: changes in the environment can compromise the build" >&5
+echo "$as_me: error: changes in the environment can compromise the build" >&2;}
+  { { echo "$as_me:$LINENO: error: run \`make distclean' and/or \`rm $cache_file' and start over" >&5
+echo "$as_me: error: run \`make distclean' and/or \`rm $cache_file' and start over" >&2;}
+   { (exit 1); exit 1; }; }
+fi
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+
+
+ac_aux_dir=
+for ac_dir in . "$srcdir"/.; do
+  if test -f "$ac_dir/install-sh"; then
+    ac_aux_dir=$ac_dir
+    ac_install_sh="$ac_aux_dir/install-sh -c"
+    break
+  elif test -f "$ac_dir/install.sh"; then
+    ac_aux_dir=$ac_dir
+    ac_install_sh="$ac_aux_dir/install.sh -c"
+    break
+  elif test -f "$ac_dir/shtool"; then
+    ac_aux_dir=$ac_dir
+    ac_install_sh="$ac_aux_dir/shtool install -c"
+    break
+  fi
+done
+if test -z "$ac_aux_dir"; then
+  { { echo "$as_me:$LINENO: error: cannot find install-sh or install.sh in . \"$srcdir\"/." >&5
+echo "$as_me: error: cannot find install-sh or install.sh in . \"$srcdir\"/." >&2;}
+   { (exit 1); exit 1; }; }
+fi
+
+# These three variables are undocumented and unsupported,
+# and are intended to be withdrawn in a future Autoconf release.
+# They can cause serious problems if a builder's source tree is in a directory
+# whose full name contains unusual characters.
+ac_config_guess="$SHELL $ac_aux_dir/config.guess"  # Please don't use this var.
+ac_config_sub="$SHELL $ac_aux_dir/config.sub"  # Please don't use this var.
+ac_configure="$SHELL $ac_aux_dir/configure"  # Please don't use this var.
+
+
+am__api_version='1.10'
+
+# Find a good install program.  We prefer a C program (faster),
+# so one script is as good as another.  But avoid the broken or
+# incompatible versions:
+# SysV /etc/install, /usr/sbin/install
+# SunOS /usr/etc/install
+# IRIX /sbin/install
+# AIX /bin/install
+# AmigaOS /C/install, which installs bootblocks on floppy discs
+# AIX 4 /usr/bin/installbsd, which doesn't work without a -g flag
+# AFS /usr/afsws/bin/install, which mishandles nonexistent args
+# SVR4 /usr/ucb/install, which tries to use the nonexistent group "staff"
+# OS/2's system install, which has a completely different semantic
+# ./install, which can be erroneously created by make from ./install.sh.
+{ echo "$as_me:$LINENO: checking for a BSD-compatible install" >&5
+echo $ECHO_N "checking for a BSD-compatible install... $ECHO_C" >&6; }
+if test -z "$INSTALL"; then
+if test "${ac_cv_path_install+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+  # Account for people who put trailing slashes in PATH elements.
+case $as_dir/ in
+  ./ | .// | /cC/* | \
+  /etc/* | /usr/sbin/* | /usr/etc/* | /sbin/* | /usr/afsws/bin/* | \
+  ?:\\/os2\\/install\\/* | ?:\\/OS2\\/INSTALL\\/* | \
+  /usr/ucb/* ) ;;
+  *)
+    # OSF1 and SCO ODT 3.0 have their own names for install.
+    # Don't use installbsd from OSF since it installs stuff as root
+    # by default.
+    for ac_prog in ginstall scoinst install; do
+      for ac_exec_ext in '' $ac_executable_extensions; do
+	if { test -f "$as_dir/$ac_prog$ac_exec_ext" && $as_test_x "$as_dir/$ac_prog$ac_exec_ext"; }; then
+	  if test $ac_prog = install &&
+	    grep dspmsg "$as_dir/$ac_prog$ac_exec_ext" >/dev/null 2>&1; then
+	    # AIX install.  It has an incompatible calling convention.
+	    :
+	  elif test $ac_prog = install &&
+	    grep pwplus "$as_dir/$ac_prog$ac_exec_ext" >/dev/null 2>&1; then
+	    # program-specific install script used by HP pwplus--don't use.
+	    :
+	  else
+	    ac_cv_path_install="$as_dir/$ac_prog$ac_exec_ext -c"
+	    break 3
+	  fi
+	fi
+      done
+    done
+    ;;
+esac
+done
+IFS=$as_save_IFS
+
+
+fi
+  if test "${ac_cv_path_install+set}" = set; then
+    INSTALL=$ac_cv_path_install
+  else
+    # As a last resort, use the slow shell script.  Don't cache a
+    # value for INSTALL within a source directory, because that will
+    # break other packages using the cache if that directory is
+    # removed, or if the value is a relative name.
+    INSTALL=$ac_install_sh
+  fi
+fi
+{ echo "$as_me:$LINENO: result: $INSTALL" >&5
+echo "${ECHO_T}$INSTALL" >&6; }
+
+# Use test -z because SunOS4 sh mishandles braces in ${var-val}.
+# It thinks the first close brace ends the variable substitution.
+test -z "$INSTALL_PROGRAM" && INSTALL_PROGRAM='${INSTALL}'
+
+test -z "$INSTALL_SCRIPT" && INSTALL_SCRIPT='${INSTALL}'
+
+test -z "$INSTALL_DATA" && INSTALL_DATA='${INSTALL} -m 644'
+
+{ echo "$as_me:$LINENO: checking whether build environment is sane" >&5
+echo $ECHO_N "checking whether build environment is sane... $ECHO_C" >&6; }
+# Just in case
+sleep 1
+echo timestamp > conftest.file
+# Do `set' in a subshell so we don't clobber the current shell's
+# arguments.  Must try -L first in case configure is actually a
+# symlink; some systems play weird games with the mod time of symlinks
+# (eg FreeBSD returns the mod time of the symlink's containing
+# directory).
+if (
+   set X `ls -Lt $srcdir/configure conftest.file 2> /dev/null`
+   if test "$*" = "X"; then
+      # -L didn't work.
+      set X `ls -t $srcdir/configure conftest.file`
+   fi
+   rm -f conftest.file
+   if test "$*" != "X $srcdir/configure conftest.file" \
+      && test "$*" != "X conftest.file $srcdir/configure"; then
+
+      # If neither matched, then we have a broken ls.  This can happen
+      # if, for instance, CONFIG_SHELL is bash and it inherits a
+      # broken ls alias from the environment.  This has actually
+      # happened.  Such a system could not be considered "sane".
+      { { echo "$as_me:$LINENO: error: ls -t appears to fail.  Make sure there is not a broken
+alias in your environment" >&5
+echo "$as_me: error: ls -t appears to fail.  Make sure there is not a broken
+alias in your environment" >&2;}
+   { (exit 1); exit 1; }; }
+   fi
+
+   test "$2" = conftest.file
+   )
+then
+   # Ok.
+   :
+else
+   { { echo "$as_me:$LINENO: error: newly created file is older than distributed files!
+Check your system clock" >&5
+echo "$as_me: error: newly created file is older than distributed files!
+Check your system clock" >&2;}
+   { (exit 1); exit 1; }; }
+fi
+{ echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
+test "$program_prefix" != NONE &&
+  program_transform_name="s&^&$program_prefix&;$program_transform_name"
+# Use a double $ so make ignores it.
+test "$program_suffix" != NONE &&
+  program_transform_name="s&\$&$program_suffix&;$program_transform_name"
+# Double any \ or $.  echo might interpret backslashes.
+# By default was `s,x,x', remove it if useless.
+cat <<\_ACEOF >conftest.sed
+s/[\\$]/&&/g;s/;s,x,x,$//
+_ACEOF
+program_transform_name=`echo $program_transform_name | sed -f conftest.sed`
+rm -f conftest.sed
+
+# expand $ac_aux_dir to an absolute path
+am_aux_dir=`cd $ac_aux_dir && pwd`
+
+test x"${MISSING+set}" = xset || MISSING="\${SHELL} $am_aux_dir/missing"
+# Use eval to expand $SHELL
+if eval "$MISSING --run true"; then
+  am_missing_run="$MISSING --run "
+else
+  am_missing_run=
+  { echo "$as_me:$LINENO: WARNING: \`missing' script is too old or missing" >&5
+echo "$as_me: WARNING: \`missing' script is too old or missing" >&2;}
+fi
+
+{ echo "$as_me:$LINENO: checking for a thread-safe mkdir -p" >&5
+echo $ECHO_N "checking for a thread-safe mkdir -p... $ECHO_C" >&6; }
+if test -z "$MKDIR_P"; then
+  if test "${ac_cv_path_mkdir+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH$PATH_SEPARATOR/opt/sfw/bin
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+  for ac_prog in mkdir gmkdir; do
+	 for ac_exec_ext in '' $ac_executable_extensions; do
+	   { test -f "$as_dir/$ac_prog$ac_exec_ext" && $as_test_x "$as_dir/$ac_prog$ac_exec_ext"; } || continue
+	   case `"$as_dir/$ac_prog$ac_exec_ext" --version 2>&1` in #(
+	     'mkdir (GNU coreutils) '* | \
+	     'mkdir (coreutils) '* | \
+	     'mkdir (fileutils) '4.1*)
+	       ac_cv_path_mkdir=$as_dir/$ac_prog$ac_exec_ext
+	       break 3;;
+	   esac
+	 done
+       done
+done
+IFS=$as_save_IFS
+
+fi
+
+  if test "${ac_cv_path_mkdir+set}" = set; then
+    MKDIR_P="$ac_cv_path_mkdir -p"
+  else
+    # As a last resort, use the slow shell script.  Don't cache a
+    # value for MKDIR_P within a source directory, because that will
+    # break other packages using the cache if that directory is
+    # removed, or if the value is a relative name.
+    test -d ./--version && rmdir ./--version
+    MKDIR_P="$ac_install_sh -d"
+  fi
+fi
+{ echo "$as_me:$LINENO: result: $MKDIR_P" >&5
+echo "${ECHO_T}$MKDIR_P" >&6; }
+
+mkdir_p="$MKDIR_P"
+case $mkdir_p in
+  [\\/$]* | ?:[\\/]*) ;;
+  */*) mkdir_p="\$(top_builddir)/$mkdir_p" ;;
+esac
+
+for ac_prog in gawk mawk nawk awk
+do
+  # Extract the first word of "$ac_prog", so it can be a program name with args.
+set dummy $ac_prog; ac_word=$2
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+if test "${ac_cv_prog_AWK+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  if test -n "$AWK"; then
+  ac_cv_prog_AWK="$AWK" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+  for ac_exec_ext in '' $ac_executable_extensions; do
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+    ac_cv_prog_AWK="$ac_prog"
+    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+done
+IFS=$as_save_IFS
+
+fi
+fi
+AWK=$ac_cv_prog_AWK
+if test -n "$AWK"; then
+  { echo "$as_me:$LINENO: result: $AWK" >&5
+echo "${ECHO_T}$AWK" >&6; }
+else
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
+
+
+  test -n "$AWK" && break
+done
+
+{ echo "$as_me:$LINENO: checking whether ${MAKE-make} sets \$(MAKE)" >&5
+echo $ECHO_N "checking whether ${MAKE-make} sets \$(MAKE)... $ECHO_C" >&6; }
+set x ${MAKE-make}; ac_make=`echo "$2" | sed 's/+/p/g; s/[^a-zA-Z0-9_]/_/g'`
+if { as_var=ac_cv_prog_make_${ac_make}_set; eval "test \"\${$as_var+set}\" = set"; }; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.make <<\_ACEOF
+SHELL = /bin/sh
+all:
+	@echo '@@@%%%=$(MAKE)=@@@%%%'
+_ACEOF
+# GNU make sometimes prints "make[1]: Entering...", which would confuse us.
+case `${MAKE-make} -f conftest.make 2>/dev/null` in
+  *@@@%%%=?*=@@@%%%*)
+    eval ac_cv_prog_make_${ac_make}_set=yes;;
+  *)
+    eval ac_cv_prog_make_${ac_make}_set=no;;
+esac
+rm -f conftest.make
+fi
+if eval test \$ac_cv_prog_make_${ac_make}_set = yes; then
+  { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
+  SET_MAKE=
+else
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+  SET_MAKE="MAKE=${MAKE-make}"
+fi
+
+rm -rf .tst 2>/dev/null
+mkdir .tst 2>/dev/null
+if test -d .tst; then
+  am__leading_dot=.
+else
+  am__leading_dot=_
+fi
+rmdir .tst 2>/dev/null
+
+if test "`cd $srcdir && pwd`" != "`pwd`"; then
+  # Use -I$(srcdir) only when $(srcdir) != ., so that make's output
+  # is not polluted with repeated "-I."
+  am__isrc=' -I$(srcdir)'
+  # test to see if srcdir already configured
+  if test -f $srcdir/config.status; then
+    { { echo "$as_me:$LINENO: error: source directory already configured; run \"make distclean\" there first" >&5
+echo "$as_me: error: source directory already configured; run \"make distclean\" there first" >&2;}
+   { (exit 1); exit 1; }; }
+  fi
+fi
+
+# test whether we have cygpath
+if test -z "$CYGPATH_W"; then
+  if (cygpath --version) >/dev/null 2>/dev/null; then
+    CYGPATH_W='cygpath -w'
+  else
+    CYGPATH_W=echo
+  fi
+fi
+
+
+# Define the identity of the package.
+ PACKAGE='NetworkManager-strongswan'
+ VERSION='4.2.6'
+
+
+cat >>confdefs.h <<_ACEOF
+#define PACKAGE "$PACKAGE"
+_ACEOF
+
+
+cat >>confdefs.h <<_ACEOF
+#define VERSION "$VERSION"
+_ACEOF
+
+# Some tools Automake needs.
+
+ACLOCAL=${ACLOCAL-"${am_missing_run}aclocal-${am__api_version}"}
+
+
+AUTOCONF=${AUTOCONF-"${am_missing_run}autoconf"}
+
+
+AUTOMAKE=${AUTOMAKE-"${am_missing_run}automake-${am__api_version}"}
+
+
+AUTOHEADER=${AUTOHEADER-"${am_missing_run}autoheader"}
+
+
+MAKEINFO=${MAKEINFO-"${am_missing_run}makeinfo"}
+
+install_sh=${install_sh-"\$(SHELL) $am_aux_dir/install-sh"}
+
+# Installed binaries are usually stripped using `strip' when the user
+# run `make install-strip'.  However `strip' might not be the right
+# tool to use in cross-compilation environments, therefore Automake
+# will honor the `STRIP' environment variable to overrule this program.
+if test "$cross_compiling" != no; then
+  if test -n "$ac_tool_prefix"; then
+  # Extract the first word of "${ac_tool_prefix}strip", so it can be a program name with args.
+set dummy ${ac_tool_prefix}strip; ac_word=$2
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+if test "${ac_cv_prog_STRIP+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  if test -n "$STRIP"; then
+  ac_cv_prog_STRIP="$STRIP" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+  for ac_exec_ext in '' $ac_executable_extensions; do
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+    ac_cv_prog_STRIP="${ac_tool_prefix}strip"
+    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+done
+IFS=$as_save_IFS
+
+fi
+fi
+STRIP=$ac_cv_prog_STRIP
+if test -n "$STRIP"; then
+  { echo "$as_me:$LINENO: result: $STRIP" >&5
+echo "${ECHO_T}$STRIP" >&6; }
+else
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
+
+
+fi
+if test -z "$ac_cv_prog_STRIP"; then
+  ac_ct_STRIP=$STRIP
+  # Extract the first word of "strip", so it can be a program name with args.
+set dummy strip; ac_word=$2
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+if test "${ac_cv_prog_ac_ct_STRIP+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  if test -n "$ac_ct_STRIP"; then
+  ac_cv_prog_ac_ct_STRIP="$ac_ct_STRIP" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+  for ac_exec_ext in '' $ac_executable_extensions; do
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+    ac_cv_prog_ac_ct_STRIP="strip"
+    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+done
+IFS=$as_save_IFS
+
+fi
+fi
+ac_ct_STRIP=$ac_cv_prog_ac_ct_STRIP
+if test -n "$ac_ct_STRIP"; then
+  { echo "$as_me:$LINENO: result: $ac_ct_STRIP" >&5
+echo "${ECHO_T}$ac_ct_STRIP" >&6; }
+else
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
+
+  if test "x$ac_ct_STRIP" = x; then
+    STRIP=":"
+  else
+    case $cross_compiling:$ac_tool_warned in
+yes:)
+{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
+whose name does not start with the host triplet.  If you think this
+configuration is useful to you, please write to autoconf@gnu.org." >&5
+echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
+whose name does not start with the host triplet.  If you think this
+configuration is useful to you, please write to autoconf@gnu.org." >&2;}
+ac_tool_warned=yes ;;
+esac
+    STRIP=$ac_ct_STRIP
+  fi
+else
+  STRIP="$ac_cv_prog_STRIP"
+fi
+
+fi
+INSTALL_STRIP_PROGRAM="\$(install_sh) -c -s"
+
+# We need awk for the "check" target.  The system "awk" is bad on
+# some platforms.
+# Always define AMTAR for backward compatibility.
+
+AMTAR=${AMTAR-"${am_missing_run}tar"}
+
+am__tar='${AMTAR} chof - "$$tardir"'; am__untar='${AMTAR} xf -'
+
+
+
+
+
+{ echo "$as_me:$LINENO: checking whether to enable maintainer-specific portions of Makefiles" >&5
+echo $ECHO_N "checking whether to enable maintainer-specific portions of Makefiles... $ECHO_C" >&6; }
+    # Check whether --enable-maintainer-mode was given.
+if test "${enable_maintainer_mode+set}" = set; then
+  enableval=$enable_maintainer_mode; USE_MAINTAINER_MODE=$enableval
+else
+  USE_MAINTAINER_MODE=no
+fi
+
+  { echo "$as_me:$LINENO: result: $USE_MAINTAINER_MODE" >&5
+echo "${ECHO_T}$USE_MAINTAINER_MODE" >&6; }
+   if test $USE_MAINTAINER_MODE = yes; then
+  MAINTAINER_MODE_TRUE=
+  MAINTAINER_MODE_FALSE='#'
+else
+  MAINTAINER_MODE_TRUE='#'
+  MAINTAINER_MODE_FALSE=
+fi
+
+  MAINT=$MAINTAINER_MODE_TRUE
+
+
+
+ac_config_headers="$ac_config_headers config.h"
+
+
+ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+if test -n "$ac_tool_prefix"; then
+  # Extract the first word of "${ac_tool_prefix}gcc", so it can be a program name with args.
+set dummy ${ac_tool_prefix}gcc; ac_word=$2
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+if test "${ac_cv_prog_CC+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  if test -n "$CC"; then
+  ac_cv_prog_CC="$CC" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+  for ac_exec_ext in '' $ac_executable_extensions; do
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+    ac_cv_prog_CC="${ac_tool_prefix}gcc"
+    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+done
+IFS=$as_save_IFS
+
+fi
+fi
+CC=$ac_cv_prog_CC
+if test -n "$CC"; then
+  { echo "$as_me:$LINENO: result: $CC" >&5
+echo "${ECHO_T}$CC" >&6; }
+else
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
+
+
+fi
+if test -z "$ac_cv_prog_CC"; then
+  ac_ct_CC=$CC
+  # Extract the first word of "gcc", so it can be a program name with args.
+set dummy gcc; ac_word=$2
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+if test "${ac_cv_prog_ac_ct_CC+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  if test -n "$ac_ct_CC"; then
+  ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+  for ac_exec_ext in '' $ac_executable_extensions; do
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+    ac_cv_prog_ac_ct_CC="gcc"
+    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+done
+IFS=$as_save_IFS
+
+fi
+fi
+ac_ct_CC=$ac_cv_prog_ac_ct_CC
+if test -n "$ac_ct_CC"; then
+  { echo "$as_me:$LINENO: result: $ac_ct_CC" >&5
+echo "${ECHO_T}$ac_ct_CC" >&6; }
+else
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
+
+  if test "x$ac_ct_CC" = x; then
+    CC=""
+  else
+    case $cross_compiling:$ac_tool_warned in
+yes:)
+{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
+whose name does not start with the host triplet.  If you think this
+configuration is useful to you, please write to autoconf@gnu.org." >&5
+echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
+whose name does not start with the host triplet.  If you think this
+configuration is useful to you, please write to autoconf@gnu.org." >&2;}
+ac_tool_warned=yes ;;
+esac
+    CC=$ac_ct_CC
+  fi
+else
+  CC="$ac_cv_prog_CC"
+fi
+
+if test -z "$CC"; then
+          if test -n "$ac_tool_prefix"; then
+    # Extract the first word of "${ac_tool_prefix}cc", so it can be a program name with args.
+set dummy ${ac_tool_prefix}cc; ac_word=$2
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+if test "${ac_cv_prog_CC+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  if test -n "$CC"; then
+  ac_cv_prog_CC="$CC" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+  for ac_exec_ext in '' $ac_executable_extensions; do
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+    ac_cv_prog_CC="${ac_tool_prefix}cc"
+    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+done
+IFS=$as_save_IFS
+
+fi
+fi
+CC=$ac_cv_prog_CC
+if test -n "$CC"; then
+  { echo "$as_me:$LINENO: result: $CC" >&5
+echo "${ECHO_T}$CC" >&6; }
+else
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
+
+
+  fi
+fi
+if test -z "$CC"; then
+  # Extract the first word of "cc", so it can be a program name with args.
+set dummy cc; ac_word=$2
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+if test "${ac_cv_prog_CC+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  if test -n "$CC"; then
+  ac_cv_prog_CC="$CC" # Let the user override the test.
+else
+  ac_prog_rejected=no
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+  for ac_exec_ext in '' $ac_executable_extensions; do
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+    if test "$as_dir/$ac_word$ac_exec_ext" = "/usr/ucb/cc"; then
+       ac_prog_rejected=yes
+       continue
+     fi
+    ac_cv_prog_CC="cc"
+    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+done
+IFS=$as_save_IFS
+
+if test $ac_prog_rejected = yes; then
+  # We found a bogon in the path, so make sure we never use it.
+  set dummy $ac_cv_prog_CC
+  shift
+  if test $# != 0; then
+    # We chose a different compiler from the bogus one.
+    # However, it has the same basename, so the bogon will be chosen
+    # first if we set CC to just the basename; use the full file name.
+    shift
+    ac_cv_prog_CC="$as_dir/$ac_word${1+' '}$@"
+  fi
+fi
+fi
+fi
+CC=$ac_cv_prog_CC
+if test -n "$CC"; then
+  { echo "$as_me:$LINENO: result: $CC" >&5
+echo "${ECHO_T}$CC" >&6; }
+else
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
+
+
+fi
+if test -z "$CC"; then
+  if test -n "$ac_tool_prefix"; then
+  for ac_prog in cl.exe
+  do
+    # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args.
+set dummy $ac_tool_prefix$ac_prog; ac_word=$2
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+if test "${ac_cv_prog_CC+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  if test -n "$CC"; then
+  ac_cv_prog_CC="$CC" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+  for ac_exec_ext in '' $ac_executable_extensions; do
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+    ac_cv_prog_CC="$ac_tool_prefix$ac_prog"
+    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+done
+IFS=$as_save_IFS
+
+fi
+fi
+CC=$ac_cv_prog_CC
+if test -n "$CC"; then
+  { echo "$as_me:$LINENO: result: $CC" >&5
+echo "${ECHO_T}$CC" >&6; }
+else
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
+
+
+    test -n "$CC" && break
+  done
+fi
+if test -z "$CC"; then
+  ac_ct_CC=$CC
+  for ac_prog in cl.exe
+do
+  # Extract the first word of "$ac_prog", so it can be a program name with args.
+set dummy $ac_prog; ac_word=$2
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+if test "${ac_cv_prog_ac_ct_CC+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  if test -n "$ac_ct_CC"; then
+  ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+  for ac_exec_ext in '' $ac_executable_extensions; do
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+    ac_cv_prog_ac_ct_CC="$ac_prog"
+    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+done
+IFS=$as_save_IFS
+
+fi
+fi
+ac_ct_CC=$ac_cv_prog_ac_ct_CC
+if test -n "$ac_ct_CC"; then
+  { echo "$as_me:$LINENO: result: $ac_ct_CC" >&5
+echo "${ECHO_T}$ac_ct_CC" >&6; }
+else
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
+
+
+  test -n "$ac_ct_CC" && break
+done
+
+  if test "x$ac_ct_CC" = x; then
+    CC=""
+  else
+    case $cross_compiling:$ac_tool_warned in
+yes:)
+{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
+whose name does not start with the host triplet.  If you think this
+configuration is useful to you, please write to autoconf@gnu.org." >&5
+echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
+whose name does not start with the host triplet.  If you think this
+configuration is useful to you, please write to autoconf@gnu.org." >&2;}
+ac_tool_warned=yes ;;
+esac
+    CC=$ac_ct_CC
+  fi
+fi
+
+fi
+
+
+test -z "$CC" && { { echo "$as_me:$LINENO: error: no acceptable C compiler found in \$PATH
+See \`config.log' for more details." >&5
+echo "$as_me: error: no acceptable C compiler found in \$PATH
+See \`config.log' for more details." >&2;}
+   { (exit 1); exit 1; }; }
+
+# Provide some information about the compiler.
+echo "$as_me:$LINENO: checking for C compiler version" >&5
+ac_compiler=`set X $ac_compile; echo $2`
+{ (ac_try="$ac_compiler --version >&5"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compiler --version >&5") 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }
+{ (ac_try="$ac_compiler -v >&5"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compiler -v >&5") 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }
+{ (ac_try="$ac_compiler -V >&5"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compiler -V >&5") 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }
+
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+ac_clean_files_save=$ac_clean_files
+ac_clean_files="$ac_clean_files a.out a.exe b.out"
+# Try to create an executable without -o first, disregard a.out.
+# It will help us diagnose broken compilers, and finding out an intuition
+# of exeext.
+{ echo "$as_me:$LINENO: checking for C compiler default output file name" >&5
+echo $ECHO_N "checking for C compiler default output file name... $ECHO_C" >&6; }
+ac_link_default=`echo "$ac_link" | sed 's/ -o *conftest[^ ]*//'`
+#
+# List of possible output files, starting from the most likely.
+# The algorithm is not robust to junk in `.', hence go to wildcards (a.*)
+# only as a last resort.  b.out is created by i960 compilers.
+ac_files='a_out.exe a.exe conftest.exe a.out conftest a.* conftest.* b.out'
+#
+# The IRIX 6 linker writes into existing files which may not be
+# executable, retaining their permissions.  Remove them first so a
+# subsequent execution test works.
+ac_rmfiles=
+for ac_file in $ac_files
+do
+  case $ac_file in
+    *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.o | *.obj ) ;;
+    * ) ac_rmfiles="$ac_rmfiles $ac_file";;
+  esac
+done
+rm -f $ac_rmfiles
+
+if { (ac_try="$ac_link_default"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link_default") 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  # Autoconf-2.13 could set the ac_cv_exeext variable to `no'.
+# So ignore a value of `no', otherwise this would lead to `EXEEXT = no'
+# in a Makefile.  We should not override ac_cv_exeext if it was cached,
+# so that the user can short-circuit this test for compilers unknown to
+# Autoconf.
+for ac_file in $ac_files ''
+do
+  test -f "$ac_file" || continue
+  case $ac_file in
+    *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.o | *.obj )
+	;;
+    [ab].out )
+	# We found the default executable, but exeext='' is most
+	# certainly right.
+	break;;
+    *.* )
+        if test "${ac_cv_exeext+set}" = set && test "$ac_cv_exeext" != no;
+	then :; else
+	   ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'`
+	fi
+	# We set ac_cv_exeext here because the later test for it is not
+	# safe: cross compilers may not add the suffix if given an `-o'
+	# argument, so we may need to know it at that point already.
+	# Even if this section looks crufty: it has the advantage of
+	# actually working.
+	break;;
+    * )
+	break;;
+  esac
+done
+test "$ac_cv_exeext" = no && ac_cv_exeext=
+
+else
+  ac_file=''
+fi
+
+{ echo "$as_me:$LINENO: result: $ac_file" >&5
+echo "${ECHO_T}$ac_file" >&6; }
+if test -z "$ac_file"; then
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+{ { echo "$as_me:$LINENO: error: C compiler cannot create executables
+See \`config.log' for more details." >&5
+echo "$as_me: error: C compiler cannot create executables
+See \`config.log' for more details." >&2;}
+   { (exit 77); exit 77; }; }
+fi
+
+ac_exeext=$ac_cv_exeext
+
+# Check that the compiler produces executables we can run.  If not, either
+# the compiler is broken, or we cross compile.
+{ echo "$as_me:$LINENO: checking whether the C compiler works" >&5
+echo $ECHO_N "checking whether the C compiler works... $ECHO_C" >&6; }
+# FIXME: These cross compiler hacks should be removed for Autoconf 3.0
+# If not cross compiling, check that we can run a simple program.
+if test "$cross_compiling" != yes; then
+  if { ac_try='./$ac_file'
+  { (case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_try") 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; }; then
+    cross_compiling=no
+  else
+    if test "$cross_compiling" = maybe; then
+	cross_compiling=yes
+    else
+	{ { echo "$as_me:$LINENO: error: cannot run C compiled programs.
+If you meant to cross compile, use \`--host'.
+See \`config.log' for more details." >&5
+echo "$as_me: error: cannot run C compiled programs.
+If you meant to cross compile, use \`--host'.
+See \`config.log' for more details." >&2;}
+   { (exit 1); exit 1; }; }
+    fi
+  fi
+fi
+{ echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
+
+rm -f a.out a.exe conftest$ac_cv_exeext b.out
+ac_clean_files=$ac_clean_files_save
+# Check that the compiler produces executables we can run.  If not, either
+# the compiler is broken, or we cross compile.
+{ echo "$as_me:$LINENO: checking whether we are cross compiling" >&5
+echo $ECHO_N "checking whether we are cross compiling... $ECHO_C" >&6; }
+{ echo "$as_me:$LINENO: result: $cross_compiling" >&5
+echo "${ECHO_T}$cross_compiling" >&6; }
+
+{ echo "$as_me:$LINENO: checking for suffix of executables" >&5
+echo $ECHO_N "checking for suffix of executables... $ECHO_C" >&6; }
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  # If both `conftest.exe' and `conftest' are `present' (well, observable)
+# catch `conftest.exe'.  For instance with Cygwin, `ls conftest' will
+# work properly (i.e., refer to `conftest.exe'), while it won't with
+# `rm'.
+for ac_file in conftest.exe conftest conftest.*; do
+  test -f "$ac_file" || continue
+  case $ac_file in
+    *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.o | *.obj ) ;;
+    *.* ) ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'`
+	  break;;
+    * ) break;;
+  esac
+done
+else
+  { { echo "$as_me:$LINENO: error: cannot compute suffix of executables: cannot compile and link
+See \`config.log' for more details." >&5
+echo "$as_me: error: cannot compute suffix of executables: cannot compile and link
+See \`config.log' for more details." >&2;}
+   { (exit 1); exit 1; }; }
+fi
+
+rm -f conftest$ac_cv_exeext
+{ echo "$as_me:$LINENO: result: $ac_cv_exeext" >&5
+echo "${ECHO_T}$ac_cv_exeext" >&6; }
+
+rm -f conftest.$ac_ext
+EXEEXT=$ac_cv_exeext
+ac_exeext=$EXEEXT
+{ echo "$as_me:$LINENO: checking for suffix of object files" >&5
+echo $ECHO_N "checking for suffix of object files... $ECHO_C" >&6; }
+if test "${ac_cv_objext+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.o conftest.obj
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  for ac_file in conftest.o conftest.obj conftest.*; do
+  test -f "$ac_file" || continue;
+  case $ac_file in
+    *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf ) ;;
+    *) ac_cv_objext=`expr "$ac_file" : '.*\.\(.*\)'`
+       break;;
+  esac
+done
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+{ { echo "$as_me:$LINENO: error: cannot compute suffix of object files: cannot compile
+See \`config.log' for more details." >&5
+echo "$as_me: error: cannot compute suffix of object files: cannot compile
+See \`config.log' for more details." >&2;}
+   { (exit 1); exit 1; }; }
+fi
+
+rm -f conftest.$ac_cv_objext conftest.$ac_ext
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_objext" >&5
+echo "${ECHO_T}$ac_cv_objext" >&6; }
+OBJEXT=$ac_cv_objext
+ac_objext=$OBJEXT
+{ echo "$as_me:$LINENO: checking whether we are using the GNU C compiler" >&5
+echo $ECHO_N "checking whether we are using the GNU C compiler... $ECHO_C" >&6; }
+if test "${ac_cv_c_compiler_gnu+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+
+int
+main ()
+{
+#ifndef __GNUC__
+       choke me
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  ac_compiler_gnu=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	ac_compiler_gnu=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+ac_cv_c_compiler_gnu=$ac_compiler_gnu
+
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_c_compiler_gnu" >&5
+echo "${ECHO_T}$ac_cv_c_compiler_gnu" >&6; }
+GCC=`test $ac_compiler_gnu = yes && echo yes`
+ac_test_CFLAGS=${CFLAGS+set}
+ac_save_CFLAGS=$CFLAGS
+{ echo "$as_me:$LINENO: checking whether $CC accepts -g" >&5
+echo $ECHO_N "checking whether $CC accepts -g... $ECHO_C" >&6; }
+if test "${ac_cv_prog_cc_g+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_save_c_werror_flag=$ac_c_werror_flag
+   ac_c_werror_flag=yes
+   ac_cv_prog_cc_g=no
+   CFLAGS="-g"
+   cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  ac_cv_prog_cc_g=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	CFLAGS=""
+      cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  :
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	ac_c_werror_flag=$ac_save_c_werror_flag
+	 CFLAGS="-g"
+	 cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  ac_cv_prog_cc_g=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+   ac_c_werror_flag=$ac_save_c_werror_flag
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_prog_cc_g" >&5
+echo "${ECHO_T}$ac_cv_prog_cc_g" >&6; }
+if test "$ac_test_CFLAGS" = set; then
+  CFLAGS=$ac_save_CFLAGS
+elif test $ac_cv_prog_cc_g = yes; then
+  if test "$GCC" = yes; then
+    CFLAGS="-g -O2"
+  else
+    CFLAGS="-g"
+  fi
+else
+  if test "$GCC" = yes; then
+    CFLAGS="-O2"
+  else
+    CFLAGS=
+  fi
+fi
+{ echo "$as_me:$LINENO: checking for $CC option to accept ISO C89" >&5
+echo $ECHO_N "checking for $CC option to accept ISO C89... $ECHO_C" >&6; }
+if test "${ac_cv_prog_cc_c89+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_cv_prog_cc_c89=no
+ac_save_CC=$CC
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+#include <stdarg.h>
+#include <stdio.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+/* Most of the following tests are stolen from RCS 5.7's src/conf.sh.  */
+struct buf { int x; };
+FILE * (*rcsopen) (struct buf *, struct stat *, int);
+static char *e (p, i)
+     char **p;
+     int i;
+{
+  return p[i];
+}
+static char *f (char * (*g) (char **, int), char **p, ...)
+{
+  char *s;
+  va_list v;
+  va_start (v,p);
+  s = g (p, va_arg (v,int));
+  va_end (v);
+  return s;
+}
+
+/* OSF 4.0 Compaq cc is some sort of almost-ANSI by default.  It has
+   function prototypes and stuff, but not '\xHH' hex character constants.
+   These don't provoke an error unfortunately, instead are silently treated
+   as 'x'.  The following induces an error, until -std is added to get
+   proper ANSI mode.  Curiously '\x00'!='x' always comes out true, for an
+   array size at least.  It's necessary to write '\x00'==0 to get something
+   that's true only with -std.  */
+int osf4_cc_array ['\x00' == 0 ? 1 : -1];
+
+/* IBM C 6 for AIX is almost-ANSI by default, but it replaces macro parameters
+   inside strings and character constants.  */
+#define FOO(x) 'x'
+int xlc6_cc_array[FOO(a) == 'x' ? 1 : -1];
+
+int test (int i, double x);
+struct s1 {int (*f) (int a);};
+struct s2 {int (*f) (double a);};
+int pairnames (int, char **, FILE *(*)(struct buf *, struct stat *, int), int, int);
+int argc;
+char **argv;
+int
+main ()
+{
+return f (e, argv, 0) != argv[0]  ||  f (e, argv, 1) != argv[1];
+  ;
+  return 0;
+}
+_ACEOF
+for ac_arg in '' -qlanglvl=extc89 -qlanglvl=ansi -std \
+	-Ae "-Aa -D_HPUX_SOURCE" "-Xc -D__EXTENSIONS__"
+do
+  CC="$ac_save_CC $ac_arg"
+  rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  ac_cv_prog_cc_c89=$ac_arg
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+
+fi
+
+rm -f core conftest.err conftest.$ac_objext
+  test "x$ac_cv_prog_cc_c89" != "xno" && break
+done
+rm -f conftest.$ac_ext
+CC=$ac_save_CC
+
+fi
+# AC_CACHE_VAL
+case "x$ac_cv_prog_cc_c89" in
+  x)
+    { echo "$as_me:$LINENO: result: none needed" >&5
+echo "${ECHO_T}none needed" >&6; } ;;
+  xno)
+    { echo "$as_me:$LINENO: result: unsupported" >&5
+echo "${ECHO_T}unsupported" >&6; } ;;
+  *)
+    CC="$CC $ac_cv_prog_cc_c89"
+    { echo "$as_me:$LINENO: result: $ac_cv_prog_cc_c89" >&5
+echo "${ECHO_T}$ac_cv_prog_cc_c89" >&6; } ;;
+esac
+
+
+ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+DEPDIR="${am__leading_dot}deps"
+
+ac_config_commands="$ac_config_commands depfiles"
+
+
+am_make=${MAKE-make}
+cat > confinc << 'END'
+am__doit:
+	@echo done
+.PHONY: am__doit
+END
+# If we don't find an include directive, just comment out the code.
+{ echo "$as_me:$LINENO: checking for style of include used by $am_make" >&5
+echo $ECHO_N "checking for style of include used by $am_make... $ECHO_C" >&6; }
+am__include="#"
+am__quote=
+_am_result=none
+# First try GNU make style include.
+echo "include confinc" > confmf
+# We grep out `Entering directory' and `Leaving directory'
+# messages which can occur if `w' ends up in MAKEFLAGS.
+# In particular we don't look at `^make:' because GNU make might
+# be invoked under some other name (usually "gmake"), in which
+# case it prints its new name instead of `make'.
+if test "`$am_make -s -f confmf 2> /dev/null | grep -v 'ing directory'`" = "done"; then
+   am__include=include
+   am__quote=
+   _am_result=GNU
+fi
+# Now try BSD make style include.
+if test "$am__include" = "#"; then
+   echo '.include "confinc"' > confmf
+   if test "`$am_make -s -f confmf 2> /dev/null`" = "done"; then
+      am__include=.include
+      am__quote="\""
+      _am_result=BSD
+   fi
+fi
+
+
+{ echo "$as_me:$LINENO: result: $_am_result" >&5
+echo "${ECHO_T}$_am_result" >&6; }
+rm -f confinc confmf
+
+# Check whether --enable-dependency-tracking was given.
+if test "${enable_dependency_tracking+set}" = set; then
+  enableval=$enable_dependency_tracking;
+fi
+
+if test "x$enable_dependency_tracking" != xno; then
+  am_depcomp="$ac_aux_dir/depcomp"
+  AMDEPBACKSLASH='\'
+fi
+ if test "x$enable_dependency_tracking" != xno; then
+  AMDEP_TRUE=
+  AMDEP_FALSE='#'
+else
+  AMDEP_TRUE='#'
+  AMDEP_FALSE=
+fi
+
+
+
+depcc="$CC"   am_compiler_list=
+
+{ echo "$as_me:$LINENO: checking dependency style of $depcc" >&5
+echo $ECHO_N "checking dependency style of $depcc... $ECHO_C" >&6; }
+if test "${am_cv_CC_dependencies_compiler_type+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  if test -z "$AMDEP_TRUE" && test -f "$am_depcomp"; then
+  # We make a subdir and do the tests there.  Otherwise we can end up
+  # making bogus files that we don't know about and never remove.  For
+  # instance it was reported that on HP-UX the gcc test will end up
+  # making a dummy file named `D' -- because `-MD' means `put the output
+  # in D'.
+  mkdir conftest.dir
+  # Copy depcomp to subdir because otherwise we won't find it if we're
+  # using a relative directory.
+  cp "$am_depcomp" conftest.dir
+  cd conftest.dir
+  # We will build objects and dependencies in a subdirectory because
+  # it helps to detect inapplicable dependency modes.  For instance
+  # both Tru64's cc and ICC support -MD to output dependencies as a
+  # side effect of compilation, but ICC will put the dependencies in
+  # the current directory while Tru64 will put them in the object
+  # directory.
+  mkdir sub
+
+  am_cv_CC_dependencies_compiler_type=none
+  if test "$am_compiler_list" = ""; then
+     am_compiler_list=`sed -n 's/^#*\([a-zA-Z0-9]*\))$/\1/p' < ./depcomp`
+  fi
+  for depmode in $am_compiler_list; do
+    # Setup a source with many dependencies, because some compilers
+    # like to wrap large dependency lists on column 80 (with \), and
+    # we should not choose a depcomp mode which is confused by this.
+    #
+    # We need to recreate these files for each test, as the compiler may
+    # overwrite some of them when testing with obscure command lines.
+    # This happens at least with the AIX C compiler.
+    : > sub/conftest.c
+    for i in 1 2 3 4 5 6; do
+      echo '#include "conftst'$i'.h"' >> sub/conftest.c
+      # Using `: > sub/conftst$i.h' creates only sub/conftst1.h with
+      # Solaris 8's {/usr,}/bin/sh.
+      touch sub/conftst$i.h
+    done
+    echo "${am__include} ${am__quote}sub/conftest.Po${am__quote}" > confmf
+
+    case $depmode in
+    nosideeffect)
+      # after this tag, mechanisms are not by side-effect, so they'll
+      # only be used when explicitly requested
+      if test "x$enable_dependency_tracking" = xyes; then
+	continue
+      else
+	break
+      fi
+      ;;
+    none) break ;;
+    esac
+    # We check with `-c' and `-o' for the sake of the "dashmstdout"
+    # mode.  It turns out that the SunPro C++ compiler does not properly
+    # handle `-M -o', and we need to detect this.
+    if depmode=$depmode \
+       source=sub/conftest.c object=sub/conftest.${OBJEXT-o} \
+       depfile=sub/conftest.Po tmpdepfile=sub/conftest.TPo \
+       $SHELL ./depcomp $depcc -c -o sub/conftest.${OBJEXT-o} sub/conftest.c \
+         >/dev/null 2>conftest.err &&
+       grep sub/conftst1.h sub/conftest.Po > /dev/null 2>&1 &&
+       grep sub/conftst6.h sub/conftest.Po > /dev/null 2>&1 &&
+       grep sub/conftest.${OBJEXT-o} sub/conftest.Po > /dev/null 2>&1 &&
+       ${MAKE-make} -s -f confmf > /dev/null 2>&1; then
+      # icc doesn't choke on unknown options, it will just issue warnings
+      # or remarks (even with -Werror).  So we grep stderr for any message
+      # that says an option was ignored or not supported.
+      # When given -MP, icc 7.0 and 7.1 complain thusly:
+      #   icc: Command line warning: ignoring option '-M'; no argument required
+      # The diagnosis changed in icc 8.0:
+      #   icc: Command line remark: option '-MP' not supported
+      if (grep 'ignoring option' conftest.err ||
+          grep 'not supported' conftest.err) >/dev/null 2>&1; then :; else
+        am_cv_CC_dependencies_compiler_type=$depmode
+        break
+      fi
+    fi
+  done
+
+  cd ..
+  rm -rf conftest.dir
+else
+  am_cv_CC_dependencies_compiler_type=none
+fi
+
+fi
+{ echo "$as_me:$LINENO: result: $am_cv_CC_dependencies_compiler_type" >&5
+echo "${ECHO_T}$am_cv_CC_dependencies_compiler_type" >&6; }
+CCDEPMODE=depmode=$am_cv_CC_dependencies_compiler_type
+
+ if
+  test "x$enable_dependency_tracking" != xno \
+  && test "$am_cv_CC_dependencies_compiler_type" = gcc3; then
+  am__fastdepCC_TRUE=
+  am__fastdepCC_FALSE='#'
+else
+  am__fastdepCC_TRUE='#'
+  am__fastdepCC_FALSE=
+fi
+
+
+if test "x$CC" != xcc; then
+  { echo "$as_me:$LINENO: checking whether $CC and cc understand -c and -o together" >&5
+echo $ECHO_N "checking whether $CC and cc understand -c and -o together... $ECHO_C" >&6; }
+else
+  { echo "$as_me:$LINENO: checking whether cc understands -c and -o together" >&5
+echo $ECHO_N "checking whether cc understands -c and -o together... $ECHO_C" >&6; }
+fi
+set dummy $CC; ac_cc=`echo $2 |
+		      sed 's/[^a-zA-Z0-9_]/_/g;s/^[0-9]/_/'`
+if { as_var=ac_cv_prog_cc_${ac_cc}_c_o; eval "test \"\${$as_var+set}\" = set"; }; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+# Make sure it works both with $CC and with simple cc.
+# We do the test twice because some compilers refuse to overwrite an
+# existing .o file with -o, though they will create one.
+ac_try='$CC -c conftest.$ac_ext -o conftest2.$ac_objext >&5'
+rm -f conftest2.*
+if { (case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_try") 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+   test -f conftest2.$ac_objext && { (case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_try") 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); };
+then
+  eval ac_cv_prog_cc_${ac_cc}_c_o=yes
+  if test "x$CC" != xcc; then
+    # Test first that cc exists at all.
+    if { ac_try='cc -c conftest.$ac_ext >&5'
+  { (case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_try") 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; }; then
+      ac_try='cc -c conftest.$ac_ext -o conftest2.$ac_objext >&5'
+      rm -f conftest2.*
+      if { (case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_try") 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+	 test -f conftest2.$ac_objext && { (case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_try") 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); };
+      then
+	# cc works too.
+	:
+      else
+	# cc exists but doesn't like -o.
+	eval ac_cv_prog_cc_${ac_cc}_c_o=no
+      fi
+    fi
+  fi
+else
+  eval ac_cv_prog_cc_${ac_cc}_c_o=no
+fi
+rm -f core conftest*
+
+fi
+if eval test \$ac_cv_prog_cc_${ac_cc}_c_o = yes; then
+  { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
+else
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+
+cat >>confdefs.h <<\_ACEOF
+#define NO_MINUS_C_MINUS_O 1
+_ACEOF
+
+fi
+
+# FIXME: we rely on the cache variable name because
+# there is no other way.
+set dummy $CC
+ac_cc=`echo $2 | sed 's/[^a-zA-Z0-9_]/_/g;s/^[0-9]/_/'`
+if eval "test \"`echo '$ac_cv_prog_cc_'${ac_cc}_c_o`\" != yes"; then
+   # Losing compiler, so override with the script.
+   # FIXME: It is wrong to rewrite CC.
+   # But if we don't then we get into trouble of one sort or another.
+   # A longer-term fix would be to have automake use am__CC in this case,
+   # and then we could set am__CC="\$(top_srcdir)/compile \$(CC)"
+   CC="$am_aux_dir/compile $CC"
+fi
+
+
+# Find a good install program.  We prefer a C program (faster),
+# so one script is as good as another.  But avoid the broken or
+# incompatible versions:
+# SysV /etc/install, /usr/sbin/install
+# SunOS /usr/etc/install
+# IRIX /sbin/install
+# AIX /bin/install
+# AmigaOS /C/install, which installs bootblocks on floppy discs
+# AIX 4 /usr/bin/installbsd, which doesn't work without a -g flag
+# AFS /usr/afsws/bin/install, which mishandles nonexistent args
+# SVR4 /usr/ucb/install, which tries to use the nonexistent group "staff"
+# OS/2's system install, which has a completely different semantic
+# ./install, which can be erroneously created by make from ./install.sh.
+{ echo "$as_me:$LINENO: checking for a BSD-compatible install" >&5
+echo $ECHO_N "checking for a BSD-compatible install... $ECHO_C" >&6; }
+if test -z "$INSTALL"; then
+if test "${ac_cv_path_install+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+  # Account for people who put trailing slashes in PATH elements.
+case $as_dir/ in
+  ./ | .// | /cC/* | \
+  /etc/* | /usr/sbin/* | /usr/etc/* | /sbin/* | /usr/afsws/bin/* | \
+  ?:\\/os2\\/install\\/* | ?:\\/OS2\\/INSTALL\\/* | \
+  /usr/ucb/* ) ;;
+  *)
+    # OSF1 and SCO ODT 3.0 have their own names for install.
+    # Don't use installbsd from OSF since it installs stuff as root
+    # by default.
+    for ac_prog in ginstall scoinst install; do
+      for ac_exec_ext in '' $ac_executable_extensions; do
+	if { test -f "$as_dir/$ac_prog$ac_exec_ext" && $as_test_x "$as_dir/$ac_prog$ac_exec_ext"; }; then
+	  if test $ac_prog = install &&
+	    grep dspmsg "$as_dir/$ac_prog$ac_exec_ext" >/dev/null 2>&1; then
+	    # AIX install.  It has an incompatible calling convention.
+	    :
+	  elif test $ac_prog = install &&
+	    grep pwplus "$as_dir/$ac_prog$ac_exec_ext" >/dev/null 2>&1; then
+	    # program-specific install script used by HP pwplus--don't use.
+	    :
+	  else
+	    ac_cv_path_install="$as_dir/$ac_prog$ac_exec_ext -c"
+	    break 3
+	  fi
+	fi
+      done
+    done
+    ;;
+esac
+done
+IFS=$as_save_IFS
+
+
+fi
+  if test "${ac_cv_path_install+set}" = set; then
+    INSTALL=$ac_cv_path_install
+  else
+    # As a last resort, use the slow shell script.  Don't cache a
+    # value for INSTALL within a source directory, because that will
+    # break other packages using the cache if that directory is
+    # removed, or if the value is a relative name.
+    INSTALL=$ac_install_sh
+  fi
+fi
+{ echo "$as_me:$LINENO: result: $INSTALL" >&5
+echo "${ECHO_T}$INSTALL" >&6; }
+
+# Use test -z because SunOS4 sh mishandles braces in ${var-val}.
+# It thinks the first close brace ends the variable substitution.
+test -z "$INSTALL_PROGRAM" && INSTALL_PROGRAM='${INSTALL}'
+
+test -z "$INSTALL_SCRIPT" && INSTALL_SCRIPT='${INSTALL}'
+
+test -z "$INSTALL_DATA" && INSTALL_DATA='${INSTALL} -m 644'
+
+# Check whether --enable-shared was given.
+if test "${enable_shared+set}" = set; then
+  enableval=$enable_shared; p=${PACKAGE-default}
+    case $enableval in
+    yes) enable_shared=yes ;;
+    no) enable_shared=no ;;
+    *)
+      enable_shared=no
+      # Look at the argument we got.  We use all the common list separators.
+      lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR,"
+      for pkg in $enableval; do
+	IFS="$lt_save_ifs"
+	if test "X$pkg" = "X$p"; then
+	  enable_shared=yes
+	fi
+      done
+      IFS="$lt_save_ifs"
+      ;;
+    esac
+else
+  enable_shared=yes
+fi
+
+
+# Check whether --enable-static was given.
+if test "${enable_static+set}" = set; then
+  enableval=$enable_static; p=${PACKAGE-default}
+    case $enableval in
+    yes) enable_static=yes ;;
+    no) enable_static=no ;;
+    *)
+     enable_static=no
+      # Look at the argument we got.  We use all the common list separators.
+      lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR,"
+      for pkg in $enableval; do
+	IFS="$lt_save_ifs"
+	if test "X$pkg" = "X$p"; then
+	  enable_static=yes
+	fi
+      done
+      IFS="$lt_save_ifs"
+      ;;
+    esac
+else
+  enable_static=yes
+fi
+
+
+# Check whether --enable-fast-install was given.
+if test "${enable_fast_install+set}" = set; then
+  enableval=$enable_fast_install; p=${PACKAGE-default}
+    case $enableval in
+    yes) enable_fast_install=yes ;;
+    no) enable_fast_install=no ;;
+    *)
+      enable_fast_install=no
+      # Look at the argument we got.  We use all the common list separators.
+      lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR,"
+      for pkg in $enableval; do
+	IFS="$lt_save_ifs"
+	if test "X$pkg" = "X$p"; then
+	  enable_fast_install=yes
+	fi
+      done
+      IFS="$lt_save_ifs"
+      ;;
+    esac
+else
+  enable_fast_install=yes
+fi
+
+
+# Make sure we can run config.sub.
+$SHELL "$ac_aux_dir/config.sub" sun4 >/dev/null 2>&1 ||
+  { { echo "$as_me:$LINENO: error: cannot run $SHELL $ac_aux_dir/config.sub" >&5
+echo "$as_me: error: cannot run $SHELL $ac_aux_dir/config.sub" >&2;}
+   { (exit 1); exit 1; }; }
+
+{ echo "$as_me:$LINENO: checking build system type" >&5
+echo $ECHO_N "checking build system type... $ECHO_C" >&6; }
+if test "${ac_cv_build+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_build_alias=$build_alias
+test "x$ac_build_alias" = x &&
+  ac_build_alias=`$SHELL "$ac_aux_dir/config.guess"`
+test "x$ac_build_alias" = x &&
+  { { echo "$as_me:$LINENO: error: cannot guess build type; you must specify one" >&5
+echo "$as_me: error: cannot guess build type; you must specify one" >&2;}
+   { (exit 1); exit 1; }; }
+ac_cv_build=`$SHELL "$ac_aux_dir/config.sub" $ac_build_alias` ||
+  { { echo "$as_me:$LINENO: error: $SHELL $ac_aux_dir/config.sub $ac_build_alias failed" >&5
+echo "$as_me: error: $SHELL $ac_aux_dir/config.sub $ac_build_alias failed" >&2;}
+   { (exit 1); exit 1; }; }
+
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_build" >&5
+echo "${ECHO_T}$ac_cv_build" >&6; }
+case $ac_cv_build in
+*-*-*) ;;
+*) { { echo "$as_me:$LINENO: error: invalid value of canonical build" >&5
+echo "$as_me: error: invalid value of canonical build" >&2;}
+   { (exit 1); exit 1; }; };;
+esac
+build=$ac_cv_build
+ac_save_IFS=$IFS; IFS='-'
+set x $ac_cv_build
+shift
+build_cpu=$1
+build_vendor=$2
+shift; shift
+# Remember, the first character of IFS is used to create $*,
+# except with old shells:
+build_os=$*
+IFS=$ac_save_IFS
+case $build_os in *\ *) build_os=`echo "$build_os" | sed 's/ /-/g'`;; esac
+
+
+{ echo "$as_me:$LINENO: checking host system type" >&5
+echo $ECHO_N "checking host system type... $ECHO_C" >&6; }
+if test "${ac_cv_host+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  if test "x$host_alias" = x; then
+  ac_cv_host=$ac_cv_build
+else
+  ac_cv_host=`$SHELL "$ac_aux_dir/config.sub" $host_alias` ||
+    { { echo "$as_me:$LINENO: error: $SHELL $ac_aux_dir/config.sub $host_alias failed" >&5
+echo "$as_me: error: $SHELL $ac_aux_dir/config.sub $host_alias failed" >&2;}
+   { (exit 1); exit 1; }; }
+fi
+
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_host" >&5
+echo "${ECHO_T}$ac_cv_host" >&6; }
+case $ac_cv_host in
+*-*-*) ;;
+*) { { echo "$as_me:$LINENO: error: invalid value of canonical host" >&5
+echo "$as_me: error: invalid value of canonical host" >&2;}
+   { (exit 1); exit 1; }; };;
+esac
+host=$ac_cv_host
+ac_save_IFS=$IFS; IFS='-'
+set x $ac_cv_host
+shift
+host_cpu=$1
+host_vendor=$2
+shift; shift
+# Remember, the first character of IFS is used to create $*,
+# except with old shells:
+host_os=$*
+IFS=$ac_save_IFS
+case $host_os in *\ *) host_os=`echo "$host_os" | sed 's/ /-/g'`;; esac
+
+
+{ echo "$as_me:$LINENO: checking for a sed that does not truncate output" >&5
+echo $ECHO_N "checking for a sed that does not truncate output... $ECHO_C" >&6; }
+if test "${lt_cv_path_SED+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  # Loop through the user's path and test for sed and gsed.
+# Then use that list of sed's as ones to test for truncation.
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+  for lt_ac_prog in sed gsed; do
+    for ac_exec_ext in '' $ac_executable_extensions; do
+      if { test -f "$as_dir/$lt_ac_prog$ac_exec_ext" && $as_test_x "$as_dir/$lt_ac_prog$ac_exec_ext"; }; then
+        lt_ac_sed_list="$lt_ac_sed_list $as_dir/$lt_ac_prog$ac_exec_ext"
+      fi
+    done
+  done
+done
+IFS=$as_save_IFS
+lt_ac_max=0
+lt_ac_count=0
+# Add /usr/xpg4/bin/sed as it is typically found on Solaris
+# along with /bin/sed that truncates output.
+for lt_ac_sed in $lt_ac_sed_list /usr/xpg4/bin/sed; do
+  test ! -f $lt_ac_sed && continue
+  cat /dev/null > conftest.in
+  lt_ac_count=0
+  echo $ECHO_N "0123456789$ECHO_C" >conftest.in
+  # Check for GNU sed and select it if it is found.
+  if "$lt_ac_sed" --version 2>&1 < /dev/null | grep 'GNU' > /dev/null; then
+    lt_cv_path_SED=$lt_ac_sed
+    break
+  fi
+  while true; do
+    cat conftest.in conftest.in >conftest.tmp
+    mv conftest.tmp conftest.in
+    cp conftest.in conftest.nl
+    echo >>conftest.nl
+    $lt_ac_sed -e 's/a$//' < conftest.nl >conftest.out || break
+    cmp -s conftest.out conftest.nl || break
+    # 10000 chars as input seems more than enough
+    test $lt_ac_count -gt 10 && break
+    lt_ac_count=`expr $lt_ac_count + 1`
+    if test $lt_ac_count -gt $lt_ac_max; then
+      lt_ac_max=$lt_ac_count
+      lt_cv_path_SED=$lt_ac_sed
+    fi
+  done
+done
+
+fi
+
+SED=$lt_cv_path_SED
+
+{ echo "$as_me:$LINENO: result: $SED" >&5
+echo "${ECHO_T}$SED" >&6; }
+
+{ echo "$as_me:$LINENO: checking for grep that handles long lines and -e" >&5
+echo $ECHO_N "checking for grep that handles long lines and -e... $ECHO_C" >&6; }
+if test "${ac_cv_path_GREP+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  # Extract the first word of "grep ggrep" to use in msg output
+if test -z "$GREP"; then
+set dummy grep ggrep; ac_prog_name=$2
+if test "${ac_cv_path_GREP+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_path_GREP_found=false
+# Loop through the user's path and test for each of PROGNAME-LIST
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH$PATH_SEPARATOR/usr/xpg4/bin
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+  for ac_prog in grep ggrep; do
+  for ac_exec_ext in '' $ac_executable_extensions; do
+    ac_path_GREP="$as_dir/$ac_prog$ac_exec_ext"
+    { test -f "$ac_path_GREP" && $as_test_x "$ac_path_GREP"; } || continue
+    # Check for GNU ac_path_GREP and select it if it is found.
+  # Check for GNU $ac_path_GREP
+case `"$ac_path_GREP" --version 2>&1` in
+*GNU*)
+  ac_cv_path_GREP="$ac_path_GREP" ac_path_GREP_found=:;;
+*)
+  ac_count=0
+  echo $ECHO_N "0123456789$ECHO_C" >"conftest.in"
+  while :
+  do
+    cat "conftest.in" "conftest.in" >"conftest.tmp"
+    mv "conftest.tmp" "conftest.in"
+    cp "conftest.in" "conftest.nl"
+    echo 'GREP' >> "conftest.nl"
+    "$ac_path_GREP" -e 'GREP$' -e '-(cannot match)-' < "conftest.nl" >"conftest.out" 2>/dev/null || break
+    diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break
+    ac_count=`expr $ac_count + 1`
+    if test $ac_count -gt ${ac_path_GREP_max-0}; then
+      # Best one so far, save it but keep looking for a better one
+      ac_cv_path_GREP="$ac_path_GREP"
+      ac_path_GREP_max=$ac_count
+    fi
+    # 10*(2^10) chars as input seems more than enough
+    test $ac_count -gt 10 && break
+  done
+  rm -f conftest.in conftest.tmp conftest.nl conftest.out;;
+esac
+
+
+    $ac_path_GREP_found && break 3
+  done
+done
+
+done
+IFS=$as_save_IFS
+
+
+fi
+
+GREP="$ac_cv_path_GREP"
+if test -z "$GREP"; then
+  { { echo "$as_me:$LINENO: error: no acceptable $ac_prog_name could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" >&5
+echo "$as_me: error: no acceptable $ac_prog_name could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" >&2;}
+   { (exit 1); exit 1; }; }
+fi
+
+else
+  ac_cv_path_GREP=$GREP
+fi
+
+
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_path_GREP" >&5
+echo "${ECHO_T}$ac_cv_path_GREP" >&6; }
+ GREP="$ac_cv_path_GREP"
+
+
+{ echo "$as_me:$LINENO: checking for egrep" >&5
+echo $ECHO_N "checking for egrep... $ECHO_C" >&6; }
+if test "${ac_cv_path_EGREP+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  if echo a | $GREP -E '(a|b)' >/dev/null 2>&1
+   then ac_cv_path_EGREP="$GREP -E"
+   else
+     # Extract the first word of "egrep" to use in msg output
+if test -z "$EGREP"; then
+set dummy egrep; ac_prog_name=$2
+if test "${ac_cv_path_EGREP+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_path_EGREP_found=false
+# Loop through the user's path and test for each of PROGNAME-LIST
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH$PATH_SEPARATOR/usr/xpg4/bin
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+  for ac_prog in egrep; do
+  for ac_exec_ext in '' $ac_executable_extensions; do
+    ac_path_EGREP="$as_dir/$ac_prog$ac_exec_ext"
+    { test -f "$ac_path_EGREP" && $as_test_x "$ac_path_EGREP"; } || continue
+    # Check for GNU ac_path_EGREP and select it if it is found.
+  # Check for GNU $ac_path_EGREP
+case `"$ac_path_EGREP" --version 2>&1` in
+*GNU*)
+  ac_cv_path_EGREP="$ac_path_EGREP" ac_path_EGREP_found=:;;
+*)
+  ac_count=0
+  echo $ECHO_N "0123456789$ECHO_C" >"conftest.in"
+  while :
+  do
+    cat "conftest.in" "conftest.in" >"conftest.tmp"
+    mv "conftest.tmp" "conftest.in"
+    cp "conftest.in" "conftest.nl"
+    echo 'EGREP' >> "conftest.nl"
+    "$ac_path_EGREP" 'EGREP$' < "conftest.nl" >"conftest.out" 2>/dev/null || break
+    diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break
+    ac_count=`expr $ac_count + 1`
+    if test $ac_count -gt ${ac_path_EGREP_max-0}; then
+      # Best one so far, save it but keep looking for a better one
+      ac_cv_path_EGREP="$ac_path_EGREP"
+      ac_path_EGREP_max=$ac_count
+    fi
+    # 10*(2^10) chars as input seems more than enough
+    test $ac_count -gt 10 && break
+  done
+  rm -f conftest.in conftest.tmp conftest.nl conftest.out;;
+esac
+
+
+    $ac_path_EGREP_found && break 3
+  done
+done
+
+done
+IFS=$as_save_IFS
+
+
+fi
+
+EGREP="$ac_cv_path_EGREP"
+if test -z "$EGREP"; then
+  { { echo "$as_me:$LINENO: error: no acceptable $ac_prog_name could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" >&5
+echo "$as_me: error: no acceptable $ac_prog_name could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" >&2;}
+   { (exit 1); exit 1; }; }
+fi
+
+else
+  ac_cv_path_EGREP=$EGREP
+fi
+
+
+   fi
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_path_EGREP" >&5
+echo "${ECHO_T}$ac_cv_path_EGREP" >&6; }
+ EGREP="$ac_cv_path_EGREP"
+
+
+
+# Check whether --with-gnu-ld was given.
+if test "${with_gnu_ld+set}" = set; then
+  withval=$with_gnu_ld; test "$withval" = no || with_gnu_ld=yes
+else
+  with_gnu_ld=no
+fi
+
+ac_prog=ld
+if test "$GCC" = yes; then
+  # Check if gcc -print-prog-name=ld gives a path.
+  { echo "$as_me:$LINENO: checking for ld used by $CC" >&5
+echo $ECHO_N "checking for ld used by $CC... $ECHO_C" >&6; }
+  case $host in
+  *-*-mingw*)
+    # gcc leaves a trailing carriage return which upsets mingw
+    ac_prog=`($CC -print-prog-name=ld) 2>&5 | tr -d '\015'` ;;
+  *)
+    ac_prog=`($CC -print-prog-name=ld) 2>&5` ;;
+  esac
+  case $ac_prog in
+    # Accept absolute paths.
+    [\\/]* | ?:[\\/]*)
+      re_direlt='/[^/][^/]*/\.\./'
+      # Canonicalize the pathname of ld
+      ac_prog=`echo $ac_prog| $SED 's%\\\\%/%g'`
+      while echo $ac_prog | grep "$re_direlt" > /dev/null 2>&1; do
+	ac_prog=`echo $ac_prog| $SED "s%$re_direlt%/%"`
+      done
+      test -z "$LD" && LD="$ac_prog"
+      ;;
+  "")
+    # If it fails, then pretend we aren't using GCC.
+    ac_prog=ld
+    ;;
+  *)
+    # If it is relative, then search for the first ld in PATH.
+    with_gnu_ld=unknown
+    ;;
+  esac
+elif test "$with_gnu_ld" = yes; then
+  { echo "$as_me:$LINENO: checking for GNU ld" >&5
+echo $ECHO_N "checking for GNU ld... $ECHO_C" >&6; }
+else
+  { echo "$as_me:$LINENO: checking for non-GNU ld" >&5
+echo $ECHO_N "checking for non-GNU ld... $ECHO_C" >&6; }
+fi
+if test "${lt_cv_path_LD+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  if test -z "$LD"; then
+  lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR
+  for ac_dir in $PATH; do
+    IFS="$lt_save_ifs"
+    test -z "$ac_dir" && ac_dir=.
+    if test -f "$ac_dir/$ac_prog" || test -f "$ac_dir/$ac_prog$ac_exeext"; then
+      lt_cv_path_LD="$ac_dir/$ac_prog"
+      # Check to see if the program is GNU ld.  I'd rather use --version,
+      # but apparently some variants of GNU ld only accept -v.
+      # Break only if it was the GNU/non-GNU ld that we prefer.
+      case `"$lt_cv_path_LD" -v 2>&1 </dev/null` in
+      *GNU* | *'with BFD'*)
+	test "$with_gnu_ld" != no && break
+	;;
+      *)
+	test "$with_gnu_ld" != yes && break
+	;;
+      esac
+    fi
+  done
+  IFS="$lt_save_ifs"
+else
+  lt_cv_path_LD="$LD" # Let the user override the test with a path.
+fi
+fi
+
+LD="$lt_cv_path_LD"
+if test -n "$LD"; then
+  { echo "$as_me:$LINENO: result: $LD" >&5
+echo "${ECHO_T}$LD" >&6; }
+else
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
+test -z "$LD" && { { echo "$as_me:$LINENO: error: no acceptable ld found in \$PATH" >&5
+echo "$as_me: error: no acceptable ld found in \$PATH" >&2;}
+   { (exit 1); exit 1; }; }
+{ echo "$as_me:$LINENO: checking if the linker ($LD) is GNU ld" >&5
+echo $ECHO_N "checking if the linker ($LD) is GNU ld... $ECHO_C" >&6; }
+if test "${lt_cv_prog_gnu_ld+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  # I'd rather use --version here, but apparently some GNU lds only accept -v.
+case `$LD -v 2>&1 </dev/null` in
+*GNU* | *'with BFD'*)
+  lt_cv_prog_gnu_ld=yes
+  ;;
+*)
+  lt_cv_prog_gnu_ld=no
+  ;;
+esac
+fi
+{ echo "$as_me:$LINENO: result: $lt_cv_prog_gnu_ld" >&5
+echo "${ECHO_T}$lt_cv_prog_gnu_ld" >&6; }
+with_gnu_ld=$lt_cv_prog_gnu_ld
+
+
+{ echo "$as_me:$LINENO: checking for $LD option to reload object files" >&5
+echo $ECHO_N "checking for $LD option to reload object files... $ECHO_C" >&6; }
+if test "${lt_cv_ld_reload_flag+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  lt_cv_ld_reload_flag='-r'
+fi
+{ echo "$as_me:$LINENO: result: $lt_cv_ld_reload_flag" >&5
+echo "${ECHO_T}$lt_cv_ld_reload_flag" >&6; }
+reload_flag=$lt_cv_ld_reload_flag
+case $reload_flag in
+"" | " "*) ;;
+*) reload_flag=" $reload_flag" ;;
+esac
+reload_cmds='$LD$reload_flag -o $output$reload_objs'
+case $host_os in
+  darwin*)
+    if test "$GCC" = yes; then
+      reload_cmds='$LTCC $LTCFLAGS -nostdlib ${wl}-r -o $output$reload_objs'
+    else
+      reload_cmds='$LD$reload_flag -o $output$reload_objs'
+    fi
+    ;;
+esac
+
+{ echo "$as_me:$LINENO: checking for BSD-compatible nm" >&5
+echo $ECHO_N "checking for BSD-compatible nm... $ECHO_C" >&6; }
+if test "${lt_cv_path_NM+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  if test -n "$NM"; then
+  # Let the user override the test.
+  lt_cv_path_NM="$NM"
+else
+  lt_nm_to_check="${ac_tool_prefix}nm"
+  if test -n "$ac_tool_prefix" && test "$build" = "$host"; then
+    lt_nm_to_check="$lt_nm_to_check nm"
+  fi
+  for lt_tmp_nm in $lt_nm_to_check; do
+    lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR
+    for ac_dir in $PATH /usr/ccs/bin/elf /usr/ccs/bin /usr/ucb /bin; do
+      IFS="$lt_save_ifs"
+      test -z "$ac_dir" && ac_dir=.
+      tmp_nm="$ac_dir/$lt_tmp_nm"
+      if test -f "$tmp_nm" || test -f "$tmp_nm$ac_exeext" ; then
+	# Check to see if the nm accepts a BSD-compat flag.
+	# Adding the `sed 1q' prevents false positives on HP-UX, which says:
+	#   nm: unknown option "B" ignored
+	# Tru64's nm complains that /dev/null is an invalid object file
+	case `"$tmp_nm" -B /dev/null 2>&1 | sed '1q'` in
+	*/dev/null* | *'Invalid file or object type'*)
+	  lt_cv_path_NM="$tmp_nm -B"
+	  break
+	  ;;
+	*)
+	  case `"$tmp_nm" -p /dev/null 2>&1 | sed '1q'` in
+	  */dev/null*)
+	    lt_cv_path_NM="$tmp_nm -p"
+	    break
+	    ;;
+	  *)
+	    lt_cv_path_NM=${lt_cv_path_NM="$tmp_nm"} # keep the first match, but
+	    continue # so that we can try to find one that supports BSD flags
+	    ;;
+	  esac
+	  ;;
+	esac
+      fi
+    done
+    IFS="$lt_save_ifs"
+  done
+  test -z "$lt_cv_path_NM" && lt_cv_path_NM=nm
+fi
+fi
+{ echo "$as_me:$LINENO: result: $lt_cv_path_NM" >&5
+echo "${ECHO_T}$lt_cv_path_NM" >&6; }
+NM="$lt_cv_path_NM"
+
+{ echo "$as_me:$LINENO: checking whether ln -s works" >&5
+echo $ECHO_N "checking whether ln -s works... $ECHO_C" >&6; }
+LN_S=$as_ln_s
+if test "$LN_S" = "ln -s"; then
+  { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
+else
+  { echo "$as_me:$LINENO: result: no, using $LN_S" >&5
+echo "${ECHO_T}no, using $LN_S" >&6; }
+fi
+
+{ echo "$as_me:$LINENO: checking how to recognize dependent libraries" >&5
+echo $ECHO_N "checking how to recognize dependent libraries... $ECHO_C" >&6; }
+if test "${lt_cv_deplibs_check_method+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  lt_cv_file_magic_cmd='$MAGIC_CMD'
+lt_cv_file_magic_test_file=
+lt_cv_deplibs_check_method='unknown'
+# Need to set the preceding variable on all platforms that support
+# interlibrary dependencies.
+# 'none' -- dependencies not supported.
+# `unknown' -- same as none, but documents that we really don't know.
+# 'pass_all' -- all dependencies passed with no checks.
+# 'test_compile' -- check by making test program.
+# 'file_magic [[regex]]' -- check by looking for files in library path
+# which responds to the $file_magic_cmd with a given extended regex.
+# If you have `file' or equivalent on your system and you're not sure
+# whether `pass_all' will *always* work, you probably want this one.
+
+case $host_os in
+aix[4-9]*)
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+
+beos*)
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+
+bsdi[45]*)
+  lt_cv_deplibs_check_method='file_magic ELF [0-9][0-9]*-bit [ML]SB (shared object|dynamic lib)'
+  lt_cv_file_magic_cmd='/usr/bin/file -L'
+  lt_cv_file_magic_test_file=/shlib/libc.so
+  ;;
+
+cygwin*)
+  # func_win32_libid is a shell function defined in ltmain.sh
+  lt_cv_deplibs_check_method='file_magic ^x86 archive import|^x86 DLL'
+  lt_cv_file_magic_cmd='func_win32_libid'
+  ;;
+
+mingw* | pw32*)
+  # Base MSYS/MinGW do not provide the 'file' command needed by
+  # func_win32_libid shell function, so use a weaker test based on 'objdump',
+  # unless we find 'file', for example because we are cross-compiling.
+  if ( file / ) >/dev/null 2>&1; then
+    lt_cv_deplibs_check_method='file_magic ^x86 archive import|^x86 DLL'
+    lt_cv_file_magic_cmd='func_win32_libid'
+  else
+    lt_cv_deplibs_check_method='file_magic file format pei*-i386(.*architecture: i386)?'
+    lt_cv_file_magic_cmd='$OBJDUMP -f'
+  fi
+  ;;
+
+darwin* | rhapsody*)
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+
+freebsd* | dragonfly*)
+  if echo __ELF__ | $CC -E - | grep __ELF__ > /dev/null; then
+    case $host_cpu in
+    i*86 )
+      # Not sure whether the presence of OpenBSD here was a mistake.
+      # Let's accept both of them until this is cleared up.
+      lt_cv_deplibs_check_method='file_magic (FreeBSD|OpenBSD|DragonFly)/i[3-9]86 (compact )?demand paged shared library'
+      lt_cv_file_magic_cmd=/usr/bin/file
+      lt_cv_file_magic_test_file=`echo /usr/lib/libc.so.*`
+      ;;
+    esac
+  else
+    lt_cv_deplibs_check_method=pass_all
+  fi
+  ;;
+
+gnu*)
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+
+hpux10.20* | hpux11*)
+  lt_cv_file_magic_cmd=/usr/bin/file
+  case $host_cpu in
+  ia64*)
+    lt_cv_deplibs_check_method='file_magic (s[0-9][0-9][0-9]|ELF-[0-9][0-9]) shared object file - IA64'
+    lt_cv_file_magic_test_file=/usr/lib/hpux32/libc.so
+    ;;
+  hppa*64*)
+    lt_cv_deplibs_check_method='file_magic (s[0-9][0-9][0-9]|ELF-[0-9][0-9]) shared object file - PA-RISC [0-9].[0-9]'
+    lt_cv_file_magic_test_file=/usr/lib/pa20_64/libc.sl
+    ;;
+  *)
+    lt_cv_deplibs_check_method='file_magic (s[0-9][0-9][0-9]|PA-RISC[0-9].[0-9]) shared library'
+    lt_cv_file_magic_test_file=/usr/lib/libc.sl
+    ;;
+  esac
+  ;;
+
+interix[3-9]*)
+  # PIC code is broken on Interix 3.x, that's why |\.a not |_pic\.a here
+  lt_cv_deplibs_check_method='match_pattern /lib[^/]+(\.so|\.a)$'
+  ;;
+
+irix5* | irix6* | nonstopux*)
+  case $LD in
+  *-32|*"-32 ") libmagic=32-bit;;
+  *-n32|*"-n32 ") libmagic=N32;;
+  *-64|*"-64 ") libmagic=64-bit;;
+  *) libmagic=never-match;;
+  esac
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+
+# This must be Linux ELF.
+linux* | k*bsd*-gnu)
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+
+netbsd* | netbsdelf*-gnu)
+  if echo __ELF__ | $CC -E - | grep __ELF__ > /dev/null; then
+    lt_cv_deplibs_check_method='match_pattern /lib[^/]+(\.so\.[0-9]+\.[0-9]+|_pic\.a)$'
+  else
+    lt_cv_deplibs_check_method='match_pattern /lib[^/]+(\.so|_pic\.a)$'
+  fi
+  ;;
+
+newos6*)
+  lt_cv_deplibs_check_method='file_magic ELF [0-9][0-9]*-bit [ML]SB (executable|dynamic lib)'
+  lt_cv_file_magic_cmd=/usr/bin/file
+  lt_cv_file_magic_test_file=/usr/lib/libnls.so
+  ;;
+
+nto-qnx*)
+  lt_cv_deplibs_check_method=unknown
+  ;;
+
+openbsd*)
+  if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
+    lt_cv_deplibs_check_method='match_pattern /lib[^/]+(\.so\.[0-9]+\.[0-9]+|\.so|_pic\.a)$'
+  else
+    lt_cv_deplibs_check_method='match_pattern /lib[^/]+(\.so\.[0-9]+\.[0-9]+|_pic\.a)$'
+  fi
+  ;;
+
+osf3* | osf4* | osf5*)
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+
+rdos*)
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+
+solaris*)
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+
+sysv4 | sysv4.3*)
+  case $host_vendor in
+  motorola)
+    lt_cv_deplibs_check_method='file_magic ELF [0-9][0-9]*-bit [ML]SB (shared object|dynamic lib) M[0-9][0-9]* Version [0-9]'
+    lt_cv_file_magic_test_file=`echo /usr/lib/libc.so*`
+    ;;
+  ncr)
+    lt_cv_deplibs_check_method=pass_all
+    ;;
+  sequent)
+    lt_cv_file_magic_cmd='/bin/file'
+    lt_cv_deplibs_check_method='file_magic ELF [0-9][0-9]*-bit [LM]SB (shared object|dynamic lib )'
+    ;;
+  sni)
+    lt_cv_file_magic_cmd='/bin/file'
+    lt_cv_deplibs_check_method="file_magic ELF [0-9][0-9]*-bit [LM]SB dynamic lib"
+    lt_cv_file_magic_test_file=/lib/libc.so
+    ;;
+  siemens)
+    lt_cv_deplibs_check_method=pass_all
+    ;;
+  pc)
+    lt_cv_deplibs_check_method=pass_all
+    ;;
+  esac
+  ;;
+
+sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX* | sysv4*uw2*)
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+esac
+
+fi
+{ echo "$as_me:$LINENO: result: $lt_cv_deplibs_check_method" >&5
+echo "${ECHO_T}$lt_cv_deplibs_check_method" >&6; }
+file_magic_cmd=$lt_cv_file_magic_cmd
+deplibs_check_method=$lt_cv_deplibs_check_method
+test -z "$deplibs_check_method" && deplibs_check_method=unknown
+
+
+
+
+# If no C compiler was specified, use CC.
+LTCC=${LTCC-"$CC"}
+
+# If no C compiler flags were specified, use CFLAGS.
+LTCFLAGS=${LTCFLAGS-"$CFLAGS"}
+
+# Allow CC to be a program name with arguments.
+compiler=$CC
+
+
+# Check whether --enable-libtool-lock was given.
+if test "${enable_libtool_lock+set}" = set; then
+  enableval=$enable_libtool_lock;
+fi
+
+test "x$enable_libtool_lock" != xno && enable_libtool_lock=yes
+
+# Some flags need to be propagated to the compiler or linker for good
+# libtool support.
+case $host in
+ia64-*-hpux*)
+  # Find out which ABI we are using.
+  echo 'int i;' > conftest.$ac_ext
+  if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+    case `/usr/bin/file conftest.$ac_objext` in
+    *ELF-32*)
+      HPUX_IA64_MODE="32"
+      ;;
+    *ELF-64*)
+      HPUX_IA64_MODE="64"
+      ;;
+    esac
+  fi
+  rm -rf conftest*
+  ;;
+*-*-irix6*)
+  # Find out which ABI we are using.
+  echo '#line 4665 "configure"' > conftest.$ac_ext
+  if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+   if test "$lt_cv_prog_gnu_ld" = yes; then
+    case `/usr/bin/file conftest.$ac_objext` in
+    *32-bit*)
+      LD="${LD-ld} -melf32bsmip"
+      ;;
+    *N32*)
+      LD="${LD-ld} -melf32bmipn32"
+      ;;
+    *64-bit*)
+      LD="${LD-ld} -melf64bmip"
+      ;;
+    esac
+   else
+    case `/usr/bin/file conftest.$ac_objext` in
+    *32-bit*)
+      LD="${LD-ld} -32"
+      ;;
+    *N32*)
+      LD="${LD-ld} -n32"
+      ;;
+    *64-bit*)
+      LD="${LD-ld} -64"
+      ;;
+    esac
+   fi
+  fi
+  rm -rf conftest*
+  ;;
+
+x86_64-*kfreebsd*-gnu|x86_64-*linux*|ppc*-*linux*|powerpc*-*linux*| \
+s390*-*linux*|sparc*-*linux*)
+  # Find out which ABI we are using.
+  echo 'int i;' > conftest.$ac_ext
+  if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+    case `/usr/bin/file conftest.o` in
+    *32-bit*)
+      case $host in
+        x86_64-*kfreebsd*-gnu)
+          LD="${LD-ld} -m elf_i386_fbsd"
+          ;;
+        x86_64-*linux*)
+          LD="${LD-ld} -m elf_i386"
+          ;;
+        ppc64-*linux*|powerpc64-*linux*)
+          LD="${LD-ld} -m elf32ppclinux"
+          ;;
+        s390x-*linux*)
+          LD="${LD-ld} -m elf_s390"
+          ;;
+        sparc64-*linux*)
+          LD="${LD-ld} -m elf32_sparc"
+          ;;
+      esac
+      ;;
+    *64-bit*)
+      case $host in
+        x86_64-*kfreebsd*-gnu)
+          LD="${LD-ld} -m elf_x86_64_fbsd"
+          ;;
+        x86_64-*linux*)
+          LD="${LD-ld} -m elf_x86_64"
+          ;;
+        ppc*-*linux*|powerpc*-*linux*)
+          LD="${LD-ld} -m elf64ppc"
+          ;;
+        s390*-*linux*)
+          LD="${LD-ld} -m elf64_s390"
+          ;;
+        sparc*-*linux*)
+          LD="${LD-ld} -m elf64_sparc"
+          ;;
+      esac
+      ;;
+    esac
+  fi
+  rm -rf conftest*
+  ;;
+
+*-*-sco3.2v5*)
+  # On SCO OpenServer 5, we need -belf to get full-featured binaries.
+  SAVE_CFLAGS="$CFLAGS"
+  CFLAGS="$CFLAGS -belf"
+  { echo "$as_me:$LINENO: checking whether the C compiler needs -belf" >&5
+echo $ECHO_N "checking whether the C compiler needs -belf... $ECHO_C" >&6; }
+if test "${lt_cv_cc_needs_belf+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+
+     cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+  lt_cv_cc_needs_belf=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	lt_cv_cc_needs_belf=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+     ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+
+fi
+{ echo "$as_me:$LINENO: result: $lt_cv_cc_needs_belf" >&5
+echo "${ECHO_T}$lt_cv_cc_needs_belf" >&6; }
+  if test x"$lt_cv_cc_needs_belf" != x"yes"; then
+    # this is probably gcc 2.8.0, egcs 1.0 or newer; no need for -belf
+    CFLAGS="$SAVE_CFLAGS"
+  fi
+  ;;
+sparc*-*solaris*)
+  # Find out which ABI we are using.
+  echo 'int i;' > conftest.$ac_ext
+  if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+    case `/usr/bin/file conftest.o` in
+    *64-bit*)
+      case $lt_cv_prog_gnu_ld in
+      yes*) LD="${LD-ld} -m elf64_sparc" ;;
+      *)
+        if ${LD-ld} -64 -r -o conftest2.o conftest.o >/dev/null 2>&1; then
+	  LD="${LD-ld} -64"
+	fi
+	;;
+      esac
+      ;;
+    esac
+  fi
+  rm -rf conftest*
+  ;;
+
+
+esac
+
+need_locks="$enable_libtool_lock"
+
+
+ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+{ echo "$as_me:$LINENO: checking how to run the C preprocessor" >&5
+echo $ECHO_N "checking how to run the C preprocessor... $ECHO_C" >&6; }
+# On Suns, sometimes $CPP names a directory.
+if test -n "$CPP" && test -d "$CPP"; then
+  CPP=
+fi
+if test -z "$CPP"; then
+  if test "${ac_cv_prog_CPP+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+      # Double quotes because CPP needs to be expanded
+    for CPP in "$CC -E" "$CC -E -traditional-cpp" "/lib/cpp"
+    do
+      ac_preproc_ok=false
+for ac_c_preproc_warn_flag in '' yes
+do
+  # Use a header file that comes with gcc, so configuring glibc
+  # with a fresh cross-compiler works.
+  # Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+  # <limits.h> exists even on freestanding compilers.
+  # On the NeXT, cc -E runs the code through the compiler's parser,
+  # not just through cpp. "Syntax error" is here to catch this case.
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+		     Syntax error
+_ACEOF
+if { (ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } >/dev/null && {
+	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       }; then
+  :
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+  # Broken: fails on valid input.
+continue
+fi
+
+rm -f conftest.err conftest.$ac_ext
+
+  # OK, works on sane cases.  Now check whether nonexistent headers
+  # can be detected and how.
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+#include <ac_nonexistent.h>
+_ACEOF
+if { (ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } >/dev/null && {
+	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       }; then
+  # Broken: success on invalid input.
+continue
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+  # Passes both tests.
+ac_preproc_ok=:
+break
+fi
+
+rm -f conftest.err conftest.$ac_ext
+
+done
+# Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped.
+rm -f conftest.err conftest.$ac_ext
+if $ac_preproc_ok; then
+  break
+fi
+
+    done
+    ac_cv_prog_CPP=$CPP
+
+fi
+  CPP=$ac_cv_prog_CPP
+else
+  ac_cv_prog_CPP=$CPP
+fi
+{ echo "$as_me:$LINENO: result: $CPP" >&5
+echo "${ECHO_T}$CPP" >&6; }
+ac_preproc_ok=false
+for ac_c_preproc_warn_flag in '' yes
+do
+  # Use a header file that comes with gcc, so configuring glibc
+  # with a fresh cross-compiler works.
+  # Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+  # <limits.h> exists even on freestanding compilers.
+  # On the NeXT, cc -E runs the code through the compiler's parser,
+  # not just through cpp. "Syntax error" is here to catch this case.
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+		     Syntax error
+_ACEOF
+if { (ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } >/dev/null && {
+	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       }; then
+  :
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+  # Broken: fails on valid input.
+continue
+fi
+
+rm -f conftest.err conftest.$ac_ext
+
+  # OK, works on sane cases.  Now check whether nonexistent headers
+  # can be detected and how.
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+#include <ac_nonexistent.h>
+_ACEOF
+if { (ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } >/dev/null && {
+	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       }; then
+  # Broken: success on invalid input.
+continue
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+  # Passes both tests.
+ac_preproc_ok=:
+break
+fi
+
+rm -f conftest.err conftest.$ac_ext
+
+done
+# Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped.
+rm -f conftest.err conftest.$ac_ext
+if $ac_preproc_ok; then
+  :
+else
+  { { echo "$as_me:$LINENO: error: C preprocessor \"$CPP\" fails sanity check
+See \`config.log' for more details." >&5
+echo "$as_me: error: C preprocessor \"$CPP\" fails sanity check
+See \`config.log' for more details." >&2;}
+   { (exit 1); exit 1; }; }
+fi
+
+ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+
+
+{ echo "$as_me:$LINENO: checking for ANSI C header files" >&5
+echo $ECHO_N "checking for ANSI C header files... $ECHO_C" >&6; }
+if test "${ac_cv_header_stdc+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+#include <stdlib.h>
+#include <stdarg.h>
+#include <string.h>
+#include <float.h>
+
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  ac_cv_header_stdc=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	ac_cv_header_stdc=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+
+if test $ac_cv_header_stdc = yes; then
+  # SunOS 4.x string.h does not declare mem*, contrary to ANSI.
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+#include <string.h>
+
+_ACEOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  $EGREP "memchr" >/dev/null 2>&1; then
+  :
+else
+  ac_cv_header_stdc=no
+fi
+rm -f conftest*
+
+fi
+
+if test $ac_cv_header_stdc = yes; then
+  # ISC 2.0.2 stdlib.h does not declare free, contrary to ANSI.
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+#include <stdlib.h>
+
+_ACEOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  $EGREP "free" >/dev/null 2>&1; then
+  :
+else
+  ac_cv_header_stdc=no
+fi
+rm -f conftest*
+
+fi
+
+if test $ac_cv_header_stdc = yes; then
+  # /bin/cc in Irix-4.0.5 gets non-ANSI ctype macros unless using -ansi.
+  if test "$cross_compiling" = yes; then
+  :
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+#include <ctype.h>
+#include <stdlib.h>
+#if ((' ' & 0x0FF) == 0x020)
+# define ISLOWER(c) ('a' <= (c) && (c) <= 'z')
+# define TOUPPER(c) (ISLOWER(c) ? 'A' + ((c) - 'a') : (c))
+#else
+# define ISLOWER(c) \
+		   (('a' <= (c) && (c) <= 'i') \
+		     || ('j' <= (c) && (c) <= 'r') \
+		     || ('s' <= (c) && (c) <= 'z'))
+# define TOUPPER(c) (ISLOWER(c) ? ((c) | 0x40) : (c))
+#endif
+
+#define XOR(e, f) (((e) && !(f)) || (!(e) && (f)))
+int
+main ()
+{
+  int i;
+  for (i = 0; i < 256; i++)
+    if (XOR (islower (i), ISLOWER (i))
+	|| toupper (i) != TOUPPER (i))
+      return 2;
+  return 0;
+}
+_ACEOF
+rm -f conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
+  { (case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_try") 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; }; then
+  :
+else
+  echo "$as_me: program exited with status $ac_status" >&5
+echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+( exit $ac_status )
+ac_cv_header_stdc=no
+fi
+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
+fi
+
+
+fi
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_header_stdc" >&5
+echo "${ECHO_T}$ac_cv_header_stdc" >&6; }
+if test $ac_cv_header_stdc = yes; then
+
+cat >>confdefs.h <<\_ACEOF
+#define STDC_HEADERS 1
+_ACEOF
+
+fi
+
+# On IRIX 5.3, sys/types and inttypes.h are conflicting.
+
+
+
+
+
+
+
+
+
+for ac_header in sys/types.h sys/stat.h stdlib.h string.h memory.h strings.h \
+		  inttypes.h stdint.h unistd.h
+do
+as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
+{ echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+$ac_includes_default
+
+#include <$ac_header>
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  eval "$as_ac_Header=yes"
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	eval "$as_ac_Header=no"
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+ac_res=`eval echo '${'$as_ac_Header'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
+if test `eval echo '${'$as_ac_Header'}'` = yes; then
+  cat >>confdefs.h <<_ACEOF
+#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
+_ACEOF
+
+fi
+
+done
+
+
+
+for ac_header in dlfcn.h
+do
+as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+  { echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+fi
+ac_res=`eval echo '${'$as_ac_Header'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
+else
+  # Is the header compilable?
+{ echo "$as_me:$LINENO: checking $ac_header usability" >&5
+echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6; }
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+$ac_includes_default
+#include <$ac_header>
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  ac_header_compiler=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	ac_header_compiler=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
+echo "${ECHO_T}$ac_header_compiler" >&6; }
+
+# Is the header present?
+{ echo "$as_me:$LINENO: checking $ac_header presence" >&5
+echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6; }
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+#include <$ac_header>
+_ACEOF
+if { (ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } >/dev/null && {
+	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       }; then
+  ac_header_preproc=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+  ac_header_preproc=no
+fi
+
+rm -f conftest.err conftest.$ac_ext
+{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
+echo "${ECHO_T}$ac_header_preproc" >&6; }
+
+# So?  What about this header?
+case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
+  yes:no: )
+    { echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5
+echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the compiler's result" >&5
+echo "$as_me: WARNING: $ac_header: proceeding with the compiler's result" >&2;}
+    ac_header_preproc=yes
+    ;;
+  no:yes:* )
+    { echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5
+echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header:     check for missing prerequisite headers?" >&5
+echo "$as_me: WARNING: $ac_header:     check for missing prerequisite headers?" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: see the Autoconf documentation" >&5
+echo "$as_me: WARNING: $ac_header: see the Autoconf documentation" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\"" >&5
+echo "$as_me: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\"" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5
+echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5
+echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;}
+    ( cat <<\_ASBOX
+## ------------------------------------ ##
+## Report this to martin@strongswan.org ##
+## ------------------------------------ ##
+_ASBOX
+     ) | sed "s/^/$as_me: WARNING:     /" >&2
+    ;;
+esac
+{ echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  eval "$as_ac_Header=\$ac_header_preproc"
+fi
+ac_res=`eval echo '${'$as_ac_Header'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
+
+fi
+if test `eval echo '${'$as_ac_Header'}'` = yes; then
+  cat >>confdefs.h <<_ACEOF
+#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
+_ACEOF
+
+fi
+
+done
+
+ac_ext=cpp
+ac_cpp='$CXXCPP $CPPFLAGS'
+ac_compile='$CXX -c $CXXFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CXX -o conftest$ac_exeext $CXXFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_cxx_compiler_gnu
+if test -z "$CXX"; then
+  if test -n "$CCC"; then
+    CXX=$CCC
+  else
+    if test -n "$ac_tool_prefix"; then
+  for ac_prog in g++ c++ gpp aCC CC cxx cc++ cl.exe FCC KCC RCC xlC_r xlC
+  do
+    # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args.
+set dummy $ac_tool_prefix$ac_prog; ac_word=$2
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+if test "${ac_cv_prog_CXX+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  if test -n "$CXX"; then
+  ac_cv_prog_CXX="$CXX" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+  for ac_exec_ext in '' $ac_executable_extensions; do
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+    ac_cv_prog_CXX="$ac_tool_prefix$ac_prog"
+    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+done
+IFS=$as_save_IFS
+
+fi
+fi
+CXX=$ac_cv_prog_CXX
+if test -n "$CXX"; then
+  { echo "$as_me:$LINENO: result: $CXX" >&5
+echo "${ECHO_T}$CXX" >&6; }
+else
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
+
+
+    test -n "$CXX" && break
+  done
+fi
+if test -z "$CXX"; then
+  ac_ct_CXX=$CXX
+  for ac_prog in g++ c++ gpp aCC CC cxx cc++ cl.exe FCC KCC RCC xlC_r xlC
+do
+  # Extract the first word of "$ac_prog", so it can be a program name with args.
+set dummy $ac_prog; ac_word=$2
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+if test "${ac_cv_prog_ac_ct_CXX+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  if test -n "$ac_ct_CXX"; then
+  ac_cv_prog_ac_ct_CXX="$ac_ct_CXX" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+  for ac_exec_ext in '' $ac_executable_extensions; do
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+    ac_cv_prog_ac_ct_CXX="$ac_prog"
+    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+done
+IFS=$as_save_IFS
+
+fi
+fi
+ac_ct_CXX=$ac_cv_prog_ac_ct_CXX
+if test -n "$ac_ct_CXX"; then
+  { echo "$as_me:$LINENO: result: $ac_ct_CXX" >&5
+echo "${ECHO_T}$ac_ct_CXX" >&6; }
+else
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
+
+
+  test -n "$ac_ct_CXX" && break
+done
+
+  if test "x$ac_ct_CXX" = x; then
+    CXX="g++"
+  else
+    case $cross_compiling:$ac_tool_warned in
+yes:)
+{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
+whose name does not start with the host triplet.  If you think this
+configuration is useful to you, please write to autoconf@gnu.org." >&5
+echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
+whose name does not start with the host triplet.  If you think this
+configuration is useful to you, please write to autoconf@gnu.org." >&2;}
+ac_tool_warned=yes ;;
+esac
+    CXX=$ac_ct_CXX
+  fi
+fi
+
+  fi
+fi
+# Provide some information about the compiler.
+echo "$as_me:$LINENO: checking for C++ compiler version" >&5
+ac_compiler=`set X $ac_compile; echo $2`
+{ (ac_try="$ac_compiler --version >&5"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compiler --version >&5") 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }
+{ (ac_try="$ac_compiler -v >&5"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compiler -v >&5") 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }
+{ (ac_try="$ac_compiler -V >&5"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compiler -V >&5") 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }
+
+{ echo "$as_me:$LINENO: checking whether we are using the GNU C++ compiler" >&5
+echo $ECHO_N "checking whether we are using the GNU C++ compiler... $ECHO_C" >&6; }
+if test "${ac_cv_cxx_compiler_gnu+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+
+int
+main ()
+{
+#ifndef __GNUC__
+       choke me
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_cxx_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  ac_compiler_gnu=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	ac_compiler_gnu=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+ac_cv_cxx_compiler_gnu=$ac_compiler_gnu
+
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_cxx_compiler_gnu" >&5
+echo "${ECHO_T}$ac_cv_cxx_compiler_gnu" >&6; }
+GXX=`test $ac_compiler_gnu = yes && echo yes`
+ac_test_CXXFLAGS=${CXXFLAGS+set}
+ac_save_CXXFLAGS=$CXXFLAGS
+{ echo "$as_me:$LINENO: checking whether $CXX accepts -g" >&5
+echo $ECHO_N "checking whether $CXX accepts -g... $ECHO_C" >&6; }
+if test "${ac_cv_prog_cxx_g+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_save_cxx_werror_flag=$ac_cxx_werror_flag
+   ac_cxx_werror_flag=yes
+   ac_cv_prog_cxx_g=no
+   CXXFLAGS="-g"
+   cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_cxx_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  ac_cv_prog_cxx_g=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	CXXFLAGS=""
+      cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_cxx_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  :
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	ac_cxx_werror_flag=$ac_save_cxx_werror_flag
+	 CXXFLAGS="-g"
+	 cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_cxx_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  ac_cv_prog_cxx_g=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+   ac_cxx_werror_flag=$ac_save_cxx_werror_flag
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_prog_cxx_g" >&5
+echo "${ECHO_T}$ac_cv_prog_cxx_g" >&6; }
+if test "$ac_test_CXXFLAGS" = set; then
+  CXXFLAGS=$ac_save_CXXFLAGS
+elif test $ac_cv_prog_cxx_g = yes; then
+  if test "$GXX" = yes; then
+    CXXFLAGS="-g -O2"
+  else
+    CXXFLAGS="-g"
+  fi
+else
+  if test "$GXX" = yes; then
+    CXXFLAGS="-O2"
+  else
+    CXXFLAGS=
+  fi
+fi
+ac_ext=cpp
+ac_cpp='$CXXCPP $CPPFLAGS'
+ac_compile='$CXX -c $CXXFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CXX -o conftest$ac_exeext $CXXFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_cxx_compiler_gnu
+
+depcc="$CXX"  am_compiler_list=
+
+{ echo "$as_me:$LINENO: checking dependency style of $depcc" >&5
+echo $ECHO_N "checking dependency style of $depcc... $ECHO_C" >&6; }
+if test "${am_cv_CXX_dependencies_compiler_type+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  if test -z "$AMDEP_TRUE" && test -f "$am_depcomp"; then
+  # We make a subdir and do the tests there.  Otherwise we can end up
+  # making bogus files that we don't know about and never remove.  For
+  # instance it was reported that on HP-UX the gcc test will end up
+  # making a dummy file named `D' -- because `-MD' means `put the output
+  # in D'.
+  mkdir conftest.dir
+  # Copy depcomp to subdir because otherwise we won't find it if we're
+  # using a relative directory.
+  cp "$am_depcomp" conftest.dir
+  cd conftest.dir
+  # We will build objects and dependencies in a subdirectory because
+  # it helps to detect inapplicable dependency modes.  For instance
+  # both Tru64's cc and ICC support -MD to output dependencies as a
+  # side effect of compilation, but ICC will put the dependencies in
+  # the current directory while Tru64 will put them in the object
+  # directory.
+  mkdir sub
+
+  am_cv_CXX_dependencies_compiler_type=none
+  if test "$am_compiler_list" = ""; then
+     am_compiler_list=`sed -n 's/^#*\([a-zA-Z0-9]*\))$/\1/p' < ./depcomp`
+  fi
+  for depmode in $am_compiler_list; do
+    # Setup a source with many dependencies, because some compilers
+    # like to wrap large dependency lists on column 80 (with \), and
+    # we should not choose a depcomp mode which is confused by this.
+    #
+    # We need to recreate these files for each test, as the compiler may
+    # overwrite some of them when testing with obscure command lines.
+    # This happens at least with the AIX C compiler.
+    : > sub/conftest.c
+    for i in 1 2 3 4 5 6; do
+      echo '#include "conftst'$i'.h"' >> sub/conftest.c
+      # Using `: > sub/conftst$i.h' creates only sub/conftst1.h with
+      # Solaris 8's {/usr,}/bin/sh.
+      touch sub/conftst$i.h
+    done
+    echo "${am__include} ${am__quote}sub/conftest.Po${am__quote}" > confmf
+
+    case $depmode in
+    nosideeffect)
+      # after this tag, mechanisms are not by side-effect, so they'll
+      # only be used when explicitly requested
+      if test "x$enable_dependency_tracking" = xyes; then
+	continue
+      else
+	break
+      fi
+      ;;
+    none) break ;;
+    esac
+    # We check with `-c' and `-o' for the sake of the "dashmstdout"
+    # mode.  It turns out that the SunPro C++ compiler does not properly
+    # handle `-M -o', and we need to detect this.
+    if depmode=$depmode \
+       source=sub/conftest.c object=sub/conftest.${OBJEXT-o} \
+       depfile=sub/conftest.Po tmpdepfile=sub/conftest.TPo \
+       $SHELL ./depcomp $depcc -c -o sub/conftest.${OBJEXT-o} sub/conftest.c \
+         >/dev/null 2>conftest.err &&
+       grep sub/conftst1.h sub/conftest.Po > /dev/null 2>&1 &&
+       grep sub/conftst6.h sub/conftest.Po > /dev/null 2>&1 &&
+       grep sub/conftest.${OBJEXT-o} sub/conftest.Po > /dev/null 2>&1 &&
+       ${MAKE-make} -s -f confmf > /dev/null 2>&1; then
+      # icc doesn't choke on unknown options, it will just issue warnings
+      # or remarks (even with -Werror).  So we grep stderr for any message
+      # that says an option was ignored or not supported.
+      # When given -MP, icc 7.0 and 7.1 complain thusly:
+      #   icc: Command line warning: ignoring option '-M'; no argument required
+      # The diagnosis changed in icc 8.0:
+      #   icc: Command line remark: option '-MP' not supported
+      if (grep 'ignoring option' conftest.err ||
+          grep 'not supported' conftest.err) >/dev/null 2>&1; then :; else
+        am_cv_CXX_dependencies_compiler_type=$depmode
+        break
+      fi
+    fi
+  done
+
+  cd ..
+  rm -rf conftest.dir
+else
+  am_cv_CXX_dependencies_compiler_type=none
+fi
+
+fi
+{ echo "$as_me:$LINENO: result: $am_cv_CXX_dependencies_compiler_type" >&5
+echo "${ECHO_T}$am_cv_CXX_dependencies_compiler_type" >&6; }
+CXXDEPMODE=depmode=$am_cv_CXX_dependencies_compiler_type
+
+ if
+  test "x$enable_dependency_tracking" != xno \
+  && test "$am_cv_CXX_dependencies_compiler_type" = gcc3; then
+  am__fastdepCXX_TRUE=
+  am__fastdepCXX_FALSE='#'
+else
+  am__fastdepCXX_TRUE='#'
+  am__fastdepCXX_FALSE=
+fi
+
+
+
+
+if test -n "$CXX" && ( test "X$CXX" != "Xno" &&
+    ( (test "X$CXX" = "Xg++" && `g++ -v >/dev/null 2>&1` ) ||
+    (test "X$CXX" != "Xg++"))) ; then
+  ac_ext=cpp
+ac_cpp='$CXXCPP $CPPFLAGS'
+ac_compile='$CXX -c $CXXFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CXX -o conftest$ac_exeext $CXXFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_cxx_compiler_gnu
+{ echo "$as_me:$LINENO: checking how to run the C++ preprocessor" >&5
+echo $ECHO_N "checking how to run the C++ preprocessor... $ECHO_C" >&6; }
+if test -z "$CXXCPP"; then
+  if test "${ac_cv_prog_CXXCPP+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+      # Double quotes because CXXCPP needs to be expanded
+    for CXXCPP in "$CXX -E" "/lib/cpp"
+    do
+      ac_preproc_ok=false
+for ac_cxx_preproc_warn_flag in '' yes
+do
+  # Use a header file that comes with gcc, so configuring glibc
+  # with a fresh cross-compiler works.
+  # Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+  # <limits.h> exists even on freestanding compilers.
+  # On the NeXT, cc -E runs the code through the compiler's parser,
+  # not just through cpp. "Syntax error" is here to catch this case.
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+		     Syntax error
+_ACEOF
+if { (ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } >/dev/null && {
+	 test -z "$ac_cxx_preproc_warn_flag$ac_cxx_werror_flag" ||
+	 test ! -s conftest.err
+       }; then
+  :
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+  # Broken: fails on valid input.
+continue
+fi
+
+rm -f conftest.err conftest.$ac_ext
+
+  # OK, works on sane cases.  Now check whether nonexistent headers
+  # can be detected and how.
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+#include <ac_nonexistent.h>
+_ACEOF
+if { (ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } >/dev/null && {
+	 test -z "$ac_cxx_preproc_warn_flag$ac_cxx_werror_flag" ||
+	 test ! -s conftest.err
+       }; then
+  # Broken: success on invalid input.
+continue
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+  # Passes both tests.
+ac_preproc_ok=:
+break
+fi
+
+rm -f conftest.err conftest.$ac_ext
+
+done
+# Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped.
+rm -f conftest.err conftest.$ac_ext
+if $ac_preproc_ok; then
+  break
+fi
+
+    done
+    ac_cv_prog_CXXCPP=$CXXCPP
+
+fi
+  CXXCPP=$ac_cv_prog_CXXCPP
+else
+  ac_cv_prog_CXXCPP=$CXXCPP
+fi
+{ echo "$as_me:$LINENO: result: $CXXCPP" >&5
+echo "${ECHO_T}$CXXCPP" >&6; }
+ac_preproc_ok=false
+for ac_cxx_preproc_warn_flag in '' yes
+do
+  # Use a header file that comes with gcc, so configuring glibc
+  # with a fresh cross-compiler works.
+  # Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+  # <limits.h> exists even on freestanding compilers.
+  # On the NeXT, cc -E runs the code through the compiler's parser,
+  # not just through cpp. "Syntax error" is here to catch this case.
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+		     Syntax error
+_ACEOF
+if { (ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } >/dev/null && {
+	 test -z "$ac_cxx_preproc_warn_flag$ac_cxx_werror_flag" ||
+	 test ! -s conftest.err
+       }; then
+  :
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+  # Broken: fails on valid input.
+continue
+fi
+
+rm -f conftest.err conftest.$ac_ext
+
+  # OK, works on sane cases.  Now check whether nonexistent headers
+  # can be detected and how.
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+#include <ac_nonexistent.h>
+_ACEOF
+if { (ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } >/dev/null && {
+	 test -z "$ac_cxx_preproc_warn_flag$ac_cxx_werror_flag" ||
+	 test ! -s conftest.err
+       }; then
+  # Broken: success on invalid input.
+continue
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+  # Passes both tests.
+ac_preproc_ok=:
+break
+fi
+
+rm -f conftest.err conftest.$ac_ext
+
+done
+# Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped.
+rm -f conftest.err conftest.$ac_ext
+if $ac_preproc_ok; then
+  :
+else
+  { { echo "$as_me:$LINENO: error: C++ preprocessor \"$CXXCPP\" fails sanity check
+See \`config.log' for more details." >&5
+echo "$as_me: error: C++ preprocessor \"$CXXCPP\" fails sanity check
+See \`config.log' for more details." >&2;}
+   { (exit 1); exit 1; }; }
+fi
+
+ac_ext=cpp
+ac_cpp='$CXXCPP $CPPFLAGS'
+ac_compile='$CXX -c $CXXFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CXX -o conftest$ac_exeext $CXXFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_cxx_compiler_gnu
+
+fi
+
+
+ac_ext=f
+ac_compile='$F77 -c $FFLAGS conftest.$ac_ext >&5'
+ac_link='$F77 -o conftest$ac_exeext $FFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_f77_compiler_gnu
+if test -n "$ac_tool_prefix"; then
+  for ac_prog in g77 xlf f77 frt pgf77 cf77 fort77 fl32 af77 xlf90 f90 pgf90 pghpf epcf90 gfortran g95 xlf95 f95 fort ifort ifc efc pgf95 lf95 ftn
+  do
+    # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args.
+set dummy $ac_tool_prefix$ac_prog; ac_word=$2
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+if test "${ac_cv_prog_F77+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  if test -n "$F77"; then
+  ac_cv_prog_F77="$F77" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+  for ac_exec_ext in '' $ac_executable_extensions; do
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+    ac_cv_prog_F77="$ac_tool_prefix$ac_prog"
+    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+done
+IFS=$as_save_IFS
+
+fi
+fi
+F77=$ac_cv_prog_F77
+if test -n "$F77"; then
+  { echo "$as_me:$LINENO: result: $F77" >&5
+echo "${ECHO_T}$F77" >&6; }
+else
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
+
+
+    test -n "$F77" && break
+  done
+fi
+if test -z "$F77"; then
+  ac_ct_F77=$F77
+  for ac_prog in g77 xlf f77 frt pgf77 cf77 fort77 fl32 af77 xlf90 f90 pgf90 pghpf epcf90 gfortran g95 xlf95 f95 fort ifort ifc efc pgf95 lf95 ftn
+do
+  # Extract the first word of "$ac_prog", so it can be a program name with args.
+set dummy $ac_prog; ac_word=$2
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+if test "${ac_cv_prog_ac_ct_F77+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  if test -n "$ac_ct_F77"; then
+  ac_cv_prog_ac_ct_F77="$ac_ct_F77" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+  for ac_exec_ext in '' $ac_executable_extensions; do
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+    ac_cv_prog_ac_ct_F77="$ac_prog"
+    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+done
+IFS=$as_save_IFS
+
+fi
+fi
+ac_ct_F77=$ac_cv_prog_ac_ct_F77
+if test -n "$ac_ct_F77"; then
+  { echo "$as_me:$LINENO: result: $ac_ct_F77" >&5
+echo "${ECHO_T}$ac_ct_F77" >&6; }
+else
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
+
+
+  test -n "$ac_ct_F77" && break
+done
+
+  if test "x$ac_ct_F77" = x; then
+    F77=""
+  else
+    case $cross_compiling:$ac_tool_warned in
+yes:)
+{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
+whose name does not start with the host triplet.  If you think this
+configuration is useful to you, please write to autoconf@gnu.org." >&5
+echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
+whose name does not start with the host triplet.  If you think this
+configuration is useful to you, please write to autoconf@gnu.org." >&2;}
+ac_tool_warned=yes ;;
+esac
+    F77=$ac_ct_F77
+  fi
+fi
+
+
+# Provide some information about the compiler.
+echo "$as_me:$LINENO: checking for Fortran 77 compiler version" >&5
+ac_compiler=`set X $ac_compile; echo $2`
+{ (ac_try="$ac_compiler --version >&5"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compiler --version >&5") 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }
+{ (ac_try="$ac_compiler -v >&5"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compiler -v >&5") 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }
+{ (ac_try="$ac_compiler -V >&5"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compiler -V >&5") 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }
+rm -f a.out
+
+# If we don't use `.F' as extension, the preprocessor is not run on the
+# input file.  (Note that this only needs to work for GNU compilers.)
+ac_save_ext=$ac_ext
+ac_ext=F
+{ echo "$as_me:$LINENO: checking whether we are using the GNU Fortran 77 compiler" >&5
+echo $ECHO_N "checking whether we are using the GNU Fortran 77 compiler... $ECHO_C" >&6; }
+if test "${ac_cv_f77_compiler_gnu+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+      program main
+#ifndef __GNUC__
+       choke me
+#endif
+
+      end
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_f77_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  ac_compiler_gnu=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	ac_compiler_gnu=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+ac_cv_f77_compiler_gnu=$ac_compiler_gnu
+
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_f77_compiler_gnu" >&5
+echo "${ECHO_T}$ac_cv_f77_compiler_gnu" >&6; }
+ac_ext=$ac_save_ext
+ac_test_FFLAGS=${FFLAGS+set}
+ac_save_FFLAGS=$FFLAGS
+FFLAGS=
+{ echo "$as_me:$LINENO: checking whether $F77 accepts -g" >&5
+echo $ECHO_N "checking whether $F77 accepts -g... $ECHO_C" >&6; }
+if test "${ac_cv_prog_f77_g+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  FFLAGS=-g
+cat >conftest.$ac_ext <<_ACEOF
+      program main
+
+      end
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_f77_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  ac_cv_prog_f77_g=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	ac_cv_prog_f77_g=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_prog_f77_g" >&5
+echo "${ECHO_T}$ac_cv_prog_f77_g" >&6; }
+if test "$ac_test_FFLAGS" = set; then
+  FFLAGS=$ac_save_FFLAGS
+elif test $ac_cv_prog_f77_g = yes; then
+  if test "x$ac_cv_f77_compiler_gnu" = xyes; then
+    FFLAGS="-g -O2"
+  else
+    FFLAGS="-g"
+  fi
+else
+  if test "x$ac_cv_f77_compiler_gnu" = xyes; then
+    FFLAGS="-O2"
+  else
+    FFLAGS=
+  fi
+fi
+
+G77=`test $ac_compiler_gnu = yes && echo yes`
+ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+
+
+
+# Autoconf 2.13's AC_OBJEXT and AC_EXEEXT macros only works for C compilers!
+# find the maximum length of command line arguments
+{ echo "$as_me:$LINENO: checking the maximum length of command line arguments" >&5
+echo $ECHO_N "checking the maximum length of command line arguments... $ECHO_C" >&6; }
+if test "${lt_cv_sys_max_cmd_len+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+    i=0
+  teststring="ABCD"
+
+  case $build_os in
+  msdosdjgpp*)
+    # On DJGPP, this test can blow up pretty badly due to problems in libc
+    # (any single argument exceeding 2000 bytes causes a buffer overrun
+    # during glob expansion).  Even if it were fixed, the result of this
+    # check would be larger than it should be.
+    lt_cv_sys_max_cmd_len=12288;    # 12K is about right
+    ;;
+
+  gnu*)
+    # Under GNU Hurd, this test is not required because there is
+    # no limit to the length of command line arguments.
+    # Libtool will interpret -1 as no limit whatsoever
+    lt_cv_sys_max_cmd_len=-1;
+    ;;
+
+  cygwin* | mingw*)
+    # On Win9x/ME, this test blows up -- it succeeds, but takes
+    # about 5 minutes as the teststring grows exponentially.
+    # Worse, since 9x/ME are not pre-emptively multitasking,
+    # you end up with a "frozen" computer, even though with patience
+    # the test eventually succeeds (with a max line length of 256k).
+    # Instead, let's just punt: use the minimum linelength reported by
+    # all of the supported platforms: 8192 (on NT/2K/XP).
+    lt_cv_sys_max_cmd_len=8192;
+    ;;
+
+  amigaos*)
+    # On AmigaOS with pdksh, this test takes hours, literally.
+    # So we just punt and use a minimum line length of 8192.
+    lt_cv_sys_max_cmd_len=8192;
+    ;;
+
+  netbsd* | freebsd* | openbsd* | darwin* | dragonfly*)
+    # This has been around since 386BSD, at least.  Likely further.
+    if test -x /sbin/sysctl; then
+      lt_cv_sys_max_cmd_len=`/sbin/sysctl -n kern.argmax`
+    elif test -x /usr/sbin/sysctl; then
+      lt_cv_sys_max_cmd_len=`/usr/sbin/sysctl -n kern.argmax`
+    else
+      lt_cv_sys_max_cmd_len=65536	# usable default for all BSDs
+    fi
+    # And add a safety zone
+    lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 4`
+    lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \* 3`
+    ;;
+
+  interix*)
+    # We know the value 262144 and hardcode it with a safety zone (like BSD)
+    lt_cv_sys_max_cmd_len=196608
+    ;;
+
+  osf*)
+    # Dr. Hans Ekkehard Plesser reports seeing a kernel panic running configure
+    # due to this test when exec_disable_arg_limit is 1 on Tru64. It is not
+    # nice to cause kernel panics so lets avoid the loop below.
+    # First set a reasonable default.
+    lt_cv_sys_max_cmd_len=16384
+    #
+    if test -x /sbin/sysconfig; then
+      case `/sbin/sysconfig -q proc exec_disable_arg_limit` in
+        *1*) lt_cv_sys_max_cmd_len=-1 ;;
+      esac
+    fi
+    ;;
+  sco3.2v5*)
+    lt_cv_sys_max_cmd_len=102400
+    ;;
+  sysv5* | sco5v6* | sysv4.2uw2*)
+    kargmax=`grep ARG_MAX /etc/conf/cf.d/stune 2>/dev/null`
+    if test -n "$kargmax"; then
+      lt_cv_sys_max_cmd_len=`echo $kargmax | sed 's/.*[ 	]//'`
+    else
+      lt_cv_sys_max_cmd_len=32768
+    fi
+    ;;
+  *)
+    lt_cv_sys_max_cmd_len=`(getconf ARG_MAX) 2> /dev/null`
+    if test -n "$lt_cv_sys_max_cmd_len"; then
+      lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 4`
+      lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \* 3`
+    else
+      SHELL=${SHELL-${CONFIG_SHELL-/bin/sh}}
+      while (test "X"`$SHELL $0 --fallback-echo "X$teststring" 2>/dev/null` \
+	       = "XX$teststring") >/dev/null 2>&1 &&
+	      new_result=`expr "X$teststring" : ".*" 2>&1` &&
+	      lt_cv_sys_max_cmd_len=$new_result &&
+	      test $i != 17 # 1/2 MB should be enough
+      do
+        i=`expr $i + 1`
+        teststring=$teststring$teststring
+      done
+      teststring=
+      # Add a significant safety factor because C++ compilers can tack on massive
+      # amounts of additional arguments before passing them to the linker.
+      # It appears as though 1/2 is a usable value.
+      lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 2`
+    fi
+    ;;
+  esac
+
+fi
+
+if test -n $lt_cv_sys_max_cmd_len ; then
+  { echo "$as_me:$LINENO: result: $lt_cv_sys_max_cmd_len" >&5
+echo "${ECHO_T}$lt_cv_sys_max_cmd_len" >&6; }
+else
+  { echo "$as_me:$LINENO: result: none" >&5
+echo "${ECHO_T}none" >&6; }
+fi
+
+
+
+
+
+# Check for command to grab the raw symbol name followed by C symbol from nm.
+{ echo "$as_me:$LINENO: checking command to parse $NM output from $compiler object" >&5
+echo $ECHO_N "checking command to parse $NM output from $compiler object... $ECHO_C" >&6; }
+if test "${lt_cv_sys_global_symbol_pipe+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+# These are sane defaults that work on at least a few old systems.
+# [They come from Ultrix.  What could be older than Ultrix?!! ;)]
+
+# Character class describing NM global symbol codes.
+symcode='[BCDEGRST]'
+
+# Regexp to match symbols that can be accessed directly from C.
+sympat='\([_A-Za-z][_A-Za-z0-9]*\)'
+
+# Transform an extracted symbol line into a proper C declaration
+lt_cv_sys_global_symbol_to_cdecl="sed -n -e 's/^. .* \(.*\)$/extern int \1;/p'"
+
+# Transform an extracted symbol line into symbol name and symbol address
+lt_cv_sys_global_symbol_to_c_name_address="sed -n -e 's/^: \([^ ]*\) $/  {\\\"\1\\\", (lt_ptr) 0},/p' -e 's/^$symcode \([^ ]*\) \([^ ]*\)$/  {\"\2\", (lt_ptr) \&\2},/p'"
+
+# Define system-specific variables.
+case $host_os in
+aix*)
+  symcode='[BCDT]'
+  ;;
+cygwin* | mingw* | pw32*)
+  symcode='[ABCDGISTW]'
+  ;;
+hpux*) # Its linker distinguishes data from code symbols
+  if test "$host_cpu" = ia64; then
+    symcode='[ABCDEGRST]'
+  fi
+  lt_cv_sys_global_symbol_to_cdecl="sed -n -e 's/^T .* \(.*\)$/extern int \1();/p' -e 's/^$symcode* .* \(.*\)$/extern char \1;/p'"
+  lt_cv_sys_global_symbol_to_c_name_address="sed -n -e 's/^: \([^ ]*\) $/  {\\\"\1\\\", (lt_ptr) 0},/p' -e 's/^$symcode* \([^ ]*\) \([^ ]*\)$/  {\"\2\", (lt_ptr) \&\2},/p'"
+  ;;
+linux* | k*bsd*-gnu)
+  if test "$host_cpu" = ia64; then
+    symcode='[ABCDGIRSTW]'
+    lt_cv_sys_global_symbol_to_cdecl="sed -n -e 's/^T .* \(.*\)$/extern int \1();/p' -e 's/^$symcode* .* \(.*\)$/extern char \1;/p'"
+    lt_cv_sys_global_symbol_to_c_name_address="sed -n -e 's/^: \([^ ]*\) $/  {\\\"\1\\\", (lt_ptr) 0},/p' -e 's/^$symcode* \([^ ]*\) \([^ ]*\)$/  {\"\2\", (lt_ptr) \&\2},/p'"
+  fi
+  ;;
+irix* | nonstopux*)
+  symcode='[BCDEGRST]'
+  ;;
+osf*)
+  symcode='[BCDEGQRST]'
+  ;;
+solaris*)
+  symcode='[BDRT]'
+  ;;
+sco3.2v5*)
+  symcode='[DT]'
+  ;;
+sysv4.2uw2*)
+  symcode='[DT]'
+  ;;
+sysv5* | sco5v6* | unixware* | OpenUNIX*)
+  symcode='[ABDT]'
+  ;;
+sysv4)
+  symcode='[DFNSTU]'
+  ;;
+esac
+
+# Handle CRLF in mingw tool chain
+opt_cr=
+case $build_os in
+mingw*)
+  opt_cr=`echo 'x\{0,1\}' | tr x '\015'` # option cr in regexp
+  ;;
+esac
+
+# If we're using GNU nm, then use its standard symbol codes.
+case `$NM -V 2>&1` in
+*GNU* | *'with BFD'*)
+  symcode='[ABCDGIRSTW]' ;;
+esac
+
+# Try without a prefix undercore, then with it.
+for ac_symprfx in "" "_"; do
+
+  # Transform symcode, sympat, and symprfx into a raw symbol and a C symbol.
+  symxfrm="\\1 $ac_symprfx\\2 \\2"
+
+  # Write the raw and C identifiers.
+  lt_cv_sys_global_symbol_pipe="sed -n -e 's/^.*[ 	]\($symcode$symcode*\)[ 	][ 	]*$ac_symprfx$sympat$opt_cr$/$symxfrm/p'"
+
+  # Check to see that the pipe works correctly.
+  pipe_works=no
+
+  rm -f conftest*
+  cat > conftest.$ac_ext <<EOF
+#ifdef __cplusplus
+extern "C" {
+#endif
+char nm_test_var;
+void nm_test_func(){}
+#ifdef __cplusplus
+}
+#endif
+int main(){nm_test_var='a';nm_test_func();return(0);}
+EOF
+
+  if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+    # Now try to grab the symbols.
+    nlist=conftest.nm
+    if { (eval echo "$as_me:$LINENO: \"$NM conftest.$ac_objext \| $lt_cv_sys_global_symbol_pipe \> $nlist\"") >&5
+  (eval $NM conftest.$ac_objext \| $lt_cv_sys_global_symbol_pipe \> $nlist) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && test -s "$nlist"; then
+      # Try sorting and uniquifying the output.
+      if sort "$nlist" | uniq > "$nlist"T; then
+	mv -f "$nlist"T "$nlist"
+      else
+	rm -f "$nlist"T
+      fi
+
+      # Make sure that we snagged all the symbols we need.
+      if grep ' nm_test_var$' "$nlist" >/dev/null; then
+	if grep ' nm_test_func$' "$nlist" >/dev/null; then
+	  cat <<EOF > conftest.$ac_ext
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+EOF
+	  # Now generate the symbol file.
+	  eval "$lt_cv_sys_global_symbol_to_cdecl"' < "$nlist" | grep -v main >> conftest.$ac_ext'
+
+	  cat <<EOF >> conftest.$ac_ext
+#if defined (__STDC__) && __STDC__
+# define lt_ptr_t void *
+#else
+# define lt_ptr_t char *
+# define const
+#endif
+
+/* The mapping between symbol names and symbols. */
+const struct {
+  const char *name;
+  lt_ptr_t address;
+}
+lt_preloaded_symbols[] =
+{
+EOF
+	  $SED "s/^$symcode$symcode* \(.*\) \(.*\)$/  {\"\2\", (lt_ptr_t) \&\2},/" < "$nlist" | grep -v main >> conftest.$ac_ext
+	  cat <<\EOF >> conftest.$ac_ext
+  {0, (lt_ptr_t) 0}
+};
+
+#ifdef __cplusplus
+}
+#endif
+EOF
+	  # Now try linking the two files.
+	  mv conftest.$ac_objext conftstm.$ac_objext
+	  lt_save_LIBS="$LIBS"
+	  lt_save_CFLAGS="$CFLAGS"
+	  LIBS="conftstm.$ac_objext"
+	  CFLAGS="$CFLAGS$lt_prog_compiler_no_builtin_flag"
+	  if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && test -s conftest${ac_exeext}; then
+	    pipe_works=yes
+	  fi
+	  LIBS="$lt_save_LIBS"
+	  CFLAGS="$lt_save_CFLAGS"
+	else
+	  echo "cannot find nm_test_func in $nlist" >&5
+	fi
+      else
+	echo "cannot find nm_test_var in $nlist" >&5
+      fi
+    else
+      echo "cannot run $lt_cv_sys_global_symbol_pipe" >&5
+    fi
+  else
+    echo "$progname: failed program was:" >&5
+    cat conftest.$ac_ext >&5
+  fi
+  rm -rf conftest* conftst*
+
+  # Do not use the global_symbol_pipe unless it works.
+  if test "$pipe_works" = yes; then
+    break
+  else
+    lt_cv_sys_global_symbol_pipe=
+  fi
+done
+
+fi
+
+if test -z "$lt_cv_sys_global_symbol_pipe"; then
+  lt_cv_sys_global_symbol_to_cdecl=
+fi
+if test -z "$lt_cv_sys_global_symbol_pipe$lt_cv_sys_global_symbol_to_cdecl"; then
+  { echo "$as_me:$LINENO: result: failed" >&5
+echo "${ECHO_T}failed" >&6; }
+else
+  { echo "$as_me:$LINENO: result: ok" >&5
+echo "${ECHO_T}ok" >&6; }
+fi
+
+{ echo "$as_me:$LINENO: checking for objdir" >&5
+echo $ECHO_N "checking for objdir... $ECHO_C" >&6; }
+if test "${lt_cv_objdir+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  rm -f .libs 2>/dev/null
+mkdir .libs 2>/dev/null
+if test -d .libs; then
+  lt_cv_objdir=.libs
+else
+  # MS-DOS does not allow filenames that begin with a dot.
+  lt_cv_objdir=_libs
+fi
+rmdir .libs 2>/dev/null
+fi
+{ echo "$as_me:$LINENO: result: $lt_cv_objdir" >&5
+echo "${ECHO_T}$lt_cv_objdir" >&6; }
+objdir=$lt_cv_objdir
+
+
+
+
+
+case $host_os in
+aix3*)
+  # AIX sometimes has problems with the GCC collect2 program.  For some
+  # reason, if we set the COLLECT_NAMES environment variable, the problems
+  # vanish in a puff of smoke.
+  if test "X${COLLECT_NAMES+set}" != Xset; then
+    COLLECT_NAMES=
+    export COLLECT_NAMES
+  fi
+  ;;
+esac
+
+# Sed substitution that helps us do robust quoting.  It backslashifies
+# metacharacters that are still active within double-quoted strings.
+Xsed='sed -e 1s/^X//'
+sed_quote_subst='s/\([\\"\\`$\\\\]\)/\\\1/g'
+
+# Same as above, but do not quote variable references.
+double_quote_subst='s/\([\\"\\`\\\\]\)/\\\1/g'
+
+# Sed substitution to delay expansion of an escaped shell variable in a
+# double_quote_subst'ed string.
+delay_variable_subst='s/\\\\\\\\\\\$/\\\\\\$/g'
+
+# Sed substitution to avoid accidental globbing in evaled expressions
+no_glob_subst='s/\*/\\\*/g'
+
+# Constants:
+rm="rm -f"
+
+# Global variables:
+default_ofile=libtool
+can_build_shared=yes
+
+# All known linkers require a `.a' archive for static linking (except MSVC,
+# which needs '.lib').
+libext=a
+ltmain="$ac_aux_dir/ltmain.sh"
+ofile="$default_ofile"
+with_gnu_ld="$lt_cv_prog_gnu_ld"
+
+if test -n "$ac_tool_prefix"; then
+  # Extract the first word of "${ac_tool_prefix}ar", so it can be a program name with args.
+set dummy ${ac_tool_prefix}ar; ac_word=$2
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+if test "${ac_cv_prog_AR+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  if test -n "$AR"; then
+  ac_cv_prog_AR="$AR" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+  for ac_exec_ext in '' $ac_executable_extensions; do
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+    ac_cv_prog_AR="${ac_tool_prefix}ar"
+    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+done
+IFS=$as_save_IFS
+
+fi
+fi
+AR=$ac_cv_prog_AR
+if test -n "$AR"; then
+  { echo "$as_me:$LINENO: result: $AR" >&5
+echo "${ECHO_T}$AR" >&6; }
+else
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
+
+
+fi
+if test -z "$ac_cv_prog_AR"; then
+  ac_ct_AR=$AR
+  # Extract the first word of "ar", so it can be a program name with args.
+set dummy ar; ac_word=$2
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+if test "${ac_cv_prog_ac_ct_AR+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  if test -n "$ac_ct_AR"; then
+  ac_cv_prog_ac_ct_AR="$ac_ct_AR" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+  for ac_exec_ext in '' $ac_executable_extensions; do
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+    ac_cv_prog_ac_ct_AR="ar"
+    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+done
+IFS=$as_save_IFS
+
+fi
+fi
+ac_ct_AR=$ac_cv_prog_ac_ct_AR
+if test -n "$ac_ct_AR"; then
+  { echo "$as_me:$LINENO: result: $ac_ct_AR" >&5
+echo "${ECHO_T}$ac_ct_AR" >&6; }
+else
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
+
+  if test "x$ac_ct_AR" = x; then
+    AR="false"
+  else
+    case $cross_compiling:$ac_tool_warned in
+yes:)
+{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
+whose name does not start with the host triplet.  If you think this
+configuration is useful to you, please write to autoconf@gnu.org." >&5
+echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
+whose name does not start with the host triplet.  If you think this
+configuration is useful to you, please write to autoconf@gnu.org." >&2;}
+ac_tool_warned=yes ;;
+esac
+    AR=$ac_ct_AR
+  fi
+else
+  AR="$ac_cv_prog_AR"
+fi
+
+if test -n "$ac_tool_prefix"; then
+  # Extract the first word of "${ac_tool_prefix}ranlib", so it can be a program name with args.
+set dummy ${ac_tool_prefix}ranlib; ac_word=$2
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+if test "${ac_cv_prog_RANLIB+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  if test -n "$RANLIB"; then
+  ac_cv_prog_RANLIB="$RANLIB" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+  for ac_exec_ext in '' $ac_executable_extensions; do
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+    ac_cv_prog_RANLIB="${ac_tool_prefix}ranlib"
+    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+done
+IFS=$as_save_IFS
+
+fi
+fi
+RANLIB=$ac_cv_prog_RANLIB
+if test -n "$RANLIB"; then
+  { echo "$as_me:$LINENO: result: $RANLIB" >&5
+echo "${ECHO_T}$RANLIB" >&6; }
+else
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
+
+
+fi
+if test -z "$ac_cv_prog_RANLIB"; then
+  ac_ct_RANLIB=$RANLIB
+  # Extract the first word of "ranlib", so it can be a program name with args.
+set dummy ranlib; ac_word=$2
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+if test "${ac_cv_prog_ac_ct_RANLIB+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  if test -n "$ac_ct_RANLIB"; then
+  ac_cv_prog_ac_ct_RANLIB="$ac_ct_RANLIB" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+  for ac_exec_ext in '' $ac_executable_extensions; do
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+    ac_cv_prog_ac_ct_RANLIB="ranlib"
+    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+done
+IFS=$as_save_IFS
+
+fi
+fi
+ac_ct_RANLIB=$ac_cv_prog_ac_ct_RANLIB
+if test -n "$ac_ct_RANLIB"; then
+  { echo "$as_me:$LINENO: result: $ac_ct_RANLIB" >&5
+echo "${ECHO_T}$ac_ct_RANLIB" >&6; }
+else
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
+
+  if test "x$ac_ct_RANLIB" = x; then
+    RANLIB=":"
+  else
+    case $cross_compiling:$ac_tool_warned in
+yes:)
+{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
+whose name does not start with the host triplet.  If you think this
+configuration is useful to you, please write to autoconf@gnu.org." >&5
+echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
+whose name does not start with the host triplet.  If you think this
+configuration is useful to you, please write to autoconf@gnu.org." >&2;}
+ac_tool_warned=yes ;;
+esac
+    RANLIB=$ac_ct_RANLIB
+  fi
+else
+  RANLIB="$ac_cv_prog_RANLIB"
+fi
+
+if test -n "$ac_tool_prefix"; then
+  # Extract the first word of "${ac_tool_prefix}strip", so it can be a program name with args.
+set dummy ${ac_tool_prefix}strip; ac_word=$2
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+if test "${ac_cv_prog_STRIP+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  if test -n "$STRIP"; then
+  ac_cv_prog_STRIP="$STRIP" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+  for ac_exec_ext in '' $ac_executable_extensions; do
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+    ac_cv_prog_STRIP="${ac_tool_prefix}strip"
+    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+done
+IFS=$as_save_IFS
+
+fi
+fi
+STRIP=$ac_cv_prog_STRIP
+if test -n "$STRIP"; then
+  { echo "$as_me:$LINENO: result: $STRIP" >&5
+echo "${ECHO_T}$STRIP" >&6; }
+else
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
+
+
+fi
+if test -z "$ac_cv_prog_STRIP"; then
+  ac_ct_STRIP=$STRIP
+  # Extract the first word of "strip", so it can be a program name with args.
+set dummy strip; ac_word=$2
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+if test "${ac_cv_prog_ac_ct_STRIP+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  if test -n "$ac_ct_STRIP"; then
+  ac_cv_prog_ac_ct_STRIP="$ac_ct_STRIP" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+  for ac_exec_ext in '' $ac_executable_extensions; do
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+    ac_cv_prog_ac_ct_STRIP="strip"
+    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+done
+IFS=$as_save_IFS
+
+fi
+fi
+ac_ct_STRIP=$ac_cv_prog_ac_ct_STRIP
+if test -n "$ac_ct_STRIP"; then
+  { echo "$as_me:$LINENO: result: $ac_ct_STRIP" >&5
+echo "${ECHO_T}$ac_ct_STRIP" >&6; }
+else
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
+
+  if test "x$ac_ct_STRIP" = x; then
+    STRIP=":"
+  else
+    case $cross_compiling:$ac_tool_warned in
+yes:)
+{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
+whose name does not start with the host triplet.  If you think this
+configuration is useful to you, please write to autoconf@gnu.org." >&5
+echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
+whose name does not start with the host triplet.  If you think this
+configuration is useful to you, please write to autoconf@gnu.org." >&2;}
+ac_tool_warned=yes ;;
+esac
+    STRIP=$ac_ct_STRIP
+  fi
+else
+  STRIP="$ac_cv_prog_STRIP"
+fi
+
+
+old_CC="$CC"
+old_CFLAGS="$CFLAGS"
+
+# Set sane defaults for various variables
+test -z "$AR" && AR=ar
+test -z "$AR_FLAGS" && AR_FLAGS=cru
+test -z "$AS" && AS=as
+test -z "$CC" && CC=cc
+test -z "$LTCC" && LTCC=$CC
+test -z "$LTCFLAGS" && LTCFLAGS=$CFLAGS
+test -z "$DLLTOOL" && DLLTOOL=dlltool
+test -z "$LD" && LD=ld
+test -z "$LN_S" && LN_S="ln -s"
+test -z "$MAGIC_CMD" && MAGIC_CMD=file
+test -z "$NM" && NM=nm
+test -z "$SED" && SED=sed
+test -z "$OBJDUMP" && OBJDUMP=objdump
+test -z "$RANLIB" && RANLIB=:
+test -z "$STRIP" && STRIP=:
+test -z "$ac_objext" && ac_objext=o
+
+# Determine commands to create old-style static archives.
+old_archive_cmds='$AR $AR_FLAGS $oldlib$oldobjs'
+old_postinstall_cmds='chmod 644 $oldlib'
+old_postuninstall_cmds=
+
+if test -n "$RANLIB"; then
+  case $host_os in
+  openbsd*)
+    old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB -t \$oldlib"
+    ;;
+  *)
+    old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB \$oldlib"
+    ;;
+  esac
+  old_archive_cmds="$old_archive_cmds~\$RANLIB \$oldlib"
+fi
+
+for cc_temp in $compiler""; do
+  case $cc_temp in
+    compile | *[\\/]compile | ccache | *[\\/]ccache ) ;;
+    distcc | *[\\/]distcc | purify | *[\\/]purify ) ;;
+    \-*) ;;
+    *) break;;
+  esac
+done
+cc_basename=`$echo "X$cc_temp" | $Xsed -e 's%.*/%%' -e "s%^$host_alias-%%"`
+
+
+# Only perform the check for file, if the check method requires it
+case $deplibs_check_method in
+file_magic*)
+  if test "$file_magic_cmd" = '$MAGIC_CMD'; then
+    { echo "$as_me:$LINENO: checking for ${ac_tool_prefix}file" >&5
+echo $ECHO_N "checking for ${ac_tool_prefix}file... $ECHO_C" >&6; }
+if test "${lt_cv_path_MAGIC_CMD+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  case $MAGIC_CMD in
+[\\/*] |  ?:[\\/]*)
+  lt_cv_path_MAGIC_CMD="$MAGIC_CMD" # Let the user override the test with a path.
+  ;;
+*)
+  lt_save_MAGIC_CMD="$MAGIC_CMD"
+  lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR
+  ac_dummy="/usr/bin$PATH_SEPARATOR$PATH"
+  for ac_dir in $ac_dummy; do
+    IFS="$lt_save_ifs"
+    test -z "$ac_dir" && ac_dir=.
+    if test -f $ac_dir/${ac_tool_prefix}file; then
+      lt_cv_path_MAGIC_CMD="$ac_dir/${ac_tool_prefix}file"
+      if test -n "$file_magic_test_file"; then
+	case $deplibs_check_method in
+	"file_magic "*)
+	  file_magic_regex=`expr "$deplibs_check_method" : "file_magic \(.*\)"`
+	  MAGIC_CMD="$lt_cv_path_MAGIC_CMD"
+	  if eval $file_magic_cmd \$file_magic_test_file 2> /dev/null |
+	    $EGREP "$file_magic_regex" > /dev/null; then
+	    :
+	  else
+	    cat <<EOF 1>&2
+
+*** Warning: the command libtool uses to detect shared libraries,
+*** $file_magic_cmd, produces output that libtool cannot recognize.
+*** The result is that libtool may fail to recognize shared libraries
+*** as such.  This will affect the creation of libtool libraries that
+*** depend on shared libraries, but programs linked with such libtool
+*** libraries will work regardless of this problem.  Nevertheless, you
+*** may want to report the problem to your system manager and/or to
+*** bug-libtool@gnu.org
+
+EOF
+	  fi ;;
+	esac
+      fi
+      break
+    fi
+  done
+  IFS="$lt_save_ifs"
+  MAGIC_CMD="$lt_save_MAGIC_CMD"
+  ;;
+esac
+fi
+
+MAGIC_CMD="$lt_cv_path_MAGIC_CMD"
+if test -n "$MAGIC_CMD"; then
+  { echo "$as_me:$LINENO: result: $MAGIC_CMD" >&5
+echo "${ECHO_T}$MAGIC_CMD" >&6; }
+else
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
+
+if test -z "$lt_cv_path_MAGIC_CMD"; then
+  if test -n "$ac_tool_prefix"; then
+    { echo "$as_me:$LINENO: checking for file" >&5
+echo $ECHO_N "checking for file... $ECHO_C" >&6; }
+if test "${lt_cv_path_MAGIC_CMD+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  case $MAGIC_CMD in
+[\\/*] |  ?:[\\/]*)
+  lt_cv_path_MAGIC_CMD="$MAGIC_CMD" # Let the user override the test with a path.
+  ;;
+*)
+  lt_save_MAGIC_CMD="$MAGIC_CMD"
+  lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR
+  ac_dummy="/usr/bin$PATH_SEPARATOR$PATH"
+  for ac_dir in $ac_dummy; do
+    IFS="$lt_save_ifs"
+    test -z "$ac_dir" && ac_dir=.
+    if test -f $ac_dir/file; then
+      lt_cv_path_MAGIC_CMD="$ac_dir/file"
+      if test -n "$file_magic_test_file"; then
+	case $deplibs_check_method in
+	"file_magic "*)
+	  file_magic_regex=`expr "$deplibs_check_method" : "file_magic \(.*\)"`
+	  MAGIC_CMD="$lt_cv_path_MAGIC_CMD"
+	  if eval $file_magic_cmd \$file_magic_test_file 2> /dev/null |
+	    $EGREP "$file_magic_regex" > /dev/null; then
+	    :
+	  else
+	    cat <<EOF 1>&2
+
+*** Warning: the command libtool uses to detect shared libraries,
+*** $file_magic_cmd, produces output that libtool cannot recognize.
+*** The result is that libtool may fail to recognize shared libraries
+*** as such.  This will affect the creation of libtool libraries that
+*** depend on shared libraries, but programs linked with such libtool
+*** libraries will work regardless of this problem.  Nevertheless, you
+*** may want to report the problem to your system manager and/or to
+*** bug-libtool@gnu.org
+
+EOF
+	  fi ;;
+	esac
+      fi
+      break
+    fi
+  done
+  IFS="$lt_save_ifs"
+  MAGIC_CMD="$lt_save_MAGIC_CMD"
+  ;;
+esac
+fi
+
+MAGIC_CMD="$lt_cv_path_MAGIC_CMD"
+if test -n "$MAGIC_CMD"; then
+  { echo "$as_me:$LINENO: result: $MAGIC_CMD" >&5
+echo "${ECHO_T}$MAGIC_CMD" >&6; }
+else
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
+
+  else
+    MAGIC_CMD=:
+  fi
+fi
+
+  fi
+  ;;
+esac
+
+
+  case $host_os in
+    rhapsody* | darwin*)
+    if test -n "$ac_tool_prefix"; then
+  # Extract the first word of "${ac_tool_prefix}dsymutil", so it can be a program name with args.
+set dummy ${ac_tool_prefix}dsymutil; ac_word=$2
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+if test "${ac_cv_prog_DSYMUTIL+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  if test -n "$DSYMUTIL"; then
+  ac_cv_prog_DSYMUTIL="$DSYMUTIL" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+  for ac_exec_ext in '' $ac_executable_extensions; do
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+    ac_cv_prog_DSYMUTIL="${ac_tool_prefix}dsymutil"
+    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+done
+IFS=$as_save_IFS
+
+fi
+fi
+DSYMUTIL=$ac_cv_prog_DSYMUTIL
+if test -n "$DSYMUTIL"; then
+  { echo "$as_me:$LINENO: result: $DSYMUTIL" >&5
+echo "${ECHO_T}$DSYMUTIL" >&6; }
+else
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
+
+
+fi
+if test -z "$ac_cv_prog_DSYMUTIL"; then
+  ac_ct_DSYMUTIL=$DSYMUTIL
+  # Extract the first word of "dsymutil", so it can be a program name with args.
+set dummy dsymutil; ac_word=$2
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+if test "${ac_cv_prog_ac_ct_DSYMUTIL+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  if test -n "$ac_ct_DSYMUTIL"; then
+  ac_cv_prog_ac_ct_DSYMUTIL="$ac_ct_DSYMUTIL" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+  for ac_exec_ext in '' $ac_executable_extensions; do
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+    ac_cv_prog_ac_ct_DSYMUTIL="dsymutil"
+    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+done
+IFS=$as_save_IFS
+
+fi
+fi
+ac_ct_DSYMUTIL=$ac_cv_prog_ac_ct_DSYMUTIL
+if test -n "$ac_ct_DSYMUTIL"; then
+  { echo "$as_me:$LINENO: result: $ac_ct_DSYMUTIL" >&5
+echo "${ECHO_T}$ac_ct_DSYMUTIL" >&6; }
+else
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
+
+  if test "x$ac_ct_DSYMUTIL" = x; then
+    DSYMUTIL=":"
+  else
+    case $cross_compiling:$ac_tool_warned in
+yes:)
+{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
+whose name does not start with the host triplet.  If you think this
+configuration is useful to you, please write to autoconf@gnu.org." >&5
+echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
+whose name does not start with the host triplet.  If you think this
+configuration is useful to you, please write to autoconf@gnu.org." >&2;}
+ac_tool_warned=yes ;;
+esac
+    DSYMUTIL=$ac_ct_DSYMUTIL
+  fi
+else
+  DSYMUTIL="$ac_cv_prog_DSYMUTIL"
+fi
+
+    if test -n "$ac_tool_prefix"; then
+  # Extract the first word of "${ac_tool_prefix}nmedit", so it can be a program name with args.
+set dummy ${ac_tool_prefix}nmedit; ac_word=$2
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+if test "${ac_cv_prog_NMEDIT+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  if test -n "$NMEDIT"; then
+  ac_cv_prog_NMEDIT="$NMEDIT" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+  for ac_exec_ext in '' $ac_executable_extensions; do
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+    ac_cv_prog_NMEDIT="${ac_tool_prefix}nmedit"
+    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+done
+IFS=$as_save_IFS
+
+fi
+fi
+NMEDIT=$ac_cv_prog_NMEDIT
+if test -n "$NMEDIT"; then
+  { echo "$as_me:$LINENO: result: $NMEDIT" >&5
+echo "${ECHO_T}$NMEDIT" >&6; }
+else
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
+
+
+fi
+if test -z "$ac_cv_prog_NMEDIT"; then
+  ac_ct_NMEDIT=$NMEDIT
+  # Extract the first word of "nmedit", so it can be a program name with args.
+set dummy nmedit; ac_word=$2
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+if test "${ac_cv_prog_ac_ct_NMEDIT+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  if test -n "$ac_ct_NMEDIT"; then
+  ac_cv_prog_ac_ct_NMEDIT="$ac_ct_NMEDIT" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+  for ac_exec_ext in '' $ac_executable_extensions; do
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+    ac_cv_prog_ac_ct_NMEDIT="nmedit"
+    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+done
+IFS=$as_save_IFS
+
+fi
+fi
+ac_ct_NMEDIT=$ac_cv_prog_ac_ct_NMEDIT
+if test -n "$ac_ct_NMEDIT"; then
+  { echo "$as_me:$LINENO: result: $ac_ct_NMEDIT" >&5
+echo "${ECHO_T}$ac_ct_NMEDIT" >&6; }
+else
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
+
+  if test "x$ac_ct_NMEDIT" = x; then
+    NMEDIT=":"
+  else
+    case $cross_compiling:$ac_tool_warned in
+yes:)
+{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
+whose name does not start with the host triplet.  If you think this
+configuration is useful to you, please write to autoconf@gnu.org." >&5
+echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
+whose name does not start with the host triplet.  If you think this
+configuration is useful to you, please write to autoconf@gnu.org." >&2;}
+ac_tool_warned=yes ;;
+esac
+    NMEDIT=$ac_ct_NMEDIT
+  fi
+else
+  NMEDIT="$ac_cv_prog_NMEDIT"
+fi
+
+
+    { echo "$as_me:$LINENO: checking for -single_module linker flag" >&5
+echo $ECHO_N "checking for -single_module linker flag... $ECHO_C" >&6; }
+if test "${lt_cv_apple_cc_single_mod+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  lt_cv_apple_cc_single_mod=no
+      if test -z "${LT_MULTI_MODULE}"; then
+   # By default we will add the -single_module flag. You can override
+   # by either setting the environment variable LT_MULTI_MODULE
+   # non-empty at configure time, or by adding -multi_module to the
+   # link flags.
+   echo "int foo(void){return 1;}" > conftest.c
+   $LTCC $LTCFLAGS $LDFLAGS -o libconftest.dylib \
+     -dynamiclib ${wl}-single_module conftest.c
+   if test -f libconftest.dylib; then
+     lt_cv_apple_cc_single_mod=yes
+     rm -rf libconftest.dylib*
+   fi
+   rm conftest.c
+      fi
+fi
+{ echo "$as_me:$LINENO: result: $lt_cv_apple_cc_single_mod" >&5
+echo "${ECHO_T}$lt_cv_apple_cc_single_mod" >&6; }
+    { echo "$as_me:$LINENO: checking for -exported_symbols_list linker flag" >&5
+echo $ECHO_N "checking for -exported_symbols_list linker flag... $ECHO_C" >&6; }
+if test "${lt_cv_ld_exported_symbols_list+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  lt_cv_ld_exported_symbols_list=no
+      save_LDFLAGS=$LDFLAGS
+      echo "_main" > conftest.sym
+      LDFLAGS="$LDFLAGS -Wl,-exported_symbols_list,conftest.sym"
+      cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+  lt_cv_ld_exported_symbols_list=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	lt_cv_ld_exported_symbols_list=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+   LDFLAGS="$save_LDFLAGS"
+
+fi
+{ echo "$as_me:$LINENO: result: $lt_cv_ld_exported_symbols_list" >&5
+echo "${ECHO_T}$lt_cv_ld_exported_symbols_list" >&6; }
+    case $host_os in
+    rhapsody* | darwin1.[0123])
+      _lt_dar_allow_undefined='${wl}-undefined ${wl}suppress' ;;
+    darwin1.*)
+     _lt_dar_allow_undefined='${wl}-flat_namespace ${wl}-undefined ${wl}suppress' ;;
+    darwin*)
+      # if running on 10.5 or later, the deployment target defaults
+      # to the OS version, if on x86, and 10.4, the deployment
+      # target defaults to 10.4. Don't you love it?
+      case ${MACOSX_DEPLOYMENT_TARGET-10.0},$host in
+   10.0,*86*-darwin8*|10.0,*-darwin[91]*)
+     _lt_dar_allow_undefined='${wl}-undefined ${wl}dynamic_lookup' ;;
+   10.[012]*)
+     _lt_dar_allow_undefined='${wl}-flat_namespace ${wl}-undefined ${wl}suppress' ;;
+   10.*)
+     _lt_dar_allow_undefined='${wl}-undefined ${wl}dynamic_lookup' ;;
+      esac
+    ;;
+  esac
+    if test "$lt_cv_apple_cc_single_mod" = "yes"; then
+      _lt_dar_single_mod='$single_module'
+    fi
+    if test "$lt_cv_ld_exported_symbols_list" = "yes"; then
+      _lt_dar_export_syms=' ${wl}-exported_symbols_list,$output_objdir/${libname}-symbols.expsym'
+    else
+      _lt_dar_export_syms="~$NMEDIT -s \$output_objdir/\${libname}-symbols.expsym \${lib}"
+    fi
+    if test "$DSYMUTIL" != ":"; then
+      _lt_dsymutil="~$DSYMUTIL \$lib || :"
+    else
+      _lt_dsymutil=
+    fi
+    ;;
+  esac
+
+
+enable_dlopen=no
+enable_win32_dll=no
+
+# Check whether --enable-libtool-lock was given.
+if test "${enable_libtool_lock+set}" = set; then
+  enableval=$enable_libtool_lock;
+fi
+
+test "x$enable_libtool_lock" != xno && enable_libtool_lock=yes
+
+
+# Check whether --with-pic was given.
+if test "${with_pic+set}" = set; then
+  withval=$with_pic; pic_mode="$withval"
+else
+  pic_mode=default
+fi
+
+test -z "$pic_mode" && pic_mode=default
+
+# Use C for the default configuration in the libtool script
+tagname=
+lt_save_CC="$CC"
+ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+
+
+# Source file extension for C test sources.
+ac_ext=c
+
+# Object file extension for compiled C test sources.
+objext=o
+objext=$objext
+
+# Code to be used in simple compile tests
+lt_simple_compile_test_code="int some_variable = 0;"
+
+# Code to be used in simple link tests
+lt_simple_link_test_code='int main(){return(0);}'
+
+
+# If no C compiler was specified, use CC.
+LTCC=${LTCC-"$CC"}
+
+# If no C compiler flags were specified, use CFLAGS.
+LTCFLAGS=${LTCFLAGS-"$CFLAGS"}
+
+# Allow CC to be a program name with arguments.
+compiler=$CC
+
+
+# save warnings/boilerplate of simple test code
+ac_outfile=conftest.$ac_objext
+echo "$lt_simple_compile_test_code" >conftest.$ac_ext
+eval "$ac_compile" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err
+_lt_compiler_boilerplate=`cat conftest.err`
+$rm conftest*
+
+ac_outfile=conftest.$ac_objext
+echo "$lt_simple_link_test_code" >conftest.$ac_ext
+eval "$ac_link" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err
+_lt_linker_boilerplate=`cat conftest.err`
+$rm -r conftest*
+
+
+
+lt_prog_compiler_no_builtin_flag=
+
+if test "$GCC" = yes; then
+  lt_prog_compiler_no_builtin_flag=' -fno-builtin'
+
+
+{ echo "$as_me:$LINENO: checking if $compiler supports -fno-rtti -fno-exceptions" >&5
+echo $ECHO_N "checking if $compiler supports -fno-rtti -fno-exceptions... $ECHO_C" >&6; }
+if test "${lt_cv_prog_compiler_rtti_exceptions+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  lt_cv_prog_compiler_rtti_exceptions=no
+  ac_outfile=conftest.$ac_objext
+   echo "$lt_simple_compile_test_code" > conftest.$ac_ext
+   lt_compiler_flag="-fno-rtti -fno-exceptions"
+   # Insert the option either (1) after the last *FLAGS variable, or
+   # (2) before a word containing "conftest.", or (3) at the end.
+   # Note that $ac_compile itself does not contain backslashes and begins
+   # with a dollar sign (not a hyphen), so the echo should work correctly.
+   # The option is referenced via a variable to avoid confusing sed.
+   lt_compile=`echo "$ac_compile" | $SED \
+   -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
+   -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
+   -e 's:$: $lt_compiler_flag:'`
+   (eval echo "\"\$as_me:7722: $lt_compile\"" >&5)
+   (eval "$lt_compile" 2>conftest.err)
+   ac_status=$?
+   cat conftest.err >&5
+   echo "$as_me:7726: \$? = $ac_status" >&5
+   if (exit $ac_status) && test -s "$ac_outfile"; then
+     # The compiler can only warn and ignore the option if not recognized
+     # So say no if there are warnings other than the usual output.
+     $echo "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' >conftest.exp
+     $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2
+     if test ! -s conftest.er2 || diff conftest.exp conftest.er2 >/dev/null; then
+       lt_cv_prog_compiler_rtti_exceptions=yes
+     fi
+   fi
+   $rm conftest*
+
+fi
+{ echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_rtti_exceptions" >&5
+echo "${ECHO_T}$lt_cv_prog_compiler_rtti_exceptions" >&6; }
+
+if test x"$lt_cv_prog_compiler_rtti_exceptions" = xyes; then
+    lt_prog_compiler_no_builtin_flag="$lt_prog_compiler_no_builtin_flag -fno-rtti -fno-exceptions"
+else
+    :
+fi
+
+fi
+
+lt_prog_compiler_wl=
+lt_prog_compiler_pic=
+lt_prog_compiler_static=
+
+{ echo "$as_me:$LINENO: checking for $compiler option to produce PIC" >&5
+echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6; }
+
+  if test "$GCC" = yes; then
+    lt_prog_compiler_wl='-Wl,'
+    lt_prog_compiler_static='-static'
+
+    case $host_os in
+      aix*)
+      # All AIX code is PIC.
+      if test "$host_cpu" = ia64; then
+	# AIX 5 now supports IA64 processor
+	lt_prog_compiler_static='-Bstatic'
+      fi
+      ;;
+
+    amigaos*)
+      # FIXME: we need at least 68020 code to build shared libraries, but
+      # adding the `-m68020' flag to GCC prevents building anything better,
+      # like `-m68040'.
+      lt_prog_compiler_pic='-m68020 -resident32 -malways-restore-a4'
+      ;;
+
+    beos* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*)
+      # PIC is the default for these OSes.
+      ;;
+
+    mingw* | cygwin* | pw32* | os2*)
+      # This hack is so that the source file can tell whether it is being
+      # built for inclusion in a dll (and should export symbols for example).
+      # Although the cygwin gcc ignores -fPIC, still need this for old-style
+      # (--disable-auto-import) libraries
+      lt_prog_compiler_pic='-DDLL_EXPORT'
+      ;;
+
+    darwin* | rhapsody*)
+      # PIC is the default on this platform
+      # Common symbols not allowed in MH_DYLIB files
+      lt_prog_compiler_pic='-fno-common'
+      ;;
+
+    interix[3-9]*)
+      # Interix 3.x gcc -fpic/-fPIC options generate broken code.
+      # Instead, we relocate shared libraries at runtime.
+      ;;
+
+    msdosdjgpp*)
+      # Just because we use GCC doesn't mean we suddenly get shared libraries
+      # on systems that don't support them.
+      lt_prog_compiler_can_build_shared=no
+      enable_shared=no
+      ;;
+
+    sysv4*MP*)
+      if test -d /usr/nec; then
+	lt_prog_compiler_pic=-Kconform_pic
+      fi
+      ;;
+
+    hpux*)
+      # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but
+      # not for PA HP-UX.
+      case $host_cpu in
+      hppa*64*|ia64*)
+	# +Z the default
+	;;
+      *)
+	lt_prog_compiler_pic='-fPIC'
+	;;
+      esac
+      ;;
+
+    *)
+      lt_prog_compiler_pic='-fPIC'
+      ;;
+    esac
+  else
+    # PORTME Check for flag to pass linker flags through the system compiler.
+    case $host_os in
+    aix*)
+      lt_prog_compiler_wl='-Wl,'
+      if test "$host_cpu" = ia64; then
+	# AIX 5 now supports IA64 processor
+	lt_prog_compiler_static='-Bstatic'
+      else
+	lt_prog_compiler_static='-bnso -bI:/lib/syscalls.exp'
+      fi
+      ;;
+      darwin*)
+        # PIC is the default on this platform
+        # Common symbols not allowed in MH_DYLIB files
+       case $cc_basename in
+         xlc*)
+         lt_prog_compiler_pic='-qnocommon'
+         lt_prog_compiler_wl='-Wl,'
+         ;;
+       esac
+       ;;
+
+    mingw* | cygwin* | pw32* | os2*)
+      # This hack is so that the source file can tell whether it is being
+      # built for inclusion in a dll (and should export symbols for example).
+      lt_prog_compiler_pic='-DDLL_EXPORT'
+      ;;
+
+    hpux9* | hpux10* | hpux11*)
+      lt_prog_compiler_wl='-Wl,'
+      # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but
+      # not for PA HP-UX.
+      case $host_cpu in
+      hppa*64*|ia64*)
+	# +Z the default
+	;;
+      *)
+	lt_prog_compiler_pic='+Z'
+	;;
+      esac
+      # Is there a better lt_prog_compiler_static that works with the bundled CC?
+      lt_prog_compiler_static='${wl}-a ${wl}archive'
+      ;;
+
+    irix5* | irix6* | nonstopux*)
+      lt_prog_compiler_wl='-Wl,'
+      # PIC (with -KPIC) is the default.
+      lt_prog_compiler_static='-non_shared'
+      ;;
+
+    newsos6)
+      lt_prog_compiler_pic='-KPIC'
+      lt_prog_compiler_static='-Bstatic'
+      ;;
+
+    linux* | k*bsd*-gnu)
+      case $cc_basename in
+      icc* | ecc*)
+	lt_prog_compiler_wl='-Wl,'
+	lt_prog_compiler_pic='-KPIC'
+	lt_prog_compiler_static='-static'
+        ;;
+      pgcc* | pgf77* | pgf90* | pgf95*)
+        # Portland Group compilers (*not* the Pentium gcc compiler,
+	# which looks to be a dead project)
+	lt_prog_compiler_wl='-Wl,'
+	lt_prog_compiler_pic='-fpic'
+	lt_prog_compiler_static='-Bstatic'
+        ;;
+      ccc*)
+        lt_prog_compiler_wl='-Wl,'
+        # All Alpha code is PIC.
+        lt_prog_compiler_static='-non_shared'
+        ;;
+      *)
+        case `$CC -V 2>&1 | sed 5q` in
+	*Sun\ C*)
+	  # Sun C 5.9
+	  lt_prog_compiler_pic='-KPIC'
+	  lt_prog_compiler_static='-Bstatic'
+	  lt_prog_compiler_wl='-Wl,'
+	  ;;
+	*Sun\ F*)
+	  # Sun Fortran 8.3 passes all unrecognized flags to the linker
+	  lt_prog_compiler_pic='-KPIC'
+	  lt_prog_compiler_static='-Bstatic'
+	  lt_prog_compiler_wl=''
+	  ;;
+	esac
+	;;
+      esac
+      ;;
+
+    osf3* | osf4* | osf5*)
+      lt_prog_compiler_wl='-Wl,'
+      # All OSF/1 code is PIC.
+      lt_prog_compiler_static='-non_shared'
+      ;;
+
+    rdos*)
+      lt_prog_compiler_static='-non_shared'
+      ;;
+
+    solaris*)
+      lt_prog_compiler_pic='-KPIC'
+      lt_prog_compiler_static='-Bstatic'
+      case $cc_basename in
+      f77* | f90* | f95*)
+	lt_prog_compiler_wl='-Qoption ld ';;
+      *)
+	lt_prog_compiler_wl='-Wl,';;
+      esac
+      ;;
+
+    sunos4*)
+      lt_prog_compiler_wl='-Qoption ld '
+      lt_prog_compiler_pic='-PIC'
+      lt_prog_compiler_static='-Bstatic'
+      ;;
+
+    sysv4 | sysv4.2uw2* | sysv4.3*)
+      lt_prog_compiler_wl='-Wl,'
+      lt_prog_compiler_pic='-KPIC'
+      lt_prog_compiler_static='-Bstatic'
+      ;;
+
+    sysv4*MP*)
+      if test -d /usr/nec ;then
+	lt_prog_compiler_pic='-Kconform_pic'
+	lt_prog_compiler_static='-Bstatic'
+      fi
+      ;;
+
+    sysv5* | unixware* | sco3.2v5* | sco5v6* | OpenUNIX*)
+      lt_prog_compiler_wl='-Wl,'
+      lt_prog_compiler_pic='-KPIC'
+      lt_prog_compiler_static='-Bstatic'
+      ;;
+
+    unicos*)
+      lt_prog_compiler_wl='-Wl,'
+      lt_prog_compiler_can_build_shared=no
+      ;;
+
+    uts4*)
+      lt_prog_compiler_pic='-pic'
+      lt_prog_compiler_static='-Bstatic'
+      ;;
+
+    *)
+      lt_prog_compiler_can_build_shared=no
+      ;;
+    esac
+  fi
+
+{ echo "$as_me:$LINENO: result: $lt_prog_compiler_pic" >&5
+echo "${ECHO_T}$lt_prog_compiler_pic" >&6; }
+
+#
+# Check to make sure the PIC flag actually works.
+#
+if test -n "$lt_prog_compiler_pic"; then
+
+{ echo "$as_me:$LINENO: checking if $compiler PIC flag $lt_prog_compiler_pic works" >&5
+echo $ECHO_N "checking if $compiler PIC flag $lt_prog_compiler_pic works... $ECHO_C" >&6; }
+if test "${lt_cv_prog_compiler_pic_works+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  lt_cv_prog_compiler_pic_works=no
+  ac_outfile=conftest.$ac_objext
+   echo "$lt_simple_compile_test_code" > conftest.$ac_ext
+   lt_compiler_flag="$lt_prog_compiler_pic -DPIC"
+   # Insert the option either (1) after the last *FLAGS variable, or
+   # (2) before a word containing "conftest.", or (3) at the end.
+   # Note that $ac_compile itself does not contain backslashes and begins
+   # with a dollar sign (not a hyphen), so the echo should work correctly.
+   # The option is referenced via a variable to avoid confusing sed.
+   lt_compile=`echo "$ac_compile" | $SED \
+   -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
+   -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
+   -e 's:$: $lt_compiler_flag:'`
+   (eval echo "\"\$as_me:8012: $lt_compile\"" >&5)
+   (eval "$lt_compile" 2>conftest.err)
+   ac_status=$?
+   cat conftest.err >&5
+   echo "$as_me:8016: \$? = $ac_status" >&5
+   if (exit $ac_status) && test -s "$ac_outfile"; then
+     # The compiler can only warn and ignore the option if not recognized
+     # So say no if there are warnings other than the usual output.
+     $echo "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' >conftest.exp
+     $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2
+     if test ! -s conftest.er2 || diff conftest.exp conftest.er2 >/dev/null; then
+       lt_cv_prog_compiler_pic_works=yes
+     fi
+   fi
+   $rm conftest*
+
+fi
+{ echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_pic_works" >&5
+echo "${ECHO_T}$lt_cv_prog_compiler_pic_works" >&6; }
+
+if test x"$lt_cv_prog_compiler_pic_works" = xyes; then
+    case $lt_prog_compiler_pic in
+     "" | " "*) ;;
+     *) lt_prog_compiler_pic=" $lt_prog_compiler_pic" ;;
+     esac
+else
+    lt_prog_compiler_pic=
+     lt_prog_compiler_can_build_shared=no
+fi
+
+fi
+case $host_os in
+  # For platforms which do not support PIC, -DPIC is meaningless:
+  *djgpp*)
+    lt_prog_compiler_pic=
+    ;;
+  *)
+    lt_prog_compiler_pic="$lt_prog_compiler_pic -DPIC"
+    ;;
+esac
+
+#
+# Check to make sure the static flag actually works.
+#
+wl=$lt_prog_compiler_wl eval lt_tmp_static_flag=\"$lt_prog_compiler_static\"
+{ echo "$as_me:$LINENO: checking if $compiler static flag $lt_tmp_static_flag works" >&5
+echo $ECHO_N "checking if $compiler static flag $lt_tmp_static_flag works... $ECHO_C" >&6; }
+if test "${lt_cv_prog_compiler_static_works+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  lt_cv_prog_compiler_static_works=no
+   save_LDFLAGS="$LDFLAGS"
+   LDFLAGS="$LDFLAGS $lt_tmp_static_flag"
+   echo "$lt_simple_link_test_code" > conftest.$ac_ext
+   if (eval $ac_link 2>conftest.err) && test -s conftest$ac_exeext; then
+     # The linker can only warn and ignore the option if not recognized
+     # So say no if there are warnings
+     if test -s conftest.err; then
+       # Append any errors to the config.log.
+       cat conftest.err 1>&5
+       $echo "X$_lt_linker_boilerplate" | $Xsed -e '/^$/d' > conftest.exp
+       $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2
+       if diff conftest.exp conftest.er2 >/dev/null; then
+         lt_cv_prog_compiler_static_works=yes
+       fi
+     else
+       lt_cv_prog_compiler_static_works=yes
+     fi
+   fi
+   $rm -r conftest*
+   LDFLAGS="$save_LDFLAGS"
+
+fi
+{ echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_static_works" >&5
+echo "${ECHO_T}$lt_cv_prog_compiler_static_works" >&6; }
+
+if test x"$lt_cv_prog_compiler_static_works" = xyes; then
+    :
+else
+    lt_prog_compiler_static=
+fi
+
+
+{ echo "$as_me:$LINENO: checking if $compiler supports -c -o file.$ac_objext" >&5
+echo $ECHO_N "checking if $compiler supports -c -o file.$ac_objext... $ECHO_C" >&6; }
+if test "${lt_cv_prog_compiler_c_o+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  lt_cv_prog_compiler_c_o=no
+   $rm -r conftest 2>/dev/null
+   mkdir conftest
+   cd conftest
+   mkdir out
+   echo "$lt_simple_compile_test_code" > conftest.$ac_ext
+
+   lt_compiler_flag="-o out/conftest2.$ac_objext"
+   # Insert the option either (1) after the last *FLAGS variable, or
+   # (2) before a word containing "conftest.", or (3) at the end.
+   # Note that $ac_compile itself does not contain backslashes and begins
+   # with a dollar sign (not a hyphen), so the echo should work correctly.
+   lt_compile=`echo "$ac_compile" | $SED \
+   -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
+   -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
+   -e 's:$: $lt_compiler_flag:'`
+   (eval echo "\"\$as_me:8116: $lt_compile\"" >&5)
+   (eval "$lt_compile" 2>out/conftest.err)
+   ac_status=$?
+   cat out/conftest.err >&5
+   echo "$as_me:8120: \$? = $ac_status" >&5
+   if (exit $ac_status) && test -s out/conftest2.$ac_objext
+   then
+     # The compiler can only warn and ignore the option if not recognized
+     # So say no if there are warnings
+     $echo "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' > out/conftest.exp
+     $SED '/^$/d; /^ *+/d' out/conftest.err >out/conftest.er2
+     if test ! -s out/conftest.er2 || diff out/conftest.exp out/conftest.er2 >/dev/null; then
+       lt_cv_prog_compiler_c_o=yes
+     fi
+   fi
+   chmod u+w . 2>&5
+   $rm conftest*
+   # SGI C++ compiler will create directory out/ii_files/ for
+   # template instantiation
+   test -d out/ii_files && $rm out/ii_files/* && rmdir out/ii_files
+   $rm out/* && rmdir out
+   cd ..
+   rmdir conftest
+   $rm conftest*
+
+fi
+{ echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_c_o" >&5
+echo "${ECHO_T}$lt_cv_prog_compiler_c_o" >&6; }
+
+
+hard_links="nottested"
+if test "$lt_cv_prog_compiler_c_o" = no && test "$need_locks" != no; then
+  # do not overwrite the value of need_locks provided by the user
+  { echo "$as_me:$LINENO: checking if we can lock with hard links" >&5
+echo $ECHO_N "checking if we can lock with hard links... $ECHO_C" >&6; }
+  hard_links=yes
+  $rm conftest*
+  ln conftest.a conftest.b 2>/dev/null && hard_links=no
+  touch conftest.a
+  ln conftest.a conftest.b 2>&5 || hard_links=no
+  ln conftest.a conftest.b 2>/dev/null && hard_links=no
+  { echo "$as_me:$LINENO: result: $hard_links" >&5
+echo "${ECHO_T}$hard_links" >&6; }
+  if test "$hard_links" = no; then
+    { echo "$as_me:$LINENO: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&5
+echo "$as_me: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&2;}
+    need_locks=warn
+  fi
+else
+  need_locks=no
+fi
+
+{ echo "$as_me:$LINENO: checking whether the $compiler linker ($LD) supports shared libraries" >&5
+echo $ECHO_N "checking whether the $compiler linker ($LD) supports shared libraries... $ECHO_C" >&6; }
+
+  runpath_var=
+  allow_undefined_flag=
+  enable_shared_with_static_runtimes=no
+  archive_cmds=
+  archive_expsym_cmds=
+  old_archive_From_new_cmds=
+  old_archive_from_expsyms_cmds=
+  export_dynamic_flag_spec=
+  whole_archive_flag_spec=
+  thread_safe_flag_spec=
+  hardcode_libdir_flag_spec=
+  hardcode_libdir_flag_spec_ld=
+  hardcode_libdir_separator=
+  hardcode_direct=no
+  hardcode_minus_L=no
+  hardcode_shlibpath_var=unsupported
+  link_all_deplibs=unknown
+  hardcode_automatic=no
+  module_cmds=
+  module_expsym_cmds=
+  always_export_symbols=no
+  export_symbols_cmds='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols'
+  # include_expsyms should be a list of space-separated symbols to be *always*
+  # included in the symbol list
+  include_expsyms=
+  # exclude_expsyms can be an extended regexp of symbols to exclude
+  # it will be wrapped by ` (' and `)$', so one must not match beginning or
+  # end of line.  Example: `a|bc|.*d.*' will exclude the symbols `a' and `bc',
+  # as well as any symbol that contains `d'.
+  exclude_expsyms='_GLOBAL_OFFSET_TABLE_|_GLOBAL__F[ID]_.*'
+  # Although _GLOBAL_OFFSET_TABLE_ is a valid symbol C name, most a.out
+  # platforms (ab)use it in PIC code, but their linkers get confused if
+  # the symbol is explicitly referenced.  Since portable code cannot
+  # rely on this symbol name, it's probably fine to never include it in
+  # preloaded symbol tables.
+  # Exclude shared library initialization/finalization symbols.
+  extract_expsyms_cmds=
+  # Just being paranoid about ensuring that cc_basename is set.
+  for cc_temp in $compiler""; do
+  case $cc_temp in
+    compile | *[\\/]compile | ccache | *[\\/]ccache ) ;;
+    distcc | *[\\/]distcc | purify | *[\\/]purify ) ;;
+    \-*) ;;
+    *) break;;
+  esac
+done
+cc_basename=`$echo "X$cc_temp" | $Xsed -e 's%.*/%%' -e "s%^$host_alias-%%"`
+
+  case $host_os in
+  cygwin* | mingw* | pw32*)
+    # FIXME: the MSVC++ port hasn't been tested in a loooong time
+    # When not using gcc, we currently assume that we are using
+    # Microsoft Visual C++.
+    if test "$GCC" != yes; then
+      with_gnu_ld=no
+    fi
+    ;;
+  interix*)
+    # we just hope/assume this is gcc and not c89 (= MSVC++)
+    with_gnu_ld=yes
+    ;;
+  openbsd*)
+    with_gnu_ld=no
+    ;;
+  esac
+
+  ld_shlibs=yes
+  if test "$with_gnu_ld" = yes; then
+    # If archive_cmds runs LD, not CC, wlarc should be empty
+    wlarc='${wl}'
+
+    # Set some defaults for GNU ld with shared library support. These
+    # are reset later if shared libraries are not supported. Putting them
+    # here allows them to be overridden if necessary.
+    runpath_var=LD_RUN_PATH
+    hardcode_libdir_flag_spec='${wl}--rpath ${wl}$libdir'
+    export_dynamic_flag_spec='${wl}--export-dynamic'
+    # ancient GNU ld didn't support --whole-archive et. al.
+    if $LD --help 2>&1 | grep 'no-whole-archive' > /dev/null; then
+	whole_archive_flag_spec="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive'
+      else
+  	whole_archive_flag_spec=
+    fi
+    supports_anon_versioning=no
+    case `$LD -v 2>/dev/null` in
+      *\ [01].* | *\ 2.[0-9].* | *\ 2.10.*) ;; # catch versions < 2.11
+      *\ 2.11.93.0.2\ *) supports_anon_versioning=yes ;; # RH7.3 ...
+      *\ 2.11.92.0.12\ *) supports_anon_versioning=yes ;; # Mandrake 8.2 ...
+      *\ 2.11.*) ;; # other 2.11 versions
+      *) supports_anon_versioning=yes ;;
+    esac
+
+    # See if GNU ld supports shared libraries.
+    case $host_os in
+    aix[3-9]*)
+      # On AIX/PPC, the GNU linker is very broken
+      if test "$host_cpu" != ia64; then
+	ld_shlibs=no
+	cat <<EOF 1>&2
+
+*** Warning: the GNU linker, at least up to release 2.9.1, is reported
+*** to be unable to reliably create shared libraries on AIX.
+*** Therefore, libtool is disabling shared libraries support.  If you
+*** really care for shared libraries, you may want to modify your PATH
+*** so that a non-GNU linker is found, and then restart.
+
+EOF
+      fi
+      ;;
+
+    amigaos*)
+      archive_cmds='$rm $output_objdir/a2ixlibrary.data~$echo "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$echo "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$echo "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$echo "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)'
+      hardcode_libdir_flag_spec='-L$libdir'
+      hardcode_minus_L=yes
+
+      # Samuel A. Falvo II <kc5tja@dolphin.openprojects.net> reports
+      # that the semantics of dynamic libraries on AmigaOS, at least up
+      # to version 4, is to share data among multiple programs linked
+      # with the same dynamic library.  Since this doesn't match the
+      # behavior of shared libraries on other platforms, we can't use
+      # them.
+      ld_shlibs=no
+      ;;
+
+    beos*)
+      if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
+	allow_undefined_flag=unsupported
+	# Joseph Beckenbach <jrb3@best.com> says some releases of gcc
+	# support --undefined.  This deserves some investigation.  FIXME
+	archive_cmds='$CC -nostart $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+      else
+	ld_shlibs=no
+      fi
+      ;;
+
+    cygwin* | mingw* | pw32*)
+      # _LT_AC_TAGVAR(hardcode_libdir_flag_spec, ) is actually meaningless,
+      # as there is no search path for DLLs.
+      hardcode_libdir_flag_spec='-L$libdir'
+      allow_undefined_flag=unsupported
+      always_export_symbols=no
+      enable_shared_with_static_runtimes=yes
+      export_symbols_cmds='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[BCDGRS][ ]/s/.*[ ]\([^ ]*\)/\1 DATA/'\'' -e '\''/^[AITW][ ]/s/.*[ ]//'\'' | sort | uniq > $export_symbols'
+
+      if $LD --help 2>&1 | grep 'auto-import' > /dev/null; then
+        archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
+	# If the export-symbols file already is a .def file (1st line
+	# is EXPORTS), use it as is; otherwise, prepend...
+	archive_expsym_cmds='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then
+	  cp $export_symbols $output_objdir/$soname.def;
+	else
+	  echo EXPORTS > $output_objdir/$soname.def;
+	  cat $export_symbols >> $output_objdir/$soname.def;
+	fi~
+	$CC -shared $output_objdir/$soname.def $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
+      else
+	ld_shlibs=no
+      fi
+      ;;
+
+    interix[3-9]*)
+      hardcode_direct=no
+      hardcode_shlibpath_var=no
+      hardcode_libdir_flag_spec='${wl}-rpath,$libdir'
+      export_dynamic_flag_spec='${wl}-E'
+      # Hack: On Interix 3.x, we cannot compile PIC because of a broken gcc.
+      # Instead, shared libraries are loaded at an image base (0x10000000 by
+      # default) and relocated if they conflict, which is a slow very memory
+      # consuming and fragmenting process.  To avoid this, we pick a random,
+      # 256 KiB-aligned image base between 0x50000000 and 0x6FFC0000 at link
+      # time.  Moving up from 0x10000000 also allows more sbrk(2) space.
+      archive_cmds='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
+      archive_expsym_cmds='sed "s,^,_," $export_symbols >$output_objdir/$soname.expsym~$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--retain-symbols-file,$output_objdir/$soname.expsym ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
+      ;;
+
+    gnu* | linux* | k*bsd*-gnu)
+      if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
+	tmp_addflag=
+	case $cc_basename,$host_cpu in
+	pgcc*)				# Portland Group C compiler
+	  whole_archive_flag_spec='${wl}--whole-archive`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}--no-whole-archive'
+	  tmp_addflag=' $pic_flag'
+	  ;;
+	pgf77* | pgf90* | pgf95*)	# Portland Group f77 and f90 compilers
+	  whole_archive_flag_spec='${wl}--whole-archive`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}--no-whole-archive'
+	  tmp_addflag=' $pic_flag -Mnomain' ;;
+	ecc*,ia64* | icc*,ia64*)		# Intel C compiler on ia64
+	  tmp_addflag=' -i_dynamic' ;;
+	efc*,ia64* | ifort*,ia64*)	# Intel Fortran compiler on ia64
+	  tmp_addflag=' -i_dynamic -nofor_main' ;;
+	ifc* | ifort*)			# Intel Fortran compiler
+	  tmp_addflag=' -nofor_main' ;;
+	esac
+	case `$CC -V 2>&1 | sed 5q` in
+	*Sun\ C*)			# Sun C 5.9
+	  whole_archive_flag_spec='${wl}--whole-archive`new_convenience=; for conv in $convenience\"\"; do test -z \"$conv\" || new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}--no-whole-archive'
+	  tmp_sharedflag='-G' ;;
+	*Sun\ F*)			# Sun Fortran 8.3
+	  tmp_sharedflag='-G' ;;
+	*)
+	  tmp_sharedflag='-shared' ;;
+	esac
+	archive_cmds='$CC '"$tmp_sharedflag""$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+
+	if test $supports_anon_versioning = yes; then
+	  archive_expsym_cmds='$echo "{ global:" > $output_objdir/$libname.ver~
+  cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~
+  $echo "local: *; };" >> $output_objdir/$libname.ver~
+	  $CC '"$tmp_sharedflag""$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-version-script ${wl}$output_objdir/$libname.ver -o $lib'
+	fi
+	link_all_deplibs=no
+      else
+	ld_shlibs=no
+      fi
+      ;;
+
+    netbsd* | netbsdelf*-gnu)
+      if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
+	archive_cmds='$LD -Bshareable $libobjs $deplibs $linker_flags -o $lib'
+	wlarc=
+      else
+	archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+	archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+      fi
+      ;;
+
+    solaris*)
+      if $LD -v 2>&1 | grep 'BFD 2\.8' > /dev/null; then
+	ld_shlibs=no
+	cat <<EOF 1>&2
+
+*** Warning: The releases 2.8.* of the GNU linker cannot reliably
+*** create shared libraries on Solaris systems.  Therefore, libtool
+*** is disabling shared libraries support.  We urge you to upgrade GNU
+*** binutils to release 2.9.1 or newer.  Another option is to modify
+*** your PATH or compiler configuration so that the native linker is
+*** used, and then restart.
+
+EOF
+      elif $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
+	archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+	archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+      else
+	ld_shlibs=no
+      fi
+      ;;
+
+    sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX*)
+      case `$LD -v 2>&1` in
+        *\ [01].* | *\ 2.[0-9].* | *\ 2.1[0-5].*)
+	ld_shlibs=no
+	cat <<_LT_EOF 1>&2
+
+*** Warning: Releases of the GNU linker prior to 2.16.91.0.3 can not
+*** reliably create shared libraries on SCO systems.  Therefore, libtool
+*** is disabling shared libraries support.  We urge you to upgrade GNU
+*** binutils to release 2.16.91.0.3 or newer.  Another option is to modify
+*** your PATH or compiler configuration so that the native linker is
+*** used, and then restart.
+
+_LT_EOF
+	;;
+	*)
+	  if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
+	    hardcode_libdir_flag_spec='`test -z "$SCOABSPATH" && echo ${wl}-rpath,$libdir`'
+	    archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib'
+	    archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname,\${SCOABSPATH:+${install_libdir}/}$soname,-retain-symbols-file,$export_symbols -o $lib'
+	  else
+	    ld_shlibs=no
+	  fi
+	;;
+      esac
+      ;;
+
+    sunos4*)
+      archive_cmds='$LD -assert pure-text -Bshareable -o $lib $libobjs $deplibs $linker_flags'
+      wlarc=
+      hardcode_direct=yes
+      hardcode_shlibpath_var=no
+      ;;
+
+    *)
+      if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
+	archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+	archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+      else
+	ld_shlibs=no
+      fi
+      ;;
+    esac
+
+    if test "$ld_shlibs" = no; then
+      runpath_var=
+      hardcode_libdir_flag_spec=
+      export_dynamic_flag_spec=
+      whole_archive_flag_spec=
+    fi
+  else
+    # PORTME fill in a description of your system's linker (not GNU ld)
+    case $host_os in
+    aix3*)
+      allow_undefined_flag=unsupported
+      always_export_symbols=yes
+      archive_expsym_cmds='$LD -o $output_objdir/$soname $libobjs $deplibs $linker_flags -bE:$export_symbols -T512 -H512 -bM:SRE~$AR $AR_FLAGS $lib $output_objdir/$soname'
+      # Note: this linker hardcodes the directories in LIBPATH if there
+      # are no directories specified by -L.
+      hardcode_minus_L=yes
+      if test "$GCC" = yes && test -z "$lt_prog_compiler_static"; then
+	# Neither direct hardcoding nor static linking is supported with a
+	# broken collect2.
+	hardcode_direct=unsupported
+      fi
+      ;;
+
+    aix[4-9]*)
+      if test "$host_cpu" = ia64; then
+	# On IA64, the linker does run time linking by default, so we don't
+	# have to do anything special.
+	aix_use_runtimelinking=no
+	exp_sym_flag='-Bexport'
+	no_entry_flag=""
+      else
+	# If we're using GNU nm, then we don't want the "-C" option.
+	# -C means demangle to AIX nm, but means don't demangle with GNU nm
+	if $NM -V 2>&1 | grep 'GNU' > /dev/null; then
+	  export_symbols_cmds='$NM -Bpg $libobjs $convenience | awk '\''{ if (((\$2 == "T") || (\$2 == "D") || (\$2 == "B")) && (substr(\$3,1,1) != ".")) { print \$3 } }'\'' | sort -u > $export_symbols'
+	else
+	  export_symbols_cmds='$NM -BCpg $libobjs $convenience | awk '\''{ if (((\$2 == "T") || (\$2 == "D") || (\$2 == "B")) && (substr(\$3,1,1) != ".")) { print \$3 } }'\'' | sort -u > $export_symbols'
+	fi
+	aix_use_runtimelinking=no
+
+	# Test if we are trying to use run time linking or normal
+	# AIX style linking. If -brtl is somewhere in LDFLAGS, we
+	# need to do runtime linking.
+	case $host_os in aix4.[23]|aix4.[23].*|aix[5-9]*)
+	  for ld_flag in $LDFLAGS; do
+  	  if (test $ld_flag = "-brtl" || test $ld_flag = "-Wl,-brtl"); then
+  	    aix_use_runtimelinking=yes
+  	    break
+  	  fi
+	  done
+	  ;;
+	esac
+
+	exp_sym_flag='-bexport'
+	no_entry_flag='-bnoentry'
+      fi
+
+      # When large executables or shared objects are built, AIX ld can
+      # have problems creating the table of contents.  If linking a library
+      # or program results in "error TOC overflow" add -mminimal-toc to
+      # CXXFLAGS/CFLAGS for g++/gcc.  In the cases where that is not
+      # enough to fix the problem, add -Wl,-bbigtoc to LDFLAGS.
+
+      archive_cmds=''
+      hardcode_direct=yes
+      hardcode_libdir_separator=':'
+      link_all_deplibs=yes
+
+      if test "$GCC" = yes; then
+	case $host_os in aix4.[012]|aix4.[012].*)
+	# We only want to do this on AIX 4.2 and lower, the check
+	# below for broken collect2 doesn't work under 4.3+
+	  collect2name=`${CC} -print-prog-name=collect2`
+	  if test -f "$collect2name" && \
+  	   strings "$collect2name" | grep resolve_lib_name >/dev/null
+	  then
+  	  # We have reworked collect2
+  	  :
+	  else
+  	  # We have old collect2
+  	  hardcode_direct=unsupported
+  	  # It fails to find uninstalled libraries when the uninstalled
+  	  # path is not listed in the libpath.  Setting hardcode_minus_L
+  	  # to unsupported forces relinking
+  	  hardcode_minus_L=yes
+  	  hardcode_libdir_flag_spec='-L$libdir'
+  	  hardcode_libdir_separator=
+	  fi
+	  ;;
+	esac
+	shared_flag='-shared'
+	if test "$aix_use_runtimelinking" = yes; then
+	  shared_flag="$shared_flag "'${wl}-G'
+	fi
+      else
+	# not using gcc
+	if test "$host_cpu" = ia64; then
+  	# VisualAge C++, Version 5.5 for AIX 5L for IA-64, Beta 3 Release
+  	# chokes on -Wl,-G. The following line is correct:
+	  shared_flag='-G'
+	else
+	  if test "$aix_use_runtimelinking" = yes; then
+	    shared_flag='${wl}-G'
+	  else
+	    shared_flag='${wl}-bM:SRE'
+	  fi
+	fi
+      fi
+
+      # It seems that -bexpall does not export symbols beginning with
+      # underscore (_), so it is better to generate a list of symbols to export.
+      always_export_symbols=yes
+      if test "$aix_use_runtimelinking" = yes; then
+	# Warning - without using the other runtime loading flags (-brtl),
+	# -berok will link without error, but may produce a broken library.
+	allow_undefined_flag='-berok'
+       # Determine the default libpath from the value encoded in an empty executable.
+       cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+
+lt_aix_libpath_sed='
+    /Import File Strings/,/^$/ {
+	/^0/ {
+	    s/^0  *\(.*\)$/\1/
+	    p
+	}
+    }'
+aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
+# Check for a 64-bit object if we didn't find anything.
+if test -z "$aix_libpath"; then
+  aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
+fi
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
+
+       hardcode_libdir_flag_spec='${wl}-blibpath:$libdir:'"$aix_libpath"
+	archive_expsym_cmds="\$CC"' -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then echo "${wl}${allow_undefined_flag}"; else :; fi` '"\${wl}$exp_sym_flag:\$export_symbols $shared_flag"
+       else
+	if test "$host_cpu" = ia64; then
+	  hardcode_libdir_flag_spec='${wl}-R $libdir:/usr/lib:/lib'
+	  allow_undefined_flag="-z nodefs"
+	  archive_expsym_cmds="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags ${wl}${allow_undefined_flag} '"\${wl}$exp_sym_flag:\$export_symbols"
+	else
+	 # Determine the default libpath from the value encoded in an empty executable.
+	 cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+
+lt_aix_libpath_sed='
+    /Import File Strings/,/^$/ {
+	/^0/ {
+	    s/^0  *\(.*\)$/\1/
+	    p
+	}
+    }'
+aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
+# Check for a 64-bit object if we didn't find anything.
+if test -z "$aix_libpath"; then
+  aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
+fi
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
+
+	 hardcode_libdir_flag_spec='${wl}-blibpath:$libdir:'"$aix_libpath"
+	  # Warning - without using the other run time loading flags,
+	  # -berok will link without error, but may produce a broken library.
+	  no_undefined_flag=' ${wl}-bernotok'
+	  allow_undefined_flag=' ${wl}-berok'
+	  # Exported symbols can be pulled into shared objects from archives
+	  whole_archive_flag_spec='$convenience'
+	  archive_cmds_need_lc=yes
+	  # This is similar to how AIX traditionally builds its shared libraries.
+	  archive_expsym_cmds="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs ${wl}-bnoentry $compiler_flags ${wl}-bE:$export_symbols${allow_undefined_flag}~$AR $AR_FLAGS $output_objdir/$libname$release.a $output_objdir/$soname'
+	fi
+      fi
+      ;;
+
+    amigaos*)
+      archive_cmds='$rm $output_objdir/a2ixlibrary.data~$echo "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$echo "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$echo "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$echo "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)'
+      hardcode_libdir_flag_spec='-L$libdir'
+      hardcode_minus_L=yes
+      # see comment about different semantics on the GNU ld section
+      ld_shlibs=no
+      ;;
+
+    bsdi[45]*)
+      export_dynamic_flag_spec=-rdynamic
+      ;;
+
+    cygwin* | mingw* | pw32*)
+      # When not using gcc, we currently assume that we are using
+      # Microsoft Visual C++.
+      # hardcode_libdir_flag_spec is actually meaningless, as there is
+      # no search path for DLLs.
+      hardcode_libdir_flag_spec=' '
+      allow_undefined_flag=unsupported
+      # Tell ltmain to make .lib files, not .a files.
+      libext=lib
+      # Tell ltmain to make .dll files, not .so files.
+      shrext_cmds=".dll"
+      # FIXME: Setting linknames here is a bad hack.
+      archive_cmds='$CC -o $lib $libobjs $compiler_flags `echo "$deplibs" | $SED -e '\''s/ -lc$//'\''` -link -dll~linknames='
+      # The linker will automatically build a .lib file if we build a DLL.
+      old_archive_From_new_cmds='true'
+      # FIXME: Should let the user specify the lib program.
+      old_archive_cmds='lib -OUT:$oldlib$oldobjs$old_deplibs'
+      fix_srcfile_path='`cygpath -w "$srcfile"`'
+      enable_shared_with_static_runtimes=yes
+      ;;
+
+    darwin* | rhapsody*)
+      case $host_os in
+        rhapsody* | darwin1.[012])
+         allow_undefined_flag='${wl}-undefined ${wl}suppress'
+         ;;
+       *) # Darwin 1.3 on
+         if test -z ${MACOSX_DEPLOYMENT_TARGET} ; then
+           allow_undefined_flag='${wl}-flat_namespace ${wl}-undefined ${wl}suppress'
+         else
+           case ${MACOSX_DEPLOYMENT_TARGET} in
+             10.[012])
+               allow_undefined_flag='${wl}-flat_namespace ${wl}-undefined ${wl}suppress'
+               ;;
+             10.*)
+               allow_undefined_flag='${wl}-undefined ${wl}dynamic_lookup'
+               ;;
+           esac
+         fi
+         ;;
+      esac
+      archive_cmds_need_lc=no
+      hardcode_direct=no
+      hardcode_automatic=yes
+      hardcode_shlibpath_var=unsupported
+      whole_archive_flag_spec=''
+      link_all_deplibs=yes
+    if test "$GCC" = yes ; then
+    	output_verbose_link_cmd='echo'
+        archive_cmds="\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$libobjs \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring $_lt_dar_single_mod${_lt_dsymutil}"
+        module_cmds="\$CC \$allow_undefined_flag -o \$lib -bundle \$libobjs \$deplibs \$compiler_flags${_lt_dsymutil}"
+        archive_expsym_cmds="sed 's,^,_,' < \$export_symbols > \$output_objdir/\${libname}-symbols.expsym~\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$libobjs \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring ${_lt_dar_single_mod}${_lt_dar_export_syms}${_lt_dsymutil}"
+        module_expsym_cmds="sed -e 's,^,_,' < \$export_symbols > \$output_objdir/\${libname}-symbols.expsym~\$CC \$allow_undefined_flag -o \$lib -bundle \$libobjs \$deplibs \$compiler_flags${_lt_dar_export_syms}${_lt_dsymutil}"
+    else
+      case $cc_basename in
+        xlc*)
+         output_verbose_link_cmd='echo'
+         archive_cmds='$CC -qmkshrobj $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}`echo $rpath/$soname` $xlcverstring'
+         module_cmds='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
+          # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin lds
+         archive_expsym_cmds='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -qmkshrobj $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}$rpath/$soname $xlcverstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+          module_expsym_cmds='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag  -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+          ;;
+       *)
+         ld_shlibs=no
+          ;;
+      esac
+    fi
+      ;;
+
+    dgux*)
+      archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+      hardcode_libdir_flag_spec='-L$libdir'
+      hardcode_shlibpath_var=no
+      ;;
+
+    freebsd1*)
+      ld_shlibs=no
+      ;;
+
+    # FreeBSD 2.2.[012] allows us to include c++rt0.o to get C++ constructor
+    # support.  Future versions do this automatically, but an explicit c++rt0.o
+    # does not break anything, and helps significantly (at the cost of a little
+    # extra space).
+    freebsd2.2*)
+      archive_cmds='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags /usr/lib/c++rt0.o'
+      hardcode_libdir_flag_spec='-R$libdir'
+      hardcode_direct=yes
+      hardcode_shlibpath_var=no
+      ;;
+
+    # Unfortunately, older versions of FreeBSD 2 do not have this feature.
+    freebsd2*)
+      archive_cmds='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'
+      hardcode_direct=yes
+      hardcode_minus_L=yes
+      hardcode_shlibpath_var=no
+      ;;
+
+    # FreeBSD 3 and greater uses gcc -shared to do shared libraries.
+    freebsd* | dragonfly*)
+      archive_cmds='$CC -shared -o $lib $libobjs $deplibs $compiler_flags'
+      hardcode_libdir_flag_spec='-R$libdir'
+      hardcode_direct=yes
+      hardcode_shlibpath_var=no
+      ;;
+
+    hpux9*)
+      if test "$GCC" = yes; then
+	archive_cmds='$rm $output_objdir/$soname~$CC -shared -fPIC ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $libobjs $deplibs $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
+      else
+	archive_cmds='$rm $output_objdir/$soname~$LD -b +b $install_libdir -o $output_objdir/$soname $libobjs $deplibs $linker_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
+      fi
+      hardcode_libdir_flag_spec='${wl}+b ${wl}$libdir'
+      hardcode_libdir_separator=:
+      hardcode_direct=yes
+
+      # hardcode_minus_L: Not really in the search PATH,
+      # but as the default location of the library.
+      hardcode_minus_L=yes
+      export_dynamic_flag_spec='${wl}-E'
+      ;;
+
+    hpux10*)
+      if test "$GCC" = yes -a "$with_gnu_ld" = no; then
+	archive_cmds='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
+      else
+	archive_cmds='$LD -b +h $soname +b $install_libdir -o $lib $libobjs $deplibs $linker_flags'
+      fi
+      if test "$with_gnu_ld" = no; then
+	hardcode_libdir_flag_spec='${wl}+b ${wl}$libdir'
+	hardcode_libdir_separator=:
+
+	hardcode_direct=yes
+	export_dynamic_flag_spec='${wl}-E'
+
+	# hardcode_minus_L: Not really in the search PATH,
+	# but as the default location of the library.
+	hardcode_minus_L=yes
+      fi
+      ;;
+
+    hpux11*)
+      if test "$GCC" = yes -a "$with_gnu_ld" = no; then
+	case $host_cpu in
+	hppa*64*)
+	  archive_cmds='$CC -shared ${wl}+h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
+	  ;;
+	ia64*)
+	  archive_cmds='$CC -shared ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags'
+	  ;;
+	*)
+	  archive_cmds='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
+	  ;;
+	esac
+      else
+	case $host_cpu in
+	hppa*64*)
+	  archive_cmds='$CC -b ${wl}+h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
+	  ;;
+	ia64*)
+	  archive_cmds='$CC -b ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags'
+	  ;;
+	*)
+	  archive_cmds='$CC -b ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
+	  ;;
+	esac
+      fi
+      if test "$with_gnu_ld" = no; then
+	hardcode_libdir_flag_spec='${wl}+b ${wl}$libdir'
+	hardcode_libdir_separator=:
+
+	case $host_cpu in
+	hppa*64*|ia64*)
+	  hardcode_libdir_flag_spec_ld='+b $libdir'
+	  hardcode_direct=no
+	  hardcode_shlibpath_var=no
+	  ;;
+	*)
+	  hardcode_direct=yes
+	  export_dynamic_flag_spec='${wl}-E'
+
+	  # hardcode_minus_L: Not really in the search PATH,
+	  # but as the default location of the library.
+	  hardcode_minus_L=yes
+	  ;;
+	esac
+      fi
+      ;;
+
+    irix5* | irix6* | nonstopux*)
+      if test "$GCC" = yes; then
+	archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+      else
+	archive_cmds='$LD -shared $libobjs $deplibs $linker_flags -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
+	hardcode_libdir_flag_spec_ld='-rpath $libdir'
+      fi
+      hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir'
+      hardcode_libdir_separator=:
+      link_all_deplibs=yes
+      ;;
+
+    netbsd* | netbsdelf*-gnu)
+      if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
+	archive_cmds='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'  # a.out
+      else
+	archive_cmds='$LD -shared -o $lib $libobjs $deplibs $linker_flags'      # ELF
+      fi
+      hardcode_libdir_flag_spec='-R$libdir'
+      hardcode_direct=yes
+      hardcode_shlibpath_var=no
+      ;;
+
+    newsos6)
+      archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+      hardcode_direct=yes
+      hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir'
+      hardcode_libdir_separator=:
+      hardcode_shlibpath_var=no
+      ;;
+
+    openbsd*)
+      if test -f /usr/libexec/ld.so; then
+	hardcode_direct=yes
+	hardcode_shlibpath_var=no
+	if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
+	  archive_cmds='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
+	  archive_expsym_cmds='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-retain-symbols-file,$export_symbols'
+	  hardcode_libdir_flag_spec='${wl}-rpath,$libdir'
+	  export_dynamic_flag_spec='${wl}-E'
+	else
+	  case $host_os in
+	   openbsd[01].* | openbsd2.[0-7] | openbsd2.[0-7].*)
+	     archive_cmds='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'
+	     hardcode_libdir_flag_spec='-R$libdir'
+	     ;;
+	   *)
+	     archive_cmds='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
+	     hardcode_libdir_flag_spec='${wl}-rpath,$libdir'
+	     ;;
+	  esac
+        fi
+      else
+	ld_shlibs=no
+      fi
+      ;;
+
+    os2*)
+      hardcode_libdir_flag_spec='-L$libdir'
+      hardcode_minus_L=yes
+      allow_undefined_flag=unsupported
+      archive_cmds='$echo "LIBRARY $libname INITINSTANCE" > $output_objdir/$libname.def~$echo "DESCRIPTION \"$libname\"" >> $output_objdir/$libname.def~$echo DATA >> $output_objdir/$libname.def~$echo " SINGLE NONSHARED" >> $output_objdir/$libname.def~$echo EXPORTS >> $output_objdir/$libname.def~emxexp $libobjs >> $output_objdir/$libname.def~$CC -Zdll -Zcrtdll -o $lib $libobjs $deplibs $compiler_flags $output_objdir/$libname.def'
+      old_archive_From_new_cmds='emximp -o $output_objdir/$libname.a $output_objdir/$libname.def'
+      ;;
+
+    osf3*)
+      if test "$GCC" = yes; then
+	allow_undefined_flag=' ${wl}-expect_unresolved ${wl}\*'
+	archive_cmds='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+      else
+	allow_undefined_flag=' -expect_unresolved \*'
+	archive_cmds='$LD -shared${allow_undefined_flag} $libobjs $deplibs $linker_flags -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
+      fi
+      hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir'
+      hardcode_libdir_separator=:
+      ;;
+
+    osf4* | osf5*)	# as osf3* with the addition of -msym flag
+      if test "$GCC" = yes; then
+	allow_undefined_flag=' ${wl}-expect_unresolved ${wl}\*'
+	archive_cmds='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-msym ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+	hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir'
+      else
+	allow_undefined_flag=' -expect_unresolved \*'
+	archive_cmds='$LD -shared${allow_undefined_flag} $libobjs $deplibs $linker_flags -msym -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
+	archive_expsym_cmds='for i in `cat $export_symbols`; do printf "%s %s\\n" -exported_symbol "\$i" >> $lib.exp; done; echo "-hidden">> $lib.exp~
+	$LD -shared${allow_undefined_flag} -input $lib.exp $linker_flags $libobjs $deplibs -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib~$rm $lib.exp'
+
+	# Both c and cxx compiler support -rpath directly
+	hardcode_libdir_flag_spec='-rpath $libdir'
+      fi
+      hardcode_libdir_separator=:
+      ;;
+
+    solaris*)
+      no_undefined_flag=' -z text'
+      if test "$GCC" = yes; then
+	wlarc='${wl}'
+	archive_cmds='$CC -shared ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
+	archive_expsym_cmds='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
+	  $CC -shared ${wl}-M ${wl}$lib.exp ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags~$rm $lib.exp'
+      else
+	wlarc=''
+	archive_cmds='$LD -G${allow_undefined_flag} -h $soname -o $lib $libobjs $deplibs $linker_flags'
+	archive_expsym_cmds='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
+  	$LD -G${allow_undefined_flag} -M $lib.exp -h $soname -o $lib $libobjs $deplibs $linker_flags~$rm $lib.exp'
+      fi
+      hardcode_libdir_flag_spec='-R$libdir'
+      hardcode_shlibpath_var=no
+      case $host_os in
+      solaris2.[0-5] | solaris2.[0-5].*) ;;
+      *)
+	# The compiler driver will combine and reorder linker options,
+	# but understands `-z linker_flag'.  GCC discards it without `$wl',
+	# but is careful enough not to reorder.
+ 	# Supported since Solaris 2.6 (maybe 2.5.1?)
+	if test "$GCC" = yes; then
+	  whole_archive_flag_spec='${wl}-z ${wl}allextract$convenience ${wl}-z ${wl}defaultextract'
+	else
+	  whole_archive_flag_spec='-z allextract$convenience -z defaultextract'
+	fi
+	;;
+      esac
+      link_all_deplibs=yes
+      ;;
+
+    sunos4*)
+      if test "x$host_vendor" = xsequent; then
+	# Use $CC to link under sequent, because it throws in some extra .o
+	# files that make .init and .fini sections work.
+	archive_cmds='$CC -G ${wl}-h $soname -o $lib $libobjs $deplibs $compiler_flags'
+      else
+	archive_cmds='$LD -assert pure-text -Bstatic -o $lib $libobjs $deplibs $linker_flags'
+      fi
+      hardcode_libdir_flag_spec='-L$libdir'
+      hardcode_direct=yes
+      hardcode_minus_L=yes
+      hardcode_shlibpath_var=no
+      ;;
+
+    sysv4)
+      case $host_vendor in
+	sni)
+	  archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+	  hardcode_direct=yes # is this really true???
+	;;
+	siemens)
+	  ## LD is ld it makes a PLAMLIB
+	  ## CC just makes a GrossModule.
+	  archive_cmds='$LD -G -o $lib $libobjs $deplibs $linker_flags'
+	  reload_cmds='$CC -r -o $output$reload_objs'
+	  hardcode_direct=no
+        ;;
+	motorola)
+	  archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+	  hardcode_direct=no #Motorola manual says yes, but my tests say they lie
+	;;
+      esac
+      runpath_var='LD_RUN_PATH'
+      hardcode_shlibpath_var=no
+      ;;
+
+    sysv4.3*)
+      archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+      hardcode_shlibpath_var=no
+      export_dynamic_flag_spec='-Bexport'
+      ;;
+
+    sysv4*MP*)
+      if test -d /usr/nec; then
+	archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+	hardcode_shlibpath_var=no
+	runpath_var=LD_RUN_PATH
+	hardcode_runpath_var=yes
+	ld_shlibs=yes
+      fi
+      ;;
+
+    sysv4*uw2* | sysv5OpenUNIX* | sysv5UnixWare7.[01].[10]* | unixware7* | sco3.2v5.0.[024]*)
+      no_undefined_flag='${wl}-z,text'
+      archive_cmds_need_lc=no
+      hardcode_shlibpath_var=no
+      runpath_var='LD_RUN_PATH'
+
+      if test "$GCC" = yes; then
+	archive_cmds='$CC -shared ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+	archive_expsym_cmds='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+      else
+	archive_cmds='$CC -G ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+	archive_expsym_cmds='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+      fi
+      ;;
+
+    sysv5* | sco3.2v5* | sco5v6*)
+      # Note: We can NOT use -z defs as we might desire, because we do not
+      # link with -lc, and that would cause any symbols used from libc to
+      # always be unresolved, which means just about no library would
+      # ever link correctly.  If we're not using GNU ld we use -z text
+      # though, which does catch some bad symbols but isn't as heavy-handed
+      # as -z defs.
+      no_undefined_flag='${wl}-z,text'
+      allow_undefined_flag='${wl}-z,nodefs'
+      archive_cmds_need_lc=no
+      hardcode_shlibpath_var=no
+      hardcode_libdir_flag_spec='`test -z "$SCOABSPATH" && echo ${wl}-R,$libdir`'
+      hardcode_libdir_separator=':'
+      link_all_deplibs=yes
+      export_dynamic_flag_spec='${wl}-Bexport'
+      runpath_var='LD_RUN_PATH'
+
+      if test "$GCC" = yes; then
+	archive_cmds='$CC -shared ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
+	archive_expsym_cmds='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
+      else
+	archive_cmds='$CC -G ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
+	archive_expsym_cmds='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
+      fi
+      ;;
+
+    uts4*)
+      archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+      hardcode_libdir_flag_spec='-L$libdir'
+      hardcode_shlibpath_var=no
+      ;;
+
+    *)
+      ld_shlibs=no
+      ;;
+    esac
+  fi
+
+{ echo "$as_me:$LINENO: result: $ld_shlibs" >&5
+echo "${ECHO_T}$ld_shlibs" >&6; }
+test "$ld_shlibs" = no && can_build_shared=no
+
+#
+# Do we need to explicitly link libc?
+#
+case "x$archive_cmds_need_lc" in
+x|xyes)
+  # Assume -lc should be added
+  archive_cmds_need_lc=yes
+
+  if test "$enable_shared" = yes && test "$GCC" = yes; then
+    case $archive_cmds in
+    *'~'*)
+      # FIXME: we may have to deal with multi-command sequences.
+      ;;
+    '$CC '*)
+      # Test whether the compiler implicitly links with -lc since on some
+      # systems, -lgcc has to come before -lc. If gcc already passes -lc
+      # to ld, don't add -lc before -lgcc.
+      { echo "$as_me:$LINENO: checking whether -lc should be explicitly linked in" >&5
+echo $ECHO_N "checking whether -lc should be explicitly linked in... $ECHO_C" >&6; }
+      $rm conftest*
+      echo "$lt_simple_compile_test_code" > conftest.$ac_ext
+
+      if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } 2>conftest.err; then
+        soname=conftest
+        lib=conftest
+        libobjs=conftest.$ac_objext
+        deplibs=
+        wl=$lt_prog_compiler_wl
+	pic_flag=$lt_prog_compiler_pic
+        compiler_flags=-v
+        linker_flags=-v
+        verstring=
+        output_objdir=.
+        libname=conftest
+        lt_save_allow_undefined_flag=$allow_undefined_flag
+        allow_undefined_flag=
+        if { (eval echo "$as_me:$LINENO: \"$archive_cmds 2\>\&1 \| grep \" -lc \" \>/dev/null 2\>\&1\"") >&5
+  (eval $archive_cmds 2\>\&1 \| grep \" -lc \" \>/dev/null 2\>\&1) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }
+        then
+	  archive_cmds_need_lc=no
+        else
+	  archive_cmds_need_lc=yes
+        fi
+        allow_undefined_flag=$lt_save_allow_undefined_flag
+      else
+        cat conftest.err 1>&5
+      fi
+      $rm conftest*
+      { echo "$as_me:$LINENO: result: $archive_cmds_need_lc" >&5
+echo "${ECHO_T}$archive_cmds_need_lc" >&6; }
+      ;;
+    esac
+  fi
+  ;;
+esac
+
+{ echo "$as_me:$LINENO: checking dynamic linker characteristics" >&5
+echo $ECHO_N "checking dynamic linker characteristics... $ECHO_C" >&6; }
+library_names_spec=
+libname_spec='lib$name'
+soname_spec=
+shrext_cmds=".so"
+postinstall_cmds=
+postuninstall_cmds=
+finish_cmds=
+finish_eval=
+shlibpath_var=
+shlibpath_overrides_runpath=unknown
+version_type=none
+dynamic_linker="$host_os ld.so"
+sys_lib_dlsearch_path_spec="/lib /usr/lib"
+
+if test "$GCC" = yes; then
+  case $host_os in
+    darwin*) lt_awk_arg="/^libraries:/,/LR/" ;;
+    *) lt_awk_arg="/^libraries:/" ;;
+  esac
+  lt_search_path_spec=`$CC -print-search-dirs | awk $lt_awk_arg | $SED -e "s/^libraries://" -e "s,=/,/,g"`
+  if echo "$lt_search_path_spec" | grep ';' >/dev/null ; then
+    # if the path contains ";" then we assume it to be the separator
+    # otherwise default to the standard path separator (i.e. ":") - it is
+    # assumed that no part of a normal pathname contains ";" but that should
+    # okay in the real world where ";" in dirpaths is itself problematic.
+    lt_search_path_spec=`echo "$lt_search_path_spec" | $SED -e 's/;/ /g'`
+  else
+    lt_search_path_spec=`echo "$lt_search_path_spec" | $SED  -e "s/$PATH_SEPARATOR/ /g"`
+  fi
+  # Ok, now we have the path, separated by spaces, we can step through it
+  # and add multilib dir if necessary.
+  lt_tmp_lt_search_path_spec=
+  lt_multi_os_dir=`$CC $CPPFLAGS $CFLAGS $LDFLAGS -print-multi-os-directory 2>/dev/null`
+  for lt_sys_path in $lt_search_path_spec; do
+    if test -d "$lt_sys_path/$lt_multi_os_dir"; then
+      lt_tmp_lt_search_path_spec="$lt_tmp_lt_search_path_spec $lt_sys_path/$lt_multi_os_dir"
+    else
+      test -d "$lt_sys_path" && \
+	lt_tmp_lt_search_path_spec="$lt_tmp_lt_search_path_spec $lt_sys_path"
+    fi
+  done
+  lt_search_path_spec=`echo $lt_tmp_lt_search_path_spec | awk '
+BEGIN {RS=" "; FS="/|\n";} {
+  lt_foo="";
+  lt_count=0;
+  for (lt_i = NF; lt_i > 0; lt_i--) {
+    if ($lt_i != "" && $lt_i != ".") {
+      if ($lt_i == "..") {
+        lt_count++;
+      } else {
+        if (lt_count == 0) {
+          lt_foo="/" $lt_i lt_foo;
+        } else {
+          lt_count--;
+        }
+      }
+    }
+  }
+  if (lt_foo != "") { lt_freq[lt_foo]++; }
+  if (lt_freq[lt_foo] == 1) { print lt_foo; }
+}'`
+  sys_lib_search_path_spec=`echo $lt_search_path_spec`
+else
+  sys_lib_search_path_spec="/lib /usr/lib /usr/local/lib"
+fi
+need_lib_prefix=unknown
+hardcode_into_libs=no
+
+# when you set need_version to no, make sure it does not cause -set_version
+# flags to be left without arguments
+need_version=unknown
+
+case $host_os in
+aix3*)
+  version_type=linux
+  library_names_spec='${libname}${release}${shared_ext}$versuffix $libname.a'
+  shlibpath_var=LIBPATH
+
+  # AIX 3 has no versioning support, so we append a major version to the name.
+  soname_spec='${libname}${release}${shared_ext}$major'
+  ;;
+
+aix[4-9]*)
+  version_type=linux
+  need_lib_prefix=no
+  need_version=no
+  hardcode_into_libs=yes
+  if test "$host_cpu" = ia64; then
+    # AIX 5 supports IA64
+    library_names_spec='${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext}$versuffix $libname${shared_ext}'
+    shlibpath_var=LD_LIBRARY_PATH
+  else
+    # With GCC up to 2.95.x, collect2 would create an import file
+    # for dependence libraries.  The import file would start with
+    # the line `#! .'.  This would cause the generated library to
+    # depend on `.', always an invalid library.  This was fixed in
+    # development snapshots of GCC prior to 3.0.
+    case $host_os in
+      aix4 | aix4.[01] | aix4.[01].*)
+      if { echo '#if __GNUC__ > 2 || (__GNUC__ == 2 && __GNUC_MINOR__ >= 97)'
+	   echo ' yes '
+	   echo '#endif'; } | ${CC} -E - | grep yes > /dev/null; then
+	:
+      else
+	can_build_shared=no
+      fi
+      ;;
+    esac
+    # AIX (on Power*) has no versioning support, so currently we can not hardcode correct
+    # soname into executable. Probably we can add versioning support to
+    # collect2, so additional links can be useful in future.
+    if test "$aix_use_runtimelinking" = yes; then
+      # If using run time linking (on AIX 4.2 or later) use lib<name>.so
+      # instead of lib<name>.a to let people know that these are not
+      # typical AIX shared libraries.
+      library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+    else
+      # We preserve .a as extension for shared libraries through AIX4.2
+      # and later when we are not doing run time linking.
+      library_names_spec='${libname}${release}.a $libname.a'
+      soname_spec='${libname}${release}${shared_ext}$major'
+    fi
+    shlibpath_var=LIBPATH
+  fi
+  ;;
+
+amigaos*)
+  library_names_spec='$libname.ixlibrary $libname.a'
+  # Create ${libname}_ixlibrary.a entries in /sys/libs.
+  finish_eval='for lib in `ls $libdir/*.ixlibrary 2>/dev/null`; do libname=`$echo "X$lib" | $Xsed -e '\''s%^.*/\([^/]*\)\.ixlibrary$%\1%'\''`; test $rm /sys/libs/${libname}_ixlibrary.a; $show "cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a"; cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a || exit 1; done'
+  ;;
+
+beos*)
+  library_names_spec='${libname}${shared_ext}'
+  dynamic_linker="$host_os ld.so"
+  shlibpath_var=LIBRARY_PATH
+  ;;
+
+bsdi[45]*)
+  version_type=linux
+  need_version=no
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  finish_cmds='PATH="\$PATH:/sbin" ldconfig $libdir'
+  shlibpath_var=LD_LIBRARY_PATH
+  sys_lib_search_path_spec="/shlib /usr/lib /usr/X11/lib /usr/contrib/lib /lib /usr/local/lib"
+  sys_lib_dlsearch_path_spec="/shlib /usr/lib /usr/local/lib"
+  # the default ld.so.conf also contains /usr/contrib/lib and
+  # /usr/X11R6/lib (/usr/X11 is a link to /usr/X11R6), but let us allow
+  # libtool to hard-code these into programs
+  ;;
+
+cygwin* | mingw* | pw32*)
+  version_type=windows
+  shrext_cmds=".dll"
+  need_version=no
+  need_lib_prefix=no
+
+  case $GCC,$host_os in
+  yes,cygwin* | yes,mingw* | yes,pw32*)
+    library_names_spec='$libname.dll.a'
+    # DLL is installed to $(libdir)/../bin by postinstall_cmds
+    postinstall_cmds='base_file=`basename \${file}`~
+      dlpath=`$SHELL 2>&1 -c '\''. $dir/'\''\${base_file}'\''i;echo \$dlname'\''`~
+      dldir=$destdir/`dirname \$dlpath`~
+      test -d \$dldir || mkdir -p \$dldir~
+      $install_prog $dir/$dlname \$dldir/$dlname~
+      chmod a+x \$dldir/$dlname'
+    postuninstall_cmds='dldll=`$SHELL 2>&1 -c '\''. $file; echo \$dlname'\''`~
+      dlpath=$dir/\$dldll~
+       $rm \$dlpath'
+    shlibpath_overrides_runpath=yes
+
+    case $host_os in
+    cygwin*)
+      # Cygwin DLLs use 'cyg' prefix rather than 'lib'
+      soname_spec='`echo ${libname} | sed -e 's/^lib/cyg/'``echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}'
+      sys_lib_search_path_spec="/usr/lib /lib/w32api /lib /usr/local/lib"
+      ;;
+    mingw*)
+      # MinGW DLLs use traditional 'lib' prefix
+      soname_spec='${libname}`echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}'
+      sys_lib_search_path_spec=`$CC -print-search-dirs | grep "^libraries:" | $SED -e "s/^libraries://" -e "s,=/,/,g"`
+      if echo "$sys_lib_search_path_spec" | grep ';[c-zC-Z]:/' >/dev/null; then
+        # It is most probably a Windows format PATH printed by
+        # mingw gcc, but we are running on Cygwin. Gcc prints its search
+        # path with ; separators, and with drive letters. We can handle the
+        # drive letters (cygwin fileutils understands them), so leave them,
+        # especially as we might pass files found there to a mingw objdump,
+        # which wouldn't understand a cygwinified path. Ahh.
+        sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'`
+      else
+        sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED  -e "s/$PATH_SEPARATOR/ /g"`
+      fi
+      ;;
+    pw32*)
+      # pw32 DLLs use 'pw' prefix rather than 'lib'
+      library_names_spec='`echo ${libname} | sed -e 's/^lib/pw/'``echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}'
+      ;;
+    esac
+    ;;
+
+  *)
+    library_names_spec='${libname}`echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext} $libname.lib'
+    ;;
+  esac
+  dynamic_linker='Win32 ld.exe'
+  # FIXME: first we should search . and the directory the executable is in
+  shlibpath_var=PATH
+  ;;
+
+darwin* | rhapsody*)
+  dynamic_linker="$host_os dyld"
+  version_type=darwin
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='${libname}${release}${versuffix}$shared_ext ${libname}${release}${major}$shared_ext ${libname}$shared_ext'
+  soname_spec='${libname}${release}${major}$shared_ext'
+  shlibpath_overrides_runpath=yes
+  shlibpath_var=DYLD_LIBRARY_PATH
+  shrext_cmds='`test .$module = .yes && echo .so || echo .dylib`'
+
+  sys_lib_search_path_spec="$sys_lib_search_path_spec /usr/local/lib"
+  sys_lib_dlsearch_path_spec='/usr/local/lib /lib /usr/lib'
+  ;;
+
+dgux*)
+  version_type=linux
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname$shared_ext'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  shlibpath_var=LD_LIBRARY_PATH
+  ;;
+
+freebsd1*)
+  dynamic_linker=no
+  ;;
+
+freebsd* | dragonfly*)
+  # DragonFly does not have aout.  When/if they implement a new
+  # versioning mechanism, adjust this.
+  if test -x /usr/bin/objformat; then
+    objformat=`/usr/bin/objformat`
+  else
+    case $host_os in
+    freebsd[123]*) objformat=aout ;;
+    *) objformat=elf ;;
+    esac
+  fi
+  version_type=freebsd-$objformat
+  case $version_type in
+    freebsd-elf*)
+      library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext} $libname${shared_ext}'
+      need_version=no
+      need_lib_prefix=no
+      ;;
+    freebsd-*)
+      library_names_spec='${libname}${release}${shared_ext}$versuffix $libname${shared_ext}$versuffix'
+      need_version=yes
+      ;;
+  esac
+  shlibpath_var=LD_LIBRARY_PATH
+  case $host_os in
+  freebsd2*)
+    shlibpath_overrides_runpath=yes
+    ;;
+  freebsd3.[01]* | freebsdelf3.[01]*)
+    shlibpath_overrides_runpath=yes
+    hardcode_into_libs=yes
+    ;;
+  freebsd3.[2-9]* | freebsdelf3.[2-9]* | \
+  freebsd4.[0-5] | freebsdelf4.[0-5] | freebsd4.1.1 | freebsdelf4.1.1)
+    shlibpath_overrides_runpath=no
+    hardcode_into_libs=yes
+    ;;
+  *) # from 4.6 on, and DragonFly
+    shlibpath_overrides_runpath=yes
+    hardcode_into_libs=yes
+    ;;
+  esac
+  ;;
+
+gnu*)
+  version_type=linux
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}${major} ${libname}${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  shlibpath_var=LD_LIBRARY_PATH
+  hardcode_into_libs=yes
+  ;;
+
+hpux9* | hpux10* | hpux11*)
+  # Give a soname corresponding to the major version so that dld.sl refuses to
+  # link against other versions.
+  version_type=sunos
+  need_lib_prefix=no
+  need_version=no
+  case $host_cpu in
+  ia64*)
+    shrext_cmds='.so'
+    hardcode_into_libs=yes
+    dynamic_linker="$host_os dld.so"
+    shlibpath_var=LD_LIBRARY_PATH
+    shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
+    library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+    soname_spec='${libname}${release}${shared_ext}$major'
+    if test "X$HPUX_IA64_MODE" = X32; then
+      sys_lib_search_path_spec="/usr/lib/hpux32 /usr/local/lib/hpux32 /usr/local/lib"
+    else
+      sys_lib_search_path_spec="/usr/lib/hpux64 /usr/local/lib/hpux64"
+    fi
+    sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
+    ;;
+   hppa*64*)
+     shrext_cmds='.sl'
+     hardcode_into_libs=yes
+     dynamic_linker="$host_os dld.sl"
+     shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH
+     shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
+     library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+     soname_spec='${libname}${release}${shared_ext}$major'
+     sys_lib_search_path_spec="/usr/lib/pa20_64 /usr/ccs/lib/pa20_64"
+     sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
+     ;;
+   *)
+    shrext_cmds='.sl'
+    dynamic_linker="$host_os dld.sl"
+    shlibpath_var=SHLIB_PATH
+    shlibpath_overrides_runpath=no # +s is required to enable SHLIB_PATH
+    library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+    soname_spec='${libname}${release}${shared_ext}$major'
+    ;;
+  esac
+  # HP-UX runs *really* slowly unless shared libraries are mode 555.
+  postinstall_cmds='chmod 555 $lib'
+  ;;
+
+interix[3-9]*)
+  version_type=linux
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  dynamic_linker='Interix 3.x ld.so.1 (PE, like ELF)'
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=no
+  hardcode_into_libs=yes
+  ;;
+
+irix5* | irix6* | nonstopux*)
+  case $host_os in
+    nonstopux*) version_type=nonstopux ;;
+    *)
+	if test "$lt_cv_prog_gnu_ld" = yes; then
+		version_type=linux
+	else
+		version_type=irix
+	fi ;;
+  esac
+  need_lib_prefix=no
+  need_version=no
+  soname_spec='${libname}${release}${shared_ext}$major'
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext} $libname${shared_ext}'
+  case $host_os in
+  irix5* | nonstopux*)
+    libsuff= shlibsuff=
+    ;;
+  *)
+    case $LD in # libtool.m4 will add one of these switches to LD
+    *-32|*"-32 "|*-melf32bsmip|*"-melf32bsmip ")
+      libsuff= shlibsuff= libmagic=32-bit;;
+    *-n32|*"-n32 "|*-melf32bmipn32|*"-melf32bmipn32 ")
+      libsuff=32 shlibsuff=N32 libmagic=N32;;
+    *-64|*"-64 "|*-melf64bmip|*"-melf64bmip ")
+      libsuff=64 shlibsuff=64 libmagic=64-bit;;
+    *) libsuff= shlibsuff= libmagic=never-match;;
+    esac
+    ;;
+  esac
+  shlibpath_var=LD_LIBRARY${shlibsuff}_PATH
+  shlibpath_overrides_runpath=no
+  sys_lib_search_path_spec="/usr/lib${libsuff} /lib${libsuff} /usr/local/lib${libsuff}"
+  sys_lib_dlsearch_path_spec="/usr/lib${libsuff} /lib${libsuff}"
+  hardcode_into_libs=yes
+  ;;
+
+# No shared lib support for Linux oldld, aout, or coff.
+linux*oldld* | linux*aout* | linux*coff*)
+  dynamic_linker=no
+  ;;
+
+# This must be Linux ELF.
+linux* | k*bsd*-gnu)
+  version_type=linux
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  finish_cmds='PATH="\$PATH:/sbin" ldconfig -n $libdir'
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=no
+  # This implies no fast_install, which is unacceptable.
+  # Some rework will be needed to allow for fast_install
+  # before this can be enabled.
+  hardcode_into_libs=yes
+
+  # Append ld.so.conf contents to the search path
+  if test -f /etc/ld.so.conf; then
+    lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ 	]*hwcap[ 	]/d;s/[:,	]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;/^$/d' | tr '\n' ' '`
+    sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
+  fi
+
+  # We used to test for /lib/ld.so.1 and disable shared libraries on
+  # powerpc, because MkLinux only supported shared libraries with the
+  # GNU dynamic linker.  Since this was broken with cross compilers,
+  # most powerpc-linux boxes support dynamic linking these days and
+  # people can always --disable-shared, the test was removed, and we
+  # assume the GNU/Linux dynamic linker is in use.
+  dynamic_linker='GNU/Linux ld.so'
+  ;;
+
+netbsdelf*-gnu)
+  version_type=linux
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=no
+  hardcode_into_libs=yes
+  dynamic_linker='NetBSD ld.elf_so'
+  ;;
+
+netbsd*)
+  version_type=sunos
+  need_lib_prefix=no
+  need_version=no
+  if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
+    library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
+    finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
+    dynamic_linker='NetBSD (a.out) ld.so'
+  else
+    library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
+    soname_spec='${libname}${release}${shared_ext}$major'
+    dynamic_linker='NetBSD ld.elf_so'
+  fi
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=yes
+  hardcode_into_libs=yes
+  ;;
+
+newsos6)
+  version_type=linux
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=yes
+  ;;
+
+nto-qnx*)
+  version_type=linux
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=yes
+  ;;
+
+openbsd*)
+  version_type=sunos
+  sys_lib_dlsearch_path_spec="/usr/lib"
+  need_lib_prefix=no
+  # Some older versions of OpenBSD (3.3 at least) *do* need versioned libs.
+  case $host_os in
+    openbsd3.3 | openbsd3.3.*) need_version=yes ;;
+    *)                         need_version=no  ;;
+  esac
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
+  finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
+  shlibpath_var=LD_LIBRARY_PATH
+  if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
+    case $host_os in
+      openbsd2.[89] | openbsd2.[89].*)
+	shlibpath_overrides_runpath=no
+	;;
+      *)
+	shlibpath_overrides_runpath=yes
+	;;
+      esac
+  else
+    shlibpath_overrides_runpath=yes
+  fi
+  ;;
+
+os2*)
+  libname_spec='$name'
+  shrext_cmds=".dll"
+  need_lib_prefix=no
+  library_names_spec='$libname${shared_ext} $libname.a'
+  dynamic_linker='OS/2 ld.exe'
+  shlibpath_var=LIBPATH
+  ;;
+
+osf3* | osf4* | osf5*)
+  version_type=osf
+  need_lib_prefix=no
+  need_version=no
+  soname_spec='${libname}${release}${shared_ext}$major'
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+  shlibpath_var=LD_LIBRARY_PATH
+  sys_lib_search_path_spec="/usr/shlib /usr/ccs/lib /usr/lib/cmplrs/cc /usr/lib /usr/local/lib /var/shlib"
+  sys_lib_dlsearch_path_spec="$sys_lib_search_path_spec"
+  ;;
+
+rdos*)
+  dynamic_linker=no
+  ;;
+
+solaris*)
+  version_type=linux
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=yes
+  hardcode_into_libs=yes
+  # ldd complains unless libraries are executable
+  postinstall_cmds='chmod +x $lib'
+  ;;
+
+sunos4*)
+  version_type=sunos
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
+  finish_cmds='PATH="\$PATH:/usr/etc" ldconfig $libdir'
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=yes
+  if test "$with_gnu_ld" = yes; then
+    need_lib_prefix=no
+  fi
+  need_version=yes
+  ;;
+
+sysv4 | sysv4.3*)
+  version_type=linux
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  shlibpath_var=LD_LIBRARY_PATH
+  case $host_vendor in
+    sni)
+      shlibpath_overrides_runpath=no
+      need_lib_prefix=no
+      export_dynamic_flag_spec='${wl}-Blargedynsym'
+      runpath_var=LD_RUN_PATH
+      ;;
+    siemens)
+      need_lib_prefix=no
+      ;;
+    motorola)
+      need_lib_prefix=no
+      need_version=no
+      shlibpath_overrides_runpath=no
+      sys_lib_search_path_spec='/lib /usr/lib /usr/ccs/lib'
+      ;;
+  esac
+  ;;
+
+sysv4*MP*)
+  if test -d /usr/nec ;then
+    version_type=linux
+    library_names_spec='$libname${shared_ext}.$versuffix $libname${shared_ext}.$major $libname${shared_ext}'
+    soname_spec='$libname${shared_ext}.$major'
+    shlibpath_var=LD_LIBRARY_PATH
+  fi
+  ;;
+
+sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX* | sysv4*uw2*)
+  version_type=freebsd-elf
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext} $libname${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  shlibpath_var=LD_LIBRARY_PATH
+  hardcode_into_libs=yes
+  if test "$with_gnu_ld" = yes; then
+    sys_lib_search_path_spec='/usr/local/lib /usr/gnu/lib /usr/ccs/lib /usr/lib /lib'
+    shlibpath_overrides_runpath=no
+  else
+    sys_lib_search_path_spec='/usr/ccs/lib /usr/lib'
+    shlibpath_overrides_runpath=yes
+    case $host_os in
+      sco3.2v5*)
+        sys_lib_search_path_spec="$sys_lib_search_path_spec /lib"
+	;;
+    esac
+  fi
+  sys_lib_dlsearch_path_spec='/usr/lib'
+  ;;
+
+uts4*)
+  version_type=linux
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  shlibpath_var=LD_LIBRARY_PATH
+  ;;
+
+*)
+  dynamic_linker=no
+  ;;
+esac
+{ echo "$as_me:$LINENO: result: $dynamic_linker" >&5
+echo "${ECHO_T}$dynamic_linker" >&6; }
+test "$dynamic_linker" = no && can_build_shared=no
+
+if test "${lt_cv_sys_lib_search_path_spec+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  lt_cv_sys_lib_search_path_spec="$sys_lib_search_path_spec"
+fi
+
+sys_lib_search_path_spec="$lt_cv_sys_lib_search_path_spec"
+if test "${lt_cv_sys_lib_dlsearch_path_spec+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  lt_cv_sys_lib_dlsearch_path_spec="$sys_lib_dlsearch_path_spec"
+fi
+
+sys_lib_dlsearch_path_spec="$lt_cv_sys_lib_dlsearch_path_spec"
+
+variables_saved_for_relink="PATH $shlibpath_var $runpath_var"
+if test "$GCC" = yes; then
+  variables_saved_for_relink="$variables_saved_for_relink GCC_EXEC_PREFIX COMPILER_PATH LIBRARY_PATH"
+fi
+
+{ echo "$as_me:$LINENO: checking how to hardcode library paths into programs" >&5
+echo $ECHO_N "checking how to hardcode library paths into programs... $ECHO_C" >&6; }
+hardcode_action=
+if test -n "$hardcode_libdir_flag_spec" || \
+   test -n "$runpath_var" || \
+   test "X$hardcode_automatic" = "Xyes" ; then
+
+  # We can hardcode non-existant directories.
+  if test "$hardcode_direct" != no &&
+     # If the only mechanism to avoid hardcoding is shlibpath_var, we
+     # have to relink, otherwise we might link with an installed library
+     # when we should be linking with a yet-to-be-installed one
+     ## test "$_LT_AC_TAGVAR(hardcode_shlibpath_var, )" != no &&
+     test "$hardcode_minus_L" != no; then
+    # Linking always hardcodes the temporary library directory.
+    hardcode_action=relink
+  else
+    # We can link without hardcoding, and we can hardcode nonexisting dirs.
+    hardcode_action=immediate
+  fi
+else
+  # We cannot hardcode anything, or else we can only hardcode existing
+  # directories.
+  hardcode_action=unsupported
+fi
+{ echo "$as_me:$LINENO: result: $hardcode_action" >&5
+echo "${ECHO_T}$hardcode_action" >&6; }
+
+if test "$hardcode_action" = relink; then
+  # Fast installation is not supported
+  enable_fast_install=no
+elif test "$shlibpath_overrides_runpath" = yes ||
+     test "$enable_shared" = no; then
+  # Fast installation is not necessary
+  enable_fast_install=needless
+fi
+
+striplib=
+old_striplib=
+{ echo "$as_me:$LINENO: checking whether stripping libraries is possible" >&5
+echo $ECHO_N "checking whether stripping libraries is possible... $ECHO_C" >&6; }
+if test -n "$STRIP" && $STRIP -V 2>&1 | grep "GNU strip" >/dev/null; then
+  test -z "$old_striplib" && old_striplib="$STRIP --strip-debug"
+  test -z "$striplib" && striplib="$STRIP --strip-unneeded"
+  { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
+else
+# FIXME - insert some real tests, host_os isn't really good enough
+  case $host_os in
+   darwin*)
+       if test -n "$STRIP" ; then
+         striplib="$STRIP -x"
+         old_striplib="$STRIP -S"
+         { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
+       else
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
+       ;;
+   *)
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+    ;;
+  esac
+fi
+
+if test "x$enable_dlopen" != xyes; then
+  enable_dlopen=unknown
+  enable_dlopen_self=unknown
+  enable_dlopen_self_static=unknown
+else
+  lt_cv_dlopen=no
+  lt_cv_dlopen_libs=
+
+  case $host_os in
+  beos*)
+    lt_cv_dlopen="load_add_on"
+    lt_cv_dlopen_libs=
+    lt_cv_dlopen_self=yes
+    ;;
+
+  mingw* | pw32*)
+    lt_cv_dlopen="LoadLibrary"
+    lt_cv_dlopen_libs=
+   ;;
+
+  cygwin*)
+    lt_cv_dlopen="dlopen"
+    lt_cv_dlopen_libs=
+   ;;
+
+  darwin*)
+  # if libdl is installed we need to link against it
+    { echo "$as_me:$LINENO: checking for dlopen in -ldl" >&5
+echo $ECHO_N "checking for dlopen in -ldl... $ECHO_C" >&6; }
+if test "${ac_cv_lib_dl_dlopen+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-ldl  $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char dlopen ();
+int
+main ()
+{
+return dlopen ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+  ac_cv_lib_dl_dlopen=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	ac_cv_lib_dl_dlopen=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_dl_dlopen" >&5
+echo "${ECHO_T}$ac_cv_lib_dl_dlopen" >&6; }
+if test $ac_cv_lib_dl_dlopen = yes; then
+  lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-ldl"
+else
+
+    lt_cv_dlopen="dyld"
+    lt_cv_dlopen_libs=
+    lt_cv_dlopen_self=yes
+
+fi
+
+   ;;
+
+  *)
+    { echo "$as_me:$LINENO: checking for shl_load" >&5
+echo $ECHO_N "checking for shl_load... $ECHO_C" >&6; }
+if test "${ac_cv_func_shl_load+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+/* Define shl_load to an innocuous variant, in case <limits.h> declares shl_load.
+   For example, HP-UX 11i <limits.h> declares gettimeofday.  */
+#define shl_load innocuous_shl_load
+
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char shl_load (); below.
+    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+    <limits.h> exists even on freestanding compilers.  */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef shl_load
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char shl_load ();
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined __stub_shl_load || defined __stub___shl_load
+choke me
+#endif
+
+int
+main ()
+{
+return shl_load ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+  ac_cv_func_shl_load=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	ac_cv_func_shl_load=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_func_shl_load" >&5
+echo "${ECHO_T}$ac_cv_func_shl_load" >&6; }
+if test $ac_cv_func_shl_load = yes; then
+  lt_cv_dlopen="shl_load"
+else
+  { echo "$as_me:$LINENO: checking for shl_load in -ldld" >&5
+echo $ECHO_N "checking for shl_load in -ldld... $ECHO_C" >&6; }
+if test "${ac_cv_lib_dld_shl_load+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-ldld  $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char shl_load ();
+int
+main ()
+{
+return shl_load ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+  ac_cv_lib_dld_shl_load=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	ac_cv_lib_dld_shl_load=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_dld_shl_load" >&5
+echo "${ECHO_T}$ac_cv_lib_dld_shl_load" >&6; }
+if test $ac_cv_lib_dld_shl_load = yes; then
+  lt_cv_dlopen="shl_load" lt_cv_dlopen_libs="-ldld"
+else
+  { echo "$as_me:$LINENO: checking for dlopen" >&5
+echo $ECHO_N "checking for dlopen... $ECHO_C" >&6; }
+if test "${ac_cv_func_dlopen+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+/* Define dlopen to an innocuous variant, in case <limits.h> declares dlopen.
+   For example, HP-UX 11i <limits.h> declares gettimeofday.  */
+#define dlopen innocuous_dlopen
+
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char dlopen (); below.
+    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+    <limits.h> exists even on freestanding compilers.  */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef dlopen
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char dlopen ();
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined __stub_dlopen || defined __stub___dlopen
+choke me
+#endif
+
+int
+main ()
+{
+return dlopen ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+  ac_cv_func_dlopen=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	ac_cv_func_dlopen=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_func_dlopen" >&5
+echo "${ECHO_T}$ac_cv_func_dlopen" >&6; }
+if test $ac_cv_func_dlopen = yes; then
+  lt_cv_dlopen="dlopen"
+else
+  { echo "$as_me:$LINENO: checking for dlopen in -ldl" >&5
+echo $ECHO_N "checking for dlopen in -ldl... $ECHO_C" >&6; }
+if test "${ac_cv_lib_dl_dlopen+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-ldl  $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char dlopen ();
+int
+main ()
+{
+return dlopen ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+  ac_cv_lib_dl_dlopen=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	ac_cv_lib_dl_dlopen=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_dl_dlopen" >&5
+echo "${ECHO_T}$ac_cv_lib_dl_dlopen" >&6; }
+if test $ac_cv_lib_dl_dlopen = yes; then
+  lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-ldl"
+else
+  { echo "$as_me:$LINENO: checking for dlopen in -lsvld" >&5
+echo $ECHO_N "checking for dlopen in -lsvld... $ECHO_C" >&6; }
+if test "${ac_cv_lib_svld_dlopen+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lsvld  $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char dlopen ();
+int
+main ()
+{
+return dlopen ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+  ac_cv_lib_svld_dlopen=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	ac_cv_lib_svld_dlopen=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_svld_dlopen" >&5
+echo "${ECHO_T}$ac_cv_lib_svld_dlopen" >&6; }
+if test $ac_cv_lib_svld_dlopen = yes; then
+  lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-lsvld"
+else
+  { echo "$as_me:$LINENO: checking for dld_link in -ldld" >&5
+echo $ECHO_N "checking for dld_link in -ldld... $ECHO_C" >&6; }
+if test "${ac_cv_lib_dld_dld_link+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-ldld  $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char dld_link ();
+int
+main ()
+{
+return dld_link ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+  ac_cv_lib_dld_dld_link=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	ac_cv_lib_dld_dld_link=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_dld_dld_link" >&5
+echo "${ECHO_T}$ac_cv_lib_dld_dld_link" >&6; }
+if test $ac_cv_lib_dld_dld_link = yes; then
+  lt_cv_dlopen="dld_link" lt_cv_dlopen_libs="-ldld"
+fi
+
+
+fi
+
+
+fi
+
+
+fi
+
+
+fi
+
+
+fi
+
+    ;;
+  esac
+
+  if test "x$lt_cv_dlopen" != xno; then
+    enable_dlopen=yes
+  else
+    enable_dlopen=no
+  fi
+
+  case $lt_cv_dlopen in
+  dlopen)
+    save_CPPFLAGS="$CPPFLAGS"
+    test "x$ac_cv_header_dlfcn_h" = xyes && CPPFLAGS="$CPPFLAGS -DHAVE_DLFCN_H"
+
+    save_LDFLAGS="$LDFLAGS"
+    wl=$lt_prog_compiler_wl eval LDFLAGS=\"\$LDFLAGS $export_dynamic_flag_spec\"
+
+    save_LIBS="$LIBS"
+    LIBS="$lt_cv_dlopen_libs $LIBS"
+
+    { echo "$as_me:$LINENO: checking whether a program can dlopen itself" >&5
+echo $ECHO_N "checking whether a program can dlopen itself... $ECHO_C" >&6; }
+if test "${lt_cv_dlopen_self+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  	  if test "$cross_compiling" = yes; then :
+  lt_cv_dlopen_self=cross
+else
+  lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
+  lt_status=$lt_dlunknown
+  cat > conftest.$ac_ext <<EOF
+#line 10493 "configure"
+#include "confdefs.h"
+
+#if HAVE_DLFCN_H
+#include <dlfcn.h>
+#endif
+
+#include <stdio.h>
+
+#ifdef RTLD_GLOBAL
+#  define LT_DLGLOBAL		RTLD_GLOBAL
+#else
+#  ifdef DL_GLOBAL
+#    define LT_DLGLOBAL		DL_GLOBAL
+#  else
+#    define LT_DLGLOBAL		0
+#  endif
+#endif
+
+/* We may have to define LT_DLLAZY_OR_NOW in the command line if we
+   find out it does not work in some platform. */
+#ifndef LT_DLLAZY_OR_NOW
+#  ifdef RTLD_LAZY
+#    define LT_DLLAZY_OR_NOW		RTLD_LAZY
+#  else
+#    ifdef DL_LAZY
+#      define LT_DLLAZY_OR_NOW		DL_LAZY
+#    else
+#      ifdef RTLD_NOW
+#        define LT_DLLAZY_OR_NOW	RTLD_NOW
+#      else
+#        ifdef DL_NOW
+#          define LT_DLLAZY_OR_NOW	DL_NOW
+#        else
+#          define LT_DLLAZY_OR_NOW	0
+#        endif
+#      endif
+#    endif
+#  endif
+#endif
+
+#ifdef __cplusplus
+extern "C" void exit (int);
+#endif
+
+void fnord() { int i=42;}
+int main ()
+{
+  void *self = dlopen (0, LT_DLGLOBAL|LT_DLLAZY_OR_NOW);
+  int status = $lt_dlunknown;
+
+  if (self)
+    {
+      if (dlsym (self,"fnord"))       status = $lt_dlno_uscore;
+      else if (dlsym( self,"_fnord")) status = $lt_dlneed_uscore;
+      /* dlclose (self); */
+    }
+  else
+    puts (dlerror ());
+
+    exit (status);
+}
+EOF
+  if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && test -s conftest${ac_exeext} 2>/dev/null; then
+    (./conftest; exit; ) >&5 2>/dev/null
+    lt_status=$?
+    case x$lt_status in
+      x$lt_dlno_uscore) lt_cv_dlopen_self=yes ;;
+      x$lt_dlneed_uscore) lt_cv_dlopen_self=yes ;;
+      x$lt_dlunknown|x*) lt_cv_dlopen_self=no ;;
+    esac
+  else :
+    # compilation failed
+    lt_cv_dlopen_self=no
+  fi
+fi
+rm -fr conftest*
+
+
+fi
+{ echo "$as_me:$LINENO: result: $lt_cv_dlopen_self" >&5
+echo "${ECHO_T}$lt_cv_dlopen_self" >&6; }
+
+    if test "x$lt_cv_dlopen_self" = xyes; then
+      wl=$lt_prog_compiler_wl eval LDFLAGS=\"\$LDFLAGS $lt_prog_compiler_static\"
+      { echo "$as_me:$LINENO: checking whether a statically linked program can dlopen itself" >&5
+echo $ECHO_N "checking whether a statically linked program can dlopen itself... $ECHO_C" >&6; }
+if test "${lt_cv_dlopen_self_static+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  	  if test "$cross_compiling" = yes; then :
+  lt_cv_dlopen_self_static=cross
+else
+  lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
+  lt_status=$lt_dlunknown
+  cat > conftest.$ac_ext <<EOF
+#line 10593 "configure"
+#include "confdefs.h"
+
+#if HAVE_DLFCN_H
+#include <dlfcn.h>
+#endif
+
+#include <stdio.h>
+
+#ifdef RTLD_GLOBAL
+#  define LT_DLGLOBAL		RTLD_GLOBAL
+#else
+#  ifdef DL_GLOBAL
+#    define LT_DLGLOBAL		DL_GLOBAL
+#  else
+#    define LT_DLGLOBAL		0
+#  endif
+#endif
+
+/* We may have to define LT_DLLAZY_OR_NOW in the command line if we
+   find out it does not work in some platform. */
+#ifndef LT_DLLAZY_OR_NOW
+#  ifdef RTLD_LAZY
+#    define LT_DLLAZY_OR_NOW		RTLD_LAZY
+#  else
+#    ifdef DL_LAZY
+#      define LT_DLLAZY_OR_NOW		DL_LAZY
+#    else
+#      ifdef RTLD_NOW
+#        define LT_DLLAZY_OR_NOW	RTLD_NOW
+#      else
+#        ifdef DL_NOW
+#          define LT_DLLAZY_OR_NOW	DL_NOW
+#        else
+#          define LT_DLLAZY_OR_NOW	0
+#        endif
+#      endif
+#    endif
+#  endif
+#endif
+
+#ifdef __cplusplus
+extern "C" void exit (int);
+#endif
+
+void fnord() { int i=42;}
+int main ()
+{
+  void *self = dlopen (0, LT_DLGLOBAL|LT_DLLAZY_OR_NOW);
+  int status = $lt_dlunknown;
+
+  if (self)
+    {
+      if (dlsym (self,"fnord"))       status = $lt_dlno_uscore;
+      else if (dlsym( self,"_fnord")) status = $lt_dlneed_uscore;
+      /* dlclose (self); */
+    }
+  else
+    puts (dlerror ());
+
+    exit (status);
+}
+EOF
+  if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && test -s conftest${ac_exeext} 2>/dev/null; then
+    (./conftest; exit; ) >&5 2>/dev/null
+    lt_status=$?
+    case x$lt_status in
+      x$lt_dlno_uscore) lt_cv_dlopen_self_static=yes ;;
+      x$lt_dlneed_uscore) lt_cv_dlopen_self_static=yes ;;
+      x$lt_dlunknown|x*) lt_cv_dlopen_self_static=no ;;
+    esac
+  else :
+    # compilation failed
+    lt_cv_dlopen_self_static=no
+  fi
+fi
+rm -fr conftest*
+
+
+fi
+{ echo "$as_me:$LINENO: result: $lt_cv_dlopen_self_static" >&5
+echo "${ECHO_T}$lt_cv_dlopen_self_static" >&6; }
+    fi
+
+    CPPFLAGS="$save_CPPFLAGS"
+    LDFLAGS="$save_LDFLAGS"
+    LIBS="$save_LIBS"
+    ;;
+  esac
+
+  case $lt_cv_dlopen_self in
+  yes|no) enable_dlopen_self=$lt_cv_dlopen_self ;;
+  *) enable_dlopen_self=unknown ;;
+  esac
+
+  case $lt_cv_dlopen_self_static in
+  yes|no) enable_dlopen_self_static=$lt_cv_dlopen_self_static ;;
+  *) enable_dlopen_self_static=unknown ;;
+  esac
+fi
+
+
+# Report which library types will actually be built
+{ echo "$as_me:$LINENO: checking if libtool supports shared libraries" >&5
+echo $ECHO_N "checking if libtool supports shared libraries... $ECHO_C" >&6; }
+{ echo "$as_me:$LINENO: result: $can_build_shared" >&5
+echo "${ECHO_T}$can_build_shared" >&6; }
+
+{ echo "$as_me:$LINENO: checking whether to build shared libraries" >&5
+echo $ECHO_N "checking whether to build shared libraries... $ECHO_C" >&6; }
+test "$can_build_shared" = "no" && enable_shared=no
+
+# On AIX, shared libraries and static libraries use the same namespace, and
+# are all built from PIC.
+case $host_os in
+aix3*)
+  test "$enable_shared" = yes && enable_static=no
+  if test -n "$RANLIB"; then
+    archive_cmds="$archive_cmds~\$RANLIB \$lib"
+    postinstall_cmds='$RANLIB $lib'
+  fi
+  ;;
+
+aix[4-9]*)
+  if test "$host_cpu" != ia64 && test "$aix_use_runtimelinking" = no ; then
+    test "$enable_shared" = yes && enable_static=no
+  fi
+    ;;
+esac
+{ echo "$as_me:$LINENO: result: $enable_shared" >&5
+echo "${ECHO_T}$enable_shared" >&6; }
+
+{ echo "$as_me:$LINENO: checking whether to build static libraries" >&5
+echo $ECHO_N "checking whether to build static libraries... $ECHO_C" >&6; }
+# Make sure either enable_shared or enable_static is yes.
+test "$enable_shared" = yes || enable_static=yes
+{ echo "$as_me:$LINENO: result: $enable_static" >&5
+echo "${ECHO_T}$enable_static" >&6; }
+
+# The else clause should only fire when bootstrapping the
+# libtool distribution, otherwise you forgot to ship ltmain.sh
+# with your package, and you will get complaints that there are
+# no rules to generate ltmain.sh.
+if test -f "$ltmain"; then
+  # See if we are running on zsh, and set the options which allow our commands through
+  # without removal of \ escapes.
+  if test -n "${ZSH_VERSION+set}" ; then
+    setopt NO_GLOB_SUBST
+  fi
+  # Now quote all the things that may contain metacharacters while being
+  # careful not to overquote the AC_SUBSTed values.  We take copies of the
+  # variables and quote the copies for generation of the libtool script.
+  for var in echo old_CC old_CFLAGS AR AR_FLAGS EGREP RANLIB LN_S LTCC LTCFLAGS NM \
+    SED SHELL STRIP \
+    libname_spec library_names_spec soname_spec extract_expsyms_cmds \
+    old_striplib striplib file_magic_cmd finish_cmds finish_eval \
+    deplibs_check_method reload_flag reload_cmds need_locks \
+    lt_cv_sys_global_symbol_pipe lt_cv_sys_global_symbol_to_cdecl \
+    lt_cv_sys_global_symbol_to_c_name_address \
+    sys_lib_search_path_spec sys_lib_dlsearch_path_spec \
+    old_postinstall_cmds old_postuninstall_cmds \
+    compiler \
+    CC \
+    LD \
+    lt_prog_compiler_wl \
+    lt_prog_compiler_pic \
+    lt_prog_compiler_static \
+    lt_prog_compiler_no_builtin_flag \
+    export_dynamic_flag_spec \
+    thread_safe_flag_spec \
+    whole_archive_flag_spec \
+    enable_shared_with_static_runtimes \
+    old_archive_cmds \
+    old_archive_from_new_cmds \
+    predep_objects \
+    postdep_objects \
+    predeps \
+    postdeps \
+    compiler_lib_search_path \
+    compiler_lib_search_dirs \
+    archive_cmds \
+    archive_expsym_cmds \
+    postinstall_cmds \
+    postuninstall_cmds \
+    old_archive_from_expsyms_cmds \
+    allow_undefined_flag \
+    no_undefined_flag \
+    export_symbols_cmds \
+    hardcode_libdir_flag_spec \
+    hardcode_libdir_flag_spec_ld \
+    hardcode_libdir_separator \
+    hardcode_automatic \
+    module_cmds \
+    module_expsym_cmds \
+    lt_cv_prog_compiler_c_o \
+    fix_srcfile_path \
+    exclude_expsyms \
+    include_expsyms; do
+
+    case $var in
+    old_archive_cmds | \
+    old_archive_from_new_cmds | \
+    archive_cmds | \
+    archive_expsym_cmds | \
+    module_cmds | \
+    module_expsym_cmds | \
+    old_archive_from_expsyms_cmds | \
+    export_symbols_cmds | \
+    extract_expsyms_cmds | reload_cmds | finish_cmds | \
+    postinstall_cmds | postuninstall_cmds | \
+    old_postinstall_cmds | old_postuninstall_cmds | \
+    sys_lib_search_path_spec | sys_lib_dlsearch_path_spec)
+      # Double-quote double-evaled strings.
+      eval "lt_$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$double_quote_subst\" -e \"\$sed_quote_subst\" -e \"\$delay_variable_subst\"\`\\\""
+      ;;
+    *)
+      eval "lt_$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$sed_quote_subst\"\`\\\""
+      ;;
+    esac
+  done
+
+  case $lt_echo in
+  *'\$0 --fallback-echo"')
+    lt_echo=`$echo "X$lt_echo" | $Xsed -e 's/\\\\\\\$0 --fallback-echo"$/$0 --fallback-echo"/'`
+    ;;
+  esac
+
+cfgfile="${ofile}T"
+  trap "$rm \"$cfgfile\"; exit 1" 1 2 15
+  $rm -f "$cfgfile"
+  { echo "$as_me:$LINENO: creating $ofile" >&5
+echo "$as_me: creating $ofile" >&6;}
+
+  cat <<__EOF__ >> "$cfgfile"
+#! $SHELL
+
+# `$echo "$cfgfile" | sed 's%^.*/%%'` - Provide generalized library-building support services.
+# Generated automatically by $PROGRAM (GNU $PACKAGE $VERSION$TIMESTAMP)
+# NOTE: Changes made to this file will be lost: look at ltmain.sh.
+#
+# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008
+# Free Software Foundation, Inc.
+#
+# This file is part of GNU Libtool:
+# Originally by Gordon Matzigkeit <gord@gnu.ai.mit.edu>, 1996
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+#
+# As a special exception to the GNU General Public License, if you
+# distribute this file as part of a program that contains a
+# configuration script generated by Autoconf, you may include it under
+# the same distribution terms that you use for the rest of that program.
+
+# A sed program that does not truncate output.
+SED=$lt_SED
+
+# Sed that helps us avoid accidentally triggering echo(1) options like -n.
+Xsed="$SED -e 1s/^X//"
+
+# The HP-UX ksh and POSIX shell print the target directory to stdout
+# if CDPATH is set.
+(unset CDPATH) >/dev/null 2>&1 && unset CDPATH
+
+# The names of the tagged configurations supported by this script.
+available_tags=
+
+# ### BEGIN LIBTOOL CONFIG
+
+# Libtool was configured on host `(hostname || uname -n) 2>/dev/null | sed 1q`:
+
+# Shell to use when invoking shell scripts.
+SHELL=$lt_SHELL
+
+# Whether or not to build shared libraries.
+build_libtool_libs=$enable_shared
+
+# Whether or not to build static libraries.
+build_old_libs=$enable_static
+
+# Whether or not to add -lc for building shared libraries.
+build_libtool_need_lc=$archive_cmds_need_lc
+
+# Whether or not to disallow shared libs when runtime libs are static
+allow_libtool_libs_with_static_runtimes=$enable_shared_with_static_runtimes
+
+# Whether or not to optimize for fast installation.
+fast_install=$enable_fast_install
+
+# The host system.
+host_alias=$host_alias
+host=$host
+host_os=$host_os
+
+# The build system.
+build_alias=$build_alias
+build=$build
+build_os=$build_os
+
+# An echo program that does not interpret backslashes.
+echo=$lt_echo
+
+# The archiver.
+AR=$lt_AR
+AR_FLAGS=$lt_AR_FLAGS
+
+# A C compiler.
+LTCC=$lt_LTCC
+
+# LTCC compiler flags.
+LTCFLAGS=$lt_LTCFLAGS
+
+# A language-specific compiler.
+CC=$lt_compiler
+
+# Is the compiler the GNU C compiler?
+with_gcc=$GCC
+
+# An ERE matcher.
+EGREP=$lt_EGREP
+
+# The linker used to build libraries.
+LD=$lt_LD
+
+# Whether we need hard or soft links.
+LN_S=$lt_LN_S
+
+# A BSD-compatible nm program.
+NM=$lt_NM
+
+# A symbol stripping program
+STRIP=$lt_STRIP
+
+# Used to examine libraries when file_magic_cmd begins "file"
+MAGIC_CMD=$MAGIC_CMD
+
+# Used on cygwin: DLL creation program.
+DLLTOOL="$DLLTOOL"
+
+# Used on cygwin: object dumper.
+OBJDUMP="$OBJDUMP"
+
+# Used on cygwin: assembler.
+AS="$AS"
+
+# The name of the directory that contains temporary libtool files.
+objdir=$objdir
+
+# How to create reloadable object files.
+reload_flag=$lt_reload_flag
+reload_cmds=$lt_reload_cmds
+
+# How to pass a linker flag through the compiler.
+wl=$lt_lt_prog_compiler_wl
+
+# Object file suffix (normally "o").
+objext="$ac_objext"
+
+# Old archive suffix (normally "a").
+libext="$libext"
+
+# Shared library suffix (normally ".so").
+shrext_cmds='$shrext_cmds'
+
+# Executable file suffix (normally "").
+exeext="$exeext"
+
+# Additional compiler flags for building library objects.
+pic_flag=$lt_lt_prog_compiler_pic
+pic_mode=$pic_mode
+
+# What is the maximum length of a command?
+max_cmd_len=$lt_cv_sys_max_cmd_len
+
+# Does compiler simultaneously support -c and -o options?
+compiler_c_o=$lt_lt_cv_prog_compiler_c_o
+
+# Must we lock files when doing compilation?
+need_locks=$lt_need_locks
+
+# Do we need the lib prefix for modules?
+need_lib_prefix=$need_lib_prefix
+
+# Do we need a version for libraries?
+need_version=$need_version
+
+# Whether dlopen is supported.
+dlopen_support=$enable_dlopen
+
+# Whether dlopen of programs is supported.
+dlopen_self=$enable_dlopen_self
+
+# Whether dlopen of statically linked programs is supported.
+dlopen_self_static=$enable_dlopen_self_static
+
+# Compiler flag to prevent dynamic linking.
+link_static_flag=$lt_lt_prog_compiler_static
+
+# Compiler flag to turn off builtin functions.
+no_builtin_flag=$lt_lt_prog_compiler_no_builtin_flag
+
+# Compiler flag to allow reflexive dlopens.
+export_dynamic_flag_spec=$lt_export_dynamic_flag_spec
+
+# Compiler flag to generate shared objects directly from archives.
+whole_archive_flag_spec=$lt_whole_archive_flag_spec
+
+# Compiler flag to generate thread-safe objects.
+thread_safe_flag_spec=$lt_thread_safe_flag_spec
+
+# Library versioning type.
+version_type=$version_type
+
+# Format of library name prefix.
+libname_spec=$lt_libname_spec
+
+# List of archive names.  First name is the real one, the rest are links.
+# The last name is the one that the linker finds with -lNAME.
+library_names_spec=$lt_library_names_spec
+
+# The coded name of the library, if different from the real name.
+soname_spec=$lt_soname_spec
+
+# Commands used to build and install an old-style archive.
+RANLIB=$lt_RANLIB
+old_archive_cmds=$lt_old_archive_cmds
+old_postinstall_cmds=$lt_old_postinstall_cmds
+old_postuninstall_cmds=$lt_old_postuninstall_cmds
+
+# Create an old-style archive from a shared archive.
+old_archive_from_new_cmds=$lt_old_archive_from_new_cmds
+
+# Create a temporary old-style archive to link instead of a shared archive.
+old_archive_from_expsyms_cmds=$lt_old_archive_from_expsyms_cmds
+
+# Commands used to build and install a shared archive.
+archive_cmds=$lt_archive_cmds
+archive_expsym_cmds=$lt_archive_expsym_cmds
+postinstall_cmds=$lt_postinstall_cmds
+postuninstall_cmds=$lt_postuninstall_cmds
+
+# Commands used to build a loadable module (assumed same as above if empty)
+module_cmds=$lt_module_cmds
+module_expsym_cmds=$lt_module_expsym_cmds
+
+# Commands to strip libraries.
+old_striplib=$lt_old_striplib
+striplib=$lt_striplib
+
+# Dependencies to place before the objects being linked to create a
+# shared library.
+predep_objects=$lt_predep_objects
+
+# Dependencies to place after the objects being linked to create a
+# shared library.
+postdep_objects=$lt_postdep_objects
+
+# Dependencies to place before the objects being linked to create a
+# shared library.
+predeps=$lt_predeps
+
+# Dependencies to place after the objects being linked to create a
+# shared library.
+postdeps=$lt_postdeps
+
+# The directories searched by this compiler when creating a shared
+# library
+compiler_lib_search_dirs=$lt_compiler_lib_search_dirs
+
+# The library search path used internally by the compiler when linking
+# a shared library.
+compiler_lib_search_path=$lt_compiler_lib_search_path
+
+# Method to check whether dependent libraries are shared objects.
+deplibs_check_method=$lt_deplibs_check_method
+
+# Command to use when deplibs_check_method == file_magic.
+file_magic_cmd=$lt_file_magic_cmd
+
+# Flag that allows shared libraries with undefined symbols to be built.
+allow_undefined_flag=$lt_allow_undefined_flag
+
+# Flag that forces no undefined symbols.
+no_undefined_flag=$lt_no_undefined_flag
+
+# Commands used to finish a libtool library installation in a directory.
+finish_cmds=$lt_finish_cmds
+
+# Same as above, but a single script fragment to be evaled but not shown.
+finish_eval=$lt_finish_eval
+
+# Take the output of nm and produce a listing of raw symbols and C names.
+global_symbol_pipe=$lt_lt_cv_sys_global_symbol_pipe
+
+# Transform the output of nm in a proper C declaration
+global_symbol_to_cdecl=$lt_lt_cv_sys_global_symbol_to_cdecl
+
+# Transform the output of nm in a C name address pair
+global_symbol_to_c_name_address=$lt_lt_cv_sys_global_symbol_to_c_name_address
+
+# This is the shared library runtime path variable.
+runpath_var=$runpath_var
+
+# This is the shared library path variable.
+shlibpath_var=$shlibpath_var
+
+# Is shlibpath searched before the hard-coded library search path?
+shlibpath_overrides_runpath=$shlibpath_overrides_runpath
+
+# How to hardcode a shared library path into an executable.
+hardcode_action=$hardcode_action
+
+# Whether we should hardcode library paths into libraries.
+hardcode_into_libs=$hardcode_into_libs
+
+# Flag to hardcode \$libdir into a binary during linking.
+# This must work even if \$libdir does not exist.
+hardcode_libdir_flag_spec=$lt_hardcode_libdir_flag_spec
+
+# If ld is used when linking, flag to hardcode \$libdir into
+# a binary during linking. This must work even if \$libdir does
+# not exist.
+hardcode_libdir_flag_spec_ld=$lt_hardcode_libdir_flag_spec_ld
+
+# Whether we need a single -rpath flag with a separated argument.
+hardcode_libdir_separator=$lt_hardcode_libdir_separator
+
+# Set to yes if using DIR/libNAME${shared_ext} during linking hardcodes DIR into the
+# resulting binary.
+hardcode_direct=$hardcode_direct
+
+# Set to yes if using the -LDIR flag during linking hardcodes DIR into the
+# resulting binary.
+hardcode_minus_L=$hardcode_minus_L
+
+# Set to yes if using SHLIBPATH_VAR=DIR during linking hardcodes DIR into
+# the resulting binary.
+hardcode_shlibpath_var=$hardcode_shlibpath_var
+
+# Set to yes if building a shared library automatically hardcodes DIR into the library
+# and all subsequent libraries and executables linked against it.
+hardcode_automatic=$hardcode_automatic
+
+# Variables whose values should be saved in libtool wrapper scripts and
+# restored at relink time.
+variables_saved_for_relink="$variables_saved_for_relink"
+
+# Whether libtool must link a program against all its dependency libraries.
+link_all_deplibs=$link_all_deplibs
+
+# Compile-time system search path for libraries
+sys_lib_search_path_spec=$lt_sys_lib_search_path_spec
+
+# Run-time system search path for libraries
+sys_lib_dlsearch_path_spec=$lt_sys_lib_dlsearch_path_spec
+
+# Fix the shell variable \$srcfile for the compiler.
+fix_srcfile_path=$lt_fix_srcfile_path
+
+# Set to yes if exported symbols are required.
+always_export_symbols=$always_export_symbols
+
+# The commands to list exported symbols.
+export_symbols_cmds=$lt_export_symbols_cmds
+
+# The commands to extract the exported symbol list from a shared archive.
+extract_expsyms_cmds=$lt_extract_expsyms_cmds
+
+# Symbols that should not be listed in the preloaded symbols.
+exclude_expsyms=$lt_exclude_expsyms
+
+# Symbols that must always be exported.
+include_expsyms=$lt_include_expsyms
+
+# ### END LIBTOOL CONFIG
+
+__EOF__
+
+
+  case $host_os in
+  aix3*)
+    cat <<\EOF >> "$cfgfile"
+
+# AIX sometimes has problems with the GCC collect2 program.  For some
+# reason, if we set the COLLECT_NAMES environment variable, the problems
+# vanish in a puff of smoke.
+if test "X${COLLECT_NAMES+set}" != Xset; then
+  COLLECT_NAMES=
+  export COLLECT_NAMES
+fi
+EOF
+    ;;
+  esac
+
+  # We use sed instead of cat because bash on DJGPP gets confused if
+  # if finds mixed CR/LF and LF-only lines.  Since sed operates in
+  # text mode, it properly converts lines to CR/LF.  This bash problem
+  # is reportedly fixed, but why not run on old versions too?
+  sed '$q' "$ltmain" >> "$cfgfile" || (rm -f "$cfgfile"; exit 1)
+
+  mv -f "$cfgfile" "$ofile" || \
+    (rm -f "$ofile" && cp "$cfgfile" "$ofile" && rm -f "$cfgfile")
+  chmod +x "$ofile"
+
+else
+  # If there is no Makefile yet, we rely on a make rule to execute
+  # `config.status --recheck' to rerun these tests and create the
+  # libtool script then.
+  ltmain_in=`echo $ltmain | sed -e 's/\.sh$/.in/'`
+  if test -f "$ltmain_in"; then
+    test -f Makefile && make "$ltmain"
+  fi
+fi
+
+
+ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+
+CC="$lt_save_CC"
+
+
+# Check whether --with-tags was given.
+if test "${with_tags+set}" = set; then
+  withval=$with_tags; tagnames="$withval"
+fi
+
+
+if test -f "$ltmain" && test -n "$tagnames"; then
+  if test ! -f "${ofile}"; then
+    { echo "$as_me:$LINENO: WARNING: output file \`$ofile' does not exist" >&5
+echo "$as_me: WARNING: output file \`$ofile' does not exist" >&2;}
+  fi
+
+  if test -z "$LTCC"; then
+    eval "`$SHELL ${ofile} --config | grep '^LTCC='`"
+    if test -z "$LTCC"; then
+      { echo "$as_me:$LINENO: WARNING: output file \`$ofile' does not look like a libtool script" >&5
+echo "$as_me: WARNING: output file \`$ofile' does not look like a libtool script" >&2;}
+    else
+      { echo "$as_me:$LINENO: WARNING: using \`LTCC=$LTCC', extracted from \`$ofile'" >&5
+echo "$as_me: WARNING: using \`LTCC=$LTCC', extracted from \`$ofile'" >&2;}
+    fi
+  fi
+  if test -z "$LTCFLAGS"; then
+    eval "`$SHELL ${ofile} --config | grep '^LTCFLAGS='`"
+  fi
+
+  # Extract list of available tagged configurations in $ofile.
+  # Note that this assumes the entire list is on one line.
+  available_tags=`grep "^available_tags=" "${ofile}" | $SED -e 's/available_tags=\(.*$\)/\1/' -e 's/\"//g'`
+
+  lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR,"
+  for tagname in $tagnames; do
+    IFS="$lt_save_ifs"
+    # Check whether tagname contains only valid characters
+    case `$echo "X$tagname" | $Xsed -e 's:[-_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890,/]::g'` in
+    "") ;;
+    *)  { { echo "$as_me:$LINENO: error: invalid tag name: $tagname" >&5
+echo "$as_me: error: invalid tag name: $tagname" >&2;}
+   { (exit 1); exit 1; }; }
+	;;
+    esac
+
+    if grep "^# ### BEGIN LIBTOOL TAG CONFIG: $tagname$" < "${ofile}" > /dev/null
+    then
+      { { echo "$as_me:$LINENO: error: tag name \"$tagname\" already exists" >&5
+echo "$as_me: error: tag name \"$tagname\" already exists" >&2;}
+   { (exit 1); exit 1; }; }
+    fi
+
+    # Update the list of available tags.
+    if test -n "$tagname"; then
+      echo appending configuration tag \"$tagname\" to $ofile
+
+      case $tagname in
+      CXX)
+	if test -n "$CXX" && ( test "X$CXX" != "Xno" &&
+	    ( (test "X$CXX" = "Xg++" && `g++ -v >/dev/null 2>&1` ) ||
+	    (test "X$CXX" != "Xg++"))) ; then
+	  ac_ext=cpp
+ac_cpp='$CXXCPP $CPPFLAGS'
+ac_compile='$CXX -c $CXXFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CXX -o conftest$ac_exeext $CXXFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_cxx_compiler_gnu
+
+
+
+
+archive_cmds_need_lc_CXX=no
+allow_undefined_flag_CXX=
+always_export_symbols_CXX=no
+archive_expsym_cmds_CXX=
+export_dynamic_flag_spec_CXX=
+hardcode_direct_CXX=no
+hardcode_libdir_flag_spec_CXX=
+hardcode_libdir_flag_spec_ld_CXX=
+hardcode_libdir_separator_CXX=
+hardcode_minus_L_CXX=no
+hardcode_shlibpath_var_CXX=unsupported
+hardcode_automatic_CXX=no
+module_cmds_CXX=
+module_expsym_cmds_CXX=
+link_all_deplibs_CXX=unknown
+old_archive_cmds_CXX=$old_archive_cmds
+no_undefined_flag_CXX=
+whole_archive_flag_spec_CXX=
+enable_shared_with_static_runtimes_CXX=no
+
+# Dependencies to place before and after the object being linked:
+predep_objects_CXX=
+postdep_objects_CXX=
+predeps_CXX=
+postdeps_CXX=
+compiler_lib_search_path_CXX=
+compiler_lib_search_dirs_CXX=
+
+# Source file extension for C++ test sources.
+ac_ext=cpp
+
+# Object file extension for compiled C++ test sources.
+objext=o
+objext_CXX=$objext
+
+# Code to be used in simple compile tests
+lt_simple_compile_test_code="int some_variable = 0;"
+
+# Code to be used in simple link tests
+lt_simple_link_test_code='int main(int, char *[]) { return(0); }'
+
+# ltmain only uses $CC for tagged configurations so make sure $CC is set.
+
+# If no C compiler was specified, use CC.
+LTCC=${LTCC-"$CC"}
+
+# If no C compiler flags were specified, use CFLAGS.
+LTCFLAGS=${LTCFLAGS-"$CFLAGS"}
+
+# Allow CC to be a program name with arguments.
+compiler=$CC
+
+
+# save warnings/boilerplate of simple test code
+ac_outfile=conftest.$ac_objext
+echo "$lt_simple_compile_test_code" >conftest.$ac_ext
+eval "$ac_compile" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err
+_lt_compiler_boilerplate=`cat conftest.err`
+$rm conftest*
+
+ac_outfile=conftest.$ac_objext
+echo "$lt_simple_link_test_code" >conftest.$ac_ext
+eval "$ac_link" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err
+_lt_linker_boilerplate=`cat conftest.err`
+$rm -r conftest*
+
+
+# Allow CC to be a program name with arguments.
+lt_save_CC=$CC
+lt_save_LD=$LD
+lt_save_GCC=$GCC
+GCC=$GXX
+lt_save_with_gnu_ld=$with_gnu_ld
+lt_save_path_LD=$lt_cv_path_LD
+if test -n "${lt_cv_prog_gnu_ldcxx+set}"; then
+  lt_cv_prog_gnu_ld=$lt_cv_prog_gnu_ldcxx
+else
+  $as_unset lt_cv_prog_gnu_ld
+fi
+if test -n "${lt_cv_path_LDCXX+set}"; then
+  lt_cv_path_LD=$lt_cv_path_LDCXX
+else
+  $as_unset lt_cv_path_LD
+fi
+test -z "${LDCXX+set}" || LD=$LDCXX
+CC=${CXX-"c++"}
+compiler=$CC
+compiler_CXX=$CC
+for cc_temp in $compiler""; do
+  case $cc_temp in
+    compile | *[\\/]compile | ccache | *[\\/]ccache ) ;;
+    distcc | *[\\/]distcc | purify | *[\\/]purify ) ;;
+    \-*) ;;
+    *) break;;
+  esac
+done
+cc_basename=`$echo "X$cc_temp" | $Xsed -e 's%.*/%%' -e "s%^$host_alias-%%"`
+
+
+# We don't want -fno-exception wen compiling C++ code, so set the
+# no_builtin_flag separately
+if test "$GXX" = yes; then
+  lt_prog_compiler_no_builtin_flag_CXX=' -fno-builtin'
+else
+  lt_prog_compiler_no_builtin_flag_CXX=
+fi
+
+if test "$GXX" = yes; then
+  # Set up default GNU C++ configuration
+
+
+# Check whether --with-gnu-ld was given.
+if test "${with_gnu_ld+set}" = set; then
+  withval=$with_gnu_ld; test "$withval" = no || with_gnu_ld=yes
+else
+  with_gnu_ld=no
+fi
+
+ac_prog=ld
+if test "$GCC" = yes; then
+  # Check if gcc -print-prog-name=ld gives a path.
+  { echo "$as_me:$LINENO: checking for ld used by $CC" >&5
+echo $ECHO_N "checking for ld used by $CC... $ECHO_C" >&6; }
+  case $host in
+  *-*-mingw*)
+    # gcc leaves a trailing carriage return which upsets mingw
+    ac_prog=`($CC -print-prog-name=ld) 2>&5 | tr -d '\015'` ;;
+  *)
+    ac_prog=`($CC -print-prog-name=ld) 2>&5` ;;
+  esac
+  case $ac_prog in
+    # Accept absolute paths.
+    [\\/]* | ?:[\\/]*)
+      re_direlt='/[^/][^/]*/\.\./'
+      # Canonicalize the pathname of ld
+      ac_prog=`echo $ac_prog| $SED 's%\\\\%/%g'`
+      while echo $ac_prog | grep "$re_direlt" > /dev/null 2>&1; do
+	ac_prog=`echo $ac_prog| $SED "s%$re_direlt%/%"`
+      done
+      test -z "$LD" && LD="$ac_prog"
+      ;;
+  "")
+    # If it fails, then pretend we aren't using GCC.
+    ac_prog=ld
+    ;;
+  *)
+    # If it is relative, then search for the first ld in PATH.
+    with_gnu_ld=unknown
+    ;;
+  esac
+elif test "$with_gnu_ld" = yes; then
+  { echo "$as_me:$LINENO: checking for GNU ld" >&5
+echo $ECHO_N "checking for GNU ld... $ECHO_C" >&6; }
+else
+  { echo "$as_me:$LINENO: checking for non-GNU ld" >&5
+echo $ECHO_N "checking for non-GNU ld... $ECHO_C" >&6; }
+fi
+if test "${lt_cv_path_LD+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  if test -z "$LD"; then
+  lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR
+  for ac_dir in $PATH; do
+    IFS="$lt_save_ifs"
+    test -z "$ac_dir" && ac_dir=.
+    if test -f "$ac_dir/$ac_prog" || test -f "$ac_dir/$ac_prog$ac_exeext"; then
+      lt_cv_path_LD="$ac_dir/$ac_prog"
+      # Check to see if the program is GNU ld.  I'd rather use --version,
+      # but apparently some variants of GNU ld only accept -v.
+      # Break only if it was the GNU/non-GNU ld that we prefer.
+      case `"$lt_cv_path_LD" -v 2>&1 </dev/null` in
+      *GNU* | *'with BFD'*)
+	test "$with_gnu_ld" != no && break
+	;;
+      *)
+	test "$with_gnu_ld" != yes && break
+	;;
+      esac
+    fi
+  done
+  IFS="$lt_save_ifs"
+else
+  lt_cv_path_LD="$LD" # Let the user override the test with a path.
+fi
+fi
+
+LD="$lt_cv_path_LD"
+if test -n "$LD"; then
+  { echo "$as_me:$LINENO: result: $LD" >&5
+echo "${ECHO_T}$LD" >&6; }
+else
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
+test -z "$LD" && { { echo "$as_me:$LINENO: error: no acceptable ld found in \$PATH" >&5
+echo "$as_me: error: no acceptable ld found in \$PATH" >&2;}
+   { (exit 1); exit 1; }; }
+{ echo "$as_me:$LINENO: checking if the linker ($LD) is GNU ld" >&5
+echo $ECHO_N "checking if the linker ($LD) is GNU ld... $ECHO_C" >&6; }
+if test "${lt_cv_prog_gnu_ld+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  # I'd rather use --version here, but apparently some GNU lds only accept -v.
+case `$LD -v 2>&1 </dev/null` in
+*GNU* | *'with BFD'*)
+  lt_cv_prog_gnu_ld=yes
+  ;;
+*)
+  lt_cv_prog_gnu_ld=no
+  ;;
+esac
+fi
+{ echo "$as_me:$LINENO: result: $lt_cv_prog_gnu_ld" >&5
+echo "${ECHO_T}$lt_cv_prog_gnu_ld" >&6; }
+with_gnu_ld=$lt_cv_prog_gnu_ld
+
+
+
+  # Check if GNU C++ uses GNU ld as the underlying linker, since the
+  # archiving commands below assume that GNU ld is being used.
+  if test "$with_gnu_ld" = yes; then
+    archive_cmds_CXX='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib'
+    archive_expsym_cmds_CXX='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+
+    hardcode_libdir_flag_spec_CXX='${wl}--rpath ${wl}$libdir'
+    export_dynamic_flag_spec_CXX='${wl}--export-dynamic'
+
+    # If archive_cmds runs LD, not CC, wlarc should be empty
+    # XXX I think wlarc can be eliminated in ltcf-cxx, but I need to
+    #     investigate it a little bit more. (MM)
+    wlarc='${wl}'
+
+    # ancient GNU ld didn't support --whole-archive et. al.
+    if eval "`$CC -print-prog-name=ld` --help 2>&1" | \
+	grep 'no-whole-archive' > /dev/null; then
+      whole_archive_flag_spec_CXX="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive'
+    else
+      whole_archive_flag_spec_CXX=
+    fi
+  else
+    with_gnu_ld=no
+    wlarc=
+
+    # A generic and very simple default shared library creation
+    # command for GNU C++ for the case where it uses the native
+    # linker, instead of GNU ld.  If possible, this setting should
+    # overridden to take advantage of the native linker features on
+    # the platform it is being used on.
+    archive_cmds_CXX='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $lib'
+  fi
+
+  # Commands to make compiler produce verbose output that lists
+  # what "hidden" libraries, object files and flags are used when
+  # linking a shared library.
+  output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "\-L"'
+
+else
+  GXX=no
+  with_gnu_ld=no
+  wlarc=
+fi
+
+# PORTME: fill in a description of your system's C++ link characteristics
+{ echo "$as_me:$LINENO: checking whether the $compiler linker ($LD) supports shared libraries" >&5
+echo $ECHO_N "checking whether the $compiler linker ($LD) supports shared libraries... $ECHO_C" >&6; }
+ld_shlibs_CXX=yes
+case $host_os in
+  aix3*)
+    # FIXME: insert proper C++ library support
+    ld_shlibs_CXX=no
+    ;;
+  aix[4-9]*)
+    if test "$host_cpu" = ia64; then
+      # On IA64, the linker does run time linking by default, so we don't
+      # have to do anything special.
+      aix_use_runtimelinking=no
+      exp_sym_flag='-Bexport'
+      no_entry_flag=""
+    else
+      aix_use_runtimelinking=no
+
+      # Test if we are trying to use run time linking or normal
+      # AIX style linking. If -brtl is somewhere in LDFLAGS, we
+      # need to do runtime linking.
+      case $host_os in aix4.[23]|aix4.[23].*|aix[5-9]*)
+	for ld_flag in $LDFLAGS; do
+	  case $ld_flag in
+	  *-brtl*)
+	    aix_use_runtimelinking=yes
+	    break
+	    ;;
+	  esac
+	done
+	;;
+      esac
+
+      exp_sym_flag='-bexport'
+      no_entry_flag='-bnoentry'
+    fi
+
+    # When large executables or shared objects are built, AIX ld can
+    # have problems creating the table of contents.  If linking a library
+    # or program results in "error TOC overflow" add -mminimal-toc to
+    # CXXFLAGS/CFLAGS for g++/gcc.  In the cases where that is not
+    # enough to fix the problem, add -Wl,-bbigtoc to LDFLAGS.
+
+    archive_cmds_CXX=''
+    hardcode_direct_CXX=yes
+    hardcode_libdir_separator_CXX=':'
+    link_all_deplibs_CXX=yes
+
+    if test "$GXX" = yes; then
+      case $host_os in aix4.[012]|aix4.[012].*)
+      # We only want to do this on AIX 4.2 and lower, the check
+      # below for broken collect2 doesn't work under 4.3+
+	collect2name=`${CC} -print-prog-name=collect2`
+	if test -f "$collect2name" && \
+	   strings "$collect2name" | grep resolve_lib_name >/dev/null
+	then
+	  # We have reworked collect2
+	  :
+	else
+	  # We have old collect2
+	  hardcode_direct_CXX=unsupported
+	  # It fails to find uninstalled libraries when the uninstalled
+	  # path is not listed in the libpath.  Setting hardcode_minus_L
+	  # to unsupported forces relinking
+	  hardcode_minus_L_CXX=yes
+	  hardcode_libdir_flag_spec_CXX='-L$libdir'
+	  hardcode_libdir_separator_CXX=
+	fi
+	;;
+      esac
+      shared_flag='-shared'
+      if test "$aix_use_runtimelinking" = yes; then
+	shared_flag="$shared_flag "'${wl}-G'
+      fi
+    else
+      # not using gcc
+      if test "$host_cpu" = ia64; then
+	# VisualAge C++, Version 5.5 for AIX 5L for IA-64, Beta 3 Release
+	# chokes on -Wl,-G. The following line is correct:
+	shared_flag='-G'
+      else
+	if test "$aix_use_runtimelinking" = yes; then
+	  shared_flag='${wl}-G'
+	else
+	  shared_flag='${wl}-bM:SRE'
+	fi
+      fi
+    fi
+
+    # It seems that -bexpall does not export symbols beginning with
+    # underscore (_), so it is better to generate a list of symbols to export.
+    always_export_symbols_CXX=yes
+    if test "$aix_use_runtimelinking" = yes; then
+      # Warning - without using the other runtime loading flags (-brtl),
+      # -berok will link without error, but may produce a broken library.
+      allow_undefined_flag_CXX='-berok'
+      # Determine the default libpath from the value encoded in an empty executable.
+      cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_cxx_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+
+lt_aix_libpath_sed='
+    /Import File Strings/,/^$/ {
+	/^0/ {
+	    s/^0  *\(.*\)$/\1/
+	    p
+	}
+    }'
+aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
+# Check for a 64-bit object if we didn't find anything.
+if test -z "$aix_libpath"; then
+  aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
+fi
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
+
+      hardcode_libdir_flag_spec_CXX='${wl}-blibpath:$libdir:'"$aix_libpath"
+
+      archive_expsym_cmds_CXX="\$CC"' -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then echo "${wl}${allow_undefined_flag}"; else :; fi` '"\${wl}$exp_sym_flag:\$export_symbols $shared_flag"
+     else
+      if test "$host_cpu" = ia64; then
+	hardcode_libdir_flag_spec_CXX='${wl}-R $libdir:/usr/lib:/lib'
+	allow_undefined_flag_CXX="-z nodefs"
+	archive_expsym_cmds_CXX="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags ${wl}${allow_undefined_flag} '"\${wl}$exp_sym_flag:\$export_symbols"
+      else
+	# Determine the default libpath from the value encoded in an empty executable.
+	cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_cxx_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+
+lt_aix_libpath_sed='
+    /Import File Strings/,/^$/ {
+	/^0/ {
+	    s/^0  *\(.*\)$/\1/
+	    p
+	}
+    }'
+aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
+# Check for a 64-bit object if we didn't find anything.
+if test -z "$aix_libpath"; then
+  aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
+fi
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
+
+	hardcode_libdir_flag_spec_CXX='${wl}-blibpath:$libdir:'"$aix_libpath"
+	# Warning - without using the other run time loading flags,
+	# -berok will link without error, but may produce a broken library.
+	no_undefined_flag_CXX=' ${wl}-bernotok'
+	allow_undefined_flag_CXX=' ${wl}-berok'
+	# Exported symbols can be pulled into shared objects from archives
+	whole_archive_flag_spec_CXX='$convenience'
+	archive_cmds_need_lc_CXX=yes
+	# This is similar to how AIX traditionally builds its shared libraries.
+	archive_expsym_cmds_CXX="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs ${wl}-bnoentry $compiler_flags ${wl}-bE:$export_symbols${allow_undefined_flag}~$AR $AR_FLAGS $output_objdir/$libname$release.a $output_objdir/$soname'
+      fi
+    fi
+    ;;
+
+  beos*)
+    if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
+      allow_undefined_flag_CXX=unsupported
+      # Joseph Beckenbach <jrb3@best.com> says some releases of gcc
+      # support --undefined.  This deserves some investigation.  FIXME
+      archive_cmds_CXX='$CC -nostart $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+    else
+      ld_shlibs_CXX=no
+    fi
+    ;;
+
+  chorus*)
+    case $cc_basename in
+      *)
+	# FIXME: insert proper C++ library support
+	ld_shlibs_CXX=no
+	;;
+    esac
+    ;;
+
+  cygwin* | mingw* | pw32*)
+    # _LT_AC_TAGVAR(hardcode_libdir_flag_spec, CXX) is actually meaningless,
+    # as there is no search path for DLLs.
+    hardcode_libdir_flag_spec_CXX='-L$libdir'
+    allow_undefined_flag_CXX=unsupported
+    always_export_symbols_CXX=no
+    enable_shared_with_static_runtimes_CXX=yes
+
+    if $LD --help 2>&1 | grep 'auto-import' > /dev/null; then
+      archive_cmds_CXX='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
+      # If the export-symbols file already is a .def file (1st line
+      # is EXPORTS), use it as is; otherwise, prepend...
+      archive_expsym_cmds_CXX='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then
+	cp $export_symbols $output_objdir/$soname.def;
+      else
+	echo EXPORTS > $output_objdir/$soname.def;
+	cat $export_symbols >> $output_objdir/$soname.def;
+      fi~
+      $CC -shared -nostdlib $output_objdir/$soname.def $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
+    else
+      ld_shlibs_CXX=no
+    fi
+  ;;
+      darwin* | rhapsody*)
+      archive_cmds_need_lc_CXX=no
+      hardcode_direct_CXX=no
+      hardcode_automatic_CXX=yes
+      hardcode_shlibpath_var_CXX=unsupported
+      whole_archive_flag_spec_CXX=''
+      link_all_deplibs_CXX=yes
+      allow_undefined_flag_CXX="$_lt_dar_allow_undefined"
+      if test "$GXX" = yes ; then
+      output_verbose_link_cmd='echo'
+      archive_cmds_CXX="\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$libobjs \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring $_lt_dar_single_mod${_lt_dsymutil}"
+      module_cmds_CXX="\$CC \$allow_undefined_flag -o \$lib -bundle \$libobjs \$deplibs \$compiler_flags${_lt_dsymutil}"
+      archive_expsym_cmds_CXX="sed 's,^,_,' < \$export_symbols > \$output_objdir/\${libname}-symbols.expsym~\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$libobjs \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring ${_lt_dar_single_mod}${_lt_dar_export_syms}${_lt_dsymutil}"
+      module_expsym_cmds_CXX="sed -e 's,^,_,' < \$export_symbols > \$output_objdir/\${libname}-symbols.expsym~\$CC \$allow_undefined_flag -o \$lib -bundle \$libobjs \$deplibs \$compiler_flags${_lt_dar_export_syms}${_lt_dsymutil}"
+      if test "$lt_cv_apple_cc_single_mod" != "yes"; then
+        archive_cmds_CXX="\$CC -r -keep_private_externs -nostdlib -o \${lib}-master.o \$libobjs~\$CC -dynamiclib \$allow_undefined_flag -o \$lib \${lib}-master.o \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring${_lt_dsymutil}"
+        archive_expsym_cmds_CXX="sed 's,^,_,' < \$export_symbols > \$output_objdir/\${libname}-symbols.expsym~\$CC -r -keep_private_externs -nostdlib -o \${lib}-master.o \$libobjs~\$CC -dynamiclib \$allow_undefined_flag -o \$lib \${lib}-master.o \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring${_lt_dar_export_syms}${_lt_dsymutil}"
+      fi
+      else
+      case $cc_basename in
+        xlc*)
+         output_verbose_link_cmd='echo'
+          archive_cmds_CXX='$CC -qmkshrobj ${wl}-single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}`echo $rpath/$soname` $xlcverstring'
+          module_cmds_CXX='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
+          # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin lds
+          archive_expsym_cmds_CXX='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -qmkshrobj ${wl}-single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}$rpath/$soname $xlcverstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+          module_expsym_cmds_CXX='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag  -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+          ;;
+       *)
+         ld_shlibs_CXX=no
+          ;;
+      esac
+      fi
+        ;;
+
+  dgux*)
+    case $cc_basename in
+      ec++*)
+	# FIXME: insert proper C++ library support
+	ld_shlibs_CXX=no
+	;;
+      ghcx*)
+	# Green Hills C++ Compiler
+	# FIXME: insert proper C++ library support
+	ld_shlibs_CXX=no
+	;;
+      *)
+	# FIXME: insert proper C++ library support
+	ld_shlibs_CXX=no
+	;;
+    esac
+    ;;
+  freebsd[12]*)
+    # C++ shared libraries reported to be fairly broken before switch to ELF
+    ld_shlibs_CXX=no
+    ;;
+  freebsd-elf*)
+    archive_cmds_need_lc_CXX=no
+    ;;
+  freebsd* | dragonfly*)
+    # FreeBSD 3 and later use GNU C++ and GNU ld with standard ELF
+    # conventions
+    ld_shlibs_CXX=yes
+    ;;
+  gnu*)
+    ;;
+  hpux9*)
+    hardcode_libdir_flag_spec_CXX='${wl}+b ${wl}$libdir'
+    hardcode_libdir_separator_CXX=:
+    export_dynamic_flag_spec_CXX='${wl}-E'
+    hardcode_direct_CXX=yes
+    hardcode_minus_L_CXX=yes # Not in the search PATH,
+				# but as the default
+				# location of the library.
+
+    case $cc_basename in
+    CC*)
+      # FIXME: insert proper C++ library support
+      ld_shlibs_CXX=no
+      ;;
+    aCC*)
+      archive_cmds_CXX='$rm $output_objdir/$soname~$CC -b ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
+      # Commands to make compiler produce verbose output that lists
+      # what "hidden" libraries, object files and flags are used when
+      # linking a shared library.
+      #
+      # There doesn't appear to be a way to prevent this compiler from
+      # explicitly linking system object files so we need to strip them
+      # from the output so that they don't get included in the library
+      # dependencies.
+      output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | grep "[-]L"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
+      ;;
+    *)
+      if test "$GXX" = yes; then
+        archive_cmds_CXX='$rm $output_objdir/$soname~$CC -shared -nostdlib -fPIC ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
+      else
+        # FIXME: insert proper C++ library support
+        ld_shlibs_CXX=no
+      fi
+      ;;
+    esac
+    ;;
+  hpux10*|hpux11*)
+    if test $with_gnu_ld = no; then
+      hardcode_libdir_flag_spec_CXX='${wl}+b ${wl}$libdir'
+      hardcode_libdir_separator_CXX=:
+
+      case $host_cpu in
+      hppa*64*|ia64*) ;;
+      *)
+	export_dynamic_flag_spec_CXX='${wl}-E'
+        ;;
+      esac
+    fi
+    case $host_cpu in
+    hppa*64*|ia64*)
+      hardcode_direct_CXX=no
+      hardcode_shlibpath_var_CXX=no
+      ;;
+    *)
+      hardcode_direct_CXX=yes
+      hardcode_minus_L_CXX=yes # Not in the search PATH,
+					      # but as the default
+					      # location of the library.
+      ;;
+    esac
+
+    case $cc_basename in
+      CC*)
+	# FIXME: insert proper C++ library support
+	ld_shlibs_CXX=no
+	;;
+      aCC*)
+	case $host_cpu in
+	hppa*64*)
+	  archive_cmds_CXX='$CC -b ${wl}+h ${wl}$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
+	  ;;
+	ia64*)
+	  archive_cmds_CXX='$CC -b ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
+	  ;;
+	*)
+	  archive_cmds_CXX='$CC -b ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
+	  ;;
+	esac
+	# Commands to make compiler produce verbose output that lists
+	# what "hidden" libraries, object files and flags are used when
+	# linking a shared library.
+	#
+	# There doesn't appear to be a way to prevent this compiler from
+	# explicitly linking system object files so we need to strip them
+	# from the output so that they don't get included in the library
+	# dependencies.
+	output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | grep "\-L"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
+	;;
+      *)
+	if test "$GXX" = yes; then
+	  if test $with_gnu_ld = no; then
+	    case $host_cpu in
+	    hppa*64*)
+	      archive_cmds_CXX='$CC -shared -nostdlib -fPIC ${wl}+h ${wl}$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
+	      ;;
+	    ia64*)
+	      archive_cmds_CXX='$CC -shared -nostdlib -fPIC ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
+	      ;;
+	    *)
+	      archive_cmds_CXX='$CC -shared -nostdlib -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
+	      ;;
+	    esac
+	  fi
+	else
+	  # FIXME: insert proper C++ library support
+	  ld_shlibs_CXX=no
+	fi
+	;;
+    esac
+    ;;
+  interix[3-9]*)
+    hardcode_direct_CXX=no
+    hardcode_shlibpath_var_CXX=no
+    hardcode_libdir_flag_spec_CXX='${wl}-rpath,$libdir'
+    export_dynamic_flag_spec_CXX='${wl}-E'
+    # Hack: On Interix 3.x, we cannot compile PIC because of a broken gcc.
+    # Instead, shared libraries are loaded at an image base (0x10000000 by
+    # default) and relocated if they conflict, which is a slow very memory
+    # consuming and fragmenting process.  To avoid this, we pick a random,
+    # 256 KiB-aligned image base between 0x50000000 and 0x6FFC0000 at link
+    # time.  Moving up from 0x10000000 also allows more sbrk(2) space.
+    archive_cmds_CXX='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
+    archive_expsym_cmds_CXX='sed "s,^,_," $export_symbols >$output_objdir/$soname.expsym~$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--retain-symbols-file,$output_objdir/$soname.expsym ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
+    ;;
+  irix5* | irix6*)
+    case $cc_basename in
+      CC*)
+	# SGI C++
+	archive_cmds_CXX='$CC -shared -all -multigot $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
+
+	# Archives containing C++ object files must be created using
+	# "CC -ar", where "CC" is the IRIX C++ compiler.  This is
+	# necessary to make sure instantiated templates are included
+	# in the archive.
+	old_archive_cmds_CXX='$CC -ar -WR,-u -o $oldlib $oldobjs'
+	;;
+      *)
+	if test "$GXX" = yes; then
+	  if test "$with_gnu_ld" = no; then
+	    archive_cmds_CXX='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+	  else
+	    archive_cmds_CXX='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` -o $lib'
+	  fi
+	fi
+	link_all_deplibs_CXX=yes
+	;;
+    esac
+    hardcode_libdir_flag_spec_CXX='${wl}-rpath ${wl}$libdir'
+    hardcode_libdir_separator_CXX=:
+    ;;
+  linux* | k*bsd*-gnu)
+    case $cc_basename in
+      KCC*)
+	# Kuck and Associates, Inc. (KAI) C++ Compiler
+
+	# KCC will only create a shared library if the output file
+	# ends with ".so" (or ".sl" for HP-UX), so rename the library
+	# to its proper name (with version) after linking.
+	archive_cmds_CXX='tempext=`echo $shared_ext | $SED -e '\''s/\([^()0-9A-Za-z{}]\)/\\\\\1/g'\''`; templib=`echo $lib | $SED -e "s/\${tempext}\..*/.so/"`; $CC $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags --soname $soname -o \$templib; mv \$templib $lib'
+	archive_expsym_cmds_CXX='tempext=`echo $shared_ext | $SED -e '\''s/\([^()0-9A-Za-z{}]\)/\\\\\1/g'\''`; templib=`echo $lib | $SED -e "s/\${tempext}\..*/.so/"`; $CC $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags --soname $soname -o \$templib ${wl}-retain-symbols-file,$export_symbols; mv \$templib $lib'
+	# Commands to make compiler produce verbose output that lists
+	# what "hidden" libraries, object files and flags are used when
+	# linking a shared library.
+	#
+	# There doesn't appear to be a way to prevent this compiler from
+	# explicitly linking system object files so we need to strip them
+	# from the output so that they don't get included in the library
+	# dependencies.
+	output_verbose_link_cmd='templist=`$CC $CFLAGS -v conftest.$objext -o libconftest$shared_ext 2>&1 | grep "ld"`; rm -f libconftest$shared_ext; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
+
+	hardcode_libdir_flag_spec_CXX='${wl}--rpath,$libdir'
+	export_dynamic_flag_spec_CXX='${wl}--export-dynamic'
+
+	# Archives containing C++ object files must be created using
+	# "CC -Bstatic", where "CC" is the KAI C++ compiler.
+	old_archive_cmds_CXX='$CC -Bstatic -o $oldlib $oldobjs'
+	;;
+      icpc*)
+	# Intel C++
+	with_gnu_ld=yes
+	# version 8.0 and above of icpc choke on multiply defined symbols
+	# if we add $predep_objects and $postdep_objects, however 7.1 and
+	# earlier do not add the objects themselves.
+	case `$CC -V 2>&1` in
+	*"Version 7."*)
+  	  archive_cmds_CXX='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib'
+  	  archive_expsym_cmds_CXX='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+	  ;;
+	*)  # Version 8.0 or newer
+	  tmp_idyn=
+	  case $host_cpu in
+	    ia64*) tmp_idyn=' -i_dynamic';;
+	  esac
+  	  archive_cmds_CXX='$CC -shared'"$tmp_idyn"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+	  archive_expsym_cmds_CXX='$CC -shared'"$tmp_idyn"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+	  ;;
+	esac
+	archive_cmds_need_lc_CXX=no
+	hardcode_libdir_flag_spec_CXX='${wl}-rpath,$libdir'
+	export_dynamic_flag_spec_CXX='${wl}--export-dynamic'
+	whole_archive_flag_spec_CXX='${wl}--whole-archive$convenience ${wl}--no-whole-archive'
+	;;
+      pgCC* | pgcpp*)
+        # Portland Group C++ compiler
+	archive_cmds_CXX='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
+  	archive_expsym_cmds_CXX='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname ${wl}-retain-symbols-file ${wl}$export_symbols -o $lib'
+
+	hardcode_libdir_flag_spec_CXX='${wl}--rpath ${wl}$libdir'
+	export_dynamic_flag_spec_CXX='${wl}--export-dynamic'
+	whole_archive_flag_spec_CXX='${wl}--whole-archive`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}--no-whole-archive'
+        ;;
+      cxx*)
+	# Compaq C++
+	archive_cmds_CXX='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib'
+	archive_expsym_cmds_CXX='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname  -o $lib ${wl}-retain-symbols-file $wl$export_symbols'
+
+	runpath_var=LD_RUN_PATH
+	hardcode_libdir_flag_spec_CXX='-rpath $libdir'
+	hardcode_libdir_separator_CXX=:
+
+	# Commands to make compiler produce verbose output that lists
+	# what "hidden" libraries, object files and flags are used when
+	# linking a shared library.
+	#
+	# There doesn't appear to be a way to prevent this compiler from
+	# explicitly linking system object files so we need to strip them
+	# from the output so that they don't get included in the library
+	# dependencies.
+	output_verbose_link_cmd='templist=`$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "ld"`; templist=`echo $templist | $SED "s/\(^.*ld.*\)\( .*ld .*$\)/\1/"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
+	;;
+      *)
+	case `$CC -V 2>&1 | sed 5q` in
+	*Sun\ C*)
+	  # Sun C++ 5.9
+	  no_undefined_flag_CXX=' -zdefs'
+	  archive_cmds_CXX='$CC -G${allow_undefined_flag} -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
+	  archive_expsym_cmds_CXX='$CC -G${allow_undefined_flag} -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-retain-symbols-file ${wl}$export_symbols'
+	  hardcode_libdir_flag_spec_CXX='-R$libdir'
+	  whole_archive_flag_spec_CXX='${wl}--whole-archive`new_convenience=; for conv in $convenience\"\"; do test -z \"$conv\" || new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}--no-whole-archive'
+
+	  # Not sure whether something based on
+	  # $CC $CFLAGS -v conftest.$objext -o libconftest$shared_ext 2>&1
+	  # would be better.
+	  output_verbose_link_cmd='echo'
+
+	  # Archives containing C++ object files must be created using
+	  # "CC -xar", where "CC" is the Sun C++ compiler.  This is
+	  # necessary to make sure instantiated templates are included
+	  # in the archive.
+	  old_archive_cmds_CXX='$CC -xar -o $oldlib $oldobjs'
+	  ;;
+	esac
+	;;
+    esac
+    ;;
+  lynxos*)
+    # FIXME: insert proper C++ library support
+    ld_shlibs_CXX=no
+    ;;
+  m88k*)
+    # FIXME: insert proper C++ library support
+    ld_shlibs_CXX=no
+    ;;
+  mvs*)
+    case $cc_basename in
+      cxx*)
+	# FIXME: insert proper C++ library support
+	ld_shlibs_CXX=no
+	;;
+      *)
+	# FIXME: insert proper C++ library support
+	ld_shlibs_CXX=no
+	;;
+    esac
+    ;;
+  netbsd* | netbsdelf*-gnu)
+    if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
+      archive_cmds_CXX='$LD -Bshareable  -o $lib $predep_objects $libobjs $deplibs $postdep_objects $linker_flags'
+      wlarc=
+      hardcode_libdir_flag_spec_CXX='-R$libdir'
+      hardcode_direct_CXX=yes
+      hardcode_shlibpath_var_CXX=no
+    fi
+    # Workaround some broken pre-1.5 toolchains
+    output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep conftest.$objext | $SED -e "s:-lgcc -lc -lgcc::"'
+    ;;
+  openbsd2*)
+    # C++ shared libraries are fairly broken
+    ld_shlibs_CXX=no
+    ;;
+  openbsd*)
+    if test -f /usr/libexec/ld.so; then
+      hardcode_direct_CXX=yes
+      hardcode_shlibpath_var_CXX=no
+      archive_cmds_CXX='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $lib'
+      hardcode_libdir_flag_spec_CXX='${wl}-rpath,$libdir'
+      if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
+	archive_expsym_cmds_CXX='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-retain-symbols-file,$export_symbols -o $lib'
+	export_dynamic_flag_spec_CXX='${wl}-E'
+	whole_archive_flag_spec_CXX="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive'
+      fi
+      output_verbose_link_cmd='echo'
+    else
+      ld_shlibs_CXX=no
+    fi
+    ;;
+  osf3*)
+    case $cc_basename in
+      KCC*)
+	# Kuck and Associates, Inc. (KAI) C++ Compiler
+
+	# KCC will only create a shared library if the output file
+	# ends with ".so" (or ".sl" for HP-UX), so rename the library
+	# to its proper name (with version) after linking.
+	archive_cmds_CXX='tempext=`echo $shared_ext | $SED -e '\''s/\([^()0-9A-Za-z{}]\)/\\\\\1/g'\''`; templib=`echo $lib | $SED -e "s/\${tempext}\..*/.so/"`; $CC $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags --soname $soname -o \$templib; mv \$templib $lib'
+
+	hardcode_libdir_flag_spec_CXX='${wl}-rpath,$libdir'
+	hardcode_libdir_separator_CXX=:
+
+	# Archives containing C++ object files must be created using
+	# "CC -Bstatic", where "CC" is the KAI C++ compiler.
+	old_archive_cmds_CXX='$CC -Bstatic -o $oldlib $oldobjs'
+
+	;;
+      RCC*)
+	# Rational C++ 2.4.1
+	# FIXME: insert proper C++ library support
+	ld_shlibs_CXX=no
+	;;
+      cxx*)
+	allow_undefined_flag_CXX=' ${wl}-expect_unresolved ${wl}\*'
+	archive_cmds_CXX='$CC -shared${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $soname `test -n "$verstring" && echo ${wl}-set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
+
+	hardcode_libdir_flag_spec_CXX='${wl}-rpath ${wl}$libdir'
+	hardcode_libdir_separator_CXX=:
+
+	# Commands to make compiler produce verbose output that lists
+	# what "hidden" libraries, object files and flags are used when
+	# linking a shared library.
+	#
+	# There doesn't appear to be a way to prevent this compiler from
+	# explicitly linking system object files so we need to strip them
+	# from the output so that they don't get included in the library
+	# dependencies.
+	output_verbose_link_cmd='templist=`$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "ld" | grep -v "ld:"`; templist=`echo $templist | $SED "s/\(^.*ld.*\)\( .*ld.*$\)/\1/"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
+	;;
+      *)
+	if test "$GXX" = yes && test "$with_gnu_ld" = no; then
+	  allow_undefined_flag_CXX=' ${wl}-expect_unresolved ${wl}\*'
+	  archive_cmds_CXX='$CC -shared -nostdlib ${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+
+	  hardcode_libdir_flag_spec_CXX='${wl}-rpath ${wl}$libdir'
+	  hardcode_libdir_separator_CXX=:
+
+	  # Commands to make compiler produce verbose output that lists
+	  # what "hidden" libraries, object files and flags are used when
+	  # linking a shared library.
+	  output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "\-L"'
+
+	else
+	  # FIXME: insert proper C++ library support
+	  ld_shlibs_CXX=no
+	fi
+	;;
+    esac
+    ;;
+  osf4* | osf5*)
+    case $cc_basename in
+      KCC*)
+	# Kuck and Associates, Inc. (KAI) C++ Compiler
+
+	# KCC will only create a shared library if the output file
+	# ends with ".so" (or ".sl" for HP-UX), so rename the library
+	# to its proper name (with version) after linking.
+	archive_cmds_CXX='tempext=`echo $shared_ext | $SED -e '\''s/\([^()0-9A-Za-z{}]\)/\\\\\1/g'\''`; templib=`echo $lib | $SED -e "s/\${tempext}\..*/.so/"`; $CC $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags --soname $soname -o \$templib; mv \$templib $lib'
+
+	hardcode_libdir_flag_spec_CXX='${wl}-rpath,$libdir'
+	hardcode_libdir_separator_CXX=:
+
+	# Archives containing C++ object files must be created using
+	# the KAI C++ compiler.
+	old_archive_cmds_CXX='$CC -o $oldlib $oldobjs'
+	;;
+      RCC*)
+	# Rational C++ 2.4.1
+	# FIXME: insert proper C++ library support
+	ld_shlibs_CXX=no
+	;;
+      cxx*)
+	allow_undefined_flag_CXX=' -expect_unresolved \*'
+	archive_cmds_CXX='$CC -shared${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -msym -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
+	archive_expsym_cmds_CXX='for i in `cat $export_symbols`; do printf "%s %s\\n" -exported_symbol "\$i" >> $lib.exp; done~
+	  echo "-hidden">> $lib.exp~
+	  $CC -shared$allow_undefined_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -msym -soname $soname -Wl,-input -Wl,$lib.exp  `test -n "$verstring" && echo -set_version	$verstring` -update_registry ${output_objdir}/so_locations -o $lib~
+	  $rm $lib.exp'
+
+	hardcode_libdir_flag_spec_CXX='-rpath $libdir'
+	hardcode_libdir_separator_CXX=:
+
+	# Commands to make compiler produce verbose output that lists
+	# what "hidden" libraries, object files and flags are used when
+	# linking a shared library.
+	#
+	# There doesn't appear to be a way to prevent this compiler from
+	# explicitly linking system object files so we need to strip them
+	# from the output so that they don't get included in the library
+	# dependencies.
+	output_verbose_link_cmd='templist=`$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "ld" | grep -v "ld:"`; templist=`echo $templist | $SED "s/\(^.*ld.*\)\( .*ld.*$\)/\1/"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
+	;;
+      *)
+	if test "$GXX" = yes && test "$with_gnu_ld" = no; then
+	  allow_undefined_flag_CXX=' ${wl}-expect_unresolved ${wl}\*'
+	 archive_cmds_CXX='$CC -shared -nostdlib ${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-msym ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+
+	  hardcode_libdir_flag_spec_CXX='${wl}-rpath ${wl}$libdir'
+	  hardcode_libdir_separator_CXX=:
+
+	  # Commands to make compiler produce verbose output that lists
+	  # what "hidden" libraries, object files and flags are used when
+	  # linking a shared library.
+	  output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "\-L"'
+
+	else
+	  # FIXME: insert proper C++ library support
+	  ld_shlibs_CXX=no
+	fi
+	;;
+    esac
+    ;;
+  psos*)
+    # FIXME: insert proper C++ library support
+    ld_shlibs_CXX=no
+    ;;
+  sunos4*)
+    case $cc_basename in
+      CC*)
+	# Sun C++ 4.x
+	# FIXME: insert proper C++ library support
+	ld_shlibs_CXX=no
+	;;
+      lcc*)
+	# Lucid
+	# FIXME: insert proper C++ library support
+	ld_shlibs_CXX=no
+	;;
+      *)
+	# FIXME: insert proper C++ library support
+	ld_shlibs_CXX=no
+	;;
+    esac
+    ;;
+  solaris*)
+    case $cc_basename in
+      CC*)
+	# Sun C++ 4.2, 5.x and Centerline C++
+        archive_cmds_need_lc_CXX=yes
+	no_undefined_flag_CXX=' -zdefs'
+	archive_cmds_CXX='$CC -G${allow_undefined_flag}  -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
+	archive_expsym_cmds_CXX='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
+	$CC -G${allow_undefined_flag}  ${wl}-M ${wl}$lib.exp -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~$rm $lib.exp'
+
+	hardcode_libdir_flag_spec_CXX='-R$libdir'
+	hardcode_shlibpath_var_CXX=no
+	case $host_os in
+	  solaris2.[0-5] | solaris2.[0-5].*) ;;
+	  *)
+	    # The compiler driver will combine and reorder linker options,
+	    # but understands `-z linker_flag'.
+	    # Supported since Solaris 2.6 (maybe 2.5.1?)
+	    whole_archive_flag_spec_CXX='-z allextract$convenience -z defaultextract'
+	    ;;
+	esac
+	link_all_deplibs_CXX=yes
+
+	output_verbose_link_cmd='echo'
+
+	# Archives containing C++ object files must be created using
+	# "CC -xar", where "CC" is the Sun C++ compiler.  This is
+	# necessary to make sure instantiated templates are included
+	# in the archive.
+	old_archive_cmds_CXX='$CC -xar -o $oldlib $oldobjs'
+	;;
+      gcx*)
+	# Green Hills C++ Compiler
+	archive_cmds_CXX='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-h $wl$soname -o $lib'
+
+	# The C++ compiler must be used to create the archive.
+	old_archive_cmds_CXX='$CC $LDFLAGS -archive -o $oldlib $oldobjs'
+	;;
+      *)
+	# GNU C++ compiler with Solaris linker
+	if test "$GXX" = yes && test "$with_gnu_ld" = no; then
+	  no_undefined_flag_CXX=' ${wl}-z ${wl}defs'
+	  if $CC --version | grep -v '^2\.7' > /dev/null; then
+	    archive_cmds_CXX='$CC -shared -nostdlib $LDFLAGS $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-h $wl$soname -o $lib'
+	    archive_expsym_cmds_CXX='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
+		$CC -shared -nostdlib ${wl}-M $wl$lib.exp -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~$rm $lib.exp'
+
+	    # Commands to make compiler produce verbose output that lists
+	    # what "hidden" libraries, object files and flags are used when
+	    # linking a shared library.
+	    output_verbose_link_cmd="$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep \"\-L\""
+	  else
+	    # g++ 2.7 appears to require `-G' NOT `-shared' on this
+	    # platform.
+	    archive_cmds_CXX='$CC -G -nostdlib $LDFLAGS $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-h $wl$soname -o $lib'
+	    archive_expsym_cmds_CXX='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
+		$CC -G -nostdlib ${wl}-M $wl$lib.exp -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~$rm $lib.exp'
+
+	    # Commands to make compiler produce verbose output that lists
+	    # what "hidden" libraries, object files and flags are used when
+	    # linking a shared library.
+	    output_verbose_link_cmd="$CC -G $CFLAGS -v conftest.$objext 2>&1 | grep \"\-L\""
+	  fi
+
+	  hardcode_libdir_flag_spec_CXX='${wl}-R $wl$libdir'
+	  case $host_os in
+	  solaris2.[0-5] | solaris2.[0-5].*) ;;
+	  *)
+	    whole_archive_flag_spec_CXX='${wl}-z ${wl}allextract$convenience ${wl}-z ${wl}defaultextract'
+	    ;;
+	  esac
+	fi
+	;;
+    esac
+    ;;
+  sysv4*uw2* | sysv5OpenUNIX* | sysv5UnixWare7.[01].[10]* | unixware7* | sco3.2v5.0.[024]*)
+    no_undefined_flag_CXX='${wl}-z,text'
+    archive_cmds_need_lc_CXX=no
+    hardcode_shlibpath_var_CXX=no
+    runpath_var='LD_RUN_PATH'
+
+    case $cc_basename in
+      CC*)
+	archive_cmds_CXX='$CC -G ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+	archive_expsym_cmds_CXX='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+	;;
+      *)
+	archive_cmds_CXX='$CC -shared ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+	archive_expsym_cmds_CXX='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+	;;
+    esac
+    ;;
+  sysv5* | sco3.2v5* | sco5v6*)
+    # Note: We can NOT use -z defs as we might desire, because we do not
+    # link with -lc, and that would cause any symbols used from libc to
+    # always be unresolved, which means just about no library would
+    # ever link correctly.  If we're not using GNU ld we use -z text
+    # though, which does catch some bad symbols but isn't as heavy-handed
+    # as -z defs.
+    # For security reasons, it is highly recommended that you always
+    # use absolute paths for naming shared libraries, and exclude the
+    # DT_RUNPATH tag from executables and libraries.  But doing so
+    # requires that you compile everything twice, which is a pain.
+    # So that behaviour is only enabled if SCOABSPATH is set to a
+    # non-empty value in the environment.  Most likely only useful for
+    # creating official distributions of packages.
+    # This is a hack until libtool officially supports absolute path
+    # names for shared libraries.
+    no_undefined_flag_CXX='${wl}-z,text'
+    allow_undefined_flag_CXX='${wl}-z,nodefs'
+    archive_cmds_need_lc_CXX=no
+    hardcode_shlibpath_var_CXX=no
+    hardcode_libdir_flag_spec_CXX='`test -z "$SCOABSPATH" && echo ${wl}-R,$libdir`'
+    hardcode_libdir_separator_CXX=':'
+    link_all_deplibs_CXX=yes
+    export_dynamic_flag_spec_CXX='${wl}-Bexport'
+    runpath_var='LD_RUN_PATH'
+
+    case $cc_basename in
+      CC*)
+	archive_cmds_CXX='$CC -G ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
+	archive_expsym_cmds_CXX='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
+	;;
+      *)
+	archive_cmds_CXX='$CC -shared ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
+	archive_expsym_cmds_CXX='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
+	;;
+    esac
+    ;;
+  tandem*)
+    case $cc_basename in
+      NCC*)
+	# NonStop-UX NCC 3.20
+	# FIXME: insert proper C++ library support
+	ld_shlibs_CXX=no
+	;;
+      *)
+	# FIXME: insert proper C++ library support
+	ld_shlibs_CXX=no
+	;;
+    esac
+    ;;
+  vxworks*)
+    # FIXME: insert proper C++ library support
+    ld_shlibs_CXX=no
+    ;;
+  *)
+    # FIXME: insert proper C++ library support
+    ld_shlibs_CXX=no
+    ;;
+esac
+{ echo "$as_me:$LINENO: result: $ld_shlibs_CXX" >&5
+echo "${ECHO_T}$ld_shlibs_CXX" >&6; }
+test "$ld_shlibs_CXX" = no && can_build_shared=no
+
+GCC_CXX="$GXX"
+LD_CXX="$LD"
+
+cat > conftest.$ac_ext <<EOF
+class Foo
+{
+public:
+  Foo (void) { a = 0; }
+private:
+  int a;
+};
+EOF
+
+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  # Parse the compiler output and extract the necessary
+  # objects, libraries and library flags.
+
+  # Sentinel used to keep track of whether or not we are before
+  # the conftest object file.
+  pre_test_object_deps_done=no
+
+  # The `*' in the case matches for architectures that use `case' in
+  # $output_verbose_cmd can trigger glob expansion during the loop
+  # eval without this substitution.
+  output_verbose_link_cmd=`$echo "X$output_verbose_link_cmd" | $Xsed -e "$no_glob_subst"`
+
+  for p in `eval $output_verbose_link_cmd`; do
+    case $p in
+
+    -L* | -R* | -l*)
+       # Some compilers place space between "-{L,R}" and the path.
+       # Remove the space.
+       if test $p = "-L" \
+	  || test $p = "-R"; then
+	 prev=$p
+	 continue
+       else
+	 prev=
+       fi
+
+       if test "$pre_test_object_deps_done" = no; then
+	 case $p in
+	 -L* | -R*)
+	   # Internal compiler library paths should come after those
+	   # provided the user.  The postdeps already come after the
+	   # user supplied libs so there is no need to process them.
+	   if test -z "$compiler_lib_search_path_CXX"; then
+	     compiler_lib_search_path_CXX="${prev}${p}"
+	   else
+	     compiler_lib_search_path_CXX="${compiler_lib_search_path_CXX} ${prev}${p}"
+	   fi
+	   ;;
+	 # The "-l" case would never come before the object being
+	 # linked, so don't bother handling this case.
+	 esac
+       else
+	 if test -z "$postdeps_CXX"; then
+	   postdeps_CXX="${prev}${p}"
+	 else
+	   postdeps_CXX="${postdeps_CXX} ${prev}${p}"
+	 fi
+       fi
+       ;;
+
+    *.$objext)
+       # This assumes that the test object file only shows up
+       # once in the compiler output.
+       if test "$p" = "conftest.$objext"; then
+	 pre_test_object_deps_done=yes
+	 continue
+       fi
+
+       if test "$pre_test_object_deps_done" = no; then
+	 if test -z "$predep_objects_CXX"; then
+	   predep_objects_CXX="$p"
+	 else
+	   predep_objects_CXX="$predep_objects_CXX $p"
+	 fi
+       else
+	 if test -z "$postdep_objects_CXX"; then
+	   postdep_objects_CXX="$p"
+	 else
+	   postdep_objects_CXX="$postdep_objects_CXX $p"
+	 fi
+       fi
+       ;;
+
+    *) ;; # Ignore the rest.
+
+    esac
+  done
+
+  # Clean up.
+  rm -f a.out a.exe
+else
+  echo "libtool.m4: error: problem compiling CXX test program"
+fi
+
+$rm -f confest.$objext
+
+compiler_lib_search_dirs_CXX=
+if test -n "$compiler_lib_search_path_CXX"; then
+  compiler_lib_search_dirs_CXX=`echo " ${compiler_lib_search_path_CXX}" | ${SED} -e 's! -L! !g' -e 's!^ !!'`
+fi
+
+# PORTME: override above test on systems where it is broken
+case $host_os in
+interix[3-9]*)
+  # Interix 3.5 installs completely hosed .la files for C++, so rather than
+  # hack all around it, let's just trust "g++" to DTRT.
+  predep_objects_CXX=
+  postdep_objects_CXX=
+  postdeps_CXX=
+  ;;
+
+linux*)
+  case `$CC -V 2>&1 | sed 5q` in
+  *Sun\ C*)
+    # Sun C++ 5.9
+    #
+    # The more standards-conforming stlport4 library is
+    # incompatible with the Cstd library. Avoid specifying
+    # it if it's in CXXFLAGS. Ignore libCrun as
+    # -library=stlport4 depends on it.
+    case " $CXX $CXXFLAGS " in
+    *" -library=stlport4 "*)
+      solaris_use_stlport4=yes
+      ;;
+    esac
+    if test "$solaris_use_stlport4" != yes; then
+      postdeps_CXX='-library=Cstd -library=Crun'
+    fi
+    ;;
+  esac
+  ;;
+
+solaris*)
+  case $cc_basename in
+  CC*)
+    # The more standards-conforming stlport4 library is
+    # incompatible with the Cstd library. Avoid specifying
+    # it if it's in CXXFLAGS. Ignore libCrun as
+    # -library=stlport4 depends on it.
+    case " $CXX $CXXFLAGS " in
+    *" -library=stlport4 "*)
+      solaris_use_stlport4=yes
+      ;;
+    esac
+
+    # Adding this requires a known-good setup of shared libraries for
+    # Sun compiler versions before 5.6, else PIC objects from an old
+    # archive will be linked into the output, leading to subtle bugs.
+    if test "$solaris_use_stlport4" != yes; then
+      postdeps_CXX='-library=Cstd -library=Crun'
+    fi
+    ;;
+  esac
+  ;;
+esac
+
+case " $postdeps_CXX " in
+*" -lc "*) archive_cmds_need_lc_CXX=no ;;
+esac
+
+lt_prog_compiler_wl_CXX=
+lt_prog_compiler_pic_CXX=
+lt_prog_compiler_static_CXX=
+
+{ echo "$as_me:$LINENO: checking for $compiler option to produce PIC" >&5
+echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6; }
+
+  # C++ specific cases for pic, static, wl, etc.
+  if test "$GXX" = yes; then
+    lt_prog_compiler_wl_CXX='-Wl,'
+    lt_prog_compiler_static_CXX='-static'
+
+    case $host_os in
+    aix*)
+      # All AIX code is PIC.
+      if test "$host_cpu" = ia64; then
+	# AIX 5 now supports IA64 processor
+	lt_prog_compiler_static_CXX='-Bstatic'
+      fi
+      ;;
+    amigaos*)
+      # FIXME: we need at least 68020 code to build shared libraries, but
+      # adding the `-m68020' flag to GCC prevents building anything better,
+      # like `-m68040'.
+      lt_prog_compiler_pic_CXX='-m68020 -resident32 -malways-restore-a4'
+      ;;
+    beos* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*)
+      # PIC is the default for these OSes.
+      ;;
+    mingw* | cygwin* | os2* | pw32*)
+      # This hack is so that the source file can tell whether it is being
+      # built for inclusion in a dll (and should export symbols for example).
+      # Although the cygwin gcc ignores -fPIC, still need this for old-style
+      # (--disable-auto-import) libraries
+      lt_prog_compiler_pic_CXX='-DDLL_EXPORT'
+      ;;
+    darwin* | rhapsody*)
+      # PIC is the default on this platform
+      # Common symbols not allowed in MH_DYLIB files
+      lt_prog_compiler_pic_CXX='-fno-common'
+      ;;
+    *djgpp*)
+      # DJGPP does not support shared libraries at all
+      lt_prog_compiler_pic_CXX=
+      ;;
+    interix[3-9]*)
+      # Interix 3.x gcc -fpic/-fPIC options generate broken code.
+      # Instead, we relocate shared libraries at runtime.
+      ;;
+    sysv4*MP*)
+      if test -d /usr/nec; then
+	lt_prog_compiler_pic_CXX=-Kconform_pic
+      fi
+      ;;
+    hpux*)
+      # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but
+      # not for PA HP-UX.
+      case $host_cpu in
+      hppa*64*|ia64*)
+	;;
+      *)
+	lt_prog_compiler_pic_CXX='-fPIC'
+	;;
+      esac
+      ;;
+    *)
+      lt_prog_compiler_pic_CXX='-fPIC'
+      ;;
+    esac
+  else
+    case $host_os in
+      aix[4-9]*)
+	# All AIX code is PIC.
+	if test "$host_cpu" = ia64; then
+	  # AIX 5 now supports IA64 processor
+	  lt_prog_compiler_static_CXX='-Bstatic'
+	else
+	  lt_prog_compiler_static_CXX='-bnso -bI:/lib/syscalls.exp'
+	fi
+	;;
+      chorus*)
+	case $cc_basename in
+	cxch68*)
+	  # Green Hills C++ Compiler
+	  # _LT_AC_TAGVAR(lt_prog_compiler_static, CXX)="--no_auto_instantiation -u __main -u __premain -u _abort -r $COOL_DIR/lib/libOrb.a $MVME_DIR/lib/CC/libC.a $MVME_DIR/lib/classix/libcx.s.a"
+	  ;;
+	esac
+	;;
+       darwin*)
+         # PIC is the default on this platform
+         # Common symbols not allowed in MH_DYLIB files
+         case $cc_basename in
+           xlc*)
+           lt_prog_compiler_pic_CXX='-qnocommon'
+           lt_prog_compiler_wl_CXX='-Wl,'
+           ;;
+         esac
+       ;;
+      dgux*)
+	case $cc_basename in
+	  ec++*)
+	    lt_prog_compiler_pic_CXX='-KPIC'
+	    ;;
+	  ghcx*)
+	    # Green Hills C++ Compiler
+	    lt_prog_compiler_pic_CXX='-pic'
+	    ;;
+	  *)
+	    ;;
+	esac
+	;;
+      freebsd* | dragonfly*)
+	# FreeBSD uses GNU C++
+	;;
+      hpux9* | hpux10* | hpux11*)
+	case $cc_basename in
+	  CC*)
+	    lt_prog_compiler_wl_CXX='-Wl,'
+	    lt_prog_compiler_static_CXX='${wl}-a ${wl}archive'
+	    if test "$host_cpu" != ia64; then
+	      lt_prog_compiler_pic_CXX='+Z'
+	    fi
+	    ;;
+	  aCC*)
+	    lt_prog_compiler_wl_CXX='-Wl,'
+	    lt_prog_compiler_static_CXX='${wl}-a ${wl}archive'
+	    case $host_cpu in
+	    hppa*64*|ia64*)
+	      # +Z the default
+	      ;;
+	    *)
+	      lt_prog_compiler_pic_CXX='+Z'
+	      ;;
+	    esac
+	    ;;
+	  *)
+	    ;;
+	esac
+	;;
+      interix*)
+	# This is c89, which is MS Visual C++ (no shared libs)
+	# Anyone wants to do a port?
+	;;
+      irix5* | irix6* | nonstopux*)
+	case $cc_basename in
+	  CC*)
+	    lt_prog_compiler_wl_CXX='-Wl,'
+	    lt_prog_compiler_static_CXX='-non_shared'
+	    # CC pic flag -KPIC is the default.
+	    ;;
+	  *)
+	    ;;
+	esac
+	;;
+      linux* | k*bsd*-gnu)
+	case $cc_basename in
+	  KCC*)
+	    # KAI C++ Compiler
+	    lt_prog_compiler_wl_CXX='--backend -Wl,'
+	    lt_prog_compiler_pic_CXX='-fPIC'
+	    ;;
+	  icpc* | ecpc*)
+	    # Intel C++
+	    lt_prog_compiler_wl_CXX='-Wl,'
+	    lt_prog_compiler_pic_CXX='-KPIC'
+	    lt_prog_compiler_static_CXX='-static'
+	    ;;
+	  pgCC* | pgcpp*)
+	    # Portland Group C++ compiler.
+	    lt_prog_compiler_wl_CXX='-Wl,'
+	    lt_prog_compiler_pic_CXX='-fpic'
+	    lt_prog_compiler_static_CXX='-Bstatic'
+	    ;;
+	  cxx*)
+	    # Compaq C++
+	    # Make sure the PIC flag is empty.  It appears that all Alpha
+	    # Linux and Compaq Tru64 Unix objects are PIC.
+	    lt_prog_compiler_pic_CXX=
+	    lt_prog_compiler_static_CXX='-non_shared'
+	    ;;
+	  *)
+	    case `$CC -V 2>&1 | sed 5q` in
+	    *Sun\ C*)
+	      # Sun C++ 5.9
+	      lt_prog_compiler_pic_CXX='-KPIC'
+	      lt_prog_compiler_static_CXX='-Bstatic'
+	      lt_prog_compiler_wl_CXX='-Qoption ld '
+	      ;;
+	    esac
+	    ;;
+	esac
+	;;
+      lynxos*)
+	;;
+      m88k*)
+	;;
+      mvs*)
+	case $cc_basename in
+	  cxx*)
+	    lt_prog_compiler_pic_CXX='-W c,exportall'
+	    ;;
+	  *)
+	    ;;
+	esac
+	;;
+      netbsd* | netbsdelf*-gnu)
+	;;
+      osf3* | osf4* | osf5*)
+	case $cc_basename in
+	  KCC*)
+	    lt_prog_compiler_wl_CXX='--backend -Wl,'
+	    ;;
+	  RCC*)
+	    # Rational C++ 2.4.1
+	    lt_prog_compiler_pic_CXX='-pic'
+	    ;;
+	  cxx*)
+	    # Digital/Compaq C++
+	    lt_prog_compiler_wl_CXX='-Wl,'
+	    # Make sure the PIC flag is empty.  It appears that all Alpha
+	    # Linux and Compaq Tru64 Unix objects are PIC.
+	    lt_prog_compiler_pic_CXX=
+	    lt_prog_compiler_static_CXX='-non_shared'
+	    ;;
+	  *)
+	    ;;
+	esac
+	;;
+      psos*)
+	;;
+      solaris*)
+	case $cc_basename in
+	  CC*)
+	    # Sun C++ 4.2, 5.x and Centerline C++
+	    lt_prog_compiler_pic_CXX='-KPIC'
+	    lt_prog_compiler_static_CXX='-Bstatic'
+	    lt_prog_compiler_wl_CXX='-Qoption ld '
+	    ;;
+	  gcx*)
+	    # Green Hills C++ Compiler
+	    lt_prog_compiler_pic_CXX='-PIC'
+	    ;;
+	  *)
+	    ;;
+	esac
+	;;
+      sunos4*)
+	case $cc_basename in
+	  CC*)
+	    # Sun C++ 4.x
+	    lt_prog_compiler_pic_CXX='-pic'
+	    lt_prog_compiler_static_CXX='-Bstatic'
+	    ;;
+	  lcc*)
+	    # Lucid
+	    lt_prog_compiler_pic_CXX='-pic'
+	    ;;
+	  *)
+	    ;;
+	esac
+	;;
+      tandem*)
+	case $cc_basename in
+	  NCC*)
+	    # NonStop-UX NCC 3.20
+	    lt_prog_compiler_pic_CXX='-KPIC'
+	    ;;
+	  *)
+	    ;;
+	esac
+	;;
+      sysv5* | unixware* | sco3.2v5* | sco5v6* | OpenUNIX*)
+	case $cc_basename in
+	  CC*)
+	    lt_prog_compiler_wl_CXX='-Wl,'
+	    lt_prog_compiler_pic_CXX='-KPIC'
+	    lt_prog_compiler_static_CXX='-Bstatic'
+	    ;;
+	esac
+	;;
+      vxworks*)
+	;;
+      *)
+	lt_prog_compiler_can_build_shared_CXX=no
+	;;
+    esac
+  fi
+
+{ echo "$as_me:$LINENO: result: $lt_prog_compiler_pic_CXX" >&5
+echo "${ECHO_T}$lt_prog_compiler_pic_CXX" >&6; }
+
+#
+# Check to make sure the PIC flag actually works.
+#
+if test -n "$lt_prog_compiler_pic_CXX"; then
+
+{ echo "$as_me:$LINENO: checking if $compiler PIC flag $lt_prog_compiler_pic_CXX works" >&5
+echo $ECHO_N "checking if $compiler PIC flag $lt_prog_compiler_pic_CXX works... $ECHO_C" >&6; }
+if test "${lt_cv_prog_compiler_pic_works_CXX+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  lt_cv_prog_compiler_pic_works_CXX=no
+  ac_outfile=conftest.$ac_objext
+   echo "$lt_simple_compile_test_code" > conftest.$ac_ext
+   lt_compiler_flag="$lt_prog_compiler_pic_CXX -DPIC"
+   # Insert the option either (1) after the last *FLAGS variable, or
+   # (2) before a word containing "conftest.", or (3) at the end.
+   # Note that $ac_compile itself does not contain backslashes and begins
+   # with a dollar sign (not a hyphen), so the echo should work correctly.
+   # The option is referenced via a variable to avoid confusing sed.
+   lt_compile=`echo "$ac_compile" | $SED \
+   -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
+   -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
+   -e 's:$: $lt_compiler_flag:'`
+   (eval echo "\"\$as_me:12994: $lt_compile\"" >&5)
+   (eval "$lt_compile" 2>conftest.err)
+   ac_status=$?
+   cat conftest.err >&5
+   echo "$as_me:12998: \$? = $ac_status" >&5
+   if (exit $ac_status) && test -s "$ac_outfile"; then
+     # The compiler can only warn and ignore the option if not recognized
+     # So say no if there are warnings other than the usual output.
+     $echo "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' >conftest.exp
+     $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2
+     if test ! -s conftest.er2 || diff conftest.exp conftest.er2 >/dev/null; then
+       lt_cv_prog_compiler_pic_works_CXX=yes
+     fi
+   fi
+   $rm conftest*
+
+fi
+{ echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_pic_works_CXX" >&5
+echo "${ECHO_T}$lt_cv_prog_compiler_pic_works_CXX" >&6; }
+
+if test x"$lt_cv_prog_compiler_pic_works_CXX" = xyes; then
+    case $lt_prog_compiler_pic_CXX in
+     "" | " "*) ;;
+     *) lt_prog_compiler_pic_CXX=" $lt_prog_compiler_pic_CXX" ;;
+     esac
+else
+    lt_prog_compiler_pic_CXX=
+     lt_prog_compiler_can_build_shared_CXX=no
+fi
+
+fi
+case $host_os in
+  # For platforms which do not support PIC, -DPIC is meaningless:
+  *djgpp*)
+    lt_prog_compiler_pic_CXX=
+    ;;
+  *)
+    lt_prog_compiler_pic_CXX="$lt_prog_compiler_pic_CXX -DPIC"
+    ;;
+esac
+
+#
+# Check to make sure the static flag actually works.
+#
+wl=$lt_prog_compiler_wl_CXX eval lt_tmp_static_flag=\"$lt_prog_compiler_static_CXX\"
+{ echo "$as_me:$LINENO: checking if $compiler static flag $lt_tmp_static_flag works" >&5
+echo $ECHO_N "checking if $compiler static flag $lt_tmp_static_flag works... $ECHO_C" >&6; }
+if test "${lt_cv_prog_compiler_static_works_CXX+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  lt_cv_prog_compiler_static_works_CXX=no
+   save_LDFLAGS="$LDFLAGS"
+   LDFLAGS="$LDFLAGS $lt_tmp_static_flag"
+   echo "$lt_simple_link_test_code" > conftest.$ac_ext
+   if (eval $ac_link 2>conftest.err) && test -s conftest$ac_exeext; then
+     # The linker can only warn and ignore the option if not recognized
+     # So say no if there are warnings
+     if test -s conftest.err; then
+       # Append any errors to the config.log.
+       cat conftest.err 1>&5
+       $echo "X$_lt_linker_boilerplate" | $Xsed -e '/^$/d' > conftest.exp
+       $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2
+       if diff conftest.exp conftest.er2 >/dev/null; then
+         lt_cv_prog_compiler_static_works_CXX=yes
+       fi
+     else
+       lt_cv_prog_compiler_static_works_CXX=yes
+     fi
+   fi
+   $rm -r conftest*
+   LDFLAGS="$save_LDFLAGS"
+
+fi
+{ echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_static_works_CXX" >&5
+echo "${ECHO_T}$lt_cv_prog_compiler_static_works_CXX" >&6; }
+
+if test x"$lt_cv_prog_compiler_static_works_CXX" = xyes; then
+    :
+else
+    lt_prog_compiler_static_CXX=
+fi
+
+
+{ echo "$as_me:$LINENO: checking if $compiler supports -c -o file.$ac_objext" >&5
+echo $ECHO_N "checking if $compiler supports -c -o file.$ac_objext... $ECHO_C" >&6; }
+if test "${lt_cv_prog_compiler_c_o_CXX+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  lt_cv_prog_compiler_c_o_CXX=no
+   $rm -r conftest 2>/dev/null
+   mkdir conftest
+   cd conftest
+   mkdir out
+   echo "$lt_simple_compile_test_code" > conftest.$ac_ext
+
+   lt_compiler_flag="-o out/conftest2.$ac_objext"
+   # Insert the option either (1) after the last *FLAGS variable, or
+   # (2) before a word containing "conftest.", or (3) at the end.
+   # Note that $ac_compile itself does not contain backslashes and begins
+   # with a dollar sign (not a hyphen), so the echo should work correctly.
+   lt_compile=`echo "$ac_compile" | $SED \
+   -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
+   -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
+   -e 's:$: $lt_compiler_flag:'`
+   (eval echo "\"\$as_me:13098: $lt_compile\"" >&5)
+   (eval "$lt_compile" 2>out/conftest.err)
+   ac_status=$?
+   cat out/conftest.err >&5
+   echo "$as_me:13102: \$? = $ac_status" >&5
+   if (exit $ac_status) && test -s out/conftest2.$ac_objext
+   then
+     # The compiler can only warn and ignore the option if not recognized
+     # So say no if there are warnings
+     $echo "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' > out/conftest.exp
+     $SED '/^$/d; /^ *+/d' out/conftest.err >out/conftest.er2
+     if test ! -s out/conftest.er2 || diff out/conftest.exp out/conftest.er2 >/dev/null; then
+       lt_cv_prog_compiler_c_o_CXX=yes
+     fi
+   fi
+   chmod u+w . 2>&5
+   $rm conftest*
+   # SGI C++ compiler will create directory out/ii_files/ for
+   # template instantiation
+   test -d out/ii_files && $rm out/ii_files/* && rmdir out/ii_files
+   $rm out/* && rmdir out
+   cd ..
+   rmdir conftest
+   $rm conftest*
+
+fi
+{ echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_c_o_CXX" >&5
+echo "${ECHO_T}$lt_cv_prog_compiler_c_o_CXX" >&6; }
+
+
+hard_links="nottested"
+if test "$lt_cv_prog_compiler_c_o_CXX" = no && test "$need_locks" != no; then
+  # do not overwrite the value of need_locks provided by the user
+  { echo "$as_me:$LINENO: checking if we can lock with hard links" >&5
+echo $ECHO_N "checking if we can lock with hard links... $ECHO_C" >&6; }
+  hard_links=yes
+  $rm conftest*
+  ln conftest.a conftest.b 2>/dev/null && hard_links=no
+  touch conftest.a
+  ln conftest.a conftest.b 2>&5 || hard_links=no
+  ln conftest.a conftest.b 2>/dev/null && hard_links=no
+  { echo "$as_me:$LINENO: result: $hard_links" >&5
+echo "${ECHO_T}$hard_links" >&6; }
+  if test "$hard_links" = no; then
+    { echo "$as_me:$LINENO: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&5
+echo "$as_me: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&2;}
+    need_locks=warn
+  fi
+else
+  need_locks=no
+fi
+
+{ echo "$as_me:$LINENO: checking whether the $compiler linker ($LD) supports shared libraries" >&5
+echo $ECHO_N "checking whether the $compiler linker ($LD) supports shared libraries... $ECHO_C" >&6; }
+
+  export_symbols_cmds_CXX='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols'
+  case $host_os in
+  aix[4-9]*)
+    # If we're using GNU nm, then we don't want the "-C" option.
+    # -C means demangle to AIX nm, but means don't demangle with GNU nm
+    if $NM -V 2>&1 | grep 'GNU' > /dev/null; then
+      export_symbols_cmds_CXX='$NM -Bpg $libobjs $convenience | awk '\''{ if (((\$2 == "T") || (\$2 == "D") || (\$2 == "B")) && (substr(\$3,1,1) != ".")) { print \$3 } }'\'' | sort -u > $export_symbols'
+    else
+      export_symbols_cmds_CXX='$NM -BCpg $libobjs $convenience | awk '\''{ if (((\$2 == "T") || (\$2 == "D") || (\$2 == "B")) && (substr(\$3,1,1) != ".")) { print \$3 } }'\'' | sort -u > $export_symbols'
+    fi
+    ;;
+  pw32*)
+    export_symbols_cmds_CXX="$ltdll_cmds"
+  ;;
+  cygwin* | mingw*)
+    export_symbols_cmds_CXX='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[BCDGRS][ ]/s/.*[ ]\([^ ]*\)/\1 DATA/;/^.*[ ]__nm__/s/^.*[ ]__nm__\([^ ]*\)[ ][^ ]*/\1 DATA/;/^I[ ]/d;/^[AITW][ ]/s/.*[ ]//'\'' | sort | uniq > $export_symbols'
+  ;;
+  linux* | k*bsd*-gnu)
+    link_all_deplibs_CXX=no
+  ;;
+  *)
+    export_symbols_cmds_CXX='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols'
+  ;;
+  esac
+  exclude_expsyms_CXX='_GLOBAL_OFFSET_TABLE_|_GLOBAL__F[ID]_.*'
+
+{ echo "$as_me:$LINENO: result: $ld_shlibs_CXX" >&5
+echo "${ECHO_T}$ld_shlibs_CXX" >&6; }
+test "$ld_shlibs_CXX" = no && can_build_shared=no
+
+#
+# Do we need to explicitly link libc?
+#
+case "x$archive_cmds_need_lc_CXX" in
+x|xyes)
+  # Assume -lc should be added
+  archive_cmds_need_lc_CXX=yes
+
+  if test "$enable_shared" = yes && test "$GCC" = yes; then
+    case $archive_cmds_CXX in
+    *'~'*)
+      # FIXME: we may have to deal with multi-command sequences.
+      ;;
+    '$CC '*)
+      # Test whether the compiler implicitly links with -lc since on some
+      # systems, -lgcc has to come before -lc. If gcc already passes -lc
+      # to ld, don't add -lc before -lgcc.
+      { echo "$as_me:$LINENO: checking whether -lc should be explicitly linked in" >&5
+echo $ECHO_N "checking whether -lc should be explicitly linked in... $ECHO_C" >&6; }
+      $rm conftest*
+      echo "$lt_simple_compile_test_code" > conftest.$ac_ext
+
+      if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } 2>conftest.err; then
+        soname=conftest
+        lib=conftest
+        libobjs=conftest.$ac_objext
+        deplibs=
+        wl=$lt_prog_compiler_wl_CXX
+	pic_flag=$lt_prog_compiler_pic_CXX
+        compiler_flags=-v
+        linker_flags=-v
+        verstring=
+        output_objdir=.
+        libname=conftest
+        lt_save_allow_undefined_flag=$allow_undefined_flag_CXX
+        allow_undefined_flag_CXX=
+        if { (eval echo "$as_me:$LINENO: \"$archive_cmds_CXX 2\>\&1 \| grep \" -lc \" \>/dev/null 2\>\&1\"") >&5
+  (eval $archive_cmds_CXX 2\>\&1 \| grep \" -lc \" \>/dev/null 2\>\&1) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }
+        then
+	  archive_cmds_need_lc_CXX=no
+        else
+	  archive_cmds_need_lc_CXX=yes
+        fi
+        allow_undefined_flag_CXX=$lt_save_allow_undefined_flag
+      else
+        cat conftest.err 1>&5
+      fi
+      $rm conftest*
+      { echo "$as_me:$LINENO: result: $archive_cmds_need_lc_CXX" >&5
+echo "${ECHO_T}$archive_cmds_need_lc_CXX" >&6; }
+      ;;
+    esac
+  fi
+  ;;
+esac
+
+{ echo "$as_me:$LINENO: checking dynamic linker characteristics" >&5
+echo $ECHO_N "checking dynamic linker characteristics... $ECHO_C" >&6; }
+library_names_spec=
+libname_spec='lib$name'
+soname_spec=
+shrext_cmds=".so"
+postinstall_cmds=
+postuninstall_cmds=
+finish_cmds=
+finish_eval=
+shlibpath_var=
+shlibpath_overrides_runpath=unknown
+version_type=none
+dynamic_linker="$host_os ld.so"
+sys_lib_dlsearch_path_spec="/lib /usr/lib"
+
+need_lib_prefix=unknown
+hardcode_into_libs=no
+
+# when you set need_version to no, make sure it does not cause -set_version
+# flags to be left without arguments
+need_version=unknown
+
+case $host_os in
+aix3*)
+  version_type=linux
+  library_names_spec='${libname}${release}${shared_ext}$versuffix $libname.a'
+  shlibpath_var=LIBPATH
+
+  # AIX 3 has no versioning support, so we append a major version to the name.
+  soname_spec='${libname}${release}${shared_ext}$major'
+  ;;
+
+aix[4-9]*)
+  version_type=linux
+  need_lib_prefix=no
+  need_version=no
+  hardcode_into_libs=yes
+  if test "$host_cpu" = ia64; then
+    # AIX 5 supports IA64
+    library_names_spec='${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext}$versuffix $libname${shared_ext}'
+    shlibpath_var=LD_LIBRARY_PATH
+  else
+    # With GCC up to 2.95.x, collect2 would create an import file
+    # for dependence libraries.  The import file would start with
+    # the line `#! .'.  This would cause the generated library to
+    # depend on `.', always an invalid library.  This was fixed in
+    # development snapshots of GCC prior to 3.0.
+    case $host_os in
+      aix4 | aix4.[01] | aix4.[01].*)
+      if { echo '#if __GNUC__ > 2 || (__GNUC__ == 2 && __GNUC_MINOR__ >= 97)'
+	   echo ' yes '
+	   echo '#endif'; } | ${CC} -E - | grep yes > /dev/null; then
+	:
+      else
+	can_build_shared=no
+      fi
+      ;;
+    esac
+    # AIX (on Power*) has no versioning support, so currently we can not hardcode correct
+    # soname into executable. Probably we can add versioning support to
+    # collect2, so additional links can be useful in future.
+    if test "$aix_use_runtimelinking" = yes; then
+      # If using run time linking (on AIX 4.2 or later) use lib<name>.so
+      # instead of lib<name>.a to let people know that these are not
+      # typical AIX shared libraries.
+      library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+    else
+      # We preserve .a as extension for shared libraries through AIX4.2
+      # and later when we are not doing run time linking.
+      library_names_spec='${libname}${release}.a $libname.a'
+      soname_spec='${libname}${release}${shared_ext}$major'
+    fi
+    shlibpath_var=LIBPATH
+  fi
+  ;;
+
+amigaos*)
+  library_names_spec='$libname.ixlibrary $libname.a'
+  # Create ${libname}_ixlibrary.a entries in /sys/libs.
+  finish_eval='for lib in `ls $libdir/*.ixlibrary 2>/dev/null`; do libname=`$echo "X$lib" | $Xsed -e '\''s%^.*/\([^/]*\)\.ixlibrary$%\1%'\''`; test $rm /sys/libs/${libname}_ixlibrary.a; $show "cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a"; cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a || exit 1; done'
+  ;;
+
+beos*)
+  library_names_spec='${libname}${shared_ext}'
+  dynamic_linker="$host_os ld.so"
+  shlibpath_var=LIBRARY_PATH
+  ;;
+
+bsdi[45]*)
+  version_type=linux
+  need_version=no
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  finish_cmds='PATH="\$PATH:/sbin" ldconfig $libdir'
+  shlibpath_var=LD_LIBRARY_PATH
+  sys_lib_search_path_spec="/shlib /usr/lib /usr/X11/lib /usr/contrib/lib /lib /usr/local/lib"
+  sys_lib_dlsearch_path_spec="/shlib /usr/lib /usr/local/lib"
+  # the default ld.so.conf also contains /usr/contrib/lib and
+  # /usr/X11R6/lib (/usr/X11 is a link to /usr/X11R6), but let us allow
+  # libtool to hard-code these into programs
+  ;;
+
+cygwin* | mingw* | pw32*)
+  version_type=windows
+  shrext_cmds=".dll"
+  need_version=no
+  need_lib_prefix=no
+
+  case $GCC,$host_os in
+  yes,cygwin* | yes,mingw* | yes,pw32*)
+    library_names_spec='$libname.dll.a'
+    # DLL is installed to $(libdir)/../bin by postinstall_cmds
+    postinstall_cmds='base_file=`basename \${file}`~
+      dlpath=`$SHELL 2>&1 -c '\''. $dir/'\''\${base_file}'\''i;echo \$dlname'\''`~
+      dldir=$destdir/`dirname \$dlpath`~
+      test -d \$dldir || mkdir -p \$dldir~
+      $install_prog $dir/$dlname \$dldir/$dlname~
+      chmod a+x \$dldir/$dlname'
+    postuninstall_cmds='dldll=`$SHELL 2>&1 -c '\''. $file; echo \$dlname'\''`~
+      dlpath=$dir/\$dldll~
+       $rm \$dlpath'
+    shlibpath_overrides_runpath=yes
+
+    case $host_os in
+    cygwin*)
+      # Cygwin DLLs use 'cyg' prefix rather than 'lib'
+      soname_spec='`echo ${libname} | sed -e 's/^lib/cyg/'``echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}'
+      sys_lib_search_path_spec="/usr/lib /lib/w32api /lib /usr/local/lib"
+      ;;
+    mingw*)
+      # MinGW DLLs use traditional 'lib' prefix
+      soname_spec='${libname}`echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}'
+      sys_lib_search_path_spec=`$CC -print-search-dirs | grep "^libraries:" | $SED -e "s/^libraries://" -e "s,=/,/,g"`
+      if echo "$sys_lib_search_path_spec" | grep ';[c-zC-Z]:/' >/dev/null; then
+        # It is most probably a Windows format PATH printed by
+        # mingw gcc, but we are running on Cygwin. Gcc prints its search
+        # path with ; separators, and with drive letters. We can handle the
+        # drive letters (cygwin fileutils understands them), so leave them,
+        # especially as we might pass files found there to a mingw objdump,
+        # which wouldn't understand a cygwinified path. Ahh.
+        sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'`
+      else
+        sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED  -e "s/$PATH_SEPARATOR/ /g"`
+      fi
+      ;;
+    pw32*)
+      # pw32 DLLs use 'pw' prefix rather than 'lib'
+      library_names_spec='`echo ${libname} | sed -e 's/^lib/pw/'``echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}'
+      ;;
+    esac
+    ;;
+
+  *)
+    library_names_spec='${libname}`echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext} $libname.lib'
+    ;;
+  esac
+  dynamic_linker='Win32 ld.exe'
+  # FIXME: first we should search . and the directory the executable is in
+  shlibpath_var=PATH
+  ;;
+
+darwin* | rhapsody*)
+  dynamic_linker="$host_os dyld"
+  version_type=darwin
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='${libname}${release}${versuffix}$shared_ext ${libname}${release}${major}$shared_ext ${libname}$shared_ext'
+  soname_spec='${libname}${release}${major}$shared_ext'
+  shlibpath_overrides_runpath=yes
+  shlibpath_var=DYLD_LIBRARY_PATH
+  shrext_cmds='`test .$module = .yes && echo .so || echo .dylib`'
+
+  sys_lib_dlsearch_path_spec='/usr/local/lib /lib /usr/lib'
+  ;;
+
+dgux*)
+  version_type=linux
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname$shared_ext'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  shlibpath_var=LD_LIBRARY_PATH
+  ;;
+
+freebsd1*)
+  dynamic_linker=no
+  ;;
+
+freebsd* | dragonfly*)
+  # DragonFly does not have aout.  When/if they implement a new
+  # versioning mechanism, adjust this.
+  if test -x /usr/bin/objformat; then
+    objformat=`/usr/bin/objformat`
+  else
+    case $host_os in
+    freebsd[123]*) objformat=aout ;;
+    *) objformat=elf ;;
+    esac
+  fi
+  version_type=freebsd-$objformat
+  case $version_type in
+    freebsd-elf*)
+      library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext} $libname${shared_ext}'
+      need_version=no
+      need_lib_prefix=no
+      ;;
+    freebsd-*)
+      library_names_spec='${libname}${release}${shared_ext}$versuffix $libname${shared_ext}$versuffix'
+      need_version=yes
+      ;;
+  esac
+  shlibpath_var=LD_LIBRARY_PATH
+  case $host_os in
+  freebsd2*)
+    shlibpath_overrides_runpath=yes
+    ;;
+  freebsd3.[01]* | freebsdelf3.[01]*)
+    shlibpath_overrides_runpath=yes
+    hardcode_into_libs=yes
+    ;;
+  freebsd3.[2-9]* | freebsdelf3.[2-9]* | \
+  freebsd4.[0-5] | freebsdelf4.[0-5] | freebsd4.1.1 | freebsdelf4.1.1)
+    shlibpath_overrides_runpath=no
+    hardcode_into_libs=yes
+    ;;
+  *) # from 4.6 on, and DragonFly
+    shlibpath_overrides_runpath=yes
+    hardcode_into_libs=yes
+    ;;
+  esac
+  ;;
+
+gnu*)
+  version_type=linux
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}${major} ${libname}${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  shlibpath_var=LD_LIBRARY_PATH
+  hardcode_into_libs=yes
+  ;;
+
+hpux9* | hpux10* | hpux11*)
+  # Give a soname corresponding to the major version so that dld.sl refuses to
+  # link against other versions.
+  version_type=sunos
+  need_lib_prefix=no
+  need_version=no
+  case $host_cpu in
+  ia64*)
+    shrext_cmds='.so'
+    hardcode_into_libs=yes
+    dynamic_linker="$host_os dld.so"
+    shlibpath_var=LD_LIBRARY_PATH
+    shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
+    library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+    soname_spec='${libname}${release}${shared_ext}$major'
+    if test "X$HPUX_IA64_MODE" = X32; then
+      sys_lib_search_path_spec="/usr/lib/hpux32 /usr/local/lib/hpux32 /usr/local/lib"
+    else
+      sys_lib_search_path_spec="/usr/lib/hpux64 /usr/local/lib/hpux64"
+    fi
+    sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
+    ;;
+   hppa*64*)
+     shrext_cmds='.sl'
+     hardcode_into_libs=yes
+     dynamic_linker="$host_os dld.sl"
+     shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH
+     shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
+     library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+     soname_spec='${libname}${release}${shared_ext}$major'
+     sys_lib_search_path_spec="/usr/lib/pa20_64 /usr/ccs/lib/pa20_64"
+     sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
+     ;;
+   *)
+    shrext_cmds='.sl'
+    dynamic_linker="$host_os dld.sl"
+    shlibpath_var=SHLIB_PATH
+    shlibpath_overrides_runpath=no # +s is required to enable SHLIB_PATH
+    library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+    soname_spec='${libname}${release}${shared_ext}$major'
+    ;;
+  esac
+  # HP-UX runs *really* slowly unless shared libraries are mode 555.
+  postinstall_cmds='chmod 555 $lib'
+  ;;
+
+interix[3-9]*)
+  version_type=linux
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  dynamic_linker='Interix 3.x ld.so.1 (PE, like ELF)'
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=no
+  hardcode_into_libs=yes
+  ;;
+
+irix5* | irix6* | nonstopux*)
+  case $host_os in
+    nonstopux*) version_type=nonstopux ;;
+    *)
+	if test "$lt_cv_prog_gnu_ld" = yes; then
+		version_type=linux
+	else
+		version_type=irix
+	fi ;;
+  esac
+  need_lib_prefix=no
+  need_version=no
+  soname_spec='${libname}${release}${shared_ext}$major'
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext} $libname${shared_ext}'
+  case $host_os in
+  irix5* | nonstopux*)
+    libsuff= shlibsuff=
+    ;;
+  *)
+    case $LD in # libtool.m4 will add one of these switches to LD
+    *-32|*"-32 "|*-melf32bsmip|*"-melf32bsmip ")
+      libsuff= shlibsuff= libmagic=32-bit;;
+    *-n32|*"-n32 "|*-melf32bmipn32|*"-melf32bmipn32 ")
+      libsuff=32 shlibsuff=N32 libmagic=N32;;
+    *-64|*"-64 "|*-melf64bmip|*"-melf64bmip ")
+      libsuff=64 shlibsuff=64 libmagic=64-bit;;
+    *) libsuff= shlibsuff= libmagic=never-match;;
+    esac
+    ;;
+  esac
+  shlibpath_var=LD_LIBRARY${shlibsuff}_PATH
+  shlibpath_overrides_runpath=no
+  sys_lib_search_path_spec="/usr/lib${libsuff} /lib${libsuff} /usr/local/lib${libsuff}"
+  sys_lib_dlsearch_path_spec="/usr/lib${libsuff} /lib${libsuff}"
+  hardcode_into_libs=yes
+  ;;
+
+# No shared lib support for Linux oldld, aout, or coff.
+linux*oldld* | linux*aout* | linux*coff*)
+  dynamic_linker=no
+  ;;
+
+# This must be Linux ELF.
+linux* | k*bsd*-gnu)
+  version_type=linux
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  finish_cmds='PATH="\$PATH:/sbin" ldconfig -n $libdir'
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=no
+  # This implies no fast_install, which is unacceptable.
+  # Some rework will be needed to allow for fast_install
+  # before this can be enabled.
+  hardcode_into_libs=yes
+
+  # Append ld.so.conf contents to the search path
+  if test -f /etc/ld.so.conf; then
+    lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ 	]*hwcap[ 	]/d;s/[:,	]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;/^$/d' | tr '\n' ' '`
+    sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
+  fi
+
+  # We used to test for /lib/ld.so.1 and disable shared libraries on
+  # powerpc, because MkLinux only supported shared libraries with the
+  # GNU dynamic linker.  Since this was broken with cross compilers,
+  # most powerpc-linux boxes support dynamic linking these days and
+  # people can always --disable-shared, the test was removed, and we
+  # assume the GNU/Linux dynamic linker is in use.
+  dynamic_linker='GNU/Linux ld.so'
+  ;;
+
+netbsdelf*-gnu)
+  version_type=linux
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=no
+  hardcode_into_libs=yes
+  dynamic_linker='NetBSD ld.elf_so'
+  ;;
+
+netbsd*)
+  version_type=sunos
+  need_lib_prefix=no
+  need_version=no
+  if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
+    library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
+    finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
+    dynamic_linker='NetBSD (a.out) ld.so'
+  else
+    library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
+    soname_spec='${libname}${release}${shared_ext}$major'
+    dynamic_linker='NetBSD ld.elf_so'
+  fi
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=yes
+  hardcode_into_libs=yes
+  ;;
+
+newsos6)
+  version_type=linux
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=yes
+  ;;
+
+nto-qnx*)
+  version_type=linux
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=yes
+  ;;
+
+openbsd*)
+  version_type=sunos
+  sys_lib_dlsearch_path_spec="/usr/lib"
+  need_lib_prefix=no
+  # Some older versions of OpenBSD (3.3 at least) *do* need versioned libs.
+  case $host_os in
+    openbsd3.3 | openbsd3.3.*) need_version=yes ;;
+    *)                         need_version=no  ;;
+  esac
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
+  finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
+  shlibpath_var=LD_LIBRARY_PATH
+  if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
+    case $host_os in
+      openbsd2.[89] | openbsd2.[89].*)
+	shlibpath_overrides_runpath=no
+	;;
+      *)
+	shlibpath_overrides_runpath=yes
+	;;
+      esac
+  else
+    shlibpath_overrides_runpath=yes
+  fi
+  ;;
+
+os2*)
+  libname_spec='$name'
+  shrext_cmds=".dll"
+  need_lib_prefix=no
+  library_names_spec='$libname${shared_ext} $libname.a'
+  dynamic_linker='OS/2 ld.exe'
+  shlibpath_var=LIBPATH
+  ;;
+
+osf3* | osf4* | osf5*)
+  version_type=osf
+  need_lib_prefix=no
+  need_version=no
+  soname_spec='${libname}${release}${shared_ext}$major'
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+  shlibpath_var=LD_LIBRARY_PATH
+  sys_lib_search_path_spec="/usr/shlib /usr/ccs/lib /usr/lib/cmplrs/cc /usr/lib /usr/local/lib /var/shlib"
+  sys_lib_dlsearch_path_spec="$sys_lib_search_path_spec"
+  ;;
+
+rdos*)
+  dynamic_linker=no
+  ;;
+
+solaris*)
+  version_type=linux
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=yes
+  hardcode_into_libs=yes
+  # ldd complains unless libraries are executable
+  postinstall_cmds='chmod +x $lib'
+  ;;
+
+sunos4*)
+  version_type=sunos
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
+  finish_cmds='PATH="\$PATH:/usr/etc" ldconfig $libdir'
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=yes
+  if test "$with_gnu_ld" = yes; then
+    need_lib_prefix=no
+  fi
+  need_version=yes
+  ;;
+
+sysv4 | sysv4.3*)
+  version_type=linux
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  shlibpath_var=LD_LIBRARY_PATH
+  case $host_vendor in
+    sni)
+      shlibpath_overrides_runpath=no
+      need_lib_prefix=no
+      export_dynamic_flag_spec='${wl}-Blargedynsym'
+      runpath_var=LD_RUN_PATH
+      ;;
+    siemens)
+      need_lib_prefix=no
+      ;;
+    motorola)
+      need_lib_prefix=no
+      need_version=no
+      shlibpath_overrides_runpath=no
+      sys_lib_search_path_spec='/lib /usr/lib /usr/ccs/lib'
+      ;;
+  esac
+  ;;
+
+sysv4*MP*)
+  if test -d /usr/nec ;then
+    version_type=linux
+    library_names_spec='$libname${shared_ext}.$versuffix $libname${shared_ext}.$major $libname${shared_ext}'
+    soname_spec='$libname${shared_ext}.$major'
+    shlibpath_var=LD_LIBRARY_PATH
+  fi
+  ;;
+
+sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX* | sysv4*uw2*)
+  version_type=freebsd-elf
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext} $libname${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  shlibpath_var=LD_LIBRARY_PATH
+  hardcode_into_libs=yes
+  if test "$with_gnu_ld" = yes; then
+    sys_lib_search_path_spec='/usr/local/lib /usr/gnu/lib /usr/ccs/lib /usr/lib /lib'
+    shlibpath_overrides_runpath=no
+  else
+    sys_lib_search_path_spec='/usr/ccs/lib /usr/lib'
+    shlibpath_overrides_runpath=yes
+    case $host_os in
+      sco3.2v5*)
+        sys_lib_search_path_spec="$sys_lib_search_path_spec /lib"
+	;;
+    esac
+  fi
+  sys_lib_dlsearch_path_spec='/usr/lib'
+  ;;
+
+uts4*)
+  version_type=linux
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  shlibpath_var=LD_LIBRARY_PATH
+  ;;
+
+*)
+  dynamic_linker=no
+  ;;
+esac
+{ echo "$as_me:$LINENO: result: $dynamic_linker" >&5
+echo "${ECHO_T}$dynamic_linker" >&6; }
+test "$dynamic_linker" = no && can_build_shared=no
+
+if test "${lt_cv_sys_lib_search_path_spec+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  lt_cv_sys_lib_search_path_spec="$sys_lib_search_path_spec"
+fi
+
+sys_lib_search_path_spec="$lt_cv_sys_lib_search_path_spec"
+if test "${lt_cv_sys_lib_dlsearch_path_spec+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  lt_cv_sys_lib_dlsearch_path_spec="$sys_lib_dlsearch_path_spec"
+fi
+
+sys_lib_dlsearch_path_spec="$lt_cv_sys_lib_dlsearch_path_spec"
+
+variables_saved_for_relink="PATH $shlibpath_var $runpath_var"
+if test "$GCC" = yes; then
+  variables_saved_for_relink="$variables_saved_for_relink GCC_EXEC_PREFIX COMPILER_PATH LIBRARY_PATH"
+fi
+
+{ echo "$as_me:$LINENO: checking how to hardcode library paths into programs" >&5
+echo $ECHO_N "checking how to hardcode library paths into programs... $ECHO_C" >&6; }
+hardcode_action_CXX=
+if test -n "$hardcode_libdir_flag_spec_CXX" || \
+   test -n "$runpath_var_CXX" || \
+   test "X$hardcode_automatic_CXX" = "Xyes" ; then
+
+  # We can hardcode non-existant directories.
+  if test "$hardcode_direct_CXX" != no &&
+     # If the only mechanism to avoid hardcoding is shlibpath_var, we
+     # have to relink, otherwise we might link with an installed library
+     # when we should be linking with a yet-to-be-installed one
+     ## test "$_LT_AC_TAGVAR(hardcode_shlibpath_var, CXX)" != no &&
+     test "$hardcode_minus_L_CXX" != no; then
+    # Linking always hardcodes the temporary library directory.
+    hardcode_action_CXX=relink
+  else
+    # We can link without hardcoding, and we can hardcode nonexisting dirs.
+    hardcode_action_CXX=immediate
+  fi
+else
+  # We cannot hardcode anything, or else we can only hardcode existing
+  # directories.
+  hardcode_action_CXX=unsupported
+fi
+{ echo "$as_me:$LINENO: result: $hardcode_action_CXX" >&5
+echo "${ECHO_T}$hardcode_action_CXX" >&6; }
+
+if test "$hardcode_action_CXX" = relink; then
+  # Fast installation is not supported
+  enable_fast_install=no
+elif test "$shlibpath_overrides_runpath" = yes ||
+     test "$enable_shared" = no; then
+  # Fast installation is not necessary
+  enable_fast_install=needless
+fi
+
+
+# The else clause should only fire when bootstrapping the
+# libtool distribution, otherwise you forgot to ship ltmain.sh
+# with your package, and you will get complaints that there are
+# no rules to generate ltmain.sh.
+if test -f "$ltmain"; then
+  # See if we are running on zsh, and set the options which allow our commands through
+  # without removal of \ escapes.
+  if test -n "${ZSH_VERSION+set}" ; then
+    setopt NO_GLOB_SUBST
+  fi
+  # Now quote all the things that may contain metacharacters while being
+  # careful not to overquote the AC_SUBSTed values.  We take copies of the
+  # variables and quote the copies for generation of the libtool script.
+  for var in echo old_CC old_CFLAGS AR AR_FLAGS EGREP RANLIB LN_S LTCC LTCFLAGS NM \
+    SED SHELL STRIP \
+    libname_spec library_names_spec soname_spec extract_expsyms_cmds \
+    old_striplib striplib file_magic_cmd finish_cmds finish_eval \
+    deplibs_check_method reload_flag reload_cmds need_locks \
+    lt_cv_sys_global_symbol_pipe lt_cv_sys_global_symbol_to_cdecl \
+    lt_cv_sys_global_symbol_to_c_name_address \
+    sys_lib_search_path_spec sys_lib_dlsearch_path_spec \
+    old_postinstall_cmds old_postuninstall_cmds \
+    compiler_CXX \
+    CC_CXX \
+    LD_CXX \
+    lt_prog_compiler_wl_CXX \
+    lt_prog_compiler_pic_CXX \
+    lt_prog_compiler_static_CXX \
+    lt_prog_compiler_no_builtin_flag_CXX \
+    export_dynamic_flag_spec_CXX \
+    thread_safe_flag_spec_CXX \
+    whole_archive_flag_spec_CXX \
+    enable_shared_with_static_runtimes_CXX \
+    old_archive_cmds_CXX \
+    old_archive_from_new_cmds_CXX \
+    predep_objects_CXX \
+    postdep_objects_CXX \
+    predeps_CXX \
+    postdeps_CXX \
+    compiler_lib_search_path_CXX \
+    compiler_lib_search_dirs_CXX \
+    archive_cmds_CXX \
+    archive_expsym_cmds_CXX \
+    postinstall_cmds_CXX \
+    postuninstall_cmds_CXX \
+    old_archive_from_expsyms_cmds_CXX \
+    allow_undefined_flag_CXX \
+    no_undefined_flag_CXX \
+    export_symbols_cmds_CXX \
+    hardcode_libdir_flag_spec_CXX \
+    hardcode_libdir_flag_spec_ld_CXX \
+    hardcode_libdir_separator_CXX \
+    hardcode_automatic_CXX \
+    module_cmds_CXX \
+    module_expsym_cmds_CXX \
+    lt_cv_prog_compiler_c_o_CXX \
+    fix_srcfile_path_CXX \
+    exclude_expsyms_CXX \
+    include_expsyms_CXX; do
+
+    case $var in
+    old_archive_cmds_CXX | \
+    old_archive_from_new_cmds_CXX | \
+    archive_cmds_CXX | \
+    archive_expsym_cmds_CXX | \
+    module_cmds_CXX | \
+    module_expsym_cmds_CXX | \
+    old_archive_from_expsyms_cmds_CXX | \
+    export_symbols_cmds_CXX | \
+    extract_expsyms_cmds | reload_cmds | finish_cmds | \
+    postinstall_cmds | postuninstall_cmds | \
+    old_postinstall_cmds | old_postuninstall_cmds | \
+    sys_lib_search_path_spec | sys_lib_dlsearch_path_spec)
+      # Double-quote double-evaled strings.
+      eval "lt_$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$double_quote_subst\" -e \"\$sed_quote_subst\" -e \"\$delay_variable_subst\"\`\\\""
+      ;;
+    *)
+      eval "lt_$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$sed_quote_subst\"\`\\\""
+      ;;
+    esac
+  done
+
+  case $lt_echo in
+  *'\$0 --fallback-echo"')
+    lt_echo=`$echo "X$lt_echo" | $Xsed -e 's/\\\\\\\$0 --fallback-echo"$/$0 --fallback-echo"/'`
+    ;;
+  esac
+
+cfgfile="$ofile"
+
+  cat <<__EOF__ >> "$cfgfile"
+# ### BEGIN LIBTOOL TAG CONFIG: $tagname
+
+# Libtool was configured on host `(hostname || uname -n) 2>/dev/null | sed 1q`:
+
+# Shell to use when invoking shell scripts.
+SHELL=$lt_SHELL
+
+# Whether or not to build shared libraries.
+build_libtool_libs=$enable_shared
+
+# Whether or not to build static libraries.
+build_old_libs=$enable_static
+
+# Whether or not to add -lc for building shared libraries.
+build_libtool_need_lc=$archive_cmds_need_lc_CXX
+
+# Whether or not to disallow shared libs when runtime libs are static
+allow_libtool_libs_with_static_runtimes=$enable_shared_with_static_runtimes_CXX
+
+# Whether or not to optimize for fast installation.
+fast_install=$enable_fast_install
+
+# The host system.
+host_alias=$host_alias
+host=$host
+host_os=$host_os
+
+# The build system.
+build_alias=$build_alias
+build=$build
+build_os=$build_os
+
+# An echo program that does not interpret backslashes.
+echo=$lt_echo
+
+# The archiver.
+AR=$lt_AR
+AR_FLAGS=$lt_AR_FLAGS
+
+# A C compiler.
+LTCC=$lt_LTCC
+
+# LTCC compiler flags.
+LTCFLAGS=$lt_LTCFLAGS
+
+# A language-specific compiler.
+CC=$lt_compiler_CXX
+
+# Is the compiler the GNU C compiler?
+with_gcc=$GCC_CXX
+
+# An ERE matcher.
+EGREP=$lt_EGREP
+
+# The linker used to build libraries.
+LD=$lt_LD_CXX
+
+# Whether we need hard or soft links.
+LN_S=$lt_LN_S
+
+# A BSD-compatible nm program.
+NM=$lt_NM
+
+# A symbol stripping program
+STRIP=$lt_STRIP
+
+# Used to examine libraries when file_magic_cmd begins "file"
+MAGIC_CMD=$MAGIC_CMD
+
+# Used on cygwin: DLL creation program.
+DLLTOOL="$DLLTOOL"
+
+# Used on cygwin: object dumper.
+OBJDUMP="$OBJDUMP"
+
+# Used on cygwin: assembler.
+AS="$AS"
+
+# The name of the directory that contains temporary libtool files.
+objdir=$objdir
+
+# How to create reloadable object files.
+reload_flag=$lt_reload_flag
+reload_cmds=$lt_reload_cmds
+
+# How to pass a linker flag through the compiler.
+wl=$lt_lt_prog_compiler_wl_CXX
+
+# Object file suffix (normally "o").
+objext="$ac_objext"
+
+# Old archive suffix (normally "a").
+libext="$libext"
+
+# Shared library suffix (normally ".so").
+shrext_cmds='$shrext_cmds'
+
+# Executable file suffix (normally "").
+exeext="$exeext"
+
+# Additional compiler flags for building library objects.
+pic_flag=$lt_lt_prog_compiler_pic_CXX
+pic_mode=$pic_mode
+
+# What is the maximum length of a command?
+max_cmd_len=$lt_cv_sys_max_cmd_len
+
+# Does compiler simultaneously support -c and -o options?
+compiler_c_o=$lt_lt_cv_prog_compiler_c_o_CXX
+
+# Must we lock files when doing compilation?
+need_locks=$lt_need_locks
+
+# Do we need the lib prefix for modules?
+need_lib_prefix=$need_lib_prefix
+
+# Do we need a version for libraries?
+need_version=$need_version
+
+# Whether dlopen is supported.
+dlopen_support=$enable_dlopen
+
+# Whether dlopen of programs is supported.
+dlopen_self=$enable_dlopen_self
+
+# Whether dlopen of statically linked programs is supported.
+dlopen_self_static=$enable_dlopen_self_static
+
+# Compiler flag to prevent dynamic linking.
+link_static_flag=$lt_lt_prog_compiler_static_CXX
+
+# Compiler flag to turn off builtin functions.
+no_builtin_flag=$lt_lt_prog_compiler_no_builtin_flag_CXX
+
+# Compiler flag to allow reflexive dlopens.
+export_dynamic_flag_spec=$lt_export_dynamic_flag_spec_CXX
+
+# Compiler flag to generate shared objects directly from archives.
+whole_archive_flag_spec=$lt_whole_archive_flag_spec_CXX
+
+# Compiler flag to generate thread-safe objects.
+thread_safe_flag_spec=$lt_thread_safe_flag_spec_CXX
+
+# Library versioning type.
+version_type=$version_type
+
+# Format of library name prefix.
+libname_spec=$lt_libname_spec
+
+# List of archive names.  First name is the real one, the rest are links.
+# The last name is the one that the linker finds with -lNAME.
+library_names_spec=$lt_library_names_spec
+
+# The coded name of the library, if different from the real name.
+soname_spec=$lt_soname_spec
+
+# Commands used to build and install an old-style archive.
+RANLIB=$lt_RANLIB
+old_archive_cmds=$lt_old_archive_cmds_CXX
+old_postinstall_cmds=$lt_old_postinstall_cmds
+old_postuninstall_cmds=$lt_old_postuninstall_cmds
+
+# Create an old-style archive from a shared archive.
+old_archive_from_new_cmds=$lt_old_archive_from_new_cmds_CXX
+
+# Create a temporary old-style archive to link instead of a shared archive.
+old_archive_from_expsyms_cmds=$lt_old_archive_from_expsyms_cmds_CXX
+
+# Commands used to build and install a shared archive.
+archive_cmds=$lt_archive_cmds_CXX
+archive_expsym_cmds=$lt_archive_expsym_cmds_CXX
+postinstall_cmds=$lt_postinstall_cmds
+postuninstall_cmds=$lt_postuninstall_cmds
+
+# Commands used to build a loadable module (assumed same as above if empty)
+module_cmds=$lt_module_cmds_CXX
+module_expsym_cmds=$lt_module_expsym_cmds_CXX
+
+# Commands to strip libraries.
+old_striplib=$lt_old_striplib
+striplib=$lt_striplib
+
+# Dependencies to place before the objects being linked to create a
+# shared library.
+predep_objects=$lt_predep_objects_CXX
+
+# Dependencies to place after the objects being linked to create a
+# shared library.
+postdep_objects=$lt_postdep_objects_CXX
+
+# Dependencies to place before the objects being linked to create a
+# shared library.
+predeps=$lt_predeps_CXX
+
+# Dependencies to place after the objects being linked to create a
+# shared library.
+postdeps=$lt_postdeps_CXX
+
+# The directories searched by this compiler when creating a shared
+# library
+compiler_lib_search_dirs=$lt_compiler_lib_search_dirs_CXX
+
+# The library search path used internally by the compiler when linking
+# a shared library.
+compiler_lib_search_path=$lt_compiler_lib_search_path_CXX
+
+# Method to check whether dependent libraries are shared objects.
+deplibs_check_method=$lt_deplibs_check_method
+
+# Command to use when deplibs_check_method == file_magic.
+file_magic_cmd=$lt_file_magic_cmd
+
+# Flag that allows shared libraries with undefined symbols to be built.
+allow_undefined_flag=$lt_allow_undefined_flag_CXX
+
+# Flag that forces no undefined symbols.
+no_undefined_flag=$lt_no_undefined_flag_CXX
+
+# Commands used to finish a libtool library installation in a directory.
+finish_cmds=$lt_finish_cmds
+
+# Same as above, but a single script fragment to be evaled but not shown.
+finish_eval=$lt_finish_eval
+
+# Take the output of nm and produce a listing of raw symbols and C names.
+global_symbol_pipe=$lt_lt_cv_sys_global_symbol_pipe
+
+# Transform the output of nm in a proper C declaration
+global_symbol_to_cdecl=$lt_lt_cv_sys_global_symbol_to_cdecl
+
+# Transform the output of nm in a C name address pair
+global_symbol_to_c_name_address=$lt_lt_cv_sys_global_symbol_to_c_name_address
+
+# This is the shared library runtime path variable.
+runpath_var=$runpath_var
+
+# This is the shared library path variable.
+shlibpath_var=$shlibpath_var
+
+# Is shlibpath searched before the hard-coded library search path?
+shlibpath_overrides_runpath=$shlibpath_overrides_runpath
+
+# How to hardcode a shared library path into an executable.
+hardcode_action=$hardcode_action_CXX
+
+# Whether we should hardcode library paths into libraries.
+hardcode_into_libs=$hardcode_into_libs
+
+# Flag to hardcode \$libdir into a binary during linking.
+# This must work even if \$libdir does not exist.
+hardcode_libdir_flag_spec=$lt_hardcode_libdir_flag_spec_CXX
+
+# If ld is used when linking, flag to hardcode \$libdir into
+# a binary during linking. This must work even if \$libdir does
+# not exist.
+hardcode_libdir_flag_spec_ld=$lt_hardcode_libdir_flag_spec_ld_CXX
+
+# Whether we need a single -rpath flag with a separated argument.
+hardcode_libdir_separator=$lt_hardcode_libdir_separator_CXX
+
+# Set to yes if using DIR/libNAME${shared_ext} during linking hardcodes DIR into the
+# resulting binary.
+hardcode_direct=$hardcode_direct_CXX
+
+# Set to yes if using the -LDIR flag during linking hardcodes DIR into the
+# resulting binary.
+hardcode_minus_L=$hardcode_minus_L_CXX
+
+# Set to yes if using SHLIBPATH_VAR=DIR during linking hardcodes DIR into
+# the resulting binary.
+hardcode_shlibpath_var=$hardcode_shlibpath_var_CXX
+
+# Set to yes if building a shared library automatically hardcodes DIR into the library
+# and all subsequent libraries and executables linked against it.
+hardcode_automatic=$hardcode_automatic_CXX
+
+# Variables whose values should be saved in libtool wrapper scripts and
+# restored at relink time.
+variables_saved_for_relink="$variables_saved_for_relink"
+
+# Whether libtool must link a program against all its dependency libraries.
+link_all_deplibs=$link_all_deplibs_CXX
+
+# Compile-time system search path for libraries
+sys_lib_search_path_spec=$lt_sys_lib_search_path_spec
+
+# Run-time system search path for libraries
+sys_lib_dlsearch_path_spec=$lt_sys_lib_dlsearch_path_spec
+
+# Fix the shell variable \$srcfile for the compiler.
+fix_srcfile_path=$lt_fix_srcfile_path
+
+# Set to yes if exported symbols are required.
+always_export_symbols=$always_export_symbols_CXX
+
+# The commands to list exported symbols.
+export_symbols_cmds=$lt_export_symbols_cmds_CXX
+
+# The commands to extract the exported symbol list from a shared archive.
+extract_expsyms_cmds=$lt_extract_expsyms_cmds
+
+# Symbols that should not be listed in the preloaded symbols.
+exclude_expsyms=$lt_exclude_expsyms_CXX
+
+# Symbols that must always be exported.
+include_expsyms=$lt_include_expsyms_CXX
+
+# ### END LIBTOOL TAG CONFIG: $tagname
+
+__EOF__
+
+
+else
+  # If there is no Makefile yet, we rely on a make rule to execute
+  # `config.status --recheck' to rerun these tests and create the
+  # libtool script then.
+  ltmain_in=`echo $ltmain | sed -e 's/\.sh$/.in/'`
+  if test -f "$ltmain_in"; then
+    test -f Makefile && make "$ltmain"
+  fi
+fi
+
+
+ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+
+CC=$lt_save_CC
+LDCXX=$LD
+LD=$lt_save_LD
+GCC=$lt_save_GCC
+with_gnu_ldcxx=$with_gnu_ld
+with_gnu_ld=$lt_save_with_gnu_ld
+lt_cv_path_LDCXX=$lt_cv_path_LD
+lt_cv_path_LD=$lt_save_path_LD
+lt_cv_prog_gnu_ldcxx=$lt_cv_prog_gnu_ld
+lt_cv_prog_gnu_ld=$lt_save_with_gnu_ld
+
+	else
+	  tagname=""
+	fi
+	;;
+
+      F77)
+	if test -n "$F77" && test "X$F77" != "Xno"; then
+
+ac_ext=f
+ac_compile='$F77 -c $FFLAGS conftest.$ac_ext >&5'
+ac_link='$F77 -o conftest$ac_exeext $FFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_f77_compiler_gnu
+
+
+archive_cmds_need_lc_F77=no
+allow_undefined_flag_F77=
+always_export_symbols_F77=no
+archive_expsym_cmds_F77=
+export_dynamic_flag_spec_F77=
+hardcode_direct_F77=no
+hardcode_libdir_flag_spec_F77=
+hardcode_libdir_flag_spec_ld_F77=
+hardcode_libdir_separator_F77=
+hardcode_minus_L_F77=no
+hardcode_automatic_F77=no
+module_cmds_F77=
+module_expsym_cmds_F77=
+link_all_deplibs_F77=unknown
+old_archive_cmds_F77=$old_archive_cmds
+no_undefined_flag_F77=
+whole_archive_flag_spec_F77=
+enable_shared_with_static_runtimes_F77=no
+
+# Source file extension for f77 test sources.
+ac_ext=f
+
+# Object file extension for compiled f77 test sources.
+objext=o
+objext_F77=$objext
+
+# Code to be used in simple compile tests
+lt_simple_compile_test_code="\
+      subroutine t
+      return
+      end
+"
+
+# Code to be used in simple link tests
+lt_simple_link_test_code="\
+      program t
+      end
+"
+
+# ltmain only uses $CC for tagged configurations so make sure $CC is set.
+
+# If no C compiler was specified, use CC.
+LTCC=${LTCC-"$CC"}
+
+# If no C compiler flags were specified, use CFLAGS.
+LTCFLAGS=${LTCFLAGS-"$CFLAGS"}
+
+# Allow CC to be a program name with arguments.
+compiler=$CC
+
+
+# save warnings/boilerplate of simple test code
+ac_outfile=conftest.$ac_objext
+echo "$lt_simple_compile_test_code" >conftest.$ac_ext
+eval "$ac_compile" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err
+_lt_compiler_boilerplate=`cat conftest.err`
+$rm conftest*
+
+ac_outfile=conftest.$ac_objext
+echo "$lt_simple_link_test_code" >conftest.$ac_ext
+eval "$ac_link" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err
+_lt_linker_boilerplate=`cat conftest.err`
+$rm -r conftest*
+
+
+# Allow CC to be a program name with arguments.
+lt_save_CC="$CC"
+CC=${F77-"f77"}
+compiler=$CC
+compiler_F77=$CC
+for cc_temp in $compiler""; do
+  case $cc_temp in
+    compile | *[\\/]compile | ccache | *[\\/]ccache ) ;;
+    distcc | *[\\/]distcc | purify | *[\\/]purify ) ;;
+    \-*) ;;
+    *) break;;
+  esac
+done
+cc_basename=`$echo "X$cc_temp" | $Xsed -e 's%.*/%%' -e "s%^$host_alias-%%"`
+
+
+{ echo "$as_me:$LINENO: checking if libtool supports shared libraries" >&5
+echo $ECHO_N "checking if libtool supports shared libraries... $ECHO_C" >&6; }
+{ echo "$as_me:$LINENO: result: $can_build_shared" >&5
+echo "${ECHO_T}$can_build_shared" >&6; }
+
+{ echo "$as_me:$LINENO: checking whether to build shared libraries" >&5
+echo $ECHO_N "checking whether to build shared libraries... $ECHO_C" >&6; }
+test "$can_build_shared" = "no" && enable_shared=no
+
+# On AIX, shared libraries and static libraries use the same namespace, and
+# are all built from PIC.
+case $host_os in
+aix3*)
+  test "$enable_shared" = yes && enable_static=no
+  if test -n "$RANLIB"; then
+    archive_cmds="$archive_cmds~\$RANLIB \$lib"
+    postinstall_cmds='$RANLIB $lib'
+  fi
+  ;;
+aix[4-9]*)
+  if test "$host_cpu" != ia64 && test "$aix_use_runtimelinking" = no ; then
+    test "$enable_shared" = yes && enable_static=no
+  fi
+  ;;
+esac
+{ echo "$as_me:$LINENO: result: $enable_shared" >&5
+echo "${ECHO_T}$enable_shared" >&6; }
+
+{ echo "$as_me:$LINENO: checking whether to build static libraries" >&5
+echo $ECHO_N "checking whether to build static libraries... $ECHO_C" >&6; }
+# Make sure either enable_shared or enable_static is yes.
+test "$enable_shared" = yes || enable_static=yes
+{ echo "$as_me:$LINENO: result: $enable_static" >&5
+echo "${ECHO_T}$enable_static" >&6; }
+
+GCC_F77="$G77"
+LD_F77="$LD"
+
+lt_prog_compiler_wl_F77=
+lt_prog_compiler_pic_F77=
+lt_prog_compiler_static_F77=
+
+{ echo "$as_me:$LINENO: checking for $compiler option to produce PIC" >&5
+echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6; }
+
+  if test "$GCC" = yes; then
+    lt_prog_compiler_wl_F77='-Wl,'
+    lt_prog_compiler_static_F77='-static'
+
+    case $host_os in
+      aix*)
+      # All AIX code is PIC.
+      if test "$host_cpu" = ia64; then
+	# AIX 5 now supports IA64 processor
+	lt_prog_compiler_static_F77='-Bstatic'
+      fi
+      ;;
+
+    amigaos*)
+      # FIXME: we need at least 68020 code to build shared libraries, but
+      # adding the `-m68020' flag to GCC prevents building anything better,
+      # like `-m68040'.
+      lt_prog_compiler_pic_F77='-m68020 -resident32 -malways-restore-a4'
+      ;;
+
+    beos* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*)
+      # PIC is the default for these OSes.
+      ;;
+
+    mingw* | cygwin* | pw32* | os2*)
+      # This hack is so that the source file can tell whether it is being
+      # built for inclusion in a dll (and should export symbols for example).
+      # Although the cygwin gcc ignores -fPIC, still need this for old-style
+      # (--disable-auto-import) libraries
+      lt_prog_compiler_pic_F77='-DDLL_EXPORT'
+      ;;
+
+    darwin* | rhapsody*)
+      # PIC is the default on this platform
+      # Common symbols not allowed in MH_DYLIB files
+      lt_prog_compiler_pic_F77='-fno-common'
+      ;;
+
+    interix[3-9]*)
+      # Interix 3.x gcc -fpic/-fPIC options generate broken code.
+      # Instead, we relocate shared libraries at runtime.
+      ;;
+
+    msdosdjgpp*)
+      # Just because we use GCC doesn't mean we suddenly get shared libraries
+      # on systems that don't support them.
+      lt_prog_compiler_can_build_shared_F77=no
+      enable_shared=no
+      ;;
+
+    sysv4*MP*)
+      if test -d /usr/nec; then
+	lt_prog_compiler_pic_F77=-Kconform_pic
+      fi
+      ;;
+
+    hpux*)
+      # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but
+      # not for PA HP-UX.
+      case $host_cpu in
+      hppa*64*|ia64*)
+	# +Z the default
+	;;
+      *)
+	lt_prog_compiler_pic_F77='-fPIC'
+	;;
+      esac
+      ;;
+
+    *)
+      lt_prog_compiler_pic_F77='-fPIC'
+      ;;
+    esac
+  else
+    # PORTME Check for flag to pass linker flags through the system compiler.
+    case $host_os in
+    aix*)
+      lt_prog_compiler_wl_F77='-Wl,'
+      if test "$host_cpu" = ia64; then
+	# AIX 5 now supports IA64 processor
+	lt_prog_compiler_static_F77='-Bstatic'
+      else
+	lt_prog_compiler_static_F77='-bnso -bI:/lib/syscalls.exp'
+      fi
+      ;;
+      darwin*)
+        # PIC is the default on this platform
+        # Common symbols not allowed in MH_DYLIB files
+       case $cc_basename in
+         xlc*)
+         lt_prog_compiler_pic_F77='-qnocommon'
+         lt_prog_compiler_wl_F77='-Wl,'
+         ;;
+       esac
+       ;;
+
+    mingw* | cygwin* | pw32* | os2*)
+      # This hack is so that the source file can tell whether it is being
+      # built for inclusion in a dll (and should export symbols for example).
+      lt_prog_compiler_pic_F77='-DDLL_EXPORT'
+      ;;
+
+    hpux9* | hpux10* | hpux11*)
+      lt_prog_compiler_wl_F77='-Wl,'
+      # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but
+      # not for PA HP-UX.
+      case $host_cpu in
+      hppa*64*|ia64*)
+	# +Z the default
+	;;
+      *)
+	lt_prog_compiler_pic_F77='+Z'
+	;;
+      esac
+      # Is there a better lt_prog_compiler_static that works with the bundled CC?
+      lt_prog_compiler_static_F77='${wl}-a ${wl}archive'
+      ;;
+
+    irix5* | irix6* | nonstopux*)
+      lt_prog_compiler_wl_F77='-Wl,'
+      # PIC (with -KPIC) is the default.
+      lt_prog_compiler_static_F77='-non_shared'
+      ;;
+
+    newsos6)
+      lt_prog_compiler_pic_F77='-KPIC'
+      lt_prog_compiler_static_F77='-Bstatic'
+      ;;
+
+    linux* | k*bsd*-gnu)
+      case $cc_basename in
+      icc* | ecc*)
+	lt_prog_compiler_wl_F77='-Wl,'
+	lt_prog_compiler_pic_F77='-KPIC'
+	lt_prog_compiler_static_F77='-static'
+        ;;
+      pgcc* | pgf77* | pgf90* | pgf95*)
+        # Portland Group compilers (*not* the Pentium gcc compiler,
+	# which looks to be a dead project)
+	lt_prog_compiler_wl_F77='-Wl,'
+	lt_prog_compiler_pic_F77='-fpic'
+	lt_prog_compiler_static_F77='-Bstatic'
+        ;;
+      ccc*)
+        lt_prog_compiler_wl_F77='-Wl,'
+        # All Alpha code is PIC.
+        lt_prog_compiler_static_F77='-non_shared'
+        ;;
+      *)
+        case `$CC -V 2>&1 | sed 5q` in
+	*Sun\ C*)
+	  # Sun C 5.9
+	  lt_prog_compiler_pic_F77='-KPIC'
+	  lt_prog_compiler_static_F77='-Bstatic'
+	  lt_prog_compiler_wl_F77='-Wl,'
+	  ;;
+	*Sun\ F*)
+	  # Sun Fortran 8.3 passes all unrecognized flags to the linker
+	  lt_prog_compiler_pic_F77='-KPIC'
+	  lt_prog_compiler_static_F77='-Bstatic'
+	  lt_prog_compiler_wl_F77=''
+	  ;;
+	esac
+	;;
+      esac
+      ;;
+
+    osf3* | osf4* | osf5*)
+      lt_prog_compiler_wl_F77='-Wl,'
+      # All OSF/1 code is PIC.
+      lt_prog_compiler_static_F77='-non_shared'
+      ;;
+
+    rdos*)
+      lt_prog_compiler_static_F77='-non_shared'
+      ;;
+
+    solaris*)
+      lt_prog_compiler_pic_F77='-KPIC'
+      lt_prog_compiler_static_F77='-Bstatic'
+      case $cc_basename in
+      f77* | f90* | f95*)
+	lt_prog_compiler_wl_F77='-Qoption ld ';;
+      *)
+	lt_prog_compiler_wl_F77='-Wl,';;
+      esac
+      ;;
+
+    sunos4*)
+      lt_prog_compiler_wl_F77='-Qoption ld '
+      lt_prog_compiler_pic_F77='-PIC'
+      lt_prog_compiler_static_F77='-Bstatic'
+      ;;
+
+    sysv4 | sysv4.2uw2* | sysv4.3*)
+      lt_prog_compiler_wl_F77='-Wl,'
+      lt_prog_compiler_pic_F77='-KPIC'
+      lt_prog_compiler_static_F77='-Bstatic'
+      ;;
+
+    sysv4*MP*)
+      if test -d /usr/nec ;then
+	lt_prog_compiler_pic_F77='-Kconform_pic'
+	lt_prog_compiler_static_F77='-Bstatic'
+      fi
+      ;;
+
+    sysv5* | unixware* | sco3.2v5* | sco5v6* | OpenUNIX*)
+      lt_prog_compiler_wl_F77='-Wl,'
+      lt_prog_compiler_pic_F77='-KPIC'
+      lt_prog_compiler_static_F77='-Bstatic'
+      ;;
+
+    unicos*)
+      lt_prog_compiler_wl_F77='-Wl,'
+      lt_prog_compiler_can_build_shared_F77=no
+      ;;
+
+    uts4*)
+      lt_prog_compiler_pic_F77='-pic'
+      lt_prog_compiler_static_F77='-Bstatic'
+      ;;
+
+    *)
+      lt_prog_compiler_can_build_shared_F77=no
+      ;;
+    esac
+  fi
+
+{ echo "$as_me:$LINENO: result: $lt_prog_compiler_pic_F77" >&5
+echo "${ECHO_T}$lt_prog_compiler_pic_F77" >&6; }
+
+#
+# Check to make sure the PIC flag actually works.
+#
+if test -n "$lt_prog_compiler_pic_F77"; then
+
+{ echo "$as_me:$LINENO: checking if $compiler PIC flag $lt_prog_compiler_pic_F77 works" >&5
+echo $ECHO_N "checking if $compiler PIC flag $lt_prog_compiler_pic_F77 works... $ECHO_C" >&6; }
+if test "${lt_cv_prog_compiler_pic_works_F77+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  lt_cv_prog_compiler_pic_works_F77=no
+  ac_outfile=conftest.$ac_objext
+   echo "$lt_simple_compile_test_code" > conftest.$ac_ext
+   lt_compiler_flag="$lt_prog_compiler_pic_F77"
+   # Insert the option either (1) after the last *FLAGS variable, or
+   # (2) before a word containing "conftest.", or (3) at the end.
+   # Note that $ac_compile itself does not contain backslashes and begins
+   # with a dollar sign (not a hyphen), so the echo should work correctly.
+   # The option is referenced via a variable to avoid confusing sed.
+   lt_compile=`echo "$ac_compile" | $SED \
+   -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
+   -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
+   -e 's:$: $lt_compiler_flag:'`
+   (eval echo "\"\$as_me:14696: $lt_compile\"" >&5)
+   (eval "$lt_compile" 2>conftest.err)
+   ac_status=$?
+   cat conftest.err >&5
+   echo "$as_me:14700: \$? = $ac_status" >&5
+   if (exit $ac_status) && test -s "$ac_outfile"; then
+     # The compiler can only warn and ignore the option if not recognized
+     # So say no if there are warnings other than the usual output.
+     $echo "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' >conftest.exp
+     $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2
+     if test ! -s conftest.er2 || diff conftest.exp conftest.er2 >/dev/null; then
+       lt_cv_prog_compiler_pic_works_F77=yes
+     fi
+   fi
+   $rm conftest*
+
+fi
+{ echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_pic_works_F77" >&5
+echo "${ECHO_T}$lt_cv_prog_compiler_pic_works_F77" >&6; }
+
+if test x"$lt_cv_prog_compiler_pic_works_F77" = xyes; then
+    case $lt_prog_compiler_pic_F77 in
+     "" | " "*) ;;
+     *) lt_prog_compiler_pic_F77=" $lt_prog_compiler_pic_F77" ;;
+     esac
+else
+    lt_prog_compiler_pic_F77=
+     lt_prog_compiler_can_build_shared_F77=no
+fi
+
+fi
+case $host_os in
+  # For platforms which do not support PIC, -DPIC is meaningless:
+  *djgpp*)
+    lt_prog_compiler_pic_F77=
+    ;;
+  *)
+    lt_prog_compiler_pic_F77="$lt_prog_compiler_pic_F77"
+    ;;
+esac
+
+#
+# Check to make sure the static flag actually works.
+#
+wl=$lt_prog_compiler_wl_F77 eval lt_tmp_static_flag=\"$lt_prog_compiler_static_F77\"
+{ echo "$as_me:$LINENO: checking if $compiler static flag $lt_tmp_static_flag works" >&5
+echo $ECHO_N "checking if $compiler static flag $lt_tmp_static_flag works... $ECHO_C" >&6; }
+if test "${lt_cv_prog_compiler_static_works_F77+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  lt_cv_prog_compiler_static_works_F77=no
+   save_LDFLAGS="$LDFLAGS"
+   LDFLAGS="$LDFLAGS $lt_tmp_static_flag"
+   echo "$lt_simple_link_test_code" > conftest.$ac_ext
+   if (eval $ac_link 2>conftest.err) && test -s conftest$ac_exeext; then
+     # The linker can only warn and ignore the option if not recognized
+     # So say no if there are warnings
+     if test -s conftest.err; then
+       # Append any errors to the config.log.
+       cat conftest.err 1>&5
+       $echo "X$_lt_linker_boilerplate" | $Xsed -e '/^$/d' > conftest.exp
+       $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2
+       if diff conftest.exp conftest.er2 >/dev/null; then
+         lt_cv_prog_compiler_static_works_F77=yes
+       fi
+     else
+       lt_cv_prog_compiler_static_works_F77=yes
+     fi
+   fi
+   $rm -r conftest*
+   LDFLAGS="$save_LDFLAGS"
+
+fi
+{ echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_static_works_F77" >&5
+echo "${ECHO_T}$lt_cv_prog_compiler_static_works_F77" >&6; }
+
+if test x"$lt_cv_prog_compiler_static_works_F77" = xyes; then
+    :
+else
+    lt_prog_compiler_static_F77=
+fi
+
+
+{ echo "$as_me:$LINENO: checking if $compiler supports -c -o file.$ac_objext" >&5
+echo $ECHO_N "checking if $compiler supports -c -o file.$ac_objext... $ECHO_C" >&6; }
+if test "${lt_cv_prog_compiler_c_o_F77+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  lt_cv_prog_compiler_c_o_F77=no
+   $rm -r conftest 2>/dev/null
+   mkdir conftest
+   cd conftest
+   mkdir out
+   echo "$lt_simple_compile_test_code" > conftest.$ac_ext
+
+   lt_compiler_flag="-o out/conftest2.$ac_objext"
+   # Insert the option either (1) after the last *FLAGS variable, or
+   # (2) before a word containing "conftest.", or (3) at the end.
+   # Note that $ac_compile itself does not contain backslashes and begins
+   # with a dollar sign (not a hyphen), so the echo should work correctly.
+   lt_compile=`echo "$ac_compile" | $SED \
+   -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
+   -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
+   -e 's:$: $lt_compiler_flag:'`
+   (eval echo "\"\$as_me:14800: $lt_compile\"" >&5)
+   (eval "$lt_compile" 2>out/conftest.err)
+   ac_status=$?
+   cat out/conftest.err >&5
+   echo "$as_me:14804: \$? = $ac_status" >&5
+   if (exit $ac_status) && test -s out/conftest2.$ac_objext
+   then
+     # The compiler can only warn and ignore the option if not recognized
+     # So say no if there are warnings
+     $echo "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' > out/conftest.exp
+     $SED '/^$/d; /^ *+/d' out/conftest.err >out/conftest.er2
+     if test ! -s out/conftest.er2 || diff out/conftest.exp out/conftest.er2 >/dev/null; then
+       lt_cv_prog_compiler_c_o_F77=yes
+     fi
+   fi
+   chmod u+w . 2>&5
+   $rm conftest*
+   # SGI C++ compiler will create directory out/ii_files/ for
+   # template instantiation
+   test -d out/ii_files && $rm out/ii_files/* && rmdir out/ii_files
+   $rm out/* && rmdir out
+   cd ..
+   rmdir conftest
+   $rm conftest*
+
+fi
+{ echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_c_o_F77" >&5
+echo "${ECHO_T}$lt_cv_prog_compiler_c_o_F77" >&6; }
+
+
+hard_links="nottested"
+if test "$lt_cv_prog_compiler_c_o_F77" = no && test "$need_locks" != no; then
+  # do not overwrite the value of need_locks provided by the user
+  { echo "$as_me:$LINENO: checking if we can lock with hard links" >&5
+echo $ECHO_N "checking if we can lock with hard links... $ECHO_C" >&6; }
+  hard_links=yes
+  $rm conftest*
+  ln conftest.a conftest.b 2>/dev/null && hard_links=no
+  touch conftest.a
+  ln conftest.a conftest.b 2>&5 || hard_links=no
+  ln conftest.a conftest.b 2>/dev/null && hard_links=no
+  { echo "$as_me:$LINENO: result: $hard_links" >&5
+echo "${ECHO_T}$hard_links" >&6; }
+  if test "$hard_links" = no; then
+    { echo "$as_me:$LINENO: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&5
+echo "$as_me: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&2;}
+    need_locks=warn
+  fi
+else
+  need_locks=no
+fi
+
+{ echo "$as_me:$LINENO: checking whether the $compiler linker ($LD) supports shared libraries" >&5
+echo $ECHO_N "checking whether the $compiler linker ($LD) supports shared libraries... $ECHO_C" >&6; }
+
+  runpath_var=
+  allow_undefined_flag_F77=
+  enable_shared_with_static_runtimes_F77=no
+  archive_cmds_F77=
+  archive_expsym_cmds_F77=
+  old_archive_From_new_cmds_F77=
+  old_archive_from_expsyms_cmds_F77=
+  export_dynamic_flag_spec_F77=
+  whole_archive_flag_spec_F77=
+  thread_safe_flag_spec_F77=
+  hardcode_libdir_flag_spec_F77=
+  hardcode_libdir_flag_spec_ld_F77=
+  hardcode_libdir_separator_F77=
+  hardcode_direct_F77=no
+  hardcode_minus_L_F77=no
+  hardcode_shlibpath_var_F77=unsupported
+  link_all_deplibs_F77=unknown
+  hardcode_automatic_F77=no
+  module_cmds_F77=
+  module_expsym_cmds_F77=
+  always_export_symbols_F77=no
+  export_symbols_cmds_F77='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols'
+  # include_expsyms should be a list of space-separated symbols to be *always*
+  # included in the symbol list
+  include_expsyms_F77=
+  # exclude_expsyms can be an extended regexp of symbols to exclude
+  # it will be wrapped by ` (' and `)$', so one must not match beginning or
+  # end of line.  Example: `a|bc|.*d.*' will exclude the symbols `a' and `bc',
+  # as well as any symbol that contains `d'.
+  exclude_expsyms_F77='_GLOBAL_OFFSET_TABLE_|_GLOBAL__F[ID]_.*'
+  # Although _GLOBAL_OFFSET_TABLE_ is a valid symbol C name, most a.out
+  # platforms (ab)use it in PIC code, but their linkers get confused if
+  # the symbol is explicitly referenced.  Since portable code cannot
+  # rely on this symbol name, it's probably fine to never include it in
+  # preloaded symbol tables.
+  # Exclude shared library initialization/finalization symbols.
+  extract_expsyms_cmds=
+  # Just being paranoid about ensuring that cc_basename is set.
+  for cc_temp in $compiler""; do
+  case $cc_temp in
+    compile | *[\\/]compile | ccache | *[\\/]ccache ) ;;
+    distcc | *[\\/]distcc | purify | *[\\/]purify ) ;;
+    \-*) ;;
+    *) break;;
+  esac
+done
+cc_basename=`$echo "X$cc_temp" | $Xsed -e 's%.*/%%' -e "s%^$host_alias-%%"`
+
+  case $host_os in
+  cygwin* | mingw* | pw32*)
+    # FIXME: the MSVC++ port hasn't been tested in a loooong time
+    # When not using gcc, we currently assume that we are using
+    # Microsoft Visual C++.
+    if test "$GCC" != yes; then
+      with_gnu_ld=no
+    fi
+    ;;
+  interix*)
+    # we just hope/assume this is gcc and not c89 (= MSVC++)
+    with_gnu_ld=yes
+    ;;
+  openbsd*)
+    with_gnu_ld=no
+    ;;
+  esac
+
+  ld_shlibs_F77=yes
+  if test "$with_gnu_ld" = yes; then
+    # If archive_cmds runs LD, not CC, wlarc should be empty
+    wlarc='${wl}'
+
+    # Set some defaults for GNU ld with shared library support. These
+    # are reset later if shared libraries are not supported. Putting them
+    # here allows them to be overridden if necessary.
+    runpath_var=LD_RUN_PATH
+    hardcode_libdir_flag_spec_F77='${wl}--rpath ${wl}$libdir'
+    export_dynamic_flag_spec_F77='${wl}--export-dynamic'
+    # ancient GNU ld didn't support --whole-archive et. al.
+    if $LD --help 2>&1 | grep 'no-whole-archive' > /dev/null; then
+	whole_archive_flag_spec_F77="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive'
+      else
+  	whole_archive_flag_spec_F77=
+    fi
+    supports_anon_versioning=no
+    case `$LD -v 2>/dev/null` in
+      *\ [01].* | *\ 2.[0-9].* | *\ 2.10.*) ;; # catch versions < 2.11
+      *\ 2.11.93.0.2\ *) supports_anon_versioning=yes ;; # RH7.3 ...
+      *\ 2.11.92.0.12\ *) supports_anon_versioning=yes ;; # Mandrake 8.2 ...
+      *\ 2.11.*) ;; # other 2.11 versions
+      *) supports_anon_versioning=yes ;;
+    esac
+
+    # See if GNU ld supports shared libraries.
+    case $host_os in
+    aix[3-9]*)
+      # On AIX/PPC, the GNU linker is very broken
+      if test "$host_cpu" != ia64; then
+	ld_shlibs_F77=no
+	cat <<EOF 1>&2
+
+*** Warning: the GNU linker, at least up to release 2.9.1, is reported
+*** to be unable to reliably create shared libraries on AIX.
+*** Therefore, libtool is disabling shared libraries support.  If you
+*** really care for shared libraries, you may want to modify your PATH
+*** so that a non-GNU linker is found, and then restart.
+
+EOF
+      fi
+      ;;
+
+    amigaos*)
+      archive_cmds_F77='$rm $output_objdir/a2ixlibrary.data~$echo "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$echo "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$echo "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$echo "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)'
+      hardcode_libdir_flag_spec_F77='-L$libdir'
+      hardcode_minus_L_F77=yes
+
+      # Samuel A. Falvo II <kc5tja@dolphin.openprojects.net> reports
+      # that the semantics of dynamic libraries on AmigaOS, at least up
+      # to version 4, is to share data among multiple programs linked
+      # with the same dynamic library.  Since this doesn't match the
+      # behavior of shared libraries on other platforms, we can't use
+      # them.
+      ld_shlibs_F77=no
+      ;;
+
+    beos*)
+      if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
+	allow_undefined_flag_F77=unsupported
+	# Joseph Beckenbach <jrb3@best.com> says some releases of gcc
+	# support --undefined.  This deserves some investigation.  FIXME
+	archive_cmds_F77='$CC -nostart $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+      else
+	ld_shlibs_F77=no
+      fi
+      ;;
+
+    cygwin* | mingw* | pw32*)
+      # _LT_AC_TAGVAR(hardcode_libdir_flag_spec, F77) is actually meaningless,
+      # as there is no search path for DLLs.
+      hardcode_libdir_flag_spec_F77='-L$libdir'
+      allow_undefined_flag_F77=unsupported
+      always_export_symbols_F77=no
+      enable_shared_with_static_runtimes_F77=yes
+      export_symbols_cmds_F77='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[BCDGRS][ ]/s/.*[ ]\([^ ]*\)/\1 DATA/'\'' -e '\''/^[AITW][ ]/s/.*[ ]//'\'' | sort | uniq > $export_symbols'
+
+      if $LD --help 2>&1 | grep 'auto-import' > /dev/null; then
+        archive_cmds_F77='$CC -shared $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
+	# If the export-symbols file already is a .def file (1st line
+	# is EXPORTS), use it as is; otherwise, prepend...
+	archive_expsym_cmds_F77='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then
+	  cp $export_symbols $output_objdir/$soname.def;
+	else
+	  echo EXPORTS > $output_objdir/$soname.def;
+	  cat $export_symbols >> $output_objdir/$soname.def;
+	fi~
+	$CC -shared $output_objdir/$soname.def $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
+      else
+	ld_shlibs_F77=no
+      fi
+      ;;
+
+    interix[3-9]*)
+      hardcode_direct_F77=no
+      hardcode_shlibpath_var_F77=no
+      hardcode_libdir_flag_spec_F77='${wl}-rpath,$libdir'
+      export_dynamic_flag_spec_F77='${wl}-E'
+      # Hack: On Interix 3.x, we cannot compile PIC because of a broken gcc.
+      # Instead, shared libraries are loaded at an image base (0x10000000 by
+      # default) and relocated if they conflict, which is a slow very memory
+      # consuming and fragmenting process.  To avoid this, we pick a random,
+      # 256 KiB-aligned image base between 0x50000000 and 0x6FFC0000 at link
+      # time.  Moving up from 0x10000000 also allows more sbrk(2) space.
+      archive_cmds_F77='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
+      archive_expsym_cmds_F77='sed "s,^,_," $export_symbols >$output_objdir/$soname.expsym~$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--retain-symbols-file,$output_objdir/$soname.expsym ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
+      ;;
+
+    gnu* | linux* | k*bsd*-gnu)
+      if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
+	tmp_addflag=
+	case $cc_basename,$host_cpu in
+	pgcc*)				# Portland Group C compiler
+	  whole_archive_flag_spec_F77='${wl}--whole-archive`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}--no-whole-archive'
+	  tmp_addflag=' $pic_flag'
+	  ;;
+	pgf77* | pgf90* | pgf95*)	# Portland Group f77 and f90 compilers
+	  whole_archive_flag_spec_F77='${wl}--whole-archive`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}--no-whole-archive'
+	  tmp_addflag=' $pic_flag -Mnomain' ;;
+	ecc*,ia64* | icc*,ia64*)		# Intel C compiler on ia64
+	  tmp_addflag=' -i_dynamic' ;;
+	efc*,ia64* | ifort*,ia64*)	# Intel Fortran compiler on ia64
+	  tmp_addflag=' -i_dynamic -nofor_main' ;;
+	ifc* | ifort*)			# Intel Fortran compiler
+	  tmp_addflag=' -nofor_main' ;;
+	esac
+	case `$CC -V 2>&1 | sed 5q` in
+	*Sun\ C*)			# Sun C 5.9
+	  whole_archive_flag_spec_F77='${wl}--whole-archive`new_convenience=; for conv in $convenience\"\"; do test -z \"$conv\" || new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}--no-whole-archive'
+	  tmp_sharedflag='-G' ;;
+	*Sun\ F*)			# Sun Fortran 8.3
+	  tmp_sharedflag='-G' ;;
+	*)
+	  tmp_sharedflag='-shared' ;;
+	esac
+	archive_cmds_F77='$CC '"$tmp_sharedflag""$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+
+	if test $supports_anon_versioning = yes; then
+	  archive_expsym_cmds_F77='$echo "{ global:" > $output_objdir/$libname.ver~
+  cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~
+  $echo "local: *; };" >> $output_objdir/$libname.ver~
+	  $CC '"$tmp_sharedflag""$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-version-script ${wl}$output_objdir/$libname.ver -o $lib'
+	fi
+	link_all_deplibs_F77=no
+      else
+	ld_shlibs_F77=no
+      fi
+      ;;
+
+    netbsd* | netbsdelf*-gnu)
+      if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
+	archive_cmds_F77='$LD -Bshareable $libobjs $deplibs $linker_flags -o $lib'
+	wlarc=
+      else
+	archive_cmds_F77='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+	archive_expsym_cmds_F77='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+      fi
+      ;;
+
+    solaris*)
+      if $LD -v 2>&1 | grep 'BFD 2\.8' > /dev/null; then
+	ld_shlibs_F77=no
+	cat <<EOF 1>&2
+
+*** Warning: The releases 2.8.* of the GNU linker cannot reliably
+*** create shared libraries on Solaris systems.  Therefore, libtool
+*** is disabling shared libraries support.  We urge you to upgrade GNU
+*** binutils to release 2.9.1 or newer.  Another option is to modify
+*** your PATH or compiler configuration so that the native linker is
+*** used, and then restart.
+
+EOF
+      elif $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
+	archive_cmds_F77='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+	archive_expsym_cmds_F77='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+      else
+	ld_shlibs_F77=no
+      fi
+      ;;
+
+    sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX*)
+      case `$LD -v 2>&1` in
+        *\ [01].* | *\ 2.[0-9].* | *\ 2.1[0-5].*)
+	ld_shlibs_F77=no
+	cat <<_LT_EOF 1>&2
+
+*** Warning: Releases of the GNU linker prior to 2.16.91.0.3 can not
+*** reliably create shared libraries on SCO systems.  Therefore, libtool
+*** is disabling shared libraries support.  We urge you to upgrade GNU
+*** binutils to release 2.16.91.0.3 or newer.  Another option is to modify
+*** your PATH or compiler configuration so that the native linker is
+*** used, and then restart.
+
+_LT_EOF
+	;;
+	*)
+	  if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
+	    hardcode_libdir_flag_spec_F77='`test -z "$SCOABSPATH" && echo ${wl}-rpath,$libdir`'
+	    archive_cmds_F77='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib'
+	    archive_expsym_cmds_F77='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname,\${SCOABSPATH:+${install_libdir}/}$soname,-retain-symbols-file,$export_symbols -o $lib'
+	  else
+	    ld_shlibs_F77=no
+	  fi
+	;;
+      esac
+      ;;
+
+    sunos4*)
+      archive_cmds_F77='$LD -assert pure-text -Bshareable -o $lib $libobjs $deplibs $linker_flags'
+      wlarc=
+      hardcode_direct_F77=yes
+      hardcode_shlibpath_var_F77=no
+      ;;
+
+    *)
+      if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
+	archive_cmds_F77='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+	archive_expsym_cmds_F77='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+      else
+	ld_shlibs_F77=no
+      fi
+      ;;
+    esac
+
+    if test "$ld_shlibs_F77" = no; then
+      runpath_var=
+      hardcode_libdir_flag_spec_F77=
+      export_dynamic_flag_spec_F77=
+      whole_archive_flag_spec_F77=
+    fi
+  else
+    # PORTME fill in a description of your system's linker (not GNU ld)
+    case $host_os in
+    aix3*)
+      allow_undefined_flag_F77=unsupported
+      always_export_symbols_F77=yes
+      archive_expsym_cmds_F77='$LD -o $output_objdir/$soname $libobjs $deplibs $linker_flags -bE:$export_symbols -T512 -H512 -bM:SRE~$AR $AR_FLAGS $lib $output_objdir/$soname'
+      # Note: this linker hardcodes the directories in LIBPATH if there
+      # are no directories specified by -L.
+      hardcode_minus_L_F77=yes
+      if test "$GCC" = yes && test -z "$lt_prog_compiler_static"; then
+	# Neither direct hardcoding nor static linking is supported with a
+	# broken collect2.
+	hardcode_direct_F77=unsupported
+      fi
+      ;;
+
+    aix[4-9]*)
+      if test "$host_cpu" = ia64; then
+	# On IA64, the linker does run time linking by default, so we don't
+	# have to do anything special.
+	aix_use_runtimelinking=no
+	exp_sym_flag='-Bexport'
+	no_entry_flag=""
+      else
+	# If we're using GNU nm, then we don't want the "-C" option.
+	# -C means demangle to AIX nm, but means don't demangle with GNU nm
+	if $NM -V 2>&1 | grep 'GNU' > /dev/null; then
+	  export_symbols_cmds_F77='$NM -Bpg $libobjs $convenience | awk '\''{ if (((\$2 == "T") || (\$2 == "D") || (\$2 == "B")) && (substr(\$3,1,1) != ".")) { print \$3 } }'\'' | sort -u > $export_symbols'
+	else
+	  export_symbols_cmds_F77='$NM -BCpg $libobjs $convenience | awk '\''{ if (((\$2 == "T") || (\$2 == "D") || (\$2 == "B")) && (substr(\$3,1,1) != ".")) { print \$3 } }'\'' | sort -u > $export_symbols'
+	fi
+	aix_use_runtimelinking=no
+
+	# Test if we are trying to use run time linking or normal
+	# AIX style linking. If -brtl is somewhere in LDFLAGS, we
+	# need to do runtime linking.
+	case $host_os in aix4.[23]|aix4.[23].*|aix[5-9]*)
+	  for ld_flag in $LDFLAGS; do
+  	  if (test $ld_flag = "-brtl" || test $ld_flag = "-Wl,-brtl"); then
+  	    aix_use_runtimelinking=yes
+  	    break
+  	  fi
+	  done
+	  ;;
+	esac
+
+	exp_sym_flag='-bexport'
+	no_entry_flag='-bnoentry'
+      fi
+
+      # When large executables or shared objects are built, AIX ld can
+      # have problems creating the table of contents.  If linking a library
+      # or program results in "error TOC overflow" add -mminimal-toc to
+      # CXXFLAGS/CFLAGS for g++/gcc.  In the cases where that is not
+      # enough to fix the problem, add -Wl,-bbigtoc to LDFLAGS.
+
+      archive_cmds_F77=''
+      hardcode_direct_F77=yes
+      hardcode_libdir_separator_F77=':'
+      link_all_deplibs_F77=yes
+
+      if test "$GCC" = yes; then
+	case $host_os in aix4.[012]|aix4.[012].*)
+	# We only want to do this on AIX 4.2 and lower, the check
+	# below for broken collect2 doesn't work under 4.3+
+	  collect2name=`${CC} -print-prog-name=collect2`
+	  if test -f "$collect2name" && \
+  	   strings "$collect2name" | grep resolve_lib_name >/dev/null
+	  then
+  	  # We have reworked collect2
+  	  :
+	  else
+  	  # We have old collect2
+  	  hardcode_direct_F77=unsupported
+  	  # It fails to find uninstalled libraries when the uninstalled
+  	  # path is not listed in the libpath.  Setting hardcode_minus_L
+  	  # to unsupported forces relinking
+  	  hardcode_minus_L_F77=yes
+  	  hardcode_libdir_flag_spec_F77='-L$libdir'
+  	  hardcode_libdir_separator_F77=
+	  fi
+	  ;;
+	esac
+	shared_flag='-shared'
+	if test "$aix_use_runtimelinking" = yes; then
+	  shared_flag="$shared_flag "'${wl}-G'
+	fi
+      else
+	# not using gcc
+	if test "$host_cpu" = ia64; then
+  	# VisualAge C++, Version 5.5 for AIX 5L for IA-64, Beta 3 Release
+  	# chokes on -Wl,-G. The following line is correct:
+	  shared_flag='-G'
+	else
+	  if test "$aix_use_runtimelinking" = yes; then
+	    shared_flag='${wl}-G'
+	  else
+	    shared_flag='${wl}-bM:SRE'
+	  fi
+	fi
+      fi
+
+      # It seems that -bexpall does not export symbols beginning with
+      # underscore (_), so it is better to generate a list of symbols to export.
+      always_export_symbols_F77=yes
+      if test "$aix_use_runtimelinking" = yes; then
+	# Warning - without using the other runtime loading flags (-brtl),
+	# -berok will link without error, but may produce a broken library.
+	allow_undefined_flag_F77='-berok'
+       # Determine the default libpath from the value encoded in an empty executable.
+       cat >conftest.$ac_ext <<_ACEOF
+      program main
+
+      end
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_f77_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+
+lt_aix_libpath_sed='
+    /Import File Strings/,/^$/ {
+	/^0/ {
+	    s/^0  *\(.*\)$/\1/
+	    p
+	}
+    }'
+aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
+# Check for a 64-bit object if we didn't find anything.
+if test -z "$aix_libpath"; then
+  aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
+fi
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
+
+       hardcode_libdir_flag_spec_F77='${wl}-blibpath:$libdir:'"$aix_libpath"
+	archive_expsym_cmds_F77="\$CC"' -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then echo "${wl}${allow_undefined_flag}"; else :; fi` '"\${wl}$exp_sym_flag:\$export_symbols $shared_flag"
+       else
+	if test "$host_cpu" = ia64; then
+	  hardcode_libdir_flag_spec_F77='${wl}-R $libdir:/usr/lib:/lib'
+	  allow_undefined_flag_F77="-z nodefs"
+	  archive_expsym_cmds_F77="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags ${wl}${allow_undefined_flag} '"\${wl}$exp_sym_flag:\$export_symbols"
+	else
+	 # Determine the default libpath from the value encoded in an empty executable.
+	 cat >conftest.$ac_ext <<_ACEOF
+      program main
+
+      end
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_f77_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+
+lt_aix_libpath_sed='
+    /Import File Strings/,/^$/ {
+	/^0/ {
+	    s/^0  *\(.*\)$/\1/
+	    p
+	}
+    }'
+aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
+# Check for a 64-bit object if we didn't find anything.
+if test -z "$aix_libpath"; then
+  aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
+fi
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
+
+	 hardcode_libdir_flag_spec_F77='${wl}-blibpath:$libdir:'"$aix_libpath"
+	  # Warning - without using the other run time loading flags,
+	  # -berok will link without error, but may produce a broken library.
+	  no_undefined_flag_F77=' ${wl}-bernotok'
+	  allow_undefined_flag_F77=' ${wl}-berok'
+	  # Exported symbols can be pulled into shared objects from archives
+	  whole_archive_flag_spec_F77='$convenience'
+	  archive_cmds_need_lc_F77=yes
+	  # This is similar to how AIX traditionally builds its shared libraries.
+	  archive_expsym_cmds_F77="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs ${wl}-bnoentry $compiler_flags ${wl}-bE:$export_symbols${allow_undefined_flag}~$AR $AR_FLAGS $output_objdir/$libname$release.a $output_objdir/$soname'
+	fi
+      fi
+      ;;
+
+    amigaos*)
+      archive_cmds_F77='$rm $output_objdir/a2ixlibrary.data~$echo "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$echo "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$echo "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$echo "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)'
+      hardcode_libdir_flag_spec_F77='-L$libdir'
+      hardcode_minus_L_F77=yes
+      # see comment about different semantics on the GNU ld section
+      ld_shlibs_F77=no
+      ;;
+
+    bsdi[45]*)
+      export_dynamic_flag_spec_F77=-rdynamic
+      ;;
+
+    cygwin* | mingw* | pw32*)
+      # When not using gcc, we currently assume that we are using
+      # Microsoft Visual C++.
+      # hardcode_libdir_flag_spec is actually meaningless, as there is
+      # no search path for DLLs.
+      hardcode_libdir_flag_spec_F77=' '
+      allow_undefined_flag_F77=unsupported
+      # Tell ltmain to make .lib files, not .a files.
+      libext=lib
+      # Tell ltmain to make .dll files, not .so files.
+      shrext_cmds=".dll"
+      # FIXME: Setting linknames here is a bad hack.
+      archive_cmds_F77='$CC -o $lib $libobjs $compiler_flags `echo "$deplibs" | $SED -e '\''s/ -lc$//'\''` -link -dll~linknames='
+      # The linker will automatically build a .lib file if we build a DLL.
+      old_archive_From_new_cmds_F77='true'
+      # FIXME: Should let the user specify the lib program.
+      old_archive_cmds_F77='lib -OUT:$oldlib$oldobjs$old_deplibs'
+      fix_srcfile_path_F77='`cygpath -w "$srcfile"`'
+      enable_shared_with_static_runtimes_F77=yes
+      ;;
+
+    darwin* | rhapsody*)
+      case $host_os in
+        rhapsody* | darwin1.[012])
+         allow_undefined_flag_F77='${wl}-undefined ${wl}suppress'
+         ;;
+       *) # Darwin 1.3 on
+         if test -z ${MACOSX_DEPLOYMENT_TARGET} ; then
+           allow_undefined_flag_F77='${wl}-flat_namespace ${wl}-undefined ${wl}suppress'
+         else
+           case ${MACOSX_DEPLOYMENT_TARGET} in
+             10.[012])
+               allow_undefined_flag_F77='${wl}-flat_namespace ${wl}-undefined ${wl}suppress'
+               ;;
+             10.*)
+               allow_undefined_flag_F77='${wl}-undefined ${wl}dynamic_lookup'
+               ;;
+           esac
+         fi
+         ;;
+      esac
+      archive_cmds_need_lc_F77=no
+      hardcode_direct_F77=no
+      hardcode_automatic_F77=yes
+      hardcode_shlibpath_var_F77=unsupported
+      whole_archive_flag_spec_F77=''
+      link_all_deplibs_F77=yes
+    if test "$GCC" = yes ; then
+    	output_verbose_link_cmd='echo'
+        archive_cmds_F77="\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$libobjs \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring $_lt_dar_single_mod${_lt_dsymutil}"
+        module_cmds_F77="\$CC \$allow_undefined_flag -o \$lib -bundle \$libobjs \$deplibs \$compiler_flags${_lt_dsymutil}"
+        archive_expsym_cmds_F77="sed 's,^,_,' < \$export_symbols > \$output_objdir/\${libname}-symbols.expsym~\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$libobjs \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring ${_lt_dar_single_mod}${_lt_dar_export_syms}${_lt_dsymutil}"
+        module_expsym_cmds_F77="sed -e 's,^,_,' < \$export_symbols > \$output_objdir/\${libname}-symbols.expsym~\$CC \$allow_undefined_flag -o \$lib -bundle \$libobjs \$deplibs \$compiler_flags${_lt_dar_export_syms}${_lt_dsymutil}"
+    else
+      case $cc_basename in
+        xlc*)
+         output_verbose_link_cmd='echo'
+         archive_cmds_F77='$CC -qmkshrobj $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}`echo $rpath/$soname` $xlcverstring'
+         module_cmds_F77='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
+          # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin lds
+         archive_expsym_cmds_F77='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -qmkshrobj $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}$rpath/$soname $xlcverstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+          module_expsym_cmds_F77='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag  -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+          ;;
+       *)
+         ld_shlibs_F77=no
+          ;;
+      esac
+    fi
+      ;;
+
+    dgux*)
+      archive_cmds_F77='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+      hardcode_libdir_flag_spec_F77='-L$libdir'
+      hardcode_shlibpath_var_F77=no
+      ;;
+
+    freebsd1*)
+      ld_shlibs_F77=no
+      ;;
+
+    # FreeBSD 2.2.[012] allows us to include c++rt0.o to get C++ constructor
+    # support.  Future versions do this automatically, but an explicit c++rt0.o
+    # does not break anything, and helps significantly (at the cost of a little
+    # extra space).
+    freebsd2.2*)
+      archive_cmds_F77='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags /usr/lib/c++rt0.o'
+      hardcode_libdir_flag_spec_F77='-R$libdir'
+      hardcode_direct_F77=yes
+      hardcode_shlibpath_var_F77=no
+      ;;
+
+    # Unfortunately, older versions of FreeBSD 2 do not have this feature.
+    freebsd2*)
+      archive_cmds_F77='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'
+      hardcode_direct_F77=yes
+      hardcode_minus_L_F77=yes
+      hardcode_shlibpath_var_F77=no
+      ;;
+
+    # FreeBSD 3 and greater uses gcc -shared to do shared libraries.
+    freebsd* | dragonfly*)
+      archive_cmds_F77='$CC -shared -o $lib $libobjs $deplibs $compiler_flags'
+      hardcode_libdir_flag_spec_F77='-R$libdir'
+      hardcode_direct_F77=yes
+      hardcode_shlibpath_var_F77=no
+      ;;
+
+    hpux9*)
+      if test "$GCC" = yes; then
+	archive_cmds_F77='$rm $output_objdir/$soname~$CC -shared -fPIC ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $libobjs $deplibs $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
+      else
+	archive_cmds_F77='$rm $output_objdir/$soname~$LD -b +b $install_libdir -o $output_objdir/$soname $libobjs $deplibs $linker_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
+      fi
+      hardcode_libdir_flag_spec_F77='${wl}+b ${wl}$libdir'
+      hardcode_libdir_separator_F77=:
+      hardcode_direct_F77=yes
+
+      # hardcode_minus_L: Not really in the search PATH,
+      # but as the default location of the library.
+      hardcode_minus_L_F77=yes
+      export_dynamic_flag_spec_F77='${wl}-E'
+      ;;
+
+    hpux10*)
+      if test "$GCC" = yes -a "$with_gnu_ld" = no; then
+	archive_cmds_F77='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
+      else
+	archive_cmds_F77='$LD -b +h $soname +b $install_libdir -o $lib $libobjs $deplibs $linker_flags'
+      fi
+      if test "$with_gnu_ld" = no; then
+	hardcode_libdir_flag_spec_F77='${wl}+b ${wl}$libdir'
+	hardcode_libdir_separator_F77=:
+
+	hardcode_direct_F77=yes
+	export_dynamic_flag_spec_F77='${wl}-E'
+
+	# hardcode_minus_L: Not really in the search PATH,
+	# but as the default location of the library.
+	hardcode_minus_L_F77=yes
+      fi
+      ;;
+
+    hpux11*)
+      if test "$GCC" = yes -a "$with_gnu_ld" = no; then
+	case $host_cpu in
+	hppa*64*)
+	  archive_cmds_F77='$CC -shared ${wl}+h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
+	  ;;
+	ia64*)
+	  archive_cmds_F77='$CC -shared ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags'
+	  ;;
+	*)
+	  archive_cmds_F77='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
+	  ;;
+	esac
+      else
+	case $host_cpu in
+	hppa*64*)
+	  archive_cmds_F77='$CC -b ${wl}+h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
+	  ;;
+	ia64*)
+	  archive_cmds_F77='$CC -b ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags'
+	  ;;
+	*)
+	  archive_cmds_F77='$CC -b ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
+	  ;;
+	esac
+      fi
+      if test "$with_gnu_ld" = no; then
+	hardcode_libdir_flag_spec_F77='${wl}+b ${wl}$libdir'
+	hardcode_libdir_separator_F77=:
+
+	case $host_cpu in
+	hppa*64*|ia64*)
+	  hardcode_libdir_flag_spec_ld_F77='+b $libdir'
+	  hardcode_direct_F77=no
+	  hardcode_shlibpath_var_F77=no
+	  ;;
+	*)
+	  hardcode_direct_F77=yes
+	  export_dynamic_flag_spec_F77='${wl}-E'
+
+	  # hardcode_minus_L: Not really in the search PATH,
+	  # but as the default location of the library.
+	  hardcode_minus_L_F77=yes
+	  ;;
+	esac
+      fi
+      ;;
+
+    irix5* | irix6* | nonstopux*)
+      if test "$GCC" = yes; then
+	archive_cmds_F77='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+      else
+	archive_cmds_F77='$LD -shared $libobjs $deplibs $linker_flags -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
+	hardcode_libdir_flag_spec_ld_F77='-rpath $libdir'
+      fi
+      hardcode_libdir_flag_spec_F77='${wl}-rpath ${wl}$libdir'
+      hardcode_libdir_separator_F77=:
+      link_all_deplibs_F77=yes
+      ;;
+
+    netbsd* | netbsdelf*-gnu)
+      if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
+	archive_cmds_F77='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'  # a.out
+      else
+	archive_cmds_F77='$LD -shared -o $lib $libobjs $deplibs $linker_flags'      # ELF
+      fi
+      hardcode_libdir_flag_spec_F77='-R$libdir'
+      hardcode_direct_F77=yes
+      hardcode_shlibpath_var_F77=no
+      ;;
+
+    newsos6)
+      archive_cmds_F77='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+      hardcode_direct_F77=yes
+      hardcode_libdir_flag_spec_F77='${wl}-rpath ${wl}$libdir'
+      hardcode_libdir_separator_F77=:
+      hardcode_shlibpath_var_F77=no
+      ;;
+
+    openbsd*)
+      if test -f /usr/libexec/ld.so; then
+	hardcode_direct_F77=yes
+	hardcode_shlibpath_var_F77=no
+	if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
+	  archive_cmds_F77='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
+	  archive_expsym_cmds_F77='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-retain-symbols-file,$export_symbols'
+	  hardcode_libdir_flag_spec_F77='${wl}-rpath,$libdir'
+	  export_dynamic_flag_spec_F77='${wl}-E'
+	else
+	  case $host_os in
+	   openbsd[01].* | openbsd2.[0-7] | openbsd2.[0-7].*)
+	     archive_cmds_F77='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'
+	     hardcode_libdir_flag_spec_F77='-R$libdir'
+	     ;;
+	   *)
+	     archive_cmds_F77='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
+	     hardcode_libdir_flag_spec_F77='${wl}-rpath,$libdir'
+	     ;;
+	  esac
+        fi
+      else
+	ld_shlibs_F77=no
+      fi
+      ;;
+
+    os2*)
+      hardcode_libdir_flag_spec_F77='-L$libdir'
+      hardcode_minus_L_F77=yes
+      allow_undefined_flag_F77=unsupported
+      archive_cmds_F77='$echo "LIBRARY $libname INITINSTANCE" > $output_objdir/$libname.def~$echo "DESCRIPTION \"$libname\"" >> $output_objdir/$libname.def~$echo DATA >> $output_objdir/$libname.def~$echo " SINGLE NONSHARED" >> $output_objdir/$libname.def~$echo EXPORTS >> $output_objdir/$libname.def~emxexp $libobjs >> $output_objdir/$libname.def~$CC -Zdll -Zcrtdll -o $lib $libobjs $deplibs $compiler_flags $output_objdir/$libname.def'
+      old_archive_From_new_cmds_F77='emximp -o $output_objdir/$libname.a $output_objdir/$libname.def'
+      ;;
+
+    osf3*)
+      if test "$GCC" = yes; then
+	allow_undefined_flag_F77=' ${wl}-expect_unresolved ${wl}\*'
+	archive_cmds_F77='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+      else
+	allow_undefined_flag_F77=' -expect_unresolved \*'
+	archive_cmds_F77='$LD -shared${allow_undefined_flag} $libobjs $deplibs $linker_flags -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
+      fi
+      hardcode_libdir_flag_spec_F77='${wl}-rpath ${wl}$libdir'
+      hardcode_libdir_separator_F77=:
+      ;;
+
+    osf4* | osf5*)	# as osf3* with the addition of -msym flag
+      if test "$GCC" = yes; then
+	allow_undefined_flag_F77=' ${wl}-expect_unresolved ${wl}\*'
+	archive_cmds_F77='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-msym ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+	hardcode_libdir_flag_spec_F77='${wl}-rpath ${wl}$libdir'
+      else
+	allow_undefined_flag_F77=' -expect_unresolved \*'
+	archive_cmds_F77='$LD -shared${allow_undefined_flag} $libobjs $deplibs $linker_flags -msym -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
+	archive_expsym_cmds_F77='for i in `cat $export_symbols`; do printf "%s %s\\n" -exported_symbol "\$i" >> $lib.exp; done; echo "-hidden">> $lib.exp~
+	$LD -shared${allow_undefined_flag} -input $lib.exp $linker_flags $libobjs $deplibs -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib~$rm $lib.exp'
+
+	# Both c and cxx compiler support -rpath directly
+	hardcode_libdir_flag_spec_F77='-rpath $libdir'
+      fi
+      hardcode_libdir_separator_F77=:
+      ;;
+
+    solaris*)
+      no_undefined_flag_F77=' -z text'
+      if test "$GCC" = yes; then
+	wlarc='${wl}'
+	archive_cmds_F77='$CC -shared ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
+	archive_expsym_cmds_F77='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
+	  $CC -shared ${wl}-M ${wl}$lib.exp ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags~$rm $lib.exp'
+      else
+	wlarc=''
+	archive_cmds_F77='$LD -G${allow_undefined_flag} -h $soname -o $lib $libobjs $deplibs $linker_flags'
+	archive_expsym_cmds_F77='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
+  	$LD -G${allow_undefined_flag} -M $lib.exp -h $soname -o $lib $libobjs $deplibs $linker_flags~$rm $lib.exp'
+      fi
+      hardcode_libdir_flag_spec_F77='-R$libdir'
+      hardcode_shlibpath_var_F77=no
+      case $host_os in
+      solaris2.[0-5] | solaris2.[0-5].*) ;;
+      *)
+	# The compiler driver will combine and reorder linker options,
+	# but understands `-z linker_flag'.  GCC discards it without `$wl',
+	# but is careful enough not to reorder.
+ 	# Supported since Solaris 2.6 (maybe 2.5.1?)
+	if test "$GCC" = yes; then
+	  whole_archive_flag_spec_F77='${wl}-z ${wl}allextract$convenience ${wl}-z ${wl}defaultextract'
+	else
+	  whole_archive_flag_spec_F77='-z allextract$convenience -z defaultextract'
+	fi
+	;;
+      esac
+      link_all_deplibs_F77=yes
+      ;;
+
+    sunos4*)
+      if test "x$host_vendor" = xsequent; then
+	# Use $CC to link under sequent, because it throws in some extra .o
+	# files that make .init and .fini sections work.
+	archive_cmds_F77='$CC -G ${wl}-h $soname -o $lib $libobjs $deplibs $compiler_flags'
+      else
+	archive_cmds_F77='$LD -assert pure-text -Bstatic -o $lib $libobjs $deplibs $linker_flags'
+      fi
+      hardcode_libdir_flag_spec_F77='-L$libdir'
+      hardcode_direct_F77=yes
+      hardcode_minus_L_F77=yes
+      hardcode_shlibpath_var_F77=no
+      ;;
+
+    sysv4)
+      case $host_vendor in
+	sni)
+	  archive_cmds_F77='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+	  hardcode_direct_F77=yes # is this really true???
+	;;
+	siemens)
+	  ## LD is ld it makes a PLAMLIB
+	  ## CC just makes a GrossModule.
+	  archive_cmds_F77='$LD -G -o $lib $libobjs $deplibs $linker_flags'
+	  reload_cmds_F77='$CC -r -o $output$reload_objs'
+	  hardcode_direct_F77=no
+        ;;
+	motorola)
+	  archive_cmds_F77='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+	  hardcode_direct_F77=no #Motorola manual says yes, but my tests say they lie
+	;;
+      esac
+      runpath_var='LD_RUN_PATH'
+      hardcode_shlibpath_var_F77=no
+      ;;
+
+    sysv4.3*)
+      archive_cmds_F77='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+      hardcode_shlibpath_var_F77=no
+      export_dynamic_flag_spec_F77='-Bexport'
+      ;;
+
+    sysv4*MP*)
+      if test -d /usr/nec; then
+	archive_cmds_F77='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+	hardcode_shlibpath_var_F77=no
+	runpath_var=LD_RUN_PATH
+	hardcode_runpath_var=yes
+	ld_shlibs_F77=yes
+      fi
+      ;;
+
+    sysv4*uw2* | sysv5OpenUNIX* | sysv5UnixWare7.[01].[10]* | unixware7* | sco3.2v5.0.[024]*)
+      no_undefined_flag_F77='${wl}-z,text'
+      archive_cmds_need_lc_F77=no
+      hardcode_shlibpath_var_F77=no
+      runpath_var='LD_RUN_PATH'
+
+      if test "$GCC" = yes; then
+	archive_cmds_F77='$CC -shared ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+	archive_expsym_cmds_F77='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+      else
+	archive_cmds_F77='$CC -G ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+	archive_expsym_cmds_F77='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+      fi
+      ;;
+
+    sysv5* | sco3.2v5* | sco5v6*)
+      # Note: We can NOT use -z defs as we might desire, because we do not
+      # link with -lc, and that would cause any symbols used from libc to
+      # always be unresolved, which means just about no library would
+      # ever link correctly.  If we're not using GNU ld we use -z text
+      # though, which does catch some bad symbols but isn't as heavy-handed
+      # as -z defs.
+      no_undefined_flag_F77='${wl}-z,text'
+      allow_undefined_flag_F77='${wl}-z,nodefs'
+      archive_cmds_need_lc_F77=no
+      hardcode_shlibpath_var_F77=no
+      hardcode_libdir_flag_spec_F77='`test -z "$SCOABSPATH" && echo ${wl}-R,$libdir`'
+      hardcode_libdir_separator_F77=':'
+      link_all_deplibs_F77=yes
+      export_dynamic_flag_spec_F77='${wl}-Bexport'
+      runpath_var='LD_RUN_PATH'
+
+      if test "$GCC" = yes; then
+	archive_cmds_F77='$CC -shared ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
+	archive_expsym_cmds_F77='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
+      else
+	archive_cmds_F77='$CC -G ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
+	archive_expsym_cmds_F77='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
+      fi
+      ;;
+
+    uts4*)
+      archive_cmds_F77='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+      hardcode_libdir_flag_spec_F77='-L$libdir'
+      hardcode_shlibpath_var_F77=no
+      ;;
+
+    *)
+      ld_shlibs_F77=no
+      ;;
+    esac
+  fi
+
+{ echo "$as_me:$LINENO: result: $ld_shlibs_F77" >&5
+echo "${ECHO_T}$ld_shlibs_F77" >&6; }
+test "$ld_shlibs_F77" = no && can_build_shared=no
+
+#
+# Do we need to explicitly link libc?
+#
+case "x$archive_cmds_need_lc_F77" in
+x|xyes)
+  # Assume -lc should be added
+  archive_cmds_need_lc_F77=yes
+
+  if test "$enable_shared" = yes && test "$GCC" = yes; then
+    case $archive_cmds_F77 in
+    *'~'*)
+      # FIXME: we may have to deal with multi-command sequences.
+      ;;
+    '$CC '*)
+      # Test whether the compiler implicitly links with -lc since on some
+      # systems, -lgcc has to come before -lc. If gcc already passes -lc
+      # to ld, don't add -lc before -lgcc.
+      { echo "$as_me:$LINENO: checking whether -lc should be explicitly linked in" >&5
+echo $ECHO_N "checking whether -lc should be explicitly linked in... $ECHO_C" >&6; }
+      $rm conftest*
+      echo "$lt_simple_compile_test_code" > conftest.$ac_ext
+
+      if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } 2>conftest.err; then
+        soname=conftest
+        lib=conftest
+        libobjs=conftest.$ac_objext
+        deplibs=
+        wl=$lt_prog_compiler_wl_F77
+	pic_flag=$lt_prog_compiler_pic_F77
+        compiler_flags=-v
+        linker_flags=-v
+        verstring=
+        output_objdir=.
+        libname=conftest
+        lt_save_allow_undefined_flag=$allow_undefined_flag_F77
+        allow_undefined_flag_F77=
+        if { (eval echo "$as_me:$LINENO: \"$archive_cmds_F77 2\>\&1 \| grep \" -lc \" \>/dev/null 2\>\&1\"") >&5
+  (eval $archive_cmds_F77 2\>\&1 \| grep \" -lc \" \>/dev/null 2\>\&1) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }
+        then
+	  archive_cmds_need_lc_F77=no
+        else
+	  archive_cmds_need_lc_F77=yes
+        fi
+        allow_undefined_flag_F77=$lt_save_allow_undefined_flag
+      else
+        cat conftest.err 1>&5
+      fi
+      $rm conftest*
+      { echo "$as_me:$LINENO: result: $archive_cmds_need_lc_F77" >&5
+echo "${ECHO_T}$archive_cmds_need_lc_F77" >&6; }
+      ;;
+    esac
+  fi
+  ;;
+esac
+
+{ echo "$as_me:$LINENO: checking dynamic linker characteristics" >&5
+echo $ECHO_N "checking dynamic linker characteristics... $ECHO_C" >&6; }
+library_names_spec=
+libname_spec='lib$name'
+soname_spec=
+shrext_cmds=".so"
+postinstall_cmds=
+postuninstall_cmds=
+finish_cmds=
+finish_eval=
+shlibpath_var=
+shlibpath_overrides_runpath=unknown
+version_type=none
+dynamic_linker="$host_os ld.so"
+sys_lib_dlsearch_path_spec="/lib /usr/lib"
+
+need_lib_prefix=unknown
+hardcode_into_libs=no
+
+# when you set need_version to no, make sure it does not cause -set_version
+# flags to be left without arguments
+need_version=unknown
+
+case $host_os in
+aix3*)
+  version_type=linux
+  library_names_spec='${libname}${release}${shared_ext}$versuffix $libname.a'
+  shlibpath_var=LIBPATH
+
+  # AIX 3 has no versioning support, so we append a major version to the name.
+  soname_spec='${libname}${release}${shared_ext}$major'
+  ;;
+
+aix[4-9]*)
+  version_type=linux
+  need_lib_prefix=no
+  need_version=no
+  hardcode_into_libs=yes
+  if test "$host_cpu" = ia64; then
+    # AIX 5 supports IA64
+    library_names_spec='${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext}$versuffix $libname${shared_ext}'
+    shlibpath_var=LD_LIBRARY_PATH
+  else
+    # With GCC up to 2.95.x, collect2 would create an import file
+    # for dependence libraries.  The import file would start with
+    # the line `#! .'.  This would cause the generated library to
+    # depend on `.', always an invalid library.  This was fixed in
+    # development snapshots of GCC prior to 3.0.
+    case $host_os in
+      aix4 | aix4.[01] | aix4.[01].*)
+      if { echo '#if __GNUC__ > 2 || (__GNUC__ == 2 && __GNUC_MINOR__ >= 97)'
+	   echo ' yes '
+	   echo '#endif'; } | ${CC} -E - | grep yes > /dev/null; then
+	:
+      else
+	can_build_shared=no
+      fi
+      ;;
+    esac
+    # AIX (on Power*) has no versioning support, so currently we can not hardcode correct
+    # soname into executable. Probably we can add versioning support to
+    # collect2, so additional links can be useful in future.
+    if test "$aix_use_runtimelinking" = yes; then
+      # If using run time linking (on AIX 4.2 or later) use lib<name>.so
+      # instead of lib<name>.a to let people know that these are not
+      # typical AIX shared libraries.
+      library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+    else
+      # We preserve .a as extension for shared libraries through AIX4.2
+      # and later when we are not doing run time linking.
+      library_names_spec='${libname}${release}.a $libname.a'
+      soname_spec='${libname}${release}${shared_ext}$major'
+    fi
+    shlibpath_var=LIBPATH
+  fi
+  ;;
+
+amigaos*)
+  library_names_spec='$libname.ixlibrary $libname.a'
+  # Create ${libname}_ixlibrary.a entries in /sys/libs.
+  finish_eval='for lib in `ls $libdir/*.ixlibrary 2>/dev/null`; do libname=`$echo "X$lib" | $Xsed -e '\''s%^.*/\([^/]*\)\.ixlibrary$%\1%'\''`; test $rm /sys/libs/${libname}_ixlibrary.a; $show "cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a"; cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a || exit 1; done'
+  ;;
+
+beos*)
+  library_names_spec='${libname}${shared_ext}'
+  dynamic_linker="$host_os ld.so"
+  shlibpath_var=LIBRARY_PATH
+  ;;
+
+bsdi[45]*)
+  version_type=linux
+  need_version=no
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  finish_cmds='PATH="\$PATH:/sbin" ldconfig $libdir'
+  shlibpath_var=LD_LIBRARY_PATH
+  sys_lib_search_path_spec="/shlib /usr/lib /usr/X11/lib /usr/contrib/lib /lib /usr/local/lib"
+  sys_lib_dlsearch_path_spec="/shlib /usr/lib /usr/local/lib"
+  # the default ld.so.conf also contains /usr/contrib/lib and
+  # /usr/X11R6/lib (/usr/X11 is a link to /usr/X11R6), but let us allow
+  # libtool to hard-code these into programs
+  ;;
+
+cygwin* | mingw* | pw32*)
+  version_type=windows
+  shrext_cmds=".dll"
+  need_version=no
+  need_lib_prefix=no
+
+  case $GCC,$host_os in
+  yes,cygwin* | yes,mingw* | yes,pw32*)
+    library_names_spec='$libname.dll.a'
+    # DLL is installed to $(libdir)/../bin by postinstall_cmds
+    postinstall_cmds='base_file=`basename \${file}`~
+      dlpath=`$SHELL 2>&1 -c '\''. $dir/'\''\${base_file}'\''i;echo \$dlname'\''`~
+      dldir=$destdir/`dirname \$dlpath`~
+      test -d \$dldir || mkdir -p \$dldir~
+      $install_prog $dir/$dlname \$dldir/$dlname~
+      chmod a+x \$dldir/$dlname'
+    postuninstall_cmds='dldll=`$SHELL 2>&1 -c '\''. $file; echo \$dlname'\''`~
+      dlpath=$dir/\$dldll~
+       $rm \$dlpath'
+    shlibpath_overrides_runpath=yes
+
+    case $host_os in
+    cygwin*)
+      # Cygwin DLLs use 'cyg' prefix rather than 'lib'
+      soname_spec='`echo ${libname} | sed -e 's/^lib/cyg/'``echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}'
+      sys_lib_search_path_spec="/usr/lib /lib/w32api /lib /usr/local/lib"
+      ;;
+    mingw*)
+      # MinGW DLLs use traditional 'lib' prefix
+      soname_spec='${libname}`echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}'
+      sys_lib_search_path_spec=`$CC -print-search-dirs | grep "^libraries:" | $SED -e "s/^libraries://" -e "s,=/,/,g"`
+      if echo "$sys_lib_search_path_spec" | grep ';[c-zC-Z]:/' >/dev/null; then
+        # It is most probably a Windows format PATH printed by
+        # mingw gcc, but we are running on Cygwin. Gcc prints its search
+        # path with ; separators, and with drive letters. We can handle the
+        # drive letters (cygwin fileutils understands them), so leave them,
+        # especially as we might pass files found there to a mingw objdump,
+        # which wouldn't understand a cygwinified path. Ahh.
+        sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'`
+      else
+        sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED  -e "s/$PATH_SEPARATOR/ /g"`
+      fi
+      ;;
+    pw32*)
+      # pw32 DLLs use 'pw' prefix rather than 'lib'
+      library_names_spec='`echo ${libname} | sed -e 's/^lib/pw/'``echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}'
+      ;;
+    esac
+    ;;
+
+  *)
+    library_names_spec='${libname}`echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext} $libname.lib'
+    ;;
+  esac
+  dynamic_linker='Win32 ld.exe'
+  # FIXME: first we should search . and the directory the executable is in
+  shlibpath_var=PATH
+  ;;
+
+darwin* | rhapsody*)
+  dynamic_linker="$host_os dyld"
+  version_type=darwin
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='${libname}${release}${versuffix}$shared_ext ${libname}${release}${major}$shared_ext ${libname}$shared_ext'
+  soname_spec='${libname}${release}${major}$shared_ext'
+  shlibpath_overrides_runpath=yes
+  shlibpath_var=DYLD_LIBRARY_PATH
+  shrext_cmds='`test .$module = .yes && echo .so || echo .dylib`'
+
+  sys_lib_dlsearch_path_spec='/usr/local/lib /lib /usr/lib'
+  ;;
+
+dgux*)
+  version_type=linux
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname$shared_ext'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  shlibpath_var=LD_LIBRARY_PATH
+  ;;
+
+freebsd1*)
+  dynamic_linker=no
+  ;;
+
+freebsd* | dragonfly*)
+  # DragonFly does not have aout.  When/if they implement a new
+  # versioning mechanism, adjust this.
+  if test -x /usr/bin/objformat; then
+    objformat=`/usr/bin/objformat`
+  else
+    case $host_os in
+    freebsd[123]*) objformat=aout ;;
+    *) objformat=elf ;;
+    esac
+  fi
+  version_type=freebsd-$objformat
+  case $version_type in
+    freebsd-elf*)
+      library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext} $libname${shared_ext}'
+      need_version=no
+      need_lib_prefix=no
+      ;;
+    freebsd-*)
+      library_names_spec='${libname}${release}${shared_ext}$versuffix $libname${shared_ext}$versuffix'
+      need_version=yes
+      ;;
+  esac
+  shlibpath_var=LD_LIBRARY_PATH
+  case $host_os in
+  freebsd2*)
+    shlibpath_overrides_runpath=yes
+    ;;
+  freebsd3.[01]* | freebsdelf3.[01]*)
+    shlibpath_overrides_runpath=yes
+    hardcode_into_libs=yes
+    ;;
+  freebsd3.[2-9]* | freebsdelf3.[2-9]* | \
+  freebsd4.[0-5] | freebsdelf4.[0-5] | freebsd4.1.1 | freebsdelf4.1.1)
+    shlibpath_overrides_runpath=no
+    hardcode_into_libs=yes
+    ;;
+  *) # from 4.6 on, and DragonFly
+    shlibpath_overrides_runpath=yes
+    hardcode_into_libs=yes
+    ;;
+  esac
+  ;;
+
+gnu*)
+  version_type=linux
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}${major} ${libname}${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  shlibpath_var=LD_LIBRARY_PATH
+  hardcode_into_libs=yes
+  ;;
+
+hpux9* | hpux10* | hpux11*)
+  # Give a soname corresponding to the major version so that dld.sl refuses to
+  # link against other versions.
+  version_type=sunos
+  need_lib_prefix=no
+  need_version=no
+  case $host_cpu in
+  ia64*)
+    shrext_cmds='.so'
+    hardcode_into_libs=yes
+    dynamic_linker="$host_os dld.so"
+    shlibpath_var=LD_LIBRARY_PATH
+    shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
+    library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+    soname_spec='${libname}${release}${shared_ext}$major'
+    if test "X$HPUX_IA64_MODE" = X32; then
+      sys_lib_search_path_spec="/usr/lib/hpux32 /usr/local/lib/hpux32 /usr/local/lib"
+    else
+      sys_lib_search_path_spec="/usr/lib/hpux64 /usr/local/lib/hpux64"
+    fi
+    sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
+    ;;
+   hppa*64*)
+     shrext_cmds='.sl'
+     hardcode_into_libs=yes
+     dynamic_linker="$host_os dld.sl"
+     shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH
+     shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
+     library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+     soname_spec='${libname}${release}${shared_ext}$major'
+     sys_lib_search_path_spec="/usr/lib/pa20_64 /usr/ccs/lib/pa20_64"
+     sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
+     ;;
+   *)
+    shrext_cmds='.sl'
+    dynamic_linker="$host_os dld.sl"
+    shlibpath_var=SHLIB_PATH
+    shlibpath_overrides_runpath=no # +s is required to enable SHLIB_PATH
+    library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+    soname_spec='${libname}${release}${shared_ext}$major'
+    ;;
+  esac
+  # HP-UX runs *really* slowly unless shared libraries are mode 555.
+  postinstall_cmds='chmod 555 $lib'
+  ;;
+
+interix[3-9]*)
+  version_type=linux
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  dynamic_linker='Interix 3.x ld.so.1 (PE, like ELF)'
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=no
+  hardcode_into_libs=yes
+  ;;
+
+irix5* | irix6* | nonstopux*)
+  case $host_os in
+    nonstopux*) version_type=nonstopux ;;
+    *)
+	if test "$lt_cv_prog_gnu_ld" = yes; then
+		version_type=linux
+	else
+		version_type=irix
+	fi ;;
+  esac
+  need_lib_prefix=no
+  need_version=no
+  soname_spec='${libname}${release}${shared_ext}$major'
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext} $libname${shared_ext}'
+  case $host_os in
+  irix5* | nonstopux*)
+    libsuff= shlibsuff=
+    ;;
+  *)
+    case $LD in # libtool.m4 will add one of these switches to LD
+    *-32|*"-32 "|*-melf32bsmip|*"-melf32bsmip ")
+      libsuff= shlibsuff= libmagic=32-bit;;
+    *-n32|*"-n32 "|*-melf32bmipn32|*"-melf32bmipn32 ")
+      libsuff=32 shlibsuff=N32 libmagic=N32;;
+    *-64|*"-64 "|*-melf64bmip|*"-melf64bmip ")
+      libsuff=64 shlibsuff=64 libmagic=64-bit;;
+    *) libsuff= shlibsuff= libmagic=never-match;;
+    esac
+    ;;
+  esac
+  shlibpath_var=LD_LIBRARY${shlibsuff}_PATH
+  shlibpath_overrides_runpath=no
+  sys_lib_search_path_spec="/usr/lib${libsuff} /lib${libsuff} /usr/local/lib${libsuff}"
+  sys_lib_dlsearch_path_spec="/usr/lib${libsuff} /lib${libsuff}"
+  hardcode_into_libs=yes
+  ;;
+
+# No shared lib support for Linux oldld, aout, or coff.
+linux*oldld* | linux*aout* | linux*coff*)
+  dynamic_linker=no
+  ;;
+
+# This must be Linux ELF.
+linux* | k*bsd*-gnu)
+  version_type=linux
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  finish_cmds='PATH="\$PATH:/sbin" ldconfig -n $libdir'
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=no
+  # This implies no fast_install, which is unacceptable.
+  # Some rework will be needed to allow for fast_install
+  # before this can be enabled.
+  hardcode_into_libs=yes
+
+  # Append ld.so.conf contents to the search path
+  if test -f /etc/ld.so.conf; then
+    lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ 	]*hwcap[ 	]/d;s/[:,	]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;/^$/d' | tr '\n' ' '`
+    sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
+  fi
+
+  # We used to test for /lib/ld.so.1 and disable shared libraries on
+  # powerpc, because MkLinux only supported shared libraries with the
+  # GNU dynamic linker.  Since this was broken with cross compilers,
+  # most powerpc-linux boxes support dynamic linking these days and
+  # people can always --disable-shared, the test was removed, and we
+  # assume the GNU/Linux dynamic linker is in use.
+  dynamic_linker='GNU/Linux ld.so'
+  ;;
+
+netbsdelf*-gnu)
+  version_type=linux
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=no
+  hardcode_into_libs=yes
+  dynamic_linker='NetBSD ld.elf_so'
+  ;;
+
+netbsd*)
+  version_type=sunos
+  need_lib_prefix=no
+  need_version=no
+  if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
+    library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
+    finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
+    dynamic_linker='NetBSD (a.out) ld.so'
+  else
+    library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
+    soname_spec='${libname}${release}${shared_ext}$major'
+    dynamic_linker='NetBSD ld.elf_so'
+  fi
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=yes
+  hardcode_into_libs=yes
+  ;;
+
+newsos6)
+  version_type=linux
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=yes
+  ;;
+
+nto-qnx*)
+  version_type=linux
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=yes
+  ;;
+
+openbsd*)
+  version_type=sunos
+  sys_lib_dlsearch_path_spec="/usr/lib"
+  need_lib_prefix=no
+  # Some older versions of OpenBSD (3.3 at least) *do* need versioned libs.
+  case $host_os in
+    openbsd3.3 | openbsd3.3.*) need_version=yes ;;
+    *)                         need_version=no  ;;
+  esac
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
+  finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
+  shlibpath_var=LD_LIBRARY_PATH
+  if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
+    case $host_os in
+      openbsd2.[89] | openbsd2.[89].*)
+	shlibpath_overrides_runpath=no
+	;;
+      *)
+	shlibpath_overrides_runpath=yes
+	;;
+      esac
+  else
+    shlibpath_overrides_runpath=yes
+  fi
+  ;;
+
+os2*)
+  libname_spec='$name'
+  shrext_cmds=".dll"
+  need_lib_prefix=no
+  library_names_spec='$libname${shared_ext} $libname.a'
+  dynamic_linker='OS/2 ld.exe'
+  shlibpath_var=LIBPATH
+  ;;
+
+osf3* | osf4* | osf5*)
+  version_type=osf
+  need_lib_prefix=no
+  need_version=no
+  soname_spec='${libname}${release}${shared_ext}$major'
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+  shlibpath_var=LD_LIBRARY_PATH
+  sys_lib_search_path_spec="/usr/shlib /usr/ccs/lib /usr/lib/cmplrs/cc /usr/lib /usr/local/lib /var/shlib"
+  sys_lib_dlsearch_path_spec="$sys_lib_search_path_spec"
+  ;;
+
+rdos*)
+  dynamic_linker=no
+  ;;
+
+solaris*)
+  version_type=linux
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=yes
+  hardcode_into_libs=yes
+  # ldd complains unless libraries are executable
+  postinstall_cmds='chmod +x $lib'
+  ;;
+
+sunos4*)
+  version_type=sunos
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
+  finish_cmds='PATH="\$PATH:/usr/etc" ldconfig $libdir'
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=yes
+  if test "$with_gnu_ld" = yes; then
+    need_lib_prefix=no
+  fi
+  need_version=yes
+  ;;
+
+sysv4 | sysv4.3*)
+  version_type=linux
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  shlibpath_var=LD_LIBRARY_PATH
+  case $host_vendor in
+    sni)
+      shlibpath_overrides_runpath=no
+      need_lib_prefix=no
+      export_dynamic_flag_spec='${wl}-Blargedynsym'
+      runpath_var=LD_RUN_PATH
+      ;;
+    siemens)
+      need_lib_prefix=no
+      ;;
+    motorola)
+      need_lib_prefix=no
+      need_version=no
+      shlibpath_overrides_runpath=no
+      sys_lib_search_path_spec='/lib /usr/lib /usr/ccs/lib'
+      ;;
+  esac
+  ;;
+
+sysv4*MP*)
+  if test -d /usr/nec ;then
+    version_type=linux
+    library_names_spec='$libname${shared_ext}.$versuffix $libname${shared_ext}.$major $libname${shared_ext}'
+    soname_spec='$libname${shared_ext}.$major'
+    shlibpath_var=LD_LIBRARY_PATH
+  fi
+  ;;
+
+sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX* | sysv4*uw2*)
+  version_type=freebsd-elf
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext} $libname${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  shlibpath_var=LD_LIBRARY_PATH
+  hardcode_into_libs=yes
+  if test "$with_gnu_ld" = yes; then
+    sys_lib_search_path_spec='/usr/local/lib /usr/gnu/lib /usr/ccs/lib /usr/lib /lib'
+    shlibpath_overrides_runpath=no
+  else
+    sys_lib_search_path_spec='/usr/ccs/lib /usr/lib'
+    shlibpath_overrides_runpath=yes
+    case $host_os in
+      sco3.2v5*)
+        sys_lib_search_path_spec="$sys_lib_search_path_spec /lib"
+	;;
+    esac
+  fi
+  sys_lib_dlsearch_path_spec='/usr/lib'
+  ;;
+
+uts4*)
+  version_type=linux
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  shlibpath_var=LD_LIBRARY_PATH
+  ;;
+
+*)
+  dynamic_linker=no
+  ;;
+esac
+{ echo "$as_me:$LINENO: result: $dynamic_linker" >&5
+echo "${ECHO_T}$dynamic_linker" >&6; }
+test "$dynamic_linker" = no && can_build_shared=no
+
+if test "${lt_cv_sys_lib_search_path_spec+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  lt_cv_sys_lib_search_path_spec="$sys_lib_search_path_spec"
+fi
+
+sys_lib_search_path_spec="$lt_cv_sys_lib_search_path_spec"
+if test "${lt_cv_sys_lib_dlsearch_path_spec+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  lt_cv_sys_lib_dlsearch_path_spec="$sys_lib_dlsearch_path_spec"
+fi
+
+sys_lib_dlsearch_path_spec="$lt_cv_sys_lib_dlsearch_path_spec"
+
+variables_saved_for_relink="PATH $shlibpath_var $runpath_var"
+if test "$GCC" = yes; then
+  variables_saved_for_relink="$variables_saved_for_relink GCC_EXEC_PREFIX COMPILER_PATH LIBRARY_PATH"
+fi
+
+{ echo "$as_me:$LINENO: checking how to hardcode library paths into programs" >&5
+echo $ECHO_N "checking how to hardcode library paths into programs... $ECHO_C" >&6; }
+hardcode_action_F77=
+if test -n "$hardcode_libdir_flag_spec_F77" || \
+   test -n "$runpath_var_F77" || \
+   test "X$hardcode_automatic_F77" = "Xyes" ; then
+
+  # We can hardcode non-existant directories.
+  if test "$hardcode_direct_F77" != no &&
+     # If the only mechanism to avoid hardcoding is shlibpath_var, we
+     # have to relink, otherwise we might link with an installed library
+     # when we should be linking with a yet-to-be-installed one
+     ## test "$_LT_AC_TAGVAR(hardcode_shlibpath_var, F77)" != no &&
+     test "$hardcode_minus_L_F77" != no; then
+    # Linking always hardcodes the temporary library directory.
+    hardcode_action_F77=relink
+  else
+    # We can link without hardcoding, and we can hardcode nonexisting dirs.
+    hardcode_action_F77=immediate
+  fi
+else
+  # We cannot hardcode anything, or else we can only hardcode existing
+  # directories.
+  hardcode_action_F77=unsupported
+fi
+{ echo "$as_me:$LINENO: result: $hardcode_action_F77" >&5
+echo "${ECHO_T}$hardcode_action_F77" >&6; }
+
+if test "$hardcode_action_F77" = relink; then
+  # Fast installation is not supported
+  enable_fast_install=no
+elif test "$shlibpath_overrides_runpath" = yes ||
+     test "$enable_shared" = no; then
+  # Fast installation is not necessary
+  enable_fast_install=needless
+fi
+
+
+# The else clause should only fire when bootstrapping the
+# libtool distribution, otherwise you forgot to ship ltmain.sh
+# with your package, and you will get complaints that there are
+# no rules to generate ltmain.sh.
+if test -f "$ltmain"; then
+  # See if we are running on zsh, and set the options which allow our commands through
+  # without removal of \ escapes.
+  if test -n "${ZSH_VERSION+set}" ; then
+    setopt NO_GLOB_SUBST
+  fi
+  # Now quote all the things that may contain metacharacters while being
+  # careful not to overquote the AC_SUBSTed values.  We take copies of the
+  # variables and quote the copies for generation of the libtool script.
+  for var in echo old_CC old_CFLAGS AR AR_FLAGS EGREP RANLIB LN_S LTCC LTCFLAGS NM \
+    SED SHELL STRIP \
+    libname_spec library_names_spec soname_spec extract_expsyms_cmds \
+    old_striplib striplib file_magic_cmd finish_cmds finish_eval \
+    deplibs_check_method reload_flag reload_cmds need_locks \
+    lt_cv_sys_global_symbol_pipe lt_cv_sys_global_symbol_to_cdecl \
+    lt_cv_sys_global_symbol_to_c_name_address \
+    sys_lib_search_path_spec sys_lib_dlsearch_path_spec \
+    old_postinstall_cmds old_postuninstall_cmds \
+    compiler_F77 \
+    CC_F77 \
+    LD_F77 \
+    lt_prog_compiler_wl_F77 \
+    lt_prog_compiler_pic_F77 \
+    lt_prog_compiler_static_F77 \
+    lt_prog_compiler_no_builtin_flag_F77 \
+    export_dynamic_flag_spec_F77 \
+    thread_safe_flag_spec_F77 \
+    whole_archive_flag_spec_F77 \
+    enable_shared_with_static_runtimes_F77 \
+    old_archive_cmds_F77 \
+    old_archive_from_new_cmds_F77 \
+    predep_objects_F77 \
+    postdep_objects_F77 \
+    predeps_F77 \
+    postdeps_F77 \
+    compiler_lib_search_path_F77 \
+    compiler_lib_search_dirs_F77 \
+    archive_cmds_F77 \
+    archive_expsym_cmds_F77 \
+    postinstall_cmds_F77 \
+    postuninstall_cmds_F77 \
+    old_archive_from_expsyms_cmds_F77 \
+    allow_undefined_flag_F77 \
+    no_undefined_flag_F77 \
+    export_symbols_cmds_F77 \
+    hardcode_libdir_flag_spec_F77 \
+    hardcode_libdir_flag_spec_ld_F77 \
+    hardcode_libdir_separator_F77 \
+    hardcode_automatic_F77 \
+    module_cmds_F77 \
+    module_expsym_cmds_F77 \
+    lt_cv_prog_compiler_c_o_F77 \
+    fix_srcfile_path_F77 \
+    exclude_expsyms_F77 \
+    include_expsyms_F77; do
+
+    case $var in
+    old_archive_cmds_F77 | \
+    old_archive_from_new_cmds_F77 | \
+    archive_cmds_F77 | \
+    archive_expsym_cmds_F77 | \
+    module_cmds_F77 | \
+    module_expsym_cmds_F77 | \
+    old_archive_from_expsyms_cmds_F77 | \
+    export_symbols_cmds_F77 | \
+    extract_expsyms_cmds | reload_cmds | finish_cmds | \
+    postinstall_cmds | postuninstall_cmds | \
+    old_postinstall_cmds | old_postuninstall_cmds | \
+    sys_lib_search_path_spec | sys_lib_dlsearch_path_spec)
+      # Double-quote double-evaled strings.
+      eval "lt_$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$double_quote_subst\" -e \"\$sed_quote_subst\" -e \"\$delay_variable_subst\"\`\\\""
+      ;;
+    *)
+      eval "lt_$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$sed_quote_subst\"\`\\\""
+      ;;
+    esac
+  done
+
+  case $lt_echo in
+  *'\$0 --fallback-echo"')
+    lt_echo=`$echo "X$lt_echo" | $Xsed -e 's/\\\\\\\$0 --fallback-echo"$/$0 --fallback-echo"/'`
+    ;;
+  esac
+
+cfgfile="$ofile"
+
+  cat <<__EOF__ >> "$cfgfile"
+# ### BEGIN LIBTOOL TAG CONFIG: $tagname
+
+# Libtool was configured on host `(hostname || uname -n) 2>/dev/null | sed 1q`:
+
+# Shell to use when invoking shell scripts.
+SHELL=$lt_SHELL
+
+# Whether or not to build shared libraries.
+build_libtool_libs=$enable_shared
+
+# Whether or not to build static libraries.
+build_old_libs=$enable_static
+
+# Whether or not to add -lc for building shared libraries.
+build_libtool_need_lc=$archive_cmds_need_lc_F77
+
+# Whether or not to disallow shared libs when runtime libs are static
+allow_libtool_libs_with_static_runtimes=$enable_shared_with_static_runtimes_F77
+
+# Whether or not to optimize for fast installation.
+fast_install=$enable_fast_install
+
+# The host system.
+host_alias=$host_alias
+host=$host
+host_os=$host_os
+
+# The build system.
+build_alias=$build_alias
+build=$build
+build_os=$build_os
+
+# An echo program that does not interpret backslashes.
+echo=$lt_echo
+
+# The archiver.
+AR=$lt_AR
+AR_FLAGS=$lt_AR_FLAGS
+
+# A C compiler.
+LTCC=$lt_LTCC
+
+# LTCC compiler flags.
+LTCFLAGS=$lt_LTCFLAGS
+
+# A language-specific compiler.
+CC=$lt_compiler_F77
+
+# Is the compiler the GNU C compiler?
+with_gcc=$GCC_F77
+
+# An ERE matcher.
+EGREP=$lt_EGREP
+
+# The linker used to build libraries.
+LD=$lt_LD_F77
+
+# Whether we need hard or soft links.
+LN_S=$lt_LN_S
+
+# A BSD-compatible nm program.
+NM=$lt_NM
+
+# A symbol stripping program
+STRIP=$lt_STRIP
+
+# Used to examine libraries when file_magic_cmd begins "file"
+MAGIC_CMD=$MAGIC_CMD
+
+# Used on cygwin: DLL creation program.
+DLLTOOL="$DLLTOOL"
+
+# Used on cygwin: object dumper.
+OBJDUMP="$OBJDUMP"
+
+# Used on cygwin: assembler.
+AS="$AS"
+
+# The name of the directory that contains temporary libtool files.
+objdir=$objdir
+
+# How to create reloadable object files.
+reload_flag=$lt_reload_flag
+reload_cmds=$lt_reload_cmds
+
+# How to pass a linker flag through the compiler.
+wl=$lt_lt_prog_compiler_wl_F77
+
+# Object file suffix (normally "o").
+objext="$ac_objext"
+
+# Old archive suffix (normally "a").
+libext="$libext"
+
+# Shared library suffix (normally ".so").
+shrext_cmds='$shrext_cmds'
+
+# Executable file suffix (normally "").
+exeext="$exeext"
+
+# Additional compiler flags for building library objects.
+pic_flag=$lt_lt_prog_compiler_pic_F77
+pic_mode=$pic_mode
+
+# What is the maximum length of a command?
+max_cmd_len=$lt_cv_sys_max_cmd_len
+
+# Does compiler simultaneously support -c and -o options?
+compiler_c_o=$lt_lt_cv_prog_compiler_c_o_F77
+
+# Must we lock files when doing compilation?
+need_locks=$lt_need_locks
+
+# Do we need the lib prefix for modules?
+need_lib_prefix=$need_lib_prefix
+
+# Do we need a version for libraries?
+need_version=$need_version
+
+# Whether dlopen is supported.
+dlopen_support=$enable_dlopen
+
+# Whether dlopen of programs is supported.
+dlopen_self=$enable_dlopen_self
+
+# Whether dlopen of statically linked programs is supported.
+dlopen_self_static=$enable_dlopen_self_static
+
+# Compiler flag to prevent dynamic linking.
+link_static_flag=$lt_lt_prog_compiler_static_F77
+
+# Compiler flag to turn off builtin functions.
+no_builtin_flag=$lt_lt_prog_compiler_no_builtin_flag_F77
+
+# Compiler flag to allow reflexive dlopens.
+export_dynamic_flag_spec=$lt_export_dynamic_flag_spec_F77
+
+# Compiler flag to generate shared objects directly from archives.
+whole_archive_flag_spec=$lt_whole_archive_flag_spec_F77
+
+# Compiler flag to generate thread-safe objects.
+thread_safe_flag_spec=$lt_thread_safe_flag_spec_F77
+
+# Library versioning type.
+version_type=$version_type
+
+# Format of library name prefix.
+libname_spec=$lt_libname_spec
+
+# List of archive names.  First name is the real one, the rest are links.
+# The last name is the one that the linker finds with -lNAME.
+library_names_spec=$lt_library_names_spec
+
+# The coded name of the library, if different from the real name.
+soname_spec=$lt_soname_spec
+
+# Commands used to build and install an old-style archive.
+RANLIB=$lt_RANLIB
+old_archive_cmds=$lt_old_archive_cmds_F77
+old_postinstall_cmds=$lt_old_postinstall_cmds
+old_postuninstall_cmds=$lt_old_postuninstall_cmds
+
+# Create an old-style archive from a shared archive.
+old_archive_from_new_cmds=$lt_old_archive_from_new_cmds_F77
+
+# Create a temporary old-style archive to link instead of a shared archive.
+old_archive_from_expsyms_cmds=$lt_old_archive_from_expsyms_cmds_F77
+
+# Commands used to build and install a shared archive.
+archive_cmds=$lt_archive_cmds_F77
+archive_expsym_cmds=$lt_archive_expsym_cmds_F77
+postinstall_cmds=$lt_postinstall_cmds
+postuninstall_cmds=$lt_postuninstall_cmds
+
+# Commands used to build a loadable module (assumed same as above if empty)
+module_cmds=$lt_module_cmds_F77
+module_expsym_cmds=$lt_module_expsym_cmds_F77
+
+# Commands to strip libraries.
+old_striplib=$lt_old_striplib
+striplib=$lt_striplib
+
+# Dependencies to place before the objects being linked to create a
+# shared library.
+predep_objects=$lt_predep_objects_F77
+
+# Dependencies to place after the objects being linked to create a
+# shared library.
+postdep_objects=$lt_postdep_objects_F77
+
+# Dependencies to place before the objects being linked to create a
+# shared library.
+predeps=$lt_predeps_F77
+
+# Dependencies to place after the objects being linked to create a
+# shared library.
+postdeps=$lt_postdeps_F77
+
+# The directories searched by this compiler when creating a shared
+# library
+compiler_lib_search_dirs=$lt_compiler_lib_search_dirs_F77
+
+# The library search path used internally by the compiler when linking
+# a shared library.
+compiler_lib_search_path=$lt_compiler_lib_search_path_F77
+
+# Method to check whether dependent libraries are shared objects.
+deplibs_check_method=$lt_deplibs_check_method
+
+# Command to use when deplibs_check_method == file_magic.
+file_magic_cmd=$lt_file_magic_cmd
+
+# Flag that allows shared libraries with undefined symbols to be built.
+allow_undefined_flag=$lt_allow_undefined_flag_F77
+
+# Flag that forces no undefined symbols.
+no_undefined_flag=$lt_no_undefined_flag_F77
+
+# Commands used to finish a libtool library installation in a directory.
+finish_cmds=$lt_finish_cmds
+
+# Same as above, but a single script fragment to be evaled but not shown.
+finish_eval=$lt_finish_eval
+
+# Take the output of nm and produce a listing of raw symbols and C names.
+global_symbol_pipe=$lt_lt_cv_sys_global_symbol_pipe
+
+# Transform the output of nm in a proper C declaration
+global_symbol_to_cdecl=$lt_lt_cv_sys_global_symbol_to_cdecl
+
+# Transform the output of nm in a C name address pair
+global_symbol_to_c_name_address=$lt_lt_cv_sys_global_symbol_to_c_name_address
+
+# This is the shared library runtime path variable.
+runpath_var=$runpath_var
+
+# This is the shared library path variable.
+shlibpath_var=$shlibpath_var
+
+# Is shlibpath searched before the hard-coded library search path?
+shlibpath_overrides_runpath=$shlibpath_overrides_runpath
+
+# How to hardcode a shared library path into an executable.
+hardcode_action=$hardcode_action_F77
+
+# Whether we should hardcode library paths into libraries.
+hardcode_into_libs=$hardcode_into_libs
+
+# Flag to hardcode \$libdir into a binary during linking.
+# This must work even if \$libdir does not exist.
+hardcode_libdir_flag_spec=$lt_hardcode_libdir_flag_spec_F77
+
+# If ld is used when linking, flag to hardcode \$libdir into
+# a binary during linking. This must work even if \$libdir does
+# not exist.
+hardcode_libdir_flag_spec_ld=$lt_hardcode_libdir_flag_spec_ld_F77
+
+# Whether we need a single -rpath flag with a separated argument.
+hardcode_libdir_separator=$lt_hardcode_libdir_separator_F77
+
+# Set to yes if using DIR/libNAME${shared_ext} during linking hardcodes DIR into the
+# resulting binary.
+hardcode_direct=$hardcode_direct_F77
+
+# Set to yes if using the -LDIR flag during linking hardcodes DIR into the
+# resulting binary.
+hardcode_minus_L=$hardcode_minus_L_F77
+
+# Set to yes if using SHLIBPATH_VAR=DIR during linking hardcodes DIR into
+# the resulting binary.
+hardcode_shlibpath_var=$hardcode_shlibpath_var_F77
+
+# Set to yes if building a shared library automatically hardcodes DIR into the library
+# and all subsequent libraries and executables linked against it.
+hardcode_automatic=$hardcode_automatic_F77
+
+# Variables whose values should be saved in libtool wrapper scripts and
+# restored at relink time.
+variables_saved_for_relink="$variables_saved_for_relink"
+
+# Whether libtool must link a program against all its dependency libraries.
+link_all_deplibs=$link_all_deplibs_F77
+
+# Compile-time system search path for libraries
+sys_lib_search_path_spec=$lt_sys_lib_search_path_spec
+
+# Run-time system search path for libraries
+sys_lib_dlsearch_path_spec=$lt_sys_lib_dlsearch_path_spec
+
+# Fix the shell variable \$srcfile for the compiler.
+fix_srcfile_path=$lt_fix_srcfile_path
+
+# Set to yes if exported symbols are required.
+always_export_symbols=$always_export_symbols_F77
+
+# The commands to list exported symbols.
+export_symbols_cmds=$lt_export_symbols_cmds_F77
+
+# The commands to extract the exported symbol list from a shared archive.
+extract_expsyms_cmds=$lt_extract_expsyms_cmds
+
+# Symbols that should not be listed in the preloaded symbols.
+exclude_expsyms=$lt_exclude_expsyms_F77
+
+# Symbols that must always be exported.
+include_expsyms=$lt_include_expsyms_F77
+
+# ### END LIBTOOL TAG CONFIG: $tagname
+
+__EOF__
+
+
+else
+  # If there is no Makefile yet, we rely on a make rule to execute
+  # `config.status --recheck' to rerun these tests and create the
+  # libtool script then.
+  ltmain_in=`echo $ltmain | sed -e 's/\.sh$/.in/'`
+  if test -f "$ltmain_in"; then
+    test -f Makefile && make "$ltmain"
+  fi
+fi
+
+
+ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+
+CC="$lt_save_CC"
+
+	else
+	  tagname=""
+	fi
+	;;
+
+      GCJ)
+	if test -n "$GCJ" && test "X$GCJ" != "Xno"; then
+
+
+# Source file extension for Java test sources.
+ac_ext=java
+
+# Object file extension for compiled Java test sources.
+objext=o
+objext_GCJ=$objext
+
+# Code to be used in simple compile tests
+lt_simple_compile_test_code="class foo {}"
+
+# Code to be used in simple link tests
+lt_simple_link_test_code='public class conftest { public static void main(String[] argv) {}; }'
+
+# ltmain only uses $CC for tagged configurations so make sure $CC is set.
+
+# If no C compiler was specified, use CC.
+LTCC=${LTCC-"$CC"}
+
+# If no C compiler flags were specified, use CFLAGS.
+LTCFLAGS=${LTCFLAGS-"$CFLAGS"}
+
+# Allow CC to be a program name with arguments.
+compiler=$CC
+
+
+# save warnings/boilerplate of simple test code
+ac_outfile=conftest.$ac_objext
+echo "$lt_simple_compile_test_code" >conftest.$ac_ext
+eval "$ac_compile" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err
+_lt_compiler_boilerplate=`cat conftest.err`
+$rm conftest*
+
+ac_outfile=conftest.$ac_objext
+echo "$lt_simple_link_test_code" >conftest.$ac_ext
+eval "$ac_link" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err
+_lt_linker_boilerplate=`cat conftest.err`
+$rm -r conftest*
+
+
+# Allow CC to be a program name with arguments.
+lt_save_CC="$CC"
+CC=${GCJ-"gcj"}
+compiler=$CC
+compiler_GCJ=$CC
+for cc_temp in $compiler""; do
+  case $cc_temp in
+    compile | *[\\/]compile | ccache | *[\\/]ccache ) ;;
+    distcc | *[\\/]distcc | purify | *[\\/]purify ) ;;
+    \-*) ;;
+    *) break;;
+  esac
+done
+cc_basename=`$echo "X$cc_temp" | $Xsed -e 's%.*/%%' -e "s%^$host_alias-%%"`
+
+
+# GCJ did not exist at the time GCC didn't implicitly link libc in.
+archive_cmds_need_lc_GCJ=no
+
+old_archive_cmds_GCJ=$old_archive_cmds
+
+
+lt_prog_compiler_no_builtin_flag_GCJ=
+
+if test "$GCC" = yes; then
+  lt_prog_compiler_no_builtin_flag_GCJ=' -fno-builtin'
+
+
+{ echo "$as_me:$LINENO: checking if $compiler supports -fno-rtti -fno-exceptions" >&5
+echo $ECHO_N "checking if $compiler supports -fno-rtti -fno-exceptions... $ECHO_C" >&6; }
+if test "${lt_cv_prog_compiler_rtti_exceptions+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  lt_cv_prog_compiler_rtti_exceptions=no
+  ac_outfile=conftest.$ac_objext
+   echo "$lt_simple_compile_test_code" > conftest.$ac_ext
+   lt_compiler_flag="-fno-rtti -fno-exceptions"
+   # Insert the option either (1) after the last *FLAGS variable, or
+   # (2) before a word containing "conftest.", or (3) at the end.
+   # Note that $ac_compile itself does not contain backslashes and begins
+   # with a dollar sign (not a hyphen), so the echo should work correctly.
+   # The option is referenced via a variable to avoid confusing sed.
+   lt_compile=`echo "$ac_compile" | $SED \
+   -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
+   -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
+   -e 's:$: $lt_compiler_flag:'`
+   (eval echo "\"\$as_me:17020: $lt_compile\"" >&5)
+   (eval "$lt_compile" 2>conftest.err)
+   ac_status=$?
+   cat conftest.err >&5
+   echo "$as_me:17024: \$? = $ac_status" >&5
+   if (exit $ac_status) && test -s "$ac_outfile"; then
+     # The compiler can only warn and ignore the option if not recognized
+     # So say no if there are warnings other than the usual output.
+     $echo "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' >conftest.exp
+     $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2
+     if test ! -s conftest.er2 || diff conftest.exp conftest.er2 >/dev/null; then
+       lt_cv_prog_compiler_rtti_exceptions=yes
+     fi
+   fi
+   $rm conftest*
+
+fi
+{ echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_rtti_exceptions" >&5
+echo "${ECHO_T}$lt_cv_prog_compiler_rtti_exceptions" >&6; }
+
+if test x"$lt_cv_prog_compiler_rtti_exceptions" = xyes; then
+    lt_prog_compiler_no_builtin_flag_GCJ="$lt_prog_compiler_no_builtin_flag_GCJ -fno-rtti -fno-exceptions"
+else
+    :
+fi
+
+fi
+
+lt_prog_compiler_wl_GCJ=
+lt_prog_compiler_pic_GCJ=
+lt_prog_compiler_static_GCJ=
+
+{ echo "$as_me:$LINENO: checking for $compiler option to produce PIC" >&5
+echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6; }
+
+  if test "$GCC" = yes; then
+    lt_prog_compiler_wl_GCJ='-Wl,'
+    lt_prog_compiler_static_GCJ='-static'
+
+    case $host_os in
+      aix*)
+      # All AIX code is PIC.
+      if test "$host_cpu" = ia64; then
+	# AIX 5 now supports IA64 processor
+	lt_prog_compiler_static_GCJ='-Bstatic'
+      fi
+      ;;
+
+    amigaos*)
+      # FIXME: we need at least 68020 code to build shared libraries, but
+      # adding the `-m68020' flag to GCC prevents building anything better,
+      # like `-m68040'.
+      lt_prog_compiler_pic_GCJ='-m68020 -resident32 -malways-restore-a4'
+      ;;
+
+    beos* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*)
+      # PIC is the default for these OSes.
+      ;;
+
+    mingw* | cygwin* | pw32* | os2*)
+      # This hack is so that the source file can tell whether it is being
+      # built for inclusion in a dll (and should export symbols for example).
+      # Although the cygwin gcc ignores -fPIC, still need this for old-style
+      # (--disable-auto-import) libraries
+
+      ;;
+
+    darwin* | rhapsody*)
+      # PIC is the default on this platform
+      # Common symbols not allowed in MH_DYLIB files
+      lt_prog_compiler_pic_GCJ='-fno-common'
+      ;;
+
+    interix[3-9]*)
+      # Interix 3.x gcc -fpic/-fPIC options generate broken code.
+      # Instead, we relocate shared libraries at runtime.
+      ;;
+
+    msdosdjgpp*)
+      # Just because we use GCC doesn't mean we suddenly get shared libraries
+      # on systems that don't support them.
+      lt_prog_compiler_can_build_shared_GCJ=no
+      enable_shared=no
+      ;;
+
+    sysv4*MP*)
+      if test -d /usr/nec; then
+	lt_prog_compiler_pic_GCJ=-Kconform_pic
+      fi
+      ;;
+
+    hpux*)
+      # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but
+      # not for PA HP-UX.
+      case $host_cpu in
+      hppa*64*|ia64*)
+	# +Z the default
+	;;
+      *)
+	lt_prog_compiler_pic_GCJ='-fPIC'
+	;;
+      esac
+      ;;
+
+    *)
+      lt_prog_compiler_pic_GCJ='-fPIC'
+      ;;
+    esac
+  else
+    # PORTME Check for flag to pass linker flags through the system compiler.
+    case $host_os in
+    aix*)
+      lt_prog_compiler_wl_GCJ='-Wl,'
+      if test "$host_cpu" = ia64; then
+	# AIX 5 now supports IA64 processor
+	lt_prog_compiler_static_GCJ='-Bstatic'
+      else
+	lt_prog_compiler_static_GCJ='-bnso -bI:/lib/syscalls.exp'
+      fi
+      ;;
+      darwin*)
+        # PIC is the default on this platform
+        # Common symbols not allowed in MH_DYLIB files
+       case $cc_basename in
+         xlc*)
+         lt_prog_compiler_pic_GCJ='-qnocommon'
+         lt_prog_compiler_wl_GCJ='-Wl,'
+         ;;
+       esac
+       ;;
+
+    mingw* | cygwin* | pw32* | os2*)
+      # This hack is so that the source file can tell whether it is being
+      # built for inclusion in a dll (and should export symbols for example).
+
+      ;;
+
+    hpux9* | hpux10* | hpux11*)
+      lt_prog_compiler_wl_GCJ='-Wl,'
+      # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but
+      # not for PA HP-UX.
+      case $host_cpu in
+      hppa*64*|ia64*)
+	# +Z the default
+	;;
+      *)
+	lt_prog_compiler_pic_GCJ='+Z'
+	;;
+      esac
+      # Is there a better lt_prog_compiler_static that works with the bundled CC?
+      lt_prog_compiler_static_GCJ='${wl}-a ${wl}archive'
+      ;;
+
+    irix5* | irix6* | nonstopux*)
+      lt_prog_compiler_wl_GCJ='-Wl,'
+      # PIC (with -KPIC) is the default.
+      lt_prog_compiler_static_GCJ='-non_shared'
+      ;;
+
+    newsos6)
+      lt_prog_compiler_pic_GCJ='-KPIC'
+      lt_prog_compiler_static_GCJ='-Bstatic'
+      ;;
+
+    linux* | k*bsd*-gnu)
+      case $cc_basename in
+      icc* | ecc*)
+	lt_prog_compiler_wl_GCJ='-Wl,'
+	lt_prog_compiler_pic_GCJ='-KPIC'
+	lt_prog_compiler_static_GCJ='-static'
+        ;;
+      pgcc* | pgf77* | pgf90* | pgf95*)
+        # Portland Group compilers (*not* the Pentium gcc compiler,
+	# which looks to be a dead project)
+	lt_prog_compiler_wl_GCJ='-Wl,'
+	lt_prog_compiler_pic_GCJ='-fpic'
+	lt_prog_compiler_static_GCJ='-Bstatic'
+        ;;
+      ccc*)
+        lt_prog_compiler_wl_GCJ='-Wl,'
+        # All Alpha code is PIC.
+        lt_prog_compiler_static_GCJ='-non_shared'
+        ;;
+      *)
+        case `$CC -V 2>&1 | sed 5q` in
+	*Sun\ C*)
+	  # Sun C 5.9
+	  lt_prog_compiler_pic_GCJ='-KPIC'
+	  lt_prog_compiler_static_GCJ='-Bstatic'
+	  lt_prog_compiler_wl_GCJ='-Wl,'
+	  ;;
+	*Sun\ F*)
+	  # Sun Fortran 8.3 passes all unrecognized flags to the linker
+	  lt_prog_compiler_pic_GCJ='-KPIC'
+	  lt_prog_compiler_static_GCJ='-Bstatic'
+	  lt_prog_compiler_wl_GCJ=''
+	  ;;
+	esac
+	;;
+      esac
+      ;;
+
+    osf3* | osf4* | osf5*)
+      lt_prog_compiler_wl_GCJ='-Wl,'
+      # All OSF/1 code is PIC.
+      lt_prog_compiler_static_GCJ='-non_shared'
+      ;;
+
+    rdos*)
+      lt_prog_compiler_static_GCJ='-non_shared'
+      ;;
+
+    solaris*)
+      lt_prog_compiler_pic_GCJ='-KPIC'
+      lt_prog_compiler_static_GCJ='-Bstatic'
+      case $cc_basename in
+      f77* | f90* | f95*)
+	lt_prog_compiler_wl_GCJ='-Qoption ld ';;
+      *)
+	lt_prog_compiler_wl_GCJ='-Wl,';;
+      esac
+      ;;
+
+    sunos4*)
+      lt_prog_compiler_wl_GCJ='-Qoption ld '
+      lt_prog_compiler_pic_GCJ='-PIC'
+      lt_prog_compiler_static_GCJ='-Bstatic'
+      ;;
+
+    sysv4 | sysv4.2uw2* | sysv4.3*)
+      lt_prog_compiler_wl_GCJ='-Wl,'
+      lt_prog_compiler_pic_GCJ='-KPIC'
+      lt_prog_compiler_static_GCJ='-Bstatic'
+      ;;
+
+    sysv4*MP*)
+      if test -d /usr/nec ;then
+	lt_prog_compiler_pic_GCJ='-Kconform_pic'
+	lt_prog_compiler_static_GCJ='-Bstatic'
+      fi
+      ;;
+
+    sysv5* | unixware* | sco3.2v5* | sco5v6* | OpenUNIX*)
+      lt_prog_compiler_wl_GCJ='-Wl,'
+      lt_prog_compiler_pic_GCJ='-KPIC'
+      lt_prog_compiler_static_GCJ='-Bstatic'
+      ;;
+
+    unicos*)
+      lt_prog_compiler_wl_GCJ='-Wl,'
+      lt_prog_compiler_can_build_shared_GCJ=no
+      ;;
+
+    uts4*)
+      lt_prog_compiler_pic_GCJ='-pic'
+      lt_prog_compiler_static_GCJ='-Bstatic'
+      ;;
+
+    *)
+      lt_prog_compiler_can_build_shared_GCJ=no
+      ;;
+    esac
+  fi
+
+{ echo "$as_me:$LINENO: result: $lt_prog_compiler_pic_GCJ" >&5
+echo "${ECHO_T}$lt_prog_compiler_pic_GCJ" >&6; }
+
+#
+# Check to make sure the PIC flag actually works.
+#
+if test -n "$lt_prog_compiler_pic_GCJ"; then
+
+{ echo "$as_me:$LINENO: checking if $compiler PIC flag $lt_prog_compiler_pic_GCJ works" >&5
+echo $ECHO_N "checking if $compiler PIC flag $lt_prog_compiler_pic_GCJ works... $ECHO_C" >&6; }
+if test "${lt_cv_prog_compiler_pic_works_GCJ+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  lt_cv_prog_compiler_pic_works_GCJ=no
+  ac_outfile=conftest.$ac_objext
+   echo "$lt_simple_compile_test_code" > conftest.$ac_ext
+   lt_compiler_flag="$lt_prog_compiler_pic_GCJ"
+   # Insert the option either (1) after the last *FLAGS variable, or
+   # (2) before a word containing "conftest.", or (3) at the end.
+   # Note that $ac_compile itself does not contain backslashes and begins
+   # with a dollar sign (not a hyphen), so the echo should work correctly.
+   # The option is referenced via a variable to avoid confusing sed.
+   lt_compile=`echo "$ac_compile" | $SED \
+   -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
+   -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
+   -e 's:$: $lt_compiler_flag:'`
+   (eval echo "\"\$as_me:17310: $lt_compile\"" >&5)
+   (eval "$lt_compile" 2>conftest.err)
+   ac_status=$?
+   cat conftest.err >&5
+   echo "$as_me:17314: \$? = $ac_status" >&5
+   if (exit $ac_status) && test -s "$ac_outfile"; then
+     # The compiler can only warn and ignore the option if not recognized
+     # So say no if there are warnings other than the usual output.
+     $echo "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' >conftest.exp
+     $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2
+     if test ! -s conftest.er2 || diff conftest.exp conftest.er2 >/dev/null; then
+       lt_cv_prog_compiler_pic_works_GCJ=yes
+     fi
+   fi
+   $rm conftest*
+
+fi
+{ echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_pic_works_GCJ" >&5
+echo "${ECHO_T}$lt_cv_prog_compiler_pic_works_GCJ" >&6; }
+
+if test x"$lt_cv_prog_compiler_pic_works_GCJ" = xyes; then
+    case $lt_prog_compiler_pic_GCJ in
+     "" | " "*) ;;
+     *) lt_prog_compiler_pic_GCJ=" $lt_prog_compiler_pic_GCJ" ;;
+     esac
+else
+    lt_prog_compiler_pic_GCJ=
+     lt_prog_compiler_can_build_shared_GCJ=no
+fi
+
+fi
+case $host_os in
+  # For platforms which do not support PIC, -DPIC is meaningless:
+  *djgpp*)
+    lt_prog_compiler_pic_GCJ=
+    ;;
+  *)
+    lt_prog_compiler_pic_GCJ="$lt_prog_compiler_pic_GCJ"
+    ;;
+esac
+
+#
+# Check to make sure the static flag actually works.
+#
+wl=$lt_prog_compiler_wl_GCJ eval lt_tmp_static_flag=\"$lt_prog_compiler_static_GCJ\"
+{ echo "$as_me:$LINENO: checking if $compiler static flag $lt_tmp_static_flag works" >&5
+echo $ECHO_N "checking if $compiler static flag $lt_tmp_static_flag works... $ECHO_C" >&6; }
+if test "${lt_cv_prog_compiler_static_works_GCJ+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  lt_cv_prog_compiler_static_works_GCJ=no
+   save_LDFLAGS="$LDFLAGS"
+   LDFLAGS="$LDFLAGS $lt_tmp_static_flag"
+   echo "$lt_simple_link_test_code" > conftest.$ac_ext
+   if (eval $ac_link 2>conftest.err) && test -s conftest$ac_exeext; then
+     # The linker can only warn and ignore the option if not recognized
+     # So say no if there are warnings
+     if test -s conftest.err; then
+       # Append any errors to the config.log.
+       cat conftest.err 1>&5
+       $echo "X$_lt_linker_boilerplate" | $Xsed -e '/^$/d' > conftest.exp
+       $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2
+       if diff conftest.exp conftest.er2 >/dev/null; then
+         lt_cv_prog_compiler_static_works_GCJ=yes
+       fi
+     else
+       lt_cv_prog_compiler_static_works_GCJ=yes
+     fi
+   fi
+   $rm -r conftest*
+   LDFLAGS="$save_LDFLAGS"
+
+fi
+{ echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_static_works_GCJ" >&5
+echo "${ECHO_T}$lt_cv_prog_compiler_static_works_GCJ" >&6; }
+
+if test x"$lt_cv_prog_compiler_static_works_GCJ" = xyes; then
+    :
+else
+    lt_prog_compiler_static_GCJ=
+fi
+
+
+{ echo "$as_me:$LINENO: checking if $compiler supports -c -o file.$ac_objext" >&5
+echo $ECHO_N "checking if $compiler supports -c -o file.$ac_objext... $ECHO_C" >&6; }
+if test "${lt_cv_prog_compiler_c_o_GCJ+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  lt_cv_prog_compiler_c_o_GCJ=no
+   $rm -r conftest 2>/dev/null
+   mkdir conftest
+   cd conftest
+   mkdir out
+   echo "$lt_simple_compile_test_code" > conftest.$ac_ext
+
+   lt_compiler_flag="-o out/conftest2.$ac_objext"
+   # Insert the option either (1) after the last *FLAGS variable, or
+   # (2) before a word containing "conftest.", or (3) at the end.
+   # Note that $ac_compile itself does not contain backslashes and begins
+   # with a dollar sign (not a hyphen), so the echo should work correctly.
+   lt_compile=`echo "$ac_compile" | $SED \
+   -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
+   -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
+   -e 's:$: $lt_compiler_flag:'`
+   (eval echo "\"\$as_me:17414: $lt_compile\"" >&5)
+   (eval "$lt_compile" 2>out/conftest.err)
+   ac_status=$?
+   cat out/conftest.err >&5
+   echo "$as_me:17418: \$? = $ac_status" >&5
+   if (exit $ac_status) && test -s out/conftest2.$ac_objext
+   then
+     # The compiler can only warn and ignore the option if not recognized
+     # So say no if there are warnings
+     $echo "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' > out/conftest.exp
+     $SED '/^$/d; /^ *+/d' out/conftest.err >out/conftest.er2
+     if test ! -s out/conftest.er2 || diff out/conftest.exp out/conftest.er2 >/dev/null; then
+       lt_cv_prog_compiler_c_o_GCJ=yes
+     fi
+   fi
+   chmod u+w . 2>&5
+   $rm conftest*
+   # SGI C++ compiler will create directory out/ii_files/ for
+   # template instantiation
+   test -d out/ii_files && $rm out/ii_files/* && rmdir out/ii_files
+   $rm out/* && rmdir out
+   cd ..
+   rmdir conftest
+   $rm conftest*
+
+fi
+{ echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_c_o_GCJ" >&5
+echo "${ECHO_T}$lt_cv_prog_compiler_c_o_GCJ" >&6; }
+
+
+hard_links="nottested"
+if test "$lt_cv_prog_compiler_c_o_GCJ" = no && test "$need_locks" != no; then
+  # do not overwrite the value of need_locks provided by the user
+  { echo "$as_me:$LINENO: checking if we can lock with hard links" >&5
+echo $ECHO_N "checking if we can lock with hard links... $ECHO_C" >&6; }
+  hard_links=yes
+  $rm conftest*
+  ln conftest.a conftest.b 2>/dev/null && hard_links=no
+  touch conftest.a
+  ln conftest.a conftest.b 2>&5 || hard_links=no
+  ln conftest.a conftest.b 2>/dev/null && hard_links=no
+  { echo "$as_me:$LINENO: result: $hard_links" >&5
+echo "${ECHO_T}$hard_links" >&6; }
+  if test "$hard_links" = no; then
+    { echo "$as_me:$LINENO: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&5
+echo "$as_me: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&2;}
+    need_locks=warn
+  fi
+else
+  need_locks=no
+fi
+
+{ echo "$as_me:$LINENO: checking whether the $compiler linker ($LD) supports shared libraries" >&5
+echo $ECHO_N "checking whether the $compiler linker ($LD) supports shared libraries... $ECHO_C" >&6; }
+
+  runpath_var=
+  allow_undefined_flag_GCJ=
+  enable_shared_with_static_runtimes_GCJ=no
+  archive_cmds_GCJ=
+  archive_expsym_cmds_GCJ=
+  old_archive_From_new_cmds_GCJ=
+  old_archive_from_expsyms_cmds_GCJ=
+  export_dynamic_flag_spec_GCJ=
+  whole_archive_flag_spec_GCJ=
+  thread_safe_flag_spec_GCJ=
+  hardcode_libdir_flag_spec_GCJ=
+  hardcode_libdir_flag_spec_ld_GCJ=
+  hardcode_libdir_separator_GCJ=
+  hardcode_direct_GCJ=no
+  hardcode_minus_L_GCJ=no
+  hardcode_shlibpath_var_GCJ=unsupported
+  link_all_deplibs_GCJ=unknown
+  hardcode_automatic_GCJ=no
+  module_cmds_GCJ=
+  module_expsym_cmds_GCJ=
+  always_export_symbols_GCJ=no
+  export_symbols_cmds_GCJ='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols'
+  # include_expsyms should be a list of space-separated symbols to be *always*
+  # included in the symbol list
+  include_expsyms_GCJ=
+  # exclude_expsyms can be an extended regexp of symbols to exclude
+  # it will be wrapped by ` (' and `)$', so one must not match beginning or
+  # end of line.  Example: `a|bc|.*d.*' will exclude the symbols `a' and `bc',
+  # as well as any symbol that contains `d'.
+  exclude_expsyms_GCJ='_GLOBAL_OFFSET_TABLE_|_GLOBAL__F[ID]_.*'
+  # Although _GLOBAL_OFFSET_TABLE_ is a valid symbol C name, most a.out
+  # platforms (ab)use it in PIC code, but their linkers get confused if
+  # the symbol is explicitly referenced.  Since portable code cannot
+  # rely on this symbol name, it's probably fine to never include it in
+  # preloaded symbol tables.
+  # Exclude shared library initialization/finalization symbols.
+  extract_expsyms_cmds=
+  # Just being paranoid about ensuring that cc_basename is set.
+  for cc_temp in $compiler""; do
+  case $cc_temp in
+    compile | *[\\/]compile | ccache | *[\\/]ccache ) ;;
+    distcc | *[\\/]distcc | purify | *[\\/]purify ) ;;
+    \-*) ;;
+    *) break;;
+  esac
+done
+cc_basename=`$echo "X$cc_temp" | $Xsed -e 's%.*/%%' -e "s%^$host_alias-%%"`
+
+  case $host_os in
+  cygwin* | mingw* | pw32*)
+    # FIXME: the MSVC++ port hasn't been tested in a loooong time
+    # When not using gcc, we currently assume that we are using
+    # Microsoft Visual C++.
+    if test "$GCC" != yes; then
+      with_gnu_ld=no
+    fi
+    ;;
+  interix*)
+    # we just hope/assume this is gcc and not c89 (= MSVC++)
+    with_gnu_ld=yes
+    ;;
+  openbsd*)
+    with_gnu_ld=no
+    ;;
+  esac
+
+  ld_shlibs_GCJ=yes
+  if test "$with_gnu_ld" = yes; then
+    # If archive_cmds runs LD, not CC, wlarc should be empty
+    wlarc='${wl}'
+
+    # Set some defaults for GNU ld with shared library support. These
+    # are reset later if shared libraries are not supported. Putting them
+    # here allows them to be overridden if necessary.
+    runpath_var=LD_RUN_PATH
+    hardcode_libdir_flag_spec_GCJ='${wl}--rpath ${wl}$libdir'
+    export_dynamic_flag_spec_GCJ='${wl}--export-dynamic'
+    # ancient GNU ld didn't support --whole-archive et. al.
+    if $LD --help 2>&1 | grep 'no-whole-archive' > /dev/null; then
+	whole_archive_flag_spec_GCJ="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive'
+      else
+  	whole_archive_flag_spec_GCJ=
+    fi
+    supports_anon_versioning=no
+    case `$LD -v 2>/dev/null` in
+      *\ [01].* | *\ 2.[0-9].* | *\ 2.10.*) ;; # catch versions < 2.11
+      *\ 2.11.93.0.2\ *) supports_anon_versioning=yes ;; # RH7.3 ...
+      *\ 2.11.92.0.12\ *) supports_anon_versioning=yes ;; # Mandrake 8.2 ...
+      *\ 2.11.*) ;; # other 2.11 versions
+      *) supports_anon_versioning=yes ;;
+    esac
+
+    # See if GNU ld supports shared libraries.
+    case $host_os in
+    aix[3-9]*)
+      # On AIX/PPC, the GNU linker is very broken
+      if test "$host_cpu" != ia64; then
+	ld_shlibs_GCJ=no
+	cat <<EOF 1>&2
+
+*** Warning: the GNU linker, at least up to release 2.9.1, is reported
+*** to be unable to reliably create shared libraries on AIX.
+*** Therefore, libtool is disabling shared libraries support.  If you
+*** really care for shared libraries, you may want to modify your PATH
+*** so that a non-GNU linker is found, and then restart.
+
+EOF
+      fi
+      ;;
+
+    amigaos*)
+      archive_cmds_GCJ='$rm $output_objdir/a2ixlibrary.data~$echo "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$echo "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$echo "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$echo "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)'
+      hardcode_libdir_flag_spec_GCJ='-L$libdir'
+      hardcode_minus_L_GCJ=yes
+
+      # Samuel A. Falvo II <kc5tja@dolphin.openprojects.net> reports
+      # that the semantics of dynamic libraries on AmigaOS, at least up
+      # to version 4, is to share data among multiple programs linked
+      # with the same dynamic library.  Since this doesn't match the
+      # behavior of shared libraries on other platforms, we can't use
+      # them.
+      ld_shlibs_GCJ=no
+      ;;
+
+    beos*)
+      if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
+	allow_undefined_flag_GCJ=unsupported
+	# Joseph Beckenbach <jrb3@best.com> says some releases of gcc
+	# support --undefined.  This deserves some investigation.  FIXME
+	archive_cmds_GCJ='$CC -nostart $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+      else
+	ld_shlibs_GCJ=no
+      fi
+      ;;
+
+    cygwin* | mingw* | pw32*)
+      # _LT_AC_TAGVAR(hardcode_libdir_flag_spec, GCJ) is actually meaningless,
+      # as there is no search path for DLLs.
+      hardcode_libdir_flag_spec_GCJ='-L$libdir'
+      allow_undefined_flag_GCJ=unsupported
+      always_export_symbols_GCJ=no
+      enable_shared_with_static_runtimes_GCJ=yes
+      export_symbols_cmds_GCJ='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[BCDGRS][ ]/s/.*[ ]\([^ ]*\)/\1 DATA/'\'' -e '\''/^[AITW][ ]/s/.*[ ]//'\'' | sort | uniq > $export_symbols'
+
+      if $LD --help 2>&1 | grep 'auto-import' > /dev/null; then
+        archive_cmds_GCJ='$CC -shared $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
+	# If the export-symbols file already is a .def file (1st line
+	# is EXPORTS), use it as is; otherwise, prepend...
+	archive_expsym_cmds_GCJ='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then
+	  cp $export_symbols $output_objdir/$soname.def;
+	else
+	  echo EXPORTS > $output_objdir/$soname.def;
+	  cat $export_symbols >> $output_objdir/$soname.def;
+	fi~
+	$CC -shared $output_objdir/$soname.def $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
+      else
+	ld_shlibs_GCJ=no
+      fi
+      ;;
+
+    interix[3-9]*)
+      hardcode_direct_GCJ=no
+      hardcode_shlibpath_var_GCJ=no
+      hardcode_libdir_flag_spec_GCJ='${wl}-rpath,$libdir'
+      export_dynamic_flag_spec_GCJ='${wl}-E'
+      # Hack: On Interix 3.x, we cannot compile PIC because of a broken gcc.
+      # Instead, shared libraries are loaded at an image base (0x10000000 by
+      # default) and relocated if they conflict, which is a slow very memory
+      # consuming and fragmenting process.  To avoid this, we pick a random,
+      # 256 KiB-aligned image base between 0x50000000 and 0x6FFC0000 at link
+      # time.  Moving up from 0x10000000 also allows more sbrk(2) space.
+      archive_cmds_GCJ='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
+      archive_expsym_cmds_GCJ='sed "s,^,_," $export_symbols >$output_objdir/$soname.expsym~$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--retain-symbols-file,$output_objdir/$soname.expsym ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
+      ;;
+
+    gnu* | linux* | k*bsd*-gnu)
+      if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
+	tmp_addflag=
+	case $cc_basename,$host_cpu in
+	pgcc*)				# Portland Group C compiler
+	  whole_archive_flag_spec_GCJ='${wl}--whole-archive`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}--no-whole-archive'
+	  tmp_addflag=' $pic_flag'
+	  ;;
+	pgf77* | pgf90* | pgf95*)	# Portland Group f77 and f90 compilers
+	  whole_archive_flag_spec_GCJ='${wl}--whole-archive`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}--no-whole-archive'
+	  tmp_addflag=' $pic_flag -Mnomain' ;;
+	ecc*,ia64* | icc*,ia64*)		# Intel C compiler on ia64
+	  tmp_addflag=' -i_dynamic' ;;
+	efc*,ia64* | ifort*,ia64*)	# Intel Fortran compiler on ia64
+	  tmp_addflag=' -i_dynamic -nofor_main' ;;
+	ifc* | ifort*)			# Intel Fortran compiler
+	  tmp_addflag=' -nofor_main' ;;
+	esac
+	case `$CC -V 2>&1 | sed 5q` in
+	*Sun\ C*)			# Sun C 5.9
+	  whole_archive_flag_spec_GCJ='${wl}--whole-archive`new_convenience=; for conv in $convenience\"\"; do test -z \"$conv\" || new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}--no-whole-archive'
+	  tmp_sharedflag='-G' ;;
+	*Sun\ F*)			# Sun Fortran 8.3
+	  tmp_sharedflag='-G' ;;
+	*)
+	  tmp_sharedflag='-shared' ;;
+	esac
+	archive_cmds_GCJ='$CC '"$tmp_sharedflag""$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+
+	if test $supports_anon_versioning = yes; then
+	  archive_expsym_cmds_GCJ='$echo "{ global:" > $output_objdir/$libname.ver~
+  cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~
+  $echo "local: *; };" >> $output_objdir/$libname.ver~
+	  $CC '"$tmp_sharedflag""$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-version-script ${wl}$output_objdir/$libname.ver -o $lib'
+	fi
+	link_all_deplibs_GCJ=no
+      else
+	ld_shlibs_GCJ=no
+      fi
+      ;;
+
+    netbsd* | netbsdelf*-gnu)
+      if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
+	archive_cmds_GCJ='$LD -Bshareable $libobjs $deplibs $linker_flags -o $lib'
+	wlarc=
+      else
+	archive_cmds_GCJ='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+	archive_expsym_cmds_GCJ='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+      fi
+      ;;
+
+    solaris*)
+      if $LD -v 2>&1 | grep 'BFD 2\.8' > /dev/null; then
+	ld_shlibs_GCJ=no
+	cat <<EOF 1>&2
+
+*** Warning: The releases 2.8.* of the GNU linker cannot reliably
+*** create shared libraries on Solaris systems.  Therefore, libtool
+*** is disabling shared libraries support.  We urge you to upgrade GNU
+*** binutils to release 2.9.1 or newer.  Another option is to modify
+*** your PATH or compiler configuration so that the native linker is
+*** used, and then restart.
+
+EOF
+      elif $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
+	archive_cmds_GCJ='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+	archive_expsym_cmds_GCJ='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+      else
+	ld_shlibs_GCJ=no
+      fi
+      ;;
+
+    sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX*)
+      case `$LD -v 2>&1` in
+        *\ [01].* | *\ 2.[0-9].* | *\ 2.1[0-5].*)
+	ld_shlibs_GCJ=no
+	cat <<_LT_EOF 1>&2
+
+*** Warning: Releases of the GNU linker prior to 2.16.91.0.3 can not
+*** reliably create shared libraries on SCO systems.  Therefore, libtool
+*** is disabling shared libraries support.  We urge you to upgrade GNU
+*** binutils to release 2.16.91.0.3 or newer.  Another option is to modify
+*** your PATH or compiler configuration so that the native linker is
+*** used, and then restart.
+
+_LT_EOF
+	;;
+	*)
+	  if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
+	    hardcode_libdir_flag_spec_GCJ='`test -z "$SCOABSPATH" && echo ${wl}-rpath,$libdir`'
+	    archive_cmds_GCJ='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib'
+	    archive_expsym_cmds_GCJ='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname,\${SCOABSPATH:+${install_libdir}/}$soname,-retain-symbols-file,$export_symbols -o $lib'
+	  else
+	    ld_shlibs_GCJ=no
+	  fi
+	;;
+      esac
+      ;;
+
+    sunos4*)
+      archive_cmds_GCJ='$LD -assert pure-text -Bshareable -o $lib $libobjs $deplibs $linker_flags'
+      wlarc=
+      hardcode_direct_GCJ=yes
+      hardcode_shlibpath_var_GCJ=no
+      ;;
+
+    *)
+      if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
+	archive_cmds_GCJ='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+	archive_expsym_cmds_GCJ='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+      else
+	ld_shlibs_GCJ=no
+      fi
+      ;;
+    esac
+
+    if test "$ld_shlibs_GCJ" = no; then
+      runpath_var=
+      hardcode_libdir_flag_spec_GCJ=
+      export_dynamic_flag_spec_GCJ=
+      whole_archive_flag_spec_GCJ=
+    fi
+  else
+    # PORTME fill in a description of your system's linker (not GNU ld)
+    case $host_os in
+    aix3*)
+      allow_undefined_flag_GCJ=unsupported
+      always_export_symbols_GCJ=yes
+      archive_expsym_cmds_GCJ='$LD -o $output_objdir/$soname $libobjs $deplibs $linker_flags -bE:$export_symbols -T512 -H512 -bM:SRE~$AR $AR_FLAGS $lib $output_objdir/$soname'
+      # Note: this linker hardcodes the directories in LIBPATH if there
+      # are no directories specified by -L.
+      hardcode_minus_L_GCJ=yes
+      if test "$GCC" = yes && test -z "$lt_prog_compiler_static"; then
+	# Neither direct hardcoding nor static linking is supported with a
+	# broken collect2.
+	hardcode_direct_GCJ=unsupported
+      fi
+      ;;
+
+    aix[4-9]*)
+      if test "$host_cpu" = ia64; then
+	# On IA64, the linker does run time linking by default, so we don't
+	# have to do anything special.
+	aix_use_runtimelinking=no
+	exp_sym_flag='-Bexport'
+	no_entry_flag=""
+      else
+	# If we're using GNU nm, then we don't want the "-C" option.
+	# -C means demangle to AIX nm, but means don't demangle with GNU nm
+	if $NM -V 2>&1 | grep 'GNU' > /dev/null; then
+	  export_symbols_cmds_GCJ='$NM -Bpg $libobjs $convenience | awk '\''{ if (((\$2 == "T") || (\$2 == "D") || (\$2 == "B")) && (substr(\$3,1,1) != ".")) { print \$3 } }'\'' | sort -u > $export_symbols'
+	else
+	  export_symbols_cmds_GCJ='$NM -BCpg $libobjs $convenience | awk '\''{ if (((\$2 == "T") || (\$2 == "D") || (\$2 == "B")) && (substr(\$3,1,1) != ".")) { print \$3 } }'\'' | sort -u > $export_symbols'
+	fi
+	aix_use_runtimelinking=no
+
+	# Test if we are trying to use run time linking or normal
+	# AIX style linking. If -brtl is somewhere in LDFLAGS, we
+	# need to do runtime linking.
+	case $host_os in aix4.[23]|aix4.[23].*|aix[5-9]*)
+	  for ld_flag in $LDFLAGS; do
+  	  if (test $ld_flag = "-brtl" || test $ld_flag = "-Wl,-brtl"); then
+  	    aix_use_runtimelinking=yes
+  	    break
+  	  fi
+	  done
+	  ;;
+	esac
+
+	exp_sym_flag='-bexport'
+	no_entry_flag='-bnoentry'
+      fi
+
+      # When large executables or shared objects are built, AIX ld can
+      # have problems creating the table of contents.  If linking a library
+      # or program results in "error TOC overflow" add -mminimal-toc to
+      # CXXFLAGS/CFLAGS for g++/gcc.  In the cases where that is not
+      # enough to fix the problem, add -Wl,-bbigtoc to LDFLAGS.
+
+      archive_cmds_GCJ=''
+      hardcode_direct_GCJ=yes
+      hardcode_libdir_separator_GCJ=':'
+      link_all_deplibs_GCJ=yes
+
+      if test "$GCC" = yes; then
+	case $host_os in aix4.[012]|aix4.[012].*)
+	# We only want to do this on AIX 4.2 and lower, the check
+	# below for broken collect2 doesn't work under 4.3+
+	  collect2name=`${CC} -print-prog-name=collect2`
+	  if test -f "$collect2name" && \
+  	   strings "$collect2name" | grep resolve_lib_name >/dev/null
+	  then
+  	  # We have reworked collect2
+  	  :
+	  else
+  	  # We have old collect2
+  	  hardcode_direct_GCJ=unsupported
+  	  # It fails to find uninstalled libraries when the uninstalled
+  	  # path is not listed in the libpath.  Setting hardcode_minus_L
+  	  # to unsupported forces relinking
+  	  hardcode_minus_L_GCJ=yes
+  	  hardcode_libdir_flag_spec_GCJ='-L$libdir'
+  	  hardcode_libdir_separator_GCJ=
+	  fi
+	  ;;
+	esac
+	shared_flag='-shared'
+	if test "$aix_use_runtimelinking" = yes; then
+	  shared_flag="$shared_flag "'${wl}-G'
+	fi
+      else
+	# not using gcc
+	if test "$host_cpu" = ia64; then
+  	# VisualAge C++, Version 5.5 for AIX 5L for IA-64, Beta 3 Release
+  	# chokes on -Wl,-G. The following line is correct:
+	  shared_flag='-G'
+	else
+	  if test "$aix_use_runtimelinking" = yes; then
+	    shared_flag='${wl}-G'
+	  else
+	    shared_flag='${wl}-bM:SRE'
+	  fi
+	fi
+      fi
+
+      # It seems that -bexpall does not export symbols beginning with
+      # underscore (_), so it is better to generate a list of symbols to export.
+      always_export_symbols_GCJ=yes
+      if test "$aix_use_runtimelinking" = yes; then
+	# Warning - without using the other runtime loading flags (-brtl),
+	# -berok will link without error, but may produce a broken library.
+	allow_undefined_flag_GCJ='-berok'
+       # Determine the default libpath from the value encoded in an empty executable.
+       cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+
+lt_aix_libpath_sed='
+    /Import File Strings/,/^$/ {
+	/^0/ {
+	    s/^0  *\(.*\)$/\1/
+	    p
+	}
+    }'
+aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
+# Check for a 64-bit object if we didn't find anything.
+if test -z "$aix_libpath"; then
+  aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
+fi
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
+
+       hardcode_libdir_flag_spec_GCJ='${wl}-blibpath:$libdir:'"$aix_libpath"
+	archive_expsym_cmds_GCJ="\$CC"' -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then echo "${wl}${allow_undefined_flag}"; else :; fi` '"\${wl}$exp_sym_flag:\$export_symbols $shared_flag"
+       else
+	if test "$host_cpu" = ia64; then
+	  hardcode_libdir_flag_spec_GCJ='${wl}-R $libdir:/usr/lib:/lib'
+	  allow_undefined_flag_GCJ="-z nodefs"
+	  archive_expsym_cmds_GCJ="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags ${wl}${allow_undefined_flag} '"\${wl}$exp_sym_flag:\$export_symbols"
+	else
+	 # Determine the default libpath from the value encoded in an empty executable.
+	 cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+
+lt_aix_libpath_sed='
+    /Import File Strings/,/^$/ {
+	/^0/ {
+	    s/^0  *\(.*\)$/\1/
+	    p
+	}
+    }'
+aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
+# Check for a 64-bit object if we didn't find anything.
+if test -z "$aix_libpath"; then
+  aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
+fi
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
+
+	 hardcode_libdir_flag_spec_GCJ='${wl}-blibpath:$libdir:'"$aix_libpath"
+	  # Warning - without using the other run time loading flags,
+	  # -berok will link without error, but may produce a broken library.
+	  no_undefined_flag_GCJ=' ${wl}-bernotok'
+	  allow_undefined_flag_GCJ=' ${wl}-berok'
+	  # Exported symbols can be pulled into shared objects from archives
+	  whole_archive_flag_spec_GCJ='$convenience'
+	  archive_cmds_need_lc_GCJ=yes
+	  # This is similar to how AIX traditionally builds its shared libraries.
+	  archive_expsym_cmds_GCJ="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs ${wl}-bnoentry $compiler_flags ${wl}-bE:$export_symbols${allow_undefined_flag}~$AR $AR_FLAGS $output_objdir/$libname$release.a $output_objdir/$soname'
+	fi
+      fi
+      ;;
+
+    amigaos*)
+      archive_cmds_GCJ='$rm $output_objdir/a2ixlibrary.data~$echo "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$echo "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$echo "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$echo "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)'
+      hardcode_libdir_flag_spec_GCJ='-L$libdir'
+      hardcode_minus_L_GCJ=yes
+      # see comment about different semantics on the GNU ld section
+      ld_shlibs_GCJ=no
+      ;;
+
+    bsdi[45]*)
+      export_dynamic_flag_spec_GCJ=-rdynamic
+      ;;
+
+    cygwin* | mingw* | pw32*)
+      # When not using gcc, we currently assume that we are using
+      # Microsoft Visual C++.
+      # hardcode_libdir_flag_spec is actually meaningless, as there is
+      # no search path for DLLs.
+      hardcode_libdir_flag_spec_GCJ=' '
+      allow_undefined_flag_GCJ=unsupported
+      # Tell ltmain to make .lib files, not .a files.
+      libext=lib
+      # Tell ltmain to make .dll files, not .so files.
+      shrext_cmds=".dll"
+      # FIXME: Setting linknames here is a bad hack.
+      archive_cmds_GCJ='$CC -o $lib $libobjs $compiler_flags `echo "$deplibs" | $SED -e '\''s/ -lc$//'\''` -link -dll~linknames='
+      # The linker will automatically build a .lib file if we build a DLL.
+      old_archive_From_new_cmds_GCJ='true'
+      # FIXME: Should let the user specify the lib program.
+      old_archive_cmds_GCJ='lib -OUT:$oldlib$oldobjs$old_deplibs'
+      fix_srcfile_path_GCJ='`cygpath -w "$srcfile"`'
+      enable_shared_with_static_runtimes_GCJ=yes
+      ;;
+
+    darwin* | rhapsody*)
+      case $host_os in
+        rhapsody* | darwin1.[012])
+         allow_undefined_flag_GCJ='${wl}-undefined ${wl}suppress'
+         ;;
+       *) # Darwin 1.3 on
+         if test -z ${MACOSX_DEPLOYMENT_TARGET} ; then
+           allow_undefined_flag_GCJ='${wl}-flat_namespace ${wl}-undefined ${wl}suppress'
+         else
+           case ${MACOSX_DEPLOYMENT_TARGET} in
+             10.[012])
+               allow_undefined_flag_GCJ='${wl}-flat_namespace ${wl}-undefined ${wl}suppress'
+               ;;
+             10.*)
+               allow_undefined_flag_GCJ='${wl}-undefined ${wl}dynamic_lookup'
+               ;;
+           esac
+         fi
+         ;;
+      esac
+      archive_cmds_need_lc_GCJ=no
+      hardcode_direct_GCJ=no
+      hardcode_automatic_GCJ=yes
+      hardcode_shlibpath_var_GCJ=unsupported
+      whole_archive_flag_spec_GCJ=''
+      link_all_deplibs_GCJ=yes
+    if test "$GCC" = yes ; then
+    	output_verbose_link_cmd='echo'
+        archive_cmds_GCJ="\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$libobjs \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring $_lt_dar_single_mod${_lt_dsymutil}"
+        module_cmds_GCJ="\$CC \$allow_undefined_flag -o \$lib -bundle \$libobjs \$deplibs \$compiler_flags${_lt_dsymutil}"
+        archive_expsym_cmds_GCJ="sed 's,^,_,' < \$export_symbols > \$output_objdir/\${libname}-symbols.expsym~\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$libobjs \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring ${_lt_dar_single_mod}${_lt_dar_export_syms}${_lt_dsymutil}"
+        module_expsym_cmds_GCJ="sed -e 's,^,_,' < \$export_symbols > \$output_objdir/\${libname}-symbols.expsym~\$CC \$allow_undefined_flag -o \$lib -bundle \$libobjs \$deplibs \$compiler_flags${_lt_dar_export_syms}${_lt_dsymutil}"
+    else
+      case $cc_basename in
+        xlc*)
+         output_verbose_link_cmd='echo'
+         archive_cmds_GCJ='$CC -qmkshrobj $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}`echo $rpath/$soname` $xlcverstring'
+         module_cmds_GCJ='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
+          # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin lds
+         archive_expsym_cmds_GCJ='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -qmkshrobj $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}$rpath/$soname $xlcverstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+          module_expsym_cmds_GCJ='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag  -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+          ;;
+       *)
+         ld_shlibs_GCJ=no
+          ;;
+      esac
+    fi
+      ;;
+
+    dgux*)
+      archive_cmds_GCJ='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+      hardcode_libdir_flag_spec_GCJ='-L$libdir'
+      hardcode_shlibpath_var_GCJ=no
+      ;;
+
+    freebsd1*)
+      ld_shlibs_GCJ=no
+      ;;
+
+    # FreeBSD 2.2.[012] allows us to include c++rt0.o to get C++ constructor
+    # support.  Future versions do this automatically, but an explicit c++rt0.o
+    # does not break anything, and helps significantly (at the cost of a little
+    # extra space).
+    freebsd2.2*)
+      archive_cmds_GCJ='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags /usr/lib/c++rt0.o'
+      hardcode_libdir_flag_spec_GCJ='-R$libdir'
+      hardcode_direct_GCJ=yes
+      hardcode_shlibpath_var_GCJ=no
+      ;;
+
+    # Unfortunately, older versions of FreeBSD 2 do not have this feature.
+    freebsd2*)
+      archive_cmds_GCJ='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'
+      hardcode_direct_GCJ=yes
+      hardcode_minus_L_GCJ=yes
+      hardcode_shlibpath_var_GCJ=no
+      ;;
+
+    # FreeBSD 3 and greater uses gcc -shared to do shared libraries.
+    freebsd* | dragonfly*)
+      archive_cmds_GCJ='$CC -shared -o $lib $libobjs $deplibs $compiler_flags'
+      hardcode_libdir_flag_spec_GCJ='-R$libdir'
+      hardcode_direct_GCJ=yes
+      hardcode_shlibpath_var_GCJ=no
+      ;;
+
+    hpux9*)
+      if test "$GCC" = yes; then
+	archive_cmds_GCJ='$rm $output_objdir/$soname~$CC -shared -fPIC ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $libobjs $deplibs $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
+      else
+	archive_cmds_GCJ='$rm $output_objdir/$soname~$LD -b +b $install_libdir -o $output_objdir/$soname $libobjs $deplibs $linker_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
+      fi
+      hardcode_libdir_flag_spec_GCJ='${wl}+b ${wl}$libdir'
+      hardcode_libdir_separator_GCJ=:
+      hardcode_direct_GCJ=yes
+
+      # hardcode_minus_L: Not really in the search PATH,
+      # but as the default location of the library.
+      hardcode_minus_L_GCJ=yes
+      export_dynamic_flag_spec_GCJ='${wl}-E'
+      ;;
+
+    hpux10*)
+      if test "$GCC" = yes -a "$with_gnu_ld" = no; then
+	archive_cmds_GCJ='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
+      else
+	archive_cmds_GCJ='$LD -b +h $soname +b $install_libdir -o $lib $libobjs $deplibs $linker_flags'
+      fi
+      if test "$with_gnu_ld" = no; then
+	hardcode_libdir_flag_spec_GCJ='${wl}+b ${wl}$libdir'
+	hardcode_libdir_separator_GCJ=:
+
+	hardcode_direct_GCJ=yes
+	export_dynamic_flag_spec_GCJ='${wl}-E'
+
+	# hardcode_minus_L: Not really in the search PATH,
+	# but as the default location of the library.
+	hardcode_minus_L_GCJ=yes
+      fi
+      ;;
+
+    hpux11*)
+      if test "$GCC" = yes -a "$with_gnu_ld" = no; then
+	case $host_cpu in
+	hppa*64*)
+	  archive_cmds_GCJ='$CC -shared ${wl}+h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
+	  ;;
+	ia64*)
+	  archive_cmds_GCJ='$CC -shared ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags'
+	  ;;
+	*)
+	  archive_cmds_GCJ='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
+	  ;;
+	esac
+      else
+	case $host_cpu in
+	hppa*64*)
+	  archive_cmds_GCJ='$CC -b ${wl}+h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
+	  ;;
+	ia64*)
+	  archive_cmds_GCJ='$CC -b ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags'
+	  ;;
+	*)
+	  archive_cmds_GCJ='$CC -b ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
+	  ;;
+	esac
+      fi
+      if test "$with_gnu_ld" = no; then
+	hardcode_libdir_flag_spec_GCJ='${wl}+b ${wl}$libdir'
+	hardcode_libdir_separator_GCJ=:
+
+	case $host_cpu in
+	hppa*64*|ia64*)
+	  hardcode_libdir_flag_spec_ld_GCJ='+b $libdir'
+	  hardcode_direct_GCJ=no
+	  hardcode_shlibpath_var_GCJ=no
+	  ;;
+	*)
+	  hardcode_direct_GCJ=yes
+	  export_dynamic_flag_spec_GCJ='${wl}-E'
+
+	  # hardcode_minus_L: Not really in the search PATH,
+	  # but as the default location of the library.
+	  hardcode_minus_L_GCJ=yes
+	  ;;
+	esac
+      fi
+      ;;
+
+    irix5* | irix6* | nonstopux*)
+      if test "$GCC" = yes; then
+	archive_cmds_GCJ='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+      else
+	archive_cmds_GCJ='$LD -shared $libobjs $deplibs $linker_flags -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
+	hardcode_libdir_flag_spec_ld_GCJ='-rpath $libdir'
+      fi
+      hardcode_libdir_flag_spec_GCJ='${wl}-rpath ${wl}$libdir'
+      hardcode_libdir_separator_GCJ=:
+      link_all_deplibs_GCJ=yes
+      ;;
+
+    netbsd* | netbsdelf*-gnu)
+      if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
+	archive_cmds_GCJ='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'  # a.out
+      else
+	archive_cmds_GCJ='$LD -shared -o $lib $libobjs $deplibs $linker_flags'      # ELF
+      fi
+      hardcode_libdir_flag_spec_GCJ='-R$libdir'
+      hardcode_direct_GCJ=yes
+      hardcode_shlibpath_var_GCJ=no
+      ;;
+
+    newsos6)
+      archive_cmds_GCJ='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+      hardcode_direct_GCJ=yes
+      hardcode_libdir_flag_spec_GCJ='${wl}-rpath ${wl}$libdir'
+      hardcode_libdir_separator_GCJ=:
+      hardcode_shlibpath_var_GCJ=no
+      ;;
+
+    openbsd*)
+      if test -f /usr/libexec/ld.so; then
+	hardcode_direct_GCJ=yes
+	hardcode_shlibpath_var_GCJ=no
+	if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
+	  archive_cmds_GCJ='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
+	  archive_expsym_cmds_GCJ='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-retain-symbols-file,$export_symbols'
+	  hardcode_libdir_flag_spec_GCJ='${wl}-rpath,$libdir'
+	  export_dynamic_flag_spec_GCJ='${wl}-E'
+	else
+	  case $host_os in
+	   openbsd[01].* | openbsd2.[0-7] | openbsd2.[0-7].*)
+	     archive_cmds_GCJ='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'
+	     hardcode_libdir_flag_spec_GCJ='-R$libdir'
+	     ;;
+	   *)
+	     archive_cmds_GCJ='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
+	     hardcode_libdir_flag_spec_GCJ='${wl}-rpath,$libdir'
+	     ;;
+	  esac
+        fi
+      else
+	ld_shlibs_GCJ=no
+      fi
+      ;;
+
+    os2*)
+      hardcode_libdir_flag_spec_GCJ='-L$libdir'
+      hardcode_minus_L_GCJ=yes
+      allow_undefined_flag_GCJ=unsupported
+      archive_cmds_GCJ='$echo "LIBRARY $libname INITINSTANCE" > $output_objdir/$libname.def~$echo "DESCRIPTION \"$libname\"" >> $output_objdir/$libname.def~$echo DATA >> $output_objdir/$libname.def~$echo " SINGLE NONSHARED" >> $output_objdir/$libname.def~$echo EXPORTS >> $output_objdir/$libname.def~emxexp $libobjs >> $output_objdir/$libname.def~$CC -Zdll -Zcrtdll -o $lib $libobjs $deplibs $compiler_flags $output_objdir/$libname.def'
+      old_archive_From_new_cmds_GCJ='emximp -o $output_objdir/$libname.a $output_objdir/$libname.def'
+      ;;
+
+    osf3*)
+      if test "$GCC" = yes; then
+	allow_undefined_flag_GCJ=' ${wl}-expect_unresolved ${wl}\*'
+	archive_cmds_GCJ='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+      else
+	allow_undefined_flag_GCJ=' -expect_unresolved \*'
+	archive_cmds_GCJ='$LD -shared${allow_undefined_flag} $libobjs $deplibs $linker_flags -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
+      fi
+      hardcode_libdir_flag_spec_GCJ='${wl}-rpath ${wl}$libdir'
+      hardcode_libdir_separator_GCJ=:
+      ;;
+
+    osf4* | osf5*)	# as osf3* with the addition of -msym flag
+      if test "$GCC" = yes; then
+	allow_undefined_flag_GCJ=' ${wl}-expect_unresolved ${wl}\*'
+	archive_cmds_GCJ='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-msym ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+	hardcode_libdir_flag_spec_GCJ='${wl}-rpath ${wl}$libdir'
+      else
+	allow_undefined_flag_GCJ=' -expect_unresolved \*'
+	archive_cmds_GCJ='$LD -shared${allow_undefined_flag} $libobjs $deplibs $linker_flags -msym -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
+	archive_expsym_cmds_GCJ='for i in `cat $export_symbols`; do printf "%s %s\\n" -exported_symbol "\$i" >> $lib.exp; done; echo "-hidden">> $lib.exp~
+	$LD -shared${allow_undefined_flag} -input $lib.exp $linker_flags $libobjs $deplibs -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib~$rm $lib.exp'
+
+	# Both c and cxx compiler support -rpath directly
+	hardcode_libdir_flag_spec_GCJ='-rpath $libdir'
+      fi
+      hardcode_libdir_separator_GCJ=:
+      ;;
+
+    solaris*)
+      no_undefined_flag_GCJ=' -z text'
+      if test "$GCC" = yes; then
+	wlarc='${wl}'
+	archive_cmds_GCJ='$CC -shared ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
+	archive_expsym_cmds_GCJ='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
+	  $CC -shared ${wl}-M ${wl}$lib.exp ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags~$rm $lib.exp'
+      else
+	wlarc=''
+	archive_cmds_GCJ='$LD -G${allow_undefined_flag} -h $soname -o $lib $libobjs $deplibs $linker_flags'
+	archive_expsym_cmds_GCJ='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
+  	$LD -G${allow_undefined_flag} -M $lib.exp -h $soname -o $lib $libobjs $deplibs $linker_flags~$rm $lib.exp'
+      fi
+      hardcode_libdir_flag_spec_GCJ='-R$libdir'
+      hardcode_shlibpath_var_GCJ=no
+      case $host_os in
+      solaris2.[0-5] | solaris2.[0-5].*) ;;
+      *)
+	# The compiler driver will combine and reorder linker options,
+	# but understands `-z linker_flag'.  GCC discards it without `$wl',
+	# but is careful enough not to reorder.
+ 	# Supported since Solaris 2.6 (maybe 2.5.1?)
+	if test "$GCC" = yes; then
+	  whole_archive_flag_spec_GCJ='${wl}-z ${wl}allextract$convenience ${wl}-z ${wl}defaultextract'
+	else
+	  whole_archive_flag_spec_GCJ='-z allextract$convenience -z defaultextract'
+	fi
+	;;
+      esac
+      link_all_deplibs_GCJ=yes
+      ;;
+
+    sunos4*)
+      if test "x$host_vendor" = xsequent; then
+	# Use $CC to link under sequent, because it throws in some extra .o
+	# files that make .init and .fini sections work.
+	archive_cmds_GCJ='$CC -G ${wl}-h $soname -o $lib $libobjs $deplibs $compiler_flags'
+      else
+	archive_cmds_GCJ='$LD -assert pure-text -Bstatic -o $lib $libobjs $deplibs $linker_flags'
+      fi
+      hardcode_libdir_flag_spec_GCJ='-L$libdir'
+      hardcode_direct_GCJ=yes
+      hardcode_minus_L_GCJ=yes
+      hardcode_shlibpath_var_GCJ=no
+      ;;
+
+    sysv4)
+      case $host_vendor in
+	sni)
+	  archive_cmds_GCJ='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+	  hardcode_direct_GCJ=yes # is this really true???
+	;;
+	siemens)
+	  ## LD is ld it makes a PLAMLIB
+	  ## CC just makes a GrossModule.
+	  archive_cmds_GCJ='$LD -G -o $lib $libobjs $deplibs $linker_flags'
+	  reload_cmds_GCJ='$CC -r -o $output$reload_objs'
+	  hardcode_direct_GCJ=no
+        ;;
+	motorola)
+	  archive_cmds_GCJ='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+	  hardcode_direct_GCJ=no #Motorola manual says yes, but my tests say they lie
+	;;
+      esac
+      runpath_var='LD_RUN_PATH'
+      hardcode_shlibpath_var_GCJ=no
+      ;;
+
+    sysv4.3*)
+      archive_cmds_GCJ='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+      hardcode_shlibpath_var_GCJ=no
+      export_dynamic_flag_spec_GCJ='-Bexport'
+      ;;
+
+    sysv4*MP*)
+      if test -d /usr/nec; then
+	archive_cmds_GCJ='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+	hardcode_shlibpath_var_GCJ=no
+	runpath_var=LD_RUN_PATH
+	hardcode_runpath_var=yes
+	ld_shlibs_GCJ=yes
+      fi
+      ;;
+
+    sysv4*uw2* | sysv5OpenUNIX* | sysv5UnixWare7.[01].[10]* | unixware7* | sco3.2v5.0.[024]*)
+      no_undefined_flag_GCJ='${wl}-z,text'
+      archive_cmds_need_lc_GCJ=no
+      hardcode_shlibpath_var_GCJ=no
+      runpath_var='LD_RUN_PATH'
+
+      if test "$GCC" = yes; then
+	archive_cmds_GCJ='$CC -shared ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+	archive_expsym_cmds_GCJ='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+      else
+	archive_cmds_GCJ='$CC -G ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+	archive_expsym_cmds_GCJ='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+      fi
+      ;;
+
+    sysv5* | sco3.2v5* | sco5v6*)
+      # Note: We can NOT use -z defs as we might desire, because we do not
+      # link with -lc, and that would cause any symbols used from libc to
+      # always be unresolved, which means just about no library would
+      # ever link correctly.  If we're not using GNU ld we use -z text
+      # though, which does catch some bad symbols but isn't as heavy-handed
+      # as -z defs.
+      no_undefined_flag_GCJ='${wl}-z,text'
+      allow_undefined_flag_GCJ='${wl}-z,nodefs'
+      archive_cmds_need_lc_GCJ=no
+      hardcode_shlibpath_var_GCJ=no
+      hardcode_libdir_flag_spec_GCJ='`test -z "$SCOABSPATH" && echo ${wl}-R,$libdir`'
+      hardcode_libdir_separator_GCJ=':'
+      link_all_deplibs_GCJ=yes
+      export_dynamic_flag_spec_GCJ='${wl}-Bexport'
+      runpath_var='LD_RUN_PATH'
+
+      if test "$GCC" = yes; then
+	archive_cmds_GCJ='$CC -shared ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
+	archive_expsym_cmds_GCJ='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
+      else
+	archive_cmds_GCJ='$CC -G ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
+	archive_expsym_cmds_GCJ='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
+      fi
+      ;;
+
+    uts4*)
+      archive_cmds_GCJ='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+      hardcode_libdir_flag_spec_GCJ='-L$libdir'
+      hardcode_shlibpath_var_GCJ=no
+      ;;
+
+    *)
+      ld_shlibs_GCJ=no
+      ;;
+    esac
+  fi
+
+{ echo "$as_me:$LINENO: result: $ld_shlibs_GCJ" >&5
+echo "${ECHO_T}$ld_shlibs_GCJ" >&6; }
+test "$ld_shlibs_GCJ" = no && can_build_shared=no
+
+#
+# Do we need to explicitly link libc?
+#
+case "x$archive_cmds_need_lc_GCJ" in
+x|xyes)
+  # Assume -lc should be added
+  archive_cmds_need_lc_GCJ=yes
+
+  if test "$enable_shared" = yes && test "$GCC" = yes; then
+    case $archive_cmds_GCJ in
+    *'~'*)
+      # FIXME: we may have to deal with multi-command sequences.
+      ;;
+    '$CC '*)
+      # Test whether the compiler implicitly links with -lc since on some
+      # systems, -lgcc has to come before -lc. If gcc already passes -lc
+      # to ld, don't add -lc before -lgcc.
+      { echo "$as_me:$LINENO: checking whether -lc should be explicitly linked in" >&5
+echo $ECHO_N "checking whether -lc should be explicitly linked in... $ECHO_C" >&6; }
+      $rm conftest*
+      echo "$lt_simple_compile_test_code" > conftest.$ac_ext
+
+      if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } 2>conftest.err; then
+        soname=conftest
+        lib=conftest
+        libobjs=conftest.$ac_objext
+        deplibs=
+        wl=$lt_prog_compiler_wl_GCJ
+	pic_flag=$lt_prog_compiler_pic_GCJ
+        compiler_flags=-v
+        linker_flags=-v
+        verstring=
+        output_objdir=.
+        libname=conftest
+        lt_save_allow_undefined_flag=$allow_undefined_flag_GCJ
+        allow_undefined_flag_GCJ=
+        if { (eval echo "$as_me:$LINENO: \"$archive_cmds_GCJ 2\>\&1 \| grep \" -lc \" \>/dev/null 2\>\&1\"") >&5
+  (eval $archive_cmds_GCJ 2\>\&1 \| grep \" -lc \" \>/dev/null 2\>\&1) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }
+        then
+	  archive_cmds_need_lc_GCJ=no
+        else
+	  archive_cmds_need_lc_GCJ=yes
+        fi
+        allow_undefined_flag_GCJ=$lt_save_allow_undefined_flag
+      else
+        cat conftest.err 1>&5
+      fi
+      $rm conftest*
+      { echo "$as_me:$LINENO: result: $archive_cmds_need_lc_GCJ" >&5
+echo "${ECHO_T}$archive_cmds_need_lc_GCJ" >&6; }
+      ;;
+    esac
+  fi
+  ;;
+esac
+
+{ echo "$as_me:$LINENO: checking dynamic linker characteristics" >&5
+echo $ECHO_N "checking dynamic linker characteristics... $ECHO_C" >&6; }
+library_names_spec=
+libname_spec='lib$name'
+soname_spec=
+shrext_cmds=".so"
+postinstall_cmds=
+postuninstall_cmds=
+finish_cmds=
+finish_eval=
+shlibpath_var=
+shlibpath_overrides_runpath=unknown
+version_type=none
+dynamic_linker="$host_os ld.so"
+sys_lib_dlsearch_path_spec="/lib /usr/lib"
+
+need_lib_prefix=unknown
+hardcode_into_libs=no
+
+# when you set need_version to no, make sure it does not cause -set_version
+# flags to be left without arguments
+need_version=unknown
+
+case $host_os in
+aix3*)
+  version_type=linux
+  library_names_spec='${libname}${release}${shared_ext}$versuffix $libname.a'
+  shlibpath_var=LIBPATH
+
+  # AIX 3 has no versioning support, so we append a major version to the name.
+  soname_spec='${libname}${release}${shared_ext}$major'
+  ;;
+
+aix[4-9]*)
+  version_type=linux
+  need_lib_prefix=no
+  need_version=no
+  hardcode_into_libs=yes
+  if test "$host_cpu" = ia64; then
+    # AIX 5 supports IA64
+    library_names_spec='${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext}$versuffix $libname${shared_ext}'
+    shlibpath_var=LD_LIBRARY_PATH
+  else
+    # With GCC up to 2.95.x, collect2 would create an import file
+    # for dependence libraries.  The import file would start with
+    # the line `#! .'.  This would cause the generated library to
+    # depend on `.', always an invalid library.  This was fixed in
+    # development snapshots of GCC prior to 3.0.
+    case $host_os in
+      aix4 | aix4.[01] | aix4.[01].*)
+      if { echo '#if __GNUC__ > 2 || (__GNUC__ == 2 && __GNUC_MINOR__ >= 97)'
+	   echo ' yes '
+	   echo '#endif'; } | ${CC} -E - | grep yes > /dev/null; then
+	:
+      else
+	can_build_shared=no
+      fi
+      ;;
+    esac
+    # AIX (on Power*) has no versioning support, so currently we can not hardcode correct
+    # soname into executable. Probably we can add versioning support to
+    # collect2, so additional links can be useful in future.
+    if test "$aix_use_runtimelinking" = yes; then
+      # If using run time linking (on AIX 4.2 or later) use lib<name>.so
+      # instead of lib<name>.a to let people know that these are not
+      # typical AIX shared libraries.
+      library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+    else
+      # We preserve .a as extension for shared libraries through AIX4.2
+      # and later when we are not doing run time linking.
+      library_names_spec='${libname}${release}.a $libname.a'
+      soname_spec='${libname}${release}${shared_ext}$major'
+    fi
+    shlibpath_var=LIBPATH
+  fi
+  ;;
+
+amigaos*)
+  library_names_spec='$libname.ixlibrary $libname.a'
+  # Create ${libname}_ixlibrary.a entries in /sys/libs.
+  finish_eval='for lib in `ls $libdir/*.ixlibrary 2>/dev/null`; do libname=`$echo "X$lib" | $Xsed -e '\''s%^.*/\([^/]*\)\.ixlibrary$%\1%'\''`; test $rm /sys/libs/${libname}_ixlibrary.a; $show "cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a"; cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a || exit 1; done'
+  ;;
+
+beos*)
+  library_names_spec='${libname}${shared_ext}'
+  dynamic_linker="$host_os ld.so"
+  shlibpath_var=LIBRARY_PATH
+  ;;
+
+bsdi[45]*)
+  version_type=linux
+  need_version=no
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  finish_cmds='PATH="\$PATH:/sbin" ldconfig $libdir'
+  shlibpath_var=LD_LIBRARY_PATH
+  sys_lib_search_path_spec="/shlib /usr/lib /usr/X11/lib /usr/contrib/lib /lib /usr/local/lib"
+  sys_lib_dlsearch_path_spec="/shlib /usr/lib /usr/local/lib"
+  # the default ld.so.conf also contains /usr/contrib/lib and
+  # /usr/X11R6/lib (/usr/X11 is a link to /usr/X11R6), but let us allow
+  # libtool to hard-code these into programs
+  ;;
+
+cygwin* | mingw* | pw32*)
+  version_type=windows
+  shrext_cmds=".dll"
+  need_version=no
+  need_lib_prefix=no
+
+  case $GCC,$host_os in
+  yes,cygwin* | yes,mingw* | yes,pw32*)
+    library_names_spec='$libname.dll.a'
+    # DLL is installed to $(libdir)/../bin by postinstall_cmds
+    postinstall_cmds='base_file=`basename \${file}`~
+      dlpath=`$SHELL 2>&1 -c '\''. $dir/'\''\${base_file}'\''i;echo \$dlname'\''`~
+      dldir=$destdir/`dirname \$dlpath`~
+      test -d \$dldir || mkdir -p \$dldir~
+      $install_prog $dir/$dlname \$dldir/$dlname~
+      chmod a+x \$dldir/$dlname'
+    postuninstall_cmds='dldll=`$SHELL 2>&1 -c '\''. $file; echo \$dlname'\''`~
+      dlpath=$dir/\$dldll~
+       $rm \$dlpath'
+    shlibpath_overrides_runpath=yes
+
+    case $host_os in
+    cygwin*)
+      # Cygwin DLLs use 'cyg' prefix rather than 'lib'
+      soname_spec='`echo ${libname} | sed -e 's/^lib/cyg/'``echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}'
+      sys_lib_search_path_spec="/usr/lib /lib/w32api /lib /usr/local/lib"
+      ;;
+    mingw*)
+      # MinGW DLLs use traditional 'lib' prefix
+      soname_spec='${libname}`echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}'
+      sys_lib_search_path_spec=`$CC -print-search-dirs | grep "^libraries:" | $SED -e "s/^libraries://" -e "s,=/,/,g"`
+      if echo "$sys_lib_search_path_spec" | grep ';[c-zC-Z]:/' >/dev/null; then
+        # It is most probably a Windows format PATH printed by
+        # mingw gcc, but we are running on Cygwin. Gcc prints its search
+        # path with ; separators, and with drive letters. We can handle the
+        # drive letters (cygwin fileutils understands them), so leave them,
+        # especially as we might pass files found there to a mingw objdump,
+        # which wouldn't understand a cygwinified path. Ahh.
+        sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'`
+      else
+        sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED  -e "s/$PATH_SEPARATOR/ /g"`
+      fi
+      ;;
+    pw32*)
+      # pw32 DLLs use 'pw' prefix rather than 'lib'
+      library_names_spec='`echo ${libname} | sed -e 's/^lib/pw/'``echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}'
+      ;;
+    esac
+    ;;
+
+  *)
+    library_names_spec='${libname}`echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext} $libname.lib'
+    ;;
+  esac
+  dynamic_linker='Win32 ld.exe'
+  # FIXME: first we should search . and the directory the executable is in
+  shlibpath_var=PATH
+  ;;
+
+darwin* | rhapsody*)
+  dynamic_linker="$host_os dyld"
+  version_type=darwin
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='${libname}${release}${versuffix}$shared_ext ${libname}${release}${major}$shared_ext ${libname}$shared_ext'
+  soname_spec='${libname}${release}${major}$shared_ext'
+  shlibpath_overrides_runpath=yes
+  shlibpath_var=DYLD_LIBRARY_PATH
+  shrext_cmds='`test .$module = .yes && echo .so || echo .dylib`'
+
+  sys_lib_dlsearch_path_spec='/usr/local/lib /lib /usr/lib'
+  ;;
+
+dgux*)
+  version_type=linux
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname$shared_ext'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  shlibpath_var=LD_LIBRARY_PATH
+  ;;
+
+freebsd1*)
+  dynamic_linker=no
+  ;;
+
+freebsd* | dragonfly*)
+  # DragonFly does not have aout.  When/if they implement a new
+  # versioning mechanism, adjust this.
+  if test -x /usr/bin/objformat; then
+    objformat=`/usr/bin/objformat`
+  else
+    case $host_os in
+    freebsd[123]*) objformat=aout ;;
+    *) objformat=elf ;;
+    esac
+  fi
+  version_type=freebsd-$objformat
+  case $version_type in
+    freebsd-elf*)
+      library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext} $libname${shared_ext}'
+      need_version=no
+      need_lib_prefix=no
+      ;;
+    freebsd-*)
+      library_names_spec='${libname}${release}${shared_ext}$versuffix $libname${shared_ext}$versuffix'
+      need_version=yes
+      ;;
+  esac
+  shlibpath_var=LD_LIBRARY_PATH
+  case $host_os in
+  freebsd2*)
+    shlibpath_overrides_runpath=yes
+    ;;
+  freebsd3.[01]* | freebsdelf3.[01]*)
+    shlibpath_overrides_runpath=yes
+    hardcode_into_libs=yes
+    ;;
+  freebsd3.[2-9]* | freebsdelf3.[2-9]* | \
+  freebsd4.[0-5] | freebsdelf4.[0-5] | freebsd4.1.1 | freebsdelf4.1.1)
+    shlibpath_overrides_runpath=no
+    hardcode_into_libs=yes
+    ;;
+  *) # from 4.6 on, and DragonFly
+    shlibpath_overrides_runpath=yes
+    hardcode_into_libs=yes
+    ;;
+  esac
+  ;;
+
+gnu*)
+  version_type=linux
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}${major} ${libname}${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  shlibpath_var=LD_LIBRARY_PATH
+  hardcode_into_libs=yes
+  ;;
+
+hpux9* | hpux10* | hpux11*)
+  # Give a soname corresponding to the major version so that dld.sl refuses to
+  # link against other versions.
+  version_type=sunos
+  need_lib_prefix=no
+  need_version=no
+  case $host_cpu in
+  ia64*)
+    shrext_cmds='.so'
+    hardcode_into_libs=yes
+    dynamic_linker="$host_os dld.so"
+    shlibpath_var=LD_LIBRARY_PATH
+    shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
+    library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+    soname_spec='${libname}${release}${shared_ext}$major'
+    if test "X$HPUX_IA64_MODE" = X32; then
+      sys_lib_search_path_spec="/usr/lib/hpux32 /usr/local/lib/hpux32 /usr/local/lib"
+    else
+      sys_lib_search_path_spec="/usr/lib/hpux64 /usr/local/lib/hpux64"
+    fi
+    sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
+    ;;
+   hppa*64*)
+     shrext_cmds='.sl'
+     hardcode_into_libs=yes
+     dynamic_linker="$host_os dld.sl"
+     shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH
+     shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
+     library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+     soname_spec='${libname}${release}${shared_ext}$major'
+     sys_lib_search_path_spec="/usr/lib/pa20_64 /usr/ccs/lib/pa20_64"
+     sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
+     ;;
+   *)
+    shrext_cmds='.sl'
+    dynamic_linker="$host_os dld.sl"
+    shlibpath_var=SHLIB_PATH
+    shlibpath_overrides_runpath=no # +s is required to enable SHLIB_PATH
+    library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+    soname_spec='${libname}${release}${shared_ext}$major'
+    ;;
+  esac
+  # HP-UX runs *really* slowly unless shared libraries are mode 555.
+  postinstall_cmds='chmod 555 $lib'
+  ;;
+
+interix[3-9]*)
+  version_type=linux
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  dynamic_linker='Interix 3.x ld.so.1 (PE, like ELF)'
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=no
+  hardcode_into_libs=yes
+  ;;
+
+irix5* | irix6* | nonstopux*)
+  case $host_os in
+    nonstopux*) version_type=nonstopux ;;
+    *)
+	if test "$lt_cv_prog_gnu_ld" = yes; then
+		version_type=linux
+	else
+		version_type=irix
+	fi ;;
+  esac
+  need_lib_prefix=no
+  need_version=no
+  soname_spec='${libname}${release}${shared_ext}$major'
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext} $libname${shared_ext}'
+  case $host_os in
+  irix5* | nonstopux*)
+    libsuff= shlibsuff=
+    ;;
+  *)
+    case $LD in # libtool.m4 will add one of these switches to LD
+    *-32|*"-32 "|*-melf32bsmip|*"-melf32bsmip ")
+      libsuff= shlibsuff= libmagic=32-bit;;
+    *-n32|*"-n32 "|*-melf32bmipn32|*"-melf32bmipn32 ")
+      libsuff=32 shlibsuff=N32 libmagic=N32;;
+    *-64|*"-64 "|*-melf64bmip|*"-melf64bmip ")
+      libsuff=64 shlibsuff=64 libmagic=64-bit;;
+    *) libsuff= shlibsuff= libmagic=never-match;;
+    esac
+    ;;
+  esac
+  shlibpath_var=LD_LIBRARY${shlibsuff}_PATH
+  shlibpath_overrides_runpath=no
+  sys_lib_search_path_spec="/usr/lib${libsuff} /lib${libsuff} /usr/local/lib${libsuff}"
+  sys_lib_dlsearch_path_spec="/usr/lib${libsuff} /lib${libsuff}"
+  hardcode_into_libs=yes
+  ;;
+
+# No shared lib support for Linux oldld, aout, or coff.
+linux*oldld* | linux*aout* | linux*coff*)
+  dynamic_linker=no
+  ;;
+
+# This must be Linux ELF.
+linux* | k*bsd*-gnu)
+  version_type=linux
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  finish_cmds='PATH="\$PATH:/sbin" ldconfig -n $libdir'
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=no
+  # This implies no fast_install, which is unacceptable.
+  # Some rework will be needed to allow for fast_install
+  # before this can be enabled.
+  hardcode_into_libs=yes
+
+  # Append ld.so.conf contents to the search path
+  if test -f /etc/ld.so.conf; then
+    lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ 	]*hwcap[ 	]/d;s/[:,	]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;/^$/d' | tr '\n' ' '`
+    sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
+  fi
+
+  # We used to test for /lib/ld.so.1 and disable shared libraries on
+  # powerpc, because MkLinux only supported shared libraries with the
+  # GNU dynamic linker.  Since this was broken with cross compilers,
+  # most powerpc-linux boxes support dynamic linking these days and
+  # people can always --disable-shared, the test was removed, and we
+  # assume the GNU/Linux dynamic linker is in use.
+  dynamic_linker='GNU/Linux ld.so'
+  ;;
+
+netbsdelf*-gnu)
+  version_type=linux
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=no
+  hardcode_into_libs=yes
+  dynamic_linker='NetBSD ld.elf_so'
+  ;;
+
+netbsd*)
+  version_type=sunos
+  need_lib_prefix=no
+  need_version=no
+  if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
+    library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
+    finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
+    dynamic_linker='NetBSD (a.out) ld.so'
+  else
+    library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
+    soname_spec='${libname}${release}${shared_ext}$major'
+    dynamic_linker='NetBSD ld.elf_so'
+  fi
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=yes
+  hardcode_into_libs=yes
+  ;;
+
+newsos6)
+  version_type=linux
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=yes
+  ;;
+
+nto-qnx*)
+  version_type=linux
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=yes
+  ;;
+
+openbsd*)
+  version_type=sunos
+  sys_lib_dlsearch_path_spec="/usr/lib"
+  need_lib_prefix=no
+  # Some older versions of OpenBSD (3.3 at least) *do* need versioned libs.
+  case $host_os in
+    openbsd3.3 | openbsd3.3.*) need_version=yes ;;
+    *)                         need_version=no  ;;
+  esac
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
+  finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
+  shlibpath_var=LD_LIBRARY_PATH
+  if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
+    case $host_os in
+      openbsd2.[89] | openbsd2.[89].*)
+	shlibpath_overrides_runpath=no
+	;;
+      *)
+	shlibpath_overrides_runpath=yes
+	;;
+      esac
+  else
+    shlibpath_overrides_runpath=yes
+  fi
+  ;;
+
+os2*)
+  libname_spec='$name'
+  shrext_cmds=".dll"
+  need_lib_prefix=no
+  library_names_spec='$libname${shared_ext} $libname.a'
+  dynamic_linker='OS/2 ld.exe'
+  shlibpath_var=LIBPATH
+  ;;
+
+osf3* | osf4* | osf5*)
+  version_type=osf
+  need_lib_prefix=no
+  need_version=no
+  soname_spec='${libname}${release}${shared_ext}$major'
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+  shlibpath_var=LD_LIBRARY_PATH
+  sys_lib_search_path_spec="/usr/shlib /usr/ccs/lib /usr/lib/cmplrs/cc /usr/lib /usr/local/lib /var/shlib"
+  sys_lib_dlsearch_path_spec="$sys_lib_search_path_spec"
+  ;;
+
+rdos*)
+  dynamic_linker=no
+  ;;
+
+solaris*)
+  version_type=linux
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=yes
+  hardcode_into_libs=yes
+  # ldd complains unless libraries are executable
+  postinstall_cmds='chmod +x $lib'
+  ;;
+
+sunos4*)
+  version_type=sunos
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
+  finish_cmds='PATH="\$PATH:/usr/etc" ldconfig $libdir'
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=yes
+  if test "$with_gnu_ld" = yes; then
+    need_lib_prefix=no
+  fi
+  need_version=yes
+  ;;
+
+sysv4 | sysv4.3*)
+  version_type=linux
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  shlibpath_var=LD_LIBRARY_PATH
+  case $host_vendor in
+    sni)
+      shlibpath_overrides_runpath=no
+      need_lib_prefix=no
+      export_dynamic_flag_spec='${wl}-Blargedynsym'
+      runpath_var=LD_RUN_PATH
+      ;;
+    siemens)
+      need_lib_prefix=no
+      ;;
+    motorola)
+      need_lib_prefix=no
+      need_version=no
+      shlibpath_overrides_runpath=no
+      sys_lib_search_path_spec='/lib /usr/lib /usr/ccs/lib'
+      ;;
+  esac
+  ;;
+
+sysv4*MP*)
+  if test -d /usr/nec ;then
+    version_type=linux
+    library_names_spec='$libname${shared_ext}.$versuffix $libname${shared_ext}.$major $libname${shared_ext}'
+    soname_spec='$libname${shared_ext}.$major'
+    shlibpath_var=LD_LIBRARY_PATH
+  fi
+  ;;
+
+sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX* | sysv4*uw2*)
+  version_type=freebsd-elf
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext} $libname${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  shlibpath_var=LD_LIBRARY_PATH
+  hardcode_into_libs=yes
+  if test "$with_gnu_ld" = yes; then
+    sys_lib_search_path_spec='/usr/local/lib /usr/gnu/lib /usr/ccs/lib /usr/lib /lib'
+    shlibpath_overrides_runpath=no
+  else
+    sys_lib_search_path_spec='/usr/ccs/lib /usr/lib'
+    shlibpath_overrides_runpath=yes
+    case $host_os in
+      sco3.2v5*)
+        sys_lib_search_path_spec="$sys_lib_search_path_spec /lib"
+	;;
+    esac
+  fi
+  sys_lib_dlsearch_path_spec='/usr/lib'
+  ;;
+
+uts4*)
+  version_type=linux
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  shlibpath_var=LD_LIBRARY_PATH
+  ;;
+
+*)
+  dynamic_linker=no
+  ;;
+esac
+{ echo "$as_me:$LINENO: result: $dynamic_linker" >&5
+echo "${ECHO_T}$dynamic_linker" >&6; }
+test "$dynamic_linker" = no && can_build_shared=no
+
+if test "${lt_cv_sys_lib_search_path_spec+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  lt_cv_sys_lib_search_path_spec="$sys_lib_search_path_spec"
+fi
+
+sys_lib_search_path_spec="$lt_cv_sys_lib_search_path_spec"
+if test "${lt_cv_sys_lib_dlsearch_path_spec+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  lt_cv_sys_lib_dlsearch_path_spec="$sys_lib_dlsearch_path_spec"
+fi
+
+sys_lib_dlsearch_path_spec="$lt_cv_sys_lib_dlsearch_path_spec"
+
+variables_saved_for_relink="PATH $shlibpath_var $runpath_var"
+if test "$GCC" = yes; then
+  variables_saved_for_relink="$variables_saved_for_relink GCC_EXEC_PREFIX COMPILER_PATH LIBRARY_PATH"
+fi
+
+{ echo "$as_me:$LINENO: checking how to hardcode library paths into programs" >&5
+echo $ECHO_N "checking how to hardcode library paths into programs... $ECHO_C" >&6; }
+hardcode_action_GCJ=
+if test -n "$hardcode_libdir_flag_spec_GCJ" || \
+   test -n "$runpath_var_GCJ" || \
+   test "X$hardcode_automatic_GCJ" = "Xyes" ; then
+
+  # We can hardcode non-existant directories.
+  if test "$hardcode_direct_GCJ" != no &&
+     # If the only mechanism to avoid hardcoding is shlibpath_var, we
+     # have to relink, otherwise we might link with an installed library
+     # when we should be linking with a yet-to-be-installed one
+     ## test "$_LT_AC_TAGVAR(hardcode_shlibpath_var, GCJ)" != no &&
+     test "$hardcode_minus_L_GCJ" != no; then
+    # Linking always hardcodes the temporary library directory.
+    hardcode_action_GCJ=relink
+  else
+    # We can link without hardcoding, and we can hardcode nonexisting dirs.
+    hardcode_action_GCJ=immediate
+  fi
+else
+  # We cannot hardcode anything, or else we can only hardcode existing
+  # directories.
+  hardcode_action_GCJ=unsupported
+fi
+{ echo "$as_me:$LINENO: result: $hardcode_action_GCJ" >&5
+echo "${ECHO_T}$hardcode_action_GCJ" >&6; }
+
+if test "$hardcode_action_GCJ" = relink; then
+  # Fast installation is not supported
+  enable_fast_install=no
+elif test "$shlibpath_overrides_runpath" = yes ||
+     test "$enable_shared" = no; then
+  # Fast installation is not necessary
+  enable_fast_install=needless
+fi
+
+
+# The else clause should only fire when bootstrapping the
+# libtool distribution, otherwise you forgot to ship ltmain.sh
+# with your package, and you will get complaints that there are
+# no rules to generate ltmain.sh.
+if test -f "$ltmain"; then
+  # See if we are running on zsh, and set the options which allow our commands through
+  # without removal of \ escapes.
+  if test -n "${ZSH_VERSION+set}" ; then
+    setopt NO_GLOB_SUBST
+  fi
+  # Now quote all the things that may contain metacharacters while being
+  # careful not to overquote the AC_SUBSTed values.  We take copies of the
+  # variables and quote the copies for generation of the libtool script.
+  for var in echo old_CC old_CFLAGS AR AR_FLAGS EGREP RANLIB LN_S LTCC LTCFLAGS NM \
+    SED SHELL STRIP \
+    libname_spec library_names_spec soname_spec extract_expsyms_cmds \
+    old_striplib striplib file_magic_cmd finish_cmds finish_eval \
+    deplibs_check_method reload_flag reload_cmds need_locks \
+    lt_cv_sys_global_symbol_pipe lt_cv_sys_global_symbol_to_cdecl \
+    lt_cv_sys_global_symbol_to_c_name_address \
+    sys_lib_search_path_spec sys_lib_dlsearch_path_spec \
+    old_postinstall_cmds old_postuninstall_cmds \
+    compiler_GCJ \
+    CC_GCJ \
+    LD_GCJ \
+    lt_prog_compiler_wl_GCJ \
+    lt_prog_compiler_pic_GCJ \
+    lt_prog_compiler_static_GCJ \
+    lt_prog_compiler_no_builtin_flag_GCJ \
+    export_dynamic_flag_spec_GCJ \
+    thread_safe_flag_spec_GCJ \
+    whole_archive_flag_spec_GCJ \
+    enable_shared_with_static_runtimes_GCJ \
+    old_archive_cmds_GCJ \
+    old_archive_from_new_cmds_GCJ \
+    predep_objects_GCJ \
+    postdep_objects_GCJ \
+    predeps_GCJ \
+    postdeps_GCJ \
+    compiler_lib_search_path_GCJ \
+    compiler_lib_search_dirs_GCJ \
+    archive_cmds_GCJ \
+    archive_expsym_cmds_GCJ \
+    postinstall_cmds_GCJ \
+    postuninstall_cmds_GCJ \
+    old_archive_from_expsyms_cmds_GCJ \
+    allow_undefined_flag_GCJ \
+    no_undefined_flag_GCJ \
+    export_symbols_cmds_GCJ \
+    hardcode_libdir_flag_spec_GCJ \
+    hardcode_libdir_flag_spec_ld_GCJ \
+    hardcode_libdir_separator_GCJ \
+    hardcode_automatic_GCJ \
+    module_cmds_GCJ \
+    module_expsym_cmds_GCJ \
+    lt_cv_prog_compiler_c_o_GCJ \
+    fix_srcfile_path_GCJ \
+    exclude_expsyms_GCJ \
+    include_expsyms_GCJ; do
+
+    case $var in
+    old_archive_cmds_GCJ | \
+    old_archive_from_new_cmds_GCJ | \
+    archive_cmds_GCJ | \
+    archive_expsym_cmds_GCJ | \
+    module_cmds_GCJ | \
+    module_expsym_cmds_GCJ | \
+    old_archive_from_expsyms_cmds_GCJ | \
+    export_symbols_cmds_GCJ | \
+    extract_expsyms_cmds | reload_cmds | finish_cmds | \
+    postinstall_cmds | postuninstall_cmds | \
+    old_postinstall_cmds | old_postuninstall_cmds | \
+    sys_lib_search_path_spec | sys_lib_dlsearch_path_spec)
+      # Double-quote double-evaled strings.
+      eval "lt_$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$double_quote_subst\" -e \"\$sed_quote_subst\" -e \"\$delay_variable_subst\"\`\\\""
+      ;;
+    *)
+      eval "lt_$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$sed_quote_subst\"\`\\\""
+      ;;
+    esac
+  done
+
+  case $lt_echo in
+  *'\$0 --fallback-echo"')
+    lt_echo=`$echo "X$lt_echo" | $Xsed -e 's/\\\\\\\$0 --fallback-echo"$/$0 --fallback-echo"/'`
+    ;;
+  esac
+
+cfgfile="$ofile"
+
+  cat <<__EOF__ >> "$cfgfile"
+# ### BEGIN LIBTOOL TAG CONFIG: $tagname
+
+# Libtool was configured on host `(hostname || uname -n) 2>/dev/null | sed 1q`:
+
+# Shell to use when invoking shell scripts.
+SHELL=$lt_SHELL
+
+# Whether or not to build shared libraries.
+build_libtool_libs=$enable_shared
+
+# Whether or not to build static libraries.
+build_old_libs=$enable_static
+
+# Whether or not to add -lc for building shared libraries.
+build_libtool_need_lc=$archive_cmds_need_lc_GCJ
+
+# Whether or not to disallow shared libs when runtime libs are static
+allow_libtool_libs_with_static_runtimes=$enable_shared_with_static_runtimes_GCJ
+
+# Whether or not to optimize for fast installation.
+fast_install=$enable_fast_install
+
+# The host system.
+host_alias=$host_alias
+host=$host
+host_os=$host_os
+
+# The build system.
+build_alias=$build_alias
+build=$build
+build_os=$build_os
+
+# An echo program that does not interpret backslashes.
+echo=$lt_echo
+
+# The archiver.
+AR=$lt_AR
+AR_FLAGS=$lt_AR_FLAGS
+
+# A C compiler.
+LTCC=$lt_LTCC
+
+# LTCC compiler flags.
+LTCFLAGS=$lt_LTCFLAGS
+
+# A language-specific compiler.
+CC=$lt_compiler_GCJ
+
+# Is the compiler the GNU C compiler?
+with_gcc=$GCC_GCJ
+
+# An ERE matcher.
+EGREP=$lt_EGREP
+
+# The linker used to build libraries.
+LD=$lt_LD_GCJ
+
+# Whether we need hard or soft links.
+LN_S=$lt_LN_S
+
+# A BSD-compatible nm program.
+NM=$lt_NM
+
+# A symbol stripping program
+STRIP=$lt_STRIP
+
+# Used to examine libraries when file_magic_cmd begins "file"
+MAGIC_CMD=$MAGIC_CMD
+
+# Used on cygwin: DLL creation program.
+DLLTOOL="$DLLTOOL"
+
+# Used on cygwin: object dumper.
+OBJDUMP="$OBJDUMP"
+
+# Used on cygwin: assembler.
+AS="$AS"
+
+# The name of the directory that contains temporary libtool files.
+objdir=$objdir
+
+# How to create reloadable object files.
+reload_flag=$lt_reload_flag
+reload_cmds=$lt_reload_cmds
+
+# How to pass a linker flag through the compiler.
+wl=$lt_lt_prog_compiler_wl_GCJ
+
+# Object file suffix (normally "o").
+objext="$ac_objext"
+
+# Old archive suffix (normally "a").
+libext="$libext"
+
+# Shared library suffix (normally ".so").
+shrext_cmds='$shrext_cmds'
+
+# Executable file suffix (normally "").
+exeext="$exeext"
+
+# Additional compiler flags for building library objects.
+pic_flag=$lt_lt_prog_compiler_pic_GCJ
+pic_mode=$pic_mode
+
+# What is the maximum length of a command?
+max_cmd_len=$lt_cv_sys_max_cmd_len
+
+# Does compiler simultaneously support -c and -o options?
+compiler_c_o=$lt_lt_cv_prog_compiler_c_o_GCJ
+
+# Must we lock files when doing compilation?
+need_locks=$lt_need_locks
+
+# Do we need the lib prefix for modules?
+need_lib_prefix=$need_lib_prefix
+
+# Do we need a version for libraries?
+need_version=$need_version
+
+# Whether dlopen is supported.
+dlopen_support=$enable_dlopen
+
+# Whether dlopen of programs is supported.
+dlopen_self=$enable_dlopen_self
+
+# Whether dlopen of statically linked programs is supported.
+dlopen_self_static=$enable_dlopen_self_static
+
+# Compiler flag to prevent dynamic linking.
+link_static_flag=$lt_lt_prog_compiler_static_GCJ
+
+# Compiler flag to turn off builtin functions.
+no_builtin_flag=$lt_lt_prog_compiler_no_builtin_flag_GCJ
+
+# Compiler flag to allow reflexive dlopens.
+export_dynamic_flag_spec=$lt_export_dynamic_flag_spec_GCJ
+
+# Compiler flag to generate shared objects directly from archives.
+whole_archive_flag_spec=$lt_whole_archive_flag_spec_GCJ
+
+# Compiler flag to generate thread-safe objects.
+thread_safe_flag_spec=$lt_thread_safe_flag_spec_GCJ
+
+# Library versioning type.
+version_type=$version_type
+
+# Format of library name prefix.
+libname_spec=$lt_libname_spec
+
+# List of archive names.  First name is the real one, the rest are links.
+# The last name is the one that the linker finds with -lNAME.
+library_names_spec=$lt_library_names_spec
+
+# The coded name of the library, if different from the real name.
+soname_spec=$lt_soname_spec
+
+# Commands used to build and install an old-style archive.
+RANLIB=$lt_RANLIB
+old_archive_cmds=$lt_old_archive_cmds_GCJ
+old_postinstall_cmds=$lt_old_postinstall_cmds
+old_postuninstall_cmds=$lt_old_postuninstall_cmds
+
+# Create an old-style archive from a shared archive.
+old_archive_from_new_cmds=$lt_old_archive_from_new_cmds_GCJ
+
+# Create a temporary old-style archive to link instead of a shared archive.
+old_archive_from_expsyms_cmds=$lt_old_archive_from_expsyms_cmds_GCJ
+
+# Commands used to build and install a shared archive.
+archive_cmds=$lt_archive_cmds_GCJ
+archive_expsym_cmds=$lt_archive_expsym_cmds_GCJ
+postinstall_cmds=$lt_postinstall_cmds
+postuninstall_cmds=$lt_postuninstall_cmds
+
+# Commands used to build a loadable module (assumed same as above if empty)
+module_cmds=$lt_module_cmds_GCJ
+module_expsym_cmds=$lt_module_expsym_cmds_GCJ
+
+# Commands to strip libraries.
+old_striplib=$lt_old_striplib
+striplib=$lt_striplib
+
+# Dependencies to place before the objects being linked to create a
+# shared library.
+predep_objects=$lt_predep_objects_GCJ
+
+# Dependencies to place after the objects being linked to create a
+# shared library.
+postdep_objects=$lt_postdep_objects_GCJ
+
+# Dependencies to place before the objects being linked to create a
+# shared library.
+predeps=$lt_predeps_GCJ
+
+# Dependencies to place after the objects being linked to create a
+# shared library.
+postdeps=$lt_postdeps_GCJ
+
+# The directories searched by this compiler when creating a shared
+# library
+compiler_lib_search_dirs=$lt_compiler_lib_search_dirs_GCJ
+
+# The library search path used internally by the compiler when linking
+# a shared library.
+compiler_lib_search_path=$lt_compiler_lib_search_path_GCJ
+
+# Method to check whether dependent libraries are shared objects.
+deplibs_check_method=$lt_deplibs_check_method
+
+# Command to use when deplibs_check_method == file_magic.
+file_magic_cmd=$lt_file_magic_cmd
+
+# Flag that allows shared libraries with undefined symbols to be built.
+allow_undefined_flag=$lt_allow_undefined_flag_GCJ
+
+# Flag that forces no undefined symbols.
+no_undefined_flag=$lt_no_undefined_flag_GCJ
+
+# Commands used to finish a libtool library installation in a directory.
+finish_cmds=$lt_finish_cmds
+
+# Same as above, but a single script fragment to be evaled but not shown.
+finish_eval=$lt_finish_eval
+
+# Take the output of nm and produce a listing of raw symbols and C names.
+global_symbol_pipe=$lt_lt_cv_sys_global_symbol_pipe
+
+# Transform the output of nm in a proper C declaration
+global_symbol_to_cdecl=$lt_lt_cv_sys_global_symbol_to_cdecl
+
+# Transform the output of nm in a C name address pair
+global_symbol_to_c_name_address=$lt_lt_cv_sys_global_symbol_to_c_name_address
+
+# This is the shared library runtime path variable.
+runpath_var=$runpath_var
+
+# This is the shared library path variable.
+shlibpath_var=$shlibpath_var
+
+# Is shlibpath searched before the hard-coded library search path?
+shlibpath_overrides_runpath=$shlibpath_overrides_runpath
+
+# How to hardcode a shared library path into an executable.
+hardcode_action=$hardcode_action_GCJ
+
+# Whether we should hardcode library paths into libraries.
+hardcode_into_libs=$hardcode_into_libs
+
+# Flag to hardcode \$libdir into a binary during linking.
+# This must work even if \$libdir does not exist.
+hardcode_libdir_flag_spec=$lt_hardcode_libdir_flag_spec_GCJ
+
+# If ld is used when linking, flag to hardcode \$libdir into
+# a binary during linking. This must work even if \$libdir does
+# not exist.
+hardcode_libdir_flag_spec_ld=$lt_hardcode_libdir_flag_spec_ld_GCJ
+
+# Whether we need a single -rpath flag with a separated argument.
+hardcode_libdir_separator=$lt_hardcode_libdir_separator_GCJ
+
+# Set to yes if using DIR/libNAME${shared_ext} during linking hardcodes DIR into the
+# resulting binary.
+hardcode_direct=$hardcode_direct_GCJ
+
+# Set to yes if using the -LDIR flag during linking hardcodes DIR into the
+# resulting binary.
+hardcode_minus_L=$hardcode_minus_L_GCJ
+
+# Set to yes if using SHLIBPATH_VAR=DIR during linking hardcodes DIR into
+# the resulting binary.
+hardcode_shlibpath_var=$hardcode_shlibpath_var_GCJ
+
+# Set to yes if building a shared library automatically hardcodes DIR into the library
+# and all subsequent libraries and executables linked against it.
+hardcode_automatic=$hardcode_automatic_GCJ
+
+# Variables whose values should be saved in libtool wrapper scripts and
+# restored at relink time.
+variables_saved_for_relink="$variables_saved_for_relink"
+
+# Whether libtool must link a program against all its dependency libraries.
+link_all_deplibs=$link_all_deplibs_GCJ
+
+# Compile-time system search path for libraries
+sys_lib_search_path_spec=$lt_sys_lib_search_path_spec
+
+# Run-time system search path for libraries
+sys_lib_dlsearch_path_spec=$lt_sys_lib_dlsearch_path_spec
+
+# Fix the shell variable \$srcfile for the compiler.
+fix_srcfile_path=$lt_fix_srcfile_path
+
+# Set to yes if exported symbols are required.
+always_export_symbols=$always_export_symbols_GCJ
+
+# The commands to list exported symbols.
+export_symbols_cmds=$lt_export_symbols_cmds_GCJ
+
+# The commands to extract the exported symbol list from a shared archive.
+extract_expsyms_cmds=$lt_extract_expsyms_cmds
+
+# Symbols that should not be listed in the preloaded symbols.
+exclude_expsyms=$lt_exclude_expsyms_GCJ
+
+# Symbols that must always be exported.
+include_expsyms=$lt_include_expsyms_GCJ
+
+# ### END LIBTOOL TAG CONFIG: $tagname
+
+__EOF__
+
+
+else
+  # If there is no Makefile yet, we rely on a make rule to execute
+  # `config.status --recheck' to rerun these tests and create the
+  # libtool script then.
+  ltmain_in=`echo $ltmain | sed -e 's/\.sh$/.in/'`
+  if test -f "$ltmain_in"; then
+    test -f Makefile && make "$ltmain"
+  fi
+fi
+
+
+ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+
+CC="$lt_save_CC"
+
+	else
+	  tagname=""
+	fi
+	;;
+
+      RC)
+
+
+# Source file extension for RC test sources.
+ac_ext=rc
+
+# Object file extension for compiled RC test sources.
+objext=o
+objext_RC=$objext
+
+# Code to be used in simple compile tests
+lt_simple_compile_test_code='sample MENU { MENUITEM "&Soup", 100, CHECKED }'
+
+# Code to be used in simple link tests
+lt_simple_link_test_code="$lt_simple_compile_test_code"
+
+# ltmain only uses $CC for tagged configurations so make sure $CC is set.
+
+# If no C compiler was specified, use CC.
+LTCC=${LTCC-"$CC"}
+
+# If no C compiler flags were specified, use CFLAGS.
+LTCFLAGS=${LTCFLAGS-"$CFLAGS"}
+
+# Allow CC to be a program name with arguments.
+compiler=$CC
+
+
+# save warnings/boilerplate of simple test code
+ac_outfile=conftest.$ac_objext
+echo "$lt_simple_compile_test_code" >conftest.$ac_ext
+eval "$ac_compile" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err
+_lt_compiler_boilerplate=`cat conftest.err`
+$rm conftest*
+
+ac_outfile=conftest.$ac_objext
+echo "$lt_simple_link_test_code" >conftest.$ac_ext
+eval "$ac_link" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err
+_lt_linker_boilerplate=`cat conftest.err`
+$rm -r conftest*
+
+
+# Allow CC to be a program name with arguments.
+lt_save_CC="$CC"
+CC=${RC-"windres"}
+compiler=$CC
+compiler_RC=$CC
+for cc_temp in $compiler""; do
+  case $cc_temp in
+    compile | *[\\/]compile | ccache | *[\\/]ccache ) ;;
+    distcc | *[\\/]distcc | purify | *[\\/]purify ) ;;
+    \-*) ;;
+    *) break;;
+  esac
+done
+cc_basename=`$echo "X$cc_temp" | $Xsed -e 's%.*/%%' -e "s%^$host_alias-%%"`
+
+lt_cv_prog_compiler_c_o_RC=yes
+
+# The else clause should only fire when bootstrapping the
+# libtool distribution, otherwise you forgot to ship ltmain.sh
+# with your package, and you will get complaints that there are
+# no rules to generate ltmain.sh.
+if test -f "$ltmain"; then
+  # See if we are running on zsh, and set the options which allow our commands through
+  # without removal of \ escapes.
+  if test -n "${ZSH_VERSION+set}" ; then
+    setopt NO_GLOB_SUBST
+  fi
+  # Now quote all the things that may contain metacharacters while being
+  # careful not to overquote the AC_SUBSTed values.  We take copies of the
+  # variables and quote the copies for generation of the libtool script.
+  for var in echo old_CC old_CFLAGS AR AR_FLAGS EGREP RANLIB LN_S LTCC LTCFLAGS NM \
+    SED SHELL STRIP \
+    libname_spec library_names_spec soname_spec extract_expsyms_cmds \
+    old_striplib striplib file_magic_cmd finish_cmds finish_eval \
+    deplibs_check_method reload_flag reload_cmds need_locks \
+    lt_cv_sys_global_symbol_pipe lt_cv_sys_global_symbol_to_cdecl \
+    lt_cv_sys_global_symbol_to_c_name_address \
+    sys_lib_search_path_spec sys_lib_dlsearch_path_spec \
+    old_postinstall_cmds old_postuninstall_cmds \
+    compiler_RC \
+    CC_RC \
+    LD_RC \
+    lt_prog_compiler_wl_RC \
+    lt_prog_compiler_pic_RC \
+    lt_prog_compiler_static_RC \
+    lt_prog_compiler_no_builtin_flag_RC \
+    export_dynamic_flag_spec_RC \
+    thread_safe_flag_spec_RC \
+    whole_archive_flag_spec_RC \
+    enable_shared_with_static_runtimes_RC \
+    old_archive_cmds_RC \
+    old_archive_from_new_cmds_RC \
+    predep_objects_RC \
+    postdep_objects_RC \
+    predeps_RC \
+    postdeps_RC \
+    compiler_lib_search_path_RC \
+    compiler_lib_search_dirs_RC \
+    archive_cmds_RC \
+    archive_expsym_cmds_RC \
+    postinstall_cmds_RC \
+    postuninstall_cmds_RC \
+    old_archive_from_expsyms_cmds_RC \
+    allow_undefined_flag_RC \
+    no_undefined_flag_RC \
+    export_symbols_cmds_RC \
+    hardcode_libdir_flag_spec_RC \
+    hardcode_libdir_flag_spec_ld_RC \
+    hardcode_libdir_separator_RC \
+    hardcode_automatic_RC \
+    module_cmds_RC \
+    module_expsym_cmds_RC \
+    lt_cv_prog_compiler_c_o_RC \
+    fix_srcfile_path_RC \
+    exclude_expsyms_RC \
+    include_expsyms_RC; do
+
+    case $var in
+    old_archive_cmds_RC | \
+    old_archive_from_new_cmds_RC | \
+    archive_cmds_RC | \
+    archive_expsym_cmds_RC | \
+    module_cmds_RC | \
+    module_expsym_cmds_RC | \
+    old_archive_from_expsyms_cmds_RC | \
+    export_symbols_cmds_RC | \
+    extract_expsyms_cmds | reload_cmds | finish_cmds | \
+    postinstall_cmds | postuninstall_cmds | \
+    old_postinstall_cmds | old_postuninstall_cmds | \
+    sys_lib_search_path_spec | sys_lib_dlsearch_path_spec)
+      # Double-quote double-evaled strings.
+      eval "lt_$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$double_quote_subst\" -e \"\$sed_quote_subst\" -e \"\$delay_variable_subst\"\`\\\""
+      ;;
+    *)
+      eval "lt_$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$sed_quote_subst\"\`\\\""
+      ;;
+    esac
+  done
+
+  case $lt_echo in
+  *'\$0 --fallback-echo"')
+    lt_echo=`$echo "X$lt_echo" | $Xsed -e 's/\\\\\\\$0 --fallback-echo"$/$0 --fallback-echo"/'`
+    ;;
+  esac
+
+cfgfile="$ofile"
+
+  cat <<__EOF__ >> "$cfgfile"
+# ### BEGIN LIBTOOL TAG CONFIG: $tagname
+
+# Libtool was configured on host `(hostname || uname -n) 2>/dev/null | sed 1q`:
+
+# Shell to use when invoking shell scripts.
+SHELL=$lt_SHELL
+
+# Whether or not to build shared libraries.
+build_libtool_libs=$enable_shared
+
+# Whether or not to build static libraries.
+build_old_libs=$enable_static
+
+# Whether or not to add -lc for building shared libraries.
+build_libtool_need_lc=$archive_cmds_need_lc_RC
+
+# Whether or not to disallow shared libs when runtime libs are static
+allow_libtool_libs_with_static_runtimes=$enable_shared_with_static_runtimes_RC
+
+# Whether or not to optimize for fast installation.
+fast_install=$enable_fast_install
+
+# The host system.
+host_alias=$host_alias
+host=$host
+host_os=$host_os
+
+# The build system.
+build_alias=$build_alias
+build=$build
+build_os=$build_os
+
+# An echo program that does not interpret backslashes.
+echo=$lt_echo
+
+# The archiver.
+AR=$lt_AR
+AR_FLAGS=$lt_AR_FLAGS
+
+# A C compiler.
+LTCC=$lt_LTCC
+
+# LTCC compiler flags.
+LTCFLAGS=$lt_LTCFLAGS
+
+# A language-specific compiler.
+CC=$lt_compiler_RC
+
+# Is the compiler the GNU C compiler?
+with_gcc=$GCC_RC
+
+# An ERE matcher.
+EGREP=$lt_EGREP
+
+# The linker used to build libraries.
+LD=$lt_LD_RC
+
+# Whether we need hard or soft links.
+LN_S=$lt_LN_S
+
+# A BSD-compatible nm program.
+NM=$lt_NM
+
+# A symbol stripping program
+STRIP=$lt_STRIP
+
+# Used to examine libraries when file_magic_cmd begins "file"
+MAGIC_CMD=$MAGIC_CMD
+
+# Used on cygwin: DLL creation program.
+DLLTOOL="$DLLTOOL"
+
+# Used on cygwin: object dumper.
+OBJDUMP="$OBJDUMP"
+
+# Used on cygwin: assembler.
+AS="$AS"
+
+# The name of the directory that contains temporary libtool files.
+objdir=$objdir
+
+# How to create reloadable object files.
+reload_flag=$lt_reload_flag
+reload_cmds=$lt_reload_cmds
+
+# How to pass a linker flag through the compiler.
+wl=$lt_lt_prog_compiler_wl_RC
+
+# Object file suffix (normally "o").
+objext="$ac_objext"
+
+# Old archive suffix (normally "a").
+libext="$libext"
+
+# Shared library suffix (normally ".so").
+shrext_cmds='$shrext_cmds'
+
+# Executable file suffix (normally "").
+exeext="$exeext"
+
+# Additional compiler flags for building library objects.
+pic_flag=$lt_lt_prog_compiler_pic_RC
+pic_mode=$pic_mode
+
+# What is the maximum length of a command?
+max_cmd_len=$lt_cv_sys_max_cmd_len
+
+# Does compiler simultaneously support -c and -o options?
+compiler_c_o=$lt_lt_cv_prog_compiler_c_o_RC
+
+# Must we lock files when doing compilation?
+need_locks=$lt_need_locks
+
+# Do we need the lib prefix for modules?
+need_lib_prefix=$need_lib_prefix
+
+# Do we need a version for libraries?
+need_version=$need_version
+
+# Whether dlopen is supported.
+dlopen_support=$enable_dlopen
+
+# Whether dlopen of programs is supported.
+dlopen_self=$enable_dlopen_self
+
+# Whether dlopen of statically linked programs is supported.
+dlopen_self_static=$enable_dlopen_self_static
+
+# Compiler flag to prevent dynamic linking.
+link_static_flag=$lt_lt_prog_compiler_static_RC
+
+# Compiler flag to turn off builtin functions.
+no_builtin_flag=$lt_lt_prog_compiler_no_builtin_flag_RC
+
+# Compiler flag to allow reflexive dlopens.
+export_dynamic_flag_spec=$lt_export_dynamic_flag_spec_RC
+
+# Compiler flag to generate shared objects directly from archives.
+whole_archive_flag_spec=$lt_whole_archive_flag_spec_RC
+
+# Compiler flag to generate thread-safe objects.
+thread_safe_flag_spec=$lt_thread_safe_flag_spec_RC
+
+# Library versioning type.
+version_type=$version_type
+
+# Format of library name prefix.
+libname_spec=$lt_libname_spec
+
+# List of archive names.  First name is the real one, the rest are links.
+# The last name is the one that the linker finds with -lNAME.
+library_names_spec=$lt_library_names_spec
+
+# The coded name of the library, if different from the real name.
+soname_spec=$lt_soname_spec
+
+# Commands used to build and install an old-style archive.
+RANLIB=$lt_RANLIB
+old_archive_cmds=$lt_old_archive_cmds_RC
+old_postinstall_cmds=$lt_old_postinstall_cmds
+old_postuninstall_cmds=$lt_old_postuninstall_cmds
+
+# Create an old-style archive from a shared archive.
+old_archive_from_new_cmds=$lt_old_archive_from_new_cmds_RC
+
+# Create a temporary old-style archive to link instead of a shared archive.
+old_archive_from_expsyms_cmds=$lt_old_archive_from_expsyms_cmds_RC
+
+# Commands used to build and install a shared archive.
+archive_cmds=$lt_archive_cmds_RC
+archive_expsym_cmds=$lt_archive_expsym_cmds_RC
+postinstall_cmds=$lt_postinstall_cmds
+postuninstall_cmds=$lt_postuninstall_cmds
+
+# Commands used to build a loadable module (assumed same as above if empty)
+module_cmds=$lt_module_cmds_RC
+module_expsym_cmds=$lt_module_expsym_cmds_RC
+
+# Commands to strip libraries.
+old_striplib=$lt_old_striplib
+striplib=$lt_striplib
+
+# Dependencies to place before the objects being linked to create a
+# shared library.
+predep_objects=$lt_predep_objects_RC
+
+# Dependencies to place after the objects being linked to create a
+# shared library.
+postdep_objects=$lt_postdep_objects_RC
+
+# Dependencies to place before the objects being linked to create a
+# shared library.
+predeps=$lt_predeps_RC
+
+# Dependencies to place after the objects being linked to create a
+# shared library.
+postdeps=$lt_postdeps_RC
+
+# The directories searched by this compiler when creating a shared
+# library
+compiler_lib_search_dirs=$lt_compiler_lib_search_dirs_RC
+
+# The library search path used internally by the compiler when linking
+# a shared library.
+compiler_lib_search_path=$lt_compiler_lib_search_path_RC
+
+# Method to check whether dependent libraries are shared objects.
+deplibs_check_method=$lt_deplibs_check_method
+
+# Command to use when deplibs_check_method == file_magic.
+file_magic_cmd=$lt_file_magic_cmd
+
+# Flag that allows shared libraries with undefined symbols to be built.
+allow_undefined_flag=$lt_allow_undefined_flag_RC
+
+# Flag that forces no undefined symbols.
+no_undefined_flag=$lt_no_undefined_flag_RC
+
+# Commands used to finish a libtool library installation in a directory.
+finish_cmds=$lt_finish_cmds
+
+# Same as above, but a single script fragment to be evaled but not shown.
+finish_eval=$lt_finish_eval
+
+# Take the output of nm and produce a listing of raw symbols and C names.
+global_symbol_pipe=$lt_lt_cv_sys_global_symbol_pipe
+
+# Transform the output of nm in a proper C declaration
+global_symbol_to_cdecl=$lt_lt_cv_sys_global_symbol_to_cdecl
+
+# Transform the output of nm in a C name address pair
+global_symbol_to_c_name_address=$lt_lt_cv_sys_global_symbol_to_c_name_address
+
+# This is the shared library runtime path variable.
+runpath_var=$runpath_var
+
+# This is the shared library path variable.
+shlibpath_var=$shlibpath_var
+
+# Is shlibpath searched before the hard-coded library search path?
+shlibpath_overrides_runpath=$shlibpath_overrides_runpath
+
+# How to hardcode a shared library path into an executable.
+hardcode_action=$hardcode_action_RC
+
+# Whether we should hardcode library paths into libraries.
+hardcode_into_libs=$hardcode_into_libs
+
+# Flag to hardcode \$libdir into a binary during linking.
+# This must work even if \$libdir does not exist.
+hardcode_libdir_flag_spec=$lt_hardcode_libdir_flag_spec_RC
+
+# If ld is used when linking, flag to hardcode \$libdir into
+# a binary during linking. This must work even if \$libdir does
+# not exist.
+hardcode_libdir_flag_spec_ld=$lt_hardcode_libdir_flag_spec_ld_RC
+
+# Whether we need a single -rpath flag with a separated argument.
+hardcode_libdir_separator=$lt_hardcode_libdir_separator_RC
+
+# Set to yes if using DIR/libNAME${shared_ext} during linking hardcodes DIR into the
+# resulting binary.
+hardcode_direct=$hardcode_direct_RC
+
+# Set to yes if using the -LDIR flag during linking hardcodes DIR into the
+# resulting binary.
+hardcode_minus_L=$hardcode_minus_L_RC
+
+# Set to yes if using SHLIBPATH_VAR=DIR during linking hardcodes DIR into
+# the resulting binary.
+hardcode_shlibpath_var=$hardcode_shlibpath_var_RC
+
+# Set to yes if building a shared library automatically hardcodes DIR into the library
+# and all subsequent libraries and executables linked against it.
+hardcode_automatic=$hardcode_automatic_RC
+
+# Variables whose values should be saved in libtool wrapper scripts and
+# restored at relink time.
+variables_saved_for_relink="$variables_saved_for_relink"
+
+# Whether libtool must link a program against all its dependency libraries.
+link_all_deplibs=$link_all_deplibs_RC
+
+# Compile-time system search path for libraries
+sys_lib_search_path_spec=$lt_sys_lib_search_path_spec
+
+# Run-time system search path for libraries
+sys_lib_dlsearch_path_spec=$lt_sys_lib_dlsearch_path_spec
+
+# Fix the shell variable \$srcfile for the compiler.
+fix_srcfile_path=$lt_fix_srcfile_path
+
+# Set to yes if exported symbols are required.
+always_export_symbols=$always_export_symbols_RC
+
+# The commands to list exported symbols.
+export_symbols_cmds=$lt_export_symbols_cmds_RC
+
+# The commands to extract the exported symbol list from a shared archive.
+extract_expsyms_cmds=$lt_extract_expsyms_cmds
+
+# Symbols that should not be listed in the preloaded symbols.
+exclude_expsyms=$lt_exclude_expsyms_RC
+
+# Symbols that must always be exported.
+include_expsyms=$lt_include_expsyms_RC
+
+# ### END LIBTOOL TAG CONFIG: $tagname
+
+__EOF__
+
+
+else
+  # If there is no Makefile yet, we rely on a make rule to execute
+  # `config.status --recheck' to rerun these tests and create the
+  # libtool script then.
+  ltmain_in=`echo $ltmain | sed -e 's/\.sh$/.in/'`
+  if test -f "$ltmain_in"; then
+    test -f Makefile && make "$ltmain"
+  fi
+fi
+
+
+ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+
+CC="$lt_save_CC"
+
+	;;
+
+      *)
+	{ { echo "$as_me:$LINENO: error: Unsupported tag name: $tagname" >&5
+echo "$as_me: error: Unsupported tag name: $tagname" >&2;}
+   { (exit 1); exit 1; }; }
+	;;
+      esac
+
+      # Append the new tag name to the list of available tags.
+      if test -n "$tagname" ; then
+      available_tags="$available_tags $tagname"
+    fi
+    fi
+  done
+  IFS="$lt_save_ifs"
+
+  # Now substitute the updated list of available tags.
+  if eval "sed -e 's/^available_tags=.*\$/available_tags=\"$available_tags\"/' \"$ofile\" > \"${ofile}T\""; then
+    mv "${ofile}T" "$ofile"
+    chmod +x "$ofile"
+  else
+    rm -f "${ofile}T"
+    { { echo "$as_me:$LINENO: error: unable to update list of available tagged configurations." >&5
+echo "$as_me: error: unable to update list of available tagged configurations." >&2;}
+   { (exit 1); exit 1; }; }
+  fi
+fi
+
+
+
+# This can be used to rebuild libtool when needed
+LIBTOOL_DEPS="$ac_aux_dir/ltmain.sh"
+
+# Always use our own libtool.
+LIBTOOL='$(SHELL) $(top_builddir)/libtool'
+
+# Prevent multiple expansion
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+{ echo "$as_me:$LINENO: checking for ANSI C header files" >&5
+echo $ECHO_N "checking for ANSI C header files... $ECHO_C" >&6; }
+if test "${ac_cv_header_stdc+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+#include <stdlib.h>
+#include <stdarg.h>
+#include <string.h>
+#include <float.h>
+
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  ac_cv_header_stdc=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	ac_cv_header_stdc=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+
+if test $ac_cv_header_stdc = yes; then
+  # SunOS 4.x string.h does not declare mem*, contrary to ANSI.
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+#include <string.h>
+
+_ACEOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  $EGREP "memchr" >/dev/null 2>&1; then
+  :
+else
+  ac_cv_header_stdc=no
+fi
+rm -f conftest*
+
+fi
+
+if test $ac_cv_header_stdc = yes; then
+  # ISC 2.0.2 stdlib.h does not declare free, contrary to ANSI.
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+#include <stdlib.h>
+
+_ACEOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  $EGREP "free" >/dev/null 2>&1; then
+  :
+else
+  ac_cv_header_stdc=no
+fi
+rm -f conftest*
+
+fi
+
+if test $ac_cv_header_stdc = yes; then
+  # /bin/cc in Irix-4.0.5 gets non-ANSI ctype macros unless using -ansi.
+  if test "$cross_compiling" = yes; then
+  :
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+#include <ctype.h>
+#include <stdlib.h>
+#if ((' ' & 0x0FF) == 0x020)
+# define ISLOWER(c) ('a' <= (c) && (c) <= 'z')
+# define TOUPPER(c) (ISLOWER(c) ? 'A' + ((c) - 'a') : (c))
+#else
+# define ISLOWER(c) \
+		   (('a' <= (c) && (c) <= 'i') \
+		     || ('j' <= (c) && (c) <= 'r') \
+		     || ('s' <= (c) && (c) <= 'z'))
+# define TOUPPER(c) (ISLOWER(c) ? ((c) | 0x40) : (c))
+#endif
+
+#define XOR(e, f) (((e) && !(f)) || (!(e) && (f)))
+int
+main ()
+{
+  int i;
+  for (i = 0; i < 256; i++)
+    if (XOR (islower (i), ISLOWER (i))
+	|| toupper (i) != TOUPPER (i))
+      return 2;
+  return 0;
+}
+_ACEOF
+rm -f conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
+  { (case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_try") 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; }; then
+  :
+else
+  echo "$as_me: program exited with status $ac_status" >&5
+echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+( exit $ac_status )
+ac_cv_header_stdc=no
+fi
+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
+fi
+
+
+fi
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_header_stdc" >&5
+echo "${ECHO_T}$ac_cv_header_stdc" >&6; }
+if test $ac_cv_header_stdc = yes; then
+
+cat >>confdefs.h <<\_ACEOF
+#define STDC_HEADERS 1
+_ACEOF
+
+fi
+
+
+
+
+
+
+
+for ac_header in fcntl.h paths.h sys/ioctl.h sys/time.h syslog.h unistd.h
+do
+as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+  { echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+fi
+ac_res=`eval echo '${'$as_ac_Header'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
+else
+  # Is the header compilable?
+{ echo "$as_me:$LINENO: checking $ac_header usability" >&5
+echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6; }
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+$ac_includes_default
+#include <$ac_header>
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  ac_header_compiler=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	ac_header_compiler=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
+echo "${ECHO_T}$ac_header_compiler" >&6; }
+
+# Is the header present?
+{ echo "$as_me:$LINENO: checking $ac_header presence" >&5
+echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6; }
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+#include <$ac_header>
+_ACEOF
+if { (ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } >/dev/null && {
+	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       }; then
+  ac_header_preproc=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+  ac_header_preproc=no
+fi
+
+rm -f conftest.err conftest.$ac_ext
+{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
+echo "${ECHO_T}$ac_header_preproc" >&6; }
+
+# So?  What about this header?
+case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
+  yes:no: )
+    { echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5
+echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the compiler's result" >&5
+echo "$as_me: WARNING: $ac_header: proceeding with the compiler's result" >&2;}
+    ac_header_preproc=yes
+    ;;
+  no:yes:* )
+    { echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5
+echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header:     check for missing prerequisite headers?" >&5
+echo "$as_me: WARNING: $ac_header:     check for missing prerequisite headers?" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: see the Autoconf documentation" >&5
+echo "$as_me: WARNING: $ac_header: see the Autoconf documentation" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\"" >&5
+echo "$as_me: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\"" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5
+echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5
+echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;}
+    ( cat <<\_ASBOX
+## ------------------------------------ ##
+## Report this to martin@strongswan.org ##
+## ------------------------------------ ##
+_ASBOX
+     ) | sed "s/^/$as_me: WARNING:     /" >&2
+    ;;
+esac
+{ echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  eval "$as_ac_Header=\$ac_header_preproc"
+fi
+ac_res=`eval echo '${'$as_ac_Header'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
+
+fi
+if test `eval echo '${'$as_ac_Header'}'` = yes; then
+  cat >>confdefs.h <<_ACEOF
+#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
+_ACEOF
+
+fi
+
+done
+
+
+{ echo "$as_me:$LINENO: checking for mode_t" >&5
+echo $ECHO_N "checking for mode_t... $ECHO_C" >&6; }
+if test "${ac_cv_type_mode_t+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+$ac_includes_default
+typedef mode_t ac__type_new_;
+int
+main ()
+{
+if ((ac__type_new_ *) 0)
+  return 0;
+if (sizeof (ac__type_new_))
+  return 0;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  ac_cv_type_mode_t=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	ac_cv_type_mode_t=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_type_mode_t" >&5
+echo "${ECHO_T}$ac_cv_type_mode_t" >&6; }
+if test $ac_cv_type_mode_t = yes; then
+  :
+else
+
+cat >>confdefs.h <<_ACEOF
+#define mode_t int
+_ACEOF
+
+fi
+
+{ echo "$as_me:$LINENO: checking for pid_t" >&5
+echo $ECHO_N "checking for pid_t... $ECHO_C" >&6; }
+if test "${ac_cv_type_pid_t+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+$ac_includes_default
+typedef pid_t ac__type_new_;
+int
+main ()
+{
+if ((ac__type_new_ *) 0)
+  return 0;
+if (sizeof (ac__type_new_))
+  return 0;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  ac_cv_type_pid_t=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	ac_cv_type_pid_t=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_type_pid_t" >&5
+echo "${ECHO_T}$ac_cv_type_pid_t" >&6; }
+if test $ac_cv_type_pid_t = yes; then
+  :
+else
+
+cat >>confdefs.h <<_ACEOF
+#define pid_t int
+_ACEOF
+
+fi
+
+{ echo "$as_me:$LINENO: checking whether time.h and sys/time.h may both be included" >&5
+echo $ECHO_N "checking whether time.h and sys/time.h may both be included... $ECHO_C" >&6; }
+if test "${ac_cv_header_time+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+#include <sys/types.h>
+#include <sys/time.h>
+#include <time.h>
+
+int
+main ()
+{
+if ((struct tm *) 0)
+return 0;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  ac_cv_header_time=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	ac_cv_header_time=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_header_time" >&5
+echo "${ECHO_T}$ac_cv_header_time" >&6; }
+if test $ac_cv_header_time = yes; then
+
+cat >>confdefs.h <<\_ACEOF
+#define TIME_WITH_SYS_TIME 1
+_ACEOF
+
+fi
+
+
+if test $ac_cv_c_compiler_gnu = yes; then
+    { echo "$as_me:$LINENO: checking whether $CC needs -traditional" >&5
+echo $ECHO_N "checking whether $CC needs -traditional... $ECHO_C" >&6; }
+if test "${ac_cv_prog_gcc_traditional+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+    ac_pattern="Autoconf.*'x'"
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+#include <sgtty.h>
+Autoconf TIOCGETP
+_ACEOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  $EGREP "$ac_pattern" >/dev/null 2>&1; then
+  ac_cv_prog_gcc_traditional=yes
+else
+  ac_cv_prog_gcc_traditional=no
+fi
+rm -f conftest*
+
+
+  if test $ac_cv_prog_gcc_traditional = no; then
+    cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+#include <termio.h>
+Autoconf TCGETA
+_ACEOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  $EGREP "$ac_pattern" >/dev/null 2>&1; then
+  ac_cv_prog_gcc_traditional=yes
+fi
+rm -f conftest*
+
+  fi
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_prog_gcc_traditional" >&5
+echo "${ECHO_T}$ac_cv_prog_gcc_traditional" >&6; }
+  if test $ac_cv_prog_gcc_traditional = yes; then
+    CC="$CC -traditional"
+  fi
+fi
+
+{ echo "$as_me:$LINENO: checking for working memcmp" >&5
+echo $ECHO_N "checking for working memcmp... $ECHO_C" >&6; }
+if test "${ac_cv_func_memcmp_working+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  if test "$cross_compiling" = yes; then
+  ac_cv_func_memcmp_working=no
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+$ac_includes_default
+int
+main ()
+{
+
+  /* Some versions of memcmp are not 8-bit clean.  */
+  char c0 = '\100', c1 = '\200', c2 = '\201';
+  if (memcmp(&c0, &c2, 1) >= 0 || memcmp(&c1, &c2, 1) >= 0)
+    return 1;
+
+  /* The Next x86 OpenStep bug shows up only when comparing 16 bytes
+     or more and with at least one buffer not starting on a 4-byte boundary.
+     William Lewis provided this test program.   */
+  {
+    char foo[21];
+    char bar[21];
+    int i;
+    for (i = 0; i < 4; i++)
+      {
+	char *a = foo + i;
+	char *b = bar + i;
+	strcpy (a, "--------01111111");
+	strcpy (b, "--------10000000");
+	if (memcmp (a, b, 16) >= 0)
+	  return 1;
+      }
+    return 0;
+  }
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
+  { (case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_try") 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; }; then
+  ac_cv_func_memcmp_working=yes
+else
+  echo "$as_me: program exited with status $ac_status" >&5
+echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+( exit $ac_status )
+ac_cv_func_memcmp_working=no
+fi
+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
+fi
+
+
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_func_memcmp_working" >&5
+echo "${ECHO_T}$ac_cv_func_memcmp_working" >&6; }
+test $ac_cv_func_memcmp_working = no && case " $LIBOBJS " in
+  *" memcmp.$ac_objext "* ) ;;
+  *) LIBOBJS="$LIBOBJS memcmp.$ac_objext"
+ ;;
+esac
+
+
+
+
+
+for ac_func in select socket uname
+do
+as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
+{ echo "$as_me:$LINENO: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; }
+if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+/* Define $ac_func to an innocuous variant, in case <limits.h> declares $ac_func.
+   For example, HP-UX 11i <limits.h> declares gettimeofday.  */
+#define $ac_func innocuous_$ac_func
+
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.
+    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+    <limits.h> exists even on freestanding compilers.  */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef $ac_func
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char $ac_func ();
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined __stub_$ac_func || defined __stub___$ac_func
+choke me
+#endif
+
+int
+main ()
+{
+return $ac_func ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+  eval "$as_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	eval "$as_ac_var=no"
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+fi
+ac_res=`eval echo '${'$as_ac_var'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
+if test `eval echo '${'$as_ac_var'}'` = yes; then
+  cat >>confdefs.h <<_ACEOF
+#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
+_ACEOF
+
+fi
+done
+
+
+GETTEXT_PACKAGE=NetworkManager-strongswan
+
+
+cat >>confdefs.h <<_ACEOF
+#define GETTEXT_PACKAGE "$GETTEXT_PACKAGE"
+_ACEOF
+
+
+
+case "$am__api_version" in
+    1.01234)
+	{ { echo "$as_me:$LINENO: error: Automake 1.5 or newer is required to use intltool" >&5
+echo "$as_me: error: Automake 1.5 or newer is required to use intltool" >&2;}
+   { (exit 1); exit 1; }; }
+    ;;
+    *)
+    ;;
+esac
+
+if test -n "0.35"; then
+    { echo "$as_me:$LINENO: checking for intltool >= 0.35" >&5
+echo $ECHO_N "checking for intltool >= 0.35... $ECHO_C" >&6; }
+
+    INTLTOOL_REQUIRED_VERSION_AS_INT=`echo 0.35 | awk -F. '{ print $ 1 * 1000 + $ 2 * 100 + $ 3; }'`
+    INTLTOOL_APPLIED_VERSION=`awk -F\" '/\\$VERSION / { print $ 2; }' ${ac_aux_dir}/intltool-update.in`
+    INTLTOOL_APPLIED_VERSION_AS_INT=`awk -F\" '/\\$VERSION / { split($ 2, VERSION, "."); print VERSION[1] * 1000 + VERSION[2] * 100 + VERSION[3];}' ${ac_aux_dir}/intltool-update.in`
+
+    { echo "$as_me:$LINENO: result: $INTLTOOL_APPLIED_VERSION found" >&5
+echo "${ECHO_T}$INTLTOOL_APPLIED_VERSION found" >&6; }
+    test "$INTLTOOL_APPLIED_VERSION_AS_INT" -ge "$INTLTOOL_REQUIRED_VERSION_AS_INT" ||
+	{ { echo "$as_me:$LINENO: error: Your intltool is too old.  You need intltool 0.35 or later." >&5
+echo "$as_me: error: Your intltool is too old.  You need intltool 0.35 or later." >&2;}
+   { (exit 1); exit 1; }; }
+fi
+
+  INTLTOOL_DESKTOP_RULE='%.desktop:   %.desktop.in   $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -d -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< $@'
+INTLTOOL_DIRECTORY_RULE='%.directory: %.directory.in $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -d -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< $@'
+     INTLTOOL_KEYS_RULE='%.keys:      %.keys.in      $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -k -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< $@'
+     INTLTOOL_PROP_RULE='%.prop:      %.prop.in      $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -d -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< $@'
+      INTLTOOL_OAF_RULE='%.oaf:       %.oaf.in       $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -o -p $(top_srcdir)/po $< $@'
+     INTLTOOL_PONG_RULE='%.pong:      %.pong.in      $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -x -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< $@'
+   INTLTOOL_SERVER_RULE='%.server:    %.server.in    $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -o -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< $@'
+    INTLTOOL_SHEET_RULE='%.sheet:     %.sheet.in     $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -x -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< $@'
+INTLTOOL_SOUNDLIST_RULE='%.soundlist: %.soundlist.in $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -d -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< $@'
+       INTLTOOL_UI_RULE='%.ui:        %.ui.in        $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -x -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< $@'
+      INTLTOOL_XML_RULE='%.xml:       %.xml.in       $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -x -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< $@'
+      INTLTOOL_XML_NOMERGE_RULE='%.xml:       %.xml.in       $(INTLTOOL_MERGE) ; LC_ALL=C $(INTLTOOL_MERGE) -x -u /tmp $< $@'
+      INTLTOOL_XAM_RULE='%.xam:       %.xml.in       $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -x -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< $@'
+      INTLTOOL_KBD_RULE='%.kbd:       %.kbd.in       $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -x -u -m -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< $@'
+    INTLTOOL_CAVES_RULE='%.caves:     %.caves.in     $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -d -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< $@'
+  INTLTOOL_SCHEMAS_RULE='%.schemas:   %.schemas.in   $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -s -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< $@'
+    INTLTOOL_THEME_RULE='%.theme:     %.theme.in     $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -d -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< $@'
+    INTLTOOL_SERVICE_RULE='%.service: %.service.in   $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -d -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< $@'
+   INTLTOOL_POLICY_RULE='%.policy:    %.policy.in    $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -x -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< $@'
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+# Check the gettext tools to make sure they are GNU
+# Extract the first word of "xgettext", so it can be a program name with args.
+set dummy xgettext; ac_word=$2
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+if test "${ac_cv_path_XGETTEXT+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  case $XGETTEXT in
+  [\\/]* | ?:[\\/]*)
+  ac_cv_path_XGETTEXT="$XGETTEXT" # Let the user override the test with a path.
+  ;;
+  *)
+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+  for ac_exec_ext in '' $ac_executable_extensions; do
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+    ac_cv_path_XGETTEXT="$as_dir/$ac_word$ac_exec_ext"
+    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+done
+IFS=$as_save_IFS
+
+  ;;
+esac
+fi
+XGETTEXT=$ac_cv_path_XGETTEXT
+if test -n "$XGETTEXT"; then
+  { echo "$as_me:$LINENO: result: $XGETTEXT" >&5
+echo "${ECHO_T}$XGETTEXT" >&6; }
+else
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
+
+
+# Extract the first word of "msgmerge", so it can be a program name with args.
+set dummy msgmerge; ac_word=$2
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+if test "${ac_cv_path_MSGMERGE+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  case $MSGMERGE in
+  [\\/]* | ?:[\\/]*)
+  ac_cv_path_MSGMERGE="$MSGMERGE" # Let the user override the test with a path.
+  ;;
+  *)
+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+  for ac_exec_ext in '' $ac_executable_extensions; do
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+    ac_cv_path_MSGMERGE="$as_dir/$ac_word$ac_exec_ext"
+    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+done
+IFS=$as_save_IFS
+
+  ;;
+esac
+fi
+MSGMERGE=$ac_cv_path_MSGMERGE
+if test -n "$MSGMERGE"; then
+  { echo "$as_me:$LINENO: result: $MSGMERGE" >&5
+echo "${ECHO_T}$MSGMERGE" >&6; }
+else
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
+
+
+# Extract the first word of "msgfmt", so it can be a program name with args.
+set dummy msgfmt; ac_word=$2
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+if test "${ac_cv_path_MSGFMT+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  case $MSGFMT in
+  [\\/]* | ?:[\\/]*)
+  ac_cv_path_MSGFMT="$MSGFMT" # Let the user override the test with a path.
+  ;;
+  *)
+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+  for ac_exec_ext in '' $ac_executable_extensions; do
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+    ac_cv_path_MSGFMT="$as_dir/$ac_word$ac_exec_ext"
+    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+done
+IFS=$as_save_IFS
+
+  ;;
+esac
+fi
+MSGFMT=$ac_cv_path_MSGFMT
+if test -n "$MSGFMT"; then
+  { echo "$as_me:$LINENO: result: $MSGFMT" >&5
+echo "${ECHO_T}$MSGFMT" >&6; }
+else
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
+
+
+if test -z "$XGETTEXT" -o -z "$MSGMERGE" -o -z "$MSGFMT"; then
+    { { echo "$as_me:$LINENO: error: GNU gettext tools not found; required for intltool" >&5
+echo "$as_me: error: GNU gettext tools not found; required for intltool" >&2;}
+   { (exit 1); exit 1; }; }
+fi
+xgversion="`$XGETTEXT --version|grep '(GNU ' 2> /dev/null`"
+mmversion="`$MSGMERGE --version|grep '(GNU ' 2> /dev/null`"
+mfversion="`$MSGFMT --version|grep '(GNU ' 2> /dev/null`"
+if test -z "$xgversion" -o -z "$mmversion" -o -z "$mfversion"; then
+    { { echo "$as_me:$LINENO: error: GNU gettext tools not found; required for intltool" >&5
+echo "$as_me: error: GNU gettext tools not found; required for intltool" >&2;}
+   { (exit 1); exit 1; }; }
+fi
+
+# Use the tools built into the package, not the ones that are installed.
+INTLTOOL_EXTRACT='$(top_builddir)/intltool-extract'
+
+INTLTOOL_MERGE='$(top_builddir)/intltool-merge'
+
+INTLTOOL_UPDATE='$(top_builddir)/intltool-update'
+
+
+# Extract the first word of "perl", so it can be a program name with args.
+set dummy perl; ac_word=$2
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+if test "${ac_cv_path_INTLTOOL_PERL+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  case $INTLTOOL_PERL in
+  [\\/]* | ?:[\\/]*)
+  ac_cv_path_INTLTOOL_PERL="$INTLTOOL_PERL" # Let the user override the test with a path.
+  ;;
+  *)
+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+  for ac_exec_ext in '' $ac_executable_extensions; do
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+    ac_cv_path_INTLTOOL_PERL="$as_dir/$ac_word$ac_exec_ext"
+    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+done
+IFS=$as_save_IFS
+
+  ;;
+esac
+fi
+INTLTOOL_PERL=$ac_cv_path_INTLTOOL_PERL
+if test -n "$INTLTOOL_PERL"; then
+  { echo "$as_me:$LINENO: result: $INTLTOOL_PERL" >&5
+echo "${ECHO_T}$INTLTOOL_PERL" >&6; }
+else
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
+
+
+if test -z "$INTLTOOL_PERL"; then
+   { { echo "$as_me:$LINENO: error: perl not found; required for intltool" >&5
+echo "$as_me: error: perl not found; required for intltool" >&2;}
+   { (exit 1); exit 1; }; }
+fi
+if test -z "`$INTLTOOL_PERL -v | fgrep '5.' 2> /dev/null`"; then
+   { { echo "$as_me:$LINENO: error: perl 5.x required for intltool" >&5
+echo "$as_me: error: perl 5.x required for intltool" >&2;}
+   { (exit 1); exit 1; }; }
+fi
+if test "x" != "xno-xml"; then
+   { echo "$as_me:$LINENO: checking for XML::Parser" >&5
+echo $ECHO_N "checking for XML::Parser... $ECHO_C" >&6; }
+   if `$INTLTOOL_PERL -e "require XML::Parser" 2>/dev/null`; then
+       { echo "$as_me:$LINENO: result: ok" >&5
+echo "${ECHO_T}ok" >&6; }
+   else
+       { { echo "$as_me:$LINENO: error: XML::Parser perl module is required for intltool" >&5
+echo "$as_me: error: XML::Parser perl module is required for intltool" >&2;}
+   { (exit 1); exit 1; }; }
+   fi
+fi
+
+# Substitute ALL_LINGUAS so we can use it in po/Makefile
+
+
+# Set DATADIRNAME correctly if it is not set yet
+# (copied from glib-gettext.m4)
+if test -z "$DATADIRNAME"; then
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+
+int
+main ()
+{
+extern int _nl_msg_cat_cntr;
+                       return _nl_msg_cat_cntr
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+  DATADIRNAME=share
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	case $host in
+    *-*-solaris*)
+                        { echo "$as_me:$LINENO: checking for bind_textdomain_codeset" >&5
+echo $ECHO_N "checking for bind_textdomain_codeset... $ECHO_C" >&6; }
+if test "${ac_cv_func_bind_textdomain_codeset+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+/* Define bind_textdomain_codeset to an innocuous variant, in case <limits.h> declares bind_textdomain_codeset.
+   For example, HP-UX 11i <limits.h> declares gettimeofday.  */
+#define bind_textdomain_codeset innocuous_bind_textdomain_codeset
+
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char bind_textdomain_codeset (); below.
+    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+    <limits.h> exists even on freestanding compilers.  */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef bind_textdomain_codeset
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char bind_textdomain_codeset ();
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined __stub_bind_textdomain_codeset || defined __stub___bind_textdomain_codeset
+choke me
+#endif
+
+int
+main ()
+{
+return bind_textdomain_codeset ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+  ac_cv_func_bind_textdomain_codeset=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	ac_cv_func_bind_textdomain_codeset=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_func_bind_textdomain_codeset" >&5
+echo "${ECHO_T}$ac_cv_func_bind_textdomain_codeset" >&6; }
+if test $ac_cv_func_bind_textdomain_codeset = yes; then
+  DATADIRNAME=share
+else
+  DATADIRNAME=lib
+fi
+
+    ;;
+    *)
+    DATADIRNAME=lib
+    ;;
+    esac
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+fi
+
+
+
+
+
+ac_config_commands="$ac_config_commands intltool"
+
+
+
+
+
+for ac_header in locale.h
+do
+as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+  { echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+fi
+ac_res=`eval echo '${'$as_ac_Header'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
+else
+  # Is the header compilable?
+{ echo "$as_me:$LINENO: checking $ac_header usability" >&5
+echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6; }
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+$ac_includes_default
+#include <$ac_header>
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  ac_header_compiler=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	ac_header_compiler=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
+echo "${ECHO_T}$ac_header_compiler" >&6; }
+
+# Is the header present?
+{ echo "$as_me:$LINENO: checking $ac_header presence" >&5
+echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6; }
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+#include <$ac_header>
+_ACEOF
+if { (ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } >/dev/null && {
+	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       }; then
+  ac_header_preproc=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+  ac_header_preproc=no
+fi
+
+rm -f conftest.err conftest.$ac_ext
+{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
+echo "${ECHO_T}$ac_header_preproc" >&6; }
+
+# So?  What about this header?
+case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
+  yes:no: )
+    { echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5
+echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the compiler's result" >&5
+echo "$as_me: WARNING: $ac_header: proceeding with the compiler's result" >&2;}
+    ac_header_preproc=yes
+    ;;
+  no:yes:* )
+    { echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5
+echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header:     check for missing prerequisite headers?" >&5
+echo "$as_me: WARNING: $ac_header:     check for missing prerequisite headers?" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: see the Autoconf documentation" >&5
+echo "$as_me: WARNING: $ac_header: see the Autoconf documentation" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\"" >&5
+echo "$as_me: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\"" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5
+echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5
+echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;}
+    ( cat <<\_ASBOX
+## ------------------------------------ ##
+## Report this to martin@strongswan.org ##
+## ------------------------------------ ##
+_ASBOX
+     ) | sed "s/^/$as_me: WARNING:     /" >&2
+    ;;
+esac
+{ echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  eval "$as_ac_Header=\$ac_header_preproc"
+fi
+ac_res=`eval echo '${'$as_ac_Header'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
+
+fi
+if test `eval echo '${'$as_ac_Header'}'` = yes; then
+  cat >>confdefs.h <<_ACEOF
+#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
+_ACEOF
+
+fi
+
+done
+
+    if test $ac_cv_header_locale_h = yes; then
+    { echo "$as_me:$LINENO: checking for LC_MESSAGES" >&5
+echo $ECHO_N "checking for LC_MESSAGES... $ECHO_C" >&6; }
+if test "${am_cv_val_LC_MESSAGES+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+#include <locale.h>
+int
+main ()
+{
+return LC_MESSAGES
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+  am_cv_val_LC_MESSAGES=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	am_cv_val_LC_MESSAGES=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+fi
+{ echo "$as_me:$LINENO: result: $am_cv_val_LC_MESSAGES" >&5
+echo "${ECHO_T}$am_cv_val_LC_MESSAGES" >&6; }
+    if test $am_cv_val_LC_MESSAGES = yes; then
+
+cat >>confdefs.h <<\_ACEOF
+#define HAVE_LC_MESSAGES 1
+_ACEOF
+
+    fi
+  fi
+     USE_NLS=yes
+
+
+    gt_cv_have_gettext=no
+
+    CATOBJEXT=NONE
+    XGETTEXT=:
+    INTLLIBS=
+
+    if test "${ac_cv_header_libintl_h+set}" = set; then
+  { echo "$as_me:$LINENO: checking for libintl.h" >&5
+echo $ECHO_N "checking for libintl.h... $ECHO_C" >&6; }
+if test "${ac_cv_header_libintl_h+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_header_libintl_h" >&5
+echo "${ECHO_T}$ac_cv_header_libintl_h" >&6; }
+else
+  # Is the header compilable?
+{ echo "$as_me:$LINENO: checking libintl.h usability" >&5
+echo $ECHO_N "checking libintl.h usability... $ECHO_C" >&6; }
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+$ac_includes_default
+#include <libintl.h>
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  ac_header_compiler=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	ac_header_compiler=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
+echo "${ECHO_T}$ac_header_compiler" >&6; }
+
+# Is the header present?
+{ echo "$as_me:$LINENO: checking libintl.h presence" >&5
+echo $ECHO_N "checking libintl.h presence... $ECHO_C" >&6; }
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+#include <libintl.h>
+_ACEOF
+if { (ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } >/dev/null && {
+	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       }; then
+  ac_header_preproc=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+  ac_header_preproc=no
+fi
+
+rm -f conftest.err conftest.$ac_ext
+{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
+echo "${ECHO_T}$ac_header_preproc" >&6; }
+
+# So?  What about this header?
+case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
+  yes:no: )
+    { echo "$as_me:$LINENO: WARNING: libintl.h: accepted by the compiler, rejected by the preprocessor!" >&5
+echo "$as_me: WARNING: libintl.h: accepted by the compiler, rejected by the preprocessor!" >&2;}
+    { echo "$as_me:$LINENO: WARNING: libintl.h: proceeding with the compiler's result" >&5
+echo "$as_me: WARNING: libintl.h: proceeding with the compiler's result" >&2;}
+    ac_header_preproc=yes
+    ;;
+  no:yes:* )
+    { echo "$as_me:$LINENO: WARNING: libintl.h: present but cannot be compiled" >&5
+echo "$as_me: WARNING: libintl.h: present but cannot be compiled" >&2;}
+    { echo "$as_me:$LINENO: WARNING: libintl.h:     check for missing prerequisite headers?" >&5
+echo "$as_me: WARNING: libintl.h:     check for missing prerequisite headers?" >&2;}
+    { echo "$as_me:$LINENO: WARNING: libintl.h: see the Autoconf documentation" >&5
+echo "$as_me: WARNING: libintl.h: see the Autoconf documentation" >&2;}
+    { echo "$as_me:$LINENO: WARNING: libintl.h:     section \"Present But Cannot Be Compiled\"" >&5
+echo "$as_me: WARNING: libintl.h:     section \"Present But Cannot Be Compiled\"" >&2;}
+    { echo "$as_me:$LINENO: WARNING: libintl.h: proceeding with the preprocessor's result" >&5
+echo "$as_me: WARNING: libintl.h: proceeding with the preprocessor's result" >&2;}
+    { echo "$as_me:$LINENO: WARNING: libintl.h: in the future, the compiler will take precedence" >&5
+echo "$as_me: WARNING: libintl.h: in the future, the compiler will take precedence" >&2;}
+    ( cat <<\_ASBOX
+## ------------------------------------ ##
+## Report this to martin@strongswan.org ##
+## ------------------------------------ ##
+_ASBOX
+     ) | sed "s/^/$as_me: WARNING:     /" >&2
+    ;;
+esac
+{ echo "$as_me:$LINENO: checking for libintl.h" >&5
+echo $ECHO_N "checking for libintl.h... $ECHO_C" >&6; }
+if test "${ac_cv_header_libintl_h+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_cv_header_libintl_h=$ac_header_preproc
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_header_libintl_h" >&5
+echo "${ECHO_T}$ac_cv_header_libintl_h" >&6; }
+
+fi
+if test $ac_cv_header_libintl_h = yes; then
+  gt_cv_func_dgettext_libintl="no"
+      libintl_extra_libs=""
+
+      #
+      # First check in libc
+      #
+      { echo "$as_me:$LINENO: checking for ngettext in libc" >&5
+echo $ECHO_N "checking for ngettext in libc... $ECHO_C" >&6; }
+if test "${gt_cv_func_ngettext_libc+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+
+#include <libintl.h>
+
+int
+main ()
+{
+return !ngettext ("","", 1)
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+  gt_cv_func_ngettext_libc=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	gt_cv_func_ngettext_libc=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+
+fi
+{ echo "$as_me:$LINENO: result: $gt_cv_func_ngettext_libc" >&5
+echo "${ECHO_T}$gt_cv_func_ngettext_libc" >&6; }
+
+      if test "$gt_cv_func_ngettext_libc" = "yes" ; then
+	      { echo "$as_me:$LINENO: checking for dgettext in libc" >&5
+echo $ECHO_N "checking for dgettext in libc... $ECHO_C" >&6; }
+if test "${gt_cv_func_dgettext_libc+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+
+#include <libintl.h>
+
+int
+main ()
+{
+return !dgettext ("","")
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+  gt_cv_func_dgettext_libc=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	gt_cv_func_dgettext_libc=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+
+fi
+{ echo "$as_me:$LINENO: result: $gt_cv_func_dgettext_libc" >&5
+echo "${ECHO_T}$gt_cv_func_dgettext_libc" >&6; }
+      fi
+
+      if test "$gt_cv_func_ngettext_libc" = "yes" ; then
+
+for ac_func in bind_textdomain_codeset
+do
+as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
+{ echo "$as_me:$LINENO: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; }
+if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+/* Define $ac_func to an innocuous variant, in case <limits.h> declares $ac_func.
+   For example, HP-UX 11i <limits.h> declares gettimeofday.  */
+#define $ac_func innocuous_$ac_func
+
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.
+    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+    <limits.h> exists even on freestanding compilers.  */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef $ac_func
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char $ac_func ();
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined __stub_$ac_func || defined __stub___$ac_func
+choke me
+#endif
+
+int
+main ()
+{
+return $ac_func ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+  eval "$as_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	eval "$as_ac_var=no"
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+fi
+ac_res=`eval echo '${'$as_ac_var'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
+if test `eval echo '${'$as_ac_var'}'` = yes; then
+  cat >>confdefs.h <<_ACEOF
+#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
+_ACEOF
+
+fi
+done
+
+      fi
+
+      #
+      # If we don't have everything we want, check in libintl
+      #
+      if test "$gt_cv_func_dgettext_libc" != "yes" \
+	 || test "$gt_cv_func_ngettext_libc" != "yes" \
+         || test "$ac_cv_func_bind_textdomain_codeset" != "yes" ; then
+
+        { echo "$as_me:$LINENO: checking for bindtextdomain in -lintl" >&5
+echo $ECHO_N "checking for bindtextdomain in -lintl... $ECHO_C" >&6; }
+if test "${ac_cv_lib_intl_bindtextdomain+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lintl  $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char bindtextdomain ();
+int
+main ()
+{
+return bindtextdomain ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+  ac_cv_lib_intl_bindtextdomain=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	ac_cv_lib_intl_bindtextdomain=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_intl_bindtextdomain" >&5
+echo "${ECHO_T}$ac_cv_lib_intl_bindtextdomain" >&6; }
+if test $ac_cv_lib_intl_bindtextdomain = yes; then
+  { echo "$as_me:$LINENO: checking for ngettext in -lintl" >&5
+echo $ECHO_N "checking for ngettext in -lintl... $ECHO_C" >&6; }
+if test "${ac_cv_lib_intl_ngettext+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lintl  $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char ngettext ();
+int
+main ()
+{
+return ngettext ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+  ac_cv_lib_intl_ngettext=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	ac_cv_lib_intl_ngettext=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_intl_ngettext" >&5
+echo "${ECHO_T}$ac_cv_lib_intl_ngettext" >&6; }
+if test $ac_cv_lib_intl_ngettext = yes; then
+  { echo "$as_me:$LINENO: checking for dgettext in -lintl" >&5
+echo $ECHO_N "checking for dgettext in -lintl... $ECHO_C" >&6; }
+if test "${ac_cv_lib_intl_dgettext+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lintl  $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char dgettext ();
+int
+main ()
+{
+return dgettext ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+  ac_cv_lib_intl_dgettext=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	ac_cv_lib_intl_dgettext=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_intl_dgettext" >&5
+echo "${ECHO_T}$ac_cv_lib_intl_dgettext" >&6; }
+if test $ac_cv_lib_intl_dgettext = yes; then
+  gt_cv_func_dgettext_libintl=yes
+fi
+
+fi
+
+fi
+
+
+	if test "$gt_cv_func_dgettext_libintl" != "yes" ; then
+	  { echo "$as_me:$LINENO: checking if -liconv is needed to use gettext" >&5
+echo $ECHO_N "checking if -liconv is needed to use gettext... $ECHO_C" >&6; }
+	  { echo "$as_me:$LINENO: result: " >&5
+echo "${ECHO_T}" >&6; }
+  	  { echo "$as_me:$LINENO: checking for ngettext in -lintl" >&5
+echo $ECHO_N "checking for ngettext in -lintl... $ECHO_C" >&6; }
+if test "${ac_cv_lib_intl_ngettext+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lintl -liconv $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char ngettext ();
+int
+main ()
+{
+return ngettext ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+  ac_cv_lib_intl_ngettext=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	ac_cv_lib_intl_ngettext=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_intl_ngettext" >&5
+echo "${ECHO_T}$ac_cv_lib_intl_ngettext" >&6; }
+if test $ac_cv_lib_intl_ngettext = yes; then
+  { echo "$as_me:$LINENO: checking for dcgettext in -lintl" >&5
+echo $ECHO_N "checking for dcgettext in -lintl... $ECHO_C" >&6; }
+if test "${ac_cv_lib_intl_dcgettext+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lintl -liconv $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char dcgettext ();
+int
+main ()
+{
+return dcgettext ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+  ac_cv_lib_intl_dcgettext=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	ac_cv_lib_intl_dcgettext=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_intl_dcgettext" >&5
+echo "${ECHO_T}$ac_cv_lib_intl_dcgettext" >&6; }
+if test $ac_cv_lib_intl_dcgettext = yes; then
+  gt_cv_func_dgettext_libintl=yes
+			libintl_extra_libs=-liconv
+else
+  :
+fi
+
+else
+  :
+fi
+
+        fi
+
+        #
+        # If we found libintl, then check in it for bind_textdomain_codeset();
+        # we'll prefer libc if neither have bind_textdomain_codeset(),
+        # and both have dgettext and ngettext
+        #
+        if test "$gt_cv_func_dgettext_libintl" = "yes" ; then
+          glib_save_LIBS="$LIBS"
+          LIBS="$LIBS -lintl $libintl_extra_libs"
+          unset ac_cv_func_bind_textdomain_codeset
+
+for ac_func in bind_textdomain_codeset
+do
+as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
+{ echo "$as_me:$LINENO: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; }
+if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+/* Define $ac_func to an innocuous variant, in case <limits.h> declares $ac_func.
+   For example, HP-UX 11i <limits.h> declares gettimeofday.  */
+#define $ac_func innocuous_$ac_func
+
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.
+    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+    <limits.h> exists even on freestanding compilers.  */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef $ac_func
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char $ac_func ();
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined __stub_$ac_func || defined __stub___$ac_func
+choke me
+#endif
+
+int
+main ()
+{
+return $ac_func ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+  eval "$as_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	eval "$as_ac_var=no"
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+fi
+ac_res=`eval echo '${'$as_ac_var'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
+if test `eval echo '${'$as_ac_var'}'` = yes; then
+  cat >>confdefs.h <<_ACEOF
+#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
+_ACEOF
+
+fi
+done
+
+          LIBS="$glib_save_LIBS"
+
+          if test "$ac_cv_func_bind_textdomain_codeset" = "yes" ; then
+            gt_cv_func_dgettext_libc=no
+          else
+            if test "$gt_cv_func_dgettext_libc" = "yes" \
+		&& test "$gt_cv_func_ngettext_libc" = "yes"; then
+              gt_cv_func_dgettext_libintl=no
+            fi
+          fi
+        fi
+      fi
+
+      if test "$gt_cv_func_dgettext_libc" = "yes" \
+	|| test "$gt_cv_func_dgettext_libintl" = "yes"; then
+        gt_cv_have_gettext=yes
+      fi
+
+      if test "$gt_cv_func_dgettext_libintl" = "yes"; then
+        INTLLIBS="-lintl $libintl_extra_libs"
+      fi
+
+      if test "$gt_cv_have_gettext" = "yes"; then
+
+cat >>confdefs.h <<\_ACEOF
+#define HAVE_GETTEXT 1
+_ACEOF
+
+	# Extract the first word of "msgfmt", so it can be a program name with args.
+set dummy msgfmt; ac_word=$2
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+if test "${ac_cv_path_MSGFMT+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  case "$MSGFMT" in
+  /*)
+  ac_cv_path_MSGFMT="$MSGFMT" # Let the user override the test with a path.
+  ;;
+  *)
+  IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS="${IFS}:"
+  for ac_dir in $PATH; do
+    test -z "$ac_dir" && ac_dir=.
+    if test -f $ac_dir/$ac_word; then
+      if test -z "`$ac_dir/$ac_word -h 2>&1 | grep 'dv '`"; then
+	ac_cv_path_MSGFMT="$ac_dir/$ac_word"
+	break
+      fi
+    fi
+  done
+  IFS="$ac_save_ifs"
+  test -z "$ac_cv_path_MSGFMT" && ac_cv_path_MSGFMT="no"
+  ;;
+esac
+fi
+MSGFMT="$ac_cv_path_MSGFMT"
+if test "$MSGFMT" != "no"; then
+  { echo "$as_me:$LINENO: result: $MSGFMT" >&5
+echo "${ECHO_T}$MSGFMT" >&6; }
+else
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
+	if test "$MSGFMT" != "no"; then
+          glib_save_LIBS="$LIBS"
+          LIBS="$LIBS $INTLLIBS"
+
+for ac_func in dcgettext
+do
+as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
+{ echo "$as_me:$LINENO: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; }
+if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+/* Define $ac_func to an innocuous variant, in case <limits.h> declares $ac_func.
+   For example, HP-UX 11i <limits.h> declares gettimeofday.  */
+#define $ac_func innocuous_$ac_func
+
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.
+    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+    <limits.h> exists even on freestanding compilers.  */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef $ac_func
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char $ac_func ();
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined __stub_$ac_func || defined __stub___$ac_func
+choke me
+#endif
+
+int
+main ()
+{
+return $ac_func ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+  eval "$as_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	eval "$as_ac_var=no"
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+fi
+ac_res=`eval echo '${'$as_ac_var'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
+if test `eval echo '${'$as_ac_var'}'` = yes; then
+  cat >>confdefs.h <<_ACEOF
+#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
+_ACEOF
+
+fi
+done
+
+	  MSGFMT_OPTS=
+	  { echo "$as_me:$LINENO: checking if msgfmt accepts -c" >&5
+echo $ECHO_N "checking if msgfmt accepts -c... $ECHO_C" >&6; }
+	  cat >conftest.foo <<_ACEOF
+
+msgid ""
+msgstr ""
+"Content-Type: text/plain; charset=UTF-8\n"
+"Project-Id-Version: test 1.0\n"
+"PO-Revision-Date: 2007-02-15 12:01+0100\n"
+"Last-Translator: test <foo@bar.xx>\n"
+"Language-Team: C <LL@li.org>\n"
+"MIME-Version: 1.0\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+_ACEOF
+if { (echo "$as_me:$LINENO: \$MSGFMT -c -o /dev/null conftest.foo") >&5
+  ($MSGFMT -c -o /dev/null conftest.foo) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  MSGFMT_OPTS=-c; { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
+else { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+echo "$as_me: failed input was:" >&5
+sed 's/^/| /' conftest.foo >&5
+fi
+
+	  # Extract the first word of "gmsgfmt", so it can be a program name with args.
+set dummy gmsgfmt; ac_word=$2
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+if test "${ac_cv_path_GMSGFMT+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  case $GMSGFMT in
+  [\\/]* | ?:[\\/]*)
+  ac_cv_path_GMSGFMT="$GMSGFMT" # Let the user override the test with a path.
+  ;;
+  *)
+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+  for ac_exec_ext in '' $ac_executable_extensions; do
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+    ac_cv_path_GMSGFMT="$as_dir/$ac_word$ac_exec_ext"
+    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+done
+IFS=$as_save_IFS
+
+  test -z "$ac_cv_path_GMSGFMT" && ac_cv_path_GMSGFMT="$MSGFMT"
+  ;;
+esac
+fi
+GMSGFMT=$ac_cv_path_GMSGFMT
+if test -n "$GMSGFMT"; then
+  { echo "$as_me:$LINENO: result: $GMSGFMT" >&5
+echo "${ECHO_T}$GMSGFMT" >&6; }
+else
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
+
+
+	  # Extract the first word of "xgettext", so it can be a program name with args.
+set dummy xgettext; ac_word=$2
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+if test "${ac_cv_path_XGETTEXT+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  case "$XGETTEXT" in
+  /*)
+  ac_cv_path_XGETTEXT="$XGETTEXT" # Let the user override the test with a path.
+  ;;
+  *)
+  IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS="${IFS}:"
+  for ac_dir in $PATH; do
+    test -z "$ac_dir" && ac_dir=.
+    if test -f $ac_dir/$ac_word; then
+      if test -z "`$ac_dir/$ac_word -h 2>&1 | grep '(HELP)'`"; then
+	ac_cv_path_XGETTEXT="$ac_dir/$ac_word"
+	break
+      fi
+    fi
+  done
+  IFS="$ac_save_ifs"
+  test -z "$ac_cv_path_XGETTEXT" && ac_cv_path_XGETTEXT=":"
+  ;;
+esac
+fi
+XGETTEXT="$ac_cv_path_XGETTEXT"
+if test "$XGETTEXT" != ":"; then
+  { echo "$as_me:$LINENO: result: $XGETTEXT" >&5
+echo "${ECHO_T}$XGETTEXT" >&6; }
+else
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
+
+	  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+
+int
+main ()
+{
+extern int _nl_msg_cat_cntr;
+			 return _nl_msg_cat_cntr
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+  CATOBJEXT=.gmo
+             DATADIRNAME=share
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	case $host in
+	    *-*-solaris*)
+	    	                	    	                { echo "$as_me:$LINENO: checking for bind_textdomain_codeset" >&5
+echo $ECHO_N "checking for bind_textdomain_codeset... $ECHO_C" >&6; }
+if test "${ac_cv_func_bind_textdomain_codeset+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+/* Define bind_textdomain_codeset to an innocuous variant, in case <limits.h> declares bind_textdomain_codeset.
+   For example, HP-UX 11i <limits.h> declares gettimeofday.  */
+#define bind_textdomain_codeset innocuous_bind_textdomain_codeset
+
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char bind_textdomain_codeset (); below.
+    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+    <limits.h> exists even on freestanding compilers.  */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef bind_textdomain_codeset
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char bind_textdomain_codeset ();
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined __stub_bind_textdomain_codeset || defined __stub___bind_textdomain_codeset
+choke me
+#endif
+
+int
+main ()
+{
+return bind_textdomain_codeset ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+  ac_cv_func_bind_textdomain_codeset=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	ac_cv_func_bind_textdomain_codeset=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_func_bind_textdomain_codeset" >&5
+echo "${ECHO_T}$ac_cv_func_bind_textdomain_codeset" >&6; }
+if test $ac_cv_func_bind_textdomain_codeset = yes; then
+  CATOBJEXT=.gmo
+               DATADIRNAME=share
+else
+  CATOBJEXT=.mo
+               DATADIRNAME=lib
+fi
+
+	    ;;
+	    *)
+	    CATOBJEXT=.mo
+            DATADIRNAME=lib
+	    ;;
+	    esac
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+          LIBS="$glib_save_LIBS"
+	  INSTOBJEXT=.mo
+	else
+	  gt_cv_have_gettext=no
+	fi
+      fi
+
+fi
+
+
+
+    if test "$gt_cv_have_gettext" = "yes" ; then
+
+cat >>confdefs.h <<\_ACEOF
+#define ENABLE_NLS 1
+_ACEOF
+
+    fi
+
+        if test "$XGETTEXT" != ":"; then
+                  if $XGETTEXT --omit-header /dev/null 2> /dev/null; then
+        : ;
+      else
+        { echo "$as_me:$LINENO: result: found xgettext program is not GNU xgettext; ignore it" >&5
+echo "${ECHO_T}found xgettext program is not GNU xgettext; ignore it" >&6; }
+        XGETTEXT=":"
+      fi
+    fi
+
+    # We need to process the po/ directory.
+    POSUB=po
+
+    ac_config_commands="$ac_config_commands default-1"
+
+
+                for lang in $ALL_LINGUAS; do
+      GMOFILES="$GMOFILES $lang.gmo"
+      POFILES="$POFILES $lang.po"
+    done
+
+
+
+
+
+
+
+
+
+
+
+
+
+   if test "$gt_cv_have_gettext" = "yes"; then
+     if test "x$ALL_LINGUAS" = "x"; then
+       LINGUAS=
+     else
+       { echo "$as_me:$LINENO: checking for catalogs to be installed" >&5
+echo $ECHO_N "checking for catalogs to be installed... $ECHO_C" >&6; }
+       NEW_LINGUAS=
+       for presentlang in $ALL_LINGUAS; do
+         useit=no
+         if test "%UNSET%" != "${LINGUAS-%UNSET%}"; then
+           desiredlanguages="$LINGUAS"
+         else
+           desiredlanguages="$ALL_LINGUAS"
+         fi
+         for desiredlang in $desiredlanguages; do
+ 	   # Use the presentlang catalog if desiredlang is
+           #   a. equal to presentlang, or
+           #   b. a variant of presentlang (because in this case,
+           #      presentlang can be used as a fallback for messages
+           #      which are not translated in the desiredlang catalog).
+           case "$desiredlang" in
+             "$presentlang"*) useit=yes;;
+           esac
+         done
+         if test $useit = yes; then
+           NEW_LINGUAS="$NEW_LINGUAS $presentlang"
+         fi
+       done
+       LINGUAS=$NEW_LINGUAS
+       { echo "$as_me:$LINENO: result: $LINGUAS" >&5
+echo "${ECHO_T}$LINGUAS" >&6; }
+     fi
+
+          if test -n "$LINGUAS"; then
+       for lang in $LINGUAS; do CATALOGS="$CATALOGS $lang$CATOBJEXT"; done
+     fi
+   fi
+
+            MKINSTALLDIRS=
+   if test -n "$ac_aux_dir"; then
+     MKINSTALLDIRS="$ac_aux_dir/mkinstalldirs"
+   fi
+   if test -z "$MKINSTALLDIRS"; then
+     MKINSTALLDIRS="\$(top_srcdir)/mkinstalldirs"
+   fi
+
+
+         test -d po || mkdir po
+   if test "x$srcdir" != "x."; then
+     if test "x`echo $srcdir | sed 's@/.*@@'`" = "x"; then
+       posrcprefix="$srcdir/"
+     else
+       posrcprefix="../$srcdir/"
+     fi
+   else
+     posrcprefix="../"
+   fi
+   rm -f po/POTFILES
+   sed -e "/^#/d" -e "/^\$/d" -e "s,.*,	$posrcprefix& \\\\," -e "\$s/\(.*\) \\\\/\1/" \
+	< $srcdir/po/POTFILES.in > po/POTFILES
+
+
+
+
+if test "x$ac_cv_env_PKG_CONFIG_set" != "xset"; then
+	if test -n "$ac_tool_prefix"; then
+  # Extract the first word of "${ac_tool_prefix}pkg-config", so it can be a program name with args.
+set dummy ${ac_tool_prefix}pkg-config; ac_word=$2
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+if test "${ac_cv_path_PKG_CONFIG+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  case $PKG_CONFIG in
+  [\\/]* | ?:[\\/]*)
+  ac_cv_path_PKG_CONFIG="$PKG_CONFIG" # Let the user override the test with a path.
+  ;;
+  *)
+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+  for ac_exec_ext in '' $ac_executable_extensions; do
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+    ac_cv_path_PKG_CONFIG="$as_dir/$ac_word$ac_exec_ext"
+    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+done
+IFS=$as_save_IFS
+
+  ;;
+esac
+fi
+PKG_CONFIG=$ac_cv_path_PKG_CONFIG
+if test -n "$PKG_CONFIG"; then
+  { echo "$as_me:$LINENO: result: $PKG_CONFIG" >&5
+echo "${ECHO_T}$PKG_CONFIG" >&6; }
+else
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
+
+
+fi
+if test -z "$ac_cv_path_PKG_CONFIG"; then
+  ac_pt_PKG_CONFIG=$PKG_CONFIG
+  # Extract the first word of "pkg-config", so it can be a program name with args.
+set dummy pkg-config; ac_word=$2
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+if test "${ac_cv_path_ac_pt_PKG_CONFIG+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  case $ac_pt_PKG_CONFIG in
+  [\\/]* | ?:[\\/]*)
+  ac_cv_path_ac_pt_PKG_CONFIG="$ac_pt_PKG_CONFIG" # Let the user override the test with a path.
+  ;;
+  *)
+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+  for ac_exec_ext in '' $ac_executable_extensions; do
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+    ac_cv_path_ac_pt_PKG_CONFIG="$as_dir/$ac_word$ac_exec_ext"
+    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+done
+IFS=$as_save_IFS
+
+  ;;
+esac
+fi
+ac_pt_PKG_CONFIG=$ac_cv_path_ac_pt_PKG_CONFIG
+if test -n "$ac_pt_PKG_CONFIG"; then
+  { echo "$as_me:$LINENO: result: $ac_pt_PKG_CONFIG" >&5
+echo "${ECHO_T}$ac_pt_PKG_CONFIG" >&6; }
+else
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
+
+  if test "x$ac_pt_PKG_CONFIG" = x; then
+    PKG_CONFIG=""
+  else
+    case $cross_compiling:$ac_tool_warned in
+yes:)
+{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
+whose name does not start with the host triplet.  If you think this
+configuration is useful to you, please write to autoconf@gnu.org." >&5
+echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
+whose name does not start with the host triplet.  If you think this
+configuration is useful to you, please write to autoconf@gnu.org." >&2;}
+ac_tool_warned=yes ;;
+esac
+    PKG_CONFIG=$ac_pt_PKG_CONFIG
+  fi
+else
+  PKG_CONFIG="$ac_cv_path_PKG_CONFIG"
+fi
+
+fi
+if test -n "$PKG_CONFIG"; then
+	_pkg_min_version=0.9.0
+	{ echo "$as_me:$LINENO: checking pkg-config is at least version $_pkg_min_version" >&5
+echo $ECHO_N "checking pkg-config is at least version $_pkg_min_version... $ECHO_C" >&6; }
+	if $PKG_CONFIG --atleast-pkgconfig-version $_pkg_min_version; then
+		{ echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
+	else
+		{ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+		PKG_CONFIG=""
+	fi
+
+fi
+
+pkg_failed=no
+{ echo "$as_me:$LINENO: checking for GTHREAD" >&5
+echo $ECHO_N "checking for GTHREAD... $ECHO_C" >&6; }
+
+if test -n "$PKG_CONFIG"; then
+    if test -n "$GTHREAD_CFLAGS"; then
+        pkg_cv_GTHREAD_CFLAGS="$GTHREAD_CFLAGS"
+    else
+        if test -n "$PKG_CONFIG" && \
+    { (echo "$as_me:$LINENO: \$PKG_CONFIG --exists --print-errors \"gthread-2.0\"") >&5
+  ($PKG_CONFIG --exists --print-errors "gthread-2.0") 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  pkg_cv_GTHREAD_CFLAGS=`$PKG_CONFIG --cflags "gthread-2.0" 2>/dev/null`
+else
+  pkg_failed=yes
+fi
+    fi
+else
+	pkg_failed=untried
+fi
+if test -n "$PKG_CONFIG"; then
+    if test -n "$GTHREAD_LIBS"; then
+        pkg_cv_GTHREAD_LIBS="$GTHREAD_LIBS"
+    else
+        if test -n "$PKG_CONFIG" && \
+    { (echo "$as_me:$LINENO: \$PKG_CONFIG --exists --print-errors \"gthread-2.0\"") >&5
+  ($PKG_CONFIG --exists --print-errors "gthread-2.0") 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  pkg_cv_GTHREAD_LIBS=`$PKG_CONFIG --libs "gthread-2.0" 2>/dev/null`
+else
+  pkg_failed=yes
+fi
+    fi
+else
+	pkg_failed=untried
+fi
+
+
+
+if test $pkg_failed = yes; then
+
+if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
+        _pkg_short_errors_supported=yes
+else
+        _pkg_short_errors_supported=no
+fi
+        if test $_pkg_short_errors_supported = yes; then
+	        GTHREAD_PKG_ERRORS=`$PKG_CONFIG --short-errors --errors-to-stdout --print-errors "gthread-2.0"`
+        else
+	        GTHREAD_PKG_ERRORS=`$PKG_CONFIG --errors-to-stdout --print-errors "gthread-2.0"`
+        fi
+	# Put the nasty error message in config.log where it belongs
+	echo "$GTHREAD_PKG_ERRORS" >&5
+
+	{ { echo "$as_me:$LINENO: error: Package requirements (gthread-2.0) were not met:
+
+$GTHREAD_PKG_ERRORS
+
+Consider adjusting the PKG_CONFIG_PATH environment variable if you
+installed software in a non-standard prefix.
+
+Alternatively, you may set the environment variables GTHREAD_CFLAGS
+and GTHREAD_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details.
+" >&5
+echo "$as_me: error: Package requirements (gthread-2.0) were not met:
+
+$GTHREAD_PKG_ERRORS
+
+Consider adjusting the PKG_CONFIG_PATH environment variable if you
+installed software in a non-standard prefix.
+
+Alternatively, you may set the environment variables GTHREAD_CFLAGS
+and GTHREAD_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details.
+" >&2;}
+   { (exit 1); exit 1; }; }
+elif test $pkg_failed = untried; then
+	{ { echo "$as_me:$LINENO: error: The pkg-config script could not be found or is too old.  Make sure it
+is in your PATH or set the PKG_CONFIG environment variable to the full
+path to pkg-config.
+
+Alternatively, you may set the environment variables GTHREAD_CFLAGS
+and GTHREAD_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details.
+
+To get pkg-config, see <http://pkg-config.freedesktop.org/>.
+See \`config.log' for more details." >&5
+echo "$as_me: error: The pkg-config script could not be found or is too old.  Make sure it
+is in your PATH or set the PKG_CONFIG environment variable to the full
+path to pkg-config.
+
+Alternatively, you may set the environment variables GTHREAD_CFLAGS
+and GTHREAD_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details.
+
+To get pkg-config, see <http://pkg-config.freedesktop.org/>.
+See \`config.log' for more details." >&2;}
+   { (exit 1); exit 1; }; }
+else
+	GTHREAD_CFLAGS=$pkg_cv_GTHREAD_CFLAGS
+	GTHREAD_LIBS=$pkg_cv_GTHREAD_LIBS
+        { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
+	:
+fi
+
+
+
+
+pkg_failed=no
+{ echo "$as_me:$LINENO: checking for DBUS" >&5
+echo $ECHO_N "checking for DBUS... $ECHO_C" >&6; }
+
+if test -n "$PKG_CONFIG"; then
+    if test -n "$DBUS_CFLAGS"; then
+        pkg_cv_DBUS_CFLAGS="$DBUS_CFLAGS"
+    else
+        if test -n "$PKG_CONFIG" && \
+    { (echo "$as_me:$LINENO: \$PKG_CONFIG --exists --print-errors \"dbus-glib-1 >= 0.30\"") >&5
+  ($PKG_CONFIG --exists --print-errors "dbus-glib-1 >= 0.30") 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  pkg_cv_DBUS_CFLAGS=`$PKG_CONFIG --cflags "dbus-glib-1 >= 0.30" 2>/dev/null`
+else
+  pkg_failed=yes
+fi
+    fi
+else
+	pkg_failed=untried
+fi
+if test -n "$PKG_CONFIG"; then
+    if test -n "$DBUS_LIBS"; then
+        pkg_cv_DBUS_LIBS="$DBUS_LIBS"
+    else
+        if test -n "$PKG_CONFIG" && \
+    { (echo "$as_me:$LINENO: \$PKG_CONFIG --exists --print-errors \"dbus-glib-1 >= 0.30\"") >&5
+  ($PKG_CONFIG --exists --print-errors "dbus-glib-1 >= 0.30") 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  pkg_cv_DBUS_LIBS=`$PKG_CONFIG --libs "dbus-glib-1 >= 0.30" 2>/dev/null`
+else
+  pkg_failed=yes
+fi
+    fi
+else
+	pkg_failed=untried
+fi
+
+
+
+if test $pkg_failed = yes; then
+
+if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
+        _pkg_short_errors_supported=yes
+else
+        _pkg_short_errors_supported=no
+fi
+        if test $_pkg_short_errors_supported = yes; then
+	        DBUS_PKG_ERRORS=`$PKG_CONFIG --short-errors --errors-to-stdout --print-errors "dbus-glib-1 >= 0.30"`
+        else
+	        DBUS_PKG_ERRORS=`$PKG_CONFIG --errors-to-stdout --print-errors "dbus-glib-1 >= 0.30"`
+        fi
+	# Put the nasty error message in config.log where it belongs
+	echo "$DBUS_PKG_ERRORS" >&5
+
+	{ { echo "$as_me:$LINENO: error: Package requirements (dbus-glib-1 >= 0.30) were not met:
+
+$DBUS_PKG_ERRORS
+
+Consider adjusting the PKG_CONFIG_PATH environment variable if you
+installed software in a non-standard prefix.
+
+Alternatively, you may set the environment variables DBUS_CFLAGS
+and DBUS_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details.
+" >&5
+echo "$as_me: error: Package requirements (dbus-glib-1 >= 0.30) were not met:
+
+$DBUS_PKG_ERRORS
+
+Consider adjusting the PKG_CONFIG_PATH environment variable if you
+installed software in a non-standard prefix.
+
+Alternatively, you may set the environment variables DBUS_CFLAGS
+and DBUS_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details.
+" >&2;}
+   { (exit 1); exit 1; }; }
+elif test $pkg_failed = untried; then
+	{ { echo "$as_me:$LINENO: error: The pkg-config script could not be found or is too old.  Make sure it
+is in your PATH or set the PKG_CONFIG environment variable to the full
+path to pkg-config.
+
+Alternatively, you may set the environment variables DBUS_CFLAGS
+and DBUS_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details.
+
+To get pkg-config, see <http://pkg-config.freedesktop.org/>.
+See \`config.log' for more details." >&5
+echo "$as_me: error: The pkg-config script could not be found or is too old.  Make sure it
+is in your PATH or set the PKG_CONFIG environment variable to the full
+path to pkg-config.
+
+Alternatively, you may set the environment variables DBUS_CFLAGS
+and DBUS_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details.
+
+To get pkg-config, see <http://pkg-config.freedesktop.org/>.
+See \`config.log' for more details." >&2;}
+   { (exit 1); exit 1; }; }
+else
+	DBUS_CFLAGS=$pkg_cv_DBUS_CFLAGS
+	DBUS_LIBS=$pkg_cv_DBUS_LIBS
+        { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
+	:
+fi
+
+
+
+if test x"$with_gnome" != xno; then
+
+pkg_failed=no
+{ echo "$as_me:$LINENO: checking for GTK" >&5
+echo $ECHO_N "checking for GTK... $ECHO_C" >&6; }
+
+if test -n "$PKG_CONFIG"; then
+    if test -n "$GTK_CFLAGS"; then
+        pkg_cv_GTK_CFLAGS="$GTK_CFLAGS"
+    else
+        if test -n "$PKG_CONFIG" && \
+    { (echo "$as_me:$LINENO: \$PKG_CONFIG --exists --print-errors \"gtk+-2.0 >= 2.6\"") >&5
+  ($PKG_CONFIG --exists --print-errors "gtk+-2.0 >= 2.6") 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  pkg_cv_GTK_CFLAGS=`$PKG_CONFIG --cflags "gtk+-2.0 >= 2.6" 2>/dev/null`
+else
+  pkg_failed=yes
+fi
+    fi
+else
+	pkg_failed=untried
+fi
+if test -n "$PKG_CONFIG"; then
+    if test -n "$GTK_LIBS"; then
+        pkg_cv_GTK_LIBS="$GTK_LIBS"
+    else
+        if test -n "$PKG_CONFIG" && \
+    { (echo "$as_me:$LINENO: \$PKG_CONFIG --exists --print-errors \"gtk+-2.0 >= 2.6\"") >&5
+  ($PKG_CONFIG --exists --print-errors "gtk+-2.0 >= 2.6") 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  pkg_cv_GTK_LIBS=`$PKG_CONFIG --libs "gtk+-2.0 >= 2.6" 2>/dev/null`
+else
+  pkg_failed=yes
+fi
+    fi
+else
+	pkg_failed=untried
+fi
+
+
+
+if test $pkg_failed = yes; then
+
+if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
+        _pkg_short_errors_supported=yes
+else
+        _pkg_short_errors_supported=no
+fi
+        if test $_pkg_short_errors_supported = yes; then
+	        GTK_PKG_ERRORS=`$PKG_CONFIG --short-errors --errors-to-stdout --print-errors "gtk+-2.0 >= 2.6"`
+        else
+	        GTK_PKG_ERRORS=`$PKG_CONFIG --errors-to-stdout --print-errors "gtk+-2.0 >= 2.6"`
+        fi
+	# Put the nasty error message in config.log where it belongs
+	echo "$GTK_PKG_ERRORS" >&5
+
+	{ { echo "$as_me:$LINENO: error: Package requirements (gtk+-2.0 >= 2.6) were not met:
+
+$GTK_PKG_ERRORS
+
+Consider adjusting the PKG_CONFIG_PATH environment variable if you
+installed software in a non-standard prefix.
+
+Alternatively, you may set the environment variables GTK_CFLAGS
+and GTK_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details.
+" >&5
+echo "$as_me: error: Package requirements (gtk+-2.0 >= 2.6) were not met:
+
+$GTK_PKG_ERRORS
+
+Consider adjusting the PKG_CONFIG_PATH environment variable if you
+installed software in a non-standard prefix.
+
+Alternatively, you may set the environment variables GTK_CFLAGS
+and GTK_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details.
+" >&2;}
+   { (exit 1); exit 1; }; }
+elif test $pkg_failed = untried; then
+	{ { echo "$as_me:$LINENO: error: The pkg-config script could not be found or is too old.  Make sure it
+is in your PATH or set the PKG_CONFIG environment variable to the full
+path to pkg-config.
+
+Alternatively, you may set the environment variables GTK_CFLAGS
+and GTK_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details.
+
+To get pkg-config, see <http://pkg-config.freedesktop.org/>.
+See \`config.log' for more details." >&5
+echo "$as_me: error: The pkg-config script could not be found or is too old.  Make sure it
+is in your PATH or set the PKG_CONFIG environment variable to the full
+path to pkg-config.
+
+Alternatively, you may set the environment variables GTK_CFLAGS
+and GTK_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details.
+
+To get pkg-config, see <http://pkg-config.freedesktop.org/>.
+See \`config.log' for more details." >&2;}
+   { (exit 1); exit 1; }; }
+else
+	GTK_CFLAGS=$pkg_cv_GTK_CFLAGS
+	GTK_LIBS=$pkg_cv_GTK_LIBS
+        { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
+	:
+fi
+
+
+
+
+pkg_failed=no
+{ echo "$as_me:$LINENO: checking for GDK_PIXBUF" >&5
+echo $ECHO_N "checking for GDK_PIXBUF... $ECHO_C" >&6; }
+
+if test -n "$PKG_CONFIG"; then
+    if test -n "$GDK_PIXBUF_CFLAGS"; then
+        pkg_cv_GDK_PIXBUF_CFLAGS="$GDK_PIXBUF_CFLAGS"
+    else
+        if test -n "$PKG_CONFIG" && \
+    { (echo "$as_me:$LINENO: \$PKG_CONFIG --exists --print-errors \"gdk-pixbuf-2.0\"") >&5
+  ($PKG_CONFIG --exists --print-errors "gdk-pixbuf-2.0") 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  pkg_cv_GDK_PIXBUF_CFLAGS=`$PKG_CONFIG --cflags "gdk-pixbuf-2.0" 2>/dev/null`
+else
+  pkg_failed=yes
+fi
+    fi
+else
+	pkg_failed=untried
+fi
+if test -n "$PKG_CONFIG"; then
+    if test -n "$GDK_PIXBUF_LIBS"; then
+        pkg_cv_GDK_PIXBUF_LIBS="$GDK_PIXBUF_LIBS"
+    else
+        if test -n "$PKG_CONFIG" && \
+    { (echo "$as_me:$LINENO: \$PKG_CONFIG --exists --print-errors \"gdk-pixbuf-2.0\"") >&5
+  ($PKG_CONFIG --exists --print-errors "gdk-pixbuf-2.0") 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  pkg_cv_GDK_PIXBUF_LIBS=`$PKG_CONFIG --libs "gdk-pixbuf-2.0" 2>/dev/null`
+else
+  pkg_failed=yes
+fi
+    fi
+else
+	pkg_failed=untried
+fi
+
+
+
+if test $pkg_failed = yes; then
+
+if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
+        _pkg_short_errors_supported=yes
+else
+        _pkg_short_errors_supported=no
+fi
+        if test $_pkg_short_errors_supported = yes; then
+	        GDK_PIXBUF_PKG_ERRORS=`$PKG_CONFIG --short-errors --errors-to-stdout --print-errors "gdk-pixbuf-2.0"`
+        else
+	        GDK_PIXBUF_PKG_ERRORS=`$PKG_CONFIG --errors-to-stdout --print-errors "gdk-pixbuf-2.0"`
+        fi
+	# Put the nasty error message in config.log where it belongs
+	echo "$GDK_PIXBUF_PKG_ERRORS" >&5
+
+	{ { echo "$as_me:$LINENO: error: Package requirements (gdk-pixbuf-2.0) were not met:
+
+$GDK_PIXBUF_PKG_ERRORS
+
+Consider adjusting the PKG_CONFIG_PATH environment variable if you
+installed software in a non-standard prefix.
+
+Alternatively, you may set the environment variables GDK_PIXBUF_CFLAGS
+and GDK_PIXBUF_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details.
+" >&5
+echo "$as_me: error: Package requirements (gdk-pixbuf-2.0) were not met:
+
+$GDK_PIXBUF_PKG_ERRORS
+
+Consider adjusting the PKG_CONFIG_PATH environment variable if you
+installed software in a non-standard prefix.
+
+Alternatively, you may set the environment variables GDK_PIXBUF_CFLAGS
+and GDK_PIXBUF_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details.
+" >&2;}
+   { (exit 1); exit 1; }; }
+elif test $pkg_failed = untried; then
+	{ { echo "$as_me:$LINENO: error: The pkg-config script could not be found or is too old.  Make sure it
+is in your PATH or set the PKG_CONFIG environment variable to the full
+path to pkg-config.
+
+Alternatively, you may set the environment variables GDK_PIXBUF_CFLAGS
+and GDK_PIXBUF_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details.
+
+To get pkg-config, see <http://pkg-config.freedesktop.org/>.
+See \`config.log' for more details." >&5
+echo "$as_me: error: The pkg-config script could not be found or is too old.  Make sure it
+is in your PATH or set the PKG_CONFIG environment variable to the full
+path to pkg-config.
+
+Alternatively, you may set the environment variables GDK_PIXBUF_CFLAGS
+and GDK_PIXBUF_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details.
+
+To get pkg-config, see <http://pkg-config.freedesktop.org/>.
+See \`config.log' for more details." >&2;}
+   { (exit 1); exit 1; }; }
+else
+	GDK_PIXBUF_CFLAGS=$pkg_cv_GDK_PIXBUF_CFLAGS
+	GDK_PIXBUF_LIBS=$pkg_cv_GDK_PIXBUF_LIBS
+        { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
+	:
+fi
+
+
+
+
+pkg_failed=no
+{ echo "$as_me:$LINENO: checking for GLADE" >&5
+echo $ECHO_N "checking for GLADE... $ECHO_C" >&6; }
+
+if test -n "$PKG_CONFIG"; then
+    if test -n "$GLADE_CFLAGS"; then
+        pkg_cv_GLADE_CFLAGS="$GLADE_CFLAGS"
+    else
+        if test -n "$PKG_CONFIG" && \
+    { (echo "$as_me:$LINENO: \$PKG_CONFIG --exists --print-errors \"libglade-2.0\"") >&5
+  ($PKG_CONFIG --exists --print-errors "libglade-2.0") 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  pkg_cv_GLADE_CFLAGS=`$PKG_CONFIG --cflags "libglade-2.0" 2>/dev/null`
+else
+  pkg_failed=yes
+fi
+    fi
+else
+	pkg_failed=untried
+fi
+if test -n "$PKG_CONFIG"; then
+    if test -n "$GLADE_LIBS"; then
+        pkg_cv_GLADE_LIBS="$GLADE_LIBS"
+    else
+        if test -n "$PKG_CONFIG" && \
+    { (echo "$as_me:$LINENO: \$PKG_CONFIG --exists --print-errors \"libglade-2.0\"") >&5
+  ($PKG_CONFIG --exists --print-errors "libglade-2.0") 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  pkg_cv_GLADE_LIBS=`$PKG_CONFIG --libs "libglade-2.0" 2>/dev/null`
+else
+  pkg_failed=yes
+fi
+    fi
+else
+	pkg_failed=untried
+fi
+
+
+
+if test $pkg_failed = yes; then
+
+if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
+        _pkg_short_errors_supported=yes
+else
+        _pkg_short_errors_supported=no
+fi
+        if test $_pkg_short_errors_supported = yes; then
+	        GLADE_PKG_ERRORS=`$PKG_CONFIG --short-errors --errors-to-stdout --print-errors "libglade-2.0"`
+        else
+	        GLADE_PKG_ERRORS=`$PKG_CONFIG --errors-to-stdout --print-errors "libglade-2.0"`
+        fi
+	# Put the nasty error message in config.log where it belongs
+	echo "$GLADE_PKG_ERRORS" >&5
+
+	{ { echo "$as_me:$LINENO: error: Package requirements (libglade-2.0) were not met:
+
+$GLADE_PKG_ERRORS
+
+Consider adjusting the PKG_CONFIG_PATH environment variable if you
+installed software in a non-standard prefix.
+
+Alternatively, you may set the environment variables GLADE_CFLAGS
+and GLADE_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details.
+" >&5
+echo "$as_me: error: Package requirements (libglade-2.0) were not met:
+
+$GLADE_PKG_ERRORS
+
+Consider adjusting the PKG_CONFIG_PATH environment variable if you
+installed software in a non-standard prefix.
+
+Alternatively, you may set the environment variables GLADE_CFLAGS
+and GLADE_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details.
+" >&2;}
+   { (exit 1); exit 1; }; }
+elif test $pkg_failed = untried; then
+	{ { echo "$as_me:$LINENO: error: The pkg-config script could not be found or is too old.  Make sure it
+is in your PATH or set the PKG_CONFIG environment variable to the full
+path to pkg-config.
+
+Alternatively, you may set the environment variables GLADE_CFLAGS
+and GLADE_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details.
+
+To get pkg-config, see <http://pkg-config.freedesktop.org/>.
+See \`config.log' for more details." >&5
+echo "$as_me: error: The pkg-config script could not be found or is too old.  Make sure it
+is in your PATH or set the PKG_CONFIG environment variable to the full
+path to pkg-config.
+
+Alternatively, you may set the environment variables GLADE_CFLAGS
+and GLADE_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details.
+
+To get pkg-config, see <http://pkg-config.freedesktop.org/>.
+See \`config.log' for more details." >&2;}
+   { (exit 1); exit 1; }; }
+else
+	GLADE_CFLAGS=$pkg_cv_GLADE_CFLAGS
+	GLADE_LIBS=$pkg_cv_GLADE_LIBS
+        { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
+	:
+fi
+
+
+
+
+pkg_failed=no
+{ echo "$as_me:$LINENO: checking for LIBGNOMEUI" >&5
+echo $ECHO_N "checking for LIBGNOMEUI... $ECHO_C" >&6; }
+
+if test -n "$PKG_CONFIG"; then
+    if test -n "$LIBGNOMEUI_CFLAGS"; then
+        pkg_cv_LIBGNOMEUI_CFLAGS="$LIBGNOMEUI_CFLAGS"
+    else
+        if test -n "$PKG_CONFIG" && \
+    { (echo "$as_me:$LINENO: \$PKG_CONFIG --exists --print-errors \"libgnomeui-2.0\"") >&5
+  ($PKG_CONFIG --exists --print-errors "libgnomeui-2.0") 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  pkg_cv_LIBGNOMEUI_CFLAGS=`$PKG_CONFIG --cflags "libgnomeui-2.0" 2>/dev/null`
+else
+  pkg_failed=yes
+fi
+    fi
+else
+	pkg_failed=untried
+fi
+if test -n "$PKG_CONFIG"; then
+    if test -n "$LIBGNOMEUI_LIBS"; then
+        pkg_cv_LIBGNOMEUI_LIBS="$LIBGNOMEUI_LIBS"
+    else
+        if test -n "$PKG_CONFIG" && \
+    { (echo "$as_me:$LINENO: \$PKG_CONFIG --exists --print-errors \"libgnomeui-2.0\"") >&5
+  ($PKG_CONFIG --exists --print-errors "libgnomeui-2.0") 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  pkg_cv_LIBGNOMEUI_LIBS=`$PKG_CONFIG --libs "libgnomeui-2.0" 2>/dev/null`
+else
+  pkg_failed=yes
+fi
+    fi
+else
+	pkg_failed=untried
+fi
+
+
+
+if test $pkg_failed = yes; then
+
+if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
+        _pkg_short_errors_supported=yes
+else
+        _pkg_short_errors_supported=no
+fi
+        if test $_pkg_short_errors_supported = yes; then
+	        LIBGNOMEUI_PKG_ERRORS=`$PKG_CONFIG --short-errors --errors-to-stdout --print-errors "libgnomeui-2.0"`
+        else
+	        LIBGNOMEUI_PKG_ERRORS=`$PKG_CONFIG --errors-to-stdout --print-errors "libgnomeui-2.0"`
+        fi
+	# Put the nasty error message in config.log where it belongs
+	echo "$LIBGNOMEUI_PKG_ERRORS" >&5
+
+	{ { echo "$as_me:$LINENO: error: Package requirements (libgnomeui-2.0) were not met:
+
+$LIBGNOMEUI_PKG_ERRORS
+
+Consider adjusting the PKG_CONFIG_PATH environment variable if you
+installed software in a non-standard prefix.
+
+Alternatively, you may set the environment variables LIBGNOMEUI_CFLAGS
+and LIBGNOMEUI_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details.
+" >&5
+echo "$as_me: error: Package requirements (libgnomeui-2.0) were not met:
+
+$LIBGNOMEUI_PKG_ERRORS
+
+Consider adjusting the PKG_CONFIG_PATH environment variable if you
+installed software in a non-standard prefix.
+
+Alternatively, you may set the environment variables LIBGNOMEUI_CFLAGS
+and LIBGNOMEUI_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details.
+" >&2;}
+   { (exit 1); exit 1; }; }
+elif test $pkg_failed = untried; then
+	{ { echo "$as_me:$LINENO: error: The pkg-config script could not be found or is too old.  Make sure it
+is in your PATH or set the PKG_CONFIG environment variable to the full
+path to pkg-config.
+
+Alternatively, you may set the environment variables LIBGNOMEUI_CFLAGS
+and LIBGNOMEUI_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details.
+
+To get pkg-config, see <http://pkg-config.freedesktop.org/>.
+See \`config.log' for more details." >&5
+echo "$as_me: error: The pkg-config script could not be found or is too old.  Make sure it
+is in your PATH or set the PKG_CONFIG environment variable to the full
+path to pkg-config.
+
+Alternatively, you may set the environment variables LIBGNOMEUI_CFLAGS
+and LIBGNOMEUI_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details.
+
+To get pkg-config, see <http://pkg-config.freedesktop.org/>.
+See \`config.log' for more details." >&2;}
+   { (exit 1); exit 1; }; }
+else
+	LIBGNOMEUI_CFLAGS=$pkg_cv_LIBGNOMEUI_CFLAGS
+	LIBGNOMEUI_LIBS=$pkg_cv_LIBGNOMEUI_LIBS
+        { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
+	:
+fi
+
+
+
+
+pkg_failed=no
+{ echo "$as_me:$LINENO: checking for GCONF" >&5
+echo $ECHO_N "checking for GCONF... $ECHO_C" >&6; }
+
+if test -n "$PKG_CONFIG"; then
+    if test -n "$GCONF_CFLAGS"; then
+        pkg_cv_GCONF_CFLAGS="$GCONF_CFLAGS"
+    else
+        if test -n "$PKG_CONFIG" && \
+    { (echo "$as_me:$LINENO: \$PKG_CONFIG --exists --print-errors \"gconf-2.0\"") >&5
+  ($PKG_CONFIG --exists --print-errors "gconf-2.0") 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  pkg_cv_GCONF_CFLAGS=`$PKG_CONFIG --cflags "gconf-2.0" 2>/dev/null`
+else
+  pkg_failed=yes
+fi
+    fi
+else
+	pkg_failed=untried
+fi
+if test -n "$PKG_CONFIG"; then
+    if test -n "$GCONF_LIBS"; then
+        pkg_cv_GCONF_LIBS="$GCONF_LIBS"
+    else
+        if test -n "$PKG_CONFIG" && \
+    { (echo "$as_me:$LINENO: \$PKG_CONFIG --exists --print-errors \"gconf-2.0\"") >&5
+  ($PKG_CONFIG --exists --print-errors "gconf-2.0") 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  pkg_cv_GCONF_LIBS=`$PKG_CONFIG --libs "gconf-2.0" 2>/dev/null`
+else
+  pkg_failed=yes
+fi
+    fi
+else
+	pkg_failed=untried
+fi
+
+
+
+if test $pkg_failed = yes; then
+
+if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
+        _pkg_short_errors_supported=yes
+else
+        _pkg_short_errors_supported=no
+fi
+        if test $_pkg_short_errors_supported = yes; then
+	        GCONF_PKG_ERRORS=`$PKG_CONFIG --short-errors --errors-to-stdout --print-errors "gconf-2.0"`
+        else
+	        GCONF_PKG_ERRORS=`$PKG_CONFIG --errors-to-stdout --print-errors "gconf-2.0"`
+        fi
+	# Put the nasty error message in config.log where it belongs
+	echo "$GCONF_PKG_ERRORS" >&5
+
+	{ { echo "$as_me:$LINENO: error: Package requirements (gconf-2.0) were not met:
+
+$GCONF_PKG_ERRORS
+
+Consider adjusting the PKG_CONFIG_PATH environment variable if you
+installed software in a non-standard prefix.
+
+Alternatively, you may set the environment variables GCONF_CFLAGS
+and GCONF_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details.
+" >&5
+echo "$as_me: error: Package requirements (gconf-2.0) were not met:
+
+$GCONF_PKG_ERRORS
+
+Consider adjusting the PKG_CONFIG_PATH environment variable if you
+installed software in a non-standard prefix.
+
+Alternatively, you may set the environment variables GCONF_CFLAGS
+and GCONF_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details.
+" >&2;}
+   { (exit 1); exit 1; }; }
+elif test $pkg_failed = untried; then
+	{ { echo "$as_me:$LINENO: error: The pkg-config script could not be found or is too old.  Make sure it
+is in your PATH or set the PKG_CONFIG environment variable to the full
+path to pkg-config.
+
+Alternatively, you may set the environment variables GCONF_CFLAGS
+and GCONF_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details.
+
+To get pkg-config, see <http://pkg-config.freedesktop.org/>.
+See \`config.log' for more details." >&5
+echo "$as_me: error: The pkg-config script could not be found or is too old.  Make sure it
+is in your PATH or set the PKG_CONFIG environment variable to the full
+path to pkg-config.
+
+Alternatively, you may set the environment variables GCONF_CFLAGS
+and GCONF_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details.
+
+To get pkg-config, see <http://pkg-config.freedesktop.org/>.
+See \`config.log' for more details." >&2;}
+   { (exit 1); exit 1; }; }
+else
+	GCONF_CFLAGS=$pkg_cv_GCONF_CFLAGS
+	GCONF_LIBS=$pkg_cv_GCONF_LIBS
+        { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
+	:
+fi
+
+
+
+
+pkg_failed=no
+{ echo "$as_me:$LINENO: checking for GNOMEKEYRING" >&5
+echo $ECHO_N "checking for GNOMEKEYRING... $ECHO_C" >&6; }
+
+if test -n "$PKG_CONFIG"; then
+    if test -n "$GNOMEKEYRING_CFLAGS"; then
+        pkg_cv_GNOMEKEYRING_CFLAGS="$GNOMEKEYRING_CFLAGS"
+    else
+        if test -n "$PKG_CONFIG" && \
+    { (echo "$as_me:$LINENO: \$PKG_CONFIG --exists --print-errors \"gnome-keyring-1\"") >&5
+  ($PKG_CONFIG --exists --print-errors "gnome-keyring-1") 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  pkg_cv_GNOMEKEYRING_CFLAGS=`$PKG_CONFIG --cflags "gnome-keyring-1" 2>/dev/null`
+else
+  pkg_failed=yes
+fi
+    fi
+else
+	pkg_failed=untried
+fi
+if test -n "$PKG_CONFIG"; then
+    if test -n "$GNOMEKEYRING_LIBS"; then
+        pkg_cv_GNOMEKEYRING_LIBS="$GNOMEKEYRING_LIBS"
+    else
+        if test -n "$PKG_CONFIG" && \
+    { (echo "$as_me:$LINENO: \$PKG_CONFIG --exists --print-errors \"gnome-keyring-1\"") >&5
+  ($PKG_CONFIG --exists --print-errors "gnome-keyring-1") 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  pkg_cv_GNOMEKEYRING_LIBS=`$PKG_CONFIG --libs "gnome-keyring-1" 2>/dev/null`
+else
+  pkg_failed=yes
+fi
+    fi
+else
+	pkg_failed=untried
+fi
+
+
+
+if test $pkg_failed = yes; then
+
+if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
+        _pkg_short_errors_supported=yes
+else
+        _pkg_short_errors_supported=no
+fi
+        if test $_pkg_short_errors_supported = yes; then
+	        GNOMEKEYRING_PKG_ERRORS=`$PKG_CONFIG --short-errors --errors-to-stdout --print-errors "gnome-keyring-1"`
+        else
+	        GNOMEKEYRING_PKG_ERRORS=`$PKG_CONFIG --errors-to-stdout --print-errors "gnome-keyring-1"`
+        fi
+	# Put the nasty error message in config.log where it belongs
+	echo "$GNOMEKEYRING_PKG_ERRORS" >&5
+
+	{ { echo "$as_me:$LINENO: error: Package requirements (gnome-keyring-1) were not met:
+
+$GNOMEKEYRING_PKG_ERRORS
+
+Consider adjusting the PKG_CONFIG_PATH environment variable if you
+installed software in a non-standard prefix.
+
+Alternatively, you may set the environment variables GNOMEKEYRING_CFLAGS
+and GNOMEKEYRING_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details.
+" >&5
+echo "$as_me: error: Package requirements (gnome-keyring-1) were not met:
+
+$GNOMEKEYRING_PKG_ERRORS
+
+Consider adjusting the PKG_CONFIG_PATH environment variable if you
+installed software in a non-standard prefix.
+
+Alternatively, you may set the environment variables GNOMEKEYRING_CFLAGS
+and GNOMEKEYRING_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details.
+" >&2;}
+   { (exit 1); exit 1; }; }
+elif test $pkg_failed = untried; then
+	{ { echo "$as_me:$LINENO: error: The pkg-config script could not be found or is too old.  Make sure it
+is in your PATH or set the PKG_CONFIG environment variable to the full
+path to pkg-config.
+
+Alternatively, you may set the environment variables GNOMEKEYRING_CFLAGS
+and GNOMEKEYRING_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details.
+
+To get pkg-config, see <http://pkg-config.freedesktop.org/>.
+See \`config.log' for more details." >&5
+echo "$as_me: error: The pkg-config script could not be found or is too old.  Make sure it
+is in your PATH or set the PKG_CONFIG environment variable to the full
+path to pkg-config.
+
+Alternatively, you may set the environment variables GNOMEKEYRING_CFLAGS
+and GNOMEKEYRING_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details.
+
+To get pkg-config, see <http://pkg-config.freedesktop.org/>.
+See \`config.log' for more details." >&2;}
+   { (exit 1); exit 1; }; }
+else
+	GNOMEKEYRING_CFLAGS=$pkg_cv_GNOMEKEYRING_CFLAGS
+	GNOMEKEYRING_LIBS=$pkg_cv_GNOMEKEYRING_LIBS
+        { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
+	:
+fi
+
+
+fi
+
+
+pkg_failed=no
+{ echo "$as_me:$LINENO: checking for NM_UTILS" >&5
+echo $ECHO_N "checking for NM_UTILS... $ECHO_C" >&6; }
+
+if test -n "$PKG_CONFIG"; then
+    if test -n "$NM_UTILS_CFLAGS"; then
+        pkg_cv_NM_UTILS_CFLAGS="$NM_UTILS_CFLAGS"
+    else
+        if test -n "$PKG_CONFIG" && \
+    { (echo "$as_me:$LINENO: \$PKG_CONFIG --exists --print-errors \"NetworkManager >= 0.7.0 libnm-util libnm_glib libnm_glib_vpn\"") >&5
+  ($PKG_CONFIG --exists --print-errors "NetworkManager >= 0.7.0 libnm-util libnm_glib libnm_glib_vpn") 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  pkg_cv_NM_UTILS_CFLAGS=`$PKG_CONFIG --cflags "NetworkManager >= 0.7.0 libnm-util libnm_glib libnm_glib_vpn" 2>/dev/null`
+else
+  pkg_failed=yes
+fi
+    fi
+else
+	pkg_failed=untried
+fi
+if test -n "$PKG_CONFIG"; then
+    if test -n "$NM_UTILS_LIBS"; then
+        pkg_cv_NM_UTILS_LIBS="$NM_UTILS_LIBS"
+    else
+        if test -n "$PKG_CONFIG" && \
+    { (echo "$as_me:$LINENO: \$PKG_CONFIG --exists --print-errors \"NetworkManager >= 0.7.0 libnm-util libnm_glib libnm_glib_vpn\"") >&5
+  ($PKG_CONFIG --exists --print-errors "NetworkManager >= 0.7.0 libnm-util libnm_glib libnm_glib_vpn") 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  pkg_cv_NM_UTILS_LIBS=`$PKG_CONFIG --libs "NetworkManager >= 0.7.0 libnm-util libnm_glib libnm_glib_vpn" 2>/dev/null`
+else
+  pkg_failed=yes
+fi
+    fi
+else
+	pkg_failed=untried
+fi
+
+
+
+if test $pkg_failed = yes; then
+
+if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
+        _pkg_short_errors_supported=yes
+else
+        _pkg_short_errors_supported=no
+fi
+        if test $_pkg_short_errors_supported = yes; then
+	        NM_UTILS_PKG_ERRORS=`$PKG_CONFIG --short-errors --errors-to-stdout --print-errors "NetworkManager >= 0.7.0 libnm-util libnm_glib libnm_glib_vpn"`
+        else
+	        NM_UTILS_PKG_ERRORS=`$PKG_CONFIG --errors-to-stdout --print-errors "NetworkManager >= 0.7.0 libnm-util libnm_glib libnm_glib_vpn"`
+        fi
+	# Put the nasty error message in config.log where it belongs
+	echo "$NM_UTILS_PKG_ERRORS" >&5
+
+	{ { echo "$as_me:$LINENO: error: Package requirements (NetworkManager >= 0.7.0 libnm-util libnm_glib libnm_glib_vpn) were not met:
+
+$NM_UTILS_PKG_ERRORS
+
+Consider adjusting the PKG_CONFIG_PATH environment variable if you
+installed software in a non-standard prefix.
+
+Alternatively, you may set the environment variables NM_UTILS_CFLAGS
+and NM_UTILS_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details.
+" >&5
+echo "$as_me: error: Package requirements (NetworkManager >= 0.7.0 libnm-util libnm_glib libnm_glib_vpn) were not met:
+
+$NM_UTILS_PKG_ERRORS
+
+Consider adjusting the PKG_CONFIG_PATH environment variable if you
+installed software in a non-standard prefix.
+
+Alternatively, you may set the environment variables NM_UTILS_CFLAGS
+and NM_UTILS_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details.
+" >&2;}
+   { (exit 1); exit 1; }; }
+elif test $pkg_failed = untried; then
+	{ { echo "$as_me:$LINENO: error: The pkg-config script could not be found or is too old.  Make sure it
+is in your PATH or set the PKG_CONFIG environment variable to the full
+path to pkg-config.
+
+Alternatively, you may set the environment variables NM_UTILS_CFLAGS
+and NM_UTILS_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details.
+
+To get pkg-config, see <http://pkg-config.freedesktop.org/>.
+See \`config.log' for more details." >&5
+echo "$as_me: error: The pkg-config script could not be found or is too old.  Make sure it
+is in your PATH or set the PKG_CONFIG environment variable to the full
+path to pkg-config.
+
+Alternatively, you may set the environment variables NM_UTILS_CFLAGS
+and NM_UTILS_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details.
+
+To get pkg-config, see <http://pkg-config.freedesktop.org/>.
+See \`config.log' for more details." >&2;}
+   { (exit 1); exit 1; }; }
+else
+	NM_UTILS_CFLAGS=$pkg_cv_NM_UTILS_CFLAGS
+	NM_UTILS_LIBS=$pkg_cv_NM_UTILS_LIBS
+        { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
+	:
+fi
+
+
+
+
+# Check whether --with-charon was given.
+if test "${with_charon+set}" = set; then
+  withval=$with_charon; charon="$withval"
+
+else
+  charon="${libexecdir}/ipsec/charon"
+
+
+fi
+
+
+# Check whether --enable-more-warnings was given.
+if test "${enable_more_warnings+set}" = set; then
+  enableval=$enable_more_warnings; set_more_warnings="$enableval"
+else
+
+if test -d "$srcdir/{arch}" || test -d "$srcdir/CVS"; then
+	set_more_warnings=yes
+else
+	set_more_warnings=no
+fi
+
+fi
+
+{ echo "$as_me:$LINENO: checking for more warnings" >&5
+echo $ECHO_N "checking for more warnings... $ECHO_C" >&6; }
+if test "$GCC" = "yes" -a "$set_more_warnings" != "no"; then
+	{ echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
+	CFLAGS="-Wall -Werror -std=gnu89 $CFLAGS"
+
+	for option in -Wno-unused -Wno-strict-aliasing -Wno-sign-compare -Wdeclaration-after-statement -Wno-pointer-sign ; do
+		SAVE_CFLAGS="$CFLAGS"
+		CFLAGS="$CFLAGS $option"
+		{ echo "$as_me:$LINENO: checking whether gcc understands $option" >&5
+echo $ECHO_N "checking whether gcc understands $option... $ECHO_C" >&6; }
+		cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  has_option=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	has_option=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+		if test $has_option = no; then
+			CFLAGS="$SAVE_CFLAGS"
+		fi
+		{ echo "$as_me:$LINENO: result: $has_option" >&5
+echo "${ECHO_T}$has_option" >&6; }
+		unset has_option
+		unset SAVE_CFLAGS
+	done
+	unset option
+else
+	{ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
+
+ac_config_files="$ac_config_files Makefile properties/Makefile auth-dialog/Makefile po/Makefile.in"
+
+cat >confcache <<\_ACEOF
+# This file is a shell script that caches the results of configure
+# tests run on this system so they can be shared between configure
+# scripts and configure runs, see configure's option --config-cache.
+# It is not useful on other systems.  If it contains results you don't
+# want to keep, you may remove or edit it.
+#
+# config.status only pays attention to the cache file if you give it
+# the --recheck option to rerun configure.
+#
+# `ac_cv_env_foo' variables (set or unset) will be overridden when
+# loading this file, other *unset* `ac_cv_foo' will be assigned the
+# following values.
+
+_ACEOF
+
+# The following way of writing the cache mishandles newlines in values,
+# but we know of no workaround that is simple, portable, and efficient.
+# So, we kill variables containing newlines.
+# Ultrix sh set writes to stderr and can't be redirected directly,
+# and sets the high bit in the cache file unless we assign to the vars.
+(
+  for ac_var in `(set) 2>&1 | sed -n 's/^\([a-zA-Z_][a-zA-Z0-9_]*\)=.*/\1/p'`; do
+    eval ac_val=\$$ac_var
+    case $ac_val in #(
+    *${as_nl}*)
+      case $ac_var in #(
+      *_cv_*) { echo "$as_me:$LINENO: WARNING: Cache variable $ac_var contains a newline." >&5
+echo "$as_me: WARNING: Cache variable $ac_var contains a newline." >&2;} ;;
+      esac
+      case $ac_var in #(
+      _ | IFS | as_nl) ;; #(
+      *) $as_unset $ac_var ;;
+      esac ;;
+    esac
+  done
+
+  (set) 2>&1 |
+    case $as_nl`(ac_space=' '; set) 2>&1` in #(
+    *${as_nl}ac_space=\ *)
+      # `set' does not quote correctly, so add quotes (double-quote
+      # substitution turns \\\\ into \\, and sed turns \\ into \).
+      sed -n \
+	"s/'/'\\\\''/g;
+	  s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1='\\2'/p"
+      ;; #(
+    *)
+      # `set' quotes correctly as required by POSIX, so do not add quotes.
+      sed -n "/^[_$as_cr_alnum]*_cv_[_$as_cr_alnum]*=/p"
+      ;;
+    esac |
+    sort
+) |
+  sed '
+     /^ac_cv_env_/b end
+     t clear
+     :clear
+     s/^\([^=]*\)=\(.*[{}].*\)$/test "${\1+set}" = set || &/
+     t end
+     s/^\([^=]*\)=\(.*\)$/\1=${\1=\2}/
+     :end' >>confcache
+if diff "$cache_file" confcache >/dev/null 2>&1; then :; else
+  if test -w "$cache_file"; then
+    test "x$cache_file" != "x/dev/null" &&
+      { echo "$as_me:$LINENO: updating cache $cache_file" >&5
+echo "$as_me: updating cache $cache_file" >&6;}
+    cat confcache >$cache_file
+  else
+    { echo "$as_me:$LINENO: not updating unwritable cache $cache_file" >&5
+echo "$as_me: not updating unwritable cache $cache_file" >&6;}
+  fi
+fi
+rm -f confcache
+
+test "x$prefix" = xNONE && prefix=$ac_default_prefix
+# Let make expand exec_prefix.
+test "x$exec_prefix" = xNONE && exec_prefix='${prefix}'
+
+DEFS=-DHAVE_CONFIG_H
+
+ac_libobjs=
+ac_ltlibobjs=
+for ac_i in : $LIBOBJS; do test "x$ac_i" = x: && continue
+  # 1. Remove the extension, and $U if already installed.
+  ac_script='s/\$U\././;s/\.o$//;s/\.obj$//'
+  ac_i=`echo "$ac_i" | sed "$ac_script"`
+  # 2. Prepend LIBOBJDIR.  When used with automake>=1.10 LIBOBJDIR
+  #    will be set to the directory where LIBOBJS objects are built.
+  ac_libobjs="$ac_libobjs \${LIBOBJDIR}$ac_i\$U.$ac_objext"
+  ac_ltlibobjs="$ac_ltlibobjs \${LIBOBJDIR}$ac_i"'$U.lo'
+done
+LIBOBJS=$ac_libobjs
+
+LTLIBOBJS=$ac_ltlibobjs
+
+
+if test -z "${MAINTAINER_MODE_TRUE}" && test -z "${MAINTAINER_MODE_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"MAINTAINER_MODE\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"MAINTAINER_MODE\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
+fi
+if test -z "${AMDEP_TRUE}" && test -z "${AMDEP_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"AMDEP\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"AMDEP\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
+fi
+if test -z "${am__fastdepCC_TRUE}" && test -z "${am__fastdepCC_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"am__fastdepCC\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"am__fastdepCC\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
+fi
+if test -z "${am__fastdepCXX_TRUE}" && test -z "${am__fastdepCXX_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"am__fastdepCXX\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"am__fastdepCXX\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
+fi
+
+  ac_config_commands="$ac_config_commands po/stamp-it"
+
+
+
+: ${CONFIG_STATUS=./config.status}
+ac_clean_files_save=$ac_clean_files
+ac_clean_files="$ac_clean_files $CONFIG_STATUS"
+{ echo "$as_me:$LINENO: creating $CONFIG_STATUS" >&5
+echo "$as_me: creating $CONFIG_STATUS" >&6;}
+cat >$CONFIG_STATUS <<_ACEOF
+#! $SHELL
+# Generated by $as_me.
+# Run this file to recreate the current configuration.
+# Compiler output produced by configure, useful for debugging
+# configure, is in config.log if it exists.
+
+debug=false
+ac_cs_recheck=false
+ac_cs_silent=false
+SHELL=\${CONFIG_SHELL-$SHELL}
+_ACEOF
+
+cat >>$CONFIG_STATUS <<\_ACEOF
+## --------------------- ##
+## M4sh Initialization.  ##
+## --------------------- ##
+
+# Be more Bourne compatible
+DUALCASE=1; export DUALCASE # for MKS sh
+if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
+  emulate sh
+  NULLCMD=:
+  # Zsh 3.x and 4.x performs word splitting on ${1+"$@"}, which
+  # is contrary to our usage.  Disable this feature.
+  alias -g '${1+"$@"}'='"$@"'
+  setopt NO_GLOB_SUBST
+else
+  case `(set -o) 2>/dev/null` in
+  *posix*) set -o posix ;;
+esac
+
+fi
+
+
+
+
+# PATH needs CR
+# Avoid depending upon Character Ranges.
+as_cr_letters='abcdefghijklmnopqrstuvwxyz'
+as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ'
+as_cr_Letters=$as_cr_letters$as_cr_LETTERS
+as_cr_digits='0123456789'
+as_cr_alnum=$as_cr_Letters$as_cr_digits
+
+# The user is always right.
+if test "${PATH_SEPARATOR+set}" != set; then
+  echo "#! /bin/sh" >conf$$.sh
+  echo  "exit 0"   >>conf$$.sh
+  chmod +x conf$$.sh
+  if (PATH="/nonexistent;."; conf$$.sh) >/dev/null 2>&1; then
+    PATH_SEPARATOR=';'
+  else
+    PATH_SEPARATOR=:
+  fi
+  rm -f conf$$.sh
+fi
+
+# Support unset when possible.
+if ( (MAIL=60; unset MAIL) || exit) >/dev/null 2>&1; then
+  as_unset=unset
+else
+  as_unset=false
+fi
+
+
+# IFS
+# We need space, tab and new line, in precisely that order.  Quoting is
+# there to prevent editors from complaining about space-tab.
+# (If _AS_PATH_WALK were called with IFS unset, it would disable word
+# splitting by setting IFS to empty value.)
+as_nl='
+'
+IFS=" ""	$as_nl"
+
+# Find who we are.  Look in the path if we contain no directory separator.
+case $0 in
+  *[\\/]* ) as_myself=$0 ;;
+  *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+  test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break
+done
+IFS=$as_save_IFS
+
+     ;;
+esac
+# We did not find ourselves, most probably we were run as `sh COMMAND'
+# in which case we are not to be found in the path.
+if test "x$as_myself" = x; then
+  as_myself=$0
+fi
+if test ! -f "$as_myself"; then
+  echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2
+  { (exit 1); exit 1; }
+fi
+
+# Work around bugs in pre-3.0 UWIN ksh.
+for as_var in ENV MAIL MAILPATH
+do ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var
+done
+PS1='$ '
+PS2='> '
+PS4='+ '
+
+# NLS nuisances.
+for as_var in \
+  LANG LANGUAGE LC_ADDRESS LC_ALL LC_COLLATE LC_CTYPE LC_IDENTIFICATION \
+  LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER \
+  LC_TELEPHONE LC_TIME
+do
+  if (set +x; test -z "`(eval $as_var=C; export $as_var) 2>&1`"); then
+    eval $as_var=C; export $as_var
+  else
+    ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var
+  fi
+done
+
+# Required to use basename.
+if expr a : '\(a\)' >/dev/null 2>&1 &&
+   test "X`expr 00001 : '.*\(...\)'`" = X001; then
+  as_expr=expr
+else
+  as_expr=false
+fi
+
+if (basename -- /) >/dev/null 2>&1 && test "X`basename -- / 2>&1`" = "X/"; then
+  as_basename=basename
+else
+  as_basename=false
+fi
+
+
+# Name of the executable.
+as_me=`$as_basename -- "$0" ||
+$as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \
+	 X"$0" : 'X\(//\)$' \| \
+	 X"$0" : 'X\(/\)' \| . 2>/dev/null ||
+echo X/"$0" |
+    sed '/^.*\/\([^/][^/]*\)\/*$/{
+	    s//\1/
+	    q
+	  }
+	  /^X\/\(\/\/\)$/{
+	    s//\1/
+	    q
+	  }
+	  /^X\/\(\/\).*/{
+	    s//\1/
+	    q
+	  }
+	  s/.*/./; q'`
+
+# CDPATH.
+$as_unset CDPATH
+
+
+
+  as_lineno_1=$LINENO
+  as_lineno_2=$LINENO
+  test "x$as_lineno_1" != "x$as_lineno_2" &&
+  test "x`expr $as_lineno_1 + 1`" = "x$as_lineno_2" || {
+
+  # Create $as_me.lineno as a copy of $as_myself, but with $LINENO
+  # uniformly replaced by the line number.  The first 'sed' inserts a
+  # line-number line after each line using $LINENO; the second 'sed'
+  # does the real work.  The second script uses 'N' to pair each
+  # line-number line with the line containing $LINENO, and appends
+  # trailing '-' during substitution so that $LINENO is not a special
+  # case at line end.
+  # (Raja R Harinath suggested sed '=', and Paul Eggert wrote the
+  # scripts with optimization help from Paolo Bonzini.  Blame Lee
+  # E. McMahon (1931-1989) for sed's syntax.  :-)
+  sed -n '
+    p
+    /[$]LINENO/=
+  ' <$as_myself |
+    sed '
+      s/[$]LINENO.*/&-/
+      t lineno
+      b
+      :lineno
+      N
+      :loop
+      s/[$]LINENO\([^'$as_cr_alnum'_].*\n\)\(.*\)/\2\1\2/
+      t loop
+      s/-\n.*//
+    ' >$as_me.lineno &&
+  chmod +x "$as_me.lineno" ||
+    { echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2
+   { (exit 1); exit 1; }; }
+
+  # Don't try to exec as it changes $[0], causing all sort of problems
+  # (the dirname of $[0] is not the place where we might find the
+  # original and so on.  Autoconf is especially sensitive to this).
+  . "./$as_me.lineno"
+  # Exit status is that of the last command.
+  exit
+}
+
+
+if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then
+  as_dirname=dirname
+else
+  as_dirname=false
+fi
+
+ECHO_C= ECHO_N= ECHO_T=
+case `echo -n x` in
+-n*)
+  case `echo 'x\c'` in
+  *c*) ECHO_T='	';;	# ECHO_T is single tab character.
+  *)   ECHO_C='\c';;
+  esac;;
+*)
+  ECHO_N='-n';;
+esac
+
+if expr a : '\(a\)' >/dev/null 2>&1 &&
+   test "X`expr 00001 : '.*\(...\)'`" = X001; then
+  as_expr=expr
+else
+  as_expr=false
+fi
+
+rm -f conf$$ conf$$.exe conf$$.file
+if test -d conf$$.dir; then
+  rm -f conf$$.dir/conf$$.file
+else
+  rm -f conf$$.dir
+  mkdir conf$$.dir
+fi
+echo >conf$$.file
+if ln -s conf$$.file conf$$ 2>/dev/null; then
+  as_ln_s='ln -s'
+  # ... but there are two gotchas:
+  # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail.
+  # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable.
+  # In both cases, we have to default to `cp -p'.
+  ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe ||
+    as_ln_s='cp -p'
+elif ln conf$$.file conf$$ 2>/dev/null; then
+  as_ln_s=ln
+else
+  as_ln_s='cp -p'
+fi
+rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file
+rmdir conf$$.dir 2>/dev/null
+
+if mkdir -p . 2>/dev/null; then
+  as_mkdir_p=:
+else
+  test -d ./-p && rmdir ./-p
+  as_mkdir_p=false
+fi
+
+if test -x / >/dev/null 2>&1; then
+  as_test_x='test -x'
+else
+  if ls -dL / >/dev/null 2>&1; then
+    as_ls_L_option=L
+  else
+    as_ls_L_option=
+  fi
+  as_test_x='
+    eval sh -c '\''
+      if test -d "$1"; then
+        test -d "$1/.";
+      else
+	case $1 in
+        -*)set "./$1";;
+	esac;
+	case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in
+	???[sx]*):;;*)false;;esac;fi
+    '\'' sh
+  '
+fi
+as_executable_p=$as_test_x
+
+# Sed expression to map a string onto a valid CPP name.
+as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'"
+
+# Sed expression to map a string onto a valid variable name.
+as_tr_sh="eval sed 'y%*+%pp%;s%[^_$as_cr_alnum]%_%g'"
+
+
+exec 6>&1
+
+# Save the log message, to keep $[0] and so on meaningful, and to
+# report actual input values of CONFIG_FILES etc. instead of their
+# values after options handling.
+ac_log="
+This file was extended by NetworkManager-strongswan $as_me 4.2.6, which was
+generated by GNU Autoconf 2.61.  Invocation command line was
+
+  CONFIG_FILES    = $CONFIG_FILES
+  CONFIG_HEADERS  = $CONFIG_HEADERS
+  CONFIG_LINKS    = $CONFIG_LINKS
+  CONFIG_COMMANDS = $CONFIG_COMMANDS
+  $ $0 $@
+
+on `(hostname || uname -n) 2>/dev/null | sed 1q`
+"
+
+_ACEOF
+
+cat >>$CONFIG_STATUS <<_ACEOF
+# Files that config.status was made for.
+config_files="$ac_config_files"
+config_headers="$ac_config_headers"
+config_commands="$ac_config_commands"
+
+_ACEOF
+
+cat >>$CONFIG_STATUS <<\_ACEOF
+ac_cs_usage="\
+\`$as_me' instantiates files from templates according to the
+current configuration.
+
+Usage: $0 [OPTIONS] [FILE]...
+
+  -h, --help       print this help, then exit
+  -V, --version    print version number and configuration settings, then exit
+  -q, --quiet      do not print progress messages
+  -d, --debug      don't remove temporary files
+      --recheck    update $as_me by reconfiguring in the same conditions
+  --file=FILE[:TEMPLATE]
+		   instantiate the configuration file FILE
+  --header=FILE[:TEMPLATE]
+		   instantiate the configuration header FILE
+
+Configuration files:
+$config_files
+
+Configuration headers:
+$config_headers
+
+Configuration commands:
+$config_commands
+
+Report bugs to <bug-autoconf@gnu.org>."
+
+_ACEOF
+cat >>$CONFIG_STATUS <<_ACEOF
+ac_cs_version="\\
+NetworkManager-strongswan config.status 4.2.6
+configured by $0, generated by GNU Autoconf 2.61,
+  with options \\"`echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`\\"
+
+Copyright (C) 2006 Free Software Foundation, Inc.
+This config.status script is free software; the Free Software Foundation
+gives unlimited permission to copy, distribute and modify it."
+
+ac_pwd='$ac_pwd'
+srcdir='$srcdir'
+INSTALL='$INSTALL'
+MKDIR_P='$MKDIR_P'
+_ACEOF
+
+cat >>$CONFIG_STATUS <<\_ACEOF
+# If no file are specified by the user, then we need to provide default
+# value.  By we need to know if files were specified by the user.
+ac_need_defaults=:
+while test $# != 0
+do
+  case $1 in
+  --*=*)
+    ac_option=`expr "X$1" : 'X\([^=]*\)='`
+    ac_optarg=`expr "X$1" : 'X[^=]*=\(.*\)'`
+    ac_shift=:
+    ;;
+  *)
+    ac_option=$1
+    ac_optarg=$2
+    ac_shift=shift
+    ;;
+  esac
+
+  case $ac_option in
+  # Handling of the options.
+  -recheck | --recheck | --rechec | --reche | --rech | --rec | --re | --r)
+    ac_cs_recheck=: ;;
+  --version | --versio | --versi | --vers | --ver | --ve | --v | -V )
+    echo "$ac_cs_version"; exit ;;
+  --debug | --debu | --deb | --de | --d | -d )
+    debug=: ;;
+  --file | --fil | --fi | --f )
+    $ac_shift
+    CONFIG_FILES="$CONFIG_FILES $ac_optarg"
+    ac_need_defaults=false;;
+  --header | --heade | --head | --hea )
+    $ac_shift
+    CONFIG_HEADERS="$CONFIG_HEADERS $ac_optarg"
+    ac_need_defaults=false;;
+  --he | --h)
+    # Conflict between --help and --header
+    { echo "$as_me: error: ambiguous option: $1
+Try \`$0 --help' for more information." >&2
+   { (exit 1); exit 1; }; };;
+  --help | --hel | -h )
+    echo "$ac_cs_usage"; exit ;;
+  -q | -quiet | --quiet | --quie | --qui | --qu | --q \
+  | -silent | --silent | --silen | --sile | --sil | --si | --s)
+    ac_cs_silent=: ;;
+
+  # This is an error.
+  -*) { echo "$as_me: error: unrecognized option: $1
+Try \`$0 --help' for more information." >&2
+   { (exit 1); exit 1; }; } ;;
+
+  *) ac_config_targets="$ac_config_targets $1"
+     ac_need_defaults=false ;;
+
+  esac
+  shift
+done
+
+ac_configure_extra_args=
+
+if $ac_cs_silent; then
+  exec 6>/dev/null
+  ac_configure_extra_args="$ac_configure_extra_args --silent"
+fi
+
+_ACEOF
+cat >>$CONFIG_STATUS <<_ACEOF
+if \$ac_cs_recheck; then
+  echo "running CONFIG_SHELL=$SHELL $SHELL $0 "$ac_configure_args \$ac_configure_extra_args " --no-create --no-recursion" >&6
+  CONFIG_SHELL=$SHELL
+  export CONFIG_SHELL
+  exec $SHELL "$0"$ac_configure_args \$ac_configure_extra_args --no-create --no-recursion
+fi
+
+_ACEOF
+cat >>$CONFIG_STATUS <<\_ACEOF
+exec 5>>config.log
+{
+  echo
+  sed 'h;s/./-/g;s/^.../## /;s/...$/ ##/;p;x;p;x' <<_ASBOX
+## Running $as_me. ##
+_ASBOX
+  echo "$ac_log"
+} >&5
+
+_ACEOF
+cat >>$CONFIG_STATUS <<_ACEOF
+#
+# INIT-COMMANDS
+#
+AMDEP_TRUE="$AMDEP_TRUE" ac_aux_dir="$ac_aux_dir"
+INTLTOOL_PERL='${INTLTOOL_PERL}' ac_aux_dir='${ac_aux_dir}'
+prefix="$prefix" exec_prefix="$exec_prefix" INTLTOOL_LIBDIR="$libdir"
+INTLTOOL_EXTRACT='${INTLTOOL_EXTRACT}'
+
+
+_ACEOF
+
+cat >>$CONFIG_STATUS <<\_ACEOF
+
+# Handling of arguments.
+for ac_config_target in $ac_config_targets
+do
+  case $ac_config_target in
+    "config.h") CONFIG_HEADERS="$CONFIG_HEADERS config.h" ;;
+    "depfiles") CONFIG_COMMANDS="$CONFIG_COMMANDS depfiles" ;;
+    "intltool") CONFIG_COMMANDS="$CONFIG_COMMANDS intltool" ;;
+    "default-1") CONFIG_COMMANDS="$CONFIG_COMMANDS default-1" ;;
+    "Makefile") CONFIG_FILES="$CONFIG_FILES Makefile" ;;
+    "properties/Makefile") CONFIG_FILES="$CONFIG_FILES properties/Makefile" ;;
+    "auth-dialog/Makefile") CONFIG_FILES="$CONFIG_FILES auth-dialog/Makefile" ;;
+    "po/Makefile.in") CONFIG_FILES="$CONFIG_FILES po/Makefile.in" ;;
+    "po/stamp-it") CONFIG_COMMANDS="$CONFIG_COMMANDS po/stamp-it" ;;
+
+  *) { { echo "$as_me:$LINENO: error: invalid argument: $ac_config_target" >&5
+echo "$as_me: error: invalid argument: $ac_config_target" >&2;}
+   { (exit 1); exit 1; }; };;
+  esac
+done
+
+
+# If the user did not use the arguments to specify the items to instantiate,
+# then the envvar interface is used.  Set only those that are not.
+# We use the long form for the default assignment because of an extremely
+# bizarre bug on SunOS 4.1.3.
+if $ac_need_defaults; then
+  test "${CONFIG_FILES+set}" = set || CONFIG_FILES=$config_files
+  test "${CONFIG_HEADERS+set}" = set || CONFIG_HEADERS=$config_headers
+  test "${CONFIG_COMMANDS+set}" = set || CONFIG_COMMANDS=$config_commands
+fi
+
+# Have a temporary directory for convenience.  Make it in the build tree
+# simply because there is no reason against having it here, and in addition,
+# creating and moving files from /tmp can sometimes cause problems.
+# Hook for its removal unless debugging.
+# Note that there is a small window in which the directory will not be cleaned:
+# after its creation but before its name has been assigned to `$tmp'.
+$debug ||
+{
+  tmp=
+  trap 'exit_status=$?
+  { test -z "$tmp" || test ! -d "$tmp" || rm -fr "$tmp"; } && exit $exit_status
+' 0
+  trap '{ (exit 1); exit 1; }' 1 2 13 15
+}
+# Create a (secure) tmp directory for tmp files.
+
+{
+  tmp=`(umask 077 && mktemp -d "./confXXXXXX") 2>/dev/null` &&
+  test -n "$tmp" && test -d "$tmp"
+}  ||
+{
+  tmp=./conf$$-$RANDOM
+  (umask 077 && mkdir "$tmp")
+} ||
+{
+   echo "$me: cannot create a temporary directory in ." >&2
+   { (exit 1); exit 1; }
+}
+
+#
+# Set up the sed scripts for CONFIG_FILES section.
+#
+
+# No need to generate the scripts if there are no CONFIG_FILES.
+# This happens for instance when ./config.status config.h
+if test -n "$CONFIG_FILES"; then
+
+_ACEOF
+
+
+
+ac_delim='%!_!# '
+for ac_last_try in false false false false false :; do
+  cat >conf$$subs.sed <<_ACEOF
+SHELL!$SHELL$ac_delim
+PATH_SEPARATOR!$PATH_SEPARATOR$ac_delim
+PACKAGE_NAME!$PACKAGE_NAME$ac_delim
+PACKAGE_TARNAME!$PACKAGE_TARNAME$ac_delim
+PACKAGE_VERSION!$PACKAGE_VERSION$ac_delim
+PACKAGE_STRING!$PACKAGE_STRING$ac_delim
+PACKAGE_BUGREPORT!$PACKAGE_BUGREPORT$ac_delim
+exec_prefix!$exec_prefix$ac_delim
+prefix!$prefix$ac_delim
+program_transform_name!$program_transform_name$ac_delim
+bindir!$bindir$ac_delim
+sbindir!$sbindir$ac_delim
+libexecdir!$libexecdir$ac_delim
+datarootdir!$datarootdir$ac_delim
+datadir!$datadir$ac_delim
+sysconfdir!$sysconfdir$ac_delim
+sharedstatedir!$sharedstatedir$ac_delim
+localstatedir!$localstatedir$ac_delim
+includedir!$includedir$ac_delim
+oldincludedir!$oldincludedir$ac_delim
+docdir!$docdir$ac_delim
+infodir!$infodir$ac_delim
+htmldir!$htmldir$ac_delim
+dvidir!$dvidir$ac_delim
+pdfdir!$pdfdir$ac_delim
+psdir!$psdir$ac_delim
+libdir!$libdir$ac_delim
+localedir!$localedir$ac_delim
+mandir!$mandir$ac_delim
+DEFS!$DEFS$ac_delim
+ECHO_C!$ECHO_C$ac_delim
+ECHO_N!$ECHO_N$ac_delim
+ECHO_T!$ECHO_T$ac_delim
+LIBS!$LIBS$ac_delim
+build_alias!$build_alias$ac_delim
+host_alias!$host_alias$ac_delim
+target_alias!$target_alias$ac_delim
+INSTALL_PROGRAM!$INSTALL_PROGRAM$ac_delim
+INSTALL_SCRIPT!$INSTALL_SCRIPT$ac_delim
+INSTALL_DATA!$INSTALL_DATA$ac_delim
+am__isrc!$am__isrc$ac_delim
+CYGPATH_W!$CYGPATH_W$ac_delim
+PACKAGE!$PACKAGE$ac_delim
+VERSION!$VERSION$ac_delim
+ACLOCAL!$ACLOCAL$ac_delim
+AUTOCONF!$AUTOCONF$ac_delim
+AUTOMAKE!$AUTOMAKE$ac_delim
+AUTOHEADER!$AUTOHEADER$ac_delim
+MAKEINFO!$MAKEINFO$ac_delim
+install_sh!$install_sh$ac_delim
+STRIP!$STRIP$ac_delim
+INSTALL_STRIP_PROGRAM!$INSTALL_STRIP_PROGRAM$ac_delim
+mkdir_p!$mkdir_p$ac_delim
+AWK!$AWK$ac_delim
+SET_MAKE!$SET_MAKE$ac_delim
+am__leading_dot!$am__leading_dot$ac_delim
+AMTAR!$AMTAR$ac_delim
+am__tar!$am__tar$ac_delim
+am__untar!$am__untar$ac_delim
+MAINTAINER_MODE_TRUE!$MAINTAINER_MODE_TRUE$ac_delim
+MAINTAINER_MODE_FALSE!$MAINTAINER_MODE_FALSE$ac_delim
+MAINT!$MAINT$ac_delim
+CC!$CC$ac_delim
+CFLAGS!$CFLAGS$ac_delim
+LDFLAGS!$LDFLAGS$ac_delim
+CPPFLAGS!$CPPFLAGS$ac_delim
+ac_ct_CC!$ac_ct_CC$ac_delim
+EXEEXT!$EXEEXT$ac_delim
+OBJEXT!$OBJEXT$ac_delim
+DEPDIR!$DEPDIR$ac_delim
+am__include!$am__include$ac_delim
+am__quote!$am__quote$ac_delim
+AMDEP_TRUE!$AMDEP_TRUE$ac_delim
+AMDEP_FALSE!$AMDEP_FALSE$ac_delim
+AMDEPBACKSLASH!$AMDEPBACKSLASH$ac_delim
+CCDEPMODE!$CCDEPMODE$ac_delim
+am__fastdepCC_TRUE!$am__fastdepCC_TRUE$ac_delim
+am__fastdepCC_FALSE!$am__fastdepCC_FALSE$ac_delim
+build!$build$ac_delim
+build_cpu!$build_cpu$ac_delim
+build_vendor!$build_vendor$ac_delim
+build_os!$build_os$ac_delim
+host!$host$ac_delim
+host_cpu!$host_cpu$ac_delim
+host_vendor!$host_vendor$ac_delim
+host_os!$host_os$ac_delim
+SED!$SED$ac_delim
+GREP!$GREP$ac_delim
+EGREP!$EGREP$ac_delim
+LN_S!$LN_S$ac_delim
+ECHO!$ECHO$ac_delim
+AR!$AR$ac_delim
+RANLIB!$RANLIB$ac_delim
+DSYMUTIL!$DSYMUTIL$ac_delim
+NMEDIT!$NMEDIT$ac_delim
+CPP!$CPP$ac_delim
+CXX!$CXX$ac_delim
+_ACEOF
+
+  if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 97; then
+    break
+  elif $ac_last_try; then
+    { { echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5
+echo "$as_me: error: could not make $CONFIG_STATUS" >&2;}
+   { (exit 1); exit 1; }; }
+  else
+    ac_delim="$ac_delim!$ac_delim _$ac_delim!! "
+  fi
+done
+
+ac_eof=`sed -n '/^CEOF[0-9]*$/s/CEOF/0/p' conf$$subs.sed`
+if test -n "$ac_eof"; then
+  ac_eof=`echo "$ac_eof" | sort -nru | sed 1q`
+  ac_eof=`expr $ac_eof + 1`
+fi
+
+cat >>$CONFIG_STATUS <<_ACEOF
+cat >"\$tmp/subs-1.sed" <<\CEOF$ac_eof
+/@[a-zA-Z_][a-zA-Z_0-9]*@/!b
+_ACEOF
+sed '
+s/[,\\&]/\\&/g; s/@/@|#_!!_#|/g
+s/^/s,@/; s/!/@,|#_!!_#|/
+:n
+t n
+s/'"$ac_delim"'$/,g/; t
+s/$/\\/; p
+N; s/^.*\n//; s/[,\\&]/\\&/g; s/@/@|#_!!_#|/g; b n
+' >>$CONFIG_STATUS <conf$$subs.sed
+rm -f conf$$subs.sed
+cat >>$CONFIG_STATUS <<_ACEOF
+CEOF$ac_eof
+_ACEOF
+
+
+ac_delim='%!_!# '
+for ac_last_try in false false false false false :; do
+  cat >conf$$subs.sed <<_ACEOF
+CXXFLAGS!$CXXFLAGS$ac_delim
+ac_ct_CXX!$ac_ct_CXX$ac_delim
+CXXDEPMODE!$CXXDEPMODE$ac_delim
+am__fastdepCXX_TRUE!$am__fastdepCXX_TRUE$ac_delim
+am__fastdepCXX_FALSE!$am__fastdepCXX_FALSE$ac_delim
+CXXCPP!$CXXCPP$ac_delim
+F77!$F77$ac_delim
+FFLAGS!$FFLAGS$ac_delim
+ac_ct_F77!$ac_ct_F77$ac_delim
+LIBTOOL!$LIBTOOL$ac_delim
+LIBOBJS!$LIBOBJS$ac_delim
+GETTEXT_PACKAGE!$GETTEXT_PACKAGE$ac_delim
+INTLTOOL_DESKTOP_RULE!$INTLTOOL_DESKTOP_RULE$ac_delim
+INTLTOOL_DIRECTORY_RULE!$INTLTOOL_DIRECTORY_RULE$ac_delim
+INTLTOOL_KEYS_RULE!$INTLTOOL_KEYS_RULE$ac_delim
+INTLTOOL_PROP_RULE!$INTLTOOL_PROP_RULE$ac_delim
+INTLTOOL_OAF_RULE!$INTLTOOL_OAF_RULE$ac_delim
+INTLTOOL_PONG_RULE!$INTLTOOL_PONG_RULE$ac_delim
+INTLTOOL_SERVER_RULE!$INTLTOOL_SERVER_RULE$ac_delim
+INTLTOOL_SHEET_RULE!$INTLTOOL_SHEET_RULE$ac_delim
+INTLTOOL_SOUNDLIST_RULE!$INTLTOOL_SOUNDLIST_RULE$ac_delim
+INTLTOOL_UI_RULE!$INTLTOOL_UI_RULE$ac_delim
+INTLTOOL_XAM_RULE!$INTLTOOL_XAM_RULE$ac_delim
+INTLTOOL_KBD_RULE!$INTLTOOL_KBD_RULE$ac_delim
+INTLTOOL_XML_RULE!$INTLTOOL_XML_RULE$ac_delim
+INTLTOOL_XML_NOMERGE_RULE!$INTLTOOL_XML_NOMERGE_RULE$ac_delim
+INTLTOOL_CAVES_RULE!$INTLTOOL_CAVES_RULE$ac_delim
+INTLTOOL_SCHEMAS_RULE!$INTLTOOL_SCHEMAS_RULE$ac_delim
+INTLTOOL_THEME_RULE!$INTLTOOL_THEME_RULE$ac_delim
+INTLTOOL_SERVICE_RULE!$INTLTOOL_SERVICE_RULE$ac_delim
+INTLTOOL_POLICY_RULE!$INTLTOOL_POLICY_RULE$ac_delim
+XGETTEXT!$XGETTEXT$ac_delim
+MSGMERGE!$MSGMERGE$ac_delim
+MSGFMT!$MSGFMT$ac_delim
+INTLTOOL_EXTRACT!$INTLTOOL_EXTRACT$ac_delim
+INTLTOOL_MERGE!$INTLTOOL_MERGE$ac_delim
+INTLTOOL_UPDATE!$INTLTOOL_UPDATE$ac_delim
+INTLTOOL_PERL!$INTLTOOL_PERL$ac_delim
+ALL_LINGUAS!$ALL_LINGUAS$ac_delim
+DATADIRNAME!$DATADIRNAME$ac_delim
+USE_NLS!$USE_NLS$ac_delim
+MSGFMT_OPTS!$MSGFMT_OPTS$ac_delim
+GMSGFMT!$GMSGFMT$ac_delim
+CATALOGS!$CATALOGS$ac_delim
+CATOBJEXT!$CATOBJEXT$ac_delim
+GMOFILES!$GMOFILES$ac_delim
+INSTOBJEXT!$INSTOBJEXT$ac_delim
+INTLLIBS!$INTLLIBS$ac_delim
+PO_IN_DATADIR_TRUE!$PO_IN_DATADIR_TRUE$ac_delim
+PO_IN_DATADIR_FALSE!$PO_IN_DATADIR_FALSE$ac_delim
+POFILES!$POFILES$ac_delim
+POSUB!$POSUB$ac_delim
+MKINSTALLDIRS!$MKINSTALLDIRS$ac_delim
+PKG_CONFIG!$PKG_CONFIG$ac_delim
+GTHREAD_CFLAGS!$GTHREAD_CFLAGS$ac_delim
+GTHREAD_LIBS!$GTHREAD_LIBS$ac_delim
+DBUS_CFLAGS!$DBUS_CFLAGS$ac_delim
+DBUS_LIBS!$DBUS_LIBS$ac_delim
+GTK_CFLAGS!$GTK_CFLAGS$ac_delim
+GTK_LIBS!$GTK_LIBS$ac_delim
+GDK_PIXBUF_CFLAGS!$GDK_PIXBUF_CFLAGS$ac_delim
+GDK_PIXBUF_LIBS!$GDK_PIXBUF_LIBS$ac_delim
+GLADE_CFLAGS!$GLADE_CFLAGS$ac_delim
+GLADE_LIBS!$GLADE_LIBS$ac_delim
+LIBGNOMEUI_CFLAGS!$LIBGNOMEUI_CFLAGS$ac_delim
+LIBGNOMEUI_LIBS!$LIBGNOMEUI_LIBS$ac_delim
+GCONF_CFLAGS!$GCONF_CFLAGS$ac_delim
+GCONF_LIBS!$GCONF_LIBS$ac_delim
+GNOMEKEYRING_CFLAGS!$GNOMEKEYRING_CFLAGS$ac_delim
+GNOMEKEYRING_LIBS!$GNOMEKEYRING_LIBS$ac_delim
+NM_UTILS_CFLAGS!$NM_UTILS_CFLAGS$ac_delim
+NM_UTILS_LIBS!$NM_UTILS_LIBS$ac_delim
+charon!$charon$ac_delim
+LTLIBOBJS!$LTLIBOBJS$ac_delim
+_ACEOF
+
+  if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 74; then
+    break
+  elif $ac_last_try; then
+    { { echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5
+echo "$as_me: error: could not make $CONFIG_STATUS" >&2;}
+   { (exit 1); exit 1; }; }
+  else
+    ac_delim="$ac_delim!$ac_delim _$ac_delim!! "
+  fi
+done
+
+ac_eof=`sed -n '/^CEOF[0-9]*$/s/CEOF/0/p' conf$$subs.sed`
+if test -n "$ac_eof"; then
+  ac_eof=`echo "$ac_eof" | sort -nru | sed 1q`
+  ac_eof=`expr $ac_eof + 1`
+fi
+
+cat >>$CONFIG_STATUS <<_ACEOF
+cat >"\$tmp/subs-2.sed" <<\CEOF$ac_eof
+/@[a-zA-Z_][a-zA-Z_0-9]*@/!b end
+_ACEOF
+sed '
+s/[,\\&]/\\&/g; s/@/@|#_!!_#|/g
+s/^/s,@/; s/!/@,|#_!!_#|/
+:n
+t n
+s/'"$ac_delim"'$/,g/; t
+s/$/\\/; p
+N; s/^.*\n//; s/[,\\&]/\\&/g; s/@/@|#_!!_#|/g; b n
+' >>$CONFIG_STATUS <conf$$subs.sed
+rm -f conf$$subs.sed
+cat >>$CONFIG_STATUS <<_ACEOF
+:end
+s/|#_!!_#|//g
+CEOF$ac_eof
+_ACEOF
+
+
+# VPATH may cause trouble with some makes, so we remove $(srcdir),
+# ${srcdir} and @srcdir@ from VPATH if srcdir is ".", strip leading and
+# trailing colons and then remove the whole line if VPATH becomes empty
+# (actually we leave an empty line to preserve line numbers).
+if test "x$srcdir" = x.; then
+  ac_vpsub='/^[	 ]*VPATH[	 ]*=/{
+s/:*\$(srcdir):*/:/
+s/:*\${srcdir}:*/:/
+s/:*@srcdir@:*/:/
+s/^\([^=]*=[	 ]*\):*/\1/
+s/:*$//
+s/^[^=]*=[	 ]*$//
+}'
+fi
+
+cat >>$CONFIG_STATUS <<\_ACEOF
+fi # test -n "$CONFIG_FILES"
+
+
+for ac_tag in  :F $CONFIG_FILES  :H $CONFIG_HEADERS    :C $CONFIG_COMMANDS
+do
+  case $ac_tag in
+  :[FHLC]) ac_mode=$ac_tag; continue;;
+  esac
+  case $ac_mode$ac_tag in
+  :[FHL]*:*);;
+  :L* | :C*:*) { { echo "$as_me:$LINENO: error: Invalid tag $ac_tag." >&5
+echo "$as_me: error: Invalid tag $ac_tag." >&2;}
+   { (exit 1); exit 1; }; };;
+  :[FH]-) ac_tag=-:-;;
+  :[FH]*) ac_tag=$ac_tag:$ac_tag.in;;
+  esac
+  ac_save_IFS=$IFS
+  IFS=:
+  set x $ac_tag
+  IFS=$ac_save_IFS
+  shift
+  ac_file=$1
+  shift
+
+  case $ac_mode in
+  :L) ac_source=$1;;
+  :[FH])
+    ac_file_inputs=
+    for ac_f
+    do
+      case $ac_f in
+      -) ac_f="$tmp/stdin";;
+      *) # Look for the file first in the build tree, then in the source tree
+	 # (if the path is not absolute).  The absolute path cannot be DOS-style,
+	 # because $ac_f cannot contain `:'.
+	 test -f "$ac_f" ||
+	   case $ac_f in
+	   [\\/$]*) false;;
+	   *) test -f "$srcdir/$ac_f" && ac_f="$srcdir/$ac_f";;
+	   esac ||
+	   { { echo "$as_me:$LINENO: error: cannot find input file: $ac_f" >&5
+echo "$as_me: error: cannot find input file: $ac_f" >&2;}
+   { (exit 1); exit 1; }; };;
+      esac
+      ac_file_inputs="$ac_file_inputs $ac_f"
+    done
+
+    # Let's still pretend it is `configure' which instantiates (i.e., don't
+    # use $as_me), people would be surprised to read:
+    #    /* config.h.  Generated by config.status.  */
+    configure_input="Generated from "`IFS=:
+	  echo $* | sed 's|^[^:]*/||;s|:[^:]*/|, |g'`" by configure."
+    if test x"$ac_file" != x-; then
+      configure_input="$ac_file.  $configure_input"
+      { echo "$as_me:$LINENO: creating $ac_file" >&5
+echo "$as_me: creating $ac_file" >&6;}
+    fi
+
+    case $ac_tag in
+    *:-:* | *:-) cat >"$tmp/stdin";;
+    esac
+    ;;
+  esac
+
+  ac_dir=`$as_dirname -- "$ac_file" ||
+$as_expr X"$ac_file" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
+	 X"$ac_file" : 'X\(//\)[^/]' \| \
+	 X"$ac_file" : 'X\(//\)$' \| \
+	 X"$ac_file" : 'X\(/\)' \| . 2>/dev/null ||
+echo X"$ac_file" |
+    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
+	    s//\1/
+	    q
+	  }
+	  /^X\(\/\/\)[^/].*/{
+	    s//\1/
+	    q
+	  }
+	  /^X\(\/\/\)$/{
+	    s//\1/
+	    q
+	  }
+	  /^X\(\/\).*/{
+	    s//\1/
+	    q
+	  }
+	  s/.*/./; q'`
+  { as_dir="$ac_dir"
+  case $as_dir in #(
+  -*) as_dir=./$as_dir;;
+  esac
+  test -d "$as_dir" || { $as_mkdir_p && mkdir -p "$as_dir"; } || {
+    as_dirs=
+    while :; do
+      case $as_dir in #(
+      *\'*) as_qdir=`echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #(
+      *) as_qdir=$as_dir;;
+      esac
+      as_dirs="'$as_qdir' $as_dirs"
+      as_dir=`$as_dirname -- "$as_dir" ||
+$as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
+	 X"$as_dir" : 'X\(//\)[^/]' \| \
+	 X"$as_dir" : 'X\(//\)$' \| \
+	 X"$as_dir" : 'X\(/\)' \| . 2>/dev/null ||
+echo X"$as_dir" |
+    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
+	    s//\1/
+	    q
+	  }
+	  /^X\(\/\/\)[^/].*/{
+	    s//\1/
+	    q
+	  }
+	  /^X\(\/\/\)$/{
+	    s//\1/
+	    q
+	  }
+	  /^X\(\/\).*/{
+	    s//\1/
+	    q
+	  }
+	  s/.*/./; q'`
+      test -d "$as_dir" && break
+    done
+    test -z "$as_dirs" || eval "mkdir $as_dirs"
+  } || test -d "$as_dir" || { { echo "$as_me:$LINENO: error: cannot create directory $as_dir" >&5
+echo "$as_me: error: cannot create directory $as_dir" >&2;}
+   { (exit 1); exit 1; }; }; }
+  ac_builddir=.
+
+case "$ac_dir" in
+.) ac_dir_suffix= ac_top_builddir_sub=. ac_top_build_prefix= ;;
+*)
+  ac_dir_suffix=/`echo "$ac_dir" | sed 's,^\.[\\/],,'`
+  # A ".." for each directory in $ac_dir_suffix.
+  ac_top_builddir_sub=`echo "$ac_dir_suffix" | sed 's,/[^\\/]*,/..,g;s,/,,'`
+  case $ac_top_builddir_sub in
+  "") ac_top_builddir_sub=. ac_top_build_prefix= ;;
+  *)  ac_top_build_prefix=$ac_top_builddir_sub/ ;;
+  esac ;;
+esac
+ac_abs_top_builddir=$ac_pwd
+ac_abs_builddir=$ac_pwd$ac_dir_suffix
+# for backward compatibility:
+ac_top_builddir=$ac_top_build_prefix
+
+case $srcdir in
+  .)  # We are building in place.
+    ac_srcdir=.
+    ac_top_srcdir=$ac_top_builddir_sub
+    ac_abs_top_srcdir=$ac_pwd ;;
+  [\\/]* | ?:[\\/]* )  # Absolute name.
+    ac_srcdir=$srcdir$ac_dir_suffix;
+    ac_top_srcdir=$srcdir
+    ac_abs_top_srcdir=$srcdir ;;
+  *) # Relative name.
+    ac_srcdir=$ac_top_build_prefix$srcdir$ac_dir_suffix
+    ac_top_srcdir=$ac_top_build_prefix$srcdir
+    ac_abs_top_srcdir=$ac_pwd/$srcdir ;;
+esac
+ac_abs_srcdir=$ac_abs_top_srcdir$ac_dir_suffix
+
+
+  case $ac_mode in
+  :F)
+  #
+  # CONFIG_FILE
+  #
+
+  case $INSTALL in
+  [\\/$]* | ?:[\\/]* ) ac_INSTALL=$INSTALL ;;
+  *) ac_INSTALL=$ac_top_build_prefix$INSTALL ;;
+  esac
+  ac_MKDIR_P=$MKDIR_P
+  case $MKDIR_P in
+  [\\/$]* | ?:[\\/]* ) ;;
+  */*) ac_MKDIR_P=$ac_top_build_prefix$MKDIR_P ;;
+  esac
+_ACEOF
+
+cat >>$CONFIG_STATUS <<\_ACEOF
+# If the template does not know about datarootdir, expand it.
+# FIXME: This hack should be removed a few years after 2.60.
+ac_datarootdir_hack=; ac_datarootdir_seen=
+
+case `sed -n '/datarootdir/ {
+  p
+  q
+}
+/@datadir@/p
+/@docdir@/p
+/@infodir@/p
+/@localedir@/p
+/@mandir@/p
+' $ac_file_inputs` in
+*datarootdir*) ac_datarootdir_seen=yes;;
+*@datadir@*|*@docdir@*|*@infodir@*|*@localedir@*|*@mandir@*)
+  { echo "$as_me:$LINENO: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&5
+echo "$as_me: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&2;}
+_ACEOF
+cat >>$CONFIG_STATUS <<_ACEOF
+  ac_datarootdir_hack='
+  s&@datadir@&$datadir&g
+  s&@docdir@&$docdir&g
+  s&@infodir@&$infodir&g
+  s&@localedir@&$localedir&g
+  s&@mandir@&$mandir&g
+    s&\\\${datarootdir}&$datarootdir&g' ;;
+esac
+_ACEOF
+
+# Neutralize VPATH when `$srcdir' = `.'.
+# Shell code in configure.ac might set extrasub.
+# FIXME: do we really want to maintain this feature?
+cat >>$CONFIG_STATUS <<_ACEOF
+  sed "$ac_vpsub
+$extrasub
+_ACEOF
+cat >>$CONFIG_STATUS <<\_ACEOF
+:t
+/@[a-zA-Z_][a-zA-Z_0-9]*@/!b
+s&@configure_input@&$configure_input&;t t
+s&@top_builddir@&$ac_top_builddir_sub&;t t
+s&@srcdir@&$ac_srcdir&;t t
+s&@abs_srcdir@&$ac_abs_srcdir&;t t
+s&@top_srcdir@&$ac_top_srcdir&;t t
+s&@abs_top_srcdir@&$ac_abs_top_srcdir&;t t
+s&@builddir@&$ac_builddir&;t t
+s&@abs_builddir@&$ac_abs_builddir&;t t
+s&@abs_top_builddir@&$ac_abs_top_builddir&;t t
+s&@INSTALL@&$ac_INSTALL&;t t
+s&@MKDIR_P@&$ac_MKDIR_P&;t t
+$ac_datarootdir_hack
+" $ac_file_inputs | sed -f "$tmp/subs-1.sed" | sed -f "$tmp/subs-2.sed" >$tmp/out
+
+test -z "$ac_datarootdir_hack$ac_datarootdir_seen" &&
+  { ac_out=`sed -n '/\${datarootdir}/p' "$tmp/out"`; test -n "$ac_out"; } &&
+  { ac_out=`sed -n '/^[	 ]*datarootdir[	 ]*:*=/p' "$tmp/out"`; test -z "$ac_out"; } &&
+  { echo "$as_me:$LINENO: WARNING: $ac_file contains a reference to the variable \`datarootdir'
+which seems to be undefined.  Please make sure it is defined." >&5
+echo "$as_me: WARNING: $ac_file contains a reference to the variable \`datarootdir'
+which seems to be undefined.  Please make sure it is defined." >&2;}
+
+  rm -f "$tmp/stdin"
+  case $ac_file in
+  -) cat "$tmp/out"; rm -f "$tmp/out";;
+  *) rm -f "$ac_file"; mv "$tmp/out" $ac_file;;
+  esac
+ ;;
+  :H)
+  #
+  # CONFIG_HEADER
+  #
+_ACEOF
+
+# Transform confdefs.h into a sed script `conftest.defines', that
+# substitutes the proper values into config.h.in to produce config.h.
+rm -f conftest.defines conftest.tail
+# First, append a space to every undef/define line, to ease matching.
+echo 's/$/ /' >conftest.defines
+# Then, protect against being on the right side of a sed subst, or in
+# an unquoted here document, in config.status.  If some macros were
+# called several times there might be several #defines for the same
+# symbol, which is useless.  But do not sort them, since the last
+# AC_DEFINE must be honored.
+ac_word_re=[_$as_cr_Letters][_$as_cr_alnum]*
+# These sed commands are passed to sed as "A NAME B PARAMS C VALUE D", where
+# NAME is the cpp macro being defined, VALUE is the value it is being given.
+# PARAMS is the parameter list in the macro definition--in most cases, it's
+# just an empty string.
+ac_dA='s,^\\([	 #]*\\)[^	 ]*\\([	 ]*'
+ac_dB='\\)[	 (].*,\\1define\\2'
+ac_dC=' '
+ac_dD=' ,'
+
+uniq confdefs.h |
+  sed -n '
+	t rset
+	:rset
+	s/^[	 ]*#[	 ]*define[	 ][	 ]*//
+	t ok
+	d
+	:ok
+	s/[\\&,]/\\&/g
+	s/^\('"$ac_word_re"'\)\(([^()]*)\)[	 ]*\(.*\)/ '"$ac_dA"'\1'"$ac_dB"'\2'"${ac_dC}"'\3'"$ac_dD"'/p
+	s/^\('"$ac_word_re"'\)[	 ]*\(.*\)/'"$ac_dA"'\1'"$ac_dB$ac_dC"'\2'"$ac_dD"'/p
+  ' >>conftest.defines
+
+# Remove the space that was appended to ease matching.
+# Then replace #undef with comments.  This is necessary, for
+# example, in the case of _POSIX_SOURCE, which is predefined and required
+# on some systems where configure will not decide to define it.
+# (The regexp can be short, since the line contains either #define or #undef.)
+echo 's/ $//
+s,^[	 #]*u.*,/* & */,' >>conftest.defines
+
+# Break up conftest.defines:
+ac_max_sed_lines=50
+
+# First sed command is:	 sed -f defines.sed $ac_file_inputs >"$tmp/out1"
+# Second one is:	 sed -f defines.sed "$tmp/out1" >"$tmp/out2"
+# Third one will be:	 sed -f defines.sed "$tmp/out2" >"$tmp/out1"
+# et cetera.
+ac_in='$ac_file_inputs'
+ac_out='"$tmp/out1"'
+ac_nxt='"$tmp/out2"'
+
+while :
+do
+  # Write a here document:
+    cat >>$CONFIG_STATUS <<_ACEOF
+    # First, check the format of the line:
+    cat >"\$tmp/defines.sed" <<\\CEOF
+/^[	 ]*#[	 ]*undef[	 ][	 ]*$ac_word_re[	 ]*\$/b def
+/^[	 ]*#[	 ]*define[	 ][	 ]*$ac_word_re[(	 ]/b def
+b
+:def
+_ACEOF
+  sed ${ac_max_sed_lines}q conftest.defines >>$CONFIG_STATUS
+  echo 'CEOF
+    sed -f "$tmp/defines.sed"' "$ac_in >$ac_out" >>$CONFIG_STATUS
+  ac_in=$ac_out; ac_out=$ac_nxt; ac_nxt=$ac_in
+  sed 1,${ac_max_sed_lines}d conftest.defines >conftest.tail
+  grep . conftest.tail >/dev/null || break
+  rm -f conftest.defines
+  mv conftest.tail conftest.defines
+done
+rm -f conftest.defines conftest.tail
+
+echo "ac_result=$ac_in" >>$CONFIG_STATUS
+cat >>$CONFIG_STATUS <<\_ACEOF
+  if test x"$ac_file" != x-; then
+    echo "/* $configure_input  */" >"$tmp/config.h"
+    cat "$ac_result" >>"$tmp/config.h"
+    if diff $ac_file "$tmp/config.h" >/dev/null 2>&1; then
+      { echo "$as_me:$LINENO: $ac_file is unchanged" >&5
+echo "$as_me: $ac_file is unchanged" >&6;}
+    else
+      rm -f $ac_file
+      mv "$tmp/config.h" $ac_file
+    fi
+  else
+    echo "/* $configure_input  */"
+    cat "$ac_result"
+  fi
+  rm -f "$tmp/out12"
+# Compute $ac_file's index in $config_headers.
+_am_arg=$ac_file
+_am_stamp_count=1
+for _am_header in $config_headers :; do
+  case $_am_header in
+    $_am_arg | $_am_arg:* )
+      break ;;
+    * )
+      _am_stamp_count=`expr $_am_stamp_count + 1` ;;
+  esac
+done
+echo "timestamp for $_am_arg" >`$as_dirname -- "$_am_arg" ||
+$as_expr X"$_am_arg" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
+	 X"$_am_arg" : 'X\(//\)[^/]' \| \
+	 X"$_am_arg" : 'X\(//\)$' \| \
+	 X"$_am_arg" : 'X\(/\)' \| . 2>/dev/null ||
+echo X"$_am_arg" |
+    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
+	    s//\1/
+	    q
+	  }
+	  /^X\(\/\/\)[^/].*/{
+	    s//\1/
+	    q
+	  }
+	  /^X\(\/\/\)$/{
+	    s//\1/
+	    q
+	  }
+	  /^X\(\/\).*/{
+	    s//\1/
+	    q
+	  }
+	  s/.*/./; q'`/stamp-h$_am_stamp_count
+ ;;
+
+  :C)  { echo "$as_me:$LINENO: executing $ac_file commands" >&5
+echo "$as_me: executing $ac_file commands" >&6;}
+ ;;
+  esac
+
+
+  case $ac_file$ac_mode in
+    "depfiles":C) test x"$AMDEP_TRUE" != x"" || for mf in $CONFIG_FILES; do
+  # Strip MF so we end up with the name of the file.
+  mf=`echo "$mf" | sed -e 's/:.*$//'`
+  # Check whether this is an Automake generated Makefile or not.
+  # We used to match only the files named `Makefile.in', but
+  # some people rename them; so instead we look at the file content.
+  # Grep'ing the first line is not enough: some people post-process
+  # each Makefile.in and add a new line on top of each file to say so.
+  # Grep'ing the whole file is not good either: AIX grep has a line
+  # limit of 2048, but all sed's we know have understand at least 4000.
+  if sed -n 's,^#.*generated by automake.*,X,p' "$mf" | grep X >/dev/null 2>&1; then
+    dirpart=`$as_dirname -- "$mf" ||
+$as_expr X"$mf" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
+	 X"$mf" : 'X\(//\)[^/]' \| \
+	 X"$mf" : 'X\(//\)$' \| \
+	 X"$mf" : 'X\(/\)' \| . 2>/dev/null ||
+echo X"$mf" |
+    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
+	    s//\1/
+	    q
+	  }
+	  /^X\(\/\/\)[^/].*/{
+	    s//\1/
+	    q
+	  }
+	  /^X\(\/\/\)$/{
+	    s//\1/
+	    q
+	  }
+	  /^X\(\/\).*/{
+	    s//\1/
+	    q
+	  }
+	  s/.*/./; q'`
+  else
+    continue
+  fi
+  # Extract the definition of DEPDIR, am__include, and am__quote
+  # from the Makefile without running `make'.
+  DEPDIR=`sed -n 's/^DEPDIR = //p' < "$mf"`
+  test -z "$DEPDIR" && continue
+  am__include=`sed -n 's/^am__include = //p' < "$mf"`
+  test -z "am__include" && continue
+  am__quote=`sed -n 's/^am__quote = //p' < "$mf"`
+  # When using ansi2knr, U may be empty or an underscore; expand it
+  U=`sed -n 's/^U = //p' < "$mf"`
+  # Find all dependency output files, they are included files with
+  # $(DEPDIR) in their names.  We invoke sed twice because it is the
+  # simplest approach to changing $(DEPDIR) to its actual value in the
+  # expansion.
+  for file in `sed -n "
+    s/^$am__include $am__quote\(.*(DEPDIR).*\)$am__quote"'$/\1/p' <"$mf" | \
+       sed -e 's/\$(DEPDIR)/'"$DEPDIR"'/g' -e 's/\$U/'"$U"'/g'`; do
+    # Make sure the directory exists.
+    test -f "$dirpart/$file" && continue
+    fdir=`$as_dirname -- "$file" ||
+$as_expr X"$file" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
+	 X"$file" : 'X\(//\)[^/]' \| \
+	 X"$file" : 'X\(//\)$' \| \
+	 X"$file" : 'X\(/\)' \| . 2>/dev/null ||
+echo X"$file" |
+    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
+	    s//\1/
+	    q
+	  }
+	  /^X\(\/\/\)[^/].*/{
+	    s//\1/
+	    q
+	  }
+	  /^X\(\/\/\)$/{
+	    s//\1/
+	    q
+	  }
+	  /^X\(\/\).*/{
+	    s//\1/
+	    q
+	  }
+	  s/.*/./; q'`
+    { as_dir=$dirpart/$fdir
+  case $as_dir in #(
+  -*) as_dir=./$as_dir;;
+  esac
+  test -d "$as_dir" || { $as_mkdir_p && mkdir -p "$as_dir"; } || {
+    as_dirs=
+    while :; do
+      case $as_dir in #(
+      *\'*) as_qdir=`echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #(
+      *) as_qdir=$as_dir;;
+      esac
+      as_dirs="'$as_qdir' $as_dirs"
+      as_dir=`$as_dirname -- "$as_dir" ||
+$as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
+	 X"$as_dir" : 'X\(//\)[^/]' \| \
+	 X"$as_dir" : 'X\(//\)$' \| \
+	 X"$as_dir" : 'X\(/\)' \| . 2>/dev/null ||
+echo X"$as_dir" |
+    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
+	    s//\1/
+	    q
+	  }
+	  /^X\(\/\/\)[^/].*/{
+	    s//\1/
+	    q
+	  }
+	  /^X\(\/\/\)$/{
+	    s//\1/
+	    q
+	  }
+	  /^X\(\/\).*/{
+	    s//\1/
+	    q
+	  }
+	  s/.*/./; q'`
+      test -d "$as_dir" && break
+    done
+    test -z "$as_dirs" || eval "mkdir $as_dirs"
+  } || test -d "$as_dir" || { { echo "$as_me:$LINENO: error: cannot create directory $as_dir" >&5
+echo "$as_me: error: cannot create directory $as_dir" >&2;}
+   { (exit 1); exit 1; }; }; }
+    # echo "creating $dirpart/$file"
+    echo '# dummy' > "$dirpart/$file"
+  done
+done
+ ;;
+    "intltool":C)
+
+for file in intltool-extract intltool-merge intltool-update; do
+  sed -e "s|@INTLTOOL_EXTRACT@|`pwd`/intltool-extract|g" \
+      -e "s|@INTLTOOL_LIBDIR@|${INTLTOOL_LIBDIR}|g" \
+      -e "s|@INTLTOOL_PERL@|${INTLTOOL_PERL}|g" \
+	< ${ac_aux_dir}/${file}.in > ${file}.out
+  if cmp -s ${file} ${file}.out 2>/dev/null; then
+    rm -f ${file}.out
+  else
+    mv -f ${file}.out ${file}
+  fi
+  chmod ugo+x ${file}
+  chmod u+w ${file}
+done
+
+ ;;
+    "default-1":C) case "$CONFIG_FILES" in *po/Makefile.in*)
+        sed -e "/POTFILES =/r po/POTFILES" po/Makefile.in > po/Makefile
+      esac ;;
+    "po/stamp-it":C)
+    rm -f "po/stamp-it" "po/stamp-it.tmp" "po/POTFILES" "po/Makefile.tmp"
+    >"po/stamp-it.tmp"
+    sed '/^#/d
+	 s/^[[].*] *//
+	 /^[ 	]*$/d
+	'"s|^|	$ac_top_srcdir/|" \
+      "$srcdir/po/POTFILES.in" | sed '$!s/$/ \\/' >"po/POTFILES"
+
+    if test ! -f "po/Makefile"; then
+      { { echo "$as_me:$LINENO: error: po/Makefile is not ready." >&5
+echo "$as_me: error: po/Makefile is not ready." >&2;}
+   { (exit 1); exit 1; }; }
+    fi
+    mv "po/Makefile" "po/Makefile.tmp"
+    sed '/^POTFILES =/,/[^\\]$/ {
+		/^POTFILES =/!d
+		r po/POTFILES
+	  }
+	 ' "po/Makefile.tmp" >"po/Makefile"
+    rm -f "po/Makefile.tmp"
+    mv "po/stamp-it.tmp" "po/stamp-it"
+   ;;
+
+  esac
+done # for ac_tag
+
+
+{ (exit 0); exit 0; }
+_ACEOF
+chmod +x $CONFIG_STATUS
+ac_clean_files=$ac_clean_files_save
+
+
+# configure is writing to config.log, and then calls config.status.
+# config.status does its own redirection, appending to config.log.
+# Unfortunately, on DOS this fails, as config.log is still kept open
+# by configure, so config.status won't be able to write to it; its
+# output is simply discarded.  So we exec the FD to /dev/null,
+# effectively closing config.log, so it can be properly (re)opened and
+# appended to by config.status.  When coming back to configure, we
+# need to make the FD available again.
+if test "$no_create" != yes; then
+  ac_cs_success=:
+  ac_config_status_args=
+  test "$silent" = yes &&
+    ac_config_status_args="$ac_config_status_args --quiet"
+  exec 5>/dev/null
+  $SHELL $CONFIG_STATUS $ac_config_status_args || ac_cs_success=false
+  exec 5>>config.log
+  # Use ||, not &&, to avoid exiting from the if with $? = 1, which
+  # would make configure fail if this is the last instruction.
+  $ac_cs_success || { (exit 1); exit 1; }
+fi
+
diff --git a/src/charon/plugins/nm/gnome/configure.in b/src/charon/plugins/nm/gnome/configure.in
new file mode 100644
index 000000000..5bbcdcbad
--- /dev/null
+++ b/src/charon/plugins/nm/gnome/configure.in
@@ -0,0 +1,128 @@
+AC_PREREQ(2.52)
+
+AC_INIT(NetworkManager-strongswan, 4.2.6, martin@strongswan.org, NetworkManager-strongswan)
+AC_CONFIG_AUX_DIR(.)
+AM_INIT_AUTOMAKE([subdir-objects])
+AM_MAINTAINER_MODE
+
+AM_CONFIG_HEADER(config.h)
+
+dnl
+dnl Require programs
+dnl
+AC_PROG_CC
+AM_PROG_CC_C_O
+AC_PROG_INSTALL
+AC_PROG_LIBTOOL
+
+dnl
+dnl Required headers
+dnl
+AC_HEADER_STDC
+AC_CHECK_HEADERS(fcntl.h paths.h sys/ioctl.h sys/time.h syslog.h unistd.h)
+
+dnl
+dnl Checks for typedefs, structures, and compiler characteristics.
+dnl
+AC_TYPE_MODE_T
+AC_TYPE_PID_T
+AC_HEADER_TIME
+
+dnl
+dnl Checks for library functions.
+dnl
+AC_PROG_GCC_TRADITIONAL
+AC_FUNC_MEMCMP
+AC_CHECK_FUNCS(select socket uname)
+
+GETTEXT_PACKAGE=NetworkManager-strongswan
+AC_SUBST(GETTEXT_PACKAGE)
+AC_DEFINE_UNQUOTED(GETTEXT_PACKAGE,"$GETTEXT_PACKAGE", [Gettext package])
+
+IT_PROG_INTLTOOL([0.35])
+AM_GLIB_GNU_GETTEXT
+
+PKG_CHECK_MODULES(GTHREAD, gthread-2.0)
+AC_SUBST(GTHREAD_CFLAGS)
+AC_SUBST(GTHREAD_LIBS)
+
+PKG_CHECK_MODULES(DBUS, dbus-glib-1 >= 0.30)
+AC_SUBST(DBUS_CFLAGS)
+AC_SUBST(DBUS_LIBS)
+
+if test x"$with_gnome" != xno; then
+	PKG_CHECK_MODULES(GTK, gtk+-2.0 >= 2.6)
+	AC_SUBST(GTK_CFLAGS)
+	AC_SUBST(GTK_LIBS)
+
+	PKG_CHECK_MODULES(GDK_PIXBUF, gdk-pixbuf-2.0)
+	AC_SUBST(GDK_PIXBUF_CFLAGS)
+	AC_SUBST(GDK_PIXBUF_LIBS)
+
+	PKG_CHECK_MODULES(GLADE, libglade-2.0)
+	AC_SUBST(GLADE_CFLAGS)
+	AC_SUBST(GLADE_LIBS)
+
+	PKG_CHECK_MODULES(LIBGNOMEUI, libgnomeui-2.0)
+	AC_SUBST(LIBGNOMEUI_CFLAGS)
+	AC_SUBST(LIBGNOMEUI_LIBS)
+
+	PKG_CHECK_MODULES(GCONF, gconf-2.0)
+	AC_SUBST(GCONF_CFLAGS)
+	AC_SUBST(GCONF_LIBS)
+
+	PKG_CHECK_MODULES(GNOMEKEYRING, gnome-keyring-1)
+	AC_SUBST(GNOMEKEYRING_CFLAGS)
+	AC_SUBST(GNOMEKEYRING_LIBS)
+fi
+
+PKG_CHECK_MODULES(NM_UTILS, NetworkManager >= 0.7.0 libnm-util libnm_glib libnm_glib_vpn)
+AC_SUBST(NM_UTILS_CFLAGS)
+AC_SUBST(NM_UTILS_LIBS)
+
+AC_ARG_WITH(
+	[charon],
+	AS_HELP_STRING([--with-charon=file],[path to the strongSwan IKEv2 daemon charon"]),
+	[AC_SUBST(charon, "$withval")],
+	[AC_SUBST(charon, "${libexecdir}/ipsec/charon")]
+)
+
+AC_ARG_ENABLE(more-warnings,
+AC_HELP_STRING([--enable-more-warnings], [Maximum compiler warnings]),
+set_more_warnings="$enableval",[
+if test -d "$srcdir/{arch}" || test -d "$srcdir/CVS"; then
+	set_more_warnings=yes
+else
+	set_more_warnings=no
+fi
+])
+AC_MSG_CHECKING(for more warnings, including -Werror)
+if test "$GCC" = "yes" -a "$set_more_warnings" != "no"; then
+	AC_MSG_RESULT(yes)
+	CFLAGS="-Wall -Werror -std=gnu89 $CFLAGS"
+
+	for option in -Wno-unused -Wno-strict-aliasing -Wno-sign-compare -Wdeclaration-after-statement -Wno-pointer-sign ; do
+		SAVE_CFLAGS="$CFLAGS"
+		CFLAGS="$CFLAGS $option"
+		AC_MSG_CHECKING([whether gcc understands $option])
+		AC_TRY_COMPILE([], [],
+			has_option=yes,
+			has_option=no,)
+		if test $has_option = no; then
+			CFLAGS="$SAVE_CFLAGS"
+		fi
+		AC_MSG_RESULT($has_option)
+		unset has_option
+		unset SAVE_CFLAGS
+	done
+	unset option
+else
+	AC_MSG_RESULT(no)
+fi
+
+AC_OUTPUT([
+Makefile
+properties/Makefile
+auth-dialog/Makefile
+po/Makefile.in
+])
diff --git a/src/charon/plugins/nm/gnome/depcomp b/src/charon/plugins/nm/gnome/depcomp
new file mode 100755
index 000000000..e5f9736c7
--- /dev/null
+++ b/src/charon/plugins/nm/gnome/depcomp
@@ -0,0 +1,589 @@
+#! /bin/sh
+# depcomp - compile a program generating dependencies as side-effects
+
+scriptversion=2007-03-29.01
+
+# Copyright (C) 1999, 2000, 2003, 2004, 2005, 2006, 2007 Free Software
+# Foundation, Inc.
+
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2, or (at your option)
+# any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+# 02110-1301, USA.
+
+# As a special exception to the GNU General Public License, if you
+# distribute this file as part of a program that contains a
+# configuration script generated by Autoconf, you may include it under
+# the same distribution terms that you use for the rest of that program.
+
+# Originally written by Alexandre Oliva <oliva@dcc.unicamp.br>.
+
+case $1 in
+  '')
+     echo "$0: No command.  Try \`$0 --help' for more information." 1>&2
+     exit 1;
+     ;;
+  -h | --h*)
+    cat <<\EOF
+Usage: depcomp [--help] [--version] PROGRAM [ARGS]
+
+Run PROGRAMS ARGS to compile a file, generating dependencies
+as side-effects.
+
+Environment variables:
+  depmode     Dependency tracking mode.
+  source      Source file read by `PROGRAMS ARGS'.
+  object      Object file output by `PROGRAMS ARGS'.
+  DEPDIR      directory where to store dependencies.
+  depfile     Dependency file to output.
+  tmpdepfile  Temporary file to use when outputing dependencies.
+  libtool     Whether libtool is used (yes/no).
+
+Report bugs to <bug-automake@gnu.org>.
+EOF
+    exit $?
+    ;;
+  -v | --v*)
+    echo "depcomp $scriptversion"
+    exit $?
+    ;;
+esac
+
+if test -z "$depmode" || test -z "$source" || test -z "$object"; then
+  echo "depcomp: Variables source, object and depmode must be set" 1>&2
+  exit 1
+fi
+
+# Dependencies for sub/bar.o or sub/bar.obj go into sub/.deps/bar.Po.
+depfile=${depfile-`echo "$object" |
+  sed 's|[^\\/]*$|'${DEPDIR-.deps}'/&|;s|\.\([^.]*\)$|.P\1|;s|Pobj$|Po|'`}
+tmpdepfile=${tmpdepfile-`echo "$depfile" | sed 's/\.\([^.]*\)$/.T\1/'`}
+
+rm -f "$tmpdepfile"
+
+# Some modes work just like other modes, but use different flags.  We
+# parameterize here, but still list the modes in the big case below,
+# to make depend.m4 easier to write.  Note that we *cannot* use a case
+# here, because this file can only contain one case statement.
+if test "$depmode" = hp; then
+  # HP compiler uses -M and no extra arg.
+  gccflag=-M
+  depmode=gcc
+fi
+
+if test "$depmode" = dashXmstdout; then
+   # This is just like dashmstdout with a different argument.
+   dashmflag=-xM
+   depmode=dashmstdout
+fi
+
+case "$depmode" in
+gcc3)
+## gcc 3 implements dependency tracking that does exactly what
+## we want.  Yay!  Note: for some reason libtool 1.4 doesn't like
+## it if -MD -MP comes after the -MF stuff.  Hmm.
+## Unfortunately, FreeBSD c89 acceptance of flags depends upon
+## the command line argument order; so add the flags where they
+## appear in depend2.am.  Note that the slowdown incurred here
+## affects only configure: in makefiles, %FASTDEP% shortcuts this.
+  for arg
+  do
+    case $arg in
+    -c) set fnord "$@" -MT "$object" -MD -MP -MF "$tmpdepfile" "$arg" ;;
+    *)  set fnord "$@" "$arg" ;;
+    esac
+    shift # fnord
+    shift # $arg
+  done
+  "$@"
+  stat=$?
+  if test $stat -eq 0; then :
+  else
+    rm -f "$tmpdepfile"
+    exit $stat
+  fi
+  mv "$tmpdepfile" "$depfile"
+  ;;
+
+gcc)
+## There are various ways to get dependency output from gcc.  Here's
+## why we pick this rather obscure method:
+## - Don't want to use -MD because we'd like the dependencies to end
+##   up in a subdir.  Having to rename by hand is ugly.
+##   (We might end up doing this anyway to support other compilers.)
+## - The DEPENDENCIES_OUTPUT environment variable makes gcc act like
+##   -MM, not -M (despite what the docs say).
+## - Using -M directly means running the compiler twice (even worse
+##   than renaming).
+  if test -z "$gccflag"; then
+    gccflag=-MD,
+  fi
+  "$@" -Wp,"$gccflag$tmpdepfile"
+  stat=$?
+  if test $stat -eq 0; then :
+  else
+    rm -f "$tmpdepfile"
+    exit $stat
+  fi
+  rm -f "$depfile"
+  echo "$object : \\" > "$depfile"
+  alpha=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
+## The second -e expression handles DOS-style file names with drive letters.
+  sed -e 's/^[^:]*: / /' \
+      -e 's/^['$alpha']:\/[^:]*: / /' < "$tmpdepfile" >> "$depfile"
+## This next piece of magic avoids the `deleted header file' problem.
+## The problem is that when a header file which appears in a .P file
+## is deleted, the dependency causes make to die (because there is
+## typically no way to rebuild the header).  We avoid this by adding
+## dummy dependencies for each header file.  Too bad gcc doesn't do
+## this for us directly.
+  tr ' ' '
+' < "$tmpdepfile" |
+## Some versions of gcc put a space before the `:'.  On the theory
+## that the space means something, we add a space to the output as
+## well.
+## Some versions of the HPUX 10.20 sed can't process this invocation
+## correctly.  Breaking it into two sed invocations is a workaround.
+    sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' | sed -e 's/$/ :/' >> "$depfile"
+  rm -f "$tmpdepfile"
+  ;;
+
+hp)
+  # This case exists only to let depend.m4 do its work.  It works by
+  # looking at the text of this script.  This case will never be run,
+  # since it is checked for above.
+  exit 1
+  ;;
+
+sgi)
+  if test "$libtool" = yes; then
+    "$@" "-Wp,-MDupdate,$tmpdepfile"
+  else
+    "$@" -MDupdate "$tmpdepfile"
+  fi
+  stat=$?
+  if test $stat -eq 0; then :
+  else
+    rm -f "$tmpdepfile"
+    exit $stat
+  fi
+  rm -f "$depfile"
+
+  if test -f "$tmpdepfile"; then  # yes, the sourcefile depend on other files
+    echo "$object : \\" > "$depfile"
+
+    # Clip off the initial element (the dependent).  Don't try to be
+    # clever and replace this with sed code, as IRIX sed won't handle
+    # lines with more than a fixed number of characters (4096 in
+    # IRIX 6.2 sed, 8192 in IRIX 6.5).  We also remove comment lines;
+    # the IRIX cc adds comments like `#:fec' to the end of the
+    # dependency line.
+    tr ' ' '
+' < "$tmpdepfile" \
+    | sed -e 's/^.*\.o://' -e 's/#.*$//' -e '/^$/ d' | \
+    tr '
+' ' ' >> $depfile
+    echo >> $depfile
+
+    # The second pass generates a dummy entry for each header file.
+    tr ' ' '
+' < "$tmpdepfile" \
+   | sed -e 's/^.*\.o://' -e 's/#.*$//' -e '/^$/ d' -e 's/$/:/' \
+   >> $depfile
+  else
+    # The sourcefile does not contain any dependencies, so just
+    # store a dummy comment line, to avoid errors with the Makefile
+    # "include basename.Plo" scheme.
+    echo "#dummy" > "$depfile"
+  fi
+  rm -f "$tmpdepfile"
+  ;;
+
+aix)
+  # The C for AIX Compiler uses -M and outputs the dependencies
+  # in a .u file.  In older versions, this file always lives in the
+  # current directory.  Also, the AIX compiler puts `$object:' at the
+  # start of each line; $object doesn't have directory information.
+  # Version 6 uses the directory in both cases.
+  dir=`echo "$object" | sed -e 's|/[^/]*$|/|'`
+  test "x$dir" = "x$object" && dir=
+  base=`echo "$object" | sed -e 's|^.*/||' -e 's/\.o$//' -e 's/\.lo$//'`
+  if test "$libtool" = yes; then
+    tmpdepfile1=$dir$base.u
+    tmpdepfile2=$base.u
+    tmpdepfile3=$dir.libs/$base.u
+    "$@" -Wc,-M
+  else
+    tmpdepfile1=$dir$base.u
+    tmpdepfile2=$dir$base.u
+    tmpdepfile3=$dir$base.u
+    "$@" -M
+  fi
+  stat=$?
+
+  if test $stat -eq 0; then :
+  else
+    rm -f "$tmpdepfile1" "$tmpdepfile2" "$tmpdepfile3"
+    exit $stat
+  fi
+
+  for tmpdepfile in "$tmpdepfile1" "$tmpdepfile2" "$tmpdepfile3"
+  do
+    test -f "$tmpdepfile" && break
+  done
+  if test -f "$tmpdepfile"; then
+    # Each line is of the form `foo.o: dependent.h'.
+    # Do two passes, one to just change these to
+    # `$object: dependent.h' and one to simply `dependent.h:'.
+    sed -e "s,^.*\.[a-z]*:,$object:," < "$tmpdepfile" > "$depfile"
+    # That's a tab and a space in the [].
+    sed -e 's,^.*\.[a-z]*:[	 ]*,,' -e 's,$,:,' < "$tmpdepfile" >> "$depfile"
+  else
+    # The sourcefile does not contain any dependencies, so just
+    # store a dummy comment line, to avoid errors with the Makefile
+    # "include basename.Plo" scheme.
+    echo "#dummy" > "$depfile"
+  fi
+  rm -f "$tmpdepfile"
+  ;;
+
+icc)
+  # Intel's C compiler understands `-MD -MF file'.  However on
+  #    icc -MD -MF foo.d -c -o sub/foo.o sub/foo.c
+  # ICC 7.0 will fill foo.d with something like
+  #    foo.o: sub/foo.c
+  #    foo.o: sub/foo.h
+  # which is wrong.  We want:
+  #    sub/foo.o: sub/foo.c
+  #    sub/foo.o: sub/foo.h
+  #    sub/foo.c:
+  #    sub/foo.h:
+  # ICC 7.1 will output
+  #    foo.o: sub/foo.c sub/foo.h
+  # and will wrap long lines using \ :
+  #    foo.o: sub/foo.c ... \
+  #     sub/foo.h ... \
+  #     ...
+
+  "$@" -MD -MF "$tmpdepfile"
+  stat=$?
+  if test $stat -eq 0; then :
+  else
+    rm -f "$tmpdepfile"
+    exit $stat
+  fi
+  rm -f "$depfile"
+  # Each line is of the form `foo.o: dependent.h',
+  # or `foo.o: dep1.h dep2.h \', or ` dep3.h dep4.h \'.
+  # Do two passes, one to just change these to
+  # `$object: dependent.h' and one to simply `dependent.h:'.
+  sed "s,^[^:]*:,$object :," < "$tmpdepfile" > "$depfile"
+  # Some versions of the HPUX 10.20 sed can't process this invocation
+  # correctly.  Breaking it into two sed invocations is a workaround.
+  sed 's,^[^:]*: \(.*\)$,\1,;s/^\\$//;/^$/d;/:$/d' < "$tmpdepfile" |
+    sed -e 's/$/ :/' >> "$depfile"
+  rm -f "$tmpdepfile"
+  ;;
+
+hp2)
+  # The "hp" stanza above does not work with aCC (C++) and HP's ia64
+  # compilers, which have integrated preprocessors.  The correct option
+  # to use with these is +Maked; it writes dependencies to a file named
+  # 'foo.d', which lands next to the object file, wherever that
+  # happens to be.
+  # Much of this is similar to the tru64 case; see comments there.
+  dir=`echo "$object" | sed -e 's|/[^/]*$|/|'`
+  test "x$dir" = "x$object" && dir=
+  base=`echo "$object" | sed -e 's|^.*/||' -e 's/\.o$//' -e 's/\.lo$//'`
+  if test "$libtool" = yes; then
+    tmpdepfile1=$dir$base.d
+    tmpdepfile2=$dir.libs/$base.d
+    "$@" -Wc,+Maked
+  else
+    tmpdepfile1=$dir$base.d
+    tmpdepfile2=$dir$base.d
+    "$@" +Maked
+  fi
+  stat=$?
+  if test $stat -eq 0; then :
+  else
+     rm -f "$tmpdepfile1" "$tmpdepfile2"
+     exit $stat
+  fi
+
+  for tmpdepfile in "$tmpdepfile1" "$tmpdepfile2"
+  do
+    test -f "$tmpdepfile" && break
+  done
+  if test -f "$tmpdepfile"; then
+    sed -e "s,^.*\.[a-z]*:,$object:," "$tmpdepfile" > "$depfile"
+    # Add `dependent.h:' lines.
+    sed -ne '2,${; s/^ *//; s/ \\*$//; s/$/:/; p;}' "$tmpdepfile" >> "$depfile"
+  else
+    echo "#dummy" > "$depfile"
+  fi
+  rm -f "$tmpdepfile" "$tmpdepfile2"
+  ;;
+
+tru64)
+   # The Tru64 compiler uses -MD to generate dependencies as a side
+   # effect.  `cc -MD -o foo.o ...' puts the dependencies into `foo.o.d'.
+   # At least on Alpha/Redhat 6.1, Compaq CCC V6.2-504 seems to put
+   # dependencies in `foo.d' instead, so we check for that too.
+   # Subdirectories are respected.
+   dir=`echo "$object" | sed -e 's|/[^/]*$|/|'`
+   test "x$dir" = "x$object" && dir=
+   base=`echo "$object" | sed -e 's|^.*/||' -e 's/\.o$//' -e 's/\.lo$//'`
+
+   if test "$libtool" = yes; then
+      # With Tru64 cc, shared objects can also be used to make a
+      # static library.  This mechanism is used in libtool 1.4 series to
+      # handle both shared and static libraries in a single compilation.
+      # With libtool 1.4, dependencies were output in $dir.libs/$base.lo.d.
+      #
+      # With libtool 1.5 this exception was removed, and libtool now
+      # generates 2 separate objects for the 2 libraries.  These two
+      # compilations output dependencies in $dir.libs/$base.o.d and
+      # in $dir$base.o.d.  We have to check for both files, because
+      # one of the two compilations can be disabled.  We should prefer
+      # $dir$base.o.d over $dir.libs/$base.o.d because the latter is
+      # automatically cleaned when .libs/ is deleted, while ignoring
+      # the former would cause a distcleancheck panic.
+      tmpdepfile1=$dir.libs/$base.lo.d   # libtool 1.4
+      tmpdepfile2=$dir$base.o.d          # libtool 1.5
+      tmpdepfile3=$dir.libs/$base.o.d    # libtool 1.5
+      tmpdepfile4=$dir.libs/$base.d      # Compaq CCC V6.2-504
+      "$@" -Wc,-MD
+   else
+      tmpdepfile1=$dir$base.o.d
+      tmpdepfile2=$dir$base.d
+      tmpdepfile3=$dir$base.d
+      tmpdepfile4=$dir$base.d
+      "$@" -MD
+   fi
+
+   stat=$?
+   if test $stat -eq 0; then :
+   else
+      rm -f "$tmpdepfile1" "$tmpdepfile2" "$tmpdepfile3" "$tmpdepfile4"
+      exit $stat
+   fi
+
+   for tmpdepfile in "$tmpdepfile1" "$tmpdepfile2" "$tmpdepfile3" "$tmpdepfile4"
+   do
+     test -f "$tmpdepfile" && break
+   done
+   if test -f "$tmpdepfile"; then
+      sed -e "s,^.*\.[a-z]*:,$object:," < "$tmpdepfile" > "$depfile"
+      # That's a tab and a space in the [].
+      sed -e 's,^.*\.[a-z]*:[	 ]*,,' -e 's,$,:,' < "$tmpdepfile" >> "$depfile"
+   else
+      echo "#dummy" > "$depfile"
+   fi
+   rm -f "$tmpdepfile"
+   ;;
+
+#nosideeffect)
+  # This comment above is used by automake to tell side-effect
+  # dependency tracking mechanisms from slower ones.
+
+dashmstdout)
+  # Important note: in order to support this mode, a compiler *must*
+  # always write the preprocessed file to stdout, regardless of -o.
+  "$@" || exit $?
+
+  # Remove the call to Libtool.
+  if test "$libtool" = yes; then
+    while test $1 != '--mode=compile'; do
+      shift
+    done
+    shift
+  fi
+
+  # Remove `-o $object'.
+  IFS=" "
+  for arg
+  do
+    case $arg in
+    -o)
+      shift
+      ;;
+    $object)
+      shift
+      ;;
+    *)
+      set fnord "$@" "$arg"
+      shift # fnord
+      shift # $arg
+      ;;
+    esac
+  done
+
+  test -z "$dashmflag" && dashmflag=-M
+  # Require at least two characters before searching for `:'
+  # in the target name.  This is to cope with DOS-style filenames:
+  # a dependency such as `c:/foo/bar' could be seen as target `c' otherwise.
+  "$@" $dashmflag |
+    sed 's:^[  ]*[^: ][^:][^:]*\:[    ]*:'"$object"'\: :' > "$tmpdepfile"
+  rm -f "$depfile"
+  cat < "$tmpdepfile" > "$depfile"
+  tr ' ' '
+' < "$tmpdepfile" | \
+## Some versions of the HPUX 10.20 sed can't process this invocation
+## correctly.  Breaking it into two sed invocations is a workaround.
+    sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' | sed -e 's/$/ :/' >> "$depfile"
+  rm -f "$tmpdepfile"
+  ;;
+
+dashXmstdout)
+  # This case only exists to satisfy depend.m4.  It is never actually
+  # run, as this mode is specially recognized in the preamble.
+  exit 1
+  ;;
+
+makedepend)
+  "$@" || exit $?
+  # Remove any Libtool call
+  if test "$libtool" = yes; then
+    while test $1 != '--mode=compile'; do
+      shift
+    done
+    shift
+  fi
+  # X makedepend
+  shift
+  cleared=no
+  for arg in "$@"; do
+    case $cleared in
+    no)
+      set ""; shift
+      cleared=yes ;;
+    esac
+    case "$arg" in
+    -D*|-I*)
+      set fnord "$@" "$arg"; shift ;;
+    # Strip any option that makedepend may not understand.  Remove
+    # the object too, otherwise makedepend will parse it as a source file.
+    -*|$object)
+      ;;
+    *)
+      set fnord "$@" "$arg"; shift ;;
+    esac
+  done
+  obj_suffix="`echo $object | sed 's/^.*\././'`"
+  touch "$tmpdepfile"
+  ${MAKEDEPEND-makedepend} -o"$obj_suffix" -f"$tmpdepfile" "$@"
+  rm -f "$depfile"
+  cat < "$tmpdepfile" > "$depfile"
+  sed '1,2d' "$tmpdepfile" | tr ' ' '
+' | \
+## Some versions of the HPUX 10.20 sed can't process this invocation
+## correctly.  Breaking it into two sed invocations is a workaround.
+    sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' | sed -e 's/$/ :/' >> "$depfile"
+  rm -f "$tmpdepfile" "$tmpdepfile".bak
+  ;;
+
+cpp)
+  # Important note: in order to support this mode, a compiler *must*
+  # always write the preprocessed file to stdout.
+  "$@" || exit $?
+
+  # Remove the call to Libtool.
+  if test "$libtool" = yes; then
+    while test $1 != '--mode=compile'; do
+      shift
+    done
+    shift
+  fi
+
+  # Remove `-o $object'.
+  IFS=" "
+  for arg
+  do
+    case $arg in
+    -o)
+      shift
+      ;;
+    $object)
+      shift
+      ;;
+    *)
+      set fnord "$@" "$arg"
+      shift # fnord
+      shift # $arg
+      ;;
+    esac
+  done
+
+  "$@" -E |
+    sed -n -e '/^# [0-9][0-9]* "\([^"]*\)".*/ s:: \1 \\:p' \
+       -e '/^#line [0-9][0-9]* "\([^"]*\)".*/ s:: \1 \\:p' |
+    sed '$ s: \\$::' > "$tmpdepfile"
+  rm -f "$depfile"
+  echo "$object : \\" > "$depfile"
+  cat < "$tmpdepfile" >> "$depfile"
+  sed < "$tmpdepfile" '/^$/d;s/^ //;s/ \\$//;s/$/ :/' >> "$depfile"
+  rm -f "$tmpdepfile"
+  ;;
+
+msvisualcpp)
+  # Important note: in order to support this mode, a compiler *must*
+  # always write the preprocessed file to stdout, regardless of -o,
+  # because we must use -o when running libtool.
+  "$@" || exit $?
+  IFS=" "
+  for arg
+  do
+    case "$arg" in
+    "-Gm"|"/Gm"|"-Gi"|"/Gi"|"-ZI"|"/ZI")
+	set fnord "$@"
+	shift
+	shift
+	;;
+    *)
+	set fnord "$@" "$arg"
+	shift
+	shift
+	;;
+    esac
+  done
+  "$@" -E |
+  sed -n '/^#line [0-9][0-9]* "\([^"]*\)"/ s::echo "`cygpath -u \\"\1\\"`":p' | sort | uniq > "$tmpdepfile"
+  rm -f "$depfile"
+  echo "$object : \\" > "$depfile"
+  . "$tmpdepfile" | sed 's% %\\ %g' | sed -n '/^\(.*\)$/ s::	\1 \\:p' >> "$depfile"
+  echo "	" >> "$depfile"
+  . "$tmpdepfile" | sed 's% %\\ %g' | sed -n '/^\(.*\)$/ s::\1\::p' >> "$depfile"
+  rm -f "$tmpdepfile"
+  ;;
+
+none)
+  exec "$@"
+  ;;
+
+*)
+  echo "Unknown depmode $depmode" 1>&2
+  exit 1
+  ;;
+esac
+
+exit 0
+
+# Local Variables:
+# mode: shell-script
+# sh-indentation: 2
+# eval: (add-hook 'write-file-hooks 'time-stamp)
+# time-stamp-start: "scriptversion="
+# time-stamp-format: "%:y-%02m-%02d.%02H"
+# time-stamp-end: "$"
+# End:
diff --git a/src/charon/plugins/nm/gnome/install-sh b/src/charon/plugins/nm/gnome/install-sh
new file mode 100755
index 000000000..a5897de6e
--- /dev/null
+++ b/src/charon/plugins/nm/gnome/install-sh
@@ -0,0 +1,519 @@
+#!/bin/sh
+# install - install a program, script, or datafile
+
+scriptversion=2006-12-25.00
+
+# This originates from X11R5 (mit/util/scripts/install.sh), which was
+# later released in X11R6 (xc/config/util/install.sh) with the
+# following copyright and license.
+#
+# Copyright (C) 1994 X Consortium
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to
+# deal in the Software without restriction, including without limitation the
+# rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+# sell copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL THE
+# X CONSORTIUM BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN
+# AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNEC-
+# TION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#
+# Except as contained in this notice, the name of the X Consortium shall not
+# be used in advertising or otherwise to promote the sale, use or other deal-
+# ings in this Software without prior written authorization from the X Consor-
+# tium.
+#
+#
+# FSF changes to this file are in the public domain.
+#
+# Calling this script install-sh is preferred over install.sh, to prevent
+# `make' implicit rules from creating a file called install from it
+# when there is no Makefile.
+#
+# This script is compatible with the BSD install script, but was written
+# from scratch.
+
+nl='
+'
+IFS=" ""	$nl"
+
+# set DOITPROG to echo to test this script
+
+# Don't use :- since 4.3BSD and earlier shells don't like it.
+doit=${DOITPROG-}
+if test -z "$doit"; then
+  doit_exec=exec
+else
+  doit_exec=$doit
+fi
+
+# Put in absolute file names if you don't have them in your path;
+# or use environment vars.
+
+chgrpprog=${CHGRPPROG-chgrp}
+chmodprog=${CHMODPROG-chmod}
+chownprog=${CHOWNPROG-chown}
+cmpprog=${CMPPROG-cmp}
+cpprog=${CPPROG-cp}
+mkdirprog=${MKDIRPROG-mkdir}
+mvprog=${MVPROG-mv}
+rmprog=${RMPROG-rm}
+stripprog=${STRIPPROG-strip}
+
+posix_glob='?'
+initialize_posix_glob='
+  test "$posix_glob" != "?" || {
+    if (set -f) 2>/dev/null; then
+      posix_glob=
+    else
+      posix_glob=:
+    fi
+  }
+'
+
+posix_mkdir=
+
+# Desired mode of installed file.
+mode=0755
+
+chgrpcmd=
+chmodcmd=$chmodprog
+chowncmd=
+mvcmd=$mvprog
+rmcmd="$rmprog -f"
+stripcmd=
+
+src=
+dst=
+dir_arg=
+dst_arg=
+
+copy_on_change=false
+no_target_directory=
+
+usage="\
+Usage: $0 [OPTION]... [-T] SRCFILE DSTFILE
+   or: $0 [OPTION]... SRCFILES... DIRECTORY
+   or: $0 [OPTION]... -t DIRECTORY SRCFILES...
+   or: $0 [OPTION]... -d DIRECTORIES...
+
+In the 1st form, copy SRCFILE to DSTFILE.
+In the 2nd and 3rd, copy all SRCFILES to DIRECTORY.
+In the 4th, create DIRECTORIES.
+
+Options:
+     --help     display this help and exit.
+     --version  display version info and exit.
+
+  -c            (ignored)
+  -C            install only if different (preserve the last data modification time)
+  -d            create directories instead of installing files.
+  -g GROUP      $chgrpprog installed files to GROUP.
+  -m MODE       $chmodprog installed files to MODE.
+  -o USER       $chownprog installed files to USER.
+  -s            $stripprog installed files.
+  -t DIRECTORY  install into DIRECTORY.
+  -T            report an error if DSTFILE is a directory.
+
+Environment variables override the default commands:
+  CHGRPPROG CHMODPROG CHOWNPROG CMPPROG CPPROG MKDIRPROG MVPROG
+  RMPROG STRIPPROG
+"
+
+while test $# -ne 0; do
+  case $1 in
+    -c) ;;
+
+    -C) copy_on_change=true;;
+
+    -d) dir_arg=true;;
+
+    -g) chgrpcmd="$chgrpprog $2"
+	shift;;
+
+    --help) echo "$usage"; exit $?;;
+
+    -m) mode=$2
+	case $mode in
+	  *' '* | *'	'* | *'
+'*	  | *'*'* | *'?'* | *'['*)
+	    echo "$0: invalid mode: $mode" >&2
+	    exit 1;;
+	esac
+	shift;;
+
+    -o) chowncmd="$chownprog $2"
+	shift;;
+
+    -s) stripcmd=$stripprog;;
+
+    -t) dst_arg=$2
+	shift;;
+
+    -T) no_target_directory=true;;
+
+    --version) echo "$0 $scriptversion"; exit $?;;
+
+    --)	shift
+	break;;
+
+    -*)	echo "$0: invalid option: $1" >&2
+	exit 1;;
+
+    *)  break;;
+  esac
+  shift
+done
+
+if test $# -ne 0 && test -z "$dir_arg$dst_arg"; then
+  # When -d is used, all remaining arguments are directories to create.
+  # When -t is used, the destination is already specified.
+  # Otherwise, the last argument is the destination.  Remove it from $@.
+  for arg
+  do
+    if test -n "$dst_arg"; then
+      # $@ is not empty: it contains at least $arg.
+      set fnord "$@" "$dst_arg"
+      shift # fnord
+    fi
+    shift # arg
+    dst_arg=$arg
+  done
+fi
+
+if test $# -eq 0; then
+  if test -z "$dir_arg"; then
+    echo "$0: no input file specified." >&2
+    exit 1
+  fi
+  # It's OK to call `install-sh -d' without argument.
+  # This can happen when creating conditional directories.
+  exit 0
+fi
+
+if test -z "$dir_arg"; then
+  trap '(exit $?); exit' 1 2 13 15
+
+  # Set umask so as not to create temps with too-generous modes.
+  # However, 'strip' requires both read and write access to temps.
+  case $mode in
+    # Optimize common cases.
+    *644) cp_umask=133;;
+    *755) cp_umask=22;;
+
+    *[0-7])
+      if test -z "$stripcmd"; then
+	u_plus_rw=
+      else
+	u_plus_rw='% 200'
+      fi
+      cp_umask=`expr '(' 777 - $mode % 1000 ')' $u_plus_rw`;;
+    *)
+      if test -z "$stripcmd"; then
+	u_plus_rw=
+      else
+	u_plus_rw=,u+rw
+      fi
+      cp_umask=$mode$u_plus_rw;;
+  esac
+fi
+
+for src
+do
+  # Protect names starting with `-'.
+  case $src in
+    -*) src=./$src;;
+  esac
+
+  if test -n "$dir_arg"; then
+    dst=$src
+    dstdir=$dst
+    test -d "$dstdir"
+    dstdir_status=$?
+  else
+
+    # Waiting for this to be detected by the "$cpprog $src $dsttmp" command
+    # might cause directories to be created, which would be especially bad
+    # if $src (and thus $dsttmp) contains '*'.
+    if test ! -f "$src" && test ! -d "$src"; then
+      echo "$0: $src does not exist." >&2
+      exit 1
+    fi
+
+    if test -z "$dst_arg"; then
+      echo "$0: no destination specified." >&2
+      exit 1
+    fi
+
+    dst=$dst_arg
+    # Protect names starting with `-'.
+    case $dst in
+      -*) dst=./$dst;;
+    esac
+
+    # If destination is a directory, append the input filename; won't work
+    # if double slashes aren't ignored.
+    if test -d "$dst"; then
+      if test -n "$no_target_directory"; then
+	echo "$0: $dst_arg: Is a directory" >&2
+	exit 1
+      fi
+      dstdir=$dst
+      dst=$dstdir/`basename "$src"`
+      dstdir_status=0
+    else
+      # Prefer dirname, but fall back on a substitute if dirname fails.
+      dstdir=`
+	(dirname "$dst") 2>/dev/null ||
+	expr X"$dst" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
+	     X"$dst" : 'X\(//\)[^/]' \| \
+	     X"$dst" : 'X\(//\)$' \| \
+	     X"$dst" : 'X\(/\)' \| . 2>/dev/null ||
+	echo X"$dst" |
+	    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
+		   s//\1/
+		   q
+		 }
+		 /^X\(\/\/\)[^/].*/{
+		   s//\1/
+		   q
+		 }
+		 /^X\(\/\/\)$/{
+		   s//\1/
+		   q
+		 }
+		 /^X\(\/\).*/{
+		   s//\1/
+		   q
+		 }
+		 s/.*/./; q'
+      `
+
+      test -d "$dstdir"
+      dstdir_status=$?
+    fi
+  fi
+
+  obsolete_mkdir_used=false
+
+  if test $dstdir_status != 0; then
+    case $posix_mkdir in
+      '')
+	# Create intermediate dirs using mode 755 as modified by the umask.
+	# This is like FreeBSD 'install' as of 1997-10-28.
+	umask=`umask`
+	case $stripcmd.$umask in
+	  # Optimize common cases.
+	  *[2367][2367]) mkdir_umask=$umask;;
+	  .*0[02][02] | .[02][02] | .[02]) mkdir_umask=22;;
+
+	  *[0-7])
+	    mkdir_umask=`expr $umask + 22 \
+	      - $umask % 100 % 40 + $umask % 20 \
+	      - $umask % 10 % 4 + $umask % 2
+	    `;;
+	  *) mkdir_umask=$umask,go-w;;
+	esac
+
+	# With -d, create the new directory with the user-specified mode.
+	# Otherwise, rely on $mkdir_umask.
+	if test -n "$dir_arg"; then
+	  mkdir_mode=-m$mode
+	else
+	  mkdir_mode=
+	fi
+
+	posix_mkdir=false
+	case $umask in
+	  *[123567][0-7][0-7])
+	    # POSIX mkdir -p sets u+wx bits regardless of umask, which
+	    # is incompatible with FreeBSD 'install' when (umask & 300) != 0.
+	    ;;
+	  *)
+	    tmpdir=${TMPDIR-/tmp}/ins$RANDOM-$$
+	    trap 'ret=$?; rmdir "$tmpdir/d" "$tmpdir" 2>/dev/null; exit $ret' 0
+
+	    if (umask $mkdir_umask &&
+		exec $mkdirprog $mkdir_mode -p -- "$tmpdir/d") >/dev/null 2>&1
+	    then
+	      if test -z "$dir_arg" || {
+		   # Check for POSIX incompatibilities with -m.
+		   # HP-UX 11.23 and IRIX 6.5 mkdir -m -p sets group- or
+		   # other-writeable bit of parent directory when it shouldn't.
+		   # FreeBSD 6.1 mkdir -m -p sets mode of existing directory.
+		   ls_ld_tmpdir=`ls -ld "$tmpdir"`
+		   case $ls_ld_tmpdir in
+		     d????-?r-*) different_mode=700;;
+		     d????-?--*) different_mode=755;;
+		     *) false;;
+		   esac &&
+		   $mkdirprog -m$different_mode -p -- "$tmpdir" && {
+		     ls_ld_tmpdir_1=`ls -ld "$tmpdir"`
+		     test "$ls_ld_tmpdir" = "$ls_ld_tmpdir_1"
+		   }
+		 }
+	      then posix_mkdir=:
+	      fi
+	      rmdir "$tmpdir/d" "$tmpdir"
+	    else
+	      # Remove any dirs left behind by ancient mkdir implementations.
+	      rmdir ./$mkdir_mode ./-p ./-- 2>/dev/null
+	    fi
+	    trap '' 0;;
+	esac;;
+    esac
+
+    if
+      $posix_mkdir && (
+	umask $mkdir_umask &&
+	$doit_exec $mkdirprog $mkdir_mode -p -- "$dstdir"
+      )
+    then :
+    else
+
+      # The umask is ridiculous, or mkdir does not conform to POSIX,
+      # or it failed possibly due to a race condition.  Create the
+      # directory the slow way, step by step, checking for races as we go.
+
+      case $dstdir in
+	/*) prefix='/';;
+	-*) prefix='./';;
+	*)  prefix='';;
+      esac
+
+      eval "$initialize_posix_glob"
+
+      oIFS=$IFS
+      IFS=/
+      $posix_glob set -f
+      set fnord $dstdir
+      shift
+      $posix_glob set +f
+      IFS=$oIFS
+
+      prefixes=
+
+      for d
+      do
+	test -z "$d" && continue
+
+	prefix=$prefix$d
+	if test -d "$prefix"; then
+	  prefixes=
+	else
+	  if $posix_mkdir; then
+	    (umask=$mkdir_umask &&
+	     $doit_exec $mkdirprog $mkdir_mode -p -- "$dstdir") && break
+	    # Don't fail if two instances are running concurrently.
+	    test -d "$prefix" || exit 1
+	  else
+	    case $prefix in
+	      *\'*) qprefix=`echo "$prefix" | sed "s/'/'\\\\\\\\''/g"`;;
+	      *) qprefix=$prefix;;
+	    esac
+	    prefixes="$prefixes '$qprefix'"
+	  fi
+	fi
+	prefix=$prefix/
+      done
+
+      if test -n "$prefixes"; then
+	# Don't fail if two instances are running concurrently.
+	(umask $mkdir_umask &&
+	 eval "\$doit_exec \$mkdirprog $prefixes") ||
+	  test -d "$dstdir" || exit 1
+	obsolete_mkdir_used=true
+      fi
+    fi
+  fi
+
+  if test -n "$dir_arg"; then
+    { test -z "$chowncmd" || $doit $chowncmd "$dst"; } &&
+    { test -z "$chgrpcmd" || $doit $chgrpcmd "$dst"; } &&
+    { test "$obsolete_mkdir_used$chowncmd$chgrpcmd" = false ||
+      test -z "$chmodcmd" || $doit $chmodcmd $mode "$dst"; } || exit 1
+  else
+
+    # Make a couple of temp file names in the proper directory.
+    dsttmp=$dstdir/_inst.$$_
+    rmtmp=$dstdir/_rm.$$_
+
+    # Trap to clean up those temp files at exit.
+    trap 'ret=$?; rm -f "$dsttmp" "$rmtmp" && exit $ret' 0
+
+    # Copy the file name to the temp name.
+    (umask $cp_umask && $doit_exec $cpprog "$src" "$dsttmp") &&
+
+    # and set any options; do chmod last to preserve setuid bits.
+    #
+    # If any of these fail, we abort the whole thing.  If we want to
+    # ignore errors from any of these, just make sure not to ignore
+    # errors from the above "$doit $cpprog $src $dsttmp" command.
+    #
+    { test -z "$chowncmd" || $doit $chowncmd "$dsttmp"; } &&
+    { test -z "$chgrpcmd" || $doit $chgrpcmd "$dsttmp"; } &&
+    { test -z "$stripcmd" || $doit $stripcmd "$dsttmp"; } &&
+    { test -z "$chmodcmd" || $doit $chmodcmd $mode "$dsttmp"; } &&
+
+    # If -C, don't bother to copy if it wouldn't change the file.
+    if $copy_on_change &&
+       old=`LC_ALL=C ls -dlL "$dst"	2>/dev/null` &&
+       new=`LC_ALL=C ls -dlL "$dsttmp"	2>/dev/null` &&
+
+       eval "$initialize_posix_glob" &&
+       $posix_glob set -f &&
+       set X $old && old=:$2:$4:$5:$6 &&
+       set X $new && new=:$2:$4:$5:$6 &&
+       $posix_glob set +f &&
+
+       test "$old" = "$new" &&
+       $cmpprog "$dst" "$dsttmp" >/dev/null 2>&1
+    then
+      rm -f "$dsttmp"
+    else
+      # Rename the file to the real destination.
+      $doit $mvcmd -f "$dsttmp" "$dst" 2>/dev/null ||
+
+      # The rename failed, perhaps because mv can't rename something else
+      # to itself, or perhaps because mv is so ancient that it does not
+      # support -f.
+      {
+	# Now remove or move aside any old file at destination location.
+	# We try this two ways since rm can't unlink itself on some
+	# systems and the destination file might be busy for other
+	# reasons.  In this case, the final cleanup might fail but the new
+	# file should still install successfully.
+	{
+	  test ! -f "$dst" ||
+	  $doit $rmcmd -f "$dst" 2>/dev/null ||
+	  { $doit $mvcmd -f "$dst" "$rmtmp" 2>/dev/null &&
+	    { $doit $rmcmd -f "$rmtmp" 2>/dev/null; :; }
+	  } ||
+	  { echo "$0: cannot unlink or rename $dst" >&2
+	    (exit 1); exit 1
+	  }
+	} &&
+
+	# Now rename the file to the real destination.
+	$doit $mvcmd "$dsttmp" "$dst"
+      }
+    fi || exit 1
+
+    trap '' 0
+  fi
+done
+
+# Local variables:
+# eval: (add-hook 'write-file-hooks 'time-stamp)
+# time-stamp-start: "scriptversion="
+# time-stamp-format: "%:y-%02m-%02d.%02H"
+# time-stamp-end: "$"
+# End:
diff --git a/src/charon/plugins/nm/gnome/intltool-extract.in b/src/charon/plugins/nm/gnome/intltool-extract.in
new file mode 100644
index 000000000..ae393ac66
--- /dev/null
+++ b/src/charon/plugins/nm/gnome/intltool-extract.in
@@ -0,0 +1,875 @@
+#!@INTLTOOL_PERL@ -w 
+# -*- Mode: perl; indent-tabs-mode: nil; c-basic-offset: 4  -*-
+
+#
+#  The Intltool Message Extractor
+#
+#  Copyright (C) 2000-2001, 2003 Free Software Foundation.
+#
+#  Intltool is free software; you can redistribute it and/or
+#  modify it under the terms of the GNU General Public License as
+#  published by the Free Software Foundation; either version 2 of the
+#  License, or (at your option) any later version.
+#
+#  Intltool is distributed in the hope that it will be useful,
+#  but WITHOUT ANY WARRANTY; without even the implied warranty of
+#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+#  General Public License for more details.
+#
+#  You should have received a copy of the GNU General Public License
+#  along with this program; if not, write to the Free Software
+#  Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+#
+#  As a special exception to the GNU General Public License, if you
+#  distribute this file as part of a program that contains a
+#  configuration script generated by Autoconf, you may include it under
+#  the same distribution terms that you use for the rest of that program.
+#
+#  Authors: Kenneth Christiansen <kenneth@gnu.org>
+#           Darin Adler <darin@bentspoon.com>
+#
+
+## Release information
+my $PROGRAM      = "intltool-extract";
+my $PACKAGE      = "intltool";
+my $VERSION      = "0.37.1";
+
+## Loaded modules
+use strict; 
+use File::Basename;
+use Getopt::Long;
+
+## Scalars used by the option stuff
+my $TYPE_ARG	= "0";
+my $LOCAL_ARG	= "0";
+my $HELP_ARG 	= "0";
+my $VERSION_ARG = "0";
+my $UPDATE_ARG  = "0";
+my $QUIET_ARG   = "0";
+my $SRCDIR_ARG	= ".";
+
+my $FILE;
+my $OUTFILE;
+
+my $gettext_type = "";
+my $input;
+my %messages = ();
+my %loc = ();
+my %count = ();
+my %comments = ();
+my $strcount = 0;
+
+my $XMLCOMMENT = "";
+
+## Use this instead of \w for XML files to handle more possible characters.
+my $w = "[-A-Za-z0-9._:]";
+
+## Always print first
+$| = 1;
+
+## Handle options
+GetOptions (
+	    "type=s"     => \$TYPE_ARG,
+            "local|l"    => \$LOCAL_ARG,
+            "help|h"     => \$HELP_ARG,
+            "version|v"  => \$VERSION_ARG,
+            "update"     => \$UPDATE_ARG,
+	    "quiet|q"    => \$QUIET_ARG,
+	    "srcdir=s"	 => \$SRCDIR_ARG,
+            ) or &error;
+
+&split_on_argument;
+
+
+## Check for options. 
+## This section will check for the different options.
+
+sub split_on_argument {
+
+    if ($VERSION_ARG) {
+        &version;
+
+    } elsif ($HELP_ARG) {
+	&help;
+        
+    } elsif ($LOCAL_ARG) {
+        &place_local;
+        &extract;
+
+    } elsif ($UPDATE_ARG) {
+	&place_normal;
+	&extract;
+
+    } elsif (@ARGV > 0) {
+	&place_normal;
+	&message;
+	&extract;
+
+    } else {
+	&help;
+
+    }  
+}    
+
+sub place_normal {
+    $FILE	 = $ARGV[0];
+    $OUTFILE     = "$FILE.h";
+
+    my $dirname = dirname ($OUTFILE);
+    if (! -d "$dirname" && $dirname ne "") {
+        system ("mkdir -p $dirname");
+    }
+}   
+
+sub place_local {
+    $FILE	 = $ARGV[0];
+    $OUTFILE     = fileparse($FILE, ());
+    if (!-e "tmp/") { 
+        system("mkdir tmp/"); 
+    }
+    $OUTFILE     = "./tmp/$OUTFILE.h"
+}
+
+sub determine_type {
+   if ($TYPE_ARG =~ /^gettext\/(.*)/) {
+	$gettext_type=$1
+   }
+}
+
+## Sub for printing release information
+sub version{
+    print <<_EOF_;
+${PROGRAM} (${PACKAGE}) $VERSION
+Copyright (C) 2000, 2003 Free Software Foundation, Inc.
+Written by Kenneth Christiansen, 2000.
+
+This is free software; see the source for copying conditions.  There is NO
+warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+_EOF_
+    exit;
+}
+
+## Sub for printing usage information
+sub help {
+    print <<_EOF_;
+Usage: ${PROGRAM} [OPTION]... [FILENAME]
+Generates a header file from an XML source file.
+
+It grabs all strings between <_translatable_node> and its end tag in
+XML files. Read manpage (man ${PROGRAM}) for more info.
+
+      --type=TYPE   Specify the file type of FILENAME. Currently supports:
+                    "gettext/glade", "gettext/ini", "gettext/keys"
+                    "gettext/rfc822deb", "gettext/schemas",
+                    "gettext/scheme", "gettext/xml", "gettext/quoted",
+                    "gettext/quotedxml"
+  -l, --local       Writes output into current working directory
+                    (conflicts with --update)
+      --update      Writes output into the same directory the source file 
+                    reside (conflicts with --local)
+      --srcdir      Root of the source tree
+  -v, --version     Output version information and exit
+  -h, --help        Display this help and exit
+  -q, --quiet       Quiet mode
+
+Report bugs to http://bugzilla.gnome.org/ (product name "$PACKAGE")
+or send email to <xml-i18n-tools\@gnome.org>.
+_EOF_
+    exit;
+}
+
+## Sub for printing error messages
+sub error{
+    print STDERR "Try `${PROGRAM} --help' for more information.\n";
+    exit;
+}
+
+sub message {
+    print "Generating C format header file for translation.\n" unless $QUIET_ARG;
+}
+
+sub extract {
+    &determine_type;
+
+    &convert;
+
+    open OUT, ">$OUTFILE";
+    binmode (OUT) if $^O eq 'MSWin32';
+    &msg_write;
+    close OUT;
+
+    print "Wrote $OUTFILE\n" unless $QUIET_ARG;
+}
+
+sub convert {
+
+    ## Reading the file
+    {
+	local (*IN);
+	local $/; #slurp mode
+	open (IN, "<$SRCDIR_ARG/$FILE") || die "can't open $SRCDIR_ARG/$FILE: $!";
+	$input = <IN>;
+    }
+
+    &type_ini if $gettext_type eq "ini";
+    &type_keys if $gettext_type eq "keys";
+    &type_xml if $gettext_type eq "xml";
+    &type_glade if $gettext_type eq "glade";
+    &type_scheme if $gettext_type eq "scheme";
+    &type_schemas  if $gettext_type eq "schemas";
+    &type_rfc822deb  if $gettext_type eq "rfc822deb";
+    &type_quoted if $gettext_type eq "quoted";
+    &type_quotedxml if $gettext_type eq "quotedxml";
+}
+
+sub entity_decode_minimal
+{
+    local ($_) = @_;
+
+    s/&apos;/'/g; # '
+    s/&quot;/"/g; # "
+    s/&amp;/&/g;
+
+    return $_;
+}
+
+sub entity_decode
+{
+    local ($_) = @_;
+
+    s/&apos;/'/g; # '
+    s/&quot;/"/g; # "
+    s/&lt;/</g;
+    s/&gt;/>/g;
+    s/&amp;/&/g;
+
+    return $_;
+}
+
+sub escape_char
+{
+    return '\"' if $_ eq '"';
+    return '\n' if $_ eq "\n";
+    return '\\\\' if $_ eq '\\';
+
+    return $_;
+}
+
+sub escape
+{
+    my ($string) = @_;
+    return join "", map &escape_char, split //, $string;
+}
+
+sub type_ini {
+    ### For generic translatable desktop files ###
+    while ($input =~ /^(#(.+)\n)?^_.*=(.*)$/mg) {
+        if (defined($2))  {
+            $comments{$3} = $2;
+        }
+        $messages{$3} = [];
+    }
+}
+
+sub type_keys {
+    ### For generic translatable mime/keys files ###
+    while ($input =~ /^\s*_\w+=(.*)$/mg) {
+        $messages{$1} = [];
+    }
+}
+
+sub type_xml {
+    ### For generic translatable XML files ###
+    my $tree = readXml($input);
+    parseTree(0, $tree);
+}
+
+sub print_var {
+    my $var = shift;
+    my $vartype = ref $var;
+    
+    if ($vartype =~ /ARRAY/) {
+        my @arr = @{$var};
+        print "[ ";
+        foreach my $el (@arr) {
+            print_var($el);
+            print ", ";
+        }
+        print "] ";
+    } elsif ($vartype =~ /HASH/) {
+        my %hash = %{$var};
+        print "{ ";
+        foreach my $key (keys %hash) {
+            print "$key => ";
+            print_var($hash{$key});
+            print ", ";
+        }
+        print "} ";
+    } else {
+        print $var;
+    }
+}
+
+# Same syntax as getAttributeString in intltool-merge.in.in, similar logic (look for ## differences comment)
+sub getAttributeString
+{
+    my $sub = shift;
+    my $do_translate = shift || 1;
+    my $language = shift || "";
+    my $translate = shift;
+    my $result = "";
+    foreach my $e (reverse(sort(keys %{ $sub }))) {
+	my $key    = $e;
+	my $string = $sub->{$e};
+	my $quote = '"';
+	
+	$string =~ s/^[\s]+//;
+	$string =~ s/[\s]+$//;
+	
+	if ($string =~ /^'.*'$/)
+	{
+	    $quote = "'";
+	}
+	$string =~ s/^['"]//g;
+	$string =~ s/['"]$//g;
+
+        ## differences from intltool-merge.in.in
+	if ($key =~ /^_/) {
+            $comments{entity_decode($string)} = $XMLCOMMENT if $XMLCOMMENT;
+            $messages{entity_decode($string)} = [];
+            $$translate = 2;
+	}
+        ## differences end here from intltool-merge.in.in
+	$result .= " $key=$quote$string$quote";
+    }
+    return $result;
+}
+
+# Verbatim copy from intltool-merge.in.in
+sub getXMLstring
+{
+    my $ref = shift;
+    my $spacepreserve = shift || 0;
+    my @list = @{ $ref };
+    my $result = "";
+
+    my $count = scalar(@list);
+    my $attrs = $list[0];
+    my $index = 1;
+
+    $spacepreserve = 1 if ((exists $attrs->{"xml:space"}) && ($attrs->{"xml:space"} =~ /^["']?preserve["']?$/));
+    $spacepreserve = 0 if ((exists $attrs->{"xml:space"}) && ($attrs->{"xml:space"} =~ /^["']?default["']?$/));
+
+    while ($index < $count) {
+	my $type = $list[$index];
+	my $content = $list[$index+1];
+        if (! $type ) {
+	    # We've got CDATA
+	    if ($content) {
+		# lets strip the whitespace here, and *ONLY* here
+                $content =~ s/\s+/ /gs if (!$spacepreserve);
+		$result .= $content;
+	    }
+	} elsif ( "$type" ne "1" ) {
+	    # We've got another element
+	    $result .= "<$type";
+	    $result .= getAttributeString(@{$content}[0], 0); # no nested translatable elements
+	    if ($content) {
+		my $subresult = getXMLstring($content, $spacepreserve);
+		if ($subresult) {
+		    $result .= ">".$subresult . "</$type>";
+		} else {
+		    $result .= "/>";
+		}
+	    } else {
+		$result .= "/>";
+	    }
+	}
+	$index += 2;
+    }
+    return $result;
+}
+
+# Verbatim copy from intltool-merge.in.in, except for MULTIPLE_OUTPUT handling removed
+# Translate list of nodes if necessary
+sub translate_subnodes
+{
+    my $fh = shift;
+    my $content = shift;
+    my $language = shift || "";
+    my $singlelang = shift || 0;
+    my $spacepreserve = shift || 0;
+
+    my @nodes = @{ $content };
+
+    my $count = scalar(@nodes);
+    my $index = 0;
+    while ($index < $count) {
+        my $type = $nodes[$index];
+        my $rest = $nodes[$index+1];
+        traverse($fh, $type, $rest, $language, $spacepreserve);
+        $index += 2;
+    }
+}
+
+# Based on traverse() in intltool-merge.in.in
+sub traverse
+{
+    my $fh = shift; # unused, to allow us to sync code between -merge and -extract
+    my $nodename = shift;
+    my $content = shift;
+    my $language = shift || "";
+    my $spacepreserve = shift || 0;
+
+    if ($nodename && "$nodename" eq "1") {
+        $XMLCOMMENT = $content;
+    } elsif ($nodename) {
+	# element
+	my @all = @{ $content };
+	my $attrs = shift @all;
+	my $translate = 0;
+	my $outattr = getAttributeString($attrs, 1, $language, \$translate);
+
+	if ($nodename =~ /^_/) {
+	    $translate = 1;
+	    $nodename =~ s/^_//;
+	}
+	my $lookup = '';
+
+        $spacepreserve = 0 if ((exists $attrs->{"xml:space"}) && ($attrs->{"xml:space"} =~ /^["']?default["']?$/));
+        $spacepreserve = 1 if ((exists $attrs->{"xml:space"}) && ($attrs->{"xml:space"} =~ /^["']?preserve["']?$/));
+
+	if ($translate) {
+	    $lookup = getXMLstring($content, $spacepreserve);
+            if (!$spacepreserve) {
+                $lookup =~ s/^\s+//s;
+                $lookup =~ s/\s+$//s;
+            }
+
+	    if ($lookup && $translate != 2) {
+                $comments{$lookup} = $XMLCOMMENT if $XMLCOMMENT;
+                $messages{$lookup} = [];
+            } elsif ($translate == 2) {
+                translate_subnodes($fh, \@all, $language, 1, $spacepreserve);
+	    }
+	} else {
+            $XMLCOMMENT = "";
+	    my $count = scalar(@all);
+	    if ($count > 0) {
+                my $index = 0;
+                while ($index < $count) {
+                    my $type = $all[$index];
+                    my $rest = $all[$index+1];
+                    traverse($fh, $type, $rest, $language, $spacepreserve);
+                    $index += 2;
+                }
+	    }
+	}
+        $XMLCOMMENT = "";
+    }
+}
+
+
+# Verbatim copy from intltool-merge.in.in, $fh for compatibility
+sub parseTree
+{
+    my $fh        = shift;
+    my $ref       = shift;
+    my $language  = shift || "";
+
+    my $name = shift @{ $ref };
+    my $cont = shift @{ $ref };
+
+    while (!$name || "$name" eq "1") {
+        $name = shift @{ $ref };
+        $cont = shift @{ $ref };
+    }
+
+    my $spacepreserve = 0;
+    my $attrs = @{$cont}[0];
+    $spacepreserve = 1 if ((exists $attrs->{"xml:space"}) && ($attrs->{"xml:space"} =~ /^["']?preserve["']?$/));
+
+    traverse($fh, $name, $cont, $language, $spacepreserve);
+}
+
+# Verbatim copy from intltool-merge.in.in
+sub intltool_tree_comment
+{
+    my $expat = shift;
+    my $data  = $expat->original_string();
+    my $clist = $expat->{Curlist};
+    my $pos   = $#$clist;
+
+    $data =~ s/^<!--//s;
+    $data =~ s/-->$//s;
+    push @$clist, 1 => $data;
+}
+
+# Verbatim copy from intltool-merge.in.in
+sub intltool_tree_cdatastart
+{
+    my $expat    = shift;
+    my $clist = $expat->{Curlist};
+    my $pos   = $#$clist;
+
+    push @$clist, 0 => $expat->original_string();
+}
+
+# Verbatim copy from intltool-merge.in.in
+sub intltool_tree_cdataend
+{
+    my $expat    = shift;
+    my $clist = $expat->{Curlist};
+    my $pos   = $#$clist;
+
+    $clist->[$pos] .= $expat->original_string();
+}
+
+# Verbatim copy from intltool-merge.in.in
+sub intltool_tree_char
+{
+    my $expat = shift;
+    my $text  = shift;
+    my $clist = $expat->{Curlist};
+    my $pos   = $#$clist;
+
+    # Use original_string so that we retain escaped entities
+    # in CDATA sections.
+    #
+    if ($pos > 0 and $clist->[$pos - 1] eq '0') {
+        $clist->[$pos] .= $expat->original_string();
+    } else {
+        push @$clist, 0 => $expat->original_string();
+    }
+}
+
+# Verbatim copy from intltool-merge.in.in
+sub intltool_tree_start
+{
+    my $expat    = shift;
+    my $tag      = shift;
+    my @origlist = ();
+
+    # Use original_string so that we retain escaped entities
+    # in attribute values.  We must convert the string to an
+    # @origlist array to conform to the structure of the Tree
+    # Style.
+    #
+    my @original_array = split /\x/, $expat->original_string();
+    my $source         = $expat->original_string();
+
+    # Remove leading tag.
+    #
+    $source =~ s|^\s*<\s*(\S+)||s;
+
+    # Grab attribute key/value pairs and push onto @origlist array.
+    #
+    while ($source)
+    {
+       if ($source =~ /^\s*([\w:-]+)\s*[=]\s*["]/)
+       {
+           $source =~ s|^\s*([\w:-]+)\s*[=]\s*["]([^"]*)["]||s;
+           push @origlist, $1;
+           push @origlist, '"' . $2 . '"';
+       }
+       elsif ($source =~ /^\s*([\w:-]+)\s*[=]\s*[']/)
+       {
+           $source =~ s|^\s*([\w:-]+)\s*[=]\s*[']([^']*)[']||s;
+           push @origlist, $1;
+           push @origlist, "'" . $2 . "'";
+       }
+       else
+       {
+           last;
+       }
+    }
+
+    my $ol = [ { @origlist } ];
+
+    push @{ $expat->{Lists} }, $expat->{Curlist};
+    push @{ $expat->{Curlist} }, $tag => $ol;
+    $expat->{Curlist} = $ol;
+}
+
+# Copied from intltool-merge.in.in and added comment handler.
+sub readXml
+{
+    my $xmldoc = shift || return;
+    my $ret = eval 'require XML::Parser';
+    if(!$ret) {
+        die "You must have XML::Parser installed to run $0\n\n";
+    }
+    my $xp = new XML::Parser(Style => 'Tree');
+    $xp->setHandlers(Char => \&intltool_tree_char);
+    $xp->setHandlers(Start => \&intltool_tree_start);
+    $xp->setHandlers(CdataStart => \&intltool_tree_cdatastart);
+    $xp->setHandlers(CdataEnd => \&intltool_tree_cdataend);
+
+    ## differences from intltool-merge.in.in
+    $xp->setHandlers(Comment => \&intltool_tree_comment);
+    ## differences end here from intltool-merge.in.in
+
+    my $tree = $xp->parse($xmldoc);
+    #print_var($tree);
+
+# <foo><!-- comment --><head id="a">Hello <em>there</em></head><bar>Howdy<ref/></bar>do</foo>
+# would be:
+# [foo, [{}, 1, "comment", head, [{id => "a"}, 0, "Hello ",  em, [{}, 0, "there"]], bar, 
+# [{}, 0, "Howdy",  ref, [{}]], 0, "do" ] ]
+
+    return $tree;
+}
+
+sub type_schemas {
+    ### For schemas XML files ###
+         
+    # FIXME: We should handle escaped < (less than)
+    while ($input =~ /
+                      <locale\ name="C">\s*
+                          (<default>\s*(?:<!--([^>]*?)-->\s*)?(.*?)\s*<\/default>\s*)?
+                          (<short>\s*(?:<!--([^>]*?)-->\s*)?(.*?)\s*<\/short>\s*)?
+                          (<long>\s*(?:<!--([^>]*?)-->\s*)?(.*?)\s*<\/long>\s*)?
+                      <\/locale>
+                     /sgx) {
+        my @totranslate = ($3,$6,$9);
+        my @eachcomment = ($2,$5,$8);
+        foreach (@totranslate) {
+            my $currentcomment = shift @eachcomment;
+            next if !$_;
+            s/\s+/ /g;
+            $messages{entity_decode_minimal($_)} = [];
+            $comments{entity_decode_minimal($_)} = $currentcomment if (defined($currentcomment));
+        }
+    }
+}
+
+sub type_rfc822deb {
+    ### For rfc822-style Debian configuration files ###
+
+    my $lineno = 1;
+    my $type = '';
+    while ($input =~ /\G(.*?)(^|\n)(_+)([^:]+):[ \t]*(.*?)(?=\n\S|$)/sg)
+    {
+        my ($pre, $newline, $underscore, $tag, $text) = ($1, $2, $3, $4, $5);
+        while ($pre =~ m/\n/g)
+        {
+            $lineno ++;
+        }
+        $lineno += length($newline);
+        my @str_list = rfc822deb_split(length($underscore), $text);
+        for my $str (@str_list)
+        {
+            $strcount++;
+            $messages{$str} = [];
+            $loc{$str} = $lineno;
+            $count{$str} = $strcount;
+            my $usercomment = '';
+            while($pre =~ s/(^|\n)#([^\n]*)$//s)
+            {
+                $usercomment = "\n" . $2 . $usercomment;
+            }
+            $comments{$str} = $tag . $usercomment;
+        }
+        $lineno += ($text =~ s/\n//g);
+    }
+}
+
+sub rfc822deb_split {
+    # Debian defines a special way to deal with rfc822-style files:
+    # when a value contain newlines, it consists of
+    #   1.  a short form (first line)
+    #   2.  a long description, all lines begin with a space,
+    #       and paragraphs are separated by a single dot on a line
+    # This routine returns an array of all paragraphs, and reformat
+    # them.
+    # When first argument is 2, the string is a comma separated list of
+    # values.
+    my $type = shift;
+    my $text = shift;
+    $text =~ s/^[ \t]//mg;
+    return (split(/, */, $text, 0)) if $type ne 1;
+    return ($text) if $text !~ /\n/;
+
+    $text =~ s/([^\n]*)\n//;
+    my @list = ($1);
+    my $str = '';
+    for my $line (split (/\n/, $text))
+    {
+        chomp $line;
+        if ($line =~ /^\.\s*$/)
+        {
+            #  New paragraph
+            $str =~ s/\s*$//;
+            push(@list, $str);
+            $str = '';
+        }
+        elsif ($line =~ /^\s/)
+        {
+            #  Line which must not be reformatted
+            $str .= "\n" if length ($str) && $str !~ /\n$/;
+            $line =~ s/\s+$//;
+            $str .= $line."\n";
+        }
+        else
+        {
+            #  Continuation line, remove newline
+            $str .= " " if length ($str) && $str !~ /\n$/;
+            $str .= $line;
+        }
+    }
+    $str =~ s/\s*$//;
+    push(@list, $str) if length ($str);
+    return @list;
+}
+
+sub type_quoted {
+    while ($input =~ /\"(([^\"]|\\\")*[^\\\"])\"/g) {
+        my $message = $1;
+        my $before = $`;
+        $message =~ s/\\\"/\"/g;
+        $before =~ s/[^\n]//g;
+        $messages{$message} = [];
+        $loc{$message} = length ($before) + 2;
+    }
+}
+
+sub type_quotedxml {
+    while ($input =~ /\"(([^\"]|\\\")*[^\\\"])\"/g) {
+        my $message = $1;
+        my $before = $`;
+        $message =~ s/\\\"/\"/g;
+        $message = entity_decode($message);
+        $before =~ s/[^\n]//g;
+        $messages{$message} = [];
+        $loc{$message} = length ($before) + 2;
+    }
+}
+
+sub type_glade {
+    ### For translatable Glade XML files ###
+
+    my $tags = "label|title|text|format|copyright|comments|preview_text|tooltip|message";
+
+    while ($input =~ /<($tags)>([^<]+)<\/($tags)>/sg) {
+	# Glade sometimes uses tags that normally mark translatable things for
+        # little bits of non-translatable content. We work around this by not
+        # translating strings that only includes something like label4 or window1.
+	$messages{entity_decode($2)} = [] unless $2 =~ /^(window|label|dialog)[0-9]+$/;
+    }
+    
+    while ($input =~ /<items>(..[^<]*)<\/items>/sg) {
+	for my $item (split (/\n/, $1)) {
+	    $messages{entity_decode($item)} = [];
+	}
+    }
+
+    ## handle new glade files
+    while ($input =~ /<(property|atkproperty|col)\s+[^>]*translatable\s*=\s*"yes"(?:\s+[^>]*comments\s*=\s*"([^"]*)")?[^>]*>([^<]+)<\/\1>/sg) {
+	$messages{entity_decode($3)} = [] unless $3 =~ /^(window|label)[0-9]+$/;
+        if (defined($2) and !($3 =~ /^(window|label)[0-9]+$/)) {
+	   $comments{entity_decode($3)} = entity_decode($2) ;
+        }
+    }
+    while ($input =~ /<atkaction\s+action_name="([^>]*)"\s+description="([^>]+)"\/>/sg) {
+        $messages{entity_decode_minimal($2)} = [];
+    }
+}
+
+sub type_scheme {
+    my ($line, $i, $state, $str, $trcomment, $char);
+    for $line (split(/\n/, $input)) {
+        $i = 0;
+        $state = 0; # 0 - nothing, 1 - string, 2 - translatable string
+        while ($i < length($line)) {
+            if (substr($line,$i,1) eq "\"") {
+                if ($state == 2) {
+                    $comments{$str} = $trcomment if ($trcomment);
+                    $messages{$str} = [];
+                    $str = '';
+                    $state = 0; $trcomment = "";
+                } elsif ($state == 1) {
+                    $str = '';
+                    $state = 0; $trcomment = "";
+                } else {
+                    $state = 1;
+                    $str = '';
+                    if ($i>0 && substr($line,$i-1,1) eq '_') {
+                        $state = 2;
+                    }
+                }
+            } elsif (!$state) {
+                if (substr($line,$i,1) eq ";") {
+                    $trcomment = substr($line,$i+1);
+                    $trcomment =~ s/^;*\s*//;
+                    $i = length($line);
+                } elsif ($trcomment && substr($line,$i,1) !~ /\s|\(|\)|_/) {
+                    $trcomment = "";
+                }
+            } else {
+                if (substr($line,$i,1) eq "\\") {
+                    $char = substr($line,$i+1,1);
+                    if ($char ne "\"" && $char ne "\\") {
+                       $str = $str . "\\";
+                    }
+                    $i++;
+                }
+                $str = $str . substr($line,$i,1);
+            }
+            $i++;
+        }
+    }
+}
+
+sub msg_write {
+    my @msgids;
+    if (%count)
+    {
+        @msgids = sort { $count{$a} <=> $count{$b} } keys %count;
+    }
+    else
+    {
+        @msgids = sort keys %messages;
+    }
+    for my $message (@msgids)
+    {
+	my $offsetlines = 1;
+	$offsetlines++ if $message =~ /%/;
+	if (defined ($comments{$message}))
+	{
+		while ($comments{$message} =~ m/\n/g)
+		{
+		    $offsetlines++;
+		}
+	}
+	print OUT "# ".($loc{$message} - $offsetlines).  " \"$FILE\"\n"
+	        if defined $loc{$message};
+   	print OUT "/* ".$comments{$message}." */\n"
+                if defined $comments{$message};
+   	print OUT "/* xgettext:no-c-format */\n" if $message =~ /%/;
+        
+    	my @lines = split (/\n/, $message, -1);
+    	for (my $n = 0; $n < @lines; $n++)
+	{
+            if ($n == 0)
+            {
+ 		print OUT "char *s = N_(\""; 
+            }
+            else
+            {  
+                print OUT "             \""; 
+            }
+
+            print OUT escape($lines[$n]);
+
+            if ($n < @lines - 1)
+            {
+                print OUT "\\n\"\n"; 
+            }
+            else
+            {
+                print OUT "\");\n";  
+	    }
+        }
+    }
+}
+
diff --git a/src/charon/plugins/nm/gnome/intltool-merge.in b/src/charon/plugins/nm/gnome/intltool-merge.in
new file mode 100644
index 000000000..60c3f3e29
--- /dev/null
+++ b/src/charon/plugins/nm/gnome/intltool-merge.in
@@ -0,0 +1,1506 @@
+#!@INTLTOOL_PERL@ -w
+# -*- Mode: perl; indent-tabs-mode: nil; c-basic-offset: 4  -*-
+
+#
+#  The Intltool Message Merger
+#
+#  Copyright (C) 2000, 2003 Free Software Foundation.
+#  Copyright (C) 2000, 2001 Eazel, Inc
+#
+#  Intltool is free software; you can redistribute it and/or
+#  modify it under the terms of the GNU General Public License 
+#  version 2 published by the Free Software Foundation.
+#
+#  Intltool is distributed in the hope that it will be useful,
+#  but WITHOUT ANY WARRANTY; without even the implied warranty of
+#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+#  General Public License for more details.
+#
+#  You should have received a copy of the GNU General Public License
+#  along with this program; if not, write to the Free Software
+#  Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+#
+#  As a special exception to the GNU General Public License, if you
+#  distribute this file as part of a program that contains a
+#  configuration script generated by Autoconf, you may include it under
+#  the same distribution terms that you use for the rest of that program.
+#
+#  Authors:  Maciej Stachowiak <mjs@noisehavoc.org>
+#            Kenneth Christiansen <kenneth@gnu.org>
+#            Darin Adler <darin@bentspoon.com>
+#
+#  Proper XML UTF-8'ification written by Cyrille Chepelov <chepelov@calixo.net>
+#
+
+## Release information
+my $PROGRAM = "intltool-merge";
+my $PACKAGE = "intltool";
+my $VERSION = "0.37.1";
+
+## Loaded modules
+use strict; 
+use Getopt::Long;
+use Text::Wrap;
+use File::Basename;
+
+my $must_end_tag      = -1;
+my $last_depth        = -1;
+my $translation_depth = -1;
+my @tag_stack = ();
+my @entered_tag = ();
+my @translation_strings = ();
+my $leading_space = "";
+
+## Scalars used by the option stuff
+my $HELP_ARG = 0;
+my $VERSION_ARG = 0;
+my $BA_STYLE_ARG = 0;
+my $XML_STYLE_ARG = 0;
+my $KEYS_STYLE_ARG = 0;
+my $DESKTOP_STYLE_ARG = 0;
+my $SCHEMAS_STYLE_ARG = 0;
+my $RFC822DEB_STYLE_ARG = 0;
+my $QUOTED_STYLE_ARG = 0;
+my $QUOTEDXML_STYLE_ARG = 0;
+my $QUIET_ARG = 0;
+my $PASS_THROUGH_ARG = 0;
+my $UTF8_ARG = 0;
+my $MULTIPLE_OUTPUT = 0;
+my $cache_file;
+
+## Handle options
+GetOptions 
+(
+ "help" => \$HELP_ARG,
+ "version" => \$VERSION_ARG,
+ "quiet|q" => \$QUIET_ARG,
+ "oaf-style|o" => \$BA_STYLE_ARG, ## for compatibility
+ "ba-style|b" => \$BA_STYLE_ARG,
+ "xml-style|x" => \$XML_STYLE_ARG,
+ "keys-style|k" => \$KEYS_STYLE_ARG,
+ "desktop-style|d" => \$DESKTOP_STYLE_ARG,
+ "schemas-style|s" => \$SCHEMAS_STYLE_ARG,
+ "rfc822deb-style|r" => \$RFC822DEB_STYLE_ARG,
+ "quoted-style" => \$QUOTED_STYLE_ARG,
+ "quotedxml-style" => \$QUOTEDXML_STYLE_ARG,
+ "pass-through|p" => \$PASS_THROUGH_ARG,
+ "utf8|u" => \$UTF8_ARG,
+ "multiple-output|m" => \$MULTIPLE_OUTPUT,
+ "cache|c=s" => \$cache_file
+ ) or &error;
+
+my $PO_DIR;
+my $FILE;
+my $OUTFILE;
+
+my %po_files_by_lang = ();
+my %translations = ();
+my $iconv = $ENV{"ICONV"} || "iconv";
+my $devnull = ($^O eq 'MSWin32' ? 'NUL:' : '/dev/null');
+
+sub isProgramInPath
+{
+    my ($file) = @_;
+    # If either a file exists, or when run it returns 0 exit status
+    return 1 if ((-x $file) or (system("$file -l >$devnull") == 0));
+    return 0;
+}
+
+if (! isProgramInPath ("$iconv"))
+{
+	print STDERR " *** iconv is not found on this system!\n".
+		     " *** Without it, intltool-merge can not convert encodings.\n";
+	exit;
+}
+
+# Use this instead of \w for XML files to handle more possible characters.
+my $w = "[-A-Za-z0-9._:]";
+
+# XML quoted string contents
+my $q = "[^\\\"]*";
+
+## Check for options. 
+
+if ($VERSION_ARG) 
+{
+	&print_version;
+} 
+elsif ($HELP_ARG) 
+{
+	&print_help;
+} 
+elsif ($BA_STYLE_ARG && @ARGV > 2) 
+{
+	&utf8_sanity_check;
+	&preparation;
+	&print_message;
+	&ba_merge_translations;
+	&finalize;
+} 
+elsif ($XML_STYLE_ARG && @ARGV > 2) 
+{
+	&utf8_sanity_check;
+	&preparation;
+	&print_message;
+	&xml_merge_output;
+	&finalize;
+} 
+elsif ($KEYS_STYLE_ARG && @ARGV > 2) 
+{
+	&utf8_sanity_check;
+	&preparation;
+	&print_message;
+        &keys_merge_translations;
+	&finalize;
+} 
+elsif ($DESKTOP_STYLE_ARG && @ARGV > 2) 
+{
+	&utf8_sanity_check;
+	&preparation;
+	&print_message;
+	&desktop_merge_translations;
+	&finalize;
+} 
+elsif ($SCHEMAS_STYLE_ARG && @ARGV > 2) 
+{
+	&utf8_sanity_check;
+	&preparation;
+	&print_message;
+	&schemas_merge_translations;
+	&finalize;
+} 
+elsif ($RFC822DEB_STYLE_ARG && @ARGV > 2) 
+{
+	&preparation;
+	&print_message;
+	&rfc822deb_merge_translations;
+	&finalize;
+} 
+elsif (($QUOTED_STYLE_ARG || $QUOTEDXML_STYLE_ARG) && @ARGV > 2)
+{
+	&utf8_sanity_check;
+	&preparation;
+	&print_message;
+	&quoted_merge_translations($QUOTEDXML_STYLE_ARG);
+	&finalize;
+} 
+else 
+{
+	&print_help;
+}
+
+exit;
+
+## Sub for printing release information
+sub print_version
+{
+    print <<_EOF_;
+${PROGRAM} (${PACKAGE}) ${VERSION}
+Written by Maciej Stachowiak, Darin Adler and Kenneth Christiansen.
+
+Copyright (C) 2000-2003 Free Software Foundation, Inc.
+Copyright (C) 2000-2001 Eazel, Inc.
+This is free software; see the source for copying conditions.  There is NO
+warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+_EOF_
+    exit;
+}
+
+## Sub for printing usage information
+sub print_help
+{
+    print <<_EOF_;
+Usage: ${PROGRAM} [OPTION]... PO_DIRECTORY FILENAME OUTPUT_FILE
+Generates an output file that includes some localized attributes from an
+untranslated source file.
+
+Mandatory options: (exactly one must be specified)
+  -b, --ba-style         includes translations in the bonobo-activation style
+  -d, --desktop-style    includes translations in the desktop style
+  -k, --keys-style       includes translations in the keys style
+  -s, --schemas-style    includes translations in the schemas style
+  -r, --rfc822deb-style  includes translations in the RFC822 style
+      --quoted-style     includes translations in the quoted string style
+      --quotedxml-style  includes translations in the quoted xml string style
+  -x, --xml-style        includes translations in the standard xml style
+
+Other options:
+  -u, --utf8             convert all strings to UTF-8 before merging 
+                         (default for everything except RFC822 style)
+  -p, --pass-through     deprecated, does nothing and issues a warning
+  -m, --multiple-output  output one localized file per locale, instead of 
+	                 a single file containing all localized elements
+  -c, --cache=FILE       specify cache file name
+                         (usually \$top_builddir/po/.intltool-merge-cache)
+  -q, --quiet            suppress most messages
+      --help             display this help and exit
+      --version          output version information and exit
+
+Report bugs to http://bugzilla.gnome.org/ (product name "$PACKAGE")
+or send email to <xml-i18n-tools\@gnome.org>.
+_EOF_
+    exit;
+}
+
+
+## Sub for printing error messages
+sub print_error
+{
+    print STDERR "Try `${PROGRAM} --help' for more information.\n";
+    exit;
+}
+
+
+sub print_message 
+{
+    print "Merging translations into $OUTFILE.\n" unless $QUIET_ARG;
+}
+
+
+sub preparation 
+{
+    $PO_DIR = $ARGV[0];
+    $FILE = $ARGV[1];
+    $OUTFILE = $ARGV[2];
+
+    &gather_po_files;
+    &get_translation_database;
+}
+
+# General-purpose code for looking up translations in .po files
+
+sub po_file2lang
+{
+    my ($tmp) = @_; 
+    $tmp =~ s/^.*\/(.*)\.po$/$1/; 
+    return $tmp; 
+}
+
+sub gather_po_files
+{
+    if (my $linguas = $ENV{"LINGUAS"})
+    {
+        for my $lang (split / /, $linguas) {
+            my $po_file = $PO_DIR . "/" . $lang . ".po";
+            if (-e $po_file) {
+                $po_files_by_lang{$lang} = $po_file;
+            }
+        }
+    }
+    else
+    {
+        if (open LINGUAS_FILE, "$PO_DIR/LINGUAS")
+        {
+            while (<LINGUAS_FILE>)
+            {
+                next if /^#/;
+
+                for my $lang (split)
+                {
+                    chomp ($lang);
+                    my $po_file = $PO_DIR . "/" . $lang . ".po";
+                    if (-e $po_file) {
+                        $po_files_by_lang{$lang} = $po_file;
+                    }
+                }
+            }
+
+            close LINGUAS_FILE;
+        }
+        else
+        {
+            for my $po_file (glob "$PO_DIR/*.po") {
+                $po_files_by_lang{po_file2lang($po_file)} = $po_file;
+            }
+        }
+    }
+}
+
+sub get_local_charset
+{
+    my ($encoding) = @_;
+    my $alias_file = $ENV{"G_CHARSET_ALIAS"} || "@INTLTOOL_LIBDIR@/charset.alias";
+
+    # seek character encoding aliases in charset.alias (glib)
+
+    if (open CHARSET_ALIAS, $alias_file) 
+    {
+	while (<CHARSET_ALIAS>) 
+        {
+            next if /^\#/;
+            return $1 if (/^\s*([-._a-zA-Z0-9]+)\s+$encoding\b/i)
+        }
+
+        close CHARSET_ALIAS;
+    }
+
+    # if not found, return input string
+
+    return $encoding;
+}
+
+sub get_po_encoding
+{
+    my ($in_po_file) = @_;
+    my $encoding = "";
+
+    open IN_PO_FILE, $in_po_file or die;
+    while (<IN_PO_FILE>) 
+    {
+        ## example: "Content-Type: text/plain; charset=ISO-8859-1\n"
+        if (/Content-Type\:.*charset=([-a-zA-Z0-9]+)\\n/) 
+        {
+            $encoding = $1; 
+            last;
+        }
+    }
+    close IN_PO_FILE;
+
+    if (!$encoding) 
+    {
+        print STDERR "Warning: no encoding found in $in_po_file. Assuming ISO-8859-1\n" unless $QUIET_ARG;
+        $encoding = "ISO-8859-1";
+    }
+
+    system ("$iconv -f $encoding -t UTF-8 <$devnull 2>$devnull");
+    if ($?) {
+	$encoding = get_local_charset($encoding);
+    }
+
+    return $encoding
+}
+
+sub utf8_sanity_check 
+{
+    print STDERR "Warning: option --pass-through has been removed.\n" if $PASS_THROUGH_ARG;
+    $UTF8_ARG = 1;
+}
+
+sub get_translation_database
+{
+    if ($cache_file) {
+	&get_cached_translation_database;
+    } else {
+        &create_translation_database;
+    }
+}
+
+sub get_newest_po_age
+{
+    my $newest_age;
+
+    foreach my $file (values %po_files_by_lang) 
+    {
+	my $file_age = -M $file;
+	$newest_age = $file_age if !$newest_age || $file_age < $newest_age;
+    }
+
+    $newest_age = 0 if !$newest_age;
+
+    return $newest_age;
+}
+
+sub create_cache
+{
+    print "Generating and caching the translation database\n" unless $QUIET_ARG;
+
+    &create_translation_database;
+
+    open CACHE, ">$cache_file" || die;
+    print CACHE join "\x01", %translations;
+    close CACHE;
+}
+
+sub load_cache 
+{
+    print "Found cached translation database\n" unless $QUIET_ARG;
+
+    my $contents;
+    open CACHE, "<$cache_file" || die;
+    {
+        local $/;
+        $contents = <CACHE>;
+    }
+    close CACHE;
+    %translations = split "\x01", $contents;
+}
+
+sub get_cached_translation_database
+{
+    my $cache_file_age = -M $cache_file;
+    if (defined $cache_file_age) 
+    {
+        if ($cache_file_age <= &get_newest_po_age) 
+        {
+            &load_cache;
+            return;
+        }
+        print "Found too-old cached translation database\n" unless $QUIET_ARG;
+    }
+
+    &create_cache;
+}
+
+sub create_translation_database
+{
+    for my $lang (keys %po_files_by_lang) 
+    {
+    	my $po_file = $po_files_by_lang{$lang};
+
+        if ($UTF8_ARG) 
+        {
+            my $encoding = get_po_encoding ($po_file);
+
+            if (lc $encoding eq "utf-8") 
+            {
+                open PO_FILE, "<$po_file";	
+            } 
+            else 
+            {
+		print "NOTICE: $po_file is not in UTF-8 but $encoding, converting...\n" unless $QUIET_ARG;;
+
+                open PO_FILE, "$iconv -f $encoding -t UTF-8 $po_file|";	
+            }
+        } 
+        else 
+        {
+            open PO_FILE, "<$po_file";	
+        }
+
+	my $nextfuzzy = 0;
+	my $inmsgid = 0;
+	my $inmsgstr = 0;
+	my $msgid = "";
+	my $msgstr = "";
+
+        while (<PO_FILE>) 
+        {
+	    $nextfuzzy = 1 if /^#, fuzzy/;
+       
+	    if (/^msgid "((\\.|[^\\]+)*)"/ ) 
+            {
+		$translations{$lang, $msgid} = $msgstr if $inmsgstr && $msgid && $msgstr;
+		$msgid = "";
+		$msgstr = "";
+
+		if ($nextfuzzy) {
+		    $inmsgid = 0;
+		} else {
+		    $msgid = unescape_po_string($1);
+		    $inmsgid = 1;
+		}
+		$inmsgstr = 0;
+		$nextfuzzy = 0;
+	    }
+
+	    if (/^msgstr "((\\.|[^\\]+)*)"/) 
+            {
+	        $msgstr = unescape_po_string($1);
+		$inmsgstr = 1;
+		$inmsgid = 0;
+	    }
+
+	    if (/^"((\\.|[^\\]+)*)"/) 
+            {
+	        $msgid .= unescape_po_string($1) if $inmsgid;
+	        $msgstr .= unescape_po_string($1) if $inmsgstr;
+	    }
+	}
+	$translations{$lang, $msgid} = $msgstr if $inmsgstr && $msgid && $msgstr;
+    }
+}
+
+sub finalize
+{
+}
+
+sub unescape_one_sequence
+{
+    my ($sequence) = @_;
+
+    return "\\" if $sequence eq "\\\\";
+    return "\"" if $sequence eq "\\\"";
+    return "\n" if $sequence eq "\\n";
+    return "\r" if $sequence eq "\\r";
+    return "\t" if $sequence eq "\\t";
+    return "\b" if $sequence eq "\\b";
+    return "\f" if $sequence eq "\\f";
+    return "\a" if $sequence eq "\\a";
+    return chr(11) if $sequence eq "\\v"; # vertical tab, see ascii(7)
+
+    return chr(hex($1)) if ($sequence =~ /\\x([0-9a-fA-F]{2})/);
+    return chr(oct($1)) if ($sequence =~ /\\([0-7]{3})/);
+
+    # FIXME: Is \0 supported as well? Kenneth and Rodney don't want it, see bug #48489
+
+    return $sequence;
+}
+
+sub unescape_po_string
+{
+    my ($string) = @_;
+
+    $string =~ s/(\\x[0-9a-fA-F]{2}|\\[0-7]{3}|\\.)/unescape_one_sequence($1)/eg;
+
+    return $string;
+}
+
+sub entity_decode
+{
+    local ($_) = @_;
+
+    s/&apos;/'/g; # '
+    s/&quot;/"/g; # "
+    s/&lt;/</g;
+    s/&gt;/>/g;
+    s/&amp;/&/g;
+
+    return $_;
+}
+ 
+# entity_encode: (string)
+#
+# Encode the given string to XML format (encode '<' etc).
+
+sub entity_encode
+{
+    my ($pre_encoded) = @_;
+
+    my @list_of_chars = unpack ('C*', $pre_encoded);
+
+    # with UTF-8 we only encode minimalistic
+    return join ('', map (&entity_encode_int_minimalist, @list_of_chars));
+}
+
+sub entity_encode_int_minimalist
+{
+    return "&quot;" if $_ == 34;
+    return "&amp;" if $_ == 38;
+    return "&apos;" if $_ == 39;
+    return "&lt;" if $_ == 60;
+    return "&gt;" if $_ == 62;
+    return chr $_;
+}
+
+sub entity_encoded_translation
+{
+    my ($lang, $string) = @_;
+
+    my $translation = $translations{$lang, $string};
+    return $string if !$translation;
+    return entity_encode ($translation);
+}
+
+## XML (bonobo-activation specific) merge code
+
+sub ba_merge_translations
+{
+    my $source;
+
+    {
+       local $/; # slurp mode
+       open INPUT, "<$FILE" or die "can't open $FILE: $!";
+       $source = <INPUT>;
+       close INPUT;
+    }
+
+    open OUTPUT, ">$OUTFILE" or die "can't open $OUTFILE: $!";
+    # Binmode so that selftest works ok if using a native Win32 Perl...
+    binmode (OUTPUT) if $^O eq 'MSWin32';
+
+    while ($source =~ s|^(.*?)([ \t]*<\s*$w+\s+($w+\s*=\s*"$q"\s*)+/?>)([ \t]*\n)?||s) 
+    {
+        print OUTPUT $1;
+
+        my $node = $2 . "\n";
+
+        my @strings = ();
+        $_ = $node;
+	while (s/(\s)_($w+\s*=\s*"($q)")/$1$2/s) {
+             push @strings, entity_decode($3);
+        }
+	print OUTPUT;
+
+	my %langs;
+	for my $string (@strings) 
+        {
+	    for my $lang (keys %po_files_by_lang) 
+            {
+                $langs{$lang} = 1 if $translations{$lang, $string};
+	    }
+	}
+	
+	for my $lang (sort keys %langs) 
+        {
+	    $_ = $node;
+	    s/(\sname\s*=\s*)"($q)"/$1"$2-$lang"/s;
+	    s/(\s)_($w+\s*=\s*")($q)"/$1 . $2 . entity_encoded_translation($lang, $3) . '"'/seg;
+	    print OUTPUT;
+        }
+    }
+
+    print OUTPUT $source;
+
+    close OUTPUT;
+}
+
+
+## XML (non-bonobo-activation) merge code
+
+
+# Process tag attributes
+#   Only parameter is a HASH containing attributes -> values mapping
+sub getAttributeString
+{
+    my $sub = shift;
+    my $do_translate = shift || 0;
+    my $language = shift || "";
+    my $result = "";
+    my $translate = shift;
+    foreach my $e (reverse(sort(keys %{ $sub }))) {
+	my $key    = $e;
+	my $string = $sub->{$e};
+	my $quote = '"';
+	
+	$string =~ s/^[\s]+//;
+	$string =~ s/[\s]+$//;
+	
+	if ($string =~ /^'.*'$/)
+	{
+	    $quote = "'";
+	}
+	$string =~ s/^['"]//g;
+	$string =~ s/['"]$//g;
+
+	if ($do_translate && $key =~ /^_/) {
+	    $key =~ s|^_||g;
+	    if ($language) {
+		# Handle translation
+		my $decode_string = entity_decode($string);
+		my $translation = $translations{$language, $decode_string};
+		if ($translation) {
+		    $translation = entity_encode($translation);
+		    $string = $translation;
+                }
+                $$translate = 2;
+            } else {
+                 $$translate = 2 if ($translate && (!$$translate)); # watch not to "overwrite" $translate
+            }
+	}
+	
+	$result .= " $key=$quote$string$quote";
+    }
+    return $result;
+}
+
+# Returns a translatable string from XML node, it works on contents of every node in XML::Parser tree
+sub getXMLstring
+{
+    my $ref = shift;
+    my $spacepreserve = shift || 0;
+    my @list = @{ $ref };
+    my $result = "";
+
+    my $count = scalar(@list);
+    my $attrs = $list[0];
+    my $index = 1;
+
+    $spacepreserve = 1 if ((exists $attrs->{"xml:space"}) && ($attrs->{"xml:space"} =~ /^["']?preserve["']?$/));
+    $spacepreserve = 0 if ((exists $attrs->{"xml:space"}) && ($attrs->{"xml:space"} =~ /^["']?default["']?$/));
+
+    while ($index < $count) {
+	my $type = $list[$index];
+	my $content = $list[$index+1];
+        if (! $type ) {
+	    # We've got CDATA
+	    if ($content) {
+		# lets strip the whitespace here, and *ONLY* here
+                $content =~ s/\s+/ /gs if (!$spacepreserve);
+		$result .= $content;
+	    }
+	} elsif ( "$type" ne "1" ) {
+	    # We've got another element
+	    $result .= "<$type";
+	    $result .= getAttributeString(@{$content}[0], 0); # no nested translatable elements
+	    if ($content) {
+		my $subresult = getXMLstring($content, $spacepreserve);
+		if ($subresult) {
+		    $result .= ">".$subresult . "</$type>";
+		} else {
+		    $result .= "/>";
+		}
+	    } else {
+		$result .= "/>";
+	    }
+	}
+	$index += 2;
+    }
+    return $result;
+}
+
+# Translate list of nodes if necessary
+sub translate_subnodes
+{
+    my $fh = shift;
+    my $content = shift;
+    my $language = shift || "";
+    my $singlelang = shift || 0;
+    my $spacepreserve = shift || 0;
+
+    my @nodes = @{ $content };
+
+    my $count = scalar(@nodes);
+    my $index = 0;
+    while ($index < $count) {
+        my $type = $nodes[$index];
+        my $rest = $nodes[$index+1];
+        if ($singlelang) {
+            my $oldMO = $MULTIPLE_OUTPUT;
+            $MULTIPLE_OUTPUT = 1;
+            traverse($fh, $type, $rest, $language, $spacepreserve);
+            $MULTIPLE_OUTPUT = $oldMO;
+        } else {
+            traverse($fh, $type, $rest, $language, $spacepreserve);
+        }
+        $index += 2;
+    }
+}
+
+sub isWellFormedXmlFragment
+{
+    my $ret = eval 'require XML::Parser';
+    if(!$ret) {
+        die "You must have XML::Parser installed to run $0\n\n";
+    } 
+
+    my $fragment = shift;
+    return 0 if (!$fragment);
+
+    $fragment = "<root>$fragment</root>";
+    my $xp = new XML::Parser(Style => 'Tree');
+    my $tree = 0;
+    eval { $tree = $xp->parse($fragment); };
+    return $tree;
+}
+
+sub traverse
+{
+    my $fh = shift; 
+    my $nodename = shift;
+    my $content = shift;
+    my $language = shift || "";
+    my $spacepreserve = shift || 0;
+
+    if (!$nodename) {
+	if ($content =~ /^[\s]*$/) {
+	    $leading_space .= $content;
+	}
+	print $fh $content;
+    } else {
+	# element
+	my @all = @{ $content };
+	my $attrs = shift @all;
+	my $translate = 0;
+	my $outattr = getAttributeString($attrs, 1, $language, \$translate);
+
+	if ($nodename =~ /^_/) {
+	    $translate = 1;
+	    $nodename =~ s/^_//;
+	}
+	my $lookup = '';
+
+        $spacepreserve = 0 if ((exists $attrs->{"xml:space"}) && ($attrs->{"xml:space"} =~ /^["']?default["']?$/));
+        $spacepreserve = 1 if ((exists $attrs->{"xml:space"}) && ($attrs->{"xml:space"} =~ /^["']?preserve["']?$/));
+
+	print $fh "<$nodename", $outattr;
+	if ($translate) {
+	    $lookup = getXMLstring($content, $spacepreserve);
+            if (!$spacepreserve) {
+                $lookup =~ s/^\s+//s;
+                $lookup =~ s/\s+$//s;
+            }
+
+	    if ($lookup || $translate == 2) {
+                my $translation = $translations{$language, $lookup} if isWellFormedXmlFragment($translations{$language, $lookup});
+                if ($MULTIPLE_OUTPUT && ($translation || $translate == 2)) {
+                    $translation = $lookup if (!$translation);
+                    print $fh " xml:lang=\"", $language, "\"" if $language;
+                    print $fh ">";
+                    if ($translate == 2) {
+                        translate_subnodes($fh, \@all, $language, 1, $spacepreserve);
+                    } else {
+                        print $fh $translation;
+                    }
+                    print $fh "</$nodename>";
+
+                    return; # this means there will be no same translation with xml:lang="$language"...
+                            # if we want them both, just remove this "return"
+                } else {
+                    print $fh ">";
+                    if ($translate == 2) {
+                        translate_subnodes($fh, \@all, $language, 1, $spacepreserve);
+                    } else {
+                        print $fh $lookup;
+                    }
+                    print $fh "</$nodename>";
+                }
+	    } else {
+		print $fh "/>";
+	    }
+
+	    for my $lang (sort keys %po_files_by_lang) {
+                    if ($MULTIPLE_OUTPUT && $lang ne "$language") {
+                        next;
+                    }
+		    if ($lang) {
+                        # Handle translation
+                        #
+                        my $translate = 0;
+                        my $localattrs = getAttributeString($attrs, 1, $lang, \$translate);
+                        my $translation = $translations{$lang, $lookup} if isWellFormedXmlFragment($translations{$lang, $lookup});
+                        if ($translate && !$translation) {
+                            $translation = $lookup;
+                        }
+
+                        if ($translation || $translate) {
+			    print $fh "\n";
+			    $leading_space =~ s/.*\n//g;
+			    print $fh $leading_space;
+ 			    print $fh "<", $nodename, " xml:lang=\"", $lang, "\"", $localattrs, ">";
+                            if ($translate == 2) {
+                               translate_subnodes($fh, \@all, $lang, 1, $spacepreserve);
+                            } else {
+                                print $fh $translation;
+                            }
+                            print $fh "</$nodename>";
+			}
+                    }
+	    }
+
+	} else {
+	    my $count = scalar(@all);
+	    if ($count > 0) {
+		print $fh ">";
+                my $index = 0;
+                while ($index < $count) {
+                    my $type = $all[$index];
+                    my $rest = $all[$index+1];
+                    traverse($fh, $type, $rest, $language, $spacepreserve);
+                    $index += 2;
+                }
+		print $fh "</$nodename>";
+	    } else {
+		print $fh "/>";
+	    }
+	}
+    }
+}
+
+sub intltool_tree_comment
+{
+    my $expat = shift;
+    my $data  = shift;
+    my $clist = $expat->{Curlist};
+    my $pos   = $#$clist;
+
+    push @$clist, 1 => $data;
+}
+
+sub intltool_tree_cdatastart
+{
+    my $expat    = shift;
+    my $clist = $expat->{Curlist};
+    my $pos   = $#$clist;
+
+    push @$clist, 0 => $expat->original_string();
+}
+
+sub intltool_tree_cdataend
+{
+    my $expat    = shift;
+    my $clist = $expat->{Curlist};
+    my $pos   = $#$clist;
+
+    $clist->[$pos] .= $expat->original_string();
+}
+
+sub intltool_tree_char
+{
+    my $expat = shift;
+    my $text  = shift;
+    my $clist = $expat->{Curlist};
+    my $pos   = $#$clist;
+
+    # Use original_string so that we retain escaped entities
+    # in CDATA sections.
+    #
+    if ($pos > 0 and $clist->[$pos - 1] eq '0') {
+        $clist->[$pos] .= $expat->original_string();
+    } else {
+        push @$clist, 0 => $expat->original_string();
+    }
+}
+
+sub intltool_tree_start
+{
+    my $expat    = shift;
+    my $tag      = shift;
+    my @origlist = ();
+
+    # Use original_string so that we retain escaped entities
+    # in attribute values.  We must convert the string to an
+    # @origlist array to conform to the structure of the Tree
+    # Style.
+    #
+    my @original_array = split /\x/, $expat->original_string();
+    my $source         = $expat->original_string();
+
+    # Remove leading tag.
+    #
+    $source =~ s|^\s*<\s*(\S+)||s;
+
+    # Grab attribute key/value pairs and push onto @origlist array.
+    #
+    while ($source)
+    {
+       if ($source =~ /^\s*([\w:-]+)\s*[=]\s*["]/)
+       {
+           $source =~ s|^\s*([\w:-]+)\s*[=]\s*["]([^"]*)["]||s;
+           push @origlist, $1;
+           push @origlist, '"' . $2 . '"';
+       }
+       elsif ($source =~ /^\s*([\w:-]+)\s*[=]\s*[']/)
+       {
+           $source =~ s|^\s*([\w:-]+)\s*[=]\s*[']([^']*)[']||s;
+           push @origlist, $1;
+           push @origlist, "'" . $2 . "'";
+       }
+       else
+       {
+           last;
+       }
+    }
+
+    my $ol = [ { @origlist } ];
+
+    push @{ $expat->{Lists} }, $expat->{Curlist};
+    push @{ $expat->{Curlist} }, $tag => $ol;
+    $expat->{Curlist} = $ol;
+}
+
+sub readXml
+{
+    my $filename = shift || return;
+    if(!-f $filename) {
+        die "ERROR Cannot find filename: $filename\n";
+    }
+
+    my $ret = eval 'require XML::Parser';
+    if(!$ret) {
+        die "You must have XML::Parser installed to run $0\n\n";
+    } 
+    my $xp = new XML::Parser(Style => 'Tree');
+    $xp->setHandlers(Char => \&intltool_tree_char);
+    $xp->setHandlers(Start => \&intltool_tree_start);
+    $xp->setHandlers(CdataStart => \&intltool_tree_cdatastart);
+    $xp->setHandlers(CdataEnd => \&intltool_tree_cdataend);
+    my $tree = $xp->parsefile($filename);
+
+# <foo><head id="a">Hello <em>there</em></head><bar>Howdy<ref/></bar>do</foo>
+# would be:
+# [foo, [{}, head, [{id => "a"}, 0, "Hello ",  em, [{}, 0, "there"]], bar, [{},
+# 0, "Howdy",  ref, [{}]], 0, "do" ] ]
+
+    return $tree;
+}
+
+sub print_header
+{
+    my $infile = shift;
+    my $fh = shift;
+    my $source;
+
+    if(!-f $infile) {
+        die "ERROR Cannot find filename: $infile\n";
+    }
+
+    print $fh qq{<?xml version="1.0" encoding="UTF-8"?>\n};
+    {
+        local $/;
+        open DOCINPUT, "<${FILE}" or die;
+        $source = <DOCINPUT>;
+        close DOCINPUT;
+    }
+    if ($source =~ /(<!DOCTYPE.*\[.*\]\s*>)/s)
+    {
+        print $fh "$1\n";
+    }
+    elsif ($source =~ /(<!DOCTYPE[^>]*>)/s)
+    {
+        print $fh "$1\n";
+    }
+}
+
+sub parseTree
+{
+    my $fh        = shift;
+    my $ref       = shift;
+    my $language  = shift || "";
+
+    my $name = shift @{ $ref };
+    my $cont = shift @{ $ref };
+    
+    while (!$name || "$name" eq "1") {
+        $name = shift @{ $ref };
+        $cont = shift @{ $ref };
+    }
+
+    my $spacepreserve = 0;
+    my $attrs = @{$cont}[0];
+    $spacepreserve = 1 if ((exists $attrs->{"xml:space"}) && ($attrs->{"xml:space"} =~ /^["']?preserve["']?$/));
+
+    traverse($fh, $name, $cont, $language, $spacepreserve);
+}
+
+sub xml_merge_output
+{
+    my $source;
+
+    if ($MULTIPLE_OUTPUT) {
+        for my $lang (sort keys %po_files_by_lang) {
+	    if ( ! -d $lang ) {
+	        mkdir $lang or -d $lang or die "Cannot create subdirectory $lang: $!\n";
+            }
+            open OUTPUT, ">$lang/$OUTFILE" or die "Cannot open $lang/$OUTFILE: $!\n";
+            binmode (OUTPUT) if $^O eq 'MSWin32';
+            my $tree = readXml($FILE);
+            print_header($FILE, \*OUTPUT);
+            parseTree(\*OUTPUT, $tree, $lang);
+            close OUTPUT;
+            print "CREATED $lang/$OUTFILE\n" unless $QUIET_ARG;
+        }
+        if ( ! -d "C" ) {
+            mkdir "C" or -d "C" or die "Cannot create subdirectory C: $!\n";
+        }
+        open OUTPUT, ">C/$OUTFILE" or die "Cannot open C/$OUTFILE: $!\n";
+        binmode (OUTPUT) if $^O eq 'MSWin32';
+        my $tree = readXml($FILE);
+        print_header($FILE, \*OUTPUT);
+        parseTree(\*OUTPUT, $tree);
+        close OUTPUT;
+        print "CREATED C/$OUTFILE\n" unless $QUIET_ARG;
+    } else {
+        open OUTPUT, ">$OUTFILE" or die "Cannot open $OUTFILE: $!\n";
+        binmode (OUTPUT) if $^O eq 'MSWin32';
+        my $tree = readXml($FILE);
+        print_header($FILE, \*OUTPUT);
+        parseTree(\*OUTPUT, $tree);
+        close OUTPUT;
+        print "CREATED $OUTFILE\n" unless $QUIET_ARG;
+    }
+}
+
+sub keys_merge_translation
+{
+    my ($lang) = @_;
+
+    if ( ! -d $lang && $MULTIPLE_OUTPUT)
+    {
+        mkdir $lang or -d $lang or die "Cannot create subdirectory $lang: $!\n";
+    }
+
+    open INPUT, "<${FILE}" or die "Cannot open ${FILE}: $!\n";
+    open OUTPUT, ">$lang/$OUTFILE" or die "Cannot open $lang/$OUTFILE: $!\n";
+    binmode (OUTPUT) if $^O eq 'MSWin32';
+
+    while (<INPUT>)
+    {
+        if (s/^(\s*)_(\w+=(.*))/$1$2/)
+        {
+            my $string = $3;
+
+            if (!$MULTIPLE_OUTPUT)
+            {
+                print OUTPUT;
+
+                my $non_translated_line = $_;
+
+                for my $lang (sort keys %po_files_by_lang)
+                {
+                    my $translation = $translations{$lang, $string};
+                    next if !$translation;
+
+                    $_ = $non_translated_line;
+                    s/(\w+)=.*/[$lang]$1=$translation/;
+                    print OUTPUT;
+                }
+            }
+            else
+            {
+                my $non_translated_line = $_;
+                my $translation = $translations{$lang, $string};
+                $translation = $string if !$translation;
+
+                $_ = $non_translated_line;
+                s/(\w+)=.*/$1=$translation/;
+                print OUTPUT;
+            }
+        }
+        else
+        {
+            print OUTPUT;
+        }
+    }
+
+    close OUTPUT;
+    close INPUT;
+
+    print "CREATED $lang/$OUTFILE\n" unless $QUIET_ARG;
+}
+
+sub keys_merge_translations
+{
+    if ($MULTIPLE_OUTPUT)
+    {
+        for my $lang (sort keys %po_files_by_lang)
+        {
+            keys_merge_translation ($lang);
+        }
+        keys_merge_translation ("C");
+    }
+    else
+    {
+        keys_merge_translation (".");
+    }
+}
+
+sub desktop_merge_translations
+{
+    open INPUT, "<${FILE}" or die;
+    open OUTPUT, ">${OUTFILE}" or die;
+    binmode (OUTPUT) if $^O eq 'MSWin32';
+
+    while (<INPUT>) 
+    {
+        if (s/^(\s*)_(\w+=(.*))/$1$2/)  
+        {
+	    my $string = $3;
+
+            print OUTPUT;
+
+	    my $non_translated_line = $_;
+
+            for my $lang (sort keys %po_files_by_lang) 
+            {
+                my $translation = $translations{$lang, $string};
+                next if !$translation;
+
+                $_ = $non_translated_line;
+                s/(\w+)=.*/${1}[$lang]=$translation/;
+                print OUTPUT;
+            }
+	} 
+        else 
+        {
+            print OUTPUT;
+        }
+    }
+
+    close OUTPUT;
+    close INPUT;
+}
+
+sub schemas_merge_translations
+{
+    my $source;
+
+    {
+       local $/; # slurp mode
+       open INPUT, "<$FILE" or die "can't open $FILE: $!";
+       $source = <INPUT>;
+       close INPUT;
+    }
+
+    open OUTPUT, ">$OUTFILE" or die;
+    binmode (OUTPUT) if $^O eq 'MSWin32';
+
+    # FIXME: support attribute translations
+
+    # Empty nodes never need translation, so unmark all of them.
+    # For example, <_foo/> is just replaced by <foo/>.
+    $source =~ s|<\s*_($w+)\s*/>|<$1/>|g;
+
+    while ($source =~ s/
+                        (.*?)
+                        (\s+)(<locale\ name="C">(\s*)
+                            (<default>\s*(?:<!--[^>]*?-->\s*)?(.*?)\s*<\/default>)?(\s*)
+                            (<short>\s*(?:<!--[^>]*?-->\s*)?(.*?)\s*<\/short>)?(\s*)
+                            (<long>\s*(?:<!--[^>]*?-->\s*)?(.*?)\s*<\/long>)?(\s*)
+                        <\/locale>)
+                       //sx) 
+    {
+        print OUTPUT $1;
+
+	my $locale_start_spaces = $2 ? $2 : '';
+	my $default_spaces = $4 ? $4 : '';
+	my $short_spaces = $7 ? $7 : '';
+	my $long_spaces = $10 ? $10 : '';
+	my $locale_end_spaces = $13 ? $13 : '';
+	my $c_default_block = $3 ? $3 : '';
+	my $default_string = $6 ? $6 : '';
+	my $short_string = $9 ? $9 : '';
+	my $long_string = $12 ? $12 : '';
+
+	print OUTPUT "$locale_start_spaces$c_default_block";
+
+        $default_string =~ s/\s+/ /g;
+        $default_string = entity_decode($default_string);
+	$short_string =~ s/\s+/ /g;
+	$short_string = entity_decode($short_string);
+	$long_string =~ s/\s+/ /g;
+	$long_string = entity_decode($long_string);
+
+	for my $lang (sort keys %po_files_by_lang) 
+        {
+	    my $default_translation = $translations{$lang, $default_string};
+	    my $short_translation = $translations{$lang, $short_string};
+	    my $long_translation  = $translations{$lang, $long_string};
+
+	    next if (!$default_translation && !$short_translation && 
+                     !$long_translation);
+
+	    print OUTPUT "\n$locale_start_spaces<locale name=\"$lang\">";
+
+        print OUTPUT "$default_spaces";    
+
+        if ($default_translation)
+        {
+            $default_translation = entity_encode($default_translation);
+            print OUTPUT "<default>$default_translation</default>";
+        }
+
+	    print OUTPUT "$short_spaces";
+
+	    if ($short_translation)
+	    {
+			$short_translation = entity_encode($short_translation);
+			print OUTPUT "<short>$short_translation</short>";
+	    }
+
+	    print OUTPUT "$long_spaces";
+
+	    if ($long_translation)
+	    {
+			$long_translation = entity_encode($long_translation);
+			print OUTPUT "<long>$long_translation</long>";
+	    }	    
+
+	    print OUTPUT "$locale_end_spaces</locale>";
+        }
+    }
+
+    print OUTPUT $source;
+
+    close OUTPUT;
+}
+
+sub rfc822deb_merge_translations
+{
+    my %encodings = ();
+    for my $lang (keys %po_files_by_lang) {
+        $encodings{$lang} = ($UTF8_ARG ? 'UTF-8' : get_po_encoding($po_files_by_lang{$lang}));
+    }
+
+    my $source;
+
+    $Text::Wrap::huge = 'overflow';
+    $Text::Wrap::break = qr/\n|\s(?=\S)/;
+
+    {
+       local $/; # slurp mode
+       open INPUT, "<$FILE" or die "can't open $FILE: $!";
+       $source = <INPUT>;
+       close INPUT;
+    }
+
+    open OUTPUT, ">${OUTFILE}" or die;
+    binmode (OUTPUT) if $^O eq 'MSWin32';
+
+    while ($source =~ /(^|\n+)(_*)([^:\s]+)(:[ \t]*)(.*?)(?=\n[\S\n]|$)/sg)
+    {
+	    my $sep = $1;
+	    my $non_translated_line = $3.$4;
+	    my $string = $5;
+	    my $underscore = length($2);
+	    next if $underscore eq 0 && $non_translated_line =~ /^#/;
+	    #  Remove [] dummy strings
+	    my $stripped = $string;
+	    $stripped =~ s/\[\s[^\[\]]*\],/,/g if $underscore eq 2;
+	    $stripped =~ s/\[\s[^\[\]]*\]$//;
+	    $non_translated_line .= $stripped;
+
+	    print OUTPUT $sep.$non_translated_line;
+    
+	    if ($underscore) 
+	    {
+	        my @str_list = rfc822deb_split($underscore, $string);
+
+	        for my $lang (sort keys %po_files_by_lang) 
+                {
+                    my $is_translated = 1;
+                    my $str_translated = '';
+                    my $first = 1;
+                
+                    for my $str (@str_list) 
+                    {
+                        my $translation = $translations{$lang, $str};
+                    
+                        if (!$translation) 
+                        {
+                            $is_translated = 0;
+                            last;
+                        }
+
+	                #  $translation may also contain [] dummy
+                        #  strings, mostly to indicate an empty string
+	                $translation =~ s/\[\s[^\[\]]*\]$//;
+                        
+                        if ($first) 
+                        {
+                            if ($underscore eq 2)
+                            {
+                                $str_translated .= $translation;
+                            }
+                            else
+                            {
+                                $str_translated .=
+                                    Text::Tabs::expand($translation) .
+                                    "\n";
+                            }
+                        } 
+                        else 
+                        {
+                            if ($underscore eq 2)
+                            {
+                                $str_translated .= ', ' . $translation;
+                            }
+                            else
+                            {
+                                $str_translated .= Text::Tabs::expand(
+                                    Text::Wrap::wrap(' ', ' ', $translation)) .
+                                    "\n .\n";
+                            }
+                        }
+                        $first = 0;
+
+                        #  To fix some problems with Text::Wrap::wrap
+                        $str_translated =~ s/(\n )+\n/\n .\n/g;
+                    }
+                    next unless $is_translated;
+
+                    $str_translated =~ s/\n \.\n$//;
+                    $str_translated =~ s/\s+$//;
+
+                    $_ = $non_translated_line;
+                    s/^(\w+):\s*.*/$sep${1}-$lang.$encodings{$lang}: $str_translated/s;
+                    print OUTPUT;
+                }
+	    }
+    }
+    print OUTPUT "\n";
+
+    close OUTPUT;
+    close INPUT;
+}
+
+sub rfc822deb_split 
+{
+    # Debian defines a special way to deal with rfc822-style files:
+    # when a value contain newlines, it consists of
+    #   1.  a short form (first line)
+    #   2.  a long description, all lines begin with a space,
+    #       and paragraphs are separated by a single dot on a line
+    # This routine returns an array of all paragraphs, and reformat
+    # them.
+    # When first argument is 2, the string is a comma separated list of
+    # values.
+    my $type = shift;
+    my $text = shift;
+    $text =~ s/^[ \t]//mg;
+    return (split(/, */, $text, 0)) if $type ne 1;
+    return ($text) if $text !~ /\n/;
+
+    $text =~ s/([^\n]*)\n//;
+    my @list = ($1);
+    my $str = '';
+
+    for my $line (split (/\n/, $text)) 
+    {
+        chomp $line;
+        if ($line =~ /^\.\s*$/)
+        {
+            #  New paragraph
+            $str =~ s/\s*$//;
+            push(@list, $str);
+            $str = '';
+        } 
+        elsif ($line =~ /^\s/) 
+        {
+            #  Line which must not be reformatted
+            $str .= "\n" if length ($str) && $str !~ /\n$/;
+            $line =~ s/\s+$//;
+            $str .= $line."\n";
+        } 
+        else 
+        {
+            #  Continuation line, remove newline
+            $str .= " " if length ($str) && $str !~ /\n$/;
+            $str .= $line;
+        }
+    }
+
+    $str =~ s/\s*$//;
+    push(@list, $str) if length ($str);
+
+    return @list;
+}
+
+sub quoted_translation
+{
+    my ($xml_mode, $lang, $string) = @_;
+
+    $string = entity_decode($string) if $xml_mode;
+    $string =~ s/\\\"/\"/g;
+
+    my $translation = $translations{$lang, $string};
+    $translation = $string if !$translation;
+    $translation = entity_encode($translation) if $xml_mode;
+    $translation =~ s/\"/\\\"/g;
+    return $translation
+}
+
+sub quoted_merge_translations
+{
+    my ($xml_mode) = @_;
+
+    if (!$MULTIPLE_OUTPUT) {
+        print "Quoted only supports Multiple Output.\n";
+        exit(1);
+    }
+
+    for my $lang (sort keys %po_files_by_lang) {
+        if ( ! -d $lang ) {
+            mkdir $lang or -d $lang or die "Cannot create subdirectory $lang: $!\n";
+        }
+        open INPUT, "<${FILE}" or die;
+        open OUTPUT, ">$lang/$OUTFILE" or die "Cannot open $lang/$OUTFILE: $!\n";
+        binmode (OUTPUT) if $^O eq 'MSWin32';
+        while (<INPUT>) 
+        {
+            s/\"(([^\"]|\\\")*[^\\\"])\"/"\"" . &quoted_translation($xml_mode, $lang, $1) . "\""/ge;
+            print OUTPUT;
+        }
+        close OUTPUT;
+        close INPUT;
+    }
+}
diff --git a/src/charon/plugins/nm/gnome/intltool-update.in b/src/charon/plugins/nm/gnome/intltool-update.in
new file mode 100644
index 000000000..2684cc0d2
--- /dev/null
+++ b/src/charon/plugins/nm/gnome/intltool-update.in
@@ -0,0 +1,1166 @@
+#!@INTLTOOL_PERL@ -w
+# -*- Mode: perl; indent-tabs-mode: nil; c-basic-offset: 4  -*-
+
+#
+#  The Intltool Message Updater
+#
+#  Copyright (C) 2000-2003 Free Software Foundation.
+#
+#  Intltool is free software; you can redistribute it and/or
+#  modify it under the terms of the GNU General Public License 
+#  version 2 published by the Free Software Foundation.
+#
+#  Intltool is distributed in the hope that it will be useful,
+#  but WITHOUT ANY WARRANTY; without even the implied warranty of
+#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+#  General Public License for more details.
+#
+#  You should have received a copy of the GNU General Public License
+#  along with this program; if not, write to the Free Software
+#  Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+#
+#  As a special exception to the GNU General Public License, if you
+#  distribute this file as part of a program that contains a
+#  configuration script generated by Autoconf, you may include it under
+#  the same distribution terms that you use for the rest of that program.
+#
+#  Authors: Kenneth Christiansen <kenneth@gnu.org>
+#           Maciej Stachowiak
+#           Darin Adler <darin@bentspoon.com>
+
+## Release information
+my $PROGRAM = "intltool-update";
+my $VERSION = "0.37.1";
+my $PACKAGE = "intltool";
+
+## Loaded modules
+use strict;
+use Getopt::Long;
+use Cwd;
+use File::Copy;
+use File::Find;
+
+## Scalars used by the option stuff
+my $HELP_ARG 	   = 0;
+my $VERSION_ARG    = 0;
+my $DIST_ARG	   = 0;
+my $POT_ARG	   = 0;
+my $HEADERS_ARG    = 0;
+my $MAINTAIN_ARG   = 0;
+my $REPORT_ARG     = 0;
+my $VERBOSE	   = 0;
+my $GETTEXT_PACKAGE = "";
+my $OUTPUT_FILE    = "";
+
+my @languages;
+my %varhash = ();
+my %po_files_by_lang = ();
+
+# Regular expressions to categorize file types.
+# FIXME: Please check if the following is correct
+
+my $xml_support =
+"xml(?:\\.in)*|".	# http://www.w3.org/XML/ (Note: .in is not required)
+"ui|".			# Bonobo specific - User Interface desc. files
+"lang|".		# ?
+"glade2?(?:\\.in)*|".	# Glade specific - User Interface desc. files (Note: .in is not required)
+"scm(?:\\.in)*|".	# ? (Note: .in is not required)
+"oaf(?:\\.in)+|".	# DEPRECATED: Replaces by Bonobo .server files 
+"etspec|".		# ?
+"server(?:\\.in)+|".	# Bonobo specific
+"sheet(?:\\.in)+|".	# ?
+"schemas(?:\\.in)+|".	# GConf specific
+"pong(?:\\.in)+|".	# DEPRECATED: PONG is not used [by GNOME] any longer.
+"kbd(?:\\.in)+|".	# GOK specific. 
+"policy(?:\\.in)+";	# PolicyKit files
+
+my $ini_support =
+"icon(?:\\.in)+|".	# http://www.freedesktop.org/Standards/icon-theme-spec
+"desktop(?:\\.in)+|".	# http://www.freedesktop.org/Standards/menu-spec
+"caves(?:\\.in)+|".	# GNOME Games specific
+"directory(?:\\.in)+|".	# http://www.freedesktop.org/Standards/menu-spec
+"soundlist(?:\\.in)+|".	# GNOME specific
+"keys(?:\\.in)+|".	# GNOME Mime database specific
+"theme(?:\\.in)+|".	# http://www.freedesktop.org/Standards/icon-theme-spec
+"service(?:\\.in)+";    # DBus specific
+
+my $buildin_gettext_support = 
+"c|y|cs|cc|cpp|c\\+\\+|h|hh|gob|py";
+
+## Always flush buffer when printing
+$| = 1;
+
+## Sometimes the source tree will be rooted somewhere else.
+my $SRCDIR = $ENV{"srcdir"} || ".";
+my $POTFILES_in;
+
+$POTFILES_in = "<$SRCDIR/POTFILES.in";
+
+my $devnull = ($^O eq 'MSWin32' ? 'NUL:' : '/dev/null');
+
+## Handle options
+GetOptions 
+(
+ "help" 	       => \$HELP_ARG,
+ "version" 	       => \$VERSION_ARG,
+ "dist|d"	       => \$DIST_ARG,
+ "pot|p"	       => \$POT_ARG,
+ "headers|s"	       => \$HEADERS_ARG,
+ "maintain|m"	       => \$MAINTAIN_ARG,
+ "report|r"	       => \$REPORT_ARG,
+ "verbose|x"	       => \$VERBOSE,
+ "gettext-package|g=s" => \$GETTEXT_PACKAGE,
+ "output-file|o=s"     => \$OUTPUT_FILE,
+ ) or &Console_WriteError_InvalidOption;
+
+&Console_Write_IntltoolHelp if $HELP_ARG;
+&Console_Write_IntltoolVersion if $VERSION_ARG;
+
+my $arg_count = ($DIST_ARG > 0)
+    + ($POT_ARG > 0)
+    + ($HEADERS_ARG > 0)
+    + ($MAINTAIN_ARG > 0)
+    + ($REPORT_ARG > 0);
+
+&Console_Write_IntltoolHelp if $arg_count > 1;
+
+my $PKGNAME = FindPackageName ();
+
+# --version and --help don't require a module name
+my $MODULE = $GETTEXT_PACKAGE || $PKGNAME || "unknown";
+
+if ($POT_ARG)
+{
+    &GenerateHeaders;
+    &GeneratePOTemplate;
+}
+elsif ($HEADERS_ARG)
+{
+    &GenerateHeaders;
+}
+elsif ($MAINTAIN_ARG)
+{
+    &FindLeftoutFiles;
+}
+elsif ($REPORT_ARG)
+{
+    &GenerateHeaders;
+    &GeneratePOTemplate;
+    &Console_Write_CoverageReport;
+}
+elsif ((defined $ARGV[0]) && $ARGV[0] =~ /^[a-z]/)
+{
+    my $lang = $ARGV[0];
+
+    ## Report error if the language file supplied
+    ## to the command line is non-existent
+    &Console_WriteError_NotExisting("$SRCDIR/$lang.po")
+        if ! -s "$SRCDIR/$lang.po";
+
+    if (!$DIST_ARG)
+    {
+	print "Working, please wait..." if $VERBOSE;
+	&GenerateHeaders;
+	&GeneratePOTemplate;
+    }
+    &POFile_Update ($lang, $OUTPUT_FILE);
+    &Console_Write_TranslationStatus ($lang, $OUTPUT_FILE);
+} 
+else 
+{
+    &Console_Write_IntltoolHelp;
+}
+
+exit;
+
+#########
+
+sub Console_Write_IntltoolVersion
+{
+    print <<_EOF_;
+${PROGRAM} (${PACKAGE}) $VERSION
+Written by Kenneth Christiansen, Maciej Stachowiak, and Darin Adler.
+
+Copyright (C) 2000-2003 Free Software Foundation, Inc.
+This is free software; see the source for copying conditions.  There is NO
+warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+_EOF_
+    exit;
+}
+
+sub Console_Write_IntltoolHelp
+{
+    print <<_EOF_;
+Usage: ${PROGRAM} [OPTION]... LANGCODE
+Updates PO template files and merge them with the translations.
+
+Mode of operation (only one is allowed):
+  -p, --pot                   generate the PO template only
+  -s, --headers               generate the header files in POTFILES.in
+  -m, --maintain              search for left out files from POTFILES.in
+  -r, --report                display a status report for the module
+  -d, --dist                  merge LANGCODE.po with existing PO template
+
+Extra options:
+  -g, --gettext-package=NAME  override PO template name, useful with --pot
+  -o, --output-file=FILE      write merged translation to FILE
+  -x, --verbose               display lots of feedback
+      --help                  display this help and exit
+      --version               output version information and exit
+
+Examples of use:
+${PROGRAM} --pot    just create a new PO template
+${PROGRAM} xy       create new PO template and merge xy.po with it
+
+Report bugs to http://bugzilla.gnome.org/ (product name "$PACKAGE")
+or send email to <xml-i18n-tools\@gnome.org>.
+_EOF_
+    exit;
+}
+
+sub echo_n
+{
+    my $str = shift;
+    my $ret = `echo "$str"`;
+
+    $ret =~ s/\n$//; # do we need the "s" flag?
+
+    return $ret;
+}
+
+sub POFile_DetermineType ($) 
+{
+   my $type = $_;
+   my $gettext_type;
+
+   my $xml_regex     = "(?:" . $xml_support . ")";
+   my $ini_regex     = "(?:" . $ini_support . ")";
+   my $buildin_regex = "(?:" . $buildin_gettext_support . ")";
+
+   if ($type =~ /\[type: gettext\/([^\]].*)]/) 
+   {
+	$gettext_type=$1;
+   }
+   elsif ($type =~ /schemas(\.in)+$/) 
+   {
+	$gettext_type="schemas";
+   }
+   elsif ($type =~ /glade2?(\.in)*$/) 
+   {
+       $gettext_type="glade";
+   }
+   elsif ($type =~ /scm(\.in)*$/) 
+   {
+       $gettext_type="scheme";
+   }
+   elsif ($type =~ /keys(\.in)+$/) 
+   {
+       $gettext_type="keys";
+   }
+
+   # bucket types
+
+   elsif ($type =~ /$xml_regex$/) 
+   {
+       $gettext_type="xml";
+   }
+   elsif ($type =~ /$ini_regex$/) 
+   { 
+       $gettext_type="ini";
+   }
+   elsif ($type =~ /$buildin_regex$/) 
+   {
+       $gettext_type="buildin";
+   }
+   else
+   { 
+       $gettext_type="unknown"; 
+   }
+
+   return "gettext\/$gettext_type";
+}
+
+sub TextFile_DetermineEncoding ($) 
+{
+    my $gettext_code="ASCII"; # All files are ASCII by default
+    my $filetype=`file $_ | cut -d ' ' -f 2`;
+
+    if ($? eq "0")
+    {
+	if ($filetype =~ /^(ISO|UTF)/)
+	{
+	    chomp ($gettext_code = $filetype);
+	}
+	elsif ($filetype =~ /^XML/)
+	{
+	    $gettext_code="UTF-8"; # We asume that .glade and other .xml files are UTF-8
+	}
+    }
+
+    return $gettext_code;
+}
+
+sub isNotValidMissing
+{
+    my ($file) = @_;
+
+    return if $file =~ /^\{arch\}\/.*$/;
+    return if $file =~ /^$varhash{"PACKAGE"}-$varhash{"VERSION"}\/.*$/;
+}
+
+sub FindLeftoutFiles
+{
+    my (@buf_i18n_plain,
+	@buf_i18n_xml,
+	@buf_i18n_xml_unmarked,
+	@buf_i18n_ini,
+	@buf_potfiles,
+	@buf_potfiles_ignore,
+	@buf_allfiles,
+	@buf_allfiles_sorted,
+	@buf_potfiles_sorted,
+        @buf_potfiles_ignore_sorted
+    );
+
+    ## Search and find all translatable files
+    find sub { 
+	push @buf_i18n_plain,        "$File::Find::name" if /\.($buildin_gettext_support)$/;
+	push @buf_i18n_xml,          "$File::Find::name" if /\.($xml_support)$/;
+	push @buf_i18n_ini,          "$File::Find::name" if /\.($ini_support)$/;
+	push @buf_i18n_xml_unmarked, "$File::Find::name" if /\.(schemas(\.in)+)$/;
+	}, "..";
+    find sub { 
+	push @buf_i18n_plain,        "$File::Find::name" if /\.($buildin_gettext_support)$/;
+	push @buf_i18n_xml,          "$File::Find::name" if /\.($xml_support)$/;
+	push @buf_i18n_ini,          "$File::Find::name" if /\.($ini_support)$/;
+	push @buf_i18n_xml_unmarked, "$File::Find::name" if /\.(schemas(\.in)+)$/;
+	}, "$SRCDIR/.." if "$SRCDIR" ne ".";
+
+    open POTFILES, $POTFILES_in or die "$PROGRAM:  there's no POTFILES.in!\n";
+    @buf_potfiles = grep !/^(#|\s*$)/, <POTFILES>;
+    close POTFILES;
+
+    foreach (@buf_potfiles) {
+	s/^\[.*]\s*//;
+    }
+
+    print "Searching for missing translatable files...\n" if $VERBOSE;
+
+    ## Check if we should ignore some found files, when
+    ## comparing with POTFILES.in
+    foreach my $ignore ("POTFILES.skip", "POTFILES.ignore")
+    {
+	(-s "$SRCDIR/$ignore") or next;
+
+	if ("$ignore" eq "POTFILES.ignore")
+	{
+	    print "The usage of POTFILES.ignore is deprecated. Please consider moving the\n".
+		  "content of this file to POTFILES.skip.\n";
+	}
+
+	print "Found $ignore: Ignoring files...\n" if $VERBOSE;
+	open FILE, "<$SRCDIR/$ignore" or die "ERROR: Failed to open $SRCDIR/$ignore!\n";
+	    
+	while (<FILE>)
+	{
+	    push @buf_potfiles_ignore, $_ unless /^(#|\s*$)/;
+	}
+	close FILE;
+
+	@buf_potfiles_ignore_sorted = sort (@buf_potfiles_ignore);
+    }
+
+    foreach my $file (@buf_i18n_plain)
+    {
+	my $in_comment = 0;
+	my $in_macro = 0;
+
+	open FILE, "<$file";
+	while (<FILE>)
+	{
+	    # Handle continued multi-line comment.
+	    if ($in_comment)
+	    {
+		next unless s-.*\*/--;
+		$in_comment = 0;
+	    }
+
+	    # Handle continued macro.
+	    if ($in_macro)
+	    {
+		$in_macro = 0 unless /\\$/;
+		next;
+	    }
+
+	    # Handle start of macro (or any preprocessor directive).
+	    if (/^\s*\#/)
+	    {
+		$in_macro = 1 if /^([^\\]|\\.)*\\$/;
+		next;
+	    }
+
+	    # Handle comments and quoted text.
+	    while (m-(/\*|//|\'|\")-) # \' and \" keep emacs perl mode happy
+	    {
+		my $match = $1;
+		if ($match eq "/*")
+		{
+		    if (!s-/\*.*?\*/--)
+		    {
+			s-/\*.*--;
+			$in_comment = 1;
+		    }
+		}
+		elsif ($match eq "//")
+		{
+		    s-//.*--;
+		}
+		else # ' or "
+		{
+		    if (!s-$match([^\\]|\\.)*?$match-QUOTEDTEXT-)
+		    {
+			warn "mismatched quotes at line $. in $file\n";
+			s-$match.*--;
+		    }
+		}
+	    }	    
+
+	    if (/\w\.GetString *\(QUOTEDTEXT/)
+	    {
+                if (defined isNotValidMissing (unpack("x3 A*", $file))) {
+                    ## Remove the first 3 chars and add newline
+                    push @buf_allfiles, unpack("x3 A*", $file) . "\n";
+                }
+		last;
+	    }
+
+            ## C_ N_ Q_ and _ are the macros defined in gi8n.h
+	    if (/[CNQ]?_ *\(QUOTEDTEXT/)
+	    {
+                if (defined isNotValidMissing (unpack("x3 A*", $file))) {
+                    ## Remove the first 3 chars and add newline
+                    push @buf_allfiles, unpack("x3 A*", $file) . "\n";
+                }
+		last;
+	    }
+	}
+	close FILE;
+    }
+
+    foreach my $file (@buf_i18n_xml) 
+    {
+	open FILE, "<$file";
+	
+	while (<FILE>) 
+	{
+	    # FIXME: share the pattern matching code with intltool-extract
+	    if (/\s_[-A-Za-z0-9._:]+\s*=\s*\"([^"]+)\"/ || /<_[^>]+>/ || /translatable=\"yes\"/)
+	    {
+                if (defined isNotValidMissing (unpack("x3 A*", $file))) {
+                    push @buf_allfiles, unpack("x3 A*", $file) . "\n";
+                }
+		last;
+	    }
+	}
+	close FILE;
+    }
+
+    foreach my $file (@buf_i18n_ini)
+    {
+	open FILE, "<$file";
+	while (<FILE>) 
+	{
+	    if (/_(.*)=/)
+	    {
+                if (defined isNotValidMissing (unpack("x3 A*", $file))) {
+                    push @buf_allfiles, unpack("x3 A*", $file) . "\n";
+                }
+		last;
+	    }
+	}
+	close FILE;
+    }
+
+    foreach my $file (@buf_i18n_xml_unmarked)
+    {
+        if (defined isNotValidMissing (unpack("x3 A*", $file))) {
+            push @buf_allfiles, unpack("x3 A*", $file) . "\n";
+        }
+    }
+
+
+    @buf_allfiles_sorted = sort (@buf_allfiles);
+    @buf_potfiles_sorted = sort (@buf_potfiles);
+
+    my %in2;
+    foreach (@buf_potfiles_sorted) 
+    {
+        s#^$SRCDIR/../##;
+        s#^$SRCDIR/##;
+	$in2{$_} = 1;
+    }
+
+    foreach (@buf_potfiles_ignore_sorted) 
+    {
+        s#^$SRCDIR/../##;
+        s#^$SRCDIR/##;
+	$in2{$_} = 1;
+    }
+
+    my @result;
+
+    foreach (@buf_allfiles_sorted)
+    {
+        my $dummy = $_;
+        my $srcdir = $SRCDIR;
+
+        $srcdir =~ s#^../##;
+        $dummy =~ s#^$srcdir/../##;
+        $dummy =~ s#^$srcdir/##;
+        $dummy =~ s#_build/##;
+	if (!exists($in2{$dummy}))
+	{
+	    push @result, $dummy
+	}
+    }
+
+    my @buf_potfiles_notexist;
+
+    foreach (@buf_potfiles_sorted)
+    {
+	chomp (my $dummy = $_);
+	if ("$dummy" ne "" and !(-f "$SRCDIR/../$dummy" or -f "../$dummy"))
+	{
+	    push @buf_potfiles_notexist, $_;
+	}
+    }
+
+    ## Save file with information about the files missing
+    ## if any, and give information about this procedure.
+    if (@result + @buf_potfiles_notexist > 0)
+    {
+	if (@result) 
+	{
+	    print "\n" if $VERBOSE;
+	    unlink "missing";
+	    open OUT, ">missing";
+	    print OUT @result;
+	    close OUT;
+	    warn "\e[1mThe following files contain translations and are currently not in use. Please\e[0m\n".
+	         "\e[1mconsider adding these to the POTFILES.in file, located in the po/ directory.\e[0m\n\n";
+	    print STDERR @result, "\n";
+	    warn "If some of these files are left out on purpose then please add them to\n".
+		 "POTFILES.skip instead of POTFILES.in. A file \e[1m'missing'\e[0m containing this list\n".
+		 "of left out files has been written in the current directory.\n";
+	}
+	if (@buf_potfiles_notexist)
+	{
+	    unlink "notexist";
+	    open OUT, ">notexist";
+	    print OUT @buf_potfiles_notexist;
+	    close OUT;
+	    warn "\n" if ($VERBOSE or @result);
+	    warn "\e[1mThe following files do not exist anymore:\e[0m\n\n";
+	    warn @buf_potfiles_notexist, "\n";
+	    warn "Please remove them from POTFILES.in. A file \e[1m'notexist'\e[0m\n".
+		 "containing this list of absent files has been written in the current directory.\n";
+	}
+    }
+
+    ## If there is nothing to complain about, notify the user
+    else {
+	print "\nAll files containing translations are present in POTFILES.in.\n" if $VERBOSE;
+    }
+}
+
+sub Console_WriteError_InvalidOption
+{
+    ## Handle invalid arguments
+    print STDERR "Try `${PROGRAM} --help' for more information.\n";
+    exit 1;
+}
+
+sub isProgramInPath
+{
+    my ($file) = @_;
+    # If either a file exists, or when run it returns 0 exit status
+    return 1 if ((-x $file) or (system("$file --version >$devnull") == 0));
+    return 0;
+}
+
+sub isGNUGettextTool
+{
+    my ($file) = @_;
+    # Check that we are using GNU gettext tools
+    if (isProgramInPath ($file))
+    {
+        my $version = `$file --version`;
+        return 1 if ($version =~ m/.*\(GNU .*\).*/);
+    }
+    return 0;
+}
+
+sub GenerateHeaders
+{
+    my $EXTRACT = $ENV{"INTLTOOL_EXTRACT"} || "intltool-extract";
+
+    ## Generate the .h header files, so we can allow glade and
+    ## xml translation support
+    if (! isProgramInPath ("$EXTRACT"))
+    {
+	print STDERR "\n *** The intltool-extract script wasn't found!"
+	     ."\n *** Without it, intltool-update can not generate files.\n";
+	exit;
+    }
+    else
+    {
+	open (FILE, $POTFILES_in) or die "$PROGRAM: POTFILES.in not found.\n";
+	
+	while (<FILE>) 
+	{
+	   chomp;
+	   next if /^\[\s*encoding/;
+
+	   ## Find xml files in POTFILES.in and generate the
+	   ## files with help from the extract script
+
+	   my $gettext_type= &POFile_DetermineType ($1);
+
+	   if (/\.($xml_support|$ini_support)$/ || /^\[/)
+	   {
+	       s/^\[[^\[].*]\s*//;
+
+	       my $filename = "../$_";
+
+	       if ($VERBOSE)
+	       {
+		   system ($EXTRACT, "--update", "--srcdir=$SRCDIR",
+			   "--type=$gettext_type", $filename);
+	       } 
+	       else 
+	       {
+	 	   system ($EXTRACT, "--update", "--type=$gettext_type", 
+			   "--srcdir=$SRCDIR", "--quiet", $filename);
+	       }
+	   }
+       }
+       close FILE;
+   }
+}
+
+#
+# Generate .pot file from POTFILES.in
+#
+sub GeneratePOTemplate
+{
+    my $XGETTEXT = $ENV{"XGETTEXT"} || "xgettext";
+    my $XGETTEXT_ARGS = $ENV{"XGETTEXT_ARGS"} || '';
+    chomp $XGETTEXT;
+
+    if (! isGNUGettextTool ("$XGETTEXT"))
+    {
+	print STDERR " *** GNU xgettext is not found on this system!\n".
+		     " *** Without it, intltool-update can not extract strings.\n";
+	exit;
+    }
+
+    print "Building $MODULE.pot...\n" if $VERBOSE;
+
+    open INFILE, $POTFILES_in;
+    unlink "POTFILES.in.temp";
+    open OUTFILE, ">POTFILES.in.temp" or die("Cannot open POTFILES.in.temp for writing");
+
+    my $gettext_support_nonascii = 0;
+
+    # checks for GNU gettext >= 0.12
+    my $dummy = `$XGETTEXT --version --from-code=UTF-8 >$devnull 2>$devnull`;
+    if ($? == 0)
+    {
+	$gettext_support_nonascii = 1;
+    }
+    else
+    {
+	# urge everybody to upgrade gettext
+	print STDERR "WARNING: This version of gettext does not support extracting non-ASCII\n".
+		     "         strings. That means you should install a version of gettext\n".
+		     "         that supports non-ASCII strings (such as GNU gettext >= 0.12),\n".
+		     "         or have to let non-ASCII strings untranslated. (If there is any)\n";
+    }
+
+    my $encoding = "ASCII";
+    my $forced_gettext_code;
+    my @temp_headers;
+    my $encoding_problem_is_reported = 0;
+
+    while (<INFILE>) 
+    {
+	next if (/^#/ or /^\s*$/);
+
+	chomp;
+
+	my $gettext_code;
+
+	if (/^\[\s*encoding:\s*(.*)\s*\]/)
+	{
+	    $forced_gettext_code=$1;
+	}
+	elsif (/\.($xml_support|$ini_support)$/ || /^\[/)
+	{
+	    s/^\[.*]\s*//;
+            print OUTFILE "../$_.h\n";
+	    push @temp_headers, "../$_.h";
+	    $gettext_code = &TextFile_DetermineEncoding ("../$_.h") if ($gettext_support_nonascii and not defined $forced_gettext_code);
+	} 
+	else 
+	{
+            print OUTFILE "$SRCDIR/../$_\n";
+	    $gettext_code = &TextFile_DetermineEncoding ("$SRCDIR/../$_") if ($gettext_support_nonascii and not defined $forced_gettext_code);
+	}
+
+	next if (! $gettext_support_nonascii);
+
+	if (defined $forced_gettext_code)
+	{
+	    $encoding=$forced_gettext_code;
+	}
+	elsif (defined $gettext_code and "$encoding" ne "$gettext_code")
+	{
+	    if ($encoding eq "ASCII")
+	    {
+		$encoding=$gettext_code;
+	    }
+	    elsif ($gettext_code ne "ASCII")
+	    {
+		# Only report once because the message is quite long
+		if (! $encoding_problem_is_reported)
+		{
+		    print STDERR "WARNING: You should use the same file encoding for all your project files,\n".
+				 "         but $PROGRAM thinks that most of the source files are in\n".
+				 "         $encoding encoding, while \"$_\" is (likely) in\n".
+		       		 "         $gettext_code encoding. If you are sure that all translatable strings\n".
+				 "         are in same encoding (say UTF-8), please \e[1m*prepend*\e[0m the following\n".
+				 "         line to POTFILES.in:\n\n".
+				 "                 [encoding: UTF-8]\n\n".
+				 "         and make sure that configure.in/ac checks for $PACKAGE >= 0.27 .\n".
+				 "(such warning message will only be reported once.)\n";
+		    $encoding_problem_is_reported = 1;
+		}
+	    }
+	}
+    }
+
+    close OUTFILE;
+    close INFILE;
+
+    unlink "$MODULE.pot";
+    my @xgettext_argument=("$XGETTEXT",
+			   "--add-comments",
+			   "--directory\=.",
+                           "--default-domain\=$MODULE",
+                           "--flag\=g_strdup_printf:1:c-format",
+                           "--flag\=g_string_printf:2:c-format",
+                           "--flag\=g_string_append_printf:2:c-format",
+                           "--flag\=g_error_new:3:c-format",
+                           "--flag\=g_set_error:4:c-format",
+                           "--flag\=g_markup_printf_escaped:1:c-format",
+                           "--flag\=g_log:3:c-format",
+                           "--flag\=g_print:1:c-format",
+                           "--flag\=g_printerr:1:c-format",
+                           "--flag\=g_printf:1:c-format",
+                           "--flag\=g_fprintf:2:c-format",
+                           "--flag\=g_sprintf:2:c-format",
+                           "--flag\=g_snprintf:3:c-format",
+                           "--flag\=g_scanner_error:2:c-format",
+                           "--flag\=g_scanner_warn:2:c-format",
+			   "--output\=$MODULE\.pot",
+			   "--files-from\=\.\/POTFILES\.in\.temp");
+    my $XGETTEXT_KEYWORDS = &FindPOTKeywords;
+    push @xgettext_argument, $XGETTEXT_KEYWORDS;
+    my $MSGID_BUGS_ADDRESS = &FindMakevarsBugAddress;
+    push @xgettext_argument, "--msgid-bugs-address\=\"$MSGID_BUGS_ADDRESS\"" if $MSGID_BUGS_ADDRESS;
+    push @xgettext_argument, "--from-code\=$encoding" if ($gettext_support_nonascii);
+    push @xgettext_argument, $XGETTEXT_ARGS if $XGETTEXT_ARGS;
+    my $xgettext_command = join ' ', @xgettext_argument;
+
+    # intercept xgettext error message
+    print "Running $xgettext_command\n" if $VERBOSE;
+    my $xgettext_error_msg = `$xgettext_command 2>\&1`;
+    my $command_failed = $?;
+
+    unlink "POTFILES.in.temp";
+
+    print "Removing generated header (.h) files..." if $VERBOSE;
+    unlink foreach (@temp_headers);
+    print "done.\n" if $VERBOSE;
+
+    if (! $command_failed)
+    {
+	if (! -e "$MODULE.pot")
+	{
+	    print "None of the files in POTFILES.in contain strings marked for translation.\n" if $VERBOSE;
+	}
+	else
+	{
+	    print "Wrote $MODULE.pot\n" if $VERBOSE;
+	}
+    }
+    else
+    {
+	if ($xgettext_error_msg =~ /--from-code/)
+	{
+	    # replace non-ASCII error message with a more useful one.
+	    print STDERR "ERROR: xgettext failed to generate PO template file because there is non-ASCII\n".
+			 "       string marked for translation. Please make sure that all strings marked\n".
+			 "       for translation are in uniform encoding (say UTF-8), then \e[1m*prepend*\e[0m the\n".
+			 "       following line to POTFILES.in and rerun $PROGRAM:\n\n".
+			 "           [encoding: UTF-8]\n\n";
+	}
+	else
+	{
+	    print STDERR "$xgettext_error_msg";
+	    if (-e "$MODULE.pot")
+	    {
+		# is this possible?
+		print STDERR "ERROR: xgettext failed but still managed to generate PO template file.\n".
+			     "       Please consult error message above if there is any.\n";
+	    }
+	    else
+	    {
+		print STDERR "ERROR: xgettext failed to generate PO template file. Please consult\n".
+			     "       error message above if there is any.\n";
+	    }
+	}
+	exit (1);
+    }
+}
+
+sub POFile_Update
+{
+    -f "$MODULE.pot" or die "$PROGRAM: $MODULE.pot does not exist.\n";
+
+    my $MSGMERGE = $ENV{"MSGMERGE"} || "msgmerge";
+    my ($lang, $outfile) = @_;
+
+    if (! isGNUGettextTool ("$MSGMERGE"))
+    {
+	print STDERR " *** GNU msgmerge is not found on this system!\n".
+		     " *** Without it, intltool-update can not extract strings.\n";
+	exit;
+    }
+
+    print "Merging $SRCDIR/$lang.po with $MODULE.pot..." if $VERBOSE;
+
+    my $infile = "$SRCDIR/$lang.po";
+    $outfile = "$SRCDIR/$lang.po" if ($outfile eq "");
+
+    # I think msgmerge won't overwrite old file if merge is not successful
+    system ("$MSGMERGE", "-o", $outfile, $infile, "$MODULE.pot");
+}
+
+sub Console_WriteError_NotExisting
+{
+    my ($file) = @_;
+
+    ## Report error if supplied language file is non-existing
+    print STDERR "$PROGRAM: $file does not exist!\n";
+    print STDERR "Try '$PROGRAM --help' for more information.\n";
+    exit;
+}
+
+sub GatherPOFiles
+{
+    my @po_files = glob ("./*.po");
+
+    @languages = map (&POFile_GetLanguage, @po_files);
+
+    foreach my $lang (@languages) 
+    {
+	$po_files_by_lang{$lang} = shift (@po_files);
+    }
+}
+
+sub POFile_GetLanguage ($)
+{
+    s/^(.*\/)?(.+)\.po$/$2/;
+    return $_;
+}
+
+sub Console_Write_TranslationStatus
+{
+    my ($lang, $output_file) = @_;
+    my $MSGFMT = $ENV{"MSGFMT"} || "msgfmt";
+
+    if (! isGNUGettextTool ("$MSGFMT"))
+    {
+	print STDERR " *** GNU msgfmt is not found on this system!\n".
+		     " *** Without it, intltool-update can not extract strings.\n";
+	exit;
+    }
+
+    $output_file = "$SRCDIR/$lang.po" if ($output_file eq "");
+
+    system ("$MSGFMT", "-o", "$devnull", "--verbose", $output_file);
+}
+
+sub Console_Write_CoverageReport
+{
+    my $MSGFMT = $ENV{"MSGFMT"} || "msgfmt";
+
+    if (! isGNUGettextTool ("$MSGFMT"))
+    {
+	print STDERR " *** GNU msgfmt is not found on this system!\n".
+		     " *** Without it, intltool-update can not extract strings.\n";
+	exit;
+    }
+
+    &GatherPOFiles;
+
+    foreach my $lang (@languages) 
+    {
+	print STDERR "$lang: ";
+	&POFile_Update ($lang, "");
+    }
+
+    print STDERR "\n\n * Current translation support in $MODULE \n\n";
+
+    foreach my $lang (@languages)
+    {
+	print STDERR "$lang: ";
+	system ("$MSGFMT", "-o", "$devnull", "--verbose", "$SRCDIR/$lang.po");
+    }
+}
+
+sub SubstituteVariable
+{
+    my ($str) = @_;
+    
+    # always need to rewind file whenever it has been accessed
+    seek (CONF, 0, 0);
+
+    # cache each variable. varhash is global to we can add
+    # variables elsewhere.
+    while (<CONF>)
+    {
+	if (/^(\w+)=(.*)$/)
+	{
+	    ($varhash{$1} = $2) =~  s/^["'](.*)["']$/$1/;
+	}
+    }
+    
+    if ($str =~ /^(.*)\${?([A-Z_]+)}?(.*)$/)
+    {
+	my $rest = $3;
+	my $untouched = $1;
+	my $sub = "";
+        # Ignore recursive definitions of variables
+        $sub = $varhash{$2} if defined $varhash{$2} and $varhash{$2} !~ /\${?$2}?/;
+
+	return SubstituteVariable ("$untouched$sub$rest");
+    }
+    
+    # We're using Perl backticks ` and "echo -n" here in order to 
+    # expand any shell escapes (such as backticks themselves) in every variable
+    return echo_n ($str);
+}
+
+sub CONF_Handle_Open
+{
+    my $base_dirname = getcwd();
+    $base_dirname =~ s@.*/@@;
+
+    my ($conf_in, $src_dir);
+
+    if ($base_dirname =~ /^po(-.+)?$/) 
+    {
+	if (-f "Makevars") 
+	{
+	    my $makefile_source;
+
+	    local (*IN);
+	    open (IN, "<Makevars") || die "can't open Makevars: $!";
+
+	    while (<IN>) 
+	    {
+		if (/^top_builddir[ \t]*=/) 
+		{
+		    $src_dir = $_;
+		    $src_dir =~ s/^top_builddir[ \t]*=[ \t]*([^ \t\n\r]*)/$1/;
+
+		    chomp $src_dir;
+                    if (-f "$src_dir" . "/configure.ac") {
+                        $conf_in = "$src_dir" . "/configure.ac" . "\n";
+                    } else {
+                        $conf_in = "$src_dir" . "/configure.in" . "\n";
+                    }
+		    last;
+		}
+	    }
+	    close IN;
+
+	    $conf_in || die "Cannot find top_builddir in Makevars.";
+	}
+	elsif (-f "$SRCDIR/../configure.ac") 
+	{
+	    $conf_in = "$SRCDIR/../configure.ac";
+	} 
+	elsif (-f "$SRCDIR/../configure.in") 
+	{
+	    $conf_in = "$SRCDIR/../configure.in";
+	} 
+	else 
+	{
+	    my $makefile_source;
+
+	    local (*IN);
+	    open (IN, "<Makefile") || return;
+
+	    while (<IN>) 
+	    {
+		if (/^top_srcdir[ \t]*=/) 
+		{
+		    $src_dir = $_;		    
+		    $src_dir =~ s/^top_srcdir[ \t]*=[ \t]*([^ \t\n\r]*)/$1/;
+
+		    chomp $src_dir;
+		    $conf_in = "$src_dir" . "/configure.in" . "\n";
+
+		    last;
+		}
+	    }
+	    close IN;
+
+	    $conf_in || die "Cannot find top_srcdir in Makefile.";
+	}
+
+	open (CONF, "<$conf_in");
+    }
+    else
+    {
+	print STDERR "$PROGRAM: Unable to proceed.\n" .
+		     "Make sure to run this script inside the po directory.\n";
+	exit;
+    }
+}
+
+sub FindPackageName
+{
+    my $version;
+    my $domain = &FindMakevarsDomain;
+    my $name = $domain || "untitled";
+
+    &CONF_Handle_Open;
+
+    my $conf_source; {
+	local (*IN);
+	open (IN, "<&CONF") || return $name;
+	seek (IN, 0, 0);
+	local $/; # slurp mode
+	$conf_source = <IN>;
+	close IN;
+    }
+
+    # priority for getting package name:
+    # 1. GETTEXT_PACKAGE
+    # 2. first argument of AC_INIT (with >= 2 arguments)
+    # 3. first argument of AM_INIT_AUTOMAKE (with >= 2 argument)
+
+    # /^AM_INIT_AUTOMAKE\([\s\[]*([^,\)\s\]]+)/m 
+    # the \s makes this not work, why?
+    if ($conf_source =~ /^AM_INIT_AUTOMAKE\(([^,\)]+),([^,\)]+)/m)
+    {
+	($name, $version) = ($1, $2);
+	$name    =~ s/[\[\]\s]//g;
+	$version =~ s/[\[\]\s]//g;
+	$varhash{"PACKAGE_NAME"} = $name if (not $name =~ /\${?AC_PACKAGE_NAME}?/);
+	$varhash{"PACKAGE"} = $name if (not $name =~ /\${?PACKAGE}?/);
+	$varhash{"PACKAGE_VERSION"} = $version if (not $name =~ /\${?AC_PACKAGE_VERSION}?/);
+	$varhash{"VERSION"} = $version if (not $name =~ /\${?VERSION}?/);
+    }
+    
+    if ($conf_source =~ /^AC_INIT\(([^,\)]+),([^,\)]+)/m) 
+    {
+	($name, $version) = ($1, $2);
+	$name    =~ s/[\[\]\s]//g;
+	$version =~ s/[\[\]\s]//g;
+	$varhash{"PACKAGE_NAME"} = $name if (not $name =~ /\${?AC_PACKAGE_NAME}?/);
+	$varhash{"PACKAGE"} = $name if (not $name =~ /\${?PACKAGE}?/);
+	$varhash{"PACKAGE_VERSION"} = $version if (not $name =~ /\${?AC_PACKAGE_VERSION}?/);
+	$varhash{"VERSION"} = $version if (not $name =~ /\${?VERSION}?/);
+    }
+
+    # \s makes this not work, why?
+    $name = $1 if $conf_source =~ /^GETTEXT_PACKAGE=\[?([^\n\]]+)/m;
+    
+    # m4 macros AC_PACKAGE_NAME, AC_PACKAGE_VERSION etc. have same value
+    # as corresponding $PACKAGE_NAME, $PACKAGE_VERSION etc. shell variables.
+    $name =~ s/\bAC_PACKAGE_/\$PACKAGE_/g;
+
+    $name = $domain if $domain;
+
+    $name = SubstituteVariable ($name);
+    $name =~ s/^["'](.*)["']$/$1/;
+
+    return $name if $name;
+}
+
+
+sub FindPOTKeywords
+{
+
+    my $keywords = "--keyword\=\_ --keyword\=N\_ --keyword\=U\_ --keyword\=Q\_";
+    my $varname = "XGETTEXT_OPTIONS";
+    my $make_source; {
+	local (*IN);
+	open (IN, "<Makevars") || (open(IN, "<Makefile.in.in") && ($varname = "XGETTEXT_KEYWORDS")) || return $keywords;
+	seek (IN, 0, 0);
+	local $/; # slurp mode
+	$make_source = <IN>;
+	close IN;
+    }
+
+    # unwrap lines split with a trailing \
+    $make_source =~  s/\\ $ \n/ /mxg;
+    $keywords = $1 if $make_source =~ /^$varname[ ]*=\[?([^\n\]]+)/m;
+    
+    return $keywords;
+}
+
+sub FindMakevarsDomain
+{
+
+    my $domain = "";
+    my $makevars_source; { 
+	local (*IN);
+	open (IN, "<Makevars") || return $domain;
+	seek (IN, 0, 0);
+	local $/; # slurp mode
+	$makevars_source = <IN>;
+	close IN;
+    }
+
+    $domain = $1 if $makevars_source =~ /^DOMAIN[ ]*=\[?([^\n\]\$]+)/m;
+    $domain =~ s/^\s+//;
+    $domain =~ s/\s+$//;
+    
+    return $domain;
+}
+
+sub FindMakevarsBugAddress
+{
+
+    my $address = "";
+    my $makevars_source; { 
+	local (*IN);
+	open (IN, "<Makevars") || return undef;
+	seek (IN, 0, 0);
+	local $/; # slurp mode
+	$makevars_source = <IN>;
+	close IN;
+    }
+
+    $address = $1 if $makevars_source =~ /^MSGID_BUGS_ADDRESS[ ]*=\[?([^\n\]\$]+)/m;
+    $address =~ s/^\s+//;
+    $address =~ s/\s+$//;
+    
+    return $address;
+}
diff --git a/src/charon/plugins/nm/gnome/ltmain.sh b/src/charon/plugins/nm/gnome/ltmain.sh
new file mode 100644
index 000000000..e420facf5
--- /dev/null
+++ b/src/charon/plugins/nm/gnome/ltmain.sh
@@ -0,0 +1,6964 @@
+# ltmain.sh - Provide generalized library-building support services.
+# NOTE: Changing this file will not affect anything until you rerun configure.
+#
+# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2003, 2004, 2005, 2006,
+# 2007, 2008  Free Software Foundation, Inc.
+# Originally by Gordon Matzigkeit <gord@gnu.ai.mit.edu>, 1996
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+#
+# As a special exception to the GNU General Public License, if you
+# distribute this file as part of a program that contains a
+# configuration script generated by Autoconf, you may include it under
+# the same distribution terms that you use for the rest of that program.
+
+basename="s,^.*/,,g"
+
+# Work around backward compatibility issue on IRIX 6.5. On IRIX 6.4+, sh
+# is ksh but when the shell is invoked as "sh" and the current value of
+# the _XPG environment variable is not equal to 1 (one), the special
+# positional parameter $0, within a function call, is the name of the
+# function.
+progpath="$0"
+
+# The name of this program:
+progname=`echo "$progpath" | $SED $basename`
+modename="$progname"
+
+# Global variables:
+EXIT_SUCCESS=0
+EXIT_FAILURE=1
+
+PROGRAM=ltmain.sh
+PACKAGE=libtool
+VERSION="1.5.26 Debian 1.5.26-1ubuntu1"
+TIMESTAMP=" (1.1220.2.493 2008/02/01 16:58:18)"
+
+# Be Bourne compatible (taken from Autoconf:_AS_BOURNE_COMPATIBLE).
+if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
+  emulate sh
+  NULLCMD=:
+  # Zsh 3.x and 4.x performs word splitting on ${1+"$@"}, which
+  # is contrary to our usage.  Disable this feature.
+  alias -g '${1+"$@"}'='"$@"'
+  setopt NO_GLOB_SUBST
+else
+  case `(set -o) 2>/dev/null` in *posix*) set -o posix;; esac
+fi
+BIN_SH=xpg4; export BIN_SH # for Tru64
+DUALCASE=1; export DUALCASE # for MKS sh
+
+# Check that we have a working $echo.
+if test "X$1" = X--no-reexec; then
+  # Discard the --no-reexec flag, and continue.
+  shift
+elif test "X$1" = X--fallback-echo; then
+  # Avoid inline document here, it may be left over
+  :
+elif test "X`($echo '\t') 2>/dev/null`" = 'X\t'; then
+  # Yippee, $echo works!
+  :
+else
+  # Restart under the correct shell, and then maybe $echo will work.
+  exec $SHELL "$progpath" --no-reexec ${1+"$@"}
+fi
+
+if test "X$1" = X--fallback-echo; then
+  # used as fallback echo
+  shift
+  cat <<EOF
+$*
+EOF
+  exit $EXIT_SUCCESS
+fi
+
+default_mode=
+help="Try \`$progname --help' for more information."
+magic="%%%MAGIC variable%%%"
+mkdir="mkdir"
+mv="mv -f"
+rm="rm -f"
+
+# Sed substitution that helps us do robust quoting.  It backslashifies
+# metacharacters that are still active within double-quoted strings.
+Xsed="${SED}"' -e 1s/^X//'
+sed_quote_subst='s/\([\\`\\"$\\\\]\)/\\\1/g'
+# test EBCDIC or ASCII
+case `echo X|tr X '\101'` in
+ A) # ASCII based system
+    # \n is not interpreted correctly by Solaris 8 /usr/ucb/tr
+  SP2NL='tr \040 \012'
+  NL2SP='tr \015\012 \040\040'
+  ;;
+ *) # EBCDIC based system
+  SP2NL='tr \100 \n'
+  NL2SP='tr \r\n \100\100'
+  ;;
+esac
+
+# NLS nuisances.
+# Only set LANG and LC_ALL to C if already set.
+# These must not be set unconditionally because not all systems understand
+# e.g. LANG=C (notably SCO).
+# We save the old values to restore during execute mode.
+lt_env=
+for lt_var in LANG LANGUAGE LC_ALL LC_CTYPE LC_COLLATE LC_MESSAGES
+do
+  eval "if test \"\${$lt_var+set}\" = set; then
+	  save_$lt_var=\$$lt_var
+	  lt_env=\"$lt_var=\$$lt_var \$lt_env\"
+	  $lt_var=C
+	  export $lt_var
+	fi"
+done
+
+if test -n "$lt_env"; then
+  lt_env="env $lt_env"
+fi
+
+# Make sure IFS has a sensible default
+lt_nl='
+'
+IFS=" 	$lt_nl"
+
+if test "$build_libtool_libs" != yes && test "$build_old_libs" != yes; then
+  $echo "$modename: not configured to build any kind of library" 1>&2
+  $echo "Fatal configuration error.  See the $PACKAGE docs for more information." 1>&2
+  exit $EXIT_FAILURE
+fi
+
+# Global variables.
+mode=$default_mode
+nonopt=
+prev=
+prevopt=
+run=
+show="$echo"
+show_help=
+execute_dlfiles=
+duplicate_deps=no
+preserve_args=
+lo2o="s/\\.lo\$/.${objext}/"
+o2lo="s/\\.${objext}\$/.lo/"
+extracted_archives=
+extracted_serial=0
+
+#####################################
+# Shell function definitions:
+# This seems to be the best place for them
+
+# func_mktempdir [string]
+# Make a temporary directory that won't clash with other running
+# libtool processes, and avoids race conditions if possible.  If
+# given, STRING is the basename for that directory.
+func_mktempdir ()
+{
+    my_template="${TMPDIR-/tmp}/${1-$progname}"
+
+    if test "$run" = ":"; then
+      # Return a directory name, but don't create it in dry-run mode
+      my_tmpdir="${my_template}-$$"
+    else
+
+      # If mktemp works, use that first and foremost
+      my_tmpdir=`mktemp -d "${my_template}-XXXXXXXX" 2>/dev/null`
+
+      if test ! -d "$my_tmpdir"; then
+	# Failing that, at least try and use $RANDOM to avoid a race
+	my_tmpdir="${my_template}-${RANDOM-0}$$"
+
+	save_mktempdir_umask=`umask`
+	umask 0077
+	$mkdir "$my_tmpdir"
+	umask $save_mktempdir_umask
+      fi
+
+      # If we're not in dry-run mode, bomb out on failure
+      test -d "$my_tmpdir" || {
+        $echo "cannot create temporary directory \`$my_tmpdir'" 1>&2
+	exit $EXIT_FAILURE
+      }
+    fi
+
+    $echo "X$my_tmpdir" | $Xsed
+}
+
+
+# func_win32_libid arg
+# return the library type of file 'arg'
+#
+# Need a lot of goo to handle *both* DLLs and import libs
+# Has to be a shell function in order to 'eat' the argument
+# that is supplied when $file_magic_command is called.
+func_win32_libid ()
+{
+  win32_libid_type="unknown"
+  win32_fileres=`file -L $1 2>/dev/null`
+  case $win32_fileres in
+  *ar\ archive\ import\ library*) # definitely import
+    win32_libid_type="x86 archive import"
+    ;;
+  *ar\ archive*) # could be an import, or static
+    if eval $OBJDUMP -f $1 | $SED -e '10q' 2>/dev/null | \
+      $EGREP -e 'file format pe-i386(.*architecture: i386)?' >/dev/null ; then
+      win32_nmres=`eval $NM -f posix -A $1 | \
+	$SED -n -e '1,100{
+		/ I /{
+			s,.*,import,
+			p
+			q
+			}
+		}'`
+      case $win32_nmres in
+      import*)  win32_libid_type="x86 archive import";;
+      *)        win32_libid_type="x86 archive static";;
+      esac
+    fi
+    ;;
+  *DLL*)
+    win32_libid_type="x86 DLL"
+    ;;
+  *executable*) # but shell scripts are "executable" too...
+    case $win32_fileres in
+    *MS\ Windows\ PE\ Intel*)
+      win32_libid_type="x86 DLL"
+      ;;
+    esac
+    ;;
+  esac
+  $echo $win32_libid_type
+}
+
+
+# func_infer_tag arg
+# Infer tagged configuration to use if any are available and
+# if one wasn't chosen via the "--tag" command line option.
+# Only attempt this if the compiler in the base compile
+# command doesn't match the default compiler.
+# arg is usually of the form 'gcc ...'
+func_infer_tag ()
+{
+    if test -n "$available_tags" && test -z "$tagname"; then
+      CC_quoted=
+      for arg in $CC; do
+	case $arg in
+	  *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*|"")
+	  arg="\"$arg\""
+	  ;;
+	esac
+	CC_quoted="$CC_quoted $arg"
+      done
+      case $@ in
+      # Blanks in the command may have been stripped by the calling shell,
+      # but not from the CC environment variable when configure was run.
+      " $CC "* | "$CC "* | " `$echo $CC` "* | "`$echo $CC` "* | " $CC_quoted"* | "$CC_quoted "* | " `$echo $CC_quoted` "* | "`$echo $CC_quoted` "*) ;;
+      # Blanks at the start of $base_compile will cause this to fail
+      # if we don't check for them as well.
+      *)
+	for z in $available_tags; do
+	  if grep "^# ### BEGIN LIBTOOL TAG CONFIG: $z$" < "$progpath" > /dev/null; then
+	    # Evaluate the configuration.
+	    eval "`${SED} -n -e '/^# ### BEGIN LIBTOOL TAG CONFIG: '$z'$/,/^# ### END LIBTOOL TAG CONFIG: '$z'$/p' < $progpath`"
+	    CC_quoted=
+	    for arg in $CC; do
+	    # Double-quote args containing other shell metacharacters.
+	    case $arg in
+	      *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*|"")
+	      arg="\"$arg\""
+	      ;;
+	    esac
+	    CC_quoted="$CC_quoted $arg"
+	  done
+	    case "$@ " in
+	      " $CC "* | "$CC "* | " `$echo $CC` "* | "`$echo $CC` "* | " $CC_quoted"* | "$CC_quoted "* | " `$echo $CC_quoted` "* | "`$echo $CC_quoted` "*)
+	      # The compiler in the base compile command matches
+	      # the one in the tagged configuration.
+	      # Assume this is the tagged configuration we want.
+	      tagname=$z
+	      break
+	      ;;
+	    esac
+	  fi
+	done
+	# If $tagname still isn't set, then no tagged configuration
+	# was found and let the user know that the "--tag" command
+	# line option must be used.
+	if test -z "$tagname"; then
+	  $echo "$modename: unable to infer tagged configuration"
+	  $echo "$modename: specify a tag with \`--tag'" 1>&2
+	  exit $EXIT_FAILURE
+#        else
+#          $echo "$modename: using $tagname tagged configuration"
+	fi
+	;;
+      esac
+    fi
+}
+
+
+# func_extract_an_archive dir oldlib
+func_extract_an_archive ()
+{
+    f_ex_an_ar_dir="$1"; shift
+    f_ex_an_ar_oldlib="$1"
+
+    $show "(cd $f_ex_an_ar_dir && $AR x $f_ex_an_ar_oldlib)"
+    $run eval "(cd \$f_ex_an_ar_dir && $AR x \$f_ex_an_ar_oldlib)" || exit $?
+    if ($AR t "$f_ex_an_ar_oldlib" | sort | sort -uc >/dev/null 2>&1); then
+     :
+    else
+      $echo "$modename: ERROR: object name conflicts: $f_ex_an_ar_dir/$f_ex_an_ar_oldlib" 1>&2
+      exit $EXIT_FAILURE
+    fi
+}
+
+# func_extract_archives gentop oldlib ...
+func_extract_archives ()
+{
+    my_gentop="$1"; shift
+    my_oldlibs=${1+"$@"}
+    my_oldobjs=""
+    my_xlib=""
+    my_xabs=""
+    my_xdir=""
+    my_status=""
+
+    $show "${rm}r $my_gentop"
+    $run ${rm}r "$my_gentop"
+    $show "$mkdir $my_gentop"
+    $run $mkdir "$my_gentop"
+    my_status=$?
+    if test "$my_status" -ne 0 && test ! -d "$my_gentop"; then
+      exit $my_status
+    fi
+
+    for my_xlib in $my_oldlibs; do
+      # Extract the objects.
+      case $my_xlib in
+	[\\/]* | [A-Za-z]:[\\/]*) my_xabs="$my_xlib" ;;
+	*) my_xabs=`pwd`"/$my_xlib" ;;
+      esac
+      my_xlib=`$echo "X$my_xlib" | $Xsed -e 's%^.*/%%'`
+      my_xlib_u=$my_xlib
+      while :; do
+        case " $extracted_archives " in
+	*" $my_xlib_u "*)
+	  extracted_serial=`expr $extracted_serial + 1`
+	  my_xlib_u=lt$extracted_serial-$my_xlib ;;
+	*) break ;;
+	esac
+      done
+      extracted_archives="$extracted_archives $my_xlib_u"
+      my_xdir="$my_gentop/$my_xlib_u"
+
+      $show "${rm}r $my_xdir"
+      $run ${rm}r "$my_xdir"
+      $show "$mkdir $my_xdir"
+      $run $mkdir "$my_xdir"
+      exit_status=$?
+      if test "$exit_status" -ne 0 && test ! -d "$my_xdir"; then
+	exit $exit_status
+      fi
+      case $host in
+      *-darwin*)
+	$show "Extracting $my_xabs"
+	# Do not bother doing anything if just a dry run
+	if test -z "$run"; then
+	  darwin_orig_dir=`pwd`
+	  cd $my_xdir || exit $?
+	  darwin_archive=$my_xabs
+	  darwin_curdir=`pwd`
+	  darwin_base_archive=`$echo "X$darwin_archive" | $Xsed -e 's%^.*/%%'`
+	  darwin_arches=`lipo -info "$darwin_archive" 2>/dev/null | $EGREP Architectures 2>/dev/null`
+	  if test -n "$darwin_arches"; then 
+	    darwin_arches=`echo "$darwin_arches" | $SED -e 's/.*are://'`
+	    darwin_arch=
+	    $show "$darwin_base_archive has multiple architectures $darwin_arches"
+	    for darwin_arch in  $darwin_arches ; do
+	      mkdir -p "unfat-$$/${darwin_base_archive}-${darwin_arch}"
+	      lipo -thin $darwin_arch -output "unfat-$$/${darwin_base_archive}-${darwin_arch}/${darwin_base_archive}" "${darwin_archive}"
+	      cd "unfat-$$/${darwin_base_archive}-${darwin_arch}"
+	      func_extract_an_archive "`pwd`" "${darwin_base_archive}"
+	      cd "$darwin_curdir"
+	      $rm "unfat-$$/${darwin_base_archive}-${darwin_arch}/${darwin_base_archive}"
+	    done # $darwin_arches
+      ## Okay now we have a bunch of thin objects, gotta fatten them up :)
+	    darwin_filelist=`find unfat-$$ -type f -name \*.o -print -o -name \*.lo -print| xargs basename | sort -u | $NL2SP`
+	    darwin_file=
+	    darwin_files=
+	    for darwin_file in $darwin_filelist; do
+	      darwin_files=`find unfat-$$ -name $darwin_file -print | $NL2SP`
+	      lipo -create -output "$darwin_file" $darwin_files
+	    done # $darwin_filelist
+	    ${rm}r unfat-$$
+	    cd "$darwin_orig_dir"
+	  else
+	    cd "$darwin_orig_dir"
+ 	    func_extract_an_archive "$my_xdir" "$my_xabs"
+	  fi # $darwin_arches
+	fi # $run
+	;;
+      *)
+        func_extract_an_archive "$my_xdir" "$my_xabs"
+        ;;
+      esac
+      my_oldobjs="$my_oldobjs "`find $my_xdir -name \*.$objext -print -o -name \*.lo -print | $NL2SP`
+    done
+    func_extract_archives_result="$my_oldobjs"
+}
+# End of Shell function definitions
+#####################################
+
+# Darwin sucks
+eval std_shrext=\"$shrext_cmds\"
+
+disable_libs=no
+
+# Parse our command line options once, thoroughly.
+while test "$#" -gt 0
+do
+  arg="$1"
+  shift
+
+  case $arg in
+  -*=*) optarg=`$echo "X$arg" | $Xsed -e 's/[-_a-zA-Z0-9]*=//'` ;;
+  *) optarg= ;;
+  esac
+
+  # If the previous option needs an argument, assign it.
+  if test -n "$prev"; then
+    case $prev in
+    execute_dlfiles)
+      execute_dlfiles="$execute_dlfiles $arg"
+      ;;
+    tag)
+      tagname="$arg"
+      preserve_args="${preserve_args}=$arg"
+
+      # Check whether tagname contains only valid characters
+      case $tagname in
+      *[!-_A-Za-z0-9,/]*)
+	$echo "$progname: invalid tag name: $tagname" 1>&2
+	exit $EXIT_FAILURE
+	;;
+      esac
+
+      case $tagname in
+      CC)
+	# Don't test for the "default" C tag, as we know, it's there, but
+	# not specially marked.
+	;;
+      *)
+	if grep "^# ### BEGIN LIBTOOL TAG CONFIG: $tagname$" < "$progpath" > /dev/null; then
+	  taglist="$taglist $tagname"
+	  # Evaluate the configuration.
+	  eval "`${SED} -n -e '/^# ### BEGIN LIBTOOL TAG CONFIG: '$tagname'$/,/^# ### END LIBTOOL TAG CONFIG: '$tagname'$/p' < $progpath`"
+	else
+	  $echo "$progname: ignoring unknown tag $tagname" 1>&2
+	fi
+	;;
+      esac
+      ;;
+    *)
+      eval "$prev=\$arg"
+      ;;
+    esac
+
+    prev=
+    prevopt=
+    continue
+  fi
+
+  # Have we seen a non-optional argument yet?
+  case $arg in
+  --help)
+    show_help=yes
+    ;;
+
+  --version)
+    echo "\
+$PROGRAM (GNU $PACKAGE) $VERSION$TIMESTAMP
+
+Copyright (C) 2008  Free Software Foundation, Inc.
+This is free software; see the source for copying conditions.  There is NO
+warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
+    exit $?
+    ;;
+
+  --config)
+    ${SED} -e '1,/^# ### BEGIN LIBTOOL CONFIG/d' -e '/^# ### END LIBTOOL CONFIG/,$d' $progpath
+    # Now print the configurations for the tags.
+    for tagname in $taglist; do
+      ${SED} -n -e "/^# ### BEGIN LIBTOOL TAG CONFIG: $tagname$/,/^# ### END LIBTOOL TAG CONFIG: $tagname$/p" < "$progpath"
+    done
+    exit $?
+    ;;
+
+  --debug)
+    $echo "$progname: enabling shell trace mode"
+    set -x
+    preserve_args="$preserve_args $arg"
+    ;;
+
+  --dry-run | -n)
+    run=:
+    ;;
+
+  --features)
+    $echo "host: $host"
+    if test "$build_libtool_libs" = yes; then
+      $echo "enable shared libraries"
+    else
+      $echo "disable shared libraries"
+    fi
+    if test "$build_old_libs" = yes; then
+      $echo "enable static libraries"
+    else
+      $echo "disable static libraries"
+    fi
+    exit $?
+    ;;
+
+  --finish) mode="finish" ;;
+
+  --mode) prevopt="--mode" prev=mode ;;
+  --mode=*) mode="$optarg" ;;
+
+  --preserve-dup-deps) duplicate_deps="yes" ;;
+
+  --quiet | --silent)
+    show=:
+    preserve_args="$preserve_args $arg"
+    ;;
+
+  --tag)
+    prevopt="--tag"
+    prev=tag
+    preserve_args="$preserve_args --tag"
+    ;;
+  --tag=*)
+    set tag "$optarg" ${1+"$@"}
+    shift
+    prev=tag
+    preserve_args="$preserve_args --tag"
+    ;;
+
+  -dlopen)
+    prevopt="-dlopen"
+    prev=execute_dlfiles
+    ;;
+
+  -*)
+    $echo "$modename: unrecognized option \`$arg'" 1>&2
+    $echo "$help" 1>&2
+    exit $EXIT_FAILURE
+    ;;
+
+  *)
+    nonopt="$arg"
+    break
+    ;;
+  esac
+done
+
+if test -n "$prevopt"; then
+  $echo "$modename: option \`$prevopt' requires an argument" 1>&2
+  $echo "$help" 1>&2
+  exit $EXIT_FAILURE
+fi
+
+case $disable_libs in
+no) 
+  ;;
+shared)
+  build_libtool_libs=no
+  build_old_libs=yes
+  ;;
+static)
+  build_old_libs=`case $build_libtool_libs in yes) echo no;; *) echo yes;; esac`
+  ;;
+esac
+
+# If this variable is set in any of the actions, the command in it
+# will be execed at the end.  This prevents here-documents from being
+# left over by shells.
+exec_cmd=
+
+if test -z "$show_help"; then
+
+  # Infer the operation mode.
+  if test -z "$mode"; then
+    $echo "*** Warning: inferring the mode of operation is deprecated." 1>&2
+    $echo "*** Future versions of Libtool will require --mode=MODE be specified." 1>&2
+    case $nonopt in
+    *cc | cc* | *++ | gcc* | *-gcc* | g++* | xlc*)
+      mode=link
+      for arg
+      do
+	case $arg in
+	-c)
+	   mode=compile
+	   break
+	   ;;
+	esac
+      done
+      ;;
+    *db | *dbx | *strace | *truss)
+      mode=execute
+      ;;
+    *install*|cp|mv)
+      mode=install
+      ;;
+    *rm)
+      mode=uninstall
+      ;;
+    *)
+      # If we have no mode, but dlfiles were specified, then do execute mode.
+      test -n "$execute_dlfiles" && mode=execute
+
+      # Just use the default operation mode.
+      if test -z "$mode"; then
+	if test -n "$nonopt"; then
+	  $echo "$modename: warning: cannot infer operation mode from \`$nonopt'" 1>&2
+	else
+	  $echo "$modename: warning: cannot infer operation mode without MODE-ARGS" 1>&2
+	fi
+      fi
+      ;;
+    esac
+  fi
+
+  # Only execute mode is allowed to have -dlopen flags.
+  if test -n "$execute_dlfiles" && test "$mode" != execute; then
+    $echo "$modename: unrecognized option \`-dlopen'" 1>&2
+    $echo "$help" 1>&2
+    exit $EXIT_FAILURE
+  fi
+
+  # Change the help message to a mode-specific one.
+  generic_help="$help"
+  help="Try \`$modename --help --mode=$mode' for more information."
+
+  # These modes are in order of execution frequency so that they run quickly.
+  case $mode in
+  # libtool compile mode
+  compile)
+    modename="$modename: compile"
+    # Get the compilation command and the source file.
+    base_compile=
+    srcfile="$nonopt"  #  always keep a non-empty value in "srcfile"
+    suppress_opt=yes
+    suppress_output=
+    arg_mode=normal
+    libobj=
+    later=
+
+    for arg
+    do
+      case $arg_mode in
+      arg  )
+	# do not "continue".  Instead, add this to base_compile
+	lastarg="$arg"
+	arg_mode=normal
+	;;
+
+      target )
+	libobj="$arg"
+	arg_mode=normal
+	continue
+	;;
+
+      normal )
+	# Accept any command-line options.
+	case $arg in
+	-o)
+	  if test -n "$libobj" ; then
+	    $echo "$modename: you cannot specify \`-o' more than once" 1>&2
+	    exit $EXIT_FAILURE
+	  fi
+	  arg_mode=target
+	  continue
+	  ;;
+
+	-static | -prefer-pic | -prefer-non-pic)
+	  later="$later $arg"
+	  continue
+	  ;;
+
+	-no-suppress)
+	  suppress_opt=no
+	  continue
+	  ;;
+
+	-Xcompiler)
+	  arg_mode=arg  #  the next one goes into the "base_compile" arg list
+	  continue      #  The current "srcfile" will either be retained or
+	  ;;            #  replaced later.  I would guess that would be a bug.
+
+	-Wc,*)
+	  args=`$echo "X$arg" | $Xsed -e "s/^-Wc,//"`
+	  lastarg=
+	  save_ifs="$IFS"; IFS=','
+ 	  for arg in $args; do
+	    IFS="$save_ifs"
+
+	    # Double-quote args containing other shell metacharacters.
+	    # Many Bourne shells cannot handle close brackets correctly
+	    # in scan sets, so we specify it separately.
+	    case $arg in
+	      *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*|"")
+	      arg="\"$arg\""
+	      ;;
+	    esac
+	    lastarg="$lastarg $arg"
+	  done
+	  IFS="$save_ifs"
+	  lastarg=`$echo "X$lastarg" | $Xsed -e "s/^ //"`
+
+	  # Add the arguments to base_compile.
+	  base_compile="$base_compile $lastarg"
+	  continue
+	  ;;
+
+	* )
+	  # Accept the current argument as the source file.
+	  # The previous "srcfile" becomes the current argument.
+	  #
+	  lastarg="$srcfile"
+	  srcfile="$arg"
+	  ;;
+	esac  #  case $arg
+	;;
+      esac    #  case $arg_mode
+
+      # Aesthetically quote the previous argument.
+      lastarg=`$echo "X$lastarg" | $Xsed -e "$sed_quote_subst"`
+
+      case $lastarg in
+      # Double-quote args containing other shell metacharacters.
+      # Many Bourne shells cannot handle close brackets correctly
+      # in scan sets, and some SunOS ksh mistreat backslash-escaping
+      # in scan sets (worked around with variable expansion),
+      # and furthermore cannot handle '|' '&' '(' ')' in scan sets 
+      # at all, so we specify them separately.
+      *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*|"")
+	lastarg="\"$lastarg\""
+	;;
+      esac
+
+      base_compile="$base_compile $lastarg"
+    done # for arg
+
+    case $arg_mode in
+    arg)
+      $echo "$modename: you must specify an argument for -Xcompile"
+      exit $EXIT_FAILURE
+      ;;
+    target)
+      $echo "$modename: you must specify a target with \`-o'" 1>&2
+      exit $EXIT_FAILURE
+      ;;
+    *)
+      # Get the name of the library object.
+      [ -z "$libobj" ] && libobj=`$echo "X$srcfile" | $Xsed -e 's%^.*/%%'`
+      ;;
+    esac
+
+    # Recognize several different file suffixes.
+    # If the user specifies -o file.o, it is replaced with file.lo
+    xform='[cCFSifmso]'
+    case $libobj in
+    *.ada) xform=ada ;;
+    *.adb) xform=adb ;;
+    *.ads) xform=ads ;;
+    *.asm) xform=asm ;;
+    *.c++) xform=c++ ;;
+    *.cc) xform=cc ;;
+    *.ii) xform=ii ;;
+    *.class) xform=class ;;
+    *.cpp) xform=cpp ;;
+    *.cxx) xform=cxx ;;
+    *.[fF][09]?) xform=[fF][09]. ;;
+    *.for) xform=for ;;
+    *.java) xform=java ;;
+    *.obj) xform=obj ;;
+    *.sx) xform=sx ;;
+    esac
+
+    libobj=`$echo "X$libobj" | $Xsed -e "s/\.$xform$/.lo/"`
+
+    case $libobj in
+    *.lo) obj=`$echo "X$libobj" | $Xsed -e "$lo2o"` ;;
+    *)
+      $echo "$modename: cannot determine name of library object from \`$libobj'" 1>&2
+      exit $EXIT_FAILURE
+      ;;
+    esac
+
+    func_infer_tag $base_compile
+
+    for arg in $later; do
+      case $arg in
+      -static)
+	build_old_libs=yes
+	continue
+	;;
+
+      -prefer-pic)
+	pic_mode=yes
+	continue
+	;;
+
+      -prefer-non-pic)
+	pic_mode=no
+	continue
+	;;
+      esac
+    done
+
+    qlibobj=`$echo "X$libobj" | $Xsed -e "$sed_quote_subst"`
+    case $qlibobj in
+      *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*|"")
+	qlibobj="\"$qlibobj\"" ;;
+    esac
+    test "X$libobj" != "X$qlibobj" \
+	&& $echo "X$libobj" | grep '[]~#^*{};<>?"'"'"' 	&()|`$[]' \
+	&& $echo "$modename: libobj name \`$libobj' may not contain shell special characters."
+    objname=`$echo "X$obj" | $Xsed -e 's%^.*/%%'`
+    xdir=`$echo "X$obj" | $Xsed -e 's%/[^/]*$%%'`
+    if test "X$xdir" = "X$obj"; then
+      xdir=
+    else
+      xdir=$xdir/
+    fi
+    lobj=${xdir}$objdir/$objname
+
+    if test -z "$base_compile"; then
+      $echo "$modename: you must specify a compilation command" 1>&2
+      $echo "$help" 1>&2
+      exit $EXIT_FAILURE
+    fi
+
+    # Delete any leftover library objects.
+    if test "$build_old_libs" = yes; then
+      removelist="$obj $lobj $libobj ${libobj}T"
+    else
+      removelist="$lobj $libobj ${libobj}T"
+    fi
+
+    $run $rm $removelist
+    trap "$run $rm $removelist; exit $EXIT_FAILURE" 1 2 15
+
+    # On Cygwin there's no "real" PIC flag so we must build both object types
+    case $host_os in
+    cygwin* | mingw* | pw32* | os2*)
+      pic_mode=default
+      ;;
+    esac
+    if test "$pic_mode" = no && test "$deplibs_check_method" != pass_all; then
+      # non-PIC code in shared libraries is not supported
+      pic_mode=default
+    fi
+
+    # Calculate the filename of the output object if compiler does
+    # not support -o with -c
+    if test "$compiler_c_o" = no; then
+      output_obj=`$echo "X$srcfile" | $Xsed -e 's%^.*/%%' -e 's%\.[^.]*$%%'`.${objext}
+      lockfile="$output_obj.lock"
+      removelist="$removelist $output_obj $lockfile"
+      trap "$run $rm $removelist; exit $EXIT_FAILURE" 1 2 15
+    else
+      output_obj=
+      need_locks=no
+      lockfile=
+    fi
+
+    # Lock this critical section if it is needed
+    # We use this script file to make the link, it avoids creating a new file
+    if test "$need_locks" = yes; then
+      until $run ln "$progpath" "$lockfile" 2>/dev/null; do
+	$show "Waiting for $lockfile to be removed"
+	sleep 2
+      done
+    elif test "$need_locks" = warn; then
+      if test -f "$lockfile"; then
+	$echo "\
+*** ERROR, $lockfile exists and contains:
+`cat $lockfile 2>/dev/null`
+
+This indicates that another process is trying to use the same
+temporary object file, and libtool could not work around it because
+your compiler does not support \`-c' and \`-o' together.  If you
+repeat this compilation, it may succeed, by chance, but you had better
+avoid parallel builds (make -j) in this platform, or get a better
+compiler."
+
+	$run $rm $removelist
+	exit $EXIT_FAILURE
+      fi
+      $echo "$srcfile" > "$lockfile"
+    fi
+
+    if test -n "$fix_srcfile_path"; then
+      eval srcfile=\"$fix_srcfile_path\"
+    fi
+    qsrcfile=`$echo "X$srcfile" | $Xsed -e "$sed_quote_subst"`
+    case $qsrcfile in
+      *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*|"")
+      qsrcfile="\"$qsrcfile\"" ;;
+    esac
+
+    $run $rm "$libobj" "${libobj}T"
+
+    # Create a libtool object file (analogous to a ".la" file),
+    # but don't create it if we're doing a dry run.
+    test -z "$run" && cat > ${libobj}T <<EOF
+# $libobj - a libtool object file
+# Generated by $PROGRAM - GNU $PACKAGE $VERSION$TIMESTAMP
+#
+# Please DO NOT delete this file!
+# It is necessary for linking the library.
+
+# Name of the PIC object.
+EOF
+
+    # Only build a PIC object if we are building libtool libraries.
+    if test "$build_libtool_libs" = yes; then
+      # Without this assignment, base_compile gets emptied.
+      fbsd_hideous_sh_bug=$base_compile
+
+      if test "$pic_mode" != no; then
+	command="$base_compile $qsrcfile $pic_flag"
+      else
+	# Don't build PIC code
+	command="$base_compile $qsrcfile"
+      fi
+
+      if test ! -d "${xdir}$objdir"; then
+	$show "$mkdir ${xdir}$objdir"
+	$run $mkdir ${xdir}$objdir
+	exit_status=$?
+	if test "$exit_status" -ne 0 && test ! -d "${xdir}$objdir"; then
+	  exit $exit_status
+	fi
+      fi
+
+      if test -z "$output_obj"; then
+	# Place PIC objects in $objdir
+	command="$command -o $lobj"
+      fi
+
+      $run $rm "$lobj" "$output_obj"
+
+      $show "$command"
+      if $run eval $lt_env "$command"; then :
+      else
+	test -n "$output_obj" && $run $rm $removelist
+	exit $EXIT_FAILURE
+      fi
+
+      if test "$need_locks" = warn &&
+	 test "X`cat $lockfile 2>/dev/null`" != "X$srcfile"; then
+	$echo "\
+*** ERROR, $lockfile contains:
+`cat $lockfile 2>/dev/null`
+
+but it should contain:
+$srcfile
+
+This indicates that another process is trying to use the same
+temporary object file, and libtool could not work around it because
+your compiler does not support \`-c' and \`-o' together.  If you
+repeat this compilation, it may succeed, by chance, but you had better
+avoid parallel builds (make -j) in this platform, or get a better
+compiler."
+
+	$run $rm $removelist
+	exit $EXIT_FAILURE
+      fi
+
+      # Just move the object if needed, then go on to compile the next one
+      if test -n "$output_obj" && test "X$output_obj" != "X$lobj"; then
+	$show "$mv $output_obj $lobj"
+	if $run $mv $output_obj $lobj; then :
+	else
+	  error=$?
+	  $run $rm $removelist
+	  exit $error
+	fi
+      fi
+
+      # Append the name of the PIC object to the libtool object file.
+      test -z "$run" && cat >> ${libobj}T <<EOF
+pic_object='$objdir/$objname'
+
+EOF
+
+      # Allow error messages only from the first compilation.
+      if test "$suppress_opt" = yes; then
+        suppress_output=' >/dev/null 2>&1'
+      fi
+    else
+      # No PIC object so indicate it doesn't exist in the libtool
+      # object file.
+      test -z "$run" && cat >> ${libobj}T <<EOF
+pic_object=none
+
+EOF
+    fi
+
+    # Only build a position-dependent object if we build old libraries.
+    if test "$build_old_libs" = yes; then
+      if test "$pic_mode" != yes; then
+	# Don't build PIC code
+	command="$base_compile $qsrcfile"
+      else
+	command="$base_compile $qsrcfile $pic_flag"
+      fi
+      if test "$compiler_c_o" = yes; then
+	command="$command -o $obj"
+      fi
+
+      # Suppress compiler output if we already did a PIC compilation.
+      command="$command$suppress_output"
+      $run $rm "$obj" "$output_obj"
+      $show "$command"
+      if $run eval $lt_env "$command"; then :
+      else
+	$run $rm $removelist
+	exit $EXIT_FAILURE
+      fi
+
+      if test "$need_locks" = warn &&
+	 test "X`cat $lockfile 2>/dev/null`" != "X$srcfile"; then
+	$echo "\
+*** ERROR, $lockfile contains:
+`cat $lockfile 2>/dev/null`
+
+but it should contain:
+$srcfile
+
+This indicates that another process is trying to use the same
+temporary object file, and libtool could not work around it because
+your compiler does not support \`-c' and \`-o' together.  If you
+repeat this compilation, it may succeed, by chance, but you had better
+avoid parallel builds (make -j) in this platform, or get a better
+compiler."
+
+	$run $rm $removelist
+	exit $EXIT_FAILURE
+      fi
+
+      # Just move the object if needed
+      if test -n "$output_obj" && test "X$output_obj" != "X$obj"; then
+	$show "$mv $output_obj $obj"
+	if $run $mv $output_obj $obj; then :
+	else
+	  error=$?
+	  $run $rm $removelist
+	  exit $error
+	fi
+      fi
+
+      # Append the name of the non-PIC object the libtool object file.
+      # Only append if the libtool object file exists.
+      test -z "$run" && cat >> ${libobj}T <<EOF
+# Name of the non-PIC object.
+non_pic_object='$objname'
+
+EOF
+    else
+      # Append the name of the non-PIC object the libtool object file.
+      # Only append if the libtool object file exists.
+      test -z "$run" && cat >> ${libobj}T <<EOF
+# Name of the non-PIC object.
+non_pic_object=none
+
+EOF
+    fi
+
+    $run $mv "${libobj}T" "${libobj}"
+
+    # Unlock the critical section if it was locked
+    if test "$need_locks" != no; then
+      $run $rm "$lockfile"
+    fi
+
+    exit $EXIT_SUCCESS
+    ;;
+
+  # libtool link mode
+  link | relink)
+    modename="$modename: link"
+    case $host in
+    *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2*)
+      # It is impossible to link a dll without this setting, and
+      # we shouldn't force the makefile maintainer to figure out
+      # which system we are compiling for in order to pass an extra
+      # flag for every libtool invocation.
+      # allow_undefined=no
+
+      # FIXME: Unfortunately, there are problems with the above when trying
+      # to make a dll which has undefined symbols, in which case not
+      # even a static library is built.  For now, we need to specify
+      # -no-undefined on the libtool link line when we can be certain
+      # that all symbols are satisfied, otherwise we get a static library.
+      allow_undefined=yes
+      ;;
+    *)
+      allow_undefined=yes
+      ;;
+    esac
+    libtool_args="$nonopt"
+    base_compile="$nonopt $@"
+    compile_command="$nonopt"
+    finalize_command="$nonopt"
+
+    compile_rpath=
+    finalize_rpath=
+    compile_shlibpath=
+    finalize_shlibpath=
+    convenience=
+    old_convenience=
+    deplibs=
+    old_deplibs=
+    compiler_flags=
+    linker_flags=
+    dllsearchpath=
+    lib_search_path=`pwd`
+    inst_prefix_dir=
+
+    avoid_version=no
+    dlfiles=
+    dlprefiles=
+    dlself=no
+    export_dynamic=no
+    export_symbols=
+    export_symbols_regex=
+    generated=
+    libobjs=
+    ltlibs=
+    module=no
+    no_install=no
+    objs=
+    non_pic_objects=
+    notinst_path= # paths that contain not-installed libtool libraries
+    precious_files_regex=
+    prefer_static_libs=no
+    preload=no
+    prev=
+    prevarg=
+    release=
+    rpath=
+    xrpath=
+    perm_rpath=
+    temp_rpath=
+    thread_safe=no
+    vinfo=
+    vinfo_number=no
+    single_module="${wl}-single_module"
+
+    func_infer_tag $base_compile
+
+    # We need to know -static, to get the right output filenames.
+    for arg
+    do
+      case $arg in
+      -all-static | -static | -static-libtool-libs)
+	case $arg in
+	-all-static)
+	  if test "$build_libtool_libs" = yes && test -z "$link_static_flag"; then
+	    $echo "$modename: warning: complete static linking is impossible in this configuration" 1>&2
+	  fi
+	  if test -n "$link_static_flag"; then
+	    dlopen_self=$dlopen_self_static
+	  fi
+	  prefer_static_libs=yes
+	  ;;
+	-static)
+	  if test -z "$pic_flag" && test -n "$link_static_flag"; then
+	    dlopen_self=$dlopen_self_static
+	  fi
+	  prefer_static_libs=built
+	  ;;
+	-static-libtool-libs)
+	  if test -z "$pic_flag" && test -n "$link_static_flag"; then
+	    dlopen_self=$dlopen_self_static
+	  fi
+	  prefer_static_libs=yes
+	  ;;
+	esac
+	build_libtool_libs=no
+	build_old_libs=yes
+	break
+	;;
+      esac
+    done
+
+    # See if our shared archives depend on static archives.
+    test -n "$old_archive_from_new_cmds" && build_old_libs=yes
+
+    # Go through the arguments, transforming them on the way.
+    while test "$#" -gt 0; do
+      arg="$1"
+      shift
+      case $arg in
+      *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*|"")
+	qarg=\"`$echo "X$arg" | $Xsed -e "$sed_quote_subst"`\" ### testsuite: skip nested quoting test
+	;;
+      *) qarg=$arg ;;
+      esac
+      libtool_args="$libtool_args $qarg"
+
+      # If the previous option needs an argument, assign it.
+      if test -n "$prev"; then
+	case $prev in
+	output)
+	  compile_command="$compile_command @OUTPUT@"
+	  finalize_command="$finalize_command @OUTPUT@"
+	  ;;
+	esac
+
+	case $prev in
+	dlfiles|dlprefiles)
+	  if test "$preload" = no; then
+	    # Add the symbol object into the linking commands.
+	    compile_command="$compile_command @SYMFILE@"
+	    finalize_command="$finalize_command @SYMFILE@"
+	    preload=yes
+	  fi
+	  case $arg in
+	  *.la | *.lo) ;;  # We handle these cases below.
+	  force)
+	    if test "$dlself" = no; then
+	      dlself=needless
+	      export_dynamic=yes
+	    fi
+	    prev=
+	    continue
+	    ;;
+	  self)
+	    if test "$prev" = dlprefiles; then
+	      dlself=yes
+	    elif test "$prev" = dlfiles && test "$dlopen_self" != yes; then
+	      dlself=yes
+	    else
+	      dlself=needless
+	      export_dynamic=yes
+	    fi
+	    prev=
+	    continue
+	    ;;
+	  *)
+	    if test "$prev" = dlfiles; then
+	      dlfiles="$dlfiles $arg"
+	    else
+	      dlprefiles="$dlprefiles $arg"
+	    fi
+	    prev=
+	    continue
+	    ;;
+	  esac
+	  ;;
+	expsyms)
+	  export_symbols="$arg"
+	  if test ! -f "$arg"; then
+	    $echo "$modename: symbol file \`$arg' does not exist"
+	    exit $EXIT_FAILURE
+	  fi
+	  prev=
+	  continue
+	  ;;
+	expsyms_regex)
+	  export_symbols_regex="$arg"
+	  prev=
+	  continue
+	  ;;
+	inst_prefix)
+	  inst_prefix_dir="$arg"
+	  prev=
+	  continue
+	  ;;
+	precious_regex)
+	  precious_files_regex="$arg"
+	  prev=
+	  continue
+	  ;;
+	release)
+	  release="-$arg"
+	  prev=
+	  continue
+	  ;;
+	objectlist)
+	  if test -f "$arg"; then
+	    save_arg=$arg
+	    moreargs=
+	    for fil in `cat $save_arg`
+	    do
+#	      moreargs="$moreargs $fil"
+	      arg=$fil
+	      # A libtool-controlled object.
+
+	      # Check to see that this really is a libtool object.
+	      if (${SED} -e '2q' $arg | grep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then
+		pic_object=
+		non_pic_object=
+
+		# Read the .lo file
+		# If there is no directory component, then add one.
+		case $arg in
+		*/* | *\\*) . $arg ;;
+		*) . ./$arg ;;
+		esac
+
+		if test -z "$pic_object" || \
+		   test -z "$non_pic_object" ||
+		   test "$pic_object" = none && \
+		   test "$non_pic_object" = none; then
+		  $echo "$modename: cannot find name of object for \`$arg'" 1>&2
+		  exit $EXIT_FAILURE
+		fi
+
+		# Extract subdirectory from the argument.
+		xdir=`$echo "X$arg" | $Xsed -e 's%/[^/]*$%%'`
+		if test "X$xdir" = "X$arg"; then
+		  xdir=
+		else
+		  xdir="$xdir/"
+		fi
+
+		if test "$pic_object" != none; then
+		  # Prepend the subdirectory the object is found in.
+		  pic_object="$xdir$pic_object"
+
+		  if test "$prev" = dlfiles; then
+		    if test "$build_libtool_libs" = yes && test "$dlopen_support" = yes; then
+		      dlfiles="$dlfiles $pic_object"
+		      prev=
+		      continue
+		    else
+		      # If libtool objects are unsupported, then we need to preload.
+		      prev=dlprefiles
+		    fi
+		  fi
+
+		  # CHECK ME:  I think I busted this.  -Ossama
+		  if test "$prev" = dlprefiles; then
+		    # Preload the old-style object.
+		    dlprefiles="$dlprefiles $pic_object"
+		    prev=
+		  fi
+
+		  # A PIC object.
+		  libobjs="$libobjs $pic_object"
+		  arg="$pic_object"
+		fi
+
+		# Non-PIC object.
+		if test "$non_pic_object" != none; then
+		  # Prepend the subdirectory the object is found in.
+		  non_pic_object="$xdir$non_pic_object"
+
+		  # A standard non-PIC object
+		  non_pic_objects="$non_pic_objects $non_pic_object"
+		  if test -z "$pic_object" || test "$pic_object" = none ; then
+		    arg="$non_pic_object"
+		  fi
+		else
+		  # If the PIC object exists, use it instead.
+		  # $xdir was prepended to $pic_object above.
+		  non_pic_object="$pic_object"
+		  non_pic_objects="$non_pic_objects $non_pic_object"
+		fi
+	      else
+		# Only an error if not doing a dry-run.
+		if test -z "$run"; then
+		  $echo "$modename: \`$arg' is not a valid libtool object" 1>&2
+		  exit $EXIT_FAILURE
+		else
+		  # Dry-run case.
+
+		  # Extract subdirectory from the argument.
+		  xdir=`$echo "X$arg" | $Xsed -e 's%/[^/]*$%%'`
+		  if test "X$xdir" = "X$arg"; then
+		    xdir=
+		  else
+		    xdir="$xdir/"
+		  fi
+
+		  pic_object=`$echo "X${xdir}${objdir}/${arg}" | $Xsed -e "$lo2o"`
+		  non_pic_object=`$echo "X${xdir}${arg}" | $Xsed -e "$lo2o"`
+		  libobjs="$libobjs $pic_object"
+		  non_pic_objects="$non_pic_objects $non_pic_object"
+		fi
+	      fi
+	    done
+	  else
+	    $echo "$modename: link input file \`$save_arg' does not exist"
+	    exit $EXIT_FAILURE
+	  fi
+	  arg=$save_arg
+	  prev=
+	  continue
+	  ;;
+	rpath | xrpath)
+	  # We need an absolute path.
+	  case $arg in
+	  [\\/]* | [A-Za-z]:[\\/]*) ;;
+	  *)
+	    $echo "$modename: only absolute run-paths are allowed" 1>&2
+	    exit $EXIT_FAILURE
+	    ;;
+	  esac
+	  if test "$prev" = rpath; then
+	    case "$rpath " in
+	    *" $arg "*) ;;
+	    *) rpath="$rpath $arg" ;;
+	    esac
+	  else
+	    case "$xrpath " in
+	    *" $arg "*) ;;
+	    *) xrpath="$xrpath $arg" ;;
+	    esac
+	  fi
+	  prev=
+	  continue
+	  ;;
+	xcompiler)
+	  compiler_flags="$compiler_flags $qarg"
+	  prev=
+	  compile_command="$compile_command $qarg"
+	  finalize_command="$finalize_command $qarg"
+	  continue
+	  ;;
+	xlinker)
+	  linker_flags="$linker_flags $qarg"
+	  compiler_flags="$compiler_flags $wl$qarg"
+	  prev=
+	  compile_command="$compile_command $wl$qarg"
+	  finalize_command="$finalize_command $wl$qarg"
+	  continue
+	  ;;
+	xcclinker)
+	  linker_flags="$linker_flags $qarg"
+	  compiler_flags="$compiler_flags $qarg"
+	  prev=
+	  compile_command="$compile_command $qarg"
+	  finalize_command="$finalize_command $qarg"
+	  continue
+	  ;;
+	shrext)
+  	  shrext_cmds="$arg"
+	  prev=
+	  continue
+	  ;;
+	darwin_framework|darwin_framework_skip)
+	  test "$prev" = "darwin_framework" && compiler_flags="$compiler_flags $arg"
+	  compile_command="$compile_command $arg"
+	  finalize_command="$finalize_command $arg"
+	  prev=
+	  continue
+	  ;;
+	*)
+	  eval "$prev=\"\$arg\""
+	  prev=
+	  continue
+	  ;;
+	esac
+      fi # test -n "$prev"
+
+      prevarg="$arg"
+
+      case $arg in
+      -all-static)
+	if test -n "$link_static_flag"; then
+	  compile_command="$compile_command $link_static_flag"
+	  finalize_command="$finalize_command $link_static_flag"
+	fi
+	continue
+	;;
+
+      -allow-undefined)
+	# FIXME: remove this flag sometime in the future.
+	$echo "$modename: \`-allow-undefined' is deprecated because it is the default" 1>&2
+	continue
+	;;
+
+      -avoid-version)
+	avoid_version=yes
+	continue
+	;;
+
+      -dlopen)
+	prev=dlfiles
+	continue
+	;;
+
+      -dlpreopen)
+	prev=dlprefiles
+	continue
+	;;
+
+      -export-dynamic)
+	export_dynamic=yes
+	continue
+	;;
+
+      -export-symbols | -export-symbols-regex)
+	if test -n "$export_symbols" || test -n "$export_symbols_regex"; then
+	  $echo "$modename: more than one -exported-symbols argument is not allowed"
+	  exit $EXIT_FAILURE
+	fi
+	if test "X$arg" = "X-export-symbols"; then
+	  prev=expsyms
+	else
+	  prev=expsyms_regex
+	fi
+	continue
+	;;
+
+      -framework|-arch|-isysroot)
+	case " $CC " in
+	  *" ${arg} ${1} "* | *" ${arg}	${1} "*) 
+		prev=darwin_framework_skip ;;
+	  *) compiler_flags="$compiler_flags $arg"
+	     prev=darwin_framework ;;
+	esac
+	compile_command="$compile_command $arg"
+	finalize_command="$finalize_command $arg"
+	continue
+	;;
+
+      -inst-prefix-dir)
+	prev=inst_prefix
+	continue
+	;;
+
+      # The native IRIX linker understands -LANG:*, -LIST:* and -LNO:*
+      # so, if we see these flags be careful not to treat them like -L
+      -L[A-Z][A-Z]*:*)
+	case $with_gcc/$host in
+	no/*-*-irix* | /*-*-irix*)
+	  compile_command="$compile_command $arg"
+	  finalize_command="$finalize_command $arg"
+	  ;;
+	esac
+	continue
+	;;
+
+      -L*)
+	dir=`$echo "X$arg" | $Xsed -e 's/^-L//'`
+	# We need an absolute path.
+	case $dir in
+	[\\/]* | [A-Za-z]:[\\/]*) ;;
+	*)
+	  absdir=`cd "$dir" && pwd`
+	  if test -z "$absdir"; then
+	    $echo "$modename: cannot determine absolute directory name of \`$dir'" 1>&2
+	    absdir="$dir"
+	    notinst_path="$notinst_path $dir"
+	  fi
+	  dir="$absdir"
+	  ;;
+	esac
+	case "$deplibs " in
+	*" -L$dir "*) ;;
+	*)
+	  deplibs="$deplibs -L$dir"
+	  lib_search_path="$lib_search_path $dir"
+	  ;;
+	esac
+	case $host in
+	*-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2*)
+	  testbindir=`$echo "X$dir" | $Xsed -e 's*/lib$*/bin*'`
+	  case :$dllsearchpath: in
+	  *":$dir:"*) ;;
+	  *) dllsearchpath="$dllsearchpath:$dir";;
+	  esac
+	  case :$dllsearchpath: in
+	  *":$testbindir:"*) ;;
+	  *) dllsearchpath="$dllsearchpath:$testbindir";;
+	  esac
+	  ;;
+	esac
+	continue
+	;;
+
+      -l*)
+	if test "X$arg" = "X-lc" || test "X$arg" = "X-lm"; then
+	  case $host in
+	  *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-beos*)
+	    # These systems don't actually have a C or math library (as such)
+	    continue
+	    ;;
+	  *-*-os2*)
+	    # These systems don't actually have a C library (as such)
+	    test "X$arg" = "X-lc" && continue
+	    ;;
+	  *-*-openbsd* | *-*-freebsd* | *-*-dragonfly*)
+	    # Do not include libc due to us having libc/libc_r.
+	    test "X$arg" = "X-lc" && continue
+	    ;;
+	  *-*-rhapsody* | *-*-darwin1.[012])
+	    # Rhapsody C and math libraries are in the System framework
+	    deplibs="$deplibs -framework System"
+	    continue
+	    ;;
+	  *-*-sco3.2v5* | *-*-sco5v6*)
+	    # Causes problems with __ctype
+	    test "X$arg" = "X-lc" && continue
+	    ;;
+	  *-*-sysv4.2uw2* | *-*-sysv5* | *-*-unixware* | *-*-OpenUNIX*)
+	    # Compiler inserts libc in the correct place for threads to work
+	    test "X$arg" = "X-lc" && continue
+	    ;;
+	  esac
+	elif test "X$arg" = "X-lc_r"; then
+	 case $host in
+	 *-*-openbsd* | *-*-freebsd* | *-*-dragonfly*)
+	   # Do not include libc_r directly, use -pthread flag.
+	   continue
+	   ;;
+	 esac
+	fi
+	deplibs="$deplibs $arg"
+	continue
+	;;
+
+      # Tru64 UNIX uses -model [arg] to determine the layout of C++
+      # classes, name mangling, and exception handling.
+      -model)
+	compile_command="$compile_command $arg"
+	compiler_flags="$compiler_flags $arg"
+	finalize_command="$finalize_command $arg"
+	prev=xcompiler
+	continue
+	;;
+
+     -mt|-mthreads|-kthread|-Kthread|-pthread|-pthreads|--thread-safe|-threads)
+	compiler_flags="$compiler_flags $arg"
+	compile_command="$compile_command $arg"
+	finalize_command="$finalize_command $arg"
+	continue
+	;;
+
+      -multi_module)
+	single_module="${wl}-multi_module"
+	continue
+	;;
+
+      -module)
+	module=yes
+	continue
+	;;
+
+      # -64, -mips[0-9] enable 64-bit mode on the SGI compiler
+      # -r[0-9][0-9]* specifies the processor on the SGI compiler
+      # -xarch=*, -xtarget=* enable 64-bit mode on the Sun compiler
+      # +DA*, +DD* enable 64-bit mode on the HP compiler
+      # -q* pass through compiler args for the IBM compiler
+      # -m* pass through architecture-specific compiler args for GCC
+      # -m*, -t[45]*, -txscale* pass through architecture-specific
+      # compiler args for GCC
+      # -p, -pg, --coverage, -fprofile-* pass through profiling flag for GCC
+      # -F/path gives path to uninstalled frameworks, gcc on darwin
+      # @file GCC response files
+      -64|-mips[0-9]|-r[0-9][0-9]*|-xarch=*|-xtarget=*|+DA*|+DD*|-q*|-m*| \
+      -t[45]*|-txscale*|-p|-pg|--coverage|-fprofile-*|-F*|@*)
+
+	# Unknown arguments in both finalize_command and compile_command need
+	# to be aesthetically quoted because they are evaled later.
+	arg=`$echo "X$arg" | $Xsed -e "$sed_quote_subst"`
+	case $arg in
+	*[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*|"")
+	  arg="\"$arg\""
+	  ;;
+	esac
+        compile_command="$compile_command $arg"
+        finalize_command="$finalize_command $arg"
+        compiler_flags="$compiler_flags $arg"
+        continue
+        ;;
+
+      -shrext)
+	prev=shrext
+	continue
+	;;
+
+      -no-fast-install)
+	fast_install=no
+	continue
+	;;
+
+      -no-install)
+	case $host in
+	*-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2* | *-*-darwin*)
+	  # The PATH hackery in wrapper scripts is required on Windows
+	  # and Darwin in order for the loader to find any dlls it needs.
+	  $echo "$modename: warning: \`-no-install' is ignored for $host" 1>&2
+	  $echo "$modename: warning: assuming \`-no-fast-install' instead" 1>&2
+	  fast_install=no
+	  ;;
+	*) no_install=yes ;;
+	esac
+	continue
+	;;
+
+      -no-undefined)
+	allow_undefined=no
+	continue
+	;;
+
+      -objectlist)
+	prev=objectlist
+	continue
+	;;
+
+      -o) prev=output ;;
+
+      -precious-files-regex)
+	prev=precious_regex
+	continue
+	;;
+
+      -release)
+	prev=release
+	continue
+	;;
+
+      -rpath)
+	prev=rpath
+	continue
+	;;
+
+      -R)
+	prev=xrpath
+	continue
+	;;
+
+      -R*)
+	dir=`$echo "X$arg" | $Xsed -e 's/^-R//'`
+	# We need an absolute path.
+	case $dir in
+	[\\/]* | [A-Za-z]:[\\/]*) ;;
+	*)
+	  $echo "$modename: only absolute run-paths are allowed" 1>&2
+	  exit $EXIT_FAILURE
+	  ;;
+	esac
+	case "$xrpath " in
+	*" $dir "*) ;;
+	*) xrpath="$xrpath $dir" ;;
+	esac
+	continue
+	;;
+
+      -static | -static-libtool-libs)
+	# The effects of -static are defined in a previous loop.
+	# We used to do the same as -all-static on platforms that
+	# didn't have a PIC flag, but the assumption that the effects
+	# would be equivalent was wrong.  It would break on at least
+	# Digital Unix and AIX.
+	continue
+	;;
+
+      -thread-safe)
+	thread_safe=yes
+	continue
+	;;
+
+      -version-info)
+	prev=vinfo
+	continue
+	;;
+      -version-number)
+	prev=vinfo
+	vinfo_number=yes
+	continue
+	;;
+
+      -Wc,*)
+	args=`$echo "X$arg" | $Xsed -e "$sed_quote_subst" -e 's/^-Wc,//'`
+	arg=
+	save_ifs="$IFS"; IFS=','
+	for flag in $args; do
+	  IFS="$save_ifs"
+	  case $flag in
+	    *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*|"")
+	    flag="\"$flag\""
+	    ;;
+	  esac
+	  arg="$arg $wl$flag"
+	  compiler_flags="$compiler_flags $flag"
+	done
+	IFS="$save_ifs"
+	arg=`$echo "X$arg" | $Xsed -e "s/^ //"`
+	;;
+
+      -Wl,*)
+	args=`$echo "X$arg" | $Xsed -e "$sed_quote_subst" -e 's/^-Wl,//'`
+	arg=
+	save_ifs="$IFS"; IFS=','
+	for flag in $args; do
+	  IFS="$save_ifs"
+	  case $flag in
+	    *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*|"")
+	    flag="\"$flag\""
+	    ;;
+	  esac
+	  arg="$arg $wl$flag"
+	  compiler_flags="$compiler_flags $wl$flag"
+	  linker_flags="$linker_flags $flag"
+	done
+	IFS="$save_ifs"
+	arg=`$echo "X$arg" | $Xsed -e "s/^ //"`
+	;;
+
+      -Xcompiler)
+	prev=xcompiler
+	continue
+	;;
+
+      -Xlinker)
+	prev=xlinker
+	continue
+	;;
+
+      -XCClinker)
+	prev=xcclinker
+	continue
+	;;
+
+      # Some other compiler flag.
+      -* | +*)
+	# Unknown arguments in both finalize_command and compile_command need
+	# to be aesthetically quoted because they are evaled later.
+	arg=`$echo "X$arg" | $Xsed -e "$sed_quote_subst"`
+	case $arg in
+	*[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*|"")
+	  arg="\"$arg\""
+	  ;;
+	esac
+	;;
+
+      *.$objext)
+	# A standard object.
+	objs="$objs $arg"
+	;;
+
+      *.lo)
+	# A libtool-controlled object.
+
+	# Check to see that this really is a libtool object.
+	if (${SED} -e '2q' $arg | grep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then
+	  pic_object=
+	  non_pic_object=
+
+	  # Read the .lo file
+	  # If there is no directory component, then add one.
+	  case $arg in
+	  */* | *\\*) . $arg ;;
+	  *) . ./$arg ;;
+	  esac
+
+	  if test -z "$pic_object" || \
+	     test -z "$non_pic_object" ||
+	     test "$pic_object" = none && \
+	     test "$non_pic_object" = none; then
+	    $echo "$modename: cannot find name of object for \`$arg'" 1>&2
+	    exit $EXIT_FAILURE
+	  fi
+
+	  # Extract subdirectory from the argument.
+	  xdir=`$echo "X$arg" | $Xsed -e 's%/[^/]*$%%'`
+	  if test "X$xdir" = "X$arg"; then
+	    xdir=
+ 	  else
+	    xdir="$xdir/"
+	  fi
+
+	  if test "$pic_object" != none; then
+	    # Prepend the subdirectory the object is found in.
+	    pic_object="$xdir$pic_object"
+
+	    if test "$prev" = dlfiles; then
+	      if test "$build_libtool_libs" = yes && test "$dlopen_support" = yes; then
+		dlfiles="$dlfiles $pic_object"
+		prev=
+		continue
+	      else
+		# If libtool objects are unsupported, then we need to preload.
+		prev=dlprefiles
+	      fi
+	    fi
+
+	    # CHECK ME:  I think I busted this.  -Ossama
+	    if test "$prev" = dlprefiles; then
+	      # Preload the old-style object.
+	      dlprefiles="$dlprefiles $pic_object"
+	      prev=
+	    fi
+
+	    # A PIC object.
+	    libobjs="$libobjs $pic_object"
+	    arg="$pic_object"
+	  fi
+
+	  # Non-PIC object.
+	  if test "$non_pic_object" != none; then
+	    # Prepend the subdirectory the object is found in.
+	    non_pic_object="$xdir$non_pic_object"
+
+	    # A standard non-PIC object
+	    non_pic_objects="$non_pic_objects $non_pic_object"
+	    if test -z "$pic_object" || test "$pic_object" = none ; then
+	      arg="$non_pic_object"
+	    fi
+	  else
+	    # If the PIC object exists, use it instead.
+	    # $xdir was prepended to $pic_object above.
+	    non_pic_object="$pic_object"
+	    non_pic_objects="$non_pic_objects $non_pic_object"
+	  fi
+	else
+	  # Only an error if not doing a dry-run.
+	  if test -z "$run"; then
+	    $echo "$modename: \`$arg' is not a valid libtool object" 1>&2
+	    exit $EXIT_FAILURE
+	  else
+	    # Dry-run case.
+
+	    # Extract subdirectory from the argument.
+	    xdir=`$echo "X$arg" | $Xsed -e 's%/[^/]*$%%'`
+	    if test "X$xdir" = "X$arg"; then
+	      xdir=
+	    else
+	      xdir="$xdir/"
+	    fi
+
+	    pic_object=`$echo "X${xdir}${objdir}/${arg}" | $Xsed -e "$lo2o"`
+	    non_pic_object=`$echo "X${xdir}${arg}" | $Xsed -e "$lo2o"`
+	    libobjs="$libobjs $pic_object"
+	    non_pic_objects="$non_pic_objects $non_pic_object"
+	  fi
+	fi
+	;;
+
+      *.$libext)
+	# An archive.
+	deplibs="$deplibs $arg"
+	old_deplibs="$old_deplibs $arg"
+	continue
+	;;
+
+      *.la)
+	# A libtool-controlled library.
+
+	if test "$prev" = dlfiles; then
+	  # This library was specified with -dlopen.
+	  dlfiles="$dlfiles $arg"
+	  prev=
+	elif test "$prev" = dlprefiles; then
+	  # The library was specified with -dlpreopen.
+	  dlprefiles="$dlprefiles $arg"
+	  prev=
+	else
+	  deplibs="$deplibs $arg"
+	fi
+	continue
+	;;
+
+      # Some other compiler argument.
+      *)
+	# Unknown arguments in both finalize_command and compile_command need
+	# to be aesthetically quoted because they are evaled later.
+	arg=`$echo "X$arg" | $Xsed -e "$sed_quote_subst"`
+	case $arg in
+	*[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*|"")
+	  arg="\"$arg\""
+	  ;;
+	esac
+	;;
+      esac # arg
+
+      # Now actually substitute the argument into the commands.
+      if test -n "$arg"; then
+	compile_command="$compile_command $arg"
+	finalize_command="$finalize_command $arg"
+      fi
+    done # argument parsing loop
+
+    if test -n "$prev"; then
+      $echo "$modename: the \`$prevarg' option requires an argument" 1>&2
+      $echo "$help" 1>&2
+      exit $EXIT_FAILURE
+    fi
+
+    if test "$export_dynamic" = yes && test -n "$export_dynamic_flag_spec"; then
+      eval arg=\"$export_dynamic_flag_spec\"
+      compile_command="$compile_command $arg"
+      finalize_command="$finalize_command $arg"
+    fi
+
+    oldlibs=
+    # calculate the name of the file, without its directory
+    outputname=`$echo "X$output" | $Xsed -e 's%^.*/%%'`
+    libobjs_save="$libobjs"
+
+    if test -n "$shlibpath_var"; then
+      # get the directories listed in $shlibpath_var
+      eval shlib_search_path=\`\$echo \"X\${$shlibpath_var}\" \| \$Xsed -e \'s/:/ /g\'\`
+    else
+      shlib_search_path=
+    fi
+    eval sys_lib_search_path=\"$sys_lib_search_path_spec\"
+    eval sys_lib_dlsearch_path=\"$sys_lib_dlsearch_path_spec\"
+
+    output_objdir=`$echo "X$output" | $Xsed -e 's%/[^/]*$%%'`
+    if test "X$output_objdir" = "X$output"; then
+      output_objdir="$objdir"
+    else
+      output_objdir="$output_objdir/$objdir"
+    fi
+    # Create the object directory.
+    if test ! -d "$output_objdir"; then
+      $show "$mkdir $output_objdir"
+      $run $mkdir $output_objdir
+      exit_status=$?
+      if test "$exit_status" -ne 0 && test ! -d "$output_objdir"; then
+	exit $exit_status
+      fi
+    fi
+
+    # Determine the type of output
+    case $output in
+    "")
+      $echo "$modename: you must specify an output file" 1>&2
+      $echo "$help" 1>&2
+      exit $EXIT_FAILURE
+      ;;
+    *.$libext) linkmode=oldlib ;;
+    *.lo | *.$objext) linkmode=obj ;;
+    *.la) linkmode=lib ;;
+    *) linkmode=prog ;; # Anything else should be a program.
+    esac
+
+    case $host in
+    *cygwin* | *mingw* | *pw32*)
+      # don't eliminate duplications in $postdeps and $predeps
+      duplicate_compiler_generated_deps=yes
+      ;;
+    *)
+      duplicate_compiler_generated_deps=$duplicate_deps
+      ;;
+    esac
+    specialdeplibs=
+
+    libs=
+    # Find all interdependent deplibs by searching for libraries
+    # that are linked more than once (e.g. -la -lb -la)
+    for deplib in $deplibs; do
+      if test "X$duplicate_deps" = "Xyes" ; then
+	case "$libs " in
+	*" $deplib "*) specialdeplibs="$specialdeplibs $deplib" ;;
+	esac
+      fi
+      libs="$libs $deplib"
+    done
+
+    if test "$linkmode" = lib; then
+      libs="$predeps $libs $compiler_lib_search_path $postdeps"
+
+      # Compute libraries that are listed more than once in $predeps
+      # $postdeps and mark them as special (i.e., whose duplicates are
+      # not to be eliminated).
+      pre_post_deps=
+      if test "X$duplicate_compiler_generated_deps" = "Xyes" ; then
+	for pre_post_dep in $predeps $postdeps; do
+	  case "$pre_post_deps " in
+	  *" $pre_post_dep "*) specialdeplibs="$specialdeplibs $pre_post_deps" ;;
+	  esac
+	  pre_post_deps="$pre_post_deps $pre_post_dep"
+	done
+      fi
+      pre_post_deps=
+    fi
+
+    deplibs=
+    newdependency_libs=
+    newlib_search_path=
+    need_relink=no # whether we're linking any uninstalled libtool libraries
+    notinst_deplibs= # not-installed libtool libraries
+    case $linkmode in
+    lib)
+	passes="conv link"
+	for file in $dlfiles $dlprefiles; do
+	  case $file in
+	  *.la) ;;
+	  *)
+	    $echo "$modename: libraries can \`-dlopen' only libtool libraries: $file" 1>&2
+	    exit $EXIT_FAILURE
+	    ;;
+	  esac
+	done
+	;;
+    prog)
+	compile_deplibs=
+	finalize_deplibs=
+	alldeplibs=no
+	newdlfiles=
+	newdlprefiles=
+	passes="conv scan dlopen dlpreopen link"
+	;;
+    *)  passes="conv"
+	;;
+    esac
+    for pass in $passes; do
+      if test "$linkmode,$pass" = "lib,link" ||
+	 test "$linkmode,$pass" = "prog,scan"; then
+	libs="$deplibs"
+	deplibs=
+      fi
+      if test "$linkmode" = prog; then
+	case $pass in
+	dlopen) libs="$dlfiles" ;;
+	dlpreopen) libs="$dlprefiles" ;;
+	link)
+	  libs="$deplibs %DEPLIBS%"
+	  test "X$link_all_deplibs" != Xno && libs="$libs $dependency_libs"
+	  ;;
+	esac
+      fi
+      if test "$pass" = dlopen; then
+	# Collect dlpreopened libraries
+	save_deplibs="$deplibs"
+	deplibs=
+      fi
+      for deplib in $libs; do
+	lib=
+	found=no
+	case $deplib in
+	-mt|-mthreads|-kthread|-Kthread|-pthread|-pthreads|--thread-safe|-threads)
+	  if test "$linkmode,$pass" = "prog,link"; then
+	    compile_deplibs="$deplib $compile_deplibs"
+	    finalize_deplibs="$deplib $finalize_deplibs"
+	  else
+	    compiler_flags="$compiler_flags $deplib"
+	  fi
+	  continue
+	  ;;
+	-l*)
+	  if test "$linkmode" != lib && test "$linkmode" != prog; then
+	    $echo "$modename: warning: \`-l' is ignored for archives/objects" 1>&2
+	    continue
+	  fi
+	  name=`$echo "X$deplib" | $Xsed -e 's/^-l//'`
+	  if test "$linkmode" = lib; then
+	    searchdirs="$newlib_search_path $lib_search_path $compiler_lib_search_dirs $sys_lib_search_path $shlib_search_path"
+	  else
+	    searchdirs="$newlib_search_path $lib_search_path $sys_lib_search_path $shlib_search_path"
+	  fi
+	  for searchdir in $searchdirs; do
+	    for search_ext in .la $std_shrext .so .a; do
+	      # Search the libtool library
+	      lib="$searchdir/lib${name}${search_ext}"
+	      if test -f "$lib"; then
+		if test "$search_ext" = ".la"; then
+		  found=yes
+		else
+		  found=no
+		fi
+		break 2
+	      fi
+	    done
+	  done
+	  if test "$found" != yes; then
+	    # deplib doesn't seem to be a libtool library
+	    if test "$linkmode,$pass" = "prog,link"; then
+	      compile_deplibs="$deplib $compile_deplibs"
+	      finalize_deplibs="$deplib $finalize_deplibs"
+	    else
+	      deplibs="$deplib $deplibs"
+	      test "$linkmode" = lib && newdependency_libs="$deplib $newdependency_libs"
+	    fi
+	    continue
+	  else # deplib is a libtool library
+	    # If $allow_libtool_libs_with_static_runtimes && $deplib is a stdlib,
+	    # We need to do some special things here, and not later.
+	    if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then
+	      case " $predeps $postdeps " in
+	      *" $deplib "*)
+		if (${SED} -e '2q' $lib |
+                    grep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then
+		  library_names=
+		  old_library=
+		  case $lib in
+		  */* | *\\*) . $lib ;;
+		  *) . ./$lib ;;
+		  esac
+		  for l in $old_library $library_names; do
+		    ll="$l"
+		  done
+		  if test "X$ll" = "X$old_library" ; then # only static version available
+		    found=no
+		    ladir=`$echo "X$lib" | $Xsed -e 's%/[^/]*$%%'`
+		    test "X$ladir" = "X$lib" && ladir="."
+		    lib=$ladir/$old_library
+		    if test "$linkmode,$pass" = "prog,link"; then
+		      compile_deplibs="$deplib $compile_deplibs"
+		      finalize_deplibs="$deplib $finalize_deplibs"
+		    else
+		      deplibs="$deplib $deplibs"
+		      test "$linkmode" = lib && newdependency_libs="$deplib $newdependency_libs"
+		    fi
+		    continue
+		  fi
+		fi
+	        ;;
+	      *) ;;
+	      esac
+	    fi
+	  fi
+	  ;; # -l
+	-L*)
+	  case $linkmode in
+	  lib)
+	    deplibs="$deplib $deplibs"
+	    test "$pass" = conv && continue
+	    newdependency_libs="$deplib $newdependency_libs"
+	    newlib_search_path="$newlib_search_path "`$echo "X$deplib" | $Xsed -e 's/^-L//'`
+	    ;;
+	  prog)
+	    if test "$pass" = conv; then
+	      deplibs="$deplib $deplibs"
+	      continue
+	    fi
+	    if test "$pass" = scan; then
+	      deplibs="$deplib $deplibs"
+	    else
+	      compile_deplibs="$deplib $compile_deplibs"
+	      finalize_deplibs="$deplib $finalize_deplibs"
+	    fi
+	    newlib_search_path="$newlib_search_path "`$echo "X$deplib" | $Xsed -e 's/^-L//'`
+	    ;;
+	  *)
+	    $echo "$modename: warning: \`-L' is ignored for archives/objects" 1>&2
+	    ;;
+	  esac # linkmode
+	  continue
+	  ;; # -L
+	-R*)
+	  if test "$pass" = link; then
+	    dir=`$echo "X$deplib" | $Xsed -e 's/^-R//'`
+	    # Make sure the xrpath contains only unique directories.
+	    case "$xrpath " in
+	    *" $dir "*) ;;
+	    *) xrpath="$xrpath $dir" ;;
+	    esac
+	  fi
+	  deplibs="$deplib $deplibs"
+	  continue
+	  ;;
+	*.la) lib="$deplib" ;;
+	*.$libext)
+	  if test "$pass" = conv; then
+	    deplibs="$deplib $deplibs"
+	    continue
+	  fi
+	  case $linkmode in
+	  lib)
+	    valid_a_lib=no
+	    case $deplibs_check_method in
+	      match_pattern*)
+		set dummy $deplibs_check_method
+	        match_pattern_regex=`expr "$deplibs_check_method" : "$2 \(.*\)"`
+		if eval $echo \"$deplib\" 2>/dev/null \
+		    | $SED 10q \
+		    | $EGREP "$match_pattern_regex" > /dev/null; then
+		  valid_a_lib=yes
+		fi
+		;;
+	      pass_all)
+		valid_a_lib=yes
+		;;
+            esac
+	    if test "$valid_a_lib" != yes; then
+	      $echo
+	      $echo "*** Warning: Trying to link with static lib archive $deplib."
+	      $echo "*** I have the capability to make that library automatically link in when"
+	      $echo "*** you link to this library.  But I can only do this if you have a"
+	      $echo "*** shared version of the library, which you do not appear to have"
+	      $echo "*** because the file extensions .$libext of this argument makes me believe"
+	      $echo "*** that it is just a static archive that I should not used here."
+	    else
+	      $echo
+	      $echo "*** Warning: Linking the shared library $output against the"
+	      $echo "*** static library $deplib is not portable!"
+	      deplibs="$deplib $deplibs"
+	    fi
+	    continue
+	    ;;
+	  prog)
+	    if test "$pass" != link; then
+	      deplibs="$deplib $deplibs"
+	    else
+	      compile_deplibs="$deplib $compile_deplibs"
+	      finalize_deplibs="$deplib $finalize_deplibs"
+	    fi
+	    continue
+	    ;;
+	  esac # linkmode
+	  ;; # *.$libext
+	*.lo | *.$objext)
+	  if test "$pass" = conv; then
+	    deplibs="$deplib $deplibs"
+	  elif test "$linkmode" = prog; then
+	    if test "$pass" = dlpreopen || test "$dlopen_support" != yes || test "$build_libtool_libs" = no; then
+	      # If there is no dlopen support or we're linking statically,
+	      # we need to preload.
+	      newdlprefiles="$newdlprefiles $deplib"
+	      compile_deplibs="$deplib $compile_deplibs"
+	      finalize_deplibs="$deplib $finalize_deplibs"
+	    else
+	      newdlfiles="$newdlfiles $deplib"
+	    fi
+	  fi
+	  continue
+	  ;;
+	%DEPLIBS%)
+	  alldeplibs=yes
+	  continue
+	  ;;
+	esac # case $deplib
+	if test "$found" = yes || test -f "$lib"; then :
+	else
+	  $echo "$modename: cannot find the library \`$lib' or unhandled argument \`$deplib'" 1>&2
+	  exit $EXIT_FAILURE
+	fi
+
+	# Check to see that this really is a libtool archive.
+	if (${SED} -e '2q' $lib | grep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then :
+	else
+	  $echo "$modename: \`$lib' is not a valid libtool archive" 1>&2
+	  exit $EXIT_FAILURE
+	fi
+
+	ladir=`$echo "X$lib" | $Xsed -e 's%/[^/]*$%%'`
+	test "X$ladir" = "X$lib" && ladir="."
+
+	dlname=
+	dlopen=
+	dlpreopen=
+	libdir=
+	library_names=
+	old_library=
+	# If the library was installed with an old release of libtool,
+	# it will not redefine variables installed, or shouldnotlink
+	installed=yes
+	shouldnotlink=no
+	avoidtemprpath=
+
+
+	# Read the .la file
+	case $lib in
+	*/* | *\\*) . $lib ;;
+	*) . ./$lib ;;
+	esac
+
+	if test "$linkmode,$pass" = "lib,link" ||
+	   test "$linkmode,$pass" = "prog,scan" ||
+	   { test "$linkmode" != prog && test "$linkmode" != lib; }; then
+	  test -n "$dlopen" && dlfiles="$dlfiles $dlopen"
+	  test -n "$dlpreopen" && dlprefiles="$dlprefiles $dlpreopen"
+	fi
+
+	if test "$pass" = conv; then
+	  # Only check for convenience libraries
+	  deplibs="$lib $deplibs"
+	  if test -z "$libdir"; then
+	    if test -z "$old_library"; then
+	      $echo "$modename: cannot find name of link library for \`$lib'" 1>&2
+	      exit $EXIT_FAILURE
+	    fi
+	    # It is a libtool convenience library, so add in its objects.
+	    convenience="$convenience $ladir/$objdir/$old_library"
+	    old_convenience="$old_convenience $ladir/$objdir/$old_library"
+	    tmp_libs=
+	    for deplib in $dependency_libs; do
+	      deplibs="$deplib $deplibs"
+              if test "X$duplicate_deps" = "Xyes" ; then
+	        case "$tmp_libs " in
+	        *" $deplib "*) specialdeplibs="$specialdeplibs $deplib" ;;
+	        esac
+              fi
+	      tmp_libs="$tmp_libs $deplib"
+	    done
+	  elif test "$linkmode" != prog && test "$linkmode" != lib; then
+	    $echo "$modename: \`$lib' is not a convenience library" 1>&2
+	    exit $EXIT_FAILURE
+	  fi
+	  continue
+	fi # $pass = conv
+
+
+	# Get the name of the library we link against.
+	linklib=
+	for l in $old_library $library_names; do
+	  linklib="$l"
+	done
+	if test -z "$linklib"; then
+	  $echo "$modename: cannot find name of link library for \`$lib'" 1>&2
+	  exit $EXIT_FAILURE
+	fi
+
+	# This library was specified with -dlopen.
+	if test "$pass" = dlopen; then
+	  if test -z "$libdir"; then
+	    $echo "$modename: cannot -dlopen a convenience library: \`$lib'" 1>&2
+	    exit $EXIT_FAILURE
+	  fi
+	  if test -z "$dlname" ||
+	     test "$dlopen_support" != yes ||
+	     test "$build_libtool_libs" = no; then
+	    # If there is no dlname, no dlopen support or we're linking
+	    # statically, we need to preload.  We also need to preload any
+	    # dependent libraries so libltdl's deplib preloader doesn't
+	    # bomb out in the load deplibs phase.
+	    dlprefiles="$dlprefiles $lib $dependency_libs"
+	  else
+	    newdlfiles="$newdlfiles $lib"
+	  fi
+	  continue
+	fi # $pass = dlopen
+
+	# We need an absolute path.
+	case $ladir in
+	[\\/]* | [A-Za-z]:[\\/]*) abs_ladir="$ladir" ;;
+	*)
+	  abs_ladir=`cd "$ladir" && pwd`
+	  if test -z "$abs_ladir"; then
+	    $echo "$modename: warning: cannot determine absolute directory name of \`$ladir'" 1>&2
+	    $echo "$modename: passing it literally to the linker, although it might fail" 1>&2
+	    abs_ladir="$ladir"
+	  fi
+	  ;;
+	esac
+	laname=`$echo "X$lib" | $Xsed -e 's%^.*/%%'`
+
+	# Find the relevant object directory and library name.
+	if test "X$installed" = Xyes; then
+	  if test ! -f "$libdir/$linklib" && test -f "$abs_ladir/$linklib"; then
+	    $echo "$modename: warning: library \`$lib' was moved." 1>&2
+	    dir="$ladir"
+	    absdir="$abs_ladir"
+	    libdir="$abs_ladir"
+	  else
+	    dir="$libdir"
+	    absdir="$libdir"
+	  fi
+	  test "X$hardcode_automatic" = Xyes && avoidtemprpath=yes
+	else
+	  if test ! -f "$ladir/$objdir/$linklib" && test -f "$abs_ladir/$linklib"; then
+	    dir="$ladir"
+	    absdir="$abs_ladir"
+	    # Remove this search path later
+	    notinst_path="$notinst_path $abs_ladir"
+	  else
+	    dir="$ladir/$objdir"
+	    absdir="$abs_ladir/$objdir"
+	    # Remove this search path later
+	    notinst_path="$notinst_path $abs_ladir"
+	  fi
+	fi # $installed = yes
+	name=`$echo "X$laname" | $Xsed -e 's/\.la$//' -e 's/^lib//'`
+
+	# This library was specified with -dlpreopen.
+	if test "$pass" = dlpreopen; then
+	  if test -z "$libdir"; then
+	    $echo "$modename: cannot -dlpreopen a convenience library: \`$lib'" 1>&2
+	    exit $EXIT_FAILURE
+	  fi
+	  # Prefer using a static library (so that no silly _DYNAMIC symbols
+	  # are required to link).
+	  if test -n "$old_library"; then
+	    newdlprefiles="$newdlprefiles $dir/$old_library"
+	  # Otherwise, use the dlname, so that lt_dlopen finds it.
+	  elif test -n "$dlname"; then
+	    newdlprefiles="$newdlprefiles $dir/$dlname"
+	  else
+	    newdlprefiles="$newdlprefiles $dir/$linklib"
+	  fi
+	fi # $pass = dlpreopen
+
+	if test -z "$libdir"; then
+	  # Link the convenience library
+	  if test "$linkmode" = lib; then
+	    deplibs="$dir/$old_library $deplibs"
+	  elif test "$linkmode,$pass" = "prog,link"; then
+	    compile_deplibs="$dir/$old_library $compile_deplibs"
+	    finalize_deplibs="$dir/$old_library $finalize_deplibs"
+	  else
+	    deplibs="$lib $deplibs" # used for prog,scan pass
+	  fi
+	  continue
+	fi
+
+
+	if test "$linkmode" = prog && test "$pass" != link; then
+	  newlib_search_path="$newlib_search_path $ladir"
+	  deplibs="$lib $deplibs"
+
+	  linkalldeplibs=no
+	  if test "$link_all_deplibs" != no || test -z "$library_names" ||
+	     test "$build_libtool_libs" = no; then
+	    linkalldeplibs=yes
+	  fi
+
+	  tmp_libs=
+	  for deplib in $dependency_libs; do
+	    case $deplib in
+	    -L*) newlib_search_path="$newlib_search_path "`$echo "X$deplib" | $Xsed -e 's/^-L//'`;; ### testsuite: skip nested quoting test
+	    esac
+	    # Need to link against all dependency_libs?
+	    if test "$linkalldeplibs" = yes; then
+	      deplibs="$deplib $deplibs"
+	    else
+	      # Need to hardcode shared library paths
+	      # or/and link against static libraries
+	      newdependency_libs="$deplib $newdependency_libs"
+	    fi
+	    if test "X$duplicate_deps" = "Xyes" ; then
+	      case "$tmp_libs " in
+	      *" $deplib "*) specialdeplibs="$specialdeplibs $deplib" ;;
+	      esac
+	    fi
+	    tmp_libs="$tmp_libs $deplib"
+	  done # for deplib
+	  continue
+	fi # $linkmode = prog...
+
+	if test "$linkmode,$pass" = "prog,link"; then
+	  if test -n "$library_names" &&
+	     { { test "$prefer_static_libs" = no ||
+		 test "$prefer_static_libs,$installed" = "built,yes"; } ||
+	       test -z "$old_library"; }; then
+	    # We need to hardcode the library path
+	    if test -n "$shlibpath_var" && test -z "$avoidtemprpath" ; then
+	      # Make sure the rpath contains only unique directories.
+	      case "$temp_rpath " in
+	      *" $dir "*) ;;
+	      *" $absdir "*) ;;
+	      *) temp_rpath="$temp_rpath $absdir" ;;
+	      esac
+	    fi
+
+	    # Hardcode the library path.
+	    # Skip directories that are in the system default run-time
+	    # search path.
+	    case " $sys_lib_dlsearch_path " in
+	    *" $absdir "*) ;;
+	    *)
+	      case "$compile_rpath " in
+	      *" $absdir "*) ;;
+	      *) compile_rpath="$compile_rpath $absdir"
+	      esac
+	      ;;
+	    esac
+	    case " $sys_lib_dlsearch_path " in
+	    *" $libdir "*) ;;
+	    *)
+	      case "$finalize_rpath " in
+	      *" $libdir "*) ;;
+	      *) finalize_rpath="$finalize_rpath $libdir"
+	      esac
+	      ;;
+	    esac
+	  fi # $linkmode,$pass = prog,link...
+
+	  if test "$alldeplibs" = yes &&
+	     { test "$deplibs_check_method" = pass_all ||
+	       { test "$build_libtool_libs" = yes &&
+		 test -n "$library_names"; }; }; then
+	    # We only need to search for static libraries
+	    continue
+	  fi
+	fi
+
+	link_static=no # Whether the deplib will be linked statically
+	use_static_libs=$prefer_static_libs
+	if test "$use_static_libs" = built && test "$installed" = yes ; then
+	  use_static_libs=no
+	fi
+	if test -n "$library_names" &&
+	   { test "$use_static_libs" = no || test -z "$old_library"; }; then
+	  if test "$installed" = no; then
+	    notinst_deplibs="$notinst_deplibs $lib"
+	    need_relink=yes
+	  fi
+	  # This is a shared library
+
+	  # Warn about portability, can't link against -module's on
+	  # some systems (darwin)
+	  if test "$shouldnotlink" = yes && test "$pass" = link ; then
+	    $echo
+	    if test "$linkmode" = prog; then
+	      $echo "*** Warning: Linking the executable $output against the loadable module"
+	    else
+	      $echo "*** Warning: Linking the shared library $output against the loadable module"
+	    fi
+	    $echo "*** $linklib is not portable!"
+	  fi
+	  if test "$linkmode" = lib &&
+	     test "$hardcode_into_libs" = yes; then
+	    # Hardcode the library path.
+	    # Skip directories that are in the system default run-time
+	    # search path.
+	    case " $sys_lib_dlsearch_path " in
+	    *" $absdir "*) ;;
+	    *)
+	      case "$compile_rpath " in
+	      *" $absdir "*) ;;
+	      *) compile_rpath="$compile_rpath $absdir"
+	      esac
+	      ;;
+	    esac
+	    case " $sys_lib_dlsearch_path " in
+	    *" $libdir "*) ;;
+	    *)
+	      case "$finalize_rpath " in
+	      *" $libdir "*) ;;
+	      *) finalize_rpath="$finalize_rpath $libdir"
+	      esac
+	      ;;
+	    esac
+	  fi
+
+	  if test -n "$old_archive_from_expsyms_cmds"; then
+	    # figure out the soname
+	    set dummy $library_names
+	    realname="$2"
+	    shift; shift
+	    libname=`eval \\$echo \"$libname_spec\"`
+	    # use dlname if we got it. it's perfectly good, no?
+	    if test -n "$dlname"; then
+	      soname="$dlname"
+	    elif test -n "$soname_spec"; then
+	      # bleh windows
+	      case $host in
+	      *cygwin* | mingw*)
+		major=`expr $current - $age`
+		versuffix="-$major"
+		;;
+	      esac
+	      eval soname=\"$soname_spec\"
+	    else
+	      soname="$realname"
+	    fi
+
+	    # Make a new name for the extract_expsyms_cmds to use
+	    soroot="$soname"
+	    soname=`$echo $soroot | ${SED} -e 's/^.*\///'`
+	    newlib="libimp-`$echo $soname | ${SED} 's/^lib//;s/\.dll$//'`.a"
+
+	    # If the library has no export list, then create one now
+	    if test -f "$output_objdir/$soname-def"; then :
+	    else
+	      $show "extracting exported symbol list from \`$soname'"
+	      save_ifs="$IFS"; IFS='~'
+	      cmds=$extract_expsyms_cmds
+	      for cmd in $cmds; do
+		IFS="$save_ifs"
+		eval cmd=\"$cmd\"
+		$show "$cmd"
+		$run eval "$cmd" || exit $?
+	      done
+	      IFS="$save_ifs"
+	    fi
+
+	    # Create $newlib
+	    if test -f "$output_objdir/$newlib"; then :; else
+	      $show "generating import library for \`$soname'"
+	      save_ifs="$IFS"; IFS='~'
+	      cmds=$old_archive_from_expsyms_cmds
+	      for cmd in $cmds; do
+		IFS="$save_ifs"
+		eval cmd=\"$cmd\"
+		$show "$cmd"
+		$run eval "$cmd" || exit $?
+	      done
+	      IFS="$save_ifs"
+	    fi
+	    # make sure the library variables are pointing to the new library
+	    dir=$output_objdir
+	    linklib=$newlib
+	  fi # test -n "$old_archive_from_expsyms_cmds"
+
+	  if test "$linkmode" = prog || test "$mode" != relink; then
+	    add_shlibpath=
+	    add_dir=
+	    add=
+	    lib_linked=yes
+	    case $hardcode_action in
+	    immediate | unsupported)
+	      if test "$hardcode_direct" = no; then
+		add="$dir/$linklib"
+		case $host in
+		  *-*-sco3.2v5.0.[024]*) add_dir="-L$dir" ;;
+		  *-*-sysv4*uw2*) add_dir="-L$dir" ;;
+		  *-*-sysv5OpenUNIX* | *-*-sysv5UnixWare7.[01].[10]* | \
+		    *-*-unixware7*) add_dir="-L$dir" ;;
+		  *-*-darwin* )
+		    # if the lib is a module then we can not link against
+		    # it, someone is ignoring the new warnings I added
+		    if /usr/bin/file -L $add 2> /dev/null |
+                      $EGREP ": [^:]* bundle" >/dev/null ; then
+		      $echo "** Warning, lib $linklib is a module, not a shared library"
+		      if test -z "$old_library" ; then
+		        $echo
+		        $echo "** And there doesn't seem to be a static archive available"
+		        $echo "** The link will probably fail, sorry"
+		      else
+		        add="$dir/$old_library"
+		      fi
+		    fi
+		esac
+	      elif test "$hardcode_minus_L" = no; then
+		case $host in
+		*-*-sunos*) add_shlibpath="$dir" ;;
+		esac
+		add_dir="-L$dir"
+		add="-l$name"
+	      elif test "$hardcode_shlibpath_var" = no; then
+		add_shlibpath="$dir"
+		add="-l$name"
+	      else
+		lib_linked=no
+	      fi
+	      ;;
+	    relink)
+	      if test "$hardcode_direct" = yes; then
+		add="$dir/$linklib"
+	      elif test "$hardcode_minus_L" = yes; then
+		add_dir="-L$dir"
+		# Try looking first in the location we're being installed to.
+		if test -n "$inst_prefix_dir"; then
+		  case $libdir in
+		    [\\/]*)
+		      add_dir="$add_dir -L$inst_prefix_dir$libdir"
+		      ;;
+		  esac
+		fi
+		add="-l$name"
+	      elif test "$hardcode_shlibpath_var" = yes; then
+		add_shlibpath="$dir"
+		add="-l$name"
+	      else
+		lib_linked=no
+	      fi
+	      ;;
+	    *) lib_linked=no ;;
+	    esac
+
+	    if test "$lib_linked" != yes; then
+	      $echo "$modename: configuration error: unsupported hardcode properties"
+	      exit $EXIT_FAILURE
+	    fi
+
+	    if test -n "$add_shlibpath"; then
+	      case :$compile_shlibpath: in
+	      *":$add_shlibpath:"*) ;;
+	      *) compile_shlibpath="$compile_shlibpath$add_shlibpath:" ;;
+	      esac
+	    fi
+	    if test "$linkmode" = prog; then
+	      test -n "$add_dir" && compile_deplibs="$add_dir $compile_deplibs"
+	      test -n "$add" && compile_deplibs="$add $compile_deplibs"
+	    else
+	      test -n "$add_dir" && deplibs="$add_dir $deplibs"
+	      test -n "$add" && deplibs="$add $deplibs"
+	      if test "$hardcode_direct" != yes && \
+		 test "$hardcode_minus_L" != yes && \
+		 test "$hardcode_shlibpath_var" = yes; then
+		case :$finalize_shlibpath: in
+		*":$libdir:"*) ;;
+		*) finalize_shlibpath="$finalize_shlibpath$libdir:" ;;
+		esac
+	      fi
+	    fi
+	  fi
+
+	  if test "$linkmode" = prog || test "$mode" = relink; then
+	    add_shlibpath=
+	    add_dir=
+	    add=
+	    # Finalize command for both is simple: just hardcode it.
+	    if test "$hardcode_direct" = yes; then
+	      add="$libdir/$linklib"
+	    elif test "$hardcode_minus_L" = yes; then
+	      add_dir="-L$libdir"
+	      add="-l$name"
+	    elif test "$hardcode_shlibpath_var" = yes; then
+	      case :$finalize_shlibpath: in
+	      *":$libdir:"*) ;;
+	      *) finalize_shlibpath="$finalize_shlibpath$libdir:" ;;
+	      esac
+	      add="-l$name"
+	    elif test "$hardcode_automatic" = yes; then
+	      if test -n "$inst_prefix_dir" &&
+		 test -f "$inst_prefix_dir$libdir/$linklib" ; then
+	        add="$inst_prefix_dir$libdir/$linklib"
+	      else
+	        add="$libdir/$linklib"
+	      fi
+	    else
+	      # We cannot seem to hardcode it, guess we'll fake it.
+	      add_dir="-L$libdir"
+	      # Try looking first in the location we're being installed to.
+	      if test -n "$inst_prefix_dir"; then
+		case $libdir in
+		  [\\/]*)
+		    add_dir="$add_dir -L$inst_prefix_dir$libdir"
+		    ;;
+		esac
+	      fi
+	      add="-l$name"
+	    fi
+
+	    if test "$linkmode" = prog; then
+	      test -n "$add_dir" && finalize_deplibs="$add_dir $finalize_deplibs"
+	      test -n "$add" && finalize_deplibs="$add $finalize_deplibs"
+	    else
+	      test -n "$add_dir" && deplibs="$add_dir $deplibs"
+	      test -n "$add" && deplibs="$add $deplibs"
+	    fi
+	  fi
+	elif test "$linkmode" = prog; then
+	  # Here we assume that one of hardcode_direct or hardcode_minus_L
+	  # is not unsupported.  This is valid on all known static and
+	  # shared platforms.
+	  if test "$hardcode_direct" != unsupported; then
+	    test -n "$old_library" && linklib="$old_library"
+	    compile_deplibs="$dir/$linklib $compile_deplibs"
+	    finalize_deplibs="$dir/$linklib $finalize_deplibs"
+	  else
+	    compile_deplibs="-l$name -L$dir $compile_deplibs"
+	    finalize_deplibs="-l$name -L$dir $finalize_deplibs"
+	  fi
+	elif test "$build_libtool_libs" = yes; then
+	  # Not a shared library
+	  if test "$deplibs_check_method" != pass_all; then
+	    # We're trying link a shared library against a static one
+	    # but the system doesn't support it.
+
+	    # Just print a warning and add the library to dependency_libs so
+	    # that the program can be linked against the static library.
+	    $echo
+	    $echo "*** Warning: This system can not link to static lib archive $lib."
+	    $echo "*** I have the capability to make that library automatically link in when"
+	    $echo "*** you link to this library.  But I can only do this if you have a"
+	    $echo "*** shared version of the library, which you do not appear to have."
+	    if test "$module" = yes; then
+	      $echo "*** But as you try to build a module library, libtool will still create "
+	      $echo "*** a static module, that should work as long as the dlopening application"
+	      $echo "*** is linked with the -dlopen flag to resolve symbols at runtime."
+	      if test -z "$global_symbol_pipe"; then
+		$echo
+		$echo "*** However, this would only work if libtool was able to extract symbol"
+		$echo "*** lists from a program, using \`nm' or equivalent, but libtool could"
+		$echo "*** not find such a program.  So, this module is probably useless."
+		$echo "*** \`nm' from GNU binutils and a full rebuild may help."
+	      fi
+	      if test "$build_old_libs" = no; then
+		build_libtool_libs=module
+		build_old_libs=yes
+	      else
+		build_libtool_libs=no
+	      fi
+	    fi
+	  else
+	    deplibs="$dir/$old_library $deplibs"
+	    link_static=yes
+	  fi
+	fi # link shared/static library?
+
+	if test "$linkmode" = lib; then
+	  if test -n "$dependency_libs" &&
+	     { test "$hardcode_into_libs" != yes ||
+	       test "$build_old_libs" = yes ||
+	       test "$link_static" = yes; }; then
+	    # Extract -R from dependency_libs
+	    temp_deplibs=
+	    for libdir in $dependency_libs; do
+	      case $libdir in
+	      -R*) temp_xrpath=`$echo "X$libdir" | $Xsed -e 's/^-R//'`
+		   case " $xrpath " in
+		   *" $temp_xrpath "*) ;;
+		   *) xrpath="$xrpath $temp_xrpath";;
+		   esac;;
+	      *) temp_deplibs="$temp_deplibs $libdir";;
+	      esac
+	    done
+	    dependency_libs="$temp_deplibs"
+	  fi
+
+	  newlib_search_path="$newlib_search_path $absdir"
+	  # Link against this library
+	  test "$link_static" = no && newdependency_libs="$abs_ladir/$laname $newdependency_libs"
+	  # ... and its dependency_libs
+	  tmp_libs=
+	  for deplib in $dependency_libs; do
+	    newdependency_libs="$deplib $newdependency_libs"
+	    if test "X$duplicate_deps" = "Xyes" ; then
+	      case "$tmp_libs " in
+	      *" $deplib "*) specialdeplibs="$specialdeplibs $deplib" ;;
+	      esac
+	    fi
+	    tmp_libs="$tmp_libs $deplib"
+	  done
+
+	  if test "$link_all_deplibs" != no; then
+	    # Add the search paths of all dependency libraries
+	    for deplib in $dependency_libs; do
+	      case $deplib in
+	      -L*) path="$deplib" ;;
+	      *.la)
+		dir=`$echo "X$deplib" | $Xsed -e 's%/[^/]*$%%'`
+		test "X$dir" = "X$deplib" && dir="."
+		# We need an absolute path.
+		case $dir in
+		[\\/]* | [A-Za-z]:[\\/]*) absdir="$dir" ;;
+		*)
+		  absdir=`cd "$dir" && pwd`
+		  if test -z "$absdir"; then
+		    $echo "$modename: warning: cannot determine absolute directory name of \`$dir'" 1>&2
+		    absdir="$dir"
+		  fi
+		  ;;
+		esac
+		if grep "^installed=no" $deplib > /dev/null; then
+		  path="$absdir/$objdir"
+		else
+		  eval libdir=`${SED} -n -e 's/^libdir=\(.*\)$/\1/p' $deplib`
+		  if test -z "$libdir"; then
+		    $echo "$modename: \`$deplib' is not a valid libtool archive" 1>&2
+		    exit $EXIT_FAILURE
+		  fi
+		  if test "$absdir" != "$libdir"; then
+		    $echo "$modename: warning: \`$deplib' seems to be moved" 1>&2
+		  fi
+		  path="$absdir"
+		fi
+		depdepl=
+		case $host in
+		*-*-darwin*)
+		  # we do not want to link against static libs,
+		  # but need to link against shared
+		  eval deplibrary_names=`${SED} -n -e 's/^library_names=\(.*\)$/\1/p' $deplib`
+		  eval deplibdir=`${SED} -n -e 's/^libdir=\(.*\)$/\1/p' $deplib`
+		  if test -n "$deplibrary_names" ; then
+		    for tmp in $deplibrary_names ; do
+		      depdepl=$tmp
+		    done
+		    if test -f "$deplibdir/$depdepl" ; then
+		      depdepl="$deplibdir/$depdepl"
+	      	    elif test -f "$path/$depdepl" ; then
+		      depdepl="$path/$depdepl"
+		    else
+		      # Can't find it, oh well...
+		      depdepl=
+		    fi
+		    # do not add paths which are already there
+		    case " $newlib_search_path " in
+		    *" $path "*) ;;
+		    *) newlib_search_path="$newlib_search_path $path";;
+		    esac
+		  fi
+		  path=""
+		  ;;
+		*)
+		  path="-L$path"
+		  ;;
+		esac
+		;;
+	      -l*)
+		case $host in
+		*-*-darwin*)
+		  # Again, we only want to link against shared libraries
+		  eval tmp_libs=`$echo "X$deplib" | $Xsed -e "s,^\-l,,"`
+		  for tmp in $newlib_search_path ; do
+		    if test -f "$tmp/lib$tmp_libs.dylib" ; then
+		      eval depdepl="$tmp/lib$tmp_libs.dylib"
+		      break
+		    fi
+		  done
+		  path=""
+		  ;;
+		*) continue ;;
+		esac
+		;;
+	      *) continue ;;
+	      esac
+	      case " $deplibs " in
+	      *" $path "*) ;;
+	      *) deplibs="$path $deplibs" ;;
+	      esac
+	      case " $deplibs " in
+	      *" $depdepl "*) ;;
+	      *) deplibs="$depdepl $deplibs" ;;
+	      esac
+	    done
+	  fi # link_all_deplibs != no
+	fi # linkmode = lib
+      done # for deplib in $libs
+      dependency_libs="$newdependency_libs"
+      if test "$pass" = dlpreopen; then
+	# Link the dlpreopened libraries before other libraries
+	for deplib in $save_deplibs; do
+	  deplibs="$deplib $deplibs"
+	done
+      fi
+      if test "$pass" != dlopen; then
+	if test "$pass" != conv; then
+	  # Make sure lib_search_path contains only unique directories.
+	  lib_search_path=
+	  for dir in $newlib_search_path; do
+	    case "$lib_search_path " in
+	    *" $dir "*) ;;
+	    *) lib_search_path="$lib_search_path $dir" ;;
+	    esac
+	  done
+	  newlib_search_path=
+	fi
+
+	if test "$linkmode,$pass" != "prog,link"; then
+	  vars="deplibs"
+	else
+	  vars="compile_deplibs finalize_deplibs"
+	fi
+	for var in $vars dependency_libs; do
+	  # Add libraries to $var in reverse order
+	  eval tmp_libs=\"\$$var\"
+	  new_libs=
+	  for deplib in $tmp_libs; do
+	    # FIXME: Pedantically, this is the right thing to do, so
+	    #        that some nasty dependency loop isn't accidentally
+	    #        broken:
+	    #new_libs="$deplib $new_libs"
+	    # Pragmatically, this seems to cause very few problems in
+	    # practice:
+	    case $deplib in
+	    -L*) new_libs="$deplib $new_libs" ;;
+	    -R*) ;;
+	    *)
+	      # And here is the reason: when a library appears more
+	      # than once as an explicit dependence of a library, or
+	      # is implicitly linked in more than once by the
+	      # compiler, it is considered special, and multiple
+	      # occurrences thereof are not removed.  Compare this
+	      # with having the same library being listed as a
+	      # dependency of multiple other libraries: in this case,
+	      # we know (pedantically, we assume) the library does not
+	      # need to be listed more than once, so we keep only the
+	      # last copy.  This is not always right, but it is rare
+	      # enough that we require users that really mean to play
+	      # such unportable linking tricks to link the library
+	      # using -Wl,-lname, so that libtool does not consider it
+	      # for duplicate removal.
+	      case " $specialdeplibs " in
+	      *" $deplib "*) new_libs="$deplib $new_libs" ;;
+	      *)
+		case " $new_libs " in
+		*" $deplib "*) ;;
+		*) new_libs="$deplib $new_libs" ;;
+		esac
+		;;
+	      esac
+	      ;;
+	    esac
+	  done
+	  tmp_libs=
+	  for deplib in $new_libs; do
+	    case $deplib in
+	    -L*)
+	      case " $tmp_libs " in
+	      *" $deplib "*) ;;
+	      *) tmp_libs="$tmp_libs $deplib" ;;
+	      esac
+	      ;;
+	    *) tmp_libs="$tmp_libs $deplib" ;;
+	    esac
+	  done
+	  eval $var=\"$tmp_libs\"
+	done # for var
+      fi
+      # Last step: remove runtime libs from dependency_libs
+      # (they stay in deplibs)
+      tmp_libs=
+      for i in $dependency_libs ; do
+	case " $predeps $postdeps $compiler_lib_search_path " in
+	*" $i "*)
+	  i=""
+	  ;;
+	esac
+	if test -n "$i" ; then
+	  tmp_libs="$tmp_libs $i"
+	fi
+      done
+      dependency_libs=$tmp_libs
+    done # for pass
+    if test "$linkmode" = prog; then
+      dlfiles="$newdlfiles"
+      dlprefiles="$newdlprefiles"
+    fi
+
+    case $linkmode in
+    oldlib)
+      case " $deplibs" in
+      *\ -l* | *\ -L*)
+	$echo "$modename: warning: \`-l' and \`-L' are ignored for archives" 1>&2 ;;
+      esac
+
+      if test -n "$dlfiles$dlprefiles" || test "$dlself" != no; then
+	$echo "$modename: warning: \`-dlopen' is ignored for archives" 1>&2
+      fi
+
+      if test -n "$rpath"; then
+	$echo "$modename: warning: \`-rpath' is ignored for archives" 1>&2
+      fi
+
+      if test -n "$xrpath"; then
+	$echo "$modename: warning: \`-R' is ignored for archives" 1>&2
+      fi
+
+      if test -n "$vinfo"; then
+	$echo "$modename: warning: \`-version-info/-version-number' is ignored for archives" 1>&2
+      fi
+
+      if test -n "$release"; then
+	$echo "$modename: warning: \`-release' is ignored for archives" 1>&2
+      fi
+
+      if test -n "$export_symbols" || test -n "$export_symbols_regex"; then
+	$echo "$modename: warning: \`-export-symbols' is ignored for archives" 1>&2
+      fi
+
+      # Now set the variables for building old libraries.
+      build_libtool_libs=no
+      oldlibs="$output"
+      objs="$objs$old_deplibs"
+      ;;
+
+    lib)
+      # Make sure we only generate libraries of the form `libNAME.la'.
+      case $outputname in
+      lib*)
+	name=`$echo "X$outputname" | $Xsed -e 's/\.la$//' -e 's/^lib//'`
+	eval shared_ext=\"$shrext_cmds\"
+	eval libname=\"$libname_spec\"
+	;;
+      *)
+	if test "$module" = no; then
+	  $echo "$modename: libtool library \`$output' must begin with \`lib'" 1>&2
+	  $echo "$help" 1>&2
+	  exit $EXIT_FAILURE
+	fi
+	if test "$need_lib_prefix" != no; then
+	  # Add the "lib" prefix for modules if required
+	  name=`$echo "X$outputname" | $Xsed -e 's/\.la$//'`
+	  eval shared_ext=\"$shrext_cmds\"
+	  eval libname=\"$libname_spec\"
+	else
+	  libname=`$echo "X$outputname" | $Xsed -e 's/\.la$//'`
+	fi
+	;;
+      esac
+
+      if test -n "$objs"; then
+	if test "$deplibs_check_method" != pass_all; then
+	  $echo "$modename: cannot build libtool library \`$output' from non-libtool objects on this host:$objs" 2>&1
+	  exit $EXIT_FAILURE
+	else
+	  $echo
+	  $echo "*** Warning: Linking the shared library $output against the non-libtool"
+	  $echo "*** objects $objs is not portable!"
+	  libobjs="$libobjs $objs"
+	fi
+      fi
+
+      if test "$dlself" != no; then
+	$echo "$modename: warning: \`-dlopen self' is ignored for libtool libraries" 1>&2
+      fi
+
+      set dummy $rpath
+      if test "$#" -gt 2; then
+	$echo "$modename: warning: ignoring multiple \`-rpath's for a libtool library" 1>&2
+      fi
+      install_libdir="$2"
+
+      oldlibs=
+      if test -z "$rpath"; then
+	if test "$build_libtool_libs" = yes; then
+	  # Building a libtool convenience library.
+	  # Some compilers have problems with a `.al' extension so
+	  # convenience libraries should have the same extension an
+	  # archive normally would.
+	  oldlibs="$output_objdir/$libname.$libext $oldlibs"
+	  build_libtool_libs=convenience
+	  build_old_libs=yes
+	fi
+
+	if test -n "$vinfo"; then
+	  $echo "$modename: warning: \`-version-info/-version-number' is ignored for convenience libraries" 1>&2
+	fi
+
+	if test -n "$release"; then
+	  $echo "$modename: warning: \`-release' is ignored for convenience libraries" 1>&2
+	fi
+      else
+
+	# Parse the version information argument.
+	save_ifs="$IFS"; IFS=':'
+	set dummy $vinfo 0 0 0
+	IFS="$save_ifs"
+
+	if test -n "$8"; then
+	  $echo "$modename: too many parameters to \`-version-info'" 1>&2
+	  $echo "$help" 1>&2
+	  exit $EXIT_FAILURE
+	fi
+
+	# convert absolute version numbers to libtool ages
+	# this retains compatibility with .la files and attempts
+	# to make the code below a bit more comprehensible
+
+	case $vinfo_number in
+	yes)
+	  number_major="$2"
+	  number_minor="$3"
+	  number_revision="$4"
+	  #
+	  # There are really only two kinds -- those that
+	  # use the current revision as the major version
+	  # and those that subtract age and use age as
+	  # a minor version.  But, then there is irix
+	  # which has an extra 1 added just for fun
+	  #
+	  case $version_type in
+	  darwin|linux|osf|windows|none)
+	    current=`expr $number_major + $number_minor`
+	    age="$number_minor"
+	    revision="$number_revision"
+	    ;;
+	  freebsd-aout|freebsd-elf|sunos)
+	    current="$number_major"
+	    revision="$number_minor"
+	    age="0"
+	    ;;
+	  irix|nonstopux)
+	    current=`expr $number_major + $number_minor`
+	    age="$number_minor"
+	    revision="$number_minor"
+	    lt_irix_increment=no
+	    ;;
+	  *)
+	    $echo "$modename: unknown library version type \`$version_type'" 1>&2
+	    $echo "Fatal configuration error.  See the $PACKAGE docs for more information." 1>&2
+	    exit $EXIT_FAILURE
+	    ;;
+	  esac
+	  ;;
+	no)
+	  current="$2"
+	  revision="$3"
+	  age="$4"
+	  ;;
+	esac
+
+	# Check that each of the things are valid numbers.
+	case $current in
+	0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-9][0-9][0-9][0-9]|[1-9][0-9][0-9][0-9][0-9]) ;;
+	*)
+	  $echo "$modename: CURRENT \`$current' must be a nonnegative integer" 1>&2
+	  $echo "$modename: \`$vinfo' is not valid version information" 1>&2
+	  exit $EXIT_FAILURE
+	  ;;
+	esac
+
+	case $revision in
+	0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-9][0-9][0-9][0-9]|[1-9][0-9][0-9][0-9][0-9]) ;;
+	*)
+	  $echo "$modename: REVISION \`$revision' must be a nonnegative integer" 1>&2
+	  $echo "$modename: \`$vinfo' is not valid version information" 1>&2
+	  exit $EXIT_FAILURE
+	  ;;
+	esac
+
+	case $age in
+	0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-9][0-9][0-9][0-9]|[1-9][0-9][0-9][0-9][0-9]) ;;
+	*)
+	  $echo "$modename: AGE \`$age' must be a nonnegative integer" 1>&2
+	  $echo "$modename: \`$vinfo' is not valid version information" 1>&2
+	  exit $EXIT_FAILURE
+	  ;;
+	esac
+
+	if test "$age" -gt "$current"; then
+	  $echo "$modename: AGE \`$age' is greater than the current interface number \`$current'" 1>&2
+	  $echo "$modename: \`$vinfo' is not valid version information" 1>&2
+	  exit $EXIT_FAILURE
+	fi
+
+	# Calculate the version variables.
+	major=
+	versuffix=
+	verstring=
+	case $version_type in
+	none) ;;
+
+	darwin)
+	  # Like Linux, but with the current version available in
+	  # verstring for coding it into the library header
+	  major=.`expr $current - $age`
+	  versuffix="$major.$age.$revision"
+	  # Darwin ld doesn't like 0 for these options...
+	  minor_current=`expr $current + 1`
+	  xlcverstring="${wl}-compatibility_version ${wl}$minor_current ${wl}-current_version ${wl}$minor_current.$revision"
+	  verstring="-compatibility_version $minor_current -current_version $minor_current.$revision"
+	  ;;
+
+	freebsd-aout)
+	  major=".$current"
+	  versuffix=".$current.$revision";
+	  ;;
+
+	freebsd-elf)
+	  major=".$current"
+	  versuffix=".$current";
+	  ;;
+
+	irix | nonstopux)
+	  if test "X$lt_irix_increment" = "Xno"; then
+	    major=`expr $current - $age`
+	  else
+	    major=`expr $current - $age + 1`
+	  fi
+	  case $version_type in
+	    nonstopux) verstring_prefix=nonstopux ;;
+	    *)         verstring_prefix=sgi ;;
+	  esac
+	  verstring="$verstring_prefix$major.$revision"
+
+	  # Add in all the interfaces that we are compatible with.
+	  loop=$revision
+	  while test "$loop" -ne 0; do
+	    iface=`expr $revision - $loop`
+	    loop=`expr $loop - 1`
+	    verstring="$verstring_prefix$major.$iface:$verstring"
+	  done
+
+	  # Before this point, $major must not contain `.'.
+	  major=.$major
+	  versuffix="$major.$revision"
+	  ;;
+
+	linux)
+	  major=.`expr $current - $age`
+	  versuffix="$major.$age.$revision"
+	  ;;
+
+	osf)
+	  major=.`expr $current - $age`
+	  versuffix=".$current.$age.$revision"
+	  verstring="$current.$age.$revision"
+
+	  # Add in all the interfaces that we are compatible with.
+	  loop=$age
+	  while test "$loop" -ne 0; do
+	    iface=`expr $current - $loop`
+	    loop=`expr $loop - 1`
+	    verstring="$verstring:${iface}.0"
+	  done
+
+	  # Make executables depend on our current version.
+	  verstring="$verstring:${current}.0"
+	  ;;
+
+	sunos)
+	  major=".$current"
+	  versuffix=".$current.$revision"
+	  ;;
+
+	windows)
+	  # Use '-' rather than '.', since we only want one
+	  # extension on DOS 8.3 filesystems.
+	  major=`expr $current - $age`
+	  versuffix="-$major"
+	  ;;
+
+	*)
+	  $echo "$modename: unknown library version type \`$version_type'" 1>&2
+	  $echo "Fatal configuration error.  See the $PACKAGE docs for more information." 1>&2
+	  exit $EXIT_FAILURE
+	  ;;
+	esac
+
+	# Clear the version info if we defaulted, and they specified a release.
+	if test -z "$vinfo" && test -n "$release"; then
+	  major=
+	  case $version_type in
+	  darwin)
+	    # we can't check for "0.0" in archive_cmds due to quoting
+	    # problems, so we reset it completely
+	    verstring=
+	    ;;
+	  *)
+	    verstring="0.0"
+	    ;;
+	  esac
+	  if test "$need_version" = no; then
+	    versuffix=
+	  else
+	    versuffix=".0.0"
+	  fi
+	fi
+
+	# Remove version info from name if versioning should be avoided
+	if test "$avoid_version" = yes && test "$need_version" = no; then
+	  major=
+	  versuffix=
+	  verstring=""
+	fi
+
+	# Check to see if the archive will have undefined symbols.
+	if test "$allow_undefined" = yes; then
+	  if test "$allow_undefined_flag" = unsupported; then
+	    $echo "$modename: warning: undefined symbols not allowed in $host shared libraries" 1>&2
+	    build_libtool_libs=no
+	    build_old_libs=yes
+	  fi
+	else
+	  # Don't allow undefined symbols.
+	  allow_undefined_flag="$no_undefined_flag"
+	fi
+      fi
+
+      if test "$mode" != relink; then
+	# Remove our outputs, but don't remove object files since they
+	# may have been created when compiling PIC objects.
+	removelist=
+	tempremovelist=`$echo "$output_objdir/*"`
+	for p in $tempremovelist; do
+	  case $p in
+	    *.$objext)
+	       ;;
+	    $output_objdir/$outputname | $output_objdir/$libname.* | $output_objdir/${libname}${release}.*)
+	       if test "X$precious_files_regex" != "X"; then
+	         if echo $p | $EGREP -e "$precious_files_regex" >/dev/null 2>&1
+	         then
+		   continue
+		 fi
+	       fi
+	       removelist="$removelist $p"
+	       ;;
+	    *) ;;
+	  esac
+	done
+	if test -n "$removelist"; then
+	  $show "${rm}r $removelist"
+	  $run ${rm}r $removelist
+	fi
+      fi
+
+      # Now set the variables for building old libraries.
+      if test "$build_old_libs" = yes && test "$build_libtool_libs" != convenience ; then
+	oldlibs="$oldlibs $output_objdir/$libname.$libext"
+
+	# Transform .lo files to .o files.
+	oldobjs="$objs "`$echo "X$libobjs" | $SP2NL | $Xsed -e '/\.'${libext}'$/d' -e "$lo2o" | $NL2SP`
+      fi
+
+      # Eliminate all temporary directories.
+      #for path in $notinst_path; do
+      #	lib_search_path=`$echo "$lib_search_path " | ${SED} -e "s% $path % %g"`
+      #	deplibs=`$echo "$deplibs " | ${SED} -e "s% -L$path % %g"`
+      #	dependency_libs=`$echo "$dependency_libs " | ${SED} -e "s% -L$path % %g"`
+      #done
+
+      if test -n "$xrpath"; then
+	# If the user specified any rpath flags, then add them.
+	temp_xrpath=
+	for libdir in $xrpath; do
+	  temp_xrpath="$temp_xrpath -R$libdir"
+	  case "$finalize_rpath " in
+	  *" $libdir "*) ;;
+	  *) finalize_rpath="$finalize_rpath $libdir" ;;
+	  esac
+	done
+	if test "$hardcode_into_libs" != yes || test "$build_old_libs" = yes; then
+	  dependency_libs="$temp_xrpath $dependency_libs"
+	fi
+      fi
+
+      # Make sure dlfiles contains only unique files that won't be dlpreopened
+      old_dlfiles="$dlfiles"
+      dlfiles=
+      for lib in $old_dlfiles; do
+	case " $dlprefiles $dlfiles " in
+	*" $lib "*) ;;
+	*) dlfiles="$dlfiles $lib" ;;
+	esac
+      done
+
+      # Make sure dlprefiles contains only unique files
+      old_dlprefiles="$dlprefiles"
+      dlprefiles=
+      for lib in $old_dlprefiles; do
+	case "$dlprefiles " in
+	*" $lib "*) ;;
+	*) dlprefiles="$dlprefiles $lib" ;;
+	esac
+      done
+
+      if test "$build_libtool_libs" = yes; then
+	if test -n "$rpath"; then
+	  case $host in
+	  *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2* | *-*-beos*)
+	    # these systems don't actually have a c library (as such)!
+	    ;;
+	  *-*-rhapsody* | *-*-darwin1.[012])
+	    # Rhapsody C library is in the System framework
+	    deplibs="$deplibs -framework System"
+	    ;;
+	  *-*-netbsd*)
+	    # Don't link with libc until the a.out ld.so is fixed.
+	    ;;
+	  *-*-openbsd* | *-*-freebsd* | *-*-dragonfly*)
+	    # Do not include libc due to us having libc/libc_r.
+	    ;;
+	  *-*-sco3.2v5* | *-*-sco5v6*)
+	    # Causes problems with __ctype
+	    ;;
+	  *-*-sysv4.2uw2* | *-*-sysv5* | *-*-unixware* | *-*-OpenUNIX*)
+	    # Compiler inserts libc in the correct place for threads to work
+	    ;;
+ 	  *)
+	    # Add libc to deplibs on all other systems if necessary.
+	    if test "$build_libtool_need_lc" = "yes"; then
+	      deplibs="$deplibs -lc"
+	    fi
+	    ;;
+	  esac
+	fi
+
+	# Transform deplibs into only deplibs that can be linked in shared.
+	name_save=$name
+	libname_save=$libname
+	release_save=$release
+	versuffix_save=$versuffix
+	major_save=$major
+	# I'm not sure if I'm treating the release correctly.  I think
+	# release should show up in the -l (ie -lgmp5) so we don't want to
+	# add it in twice.  Is that correct?
+	release=""
+	versuffix=""
+	major=""
+	newdeplibs=
+	droppeddeps=no
+	case $deplibs_check_method in
+	pass_all)
+	  # Don't check for shared/static.  Everything works.
+	  # This might be a little naive.  We might want to check
+	  # whether the library exists or not.  But this is on
+	  # osf3 & osf4 and I'm not really sure... Just
+	  # implementing what was already the behavior.
+	  newdeplibs=$deplibs
+	  ;;
+	test_compile)
+	  # This code stresses the "libraries are programs" paradigm to its
+	  # limits. Maybe even breaks it.  We compile a program, linking it
+	  # against the deplibs as a proxy for the library.  Then we can check
+	  # whether they linked in statically or dynamically with ldd.
+	  $rm conftest.c
+	  cat > conftest.c <<EOF
+	  int main() { return 0; }
+EOF
+	  $rm conftest
+	  if $LTCC $LTCFLAGS -o conftest conftest.c $deplibs; then
+	    ldd_output=`ldd conftest`
+	    for i in $deplibs; do
+	      name=`expr $i : '-l\(.*\)'`
+	      # If $name is empty we are operating on a -L argument.
+              if test "$name" != "" && test "$name" != "0"; then
+		if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then
+		  case " $predeps $postdeps " in
+		  *" $i "*)
+		    newdeplibs="$newdeplibs $i"
+		    i=""
+		    ;;
+		  esac
+	        fi
+		if test -n "$i" ; then
+		  libname=`eval \\$echo \"$libname_spec\"`
+		  deplib_matches=`eval \\$echo \"$library_names_spec\"`
+		  set dummy $deplib_matches
+		  deplib_match=$2
+		  if test `expr "$ldd_output" : ".*$deplib_match"` -ne 0 ; then
+		    newdeplibs="$newdeplibs $i"
+		  else
+		    droppeddeps=yes
+		    $echo
+		    $echo "*** Warning: dynamic linker does not accept needed library $i."
+		    $echo "*** I have the capability to make that library automatically link in when"
+		    $echo "*** you link to this library.  But I can only do this if you have a"
+		    $echo "*** shared version of the library, which I believe you do not have"
+		    $echo "*** because a test_compile did reveal that the linker did not use it for"
+		    $echo "*** its dynamic dependency list that programs get resolved with at runtime."
+		  fi
+		fi
+	      else
+		newdeplibs="$newdeplibs $i"
+	      fi
+	    done
+	  else
+	    # Error occurred in the first compile.  Let's try to salvage
+	    # the situation: Compile a separate program for each library.
+	    for i in $deplibs; do
+	      name=`expr $i : '-l\(.*\)'`
+	      # If $name is empty we are operating on a -L argument.
+              if test "$name" != "" && test "$name" != "0"; then
+		$rm conftest
+		if $LTCC $LTCFLAGS -o conftest conftest.c $i; then
+		  ldd_output=`ldd conftest`
+		  if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then
+		    case " $predeps $postdeps " in
+		    *" $i "*)
+		      newdeplibs="$newdeplibs $i"
+		      i=""
+		      ;;
+		    esac
+		  fi
+		  if test -n "$i" ; then
+		    libname=`eval \\$echo \"$libname_spec\"`
+		    deplib_matches=`eval \\$echo \"$library_names_spec\"`
+		    set dummy $deplib_matches
+		    deplib_match=$2
+		    if test `expr "$ldd_output" : ".*$deplib_match"` -ne 0 ; then
+		      newdeplibs="$newdeplibs $i"
+		    else
+		      droppeddeps=yes
+		      $echo
+		      $echo "*** Warning: dynamic linker does not accept needed library $i."
+		      $echo "*** I have the capability to make that library automatically link in when"
+		      $echo "*** you link to this library.  But I can only do this if you have a"
+		      $echo "*** shared version of the library, which you do not appear to have"
+		      $echo "*** because a test_compile did reveal that the linker did not use this one"
+		      $echo "*** as a dynamic dependency that programs can get resolved with at runtime."
+		    fi
+		  fi
+		else
+		  droppeddeps=yes
+		  $echo
+		  $echo "*** Warning!  Library $i is needed by this library but I was not able to"
+		  $echo "*** make it link in!  You will probably need to install it or some"
+		  $echo "*** library that it depends on before this library will be fully"
+		  $echo "*** functional.  Installing it before continuing would be even better."
+		fi
+	      else
+		newdeplibs="$newdeplibs $i"
+	      fi
+	    done
+	  fi
+	  ;;
+	file_magic*)
+	  set dummy $deplibs_check_method
+	  file_magic_regex=`expr "$deplibs_check_method" : "$2 \(.*\)"`
+	  for a_deplib in $deplibs; do
+	    name=`expr $a_deplib : '-l\(.*\)'`
+	    # If $name is empty we are operating on a -L argument.
+            if test "$name" != "" && test  "$name" != "0"; then
+	      if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then
+		case " $predeps $postdeps " in
+		*" $a_deplib "*)
+		  newdeplibs="$newdeplibs $a_deplib"
+		  a_deplib=""
+		  ;;
+		esac
+	      fi
+	      if test -n "$a_deplib" ; then
+		libname=`eval \\$echo \"$libname_spec\"`
+		for i in $lib_search_path $sys_lib_search_path $shlib_search_path; do
+		  potential_libs=`ls $i/$libname[.-]* 2>/dev/null`
+		  for potent_lib in $potential_libs; do
+		      # Follow soft links.
+		      if ls -lLd "$potent_lib" 2>/dev/null \
+			 | grep " -> " >/dev/null; then
+			continue
+		      fi
+		      # The statement above tries to avoid entering an
+		      # endless loop below, in case of cyclic links.
+		      # We might still enter an endless loop, since a link
+		      # loop can be closed while we follow links,
+		      # but so what?
+		      potlib="$potent_lib"
+		      while test -h "$potlib" 2>/dev/null; do
+			potliblink=`ls -ld $potlib | ${SED} 's/.* -> //'`
+			case $potliblink in
+			[\\/]* | [A-Za-z]:[\\/]*) potlib="$potliblink";;
+			*) potlib=`$echo "X$potlib" | $Xsed -e 's,[^/]*$,,'`"$potliblink";;
+			esac
+		      done
+		      if eval $file_magic_cmd \"\$potlib\" 2>/dev/null \
+			 | ${SED} 10q \
+			 | $EGREP "$file_magic_regex" > /dev/null; then
+			newdeplibs="$newdeplibs $a_deplib"
+			a_deplib=""
+			break 2
+		      fi
+		  done
+		done
+	      fi
+	      if test -n "$a_deplib" ; then
+		droppeddeps=yes
+		$echo
+		$echo "*** Warning: linker path does not have real file for library $a_deplib."
+		$echo "*** I have the capability to make that library automatically link in when"
+		$echo "*** you link to this library.  But I can only do this if you have a"
+		$echo "*** shared version of the library, which you do not appear to have"
+		$echo "*** because I did check the linker path looking for a file starting"
+		if test -z "$potlib" ; then
+		  $echo "*** with $libname but no candidates were found. (...for file magic test)"
+		else
+		  $echo "*** with $libname and none of the candidates passed a file format test"
+		  $echo "*** using a file magic. Last file checked: $potlib"
+		fi
+	      fi
+	    else
+	      # Add a -L argument.
+	      newdeplibs="$newdeplibs $a_deplib"
+	    fi
+	  done # Gone through all deplibs.
+	  ;;
+	match_pattern*)
+	  set dummy $deplibs_check_method
+	  match_pattern_regex=`expr "$deplibs_check_method" : "$2 \(.*\)"`
+	  for a_deplib in $deplibs; do
+	    name=`expr $a_deplib : '-l\(.*\)'`
+	    # If $name is empty we are operating on a -L argument.
+	    if test -n "$name" && test "$name" != "0"; then
+	      if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then
+		case " $predeps $postdeps " in
+		*" $a_deplib "*)
+		  newdeplibs="$newdeplibs $a_deplib"
+		  a_deplib=""
+		  ;;
+		esac
+	      fi
+	      if test -n "$a_deplib" ; then
+		libname=`eval \\$echo \"$libname_spec\"`
+		for i in $lib_search_path $sys_lib_search_path $shlib_search_path; do
+		  potential_libs=`ls $i/$libname[.-]* 2>/dev/null`
+		  for potent_lib in $potential_libs; do
+		    potlib="$potent_lib" # see symlink-check above in file_magic test
+		    if eval $echo \"$potent_lib\" 2>/dev/null \
+		        | ${SED} 10q \
+		        | $EGREP "$match_pattern_regex" > /dev/null; then
+		      newdeplibs="$newdeplibs $a_deplib"
+		      a_deplib=""
+		      break 2
+		    fi
+		  done
+		done
+	      fi
+	      if test -n "$a_deplib" ; then
+		droppeddeps=yes
+		$echo
+		$echo "*** Warning: linker path does not have real file for library $a_deplib."
+		$echo "*** I have the capability to make that library automatically link in when"
+		$echo "*** you link to this library.  But I can only do this if you have a"
+		$echo "*** shared version of the library, which you do not appear to have"
+		$echo "*** because I did check the linker path looking for a file starting"
+		if test -z "$potlib" ; then
+		  $echo "*** with $libname but no candidates were found. (...for regex pattern test)"
+		else
+		  $echo "*** with $libname and none of the candidates passed a file format test"
+		  $echo "*** using a regex pattern. Last file checked: $potlib"
+		fi
+	      fi
+	    else
+	      # Add a -L argument.
+	      newdeplibs="$newdeplibs $a_deplib"
+	    fi
+	  done # Gone through all deplibs.
+	  ;;
+	none | unknown | *)
+	  newdeplibs=""
+	  tmp_deplibs=`$echo "X $deplibs" | $Xsed -e 's/ -lc$//' \
+	    -e 's/ -[LR][^ ]*//g'`
+	  if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then
+	    for i in $predeps $postdeps ; do
+	      # can't use Xsed below, because $i might contain '/'
+	      tmp_deplibs=`$echo "X $tmp_deplibs" | ${SED} -e "1s,^X,," -e "s,$i,,"`
+	    done
+	  fi
+	  if $echo "X $tmp_deplibs" | $Xsed -e 's/[ 	]//g' \
+	    | grep . >/dev/null; then
+	    $echo
+	    if test "X$deplibs_check_method" = "Xnone"; then
+	      $echo "*** Warning: inter-library dependencies are not supported in this platform."
+	    else
+	      $echo "*** Warning: inter-library dependencies are not known to be supported."
+	    fi
+	    $echo "*** All declared inter-library dependencies are being dropped."
+	    droppeddeps=yes
+	  fi
+	  ;;
+	esac
+	versuffix=$versuffix_save
+	major=$major_save
+	release=$release_save
+	libname=$libname_save
+	name=$name_save
+
+	case $host in
+	*-*-rhapsody* | *-*-darwin1.[012])
+	  # On Rhapsody replace the C library is the System framework
+	  newdeplibs=`$echo "X $newdeplibs" | $Xsed -e 's/ -lc / -framework System /'`
+	  ;;
+	esac
+
+	if test "$droppeddeps" = yes; then
+	  if test "$module" = yes; then
+	    $echo
+	    $echo "*** Warning: libtool could not satisfy all declared inter-library"
+	    $echo "*** dependencies of module $libname.  Therefore, libtool will create"
+	    $echo "*** a static module, that should work as long as the dlopening"
+	    $echo "*** application is linked with the -dlopen flag."
+	    if test -z "$global_symbol_pipe"; then
+	      $echo
+	      $echo "*** However, this would only work if libtool was able to extract symbol"
+	      $echo "*** lists from a program, using \`nm' or equivalent, but libtool could"
+	      $echo "*** not find such a program.  So, this module is probably useless."
+	      $echo "*** \`nm' from GNU binutils and a full rebuild may help."
+	    fi
+	    if test "$build_old_libs" = no; then
+	      oldlibs="$output_objdir/$libname.$libext"
+	      build_libtool_libs=module
+	      build_old_libs=yes
+	    else
+	      build_libtool_libs=no
+	    fi
+	  else
+	    $echo "*** The inter-library dependencies that have been dropped here will be"
+	    $echo "*** automatically added whenever a program is linked with this library"
+	    $echo "*** or is declared to -dlopen it."
+
+	    if test "$allow_undefined" = no; then
+	      $echo
+	      $echo "*** Since this library must not contain undefined symbols,"
+	      $echo "*** because either the platform does not support them or"
+	      $echo "*** it was explicitly requested with -no-undefined,"
+	      $echo "*** libtool will only create a static version of it."
+	      if test "$build_old_libs" = no; then
+		oldlibs="$output_objdir/$libname.$libext"
+		build_libtool_libs=module
+		build_old_libs=yes
+	      else
+		build_libtool_libs=no
+	      fi
+	    fi
+	  fi
+	fi
+	# Done checking deplibs!
+	deplibs=$newdeplibs
+      fi
+
+
+      # move library search paths that coincide with paths to not yet
+      # installed libraries to the beginning of the library search list
+      new_libs=
+      for path in $notinst_path; do
+	case " $new_libs " in
+	*" -L$path/$objdir "*) ;;
+	*)
+	  case " $deplibs " in
+	  *" -L$path/$objdir "*)
+	    new_libs="$new_libs -L$path/$objdir" ;;
+	  esac
+	  ;;
+	esac
+      done
+      for deplib in $deplibs; do
+	case $deplib in
+	-L*)
+	  case " $new_libs " in
+	  *" $deplib "*) ;;
+	  *) new_libs="$new_libs $deplib" ;;
+	  esac
+	  ;;
+	*) new_libs="$new_libs $deplib" ;;
+	esac
+      done
+      deplibs="$new_libs"
+
+
+      # All the library-specific variables (install_libdir is set above).
+      library_names=
+      old_library=
+      dlname=
+
+      # Test again, we may have decided not to build it any more
+      if test "$build_libtool_libs" = yes; then
+	if test "$hardcode_into_libs" = yes; then
+	  # Hardcode the library paths
+	  hardcode_libdirs=
+	  dep_rpath=
+	  rpath="$finalize_rpath"
+	  test "$mode" != relink && rpath="$compile_rpath$rpath"
+	  for libdir in $rpath; do
+	    if test -n "$hardcode_libdir_flag_spec"; then
+	      if test -n "$hardcode_libdir_separator"; then
+		if test -z "$hardcode_libdirs"; then
+		  hardcode_libdirs="$libdir"
+		else
+		  # Just accumulate the unique libdirs.
+		  case $hardcode_libdir_separator$hardcode_libdirs$hardcode_libdir_separator in
+		  *"$hardcode_libdir_separator$libdir$hardcode_libdir_separator"*)
+		    ;;
+		  *)
+		    hardcode_libdirs="$hardcode_libdirs$hardcode_libdir_separator$libdir"
+		    ;;
+		  esac
+		fi
+	      else
+		eval flag=\"$hardcode_libdir_flag_spec\"
+		dep_rpath="$dep_rpath $flag"
+	      fi
+	    elif test -n "$runpath_var"; then
+	      case "$perm_rpath " in
+	      *" $libdir "*) ;;
+	      *) perm_rpath="$perm_rpath $libdir" ;;
+	      esac
+	    fi
+	  done
+	  # Substitute the hardcoded libdirs into the rpath.
+	  if test -n "$hardcode_libdir_separator" &&
+	     test -n "$hardcode_libdirs"; then
+	    libdir="$hardcode_libdirs"
+	    if test -n "$hardcode_libdir_flag_spec_ld"; then
+	      case $archive_cmds in
+	      *\$LD*) eval dep_rpath=\"$hardcode_libdir_flag_spec_ld\" ;;
+	      *)      eval dep_rpath=\"$hardcode_libdir_flag_spec\" ;;
+	      esac
+	    else
+	      eval dep_rpath=\"$hardcode_libdir_flag_spec\"
+	    fi
+	  fi
+	  if test -n "$runpath_var" && test -n "$perm_rpath"; then
+	    # We should set the runpath_var.
+	    rpath=
+	    for dir in $perm_rpath; do
+	      rpath="$rpath$dir:"
+	    done
+	    eval "$runpath_var='$rpath\$$runpath_var'; export $runpath_var"
+	  fi
+	  test -n "$dep_rpath" && deplibs="$dep_rpath $deplibs"
+	fi
+
+	shlibpath="$finalize_shlibpath"
+	test "$mode" != relink && shlibpath="$compile_shlibpath$shlibpath"
+	if test -n "$shlibpath"; then
+	  eval "$shlibpath_var='$shlibpath\$$shlibpath_var'; export $shlibpath_var"
+	fi
+
+	# Get the real and link names of the library.
+	eval shared_ext=\"$shrext_cmds\"
+	eval library_names=\"$library_names_spec\"
+	set dummy $library_names
+	realname="$2"
+	shift; shift
+
+	if test -n "$soname_spec"; then
+	  eval soname=\"$soname_spec\"
+	else
+	  soname="$realname"
+	fi
+	if test -z "$dlname"; then
+	  dlname=$soname
+	fi
+
+	lib="$output_objdir/$realname"
+	linknames=
+	for link
+	do
+	  linknames="$linknames $link"
+	done
+
+	# Use standard objects if they are pic
+	test -z "$pic_flag" && libobjs=`$echo "X$libobjs" | $SP2NL | $Xsed -e "$lo2o" | $NL2SP`
+
+	# Prepare the list of exported symbols
+	if test -z "$export_symbols"; then
+	  if test "$always_export_symbols" = yes || test -n "$export_symbols_regex"; then
+	    $show "generating symbol list for \`$libname.la'"
+	    export_symbols="$output_objdir/$libname.exp"
+	    $run $rm $export_symbols
+	    cmds=$export_symbols_cmds
+	    save_ifs="$IFS"; IFS='~'
+	    for cmd in $cmds; do
+	      IFS="$save_ifs"
+	      eval cmd=\"$cmd\"
+	      if len=`expr "X$cmd" : ".*"` &&
+	       test "$len" -le "$max_cmd_len" || test "$max_cmd_len" -le -1; then
+	        $show "$cmd"
+	        $run eval "$cmd" || exit $?
+	        skipped_export=false
+	      else
+	        # The command line is too long to execute in one step.
+	        $show "using reloadable object file for export list..."
+	        skipped_export=:
+		# Break out early, otherwise skipped_export may be
+		# set to false by a later but shorter cmd.
+		break
+	      fi
+	    done
+	    IFS="$save_ifs"
+	    if test -n "$export_symbols_regex"; then
+	      $show "$EGREP -e \"$export_symbols_regex\" \"$export_symbols\" > \"${export_symbols}T\""
+	      $run eval '$EGREP -e "$export_symbols_regex" "$export_symbols" > "${export_symbols}T"'
+	      $show "$mv \"${export_symbols}T\" \"$export_symbols\""
+	      $run eval '$mv "${export_symbols}T" "$export_symbols"'
+	    fi
+	  fi
+	fi
+
+	if test -n "$export_symbols" && test -n "$include_expsyms"; then
+	  $run eval '$echo "X$include_expsyms" | $SP2NL >> "$export_symbols"'
+	fi
+
+	tmp_deplibs=
+	for test_deplib in $deplibs; do
+		case " $convenience " in
+		*" $test_deplib "*) ;;
+		*)
+			tmp_deplibs="$tmp_deplibs $test_deplib"
+			;;
+		esac
+	done
+	deplibs="$tmp_deplibs"
+
+	if test -n "$convenience"; then
+	  if test -n "$whole_archive_flag_spec"; then
+	    save_libobjs=$libobjs
+	    eval libobjs=\"\$libobjs $whole_archive_flag_spec\"
+	  else
+	    gentop="$output_objdir/${outputname}x"
+	    generated="$generated $gentop"
+
+	    func_extract_archives $gentop $convenience
+	    libobjs="$libobjs $func_extract_archives_result"
+	  fi
+	fi
+	
+	if test "$thread_safe" = yes && test -n "$thread_safe_flag_spec"; then
+	  eval flag=\"$thread_safe_flag_spec\"
+	  linker_flags="$linker_flags $flag"
+	fi
+
+	# Make a backup of the uninstalled library when relinking
+	if test "$mode" = relink; then
+	  $run eval '(cd $output_objdir && $rm ${realname}U && $mv $realname ${realname}U)' || exit $?
+	fi
+
+	# Do each of the archive commands.
+	if test "$module" = yes && test -n "$module_cmds" ; then
+	  if test -n "$export_symbols" && test -n "$module_expsym_cmds"; then
+	    eval test_cmds=\"$module_expsym_cmds\"
+	    cmds=$module_expsym_cmds
+	  else
+	    eval test_cmds=\"$module_cmds\"
+	    cmds=$module_cmds
+	  fi
+	else
+	if test -n "$export_symbols" && test -n "$archive_expsym_cmds"; then
+	  eval test_cmds=\"$archive_expsym_cmds\"
+	  cmds=$archive_expsym_cmds
+	else
+	  eval test_cmds=\"$archive_cmds\"
+	  cmds=$archive_cmds
+	  fi
+	fi
+
+	if test "X$skipped_export" != "X:" &&
+	   len=`expr "X$test_cmds" : ".*" 2>/dev/null` &&
+	   test "$len" -le "$max_cmd_len" || test "$max_cmd_len" -le -1; then
+	  :
+	else
+	  # The command line is too long to link in one step, link piecewise.
+	  $echo "creating reloadable object files..."
+
+	  # Save the value of $output and $libobjs because we want to
+	  # use them later.  If we have whole_archive_flag_spec, we
+	  # want to use save_libobjs as it was before
+	  # whole_archive_flag_spec was expanded, because we can't
+	  # assume the linker understands whole_archive_flag_spec.
+	  # This may have to be revisited, in case too many
+	  # convenience libraries get linked in and end up exceeding
+	  # the spec.
+	  if test -z "$convenience" || test -z "$whole_archive_flag_spec"; then
+	    save_libobjs=$libobjs
+	  fi
+	  save_output=$output
+	  output_la=`$echo "X$output" | $Xsed -e "$basename"`
+
+	  # Clear the reloadable object creation command queue and
+	  # initialize k to one.
+	  test_cmds=
+	  concat_cmds=
+	  objlist=
+	  delfiles=
+	  last_robj=
+	  k=1
+	  output=$output_objdir/$output_la-${k}.$objext
+	  # Loop over the list of objects to be linked.
+	  for obj in $save_libobjs
+	  do
+	    eval test_cmds=\"$reload_cmds $objlist $last_robj\"
+	    if test "X$objlist" = X ||
+	       { len=`expr "X$test_cmds" : ".*" 2>/dev/null` &&
+		 test "$len" -le "$max_cmd_len"; }; then
+	      objlist="$objlist $obj"
+	    else
+	      # The command $test_cmds is almost too long, add a
+	      # command to the queue.
+	      if test "$k" -eq 1 ; then
+		# The first file doesn't have a previous command to add.
+		eval concat_cmds=\"$reload_cmds $objlist $last_robj\"
+	      else
+		# All subsequent reloadable object files will link in
+		# the last one created.
+		eval concat_cmds=\"\$concat_cmds~$reload_cmds $objlist $last_robj\"
+	      fi
+	      last_robj=$output_objdir/$output_la-${k}.$objext
+	      k=`expr $k + 1`
+	      output=$output_objdir/$output_la-${k}.$objext
+	      objlist=$obj
+	      len=1
+	    fi
+	  done
+	  # Handle the remaining objects by creating one last
+	  # reloadable object file.  All subsequent reloadable object
+	  # files will link in the last one created.
+	  test -z "$concat_cmds" || concat_cmds=$concat_cmds~
+	  eval concat_cmds=\"\${concat_cmds}$reload_cmds $objlist $last_robj\"
+
+	  if ${skipped_export-false}; then
+	    $show "generating symbol list for \`$libname.la'"
+	    export_symbols="$output_objdir/$libname.exp"
+	    $run $rm $export_symbols
+	    libobjs=$output
+	    # Append the command to create the export file.
+	    eval concat_cmds=\"\$concat_cmds~$export_symbols_cmds\"
+          fi
+
+	  # Set up a command to remove the reloadable object files
+	  # after they are used.
+	  i=0
+	  while test "$i" -lt "$k"
+	  do
+	    i=`expr $i + 1`
+	    delfiles="$delfiles $output_objdir/$output_la-${i}.$objext"
+	  done
+
+	  $echo "creating a temporary reloadable object file: $output"
+
+	  # Loop through the commands generated above and execute them.
+	  save_ifs="$IFS"; IFS='~'
+	  for cmd in $concat_cmds; do
+	    IFS="$save_ifs"
+	    $show "$cmd"
+	    $run eval "$cmd" || exit $?
+	  done
+	  IFS="$save_ifs"
+
+	  libobjs=$output
+	  # Restore the value of output.
+	  output=$save_output
+
+	  if test -n "$convenience" && test -n "$whole_archive_flag_spec"; then
+	    eval libobjs=\"\$libobjs $whole_archive_flag_spec\"
+	  fi
+	  # Expand the library linking commands again to reset the
+	  # value of $libobjs for piecewise linking.
+
+	  # Do each of the archive commands.
+	  if test "$module" = yes && test -n "$module_cmds" ; then
+	    if test -n "$export_symbols" && test -n "$module_expsym_cmds"; then
+	      cmds=$module_expsym_cmds
+	    else
+	      cmds=$module_cmds
+	    fi
+	  else
+	  if test -n "$export_symbols" && test -n "$archive_expsym_cmds"; then
+	    cmds=$archive_expsym_cmds
+	  else
+	    cmds=$archive_cmds
+	    fi
+	  fi
+
+	  # Append the command to remove the reloadable object files
+	  # to the just-reset $cmds.
+	  eval cmds=\"\$cmds~\$rm $delfiles\"
+	fi
+	save_ifs="$IFS"; IFS='~'
+	for cmd in $cmds; do
+	  IFS="$save_ifs"
+	  eval cmd=\"$cmd\"
+	  $show "$cmd"
+	  $run eval "$cmd" || {
+	    lt_exit=$?
+
+	    # Restore the uninstalled library and exit
+	    if test "$mode" = relink; then
+	      $run eval '(cd $output_objdir && $rm ${realname}T && $mv ${realname}U $realname)'
+	    fi
+
+	    exit $lt_exit
+	  }
+	done
+	IFS="$save_ifs"
+
+	# Restore the uninstalled library and exit
+	if test "$mode" = relink; then
+	  $run eval '(cd $output_objdir && $rm ${realname}T && $mv $realname ${realname}T && $mv "$realname"U $realname)' || exit $?
+
+	  if test -n "$convenience"; then
+	    if test -z "$whole_archive_flag_spec"; then
+	      $show "${rm}r $gentop"
+	      $run ${rm}r "$gentop"
+	    fi
+	  fi
+
+	  exit $EXIT_SUCCESS
+	fi
+
+	# Create links to the real library.
+	for linkname in $linknames; do
+	  if test "$realname" != "$linkname"; then
+	    $show "(cd $output_objdir && $rm $linkname && $LN_S $realname $linkname)"
+	    $run eval '(cd $output_objdir && $rm $linkname && $LN_S $realname $linkname)' || exit $?
+	  fi
+	done
+
+	# If -module or -export-dynamic was specified, set the dlname.
+	if test "$module" = yes || test "$export_dynamic" = yes; then
+	  # On all known operating systems, these are identical.
+	  dlname="$soname"
+	fi
+      fi
+      ;;
+
+    obj)
+      case " $deplibs" in
+      *\ -l* | *\ -L*)
+	$echo "$modename: warning: \`-l' and \`-L' are ignored for objects" 1>&2 ;;
+      esac
+
+      if test -n "$dlfiles$dlprefiles" || test "$dlself" != no; then
+	$echo "$modename: warning: \`-dlopen' is ignored for objects" 1>&2
+      fi
+
+      if test -n "$rpath"; then
+	$echo "$modename: warning: \`-rpath' is ignored for objects" 1>&2
+      fi
+
+      if test -n "$xrpath"; then
+	$echo "$modename: warning: \`-R' is ignored for objects" 1>&2
+      fi
+
+      if test -n "$vinfo"; then
+	$echo "$modename: warning: \`-version-info' is ignored for objects" 1>&2
+      fi
+
+      if test -n "$release"; then
+	$echo "$modename: warning: \`-release' is ignored for objects" 1>&2
+      fi
+
+      case $output in
+      *.lo)
+	if test -n "$objs$old_deplibs"; then
+	  $echo "$modename: cannot build library object \`$output' from non-libtool objects" 1>&2
+	  exit $EXIT_FAILURE
+	fi
+	libobj="$output"
+	obj=`$echo "X$output" | $Xsed -e "$lo2o"`
+	;;
+      *)
+	libobj=
+	obj="$output"
+	;;
+      esac
+
+      # Delete the old objects.
+      $run $rm $obj $libobj
+
+      # Objects from convenience libraries.  This assumes
+      # single-version convenience libraries.  Whenever we create
+      # different ones for PIC/non-PIC, this we'll have to duplicate
+      # the extraction.
+      reload_conv_objs=
+      gentop=
+      # reload_cmds runs $LD directly, so let us get rid of
+      # -Wl from whole_archive_flag_spec and hope we can get by with
+      # turning comma into space..
+      wl=
+
+      if test -n "$convenience"; then
+	if test -n "$whole_archive_flag_spec"; then
+	  eval tmp_whole_archive_flags=\"$whole_archive_flag_spec\"
+	  reload_conv_objs=$reload_objs\ `$echo "X$tmp_whole_archive_flags" | $Xsed -e 's|,| |g'`
+	else
+	  gentop="$output_objdir/${obj}x"
+	  generated="$generated $gentop"
+
+	  func_extract_archives $gentop $convenience
+	  reload_conv_objs="$reload_objs $func_extract_archives_result"
+	fi
+      fi
+
+      # Create the old-style object.
+      reload_objs="$objs$old_deplibs "`$echo "X$libobjs" | $SP2NL | $Xsed -e '/\.'${libext}$'/d' -e '/\.lib$/d' -e "$lo2o" | $NL2SP`" $reload_conv_objs" ### testsuite: skip nested quoting test
+
+      output="$obj"
+      cmds=$reload_cmds
+      save_ifs="$IFS"; IFS='~'
+      for cmd in $cmds; do
+	IFS="$save_ifs"
+	eval cmd=\"$cmd\"
+	$show "$cmd"
+	$run eval "$cmd" || exit $?
+      done
+      IFS="$save_ifs"
+
+      # Exit if we aren't doing a library object file.
+      if test -z "$libobj"; then
+	if test -n "$gentop"; then
+	  $show "${rm}r $gentop"
+	  $run ${rm}r $gentop
+	fi
+
+	exit $EXIT_SUCCESS
+      fi
+
+      if test "$build_libtool_libs" != yes; then
+	if test -n "$gentop"; then
+	  $show "${rm}r $gentop"
+	  $run ${rm}r $gentop
+	fi
+
+	# Create an invalid libtool object if no PIC, so that we don't
+	# accidentally link it into a program.
+	# $show "echo timestamp > $libobj"
+	# $run eval "echo timestamp > $libobj" || exit $?
+	exit $EXIT_SUCCESS
+      fi
+
+      if test -n "$pic_flag" || test "$pic_mode" != default; then
+	# Only do commands if we really have different PIC objects.
+	reload_objs="$libobjs $reload_conv_objs"
+	output="$libobj"
+	cmds=$reload_cmds
+	save_ifs="$IFS"; IFS='~'
+	for cmd in $cmds; do
+	  IFS="$save_ifs"
+	  eval cmd=\"$cmd\"
+	  $show "$cmd"
+	  $run eval "$cmd" || exit $?
+	done
+	IFS="$save_ifs"
+      fi
+
+      if test -n "$gentop"; then
+	$show "${rm}r $gentop"
+	$run ${rm}r $gentop
+      fi
+
+      exit $EXIT_SUCCESS
+      ;;
+
+    prog)
+      case $host in
+	*cygwin*) output=`$echo $output | ${SED} -e 's,.exe$,,;s,$,.exe,'` ;;
+      esac
+      if test -n "$vinfo"; then
+	$echo "$modename: warning: \`-version-info' is ignored for programs" 1>&2
+      fi
+
+      if test -n "$release"; then
+	$echo "$modename: warning: \`-release' is ignored for programs" 1>&2
+      fi
+
+      if test "$preload" = yes; then
+	if test "$dlopen_support" = unknown && test "$dlopen_self" = unknown &&
+	   test "$dlopen_self_static" = unknown; then
+	  $echo "$modename: warning: \`AC_LIBTOOL_DLOPEN' not used. Assuming no dlopen support."
+	fi
+      fi
+
+      case $host in
+      *-*-rhapsody* | *-*-darwin1.[012])
+	# On Rhapsody replace the C library is the System framework
+	compile_deplibs=`$echo "X $compile_deplibs" | $Xsed -e 's/ -lc / -framework System /'`
+	finalize_deplibs=`$echo "X $finalize_deplibs" | $Xsed -e 's/ -lc / -framework System /'`
+	;;
+      esac
+
+      case $host in
+      *darwin*)
+        # Don't allow lazy linking, it breaks C++ global constructors
+        if test "$tagname" = CXX ; then
+        compile_command="$compile_command ${wl}-bind_at_load"
+        finalize_command="$finalize_command ${wl}-bind_at_load"
+        fi
+        ;;
+      esac
+
+
+      # move library search paths that coincide with paths to not yet
+      # installed libraries to the beginning of the library search list
+      new_libs=
+      for path in $notinst_path; do
+	case " $new_libs " in
+	*" -L$path/$objdir "*) ;;
+	*)
+	  case " $compile_deplibs " in
+	  *" -L$path/$objdir "*)
+	    new_libs="$new_libs -L$path/$objdir" ;;
+	  esac
+	  ;;
+	esac
+      done
+      for deplib in $compile_deplibs; do
+	case $deplib in
+	-L*)
+	  case " $new_libs " in
+	  *" $deplib "*) ;;
+	  *) new_libs="$new_libs $deplib" ;;
+	  esac
+	  ;;
+	*) new_libs="$new_libs $deplib" ;;
+	esac
+      done
+      compile_deplibs="$new_libs"
+
+
+      compile_command="$compile_command $compile_deplibs"
+      finalize_command="$finalize_command $finalize_deplibs"
+
+      if test -n "$rpath$xrpath"; then
+	# If the user specified any rpath flags, then add them.
+	for libdir in $rpath $xrpath; do
+	  # This is the magic to use -rpath.
+	  case "$finalize_rpath " in
+	  *" $libdir "*) ;;
+	  *) finalize_rpath="$finalize_rpath $libdir" ;;
+	  esac
+	done
+      fi
+
+      # Now hardcode the library paths
+      rpath=
+      hardcode_libdirs=
+      for libdir in $compile_rpath $finalize_rpath; do
+	if test -n "$hardcode_libdir_flag_spec"; then
+	  if test -n "$hardcode_libdir_separator"; then
+	    if test -z "$hardcode_libdirs"; then
+	      hardcode_libdirs="$libdir"
+	    else
+	      # Just accumulate the unique libdirs.
+	      case $hardcode_libdir_separator$hardcode_libdirs$hardcode_libdir_separator in
+	      *"$hardcode_libdir_separator$libdir$hardcode_libdir_separator"*)
+		;;
+	      *)
+		hardcode_libdirs="$hardcode_libdirs$hardcode_libdir_separator$libdir"
+		;;
+	      esac
+	    fi
+	  else
+	    eval flag=\"$hardcode_libdir_flag_spec\"
+	    rpath="$rpath $flag"
+	  fi
+	elif test -n "$runpath_var"; then
+	  case "$perm_rpath " in
+	  *" $libdir "*) ;;
+	  *) perm_rpath="$perm_rpath $libdir" ;;
+	  esac
+	fi
+	case $host in
+	*-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2*)
+	  testbindir=`$echo "X$libdir" | $Xsed -e 's*/lib$*/bin*'`
+	  case :$dllsearchpath: in
+	  *":$libdir:"*) ;;
+	  *) dllsearchpath="$dllsearchpath:$libdir";;
+	  esac
+	  case :$dllsearchpath: in
+	  *":$testbindir:"*) ;;
+	  *) dllsearchpath="$dllsearchpath:$testbindir";;
+	  esac
+	  ;;
+	esac
+      done
+      # Substitute the hardcoded libdirs into the rpath.
+      if test -n "$hardcode_libdir_separator" &&
+	 test -n "$hardcode_libdirs"; then
+	libdir="$hardcode_libdirs"
+	eval rpath=\" $hardcode_libdir_flag_spec\"
+      fi
+      compile_rpath="$rpath"
+
+      rpath=
+      hardcode_libdirs=
+      for libdir in $finalize_rpath; do
+	if test -n "$hardcode_libdir_flag_spec"; then
+	  if test -n "$hardcode_libdir_separator"; then
+	    if test -z "$hardcode_libdirs"; then
+	      hardcode_libdirs="$libdir"
+	    else
+	      # Just accumulate the unique libdirs.
+	      case $hardcode_libdir_separator$hardcode_libdirs$hardcode_libdir_separator in
+	      *"$hardcode_libdir_separator$libdir$hardcode_libdir_separator"*)
+		;;
+	      *)
+		hardcode_libdirs="$hardcode_libdirs$hardcode_libdir_separator$libdir"
+		;;
+	      esac
+	    fi
+	  else
+	    eval flag=\"$hardcode_libdir_flag_spec\"
+	    rpath="$rpath $flag"
+	  fi
+	elif test -n "$runpath_var"; then
+	  case "$finalize_perm_rpath " in
+	  *" $libdir "*) ;;
+	  *) finalize_perm_rpath="$finalize_perm_rpath $libdir" ;;
+	  esac
+	fi
+      done
+      # Substitute the hardcoded libdirs into the rpath.
+      if test -n "$hardcode_libdir_separator" &&
+	 test -n "$hardcode_libdirs"; then
+	libdir="$hardcode_libdirs"
+	eval rpath=\" $hardcode_libdir_flag_spec\"
+      fi
+      finalize_rpath="$rpath"
+
+      if test -n "$libobjs" && test "$build_old_libs" = yes; then
+	# Transform all the library objects into standard objects.
+	compile_command=`$echo "X$compile_command" | $SP2NL | $Xsed -e "$lo2o" | $NL2SP`
+	finalize_command=`$echo "X$finalize_command" | $SP2NL | $Xsed -e "$lo2o" | $NL2SP`
+      fi
+
+      dlsyms=
+      if test -n "$dlfiles$dlprefiles" || test "$dlself" != no; then
+	if test -n "$NM" && test -n "$global_symbol_pipe"; then
+	  dlsyms="${outputname}S.c"
+	else
+	  $echo "$modename: not configured to extract global symbols from dlpreopened files" 1>&2
+	fi
+      fi
+
+      if test -n "$dlsyms"; then
+	case $dlsyms in
+	"") ;;
+	*.c)
+	  # Discover the nlist of each of the dlfiles.
+	  nlist="$output_objdir/${outputname}.nm"
+
+	  $show "$rm $nlist ${nlist}S ${nlist}T"
+	  $run $rm "$nlist" "${nlist}S" "${nlist}T"
+
+	  # Parse the name list into a source file.
+	  $show "creating $output_objdir/$dlsyms"
+
+	  test -z "$run" && $echo > "$output_objdir/$dlsyms" "\
+/* $dlsyms - symbol resolution table for \`$outputname' dlsym emulation. */
+/* Generated by $PROGRAM - GNU $PACKAGE $VERSION$TIMESTAMP */
+
+#ifdef __cplusplus
+extern \"C\" {
+#endif
+
+/* Prevent the only kind of declaration conflicts we can make. */
+#define lt_preloaded_symbols some_other_symbol
+
+/* External symbol declarations for the compiler. */\
+"
+
+	  if test "$dlself" = yes; then
+	    $show "generating symbol list for \`$output'"
+
+	    test -z "$run" && $echo ': @PROGRAM@ ' > "$nlist"
+
+	    # Add our own program objects to the symbol list.
+	    progfiles=`$echo "X$objs$old_deplibs" | $SP2NL | $Xsed -e "$lo2o" | $NL2SP`
+	    for arg in $progfiles; do
+	      $show "extracting global C symbols from \`$arg'"
+	      $run eval "$NM $arg | $global_symbol_pipe >> '$nlist'"
+	    done
+
+	    if test -n "$exclude_expsyms"; then
+	      $run eval '$EGREP -v " ($exclude_expsyms)$" "$nlist" > "$nlist"T'
+	      $run eval '$mv "$nlist"T "$nlist"'
+	    fi
+
+	    if test -n "$export_symbols_regex"; then
+	      $run eval '$EGREP -e "$export_symbols_regex" "$nlist" > "$nlist"T'
+	      $run eval '$mv "$nlist"T "$nlist"'
+	    fi
+
+	    # Prepare the list of exported symbols
+	    if test -z "$export_symbols"; then
+	      export_symbols="$output_objdir/$outputname.exp"
+	      $run $rm $export_symbols
+	      $run eval "${SED} -n -e '/^: @PROGRAM@ $/d' -e 's/^.* \(.*\)$/\1/p' "'< "$nlist" > "$export_symbols"'
+              case $host in
+              *cygwin* | *mingw* )
+	        $run eval "echo EXPORTS "'> "$output_objdir/$outputname.def"'
+		$run eval 'cat "$export_symbols" >> "$output_objdir/$outputname.def"'
+                ;;
+              esac
+	    else
+	      $run eval "${SED} -e 's/\([].[*^$]\)/\\\\\1/g' -e 's/^/ /' -e 's/$/$/'"' < "$export_symbols" > "$output_objdir/$outputname.exp"'
+	      $run eval 'grep -f "$output_objdir/$outputname.exp" < "$nlist" > "$nlist"T'
+	      $run eval 'mv "$nlist"T "$nlist"'
+              case $host in
+              *cygwin* | *mingw* )
+	        $run eval "echo EXPORTS "'> "$output_objdir/$outputname.def"'
+		$run eval 'cat "$nlist" >> "$output_objdir/$outputname.def"'
+                ;;
+              esac
+	    fi
+	  fi
+
+	  for arg in $dlprefiles; do
+	    $show "extracting global C symbols from \`$arg'"
+	    name=`$echo "$arg" | ${SED} -e 's%^.*/%%'`
+	    $run eval '$echo ": $name " >> "$nlist"'
+	    $run eval "$NM $arg | $global_symbol_pipe >> '$nlist'"
+	  done
+
+	  if test -z "$run"; then
+	    # Make sure we have at least an empty file.
+	    test -f "$nlist" || : > "$nlist"
+
+	    if test -n "$exclude_expsyms"; then
+	      $EGREP -v " ($exclude_expsyms)$" "$nlist" > "$nlist"T
+	      $mv "$nlist"T "$nlist"
+	    fi
+
+	    # Try sorting and uniquifying the output.
+	    if grep -v "^: " < "$nlist" |
+		if sort -k 3 </dev/null >/dev/null 2>&1; then
+		  sort -k 3
+		else
+		  sort +2
+		fi |
+		uniq > "$nlist"S; then
+	      :
+	    else
+	      grep -v "^: " < "$nlist" > "$nlist"S
+	    fi
+
+	    if test -f "$nlist"S; then
+	      eval "$global_symbol_to_cdecl"' < "$nlist"S >> "$output_objdir/$dlsyms"'
+	    else
+	      $echo '/* NONE */' >> "$output_objdir/$dlsyms"
+	    fi
+
+	    $echo >> "$output_objdir/$dlsyms" "\
+
+#undef lt_preloaded_symbols
+
+#if defined (__STDC__) && __STDC__
+# define lt_ptr void *
+#else
+# define lt_ptr char *
+# define const
+#endif
+
+/* The mapping between symbol names and symbols. */
+"
+
+	    case $host in
+	    *cygwin* | *mingw* )
+	  $echo >> "$output_objdir/$dlsyms" "\
+/* DATA imports from DLLs on WIN32 can't be const, because
+   runtime relocations are performed -- see ld's documentation
+   on pseudo-relocs */
+struct {
+"
+	      ;;
+	    * )
+	  $echo >> "$output_objdir/$dlsyms" "\
+const struct {
+"
+	      ;;
+	    esac
+
+
+	  $echo >> "$output_objdir/$dlsyms" "\
+  const char *name;
+  lt_ptr address;
+}
+lt_preloaded_symbols[] =
+{\
+"
+
+	    eval "$global_symbol_to_c_name_address" < "$nlist" >> "$output_objdir/$dlsyms"
+
+	    $echo >> "$output_objdir/$dlsyms" "\
+  {0, (lt_ptr) 0}
+};
+
+/* This works around a problem in FreeBSD linker */
+#ifdef FREEBSD_WORKAROUND
+static const void *lt_preloaded_setup() {
+  return lt_preloaded_symbols;
+}
+#endif
+
+#ifdef __cplusplus
+}
+#endif\
+"
+	  fi
+
+	  pic_flag_for_symtable=
+	  case $host in
+	  # compiling the symbol table file with pic_flag works around
+	  # a FreeBSD bug that causes programs to crash when -lm is
+	  # linked before any other PIC object.  But we must not use
+	  # pic_flag when linking with -static.  The problem exists in
+	  # FreeBSD 2.2.6 and is fixed in FreeBSD 3.1.
+	  *-*-freebsd2*|*-*-freebsd3.0*|*-*-freebsdelf3.0*)
+	    case "$compile_command " in
+	    *" -static "*) ;;
+	    *) pic_flag_for_symtable=" $pic_flag -DFREEBSD_WORKAROUND";;
+	    esac;;
+	  *-*-hpux*)
+	    case "$compile_command " in
+	    *" -static "*) ;;
+	    *) pic_flag_for_symtable=" $pic_flag";;
+	    esac
+	  esac
+
+	  # Now compile the dynamic symbol file.
+	  $show "(cd $output_objdir && $LTCC  $LTCFLAGS -c$no_builtin_flag$pic_flag_for_symtable \"$dlsyms\")"
+	  $run eval '(cd $output_objdir && $LTCC  $LTCFLAGS -c$no_builtin_flag$pic_flag_for_symtable "$dlsyms")' || exit $?
+
+	  # Clean up the generated files.
+	  $show "$rm $output_objdir/$dlsyms $nlist ${nlist}S ${nlist}T"
+	  $run $rm "$output_objdir/$dlsyms" "$nlist" "${nlist}S" "${nlist}T"
+
+	  # Transform the symbol file into the correct name.
+          case $host in
+          *cygwin* | *mingw* )
+            if test -f "$output_objdir/${outputname}.def" ; then
+              compile_command=`$echo "X$compile_command" | $SP2NL | $Xsed -e "s%@SYMFILE@%$output_objdir/${outputname}.def $output_objdir/${outputname}S.${objext}%" | $NL2SP`
+              finalize_command=`$echo "X$finalize_command" | $SP2NL | $Xsed -e "s%@SYMFILE@%$output_objdir/${outputname}.def $output_objdir/${outputname}S.${objext}%" | $NL2SP`
+            else
+              compile_command=`$echo "X$compile_command" | $SP2NL | $Xsed -e "s%@SYMFILE@%$output_objdir/${outputname}S.${objext}%" | $NL2SP`
+              finalize_command=`$echo "X$finalize_command" | $SP2NL | $Xsed -e "s%@SYMFILE@%$output_objdir/${outputname}S.${objext}%" | $NL2SP`
+             fi
+            ;;
+          * )
+            compile_command=`$echo "X$compile_command" | $SP2NL | $Xsed -e "s%@SYMFILE@%$output_objdir/${outputname}S.${objext}%" | $NL2SP`
+            finalize_command=`$echo "X$finalize_command" | $SP2NL | $Xsed -e "s%@SYMFILE@%$output_objdir/${outputname}S.${objext}%" | $NL2SP`
+            ;;
+          esac
+	  ;;
+	*)
+	  $echo "$modename: unknown suffix for \`$dlsyms'" 1>&2
+	  exit $EXIT_FAILURE
+	  ;;
+	esac
+      else
+	# We keep going just in case the user didn't refer to
+	# lt_preloaded_symbols.  The linker will fail if global_symbol_pipe
+	# really was required.
+
+	# Nullify the symbol file.
+	compile_command=`$echo "X$compile_command" | $SP2NL | $Xsed -e "s% @SYMFILE@%%" | $NL2SP`
+	finalize_command=`$echo "X$finalize_command" | $SP2NL | $Xsed -e "s% @SYMFILE@%%" | $NL2SP`
+      fi
+
+      if test "$need_relink" = no || test "$build_libtool_libs" != yes; then
+	# Replace the output file specification.
+	compile_command=`$echo "X$compile_command" | $SP2NL | $Xsed -e 's%@OUTPUT@%'"$output"'%g' | $NL2SP`
+	link_command="$compile_command$compile_rpath"
+
+	# We have no uninstalled library dependencies, so finalize right now.
+	$show "$link_command"
+	$run eval "$link_command"
+	exit_status=$?
+
+	# Delete the generated files.
+	if test -n "$dlsyms"; then
+	  $show "$rm $output_objdir/${outputname}S.${objext}"
+	  $run $rm "$output_objdir/${outputname}S.${objext}"
+	fi
+
+	exit $exit_status
+      fi
+
+      if test -n "$shlibpath_var"; then
+	# We should set the shlibpath_var
+	rpath=
+	for dir in $temp_rpath; do
+	  case $dir in
+	  [\\/]* | [A-Za-z]:[\\/]*)
+	    # Absolute path.
+	    rpath="$rpath$dir:"
+	    ;;
+	  *)
+	    # Relative path: add a thisdir entry.
+	    rpath="$rpath\$thisdir/$dir:"
+	    ;;
+	  esac
+	done
+	temp_rpath="$rpath"
+      fi
+
+      if test -n "$compile_shlibpath$finalize_shlibpath"; then
+	compile_command="$shlibpath_var=\"$compile_shlibpath$finalize_shlibpath\$$shlibpath_var\" $compile_command"
+      fi
+      if test -n "$finalize_shlibpath"; then
+	finalize_command="$shlibpath_var=\"$finalize_shlibpath\$$shlibpath_var\" $finalize_command"
+      fi
+
+      compile_var=
+      finalize_var=
+      if test -n "$runpath_var"; then
+	if test -n "$perm_rpath"; then
+	  # We should set the runpath_var.
+	  rpath=
+	  for dir in $perm_rpath; do
+	    rpath="$rpath$dir:"
+	  done
+	  compile_var="$runpath_var=\"$rpath\$$runpath_var\" "
+	fi
+	if test -n "$finalize_perm_rpath"; then
+	  # We should set the runpath_var.
+	  rpath=
+	  for dir in $finalize_perm_rpath; do
+	    rpath="$rpath$dir:"
+	  done
+	  finalize_var="$runpath_var=\"$rpath\$$runpath_var\" "
+	fi
+      fi
+
+      if test "$no_install" = yes; then
+	# We don't need to create a wrapper script.
+	link_command="$compile_var$compile_command$compile_rpath"
+	# Replace the output file specification.
+	link_command=`$echo "X$link_command" | $Xsed -e 's%@OUTPUT@%'"$output"'%g'`
+	# Delete the old output file.
+	$run $rm $output
+	# Link the executable and exit
+	$show "$link_command"
+	$run eval "$link_command" || exit $?
+	exit $EXIT_SUCCESS
+      fi
+
+      if test "$hardcode_action" = relink; then
+	# Fast installation is not supported
+	link_command="$compile_var$compile_command$compile_rpath"
+	relink_command="$finalize_var$finalize_command$finalize_rpath"
+
+	$echo "$modename: warning: this platform does not like uninstalled shared libraries" 1>&2
+	$echo "$modename: \`$output' will be relinked during installation" 1>&2
+      else
+	if test "$fast_install" != no; then
+	  link_command="$finalize_var$compile_command$finalize_rpath"
+	  if test "$fast_install" = yes; then
+	    relink_command=`$echo "X$compile_var$compile_command$compile_rpath" | $SP2NL | $Xsed -e 's%@OUTPUT@%\$progdir/\$file%g' | $NL2SP`
+	  else
+	    # fast_install is set to needless
+	    relink_command=
+	  fi
+	else
+	  link_command="$compile_var$compile_command$compile_rpath"
+	  relink_command="$finalize_var$finalize_command$finalize_rpath"
+	fi
+      fi
+
+      # Replace the output file specification.
+      link_command=`$echo "X$link_command" | $Xsed -e 's%@OUTPUT@%'"$output_objdir/$outputname"'%g'`
+
+      # Delete the old output files.
+      $run $rm $output $output_objdir/$outputname $output_objdir/lt-$outputname
+
+      $show "$link_command"
+      $run eval "$link_command" || exit $?
+
+      # Now create the wrapper script.
+      $show "creating $output"
+
+      # Quote the relink command for shipping.
+      if test -n "$relink_command"; then
+	# Preserve any variables that may affect compiler behavior
+	for var in $variables_saved_for_relink; do
+	  if eval test -z \"\${$var+set}\"; then
+	    relink_command="{ test -z \"\${$var+set}\" || unset $var || { $var=; export $var; }; }; $relink_command"
+	  elif eval var_value=\$$var; test -z "$var_value"; then
+	    relink_command="$var=; export $var; $relink_command"
+	  else
+	    var_value=`$echo "X$var_value" | $Xsed -e "$sed_quote_subst"`
+	    relink_command="$var=\"$var_value\"; export $var; $relink_command"
+	  fi
+	done
+	relink_command="(cd `pwd`; $relink_command)"
+	relink_command=`$echo "X$relink_command" | $SP2NL | $Xsed -e "$sed_quote_subst" | $NL2SP`
+      fi
+
+      # Quote $echo for shipping.
+      if test "X$echo" = "X$SHELL $progpath --fallback-echo"; then
+	case $progpath in
+	[\\/]* | [A-Za-z]:[\\/]*) qecho="$SHELL $progpath --fallback-echo";;
+	*) qecho="$SHELL `pwd`/$progpath --fallback-echo";;
+	esac
+	qecho=`$echo "X$qecho" | $Xsed -e "$sed_quote_subst"`
+      else
+	qecho=`$echo "X$echo" | $Xsed -e "$sed_quote_subst"`
+      fi
+
+      # Only actually do things if our run command is non-null.
+      if test -z "$run"; then
+	# win32 will think the script is a binary if it has
+	# a .exe suffix, so we strip it off here.
+	case $output in
+	  *.exe) output=`$echo $output|${SED} 's,.exe$,,'` ;;
+	esac
+	# test for cygwin because mv fails w/o .exe extensions
+	case $host in
+	  *cygwin*)
+	    exeext=.exe
+	    outputname=`$echo $outputname|${SED} 's,.exe$,,'` ;;
+	  *) exeext= ;;
+	esac
+	case $host in
+	  *cygwin* | *mingw* )
+            output_name=`basename $output`
+            output_path=`dirname $output`
+            cwrappersource="$output_path/$objdir/lt-$output_name.c"
+            cwrapper="$output_path/$output_name.exe"
+            $rm $cwrappersource $cwrapper
+            trap "$rm $cwrappersource $cwrapper; exit $EXIT_FAILURE" 1 2 15
+
+	    cat > $cwrappersource <<EOF
+
+/* $cwrappersource - temporary wrapper executable for $objdir/$outputname
+   Generated by $PROGRAM - GNU $PACKAGE $VERSION$TIMESTAMP
+
+   The $output program cannot be directly executed until all the libtool
+   libraries that it depends on are installed.
+
+   This wrapper executable should never be moved out of the build directory.
+   If it is, it will not operate correctly.
+
+   Currently, it simply execs the wrapper *script* "/bin/sh $output",
+   but could eventually absorb all of the scripts functionality and
+   exec $objdir/$outputname directly.
+*/
+EOF
+	    cat >> $cwrappersource<<"EOF"
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <malloc.h>
+#include <stdarg.h>
+#include <assert.h>
+#include <string.h>
+#include <ctype.h>
+#include <sys/stat.h>
+
+#if defined(PATH_MAX)
+# define LT_PATHMAX PATH_MAX
+#elif defined(MAXPATHLEN)
+# define LT_PATHMAX MAXPATHLEN
+#else
+# define LT_PATHMAX 1024
+#endif
+
+#ifndef DIR_SEPARATOR
+# define DIR_SEPARATOR '/'
+# define PATH_SEPARATOR ':'
+#endif
+
+#if defined (_WIN32) || defined (__MSDOS__) || defined (__DJGPP__) || \
+  defined (__OS2__)
+# define HAVE_DOS_BASED_FILE_SYSTEM
+# ifndef DIR_SEPARATOR_2
+#  define DIR_SEPARATOR_2 '\\'
+# endif
+# ifndef PATH_SEPARATOR_2
+#  define PATH_SEPARATOR_2 ';'
+# endif
+#endif
+
+#ifndef DIR_SEPARATOR_2
+# define IS_DIR_SEPARATOR(ch) ((ch) == DIR_SEPARATOR)
+#else /* DIR_SEPARATOR_2 */
+# define IS_DIR_SEPARATOR(ch) \
+        (((ch) == DIR_SEPARATOR) || ((ch) == DIR_SEPARATOR_2))
+#endif /* DIR_SEPARATOR_2 */
+
+#ifndef PATH_SEPARATOR_2
+# define IS_PATH_SEPARATOR(ch) ((ch) == PATH_SEPARATOR)
+#else /* PATH_SEPARATOR_2 */
+# define IS_PATH_SEPARATOR(ch) ((ch) == PATH_SEPARATOR_2)
+#endif /* PATH_SEPARATOR_2 */
+
+#define XMALLOC(type, num)      ((type *) xmalloc ((num) * sizeof(type)))
+#define XFREE(stale) do { \
+  if (stale) { free ((void *) stale); stale = 0; } \
+} while (0)
+
+/* -DDEBUG is fairly common in CFLAGS.  */
+#undef DEBUG
+#if defined DEBUGWRAPPER
+# define DEBUG(format, ...) fprintf(stderr, format, __VA_ARGS__)
+#else
+# define DEBUG(format, ...)
+#endif
+
+const char *program_name = NULL;
+
+void * xmalloc (size_t num);
+char * xstrdup (const char *string);
+const char * base_name (const char *name);
+char * find_executable(const char *wrapper);
+int    check_executable(const char *path);
+char * strendzap(char *str, const char *pat);
+void lt_fatal (const char *message, ...);
+
+int
+main (int argc, char *argv[])
+{
+  char **newargz;
+  int i;
+
+  program_name = (char *) xstrdup (base_name (argv[0]));
+  DEBUG("(main) argv[0]      : %s\n",argv[0]);
+  DEBUG("(main) program_name : %s\n",program_name);
+  newargz = XMALLOC(char *, argc+2);
+EOF
+
+            cat >> $cwrappersource <<EOF
+  newargz[0] = (char *) xstrdup("$SHELL");
+EOF
+
+            cat >> $cwrappersource <<"EOF"
+  newargz[1] = find_executable(argv[0]);
+  if (newargz[1] == NULL)
+    lt_fatal("Couldn't find %s", argv[0]);
+  DEBUG("(main) found exe at : %s\n",newargz[1]);
+  /* we know the script has the same name, without the .exe */
+  /* so make sure newargz[1] doesn't end in .exe */
+  strendzap(newargz[1],".exe");
+  for (i = 1; i < argc; i++)
+    newargz[i+1] = xstrdup(argv[i]);
+  newargz[argc+1] = NULL;
+
+  for (i=0; i<argc+1; i++)
+  {
+    DEBUG("(main) newargz[%d]   : %s\n",i,newargz[i]);
+    ;
+  }
+
+EOF
+
+            case $host_os in
+              mingw*)
+                cat >> $cwrappersource <<EOF
+  execv("$SHELL",(char const **)newargz);
+EOF
+              ;;
+              *)
+                cat >> $cwrappersource <<EOF
+  execv("$SHELL",newargz);
+EOF
+              ;;
+            esac
+
+            cat >> $cwrappersource <<"EOF"
+  return 127;
+}
+
+void *
+xmalloc (size_t num)
+{
+  void * p = (void *) malloc (num);
+  if (!p)
+    lt_fatal ("Memory exhausted");
+
+  return p;
+}
+
+char *
+xstrdup (const char *string)
+{
+  return string ? strcpy ((char *) xmalloc (strlen (string) + 1), string) : NULL
+;
+}
+
+const char *
+base_name (const char *name)
+{
+  const char *base;
+
+#if defined (HAVE_DOS_BASED_FILE_SYSTEM)
+  /* Skip over the disk name in MSDOS pathnames. */
+  if (isalpha ((unsigned char)name[0]) && name[1] == ':')
+    name += 2;
+#endif
+
+  for (base = name; *name; name++)
+    if (IS_DIR_SEPARATOR (*name))
+      base = name + 1;
+  return base;
+}
+
+int
+check_executable(const char * path)
+{
+  struct stat st;
+
+  DEBUG("(check_executable)  : %s\n", path ? (*path ? path : "EMPTY!") : "NULL!");
+  if ((!path) || (!*path))
+    return 0;
+
+  if ((stat (path, &st) >= 0) &&
+      (
+        /* MinGW & native WIN32 do not support S_IXOTH or S_IXGRP */
+#if defined (S_IXOTH)
+       ((st.st_mode & S_IXOTH) == S_IXOTH) ||
+#endif
+#if defined (S_IXGRP)
+       ((st.st_mode & S_IXGRP) == S_IXGRP) ||
+#endif
+       ((st.st_mode & S_IXUSR) == S_IXUSR))
+      )
+    return 1;
+  else
+    return 0;
+}
+
+/* Searches for the full path of the wrapper.  Returns
+   newly allocated full path name if found, NULL otherwise */
+char *
+find_executable (const char* wrapper)
+{
+  int has_slash = 0;
+  const char* p;
+  const char* p_next;
+  /* static buffer for getcwd */
+  char tmp[LT_PATHMAX + 1];
+  int tmp_len;
+  char* concat_name;
+
+  DEBUG("(find_executable)  : %s\n", wrapper ? (*wrapper ? wrapper : "EMPTY!") : "NULL!");
+
+  if ((wrapper == NULL) || (*wrapper == '\0'))
+    return NULL;
+
+  /* Absolute path? */
+#if defined (HAVE_DOS_BASED_FILE_SYSTEM)
+  if (isalpha ((unsigned char)wrapper[0]) && wrapper[1] == ':')
+  {
+    concat_name = xstrdup (wrapper);
+    if (check_executable(concat_name))
+      return concat_name;
+    XFREE(concat_name);
+  }
+  else
+  {
+#endif
+    if (IS_DIR_SEPARATOR (wrapper[0]))
+    {
+      concat_name = xstrdup (wrapper);
+      if (check_executable(concat_name))
+        return concat_name;
+      XFREE(concat_name);
+    }
+#if defined (HAVE_DOS_BASED_FILE_SYSTEM)
+  }
+#endif
+
+  for (p = wrapper; *p; p++)
+    if (*p == '/')
+    {
+      has_slash = 1;
+      break;
+    }
+  if (!has_slash)
+  {
+    /* no slashes; search PATH */
+    const char* path = getenv ("PATH");
+    if (path != NULL)
+    {
+      for (p = path; *p; p = p_next)
+      {
+        const char* q;
+        size_t p_len;
+        for (q = p; *q; q++)
+          if (IS_PATH_SEPARATOR(*q))
+            break;
+        p_len = q - p;
+        p_next = (*q == '\0' ? q : q + 1);
+        if (p_len == 0)
+        {
+          /* empty path: current directory */
+          if (getcwd (tmp, LT_PATHMAX) == NULL)
+            lt_fatal ("getcwd failed");
+          tmp_len = strlen(tmp);
+          concat_name = XMALLOC(char, tmp_len + 1 + strlen(wrapper) + 1);
+          memcpy (concat_name, tmp, tmp_len);
+          concat_name[tmp_len] = '/';
+          strcpy (concat_name + tmp_len + 1, wrapper);
+        }
+        else
+        {
+          concat_name = XMALLOC(char, p_len + 1 + strlen(wrapper) + 1);
+          memcpy (concat_name, p, p_len);
+          concat_name[p_len] = '/';
+          strcpy (concat_name + p_len + 1, wrapper);
+        }
+        if (check_executable(concat_name))
+          return concat_name;
+        XFREE(concat_name);
+      }
+    }
+    /* not found in PATH; assume curdir */
+  }
+  /* Relative path | not found in path: prepend cwd */
+  if (getcwd (tmp, LT_PATHMAX) == NULL)
+    lt_fatal ("getcwd failed");
+  tmp_len = strlen(tmp);
+  concat_name = XMALLOC(char, tmp_len + 1 + strlen(wrapper) + 1);
+  memcpy (concat_name, tmp, tmp_len);
+  concat_name[tmp_len] = '/';
+  strcpy (concat_name + tmp_len + 1, wrapper);
+
+  if (check_executable(concat_name))
+    return concat_name;
+  XFREE(concat_name);
+  return NULL;
+}
+
+char *
+strendzap(char *str, const char *pat)
+{
+  size_t len, patlen;
+
+  assert(str != NULL);
+  assert(pat != NULL);
+
+  len = strlen(str);
+  patlen = strlen(pat);
+
+  if (patlen <= len)
+  {
+    str += len - patlen;
+    if (strcmp(str, pat) == 0)
+      *str = '\0';
+  }
+  return str;
+}
+
+static void
+lt_error_core (int exit_status, const char * mode,
+          const char * message, va_list ap)
+{
+  fprintf (stderr, "%s: %s: ", program_name, mode);
+  vfprintf (stderr, message, ap);
+  fprintf (stderr, ".\n");
+
+  if (exit_status >= 0)
+    exit (exit_status);
+}
+
+void
+lt_fatal (const char *message, ...)
+{
+  va_list ap;
+  va_start (ap, message);
+  lt_error_core (EXIT_FAILURE, "FATAL", message, ap);
+  va_end (ap);
+}
+EOF
+          # we should really use a build-platform specific compiler
+          # here, but OTOH, the wrappers (shell script and this C one)
+          # are only useful if you want to execute the "real" binary.
+          # Since the "real" binary is built for $host, then this
+          # wrapper might as well be built for $host, too.
+          $run $LTCC $LTCFLAGS -s -o $cwrapper $cwrappersource
+          ;;
+        esac
+        $rm $output
+        trap "$rm $output; exit $EXIT_FAILURE" 1 2 15
+
+	$echo > $output "\
+#! $SHELL
+
+# $output - temporary wrapper script for $objdir/$outputname
+# Generated by $PROGRAM - GNU $PACKAGE $VERSION$TIMESTAMP
+#
+# The $output program cannot be directly executed until all the libtool
+# libraries that it depends on are installed.
+#
+# This wrapper script should never be moved out of the build directory.
+# If it is, it will not operate correctly.
+
+# Sed substitution that helps us do robust quoting.  It backslashifies
+# metacharacters that are still active within double-quoted strings.
+Xsed='${SED} -e 1s/^X//'
+sed_quote_subst='$sed_quote_subst'
+
+# Be Bourne compatible (taken from Autoconf:_AS_BOURNE_COMPATIBLE).
+if test -n \"\${ZSH_VERSION+set}\" && (emulate sh) >/dev/null 2>&1; then
+  emulate sh
+  NULLCMD=:
+  # Zsh 3.x and 4.x performs word splitting on \${1+\"\$@\"}, which
+  # is contrary to our usage.  Disable this feature.
+  alias -g '\${1+\"\$@\"}'='\"\$@\"'
+  setopt NO_GLOB_SUBST
+else
+  case \`(set -o) 2>/dev/null\` in *posix*) set -o posix;; esac
+fi
+BIN_SH=xpg4; export BIN_SH # for Tru64
+DUALCASE=1; export DUALCASE # for MKS sh
+
+# The HP-UX ksh and POSIX shell print the target directory to stdout
+# if CDPATH is set.
+(unset CDPATH) >/dev/null 2>&1 && unset CDPATH
+
+relink_command=\"$relink_command\"
+
+# This environment variable determines our operation mode.
+if test \"\$libtool_install_magic\" = \"$magic\"; then
+  # install mode needs the following variable:
+  notinst_deplibs='$notinst_deplibs'
+else
+  # When we are sourced in execute mode, \$file and \$echo are already set.
+  if test \"\$libtool_execute_magic\" != \"$magic\"; then
+    echo=\"$qecho\"
+    file=\"\$0\"
+    # Make sure echo works.
+    if test \"X\$1\" = X--no-reexec; then
+      # Discard the --no-reexec flag, and continue.
+      shift
+    elif test \"X\`(\$echo '\t') 2>/dev/null\`\" = 'X\t'; then
+      # Yippee, \$echo works!
+      :
+    else
+      # Restart under the correct shell, and then maybe \$echo will work.
+      exec $SHELL \"\$0\" --no-reexec \${1+\"\$@\"}
+    fi
+  fi\
+"
+	$echo >> $output "\
+
+  # Find the directory that this script lives in.
+  thisdir=\`\$echo \"X\$file\" | \$Xsed -e 's%/[^/]*$%%'\`
+  test \"x\$thisdir\" = \"x\$file\" && thisdir=.
+
+  # Follow symbolic links until we get to the real thisdir.
+  file=\`ls -ld \"\$file\" | ${SED} -n 's/.*-> //p'\`
+  while test -n \"\$file\"; do
+    destdir=\`\$echo \"X\$file\" | \$Xsed -e 's%/[^/]*\$%%'\`
+
+    # If there was a directory component, then change thisdir.
+    if test \"x\$destdir\" != \"x\$file\"; then
+      case \"\$destdir\" in
+      [\\\\/]* | [A-Za-z]:[\\\\/]*) thisdir=\"\$destdir\" ;;
+      *) thisdir=\"\$thisdir/\$destdir\" ;;
+      esac
+    fi
+
+    file=\`\$echo \"X\$file\" | \$Xsed -e 's%^.*/%%'\`
+    file=\`ls -ld \"\$thisdir/\$file\" | ${SED} -n 's/.*-> //p'\`
+  done
+
+  # Try to get the absolute directory name.
+  absdir=\`cd \"\$thisdir\" && pwd\`
+  test -n \"\$absdir\" && thisdir=\"\$absdir\"
+"
+
+	if test "$fast_install" = yes; then
+	  $echo >> $output "\
+  program=lt-'$outputname'$exeext
+  progdir=\"\$thisdir/$objdir\"
+
+  if test ! -f \"\$progdir/\$program\" || \\
+     { file=\`ls -1dt \"\$progdir/\$program\" \"\$progdir/../\$program\" 2>/dev/null | ${SED} 1q\`; \\
+       test \"X\$file\" != \"X\$progdir/\$program\"; }; then
+
+    file=\"\$\$-\$program\"
+
+    if test ! -d \"\$progdir\"; then
+      $mkdir \"\$progdir\"
+    else
+      $rm \"\$progdir/\$file\"
+    fi"
+
+	  $echo >> $output "\
+
+    # relink executable if necessary
+    if test -n \"\$relink_command\"; then
+      if relink_command_output=\`eval \$relink_command 2>&1\`; then :
+      else
+	$echo \"\$relink_command_output\" >&2
+	$rm \"\$progdir/\$file\"
+	exit $EXIT_FAILURE
+      fi
+    fi
+
+    $mv \"\$progdir/\$file\" \"\$progdir/\$program\" 2>/dev/null ||
+    { $rm \"\$progdir/\$program\";
+      $mv \"\$progdir/\$file\" \"\$progdir/\$program\"; }
+    $rm \"\$progdir/\$file\"
+  fi"
+	else
+	  $echo >> $output "\
+  program='$outputname'
+  progdir=\"\$thisdir/$objdir\"
+"
+	fi
+
+	$echo >> $output "\
+
+  if test -f \"\$progdir/\$program\"; then"
+
+	# Export our shlibpath_var if we have one.
+	if test "$shlibpath_overrides_runpath" = yes && test -n "$shlibpath_var" && test -n "$temp_rpath"; then
+	  $echo >> $output "\
+    # Add our own library path to $shlibpath_var
+    $shlibpath_var=\"$temp_rpath\$$shlibpath_var\"
+
+    # Some systems cannot cope with colon-terminated $shlibpath_var
+    # The second colon is a workaround for a bug in BeOS R4 sed
+    $shlibpath_var=\`\$echo \"X\$$shlibpath_var\" | \$Xsed -e 's/::*\$//'\`
+
+    export $shlibpath_var
+"
+	fi
+
+	# fixup the dll searchpath if we need to.
+	if test -n "$dllsearchpath"; then
+	  $echo >> $output "\
+    # Add the dll search path components to the executable PATH
+    PATH=$dllsearchpath:\$PATH
+"
+	fi
+
+	$echo >> $output "\
+    if test \"\$libtool_execute_magic\" != \"$magic\"; then
+      # Run the actual program with our arguments.
+"
+	case $host in
+	# Backslashes separate directories on plain windows
+	*-*-mingw | *-*-os2*)
+	  $echo >> $output "\
+      exec \"\$progdir\\\\\$program\" \${1+\"\$@\"}
+"
+	  ;;
+
+	*)
+	  $echo >> $output "\
+      exec \"\$progdir/\$program\" \${1+\"\$@\"}
+"
+	  ;;
+	esac
+	$echo >> $output "\
+      \$echo \"\$0: cannot exec \$program \$*\"
+      exit $EXIT_FAILURE
+    fi
+  else
+    # The program doesn't exist.
+    \$echo \"\$0: error: \\\`\$progdir/\$program' does not exist\" 1>&2
+    \$echo \"This script is just a wrapper for \$program.\" 1>&2
+    $echo \"See the $PACKAGE documentation for more information.\" 1>&2
+    exit $EXIT_FAILURE
+  fi
+fi\
+"
+	chmod +x $output
+      fi
+      exit $EXIT_SUCCESS
+      ;;
+    esac
+
+    # See if we need to build an old-fashioned archive.
+    for oldlib in $oldlibs; do
+
+      if test "$build_libtool_libs" = convenience; then
+	oldobjs="$libobjs_save"
+	addlibs="$convenience"
+	build_libtool_libs=no
+      else
+	if test "$build_libtool_libs" = module; then
+	  oldobjs="$libobjs_save"
+	  build_libtool_libs=no
+	else
+	  oldobjs="$old_deplibs $non_pic_objects"
+	fi
+	addlibs="$old_convenience"
+      fi
+
+      if test -n "$addlibs"; then
+	gentop="$output_objdir/${outputname}x"
+	generated="$generated $gentop"
+
+	func_extract_archives $gentop $addlibs
+	oldobjs="$oldobjs $func_extract_archives_result"
+      fi
+
+      # Do each command in the archive commands.
+      if test -n "$old_archive_from_new_cmds" && test "$build_libtool_libs" = yes; then
+       cmds=$old_archive_from_new_cmds
+      else
+	# POSIX demands no paths to be encoded in archives.  We have
+	# to avoid creating archives with duplicate basenames if we
+	# might have to extract them afterwards, e.g., when creating a
+	# static archive out of a convenience library, or when linking
+	# the entirety of a libtool archive into another (currently
+	# not supported by libtool).
+	if (for obj in $oldobjs
+	    do
+	      $echo "X$obj" | $Xsed -e 's%^.*/%%'
+	    done | sort | sort -uc >/dev/null 2>&1); then
+	  :
+	else
+	  $echo "copying selected object files to avoid basename conflicts..."
+
+	  if test -z "$gentop"; then
+	    gentop="$output_objdir/${outputname}x"
+	    generated="$generated $gentop"
+
+	    $show "${rm}r $gentop"
+	    $run ${rm}r "$gentop"
+	    $show "$mkdir $gentop"
+	    $run $mkdir "$gentop"
+	    exit_status=$?
+	    if test "$exit_status" -ne 0 && test ! -d "$gentop"; then
+	      exit $exit_status
+	    fi
+	  fi
+
+	  save_oldobjs=$oldobjs
+	  oldobjs=
+	  counter=1
+	  for obj in $save_oldobjs
+	  do
+	    objbase=`$echo "X$obj" | $Xsed -e 's%^.*/%%'`
+	    case " $oldobjs " in
+	    " ") oldobjs=$obj ;;
+	    *[\ /]"$objbase "*)
+	      while :; do
+		# Make sure we don't pick an alternate name that also
+		# overlaps.
+		newobj=lt$counter-$objbase
+		counter=`expr $counter + 1`
+		case " $oldobjs " in
+		*[\ /]"$newobj "*) ;;
+		*) if test ! -f "$gentop/$newobj"; then break; fi ;;
+		esac
+	      done
+	      $show "ln $obj $gentop/$newobj || cp $obj $gentop/$newobj"
+	      $run ln "$obj" "$gentop/$newobj" ||
+	      $run cp "$obj" "$gentop/$newobj"
+	      oldobjs="$oldobjs $gentop/$newobj"
+	      ;;
+	    *) oldobjs="$oldobjs $obj" ;;
+	    esac
+	  done
+	fi
+
+	eval cmds=\"$old_archive_cmds\"
+
+	if len=`expr "X$cmds" : ".*"` &&
+	     test "$len" -le "$max_cmd_len" || test "$max_cmd_len" -le -1; then
+	  cmds=$old_archive_cmds
+	else
+	  # the command line is too long to link in one step, link in parts
+	  $echo "using piecewise archive linking..."
+	  save_RANLIB=$RANLIB
+	  RANLIB=:
+	  objlist=
+	  concat_cmds=
+	  save_oldobjs=$oldobjs
+
+	  # Is there a better way of finding the last object in the list?
+	  for obj in $save_oldobjs
+	  do
+	    last_oldobj=$obj
+	  done
+	  for obj in $save_oldobjs
+	  do
+	    oldobjs="$objlist $obj"
+	    objlist="$objlist $obj"
+	    eval test_cmds=\"$old_archive_cmds\"
+	    if len=`expr "X$test_cmds" : ".*" 2>/dev/null` &&
+	       test "$len" -le "$max_cmd_len"; then
+	      :
+	    else
+	      # the above command should be used before it gets too long
+	      oldobjs=$objlist
+	      if test "$obj" = "$last_oldobj" ; then
+	        RANLIB=$save_RANLIB
+	      fi
+	      test -z "$concat_cmds" || concat_cmds=$concat_cmds~
+	      eval concat_cmds=\"\${concat_cmds}$old_archive_cmds\"
+	      objlist=
+	    fi
+	  done
+	  RANLIB=$save_RANLIB
+	  oldobjs=$objlist
+	  if test "X$oldobjs" = "X" ; then
+	    eval cmds=\"\$concat_cmds\"
+	  else
+	    eval cmds=\"\$concat_cmds~\$old_archive_cmds\"
+	  fi
+	fi
+      fi
+      save_ifs="$IFS"; IFS='~'
+      for cmd in $cmds; do
+        eval cmd=\"$cmd\"
+	IFS="$save_ifs"
+	$show "$cmd"
+	$run eval "$cmd" || exit $?
+      done
+      IFS="$save_ifs"
+    done
+
+    if test -n "$generated"; then
+      $show "${rm}r$generated"
+      $run ${rm}r$generated
+    fi
+
+    # Now create the libtool archive.
+    case $output in
+    *.la)
+      old_library=
+      test "$build_old_libs" = yes && old_library="$libname.$libext"
+      $show "creating $output"
+
+      # Preserve any variables that may affect compiler behavior
+      for var in $variables_saved_for_relink; do
+	if eval test -z \"\${$var+set}\"; then
+	  relink_command="{ test -z \"\${$var+set}\" || unset $var || { $var=; export $var; }; }; $relink_command"
+	elif eval var_value=\$$var; test -z "$var_value"; then
+	  relink_command="$var=; export $var; $relink_command"
+	else
+	  var_value=`$echo "X$var_value" | $Xsed -e "$sed_quote_subst"`
+	  relink_command="$var=\"$var_value\"; export $var; $relink_command"
+	fi
+      done
+      # Quote the link command for shipping.
+      relink_command="(cd `pwd`; $SHELL $progpath $preserve_args --mode=relink $libtool_args @inst_prefix_dir@)"
+      relink_command=`$echo "X$relink_command" | $SP2NL | $Xsed -e "$sed_quote_subst" | $NL2SP`
+      if test "$hardcode_automatic" = yes ; then
+	relink_command=
+      fi
+
+
+      # Only create the output if not a dry run.
+      if test -z "$run"; then
+	for installed in no yes; do
+	  if test "$installed" = yes; then
+	    if test -z "$install_libdir"; then
+	      break
+	    fi
+	    output="$output_objdir/$outputname"i
+	    # Replace all uninstalled libtool libraries with the installed ones
+	    newdependency_libs=
+	    for deplib in $dependency_libs; do
+	      case $deplib in
+	      *.la)
+		name=`$echo "X$deplib" | $Xsed -e 's%^.*/%%'`
+		eval libdir=`${SED} -n -e 's/^libdir=\(.*\)$/\1/p' $deplib`
+		if test -z "$libdir"; then
+		  $echo "$modename: \`$deplib' is not a valid libtool archive" 1>&2
+		  exit $EXIT_FAILURE
+		fi
+		newdependency_libs="$newdependency_libs $libdir/$name"
+		;;
+	      *) newdependency_libs="$newdependency_libs $deplib" ;;
+	      esac
+	    done
+	    dependency_libs="$newdependency_libs"
+	    newdlfiles=
+	    for lib in $dlfiles; do
+	      name=`$echo "X$lib" | $Xsed -e 's%^.*/%%'`
+	      eval libdir=`${SED} -n -e 's/^libdir=\(.*\)$/\1/p' $lib`
+	      if test -z "$libdir"; then
+		$echo "$modename: \`$lib' is not a valid libtool archive" 1>&2
+		exit $EXIT_FAILURE
+	      fi
+	      newdlfiles="$newdlfiles $libdir/$name"
+	    done
+	    dlfiles="$newdlfiles"
+	    newdlprefiles=
+	    for lib in $dlprefiles; do
+	      name=`$echo "X$lib" | $Xsed -e 's%^.*/%%'`
+	      eval libdir=`${SED} -n -e 's/^libdir=\(.*\)$/\1/p' $lib`
+	      if test -z "$libdir"; then
+		$echo "$modename: \`$lib' is not a valid libtool archive" 1>&2
+		exit $EXIT_FAILURE
+	      fi
+	      newdlprefiles="$newdlprefiles $libdir/$name"
+	    done
+	    dlprefiles="$newdlprefiles"
+	  else
+	    newdlfiles=
+	    for lib in $dlfiles; do
+	      case $lib in
+		[\\/]* | [A-Za-z]:[\\/]*) abs="$lib" ;;
+		*) abs=`pwd`"/$lib" ;;
+	      esac
+	      newdlfiles="$newdlfiles $abs"
+	    done
+	    dlfiles="$newdlfiles"
+	    newdlprefiles=
+	    for lib in $dlprefiles; do
+	      case $lib in
+		[\\/]* | [A-Za-z]:[\\/]*) abs="$lib" ;;
+		*) abs=`pwd`"/$lib" ;;
+	      esac
+	      newdlprefiles="$newdlprefiles $abs"
+	    done
+	    dlprefiles="$newdlprefiles"
+	  fi
+	  $rm $output
+	  # place dlname in correct position for cygwin
+	  tdlname=$dlname
+	  case $host,$output,$installed,$module,$dlname in
+	    *cygwin*,*lai,yes,no,*.dll | *mingw*,*lai,yes,no,*.dll) tdlname=../bin/$dlname ;;
+	  esac
+	  $echo > $output "\
+# $outputname - a libtool library file
+# Generated by $PROGRAM - GNU $PACKAGE $VERSION$TIMESTAMP
+#
+# Please DO NOT delete this file!
+# It is necessary for linking the library.
+
+# The name that we can dlopen(3).
+dlname='$tdlname'
+
+# Names of this library.
+library_names='$library_names'
+
+# The name of the static archive.
+old_library='$old_library'
+
+# Libraries that this one depends upon.
+dependency_libs='$dependency_libs'
+
+# Version information for $libname.
+current=$current
+age=$age
+revision=$revision
+
+# Is this an already installed library?
+installed=$installed
+
+# Should we warn about portability when linking against -modules?
+shouldnotlink=$module
+
+# Files to dlopen/dlpreopen
+dlopen='$dlfiles'
+dlpreopen='$dlprefiles'
+
+# Directory that this library needs to be installed in:
+libdir='$install_libdir'"
+	  if test "$installed" = no && test "$need_relink" = yes; then
+	    $echo >> $output "\
+relink_command=\"$relink_command\""
+	  fi
+	done
+      fi
+
+      # Do a symbolic link so that the libtool archive can be found in
+      # LD_LIBRARY_PATH before the program is installed.
+      $show "(cd $output_objdir && $rm $outputname && $LN_S ../$outputname $outputname)"
+      $run eval '(cd $output_objdir && $rm $outputname && $LN_S ../$outputname $outputname)' || exit $?
+      ;;
+    esac
+    exit $EXIT_SUCCESS
+    ;;
+
+  # libtool install mode
+  install)
+    modename="$modename: install"
+
+    # There may be an optional sh(1) argument at the beginning of
+    # install_prog (especially on Windows NT).
+    if test "$nonopt" = "$SHELL" || test "$nonopt" = /bin/sh ||
+       # Allow the use of GNU shtool's install command.
+       $echo "X$nonopt" | grep shtool > /dev/null; then
+      # Aesthetically quote it.
+      arg=`$echo "X$nonopt" | $Xsed -e "$sed_quote_subst"`
+      case $arg in
+      *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*|"")
+	arg="\"$arg\""
+	;;
+      esac
+      install_prog="$arg "
+      arg="$1"
+      shift
+    else
+      install_prog=
+      arg=$nonopt
+    fi
+
+    # The real first argument should be the name of the installation program.
+    # Aesthetically quote it.
+    arg=`$echo "X$arg" | $Xsed -e "$sed_quote_subst"`
+    case $arg in
+    *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*|"")
+      arg="\"$arg\""
+      ;;
+    esac
+    install_prog="$install_prog$arg"
+
+    # We need to accept at least all the BSD install flags.
+    dest=
+    files=
+    opts=
+    prev=
+    install_type=
+    isdir=no
+    stripme=
+    for arg
+    do
+      if test -n "$dest"; then
+	files="$files $dest"
+	dest=$arg
+	continue
+      fi
+
+      case $arg in
+      -d) isdir=yes ;;
+      -f) 
+      	case " $install_prog " in
+	*[\\\ /]cp\ *) ;;
+	*) prev=$arg ;;
+	esac
+	;;
+      -g | -m | -o) prev=$arg ;;
+      -s)
+	stripme=" -s"
+	continue
+	;;
+      -*)
+	;;
+      *)
+	# If the previous option needed an argument, then skip it.
+	if test -n "$prev"; then
+	  prev=
+	else
+	  dest=$arg
+	  continue
+	fi
+	;;
+      esac
+
+      # Aesthetically quote the argument.
+      arg=`$echo "X$arg" | $Xsed -e "$sed_quote_subst"`
+      case $arg in
+      *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*|"")
+	arg="\"$arg\""
+	;;
+      esac
+      install_prog="$install_prog $arg"
+    done
+
+    if test -z "$install_prog"; then
+      $echo "$modename: you must specify an install program" 1>&2
+      $echo "$help" 1>&2
+      exit $EXIT_FAILURE
+    fi
+
+    if test -n "$prev"; then
+      $echo "$modename: the \`$prev' option requires an argument" 1>&2
+      $echo "$help" 1>&2
+      exit $EXIT_FAILURE
+    fi
+
+    if test -z "$files"; then
+      if test -z "$dest"; then
+	$echo "$modename: no file or destination specified" 1>&2
+      else
+	$echo "$modename: you must specify a destination" 1>&2
+      fi
+      $echo "$help" 1>&2
+      exit $EXIT_FAILURE
+    fi
+
+    # Strip any trailing slash from the destination.
+    dest=`$echo "X$dest" | $Xsed -e 's%/$%%'`
+
+    # Check to see that the destination is a directory.
+    test -d "$dest" && isdir=yes
+    if test "$isdir" = yes; then
+      destdir="$dest"
+      destname=
+    else
+      destdir=`$echo "X$dest" | $Xsed -e 's%/[^/]*$%%'`
+      test "X$destdir" = "X$dest" && destdir=.
+      destname=`$echo "X$dest" | $Xsed -e 's%^.*/%%'`
+
+      # Not a directory, so check to see that there is only one file specified.
+      set dummy $files
+      if test "$#" -gt 2; then
+	$echo "$modename: \`$dest' is not a directory" 1>&2
+	$echo "$help" 1>&2
+	exit $EXIT_FAILURE
+      fi
+    fi
+    case $destdir in
+    [\\/]* | [A-Za-z]:[\\/]*) ;;
+    *)
+      for file in $files; do
+	case $file in
+	*.lo) ;;
+	*)
+	  $echo "$modename: \`$destdir' must be an absolute directory name" 1>&2
+	  $echo "$help" 1>&2
+	  exit $EXIT_FAILURE
+	  ;;
+	esac
+      done
+      ;;
+    esac
+
+    # This variable tells wrapper scripts just to set variables rather
+    # than running their programs.
+    libtool_install_magic="$magic"
+
+    staticlibs=
+    future_libdirs=
+    current_libdirs=
+    for file in $files; do
+
+      # Do each installation.
+      case $file in
+      *.$libext)
+	# Do the static libraries later.
+	staticlibs="$staticlibs $file"
+	;;
+
+      *.la)
+	# Check to see that this really is a libtool archive.
+	if (${SED} -e '2q' $file | grep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then :
+	else
+	  $echo "$modename: \`$file' is not a valid libtool archive" 1>&2
+	  $echo "$help" 1>&2
+	  exit $EXIT_FAILURE
+	fi
+
+	library_names=
+	old_library=
+	relink_command=
+	# If there is no directory component, then add one.
+	case $file in
+	*/* | *\\*) . $file ;;
+	*) . ./$file ;;
+	esac
+
+	# Add the libdir to current_libdirs if it is the destination.
+	if test "X$destdir" = "X$libdir"; then
+	  case "$current_libdirs " in
+	  *" $libdir "*) ;;
+	  *) current_libdirs="$current_libdirs $libdir" ;;
+	  esac
+	else
+	  # Note the libdir as a future libdir.
+	  case "$future_libdirs " in
+	  *" $libdir "*) ;;
+	  *) future_libdirs="$future_libdirs $libdir" ;;
+	  esac
+	fi
+
+	dir=`$echo "X$file" | $Xsed -e 's%/[^/]*$%%'`/
+	test "X$dir" = "X$file/" && dir=
+	dir="$dir$objdir"
+
+	if test -n "$relink_command"; then
+	  # Determine the prefix the user has applied to our future dir.
+	  inst_prefix_dir=`$echo "$destdir" | $SED "s%$libdir\$%%"`
+
+	  # Don't allow the user to place us outside of our expected
+	  # location b/c this prevents finding dependent libraries that
+	  # are installed to the same prefix.
+	  # At present, this check doesn't affect windows .dll's that
+	  # are installed into $libdir/../bin (currently, that works fine)
+	  # but it's something to keep an eye on.
+	  if test "$inst_prefix_dir" = "$destdir"; then
+	    $echo "$modename: error: cannot install \`$file' to a directory not ending in $libdir" 1>&2
+	    exit $EXIT_FAILURE
+	  fi
+
+	  if test -n "$inst_prefix_dir"; then
+	    # Stick the inst_prefix_dir data into the link command.
+	    relink_command=`$echo "$relink_command" | $SP2NL | $SED "s%@inst_prefix_dir@%-inst-prefix-dir $inst_prefix_dir%" | $NL2SP`
+	  else
+	    relink_command=`$echo "$relink_command" | $SP2NL | $SED "s%@inst_prefix_dir@%%" | $NL2SP`
+	  fi
+
+	  $echo "$modename: warning: relinking \`$file'" 1>&2
+	  $show "$relink_command"
+	  if $run eval "$relink_command"; then :
+	  else
+	    $echo "$modename: error: relink \`$file' with the above command before installing it" 1>&2
+	    exit $EXIT_FAILURE
+	  fi
+	fi
+
+	# See the names of the shared library.
+	set dummy $library_names
+	if test -n "$2"; then
+	  realname="$2"
+	  shift
+	  shift
+
+	  srcname="$realname"
+	  test -n "$relink_command" && srcname="$realname"T
+
+	  # Install the shared library and build the symlinks.
+	  $show "$install_prog $dir/$srcname $destdir/$realname"
+	  $run eval "$install_prog $dir/$srcname $destdir/$realname" || exit $?
+	  if test -n "$stripme" && test -n "$striplib"; then
+	    $show "$striplib $destdir/$realname"
+	    $run eval "$striplib $destdir/$realname" || exit $?
+	  fi
+
+	  if test "$#" -gt 0; then
+	    # Delete the old symlinks, and create new ones.
+	    # Try `ln -sf' first, because the `ln' binary might depend on
+	    # the symlink we replace!  Solaris /bin/ln does not understand -f,
+	    # so we also need to try rm && ln -s.
+	    for linkname
+	    do
+	      if test "$linkname" != "$realname"; then
+                $show "(cd $destdir && { $LN_S -f $realname $linkname || { $rm $linkname && $LN_S $realname $linkname; }; })"
+                $run eval "(cd $destdir && { $LN_S -f $realname $linkname || { $rm $linkname && $LN_S $realname $linkname; }; })"
+	      fi
+	    done
+	  fi
+
+	  # Do each command in the postinstall commands.
+	  lib="$destdir/$realname"
+	  cmds=$postinstall_cmds
+	  save_ifs="$IFS"; IFS='~'
+	  for cmd in $cmds; do
+	    IFS="$save_ifs"
+	    eval cmd=\"$cmd\"
+	    $show "$cmd"
+	    $run eval "$cmd" || {
+	      lt_exit=$?
+
+	      # Restore the uninstalled library and exit
+	      if test "$mode" = relink; then
+		$run eval '(cd $output_objdir && $rm ${realname}T && $mv ${realname}U $realname)'
+	      fi
+
+	      exit $lt_exit
+	    }
+	  done
+	  IFS="$save_ifs"
+	fi
+
+	# Install the pseudo-library for information purposes.
+	name=`$echo "X$file" | $Xsed -e 's%^.*/%%'`
+	instname="$dir/$name"i
+	$show "$install_prog $instname $destdir/$name"
+	$run eval "$install_prog $instname $destdir/$name" || exit $?
+
+	# Maybe install the static library, too.
+	test -n "$old_library" && staticlibs="$staticlibs $dir/$old_library"
+	;;
+
+      *.lo)
+	# Install (i.e. copy) a libtool object.
+
+	# Figure out destination file name, if it wasn't already specified.
+	if test -n "$destname"; then
+	  destfile="$destdir/$destname"
+	else
+	  destfile=`$echo "X$file" | $Xsed -e 's%^.*/%%'`
+	  destfile="$destdir/$destfile"
+	fi
+
+	# Deduce the name of the destination old-style object file.
+	case $destfile in
+	*.lo)
+	  staticdest=`$echo "X$destfile" | $Xsed -e "$lo2o"`
+	  ;;
+	*.$objext)
+	  staticdest="$destfile"
+	  destfile=
+	  ;;
+	*)
+	  $echo "$modename: cannot copy a libtool object to \`$destfile'" 1>&2
+	  $echo "$help" 1>&2
+	  exit $EXIT_FAILURE
+	  ;;
+	esac
+
+	# Install the libtool object if requested.
+	if test -n "$destfile"; then
+	  $show "$install_prog $file $destfile"
+	  $run eval "$install_prog $file $destfile" || exit $?
+	fi
+
+	# Install the old object if enabled.
+	if test "$build_old_libs" = yes; then
+	  # Deduce the name of the old-style object file.
+	  staticobj=`$echo "X$file" | $Xsed -e "$lo2o"`
+
+	  $show "$install_prog $staticobj $staticdest"
+	  $run eval "$install_prog \$staticobj \$staticdest" || exit $?
+	fi
+	exit $EXIT_SUCCESS
+	;;
+
+      *)
+	# Figure out destination file name, if it wasn't already specified.
+	if test -n "$destname"; then
+	  destfile="$destdir/$destname"
+	else
+	  destfile=`$echo "X$file" | $Xsed -e 's%^.*/%%'`
+	  destfile="$destdir/$destfile"
+	fi
+
+	# If the file is missing, and there is a .exe on the end, strip it
+	# because it is most likely a libtool script we actually want to
+	# install
+	stripped_ext=""
+	case $file in
+	  *.exe)
+	    if test ! -f "$file"; then
+	      file=`$echo $file|${SED} 's,.exe$,,'`
+	      stripped_ext=".exe"
+	    fi
+	    ;;
+	esac
+
+	# Do a test to see if this is really a libtool program.
+	case $host in
+	*cygwin*|*mingw*)
+	    wrapper=`$echo $file | ${SED} -e 's,.exe$,,'`
+	    ;;
+	*)
+	    wrapper=$file
+	    ;;
+	esac
+	if (${SED} -e '4q' $wrapper | grep "^# Generated by .*$PACKAGE")>/dev/null 2>&1; then
+	  notinst_deplibs=
+	  relink_command=
+
+	  # Note that it is not necessary on cygwin/mingw to append a dot to
+	  # foo even if both foo and FILE.exe exist: automatic-append-.exe
+	  # behavior happens only for exec(3), not for open(2)!  Also, sourcing
+	  # `FILE.' does not work on cygwin managed mounts.
+	  #
+	  # If there is no directory component, then add one.
+	  case $wrapper in
+	  */* | *\\*) . ${wrapper} ;;
+	  *) . ./${wrapper} ;;
+	  esac
+
+	  # Check the variables that should have been set.
+	  if test -z "$notinst_deplibs"; then
+	    $echo "$modename: invalid libtool wrapper script \`$wrapper'" 1>&2
+	    exit $EXIT_FAILURE
+	  fi
+
+	  finalize=yes
+	  for lib in $notinst_deplibs; do
+	    # Check to see that each library is installed.
+	    libdir=
+	    if test -f "$lib"; then
+	      # If there is no directory component, then add one.
+	      case $lib in
+	      */* | *\\*) . $lib ;;
+	      *) . ./$lib ;;
+	      esac
+	    fi
+	    libfile="$libdir/"`$echo "X$lib" | $Xsed -e 's%^.*/%%g'` ### testsuite: skip nested quoting test
+	    if test -n "$libdir" && test ! -f "$libfile"; then
+	      $echo "$modename: warning: \`$lib' has not been installed in \`$libdir'" 1>&2
+	      finalize=no
+	    fi
+	  done
+
+	  relink_command=
+	  # Note that it is not necessary on cygwin/mingw to append a dot to
+	  # foo even if both foo and FILE.exe exist: automatic-append-.exe
+	  # behavior happens only for exec(3), not for open(2)!  Also, sourcing
+	  # `FILE.' does not work on cygwin managed mounts.
+	  #
+	  # If there is no directory component, then add one.
+	  case $wrapper in
+	  */* | *\\*) . ${wrapper} ;;
+	  *) . ./${wrapper} ;;
+	  esac
+
+	  outputname=
+	  if test "$fast_install" = no && test -n "$relink_command"; then
+	    if test "$finalize" = yes && test -z "$run"; then
+	      tmpdir=`func_mktempdir`
+	      file=`$echo "X$file$stripped_ext" | $Xsed -e 's%^.*/%%'`
+	      outputname="$tmpdir/$file"
+	      # Replace the output file specification.
+	      relink_command=`$echo "X$relink_command" | $SP2NL | $Xsed -e 's%@OUTPUT@%'"$outputname"'%g' | $NL2SP`
+
+	      $show "$relink_command"
+	      if $run eval "$relink_command"; then :
+	      else
+		$echo "$modename: error: relink \`$file' with the above command before installing it" 1>&2
+		${rm}r "$tmpdir"
+		continue
+	      fi
+	      file="$outputname"
+	    else
+	      $echo "$modename: warning: cannot relink \`$file'" 1>&2
+	    fi
+	  else
+	    # Install the binary that we compiled earlier.
+	    file=`$echo "X$file$stripped_ext" | $Xsed -e "s%\([^/]*\)$%$objdir/\1%"`
+	  fi
+	fi
+
+	# remove .exe since cygwin /usr/bin/install will append another
+	# one anyway 
+	case $install_prog,$host in
+	*/usr/bin/install*,*cygwin*)
+	  case $file:$destfile in
+	  *.exe:*.exe)
+	    # this is ok
+	    ;;
+	  *.exe:*)
+	    destfile=$destfile.exe
+	    ;;
+	  *:*.exe)
+	    destfile=`$echo $destfile | ${SED} -e 's,.exe$,,'`
+	    ;;
+	  esac
+	  ;;
+	esac
+	$show "$install_prog$stripme $file $destfile"
+	$run eval "$install_prog\$stripme \$file \$destfile" || exit $?
+	test -n "$outputname" && ${rm}r "$tmpdir"
+	;;
+      esac
+    done
+
+    for file in $staticlibs; do
+      name=`$echo "X$file" | $Xsed -e 's%^.*/%%'`
+
+      # Set up the ranlib parameters.
+      oldlib="$destdir/$name"
+
+      $show "$install_prog $file $oldlib"
+      $run eval "$install_prog \$file \$oldlib" || exit $?
+
+      if test -n "$stripme" && test -n "$old_striplib"; then
+	$show "$old_striplib $oldlib"
+	$run eval "$old_striplib $oldlib" || exit $?
+      fi
+
+      # Do each command in the postinstall commands.
+      cmds=$old_postinstall_cmds
+      save_ifs="$IFS"; IFS='~'
+      for cmd in $cmds; do
+	IFS="$save_ifs"
+	eval cmd=\"$cmd\"
+	$show "$cmd"
+	$run eval "$cmd" || exit $?
+      done
+      IFS="$save_ifs"
+    done
+
+    if test -n "$future_libdirs"; then
+      $echo "$modename: warning: remember to run \`$progname --finish$future_libdirs'" 1>&2
+    fi
+
+    if test -n "$current_libdirs"; then
+      # Maybe just do a dry run.
+      test -n "$run" && current_libdirs=" -n$current_libdirs"
+      exec_cmd='$SHELL $progpath $preserve_args --finish$current_libdirs'
+    else
+      exit $EXIT_SUCCESS
+    fi
+    ;;
+
+  # libtool finish mode
+  finish)
+    modename="$modename: finish"
+    libdirs="$nonopt"
+    admincmds=
+
+    if test -n "$finish_cmds$finish_eval" && test -n "$libdirs"; then
+      for dir
+      do
+	libdirs="$libdirs $dir"
+      done
+
+      for libdir in $libdirs; do
+	if test -n "$finish_cmds"; then
+	  # Do each command in the finish commands.
+	  cmds=$finish_cmds
+	  save_ifs="$IFS"; IFS='~'
+	  for cmd in $cmds; do
+	    IFS="$save_ifs"
+	    eval cmd=\"$cmd\"
+	    $show "$cmd"
+	    $run eval "$cmd" || admincmds="$admincmds
+       $cmd"
+	  done
+	  IFS="$save_ifs"
+	fi
+	if test -n "$finish_eval"; then
+	  # Do the single finish_eval.
+	  eval cmds=\"$finish_eval\"
+	  $run eval "$cmds" || admincmds="$admincmds
+       $cmds"
+	fi
+      done
+    fi
+
+    # Exit here if they wanted silent mode.
+    test "$show" = : && exit $EXIT_SUCCESS
+
+    $echo "X----------------------------------------------------------------------" | $Xsed
+    $echo "Libraries have been installed in:"
+    for libdir in $libdirs; do
+      $echo "   $libdir"
+    done
+    $echo
+    $echo "If you ever happen to want to link against installed libraries"
+    $echo "in a given directory, LIBDIR, you must either use libtool, and"
+    $echo "specify the full pathname of the library, or use the \`-LLIBDIR'"
+    $echo "flag during linking and do at least one of the following:"
+    if test -n "$shlibpath_var"; then
+      $echo "   - add LIBDIR to the \`$shlibpath_var' environment variable"
+      $echo "     during execution"
+    fi
+    if test -n "$runpath_var"; then
+      $echo "   - add LIBDIR to the \`$runpath_var' environment variable"
+      $echo "     during linking"
+    fi
+    if test -n "$hardcode_libdir_flag_spec"; then
+      libdir=LIBDIR
+      eval flag=\"$hardcode_libdir_flag_spec\"
+
+      $echo "   - use the \`$flag' linker flag"
+    fi
+    if test -n "$admincmds"; then
+      $echo "   - have your system administrator run these commands:$admincmds"
+    fi
+    if test -f /etc/ld.so.conf; then
+      $echo "   - have your system administrator add LIBDIR to \`/etc/ld.so.conf'"
+    fi
+    $echo
+    $echo "See any operating system documentation about shared libraries for"
+    $echo "more information, such as the ld(1) and ld.so(8) manual pages."
+    $echo "X----------------------------------------------------------------------" | $Xsed
+    exit $EXIT_SUCCESS
+    ;;
+
+  # libtool execute mode
+  execute)
+    modename="$modename: execute"
+
+    # The first argument is the command name.
+    cmd="$nonopt"
+    if test -z "$cmd"; then
+      $echo "$modename: you must specify a COMMAND" 1>&2
+      $echo "$help"
+      exit $EXIT_FAILURE
+    fi
+
+    # Handle -dlopen flags immediately.
+    for file in $execute_dlfiles; do
+      if test ! -f "$file"; then
+	$echo "$modename: \`$file' is not a file" 1>&2
+	$echo "$help" 1>&2
+	exit $EXIT_FAILURE
+      fi
+
+      dir=
+      case $file in
+      *.la)
+	# Check to see that this really is a libtool archive.
+	if (${SED} -e '2q' $file | grep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then :
+	else
+	  $echo "$modename: \`$lib' is not a valid libtool archive" 1>&2
+	  $echo "$help" 1>&2
+	  exit $EXIT_FAILURE
+	fi
+
+	# Read the libtool library.
+	dlname=
+	library_names=
+
+	# If there is no directory component, then add one.
+	case $file in
+	*/* | *\\*) . $file ;;
+	*) . ./$file ;;
+	esac
+
+	# Skip this library if it cannot be dlopened.
+	if test -z "$dlname"; then
+	  # Warn if it was a shared library.
+	  test -n "$library_names" && $echo "$modename: warning: \`$file' was not linked with \`-export-dynamic'"
+	  continue
+	fi
+
+	dir=`$echo "X$file" | $Xsed -e 's%/[^/]*$%%'`
+	test "X$dir" = "X$file" && dir=.
+
+	if test -f "$dir/$objdir/$dlname"; then
+	  dir="$dir/$objdir"
+	else
+	  if test ! -f "$dir/$dlname"; then
+	    $echo "$modename: cannot find \`$dlname' in \`$dir' or \`$dir/$objdir'" 1>&2
+	    exit $EXIT_FAILURE
+	  fi
+	fi
+	;;
+
+      *.lo)
+	# Just add the directory containing the .lo file.
+	dir=`$echo "X$file" | $Xsed -e 's%/[^/]*$%%'`
+	test "X$dir" = "X$file" && dir=.
+	;;
+
+      *)
+	$echo "$modename: warning \`-dlopen' is ignored for non-libtool libraries and objects" 1>&2
+	continue
+	;;
+      esac
+
+      # Get the absolute pathname.
+      absdir=`cd "$dir" && pwd`
+      test -n "$absdir" && dir="$absdir"
+
+      # Now add the directory to shlibpath_var.
+      if eval "test -z \"\$$shlibpath_var\""; then
+	eval "$shlibpath_var=\"\$dir\""
+      else
+	eval "$shlibpath_var=\"\$dir:\$$shlibpath_var\""
+      fi
+    done
+
+    # This variable tells wrapper scripts just to set shlibpath_var
+    # rather than running their programs.
+    libtool_execute_magic="$magic"
+
+    # Check if any of the arguments is a wrapper script.
+    args=
+    for file
+    do
+      case $file in
+      -*) ;;
+      *)
+	# Do a test to see if this is really a libtool program.
+	if (${SED} -e '4q' $file | grep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then
+	  # If there is no directory component, then add one.
+	  case $file in
+	  */* | *\\*) . $file ;;
+	  *) . ./$file ;;
+	  esac
+
+	  # Transform arg to wrapped name.
+	  file="$progdir/$program"
+	fi
+	;;
+      esac
+      # Quote arguments (to preserve shell metacharacters).
+      file=`$echo "X$file" | $Xsed -e "$sed_quote_subst"`
+      args="$args \"$file\""
+    done
+
+    if test -z "$run"; then
+      if test -n "$shlibpath_var"; then
+	# Export the shlibpath_var.
+	eval "export $shlibpath_var"
+      fi
+
+      # Restore saved environment variables
+      for lt_var in LANG LANGUAGE LC_ALL LC_CTYPE LC_COLLATE LC_MESSAGES
+      do
+	eval "if test \"\${save_$lt_var+set}\" = set; then
+		$lt_var=\$save_$lt_var; export $lt_var
+	      fi"
+      done
+
+      # Now prepare to actually exec the command.
+      exec_cmd="\$cmd$args"
+    else
+      # Display what would be done.
+      if test -n "$shlibpath_var"; then
+	eval "\$echo \"\$shlibpath_var=\$$shlibpath_var\""
+	$echo "export $shlibpath_var"
+      fi
+      $echo "$cmd$args"
+      exit $EXIT_SUCCESS
+    fi
+    ;;
+
+  # libtool clean and uninstall mode
+  clean | uninstall)
+    modename="$modename: $mode"
+    rm="$nonopt"
+    files=
+    rmforce=
+    exit_status=0
+
+    # This variable tells wrapper scripts just to set variables rather
+    # than running their programs.
+    libtool_install_magic="$magic"
+
+    for arg
+    do
+      case $arg in
+      -f) rm="$rm $arg"; rmforce=yes ;;
+      -*) rm="$rm $arg" ;;
+      *) files="$files $arg" ;;
+      esac
+    done
+
+    if test -z "$rm"; then
+      $echo "$modename: you must specify an RM program" 1>&2
+      $echo "$help" 1>&2
+      exit $EXIT_FAILURE
+    fi
+
+    rmdirs=
+
+    origobjdir="$objdir"
+    for file in $files; do
+      dir=`$echo "X$file" | $Xsed -e 's%/[^/]*$%%'`
+      if test "X$dir" = "X$file"; then
+	dir=.
+	objdir="$origobjdir"
+      else
+	objdir="$dir/$origobjdir"
+      fi
+      name=`$echo "X$file" | $Xsed -e 's%^.*/%%'`
+      test "$mode" = uninstall && objdir="$dir"
+
+      # Remember objdir for removal later, being careful to avoid duplicates
+      if test "$mode" = clean; then
+	case " $rmdirs " in
+	  *" $objdir "*) ;;
+	  *) rmdirs="$rmdirs $objdir" ;;
+	esac
+      fi
+
+      # Don't error if the file doesn't exist and rm -f was used.
+      if (test -L "$file") >/dev/null 2>&1 \
+	|| (test -h "$file") >/dev/null 2>&1 \
+	|| test -f "$file"; then
+	:
+      elif test -d "$file"; then
+	exit_status=1
+	continue
+      elif test "$rmforce" = yes; then
+	continue
+      fi
+
+      rmfiles="$file"
+
+      case $name in
+      *.la)
+	# Possibly a libtool archive, so verify it.
+	if (${SED} -e '2q' $file | grep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then
+	  . $dir/$name
+
+	  # Delete the libtool libraries and symlinks.
+	  for n in $library_names; do
+	    rmfiles="$rmfiles $objdir/$n"
+	  done
+	  test -n "$old_library" && rmfiles="$rmfiles $objdir/$old_library"
+
+	  case "$mode" in
+	  clean)
+	    case "  $library_names " in
+	    # "  " in the beginning catches empty $dlname
+	    *" $dlname "*) ;;
+	    *) rmfiles="$rmfiles $objdir/$dlname" ;;
+	    esac
+	     test -n "$libdir" && rmfiles="$rmfiles $objdir/$name $objdir/${name}i"
+	    ;;
+	  uninstall)
+	    if test -n "$library_names"; then
+	      # Do each command in the postuninstall commands.
+	      cmds=$postuninstall_cmds
+	      save_ifs="$IFS"; IFS='~'
+	      for cmd in $cmds; do
+		IFS="$save_ifs"
+		eval cmd=\"$cmd\"
+		$show "$cmd"
+		$run eval "$cmd"
+		if test "$?" -ne 0 && test "$rmforce" != yes; then
+		  exit_status=1
+		fi
+	      done
+	      IFS="$save_ifs"
+	    fi
+
+	    if test -n "$old_library"; then
+	      # Do each command in the old_postuninstall commands.
+	      cmds=$old_postuninstall_cmds
+	      save_ifs="$IFS"; IFS='~'
+	      for cmd in $cmds; do
+		IFS="$save_ifs"
+		eval cmd=\"$cmd\"
+		$show "$cmd"
+		$run eval "$cmd"
+		if test "$?" -ne 0 && test "$rmforce" != yes; then
+		  exit_status=1
+		fi
+	      done
+	      IFS="$save_ifs"
+	    fi
+	    # FIXME: should reinstall the best remaining shared library.
+	    ;;
+	  esac
+	fi
+	;;
+
+      *.lo)
+	# Possibly a libtool object, so verify it.
+	if (${SED} -e '2q' $file | grep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then
+
+	  # Read the .lo file
+	  . $dir/$name
+
+	  # Add PIC object to the list of files to remove.
+	  if test -n "$pic_object" \
+	     && test "$pic_object" != none; then
+	    rmfiles="$rmfiles $dir/$pic_object"
+	  fi
+
+	  # Add non-PIC object to the list of files to remove.
+	  if test -n "$non_pic_object" \
+	     && test "$non_pic_object" != none; then
+	    rmfiles="$rmfiles $dir/$non_pic_object"
+	  fi
+	fi
+	;;
+
+      *)
+	if test "$mode" = clean ; then
+	  noexename=$name
+	  case $file in
+	  *.exe)
+	    file=`$echo $file|${SED} 's,.exe$,,'`
+	    noexename=`$echo $name|${SED} 's,.exe$,,'`
+	    # $file with .exe has already been added to rmfiles,
+	    # add $file without .exe
+	    rmfiles="$rmfiles $file"
+	    ;;
+	  esac
+	  # Do a test to see if this is a libtool program.
+	  if (${SED} -e '4q' $file | grep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then
+	    relink_command=
+	    . $dir/$noexename
+
+	    # note $name still contains .exe if it was in $file originally
+	    # as does the version of $file that was added into $rmfiles
+	    rmfiles="$rmfiles $objdir/$name $objdir/${name}S.${objext}"
+	    if test "$fast_install" = yes && test -n "$relink_command"; then
+	      rmfiles="$rmfiles $objdir/lt-$name"
+	    fi
+	    if test "X$noexename" != "X$name" ; then
+	      rmfiles="$rmfiles $objdir/lt-${noexename}.c"
+	    fi
+	  fi
+	fi
+	;;
+      esac
+      $show "$rm $rmfiles"
+      $run $rm $rmfiles || exit_status=1
+    done
+    objdir="$origobjdir"
+
+    # Try to remove the ${objdir}s in the directories where we deleted files
+    for dir in $rmdirs; do
+      if test -d "$dir"; then
+	$show "rmdir $dir"
+	$run rmdir $dir >/dev/null 2>&1
+      fi
+    done
+
+    exit $exit_status
+    ;;
+
+  "")
+    $echo "$modename: you must specify a MODE" 1>&2
+    $echo "$generic_help" 1>&2
+    exit $EXIT_FAILURE
+    ;;
+  esac
+
+  if test -z "$exec_cmd"; then
+    $echo "$modename: invalid operation mode \`$mode'" 1>&2
+    $echo "$generic_help" 1>&2
+    exit $EXIT_FAILURE
+  fi
+fi # test -z "$show_help"
+
+if test -n "$exec_cmd"; then
+  eval exec $exec_cmd
+  exit $EXIT_FAILURE
+fi
+
+# We need to display help for each of the modes.
+case $mode in
+"") $echo \
+"Usage: $modename [OPTION]... [MODE-ARG]...
+
+Provide generalized library-building support services.
+
+    --config          show all configuration variables
+    --debug           enable verbose shell tracing
+-n, --dry-run         display commands without modifying any files
+    --features        display basic configuration information and exit
+    --finish          same as \`--mode=finish'
+    --help            display this help message and exit
+    --mode=MODE       use operation mode MODE [default=inferred from MODE-ARGS]
+    --quiet           same as \`--silent'
+    --silent          don't print informational messages
+    --tag=TAG         use configuration variables from tag TAG
+    --version         print version information
+
+MODE must be one of the following:
+
+      clean           remove files from the build directory
+      compile         compile a source file into a libtool object
+      execute         automatically set library path, then run a program
+      finish          complete the installation of libtool libraries
+      install         install libraries or executables
+      link            create a library or an executable
+      uninstall       remove libraries from an installed directory
+
+MODE-ARGS vary depending on the MODE.  Try \`$modename --help --mode=MODE' for
+a more detailed description of MODE.
+
+Report bugs to <bug-libtool@gnu.org>."
+  exit $EXIT_SUCCESS
+  ;;
+
+clean)
+  $echo \
+"Usage: $modename [OPTION]... --mode=clean RM [RM-OPTION]... FILE...
+
+Remove files from the build directory.
+
+RM is the name of the program to use to delete files associated with each FILE
+(typically \`/bin/rm').  RM-OPTIONS are options (such as \`-f') to be passed
+to RM.
+
+If FILE is a libtool library, object or program, all the files associated
+with it are deleted. Otherwise, only FILE itself is deleted using RM."
+  ;;
+
+compile)
+  $echo \
+"Usage: $modename [OPTION]... --mode=compile COMPILE-COMMAND... SOURCEFILE
+
+Compile a source file into a libtool library object.
+
+This mode accepts the following additional options:
+
+  -o OUTPUT-FILE    set the output file name to OUTPUT-FILE
+  -prefer-pic       try to building PIC objects only
+  -prefer-non-pic   try to building non-PIC objects only
+  -static           always build a \`.o' file suitable for static linking
+
+COMPILE-COMMAND is a command to be used in creating a \`standard' object file
+from the given SOURCEFILE.
+
+The output file name is determined by removing the directory component from
+SOURCEFILE, then substituting the C source code suffix \`.c' with the
+library object suffix, \`.lo'."
+  ;;
+
+execute)
+  $echo \
+"Usage: $modename [OPTION]... --mode=execute COMMAND [ARGS]...
+
+Automatically set library path, then run a program.
+
+This mode accepts the following additional options:
+
+  -dlopen FILE      add the directory containing FILE to the library path
+
+This mode sets the library path environment variable according to \`-dlopen'
+flags.
+
+If any of the ARGS are libtool executable wrappers, then they are translated
+into their corresponding uninstalled binary, and any of their required library
+directories are added to the library path.
+
+Then, COMMAND is executed, with ARGS as arguments."
+  ;;
+
+finish)
+  $echo \
+"Usage: $modename [OPTION]... --mode=finish [LIBDIR]...
+
+Complete the installation of libtool libraries.
+
+Each LIBDIR is a directory that contains libtool libraries.
+
+The commands that this mode executes may require superuser privileges.  Use
+the \`--dry-run' option if you just want to see what would be executed."
+  ;;
+
+install)
+  $echo \
+"Usage: $modename [OPTION]... --mode=install INSTALL-COMMAND...
+
+Install executables or libraries.
+
+INSTALL-COMMAND is the installation command.  The first component should be
+either the \`install' or \`cp' program.
+
+The rest of the components are interpreted as arguments to that command (only
+BSD-compatible install options are recognized)."
+  ;;
+
+link)
+  $echo \
+"Usage: $modename [OPTION]... --mode=link LINK-COMMAND...
+
+Link object files or libraries together to form another library, or to
+create an executable program.
+
+LINK-COMMAND is a command using the C compiler that you would use to create
+a program from several object files.
+
+The following components of LINK-COMMAND are treated specially:
+
+  -all-static       do not do any dynamic linking at all
+  -avoid-version    do not add a version suffix if possible
+  -dlopen FILE      \`-dlpreopen' FILE if it cannot be dlopened at runtime
+  -dlpreopen FILE   link in FILE and add its symbols to lt_preloaded_symbols
+  -export-dynamic   allow symbols from OUTPUT-FILE to be resolved with dlsym(3)
+  -export-symbols SYMFILE
+                    try to export only the symbols listed in SYMFILE
+  -export-symbols-regex REGEX
+                    try to export only the symbols matching REGEX
+  -LLIBDIR          search LIBDIR for required installed libraries
+  -lNAME            OUTPUT-FILE requires the installed library libNAME
+  -module           build a library that can dlopened
+  -no-fast-install  disable the fast-install mode
+  -no-install       link a not-installable executable
+  -no-undefined     declare that a library does not refer to external symbols
+  -o OUTPUT-FILE    create OUTPUT-FILE from the specified objects
+  -objectlist FILE  Use a list of object files found in FILE to specify objects
+  -precious-files-regex REGEX
+                    don't remove output files matching REGEX
+  -release RELEASE  specify package release information
+  -rpath LIBDIR     the created library will eventually be installed in LIBDIR
+  -R[ ]LIBDIR       add LIBDIR to the runtime path of programs and libraries
+  -static           do not do any dynamic linking of uninstalled libtool libraries
+  -static-libtool-libs
+                    do not do any dynamic linking of libtool libraries
+  -version-info CURRENT[:REVISION[:AGE]]
+                    specify library version info [each variable defaults to 0]
+
+All other options (arguments beginning with \`-') are ignored.
+
+Every other argument is treated as a filename.  Files ending in \`.la' are
+treated as uninstalled libtool libraries, other files are standard or library
+object files.
+
+If the OUTPUT-FILE ends in \`.la', then a libtool library is created,
+only library objects (\`.lo' files) may be specified, and \`-rpath' is
+required, except when creating a convenience library.
+
+If OUTPUT-FILE ends in \`.a' or \`.lib', then a standard library is created
+using \`ar' and \`ranlib', or on Windows using \`lib'.
+
+If OUTPUT-FILE ends in \`.lo' or \`.${objext}', then a reloadable object file
+is created, otherwise an executable program is created."
+  ;;
+
+uninstall)
+  $echo \
+"Usage: $modename [OPTION]... --mode=uninstall RM [RM-OPTION]... FILE...
+
+Remove libraries from an installation directory.
+
+RM is the name of the program to use to delete files associated with each FILE
+(typically \`/bin/rm').  RM-OPTIONS are options (such as \`-f') to be passed
+to RM.
+
+If FILE is a libtool library, all the files associated with it are deleted.
+Otherwise, only FILE itself is deleted using RM."
+  ;;
+
+*)
+  $echo "$modename: invalid operation mode \`$mode'" 1>&2
+  $echo "$help" 1>&2
+  exit $EXIT_FAILURE
+  ;;
+esac
+
+$echo
+$echo "Try \`$modename --help' for more information about other modes."
+
+exit $?
+
+# The TAGs below are defined such that we never get into a situation
+# in which we disable both kinds of libraries.  Given conflicting
+# choices, we go for a static library, that is the most portable,
+# since we can't tell whether shared libraries were disabled because
+# the user asked for that or because the platform doesn't support
+# them.  This is particularly important on AIX, because we don't
+# support having both static and shared libraries enabled at the same
+# time on that platform, so we default to a shared-only configuration.
+# If a disable-shared tag is given, we'll fallback to a static-only
+# configuration.  But we'll never go from static-only to shared-only.
+
+# ### BEGIN LIBTOOL TAG CONFIG: disable-shared
+disable_libs=shared
+# ### END LIBTOOL TAG CONFIG: disable-shared
+
+# ### BEGIN LIBTOOL TAG CONFIG: disable-static
+disable_libs=static
+# ### END LIBTOOL TAG CONFIG: disable-static
+
+# Local Variables:
+# mode:shell-script
+# sh-indentation:2
+# End:
diff --git a/src/charon/plugins/nm/gnome/missing b/src/charon/plugins/nm/gnome/missing
new file mode 100755
index 000000000..1c8ff7049
--- /dev/null
+++ b/src/charon/plugins/nm/gnome/missing
@@ -0,0 +1,367 @@
+#! /bin/sh
+# Common stub for a few missing GNU programs while installing.
+
+scriptversion=2006-05-10.23
+
+# Copyright (C) 1996, 1997, 1999, 2000, 2002, 2003, 2004, 2005, 2006
+#   Free Software Foundation, Inc.
+# Originally by Fran,cois Pinard <pinard@iro.umontreal.ca>, 1996.
+
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2, or (at your option)
+# any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+# 02110-1301, USA.
+
+# As a special exception to the GNU General Public License, if you
+# distribute this file as part of a program that contains a
+# configuration script generated by Autoconf, you may include it under
+# the same distribution terms that you use for the rest of that program.
+
+if test $# -eq 0; then
+  echo 1>&2 "Try \`$0 --help' for more information"
+  exit 1
+fi
+
+run=:
+sed_output='s/.* --output[ =]\([^ ]*\).*/\1/p'
+sed_minuso='s/.* -o \([^ ]*\).*/\1/p'
+
+# In the cases where this matters, `missing' is being run in the
+# srcdir already.
+if test -f configure.ac; then
+  configure_ac=configure.ac
+else
+  configure_ac=configure.in
+fi
+
+msg="missing on your system"
+
+case $1 in
+--run)
+  # Try to run requested program, and just exit if it succeeds.
+  run=
+  shift
+  "$@" && exit 0
+  # Exit code 63 means version mismatch.  This often happens
+  # when the user try to use an ancient version of a tool on
+  # a file that requires a minimum version.  In this case we
+  # we should proceed has if the program had been absent, or
+  # if --run hadn't been passed.
+  if test $? = 63; then
+    run=:
+    msg="probably too old"
+  fi
+  ;;
+
+  -h|--h|--he|--hel|--help)
+    echo "\
+$0 [OPTION]... PROGRAM [ARGUMENT]...
+
+Handle \`PROGRAM [ARGUMENT]...' for when PROGRAM is missing, or return an
+error status if there is no known handling for PROGRAM.
+
+Options:
+  -h, --help      display this help and exit
+  -v, --version   output version information and exit
+  --run           try to run the given command, and emulate it if it fails
+
+Supported PROGRAM values:
+  aclocal      touch file \`aclocal.m4'
+  autoconf     touch file \`configure'
+  autoheader   touch file \`config.h.in'
+  autom4te     touch the output file, or create a stub one
+  automake     touch all \`Makefile.in' files
+  bison        create \`y.tab.[ch]', if possible, from existing .[ch]
+  flex         create \`lex.yy.c', if possible, from existing .c
+  help2man     touch the output file
+  lex          create \`lex.yy.c', if possible, from existing .c
+  makeinfo     touch the output file
+  tar          try tar, gnutar, gtar, then tar without non-portable flags
+  yacc         create \`y.tab.[ch]', if possible, from existing .[ch]
+
+Send bug reports to <bug-automake@gnu.org>."
+    exit $?
+    ;;
+
+  -v|--v|--ve|--ver|--vers|--versi|--versio|--version)
+    echo "missing $scriptversion (GNU Automake)"
+    exit $?
+    ;;
+
+  -*)
+    echo 1>&2 "$0: Unknown \`$1' option"
+    echo 1>&2 "Try \`$0 --help' for more information"
+    exit 1
+    ;;
+
+esac
+
+# Now exit if we have it, but it failed.  Also exit now if we
+# don't have it and --version was passed (most likely to detect
+# the program).
+case $1 in
+  lex|yacc)
+    # Not GNU programs, they don't have --version.
+    ;;
+
+  tar)
+    if test -n "$run"; then
+       echo 1>&2 "ERROR: \`tar' requires --run"
+       exit 1
+    elif test "x$2" = "x--version" || test "x$2" = "x--help"; then
+       exit 1
+    fi
+    ;;
+
+  *)
+    if test -z "$run" && ($1 --version) > /dev/null 2>&1; then
+       # We have it, but it failed.
+       exit 1
+    elif test "x$2" = "x--version" || test "x$2" = "x--help"; then
+       # Could not run --version or --help.  This is probably someone
+       # running `$TOOL --version' or `$TOOL --help' to check whether
+       # $TOOL exists and not knowing $TOOL uses missing.
+       exit 1
+    fi
+    ;;
+esac
+
+# If it does not exist, or fails to run (possibly an outdated version),
+# try to emulate it.
+case $1 in
+  aclocal*)
+    echo 1>&2 "\
+WARNING: \`$1' is $msg.  You should only need it if
+         you modified \`acinclude.m4' or \`${configure_ac}'.  You might want
+         to install the \`Automake' and \`Perl' packages.  Grab them from
+         any GNU archive site."
+    touch aclocal.m4
+    ;;
+
+  autoconf)
+    echo 1>&2 "\
+WARNING: \`$1' is $msg.  You should only need it if
+         you modified \`${configure_ac}'.  You might want to install the
+         \`Autoconf' and \`GNU m4' packages.  Grab them from any GNU
+         archive site."
+    touch configure
+    ;;
+
+  autoheader)
+    echo 1>&2 "\
+WARNING: \`$1' is $msg.  You should only need it if
+         you modified \`acconfig.h' or \`${configure_ac}'.  You might want
+         to install the \`Autoconf' and \`GNU m4' packages.  Grab them
+         from any GNU archive site."
+    files=`sed -n 's/^[ ]*A[CM]_CONFIG_HEADER(\([^)]*\)).*/\1/p' ${configure_ac}`
+    test -z "$files" && files="config.h"
+    touch_files=
+    for f in $files; do
+      case $f in
+      *:*) touch_files="$touch_files "`echo "$f" |
+				       sed -e 's/^[^:]*://' -e 's/:.*//'`;;
+      *) touch_files="$touch_files $f.in";;
+      esac
+    done
+    touch $touch_files
+    ;;
+
+  automake*)
+    echo 1>&2 "\
+WARNING: \`$1' is $msg.  You should only need it if
+         you modified \`Makefile.am', \`acinclude.m4' or \`${configure_ac}'.
+         You might want to install the \`Automake' and \`Perl' packages.
+         Grab them from any GNU archive site."
+    find . -type f -name Makefile.am -print |
+	   sed 's/\.am$/.in/' |
+	   while read f; do touch "$f"; done
+    ;;
+
+  autom4te)
+    echo 1>&2 "\
+WARNING: \`$1' is needed, but is $msg.
+         You might have modified some files without having the
+         proper tools for further handling them.
+         You can get \`$1' as part of \`Autoconf' from any GNU
+         archive site."
+
+    file=`echo "$*" | sed -n "$sed_output"`
+    test -z "$file" && file=`echo "$*" | sed -n "$sed_minuso"`
+    if test -f "$file"; then
+	touch $file
+    else
+	test -z "$file" || exec >$file
+	echo "#! /bin/sh"
+	echo "# Created by GNU Automake missing as a replacement of"
+	echo "#  $ $@"
+	echo "exit 0"
+	chmod +x $file
+	exit 1
+    fi
+    ;;
+
+  bison|yacc)
+    echo 1>&2 "\
+WARNING: \`$1' $msg.  You should only need it if
+         you modified a \`.y' file.  You may need the \`Bison' package
+         in order for those modifications to take effect.  You can get
+         \`Bison' from any GNU archive site."
+    rm -f y.tab.c y.tab.h
+    if test $# -ne 1; then
+        eval LASTARG="\${$#}"
+	case $LASTARG in
+	*.y)
+	    SRCFILE=`echo "$LASTARG" | sed 's/y$/c/'`
+	    if test -f "$SRCFILE"; then
+	         cp "$SRCFILE" y.tab.c
+	    fi
+	    SRCFILE=`echo "$LASTARG" | sed 's/y$/h/'`
+	    if test -f "$SRCFILE"; then
+	         cp "$SRCFILE" y.tab.h
+	    fi
+	  ;;
+	esac
+    fi
+    if test ! -f y.tab.h; then
+	echo >y.tab.h
+    fi
+    if test ! -f y.tab.c; then
+	echo 'main() { return 0; }' >y.tab.c
+    fi
+    ;;
+
+  lex|flex)
+    echo 1>&2 "\
+WARNING: \`$1' is $msg.  You should only need it if
+         you modified a \`.l' file.  You may need the \`Flex' package
+         in order for those modifications to take effect.  You can get
+         \`Flex' from any GNU archive site."
+    rm -f lex.yy.c
+    if test $# -ne 1; then
+        eval LASTARG="\${$#}"
+	case $LASTARG in
+	*.l)
+	    SRCFILE=`echo "$LASTARG" | sed 's/l$/c/'`
+	    if test -f "$SRCFILE"; then
+	         cp "$SRCFILE" lex.yy.c
+	    fi
+	  ;;
+	esac
+    fi
+    if test ! -f lex.yy.c; then
+	echo 'main() { return 0; }' >lex.yy.c
+    fi
+    ;;
+
+  help2man)
+    echo 1>&2 "\
+WARNING: \`$1' is $msg.  You should only need it if
+	 you modified a dependency of a manual page.  You may need the
+	 \`Help2man' package in order for those modifications to take
+	 effect.  You can get \`Help2man' from any GNU archive site."
+
+    file=`echo "$*" | sed -n "$sed_output"`
+    test -z "$file" && file=`echo "$*" | sed -n "$sed_minuso"`
+    if test -f "$file"; then
+	touch $file
+    else
+	test -z "$file" || exec >$file
+	echo ".ab help2man is required to generate this page"
+	exit 1
+    fi
+    ;;
+
+  makeinfo)
+    echo 1>&2 "\
+WARNING: \`$1' is $msg.  You should only need it if
+         you modified a \`.texi' or \`.texinfo' file, or any other file
+         indirectly affecting the aspect of the manual.  The spurious
+         call might also be the consequence of using a buggy \`make' (AIX,
+         DU, IRIX).  You might want to install the \`Texinfo' package or
+         the \`GNU make' package.  Grab either from any GNU archive site."
+    # The file to touch is that specified with -o ...
+    file=`echo "$*" | sed -n "$sed_output"`
+    test -z "$file" && file=`echo "$*" | sed -n "$sed_minuso"`
+    if test -z "$file"; then
+      # ... or it is the one specified with @setfilename ...
+      infile=`echo "$*" | sed 's/.* \([^ ]*\) *$/\1/'`
+      file=`sed -n '
+	/^@setfilename/{
+	  s/.* \([^ ]*\) *$/\1/
+	  p
+	  q
+	}' $infile`
+      # ... or it is derived from the source name (dir/f.texi becomes f.info)
+      test -z "$file" && file=`echo "$infile" | sed 's,.*/,,;s,.[^.]*$,,'`.info
+    fi
+    # If the file does not exist, the user really needs makeinfo;
+    # let's fail without touching anything.
+    test -f $file || exit 1
+    touch $file
+    ;;
+
+  tar)
+    shift
+
+    # We have already tried tar in the generic part.
+    # Look for gnutar/gtar before invocation to avoid ugly error
+    # messages.
+    if (gnutar --version > /dev/null 2>&1); then
+       gnutar "$@" && exit 0
+    fi
+    if (gtar --version > /dev/null 2>&1); then
+       gtar "$@" && exit 0
+    fi
+    firstarg="$1"
+    if shift; then
+	case $firstarg in
+	*o*)
+	    firstarg=`echo "$firstarg" | sed s/o//`
+	    tar "$firstarg" "$@" && exit 0
+	    ;;
+	esac
+	case $firstarg in
+	*h*)
+	    firstarg=`echo "$firstarg" | sed s/h//`
+	    tar "$firstarg" "$@" && exit 0
+	    ;;
+	esac
+    fi
+
+    echo 1>&2 "\
+WARNING: I can't seem to be able to run \`tar' with the given arguments.
+         You may want to install GNU tar or Free paxutils, or check the
+         command line arguments."
+    exit 1
+    ;;
+
+  *)
+    echo 1>&2 "\
+WARNING: \`$1' is needed, and is $msg.
+         You might have modified some files without having the
+         proper tools for further handling them.  Check the \`README' file,
+         it often tells you about the needed prerequisites for installing
+         this package.  You may also peek at any GNU archive site, in case
+         some other package would contain this missing \`$1' program."
+    exit 1
+    ;;
+esac
+
+exit 0
+
+# Local variables:
+# eval: (add-hook 'write-file-hooks 'time-stamp)
+# time-stamp-start: "scriptversion="
+# time-stamp-format: "%:y-%02m-%02d.%02H"
+# time-stamp-end: "$"
+# End:
diff --git a/src/charon/plugins/nm/gnome/mkinstalldirs b/src/charon/plugins/nm/gnome/mkinstalldirs
new file mode 100755
index 000000000..ef7e16fda
--- /dev/null
+++ b/src/charon/plugins/nm/gnome/mkinstalldirs
@@ -0,0 +1,161 @@
+#! /bin/sh
+# mkinstalldirs --- make directory hierarchy
+
+scriptversion=2006-05-11.19
+
+# Original author: Noah Friedman <friedman@prep.ai.mit.edu>
+# Created: 1993-05-16
+# Public domain.
+#
+# This file is maintained in Automake, please report
+# bugs to <bug-automake@gnu.org> or send patches to
+# <automake-patches@gnu.org>.
+
+nl='
+'
+IFS=" ""	$nl"
+errstatus=0
+dirmode=
+
+usage="\
+Usage: mkinstalldirs [-h] [--help] [--version] [-m MODE] DIR ...
+
+Create each directory DIR (with mode MODE, if specified), including all
+leading file name components.
+
+Report bugs to <bug-automake@gnu.org>."
+
+# process command line arguments
+while test $# -gt 0 ; do
+  case $1 in
+    -h | --help | --h*)         # -h for help
+      echo "$usage"
+      exit $?
+      ;;
+    -m)                         # -m PERM arg
+      shift
+      test $# -eq 0 && { echo "$usage" 1>&2; exit 1; }
+      dirmode=$1
+      shift
+      ;;
+    --version)
+      echo "$0 $scriptversion"
+      exit $?
+      ;;
+    --)                         # stop option processing
+      shift
+      break
+      ;;
+    -*)                         # unknown option
+      echo "$usage" 1>&2
+      exit 1
+      ;;
+    *)                          # first non-opt arg
+      break
+      ;;
+  esac
+done
+
+for file
+do
+  if test -d "$file"; then
+    shift
+  else
+    break
+  fi
+done
+
+case $# in
+  0) exit 0 ;;
+esac
+
+# Solaris 8's mkdir -p isn't thread-safe.  If you mkdir -p a/b and
+# mkdir -p a/c at the same time, both will detect that a is missing,
+# one will create a, then the other will try to create a and die with
+# a "File exists" error.  This is a problem when calling mkinstalldirs
+# from a parallel make.  We use --version in the probe to restrict
+# ourselves to GNU mkdir, which is thread-safe.
+case $dirmode in
+  '')
+    if mkdir -p --version . >/dev/null 2>&1 && test ! -d ./--version; then
+      echo "mkdir -p -- $*"
+      exec mkdir -p -- "$@"
+    else
+      # On NextStep and OpenStep, the `mkdir' command does not
+      # recognize any option.  It will interpret all options as
+      # directories to create, and then abort because `.' already
+      # exists.
+      test -d ./-p && rmdir ./-p
+      test -d ./--version && rmdir ./--version
+    fi
+    ;;
+  *)
+    if mkdir -m "$dirmode" -p --version . >/dev/null 2>&1 &&
+       test ! -d ./--version; then
+      echo "mkdir -m $dirmode -p -- $*"
+      exec mkdir -m "$dirmode" -p -- "$@"
+    else
+      # Clean up after NextStep and OpenStep mkdir.
+      for d in ./-m ./-p ./--version "./$dirmode";
+      do
+        test -d $d && rmdir $d
+      done
+    fi
+    ;;
+esac
+
+for file
+do
+  case $file in
+    /*) pathcomp=/ ;;
+    *)  pathcomp= ;;
+  esac
+  oIFS=$IFS
+  IFS=/
+  set fnord $file
+  shift
+  IFS=$oIFS
+
+  for d
+  do
+    test "x$d" = x && continue
+
+    pathcomp=$pathcomp$d
+    case $pathcomp in
+      -*) pathcomp=./$pathcomp ;;
+    esac
+
+    if test ! -d "$pathcomp"; then
+      echo "mkdir $pathcomp"
+
+      mkdir "$pathcomp" || lasterr=$?
+
+      if test ! -d "$pathcomp"; then
+	errstatus=$lasterr
+      else
+	if test ! -z "$dirmode"; then
+	  echo "chmod $dirmode $pathcomp"
+	  lasterr=
+	  chmod "$dirmode" "$pathcomp" || lasterr=$?
+
+	  if test ! -z "$lasterr"; then
+	    errstatus=$lasterr
+	  fi
+	fi
+      fi
+    fi
+
+    pathcomp=$pathcomp/
+  done
+done
+
+exit $errstatus
+
+# Local Variables:
+# mode: shell-script
+# sh-indentation: 2
+# eval: (add-hook 'write-file-hooks 'time-stamp)
+# time-stamp-start: "scriptversion="
+# time-stamp-format: "%:y-%02m-%02d.%02H"
+# time-stamp-end: "$"
+# End:
diff --git a/src/charon/plugins/nm/gnome/nm-strongswan-service.conf b/src/charon/plugins/nm/gnome/nm-strongswan-service.conf
new file mode 100644
index 000000000..dccc19af9
--- /dev/null
+++ b/src/charon/plugins/nm/gnome/nm-strongswan-service.conf
@@ -0,0 +1,16 @@
+<!DOCTYPE busconfig PUBLIC
+ "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+<busconfig>
+	<policy user="root">
+		<allow own="org.freedesktop.NetworkManager.strongswan"/>
+		<allow send_destination="org.freedesktop.NetworkManager.strongswan"/>
+		<allow send_interface="org.freedesktop.NetworkManager.strongswan"/>
+	</policy>
+	<policy context="default">
+		<deny own="org.freedesktop.NetworkManager.strongswan"/>
+		<deny send_destination="org.freedesktop.NetworkManager.strongswan"/>
+		<deny send_interface="org.freedesktop.NetworkManager.strongswan"/>
+	</policy>
+</busconfig>
+
diff --git a/src/charon/plugins/nm/gnome/nm-strongswan-service.name.in b/src/charon/plugins/nm/gnome/nm-strongswan-service.name.in
new file mode 100644
index 000000000..4120e55ae
--- /dev/null
+++ b/src/charon/plugins/nm/gnome/nm-strongswan-service.name.in
@@ -0,0 +1,8 @@
+[VPN Connection]
+name=strongswan
+service=org.freedesktop.NetworkManager.strongswan
+program=@CHARON@
+
+[GNOME]
+auth-dialog=@LIBEXECDIR@/nm-strongswan-auth-dialog
+properties=libnm-strongswan-properties
diff --git a/src/charon/plugins/nm/gnome/po/LINGUAS b/src/charon/plugins/nm/gnome/po/LINGUAS
new file mode 100644
index 000000000..adc376a70
--- /dev/null
+++ b/src/charon/plugins/nm/gnome/po/LINGUAS
@@ -0,0 +1,2 @@
+# please keep this list sorted alphabetically
+de
diff --git a/src/charon/plugins/nm/gnome/po/Makefile.in.in b/src/charon/plugins/nm/gnome/po/Makefile.in.in
new file mode 100644
index 000000000..6891e8f7d
--- /dev/null
+++ b/src/charon/plugins/nm/gnome/po/Makefile.in.in
@@ -0,0 +1,218 @@
+# Makefile for program source directory in GNU NLS utilities package.
+# Copyright (C) 1995, 1996, 1997 by Ulrich Drepper <drepper@gnu.ai.mit.edu>
+# Copyright (C) 2004-2008 Rodney Dawes <dobey.pwns@gmail.com>
+#
+# This file may be copied and used freely without restrictions.  It may
+# be used in projects which are not available under a GNU Public License,
+# but which still want to provide support for the GNU gettext functionality.
+#
+# - Modified by Owen Taylor <otaylor@redhat.com> to use GETTEXT_PACKAGE
+#   instead of PACKAGE and to look for po2tbl in ./ not in intl/
+#
+# - Modified by jacob berkman <jacob@ximian.com> to install
+#   Makefile.in.in and po2tbl.sed.in for use with glib-gettextize
+#
+# - Modified by Rodney Dawes <dobey.pwns@gmail.com> for use with intltool
+#
+# We have the following line for use by intltoolize:
+# INTLTOOL_MAKEFILE
+
+GETTEXT_PACKAGE = @GETTEXT_PACKAGE@
+PACKAGE = @PACKAGE@
+VERSION = @VERSION@
+
+SHELL = /bin/sh
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+top_builddir = @top_builddir@
+VPATH = @srcdir@
+
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+datadir = @datadir@
+datarootdir = @datarootdir@
+libdir = @libdir@
+DATADIRNAME = @DATADIRNAME@
+itlocaledir = $(prefix)/$(DATADIRNAME)/locale
+subdir = po
+install_sh = @install_sh@
+# Automake >= 1.8 provides @mkdir_p@.
+# Until it can be supposed, use the safe fallback:
+mkdir_p = $(install_sh) -d
+
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+
+GMSGFMT = @GMSGFMT@
+MSGFMT = @MSGFMT@
+XGETTEXT = @XGETTEXT@
+INTLTOOL_UPDATE = @INTLTOOL_UPDATE@
+INTLTOOL_EXTRACT = @INTLTOOL_EXTRACT@
+MSGMERGE = INTLTOOL_EXTRACT=$(INTLTOOL_EXTRACT) srcdir=$(srcdir) $(INTLTOOL_UPDATE) --gettext-package $(GETTEXT_PACKAGE) --dist
+GENPOT   = INTLTOOL_EXTRACT=$(INTLTOOL_EXTRACT) srcdir=$(srcdir) $(INTLTOOL_UPDATE) --gettext-package $(GETTEXT_PACKAGE) --pot
+
+ALL_LINGUAS = @ALL_LINGUAS@
+
+PO_LINGUAS=$(shell if test -r $(srcdir)/LINGUAS; then grep -v "^\#" $(srcdir)/LINGUAS; fi)
+
+USER_LINGUAS=$(shell if test -n "$(LINGUAS)"; then LLINGUAS="$(LINGUAS)"; ALINGUAS="$(ALL_LINGUAS)"; for lang in $$LLINGUAS; do if test -n "`grep ^$$lang$$ $(srcdir)/LINGUAS`" -o -n "`echo $$ALINGUAS|grep ' ?$$lang ?'`"; then printf "$$lang "; fi; done; fi)
+
+USE_LINGUAS=$(shell if test -n "$(USER_LINGUAS)"; then LLINGUAS="$(USER_LINGUAS)"; else if test -n "$(PO_LINGUAS)"; then LLINGUAS="$(PO_LINGUAS)"; else LLINGUAS="$(ALL_LINGUAS)"; fi; fi; for lang in $$LLINGUAS; do printf "$$lang "; done)
+
+POFILES=$(shell LINGUAS="$(USE_LINGUAS)"; for lang in $$LINGUAS; do printf "$$lang.po "; done)
+
+DISTFILES = ChangeLog Makefile.in.in POTFILES.in $(POFILES)
+EXTRA_DISTFILES = POTFILES.skip Makevars LINGUAS
+
+POTFILES = \
+# This comment gets stripped out
+
+CATALOGS=$(shell LINGUAS="$(USE_LINGUAS)"; for lang in $$LINGUAS; do printf "$$lang.gmo "; done)
+
+.SUFFIXES:
+.SUFFIXES: .po .pox .gmo .mo .msg .cat
+
+.po.pox:
+	$(MAKE) $(GETTEXT_PACKAGE).pot
+	$(MSGMERGE) $< $(GETTEXT_PACKAGE).pot -o $*.pox
+
+.po.mo:
+	$(MSGFMT) -o $@ $<
+
+.po.gmo:
+	file=`echo $* | sed 's,.*/,,'`.gmo \
+	  && rm -f $$file && $(GMSGFMT) -o $$file $<
+
+.po.cat:
+	sed -f ../intl/po2msg.sed < $< > $*.msg \
+	  && rm -f $@ && gencat $@ $*.msg
+
+
+all: all-@USE_NLS@
+
+all-yes: $(CATALOGS)
+all-no:
+
+$(GETTEXT_PACKAGE).pot: $(POTFILES)
+	$(GENPOT)
+
+install: install-data
+install-data: install-data-@USE_NLS@
+install-data-no: all
+install-data-yes: all
+	$(mkdir_p) $(DESTDIR)$(itlocaledir)
+	linguas="$(USE_LINGUAS)"; \
+	for lang in $$linguas; do \
+	  dir=$(DESTDIR)$(itlocaledir)/$$lang/LC_MESSAGES; \
+	  $(mkdir_p) $$dir; \
+	  if test -r $$lang.gmo; then \
+	    $(INSTALL_DATA) $$lang.gmo $$dir/$(GETTEXT_PACKAGE).mo; \
+	    echo "installing $$lang.gmo as $$dir/$(GETTEXT_PACKAGE).mo"; \
+	  else \
+	    $(INSTALL_DATA) $(srcdir)/$$lang.gmo $$dir/$(GETTEXT_PACKAGE).mo; \
+	    echo "installing $(srcdir)/$$lang.gmo as" \
+		 "$$dir/$(GETTEXT_PACKAGE).mo"; \
+	  fi; \
+	  if test -r $$lang.gmo.m; then \
+	    $(INSTALL_DATA) $$lang.gmo.m $$dir/$(GETTEXT_PACKAGE).mo.m; \
+	    echo "installing $$lang.gmo.m as $$dir/$(GETTEXT_PACKAGE).mo.m"; \
+	  else \
+	    if test -r $(srcdir)/$$lang.gmo.m ; then \
+	      $(INSTALL_DATA) $(srcdir)/$$lang.gmo.m \
+		$$dir/$(GETTEXT_PACKAGE).mo.m; \
+	      echo "installing $(srcdir)/$$lang.gmo.m as" \
+		   "$$dir/$(GETTEXT_PACKAGE).mo.m"; \
+	    else \
+	      true; \
+	    fi; \
+	  fi; \
+	done
+
+# Empty stubs to satisfy archaic automake needs
+dvi info tags TAGS ID:
+
+# Define this as empty until I found a useful application.
+install-exec installcheck:
+
+uninstall:
+	linguas="$(USE_LINGUAS)"; \
+	for lang in $$linguas; do \
+	  rm -f $(DESTDIR)$(itlocaledir)/$$lang/LC_MESSAGES/$(GETTEXT_PACKAGE).mo; \
+	  rm -f $(DESTDIR)$(itlocaledir)/$$lang/LC_MESSAGES/$(GETTEXT_PACKAGE).mo.m; \
+	done
+
+check: all $(GETTEXT_PACKAGE).pot
+	rm -f missing notexist
+	srcdir=$(srcdir) $(INTLTOOL_UPDATE) -m
+	if [ -r missing -o -r notexist ]; then \
+	  exit 1; \
+	fi
+
+mostlyclean:
+	rm -f *.pox $(GETTEXT_PACKAGE).pot *.old.po cat-id-tbl.tmp
+	rm -f .intltool-merge-cache
+
+clean: mostlyclean
+
+distclean: clean
+	rm -f Makefile Makefile.in POTFILES stamp-it
+	rm -f *.mo *.msg *.cat *.cat.m *.gmo
+
+maintainer-clean: distclean
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+	rm -f Makefile.in.in
+
+distdir = ../$(PACKAGE)-$(VERSION)/$(subdir)
+dist distdir: $(DISTFILES)
+	dists="$(DISTFILES)"; \
+	extra_dists="$(EXTRA_DISTFILES)"; \
+	for file in $$extra_dists; do \
+	  test -f $(srcdir)/$$file && dists="$$dists $(srcdir)/$$file"; \
+	done; \
+	for file in $$dists; do \
+	  test -f $$file || file="$(srcdir)/$$file"; \
+	  ln $$file $(distdir) 2> /dev/null \
+	    || cp -p $$file $(distdir); \
+	done
+
+update-po: Makefile
+	$(MAKE) $(GETTEXT_PACKAGE).pot
+	tmpdir=`pwd`; \
+	linguas="$(USE_LINGUAS)"; \
+	for lang in $$linguas; do \
+	  echo "$$lang:"; \
+	  result="`$(MSGMERGE) -o $$tmpdir/$$lang.new.po $$lang`"; \
+	  if $$result; then \
+	    if cmp $(srcdir)/$$lang.po $$tmpdir/$$lang.new.po >/dev/null 2>&1; then \
+	      rm -f $$tmpdir/$$lang.new.po; \
+            else \
+	      if mv -f $$tmpdir/$$lang.new.po $$lang.po; then \
+	        :; \
+	      else \
+	        echo "msgmerge for $$lang.po failed: cannot move $$tmpdir/$$lang.new.po to $$lang.po" 1>&2; \
+	        rm -f $$tmpdir/$$lang.new.po; \
+	        exit 1; \
+	      fi; \
+	    fi; \
+	  else \
+	    echo "msgmerge for $$lang.gmo failed!"; \
+	    rm -f $$tmpdir/$$lang.new.po; \
+	  fi; \
+	done
+
+Makefile POTFILES: stamp-it
+	@if test ! -f $@; then \
+	  rm -f stamp-it; \
+	  $(MAKE) stamp-it; \
+	fi
+
+stamp-it: Makefile.in.in $(top_builddir)/config.status POTFILES.in
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/Makefile.in CONFIG_HEADERS= CONFIG_LINKS= \
+	       $(SHELL) ./config.status
+
+# Tell versions [3.59,3.63) of GNU make not to export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/charon/plugins/nm/gnome/po/POTFILES.in b/src/charon/plugins/nm/gnome/po/POTFILES.in
new file mode 100644
index 000000000..3732874e9
--- /dev/null
+++ b/src/charon/plugins/nm/gnome/po/POTFILES.in
@@ -0,0 +1,5 @@
+# List of source files containing translatable strings.
+# Please keep this file sorted alphabetically.
+properties/nm-strongswan.c
+properties/nm-strongswan-dialog.glade
+auth-dialog/main.c
diff --git a/src/charon/plugins/nm/gnome/properties/Makefile.am b/src/charon/plugins/nm/gnome/properties/Makefile.am
new file mode 100644
index 000000000..acbab6357
--- /dev/null
+++ b/src/charon/plugins/nm/gnome/properties/Makefile.am
@@ -0,0 +1,38 @@
+plugindir = $(libdir)/NetworkManager
+plugin_LTLIBRARIES = libnm-strongswan-properties.la
+
+libnm_strongswan_properties_la_SOURCES = \
+	nm-strongswan.c \
+	nm-strongswan.h
+
+gladedir = $(datadir)/gnome-vpn-properties/strongswan
+glade_DATA = nm-strongswan-dialog.glade
+
+libnm_strongswan_properties_la_CFLAGS =                          \
+        $(GLADE_CFLAGS)                                 \
+        $(GTK_CFLAGS)                                   \
+        $(GCONF_CFLAGS)                                 \
+        $(LIBGNOMEUI_CFLAGS)                            \
+        $(NM_UTILS_CFLAGS)                              \
+        -DICONDIR=\""$(datadir)/pixmaps"\"              \
+        -DGLADEDIR=\""$(gladedir)"\"                    \
+        -DG_DISABLE_DEPRECATED                          \
+        -DGDK_DISABLE_DEPRECATED                        \
+        -DGNOME_DISABLE_DEPRECATED                      \
+        -DGNOMELOCALEDIR=\"$(datadir)/locale\"		\
+        -DVERSION=\"$(VERSION)\"
+
+libnm_strongswan_properties_la_LIBADD = \
+        $(GLADE_LIBS) \
+        $(GTK_LIBS) \
+        $(GCONF_LIBS) \
+        $(LIBGNOMEUI_LIBS) \
+        $(NM_UTILS_LIBS)
+
+libnm_strongswan_properties_la_LDFLAGS =      \
+        -avoid-version
+
+CLEANFILES = *.bak *.gladep *~
+
+EXTRA_DIST =                            \
+        $(glade_DATA)
diff --git a/src/charon/plugins/nm/gnome/properties/Makefile.in b/src/charon/plugins/nm/gnome/properties/Makefile.in
new file mode 100644
index 000000000..fa48399b5
--- /dev/null
+++ b/src/charon/plugins/nm/gnome/properties/Makefile.in
@@ -0,0 +1,600 @@
+# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = properties
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__installdirs = "$(DESTDIR)$(plugindir)" "$(DESTDIR)$(gladedir)"
+pluginLTLIBRARIES_INSTALL = $(INSTALL)
+LTLIBRARIES = $(plugin_LTLIBRARIES)
+am__DEPENDENCIES_1 =
+libnm_strongswan_properties_la_DEPENDENCIES = $(am__DEPENDENCIES_1) \
+	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
+	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1)
+am_libnm_strongswan_properties_la_OBJECTS =  \
+	libnm_strongswan_properties_la-nm-strongswan.lo
+libnm_strongswan_properties_la_OBJECTS =  \
+	$(am_libnm_strongswan_properties_la_OBJECTS)
+libnm_strongswan_properties_la_LINK = $(LIBTOOL) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(libnm_strongswan_properties_la_CFLAGS) $(CFLAGS) \
+	$(libnm_strongswan_properties_la_LDFLAGS) $(LDFLAGS) -o $@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libnm_strongswan_properties_la_SOURCES)
+DIST_SOURCES = $(libnm_strongswan_properties_la_SOURCES)
+gladeDATA_INSTALL = $(INSTALL_DATA)
+DATA = $(glade_DATA)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALL_LINGUAS = @ALL_LINGUAS@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+CATALOGS = @CATALOGS@
+CATOBJEXT = @CATOBJEXT@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+CXXDEPMODE = @CXXDEPMODE@
+CXXFLAGS = @CXXFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DATADIRNAME = @DATADIRNAME@
+DBUS_CFLAGS = @DBUS_CFLAGS@
+DBUS_LIBS = @DBUS_LIBS@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DSYMUTIL = @DSYMUTIL@
+ECHO = @ECHO@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+F77 = @F77@
+FFLAGS = @FFLAGS@
+GCONF_CFLAGS = @GCONF_CFLAGS@
+GCONF_LIBS = @GCONF_LIBS@
+GDK_PIXBUF_CFLAGS = @GDK_PIXBUF_CFLAGS@
+GDK_PIXBUF_LIBS = @GDK_PIXBUF_LIBS@
+GETTEXT_PACKAGE = @GETTEXT_PACKAGE@
+GLADE_CFLAGS = @GLADE_CFLAGS@
+GLADE_LIBS = @GLADE_LIBS@
+GMOFILES = @GMOFILES@
+GMSGFMT = @GMSGFMT@
+GNOMEKEYRING_CFLAGS = @GNOMEKEYRING_CFLAGS@
+GNOMEKEYRING_LIBS = @GNOMEKEYRING_LIBS@
+GREP = @GREP@
+GTHREAD_CFLAGS = @GTHREAD_CFLAGS@
+GTHREAD_LIBS = @GTHREAD_LIBS@
+GTK_CFLAGS = @GTK_CFLAGS@
+GTK_LIBS = @GTK_LIBS@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+INSTOBJEXT = @INSTOBJEXT@
+INTLLIBS = @INTLLIBS@
+INTLTOOL_CAVES_RULE = @INTLTOOL_CAVES_RULE@
+INTLTOOL_DESKTOP_RULE = @INTLTOOL_DESKTOP_RULE@
+INTLTOOL_DIRECTORY_RULE = @INTLTOOL_DIRECTORY_RULE@
+INTLTOOL_EXTRACT = @INTLTOOL_EXTRACT@
+INTLTOOL_KBD_RULE = @INTLTOOL_KBD_RULE@
+INTLTOOL_KEYS_RULE = @INTLTOOL_KEYS_RULE@
+INTLTOOL_MERGE = @INTLTOOL_MERGE@
+INTLTOOL_OAF_RULE = @INTLTOOL_OAF_RULE@
+INTLTOOL_PERL = @INTLTOOL_PERL@
+INTLTOOL_POLICY_RULE = @INTLTOOL_POLICY_RULE@
+INTLTOOL_PONG_RULE = @INTLTOOL_PONG_RULE@
+INTLTOOL_PROP_RULE = @INTLTOOL_PROP_RULE@
+INTLTOOL_SCHEMAS_RULE = @INTLTOOL_SCHEMAS_RULE@
+INTLTOOL_SERVER_RULE = @INTLTOOL_SERVER_RULE@
+INTLTOOL_SERVICE_RULE = @INTLTOOL_SERVICE_RULE@
+INTLTOOL_SHEET_RULE = @INTLTOOL_SHEET_RULE@
+INTLTOOL_SOUNDLIST_RULE = @INTLTOOL_SOUNDLIST_RULE@
+INTLTOOL_THEME_RULE = @INTLTOOL_THEME_RULE@
+INTLTOOL_UI_RULE = @INTLTOOL_UI_RULE@
+INTLTOOL_UPDATE = @INTLTOOL_UPDATE@
+INTLTOOL_XAM_RULE = @INTLTOOL_XAM_RULE@
+INTLTOOL_XML_NOMERGE_RULE = @INTLTOOL_XML_NOMERGE_RULE@
+INTLTOOL_XML_RULE = @INTLTOOL_XML_RULE@
+LDFLAGS = @LDFLAGS@
+LIBGNOMEUI_CFLAGS = @LIBGNOMEUI_CFLAGS@
+LIBGNOMEUI_LIBS = @LIBGNOMEUI_LIBS@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAINT = @MAINT@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MKINSTALLDIRS = @MKINSTALLDIRS@
+MSGFMT = @MSGFMT@
+MSGFMT_OPTS = @MSGFMT_OPTS@
+MSGMERGE = @MSGMERGE@
+NMEDIT = @NMEDIT@
+NM_UTILS_CFLAGS = @NM_UTILS_CFLAGS@
+NM_UTILS_LIBS = @NM_UTILS_LIBS@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PKG_CONFIG = @PKG_CONFIG@
+POFILES = @POFILES@
+POSUB = @POSUB@
+PO_IN_DATADIR_FALSE = @PO_IN_DATADIR_FALSE@
+PO_IN_DATADIR_TRUE = @PO_IN_DATADIR_TRUE@
+RANLIB = @RANLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+USE_NLS = @USE_NLS@
+VERSION = @VERSION@
+XGETTEXT = @XGETTEXT@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_CXX = @ac_ct_CXX@
+ac_ct_F77 = @ac_ct_F77@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+charon = @charon@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+libdir = @libdir@
+libexecdir = @libexecdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+plugindir = $(libdir)/NetworkManager
+plugin_LTLIBRARIES = libnm-strongswan-properties.la
+libnm_strongswan_properties_la_SOURCES = \
+	nm-strongswan.c \
+	nm-strongswan.h
+
+gladedir = $(datadir)/gnome-vpn-properties/strongswan
+glade_DATA = nm-strongswan-dialog.glade
+libnm_strongswan_properties_la_CFLAGS = \
+        $(GLADE_CFLAGS)                                 \
+        $(GTK_CFLAGS)                                   \
+        $(GCONF_CFLAGS)                                 \
+        $(LIBGNOMEUI_CFLAGS)                            \
+        $(NM_UTILS_CFLAGS)                              \
+        -DICONDIR=\""$(datadir)/pixmaps"\"              \
+        -DGLADEDIR=\""$(gladedir)"\"                    \
+        -DG_DISABLE_DEPRECATED                          \
+        -DGDK_DISABLE_DEPRECATED                        \
+        -DGNOME_DISABLE_DEPRECATED                      \
+        -DGNOMELOCALEDIR=\"$(datadir)/locale\"		\
+        -DVERSION=\"$(VERSION)\"
+
+libnm_strongswan_properties_la_LIBADD = \
+        $(GLADE_LIBS) \
+        $(GTK_LIBS) \
+        $(GCONF_LIBS) \
+        $(LIBGNOMEUI_LIBS) \
+        $(NM_UTILS_LIBS)
+
+libnm_strongswan_properties_la_LDFLAGS = \
+        -avoid-version
+
+CLEANFILES = *.bak *.gladep *~
+EXTRA_DIST = \
+        $(glade_DATA)
+
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
+		&& exit 0; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  properties/Makefile'; \
+	cd $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu  properties/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    f=$(am__strip_dir) \
+	    echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(plugindir)/$$f'"; \
+	    $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(plugindir)/$$f"; \
+	  else :; fi; \
+	done
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  p=$(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$p'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$p"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libnm-strongswan-properties.la: $(libnm_strongswan_properties_la_OBJECTS) $(libnm_strongswan_properties_la_DEPENDENCIES) 
+	$(libnm_strongswan_properties_la_LINK) -rpath $(plugindir) $(libnm_strongswan_properties_la_OBJECTS) $(libnm_strongswan_properties_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libnm_strongswan_properties_la-nm-strongswan.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
+@am__fastdepCC_TRUE@	mv -f $$depbase.Tpo $$depbase.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c -o $@ $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\
+@am__fastdepCC_TRUE@	mv -f $$depbase.Tpo $$depbase.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
+@am__fastdepCC_TRUE@	mv -f $$depbase.Tpo $$depbase.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+libnm_strongswan_properties_la-nm-strongswan.lo: nm-strongswan.c
+@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libnm_strongswan_properties_la_CFLAGS) $(CFLAGS) -MT libnm_strongswan_properties_la-nm-strongswan.lo -MD -MP -MF $(DEPDIR)/libnm_strongswan_properties_la-nm-strongswan.Tpo -c -o libnm_strongswan_properties_la-nm-strongswan.lo `test -f 'nm-strongswan.c' || echo '$(srcdir)/'`nm-strongswan.c
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/libnm_strongswan_properties_la-nm-strongswan.Tpo $(DEPDIR)/libnm_strongswan_properties_la-nm-strongswan.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='nm-strongswan.c' object='libnm_strongswan_properties_la-nm-strongswan.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libnm_strongswan_properties_la_CFLAGS) $(CFLAGS) -c -o libnm_strongswan_properties_la-nm-strongswan.lo `test -f 'nm-strongswan.c' || echo '$(srcdir)/'`nm-strongswan.c
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+install-gladeDATA: $(glade_DATA)
+	@$(NORMAL_INSTALL)
+	test -z "$(gladedir)" || $(MKDIR_P) "$(DESTDIR)$(gladedir)"
+	@list='$(glade_DATA)'; for p in $$list; do \
+	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
+	  f=$(am__strip_dir) \
+	  echo " $(gladeDATA_INSTALL) '$$d$$p' '$(DESTDIR)$(gladedir)/$$f'"; \
+	  $(gladeDATA_INSTALL) "$$d$$p" "$(DESTDIR)$(gladedir)/$$f"; \
+	done
+
+uninstall-gladeDATA:
+	@$(NORMAL_UNINSTALL)
+	@list='$(glade_DATA)'; for p in $$list; do \
+	  f=$(am__strip_dir) \
+	  echo " rm -f '$(DESTDIR)$(gladedir)/$$f'"; \
+	  rm -f "$(DESTDIR)$(gladedir)/$$f"; \
+	done
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	    $$tags $$unique; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$tags $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) $$here
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	    fi; \
+	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES) $(DATA)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)" "$(DESTDIR)$(gladedir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
+	mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+info: info-am
+
+info-am:
+
+install-data-am: install-gladeDATA install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-info: install-info-am
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-gladeDATA uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
+	distclean-compile distclean-generic distclean-libtool \
+	distclean-tags distdir dvi dvi-am html html-am info info-am \
+	install install-am install-data install-data-am install-dvi \
+	install-dvi-am install-exec install-exec-am install-gladeDATA \
+	install-html install-html-am install-info install-info-am \
+	install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-gladeDATA uninstall-pluginLTLIBRARIES
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/charon/plugins/nm/gnome/properties/nm-strongswan-dialog.glade b/src/charon/plugins/nm/gnome/properties/nm-strongswan-dialog.glade
new file mode 100644
index 000000000..f77eb42e7
--- /dev/null
+++ b/src/charon/plugins/nm/gnome/properties/nm-strongswan-dialog.glade
@@ -0,0 +1,334 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE glade-interface SYSTEM "glade-2.0.dtd">
+<!--*- mode: xml -*-->
+<glade-interface>
+  <widget class="GtkWindow" id="strongswan-widget">
+    <property name="title" translatable="yes">window1</property>
+    <child>
+      <widget class="GtkVBox" id="strongswan-vbox">
+        <property name="visible">True</property>
+        <property name="border_width">12</property>
+        <property name="spacing">16</property>
+        <child>
+          <widget class="GtkVBox" id="gateway-vbox">
+            <property name="visible">True</property>
+            <property name="spacing">6</property>
+            <child>
+              <widget class="GtkLabel" id="gateway-label">
+                <property name="visible">True</property>
+                <property name="xalign">0</property>
+                <property name="label" translatable="yes">&lt;b&gt;Gateway&lt;/b&gt;</property>
+                <property name="use_markup">True</property>
+              </widget>
+              <packing>
+                <property name="expand">False</property>
+                <property name="fill">False</property>
+              </packing>
+            </child>
+            <child>
+              <widget class="GtkAlignment" id="gateway-alignement">
+                <property name="visible">True</property>
+                <property name="left_padding">12</property>
+                <child>
+                  <widget class="GtkTable" id="gateway-table">
+                    <property name="visible">True</property>
+                    <property name="n_rows">2</property>
+                    <property name="n_columns">2</property>
+                    <property name="column_spacing">6</property>
+                    <property name="row_spacing">6</property>
+                    <child>
+                      <widget class="GtkLabel" id="address-label">
+                        <property name="visible">True</property>
+                        <property name="xalign">0</property>
+                        <property name="label" translatable="yes">_Address:</property>
+                        <property name="use_underline">True</property>
+                        <property name="mnemonic_widget">address-entry</property>
+                      </widget>
+                      <packing>
+                        <property name="x_options">GTK_FILL</property>
+                        <property name="y_options"></property>
+                      </packing>
+                    </child>
+                    <child>
+                      <widget class="GtkEntry" id="address-entry">
+                        <property name="visible">True</property>
+                        <property name="can_focus">True</property>
+                        <property name="has_tooltip">True</property>
+                        <property name="tooltip_text">An IP address or hostname the Gateway can be contacted.</property>
+                      </widget>
+                      <packing>
+                        <property name="left_attach">1</property>
+                        <property name="right_attach">2</property>
+                        <property name="y_options"></property>
+                      </packing>
+                    </child>
+                    <child>
+                      <widget class="GtkLabel" id="certificate-label">
+                        <property name="visible">True</property>
+                        <property name="xalign">0</property>
+                        <property name="label" translatable="yes">C_ertificate:</property>
+                        <property name="use_underline">True</property>
+                        <property name="mnemonic_widget">certificate-button</property>
+                      </widget>
+                      <packing>
+                        <property name="top_attach">1</property>
+                        <property name="bottom_attach">2</property>
+                        <property name="x_options">GTK_FILL</property>
+                        <property name="y_options"></property>
+                      </packing>
+                    </child>
+                    <child>
+                      <widget class="GtkFileChooserButton" id="certificate-button">
+                        <property name="visible">True</property>
+                        <property name="tooltip_text">Gateway certificate to use for gateway authentication.</property>
+                      </widget>
+                      <packing>
+                        <property name="left_attach">1</property>
+                        <property name="right_attach">2</property>
+                        <property name="top_attach">1</property>
+                        <property name="bottom_attach">2</property>
+                      </packing>
+                    </child>
+                  </widget>
+                </child>
+              </widget>
+              <packing>
+                <property name="position">1</property>
+              </packing>
+            </child>
+          </widget>
+          <packing>
+            <property name="expand">False</property>
+          </packing>
+        </child>
+        <child>
+          <widget class="GtkVBox" id="client-vbox">
+            <property name="visible">True</property>
+            <property name="spacing">6</property>
+            <child>
+              <widget class="GtkLabel" id="client-label">
+                <property name="visible">True</property>
+                <property name="xalign">0</property>
+                <property name="label" translatable="yes">&lt;b&gt;Client&lt;/b&gt;</property>
+                <property name="use_markup">True</property>
+              </widget>
+              <packing>
+                <property name="expand">False</property>
+                <property name="fill">False</property>
+              </packing>
+            </child>
+            <child>
+              <widget class="GtkAlignment" id="client-aligement">
+                <property name="visible">True</property>
+                <property name="left_padding">12</property>
+                <child>
+                  <widget class="GtkTable" id="client-table">
+                    <property name="visible">True</property>
+                    <property name="n_rows">4</property>
+                    <property name="n_columns">2</property>
+                    <property name="column_spacing">6</property>
+                    <property name="row_spacing">6</property>
+                    <child>
+                      <widget class="GtkFileChooserButton" id="userkey-button">
+                        <property name="visible">True</property>
+                        <property name="tooltip_text">Private key to use for client authentication. This key has to match the certificates public key and may be encrypted..</property>
+                      </widget>
+                      <packing>
+                        <property name="left_attach">1</property>
+                        <property name="right_attach">2</property>
+                        <property name="top_attach">3</property>
+                        <property name="bottom_attach">4</property>
+                      </packing>
+                    </child>
+                    <child>
+                      <widget class="GtkLabel" id="userkey-label">
+                        <property name="visible">True</property>
+                        <property name="xalign">0</property>
+                        <property name="label" translatable="yes">Private _key:</property>
+                        <property name="use_underline">True</property>
+                        <property name="mnemonic_widget">userkey-button</property>
+                      </widget>
+                      <packing>
+                        <property name="top_attach">3</property>
+                        <property name="bottom_attach">4</property>
+                        <property name="x_options">GTK_FILL</property>
+                        <property name="y_options"></property>
+                      </packing>
+                    </child>
+                    <child>
+                      <widget class="GtkComboBox" id="method-combo">
+                        <property name="visible">True</property>
+                        <property name="has_tooltip">True</property>
+                        <property name="tooltip_text">Authentication Method to use for authentication against the Gateway. </property>
+                        <property name="items"></property>
+                      </widget>
+                      <packing>
+                        <property name="left_attach">1</property>
+                        <property name="right_attach">2</property>
+                      </packing>
+                    </child>
+                    <child>
+                      <widget class="GtkLabel" id="method-label">
+                        <property name="visible">True</property>
+                        <property name="xalign">0</property>
+                        <property name="label" translatable="yes">Au_thentication:</property>
+                        <property name="use_underline">True</property>
+                        <property name="mnemonic_widget">method-combo</property>
+                      </widget>
+                      <packing>
+                        <property name="x_options">GTK_FILL</property>
+                        <property name="y_options"></property>
+                      </packing>
+                    </child>
+                    <child>
+                      <widget class="GtkLabel" id="user-label">
+                        <property name="visible">True</property>
+                        <property name="xalign">0</property>
+                        <property name="label" translatable="yes">_Username:</property>
+                        <property name="use_underline">True</property>
+                        <property name="mnemonic_widget">user-entry</property>
+                      </widget>
+                      <packing>
+                        <property name="top_attach">1</property>
+                        <property name="bottom_attach">2</property>
+                        <property name="x_options">GTK_FILL</property>
+                        <property name="y_options"></property>
+                      </packing>
+                    </child>
+                    <child>
+                      <widget class="GtkEntry" id="user-entry">
+                        <property name="visible">True</property>
+                        <property name="can_focus">True</property>
+                        <property name="has_tooltip">True</property>
+                        <property name="tooltip_text">The username (identity) to use for authentication against the gateway.</property>
+                      </widget>
+                      <packing>
+                        <property name="left_attach">1</property>
+                        <property name="right_attach">2</property>
+                        <property name="top_attach">1</property>
+                        <property name="bottom_attach">2</property>
+                        <property name="y_options"></property>
+                      </packing>
+                    </child>
+                    <child>
+                      <widget class="GtkLabel" id="usercert-label">
+                        <property name="visible">True</property>
+                        <property name="xalign">0</property>
+                        <property name="label" translatable="yes">Ce_rtificate:</property>
+                        <property name="use_underline">True</property>
+                        <property name="mnemonic_widget">usercert-button</property>
+                      </widget>
+                      <packing>
+                        <property name="top_attach">2</property>
+                        <property name="bottom_attach">3</property>
+                        <property name="x_options">GTK_FILL</property>
+                        <property name="y_options"></property>
+                      </packing>
+                    </child>
+                    <child>
+                      <widget class="GtkFileChooserButton" id="usercert-button">
+                        <property name="visible">True</property>
+                        <property name="tooltip_text">Client certificate to use for client authentication.</property>
+                      </widget>
+                      <packing>
+                        <property name="left_attach">1</property>
+                        <property name="right_attach">2</property>
+                        <property name="top_attach">2</property>
+                        <property name="bottom_attach">3</property>
+                      </packing>
+                    </child>
+                  </widget>
+                </child>
+              </widget>
+              <packing>
+                <property name="position">1</property>
+              </packing>
+            </child>
+          </widget>
+          <packing>
+            <property name="expand">False</property>
+            <property name="position">1</property>
+          </packing>
+        </child>
+        <child>
+          <widget class="GtkVBox" id="options-vbox">
+            <property name="visible">True</property>
+            <property name="spacing">6</property>
+            <child>
+              <widget class="GtkLabel" id="options-label">
+                <property name="visible">True</property>
+                <property name="xalign">0</property>
+                <property name="label" translatable="yes">&lt;b&gt;Options&lt;/b&gt;</property>
+                <property name="use_markup">True</property>
+              </widget>
+              <packing>
+                <property name="expand">False</property>
+                <property name="fill">False</property>
+              </packing>
+            </child>
+            <child>
+              <widget class="GtkAlignment" id="options-alignement">
+                <property name="visible">True</property>
+                <property name="left_padding">12</property>
+                <child>
+                  <widget class="GtkVBox" id="options-inner-vbox">
+                    <property name="visible">True</property>
+                    <child>
+                      <widget class="GtkCheckButton" id="virtual-check">
+                        <property name="visible">True</property>
+                        <property name="can_focus">True</property>
+                        <property name="has_tooltip">True</property>
+                        <property name="tooltip_text">The Gateway may provide addresses from a pool to use for communication in the Gateways network. Check to request such an address.</property>
+                        <property name="label" translatable="yes">Request an _inner IP address</property>
+                        <property name="use_underline">True</property>
+                        <property name="response_id">0</property>
+                        <property name="draw_indicator">True</property>
+                      </widget>
+                    </child>
+                    <child>
+                      <widget class="GtkCheckButton" id="encap-check">
+                        <property name="visible">True</property>
+                        <property name="can_focus">True</property>
+                        <property name="has_tooltip">True</property>
+                        <property name="tooltip_text">Some firewalls block ESP traffic. Enforcing UDP capsulation even if no NAT situation is detected might help in such cases.</property>
+                        <property name="label" translatable="yes">En_force UDP encapsulation</property>
+                        <property name="use_underline">True</property>
+                        <property name="response_id">0</property>
+                        <property name="draw_indicator">True</property>
+                      </widget>
+                      <packing>
+                        <property name="position">1</property>
+                      </packing>
+                    </child>
+                    <child>
+                      <widget class="GtkCheckButton" id="ipcomp-check">
+                        <property name="visible">True</property>
+                        <property name="can_focus">True</property>
+                        <property name="has_tooltip">True</property>
+                        <property name="tooltip_text">IPComp compresses raw IP packets before they get encrypted. This saves some bandwith, but uses more processing power.</property>
+                        <property name="label" translatable="yes">Use IP c_ompression</property>
+                        <property name="use_underline">True</property>
+                        <property name="response_id">0</property>
+                        <property name="draw_indicator">True</property>
+                      </widget>
+                      <packing>
+                        <property name="position">2</property>
+                      </packing>
+                    </child>
+                  </widget>
+                </child>
+              </widget>
+              <packing>
+                <property name="position">1</property>
+              </packing>
+            </child>
+          </widget>
+          <packing>
+            <property name="expand">False</property>
+            <property name="position">2</property>
+          </packing>
+        </child>
+      </widget>
+    </child>
+  </widget>
+</glade-interface>
diff --git a/src/charon/plugins/nm/gnome/properties/nm-strongswan.c b/src/charon/plugins/nm/gnome/properties/nm-strongswan.c
new file mode 100644
index 000000000..e8a882cdf
--- /dev/null
+++ b/src/charon/plugins/nm/gnome/properties/nm-strongswan.c
@@ -0,0 +1,526 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2005 David Zeuthen
+ * Copyright (C) 2005-2008 Dan Williams
+ *
+ * Based on NetworkManager's vpnc plugin
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <errno.h>
+#include <stdlib.h>
+#include <glib/gi18n-lib.h>
+#include <string.h>
+#include <gtk/gtk.h>
+#include <glade/glade.h>
+
+#define NM_VPN_API_SUBJECT_TO_CHANGE
+
+#include <nm-vpn-plugin-ui-interface.h>
+#include <nm-setting-vpn.h>
+#include <nm-setting-connection.h>
+#include <nm-setting-ip4-config.h>
+
+#include "nm-strongswan.h"
+
+#define STRONGSWAN_PLUGIN_NAME    _("IPsec/IKEv2 (strongswan)")
+#define STRONGSWAN_PLUGIN_DESC    _("IPsec with the IKEv2 key exchange protocol.")
+#define STRONGSWAN_PLUGIN_SERVICE "org.freedesktop.NetworkManager.strongswan"
+#define NM_DBUS_SERVICE_STRONGSWAN "org.freedesktop.NetworkManager.strongswan"
+
+/************** plugin class **************/
+
+static void strongswan_plugin_ui_interface_init (NMVpnPluginUiInterface *iface_class);
+
+G_DEFINE_TYPE_EXTENDED (StrongswanPluginUi, strongswan_plugin_ui, G_TYPE_OBJECT, 0,
+						G_IMPLEMENT_INTERFACE (NM_TYPE_VPN_PLUGIN_UI_INTERFACE,
+											   strongswan_plugin_ui_interface_init))
+
+/************** UI widget class **************/
+
+static void strongswan_plugin_ui_widget_interface_init (NMVpnPluginUiWidgetInterface *iface_class);
+
+G_DEFINE_TYPE_EXTENDED (StrongswanPluginUiWidget, strongswan_plugin_ui_widget, G_TYPE_OBJECT, 0,
+						G_IMPLEMENT_INTERFACE (NM_TYPE_VPN_PLUGIN_UI_WIDGET_INTERFACE,
+											   strongswan_plugin_ui_widget_interface_init))
+
+#define STRONGSWAN_PLUGIN_UI_WIDGET_GET_PRIVATE(o) (G_TYPE_INSTANCE_GET_PRIVATE ((o), STRONGSWAN_TYPE_PLUGIN_UI_WIDGET, StrongswanPluginUiWidgetPrivate))
+
+typedef struct {
+	GladeXML *xml;
+	GtkWidget *widget;
+} StrongswanPluginUiWidgetPrivate;
+
+
+#define STRONGSWAN_PLUGIN_UI_ERROR strongswan_plugin_ui_error_quark ()
+
+static GQuark
+strongswan_plugin_ui_error_quark (void)
+{
+	static GQuark error_quark = 0;
+
+	if (G_UNLIKELY (error_quark == 0))
+		error_quark = g_quark_from_static_string ("strongswan-plugin-ui-error-quark");
+
+	return error_quark;
+}
+
+#define ENUM_ENTRY(NAME, DESC) { NAME, "" #NAME "", DESC }
+
+GType
+strongswan_plugin_ui_error_get_type (void)
+{
+	static GType etype = 0;
+
+	if (etype == 0) {
+		static const GEnumValue values[] = {
+			/* Unknown error. */
+			ENUM_ENTRY (STRONGSWAN_PLUGIN_UI_ERROR_UNKNOWN, "UnknownError"),
+			/* The specified property was invalid. */
+			ENUM_ENTRY (STRONGSWAN_PLUGIN_UI_ERROR_INVALID_PROPERTY, "InvalidProperty"),
+			/* The specified property was missing and is required. */
+			ENUM_ENTRY (STRONGSWAN_PLUGIN_UI_ERROR_MISSING_PROPERTY, "MissingProperty"),
+			{ 0, 0, 0 }
+		};
+		etype = g_enum_register_static ("StrongswanPluginUiError", values);
+	}
+	return etype;
+}
+
+static gboolean
+check_validity (StrongswanPluginUiWidget *self, GError **error)
+{
+	StrongswanPluginUiWidgetPrivate *priv = STRONGSWAN_PLUGIN_UI_WIDGET_GET_PRIVATE (self);
+	GtkWidget *widget;
+	char *str;
+
+	widget = glade_xml_get_widget (priv->xml, "address-entry");
+	str = (char *) gtk_entry_get_text (GTK_ENTRY (widget));
+	if (!str || !strlen (str)) {
+		g_set_error (error,
+		             STRONGSWAN_PLUGIN_UI_ERROR,
+		             STRONGSWAN_PLUGIN_UI_ERROR_INVALID_PROPERTY,
+		             "address");
+		return FALSE;
+	}
+	return TRUE;
+}
+
+static void update_layout (GtkWidget *widget, StrongswanPluginUiWidgetPrivate *priv)
+{
+	switch (gtk_combo_box_get_active (GTK_COMBO_BOX (widget)))
+	{
+		default:
+			gtk_combo_box_set_active (GTK_COMBO_BOX (widget), 0);
+			/* FALL */
+		case 0:
+			gtk_widget_show (glade_xml_get_widget (priv->xml, "usercert-label"));
+			gtk_widget_show (glade_xml_get_widget (priv->xml, "usercert-button"));
+			gtk_widget_show (glade_xml_get_widget (priv->xml, "userkey-label"));
+			gtk_widget_show (glade_xml_get_widget (priv->xml, "userkey-button"));
+			gtk_widget_hide (glade_xml_get_widget (priv->xml, "user-label"));
+			gtk_widget_hide (glade_xml_get_widget (priv->xml, "user-entry"));
+			break;
+		case 1:
+			gtk_widget_show (glade_xml_get_widget (priv->xml, "usercert-label"));
+			gtk_widget_show (glade_xml_get_widget (priv->xml, "usercert-button"));
+			gtk_widget_hide (glade_xml_get_widget (priv->xml, "user-label"));
+			gtk_widget_hide (glade_xml_get_widget (priv->xml, "user-entry"));
+			gtk_widget_hide (glade_xml_get_widget (priv->xml, "userkey-label"));
+			gtk_widget_hide (glade_xml_get_widget (priv->xml, "userkey-button"));
+			break;
+		case 2:
+			gtk_widget_show (glade_xml_get_widget (priv->xml, "user-label"));
+			gtk_widget_show (glade_xml_get_widget (priv->xml, "user-entry"));
+			gtk_widget_hide (glade_xml_get_widget (priv->xml, "usercert-label"));
+			gtk_widget_hide (glade_xml_get_widget (priv->xml, "usercert-button"));
+			gtk_widget_hide (glade_xml_get_widget (priv->xml, "userkey-label"));
+			gtk_widget_hide (glade_xml_get_widget (priv->xml, "userkey-button"));
+			break;
+	}
+
+}
+
+static void
+settings_changed_cb (GtkWidget *widget, gpointer user_data)
+{
+	StrongswanPluginUiWidget *self = STRONGSWAN_PLUGIN_UI_WIDGET (user_data);
+	StrongswanPluginUiWidgetPrivate *priv = STRONGSWAN_PLUGIN_UI_WIDGET_GET_PRIVATE (self);
+	
+	if (widget == glade_xml_get_widget (priv->xml, "method-combo"))
+	{
+		update_layout(glade_xml_get_widget (priv->xml, "method-combo"), priv);
+	}
+	g_signal_emit_by_name (STRONGSWAN_PLUGIN_UI_WIDGET (user_data), "changed");
+}
+
+static gboolean
+init_plugin_ui (StrongswanPluginUiWidget *self, NMConnection *connection, GError **error)
+{
+	StrongswanPluginUiWidgetPrivate *priv = STRONGSWAN_PLUGIN_UI_WIDGET_GET_PRIVATE (self);
+	NMSettingVPN *settings;
+	GtkWidget *widget;
+	char *value;
+	gboolean active;
+	
+	settings = NM_SETTING_VPN(nm_connection_get_setting(connection, NM_TYPE_SETTING_VPN));
+	widget = glade_xml_get_widget (priv->xml, "address-entry");
+	value = g_hash_table_lookup (settings->data, "address");
+	if (value)
+		gtk_entry_set_text (GTK_ENTRY (widget), value);
+	g_signal_connect (G_OBJECT (widget), "changed", G_CALLBACK (settings_changed_cb), self);
+
+	widget = glade_xml_get_widget (priv->xml, "certificate-button");
+	value = g_hash_table_lookup (settings->data, "certificate");
+	if (value)
+		gtk_file_chooser_set_filename (GTK_FILE_CHOOSER (widget), value);
+	g_signal_connect (G_OBJECT (widget), "selection-changed", G_CALLBACK (settings_changed_cb), self);
+
+	widget = glade_xml_get_widget (priv->xml, "user-label");
+	gtk_widget_set_no_show_all (widget, TRUE);
+	widget = glade_xml_get_widget (priv->xml, "user-entry");
+	gtk_widget_set_no_show_all (widget, TRUE);
+	value = g_hash_table_lookup (settings->data, "user");
+	if (value)
+		gtk_entry_set_text (GTK_ENTRY (widget), value);
+	g_signal_connect (G_OBJECT (widget), "changed", G_CALLBACK (settings_changed_cb), self);
+
+	widget = glade_xml_get_widget (priv->xml, "method-combo");
+	gtk_combo_box_append_text (GTK_COMBO_BOX (widget), _("Certificate/private key"));
+	gtk_combo_box_append_text (GTK_COMBO_BOX (widget), _("Certificate/ssh-agent"));
+	gtk_combo_box_append_text (GTK_COMBO_BOX (widget), _("EAP"));
+	value = g_hash_table_lookup (settings->data, "method");
+	if (value) {
+		if (g_strcasecmp (value, "key") == 0) {
+			gtk_combo_box_set_active (GTK_COMBO_BOX (widget), 0);
+		}
+		if (g_strcasecmp (value, "agent") == 0) {
+			gtk_combo_box_set_active (GTK_COMBO_BOX (widget), 1);
+		}
+		if (g_strcasecmp (value, "eap") == 0) {
+			gtk_combo_box_set_active (GTK_COMBO_BOX (widget), 2);
+		}
+	}
+	if (gtk_combo_box_get_active (GTK_COMBO_BOX (widget)) == -1)
+	{
+		gtk_combo_box_set_active (GTK_COMBO_BOX (widget), 0);
+	}
+	update_layout (widget, priv);
+	g_signal_connect (G_OBJECT (widget), "changed", G_CALLBACK (settings_changed_cb), self);
+	
+	widget = glade_xml_get_widget (priv->xml, "usercert-label");
+	gtk_widget_set_no_show_all (widget, TRUE);
+	widget = glade_xml_get_widget (priv->xml, "usercert-button");
+	gtk_widget_set_no_show_all (widget, TRUE);
+	value = g_hash_table_lookup (settings->data, "usercert");
+	if (value)
+		gtk_file_chooser_set_filename (GTK_FILE_CHOOSER (widget), value);
+	g_signal_connect (G_OBJECT (widget), "selection-changed", G_CALLBACK (settings_changed_cb), self);
+	
+	widget = glade_xml_get_widget (priv->xml, "userkey-label");
+	gtk_widget_set_no_show_all (widget, TRUE);
+	widget = glade_xml_get_widget (priv->xml, "userkey-button");
+	gtk_widget_set_no_show_all (widget, TRUE);
+	value = g_hash_table_lookup (settings->data, "userkey");
+	if (value)
+		gtk_file_chooser_set_filename (GTK_FILE_CHOOSER (widget), value);
+	g_signal_connect (G_OBJECT (widget), "selection-changed", G_CALLBACK (settings_changed_cb), self);
+	
+	widget = glade_xml_get_widget (priv->xml, "virtual-check");
+	value = g_hash_table_lookup (settings->data, "virtual");
+	if (value && strcmp(value, "yes") == 0)
+	{
+		gtk_toggle_button_set_active(GTK_TOGGLE_BUTTON(widget), TRUE);
+	}
+	g_signal_connect (G_OBJECT (widget), "toggled", G_CALLBACK (settings_changed_cb), self);
+	
+	widget = glade_xml_get_widget (priv->xml, "encap-check");
+	value = g_hash_table_lookup (settings->data, "encap");
+	if (value && strcmp(value, "yes") == 0)
+	{
+		gtk_toggle_button_set_active(GTK_TOGGLE_BUTTON(widget), TRUE);
+	}
+	g_signal_connect (G_OBJECT (widget), "toggled", G_CALLBACK (settings_changed_cb), self);
+	
+	widget = glade_xml_get_widget (priv->xml, "ipcomp-check");
+	value = g_hash_table_lookup (settings->data, "ipcomp");
+	if (value && strcmp(value, "yes") == 0)
+	{
+		gtk_toggle_button_set_active(GTK_TOGGLE_BUTTON(widget), TRUE);
+	}
+	g_signal_connect (G_OBJECT (widget), "toggled", G_CALLBACK (settings_changed_cb), self);
+
+	return TRUE;
+}
+
+static GObject *
+get_widget (NMVpnPluginUiWidgetInterface *iface)
+{
+	StrongswanPluginUiWidget *self = STRONGSWAN_PLUGIN_UI_WIDGET (iface);
+	StrongswanPluginUiWidgetPrivate *priv = STRONGSWAN_PLUGIN_UI_WIDGET_GET_PRIVATE (self);
+
+	return G_OBJECT (priv->widget);
+}
+
+static gboolean
+update_connection (NMVpnPluginUiWidgetInterface *iface,
+                   NMConnection *connection,
+                   GError **error)
+{
+	StrongswanPluginUiWidget *self = STRONGSWAN_PLUGIN_UI_WIDGET (iface);
+	StrongswanPluginUiWidgetPrivate *priv = STRONGSWAN_PLUGIN_UI_WIDGET_GET_PRIVATE (self);
+	NMSettingVPN *settings;
+	GtkWidget *widget;
+	GValue *value;
+	gboolean active;
+	char *str;
+	GtkTreeModel *model;
+	GtkTreeIter iter;
+
+	if (!check_validity (self, error))
+		return FALSE;
+	settings = NM_SETTING_VPN (nm_setting_vpn_new ());
+	settings->service_type = g_strdup (NM_DBUS_SERVICE_STRONGSWAN);
+
+	widget = glade_xml_get_widget (priv->xml, "address-entry");
+	str = (char *) gtk_entry_get_text (GTK_ENTRY (widget));
+	if (str && strlen (str)) {
+		g_hash_table_insert (settings->data, g_strdup ("address"), g_strdup(str));
+	}
+
+	widget = glade_xml_get_widget (priv->xml, "certificate-button");
+	str = (char *) gtk_file_chooser_get_filename (GTK_FILE_CHOOSER (widget));
+	if (str) {
+		g_hash_table_insert (settings->data, g_strdup ("certificate"), g_strdup(str));
+	}
+	
+	widget = glade_xml_get_widget (priv->xml, "method-combo");
+	switch (gtk_combo_box_get_active (GTK_COMBO_BOX (widget)))
+	{
+		default:
+		case 0:
+			widget = glade_xml_get_widget (priv->xml, "userkey-button");
+			str = (char *) gtk_file_chooser_get_filename (GTK_FILE_CHOOSER (widget));
+			if (str) {
+				g_hash_table_insert (settings->data, g_strdup ("userkey"), g_strdup(str));
+			}
+			widget = glade_xml_get_widget (priv->xml, "usercert-button");
+			str = (char *) gtk_file_chooser_get_filename (GTK_FILE_CHOOSER (widget));
+			if (str) {
+				g_hash_table_insert (settings->data, g_strdup ("usercert"), g_strdup(str));
+			}
+			str = "key";
+			break;
+		case 1:
+			widget = glade_xml_get_widget (priv->xml, "usercert-button");
+			str = (char *) gtk_file_chooser_get_filename (GTK_FILE_CHOOSER (widget));
+			if (str) {
+				g_hash_table_insert (settings->data, g_strdup ("usercert"), g_strdup(str));
+			}
+			str = "agent";
+			break;
+		case 2:
+			widget = glade_xml_get_widget (priv->xml, "user-entry");
+			str = (char *) gtk_entry_get_text (GTK_ENTRY (widget));
+			if (str && strlen (str)) {
+				g_hash_table_insert (settings->data, g_strdup ("user"), g_strdup(str));
+			}
+			str = "eap";
+			break;
+	}
+	g_hash_table_insert (settings->data, g_strdup ("method"), g_strdup(str));
+	
+	widget = glade_xml_get_widget (priv->xml, "virtual-check");
+	active = gtk_toggle_button_get_active(GTK_TOGGLE_BUTTON(widget));
+	g_hash_table_insert (settings->data, g_strdup ("virtual"),
+			             g_strdup(active ? "yes" : "no"));
+	                     
+	widget = glade_xml_get_widget (priv->xml, "encap-check");
+	active = gtk_toggle_button_get_active(GTK_TOGGLE_BUTTON(widget));
+	g_hash_table_insert (settings->data, g_strdup ("encap"),
+			             g_strdup(active ? "yes" : "no"));
+	                     
+	widget = glade_xml_get_widget (priv->xml, "ipcomp-check");
+	active = gtk_toggle_button_get_active(GTK_TOGGLE_BUTTON(widget));
+	g_hash_table_insert (settings->data, g_strdup ("ipcomp"),
+			             g_strdup(active ? "yes" : "no"));
+
+	nm_connection_add_setting (connection, NM_SETTING (settings));
+	return TRUE;
+}
+
+static NMVpnPluginUiWidgetInterface *
+nm_vpn_plugin_ui_widget_interface_new (NMConnection *connection, GError **error)
+{
+	NMVpnPluginUiWidgetInterface *object;
+	StrongswanPluginUiWidgetPrivate *priv;
+	char *glade_file;
+
+	if (error)
+		g_return_val_if_fail (*error == NULL, NULL);
+
+	object = NM_VPN_PLUGIN_UI_WIDGET_INTERFACE (g_object_new (STRONGSWAN_TYPE_PLUGIN_UI_WIDGET, NULL));
+	if (!object) {
+		g_set_error (error, STRONGSWAN_PLUGIN_UI_ERROR, 0, "could not create strongswan object");
+		return NULL;
+	}
+
+	priv = STRONGSWAN_PLUGIN_UI_WIDGET_GET_PRIVATE (object);
+
+	glade_file = g_strdup_printf ("%s/%s", GLADEDIR, "nm-strongswan-dialog.glade");
+	priv->xml = glade_xml_new (glade_file, "strongswan-vbox", GETTEXT_PACKAGE);
+	if (priv->xml == NULL) {
+		g_set_error (error, STRONGSWAN_PLUGIN_UI_ERROR, 0,
+		             "could not load required resources at %s", glade_file);
+		g_free (glade_file);
+		g_object_unref (object);
+		return NULL;
+	}
+	g_free (glade_file);
+
+	priv->widget = glade_xml_get_widget (priv->xml, "strongswan-vbox");
+	if (!priv->widget) {
+		g_set_error (error, STRONGSWAN_PLUGIN_UI_ERROR, 0, "could not load UI widget");
+		g_object_unref (object);
+		return NULL;
+	}
+	g_object_ref_sink (priv->widget);
+
+	if (!init_plugin_ui (STRONGSWAN_PLUGIN_UI_WIDGET (object), connection, error)) {
+		g_object_unref (object);
+		return NULL;
+	}
+
+	return object;
+}
+
+static void
+dispose (GObject *object)
+{
+	StrongswanPluginUiWidget *plugin = STRONGSWAN_PLUGIN_UI_WIDGET (object);
+	StrongswanPluginUiWidgetPrivate *priv = STRONGSWAN_PLUGIN_UI_WIDGET_GET_PRIVATE (plugin);
+
+	if (priv->widget)
+		g_object_unref (priv->widget);
+
+	if (priv->xml)
+		g_object_unref (priv->xml);
+
+	G_OBJECT_CLASS (strongswan_plugin_ui_widget_parent_class)->dispose (object);
+}
+
+static void
+strongswan_plugin_ui_widget_class_init (StrongswanPluginUiWidgetClass *req_class)
+{
+	GObjectClass *object_class = G_OBJECT_CLASS (req_class);
+
+	g_type_class_add_private (req_class, sizeof (StrongswanPluginUiWidgetPrivate));
+
+	object_class->dispose = dispose;
+}
+
+static void
+strongswan_plugin_ui_widget_init (StrongswanPluginUiWidget *plugin)
+{
+}
+
+static void
+strongswan_plugin_ui_widget_interface_init (NMVpnPluginUiWidgetInterface *iface_class)
+{
+	/* interface implementation */
+	iface_class->get_widget = get_widget;
+	iface_class->update_connection = update_connection;
+}
+
+static guint32
+get_capabilities (NMVpnPluginUiInterface *iface)
+{
+	return 0;
+}
+
+static NMVpnPluginUiWidgetInterface *
+ui_factory (NMVpnPluginUiInterface *iface, NMConnection *connection, GError **error)
+{
+	return nm_vpn_plugin_ui_widget_interface_new (connection, error);
+}
+
+static void
+get_property (GObject *object, guint prop_id,
+			  GValue *value, GParamSpec *pspec)
+{
+	switch (prop_id) {
+	case NM_VPN_PLUGIN_UI_INTERFACE_PROP_NAME:
+		g_value_set_string (value, STRONGSWAN_PLUGIN_NAME);
+		break;
+	case NM_VPN_PLUGIN_UI_INTERFACE_PROP_DESC:
+		g_value_set_string (value, STRONGSWAN_PLUGIN_DESC);
+		break;
+	case NM_VPN_PLUGIN_UI_INTERFACE_PROP_SERVICE:
+		g_value_set_string (value, STRONGSWAN_PLUGIN_SERVICE);
+		break;
+	default:
+		G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
+		break;
+	}
+}
+
+static void
+strongswan_plugin_ui_class_init (StrongswanPluginUiClass *req_class)
+{
+	GObjectClass *object_class = G_OBJECT_CLASS (req_class);
+
+	object_class->get_property = get_property;
+
+	g_object_class_override_property (object_class,
+									  NM_VPN_PLUGIN_UI_INTERFACE_PROP_NAME,
+									  NM_VPN_PLUGIN_UI_INTERFACE_NAME);
+
+	g_object_class_override_property (object_class,
+									  NM_VPN_PLUGIN_UI_INTERFACE_PROP_DESC,
+									  NM_VPN_PLUGIN_UI_INTERFACE_DESC);
+
+	g_object_class_override_property (object_class,
+									  NM_VPN_PLUGIN_UI_INTERFACE_PROP_SERVICE,
+									  NM_VPN_PLUGIN_UI_INTERFACE_SERVICE);
+}
+
+static void
+strongswan_plugin_ui_init (StrongswanPluginUi *plugin)
+{
+}
+
+static void
+strongswan_plugin_ui_interface_init (NMVpnPluginUiInterface *iface_class)
+{
+	/* interface implementation */
+	iface_class->ui_factory = ui_factory;
+	iface_class->get_capabilities = get_capabilities;
+	/* TODO: implement delete_connection to purge associated secrets */
+}
+
+
+G_MODULE_EXPORT NMVpnPluginUiInterface *
+nm_vpn_plugin_ui_factory (GError **error)
+{
+	if (error)
+		g_return_val_if_fail (*error == NULL, NULL);
+
+	return NM_VPN_PLUGIN_UI_INTERFACE (g_object_new (STRONGSWAN_TYPE_PLUGIN_UI, NULL));
+}
+
diff --git a/src/charon/plugins/nm/gnome/properties/nm-strongswan.h b/src/charon/plugins/nm/gnome/properties/nm-strongswan.h
new file mode 100644
index 000000000..793c3d97a
--- /dev/null
+++ b/src/charon/plugins/nm/gnome/properties/nm-strongswan.h
@@ -0,0 +1,78 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2008 Dan Williams
+ *
+ * Based on NetworkManager's vpnc plugin
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+#ifndef _NM_STRONGSWAN_H_
+#define _NM_STRONGSWAN_H_
+
+#include <glib-object.h>
+
+typedef enum
+{
+	STRONGSWAN_PLUGIN_UI_ERROR_UNKNOWN = 0,
+	STRONGSWAN_PLUGIN_UI_ERROR_INVALID_PROPERTY,
+	STRONGSWAN_PLUGIN_UI_ERROR_MISSING_PROPERTY
+} StrongswanPluginUiError;
+
+#define STRONGSWAN_TYPE_PLUGIN_UI_ERROR (strongswan_plugin_ui_error_get_type ()) 
+GType strongswan_plugin_ui_error_get_type (void);
+
+#define STRONGSWAN_TYPE_PLUGIN_UI            (strongswan_plugin_ui_get_type ())
+#define STRONGSWAN_PLUGIN_UI(obj)            (G_TYPE_CHECK_INSTANCE_CAST ((obj), STRONGSWAN_TYPE_PLUGIN_UI, StrongswanPluginUi))
+#define STRONGSWAN_PLUGIN_UI_CLASS(klass)    (G_TYPE_CHECK_CLASS_CAST ((klass), STRONGSWAN_TYPE_PLUGIN_UI, StrongswanPluginUiClass))
+#define STRONGSWAN_IS_PLUGIN_UI(obj)         (G_TYPE_CHECK_INSTANCE_TYPE ((obj), STRONGSWAN_TYPE_PLUGIN_UI))
+#define STRONGSWAN_IS_PLUGIN_UI_CLASS(klass) (G_TYPE_CHECK_CLASS_TYPE ((obj), STRONGSWAN_TYPE_PLUGIN_UI))
+#define STRONGSWAN_PLUGIN_UI_GET_CLASS(obj)  (G_TYPE_INSTANCE_GET_CLASS ((obj), STRONGSWAN_TYPE_PLUGIN_UI, StrongswanPluginUiClass))
+
+typedef struct _StrongswanPluginUi StrongswanPluginUi;
+typedef struct _StrongswanPluginUiClass StrongswanPluginUiClass;
+
+struct _StrongswanPluginUi {
+	GObject parent;
+};
+
+struct _StrongswanPluginUiClass {
+	GObjectClass parent;
+};
+
+GType strongswan_plugin_ui_get_type (void);
+
+
+#define STRONGSWAN_TYPE_PLUGIN_UI_WIDGET            (strongswan_plugin_ui_widget_get_type ())
+#define STRONGSWAN_PLUGIN_UI_WIDGET(obj)            (G_TYPE_CHECK_INSTANCE_CAST ((obj), STRONGSWAN_TYPE_PLUGIN_UI_WIDGET, StrongswanPluginUiWidget))
+#define STRONGSWAN_PLUGIN_UI_WIDGET_CLASS(klass)    (G_TYPE_CHECK_CLASS_CAST ((klass), STRONGSWAN_TYPE_PLUGIN_UI_WIDGET, StrongswanPluginUiWidgetClass))
+#define STRONGSWAN_IS_PLUGIN_UI_WIDGET(obj)         (G_TYPE_CHECK_INSTANCE_TYPE ((obj), STRONGSWAN_TYPE_PLUGIN_UI_WIDGET))
+#define STRONGSWAN_IS_PLUGIN_UI_WIDGET_CLASS(klass) (G_TYPE_CHECK_CLASS_TYPE ((obj), STRONGSWAN_TYPE_PLUGIN_UI_WIDGET))
+#define STRONGSWAN_PLUGIN_UI_WIDGET_GET_CLASS(obj)  (G_TYPE_INSTANCE_GET_CLASS ((obj), STRONGSWAN_TYPE_PLUGIN_UI_WIDGET, StrongswanPluginUiWidgetClass))
+
+typedef struct _StrongswanPluginUiWidget StrongswanPluginUiWidget;
+typedef struct _StrongswanPluginUiWidgetClass StrongswanPluginUiWidgetClass;
+
+struct _StrongswanPluginUiWidget {
+	GObject parent;
+};
+
+struct _StrongswanPluginUiWidgetClass {
+	GObjectClass parent;
+};
+
+GType strongswan_plugin_ui_widget_get_type (void);
+
+#endif	/* _NM_STRONGSWAN_H_ */
+
diff --git a/src/charon/plugins/nm/nm_creds.c b/src/charon/plugins/nm/nm_creds.c
new file mode 100644
index 000000000..f165653ae
--- /dev/null
+++ b/src/charon/plugins/nm/nm_creds.c
@@ -0,0 +1,341 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+#define _GNU_SOURCE
+#include <pthread.h>
+
+#include "nm_creds.h"
+
+#include <daemon.h>
+
+typedef struct private_nm_creds_t private_nm_creds_t;
+
+/**
+ * private data of nm_creds
+ */
+struct private_nm_creds_t {
+
+	/**
+	 * public functions
+	 */
+	nm_creds_t public;
+	
+	/**
+	 * gateway certificate
+	 */
+	certificate_t *cert;
+	
+	/**
+ 	 * User name
+ 	 */
+ 	identification_t *user;
+	
+	/**
+	 * User password
+	 */
+	char *pass;
+	
+	/**
+	 * users certificate
+	 */
+	certificate_t *usercert;
+	
+	/**
+	 * users private key
+	 */
+	private_key_t *key;
+	
+	/**
+	 * read/write lock
+	 */
+	pthread_rwlock_t lock;
+};
+
+/**
+ * Enumerator for user certificate
+ */
+static enumerator_t *create_usercert_enumerator(private_nm_creds_t *this,
+							certificate_type_t cert, key_type_t key)
+{
+	public_key_t *public;
+	
+	if (cert != CERT_ANY && cert != this->usercert->get_type(this->usercert))
+	{
+		return NULL;
+	}
+	if (key != KEY_ANY)
+	{	
+		public = this->usercert->get_public_key(this->usercert);
+		if (!public)
+		{
+			return NULL;
+		}
+		if (public->get_type(public) != key)
+		{
+			public->destroy(public);
+			return NULL;
+		}
+		public->destroy(public);
+	}
+	pthread_rwlock_rdlock(&this->lock);
+	return enumerator_create_cleaner(
+								enumerator_create_single(this->usercert, NULL),
+								(void*)pthread_rwlock_unlock, &this->lock);
+}
+
+/**
+ * Implements credential_set_t.create_cert_enumerator
+ */
+static enumerator_t* create_cert_enumerator(private_nm_creds_t *this,
+							certificate_type_t cert, key_type_t key,
+							identification_t *id, bool trusted)
+{
+	if (id && this->usercert &&
+		id->equals(id, this->usercert->get_subject(this->usercert)))
+	{
+		return create_usercert_enumerator(this, cert, key);
+	}
+
+	if (!this->cert)
+	{
+		return NULL;
+	}
+	if (cert != CERT_ANY && cert != this->cert->get_type(this->cert))
+	{
+		return NULL;
+	}
+	if (id && !this->cert->has_subject(this->cert, id))
+	{
+		return NULL;
+	}
+	if (key != KEY_ANY)
+	{
+		public_key_t *public;
+	
+		public = this->cert->get_public_key(this->cert);
+		if (!public)
+		{
+			return NULL;
+		}
+		if (public->get_type(public) != key)
+		{
+			public->destroy(public);
+			return NULL;
+		}
+		public->destroy(public);
+	}
+	pthread_rwlock_rdlock(&this->lock);
+	return enumerator_create_cleaner(enumerator_create_single(this->cert, NULL),
+									 (void*)pthread_rwlock_unlock, &this->lock);
+}
+
+/**
+ * Implements credential_set_t.create_cert_enumerator
+ */
+static enumerator_t* create_private_enumerator(private_nm_creds_t *this,
+										key_type_t type, identification_t *id)
+{
+	if (this->key == NULL)
+	{
+		return NULL;
+	}
+	if (type != KEY_ANY && type != this->key->get_type(this->key))
+	{
+		return NULL;
+	}
+	if (id && id->get_type(id) != ID_ANY)
+	{
+		identification_t *keyid;
+		
+		keyid = this->key->get_id(this->key, id->get_type(id));
+		if (!keyid || !keyid->equals(keyid, id))
+		{
+			return NULL;
+		}
+	}
+	pthread_rwlock_rdlock(&this->lock);
+	return enumerator_create_cleaner(enumerator_create_single(this->key, NULL),
+									 (void*)pthread_rwlock_unlock, &this->lock);
+}
+
+/**
+ * shared key enumerator implementation
+ */
+typedef struct {
+	enumerator_t public;
+	private_nm_creds_t *this;
+	shared_key_t *key;
+	bool done;
+} shared_enumerator_t;
+
+/**
+ * enumerate function for shared enumerator
+ */
+static bool shared_enumerate(shared_enumerator_t *this, shared_key_t **key,
+							 id_match_t *me, id_match_t *other)
+{
+	if (this->done)
+	{
+		return FALSE;
+	}
+	*key = this->key;
+	*me = ID_MATCH_PERFECT;
+	*other = ID_MATCH_ANY;
+	this->done = TRUE;
+	return TRUE;
+}
+
+/**
+ * Destroy function for shared enumerator
+ */
+static void shared_destroy(shared_enumerator_t *this)
+{
+	this->key->destroy(this->key);
+	pthread_rwlock_unlock(&this->this->lock);
+	free(this);
+}
+/**
+ * Implements credential_set_t.create_cert_enumerator
+ */
+static enumerator_t* create_shared_enumerator(private_nm_creds_t *this, 
+							shared_key_type_t type,	identification_t *me,
+							identification_t *other)
+{
+	shared_enumerator_t *enumerator;
+
+	if (!this->pass || !this->user)
+	{
+		return NULL;
+	}
+	if (type != SHARED_EAP && type != SHARED_IKE)
+	{
+		return NULL;
+	}
+	if (me && !me->equals(me, this->user))
+	{
+		return NULL;
+	}
+	
+	enumerator = malloc_thing(shared_enumerator_t);
+	enumerator->public.enumerate = (void*)shared_enumerate;
+	enumerator->public.destroy = (void*)shared_destroy;
+	enumerator->this = this;
+	enumerator->done = FALSE;
+	pthread_rwlock_rdlock(&this->lock);
+	enumerator->key = shared_key_create(type,
+										chunk_clone(chunk_create(this->pass,
+													strlen(this->pass))));
+	return &enumerator->public;
+}
+
+/**
+ * Implementation of nm_creds_t.set_certificate
+ */
+static void set_certificate(private_nm_creds_t *this, certificate_t *cert)
+{
+	pthread_rwlock_wrlock(&this->lock);
+	DESTROY_IF(this->cert);
+	this->cert = cert;
+	pthread_rwlock_unlock(&this->lock);
+}
+
+/**
+ * Implementation of nm_creds_t.set_password
+ */
+static void set_username_password(private_nm_creds_t *this, identification_t *id,
+						 char *password)
+{
+	pthread_rwlock_wrlock(&this->lock);
+	DESTROY_IF(this->user);
+	/* for EAP authentication, we use always use ID_EAP type */
+	this->user = identification_create_from_encoding(ID_EAP,
+													 id->get_encoding(id));
+	free(this->pass);
+	this->pass = password ? strdup(password) : NULL;
+	pthread_rwlock_unlock(&this->lock);
+}
+
+/**
+ * Implementation of nm_creds_t.set_cert_and_key
+ */
+static void set_cert_and_key(private_nm_creds_t *this, certificate_t *cert,	
+							 private_key_t *key)
+{
+	pthread_rwlock_wrlock(&this->lock);
+	DESTROY_IF(this->key);
+	DESTROY_IF(this->usercert);
+	this->key = key;
+	this->usercert = cert;
+	pthread_rwlock_unlock(&this->lock);
+}	
+
+/**
+ * Implementation of nm_creds_t.clear
+ */
+static void clear(private_nm_creds_t *this)
+{
+	DESTROY_IF(this->cert);
+	DESTROY_IF(this->user);
+	free(this->pass);
+	DESTROY_IF(this->usercert);
+	DESTROY_IF(this->key);
+	this->key = NULL;
+	this->usercert = NULL;
+	this->pass = NULL;
+	this->cert = NULL;
+	this->user = NULL;
+}
+
+/**
+ * Implementation of nm_creds_t.destroy
+ */
+static void destroy(private_nm_creds_t *this)
+{
+	clear(this);
+	pthread_rwlock_destroy(&this->lock);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+nm_creds_t *nm_creds_create()
+{
+	private_nm_creds_t *this = malloc_thing(private_nm_creds_t);
+	
+	this->public.set.create_private_enumerator = (void*)create_private_enumerator;
+	this->public.set.create_cert_enumerator = (void*)create_cert_enumerator;
+	this->public.set.create_shared_enumerator = (void*)create_shared_enumerator;
+	this->public.set.create_cdp_enumerator = (void*)return_null;
+	this->public.set.cache_cert = (void*)nop;
+	this->public.set_certificate = (void(*)(nm_creds_t*, certificate_t *cert))set_certificate;
+	this->public.set_username_password = (void(*)(nm_creds_t*, identification_t *id, char *password))set_username_password;
+	this->public.set_cert_and_key = (void(*)(nm_creds_t*, certificate_t *cert, private_key_t *key))set_cert_and_key;
+	this->public.clear = (void(*)(nm_creds_t*))clear;
+	this->public.destroy = (void(*)(nm_creds_t*))destroy;
+	
+	pthread_rwlock_init(&this->lock, NULL);
+	
+	this->cert = NULL;
+	this->user = NULL;
+	this->pass = NULL;
+	this->usercert = NULL;
+	this->key = NULL;
+	
+	return &this->public;
+}
+
diff --git a/src/charon/plugins/nm/nm_creds.h b/src/charon/plugins/nm/nm_creds.h
new file mode 100644
index 000000000..4bcc32191
--- /dev/null
+++ b/src/charon/plugins/nm/nm_creds.h
@@ -0,0 +1,79 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+/**
+ * @defgroup nm_creds nm_creds
+ * @{ @ingroup nm
+ */
+
+#ifndef NM_CREDS_H_
+#define NM_CREDS_H_
+
+#include <credentials/credential_set.h>
+
+typedef struct nm_creds_t nm_creds_t;
+
+/**
+ * NetworkManager credentials helper.
+ */
+struct nm_creds_t {
+
+	/**
+	 * Implements credential_set_t
+	 */
+	credential_set_t set;
+	
+	/**
+	 * Set the trusted gateway certificate to serve by this set.
+	 *
+	 * @param cert		certificate to serve
+	 */
+	void (*set_certificate)(nm_creds_t *this, certificate_t *cert);
+	
+	/**
+	 * Set the username/password for authentication.
+	 *
+	 * @param id		ID of the user
+	 * @param password	password to use for authentication
+	 */
+	void (*set_username_password)(nm_creds_t *this, identification_t *id,
+								  char *password);
+	/**
+	 * Set the certificate and private key to use for client authentication.
+	 *
+	 * @param cert		client certificate
+	 * @param key		associated private key
+	 */
+	void (*set_cert_and_key)(nm_creds_t *this, certificate_t *cert,
+							 private_key_t *key);
+	/**
+	 * Clear the stored credentials.
+	 */
+	void (*clear)(nm_creds_t *this);
+
+	/**
+	 * Destroy a nm_creds instance.
+	 */
+	void (*destroy)(nm_creds_t *this);
+};
+
+/**
+ * Create a nm_creds instance.
+ */
+nm_creds_t *nm_creds_create();
+
+#endif /* NM_CREDS_H_ @}*/
diff --git a/src/charon/plugins/nm/nm_plugin.c b/src/charon/plugins/nm/nm_plugin.c
new file mode 100644
index 000000000..1336293f4
--- /dev/null
+++ b/src/charon/plugins/nm/nm_plugin.c
@@ -0,0 +1,119 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+#include "nm_plugin.h"
+#include "nm_service.h"
+#include "nm_creds.h"
+
+#include <daemon.h>
+#include <processing/jobs/callback_job.h>
+
+#define CAP_DAC_OVERRIDE 1
+
+typedef struct private_nm_plugin_t private_nm_plugin_t;
+
+/**
+ * private data of nm plugin
+ */
+struct private_nm_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	nm_plugin_t public;
+	
+	/**
+	 * NetworkManager service (VPNPlugin)
+	 */
+	NMStrongswanPlugin *plugin;
+	
+	/**
+	 * Glib main loop for a thread, handles DBUS calls
+	 */
+	GMainLoop *loop;
+	
+	/**
+	 * credential set registered at the daemon
+	 */
+	nm_creds_t *creds;
+};
+
+/**
+ * NM plugin processing routine, creates and handles NMVPNPlugin
+ */
+static job_requeue_t run(private_nm_plugin_t *this)
+{
+	this->loop = g_main_loop_new(NULL, FALSE);
+	g_main_loop_run(this->loop);
+	g_main_loop_unref(this->loop);
+	
+	return JOB_REQUEUE_NONE;
+}
+
+/**
+ * Implementation of plugin_t.destroy
+ */
+static void destroy(private_nm_plugin_t *this)
+{
+	if (this->loop)
+	{
+		g_main_loop_quit(this->loop);
+	}
+	if (this->plugin)
+	{
+		g_object_unref(this->plugin);
+	}
+	charon->credentials->remove_set(charon->credentials, &this->creds->set);
+	this->creds->destroy(this->creds);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *plugin_create()
+{
+	private_nm_plugin_t *this = malloc_thing(private_nm_plugin_t);
+	
+	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+	
+	this->loop = NULL;
+	g_type_init ();
+	if (!g_thread_supported())
+	{
+		g_thread_init(NULL);
+	}
+	
+	this->creds = nm_creds_create();
+	charon->credentials->add_set(charon->credentials, &this->creds->set);
+	this->plugin = nm_strongswan_plugin_new(this->creds);
+	if (!this->plugin)
+	{
+		DBG1(DBG_CFG, "DBUS binding failed");
+		destroy(this);
+		return NULL;
+	}
+	
+	/* bypass file permissions to read from users ssh-agent */
+	charon->keep_cap(charon, CAP_DAC_OVERRIDE);
+	
+	charon->processor->queue_job(charon->processor, 
+		 (job_t*)callback_job_create((callback_job_cb_t)run, this, NULL, NULL));
+	
+	return &this->public.plugin;
+}
+
diff --git a/src/charon/plugins/nm/nm_plugin.h b/src/charon/plugins/nm/nm_plugin.h
new file mode 100644
index 000000000..2604b80dd
--- /dev/null
+++ b/src/charon/plugins/nm/nm_plugin.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+/**
+ * @defgroup nm nm
+ * @ingroup cplugins
+ *
+ * @defgroup nm_plugin nm_plugin
+ * @{ @ingroup nm
+ */
+
+#ifndef NM_PLUGIN_H_
+#define NM_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct nm_plugin_t nm_plugin_t;
+
+/**
+ * NetworkManager integration plugin.
+ */
+struct nm_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+/**
+ * Create a nm_plugin instance.
+ */
+plugin_t *plugin_create();
+
+#endif /* NM_PLUGIN_H_ @}*/
diff --git a/src/charon/plugins/nm/nm_service.c b/src/charon/plugins/nm/nm_service.c
new file mode 100644
index 000000000..fbc094a3b
--- /dev/null
+++ b/src/charon/plugins/nm/nm_service.c
@@ -0,0 +1,499 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+#include <nm-setting-vpn.h>
+#include "nm_service.h"
+
+#include <daemon.h>
+#include <asn1/pem.h>
+#include <utils/host.h>
+#include <utils/identification.h>
+#include <config/peer_cfg.h>
+
+#include <stdio.h>
+
+#define CONFIG_NAME "NetworkManager"
+
+G_DEFINE_TYPE(NMStrongswanPlugin, nm_strongswan_plugin, NM_TYPE_VPN_PLUGIN)
+
+/**
+ * Private data of NMStrongswanPlugin
+ */
+typedef struct {
+	bus_listener_t listener;
+	ike_sa_t *ike_sa;
+	NMVPNPlugin *plugin;
+	nm_creds_t *creds;
+} NMStrongswanPluginPrivate;
+
+#define NM_STRONGSWAN_PLUGIN_GET_PRIVATE(o) \
+			(G_TYPE_INSTANCE_GET_PRIVATE ((o), \
+				NM_TYPE_STRONGSWAN_PLUGIN, NMStrongswanPluginPrivate))
+
+/**
+ * convert a traffic selector address range to subnet and its mask.
+ */
+static u_int ts2subnet(traffic_selector_t* ts, u_int8_t *mask)
+{
+	/* there is no way to do this cleanly, as the address range may
+	 * be anything else but a subnet. We use from_addr as subnet 
+	 * and try to calculate a usable subnet mask.
+	 */
+	int byte, bit, net;
+	bool found = FALSE;
+	chunk_t from, to;
+	size_t size = (ts->get_type(ts) == TS_IPV4_ADDR_RANGE) ? 4 : 16;
+	
+	from = ts->get_from_address(ts);
+	to = ts->get_to_address(ts);
+	
+	*mask = (size * 8);
+	/* go trough all bits of the addresses, beginning in the front.
+	 * as long as they are equal, the subnet gets larger
+	 */
+	for (byte = 0; byte < size; byte++)
+	{
+		for (bit = 7; bit >= 0; bit--)
+		{
+			if ((1<<bit & from.ptr[byte]) != (1<<bit & to.ptr[byte]))
+			{
+				*mask = ((7 - bit) + (byte * 8));
+				found = TRUE;
+				break;
+			}
+		}
+		if (found)
+		{
+			break;
+		}
+	}
+	net = *(u_int32_t*)from.ptr;
+	chunk_free(&from);
+	chunk_free(&to);
+	return net;
+}
+
+/**
+ * signal IPv4 config to NM, set connection as established
+ */
+static void signal_ipv4_config(NMVPNPlugin *plugin, child_sa_t *child_sa)
+{
+	linked_list_t *list;
+	traffic_selector_t *ts = NULL;
+	enumerator_t *enumerator;
+	
+	list = child_sa->get_traffic_selectors(child_sa, FALSE);
+	enumerator = list->create_enumerator(list);
+	while (enumerator->enumerate(enumerator, &ts))
+	{
+		GValue *val;
+		GHashTable *config;
+		u_int8_t mask;
+		
+		config = g_hash_table_new(g_str_hash, g_str_equal);
+		
+		val = g_slice_new0(GValue);
+		g_value_init(val, G_TYPE_UINT);
+		g_value_set_uint(val, ts2subnet(ts, &mask));
+		g_hash_table_insert(config, NM_VPN_PLUGIN_IP4_CONFIG_ADDRESS, val);
+		
+		val = g_slice_new0(GValue);
+		g_value_init(val, G_TYPE_UINT);
+		g_value_set_uint(val, mask);
+		g_hash_table_insert(config, NM_VPN_PLUGIN_IP4_CONFIG_PREFIX, val);
+		
+		nm_vpn_plugin_set_ip4_config(plugin, config);
+	}
+	enumerator->destroy(enumerator);
+}
+
+/**
+ * Bus listen function to wait for SA establishing
+ */
+bool listen_bus(bus_listener_t *listener, signal_t signal, level_t level,
+				int thread, ike_sa_t *ike_sa, void *data, 
+				char* format, va_list args)
+{
+	NMStrongswanPluginPrivate *private = (NMStrongswanPluginPrivate*)listener;
+	
+	if (private->ike_sa == ike_sa)
+	{
+		switch (signal)
+		{
+			case CHD_UP_SUCCESS:
+				if (data)
+				{
+					signal_ipv4_config(private->plugin, (child_sa_t*)data);
+					return FALSE;
+				}
+				/* FALL */
+			case IKE_UP_FAILED:
+			case CHD_UP_FAILED:
+				/* TODO: NM does not handle this failure!? 
+				nm_vpn_plugin_failure(private->plugin,
+									  NM_VPN_PLUGIN_FAILURE_LOGIN_FAILED); */
+				nm_vpn_plugin_set_state(private->plugin,
+										NM_VPN_SERVICE_STATE_STOPPED);
+				return FALSE;
+			default:
+				break;
+		}
+	}
+	return TRUE;
+}
+
+/**
+ * Connect function called from NM via DBUS
+ */
+static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
+						 GError **err)
+{
+	nm_creds_t *creds;
+	NMSettingVPN *settings;
+	identification_t *user = NULL, *gateway;
+	char *address, *str;
+	bool virtual, encap, ipcomp;
+	ike_cfg_t *ike_cfg;
+	peer_cfg_t *peer_cfg;
+	child_cfg_t *child_cfg;
+	traffic_selector_t *ts;
+	ike_sa_t *ike_sa;
+	auth_info_t *auth;
+	auth_class_t auth_class = AUTH_CLASS_EAP;
+	certificate_t *cert = NULL;
+	bool agent = FALSE;
+	
+	/**
+	 * Read parameters
+	 */
+	settings = NM_SETTING_VPN(nm_connection_get_setting(connection,
+														NM_TYPE_SETTING_VPN));
+	
+	DBG4(DBG_CFG, "received NetworkManager connection: %s",
+		 nm_setting_to_string(NM_SETTING(settings)));
+	address = g_hash_table_lookup(settings->data, "address");
+	if (!address || !*address)
+	{
+		g_set_error(err, NM_VPN_PLUGIN_ERROR, NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
+				    "Gateway address missing.");
+		return FALSE;
+	}
+	str = g_hash_table_lookup(settings->data, "virtual");
+	virtual = str && streq(str, "yes");
+	str = g_hash_table_lookup(settings->data, "encap");
+	encap = str && streq(str, "yes");
+	str = g_hash_table_lookup(settings->data, "ipcomp");
+	ipcomp = str && streq(str, "yes");
+	str = g_hash_table_lookup(settings->data, "method");
+	if (str)
+	{
+		if (streq(str, "psk"))
+		{
+			auth_class = AUTH_CLASS_PSK;
+		}
+		else if (streq(str, "agent"))
+		{
+			auth_class = AUTH_CLASS_PUBKEY;
+			agent = TRUE;
+		}
+		else if (streq(str, "key"))
+		{
+			auth_class = AUTH_CLASS_PUBKEY;
+		}
+	}
+	
+	/**
+	 * Register credentials
+	 */
+	creds = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin)->creds;
+	creds->clear(creds);
+	
+	/* gateway cert */
+	str = g_hash_table_lookup(settings->data, "certificate");
+	if (str)
+	{
+		cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+								  BUILD_FROM_FILE, str, BUILD_END);
+		creds->set_certificate(creds, cert);
+	}
+	if (!cert)
+	{
+		g_set_error(err, NM_VPN_PLUGIN_ERROR, NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
+				    "Loading gateway certificate failed.");
+		return FALSE;
+	}
+	gateway = cert->get_subject(cert);
+	
+	if (auth_class == AUTH_CLASS_EAP)
+	{
+		/* username/password authentication ... */
+		str = g_hash_table_lookup(settings->data, "user");
+		if (str)
+		{
+			user = identification_create_from_string(str);
+			str = g_hash_table_lookup(settings->secrets, "password");
+			creds->set_username_password(creds, user, str);
+		}
+	}
+	
+	if (auth_class == AUTH_CLASS_PUBKEY)
+	{
+		/* ... or certificate/private key authenitcation */
+		str = g_hash_table_lookup(settings->data, "usercert");
+		if (str)
+		{
+			public_key_t *public;
+			private_key_t *private = NULL;
+			
+			cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+									  BUILD_FROM_FILE, str, BUILD_END);	
+									  
+			/* try agent */  
+			str = g_hash_table_lookup(settings->secrets, "agent");
+			if (agent && str && cert)
+			{
+				public = cert->get_public_key(cert);
+				if (public)
+				{
+					private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY,
+												 public->get_type(public),
+												 BUILD_AGENT_SOCKET, str,
+												 BUILD_PUBLIC_KEY, public,
+												 BUILD_END);
+					public->destroy(public);
+				}
+			}
+			/* ... or key file */  
+			str = g_hash_table_lookup(settings->data, "userkey");
+			if (!agent && str && cert)
+			{
+				chunk_t secret, chunk;
+				bool pgp = FALSE;
+				
+				secret.ptr = g_hash_table_lookup(settings->secrets, "password");
+				if (secret.ptr)
+				{
+					secret.len = strlen(secret.ptr);
+				}
+				if (pem_asn1_load_file(str, &secret, &chunk, &pgp))
+				{
+					private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY,
+								KEY_RSA, BUILD_BLOB_ASN1_DER, chunk, BUILD_END);
+					free(chunk.ptr);
+				}
+			}
+			if (private)
+			{
+				user = cert->get_subject(cert);
+				user = user->clone(user);
+				creds->set_cert_and_key(creds, cert, private);
+			}
+			else
+			{
+				DESTROY_IF(cert);
+				g_set_error(err, NM_VPN_PLUGIN_ERROR, NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
+							"Loading user certificate/private key failed.");
+				return FALSE;
+			}
+		}
+	}
+	
+	if (!user)
+	{
+		g_set_error(err, NM_VPN_PLUGIN_ERROR, NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
+					"Configuration parameters missing.");
+		return FALSE;
+	}
+	
+	/**
+	 * Set up configurations
+	 */
+	ike_cfg = ike_cfg_create(TRUE, encap, "0.0.0.0", address);
+	ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
+	peer_cfg = peer_cfg_create(CONFIG_NAME, 2, ike_cfg,
+					user, gateway->clone(gateway),
+					CERT_SEND_IF_ASKED, UNIQUE_REPLACE, 1, /* keyingtries */
+					36000, 0, /* rekey 10h, reauth none */
+					600, 600, /* jitter, over 10min */
+					TRUE, 0, /* mobike, DPD */
+					virtual ? host_create_from_string("0.0.0.0", 0) : NULL,
+					NULL, FALSE, NULL, NULL); /* pool, mediation */
+	auth = peer_cfg->get_auth(peer_cfg);
+	auth->add_item(auth, AUTHN_AUTH_CLASS, &auth_class);
+	child_cfg = child_cfg_create(CONFIG_NAME,
+								 10800, 10200, /* lifetime 3h, rekey 2h50min */
+								 300, /* jitter 5min */
+								 NULL, TRUE, MODE_TUNNEL, /* updown, hostaccess */
+								 ACTION_NONE, ACTION_RESTART, ipcomp);
+	child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
+	ts = traffic_selector_create_dynamic(0, 0, 65535);
+	child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
+	ts = traffic_selector_create_from_string(0, TS_IPV4_ADDR_RANGE,
+											 "0.0.0.0", 0,
+											 "255.255.255.255", 65535);
+	child_cfg->add_traffic_selector(child_cfg, FALSE, ts);
+	peer_cfg->add_child_cfg(peer_cfg, child_cfg);
+	
+	/**
+	 * Start to initiate
+	 */
+	ike_sa = charon->ike_sa_manager->checkout_by_config(charon->ike_sa_manager,
+														peer_cfg);
+	if (!ike_sa->get_peer_cfg(ike_sa))
+	{
+		ike_sa->set_peer_cfg(ike_sa, peer_cfg);
+	}
+	else
+	{
+		peer_cfg->destroy(peer_cfg);
+	}
+	if (ike_sa->initiate(ike_sa, child_cfg) != SUCCESS)
+	{
+		charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, ike_sa);
+		
+		g_set_error(err, NM_VPN_PLUGIN_ERROR, NM_VPN_PLUGIN_ERROR_LAUNCH_FAILED,
+				    "Initiating failed.");
+		return FALSE;
+	}
+	
+	/**
+	 * Register listener
+	 */
+	NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin)->ike_sa = ike_sa;
+	charon->bus->add_listener(charon->bus, 
+							&NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin)->listener);
+	charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+	return TRUE;
+}
+
+/**
+ * NeedSecrets called from NM via DBUS 
+ */
+static gboolean need_secrets(NMVPNPlugin *plugin, NMConnection *connection,
+							 char **setting_name, GError **error)
+{
+	NMSettingVPN *settings;
+	char *method, *path;
+	chunk_t secret = chunk_empty, key;
+	bool pgp = FALSE;
+	
+	settings = NM_SETTING_VPN(nm_connection_get_setting(connection,
+														NM_TYPE_SETTING_VPN));
+	method = g_hash_table_lookup(settings->data, "method");
+	if (method)
+	{
+		if (streq(method, "eap"))
+		{
+			if (g_hash_table_lookup(settings->secrets, "password"))
+			{
+				return FALSE;
+			}
+		}
+		else if (streq(method, "agent"))
+		{
+			if (g_hash_table_lookup(settings->secrets, "agent"))
+			{
+				return FALSE;
+			}
+		}
+		else if (streq(method, "key"))
+		{
+			path = g_hash_table_lookup(settings->data, "userkey");
+			if (path)
+			{
+				secret.ptr = g_hash_table_lookup(settings->secrets, "password");
+				if (secret.ptr)
+				{
+					secret.len = strlen(secret.ptr);
+				}
+				if (pem_asn1_load_file(path, &secret, &key, &pgp))
+				{
+					free(key.ptr);
+					return FALSE;
+				}
+			}
+		}
+	}
+	*setting_name = NM_SETTING_VPN_SETTING_NAME;
+	return TRUE;
+}
+
+/**
+ * Disconnect called from NM via DBUS 
+ */
+static gboolean disconnect(NMVPNPlugin *plugin, GError **err)
+{
+	enumerator_t *enumerator;
+	ike_sa_t *ike_sa;
+	u_int id;
+	
+	enumerator = charon->controller->create_ike_sa_enumerator(charon->controller);
+	while (enumerator->enumerate(enumerator, &ike_sa))
+	{
+		if (streq(CONFIG_NAME, ike_sa->get_name(ike_sa)))
+		{
+			id = ike_sa->get_unique_id(ike_sa);
+			enumerator->destroy(enumerator);
+			charon->controller->terminate_ike(charon->controller, id,
+											  controller_cb_empty, NULL);
+			return TRUE;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return FALSE;
+}
+
+/**
+ * Initializer
+ */
+static void nm_strongswan_plugin_init(NMStrongswanPlugin *plugin)
+{
+	NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin)->plugin = NM_VPN_PLUGIN(plugin);
+	NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin)->listener.signal = listen_bus;
+}
+
+/**
+ * Class constructor
+ */
+static void nm_strongswan_plugin_class_init(
+									NMStrongswanPluginClass *strongswan_class)
+{
+	NMVPNPluginClass *parent_class = NM_VPN_PLUGIN_CLASS(strongswan_class);
+	
+	g_type_class_add_private(G_OBJECT_CLASS(strongswan_class),
+							 sizeof(NMStrongswanPluginPrivate));
+	parent_class->connect = connect_;
+	parent_class->need_secrets = need_secrets;
+	parent_class->disconnect = disconnect;
+}
+
+/**
+ * Object constructor
+ */
+NMStrongswanPlugin *nm_strongswan_plugin_new(nm_creds_t *creds)
+{
+	NMStrongswanPlugin *plugin = (NMStrongswanPlugin *)g_object_new (
+					NM_TYPE_STRONGSWAN_PLUGIN,
+					NM_VPN_PLUGIN_DBUS_SERVICE_NAME, NM_DBUS_SERVICE_STRONGSWAN,
+					NULL);
+	if (plugin)
+	{
+		NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin)->creds = creds;
+	}
+	return plugin;
+}
+
diff --git a/src/charon/plugins/nm/nm_service.h b/src/charon/plugins/nm/nm_service.h
new file mode 100644
index 000000000..7cd0fc5e3
--- /dev/null
+++ b/src/charon/plugins/nm/nm_service.h
@@ -0,0 +1,55 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+/**
+ * @defgroup nm_service nm_service
+ * @{ @ingroup nm
+ */
+
+#ifndef NM_SERVICE_H_
+#define NM_SERVICE_H_
+
+#include <glib/gtypes.h>
+#include <glib-object.h>
+#include <nm-vpn-plugin.h>
+
+#include "nm_creds.h"
+
+#define NM_TYPE_STRONGSWAN_PLUGIN            (nm_strongswan_plugin_get_type ())
+#define NM_STRONGSWAN_PLUGIN(obj)            (G_TYPE_CHECK_INSTANCE_CAST ((obj), NM_TYPE_STRONGSWAN_PLUGIN, NMSTRONGSWANPlugin))
+#define NM_STRONGSWAN_PLUGIN_CLASS(klass)    (G_TYPE_CHECK_CLASS_CAST ((klass), NM_TYPE_STRONGSWAN_PLUGIN, NMSTRONGSWANPluginClass))
+#define NM_IS_STRONGSWAN_PLUGIN(obj)         (G_TYPE_CHECK_INSTANCE_TYPE ((obj), NM_TYPE_STRONGSWAN_PLUGIN))
+#define NM_IS_STRONGSWAN_PLUGIN_CLASS(klass) (G_TYPE_CHECK_CLASS_TYPE ((obj), NM_TYPE_STRONGSWAN_PLUGIN))
+#define NM_STRONGSWAN_PLUGIN_GET_CLASS(obj)  (G_TYPE_INSTANCE_GET_CLASS ((obj), NM_TYPE_STRONGSWAN_PLUGIN, NMSTRONGSWANPluginClass))
+
+#define NM_DBUS_SERVICE_STRONGSWAN    "org.freedesktop.NetworkManager.strongswan"
+#define NM_DBUS_INTERFACE_STRONGSWAN  "org.freedesktop.NetworkManager.strongswan"
+#define NM_DBUS_PATH_STRONGSWAN       "/org/freedesktop/NetworkManager/strongswan"
+
+typedef struct {
+	NMVPNPlugin parent;
+} NMStrongswanPlugin;
+
+typedef struct {
+	NMVPNPluginClass parent;
+} NMStrongswanPluginClass;
+
+GType nm_strongswan_plugin_get_type(void);
+
+NMStrongswanPlugin *nm_strongswan_plugin_new(nm_creds_t *creds);
+
+#endif /* NM_SERVICE_H_ */
diff --git a/src/charon/plugins/smp/Makefile.in b/src/charon/plugins/smp/Makefile.in
index 198526abb..b255b08fb 100644
--- a/src/charon/plugins/smp/Makefile.in
+++ b/src/charon/plugins/smp/Makefile.in
@@ -188,6 +188,8 @@ localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
diff --git a/src/charon/plugins/smp/smp.c b/src/charon/plugins/smp/smp.c
index 3b7fa0070..0870cad4c 100644
--- a/src/charon/plugins/smp/smp.c
+++ b/src/charon/plugins/smp/smp.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: smp.c 4073 2008-06-20 07:14:35Z martin $
+ * $Id: smp.c 4358 2008-09-25 13:56:23Z tobias $
  */
 
 #include <stdlib.h>
@@ -181,7 +181,7 @@ static void write_childend(xmlTextWriterPtr writer, child_sa_t *child, bool loca
  */
 static void write_child(xmlTextWriterPtr writer, child_sa_t *child)
 {
-	mode_t mode;
+	ipsec_mode_t mode;
 	encryption_algorithm_t encr;
 	integrity_algorithm_t int_algo;
 	size_t encr_len, int_len;
@@ -360,7 +360,7 @@ static void request_query_config(xmlTextReaderPtr reader, xmlTextWriterPtr write
  * callback which logs to a XML writer
  */
 static bool xml_callback(xmlTextWriterPtr writer, signal_t signal, level_t level,
-						 ike_sa_t* ike_sa, char* format, va_list args)
+						 ike_sa_t* ike_sa, void *data, char* format, va_list args)
 {
 	if (level <= 1)
 	{
diff --git a/src/charon/plugins/sql/Makefile.in b/src/charon/plugins/sql/Makefile.in
index babc11ecb..83491333f 100644
--- a/src/charon/plugins/sql/Makefile.in
+++ b/src/charon/plugins/sql/Makefile.in
@@ -196,6 +196,8 @@ localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
diff --git a/src/charon/plugins/sql/pool.c b/src/charon/plugins/sql/pool.c
index 86ceddeee..b3ad72ab2 100644
--- a/src/charon/plugins/sql/pool.c
+++ b/src/charon/plugins/sql/pool.c
@@ -87,9 +87,8 @@ Usage:\n\
       name:   Name of the pool to resize\n\
       end:    New end address for the pool\n\
   \n\
-  ipsec pool --leases <name> [--filter <filter>] [--utc]\n\
+  ipsec pool --leases [--filter <filter>] [--utc]\n\
     Show lease information using filters:\n\
-      name:   Name of the pool to show leases from\n\
       filter: Filter string containing comma separated key=value filters,\n\
               e.g. id=alice@strongswan.org,addr=1.1.1.1\n\
                   pool:   name of the pool\n\
@@ -100,7 +99,7 @@ Usage:\n\
       utc:    Show times in UTC instead of local time\n\
   \n\
   ipsec pool --purge <name>\n\
-    Delete expired leases of a pool:\n\
+    Delete lease history of a pool:\n\
       name:   Name of the pool to purge\n\
   \n");
 	exit(0);
@@ -128,8 +127,8 @@ static void status(void)
 		{
 			if (!found)
 			{
-				printf("%8s %15s %15s %8s %6s %11s %11s\n",
-					   "name", "start", "end", "timeout", "size", "online", "leases");
+				printf("%8s %15s %15s %8s %6s %11s %11s\n", "name", "start",
+					   "end", "timeout", "size", "online", "usage");
 				found = TRUE;
 			}
 			
@@ -147,8 +146,8 @@ static void status(void)
 			}
 			printf("%6d ", size);
 			/* get number of online hosts */
-			lease = db->query(db, "SELECT COUNT(*) FROM leases "
-							  "WHERE pool = ? AND released IS NULL",
+			lease = db->query(db, "SELECT COUNT(*) FROM addresses "
+							  "WHERE pool = ? AND released = 0",
 							  DB_UINT, id, DB_INT);
 			if (lease)
 			{
@@ -157,11 +156,12 @@ static void status(void)
 			}
 			printf("%5d (%2d%%) ", online, online*100/size);
 			/* get number of online or valid lieases */
-			lease = db->query(db, "SELECT COUNT(*) FROM leases JOIN pools "
-							  "ON leases.pool = pools.id "
-							  "WHERE pools.id = ? "
-							  "AND (released IS NULL OR released > ? - timeout) ",
-							  DB_UINT, id, DB_UINT, time(NULL), DB_UINT);
+			lease = db->query(db, "SELECT COUNT(*) FROM addresses "
+							  "WHERE addresses.pool = ? "
+							  "AND ((? AND acquired != 0) "
+							  "     OR released = 0 OR released > ?) ",
+							  DB_UINT, id, DB_UINT, !timeout,
+							  DB_UINT, time(NULL) - timeout, DB_UINT);
 			if (lease)
 			{
 				lease->enumerate(lease, &used);
@@ -182,15 +182,34 @@ static void status(void)
 	exit(0);
 }
 
+/**
+ * increment a chunk, as it would reprensent a network order integer
+ */
+static void increment_chunk(chunk_t chunk)
+{
+	int i;
+	
+	for (i = chunk.len - 1; i >= 0; i--)
+	{
+		if (++chunk.ptr[i] != 0)
+		{
+			return;
+		}
+	}
+}
+
 /**
  * ipsec pool --add - add a new pool
  */
 static void add(char *name, host_t *start, host_t *end, int timeout)
 {
-	chunk_t start_addr, end_addr;
+	chunk_t start_addr, end_addr, cur_addr;
+	u_int id, count;
 	
 	start_addr = start->get_address(start);
 	end_addr = end->get_address(end);
+	cur_addr = chunk_clonea(start_addr);
+	count = get_pool_size(start_addr, end_addr);
 
 	if (start_addr.len != end_addr.len ||
 		memcmp(start_addr.ptr, end_addr.ptr, start_addr.len) > 0)
@@ -198,16 +217,39 @@ static void add(char *name, host_t *start, host_t *end, int timeout)
 		fprintf(stderr, "invalid start/end pair specified.\n");
 		exit(-1);
 	}
-	if (db->execute(db, NULL,
-			"INSERT INTO pools (name, start, end, next, timeout) "
-			"VALUES (?, ?, ?, ?, ?)",
+	if (db->execute(db, &id,
+			"INSERT INTO pools (name, start, end, timeout) "
+			"VALUES (?, ?, ?, ?)",
 			DB_TEXT, name, DB_BLOB, start_addr,
-			DB_BLOB, end_addr, DB_BLOB, start_addr,
-			DB_INT, timeout*3600) != 1)
+			DB_BLOB, end_addr, DB_INT, timeout*3600) != 1)
 	{
 		fprintf(stderr, "creating pool failed.\n");
 		exit(-1);
 	}
+	printf("allocating %d addresses... ", count);
+	fflush(stdout);
+	if (db->get_driver(db) == DB_SQLITE)
+	{	/* run population in a transaction for sqlite */
+		db->execute(db, NULL, "BEGIN TRANSACTION");
+	}
+	while (TRUE)
+	{
+		db->execute(db, NULL,
+			"INSERT INTO addresses (pool, address, identity, acquired, released) "
+			"VALUES (?, ?, ?, ?, ?)",
+			DB_UINT, id, DB_BLOB, cur_addr,	DB_UINT, 0, DB_UINT, 0, DB_UINT, 1);
+		if (chunk_equals(cur_addr, end_addr))
+		{
+			break;
+		}
+		increment_chunk(cur_addr);
+	}
+	if (db->get_driver(db) == DB_SQLITE)
+	{
+		db->execute(db, NULL, "END TRANSACTION");
+	}
+	printf("done.\n", count);
+	
 	exit(0);
 }
 
@@ -231,9 +273,12 @@ static void del(char *name)
 	{
 		found = TRUE;
 		if (db->execute(db, NULL,
-				"DELETE FROM pools WHERE id = ?", DB_UINT, id) != 1 ||
+				"DELETE FROM leases WHERE address IN ("
+				" SELECT id FROM addresses WHERE pool = ?)", DB_UINT, id) < 0 ||
+			db->execute(db, NULL,
+				"DELETE FROM addresses WHERE pool = ?", DB_UINT, id) < 0 ||
 			db->execute(db, NULL,
-				"DELETE FROM leases WHERE pool = ?", DB_UINT, id) < 0)
+				"DELETE FROM pools WHERE id = ?", DB_UINT, id) < 0)
 		{
 			fprintf(stderr, "deleting pool failed.\n");
 			query->destroy(query);
@@ -255,36 +300,58 @@ static void del(char *name)
 static void resize(char *name, host_t *end)
 {
 	enumerator_t *query;
-	chunk_t next_addr, end_addr;
+	chunk_t old_addr, new_addr, cur_addr;
+	u_int id, count;
 	
-	end_addr = end->get_address(end);
+	new_addr = end->get_address(end);
 	
-	query = db->query(db, "SELECT next FROM pools WHERE name = ?",
-					  DB_TEXT, name, DB_BLOB);
-	if (!query || !query->enumerate(query, &next_addr))
+	query = db->query(db, "SELECT id, end FROM pools WHERE name = ?",
+					  DB_TEXT, name, DB_UINT, DB_BLOB);
+	if (!query || !query->enumerate(query, &id, &old_addr))
 	{
 		DESTROY_IF(query);
 		fprintf(stderr, "resizing pool failed.\n");
 		exit(-1);
 	}
-	if (next_addr.len != end_addr.len ||
-		memcmp(end_addr.ptr, next_addr.ptr, end_addr.len) < 0)
+	if (old_addr.len != new_addr.len ||
+		memcmp(new_addr.ptr, old_addr.ptr, old_addr.len) < 0)
 	{
-		end = host_create_from_blob(next_addr);
-		fprintf(stderr, "pool addresses up to %H in use, resizing failed.\n", end);
-		end->destroy(end);
+		fprintf(stderr, "shrinking of pools not supported.\n");
 		query->destroy(query);
 		exit(-1);
 	}
+	cur_addr = chunk_clonea(old_addr);
+	count = get_pool_size(old_addr, new_addr) - 1;
 	query->destroy(query);
 
 	if (db->execute(db, NULL,
 			"UPDATE pools SET end = ? WHERE name = ?",
-			DB_BLOB, end_addr, DB_TEXT, name) <= 0)
+			DB_BLOB, new_addr, DB_TEXT, name) <= 0)
 	{
 		fprintf(stderr, "pool '%s' not found.\n", name);
 		exit(-1);
 	}
+	
+	printf("allocating %d new addresses... ", count);
+	fflush(stdout);
+	if (db->get_driver(db) == DB_SQLITE)
+	{	/* run population in a transaction for sqlite */
+		db->execute(db, NULL, "BEGIN TRANSACTION");
+	}
+	while (count-- > 0)
+	{
+		increment_chunk(cur_addr);
+		db->execute(db, NULL,
+			"INSERT INTO addresses (pool, address, identity, acquired, released) "
+			"VALUES (?, ?, ?, ?, ?)",
+			DB_UINT, id, DB_BLOB, cur_addr,	DB_UINT, 0, DB_UINT, 0, DB_UINT, 1);
+	}
+	if (db->get_driver(db) == DB_SQLITE)
+	{
+		db->execute(db, NULL, "END TRANSACTION");
+	}
+	printf("done.\n", count);
+	
 	exit(0);
 }
 
@@ -398,17 +465,27 @@ static enumerator_t *create_lease_query(char *filter)
 		}
 	}
 	query = db->query(db,
-				"SELECT name, address, identities.type, "
-				"identities.data, acquired, released, timeout "
-				"FROM leases JOIN pools ON leases.pool = pools.id "
+				"SELECT name, addresses.address, identities.type, "
+				"identities.data, leases.acquired, leases.released, timeout "
+				"FROM leases JOIN addresses ON leases.address = addresses.id "
+				"JOIN pools ON addresses.pool = pools.id "
 				"JOIN identities ON leases.identity = identities.id "
 				"WHERE (? OR name = ?) "
 				"AND (? OR (identities.type = ? AND identities.data = ?)) "
-				"AND (? OR address = ?) "
-				"AND (? OR (? >= acquired AND (? <= released OR released IS NULL))) "
-				"AND (? OR released IS NULL) "
-				"AND (? OR released > ? - timeout) "
-				"AND (? OR released < ? - timeout)",
+				"AND (? OR addresses.address = ?) "
+				"AND (? OR (? >= leases.acquired AND (? <= leases.released))) "
+				"AND (? OR leases.released > ? - timeout) "
+				"AND (? OR leases.released < ? - timeout) "
+				"AND ? "
+				"UNION "
+				"SELECT name, address, identities.type, identities.data, "
+				"acquired, released, timeout FROM addresses "
+				"JOIN pools ON addresses.pool = pools.id "
+				"JOIN identities ON addresses.identity = identities.id "
+				"WHERE ? AND released = 0 "
+				"AND (? OR name = ?) "
+				"AND (? OR (identities.type = ? AND identities.data = ?)) "
+				"AND (? OR address = ?)",
 				DB_INT, pool == NULL, DB_TEXT, pool,
 				DB_INT, id == NULL,
 					DB_INT, id ? id->get_type(id) : 0,
@@ -416,9 +493,18 @@ static enumerator_t *create_lease_query(char *filter)
 				DB_INT, addr == NULL,
 					DB_BLOB, addr ? addr->get_address(addr) : chunk_empty,
 				DB_INT, tstamp == 0, DB_UINT, tstamp, DB_UINT, tstamp,
-				DB_INT, !online,
 				DB_INT, !valid, DB_INT, time(NULL),
 				DB_INT, !expired, DB_INT, time(NULL),
+				DB_INT, !online,
+				/* union */
+				DB_INT, !(valid || expired),
+				DB_INT, pool == NULL, DB_TEXT, pool,
+				DB_INT, id == NULL,
+					DB_INT, id ? id->get_type(id) : 0,
+					DB_BLOB, id ? id->get_encoding(id) : chunk_empty,
+				DB_INT, addr == NULL,
+					DB_BLOB, addr ? addr->get_address(addr) : chunk_empty,
+				/* res */
 				DB_TEXT, DB_BLOB, DB_INT, DB_BLOB, DB_UINT, DB_UINT, DB_UINT);
 	/* id and addr leak but we can't destroy them until query is destroyed. */
 	return query;
@@ -507,30 +593,18 @@ static void leases(char *filter, bool utc)
  */
 static void purge(char *name)
 {
-	enumerator_t *query;
-	u_int id, timeout, purged = 0;
+	int purged = 0;
 	
-	query = db->query(db, "SELECT id, timeout FROM pools WHERE name = ?",
-					  DB_TEXT, name, DB_UINT, DB_UINT);
-	if (!query)
+	purged = db->execute(db, NULL,
+				"DELETE FROM leases WHERE address IN ("
+				" SELECT id FROM addresses WHERE pool IN ("
+				"  SELECT id FROM pools WHERE name = ?))",
+				DB_TEXT, name);
+	if (purged < 0)
 	{
-		fprintf(stderr, "purging pool failed.\n");
+		fprintf(stderr, "purging pool '%s' failed.\n", name);
 		exit(-1);
 	}
-	/* we have to keep one lease if we purge. It wouldn't be reallocateable
-	 * as we move on the "next" address for speedy allocation */
-	if (query->enumerate(query, &id, &timeout))
-	{
-		timeout = time(NULL) - timeout;
-		purged = db->execute(db, NULL,
-					"DELETE FROM leases WHERE pool = ? "
-					"AND released IS NOT NULL AND released < ? AND id NOT IN ("
-					" SELECT id FROM leases "
-					" WHERE released IS NOT NULL and released < ? "
-					" GROUP BY address)",
-					DB_UINT, id, DB_UINT, timeout, DB_UINT, timeout);
-	}
-	query->destroy(query);
 	fprintf(stderr, "purged %d leases in pool '%s'.\n", purged, name);
 	exit(0);
 }
diff --git a/src/charon/plugins/sql/sql_attribute.c b/src/charon/plugins/sql/sql_attribute.c
index 45c0750c7..1e5c28966 100644
--- a/src/charon/plugins/sql/sql_attribute.c
+++ b/src/charon/plugins/sql/sql_attribute.c
@@ -18,7 +18,6 @@
 #include "sql_attribute.h"
 
 #include <daemon.h>
-#include <utils/mutex.h>
 
 typedef struct private_sql_attribute_t private_sql_attribute_t;
 
@@ -38,185 +37,155 @@ struct private_sql_attribute_t {
 	database_t *db;
 	
 	/**
-	 * mutex to simulate transactions
+	 * wheter to record lease history in lease table
 	 */
-	mutex_t *mutex;
+	bool history;
 };
 
-/** 
- * convert a address blob to an ip of the correct family
+/**
+ * read a host_t address from the addresses table
  */
-static host_t *ip_from_chunk(chunk_t address)
+static host_t *host_from_chunk(chunk_t chunk)
 {
-	switch (address.len)
+	switch (chunk.len)
 	{
 		case 4:
-			return host_create_from_chunk(AF_INET, address, 0);
+			return host_create_from_chunk(AF_INET, chunk, 0);
 		case 16:
-			return host_create_from_chunk(AF_INET6, address, 0);
+			return host_create_from_chunk(AF_INET6, chunk, 0);
 		default:
 			return NULL;
-	}		
+	}
 }
 
 /**
- * increment a chunk, as it would reprensent a network order integer
+ * lookup/insert an identity
  */
-static void increment_chunk(chunk_t chunk)
+static u_int get_identity(private_sql_attribute_t *this, identification_t *id)
 {
-	int i;
+	enumerator_t *e;
+	u_int row;
 	
-	for (i = chunk.len - 1; i >= 0; i++)
+	/* look for peer identity in the identities table */
+	e = this->db->query(this->db,
+						"SELECT id FROM identities WHERE type = ? AND data = ?",
+						DB_INT, id->get_type(id), DB_BLOB, id->get_encoding(id),
+						DB_UINT);
+						
+	if (e && e->enumerate(e, &row))
 	{
-		if (++chunk.ptr[i] != 0)
-		{
-			return;
-		}
+		e->destroy(e);
+		return row;
+	}
+	DESTROY_IF(e);
+	/* not found, insert new one */
+	if (this->db->execute(this->db, &row,
+				  "INSERT INTO identities (type, data) VALUES (?, ?)",
+				  DB_INT, id->get_type(id), DB_BLOB, id->get_encoding(id)) == 1)
+	{
+		return row;
 	}
+	return 0;
 }
 
 /**
- * Lookup if we have an existing lease
+ * Lookup pool by name
  */
-static host_t* get_lease(private_sql_attribute_t *this,
-						 char *name, identification_t *id)
+static u_int get_pool(private_sql_attribute_t *this, char *name, u_int *timeout)
 {
 	enumerator_t *e;
-	chunk_t address;
-	host_t *ip = NULL;
-	int lease;
-	
-	/* transaction simulation, see create_lease() */
-	this->mutex->lock(this->mutex);
-	
-	/* select a lease for "id" which still valid */
-	e = this->db->query(this->db,
-						"SELECT l.id, l.address FROM leases AS l "
-						"JOIN pools AS p ON l.pool = p.id "
-						"JOIN identities AS i ON l.identity = i.id "
-						"WHERE p.name = ? AND i.type = ? AND i.data = ? "
-						"AND (l.released IS NULL OR p.timeout = 0 "
-						" OR (l.released >= (? - p.timeout))) "
-						"ORDER BY l.acquired LIMIT 1", DB_TEXT, name,
-						DB_INT, id->get_type(id), DB_BLOB, id->get_encoding(id),
-						DB_UINT, time(NULL),
-						DB_UINT, DB_BLOB);
-	if (e)
+	u_int pool;
+
+	e = this->db->query(this->db, "SELECT id, timeout FROM pools WHERE name = ?",
+						DB_TEXT, name, DB_UINT, DB_UINT);
+	if (e && e->enumerate(e, &pool, timeout))
 	{
-		if (e->enumerate(e, &lease, &address))
-		{
-			/* found one, set the lease to active */
-			if (this->db->execute(this->db, NULL,
-						  "UPDATE leases SET released = NULL WHERE id = ?",
-						  DB_UINT, lease) > 0)
-			{
-				ip = ip_from_chunk(address);
-				DBG1(DBG_CFG, "reassigning address from valid lease "
-					 "from pool '%s'", name);
-			}
-		}
 		e->destroy(e);
+		return pool;
 	}
-	this->mutex->unlock(this->mutex);
-	return ip;
+	DBG1(DBG_CFG, "ip pool '%s' not found");
+	return 0;
 }
 
 /**
- * Create a new lease entry for client
+ * Lookup a lease
  */
-static host_t* create_lease(private_sql_attribute_t *this,
-							char *name, identification_t *id)
+static host_t *get_address(private_sql_attribute_t *this, char *name,
+						   u_int pool, u_int timeout, u_int identity)
 {
 	enumerator_t *e;
+	u_int id;
 	chunk_t address;
-	host_t *ip = NULL;
-	u_int pool, identity = 0, released, timeout;
-	bool new = FALSE;
+	host_t *host;
+	time_t now = time(NULL);
 	
-	/* we currently do not use database transactions. While this would be 
-	 * the clean way, there is no real advantage, but some disadvantages:
-	 * - we would require InnoDB for mysql, as MyISAM does not support trans.
-	 * - the mysql plugin uses connection pooling, and we would need a 
-	 *   mechanism to lock transactions to a single connection.
-	 */
-	this->mutex->lock(this->mutex);
+	/* We check for leases for that identity first and for other expired
+	 * leases afterwards. We select an address as a candidate, but double
+	 * check if it is still valid in the update. This allows us to work
+	 * without locking. */
 	
-	/* find an address which has outdated leases only. The HAVING clause filters
-	 * out leases which are active (released = NULL) or not expired */
-	e = this->db->query(this->db,
-						"SELECT pool, address, released, timeout FROM leases "
-						"JOIN pools ON leases.pool = pools.id "
-						"WHERE name = ? and timeout > 0 "
-						"GROUP BY address HAVING COUNT(released) = COUNT(*) "
-						"AND MAX(released) < (? - timeout) LIMIT 1",
-						DB_TEXT, name, DB_UINT, time(NULL),
-						DB_UINT, DB_BLOB, DB_UINT, DB_UINT);
-	
-	if (!e || !e->enumerate(e, &pool, &address, &released, &timeout))
+	/* check for an existing lease for that identity  */
+	while (TRUE)
 	{
-		DESTROY_IF(e);
-		/* no outdated lease found, acquire new address */
 		e = this->db->query(this->db,
-				"SELECT id, next FROM pools WHERE name = ? AND next <= end",
-				DB_TEXT, name,
-				DB_UINT, DB_BLOB);
-		if (!e || !e->enumerate(e, &pool, &address))
+				"SELECT id, address FROM addresses "
+				"WHERE pool = ? AND identity = ? AND released != 0 LIMIT 1",
+				DB_UINT, pool, DB_UINT, identity, DB_UINT, DB_BLOB);
+		if (!e || !e->enumerate(e, &id, &address))
 		{
-			/* pool seems full */
 			DESTROY_IF(e);
-			this->mutex->unlock(this->mutex);
-			return NULL;
+			break;	
+		}
+		address = chunk_clonea(address);
+		e->destroy(e);
+		if (this->db->execute(this->db, NULL,
+				"UPDATE addresses SET acquired = ?, released = 0 "
+				"WHERE id = ? AND identity = ? AND released != 0",
+				DB_UINT, now, DB_UINT, id, DB_UINT, identity) > 0)
+		{
+			host = host_from_chunk(address);
+			if (host)
+			{
+				DBG1(DBG_CFG, "acquired existing lease "
+					 "for address %H in pool '%s'", host, name);
+				return host;
+			}
 		}
-		new = TRUE;
 	}
-	address = chunk_clonea(address);
-	e->destroy(e);
 	
-	/* look for peer identity in the identities table */
-	e = this->db->query(this->db,
-						"SELECT id FROM identities WHERE type = ? AND data = ?",
-						DB_INT, id->get_type(id), DB_BLOB, id->get_encoding(id),
-						DB_UINT);
-	if (!e || !e->enumerate(e, &identity))
-	{
-		DESTROY_IF(e);
-		/* not found, insert new one */
-		this->db->execute(this->db, &identity,
-					  "INSERT INTO identities (type, data) VALUES (?, ?)",
-					  DB_INT, id->get_type(id), DB_BLOB, id->get_encoding(id));
-	}
-	else
+	/* check for an expired lease */
+	while (TRUE)
 	{
+		e = this->db->query(this->db,
+				"SELECT id, address FROM addresses "
+				"WHERE pool = ? AND released != 0 AND released < ? LIMIT 1",
+				DB_UINT, pool, DB_UINT, now - timeout, DB_UINT, DB_BLOB);
+		if (!e || !e->enumerate(e, &id, &address))
+		{
+			DESTROY_IF(e);
+			break;	
+		}
+		address = chunk_clonea(address);
 		e->destroy(e);
-	}
-	/* if we have an identity, insert a new lease */
-	if (identity)
-	{
+			
 		if (this->db->execute(this->db, NULL,
-				"INSERT INTO leases (pool, address, identity, acquired) "
-				"VALUES (?, ?, ?, ?)",
-				DB_UINT, pool, DB_BLOB, address, DB_UINT, identity,
-				DB_UINT, time(NULL)) > 0)
+				"UPDATE addresses SET "
+				"acquired = ?, released = 0, identity = ? "
+				"WHERE id = ? AND released != 0 AND released < ?",
+				DB_UINT, now, DB_UINT, identity,
+				DB_UINT, id, DB_UINT, now - timeout) > 0)
 		{
-			ip = ip_from_chunk(address);
-			if (new)
-			{	/* update next address, as we have consumed one */
-				increment_chunk(address);
-				this->db->execute(this->db, NULL,
-								  "UPDATE pools SET next = ? WHERE id = ?",
-								  DB_BLOB, address, DB_UINT, pool);
-				DBG1(DBG_CFG, "assigning lease with new address "
-					 "from pool '%s'", name);
-			}
-			else
+			host = host_from_chunk(address);
+			if (host)
 			{
-				DBG1(DBG_CFG, "reassigning address from expired lease "
-					 "from pool '%s'", name);
+				DBG1(DBG_CFG, "acquired new lease "
+					 "for address %H in pool '%s'", host, name);
+				return host;
 			}
 		}
 	}
-	this->mutex->unlock(this->mutex);
-	return ip;
+	DBG1(DBG_CFG, "no available address found in pool '%s'", name);
+	return 0;
 }
 
 /**
@@ -226,14 +195,29 @@ static host_t* acquire_address(private_sql_attribute_t *this,
 							   char *name, identification_t *id,
 							   auth_info_t *auth, host_t *requested)
 {
-	host_t *ip;
+	enumerator_t *enumerator;
+	u_int pool, timeout, identity;
+	host_t *address = NULL;
 	
-	ip = get_lease(this, name, id);
-	if (!ip)
+	identity = get_identity(this, id);
+	if (identity)
 	{
-		ip = create_lease(this, name, id);
+		enumerator = enumerator_create_token(name, ",", " ");
+		while (enumerator->enumerate(enumerator, &name))
+		{
+			pool = get_pool(this, name, &timeout);
+			if (pool)
+			{
+				address = get_address(this, name, pool, timeout, identity);
+				if (address)
+				{
+					break;
+				}
+			}
+		}
+		enumerator->destroy(enumerator);
 	}
-	return ip;
+	return address;
 }
 
 /**
@@ -242,16 +226,39 @@ static host_t* acquire_address(private_sql_attribute_t *this,
 static bool release_address(private_sql_attribute_t *this,
 							char *name, host_t *address)
 {
-	if (this->db->execute(this->db, NULL,
-			"UPDATE leases SET released = ? WHERE "
-			"pool IN (SELECT id FROM pools WHERE name = ?) AND "
-			"address = ? AND released IS NULL",
-			DB_UINT, time(NULL),
-			DB_TEXT, name, DB_BLOB, address->get_address(address)) > 0)
+	enumerator_t *enumerator;
+	bool found = FALSE;
+	time_t now = time(NULL);
+	
+	enumerator = enumerator_create_token(name, ",", " ");
+	while (enumerator->enumerate(enumerator, &name))
 	{
-		return TRUE;
+		u_int pool, timeout;
+		
+		pool = get_pool(this, name, &timeout);
+		if (pool)
+		{
+			if (this->history)
+			{
+				this->db->execute(this->db, NULL,
+					"INSERT INTO leases (address, identity, acquired, released)"
+					" SELECT id, identity, acquired, ? FROM addresses "
+					" WHERE pool = ? AND address = ?",
+					DB_UINT, now, DB_UINT, pool,
+					DB_BLOB, address->get_address(address));
+			}
+			if (this->db->execute(this->db, NULL,
+					"UPDATE addresses SET released = ? WHERE "
+					"pool = ? AND address = ?", DB_UINT, time(NULL),
+					DB_UINT, pool, DB_BLOB, address->get_address(address)) > 0)
+			{
+				found = TRUE;
+				break;
+			}
+		}
 	}
-	return FALSE;
+	enumerator->destroy(enumerator);
+	return found;
 }
 
 /**
@@ -259,7 +266,6 @@ static bool release_address(private_sql_attribute_t *this,
  */
 static void destroy(private_sql_attribute_t *this)
 {
-	this->mutex->destroy(this->mutex);
 	free(this);
 }
 
@@ -269,19 +275,27 @@ static void destroy(private_sql_attribute_t *this)
 sql_attribute_t *sql_attribute_create(database_t *db)
 {
 	private_sql_attribute_t *this = malloc_thing(private_sql_attribute_t);
+	time_t now = time(NULL);
 	
 	this->public.provider.acquire_address = (host_t*(*)(attribute_provider_t *this, char*, identification_t *,auth_info_t *, host_t *))acquire_address;
 	this->public.provider.release_address = (bool(*)(attribute_provider_t *this, char*,host_t *))release_address;
 	this->public.destroy = (void(*)(sql_attribute_t*))destroy;
 	
 	this->db = db;
-	this->mutex = mutex_create(MUTEX_DEFAULT);
+	this->history = lib->settings->get_bool(lib->settings,
+									"charon.plugins.sql.lease_history", TRUE);
 	
 	/* close any "online" leases in the case we crashed */
+	if (this->history)
+	{
+		this->db->execute(this->db, NULL,
+					"INSERT INTO leases (address, identity, acquired, released)"
+					" SELECT id, identity, acquired, ? FROM addresses "
+					" WHERE released = 0", DB_UINT, now);
+	}
 	this->db->execute(this->db, NULL,
-					  "UPDATE leases SET released = ? WHERE released IS NULL",
-					  DB_UINT, time(NULL));
-	
+					  "UPDATE addresses SET released = ? WHERE released = 0",
+					  DB_UINT, now);
 	return &this->public;
 }
 
diff --git a/src/charon/plugins/sql/sql_config.c b/src/charon/plugins/sql/sql_config.c
index 3785839cf..41c5e9790 100644
--- a/src/charon/plugins/sql/sql_config.c
+++ b/src/charon/plugins/sql/sql_config.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: sql_config.c 4044 2008-06-06 15:05:54Z martin $
+ * $Id: sql_config.c 4276 2008-08-22 10:44:51Z martin $
  */
 
 #include <string.h>
@@ -267,6 +267,7 @@ static peer_cfg_t *build_peer_cfg(private_sql_config_t *this, enumerator_t *e,
 		peer_cfg_t *peer_cfg, *mediated_cfg;
 		ike_cfg_t *ike;
 		host_t *vip = NULL;
+		auth_info_t *auth;
 		
 		local_id = identification_create_from_encoding(l_type, l_data);
 		remote_id = identification_create_from_encoding(r_type, r_data);
@@ -291,10 +292,19 @@ static peer_cfg_t *build_peer_cfg(private_sql_config_t *this, enumerator_t *e,
 		{
 			peer_cfg = peer_cfg_create(
 					name, 2, ike, local_id, remote_id, cert_policy, uniqueid,
-					auth_method, eap_type, eap_vendor, keyingtries, 
-					rekeytime, reauthtime, jitter, overtime, mobike,
-					dpd_delay, vip, pool,
+					keyingtries, rekeytime, reauthtime, jitter, overtime,
+					mobike,	dpd_delay, vip, pool,
 					mediation, mediated_cfg, peer_id);
+			auth = peer_cfg->get_auth(peer_cfg);
+			auth->add_item(auth, AUTHN_AUTH_CLASS, &auth_method);
+			if (eap_type)
+			{
+				auth->add_item(auth, AUTHN_EAP_TYPE, &eap_type);
+				if (eap_vendor)
+				{
+					auth->add_item(auth, AUTHN_EAP_VENDOR, &eap_vendor);
+				}
+			}
 			add_child_cfgs(this, peer_cfg, id);
 			return peer_cfg;
 		}
diff --git a/src/charon/plugins/sql/sql_cred.c b/src/charon/plugins/sql/sql_cred.c
index 9d91973c2..7313b7eb8 100644
--- a/src/charon/plugins/sql/sql_cred.c
+++ b/src/charon/plugins/sql/sql_cred.c
@@ -64,7 +64,7 @@ static bool private_enumerator_enumerate(private_enumerator_t *this,
 	while (this->inner->enumerate(this->inner, &type, &blob))
 	{
 		this->current = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type,
-										   BUILD_BLOB_ASN1_DER, chunk_clone(blob),
+										   BUILD_BLOB_ASN1_DER, blob,
 										   BUILD_END);
 		if (this->current)
 		{
@@ -150,7 +150,7 @@ static bool cert_enumerator_enumerate(cert_enumerator_t *this,
 	while (this->inner->enumerate(this->inner, &type, &blob))
 	{
 		this->current = lib->creds->create(lib->creds, CRED_CERTIFICATE, type,
-										   BUILD_BLOB_ASN1_DER, chunk_clone(blob),
+										   BUILD_BLOB_ASN1_DER, blob,
 										   BUILD_END);
 		if (this->current)
 		{
diff --git a/src/charon/plugins/sql/sql_logger.c b/src/charon/plugins/sql/sql_logger.c
index 2fb5844b3..6a87f9f1d 100644
--- a/src/charon/plugins/sql/sql_logger.c
+++ b/src/charon/plugins/sql/sql_logger.c
@@ -54,7 +54,8 @@ struct private_sql_logger_t {
  * Implementation of bus_listener_t.signal.
  */
 static bool signal_(private_sql_logger_t *this, signal_t signal, level_t level,
-					int thread, ike_sa_t* ike_sa, char *format, va_list args)
+					int thread, ike_sa_t* ike_sa, void *data,
+					char *format, va_list args)
 {
 	if (this->recursive)
 	{
@@ -133,7 +134,7 @@ sql_logger_t *sql_logger_create(database_t *db)
 {
 	private_sql_logger_t *this = malloc_thing(private_sql_logger_t);
 	
-	this->public.listener.signal = (bool(*)(bus_listener_t*,signal_t,level_t,int,ike_sa_t*,char*,va_list))signal_;
+	this->public.listener.signal = (bool(*)(bus_listener_t*,signal_t,level_t,int,ike_sa_t*,void*,char*,va_list))signal_;
 	this->public.destroy = (void(*)(sql_logger_t*))destroy;
 	
 	this->db = db;
diff --git a/src/charon/plugins/stroke/Makefile.in b/src/charon/plugins/stroke/Makefile.in
index a528377d0..1ff213165 100644
--- a/src/charon/plugins/stroke/Makefile.in
+++ b/src/charon/plugins/stroke/Makefile.in
@@ -190,6 +190,8 @@ localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
diff --git a/src/charon/plugins/stroke/stroke_ca.c b/src/charon/plugins/stroke/stroke_ca.c
index 897365eb0..8569f49c3 100644
--- a/src/charon/plugins/stroke/stroke_ca.c
+++ b/src/charon/plugins/stroke/stroke_ca.c
@@ -16,10 +16,12 @@
  * $Id$
  */
 
+#define _GNU_SOURCE
+#include <pthread.h>
+
 #include "stroke_ca.h"
 #include "stroke_cred.h"
 
-#include <utils/mutex.h>
 #include <utils/linked_list.h>
 #include <crypto/hashers/hasher.h>
 
@@ -38,9 +40,9 @@ struct private_stroke_ca_t {
 	stroke_ca_t public;
 	
 	/**
-	 * mutex to lock access to list
+	 * read-write lock to lists
 	 */
-	mutex_t *mutex;
+	pthread_rwlock_t lock;
 	
 	/**
 	 * list of starters CA sections and its certificates (ca_section_t)
@@ -134,7 +136,7 @@ typedef struct {
  */
 static void cdp_data_destroy(cdp_data_t *data)
 {
-	data->this->mutex->unlock(data->this->mutex);
+	pthread_rwlock_unlock(&data->this->lock);
 	free(data);
 }
 
@@ -234,7 +236,7 @@ static enumerator_t *create_cdp_enumerator(private_stroke_ca_t *this,
 	data->type = type;
 	data->id = id;
 	
-	this->mutex->lock(this->mutex);
+	pthread_rwlock_rdlock(&this->lock);
 	return enumerator_create_nested(this->sections->create_enumerator(this->sections),
 			(type == CERT_X509) ? (void*)create_inner_cdp_hashandurl : (void*)create_inner_cdp,
 			data, (void*)cdp_data_destroy);
@@ -276,9 +278,9 @@ static void add(private_stroke_ca_t *this, stroke_msg_t *msg)
 		{
 			ca->certuribase = strdup(msg->add_ca.certuribase);
 		}
-		this->mutex->lock(this->mutex);
+		pthread_rwlock_wrlock(&this->lock);
 		this->sections->insert_last(this->sections, ca);
-		this->mutex->unlock(this->mutex);
+		pthread_rwlock_unlock(&this->lock);
 		DBG1(DBG_CFG, "added ca '%s'", msg->add_ca.name);
 	}
 }
@@ -291,7 +293,7 @@ static void del(private_stroke_ca_t *this, stroke_msg_t *msg)
 	enumerator_t *enumerator;
 	ca_section_t *ca = NULL;
 	
-	this->mutex->lock(this->mutex);
+	pthread_rwlock_wrlock(&this->lock);
 	enumerator = this->sections->create_enumerator(this->sections);
 	while (enumerator->enumerate(enumerator, &ca))
 	{
@@ -303,7 +305,7 @@ static void del(private_stroke_ca_t *this, stroke_msg_t *msg)
 		ca = NULL;
 	}
 	enumerator->destroy(enumerator);
-	this->mutex->unlock(this->mutex);
+	pthread_rwlock_unlock(&this->lock);
 	if (ca == NULL)
 	{
 		DBG1(DBG_CFG, "no ca named '%s' found\n", msg->del_ca.name);
@@ -354,7 +356,7 @@ static void check_for_hash_and_url(private_stroke_ca_t *this, certificate_t* cer
 		return;
 	}
 	
-	this->mutex->lock(this->mutex);
+	pthread_rwlock_wrlock(&this->lock);
 	enumerator = this->sections->create_enumerator(this->sections);
 	while (enumerator->enumerate(enumerator, (void**)&section))
 	{
@@ -370,7 +372,7 @@ static void check_for_hash_and_url(private_stroke_ca_t *this, certificate_t* cer
 		}
 	}
 	enumerator->destroy(enumerator);
-	this->mutex->unlock(this->mutex);
+	pthread_rwlock_unlock(&this->lock);
 	
 	hasher->destroy(hasher);
 }
@@ -384,7 +386,7 @@ static void list(private_stroke_ca_t *this, stroke_msg_t *msg, FILE *out)
 	ca_section_t *section;
 	enumerator_t *enumerator;
 	
-	this->mutex->lock(this->mutex);
+	pthread_rwlock_rdlock(&this->lock);
 	enumerator = this->sections->create_enumerator(this->sections);
 	while (enumerator->enumerate(enumerator, (void**)&section))
 	{
@@ -417,7 +419,7 @@ static void list(private_stroke_ca_t *this, stroke_msg_t *msg, FILE *out)
 		}
 	}
 	enumerator->destroy(enumerator);
-	this->mutex->unlock(this->mutex);
+	pthread_rwlock_unlock(&this->lock);
 }
 
 /**
@@ -426,7 +428,7 @@ static void list(private_stroke_ca_t *this, stroke_msg_t *msg, FILE *out)
 static void destroy(private_stroke_ca_t *this)
 {
 	this->sections->destroy_function(this->sections, (void*)ca_section_destroy);
-	this->mutex->destroy(this->mutex);
+	pthread_rwlock_destroy(&this->lock);
 	free(this);
 }
 
@@ -449,7 +451,7 @@ stroke_ca_t *stroke_ca_create(stroke_cred_t *cred)
 	this->public.destroy = (void(*)(stroke_ca_t*))destroy;
 	
 	this->sections = linked_list_create();
-	this->mutex = mutex_create(MUTEX_RECURSIVE);
+	pthread_rwlock_init(&this->lock, NULL);
 	this->cred = cred;
 	
 	return &this->public;
diff --git a/src/charon/plugins/stroke/stroke_config.c b/src/charon/plugins/stroke/stroke_config.c
index 0069191b5..f10fe2051 100644
--- a/src/charon/plugins/stroke/stroke_config.c
+++ b/src/charon/plugins/stroke/stroke_config.c
@@ -209,7 +209,7 @@ static peer_cfg_t *get_peer_cfg_by_name(private_stroke_config_t *this, char *nam
  */
 static identification_t *update_peerid(certificate_t *cert, identification_t *id)
 {
-	if (!cert->has_subject(cert, id))
+	if (id->get_type(id) == ID_ANY || !cert->has_subject(cert, id))
 	{
 		DBG1(DBG_CFG, "  peerid %D not confirmed by certificate, "
 			 "defaulting to subject DN", id);
@@ -335,7 +335,9 @@ static ike_cfg_t *build_ike_cfg(private_stroke_config_t *this, stroke_msg_t *msg
  * build a peer_cfg from a stroke msg
  */
 static peer_cfg_t *build_peer_cfg(private_stroke_config_t *this,
-								  stroke_msg_t *msg, ike_cfg_t *ike_cfg)
+								  stroke_msg_t *msg, ike_cfg_t *ike_cfg,
+								  identification_t **my_issuer,
+								  identification_t **other_issuer)
 {
 	identification_t *me, *other, *peer_id = NULL;
 	peer_cfg_t *mediated_by = NULL;
@@ -420,6 +422,9 @@ static peer_cfg_t *build_peer_cfg(private_stroke_config_t *this,
 		cert = this->cred->load_peer(this->cred, msg->add_conn.me.cert);
 		if (cert)
 		{
+			identification_t *issuer = cert->get_issuer(cert);
+
+			*my_issuer = issuer->clone(issuer); 
 			this->ca->check_for_hash_and_url(this->ca, cert);
 			me = update_peerid(cert, me);
 			cert->destroy(cert);
@@ -430,6 +435,9 @@ static peer_cfg_t *build_peer_cfg(private_stroke_config_t *this,
 		cert = this->cred->load_peer(this->cred, msg->add_conn.other.cert);
 		if (cert)
 		{
+			identification_t *issuer = cert->get_issuer(cert);
+
+			*other_issuer = issuer->clone(issuer); 
 			other = update_peerid(cert, other);
 			cert->destroy(cert);
 		}
@@ -499,8 +507,7 @@ static peer_cfg_t *build_peer_cfg(private_stroke_config_t *this,
 	 * uses to serve pool addresses. */
 	return peer_cfg_create(msg->add_conn.name,
 		msg->add_conn.ikev2 ? 2 : 1, ike_cfg, me, other,
-		msg->add_conn.me.sendcert, unique, msg->add_conn.auth_method,
-		msg->add_conn.eap_type,	msg->add_conn.eap_vendor,
+		msg->add_conn.me.sendcert, unique, 
 		msg->add_conn.rekey.tries, rekey, reauth, jitter, over,
 		msg->add_conn.mobike, msg->add_conn.dpd.delay,
 		vip, msg->add_conn.other.sourceip_size ?
@@ -512,18 +519,15 @@ static peer_cfg_t *build_peer_cfg(private_stroke_config_t *this,
  * fill in auth_info from stroke message
  */
 static void build_auth_info(private_stroke_config_t *this,
-							stroke_msg_t *msg, auth_info_t *auth)
+							stroke_msg_t *msg, auth_info_t *auth,
+							identification_t *my_ca,
+							identification_t *other_ca)
 {
-	identification_t *my_ca = NULL, *other_ca = NULL;
+	identification_t *id;
 	bool my_ca_same = FALSE;
 	bool other_ca_same = FALSE;
 	cert_validation_t valid;
 
-	if (msg->add_conn.other.groups)
-	{
-		/* TODO: AC groups */
-	}
-	
 	switch (msg->add_conn.crl_policy)
 	{
 		case CRL_STRICT_YES:
@@ -540,6 +544,11 @@ static void build_auth_info(private_stroke_config_t *this,
 	
 	if (msg->add_conn.me.ca)
 	{
+		if (my_ca)
+		{
+			my_ca->destroy(my_ca);
+			my_ca = NULL;
+		}
 		if (streq(msg->add_conn.me.ca, "%same"))
 		{
 			my_ca_same = TRUE;
@@ -549,8 +558,14 @@ static void build_auth_info(private_stroke_config_t *this,
 			my_ca = identification_create_from_string(msg->add_conn.me.ca);
 		}
 	}
+
 	if (msg->add_conn.other.ca)
 	{
+		if (other_ca)
+		{
+			other_ca->destroy(other_ca);
+			other_ca = NULL;
+		}
 		if (streq(msg->add_conn.other.ca, "%same"))
 		{
 			other_ca_same = TRUE;
@@ -560,6 +575,7 @@ static void build_auth_info(private_stroke_config_t *this,
 			other_ca = identification_create_from_string(msg->add_conn.other.ca);
 		}
 	}
+
 	if (other_ca_same && my_ca)
 	{
 		other_ca = my_ca->clone(my_ca);
@@ -585,6 +601,7 @@ static void build_auth_info(private_stroke_config_t *this,
 		}
 		other_ca->destroy(other_ca);
 	}
+
 	if (my_ca)
 	{
 		DBG2(DBG_CFG, "  my ca:    %D", my_ca);
@@ -601,6 +618,66 @@ static void build_auth_info(private_stroke_config_t *this,
 		}
 		my_ca->destroy(my_ca);
 	}
+	auth->add_item(auth, AUTHN_AUTH_CLASS, &msg->add_conn.auth_method);
+	if (msg->add_conn.eap_type)
+	{
+		auth->add_item(auth, AUTHN_EAP_TYPE, &msg->add_conn.eap_type);
+		if (msg->add_conn.eap_vendor)
+		{
+			auth->add_item(auth, AUTHN_EAP_VENDOR, &msg->add_conn.eap_vendor);
+		}
+	}
+
+	if (msg->add_conn.eap_identity)
+	{
+		if (streq(msg->add_conn.eap_identity, "%identity"))
+		{
+			id = identification_create_from_encoding(ID_ANY, chunk_empty);
+		}
+		else
+		{
+			id = identification_create_from_encoding(ID_EAP, chunk_create(
+										msg->add_conn.eap_identity,
+										strlen(msg->add_conn.eap_identity)));
+		}
+		auth->add_item(auth, AUTHN_EAP_IDENTITY, id);
+		id->destroy(id);
+	}
+
+	if (msg->add_conn.other.groups)
+	{
+		chunk_t line = { msg->add_conn.other.groups,
+						 strlen(msg->add_conn.other.groups) };
+
+		while (eat_whitespace(&line))
+		{
+			chunk_t group;
+
+			/* extract the next comma-separated group attribute */
+			if (!extract_token(&group, ',', &line))
+			{
+				group = line;
+				line.len = 0;
+			}
+
+			/* remove any trailing spaces */
+			while (group.len > 0 && *(group.ptr + group.len - 1) == ' ')
+			{
+				group.len--;
+			}
+
+			/* add the group attribute to the list */
+			if (group.len > 0)
+			{
+				identification_t *ac_group;
+
+				ac_group = identification_create_from_encoding(
+									ID_IETF_ATTR_STRING, group);
+				auth->add_item(auth, AUTHZ_AC_GROUP, ac_group);
+				ac_group->destroy(ac_group);	
+			}
+		}
+	}
 }
 
 /**
@@ -696,7 +773,7 @@ static child_cfg_t *build_child_cfg(private_stroke_config_t *this,
 				msg->add_conn.rekey.ipsec_lifetime - msg->add_conn.rekey.margin,
 				msg->add_conn.rekey.margin * msg->add_conn.rekey.fuzz / 100, 
 				msg->add_conn.me.updown, msg->add_conn.me.hostaccess,
-				msg->add_conn.mode, dpd, ACTION_NONE, msg->add_conn.ipcomp);
+				msg->add_conn.mode, dpd, dpd, msg->add_conn.ipcomp);
 	
 	add_ts(this, &msg->add_conn.me, child_cfg, TRUE);
 	add_ts(this, &msg->add_conn.other, child_cfg, FALSE);
@@ -714,6 +791,7 @@ static void add(private_stroke_config_t *this, stroke_msg_t *msg)
 	ike_cfg_t *ike_cfg, *existing_ike;
 	peer_cfg_t *peer_cfg, *existing;
 	child_cfg_t *child_cfg;
+	identification_t *my_issuer = NULL, *other_issuer = NULL;
 	enumerator_t *enumerator;
 	bool use_existing = FALSE;
 
@@ -722,14 +800,15 @@ static void add(private_stroke_config_t *this, stroke_msg_t *msg)
 	{
 		return;
 	}
-	peer_cfg = build_peer_cfg(this, msg, ike_cfg);
+	peer_cfg = build_peer_cfg(this, msg, ike_cfg, &my_issuer, &other_issuer);
 	if (!peer_cfg)
 	{
 		ike_cfg->destroy(ike_cfg);
 		return;
 	}
 	
-	build_auth_info(this, msg, peer_cfg->get_auth(peer_cfg));
+	build_auth_info(this, msg, peer_cfg->get_auth(peer_cfg),
+					my_issuer, other_issuer);
 	enumerator = create_peer_cfg_enumerator(this, NULL, NULL);
 	while (enumerator->enumerate(enumerator, &existing))
 	{
diff --git a/src/charon/plugins/stroke/stroke_control.c b/src/charon/plugins/stroke/stroke_control.c
index 2956b1576..ed9dd7b16 100644
--- a/src/charon/plugins/stroke/stroke_control.c
+++ b/src/charon/plugins/stroke/stroke_control.c
@@ -18,6 +18,7 @@
 #include "stroke_control.h"
 
 #include <daemon.h>
+#include <processing/jobs/delete_ike_sa_job.h>
 
 typedef struct private_stroke_control_t private_stroke_control_t;
 
@@ -55,7 +56,7 @@ struct stroke_log_info_t {
  * logging to the stroke interface
  */
 static bool stroke_log(stroke_log_info_t *info, signal_t signal, level_t level,
-					   ike_sa_t *ike_sa, char *format, va_list args)
+					   ike_sa_t *ike_sa, void *data, char *format, va_list args)
 {
 	if (level <= info->level)
 	{
@@ -239,6 +240,75 @@ static void terminate(private_stroke_control_t *this, stroke_msg_t *msg, FILE *o
 	DBG1(DBG_CFG, "no such SA found");
 }
 
+/**
+ * Implementation of stroke_control_t.terminate_srcip.
+ */
+static void terminate_srcip(private_stroke_control_t *this,
+							stroke_msg_t *msg, FILE *out)
+{
+	enumerator_t *enumerator;
+	ike_sa_t *ike_sa;
+	host_t *start = NULL, *end = NULL, *vip;
+	chunk_t chunk_start, chunk_end, chunk_vip;
+	
+	if (msg->terminate_srcip.start)
+	{
+		start = host_create_from_string(msg->terminate_srcip.start, 0);
+	}
+	if (!start)
+	{
+		DBG1(DBG_CFG, "invalid start address: %s", msg->terminate_srcip.start);
+		return;
+	}
+	chunk_start = start->get_address(start);
+	if (msg->terminate_srcip.end)
+	{
+		end = host_create_from_string(msg->terminate_srcip.end, 0);
+		if (!end)
+		{
+			DBG1(DBG_CFG, "invalid end address: %s", msg->terminate_srcip.end);
+			start->destroy(start);
+			return;
+		}
+		chunk_end = end->get_address(end);
+	}
+	
+	enumerator = charon->controller->create_ike_sa_enumerator(charon->controller);
+	while (enumerator->enumerate(enumerator, &ike_sa))
+	{
+		vip = ike_sa->get_virtual_ip(ike_sa, FALSE);
+		if (!vip)
+		{
+			continue;
+		}
+		if (!end)
+		{
+			if (!vip->ip_equals(vip, start))
+			{
+				continue;
+			}
+		}
+		else
+		{
+			chunk_vip = vip->get_address(vip);
+			if (chunk_vip.len != chunk_start.len ||
+				chunk_vip.len != chunk_end.len ||
+				memcmp(chunk_vip.ptr, chunk_start.ptr, chunk_vip.len) < 0 ||
+				memcmp(chunk_vip.ptr, chunk_end.ptr, chunk_vip.len) > 0)
+			{
+				continue;
+			}
+		}
+
+		/* schedule delete asynchronously */
+		charon->processor->queue_job(charon->processor, (job_t*)
+						delete_ike_sa_job_create(ike_sa->get_id(ike_sa), TRUE));
+	}
+	enumerator->destroy(enumerator);
+	start->destroy(start);
+	DESTROY_IF(end);
+}
+
 /**
  * Implementation of stroke_control_t.route.
  */
@@ -336,6 +406,7 @@ stroke_control_t *stroke_control_create()
 	
 	this->public.initiate = (void(*)(stroke_control_t*, stroke_msg_t *msg, FILE *out))initiate;
 	this->public.terminate = (void(*)(stroke_control_t*, stroke_msg_t *msg, FILE *out))terminate;
+	this->public.terminate_srcip = (void(*)(stroke_control_t*, stroke_msg_t *msg, FILE *out))terminate_srcip;
 	this->public.route = (void(*)(stroke_control_t*, stroke_msg_t *msg, FILE *out))route;
 	this->public.unroute = (void(*)(stroke_control_t*, stroke_msg_t *msg, FILE *out))unroute;
 	this->public.destroy = (void(*)(stroke_control_t*))destroy;
diff --git a/src/charon/plugins/stroke/stroke_control.h b/src/charon/plugins/stroke/stroke_control.h
index 917679209..926964458 100644
--- a/src/charon/plugins/stroke/stroke_control.h
+++ b/src/charon/plugins/stroke/stroke_control.h
@@ -48,6 +48,13 @@ struct stroke_control_t {
 	 */
 	void (*terminate)(stroke_control_t *this, stroke_msg_t *msg, FILE *out);
 	
+	/**
+	 * Terminate a connection by peers virtual IP.
+	 *
+	 * @param msg		stroke message
+	 */
+	void (*terminate_srcip)(stroke_control_t *this, stroke_msg_t *msg, FILE *out);
+	
 	/**
 	 * Route a connection.
 	 *
diff --git a/src/charon/plugins/stroke/stroke_cred.c b/src/charon/plugins/stroke/stroke_cred.c
index 223500488..c699a083e 100644
--- a/src/charon/plugins/stroke/stroke_cred.c
+++ b/src/charon/plugins/stroke/stroke_cred.c
@@ -15,17 +15,18 @@
  * $Id$
  */
 
-#include "stroke_cred.h"
-#include "stroke_shared_key.h"
-
+#define _GNU_SOURCE
+#include <pthread.h>
 #include <sys/stat.h>
 #include <limits.h>
 
+#include "stroke_cred.h"
+#include "stroke_shared_key.h"
+
 #include <credentials/certificates/x509.h>
 #include <credentials/certificates/crl.h>
 #include <credentials/certificates/ac.h>
 #include <utils/linked_list.h>
-#include <utils/mutex.h>
 #include <utils/lexparser.h>
 #include <asn1/pem.h>
 #include <daemon.h>
@@ -70,9 +71,9 @@ struct private_stroke_cred_t {
 	linked_list_t *private;
 	
 	/**
-	 * mutex to lock lists above
+	 * read-write lock to lists
 	 */
-	mutex_t *mutex;
+	pthread_rwlock_t lock;
 	
 	/**
 	 * cache CRLs to disk?
@@ -93,7 +94,7 @@ typedef struct {
  */
 static void id_data_destroy(id_data_t *data)
 {
-	data->this->mutex->unlock(data->this->mutex);
+	pthread_rwlock_unlock(&data->this->lock);
 	free(data);
 }
 
@@ -139,7 +140,7 @@ static enumerator_t* create_private_enumerator(private_stroke_cred_t *this,
 	data->this = this;
 	data->id = id;
 	
-	this->mutex->lock(this->mutex);
+	pthread_rwlock_rdlock(&this->lock);
 	return enumerator_create_filter(this->private->create_enumerator(this->private),
 									(void*)private_filter, data,
 									(void*)id_data_destroy);
@@ -240,7 +241,7 @@ static enumerator_t* create_cert_enumerator(private_stroke_cred_t *this,
 		data->this = this;
 		data->id = id;
 		
-		this->mutex->lock(this->mutex);
+		pthread_rwlock_rdlock(&this->lock);
 		return enumerator_create_filter(this->certs->create_enumerator(this->certs),
 					(cert == CERT_X509_CRL)? (void*)crl_filter : (void*)ac_filter,
 					data, (void*)id_data_destroy);
@@ -253,7 +254,7 @@ static enumerator_t* create_cert_enumerator(private_stroke_cred_t *this,
 	data->this = this;
 	data->id = id;
 	
-	this->mutex->lock(this->mutex);
+	pthread_rwlock_rdlock(&this->lock);
 	return enumerator_create_filter(this->certs->create_enumerator(this->certs),
 									(void*)certs_filter, data,
 									(void*)id_data_destroy);
@@ -271,7 +272,7 @@ typedef struct {
  */
 static void shared_data_destroy(shared_data_t *data)
 {
-	data->this->mutex->unlock(data->this->mutex);
+	pthread_rwlock_unlock(&data->this->lock);
 	free(data);
 }
 
@@ -323,7 +324,7 @@ static enumerator_t* create_shared_enumerator(private_stroke_cred_t *this,
 	data->me = me;
 	data->other = other;
 	data->type = type;
-	this->mutex->lock(this->mutex);
+	pthread_rwlock_rdlock(&this->lock);
 	return enumerator_create_filter(this->shared->create_enumerator(this->shared),
 									(void*)shared_filter, data,
 									(void*)shared_data_destroy);
@@ -338,7 +339,7 @@ static certificate_t* add_cert(private_stroke_cred_t *this, certificate_t *cert)
 	enumerator_t *enumerator;
 	bool new = TRUE;	
 
-	this->mutex->lock(this->mutex);
+	pthread_rwlock_rdlock(&this->lock);
 	enumerator = this->certs->create_enumerator(this->certs);
 	while (enumerator->enumerate(enumerator, (void**)&current))
 	{
@@ -357,7 +358,7 @@ static certificate_t* add_cert(private_stroke_cred_t *this, certificate_t *cert)
 	{
 		this->certs->insert_last(this->certs, cert);
 	}
-	this->mutex->unlock(this->mutex);
+	pthread_rwlock_unlock(&this->lock);
 	return cert;
 }
 	
@@ -399,7 +400,7 @@ static bool add_crl(private_stroke_cred_t *this, crl_t* crl)
 	enumerator_t *enumerator;
 	bool new = TRUE, found = FALSE;	
 
-	this->mutex->lock(this->mutex);
+	pthread_rwlock_wrlock(&this->lock);
 	enumerator = this->certs->create_enumerator(this->certs);
 	while (enumerator->enumerate(enumerator, (void**)&current))
 	{
@@ -447,7 +448,7 @@ static bool add_crl(private_stroke_cred_t *this, crl_t* crl)
 	{
 		this->certs->insert_last(this->certs, cert);
 	}
-	this->mutex->unlock(this->mutex);
+	pthread_rwlock_unlock(&this->lock);
 	return new;
 }
 
@@ -458,9 +459,9 @@ static bool add_ac(private_stroke_cred_t *this, ac_t* ac)
 {
 	certificate_t *cert = &ac->certificate;
 
-	this->mutex->lock(this->mutex);
+	pthread_rwlock_wrlock(&this->lock);
 	this->certs->insert_last(this->certs, cert);
-	this->mutex->unlock(this->mutex);
+	pthread_rwlock_unlock(&this->lock);
 	return TRUE;
 }
 
@@ -697,7 +698,7 @@ static void load_secrets(private_stroke_cred_t *this)
 	fclose(fd);
 	src = chunk;
 
-	this->mutex->lock(this->mutex);
+	pthread_rwlock_wrlock(&this->lock);
 	while (this->shared->remove_last(this->shared,
 		 								   (void**)&shared) == SUCCESS)
 	{
@@ -782,6 +783,7 @@ static void load_secrets(private_stroke_cred_t *this)
 			{
 				key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, key_type,
 										 BUILD_BLOB_ASN1_DER, chunk, BUILD_END);
+				free(chunk.ptr);
 				if (key)
 				{
 					DBG1(DBG_CFG, "  loaded private key file '%s'", path);
@@ -826,20 +828,27 @@ static void load_secrets(private_stroke_cred_t *this)
 				{
 					continue;
 				}
-
-				/* NULL terminate the ID string */
-				*(id.ptr + id.len) = '\0';
-
-				peer_id = identification_create_from_string(id.ptr);
-				if (peer_id == NULL)
+				
+				if (type == SHARED_EAP)
 				{
-					DBG1(DBG_CFG, "line %d: malformed ID: %s", line_nr, id.ptr);
-					goto error;
+					/* we use a special EAP identity type for EAP secrets */
+					peer_id = identification_create_from_encoding(ID_EAP, id);
 				}
-				if (peer_id->get_type(peer_id) == ID_ANY)
+				else
 				{
-					peer_id->destroy(peer_id);
-					continue;
+					/* NULL terminate the ID string */
+					*(id.ptr + id.len) = '\0';
+					peer_id = identification_create_from_string(id.ptr);
+					if (peer_id == NULL)
+					{
+						DBG1(DBG_CFG, "line %d: malformed ID: %s", line_nr, id.ptr);
+						goto error;
+					}
+					if (peer_id->get_type(peer_id) == ID_ANY)
+					{
+						peer_id->destroy(peer_id);
+						continue;
+					}
 				}
 				
 				shared_key->add_owner(shared_key, peer_id);
@@ -859,7 +868,7 @@ static void load_secrets(private_stroke_cred_t *this)
 		}
 	}
 error:
-	this->mutex->unlock(this->mutex);
+	pthread_rwlock_unlock(&this->lock);
 	chunk_clear(&chunk);
 }
 
@@ -940,7 +949,7 @@ static void destroy(private_stroke_cred_t *this)
 	this->certs->destroy_offset(this->certs, offsetof(certificate_t, destroy));
 	this->shared->destroy_offset(this->shared, offsetof(shared_key_t, destroy));
 	this->private->destroy_offset(this->private, offsetof(private_key_t, destroy));
-	this->mutex->destroy(this->mutex);
+	pthread_rwlock_destroy(&this->lock);
 	free(this);
 }
 
@@ -965,7 +974,7 @@ stroke_cred_t *stroke_cred_create()
 	this->certs = linked_list_create();
 	this->shared = linked_list_create();
 	this->private = linked_list_create();
-	this->mutex = mutex_create(MUTEX_RECURSIVE);
+	pthread_rwlock_init(&this->lock, NULL);
 
 	load_certs(this);
 	load_secrets(this);
diff --git a/src/charon/plugins/stroke/stroke_list.c b/src/charon/plugins/stroke/stroke_list.c
index 44699ba0a..d531dca47 100644
--- a/src/charon/plugins/stroke/stroke_list.c
+++ b/src/charon/plugins/stroke/stroke_list.c
@@ -22,6 +22,7 @@
 #include <credentials/certificates/x509.h>
 #include <credentials/certificates/ac.h>
 #include <credentials/certificates/crl.h>
+#include <config/peer_cfg.h>
 
 /* warning intervals for list functions */
 #define CERT_WARNING_INTERVAL  30	/* days */
@@ -46,6 +47,23 @@ struct private_stroke_list_t {
 	time_t uptime;
 };
 
+/**
+ * get the authentication class of a config
+ */
+auth_class_t get_auth_class(peer_cfg_t *config)
+{
+	auth_class_t *class;
+	auth_info_t *auth_info;
+	
+	auth_info = config->get_auth(config);
+	if (auth_info->get_item(auth_info, AUTHN_AUTH_CLASS, (void**)&class))
+	{
+		return *class;
+	}
+	/* fallback to pubkey authentication */
+	return AUTH_CLASS_PUBKEY;
+}
+
 /**
  * log an IKE_SA to out
  */
@@ -80,7 +98,8 @@ static void log_ike_sa(FILE *out, ike_sa_t *ike_sa, bool all)
 			}
 			if (reauth)
 			{
-				fprintf(out, ", reauthentication in %V", &reauth);
+				fprintf(out, ", %N reauthentication in %V", auth_class_names,
+						get_auth_class(ike_sa->get_peer_cfg(ike_sa)), &reauth);
 			}
 			if (!rekey && !reauth)
 			{
@@ -108,7 +127,7 @@ static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all)
 	encryption_algorithm_t encr_alg;
 	integrity_algorithm_t int_alg;
 	size_t encr_len, int_len;
-	mode_t mode;
+	ipsec_mode_t mode;
 	
 	child_sa->get_stats(child_sa, &mode, &encr_alg, &encr_len,
 						&int_alg, &int_len, &rekey, &use_in, &use_out,
@@ -117,15 +136,25 @@ static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all)
 	fprintf(out, "%12s{%d}:  %N, %N", 
 			child_sa->get_name(child_sa), child_sa->get_reqid(child_sa),
 			child_sa_state_names, child_sa->get_state(child_sa),
-			mode_names, mode);
+			ipsec_mode_names, mode);
 	
 	if (child_sa->get_state(child_sa) == CHILD_INSTALLED)
 	{
+		u_int16_t my_cpi    = child_sa->get_cpi(child_sa, TRUE);
+		u_int16_t other_cpi = child_sa->get_cpi(child_sa, FALSE);		
+
 		fprintf(out, ", %N SPIs: %.8x_i %.8x_o",
 				protocol_id_names, child_sa->get_protocol(child_sa),
-				htonl(child_sa->get_spi(child_sa, TRUE)),
-				htonl(child_sa->get_spi(child_sa, FALSE)));
-		
+				ntohl(child_sa->get_spi(child_sa, TRUE)),
+				ntohl(child_sa->get_spi(child_sa, FALSE)));
+
+		/* Is IPCOMP activated ? */
+		if (my_cpi && other_cpi)
+		{
+			fprintf(out, ", IPCOMP CPIs: %.4x_i %.4x_o",
+					ntohs(my_cpi), ntohs(other_cpi));
+		}
+
 		if (all)
 		{
 			fprintf(out, "\n%12s{%d}:  ", child_sa->get_name(child_sa), 
@@ -198,21 +227,20 @@ static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all)
 static void status(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out, bool all)
 {
 	enumerator_t *enumerator, *children;
-	iterator_t *iterator;
-	host_t *host;
-	peer_cfg_t *peer_cfg;
 	ike_cfg_t *ike_cfg;
 	child_cfg_t *child_cfg;
 	ike_sa_t *ike_sa;
-	char *name = NULL, *plugin;
 	bool found = FALSE;
-	time_t uptime;
-	
-	name = msg->status.name;
+	char *name = msg->status.name;
 	
 	if (all)
 	{
-		uptime = time(NULL) - this->uptime;
+		peer_cfg_t *peer_cfg;
+		char *plugin;
+		host_t *host;
+		u_int32_t dpd;
+		time_t uptime = time(NULL) - this->uptime;
+
 		fprintf(out, "Performance:\n");
 		fprintf(out, "  uptime: %V, since %#T\n", &uptime, &this->uptime, FALSE);
 		fprintf(out, "  worker threads: %d idle of %d,",
@@ -231,40 +259,154 @@ static void status(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out, bo
 		enumerator->destroy(enumerator);
 		fprintf(out, "\n");
 		
-		iterator = charon->kernel_interface->create_address_iterator(
-													charon->kernel_interface);
+		enumerator = charon->kernel_interface->create_address_enumerator(
+								charon->kernel_interface, FALSE, FALSE);
 		fprintf(out, "Listening IP addresses:\n");
-		while (iterator->iterate(iterator, (void**)&host))
+		while (enumerator->enumerate(enumerator, (void**)&host))
 		{
 			fprintf(out, "  %H\n", host);
 		}
-		iterator->destroy(iterator);
+		enumerator->destroy(enumerator);
 	
 		fprintf(out, "Connections:\n");
 		enumerator = charon->backends->create_peer_cfg_enumerator(charon->backends);
 		while (enumerator->enumerate(enumerator, (void**)&peer_cfg))
 		{
+			void *ptr;
+			certificate_t *cert;
+			auth_item_t item;
+			auth_info_t *auth;
+			enumerator_t *auth_enumerator;
+			identification_t *my_ca = NULL, *other_ca = NULL;
+			identification_t *eap_identity = NULL;
+			u_int32_t *eap_type = NULL;
+			bool ac_groups = FALSE;
+
 			if (peer_cfg->get_ike_version(peer_cfg) != 2 ||
 				(name && !streq(name, peer_cfg->get_name(peer_cfg))))
 			{
 				continue;
 			}
 			
+			/* determine any required CAs, EAP type, EAP identity,
+			 * and the presence of AC groups
+			 */
+			auth = peer_cfg->get_auth(peer_cfg);
+			auth_enumerator = auth->create_item_enumerator(auth);
+			while (auth_enumerator->enumerate(auth_enumerator, &item, &ptr))
+			{
+				switch (item)
+				{
+					case AUTHN_EAP_TYPE:
+						eap_type = (u_int32_t *)ptr;
+						break;
+					case AUTHN_EAP_IDENTITY:
+						eap_identity = (identification_t *)ptr;
+						break;
+					case AUTHN_CA_CERT:
+						cert = (certificate_t *)ptr;
+						my_ca = cert->get_subject(cert);
+						break;
+					case AUTHN_CA_CERT_NAME:
+						my_ca = (identification_t *)ptr;
+						break;
+					case AUTHZ_CA_CERT:
+						cert = (certificate_t *)ptr;
+						other_ca = cert->get_subject(cert);
+						break;
+					case AUTHZ_CA_CERT_NAME:
+						other_ca = (identification_t *)ptr;
+						break;
+					case AUTHZ_AC_GROUP:
+						ac_groups = TRUE;
+						break;
+					default:
+						break;
+				}
+			}
+			auth_enumerator->destroy(auth_enumerator);
+
 			ike_cfg = peer_cfg->get_ike_cfg(peer_cfg);
 			fprintf(out, "%12s:  %s[%D]...%s[%D]\n", peer_cfg->get_name(peer_cfg),
 					ike_cfg->get_my_addr(ike_cfg), peer_cfg->get_my_id(peer_cfg),
 					ike_cfg->get_other_addr(ike_cfg), peer_cfg->get_other_id(peer_cfg));
-			/* TODO: list CAs and groups */
+			if (my_ca || other_ca)
+			{
+				fprintf(out, "%12s:  CAs: ", peer_cfg->get_name(peer_cfg));
+				if (my_ca)
+				{
+					fprintf(out, "\"%D\"...", my_ca);
+				}
+				else
+				{
+					fprintf(out, "%%any...");
+				}
+				if (other_ca)
+				{
+					fprintf(out, "\"%D\"\n", other_ca);
+				}
+				else
+				{
+					fprintf(out, "%%any\n");
+				}
+			}
+
+			if (ac_groups)
+			{
+				bool first = TRUE;
+
+				fprintf(out, "%12s:  groups: ",  peer_cfg->get_name(peer_cfg));
+				auth_enumerator = auth->create_item_enumerator(auth);
+				while (auth_enumerator->enumerate(auth_enumerator, &item, &ptr))
+				{
+					if (item == AUTHZ_AC_GROUP)
+					{
+						identification_t *group = (identification_t *)ptr;
+
+						fprintf(out, "%s%D", first? "":", ", group);
+						first = FALSE;
+					}
+				}
+				auth_enumerator->destroy(auth_enumerator);
+				fprintf(out, "\n");
+			}
+
+			fprintf(out, "%12s:  %N ",  peer_cfg->get_name(peer_cfg),
+					auth_class_names, get_auth_class(peer_cfg));
+			if (eap_type)
+			{
+				fprintf(out, "and %N ", eap_type_names, *eap_type);
+			}
+			fprintf(out, "authentication");
+			if (eap_identity)
+			{
+				fprintf(out, ", EAP identity: '%D'", eap_identity);
+			}
+			dpd = peer_cfg->get_dpd(peer_cfg);
+			if (dpd)
+			{
+				fprintf(out, ", dpddelay=%us", dpd);
+			}
+			fprintf(out, "\n");
+
 			children = peer_cfg->create_child_cfg_enumerator(peer_cfg);
 			while (children->enumerate(children, &child_cfg))
 			{
 				linked_list_t *my_ts, *other_ts;
+
 				my_ts = child_cfg->get_traffic_selectors(child_cfg, TRUE, NULL, NULL);
 				other_ts = child_cfg->get_traffic_selectors(child_cfg, FALSE, NULL, NULL);
-				fprintf(out, "%12s:    %#R=== %#R\n", child_cfg->get_name(child_cfg),
+				fprintf(out, "%12s:    %#R=== %#R", child_cfg->get_name(child_cfg),
 						my_ts, other_ts);
 				my_ts->destroy_offset(my_ts, offsetof(traffic_selector_t, destroy));
 				other_ts->destroy_offset(other_ts, offsetof(traffic_selector_t, destroy));
+
+				if (dpd)
+				{
+					fprintf(out, ", dpdaction=%N", action_names,
+							child_cfg->get_dpd_action(child_cfg));
+				}
+				fprintf(out, "\n");
 			}
 			children->destroy(children);
 		}
@@ -364,6 +506,53 @@ static linked_list_t* create_unique_cert_list(certificate_type_t type)
 	return list;
 }
 
+/**
+ * list all raw public keys
+ */
+static void stroke_list_pubkeys(linked_list_t *list, bool utc, FILE *out)
+{
+	bool first = TRUE;
+
+	enumerator_t *enumerator = list->create_enumerator(list);
+	certificate_t *cert;
+
+	while (enumerator->enumerate(enumerator, (void**)&cert))
+	{
+		public_key_t *public = cert->get_public_key(cert);
+
+		if (public)
+		{
+			private_key_t *private = NULL;
+			identification_t *id, *keyid;
+			
+			if (first)
+			{
+				fprintf(out, "\n");
+				fprintf(out, "List of Raw Public Keys:\n");
+				first = FALSE;
+			}
+			fprintf(out, "\n");
+
+			/* list public key information */
+			id    = public->get_id(public, ID_PUBKEY_SHA1);
+			keyid = public->get_id(public, ID_PUBKEY_INFO_SHA1);
+
+			private = charon->credentials->get_private(
+								charon->credentials, 
+								public->get_type(public), keyid, NULL);
+			fprintf(out, "  pubkey:    %N %d bits%s\n",
+					key_type_names, public->get_type(public),
+					public->get_keysize(public) * 8,
+					private ? ", has private key" : "");
+			fprintf(out, "  keyid:     %D\n", keyid);
+			fprintf(out, "  subjkey:   %D\n", id);
+			DESTROY_IF(private);
+			public->destroy(public);
+		}
+	}
+	enumerator->destroy(enumerator);
+}
+
 /**
  * list all X.509 certificates matching the flags
  */
@@ -648,6 +837,58 @@ static void stroke_list_ocsp(linked_list_t* list, bool utc, FILE *out)
 	enumerator->destroy(enumerator);
 }
 
+/**
+ * List of registered cryptographical algorithms
+ */
+static void list_algs(FILE *out)
+{
+	enumerator_t *enumerator;
+	encryption_algorithm_t encryption;
+	integrity_algorithm_t integrity;
+	hash_algorithm_t hash;
+	pseudo_random_function_t prf;
+	diffie_hellman_group_t group;
+	
+	fprintf(out, "\n");
+	fprintf(out, "List of registered IKEv2 Algorithms:\n");
+	fprintf(out, "\n  encryption: ");
+	enumerator = lib->crypto->create_crypter_enumerator(lib->crypto);
+	while (enumerator->enumerate(enumerator, &encryption))
+	{
+		fprintf(out, "%N ", encryption_algorithm_names, encryption);
+	}
+	enumerator->destroy(enumerator);
+	fprintf(out, "\n  integrity:  ");
+	enumerator = lib->crypto->create_signer_enumerator(lib->crypto);
+	while (enumerator->enumerate(enumerator, &integrity))
+	{
+		fprintf(out, "%N ", integrity_algorithm_names, integrity);
+	}
+	enumerator->destroy(enumerator);
+	fprintf(out, "\n  hasher:     ");
+	enumerator = lib->crypto->create_hasher_enumerator(lib->crypto);
+	while (enumerator->enumerate(enumerator, &hash))
+	{
+		fprintf(out, "%N ", hash_algorithm_names, hash);
+	}
+	enumerator->destroy(enumerator);
+	fprintf(out, "\n  prf:        ");
+	enumerator = lib->crypto->create_prf_enumerator(lib->crypto);
+	while (enumerator->enumerate(enumerator, &prf))
+	{
+		fprintf(out, "%N ", pseudo_random_function_names, prf);
+	}
+	enumerator->destroy(enumerator);
+	fprintf(out, "\n  dh-group:   ");
+	enumerator = lib->crypto->create_dh_enumerator(lib->crypto);
+	while (enumerator->enumerate(enumerator, &group))
+	{
+		fprintf(out, "%N ", diffie_hellman_group_names, group);
+	}
+	enumerator->destroy(enumerator);
+	fprintf(out, "\n");
+}
+
 /**
  * Implementation of stroke_list_t.list.
  */
@@ -655,6 +896,13 @@ static void list(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out)
 {
 	linked_list_t *cert_list = NULL;
 
+	if (msg->list.flags & LIST_PUBKEYS)
+	{
+		linked_list_t *pubkey_list = create_unique_cert_list(CERT_TRUSTED_PUBKEY);
+
+		stroke_list_pubkeys(pubkey_list, msg->list.utc, out);
+		pubkey_list->destroy_offset(pubkey_list, offsetof(certificate_t, destroy)); 
+	}
 	if (msg->list.flags & (LIST_CERTS | LIST_CACERTS | LIST_OCSPCERTS | LIST_AACERTS))
 	{
 		cert_list = create_unique_cert_list(CERT_X509);
@@ -698,8 +946,13 @@ static void list(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out)
 		linked_list_t *ocsp_list = create_unique_cert_list(CERT_X509_OCSP_RESPONSE);
 
 		stroke_list_ocsp(ocsp_list, msg->list.utc, out);
+		
 		ocsp_list->destroy_offset(ocsp_list, offsetof(certificate_t, destroy)); 
 	}
+	if (msg->list.flags & LIST_ALGS)
+	{
+		list_algs(out);
+	}
 	DESTROY_OFFSET_IF(cert_list, offsetof(certificate_t, destroy));
 }
 
diff --git a/src/charon/plugins/stroke/stroke_socket.c b/src/charon/plugins/stroke/stroke_socket.c
index 92e295a0c..175322aa8 100644
--- a/src/charon/plugins/stroke/stroke_socket.c
+++ b/src/charon/plugins/stroke/stroke_socket.c
@@ -169,10 +169,12 @@ static void stroke_add_conn(private_stroke_socket_t *this, stroke_msg_t *msg)
 	DBG2(DBG_CFG, "conn %s", msg->add_conn.name);
 	pop_end(msg, "left", &msg->add_conn.me);
 	pop_end(msg, "right", &msg->add_conn.other);
+	pop_string(msg, &msg->add_conn.eap_identity);
 	pop_string(msg, &msg->add_conn.algorithms.ike);
 	pop_string(msg, &msg->add_conn.algorithms.esp);
 	pop_string(msg, &msg->add_conn.ikeme.mediated_by);
 	pop_string(msg, &msg->add_conn.ikeme.peerid);
+	DBG2(DBG_CFG, "  eap_identity=%s", msg->add_conn.eap_identity);
 	DBG2(DBG_CFG, "  ike=%s", msg->add_conn.algorithms.ike);
 	DBG2(DBG_CFG, "  esp=%s", msg->add_conn.algorithms.esp);
 	DBG2(DBG_CFG, "  mediation=%s", msg->add_conn.ikeme.mediation ? "yes" : "no");
@@ -215,6 +217,20 @@ static void stroke_terminate(private_stroke_socket_t *this, stroke_msg_t *msg, F
 	DBG1(DBG_CFG, "received stroke: terminate '%s'", msg->terminate.name);
 
 	this->control->terminate(this->control, msg, out);
+}	
+
+/**
+ * terminate a connection by peers virtual IP
+ */
+static void stroke_terminate_srcip(private_stroke_socket_t *this,
+								   stroke_msg_t *msg, FILE *out)
+{
+	pop_string(msg, &msg->terminate_srcip.start);
+	pop_string(msg, &msg->terminate_srcip.end);
+	DBG1(DBG_CFG, "received stroke: terminate-srcip %s-%s",
+		 msg->terminate_srcip.start, msg->terminate_srcip.end);
+
+	this->control->terminate_srcip(this->control, msg, out);
 }
 
 /**
@@ -430,6 +446,9 @@ static job_requeue_t process(stroke_job_context_t *ctx)
 		case STR_TERMINATE:
 			stroke_terminate(this, msg, out);
 			break;
+		case STR_TERMINATE_SRCIP:
+			stroke_terminate_srcip(this, msg, out);
+			break;
 		case STR_STATUS:
 			stroke_status(this, msg, out, FALSE);
 			break;
@@ -537,7 +556,7 @@ static bool open_socket(private_stroke_socket_t *this)
 			 strerror(errno));
 	}
 	
-	if (listen(this->socket, 0) < 0)
+	if (listen(this->socket, 10) < 0)
 	{
 		DBG1(DBG_CFG, "could not listen on stroke socket: %s", strerror(errno));
 		close(this->socket);
diff --git a/src/charon/plugins/uci/Makefile.am b/src/charon/plugins/uci/Makefile.am
index 47a55ae17..0136bf5e9 100644
--- a/src/charon/plugins/uci/Makefile.am
+++ b/src/charon/plugins/uci/Makefile.am
@@ -6,7 +6,8 @@ AM_CFLAGS = -rdynamic
 plugin_LTLIBRARIES = libstrongswan-uci.la
 libstrongswan_uci_la_SOURCES = \
   uci_plugin.h uci_plugin.c uci_parser.h uci_parser.c \
-  uci_config.h uci_config.c uci_creds.h uci_creds.c
+  uci_config.h uci_config.c uci_creds.h uci_creds.c \
+  uci_control.h uci_control.c
 libstrongswan_uci_la_LDFLAGS = -module
 libstrongswan_uci_la_LIBADD = -luci
 
diff --git a/src/charon/plugins/uci/Makefile.in b/src/charon/plugins/uci/Makefile.in
index 297f25768..17a1212f3 100644
--- a/src/charon/plugins/uci/Makefile.in
+++ b/src/charon/plugins/uci/Makefile.in
@@ -51,7 +51,7 @@ pluginLTLIBRARIES_INSTALL = $(INSTALL)
 LTLIBRARIES = $(plugin_LTLIBRARIES)
 libstrongswan_uci_la_DEPENDENCIES =
 am_libstrongswan_uci_la_OBJECTS = uci_plugin.lo uci_parser.lo \
-	uci_config.lo uci_creds.lo
+	uci_config.lo uci_creds.lo uci_control.lo
 libstrongswan_uci_la_OBJECTS = $(am_libstrongswan_uci_la_OBJECTS)
 libstrongswan_uci_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
 	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
@@ -188,6 +188,8 @@ localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
@@ -212,7 +214,8 @@ AM_CFLAGS = -rdynamic
 plugin_LTLIBRARIES = libstrongswan-uci.la
 libstrongswan_uci_la_SOURCES = \
   uci_plugin.h uci_plugin.c uci_parser.h uci_parser.c \
-  uci_config.h uci_config.c uci_creds.h uci_creds.c
+  uci_config.h uci_config.c uci_creds.h uci_creds.c \
+  uci_control.h uci_control.c
 
 libstrongswan_uci_la_LDFLAGS = -module
 libstrongswan_uci_la_LIBADD = -luci
@@ -286,6 +289,7 @@ distclean-compile:
 	-rm -f *.tab.c
 
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/uci_config.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/uci_control.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/uci_creds.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/uci_parser.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/uci_plugin.Plo@am__quote@
diff --git a/src/charon/plugins/uci/uci_config.c b/src/charon/plugins/uci/uci_config.c
index cc44eaa9b..c9d54a532 100644
--- a/src/charon/plugins/uci/uci_config.c
+++ b/src/charon/plugins/uci/uci_config.c
@@ -163,6 +163,8 @@ static bool peer_enumerator_enumerate(peer_enumerator_t *this, peer_cfg_t **cfg)
 	char *remote_id, *remote_addr, *remote_net;
 	child_cfg_t *child_cfg;
 	ike_cfg_t *ike_cfg;
+	auth_info_t *auth;
+	auth_class_t class;
 	
 	/* defaults */
 	name = "unnamed";
@@ -186,13 +188,15 @@ static bool peer_enumerator_enumerate(peer_enumerator_t *this, peer_cfg_t **cfg)
 		ike_cfg->add_proposal(ike_cfg, create_proposal(ike_proposal, PROTO_IKE));
 		this->peer_cfg = peer_cfg_create(
 					name, 2, ike_cfg, create_id(local_id), create_id(remote_id),
-					CERT_SEND_IF_ASKED, UNIQUE_NO, CONF_AUTH_PSK,
-					0, 0, 							/* EAP method, vendor */
+					CERT_SEND_IF_ASKED, UNIQUE_NO,
 					1, create_rekey(ike_rekey), 0,  /* keytries, rekey, reauth */
 					1800, 900,						/* jitter, overtime */
 					TRUE, 60, 						/* mobike, dpddelay */
 					NULL, NULL, 					/* vip, pool */
 					FALSE, NULL, NULL); 			/* mediation, med by, peer id */
+		auth = this->peer_cfg->get_auth(this->peer_cfg);
+		class = AUTH_CLASS_PSK;
+		auth->add_item(auth, AUTHN_AUTH_CLASS, &class);
 		child_cfg = child_cfg_create(name,
 					create_rekey(esp_rekey) + 300, create_rekey(ike_rekey), 300,
 					NULL, TRUE,	MODE_TUNNEL, ACTION_NONE, ACTION_NONE, FALSE);
@@ -352,9 +356,8 @@ uci_config_t *uci_config_create(uci_parser_t *parser)
 	this->public.backend.create_ike_cfg_enumerator = (enumerator_t*(*)(backend_t*, host_t *me, host_t *other))create_ike_cfg_enumerator;
 	this->public.backend.get_peer_cfg_by_name = (peer_cfg_t* (*)(backend_t*,char*))get_peer_cfg_by_name;
 	this->public.destroy = (void(*)(uci_config_t*))destroy;
-	
 	this->parser = parser;
-	
+
 	return &this->public;
 }
 
diff --git a/src/charon/plugins/uci/uci_control.c b/src/charon/plugins/uci/uci_control.c
new file mode 100644
index 000000000..2ffdd2b7b
--- /dev/null
+++ b/src/charon/plugins/uci/uci_control.c
@@ -0,0 +1,301 @@
+/*
+ * Copyright (C) 2008 Thomas Kallenberg
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+#define _GNU_SOURCE
+#include <string.h>
+#include <stdio.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <errno.h>
+#include <pthread.h>
+
+#include "uci_control.h"
+
+#include <daemon.h>
+#include <processing/jobs/callback_job.h>
+
+#define FIFO_FILE "/var/run/charon.fifo"
+
+
+typedef struct private_uci_control_t private_uci_control_t;
+
+/**
+ * private data of uci_control_t
+ */
+struct private_uci_control_t {
+
+	/**
+ 	 * Public part
+ 	 */
+	uci_control_t public;
+
+	/**
+ 	 * Job 
+ 	 */
+	callback_job_t *job;
+};
+
+/**
+ * write answer to fifo
+ */
+static void write_fifo(private_uci_control_t *this, char *format, ...)
+{
+	va_list args;
+	FILE *out;
+	
+	out = fopen(FIFO_FILE, "w");
+	if (out)
+	{
+		va_start(args, format);
+		vfprintf(out, format, args);
+		va_end(args);
+		fclose(out);
+	}
+	else
+	{
+		DBG1(DBG_CFG, "writing to UCI fifo failed: %s", strerror(errno));
+	}
+}
+
+/**
+ * print IKE_SA status information
+ */
+static void status(private_uci_control_t *this, char *name)
+{
+	enumerator_t *configs, *sas;
+	iterator_t *children;
+	ike_sa_t *ike_sa;
+	child_sa_t *child_sa;
+	peer_cfg_t *peer_cfg;
+	char buf[2048];
+	FILE *out = NULL;
+	
+    configs = charon->backends->create_peer_cfg_enumerator(charon->backends);
+    while (configs->enumerate(configs, &peer_cfg))
+    {
+    	if (name && !streq(name, peer_cfg->get_name(peer_cfg)))
+    	{
+    		continue;
+    	}
+		sas = charon->controller->create_ike_sa_enumerator(charon->controller);
+		while (sas->enumerate(sas, &ike_sa))
+		{
+			if (!streq(ike_sa->get_name(ike_sa), peer_cfg->get_name(peer_cfg)))
+			{
+				continue;
+			}
+			if (!out)
+			{
+				out = fmemopen(buf, sizeof(buf), "w");
+				if (!out)
+				{
+					continue;
+				}
+			}
+	    	fprintf(out, "%-8s %-20D %-16H ", ike_sa->get_name(ike_sa),
+	    		ike_sa->get_other_id(ike_sa), ike_sa->get_other_host(ike_sa));
+	    	
+			children = ike_sa->create_child_sa_iterator(ike_sa);
+			while (children->iterate(children, (void**)&child_sa))
+			{
+				fprintf(out, "%#R",
+						child_sa->get_traffic_selectors(child_sa, FALSE));
+			}
+			children->destroy(children);
+	    	fprintf(out, "\n");
+		}
+		sas->destroy(sas);
+	}
+	configs->destroy(configs);
+	if (out)
+	{
+		fclose(out);
+		write_fifo(this, "%s", buf);
+	}
+	else
+	{
+		write_fifo(this, "");
+	}
+}
+
+/**
+ * Initiate an IKE_SA
+ */
+static void initiate(private_uci_control_t *this, char *name)
+{
+	peer_cfg_t *peer_cfg;
+	child_cfg_t *child_cfg;
+	enumerator_t *enumerator;
+
+	peer_cfg = charon->backends->get_peer_cfg_by_name(charon->backends, name);
+	if (peer_cfg)
+	{
+		enumerator = peer_cfg->create_child_cfg_enumerator(peer_cfg);
+		if (enumerator->enumerate(enumerator, &child_cfg) &&
+			charon->controller->initiate(charon->controller, peer_cfg,
+										 child_cfg->get_ref(child_cfg),
+										 controller_cb_empty, NULL) == SUCCESS)
+		{
+			write_fifo(this, "connection '%s' established\n", name);
+		}
+		else
+		{
+			write_fifo(this, "establishing connection '%s' failed\n", name);
+		}
+		enumerator->destroy(enumerator);
+	}
+	else
+	{
+		write_fifo(this, "no connection named '%s' found\n", name);
+	}
+}
+
+/**
+ * terminate an IKE_SA
+ */
+static void terminate(private_uci_control_t *this, char *name)
+{
+	enumerator_t *enumerator;
+	ike_sa_t *ike_sa;
+	u_int id;
+
+	enumerator = charon->controller->create_ike_sa_enumerator(charon->controller);
+	while (enumerator->enumerate(enumerator, &ike_sa))
+	{
+		if (streq(name, ike_sa->get_name(ike_sa)))
+		{
+			id = ike_sa->get_unique_id(ike_sa);
+			enumerator->destroy(enumerator);
+			charon->controller->terminate_ike(charon->controller, id,
+											  controller_cb_empty, NULL);
+			write_fifo(this, "connection '%s' terminated\n", name);
+			return;
+		}
+	}
+	enumerator->destroy(enumerator);
+	write_fifo(this, "no active connection named '%s'\n", name);
+}
+
+/**
+ * dispatch control request
+ */
+static void process(private_uci_control_t *this, char *message)
+{
+	enumerator_t* enumerator;
+	
+	enumerator = enumerator_create_token(message, " \n", "");
+	if (enumerator->enumerate(enumerator, &message))
+	{
+		if (streq(message, "status"))
+		{
+			if (enumerator->enumerate(enumerator, &message))
+			{
+				status(this, message);
+			}
+			else
+			{
+				status(this, NULL);
+			}
+		}
+		else if (streq(message, "up") &&
+				 enumerator->enumerate(enumerator, &message))
+		{
+			initiate(this, message);
+		}
+		else if (streq(message, "down") && 
+				 enumerator->enumerate(enumerator, &message))
+		{
+			terminate(this, message);
+		}
+		else
+		{
+			write_fifo(this, "usage: status [<name>] | up <name> | down <name>\n"
+					   "  status format: name peer-id peer-addr tunnel(s)\n");
+		}
+	}
+	enumerator->destroy(enumerator);
+}
+
+/**
+ * read from fifo
+ */
+static job_requeue_t receive(private_uci_control_t *this)
+{
+	char message[128];
+	int oldstate, len;
+	FILE *in;
+
+	memset(message, 0, sizeof(message));
+	pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
+	in = fopen(FIFO_FILE, "r");
+	pthread_setcancelstate(oldstate, NULL);
+	if (in)
+	{
+		len = fread(message, 1, sizeof(message) - 1, in);
+		fclose(in);
+		if (len > 0)
+		{
+			process(this, message);
+		}
+		else
+		{
+			DBG1(DBG_DMN, "reading from UCI fifo failed: %s", strerror(errno));
+		}
+	}
+	else
+	{
+		DBG1(DBG_DMN, "opening UCI fifo failed: %s", strerror(errno));
+	}
+	return JOB_REQUEUE_FAIR;
+}
+
+/**
+ * Implementation of uci_control_t.destroy
+ */
+static void destroy(private_uci_control_t *this)
+{
+	this->job->cancel(this->job);
+	unlink(FIFO_FILE);
+	free(this);
+}
+
+/**
+ * Described in header.
+ */
+uci_control_t *uci_control_create()
+{
+	private_uci_control_t *this = malloc_thing(private_uci_control_t);
+
+	this->public.destroy = (void(*)(uci_control_t*))destroy;
+
+	unlink(FIFO_FILE);
+	if (mkfifo(FIFO_FILE, S_IRUSR|S_IWUSR) != 0)
+	{
+		DBG1(DBG_CFG, "creating UCI control fifo '%s' failed: %s",
+			 FIFO_FILE, strerror(errno));
+	}
+	else
+	{
+		this->job = callback_job_create((callback_job_cb_t)receive,
+										this, NULL, NULL);
+		charon->processor->queue_job(charon->processor, (job_t*)this->job);
+	}
+	return &this->public;
+}
+
diff --git a/src/charon/plugins/uci/uci_control.h b/src/charon/plugins/uci/uci_control.h
new file mode 100644
index 000000000..774c42661
--- /dev/null
+++ b/src/charon/plugins/uci/uci_control.h
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) 2008 Thomas Kallenberg
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+/**
+ * @defgroup uci_control_t uci_control
+ * @{ @ingroup uci
+ */
+
+#ifndef UCI_CONTROL_H_
+#define UCI_CONTROL_H_
+
+typedef struct uci_control_t uci_control_t;
+
+struct uci_control_t {
+
+	/**
+ 	 * Destroy the controller
+ 	 */
+
+	void (*destroy)(uci_control_t *this);
+};
+
+/**
+ * Create a UCI based configuration backend.
+ */
+
+uci_control_t *uci_control_create();
+
+#endif /*UCI_CONTROL_H_@}*/
diff --git a/src/charon/plugins/uci/uci_parser.c b/src/charon/plugins/uci/uci_parser.c
index 796d2993a..8f4acb938 100644
--- a/src/charon/plugins/uci/uci_parser.c
+++ b/src/charon/plugins/uci/uci_parser.c
@@ -76,11 +76,18 @@ static bool section_enumerator_enumerate(section_enumerator_t *this, ...)
 	
 	va_start(args, this);
 
-	/* name is first parameter */	
 	value = va_arg(args, char**);
 	if (value)
 	{
-		*value = uci_to_section(this->current)->type;
+		if (uci_lookup(this->ctx, &element, this->package,
+					   this->current->name, "name") == UCI_OK)
+		{	/* use "name" attribute as config name if available ... */
+			*value = uci_to_option(element)->value;
+		}
+		else
+		{	/* ... or the section name becomes config name */
+			*value = uci_to_section(this->current)->type;
+		}
 	}
 	
 	/* followed by keyword parameters */
diff --git a/src/charon/plugins/uci/uci_plugin.c b/src/charon/plugins/uci/uci_plugin.c
index 918523826..fd84b224c 100644
--- a/src/charon/plugins/uci/uci_plugin.c
+++ b/src/charon/plugins/uci/uci_plugin.c
@@ -18,6 +18,7 @@
 #include "uci_plugin.h"
 #include "uci_config.h"
 #include "uci_creds.h"
+#include "uci_control.h"
 
 #include <daemon.h>
 
@@ -52,6 +53,11 @@ struct private_uci_plugin_t {
 	 * UCI parser wrapper
 	 */
 	uci_parser_t *parser;
+
+	/**
+	 * UCI control interface
+	 */
+	uci_control_t *control;
 };
 
 /**
@@ -64,6 +70,7 @@ static void destroy(private_uci_plugin_t *this)
 	this->config->destroy(this->config);
 	this->creds->destroy(this->creds);
 	this->parser->destroy(this->parser);
+	this->control->destroy(this->control);
 	free(this);
 }
 
@@ -75,10 +82,11 @@ plugin_t *plugin_create()
 	private_uci_plugin_t *this = malloc_thing(private_uci_plugin_t);
 	
 	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-
+	
 	this->parser = uci_parser_create(UCI_PACKAGE);
 	this->config = uci_config_create(this->parser);
 	this->creds = uci_creds_create(this->parser);
+	this->control = uci_control_create();
 	charon->backends->add_backend(charon->backends, &this->config->backend);
 	charon->credentials->add_set(charon->credentials, &this->creds->credential_set);
 	
diff --git a/src/charon/plugins/unit_tester/Makefile.am b/src/charon/plugins/unit_tester/Makefile.am
index 2487cf207..238e5a1dc 100644
--- a/src/charon/plugins/unit_tester/Makefile.am
+++ b/src/charon/plugins/unit_tester/Makefile.am
@@ -5,7 +5,7 @@ AM_CFLAGS = -rdynamic
 
 plugin_LTLIBRARIES = libstrongswan-unit-tester.la
 
-libstrongswan_unit_tester_la_SOURCES = unit_tester.c unit_tester.h \
+libstrongswan_unit_tester_la_SOURCES = unit_tester.c unit_tester.h tests.h \
   tests/test_enumerator.c \
   tests/test_auth_info.c \
   tests/test_fips_prf.c \
@@ -16,6 +16,9 @@ libstrongswan_unit_tester_la_SOURCES = unit_tester.c unit_tester.h \
   tests/test_rsa_gen.c \
   tests/test_med_db.c \
   tests/test_aes.c \
-  tests/test_chunk.c
+  tests/test_chunk.c \
+  tests/test_pool.c \
+  tests/test_agent.c
+
 libstrongswan_unit_tester_la_LDFLAGS = -module
 
diff --git a/src/charon/plugins/unit_tester/Makefile.in b/src/charon/plugins/unit_tester/Makefile.in
index fe5dfa6cf..837dcd73c 100644
--- a/src/charon/plugins/unit_tester/Makefile.in
+++ b/src/charon/plugins/unit_tester/Makefile.in
@@ -53,7 +53,8 @@ libstrongswan_unit_tester_la_LIBADD =
 am_libstrongswan_unit_tester_la_OBJECTS = unit_tester.lo \
 	test_enumerator.lo test_auth_info.lo test_fips_prf.lo \
 	test_curl.lo test_mysql.lo test_sqlite.lo test_mutex.lo \
-	test_rsa_gen.lo test_med_db.lo test_aes.lo test_chunk.lo
+	test_rsa_gen.lo test_med_db.lo test_aes.lo test_chunk.lo \
+	test_pool.lo test_agent.lo
 libstrongswan_unit_tester_la_OBJECTS =  \
 	$(am_libstrongswan_unit_tester_la_OBJECTS)
 libstrongswan_unit_tester_la_LINK = $(LIBTOOL) --tag=CC \
@@ -192,6 +193,8 @@ localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
@@ -214,7 +217,7 @@ xml_LIBS = @xml_LIBS@
 INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
 AM_CFLAGS = -rdynamic
 plugin_LTLIBRARIES = libstrongswan-unit-tester.la
-libstrongswan_unit_tester_la_SOURCES = unit_tester.c unit_tester.h \
+libstrongswan_unit_tester_la_SOURCES = unit_tester.c unit_tester.h tests.h \
   tests/test_enumerator.c \
   tests/test_auth_info.c \
   tests/test_fips_prf.c \
@@ -225,7 +228,9 @@ libstrongswan_unit_tester_la_SOURCES = unit_tester.c unit_tester.h \
   tests/test_rsa_gen.c \
   tests/test_med_db.c \
   tests/test_aes.c \
-  tests/test_chunk.c
+  tests/test_chunk.c \
+  tests/test_pool.c \
+  tests/test_agent.c
 
 libstrongswan_unit_tester_la_LDFLAGS = -module
 all: all-am
@@ -298,6 +303,7 @@ distclean-compile:
 	-rm -f *.tab.c
 
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_aes.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_agent.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_auth_info.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_chunk.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_curl.Plo@am__quote@
@@ -306,6 +312,7 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_med_db.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_mutex.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_mysql.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_pool.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_rsa_gen.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_sqlite.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/unit_tester.Plo@am__quote@
@@ -408,6 +415,20 @@ test_chunk.lo: tests/test_chunk.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_chunk.lo `test -f 'tests/test_chunk.c' || echo '$(srcdir)/'`tests/test_chunk.c
 
+test_pool.lo: tests/test_pool.c
+@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_pool.lo -MD -MP -MF $(DEPDIR)/test_pool.Tpo -c -o test_pool.lo `test -f 'tests/test_pool.c' || echo '$(srcdir)/'`tests/test_pool.c
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/test_pool.Tpo $(DEPDIR)/test_pool.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tests/test_pool.c' object='test_pool.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_pool.lo `test -f 'tests/test_pool.c' || echo '$(srcdir)/'`tests/test_pool.c
+
+test_agent.lo: tests/test_agent.c
+@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_agent.lo -MD -MP -MF $(DEPDIR)/test_agent.Tpo -c -o test_agent.lo `test -f 'tests/test_agent.c' || echo '$(srcdir)/'`tests/test_agent.c
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/test_agent.Tpo $(DEPDIR)/test_agent.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tests/test_agent.c' object='test_agent.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_agent.lo `test -f 'tests/test_agent.c' || echo '$(srcdir)/'`tests/test_agent.c
+
 mostlyclean-libtool:
 	-rm -f *.lo
 
diff --git a/src/charon/plugins/unit_tester/tests.h b/src/charon/plugins/unit_tester/tests.h
new file mode 100644
index 000000000..058d1987d
--- /dev/null
+++ b/src/charon/plugins/unit_tester/tests.h
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id: tests.h 4317 2008-09-02 11:00:13Z martin $
+ */
+
+/**
+ * @defgroup tests tests 
+ * @{ @ingroup unit_tester
+ */
+
+DEFINE_TEST("linked_list_t->remove()", test_list_remove, FALSE)
+DEFINE_TEST("simple enumerator", test_enumerate, FALSE)
+DEFINE_TEST("nested enumerator", test_enumerate_nested, FALSE)
+DEFINE_TEST("filtered enumerator", test_enumerate_filtered, FALSE)
+DEFINE_TEST("token enumerator", test_enumerate_token, FALSE)
+DEFINE_TEST("auth info", test_auth_info, FALSE)
+DEFINE_TEST("FIPS PRF", fips_prf_test, FALSE)
+DEFINE_TEST("CURL get", test_curl_get, FALSE)
+DEFINE_TEST("MySQL operations", test_mysql, FALSE)
+DEFINE_TEST("SQLite operations", test_sqlite, FALSE)
+DEFINE_TEST("mutex primitive", test_mutex, FALSE)
+DEFINE_TEST("RSA key generation", test_rsa_gen, FALSE)
+DEFINE_TEST("RSA subjectPublicKeyInfo loading", test_rsa_load_any, FALSE)
+DEFINE_TEST("Mediation database key fetch", test_med_db, FALSE)
+DEFINE_TEST("AES-128 encryption", test_aes128, FALSE)
+DEFINE_TEST("AES-XCBC", test_aes_xcbc, FALSE)
+DEFINE_TEST("Base64 converter", test_chunk_base64, FALSE)
+DEFINE_TEST("IP pool", test_pool, FALSE)
+DEFINE_TEST("SSH agent", test_agent, TRUE)
diff --git a/src/charon/plugins/unit_tester/tests/test_agent.c b/src/charon/plugins/unit_tester/tests/test_agent.c
new file mode 100644
index 000000000..fd76b9cf5
--- /dev/null
+++ b/src/charon/plugins/unit_tester/tests/test_agent.c
@@ -0,0 +1,67 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <library.h>
+#include <daemon.h>
+
+/*******************************************************************************
+ * SSH agent signature creation and verification
+ ******************************************************************************/
+bool test_agent()
+{
+	char *path, buf[] = {0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08};
+	chunk_t sig, data = chunk_from_buf(buf);
+	private_key_t *private;
+	public_key_t *public;
+	
+	path = getenv("SSH_AUTH_SOCK");
+	if (!path)
+	{
+		DBG1(DBG_CFG, "ssh-agent not found.");
+		return FALSE;
+	}
+	
+	private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+								 BUILD_AGENT_SOCKET, path, BUILD_END);
+	if (!private)
+	{
+		return FALSE;
+	}
+	if (!private->sign(private, SIGN_RSA_EMSA_PKCS1_SHA1, data, &sig))
+	{
+		return FALSE;
+	}
+	public = private->get_public_key(private);
+	if (!public)
+	{
+		return FALSE;;
+	}
+	if (!public->verify(public, SIGN_RSA_EMSA_PKCS1_SHA1, data, sig))
+	{
+		return FALSE;
+	}
+	free(sig.ptr);
+	buf[1] = 0x01; /* fake it */
+	if (public->verify(public, SIGN_RSA_EMSA_PKCS1_SHA1, data, sig))
+	{
+		return FALSE;
+	}
+	
+	private->destroy(private);
+	public->destroy(public);
+	
+	return TRUE;
+}
+
diff --git a/src/charon/plugins/unit_tester/tests/test_auth_info.c b/src/charon/plugins/unit_tester/tests/test_auth_info.c
index 2640c951c..1719190b1 100644
--- a/src/charon/plugins/unit_tester/tests/test_auth_info.c
+++ b/src/charon/plugins/unit_tester/tests/test_auth_info.c
@@ -85,7 +85,7 @@ bool test_auth_info()
 	auth_item_t type;
 	
 	c1 = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
-							BUILD_BLOB_ASN1_DER, chunk_clone(certchunk),
+							BUILD_BLOB_ASN1_DER, certchunk,
 							BUILD_END);
 	if (!c1)
 	{
diff --git a/src/charon/plugins/unit_tester/tests/test_chunk.c b/src/charon/plugins/unit_tester/tests/test_chunk.c
index e7a8586c9..5356c1d96 100644
--- a/src/charon/plugins/unit_tester/tests/test_chunk.c
+++ b/src/charon/plugins/unit_tester/tests/test_chunk.c
@@ -16,8 +16,6 @@
 #include <library.h>
 #include <daemon.h>
 
-#define countof(array) (sizeof(array)/sizeof(typeof(array[0])))
-
 /*******************************************************************************
  * Base64 encoding/decoding test
  ******************************************************************************/
diff --git a/src/charon/plugins/unit_tester/tests/test_enumerator.c b/src/charon/plugins/unit_tester/tests/test_enumerator.c
index d17d62bef..a7f3dd822 100644
--- a/src/charon/plugins/unit_tester/tests/test_enumerator.c
+++ b/src/charon/plugins/unit_tester/tests/test_enumerator.c
@@ -212,3 +212,53 @@ bool test_enumerate_filtered()
 	list->destroy(list);
 	return !bad_data;
 }
+
+/*******************************************************************************
+ * token parser test
+ ******************************************************************************/
+ 
+bool test_enumerate_token()
+{
+	enumerator_t *enumerator;
+	char *token;
+	int i, num;
+	struct {
+		char *string;
+		char *sep;
+		char *trim;
+	} tests[] = {
+		{"abc, cde, efg", ",", " "},
+		{" abc 1:2 cde;3  4efg5.  ", ":;.,", " 12345"},
+		{"abc.cde,efg", ",.", ""},
+		{"  abc   cde  efg  ", " ", " "},
+	};
+	
+	for (num = 0; num < countof(tests); num++)
+	{
+		i = 0;
+		enumerator = enumerator_create_token(
+							tests[num].string, tests[num].sep, tests[num].trim);
+		while (enumerator->enumerate(enumerator, &token))
+		{
+			switch (i)
+			{
+				case 0:
+					if (!streq(token, "abc")) return FALSE;
+					break;
+				case 1:
+					if (!streq(token, "cde")) return FALSE;
+					break;
+				case 2:
+					if (!streq(token, "efg")) return FALSE;
+					break;
+				default:
+					return FALSE;
+			}
+			i++;
+		}
+		enumerator->destroy(enumerator);
+	}
+
+	return TRUE;
+}
+
diff --git a/src/charon/plugins/unit_tester/tests/test_pool.c b/src/charon/plugins/unit_tester/tests/test_pool.c
new file mode 100644
index 000000000..5d5295bea
--- /dev/null
+++ b/src/charon/plugins/unit_tester/tests/test_pool.c
@@ -0,0 +1,102 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <sys/time.h>
+#include <time.h>
+
+#include <library.h>
+#include <daemon.h>
+
+#define ALLOCS 1000
+#define THREADS 20
+
+static void* testing(void *thread)
+{
+	int i;	
+	auth_info_t *auth;
+	host_t *addr[ALLOCS];
+	identification_t *id[ALLOCS];
+	
+	
+	auth = auth_info_create();
+	
+	/* prepare identities */
+	for (i = 0; i < ALLOCS; i++)
+	{
+		char buf[256];
+		
+		snprintf(buf, sizeof(buf), "%d-%d@strongswan.org", (int)thread, i);
+		id[i] = identification_create_from_string(buf);
+		if (!id[i])
+		{
+			return (void*)FALSE;
+		}
+	}
+	
+	/* allocate addresses */
+	for (i = 0; i < ALLOCS; i++)
+	{
+		addr[i] = charon->attributes->acquire_address(charon->attributes, 
+													  "test", id[i], auth, NULL);
+		if (!addr[i])
+		{
+			return (void*)FALSE;
+		}
+	}
+	
+	/* release addresses */
+	for (i = 0; i < ALLOCS; i++)
+	{
+		charon->attributes->release_address(charon->attributes, "test", addr[i]);
+	}
+	
+	/* cleanup */
+	for (i = 0; i < ALLOCS; i++)
+	{
+		addr[i]->destroy(addr[i]);
+		id[i]->destroy(id[i]);
+	}
+	auth->destroy(auth);
+	return (void*)TRUE;
+}
+
+
+/*******************************************************************************
+ * SQL pool performance test
+ ******************************************************************************/
+bool test_pool()
+{
+	int i;
+	void *res;
+	pthread_t thread[THREADS];
+	
+	for (i = 0; i < THREADS; i++)
+	{
+		if (pthread_create(&thread[i], NULL, (void*)testing, (void*)i) < 0)
+		{
+			return FALSE;
+		}
+	}
+	for (i = 0; i < THREADS; i++)
+	{
+		pthread_join(thread[i], &res);
+		if (res == NULL)
+		{
+			return FALSE;
+		}
+	}
+	return TRUE;
+}
+
diff --git a/src/charon/plugins/unit_tester/tests/test_rsa_gen.c b/src/charon/plugins/unit_tester/tests/test_rsa_gen.c
index 783a4c913..f13bb5bbf 100644
--- a/src/charon/plugins/unit_tester/tests/test_rsa_gen.c
+++ b/src/charon/plugins/unit_tester/tests/test_rsa_gen.c
@@ -97,7 +97,7 @@ bool test_rsa_load_any()
 	public_key_t *public;
 	
 	public = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ANY,
-								BUILD_BLOB_ASN1_DER, chunk_clone(chunk),
+								BUILD_BLOB_ASN1_DER, chunk,
 								BUILD_END);
 	if (!public || public->get_keysize(public) != 256)
 	{
diff --git a/src/charon/processing/jobs/initiate_mediation_job.c b/src/charon/processing/jobs/initiate_mediation_job.c
index de97daafa..ee9644045 100644
--- a/src/charon/processing/jobs/initiate_mediation_job.c
+++ b/src/charon/processing/jobs/initiate_mediation_job.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: initiate_mediation_job.c 3792 2008-04-10 12:51:04Z tobias $
+ * $Id: initiate_mediation_job.c 4192 2008-07-18 15:51:40Z martin $
  */
 
 #include "initiate_mediation_job.h"
@@ -56,10 +56,11 @@ static void destroy(private_initiate_mediation_job_t *this)
 /**
  * Callback to handle initiation of mediation connection
  */
-static bool initiate_callback(private_initiate_mediation_job_t *this, signal_t signal, level_t level,
-					 ike_sa_t *ike_sa, char *format, va_list args)
+static bool initiate_callback(private_initiate_mediation_job_t *this,
+							  signal_t signal, level_t level, ike_sa_t *ike_sa,
+							  void *data, char *format, va_list args)
 {
-	if (signal == CHILD_UP_SUCCESS)
+	if (signal == CHD_UP_SUCCESS)
 	{
 		/* mediation connection is up */
 		this->mediation_sa_id = ike_sa->get_id(ike_sa);
@@ -119,7 +120,7 @@ static void initiate(private_initiate_mediation_job_t *this)
 			mediation_cfg->destroy(mediation_cfg);
 			mediated_cfg->destroy(mediated_cfg);
 			charon->bus->set_sa(charon->bus, mediated_sa);
-			SIG(IKE_UP_FAILED, "mediation failed");
+			SIG_IKE(UP_FAILED, "mediation failed");
 			destroy(this);
 			return;
 		}
@@ -138,7 +139,7 @@ static void initiate(private_initiate_mediation_job_t *this)
 				charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, mediation_sa);
 				
 				charon->bus->set_sa(charon->bus, mediated_sa);
-				SIG(IKE_UP_FAILED, "mediation failed");
+				SIG_IKE(UP_FAILED, "mediation failed");
 				destroy(this);
 				return;
 			}
@@ -179,7 +180,7 @@ static void reinitiate(private_initiate_mediation_job_t *this)
 				charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, mediation_sa);
 				
 				charon->bus->set_sa(charon->bus, mediated_sa);
-				SIG(IKE_UP_FAILED, "mediation failed");
+				SIG_IKE(UP_FAILED, "mediation failed");
 				destroy(this);
 				return;
 			}
diff --git a/src/charon/processing/jobs/update_sa_job.c b/src/charon/processing/jobs/update_sa_job.c
new file mode 100644
index 000000000..acf263d25
--- /dev/null
+++ b/src/charon/processing/jobs/update_sa_job.c
@@ -0,0 +1,98 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+#include <stdlib.h>
+
+#include "update_sa_job.h"
+
+#include <sa/ike_sa.h>
+#include <daemon.h>
+
+
+typedef struct private_update_sa_job_t private_update_sa_job_t;
+
+/**
+ * Private data of an update_sa_job_t Object
+ */
+struct private_update_sa_job_t {
+	/**
+	 * public update_sa_job_t interface
+	 */
+	update_sa_job_t public;
+	
+	/**
+	 * reqid of the CHILD_SA
+	 */
+	u_int32_t reqid;
+	
+	/**
+	 * New SA address and port
+	 */
+	host_t *new;
+};
+
+/**
+ * Implements job_t.destroy.
+ */
+static void destroy(private_update_sa_job_t *this)
+{
+	this->new->destroy(this->new);
+	free(this);
+}
+
+/**
+ * Implementation of job_t.execute. 
+ */ 
+static void execute(private_update_sa_job_t *this)
+{
+	ike_sa_t *ike_sa;
+	
+	ike_sa = charon->ike_sa_manager->checkout_by_id(charon->ike_sa_manager,
+													this->reqid, TRUE);
+	if (ike_sa == NULL)
+	{
+		DBG1(DBG_JOB, "CHILD_SA with reqid %d not found for update", this->reqid);
+	}
+	else
+	{
+		/* we update only if other host is NATed, but not our */
+		if (ike_sa->has_condition(ike_sa, COND_NAT_THERE) &&
+			!ike_sa->has_condition(ike_sa, COND_NAT_HERE))
+		{
+			ike_sa->update_hosts(ike_sa, NULL, this->new);
+		}
+		charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+	}
+	destroy(this);
+}
+
+/*
+ * Described in header
+ */
+update_sa_job_t *update_sa_job_create(u_int32_t reqid, host_t *new)
+{
+	private_update_sa_job_t *this = malloc_thing(private_update_sa_job_t);
+	
+	this->public.job_interface.execute = (void (*) (job_t *)) execute;
+	this->public.job_interface.destroy = (void (*) (job_t *)) destroy;
+	
+	this->reqid = reqid;
+	this->new = new;
+
+	return &this->public;
+}
+
diff --git a/src/charon/processing/jobs/update_sa_job.h b/src/charon/processing/jobs/update_sa_job.h
new file mode 100644
index 000000000..5a350d939
--- /dev/null
+++ b/src/charon/processing/jobs/update_sa_job.h
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+/**
+ * @defgroup update_sa_job update_sa_job
+ * @{ @ingroup jobs
+ */
+
+#ifndef UPDATE_SA_JOB_H_
+#define UPDATE_SA_JOB_H_
+
+typedef struct update_sa_job_t update_sa_job_t;
+
+#include <library.h>
+#include <utils/host.h>
+#include <processing/jobs/job.h>
+
+/**
+ * Update the addresses of an IKE and its CHILD_SAs.
+ */
+struct update_sa_job_t {
+
+	/**
+	 * implements job_t interface
+	 */
+	job_t job_interface;
+};
+
+/**
+ * Creates a job to update IKE and CHILD_SA addresses.
+ * 
+ * @param reqid			reqid of the CHILD_SA
+ * @param new			new address and port
+ * @return				update_sa_job_t object
+ */
+update_sa_job_t *update_sa_job_create(u_int32_t reqid, host_t *new);
+
+#endif /*UPDATE_SA_JOB_H_ @} */
diff --git a/src/charon/sa/authenticators/authenticator.c b/src/charon/sa/authenticators/authenticator.c
index c301e4933..827c7a69a 100644
--- a/src/charon/sa/authenticators/authenticator.c
+++ b/src/charon/sa/authenticators/authenticator.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2008 Tobias Brunner
- * Copyright (C) 2006 Martin Willi
+ * Copyright (C) 2006-2008 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: authenticator.c 4051 2008-06-10 09:08:27Z tobias $
+ * $Id: authenticator.c 4276 2008-08-22 10:44:51Z martin $
  */
 
 #include <string.h>
@@ -33,22 +33,27 @@ ENUM_NEXT(auth_method_names, AUTH_ECDSA_256, AUTH_ECDSA_521, AUTH_DSS,
 	"ECDSA-256 signature",
 	"ECDSA-384 signature",
 	"ECDSA-521 signature");
-ENUM_NEXT(auth_method_names, AUTH_EAP, AUTH_EAP, AUTH_ECDSA_521,
-	"EAP");
-ENUM_END(auth_method_names, AUTH_EAP);
+ENUM_END(auth_method_names, AUTH_ECDSA_521);
+
+ENUM(auth_class_names, AUTH_CLASS_PUBKEY, AUTH_CLASS_EAP,
+	"public key",
+	"pre-shared key",
+	"EAP",
+);
 
 /**
  * Described in header.
  */
-authenticator_t *authenticator_create(ike_sa_t *ike_sa, config_auth_method_t auth_method)
+authenticator_t *authenticator_create_from_class(ike_sa_t *ike_sa,
+												 auth_class_t class)
 {
-	switch (auth_method)
+	switch (class)
 	{
-		case CONF_AUTH_PUBKEY:
+		case AUTH_CLASS_PUBKEY:
 			return (authenticator_t*)pubkey_authenticator_create(ike_sa);
-		case CONF_AUTH_PSK:
+		case AUTH_CLASS_PSK:
 			return (authenticator_t*)psk_authenticator_create(ike_sa);
-		case CONF_AUTH_EAP:
+		case AUTH_CLASS_EAP:
 			return (authenticator_t*)eap_authenticator_create(ike_sa);
 		default:
 			return NULL;
@@ -58,9 +63,10 @@ authenticator_t *authenticator_create(ike_sa_t *ike_sa, config_auth_method_t aut
 /**
  * Described in header.
  */
-authenticator_t *authenticator_create_from_auth_payload(ike_sa_t *ike_sa, auth_payload_t *auth_payload)
+authenticator_t *authenticator_create_from_method(ike_sa_t *ike_sa,
+												  auth_method_t method)
 {
-	switch (auth_payload->get_auth_method(auth_payload))
+	switch (method)
 	{
 		case AUTH_RSA:
 		case AUTH_ECDSA_256:
diff --git a/src/charon/sa/authenticators/authenticator.h b/src/charon/sa/authenticators/authenticator.h
index 3c961d23e..aa5a73e86 100644
--- a/src/charon/sa/authenticators/authenticator.h
+++ b/src/charon/sa/authenticators/authenticator.h
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2008 Tobias Brunner
- * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005-2008 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
  *
@@ -14,7 +14,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: authenticator.h 4051 2008-06-10 09:08:27Z tobias $
+ * $Id: authenticator.h 4276 2008-08-22 10:44:51Z martin $
  */
 
 /**
@@ -26,6 +26,7 @@
 #define AUTHENTICATOR_H_
 
 typedef enum auth_method_t auth_method_t;
+typedef enum auth_class_t auth_class_t;
 typedef struct authenticator_t authenticator_t;
 
 #include <library.h>
@@ -34,7 +35,7 @@ typedef struct authenticator_t authenticator_t;
 #include <encoding/payloads/auth_payload.h>
 
 /**
- * Method to use for authentication.
+ * Method to use for authentication, as defined in IKEv2.
  */
 enum auth_method_t {
 	/**
@@ -70,12 +71,6 @@ enum auth_method_t {
 	 * ECDSA with SHA-512 on the P-521 curve as specified in RFC 4754
 	 */
 	AUTH_ECDSA_521 = 11,
-	
-	/**
-	 * EAP authentication. This value is never negotiated and therefore
-	 * a value from private use.
-	 */
-	AUTH_EAP = 201,
 };
 
 /**
@@ -83,12 +78,32 @@ enum auth_method_t {
  */
 extern enum_name_t *auth_method_names;
 
+/**
+ * Class of authentication to use. This is different to auth_method_t in that
+ * it does not specify a method, but a class of acceptable methods. The found
+ * certificate finally dictates wich method is used.
+ */
+enum auth_class_t {
+	/** authentication using public keys (RSA, ECDSA) */
+	AUTH_CLASS_PUBKEY = 1,
+	/** authentication using a pre-shared secrets */
+	AUTH_CLASS_PSK = 2,
+	/** authentication using EAP */
+	AUTH_CLASS_EAP = 3,
+};
+
+/**
+ * enum strings for auth_class_t
+ */
+extern enum_name_t *auth_class_names;
+
 /**
  * Authenticator interface implemented by the various authenticators.
  *
  * Currently the following two AUTH methods are supported:
  *  - shared key message integrity code
  *  - RSA digital signature
+ *  - EAP using the EAP framework and one of the EAP plugins
  *  - ECDSA is supported using OpenSSL
  */
 struct authenticator_t {
@@ -96,15 +111,14 @@ struct authenticator_t {
 	/**
 	 * Verify a received authentication payload.
 	 *
-	 * @param ike_sa_init		binary representation of received ike_sa_init
-	 * @param my_nonce			the sent nonce
-	 * @param auth_payload		authentication payload to verify
-	 *
+	 * @param ike_sa_init	binary representation of received ike_sa_init
+	 * @param my_nonce		the sent nonce
+	 * @param auth_payload	authentication payload to verify
 	 * @return
-	 *							- SUCCESS,
-	 *							- FAILED if verification failed
-	 *							- INVALID_ARG if auth_method does not match
-	 *							- NOT_FOUND if credentials not found
+	 *						- SUCCESS,
+	 *						- FAILED if verification failed
+	 *						- INVALID_ARG if auth_method does not match
+	 *						- NOT_FOUND if credentials not found
 	 */
 	status_t (*verify) (authenticator_t *this, chunk_t ike_sa_init,
 						chunk_t my_nonce, auth_payload_t *auth_payload);
@@ -112,13 +126,12 @@ struct authenticator_t {
 	/**
 	 * Build an authentication payload to send to the other peer.
 	 *
-	 * @param ike_sa_init		binary representation of sent ike_sa_init
-	 * @param other_nonce		the received nonce
-	 * @param[out] auth_payload	the resulting authentication payload
-	 *
+	 * @param ike_sa_init	binary representation of sent ike_sa_init
+	 * @param other_nonce	the received nonce
+	 * @param auth_payload	the resulting authentication payload
 	 * @return
-	 *							- SUCCESS,
-	 *							- NOT_FOUND if the data for AUTH method could not be found
+	 *						- SUCCESS,
+	 *						- NOT_FOUND if credentials not found
 	 */
 	status_t (*build) (authenticator_t *this, chunk_t ike_sa_init,
 					   chunk_t other_nonce, auth_payload_t **auth_payload);
@@ -130,23 +143,23 @@ struct authenticator_t {
 };
 
 /**
- * Creates an authenticator for the specified auth method (as configured).
+ * Creates an authenticator for the specified auth class (as configured).
  *
  * @param ike_sa		associated ike_sa
- * @param auth_method	authentication method to use for build()/verify()
- *
+ * @param class			class of authentication to use
  * @return				authenticator_t object
  */
-authenticator_t *authenticator_create(ike_sa_t *ike_sa, config_auth_method_t auth_method);
+authenticator_t *authenticator_create_from_class(ike_sa_t *ike_sa,
+												 auth_class_t class);
 
 /**
- * Creates an authenticator from the given auth payload.
+ * Creates an authenticator for method (as received in payload).
  * 
  * @param ike_sa		associated ike_sa
- * @param auth_payload	auth payload
- * 
+ * @param method		method as found in payload
  * @return				authenticator_t object
  */
-authenticator_t *authenticator_create_from_auth_payload(ike_sa_t *ike_sa, auth_payload_t *auth_payload);
+authenticator_t *authenticator_create_from_method(ike_sa_t *ike_sa,	
+												  auth_method_t method);
 
 #endif /* AUTHENTICATOR_H_ @} */
diff --git a/src/charon/sa/authenticators/eap/eap_method.c b/src/charon/sa/authenticators/eap/eap_method.c
index 5e2db5489..11b12fb49 100644
--- a/src/charon/sa/authenticators/eap/eap_method.c
+++ b/src/charon/sa/authenticators/eap/eap_method.c
@@ -12,19 +12,19 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: eap_method.c 3589 2008-03-13 14:14:44Z martin $
+ * $Id: eap_method.c 4269 2008-08-21 12:10:07Z martin $
  */
 
 #include "eap_method.h"
 
-ENUM_BEGIN(eap_type_names, EAP_IDENTITY, EAP_TOKEN_CARD,
+ENUM_BEGIN(eap_type_names, EAP_IDENTITY, EAP_GTC,
 	"EAP_IDENTITY",
 	"EAP_NOTIFICATION",
 	"EAP_NAK",
 	"EAP_MD5",
-	"EAP_ONE_TIME_PASSWORD",
-	"EAP_TOKEN_CARD");
-ENUM_NEXT(eap_type_names, EAP_SIM, EAP_SIM, EAP_TOKEN_CARD,
+	"EAP_OTP",
+	"EAP_GTC");
+ENUM_NEXT(eap_type_names, EAP_SIM, EAP_SIM, EAP_GTC,
 	"EAP_SIM");
 ENUM_NEXT(eap_type_names, EAP_AKA, EAP_AKA, EAP_SIM,
 	"EAP_AKA");
diff --git a/src/charon/sa/authenticators/eap/eap_method.h b/src/charon/sa/authenticators/eap/eap_method.h
index eda6f545e..663117931 100644
--- a/src/charon/sa/authenticators/eap/eap_method.h
+++ b/src/charon/sa/authenticators/eap/eap_method.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: eap_method.h 3589 2008-03-13 14:14:44Z martin $
+ * $Id: eap_method.h 4276 2008-08-22 10:44:51Z martin $
  */
 
 /**
@@ -52,8 +52,8 @@ enum eap_type_t {
 	EAP_NOTIFICATION = 2,
 	EAP_NAK = 3,
 	EAP_MD5 = 4,
-	EAP_ONE_TIME_PASSWORD = 5,
-	EAP_TOKEN_CARD = 6,
+	EAP_OTP = 5,
+	EAP_GTC = 6,
 	EAP_SIM = 18,
 	EAP_AKA = 23,
 	EAP_EXPANDED = 254,
@@ -95,6 +95,8 @@ extern enum_name_t *eap_code_names;
  * authentication. Even if a mutual EAP method is used, the traditional
  * AUTH payloads are required. Only these include the nonces and messages from
  * ike_sa_init and therefore prevent man in the middle attacks.
+ * The EAP method must use an initial EAP identifier value != 0, as a preceding
+ * EAP-Identity exchange always uses identifier 0.
  */
 struct eap_method_t {
 	
@@ -148,7 +150,8 @@ struct eap_method_t {
 	/**
 	 * Get the MSK established by this EAP method.
 	 *
-	 * Not all EAP methods establish a shared secret.
+	 * Not all EAP methods establish a shared secret. For implementations of
+	 * the EAP-Identity method, get_msk() returns the received identity.
 	 *
 	 * @param msk		chunk receiving internal stored MSK
 	 * @return
@@ -171,6 +174,8 @@ struct eap_method_t {
  * Constructors for server and peers are identical, to support both roles
  * of a EAP method, a plugin needs register two constructors in the
  * eap_manager_t.
+ * The passed identites are of type ID_EAP and valid only during the
+ * constructor invocation.
  *
  * @param server		ID of the server to use for credential lookup
  * @param peer			ID of the peer to use for credential lookup
diff --git a/src/charon/sa/authenticators/eap/sim_manager.c b/src/charon/sa/authenticators/eap/sim_manager.c
new file mode 100644
index 000000000..e6817ca20
--- /dev/null
+++ b/src/charon/sa/authenticators/eap/sim_manager.c
@@ -0,0 +1,125 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+#include "sim_manager.h"
+
+#include <utils/linked_list.h>
+
+typedef struct private_sim_manager_t private_sim_manager_t;
+
+/**
+ * Private data of an sim_manager_t object.
+ */
+struct private_sim_manager_t {
+	
+	/**
+	 * Public sim_manager_t interface.
+	 */
+	sim_manager_t public;
+	
+	/**
+	 * list of added cards
+	 */
+	linked_list_t *cards;
+	
+	/**
+	 * list of added provider
+	 */
+	linked_list_t *provider;
+};
+
+/**
+ * Implementation of sim_manager_t.add_card
+ */
+static void add_card(private_sim_manager_t *this, sim_card_t *card)
+{
+	this->cards->insert_last(this->cards, card);
+}
+
+/**
+ * Implementation of sim_manager_t.remove_card
+ */
+static void remove_card(private_sim_manager_t *this, sim_card_t *card)
+{
+	this->cards->remove(this->cards, card, NULL);
+}
+
+/**
+ * Implementation of sim_manager_t.create_card_enumerator
+ */
+static enumerator_t* create_card_enumerator(private_sim_manager_t *this)
+{
+	return this->cards->create_enumerator(this->cards);
+}
+
+/**
+ * Implementation of sim_manager_t.add_provider
+ */
+static void add_provider(private_sim_manager_t *this,
+							  sim_provider_t *provider)
+{
+	this->provider->insert_last(this->provider, provider);
+}
+
+/**
+ * Implementation of sim_manager_t.remove_provider
+ */
+static void remove_provider(private_sim_manager_t *this,
+								sim_provider_t *provider)
+{
+	this->provider->remove(this->provider, provider, NULL);
+}
+
+/**
+ * Implementation of sim_manager_t.create_provider_enumerator
+ */
+static enumerator_t* create_provider_enumerator(private_sim_manager_t *this)
+{
+	return this->provider->create_enumerator(this->provider);
+}
+
+/**
+ * Implementation of sim_manager_t.destroy.
+ */
+static void destroy(private_sim_manager_t *this)
+{
+	this->cards->destroy(this->cards);
+	this->provider->destroy(this->provider);
+	free(this);
+}
+
+/**
+ * See header
+ */
+sim_manager_t *sim_manager_create()
+{
+	private_sim_manager_t *this = malloc_thing(private_sim_manager_t);
+	
+	this->public.add_card = (void(*)(sim_manager_t*, sim_card_t *card))add_card;
+	this->public.remove_card = (void(*)(sim_manager_t*, sim_card_t *card))remove_card;
+	this->public.create_card_enumerator = (enumerator_t*(*)(sim_manager_t*))create_card_enumerator;
+	this->public.add_provider = (void(*)(sim_manager_t*, sim_provider_t *provider))add_provider;
+	this->public.remove_provider = (void(*)(sim_manager_t*, sim_provider_t *provider))remove_provider;
+	this->public.create_provider_enumerator = (enumerator_t*(*)(sim_manager_t*))create_provider_enumerator;
+	this->public.destroy = (void(*)(sim_manager_t*))destroy;
+	
+	this->cards = linked_list_create();
+	this->provider = linked_list_create();
+	
+	return &this->public;
+}
+
diff --git a/src/charon/sa/authenticators/eap/sim_manager.h b/src/charon/sa/authenticators/eap/sim_manager.h
new file mode 100644
index 000000000..7fb1f2858
--- /dev/null
+++ b/src/charon/sa/authenticators/eap/sim_manager.h
@@ -0,0 +1,136 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup sim_manager sim_manager
+ * @{ @ingroup eap
+ */
+
+#ifndef SIM_MANAGER_H_
+#define SIM_MANAGER_H_
+
+#include <utils/identification.h>
+#include <utils/enumerator.h>
+
+typedef struct sim_manager_t sim_manager_t;
+typedef struct sim_card_t sim_card_t;
+typedef struct sim_provider_t sim_provider_t;
+
+/**
+ * Interface for a SIM card (used as EAP client).
+ */
+struct sim_card_t {
+
+	/**
+	 * Get the identity of a SIM card.
+	 *
+	 * The returned identity owned by the sim_card and not destroyed outside.
+	 * The SIM card may return ID_ANY if it does not support/use an IMSI.
+	 *
+	 * @return		identity of type ID_EAP/ID_ANY
+	 */
+	identification_t* (*get_imsi)(sim_card_t *this);
+	
+	/**
+	 * Calculate SRES/KC from a RAND.
+	 *
+	 * @param rand	RAND input buffer, fixed size 16 bytes
+	 * @param sres	SRES output buffer, fixed size 4 byte
+	 * @param kc	KC output buffer, fixed size 8 bytes
+	 * @return		TRUE if SRES/KC calculated, FALSE on error
+	 */
+	bool (*get_triplet)(sim_card_t *this,
+						char rand[16], char sres[4], char kc[8]);
+};
+
+/**
+ * Interface for a triplet provider (used as EAP server).
+ */
+struct sim_provider_t {
+	
+	/**
+	 * Get a single triplet to authenticate a EAP client.
+	 *
+	 * @param imsi	client identity of type ID_EAP
+	 * @param rand	RAND output buffer, fixed size 16 bytes
+	 * @param sres	SRES output buffer, fixed size 4 byte
+	 * @param kc	KC output buffer, fixed size 8 bytes
+	 * @return		TRUE if triplet received, FALSE otherwise
+	 */
+	bool (*get_triplet)(sim_provider_t *this, identification_t *imsi,
+						char rand[16], char sres[4], char kc[8]);
+};
+
+/**
+ * The EAP-SIM manager handles multiple SIM cards and providers.
+ */
+struct sim_manager_t {
+	
+	/**
+	 * Register a SIM card (client) at the manager.
+	 *
+	 * @param card		sim card to register
+	 */
+	void (*add_card)(sim_manager_t *this, sim_card_t *card);
+	
+	/**
+	 * Unregister a previously registered card from the manager.
+	 *
+	 * @param card		sim card to unregister
+	 */
+	void (*remove_card)(sim_manager_t *this, sim_card_t *card);
+	
+	/**
+	 * Create an enumerator over all registered cards.
+	 *
+	 * @return			enumerator over sim_card_t's
+	 */
+	enumerator_t* (*create_card_enumerator)(sim_manager_t *this);
+	
+	/**
+	 * Register a triplet provider (server) at the manager.
+	 *
+	 * @param card		sim card to register
+	 */
+	void (*add_provider)(sim_manager_t *this, sim_provider_t *provider);
+	
+	/**
+	 * Unregister a previously registered provider from the manager.
+	 *
+	 * @param card		sim card to unregister
+	 */
+	void (*remove_provider)(sim_manager_t *this, sim_provider_t *provider);
+	
+	/**
+	 * Create an enumerator over all registered provider.
+	 *
+	 * @return			enumerator over sim_provider_t's
+	 */
+	enumerator_t* (*create_provider_enumerator)(sim_manager_t *this);
+	
+	/**
+	 * Destroy a manager instance.
+	 */
+	void (*destroy)(sim_manager_t *this);
+};
+
+/**
+ * Create an SIM manager to handle multiple SIM cards/providers.
+ *
+ * @return			sim_t object
+ */
+sim_manager_t *sim_manager_create();
+
+#endif /* SIM_MANAGER_H_ @}*/
diff --git a/src/charon/sa/authenticators/eap_authenticator.c b/src/charon/sa/authenticators/eap_authenticator.c
index 95bb5e57f..0909d6563 100644
--- a/src/charon/sa/authenticators/eap_authenticator.c
+++ b/src/charon/sa/authenticators/eap_authenticator.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: eap_authenticator.c 3589 2008-03-13 14:14:44Z martin $
+ * $Id: eap_authenticator.c 4292 2008-08-26 19:54:47Z andreas $
  */
 
 #include <string.h>
@@ -54,6 +54,21 @@ struct private_eap_authenticator_t {
 	 * MSK used to build and verify auth payload
 	 */
 	chunk_t msk;
+	
+	/**
+	 * should we do a EAP-Identity exchange as server?
+	 */
+	bool do_eap_identity;
+	
+	/**
+	 * saved EAP type if we do eap_identity
+	 */
+	eap_type_t type;
+	
+	/**
+	 * saved vendor id if we do eap_identity
+	 */
+	u_int32_t vendor;
 };
 
 /**
@@ -93,7 +108,7 @@ static status_t verify(private_eap_authenticator_t *this, chunk_t ike_sa_init,
 	chunk_free(&auth_data);
 	
 	DBG1(DBG_IKE, "authentication of '%D' with %N successful",
-		 other_id, auth_method_names, AUTH_EAP);
+		 other_id, auth_class_names, AUTH_CLASS_EAP);
 	return SUCCESS;
 }
 
@@ -107,7 +122,7 @@ static status_t build(private_eap_authenticator_t *this, chunk_t ike_sa_init,
 	identification_t *my_id = this->ike_sa->get_my_id(this->ike_sa);
 	
 	DBG1(DBG_IKE, "authentication of '%D' (myself) with %N",
-		 my_id, auth_method_names, AUTH_EAP);
+		 my_id, auth_class_names, AUTH_CLASS_EAP);
 
 	if (this->msk.len)
 	{	/* use MSK if EAP method established one... */
@@ -129,6 +144,79 @@ static status_t build(private_eap_authenticator_t *this, chunk_t ike_sa_init,
 	return SUCCESS;
 }
 
+/**
+ * get the peers identity to use in the EAP method
+ */
+static identification_t *get_peer_id(private_eap_authenticator_t *this)
+{
+	identification_t *id;
+	peer_cfg_t *config;
+	auth_info_t *auth;
+	
+	id = this->ike_sa->get_eap_identity(this->ike_sa);
+	if (!id)
+	{
+		config = this->ike_sa->get_peer_cfg(this->ike_sa);
+		auth = config->get_auth(config);
+		if (!auth->get_item(auth, AUTHN_EAP_IDENTITY, (void**)&id))
+		{
+			if (this->role == EAP_PEER)
+			{
+				id = this->ike_sa->get_my_id(this->ike_sa);
+			}
+			else
+			{
+				id = this->ike_sa->get_other_id(this->ike_sa);
+			}
+		}
+	}
+	if (id->get_type(id) == ID_EAP)
+	{
+		return id->clone(id);
+	}
+	return identification_create_from_encoding(ID_EAP, id->get_encoding(id));
+}
+
+/**
+ * get the servers identity to use in the EAP method
+ */
+static identification_t *get_server_id(private_eap_authenticator_t *this)
+{
+	identification_t *id;
+	
+	if (this->role == EAP_SERVER)
+	{
+		id = this->ike_sa->get_my_id(this->ike_sa);
+	}
+	else
+	{
+		id = this->ike_sa->get_other_id(this->ike_sa);
+	}
+	if (id->get_type(id) == ID_EAP)
+	{
+		return id->clone(id);
+	}
+	return identification_create_from_encoding(ID_EAP, id->get_encoding(id));
+}
+
+/**
+ * load an EAP method using the correct identities
+ */
+static eap_method_t *load_method(private_eap_authenticator_t *this,
+							eap_type_t type, u_int32_t vendor, eap_role_t role)
+{
+	identification_t *server, *peer;
+	eap_method_t *method;
+	
+	server = get_server_id(this);
+	peer = get_peer_id(this);
+	method = charon->eap->create_instance(charon->eap, type, vendor, role,
+										  server, peer);		 
+	server->destroy(server);
+	peer->destroy(peer);
+	return method;
+}
+
 /**
  * Implementation of eap_authenticator_t.initiate
  */
@@ -138,6 +226,14 @@ static status_t initiate(private_eap_authenticator_t *this, eap_type_t type,
 	/* if initiate() is called, role is always server */
 	this->role = EAP_SERVER;
 	
+	if (this->do_eap_identity)
+	{	/* do an EAP-Identity request first */
+		this->type = type;
+		this->vendor = vendor;
+		vendor = 0;
+		type = EAP_IDENTITY;
+	}
+	
 	if (type == 0)
 	{
 		DBG1(DBG_IKE,
@@ -148,20 +244,23 @@ static status_t initiate(private_eap_authenticator_t *this, eap_type_t type,
 	
 	if (vendor)
 	{
-		DBG1(DBG_IKE, "requesting vendor specific EAP authentication %d-%d",
+		DBG1(DBG_IKE, "requesting vendor specific EAP method %d-%d",
 			 type, vendor);
 	}
 	else
 	{
-		DBG1(DBG_IKE, "requesting %N authentication", eap_type_names, type);
+		DBG1(DBG_IKE, "requesting EAP method %N", eap_type_names, type);
 	}
-	this->method = charon->eap->create_instance(charon->eap, type, vendor,
-						this->role, this->ike_sa->get_my_id(this->ike_sa),
-						this->ike_sa->get_other_id(this->ike_sa));
-	
+	this->method = load_method(this, type, vendor, this->role);
 	if (this->method == NULL)
 	{
-
+		if (vendor == 0 && type == EAP_IDENTITY)
+		{
+			DBG1(DBG_IKE, "skipping %N, no implementation found",
+				 eap_type_names, type);
+			this->do_eap_identity = FALSE;
+			return initiate(this, this->type, this->vendor, out);
+		}
 		DBG1(DBG_IKE, "configured EAP server method not supported, sending %N",
 			 eap_code_names, EAP_FAILURE);
 		*out = eap_payload_create_code(EAP_FAILURE, 0);
@@ -192,10 +291,7 @@ static status_t process_peer(private_eap_authenticator_t *this,
 	{
 		eap_method_t *method;
 		
-		method = charon->eap->create_instance(charon->eap, type, 0, EAP_PEER,
-									this->ike_sa->get_other_id(this->ike_sa),
-									this->ike_sa->get_my_id(this->ike_sa));
-		
+		method = load_method(this, type, 0, EAP_PEER);
 		if (method == NULL || method->process(method, in, out) != SUCCESS)
 		{
 			DBG1(DBG_IKE, "EAP server requested %N, but unable to process",
@@ -203,10 +299,7 @@ static status_t process_peer(private_eap_authenticator_t *this,
 			DESTROY_IF(method);
 			return FAILED;
 		}
-		
-		DBG1(DBG_IKE, "EAP server requested %N, sending IKE identity",
-			 eap_type_names, type);
-			 
+		DBG1(DBG_IKE, "EAP server requested %N", eap_type_names, type);	 
 		method->destroy(method);
 		return NEED_MORE;
 	}
@@ -224,10 +317,7 @@ static status_t process_peer(private_eap_authenticator_t *this,
 			DBG1(DBG_IKE, "EAP server requested %N authentication",
 				 eap_type_names, type);
 		}
-		this->method = charon->eap->create_instance(charon->eap,
-									type, vendor, EAP_PEER,
-									this->ike_sa->get_other_id(this->ike_sa),
-									this->ike_sa->get_my_id(this->ike_sa));
+		this->method = load_method(this, type, vendor, EAP_PEER);
 		if (this->method == NULL)
 		{
 			DBG1(DBG_IKE, "EAP server requested unsupported "
@@ -251,7 +341,7 @@ static status_t process_peer(private_eap_authenticator_t *this,
 			}
 			else
 			{
-				DBG1(DBG_IKE, "EAP method %N succeded", eap_type_names, type);
+				DBG1(DBG_IKE, "EAP method %N succeeded", eap_type_names, type);
 			}
 			return SUCCESS;
 		case FAILED:
@@ -270,6 +360,27 @@ static status_t process_peer(private_eap_authenticator_t *this,
 	}
 }
 
+/**
+ * handle an EAP-Identity response on the server
+ */
+static status_t process_eap_identity(private_eap_authenticator_t *this,
+									 eap_payload_t **out)
+{
+	chunk_t data;
+	identification_t *id;
+
+	if (this->method->get_msk(this->method, &data) == SUCCESS)
+	{
+		id = identification_create_from_encoding(ID_EAP, data);
+		DBG1(DBG_IKE, "using EAP identity '%D'", id);
+		this->ike_sa->set_eap_identity(this->ike_sa, id);
+	}
+	/* restart EAP exchange, but with real method */
+	this->method->destroy(this->method);
+	this->do_eap_identity = FALSE;
+	return initiate(this, this->type, this->vendor, out);
+}
+
 /**
  * Processing method for a server
  */
@@ -286,6 +397,10 @@ static status_t process_server(private_eap_authenticator_t *this,
 		case NEED_MORE:
 			return NEED_MORE;
 		case SUCCESS:
+			if (this->do_eap_identity)
+			{
+				return process_eap_identity(this, out);
+			}
 			if (this->method->get_msk(this->method, &this->msk) == SUCCESS)
 			{
 				this->msk = chunk_clone(this->msk);
@@ -409,6 +524,9 @@ static void destroy(private_eap_authenticator_t *this)
  */
 eap_authenticator_t *eap_authenticator_create(ike_sa_t *ike_sa)
 {
+	peer_cfg_t *config;
+	auth_info_t *auth;
+	identification_t *id;
 	private_eap_authenticator_t *this = malloc_thing(private_eap_authenticator_t);
 	
 	/* public functions */
@@ -425,6 +543,25 @@ eap_authenticator_t *eap_authenticator_create(ike_sa_t *ike_sa)
 	this->role = EAP_PEER;
 	this->method = NULL;
 	this->msk = chunk_empty;
+	this->do_eap_identity = FALSE;
+	this->type = 0;
+	this->vendor = 0;
 	
+	config = ike_sa->get_peer_cfg(ike_sa);
+	if (config)
+	{
+		auth = config->get_auth(config);
+		if (auth->get_item(auth, AUTHN_EAP_IDENTITY, (void**)&id))
+		{
+			if (id->get_type(id) == ID_ANY)
+			{	/* %any as configured EAP identity runs EAP-Identity first */
+				this->do_eap_identity = TRUE;
+			}
+			else
+			{
+				ike_sa->set_eap_identity(ike_sa, id->clone(id));
+			}
+		}
+	}
 	return &this->public;
 }
diff --git a/src/charon/sa/authenticators/eap_authenticator.h b/src/charon/sa/authenticators/eap_authenticator.h
index 2dad59fbb..bd300a584 100644
--- a/src/charon/sa/authenticators/eap_authenticator.h
+++ b/src/charon/sa/authenticators/eap_authenticator.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: eap_authenticator.h 3589 2008-03-13 14:14:44Z martin $
+ * $Id: eap_authenticator.h 4276 2008-08-22 10:44:51Z martin $
  */
 
 /**
@@ -29,7 +29,7 @@ typedef struct eap_authenticator_t eap_authenticator_t;
 #include <encoding/payloads/eap_payload.h>
 
 /**
- * Implementation of the authenticator_t interface using AUTH_EAP.
+ * Implementation of the authenticator_t interface using AUTH_CLASS_EAP.
  *
  * Authentication using EAP involves the most complex authenticator. It stays
  * alive over multiple ike_auth transactions and handles multiple EAP
@@ -137,7 +137,7 @@ struct eap_authenticator_t {
 };
 
 /**
- * Creates an authenticator for AUTH_EAP.
+ * Creates an authenticator for AUTH_CLASS_EAP.
  *
  * @param ike_sa		associated ike_sa
  * @return				eap_authenticator_t object
diff --git a/src/charon/sa/child_sa.c b/src/charon/sa/child_sa.c
index 2a6b6f67c..7c4b398cf 100644
--- a/src/charon/sa/child_sa.c
+++ b/src/charon/sa/child_sa.c
@@ -15,7 +15,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: child_sa.c 3920 2008-05-08 16:19:11Z tobias $
+ * $Id: child_sa.c 4358 2008-09-25 13:56:23Z tobias $
  */
 
 #define _GNU_SOURCE
@@ -163,7 +163,7 @@ struct private_child_sa_t {
 	/**
 	 * mode this SA uses, tunnel/transport
 	 */
-	mode_t mode;
+	ipsec_mode_t mode;
 	
 	/**
 	 * virtual IP assinged to local host
@@ -209,6 +209,18 @@ u_int32_t get_spi(private_child_sa_t *this, bool inbound)
 	return this->other.spi;
 }
 
+/**
+ * Implements child_sa_t.get_cpi
+ */
+u_int16_t get_cpi(private_child_sa_t *this, bool inbound)
+{
+	if (inbound)
+	{
+		return this->me.cpi;
+	}
+	return this->other.cpi;
+}
+
 /**
  * Implements child_sa_t.get_protocol
  */
@@ -236,7 +248,7 @@ static child_cfg_t* get_config(private_child_sa_t *this)
 /**
  * Implementation of child_sa_t.get_stats.
  */
-static void get_stats(private_child_sa_t *this, mode_t *mode,
+static void get_stats(private_child_sa_t *this, ipsec_mode_t *mode,
 					  encryption_algorithm_t *encr_algo, size_t *encr_len,
 					  integrity_algorithm_t *int_algo, size_t *int_len,
 					  u_int32_t *rekey, u_int32_t *use_in, u_int32_t *use_out,
@@ -514,7 +526,7 @@ static status_t alloc(private_child_sa_t *this, linked_list_t *proposals)
 }
 
 static status_t install(private_child_sa_t *this, proposal_t *proposal,
-						mode_t mode, prf_plus_t *prf_plus, bool mine)
+						ipsec_mode_t mode, prf_plus_t *prf_plus, bool mine)
 {
 	u_int32_t spi, soft, hard;
 	host_t *src;
@@ -605,7 +617,7 @@ static status_t install(private_child_sa_t *this, proposal_t *proposal,
 }
 
 static status_t add(private_child_sa_t *this, proposal_t *proposal, 
-					mode_t mode, prf_plus_t *prf_plus)
+					ipsec_mode_t mode, prf_plus_t *prf_plus)
 {
 	u_int32_t outbound_spi, inbound_spi;
 	
@@ -637,7 +649,7 @@ static status_t add(private_child_sa_t *this, proposal_t *proposal,
 }
 
 static status_t update(private_child_sa_t *this, proposal_t *proposal,
-					   mode_t mode, prf_plus_t *prf_plus)
+					   ipsec_mode_t mode, prf_plus_t *prf_plus)
 {
 	u_int32_t inbound_spi;
 	
@@ -662,14 +674,19 @@ static status_t update(private_child_sa_t *this, proposal_t *proposal,
 }
 
 static status_t add_policies(private_child_sa_t *this,
-							 linked_list_t *my_ts_list,
-							 linked_list_t *other_ts_list, mode_t mode)
+					linked_list_t *my_ts_list, linked_list_t *other_ts_list,
+					ipsec_mode_t mode, protocol_id_t proto)
 {
 	iterator_t *my_iter, *other_iter;
 	traffic_selector_t *my_ts, *other_ts;
 	/* use low prio for ROUTED policies */
 	bool high_prio = (this->state != CHILD_CREATED);
 	
+	if (this->protocol == PROTO_NONE)
+	{	/* update if not set yet */
+		this->protocol = proto;
+	}
+	
 	/* iterate over both lists */
 	my_iter = my_ts_list->create_iterator(my_ts_list, TRUE);
 	other_iter = other_ts_list->create_iterator(other_ts_list, TRUE);
@@ -919,9 +936,9 @@ static void activate_ipcomp(private_child_sa_t *this, ipcomp_transform_t ipcomp,
 }
 
 /**
- * Implementation of child_sa_t.get_my_cpi.
+ * Implementation of child_sa_t.allocate_cpi.
  */
-static u_int16_t get_my_cpi(private_child_sa_t *this)
+static u_int16_t allocate_cpi(private_child_sa_t *this)
 {
 	if (!this->cpi_allocated)
 	{
@@ -968,7 +985,7 @@ static void destroy(private_child_sa_t *this)
 	if (this->me.cpi)
 	{
 		charon->kernel_interface->del_sa(charon->kernel_interface,
-							this->other.addr, htonl(ntohs(this->me.cpi)), IPPROTO_COMP);
+							this->me.addr, htonl(ntohs(this->me.cpi)), IPPROTO_COMP);
 	}
 	if (this->other.cpi)
 	{
@@ -1023,20 +1040,21 @@ child_sa_t * child_sa_create(host_t *me, host_t* other,
 	this->public.get_name = (char*(*)(child_sa_t*))get_name;
 	this->public.get_reqid = (u_int32_t(*)(child_sa_t*))get_reqid;
 	this->public.get_spi = (u_int32_t(*)(child_sa_t*, bool))get_spi;
+	this->public.get_cpi = (u_int16_t(*)(child_sa_t*, bool))get_cpi;
 	this->public.get_protocol = (protocol_id_t(*)(child_sa_t*))get_protocol;
-	this->public.get_stats = (void(*)(child_sa_t*, mode_t*,encryption_algorithm_t*,size_t*,integrity_algorithm_t*,size_t*,u_int32_t*,u_int32_t*,u_int32_t*,u_int32_t*))get_stats;
+	this->public.get_stats = (void(*)(child_sa_t*, ipsec_mode_t*,encryption_algorithm_t*,size_t*,integrity_algorithm_t*,size_t*,u_int32_t*,u_int32_t*,u_int32_t*,u_int32_t*))get_stats;
 	this->public.alloc = (status_t(*)(child_sa_t*,linked_list_t*))alloc;
-	this->public.add = (status_t(*)(child_sa_t*,proposal_t*,mode_t,prf_plus_t*))add;
-	this->public.update = (status_t(*)(child_sa_t*,proposal_t*,mode_t,prf_plus_t*))update;
+	this->public.add = (status_t(*)(child_sa_t*,proposal_t*,ipsec_mode_t,prf_plus_t*))add;
+	this->public.update = (status_t(*)(child_sa_t*,proposal_t*,ipsec_mode_t,prf_plus_t*))update;
 	this->public.update_hosts = (status_t (*)(child_sa_t*,host_t*,host_t*,bool))update_hosts;
-	this->public.add_policies = (status_t (*)(child_sa_t*, linked_list_t*,linked_list_t*,mode_t))add_policies;
+	this->public.add_policies = (status_t (*)(child_sa_t*, linked_list_t*,linked_list_t*,ipsec_mode_t,protocol_id_t))add_policies;
 	this->public.get_traffic_selectors = (linked_list_t*(*)(child_sa_t*,bool))get_traffic_selectors;
 	this->public.get_use_time = (status_t (*)(child_sa_t*,bool,time_t*))get_use_time;
 	this->public.set_state = (void(*)(child_sa_t*,child_sa_state_t))set_state;
 	this->public.get_state = (child_sa_state_t(*)(child_sa_t*))get_state;
 	this->public.get_config = (child_cfg_t*(*)(child_sa_t*))get_config;
 	this->public.activate_ipcomp = (void(*)(child_sa_t*,ipcomp_transform_t,u_int16_t))activate_ipcomp;
-	this->public.get_my_cpi = (u_int16_t(*)(child_sa_t*))get_my_cpi;
+	this->public.allocate_cpi = (u_int16_t(*)(child_sa_t*))allocate_cpi;
 	this->public.set_virtual_ip = (void(*)(child_sa_t*,host_t*))set_virtual_ip;
 	this->public.destroy = (void(*)(child_sa_t*))destroy;
 
diff --git a/src/charon/sa/child_sa.h b/src/charon/sa/child_sa.h
index 5bd66acad..2f7961e03 100644
--- a/src/charon/sa/child_sa.h
+++ b/src/charon/sa/child_sa.h
@@ -14,7 +14,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: child_sa.h 3920 2008-05-08 16:19:11Z tobias $
+ * $Id: child_sa.h 4358 2008-09-25 13:56:23Z tobias $
  */
 
 /**
@@ -114,10 +114,22 @@ struct child_sa_t {
 	 * FALSE to get those we use for sending packets.
 	 *
 	 * @param inbound	TRUE to get inbound SPI, FALSE for outbound.
-	 * @return 			spi of the CHILD SA
+	 * @return 			SPI of the CHILD SA
 	 */
 	u_int32_t (*get_spi) (child_sa_t *this, bool inbound);
 	
+	/**
+	 * Get the CPI of this CHILD_SA.
+	 * 
+	 * Set the boolean parameter inbound to TRUE to
+	 * get the CPI for which we receive packets, use
+	 * FALSE to get those we use for sending packets.
+	 *
+	 * @param inbound	TRUE to get inbound CPI, FALSE for outbound.
+	 * @return 			CPI of the CHILD SA
+	 */
+	u_int16_t (*get_cpi) (child_sa_t *this, bool inbound);
+
 	/**
 	 * Get the protocol which this CHILD_SA uses to protect traffic.
 	 *
@@ -138,7 +150,7 @@ struct child_sa_t {
 	 * @param use_out	time when last traffic was seen going out
 	 * @param use_fwd	time when last traffic was getting forwarded
 	 */
-	void (*get_stats)(child_sa_t *this, mode_t *mode,
+	void (*get_stats)(child_sa_t *this, ipsec_mode_t *mode,
 					  encryption_algorithm_t *encr, size_t *encr_len,
 					  integrity_algorithm_t *int_algo, size_t *int_len,
 					  u_int32_t *rekey, u_int32_t *use_in, u_int32_t *use_out,
@@ -165,7 +177,7 @@ struct child_sa_t {
 	 * @param prf_plus	key material to use for key derivation
 	 * @return			SUCCESS or FAILED
 	 */
-	status_t (*add)(child_sa_t *this, proposal_t *proposal, mode_t mode,
+	status_t (*add)(child_sa_t *this, proposal_t *proposal, ipsec_mode_t mode,
 					prf_plus_t *prf_plus);
 	
 	/**
@@ -178,7 +190,7 @@ struct child_sa_t {
 	 * @param prf_plus	key material to use for key derivation
 	 * @return			SUCCESS or FAILED
 	 */
-	status_t (*update)(child_sa_t *this, proposal_t *proposal, mode_t mode,
+	status_t (*update)(child_sa_t *this, proposal_t *proposal, ipsec_mode_t mode,
 					   prf_plus_t *prf_plus);
 
 	/**
@@ -203,10 +215,12 @@ struct child_sa_t {
 	 * @param my_ts		traffic selectors for local site
 	 * @param other_ts	traffic selectors for remote site
 	 * @param mode		mode for the SA: tunnel/transport
+	 * @param proto		protocol for policy, ESP/AH
 	 * @return			SUCCESS or FAILED
 	 */	
 	status_t (*add_policies)(child_sa_t *this, linked_list_t *my_ts_list,
-							 linked_list_t *other_ts_list, mode_t mode);
+							 linked_list_t *other_ts_list, ipsec_mode_t mode,
+							 protocol_id_t proto);
 	
 	/**
 	 * Get the traffic selectors of added policies of local host.
@@ -268,7 +282,7 @@ struct child_sa_t {
 	 * 
 	 * @return			allocated CPI
 	 */
-	u_int16_t (*get_my_cpi) (child_sa_t *this);
+	u_int16_t (*allocate_cpi) (child_sa_t *this);
 	
 	/**
 	 * Destroys a child_sa.
diff --git a/src/charon/sa/connect_manager.c b/src/charon/sa/connect_manager.c
index 19ceea666..d24ce8fc7 100644
--- a/src/charon/sa/connect_manager.c
+++ b/src/charon/sa/connect_manager.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: connect_manager.c 3792 2008-04-10 12:51:04Z tobias $
+ * $Id: connect_manager.c 4192 2008-07-18 15:51:40Z martin $
  */
 
 #include "connect_manager.h"
@@ -1160,7 +1160,7 @@ static job_requeue_t initiate_mediated(initiate_data_t *data)
 			ike_sa_t *sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager, waiting_sa);
 			if (sa->initiate_mediated(sa, pair->local, pair->remote, checklist->connect_id) != SUCCESS)
 			{
-				SIG(IKE_UP_FAILED, "establishing the mediated connection failed");
+				SIG_IKE(UP_FAILED, "establishing the mediated connection failed");
 				charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, sa);
 			}
 			charon->ike_sa_manager->checkin(charon->ike_sa_manager, sa);
diff --git a/src/charon/sa/ike_sa.c b/src/charon/sa/ike_sa.c
index 384226380..7b2608e07 100644
--- a/src/charon/sa/ike_sa.c
+++ b/src/charon/sa/ike_sa.c
@@ -15,7 +15,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: ike_sa.c 4106 2008-06-25 11:40:50Z martin $
+ * $Id: ike_sa.c 4394 2008-10-09 08:25:11Z martin $
  */
 
 #include <sys/time.h>
@@ -169,6 +169,11 @@ struct private_ike_sa_t {
 	 */
 	identification_t *other_id;
 	
+	/**
+	 * EAP Identity exchange in EAP-Identity method
+	 */
+	identification_t *eap_identity;;
+	
 	/**
 	 * set of extensions the peer supports
 	 */
@@ -249,11 +254,21 @@ struct private_ike_sa_t {
 	 */
 	linked_list_t *additional_addresses;
 	
+	/**
+	 * previously value of received DESTINATION_IP hash
+	 */
+	chunk_t nat_detection_dest;
+	
 	/**
 	 * number pending UPDATE_SA_ADDRESS (MOBIKE)
 	 */
 	u_int32_t pending_updates;
 
+	/**
+	 * NAT keep alive interval
+	 */
+	u_int32_t keepalive_interval;
+
 	/**
 	 * Timestamps for this IKE_SA
 	 */
@@ -454,7 +469,7 @@ static void send_keepalive(private_ike_sa_t *this)
 	send_keepalive_job_t *job;
 	time_t last_out, now, diff;
 	
-	if (!(this->conditions & COND_NAT_HERE))
+	if (!(this->conditions & COND_NAT_HERE) || this->keepalive_interval == 0)
 	{	/* disable keep alives if we are not NATed anymore */
 		return;
 	}
@@ -464,7 +479,7 @@ static void send_keepalive(private_ike_sa_t *this)
 	
 	diff = now - last_out;
 	
-	if (diff >= KEEPALIVE_INTERVAL)
+	if (diff >= this->keepalive_interval)
 	{
 		packet_t *packet;
 		chunk_t data;
@@ -482,7 +497,7 @@ static void send_keepalive(private_ike_sa_t *this)
 	}
 	job = send_keepalive_job_create(this->ike_sa_id);
 	charon->scheduler->schedule_job(charon->scheduler, (job_t*)job,
-									(KEEPALIVE_INTERVAL - diff) * 1000);
+									(this->keepalive_interval - diff) * 1000);
 }
 
 /**
@@ -616,8 +631,20 @@ static status_t send_dpd(private_ike_sa_t *this)
 		{
 			/* to long ago, initiate dead peer detection */
 			task_t *task;
+			ike_mobike_t *mobike;
 			
-			task = (task_t*)ike_dpd_create(TRUE);
+			if (supports_extension(this, EXT_MOBIKE) &&
+				has_condition(this, COND_NAT_HERE))
+			{
+				/* use mobike enabled DPD to detect NAT mapping changes */
+				mobike = ike_mobike_create(&this->public, TRUE);
+				mobike->dpd(mobike);
+				task = &mobike->task;
+			}
+			else
+			{
+				task = (task_t*)ike_dpd_create(TRUE);
+			}
 			diff = 0;
 			DBG1(DBG_IKE, "sending DPD request");
 			
@@ -645,8 +672,8 @@ static ike_sa_state_t get_state(private_ike_sa_t *this)
  */
 static void set_state(private_ike_sa_t *this, ike_sa_state_t state)
 {
-	DBG1(DBG_IKE, "IKE_SA '%s' state change: %N => %N",
-		 get_name(this),
+	DBG2(DBG_IKE, "IKE_SA %s[%d] state change: %N => %N",
+		 get_name(this), this->unique_id,
 		 ike_sa_state_names, this->state,
 		 ike_sa_state_names, state);
 	
@@ -807,7 +834,26 @@ static iterator_t* create_additional_address_iterator(private_ike_sa_t *this)
 	return this->additional_addresses->create_iterator(
 											this->additional_addresses, TRUE);
 }
-	
+
+/**
+ * Implementation of ike_sa_t.has_mapping_changed
+ */
+static bool has_mapping_changed(private_ike_sa_t *this, chunk_t hash)
+{
+	if (this->nat_detection_dest.ptr == NULL)
+	{
+		this->nat_detection_dest = chunk_clone(hash);
+		return FALSE;
+	}
+	if (chunk_equals(hash, this->nat_detection_dest))
+	{
+		return FALSE;
+	}
+	free(this->nat_detection_dest.ptr);
+	this->nat_detection_dest = chunk_clone(hash);
+	return TRUE;
+}
+
 /**
  * Implementation of ike_sa_t.set_pending_updates.
  */
@@ -831,11 +877,6 @@ static void update_hosts(private_ike_sa_t *this, host_t *me, host_t *other)
 {
 	bool update = FALSE;
 	
-	if (supports_extension(this, EXT_MOBIKE))
-	{	/* if peer speaks mobike, address updates are explicit only */
-		return;
-	}
-	
 	if (me == NULL)
 	{
 		me = this->my_host;
@@ -1041,18 +1082,31 @@ static void resolve_hosts(private_ike_sa_t *this)
 {
 	host_t *host;
 	
-	host = host_create_from_dns(this->ike_cfg->get_my_addr(this->ike_cfg), 0, 
-								IKEV2_UDP_PORT);
+	host = host_create_from_dns(this->ike_cfg->get_other_addr(this->ike_cfg),
+								0, IKEV2_UDP_PORT);
 	if (host)
 	{
-		set_my_host(this, host);
+		set_other_host(this, host);
 	}
-	host = host_create_from_dns(this->ike_cfg->get_other_addr(this->ike_cfg),
+	
+	host = host_create_from_dns(this->ike_cfg->get_my_addr(this->ike_cfg),
 								this->my_host->get_family(this->my_host),
 								IKEV2_UDP_PORT);
+	
+	if (host && host->is_anyaddr(host) &&
+		!this->other_host->is_anyaddr(this->other_host))
+	{
+		host->destroy(host);
+		host = charon->kernel_interface->get_source_addr(
+							charon->kernel_interface, this->other_host, NULL);
+		if (host)
+		{
+			host->set_port(host, IKEV2_UDP_PORT);
+		}
+	}
 	if (host)
 	{
-		set_other_host(this, host);
+		set_my_host(this, host);
 	}
 }
 
@@ -1074,8 +1128,8 @@ static status_t initiate_with_reqid(private_ike_sa_t *this, child_cfg_t *child_c
 			)
 		{
 			child_cfg->destroy(child_cfg);
-			SIG(IKE_UP_START, "initiating IKE_SA");
-			SIG(IKE_UP_FAILED, "unable to initiate to %%any");
+			SIG_IKE(UP_START, "initiating IKE_SA");
+			SIG_IKE(UP_FAILED, "unable to initiate to %%any");
 			return DESTROY_ME;
 		}
 		
@@ -1112,7 +1166,7 @@ static status_t initiate_with_reqid(private_ike_sa_t *this, child_cfg_t *child_c
 		/* mediation connection */
 		if (this->state == IKE_ESTABLISHED)
 		{	/* FIXME: we should try to find a better solution to this */
-			SIG(CHILD_UP_SUCCESS, "mediation connection is already up and running");
+			SIG_CHD(UP_SUCCESS, NULL, "mediation connection is already up and running");
 		}
 		DESTROY_IF(child_cfg);
 	}
@@ -1162,8 +1216,8 @@ static status_t acquire(private_ike_sa_t *this, u_int32_t reqid)
 	
 	if (this->state == IKE_DELETING)
 	{
-		SIG(CHILD_UP_START, "acquiring CHILD_SA on kernel request");
-		SIG(CHILD_UP_FAILED, "acquiring CHILD_SA (reqid %d) failed: "
+		SIG_CHD(UP_START, NULL, "acquiring CHILD_SA on kernel request");
+		SIG_CHD(UP_FAILED, NULL, "acquiring CHILD_SA {reqid %d} failed: "
 			"IKE_SA is deleting", reqid);
 		return FAILED;
 	}
@@ -1181,8 +1235,8 @@ static status_t acquire(private_ike_sa_t *this, u_int32_t reqid)
 	iterator->destroy(iterator);
 	if (!child_sa)
 	{
-		SIG(CHILD_UP_START, "acquiring CHILD_SA on kernel request");
-		SIG(CHILD_UP_FAILED, "acquiring CHILD_SA (reqid %d) failed: "
+		SIG_CHD(UP_START, NULL, "acquiring CHILD_SA on kernel request");
+		SIG_CHD(UP_FAILED, NULL, "acquiring CHILD_SA {reqid %d} failed: "
 			"CHILD_SA not found", reqid);
 		return FAILED;
 	}
@@ -1204,7 +1258,7 @@ static status_t route(private_ike_sa_t *this, child_cfg_t *child_cfg)
 	host_t *me, *other;
 	status_t status;
 	
-	SIG(CHILD_ROUTE_START, "routing CHILD_SA");
+	SIG_CHD(ROUTE_START, NULL, "routing CHILD_SA");
 	
 	/* check if not already routed*/
 	iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
@@ -1214,7 +1268,7 @@ static status_t route(private_ike_sa_t *this, child_cfg_t *child_cfg)
 			streq(child_sa->get_name(child_sa), child_cfg->get_name(child_cfg)))
 		{
 			iterator->destroy(iterator);
-			SIG(CHILD_ROUTE_FAILED, "CHILD_SA with such a config already routed");
+			SIG_CHD(ROUTE_FAILED, child_sa, "CHILD_SA with such a config already routed");
 			return FAILED;
 		}
 	}
@@ -1224,7 +1278,7 @@ static status_t route(private_ike_sa_t *this, child_cfg_t *child_cfg)
 	{
 		case IKE_DELETING:
 		case IKE_REKEYING:
-			SIG(CHILD_ROUTE_FAILED,
+			SIG_CHD(ROUTE_FAILED, NULL, 
 				"unable to route CHILD_SA, as its IKE_SA gets deleted");
 			return FAILED;
 		case IKE_CREATED:
@@ -1253,17 +1307,17 @@ static status_t route(private_ike_sa_t *this, child_cfg_t *child_cfg)
 	my_ts = child_cfg->get_traffic_selectors(child_cfg, TRUE, NULL, me);
 	other_ts = child_cfg->get_traffic_selectors(child_cfg, FALSE, NULL, other);
 	status = child_sa->add_policies(child_sa, my_ts, other_ts,
-									child_cfg->get_mode(child_cfg));
+									child_cfg->get_mode(child_cfg), PROTO_NONE);
 	my_ts->destroy_offset(my_ts, offsetof(traffic_selector_t, destroy));
 	other_ts->destroy_offset(other_ts, offsetof(traffic_selector_t, destroy));
 	if (status == SUCCESS)
 	{
 		this->child_sas->insert_last(this->child_sas, child_sa);
-		SIG(CHILD_ROUTE_SUCCESS, "CHILD_SA routed");
+		SIG_CHD(ROUTE_SUCCESS, child_sa, "CHILD_SA routed");
 	}
 	else
 	{
-		SIG(CHILD_ROUTE_FAILED, "routing CHILD_SA failed");
+		SIG_CHD(ROUTE_FAILED, child_sa, "routing CHILD_SA failed");
 	}
 	return status;
 }
@@ -1277,7 +1331,7 @@ static status_t unroute(private_ike_sa_t *this, u_int32_t reqid)
 	child_sa_t *child_sa;
 	bool found = FALSE;
 	
-	SIG(CHILD_UNROUTE_START, "unrouting CHILD_SA");
+	SIG_CHD(UNROUTE_START, NULL, "unrouting CHILD_SA");
 	
 	/* find CHILD_SA in ROUTED state */
 	iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
@@ -1287,7 +1341,7 @@ static status_t unroute(private_ike_sa_t *this, u_int32_t reqid)
 			child_sa->get_reqid(child_sa) == reqid)
 		{
 			iterator->remove(iterator);
-			SIG(CHILD_UNROUTE_SUCCESS, "CHILD_SA unrouted");
+			SIG_CHD(UNROUTE_SUCCESS, child_sa, "CHILD_SA unrouted");
 			child_sa->destroy(child_sa);
 			found = TRUE;
 			break;
@@ -1297,7 +1351,7 @@ static status_t unroute(private_ike_sa_t *this, u_int32_t reqid)
 	
 	if (!found)
 	{
-		SIG(CHILD_UNROUTE_FAILED, "CHILD_SA to unroute not found");
+		SIG_CHD(UNROUTE_FAILED, NULL, "CHILD_SA to unroute not found");
 		return FAILED;
 	}
 	/* if we are not established, and we have no more routed childs, remove whole SA */
@@ -1397,13 +1451,15 @@ static status_t process_message(private_ike_sa_t *this, message_t *message)
 			charon->scheduler->schedule_job(charon->scheduler, job,
 											HALF_OPEN_IKE_SA_TIMEOUT);
 		}
-		
+		this->time.inbound = time(NULL);
 		/* check if message is trustworthy, and update host information */
 		if (this->state == IKE_CREATED || this->state == IKE_CONNECTING ||
 			message->get_exchange_type(message) != IKE_SA_INIT)
 		{
-			update_hosts(this, me, other);
-			this->time.inbound = time(NULL);
+			if (!supports_extension(this, EXT_MOBIKE))
+			{	/* with MOBIKE, we do no implicit updates */
+				update_hosts(this, me, other);
+			}
 		}
 		status = this->task_manager->process_message(this->task_manager, message);
 		if (status != DESTROY_ME)
@@ -1527,6 +1583,23 @@ static void set_other_id(private_ike_sa_t *this, identification_t *other)
 	this->other_id = other;
 }
 
+/**
+ * Implementation of ike_sa_t.get_eap_identity.
+ */
+static identification_t* get_eap_identity(private_ike_sa_t *this)
+{
+	return this->eap_identity;
+}
+
+/**
+ * Implementation of ike_sa_t.set_eap_identity.
+ */
+static void set_eap_identity(private_ike_sa_t *this, identification_t *id)
+{
+	DESTROY_IF(this->eap_identity);
+	this->eap_identity = id;
+}
+
 /**
  * Implementation of ike_sa_t.derive_keys.
  */
@@ -1866,10 +1939,10 @@ static status_t delete_(private_ike_sa_t *this)
 			this->task_manager->queue_task(this->task_manager, &ike_delete->task);
 			return this->task_manager->initiate(this->task_manager);
 		case IKE_CREATED:
-			SIG(IKE_DOWN_SUCCESS, "deleting unestablished IKE_SA");
+			SIG_IKE(DOWN_SUCCESS, "deleting unestablished IKE_SA");
 			break;
 		default:
-			SIG(IKE_DOWN_SUCCESS, "destroying IKE_SA in state %N "
+			SIG_IKE(DOWN_SUCCESS, "destroying IKE_SA in state %N "
 				"without notification", ike_sa_state_names, this->state);
 			break;
 	}
@@ -2073,19 +2146,19 @@ static status_t retransmit(private_ike_sa_t *this, u_int32_t message_id)
 				this->keyingtry++;
 				if (tries == 0 || tries > this->keyingtry)
 				{
-					SIG(IKE_UP_FAILED, "peer not responding, trying again "
+					SIG_IKE(UP_FAILED, "peer not responding, trying again "
 						"(%d/%d) in background ", this->keyingtry + 1, tries);
 					reset(this);
 					return this->task_manager->initiate(this->task_manager);
 				}
-				SIG(IKE_UP_FAILED, "establishing IKE_SA failed, peer not responding");
+				SIG_IKE(UP_FAILED, "establishing IKE_SA failed, peer not responding");
 				break;
 			}
 			case IKE_DELETING:
-				SIG(IKE_DOWN_FAILED, "proper IKE_SA delete failed, peer not responding");
+				SIG_IKE(DOWN_FAILED, "proper IKE_SA delete failed, peer not responding");
 				break;
 			case IKE_REKEYING:
-				SIG(IKE_REKEY_FAILED, "rekeying IKE_SA failed, peer not responding");
+				SIG_IKE(REKEY_FAILED, "rekeying IKE_SA failed, peer not responding");
 				/* FALL */
 			default:
 				reestablish(this);
@@ -2101,24 +2174,29 @@ static status_t retransmit(private_ike_sa_t *this, u_int32_t message_id)
  */
 static void set_auth_lifetime(private_ike_sa_t *this, u_int32_t lifetime)
 {
-	job_t *job;
 	u_int32_t reduction = this->peer_cfg->get_over_time(this->peer_cfg);
+	u_int32_t reauth_time = time(NULL) + lifetime - reduction;
 
-	this->time.reauth = time(NULL) + lifetime - reduction;
-	job = (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE);
-	
 	if (lifetime < reduction)
 	{
 		DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, starting reauthentication",
 			 lifetime);
-		charon->processor->queue_job(charon->processor, job);
+		charon->processor->queue_job(charon->processor,
+		 			(job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE));
 	}
-	else
+	else if (this->time.reauth == 0 || this->time.reauth > reauth_time) 
 	{
+		this->time.reauth = reauth_time;
 		DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, scheduling reauthentication"
 			 " in %ds", lifetime, lifetime - reduction);
-		charon->scheduler->schedule_job(charon->scheduler, job,
-								(lifetime - reduction) * 1000);
+		charon->scheduler->schedule_job(charon->scheduler,
+					(job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE),
+					(lifetime - reduction) * 1000);
+	}
+	else
+	{
+		DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, reauthentication already "
+			 "scheduled in %ds", lifetime, this->time.reauth - time(NULL));
 	}
 }
 
@@ -2127,7 +2205,7 @@ static void set_auth_lifetime(private_ike_sa_t *this, u_int32_t lifetime)
  */
 static status_t roam(private_ike_sa_t *this, bool address)
 {
-	host_t *me, *other;
+	host_t *src;
 	ike_mobike_t *mobike;
 	
 	switch (this->state)
@@ -2151,21 +2229,19 @@ static status_t roam(private_ike_sa_t *this, bool address)
 		return SUCCESS;
 	}
 	
-	/* get best address pair to use */
-	other = this->other_host;
-	me = charon->kernel_interface->get_source_addr(charon->kernel_interface,
-												   other);
-	
-	if (me)
+	/* keep existing path if possible */
+	src = charon->kernel_interface->get_source_addr(charon->kernel_interface,
+											this->other_host, this->my_host);
+	if (src)
 	{
-		if (me->ip_equals(me, this->my_host) &&
-			other->ip_equals(other, this->other_host))
+		if (src->ip_equals(src, this->my_host))
 		{
-			DBG2(DBG_IKE, "keeping connection path %H - %H", this->other_host, me);
-			me->destroy(me);
+			DBG2(DBG_IKE, "keeping connection path %H - %H",
+				 src, this->other_host);
+			src->destroy(src);
 			return SUCCESS;
 		}
-		me->destroy(me);
+		src->destroy(src);
 	}
 	
 	/* update addresses with mobike, if supported ... */
@@ -2177,7 +2253,7 @@ static status_t roam(private_ike_sa_t *this, bool address)
 		this->task_manager->queue_task(this->task_manager, (task_t*)mobike);
 		return this->task_manager->initiate(this->task_manager);
 	}
-	DBG1(DBG_IKE, "reauthenticating IKE_SA due address change");
+	DBG1(DBG_IKE, "reauthenticating IKE_SA due to address change");
 	/* ... reauth if not */
 	return reauth(this);
 }
@@ -2453,11 +2529,13 @@ static void destroy(private_ike_sa_t *this)
 	DESTROY_IF(this->server_reflexive_host);
 	chunk_free(&this->connect_id);
 #endif /* ME */
+	free(this->nat_detection_dest.ptr);
 	
 	DESTROY_IF(this->my_host);
 	DESTROY_IF(this->other_host);
 	DESTROY_IF(this->my_id);
 	DESTROY_IF(this->other_id);
+	DESTROY_IF(this->eap_identity);
 	
 	DESTROY_IF(this->ike_cfg);
 	DESTROY_IF(this->peer_cfg);
@@ -2502,6 +2580,8 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
 	this->public.set_my_id = (void (*)(ike_sa_t*,identification_t*)) set_my_id;
 	this->public.get_other_id = (identification_t* (*)(ike_sa_t*)) get_other_id;
 	this->public.set_other_id = (void (*)(ike_sa_t*,identification_t*)) set_other_id;
+	this->public.get_eap_identity = (identification_t* (*)(ike_sa_t*)) get_eap_identity;
+	this->public.set_eap_identity = (void (*)(ike_sa_t*,identification_t*)) set_eap_identity;
 	this->public.enable_extension = (void(*)(ike_sa_t*, ike_extension_t extension))enable_extension;
 	this->public.supports_extension = (bool(*)(ike_sa_t*, ike_extension_t extension))supports_extension;
 	this->public.set_condition = (void (*)(ike_sa_t*, ike_condition_t,bool)) set_condition;
@@ -2511,6 +2591,7 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
 	this->public.is_ike_initiator = (bool (*)(ike_sa_t*))is_ike_initiator;
 	this->public.create_additional_address_iterator = (iterator_t*(*)(ike_sa_t*))create_additional_address_iterator;
 	this->public.add_additional_address = (void(*)(ike_sa_t*, host_t *host))add_additional_address;
+	this->public.has_mapping_changed = (bool(*)(ike_sa_t*, chunk_t hash))has_mapping_changed;
 	this->public.retransmit = (status_t (*)(ike_sa_t *, u_int32_t)) retransmit;
 	this->public.delete = (status_t (*)(ike_sa_t*))delete_;
 	this->public.destroy = (void (*)(ike_sa_t*))destroy;
@@ -2560,6 +2641,7 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
 	this->other_host = host_create_from_string("0.0.0.0", IKEV2_UDP_PORT);
 	this->my_id = identification_create_from_encoding(ID_ANY, chunk_empty);
 	this->other_id = identification_create_from_encoding(ID_ANY, chunk_empty);
+	this->eap_identity = NULL;
 	this->extensions = 0;
 	this->conditions = 0;
 	this->selected_proposal = NULL;
@@ -2572,6 +2654,8 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
 	this->skp_build = chunk_empty;
  	this->child_prf = NULL;
 	this->state = IKE_CREATED;
+	this->keepalive_interval = lib->settings->get_time(lib->settings,
+									"charon.keep_alive", KEEPALIVE_INTERVAL);
 	this->time.inbound = this->time.outbound = time(NULL);
 	this->time.established = 0;
 	this->time.rekey = 0;
@@ -2587,6 +2671,7 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
 	this->other_virtual_ip = NULL;
 	this->dns_servers = linked_list_create();
 	this->additional_addresses = linked_list_create();
+	this->nat_detection_dest = chunk_empty;
 	this->pending_updates = 0;
 	this->keyingtry = 0;
 	this->ike_initiator = FALSE;
diff --git a/src/charon/sa/ike_sa.h b/src/charon/sa/ike_sa.h
index 0935f5d6b..717d41647 100644
--- a/src/charon/sa/ike_sa.h
+++ b/src/charon/sa/ike_sa.h
@@ -15,7 +15,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: ike_sa.h 4086 2008-06-22 11:24:33Z andreas $
+ * $Id: ike_sa.h 4368 2008-10-06 13:37:04Z martin $
  */
 
 /**
@@ -329,6 +329,22 @@ struct ike_sa_t {
 	 */
 	void (*set_other_id) (ike_sa_t *this, identification_t *other);
 	
+	/**
+	 * Get the peers EAP identity.
+	 *
+	 * The EAP identity is exchanged in a EAP-Identity exchange.
+	 * 
+	 * @return				identification, NULL if none set
+	 */
+	identification_t* (*get_eap_identity) (ike_sa_t *this);
+	
+	/**
+	 * Set the peer's EAP identity.
+	 * 
+	 * @param id			identification
+	 */
+	void (*set_eap_identity) (ike_sa_t *this, identification_t *id);
+	
 	/**
 	 * Get the config used to setup this IKE_SA.
 	 * 
@@ -390,6 +406,14 @@ struct ike_sa_t {
 	 */
 	iterator_t* (*create_additional_address_iterator)(ike_sa_t *this);
 	
+	/**
+	 * Check if mappings have changed on a NAT for our source address.
+	 *
+	 * @param hash			received DESTINATION_IP hash
+	 * @return				TRUE if mappings have changed
+	 */
+	bool (*has_mapping_changed)(ike_sa_t *this, chunk_t hash);
+	
 	/**
 	 * Enable an extension the peer supports.
 	 *
diff --git a/src/charon/sa/ike_sa_manager.c b/src/charon/sa/ike_sa_manager.c
index 9c1b2d413..bd7b84c6f 100644
--- a/src/charon/sa/ike_sa_manager.c
+++ b/src/charon/sa/ike_sa_manager.c
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: ike_sa_manager.c 4044 2008-06-06 15:05:54Z martin $
+ * $Id: ike_sa_manager.c 4234 2008-07-30 14:15:08Z martin $
  */
 
 #include <pthread.h>
@@ -79,6 +79,16 @@ struct entry_t {
 	 */
 	host_t *other;
 	
+	/**
+	 * own identity, required for duplicate checking
+	 */
+	identification_t *my_id;
+	
+	/**
+	 * remote identity, required for duplicate checking
+	 */
+	identification_t *other_id;
+	
 	/**
 	 * message ID currently processing, if any
 	 */
@@ -95,6 +105,8 @@ static status_t entry_destroy(entry_t *this)
 	this->ike_sa_id->destroy(this->ike_sa_id);
 	chunk_free(&this->init_hash);
 	DESTROY_IF(this->other);
+	DESTROY_IF(this->my_id);
+	DESTROY_IF(this->other_id);
 	free(this);
 	return SUCCESS;
 }
@@ -116,6 +128,8 @@ static entry_t *entry_create(ike_sa_id_t *ike_sa_id)
 	this->message_id = -1;
 	this->init_hash = chunk_empty;
 	this->other = NULL;
+	this->my_id = NULL;
+	this->other_id = NULL;
 	
 	/* ike_sa_id is always cloned */
 	this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
@@ -157,6 +171,11 @@ struct private_ike_sa_manager_t {
 	  * SHA1 hasher for IKE_SA_INIT retransmit detection
 	  */
 	 hasher_t *hasher;
+	
+	/**
+	 * reuse existing IKE_SAs in checkout_by_config
+	 */
+	 bool reuse_ikesa;
 };
 
 /**
@@ -504,7 +523,7 @@ static ike_sa_t* checkout_by_config(private_ike_sa_manager_t *this,
 	
 	pthread_mutex_lock(&(this->mutex));
 	
-	if (my_host && other_host)
+	if (my_host && other_host && this->reuse_ikesa)
 	{
 		enumerator = this->ike_sa_list->create_enumerator(this->ike_sa_list);
 		while (enumerator->enumerate(enumerator, &entry))
@@ -721,10 +740,13 @@ static ike_sa_t* checkout_duplicate(private_ike_sa_manager_t *this,
 		{	/* self is not a duplicate */
 			continue;
 		}
-		if (wait_for_entry(this, entry))
-		{
-			if (me->equals(me, entry->ike_sa->get_my_id(entry->ike_sa)) &&
-				other->equals(other, entry->ike_sa->get_other_id(entry->ike_sa)))
+		if (entry->my_id && me->equals(me, entry->my_id) &&
+			entry->other_id && other->equals(other, entry->other_id))
+		{	
+			/* we are sure that the other entry is not calling 
+			 * checkout_duplicate here, as the identities in entry would not
+			 * have been set yet. Otherwise we would risk a deadlock. */
+			if (wait_for_entry(this, entry))
 			{
 				duplicate = entry->ike_sa;
 				entry->checked_out = TRUE;
@@ -784,6 +806,7 @@ static status_t checkin(private_ike_sa_manager_t *this, ike_sa_t *ike_sa)
 	entry_t *entry;
 	ike_sa_id_t *ike_sa_id;
 	host_t *other;
+	identification_t *my_id, *other_id;
 	
 	ike_sa_id = ike_sa->get_id(ike_sa);
 	
@@ -806,6 +829,21 @@ static status_t checkin(private_ike_sa_manager_t *this, ike_sa_t *ike_sa)
 			DESTROY_IF(entry->other);
 			entry->other = other->clone(other);
 		}
+		/* apply identities for diplicate test */
+		my_id = ike_sa->get_my_id(ike_sa);
+		other_id = ike_sa->get_other_id(ike_sa);
+		if (!entry->my_id ||
+			entry->my_id->get_type(entry->my_id) == ID_ANY)
+		{
+			DESTROY_IF(entry->my_id);
+			entry->my_id = my_id->clone(my_id);
+		}
+		if (!entry->other_id ||
+			entry->other_id->get_type(entry->other_id) == ID_ANY)
+		{
+			DESTROY_IF(entry->other_id);
+			entry->other_id = other_id->clone(other_id);
+		}
 		DBG2(DBG_MGR, "check-in of IKE_SA successful.");
 		pthread_cond_signal(&(entry->condvar));
 	 	retval = SUCCESS;
@@ -1009,6 +1047,8 @@ ike_sa_manager_t *ike_sa_manager_create()
 	}
 	this->ike_sa_list = linked_list_create();
 	pthread_mutex_init(&this->mutex, NULL);
+	this->reuse_ikesa = lib->settings->get_bool(lib->settings,
+												"charon.reuse_ikesa", TRUE);
 	return &this->public;
 }
 
diff --git a/src/charon/sa/task_manager.c b/src/charon/sa/task_manager.c
index e453fff00..25089477b 100644
--- a/src/charon/sa/task_manager.c
+++ b/src/charon/sa/task_manager.c
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: task_manager.c 3666 2008-03-26 18:40:19Z tobias $
+ * $Id: task_manager.c 4320 2008-09-02 14:02:40Z martin $
  */
 
 #include "task_manager.h"
@@ -159,22 +159,22 @@ static void flush(private_task_manager_t *this)
 		switch (task->get_type(task))
 		{
 			case IKE_AUTH:
-				SIG(IKE_UP_FAILED, "establishing IKE_SA failed");
+				SIG_IKE(UP_FAILED, "establishing IKE_SA failed");
 				break;
 			case IKE_DELETE:
-				SIG(IKE_DOWN_FAILED, "IKE_SA deleted");
+				SIG_IKE(DOWN_FAILED, "IKE_SA deleted");
 				break;
 			case IKE_REKEY:
-				SIG(IKE_REKEY_FAILED, "rekeying IKE_SA failed");
+				SIG_IKE(REKEY_FAILED, "rekeying IKE_SA failed");
 				break;
 			case CHILD_CREATE:
-				SIG(CHILD_UP_FAILED, "establishing CHILD_SA failed");
+				SIG_CHD(UP_FAILED, NULL, "establishing CHILD_SA failed");
 				break;
 			case CHILD_DELETE:
-				SIG(CHILD_DOWN_FAILED, "deleting CHILD_SA failed");
+				SIG_CHD(DOWN_FAILED, NULL, "deleting CHILD_SA failed");
 				break;
 			case CHILD_REKEY:
-				SIG(IKE_REKEY_FAILED, "rekeying CHILD_SA failed");
+				SIG_IKE(REKEY_FAILED, "rekeying CHILD_SA failed");
 				break;
 			default:
 				break;
@@ -775,6 +775,8 @@ static status_t process_request(private_task_manager_t *this,
 							case UNACCEPTABLE_ADDRESSES:
 							case UNEXPECTED_NAT_DETECTED:
 							case COOKIE2:
+							case NAT_DETECTION_SOURCE_IP:
+							case NAT_DETECTION_DESTINATION_IP:
 								task = (task_t*)ike_mobike_create(
 														this->ike_sa, FALSE);
 								break;
diff --git a/src/charon/sa/tasks/child_create.c b/src/charon/sa/tasks/child_create.c
index 4638da03e..bddca621b 100644
--- a/src/charon/sa/tasks/child_create.c
+++ b/src/charon/sa/tasks/child_create.c
@@ -14,7 +14,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: child_create.c 3920 2008-05-08 16:19:11Z tobias $
+ * $Id: child_create.c 4358 2008-09-25 13:56:23Z tobias $
  */
 
 #include "child_create.h"
@@ -26,6 +26,7 @@
 #include <encoding/payloads/ts_payload.h>
 #include <encoding/payloads/nonce_payload.h>
 #include <encoding/payloads/notify_payload.h>
+#include <processing/jobs/delete_ike_sa_job.h>
 
 
 typedef struct private_child_create_t private_child_create_t;
@@ -98,7 +99,7 @@ struct private_child_create_t {
 	/**
 	 * mode the new CHILD_SA uses (transport/tunnel/beet)
 	 */
-	mode_t mode;
+	ipsec_mode_t mode;
 	
 	/**
 	 * IPComp transform to use
@@ -198,12 +199,12 @@ static status_t select_and_install(private_child_create_t *this, bool no_dh)
 	
 	if (this->proposals == NULL)
 	{
-		SIG(CHILD_UP_FAILED, "SA payload missing in message");
+		SIG_CHD(UP_FAILED, this->child_sa, "SA payload missing in message");
 		return FAILED;
 	}
 	if (this->tsi == NULL || this->tsr == NULL)
 	{
-		SIG(CHILD_UP_FAILED, "TS payloads missing in message");
+		SIG_CHD(UP_FAILED, this->child_sa, "TS payloads missing in message");
 		return NOT_FOUND;
 	}
 	
@@ -231,7 +232,7 @@ static status_t select_and_install(private_child_create_t *this, bool no_dh)
 												   no_dh);
 	if (this->proposal == NULL)
 	{
-		SIG(CHILD_UP_FAILED, "no acceptable proposal found");
+		SIG_CHD(UP_FAILED, this->child_sa, "no acceptable proposal found");
 		return FAILED;
 	}
 	
@@ -242,15 +243,15 @@ static status_t select_and_install(private_child_create_t *this, bool no_dh)
 		if (this->proposal->get_algorithm(this->proposal, DIFFIE_HELLMAN_GROUP,
 										  &group, NULL))
 		{
-			SIG(CHILD_UP_FAILED, "DH group %N inacceptable, requesting %N",
-				diffie_hellman_group_names, this->dh_group,
-				diffie_hellman_group_names, group);
+			SIG_CHD(UP_FAILED, this->child_sa, "DH group %N inacceptable, "
+					"requesting %N", diffie_hellman_group_names, this->dh_group,
+					diffie_hellman_group_names, group);
 			this->dh_group = group;
 			return INVALID_ARG;
 		}
 		else
 		{
-			SIG(CHILD_UP_FAILED, "no acceptable proposal found");
+			SIG_CHD(UP_FAILED, this->child_sa, "no acceptable proposal found");
 			return FAILED;
 		}
 	}
@@ -278,7 +279,7 @@ static status_t select_and_install(private_child_create_t *this, bool no_dh)
 	{
 		my_ts->destroy_offset(my_ts, offsetof(traffic_selector_t, destroy));
 		other_ts->destroy_offset(other_ts, offsetof(traffic_selector_t, destroy));
-		SIG(CHILD_UP_FAILED, "no acceptable traffic selectors found");
+		SIG_CHD(UP_FAILED, this->child_sa, "no acceptable traffic selectors found");
 		return NOT_FOUND;
 	}
 	
@@ -330,7 +331,7 @@ static status_t select_and_install(private_child_create_t *this, bool no_dh)
 	{
 		if (this->dh->get_shared_secret(this->dh, &secret) != SUCCESS)
 		{
-			SIG(CHILD_UP_FAILED, "DH exchange incomplete");
+			SIG_CHD(UP_FAILED, this->child_sa, "DH exchange incomplete");
 			return FAILED;
 		}
 		DBG3(DBG_IKE, "DH secret %B", &secret);
@@ -340,7 +341,6 @@ static status_t select_and_install(private_child_create_t *this, bool no_dh)
 	{
 		seed = chunk_cata("cc", nonce_i, nonce_r);
 	}
-	prf_plus = prf_plus_create(this->ike_sa->get_child_prf(this->ike_sa), seed);
 	
 	if (this->ipcomp != IPCOMP_NONE)
 	{
@@ -348,6 +348,16 @@ static status_t select_and_install(private_child_create_t *this, bool no_dh)
 										this->other_cpi);
 	}
 	
+	status = this->child_sa->add_policies(this->child_sa, my_ts, other_ts,
+					this->mode, this->proposal->get_protocol(this->proposal));
+	if (status != SUCCESS)
+	{	
+		SIG_CHD(UP_FAILED, this->child_sa, 
+				"unable to install IPsec policies (SPD) in kernel");
+		return NOT_FOUND;
+	}
+	
+	prf_plus = prf_plus_create(this->ike_sa->get_child_prf(this->ike_sa), seed);
 	if (this->initiator)
 	{
 		status = this->child_sa->update(this->child_sa, this->proposal,
@@ -362,18 +372,10 @@ static status_t select_and_install(private_child_create_t *this, bool no_dh)
 	
 	if (status != SUCCESS)
 	{
-		SIG(CHILD_UP_FAILED, "unable to install IPsec SA (SAD) in kernel");
+		SIG_CHD(UP_FAILED, this->child_sa, 
+				"unable to install IPsec SA (SAD) in kernel");
 		return FAILED;
 	}
-	
-	status = this->child_sa->add_policies(this->child_sa, my_ts, other_ts,
-										  this->mode);
-										  
-	if (status != SUCCESS)
-	{	
-		SIG(CHILD_UP_FAILED, "unable to install IPsec policies (SPD) in kernel");
-		return NOT_FOUND;
-	}
 	/* add to IKE_SA, and remove from task */
 	this->child_sa->set_state(this->child_sa, CHILD_INSTALLED);
 	this->ike_sa->add_child_sa(this->ike_sa, this->child_sa);
@@ -440,29 +442,30 @@ static void build_payloads(private_child_create_t *this, message_t *message)
 /**
  * Adds an IPCOMP_SUPPORTED notify to the message, if possible
  */
-static void build_ipcomp_supported_notify(private_child_create_t *this, message_t *message)
+static void build_ipcomp_supported_notify(private_child_create_t *this,
+										  message_t *message)
 {
+	u_int16_t cpi;
+	u_int8_t tid;
+
 	if (this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY))
 	{
-		DBG1(DBG_IKE, "IPComp is not supported if either peer is natted, IPComp is disabled");
+		DBG1(DBG_IKE, "IPComp is not supported if either peer is natted, "
+			 "IPComp disabled");
 		this->ipcomp = IPCOMP_NONE;
 		return;
 	}
 	
-	u_int16_t cpi = this->child_sa->get_my_cpi(this->child_sa);
+	cpi = this->child_sa->allocate_cpi(this->child_sa);
+	tid = this->ipcomp;
 	if (cpi)
 	{
-		chunk_t cpi_chunk, tid_chunk, data;
-		u_int8_t tid = this->ipcomp;
-		cpi_chunk = chunk_from_thing(cpi);
-		tid_chunk = chunk_from_thing(tid);
-		data = chunk_cat("cc", cpi_chunk, tid_chunk);
-		message->add_notify(message, FALSE, IPCOMP_SUPPORTED, data);
-		chunk_free(&data);
+		message->add_notify(message, FALSE, IPCOMP_SUPPORTED,
+				chunk_cata("cc", chunk_from_thing(cpi), chunk_from_thing(tid)));
 	}
 	else
 	{
-		DBG1(DBG_IKE, "unable to allocate a CPI from kernel, IPComp is disabled");
+		DBG1(DBG_IKE, "unable to allocate a CPI from kernel, IPComp disabled");
 		this->ipcomp = IPCOMP_NONE;
 	}
 }
@@ -587,7 +590,16 @@ static status_t build_i(private_child_create_t *this, message_t *message)
 			break;
 	}
 	
-	SIG(CHILD_UP_START, "establishing CHILD_SA");
+	if (this->reqid)
+	{
+		SIG_CHD(UP_START, NULL, "establishing CHILD_SA %s{%d}",
+				this->config->get_name(this->config), this->reqid);
+	}
+	else
+	{
+		SIG_CHD(UP_START, NULL, "establishing CHILD_SA %s",
+				this->config->get_name(this->config));
+	}
 	
 	/* reuse virtual IP if we already have one */
 	me = this->ike_sa->get_virtual_ip(this->ike_sa, TRUE);
@@ -638,7 +650,8 @@ static status_t build_i(private_child_create_t *this, message_t *message)
 	
 	if (this->child_sa->alloc(this->child_sa, this->proposals) != SUCCESS)
 	{
-		SIG(CHILD_UP_FAILED, "unable to allocate SPIs from kernel");
+		SIG_CHD(UP_FAILED, this->child_sa,
+				"unable to allocate SPIs from kernel");
 		return FAILED;
 	}
 	
@@ -719,11 +732,32 @@ static status_t process_r(private_child_create_t *this, message_t *message)
 	return NEED_MORE;
 }
 
+/**
+ * handle CHILD_SA setup failure
+ */
+static void handle_child_sa_failure(private_child_create_t *this,
+									message_t *message)
+{
+	if (message->get_exchange_type(message) == IKE_AUTH &&
+		lib->settings->get_bool(lib->settings,
+								"charon.close_ike_on_child_failure", FALSE))
+	{
+		/* we delay the delete for 100ms, as the IKE_AUTH response must arrive
+		 * first */
+		DBG1(DBG_IKE, "closing IKE_SA due CHILD_SA setup failure");
+		charon->scheduler->schedule_job(charon->scheduler, (job_t*)
+			delete_ike_sa_job_create(this->ike_sa->get_id(this->ike_sa), TRUE),
+			100);
+	}
+}
+
 /**
  * Implementation of task_t.build for responder
  */
 static status_t build_r(private_child_create_t *this, message_t *message)
 {
+	payload_t *payload;
+	iterator_t *iterator;
 	bool no_dh = TRUE;
 
 	switch (message->get_exchange_type(message))
@@ -733,7 +767,8 @@ static status_t build_r(private_child_create_t *this, message_t *message)
 		case CREATE_CHILD_SA:
 			if (generate_nonce(&this->my_nonce) != SUCCESS)
 			{
-				message->add_notify(message, FALSE, NO_PROPOSAL_CHOSEN, chunk_empty);
+				message->add_notify(message, FALSE, NO_PROPOSAL_CHOSEN,
+									chunk_empty);
 				return SUCCESS;
 			}
 			no_dh = FALSE;
@@ -750,19 +785,47 @@ static status_t build_r(private_child_create_t *this, message_t *message)
 	
 	if (this->ike_sa->get_state(this->ike_sa) == IKE_REKEYING)
 	{
-		SIG(CHILD_UP_FAILED, "unable to create CHILD_SA while rekeying IKE_SA");
+		SIG_CHD(UP_FAILED, NULL,
+				"unable to create CHILD_SA while rekeying IKE_SA");
 		message->add_notify(message, TRUE, NO_ADDITIONAL_SAS, chunk_empty);
 		return SUCCESS;
 	}
 	
 	if (this->config == NULL)
 	{
-		SIG(CHILD_UP_FAILED, "traffic selectors %#R=== %#R inacceptable",
+		SIG_CHD(UP_FAILED, NULL, "traffic selectors %#R=== %#R inacceptable",
 			this->tsr, this->tsi);
 		message->add_notify(message, FALSE, TS_UNACCEPTABLE, chunk_empty);
+		handle_child_sa_failure(this, message);
 		return SUCCESS;
 	}
 	
+	/* check if ike_config_t included non-critical error notifies */
+	iterator = message->get_payload_iterator(message);
+	while (iterator->iterate(iterator, (void**)&payload))
+	{
+		if (payload->get_type(payload) == NOTIFY)
+		{
+			notify_payload_t *notify = (notify_payload_t*)payload;
+			
+			switch (notify->get_notify_type(notify))
+			{
+				case INTERNAL_ADDRESS_FAILURE:
+				case FAILED_CP_REQUIRED:
+				{
+					SIG_CHD(UP_FAILED, NULL, "configuration payload negotation "
+						"failed, no CHILD_SA built");
+					iterator->destroy(iterator);
+					handle_child_sa_failure(this, message);
+					return SUCCESS;
+				}
+				default:
+					break;
+			}
+		}
+	}
+	iterator->destroy(iterator);
+	
 	this->child_sa = child_sa_create(
 			this->ike_sa->get_my_host(this->ike_sa),
 			this->ike_sa->get_other_host(this->ike_sa),
@@ -770,14 +833,16 @@ static status_t build_r(private_child_create_t *this, message_t *message)
 			this->ike_sa->get_other_id(this->ike_sa), this->config, this->reqid,
 			this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY));
 	
-	if (this->config->use_ipcomp(this->config) && this->ipcomp_received != IPCOMP_NONE)
+	if (this->config->use_ipcomp(this->config) &&
+		this->ipcomp_received != IPCOMP_NONE)
 	{
 		this->ipcomp = this->ipcomp_received;
 		build_ipcomp_supported_notify(this, message);
 	}
 	else if (this->ipcomp_received != IPCOMP_NONE)
 	{
-		DBG1(DBG_IKE, "received IPCOMP_SUPPORTED notify but IPComp is disabled, ignoring");
+		DBG1(DBG_IKE, "received %N notify but IPComp is disabled, ignoring",
+			 notify_type_names, IPCOMP_SUPPORTED);
 	}
 	
 	switch (select_and_install(this, no_dh))
@@ -786,24 +851,33 @@ static status_t build_r(private_child_create_t *this, message_t *message)
 			break;
 		case NOT_FOUND:
 			message->add_notify(message, FALSE, TS_UNACCEPTABLE, chunk_empty);
+			handle_child_sa_failure(this, message);
 			return SUCCESS;
 		case INVALID_ARG:
 		{
 			u_int16_t group = htons(this->dh_group);
 			message->add_notify(message, FALSE, INVALID_KE_PAYLOAD,
 								chunk_from_thing(group));
+			handle_child_sa_failure(this, message);
 			return SUCCESS;
 		}
 		case FAILED:
 		default:
 			message->add_notify(message, FALSE, NO_PROPOSAL_CHOSEN, chunk_empty);
+			handle_child_sa_failure(this, message);
 			return SUCCESS;
 	}
 	
 	build_payloads(this, message);
 	
-	SIG(CHILD_UP_SUCCESS, "CHILD_SA '%s' established successfully",
-						   this->child_sa->get_name(this->child_sa));
+	SIG_CHD(UP_SUCCESS, this->child_sa, "CHILD_SA %s{%d} established "
+			"with SPIs %.8x_i %.8x_o and TS %#R=== %#R",
+			this->child_sa->get_name(this->child_sa),
+			this->child_sa->get_reqid(this->child_sa),
+			ntohl(this->child_sa->get_spi(this->child_sa, TRUE)),
+			ntohl(this->child_sa->get_spi(this->child_sa, FALSE)),
+			this->child_sa->get_traffic_selectors(this->child_sa, TRUE),
+			this->child_sa->get_traffic_selectors(this->child_sa, FALSE));
 
 	return SUCCESS;
 }
@@ -855,9 +929,10 @@ static status_t process_i(private_child_create_t *this, message_t *message)
 				case TS_UNACCEPTABLE:
 				case INVALID_SELECTORS:
 				{
-					SIG(CHILD_UP_FAILED, "received %N notify, no CHILD_SA built",
-						notify_type_names, type);
+					SIG_CHD(UP_FAILED, this->child_sa, "received %N notify, "
+							"no CHILD_SA built", notify_type_names, type);
 					iterator->destroy(iterator);
+					handle_child_sa_failure(this, message);
 					/* an error in CHILD_SA creation is not critical */
 					return SUCCESS;
 				}
@@ -888,8 +963,9 @@ static status_t process_i(private_child_create_t *this, message_t *message)
 	
 	if (this->ipcomp == IPCOMP_NONE && this->ipcomp_received != IPCOMP_NONE)
 	{
-		SIG(CHILD_UP_FAILED, "received an IPCOMP_SUPPORTED notify but we did not "
-					"send one previously, no CHILD_SA built");
+		SIG_CHD(UP_FAILED, this->child_sa, "received an IPCOMP_SUPPORTED notify"
+				" but we did not send one previously, no CHILD_SA built");
+		handle_child_sa_failure(this, message);
 		return SUCCESS;
 	}
 	else if (this->ipcomp != IPCOMP_NONE && this->ipcomp_received == IPCOMP_NONE)
@@ -900,15 +976,26 @@ static status_t process_i(private_child_create_t *this, message_t *message)
 	}
 	else if (this->ipcomp != IPCOMP_NONE && this->ipcomp != this->ipcomp_received)
 	{
-		SIG(CHILD_UP_FAILED, "received an IPCOMP_SUPPORTED notify for a transform "
-					"we did not propose, no CHILD_SA built");
+		SIG_CHD(UP_FAILED, this->child_sa, "received an IPCOMP_SUPPORTED notify"
+				" for a transform we did not propose, no CHILD_SA built");
+		handle_child_sa_failure(this, message);
 		return SUCCESS;
 	}
 	
 	if (select_and_install(this, no_dh) == SUCCESS)
 	{
-		SIG(CHILD_UP_SUCCESS, "CHILD_SA '%s' established successfully",
-							   this->child_sa->get_name(this->child_sa));
+		SIG_CHD(UP_SUCCESS, this->child_sa, "CHILD_SA %s{%d} established "
+				"with SPIs %.8x_i %.8x_o and TS %#R=== %#R",
+				this->child_sa->get_name(this->child_sa),
+				this->child_sa->get_reqid(this->child_sa),
+				ntohl(this->child_sa->get_spi(this->child_sa, TRUE)),
+				ntohl(this->child_sa->get_spi(this->child_sa, FALSE)),
+				this->child_sa->get_traffic_selectors(this->child_sa, TRUE),
+				this->child_sa->get_traffic_selectors(this->child_sa, FALSE));
+	}
+	else
+	{
+		handle_child_sa_failure(this, message);
 	}
 	return SUCCESS;
 }
diff --git a/src/charon/sa/tasks/child_delete.c b/src/charon/sa/tasks/child_delete.c
index 4156f9704..a3c74dc90 100644
--- a/src/charon/sa/tasks/child_delete.c
+++ b/src/charon/sa/tasks/child_delete.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: child_delete.c 3802 2008-04-14 08:17:18Z martin $
+ * $Id: child_delete.c 4366 2008-10-03 16:01:14Z martin $
  */
 
 #include "child_delete.h"
@@ -43,6 +43,11 @@ struct private_child_delete_t {
 	 */
 	bool initiator;
 	
+	/**
+ 	 * wheter to enforce delete action policy
+ 	 */
+ 	bool check_delete_action;
+	
 	/**
 	 * CHILD_SAs which get deleted
 	 */
@@ -54,16 +59,17 @@ struct private_child_delete_t {
  */
 static void build_payloads(private_child_delete_t *this, message_t *message)
 {
-	iterator_t *iterator;
 	delete_payload_t *ah = NULL, *esp = NULL;
-	u_int32_t spi;
+	iterator_t *iterator;
 	child_sa_t *child_sa;
 	
 	iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
 	while (iterator->iterate(iterator, (void**)&child_sa))
 	{	
-		spi = child_sa->get_spi(child_sa, TRUE);
-		switch (child_sa->get_protocol(child_sa))
+		protocol_id_t protocol = child_sa->get_protocol(child_sa);
+		u_int32_t spi = child_sa->get_spi(child_sa, TRUE);
+
+		switch (protocol)
 		{
 			case PROTO_ESP:
 				if (esp == NULL)
@@ -72,6 +78,8 @@ static void build_payloads(private_child_delete_t *this, message_t *message)
 					message->add_payload(message, (payload_t*)esp);
 				}
 				esp->add_spi(esp, spi);
+				DBG1(DBG_IKE, "sending DELETE for %N CHILD_SA with SPI %.8x", 
+							   protocol_id_names, protocol, ntohl(spi));
 				break;
 			case PROTO_AH:
 				if (ah == NULL)
@@ -80,6 +88,8 @@ static void build_payloads(private_child_delete_t *this, message_t *message)
 					message->add_payload(message, (payload_t*)ah);
 				}
 				ah->add_spi(ah, spi);
+				DBG1(DBG_IKE, "sending DELETE for %N CHILD_SA with SPI %.8x", 
+							   protocol_id_names, protocol, ntohl(spi));
 				break;
 			default:
 				break;
@@ -119,11 +129,11 @@ static void process_payloads(private_child_delete_t *this, message_t *message)
 													  *spi, FALSE);
 				if (child_sa == NULL)
 				{
-					DBG1(DBG_IKE, "received DELETE for %N CHILD_SA with SPI 0x%x, "
+					DBG1(DBG_IKE, "received DELETE for %N CHILD_SA with SPI %.8x, "
 						 "but no such SA", protocol_id_names, protocol, ntohl(*spi));
 					continue;
 				}
-				DBG2(DBG_IKE, "received DELETE for %N CHILD_SA with SPI 0x%x", 
+				DBG1(DBG_IKE, "received DELETE for %N CHILD_SA with SPI %.8x", 
 						protocol_id_names, protocol, ntohl(*spi));
 				
 				switch (child_sa->get_state(child_sa))
@@ -139,6 +149,11 @@ static void process_payloads(private_child_delete_t *this, message_t *message)
 														   protocol, *spi);
 							continue;
 						}
+					case CHILD_INSTALLED:
+						if (!this->initiator)
+						{	/* reestablish installed children if required */
+							this->check_delete_action = TRUE;
+						}
 					default:
 						break;
 				}
@@ -171,7 +186,7 @@ static status_t destroy_and_reestablish(private_child_delete_t *this)
 		child_cfg = child_sa->get_config(child_sa);
 		child_cfg->get_ref(child_cfg);
 		this->ike_sa->destroy_child_sa(this->ike_sa, protocol, spi);
-		if (!this->initiator)
+		if (this->check_delete_action)
 		{	/* enforce child_cfg policy if deleted passively */
 			switch (child_cfg->get_close_action(child_cfg))
 			{
@@ -207,9 +222,14 @@ static void log_children(private_child_delete_t *this)
 	iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
 	while (iterator->iterate(iterator, (void**)&child_sa))
 	{
-		SIG(CHILD_DOWN_START, "closing CHILD_SA %#R=== %#R",
-			child_sa->get_traffic_selectors(child_sa, TRUE),
-			child_sa->get_traffic_selectors(child_sa, FALSE));
+		SIG_CHD(DOWN_START, child_sa, "closing CHILD_SA %s{%d} "
+				"with SPIs %.8x_i %.8x_o and TS %#R=== %#R",
+				child_sa->get_name(child_sa),
+				child_sa->get_reqid(child_sa),
+				ntohl(child_sa->get_spi(child_sa, TRUE)),
+				ntohl(child_sa->get_spi(child_sa, FALSE)),
+				child_sa->get_traffic_selectors(child_sa, TRUE),
+				child_sa->get_traffic_selectors(child_sa, FALSE));
 	}
 	iterator->destroy(iterator);
 }
@@ -234,7 +254,7 @@ static status_t process_i(private_child_delete_t *this, message_t *message)
 	this->child_sas = linked_list_create();
 	
 	process_payloads(this, message);
-	SIG(CHILD_DOWN_SUCCESS, "CHILD_SA closed");
+	SIG_CHD(DOWN_SUCCESS, NULL, "CHILD_SA closed");
 	return destroy_and_reestablish(this);
 }
 
@@ -258,7 +278,7 @@ static status_t build_r(private_child_delete_t *this, message_t *message)
 	{
 		build_payloads(this, message);	
 	}
-	SIG(CHILD_DOWN_SUCCESS, "CHILD_SA closed");
+	SIG_CHD(DOWN_SUCCESS, NULL, "CHILD_SA closed");
 	return destroy_and_reestablish(this);
 }
 
@@ -285,6 +305,7 @@ static child_sa_t* get_child(private_child_delete_t *this)
  */
 static void migrate(private_child_delete_t *this, ike_sa_t *ike_sa)
 {
+	this->check_delete_action = FALSE;
 	this->ike_sa = ike_sa;
 	
 	this->child_sas->destroy(this->child_sas);
@@ -313,6 +334,7 @@ child_delete_t *child_delete_create(ike_sa_t *ike_sa, child_sa_t *child_sa)
 	this->public.task.destroy = (void(*)(task_t*))destroy;
 	
 	this->ike_sa = ike_sa;
+	this->check_delete_action = FALSE;
 	this->child_sas = linked_list_create();
 	
 	if (child_sa != NULL)
diff --git a/src/charon/sa/tasks/ike_auth.c b/src/charon/sa/tasks/ike_auth.c
index fd5012ee6..51f37f1b0 100644
--- a/src/charon/sa/tasks/ike_auth.c
+++ b/src/charon/sa/tasks/ike_auth.c
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details
  *
- * $Id: ike_auth.c 4051 2008-06-10 09:08:27Z tobias $
+ * $Id: ike_auth.c 4276 2008-08-22 10:44:51Z martin $
  */
 
 #include "ike_auth.h"
@@ -29,7 +29,6 @@
 #include <sa/authenticators/eap_authenticator.h>
 
 
-
 typedef struct private_ike_auth_t private_ike_auth_t;
 
 /**
@@ -150,6 +149,44 @@ static bool check_uniqueness(private_ike_auth_t *this)
 	return cancel;
 }
 
+/**
+ * get the authentication class of a config
+ */
+auth_class_t get_auth_class(peer_cfg_t *config)
+{
+	auth_class_t *class;
+	auth_info_t *auth_info;
+	
+	auth_info = config->get_auth(config);
+	if (auth_info->get_item(auth_info, AUTHN_AUTH_CLASS, (void**)&class))
+	{
+		return *class;
+	}
+	/* fallback to pubkey authentication */
+	return AUTH_CLASS_PUBKEY;
+}
+
+/**
+ * get the eap type/vendor
+ */
+static eap_type_t get_eap_type(peer_cfg_t *config, u_int32_t *vendor)
+{
+	auth_info_t *auth_info;
+	u_int *ptr;
+	
+	*vendor = 0;
+	auth_info = config->get_auth(config);
+	if (auth_info->get_item(auth_info, AUTHN_EAP_VENDOR, (void**)&ptr))
+	{
+		*vendor = *ptr;
+	}
+	if (auth_info->get_item(auth_info, AUTHN_EAP_TYPE, (void**)&ptr))
+	{
+		return *ptr;
+	}
+	return EAP_NAK;
+}
+
 /**
  * build the AUTH payload
  */
@@ -158,23 +195,21 @@ static status_t build_auth(private_ike_auth_t *this, message_t *message)
 	authenticator_t *auth;
 	auth_payload_t *auth_payload;
 	peer_cfg_t *config;
-	config_auth_method_t method;
 	status_t status;
 	
 	/* create own authenticator and add auth payload */
 	config = this->ike_sa->get_peer_cfg(this->ike_sa);
 	if (!config)
 	{
-		SIG(IKE_UP_FAILED, "unable to authenticate, no peer config found");
+		SIG_IKE(UP_FAILED, "unable to authenticate, no peer config found");
 		return FAILED;
 	}
-	method = config->get_auth_method(config);
 	
-	auth = authenticator_create(this->ike_sa, method);
+	auth = authenticator_create_from_class(this->ike_sa, get_auth_class(config));
 	if (auth == NULL)
 	{
-		SIG(IKE_UP_FAILED, "configured authentication method %N not supported",
-			config_auth_method_names, method);
+		SIG_IKE(UP_FAILED, "configured authentication class %N not supported",
+			auth_class_names, get_auth_class(config));
 		return FAILED;
 	}
 	
@@ -183,7 +218,7 @@ static status_t build_auth(private_ike_auth_t *this, message_t *message)
 	auth->destroy(auth);
 	if (status != SUCCESS)
 	{
-		SIG(IKE_UP_FAILED, "generating authentication data failed");
+		SIG_IKE(UP_FAILED, "generating authentication data failed");
 		return FAILED;
 	}
 	message->add_payload(message, (payload_t*)auth_payload);
@@ -208,7 +243,7 @@ static status_t build_id(private_ike_auth_t *this, message_t *message)
 		me = config->get_my_id(config);
 		if (me->contains_wildcards(me))
 		{
-			SIG(IKE_UP_FAILED, "negotiation of own ID failed");
+			SIG_IKE(UP_FAILED, "negotiation of own ID failed");
 			return FAILED;
 		}
 		this->ike_sa->set_my_id(this->ike_sa, me->clone(me));
@@ -245,11 +280,11 @@ static status_t process_auth(private_ike_auth_t *this, message_t *message)
 	}
 	
 	auth_method = auth_payload->get_auth_method(auth_payload);
-	auth = authenticator_create_from_auth_payload(this->ike_sa, auth_payload);
-
+	auth = authenticator_create_from_method(this->ike_sa,
+									auth_payload->get_auth_method(auth_payload));
 	if (auth == NULL)
 	{
-		SIG(IKE_UP_FAILED, "authentication method %N used by '%D' not "
+		SIG_IKE(UP_FAILED, "authentication method %N used by '%D' not "
 			"supported", auth_method_names, auth_method,
 			this->ike_sa->get_other_id(this->ike_sa));
 		return NOT_SUPPORTED;
@@ -259,7 +294,7 @@ static status_t process_auth(private_ike_auth_t *this, message_t *message)
 	auth->destroy(auth);
 	if (status != SUCCESS)
 	{
-		SIG(IKE_UP_FAILED, "authentication of '%D' with %N failed",
+		SIG_IKE(UP_FAILED, "authentication of '%D' with %N failed",
 			 this->ike_sa->get_other_id(this->ike_sa), 
 			 auth_method_names, auth_method);	
 		return FAILED;
@@ -280,7 +315,7 @@ static status_t process_id(private_ike_auth_t *this, message_t *message)
 
 	if ((this->initiator && idr == NULL) || (!this->initiator && idi == NULL))
 	{
-		SIG(IKE_UP_FAILED, "ID payload missing in message");
+		SIG_IKE(UP_FAILED, "ID payload missing in message");
 		return FAILED;
 	}
 	
@@ -290,7 +325,7 @@ static status_t process_id(private_ike_auth_t *this, message_t *message)
 		req = this->ike_sa->get_other_id(this->ike_sa);
 		if (!id->matches(id, req))
 		{
-			SIG(IKE_UP_FAILED, "peer ID '%D' unacceptable, '%D' required", id, req);
+			SIG_IKE(UP_FAILED, "peer ID '%D' unacceptable, '%D' required", id, req);
 			id->destroy(id);
 			return FAILED;
 		}
@@ -367,7 +402,7 @@ static status_t build_auth_eap(private_ike_auth_t *this, message_t *message)
 	if (auth->build(auth, this->my_packet->get_data(this->my_packet),
 		this->other_nonce, &auth_payload) != SUCCESS)
 	{
-		SIG(IKE_UP_FAILED, "generating authentication data failed");
+		SIG_IKE(UP_FAILED, "generating authentication data failed");
 		if (!this->initiator)
 		{
 			message->add_notify(message, TRUE, AUTHENTICATION_FAILED, chunk_empty);
@@ -378,12 +413,13 @@ static status_t build_auth_eap(private_ike_auth_t *this, message_t *message)
 	if (!this->initiator)
 	{
 		this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
-		SIG(IKE_UP_SUCCESS, "IKE_SA '%s' established between %H[%D]...[%D]%H",
+		SIG_IKE(UP_SUCCESS, "IKE_SA %s[%d] established between %H[%D]...%H[%D]",
 			this->ike_sa->get_name(this->ike_sa),
+			this->ike_sa->get_unique_id(this->ike_sa),
 			this->ike_sa->get_my_host(this->ike_sa),
 			this->ike_sa->get_my_id(this->ike_sa), 
-			this->ike_sa->get_other_id(this->ike_sa),
-			this->ike_sa->get_other_host(this->ike_sa));
+			this->ike_sa->get_other_host(this->ike_sa),
+			this->ike_sa->get_other_id(this->ike_sa));
 		return SUCCESS;
 	}
 	return NEED_MORE;
@@ -412,9 +448,9 @@ static status_t process_auth_eap(private_ike_auth_t *this, message_t *message)
 
 	if (!this->peer_authenticated)
 	{
-		SIG(IKE_UP_FAILED, "authentication of '%D' with %N failed",
+		SIG_IKE(UP_FAILED, "authentication of '%D' with %N failed",
 			 this->ike_sa->get_other_id(this->ike_sa), 
-			 auth_method_names, AUTH_EAP);
+			 auth_class_names, AUTH_CLASS_EAP);
 		if (this->initiator)
 		{
 			return FAILED;
@@ -424,12 +460,13 @@ static status_t process_auth_eap(private_ike_auth_t *this, message_t *message)
 	if (this->initiator)
 	{
 		this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
-		SIG(IKE_UP_SUCCESS, "IKE_SA '%s' established between %H[%D]...[%D]%H",
+		SIG_IKE(UP_SUCCESS, "IKE_SA %s[%d] established between %H[%D]...%H[%D]",
 			this->ike_sa->get_name(this->ike_sa),
+			this->ike_sa->get_unique_id(this->ike_sa),
 			this->ike_sa->get_my_host(this->ike_sa),
 			this->ike_sa->get_my_id(this->ike_sa), 
-			this->ike_sa->get_other_id(this->ike_sa),
-			this->ike_sa->get_other_host(this->ike_sa));
+			this->ike_sa->get_other_host(this->ike_sa),
+			this->ike_sa->get_other_id(this->ike_sa));
 		return SUCCESS;
 	}
 	return NEED_MORE;
@@ -445,7 +482,7 @@ static status_t process_eap_i(private_ike_auth_t *this, message_t *message)
 	eap = (eap_payload_t*)message->get_payload(message, EXTENSIBLE_AUTHENTICATION);
 	if (eap == NULL)
 	{	
-		SIG(IKE_UP_FAILED, "EAP payload missing");
+		SIG_IKE(UP_FAILED, "EAP payload missing");
 		return FAILED;
 	}
 	switch (this->eap_auth->process(this->eap_auth, eap, &eap))
@@ -461,7 +498,7 @@ static status_t process_eap_i(private_ike_auth_t *this, message_t *message)
 			return NEED_MORE;
 		default:
 			this->eap_payload = NULL;
-			SIG(IKE_UP_FAILED, "failed to authenticate against '%D' using EAP",
+			SIG_IKE(UP_FAILED, "failed to authenticate against '%D' using EAP",
 				this->ike_sa->get_other_id(this->ike_sa));
 			return FAILED;
 	}
@@ -496,7 +533,7 @@ static status_t build_eap_r(private_ike_auth_t *this, message_t *message)
 		
 	if (this->eap_payload == NULL)
 	{
-		SIG(IKE_UP_FAILED, "EAP payload missing");
+		SIG_IKE(UP_FAILED, "EAP payload missing");
 		return FAILED;
 	}
 	
@@ -511,9 +548,9 @@ static status_t build_eap_r(private_ike_auth_t *this, message_t *message)
 			this->public.task.process = (status_t(*)(task_t*,message_t*))process_auth_eap;
 			break;
 		default:
-			SIG(IKE_UP_FAILED, "authentication of '%D' with %N failed",
+			SIG_IKE(UP_FAILED, "authentication of '%D' with %N failed",
 				this->ike_sa->get_other_id(this->ike_sa),
-				auth_method_names, AUTH_EAP);
+				auth_class_names, AUTH_CLASS_EAP);
 			status = FAILED;
 			break;
 	}
@@ -539,7 +576,7 @@ static status_t build_i(private_ike_auth_t *this, message_t *message)
 	}
 	
 	config = this->ike_sa->get_peer_cfg(this->ike_sa);
-	if (config->get_auth_method(config) == CONF_AUTH_EAP)
+	if (get_auth_class(config) == AUTH_CLASS_EAP)
 	{
 		this->eap_auth = eap_authenticator_create(this->ike_sa);
 	}
@@ -579,13 +616,14 @@ static status_t process_r(private_ike_auth_t *this, message_t *message)
 		case NOT_FOUND:
 			/* use EAP if no AUTH payload found */
 			this->ike_sa->set_condition(this->ike_sa, COND_EAP_AUTHENTICATED, TRUE);
-			this->eap_auth = eap_authenticator_create(this->ike_sa);
 			break;
 		default:
 			return NEED_MORE;
 	}
 
 	config = charon->backends->get_peer_cfg(charon->backends,
+									this->ike_sa->get_my_host(this->ike_sa),
+									this->ike_sa->get_other_host(this->ike_sa),
 									this->ike_sa->get_my_id(this->ike_sa),
 									this->ike_sa->get_other_id(this->ike_sa),
 									this->ike_sa->get_other_auth(this->ike_sa));
@@ -594,7 +632,10 @@ static status_t process_r(private_ike_auth_t *this, message_t *message)
 		this->ike_sa->set_peer_cfg(this->ike_sa, config);
 		config->destroy(config);
 	}
-	
+	if (!this->peer_authenticated)
+	{	
+		this->eap_auth = eap_authenticator_create(this->ike_sa);
+	}
 	return NEED_MORE;
 }
 
@@ -624,7 +665,7 @@ static status_t build_r(private_ike_auth_t *this, message_t *message)
 	config = this->ike_sa->get_peer_cfg(this->ike_sa);
 	if (config == NULL)
 	{
-		SIG(IKE_UP_FAILED, "no matching config found for '%D'...'%D'",
+		SIG_IKE(UP_FAILED, "no matching config found for '%D'...'%D'",
 			this->ike_sa->get_my_id(this->ike_sa),
 			this->ike_sa->get_other_id(this->ike_sa));
 		message->add_notify(message, TRUE, AUTHENTICATION_FAILED, chunk_empty);
@@ -648,23 +689,24 @@ static status_t build_r(private_ike_auth_t *this, message_t *message)
 	if (this->peer_authenticated)
 	{
 		this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
-		SIG(IKE_UP_SUCCESS, "IKE_SA '%s' established between %H[%D]...[%D]%H",
+		SIG_IKE(UP_SUCCESS, "IKE_SA %s[%d] established between %H[%D]...%H[%D]",
 			this->ike_sa->get_name(this->ike_sa),
+			this->ike_sa->get_unique_id(this->ike_sa),
 			this->ike_sa->get_my_host(this->ike_sa),
 			this->ike_sa->get_my_id(this->ike_sa), 
-			this->ike_sa->get_other_id(this->ike_sa),
-			this->ike_sa->get_other_host(this->ike_sa));
+			this->ike_sa->get_other_host(this->ike_sa),
+			this->ike_sa->get_other_id(this->ike_sa));
 		return SUCCESS;
 	}
 	
 	/* initiate EAP authenitcation */
-	eap_type = config->get_eap_type(config, &eap_vendor);
+	eap_type = get_eap_type(config, &eap_vendor);
 	status = this->eap_auth->initiate(this->eap_auth, eap_type,
 									  eap_vendor, &eap_payload);
 	message->add_payload(message, (payload_t*)eap_payload);
 	if (status != NEED_MORE)
 	{
-		SIG(IKE_UP_FAILED, "unable to initiate EAP authentication");
+		SIG_IKE(UP_FAILED, "unable to initiate EAP authentication");
 		return FAILED;
 	}
 	
@@ -724,7 +766,7 @@ static status_t process_i(private_ike_auth_t *this, message_t *message)
 				{
 					if (type < 16383)
 					{
-						SIG(IKE_UP_FAILED, "received %N notify error",
+						SIG_IKE(UP_FAILED, "received %N notify error",
 							 notify_type_names, type);
 						iterator->destroy(iterator);
 						return FAILED;	
@@ -756,17 +798,18 @@ static status_t process_i(private_ike_auth_t *this, message_t *message)
 	auth = this->ike_sa->get_other_auth(this->ike_sa);
 	if (!auth->complies(auth, config->get_auth(config)))
 	{
-		SIG(IKE_UP_FAILED, "authorization of '%D' for config %s failed",
+		SIG_IKE(UP_FAILED, "authorization of '%D' for config %s failed",
 			this->ike_sa->get_other_id(this->ike_sa), config->get_name(config));
 		return FAILED;
 	}
 	this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
-	SIG(IKE_UP_SUCCESS, "IKE_SA '%s' established between %H[%D]...[%D]%H",
+	SIG_IKE(UP_SUCCESS, "IKE_SA %s[%d] established between %H[%D]...%H[%D]",
 		this->ike_sa->get_name(this->ike_sa),
+		this->ike_sa->get_unique_id(this->ike_sa),
 		this->ike_sa->get_my_host(this->ike_sa),
 		this->ike_sa->get_my_id(this->ike_sa),
-		this->ike_sa->get_other_id(this->ike_sa),
-		this->ike_sa->get_other_host(this->ike_sa));
+		this->ike_sa->get_other_host(this->ike_sa),
+		this->ike_sa->get_other_id(this->ike_sa));
 	return SUCCESS;
 }
 
diff --git a/src/charon/sa/tasks/ike_cert_post.c b/src/charon/sa/tasks/ike_cert_post.c
index 184868b28..cb533236e 100644
--- a/src/charon/sa/tasks/ike_cert_post.c
+++ b/src/charon/sa/tasks/ike_cert_post.c
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: ike_cert_post.c 4051 2008-06-10 09:08:27Z tobias $
+ * $Id: ike_cert_post.c 4276 2008-08-22 10:44:51Z martin $
  */
 
 #include "ike_cert_post.h"
@@ -97,6 +97,11 @@ static cert_payload_t *build_cert_payload(private_ike_cert_post_t *this, certifi
 	return payload;
 }
 
+/**
+ * from ike_auth.c
+ */
+auth_class_t get_auth_class(peer_cfg_t *config);
+
 /**
  * add certificates to message
  */
@@ -105,7 +110,7 @@ static void build_certs(private_ike_cert_post_t *this, message_t *message)
 	peer_cfg_t *peer_cfg;
 	
 	peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
-	if (peer_cfg && peer_cfg->get_auth_method(peer_cfg) == CONF_AUTH_PUBKEY)
+	if (peer_cfg && get_auth_class(peer_cfg) == AUTH_CLASS_PUBKEY)
 	{
 		switch (peer_cfg->get_cert_policy(peer_cfg))
 		{
diff --git a/src/charon/sa/tasks/ike_cert_pre.c b/src/charon/sa/tasks/ike_cert_pre.c
index 3568a214e..353b76a22 100644
--- a/src/charon/sa/tasks/ike_cert_pre.c
+++ b/src/charon/sa/tasks/ike_cert_pre.c
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: ike_cert_pre.c 3852 2008-04-18 21:27:08Z andreas $
+ * $Id: ike_cert_pre.c 4285 2008-08-26 05:15:34Z andreas $
  */
 
 #include "ike_cert_pre.h"
@@ -320,11 +320,10 @@ static void add_certreq_payload(message_t *message, certreq_payload_t **reqp,
 static void build_certreqs(private_ike_cert_pre_t *this, message_t *message)
 {
 	ike_cfg_t *ike_cfg;
+	peer_cfg_t *peer_cfg;
 	enumerator_t *enumerator;
 	certificate_t *cert;
-	auth_info_t *auth;
 	bool restricted = FALSE;
-	auth_item_t item;
 	certreq_payload_t *x509_req = NULL;
 	
 	ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa);
@@ -332,19 +331,43 @@ static void build_certreqs(private_ike_cert_pre_t *this, message_t *message)
 	{
 		return;
 	}
-	auth = this->ike_sa->get_other_auth(this->ike_sa);
 
 	/* check if we require a specific CA for that peer */
-	enumerator = auth->create_item_enumerator(auth);
-	while (enumerator->enumerate(enumerator, &item, &cert))
+	peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
+	if (peer_cfg)
 	{
-		if (item == AUTHN_CA_CERT)
+		void *ptr;
+		identification_t *id;
+		auth_item_t item;
+		auth_info_t *auth = peer_cfg->get_auth(peer_cfg);
+		enumerator_t *auth_enumerator = auth->create_item_enumerator(auth);
+
+		while (auth_enumerator->enumerate(auth_enumerator, &item, &ptr))
 		{
-			restricted = TRUE;
-			add_certreq_payload(message, &x509_req, cert);
+			switch (item)
+			{
+				case AUTHZ_CA_CERT:
+					cert = (certificate_t *)ptr;
+					add_certreq_payload(message, &x509_req, cert);
+					restricted = TRUE;
+					break;
+				case AUTHZ_CA_CERT_NAME:
+					id = (identification_t *)ptr;
+					enumerator = charon->credentials->create_cert_enumerator(
+							charon->credentials, CERT_ANY, KEY_ANY, id, TRUE);
+					while (enumerator->enumerate(enumerator, &cert, TRUE))
+					{
+						add_certreq_payload(message, &x509_req, cert);
+						restricted = TRUE;
+					}
+					enumerator->destroy(enumerator);
+					break;
+				default:
+					break;
+			}
 		}
+		auth_enumerator->destroy(auth_enumerator);
 	}
-	enumerator->destroy(enumerator);
 		
 	if (!restricted)
 	{
diff --git a/src/charon/sa/tasks/ike_config.c b/src/charon/sa/tasks/ike_config.c
index c31e62750..e89f381d3 100644
--- a/src/charon/sa/tasks/ike_config.c
+++ b/src/charon/sa/tasks/ike_config.c
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: ike_config.c 3800 2008-04-14 07:18:16Z martin $
+ * $Id: ike_config.c 4129 2008-07-01 06:36:52Z martin $
  */
 
 #include "ike_config.h"
@@ -315,7 +315,10 @@ static status_t build_r(private_ike_config_t *this, message_t *message)
 			}
 			if (ip == NULL)
 			{
-				DBG1(DBG_IKE, "not assigning a virtual IP to peer");
+				DBG1(DBG_IKE, "no virtual IP found, sending %N",
+					 notify_type_names, INTERNAL_ADDRESS_FAILURE);
+				message->add_notify(message, FALSE, INTERNAL_ADDRESS_FAILURE,
+									chunk_empty);
 				return SUCCESS;
 			}
 			DBG1(DBG_IKE, "assigning virtual IP %H to peer", ip);
diff --git a/src/charon/sa/tasks/ike_delete.c b/src/charon/sa/tasks/ike_delete.c
index aa7950ef7..295f908cb 100644
--- a/src/charon/sa/tasks/ike_delete.c
+++ b/src/charon/sa/tasks/ike_delete.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: ike_delete.c 3802 2008-04-14 08:17:18Z martin $
+ * $Id: ike_delete.c 4211 2008-07-23 18:46:34Z andreas $
  */
 
 #include "ike_delete.h"
@@ -56,11 +56,22 @@ static status_t build_i(private_ike_delete_t *this, message_t *message)
 {
 	delete_payload_t *delete_payload;
 
+	SIG_IKE(DOWN_START, "deleting IKE_SA %s[%d] between %H[%D]...%H[%D]",
+			this->ike_sa->get_name(this->ike_sa),
+			this->ike_sa->get_unique_id(this->ike_sa),
+			this->ike_sa->get_my_host(this->ike_sa),
+			this->ike_sa->get_my_id(this->ike_sa),
+			this->ike_sa->get_other_host(this->ike_sa),
+			this->ike_sa->get_other_id(this->ike_sa));
+
 	delete_payload = delete_payload_create(PROTO_IKE);
 	message->add_payload(message, (payload_t*)delete_payload);
-	
 	this->ike_sa->set_state(this->ike_sa, IKE_DELETING);
-	
+
+	DBG1(DBG_IKE, "sending DELETE for IKE_SA %s[%d]",
+			this->ike_sa->get_name(this->ike_sa),
+			this->ike_sa->get_unique_id(this->ike_sa));
+
 	return NEED_MORE;
 }
 
@@ -74,16 +85,26 @@ static status_t process_i(private_ike_delete_t *this, message_t *message)
 }
 
 /**
- * Implementation of task_t.process for initiator
+ * Implementation of task_t.process for responder
  */
 static status_t process_r(private_ike_delete_t *this, message_t *message)
 {
 	/* we don't even scan the payloads, as the message wouldn't have
 	 * come so far without being correct */
+	DBG1(DBG_IKE, "received DELETE for IKE_SA %s[%d]",
+			this->ike_sa->get_name(this->ike_sa),
+			this->ike_sa->get_unique_id(this->ike_sa));
+	SIG_IKE(DOWN_START, "deleting IKE_SA %s[%d] between %H[%D]...%H[%D]",
+			this->ike_sa->get_name(this->ike_sa),
+			this->ike_sa->get_unique_id(this->ike_sa),
+			this->ike_sa->get_my_host(this->ike_sa),
+			this->ike_sa->get_my_id(this->ike_sa),
+			this->ike_sa->get_other_host(this->ike_sa),
+			this->ike_sa->get_other_id(this->ike_sa));
+
 	switch (this->ike_sa->get_state(this->ike_sa))
 	{
 		case IKE_ESTABLISHED:
-			DBG1(DBG_IKE, "deleting IKE_SA on request");
 			this->ike_sa->set_state(this->ike_sa, IKE_DELETING);
 			this->ike_sa->reestablish(this->ike_sa);
 			break;
@@ -102,9 +123,11 @@ static status_t process_r(private_ike_delete_t *this, message_t *message)
  */
 static status_t build_r(private_ike_delete_t *this, message_t *message)
 {
+	SIG_IKE(DOWN_SUCCESS, "IKE_SA deleted");
+
 	if (this->simultaneous)
 	{
-		/* wait for peers response for our delete request, but set a timeout */
+		/* wait for peer's response for our delete request, but set a timeout */
 		return SUCCESS;
 	}
 	/* completed, delete IKE_SA by returning FAILED */
diff --git a/src/charon/sa/tasks/ike_init.c b/src/charon/sa/tasks/ike_init.c
index 7def3a556..609b37a39 100644
--- a/src/charon/sa/tasks/ike_init.c
+++ b/src/charon/sa/tasks/ike_init.c
@@ -14,7 +14,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: ike_init.c 4086 2008-06-22 11:24:33Z andreas $
+ * $Id: ike_init.c 4206 2008-07-22 17:10:10Z andreas $
  */
 
 #include "ike_init.h"
@@ -26,6 +26,7 @@
 #include <encoding/payloads/sa_payload.h>
 #include <encoding/payloads/ke_payload.h>
 #include <encoding/payloads/nonce_payload.h>
+#include <encoding/payloads/vendor_id_payload.h>
 
 /** maximum retries to do with cookies/other dh groups */
 #define MAX_RETRIES 5
@@ -203,9 +204,17 @@ static void process_payloads(private_ike_init_t *this, message_t *message)
 			case NONCE:
 			{
 				nonce_payload_t *nonce_payload = (nonce_payload_t*)payload;
+
 				this->other_nonce = nonce_payload->get_nonce(nonce_payload);
 				break;
 			}
+			case VENDOR_ID:
+			{
+				vendor_id_payload_t *vendor_id = (vendor_id_payload_t*)payload;
+				chunk_t vid = vendor_id->get_data(vendor_id);
+
+				DBG1(DBG_ENC, "received vendor id: %#B", &vid);					
+			}
 			default:
 				break;
 		}
@@ -221,14 +230,15 @@ static status_t build_i(private_ike_init_t *this, message_t *message)
 	rng_t *rng;
 	
 	this->config = this->ike_sa->get_ike_cfg(this->ike_sa);
-	SIG(IKE_UP_START, "initiating IKE_SA '%s' to %H",
+	SIG_IKE(UP_START, "initiating IKE_SA %s[%d] to %H",
 		this->ike_sa->get_name(this->ike_sa),
+		this->ike_sa->get_unique_id(this->ike_sa),
 		this->ike_sa->get_other_host(this->ike_sa));
 	this->ike_sa->set_state(this->ike_sa, IKE_CONNECTING);
 	
 	if (this->retry++ >= MAX_RETRIES)
 	{
-		SIG(IKE_UP_FAILED, "giving up after %d retries", MAX_RETRIES);
+		SIG_IKE(UP_FAILED, "giving up after %d retries", MAX_RETRIES);
 		return FAILED;
 	}
 
@@ -239,7 +249,7 @@ static status_t build_i(private_ike_init_t *this, message_t *message)
 		this->dh = lib->crypto->create_dh(lib->crypto, this->dh_group);
 		if (this->dh == NULL)
 		{
-			SIG(IKE_UP_FAILED, "configured DH group %N not supported",
+			SIG_IKE(UP_FAILED, "configured DH group %N not supported",
 				diffie_hellman_group_names, this->dh_group);
 			return FAILED;
 		}
@@ -251,7 +261,7 @@ static status_t build_i(private_ike_init_t *this, message_t *message)
 		rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
 		if (!rng)
 		{
-			SIG(IKE_UP_FAILED, "error generating nonce");
+			SIG_IKE(UP_FAILED, "error generating nonce");
 			return FAILED;
 		}
 		rng->allocate_bytes(rng, NONCE_SIZE, &this->my_nonce);
@@ -286,7 +296,7 @@ static status_t process_r(private_ike_init_t *this, message_t *message)
 	rng_t *rng;
 	
 	this->config = this->ike_sa->get_ike_cfg(this->ike_sa);
-	SIG(IKE_UP_START, "%H is initiating an IKE_SA",
+	SIG_IKE(UP_START, "%H is initiating an IKE_SA",
 		message->get_source(message));
 	this->ike_sa->set_state(this->ike_sa, IKE_CONNECTING);
 
@@ -366,7 +376,7 @@ static status_t build_r(private_ike_init_t *this, message_t *message)
 	if (this->proposal == NULL ||
 		this->other_nonce.len == 0 || this->my_nonce.len == 0)
 	{
-		SIG(IKE_UP_FAILED, "received proposals inacceptable");
+		SIG_IKE(UP_FAILED, "received proposals inacceptable");
 		message->add_notify(message, TRUE, NO_PROPOSAL_CHOSEN, chunk_empty);
 		return FAILED;
 	}
@@ -380,7 +390,7 @@ static status_t build_r(private_ike_init_t *this, message_t *message)
 		if (this->proposal->get_algorithm(this->proposal, DIFFIE_HELLMAN_GROUP,
 										  &group, NULL))
 		{
-			SIG(CHILD_UP_FAILED, "DH group %N inacceptable, requesting %N",
+			SIG_CHD(UP_FAILED, NULL, "DH group %N inacceptable, requesting %N",
 				diffie_hellman_group_names, this->dh_group,
 				diffie_hellman_group_names, group);
 			this->dh_group = group;
@@ -390,7 +400,7 @@ static status_t build_r(private_ike_init_t *this, message_t *message)
 		}
 		else
 		{
-			SIG(IKE_UP_FAILED, "no acceptable proposal found");
+			SIG_IKE(UP_FAILED, "no acceptable proposal found");
 		}
 		return FAILED;
 	}
@@ -420,7 +430,7 @@ static status_t build_r(private_ike_init_t *this, message_t *message)
 	}
 	if (status != SUCCESS)
 	{
-		SIG(IKE_UP_FAILED, "key derivation failed");
+		SIG_IKE(UP_FAILED, "key derivation failed");
 		message->add_notify(message, TRUE, NO_PROPOSAL_CHOSEN, chunk_empty);
 		return FAILED;
 	}
@@ -495,7 +505,7 @@ static status_t process_i(private_ike_init_t *this, message_t *message)
 				{
 					if (type < 16383)
 					{
-						SIG(IKE_UP_FAILED, "received %N notify error",
+						SIG_IKE(UP_FAILED, "received %N notify error",
 							 notify_type_names, type);
 						iterator->destroy(iterator);
 						return FAILED;	
@@ -515,7 +525,7 @@ static status_t process_i(private_ike_init_t *this, message_t *message)
 	if (this->proposal == NULL ||
 		this->other_nonce.len == 0 || this->my_nonce.len == 0)
 	{
-		SIG(IKE_UP_FAILED, "peer's proposal selection invalid");
+		SIG_IKE(UP_FAILED, "peer's proposal selection invalid");
 		return FAILED;
 	}
 	
@@ -523,7 +533,7 @@ static status_t process_i(private_ike_init_t *this, message_t *message)
 		!this->proposal->has_dh_group(this->proposal, this->dh_group) ||
 		this->dh->get_shared_secret(this->dh, &secret) != SUCCESS)
 	{
-		SIG(IKE_UP_FAILED, "peer's DH group selection invalid");
+		SIG_IKE(UP_FAILED, "peer's DH group selection invalid");
 		return FAILED;
 	}
 	
@@ -552,7 +562,7 @@ static status_t process_i(private_ike_init_t *this, message_t *message)
 	}
 	if (status != SUCCESS)
 	{
-		SIG(IKE_UP_FAILED, "key derivation failed");
+		SIG_IKE(UP_FAILED, "key derivation failed");
 		return FAILED;
 	}
 
diff --git a/src/charon/sa/tasks/ike_me.c b/src/charon/sa/tasks/ike_me.c
index 2d7c64d70..a203dee58 100644
--- a/src/charon/sa/tasks/ike_me.c
+++ b/src/charon/sa/tasks/ike_me.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: ike_me.c 3806 2008-04-15 05:56:35Z martin $
+ * $Id: ike_me.c 4355 2008-09-25 07:56:58Z tobias $
  */
  
 #include "ike_me.h"
@@ -128,7 +128,7 @@ static void add_endpoints_to_message(message_t *message, linked_list_t *endpoint
  */
 static void gather_and_add_endpoints(private_ike_me_t *this, message_t *message)
 {
-	iterator_t *iterator;
+	enumerator_t *enumerator;
 	host_t *addr, *host;
 	u_int16_t port;
 	
@@ -136,9 +136,9 @@ static void gather_and_add_endpoints(private_ike_me_t *this, message_t *message)
 	host = this->ike_sa->get_my_host(this->ike_sa);
 	port = host->get_port(host);
 	
-	iterator = charon->kernel_interface->create_address_iterator(
-												charon->kernel_interface);
-	while (iterator->iterate(iterator, (void**)&addr))
+	enumerator = charon->kernel_interface->create_address_enumerator(
+										charon->kernel_interface, FALSE, FALSE);
+	while (enumerator->enumerate(enumerator, (void**)&addr))
 	{
 		host = addr->clone(addr);
 		host->set_port(host, port);
@@ -148,7 +148,7 @@ static void gather_and_add_endpoints(private_ike_me_t *this, message_t *message)
 		
 		host->destroy(host);
 	}
-	iterator->destroy(iterator);
+	enumerator->destroy(enumerator);
 	
 	host = this->ike_sa->get_server_reflexive_host(this->ike_sa);
 	if (host)
@@ -461,7 +461,8 @@ static status_t process_i(private_ike_me_t *this, message_t *message)
 				this->ike_sa->set_server_reflexive_host(this->ike_sa, endpoint->clone(endpoint));
 			}
 			/* FIXME: what if it failed? e.g. AUTH failure */
-			SIG(CHILD_UP_SUCCESS, "established mediation connection without CHILD_SA successfully");
+			SIG_CHD(UP_SUCCESS, NULL, "established mediation connection "
+					"without CHILD_SA successfully");
 			
 			break;
 		}
@@ -641,7 +642,8 @@ static status_t build_r_ms(private_ike_me_t *this, message_t *message)
 			/* FIXME: we actually must delete any existing IKE_SAs with the same remote id */
 			this->ike_sa->act_as_mediation_server(this->ike_sa);
 			
-			SIG(CHILD_UP_SUCCESS, "established mediation connection without CHILD_SA successfully");
+			SIG_CHD(UP_SUCCESS, NULL, "established mediation connection "
+					"without CHILD_SA successfully");
 			
 			break;
 		}
diff --git a/src/charon/sa/tasks/ike_mobike.c b/src/charon/sa/tasks/ike_mobike.c
index 23c68b9e9..f6ee3f6ad 100644
--- a/src/charon/sa/tasks/ike_mobike.c
+++ b/src/charon/sa/tasks/ike_mobike.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: ike_mobike.c 4006 2008-05-23 15:43:42Z martin $
+ * $Id: ike_mobike.c 4394 2008-10-09 08:25:11Z martin $
  */
 
 #include "ike_mobike.h"
@@ -117,8 +117,19 @@ static void process_payloads(private_ike_mobike_t *this, message_t *message)
 		{
 			case MOBIKE_SUPPORTED:
 			{
-				DBG1(DBG_IKE, "peer supports MOBIKE");
-				this->ike_sa->enable_extension(this->ike_sa, EXT_MOBIKE);
+				peer_cfg_t *peer_cfg;
+				
+				peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
+				if (!this->initiator && 
+					peer_cfg && !peer_cfg->use_mobike(peer_cfg))
+				{
+					DBG1(DBG_IKE, "peer supports MOBIKE, but disabled in config");
+				}
+				else
+				{
+					DBG1(DBG_IKE, "peer supports MOBIKE");
+					this->ike_sa->enable_extension(this->ike_sa, EXT_MOBIKE);
+				}
 				break;
 			}
 			case COOKIE2:
@@ -177,15 +188,15 @@ static void process_payloads(private_ike_mobike_t *this, message_t *message)
  */
 static void build_address_list(private_ike_mobike_t *this, message_t *message)
 {
-	iterator_t *iterator;
+	enumerator_t *enumerator;
 	host_t *host, *me;
 	notify_type_t type;
 	bool additional = FALSE;
 
 	me = this->ike_sa->get_my_host(this->ike_sa);
-	iterator = charon->kernel_interface->create_address_iterator(
-												charon->kernel_interface);
-	while (iterator->iterate(iterator, (void**)&host))
+	enumerator = charon->kernel_interface->create_address_enumerator(
+										charon->kernel_interface, FALSE, FALSE);
+	while (enumerator->enumerate(enumerator, (void**)&host))
 	{
 		if (me->ip_equals(me, host))
 		{	/* "ADDITIONAL" means do not include IKE_SAs host */
@@ -209,7 +220,7 @@ static void build_address_list(private_ike_mobike_t *this, message_t *message)
 	{
 		message->add_notify(message, FALSE, NO_ADDITIONAL_ADDRESSES, chunk_empty);
 	}
-	iterator->destroy(iterator);
+	enumerator->destroy(enumerator);
 }
 
 /**
@@ -266,7 +277,7 @@ static void transmit(private_ike_mobike_t *this, packet_t *packet)
 	other_old = this->ike_sa->get_other_host(this->ike_sa);
 	
 	me = charon->kernel_interface->get_source_addr(
-										charon->kernel_interface, other_old);
+									charon->kernel_interface, other_old, NULL);
 	if (me)
 	{
 		me->set_port(me, me->ip_equals(me, me_old) ?
@@ -278,7 +289,7 @@ static void transmit(private_ike_mobike_t *this, packet_t *packet)
 	while (iterator->iterate(iterator, (void**)&other))
 	{
 		me = charon->kernel_interface->get_source_addr(
-											charon->kernel_interface, other);
+										charon->kernel_interface, other, NULL);
 		if (me)
 		{
 			if (me->get_family(me) != other->get_family(other))
@@ -318,6 +329,24 @@ static status_t build_i(private_ike_mobike_t *this, message_t *message)
 	}
 	else if (message->get_exchange_type(message) == INFORMATIONAL)
 	{
+		host_t *old, *new;
+		
+		/* we check if the existing address is still valid */ 
+		old = message->get_source(message);
+		new = charon->kernel_interface->get_source_addr(charon->kernel_interface,
+										message->get_destination(message), old);
+		if (new)
+		{
+			if (!new->ip_equals(new, old))
+			{
+				new->set_port(new, old->get_port(old));
+				message->set_source(message, new);
+			}
+			else
+			{
+				new->destroy(new);
+			}
+		}
 		if (this->update)
 		{
 			message->add_notify(message, FALSE, UPDATE_SA_ADDRESSES, chunk_empty);
@@ -423,7 +452,7 @@ static status_t process_i(private_ike_mobike_t *this, message_t *message)
 			return SUCCESS;
 		}
 		if (this->cookie2.ptr)
-		{	/* check cookie if we included none */
+		{	/* check cookie if we included one */
 			chunk_t cookie2;
 			
 			cookie2 = this->cookie2;
@@ -444,6 +473,13 @@ static status_t process_i(private_ike_mobike_t *this, message_t *message)
 		if (this->natd)
 		{
 			this->natd->task.process(&this->natd->task, message);
+			if (this->natd->has_mapping_changed(this->natd))
+			{
+				/* force an update if mappings have changed */
+				this->update = this->check = TRUE;
+				DBG1(DBG_IKE, "detected changes in NAT mappings, "
+					 "initiating MOBIKE update");
+			}
 		}
 		if (this->update)
 		{
@@ -495,6 +531,20 @@ static void roam(private_ike_mobike_t *this, bool address)
 							this->ike_sa->get_pending_updates(this->ike_sa) + 1);
 }
 
+/**
+ * Implementation of ike_mobike_t.dpd
+ */
+static void dpd(private_ike_mobike_t *this)
+{
+	if (!this->natd)
+	{
+		this->natd = ike_natd_create(this->ike_sa, this->initiator);
+	}
+	this->address = FALSE;
+	this->ike_sa->set_pending_updates(this->ike_sa, 
+							this->ike_sa->get_pending_updates(this->ike_sa) + 1);
+}
+
 /**
  * Implementation of ike_mobike_t.is_probing.
  */
@@ -545,6 +595,7 @@ ike_mobike_t *ike_mobike_create(ike_sa_t *ike_sa, bool initiator)
 	private_ike_mobike_t *this = malloc_thing(private_ike_mobike_t);
 
 	this->public.roam = (void(*)(ike_mobike_t*,bool))roam;
+	this->public.dpd = (void(*)(ike_mobike_t*))dpd;
 	this->public.transmit = (void(*)(ike_mobike_t*,packet_t*))transmit;
 	this->public.is_probing = (bool(*)(ike_mobike_t*))is_probing;
 	this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
diff --git a/src/charon/sa/tasks/ike_mobike.h b/src/charon/sa/tasks/ike_mobike.h
index 9dd29970e..f8f094456 100644
--- a/src/charon/sa/tasks/ike_mobike.h
+++ b/src/charon/sa/tasks/ike_mobike.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: ike_mobike.h 3589 2008-03-13 14:14:44Z martin $
+ * $Id: ike_mobike.h 4368 2008-10-06 13:37:04Z martin $
  */
 
 /**
@@ -54,6 +54,11 @@ struct ike_mobike_t {
 	 */
 	void (*roam)(ike_mobike_t *this, bool address);
 	
+	/**
+	 * Use the task for a DPD check which detects changes in NAT mappings.
+	 */
+	void (*dpd)(ike_mobike_t *this);
+	
 	/**
 	 * Transmision hook, called by task manager.
 	 *
diff --git a/src/charon/sa/tasks/ike_natd.c b/src/charon/sa/tasks/ike_natd.c
index 69e5bac26..9e62fcbdf 100644
--- a/src/charon/sa/tasks/ike_natd.c
+++ b/src/charon/sa/tasks/ike_natd.c
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: ike_natd.c 3806 2008-04-15 05:56:35Z martin $
+ * $Id: ike_natd.c 4386 2008-10-08 08:23:46Z martin $
  */
 
 #include "ike_natd.h"
@@ -72,6 +72,11 @@ struct private_ike_natd_t {
 	 * Have we found a matching destination address NAT hash?
 	 */
 	bool dst_matched;
+	
+	/**
+	 * whether NAT mappings for our NATed address has changed
+	 */
+	bool mapping_changed;
 };
 
 
@@ -192,15 +197,24 @@ static void process_payloads(private_ike_natd_t *this, message_t *message)
 			case NAT_DETECTION_DESTINATION_IP:
 			{
 				this->dst_seen = TRUE;
+				hash = notify->get_notification_data(notify);
 				if (!this->dst_matched)
 				{
-					hash = notify->get_notification_data(notify);
 					DBG3(DBG_IKE, "received dst_hash %B", &hash);
 					if (chunk_equals(hash, dst_hash))
 					{
 						this->dst_matched = TRUE;
 					}
 				}
+				/* RFC4555 says we should also compare against IKE_SA_INIT
+				 * NATD payloads, but this does not work: We are running
+				 * there at port 500, but use 4500 afterwards... */
+				if (message->get_exchange_type(message) == INFORMATIONAL &&
+					this->initiator && !this->dst_matched)
+				{
+					this->mapping_changed = this->ike_sa->has_mapping_changed(
+															this->ike_sa, hash);
+				}
 				break;
 			}
 			case NAT_DETECTION_SOURCE_IP:
@@ -300,7 +314,7 @@ static status_t process_i(private_ike_natd_t *this, message_t *message)
 static status_t build_i(private_ike_natd_t *this, message_t *message)
 {
 	notify_payload_t *notify;
-	iterator_t *iterator;
+	enumerator_t *enumerator;
 	host_t *host;
 	
 	if (this->hasher == NULL)
@@ -327,9 +341,8 @@ static status_t build_i(private_ike_natd_t *this, message_t *message)
 	}
 	else
 	{
-		host = charon->kernel_interface->get_source_addr(
-									charon->kernel_interface,
-									this->ike_sa->get_other_host(this->ike_sa));
+		host = charon->kernel_interface->get_source_addr(charon->kernel_interface,
+							this->ike_sa->get_other_host(this->ike_sa), NULL);
 		if (host)
 		{	/* 2. */
 			host->set_port(host, IKEV2_UDP_PORT);
@@ -339,14 +352,14 @@ static status_t build_i(private_ike_natd_t *this, message_t *message)
 		}
 		else
 		{	/* 3. */
-			iterator = charon->kernel_interface->create_address_iterator(
-													charon->kernel_interface);
-			while (iterator->iterate(iterator, (void**)&host))
+			enumerator = charon->kernel_interface->create_address_enumerator(
+										charon->kernel_interface, FALSE, FALSE);
+			while (enumerator->enumerate(enumerator, (void**)&host))
 			{
 				notify = build_natd_payload(this, NAT_DETECTION_SOURCE_IP, host);
 				message->add_payload(message, (payload_t*)notify);
 			}
-			iterator->destroy(iterator);
+			enumerator->destroy(enumerator);
 		}
 	}
 	return NEED_MORE;
@@ -415,6 +428,15 @@ static void migrate(private_ike_natd_t *this, ike_sa_t *ike_sa)
 	this->dst_seen = FALSE;
 	this->src_matched = FALSE;
 	this->dst_matched = FALSE;
+	this->mapping_changed = FALSE;
+}
+
+/**
+ * Implementation of ike_natd_t.has_mapping_changed
+ */
+static bool has_mapping_changed(private_ike_natd_t *this)
+{
+	return this->mapping_changed;
 }
 
 /**
@@ -448,6 +470,8 @@ ike_natd_t *ike_natd_create(ike_sa_t *ike_sa, bool initiator)
 		this->public.task.process = (status_t(*)(task_t*,message_t*))process_r;
 	}
 	
+	this->public.has_mapping_changed = (bool(*)(ike_natd_t*))has_mapping_changed;
+	
 	this->ike_sa = ike_sa;
 	this->initiator = initiator;
 	this->hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
@@ -455,6 +479,7 @@ ike_natd_t *ike_natd_create(ike_sa_t *ike_sa, bool initiator)
 	this->dst_seen = FALSE;
 	this->src_matched = FALSE;
 	this->dst_matched = FALSE;
+	this->mapping_changed = FALSE;
 	
 	return &this->public;
 }
diff --git a/src/charon/sa/tasks/ike_natd.h b/src/charon/sa/tasks/ike_natd.h
index d78c931d9..7e1e58bc0 100644
--- a/src/charon/sa/tasks/ike_natd.h
+++ b/src/charon/sa/tasks/ike_natd.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: ike_natd.h 3589 2008-03-13 14:14:44Z martin $
+ * $Id: ike_natd.h 4368 2008-10-06 13:37:04Z martin $
  */
 
 /**
@@ -38,6 +38,15 @@ struct ike_natd_t {
 	 * Implements the task_t interface
 	 */
 	task_t task;
+	
+	/**
+	 * Check if the NAT mapping has changed for our address.
+	 *
+	 * MOBIKE uses NAT payloads in DPD to detect changes in the NAT mappings.
+	 *
+	 * @return 	TRUE if mappings have changed
+	 */
+	bool (*has_mapping_changed)(ike_natd_t *this);
 };
 
 /**
diff --git a/src/charon/sa/tasks/ike_reauth.c b/src/charon/sa/tasks/ike_reauth.c
index 854e9359d..b84b2a387 100644
--- a/src/charon/sa/tasks/ike_reauth.c
+++ b/src/charon/sa/tasks/ike_reauth.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: ike_reauth.c 3793 2008-04-11 08:14:48Z martin $
+ * $Id: ike_reauth.c 4211 2008-07-23 18:46:34Z andreas $
  */
 
 #include "ike_reauth.h"
@@ -65,7 +65,8 @@ static status_t process_i(private_ike_reauth_t *this, message_t *message)
 	
 	/* process delete response first */
 	this->ike_delete->task.process(&this->ike_delete->task, message);
-	
+	SIG_IKE(DOWN_SUCCESS, "IKE_SA deleted");
+
 	peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
 	
 	/* reauthenticate only if we have children */
diff --git a/src/charon/sa/tasks/ike_rekey.c b/src/charon/sa/tasks/ike_rekey.c
index 9c0d1805c..6c4ef4354 100644
--- a/src/charon/sa/tasks/ike_rekey.c
+++ b/src/charon/sa/tasks/ike_rekey.c
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: ike_rekey.c 3589 2008-03-13 14:14:44Z martin $
+ * $Id: ike_rekey.c 4211 2008-07-23 18:46:34Z andreas $
  */
 
 #include "ike_rekey.h"
@@ -69,6 +69,7 @@ struct private_ike_rekey_t {
 static status_t build_i(private_ike_rekey_t *this, message_t *message)
 {
 	peer_cfg_t *peer_cfg;
+	host_t *other_host;
 	
 	/* create new SA only on first try */
 	if (this->new_sa == NULL)
@@ -77,7 +78,9 @@ static status_t build_i(private_ike_rekey_t *this, message_t *message)
 															TRUE);
 		
 		peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
+		other_host = this->ike_sa->get_other_host(this->ike_sa);
 		this->new_sa->set_peer_cfg(this->new_sa, peer_cfg);
+		this->new_sa->set_other_host(this->new_sa, other_host->clone(other_host));
 		this->ike_init = ike_init_create(this->new_sa, TRUE, this->ike_sa);
 		this->ike_sa->set_state(this->ike_sa, IKE_REKEYING);
 	}
@@ -87,7 +90,7 @@ static status_t build_i(private_ike_rekey_t *this, message_t *message)
 }
 
 /**
- * Implementation of task_t.process for initiator
+ * Implementation of task_t.process for responder
  */
 static status_t process_r(private_ike_rekey_t *this, message_t *message)
 {
@@ -149,6 +152,13 @@ static status_t build_r(private_ike_rekey_t *this, message_t *message)
 	
 	this->ike_sa->set_state(this->ike_sa, IKE_REKEYING);
 	this->new_sa->set_state(this->new_sa, IKE_ESTABLISHED);
+	SIG_IKE(UP_SUCCESS, "IKE_SA %s[%d] established between %H[%D]...%H[%D]",
+		this->new_sa->get_name(this->new_sa),
+		this->new_sa->get_unique_id(this->new_sa),
+		this->ike_sa->get_my_host(this->ike_sa),
+		this->ike_sa->get_my_id(this->ike_sa),
+		this->ike_sa->get_other_host(this->ike_sa),
+		this->ike_sa->get_other_id(this->ike_sa));
 	
 	return SUCCESS;
 }
@@ -188,6 +198,14 @@ static status_t process_i(private_ike_rekey_t *this, message_t *message)
 	}
 
 	this->new_sa->set_state(this->new_sa, IKE_ESTABLISHED);
+	SIG_IKE(UP_SUCCESS, "IKE_SA %s[%d] established between %H[%D]...%H[%D]",
+		this->new_sa->get_name(this->new_sa),
+		this->new_sa->get_unique_id(this->new_sa),
+		this->ike_sa->get_my_host(this->ike_sa),
+		this->ike_sa->get_my_id(this->ike_sa),
+		this->ike_sa->get_other_host(this->ike_sa),
+		this->ike_sa->get_other_id(this->ike_sa));
+
 	to_delete = this->ike_sa->get_id(this->ike_sa);
 	
 	/* check for collisions */
diff --git a/src/dumm/Makefile.am b/src/dumm/Makefile.am
index 1e47e8907..11d65bba9 100644
--- a/src/dumm/Makefile.am
+++ b/src/dumm/Makefile.am
@@ -1,14 +1,19 @@
+EXTRA_DIST = ext/dumm.c ext/extconf.rb ext/README \
+  ext/lib/dumm.rb ext/lib/dumm/guest.rb
+
 lib_LTLIBRARIES = libdumm.la
-ipsec_PROGRAMS = dumm testing
+ipsec_PROGRAMS = dumm irdumm
 
 libdumm_la_SOURCES = dumm.c dumm.h guest.c guest.h iface.c iface.h \
   bridge.c bridge.h mconsole.c mconsole.h cowfs.h cowfs.c
 dumm_SOURCES = main.c
-testing_SOURCES = testing.c
+irdumm_SOURCES = irdumm.c
 
-libdumm_la_LIBADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -lbridge -lfuse -lutil
+libdumm_la_LIBADD = $(top_builddir)/src/libstrongswan/libstrongswan.la \
+  -lbridge -lfuse -lutil
 dumm_LDADD = -ldumm ${gtk_LIBS}
-testing_LDADD = -ldumm
+irdumm_LDADD = -ldumm -lruby1.8
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan ${gtk_CFLAGS}
+INCLUDES = -I$(top_srcdir)/src/libstrongswan ${gtk_CFLAGS} \
+  -I/usr/lib/ruby/1.8/i486-linux/
 AM_CFLAGS = -D_FILE_OFFSET_BITS=64
diff --git a/src/dumm/Makefile.in b/src/dumm/Makefile.in
index 7dc53b8c0..333e616d3 100644
--- a/src/dumm/Makefile.in
+++ b/src/dumm/Makefile.in
@@ -33,7 +33,7 @@ PRE_UNINSTALL = :
 POST_UNINSTALL = :
 build_triplet = @build@
 host_triplet = @host@
-ipsec_PROGRAMS = dumm$(EXEEXT) testing$(EXEEXT)
+ipsec_PROGRAMS = dumm$(EXEEXT) irdumm$(EXEEXT)
 subdir = src/dumm
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
@@ -62,9 +62,9 @@ am_dumm_OBJECTS = main.$(OBJEXT)
 dumm_OBJECTS = $(am_dumm_OBJECTS)
 am__DEPENDENCIES_1 =
 dumm_DEPENDENCIES = $(am__DEPENDENCIES_1)
-am_testing_OBJECTS = testing.$(OBJEXT)
-testing_OBJECTS = $(am_testing_OBJECTS)
-testing_DEPENDENCIES =
+am_irdumm_OBJECTS = irdumm.$(OBJEXT)
+irdumm_OBJECTS = $(am_irdumm_OBJECTS)
+irdumm_DEPENDENCIES =
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
@@ -77,9 +77,8 @@ CCLD = $(CC)
 LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
 	$(LDFLAGS) -o $@
-SOURCES = $(libdumm_la_SOURCES) $(dumm_SOURCES) $(testing_SOURCES)
-DIST_SOURCES = $(libdumm_la_SOURCES) $(dumm_SOURCES) \
-	$(testing_SOURCES)
+SOURCES = $(libdumm_la_SOURCES) $(dumm_SOURCES) $(irdumm_SOURCES)
+DIST_SOURCES = $(libdumm_la_SOURCES) $(dumm_SOURCES) $(irdumm_SOURCES)
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -198,6 +197,8 @@ localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
@@ -217,16 +218,23 @@ top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
+EXTRA_DIST = ext/dumm.c ext/extconf.rb ext/README \
+  ext/lib/dumm.rb ext/lib/dumm/guest.rb
+
 lib_LTLIBRARIES = libdumm.la
 libdumm_la_SOURCES = dumm.c dumm.h guest.c guest.h iface.c iface.h \
   bridge.c bridge.h mconsole.c mconsole.h cowfs.h cowfs.c
 
 dumm_SOURCES = main.c
-testing_SOURCES = testing.c
-libdumm_la_LIBADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -lbridge -lfuse -lutil
+irdumm_SOURCES = irdumm.c
+libdumm_la_LIBADD = $(top_builddir)/src/libstrongswan/libstrongswan.la \
+  -lbridge -lfuse -lutil
+
 dumm_LDADD = -ldumm ${gtk_LIBS}
-testing_LDADD = -ldumm
-INCLUDES = -I$(top_srcdir)/src/libstrongswan ${gtk_CFLAGS}
+irdumm_LDADD = -ldumm -lruby1.8
+INCLUDES = -I$(top_srcdir)/src/libstrongswan ${gtk_CFLAGS} \
+  -I/usr/lib/ruby/1.8/i486-linux/
+
 AM_CFLAGS = -D_FILE_OFFSET_BITS=64
 all: all-am
 
@@ -321,9 +329,9 @@ clean-ipsecPROGRAMS:
 dumm$(EXEEXT): $(dumm_OBJECTS) $(dumm_DEPENDENCIES) 
 	@rm -f dumm$(EXEEXT)
 	$(LINK) $(dumm_OBJECTS) $(dumm_LDADD) $(LIBS)
-testing$(EXEEXT): $(testing_OBJECTS) $(testing_DEPENDENCIES) 
-	@rm -f testing$(EXEEXT)
-	$(LINK) $(testing_OBJECTS) $(testing_LDADD) $(LIBS)
+irdumm$(EXEEXT): $(irdumm_OBJECTS) $(irdumm_DEPENDENCIES) 
+	@rm -f irdumm$(EXEEXT)
+	$(LINK) $(irdumm_OBJECTS) $(irdumm_LDADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -336,9 +344,9 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/dumm.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/guest.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/iface.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/irdumm.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/main.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mconsole.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/testing.Po@am__quote@
 
 .c.o:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
diff --git a/src/dumm/bridge.c b/src/dumm/bridge.c
index cb8017c78..209e54fc1 100644
--- a/src/dumm/bridge.c
+++ b/src/dumm/bridge.c
@@ -111,20 +111,24 @@ static bool connect_iface(private_bridge_t *this, iface_t *iface)
  */
 static int instances = 0;
 
-/**
- * unregister an interface from bridge
- */
-static void unregister(iface_t *iface)
-{
-	iface->set_bridge(iface, NULL);
-}
-
 /**
  * Implementation of bridge_t.destroy.
  */
 static void destroy(private_bridge_t *this)
 {
-	this->ifaces->invoke_function(this->ifaces, (linked_list_invoke_t)unregister);
+	enumerator_t *enumerator;
+	iface_t *iface;
+
+	enumerator = this->ifaces->create_enumerator(this->ifaces);
+	while (enumerator->enumerate(enumerator, (void**)&iface))
+	{
+		if (br_del_interface(this->name, iface->get_hostif(iface)) != 0)
+		{
+			DBG1("disconnecting iface '%s' failed: %m", iface->get_hostif(iface));
+		}
+		iface->set_bridge(iface, NULL);
+	}
+	enumerator->destroy(enumerator);
 	this->ifaces->destroy(this->ifaces);
 	iface_control(this->name, FALSE);
 	if (br_del_bridge(this->name) != 0)
diff --git a/src/dumm/cowfs.c b/src/dumm/cowfs.c
index 4c16c7c5d..88041811e 100644
--- a/src/dumm/cowfs.c
+++ b/src/dumm/cowfs.c
@@ -709,8 +709,9 @@ static int cowfs_write(const char *path, const char *buf, size_t size,
 
 	rel(&path);
 
-	fd = get_rd(path);
-	if (fd == this->master_fd)
+	fd = get_wr(path);
+	if (fd == this->master_fd ||
+		(this->over_fd > 0 && fd == this->host_fd))
 	{
 		fd = copy(path);
 		if (fd < 0)
@@ -858,13 +859,15 @@ cowfs_t *cowfs_create(char *master, char *host, char *mount)
     {
     	DBG1("failed to open master filesystem '%s'", master);
     	free(this);
+    	return NULL;
     }
     this->host_fd = open(host, O_RDONLY | O_DIRECTORY);
-	if (this->master_fd < 0)
+	if (this->host_fd < 0)
     {
     	DBG1("failed to open host filesystem '%s'", host);
     	close(this->master_fd);
     	free(this);
+    	return NULL;
     }
 	this->over_fd = -1;
 	
diff --git a/src/dumm/dumm.c b/src/dumm/dumm.c
index 5db8eaee0..eaefddb60 100644
--- a/src/dumm/dumm.c
+++ b/src/dumm/dumm.c
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2008 Tobias Brunner
  * Copyright (C) 2007 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -29,8 +30,6 @@
 
 #define PERME (S_IRWXU | S_IRWXG)
 #define GUEST_DIR "guests"
-#define TEMPLATE_DIR "templates"
-#define TEMPLATE_DIR_DIR "diff"
 
 typedef struct private_dumm_t private_dumm_t;
 
@@ -41,27 +40,23 @@ struct private_dumm_t {
 	char *dir;
 	/** directory of guests */
 	char *guest_dir;
-	/** directory of templates */
-	char *template_dir;
 	/** directory of loaded template */
 	char *template;
 	/** list of managed guests */
 	linked_list_t *guests;
 	/** list of managed bridges */
 	linked_list_t *bridges;
-	/** do not catch signals if we are destroying */
-	bool destroying;
 };
 
 /**
  * Implementation of dumm_t.create_guest.
  */
 static guest_t* create_guest(private_dumm_t *this, char *name, char *kernel, 
-							 char *master, int mem)
+							 char *master, char *args)
 {
 	guest_t *guest;
 	
-	guest = guest_create(this->guest_dir, name, kernel, master, mem);
+	guest = guest_create(this->guest_dir, name, kernel, master, args);
 	if (guest)
 	{
 		this->guests->insert_last(this->guests, guest);
@@ -153,45 +148,36 @@ static void clear_template(private_dumm_t *this)
 /**
  * Implementation of dumm_t.load_template.
  */
-static bool load_template(private_dumm_t *this, char *name)
+static bool load_template(private_dumm_t *this, char *dir)
 {
 	enumerator_t *enumerator;
 	guest_t *guest;
-	char dir[PATH_MAX];
-	size_t len;
 	
 	clear_template(this);
 	
-	if (name == NULL)
+	if (dir == NULL)
 	{
 		return TRUE;
 	}
-
-	free(this->template);
-	asprintf(&this->template, "%s/%s", this->template_dir, name);
-	len = snprintf(dir, sizeof(dir), "%s/%s", this->template, TEMPLATE_DIR_DIR);
-	if (len < 0 || len >= sizeof(dir))
+	if (strlen(dir) > PATH_MAX)
 	{
+		DBG1("template directory string '%s' is too long", dir);
 		return FALSE;
 	}
 	
+	this->template = strdup(dir);
 	if (access(this->template, F_OK) != 0)
 	{	/* does not exist, create template */
-		if (mkdir(this->template, PERME) != 0)
+		if (!mkdir_p(this->template, PERME))
 		{
 			DBG1("creating template directory '%s' failed: %m", this->template);
 			return FALSE;
 		}
-		if (mkdir(dir, PERME) != 0)
-		{
-			DBG1("creating template overlay directory '%s' failed: %m", dir);
-			return FALSE;
-		}
 	}
 	enumerator = this->guests->create_enumerator(this->guests);
 	while (enumerator->enumerate(enumerator, (void**)&guest))
 	{
-		if (!guest->load_template(guest, dir))
+		if (!guest->load_template(guest, this->template))
 		{
 			enumerator->destroy(enumerator);
 			clear_template(this);
@@ -219,10 +205,12 @@ static void destroy(private_dumm_t *this)
 	}
 	enumerator->destroy(enumerator);
 	
-	this->destroying = TRUE;
-	this->guests->destroy_offset(this->guests, offsetof(guest_t, destroy));
+	while (this->guests->remove_last(this->guests, (void**)&guest) == SUCCESS)
+	{
+		guest->destroy(guest);
+	}
+	this->guests->destroy(this->guests);
 	free(this->guest_dir);
-	free(this->template_dir);
 	free(this->template);
 	free(this->dir);
 	free(this);
@@ -270,7 +258,7 @@ dumm_t *dumm_create(char *dir)
 	char cwd[PATH_MAX];
 	private_dumm_t *this = malloc_thing(private_dumm_t);
 	
-	this->public.create_guest = (guest_t*(*)(dumm_t*,char*,char*,char*,int))create_guest;
+	this->public.create_guest = (guest_t*(*)(dumm_t*,char*,char*,char*,char*))create_guest;
 	this->public.create_guest_enumerator = (enumerator_t*(*)(dumm_t*))create_guest_enumerator;
 	this->public.delete_guest = (void(*)(dumm_t*,guest_t*))delete_guest;
 	this->public.create_bridge = (bridge_t*(*)(dumm_t*, char *name))create_bridge;
@@ -279,8 +267,6 @@ dumm_t *dumm_create(char *dir)
 	this->public.load_template = (bool(*)(dumm_t*, char *name))load_template;
 	this->public.destroy = (void(*)(dumm_t*))destroy;
 	
-	this->destroying = FALSE;
-	
 	if (dir && *dir == '/')
 	{
 		this->dir = strdup(dir);
@@ -303,7 +289,6 @@ dumm_t *dumm_create(char *dir)
 	}
 	this->template = NULL;
 	asprintf(&this->guest_dir, "%s/%s", this->dir, GUEST_DIR);
-	asprintf(&this->template_dir, "%s/%s", this->dir, TEMPLATE_DIR);
 	this->guests = linked_list_create();
 	this->bridges = linked_list_create();
 	
@@ -313,13 +298,7 @@ dumm_t *dumm_create(char *dir)
 		destroy(this);
 		return NULL;
 	}
-	if (mkdir(this->template_dir, PERME) < 0 && errno != EEXIST)
-	{
-		DBG1("creating template directory '%s' failed: %m", this->template_dir);
-		destroy(this);
-		return NULL;
-	}
-	
+		
 	load_guests(this);
 	return &this->public;
 }
diff --git a/src/dumm/dumm.h b/src/dumm/dumm.h
index 6abf4fc92..f5db0e45b 100644
--- a/src/dumm/dumm.h
+++ b/src/dumm/dumm.h
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2008 Tobias Brunner
  * Copyright (C) 2007 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -39,11 +40,11 @@ struct dumm_t {
 	 * @param name		name of the guest
 	 * @param kernel	UML kernel to use for guest
 	 * @param master	mounted read only master filesystem
-	 * @param mem		amount of memory for guest, in MB
+	 * @param args		additional args to pass to kernel
 	 * @return			guest if started, NULL if failed
 	 */
 	guest_t* (*create_guest) (dumm_t *this, char *name, char *kernel, 
-							  char *master, int mem);
+							  char *master, char *args);
 	
 	/**
 	 * @brief Create an enumerator over all guests.
@@ -84,10 +85,10 @@ struct dumm_t {
 	/**
 	 * @brief Loads a template, create a new one if it does not exist.
 	 *
-	 * @param name		name of the template, NULL to close
+	 * @param name		dir to the template, NULL to close
 	 * @return			FALSE if load/create failed
 	 */
-	bool (*load_template)(dumm_t *this, char *name);
+	bool (*load_template)(dumm_t *this, char *dir);
 	
 	/**
 	 * @brief stop all guests and destroy the modeler
diff --git a/src/dumm/ext/README b/src/dumm/ext/README
new file mode 100644
index 000000000..270d9d59d
--- /dev/null
+++ b/src/dumm/ext/README
@@ -0,0 +1,8 @@
+DUMM Ruby Extension
+===================
+
+Build and Install
+
+  $ ruby extconf.rb
+  $ make
+  # make install
diff --git a/src/dumm/ext/dumm.c b/src/dumm/ext/dumm.c
new file mode 100644
index 000000000..97f14ef85
--- /dev/null
+++ b/src/dumm/ext/dumm.c
@@ -0,0 +1,633 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ * 
+ * $Id: dumm.c 4410 2008-10-10 11:20:04Z martin $
+ */
+
+#include <stdio.h>
+#include <signal.h>
+#include <unistd.h>
+#include <fcntl.h>
+
+#include <library.h>
+#include <dumm.h>
+#include <debug.h>
+
+#undef PACKAGE_NAME
+#undef PACKAGE_TARNAME
+#undef PACKAGE_VERSION
+#undef PACKAGE_STRING
+#include <ruby.h>
+
+static dumm_t *dumm;
+
+static VALUE rbm_dumm;
+static VALUE rbc_guest;
+static VALUE rbc_bridge;
+static VALUE rbc_iface;
+static VALUE rbc_template;
+
+/**
+ * Guest invocation callback
+ */
+static pid_t invoke(void *null, guest_t *guest, char *args[], int argc)
+{
+	pid_t pid;
+	
+	pid = fork();
+	switch (pid)
+	{
+		case 0: /* child */
+			/* create a new process group in order to prevent signals (e.g.
+			 * SIGINT) sent to the parent from terminating the child */
+			setpgid(0, 0);
+			dup2(open("/dev/null", 0), 1);
+			dup2(open("/dev/null", 0), 2);
+			execvp(args[0], args);
+			/* FALL */
+		case -1:
+			return 0;
+		default:
+			return pid;
+	}
+}
+
+/**
+ * SIGCHLD signal handler
+ */
+static void sigchld_handler(int signal, siginfo_t *info, void* ptr)
+{
+	enumerator_t *enumerator;
+	guest_t *guest;
+	
+	enumerator = dumm->create_guest_enumerator(dumm);
+	while (enumerator->enumerate(enumerator, &guest))
+	{
+		if (guest->get_pid(guest) == info->si_pid)
+		{
+			guest->sigchild(guest);
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+}
+
+
+
+/**
+ * Guest bindings
+ */
+static VALUE guest_find(VALUE class, VALUE key)
+{
+	enumerator_t *enumerator;
+	guest_t *guest, *found = NULL;
+	if (TYPE(key) == T_SYMBOL) {
+		key = rb_convert_type(key, T_STRING, "String", "to_s");
+	}
+	enumerator = dumm->create_guest_enumerator(dumm);
+	while (enumerator->enumerate(enumerator, &guest))
+	{
+		if (streq(guest->get_name(guest), StringValuePtr(key)))
+		{
+			found = guest;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	if (!found)
+	{
+		return Qnil;
+	}
+	return Data_Wrap_Struct(class, NULL, NULL, found);
+}
+
+static VALUE guest_get(VALUE class, VALUE key)
+{
+	VALUE guest = guest_find(class, key);
+	if (NIL_P(guest))
+	{
+		rb_raise(rb_eRuntimeError, "guest not found");
+	}
+	return guest;
+}
+
+static VALUE guest_each(int argc, VALUE *argv, VALUE class)
+{
+	enumerator_t *enumerator;
+	guest_t *guest;
+
+	if (!rb_block_given_p())
+    {
+		rb_raise(rb_eArgError, "must be called with a block");
+	}
+	enumerator = dumm->create_guest_enumerator(dumm);
+	while (enumerator->enumerate(enumerator, &guest))
+	{
+  		rb_yield(Data_Wrap_Struct(class, NULL, NULL, guest));
+	}
+	enumerator->destroy(enumerator);
+	return class;
+}
+
+static VALUE guest_new(VALUE class, VALUE name, VALUE kernel,
+					   VALUE master, VALUE args)
+{
+	guest_t *guest;
+	
+	guest = dumm->create_guest(dumm, StringValuePtr(name), StringValuePtr(kernel),
+							   StringValuePtr(master), StringValuePtr(args));
+	if (!guest)
+	{
+		rb_raise(rb_eRuntimeError, "creating guest failed");
+	}
+	return Data_Wrap_Struct(class, NULL, NULL, guest);
+}
+
+static VALUE guest_to_s(VALUE self)
+{
+	guest_t *guest;
+	
+	Data_Get_Struct(self, guest_t, guest);
+	return rb_str_new2(guest->get_name(guest));
+}
+
+static VALUE guest_start(VALUE self)
+{
+	guest_t *guest;
+	
+	Data_Get_Struct(self, guest_t, guest);
+	
+	if (!guest->start(guest, invoke, NULL, NULL))
+	{
+		rb_raise(rb_eRuntimeError, "starting guest failed");
+	}
+	return self;
+}
+
+static VALUE guest_stop(VALUE self)
+{
+	guest_t *guest;
+	
+	Data_Get_Struct(self, guest_t, guest);
+	guest->stop(guest, NULL);
+	return self;
+}
+
+static VALUE guest_running(VALUE self)
+{
+	guest_t *guest;
+	
+	Data_Get_Struct(self, guest_t, guest);
+	return guest->get_pid(guest) ? Qtrue : Qfalse;
+}
+
+static void exec_cb(void *data, char *buf)
+{
+	rb_yield(rb_str_new2(buf));
+}
+
+static VALUE guest_exec(VALUE self, VALUE cmd)
+{
+	guest_t *guest;
+	bool block;
+	int ret;
+	
+	block = rb_block_given_p();
+	Data_Get_Struct(self, guest_t, guest);
+	if ((ret = guest->exec_str(guest, block ? (void*)exec_cb : NULL, TRUE, NULL,
+					"%s", StringValuePtr(cmd))) != 0)
+	{
+		rb_raise(rb_eRuntimeError, "executing command failed (%d)", ret);
+	}
+	return self;
+}
+
+static VALUE guest_add_iface(VALUE self, VALUE name)
+{
+	guest_t *guest;
+	iface_t *iface;
+	
+	Data_Get_Struct(self, guest_t, guest);
+	iface = guest->create_iface(guest, StringValuePtr(name));
+	if (!iface)
+	{
+		rb_raise(rb_eRuntimeError, "adding interface failed");
+	}
+	return Data_Wrap_Struct(rbc_iface, NULL, NULL, iface);
+}
+
+static VALUE guest_find_iface(VALUE self, VALUE key)
+{
+	enumerator_t *enumerator;
+	iface_t *iface, *found = NULL;
+	guest_t *guest;
+	if (TYPE(key) == T_SYMBOL) {
+		key = rb_convert_type(key, T_STRING, "String", "to_s");
+	}
+	Data_Get_Struct(self, guest_t, guest);
+	enumerator = guest->create_iface_enumerator(guest);
+	while (enumerator->enumerate(enumerator, &iface))
+	{
+		if (streq(iface->get_guestif(iface), StringValuePtr(key)))
+		{
+			found = iface;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	if (!found)
+	{
+		return Qnil;
+	}
+	return Data_Wrap_Struct(rbc_iface, NULL, NULL, iface);
+}
+
+static VALUE guest_get_iface(VALUE self, VALUE key)
+{
+	VALUE iface = guest_find_iface(self, key);
+	if (NIL_P(iface))
+	{
+		rb_raise(rb_eRuntimeError, "interface not found");
+	}
+	return iface;
+}
+
+static VALUE guest_each_iface(int argc, VALUE *argv, VALUE self)
+{
+	enumerator_t *enumerator;
+	guest_t *guest;
+	iface_t *iface;
+
+	if (!rb_block_given_p())
+    {
+		rb_raise(rb_eArgError, "must be called with a block");
+	}
+	Data_Get_Struct(self, guest_t, guest);
+	enumerator = guest->create_iface_enumerator(guest);
+	while (enumerator->enumerate(enumerator, &iface))
+	{
+  		rb_yield(Data_Wrap_Struct(rbc_iface, NULL, NULL, iface));
+	}
+	enumerator->destroy(enumerator);
+	return self;
+}
+
+static VALUE guest_delete(VALUE self)
+{
+	guest_t *guest;
+	
+	Data_Get_Struct(self, guest_t, guest);
+	dumm->delete_guest(dumm, guest);
+	return Qnil;
+}
+
+static void guest_init()
+{
+	rbc_guest = rb_define_class_under(rbm_dumm , "Guest", rb_cObject);
+	rb_include_module(rb_class_of(rbc_guest), rb_mEnumerable);
+	rb_include_module(rbc_guest, rb_mEnumerable);
+	
+	rb_define_singleton_method(rbc_guest, "[]", guest_get, 1);
+	rb_define_singleton_method(rbc_guest, "each", guest_each, -1);
+	rb_define_singleton_method(rbc_guest, "new", guest_new, 4);
+	rb_define_singleton_method(rbc_guest, "include?", guest_find, 1);
+	rb_define_singleton_method(rbc_guest, "guest?", guest_find, 1);
+	
+	rb_define_method(rbc_guest, "to_s", guest_to_s, 0);
+	rb_define_method(rbc_guest, "start", guest_start, 0);
+	rb_define_method(rbc_guest, "stop", guest_stop, 0);
+	rb_define_method(rbc_guest, "running?", guest_running, 0);
+	rb_define_method(rbc_guest, "exec", guest_exec, 1);
+	rb_define_method(rbc_guest, "add", guest_add_iface, 1);
+	rb_define_method(rbc_guest, "[]", guest_get_iface, 1);
+	rb_define_method(rbc_guest, "each", guest_each_iface, -1);
+	rb_define_method(rbc_guest, "include?", guest_find_iface, 1);
+	rb_define_method(rbc_guest, "iface?", guest_find_iface, 1);
+	rb_define_method(rbc_guest, "delete", guest_delete, 0);
+}
+
+/**
+ * Bridge binding
+ */
+static VALUE bridge_get(VALUE class, VALUE key)
+{
+	enumerator_t *enumerator;
+	bridge_t *bridge, *found = NULL;
+	
+	enumerator = dumm->create_bridge_enumerator(dumm);
+	while (enumerator->enumerate(enumerator, &bridge))
+	{
+		if (streq(bridge->get_name(bridge), StringValuePtr(key)))
+		{
+			found = bridge;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	if (!found)
+	{
+		rb_raise(rb_eRuntimeError, "bridge not found");
+	}
+	return Data_Wrap_Struct(class, NULL, NULL, found);
+}
+
+static VALUE bridge_each(int argc, VALUE *argv, VALUE class)
+{
+	enumerator_t *enumerator;
+	bridge_t *bridge;
+
+	if (!rb_block_given_p())
+    {
+		rb_raise(rb_eArgError, "must be called with a block");
+	}
+	enumerator = dumm->create_bridge_enumerator(dumm);
+	while (enumerator->enumerate(enumerator, &bridge))
+	{
+  		rb_yield(Data_Wrap_Struct(class, NULL, NULL, bridge));
+	}
+	enumerator->destroy(enumerator);
+	return class;
+}
+
+static VALUE bridge_new(VALUE class, VALUE name)
+
+{
+	bridge_t *bridge;
+	
+	bridge = dumm->create_bridge(dumm, StringValuePtr(name));
+	if (!bridge)
+	{
+		rb_raise(rb_eRuntimeError, "creating bridge failed");
+	}
+	return Data_Wrap_Struct(class, NULL, NULL, bridge);
+}
+
+static VALUE bridge_to_s(VALUE self)
+{
+	bridge_t *bridge;
+	
+	Data_Get_Struct(self, bridge_t, bridge);
+	return rb_str_new2(bridge->get_name(bridge));
+}
+
+static VALUE bridge_each_iface(int argc, VALUE *argv, VALUE self)
+{
+	enumerator_t *enumerator;
+	bridge_t *bridge;
+	iface_t *iface;
+
+	if (!rb_block_given_p())
+    {
+		rb_raise(rb_eArgError, "must be called with a block");
+	}
+	Data_Get_Struct(self, bridge_t, bridge);
+	enumerator = bridge->create_iface_enumerator(bridge);
+	while (enumerator->enumerate(enumerator, &iface))
+	{
+  		rb_yield(Data_Wrap_Struct(rbc_iface, NULL, NULL, iface));
+	}
+	enumerator->destroy(enumerator);
+	return self;
+}
+
+static VALUE bridge_delete(VALUE self)
+{
+	bridge_t *bridge;
+	
+	Data_Get_Struct(self, bridge_t, bridge);
+	dumm->delete_bridge(dumm, bridge);
+	return Qnil;
+}
+
+static void bridge_init()
+{
+	rbc_bridge = rb_define_class_under(rbm_dumm , "Bridge", rb_cObject);
+	rb_include_module(rb_class_of(rbc_bridge), rb_mEnumerable);
+	rb_include_module(rbc_bridge, rb_mEnumerable);
+	
+	rb_define_singleton_method(rbc_bridge, "[]", bridge_get, 1);
+	rb_define_singleton_method(rbc_bridge, "each", bridge_each, -1);
+	rb_define_singleton_method(rbc_bridge, "new", bridge_new, 1);
+	
+	rb_define_method(rbc_bridge, "to_s", bridge_to_s, 0);
+	rb_define_method(rbc_bridge, "each", bridge_each_iface, -1);
+	rb_define_method(rbc_bridge, "delete", bridge_delete, 0);
+}
+
+/**
+ * Iface wrapper
+ */
+static VALUE iface_to_s(VALUE self)
+{
+	iface_t *iface;
+	
+	Data_Get_Struct(self, iface_t, iface);
+	return rb_str_new2(iface->get_hostif(iface));
+}
+
+static VALUE iface_connect(VALUE self, VALUE vbridge)
+{
+	iface_t *iface;
+	bridge_t *bridge;
+	
+	Data_Get_Struct(self, iface_t, iface);
+	Data_Get_Struct(vbridge, bridge_t, bridge);
+	if (!bridge->connect_iface(bridge, iface))
+	{
+		rb_raise(rb_eRuntimeError, "connecting iface failed");
+	}
+	return self;
+}
+
+static VALUE iface_disconnect(VALUE self)
+{
+	iface_t *iface;
+	bridge_t *bridge;
+	
+	Data_Get_Struct(self, iface_t, iface);
+	bridge = iface->get_bridge(iface);
+	if (!bridge || !bridge->disconnect_iface(bridge, iface))
+	{
+		rb_raise(rb_eRuntimeError, "disconnecting iface failed");
+	}
+	return self;
+}
+
+static VALUE iface_add_addr(VALUE self, VALUE name)
+{
+	iface_t *iface;
+	host_t *addr;
+	
+	addr = host_create_from_string(StringValuePtr(name), 0);
+	if (!addr)
+	{
+		rb_raise(rb_eArgError, "invalid IP address");
+	}
+	Data_Get_Struct(self, iface_t, iface);
+	if (!iface->add_address(iface, addr))
+	{
+		addr->destroy(addr);
+		rb_raise(rb_eRuntimeError, "adding address failed");
+	}
+	if (rb_block_given_p()) {
+		rb_yield(self);
+		iface->delete_address(iface, addr);
+	}
+	addr->destroy(addr);
+	return self;
+}
+
+static VALUE iface_each_addr(int argc, VALUE *argv, VALUE self)
+{
+	enumerator_t *enumerator;
+	iface_t *iface;
+	host_t *addr;
+	char buf[64];
+
+	if (!rb_block_given_p())
+    {
+		rb_raise(rb_eArgError, "must be called with a block");
+	}
+	Data_Get_Struct(self, iface_t, iface);
+	enumerator = iface->create_address_enumerator(iface);
+	while (enumerator->enumerate(enumerator, &addr))
+	{
+		snprintf(buf, sizeof(buf), "%H", addr);
+  		rb_yield(rb_str_new2(buf));
+	}
+	enumerator->destroy(enumerator);
+	return self;
+}
+
+static VALUE iface_del_addr(VALUE self, VALUE vaddr)
+{
+	iface_t *iface;
+	host_t *addr;
+	
+	addr = host_create_from_string(StringValuePtr(vaddr), 0);
+	if (!addr)
+	{
+		rb_raise(rb_eArgError, "invalid IP address");
+	}
+	Data_Get_Struct(self, iface_t, iface);
+	if (!iface->delete_address(iface, addr))
+	{
+		addr->destroy(addr);
+		rb_raise(rb_eRuntimeError, "address not found");
+	}
+	if (rb_block_given_p()) {
+		rb_yield(self);
+		iface->add_address(iface, addr);
+	}
+	addr->destroy(addr);
+	return self;
+}
+
+static VALUE iface_delete(VALUE self)
+{
+	guest_t *guest;
+	iface_t *iface;
+	
+	Data_Get_Struct(self, iface_t, iface);
+	guest = iface->get_guest(iface);
+	guest->destroy_iface(guest, iface);
+	return Qnil;
+}
+
+static void iface_init()
+{
+	rbc_iface = rb_define_class_under(rbm_dumm , "Iface", rb_cObject);
+	rb_include_module(rbc_iface, rb_mEnumerable);
+	
+	rb_define_method(rbc_iface, "to_s", iface_to_s, 0);
+	rb_define_method(rbc_iface, "connect", iface_connect, 1);
+	rb_define_method(rbc_iface, "disconnect", iface_disconnect, 0);
+	rb_define_method(rbc_iface, "add", iface_add_addr, 1);
+	rb_define_method(rbc_iface, "del", iface_del_addr, 1);
+	rb_define_method(rbc_iface, "each", iface_each_addr, -1);
+	rb_define_method(rbc_iface, "delete", iface_delete, 0);
+}
+
+static VALUE template_load(VALUE class, VALUE dir)
+{
+	if (!dumm->load_template(dumm, StringValuePtr(dir)))
+	{
+		rb_raise(rb_eRuntimeError, "loading template failed");
+	}
+	return class;
+}
+
+static VALUE template_unload(VALUE class)
+{
+	if (!dumm->load_template(dumm, NULL))
+	{
+		rb_raise(rb_eRuntimeError, "unloading template failed");
+	}
+	return class;
+}
+
+static void template_init()
+{
+	rbc_template = rb_define_class_under(rbm_dumm , "Template", rb_cObject);
+	
+	rb_define_singleton_method(rbc_template, "load", template_load, 1);
+	rb_define_singleton_method(rbc_template, "unload", template_unload, 0);
+}
+
+/**
+ * extension finalization
+ */
+void Final_dumm()
+{
+	struct sigaction action;
+	
+	dumm->destroy(dumm);
+	
+	sigemptyset(&action.sa_mask);
+	action.sa_handler = SIG_DFL;
+	action.sa_flags = 0;
+	sigaction(SIGCHLD, &action, NULL);
+	
+	library_deinit();
+}
+
+/**
+ * extension initialization
+ */
+void Init_dumm()
+{
+	struct sigaction action;
+	
+	/* there are too many to report, rubyruby... */
+	setenv("LEAK_DETECTIVE_DISABLE", "1", 1);
+	
+	library_init(NULL);
+	
+	dumm = dumm_create(NULL);
+	
+	rbm_dumm = rb_define_module("Dumm");
+	
+	guest_init();
+	bridge_init();
+	iface_init();
+	template_init();
+	
+	sigemptyset(&action.sa_mask);
+	action.sa_sigaction = sigchld_handler;
+	action.sa_flags = SA_SIGINFO;
+	sigaction(SIGCHLD, &action, NULL);
+	
+	rb_set_end_proc(Final_dumm, 0);
+}
diff --git a/src/dumm/ext/extconf.rb b/src/dumm/ext/extconf.rb
new file mode 100644
index 000000000..136be5c2c
--- /dev/null
+++ b/src/dumm/ext/extconf.rb
@@ -0,0 +1,21 @@
+#
+# DUMM for Ruby
+#
+
+require "mkmf"
+
+dir_config("dumm")
+
+unless find_header('library.h', '../../libstrongswan') and
+       find_header('dumm.h', '..')
+  puts "... failed: one or more header files not found!"
+  exit
+end
+
+unless find_library('dumm', 'dumm_create')
+  puts "... failed: 'libdumm' not found!"
+  exit
+end
+
+create_makefile("dumm")
+
diff --git a/src/dumm/ext/lib/dumm.rb b/src/dumm/ext/lib/dumm.rb
new file mode 100644
index 000000000..2e860ae9f
--- /dev/null
+++ b/src/dumm/ext/lib/dumm.rb
@@ -0,0 +1,21 @@
+=begin
+  Copyright (C) 2008 Tobias Brunner
+  Hochschule fuer Technik Rapperswil
+
+  This program is free software; you can redistribute it and/or modify it
+  under the terms of the GNU General Public License as published by the
+  Free Software Foundation; either version 2 of the License, or (at your
+  option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+
+  This program is distributed in the hope that it will be useful, but
+  WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+  or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+  for more details.
+
+  $Id: dumm.rb 4295 2008-08-27 07:35:20Z tobias $
+=end
+
+require 'dumm.so'
+require 'dumm/guest'
+
+# vim:sw=2 ts=2 et
diff --git a/src/dumm/ext/lib/dumm/guest.rb b/src/dumm/ext/lib/dumm/guest.rb
new file mode 100644
index 000000000..bdd0c33d8
--- /dev/null
+++ b/src/dumm/ext/lib/dumm/guest.rb
@@ -0,0 +1,40 @@
+=begin
+  Copyright (C) 2008 Tobias Brunner
+  Hochschule fuer Technik Rapperswil
+
+  This program is free software; you can redistribute it and/or modify it
+  under the terms of the GNU General Public License as published by the
+  Free Software Foundation; either version 2 of the License, or (at your
+  option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+
+  This program is distributed in the hope that it will be useful, but
+  WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+  or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+  for more details.
+
+  $Id: guest.rb 4295 2008-08-27 07:35:20Z tobias $
+=end
+
+module Dumm
+  class Guest
+    # accessor for guests
+    # e.g. Guest.sun instead of Guest["sun"]
+    def self.method_missing(id, *args)
+      unless guest? id
+        super(id, *args)
+      end
+      Guest[id]
+    end
+    
+    # accessor for interfaces
+    # e.g. guest.eth0 instead of guest["eth0"]
+    def method_missing(id, *args)
+      unless iface? id
+        super(id, *args)
+      end
+      self[id]
+    end
+  end
+end
+
+# vim:sw=2 ts=2 et
diff --git a/src/dumm/guest.c b/src/dumm/guest.c
index 4b2652688..aed2a3e18 100644
--- a/src/dumm/guest.c
+++ b/src/dumm/guest.c
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2008 Tobias Brunner
  * Copyright (C) 2007 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -25,6 +26,7 @@
 #include <signal.h>
 #include <dirent.h>
 #include <termios.h>
+#include <stdarg.h>
 
 #include <debug.h>
 #include <utils/linked_list.h>
@@ -40,7 +42,7 @@
 #define MASTER_DIR "master"
 #define DIFF_DIR "diff"
 #define UNION_DIR "union"
-#define MEMORY_FILE "mem"
+#define ARGS_FILE "args"
 #define PID_FILE "pid"
 #define KERNEL_FILE "linux"
 #define LOG_FILE "boot.log"
@@ -58,8 +60,8 @@ struct private_guest_t {
 	int dir;
 	/** directory name of guest */
 	char *dirname;
-	/** amount of memory for guest, in MB */
-	int mem;
+	/** additional args to pass to guest */
+	char *args;
 	/** pid of guest child process */
 	int pid;
 	/** state of guest */
@@ -114,7 +116,7 @@ static iface_t* create_iface(private_guest_t *this, char *name)
 	}
 	enumerator->destroy(enumerator);
 
-	iface = iface_create(this->name, name, this->mconsole);
+	iface = iface_create(name, &this->public, this->mconsole);
 	if (iface)
 	{
 		this->ifaces->insert_last(this->ifaces, iface);
@@ -212,6 +214,7 @@ static void stop(private_guest_t *this, idle_function_t idle)
 			}
 		}
 		unlinkat(this->dir, PID_FILE, 0);
+		this->pid = 0;
 	}
 }
 
@@ -255,15 +258,19 @@ static bool start(private_guest_t *this, invoke_function_t invoke, void* data,
 	
 	notify = write_arg(&pos, &left, "%s/%s", this->dirname, NOTIFY_FILE);
 	
+	args[i++] = write_arg(&pos, &left, "nice");
 	args[i++] = write_arg(&pos, &left, "%s/%s", this->dirname, KERNEL_FILE);
 	args[i++] = write_arg(&pos, &left, "root=/dev/root");
 	args[i++] = write_arg(&pos, &left, "rootfstype=hostfs");
 	args[i++] = write_arg(&pos, &left, "rootflags=%s/%s", this->dirname, UNION_DIR);
 	args[i++] = write_arg(&pos, &left, "uml_dir=%s", this->dirname);
 	args[i++] = write_arg(&pos, &left, "umid=%s", this->name);
-	args[i++] = write_arg(&pos, &left, "mem=%dM", this->mem);
 	args[i++] = write_arg(&pos, &left, "mconsole=notify:%s", notify);
 	args[i++] = write_arg(&pos, &left, "con=null");
+	if (this->args)
+	{
+		args[i++] = this->args;
+	}
 	  
 	this->pid = invoke(data, &this->public, args, i);
 	if (!this->pid)
@@ -307,7 +314,7 @@ static bool load_template(private_guest_t *this, char *path)
 	}
 	if (access(dir, F_OK) != 0)
 	{
-		if (mkdir(dir, PERME) != 0)
+		if (!mkdir_p(dir, PERME))
 		{
 			DBG1("creating overlay for guest '%s' failed: %m", this->name);
 			return FALSE;
@@ -324,6 +331,119 @@ static bool load_template(private_guest_t *this, char *path)
 	return TRUE;
 }
 
+/**
+ * Variadic version of the exec function
+ */
+static int vexec(private_guest_t *this, void(*cb)(void*,char*,size_t), void *data,
+				 char *cmd, va_list args)
+{
+	char buf[1024];
+	size_t len;
+	
+	if (this->mconsole)
+	{
+		len = vsnprintf(buf, sizeof(buf), cmd, args);
+		
+		if (len > 0 && len < sizeof(buf))
+		{
+			return this->mconsole->exec(this->mconsole, cb, data, buf);
+		}
+	}
+	return -1;
+}
+
+/**
+ * Implementation of guest_t.exec
+ */
+static int exec(private_guest_t *this, void(*cb)(void*,char*,size_t), void *data,
+				char *cmd, ...)
+{
+	int res;
+	va_list args;
+	va_start(args, cmd);
+	res = vexec(this, cb, data, cmd, args);
+	va_end(args);
+	return res;
+}
+
+typedef struct {
+	chunk_t buf;
+	void (*cb)(void*,char*);
+	void *data;
+} exec_str_t;
+
+/**
+ * callback that combines chunks to a string. if a callback is given, the string
+ * is split at newlines and the callback is called for each line.
+ */
+static void exec_str_cb(exec_str_t *data, char *buf, size_t len)
+{
+	if (!data->buf.ptr)
+	{
+		data->buf = chunk_alloc(len + 1);
+		memcpy(data->buf.ptr, buf, len);
+		data->buf.ptr[len] = '\0';
+	}
+	else
+	{
+		size_t newlen = strlen(data->buf.ptr) + len + 1;
+		if (newlen > data->buf.len)
+		{
+			data->buf.ptr = realloc(data->buf.ptr, newlen);
+			data->buf.len = newlen;
+		}
+		strncat(data->buf.ptr, buf, len);
+	}
+	
+	if (data->cb)
+	{
+		char *nl;
+		while ((nl = strchr(data->buf.ptr, '\n')) != NULL)
+		{
+			*nl++ = '\0';
+			data->cb(data->data, data->buf.ptr);
+			memmove(data->buf.ptr, nl, strlen(nl) + 1);
+		}
+	}
+}
+
+/**
+ * Implementation of guest_t.exec_str
+ */
+static int exec_str(private_guest_t *this, void(*cb)(void*,char*), bool lines,
+					void *data, char *cmd, ...)
+{
+	int res;
+	va_list args;
+	va_start(args, cmd);
+	if (cb)
+	{
+		exec_str_t exec = { chunk_empty, NULL, NULL };
+		if (lines)
+		{
+			exec.cb = cb;
+			exec.data = data;
+		}
+		res = vexec(this, (void(*)(void*,char*,size_t))exec_str_cb, &exec, cmd, args);
+		if (exec.buf.ptr)
+		{
+			if (!lines || strlen(exec.buf.ptr) > 0)
+			{
+				/* return the complete string or the remaining stuff in the
+				 * buffer (i.e. when there was no newline at the end) */
+				cb(data, exec.buf.ptr);
+			}
+			chunk_free(&exec.buf);
+		}
+	}
+	else
+	{
+		res = vexec(this, NULL, NULL, cmd, args);
+	}
+	va_end(args);
+	return res;
+}
+
 /**
  * Implementation of guest_t.sigchild.
  */
@@ -373,38 +493,38 @@ static bool mount_unionfs(private_guest_t *this)
 }
 
 /**
- * load memory configuration from file
+ * load args configuration from file
  */
-int loadmem(private_guest_t *this)
+char *loadargs(private_guest_t *this)
 {
 	FILE *file;
-	int mem = 0;
+	char buf[512], *args = NULL;
 	
-	file = fdopen(openat(this->dir, MEMORY_FILE, O_RDONLY, PERM), "r");
+	file = fdopen(openat(this->dir, ARGS_FILE, O_RDONLY, PERM), "r");
 	if (file)
 	{
-		if (fscanf(file, "%d", &mem) <= 0)
+		if (fgets(buf, sizeof(buf), file))
 		{
-			mem = 0;
+			args = strdup(buf);
 		}
 		fclose(file);
 	}
-	return mem;
+	return args;
 }
 
 /**
- * save memory configuration to file
+ * save args configuration to file
  */
-bool savemem(private_guest_t *this, int mem)
+bool saveargs(private_guest_t *this, char *args)
 {
 	FILE *file;
 	bool retval = FALSE;
 	
-	file = fdopen(openat(this->dir, MEMORY_FILE, O_RDWR | O_CREAT | O_TRUNC,
+	file = fdopen(openat(this->dir, ARGS_FILE, O_RDWR | O_CREAT | O_TRUNC,
 						 PERM), "w");
 	if (file)
 	{
-		if (fprintf(file, "%d", mem) > 0)
+		if (fprintf(file, "%s", args) > 0)
 		{
 			retval = TRUE;
 		}
@@ -424,7 +544,9 @@ static void destroy(private_guest_t *this)
 	{
 		close(this->dir);
 	}
+	this->ifaces->destroy(this->ifaces);
 	free(this->dirname);
+	free(this->args);
 	free(this->name);
 	free(this);
 }
@@ -447,6 +569,8 @@ static private_guest_t *guest_create_generic(char *parent, char *name,
 	this->public.start = (void*)start;
 	this->public.stop = (void*)stop;
 	this->public.load_template = (bool(*)(guest_t*, char *path))load_template;
+	this->public.exec = (int(*)(guest_t*, void(*cb)(void*,char*,size_t),void*,char*,...))exec;
+	this->public.exec_str = (int(*)(guest_t*, void(*cb)(void*,char*),bool,void*,char*,...))exec_str;
 	this->public.sigchild = (void(*)(guest_t*))sigchild;
 	this->public.destroy = (void*)destroy;
 		
@@ -474,7 +598,7 @@ static private_guest_t *guest_create_generic(char *parent, char *name,
 	this->state = GUEST_STOPPED;
 	this->mconsole = NULL;
 	this->ifaces = linked_list_create();
-	this->mem = 0;
+	this->args = NULL;
 	this->name = strdup(name);
 	this->cowfs = NULL;
 	
@@ -505,7 +629,7 @@ static bool make_symlink(private_guest_t *this, char *old, char *new)
  * create the guest instance, including required dirs and mounts 
  */
 guest_t *guest_create(char *parent, char *name, char *kernel,
-					  char *master, int mem)
+					  char *master, char *args)
 {
 	private_guest_t *this = guest_create_generic(parent, name, TRUE);
 	
@@ -530,8 +654,8 @@ guest_t *guest_create(char *parent, char *name, char *kernel,
 		return NULL;
 	}
 	
-	this->mem = mem;
-	if (!savemem(this, mem))
+	this->args = args;
+	if (args && !saveargs(this, args))
 	{
 		destroy(this);
 		return NULL;
@@ -558,13 +682,7 @@ guest_t *guest_load(char *parent, char *name)
 		return NULL;
 	}
 	
-	this->mem = loadmem(this);
-	if (this->mem == 0)
-	{
-		DBG1("unable to open memory configuration file: %m", name);
-		destroy(this);
-		return NULL;
-	}
+	this->args = loadargs(this);
 	
 	if (!mount_unionfs(this))
 	{
diff --git a/src/dumm/guest.h b/src/dumm/guest.h
index 79a47fa62..0e48b1d06 100644
--- a/src/dumm/guest.h
+++ b/src/dumm/guest.h
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2008 Tobias Brunner
  * Copyright (C) 2007 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -19,11 +20,11 @@
 #include <library.h>
 #include <utils/enumerator.h>
 
-#include "iface.h"
-
 typedef enum guest_state_t guest_state_t;
 typedef struct guest_t guest_t;
 
+#include "iface.h"
+
 /**
  * @brief State of a guest (started, stopped, ...)
  */
@@ -107,9 +108,8 @@ struct guest_t {
 	 * @brief Kill the guest.
 	 *
 	 * @param idle		idle function to call while waiting to termination
-	 * @return			TRUE if guest was running and killed
 	 */
-	bool (*stop) (guest_t *this, idle_function_t idle);
+	void (*stop) (guest_t *this, idle_function_t idle);
 	
 	/**
 	 * @brief Create a new interface in the current scenario.
@@ -140,7 +140,35 @@ struct guest_t {
 	 * @return			FALSE if failed
 	 */
 	bool (*load_template)(guest_t *this, char *parent);
-
+	
+	/**
+	 * Execute a command in the guest.
+	 *
+	 * @param cb		callback to call for each read block
+	 * @param data		data to pass to callback
+	 * @param cmd		command to execute
+	 * @param ...		printf style argument list for cmd
+	 * @return			return value
+	 */
+	int (*exec)(guest_t *this, void(*cb)(void*,char*,size_t), void *data,
+				char *cmd, ...);
+	
+	/**
+	 * Execute a command in the guest and return the output by lines or as combined
+	 * string.
+	 * 
+	 * @note This function does not work with binary output (i.e. containing 0 bytes).
+	 * 
+	 * @param cb		callback to call for each line or for the complete output
+	 * @param lines		TRUE if the callback should be called for each line (instead of for the combined output)
+	 * @param data		data to pass to callback
+	 * @param cmd		command to execute
+	 * @param ...		printf style argument list for cmd
+	 * @return			return value
+	 */
+	int (*exec_str)(guest_t *this, void(*cb)(void*,char*), bool lines,
+				void *data, char *cmd, ...);
+	
 	/**
 	 * @brief Called whenever a SIGCHILD for the guests PID is received.
 	 */
@@ -159,10 +187,11 @@ struct guest_t {
  * @param name		name of the guest to create
  * @param kernel	kernel this guest uses
  * @param master	read-only master filesystem for guest
+ * @param args		additional args to pass to kernel
  * @param mem		amount of memory to give the guest
  */
 guest_t *guest_create(char *parent, char *name, char *kernel,
-					  char *master, int mem);
+					  char *master, char *args);
 
 /**
  * @brief Load a guest created with guest_create().
diff --git a/src/dumm/iface.c b/src/dumm/iface.c
index b78c10bec..78c6c7c92 100644
--- a/src/dumm/iface.c
+++ b/src/dumm/iface.c
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2008 Tobias Brunner
  * Copyright (C) 2007 Martin Willi
  * Hochschule fuer Technik Rapperswil
  * Copyright (C) 2002 Jeff Dike
@@ -25,6 +26,7 @@
 #include <linux/if_tun.h>
 
 #include <debug.h>
+#include <utils/linked_list.h>
 
 #include "iface.h"
 
@@ -39,12 +41,14 @@ struct private_iface_t {
 	char *hostif;
 	/** bridge this interface is attached to */
 	bridge_t *bridge;
+	/** guest this interface is attached to */
+	guest_t *guest;
 	/** mconsole for guest */
 	mconsole_t *mconsole;
 };
 
 /**
- * bring an interface up or down
+ * bring an interface up or down (host side)
  */
 bool iface_control(char *name, bool up)
 {
@@ -95,14 +99,93 @@ static char* get_hostif(private_iface_t *this)
 	return this->hostif;
 }
 
+/**
+ * Implementation of iface_t.add_address
+ */
+static bool add_address(private_iface_t *this, host_t *addr)
+{
+	return (this->guest->exec(this->guest, NULL, NULL, "ip addr add %H dev %s",
+						  addr, this->guestif) == 0);
+}
+
+/**
+ * compile a list of the addresses of an interface
+ */
+static void compile_address_list(linked_list_t *list, char *address)
+{
+	host_t *host = host_create_from_string(address, 0);
+	if (host)
+	{
+		list->insert_last(list, host);
+	}
+}
+
+/**
+ * delete the list of addresses
+ */
+static void destroy_address_list(linked_list_t *list)
+{
+	list->destroy_offset(list, offsetof(host_t, destroy));
+}
+
+/**
+ * Implementation of iface_t.create_address_enumerator
+ */
+static enumerator_t* create_address_enumerator(private_iface_t *this)
+{
+	linked_list_t *addresses = linked_list_create();
+	this->guest->exec_str(this->guest, (void(*)(void*,char*))compile_address_list,
+			TRUE, addresses,
+			"ip addr list dev %s scope global | "
+			"grep '^ \\+\\(inet6\\? \\)' | "
+			"awk -F '( +|/)' '{ print $3 }'", this->guestif);
+	return enumerator_create_cleaner(addresses->create_enumerator(addresses),
+					(void(*)(void*))destroy_address_list, addresses);
+}
+
+/**
+ * Implementation of iface_t.delete_address
+ */
+static bool delete_address(private_iface_t *this, host_t *addr)
+{
+	return (this->guest->exec(this->guest, NULL, NULL,
+					"ip addr del %H dev %s", addr, this->guestif) == 0);
+}
+
 /**
  * Implementation of iface_t.set_bridge.
  */
 static void set_bridge(private_iface_t *this, bridge_t *bridge)
 {
+	if (this->bridge == NULL && bridge)
+	{
+		this->guest->exec(this->guest, NULL, NULL,
+						  "ip link set %s up", this->guestif);
+	}
+	else if (this->bridge && bridge == NULL)
+	{
+		this->guest->exec(this->guest, NULL, NULL,
+						  "ip link set %s down", this->guestif);
+	}
 	this->bridge = bridge;
 }
 
+/**
+ * Implementation of iface_t.get_bridge
+ */
+static bridge_t *get_bridge(private_iface_t *this)
+{
+	return this->bridge;
+}
+
+/**
+ * Implementation of iface_t.get_guest
+ */
+static guest_t* get_guest(private_iface_t *this)
+{
+	return this->guest;
+}
+	
 /**
  * destroy the tap device
  */
@@ -139,14 +222,15 @@ static bool destroy_tap(private_iface_t *this)
 /**
  * create the tap device
  */
-static char* create_tap(private_iface_t *this, char *guest)
+static char* create_tap(private_iface_t *this)
 {
 	struct ifreq ifr;
 	int tap;
 
 	memset(&ifr, 0, sizeof(ifr));
 	ifr.ifr_flags = IFF_TAP | IFF_NO_PI;
-	snprintf(ifr.ifr_name, sizeof(ifr.ifr_name), "%s-%s", guest, this->guestif);
+	snprintf(ifr.ifr_name, sizeof(ifr.ifr_name), "%s-%s",
+			 this->guest->get_name(this->guest), this->guestif);
 
 	tap = open(TAP_DEVICE, O_RDWR);
 	if (tap < 0)
@@ -175,6 +259,8 @@ static void destroy(private_iface_t *this)
 	{
 		this->bridge->disconnect_iface(this->bridge, &this->public);
 	}
+	/* TODO: iface mgmt is not blocking yet, so wait some ticks */
+	usleep(50000);
 	this->mconsole->del_iface(this->mconsole, this->guestif);
 	destroy_tap(this);
 	free(this->guestif);
@@ -185,18 +271,24 @@ static void destroy(private_iface_t *this)
 /**
  * create the iface instance
  */
-iface_t *iface_create(char *guest, char *guestif, mconsole_t *mconsole)
+iface_t *iface_create(char *name, guest_t *guest, mconsole_t *mconsole)
 {
 	private_iface_t *this = malloc_thing(private_iface_t);
 	
 	this->public.get_hostif = (char*(*)(iface_t*))get_hostif;
 	this->public.get_guestif = (char*(*)(iface_t*))get_guestif;
+	this->public.add_address = (bool(*)(iface_t*, host_t *addr))add_address;
+	this->public.create_address_enumerator = (enumerator_t*(*)(iface_t*))create_address_enumerator;
+	this->public.delete_address = (bool(*)(iface_t*, host_t *addr))delete_address;
 	this->public.set_bridge = (void(*)(iface_t*, bridge_t*))set_bridge;
+	this->public.get_bridge = (bridge_t*(*)(iface_t*))get_bridge;
+	this->public.get_guest = (guest_t*(*)(iface_t*))get_guest;
 	this->public.destroy = (void*)destroy;
 
 	this->mconsole = mconsole;
-	this->guestif = strdup(guestif);
-	this->hostif = create_tap(this, guest);
+	this->guestif = strdup(name);
+	this->guest = guest;
+	this->hostif = create_tap(this);
 	this->bridge = NULL;
 	if (this->hostif == NULL)
 	{
@@ -205,10 +297,6 @@ iface_t *iface_create(char *guest, char *guestif, mconsole_t *mconsole)
 		free(this);
 		return NULL;
 	}
-	if (!iface_control(this->hostif, TRUE))
-	{
-		DBG1("bringing iface '%s' up failed: %m", this->hostif);
-	}
 	if (!this->mconsole->add_iface(this->mconsole, this->guestif, this->hostif))
 	{
 		DBG1("creating interface '%s' in guest failed", this->guestif);
@@ -218,6 +306,10 @@ iface_t *iface_create(char *guest, char *guestif, mconsole_t *mconsole)
 		free(this);
 		return NULL;
 	}
+	if (!iface_control(this->hostif, TRUE))
+	{
+		DBG1("bringing iface '%s' up failed: %m", this->hostif);
+	}
 	return &this->public;
 }
 
diff --git a/src/dumm/iface.h b/src/dumm/iface.h
index e04fe4ed1..54a0554c0 100644
--- a/src/dumm/iface.h
+++ b/src/dumm/iface.h
@@ -18,6 +18,7 @@
 
 #include <library.h>
 #include <utils/enumerator.h>
+#include <utils/host.h>
 
 #define TAP_DEVICE "/dev/net/tun"
 
@@ -25,6 +26,7 @@ typedef struct iface_t iface_t;
 
 #include "mconsole.h"
 #include "bridge.h"
+#include "guest.h"
 
 /**
  * @brief Interface in a guest, connected to a tap device on the host.
@@ -45,6 +47,29 @@ struct iface_t {
 	 */
 	char* (*get_hostif)(iface_t *this);
 	
+	/**
+	 * Add an address to the interface.
+	 *
+	 * @param addr		address to add to interface
+	 * @return			TRUE if address added
+	 */
+	bool (*add_address)(iface_t *this, host_t *addr);
+	
+	/**
+	 * Create an enumerator over all installed addresses.
+	 *
+	 * @return			enumerator over host_t*
+	 */
+	enumerator_t* (*create_address_enumerator)(iface_t *this);
+	
+	/**
+	 * Remove an address from an interface.
+	 *
+	 * @param addr		address to remove
+	 * @return			TRUE if address removed
+	 */
+	bool (*delete_address)(iface_t *this, host_t *addr);	
+	
 	/**
 	 * @brief Set the bridge this interface is attached to.
 	 *
@@ -52,10 +77,19 @@ struct iface_t {
 	 */
 	void (*set_bridge)(iface_t *this, bridge_t *bridge);
 	
-	/*
-	bool (*add_addr) (iface_t *this, host_t *addr);
-	enumerator_t* (*create_addr_enumerator) (iface_t *this);
-	*/
+	/**
+	 * @brief Get the bridge this iface is connected, or NULL.
+	 *
+	 * @return			connected bridge, or NULL
+	 */
+	bridge_t* (*get_bridge)(iface_t *this);
+	
+	/**
+	 * @brief Get the guest this iface belongs to.
+	 *
+	 * @return			guest of this iface
+	 */
+	guest_t* (*get_guest)(iface_t *this);
 	
 	/**
 	 * @brief Destroy an interface
@@ -66,12 +100,12 @@ struct iface_t {
 /**
  * @brief Create a new interface for a guest
  *
- * @param guest		name of the guest for this interface
- * @param guestif	name of the interface in the guest
+ * @param name		name of the interface in the guest
+ * @param guest		guest this iface is connecting
  * @param mconsole	mconsole of guest
  * @return			interface descriptor, or NULL if failed
  */
-iface_t *iface_create(char *guest, char *guestif, mconsole_t *mconsole);
+iface_t *iface_create(char *name, guest_t *guest, mconsole_t *mconsole);
 
 #endif /* IFACE_H */
 
diff --git a/src/dumm/irdumm.c b/src/dumm/irdumm.c
new file mode 100644
index 000000000..bca8ce1db
--- /dev/null
+++ b/src/dumm/irdumm.c
@@ -0,0 +1,60 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#undef PACKAGE_NAME
+#undef PACKAGE_TARNAME
+#undef PACKAGE_VERSION
+#undef PACKAGE_STRING
+#include <ruby.h>
+
+/**
+ * main routine, parses args and reads from console
+ */
+int main(int argc, char *argv[])
+{
+	int state, i;
+	char buf[512];
+	
+	ruby_init();
+	ruby_init_loadpath();
+	
+	rb_eval_string_protect("require 'dumm' and include Dumm", &state);
+	if (state)
+	{
+		rb_p(ruby_errinfo);
+		printf("Please install the ruby extension first!\n");
+	}
+	for (i = 1; i < argc; i++)
+	{
+		snprintf(buf, sizeof(buf), "load \"%s\"", argv[i]);
+		printf("%s\n", buf);
+		rb_eval_string_protect(buf, &state);
+		if (state)
+		{
+			rb_p(ruby_errinfo);
+		}
+	}
+	rb_require("irb");
+	rb_require("irb/completion");
+	rb_eval_string_protect("IRB.start", &state);
+	if (state)
+	{
+		rb_p(ruby_errinfo);
+	}
+	
+	ruby_finalize();
+	return 0;
+}
+
diff --git a/src/dumm/main.c b/src/dumm/main.c
index d4f2c5176..e2f2fc255 100644
--- a/src/dumm/main.c
+++ b/src/dumm/main.c
@@ -100,7 +100,6 @@ static page_t* get_page(int num)
 static pid_t invoke(void *vte, guest_t *guest,
 					char *args[], int argc)
 {
-	args[argc] = "con0=fd:0,fd:1";
 	return vte_terminal_fork_command(VTE_TERMINAL(vte), args[0], args, NULL,
 									 NULL, FALSE, FALSE, FALSE);
 }
@@ -374,7 +373,7 @@ static page_t* create_page(guest_t *guest)
 static void create_guest()
 {
 	guest_t *guest;
-	GtkWidget *dialog, *table, *label, *name, *kernel, *master, *memory;
+	GtkWidget *dialog, *table, *label, *name, *kernel, *master, *args;
 	
 	dialog = gtk_dialog_new_with_buttons("Create new guest", GTK_WINDOW(window),
 							GTK_DIALOG_MODAL | GTK_DIALOG_DESTROY_WITH_PARENT,
@@ -396,7 +395,7 @@ static void create_guest()
 	gtk_table_attach(GTK_TABLE(table), label, 0, 1, 2, 3, 0, 0, 0, 0);
 	gtk_widget_show(label);
 	
-	label = gtk_label_new("Memory (MB)");
+	label = gtk_label_new("Kernel arguments");
 	gtk_table_attach(GTK_TABLE(table), label, 0, 1, 3, 4, 0, 0, 0, 0);
 	gtk_widget_show(label);
 	
@@ -417,11 +416,10 @@ static void create_guest()
 					 GTK_FILL | GTK_EXPAND | GTK_SHRINK, 0, 0, 0);
 	gtk_widget_show(master);
 	
-	memory = gtk_spin_button_new_with_range(1, 4096, 1);
-	gtk_spin_button_set_digits(GTK_SPIN_BUTTON(memory), 0);
-	gtk_table_attach(GTK_TABLE(table), memory, 1, 2, 3, 4,
+	args = gtk_entry_new();
+	gtk_table_attach(GTK_TABLE(table), args, 1, 2, 3, 4,
 					 GTK_FILL | GTK_EXPAND | GTK_SHRINK, 0, 0, 0);
-	gtk_widget_show(memory);
+	gtk_widget_show(args);
 	
 	gtk_widget_show(table);
 	
@@ -431,19 +429,19 @@ static void create_guest()
 		{
 			case GTK_RESPONSE_ACCEPT:
 			{
-				char *sname, *skernel, *smaster;
+				char *sname, *skernel, *smaster, *sargs;
 				page_t *page;
 				
 				sname = (char*)gtk_entry_get_text(GTK_ENTRY(name));
 				skernel = gtk_file_chooser_get_filename(GTK_FILE_CHOOSER(kernel));
 				smaster = gtk_file_chooser_get_filename(GTK_FILE_CHOOSER(master));
+				sargs = (char*)gtk_entry_get_text(GTK_ENTRY(args));
 			
 				if (!sname[0] || !skernel || !smaster)
 				{
 					continue;
 				}
-				guest = dumm->create_guest(dumm, sname, skernel, smaster, 
-					   		gtk_spin_button_get_value(GTK_SPIN_BUTTON(memory)));
+				guest = dumm->create_guest(dumm, sname, skernel, smaster, sargs);
 				if (!guest)
 				{
 					error_dialog("creating guest failed!");
diff --git a/src/dumm/mconsole.c b/src/dumm/mconsole.c
index d9864f676..c6e0c2f08 100644
--- a/src/dumm/mconsole.c
+++ b/src/dumm/mconsole.c
@@ -88,21 +88,21 @@ struct mconsole_notify {
 /**
  * send a request to UML using mconsole
  */
-static int request(private_mconsole_t *this, char *command,
-				   char buf[], size_t *size)
+static int request(private_mconsole_t *this, void(*cb)(void*,char*,size_t),
+				   void *data, char *command, ...)
 {
 	mconsole_request request;
 	mconsole_reply reply;
-	int len, total = 0, flags = 0;
+	int len, flags = 0;
+	va_list args;
 	
 	memset(&request, 0, sizeof(request));
 	request.magic = MCONSOLE_MAGIC;
 	request.version = MCONSOLE_VERSION;
-	request.len = min(strlen(command), sizeof(reply.data) - 1);
-	strncpy(request.data, command, request.len);
-	*buf = '\0';
-	(*size)--;
-
+	va_start(args, command);
+	request.len = vsnprintf(request.data, sizeof(request.data), command, args);
+	va_end(args);
+	
 	if (this->idle)
 	{
 		flags = MSG_DONTWAIT;
@@ -120,7 +120,7 @@ static int request(private_mconsole_t *this, char *command,
 	
 	if (len < 0)
 	{
-		snprintf(buf, *size, "sending mconsole command to UML failed: %m");
+		DBG1("sending mconsole command to UML failed: %m");
 		return -1;
 	}
 	do 
@@ -136,96 +136,87 @@ static int request(private_mconsole_t *this, char *command,
 		}
 		if (len < 0)
 		{
-			snprintf(buf, *size, "receiving from mconsole failed: %m");
+			DBG1("receiving from mconsole failed: %m");
 			return -1;
 		}
 		if (len > 0)
 		{
-			strncat(buf, reply.data, min(reply.len, *size - total));
-			total += reply.len;
+			if (cb)
+			{
+				cb(data, reply.data, reply.len);
+			}
+			else if (reply.err)
+			{
+				DBG1("received mconsole error %d: %*.s",
+					 reply.err, reply.len, reply.data);
+				break;
+			}
 		}
 	}
 	while (reply.more);
 	
-	*size = total;
 	return reply.err;
 }
 
+/**
+ * ignore error message
+ */
+static void ignore(void *data, char *buf, size_t len)
+{
+}
+
 /**
  * Implementation of mconsole_t.add_iface.
  */
 static bool add_iface(private_mconsole_t *this, char *guest, char *host)
 {
-	char buf[128];
-	int len;
+	int tries = 0;
 	
-	len = snprintf(buf, sizeof(buf), "config %s=tuntap,%s", guest, host);
-	if (len < 0 || len >= sizeof(buf))
-	{
-		return FALSE;
-	}
-	len = sizeof(buf);
-	if (request(this, buf, buf, &len) != 0)
+	while (tries++ < 5)
 	{
-		DBG1("adding interface failed: %.*s", len, buf);
-		return FALSE;
+		if (request(this, ignore, NULL, "config %s=tuntap,%s", guest, host) == 0)
+		{
+			return TRUE;
+		}
+		usleep(10000 * tries * tries);
 	}
-	return TRUE;
+	return FALSE;
 }
 
 /**
  * Implementation of mconsole_t.del_iface.
  */
 static bool del_iface(private_mconsole_t *this, char *guest)
-{
-	char buf[128];
-	int len;
-	
-	len = snprintf(buf, sizeof(buf), "remove %s", guest);
-	if (len < 0 || len >= sizeof(buf))
-	{
-		return FALSE;
-	}
-	if (request(this, buf, buf, &len) != 0)
+{	
+	if (request(this, NULL, NULL, "remove %s", guest) != 0)
 	{
-		DBG1("removing interface failed: %.*s", len, buf);
 		return FALSE;
 	}
 	return TRUE;
 }
 
+/**
+ * Implementation of mconsole_t.exec
+ */
+static int exec(private_mconsole_t *this, void(*cb)(void*,char*,size_t),
+				void *data, char *cmd)
+{
+	return request(this, cb, data, "exec %s", cmd);
+}
+
 /**
  * Poll until guest is ready
  */
 static bool wait_bootup(private_mconsole_t *this)
 {
-	char buf[128];
-	int len, res;
-	
-	while (TRUE)
+	/* wait for init process to appear */
+	while (request(this, ignore, NULL, "exec ps -p 1 > /dev/null"))
 	{
-		len = sizeof(buf);
-		res = request(this, "config eth9=mcast", buf, &len);
-		if (res < 0)
-		{
-			return FALSE;
-		}
-		if (res == 0)
-		{
-			while (request(this, "remove eth9", buf, &len) != 0)
-			{
-				usleep(50000);
-			}
-			return TRUE;
-		}
 		if (this->idle)
 		{
 			this->idle();
 		}
-		else
-		{
-			usleep(50000);
-		}
+		usleep(100000);
 	}
 }
 
@@ -240,7 +231,7 @@ static void destroy(private_mconsole_t *this)
 }
 
 /**
- * setup the mconsole notify connection and wait for its readyness
+ * setup the mconsole notify connection and wait for its readiness
  */
 static bool wait_for_notify(private_mconsole_t *this, char *nsock)
 {
@@ -335,6 +326,7 @@ mconsole_t *mconsole_create(char *notify, void(*idle)(void))
 	
 	this->public.add_iface = (bool(*)(mconsole_t*, char *guest, char *host))add_iface;
 	this->public.del_iface = (bool(*)(mconsole_t*, char *guest))del_iface;
+	this->public.exec = (int(*)(mconsole_t*,  void(*cb)(void*,char*,size_t), void *data, char *cmd))exec;
 	this->public.destroy = (void*)destroy;
 	
 	this->idle = idle;
diff --git a/src/dumm/mconsole.h b/src/dumm/mconsole.h
index 55ce15dda..329c40c06 100644
--- a/src/dumm/mconsole.h
+++ b/src/dumm/mconsole.h
@@ -42,6 +42,17 @@ struct mconsole_t {
 	 */
 	bool (*del_iface)(mconsole_t *this, char *guest);
 	
+	/**
+	 * Execute a command in the UML host.
+	 *
+	 * @param cb			callback function to invoke for each line
+	 * @param data			data to pass to callback
+	 * @param cmd			command to invoke
+	 * @return				return value of command
+	 */
+	int (*exec)(mconsole_t *this, void(*cb)(void*,char*,size_t), void *data,
+				char *cmd);
+	
 	/**
 	 * @brief Destroy the mconsole instance
 	 */
diff --git a/src/dumm/testing.c b/src/dumm/testing.c
deleted file mode 100644
index c0d23296b..000000000
--- a/src/dumm/testing.c
+++ /dev/null
@@ -1,171 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <stdio.h>
-#include <signal.h>
-#include <unistd.h>
-#include <fcntl.h>
-
-#include <library.h>
-#include <dumm.h>
-
-/**
- * number of running guests
- */
-static int running = 0;
-
-/**
- * Guest invocation callback
- */
-static pid_t invoke(void *vte, guest_t *guest,
-					char *args[], int argc)
-{
-	pid_t pid;
-	
-	args[argc] = "con0=xterm";
-	
-	pid = fork();
-	switch (pid)
-	{
-		case 0: /* child */
-			dup2(open("/dev/null", 0), 1);
-			dup2(open("/dev/null", 0), 2);
-			execvp(args[0], args);
-			exit(-1);
-		case -1:
-			fprintf(stderr, "starting guest '%s' failed\n", guest->get_name(guest));
-			return 0;
-		default:
-			printf("started guest '%s', pid: %d\n", guest->get_name(guest), pid);
-			running++;
-			return pid;
-	}
-}
-
-/**
- * main routine, parses args and reads from console
- */
-int main(int argc, char *argv[])
-{
-	dumm_t *dumm;
-	enumerator_t *enumerator;
-	guest_t *guest;
-	bridge_t *switch0, *switch1, *switch2;
-	iface_t *iface;
-	sigset_t set;
-	siginfo_t info;
-	
-	library_init(NULL);
-	
-	dumm = dumm_create(NULL);
-	
-	switch0 = dumm->create_bridge(dumm, "switch0");
-	switch1 = dumm->create_bridge(dumm, "switch1");
-	switch2 = dumm->create_bridge(dumm, "switch2");
-	
-	if (switch0 && switch1 && switch2)
-	{
-		enumerator = dumm->create_guest_enumerator(dumm);
-		while (enumerator->enumerate(enumerator, &guest))
-		{
-			if (!guest->start(guest, invoke, NULL, NULL))
-			{
-				continue;
-			}
-			if (streq(guest->get_name(guest), "alice"))
-			{
-				iface = guest->create_iface(guest, "eth0");
-				if (iface)
-				{
-					switch1->connect_iface(switch1, iface);
-				}
-				iface = guest->create_iface(guest, "eth1");
-				if (iface)
-				{
-					switch0->connect_iface(switch0, iface);
-				}
-			}
-			else if (streq(guest->get_name(guest), "moon") ||
-					 streq(guest->get_name(guest), "sun"))
-			{
-				iface = guest->create_iface(guest, "eth0");
-				if (iface)
-				{
-					switch0->connect_iface(switch0, iface);
-				}
-				iface = guest->create_iface(guest, "eth1");
-				if (iface)
-				{
-					switch1->connect_iface(switch1, iface);
-				}
-			}
-			else if (streq(guest->get_name(guest), "bob"))
-			{
-				iface = guest->create_iface(guest, "eth0");
-				if (iface)
-				{
-					switch2->connect_iface(switch2, iface);
-				}
-			}
-			else if (streq(guest->get_name(guest), "venus"))
-			{
-				iface = guest->create_iface(guest, "eth0");
-				if (iface)
-				{
-					switch1->connect_iface(switch1, iface);
-				}
-			}
-			else if (streq(guest->get_name(guest), "carol") ||
-					 streq(guest->get_name(guest), "winnetou") ||
-					 streq(guest->get_name(guest), "dave"))
-			{
-				iface = guest->create_iface(guest, "eth0");
-				if (iface)
-				{
-					switch0->connect_iface(switch0, iface);
-				}
-			}
-		}
-		enumerator->destroy(enumerator);
-	
-		sigemptyset(&set);
-		sigaddset(&set, SIGINT); 
-		sigaddset(&set, SIGHUP); 
-		sigaddset(&set, SIGTERM);
-		sigaddset(&set, SIGCHLD);
-		sigprocmask(SIG_SETMASK, &set, NULL);
-		while (running)
-		{
-			if (sigwaitinfo(&set, &info) == SIGCHLD)
-			{
-				enumerator = dumm->create_guest_enumerator(dumm);
-				while (enumerator->enumerate(enumerator, &guest))
-				{
-					if (guest->get_pid(guest) == info.si_pid)
-					{
-						running--;
-						guest->sigchild(guest);
-						break;
-					}
-				}
-				enumerator->destroy(enumerator);
-			}
-		}
-	}
-	dumm->destroy(dumm);
-	
-	library_deinit();
-	return 0;
-}
diff --git a/src/include/Makefile.in b/src/include/Makefile.in
index 126713f12..84f114999 100644
--- a/src/include/Makefile.in
+++ b/src/include/Makefile.in
@@ -157,6 +157,8 @@ localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
diff --git a/src/include/linux/xfrm.h b/src/include/linux/xfrm.h
index e31b8c84f..759885cb6 100644
--- a/src/include/linux/xfrm.h
+++ b/src/include/linux/xfrm.h
@@ -97,10 +97,10 @@ struct xfrm_algo {
 };
 
 struct xfrm_algo_aead {
-	char	alg_name[64];
-	int	alg_key_len;	/* in bits */
-	int	alg_icv_len;	/* in bits */
-	char	alg_key[0];
+	char		alg_name[64];
+	unsigned int	alg_key_len;	/* in bits */
+	unsigned int	alg_icv_len;	/* in bits */
+	char		alg_key[0];
 };
 
 struct xfrm_stats {
@@ -113,7 +113,8 @@ enum
 {
 	XFRM_POLICY_TYPE_MAIN	= 0,
 	XFRM_POLICY_TYPE_SUB	= 1,
-	XFRM_POLICY_TYPE_MAX	= 2
+	XFRM_POLICY_TYPE_MAX	= 2,
+	XFRM_POLICY_TYPE_ANY	= 255
 };
 
 enum
@@ -198,6 +199,9 @@ enum {
 #define XFRM_MSG_NEWSPDINFO XFRM_MSG_NEWSPDINFO
 	XFRM_MSG_GETSPDINFO,
 #define XFRM_MSG_GETSPDINFO XFRM_MSG_GETSPDINFO
+
+	XFRM_MSG_MAPPING,
+#define XFRM_MSG_MAPPING XFRM_MSG_MAPPING
 	__XFRM_MSG_MAX
 };
 #define XFRM_MSG_MAX (__XFRM_MSG_MAX - 1)
@@ -338,6 +342,7 @@ struct xfrm_usersa_info {
 #define XFRM_STATE_NOPMTUDISC	4
 #define XFRM_STATE_WILDRECV	8
 #define XFRM_STATE_ICMP		16
+#define XFRM_STATE_AF_UNSPEC	32
 };
 
 struct xfrm_usersa_id {
@@ -426,6 +431,15 @@ struct xfrm_user_migrate {
 	__u16				new_family;
 };
 
+struct xfrm_user_mapping {
+	struct xfrm_usersa_id		id;
+	__u32				reqid;
+	xfrm_address_t			old_saddr;
+	xfrm_address_t			new_saddr;
+	__be16				old_sport;
+	__be16				new_sport;
+};
+
 #ifndef __KERNEL__
 /* backwards compatibility for userspace */
 #define XFRMGRP_ACQUIRE		1
@@ -452,6 +466,8 @@ enum xfrm_nlgroups {
 #define XFRMNLGRP_REPORT	XFRMNLGRP_REPORT
 	XFRMNLGRP_MIGRATE,
 #define XFRMNLGRP_MIGRATE	XFRMNLGRP_MIGRATE
+	XFRMNLGRP_MAPPING,
+#define XFRMNLGRP_MAPPING	XFRMNLGRP_MAPPING
 	__XFRMNLGRP_MAX
 };
 #define XFRMNLGRP_MAX	(__XFRMNLGRP_MAX - 1)
diff --git a/src/ipsec/Makefile.in b/src/ipsec/Makefile.in
index d50ae90f4..50175845c 100644
--- a/src/ipsec/Makefile.in
+++ b/src/ipsec/Makefile.in
@@ -165,6 +165,8 @@ localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
diff --git a/src/ipsec/ipsec.in b/src/ipsec/ipsec.in
index 707612e92..1b1332723 100755
--- a/src/ipsec/ipsec.in
+++ b/src/ipsec/ipsec.in
@@ -14,7 +14,7 @@
 # or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 # for more details.
 #
-# RCSID $Id: ipsec.in 3390 2007-12-12 22:27:40Z andreas $
+# RCSID $Id: ipsec.in 4401 2008-10-10 06:59:03Z martin $
 
 # define a minimum PATH environment in case it is not set
 PATH="/sbin:/bin:/usr/sbin:/usr/bin:@IPSEC_SBINDIR@"
@@ -116,22 +116,37 @@ down)
 	fi
 	exit "$rc"
 	;;
-listalgs|listpubkeys|\listcards|\rereadgroups)
+down-srcip)
+	shift
+	if [ "$#" -lt 1 ]
+	then
+	    echo "Usage: ipsec down-srcip <start> [<end>]"
+	    exit 2
+	fi
+	rc=7
+	if [ -e $IPSEC_CHARON_PID ]
+	then
+		$IPSEC_STROKE down-srcip $*
+		rc="$?"
+	fi
+	exit "$rc"
+	;;
+listcards|rereadgroups)
 	op="$1"
 	shift
 	if [ -e $IPSEC_PLUTO_PID ]
 	then
 		$IPSEC_WHACK "$@" "--$op"
-		exit "$?"
-	else
-		if [ -e $IPSEC_CHARON_PID ]
-		then
-			exit 3
-		else
-			exit 7
-		fi
+		rc="$?"
 	fi
+	if [ -e $IPSEC_CHARON_PID ] 
+	then 
+		exit 3 
+	else 
+		exit 7 
+	fi 
 	;;
+listalgs|\listpubkeys|\
 listcerts|listcacerts|listaacerts|\
 listacerts|listgroups|listocspcerts|\
 listcainfos|listcrls|listocsp|listall|\
@@ -168,7 +183,7 @@ reload)
 	if [ -e $IPSEC_STARTER_PID ]
 	then
 		echo "Reloading strongSwan IPsec configuration..." >&2
-		kill -s USR1 `cat $IPSEC_STARTER_PID` 2>/dev/null && rc=0
+		kill -USR1 `cat $IPSEC_STARTER_PID` 2>/dev/null && rc=0
 	else
 		echo "Reloading strongSwan IPsec failed: starter is not running" >&2
 	fi
@@ -228,6 +243,9 @@ secrets)
 	;;
 start)
 	shift
+	if [ -d /var/lock/subsys ]; then
+		touch /var/lock/subsys/ipsec
+	fi
 	exec $IPSEC_STARTER "$@"
 	;;
 status|statusall)
@@ -278,19 +296,22 @@ stop)
 			kill $spid 2>/dev/null
 			loop=5
 			while [ $loop -gt 0 ] ; do
-				kill -s 0 $spid 2>/dev/null || break
+				kill -0 $spid 2>/dev/null || break
 				sleep 1
 				loop=$(($loop - 1))
 			done
 			if [ $loop -eq 0 ]
 			then
-				kill -s KILL $spid 2>/dev/null
+				kill -KILL $spid 2>/dev/null
 				rm -f $IPSEC_STARTER_PID
 			fi
 		fi
 	else
 	    	echo "Stopping strongSwan IPsec failed: starter is not running" >&2
 	fi
+	if [ -d /var/lock/subsys ]; then
+		rm -f /var/lock/subsys/ipsec
+	fi
 	exit 0
 	;;
 up)
@@ -317,7 +338,7 @@ update)
 	if [ -e $IPSEC_STARTER_PID ]
 	then
 		echo "Updating strongSwan IPsec configuration..." >&2
-		kill -s HUP `cat $IPSEC_STARTER_PID`
+		kill -HUP `cat $IPSEC_STARTER_PID`
 		exit 0
 	else
 		echo "Updating strongSwan IPsec failed: starter is not running" >&2
@@ -325,9 +346,9 @@ update)
 	fi
 	;;
 version|--version)
-	echo "Linux $IPSEC_NAME $IPSEC_VERSION"
-	echo -e $IPSEC_DISTRO
-	echo "See \`ipsec --copyright' for copyright information."
+	printf "Linux $IPSEC_NAME $IPSEC_VERSION\n"
+	printf "$IPSEC_DISTRO\n"
+	printf "See 'ipsec --copyright' for copyright information.\n"
 	exit 0
 	;;
 --*)
diff --git a/src/libcrypto/Makefile.in b/src/libcrypto/Makefile.in
index 274f7986f..1c7f7a719 100644
--- a/src/libcrypto/Makefile.in
+++ b/src/libcrypto/Makefile.in
@@ -184,6 +184,8 @@ localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
diff --git a/src/libfast/Makefile.in b/src/libfast/Makefile.in
index 5a1ab491e..8d3c2fba2 100644
--- a/src/libfast/Makefile.in
+++ b/src/libfast/Makefile.in
@@ -185,6 +185,8 @@ localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
diff --git a/src/libfreeswan/Makefile.in b/src/libfreeswan/Makefile.in
index bf605d1ff..e58bcc66d 100644
--- a/src/libfreeswan/Makefile.in
+++ b/src/libfreeswan/Makefile.in
@@ -197,6 +197,8 @@ localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
diff --git a/src/libfreeswan/copyright.c b/src/libfreeswan/copyright.c
index 2e0f8543e..3c382160a 100644
--- a/src/libfreeswan/copyright.c
+++ b/src/libfreeswan/copyright.c
@@ -12,28 +12,29 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
  * License for more details.
  *
- * RCSID $Id: copyright.c 3265 2007-10-08 19:52:55Z andreas $
+ * RCSID $Id: copyright.c 4181 2008-07-16 12:28:29Z andreas $
  */
 #include "internal.h"
 #include "freeswan.h"
 
 static const char *co[] = {
- "Copyright (C) 1999-2007  Henry Spencer, Richard Guy Briggs,",
+ "Copyright (C) 1999-2008  Henry Spencer, Richard Guy Briggs,",
  "    D. Hugh Redelmeier, Sandy Harris, Claudia Schmeing,",
  "    Michael Richardson, Angelos D. Keromytis, John Ioannidis,",
  "",
  "    Ken Bantoft, Stephen J. Bevan, JuanJo Ciarlante, Mathieu Lafon,",
  "    Stephane Laroche, Kai Martius, Stephan Scholz, Tuomo Soini, Herbert Xu,",
  "",
- "    Andreas Steffen, Martin Berner, Marco Bertossa, David Buechi,",
- "    Ueli Galizzi, Christoph Gysin, Andreas Hess, Patric Lichtsteiner,",
- "    Michael Meier, Andreas Schleiss, Ariane Seiler,",
- "    Mario Strasser, Lukas Suter, Roger Wegmann, Simon Zwahlen,",
+ "    Martin Berner, Marco Bertossa, David Buechi, Ueli Galizzi,",
+ "    Christoph Gysin, Andreas Hess, Patric Lichtsteiner, Michael Meier,",
+ "    Andreas Schleiss, Ariane Seiler, Mario Strasser, Lukas Suter,",
+ "    Roger Wegmann, Simon Zwahlen,",
  "    Zuercher Hochschule Winterthur (Switzerland).",
  "",
- "    Tobias Brunner, Andreas Eigenmann, Fabian Hartmann, Noah Heusser,",
- "    Jan Hutter, Daniel Roethlisberger, Joel Stillhart, Martin Willi,",
- "    Daniel Wydler, Andreas Steffen,",
+ "    Philip Boetschi, Tobias Brunner, Adrian Doerig, Andreas Eigenmann,",
+ "    Fabian Hartmann, Noah Heusser, Jan Hutter, Thomas Kallenberg,",
+ "    Daniel Roethlisberger, Joel Stillhart, Martin Willi, Daniel Wydler,",
+ "    Andreas Steffen,",
  "    Hochschule fuer Technik Rapperswil (Switzerland).",
  "",
  "This program is free software; you can redistribute it and/or modify it",
diff --git a/src/libstrongswan/Makefile.am b/src/libstrongswan/Makefile.am
index 869f9677b..08409d503 100644
--- a/src/libstrongswan/Makefile.am
+++ b/src/libstrongswan/Makefile.am
@@ -156,15 +156,10 @@ if USE_OPENSSL
   SUBDIRS += plugins/openssl
 endif
 
-if USE_INTEGRITY_TEST
-  noinst_PROGRAMS = fips_signer
-  fips_signer_SOURCES = fips/fips_signer.c
-  fips_signer_LDADD = libstrongswan.la
-
-  BUILT_SOURCES += fips_signature.h
-  CLEANFILES = fips_signature.h fips_signer
-  AM_CFLAGS += -DSTRONGSWAN_CONF=\"${strongswan_conf}\"
+if USE_AGENT
+  SUBDIRS += plugins/agent
+endif
 
-fips_signature.h : fips_signer
-		   ./fips_signer
+if USE_INTEGRITY_TEST
+  SUBDIRS += fips
 endif
diff --git a/src/libstrongswan/Makefile.in b/src/libstrongswan/Makefile.in
index fc6e40229..e73411aa6 100644
--- a/src/libstrongswan/Makefile.in
+++ b/src/libstrongswan/Makefile.in
@@ -14,7 +14,6 @@
 
 @SET_MAKE@
 
-
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -53,9 +52,8 @@ host_triplet = @host@
 @USE_SQLITE_TRUE@am__append_18 = plugins/sqlite
 @USE_PADLOCK_TRUE@am__append_19 = plugins/padlock
 @USE_OPENSSL_TRUE@am__append_20 = plugins/openssl
-@USE_INTEGRITY_TEST_TRUE@noinst_PROGRAMS = fips_signer$(EXEEXT)
-@USE_INTEGRITY_TEST_TRUE@am__append_21 = fips_signature.h
-@USE_INTEGRITY_TEST_TRUE@am__append_22 = -DSTRONGSWAN_CONF=\"${strongswan_conf}\"
+@USE_AGENT_TRUE@am__append_21 = plugins/agent
+@USE_INTEGRITY_TEST_TRUE@am__append_22 = fips
 subdir = src/libstrongswan
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
@@ -150,12 +148,6 @@ am__libstrongswan_la_SOURCES_DIST = library.c library.h chunk.c \
 @USE_INTEGRITY_TEST_TRUE@	plugin_loader.lo $(am__objects_1) \
 @USE_INTEGRITY_TEST_TRUE@	fips_canister_end.lo
 libstrongswan_la_OBJECTS = $(am_libstrongswan_la_OBJECTS)
-PROGRAMS = $(noinst_PROGRAMS)
-am__fips_signer_SOURCES_DIST = fips/fips_signer.c
-@USE_INTEGRITY_TEST_TRUE@am_fips_signer_OBJECTS =  \
-@USE_INTEGRITY_TEST_TRUE@	fips_signer.$(OBJEXT)
-fips_signer_OBJECTS = $(am_fips_signer_OBJECTS)
-@USE_INTEGRITY_TEST_TRUE@fips_signer_DEPENDENCIES = libstrongswan.la
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
@@ -168,9 +160,8 @@ CCLD = $(CC)
 LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
 	$(LDFLAGS) -o $@
-SOURCES = $(libstrongswan_la_SOURCES) $(fips_signer_SOURCES)
-DIST_SOURCES = $(am__libstrongswan_la_SOURCES_DIST) \
-	$(am__fips_signer_SOURCES_DIST)
+SOURCES = $(libstrongswan_la_SOURCES)
+DIST_SOURCES = $(am__libstrongswan_la_SOURCES_DIST)
 RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \
 	html-recursive info-recursive install-data-recursive \
 	install-dvi-recursive install-exec-recursive \
@@ -186,7 +177,7 @@ DIST_SUBDIRS = . plugins/aes plugins/des plugins/md5 plugins/sha1 \
 	plugins/sha2 plugins/fips_prf plugins/gmp plugins/random \
 	plugins/hmac plugins/xcbc plugins/x509 plugins/pubkey \
 	plugins/curl plugins/ldap plugins/mysql plugins/sqlite \
-	plugins/padlock plugins/openssl
+	plugins/padlock plugins/openssl plugins/agent fips
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 AMTAR = @AMTAR@
@@ -303,6 +294,8 @@ localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
@@ -451,10 +444,9 @@ lib_LTLIBRARIES = libstrongswan.la
 libstrongswan_la_LIBADD = -lpthread -ldl
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
 AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" \
-	-DIPSEC_PLUGINDIR=\"${plugindir}\" $(am__append_1) \
-	$(am__append_22)
+	-DIPSEC_PLUGINDIR=\"${plugindir}\" $(am__append_1)
 EXTRA_DIST = asn1/oid.txt asn1/oid.pl
-BUILT_SOURCES = asn1/oid.c asn1/oid.h $(am__append_21)
+BUILT_SOURCES = asn1/oid.c asn1/oid.h
 MAINTAINERCLEANFILES = asn1/oid.c asn1/oid.h
 
 # build plugins with their own Makefile
@@ -464,10 +456,8 @@ SUBDIRS = . $(am__append_3) $(am__append_4) $(am__append_5) \
 	$(am__append_9) $(am__append_10) $(am__append_11) \
 	$(am__append_12) $(am__append_13) $(am__append_14) \
 	$(am__append_15) $(am__append_16) $(am__append_17) \
-	$(am__append_18) $(am__append_19) $(am__append_20)
-@USE_INTEGRITY_TEST_TRUE@fips_signer_SOURCES = fips/fips_signer.c
-@USE_INTEGRITY_TEST_TRUE@fips_signer_LDADD = libstrongswan.la
-@USE_INTEGRITY_TEST_TRUE@CLEANFILES = fips_signature.h fips_signer
+	$(am__append_18) $(am__append_19) $(am__append_20) \
+	$(am__append_21) $(am__append_22)
 all: $(BUILT_SOURCES)
 	$(MAKE) $(AM_MAKEFLAGS) all-recursive
 
@@ -532,16 +522,6 @@ clean-libLTLIBRARIES:
 libstrongswan.la: $(libstrongswan_la_OBJECTS) $(libstrongswan_la_DEPENDENCIES) 
 	$(LINK) -rpath $(libdir) $(libstrongswan_la_OBJECTS) $(libstrongswan_la_LIBADD) $(LIBS)
 
-clean-noinstPROGRAMS:
-	@list='$(noinst_PROGRAMS)'; for p in $$list; do \
-	  f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
-	  echo " rm -f $$p $$f"; \
-	  rm -f $$p $$f ; \
-	done
-fips_signer$(EXEEXT): $(fips_signer_OBJECTS) $(fips_signer_DEPENDENCIES) 
-	@rm -f fips_signer$(EXEEXT)
-	$(LINK) $(fips_signer_OBJECTS) $(fips_signer_LDADD) $(LIBS)
-
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
 
@@ -566,7 +546,6 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fips.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fips_canister_end.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fips_canister_start.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fips_signer.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hasher.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/host.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/identification.Plo@am__quote@
@@ -866,20 +845,6 @@ fips_canister_end.lo: fips/fips_canister_end.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o fips_canister_end.lo `test -f 'fips/fips_canister_end.c' || echo '$(srcdir)/'`fips/fips_canister_end.c
 
-fips_signer.o: fips/fips_signer.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT fips_signer.o -MD -MP -MF $(DEPDIR)/fips_signer.Tpo -c -o fips_signer.o `test -f 'fips/fips_signer.c' || echo '$(srcdir)/'`fips/fips_signer.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/fips_signer.Tpo $(DEPDIR)/fips_signer.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='fips/fips_signer.c' object='fips_signer.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o fips_signer.o `test -f 'fips/fips_signer.c' || echo '$(srcdir)/'`fips/fips_signer.c
-
-fips_signer.obj: fips/fips_signer.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT fips_signer.obj -MD -MP -MF $(DEPDIR)/fips_signer.Tpo -c -o fips_signer.obj `if test -f 'fips/fips_signer.c'; then $(CYGPATH_W) 'fips/fips_signer.c'; else $(CYGPATH_W) '$(srcdir)/fips/fips_signer.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/fips_signer.Tpo $(DEPDIR)/fips_signer.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='fips/fips_signer.c' object='fips_signer.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o fips_signer.obj `if test -f 'fips/fips_signer.c'; then $(CYGPATH_W) 'fips/fips_signer.c'; else $(CYGPATH_W) '$(srcdir)/fips/fips_signer.c'; fi`
-
 mostlyclean-libtool:
 	-rm -f *.lo
 
@@ -1062,7 +1027,7 @@ distdir: $(DISTFILES)
 check-am: all-am
 check: $(BUILT_SOURCES)
 	$(MAKE) $(AM_MAKEFLAGS) check-recursive
-all-am: Makefile $(LTLIBRARIES) $(PROGRAMS)
+all-am: Makefile $(LTLIBRARIES)
 installdirs: installdirs-recursive
 installdirs-am:
 	for dir in "$(DESTDIR)$(libdir)"; do \
@@ -1086,7 +1051,6 @@ install-strip:
 mostlyclean-generic:
 
 clean-generic:
-	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
 
 distclean-generic:
 	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
@@ -1099,7 +1063,7 @@ maintainer-clean-generic:
 clean: clean-recursive
 
 clean-am: clean-generic clean-libLTLIBRARIES clean-libtool \
-	clean-noinstPROGRAMS mostlyclean-am
+	mostlyclean-am
 
 distclean: distclean-recursive
 	-rm -rf ./$(DEPDIR)
@@ -1160,8 +1124,8 @@ uninstall-am: uninstall-libLTLIBRARIES
 
 .PHONY: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) CTAGS GTAGS \
 	all all-am check check-am clean clean-generic \
-	clean-libLTLIBRARIES clean-libtool clean-noinstPROGRAMS ctags \
-	ctags-recursive distclean distclean-compile distclean-generic \
+	clean-libLTLIBRARIES clean-libtool ctags ctags-recursive \
+	distclean distclean-compile distclean-generic \
 	distclean-libtool distclean-tags distdir dvi dvi-am html \
 	html-am info info-am install install-am install-data \
 	install-data-am install-dvi install-dvi-am install-exec \
@@ -1180,9 +1144,6 @@ asn1/oid.c :	asn1/oid.txt asn1/oid.pl
 
 asn1/oid.h :	asn1/oid.txt asn1/oid.pl
 		cd asn1 && $(PERL) oid.pl
-
-@USE_INTEGRITY_TEST_TRUE@fips_signature.h : fips_signer
-@USE_INTEGRITY_TEST_TRUE@		   ./fips_signer
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/src/libstrongswan/asn1/oid.h b/src/libstrongswan/asn1/oid.h
index a0fb95f18..72049259a 100644
--- a/src/libstrongswan/asn1/oid.h
+++ b/src/libstrongswan/asn1/oid.h
@@ -1,4 +1,4 @@
-/* Object identifiers (OIDs) used by FreeS/WAN
+/* Object identifiers (OIDs) used by strongSwan
  * Copyright (C) 2003-2008 Andreas Steffen, Hochschule fuer Technik Rapperswil
  * 
  * This file has been automatically generated by the script oid.pl
diff --git a/src/libstrongswan/asn1/oid.pl b/src/libstrongswan/asn1/oid.pl
index 04030d3ee..373101cc0 100644
--- a/src/libstrongswan/asn1/oid.pl
+++ b/src/libstrongswan/asn1/oid.pl
@@ -26,7 +26,7 @@ print "oid.pl generating oid.h and oid.c\n";
 open(OID_H,  ">oid.h")
     or die "could not open 'oid.h': $!";
 
-print OID_H "/* Object identifiers (OIDs) used by FreeS/WAN\n",
+print OID_H "/* Object identifiers (OIDs) used by strongSwan\n",
 	    " * ", $copyright, "\n",
 	    " * \n",
 	    " * ", $automatic, "\n",
diff --git a/src/libstrongswan/chunk.c b/src/libstrongswan/chunk.c
index 7e7a7c69d..565f48fb0 100644
--- a/src/libstrongswan/chunk.c
+++ b/src/libstrongswan/chunk.c
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: chunk.c 3868 2008-04-24 13:26:22Z martin $
+ * $Id: chunk.c 4276 2008-08-22 10:44:51Z martin $
  */
 
 #include <stdio.h>
@@ -298,16 +298,28 @@ static char hex2bin(char hex)
 chunk_t chunk_from_hex(chunk_t hex, char *buf)
 {
 	int i, len;
+	bool odd = FALSE;
 	
-	len = hex.len / 2;
+	len = (hex.len / 2);
+	if (hex.len % 2)
+	{
+		odd = TRUE;
+		len++;
+	}
 	if (!buf)
 	{
 		buf = malloc(len);
 	}
-	for (i = 0; i < len; i++)
+	/* buffer is filled from the right */
+	memset(buf, 0, len);
+	hex.ptr += hex.len;
+	for (i = len - 1; i >= 0; i--)
 	{
-		buf[i] =  hex2bin(*hex.ptr++) << 4;
-		buf[i] |= hex2bin(*hex.ptr++);
+		buf[i] = hex2bin(*(--hex.ptr));
+		if (i > 0 || !odd)
+		{
+			buf[i] |= hex2bin(*(--hex.ptr)) << 4;
+		}
 	}
 	return chunk_create(buf, len);
 }
diff --git a/src/libstrongswan/chunk.h b/src/libstrongswan/chunk.h
index 146b175d6..7e70a2a2d 100644
--- a/src/libstrongswan/chunk.h
+++ b/src/libstrongswan/chunk.h
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: chunk.h 3868 2008-04-24 13:26:22Z martin $
+ * $Id: chunk.h 4276 2008-08-22 10:44:51Z martin $
  */
 
 /**
@@ -100,7 +100,8 @@ chunk_t chunk_to_hex(chunk_t chunk, char *buf, bool uppercase);
 /**
  * Convert a hex encoded in a binary chunk.
  *
- * If buf is supplied, it must hold at least (hex.len / 2).
+ * If buf is supplied, it must hold at least (hex.len / 2) + (hex.len % 2)
+ * bytes. It is filled by the right to give correct values for short inputs.
  *
  * @param hex			hex encoded input data
  * @param buf			buffer to write decoded data, NULL to malloc
@@ -164,7 +165,7 @@ void chunk_clear(chunk_t *chunk);
 /**
  * Clone a chunk on heap
  */
-#define chunk_clone(chunk) chunk_create_clone(malloc(chunk.len), chunk)
+#define chunk_clone(chunk) chunk_create_clone((chunk).len ? malloc(chunk.len) : NULL, chunk)
 
 /**
  * Clone a chunk on stack
diff --git a/src/libstrongswan/credentials/builder.c b/src/libstrongswan/credentials/builder.c
index c13a8a860..4295b3094 100644
--- a/src/libstrongswan/credentials/builder.c
+++ b/src/libstrongswan/credentials/builder.c
@@ -15,8 +15,9 @@
 
 #include "builder.h"
 
-ENUM(builder_part_names, BUILD_BLOB_ASN1_DER, BUILD_END,
+ENUM(builder_part_names, BUILD_FROM_FILE, BUILD_END,
 	"BUILD_FROM_FILE",
+	"BUILD_AGENT_SOCKET",
 	"BUILD_BLOB_ASN1_DER",
 	"BUILD_BLOB_ASN1_PEM",
 	"BUILD_KEY_SIZE",
@@ -36,3 +37,12 @@ ENUM(builder_part_names, BUILD_BLOB_ASN1_DER, BUILD_END,
 	"BUILD_X509_FLAG",
 	"BUILD_END",
 );
+
+/**
+ * See header.
+ */
+void* builder_free(builder_t *this)
+{
+	free(this);
+	return NULL;
+}
diff --git a/src/libstrongswan/credentials/builder.h b/src/libstrongswan/credentials/builder.h
index 22c106b7a..cd75236ba 100644
--- a/src/libstrongswan/credentials/builder.h
+++ b/src/libstrongswan/credentials/builder.h
@@ -40,6 +40,8 @@ typedef builder_t* (*builder_constructor_t)(int subtype);
 enum builder_part_t {
 	/** path to a file containing an ASN1 blob, char* */
 	BUILD_FROM_FILE,
+	/** unix socket of a ssh/pgp agent, char* */
+	BUILD_AGENT_SOCKET,
 	/** DER encoded ASN1 blob, chunk_t */
 	BUILD_BLOB_ASN1_DER,
 	/** PEM encoded ASN1 blob, null terminated char* */
@@ -94,8 +96,8 @@ struct builder_t {
 	/**
 	 * Add a part to the construct.
 	 *
-	 * Any added parts get owned by the builder/construct, so clone/refcount
-	 * them if needed.
+	 * Any added parts are cloned/refcounted by the builder implementation, a 
+	 * caller may need to free the passed ressources themself.
 	 *
 	 * @param part		kind of part
 	 * @param ...		part specific variable argument
@@ -112,4 +114,15 @@ struct builder_t {
 	void* (*build)(builder_t *this);
 };
 
+/**
+ * Helper macro to cancel a build in a builder
+ */
+#define builder_cancel(builder) { (builder)->add = (void*)nop; \
+								  (builder)->build = (void*)builder_free; }
+
+/**
+ * Helper function for a cancelled build.
+ */
+void* builder_free(builder_t *this);
+
 #endif /* BUILDER_H_ @}*/
diff --git a/src/libstrongswan/credentials/credential_factory.c b/src/libstrongswan/credentials/credential_factory.c
index 52ee2060d..203317fa4 100644
--- a/src/libstrongswan/credentials/credential_factory.c
+++ b/src/libstrongswan/credentials/credential_factory.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: credential_factory.c 4059 2008-06-11 14:10:02Z martin $
+ * $Id: credential_factory.c 4317 2008-09-02 11:00:13Z martin $
  */
 
 #include "credential_factory.h"
@@ -62,31 +62,36 @@ struct entry_t {
 };
 
 /**
- * Implementation of credential_factory_t.create_builder.
+ * type/subtype filter function for builder_enumerator
  */
-static builder_t* create_builder(private_credential_factory_t *this,
-								 credential_type_t type, int subtype)
+static bool builder_filter(entry_t *data, entry_t **in, builder_t **out)
 {
-	enumerator_t *enumerator;
-	entry_t *entry;
-	builder_t *builder = NULL;
-	
-	this->mutex->lock(this->mutex);
-	enumerator = this->constructors->create_enumerator(this->constructors);
-	while (enumerator->enumerate(enumerator, &entry))
+	if (data->type == (*in)->type &&
+		data->subtype == (*in)->subtype)
 	{
-		if (entry->type == type && entry->subtype == subtype)
-		{
-			builder = entry->constructor(subtype);
-			if (builder)
-			{
-				break;
-			}
-		}
+		*out = (*in)->constructor(data->subtype);
+		return TRUE;
 	}
-	enumerator->destroy(enumerator);
-	this->mutex->unlock(this->mutex);
-	return builder;
+	return FALSE;
+}
+
+/**
+ * Implementation of credential_factory_t.create_builder_enumerator.
+ */
+static enumerator_t* create_builder_enumerator(
+		private_credential_factory_t *this,	credential_type_t type, int subtype)
+{
+	entry_t *data = malloc_thing(entry_t);
+	
+	data->type = type;
+	data->subtype = subtype;
+	
+	this->mutex->lock(this->mutex);
+	return enumerator_create_cleaner(
+				enumerator_create_filter(
+					this->constructors->create_enumerator(this->constructors),
+					(void*)builder_filter, data, free), 
+				(void*)this->mutex->unlock, this->mutex);
 }
 
 /**
@@ -135,18 +140,19 @@ static void remove_builder(private_credential_factory_t *this,
 static void* create(private_credential_factory_t *this, credential_type_t type,
 					int subtype, ...)
 {
+	enumerator_t *enumerator;
 	builder_t *builder;
 	builder_part_t part;
 	va_list args;
+	void* construct = NULL;
 	
-	builder = create_builder(this, type, subtype);
-	if (builder)
+	enumerator = create_builder_enumerator(this, type, subtype);
+	while (enumerator->enumerate(enumerator, &builder))
 	{
 		va_start(args, subtype);
 		while (TRUE)
 		{
 			part = va_arg(args, builder_part_t);
-		
 			switch (part)
 			{
 				case BUILD_END:
@@ -167,6 +173,7 @@ static void* create(private_credential_factory_t *this, credential_type_t type,
 					continue;
 				case BUILD_BLOB_ASN1_PEM:
 				case BUILD_FROM_FILE:
+				case BUILD_AGENT_SOCKET:
 				case BUILD_SIGNING_KEY:
 				case BUILD_PUBLIC_KEY:
 				case BUILD_SUBJECT:
@@ -179,105 +186,25 @@ static void* create(private_credential_factory_t *this, credential_type_t type,
 				case BUILD_IETF_GROUP_ATTR:
 					builder->add(builder, part, va_arg(args, void*));
 					continue;
-				default:
-					DBG1("builder part %N not supported by factory",
-						 builder_part_names, part);
-					break;
+				/* no default to get a compiler warning */
 			}
 			break;
 		}
 		va_end(args);
-	
-		return builder->build(builder);
-	}
-	else
-	{
-		DBG1("failed to create a builder for credential type %N,"
-				" subtype (%d)", credential_type_names, type, subtype);
-	}
-	
-	/** shredder all data on failure */
-	va_start(args, subtype);
-	while (TRUE)
-	{
-		part = va_arg(args, builder_part_t);
 		
-		switch (part)
+		construct = builder->build(builder);
+		if (construct)
 		{
-			case BUILD_END:
-				break;
-			case BUILD_BLOB_ASN1_DER:
-			{
-				chunk_t chunk = va_arg(args, chunk_t);
-				free(chunk.ptr);
-				continue;
-			}
-			case BUILD_SERIAL:
-			{
-				va_arg(args, chunk_t);
-				continue;
-			}
-			case BUILD_X509_FLAG:
-			{
-				va_arg(args, x509_flag_t);
-				continue;
-			}
-			case BUILD_KEY_SIZE:
-			{
-				va_arg(args, u_int);
-				continue;
-			}
-			case BUILD_NOT_BEFORE_TIME:
-			case BUILD_NOT_AFTER_TIME:
-			{
-				va_arg(args, time_t);
-				continue;
-			}
-			case BUILD_SIGNING_KEY:
-			{
-				private_key_t *private = va_arg(args, private_key_t*);
-				private->destroy(private);
-				continue;
-			}
-			case BUILD_PUBLIC_KEY:
-			{
-				public_key_t *public = va_arg(args, public_key_t*);
-				public->destroy(public);
-				continue;
-			}
-			case BUILD_SUBJECT:
-			case BUILD_SUBJECT_ALTNAME:
-			case BUILD_ISSUER:
-			case BUILD_ISSUER_ALTNAME:
-			{
-				identification_t *id = va_arg(args, identification_t*);
-				id->destroy(id);
-				continue;
-			}
-			case BUILD_SIGNING_CERT:
-			case BUILD_CA_CERT:
-			case BUILD_CERT:
-			{
-				certificate_t *cert = va_arg(args, certificate_t*);
-				cert->destroy(cert);
-				continue;
-			}
-			case BUILD_BLOB_ASN1_PEM:
-			case BUILD_FROM_FILE:
-			case BUILD_IETF_GROUP_ATTR:
-			{
-				va_arg(args, void*);
-				continue;
-			}
-			default:
-				DBG1("builder part %N not supported by factory",
-					 builder_part_names, part);
-				continue;
+			break;
 		}
-		break;
 	}
-	va_end(args);
-	return NULL;
+	enumerator->destroy(enumerator);
+	if (!construct)
+	{
+		DBG1("failed to create a builder for credential type %N,"
+			 " subtype (%d)", credential_type_names, type, subtype);
+	}
+	return construct;
 }
 
 /**
@@ -298,7 +225,7 @@ credential_factory_t *credential_factory_create()
 	private_credential_factory_t *this = malloc_thing(private_credential_factory_t);
 
 	this->public.create = (void*(*)(credential_factory_t*, credential_type_t type, int subtype, ...))create;
-	this->public.create_builder = (builder_t*(*)(credential_factory_t*, credential_type_t type, int subtype))create_builder;
+	this->public.create_builder_enumerator = (enumerator_t*(*)(credential_factory_t*, credential_type_t type, int subtype))create_builder_enumerator;
 	this->public.add_builder = (void(*)(credential_factory_t*,credential_type_t type, int subtype, builder_constructor_t constructor))add_builder;
 	this->public.remove_builder = (void(*)(credential_factory_t*,builder_constructor_t constructor))remove_builder;
 	this->public.destroy = (void(*)(credential_factory_t*))destroy;
diff --git a/src/libstrongswan/credentials/credential_factory.h b/src/libstrongswan/credentials/credential_factory.h
index 873cf8ab2..dc4d62679 100644
--- a/src/libstrongswan/credentials/credential_factory.h
+++ b/src/libstrongswan/credentials/credential_factory.h
@@ -56,6 +56,9 @@ struct credential_factory_t {
 	 *
 	 * The variable argument list takes builder_part_t types followed
 	 * by the type specific value. The list must be terminated using BUILD_END.
+	 * All passed parts get cloned/refcounted by the builder implementations,
+	 * so free up allocated ressources after successful and unsuccessful
+	 * invocations.
 	 *
 	 * @param type			credential type to build
 	 * @param subtype		subtype specific for type of the credential
@@ -66,14 +69,18 @@ struct credential_factory_t {
 					int subtype, ...);
 	
 	/**
-	 * Create a builder instance to build credentials.
+	 * Create an enumerator for a builder type.
+	 *
+	 * The build() method has to be called on each enumerated builder to 
+	 * cleanup associated ressources. 
 	 *
 	 * @param type			type of credentials the builder creates
 	 * @param subtype		type specific subtype, such as certificate_type_t
-	 * @return				builder instance
+	 * @return				enumerator over builder_t
 	 */
-	builder_t* (*create_builder)(credential_factory_t *this,
-								 credential_type_t type, int subtype);
+	enumerator_t* (*create_builder_enumerator)(credential_factory_t *this,
+										credential_type_t type, int subtype);
+	
 	/**
 	 * Register a builder_t constructor function.
 	 *
diff --git a/src/libstrongswan/crypto/crypto_factory.c b/src/libstrongswan/crypto/crypto_factory.c
index 46fa983b2..9836ed468 100644
--- a/src/libstrongswan/crypto/crypto_factory.c
+++ b/src/libstrongswan/crypto/crypto_factory.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: crypto_factory.c 3806 2008-04-15 05:56:35Z martin $
+ * $Id: crypto_factory.c 4307 2008-08-28 09:24:42Z martin $
  */
 
 #include "crypto_factory.h"
@@ -20,52 +20,19 @@
 #include <utils/linked_list.h>
 #include <utils/mutex.h>
 
-typedef struct crypter_entry_t crypter_entry_t;
-struct crypter_entry_t {
-	/** encryption algorithm */
-	encryption_algorithm_t algo;
-	/** associated constructor */
-	crypter_constructor_t create;
-};
-
-typedef struct signer_entry_t signer_entry_t;
-struct signer_entry_t {
-	/** integrity algorithm */
-	integrity_algorithm_t algo;
-	/** associated constructor */
-	signer_constructor_t create;
-};
-
-typedef struct hasher_entry_t hasher_entry_t;
-struct hasher_entry_t {
-	/** hash algorithm */
-	hash_algorithm_t algo;
-	/** associated constructor */
-	hasher_constructor_t create;
-};
-
-typedef struct prf_entry_t prf_entry_t;
-struct prf_entry_t {
-	/** hash algorithm */
-	pseudo_random_function_t algo;
-	/** associated constructor */
-	prf_constructor_t create;
-};
-
-typedef struct rng_entry_t rng_entry_t;
-struct rng_entry_t {
-	/** quality of randomness */
-	rng_quality_t quality;
-	/** associated constructor */
-	rng_constructor_t create;
-};
-
-typedef struct dh_entry_t dh_entry_t;
-struct dh_entry_t {
-	/** hash algorithm */
-	diffie_hellman_group_t group;
-	/** associated constructor */
-	dh_constructor_t create;
+typedef struct entry_t entry_t;
+struct entry_t {
+	/** algorithm */
+	u_int algo;
+	/* constructor */
+	union {
+		crypter_constructor_t create_crypter;
+		signer_constructor_t create_signer;
+		hasher_constructor_t create_hasher;
+		prf_constructor_t create_prf;
+		rng_constructor_t create_rng;
+		dh_constructor_t create_dh;
+	};
 };
 
 typedef struct private_crypto_factory_t private_crypto_factory_t;
@@ -81,32 +48,32 @@ struct private_crypto_factory_t {
 	crypto_factory_t public;
 	
 	/**
-	 * registered crypters, as crypter_entry_t
+	 * registered crypters, as entry_t
 	 */
 	linked_list_t *crypters;
 	
 	/**
-	 * registered signers, as signer_entry_t
+	 * registered signers, as entry_t
 	 */
 	linked_list_t *signers;
 	
 	/**
-	 * registered hashers, as hasher_entry_t
+	 * registered hashers, as entry_t
 	 */
 	linked_list_t *hashers;
 	
 	/**
-	 * registered prfs, as prf_entry_t
+	 * registered prfs, as entry_t
 	 */
 	linked_list_t *prfs;
 	
 	/**
-	 * registered rngs, as rng_entry_t
+	 * registered rngs, as entry_t
 	 */
 	linked_list_t *rngs;
 	
 	/**
-	 * registered diffie hellman, as dh_entry_t
+	 * registered diffie hellman, as entry_t
 	 */
 	linked_list_t *dhs;
 	
@@ -123,7 +90,7 @@ static crypter_t* create_crypter(private_crypto_factory_t *this,
 								 encryption_algorithm_t algo, size_t key_size)
 {
 	enumerator_t *enumerator;
-	crypter_entry_t *entry;
+	entry_t *entry;
 	crypter_t *crypter = NULL;
 
 	this->mutex->lock(this->mutex);
@@ -132,7 +99,7 @@ static crypter_t* create_crypter(private_crypto_factory_t *this,
 	{
 		if (entry->algo == algo)
 		{
-			crypter = entry->create(algo, key_size);
+			crypter = entry->create_crypter(algo, key_size);
 			if (crypter)
 			{
 				break;
@@ -151,7 +118,7 @@ static signer_t* create_signer(private_crypto_factory_t *this,
 							   integrity_algorithm_t algo)
 {
 	enumerator_t *enumerator;
-	signer_entry_t *entry;
+	entry_t *entry;
 	signer_t *signer = NULL;
 
 	this->mutex->lock(this->mutex);
@@ -160,7 +127,7 @@ static signer_t* create_signer(private_crypto_factory_t *this,
 	{
 		if (entry->algo == algo)
 		{
-			signer = entry->create(algo);
+			signer = entry->create_signer(algo);
 			if (signer)
 			{
 				break;
@@ -180,7 +147,7 @@ static hasher_t* create_hasher(private_crypto_factory_t *this,
 							   hash_algorithm_t algo)
 {
 	enumerator_t *enumerator;
-	hasher_entry_t *entry;
+	entry_t *entry;
 	hasher_t *hasher = NULL;
 
 	this->mutex->lock(this->mutex);
@@ -189,7 +156,7 @@ static hasher_t* create_hasher(private_crypto_factory_t *this,
 	{
 		if (algo == HASH_PREFERRED || entry->algo == algo)
 		{
-			hasher = entry->create(entry->algo);
+			hasher = entry->create_hasher(entry->algo);
 			if (hasher)
 			{
 				break;
@@ -208,7 +175,7 @@ static prf_t* create_prf(private_crypto_factory_t *this,
 						 pseudo_random_function_t algo)
 {
 	enumerator_t *enumerator;
-	prf_entry_t *entry;
+	entry_t *entry;
 	prf_t *prf = NULL;
 
 	this->mutex->lock(this->mutex);
@@ -217,7 +184,7 @@ static prf_t* create_prf(private_crypto_factory_t *this,
 	{
 		if (entry->algo == algo)
 		{
-			prf = entry->create(algo);
+			prf = entry->create_prf(algo);
 			if (prf)
 			{
 				break;
@@ -235,7 +202,7 @@ static prf_t* create_prf(private_crypto_factory_t *this,
 static rng_t* create_rng(private_crypto_factory_t *this, rng_quality_t quality)
 {
 	enumerator_t *enumerator;
-	rng_entry_t *entry;
+	entry_t *entry;
 	u_int diff = ~0;
 	rng_constructor_t constr = NULL;
 
@@ -243,10 +210,10 @@ static rng_t* create_rng(private_crypto_factory_t *this, rng_quality_t quality)
 	enumerator = this->rngs->create_enumerator(this->rngs);
 	while (enumerator->enumerate(enumerator, &entry))
 	{	/* find the best matching quality, but at least as good as requested */
-		if (entry->quality >= quality && diff > entry->quality - quality)
+		if (entry->algo >= quality && diff > entry->algo - quality)
 		{
-			diff = entry->quality - quality;
-			constr = entry->create;
+			diff = entry->algo - quality;
+			constr = entry->create_rng;
 			if (diff == 0)
 			{	/* perfect match, won't get better */
 				break;
@@ -269,16 +236,16 @@ static diffie_hellman_t* create_dh(private_crypto_factory_t *this,
 								   diffie_hellman_group_t group)
 {
 	enumerator_t *enumerator;
-	dh_entry_t *entry;
+	entry_t *entry;
 	diffie_hellman_t *diffie_hellman = NULL;
 
 	this->mutex->lock(this->mutex);
 	enumerator = this->dhs->create_enumerator(this->dhs);
 	while (enumerator->enumerate(enumerator, &entry))
 	{
-		if (entry->group == group)
+		if (entry->algo == group)
 		{
-			diffie_hellman = entry->create(group);
+			diffie_hellman = entry->create_dh(group);
 			if (diffie_hellman)
 			{
 				break;
@@ -297,10 +264,10 @@ static void add_crypter(private_crypto_factory_t *this,
 						encryption_algorithm_t algo,
 						crypter_constructor_t create)
 {
-	crypter_entry_t *entry = malloc_thing(crypter_entry_t);
+	entry_t *entry = malloc_thing(entry_t);
 	
 	entry->algo = algo;
-	entry->create = create;
+	entry->create_crypter = create;
 	this->mutex->lock(this->mutex);
 	this->crypters->insert_last(this->crypters, entry);
 	this->mutex->unlock(this->mutex);
@@ -312,14 +279,14 @@ static void add_crypter(private_crypto_factory_t *this,
 static void remove_crypter(private_crypto_factory_t *this,
 						   crypter_constructor_t create)
 {
-	crypter_entry_t *entry;
+	entry_t *entry;
 	enumerator_t *enumerator;
 	
 	this->mutex->lock(this->mutex);
 	enumerator = this->crypters->create_enumerator(this->crypters);
 	while (enumerator->enumerate(enumerator, &entry))
 	{
-		if (entry->create == create)
+		if (entry->create_crypter == create)
 		{
 			this->crypters->remove_at(this->crypters, enumerator);
 			free(entry);
@@ -335,10 +302,10 @@ static void remove_crypter(private_crypto_factory_t *this,
 static void add_signer(private_crypto_factory_t *this,
 					   integrity_algorithm_t algo, signer_constructor_t create)
 {
-	signer_entry_t *entry = malloc_thing(signer_entry_t);
+	entry_t *entry = malloc_thing(entry_t);
 	
 	entry->algo = algo;
-	entry->create = create;
+	entry->create_signer = create;
 	this->mutex->lock(this->mutex);
 	this->signers->insert_last(this->signers, entry);
 	this->mutex->unlock(this->mutex);
@@ -350,14 +317,14 @@ static void add_signer(private_crypto_factory_t *this,
 static void remove_signer(private_crypto_factory_t *this,
 						  signer_constructor_t create)
 {
-	signer_entry_t *entry;
+	entry_t *entry;
 	enumerator_t *enumerator;
 	
 	this->mutex->lock(this->mutex);
 	enumerator = this->signers->create_enumerator(this->signers);
 	while (enumerator->enumerate(enumerator, &entry))
 	{
-		if (entry->create == create)
+		if (entry->create_signer == create)
 		{
 			this->signers->remove_at(this->signers, enumerator);
 			free(entry);
@@ -373,10 +340,10 @@ static void remove_signer(private_crypto_factory_t *this,
 static void add_hasher(private_crypto_factory_t *this, hash_algorithm_t algo,
 					   hasher_constructor_t create)
 {
-	hasher_entry_t *entry = malloc_thing(hasher_entry_t);
+	entry_t *entry = malloc_thing(entry_t);
 	
 	entry->algo = algo;
-	entry->create = create;
+	entry->create_hasher = create;
 	this->mutex->lock(this->mutex);
 	this->hashers->insert_last(this->hashers, entry);
 	this->mutex->unlock(this->mutex);
@@ -388,14 +355,14 @@ static void add_hasher(private_crypto_factory_t *this, hash_algorithm_t algo,
 static void remove_hasher(private_crypto_factory_t *this,
 						  hasher_constructor_t create)
 {
-	hasher_entry_t *entry;
+	entry_t *entry;
 	enumerator_t *enumerator;
 	
 	this->mutex->lock(this->mutex);
 	enumerator = this->hashers->create_enumerator(this->hashers);
 	while (enumerator->enumerate(enumerator, &entry))
 	{
-		if (entry->create == create)
+		if (entry->create_hasher == create)
 		{
 			this->hashers->remove_at(this->hashers, enumerator);
 			free(entry);
@@ -411,10 +378,10 @@ static void remove_hasher(private_crypto_factory_t *this,
 static void add_prf(private_crypto_factory_t *this,
 					pseudo_random_function_t algo, prf_constructor_t create)
 {
-	prf_entry_t *entry = malloc_thing(prf_entry_t);
+	entry_t *entry = malloc_thing(entry_t);
 	
 	entry->algo = algo;
-	entry->create = create;
+	entry->create_prf = create;
 	this->mutex->lock(this->mutex);
 	this->prfs->insert_last(this->prfs, entry);
 	this->mutex->unlock(this->mutex);
@@ -425,14 +392,14 @@ static void add_prf(private_crypto_factory_t *this,
  */
 static void remove_prf(private_crypto_factory_t *this, prf_constructor_t create)
 {
-	prf_entry_t *entry;
+	entry_t *entry;
 	enumerator_t *enumerator;
 	
 	this->mutex->lock(this->mutex);
 	enumerator = this->prfs->create_enumerator(this->prfs);
 	while (enumerator->enumerate(enumerator, &entry))
 	{
-		if (entry->create == create)
+		if (entry->create_prf == create)
 		{
 			this->prfs->remove_at(this->prfs, enumerator);
 			free(entry);
@@ -448,10 +415,10 @@ static void remove_prf(private_crypto_factory_t *this, prf_constructor_t create)
 static void add_rng(private_crypto_factory_t *this, rng_quality_t quality,
 					rng_constructor_t create)
 {
-	rng_entry_t *entry = malloc_thing(rng_entry_t);
+	entry_t *entry = malloc_thing(entry_t);
 	
-	entry->quality = quality;
-	entry->create = create;
+	entry->algo = quality;
+	entry->create_rng = create;
 	this->mutex->lock(this->mutex);
 	this->rngs->insert_last(this->rngs, entry);
 	this->mutex->unlock(this->mutex);
@@ -462,14 +429,14 @@ static void add_rng(private_crypto_factory_t *this, rng_quality_t quality,
  */
 static void remove_rng(private_crypto_factory_t *this, rng_constructor_t create)
 {
-	rng_entry_t *entry;
+	entry_t *entry;
 	enumerator_t *enumerator;
 	
 	this->mutex->lock(this->mutex);
 	enumerator = this->rngs->create_enumerator(this->rngs);
 	while (enumerator->enumerate(enumerator, &entry))
 	{
-		if (entry->create == create)
+		if (entry->create_rng == create)
 		{
 			this->rngs->remove_at(this->rngs, enumerator);
 			free(entry);
@@ -485,10 +452,10 @@ static void remove_rng(private_crypto_factory_t *this, rng_constructor_t create)
 static void add_dh(private_crypto_factory_t *this, diffie_hellman_group_t group,
 				   dh_constructor_t create)
 {
-	dh_entry_t *entry = malloc_thing(dh_entry_t);
+	entry_t *entry = malloc_thing(entry_t);
 	
-	entry->group = group;
-	entry->create = create;
+	entry->algo = group;
+	entry->create_dh = create;
 	this->mutex->lock(this->mutex);
 	this->dhs->insert_last(this->dhs, entry);
 	this->mutex->unlock(this->mutex);
@@ -499,14 +466,14 @@ static void add_dh(private_crypto_factory_t *this, diffie_hellman_group_t group,
  */
 static void remove_dh(private_crypto_factory_t *this, dh_constructor_t create)
 {
-	dh_entry_t *entry;
+	entry_t *entry;
 	enumerator_t *enumerator;
 	
 	this->mutex->lock(this->mutex);
 	enumerator = this->dhs->create_enumerator(this->dhs);
 	while (enumerator->enumerate(enumerator, &entry))
 	{
-		if (entry->create == create)
+		if (entry->create_dh == create)
 		{
 			this->dhs->remove_at(this->dhs, enumerator);
 			free(entry);
@@ -516,6 +483,127 @@ static void remove_dh(private_crypto_factory_t *this, dh_constructor_t create)
 	this->mutex->unlock(this->mutex);
 }
 
+/**
+ * match algorithms of an entry?
+ */
+static bool entry_match(entry_t *a, entry_t *b)
+{
+	return a->algo == b->algo;
+}
+
+/**
+ * check for uniqueness of an entry
+ */
+static bool unique_check(linked_list_t *list, entry_t **in, entry_t **out)
+{
+	if (list->find_first(list, (void*)entry_match, NULL, *in) == SUCCESS)
+	{
+		return FALSE;
+	}
+	*out = *in;
+	list->insert_last(list, *in);
+	return TRUE;
+}
+
+/**
+ * create an enumerator over entry->algo in list with locking and unique check
+ */
+static enumerator_t *create_enumerator(private_crypto_factory_t *this,
+									   linked_list_t *list, void *filter)
+{
+	this->mutex->lock(this->mutex);
+	return enumerator_create_filter(
+				enumerator_create_filter(
+					list->create_enumerator(list), (void*)unique_check,
+					linked_list_create(), (void*)list->destroy),
+				filter,	this->mutex, (void*)this->mutex->unlock);
+}
+
+/**
+ * Filter function to enumerate algorithm, not entry
+ */
+static bool crypter_filter(void *n, entry_t **entry, encryption_algorithm_t *algo)
+{
+	*algo = (*entry)->algo;
+	return TRUE;
+}
+
+/**
+ * Implementation of crypto_factory_t.create_crypter_enumerator
+ */
+static enumerator_t* create_crypter_enumerator(private_crypto_factory_t *this)
+{
+	return create_enumerator(this, this->crypters, crypter_filter);
+}
+
+/**
+ * Filter function to enumerate algorithm, not entry
+ */
+static bool signer_filter(void *n, entry_t **entry, integrity_algorithm_t *algo)
+{
+	*algo = (*entry)->algo;
+	return TRUE;
+}
+
+/**
+ * Implementation of crypto_factory_t.create_signer_enumerator
+ */
+static enumerator_t* create_signer_enumerator(private_crypto_factory_t *this)
+{
+	return create_enumerator(this, this->signers, signer_filter);
+}
+
+/**
+ * Filter function to enumerate algorithm, not entry
+ */
+static bool hasher_filter(void *n, entry_t **entry, hash_algorithm_t *algo)
+{
+	*algo = (*entry)->algo;
+	return TRUE;
+}
+
+/**
+ * Implementation of crypto_factory_t.create_hasher_enumerator
+ */
+static enumerator_t* create_hasher_enumerator(private_crypto_factory_t *this)
+{
+	return create_enumerator(this, this->hashers, hasher_filter);
+}
+
+/**
+ * Filter function to enumerate algorithm, not entry
+ */
+static bool prf_filter(void *n, entry_t **entry, pseudo_random_function_t *algo)
+{
+	*algo = (*entry)->algo;
+	return TRUE;
+}
+
+/**
+ * Implementation of crypto_factory_t.create_prf_enumerator
+ */
+static enumerator_t* create_prf_enumerator(private_crypto_factory_t *this)
+{
+	return create_enumerator(this, this->prfs, prf_filter);
+}
+
+/**
+ * Filter function to enumerate algorithm, not entry
+ */
+static bool dh_filter(void *n, entry_t **entry, diffie_hellman_group_t *group)
+{
+	*group = (*entry)->algo;
+	return TRUE;
+}
+
+/**
+ * Implementation of crypto_factory_t.create_dh_enumerator
+ */
+static enumerator_t* create_dh_enumerator(private_crypto_factory_t *this)
+{
+	return create_enumerator(this, this->dhs, dh_filter);
+}
+
 /**
  * Implementation of crypto_factory_t.destroy
  */
@@ -556,6 +644,11 @@ crypto_factory_t *crypto_factory_create()
 	this->public.remove_rng = (void(*)(crypto_factory_t*, rng_constructor_t create))remove_rng;
 	this->public.add_dh = (void(*)(crypto_factory_t*, diffie_hellman_group_t algo, dh_constructor_t create))add_dh;
 	this->public.remove_dh = (void(*)(crypto_factory_t*, dh_constructor_t create))remove_dh;
+	this->public.create_crypter_enumerator = (enumerator_t*(*)(crypto_factory_t*))create_crypter_enumerator;
+	this->public.create_signer_enumerator = (enumerator_t*(*)(crypto_factory_t*))create_signer_enumerator;
+	this->public.create_hasher_enumerator = (enumerator_t*(*)(crypto_factory_t*))create_hasher_enumerator;
+	this->public.create_prf_enumerator = (enumerator_t*(*)(crypto_factory_t*))create_prf_enumerator;
+	this->public.create_dh_enumerator = (enumerator_t*(*)(crypto_factory_t*))create_dh_enumerator;
 	this->public.destroy = (void(*)(crypto_factory_t*))destroy;
 	
 	this->crypters = linked_list_create();
diff --git a/src/libstrongswan/crypto/crypto_factory.h b/src/libstrongswan/crypto/crypto_factory.h
index 6bf070c31..cdb9b47ba 100644
--- a/src/libstrongswan/crypto/crypto_factory.h
+++ b/src/libstrongswan/crypto/crypto_factory.h
@@ -221,6 +221,41 @@ struct crypto_factory_t {
 	 */
 	void (*remove_dh)(crypto_factory_t *this, dh_constructor_t create);
 	
+	/**
+	 * Create an enumerator over all registered crypter algorithms.
+	 *
+	 * @return				enumerator over encryption_algorithm_t
+	 */
+	enumerator_t* (*create_crypter_enumerator)(crypto_factory_t *this);
+	
+	/**
+	 * Create an enumerator over all registered signer algorithms.
+	 *
+	 * @return				enumerator over integrity_algorithm_t
+	 */
+	enumerator_t* (*create_signer_enumerator)(crypto_factory_t *this);
+	
+	/**
+	 * Create an enumerator over all registered hasher algorithms.
+	 *
+	 * @return				enumerator over hash_algorithm_t
+	 */
+	enumerator_t* (*create_hasher_enumerator)(crypto_factory_t *this);
+	
+	/**
+	 * Create an enumerator over all registered PRFs.
+	 *
+	 * @return				enumerator over pseudo_random_function_t
+	 */
+	enumerator_t* (*create_prf_enumerator)(crypto_factory_t *this);
+	
+	/**
+	 * Create an enumerator over all registered diffie hellman groups.
+	 *
+	 * @return				enumerator over diffie_hellman_group_t
+	 */
+	enumerator_t* (*create_dh_enumerator)(crypto_factory_t *this);
+	
 	/**
      * Destroy a crypto_factory instance.
      */
diff --git a/src/libstrongswan/database/database.h b/src/libstrongswan/database/database.h
index 1cf5c2542..39f909cd7 100644
--- a/src/libstrongswan/database/database.h
+++ b/src/libstrongswan/database/database.h
@@ -22,6 +22,7 @@
 #define DATABASE_H_
 
 typedef enum db_type_t db_type_t;
+typedef enum db_driver_t db_driver_t;
 typedef struct database_t database_t;
 
 #include <utils/enumerator.h>
@@ -44,6 +45,15 @@ enum db_type_t {
 	DB_NULL,
 };
 
+/**
+ * Database implementation type.
+ */
+enum db_driver_t {
+	/** SQLite database */
+	DB_SQLITE,
+	/** MySQL database */
+	DB_MYSQL,
+};
 
 /**
  * Interface for a database implementation.
@@ -94,6 +104,16 @@ struct database_t {
 	 */
 	int (*execute)(database_t *this, int *rowid, char *sql, ...);
 	
+	/**
+	 * Get the database implementation type.
+	 *
+	 * To allow driver specific SQL or performance optimizations each database
+	 * implementations can be queried for its type.
+	 *
+	 * @return			database implementation type
+	 */
+	db_driver_t (*get_driver)(database_t *this);
+	
 	/**
      * Destroy a database connection.
      */
diff --git a/src/libstrongswan/fips/Makefile.am b/src/libstrongswan/fips/Makefile.am
new file mode 100644
index 000000000..22a35701b
--- /dev/null
+++ b/src/libstrongswan/fips/Makefile.am
@@ -0,0 +1,19 @@
+noinst_PROGRAMS = fips_signer
+fips_signer_SOURCES = fips_signer.c
+fips_signer_LDADD = ../libstrongswan.la
+
+BUILT_SOURCES = fips_signature.h
+CLEANFILES = fips_signature.h fips_signer
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+AM_CFLAGS = -DSTRONGSWAN_CONF=\"${strongswan_conf}\" \
+            -DPLUGINDIR=\"${top_srcdir}/src/libstrongswan/plugins\"
+if USE_SHA1
+  AM_CFLAGS += -DUSE_SHA1
+endif
+
+if USE_OPENSSL
+  AM_CFLAGS += -DUSE_OPENSSL
+endif
+
+fips_signature.h : fips_signer
+		   ./fips_signer
diff --git a/src/libstrongswan/fips/Makefile.in b/src/libstrongswan/fips/Makefile.in
new file mode 100644
index 000000000..9814d631f
--- /dev/null
+++ b/src/libstrongswan/fips/Makefile.in
@@ -0,0 +1,475 @@
+# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+noinst_PROGRAMS = fips_signer$(EXEEXT)
+@USE_SHA1_TRUE@am__append_1 = -DUSE_SHA1
+@USE_OPENSSL_TRUE@am__append_2 = -DUSE_OPENSSL
+subdir = src/libstrongswan/fips
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+PROGRAMS = $(noinst_PROGRAMS)
+am_fips_signer_OBJECTS = fips_signer.$(OBJEXT)
+fips_signer_OBJECTS = $(am_fips_signer_OBJECTS)
+fips_signer_DEPENDENCIES = ../libstrongswan.la
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(fips_signer_SOURCES)
+DIST_SOURCES = $(fips_signer_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+CXXDEPMODE = @CXXDEPMODE@
+CXXFLAGS = @CXXFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DSYMUTIL = @DSYMUTIL@
+ECHO = @ECHO@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+F77 = @F77@
+FFLAGS = @FFLAGS@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
+IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LINUX_HEADERS = @LINUX_HEADERS@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+NMEDIT = @NMEDIT@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+RANLIB = @RANLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_CXX = @ac_ct_CXX@
+ac_ct_F77 = @ac_ct_F77@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+confdir = @confdir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libstrongswan_plugins = @libstrongswan_plugins@
+linuxdir = @linuxdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+resolv_conf = @resolv_conf@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+simreader = @simreader@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+fips_signer_SOURCES = fips_signer.c
+fips_signer_LDADD = ../libstrongswan.la
+BUILT_SOURCES = fips_signature.h
+CLEANFILES = fips_signature.h fips_signer
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+AM_CFLAGS = -DSTRONGSWAN_CONF=\"${strongswan_conf}\" \
+	-DPLUGINDIR=\"${top_srcdir}/src/libstrongswan/plugins\" \
+	$(am__append_1) $(am__append_2)
+all: $(BUILT_SOURCES)
+	$(MAKE) $(AM_MAKEFLAGS) all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
+		&& exit 0; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/libstrongswan/fips/Makefile'; \
+	cd $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu  src/libstrongswan/fips/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+clean-noinstPROGRAMS:
+	@list='$(noinst_PROGRAMS)'; for p in $$list; do \
+	  f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
+	  echo " rm -f $$p $$f"; \
+	  rm -f $$p $$f ; \
+	done
+fips_signer$(EXEEXT): $(fips_signer_OBJECTS) $(fips_signer_DEPENDENCIES) 
+	@rm -f fips_signer$(EXEEXT)
+	$(LINK) $(fips_signer_OBJECTS) $(fips_signer_LDADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fips_signer.Po@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	    $$tags $$unique; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$tags $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) $$here
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	    fi; \
+	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: $(BUILT_SOURCES)
+	$(MAKE) $(AM_MAKEFLAGS) check-am
+all-am: Makefile $(PROGRAMS)
+installdirs:
+install: $(BUILT_SOURCES)
+	$(MAKE) $(AM_MAKEFLAGS) install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+	-test -z "$(BUILT_SOURCES)" || rm -f $(BUILT_SOURCES)
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstPROGRAMS \
+	mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+info: info-am
+
+info-am:
+
+install-data-am:
+
+install-dvi: install-dvi-am
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-info: install-info-am
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am:
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstPROGRAMS ctags distclean \
+	distclean-compile distclean-generic distclean-libtool \
+	distclean-tags distdir dvi dvi-am html html-am info info-am \
+	install install-am install-data install-data-am install-dvi \
+	install-dvi-am install-exec install-exec-am install-html \
+	install-html-am install-info install-info-am install-man \
+	install-pdf install-pdf-am install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am
+
+
+fips_signature.h : fips_signer
+		   ./fips_signer
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libstrongswan/fips/fips_signer.c b/src/libstrongswan/fips/fips_signer.c
index 81a5874f7..4bf8b38dd 100644
--- a/src/libstrongswan/fips/fips_signer.c
+++ b/src/libstrongswan/fips/fips_signer.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: fips_signer.c 3964 2008-05-15 14:01:26Z martin $
+ * $Id: fips_signer.c 4258 2008-08-19 18:51:30Z andreas $
  */
 
 #include <stdio.h>
@@ -28,7 +28,13 @@ int main(int argc, char* argv[])
 
 	/* initialize library */
 	library_init(STRONGSWAN_CONF);
-	lib->plugins->load(lib->plugins, IPSEC_PLUGINDIR, "sha1 hmac");
+#ifdef USE_SHA1
+	lib->plugins->load(lib->plugins, PLUGINDIR "/sha1/.libs", "sha1");
+#endif
+#ifdef USE_OPENSSL
+	lib->plugins->load(lib->plugins, PLUGINDIR "/openssl/.libs", "openssl");
+#endif
+	lib->plugins->load(lib->plugins, PLUGINDIR "/hmac/.libs", "hmac");
 
 	if (!fips_compute_hmac_signature(hmac_key, hmac_signature))
 	{
diff --git a/src/libstrongswan/library.c b/src/libstrongswan/library.c
index cc3ee6bd6..07d08fa51 100644
--- a/src/libstrongswan/library.c
+++ b/src/libstrongswan/library.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: library.c 3750 2008-04-04 11:38:16Z martin $
+ * $Id: library.c 4311 2008-08-28 16:27:48Z martin $
  */
 
 #include "library.h"
@@ -86,6 +86,8 @@ void library_init(char *settings)
 	private_library_t *this = malloc_thing(private_library_t);
 	lib = &this->public;
 	
+	lib->leak_detective = FALSE;
+	
 #ifdef LEAK_DETECTIVE
 	this->detective = leak_detective_create();
 #endif /* LEAK_DETECTIVE */
diff --git a/src/libstrongswan/library.h b/src/libstrongswan/library.h
index 6cb57ef20..34a981054 100644
--- a/src/libstrongswan/library.h
+++ b/src/libstrongswan/library.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: library.h 3589 2008-03-13 14:14:44Z martin $
+ * $Id: library.h 4311 2008-08-28 16:27:48Z martin $
  */
 
 /**
@@ -108,6 +108,11 @@ struct library_t {
 	 * various settings loaded from settings file
 	 */
 	settings_t *settings;
+	
+	/**
+	 * is leak detective running?
+	 */
+	bool leak_detective;
 };
 
 /**
diff --git a/src/libstrongswan/plugins/aes/Makefile.in b/src/libstrongswan/plugins/aes/Makefile.in
index ed3dfb621..55faa07f0 100644
--- a/src/libstrongswan/plugins/aes/Makefile.in
+++ b/src/libstrongswan/plugins/aes/Makefile.in
@@ -187,6 +187,8 @@ localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
diff --git a/src/libstrongswan/plugins/agent/Makefile.am b/src/libstrongswan/plugins/agent/Makefile.am
new file mode 100644
index 000000000..bc022aa26
--- /dev/null
+++ b/src/libstrongswan/plugins/agent/Makefile.am
@@ -0,0 +1,12 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = -rdynamic
+
+plugin_LTLIBRARIES = libstrongswan-agent.la
+
+libstrongswan_agent_la_SOURCES = agent_plugin.h agent_plugin.c \
+  agent_private_key.c agent_private_key.h
+
+libstrongswan_agent_la_LDFLAGS = -module
+
diff --git a/src/libstrongswan/plugins/agent/Makefile.in b/src/libstrongswan/plugins/agent/Makefile.in
new file mode 100644
index 000000000..eb38b537a
--- /dev/null
+++ b/src/libstrongswan/plugins/agent/Makefile.in
@@ -0,0 +1,499 @@
+# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libstrongswan/plugins/agent
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__installdirs = "$(DESTDIR)$(plugindir)"
+pluginLTLIBRARIES_INSTALL = $(INSTALL)
+LTLIBRARIES = $(plugin_LTLIBRARIES)
+libstrongswan_agent_la_LIBADD =
+am_libstrongswan_agent_la_OBJECTS = agent_plugin.lo \
+	agent_private_key.lo
+libstrongswan_agent_la_OBJECTS = $(am_libstrongswan_agent_la_OBJECTS)
+libstrongswan_agent_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_agent_la_LDFLAGS) $(LDFLAGS) -o $@
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_agent_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_agent_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+CXXDEPMODE = @CXXDEPMODE@
+CXXFLAGS = @CXXFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DSYMUTIL = @DSYMUTIL@
+ECHO = @ECHO@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+F77 = @F77@
+FFLAGS = @FFLAGS@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
+IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LINUX_HEADERS = @LINUX_HEADERS@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+NMEDIT = @NMEDIT@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+RANLIB = @RANLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_CXX = @ac_ct_CXX@
+ac_ct_F77 = @ac_ct_F77@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+confdir = @confdir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libstrongswan_plugins = @libstrongswan_plugins@
+linuxdir = @linuxdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+resolv_conf = @resolv_conf@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+simreader = @simreader@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+AM_CFLAGS = -rdynamic
+plugin_LTLIBRARIES = libstrongswan-agent.la
+libstrongswan_agent_la_SOURCES = agent_plugin.h agent_plugin.c \
+  agent_private_key.c agent_private_key.h
+
+libstrongswan_agent_la_LDFLAGS = -module
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
+		&& exit 0; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/libstrongswan/plugins/agent/Makefile'; \
+	cd $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu  src/libstrongswan/plugins/agent/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    f=$(am__strip_dir) \
+	    echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(plugindir)/$$f'"; \
+	    $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(plugindir)/$$f"; \
+	  else :; fi; \
+	done
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  p=$(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$p'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$p"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-agent.la: $(libstrongswan_agent_la_OBJECTS) $(libstrongswan_agent_la_DEPENDENCIES) 
+	$(libstrongswan_agent_la_LINK) -rpath $(plugindir) $(libstrongswan_agent_la_OBJECTS) $(libstrongswan_agent_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/agent_plugin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/agent_private_key.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	    $$tags $$unique; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$tags $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) $$here
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	    fi; \
+	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
+	mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-info: install-info-am
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
+	distclean-compile distclean-generic distclean-libtool \
+	distclean-tags distdir dvi dvi-am html html-am info info-am \
+	install install-am install-data install-data-am install-dvi \
+	install-dvi-am install-exec install-exec-am install-html \
+	install-html-am install-info install-info-am install-man \
+	install-pdf install-pdf-am install-pluginLTLIBRARIES \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libstrongswan/plugins/agent/agent_plugin.c b/src/libstrongswan/plugins/agent/agent_plugin.c
new file mode 100644
index 000000000..474171ad1
--- /dev/null
+++ b/src/libstrongswan/plugins/agent/agent_plugin.c
@@ -0,0 +1,59 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+#include "agent_plugin.h"
+
+#include <library.h>
+#include "agent_private_key.h"
+
+typedef struct private_agent_plugin_t private_agent_plugin_t;
+
+/**
+ * private data of agent_plugin
+ */
+struct private_agent_plugin_t {
+
+	/**
+	 * public functions
+	 */
+	agent_plugin_t public;
+};
+
+/**
+ * Implementation of agent_plugin_t.agenttroy
+ */
+static void destroy(private_agent_plugin_t *this)
+{
+	lib->creds->remove_builder(lib->creds,
+							   (builder_constructor_t)agent_private_key_builder);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *plugin_create()
+{
+	private_agent_plugin_t *this = malloc_thing(private_agent_plugin_t);
+	
+	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+	
+	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+							(builder_constructor_t)agent_private_key_builder);
+	return &this->public.plugin;
+}
+
diff --git a/src/libstrongswan/plugins/agent/agent_plugin.h b/src/libstrongswan/plugins/agent/agent_plugin.h
new file mode 100644
index 000000000..d12dd44ac
--- /dev/null
+++ b/src/libstrongswan/plugins/agent/agent_plugin.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup agent_p agent
+ * @ingroup plugins
+ * 
+ * @defgroup agent_plugin agent_plugin
+ * @{ @ingroup agent_p
+ */
+
+#ifndef AGENT_PLUGIN_H_
+#define AGENT_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct agent_plugin_t agent_plugin_t;
+
+/**
+ * Plugin to use private keys loaded in a ssh-agent.
+ */
+struct agent_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+/**
+ * Create a agent_plugin instance.
+ */
+plugin_t *plugin_create();
+
+#endif /* AGENT_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/agent/agent_private_key.c b/src/libstrongswan/plugins/agent/agent_private_key.c
new file mode 100644
index 000000000..a3b8eebf3
--- /dev/null
+++ b/src/libstrongswan/plugins/agent/agent_private_key.c
@@ -0,0 +1,590 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+#include "agent_private_key.h"
+
+#include <stdlib.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/un.h>
+#include <arpa/inet.h>
+#include <errno.h>
+
+#include <library.h>
+#include <chunk.h>
+#include <debug.h>
+#include <asn1/asn1.h>
+#include <asn1/oid.h>
+
+#ifndef UNIX_PATH_MAX
+#define UNIX_PATH_MAX 108
+#endif /* UNIX_PATH_MAX */
+
+typedef struct private_agent_private_key_t private_agent_private_key_t;
+typedef enum agent_msg_type_t agent_msg_type_t;
+
+/**
+ * Private data of a agent_private_key_t object.
+ */
+struct private_agent_private_key_t {
+	/**
+	 * Public interface for this signer.
+	 */
+	agent_private_key_t public;
+	
+	/**
+	 * ssh-agent unix socket connection
+	 */
+	int socket;
+	
+	/**
+	 * key identity blob in ssh format
+	 */
+	chunk_t key;
+	
+	/**
+	 * keysize in bytes
+	 */
+	size_t key_size;
+	
+	/**
+	 * Keyid formed as a SHA-1 hash of a publicKey object
+	 */
+	identification_t* keyid;
+
+	/**
+	 * Keyid formed as a SHA-1 hash of a publicKeyInfo object
+	 */
+	identification_t* keyid_info;
+	
+	/**
+	 * reference count
+	 */
+	refcount_t ref;	
+};
+
+/**
+ * Message types for ssh-agent protocol
+ */
+enum agent_msg_type_t {
+	SSH_AGENT_FAILURE = 5,
+	SSH_AGENT_SUCCESS =	6,
+	SSH_AGENT_ID_REQUEST = 11,
+	SSH_AGENT_ID_RESPONSE = 12,
+	SSH_AGENT_SIGN_REQUEST = 13,
+	SSH_AGENT_SIGN_RESPONSE = 14,
+};
+
+/**
+ * read a byte from a blob
+ */
+static u_char read_byte(chunk_t *blob)
+{
+	u_char val;
+
+	if (blob->len < sizeof(u_char))
+	{
+		return 0;
+	}
+	val = *(blob->ptr);
+	*blob = chunk_skip(*blob, sizeof(u_char));
+	return val;
+}
+
+/**
+ * read a u_int32_t from a blob
+ */
+static u_int32_t read_uint32(chunk_t *blob)
+{
+	u_int32_t val;
+
+	if (blob->len < sizeof(u_int32_t))
+	{
+		return 0;
+	}
+	val = ntohl(*(u_int32_t*)blob->ptr);
+	*blob = chunk_skip(*blob, sizeof(u_int32_t));
+	return val;
+}
+
+/**
+ * read a ssh-agent "string" length/value from a blob
+ */
+static chunk_t read_string(chunk_t *blob)
+{
+	int len;
+	chunk_t str;
+	
+	len = read_uint32(blob);
+	if (len > blob->len)
+	{
+		return chunk_empty;
+	}
+	str = chunk_create(blob->ptr, len);
+	*blob = chunk_skip(*blob, + len);
+	return str;
+}
+
+/**
+ * open socket connection to the ssh-agent
+ */
+static int open_connection(char *path)
+{
+	struct sockaddr_un addr;
+	int s;
+
+	s = socket(AF_UNIX, SOCK_STREAM, 0);
+	if (s == -1)
+	{
+		DBG1("opening ssh-agent socket %s failed: %s:", path, strerror(errno));
+		return -1;
+	}
+	
+	addr.sun_family = AF_UNIX;
+	addr.sun_path[UNIX_PATH_MAX - 1] = '\0';
+	strncpy(addr.sun_path, path, UNIX_PATH_MAX - 1);
+	
+	if (connect(s, (struct sockaddr*)&addr, SUN_LEN(&addr)) != 0)
+	{
+		DBG1("connecting to ssh-agent socket failed: %s", strerror(errno));
+		close(s);
+		return -1;
+	}
+	return s;
+}
+
+/**
+ * check if the ssh agent key blob matches to our public key
+ */
+static bool matches_pubkey(chunk_t key, public_key_t *pubkey)
+{
+	chunk_t pubkeydata, hash, n, e;
+	hasher_t *hasher;
+	identification_t *id;
+	bool match;
+	
+	if (!pubkey)
+	{
+		return TRUE;
+	}
+	read_string(&key);
+	e = read_string(&key);
+	n = read_string(&key);
+	hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
+	if (hasher == NULL)
+	{
+		return FALSE;
+	}
+	pubkeydata = asn1_wrap(ASN1_SEQUENCE, "mm", 
+						asn1_wrap(ASN1_INTEGER, "c", n),
+						asn1_wrap(ASN1_INTEGER, "c", e));
+	hasher->allocate_hash(hasher, pubkeydata, &hash);
+	free(pubkeydata.ptr);
+	id = pubkey->get_id(pubkey, ID_PUBKEY_SHA1);
+	if (!id)
+	{
+		return FALSE;
+	}
+	match = chunk_equals(id->get_encoding(id), hash);
+	free(hash.ptr);
+	return match;
+}
+
+/** 
+ * Get the first usable key from the agent
+ */
+static bool read_key(private_agent_private_key_t *this, public_key_t *pubkey)
+{
+	int len, count;
+	char buf[2048];
+	chunk_t blob = chunk_from_buf(buf), key, type, tmp;
+	
+	len = htonl(1);
+	write(this->socket, &len, sizeof(len));
+	buf[0] = SSH_AGENT_ID_REQUEST;
+	write(this->socket, &buf, 1);
+	
+	blob.len = read(this->socket, blob.ptr, blob.len);
+	
+	if (blob.len < sizeof(u_int32_t) + sizeof(u_char) ||
+		read_uint32(&blob) != blob.len ||
+		read_byte(&blob) != SSH_AGENT_ID_RESPONSE)
+	{
+		DBG1("received invalid ssh-agent identity response");
+		return FALSE;
+	}
+	count = read_uint32(&blob);
+	
+	while (blob.len)
+	{
+		key = read_string(&blob);
+		if (key.len)
+		{
+			tmp = key;
+			type = read_string(&tmp);
+			read_string(&tmp);
+			tmp = read_string(&tmp);
+			if (type.len && strneq("ssh-rsa", type.ptr, type.len) &&
+				tmp.len >= 512/8 && matches_pubkey(key, pubkey))
+			{
+				this->key = chunk_clone(key);
+				this->key_size = tmp.len;
+				if (tmp.ptr[0] == 0)
+				{
+					this->key_size--;
+				}
+				return TRUE;
+			}
+			continue;
+		}
+		break;
+	}
+	return FALSE;
+}
+
+/**
+ * Implementation of agent_private_key.destroy.
+ */
+static bool sign(private_agent_private_key_t *this, signature_scheme_t scheme, 
+				 chunk_t data, chunk_t *signature)
+{
+	u_int32_t len, flags;
+	char buf[2048];
+	chunk_t blob = chunk_from_buf(buf);
+	
+	if (scheme != SIGN_DEFAULT && scheme != SIGN_RSA_EMSA_PKCS1_SHA1)
+	{
+		DBG1("signature scheme %N not supported by ssh-agent",
+			 signature_scheme_names, scheme);
+		return FALSE;
+	}
+	
+	len = htonl(1 + sizeof(u_int32_t) * 3 + this->key.len + data.len);
+	write(this->socket, &len, sizeof(len));
+	buf[0] = SSH_AGENT_SIGN_REQUEST;
+	write(this->socket, &buf, 1);
+	
+	len = htonl(this->key.len);
+	write(this->socket, &len, sizeof(len));
+	write(this->socket, this->key.ptr, this->key.len);
+	
+	len = htonl(data.len);
+	write(this->socket, &len, sizeof(len));
+	write(this->socket, data.ptr, data.len);
+	
+	flags = htonl(0);
+	write(this->socket, &flags, sizeof(flags));
+	
+	blob.len = read(this->socket, blob.ptr, blob.len);
+	if (blob.len < sizeof(u_int32_t) + sizeof(u_char) ||
+		read_uint32(&blob) != blob.len ||
+		read_byte(&blob) != SSH_AGENT_SIGN_RESPONSE)
+	{
+		DBG1("received invalid ssh-agent signature response");
+		return FALSE;
+	}
+	/* parse length */
+	blob = read_string(&blob);
+	/* skip sig type */
+	read_string(&blob);
+	/* parse length */
+	blob = read_string(&blob);
+	if (!blob.len)
+	{
+		DBG1("received invalid ssh-agent signature response");
+		return FALSE;
+	}
+	*signature =  chunk_clone(blob);
+	return TRUE;
+}
+
+/**
+ * Implementation of agent_private_key.destroy.
+ */
+static key_type_t get_type(private_agent_private_key_t *this)
+{
+	return KEY_RSA;
+}
+
+/**
+ * Implementation of agent_private_key.destroy.
+ */
+static bool decrypt(private_agent_private_key_t *this,
+					chunk_t crypto, chunk_t *plain)
+{
+	DBG1("private key decryption not supported by ssh-agent");
+	return FALSE;
+}
+
+/**
+ * Implementation of agent_private_key.destroy.
+ */
+static size_t get_keysize(private_agent_private_key_t *this)
+{
+	return this->key_size;
+}
+
+/**
+ * Implementation of agent_private_key.destroy.
+ */
+static identification_t* get_id(private_agent_private_key_t *this,
+								id_type_t type)
+{
+	switch (type)
+	{
+		case ID_PUBKEY_INFO_SHA1:
+			return this->keyid_info;
+		case ID_PUBKEY_SHA1:
+			return this->keyid;
+		default:
+			return NULL;
+	}
+}
+
+/**
+ * Implementation of agent_private_key.get_public_key.
+ */
+static public_key_t* get_public_key(private_agent_private_key_t *this)
+{
+	chunk_t key, n, e, encoded;
+	public_key_t *public;
+	
+	key = this->key;
+	read_string(&key);
+	e = read_string(&key);
+	n = read_string(&key);
+	encoded = asn1_wrap(ASN1_SEQUENCE, "mm", 
+					asn1_wrap(ASN1_INTEGER, "c", n),
+					asn1_wrap(ASN1_INTEGER, "c", e));
+
+	public = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_RSA, 
+								BUILD_BLOB_ASN1_DER, encoded, BUILD_END);
+	free(encoded.ptr);
+	return public;
+}
+
+/**
+ * Implementation of agent_private_key.belongs_to.
+ */
+static bool belongs_to(private_agent_private_key_t *this, public_key_t *public)
+{
+	identification_t *keyid;
+
+	if (public->get_type(public) != KEY_RSA)
+	{
+		return FALSE;
+	}
+	keyid = public->get_id(public, ID_PUBKEY_SHA1);
+	if (keyid && keyid->equals(keyid, this->keyid))
+	{
+		return TRUE;
+	}
+	keyid = public->get_id(public, ID_PUBKEY_INFO_SHA1);
+	if (keyid && keyid->equals(keyid, this->keyid_info))
+	{
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/**
+ * Build the RSA key identifier from n and e using SHA1 hashed publicKey(Info).
+ */
+static bool build_ids(private_agent_private_key_t *this)
+{
+	chunk_t publicKeyInfo, publicKey, hash, key, n, e;
+	hasher_t *hasher;
+	
+	key = this->key;
+	read_string(&key);
+	e = read_string(&key);
+	n = read_string(&key);
+	
+	hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
+	if (hasher == NULL)
+	{
+		DBG1("SHA1 hash algorithm not supported, unable to use RSA");
+		return FALSE;
+	}
+	publicKey = asn1_wrap(ASN1_SEQUENCE, "mm", 
+					asn1_wrap(ASN1_INTEGER, "c", n),
+					asn1_wrap(ASN1_INTEGER, "c", e));
+	hasher->allocate_hash(hasher, publicKey, &hash);
+	this->keyid = identification_create_from_encoding(ID_PUBKEY_SHA1, hash);
+	chunk_free(&hash);
+	
+	publicKeyInfo = asn1_wrap(ASN1_SEQUENCE, "cm",
+						asn1_algorithmIdentifier(OID_RSA_ENCRYPTION),
+						asn1_bitstring("m", publicKey));
+	hasher->allocate_hash(hasher, publicKeyInfo, &hash);
+	this->keyid_info = identification_create_from_encoding(ID_PUBKEY_INFO_SHA1, hash);
+	chunk_free(&hash);
+	
+	hasher->destroy(hasher);
+	chunk_free(&publicKeyInfo);
+	return TRUE;
+}
+
+/**
+ * Implementation of private_key_t.get_encoding.
+ */
+static chunk_t get_encoding(private_agent_private_key_t *this)
+{
+	return chunk_empty;
+}
+
+/**
+ * Implementation of agent_private_key.get_ref.
+ */
+static private_agent_private_key_t* get_ref(private_agent_private_key_t *this)
+{
+	ref_get(&this->ref);
+	return this;
+}
+
+/**
+ * Implementation of agent_private_key.destroy.
+ */
+static void destroy(private_agent_private_key_t *this)
+{
+	if (ref_put(&this->ref))
+	{
+		close(this->socket);
+		DESTROY_IF(this->keyid);
+		DESTROY_IF(this->keyid_info);
+		free(this->key.ptr);
+		free(this);
+	}
+}
+
+/**
+ * Internal constructor
+ */
+static agent_private_key_t *agent_private_key_create(char *path,
+													 public_key_t *pubkey)
+{
+	private_agent_private_key_t *this = malloc_thing(private_agent_private_key_t);
+	
+	this->public.interface.get_type = (key_type_t (*)(private_key_t *this))get_type;
+	this->public.interface.sign = (bool (*)(private_key_t *this, signature_scheme_t scheme, chunk_t data, chunk_t *signature))sign;
+	this->public.interface.decrypt = (bool (*)(private_key_t *this, chunk_t crypto, chunk_t *plain))decrypt;
+	this->public.interface.get_keysize = (size_t (*) (private_key_t *this))get_keysize;
+	this->public.interface.get_id = (identification_t* (*) (private_key_t *this,id_type_t))get_id;
+	this->public.interface.get_public_key = (public_key_t* (*)(private_key_t *this))get_public_key;
+	this->public.interface.belongs_to = (bool (*) (private_key_t *this, public_key_t *public))belongs_to;
+	this->public.interface.get_encoding = (chunk_t(*)(private_key_t*))get_encoding;
+	this->public.interface.get_ref = (private_key_t* (*)(private_key_t *this))get_ref;
+	this->public.interface.destroy = (void (*)(private_key_t *this))destroy;
+	
+	this->socket = open_connection(path);
+	if (this->socket < 0)
+	{
+		free(this);
+		return NULL;
+	}
+	this->key = chunk_empty;
+	this->keyid = NULL;
+	this->keyid_info = NULL;
+	this->ref = 1;
+	if (!read_key(this, pubkey) || !build_ids(this))
+	{
+		destroy(this);
+		return NULL;
+	}
+	return &this->public;
+}
+
+typedef struct private_builder_t private_builder_t;
+/**
+ * Builder implementation for key loading/generation
+ */
+struct private_builder_t {
+	/** implements the builder interface */
+	builder_t public;
+	/** agent unix socket */
+	char *socket;
+	/** matching public key */
+	public_key_t *pubkey;
+};
+
+/**
+ * Implementation of builder_t.build
+ */
+static agent_private_key_t *build(private_builder_t *this)
+{
+	agent_private_key_t *key = NULL;
+	
+	if (this->socket)
+	{
+		key = agent_private_key_create(this->socket, this->pubkey);
+	}
+	free(this);
+	return key;
+}
+
+/**
+ * Implementation of builder_t.add
+ */
+static void add(private_builder_t *this, builder_part_t part, ...)
+{
+	va_list args;
+	
+	switch (part)
+	{
+		case BUILD_AGENT_SOCKET:
+		{
+			va_start(args, part);
+			this->socket = va_arg(args, char*);
+			va_end(args);
+			return;
+		}
+		case BUILD_PUBLIC_KEY:
+		{
+			va_start(args, part);
+			this->pubkey = va_arg(args, public_key_t*);
+			va_end(args);
+			return;
+		}
+		default:
+			break;
+	}
+	builder_cancel(&this->public);
+}
+
+/**
+ * Builder construction function
+ */
+builder_t *agent_private_key_builder(key_type_t type)
+{
+	private_builder_t *this;
+	
+	if (type != KEY_RSA)
+	{
+		return NULL;
+	}
+	
+	this = malloc_thing(private_builder_t);
+	
+	this->pubkey = NULL;
+	this->socket = NULL;
+	this->public.add = (void(*)(builder_t *this, builder_part_t part, ...))add;
+	this->public.build = (void*(*)(builder_t *this))build;
+	
+	return &this->public;
+}
+
diff --git a/src/libstrongswan/plugins/agent/agent_private_key.h b/src/libstrongswan/plugins/agent/agent_private_key.h
new file mode 100644
index 000000000..4d678dd08
--- /dev/null
+++ b/src/libstrongswan/plugins/agent/agent_private_key.h
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup agent_private_key agent_private_key
+ * @{ @ingroup agent_p
+ */
+
+#ifndef AGENT_PRIVATE_KEY_H_
+#define AGENT_PRIVATE_KEY_H_
+
+#include <credentials/keys/private_key.h>
+
+typedef struct agent_private_key_t agent_private_key_t;
+
+/**
+ * private_key_t implementation using an ssh-agent.
+ */
+struct agent_private_key_t {
+
+	/**
+	 * Implements private_key_t interface
+	 */
+	private_key_t interface;
+};
+
+/**
+ * Create the builder for a private key.
+ *
+ * @param type		type of the key
+ * @return 			builder instance
+ */
+builder_t *agent_private_key_builder(key_type_t type);
+
+#endif /*AGENT_PRIVATE_KEY_H_ @}*/
+
diff --git a/src/libstrongswan/plugins/curl/Makefile.in b/src/libstrongswan/plugins/curl/Makefile.in
index d3f7b443d..cb44a4ffe 100644
--- a/src/libstrongswan/plugins/curl/Makefile.in
+++ b/src/libstrongswan/plugins/curl/Makefile.in
@@ -187,6 +187,8 @@ localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
diff --git a/src/libstrongswan/plugins/des/Makefile.in b/src/libstrongswan/plugins/des/Makefile.in
index 5072a2cab..8824bd238 100644
--- a/src/libstrongswan/plugins/des/Makefile.in
+++ b/src/libstrongswan/plugins/des/Makefile.in
@@ -187,6 +187,8 @@ localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
diff --git a/src/libstrongswan/plugins/des/des_plugin.c b/src/libstrongswan/plugins/des/des_plugin.c
index c32096ad0..538138d8a 100644
--- a/src/libstrongswan/plugins/des/des_plugin.c
+++ b/src/libstrongswan/plugins/des/des_plugin.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: des_plugin.c 3488 2008-02-21 15:10:02Z martin $
+ * $Id: des_plugin.c 4309 2008-08-28 11:07:57Z martin $
  */
 
 #include "des_plugin.h"
@@ -52,10 +52,10 @@ plugin_t *plugin_create()
 	
 	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
 	
-	lib->crypto->add_crypter(lib->crypto, ENCR_DES,
-							 (crypter_constructor_t)des_crypter_create);
 	lib->crypto->add_crypter(lib->crypto, ENCR_3DES,
 							 (crypter_constructor_t)des_crypter_create);
+	lib->crypto->add_crypter(lib->crypto, ENCR_DES,
+							 (crypter_constructor_t)des_crypter_create);
 	
 	return &this->public.plugin;
 }
diff --git a/src/libstrongswan/plugins/fips_prf/Makefile.in b/src/libstrongswan/plugins/fips_prf/Makefile.in
index fa51b0db5..48a6c9b28 100644
--- a/src/libstrongswan/plugins/fips_prf/Makefile.in
+++ b/src/libstrongswan/plugins/fips_prf/Makefile.in
@@ -189,6 +189,8 @@ localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
diff --git a/src/libstrongswan/plugins/gmp/Makefile.in b/src/libstrongswan/plugins/gmp/Makefile.in
index 1d9bfb88e..56642b7c9 100644
--- a/src/libstrongswan/plugins/gmp/Makefile.in
+++ b/src/libstrongswan/plugins/gmp/Makefile.in
@@ -188,6 +188,8 @@ localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
diff --git a/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c b/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c
index 3d9856b63..40e83fc4c 100644
--- a/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c
+++ b/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c
@@ -15,7 +15,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: gmp_diffie_hellman.c 3806 2008-04-15 05:56:35Z martin $
+ * $Id: gmp_diffie_hellman.c 4346 2008-09-17 09:02:30Z martin $
  */
 
 #include <gmp.h>
@@ -343,7 +343,7 @@ struct private_gmp_diffie_hellman_t {
 	 * Generator value.
 	 */	
 	mpz_t g;
-
+	
 	/**
 	 * My private value.
 	 */
@@ -353,7 +353,7 @@ struct private_gmp_diffie_hellman_t {
 	 * My public value.
 	 */
 	mpz_t ya;
-
+	
 	/**
 	 * Other public value.
 	 */	
@@ -373,7 +373,7 @@ struct private_gmp_diffie_hellman_t {
 	 * Modulus length.
 	 */
 	size_t p_len;
-
+	
 	/**
 	 * True if shared secret is computed and stored in my_public_value.
 	 */
@@ -395,7 +395,7 @@ static void set_other_public_value(private_gmp_diffie_hellman_t *this, chunk_t v
 	/* check public value: 
 	 * 1. 0 or 1 is invalid as 0^a = 0 and 1^a = 1
 	 * 2. a public value larger or equal the modulus is invalid */
-	if (mpz_cmp_ui(this->yb, 1) > 0 ||
+	if (mpz_cmp_ui(this->yb, 1) > 0 &&
 		mpz_cmp(this->yb, p_min_1) < 0)
 	{
 #ifdef EXTENDED_DH_TEST
@@ -440,7 +440,11 @@ static status_t get_other_public_value(private_gmp_diffie_hellman_t *this,
 		return FAILED;
 	}
 	value->len = this->p_len;
-    value->ptr = mpz_export(NULL, NULL, 1, value->len, 1, 0, this->yb);
+	value->ptr = mpz_export(NULL, NULL, 1, value->len, 1, 0, this->yb);
+	if (value->ptr == NULL)
+	{
+		return FAILED;
+	}
 	return SUCCESS;
 }
 
@@ -451,6 +455,10 @@ static void get_my_public_value(private_gmp_diffie_hellman_t *this,chunk_t *valu
 {
 	value->len = this->p_len;
     value->ptr = mpz_export(NULL, NULL, 1, value->len, 1, 0, this->ya);
+    if (value->ptr == NULL)
+    {
+    	value->len = 0;
+    }
 }
 
 /**
@@ -463,7 +471,11 @@ static status_t get_shared_secret(private_gmp_diffie_hellman_t *this, chunk_t *s
 		return FAILED;
 	}
 	secret->len = this->p_len;
-    secret->ptr = mpz_export(NULL, NULL, 1, secret->len, 1, 0, this->zz);
+	secret->ptr = mpz_export(NULL, NULL, 1, secret->len, 1, 0, this->zz);
+	if (secret->ptr == NULL)
+	{
+		return FAILED;
+	}
 	return SUCCESS;
 }
 
diff --git a/src/libstrongswan/plugins/gmp/gmp_plugin.c b/src/libstrongswan/plugins/gmp/gmp_plugin.c
index 56fb0ddd8..7711b6d34 100644
--- a/src/libstrongswan/plugins/gmp/gmp_plugin.c
+++ b/src/libstrongswan/plugins/gmp/gmp_plugin.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: gmp_plugin.c 3962 2008-05-15 12:39:35Z tobias $
+ * $Id: gmp_plugin.c 4309 2008-08-28 11:07:57Z martin $
  */
 
 #include "gmp_plugin.h"
@@ -58,14 +58,10 @@ plugin_t *plugin_create()
 	
 	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
 	
-	lib->crypto->add_dh(lib->crypto, MODP_768_BIT, 
-						(dh_constructor_t)gmp_diffie_hellman_create);
-	lib->crypto->add_dh(lib->crypto, MODP_1024_BIT,
+	lib->crypto->add_dh(lib->crypto, MODP_2048_BIT, 
 						(dh_constructor_t)gmp_diffie_hellman_create);
 	lib->crypto->add_dh(lib->crypto, MODP_1536_BIT, 
 						(dh_constructor_t)gmp_diffie_hellman_create);
-	lib->crypto->add_dh(lib->crypto, MODP_2048_BIT, 
-						(dh_constructor_t)gmp_diffie_hellman_create);
 	lib->crypto->add_dh(lib->crypto, MODP_3072_BIT, 
 						(dh_constructor_t)gmp_diffie_hellman_create);
 	lib->crypto->add_dh(lib->crypto, MODP_4096_BIT, 
@@ -74,6 +70,10 @@ plugin_t *plugin_create()
 						(dh_constructor_t)gmp_diffie_hellman_create);
 	lib->crypto->add_dh(lib->crypto, MODP_8192_BIT, 
 						(dh_constructor_t)gmp_diffie_hellman_create);
+	lib->crypto->add_dh(lib->crypto, MODP_1024_BIT,
+						(dh_constructor_t)gmp_diffie_hellman_create);
+	lib->crypto->add_dh(lib->crypto, MODP_768_BIT, 
+						(dh_constructor_t)gmp_diffie_hellman_create);
 	
 	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
 						(builder_constructor_t)gmp_rsa_private_key_builder);
diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c
index cd951f0e4..e445dd670 100644
--- a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c
+++ b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: gmp_rsa_private_key.c 4014 2008-05-23 19:23:04Z andreas $
+ * $Id: gmp_rsa_private_key.c 4345 2008-09-17 08:10:48Z martin $
  */
 
 #include <gmp.h>
@@ -191,6 +191,10 @@ static chunk_t rsadp(private_gmp_rsa_private_key_t *this, chunk_t data)
 	
 	decrypted.len = this->k;
 	decrypted.ptr = mpz_export(NULL, NULL, 1, decrypted.len, 1, 0, t1);
+	if (decrypted.ptr == NULL)
+	{
+		decrypted.len = 0;
+	}
 	
 	mpz_clear_randomized(t1);
 	mpz_clear_randomized(t2);
@@ -789,34 +793,37 @@ static gmp_rsa_private_key_t *build(private_builder_t *this)
  */
 static void add(private_builder_t *this, builder_part_t part, ...)
 {
-	va_list args;
-	
-	if (this->key)
+	if (!this->key)
 	{
-		DBG1("ignoring surplus build part %N", builder_part_names, part);
-		return;
-	}
+		va_list args;
+		chunk_t chunk;
 	
-	switch (part)
-	{
-		case BUILD_BLOB_ASN1_DER:
+		switch (part)
 		{
-			va_start(args, part);
-			this->key = load(va_arg(args, chunk_t));
-			va_end(args);
-			break;
-		}		
-		case BUILD_KEY_SIZE:
-		{
-			va_start(args, part);
-			this->key = generate(va_arg(args, u_int));
-			va_end(args);
-			break;
+			case BUILD_BLOB_ASN1_DER:
+			{
+				va_start(args, part);
+				chunk = va_arg(args, chunk_t);
+				this->key = load(chunk_clone(chunk));
+				va_end(args);
+				return;
+			}		
+			case BUILD_KEY_SIZE:
+			{
+				va_start(args, part);
+				this->key = generate(va_arg(args, u_int));
+				va_end(args);
+				return;
+			}
+			default:
+				break;
 		}
-		default:
-			DBG1("ignoring unsupported build part %N", builder_part_names, part);
-			break;
 	}
+	if (this->key)
+	{
+		destroy((private_gmp_rsa_private_key_t*)this->key);
+	}
+	builder_cancel(&this->public);
 }
 
 /**
diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
index e4f898ecc..8a89849cd 100644
--- a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
+++ b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: gmp_rsa_public_key.c 3988 2008-05-21 13:01:58Z martin $
+ * $Id: gmp_rsa_public_key.c 4345 2008-09-17 08:10:48Z martin $
  */
  
 #include <gmp.h>
@@ -93,11 +93,15 @@ static chunk_t rsaep(private_gmp_rsa_public_key_t *this, chunk_t data)
 	
 	mpz_powm(c, m, this->e, this->n);
 
-    encrypted.len = this->k;
-    encrypted.ptr = mpz_export(NULL, NULL, 1, encrypted.len, 1, 0, c);
+	encrypted.len = this->k;
+	encrypted.ptr = mpz_export(NULL, NULL, 1, encrypted.len, 1, 0, c);
+	if (encrypted.ptr == NULL)
+	{
+		encrypted.len = 0;
+	}
 	
 	mpz_clear(c);
-	mpz_clear(m);	
+	mpz_clear(m);
 	
 	return encrypted;
 }
@@ -541,27 +545,30 @@ static gmp_rsa_public_key_t *build(private_builder_t *this)
  */
 static void add(private_builder_t *this, builder_part_t part, ...)
 {
-	va_list args;
-	
-	if (this->key)
+	if (!this->key)
 	{
-		DBG1("ignoring surplus build part %N", builder_part_names, part);
-		return;
-	}
+		va_list args;
+		chunk_t chunk;
 	
-	switch (part)
-	{
-		case BUILD_BLOB_ASN1_DER:
+		switch (part)
 		{
-			va_start(args, part);
-			this->key = load(va_arg(args, chunk_t));
-			va_end(args);
-			break;
+			case BUILD_BLOB_ASN1_DER:
+			{
+				va_start(args, part);
+				chunk = va_arg(args, chunk_t);
+				this->key = load(chunk_clone(chunk));
+				va_end(args);
+				return;
+			}
+			default:
+				break;
 		}
-		default:
-			DBG1("ignoring unsupported build part %N", builder_part_names, part);
-			break;
 	}
+	if (this->key)
+	{
+		destroy((private_gmp_rsa_public_key_t*)this->key);
+	}
+	builder_cancel(&this->public);
 }
 
 /**
diff --git a/src/libstrongswan/plugins/hmac/Makefile.in b/src/libstrongswan/plugins/hmac/Makefile.in
index b6e851cd4..ded48fbf2 100644
--- a/src/libstrongswan/plugins/hmac/Makefile.in
+++ b/src/libstrongswan/plugins/hmac/Makefile.in
@@ -188,6 +188,8 @@ localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
diff --git a/src/libstrongswan/plugins/hmac/hmac_plugin.c b/src/libstrongswan/plugins/hmac/hmac_plugin.c
index bfa2df35f..a0afc2a85 100644
--- a/src/libstrongswan/plugins/hmac/hmac_plugin.c
+++ b/src/libstrongswan/plugins/hmac/hmac_plugin.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: hmac_plugin.c 3488 2008-02-21 15:10:02Z martin $
+ * $Id: hmac_plugin.c 4309 2008-08-28 11:07:57Z martin $
  */
 
 #include "hmac_plugin.h"
@@ -55,25 +55,25 @@ plugin_t *plugin_create()
 	
 	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
 	
-	lib->crypto->add_prf(lib->crypto, PRF_HMAC_MD5, 
+	lib->crypto->add_prf(lib->crypto, PRF_HMAC_SHA2_256, 
 						 (prf_constructor_t)hmac_prf_create);
 	lib->crypto->add_prf(lib->crypto, PRF_HMAC_SHA1, 
 						 (prf_constructor_t)hmac_prf_create);
-	lib->crypto->add_prf(lib->crypto, PRF_HMAC_SHA2_256, 
+	lib->crypto->add_prf(lib->crypto, PRF_HMAC_MD5, 
 						 (prf_constructor_t)hmac_prf_create);
 	lib->crypto->add_prf(lib->crypto, PRF_HMAC_SHA2_384, 
 						 (prf_constructor_t)hmac_prf_create);
 	lib->crypto->add_prf(lib->crypto, PRF_HMAC_SHA2_512, 
 						 (prf_constructor_t)hmac_prf_create);
 	
-	lib->crypto->add_signer(lib->crypto, AUTH_HMAC_MD5_96, 
-							(signer_constructor_t)hmac_signer_create);
 	lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA1_96, 
 							(signer_constructor_t)hmac_signer_create);
 	lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA1_128, 
 							(signer_constructor_t)hmac_signer_create);
 	lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_256_128, 
 							(signer_constructor_t)hmac_signer_create);
+	lib->crypto->add_signer(lib->crypto, AUTH_HMAC_MD5_96, 
+							(signer_constructor_t)hmac_signer_create);
 	lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_384_192, 
 							(signer_constructor_t)hmac_signer_create);
 	lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_512_256, 
diff --git a/src/libstrongswan/plugins/ldap/Makefile.in b/src/libstrongswan/plugins/ldap/Makefile.in
index 8c28f1307..e828fbd44 100644
--- a/src/libstrongswan/plugins/ldap/Makefile.in
+++ b/src/libstrongswan/plugins/ldap/Makefile.in
@@ -187,6 +187,8 @@ localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
diff --git a/src/libstrongswan/plugins/md5/Makefile.in b/src/libstrongswan/plugins/md5/Makefile.in
index 6a4b2a78b..43b921e63 100644
--- a/src/libstrongswan/plugins/md5/Makefile.in
+++ b/src/libstrongswan/plugins/md5/Makefile.in
@@ -187,6 +187,8 @@ localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
diff --git a/src/libstrongswan/plugins/mysql/Makefile.in b/src/libstrongswan/plugins/mysql/Makefile.in
index 6de9dc13d..96dc33fe5 100644
--- a/src/libstrongswan/plugins/mysql/Makefile.in
+++ b/src/libstrongswan/plugins/mysql/Makefile.in
@@ -187,6 +187,8 @@ localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
diff --git a/src/libstrongswan/plugins/mysql/mysql_database.c b/src/libstrongswan/plugins/mysql/mysql_database.c
index 58202c5ae..01f604fef 100644
--- a/src/libstrongswan/plugins/mysql/mysql_database.c
+++ b/src/libstrongswan/plugins/mysql/mysql_database.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: mysql_database.c 4111 2008-06-26 07:31:52Z martin $
+ * $Id: mysql_database.c 4193 2008-07-21 11:13:06Z martin $
  */
 
 #define _GNU_SOURCE
@@ -592,6 +592,14 @@ static int execute(private_mysql_database_t *this, int *rowid, char *sql, ...)
 	conn_release(conn);
 	return affected;
 }
+	
+/**
+ * Implementation of database_t.get_driver
+ */
+static db_driver_t get_driver(private_mysql_database_t *this)
+{
+	return DB_MYSQL;
+}
 
 /**
  * Implementation of database_t.destroy
@@ -672,6 +680,7 @@ mysql_database_t *mysql_database_create(char *uri)
 	
 	this->public.db.query = (enumerator_t* (*)(database_t *this, char *sql, ...))query;
 	this->public.db.execute = (int (*)(database_t *this, int *rowid, char *sql, ...))execute;
+	this->public.db.get_driver = (db_driver_t(*)(database_t*))get_driver;
 	this->public.db.destroy = (void(*)(database_t*))destroy;
 	
 	if (!parse_uri(this, uri))
diff --git a/src/libstrongswan/plugins/openssl/Makefile.in b/src/libstrongswan/plugins/openssl/Makefile.in
index f83b0ce38..746b5cf4b 100644
--- a/src/libstrongswan/plugins/openssl/Makefile.in
+++ b/src/libstrongswan/plugins/openssl/Makefile.in
@@ -192,6 +192,8 @@ localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c b/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c
index 9f7df4bca..aeab15f26 100644
--- a/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: openssl_ec_private_key.c 4051 2008-06-10 09:08:27Z tobias $
+ * $Id: openssl_ec_private_key.c 4317 2008-09-02 11:00:13Z martin $
  */
 
 #include "openssl_ec_private_key.h"
@@ -399,27 +399,30 @@ static openssl_ec_private_key_t *build(private_builder_t *this)
  */
 static void add(private_builder_t *this, builder_part_t part, ...)
 {
-	va_list args;
-	
-	if (this->key)
-	{
-		DBG1("ignoring surplus build part %N", builder_part_names, part);
-		return;
-	}
-	
-	switch (part)
+	if (!this->key)
 	{
-		case BUILD_BLOB_ASN1_DER:
+		va_list args;
+		chunk_t chunk;
+		
+		switch (part)
 		{
-			va_start(args, part);
-			this->key = load(va_arg(args, chunk_t));
-			va_end(args);
-			break;
+			case BUILD_BLOB_ASN1_DER:
+			{
+				va_start(args, part);
+				chunk = va_arg(args, chunk_t);
+				this->key = load(chunk_clone(chunk));
+				va_end(args);
+				return;
+			}
+			default:
+				break;
 		}
-		default:
-			DBG1("ignoring unsupported build part %N", builder_part_names, part);
-			break;
 	}
+	if (this->key)
+	{
+		destroy((private_openssl_ec_private_key_t*)this->key);
+	}
+	builder_cancel(&this->public);
 }
 
 /**
diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c b/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c
index 2056575ba..923df3938 100644
--- a/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: openssl_ec_public_key.c 4051 2008-06-10 09:08:27Z tobias $
+ * $Id: openssl_ec_public_key.c 4317 2008-09-02 11:00:13Z martin $
  */
 
 #include "openssl_ec_public_key.h"
@@ -401,27 +401,30 @@ static openssl_ec_public_key_t *build(private_builder_t *this)
  */
 static void add(private_builder_t *this, builder_part_t part, ...)
 {
-	va_list args;
-	
-	if (this->key)
+	if (!this->key)
 	{
-		DBG1("ignoring surplus build part %N", builder_part_names, part);
-		return;
-	}
+		va_list args;
+		chunk_t chunk;
 	
-	switch (part)
-	{
-		case BUILD_BLOB_ASN1_DER:
+		switch (part)
 		{
-			va_start(args, part);
-			this->key = load(va_arg(args, chunk_t));
-			va_end(args);
-			break;
+			case BUILD_BLOB_ASN1_DER:
+			{
+				va_start(args, part);
+				chunk = va_arg(args, chunk_t);
+				this->key = load(chunk_clone(chunk));
+				va_end(args);
+				return;
+			}
+			default:
+				break;
 		}
-		default:
-			DBG1("ignoring unsupported build part %N", builder_part_names, part);
-			break;
 	}
+	if (this->key)
+	{
+		destroy((private_openssl_ec_public_key_t*)this->key);
+	}
+	builder_cancel(&this->public);
 }
 
 /**
diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c
index 7fdd7c224..82c54a95e 100644
--- a/src/libstrongswan/plugins/openssl/openssl_plugin.c
+++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: openssl_plugin.c 4107 2008-06-25 12:39:32Z tobias $
+ * $Id: openssl_plugin.c 4309 2008-08-28 11:07:57Z martin $
  */
 
 #include <openssl/evp.h>
@@ -87,7 +87,7 @@ plugin_t *plugin_create()
 	ENGINE_register_all_complete();
 	
 	/* crypter */
-	lib->crypto->add_crypter(lib->crypto, ENCR_DES,
+	lib->crypto->add_crypter(lib->crypto, ENCR_AES_CBC,
 					(crypter_constructor_t)openssl_crypter_create);
 	lib->crypto->add_crypter(lib->crypto, ENCR_3DES,
 					(crypter_constructor_t)openssl_crypter_create);
@@ -99,9 +99,9 @@ plugin_t *plugin_create()
 					(crypter_constructor_t)openssl_crypter_create);
 	lib->crypto->add_crypter(lib->crypto, ENCR_BLOWFISH,
 					(crypter_constructor_t)openssl_crypter_create);
-	lib->crypto->add_crypter(lib->crypto, ENCR_NULL,
+	lib->crypto->add_crypter(lib->crypto, ENCR_DES,
 					(crypter_constructor_t)openssl_crypter_create);
-	lib->crypto->add_crypter(lib->crypto, ENCR_AES_CBC,
+	lib->crypto->add_crypter(lib->crypto, ENCR_NULL,
 					(crypter_constructor_t)openssl_crypter_create);
 	
 	/* hasher */
@@ -118,15 +118,23 @@ plugin_t *plugin_create()
 	lib->crypto->add_hasher(lib->crypto, HASH_SHA512,
 					(hasher_constructor_t)openssl_hasher_create);
 	
+	/* ec diffie hellman */
+	lib->crypto->add_dh(lib->crypto, ECP_192_BIT,
+						(dh_constructor_t)openssl_ec_diffie_hellman_create);
+	lib->crypto->add_dh(lib->crypto, ECP_224_BIT,
+						(dh_constructor_t)openssl_ec_diffie_hellman_create);
+	lib->crypto->add_dh(lib->crypto, ECP_256_BIT,
+						(dh_constructor_t)openssl_ec_diffie_hellman_create);
+	lib->crypto->add_dh(lib->crypto, ECP_384_BIT,
+						(dh_constructor_t)openssl_ec_diffie_hellman_create);
+	lib->crypto->add_dh(lib->crypto, ECP_521_BIT,
+						(dh_constructor_t)openssl_ec_diffie_hellman_create);
+	
 	/* diffie hellman */
-	lib->crypto->add_dh(lib->crypto, MODP_768_BIT, 
-						(dh_constructor_t)openssl_diffie_hellman_create);
-	lib->crypto->add_dh(lib->crypto, MODP_1024_BIT,
+	lib->crypto->add_dh(lib->crypto, MODP_2048_BIT, 
 						(dh_constructor_t)openssl_diffie_hellman_create);
 	lib->crypto->add_dh(lib->crypto, MODP_1536_BIT, 
 						(dh_constructor_t)openssl_diffie_hellman_create);
-	lib->crypto->add_dh(lib->crypto, MODP_2048_BIT, 
-						(dh_constructor_t)openssl_diffie_hellman_create);
 	lib->crypto->add_dh(lib->crypto, MODP_3072_BIT, 
 						(dh_constructor_t)openssl_diffie_hellman_create);
 	lib->crypto->add_dh(lib->crypto, MODP_4096_BIT, 
@@ -135,18 +143,10 @@ plugin_t *plugin_create()
 						(dh_constructor_t)openssl_diffie_hellman_create);
 	lib->crypto->add_dh(lib->crypto, MODP_8192_BIT, 
 						(dh_constructor_t)openssl_diffie_hellman_create);
-	
-	/* ec diffie hellman */
-	lib->crypto->add_dh(lib->crypto, ECP_192_BIT,
-						(dh_constructor_t)openssl_ec_diffie_hellman_create);
-	lib->crypto->add_dh(lib->crypto, ECP_224_BIT,
-						(dh_constructor_t)openssl_ec_diffie_hellman_create);
-	lib->crypto->add_dh(lib->crypto, ECP_256_BIT,
-						(dh_constructor_t)openssl_ec_diffie_hellman_create);
-	lib->crypto->add_dh(lib->crypto, ECP_384_BIT,
-						(dh_constructor_t)openssl_ec_diffie_hellman_create);
-	lib->crypto->add_dh(lib->crypto, ECP_521_BIT,
-						(dh_constructor_t)openssl_ec_diffie_hellman_create);
+	lib->crypto->add_dh(lib->crypto, MODP_1024_BIT,
+						(dh_constructor_t)openssl_diffie_hellman_create);
+	lib->crypto->add_dh(lib->crypto, MODP_768_BIT, 
+						(dh_constructor_t)openssl_diffie_hellman_create);
 	
 	/* rsa */
 	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
index 7595eed3a..8ad75215a 100644
--- a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: openssl_rsa_private_key.c 3963 2008-05-15 12:41:06Z tobias $
+ * $Id: openssl_rsa_private_key.c 4317 2008-09-02 11:00:13Z martin $
  */
 
 #include "openssl_rsa_private_key.h"
@@ -369,34 +369,37 @@ static openssl_rsa_private_key_t *build(private_builder_t *this)
  */
 static void add(private_builder_t *this, builder_part_t part, ...)
 {
-	va_list args;
-	
-	if (this->key)
+	if (!this->key)
 	{
-		DBG1("ignoring surplus build part %N", builder_part_names, part);
-		return;
-	}
+		va_list args;
+		chunk_t chunk;
 	
-	switch (part)
-	{
-		case BUILD_BLOB_ASN1_DER:
-		{
-			va_start(args, part);
-			this->key = load(va_arg(args, chunk_t));
-			va_end(args);
-			break;
-		}		
-		case BUILD_KEY_SIZE:
+		switch (part)
 		{
-			va_start(args, part);
-			this->key = generate(va_arg(args, u_int));
-			va_end(args);
-			break;
+			case BUILD_BLOB_ASN1_DER:
+			{
+				va_start(args, part);
+				chunk = va_arg(args, chunk_t);
+				this->key = load(chunk_clone(chunk));
+				va_end(args);
+				return;
+			}		
+			case BUILD_KEY_SIZE:
+			{
+				va_start(args, part);
+				this->key = generate(va_arg(args, u_int));
+				va_end(args);
+				return;
+			}
+			default:
+				break;
 		}
-		default:
-			DBG1("ignoring unsupported build part %N", builder_part_names, part);
-			break;
 	}
+	if (this->key)
+	{
+		destroy((private_openssl_rsa_private_key_t*)this->key);
+	}
+	builder_cancel(&this->public);
 }
 
 /**
diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
index 755b86e96..61b5b9b64 100644
--- a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: openssl_rsa_public_key.c 3963 2008-05-15 12:41:06Z tobias $
+ * $Id: openssl_rsa_public_key.c 4317 2008-09-02 11:00:13Z martin $
  */
 
 #include "openssl_rsa_public_key.h"
@@ -387,27 +387,30 @@ static openssl_rsa_public_key_t *build(private_builder_t *this)
  */
 static void add(private_builder_t *this, builder_part_t part, ...)
 {
-	va_list args;
-	
-	if (this->key)
+	if (!this->key)
 	{
-		DBG1("ignoring surplus build part %N", builder_part_names, part);
-		return;
-	}
+		va_list args;
+		chunk_t chunk;
 	
-	switch (part)
-	{
-		case BUILD_BLOB_ASN1_DER:
+		switch (part)
 		{
-			va_start(args, part);
-			this->key = load(va_arg(args, chunk_t));
-			va_end(args);
-			break;
+			case BUILD_BLOB_ASN1_DER:
+			{
+				va_start(args, part);
+				chunk = va_arg(args, chunk_t);
+				this->key = load(chunk_clone(chunk));
+				va_end(args);
+				return;
+			}
+			default:
+				break;
 		}
-		default:
-			DBG1("ignoring unsupported build part %N", builder_part_names, part);
-			break;
 	}
+	if (this->key)
+	{
+		destroy((private_openssl_rsa_public_key_t*)this->key);
+	}
+	builder_cancel(&this->public);
 }
 
 /**
diff --git a/src/libstrongswan/plugins/padlock/Makefile.in b/src/libstrongswan/plugins/padlock/Makefile.in
index d96b2cf6d..1b032e3d4 100644
--- a/src/libstrongswan/plugins/padlock/Makefile.in
+++ b/src/libstrongswan/plugins/padlock/Makefile.in
@@ -189,6 +189,8 @@ localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
diff --git a/src/libstrongswan/plugins/plugin_loader.c b/src/libstrongswan/plugins/plugin_loader.c
index 4c5095e4a..6480a2760 100644
--- a/src/libstrongswan/plugins/plugin_loader.c
+++ b/src/libstrongswan/plugins/plugin_loader.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: plugin_loader.c 4108 2008-06-25 14:53:49Z martin $
+ * $Id: plugin_loader.c 4144 2008-07-02 08:19:43Z martin $
  */
 
 #define _GNU_SOURCE
@@ -96,43 +96,22 @@ static plugin_t* load_plugin(private_plugin_loader_t *this,
 static int load(private_plugin_loader_t *this, char *path, char *list)
 {
 	plugin_t *plugin;
-	char *pos;
+	enumerator_t *enumerator;
+	char *token;
 	int count = 0;
 	
-	list = strdupa(list);
-	while (TRUE)
+	enumerator = enumerator_create_token(list, " ", " ");
+	while (enumerator->enumerate(enumerator, &token))
 	{
-		/* eat any whitespace in front */
-		while (*list == ' ')
-		{
-			list++;
-		}
-		/* have we reached the end of the list? */
-		if (!*list)
-		{
-			break;
-		}
-		pos = strchr(list, ' ');
-		if (pos)
-		{
-			*pos++ = '\0';
-		}
-		plugin = load_plugin(this, path, list);
+		plugin = load_plugin(this, path, token);
 		if (plugin)
 		{	/* insert in front to destroy them in reverse order */
 			this->plugins->insert_last(this->plugins, plugin);
-			this->names->insert_last(this->names, strdup(list));
+			this->names->insert_last(this->names, strdup(token));
 			count++;
 		}
-		if (pos)
-		{
-			list = pos;
-		}
-		else
-		{
-			break;
-		}
 	}
+	enumerator->destroy(enumerator);
 	return count;
 }
 
diff --git a/src/libstrongswan/plugins/pubkey/Makefile.in b/src/libstrongswan/plugins/pubkey/Makefile.in
index ced339d15..ef1004672 100644
--- a/src/libstrongswan/plugins/pubkey/Makefile.in
+++ b/src/libstrongswan/plugins/pubkey/Makefile.in
@@ -189,6 +189,8 @@ localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
diff --git a/src/libstrongswan/plugins/pubkey/pubkey_cert.c b/src/libstrongswan/plugins/pubkey/pubkey_cert.c
index 63dffb47b..762557094 100644
--- a/src/libstrongswan/plugins/pubkey/pubkey_cert.c
+++ b/src/libstrongswan/plugins/pubkey/pubkey_cert.c
@@ -19,6 +19,11 @@
 
 #include <debug.h>
 
+/**
+ * defined in pubkey_public_key.c
+ */
+extern public_key_t *pubkey_public_key_load(chunk_t blob);
+
 typedef struct private_pubkey_cert_t private_pubkey_cert_t;
 
 /**
@@ -60,7 +65,7 @@ static certificate_type_t get_type(private_pubkey_cert_t *this)
  */
 static identification_t* get_subject(private_pubkey_cert_t *this)
 {
-	return this->key->get_id(this->key, ID_PUBKEY_SHA1);
+	return this->key->get_id(this->key, ID_PUBKEY_INFO_SHA1);
 }
 
 /**
@@ -109,7 +114,7 @@ static bool equals(private_pubkey_cert_t *this, certificate_t *other)
 	{
 		return FALSE;
 	}
-	return other->has_subject(other, this->key->get_id(this->key, ID_PUBKEY_SHA1));
+	return other->has_subject(other, this->key->get_id(this->key, ID_PUBKEY_INFO_SHA1));
 }
 
 /**
@@ -211,6 +216,13 @@ static pubkey_cert_t *pubkey_cert_create(public_key_t *key)
 	return &this->public;
 }
 
+static pubkey_cert_t *pubkey_cert_create_from_chunk(chunk_t blob)
+{
+	public_key_t *key = pubkey_public_key_load(chunk_clone(blob));
+
+	return (key)? pubkey_cert_create(key) : NULL;
+}
+
 typedef struct private_builder_t private_builder_t;
 /**
  * Builder implementation for key loading
@@ -238,27 +250,35 @@ static pubkey_cert_t *build(private_builder_t *this)
  */
 static void add(private_builder_t *this, builder_part_t part, ...)
 {
-	va_list args;
-	
-	if (this->key)
+	if (!this->key)
 	{
-		DBG1("ignoring surplus build part %N", builder_part_names, part);
-		return;
-	}
+		va_list args;
 	
-	switch (part)
-	{
-		case BUILD_PUBLIC_KEY:
+		switch (part)
 		{
-			va_start(args, part);
-			this->key = pubkey_cert_create(va_arg(args, public_key_t*));
-			va_end(args);
-			break;
+			case BUILD_BLOB_ASN1_DER:
+			{
+				va_start(args, part);
+				this->key = pubkey_cert_create_from_chunk(va_arg(args, chunk_t));
+				va_end(args);
+				return;
+			}
+			case BUILD_PUBLIC_KEY:
+			{
+				va_start(args, part);
+				this->key = pubkey_cert_create(va_arg(args, public_key_t*));
+				va_end(args);
+				return;
+			}
+			default:
+				break;
 		}
-		default:
-			DBG1("ignoring unsupported build part %N", builder_part_names, part);
-			break;
 	}
+	if (this->key)
+	{
+		destroy((private_pubkey_cert_t*)this->key);
+	}
+	builder_cancel(&this->public);
 }
 
 /**
diff --git a/src/libstrongswan/plugins/pubkey/pubkey_public_key.c b/src/libstrongswan/plugins/pubkey/pubkey_public_key.c
index 0527ed758..4b5f4aac2 100644
--- a/src/libstrongswan/plugins/pubkey/pubkey_public_key.c
+++ b/src/libstrongswan/plugins/pubkey/pubkey_public_key.c
@@ -14,7 +14,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: pubkey_public_key.c 4059 2008-06-11 14:10:02Z martin $
+ * $Id: pubkey_public_key.c 4379 2008-10-08 01:19:26Z andreas $
  */
 
 #include "pubkey_public_key.h"
@@ -39,9 +39,10 @@ static const asn1Object_t pkinfoObjects[] = {
 
 
 /**
- * Load a public key from an ASN1 encoded blob
+ * Load a public key from an ASN.1 encoded blob
+ * Also used by pubkey_cert.c
  */
-static public_key_t *load(chunk_t blob)
+public_key_t *pubkey_public_key_load(chunk_t blob)
 {
 	asn1_parser_t *parser;
 	chunk_t object;
@@ -67,9 +68,8 @@ static public_key_t *load(chunk_t blob)
 				else if (oid == OID_EC_PUBLICKEY)
 				{
 					/* we need the whole subjectPublicKeyInfo for EC public keys */
-					key = lib->creds->create(lib->creds,
-								CRED_PUBLIC_KEY, KEY_ECDSA, BUILD_BLOB_ASN1_DER,
-								chunk_clone(blob), BUILD_END);
+					key = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, 
+								KEY_ECDSA, BUILD_BLOB_ASN1_DER, blob, BUILD_END);
 					goto end;
 				}
 				else
@@ -86,8 +86,7 @@ static public_key_t *load(chunk_t blob)
 					object = chunk_skip(object, 1);
 				}
 				key = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, type,
-										 BUILD_BLOB_ASN1_DER, chunk_clone(object),
-										 BUILD_END);
+										 BUILD_BLOB_ASN1_DER, object, BUILD_END);
 				break;
 		}
 	} 
@@ -125,41 +124,43 @@ static public_key_t *build(private_builder_t *this)
  */
 static void add(private_builder_t *this, builder_part_t part, ...)
 {
-	va_list args;
-	
-	if (this->key)
-	{
-		DBG1("ignoring surplus build part %N", builder_part_names, part);
-		return;
-	}
-	va_start(args, part);
-	switch (part)
+	if (!this->key)
 	{
-		case BUILD_BLOB_ASN1_DER:
+		va_list args;
+		chunk_t blob;
+		
+		switch (part)
 		{
-			this->key = load(va_arg(args, chunk_t));
-			break;
-		}
-		case BUILD_BLOB_ASN1_PEM:
-		{
-			bool pgp;
-			char *pem;
-			chunk_t blob;
-			
-			pem = va_arg(args, char *);
-			blob = chunk_clone(chunk_create(pem, strlen(pem)));
-			if (pem_to_bin(&blob, &chunk_empty, &pgp))
+			case BUILD_BLOB_ASN1_DER:
 			{
-				this->key = load(chunk_clone(blob));
+				va_start(args, part);
+				blob = va_arg(args, chunk_t);
+				this->key = pubkey_public_key_load(chunk_clone(blob));
+				va_end(args);
+				return;
 			}
-			free(blob.ptr);
-			break;
+			case BUILD_BLOB_ASN1_PEM:
+			{
+				bool pgp;
+				char *pem;
+			
+				va_start(args, part);
+				pem = va_arg(args, char *);
+				blob = chunk_clone(chunk_create(pem, strlen(pem)));
+				if (pem_to_bin(&blob, &chunk_empty, &pgp))
+				{
+					this->key = pubkey_public_key_load(chunk_clone(blob));
+				}
+				free(blob.ptr);
+				va_end(args);
+				return;
+			}
+			default:
+				break;
 		}
-		default:
-			DBG1("ignoring unsupported build part %N", builder_part_names, part);
-			break;
 	}
-	va_end(args);
+	DESTROY_IF(this->key);
+	builder_cancel(&this->public);
 }
 
 /**
diff --git a/src/libstrongswan/plugins/random/Makefile.in b/src/libstrongswan/plugins/random/Makefile.in
index c4baa04b3..90b319520 100644
--- a/src/libstrongswan/plugins/random/Makefile.in
+++ b/src/libstrongswan/plugins/random/Makefile.in
@@ -188,6 +188,8 @@ localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
diff --git a/src/libstrongswan/plugins/random/random_rng.c b/src/libstrongswan/plugins/random/random_rng.c
index 1aadc88bd..45a1b5138 100644
--- a/src/libstrongswan/plugins/random/random_rng.c
+++ b/src/libstrongswan/plugins/random/random_rng.c
@@ -63,7 +63,8 @@ struct private_random_rng_t {
 static void get_bytes(private_random_rng_t *this, size_t bytes,
 					  u_int8_t *buffer)
 {
-	size_t done, got;
+	size_t done;
+	ssize_t got;
 	
 	done = 0;
 	
diff --git a/src/libstrongswan/plugins/sha1/Makefile.am b/src/libstrongswan/plugins/sha1/Makefile.am
index 299e85083..5de45e4e8 100644
--- a/src/libstrongswan/plugins/sha1/Makefile.am
+++ b/src/libstrongswan/plugins/sha1/Makefile.am
@@ -5,6 +5,7 @@ AM_CFLAGS = -rdynamic
 
 plugin_LTLIBRARIES = libstrongswan-sha1.la
 
-libstrongswan_sha1_la_SOURCES = sha1_plugin.h sha1_plugin.c sha1_hasher.c sha1_hasher.h
+libstrongswan_sha1_la_SOURCES = sha1_plugin.h sha1_plugin.c \
+	sha1_hasher.c sha1_hasher.h sha1_prf.c sha1_prf.h
 libstrongswan_sha1_la_LDFLAGS = -module
 
diff --git a/src/libstrongswan/plugins/sha1/Makefile.in b/src/libstrongswan/plugins/sha1/Makefile.in
index b57c46aee..df6845b43 100644
--- a/src/libstrongswan/plugins/sha1/Makefile.in
+++ b/src/libstrongswan/plugins/sha1/Makefile.in
@@ -50,7 +50,8 @@ am__installdirs = "$(DESTDIR)$(plugindir)"
 pluginLTLIBRARIES_INSTALL = $(INSTALL)
 LTLIBRARIES = $(plugin_LTLIBRARIES)
 libstrongswan_sha1_la_LIBADD =
-am_libstrongswan_sha1_la_OBJECTS = sha1_plugin.lo sha1_hasher.lo
+am_libstrongswan_sha1_la_OBJECTS = sha1_plugin.lo sha1_hasher.lo \
+	sha1_prf.lo
 libstrongswan_sha1_la_OBJECTS = $(am_libstrongswan_sha1_la_OBJECTS)
 libstrongswan_sha1_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
 	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
@@ -187,6 +188,8 @@ localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
@@ -209,7 +212,9 @@ xml_LIBS = @xml_LIBS@
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
 AM_CFLAGS = -rdynamic
 plugin_LTLIBRARIES = libstrongswan-sha1.la
-libstrongswan_sha1_la_SOURCES = sha1_plugin.h sha1_plugin.c sha1_hasher.c sha1_hasher.h
+libstrongswan_sha1_la_SOURCES = sha1_plugin.h sha1_plugin.c \
+	sha1_hasher.c sha1_hasher.h sha1_prf.c sha1_prf.h
+
 libstrongswan_sha1_la_LDFLAGS = -module
 all: all-am
 
@@ -282,6 +287,7 @@ distclean-compile:
 
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sha1_hasher.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sha1_plugin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sha1_prf.Plo@am__quote@
 
 .c.o:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
diff --git a/src/libstrongswan/plugins/sha1/sha1_hasher.c b/src/libstrongswan/plugins/sha1/sha1_hasher.c
index c496be8f4..ea0882cb5 100644
--- a/src/libstrongswan/plugins/sha1/sha1_hasher.c
+++ b/src/libstrongswan/plugins/sha1/sha1_hasher.c
@@ -16,7 +16,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: sha1_hasher.c 3619 2008-03-19 14:02:52Z martin $
+ * $Id: sha1_hasher.c 4308 2008-08-28 10:57:24Z martin $
  */
 
 #include <string.h>
@@ -47,7 +47,6 @@
 
 
 typedef struct private_sha1_hasher_t private_sha1_hasher_t;
-typedef struct private_sha1_keyed_prf_t private_sha1_keyed_prf_t;
 
 /**
  * Private data structure with hasing context.
@@ -59,28 +58,13 @@ struct private_sha1_hasher_t {
 	sha1_hasher_t public;
 	
 	/*
-	 * State of the hasher.
+	 * State of the hasher. Shared with sha1_prf.c, do not change it!!!
 	 */
 	u_int32_t state[5];
     u_int32_t count[2];
     u_int8_t buffer[64];
 };
 
-/**
- * Private data structure with keyed prf context.
- */
-struct private_sha1_keyed_prf_t {
-	/**
-	 * public prf interface
-	 */
-	sha1_keyed_prf_t public;
-
-	/**
-	 * internal used hasher
-	 */
-	private_sha1_hasher_t *hasher;
-};
-
 /* 
  * Hash a single 512-bit block. This is the core of the algorithm. *
  */
@@ -132,10 +116,10 @@ static void SHA1Transform(u_int32_t state[5], const unsigned char buffer[64])
     memset(block, '\0', sizeof(block));
 }
 
-/* 
- * Run your data through this. 
+/**
+ * Run your data through this. Also used in sha1_prf.
  */
-static void SHA1Update(private_sha1_hasher_t* this, u_int8_t *data, u_int32_t len)
+void SHA1Update(private_sha1_hasher_t* this, u_int8_t *data, u_int32_t len)
 {
 	u_int32_t i;
 	u_int32_t j;
@@ -275,92 +259,3 @@ sha1_hasher_t *sha1_hasher_create(hash_algorithm_t algo)
 	return &(this->public);
 }
 
-/**
- * Implementation of prf_t.get_bytes.
- */
-static void get_bytes(private_sha1_keyed_prf_t *this, chunk_t seed, u_int8_t *bytes)
-{
-	u_int32_t *hash = (u_int32_t*)bytes;
-
-	SHA1Update(this->hasher, seed.ptr, seed.len);
-
-	hash[0] = htonl(this->hasher->state[0]);
-	hash[1] = htonl(this->hasher->state[1]);
-	hash[2] = htonl(this->hasher->state[2]);
-	hash[3] = htonl(this->hasher->state[3]);
-	hash[4] = htonl(this->hasher->state[4]);
-}
-
-/**
- * Implementation of prf_t.get_block_size.
- */
-static size_t get_block_size(private_sha1_keyed_prf_t *this)
-{
-	return HASH_SIZE_SHA1;
-}
-
-/**
- * Implementation of prf_t.allocate_bytes.
- */
-static void allocate_bytes(private_sha1_keyed_prf_t *this, chunk_t seed, chunk_t *chunk)
-{
-	*chunk = chunk_alloc(HASH_SIZE_SHA1);
-	get_bytes(this, seed, chunk->ptr);
-}
-
-/**
- * Implementation of prf_t.get_key_size.
- */
-static size_t get_key_size(private_sha1_keyed_prf_t *this)
-{
-	return sizeof(this->hasher->state);
-}
-
-/**
- * Implementation of prf_t.set_key.
- */
-static void set_key(private_sha1_keyed_prf_t *this, chunk_t key)
-{
-	int i, rounds;
-	u_int32_t *iv = (u_int32_t*)key.ptr;
-	
-	reset(this->hasher);
-	rounds = min(key.len/sizeof(u_int32_t), sizeof(this->hasher->state));
-	for (i = 0; i < rounds; i++)
-	{
-		this->hasher->state[i] ^= htonl(iv[i]);
-	}
-}
-
-/**
- * Implementation of prf_t.destroy.
- */
-static void destroy_p(private_sha1_keyed_prf_t *this)
-{
-	destroy(this->hasher);
-	free(this);
-}
-
-/**
- * see header
- */
-sha1_keyed_prf_t *sha1_keyed_prf_create(pseudo_random_function_t algo)
-{
-	private_sha1_keyed_prf_t *this;
-	if (algo != PRF_KEYED_SHA1)
-	{
-		return NULL;
-	}
-	this = malloc_thing(private_sha1_keyed_prf_t);
-	this->public.prf_interface.get_bytes = (void (*) (prf_t *,chunk_t,u_int8_t*))get_bytes;
-	this->public.prf_interface.allocate_bytes = (void (*) (prf_t*,chunk_t,chunk_t*))allocate_bytes;
-	this->public.prf_interface.get_block_size = (size_t (*) (prf_t*))get_block_size;
-	this->public.prf_interface.get_key_size = (size_t (*) (prf_t*))get_key_size;
-	this->public.prf_interface.set_key = (void (*) (prf_t *,chunk_t))set_key;
-	this->public.prf_interface.destroy = (void (*) (prf_t *))destroy_p;
-	
-	this->hasher = (private_sha1_hasher_t*)sha1_hasher_create(HASH_SHA1);
-	
-	return &(this->public);
-}
-
diff --git a/src/libstrongswan/plugins/sha1/sha1_hasher.h b/src/libstrongswan/plugins/sha1/sha1_hasher.h
index 2e44797d8..7dcb0b8b3 100644
--- a/src/libstrongswan/plugins/sha1/sha1_hasher.h
+++ b/src/libstrongswan/plugins/sha1/sha1_hasher.h
@@ -23,10 +23,8 @@
 #define SHA1_HASHER_H_
 
 typedef struct sha1_hasher_t sha1_hasher_t;
-typedef struct sha1_keyed_prf_t sha1_keyed_prf_t;
 
 #include <crypto/hashers/hasher.h>
-#include <crypto/prfs/prf.h>
 
 /**
  * Implementation of hasher_t interface using the SHA1 algorithm.
@@ -39,17 +37,6 @@ struct sha1_hasher_t {
 	hasher_t hasher_interface;
 };
 
-/**
- * Implementation of prf_t interface using keyed SHA1 algorithm (used for EAP-AKA).
- */
-struct sha1_keyed_prf_t {
-	
-	/**
-	 * Implements prf_t interface.
-	 */
-	prf_t prf_interface;
-};
-
 /**
  * Creates a new sha1_hasher_t.
  *
@@ -58,12 +45,4 @@ struct sha1_keyed_prf_t {
  */
 sha1_hasher_t *sha1_hasher_create(hash_algorithm_t algo);
 
-/**
- * Creates a new sha1_keyed_prf_t.
- *
- * @param algo		algorithm, must be PRF_KEYED_SHA1
- * @return			sha1_keyed_prf_tobject
- */
-sha1_keyed_prf_t *sha1_keyed_prf_create(pseudo_random_function_t algo);
-
 #endif /*SHA1_HASHER_H_ @}*/
diff --git a/src/libstrongswan/plugins/sha1/sha1_plugin.c b/src/libstrongswan/plugins/sha1/sha1_plugin.c
index e8da99e6c..58f0faf56 100644
--- a/src/libstrongswan/plugins/sha1/sha1_plugin.c
+++ b/src/libstrongswan/plugins/sha1/sha1_plugin.c
@@ -12,13 +12,14 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: sha1_plugin.c 3619 2008-03-19 14:02:52Z martin $
+ * $Id: sha1_plugin.c 4308 2008-08-28 10:57:24Z martin $
  */
 
 #include "sha1_plugin.h"
 
 #include <library.h>
 #include "sha1_hasher.h"
+#include "sha1_prf.h"
 
 typedef struct private_sha1_plugin_t private_sha1_plugin_t;
 
@@ -41,7 +42,7 @@ static void destroy(private_sha1_plugin_t *this)
 	lib->crypto->remove_hasher(lib->crypto,
 							   (hasher_constructor_t)sha1_hasher_create);
 	lib->crypto->remove_prf(lib->crypto,
-							   (prf_constructor_t)sha1_keyed_prf_create);
+							   (prf_constructor_t)sha1_prf_create);
 	free(this);
 }
 
@@ -57,7 +58,7 @@ plugin_t *plugin_create()
 	lib->crypto->add_hasher(lib->crypto, HASH_SHA1,
 							(hasher_constructor_t)sha1_hasher_create);
 	lib->crypto->add_prf(lib->crypto, PRF_KEYED_SHA1,
-							(prf_constructor_t)sha1_keyed_prf_create);
+							(prf_constructor_t)sha1_prf_create);
 	
 	return &this->public.plugin;
 }
diff --git a/src/libstrongswan/plugins/sha1/sha1_prf.c b/src/libstrongswan/plugins/sha1/sha1_prf.c
new file mode 100644
index 000000000..668801caf
--- /dev/null
+++ b/src/libstrongswan/plugins/sha1/sha1_prf.c
@@ -0,0 +1,152 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+#include "sha1_prf.h"
+#include "sha1_hasher.h"
+
+#include <arpa/inet.h>
+
+typedef struct private_sha1_prf_t private_sha1_prf_t;
+typedef struct private_sha1_hasher_t private_sha1_hasher_t;
+
+/**
+ * Private data structure with hasing context.
+ */
+struct private_sha1_hasher_t {
+	/**
+	 * Public interface for this hasher.
+	 */
+	sha1_hasher_t public;
+	
+	/*
+	 * State of the hasher. From sha1_hasher.c, do not change it!
+	 */
+	u_int32_t state[5];
+    u_int32_t count[2];
+    u_int8_t buffer[64];
+};
+
+/**
+ * Private data structure with keyed prf context.
+ */
+struct private_sha1_prf_t {
+
+	/**
+	 * public prf interface
+	 */
+	sha1_prf_t public;
+
+	/**
+	 * internal used hasher
+	 */
+	private_sha1_hasher_t *hasher;
+};
+
+/**
+ * From sha1_hasher.c
+ */
+extern void SHA1Update(private_sha1_hasher_t* this, u_int8_t *data, u_int32_t len);
+
+/**
+ * Implementation of prf_t.get_bytes.
+ */
+static void get_bytes(private_sha1_prf_t *this, chunk_t seed, u_int8_t *bytes)
+{
+	u_int32_t *hash = (u_int32_t*)bytes;
+
+	SHA1Update(this->hasher, seed.ptr, seed.len);
+
+	hash[0] = htonl(this->hasher->state[0]);
+	hash[1] = htonl(this->hasher->state[1]);
+	hash[2] = htonl(this->hasher->state[2]);
+	hash[3] = htonl(this->hasher->state[3]);
+	hash[4] = htonl(this->hasher->state[4]);
+}
+
+/**
+ * Implementation of prf_t.get_block_size.
+ */
+static size_t get_block_size(private_sha1_prf_t *this)
+{
+	return HASH_SIZE_SHA1;
+}
+
+/**
+ * Implementation of prf_t.allocate_bytes.
+ */
+static void allocate_bytes(private_sha1_prf_t *this, chunk_t seed, chunk_t *chunk)
+{
+	*chunk = chunk_alloc(HASH_SIZE_SHA1);
+	get_bytes(this, seed, chunk->ptr);
+}
+
+/**
+ * Implementation of prf_t.get_key_size.
+ */
+static size_t get_key_size(private_sha1_prf_t *this)
+{
+	return sizeof(this->hasher->state);
+}
+
+/**
+ * Implementation of prf_t.set_key.
+ */
+static void set_key(private_sha1_prf_t *this, chunk_t key)
+{
+	int i, rounds;
+	u_int32_t *iv = (u_int32_t*)key.ptr;
+	
+	this->hasher->public.hasher_interface.reset(&this->hasher->public.hasher_interface);
+	rounds = min(key.len/sizeof(u_int32_t), sizeof(this->hasher->state));
+	for (i = 0; i < rounds; i++)
+	{
+		this->hasher->state[i] ^= htonl(iv[i]);
+	}
+}
+
+/**
+ * Implementation of prf_t.destroy.
+ */
+static void destroy(private_sha1_prf_t *this)
+{
+	this->hasher->public.hasher_interface.destroy(&this->hasher->public.hasher_interface);
+	free(this);
+}
+
+/**
+ * see header
+ */
+sha1_prf_t *sha1_prf_create(pseudo_random_function_t algo)
+{
+	private_sha1_prf_t *this;
+	if (algo != PRF_KEYED_SHA1)
+	{
+		return NULL;
+	}
+	this = malloc_thing(private_sha1_prf_t);
+	this->public.prf_interface.get_bytes = (void (*) (prf_t *,chunk_t,u_int8_t*))get_bytes;
+	this->public.prf_interface.allocate_bytes = (void (*) (prf_t*,chunk_t,chunk_t*))allocate_bytes;
+	this->public.prf_interface.get_block_size = (size_t (*) (prf_t*))get_block_size;
+	this->public.prf_interface.get_key_size = (size_t (*) (prf_t*))get_key_size;
+	this->public.prf_interface.set_key = (void (*) (prf_t *,chunk_t))set_key;
+	this->public.prf_interface.destroy = (void (*) (prf_t *))destroy;
+	
+	this->hasher = (private_sha1_hasher_t*)sha1_hasher_create(HASH_SHA1);
+	
+	return &this->public;
+}
+
diff --git a/src/libstrongswan/plugins/sha1/sha1_prf.h b/src/libstrongswan/plugins/sha1/sha1_prf.h
new file mode 100644
index 000000000..a0f56b681
--- /dev/null
+++ b/src/libstrongswan/plugins/sha1/sha1_prf.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup sha1_prf sha1_prf
+ * @{ @ingroup sha1_p
+ */
+
+#ifndef SHA1_PRF_H_
+#define SHA1_PRF_H_
+
+typedef struct sha1_prf_t sha1_prf_t;
+
+#include <crypto/prfs/prf.h>
+
+/**
+ * Implementation of prf_t interface using keyed SHA1 algorithm (used for EAP-AKA).
+ */
+struct sha1_prf_t {
+	
+	/**
+	 * Implements prf_t interface.
+	 */
+	prf_t prf_interface;
+};
+
+/**
+ * Creates a new sha1_prf_t.
+ *
+ * @param algo		algorithm, must be PRF_KEYED_SHA1
+ * @return			sha1_keyed_prf_tobject
+ */
+sha1_prf_t *sha1_prf_create(pseudo_random_function_t algo);
+
+#endif /*SHA1_PRF_H_ @}*/
diff --git a/src/libstrongswan/plugins/sha2/Makefile.in b/src/libstrongswan/plugins/sha2/Makefile.in
index ec0e45248..ea5610671 100644
--- a/src/libstrongswan/plugins/sha2/Makefile.in
+++ b/src/libstrongswan/plugins/sha2/Makefile.in
@@ -187,6 +187,8 @@ localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
diff --git a/src/libstrongswan/plugins/sqlite/Makefile.in b/src/libstrongswan/plugins/sqlite/Makefile.in
index 3a73829dc..21773de32 100644
--- a/src/libstrongswan/plugins/sqlite/Makefile.in
+++ b/src/libstrongswan/plugins/sqlite/Makefile.in
@@ -189,6 +189,8 @@ localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
diff --git a/src/libstrongswan/plugins/sqlite/sqlite_database.c b/src/libstrongswan/plugins/sqlite/sqlite_database.c
index d5a03894d..c8d9e5beb 100644
--- a/src/libstrongswan/plugins/sqlite/sqlite_database.c
+++ b/src/libstrongswan/plugins/sqlite/sqlite_database.c
@@ -12,12 +12,13 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: sqlite_database.c 3911 2008-05-07 14:41:13Z martin $
+ * $Id: sqlite_database.c 4268 2008-08-21 11:58:58Z andreas $
  */
 
 #include "sqlite_database.h"
 
 #include <sqlite3.h>
+#include <unistd.h>
 #include <library.h>
 #include <debug.h>
 #include <utils/mutex.h>
@@ -131,8 +132,8 @@ typedef struct {
 	int count;
 	/** column types */
 	db_type_t *columns;
-	/** reference to db connection */
-	sqlite3 *db;
+	/** back reference to parent */
+	private_sqlite_database_t *database;
 } sqlite_enumerator_t;
 
 /**
@@ -141,6 +142,9 @@ typedef struct {
 static void sqlite_enumerator_destroy(sqlite_enumerator_t *this)
 {
 	sqlite3_finalize(this->stmt);
+#if SQLITE_VERSION_NUMBER < 3005000
+	this->database->mutex->unlock(this->database->mutex);
+#endif
 	free(this->columns);
 	free(this);
 }
@@ -158,7 +162,8 @@ static bool sqlite_enumerator_enumerate(sqlite_enumerator_t *this, ...)
 		case SQLITE_ROW:
 			break;
 		default:
-			DBG1("stepping sqlite statement failed: %s", sqlite3_errmsg(this->db));
+			DBG1("stepping sqlite statement failed: %s",
+				 sqlite3_errmsg(this->database->db));
 			/* fall */
 		case SQLITE_DONE:
 			return FALSE;
@@ -218,6 +223,10 @@ static enumerator_t* query(private_sqlite_database_t *this, char *sql, ...)
 	sqlite_enumerator_t *enumerator = NULL;
 	int i;
 	
+#if SQLITE_VERSION_NUMBER < 3005000
+	/* sqlite connections prior to 3.5 may be used by a single thread only, */
+	this->mutex->lock(this->mutex);
+#endif
 	
 	va_start(args, sql);
 	stmt = run(this, sql, &args);
@@ -229,7 +238,7 @@ static enumerator_t* query(private_sqlite_database_t *this, char *sql, ...)
 		enumerator->stmt = stmt;
 		enumerator->count = sqlite3_column_count(stmt);
 		enumerator->columns = malloc(sizeof(db_type_t) * enumerator->count);
-		enumerator->db = this->db;
+		enumerator->database = this;
 		for (i = 0; i < enumerator->count; i++)
 		{
 			enumerator->columns[i] = va_arg(args, db_type_t);
@@ -273,6 +282,25 @@ static int execute(private_sqlite_database_t *this, int *rowid, char *sql, ...)
 	return affected;
 }
 
+/**
+ * Implementation of database_t.get_driver
+ */
+static db_driver_t get_driver(private_sqlite_database_t *this)
+{
+	return DB_SQLITE;
+}
+
+/**
+ * Busy handler implementation
+ */
+static int busy_handler(private_sqlite_database_t *this, int count)
+{
+	/* add a backoff time, quadratically increasing with every try */
+	usleep(count * count * 1000);
+	/* always retry */
+	return 1;
+}
+
 /**
  * Implementation of database_t.destroy
  */
@@ -304,9 +332,10 @@ sqlite_database_t *sqlite_database_create(char *uri)
 	
 	this->public.db.query = (enumerator_t* (*)(database_t *this, char *sql, ...))query;
 	this->public.db.execute = (int (*)(database_t *this, int *rowid, char *sql, ...))execute;
+	this->public.db.get_driver = (db_driver_t(*)(database_t*))get_driver;
 	this->public.db.destroy = (void(*)(database_t*))destroy;
 	
-	this->mutex = mutex_create(MUTEX_DEFAULT);
+	this->mutex = mutex_create(MUTEX_RECURSIVE);
 	
 	if (sqlite3_open(file, &this->db) != SQLITE_OK)
 	{
@@ -316,6 +345,8 @@ sqlite_database_t *sqlite_database_create(char *uri)
 		return NULL;
 	}
 	
+	sqlite3_busy_handler(this->db, (void*)busy_handler, this);
+	
 	return &this->public;
 }
 
diff --git a/src/libstrongswan/plugins/x509/Makefile.in b/src/libstrongswan/plugins/x509/Makefile.in
index 9178d6c8c..01093e862 100644
--- a/src/libstrongswan/plugins/x509/Makefile.in
+++ b/src/libstrongswan/plugins/x509/Makefile.in
@@ -189,6 +189,8 @@ localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
diff --git a/src/libstrongswan/plugins/x509/x509_ac.c b/src/libstrongswan/plugins/x509/x509_ac.c
index cfa38c66b..caae5e08d 100644
--- a/src/libstrongswan/plugins/x509/x509_ac.c
+++ b/src/libstrongswan/plugins/x509/x509_ac.c
@@ -1054,6 +1054,7 @@ static void add(private_builder_t *this, builder_part_t part, ...)
 {
 	va_list args;
 	certificate_t *cert;
+	chunk_t chunk;
 
 	va_start(args, part);
 	switch (part)
@@ -1070,7 +1071,8 @@ static void add(private_builder_t *this, builder_part_t part, ...)
 			{
 				destroy(this->ac);
 			}
-			this->ac = create_from_chunk(va_arg(args, chunk_t));
+			chunk = va_arg(args, chunk_t);
+			this->ac = create_from_chunk(chunk_clone(chunk));
 			break;
 		case BUILD_NOT_BEFORE_TIME:
 			this->ac->notBefore = va_arg(args, time_t);
@@ -1079,7 +1081,8 @@ static void add(private_builder_t *this, builder_part_t part, ...)
 			this->ac->notAfter = va_arg(args, time_t);
 			break;
 		case BUILD_SERIAL:
-			this->ac->serialNumber = va_arg(args, chunk_t);
+			chunk = va_arg(args, chunk_t);
+			this->ac->serialNumber = chunk_clone(chunk);
 			break;
 		case BUILD_IETF_GROUP_ATTR:
 			ietfAttr_list_create_from_string(va_arg(args, char*),
@@ -1089,29 +1092,27 @@ static void add(private_builder_t *this, builder_part_t part, ...)
 			cert = va_arg(args, certificate_t*);
 			if (cert->get_type(cert) == CERT_X509)
 			{
-				this->ac->holderCert = cert;
-			}
-			else
-			{
-				cert->destroy(cert);
+				this->ac->holderCert = cert->get_ref(cert);
 			}
 			break;
 		case BUILD_SIGNING_CERT:
 			cert = va_arg(args, certificate_t*);
 			if (cert->get_type(cert) == CERT_X509)
 			{
-				this->ac->signerCert = cert;
-			}
-			else
-			{
-				cert->destroy(cert);
+				this->ac->signerCert = cert->get_ref(cert);
 			}
 			break;
 		case BUILD_SIGNING_KEY:
 			this->ac->signerKey = va_arg(args, private_key_t*);
+			this->ac->signerKey->get_ref(this->ac->signerKey);
 			break;
 		default:
-			DBG1("ignoring unsupported build part %N", builder_part_names, part);
+			/* abort if unsupported option */
+			if (this->ac)
+			{
+				destroy(this->ac);
+			}
+			builder_cancel(&this->public);
 			break;
 	}
 	va_end(args);
diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c
index 714258865..c82d14a17 100644
--- a/src/libstrongswan/plugins/x509/x509_cert.c
+++ b/src/libstrongswan/plugins/x509/x509_cert.c
@@ -17,7 +17,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: x509_cert.c 4051 2008-06-10 09:08:27Z tobias $
+ * $Id: x509_cert.c 4317 2008-09-02 11:00:13Z martin $
  */
 
 #define _GNU_SOURCE
@@ -722,7 +722,7 @@ static bool parse_certificate(private_x509_cert_t *this)
 				break;
 			case X509_OBJ_SUBJECT_PUBLIC_KEY_INFO:
 				this->public_key = lib->creds->create(lib->creds, CRED_PUBLIC_KEY,
-						KEY_ANY, BUILD_BLOB_ASN1_DER, chunk_clone(object), BUILD_END);
+						KEY_ANY, BUILD_BLOB_ASN1_DER, object, BUILD_END);
 				if (this->public_key == NULL)
 				{
 					DBG1("could not create public key");
@@ -1251,6 +1251,7 @@ static private_x509_cert_t *build(private_builder_t *this)
 static void add(private_builder_t *this, builder_part_t part, ...)
 {
 	va_list args;
+	chunk_t chunk;
 	
 	va_start(args, part);
 	switch (part)
@@ -1259,13 +1260,19 @@ static void add(private_builder_t *this, builder_part_t part, ...)
 			this->cert = create_from_file(va_arg(args, char*));
 			break;
 		case BUILD_BLOB_ASN1_DER:
-			this->cert = create_from_chunk(va_arg(args, chunk_t));
+			chunk = va_arg(args, chunk_t);
+			this->cert = create_from_chunk(chunk_clone(chunk));
 			break;
 		case BUILD_X509_FLAG:
 			this->flags = va_arg(args, x509_flag_t);
 			break;
 		default:
-			DBG1("ignoring unsupported build part %N", builder_part_names, part);
+			/* abort if unsupported option */
+			if (this->cert)
+			{
+				destroy(this->cert);
+			}
+			builder_cancel(&this->public);
 			break;
 	}
 	va_end(args);
diff --git a/src/libstrongswan/plugins/x509/x509_crl.c b/src/libstrongswan/plugins/x509/x509_crl.c
index 3bdda1701..eb9bfe903 100644
--- a/src/libstrongswan/plugins/x509/x509_crl.c
+++ b/src/libstrongswan/plugins/x509/x509_crl.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: x509_crl.c 4091 2008-06-22 17:41:07Z andreas $
+ * $Id: x509_crl.c 4317 2008-09-02 11:00:13Z martin $
  */
 
 #include "x509_crl.h"
@@ -693,30 +693,37 @@ static private_x509_crl_t *build(private_builder_t *this)
  */
 static void add(private_builder_t *this, builder_part_t part, ...)
 {
-	va_list args;
-	
-	if (this->crl)
+	if (!this->crl)
 	{
-		DBG1("ignoring surplus build part %N", builder_part_names, part);
-		return;
-	}
+		va_list args;
+		chunk_t chunk;
 	
-	va_start(args, part);
-	switch (part)
-	{
-		case BUILD_FROM_FILE:
-			this->crl = create_from_file(va_arg(args, char*));
-			break;
-		case BUILD_BLOB_ASN1_DER:
+		switch (part)
 		{
-			this->crl = create_from_chunk(va_arg(args, chunk_t));
-			break;
+			case BUILD_FROM_FILE:
+			{
+				va_start(args, part);
+				this->crl = create_from_file(va_arg(args, char*));
+				va_end(args);
+				return;
+			}
+			case BUILD_BLOB_ASN1_DER:
+			{
+				va_start(args, part);
+				chunk = va_arg(args, chunk_t);
+				this->crl = create_from_chunk(chunk_clone(chunk));
+				va_end(args);
+				return;
+			}
+			default:
+				break;
 		}
-		default:
-			DBG1("ignoring unsupported build part %N", builder_part_names, part);
-			break;
 	}
-	va_end(args);
+	if (this->crl)
+	{
+		destroy(this->crl);
+	}
+	builder_cancel(&this->public);
 }
 
 /**
diff --git a/src/libstrongswan/plugins/x509/x509_ocsp_request.c b/src/libstrongswan/plugins/x509/x509_ocsp_request.c
index 590a974f7..7b97b990d 100644
--- a/src/libstrongswan/plugins/x509/x509_ocsp_request.c
+++ b/src/libstrongswan/plugins/x509/x509_ocsp_request.c
@@ -14,7 +14,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: x509_ocsp_request.c 4091 2008-06-22 17:41:07Z andreas $
+ * $Id: x509_ocsp_request.c 4317 2008-09-02 11:00:13Z martin $
  */
 
 #include "x509_ocsp_request.h"
@@ -547,6 +547,8 @@ static void add(private_builder_t *this, builder_part_t part, ...)
 {
 	va_list args;
 	certificate_t *cert;
+	identification_t *subject;
+	private_key_t *private;
 	
 	va_start(args, part);
 	switch (part)
@@ -555,35 +557,36 @@ static void add(private_builder_t *this, builder_part_t part, ...)
 			cert = va_arg(args, certificate_t*);
 			if (cert->get_type(cert) == CERT_X509)
 			{
-				this->req->ca = (x509_t*)cert;
-			}
-			else
-			{
-				cert->destroy(cert);
+				this->req->ca = (x509_t*)cert->get_ref(cert);
 			}
 			break;
 		case BUILD_CERT:
 			cert = va_arg(args, certificate_t*);
 			if (cert->get_type(cert) == CERT_X509)
 			{
-				this->req->candidates->insert_last(this->req->candidates, cert);
-			}
-			else
-			{
-				cert->destroy(cert);
+				this->req->candidates->insert_last(this->req->candidates,
+												   cert->get_ref(cert));
 			}
 			break;
 		case BUILD_SIGNING_CERT:
-			this->req->cert = va_arg(args, certificate_t*);
+			cert = va_arg(args, certificate_t*);
+			this->req->cert = cert->get_ref(cert);
 			break;
 		case BUILD_SIGNING_KEY:
-			this->req->key = va_arg(args, private_key_t*);
+			private = va_arg(args, private_key_t*);
+			this->req->key = private->get_ref(private);
 			break;
 		case BUILD_SUBJECT:
-			this->req->requestor = va_arg(args, identification_t*);
+			subject = va_arg(args, identification_t*);
+			this->req->requestor = subject->clone(subject);
 			break;
 		default:
-			DBG1("ignoring unsupported build part %N", builder_part_names, part);
+			/* cancel if option not supported */
+			if (this->req)
+			{
+				destroy(this->req);
+			}
+			builder_cancel(&this->public);
 			break;
 	}
 	va_end(args);
diff --git a/src/libstrongswan/plugins/x509/x509_ocsp_response.c b/src/libstrongswan/plugins/x509/x509_ocsp_response.c
index 33cf73cd2..01f35864d 100644
--- a/src/libstrongswan/plugins/x509/x509_ocsp_response.c
+++ b/src/libstrongswan/plugins/x509/x509_ocsp_response.c
@@ -14,7 +14,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: x509_ocsp_response.c 4091 2008-06-22 17:41:07Z andreas $
+ * $Id: x509_ocsp_response.c 4317 2008-09-02 11:00:13Z martin $
  */
 
 #include "x509_ocsp_response.h"
@@ -560,8 +560,7 @@ static bool parse_basicOCSPResponse(private_x509_ocsp_response_t *this,
 			case BASIC_RESPONSE_CERTIFICATE:
 			{
 				cert = lib->creds->create(lib->creds, CRED_CERTIFICATE,CERT_X509,
-										  BUILD_BLOB_ASN1_DER,
-										  chunk_clone(object),
+										  BUILD_BLOB_ASN1_DER, object,
 										  BUILD_END);
 				if (cert)
 				{
@@ -944,27 +943,30 @@ static x509_ocsp_response_t *build(private_builder_t *this)
  */
 static void add(private_builder_t *this, builder_part_t part, ...)
 {
-	va_list args;
-	
-	if (this->res)
-	{
-		DBG1("ignoring surplus build part %N", builder_part_names, part);
-		return;
-	}
-	
-	switch (part)
+	if (!this->res)
 	{
-		case BUILD_BLOB_ASN1_DER:
+		va_list args;
+		chunk_t chunk;
+		
+		switch (part)
 		{
-			va_start(args, part);
-			this->res = load(va_arg(args, chunk_t));
-			va_end(args);
-			break;
+			case BUILD_BLOB_ASN1_DER:
+			{
+				va_start(args, part);
+				chunk = va_arg(args, chunk_t);
+				this->res = load(chunk_clone(chunk));
+				va_end(args);
+				return;
+			}
+			default:
+				break;
 		}
-		default:
-			DBG1("ignoring unsupported build part %N", builder_part_names, part);
-			break;
 	}
+	if (this->res)
+	{
+		destroy((private_x509_ocsp_response_t*)this->res);
+	}
+	builder_cancel(&this->public);
 }
 
 /**
diff --git a/src/libstrongswan/plugins/xcbc/Makefile.in b/src/libstrongswan/plugins/xcbc/Makefile.in
index 3fdf46955..898142582 100644
--- a/src/libstrongswan/plugins/xcbc/Makefile.in
+++ b/src/libstrongswan/plugins/xcbc/Makefile.in
@@ -188,6 +188,8 @@ localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
diff --git a/src/libstrongswan/settings.c b/src/libstrongswan/settings.c
index 7c87dccd8..6f9e40395 100644
--- a/src/libstrongswan/settings.c
+++ b/src/libstrongswan/settings.c
@@ -203,8 +203,44 @@ static int get_int(private_settings_t *this, char *key, int def)
 }
 
 /**
- * destry a section
-*/
+ * Implementation of settings_t.get_time.
+ */
+static u_int32_t get_time(private_settings_t *this, char *key, u_int32_t def)
+{
+	char *value, *endptr;
+	u_int32_t timeval;
+	
+	value = find(this->top, key);
+	if (value)
+	{
+		errno = 0;
+		timeval = strtol(value, &endptr, 10);
+		if (errno == 0 && timeval >= 0)
+		{
+			switch (*endptr)
+			{
+				case 'd':		/* time in days */
+					timeval *= 24 * 3600;
+					break;
+				case 'h':		/* time in hours */
+					timeval *= 3600;
+					break;
+				case 'm':		/* time in minutes */
+					timeval *= 60;
+					break;
+				case 's':		/* time in seconds */
+					default:
+					break;
+			}
+			return timeval;
+		}
+	}
+	return def;
+}
+
+/**
+ * destroy a section
+ */
 static void section_destroy(section_t *this)
 {
 	this->kv->destroy_function(this->kv, free);
@@ -365,7 +401,8 @@ settings_t *settings_create(char *file)
 	private_settings_t *this = malloc_thing(private_settings_t);
 	
 	this->public.get_str = (char*(*)(settings_t*, char *key, char* def))get_str;
-	this->public.get_int = (int(*)(settings_t*, char *key, bool def))get_int;
+	this->public.get_int = (int(*)(settings_t*, char *key, int def))get_int;
+	this->public.get_time = (u_int32_t(*)(settings_t*, char *key, u_int32_t def))get_time;
 	this->public.get_bool = (bool(*)(settings_t*, char *key, bool def))get_bool;
 	this->public.destroy = (void(*)(settings_t*))destroy;
 	
diff --git a/src/libstrongswan/settings.h b/src/libstrongswan/settings.h
index 91770973b..451c2a583 100644
--- a/src/libstrongswan/settings.h
+++ b/src/libstrongswan/settings.h
@@ -80,8 +80,17 @@ struct settings_t {
 	 * @param def		default value to return if key not found
 	 * @return			value of the key
 	 */
-	int (*get_int)(settings_t *this, char *key, bool def);
+	int (*get_int)(settings_t *this, char *key, int def);
 	
+	/**
+	 * Get a time value.
+	 *
+	 * @param key		key including sections
+	 * @param def		default value to return if key not found
+	 * @return			value of the key
+	 */
+	u_int32_t (*get_time)(settings_t *this, char *key, u_int32_t def);
+
 	/**
      * Destroy a settings instance.
      */
diff --git a/src/libstrongswan/utils.c b/src/libstrongswan/utils.c
index bd13b7c4d..b2134dfc7 100644
--- a/src/libstrongswan/utils.c
+++ b/src/libstrongswan/utils.c
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2008 Tobias Brunner
  * Copyright (C) 2005-2008 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -12,16 +13,20 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: utils.c 3820 2008-04-17 11:22:37Z martin $
+ * $Id: utils.c 4305 2008-08-28 07:47:55Z tobias $
  */
 
 #include "utils.h"
 
+#include <sys/stat.h>
 #include <string.h>
 #include <pthread.h>
 #include <stdio.h>
+#include <unistd.h>
+#include <dirent.h>
 
 #include <enum.h>
+#include <debug.h>
 
 ENUM(status_names, SUCCESS, DESTROY_ME,
 	"SUCCESS",
@@ -63,6 +68,52 @@ void memxor(u_int8_t dest[], u_int8_t src[], size_t n)
 	}
 }
 
+/**
+ * Described in header.
+ */
+bool mkdir_p(const char *path, mode_t mode)
+{
+	size_t len;
+	char *pos, full[PATH_MAX];
+	pos = full;
+	if (!path || *path == '\0')
+	{
+		return TRUE;
+	}
+	len = snprintf(full, sizeof(full)-1, "%s", path);
+	if (len < 0 || len >= sizeof(full)-1)
+	{
+		DBG1("path string %s too long", path);
+		return FALSE;
+	}
+	/* ensure that the path ends with a '/' */
+	if (full[len-1] != '/')
+	{
+		full[len++] = '/';
+		full[len] = '\0';
+	}
+	/* skip '/' at the beginning */
+	while (*pos == '/')
+	{
+		pos++;
+	}
+	while ((pos = strchr(pos, '/')))
+	{
+		*pos = '\0';
+		if (access(full, F_OK) < 0)
+		{
+			if (mkdir(full, mode) < 0)
+			{
+				DBG1("failed to create directory %s", full);
+				return FALSE;
+			}
+		}
+		*pos = '/';
+		pos++;
+	}
+	return TRUE;
+}
+
 /**
  * return null
  */
diff --git a/src/libstrongswan/utils.h b/src/libstrongswan/utils.h
index ee3ebbd41..4af7df9ad 100644
--- a/src/libstrongswan/utils.h
+++ b/src/libstrongswan/utils.h
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2008 Tobias Brunner
  * Copyright (C) 2008 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -12,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: utils.h 3820 2008-04-17 11:22:37Z martin $
+ * $Id: utils.h 4305 2008-08-28 07:47:55Z tobias $
  */
 
 /**
@@ -89,6 +90,11 @@
  */
 #define malloc_thing(thing) ((thing*)malloc(sizeof(thing)))
 
+/**
+ * Get the number of elements in an array
+ */
+#define countof(array) (sizeof(array)/sizeof(array[0]))
+
 /**
  * Assign a function as a class method
  */
@@ -103,8 +109,12 @@
  * General purpose boolean type.
  */
 typedef int bool;
-#define FALSE 0
-#define TRUE  1
+#ifndef FALSE
+# define FALSE 0
+#endif /* FALSE */
+#ifndef TRUE
+# define TRUE  1
+#endif /* TRUE */
 
 typedef enum status_t status_t;
 
@@ -209,6 +219,15 @@ void *clalloc(void *pointer, size_t size);
  */
 void memxor(u_int8_t dest[], u_int8_t src[], size_t n);
 
+/**
+ * Creates a directory and all required parent directories. 
+ *
+ * @param	path	path to the new directory
+ * @param	mode	permissions of the new directory/directories 
+ * @return			TRUE on success
+ */
+bool mkdir_p(const char *path, mode_t mode);
+
 /**
  * returns null
  */
diff --git a/src/libstrongswan/utils/enumerator.c b/src/libstrongswan/utils/enumerator.c
index cac5d73fa..4ebc2e097 100644
--- a/src/libstrongswan/utils/enumerator.c
+++ b/src/libstrongswan/utils/enumerator.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: enumerator.c 3589 2008-03-13 14:14:44Z martin $
+ * $Id: enumerator.c 4142 2008-07-02 08:09:07Z martin $
  */
 
 #include "enumerator.h"
@@ -153,6 +153,145 @@ enumerator_t* enumerator_create_directory(char *path)
 	return &this->public;
 }
 
+/**
+ * Enumerator implementation for directory enumerator
+ */
+typedef struct {
+	/** implements enumerator_t */
+	enumerator_t public;
+	/** string to parse */
+	char *string;
+	/** current position */
+	char *pos;
+	/** separater chars */
+	char *sep;
+	/** trim chars */
+	char *trim;
+} token_enum_t;
+
+/**
+ * Implementation of enumerator_create_token().destroy
+ */
+static void destroy_token_enum(token_enum_t *this)
+{
+	free(this->string);
+	free(this);
+}
+
+/**
+ * Implementation of enumerator_create_token().enumerate
+ */
+static bool enumerate_token_enum(token_enum_t *this, char **token)
+{
+	char *pos = NULL, *tmp, *sep, *trim;
+	bool last = FALSE;
+	
+	/* trim leading characters/separators */
+	while (*this->pos)
+	{
+		trim = this->trim;
+		while (*trim)
+		{
+			if (*trim == *this->pos)
+			{
+				this->pos++;
+				break;
+			}
+			trim++;
+		}
+		sep = this->sep;
+		while (*sep)
+		{
+			if (*sep == *this->pos)
+			{
+				this->pos++;
+				break;
+			}
+			sep++;
+		}
+		if (!*trim && !*sep)
+		{
+			break;
+		}
+	}
+	
+	/* find separators */
+	sep = this->sep;
+	while (*sep)
+	{
+		tmp = strchr(this->pos, *sep);
+		if (tmp && (pos == NULL || tmp < pos))
+		{
+			pos = tmp;
+		}
+		sep++;
+	}
+	*token = this->pos;
+	if (pos)
+	{
+		*pos = '\0';
+		this->pos = pos + 1;
+	}
+	else
+	{
+		last = TRUE;
+		pos = this->pos = strchr(this->pos, '\0');
+	}
+	
+	/* trim trailing characters/separators */
+	pos--;
+	while (pos >= *token)
+	{
+		trim = this->trim;
+		while (*trim)
+		{
+			if (*trim == *pos)
+			{
+				*(pos--) = '\0';
+				break;
+			}
+			trim++;
+		}
+		sep = this->sep;
+		while (*sep)
+		{
+			if (*sep == *pos)
+			{
+				*(pos--) = '\0';
+				break;
+			}
+			sep++;
+		}
+		if (!*trim && !*sep)
+		{
+			break;
+		}
+	}
+	
+	if (!last || pos > *token)
+	{
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/**
+ * See header
+ */
+enumerator_t* enumerator_create_token(char *string, char *sep, char *trim)
+{
+	token_enum_t *enumerator = malloc_thing(token_enum_t);
+	
+	enumerator->public.enumerate = (void*)enumerate_token_enum;
+	enumerator->public.destroy = (void*)destroy_token_enum;
+	enumerator->string = strdup(string);
+	enumerator->pos = enumerator->string;
+	enumerator->sep = sep;
+	enumerator->trim = trim;
+	
+	return &enumerator->public;
+}
+
 /**
  * enumerator for nested enumerations
  */
diff --git a/src/libstrongswan/utils/enumerator.h b/src/libstrongswan/utils/enumerator.h
index 6b91fee72..d82f650db 100644
--- a/src/libstrongswan/utils/enumerator.h
+++ b/src/libstrongswan/utils/enumerator.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: enumerator.h 3589 2008-03-13 14:14:44Z martin $
+ * $Id: enumerator.h 4142 2008-07-02 08:09:07Z martin $
  */
  
 /**
@@ -97,6 +97,19 @@ enumerator_t *enumerator_create_single(void *item, void (*cleanup)(void *item));
  */
 enumerator_t* enumerator_create_directory(char *path);
 
+/**
+ * Create an enumerator over tokens of a string.
+ *
+ * Tokens are separated by one of the characters in sep and trimmed by the
+ * characters in trim.
+ *
+ * @param string	string to parse
+ * @param sep		separator characters
+ * @param trim		characters to trim from tokens
+ * @return			enumerator over char* tokens
+ */
+enumerator_t* enumerator_create_token(char *string, char *sep, char *trim);
+
 /**
  * Creates an enumerator which enumerates over enumerated enumerators :-).
  * 
diff --git a/src/libstrongswan/utils/identification.c b/src/libstrongswan/utils/identification.c
index 39d49bf6c..db442e9ab 100644
--- a/src/libstrongswan/utils/identification.c
+++ b/src/libstrongswan/utils/identification.c
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: identification.c 4064 2008-06-13 15:10:01Z martin $
+ * $Id: identification.c 4344 2008-09-17 02:17:01Z andreas $
  */
 
 #define _GNU_SOURCE
@@ -915,6 +915,8 @@ static int print(FILE *stream, const struct printf_info *info,
 		case ID_FQDN:
 		case ID_RFC822_ADDR:
 		case ID_DER_ASN1_GN_URI:
+		case ID_EAP:
+		case ID_IETF_ATTR_STRING:
 			proper = sanitize_chunk(this->encoded);
 			snprintf(buf, sizeof(buf), "%.*s", proper.len, proper.ptr);
 			chunk_free(&proper);
@@ -1169,6 +1171,8 @@ identification_t *identification_create_from_encoding(id_type_t type, chunk_t en
 		case ID_PUBKEY_INFO_SHA1:
 		case ID_PUBKEY_SHA1:
 		case ID_CERT_DER_SHA1:
+		case ID_EAP:
+		case ID_IETF_ATTR_STRING:
 		default:
 			break;
 	}
diff --git a/src/libstrongswan/utils/identification.h b/src/libstrongswan/utils/identification.h
index 591909411..3b895961d 100644
--- a/src/libstrongswan/utils/identification.h
+++ b/src/libstrongswan/utils/identification.h
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: identification.h 3838 2008-04-18 11:24:45Z tobias $
+ * $Id: identification.h 4344 2008-09-17 02:17:01Z andreas $
  */
  
 /**
@@ -131,17 +131,27 @@ enum id_type_t {
 	/**
 	 * SHA1 hash over PKCS#1 subjectPublicKeyInfo
 	 */
-	ID_PUBKEY_INFO_SHA1,
+	ID_PUBKEY_INFO_SHA1 = 202,
 	
 	/**
 	 * SHA1 hash over PKCS#1 subjectPublicKey
 	 */
-	ID_PUBKEY_SHA1,
+	ID_PUBKEY_SHA1 = 203,
 	
 	/**
 	 * SHA1 hash of the binary DER encoding of a certificate
 	 */
-	ID_CERT_DER_SHA1,
+	ID_CERT_DER_SHA1 = 204,
+	
+	/**
+	 * Generic EAP identity
+	 */
+	ID_EAP = 205,
+
+	/**
+	 * IETF Attribute Syntax String (RFC 3281)
+	 */
+	ID_IETF_ATTR_STRING = 206,
 };
 
 /**
diff --git a/src/libstrongswan/utils/leak_detective.c b/src/libstrongswan/utils/leak_detective.c
index cff5a1c81..bc7f56ebd 100644
--- a/src/libstrongswan/utils/leak_detective.c
+++ b/src/libstrongswan/utils/leak_detective.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: leak_detective.c 4044 2008-06-06 15:05:54Z martin $
+ * $Id: leak_detective.c 4311 2008-08-28 16:27:48Z martin $
  */
 
 #ifdef HAVE_DLADDR
@@ -262,6 +262,7 @@ char *whitelist[] = {
 	/* ignore dlopen, as we do not dlclose to get proper leak reports */
 	"dlopen",
 	"dlerror",
+	"dlclose",
 	/* mysql functions */
 	"mysql_init_character_set",
 	"init_client_errs",
@@ -277,6 +278,7 @@ char *whitelist[] = {
 	/* OpenSSL */
 	"RSA_new_method",
 	"DH_new_method",
+	"ENGINE_load_builtin_engines",
 };
 
 /**
@@ -558,6 +560,7 @@ leak_detective_t *leak_detective_create()
 	
 	if (getenv("LEAK_DETECTIVE_DISABLE") == NULL)
 	{
+		lib->leak_detective = TRUE;
 		install_hooks();
 	}
 	return &this->public;
diff --git a/src/manager/Makefile.in b/src/manager/Makefile.in
index c79dce4d4..900d94b3a 100644
--- a/src/manager/Makefile.in
+++ b/src/manager/Makefile.in
@@ -212,6 +212,8 @@ localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
diff --git a/src/manager/main.c b/src/manager/main.c
index 59d534e30..e556a7415 100644
--- a/src/manager/main.c
+++ b/src/manager/main.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: main.c 3967 2008-05-16 08:52:32Z martin $
+ * $Id: main.c 4333 2008-09-04 16:19:46Z andreas $
  */
 
 #include <dispatcher.h>
@@ -42,7 +42,7 @@ int main (int arc, char *argv[])
 	
 	socket = lib->settings->get_str(lib->settings, "manager.socket", NULL);
 	debug = lib->settings->get_bool(lib->settings, "manager.debug", FALSE);
-	timeout = lib->settings->get_int(lib->settings, "manager.timeout", 900);
+	timeout = lib->settings->get_time(lib->settings, "manager.timeout", 900);
 	threads = lib->settings->get_int(lib->settings, "manager.threads", 10);
 	database = lib->settings->get_str(lib->settings, "manager.database", NULL);
 	if (!database)
diff --git a/src/medsrv/Makefile.in b/src/medsrv/Makefile.in
index 4c2ced763..42b3db6c6 100644
--- a/src/medsrv/Makefile.in
+++ b/src/medsrv/Makefile.in
@@ -198,6 +198,8 @@ localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
diff --git a/src/medsrv/main.c b/src/medsrv/main.c
index 00975e93a..1f7b675bb 100644
--- a/src/medsrv/main.c
+++ b/src/medsrv/main.c
@@ -41,7 +41,7 @@ int main(int arc, char *argv[])
 	
 	socket = lib->settings->get_str(lib->settings, "medsrv.socket", NULL);
 	debug = lib->settings->get_bool(lib->settings, "medsrv.debug", FALSE);
-	timeout = lib->settings->get_int(lib->settings, "medsrv.timeout", 900);
+	timeout = lib->settings->get_time(lib->settings, "medsrv.timeout", 900);
 	threads = lib->settings->get_int(lib->settings, "medsrv.threads", 5);
 	uri = lib->settings->get_str(lib->settings, "medsrv.database", NULL);
 	if (uri == NULL)
diff --git a/src/openac/Makefile.in b/src/openac/Makefile.in
index 00977e038..f25073a21 100644
--- a/src/openac/Makefile.in
+++ b/src/openac/Makefile.in
@@ -184,6 +184,8 @@ localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
diff --git a/src/openac/openac.c b/src/openac/openac.c
index 48dc57ece..5d9cd92d3 100755
--- a/src/openac/openac.c
+++ b/src/openac/openac.c
@@ -20,7 +20,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: openac.c 3967 2008-05-16 08:52:32Z martin $
+ * RCSID $Id: openac.c 4345 2008-09-17 08:10:48Z martin $
  */
 
 #include <stdio.h>
@@ -103,6 +103,10 @@ static chunk_t mpz_to_chunk(mpz_t number)
 
 	chunk.len = 1 + mpz_sizeinbase(number, 2)/BITS_PER_BYTE;
 	chunk.ptr = mpz_export(NULL, NULL, 1, chunk.len, 1, 0, number);
+	if (chunk.ptr == NULL)
+	{
+		chunk.len = 0;
+	}
 	return chunk;
 }
 
@@ -191,6 +195,7 @@ static private_key_t* private_key_create_from_file(char *path, chunk_t *secret)
 	}
 	key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
 							 BUILD_BLOB_ASN1_DER, chunk, BUILD_END);
+	free(chunk.ptr);
 	if (key == NULL)
 	{
 		DBG1("  could not parse loaded private key file '%s'", path);
@@ -527,14 +532,15 @@ int main(int argc, char **argv)
 
 		attr_cert = lib->creds->create(lib->creds,
 							CRED_CERTIFICATE, CERT_X509_AC,
-							BUILD_CERT, userCert->get_ref(userCert),
+							BUILD_CERT, userCert,
 							BUILD_NOT_BEFORE_TIME, notBefore,
 							BUILD_NOT_AFTER_TIME, notAfter,
 							BUILD_SERIAL, serial,
 							BUILD_IETF_GROUP_ATTR, groups,
-							BUILD_SIGNING_CERT, signerCert->get_ref(signerCert),
-							BUILD_SIGNING_KEY, signerKey->get_ref(signerKey),
+							BUILD_SIGNING_CERT, signerCert,
+							BUILD_SIGNING_KEY, signerKey,
 							BUILD_END);
+		free(serial.ptr);
 		if (!attr_cert)
 		{
 			goto end;
diff --git a/src/pluto/Makefile.am b/src/pluto/Makefile.am
index 156b81018..c28fbf6e0 100644
--- a/src/pluto/Makefile.am
+++ b/src/pluto/Makefile.am
@@ -139,3 +139,7 @@ if USE_SMARTCARD
   AM_CFLAGS += -DSMARTCARD
 endif
 
+if USE_CAPABILITIES
+  pluto_LDADD += -lcap
+endif
+
diff --git a/src/pluto/Makefile.in b/src/pluto/Makefile.in
index 42017641c..6ea863973 100644
--- a/src/pluto/Makefile.in
+++ b/src/pluto/Makefile.in
@@ -60,6 +60,7 @@ ipsec_PROGRAMS = pluto$(EXEEXT) _pluto_adns$(EXEEXT)
 
 # This compile option activates smartcard support
 @USE_SMARTCARD_TRUE@am__append_9 = -DSMARTCARD
+@USE_CAPABILITIES_TRUE@am__append_10 = -lcap
 subdir = src/pluto
 DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.am \
 	$(srcdir)/Makefile.in TODO
@@ -102,7 +103,7 @@ pluto_OBJECTS = $(am_pluto_OBJECTS)
 am__DEPENDENCIES_1 =
 pluto_DEPENDENCIES = oid.o $(LIBFREESWANDIR)/libfreeswan.a \
 	$(LIBCRYPTODIR)/libcrypto.a $(am__DEPENDENCIES_1) \
-	$(am__DEPENDENCIES_1)
+	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1)
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
@@ -239,6 +240,8 @@ localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
@@ -339,7 +342,7 @@ AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" -DIPSEC_CONFDIR=\"${confdir}\" \
 	$(am__append_8) $(am__append_9)
 pluto_LDADD = oid.o $(LIBFREESWANDIR)/libfreeswan.a \
 	$(LIBCRYPTODIR)/libcrypto.a -lgmp -lresolv -lpthread -ldl \
-	$(am__append_5) $(am__append_7)
+	$(am__append_5) $(am__append_7) $(am__append_10)
 _pluto_adns_LDADD = \
 $(LIBFREESWANDIR)/libfreeswan.a \
 -lresolv -ldl
diff --git a/src/pluto/log.c b/src/pluto/log.c
index 0fb5f1d25..b7c1ba8b8 100644
--- a/src/pluto/log.c
+++ b/src/pluto/log.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: log.c 4024 2008-05-29 07:49:47Z andreas $
+ * RCSID $Id: log.c 4246 2008-08-03 18:01:21Z andreas $
  */
 
 #include <stdio.h>
@@ -95,8 +95,8 @@ void
 close_peerlog(void)
 {
     /* exit if the queue has not been initialized */
-    if (TAILQ_LAST(&perpeer_list, perpeer) == NULL)
-       return;
+    if (perpeer_list.tqh_first == NULL)
+      return;
 
     /* end of queue is given by pointer to "HEAD" */
     while (TAILQ_LAST(&perpeer_list, perpeer) != (void *)&perpeer_list)
diff --git a/src/pluto/plutomain.c b/src/pluto/plutomain.c
index 5662c5c41..a39934f1f 100644
--- a/src/pluto/plutomain.c
+++ b/src/pluto/plutomain.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: plutomain.c 3914 2008-05-08 10:58:04Z martin $
+ * RCSID $Id: plutomain.c 4313 2008-08-29 09:24:14Z martin $
  */
 
 #include <stdio.h>
@@ -29,11 +29,14 @@
 #include <resolv.h>
 #include <arpa/nameser.h>	/* missing from <resolv.h> on old systems */
 #include <sys/queue.h>
-#include <linux/capability.h>
 #include <sys/prctl.h>
 #include <pwd.h>
 #include <grp.h>
 
+#ifdef CAPABILITIES
+#include <sys/capability.h>
+#endif /* CAPABILITIES */
+
 #include <freeswan.h>
 
 #include <pfkeyv2.h>
@@ -68,11 +71,6 @@
 #include "nat_traversal.h"
 #include "virtual.h"
 
-/* on some distros, a capset() definition is missing */
-#ifdef NO_CAPSET_DEFINED
-extern int capset(cap_user_header_t hdrp, const cap_user_data_t datap);
-#endif /* NO_CAPSET_DEFINED */
-
 static void
 usage(const char *mess)
 {
@@ -236,8 +234,10 @@ main(int argc, char **argv)
     bool force_keepalive = FALSE;
     char *virtual_private = NULL;
     int lockfd;
-    struct __user_cap_header_struct hdr;
-    struct __user_cap_data_struct data;
+#ifdef CAPABILITIES
+    cap_t caps;
+    int keep[] = { CAP_NET_ADMIN, CAP_NET_BIND_SERVICE };
+#endif /* CAPABILITIES */
 
     /* handle arguments */
     for (;;)
@@ -619,14 +619,6 @@ main(int argc, char **argv)
     init_fetch();
 
     /* drop unneeded capabilities and change UID/GID */
-#ifdef _LINUX_CAPABILITY_VERSION_1
-    hdr.version = _LINUX_CAPABILITY_VERSION_1;
-#else
-    hdr.version = _LINUX_CAPABILITY_VERSION;
-#endif
-    hdr.pid = 0;
-    data.inheritable = data.effective = data.permitted = 
-				1<<CAP_NET_ADMIN | 1<<CAP_NET_BIND_SERVICE;
 
     prctl(PR_SET_KEEPCAPS, 1);
 	
@@ -656,11 +648,19 @@ main(int argc, char **argv)
 	}
 	}
 #endif
-    if (capset(&hdr, &data))
+
+#ifdef CAPABILITIES
+    caps = cap_init();
+    cap_set_flag(caps, CAP_EFFECTIVE, 2, keep, CAP_SET);
+    cap_set_flag(caps, CAP_INHERITABLE, 2, keep, CAP_SET);
+    cap_set_flag(caps, CAP_PERMITTED, 2, keep, CAP_SET);
+    if (cap_set_proc(caps) != 0)
     {
-	plog("unable to drop root privileges");
+	plog("unable to drop daemon capabilities");
 	abort();
     }
+    cap_free(caps);
+#endif /* CAPABILITIES */
 
     /* loading X.509 CA certificates */
     load_authcerts("CA cert", CA_CERT_PATH, AUTH_CA);
diff --git a/src/pluto/vendor.c b/src/pluto/vendor.c
index 3b779ed24..1db4027d1 100644
--- a/src/pluto/vendor.c
+++ b/src/pluto/vendor.c
@@ -11,7 +11,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: vendor.c 4016 2008-05-25 10:35:39Z andreas $
+ * RCSID $Id: vendor.c 4348 2008-09-18 00:42:22Z andreas $
  */
 
 #include <stdlib.h>
@@ -206,7 +206,11 @@ static struct vid_struct _vid_tab[] = {
 	/*
 	 * strongSwan
 	 */
-	DEC_MD5_VID(STRONGSWAN,       "strongSwan 4.2.4")
+	DEC_MD5_VID(STRONGSWAN,       "strongSwan 4.2.8")
+	DEC_MD5_VID(STRONGSWAN_4_2_7, "strongSwan 4.2.7")
+	DEC_MD5_VID(STRONGSWAN_4_2_6, "strongSwan 4.2.6")
+	DEC_MD5_VID(STRONGSWAN_4_2_5, "strongSwan 4.2.5")
+	DEC_MD5_VID(STRONGSWAN_4_2_4, "strongSwan 4.2.4")
 	DEC_MD5_VID(STRONGSWAN_4_2_3, "strongSwan 4.2.3")
 	DEC_MD5_VID(STRONGSWAN_4_2_2, "strongSwan 4.2.2")
 	DEC_MD5_VID(STRONGSWAN_4_2_1, "strongSwan 4.2.1")
diff --git a/src/pluto/vendor.h b/src/pluto/vendor.h
index c1d8870bc..cf6b68e51 100644
--- a/src/pluto/vendor.h
+++ b/src/pluto/vendor.h
@@ -11,7 +11,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: vendor.h 4016 2008-05-25 10:35:39Z andreas $
+ * RCSID $Id: vendor.h 4348 2008-09-18 00:42:22Z andreas $
  */
 
 #ifndef _VENDOR_H_
@@ -120,6 +120,10 @@ enum known_vendorid {
   VID_STRONGSWAN_4_2_1		=101,
   VID_STRONGSWAN_4_2_2		=102,
   VID_STRONGSWAN_4_2_3		=103,
+  VID_STRONGSWAN_4_2_4		=104,
+  VID_STRONGSWAN_4_2_5		=105,
+  VID_STRONGSWAN_4_2_6		=106,
+  VID_STRONGSWAN_4_2_7		=107,
 
   /* 101 - 200 : NAT-Traversal */
   VID_NATT_STENBERG_01		=151,
diff --git a/src/scepclient/Makefile.in b/src/scepclient/Makefile.in
index 9198ab229..0e751d00b 100644
--- a/src/scepclient/Makefile.in
+++ b/src/scepclient/Makefile.in
@@ -197,6 +197,8 @@ localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
diff --git a/src/starter/Makefile.in b/src/starter/Makefile.in
index 03bb318a5..4150a60e7 100644
--- a/src/starter/Makefile.in
+++ b/src/starter/Makefile.in
@@ -191,6 +191,8 @@ localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
diff --git a/src/starter/args.c b/src/starter/args.c
index 8a0262d8d..7af3b6310 100644
--- a/src/starter/args.c
+++ b/src/starter/args.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: args.c 3932 2008-05-12 10:05:49Z andreas $
+ * RCSID $Id: args.c 4276 2008-08-22 10:44:51Z martin $
  */
 
 #include <stddef.h>
@@ -202,6 +202,7 @@ static const token_info_t token_info[] =
     { ARG_MISC, 0, NULL  /* KW_AUTH */                                             },
     { ARG_MISC, 0, NULL  /* KW_AUTHBY */                                           },
     { ARG_MISC, 0, NULL  /* KW_EAP */                                              },
+    { ARG_STR,  offsetof(starter_conn_t, eap_identity), NULL                       },
     { ARG_MISC, 0, NULL  /* KW_MOBIKE */                                           },
     { ARG_MISC, 0, NULL  /* KW_FORCEENCAPS */                                      },
     { ARG_TIME, offsetof(starter_conn_t, sa_ike_life_seconds), NULL                },
diff --git a/src/starter/confread.c b/src/starter/confread.c
index df9be43bb..959a98b77 100644
--- a/src/starter/confread.c
+++ b/src/starter/confread.c
@@ -11,7 +11,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: confread.c 4051 2008-06-10 09:08:27Z tobias $
+ * RCSID $Id: confread.c 4269 2008-08-21 12:10:07Z martin $
  */
 
 #include <stddef.h>
@@ -588,6 +588,10 @@ load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg)
 			{
 				conn->eap_type = 4;
 			}
+			else if (streq(kw->value, "gtc"))
+			{
+				conn->eap_type = 6;
+			}
 			else
 			{
 				conn->eap_type = atoi(kw->value);
@@ -931,8 +935,9 @@ confread_load(const char *file)
 	/* load IPSec configuration file  */
 	cfgp = parser_load_conf(file);
 	if (!cfgp)
+	{
 		return NULL;
-
+	}
 	cfg = (starter_config_t *)alloc_thing(starter_config_t, "starter_config_t");
 
 	/* set default values */
diff --git a/src/starter/confread.h b/src/starter/confread.h
index 41f02476f..2c6e45984 100644
--- a/src/starter/confread.h
+++ b/src/starter/confread.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: confread.h 3932 2008-05-12 10:05:49Z andreas $
+ * RCSID $Id: confread.h 4276 2008-08-22 10:44:51Z martin $
  */
 
 #ifndef _IPSEC_CONFREAD_H_
@@ -105,6 +105,7 @@ struct starter_conn {
 	keyexchange_t	keyexchange;
 	u_int32_t	eap_type;
 	u_int32_t	eap_vendor;
+	char		*eap_identity;
 	lset_t 		policy;
 	time_t 		sa_ike_life_seconds;
 	time_t		sa_ipsec_life_seconds;
diff --git a/src/starter/invokecharon.c b/src/starter/invokecharon.c
index 849a0af32..96baa4773 100644
--- a/src/starter/invokecharon.c
+++ b/src/starter/invokecharon.c
@@ -14,7 +14,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: invokecharon.c 3928 2008-05-11 07:59:00Z andreas $
+ * RCSID $Id: invokecharon.c 4243 2008-08-01 10:35:59Z andreas $
  */
 
 #include <sys/types.h>
@@ -63,38 +63,46 @@ starter_charon_sigchild(pid_t pid)
 int
 starter_stop_charon (void)
 {
-    pid_t pid;
     int i;
+    pid_t pid = _charon_pid;
 
-    pid = _charon_pid;
     if (pid)
     {
 	_stop_requested = 1;
 
 	/* be more and more aggressive */
-	for (i = 0; i < 20 && (pid = _charon_pid) != 0; i++)
+	for (i = 0; i < 50 && (pid = _charon_pid) != 0; i++)
 	{
-		if (i == 0)
-			kill(pid, SIGINT);
-	    else if (i < 10)
-			kill(pid, SIGTERM);
-	    else if (i == 10)
+	    if (i == 0)
 	    {
-			kill(pid, SIGKILL);
-			plog("starter_stop_charon(): charon does not respond, sending KILL");
+		kill(pid, SIGINT);
+	    }
+	    else if (i < 40)
+	    {
+		kill(pid, SIGTERM);
+	    }
+	    else if (i == 40)
+	    {
+		kill(pid, SIGKILL);
+		plog("starter_stop_charon(): charon does not respond, sending KILL");
 	    }
 	    else
-			kill(pid, SIGKILL);
-	    usleep(200000);
+	    {
+		kill(pid, SIGKILL);
+	    }
+	    usleep(200000); /* sleep for 200 ms */
 	}
 	if (_charon_pid == 0)
+	{
+	    plog("charon stopped after %d ms", 200*i);
 	    return 0;
+	}
 	plog("starter_stop_charon(): can't stop charon !!!");
 	return -1;
     }
     else
     {
-	plog("stater_stop_charon(): charon is not started...");
+	plog("stater_stop_charon(): charon was not started...");
     }
     return -1;
 }
@@ -177,15 +185,13 @@ starter_start_charon (starter_config_t *cfg, bool no_fork)
 	default:
 	    /* father */
 		_charon_pid = pid;
-		for (i = 0; i < 50 && _charon_pid; i++)
+		for (i = 0; i < 500 && _charon_pid; i++)
 	    {
-		/* wait for charon */
+		/* wait for charon for a maximum of 500 x 20 ms = 10 s */
 		usleep(20000);
 		if (stat(CHARON_PID_FILE, &stb) == 0)
 		{
-		    DBG(DBG_CONTROL,
-			DBG_log("charon (%d) started", _charon_pid)
-		    )
+		    plog("charon (%d) started after %d ms", _charon_pid, 20*(i+1));
 		    return 0;
 		}
 	    }
@@ -195,12 +201,18 @@ starter_start_charon (starter_config_t *cfg, bool no_fork)
 		plog("charon too long to start... - kill kill");
 		for (i = 0; i < 20 && (pid = _charon_pid) != 0; i++)
 		{
-			if (i == 0)
+		    if (i == 0)
+		    {
 			kill(pid, SIGINT);
+		    }
 		    else if (i < 10)
+		    {
 			kill(pid, SIGTERM);
+		    }
 		    else
+		    {
 			kill(pid, SIGKILL);
+		    }
 		    usleep(20000);
 		}
 	    }
diff --git a/src/starter/ipsec.conf.5 b/src/starter/ipsec.conf.5
index bf8bcc0d2..40ff27d0b 100644
--- a/src/starter/ipsec.conf.5
+++ b/src/starter/ipsec.conf.5
@@ -1,5 +1,5 @@
 .TH IPSEC.CONF 5 "27 Jun 2007"
-.\" RCSID $Id: ipsec.conf.5 3934 2008-05-12 12:46:30Z andreas $
+.\" RCSID $Id: ipsec.conf.5 4360 2008-09-30 12:36:58Z martin $
 .SH NAME
 ipsec.conf \- IPsec configuration and connections
 .SH DESCRIPTION
@@ -366,6 +366,14 @@ in the form
 .B eap=7-12345
 ) can be used to specify vendor specific EAP types.
 .TP
+.B eap_identity
+defines the identity the client uses to reply to a EAP Identity request.
+If defined on the EAP server, the defined identity will be used as peer
+identity during EAP authentication. The special value 
+.B %identity
+uses the EAP Identity method to ask the client for a EAP identity. If not
+defined, the IKEv2 identity will be used as EAP identity.
+.TP
 .B esp
 ESP encryption/authentication algorithm to be used
 for the connection, e.g.
@@ -678,8 +686,8 @@ enables the IKEv2 MOBIKE protocol defined by RFC 4555. Accepted values are
 .BR no .
 If set to
 .BR no ,
-the IKEv2 charon daemon will not actively propose MOBIKE but will still
-accept and support the protocol as a responder.
+the IKEv2 charon daemon will not actively propose MOBIKE as initiator and
+ignore the MOBIKE_SUPPORTED notify as responder.
 .TP
 .B modeconfig
 defines which mode is used to assign a virtual IP.
@@ -706,6 +714,10 @@ PFS is enforced by defining a Diffie-Hellman modp group in the
 .B esp
 parameter.
 .TP
+.B pfsgroup 
+defines a Diffie-Hellman group for perfect forward secrecy in IKEv1 Quick Mode
+differing from the DH group used for IKEv1 Main Mode (IKEv1 only).
+.TP
 .B reauth
 whether rekeying of an IKE_SA should also reauthenticate the peer. In IKEv1,
 reauthentication is always done. In IKEv2, a value of
diff --git a/src/starter/keywords.c b/src/starter/keywords.c
index b96019d83..35c17b9b5 100644
--- a/src/starter/keywords.c
+++ b/src/starter/keywords.c
@@ -44,7 +44,7 @@ error "gperf generated tables don't work with this execution character set. Plea
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: keywords.txt 3928 2008-05-11 07:59:00Z andreas $
+ * RCSID $Id: keywords.txt 4276 2008-08-22 10:44:51Z martin $
  */
 
 #include <string.h>
@@ -56,12 +56,12 @@ struct kw_entry {
     kw_token_t token;
 };
 
-#define TOTAL_KEYWORDS 100
+#define TOTAL_KEYWORDS 101
 #define MIN_WORD_LENGTH 3
 #define MAX_WORD_LENGTH 17
 #define MIN_HASH_VALUE 6
-#define MAX_HASH_VALUE 263
-/* maximum key range = 258, duplicates = 0 */
+#define MAX_HASH_VALUE 248
+/* maximum key range = 243, duplicates = 0 */
 
 #ifdef __GNUC__
 __inline
@@ -75,34 +75,34 @@ hash (str, len)
      register const char *str;
      register unsigned int len;
 {
-  static const unsigned short asso_values[] =
+  static const unsigned char asso_values[] =
     {
-      264, 264, 264, 264, 264, 264, 264, 264, 264, 264,
-      264, 264, 264, 264, 264, 264, 264, 264, 264, 264,
-      264, 264, 264, 264, 264, 264, 264, 264, 264, 264,
-      264, 264, 264, 264, 264, 264, 264, 264, 264, 264,
-      264, 264, 264, 264, 264, 264, 264, 264, 264,  10,
-        0, 264, 264, 264, 264, 264, 264, 264, 264, 264,
-      264, 264, 264, 264, 264, 264, 264, 264, 264, 264,
-      264, 264, 264, 264, 264, 264, 264, 264, 264, 264,
-      264, 264, 264, 264, 264, 264, 264, 264, 264, 264,
-      264, 264, 264, 264, 264, 264, 264,  15, 264,   0,
-      100,   5,  90,  85,  60,   0, 264,  60,  10,  55,
-       80,  75,  15, 264,   0,  50,  35,   5,  25, 264,
-       10,  75,   0, 264, 264, 264, 264, 264, 264, 264,
-      264, 264, 264, 264, 264, 264, 264, 264, 264, 264,
-      264, 264, 264, 264, 264, 264, 264, 264, 264, 264,
-      264, 264, 264, 264, 264, 264, 264, 264, 264, 264,
-      264, 264, 264, 264, 264, 264, 264, 264, 264, 264,
-      264, 264, 264, 264, 264, 264, 264, 264, 264, 264,
-      264, 264, 264, 264, 264, 264, 264, 264, 264, 264,
-      264, 264, 264, 264, 264, 264, 264, 264, 264, 264,
-      264, 264, 264, 264, 264, 264, 264, 264, 264, 264,
-      264, 264, 264, 264, 264, 264, 264, 264, 264, 264,
-      264, 264, 264, 264, 264, 264, 264, 264, 264, 264,
-      264, 264, 264, 264, 264, 264, 264, 264, 264, 264,
-      264, 264, 264, 264, 264, 264, 264, 264, 264, 264,
-      264, 264, 264, 264, 264, 264
+      249, 249, 249, 249, 249, 249, 249, 249, 249, 249,
+      249, 249, 249, 249, 249, 249, 249, 249, 249, 249,
+      249, 249, 249, 249, 249, 249, 249, 249, 249, 249,
+      249, 249, 249, 249, 249, 249, 249, 249, 249, 249,
+      249, 249, 249, 249, 249, 249, 249, 249, 249,  25,
+       10, 249, 249, 249, 249, 249, 249, 249, 249, 249,
+      249, 249, 249, 249, 249, 249, 249, 249, 249, 249,
+      249, 249, 249, 249, 249, 249, 249, 249, 249, 249,
+      249, 249, 249, 249, 249, 249, 249, 249, 249, 249,
+      249, 249, 249, 249, 249, 249, 249, 110, 249,   0,
+      100,   5,  75,  65,  90,   0, 249,  60,  10,  15,
+       80,  60,  15, 249,   0,  50,  35,  15,  30, 249,
+        0,  75,   0, 249, 249, 249, 249, 249, 249, 249,
+      249, 249, 249, 249, 249, 249, 249, 249, 249, 249,
+      249, 249, 249, 249, 249, 249, 249, 249, 249, 249,
+      249, 249, 249, 249, 249, 249, 249, 249, 249, 249,
+      249, 249, 249, 249, 249, 249, 249, 249, 249, 249,
+      249, 249, 249, 249, 249, 249, 249, 249, 249, 249,
+      249, 249, 249, 249, 249, 249, 249, 249, 249, 249,
+      249, 249, 249, 249, 249, 249, 249, 249, 249, 249,
+      249, 249, 249, 249, 249, 249, 249, 249, 249, 249,
+      249, 249, 249, 249, 249, 249, 249, 249, 249, 249,
+      249, 249, 249, 249, 249, 249, 249, 249, 249, 249,
+      249, 249, 249, 249, 249, 249, 249, 249, 249, 249,
+      249, 249, 249, 249, 249, 249, 249, 249, 249, 249,
+      249, 249, 249, 249, 249, 249
     };
   return len + asso_values[(unsigned char)str[1]] + asso_values[(unsigned char)str[0]] + asso_values[(unsigned char)str[len - 1]];
 }
@@ -111,40 +111,39 @@ static const struct kw_entry wordlist[] =
   {
     {""}, {""}, {""}, {""}, {""}, {""},
     {"crluri",            KW_CRLURI},
-    {"crluri2",           KW_CRLURI2},
-    {""}, {""}, {""}, {""}, {""}, {""},
+    {""}, {""}, {""}, {""}, {""}, {""}, {""},
     {"rekeyfuzz",         KW_REKEYFUZZ},
     {""}, {""},
-    {"crluri1",           KW_CRLURI},
+    {"crluri2",           KW_CRLURI2},
     {""}, {""}, {""},
     {"certuribase",       KW_CERTURIBASE},
-    {"rightca",           KW_RIGHTCA},
+    {""},
     {"rightfirewall",     KW_RIGHTFIREWALL},
     {""},
     {"rightnatip",        KW_RIGHTNATIP},
     {"crlcheckinterval",  KW_CRLCHECKINTERVAL},
     {"rightnexthop",      KW_RIGHTNEXTHOP},
     {"rightsourceip",     KW_RIGHTSOURCEIP},
-    {""}, {""}, {""}, {""}, {""}, {""}, {""},
-    {"leftca",            KW_LEFTCA},
+    {""}, {""}, {""},
+    {"crluri1",           KW_CRLURI},
+    {""}, {""}, {""}, {""},
     {"leftfirewall",      KW_LEFTFIREWALL},
-    {"eap",               KW_EAP},
+    {""},
     {"leftnatip",         KW_LEFTNATIP},
     {"right",             KW_RIGHT},
     {"leftnexthop",       KW_LEFTNEXTHOP},
     {"leftsourceip",      KW_LEFTSOURCEIP},
     {""},
     {"rightcert",         KW_RIGHTCERT},
-    {"virtual_private",   KW_VIRTUAL_PRIVATE},
+    {""},
     {"rightsubnet",       KW_RIGHTSUBNET},
     {""},
     {"rightsendcert",     KW_RIGHTSENDCERT},
     {"rightprotoport",    KW_RIGHTPROTOPORT},
-    {""}, {""}, {""}, {""},
+    {"virtual_private",   KW_VIRTUAL_PRIVATE},
+    {""}, {""}, {""},
     {"left",              KW_LEFT},
-    {""},
-    {"cacert",            KW_CACERT},
-    {""},
+    {""}, {""}, {""},
     {"leftcert",          KW_LEFTCERT,},
     {""},
     {"leftsubnet",        KW_LEFTSUBNET},
@@ -153,29 +152,30 @@ static const struct kw_entry wordlist[] =
     {"leftprotoport",     KW_LEFTPROTOPORT},
     {""},
     {"righthostaccess",   KW_RIGHTHOSTACCESS},
-    {""}, {""},
+    {""},
+    {"ocspuri",           KW_OCSPURI},
     {"ike",               KW_IKE},
     {""},
     {"plutostart",        KW_PLUTOSTART},
-    {"reauth",            KW_REAUTH},
-    {""},
+    {""}, {""},
     {"esp",               KW_ESP},
-    {"cachecrls",         KW_CACHECRLS},
+    {""},
     {"leftgroups",        KW_LEFTGROUPS},
     {"ikelifetime",       KW_IKELIFETIME},
     {"keylife",           KW_KEYLIFE},
-    {"packetdefault",     KW_PACKETDEFAULT},
+    {"ocspuri2",          KW_OCSPURI2},
     {"lefthostaccess",    KW_LEFTHOSTACCESS},
     {"keep_alive",        KW_KEEP_ALIVE},
     {"keyexchange",       KW_KEYEXCHANGE},
-    {"ocspuri",           KW_OCSPURI},
-    {"ocspuri2",          KW_OCSPURI2},
-    {"auth",              KW_AUTH},
+    {""},
+    {"prepluto",          KW_PREPLUTO},
+    {""},
     {"rekey",             KW_REKEY},
-    {""}, {""},
+    {"mobike",	           KW_MOBIKE},
+    {""},
     {"rightallowany",     KW_RIGHTALLOWANY},
     {"rightrsasigkey",    KW_RIGHTRSASIGKEY},
-    {"xauth",             KW_XAUTH},
+    {""},
     {"rightupdown",       KW_RIGHTUPDOWN},
     {"pkcs11module",      KW_PKCS11MODULE},
     {"ocspuri1",          KW_OCSPURI},
@@ -183,78 +183,90 @@ static const struct kw_entry wordlist[] =
     {"pkcs11keepstate",   KW_PKCS11KEEPSTATE},
     {"rekeymargin",       KW_REKEYMARGIN},
     {"rightsubnetwithin", KW_RIGHTSUBNETWITHIN},
-    {"prepluto",          KW_PREPLUTO},
-    {"auto",              KW_AUTO},
+    {"fragicmp",          KW_FRAGICMP},
     {""},
-    {"authby",            KW_AUTHBY},
+    {"plutodebug",        KW_PLUTODEBUG},
+    {"reauth",            KW_REAUTH},
     {"leftallowany",      KW_LEFTALLOWANY},
     {"leftrsasigkey",     KW_LEFTRSASIGKEY},
-    {"also",              KW_ALSO},
+    {"plutostderrlog",    KW_PLUTOSTDERRLOG},
     {"leftupdown",        KW_LEFTUPDOWN},
-    {"charonstart",       KW_CHARONSTART},
+    {"mediated_by",       KW_MEDIATED_BY},
     {"rightid",           KW_RIGHTID},
-    {""}, {""}, {""},
+    {""},
+    {"mediation",         KW_MEDIATION},
+    {""},
     {"leftsubnetwithin",  KW_LEFTSUBNETWITHIN},
-    {"dumpdir",           KW_DUMPDIR},
-    {"fragicmp",          KW_FRAGICMP},
+    {""},
+    {"pfsgroup",          KW_PFSGROUP},
     {""}, {""},
     {"overridemtu",       KW_OVERRIDEMTU},
-    {"hidetos",           KW_HIDETOS},
-    {"nat_traversal",     KW_NAT_TRAVERSAL},
+    {"rightca",           KW_RIGHTCA},
+    {"compress",          KW_COMPRESS},
     {"type",              KW_TYPE},
-    {"plutodebug",        KW_PLUTODEBUG},
-    {"leftid",            KW_LEFTID},
     {""},
+    {"leftid",            KW_LEFTID},
+    {"dumpdir",           KW_DUMPDIR},
     {"ldapbase",          KW_LDAPBASE},
-    {"plutostderrlog",    KW_PLUTOSTDERRLOG},
-    {""},
+    {""}, {""},
     {"keyingtries",       KW_KEYINGTRIES},
+    {""}, {""},
+    {"me_peerid",         KW_ME_PEERID},
     {""},
-    {"pfsgroup",          KW_PFSGROUP},
-    {""}, {""}, {""}, {""},
-    {"compress",          KW_COMPRESS},
-    {""}, {""}, {""}, {""}, {""},
+    {"leftca",            KW_LEFTCA},
+    {""},
+    {"eap",               KW_EAP},
+    {""}, {""},
+    {"charonstart",       KW_CHARONSTART},
+    {""}, {""},
     {"pkcs11initargs",    KW_PKCS11INITARGS},
     {"interfaces",        KW_INTERFACES},
-    {"mobike",	           KW_MOBIKE},
     {""}, {""},
-    {"uniqueids",         KW_UNIQUEIDS},
+    {"pfs",               KW_PFS},
+    {"postpluto",         KW_POSTPLUTO},
+    {"klipsdebug",        KW_KLIPSDEBUG},
     {""},
-    {"mediated_by",       KW_MEDIATED_BY},
-    {""}, {""},
-    {"mediation",         KW_MEDIATION},
-    {""}, {""}, {""},
-    {"ldaphost",          KW_LDAPHOST},
+    {"hidetos",           KW_HIDETOS},
     {""}, {""},
-    {"charondebug",       KW_CHARONDEBUG},
-    {""},
-    {"pfs",               KW_PFS},
+    {"modeconfig",        KW_MODECONFIG},
+    {"cacert",            KW_CACERT},
     {""},
+    {"ldaphost",          KW_LDAPHOST},
+    {"uniqueids",         KW_UNIQUEIDS},
+    {"force_keepalive",   KW_FORCE_KEEPALIVE},
+    {""}, {""}, {""}, {""},
     {"dpdtimeout",        KW_DPDTIMEOUT},
     {"pkcs11proxy",       KW_PKCS11PROXY},
-    {""}, {""}, {""},
-    {"klipsdebug",        KW_KLIPSDEBUG},
-    {""}, {""}, {""},
-    {"me_peerid",         KW_ME_PEERID},
     {""}, {""}, {""}, {""},
-    {"postpluto",         KW_POSTPLUTO},
-    {"strictcrlpolicy",   KW_STRICTCRLPOLICY},
-    {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""},
-    {"force_keepalive",   KW_FORCE_KEEPALIVE},
-    {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""},
+    {"charondebug",       KW_CHARONDEBUG},
+    {""}, {""},
+    {"cachecrls",         KW_CACHECRLS},
     {""}, {""}, {""},
+    {"packetdefault",     KW_PACKETDEFAULT},
+    {""},
+    {"strictcrlpolicy",   KW_STRICTCRLPOLICY},
+    {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""},
+    {"also",              KW_ALSO},
+    {""}, {""}, {""}, {""},
+    {"auto",              KW_AUTO},
+    {""}, {""}, {""}, {""}, {""}, {""},
+    {"forceencaps",       KW_FORCEENCAPS},
+    {""},
     {"dpddelay",          KW_DPDDELAY},
-    {""}, {""}, {""}, {""}, {""},
+    {""}, {""}, {""},
+    {"eap_identity",      KW_EAP_IDENTITY},
+    {""},
     {"dpdaction",         KW_DPDACTION},
-    {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""},
-    {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""},
-    {""}, {""},
-    {"modeconfig",        KW_MODECONFIG},
-    {"forceencaps",       KW_FORCEENCAPS},
-    {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""},
+    {"xauth",             KW_XAUTH},
+    {"authby",            KW_AUTHBY},
+    {""}, {""}, {""}, {""}, {""}, {""},
+    {"nat_traversal",     KW_NAT_TRAVERSAL},
+    {""}, {""}, {""}, {""}, {""},
+    {"auth",              KW_AUTH},
     {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""},
     {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""},
     {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""},
+    {""},
     {"nocrsend",          KW_NOCRSEND}
   };
 
diff --git a/src/starter/keywords.h b/src/starter/keywords.h
index 39b544267..1efa5dc2b 100644
--- a/src/starter/keywords.h
+++ b/src/starter/keywords.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: keywords.h 3928 2008-05-11 07:59:00Z andreas $
+ * RCSID $Id: keywords.h 4276 2008-08-22 10:44:51Z martin $
  */
 
 #ifndef _KEYWORDS_H_
@@ -71,6 +71,7 @@ typedef enum {
     KW_AUTH,
     KW_AUTHBY,
     KW_EAP,
+    KW_EAP_IDENTITY,
     KW_MOBIKE,
     KW_FORCEENCAPS,
     KW_IKELIFETIME,
diff --git a/src/starter/keywords.txt b/src/starter/keywords.txt
index d0435d1c7..29bd404b5 100644
--- a/src/starter/keywords.txt
+++ b/src/starter/keywords.txt
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: keywords.txt 3928 2008-05-11 07:59:00Z andreas $
+ * RCSID $Id: keywords.txt 4276 2008-08-22 10:44:51Z martin $
  */
 
 #include <string.h>
@@ -50,6 +50,7 @@ keep_alive,        KW_KEEP_ALIVE
 force_keepalive,   KW_FORCE_KEEPALIVE
 virtual_private,   KW_VIRTUAL_PRIVATE
 eap,               KW_EAP
+eap_identity,      KW_EAP_IDENTITY
 mobike,	           KW_MOBIKE
 forceencaps,       KW_FORCEENCAPS
 pkcs11module,      KW_PKCS11MODULE
diff --git a/src/starter/starter.c b/src/starter/starter.c
index 6ff0ac29c..61f21d88c 100644
--- a/src/starter/starter.c
+++ b/src/starter/starter.c
@@ -11,7 +11,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: starter.c 3914 2008-05-08 10:58:04Z martin $
+ * RCSID $Id: starter.c 4140 2008-07-02 05:51:49Z andreas $
  */
 
 #include <sys/types.h>
@@ -452,7 +452,7 @@ int main (int argc, char **argv)
 	       );
 	    new_cfg = confread_load(CONFIG_FILE);
 
-	    if (new_cfg->err + new_cfg->non_fatal_err == 0)
+	    if (new_cfg && (new_cfg->err + new_cfg->non_fatal_err == 0))
 	    {
 		/* Switch to new config. New conn will be loaded below */
 		if (!starter_cmp_defaultroute(&new_cfg->defaultroute
@@ -546,7 +546,10 @@ int main (int argc, char **argv)
 	    else
 	    {
 		plog("can't reload config file due to errors -- keeping old one");
-		confread_free(new_cfg);
+		if (new_cfg)
+		{
+		    confread_free(new_cfg);
+		}
 	    }
 	    _action_ &= ~FLAG_ACTION_UPDATE;
 	    last_reload = time(NULL);
diff --git a/src/starter/starterstroke.c b/src/starter/starterstroke.c
index ffd5d28a6..4ee73128b 100644
--- a/src/starter/starterstroke.c
+++ b/src/starter/starterstroke.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: starterstroke.c 4100 2008-06-24 13:36:10Z martin $
+ * RCSID $Id: starterstroke.c 4276 2008-08-22 10:44:51Z martin $
  */
 
 #include <sys/types.h>
@@ -227,6 +227,7 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
 	}
 	msg.add_conn.eap_type = conn->eap_type;
 	msg.add_conn.eap_vendor = conn->eap_vendor;
+	msg.add_conn.eap_identity = push_string(&msg, conn->eap_identity);
 	
 	if (conn->policy & POLICY_TUNNEL)
 	{
diff --git a/src/stroke/Makefile.in b/src/stroke/Makefile.in
index 4f3373d23..06d9e07ef 100644
--- a/src/stroke/Makefile.in
+++ b/src/stroke/Makefile.in
@@ -179,6 +179,8 @@ localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
diff --git a/src/stroke/stroke.c b/src/stroke/stroke.c
index 55f98f751..d100c2107 100644
--- a/src/stroke/stroke.c
+++ b/src/stroke/stroke.c
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: stroke.c 3875 2008-04-25 12:41:37Z martin $
+ * RCSID $Id: stroke.c 4384 2008-10-08 07:00:13Z andreas $
  */
 
 #include <stdlib.h>
@@ -158,6 +158,17 @@ static int terminate_connection(char *name)
 	return send_stroke_msg(&msg);
 }
 
+static int terminate_connection_srcip(char *start, char *end)
+{
+	stroke_msg_t msg;
+	
+	msg.type = STR_TERMINATE_SRCIP;
+	msg.length = offsetof(stroke_msg_t, buffer);
+	msg.terminate_srcip.start = push_string(&msg, start);
+	msg.terminate_srcip.end = push_string(&msg, end);
+	return send_stroke_msg(&msg);
+}
+
 static int route_connection(char *name)
 {
 	stroke_msg_t msg;
@@ -189,6 +200,7 @@ static int show_status(stroke_keyword_t kw, char *connection)
 }
 
 static int list_flags[] = {
+	LIST_PUBKEYS,
 	LIST_CERTS,
 	LIST_CACERTS,
 	LIST_OCSPCERTS,
@@ -198,6 +210,7 @@ static int list_flags[] = {
 	LIST_CAINFOS,
 	LIST_CRLS,
 	LIST_OCSP,
+	LIST_ALGS,
 	LIST_ALL
 };
 
@@ -284,6 +297,9 @@ static void exit_usage(char *error)
 	printf("  Terminate a connection:\n");
 	printf("    stroke down NAME\n");
 	printf("    where: NAME is a connection name added with \"stroke add\"\n");
+	printf("  Terminate a connection by remote srcip:\n");
+	printf("    stroke down-srcip START [END]\n");
+	printf("    where: START and optional END define the clients source IP\n");
 	printf("  Set loglevel for a logging type:\n");
 	printf("    stroke loglevel TYPE LEVEL\n");
 	printf("    where: TYPE is any|dmn|mgr|ike|chd|job|cfg|knl|net|enc|lib\n");
@@ -294,6 +310,8 @@ static void exit_usage(char *error)
 	printf("    stroke listcacerts|listocspcerts|listaacerts|listacerts\n");
 	printf("  Show list of end entity certificates, ca info records  and crls:\n");
 	printf("    stroke listcerts|listcainfos|listcrls|listall\n");
+	printf("  Show list of supported algorithms:\n");
+	printf("    stroke listalgs\n");
 	printf("  Reload authority and attribute certificates:\n");
 	printf("    stroke rereadcacerts|rereadocspcerts|rereadaacerts|rereadacerts\n");
 	printf("  Reload secrets and crls:\n");
@@ -354,6 +372,13 @@ int main(int argc, char *argv[])
 			}
 			res = terminate_connection(argv[2]);
 			break;
+		case STROKE_DOWN_SRCIP:
+			if (argc < 3)
+			{
+				exit_usage("\"down-srcip\" needs start and optional end address");
+			}
+			res = terminate_connection_srcip(argv[2], argc > 3 ? argv[3] : NULL);
+			break;
 		case STROKE_ROUTE:
 			if (argc < 3)
 			{
@@ -379,6 +404,7 @@ int main(int argc, char *argv[])
 		case STROKE_STATUSALL:
 			res = show_status(token->kw, argc > 2 ? argv[2] : NULL);
 			break;
+		case STROKE_LIST_PUBKEYS:
 		case STROKE_LIST_CERTS:
 		case STROKE_LIST_CACERTS:
 		case STROKE_LIST_OCSPCERTS:
@@ -387,6 +413,7 @@ int main(int argc, char *argv[])
 		case STROKE_LIST_CAINFOS:
 		case STROKE_LIST_CRLS:
 		case STROKE_LIST_OCSP:
+		case STROKE_LIST_ALGS:
 		case STROKE_LIST_ALL:
 			res = list(token->kw, argc > 2 && strcmp(argv[2], "--utc") == 0);
 			break;
diff --git a/src/stroke/stroke_keywords.c b/src/stroke/stroke_keywords.c
index ad37732fa..17bcda47c 100644
--- a/src/stroke/stroke_keywords.c
+++ b/src/stroke/stroke_keywords.c
@@ -44,7 +44,7 @@ error "gperf generated tables don't work with this execution character set. Plea
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: stroke_keywords.txt 3271 2007-10-08 20:12:25Z andreas $
+ * RCSID $Id: stroke_keywords.txt 4384 2008-10-08 07:00:13Z andreas $
  */
 
 #include <string.h>
@@ -56,12 +56,12 @@ struct stroke_token {
     stroke_keyword_t kw;
 };
 
-#define TOTAL_KEYWORDS 28
+#define TOTAL_KEYWORDS 31
 #define MIN_WORD_LENGTH 2
 #define MAX_WORD_LENGTH 15
 #define MIN_HASH_VALUE 3
-#define MAX_HASH_VALUE 45
-/* maximum key range = 43, duplicates = 0 */
+#define MAX_HASH_VALUE 48
+/* maximum key range = 46, duplicates = 0 */
 
 #ifdef __GNUC__
 __inline
@@ -77,32 +77,32 @@ hash (str, len)
 {
   static const unsigned char asso_values[] =
     {
-      46, 46, 46, 46, 46, 46, 46, 46, 46, 46,
-      46, 46, 46, 46, 46, 46, 46, 46, 46, 46,
-      46, 46, 46, 46, 46, 46, 46, 46, 46, 46,
-      46, 46, 46, 46, 46, 46, 46, 46, 46, 46,
-      46, 46, 46, 46, 46, 46, 46, 46, 46, 46,
-      46, 46, 46, 46, 46, 46, 46, 46, 46, 46,
-      46, 46, 46, 46, 46, 46, 46, 46, 46, 46,
-      46, 46, 46, 46, 46, 46, 46, 46, 46, 46,
-      46, 46, 46, 46, 46, 46, 46, 46, 46, 46,
-      46, 46, 46, 46, 46, 46, 46,  0, 46,  5,
-      28,  0, 46,  0, 46, 20, 46, 46,  0, 46,
-      46, 20,  0, 46, 10, 10,  0, 10, 46, 46,
-      46, 46, 46, 46, 46, 46, 46, 46, 46, 46,
-      46, 46, 46, 46, 46, 46, 46, 46, 46, 46,
-      46, 46, 46, 46, 46, 46, 46, 46, 46, 46,
-      46, 46, 46, 46, 46, 46, 46, 46, 46, 46,
-      46, 46, 46, 46, 46, 46, 46, 46, 46, 46,
-      46, 46, 46, 46, 46, 46, 46, 46, 46, 46,
-      46, 46, 46, 46, 46, 46, 46, 46, 46, 46,
-      46, 46, 46, 46, 46, 46, 46, 46, 46, 46,
-      46, 46, 46, 46, 46, 46, 46, 46, 46, 46,
-      46, 46, 46, 46, 46, 46, 46, 46, 46, 46,
-      46, 46, 46, 46, 46, 46, 46, 46, 46, 46,
-      46, 46, 46, 46, 46, 46, 46, 46, 46, 46,
-      46, 46, 46, 46, 46, 46, 46, 46, 46, 46,
-      46, 46, 46, 46, 46, 46
+      49, 49, 49, 49, 49, 49, 49, 49, 49, 49,
+      49, 49, 49, 49, 49, 49, 49, 49, 49, 49,
+      49, 49, 49, 49, 49, 49, 49, 49, 49, 49,
+      49, 49, 49, 49, 49, 49, 49, 49, 49, 49,
+      49, 49, 49, 49, 49,  0, 49, 49, 49, 49,
+      49, 49, 49, 49, 49, 49, 49, 49, 49, 49,
+      49, 49, 49, 49, 49, 49, 49, 49, 49, 49,
+      49, 49, 49, 49, 49, 49, 49, 49, 49, 49,
+      49, 49, 49, 49, 49, 49, 49, 49, 49, 49,
+      49, 49, 49, 49, 49, 49, 49,  0,  0,  5,
+      28,  0, 49, 10, 49, 20, 49, 49,  0, 49,
+      49, 20,  0, 49, 10, 10,  0, 10, 49, 49,
+      49, 49, 49, 49, 49, 49, 49, 49, 49, 49,
+      49, 49, 49, 49, 49, 49, 49, 49, 49, 49,
+      49, 49, 49, 49, 49, 49, 49, 49, 49, 49,
+      49, 49, 49, 49, 49, 49, 49, 49, 49, 49,
+      49, 49, 49, 49, 49, 49, 49, 49, 49, 49,
+      49, 49, 49, 49, 49, 49, 49, 49, 49, 49,
+      49, 49, 49, 49, 49, 49, 49, 49, 49, 49,
+      49, 49, 49, 49, 49, 49, 49, 49, 49, 49,
+      49, 49, 49, 49, 49, 49, 49, 49, 49, 49,
+      49, 49, 49, 49, 49, 49, 49, 49, 49, 49,
+      49, 49, 49, 49, 49, 49, 49, 49, 49, 49,
+      49, 49, 49, 49, 49, 49, 49, 49, 49, 49,
+      49, 49, 49, 49, 49, 49, 49, 49, 49, 49,
+      49, 49, 49, 49, 49, 49
     };
   register int hval = len;
 
@@ -134,13 +134,14 @@ static const struct stroke_token wordlist[] =
     {"loglevel",        STROKE_LOGLEVEL},
     {""},
     {"listacerts",      STROKE_LIST_ACERTS},
-    {""},
+    {"listpubkeys",     STROKE_LIST_PUBKEYS},
     {"up",              STROKE_UP},
     {"listcrls",        STROKE_LIST_CRLS},
     {"purgeocsp",       STROKE_PURGE_OCSP},
     {"route",           STROKE_ROUTE},
     {"listaacerts",     STROKE_LIST_AACERTS},
-    {""}, {""},
+    {""},
+    {"listalgs",        STROKE_LIST_ALGS},
     {"rereadall",       STROKE_REREAD_ALL},
     {""},
     {"listcacerts",     STROKE_LIST_CACERTS},
@@ -152,7 +153,7 @@ static const struct stroke_token wordlist[] =
     {"unroute",         STROKE_UNROUTE},
     {"rereadcacerts",   STROKE_REREAD_CACERTS},
     {"statusall",       STROKE_STATUSALL},
-    {"listgroups",      STROKE_LIST_GROUPS},
+    {""},
     {"del",             STROKE_DEL},
     {"down",            STROKE_DOWN},
     {"rereadsecrets",   STROKE_REREAD_SECRETS},
@@ -161,10 +162,14 @@ static const struct stroke_token wordlist[] =
     {"listcainfos",     STROKE_LIST_CAINFOS},
     {""},
     {"listocsp",        STROKE_LIST_OCSP},
-    {""}, {""}, {""}, {""},
+    {""},
+    {"listgroups",      STROKE_LIST_GROUPS},
+    {""}, {""},
     {"listocspcerts",   STROKE_LIST_OCSPCERTS},
     {""},
-    {"rereadocspcerts", STROKE_REREAD_OCSPCERTS}
+    {"rereadocspcerts", STROKE_REREAD_OCSPCERTS},
+    {""}, {""},
+    {"down-srcip",      STROKE_DOWN_SRCIP}
   };
 
 #ifdef __GNUC__
diff --git a/src/stroke/stroke_keywords.h b/src/stroke/stroke_keywords.h
index e73aa5ca9..0ad221153 100644
--- a/src/stroke/stroke_keywords.h
+++ b/src/stroke/stroke_keywords.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: stroke_keywords.h 3271 2007-10-08 20:12:25Z andreas $
+ * RCSID $Id: stroke_keywords.h 4384 2008-10-08 07:00:13Z andreas $
  */
 
 #ifndef _STROKE_KEYWORDS_H_
@@ -26,9 +26,11 @@ typedef enum {
 	STROKE_UNROUTE,
 	STROKE_UP,
 	STROKE_DOWN,
+	STROKE_DOWN_SRCIP,
 	STROKE_LOGLEVEL,
 	STROKE_STATUS,
 	STROKE_STATUSALL,
+	STROKE_LIST_PUBKEYS,
 	STROKE_LIST_CERTS,
 	STROKE_LIST_CACERTS,
 	STROKE_LIST_OCSPCERTS,
@@ -38,6 +40,7 @@ typedef enum {
 	STROKE_LIST_CAINFOS,
 	STROKE_LIST_CRLS,
 	STROKE_LIST_OCSP,
+	STROKE_LIST_ALGS,
 	STROKE_LIST_ALL,
 	STROKE_REREAD_SECRETS,
 	STROKE_REREAD_CACERTS,
@@ -49,7 +52,7 @@ typedef enum {
 	STROKE_PURGE_OCSP
 } stroke_keyword_t;
 
-#define STROKE_LIST_FIRST		STROKE_LIST_CERTS
+#define STROKE_LIST_FIRST		STROKE_LIST_PUBKEYS
 #define STROKE_REREAD_FIRST		STROKE_REREAD_SECRETS
 #define STROKE_PURGE_FIRST		STROKE_PURGE_OCSP
 
diff --git a/src/stroke/stroke_keywords.txt b/src/stroke/stroke_keywords.txt
index f36beb19a..ba35e8bcc 100644
--- a/src/stroke/stroke_keywords.txt
+++ b/src/stroke/stroke_keywords.txt
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: stroke_keywords.txt 3271 2007-10-08 20:12:25Z andreas $
+ * RCSID $Id: stroke_keywords.txt 4384 2008-10-08 07:00:13Z andreas $
  */
 
 #include <string.h>
@@ -33,9 +33,11 @@ route,           STROKE_ROUTE
 unroute,         STROKE_UNROUTE
 up,              STROKE_UP
 down,            STROKE_DOWN
+down-srcip,      STROKE_DOWN_SRCIP
 loglevel,        STROKE_LOGLEVEL
 status,          STROKE_STATUS
 statusall,       STROKE_STATUSALL
+listpubkeys,     STROKE_LIST_PUBKEYS
 listcerts,       STROKE_LIST_CERTS
 listcacerts,     STROKE_LIST_CACERTS
 listocspcerts,   STROKE_LIST_OCSPCERTS
@@ -45,6 +47,7 @@ listgroups,      STROKE_LIST_GROUPS
 listcainfos,     STROKE_LIST_CAINFOS
 listcrls,        STROKE_LIST_CRLS
 listocsp,        STROKE_LIST_OCSP
+listalgs,        STROKE_LIST_ALGS
 listall,         STROKE_LIST_ALL
 rereadsecrets,   STROKE_REREAD_SECRETS
 rereadcacerts,   STROKE_REREAD_CACERTS
diff --git a/src/stroke/stroke_msg.h b/src/stroke/stroke_msg.h
index 6aa5d8a49..4d2fb1071 100644
--- a/src/stroke/stroke_msg.h
+++ b/src/stroke/stroke_msg.h
@@ -19,7 +19,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: stroke_msg.h 3920 2008-05-08 16:19:11Z tobias $
+ * RCSID $Id: stroke_msg.h 4384 2008-10-08 07:00:13Z andreas $
  */
 
 #ifndef STROKE_MSG_H_
@@ -43,26 +43,30 @@ typedef enum list_flag_t list_flag_t;
 enum list_flag_t {
 	/** don't list anything */
 	LIST_NONE =			0x0000,
+	/** list all raw public keys */
+	LIST_PUBKEYS =		0x0001,
 	/** list all host/user certs */
-	LIST_CERTS =		0x0001,
+	LIST_CERTS =		0x0002,
 	/** list all ca certs */
-	LIST_CACERTS =		0x0002,
+	LIST_CACERTS =		0x0004,
 	/** list all ocsp signer certs */
-	LIST_OCSPCERTS =	0x0004,
+	LIST_OCSPCERTS =	0x0008,
 	/** list all aa certs */
-	LIST_AACERTS =		0x0008,
+	LIST_AACERTS =		0x0010,
 	/** list all attribute certs */
-	LIST_ACERTS =		0x0010,
+	LIST_ACERTS =		0x0020,
 	/** list all access control groups */
-	LIST_GROUPS =		0x0020,
+	LIST_GROUPS =		0x0040,
 	/** list all ca information records */
-	LIST_CAINFOS =		0x0040,
+	LIST_CAINFOS =		0x0080,
 	/** list all crls */
-	LIST_CRLS =			0x0080,
+	LIST_CRLS =			0x0100,
 	/** list all ocsp cache entries */
-	LIST_OCSP =			0x0100,
+	LIST_OCSP =			0x0200,
+	/** list all supported algorithms */
+	LIST_ALGS =			0x0400,
 	/** all list options */
-	LIST_ALL =			0x01FF,
+	LIST_ALL =			0x07FF,
 };
 
 typedef enum reread_flag_t reread_flag_t;
@@ -158,6 +162,8 @@ struct stroke_msg_t {
 		STR_DEL_CONN,
 		/* terminate connection */
 		STR_TERMINATE,
+		/* terminate connection by peers srcip/virtual ip */
+		STR_TERMINATE_SRCIP,
 		/* show connection status */
 		STR_STATUS,
 		/* show verbose connection status */
@@ -187,6 +193,12 @@ struct stroke_msg_t {
 		struct {
 			char *name;
 		} initiate, route, unroute, terminate, status, del_conn, del_ca;
+		
+		/* data for STR_TERMINATE_SRCIP */
+		struct {
+			char *start;
+			char *end;
+		} terminate_srcip;
 
 		/* data for STR_ADD_CONN */
 		struct {
@@ -195,6 +207,7 @@ struct stroke_msg_t {
 			int auth_method;
 			u_int32_t eap_type;
 			u_int32_t eap_vendor;
+			char *eap_identity;
 			int mode;
 			int mobike;
 			int force_encap;
diff --git a/src/whack/Makefile.in b/src/whack/Makefile.in
index 86f92790a..1ca24ef3a 100644
--- a/src/whack/Makefile.in
+++ b/src/whack/Makefile.in
@@ -179,6 +179,8 @@ localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
diff --git a/testing/INSTALL b/testing/INSTALL
index f7124cfd7..69cdd7624 100644
--- a/testing/INSTALL
+++ b/testing/INSTALL
@@ -53,17 +53,16 @@ are required for the strongSwan testing environment:
     * A vanilla Linux kernel on which the UML kernel will be based on.
       We recommend the use of
 
-      http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.24.4.tar.bz2
+      http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.26.5.tar.bz2
 
-    * Starting with Linux kernel 2.6.9 no patch must be applied any more in order
-      to make the vanilla kernel UML-capable. For older kernels you'll find
-      a matching UML patch at
+    * The Linux kernel 2.6.26 requires the following patch for the uml guest kernel
+      to successfully start up:
 
-      http://prdownloads.sourceforge.net/user-mode-linux/
+      http://download.strongswan.org/uml/uml-2.6.26.patch.bz2
 
     * The matching .config file required to compile the UML kernel:
 
-      http://download.strongswan.org/uml/.config-2.6.24
+      http://download.strongswan.org/uml/.config-2.6.26
 
     * A gentoo-based UML file system (compressed size 130 MBytes) found at
 
@@ -71,7 +70,7 @@ are required for the strongSwan testing environment:
 
     * The latest strongSwan distribution
 
-      http://download.strongswan.org/strongswan-4.2.4.tar.bz2
+      http://download.strongswan.org/strongswan-4.2.8.tar.bz2
 
 
 3. Creating the environment
@@ -146,5 +145,5 @@ README document.
 
 -----------------------------------------------------------------------------
 
-This file is RCSID $Id: INSTALL 4016 2008-05-25 10:35:39Z andreas $
+This file is RCSID $Id: INSTALL 4348 2008-09-18 00:42:22Z andreas $
 
diff --git a/testing/Makefile.in b/testing/Makefile.in
index 62e84dbf8..3ceb82887 100644
--- a/testing/Makefile.in
+++ b/testing/Makefile.in
@@ -160,6 +160,8 @@ localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
diff --git a/testing/hosts/default/etc/ipsec.d/tables.sql b/testing/hosts/default/etc/ipsec.d/tables.sql
index 6b5be2bcf..269709542 100644
--- a/testing/hosts/default/etc/ipsec.d/tables.sql
+++ b/testing/hosts/default/etc/ipsec.d/tables.sql
@@ -145,35 +145,42 @@ CREATE TABLE pools (
   name TEXT NOT NULL,
   start BLOB NOT NULL,
   end BLOB NOT NULL,
-  next BLOB NOT NULL,
-  timeout INTEGER DEFAULT NULL,
-  UNIQUE (name)
+  timeout INTEGER NOT NULL
 );
 DROP INDEX IF EXISTS pools_name;
 CREATE INDEX pools_name ON pools (
   name
 );
 
-DROP TABLE IF EXISTS leases;
-CREATE TABLE leases (
+DROP TABLE IF EXISTS addresses;
+CREATE TABLE addresses (
   id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
   pool INTEGER NOT NULL,
   address BLOB NOT NULL,
-  identity INTEGER NOT NULL,
-  acquired INTEGER NOT NULL,
-  released INTEGER DEFAULT NULL
+  identity INTEGER NOT NULL DEFAULT 0,
+  acquired INTEGER NOT NULL DEFAULT 0,
+  released INTEGER NOT NULL DEFAULT 1
 );
-DROP INDEX IF EXISTS leases_pool;
-CREATE INDEX leases_pool ON leases (
+DROP INDEX IF EXISTS addresses_pool;
+CREATE INDEX addresses_pool ON addresses (
   pool
 );
-DROP INDEX IF EXISTS leases_identity;
-CREATE INDEX leases_identity ON leases (
+DROP INDEX IF EXISTS addresses_address;
+CREATE INDEX addresses_address ON addresses (
+  address
+);
+DROP INDEX IF EXISTS addresses_identity;
+CREATE INDEX addresses_identity ON addresses (
   identity
 );
-DROP INDEX IF EXISTS leases_released;
-CREATE INDEX leases_released ON leases (
-  released
+
+DROP TABLE IF EXISTS leases;
+CREATE TABLE leases (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  address INTEGER NOT NULL,
+  identity INTEGER NOT NULL,
+  acquired INTEGER NOT NULL,
+  released INTEGER NOT NULL
 );
 
 DROP TABLE IF EXISTS ike_sas;
diff --git a/testing/images/a-m-c-w-d-s.png b/testing/images/a-m-c-w-d-s.png
new file mode 100644
index 000000000..e6b81549c
Binary files /dev/null and b/testing/images/a-m-c-w-d-s.png differ
diff --git a/testing/images/a-m-w-s-b-ip4-in-ip6.png b/testing/images/a-m-w-s-b-ip4-in-ip6.png
new file mode 100644
index 000000000..119ae36f6
Binary files /dev/null and b/testing/images/a-m-w-s-b-ip4-in-ip6.png differ
diff --git a/testing/images/a-m-w-s-b-ip6-in-ip4.png b/testing/images/a-m-w-s-b-ip6-in-ip4.png
new file mode 100644
index 000000000..a63295f0e
Binary files /dev/null and b/testing/images/a-m-w-s-b-ip6-in-ip4.png differ
diff --git a/testing/scripts/build-umlrootfs b/testing/scripts/build-umlrootfs
index 6a385dd28..b54493de8 100755
--- a/testing/scripts/build-umlrootfs
+++ b/testing/scripts/build-umlrootfs
@@ -14,7 +14,7 @@
 # or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 # for more details.
 #
-# RCSID $Id: build-umlrootfs 4035 2008-06-05 07:25:27Z andreas $
+# RCSID $Id: build-umlrootfs 4425 2008-10-13 22:54:09Z andreas $
 
 DIR=`dirname $0`
 
@@ -148,6 +148,7 @@ fi
 if [ "$USE_EAP_SIM" = "yes" ]
 then
     echo -n " --enable-eap-sim" >> $INSTALLSHELL
+    echo -n " --enable-eap-sim-file" >> $INSTALLSHELL
     fi
 
 if [ "$USE_EAP_MD5" = "yes" ]
@@ -155,6 +156,11 @@ then
     echo -n " --enable-eap-md5" >> $INSTALLSHELL
     fi
 
+if [ "$USE_EAP_IDENTITY" = "yes" ]
+then
+    echo -n " --enable-eap-identity" >> $INSTALLSHELL
+fi
+
 if [ "$USE_SQL" = "yes" ]
 then
     echo -n " --enable-sql --enable-sqlite" >> $INSTALLSHELL
@@ -169,7 +175,12 @@ if [ "$USE_OPENSSL" = "yes" ]
 then
     echo -n " --enable-openssl" >> $INSTALLSHELL
 fi
-    
+
+if [ "$USE_KERNEL_PFKEY" = "yes" ]
+then
+    echo -n " --enable-kernel-pfkey" >> $INSTALLSHELL
+fi
+  
 if [ "$USE_INTEGRITY_TEST" = "yes" ]
 then
     echo -n " --enable-integrity-test" >> $INSTALLSHELL
diff --git a/testing/scripts/gstart-umls b/testing/scripts/gstart-umls
index 40869d0a8..e5e993661 100755
--- a/testing/scripts/gstart-umls
+++ b/testing/scripts/gstart-umls
@@ -14,7 +14,7 @@
 # or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 # for more details.
 #
-# RCSID $Id: gstart-umls 3912 2008-05-08 08:22:07Z andreas $
+# RCSID $Id: gstart-umls 4370 2008-10-07 04:56:50Z andreas $
 
 DIR=`dirname $0`
 
@@ -119,6 +119,7 @@ do
 
     if [ "$host" = "alice" ]
     then
+	sleep 5
 	eval ipv4_${host}="`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $1 }' | awk '{ print $1 }'`"
 	ssh root@$ipv4_alice /etc/init.d/net.eth1 stop
     fi
diff --git a/testing/scripts/kstart-umls b/testing/scripts/kstart-umls
index 62cbf83cf..b67382a25 100755
--- a/testing/scripts/kstart-umls
+++ b/testing/scripts/kstart-umls
@@ -14,7 +14,7 @@
 # or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 # for more details.
 #
-# RCSID $Id: kstart-umls 3514 2008-02-29 17:00:07Z andreas $
+# RCSID $Id: kstart-umls 4370 2008-10-07 04:56:50Z andreas $
 
 DIR=`dirname $0`
 
@@ -119,6 +119,7 @@ do
 
     if [ "$host" = "alice" ]
     then
+	sleep 5
 	eval ipv4_${host}="`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $1 }' | awk '{ print $1 }'`"
 	ssh root@$ipv4_alice /etc/init.d/net.eth1 stop
     fi
diff --git a/testing/scripts/start-umls b/testing/scripts/start-umls
index 7490cdf0b..823a53f5b 100755
--- a/testing/scripts/start-umls
+++ b/testing/scripts/start-umls
@@ -14,7 +14,7 @@
 # or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 # for more details.
 #
-# RCSID $Id: start-umls 3590 2008-03-13 14:20:20Z martin $
+# RCSID $Id: start-umls 4370 2008-10-07 04:56:50Z andreas $
 
 DIR=`dirname $0`
 
@@ -110,6 +110,7 @@ do
 
     if [ "$host" = "alice" ]
     then
+	sleep 5
 	eval ipv4_${host}="`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $1 }' | awk '{ print $1 }'`"
 	ssh root@$ipv4_alice /etc/init.d/net.eth1 stop
     fi
diff --git a/testing/scripts/xstart-umls b/testing/scripts/xstart-umls
index 8d2a70c4d..f03452844 100755
--- a/testing/scripts/xstart-umls
+++ b/testing/scripts/xstart-umls
@@ -14,7 +14,7 @@
 # or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 # for more details.
 #
-# RCSID $Id: xstart-umls 3590 2008-03-13 14:20:20Z martin $
+# RCSID $Id: xstart-umls 4370 2008-10-07 04:56:50Z andreas $
 
 DIR=`dirname $0`
 
@@ -119,6 +119,7 @@ do
 
     if [ "$host" = "alice" ]
     then
+	sleep 5
 	eval ipv4_${host}="`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $1 }' | awk '{ print $1 }'`"
 	ssh root@$ipv4_alice /etc/init.d/net.eth1 stop
     fi
diff --git a/testing/testing.conf b/testing/testing.conf
index ae4bc92ae..e5af9174c 100755
--- a/testing/testing.conf
+++ b/testing/testing.conf
@@ -14,14 +14,14 @@
 # or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 # for more details.
 #
-# RCSID $Id: testing.conf 4022 2008-05-28 14:13:40Z andreas $
+# RCSID $Id: testing.conf 4417 2008-10-13 00:09:44Z andreas $
 
 # Root directory of testing
 UMLTESTDIR=~/strongswan-testing
 
 # Bzipped kernel sources
 # (file extension .tar.bz2 required)
-KERNEL=$UMLTESTDIR/linux-2.6.26-rc3.tar.bz2
+KERNEL=$UMLTESTDIR/linux-2.6.27.tar.bz2
 
 # Extract kernel version
 KERNELVERSION=`basename $KERNEL .tar.bz2 | sed -e 's/linux-//'`
@@ -30,21 +30,22 @@ KERNELVERSION=`basename $KERNEL .tar.bz2 | sed -e 's/linux-//'`
 KERNELCONFIG=$UMLTESTDIR/.config-2.6.26
 
 # Bzipped uml patch for kernel
-# (not needed anymore for 2.6.9 kernel or higher)
-#UMLPATCH=$UMLTESTDIR/uml_jmpbuf-2.6.18.patch.bz2
+UMLPATCH=$UMLTESTDIR/uml-2.6.26.patch.bz2
 
 # Bzipped source of strongSwan
-STRONGSWAN=$UMLTESTDIR/strongswan-4.2.4.tar.bz2
+STRONGSWAN=$UMLTESTDIR/strongswan-4.2.8.tar.bz2
 
 # strongSwan compile options (use "yes" or "no")
 USE_LIBCURL="yes"
 USE_LDAP="yes"
 USE_EAP_AKA="yes"
-USE EAP_SIM="yes"
+USE_EAP_SIM="yes"
 USE_EAP_MD5="yes"
+USE_EAP_IDENTITY="yes"
 USE_SQL="yes"
 USE_MEDIATION="yes"
 USE_OPENSSL="yes"
+USE_KERNEL_PFKEY="no"
 USE_INTEGRITY_TEST="no"
 USE_LEAK_DETECTIVE="no"
 
diff --git a/testing/tests/ike/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/ike/rw-cert/hosts/dave/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ike/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ike/rw-cert/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ike/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ike/rw-cert/hosts/moon/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ike/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ike/rw-cert/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ike/rw_v1-net_v2/hosts/moon/etc/strongswan.conf b/testing/tests/ike/rw_v1-net_v2/hosts/moon/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ike/rw_v1-net_v2/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ike/rw_v1-net_v2/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ike/rw_v1-net_v2/hosts/sun/etc/strongswan.conf b/testing/tests/ike/rw_v1-net_v2/hosts/sun/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ike/rw_v1-net_v2/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ike/rw_v1-net_v2/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/any-interface/description.txt b/testing/tests/ikev2/any-interface/description.txt
new file mode 100644
index 000000000..5ce8bec34
--- /dev/null
+++ b/testing/tests/ikev2/any-interface/description.txt
@@ -0,0 +1,8 @@
+By setting <b>left=%any</b> this scenario tests the ability of the IKEv2 daemon
+to automatically determine its own IP address of an IPsec SA to be established.
+This is achieved by finding a route via the correct network interface to the remote IPsec peer.
+<p>
+The hosts <b>moon</b> and <b>bob</b> act as initiators by setting <b>auto=route</b>
+whereas the hosts <b>alice</b> and <b>sun</b> act as responders by setting <b>auto=add</b>.
+Pings from <b>moon</b> to <b>alice</b> and <b>sun</b> as well as a ping from <b>bob</b>
+to <b>sun</b> set up three compressed IPsec Transport Mode connections.
diff --git a/testing/tests/ikev2/any-interface/evaltest.dat b/testing/tests/ikev2/any-interface/evaltest.dat
new file mode 100644
index 000000000..cd8fa2b60
--- /dev/null
+++ b/testing/tests/ikev2/any-interface/evaltest.dat
@@ -0,0 +1,14 @@
+moon::cat /var/log/daemon.log::creating acquire job for CHILD_SA::YES
+bob::cat /var/log/daemon.log::creating acquire job for CHILD_SA::YES
+moon::ipsec statusall::alice.*INSTALLED, TRANSPORT::YES
+moon::ipsec statusall::sun.*INSTALLED, TRANSPORT::YES
+alice::ipsec statusall::remote.*INSTALLED, TRANSPORT::YES
+sun::ipsec statusall::remote.*INSTALLED, TRANSPORT::YES
+bob::ipsec statusall::sun.*INSTALLED, TRANSPORT::YES
+alice::tcpdump::IP moon1.strongswan.org > alice.strongswan.org: ESP::YES
+alice::tcpdump::IP alice.strongswan.org > moon1.strongswan.org: ESP::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
+bob::tcpdump::IP bob.strongswan.org > sun1.strongswan.org: ESP::YES
+bob::tcpdump::IP sun1.strongswan.org > bob.strongswan.org: ESP::YES
+
diff --git a/testing/tests/ikev2/any-interface/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/any-interface/hosts/alice/etc/ipsec.conf
new file mode 100755
index 000000000..eb7dfe848
--- /dev/null
+++ b/testing/tests/ikev2/any-interface/hosts/alice/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+        keyingtries=1
+	keyexchange=ikev2
+	mobike=no
+	type=transport
+	compress=yes
+	dpdaction=clear
+	dpddelay=10
+	left=%any
+	leftcert=aliceCert.pem
+
+conn remote
+	right=%any
+	auto=add
diff --git a/testing/tests/ikev2/any-interface/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/any-interface/hosts/alice/etc/strongswan.conf
new file mode 100644
index 000000000..ef63f7262
--- /dev/null
+++ b/testing/tests/ikev2/any-interface/hosts/alice/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+}
diff --git a/testing/tests/ikev2/any-interface/hosts/bob/etc/ipsec.conf b/testing/tests/ikev2/any-interface/hosts/bob/etc/ipsec.conf
new file mode 100755
index 000000000..40d029b3e
--- /dev/null
+++ b/testing/tests/ikev2/any-interface/hosts/bob/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+        keyingtries=1
+	keyexchange=ikev2
+	mobike=no
+	type=transport
+	compress=yes
+	dpdaction=hold
+	dpddelay=10
+	left=%any
+	leftcert=bobCert.pem
+
+conn sun 
+	right=PH_IP_SUN1
+	rightid="C=CH, O=Linux strongSwan, CN=sun.strongswan.org"
+	auto=route
diff --git a/testing/tests/ikev2/any-interface/hosts/bob/etc/strongswan.conf b/testing/tests/ikev2/any-interface/hosts/bob/etc/strongswan.conf
new file mode 100644
index 000000000..ef63f7262
--- /dev/null
+++ b/testing/tests/ikev2/any-interface/hosts/bob/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+}
diff --git a/testing/tests/ikev2/any-interface/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/any-interface/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..ab0534331
--- /dev/null
+++ b/testing/tests/ikev2/any-interface/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,30 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	mobike=no
+	type=transport
+	compress=yes
+	dpdaction=hold
+	dpddelay=10
+	left=%any
+	leftcert=moonCert.pem
+
+conn alice
+	right=PH_IP_ALICE
+	rightid="C=CH, O=Linux strongSwan, OU=Sales, CN=alice@strongswan.org"
+	auto=route
+
+conn sun 
+	right=PH_IP_SUN
+	rightid="C=CH, O=Linux strongSwan, CN=sun.strongswan.org"
+	auto=route
diff --git a/testing/tests/ikev2/any-interface/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/any-interface/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..ef63f7262
--- /dev/null
+++ b/testing/tests/ikev2/any-interface/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+}
diff --git a/testing/tests/ikev2/any-interface/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/any-interface/hosts/sun/etc/ipsec.conf
new file mode 100755
index 000000000..71699b08e
--- /dev/null
+++ b/testing/tests/ikev2/any-interface/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+        keyingtries=1
+	keyexchange=ikev2
+	mobike=no
+	type=transport
+	compress=yes
+	dpdaction=clear
+	dpddelay=10
+	left=%any
+	leftcert=sunCert.pem
+
+conn remote
+	right=%any
+	auto=add
diff --git a/testing/tests/ikev2/any-interface/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/any-interface/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..ef63f7262
--- /dev/null
+++ b/testing/tests/ikev2/any-interface/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+}
diff --git a/testing/tests/ikev2/any-interface/posttest.dat b/testing/tests/ikev2/any-interface/posttest.dat
new file mode 100644
index 000000000..8e26c78de
--- /dev/null
+++ b/testing/tests/ikev2/any-interface/posttest.dat
@@ -0,0 +1,6 @@
+alice::ipsec stop
+moon::ipsec stop
+sun::ipsec stop
+bob::ipsec stop
+winnetou::ip route del 10.1.0.0/16 via PH_IP_MOON
+winnetou::ip route del 10.2.0.0/16 via PH_IP_SUN
diff --git a/testing/tests/ikev2/any-interface/pretest.dat b/testing/tests/ikev2/any-interface/pretest.dat
new file mode 100644
index 000000000..b8e91194e
--- /dev/null
+++ b/testing/tests/ikev2/any-interface/pretest.dat
@@ -0,0 +1,12 @@
+moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+sun::echo 1 > /proc/sys/net/ipv4/ip_forward
+winnetou::ip route add 10.1.0.0/16 via PH_IP_MOON
+winnetou::ip route add 10.2.0.0/16 via PH_IP_SUN
+alice::ipsec start
+moon::ipsec start
+sun::ipsec start
+bob::ipsec start
+moon::sleep 2 
+moon::ping -n -c 3 -s 8184 -p deadbeef PH_IP_ALICE
+moon::ping -n -c 3 -s 8184 -p deadbeef PH_IP_SUN
+bob::ping -n -c 3 -s 8184 -p deadbeef PH_IP_SUN1
diff --git a/testing/tests/ikev2/any-interface/test.conf b/testing/tests/ikev2/any-interface/test.conf
new file mode 100644
index 000000000..25e5cd872
--- /dev/null
+++ b/testing/tests/ikev2/any-interface/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+ 
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="alice sun bob"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="alice moon sun bob"
diff --git a/testing/tests/ikev2/compress/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/compress/hosts/carol/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/compress/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/compress/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/compress/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/compress/hosts/moon/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/compress/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/compress/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/config-payload-swapped/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/config-payload-swapped/hosts/carol/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/config-payload-swapped/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/config-payload-swapped/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/config-payload-swapped/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/config-payload-swapped/hosts/dave/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/config-payload-swapped/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/config-payload-swapped/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/config-payload-swapped/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/config-payload-swapped/hosts/moon/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/config-payload-swapped/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/config-payload-swapped/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/config-payload/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/config-payload/hosts/carol/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/config-payload/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/config-payload/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/config-payload/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/config-payload/hosts/dave/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/config-payload/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/config-payload/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/config-payload/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/config-payload/hosts/moon/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/config-payload/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/config-payload/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/crl-from-cache/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/crl-from-cache/hosts/carol/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/crl-from-cache/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/crl-from-cache/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/crl-ldap/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/crl-ldap/hosts/carol/etc/strongswan.conf
index 1949d3abc..c234f3a32 100644
--- a/testing/tests/ikev2/crl-ldap/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/crl-ldap/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = ldap aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = ldap aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/crl-ldap/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/crl-ldap/hosts/moon/etc/strongswan.conf
index 1949d3abc..c234f3a32 100644
--- a/testing/tests/ikev2/crl-ldap/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/crl-ldap/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = ldap aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = ldap aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/crl-revoked/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/crl-revoked/hosts/carol/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/crl-revoked/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/crl-revoked/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/crl-revoked/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/crl-revoked/hosts/moon/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/crl-revoked/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/crl-revoked/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/crl-to-cache/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/crl-to-cache/hosts/carol/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/crl-to-cache/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/crl-to-cache/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/default-keys/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/default-keys/hosts/carol/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/default-keys/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/default-keys/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/default-keys/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/default-keys/hosts/moon/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/default-keys/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/default-keys/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/double-nat-net/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/double-nat-net/hosts/alice/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/double-nat-net/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/double-nat-net/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/double-nat-net/hosts/bob/etc/strongswan.conf b/testing/tests/ikev2/double-nat-net/hosts/bob/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/double-nat-net/hosts/bob/etc/strongswan.conf
+++ b/testing/tests/ikev2/double-nat-net/hosts/bob/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/double-nat/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/double-nat/hosts/alice/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/double-nat/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/double-nat/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/double-nat/hosts/bob/etc/strongswan.conf b/testing/tests/ikev2/double-nat/hosts/bob/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/double-nat/hosts/bob/etc/strongswan.conf
+++ b/testing/tests/ikev2/double-nat/hosts/bob/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/dpd-clear/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/dpd-clear/hosts/carol/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/dpd-clear/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/dpd-clear/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/dpd-clear/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/dpd-clear/hosts/moon/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/dpd-clear/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/dpd-clear/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/dpd-hold/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/dpd-hold/hosts/carol/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/dpd-hold/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/dpd-hold/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/dpd-hold/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/dpd-hold/hosts/moon/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/dpd-hold/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/dpd-hold/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/dpd-restart/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/dpd-restart/hosts/carol/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/dpd-restart/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/dpd-restart/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/dpd-restart/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/dpd-restart/hosts/moon/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/dpd-restart/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/dpd-restart/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/esp-alg-aes-ccm/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-aes-ccm/hosts/carol/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/esp-alg-aes-ccm/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/esp-alg-aes-ccm/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/esp-alg-aes-ccm/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-aes-ccm/hosts/moon/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/esp-alg-aes-ccm/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/esp-alg-aes-ccm/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/esp-alg-aes-gcm/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-aes-gcm/hosts/carol/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/esp-alg-aes-gcm/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/esp-alg-aes-gcm/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/esp-alg-aes-gcm/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-aes-gcm/hosts/moon/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/esp-alg-aes-gcm/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/esp-alg-aes-gcm/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/force-udp-encaps/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/force-udp-encaps/hosts/alice/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/force-udp-encaps/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/force-udp-encaps/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/host2host-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/host2host-cert/hosts/moon/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/host2host-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/host2host-cert/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/host2host-cert/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/host2host-cert/hosts/sun/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/host2host-cert/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/host2host-cert/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/host2host-swapped/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/host2host-swapped/hosts/moon/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/host2host-swapped/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/host2host-swapped/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/host2host-swapped/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/host2host-swapped/hosts/sun/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/host2host-swapped/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/host2host-swapped/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/host2host-transport/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/host2host-transport/hosts/moon/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/host2host-transport/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/host2host-transport/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/host2host-transport/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/host2host-transport/hosts/sun/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/host2host-transport/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/host2host-transport/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/ip-pool-db/evaltest.dat b/testing/tests/ikev2/ip-pool-db/evaltest.dat
index 07d17b338..d12e10959 100644
--- a/testing/tests/ikev2/ip-pool-db/evaltest.dat
+++ b/testing/tests/ikev2/ip-pool-db/evaltest.dat
@@ -9,7 +9,7 @@ dave::ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
 dave::ipsec status::home.*INSTALLED::YES
 dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
 moon::cat /var/log/daemon.log::peer requested virtual IP %any::YES
-moon::cat /var/log/daemon.log::assigning lease with new address from pool.*bigpool::YES
+moon::cat /var/log/daemon.log::acquired new lease for address.*in pool.*bigpool::YES
 moon::cat /var/log/daemon.log::assigning virtual IP::YES
 moon::ipsec pool --status::bigpool.*10.3.0.1.*10.3.255.254.*static.*2::YES
 moon::ipsec pool --leases --filter pool=bigpool,addr=10.3.0.1,id=carol@strongswan.org::online::YES
diff --git a/testing/tests/ikev2/ip-pool-db/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-pool-db/hosts/carol/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/ip-pool-db/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-pool-db/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/ip-pool-db/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ip-pool-db/hosts/dave/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/ip-pool-db/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-pool-db/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/strongswan.conf
index 5a35561ba..f70c4cbcb 100644
--- a/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke sqlite sql
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink sqlite sql
 }
diff --git a/testing/tests/ikev2/ip-pool-wish/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-pool-wish/hosts/carol/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/ip-pool-wish/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-pool-wish/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/ip-pool-wish/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ip-pool-wish/hosts/dave/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/ip-pool-wish/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-pool-wish/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/ip-pool-wish/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-pool-wish/hosts/moon/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/ip-pool-wish/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-pool-wish/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/ip-pool/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-pool/hosts/carol/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/ip-pool/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-pool/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/ip-pool/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ip-pool/hosts/dave/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/ip-pool/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-pool/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/ip-pool/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-pool/hosts/moon/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/ip-pool/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-pool/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/ip-two-pools-db/description.txt b/testing/tests/ikev2/ip-two-pools-db/description.txt
new file mode 100644
index 000000000..14a3f17b5
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-db/description.txt
@@ -0,0 +1,14 @@
+The hosts <b>alice</b>, <b>venus</b>, <b>carol</b>, and <b>dave</b> set up tunnel connections
+to gateway <b>moon</b> in a <b>hub-and-spoke</b> fashion. Each host requests a <b>virtual IP</b> 
+with the <b>leftsourceip=%config</b> parameter. Gateway <b>moon</b> assigns virtual
+IP addresses from a pool named <b>extpool</b> [10.3.0.1..10.3.255.254] to hosts connecting
+to the <b>eth0</b> (PH_IP_MOON) interface and virtual IP addresses from a pool named <b>intpool</b>
+[10.4.0.1..10.4.255.254] to hosts connecting to the <b>eth1</b> (PH_IP_MOON1) interface.
+Thus <b>carol</b> and <b>dave</b> are assigned <b>PH_IP_CAROL1</b> and <b>PH_IP_DAVE1</b>,
+respectively, whereas <b>alice</b> and <b>venus</b> get <b>10.4.0.1</b> and <b>10.4.0.2</b>,
+respectively.
+<p> 
+By defining the composite IPsec SA: <b>rightsubnet=10.3.0.0/16,10.4.0.0/16</b>, each of the four
+spokes can securely reach any other spoke via the central hub <b>moon</b>. This is
+demonstrated by <b>alice</b> and <b>dave</b> pinging the assigned virtual IP addresses
+of <b>carol</b> and <b>venus</b>.
diff --git a/testing/tests/ikev2/ip-two-pools-db/evaltest.dat b/testing/tests/ikev2/ip-two-pools-db/evaltest.dat
new file mode 100644
index 000000000..74c967def
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-db/evaltest.dat
@@ -0,0 +1,31 @@
+carol::ipsec status::home.*INSTALLED::YES
+dave::ipsec status::home.*INSTALLED::YES
+alice::ipsec status::home.*INSTALLED::YES
+venus::ipsec status::home.*INSTALLED::YES
+moon::ipsec status::ext.*ESTABLISHED.*carol@strongswan.org::YES
+moon::ipsec status::ext.*ESTABLISHED.*dave@strongswan.org::YES
+moon::ipsec status::int.*ESTABLISHED.*alice@strongswan.org::YES
+moon::ipsec status::int.*ESTABLISHED.*venus.strongswan.org::YES
+moon::ipsec pool --status::extpool.*10.3.0.1.*10.3.255.254.*48h.*2::YES
+moon::ipsec pool --status::intpool.*10.4.0.1.*10.4.255.254.*static.*2::YES
+moon::ipsec pool --leases --filter pool=extpool,addr=10.3.0.1,id=carol@strongswan.org::online::YES
+moon::ipsec pool --leases --filter pool=extpool,addr=10.3.0.2,id=dave@strongswan.org::online::YES
+moon::ipsec pool --leases --filter pool=intpool,addr=10.4.0.1,id=alice@strongswan.org::online::YES
+moon::ipsec pool --leases --filter pool=intpool,addr=10.4.0.2,id=venus.strongswan.org::online::YES
+carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
+dave::cat /var/log/daemon.log::installing new virtual IP 10.3.0.2::YES
+alice::cat /var/log/daemon.log::installing new virtual IP 10.4.0.1::YES
+venus::cat /var/log/daemon.log::installing new virtual IP 10.4.0.2::YES
+alice::ping -c 1 PH_IP_CAROL1::64 bytes from PH_IP_CAROL1: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_CAROL1::64 bytes from PH_IP_CAROL1: icmp_seq=1::YES
+alice::ping -c 1 10.4.0.2::64 bytes from 10.4.0.2: icmp_seq=1::YES
+dave::ping -c 1 10.4.0.2::64 bytes from 10.4.0.2: icmp_seq=1::YES
+alice::tcpdump::IP alice.strongswan.org > moon1.strongswan.org: ESP::YES
+alice::tcpdump::IP moon1.strongswan.org > alice.strongswan.org: ESP::YES
+dave::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+dave::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+carol::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+carol::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+venus::tcpdump::IP moon1.strongswan.org > venus.strongswan.org: ESP::YES
+venus::tcpdump::IP venus.strongswan.org > moon1.strongswan.org: ESP::YES
+
diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/init.d/iptables b/testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/init.d/iptables
new file mode 100755
index 000000000..97b773645
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/init.d/iptables
@@ -0,0 +1,78 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+	before net
+	need logger
+}
+
+start() {
+	ebegin "Starting firewall"
+
+	# default policy is DROP
+	/sbin/iptables -P INPUT DROP
+	/sbin/iptables -P OUTPUT DROP
+	/sbin/iptables -P FORWARD DROP
+
+        # allow ESP 
+        iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
+        iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+	# allow IKE
+        iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+        iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+			
+	# allow MOBIKE 
+	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+
+	# allow crl fetch from winnetou
+	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+	# allow ssh
+	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
+	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+	
+			if [ $a == nat ]; then
+				/sbin/iptables -t nat -P PREROUTING ACCEPT
+				/sbin/iptables -t nat -P POSTROUTING ACCEPT
+				/sbin/iptables -t nat -P OUTPUT ACCEPT
+			elif [ $a == mangle ]; then
+				/sbin/iptables -t mangle -P PREROUTING ACCEPT
+				/sbin/iptables -t mangle -P INPUT ACCEPT
+				/sbin/iptables -t mangle -P FORWARD ACCEPT
+				/sbin/iptables -t mangle -P OUTPUT ACCEPT
+				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
+			elif [ $a == filter ]; then
+				/sbin/iptables -t filter -P INPUT ACCEPT
+				/sbin/iptables -t filter -P FORWARD ACCEPT
+				/sbin/iptables -t filter -P OUTPUT ACCEPT
+			fi
+		done
+	eend $?
+}
+
+reload() {
+	ebegin "Flushing firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+		done;
+        eend $?
+	start
+}
+
diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/ipsec.conf
new file mode 100755
index 000000000..d925a2564
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+		
+conn home 
+	left=%defaultroute
+	leftsourceip=%config
+	leftcert=aliceCert.pem
+	leftid=alice@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON1
+	rightid=@moon.strongswan.org
+	rightsubnet=10.3.0.0/16,10.4.0.0/16
+	auto=add
diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/strongswan.conf
new file mode 100644
index 000000000..ef63f7262
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+}
diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..2b673ec4d
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-db/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_CAROL
+	leftsourceip=%config
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.3.0.0/16,10.4.0.0/16
+	auto=add
diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..ef63f7262
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-db/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+}
diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..22f9b6634
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-db/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_DAVE
+	leftsourceip=%config
+	leftcert=daveCert.pem
+	leftid=dave@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.3.0.0/16,10.4.0.0/16
+	auto=add
diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..ef63f7262
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-db/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+}
diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/init.d/iptables
new file mode 100755
index 000000000..bb9d03acd
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/init.d/iptables
@@ -0,0 +1,91 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+	before net
+	need logger
+}
+
+start() {
+	ebegin "Starting firewall"
+
+	# enable IP forwarding
+	echo 1 > /proc/sys/net/ipv4/ip_forward
+	
+	# default policy is DROP
+	/sbin/iptables -P INPUT DROP
+	/sbin/iptables -P OUTPUT DROP
+	/sbin/iptables -P FORWARD DROP
+
+	# allow esp
+	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+        iptables -A INPUT  -i eth1 -p 50 -j ACCEPT
+        iptables -A OUTPUT -o eth1 -p 50 -j ACCEPT
+
+	# allow IKE
+	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+        iptables -A INPUT  -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
+        iptables -A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
+
+	# allow MobIKE
+	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+        iptables -A INPUT  -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT
+        iptables -A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+	# allow crl fetch from winnetou
+	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+	iptables -A FORWARD -i eth0 -o eth1 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+	iptables -A FORWARD -o eth0 -i eth1 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+	# masquerade crl fetches to winnetou
+	iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -d PH_IP_WINNETOU -j MASQUERADE
+
+	# allow ssh
+	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
+	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+	
+			if [ $a == nat ]; then
+				/sbin/iptables -t nat -P PREROUTING ACCEPT
+				/sbin/iptables -t nat -P POSTROUTING ACCEPT
+				/sbin/iptables -t nat -P OUTPUT ACCEPT
+			elif [ $a == mangle ]; then
+				/sbin/iptables -t mangle -P PREROUTING ACCEPT
+				/sbin/iptables -t mangle -P INPUT ACCEPT
+				/sbin/iptables -t mangle -P FORWARD ACCEPT
+				/sbin/iptables -t mangle -P OUTPUT ACCEPT
+				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
+			elif [ $a == filter ]; then
+				/sbin/iptables -t filter -P INPUT ACCEPT
+				/sbin/iptables -t filter -P FORWARD ACCEPT
+				/sbin/iptables -t filter -P OUTPUT ACCEPT
+			fi
+		done
+	eend $?
+}
+
+reload() {
+	ebegin "Flushing firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+		done;
+        eend $?
+	start
+}
+
diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..a4c37e117
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,29 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftfirewall=yes
+	right=%any
+
+conn int 
+	left=PH_IP_MOON1
+	leftsubnet=10.3.0.0/16,10.4.0.0/16
+	rightsourceip=%intpool
+	auto=add
+
+conn ext 
+	left=PH_IP_MOON
+	leftsubnet=10.3.0.0/16,10.4.0.0/16
+	rightsourceip=%extpool
+	auto=add
diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..0834739b2
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,10 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  plugins {
+    sql {
+      database = sqlite:///etc/ipsec.d/ipsec.db 
+    }
+  }
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke sqlite sql kernel-netlink
+}
diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/init.d/iptables b/testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/init.d/iptables
new file mode 100755
index 000000000..97b773645
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/init.d/iptables
@@ -0,0 +1,78 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+	before net
+	need logger
+}
+
+start() {
+	ebegin "Starting firewall"
+
+	# default policy is DROP
+	/sbin/iptables -P INPUT DROP
+	/sbin/iptables -P OUTPUT DROP
+	/sbin/iptables -P FORWARD DROP
+
+        # allow ESP 
+        iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
+        iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+	# allow IKE
+        iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+        iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+			
+	# allow MOBIKE 
+	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+
+	# allow crl fetch from winnetou
+	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+	# allow ssh
+	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
+	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+	
+			if [ $a == nat ]; then
+				/sbin/iptables -t nat -P PREROUTING ACCEPT
+				/sbin/iptables -t nat -P POSTROUTING ACCEPT
+				/sbin/iptables -t nat -P OUTPUT ACCEPT
+			elif [ $a == mangle ]; then
+				/sbin/iptables -t mangle -P PREROUTING ACCEPT
+				/sbin/iptables -t mangle -P INPUT ACCEPT
+				/sbin/iptables -t mangle -P FORWARD ACCEPT
+				/sbin/iptables -t mangle -P OUTPUT ACCEPT
+				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
+			elif [ $a == filter ]; then
+				/sbin/iptables -t filter -P INPUT ACCEPT
+				/sbin/iptables -t filter -P FORWARD ACCEPT
+				/sbin/iptables -t filter -P OUTPUT ACCEPT
+			fi
+		done
+	eend $?
+}
+
+reload() {
+	ebegin "Flushing firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+		done;
+        eend $?
+	start
+}
+
diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/ipsec.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/ipsec.conf
new file mode 100755
index 000000000..2dbd84fe7
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+		
+conn home 
+	left=%defaultroute
+	leftsourceip=%config
+	leftcert=venusCert.pem
+	leftid=@venus.strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON1
+	rightid=@moon.strongswan.org
+	rightsubnet=10.3.0.0/16,10.4.0.0/16
+	auto=add
diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/strongswan.conf
new file mode 100644
index 000000000..ef63f7262
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+}
diff --git a/testing/tests/ikev2/ip-two-pools-db/posttest.dat b/testing/tests/ikev2/ip-two-pools-db/posttest.dat
new file mode 100644
index 000000000..5ea5128ce
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-db/posttest.dat
@@ -0,0 +1,16 @@
+alice::ipsec stop
+venus::ipsec stop
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+alice::/etc/init.d/iptables stop 2> /dev/null
+venus::/etc/init.d/iptables stop 2> /dev/null
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
+moon::ip route del 10.3.0.0/16 via PH_IP_MOON
+moon::ip route del 10.4.0.0/16 via PH_IP_MOON1
+moon::conntrack -F
+moon::ipsec pool --del extpool
+moon::ipsec pool --del intpool
+moon::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/ikev2/ip-two-pools-db/pretest.dat b/testing/tests/ikev2/ip-two-pools-db/pretest.dat
new file mode 100644
index 000000000..3870a2919
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-db/pretest.dat
@@ -0,0 +1,22 @@
+moon::cat /etc/ipsec.d/tables.sql > /etc/ipsec.d/ipsec.sql
+moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+moon::ipsec pool --add extpool --start 10.3.0.1 --end 10.3.255.254 --timeout 48 
+moon::ipsec pool --add intpool --start 10.4.0.1 --end 10.4.255.254 --timeout  0
+moon::ip route add 10.3.0.0/16 via PH_IP_MOON
+moon::ip route add 10.4.0.0/16 via PH_IP_MOON1
+alice::/etc/init.d/iptables start 2> /dev/null
+venus::/etc/init.d/iptables start 2> /dev/null
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+alice::ipsec start
+venus::ipsec start
+carol::ipsec start
+dave::ipsec start
+moon::ipsec start
+carol::sleep 2 
+carol::ipsec up home
+dave::ipsec up home
+alice::ipsec up home
+venus::ipsec up home
+alice::sleep 1
diff --git a/testing/tests/ikev2/ip-two-pools-db/test.conf b/testing/tests/ikev2/ip-two-pools-db/test.conf
new file mode 100644
index 000000000..ea1307b16
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-db/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="alice venus carol dave"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="alice venus moon carol dave"
diff --git a/testing/tests/ikev2/ip-two-pools/description.txt b/testing/tests/ikev2/ip-two-pools/description.txt
new file mode 100644
index 000000000..45b84f135
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools/description.txt
@@ -0,0 +1,9 @@
+The hosts <b>alice</b> and <b>carol</b> set up a tunnel connection each to gateway <b>moon</b>.
+Both hosts request a <b>virtual IP</b> via the IKEv2 configuration payload by using the
+<b>leftsourceip=%config</b> parameter. Gateway <b>moon</b> assigns virtual IP
+addresses from a simple pool defined by <b>rightsourceip=10.3.0.0/28</b> to hosts connecting
+to the <b>eth0</b> (PH_IP_MOON) interface and virtual IP addresses from a simple pool defined 
+by <b>rightsourceip=10.4.0.0/28</b> to hosts connecting to the <b>eth1</b> (PH_IP_MOON1) interface.
+<p>
+Thus <b>carol</b> is assigned <b>PH_IP_CAROL1</b> whereas <b>alice</b> gets <b>10.4.0.1</b> and 
+both ping the gateway <b>moon</b>.
diff --git a/testing/tests/ikev2/ip-two-pools/evaltest.dat b/testing/tests/ikev2/ip-two-pools/evaltest.dat
new file mode 100644
index 000000000..479a3ae3d
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools/evaltest.dat
@@ -0,0 +1,14 @@
+carol::ipsec status::home.*INSTALLED::YES
+alice::ipsec status::home.*INSTALLED::YES
+moon::ipsec status::ext.*ESTABLISHED.*carol@strongswan.org::YES
+moon::ipsec status::int.*ESTABLISHED.*alice@strongswan.org::YES
+moon::cat /var/log/daemon.log::adding virtual IP address pool.*int.*10.4.0.0/28::YES
+moon::cat /var/log/daemon.log::adding virtual IP address pool.*ext.*10.3.0.0/28::YES
+carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
+alice::cat /var/log/daemon.log::installing new virtual IP 10.4.0.1::YES
+carol::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_seq=1::YES
+alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
+carol::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+carol::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+alice::tcpdump::IP alice.strongswan.org > moon1.strongswan.org: ESP::YES
+alice::tcpdump::IP moon1.strongswan.org > alice.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/ip-two-pools/hosts/alice/etc/init.d/iptables b/testing/tests/ikev2/ip-two-pools/hosts/alice/etc/init.d/iptables
new file mode 100755
index 000000000..97b773645
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools/hosts/alice/etc/init.d/iptables
@@ -0,0 +1,78 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+	before net
+	need logger
+}
+
+start() {
+	ebegin "Starting firewall"
+
+	# default policy is DROP
+	/sbin/iptables -P INPUT DROP
+	/sbin/iptables -P OUTPUT DROP
+	/sbin/iptables -P FORWARD DROP
+
+        # allow ESP 
+        iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
+        iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+	# allow IKE
+        iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+        iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+			
+	# allow MOBIKE 
+	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+
+	# allow crl fetch from winnetou
+	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+	# allow ssh
+	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
+	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+	
+			if [ $a == nat ]; then
+				/sbin/iptables -t nat -P PREROUTING ACCEPT
+				/sbin/iptables -t nat -P POSTROUTING ACCEPT
+				/sbin/iptables -t nat -P OUTPUT ACCEPT
+			elif [ $a == mangle ]; then
+				/sbin/iptables -t mangle -P PREROUTING ACCEPT
+				/sbin/iptables -t mangle -P INPUT ACCEPT
+				/sbin/iptables -t mangle -P FORWARD ACCEPT
+				/sbin/iptables -t mangle -P OUTPUT ACCEPT
+				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
+			elif [ $a == filter ]; then
+				/sbin/iptables -t filter -P INPUT ACCEPT
+				/sbin/iptables -t filter -P FORWARD ACCEPT
+				/sbin/iptables -t filter -P OUTPUT ACCEPT
+			fi
+		done
+	eend $?
+}
+
+reload() {
+	ebegin "Flushing firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+		done;
+        eend $?
+	start
+}
+
diff --git a/testing/tests/ikev2/ip-two-pools/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/ip-two-pools/hosts/alice/etc/ipsec.conf
new file mode 100755
index 000000000..f5ce1687e
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools/hosts/alice/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+		
+conn home 
+	left=%defaultroute
+	leftsourceip=%config
+	leftcert=aliceCert.pem
+	leftid=alice@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON1
+	rightid=@moon.strongswan.org
+	auto=add
diff --git a/testing/tests/ikev2/ip-two-pools/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools/hosts/alice/etc/strongswan.conf
new file mode 100644
index 000000000..ef63f7262
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools/hosts/alice/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+}
diff --git a/testing/tests/ikev2/ip-two-pools/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ip-two-pools/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..e647f1e36
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_CAROL
+	leftsourceip=%config
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	auto=add
diff --git a/testing/tests/ikev2/ip-two-pools/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..ef63f7262
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+}
diff --git a/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/init.d/iptables
new file mode 100755
index 000000000..bb9d03acd
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/init.d/iptables
@@ -0,0 +1,91 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+	before net
+	need logger
+}
+
+start() {
+	ebegin "Starting firewall"
+
+	# enable IP forwarding
+	echo 1 > /proc/sys/net/ipv4/ip_forward
+	
+	# default policy is DROP
+	/sbin/iptables -P INPUT DROP
+	/sbin/iptables -P OUTPUT DROP
+	/sbin/iptables -P FORWARD DROP
+
+	# allow esp
+	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+        iptables -A INPUT  -i eth1 -p 50 -j ACCEPT
+        iptables -A OUTPUT -o eth1 -p 50 -j ACCEPT
+
+	# allow IKE
+	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+        iptables -A INPUT  -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
+        iptables -A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
+
+	# allow MobIKE
+	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+        iptables -A INPUT  -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT
+        iptables -A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+	# allow crl fetch from winnetou
+	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+	iptables -A FORWARD -i eth0 -o eth1 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+	iptables -A FORWARD -o eth0 -i eth1 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+	# masquerade crl fetches to winnetou
+	iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -d PH_IP_WINNETOU -j MASQUERADE
+
+	# allow ssh
+	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
+	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+	
+			if [ $a == nat ]; then
+				/sbin/iptables -t nat -P PREROUTING ACCEPT
+				/sbin/iptables -t nat -P POSTROUTING ACCEPT
+				/sbin/iptables -t nat -P OUTPUT ACCEPT
+			elif [ $a == mangle ]; then
+				/sbin/iptables -t mangle -P PREROUTING ACCEPT
+				/sbin/iptables -t mangle -P INPUT ACCEPT
+				/sbin/iptables -t mangle -P FORWARD ACCEPT
+				/sbin/iptables -t mangle -P OUTPUT ACCEPT
+				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
+			elif [ $a == filter ]; then
+				/sbin/iptables -t filter -P INPUT ACCEPT
+				/sbin/iptables -t filter -P FORWARD ACCEPT
+				/sbin/iptables -t filter -P OUTPUT ACCEPT
+			fi
+		done
+	eend $?
+}
+
+reload() {
+	ebegin "Flushing firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+		done;
+        eend $?
+	start
+}
+
diff --git a/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..8435479fa
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,27 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftfirewall=yes
+	right=%any
+
+conn int 
+	left=PH_IP_MOON1
+	rightsourceip=10.4.0.0/28
+	auto=add
+
+conn ext 
+	left=PH_IP_MOON
+	rightsourceip=10.3.0.0/28
+	auto=add
diff --git a/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..ef63f7262
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+}
diff --git a/testing/tests/ikev2/ip-two-pools/posttest.dat b/testing/tests/ikev2/ip-two-pools/posttest.dat
new file mode 100644
index 000000000..f849b7e1a
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools/posttest.dat
@@ -0,0 +1,8 @@
+alice::ipsec stop
+moon::ipsec stop
+carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+alice::/etc/init.d/iptables stop 2> /dev/null
+moon::conntrack -F
+moon::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/ikev2/ip-two-pools/pretest.dat b/testing/tests/ikev2/ip-two-pools/pretest.dat
new file mode 100644
index 000000000..db422a105
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools/pretest.dat
@@ -0,0 +1,10 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+alice::/etc/init.d/iptables start 2> /dev/null
+carol::ipsec start
+moon::ipsec start
+alice::ipsec start
+carol::sleep 2 
+carol::ipsec up home
+alice::ipsec up home
+alice::sleep 1
diff --git a/testing/tests/ikev2/ip-two-pools/test.conf b/testing/tests/ikev2/ip-two-pools/test.conf
new file mode 100644
index 000000000..329774c0a
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="alice carol"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="alice moon carol"
diff --git a/testing/tests/ikev2/mobike-nat/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/mobike-nat/hosts/alice/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/mobike-nat/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/mobike-nat/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/mobike-nat/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/mobike-nat/hosts/sun/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/mobike-nat/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/mobike-nat/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/mobike/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/mobike/hosts/alice/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/mobike/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/mobike/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/mobike/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/mobike/hosts/sun/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/mobike/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/mobike/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/description.txt b/testing/tests/ikev2/multi-level-ca-cr-init/description.txt
new file mode 100644
index 000000000..0ace25731
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-cr-init/description.txt
@@ -0,0 +1,8 @@
+The VPN gateway <b>moon</b> controls the access to the hosts <b>alice</b> and
+<b>venus</b> by means of two different Intermediate CAs. Access to
+<b>alice</b> is granted to users presenting a certificate issued by the Research CA
+whereas <b>venus</b> can only be reached with a certificate issued by the
+Sales CA. The hosts <b>carol</b> and <b>dave</b> have certificates from
+the Research CA and Sales CA, respectively. Initiator <b>moon</b> does not possess
+copies of the Research and Sales CA certificates and must therefore request them from
+the initiators <b>carol</b> and <b>dave</b>, respectively.
diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/evaltest.dat b/testing/tests/ikev2/multi-level-ca-cr-init/evaltest.dat
new file mode 100644
index 000000000..d2453bbee
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-cr-init/evaltest.dat
@@ -0,0 +1,12 @@
+carol::cat /var/log/daemon.log::sending issuer cert.*CN=Research CA::YES
+dave::cat /var/log/daemon.log::sending issuer cert.*CN=Sales CA::YES
+moon::cat /var/log/daemon.log::fetching crl from.*http.*research.crl::YES
+moon::cat /var/log/daemon.log::crl correctly signed by.*Research CA::YES
+moon::cat /var/log/daemon.log::fetching crl from.*http.*sales.crl::YES
+moon::cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES
+moon::cat /var/log/daemon.log::fetching crl from.*http.*strongswan.crl::YES
+moon::cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES
+carol::ipsec status::alice.*INSTALLED::YES
+moon::ipsec status::alice.*ESTABLISHED.*carol@strongswan.org::YES
+dave::ipsec status::venus.*INSTALLED::YES
+moon::ipsec status::venus.*ESTABLISHED.*dave@strongswan.org::YES
diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..a8a6d2b8f
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn alice
+	left=PH_IP_CAROL
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftsendcert=ifasked
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
+	rightsubnet=PH_IP_ALICE/32
+	auto=add
diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/ipsec.d/cacerts/researchCert.pem b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/ipsec.d/cacerts/researchCert.pem
new file mode 100644
index 000000000..154cff654
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/ipsec.d/cacerts/researchCert.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIIDwTCCAqmgAwIBAgIBDzANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA1MDYyMTE5NTgwNloXDTEwMDYyMDE5NTgwNlowUTELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
+cmNoMRQwEgYDVQQDEwtSZXNlYXJjaCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBALY5sjqm4AdbWKc/T7JahWpy9xtdPbHngBN6lbnpYaHfrxnGsvmD
+FCFZHCd7egRqQ/AuJHHcEv3DUdfJWWAypVnUvdlcp58hBjpxfTPXP9IDBxzQaQyU
+zsExIGWOVUY2e7xJ5BKBnXVkok3htY4Hr1GdqNh+3LEmbegJBngTRSRx4PKJ54FO
+/b78LUzB+rMxrzxw/lnI8jEmAtKlugQ7c9auMeFCz+NmlSfnSoWhHN5qm+0iNKy0
+C+25IuE8Nq+i3jtBiI8BwBqHY3u2IuflUh9Nc9d/R6vGsRPMHs30X1Ha/m0Ug494
++wwqwfEBZRjzxMmMF/1SG4I1E3TDOJ3srjkCAwEAAaOBrzCBrDAPBgNVHRMBAf8E
+BTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU53XwoPKtIM3NYCPMx8gPKfPd
+VCAwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNV
+BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJv
+bmdTd2FuIFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQEEBQADggEBAHArS2trQnBoMVcg
+Br3HV78wYsa1MNAQCBAPhKMMd6EziO4FTwgNgecbKXpObX6ErFDgjtVTcLOMTvNX
+fvZoNuPpdcitlgcWjfxZafNbj6j9ClE/rMbGDO64NLhdXuPVkbmic6yXRwGZpTuq
+3CKgTguLvhzIEM47yfonXKaaJcKVPI7nYRZdlJmD4VflYrSUpzB361dCaPpl0AYa
+0zz1+jfBBvlyic/tf+cCngV3f+GlJ4ntZ3gvRjyysHRmYpWBD7xcA8mJzgUiMyi1
+IKeNzydp+tnLfxwetfA/8ptc346me7RktAaASqO9vpS/N78eXyJRthZTKEf/OqVW
+Tfcyi+M=
+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/ipsec.d/certs/carolCert.pem
new file mode 100644
index 000000000..2990d6a12
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/ipsec.d/certs/carolCert.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIELDCCAxSgAwIBAgIBATANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS
+BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTA1MDMyMzA3MDQyM1oXDTEwMDMyMjA3MDQy
+M1owWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP
+BgNVBAsTCFJlc2VhcmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCC
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM+oTiV7lCh1ID41edDUgUjR
+dZwEMPBAM1xDqoxJxIJpug8UIuuUL0TvQnZ4Z5fa/9QNNCkQ7FDh8ZcR+TT8x0mO
+dYYA73mMQic0n4O57F+s/lESKvIoN+vIDR3rGJBv9rYztS4ODE+DJl9XK9TtId5u
+57jfXu/k3IYl5GeQ3f+ic2l2Ola70t70Op6cFDZIhOCjs2xWw2yqGdPWODaN/Enw
+5fOLv/om+7HHB4KgPGv4p4ohWIUCo2XK597Ii+jB2MdOUlG83/1aX7+M+IeYVwjI
+hzWjwRQfMz0AQha0HYN4cvrZ7stUluMxewsCROCBzcGQYTZxYU4FjR8nhH4ApYMC
+AwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSL
+qNn96rsWg0kOJY/cyXD2JpnPIjBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p
+891UIKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3
+YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBDDAfBgNVHREEGDAWgRRj
+YXJvbEBzdHJvbmdzd2FuLm9yZzA3BgNVHR8EMDAuMCygKqAohiZodHRwOi8vY3Js
+LnN0cm9uZ3N3YW4ub3JnL3Jlc2VhcmNoLmNybDANBgkqhkiG9w0BAQUFAAOCAQEA
+FNPepmta0ac9TWe7Gl31fKkuf6ZiQftMwx/uq6PoX9PBVGeooktJMo+EiROQhL3N
+Zomtl2nLfxYruXPHa7YaMWyv4+3NkV9p7jseC1K/2lCXipY4Vp8u14hqlRLCTejp
+7uC/0+628e+qXlCm8wafDb9/JXzQar7rADhoLp7gJKI2PKMAzLUP2xZVzY5zx57G
++OCR/ZXonVeAPy9/0g9N8uQzJEXOVZYMjsoRra9rdlvnY1DgDoAK7QvJMC4VzENm
+wKmz2rPrBlKaEcivubg7dwPMGNmb3f7F7w0HHuRbQd5Y0nDfEWBKCp0bVx1GLc7/
+MWjwPJs52qVJ3Ph++EF6bw==
+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/ipsec.d/private/carolKey.pem
new file mode 100644
index 000000000..b91f9bf81
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/ipsec.d/private/carolKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEogIBAAKCAQEAz6hOJXuUKHUgPjV50NSBSNF1nAQw8EAzXEOqjEnEgmm6DxQi
+65QvRO9Cdnhnl9r/1A00KRDsUOHxlxH5NPzHSY51hgDveYxCJzSfg7nsX6z+URIq
+8ig368gNHesYkG/2tjO1Lg4MT4MmX1cr1O0h3m7nuN9e7+TchiXkZ5Dd/6JzaXY6
+VrvS3vQ6npwUNkiE4KOzbFbDbKoZ09Y4No38SfDl84u/+ib7sccHgqA8a/iniiFY
+hQKjZcrn3siL6MHYx05SUbzf/Vpfv4z4h5hXCMiHNaPBFB8zPQBCFrQdg3hy+tnu
+y1SW4zF7CwJE4IHNwZBhNnFhTgWNHyeEfgClgwIDAQABAoIBAHXoftbRoIKIXtJz
+0sM8plwOctUvnAoOqhsNYN1fVXEnTzoYmOtirKRbpkVWgJu9Ad4J0UAwF76lTGQX
+FIV9sjqV5S09grxlY3qXaquE+i4pMA4gXro5E+eRI8GFJ+F7cX5rRcjsuRi8wyEH
+gh/YtY5zMqfKTUGxlXWmNlaH70WilianuMPNXwaKgyBGcfZdheyUggM0rYEJrG1Z
+PZqNo0JKfeI4htpENDp0k1xJ9lCjIqdNw0ZjBi+pL6hF5PYaPjlVC2yn5CzRaT1D
+nUeKUK+SVES4sPrEQtaOlk86uZC4pIz5IlEoSvaw/Yo3Gk1sQKIQMMh1crhHd0El
+U831KwECgYEA7fQY+aFk3fHabwgf9gjuPKgwetVQ8jNDWUiSqffHUC0AQfKZQQsF
+mXJeSRZomPCWG3DRz1EcqXr9f82bN295I0CI6foXZgKUmjed7Bohc0HvUqNOi2qm
+MdbdWBOaH4RBzi1fAENJZnprmq65jQ/tkfCwqIz4KaLt+8xiWmU2h6ECgYEA32gB
+UbCzs1LoJC03uGHqZFRWK/YNKOKBUw58XCnzPTA+34UupI88lPj8LD269tDtruRy
+G7wt4HjayPKtK430nKAl01IXq6ULBTByu3KrCOm/gTAycVMj4ZimTn7Qu9jyv4Lz
+Ka3rBQxB+yQWfn27dc7U+EBsA7PT53NR6Zl8CqMCgYALJYod93+AHho7ZUgKAHUY
+hlBvEJsQHXKkNhAYwjCmAtWmQTUIpPmILKFaDyCrOWnusyRA7+3FyqshV4JT4Hbu
+PdGsFDkQYEKRztUpADhc69PILTo6sa5DW2tW+uQXYdyrSdjPbFd943Iy9sheYUah
+tYKxApmFacp4JyTcUy1wwQKBgA44xLy6jvX/dR+4cS+frBgu9j1eMIBFyw3Kgkgr
+s3xVserww4NeSvEA2KzIUTqdGkRj7o+tbw43I1ZffH6lTskZuM63DyKyIv11lBgy
+uIicuMA0nUFxlXsrCIs+r3MF4I4oe+pPVALCQQEHzxbGUkSxogUbtMSXkgnN4Y0J
+ZEgZAoGAfo0nv/IeKi0KkKiPTQSGVWGAQyCpGE0UQ2RYYToT84kjXs+LrVGFH2lu
+LJvyYnSnM7eKqCFKh+kLQ3bezum56y5XTyAEipTmu7Lhp0CiVjSdnu+0QykmhKsx
+Z17Ut2ryGKOXySnlMNual4eCLq98o0iOcYPq08V6x33dhK7Z3kU=
+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..fac55d63b
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA carolKey.pem
diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..ef63f7262
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+}
diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..8647ac813
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn venus
+	left=PH_IP_DAVE
+	leftcert=daveCert.pem
+	leftid=dave@strongswan.org
+	leftsendcert=ifasked
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
+	rightsubnet=PH_IP_VENUS/32
+	auto=add
diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/ipsec.d/cacerts/salesCert.pem b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/ipsec.d/cacerts/salesCert.pem
new file mode 100644
index 000000000..e50477872
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/ipsec.d/cacerts/salesCert.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDuzCCAqOgAwIBAgIBDTANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA1MDMyMzA2MjkxNloXDTE0MDMyMTA2MjkxNlowSzELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsTBVNhbGVz
+MREwDwYDVQQDEwhTYWxlcyBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
+ggEBAMJOTSaZjDe5UR+hJbodcE40WBxWm+r0FiD+FLc2c0hH/QcWm1Xfqnc9qaPP
+GoxO2BfwXgFEHfOdQzHGuthhsvdMPkmWP1Z3uDrwscqrmLyq4JI87exSen1ggmCV
+Eib55T4fNxrTIGJaoe6Jn9v9ZwG2B+Ur3nFA/wdckSdqJxc6XL9DKcRk3TxZtv9S
+uDftE9G787O6PJSyfyUYhldz1EZe5PTsUoAbBJ0DDXJx3562kDtfQdwezat0LAyO
+sVabYq/0G/fBZwLLer4qGF2+3CsvP7jNXnhRYeSv2+4i2mAjgbBRI1A3iqoU3Nq1
+vPAqzrekOI/RV9Hre9L1r8X1dIECAwEAAaOBrzCBrDAPBgNVHRMBAf8EBTADAQH/
+MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUX5sTRvkgcsgA1Yi1p0wul+oLkygwbQYD
+VR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNI
+MRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2Fu
+IFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQEFBQADggEBAJ7j3X20Q8ICJ2e+iUCpVUIV
+8RudUeHt9qjSXalohuxxhegL5vu7I9Gx0H56RE4glOjLMCb1xqVZ55Odxx14pHaZ
+9iMnQFpgzi96exYAmBKYCHl4IFix2hrTqTWSJhEO+o+PXnQTgcfG43GQepk0qAQr
+iZZy8OWiUhHSJQLJtTMm4rnYjgPn+sLwx7hCPDZpHTZocETDars7wTiVkodCbeEU
+uKahAbq4b6MvvC3+7quvwoEpAEStT7+Yml+QuK/jKmhjX0hcQcw4ZWi+m32RjUAv
+xDJGEvBqV2hyrzRqwh4lVNJEBba5X+QB3N6a0So6BENaJrUM3v8EDaS2KLUWyu0=
+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/ipsec.d/certs/daveCert.pem
new file mode 100644
index 000000000..b76032480
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/ipsec.d/certs/daveCert.pem
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIIEHDCCAwSgAwIBAgIBATANBgkqhkiG9w0BAQUFADBLMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEOMAwGA1UECxMFU2FsZXMxETAPBgNV
+BAMTCFNhbGVzIENBMB4XDTA1MDMyMzA3MTAxN1oXDTEwMDMyMjA3MTAxN1owVjEL
+MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsT
+BVNhbGVzMRwwGgYDVQQDFBNkYXZlQHN0cm9uZ3N3YW4ub3JnMIIBIjANBgkqhkiG
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyqAR0itGIuSt/RR8IHjFTLH/lywprmHUw0GS
+zZwo/q4AE4v6OeWRG3JUUg44K40yBwr7zvcsLztRTfbNqlt7o+Hjpo3kz0AMwDo+
+1V42Qkh61VJW1P0NQvkgjiQn+ElSMg1u3uiYCIMAhYMYo2ZMKxHXxRqjU79AVuJN
+P3p8wUpfwReImAy3/n685YbSzWcbPqCfjRH/YrnYS8Ga7m/QzdNfrtxhAWAGow1+
++eTSMvLXSkQeujU6OCJNOPUNB3nnJ1IoZrQm8wNP8Y5B5HzvOSyFEvNuHFc63gSP
+aSRhuz0gubuMpr1d9Rgjny8JgsfCEbOktlKwnbFeSB8AAgVMjwIDAQABo4H/MIH8
+MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSCy57rUdNRbytUkRGY
+GjmjvXfIszBtBgNVHSMEZjBkgBRfmxNG+SByyADViLWnTC6X6guTKKFJpEcwRTEL
+MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT
+EnN0cm9uZ1N3YW4gUm9vdCBDQYIBDTAeBgNVHREEFzAVgRNkYXZlQHN0cm9uZ3N3
+YW4ub3JnMDQGA1UdHwQtMCswKaAnoCWGI2h0dHA6Ly9jcmwuc3Ryb25nc3dhbi5v
+cmcvc2FsZXMuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQB+BknSxFKaDhbRVobOAU2P
+p9cirkVCitoZrvK2QIS/7WRoqy85RQ+zorJb3jyTxQl4Pu9Qrap9Zn0H8GQXGlQw
+ZJqdDqRaIa4nCc57qP5DsuQKIQRxc1QMCiWyIRAESn+r8IbxLbjvEd7ZXNsieip6
+Q15uUZldjTveHVi89i9oFWS1nWo4SV+tJaEqPBvsTZZKBPAEu6+7lRzbJ4ukzRsA
+DjuvmaPNUTyf21fD66I4sgrwgxoPhZ7r6qsqISJ5f0EzTXgYNi1yk/TXoAaot3c/
+Gu5+iyO/espV6kPADSOzPSFwsGHYG4kXi1VY0Z7x6UnjQSdEelOBplJ5XYDzEn4+
+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/ipsec.d/private/daveKey.pem
new file mode 100644
index 000000000..022436de4
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/ipsec.d/private/daveKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAyqAR0itGIuSt/RR8IHjFTLH/lywprmHUw0GSzZwo/q4AE4v6
+OeWRG3JUUg44K40yBwr7zvcsLztRTfbNqlt7o+Hjpo3kz0AMwDo+1V42Qkh61VJW
+1P0NQvkgjiQn+ElSMg1u3uiYCIMAhYMYo2ZMKxHXxRqjU79AVuJNP3p8wUpfwReI
+mAy3/n685YbSzWcbPqCfjRH/YrnYS8Ga7m/QzdNfrtxhAWAGow1++eTSMvLXSkQe
+ujU6OCJNOPUNB3nnJ1IoZrQm8wNP8Y5B5HzvOSyFEvNuHFc63gSPaSRhuz0gubuM
+pr1d9Rgjny8JgsfCEbOktlKwnbFeSB8AAgVMjwIDAQABAoIBAHKaRFoVpa6Ynpu0
+mVwYUqdFSaVsEgsSRC9HiEuIllsteNeVZSqX4BGhAXYDmttvGauIF9IAVNpF939c
+JwjCg1S2r3aFbLOXq16R0vYFOjUVH3xF/NysX3LQywv6AS1Z8wZiOKIU9eBij8nz
+0tygQFZf2iUeIuB8HFzH1B8iHSuI7qn6hh1Y9Zgx4kWYL9I+WYefbR906xveHVGq
+8VrgHtBAn1WeWg7FoN1VURW0s1bxkiWtpF9x9OMmwK4qR8HSCilss59V1eJrAAR0
+3FGdWwbbGg9hW0adnyDCtoaYW3r0WcXwqklyas4C+dClOpUInn8kZisoghQYT92u
+U2QeDzECgYEA5Rv7+rP9HX1pNd9NQwOyIHztv4jfx60gybioogtCeRZUwPQ3GtXJ
+Q0ouBxCVLdyCImIKcvd2q2b9HZE8tvOHBA/YxofH4miEN5GWA4aL+LcGrxIbxPWs
+MEkxgQwsyK7lWH47fG7eW86LMx0VikFXS1EeeZZS3f3Avaww1uRtXecCgYEA4mhS
+sAClZamGVWQ7VXCHuS4xHn/gPA4TCyoR5l9g9pwregGKxsROQVIFQCDMd9eTtS6B
+oqoUTHdg0TlujHVUojdwHtgDaqDMTk+RXD9qy2Wob9HQVBlIwgijoLb+OjwdoAj7
+1OQx8FmMjAlMmlyJ50e1FnbNJFEJ1EMgV5QxtxkCgYEArdUeyehYy1BFTJ/CIm+i
+bm37gdDbYchlUUivgkuiwvcDlWd2jADbdRfKdofJeIOPpYDXxsUmIATDVfTFqVZ7
+AcT4SCHrskh00SjANqqWdz5/bsQBl96DKBvQ2MYhEJ9K2mrkvZPtWKENEtolZsIO
+9tF0mvJIq7CF1iPY5qNoq88CgYEAoZhELErJwl3U+22my7ydopZNiK9MpJCHFxjX
+3c2Fr36XqWUgX+4MzKJ2DOdcCM1dJ5wh+q/Z/RnXiH2tYaL83SskY19aUOij6eDw
+px68YqAUMHtYbi39uD/iSftSSM5PdsHyvGiDHEFOB0U735Dc/K45mecBVEJi+ZVP
+qDKlqUECgYA1DcGOWM3P3XdB7zKy47LcankMtFZozEOLTUdGJRlmWrLdcRlZPKjt
+/ALripehesp1++VtmttWQJX7uI3gveD07/tSKeMHmIoKappjRTrcaA7Pa5+z/xS/
+UhRmZUFOJwNLzy3jdv5f2c/5SIz6o4Ae3I+Zb+IapHL+lBv146/I5g==
+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..ef63f7262
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+}
diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..12f0c95bf
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,36 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+ca strongswan
+	cacert=strongswanCert.pem
+	crluri=http://crl.strongswan.org/strongswan.crl
+	auto=add
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftsendcert=ifasked
+	leftid=@moon.strongswan.org
+
+conn alice
+	leftsubnet=PH_IP_ALICE/32
+	right=PH_IP_CAROL
+	rightid=carol@strongswan.org
+	rightca="C=CH, O=Linux strongSwan, OU=Research, CN=Research CA"
+	auto=add
+	
+conn venus
+	leftsubnet=PH_IP_VENUS/32
+	right=PH_IP_DAVE
+	rightid=dave@strongswan.org
+	rightca="C=CH, O=Linux strongSwan, OU=Sales, CN=Sales CA"
+	auto=add
diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..ef63f7262
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+}
diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/posttest.dat b/testing/tests/ikev2/multi-level-ca-cr-init/posttest.dat
new file mode 100644
index 000000000..24cd041ed
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-cr-init/posttest.dat
@@ -0,0 +1,5 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+carol::rm /etc/ipsec.d/cacerts/*
+dave::rm /etc/ipsec.d/cacerts/*
diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/pretest.dat b/testing/tests/ikev2/multi-level-ca-cr-init/pretest.dat
new file mode 100644
index 000000000..c8e7adcb7
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-cr-init/pretest.dat
@@ -0,0 +1,7 @@
+moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+carol::ipsec start
+dave::ipsec start
+moon::ipsec start
+moon::sleep 2
+moon::ipsec up alice
+moon::ipsec up venus
diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/test.conf b/testing/tests/ikev2/multi-level-ca-cr-init/test.conf
new file mode 100644
index 000000000..08e5cc145
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-cr-init/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice venus moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/description.txt b/testing/tests/ikev2/multi-level-ca-cr-resp/description.txt
new file mode 100644
index 000000000..b26c8c5d0
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-cr-resp/description.txt
@@ -0,0 +1,8 @@
+The VPN gateway <b>moon</b> controls the access to the hosts <b>alice</b> and
+<b>venus</b> by means of two different Intermediate CAs. Access to
+<b>alice</b> is granted to users presenting a certificate issued by the Research CA
+whereas <b>venus</b> can only be reached with a certificate issued by the
+Sales CA. The roadwarriors <b>carol</b> and <b>dave</b> have certificates from
+the Research CA and Sales CA, respectively. Responder <b>moon</b> does not possess
+copies of the Research and Sales CA certificates and must therefore request them from
+the initiators <b>carol</b> and <b>dave</b>.
diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/evaltest.dat b/testing/tests/ikev2/multi-level-ca-cr-resp/evaltest.dat
new file mode 100644
index 000000000..d2453bbee
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-cr-resp/evaltest.dat
@@ -0,0 +1,12 @@
+carol::cat /var/log/daemon.log::sending issuer cert.*CN=Research CA::YES
+dave::cat /var/log/daemon.log::sending issuer cert.*CN=Sales CA::YES
+moon::cat /var/log/daemon.log::fetching crl from.*http.*research.crl::YES
+moon::cat /var/log/daemon.log::crl correctly signed by.*Research CA::YES
+moon::cat /var/log/daemon.log::fetching crl from.*http.*sales.crl::YES
+moon::cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES
+moon::cat /var/log/daemon.log::fetching crl from.*http.*strongswan.crl::YES
+moon::cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES
+carol::ipsec status::alice.*INSTALLED::YES
+moon::ipsec status::alice.*ESTABLISHED.*carol@strongswan.org::YES
+dave::ipsec status::venus.*INSTALLED::YES
+moon::ipsec status::venus.*ESTABLISHED.*dave@strongswan.org::YES
diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..9031a948c
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	left=PH_IP_CAROL
+	leftcert=carolCert.pem
+	leftsendcert=ifasked
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
+
+conn alice
+	rightsubnet=PH_IP_ALICE/32
+	auto=add
diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.d/cacerts/researchCert.pem b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.d/cacerts/researchCert.pem
new file mode 100644
index 000000000..154cff654
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.d/cacerts/researchCert.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIIDwTCCAqmgAwIBAgIBDzANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA1MDYyMTE5NTgwNloXDTEwMDYyMDE5NTgwNlowUTELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
+cmNoMRQwEgYDVQQDEwtSZXNlYXJjaCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBALY5sjqm4AdbWKc/T7JahWpy9xtdPbHngBN6lbnpYaHfrxnGsvmD
+FCFZHCd7egRqQ/AuJHHcEv3DUdfJWWAypVnUvdlcp58hBjpxfTPXP9IDBxzQaQyU
+zsExIGWOVUY2e7xJ5BKBnXVkok3htY4Hr1GdqNh+3LEmbegJBngTRSRx4PKJ54FO
+/b78LUzB+rMxrzxw/lnI8jEmAtKlugQ7c9auMeFCz+NmlSfnSoWhHN5qm+0iNKy0
+C+25IuE8Nq+i3jtBiI8BwBqHY3u2IuflUh9Nc9d/R6vGsRPMHs30X1Ha/m0Ug494
++wwqwfEBZRjzxMmMF/1SG4I1E3TDOJ3srjkCAwEAAaOBrzCBrDAPBgNVHRMBAf8E
+BTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU53XwoPKtIM3NYCPMx8gPKfPd
+VCAwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNV
+BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJv
+bmdTd2FuIFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQEEBQADggEBAHArS2trQnBoMVcg
+Br3HV78wYsa1MNAQCBAPhKMMd6EziO4FTwgNgecbKXpObX6ErFDgjtVTcLOMTvNX
+fvZoNuPpdcitlgcWjfxZafNbj6j9ClE/rMbGDO64NLhdXuPVkbmic6yXRwGZpTuq
+3CKgTguLvhzIEM47yfonXKaaJcKVPI7nYRZdlJmD4VflYrSUpzB361dCaPpl0AYa
+0zz1+jfBBvlyic/tf+cCngV3f+GlJ4ntZ3gvRjyysHRmYpWBD7xcA8mJzgUiMyi1
+IKeNzydp+tnLfxwetfA/8ptc346me7RktAaASqO9vpS/N78eXyJRthZTKEf/OqVW
+Tfcyi+M=
+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.d/certs/carolCert.pem
new file mode 100644
index 000000000..2990d6a12
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.d/certs/carolCert.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIELDCCAxSgAwIBAgIBATANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS
+BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTA1MDMyMzA3MDQyM1oXDTEwMDMyMjA3MDQy
+M1owWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP
+BgNVBAsTCFJlc2VhcmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCC
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM+oTiV7lCh1ID41edDUgUjR
+dZwEMPBAM1xDqoxJxIJpug8UIuuUL0TvQnZ4Z5fa/9QNNCkQ7FDh8ZcR+TT8x0mO
+dYYA73mMQic0n4O57F+s/lESKvIoN+vIDR3rGJBv9rYztS4ODE+DJl9XK9TtId5u
+57jfXu/k3IYl5GeQ3f+ic2l2Ola70t70Op6cFDZIhOCjs2xWw2yqGdPWODaN/Enw
+5fOLv/om+7HHB4KgPGv4p4ohWIUCo2XK597Ii+jB2MdOUlG83/1aX7+M+IeYVwjI
+hzWjwRQfMz0AQha0HYN4cvrZ7stUluMxewsCROCBzcGQYTZxYU4FjR8nhH4ApYMC
+AwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSL
+qNn96rsWg0kOJY/cyXD2JpnPIjBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p
+891UIKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3
+YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBDDAfBgNVHREEGDAWgRRj
+YXJvbEBzdHJvbmdzd2FuLm9yZzA3BgNVHR8EMDAuMCygKqAohiZodHRwOi8vY3Js
+LnN0cm9uZ3N3YW4ub3JnL3Jlc2VhcmNoLmNybDANBgkqhkiG9w0BAQUFAAOCAQEA
+FNPepmta0ac9TWe7Gl31fKkuf6ZiQftMwx/uq6PoX9PBVGeooktJMo+EiROQhL3N
+Zomtl2nLfxYruXPHa7YaMWyv4+3NkV9p7jseC1K/2lCXipY4Vp8u14hqlRLCTejp
+7uC/0+628e+qXlCm8wafDb9/JXzQar7rADhoLp7gJKI2PKMAzLUP2xZVzY5zx57G
++OCR/ZXonVeAPy9/0g9N8uQzJEXOVZYMjsoRra9rdlvnY1DgDoAK7QvJMC4VzENm
+wKmz2rPrBlKaEcivubg7dwPMGNmb3f7F7w0HHuRbQd5Y0nDfEWBKCp0bVx1GLc7/
+MWjwPJs52qVJ3Ph++EF6bw==
+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.d/private/carolKey.pem
new file mode 100644
index 000000000..b91f9bf81
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.d/private/carolKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEogIBAAKCAQEAz6hOJXuUKHUgPjV50NSBSNF1nAQw8EAzXEOqjEnEgmm6DxQi
+65QvRO9Cdnhnl9r/1A00KRDsUOHxlxH5NPzHSY51hgDveYxCJzSfg7nsX6z+URIq
+8ig368gNHesYkG/2tjO1Lg4MT4MmX1cr1O0h3m7nuN9e7+TchiXkZ5Dd/6JzaXY6
+VrvS3vQ6npwUNkiE4KOzbFbDbKoZ09Y4No38SfDl84u/+ib7sccHgqA8a/iniiFY
+hQKjZcrn3siL6MHYx05SUbzf/Vpfv4z4h5hXCMiHNaPBFB8zPQBCFrQdg3hy+tnu
+y1SW4zF7CwJE4IHNwZBhNnFhTgWNHyeEfgClgwIDAQABAoIBAHXoftbRoIKIXtJz
+0sM8plwOctUvnAoOqhsNYN1fVXEnTzoYmOtirKRbpkVWgJu9Ad4J0UAwF76lTGQX
+FIV9sjqV5S09grxlY3qXaquE+i4pMA4gXro5E+eRI8GFJ+F7cX5rRcjsuRi8wyEH
+gh/YtY5zMqfKTUGxlXWmNlaH70WilianuMPNXwaKgyBGcfZdheyUggM0rYEJrG1Z
+PZqNo0JKfeI4htpENDp0k1xJ9lCjIqdNw0ZjBi+pL6hF5PYaPjlVC2yn5CzRaT1D
+nUeKUK+SVES4sPrEQtaOlk86uZC4pIz5IlEoSvaw/Yo3Gk1sQKIQMMh1crhHd0El
+U831KwECgYEA7fQY+aFk3fHabwgf9gjuPKgwetVQ8jNDWUiSqffHUC0AQfKZQQsF
+mXJeSRZomPCWG3DRz1EcqXr9f82bN295I0CI6foXZgKUmjed7Bohc0HvUqNOi2qm
+MdbdWBOaH4RBzi1fAENJZnprmq65jQ/tkfCwqIz4KaLt+8xiWmU2h6ECgYEA32gB
+UbCzs1LoJC03uGHqZFRWK/YNKOKBUw58XCnzPTA+34UupI88lPj8LD269tDtruRy
+G7wt4HjayPKtK430nKAl01IXq6ULBTByu3KrCOm/gTAycVMj4ZimTn7Qu9jyv4Lz
+Ka3rBQxB+yQWfn27dc7U+EBsA7PT53NR6Zl8CqMCgYALJYod93+AHho7ZUgKAHUY
+hlBvEJsQHXKkNhAYwjCmAtWmQTUIpPmILKFaDyCrOWnusyRA7+3FyqshV4JT4Hbu
+PdGsFDkQYEKRztUpADhc69PILTo6sa5DW2tW+uQXYdyrSdjPbFd943Iy9sheYUah
+tYKxApmFacp4JyTcUy1wwQKBgA44xLy6jvX/dR+4cS+frBgu9j1eMIBFyw3Kgkgr
+s3xVserww4NeSvEA2KzIUTqdGkRj7o+tbw43I1ZffH6lTskZuM63DyKyIv11lBgy
+uIicuMA0nUFxlXsrCIs+r3MF4I4oe+pPVALCQQEHzxbGUkSxogUbtMSXkgnN4Y0J
+ZEgZAoGAfo0nv/IeKi0KkKiPTQSGVWGAQyCpGE0UQ2RYYToT84kjXs+LrVGFH2lu
+LJvyYnSnM7eKqCFKh+kLQ3bezum56y5XTyAEipTmu7Lhp0CiVjSdnu+0QykmhKsx
+Z17Ut2ryGKOXySnlMNual4eCLq98o0iOcYPq08V6x33dhK7Z3kU=
+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..fac55d63b
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA carolKey.pem
diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..ef63f7262
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+}
diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..0168be8e1
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	left=PH_IP_DAVE
+	leftcert=daveCert.pem
+	leftsendcert=ifasked
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
+
+conn venus
+	rightsubnet=PH_IP_VENUS/32
+	auto=add
diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.d/cacerts/salesCert.pem b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.d/cacerts/salesCert.pem
new file mode 100644
index 000000000..e50477872
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.d/cacerts/salesCert.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDuzCCAqOgAwIBAgIBDTANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA1MDMyMzA2MjkxNloXDTE0MDMyMTA2MjkxNlowSzELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsTBVNhbGVz
+MREwDwYDVQQDEwhTYWxlcyBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
+ggEBAMJOTSaZjDe5UR+hJbodcE40WBxWm+r0FiD+FLc2c0hH/QcWm1Xfqnc9qaPP
+GoxO2BfwXgFEHfOdQzHGuthhsvdMPkmWP1Z3uDrwscqrmLyq4JI87exSen1ggmCV
+Eib55T4fNxrTIGJaoe6Jn9v9ZwG2B+Ur3nFA/wdckSdqJxc6XL9DKcRk3TxZtv9S
+uDftE9G787O6PJSyfyUYhldz1EZe5PTsUoAbBJ0DDXJx3562kDtfQdwezat0LAyO
+sVabYq/0G/fBZwLLer4qGF2+3CsvP7jNXnhRYeSv2+4i2mAjgbBRI1A3iqoU3Nq1
+vPAqzrekOI/RV9Hre9L1r8X1dIECAwEAAaOBrzCBrDAPBgNVHRMBAf8EBTADAQH/
+MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUX5sTRvkgcsgA1Yi1p0wul+oLkygwbQYD
+VR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNI
+MRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2Fu
+IFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQEFBQADggEBAJ7j3X20Q8ICJ2e+iUCpVUIV
+8RudUeHt9qjSXalohuxxhegL5vu7I9Gx0H56RE4glOjLMCb1xqVZ55Odxx14pHaZ
+9iMnQFpgzi96exYAmBKYCHl4IFix2hrTqTWSJhEO+o+PXnQTgcfG43GQepk0qAQr
+iZZy8OWiUhHSJQLJtTMm4rnYjgPn+sLwx7hCPDZpHTZocETDars7wTiVkodCbeEU
+uKahAbq4b6MvvC3+7quvwoEpAEStT7+Yml+QuK/jKmhjX0hcQcw4ZWi+m32RjUAv
+xDJGEvBqV2hyrzRqwh4lVNJEBba5X+QB3N6a0So6BENaJrUM3v8EDaS2KLUWyu0=
+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.d/certs/daveCert.pem
new file mode 100644
index 000000000..b76032480
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.d/certs/daveCert.pem
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIIEHDCCAwSgAwIBAgIBATANBgkqhkiG9w0BAQUFADBLMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEOMAwGA1UECxMFU2FsZXMxETAPBgNV
+BAMTCFNhbGVzIENBMB4XDTA1MDMyMzA3MTAxN1oXDTEwMDMyMjA3MTAxN1owVjEL
+MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsT
+BVNhbGVzMRwwGgYDVQQDFBNkYXZlQHN0cm9uZ3N3YW4ub3JnMIIBIjANBgkqhkiG
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyqAR0itGIuSt/RR8IHjFTLH/lywprmHUw0GS
+zZwo/q4AE4v6OeWRG3JUUg44K40yBwr7zvcsLztRTfbNqlt7o+Hjpo3kz0AMwDo+
+1V42Qkh61VJW1P0NQvkgjiQn+ElSMg1u3uiYCIMAhYMYo2ZMKxHXxRqjU79AVuJN
+P3p8wUpfwReImAy3/n685YbSzWcbPqCfjRH/YrnYS8Ga7m/QzdNfrtxhAWAGow1+
++eTSMvLXSkQeujU6OCJNOPUNB3nnJ1IoZrQm8wNP8Y5B5HzvOSyFEvNuHFc63gSP
+aSRhuz0gubuMpr1d9Rgjny8JgsfCEbOktlKwnbFeSB8AAgVMjwIDAQABo4H/MIH8
+MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSCy57rUdNRbytUkRGY
+GjmjvXfIszBtBgNVHSMEZjBkgBRfmxNG+SByyADViLWnTC6X6guTKKFJpEcwRTEL
+MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT
+EnN0cm9uZ1N3YW4gUm9vdCBDQYIBDTAeBgNVHREEFzAVgRNkYXZlQHN0cm9uZ3N3
+YW4ub3JnMDQGA1UdHwQtMCswKaAnoCWGI2h0dHA6Ly9jcmwuc3Ryb25nc3dhbi5v
+cmcvc2FsZXMuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQB+BknSxFKaDhbRVobOAU2P
+p9cirkVCitoZrvK2QIS/7WRoqy85RQ+zorJb3jyTxQl4Pu9Qrap9Zn0H8GQXGlQw
+ZJqdDqRaIa4nCc57qP5DsuQKIQRxc1QMCiWyIRAESn+r8IbxLbjvEd7ZXNsieip6
+Q15uUZldjTveHVi89i9oFWS1nWo4SV+tJaEqPBvsTZZKBPAEu6+7lRzbJ4ukzRsA
+DjuvmaPNUTyf21fD66I4sgrwgxoPhZ7r6qsqISJ5f0EzTXgYNi1yk/TXoAaot3c/
+Gu5+iyO/espV6kPADSOzPSFwsGHYG4kXi1VY0Z7x6UnjQSdEelOBplJ5XYDzEn4+
+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.d/private/daveKey.pem
new file mode 100644
index 000000000..022436de4
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.d/private/daveKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAyqAR0itGIuSt/RR8IHjFTLH/lywprmHUw0GSzZwo/q4AE4v6
+OeWRG3JUUg44K40yBwr7zvcsLztRTfbNqlt7o+Hjpo3kz0AMwDo+1V42Qkh61VJW
+1P0NQvkgjiQn+ElSMg1u3uiYCIMAhYMYo2ZMKxHXxRqjU79AVuJNP3p8wUpfwReI
+mAy3/n685YbSzWcbPqCfjRH/YrnYS8Ga7m/QzdNfrtxhAWAGow1++eTSMvLXSkQe
+ujU6OCJNOPUNB3nnJ1IoZrQm8wNP8Y5B5HzvOSyFEvNuHFc63gSPaSRhuz0gubuM
+pr1d9Rgjny8JgsfCEbOktlKwnbFeSB8AAgVMjwIDAQABAoIBAHKaRFoVpa6Ynpu0
+mVwYUqdFSaVsEgsSRC9HiEuIllsteNeVZSqX4BGhAXYDmttvGauIF9IAVNpF939c
+JwjCg1S2r3aFbLOXq16R0vYFOjUVH3xF/NysX3LQywv6AS1Z8wZiOKIU9eBij8nz
+0tygQFZf2iUeIuB8HFzH1B8iHSuI7qn6hh1Y9Zgx4kWYL9I+WYefbR906xveHVGq
+8VrgHtBAn1WeWg7FoN1VURW0s1bxkiWtpF9x9OMmwK4qR8HSCilss59V1eJrAAR0
+3FGdWwbbGg9hW0adnyDCtoaYW3r0WcXwqklyas4C+dClOpUInn8kZisoghQYT92u
+U2QeDzECgYEA5Rv7+rP9HX1pNd9NQwOyIHztv4jfx60gybioogtCeRZUwPQ3GtXJ
+Q0ouBxCVLdyCImIKcvd2q2b9HZE8tvOHBA/YxofH4miEN5GWA4aL+LcGrxIbxPWs
+MEkxgQwsyK7lWH47fG7eW86LMx0VikFXS1EeeZZS3f3Avaww1uRtXecCgYEA4mhS
+sAClZamGVWQ7VXCHuS4xHn/gPA4TCyoR5l9g9pwregGKxsROQVIFQCDMd9eTtS6B
+oqoUTHdg0TlujHVUojdwHtgDaqDMTk+RXD9qy2Wob9HQVBlIwgijoLb+OjwdoAj7
+1OQx8FmMjAlMmlyJ50e1FnbNJFEJ1EMgV5QxtxkCgYEArdUeyehYy1BFTJ/CIm+i
+bm37gdDbYchlUUivgkuiwvcDlWd2jADbdRfKdofJeIOPpYDXxsUmIATDVfTFqVZ7
+AcT4SCHrskh00SjANqqWdz5/bsQBl96DKBvQ2MYhEJ9K2mrkvZPtWKENEtolZsIO
+9tF0mvJIq7CF1iPY5qNoq88CgYEAoZhELErJwl3U+22my7ydopZNiK9MpJCHFxjX
+3c2Fr36XqWUgX+4MzKJ2DOdcCM1dJ5wh+q/Z/RnXiH2tYaL83SskY19aUOij6eDw
+px68YqAUMHtYbi39uD/iSftSSM5PdsHyvGiDHEFOB0U735Dc/K45mecBVEJi+ZVP
+qDKlqUECgYA1DcGOWM3P3XdB7zKy47LcankMtFZozEOLTUdGJRlmWrLdcRlZPKjt
+/ALripehesp1++VtmttWQJX7uI3gveD07/tSKeMHmIoKappjRTrcaA7Pa5+z/xS/
+UhRmZUFOJwNLzy3jdv5f2c/5SIz6o4Ae3I+Zb+IapHL+lBv146/I5g==
+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..ef63f7262
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+}
diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..d0240a333
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,34 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+ca strongswan
+	cacert=strongswanCert.pem
+	crluri=http://crl.strongswan.org/strongswan.crl
+	auto=add
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftsendcert=ifasked
+	leftid=@moon.strongswan.org
+
+conn alice
+	leftsubnet=PH_IP_ALICE/32
+	right=%any
+	rightca="C=CH, O=Linux strongSwan, OU=Research, CN=Research CA"
+	auto=add
+	
+conn venus
+	leftsubnet=PH_IP_VENUS/32
+	right=%any
+	rightca="C=CH, O=Linux strongSwan, OU=Sales, CN=Sales CA"
+	auto=add
diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..ef63f7262
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+}
diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/posttest.dat b/testing/tests/ikev2/multi-level-ca-cr-resp/posttest.dat
new file mode 100644
index 000000000..24cd041ed
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-cr-resp/posttest.dat
@@ -0,0 +1,5 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+carol::rm /etc/ipsec.d/cacerts/*
+dave::rm /etc/ipsec.d/cacerts/*
diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/pretest.dat b/testing/tests/ikev2/multi-level-ca-cr-resp/pretest.dat
new file mode 100644
index 000000000..f15265e32
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-cr-resp/pretest.dat
@@ -0,0 +1,7 @@
+moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+carol::ipsec start
+dave::ipsec start
+moon::ipsec start
+carol::sleep 2
+carol::ipsec up alice
+dave::ipsec up venus
diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/test.conf b/testing/tests/ikev2/multi-level-ca-cr-resp/test.conf
new file mode 100644
index 000000000..08e5cc145
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-cr-resp/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice venus moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf
index 1949d3abc..c234f3a32 100644
--- a/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = ldap aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = ldap aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf
index 1949d3abc..c234f3a32 100644
--- a/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = ldap aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = ldap aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf
index 1949d3abc..c234f3a32 100644
--- a/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = ldap aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = ldap aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/nat-one-rw/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/nat-one-rw/hosts/alice/etc/strongswan.conf
index ca22de61f..29dcd052c 100644
--- a/testing/tests/ikev2/nat-one-rw/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/nat-one-rw/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  keep_alive = 1d 
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/nat-one-rw/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/nat-one-rw/hosts/sun/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/nat-one-rw/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/nat-one-rw/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/nat-two-rw-psk/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/nat-two-rw-psk/hosts/alice/etc/strongswan.conf
index c252ebde6..27f03d4a3 100644
--- a/testing/tests/ikev2/nat-two-rw-psk/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/nat-two-rw-psk/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke
+  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/nat-two-rw-psk/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/nat-two-rw-psk/hosts/sun/etc/strongswan.conf
index c252ebde6..27f03d4a3 100644
--- a/testing/tests/ikev2/nat-two-rw-psk/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/nat-two-rw-psk/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke
+  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/nat-two-rw-psk/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2/nat-two-rw-psk/hosts/venus/etc/strongswan.conf
index c252ebde6..27f03d4a3 100644
--- a/testing/tests/ikev2/nat-two-rw-psk/hosts/venus/etc/strongswan.conf
+++ b/testing/tests/ikev2/nat-two-rw-psk/hosts/venus/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke
+  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/nat-two-rw/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/nat-two-rw/hosts/alice/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/nat-two-rw/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/nat-two-rw/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/nat-two-rw/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/nat-two-rw/hosts/sun/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/nat-two-rw/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/nat-two-rw/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/nat-two-rw/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2/nat-two-rw/hosts/venus/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/nat-two-rw/hosts/venus/etc/strongswan.conf
+++ b/testing/tests/ikev2/nat-two-rw/hosts/venus/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/net2net-psk/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-psk/hosts/moon/etc/strongswan.conf
index c252ebde6..27f03d4a3 100644
--- a/testing/tests/ikev2/net2net-psk/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-psk/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke
+  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/net2net-psk/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-psk/hosts/sun/etc/strongswan.conf
index c252ebde6..27f03d4a3 100644
--- a/testing/tests/ikev2/net2net-psk/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-psk/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke
+  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/net2net-route/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-route/hosts/moon/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/net2net-route/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-route/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/net2net-route/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-route/hosts/sun/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/net2net-route/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-route/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/net2net-start/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-start/hosts/moon/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/net2net-start/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-start/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/net2net-start/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-start/hosts/sun/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/net2net-start/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-start/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/ocsp-root-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-root-cert/hosts/carol/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/ocsp-root-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-root-cert/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/ocsp-root-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-root-cert/hosts/moon/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/ocsp-root-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-root-cert/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/ocsp-signer-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-signer-cert/hosts/moon/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/ocsp-signer-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-signer-cert/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/protoport-dual/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/protoport-dual/hosts/carol/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/protoport-dual/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/protoport-dual/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/protoport-dual/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/protoport-dual/hosts/moon/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/protoport-dual/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/protoport-dual/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/protoport-route/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/protoport-route/hosts/carol/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/protoport-route/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/protoport-route/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/protoport-route/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/protoport-route/hosts/moon/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/protoport-route/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/protoport-route/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/reauth-early/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/reauth-early/hosts/carol/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/reauth-early/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/reauth-early/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/reauth-early/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/reauth-early/hosts/moon/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/reauth-early/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/reauth-early/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/reauth-late/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/reauth-late/hosts/carol/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/reauth-late/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/reauth-late/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/reauth-late/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/reauth-late/hosts/moon/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/reauth-late/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/reauth-late/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/rw-eap-aka-identity/description.txt b/testing/tests/ikev2/rw-eap-aka-identity/description.txt
new file mode 100644
index 000000000..e7d2c784a
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-aka-identity/description.txt
@@ -0,0 +1,8 @@
+The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
+<b>carol</b> uses the <i>Extensible Authentication Protocol</i>
+in association with the <i>Authentication and Key Agreement</i> protocol
+(<b>EAP-AKA</b>) to authenticate against the gateway. This protocol is used
+in UMTS, but here a secret from <b>ipsec.secrets</b> is used instead of a USIM/(R)UIM.
+In addition to her IKEv2 identity <b>carol@strongswan.org</b>, roadwarrior <b>carol</b>
+uses the EAP identy <b>carol</b>. Gateway <b>moon</b> additionaly uses an <b>RSA signature</b>
+to authenticate itself against <b>carol</b>.
diff --git a/testing/tests/ikev2/rw-eap-aka-identity/evaltest.dat b/testing/tests/ikev2/rw-eap-aka-identity/evaltest.dat
new file mode 100644
index 000000000..5d0b469bf
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-aka-identity/evaltest.dat
@@ -0,0 +1,11 @@
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+moon::cat /var/log/daemon.log::using EAP identity.*carol::YES
+moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon::ipsec statusall::rw-eapaka.*ESTABLISHED::YES
+carol::ipsec statusall::home.*ESTABLISHED::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+
+
diff --git a/testing/tests/ikev2/rw-eap-aka-identity/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-aka-identity/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..8cffbe3b3
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-aka-identity/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	authby=eap
+
+conn home
+	left=PH_IP_CAROL
+	leftnexthop=%direct
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	eap_identity=carol
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-aka-identity/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-aka-identity/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..44ba3fa25
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-aka-identity/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol : EAP "Ar3etTnp01qlpOgb"
diff --git a/testing/tests/ikev2/rw-eap-aka-identity/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-aka-identity/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..2f86e72e4
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-aka-identity/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink fips-prf eapaka eapidentity
+}
diff --git a/testing/tests/ikev2/rw-eap-aka-identity/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-aka-identity/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..350fc48b6
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-aka-identity/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,26 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn rw-eapaka
+	authby=rsasig
+	eap=aka
+	eap_identity=%identity
+	left=PH_IP_MOON
+	leftsubnet=10.1.0.0/16
+	leftid=@moon.strongswan.org
+	leftcert=moonCert.pem
+	leftfirewall=yes
+	rightid=*@strongswan.org
+	rightsendcert=never
+	right=%any
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-aka-identity/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-aka-identity/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..3868b62f4
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-aka-identity/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,5 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
+
+carol : EAP "Ar3etTnp01qlpOgb"
diff --git a/testing/tests/ikev2/rw-eap-aka-identity/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-aka-identity/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..2f86e72e4
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-aka-identity/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink fips-prf eapaka eapidentity
+}
diff --git a/testing/tests/ikev2/rw-eap-aka-identity/posttest.dat b/testing/tests/ikev2/rw-eap-aka-identity/posttest.dat
new file mode 100644
index 000000000..94a400606
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-aka-identity/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-aka-identity/pretest.dat b/testing/tests/ikev2/rw-eap-aka-identity/pretest.dat
new file mode 100644
index 000000000..ed5498bfe
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-aka-identity/pretest.dat
@@ -0,0 +1,7 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+carol::sleep 1
+carol::ipsec up home
+carol::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-aka-identity/test.conf b/testing/tests/ikev2/rw-eap-aka-identity/test.conf
new file mode 100644
index 000000000..2bd21499b
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-aka-identity/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice carol moon"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf
index f699d5e27..e8bba1170 100644
--- a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke fips-prf eapaka
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink fips-prf eapaka
 }
diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf
index f699d5e27..e8bba1170 100644
--- a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke fips-prf eapaka
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink fips-prf eapaka
 }
diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf
index 3a359eff2..3c749d01f 100644
--- a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke fips-prf eapmd5
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink fips-prf eapmd5
 }
diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf
index 3a359eff2..3c749d01f 100644
--- a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke fips-prf eapmd5
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink fips-prf eapmd5
 }
diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf
index 8812814d6..d1adc88e7 100644
--- a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke fips-prf eapsim
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink fips-prf eapsim eapsim-file
 }
diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf
index 8812814d6..d1adc88e7 100644
--- a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke fips-prf eapsim
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink fips-prf eapsim eapsim-file
 }
diff --git a/testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/strongswan.conf
index af0f9953b..ace98d1ef 100644
--- a/testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/strongswan.conf
index af0f9953b..ace98d1ef 100644
--- a/testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/strongswan.conf
index af0f9953b..ace98d1ef 100644
--- a/testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/rw-psk-fqdn/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-fqdn/hosts/carol/etc/strongswan.conf
index c252ebde6..27f03d4a3 100644
--- a/testing/tests/ikev2/rw-psk-fqdn/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-fqdn/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke
+  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/rw-psk-fqdn/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-fqdn/hosts/dave/etc/strongswan.conf
index c252ebde6..27f03d4a3 100644
--- a/testing/tests/ikev2/rw-psk-fqdn/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-fqdn/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke
+  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/rw-psk-fqdn/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-fqdn/hosts/moon/etc/strongswan.conf
index c252ebde6..27f03d4a3 100644
--- a/testing/tests/ikev2/rw-psk-fqdn/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-fqdn/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke
+  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
index c252ebde6..27f03d4a3 100644
--- a/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke
+  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
index c252ebde6..27f03d4a3 100644
--- a/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke
+  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
index c252ebde6..27f03d4a3 100644
--- a/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke
+  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/rw-psk-no-idr/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-no-idr/hosts/carol/etc/strongswan.conf
index c252ebde6..27f03d4a3 100644
--- a/testing/tests/ikev2/rw-psk-no-idr/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-no-idr/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke
+  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/rw-psk-no-idr/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-no-idr/hosts/dave/etc/strongswan.conf
index c252ebde6..27f03d4a3 100644
--- a/testing/tests/ikev2/rw-psk-no-idr/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-no-idr/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke
+  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/rw-psk-no-idr/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-no-idr/hosts/moon/etc/strongswan.conf
index c252ebde6..27f03d4a3 100644
--- a/testing/tests/ikev2/rw-psk-no-idr/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-no-idr/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke
+  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/two-certs/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/two-certs/hosts/carol/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/two-certs/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/two-certs/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/two-certs/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/two-certs/hosts/dave/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/two-certs/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/two-certs/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/two-certs/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/two-certs/hosts/moon/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/two-certs/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/two-certs/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/virtual-ip-override/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/virtual-ip-override/hosts/carol/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/virtual-ip-override/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/virtual-ip-override/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/virtual-ip-override/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/virtual-ip-override/hosts/dave/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/virtual-ip-override/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/virtual-ip-override/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/virtual-ip-override/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/virtual-ip-override/hosts/moon/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/virtual-ip-override/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/virtual-ip-override/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/virtual-ip/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/virtual-ip/hosts/carol/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/virtual-ip/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/virtual-ip/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/virtual-ip/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/virtual-ip/hosts/dave/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/virtual-ip/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/virtual-ip/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/virtual-ip/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/virtual-ip/hosts/moon/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/virtual-ip/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/virtual-ip/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/wildcards/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/wildcards/hosts/carol/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/wildcards/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/wildcards/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/wildcards/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/wildcards/hosts/dave/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/wildcards/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/wildcards/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/wildcards/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/wildcards/hosts/moon/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ikev2/wildcards/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/wildcards/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/description.txt b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/description.txt
new file mode 100644
index 000000000..62fff0b30
--- /dev/null
+++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/description.txt
@@ -0,0 +1,4 @@
+An IPv6 ESP tunnel connection between the gateways <b>moon</b> and <b>sun</b> is successfully set up.
+It connects the two IPv4 subnets hiding behind their respective gateways. The authentication is based on
+X.509 certificates. In order to test the IPv4-over-IPv6 ESP tunnel, client <b>alice</b> behind <b>moon</b>
+sends an IPv4 ICMP request to client <b>bob</b> behind <b>sun</b> using the ping command.
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/evaltest.dat b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/evaltest.dat
new file mode 100644
index 000000000..76c138e63
--- /dev/null
+++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/evaltest.dat
@@ -0,0 +1,5 @@
+moon::ipsec status::net-net.*INSTALLED::YES
+sun::ipsec status::net.net.*INSTALLED::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES
+sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/init.d/iptables b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/init.d/iptables
new file mode 100755
index 000000000..25074a0f1
--- /dev/null
+++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/init.d/iptables
@@ -0,0 +1,107 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+	before net
+	need logger
+}
+
+start() {
+	ebegin "Starting firewall"
+
+	# enable IP forwarding
+	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
+	echo 1 > /proc/sys/net/ipv4/ip_forward
+	
+	# default policy is DROP
+	/sbin/iptables -P INPUT DROP
+	/sbin/iptables -P OUTPUT DROP
+	/sbin/iptables -P FORWARD DROP
+
+	/sbin/ip6tables -P INPUT DROP
+	/sbin/ip6tables -P OUTPUT DROP
+	/sbin/ip6tables -P FORWARD DROP
+
+	# allow esp
+	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
+	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+	# allow IKE
+	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+	# allow MobIKE
+	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+	# allow last UDP fragment
+	ip6tables -A INPUT -i eth0 -p udp -m frag --fraglast -j ACCEPT
+
+	# allow ICMPv6 neighbor-solicitations
+	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+	
+	# allow ICMPv6 neighbor-advertisements
+	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+
+	# allow crl fetch from winnetou
+	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+	# allow ssh
+	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
+	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+	# log dropped packets
+	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
+	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
+
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/ip6tables -F -t $a
+			/sbin/ip6tables -X -t $a
+
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+	
+			if [ $a == nat ]; then
+				/sbin/iptables -t nat -P PREROUTING ACCEPT
+				/sbin/iptables -t nat -P POSTROUTING ACCEPT
+				/sbin/iptables -t nat -P OUTPUT ACCEPT
+			elif [ $a == mangle ]; then
+				/sbin/iptables -t mangle -P PREROUTING ACCEPT
+				/sbin/iptables -t mangle -P INPUT ACCEPT
+				/sbin/iptables -t mangle -P FORWARD ACCEPT
+				/sbin/iptables -t mangle -P OUTPUT ACCEPT
+				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
+			elif [ $a == filter ]; then
+				/sbin/ip6tables -t filter -P INPUT ACCEPT
+				/sbin/ip6tables -t filter -P FORWARD ACCEPT
+				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
+
+				/sbin/iptables -t filter -P INPUT ACCEPT
+				/sbin/iptables -t filter -P FORWARD ACCEPT
+				/sbin/iptables -t filter -P OUTPUT ACCEPT
+			fi
+		done
+	eend $?
+}
+
+reload() {
+	ebegin "Flushing firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/ip6tables -F -t $a
+			/sbin/ip6tables -X -t $a
+		done;
+        eend $?
+	start
+}
+
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..ddc965c01
--- /dev/null
+++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,27 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	strictcrlpolicy=no
+	crlcheckinterval=180
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	mobike=no
+
+conn net-net
+	also=host-host
+	leftsubnet=10.1.0.0/16
+	rightsubnet=10.2.0.0/16
+
+conn host-host
+	left=PH_IP6_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	right=PH_IP6_SUN
+	rightid=@sun.strongswan.org
+	auto=add
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..ef63f7262
--- /dev/null
+++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+}
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/init.d/iptables b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/init.d/iptables
new file mode 100755
index 000000000..25074a0f1
--- /dev/null
+++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/init.d/iptables
@@ -0,0 +1,107 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+	before net
+	need logger
+}
+
+start() {
+	ebegin "Starting firewall"
+
+	# enable IP forwarding
+	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
+	echo 1 > /proc/sys/net/ipv4/ip_forward
+	
+	# default policy is DROP
+	/sbin/iptables -P INPUT DROP
+	/sbin/iptables -P OUTPUT DROP
+	/sbin/iptables -P FORWARD DROP
+
+	/sbin/ip6tables -P INPUT DROP
+	/sbin/ip6tables -P OUTPUT DROP
+	/sbin/ip6tables -P FORWARD DROP
+
+	# allow esp
+	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
+	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+	# allow IKE
+	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+	# allow MobIKE
+	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+	# allow last UDP fragment
+	ip6tables -A INPUT -i eth0 -p udp -m frag --fraglast -j ACCEPT
+
+	# allow ICMPv6 neighbor-solicitations
+	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+	
+	# allow ICMPv6 neighbor-advertisements
+	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+
+	# allow crl fetch from winnetou
+	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+	# allow ssh
+	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
+	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+	# log dropped packets
+	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
+	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
+
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/ip6tables -F -t $a
+			/sbin/ip6tables -X -t $a
+
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+	
+			if [ $a == nat ]; then
+				/sbin/iptables -t nat -P PREROUTING ACCEPT
+				/sbin/iptables -t nat -P POSTROUTING ACCEPT
+				/sbin/iptables -t nat -P OUTPUT ACCEPT
+			elif [ $a == mangle ]; then
+				/sbin/iptables -t mangle -P PREROUTING ACCEPT
+				/sbin/iptables -t mangle -P INPUT ACCEPT
+				/sbin/iptables -t mangle -P FORWARD ACCEPT
+				/sbin/iptables -t mangle -P OUTPUT ACCEPT
+				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
+			elif [ $a == filter ]; then
+				/sbin/ip6tables -t filter -P INPUT ACCEPT
+				/sbin/ip6tables -t filter -P FORWARD ACCEPT
+				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
+
+				/sbin/iptables -t filter -P INPUT ACCEPT
+				/sbin/iptables -t filter -P FORWARD ACCEPT
+				/sbin/iptables -t filter -P OUTPUT ACCEPT
+			fi
+		done
+	eend $?
+}
+
+reload() {
+	ebegin "Flushing firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/ip6tables -F -t $a
+			/sbin/ip6tables -X -t $a
+		done;
+        eend $?
+	start
+}
+
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/ipsec.conf
new file mode 100755
index 000000000..b02136ffe
--- /dev/null
+++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,27 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	strictcrlpolicy=no
+	crlcheckinterval=180
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	mobike=no
+
+conn net-net
+	also=host-host
+	leftsubnet=10.2.0.0/16
+	rightsubnet=10.1.0.0/16
+
+conn host-host
+	left=PH_IP6_SUN
+	leftcert=sunCert.pem
+	leftid=@sun.strongswan.org
+	right=PH_IP6_MOON
+	rightid=@moon.strongswan.org
+	auto=add
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..ef63f7262
--- /dev/null
+++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+}
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/posttest.dat b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/posttest.dat
new file mode 100644
index 000000000..dff181797
--- /dev/null
+++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/posttest.dat
@@ -0,0 +1,2 @@
+moon::ipsec stop
+sun::ipsec stop
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/pretest.dat b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/pretest.dat
new file mode 100644
index 000000000..071827b66
--- /dev/null
+++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/pretest.dat
@@ -0,0 +1,6 @@
+moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+sun::echo 1 > /proc/sys/net/ipv4/ip_forward
+moon::ipsec start
+sun::ipsec start
+moon::sleep 2 
+moon::ipsec up net-net
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/test.conf b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/test.conf
new file mode 100644
index 000000000..cab801a1c
--- /dev/null
+++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon winnetou sun bob"
+ 
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b-ip4-in-ip6.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/description.txt b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/description.txt
new file mode 100644
index 000000000..5952ecc2d
--- /dev/null
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/description.txt
@@ -0,0 +1,6 @@
+An IPv6 ESP tunnel connection between the gateways <b>moon</b> and <b>sun</b> is successfully set up.
+It connects the two subnets hiding behind their respective gateways. The authentication is based on
+X.509 certificates. Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b>
+automatically inserts ip6tables-based firewall rules that let pass the tunneled traffic.
+In order to test both the net-to-net tunnel and the firewall rules, client <b>alice</b> behind <b>moon</b>
+sends an IPv6 ICMP request to client <b>bob</b> behind <b>sun</b> using the ping6 command.
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/evaltest.dat b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/evaltest.dat
new file mode 100644
index 000000000..833553f27
--- /dev/null
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/evaltest.dat
@@ -0,0 +1,5 @@
+moon::ipsec status::net-net.*INSTALLED::YES
+sun::ipsec status::net.net.*INSTALLED::YES
+alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org: icmp_seq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/init.d/iptables b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/init.d/iptables
new file mode 100755
index 000000000..25074a0f1
--- /dev/null
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/init.d/iptables
@@ -0,0 +1,107 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+	before net
+	need logger
+}
+
+start() {
+	ebegin "Starting firewall"
+
+	# enable IP forwarding
+	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
+	echo 1 > /proc/sys/net/ipv4/ip_forward
+	
+	# default policy is DROP
+	/sbin/iptables -P INPUT DROP
+	/sbin/iptables -P OUTPUT DROP
+	/sbin/iptables -P FORWARD DROP
+
+	/sbin/ip6tables -P INPUT DROP
+	/sbin/ip6tables -P OUTPUT DROP
+	/sbin/ip6tables -P FORWARD DROP
+
+	# allow esp
+	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
+	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+	# allow IKE
+	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+	# allow MobIKE
+	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+	# allow last UDP fragment
+	ip6tables -A INPUT -i eth0 -p udp -m frag --fraglast -j ACCEPT
+
+	# allow ICMPv6 neighbor-solicitations
+	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+	
+	# allow ICMPv6 neighbor-advertisements
+	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+
+	# allow crl fetch from winnetou
+	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+	# allow ssh
+	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
+	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+	# log dropped packets
+	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
+	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
+
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/ip6tables -F -t $a
+			/sbin/ip6tables -X -t $a
+
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+	
+			if [ $a == nat ]; then
+				/sbin/iptables -t nat -P PREROUTING ACCEPT
+				/sbin/iptables -t nat -P POSTROUTING ACCEPT
+				/sbin/iptables -t nat -P OUTPUT ACCEPT
+			elif [ $a == mangle ]; then
+				/sbin/iptables -t mangle -P PREROUTING ACCEPT
+				/sbin/iptables -t mangle -P INPUT ACCEPT
+				/sbin/iptables -t mangle -P FORWARD ACCEPT
+				/sbin/iptables -t mangle -P OUTPUT ACCEPT
+				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
+			elif [ $a == filter ]; then
+				/sbin/ip6tables -t filter -P INPUT ACCEPT
+				/sbin/ip6tables -t filter -P FORWARD ACCEPT
+				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
+
+				/sbin/iptables -t filter -P INPUT ACCEPT
+				/sbin/iptables -t filter -P FORWARD ACCEPT
+				/sbin/iptables -t filter -P OUTPUT ACCEPT
+			fi
+		done
+	eend $?
+}
+
+reload() {
+	ebegin "Flushing firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/ip6tables -F -t $a
+			/sbin/ip6tables -X -t $a
+		done;
+        eend $?
+	start
+}
+
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..468322544
--- /dev/null
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	strictcrlpolicy=no
+	crlcheckinterval=180
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	mobike=no
+
+conn net-net 
+	left=PH_IP_MOON
+	leftsubnet=fec1::0/16
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	right=PH_IP_SUN
+	rightsubnet=fec2::0/16
+	rightid=@sun.strongswan.org
+	auto=add
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..9aedf04b9
--- /dev/null
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  install_routes = no
+}
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/init.d/iptables b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/init.d/iptables
new file mode 100755
index 000000000..25074a0f1
--- /dev/null
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/init.d/iptables
@@ -0,0 +1,107 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+	before net
+	need logger
+}
+
+start() {
+	ebegin "Starting firewall"
+
+	# enable IP forwarding
+	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
+	echo 1 > /proc/sys/net/ipv4/ip_forward
+	
+	# default policy is DROP
+	/sbin/iptables -P INPUT DROP
+	/sbin/iptables -P OUTPUT DROP
+	/sbin/iptables -P FORWARD DROP
+
+	/sbin/ip6tables -P INPUT DROP
+	/sbin/ip6tables -P OUTPUT DROP
+	/sbin/ip6tables -P FORWARD DROP
+
+	# allow esp
+	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
+	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+	# allow IKE
+	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+	# allow MobIKE
+	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+	# allow last UDP fragment
+	ip6tables -A INPUT -i eth0 -p udp -m frag --fraglast -j ACCEPT
+
+	# allow ICMPv6 neighbor-solicitations
+	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+	
+	# allow ICMPv6 neighbor-advertisements
+	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+
+	# allow crl fetch from winnetou
+	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+	# allow ssh
+	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
+	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+	# log dropped packets
+	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
+	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
+
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/ip6tables -F -t $a
+			/sbin/ip6tables -X -t $a
+
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+	
+			if [ $a == nat ]; then
+				/sbin/iptables -t nat -P PREROUTING ACCEPT
+				/sbin/iptables -t nat -P POSTROUTING ACCEPT
+				/sbin/iptables -t nat -P OUTPUT ACCEPT
+			elif [ $a == mangle ]; then
+				/sbin/iptables -t mangle -P PREROUTING ACCEPT
+				/sbin/iptables -t mangle -P INPUT ACCEPT
+				/sbin/iptables -t mangle -P FORWARD ACCEPT
+				/sbin/iptables -t mangle -P OUTPUT ACCEPT
+				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
+			elif [ $a == filter ]; then
+				/sbin/ip6tables -t filter -P INPUT ACCEPT
+				/sbin/ip6tables -t filter -P FORWARD ACCEPT
+				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
+
+				/sbin/iptables -t filter -P INPUT ACCEPT
+				/sbin/iptables -t filter -P FORWARD ACCEPT
+				/sbin/iptables -t filter -P OUTPUT ACCEPT
+			fi
+		done
+	eend $?
+}
+
+reload() {
+	ebegin "Flushing firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/ip6tables -F -t $a
+			/sbin/ip6tables -X -t $a
+		done;
+        eend $?
+	start
+}
+
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/ipsec.conf
new file mode 100755
index 000000000..03b7bc680
--- /dev/null
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	strictcrlpolicy=no
+	crlcheckinterval=180
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	mobike=no
+
+conn net-net
+	left=PH_IP_SUN
+	leftsubnet=fec2::0/16
+	leftcert=sunCert.pem
+	leftid=@sun.strongswan.org
+	right=PH_IP_MOON
+	rightsubnet=fec1::0/16
+	rightid=@moon.strongswan.org
+	auto=add
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..d6774b266
--- /dev/null
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  install_routes=no
+}
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/posttest.dat b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/posttest.dat
new file mode 100644
index 000000000..7a8af32bc
--- /dev/null
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+sun::ipsec stop
+alice::"ip route del fec2:\:/16 via fec1:\:1"
+moon::"ip route del fec2:\:/16 via fec0:\:2" 
+sun::"ip route del fec1:\:/16 via fec0:\:1" 
+bob::"ip route del fec1:\:/16 via fec2:\:1"
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/pretest.dat b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/pretest.dat
new file mode 100644
index 000000000..ae300697e
--- /dev/null
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/pretest.dat
@@ -0,0 +1,10 @@
+moon::echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
+sun::echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
+alice::"ip route add fec2:\:/16 via fec1:\:1"
+moon::"ip route add fec2:\:/16 via fec0:\:2" 
+sun::"ip route add fec1:\:/16 via fec0:\:1" 
+bob::"ip route add fec1:\:/16 via fec2:\:1"
+moon::ipsec start
+sun::ipsec start
+moon::sleep 2 
+moon::ipsec up net-net
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/test.conf b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/test.conf
new file mode 100644
index 000000000..d5d55c749
--- /dev/null
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon winnetou sun bob"
+ 
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b-ip6-in-ip4.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/ipv6/net2net-ipv4-ikev2/description.txt b/testing/tests/ipv6/net2net-ipv4-ikev2/description.txt
deleted file mode 100644
index 62fff0b30..000000000
--- a/testing/tests/ipv6/net2net-ipv4-ikev2/description.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-An IPv6 ESP tunnel connection between the gateways <b>moon</b> and <b>sun</b> is successfully set up.
-It connects the two IPv4 subnets hiding behind their respective gateways. The authentication is based on
-X.509 certificates. In order to test the IPv4-over-IPv6 ESP tunnel, client <b>alice</b> behind <b>moon</b>
-sends an IPv4 ICMP request to client <b>bob</b> behind <b>sun</b> using the ping command.
diff --git a/testing/tests/ipv6/net2net-ipv4-ikev2/evaltest.dat b/testing/tests/ipv6/net2net-ipv4-ikev2/evaltest.dat
deleted file mode 100644
index 76c138e63..000000000
--- a/testing/tests/ipv6/net2net-ipv4-ikev2/evaltest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::ipsec status::net-net.*INSTALLED::YES
-sun::ipsec status::net.net.*INSTALLED::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES
-sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6/net2net-ipv4-ikev2/hosts/moon/etc/init.d/iptables b/testing/tests/ipv6/net2net-ipv4-ikev2/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 25074a0f1..000000000
--- a/testing/tests/ipv6/net2net-ipv4-ikev2/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,107 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow last UDP fragment
-	ip6tables -A INPUT -i eth0 -p udp -m frag --fraglast -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/net2net-ipv4-ikev2/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/net2net-ipv4-ikev2/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index ddc965c01..000000000
--- a/testing/tests/ipv6/net2net-ipv4-ikev2/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,27 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	strictcrlpolicy=no
-	crlcheckinterval=180
-	plutostart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-	mobike=no
-
-conn net-net
-	also=host-host
-	leftsubnet=10.1.0.0/16
-	rightsubnet=10.2.0.0/16
-
-conn host-host
-	left=PH_IP6_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	right=PH_IP6_SUN
-	rightid=@sun.strongswan.org
-	auto=add
diff --git a/testing/tests/ipv6/net2net-ipv4-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/net2net-ipv4-ikev2/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index ca22de61f..000000000
--- a/testing/tests/ipv6/net2net-ipv4-ikev2/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
-}
diff --git a/testing/tests/ipv6/net2net-ipv4-ikev2/hosts/sun/etc/init.d/iptables b/testing/tests/ipv6/net2net-ipv4-ikev2/hosts/sun/etc/init.d/iptables
deleted file mode 100755
index 25074a0f1..000000000
--- a/testing/tests/ipv6/net2net-ipv4-ikev2/hosts/sun/etc/init.d/iptables
+++ /dev/null
@@ -1,107 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow last UDP fragment
-	ip6tables -A INPUT -i eth0 -p udp -m frag --fraglast -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/net2net-ipv4-ikev2/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6/net2net-ipv4-ikev2/hosts/sun/etc/ipsec.conf
deleted file mode 100755
index b02136ffe..000000000
--- a/testing/tests/ipv6/net2net-ipv4-ikev2/hosts/sun/etc/ipsec.conf
+++ /dev/null
@@ -1,27 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	strictcrlpolicy=no
-	crlcheckinterval=180
-	plutostart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-	mobike=no
-
-conn net-net
-	also=host-host
-	leftsubnet=10.2.0.0/16
-	rightsubnet=10.1.0.0/16
-
-conn host-host
-	left=PH_IP6_SUN
-	leftcert=sunCert.pem
-	leftid=@sun.strongswan.org
-	right=PH_IP6_MOON
-	rightid=@moon.strongswan.org
-	auto=add
diff --git a/testing/tests/ipv6/net2net-ipv4-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/net2net-ipv4-ikev2/hosts/sun/etc/strongswan.conf
deleted file mode 100644
index ca22de61f..000000000
--- a/testing/tests/ipv6/net2net-ipv4-ikev2/hosts/sun/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
-}
diff --git a/testing/tests/ipv6/net2net-ipv4-ikev2/posttest.dat b/testing/tests/ipv6/net2net-ipv4-ikev2/posttest.dat
deleted file mode 100644
index dff181797..000000000
--- a/testing/tests/ipv6/net2net-ipv4-ikev2/posttest.dat
+++ /dev/null
@@ -1,2 +0,0 @@
-moon::ipsec stop
-sun::ipsec stop
diff --git a/testing/tests/ipv6/net2net-ipv4-ikev2/pretest.dat b/testing/tests/ipv6/net2net-ipv4-ikev2/pretest.dat
deleted file mode 100644
index 071827b66..000000000
--- a/testing/tests/ipv6/net2net-ipv4-ikev2/pretest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-sun::echo 1 > /proc/sys/net/ipv4/ip_forward
-moon::ipsec start
-sun::ipsec start
-moon::sleep 2 
-moon::ipsec up net-net
diff --git a/testing/tests/ipv6/net2net-ipv4-ikev2/test.conf b/testing/tests/ipv6/net2net-ipv4-ikev2/test.conf
deleted file mode 100644
index 991d884db..000000000
--- a/testing/tests/ipv6/net2net-ipv4-ikev2/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon winnetou sun bob"
- 
-# Corresponding block diagram
-#
-DIAGRAM="a-m-w-s-b-ip6.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="sun"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon sun"
diff --git a/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/strongswan.conf b/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/strongswan.conf b/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/strongswan.conf b/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/strongswan.conf
index c252ebde6..27f03d4a3 100644
--- a/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke
+  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/strongswan.conf b/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/strongswan.conf
index c252ebde6..27f03d4a3 100644
--- a/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke
+  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/strongswan.conf
index c252ebde6..27f03d4a3 100644
--- a/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke
+  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/openssl/ecdsa-certs/hosts/carol/etc/strongswan.conf b/testing/tests/openssl/ecdsa-certs/hosts/carol/etc/strongswan.conf
index 8c610d28a..90e0cb9f8 100644
--- a/testing/tests/openssl/ecdsa-certs/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl/ecdsa-certs/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl openssl random x509 pubkey hmac stroke
+  load = curl openssl random x509 pubkey hmac stroke kernel-netlink
 }
diff --git a/testing/tests/openssl/ecdsa-certs/hosts/dave/etc/strongswan.conf b/testing/tests/openssl/ecdsa-certs/hosts/dave/etc/strongswan.conf
index 8c610d28a..90e0cb9f8 100644
--- a/testing/tests/openssl/ecdsa-certs/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl/ecdsa-certs/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl openssl random x509 pubkey hmac stroke
+  load = curl openssl random x509 pubkey hmac stroke kernel-netlink
 }
diff --git a/testing/tests/openssl/ecdsa-certs/hosts/moon/etc/strongswan.conf b/testing/tests/openssl/ecdsa-certs/hosts/moon/etc/strongswan.conf
index 8c610d28a..90e0cb9f8 100644
--- a/testing/tests/openssl/ecdsa-certs/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl/ecdsa-certs/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl openssl random x509 pubkey hmac stroke
+  load = curl openssl random x509 pubkey hmac stroke kernel-netlink
 }
diff --git a/testing/tests/openssl/ike-alg-ecp-high/description.txt b/testing/tests/openssl/ike-alg-ecp-high/description.txt
index 38606ca0b..b8efbe87e 100644
--- a/testing/tests/openssl/ike-alg-ecp-high/description.txt
+++ b/testing/tests/openssl/ike-alg-ecp-high/description.txt
@@ -7,7 +7,7 @@ the Elliptic Curve Diffie-Hellman groups only.
 The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
 to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
 <b>carol</b> proposes the DH groups ECP_256 and ECP_384 whereas <b>dave</b> proposes
-ECP_256 and ECP_521. Since <b>moon</b> does not support ECP_521 the roadwarriors
+ECP_256 and ECP_521. Since <b>moon</b> does not support ECP_256 the roadwarriors
 fall back to ECP_384 and ECP_521, respectively.
 <p>
 Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
diff --git a/testing/tests/openssl/ike-alg-ecp-high/hosts/carol/etc/strongswan.conf b/testing/tests/openssl/ike-alg-ecp-high/hosts/carol/etc/strongswan.conf
index 8c610d28a..90e0cb9f8 100644
--- a/testing/tests/openssl/ike-alg-ecp-high/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl/ike-alg-ecp-high/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl openssl random x509 pubkey hmac stroke
+  load = curl openssl random x509 pubkey hmac stroke kernel-netlink
 }
diff --git a/testing/tests/openssl/ike-alg-ecp-high/hosts/dave/etc/strongswan.conf b/testing/tests/openssl/ike-alg-ecp-high/hosts/dave/etc/strongswan.conf
index d9a94e19c..db26dfa69 100644
--- a/testing/tests/openssl/ike-alg-ecp-high/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl/ike-alg-ecp-high/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp openssl random x509 pubkey hmac stroke
+  load = curl aes des sha1 sha2 md5 gmp openssl random x509 pubkey hmac stroke kernel-netlink
 }
diff --git a/testing/tests/openssl/ike-alg-ecp-high/hosts/moon/etc/strongswan.conf b/testing/tests/openssl/ike-alg-ecp-high/hosts/moon/etc/strongswan.conf
index 8c610d28a..90e0cb9f8 100644
--- a/testing/tests/openssl/ike-alg-ecp-high/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl/ike-alg-ecp-high/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl openssl random x509 pubkey hmac stroke
+  load = curl openssl random x509 pubkey hmac stroke kernel-netlink
 }
diff --git a/testing/tests/openssl/ike-alg-ecp-low/hosts/carol/etc/strongswan.conf b/testing/tests/openssl/ike-alg-ecp-low/hosts/carol/etc/strongswan.conf
index 8c610d28a..90e0cb9f8 100644
--- a/testing/tests/openssl/ike-alg-ecp-low/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl/ike-alg-ecp-low/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl openssl random x509 pubkey hmac stroke
+  load = curl openssl random x509 pubkey hmac stroke kernel-netlink
 }
diff --git a/testing/tests/openssl/ike-alg-ecp-low/hosts/dave/etc/strongswan.conf b/testing/tests/openssl/ike-alg-ecp-low/hosts/dave/etc/strongswan.conf
index d9a94e19c..db26dfa69 100644
--- a/testing/tests/openssl/ike-alg-ecp-low/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl/ike-alg-ecp-low/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp openssl random x509 pubkey hmac stroke
+  load = curl aes des sha1 sha2 md5 gmp openssl random x509 pubkey hmac stroke kernel-netlink
 }
diff --git a/testing/tests/openssl/ike-alg-ecp-low/hosts/moon/etc/strongswan.conf b/testing/tests/openssl/ike-alg-ecp-low/hosts/moon/etc/strongswan.conf
index 8c610d28a..90e0cb9f8 100644
--- a/testing/tests/openssl/ike-alg-ecp-low/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl/ike-alg-ecp-low/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl openssl random x509 pubkey hmac stroke
+  load = curl openssl random x509 pubkey hmac stroke kernel-netlink
 }
diff --git a/testing/tests/openssl/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/openssl/rw-cert/hosts/carol/etc/strongswan.conf
index 8c610d28a..90e0cb9f8 100644
--- a/testing/tests/openssl/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl/rw-cert/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl openssl random x509 pubkey hmac stroke
+  load = curl openssl random x509 pubkey hmac stroke kernel-netlink
 }
diff --git a/testing/tests/openssl/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/openssl/rw-cert/hosts/dave/etc/strongswan.conf
index d67f07a1a..770b86d2a 100644
--- a/testing/tests/openssl/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl/rw-cert/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac stroke kernel-netlink
 }
diff --git a/testing/tests/openssl/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/openssl/rw-cert/hosts/moon/etc/strongswan.conf
index 8c610d28a..90e0cb9f8 100644
--- a/testing/tests/openssl/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl/rw-cert/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl openssl random x509 pubkey hmac stroke
+  load = curl openssl random x509 pubkey hmac stroke kernel-netlink
 }
diff --git a/testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/strongswan.conf b/testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/p2pnat/behind-same-nat/hosts/carol/etc/strongswan.conf b/testing/tests/p2pnat/behind-same-nat/hosts/carol/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/p2pnat/behind-same-nat/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/p2pnat/behind-same-nat/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/strongswan.conf b/testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/strongswan.conf
+++ b/testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/strongswan.conf b/testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/p2pnat/medsrv-psk/hosts/bob/etc/strongswan.conf b/testing/tests/p2pnat/medsrv-psk/hosts/bob/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/p2pnat/medsrv-psk/hosts/bob/etc/strongswan.conf
+++ b/testing/tests/p2pnat/medsrv-psk/hosts/bob/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/p2pnat/medsrv-psk/hosts/carol/etc/strongswan.conf b/testing/tests/p2pnat/medsrv-psk/hosts/carol/etc/strongswan.conf
index ca22de61f..ef63f7262 100644
--- a/testing/tests/p2pnat/medsrv-psk/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/p2pnat/medsrv-psk/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/sql/ip-pool-db-expired/evaltest.dat b/testing/tests/sql/ip-pool-db-expired/evaltest.dat
index 5d9d9441a..91dd9dff6 100644
--- a/testing/tests/sql/ip-pool-db-expired/evaltest.dat
+++ b/testing/tests/sql/ip-pool-db-expired/evaltest.dat
@@ -9,9 +9,9 @@ dave::ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
 dave::ipsec status::home.*INSTALLED::YES
 dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
 moon::cat /var/log/daemon.log::peer requested virtual IP %any::YES
-moon::cat /var/log/daemon.log::reassigning address from expired lease from pool.*bigpool::YES
+moon::cat /var/log/daemon.log::acquired new lease for address.*in pool.*bigpool::YES
 moon::cat /var/log/daemon.log::assigning virtual IP::YES
-moon::ipsec pool --status::bigpool.*10.3.0.1.*10.3.255.254.*1h.*2::YES
+moon::ipsec pool --status::bigpool.*10.3.0.1.*10.3.0.6.*1h.*2::YES
 moon::ipsec pool --leases --filter pool=bigpool,addr=10.3.0.1,id=carol@strongswan.org::online::YES
 moon::ipsec pool --leases --filter pool=bigpool,addr=10.3.0.2,id=dave@strongswan.org::online::YES
 moon::ipsec status::rw.*ESTABLISHED.*carol@strongswan.org::YES
diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/strongswan.conf
index 5a35561ba..f70c4cbcb 100644
--- a/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke sqlite sql
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink sqlite sql
 }
diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/strongswan.conf
index 5a35561ba..f70c4cbcb 100644
--- a/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke sqlite sql
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink sqlite sql
 }
diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/ipsec.d/data.sql
index 8671f3070..83c2353f6 100644
--- a/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/ipsec.d/data.sql
@@ -42,6 +42,12 @@ INSERT INTO identities (
   3, X'64617665407374726f6e677377616e2e6f7267'
  );
 
+INSERT INTO identities (
+  type, data
+) VALUES ( /* alice@strongswan.org */
+  3, X'616c696365407374726f6e677377616e2e6f7267'
+ );
+
 /* Certificates */
 
 INSERT INTO certificates (
@@ -153,19 +159,55 @@ INSERT INTO child_config_traffic_selector (
 /* Pools */
 
 INSERT INTO pools (
-  name, start, end, next, timeout
+  name, start, end, timeout
 ) VALUES (
-  'bigpool', X'0a030001', X'0a03fffe', X'0a030003', 3600 
+  'bigpool', X'0a030001', X'0a030006', 3600 
 );
 
-INSERT INTO leases (
+INSERT INTO addresses (
   pool, address, identity, acquired, released
 ) VALUES (
   1, X'0a030001', 7, 1211299013 , 1211299205
 );
 
-INSERT INTO leases (
+INSERT INTO addresses (
   pool, address, identity, acquired, released
 ) VALUES (
-  1, X'0a030002', 6, 1211299031, 1211299187
+  1, X'0a030002', 8, 1211299031, 1211299187
+);
+
+INSERT INTO addresses (
+  pool, address
+) VALUES (
+  1, X'0a030003'
+);
+
+INSERT INTO addresses (
+  pool, address
+) VALUES (
+  1, X'0a030004'
+);
+
+INSERT INTO addresses (
+  pool, address
+) VALUES (
+  1, X'0a030005'
+);
+
+INSERT INTO addresses (
+  pool, address
+) VALUES (
+  1, X'0a030006'
+);
+
+INSERT INTO leases (
+  address, identity, acquired, released
+) VALUES (
+  1, 7, 1211299013 , 1211299205
+);
+
+INSERT INTO leases (
+  address, identity, acquired, released
+) VALUES (
+  2, 8, 1211299031, 1211299187
 );
diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/strongswan.conf
index 5a35561ba..f70c4cbcb 100644
--- a/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke sqlite sql
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink sqlite sql
 }
diff --git a/testing/tests/sql/ip-pool-db-restart/evaltest.dat b/testing/tests/sql/ip-pool-db-restart/evaltest.dat
index 5db30da40..7a33cb6ba 100644
--- a/testing/tests/sql/ip-pool-db-restart/evaltest.dat
+++ b/testing/tests/sql/ip-pool-db-restart/evaltest.dat
@@ -9,9 +9,9 @@ dave::ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
 dave::ipsec status::home.*INSTALLED::YES
 dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
 moon::cat /var/log/daemon.log::peer requested virtual IP %any::YES
-moon::cat /var/log/daemon.log::reassigning address from valid lease from pool.*bigpool::YES
+moon::cat /var/log/daemon.log::acquired existing lease for address.*in pool.*bigpool::YES
 moon::cat /var/log/daemon.log::assigning virtual IP::YES
-moon::ipsec pool --status::bigpool.*10.3.0.1.*10.3.255.254.*static.*2::YES
+moon::ipsec pool --status::bigpool.*10.3.0.1.*10.3.0.6.*static.*2::YES
 moon::ipsec pool --leases --filter pool=bigpool,addr=10.3.0.1,id=carol@strongswan.org::online::YES
 moon::ipsec pool --leases --filter pool=bigpool,addr=10.3.0.2,id=dave@strongswan.org::online::YES
 moon::ipsec status::rw.*ESTABLISHED.*carol@strongswan.org::YES
diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/strongswan.conf
index 5a35561ba..f70c4cbcb 100644
--- a/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke sqlite sql
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink sqlite sql
 }
diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/strongswan.conf
index 5a35561ba..f70c4cbcb 100644
--- a/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke sqlite sql
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink sqlite sql
 }
diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/ipsec.d/data.sql
index d250628e7..a55e82501 100644
--- a/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/ipsec.d/data.sql
@@ -153,19 +153,55 @@ INSERT INTO child_config_traffic_selector (
 /* Pools */
 
 INSERT INTO pools (
-  name, start, end, next, timeout
+  name, start, end, timeout
 ) VALUES (
-  'bigpool', X'0a030001', X'0a03fffe', X'0a030003', 0 
+  'bigpool', X'0a030001', X'0a030006', 0 
 );
 
-INSERT INTO leases (
+INSERT INTO addresses (
   pool, address, identity, acquired, released
 ) VALUES (
   1, X'0a030001', 6, 1211299013 , 1211299205
 );
 
-INSERT INTO leases (
+INSERT INTO addresses (
   pool, address, identity, acquired, released
 ) VALUES (
   1, X'0a030002', 7, 1211299031, 1211299187
 );
+
+INSERT INTO addresses (
+  pool, address
+) VALUES (
+  1, X'0a030003'
+);
+
+INSERT INTO addresses (
+  pool, address
+) VALUES (
+  1, X'0a030004'
+);
+
+INSERT INTO addresses (
+  pool, address
+) VALUES (
+  1, X'0a030005'
+);
+
+INSERT INTO addresses (
+  pool, address
+) VALUES (
+  1, X'0a030006'
+);
+
+INSERT INTO leases (
+  address, identity, acquired, released
+) VALUES (
+  1, 6, 1211299013 , 1211299205
+);
+
+INSERT INTO leases (
+  address, identity, acquired, released
+) VALUES (
+  2, 7, 1211299031, 1211299187
+);
diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/strongswan.conf
index 5a35561ba..f70c4cbcb 100644
--- a/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke sqlite sql
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink sqlite sql
 }
diff --git a/testing/tests/sql/ip-pool-db/evaltest.dat b/testing/tests/sql/ip-pool-db/evaltest.dat
index 07d17b338..0aeeff9c8 100644
--- a/testing/tests/sql/ip-pool-db/evaltest.dat
+++ b/testing/tests/sql/ip-pool-db/evaltest.dat
@@ -9,9 +9,9 @@ dave::ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
 dave::ipsec status::home.*INSTALLED::YES
 dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
 moon::cat /var/log/daemon.log::peer requested virtual IP %any::YES
-moon::cat /var/log/daemon.log::assigning lease with new address from pool.*bigpool::YES
+moon::cat /var/log/daemon.log::acquired new lease for address.*in pool.*bigpool::YES
 moon::cat /var/log/daemon.log::assigning virtual IP::YES
-moon::ipsec pool --status::bigpool.*10.3.0.1.*10.3.255.254.*static.*2::YES
+moon::ipsec pool --status::bigpool.*10.3.0.1.*10.3.0.6.*static.*2::YES
 moon::ipsec pool --leases --filter pool=bigpool,addr=10.3.0.1,id=carol@strongswan.org::online::YES
 moon::ipsec pool --leases --filter pool=bigpool,addr=10.3.0.2,id=dave@strongswan.org::online::YES
 moon::ipsec status::rw.*ESTABLISHED.*carol@strongswan.org::YES
diff --git a/testing/tests/sql/ip-pool-db/hosts/carol/etc/strongswan.conf b/testing/tests/sql/ip-pool-db/hosts/carol/etc/strongswan.conf
index 5a35561ba..f70c4cbcb 100644
--- a/testing/tests/sql/ip-pool-db/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/ip-pool-db/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke sqlite sql
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink sqlite sql
 }
diff --git a/testing/tests/sql/ip-pool-db/hosts/dave/etc/strongswan.conf b/testing/tests/sql/ip-pool-db/hosts/dave/etc/strongswan.conf
index 5a35561ba..f70c4cbcb 100644
--- a/testing/tests/sql/ip-pool-db/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/ip-pool-db/hosts/dave/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke sqlite sql
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink sqlite sql
 }
diff --git a/testing/tests/sql/ip-pool-db/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/ip-pool-db/hosts/moon/etc/ipsec.d/data.sql
index b7585f56b..0d9399b5a 100644
--- a/testing/tests/sql/ip-pool-db/hosts/moon/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/ip-pool-db/hosts/moon/etc/ipsec.d/data.sql
@@ -141,7 +141,43 @@ INSERT INTO child_config_traffic_selector (
 /* Pools */
 
 INSERT INTO pools (
-  name, start, end, next, timeout
+  name, start, end, timeout
 ) VALUES (
-  'bigpool', X'0a030001', X'0a03fffe', X'0a030001', 0 
+  'bigpool', X'0a030001', X'0a030006', 0 
+);
+
+INSERT INTO addresses (
+  pool, address
+) VALUES (
+  1, X'0a030001'
+);
+
+INSERT INTO addresses (
+  pool, address
+) VALUES (
+  1, X'0a030002'
+);
+
+INSERT INTO addresses (
+  pool, address
+) VALUES (
+  1, X'0a030003'
+);
+
+INSERT INTO addresses (
+  pool, address
+) VALUES (
+  1, X'0a030004'
+);
+
+INSERT INTO addresses (
+  pool, address
+) VALUES (
+  1, X'0a030005'
+);
+
+INSERT INTO addresses (
+  pool, address
+) VALUES (
+  1, X'0a030006'
 );
diff --git a/testing/tests/sql/ip-pool-db/hosts/moon/etc/strongswan.conf b/testing/tests/sql/ip-pool-db/hosts/moon/etc/strongswan.conf
index 5a35561ba..f70c4cbcb 100644
--- a/testing/tests/sql/ip-pool-db/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/ip-pool-db/hosts/moon/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke sqlite sql
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink sqlite sql
 }
diff --git a/testing/tests/sql/net2net-cert/hosts/moon/etc/strongswan.conf b/testing/tests/sql/net2net-cert/hosts/moon/etc/strongswan.conf
index 5a35561ba..f70c4cbcb 100644
--- a/testing/tests/sql/net2net-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/net2net-cert/hosts/moon/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke sqlite sql
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink sqlite sql
 }
diff --git a/testing/tests/sql/net2net-cert/hosts/sun/etc/strongswan.conf b/testing/tests/sql/net2net-cert/hosts/sun/etc/strongswan.conf
index 5a35561ba..f70c4cbcb 100644
--- a/testing/tests/sql/net2net-cert/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/sql/net2net-cert/hosts/sun/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke sqlite sql
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink sqlite sql
 }
diff --git a/testing/tests/sql/net2net-psk/hosts/moon/etc/strongswan.conf b/testing/tests/sql/net2net-psk/hosts/moon/etc/strongswan.conf
index 1a4ac234e..84b63f185 100644
--- a/testing/tests/sql/net2net-psk/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/net2net-psk/hosts/moon/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke sqlite sql
+  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink sqlite sql
 }
diff --git a/testing/tests/sql/net2net-psk/hosts/sun/etc/strongswan.conf b/testing/tests/sql/net2net-psk/hosts/sun/etc/strongswan.conf
index 1a4ac234e..84b63f185 100644
--- a/testing/tests/sql/net2net-psk/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/sql/net2net-psk/hosts/sun/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke sqlite sql
+  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink sqlite sql
 }
diff --git a/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf
index 5a35561ba..f70c4cbcb 100644
--- a/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke sqlite sql
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink sqlite sql
 }
diff --git a/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf
index 5a35561ba..f70c4cbcb 100644
--- a/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke sqlite sql
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink sqlite sql
 }
diff --git a/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf
index 5a35561ba..f70c4cbcb 100644
--- a/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke sqlite sql
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink sqlite sql
 }
diff --git a/testing/tests/sql/rw-eap-aka-rsa/description.txt b/testing/tests/sql/rw-eap-aka-rsa/description.txt
new file mode 100644
index 000000000..b4f766d6f
--- /dev/null
+++ b/testing/tests/sql/rw-eap-aka-rsa/description.txt
@@ -0,0 +1,7 @@
+The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
+<b>carol</b> uses the <i>Extensible Authentication Protocol</i>
+in association with the <i>Authentication and Key Agreement</i> protocol
+(<b>EAP-AKA</b>) to authenticate against the gateway. This protocol is used
+in UMTS, but here a secret from <b>ipsec.secrets</b> is used instead of a USIM/(R)UIM.
+Gateway <b>moon</b> additionaly uses an <b>RSA signature</b> to authenticate itself
+against <b>carol</b>.
diff --git a/testing/tests/sql/rw-eap-aka-rsa/evaltest.dat b/testing/tests/sql/rw-eap-aka-rsa/evaltest.dat
new file mode 100644
index 000000000..5de841c03
--- /dev/null
+++ b/testing/tests/sql/rw-eap-aka-rsa/evaltest.dat
@@ -0,0 +1,10 @@
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon::ipsec statusall::rw-eapaka.*ESTABLISHED::YES
+carol::ipsec statusall::home.*ESTABLISHED::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+
+
diff --git a/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..3bc29625f
--- /dev/null
+++ b/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,8 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+        strictcrlpolicy=no
+        plutostart=no
+
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/ipsec.d/data.sql
new file mode 100644
index 000000000..f160fe1d7
--- /dev/null
+++ b/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/ipsec.d/data.sql
@@ -0,0 +1,128 @@
+/* Identities */
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */
+  9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+  202, X'ae096b87b44886d3b820978623dabd0eae22ebbc'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* carol@strongswan.org */
+  3, X'6361726f6c407374726f6e677377616e2e6f7267'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* moon.strongswan.org */
+  2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* carol@strongswan.org as an EAP identity */
+  205, X'6361726f6c407374726f6e677377616e2e6f7267'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* moon.strongswan.org as an EAP identity */
+  205, X'6d6f6f6e2e7374726f6e677377616e2e6f7267'
+ );
+
+/* Certificates */
+
+INSERT INTO certificates (
+   type, keytype, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */
+  1, 1, X'308203b53082029da003020102020100300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131303134355a170d3134303930383131303134355a3045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100bff25f62ea3d566e58b3c87a49caf3ac61cfa96377734d842db3f8fd6ea023f7b0132e66265012317386729c6d7c427a8d9f167be138e8ebae2b12b95933baef36a315c3ddf224cee4bb9bd578135d0467382629621ff96b8d45f6e002e5083662dce181805c140b3f2ce93f83aee3c861cff610a39f0189cb3a3c7cb9bf7e2a09544e2170efaa18fdd4ff20fa94be176d7fecff821f68d17152041d9b46f0cfcfc1e4cf43de5d3f3a587763afe9267f53b11699b3264fc55c5189f5682871166cb98307950569641fa30ffb50de134fed2f973cef1a392827862bc4ddaa97bbb01442e293c41070d07224d4be47ae2753eb2bed4bc1da91c68ec780c4620f0f0203010001a381af3081ac300f0603551d130101ff040530030101ff300b0603551d0f040403020106301d0603551d0e041604145da7dd700651327ee7b66db3b5e5e060ea2e4def306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100300d06092a864886f70d010104050003820101009ad74e3e60592dfb9b21c78628bd76b63090c1720c74bf94753cad6fddadc9c776eb39d3bfaa52136bf528840078386308fcf79503bd3d1ad6c15ac38e10c846bff7888a03cfe7fa0e644b522b2af5aedf0bbc508dc48330a180757772771095059b2be148f58dc0c753b59e9d6bfb02e9b685a928a284531b187313fd2b835bc9ea27d0020739a8d485e88bdede9a45cde6d28ed553b0e8e92dabf877bed59abf9d151f15e4f2d00b5e6e49fcb665293d2296697926c2954dae367542ef6e98053e76d2728732f6ce69f284f0b856aa6c2823a9ee29b280a66f50828f9b5cf27f84feca3c31c24897db156c7a833768ab306f51286457a51f09dd53bbb4190f'
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  1, 1
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  1, 2
+);
+
+/* Shared Secrets */
+
+INSERT INTO shared_secrets (
+  type, data
+) VALUES ( 
+  2, X'4172336574546e703031716c704f6762'
+);
+
+INSERT INTO shared_secret_identity (
+  shared_secret, identity
+) VALUES (
+  1, 5
+);
+
+INSERT INTO shared_secret_identity (
+  shared_secret, identity
+) VALUES (
+  1, 6
+);
+
+/* Configurations */
+
+INSERT INTO ike_configs (
+  local, remote
+) VALUES (
+  'PH_IP_CAROL', 'PH_IP_MOON'
+);
+
+INSERT INTO peer_configs (
+  name, ike_cfg, local_id, remote_id, auth_method
+) VALUES (
+  'home', 1, 3, 4, 3
+);
+
+INSERT INTO child_configs (
+  name, updown
+) VALUES (
+  'home', 'ipsec _updown iptables'
+);
+
+INSERT INTO peer_config_child_config (
+  peer_cfg, child_cfg
+) VALUES (
+  1, 1
+);
+
+INSERT INTO traffic_selectors (
+  type, start_addr, end_addr
+) VALUES ( /* 10.1.0.0/16 */
+  7, X'0a010000', X'0a01ffff'
+);
+
+INSERT INTO traffic_selectors (
+  type
+) VALUES ( /* dynamic/32 */
+  7
+);
+
+INSERT INTO child_config_traffic_selector (
+  child_cfg, traffic_selector, kind
+) VALUES (
+  1, 1, 1
+);
+
+INSERT INTO child_config_traffic_selector (
+	child_cfg, traffic_selector, kind
+) VALUES (
+  1, 2, 2
+);
+
diff --git a/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/ipsec.secrets b/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..76bb21bea
--- /dev/null
+++ b/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+# secrets are read from SQLite database
diff --git a/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..65075739c
--- /dev/null
+++ b/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,10 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  plugins {
+    sql {
+      database = sqlite:///etc/ipsec.d/ipsec.db 
+    }
+  }
+  load = curl aes des sha1 sha2 md5 fips-prf gmp random x509 pubkey hmac xcbc stroke kernel-netlink sqlite sql eapaka
+}
diff --git a/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..3bc29625f
--- /dev/null
+++ b/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,8 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+        strictcrlpolicy=no
+        plutostart=no
+
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/ipsec.d/data.sql
new file mode 100644
index 000000000..153c454a9
--- /dev/null
+++ b/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/ipsec.d/data.sql
@@ -0,0 +1,172 @@
+/* Identities */
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */
+  9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+  202, X'ae096b87b44886d3b820978623dabd0eae22ebbc'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* moon.strongswan.org */
+  2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */
+  202, X'd70dbd46d5133519064f12f100525ead0802ca95'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* %any */
+  0, X''
+);
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* moon.strongswan.org as an EAP identity */
+  205, X'6d6f6f6e2e7374726f6e677377616e2e6f7267'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* carol@strongswan.org as an EAP identity */
+  205, X'6361726f6c407374726f6e677377616e2e6f7267'
+ );
+
+/* Certificates */
+
+INSERT INTO certificates (
+   type, keytype, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */
+  1, 1, X'308203b53082029da003020102020100300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131303134355a170d3134303930383131303134355a3045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100bff25f62ea3d566e58b3c87a49caf3ac61cfa96377734d842db3f8fd6ea023f7b0132e66265012317386729c6d7c427a8d9f167be138e8ebae2b12b95933baef36a315c3ddf224cee4bb9bd578135d0467382629621ff96b8d45f6e002e5083662dce181805c140b3f2ce93f83aee3c861cff610a39f0189cb3a3c7cb9bf7e2a09544e2170efaa18fdd4ff20fa94be176d7fecff821f68d17152041d9b46f0cfcfc1e4cf43de5d3f3a587763afe9267f53b11699b3264fc55c5189f5682871166cb98307950569641fa30ffb50de134fed2f973cef1a392827862bc4ddaa97bbb01442e293c41070d07224d4be47ae2753eb2bed4bc1da91c68ec780c4620f0f0203010001a381af3081ac300f0603551d130101ff040530030101ff300b0603551d0f040403020106301d0603551d0e041604145da7dd700651327ee7b66db3b5e5e060ea2e4def306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100300d06092a864886f70d010104050003820101009ad74e3e60592dfb9b21c78628bd76b63090c1720c74bf94753cad6fddadc9c776eb39d3bfaa52136bf528840078386308fcf79503bd3d1ad6c15ac38e10c846bff7888a03cfe7fa0e644b522b2af5aedf0bbc508dc48330a180757772771095059b2be148f58dc0c753b59e9d6bfb02e9b685a928a284531b187313fd2b835bc9ea27d0020739a8d485e88bdede9a45cde6d28ed553b0e8e92dabf877bed59abf9d151f15e4f2d00b5e6e49fcb665293d2296697926c2954dae367542ef6e98053e76d2728732f6ce69f284f0b856aa6c2823a9ee29b280a66f50828f9b5cf27f84feca3c31c24897db156c7a833768ab306f51286457a51f09dd53bbb4190f'
+);
+
+INSERT INTO certificates (
+   type, keytype, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=moon.strongswan.org */
+  1, 1, X'3082040d308202f5a003020102020103300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131313732355a170d3039303930393131313732355a3046310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311c301a060355040313136d6f6f6e2e7374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100afae2e109ac0a71b437b6f1a9e5194d085c999fe2c8de11b261f016c88e734eb1a6767b15bc7d8338bf3acc14e8a18bf857fd3dfbce637e9b0d3654f15d9068bdf4450517cf72651be8d4c8ff738ea961b2f5584bf7089afaa0a37b94910d18083bf649a7d395a41f04e68f14494d10ffc7d984a2c81e97f3421c1ec38c629b2456a3d8f3bf3915e86317ea71bb24422bef475e677e8967670b4f6ee2a80a45adcbd086a6537ab5fc12bf69f9072b620020de1880cec6cdea47543d1fec4c5ff547ac2447a1e210d9c128dc3337726eb63d5c1c731aa2c63ce175dbc8ebfb9c1e5198815be473781c3f82c2b59d23deb9739dda53c98d31a3fba57760aeaa89b0203010001a38201053082010130090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e04160414e5e410876c2ac4bead854942a6de7658303a9fc1306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100301e0603551d110417301582136d6f6f6e2e7374726f6e677377616e2e6f726730390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f7374726f6e677377616e2e63726c300d06092a864886f70d010104050003820101002f2f2921667aa576bb0c71b601dfa5b358a93e84e8a1af9754ddfbfc67879cb6c6b7833c5749e7c30b11a87b3549e105dda5d371c459f7d40fabd60c4ac8623924be84c96cfa638eb6ce9f6513b9d61080b895d270c405eacc310c709a613b6f61029c94f535ac5836b890be402ad2c52f01f7fd4bff8c0cc0cbea9720ef21c0bb41fb0726852a3c38563d917fdcca186dede6fbc83febd9edf0541382464ee378f7b8c9684df0d2402b07eb11dd4a886ab5e7299d99ea2686994746c2d9c00d95b02b2950d67f7978c6db5b379c4a3170239c414cf743bab866005366809690073a150e73c6866b9b335616acdbd3a8e651596dedb686b5d8d3eeb12df9d729'
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  1, 1
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  1, 2
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  2, 3
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  2, 4
+);
+
+/* Private Keys */
+
+INSERT INTO private_keys (
+   type, data
+) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */
+  1, X'308204a30201000282010100afae2e109ac0a71b437b6f1a9e5194d085c999fe2c8de11b261f016c88e734eb1a6767b15bc7d8338bf3acc14e8a18bf857fd3dfbce637e9b0d3654f15d9068bdf4450517cf72651be8d4c8ff738ea961b2f5584bf7089afaa0a37b94910d18083bf649a7d395a41f04e68f14494d10ffc7d984a2c81e97f3421c1ec38c629b2456a3d8f3bf3915e86317ea71bb24422bef475e677e8967670b4f6ee2a80a45adcbd086a6537ab5fc12bf69f9072b620020de1880cec6cdea47543d1fec4c5ff547ac2447a1e210d9c128dc3337726eb63d5c1c731aa2c63ce175dbc8ebfb9c1e5198815be473781c3f82c2b59d23deb9739dda53c98d31a3fba57760aeaa89b0203010001028201004080550d67a42036945a377ab072078f5fef9b0885573a34fb941ab3bcb816e7d2f3f050600049d2f3296e5e32f5e50c3c79a852d74a377127a915e329845b30f3b26342e7fcde26d92d8bd4b7d23fdf08f02217f129e2838a8ce1d4b78ce33eaa2095515b74b93cc87c216fa3dc77bdc4d86017ababaf0d3318c9d86f27e29aa3301f6d7990f6f7f71db9de23ac66800ba0db4f42bbe82932ca56e08ba730c63febaf2779198cee387ee0934b32a2610ab990a4b908951bb1db2345cf1905f11aeaa6d1b368b7f82b1345ad14544e11d47d6981fc4be083326050cb950363dad1b28dbc16db42ec0fa973312c7306063bc9f308a6b0bcc965e5cb7e0b323ca102818100e71fffd9c9a528bdcb6e9ad1a5f4b354e3ea337392784aac790b4fba7f46b3b58d55965573f6493b686375cf6a0c68da9379434b055b625f01d64a9f1934cb075b25db5ef568325039674d577590b5ec54284842e04c27c97103a151805c9b620a3df84181e3a0c10752a7da6cac9629471a2bc85b32c3a160f3a8adf2d783d302818100c2968f5baf0d246bb9671b1dcfadab3a23cd6f9f1cba8c4b0d9b09d6c30a24eec174f22a4d9d2818d760b79a61c9cdd1381487723a99773a629b58171a6e28706bf083700f35037a0cb0649c9359987ccf77b44b4b3d94c614c74537c7025b503dc9967095411ecaec4b4427bc39dd5dfccbb8bab5d92e9465ab11e5e05d7319028181008b306e388e837461b89dc786f256c7991c18f31b6ade1eba77bb242cc071a7d0726954bbe9b62cac26559fa165d04b6536e3146f9dae4733c83b717d1705003051e81e90b56226cac18740c0a7009b4ed3efde74c7f7950e6f8d2c1d951c30477ebb8b428822b9b105e3f54a49a0365e6d7f895683f5b273019c3bbd663dfc190281807f5def6e12b1a682407405a2c8ba2356c5f2853a7fa2778bf4d6e364c87b4e5b5d138023427438b7b1da63b35088b808570dd0ee6afee2b4bbb074c382905235ebe11d176f4cc2fed3696e21b2ad358b947d04ed37cd9220e99ed966be0383e38cddf373b3ae514a7fca704d15fe46306bf4a8f0c570e7f5486ae6273269d89902818031055903f23c7db8da8951aad134c83a7ca951c48c9a7b994f36d9815bc82c80527b6da8e4beff9fee67b1fde5064719a40448bd6d70d9da8910122402835a328e74cfd34e8b568c29fae6ff831ef824fc825e609547a06052a4113ec09f00649bb7b7d195a773f11711c88f152b10a1b4ae58bb6d8bfc176e39f96c7c0de5c8'
+);
+
+INSERT INTO private_key_identity (
+  private_key, identity
+) VALUES (
+  1, 3
+);
+
+INSERT INTO private_key_identity (
+  private_key, identity
+) VALUES (
+  1, 4
+);
+
+/* Shared Secrets */
+
+INSERT INTO shared_secrets (
+  type, data
+) VALUES ( 
+  2, X'4172336574546e703031716c704f6762'
+);
+
+INSERT INTO shared_secret_identity (
+  shared_secret, identity
+) VALUES (
+  1, 6
+);
+
+INSERT INTO shared_secret_identity (
+  shared_secret, identity
+) VALUES (
+  1, 7
+);
+
+/* Configurations */
+
+INSERT INTO ike_configs (
+  local, remote, certreq
+) VALUES (
+  'PH_IP_MOON', '0.0.0.0', 0
+);
+
+INSERT INTO peer_configs (
+  name, ike_cfg, local_id, remote_id, eap_type
+) VALUES (
+  'rw-eapaka', 1, 3, 5, 23
+);
+
+INSERT INTO child_configs (
+  name, updown
+) VALUES (
+  'rw-eapaka', 'ipsec _updown iptables'
+);
+
+INSERT INTO peer_config_child_config (
+  peer_cfg, child_cfg
+) VALUES (
+  1, 1
+);
+
+INSERT INTO traffic_selectors (
+  type, start_addr, end_addr
+) VALUES ( /* 10.1.0.0/16 */
+  7, X'0a010000', X'0a01ffff'
+);
+
+INSERT INTO traffic_selectors (
+  type
+) VALUES ( /* dynamic/32 */
+  7
+);
+
+INSERT INTO child_config_traffic_selector (
+  child_cfg, traffic_selector, kind
+) VALUES (
+  1, 1, 0
+);
+
+INSERT INTO child_config_traffic_selector (
+	child_cfg, traffic_selector, kind
+) VALUES (
+  1, 2, 3
+);
+
diff --git a/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/ipsec.secrets b/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..76bb21bea
--- /dev/null
+++ b/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+# secrets are read from SQLite database
diff --git a/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..e07b6ebed
--- /dev/null
+++ b/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,10 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  plugins {
+    sql {
+      database = sqlite:///etc/ipsec.d/ipsec.db 
+    }
+  }
+  load = aes des sha1 sha2 md5 fips-prf gmp random x509 pubkey hmac xcbc stroke kernel-netlink sqlite sql eapaka
+}
diff --git a/testing/tests/sql/rw-eap-aka-rsa/posttest.dat b/testing/tests/sql/rw-eap-aka-rsa/posttest.dat
new file mode 100644
index 000000000..23eeb0d17
--- /dev/null
+++ b/testing/tests/sql/rw-eap-aka-rsa/posttest.dat
@@ -0,0 +1,7 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+moon::rm /etc/ipsec.d/ipsec.*
+carol::rm /etc/ipsec.d/ipsec.*
+~
diff --git a/testing/tests/sql/rw-eap-aka-rsa/pretest.dat b/testing/tests/sql/rw-eap-aka-rsa/pretest.dat
new file mode 100644
index 000000000..b78fd480f
--- /dev/null
+++ b/testing/tests/sql/rw-eap-aka-rsa/pretest.dat
@@ -0,0 +1,12 @@
+moon::rm /etc/ipsec.d/cacerts/*
+carol::rm /etc/ipsec.d/cacerts/*
+moon::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+carol::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+carol::sleep 1
+carol::ipsec up home
diff --git a/testing/tests/sql/rw-eap-aka-rsa/test.conf b/testing/tests/sql/rw-eap-aka-rsa/test.conf
new file mode 100644
index 000000000..9cd583b16
--- /dev/null
+++ b/testing/tests/sql/rw-eap-aka-rsa/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
index 1a4ac234e..84b63f185 100644
--- a/testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke sqlite sql
+  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink sqlite sql
 }
diff --git a/testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
index 1a4ac234e..84b63f185 100644
--- a/testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke sqlite sql
+  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink sqlite sql
 }
diff --git a/testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
index 1a4ac234e..84b63f185 100644
--- a/testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke sqlite sql
+  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink sqlite sql
 }
diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/strongswan.conf
index 1a4ac234e..84b63f185 100644
--- a/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke sqlite sql
+  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink sqlite sql
 }
diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/strongswan.conf
index 1a4ac234e..84b63f185 100644
--- a/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke sqlite sql
+  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink sqlite sql
 }
diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/strongswan.conf
index 1a4ac234e..84b63f185 100644
--- a/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke sqlite sql
+  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink sqlite sql
 }
diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf
index 5a35561ba..f70c4cbcb 100644
--- a/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke sqlite sql
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink sqlite sql
 }
diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf
index 5a35561ba..f70c4cbcb 100644
--- a/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke sqlite sql
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink sqlite sql
 }
diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf
index 5a35561ba..f70c4cbcb 100644
--- a/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke sqlite sql
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink sqlite sql
 }
diff --git a/testing/tests/sql/rw-rsa-keyid/description.txt b/testing/tests/sql/rw-rsa-keyid/description.txt
new file mode 100644
index 000000000..9d59ad664
--- /dev/null
+++ b/testing/tests/sql/rw-rsa-keyid/description.txt
@@ -0,0 +1,7 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
+to gateway <b>moon</b>. The authentication is based on <b>raw RSA public keys</b>
+and <b>ID_KEY_ID</b> identities.
+Upon the successful establishment of the IPsec tunnels, automatically inserted
+iptables-based firewall rules let pass the tunneled traffic.
+In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
+the client <b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/sql/rw-rsa-keyid/evaltest.dat b/testing/tests/sql/rw-rsa-keyid/evaltest.dat
new file mode 100644
index 000000000..ff52c91d9
--- /dev/null
+++ b/testing/tests/sql/rw-rsa-keyid/evaltest.dat
@@ -0,0 +1,11 @@
+moon::ipsec statusall::rw.*ESTABLISHED.*d7:0d:.*:ca:95.*98:5c:.*:d4:82::YES
+moon::ipsec statusall::rw.*ESTABLISHED.*d7:0d:.*:ca:95.*f6:51:.*:ea:25::YES
+carol::ipsec statusall::home.*ESTABLISHED.*98:5c:.*:d4:82.*d7:0d:.*:ca:95::YES
+dave::ipsec statusall::home.*ESTABLISHED.*f6:51:.*:ea:25.*d7:0d:.*:ca:95::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+
diff --git a/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/ipsec.conf b/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..3bc29625f
--- /dev/null
+++ b/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,8 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+        strictcrlpolicy=no
+        plutostart=no
+
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/ipsec.d/data.sql
new file mode 100644
index 000000000..bdb963542
--- /dev/null
+++ b/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/ipsec.d/data.sql
@@ -0,0 +1,134 @@
+/* Identities */
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* carol@strongswan.org */
+  3, X'6361726f6c407374726f6e677377616e2e6f7267'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* moon.strongswan.org */
+  2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* keyid of carol@strongswan.org */
+  11, X'985c23660cd9b9a7554da6a4aa31ea02230fd482'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* keyid of moon.strongswan.org */
+  11, X'd70dbd46d5133519064f12f100525ead0802ca95'
+ );
+
+/* Certificates */
+
+INSERT INTO certificates (
+   type, keytype, data
+) VALUES ( /* carol@strongswan.org */
+  6, 1, X'30820122300d06092a864886f70d01010105000382010f003082010a0282010100b81b84920408e086c8d278d3ad2e9ffc01b89e8c423b612b908010f8174ff96f6729e84b185fb96e60783082c507ace9d64f79beb0252e05e5f1f7a89a0b33e6789f5deb665084cb230191c165bcad1a34563e011b349bb6ab517f01ecf7e2f4de961d36203b85e97811cb26b650cfd014d15dd2d2b71efd656e5638a24bf70986b8128bbae5f3b428d6360e03d3f4e816502e3d1d14d7165ab1a92a9fe15ef045d4e48ff5bd798ec80c9420962c9a9798b54a0ed2a00cf2c9651d7d9882e181c1ef6b1c43edcada2fd191e109962dbd26f38a00208c1ac3ed27a5924c60330c79878eb5c7a90960a6472f979aca9c5aee2bb4d0aed395b546c5e361910a06370203010001'
+);
+
+INSERT INTO certificates (
+   type, keytype, data
+) VALUES ( /* moon.strongswan.org */
+  6, 1, X'30820122300d06092a864886f70d01010105000382010f003082010a0282010100afae2e109ac0a71b437b6f1a9e5194d085c999fe2c8de11b261f016c88e734eb1a6767b15bc7d8338bf3acc14e8a18bf857fd3dfbce637e9b0d3654f15d9068bdf4450517cf72651be8d4c8ff738ea961b2f5584bf7089afaa0a37b94910d18083bf649a7d395a41f04e68f14494d10ffc7d984a2c81e97f3421c1ec38c629b2456a3d8f3bf3915e86317ea71bb24422bef475e677e8967670b4f6ee2a80a45adcbd086a6537ab5fc12bf69f9072b620020de1880cec6cdea47543d1fec4c5ff547ac2447a1e210d9c128dc3337726eb63d5c1c731aa2c63ce175dbc8ebfb9c1e5198815be473781c3f82c2b59d23deb9739dda53c98d31a3fba57760aeaa89b0203010001'
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  1, 1
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  1, 3
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  2, 2
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  2, 4
+);
+
+/* Private Keys */
+
+INSERT INTO private_keys (
+   type, data
+) VALUES ( /* key of carol@strongswan.org' */
+  1, X'308204a30201000282010100b81b84920408e086c8d278d3ad2e9ffc01b89e8c423b612b908010f8174ff96f6729e84b185fb96e60783082c507ace9d64f79beb0252e05e5f1f7a89a0b33e6789f5deb665084cb230191c165bcad1a34563e011b349bb6ab517f01ecf7e2f4de961d36203b85e97811cb26b650cfd014d15dd2d2b71efd656e5638a24bf70986b8128bbae5f3b428d6360e03d3f4e816502e3d1d14d7165ab1a92a9fe15ef045d4e48ff5bd798ec80c9420962c9a9798b54a0ed2a00cf2c9651d7d9882e181c1ef6b1c43edcada2fd191e109962dbd26f38a00208c1ac3ed27a5924c60330c79878eb5c7a90960a6472f979aca9c5aee2bb4d0aed395b546c5e361910a063702030100010282010100a7870abc1f85c061858dd7baae24f61947abaa41f0e6bd85f9c83f28b175e980d0bc168f76cf6c199f18def3afbc4b40c0edb2d7accb3834cfc7bd57234d3c5de4b707ac737ea3478144255079761581f9cbdc41ff72809ad90ba069ad2ae7cf7057e29ee4f7a4e40c890c75de826c8768da16e9072af0bd1db6282902ade34cb1b9c3fdd00a8f0330328e18d477009ac5a43952fe05b7257b8b4e7f8f5288e858ef56ea3a031980d38b879e6327d949a8f3c19bf379c1297b3defc0a374a6ea6f1c0e8124247c33392ae446081f486f58bb41cbcba25915d37eefe0828408f7f679841588424ef59b6dee30805b926fa80e7ff57cb4817167ca72bf51c8cf9102818100da567b0cbbc426e4455ffdd1b8013644d9f47785b05b163a0155c81d57c0cd84fe73aa75125caf116de50b7adc369707ed91127db7d4422bb08cff5ddf91f4a0e5fb264e098fe6fe62f8a2ab933eeac41893f365d8165f79143855b5a5b7dc31c9b34a9d453ee7c8d7b24f89e3ed51bfeadc2e1102308a967b241dfb44c8ad6902818100d7dd78437c533a15fd1dd6b0634334e79c31d215017f5a8869e42cbada3fb09167585e087e72f91575441f7cca9a64246df57f0e45f1ae86a289a4307586aa1cc3cd069c65057cc3b0baac3634064e53179bde9af2531a5af2770a1d7ccbdc263f18299ad2ec0d224b718002633a546af74c7cac72ccdf253ab4370137bf829f02818063b2f5c15cc43716296fa9d167fa75b37eeb18e0dd24dac365f4abca6a55ca031ec5e6624b1e337afbf9890273282253267206458df9c8b5768b0bd8ebcc142e9c95d069f607d5ecf7789d9f473f85a841a8dd8df5dc518052715f01f14841ae22725271fa3abd5082de135fddca7277f660d05047f5ae73048bfb7ccf6deb7102818028b2b4ade48ebc70d0dc03521624e1a0992e3b71826ac462dbb40d4add430cc31d3ce7ddaa197b24b48b37748bae381b363006d8660f7edc1b60dff7d2f0a4b9efa0841290694c7088ad69327ef48167e1179e0c908b6278ab260e5e28dd36906f6cdacb39e10f48dbf8762dfd0f4e432c84db2c98285019f0cb7163656351f902818042a7d7d7f9416b3f3b50cf5815dfbc249cd3572e494c76d1ae99dc1e8bc63fbb32e5c18d5c4f90681e9046999cdcf0826f904350b9d67227f606382d9c7b3b1332d22744b2cefa691ab82dbec8e976a406b0902d0f4889392f80d39e2581ac42feed9085964650485e34811b04fa1f34c47cde5cbdd1d20f30111851a3c187ca'
+);
+
+INSERT INTO private_key_identity (
+  private_key, identity
+) VALUES (
+  1, 1
+);
+
+INSERT INTO private_key_identity (
+  private_key, identity
+) VALUES (
+  1, 3
+);
+
+/* Configurations */
+
+INSERT INTO ike_configs (
+  local, remote
+) VALUES (
+  'PH_IP_CAROL', 'PH_IP_MOON'
+);
+
+INSERT INTO peer_configs (
+  name, ike_cfg, local_id, remote_id
+) VALUES (
+  'home', 1, 3, 4
+);
+
+INSERT INTO child_configs (
+  name, updown
+) VALUES (
+  'home', 'ipsec _updown iptables'
+);
+
+INSERT INTO peer_config_child_config (
+  peer_cfg, child_cfg
+) VALUES (
+  1, 1
+);
+
+INSERT INTO traffic_selectors (
+  type, start_addr, end_addr
+) VALUES ( /* 10.1.0.0/16 */
+  7, X'0a010000', X'0a01ffff'
+);
+
+INSERT INTO traffic_selectors (
+  type
+) VALUES ( /* dynamic/32 */
+  7
+);
+
+INSERT INTO child_config_traffic_selector (
+  child_cfg, traffic_selector, kind
+) VALUES (
+  1, 1, 1
+);
+
+INSERT INTO child_config_traffic_selector (
+	child_cfg, traffic_selector, kind
+) VALUES (
+  1, 2, 2
+);
+
diff --git a/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/ipsec.secrets b/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..76bb21bea
--- /dev/null
+++ b/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+# secrets are read from SQLite database
diff --git a/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..f70c4cbcb
--- /dev/null
+++ b/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,10 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  plugins {
+    sql {
+      database = sqlite:///etc/ipsec.d/ipsec.db 
+    }
+  }
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink sqlite sql
+}
diff --git a/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/ipsec.conf b/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..3bc29625f
--- /dev/null
+++ b/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,8 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+        strictcrlpolicy=no
+        plutostart=no
+
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/ipsec.d/data.sql b/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/ipsec.d/data.sql
new file mode 100644
index 000000000..fc7af4dec
--- /dev/null
+++ b/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/ipsec.d/data.sql
@@ -0,0 +1,133 @@
+/* Identities */
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* dave@strongswan.org */
+  3, X'64617665407374726f6e677377616e2e6f7267'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* moon.strongswan.org */
+  2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* keyid of dave@strongswan.org */
+  11, X'f651b7ea33148cc5a76a622f1c1eb16c6bbdea25'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* keyid of moon.strongswan.org */
+  11, X'd70dbd46d5133519064f12f100525ead0802ca95'
+ );
+
+/* Certificates */
+
+INSERT INTO certificates (
+   type, keytype, data
+) VALUES ( /* dave@strongswan.org */
+  6, 1, X'30820122300d06092a864886f70d01010105000382010f003082010a0282010100c66c299463a8a78abef5ffa45679b7a070b5139834b146aa5138d0f1d8845412e112e4429ceeab23473e395e8aa38b2c024118d85b7ddf504118eabedf9c793bd02c949d6799cabeefe03ff62e304ddec98313afd966bcf13f1fb1a619548a060e17fbede205225b574e679adc9f11bdf9e36b48bea058d360d62b8445f9524db98757a4d59865363c675d28667a5dfa967dd03eea23a2dbea32ab0e9a1f8bb885f5e12723113843a12dd00552fcd4f548b31174aab2610e4a8752f6fca95494584db65cc7bd1ef50ee0d8c8211efb5063a995801cc0c1a903042b7ff7c94094a0de5d7390a8f72a01949cd958c6f2012692bd5dba6f30b09c3c0b69622864450203010001'
+);
+
+INSERT INTO certificates (
+   type, keytype, data
+) VALUES ( /* moon.strongswan.org */
+  6, 1, X'30820122300d06092a864886f70d01010105000382010f003082010a0282010100afae2e109ac0a71b437b6f1a9e5194d085c999fe2c8de11b261f016c88e734eb1a6767b15bc7d8338bf3acc14e8a18bf857fd3dfbce637e9b0d3654f15d9068bdf4450517cf72651be8d4c8ff738ea961b2f5584bf7089afaa0a37b94910d18083bf649a7d395a41f04e68f14494d10ffc7d984a2c81e97f3421c1ec38c629b2456a3d8f3bf3915e86317ea71bb24422bef475e677e8967670b4f6ee2a80a45adcbd086a6537ab5fc12bf69f9072b620020de1880cec6cdea47543d1fec4c5ff547ac2447a1e210d9c128dc3337726eb63d5c1c731aa2c63ce175dbc8ebfb9c1e5198815be473781c3f82c2b59d23deb9739dda53c98d31a3fba57760aeaa89b0203010001'
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  1, 1
+);
+$INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  1, 3
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  2, 2
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  2, 4
+);
+
+/* Private Keys */
+
+INSERT INTO private_keys (
+   type, data
+) VALUES ( /* key of dave@strongswan.org */
+  1, X'308204a40201000282010100c66c299463a8a78abef5ffa45679b7a070b5139834b146aa5138d0f1d8845412e112e4429ceeab23473e395e8aa38b2c024118d85b7ddf504118eabedf9c793bd02c949d6799cabeefe03ff62e304ddec98313afd966bcf13f1fb1a619548a060e17fbede205225b574e679adc9f11bdf9e36b48bea058d360d62b8445f9524db98757a4d59865363c675d28667a5dfa967dd03eea23a2dbea32ab0e9a1f8bb885f5e12723113843a12dd00552fcd4f548b31174aab2610e4a8752f6fca95494584db65cc7bd1ef50ee0d8c8211efb5063a995801cc0c1a903042b7ff7c94094a0de5d7390a8f72a01949cd958c6f2012692bd5dba6f30b09c3c0b696228644502030100010282010100903fb9caa2d8cd5454974a0e12bfd1fad5750e95ac58e462954194c4fcfed690130844e1186d7a04df9a20e2d62f26d20ba17f8a6a990b6bb0a788a0d2b7527b654fc38adaf2372eaffc7b036178c4639e63a84042f02993c8ac25ddf6b43ad34413b396b0a5c2e05c8c274db1ee025bf5fa9ad7fb9d5e75ed044606974835c7fbc39ae84b80acaae9e9624e6fe8ac0ca318ad8a7d1c6ed3a79261464e6ebdb9c02ef20cb1c206c58718d542ed9cb1428c5c3cebbd58dc25598bbdd9924c75fdfeac881949e5f10a7dd4dc25800bdb4bd479ca0bfb706f25847361b2d2565a412813273691b4a3a5a814dce52cdbe25d626e6c9e000ecd6a75cac275187e265102818100e596d3ee25cd98563b12bf718c0ce7e7a823ae8c84f1021552b6b0bf220b7e012861510ab49d612fe7ba05a202edf4927201af0f33f4137481811f884fc46723f94db8ed69b283376f3141ad7e6f0f52afee60e537111c5bd94642564981a822e54edb6797521fb5870c772993ff517ea9c24adcd9dc502f1364d26a3f05ec4f02818100dd3f81e8a4f463488db2b048f2ef208c1c98ee136636b6449cbd3424c93ab25916908823a1ef3a23b4798c77f92a3e29b9469f8014c6b862e23ab5fe6000f9552de01f72c0a1fcc731b0867a3bf1d27596fc9da6ecd74931ce120b1687d2a67b4e4fb32b7fb750b46645aa38ab011a4d5fedd53d20e5ae3a4a5551b6cc5f5d2b02818100ba744b9954ca2bb59c341596398f21a7593de13bed9b6d7db3b6fac3befa6652ba608e588b6664cf6afa00291b07f5601986948d5c3c14b0c19c03e7c82051433dec890b06941b4ca1d8f6e5d7908a7934b7fba92b9791d86614513b9266e20db4fcdde2bb59ceb6b5fec1a7dab1b7958e786424082a8c542f03ea7eaec038b1028180055e2312b7ddce02d69d3d35a7df3154f4e4a8f2038ad44539e0454197383b5779faabb2e19ce236378cb361bdc3ce9a488a74183168d8d45d54bb519e96a775ef94fe6e544a19cde360bb02802dcfc356946e66bc5c44c456918d7f507045e5bbf2a710291b13742cff07b03445e49377fe572c127e4009ddffcfe9b56fa2dd02818040d41f525d885c951dca35924f46e4e7f4e43f4ea2e670230deb674884f5b8599a368b1647dd87523c4fdb62661f6543edecc9ce48d4a7b8b2a29de21fd438a9cf4823b92c85180b390c4f8dfbc196628d349fed1edd32cba5c063e2739d2153d3677d4815e55b8b4e9d0989b32cf0060de2ded4cd59edf6a4364cb55aff9276'
+);
+
+INSERT INTO private_key_identity (
+  private_key, identity
+) VALUES (
+  1, 1
+);
+
+INSERT INTO private_key_identity (
+  private_key, identity
+) VALUES (
+  1, 3
+);
+
+/* Configurations */
+
+INSERT INTO ike_configs (
+  local, remote
+) VALUES (
+  'PH_IP_DAVE', 'PH_IP_MOON'
+);
+
+INSERT INTO peer_configs (
+  name, ike_cfg, local_id, remote_id
+) VALUES (
+  'home', 1, 3, 4
+);
+
+INSERT INTO child_configs (
+  name, updown
+) VALUES (
+  'home', 'ipsec _updown iptables'
+);
+
+INSERT INTO peer_config_child_config (
+  peer_cfg, child_cfg
+) VALUES (
+  1, 1
+);
+
+INSERT INTO traffic_selectors (
+  type, start_addr, end_addr
+) VALUES ( /* 10.1.0.0/16 */
+  7, X'0a010000', X'0a01ffff'
+);
+
+INSERT INTO traffic_selectors (
+  type
+) VALUES ( /* dynamic/32 */
+  7
+);
+
+INSERT INTO child_config_traffic_selector (
+  child_cfg, traffic_selector, kind
+) VALUES (
+  1, 1, 1
+);
+
+INSERT INTO child_config_traffic_selector (
+	child_cfg, traffic_selector, kind
+) VALUES (
+  1, 2, 2
+);
+
diff --git a/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/ipsec.secrets b/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..76bb21bea
--- /dev/null
+++ b/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+# secrets are read from SQLite database
diff --git a/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..f70c4cbcb
--- /dev/null
+++ b/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,10 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  plugins {
+    sql {
+      database = sqlite:///etc/ipsec.d/ipsec.db 
+    }
+  }
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink sqlite sql
+}
diff --git a/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/ipsec.conf b/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..3bc29625f
--- /dev/null
+++ b/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,8 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+        strictcrlpolicy=no
+        plutostart=no
+
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/ipsec.d/data.sql
new file mode 100644
index 000000000..bb82bdac2
--- /dev/null
+++ b/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/ipsec.d/data.sql
@@ -0,0 +1,170 @@
+/* Identities */
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* moon.strongswan.org */
+  2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* carol@strongswan.org */
+  3, X'6361726f6c407374726f6e677377616e2e6f7267'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* dave@strongswan.org */
+  3, X'64617665407374726f6e677377616e2e6f7267'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* %any */
+  0, '%any'
+);
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* keyid of moon.strongswan.org */
+  11, X'd70dbd46d5133519064f12f100525ead0802ca95'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* keyid of carol@strongswan.org */
+  11, X'985c23660cd9b9a7554da6a4aa31ea02230fd482'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* keyid of dave@strongswan.org */
+  11, X'f651b7ea33148cc5a76a622f1c1eb16c6bbdea25'
+ );
+
+/* Raw RSA public keys */
+
+INSERT INTO certificates (
+   type, keytype, data
+) VALUES ( /* moon.strongswan.org */
+  6, 1, X'30820122300d06092a864886f70d01010105000382010f003082010a0282010100afae2e109ac0a71b437b6f1a9e5194d085c999fe2c8de11b261f016c88e734eb1a6767b15bc7d8338bf3acc14e8a18bf857fd3dfbce637e9b0d3654f15d9068bdf4450517cf72651be8d4c8ff738ea961b2f5584bf7089afaa0a37b94910d18083bf649a7d395a41f04e68f14494d10ffc7d984a2c81e97f3421c1ec38c629b2456a3d8f3bf3915e86317ea71bb24422bef475e677e8967670b4f6ee2a80a45adcbd086a6537ab5fc12bf69f9072b620020de1880cec6cdea47543d1fec4c5ff547ac2447a1e210d9c128dc3337726eb63d5c1c731aa2c63ce175dbc8ebfb9c1e5198815be473781c3f82c2b59d23deb9739dda53c98d31a3fba57760aeaa89b0203010001'
+);
+
+INSERT INTO certificates (
+   type, keytype, data
+) VALUES ( /* carol@strongswan.org */
+  6, 1, X'30820122300d06092a864886f70d01010105000382010f003082010a0282010100b81b84920408e086c8d278d3ad2e9ffc01b89e8c423b612b908010f8174ff96f6729e84b185fb96e60783082c507ace9d64f79beb0252e05e5f1f7a89a0b33e6789f5deb665084cb230191c165bcad1a34563e011b349bb6ab517f01ecf7e2f4de961d36203b85e97811cb26b650cfd014d15dd2d2b71efd656e5638a24bf70986b8128bbae5f3b428d6360e03d3f4e816502e3d1d14d7165ab1a92a9fe15ef045d4e48ff5bd798ec80c9420962c9a9798b54a0ed2a00cf2c9651d7d9882e181c1ef6b1c43edcada2fd191e109962dbd26f38a00208c1ac3ed27a5924c60330c79878eb5c7a90960a6472f979aca9c5aee2bb4d0aed395b546c5e361910a06370203010001'
+);
+
+INSERT INTO certificates (
+   type, keytype, data
+) VALUES ( /* dave@strongswan.org */
+  6, 1, X'30820122300d06092a864886f70d01010105000382010f003082010a0282010100c66c299463a8a78abef5ffa45679b7a070b5139834b146aa5138d0f1d8845412e112e4429ceeab23473e395e8aa38b2c024118d85b7ddf504118eabedf9c793bd02c949d6799cabeefe03ff62e304ddec98313afd966bcf13f1fb1a619548a060e17fbede205225b574e679adc9f11bdf9e36b48bea058d360d62b8445f9524db98757a4d59865363c675d28667a5dfa967dd03eea23a2dbea32ab0e9a1f8bb885f5e12723113843a12dd00552fcd4f548b31174aab2610e4a8752f6fca95494584db65cc7bd1ef50ee0d8c8211efb5063a995801cc0c1a903042b7ff7c94094a0de5d7390a8f72a01949cd958c6f2012692bd5dba6f30b09c3c0b69622864450203010001'
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  1, 1
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  1, 5
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  2, 2
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  2, 6
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  3, 3
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  3, 7
+);
+
+/* Private Keys */
+
+INSERT INTO private_keys (
+   type, data
+) VALUES ( /* key of CN=moon.strongswan.org' */
+  1, X'308204a30201000282010100afae2e109ac0a71b437b6f1a9e5194d085c999fe2c8de11b261f016c88e734eb1a6767b15bc7d8338bf3acc14e8a18bf857fd3dfbce637e9b0d3654f15d9068bdf4450517cf72651be8d4c8ff738ea961b2f5584bf7089afaa0a37b94910d18083bf649a7d395a41f04e68f14494d10ffc7d984a2c81e97f3421c1ec38c629b2456a3d8f3bf3915e86317ea71bb24422bef475e677e8967670b4f6ee2a80a45adcbd086a6537ab5fc12bf69f9072b620020de1880cec6cdea47543d1fec4c5ff547ac2447a1e210d9c128dc3337726eb63d5c1c731aa2c63ce175dbc8ebfb9c1e5198815be473781c3f82c2b59d23deb9739dda53c98d31a3fba57760aeaa89b0203010001028201004080550d67a42036945a377ab072078f5fef9b0885573a34fb941ab3bcb816e7d2f3f050600049d2f3296e5e32f5e50c3c79a852d74a377127a915e329845b30f3b26342e7fcde26d92d8bd4b7d23fdf08f02217f129e2838a8ce1d4b78ce33eaa2095515b74b93cc87c216fa3dc77bdc4d86017ababaf0d3318c9d86f27e29aa3301f6d7990f6f7f71db9de23ac66800ba0db4f42bbe82932ca56e08ba730c63febaf2779198cee387ee0934b32a2610ab990a4b908951bb1db2345cf1905f11aeaa6d1b368b7f82b1345ad14544e11d47d6981fc4be083326050cb950363dad1b28dbc16db42ec0fa973312c7306063bc9f308a6b0bcc965e5cb7e0b323ca102818100e71fffd9c9a528bdcb6e9ad1a5f4b354e3ea337392784aac790b4fba7f46b3b58d55965573f6493b686375cf6a0c68da9379434b055b625f01d64a9f1934cb075b25db5ef568325039674d577590b5ec54284842e04c27c97103a151805c9b620a3df84181e3a0c10752a7da6cac9629471a2bc85b32c3a160f3a8adf2d783d302818100c2968f5baf0d246bb9671b1dcfadab3a23cd6f9f1cba8c4b0d9b09d6c30a24eec174f22a4d9d2818d760b79a61c9cdd1381487723a99773a629b58171a6e28706bf083700f35037a0cb0649c9359987ccf77b44b4b3d94c614c74537c7025b503dc9967095411ecaec4b4427bc39dd5dfccbb8bab5d92e9465ab11e5e05d7319028181008b306e388e837461b89dc786f256c7991c18f31b6ade1eba77bb242cc071a7d0726954bbe9b62cac26559fa165d04b6536e3146f9dae4733c83b717d1705003051e81e90b56226cac18740c0a7009b4ed3efde74c7f7950e6f8d2c1d951c30477ebb8b428822b9b105e3f54a49a0365e6d7f895683f5b273019c3bbd663dfc190281807f5def6e12b1a682407405a2c8ba2356c5f2853a7fa2778bf4d6e364c87b4e5b5d138023427438b7b1da63b35088b808570dd0ee6afee2b4bbb074c382905235ebe11d176f4cc2fed3696e21b2ad358b947d04ed37cd9220e99ed966be0383e38cddf373b3ae514a7fca704d15fe46306bf4a8f0c570e7f5486ae6273269d89902818031055903f23c7db8da8951aad134c83a7ca951c48c9a7b994f36d9815bc82c80527b6da8e4beff9fee67b1fde5064719a40448bd6d70d9da8910122402835a328e74cfd34e8b568c29fae6ff831ef824fc825e609547a06052a4113ec09f00649bb7b7d195a773f11711c88f152b10a1b4ae58bb6d8bfc176e39f96c7c0de5c8'
+);
+
+INSERT INTO private_key_identity (
+  private_key, identity
+) VALUES (
+  1, 1
+);
+
+INSERT INTO private_key_identity (
+  private_key, identity
+) VALUES (
+  1, 5
+);
+
+/* Configurations */
+
+INSERT INTO ike_configs (
+  local, remote
+) VALUES (
+  'PH_IP_MOON', '0.0.0.0'
+);
+
+INSERT INTO peer_configs (
+  name, ike_cfg, local_id, remote_id
+) VALUES (
+  'rw', 1, 5, 4
+);
+
+INSERT INTO child_configs (
+  name, updown
+) VALUES (
+  'rw', 'ipsec _updown iptables'
+);
+
+INSERT INTO peer_config_child_config (
+  peer_cfg, child_cfg
+) VALUES (
+  1, 1
+);
+
+INSERT INTO traffic_selectors (
+  type, start_addr, end_addr
+) VALUES ( /* 10.1.0.0/16 */
+  7, X'0a010000', X'0a01ffff'
+);
+
+INSERT INTO traffic_selectors (
+  type
+) VALUES ( /* dynamic/32 */
+  7
+);
+
+INSERT INTO child_config_traffic_selector (
+  child_cfg, traffic_selector, kind
+) VALUES (
+  1, 1, 0
+);
+
+INSERT INTO child_config_traffic_selector (
+	child_cfg, traffic_selector, kind
+) VALUES (
+  1, 2, 3
+);
+
diff --git a/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/ipsec.secrets b/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..76bb21bea
--- /dev/null
+++ b/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+# secrets are read from SQLite database
diff --git a/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..f70c4cbcb
--- /dev/null
+++ b/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,10 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  plugins {
+    sql {
+      database = sqlite:///etc/ipsec.d/ipsec.db 
+    }
+  }
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink sqlite sql
+}
diff --git a/testing/tests/sql/rw-rsa-keyid/posttest.dat b/testing/tests/sql/rw-rsa-keyid/posttest.dat
new file mode 100644
index 000000000..b10aeb3aa
--- /dev/null
+++ b/testing/tests/sql/rw-rsa-keyid/posttest.dat
@@ -0,0 +1,10 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
+moon::rm /etc/ipsec.d/ipsec.db
+carol::rm /etc/ipsec.d/ipsec.db
+dave::rm /etc/ipsec.d/ipsec.db
+~
diff --git a/testing/tests/sql/rw-rsa-keyid/pretest.dat b/testing/tests/sql/rw-rsa-keyid/pretest.dat
new file mode 100644
index 000000000..76316f33d
--- /dev/null
+++ b/testing/tests/sql/rw-rsa-keyid/pretest.dat
@@ -0,0 +1,18 @@
+moon::rm /etc/ipsec.d/cacerts/*
+carol::rm /etc/ipsec.d/cacerts/*
+dave::rm /etc/ipsec.d/cacerts/*
+moon::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+carol::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+dave::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/sql/rw-rsa-keyid/test.conf b/testing/tests/sql/rw-rsa-keyid/test.conf
new file mode 100644
index 000000000..70416826e
--- /dev/null
+++ b/testing/tests/sql/rw-rsa-keyid/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/sql/rw-rsa/description.txt b/testing/tests/sql/rw-rsa/description.txt
new file mode 100644
index 000000000..51f22ad49
--- /dev/null
+++ b/testing/tests/sql/rw-rsa/description.txt
@@ -0,0 +1,8 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
+to gateway <b>moon</b>. The authentication is based on <b>raw RSA public keys</b>
+with <b>ID_RFC822_ADDR</b> and <b>ID_FQDN</b> identities for the roadwarriors and
+gateway, respectively.
+Upon the successful establishment of the IPsec tunnels, automatically inserted
+iptables-based firewall rules let pass the tunneled traffic.
+In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
+the client <b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/sql/rw-rsa/evaltest.dat b/testing/tests/sql/rw-rsa/evaltest.dat
new file mode 100644
index 000000000..cc565fb98
--- /dev/null
+++ b/testing/tests/sql/rw-rsa/evaltest.dat
@@ -0,0 +1,11 @@
+moon::ipsec statusall::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon::ipsec statusall::rw.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec statusall::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave::ipsec statusall::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+
diff --git a/testing/tests/sql/rw-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/sql/rw-rsa/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..3bc29625f
--- /dev/null
+++ b/testing/tests/sql/rw-rsa/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,8 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+        strictcrlpolicy=no
+        plutostart=no
+
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/rw-rsa/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/rw-rsa/hosts/carol/etc/ipsec.d/data.sql
new file mode 100644
index 000000000..7c7e5e095
--- /dev/null
+++ b/testing/tests/sql/rw-rsa/hosts/carol/etc/ipsec.d/data.sql
@@ -0,0 +1,134 @@
+/* Identities */
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* carol@strongswan.org */
+  3, X'6361726f6c407374726f6e677377616e2e6f7267'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* moon.strongswan.org */
+  2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* keyid of carol@strongswan.org */
+  202, X'985c23660cd9b9a7554da6a4aa31ea02230fd482'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* keyid of moon.strongswan.org */
+  202, X'd70dbd46d5133519064f12f100525ead0802ca95'
+ );
+
+/* Certificates */
+
+INSERT INTO certificates (
+   type, keytype, data
+) VALUES ( /* carol@strongswan.org */
+  6, 1, X'30820122300d06092a864886f70d01010105000382010f003082010a0282010100b81b84920408e086c8d278d3ad2e9ffc01b89e8c423b612b908010f8174ff96f6729e84b185fb96e60783082c507ace9d64f79beb0252e05e5f1f7a89a0b33e6789f5deb665084cb230191c165bcad1a34563e011b349bb6ab517f01ecf7e2f4de961d36203b85e97811cb26b650cfd014d15dd2d2b71efd656e5638a24bf70986b8128bbae5f3b428d6360e03d3f4e816502e3d1d14d7165ab1a92a9fe15ef045d4e48ff5bd798ec80c9420962c9a9798b54a0ed2a00cf2c9651d7d9882e181c1ef6b1c43edcada2fd191e109962dbd26f38a00208c1ac3ed27a5924c60330c79878eb5c7a90960a6472f979aca9c5aee2bb4d0aed395b546c5e361910a06370203010001'
+);
+
+INSERT INTO certificates (
+   type, keytype, data
+) VALUES ( /* moon.strongswan.org */
+  6, 1, X'30820122300d06092a864886f70d01010105000382010f003082010a0282010100afae2e109ac0a71b437b6f1a9e5194d085c999fe2c8de11b261f016c88e734eb1a6767b15bc7d8338bf3acc14e8a18bf857fd3dfbce637e9b0d3654f15d9068bdf4450517cf72651be8d4c8ff738ea961b2f5584bf7089afaa0a37b94910d18083bf649a7d395a41f04e68f14494d10ffc7d984a2c81e97f3421c1ec38c629b2456a3d8f3bf3915e86317ea71bb24422bef475e677e8967670b4f6ee2a80a45adcbd086a6537ab5fc12bf69f9072b620020de1880cec6cdea47543d1fec4c5ff547ac2447a1e210d9c128dc3337726eb63d5c1c731aa2c63ce175dbc8ebfb9c1e5198815be473781c3f82c2b59d23deb9739dda53c98d31a3fba57760aeaa89b0203010001'
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  1, 1
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  1, 3
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  2, 2
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  2, 4
+);
+
+/* Private Keys */
+
+INSERT INTO private_keys (
+   type, data
+) VALUES ( /* key of carol@strongswan.org' */
+  1, X'308204a30201000282010100b81b84920408e086c8d278d3ad2e9ffc01b89e8c423b612b908010f8174ff96f6729e84b185fb96e60783082c507ace9d64f79beb0252e05e5f1f7a89a0b33e6789f5deb665084cb230191c165bcad1a34563e011b349bb6ab517f01ecf7e2f4de961d36203b85e97811cb26b650cfd014d15dd2d2b71efd656e5638a24bf70986b8128bbae5f3b428d6360e03d3f4e816502e3d1d14d7165ab1a92a9fe15ef045d4e48ff5bd798ec80c9420962c9a9798b54a0ed2a00cf2c9651d7d9882e181c1ef6b1c43edcada2fd191e109962dbd26f38a00208c1ac3ed27a5924c60330c79878eb5c7a90960a6472f979aca9c5aee2bb4d0aed395b546c5e361910a063702030100010282010100a7870abc1f85c061858dd7baae24f61947abaa41f0e6bd85f9c83f28b175e980d0bc168f76cf6c199f18def3afbc4b40c0edb2d7accb3834cfc7bd57234d3c5de4b707ac737ea3478144255079761581f9cbdc41ff72809ad90ba069ad2ae7cf7057e29ee4f7a4e40c890c75de826c8768da16e9072af0bd1db6282902ade34cb1b9c3fdd00a8f0330328e18d477009ac5a43952fe05b7257b8b4e7f8f5288e858ef56ea3a031980d38b879e6327d949a8f3c19bf379c1297b3defc0a374a6ea6f1c0e8124247c33392ae446081f486f58bb41cbcba25915d37eefe0828408f7f679841588424ef59b6dee30805b926fa80e7ff57cb4817167ca72bf51c8cf9102818100da567b0cbbc426e4455ffdd1b8013644d9f47785b05b163a0155c81d57c0cd84fe73aa75125caf116de50b7adc369707ed91127db7d4422bb08cff5ddf91f4a0e5fb264e098fe6fe62f8a2ab933eeac41893f365d8165f79143855b5a5b7dc31c9b34a9d453ee7c8d7b24f89e3ed51bfeadc2e1102308a967b241dfb44c8ad6902818100d7dd78437c533a15fd1dd6b0634334e79c31d215017f5a8869e42cbada3fb09167585e087e72f91575441f7cca9a64246df57f0e45f1ae86a289a4307586aa1cc3cd069c65057cc3b0baac3634064e53179bde9af2531a5af2770a1d7ccbdc263f18299ad2ec0d224b718002633a546af74c7cac72ccdf253ab4370137bf829f02818063b2f5c15cc43716296fa9d167fa75b37eeb18e0dd24dac365f4abca6a55ca031ec5e6624b1e337afbf9890273282253267206458df9c8b5768b0bd8ebcc142e9c95d069f607d5ecf7789d9f473f85a841a8dd8df5dc518052715f01f14841ae22725271fa3abd5082de135fddca7277f660d05047f5ae73048bfb7ccf6deb7102818028b2b4ade48ebc70d0dc03521624e1a0992e3b71826ac462dbb40d4add430cc31d3ce7ddaa197b24b48b37748bae381b363006d8660f7edc1b60dff7d2f0a4b9efa0841290694c7088ad69327ef48167e1179e0c908b6278ab260e5e28dd36906f6cdacb39e10f48dbf8762dfd0f4e432c84db2c98285019f0cb7163656351f902818042a7d7d7f9416b3f3b50cf5815dfbc249cd3572e494c76d1ae99dc1e8bc63fbb32e5c18d5c4f90681e9046999cdcf0826f904350b9d67227f606382d9c7b3b1332d22744b2cefa691ab82dbec8e976a406b0902d0f4889392f80d39e2581ac42feed9085964650485e34811b04fa1f34c47cde5cbdd1d20f30111851a3c187ca'
+);
+
+INSERT INTO private_key_identity (
+  private_key, identity
+) VALUES (
+  1, 1
+);
+
+INSERT INTO private_key_identity (
+  private_key, identity
+) VALUES (
+  1, 3
+);
+
+/* Configurations */
+
+INSERT INTO ike_configs (
+  local, remote
+) VALUES (
+  'PH_IP_CAROL', 'PH_IP_MOON'
+);
+
+INSERT INTO peer_configs (
+  name, ike_cfg, local_id, remote_id
+) VALUES (
+  'home', 1, 1, 2 
+);
+
+INSERT INTO child_configs (
+  name, updown
+) VALUES (
+  'home', 'ipsec _updown iptables'
+);
+
+INSERT INTO peer_config_child_config (
+  peer_cfg, child_cfg
+) VALUES (
+  1, 1
+);
+
+INSERT INTO traffic_selectors (
+  type, start_addr, end_addr
+) VALUES ( /* 10.1.0.0/16 */
+  7, X'0a010000', X'0a01ffff'
+);
+
+INSERT INTO traffic_selectors (
+  type
+) VALUES ( /* dynamic/32 */
+  7
+);
+
+INSERT INTO child_config_traffic_selector (
+  child_cfg, traffic_selector, kind
+) VALUES (
+  1, 1, 1
+);
+
+INSERT INTO child_config_traffic_selector (
+	child_cfg, traffic_selector, kind
+) VALUES (
+  1, 2, 2
+);
+
diff --git a/testing/tests/sql/rw-rsa/hosts/carol/etc/ipsec.secrets b/testing/tests/sql/rw-rsa/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..76bb21bea
--- /dev/null
+++ b/testing/tests/sql/rw-rsa/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+# secrets are read from SQLite database
diff --git a/testing/tests/sql/rw-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-rsa/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..f70c4cbcb
--- /dev/null
+++ b/testing/tests/sql/rw-rsa/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,10 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  plugins {
+    sql {
+      database = sqlite:///etc/ipsec.d/ipsec.db 
+    }
+  }
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink sqlite sql
+}
diff --git a/testing/tests/sql/rw-rsa/hosts/dave/etc/ipsec.conf b/testing/tests/sql/rw-rsa/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..3bc29625f
--- /dev/null
+++ b/testing/tests/sql/rw-rsa/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,8 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+        strictcrlpolicy=no
+        plutostart=no
+
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/rw-rsa/hosts/dave/etc/ipsec.d/data.sql b/testing/tests/sql/rw-rsa/hosts/dave/etc/ipsec.d/data.sql
new file mode 100644
index 000000000..9e7d6d5a3
--- /dev/null
+++ b/testing/tests/sql/rw-rsa/hosts/dave/etc/ipsec.d/data.sql
@@ -0,0 +1,133 @@
+/* Identities */
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* dave@strongswan.org */
+  3, X'64617665407374726f6e677377616e2e6f7267'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* moon.strongswan.org */
+  2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* keyid of dave@strongswan.org */
+  202, X'f651b7ea33148cc5a76a622f1c1eb16c6bbdea25'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* keyid of moon.strongswan.org */
+  202, X'd70dbd46d5133519064f12f100525ead0802ca95'
+ );
+
+/* Certificates */
+
+INSERT INTO certificates (
+   type, keytype, data
+) VALUES ( /* dave@strongswan.org */
+  6, 1, X'30820122300d06092a864886f70d01010105000382010f003082010a0282010100c66c299463a8a78abef5ffa45679b7a070b5139834b146aa5138d0f1d8845412e112e4429ceeab23473e395e8aa38b2c024118d85b7ddf504118eabedf9c793bd02c949d6799cabeefe03ff62e304ddec98313afd966bcf13f1fb1a619548a060e17fbede205225b574e679adc9f11bdf9e36b48bea058d360d62b8445f9524db98757a4d59865363c675d28667a5dfa967dd03eea23a2dbea32ab0e9a1f8bb885f5e12723113843a12dd00552fcd4f548b31174aab2610e4a8752f6fca95494584db65cc7bd1ef50ee0d8c8211efb5063a995801cc0c1a903042b7ff7c94094a0de5d7390a8f72a01949cd958c6f2012692bd5dba6f30b09c3c0b69622864450203010001'
+);
+
+INSERT INTO certificates (
+   type, keytype, data
+) VALUES ( /* moon.strongswan.org */
+  6, 1, X'30820122300d06092a864886f70d01010105000382010f003082010a0282010100afae2e109ac0a71b437b6f1a9e5194d085c999fe2c8de11b261f016c88e734eb1a6767b15bc7d8338bf3acc14e8a18bf857fd3dfbce637e9b0d3654f15d9068bdf4450517cf72651be8d4c8ff738ea961b2f5584bf7089afaa0a37b94910d18083bf649a7d395a41f04e68f14494d10ffc7d984a2c81e97f3421c1ec38c629b2456a3d8f3bf3915e86317ea71bb24422bef475e677e8967670b4f6ee2a80a45adcbd086a6537ab5fc12bf69f9072b620020de1880cec6cdea47543d1fec4c5ff547ac2447a1e210d9c128dc3337726eb63d5c1c731aa2c63ce175dbc8ebfb9c1e5198815be473781c3f82c2b59d23deb9739dda53c98d31a3fba57760aeaa89b0203010001'
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  1, 1
+);
+$INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  1, 3
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  2, 2
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  2, 4
+);
+
+/* Private Keys */
+
+INSERT INTO private_keys (
+   type, data
+) VALUES ( /* key of dave@strongswan.org */
+  1, X'308204a40201000282010100c66c299463a8a78abef5ffa45679b7a070b5139834b146aa5138d0f1d8845412e112e4429ceeab23473e395e8aa38b2c024118d85b7ddf504118eabedf9c793bd02c949d6799cabeefe03ff62e304ddec98313afd966bcf13f1fb1a619548a060e17fbede205225b574e679adc9f11bdf9e36b48bea058d360d62b8445f9524db98757a4d59865363c675d28667a5dfa967dd03eea23a2dbea32ab0e9a1f8bb885f5e12723113843a12dd00552fcd4f548b31174aab2610e4a8752f6fca95494584db65cc7bd1ef50ee0d8c8211efb5063a995801cc0c1a903042b7ff7c94094a0de5d7390a8f72a01949cd958c6f2012692bd5dba6f30b09c3c0b696228644502030100010282010100903fb9caa2d8cd5454974a0e12bfd1fad5750e95ac58e462954194c4fcfed690130844e1186d7a04df9a20e2d62f26d20ba17f8a6a990b6bb0a788a0d2b7527b654fc38adaf2372eaffc7b036178c4639e63a84042f02993c8ac25ddf6b43ad34413b396b0a5c2e05c8c274db1ee025bf5fa9ad7fb9d5e75ed044606974835c7fbc39ae84b80acaae9e9624e6fe8ac0ca318ad8a7d1c6ed3a79261464e6ebdb9c02ef20cb1c206c58718d542ed9cb1428c5c3cebbd58dc25598bbdd9924c75fdfeac881949e5f10a7dd4dc25800bdb4bd479ca0bfb706f25847361b2d2565a412813273691b4a3a5a814dce52cdbe25d626e6c9e000ecd6a75cac275187e265102818100e596d3ee25cd98563b12bf718c0ce7e7a823ae8c84f1021552b6b0bf220b7e012861510ab49d612fe7ba05a202edf4927201af0f33f4137481811f884fc46723f94db8ed69b283376f3141ad7e6f0f52afee60e537111c5bd94642564981a822e54edb6797521fb5870c772993ff517ea9c24adcd9dc502f1364d26a3f05ec4f02818100dd3f81e8a4f463488db2b048f2ef208c1c98ee136636b6449cbd3424c93ab25916908823a1ef3a23b4798c77f92a3e29b9469f8014c6b862e23ab5fe6000f9552de01f72c0a1fcc731b0867a3bf1d27596fc9da6ecd74931ce120b1687d2a67b4e4fb32b7fb750b46645aa38ab011a4d5fedd53d20e5ae3a4a5551b6cc5f5d2b02818100ba744b9954ca2bb59c341596398f21a7593de13bed9b6d7db3b6fac3befa6652ba608e588b6664cf6afa00291b07f5601986948d5c3c14b0c19c03e7c82051433dec890b06941b4ca1d8f6e5d7908a7934b7fba92b9791d86614513b9266e20db4fcdde2bb59ceb6b5fec1a7dab1b7958e786424082a8c542f03ea7eaec038b1028180055e2312b7ddce02d69d3d35a7df3154f4e4a8f2038ad44539e0454197383b5779faabb2e19ce236378cb361bdc3ce9a488a74183168d8d45d54bb519e96a775ef94fe6e544a19cde360bb02802dcfc356946e66bc5c44c456918d7f507045e5bbf2a710291b13742cff07b03445e49377fe572c127e4009ddffcfe9b56fa2dd02818040d41f525d885c951dca35924f46e4e7f4e43f4ea2e670230deb674884f5b8599a368b1647dd87523c4fdb62661f6543edecc9ce48d4a7b8b2a29de21fd438a9cf4823b92c85180b390c4f8dfbc196628d349fed1edd32cba5c063e2739d2153d3677d4815e55b8b4e9d0989b32cf0060de2ded4cd59edf6a4364cb55aff9276'
+);
+
+INSERT INTO private_key_identity (
+  private_key, identity
+) VALUES (
+  1, 1
+);
+
+INSERT INTO private_key_identity (
+  private_key, identity
+) VALUES (
+  1, 3
+);
+
+/* Configurations */
+
+INSERT INTO ike_configs (
+  local, remote
+) VALUES (
+  'PH_IP_DAVE', 'PH_IP_MOON'
+);
+
+INSERT INTO peer_configs (
+  name, ike_cfg, local_id, remote_id
+) VALUES (
+  'home', 1, 1, 2 
+);
+
+INSERT INTO child_configs (
+  name, updown
+) VALUES (
+  'home', 'ipsec _updown iptables'
+);
+
+INSERT INTO peer_config_child_config (
+  peer_cfg, child_cfg
+) VALUES (
+  1, 1
+);
+
+INSERT INTO traffic_selectors (
+  type, start_addr, end_addr
+) VALUES ( /* 10.1.0.0/16 */
+  7, X'0a010000', X'0a01ffff'
+);
+
+INSERT INTO traffic_selectors (
+  type
+) VALUES ( /* dynamic/32 */
+  7
+);
+
+INSERT INTO child_config_traffic_selector (
+  child_cfg, traffic_selector, kind
+) VALUES (
+  1, 1, 1
+);
+
+INSERT INTO child_config_traffic_selector (
+	child_cfg, traffic_selector, kind
+) VALUES (
+  1, 2, 2
+);
+
diff --git a/testing/tests/sql/rw-rsa/hosts/dave/etc/ipsec.secrets b/testing/tests/sql/rw-rsa/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..76bb21bea
--- /dev/null
+++ b/testing/tests/sql/rw-rsa/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+# secrets are read from SQLite database
diff --git a/testing/tests/sql/rw-rsa/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-rsa/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..f70c4cbcb
--- /dev/null
+++ b/testing/tests/sql/rw-rsa/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,10 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  plugins {
+    sql {
+      database = sqlite:///etc/ipsec.d/ipsec.db 
+    }
+  }
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink sqlite sql
+}
diff --git a/testing/tests/sql/rw-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/sql/rw-rsa/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..3bc29625f
--- /dev/null
+++ b/testing/tests/sql/rw-rsa/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,8 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+        strictcrlpolicy=no
+        plutostart=no
+
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/rw-rsa/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/rw-rsa/hosts/moon/etc/ipsec.d/data.sql
new file mode 100644
index 000000000..95dbc6e3d
--- /dev/null
+++ b/testing/tests/sql/rw-rsa/hosts/moon/etc/ipsec.d/data.sql
@@ -0,0 +1,170 @@
+/* Identities */
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* moon.strongswan.org */
+  2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* carol@strongswan.org */
+  3, X'6361726f6c407374726f6e677377616e2e6f7267'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* dave@strongswan.org */
+  3, X'64617665407374726f6e677377616e2e6f7267'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* %any */
+  0, '%any'
+);
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* keyid of moon.strongswan.org */
+  202, X'd70dbd46d5133519064f12f100525ead0802ca95'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* keyid of carol@strongswan.org */
+  202, X'985c23660cd9b9a7554da6a4aa31ea02230fd482'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* keyid of dave@strongswan.org */
+  202, X'f651b7ea33148cc5a76a622f1c1eb16c6bbdea25'
+ );
+
+/* Raw RSA public keys */
+
+INSERT INTO certificates (
+   type, keytype, data
+) VALUES ( /* moon.strongswan.org */
+  6, 1, X'30820122300d06092a864886f70d01010105000382010f003082010a0282010100afae2e109ac0a71b437b6f1a9e5194d085c999fe2c8de11b261f016c88e734eb1a6767b15bc7d8338bf3acc14e8a18bf857fd3dfbce637e9b0d3654f15d9068bdf4450517cf72651be8d4c8ff738ea961b2f5584bf7089afaa0a37b94910d18083bf649a7d395a41f04e68f14494d10ffc7d984a2c81e97f3421c1ec38c629b2456a3d8f3bf3915e86317ea71bb24422bef475e677e8967670b4f6ee2a80a45adcbd086a6537ab5fc12bf69f9072b620020de1880cec6cdea47543d1fec4c5ff547ac2447a1e210d9c128dc3337726eb63d5c1c731aa2c63ce175dbc8ebfb9c1e5198815be473781c3f82c2b59d23deb9739dda53c98d31a3fba57760aeaa89b0203010001'
+);
+
+INSERT INTO certificates (
+   type, keytype, data
+) VALUES ( /* carol@strongswan.org */
+  6, 1, X'30820122300d06092a864886f70d01010105000382010f003082010a0282010100b81b84920408e086c8d278d3ad2e9ffc01b89e8c423b612b908010f8174ff96f6729e84b185fb96e60783082c507ace9d64f79beb0252e05e5f1f7a89a0b33e6789f5deb665084cb230191c165bcad1a34563e011b349bb6ab517f01ecf7e2f4de961d36203b85e97811cb26b650cfd014d15dd2d2b71efd656e5638a24bf70986b8128bbae5f3b428d6360e03d3f4e816502e3d1d14d7165ab1a92a9fe15ef045d4e48ff5bd798ec80c9420962c9a9798b54a0ed2a00cf2c9651d7d9882e181c1ef6b1c43edcada2fd191e109962dbd26f38a00208c1ac3ed27a5924c60330c79878eb5c7a90960a6472f979aca9c5aee2bb4d0aed395b546c5e361910a06370203010001'
+);
+
+INSERT INTO certificates (
+   type, keytype, data
+) VALUES ( /* dave@strongswan.org */
+  6, 1, X'30820122300d06092a864886f70d01010105000382010f003082010a0282010100c66c299463a8a78abef5ffa45679b7a070b5139834b146aa5138d0f1d8845412e112e4429ceeab23473e395e8aa38b2c024118d85b7ddf504118eabedf9c793bd02c949d6799cabeefe03ff62e304ddec98313afd966bcf13f1fb1a619548a060e17fbede205225b574e679adc9f11bdf9e36b48bea058d360d62b8445f9524db98757a4d59865363c675d28667a5dfa967dd03eea23a2dbea32ab0e9a1f8bb885f5e12723113843a12dd00552fcd4f548b31174aab2610e4a8752f6fca95494584db65cc7bd1ef50ee0d8c8211efb5063a995801cc0c1a903042b7ff7c94094a0de5d7390a8f72a01949cd958c6f2012692bd5dba6f30b09c3c0b69622864450203010001'
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  1, 1
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  1, 5
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  2, 2
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  2, 6
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  3, 3
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  3, 7
+);
+
+/* Private Keys */
+
+INSERT INTO private_keys (
+   type, data
+) VALUES ( /* key of CN=moon.strongswan.org' */
+  1, X'308204a30201000282010100afae2e109ac0a71b437b6f1a9e5194d085c999fe2c8de11b261f016c88e734eb1a6767b15bc7d8338bf3acc14e8a18bf857fd3dfbce637e9b0d3654f15d9068bdf4450517cf72651be8d4c8ff738ea961b2f5584bf7089afaa0a37b94910d18083bf649a7d395a41f04e68f14494d10ffc7d984a2c81e97f3421c1ec38c629b2456a3d8f3bf3915e86317ea71bb24422bef475e677e8967670b4f6ee2a80a45adcbd086a6537ab5fc12bf69f9072b620020de1880cec6cdea47543d1fec4c5ff547ac2447a1e210d9c128dc3337726eb63d5c1c731aa2c63ce175dbc8ebfb9c1e5198815be473781c3f82c2b59d23deb9739dda53c98d31a3fba57760aeaa89b0203010001028201004080550d67a42036945a377ab072078f5fef9b0885573a34fb941ab3bcb816e7d2f3f050600049d2f3296e5e32f5e50c3c79a852d74a377127a915e329845b30f3b26342e7fcde26d92d8bd4b7d23fdf08f02217f129e2838a8ce1d4b78ce33eaa2095515b74b93cc87c216fa3dc77bdc4d86017ababaf0d3318c9d86f27e29aa3301f6d7990f6f7f71db9de23ac66800ba0db4f42bbe82932ca56e08ba730c63febaf2779198cee387ee0934b32a2610ab990a4b908951bb1db2345cf1905f11aeaa6d1b368b7f82b1345ad14544e11d47d6981fc4be083326050cb950363dad1b28dbc16db42ec0fa973312c7306063bc9f308a6b0bcc965e5cb7e0b323ca102818100e71fffd9c9a528bdcb6e9ad1a5f4b354e3ea337392784aac790b4fba7f46b3b58d55965573f6493b686375cf6a0c68da9379434b055b625f01d64a9f1934cb075b25db5ef568325039674d577590b5ec54284842e04c27c97103a151805c9b620a3df84181e3a0c10752a7da6cac9629471a2bc85b32c3a160f3a8adf2d783d302818100c2968f5baf0d246bb9671b1dcfadab3a23cd6f9f1cba8c4b0d9b09d6c30a24eec174f22a4d9d2818d760b79a61c9cdd1381487723a99773a629b58171a6e28706bf083700f35037a0cb0649c9359987ccf77b44b4b3d94c614c74537c7025b503dc9967095411ecaec4b4427bc39dd5dfccbb8bab5d92e9465ab11e5e05d7319028181008b306e388e837461b89dc786f256c7991c18f31b6ade1eba77bb242cc071a7d0726954bbe9b62cac26559fa165d04b6536e3146f9dae4733c83b717d1705003051e81e90b56226cac18740c0a7009b4ed3efde74c7f7950e6f8d2c1d951c30477ebb8b428822b9b105e3f54a49a0365e6d7f895683f5b273019c3bbd663dfc190281807f5def6e12b1a682407405a2c8ba2356c5f2853a7fa2778bf4d6e364c87b4e5b5d138023427438b7b1da63b35088b808570dd0ee6afee2b4bbb074c382905235ebe11d176f4cc2fed3696e21b2ad358b947d04ed37cd9220e99ed966be0383e38cddf373b3ae514a7fca704d15fe46306bf4a8f0c570e7f5486ae6273269d89902818031055903f23c7db8da8951aad134c83a7ca951c48c9a7b994f36d9815bc82c80527b6da8e4beff9fee67b1fde5064719a40448bd6d70d9da8910122402835a328e74cfd34e8b568c29fae6ff831ef824fc825e609547a06052a4113ec09f00649bb7b7d195a773f11711c88f152b10a1b4ae58bb6d8bfc176e39f96c7c0de5c8'
+);
+
+INSERT INTO private_key_identity (
+  private_key, identity
+) VALUES (
+  1, 1
+);
+
+INSERT INTO private_key_identity (
+  private_key, identity
+) VALUES (
+  1, 5
+);
+
+/* Configurations */
+
+INSERT INTO ike_configs (
+  local, remote
+) VALUES (
+  'PH_IP_MOON', '0.0.0.0'
+);
+
+INSERT INTO peer_configs (
+  name, ike_cfg, local_id, remote_id
+) VALUES (
+  'rw', 1, 1, 4
+);
+
+INSERT INTO child_configs (
+  name, updown
+) VALUES (
+  'rw', 'ipsec _updown iptables'
+);
+
+INSERT INTO peer_config_child_config (
+  peer_cfg, child_cfg
+) VALUES (
+  1, 1
+);
+
+INSERT INTO traffic_selectors (
+  type, start_addr, end_addr
+) VALUES ( /* 10.1.0.0/16 */
+  7, X'0a010000', X'0a01ffff'
+);
+
+INSERT INTO traffic_selectors (
+  type
+) VALUES ( /* dynamic/32 */
+  7
+);
+
+INSERT INTO child_config_traffic_selector (
+  child_cfg, traffic_selector, kind
+) VALUES (
+  1, 1, 0
+);
+
+INSERT INTO child_config_traffic_selector (
+	child_cfg, traffic_selector, kind
+) VALUES (
+  1, 2, 3
+);
+
diff --git a/testing/tests/sql/rw-rsa/hosts/moon/etc/ipsec.secrets b/testing/tests/sql/rw-rsa/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..76bb21bea
--- /dev/null
+++ b/testing/tests/sql/rw-rsa/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+# secrets are read from SQLite database
diff --git a/testing/tests/sql/rw-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-rsa/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..f70c4cbcb
--- /dev/null
+++ b/testing/tests/sql/rw-rsa/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,10 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  plugins {
+    sql {
+      database = sqlite:///etc/ipsec.d/ipsec.db 
+    }
+  }
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink sqlite sql
+}
diff --git a/testing/tests/sql/rw-rsa/posttest.dat b/testing/tests/sql/rw-rsa/posttest.dat
new file mode 100644
index 000000000..b10aeb3aa
--- /dev/null
+++ b/testing/tests/sql/rw-rsa/posttest.dat
@@ -0,0 +1,10 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
+moon::rm /etc/ipsec.d/ipsec.db
+carol::rm /etc/ipsec.d/ipsec.db
+dave::rm /etc/ipsec.d/ipsec.db
+~
diff --git a/testing/tests/sql/rw-rsa/pretest.dat b/testing/tests/sql/rw-rsa/pretest.dat
new file mode 100644
index 000000000..76316f33d
--- /dev/null
+++ b/testing/tests/sql/rw-rsa/pretest.dat
@@ -0,0 +1,18 @@
+moon::rm /etc/ipsec.d/cacerts/*
+carol::rm /etc/ipsec.d/cacerts/*
+dave::rm /etc/ipsec.d/cacerts/*
+moon::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+carol::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+dave::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/sql/rw-rsa/test.conf b/testing/tests/sql/rw-rsa/test.conf
new file mode 100644
index 000000000..70416826e
--- /dev/null
+++ b/testing/tests/sql/rw-rsa/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
-- 
cgit v1.2.3


From c7f1b0530b85bc7654e68992f25ed8ced5d0a80d Mon Sep 17 00:00:00 2001
From: Rene Mayrhofer <rene@mayrhofer.eu.org>
Date: Fri, 5 Dec 2008 16:15:54 +0000
Subject: [svn-upgrade] Integrating new upstream version, strongswan (4.2.9)

---
 ChangeLog                                          | 1082 +-------
 NEWS                                               |   39 +
 configure                                          |  241 +-
 configure.in                                       |   46 +-
 scripts/thread_analysis.c                          |    6 +-
 src/_copyright/Makefile.am                         |    2 +-
 src/_copyright/Makefile.in                         |    5 +-
 src/charon/Makefile.am                             |   22 +
 src/charon/Makefile.in                             |  147 +-
 src/charon/bus/bus.c                               |  335 ++-
 src/charon/bus/bus.h                               |  376 ++-
 src/charon/bus/listeners/file_logger.c             |   45 +-
 src/charon/bus/listeners/file_logger.h             |   14 +-
 src/charon/bus/listeners/sys_logger.c              |   39 +-
 src/charon/bus/listeners/sys_logger.h              |   16 +-
 src/charon/config/backend_manager.c                |   19 +-
 src/charon/config/child_cfg.c                      |   99 +-
 src/charon/config/child_cfg.h                      |   41 +-
 src/charon/config/peer_cfg.c                       |   60 +-
 src/charon/config/proposal.c                       |    2 +-
 src/charon/config/traffic_selector.c               |  109 +-
 src/charon/config/traffic_selector.h               |   28 +-
 src/charon/control/controller.c                    |  505 ++--
 src/charon/control/controller.h                    |   20 +-
 src/charon/credentials/credential_manager.c        |   49 +-
 src/charon/credentials/sets/cert_cache.c           |   28 +-
 src/charon/daemon.c                                |  257 +-
 src/charon/daemon.h                                |   17 +-
 src/charon/encoding/payloads/payload.c             |   20 +-
 .../payloads/traffic_selector_substructure.c       |    6 +-
 src/charon/kernel/kernel_interface.c               |  122 +-
 src/charon/kernel/kernel_interface.h               |   79 +-
 src/charon/kernel/kernel_ipsec.c                   |    9 +-
 src/charon/kernel/kernel_ipsec.h                   |   73 +-
 src/charon/network/sender.c                        |   49 +-
 src/charon/network/socket-raw.c                    |  136 +-
 src/charon/network/socket.c                        |  109 +-
 src/charon/network/socket.h                        |   24 +-
 src/charon/plugins/eap_aka/eap_aka.c               |    3 +-
 src/charon/plugins/kernel_klips/Makefile.am        |   10 +
 src/charon/plugins/kernel_klips/Makefile.in        |  501 ++++
 .../plugins/kernel_klips/kernel_klips_ipsec.c      | 2659 ++++++++++++++++++++
 .../plugins/kernel_klips/kernel_klips_ipsec.h      |   48 +
 .../plugins/kernel_klips/kernel_klips_plugin.c     |   58 +
 .../plugins/kernel_klips/kernel_klips_plugin.h     |   49 +
 src/charon/plugins/kernel_klips/pfkeyv2.h          |  322 +++
 .../plugins/kernel_netlink/kernel_netlink_ipsec.c  |  864 ++++---
 .../plugins/kernel_netlink/kernel_netlink_net.c    |  269 +-
 .../plugins/kernel_netlink/kernel_netlink_shared.c |   20 +-
 .../plugins/kernel_netlink/kernel_netlink_shared.h |   12 +-
 src/charon/plugins/kernel_pfkey/Makefile.am        |   10 +
 src/charon/plugins/kernel_pfkey/Makefile.in        |  501 ++++
 .../plugins/kernel_pfkey/kernel_pfkey_ipsec.c      | 1991 +++++++++++++++
 .../plugins/kernel_pfkey/kernel_pfkey_ipsec.h      |   48 +
 .../plugins/kernel_pfkey/kernel_pfkey_plugin.c     |   58 +
 .../plugins/kernel_pfkey/kernel_pfkey_plugin.h     |   49 +
 src/charon/plugins/load_tester/Makefile.am         |   16 +
 src/charon/plugins/load_tester/Makefile.in         |  509 ++++
 .../plugins/load_tester/load_tester_config.c       |  143 ++
 .../plugins/load_tester/load_tester_config.h       |   53 +
 src/charon/plugins/load_tester/load_tester_creds.c |  236 ++
 src/charon/plugins/load_tester/load_tester_creds.h |   53 +
 src/charon/plugins/load_tester/load_tester_ipsec.c |  165 ++
 src/charon/plugins/load_tester/load_tester_ipsec.h |   48 +
 .../plugins/load_tester/load_tester_listener.c     |   75 +
 .../plugins/load_tester/load_tester_listener.h     |   53 +
 .../plugins/load_tester/load_tester_plugin.c       |  175 ++
 .../plugins/load_tester/load_tester_plugin.h       |   51 +
 src/charon/plugins/medcli/medcli_listener.c        |   76 +-
 src/charon/plugins/medcli/medcli_listener.h        |    2 +-
 src/charon/plugins/nm/Makefile.am                  |    2 +-
 src/charon/plugins/nm/Makefile.in                  |    2 +-
 src/charon/plugins/nm/nm_creds.c                   |   38 +-
 src/charon/plugins/nm/nm_service.c                 |  154 +-
 src/charon/plugins/smp/smp.c                       |   18 +-
 src/charon/plugins/sql/pool.c                      |   14 +-
 src/charon/plugins/sql/sql_attribute.c             |   22 +-
 src/charon/plugins/sql/sql_logger.c                |   13 +-
 src/charon/plugins/sql/sql_logger.h                |    2 +-
 src/charon/plugins/stroke/stroke_ca.c              |   30 +-
 src/charon/plugins/stroke/stroke_config.c          |    4 +-
 src/charon/plugins/stroke/stroke_control.c         |    4 +-
 src/charon/plugins/stroke/stroke_cred.c            |   37 +-
 src/charon/plugins/stroke/stroke_list.c            |  104 +-
 src/charon/plugins/stroke/stroke_socket.c          |   36 +-
 src/charon/plugins/unit_tester/tests/test_pool.c   |    1 +
 src/charon/plugins/updown/Makefile.am              |   12 +
 src/charon/plugins/updown/Makefile.in              |  501 ++++
 src/charon/plugins/updown/updown_listener.c        |  320 +++
 src/charon/plugins/updown/updown_listener.h        |   51 +
 src/charon/plugins/updown/updown_plugin.c          |   65 +
 src/charon/plugins/updown/updown_plugin.h          |   49 +
 src/charon/processing/jobs/acquire_job.c           |   31 +-
 src/charon/processing/jobs/acquire_job.h           |    9 +-
 src/charon/processing/jobs/callback_job.c          |   30 +-
 .../processing/jobs/initiate_mediation_job.c       |   82 +-
 src/charon/processing/jobs/migrate_job.c           |  152 ++
 src/charon/processing/jobs/migrate_job.h           |   65 +
 src/charon/processing/processor.c                  |   68 +-
 src/charon/sa/authenticators/eap/eap_manager.c     |   22 +-
 src/charon/sa/authenticators/eap_authenticator.c   |   57 +-
 src/charon/sa/authenticators/psk_authenticator.c   |   97 +-
 .../sa/authenticators/pubkey_authenticator.c       |   47 +-
 src/charon/sa/child_sa.c                           | 1112 ++++----
 src/charon/sa/child_sa.h                           |  138 +-
 src/charon/sa/connect_manager.c                    |   72 +-
 src/charon/sa/ike_sa.c                             |  694 ++---
 src/charon/sa/ike_sa.h                             |  143 +-
 src/charon/sa/ike_sa_manager.c                     |   97 +-
 src/charon/sa/ike_sa_manager.h                     |    8 +-
 src/charon/sa/keymat.c                             |  568 +++++
 src/charon/sa/keymat.h                             |  154 ++
 src/charon/sa/mediation_manager.c                  |   34 +-
 src/charon/sa/task_manager.c                       |   39 +-
 src/charon/sa/tasks/child_create.c                 |  223 +-
 src/charon/sa/tasks/child_delete.c                 |   21 +-
 src/charon/sa/tasks/child_rekey.c                  |   28 +-
 src/charon/sa/tasks/ike_auth.c                     |  108 +-
 src/charon/sa/tasks/ike_auth_lifetime.c            |    7 +-
 src/charon/sa/tasks/ike_delete.c                   |   41 +-
 src/charon/sa/tasks/ike_init.c                     |  160 +-
 src/charon/sa/tasks/ike_me.c                       |   10 +-
 src/charon/sa/tasks/ike_mobike.c                   |   16 +-
 src/charon/sa/tasks/ike_reauth.c                   |   11 +-
 src/charon/sa/tasks/ike_rekey.c                    |   65 +-
 src/charon/sa/tasks/task.c                         |   25 +-
 src/dumm/Makefile.am                               |    4 +-
 src/dumm/Makefile.in                               |    8 +-
 src/dumm/dumm.c                                    |   17 +-
 src/dumm/ext/dumm.c                                |   19 +-
 src/dumm/guest.c                                   |   15 +-
 src/dumm/guest.h                                   |   14 +-
 src/dumm/iface.c                                   |   12 +-
 src/dumm/main.c                                    |    1 +
 src/dumm/mconsole.c                                |   14 +-
 src/dumm/mconsole.h                                |    2 +-
 src/include/linux/ipsec.h                          |    5 +-
 src/include/linux/pfkeyv2.h                        |   20 +-
 src/include/linux/xfrm.h                           |   10 +
 src/libfreeswan/freeswan.h                         |    3 +-
 src/libstrongswan/Makefile.am                      |   13 +-
 src/libstrongswan/Makefile.in                      |   88 +-
 src/libstrongswan/crypto/crypters/crypter.h        |    2 +-
 src/libstrongswan/crypto/crypto_factory.c          |   86 +-
 src/libstrongswan/crypto/diffie_hellman.h          |   12 +-
 src/libstrongswan/crypto/prf_plus.c                |   15 +-
 src/libstrongswan/fetcher/fetcher_manager.c        |   24 +-
 .../plugins/agent/agent_private_key.c              |   38 +-
 src/libstrongswan/plugins/curl/curl_fetcher.c      |    4 +-
 src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c |   68 +-
 .../plugins/openssl/openssl_diffie_hellman.c       |  115 +-
 .../plugins/openssl/openssl_ec_diffie_hellman.c    |   21 +-
 src/libstrongswan/plugins/openssl/openssl_plugin.c |  124 +-
 .../plugins/openssl/openssl_rsa_private_key.c      |   21 +-
 .../plugins/openssl/openssl_rsa_public_key.c       |   10 +-
 src/libstrongswan/plugins/x509/x509_ac.c           |    2 +
 src/libstrongswan/plugins/x509/x509_cert.c         |    3 +-
 src/libstrongswan/plugins/x509/x509_crl.c          |    4 +-
 src/libstrongswan/settings.c                       |  120 +-
 src/libstrongswan/settings.h                       |   50 +-
 src/libstrongswan/utils.h                          |    7 +-
 src/libstrongswan/utils/backtrace.c                |  183 ++
 src/libstrongswan/utils/backtrace.h                |   63 +
 src/libstrongswan/utils/host.c                     |  139 +-
 src/libstrongswan/utils/host.h                     |    6 +-
 src/libstrongswan/utils/iterator.h                 |   57 +-
 src/libstrongswan/utils/leak_detective.c           |  155 +-
 src/libstrongswan/utils/leak_detective.h           |    5 -
 src/libstrongswan/utils/linked_list.c              |  113 +-
 src/libstrongswan/utils/linked_list.h              |   29 +-
 src/libstrongswan/utils/mutex.c                    |  280 ++-
 src/libstrongswan/utils/mutex.h                    |   53 +
 src/pluto/ac.c                                     |    4 +-
 src/pluto/ca.c                                     |    4 +-
 src/pluto/constants.c                              |    4 +-
 src/pluto/constants.h                              |    7 +-
 src/pluto/crl.c                                    |    4 +-
 src/pluto/defs.c                                   |   11 +-
 src/pluto/fetch.c                                  |    8 +-
 src/pluto/vendor.c                                 |    5 +-
 src/pluto/vendor.h                                 |    3 +-
 src/scepclient/scep.c                              |    2 +-
 src/starter/Makefile.am                            |   20 +-
 src/starter/Makefile.in                            |   25 +-
 src/starter/args.c                                 |    3 +-
 src/starter/confread.c                             |   31 +-
 src/starter/confread.h                             |    4 +-
 src/starter/files.h                                |    5 +-
 src/starter/invokepluto.c                          |    6 +-
 src/starter/ipsec.conf.5                           |   22 +-
 src/starter/keywords.c                             |    7 +-
 src/starter/keywords.h                             |    3 +-
 src/starter/keywords.txt                           |    3 +-
 src/starter/klips.c                                |   82 +
 src/starter/klips.h                                |   24 +
 src/starter/lex.yy.c                               |   43 +-
 src/starter/netkey.c                               |   22 +-
 src/starter/parser.l                               |    3 +-
 src/starter/starter.c                              |   13 +-
 src/starter/starterstroke.c                        |   36 +-
 src/stroke/Makefile.am                             |    2 +-
 src/stroke/Makefile.in                             |    2 +-
 src/stroke/stroke_msg.h                            |    5 +-
 src/whack/whack.c                                  |    4 +-
 testing/INSTALL                                    |    8 +-
 testing/testing.conf                               |    8 +-
 .../alg-aes-xcbc/hosts/carol/etc/strongswan.conf   |    2 +-
 .../alg-aes-xcbc/hosts/moon/etc/strongswan.conf    |    2 +-
 testing/tests/ikev2/any-interface/evaltest.dat     |    4 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../config-payload/hosts/carol/etc/strongswan.conf |    2 +-
 .../config-payload/hosts/dave/etc/strongswan.conf  |    2 +-
 .../config-payload/hosts/moon/etc/strongswan.conf  |    2 +-
 .../ikev2/crl-ldap/hosts/carol/etc/strongswan.conf |    2 +-
 .../ikev2/crl-ldap/hosts/moon/etc/strongswan.conf  |    2 +-
 .../default-keys/hosts/carol/etc/strongswan.conf   |    2 +-
 .../default-keys/hosts/moon/etc/strongswan.conf    |    2 +-
 .../double-nat-net/hosts/alice/etc/strongswan.conf |    2 +-
 .../double-nat-net/hosts/bob/etc/strongswan.conf   |    2 +-
 .../double-nat/hosts/alice/etc/strongswan.conf     |    2 +-
 .../ikev2/double-nat/hosts/bob/etc/strongswan.conf |    2 +-
 .../dpd-clear/hosts/carol/etc/strongswan.conf      |    2 +-
 .../ikev2/dpd-hold/hosts/carol/etc/strongswan.conf |    2 +-
 .../dpd-restart/hosts/carol/etc/strongswan.conf    |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../esp-alg-aes-ccm/hosts/moon/etc/strongswan.conf |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../esp-alg-aes-gcm/hosts/moon/etc/strongswan.conf |    2 +-
 .../hosts/alice/etc/strongswan.conf                |    2 +-
 .../force-udp-encaps/hosts/sun/etc/strongswan.conf |    2 +-
 .../host2host-cert/hosts/moon/etc/strongswan.conf  |    2 +-
 .../host2host-cert/hosts/sun/etc/strongswan.conf   |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/sun/etc/strongswan.conf                  |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/sun/etc/strongswan.conf                  |    2 +-
 .../ip-pool-db/hosts/carol/etc/strongswan.conf     |    2 +-
 .../ip-pool-db/hosts/dave/etc/strongswan.conf      |    2 +-
 .../ip-pool-db/hosts/moon/etc/strongswan.conf      |    2 +-
 .../ip-pool-wish/hosts/carol/etc/strongswan.conf   |    2 +-
 .../ip-pool-wish/hosts/dave/etc/strongswan.conf    |    2 +-
 .../ip-pool-wish/hosts/moon/etc/strongswan.conf    |    2 +-
 .../ikev2/ip-pool/hosts/carol/etc/strongswan.conf  |    2 +-
 .../ikev2/ip-pool/hosts/dave/etc/strongswan.conf   |    2 +-
 .../ikev2/ip-pool/hosts/moon/etc/strongswan.conf   |    2 +-
 .../hosts/alice/etc/strongswan.conf                |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../ip-two-pools-db/hosts/dave/etc/strongswan.conf |    2 +-
 .../ip-two-pools-db/hosts/moon/etc/strongswan.conf |    2 +-
 .../hosts/venus/etc/strongswan.conf                |    2 +-
 .../ip-two-pools/hosts/alice/etc/strongswan.conf   |    2 +-
 .../ip-two-pools/hosts/carol/etc/strongswan.conf   |    2 +-
 .../ip-two-pools/hosts/moon/etc/strongswan.conf    |    2 +-
 .../mobike-nat/hosts/alice/etc/strongswan.conf     |    2 +-
 .../ikev2/mobike-nat/hosts/sun/etc/strongswan.conf |    2 +-
 .../hosts/alice/etc/strongswan.conf                |    2 +-
 .../hosts/sun/etc/strongswan.conf                  |    2 +-
 .../ikev2/mobike/hosts/alice/etc/strongswan.conf   |    2 +-
 .../ikev2/mobike/hosts/sun/etc/strongswan.conf     |    2 +-
 .../tests/ikev2/multi-level-ca-ldap/evaltest.dat   |    2 -
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 testing/tests/ikev2/multi-level-ca/evaltest.dat    |    2 -
 .../nat-one-rw/hosts/alice/etc/strongswan.conf     |    2 +-
 .../ikev2/nat-one-rw/hosts/sun/etc/strongswan.conf |    2 +-
 .../nat-two-rw-psk/hosts/alice/etc/strongswan.conf |    2 +-
 .../nat-two-rw-psk/hosts/sun/etc/strongswan.conf   |    2 +-
 .../nat-two-rw-psk/hosts/venus/etc/strongswan.conf |    2 +-
 .../nat-two-rw/hosts/alice/etc/strongswan.conf     |    2 +-
 .../ikev2/nat-two-rw/hosts/sun/etc/strongswan.conf |    2 +-
 .../nat-two-rw/hosts/venus/etc/strongswan.conf     |    2 +-
 .../net2net-cert/hosts/moon/etc/strongswan.conf    |    2 +-
 .../net2net-cert/hosts/sun/etc/strongswan.conf     |    2 +-
 .../net2net-psk/hosts/moon/etc/strongswan.conf     |    2 +-
 .../net2net-psk/hosts/sun/etc/strongswan.conf      |    2 +-
 testing/tests/ikev2/net2net-route/evaltest.dat     |    2 +-
 .../net2net-route/hosts/moon/etc/strongswan.conf   |    2 +-
 .../net2net-route/hosts/sun/etc/strongswan.conf    |    2 +-
 .../net2net-start/hosts/moon/etc/strongswan.conf   |    2 +-
 .../net2net-start/hosts/sun/etc/strongswan.conf    |    2 +-
 .../protoport-dual/hosts/carol/etc/strongswan.conf |    2 +-
 .../protoport-dual/hosts/moon/etc/strongswan.conf  |    2 +-
 testing/tests/ikev2/protoport-route/evaltest.dat   |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../protoport-route/hosts/moon/etc/strongswan.conf |    2 +-
 .../reauth-early/hosts/carol/etc/strongswan.conf   |    2 +-
 .../reauth-early/hosts/moon/etc/strongswan.conf    |    2 +-
 .../reauth-late/hosts/carol/etc/strongswan.conf    |    2 +-
 .../reauth-late/hosts/moon/etc/strongswan.conf     |    2 +-
 .../ikev2/rw-cert/hosts/carol/etc/strongswan.conf  |    2 +-
 .../ikev2/rw-cert/hosts/dave/etc/strongswan.conf   |    2 +-
 .../ikev2/rw-cert/hosts/moon/etc/strongswan.conf   |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf |    2 +-
 .../rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf  |    2 +-
 .../rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf |    2 +-
 .../rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf  |    2 +-
 .../rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf |    2 +-
 .../rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf  |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../rw-hash-and-url/hosts/dave/etc/strongswan.conf |    2 +-
 .../rw-hash-and-url/hosts/moon/etc/strongswan.conf |    2 +-
 .../rw-psk-fqdn/hosts/carol/etc/strongswan.conf    |    2 +-
 .../rw-psk-fqdn/hosts/dave/etc/strongswan.conf     |    2 +-
 .../rw-psk-fqdn/hosts/moon/etc/strongswan.conf     |    2 +-
 .../rw-psk-ipv4/hosts/carol/etc/strongswan.conf    |    2 +-
 .../rw-psk-ipv4/hosts/dave/etc/strongswan.conf     |    2 +-
 .../rw-psk-ipv4/hosts/moon/etc/strongswan.conf     |    2 +-
 .../rw-psk-no-idr/hosts/carol/etc/strongswan.conf  |    2 +-
 .../rw-psk-no-idr/hosts/dave/etc/strongswan.conf   |    2 +-
 .../rw-psk-no-idr/hosts/moon/etc/strongswan.conf   |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../two-certs/hosts/carol/etc/strongswan.conf      |    2 +-
 .../ikev2/two-certs/hosts/dave/etc/strongswan.conf |    2 +-
 .../ikev2/two-certs/hosts/moon/etc/strongswan.conf |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../virtual-ip/hosts/carol/etc/strongswan.conf     |    2 +-
 .../virtual-ip/hosts/dave/etc/strongswan.conf      |    2 +-
 .../virtual-ip/hosts/moon/etc/strongswan.conf      |    2 +-
 .../host2host-ikev2/hosts/moon/etc/strongswan.conf |    2 +-
 .../host2host-ikev2/hosts/sun/etc/strongswan.conf  |    2 +-
 .../net2net-ikev2/hosts/moon/etc/strongswan.conf   |    2 +-
 .../net2net-ikev2/hosts/sun/etc/strongswan.conf    |    2 +-
 .../ipv6/rw-ikev2/hosts/carol/etc/strongswan.conf  |    2 +-
 .../ipv6/rw-ikev2/hosts/dave/etc/strongswan.conf   |    2 +-
 .../ipv6/rw-ikev2/hosts/moon/etc/strongswan.conf   |    2 +-
 .../rw-psk-ikev2/hosts/carol/etc/strongswan.conf   |    2 +-
 .../rw-psk-ikev2/hosts/dave/etc/strongswan.conf    |    2 +-
 .../rw-psk-ikev2/hosts/moon/etc/strongswan.conf    |    2 +-
 .../transport-ikev2/hosts/moon/etc/strongswan.conf |    2 +-
 .../transport-ikev2/hosts/sun/etc/strongswan.conf  |    2 +-
 .../ecdsa-certs/hosts/carol/etc/strongswan.conf    |    2 +-
 .../ecdsa-certs/hosts/dave/etc/strongswan.conf     |    2 +-
 .../ecdsa-certs/hosts/moon/etc/strongswan.conf     |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../ike-alg-ecp-low/hosts/dave/etc/strongswan.conf |    2 +-
 .../ike-alg-ecp-low/hosts/moon/etc/strongswan.conf |    2 +-
 .../rw-cert/hosts/carol/etc/strongswan.conf        |    2 +-
 .../openssl/rw-cert/hosts/dave/etc/strongswan.conf |    2 +-
 .../openssl/rw-cert/hosts/moon/etc/strongswan.conf |    2 +-
 .../hosts/alice/etc/strongswan.conf                |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/venus/etc/strongswan.conf                |    2 +-
 .../medsrv-psk/hosts/alice/etc/strongswan.conf     |    2 +-
 .../medsrv-psk/hosts/bob/etc/strongswan.conf       |    2 +-
 .../medsrv-psk/hosts/carol/etc/strongswan.conf     |    2 +-
 testing/tests/pfkey/alg-aes-xcbc/description.txt   |    4 +
 testing/tests/pfkey/alg-aes-xcbc/evaltest.dat      |    9 +
 .../pfkey/alg-aes-xcbc/hosts/carol/etc/ipsec.conf  |   25 +
 .../alg-aes-xcbc/hosts/carol/etc/strongswan.conf   |    5 +
 .../pfkey/alg-aes-xcbc/hosts/moon/etc/ipsec.conf   |   24 +
 .../alg-aes-xcbc/hosts/moon/etc/strongswan.conf    |    5 +
 testing/tests/pfkey/alg-aes-xcbc/posttest.dat      |    4 +
 testing/tests/pfkey/alg-aes-xcbc/pretest.dat       |    6 +
 testing/tests/pfkey/alg-aes-xcbc/test.conf         |   21 +
 .../pfkey/host2host-transport/description.txt      |    4 +
 .../tests/pfkey/host2host-transport/evaltest.dat   |    8 +
 .../host2host-transport/hosts/moon/etc/ipsec.conf  |   24 +
 .../hosts/moon/etc/strongswan.conf                 |    5 +
 .../host2host-transport/hosts/sun/etc/ipsec.conf   |   24 +
 .../hosts/sun/etc/strongswan.conf                  |    5 +
 .../tests/pfkey/host2host-transport/posttest.dat   |    4 +
 .../tests/pfkey/host2host-transport/pretest.dat    |    6 +
 testing/tests/pfkey/host2host-transport/test.conf  |   21 +
 testing/tests/pfkey/nat-two-rw/description.txt     |    5 +
 testing/tests/pfkey/nat-two-rw/evaltest.dat        |    9 +
 .../pfkey/nat-two-rw/hosts/alice/etc/ipsec.conf    |   23 +
 .../nat-two-rw/hosts/alice/etc/strongswan.conf     |    5 +
 .../pfkey/nat-two-rw/hosts/sun/etc/ipsec.conf      |   35 +
 .../pfkey/nat-two-rw/hosts/sun/etc/strongswan.conf |    5 +
 .../pfkey/nat-two-rw/hosts/venus/etc/ipsec.conf    |   23 +
 .../nat-two-rw/hosts/venus/etc/strongswan.conf     |    5 +
 testing/tests/pfkey/nat-two-rw/posttest.dat        |    8 +
 testing/tests/pfkey/nat-two-rw/pretest.dat         |   14 +
 testing/tests/pfkey/nat-two-rw/test.conf           |   21 +
 testing/tests/pfkey/net2net-route/description.txt  |    9 +
 testing/tests/pfkey/net2net-route/evaltest.dat     |    6 +
 .../pfkey/net2net-route/hosts/moon/etc/ipsec.conf  |   25 +
 .../net2net-route/hosts/moon/etc/strongswan.conf   |    5 +
 .../pfkey/net2net-route/hosts/sun/etc/ipsec.conf   |   25 +
 .../net2net-route/hosts/sun/etc/strongswan.conf    |    5 +
 testing/tests/pfkey/net2net-route/posttest.dat     |    4 +
 testing/tests/pfkey/net2net-route/pretest.dat      |    6 +
 testing/tests/pfkey/net2net-route/test.conf        |   21 +
 testing/tests/pfkey/protoport-dual/description.txt |    6 +
 testing/tests/pfkey/protoport-dual/evaltest.dat    |    9 +
 .../protoport-dual/hosts/carol/etc/ipsec.conf      |   29 +
 .../protoport-dual/hosts/carol/etc/strongswan.conf |    5 +
 .../pfkey/protoport-dual/hosts/moon/etc/ipsec.conf |   29 +
 .../protoport-dual/hosts/moon/etc/strongswan.conf  |    5 +
 testing/tests/pfkey/protoport-dual/posttest.dat    |    4 +
 testing/tests/pfkey/protoport-dual/pretest.dat     |    7 +
 testing/tests/pfkey/protoport-dual/test.conf       |   21 +
 .../tests/pfkey/protoport-route/description.txt    |    8 +
 testing/tests/pfkey/protoport-route/evaltest.dat   |   10 +
 .../protoport-route/hosts/carol/etc/ipsec.conf     |   29 +
 .../hosts/carol/etc/strongswan.conf                |    5 +
 .../protoport-route/hosts/moon/etc/ipsec.conf      |   29 +
 .../protoport-route/hosts/moon/etc/strongswan.conf |    5 +
 testing/tests/pfkey/protoport-route/posttest.dat   |    4 +
 testing/tests/pfkey/protoport-route/pretest.dat    |    8 +
 testing/tests/pfkey/protoport-route/test.conf      |   21 +
 testing/tests/pfkey/rw-cert/description.txt        |    6 +
 testing/tests/pfkey/rw-cert/evaltest.dat           |   10 +
 .../tests/pfkey/rw-cert/hosts/carol/etc/ipsec.conf |   23 +
 .../pfkey/rw-cert/hosts/carol/etc/strongswan.conf  |    5 +
 .../tests/pfkey/rw-cert/hosts/dave/etc/ipsec.conf  |   23 +
 .../pfkey/rw-cert/hosts/dave/etc/strongswan.conf   |    5 +
 .../tests/pfkey/rw-cert/hosts/moon/etc/ipsec.conf  |   22 +
 .../pfkey/rw-cert/hosts/moon/etc/strongswan.conf   |    5 +
 testing/tests/pfkey/rw-cert/posttest.dat           |    6 +
 testing/tests/pfkey/rw-cert/pretest.dat            |    9 +
 testing/tests/pfkey/rw-cert/test.conf              |   21 +
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../sql/ip-pool-db/hosts/carol/etc/strongswan.conf |    2 +-
 .../sql/ip-pool-db/hosts/dave/etc/strongswan.conf  |    2 +-
 .../sql/ip-pool-db/hosts/moon/etc/strongswan.conf  |    2 +-
 .../net2net-cert/hosts/moon/etc/strongswan.conf    |    2 +-
 .../sql/net2net-cert/hosts/sun/etc/strongswan.conf |    2 +-
 .../sql/net2net-psk/hosts/moon/etc/strongswan.conf |    2 +-
 .../sql/net2net-psk/hosts/sun/etc/strongswan.conf  |    2 +-
 .../sql/rw-cert/hosts/carol/etc/strongswan.conf    |    2 +-
 .../sql/rw-cert/hosts/dave/etc/strongswan.conf     |    2 +-
 .../sql/rw-cert/hosts/moon/etc/strongswan.conf     |    2 +-
 .../rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf |    2 +-
 .../rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf  |    2 +-
 .../rw-psk-ipv4/hosts/carol/etc/strongswan.conf    |    2 +-
 .../sql/rw-psk-ipv4/hosts/dave/etc/strongswan.conf |    2 +-
 .../sql/rw-psk-ipv4/hosts/moon/etc/strongswan.conf |    2 +-
 .../rw-psk-ipv6/hosts/carol/etc/strongswan.conf    |    2 +-
 .../sql/rw-psk-ipv6/hosts/dave/etc/strongswan.conf |    2 +-
 .../sql/rw-psk-ipv6/hosts/moon/etc/strongswan.conf |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../rw-rsa-keyid/hosts/carol/etc/strongswan.conf   |    2 +-
 .../rw-rsa-keyid/hosts/dave/etc/strongswan.conf    |    2 +-
 .../rw-rsa-keyid/hosts/moon/etc/strongswan.conf    |    2 +-
 .../sql/rw-rsa/hosts/carol/etc/strongswan.conf     |    2 +-
 .../sql/rw-rsa/hosts/dave/etc/strongswan.conf      |    2 +-
 .../sql/rw-rsa/hosts/moon/etc/strongswan.conf      |    2 +-
 461 files changed, 16984 insertions(+), 6029 deletions(-)
 create mode 100644 src/charon/plugins/kernel_klips/Makefile.am
 create mode 100644 src/charon/plugins/kernel_klips/Makefile.in
 create mode 100644 src/charon/plugins/kernel_klips/kernel_klips_ipsec.c
 create mode 100644 src/charon/plugins/kernel_klips/kernel_klips_ipsec.h
 create mode 100644 src/charon/plugins/kernel_klips/kernel_klips_plugin.c
 create mode 100644 src/charon/plugins/kernel_klips/kernel_klips_plugin.h
 create mode 100644 src/charon/plugins/kernel_klips/pfkeyv2.h
 create mode 100644 src/charon/plugins/kernel_pfkey/Makefile.am
 create mode 100644 src/charon/plugins/kernel_pfkey/Makefile.in
 create mode 100644 src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
 create mode 100644 src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.h
 create mode 100644 src/charon/plugins/kernel_pfkey/kernel_pfkey_plugin.c
 create mode 100644 src/charon/plugins/kernel_pfkey/kernel_pfkey_plugin.h
 create mode 100644 src/charon/plugins/load_tester/Makefile.am
 create mode 100644 src/charon/plugins/load_tester/Makefile.in
 create mode 100644 src/charon/plugins/load_tester/load_tester_config.c
 create mode 100644 src/charon/plugins/load_tester/load_tester_config.h
 create mode 100644 src/charon/plugins/load_tester/load_tester_creds.c
 create mode 100644 src/charon/plugins/load_tester/load_tester_creds.h
 create mode 100644 src/charon/plugins/load_tester/load_tester_ipsec.c
 create mode 100644 src/charon/plugins/load_tester/load_tester_ipsec.h
 create mode 100644 src/charon/plugins/load_tester/load_tester_listener.c
 create mode 100644 src/charon/plugins/load_tester/load_tester_listener.h
 create mode 100644 src/charon/plugins/load_tester/load_tester_plugin.c
 create mode 100644 src/charon/plugins/load_tester/load_tester_plugin.h
 create mode 100644 src/charon/plugins/updown/Makefile.am
 create mode 100644 src/charon/plugins/updown/Makefile.in
 create mode 100644 src/charon/plugins/updown/updown_listener.c
 create mode 100644 src/charon/plugins/updown/updown_listener.h
 create mode 100644 src/charon/plugins/updown/updown_plugin.c
 create mode 100644 src/charon/plugins/updown/updown_plugin.h
 create mode 100644 src/charon/processing/jobs/migrate_job.c
 create mode 100644 src/charon/processing/jobs/migrate_job.h
 create mode 100644 src/charon/sa/keymat.c
 create mode 100644 src/charon/sa/keymat.h
 create mode 100644 src/libstrongswan/utils/backtrace.c
 create mode 100644 src/libstrongswan/utils/backtrace.h
 create mode 100644 src/starter/klips.c
 create mode 100644 src/starter/klips.h
 create mode 100644 testing/tests/pfkey/alg-aes-xcbc/description.txt
 create mode 100644 testing/tests/pfkey/alg-aes-xcbc/evaltest.dat
 create mode 100755 testing/tests/pfkey/alg-aes-xcbc/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/pfkey/alg-aes-xcbc/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/pfkey/alg-aes-xcbc/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/pfkey/alg-aes-xcbc/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/pfkey/alg-aes-xcbc/posttest.dat
 create mode 100644 testing/tests/pfkey/alg-aes-xcbc/pretest.dat
 create mode 100644 testing/tests/pfkey/alg-aes-xcbc/test.conf
 create mode 100644 testing/tests/pfkey/host2host-transport/description.txt
 create mode 100644 testing/tests/pfkey/host2host-transport/evaltest.dat
 create mode 100755 testing/tests/pfkey/host2host-transport/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/pfkey/host2host-transport/hosts/moon/etc/strongswan.conf
 create mode 100755 testing/tests/pfkey/host2host-transport/hosts/sun/etc/ipsec.conf
 create mode 100644 testing/tests/pfkey/host2host-transport/hosts/sun/etc/strongswan.conf
 create mode 100644 testing/tests/pfkey/host2host-transport/posttest.dat
 create mode 100644 testing/tests/pfkey/host2host-transport/pretest.dat
 create mode 100644 testing/tests/pfkey/host2host-transport/test.conf
 create mode 100644 testing/tests/pfkey/nat-two-rw/description.txt
 create mode 100644 testing/tests/pfkey/nat-two-rw/evaltest.dat
 create mode 100755 testing/tests/pfkey/nat-two-rw/hosts/alice/etc/ipsec.conf
 create mode 100644 testing/tests/pfkey/nat-two-rw/hosts/alice/etc/strongswan.conf
 create mode 100755 testing/tests/pfkey/nat-two-rw/hosts/sun/etc/ipsec.conf
 create mode 100644 testing/tests/pfkey/nat-two-rw/hosts/sun/etc/strongswan.conf
 create mode 100755 testing/tests/pfkey/nat-two-rw/hosts/venus/etc/ipsec.conf
 create mode 100644 testing/tests/pfkey/nat-two-rw/hosts/venus/etc/strongswan.conf
 create mode 100644 testing/tests/pfkey/nat-two-rw/posttest.dat
 create mode 100644 testing/tests/pfkey/nat-two-rw/pretest.dat
 create mode 100644 testing/tests/pfkey/nat-two-rw/test.conf
 create mode 100644 testing/tests/pfkey/net2net-route/description.txt
 create mode 100644 testing/tests/pfkey/net2net-route/evaltest.dat
 create mode 100755 testing/tests/pfkey/net2net-route/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/pfkey/net2net-route/hosts/moon/etc/strongswan.conf
 create mode 100755 testing/tests/pfkey/net2net-route/hosts/sun/etc/ipsec.conf
 create mode 100644 testing/tests/pfkey/net2net-route/hosts/sun/etc/strongswan.conf
 create mode 100644 testing/tests/pfkey/net2net-route/posttest.dat
 create mode 100644 testing/tests/pfkey/net2net-route/pretest.dat
 create mode 100644 testing/tests/pfkey/net2net-route/test.conf
 create mode 100644 testing/tests/pfkey/protoport-dual/description.txt
 create mode 100644 testing/tests/pfkey/protoport-dual/evaltest.dat
 create mode 100755 testing/tests/pfkey/protoport-dual/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/pfkey/protoport-dual/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/pfkey/protoport-dual/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/pfkey/protoport-dual/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/pfkey/protoport-dual/posttest.dat
 create mode 100644 testing/tests/pfkey/protoport-dual/pretest.dat
 create mode 100644 testing/tests/pfkey/protoport-dual/test.conf
 create mode 100644 testing/tests/pfkey/protoport-route/description.txt
 create mode 100644 testing/tests/pfkey/protoport-route/evaltest.dat
 create mode 100755 testing/tests/pfkey/protoport-route/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/pfkey/protoport-route/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/pfkey/protoport-route/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/pfkey/protoport-route/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/pfkey/protoport-route/posttest.dat
 create mode 100644 testing/tests/pfkey/protoport-route/pretest.dat
 create mode 100644 testing/tests/pfkey/protoport-route/test.conf
 create mode 100644 testing/tests/pfkey/rw-cert/description.txt
 create mode 100644 testing/tests/pfkey/rw-cert/evaltest.dat
 create mode 100755 testing/tests/pfkey/rw-cert/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/pfkey/rw-cert/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/pfkey/rw-cert/hosts/dave/etc/ipsec.conf
 create mode 100644 testing/tests/pfkey/rw-cert/hosts/dave/etc/strongswan.conf
 create mode 100755 testing/tests/pfkey/rw-cert/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/pfkey/rw-cert/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/pfkey/rw-cert/posttest.dat
 create mode 100644 testing/tests/pfkey/rw-cert/pretest.dat
 create mode 100644 testing/tests/pfkey/rw-cert/test.conf

(limited to 'src/libstrongswan/plugins')

diff --git a/ChangeLog b/ChangeLog
index f52898a8e..41f530506 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,1079 +1,3 @@
- strongswan-4.1.0 / R:2552 
-===========================
-
-fixed nat detection bug
-OCSP support
-updated NEWS, TODO and man page
-respecting "keyingtries" parameter on IKE_SA setup
-cleanups
-fixed reset()
-not installing a route when policy gets updated
-renamed keyingtries attribute
-adjusted loglevels
-delay OCSP response by 5 seconds
-always update reqid on policy install, fixes dpdaction=hold issue
-EAP-SIM cleanups
-fixed CHILD_SA rekeying/delete bug on 64bit machines
-removed obsolete methods in delete_payload
-Shortened distribution string
-Shortened distribution string
-shortened distribution string
-add daemon.log to web page
-remove /etc/resolv.conf
-version bump to 4.1.0
-added apache2/ocsp log directory to winnetou
-removed killall openssl
-removed killall openssl
-deleted
-deleted
-create apach2/ocsp/ logging directory on winnetou
-do not check for type of dpd action any more
-create /var/log/apache2/ocsp on winnetou
-added
-added
-added
-delete virtual IP addresses after use
-deleted
-added
-fixed case of missing subjectKeyID
-corrected typo
-version bump to 4.1.0
-added
-use CURLOPT_NOSIGNAL
-added --with-sim-reader option to configure script
-some cleanups in eap_sim
-removed dublicated code in eap_authenticator
-log reception of trusted signer certificate
-version bump to 4.1.0
-deleted
-added
-changed OCSPSigner to OCSPSigning
-fixed carry bug in FIPS prf
-user standard cert
-deleted
-deleted
-added
-added
-modified description.txt and evaltest.dat
-version number selection fix
-some cleanups
-cleaned up and fixed DPD handling code
-removed cfg-payload dns test code
-added
-added
-version bump to strongswan-4.1.0 and linux-2.6.20.3
-cosmetics
-increased control debugging output
-added EAP-SIM authentication
-  client side only
-  uses an external SIM reader library specified with SIM_READER_LIB
-  untested
-not detaching from bus when IKE_SA_INIT is retried
-added AES-192/256 proposals to IKE
-added generic EAP_IDENTITY client implementation using peers IKEv2 ID
-fixed compilation warnings and errors when not using curl
-results from the single responses is stored in the corresponding certinfo_t structs
-moved credential_store.h from charon/config/credentials to libstrongswan
-last patch removed, changed CURLOPT_FILE to CURLOPT_WRITEDATA
-fixed memory leak by calling curl_slist_free_all(headers)
-fixed memory leak by calling curl_slist_free_all(headers)
-whitelisting static Curl_getaddrinfo() memory leak
-fixed a certinfo_t memory leak in verify()
-fixed a memory leak in response_t
-ocsp signer certificate and ocsp response signature can be verified
-fixed memleaks when using EAP authentication
-fixed configuration payloads when using EAP
-fixed payload order (again)
-including peers certificate when his certreq is empty
-implemented cookies as initiator
-proper logging of notifies in IKE_SA setup
-disabling routing for IPv6, does not work correctly
-fixed call of add_auth_certificate()
-generalized get_ca_certificate() to get_auth_certificate(auth_flags)
-added fetcher_finalize() to clean up libcurl
-some cleanups
-not installing %any DNS servers
-support of setting and getting authority flags
-support if ocsp signing certificates
-support if ocsp signing certificates
-fixed payload order in IKE_AUTH
-removed SHA2 kernel proposals from default, the kernel doesn't support them yet
-allocation fixes, not complete
-handling "No policy found" properly
-added more debugging output for policy lookup
-returning a (dummy) policy even when TS does not match, so we can properly send a TS_UNACCEPTABLE 
-fixed CHILD_SA creation within existing IKE_SA
-added ocsp_parse_single_response
-ported changes from EAP branch, renabling EAP framework
-added (not yet supported) sha2 algorithms to kernel
-only adding a route if using tunnel mode
-added SHA2 MAC and PRF to default proposal
-added more debug output 
-experimental SHA2 HMAC and PRF implementations
-parsing basic ocsp response
-forgot to assign public.is_ocsp_signer() method
-added parsing level to x509_create_from_chunk()
-added parsing level to x509_create_from_chunk() and added is_ocsp_signer() method
-http post fetching using libcurl implemented
-added fetcher.h and fetcher.c
-added
-corrected @ingroup to utils
-corrected comment
-start ocsp checking only if there are any ocspuris present
-conntrack -F is used to flush the NAT states
-the hostaccess=yes parameters are not needed anymore
-use conntrack -F to flush NAT states
-replaced actual virtual IP addresses by symbolic ones
-removed unnecessary double quotes
-nonce in ocsp_t was not properly initialized
-ocsp request is now fully built but without requestor signature
-starting to build ocsp request
-prevent from initiating  multiple exchanges the same time
-updated apidoc documentation
-fixed notify handling in IKE_AUTH
-moved nonce payload before TS in CHILD_SA setup
-moved REKEY_SA notify to the beginning of the message
-fixed traffic selector redundancy removal code (not completely tested)
-add crl and ocsp uris to linked list after partial verification
-added print hook for certinfo_t printing
-fixed typo
-sending an SPI of 0 as responder when IKE_SA_INIT fails
-iterate certinfos linked list for matching serialNumber
-some cleanups
-not assigning %any virtual IPs to peer anymore
-fixed double free bug
-added
-fixed ID selection bug when peer doesn't include IDr payload
-allowing vendor ID in any messag
-moved listing of crls to local_credential_store and ca
-refactored ca_info_t
-refactored ca_info_t
-fixed netlink socket receiver code
-implemented interface enumeration code with netlink: no getifaddrs reqired anymore
-refactored kernel interface, works reliable again
-implemented get_iface() using RTM_GETADDR
-added support for multi-header netlink messages
-really ugly now, need a lot of refactoring
-added debuggin for interface lookup
-fixed address lookup when !using getifaddrs()
-added firewalling support when using virtual IPs
-added support for 0.0.0.0/0 traffic selectors
-fixed routing to make correct 0.0.0.0/0 routes
-config-payload scenario fixes
-preparations for PLUTO_MY_SOURCEIP
-corrected typo
-added cert with OCSP access info
-dpd now takes 180 s and 5 retransmits
-changed grep to creating aquire job for CHILD SA
-replaced actual virtual IPs by place holders
-virtual-ip scenario has been replaces by config-payload scenario
-added
-added
-added ocsp.h and ocsp.c
-added
-r2398 | tobias | 2007-02-28 16:20:10 +0100 (Wed, 28 Feb 2007) | 2 lines
-virtual ip uml test
-fixed reauthentication when connections other is %any
-merged tasking branch into trunk
-fixed big endian bug in md5 hasher
-cosmetics
-added once flag to certinfo_t
-cosmetics
-added certinfos linked list
-changed ca info to ca
-support of ca info sections
-added support of OCSP accessLocations
-correct interface definition
-added support of OCSP accessLocations
-full support of ca info records
-added the create_crluri_iterator method
-replace ca is realized as del_ca followed by add_ca
-last CA keyword is KW_OCSPURI2
-full support of ca info records
-full support of ca info records
-alphabetically sorting print commands
-listing ca_info items
-replace printf.h by stdio.h
-addin get_keyid() method
-support of ca info records
-support of ca info records
-version bump to 4.0.8
-support of ca info records
-support of ca info records
-typo
-SHA512-HMAC bug fix and hash function self-test support
-SHA512-HMAC bug fix and hash function self-test support
-handle strong SHA-2 signatures in X.509 certificates
-SHA-2 fixes and add-ons
-version bumps
-remove strong certs and keys after test
-added
-using "left" as my host per default, swapping to "right" when needed
-respecting source address when sending packets
-added PRINT_CAINFO hook
-stroke now recognizes the keywords listocspcerts|cainfos|ocsp, rereadocspcerts and purgeocsp
-enable IP forwarding
-prepared support of ca information records and ocsp functionality
-added support of ca information records and ocsp keywords
-enabled adding and deleting ca information records
-fixed starter crash due to freeing default IPSEC_EAPDIR string
-add --eapdir option only if defined in ipsec.conf
-removed eap aka module due nda
-merged EAP framework from branch into trunk
-includes a lot of other modifications
-%T requires time_t ptr
-removed my time_t printf handler patch, applied the one of andreas (64bit save)
-fixed printf() hooks for time
-added support for NULL encryption in ESP
-be more liberal in accepting notifies with a protocol id
-include NO_EXT_SEQUENCE_NUMBER in default proposal
-output peer id if RSA public key is not found
-fixed typo
-version bump to 4.0.8
-added address listing without getifaddrs for uclibc (only IPv4 yet)
-added threads to support multiple simultaneous stroke requests
-renamed all static clone() functions to avoid naming conflicts with uclibc
-sending proper signal to the bus when detecting a dead peer
-added configuration of XAUTH and ModeConfig push mode
-version bump
-version bump
-Cisco XAUTH interoperability
-XAUTH interoperability with Cisco
-removed IPSECPOLICY compile option
-unload xauth_module only if XAUTH_DEFAULT_LIB is defined
-loading the XAUTH module requires libdl
-added some more attributes, inst XAUTH_TYPE in reply
-Mode Config refactoring
-XAUTH fixes and Cisco Unity support
-log APPLICATION_VERSION and UNITY_DDNS_HOSTNAME strings
-added Cisco Unity ModeCfg attributes
-version bump to 4.0.7
-fixed 64 bit issue with print time
-fixed XAUTHResp bug
-included xauth.h
-use uml_mconsole to check end of booting process
-name the created CHILD_SA
-doubled PAYLIMIT to 40 payloads
-version bump
-show rekeying|reauthentication time
-show name of created CHILD_SA
-combined use_in and use_fwd
-corrected typo
-cosmetics
-cosmetics
-fixed an enumeration error, added CISCO_IOS VID
-fixed mismatch in interface definition of get_secret()
-forward declaration of struct state not needed
-cosmetics
-added firewall support to scenario
-updated changelog for 4.0.6
-fixed crash when CA for certrequest not found
-fixed build when !using smartcard
-removed unused debugging code
-updated NEWS for 4.0.6
-
-
- strongswan-4.0.6 / R:2131 
-===========================
-
-updated NEWS for 4.0.6
-readded tranport mode test using new status output
-removed dublicated host2host-transport test
-fixed reauthentication when using %any hosts
-support for transport in create_child_sa
-include TRANSPORT/TUNNEL information in statusall
-load xauth module via dlopen()
-define path to xauth module
-added host2host-transport scenario
-removed trailing lines
-added XAUTH support
-fixed typo
-added XAUTH server and client support
-load and unload XAUTH module
-added xauth.h and xauth.c
-added enable-cisco-quirks configure option
-added xauth scenarios
-added config option for BEET mode
-fixed reuathentication when connections other host is %any
-fixed host conversion length check
-negated POLICY_REAUTH to POLICY_DONT_REAUTH
-negated POLICY_REAUTH to POLICY_DONT_REAUTH
-enable XAUTH_VID by default
-added support for transport mode and (experimental!) BEET mode
-support for the type=transport/tunnel parameter in charon
-fixed charset & cleanups
-added XAUTH server and client support
-additional parentheses for same_chunk() macro
-renamed to appear in doxygen build
-added a roadmap of the strongSwan project (TODO)
-added some NEWS
-first try to update ipsec.conf manual
-implemented reauthentication using the new reauth=yes|no parameter 
-fixed more uClibc issues
-should compile against a uClibc > 0.9.28 (untested)
-added XAUTH client states
-version bump to 4.0.6
-fixed stddef.h include
-fixed encoding rules string
-updated todo
-fixed some byte-order issues
-fixed HAVE_BACKTRACE checks
-starter Makefile now uses proper $(COMPILE) to build pluto objects
-made backtrace() calls optional to support uClibc
-XAUTH support
-XAUTH support
-fixed bug in ifdef CISCO_QUIRKS
-added XAUTH support
-support of Cisco Unity VID
-added new VIDs
-version bump to 4.0.6
-fixed case with wildcard peer ID and static peer address
-added simple script to port trunk changes into branches
-start kdevelop with project file from actual branch
-updated changelog
-fixed typos
-
-
- strongswan-4.0.5 / R:1447 
-===========================
-
-fixed typos
-improved selection of ipsec status|statusall <name>
-fixed NEWS (runtime debug level options)
-fixed credits
-fixed very old bug in linked_list's remove_first and remove_last
-proper "ipsec up" signal handling when initiating to %any
-removed iterator hook for replace
-fixed output of proto/port selectors
-cosmetics
-due to console logging, no need for final sleep anymore
-adapted checks to changed ipsec status output
-due to narrowing no need for rightsubnetwithin
-no need to send certreq
-fixed ipsec status|statusall <name>
-log IKE SPIs on a separate line
-redesigned formatting of ipsec status|statusall
-cosmetics
-version bumps of strongSwan, Linux kernel and Gentoo root file system
-corrected description
-added dpd-hold scenario
-added new features
-fixed 64 bit issue
-solved 64 bit issue by changing long to int
-solved 64 bit issue in push/pop stroke interface
-fixed 64 bit issue
-some fixes for doxygen
-better split up of library files "types.h" & "definitions.h"
-centralized all printf specifier character definitions
-reuse of arginfo handlers
-more cleanups
-fixed more AMD64 issues
-added DEBUG_LEVEL compile flag to exclude DBGn() statements
-added nodebug configure script without any debug messages and without -g
-preparations to include certreqs in policy decisions
-do not sent certreq payloads when the peer is known to use PSK
-position of (myself) moved in log output
-do not sent certreq payloads when using self-signed certs
-moved (myself) in log output
-moved typedefs to beginning of files to solve some include problems
-splitted authenticator to have a separate implementation for each auth_method_t
-using va_copy to clone va_lists, should fix proplems on AMD64
-some other cleanups
-do not sanitize '*' character
-fixed SIGSEGV when setup of an additional CHILD_SA fails
-added IKEv2 clarifications RFC
-changed debug level of certreq log output
-cosmetics in debug output
-support of certreq payload in IKE_AUTH messages
-chunk_to_hex() function declaration deleted
-added function certreq_payload_create_from_x509()
-send a certreq as initiator if other_ca is set
-added method get_ca_certificate()
-added methods get_my_ca() and get_other_ca()
-added methods get_my_ca() and get_other_ca()
-added some missing 'AUD' entries
-cosmetics
-cosmetics
-change due to change debug output
-spaces should not be sanitized
-fixed due to new logging concept
-some improvements in signaling code
-include only source NATD payloads really needed
-updated for NAT team
-improved signal handling and emitting
-support of ModeCfg Push mode
-support of mixed RSA/PSK static connections
-support of ipsec statusall in state output
-output of 'DPD active' in ISAKMP SAs
-support of ipsec statusall in state output
-added natip support
-added has_natip flag
-added ModeCfg push policy and states
-added ModeCfg push policy and states
-fixed typo in debug statement
-redesigned list output format
-added 'modeconfig=pull|push' and 'left|rightnatip' keywords
-added has_natip flag
-added has_natip flag
-added 'exit' statement in listcerts,.. case
-fixed two bugs in the time_t and chunk_ct print functions
-redesigned format of print function
-replaced 'times' by 'dates'
-added private flag to asn1_init
-added private flag to asn1_ctx_t
-removed DES-EDE3-CBC only comment
-removed deprecated iterator methods (has_next & current)
-added iterator hook to manipulate iterator the clean way
-linked list cleanups
-added list methods invoke(), destroy_offset(), destroy_function()
-simplified list destruction when destroying its items
-added verbosity level to stroke
-upgrade to new Gentoo root file system and tcpdump command
-added
-deleted
-renamed ikev1 scenario and added ikev2 scenario
-added new scenarios
-Version bumps of UML kernel, Gentoo root file system and strongSwan release
-code cleanups in printf handlers
-added eap authentication draft for ikev2
-updated stroke to allow run-time manipulation of debug levels
-added charondebug config parameter to set debug level at startup
-introduced new logging subsystem using bus:
-  passive listeners can register on the bus
-  active listeners wait for signals actively
-  multiplexing allows multiple listeners to receive debug signals
-  a lot more...
-updated file filter for kdev project
-include CREDITS file in distribution
-moved various scripts in scripts/ dir
-add configure script wrappers
-removed txt files from doxygen
-removed module tests, outdated. We need something more system-test like
-added missing -DDEBUG compile option
-fixed auxillary message data parsing for IPV6 socket
-using SOL_* constants for socket level
-fixed IPV6_PKTINFO setsockopt() to work with most kernel headers
-replaced strerror(errno) with %m printf specifier
-added stronger certs for moon, carol, and dave
-added IPv6 hw and multicast addresses
-adapted to new tcpdump ipv6 output
-multi-level-ca scenarios use unencrypted private key
-added scenario
-fixed timing
-new gentoo root file system
-fixed bug with openldap 2.3
-removed ipsec.conf version information
-carolKey.pem is now protected by 3DES passphrase
-updated net runlevel scripts
-updated net init scripts
-new net configuration format
-HW addresses must be predefined
-cosmetics
-added USE_LIBCURL
-cosmetics
-found libraries are not appended to LIBS anymore
-version bump to 4.0.5
-fixed DPD to survive IKE_SA rekeying
-introduced printf() specifiers for:
-  host_t (%H)
-  identification_t (%D)
-  chunk pointers (%B)
-  memory pointer/length (%b)
-added a signaling bus:
-  receives event and debug messages, sends them to its listeners
-  stream_logger, sys_logger, file_logger added, listen to bus
-some other tweaks here and there
-added often used RFCs and drafts
-DES for private key encryption is not supported
-updated NEWS and ChangeLog for 4.0.4 release
-fixed retransmission policy for responder
-fixed dpd for responder
-added ID_ANY check to matches_binary()
-replaced 'missing value' warning by zero length chunk_t value
-defined maximum hash size
-support of AES-192-CBC private key encryption
-added hostaccess support
-added hostaccess support
-moved auth_method to policy
-added hostaccess support
-added hostaccess support
-more consistent authentication logging
-added hostaccess support
-moved auth_method to policy
-moved auth_method to policy
-added hostaccess support; moved auth_method to policy
-added hostaccess support
-added hostaccess support
-added new test scenarios
-fixed some compiler warnings
-
-
- strongswan-4.0.4 / R:1289 
-===========================
-
-fixed some compiler warnings
-extended statusall output
-  added job/event-queue statistics
-  added allocation statistics when using LEAK_DETECTIVE
-fixed include typo
-public declaration of all HASH_SIZEs in hasher.h
-support of encrypted private key files
-added copyright notice to sha2_hasher
-included SHA2 in build process
-implemented sha2_hasher which supports SHA-256, SHA-384 and SHA-512
-added support for 3DES encryption algorithm in IKE
-fixed the ids parsing bug
-fixed the ids parsing bug
-updated TODOs
-fixed memleak
-fixed proper handling of id parsing errors
-proper return value when no PSK found
-added HOST_ACCESS for firewall script as default
-more debugging output for PSK authentication
-some cleanups here and there
-added auth_method field
-added auth_method field
-cosmetics
-verify_emsa_pkcs1_signature returns status_t
-cosmetics
-added PSK support
-enabled firewall support
-proper error handling for socket creation
-handle certificate parsing error more generous
-fixed certificate verification bug!
-fixed memleak when receiving invalid certificate
-version bump to 4.0.4
-version bump to 4.0.4
-two new test scenarios
-fixed path to images directory
-implemented updown script to handle firewalling
-add priority management for kernel policy
-let ROUTED policies installed, until manuall removed
-introduced new naming scheme to allow proper shutdown of IKE/CHILD_SAs
-ike_sa_manager cleanups
-implemented handling of dpdaction and dpddelay ipsec.conf parameters
-reuse reqid when a ROUTED child_sa gets INSTALLED
-fixed a bug in retransmission code
-added support for the "keyingtries" ipsec.conf parameter
-added support for the "dpddelay" ipsec.conf parameter
-done some work for "dpdaction" behavior
-some other cleanups and fixes
-fixed a at-least-one-year-old bug which caused crashed in the scheduler
-added raw socket filter for IPv6
-implemented NAT detection for IPv6
-removed unneeded constructor
-initial support for IPv6 (more testing needed)
-  socket works (without v6 filter)
-  traffic selector handle IPv4/v4 cleanly
-    improvements in traffic selector code
-  kernel interface accepts v6 traffic selectors and hosts
-  host_t class has full IPv6 support
-added stddef.h include for compilers which do not support the offsetof() directive
-moved interface enumeration code to socket, where it belongs
-query interfaces every time we need it to respect changes in network config
-added address listing on startup and "ipsec statusall"
-version bump of UML kernel to 2.6.17.11
-fixed crash bug when doing "ipsec down" with an unknown connection
-added name property in CHILD_SA, allows proper status output
-fixed bug which prevented port float when nat is detected
-version bumps
-'sha' and 'sha1' are now treated as synonyms
-updated Changelog and other docs
-
-
- strongswan-4.0.3 / R:1235 
-===========================
-
-fixed rekeying behavior when proposing an inacceptable DH group (INVALID_KE_PAYLOAD)
-implement proper handling of most simultaneous IKE_SA rekeying cases
-version bump to 4.0.3
-implemented proper refcounting using atomic operations
-implemented IKE_SA rekeying
-	uses ikelifetime, rekeymargin and rekeyfuzz config settings
-	no handling of simultaneus exchanges yet!
-added possibility to route CHILD_SAs, without to set them up
-	support for auto=route parameter
-	support for ipsec route and ipsec unroute
-	initiating of CHILD and/or IKE_SAs based on kernel acquires
-reuse an existing IKE_SA to set up additional CHILD_SAs
-introduced refcounting on policy and connections
-	aren't stored in the IKE_SA anymore, they are queried on the fly
-	are immutable now, allows it to share them
-policy selection based on traffic selectors, leads to valid lookup results
-	rekeying queries the policy based on its traffic selectors
-cleanups in kernel interface code
-added proper traffic selector to string conversion
-some cleanups here & there
-X.509 certificate trust path verification
-added
-fixed UDP decapsulation by adding inbound bypass policy for send socket
-updated mixed tests to new charon output
-corrected DPD entry
-reenabled module tests for charon
-fixed bug which erroneously detected KE payload when rekeying
-added IPsec bypass policy to receiving socket, allows incoming IKE traffic on host2host tunnels when using NAT
-improved logging on verify errors for some payloads
-enforcing IKE_SA shutdown, even when transactions are outstanding
-proper reject of CREATE_CHILD_SA message with KE payload
-added test cases from NAT team
-updated all IKEv2 tests to work with new status output
-added tcpdumpcount function from NATT guys
-added possibility to mount the strongswan tree into all UMLs
-added script for installing from shared tree in all UMLs
-added script to shut down all UMLs properly
-removed in favour of tests from NAT team
-fixed CREATE_CHILD_SA transaction dispatching
-added CHILD_SA states, which allows us to detect further simultaneous transactions
-reimplemented the buggy message id handling
-updated some inline docs
-fixed crypter/signer in/out to conform with standard
-fixed payload order
-added message id logging
-added all currently known notify payload types
-added policy cache to kernel interface
-	allows refcounting of multiple installed policies
-	finally brings us stable simultaneous rekeying
-leak detective blanks memory on free & alloc, allows further membug detection
-code cleanups
-identification_t.matches() supports multiple wildcard counts
-identification_t.matches() supports multiple wildcard counts
-further work done for simultaneous rekeying/delete
-	still some cases which cause trouble
-fixed compiler warnings in parser when using -O2
-reenabled check_expiry
-updated copyright information
-reimplemented CHILD_SA rekeying & delete
-	no simultanous transaction with CHILD_SAs yet!
-removed NAT_TRAVERSAL and VIRTUAL_IP compile options
-removed NAT_TRAVERSAL compile option
-removed NAT_TRAVERSAL and VIRTUAL_IP compile options
-added
-updated NEWS
-added support for leftprotoport and rightprotoport
-improved CHILD_SA output for "ipsec statusall"
-updated whitelist (getprotobynumber)
-redesigned IKE_SA using a transaction mechanism:
-	removed old state machine
-	reimplemented IKE_SA setup and delete
-	implemented dead peer detection
-	implemented keep-alives
-	a lot of fixes
-	no rekeying yet		
-fixed compiler warnings
-made thread ids unsigned again, to avoid negative thread ids on some systems
-fixed memleak when initiating a connection already up
-updated leak detective whitelist
-applied latest NATT patch with some fixes and cleanups
-test currently without firewall
-added
-added
-added
-removed
-removed version information from ipsec.conf
-log entries start with lowcercase character
-restored lost IKEv2 packet suppression
-added USE_LEAK_DETECTIVE option
-fixed natd_hash memory leak
-tests with subdirectory structure
-removed tests
-introduced subdirectory structure
-support of cert payloads
-lowercase log entries
-distributed by ITA
-added support of updown parameter
-generation of default key
-cosmetics
-added support of updown parameter
-version bump to 4.0.2
-added X.509 trust chain verification
-version bump to 4.0.2
-ESP packet size changed
-fixed bad_proposal_syntax bug
-updated ingorelist for stroke_keywords.c
-applied new changes from NATT team
-	DPD only done when no IPsec and IKE traffic processed
-	minor changes here and there
-some message code cleanups
-fixed identification_t clone to apply function pointers
-cleaner error handling on UDP encapsultion sockopt failure
-added mysterious UDP encapsulation socket option to get encapsulation working
-fixed BAD_PROPOSAL_SYNTAX vulnerability
-first merge of NATT code
-fixed testing build
-updated for 4.0.1 release
-updated news for 4.0.1 release
-fixed whitelist detection
-
-
- strongswan-4.0.1 / R:1144 
-===========================
-
-fixed whitelist detection
-reworked function ignore mechanism to not-report whitelist
-  rather than overriding functions
-fixed execv call args to work when using strictcrl and syslog
-fixed bug: usage of already freed mem
-readded local_credential_store
-added sendcert policy to connection
-some other cleanups
-implemented rereadcrls rereadcacerts
-implemented rereadcrls rereadcacerts
-implemented rereadcrls rereadcacerts
-removed local_credential_store
-fixed SPI when acting as initiator of rekeying
-fixed SPI when rekeying and deleting CHILD_SAs
-change key derivation order to fullfill RFC
-added crl support
-added listcrls
-added chunk_equals_or_null()
-added crl support
-changed tabs from 8 to 4 spaces
-added crl support
-cosmetics
-cosmetics (space)
-fixed compilation error
-updated for release
-fixed aes code, we support now aes128, aes192, aes256 in IKE
-added support for "ike" and "esp" keywords
-fixed bugs in proposal code
-algorithm selection for charon works now with ipsec.conf
-a lot of other fixes
-implemented clean spi allocation behavior when using multiple proposals
-fixed logleve(l) keyword typo
-handling of "rekey=no" parameter added
-changed default algorithms to:
-  ike: aes128-sha-modp2048
-  esp: aes128-sha1, 3des-md5
-added default CRL directory path
-added strictcrlpolicy command line argument
-added option parsing
-added local CRLs
-added rekeying parameters
-corrected some descriptions
-moved RSA key size constraints to definitions.h
-fixed down keyword
-debug and logging improvements
-support for stroke listcerts|listcacerts|listcrls|listall
-support for stroke listcerts|listcacerts|listall and left|rightca=
-gperf creates optimum hash table for stroke keywords
-using same reqid if a child sa rekeys an existing one
-NULL string argument is treated as %any
-add_certificate() now returns pointer to added cert
-cosmetics
-single tests now start up faster
-workaround for peers rekeying at the same time
-loading lifetime policies from ipsec.conf
-old child_sa gets deleted after rekeying
-rekeying almost complete, but:
-	IKE_SA get in an invalid state when both initiate rekeying at the same time,
-corrected type
-improved kernel interface logging
-fixed clone/destroy behavior when not using CAs
-specifying keysize in bits, as it is required in IKEv2
-added generic kernel SA algorithm handling, which brings us:
-        aes-128, aes-256, blowfish, des, 3des and null encryption for CHILD_SAs
-added support for leftsendcert= and left|rightca= parameters
-discard cert if CA basic constraints flag is not set and warn if cert is not valide
-added public methods is_ca() and is_valid()
-changed ASN.1 CONTROL log output to LEVEL2
-cosmetics
-removed unused Makefile
-stroke.h requires libstrongswan/types.h
-fixed compile warnings when using -Wall
-further CHILD_SA rekeying work done:
-	creation of a new CHILD_SA on a expire from a kernel works
-	delete of old CHILD_SA still missing
-	some issues when both initiate rekeing 
-updated INSTALL to conform with autotools
-added a short HACKING introduction
-further work for rekeying:
-  get liftimes from policy
-  added new state
-  initiation of rekeying done
-proposal redone:
-  removed support for AH+ESP proposals
-proper leak detective hook for realloc
-excluded pthread_setspecific from leak detective
-fixed a memleak
-cosmetics
-ipv6-host2host scenario added
-created IPv6 environment
-job management:
-  moved job code from thread_pool to job, jobs have an "execute" method now
-  added two new jobs: delete_child_sa & rekey_child_sa
-kernel interface:
-  listens now for ACQUIRE & EXPIRE
-  supports hard and soft lifetimes
-  fires jobs for delete and rekey child sa
-ike sa manager:
-  can checkout IKE SAs by requid of owned CHILD SAs
-we have now the infrastructure to do the rekeying... :-)
-fixed some memleaks/freebugs
-leak detective works almost usable now (?!)
-added host2host test for ikev2
-fixed host-host tunnel traffic selection, host-host works now
-bug fixed circumventing an assertion in delete_connection when ikev1 is not set
-minimized prefixed on stroke logger output
-charon outputs strongSwan version
-tests with subjectAltNames now
-fixed event queue for events >36min
-included charons module tests to build & dist
-full support of ikev1 and ikev2 connection flags
-cosmetics in log_status output
-use of streq
-added testing files to dist
-  required the use of the "ustar" format to support 
-  filenames longer than 99 chars
-lookup of private key based on keyid of public key
-new functions to add certificates and retrieve private and public keys
-changed log level
-list ca certificates
-computation of SHA-1 hash over publicKeyInfo object
-moved abbreviated thread_id in front of brackets
-added has_key parameter to log_certificates()
-log_certificates() now shows keyid and availability of matching private key
-indented loaded file log entry
-moved TIMETOA_BUF definition to types.h
-moved TIMETOA_BUF definition from asn1.h
-define default CA_CERTIFICATE_DIR
-load all ca certificates
-fixed daemon destruction order to prevent
-  crashes on termination
-fixed memleak when deleting a connection
-updated todo list
-policies contain a connections name now
-  used for initiate and delete
-connections won't get initiated twice anymore
-deleting of connections is now possible, which allows us to use
-  ipsec update and ipsec reload
-changed iterator->remove behavior
-ipsec up|down|route|delete require a connection name
-stroke now uses constant size string buffer
-changed to standard connection log output
-reworked parsing and matching of subjectAltNames
-added memeq() macro
-moved timetoa() from asn1.c to types.c
-corrected type
-some logging improvements and cosmetics
-handle IKE_SA setup without a piggy-packed CHILD_SA
-  more IKEv2 conform
-initiate IKE_SA deletion befor manager destruction
-improved code of chunk_equals
-added streq() macro and defined default BUF_LEN
-typo
-build gets perl and gperf from configure now
-moved built sources to maintainer-clean
-show connection templates in status & statusall
-don't complain on termination of IKEv1 connections
-updated ipsec.conf manual to reflect actual state of
-  keyexchange-parameter
-using hubs instead of switches, which allows us
-  to sniff the traffic from the host system.
-changed config load strategy:
-  starter loads both connections in charon & pluto,
-  charon ignores anything with keyexchange!=ikev2.
-  pluto needs the same behavior.
- changed build order to fix build error after distclean
-load_end_certificate() now loads certificates
-cosmetics
-moved definition of generalNames_t to identification.h; initialized subjectKeyID, authKeyID and authKeySerialNumber
-moved definition of generalNames_t to identification.h
-corrrected description
-reimplemented proper IKE SA deletion using a seperate state,
-  should conform now to IKEv2
-fixed build when using --enable-leak-detective
-added removed files to svn:ignore
-fixed bug in pluto/Makefile.am
-removed perl-generated oid.c/h from svn,
-  added them to "dist" and "distclean"
-removed lex, yacc and gperf output from svn,
-  added them to "dist" and "distclean"
-storing release revision in svn property "release-revision", because I forget it all the times
-fixed ignorelist, should work now
-added ingorelist for builded files
-re-added doxygen apidoc, buildable with "make apidoc"
-added missing ipsec.conf.5 to distribution :-/
-fixed another typo
-added missing ipsec.conf ipsec.conf.5
-existing ipsec.conf won't get overwritten anymore
-fixed typo in Makefile which corrupted the build
-applied patch from the NAT-T team fixing several typos
-applied patch from andreas, which allows certificate listing via stroke
-added ipsec.conf template and man page back
-removed old Makefiles
-added new strongswan KDevelop project & startup hack
-fixed Revision in changelog fo 4.0.0
-started ChangeLog
-simple script for ChangeLog update via "svn log"
-fixed compliation error using --enable-smartcard
-added test for ikev1-ikev2 mixed mode
-added test ikev2 roadwarrior scenario
-applied andreas's patch
-  logger output improvements
-  testin gupdates
-  and a lot more
-updated testsuite to autotools
-added random source ./configure options
-fixed default-pkcs11 option
-testcommit
-fixed errors when --enable-pkcs11
-added autogen script
-introduced autotools
-  first working version
-  make dist should work
-  things to do:
-    UML testing!
-    more cleanups
-fixed build
-started to rebuild source layout
-fixed stroke error output to starter
-using random SPIs now, but without collision checks
-applied some -W's from strongswan
-fixed that warnings
-removed IKEV2 ifdefs
-applied patch from andreas
-  added charonstart option to config
-  new ikev2 tests for UML
-
- strongSwan-4.0.0 / R:967
-==========================
-
-removed IKEV2 ifdefs
-applied patch from andreas
-  added charonstart option to config
-  new ikev2 tests for UML
-applied patch from andreas
-  pem loading
-  secrets file parsing
-  ikev2 testcase
-  some other additions here and there
-connection termination is handled cleanly by name now
-fixed bad bug, certs load now cleanly again
-fixed make install (subdir order)
-fixed include path
-added missing script
-finished initial import of strongswan file tree
-removed a lot of old and unused stuff
-moved RFCs from ikev2 into doc dir
-added missing files for starter
-applied patch for charon (this time really)
-import of strongswan-2.7.0
-applied patch for charon
-renamed get_block_size of hasher
-reworked usage of IDs in various states
-using ID_ANY for any, not NULL as before
-initiator sends IDr payload in IKE_AUTH when ID unique
-fixed charon checks
-using status & statusall
-patch for 2.7.0 
-add connection names to connections
-stroke status / ipsec status shows them
-added statusall for stroke
-added status by connection name
-some tests repaired, more to come
-fixed spi conversion
-improved "stroke status" output
-setup PID file after daemon initilization, to correctly inform
-  starter about daemon startup
-added separate implementation for connection_store, credential_store, policy_store
-added folder structure to config
-credentials are fetched solely on IDs now
-identification_t supports now almost all id types
-x509 certificates work with identification_t now
-fixes here, fixes there
-fixed doxygen build
-seperates now in lib and charon
-library initialization done at a central point (library.c)
-some leak_detective fixes
-updated Todos
-fixed log-to-syslog behavior
-added patch against strongswan-2.6.4
-x509 certificate loading with pluto asn1 code
-x509 needs a lot more attention!
-renamed some files
-using asn1 pluto stuff now
-removed, since we use pluto asn1 stuff
-leak detective is usable, but does not show static function names
-  a script which gets address via ldd and resolves address via addr2line would be nice
-fixed a leak in child_sa with new detective ;-)
-some improvements to new asn1 stuff
-to be continued
-fixed bad bugs in kernel interface
-added some logging info
-works now much more stable
-startet importing pluto ASN1 stuff
-der PKCS#1 key loading works (as it did with der_decoder)
-split up in libstrong, charon, stroke, testing done
-new leak detective with malloc hook in library
-  useable, but needs improvements
-logger_manager has now a single instance per library
-  allows use of loggers from any linking prog
-a LOT of other things
-../svn-commit.tmp
-added misssing stroke.h
-improved strokeing
-  down connection
-  status
-some other tweaks
-rewrote a lot of RSA stuff
-done major work for ASN1/decoder
-allow loading of ASN1 der encoded private keys, public keys and certificates
-extracting public key from certificates
-passing certificates from stroke to charon
-=> basic authentication with RSA certificates works!
-starter work on asn1 with der de/encoder
-RSA private and public key can load read key from ASN1 DER
-some other fixes here and there
-rewrite of logger_manager, uses now one instance per context
-cleanups for logger here and there
-removed critical flag check in payload verification (conformance to IKEv2)
-so thats and theres everywere... ;-)
-patch for strongswan-2.6.3
-added charon support for strongswan build process
-ipsec starter supports charon startup and control
-removed old diploma thesis scripts
-some cleanups
-compatibility to strongswan, Makefile can be called by "make programs"
-  and "make install" (ikev2 patch must be applied to strongswan)
-first version of stroke control utility
-moved output to doc/api, since doc is used for other docs now
-some first documentation in english
-removed old eclipse project files
-works quite well now with ipsec.conf & ipsec starter
-belongs to previous commit ;-)
-reworked configuration framework completly
-configuration is now split up in: connections, policies, credentials and daemon config
-further alloc/free fixes needed!
-first attempt for connection loading and starting via "stroke"
-some improvements here and there
-configuration_manager replaced by configuration_t interface
-current configuration_manager is now static_configuration (testing)
-first draft of starter_configuration, which should once interact with ipsec starter (via whack?)
-some cleanups
-socket_t uses RAW socket, which allows parallel service of pluto/charon
-comments and cleanups
-working policy installation and removal
-fixed policy setup bug
-proposal setup implementation begun
-fixed socket code, so we know on which address we receive traffic
-AH/ESP setup in kernel is working now!!! :-)))
-installing of child sa works
-need correct IP adresses to actually use IPsec
-new RFCs of IKEv2, IKEv2 algs and IPSec arch added
-update of IKEv2 clarification document
-refactored ike proposal
-uses now proposal_t, wich is also used by child proposals
-ike key derivation refactored
-crypter_t api has get_key_size now
-some other improvements here and there
-config uses uml hosts alice and bob
-key derivation for child_sa works
-some fixes here and there
-fixed memleaks
-works with new proposal code
-still some(!) memleaks
-fixed alot of bugs in child_proposal
-near to working state ;-)
-dead end implementation
-
-... there is a lot more of it, but nothing of interest
+A summary of changes is available in the NEWS file. For a more 
+detailed Changelog, use the repository (see HACKING) or the
+online interface available at http://trac.strongswan.org.
diff --git a/NEWS b/NEWS
index 5ccc7c05f..d2d1b325e 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,42 @@
+strongswan-4.2.9
+----------------
+
+- Flexible configuration of logging subsystem allowing to log to multiple
+  syslog facilities or to files using fine-grained log levels for each target.
+
+- Load testing plugin to do stress testing of the IKEv2 daemon against self
+  or another host. Found and fixed issues during tests in the multi-threaded
+  use of the OpenSSL plugin.
+
+- Added profiling code to synchronization primitives to find bottlenecks if
+  running on multiple cores. Found and fixed an issue where parts of the
+  Diffie-Hellman calculation acquired an exclusive lock. This greatly improves
+  parallelization to multiple cores.
+
+- updown script invocation has been separated into a plugin of its own to
+  further slim down the daemon core.
+
+- Separated IKE_SA/CHILD_SA key derivation process into a closed system,
+  allowing future implementations to use a secured environment in e.g. kernel
+  memory or hardware.
+
+- The kernel interface of charon has been modularized. XFRM NETLINK (default)
+  and PFKEY (--enable-kernel-pfkey) interface plugins for the native IPsec
+  stack of the Linux 2.6 kernel as well as a PFKEY interface for the KLIPS
+  IPsec stack (--enable-kernel-klips) are provided.
+
+- Basic Mobile IPv6 support has been introduced, securing Binding Update
+  messages as well as tunneled traffic between Mobile Node and Home Agent.
+  The installpolicy=no option allows peaceful cooperation with a dominant
+  mip6d daemon and the new type=transport_proxy implements the special MIPv6
+  IPsec transport proxy mode where the IKEv2 daemon uses the Care-of-Address
+  but the IPsec SA is set up for the Home Adress.
+
+- Implemented migration of Mobile IPv6 connections using the KMADDRESS
+  field contained in XFRM_MSG_MIGRATE messages sent by the mip6d daemon
+  via the Linux 2.6.28 (or appropriately patched) kernel.
+
+
 strongswan-4.2.8
 ----------------
 
diff --git a/configure b/configure
index acbd93ada..d993f76a1 100755
--- a/configure
+++ b/configure
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.61 for strongSwan 4.2.8.
+# Generated by GNU Autoconf 2.61 for strongSwan 4.2.9.
 #
 # Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
 # 2002, 2003, 2004, 2005, 2006 Free Software Foundation, Inc.
@@ -726,8 +726,8 @@ SHELL=${CONFIG_SHELL-/bin/sh}
 # Identity of this package.
 PACKAGE_NAME='strongSwan'
 PACKAGE_TARNAME='strongswan'
-PACKAGE_VERSION='4.2.8'
-PACKAGE_STRING='strongSwan 4.2.8'
+PACKAGE_VERSION='4.2.9'
+PACKAGE_STRING='strongSwan 4.2.9'
 PACKAGE_BUGREPORT=''
 
 # Factoring default headers for most tests.
@@ -950,8 +950,12 @@ USE_SMP_TRUE
 USE_SMP_FALSE
 USE_SQL_TRUE
 USE_SQL_FALSE
+USE_UPDOWN_TRUE
+USE_UPDOWN_FALSE
 USE_UNIT_TESTS_TRUE
 USE_UNIT_TESTS_FALSE
+USE_LOAD_TESTS_TRUE
+USE_LOAD_TESTS_FALSE
 USE_EAP_SIM_TRUE
 USE_EAP_SIM_FALSE
 USE_EAP_SIM_FILE_TRUE
@@ -966,12 +970,18 @@ USE_EAP_AKA_TRUE
 USE_EAP_AKA_FALSE
 USE_KERNEL_NETLINK_TRUE
 USE_KERNEL_NETLINK_FALSE
+USE_KERNEL_PFKEY_TRUE
+USE_KERNEL_PFKEY_FALSE
+USE_KERNEL_KLIPS_TRUE
+USE_KERNEL_KLIPS_FALSE
 USE_SMARTCARD_TRUE
 USE_SMARTCARD_FALSE
 USE_CISCO_QUIRKS_TRUE
 USE_CISCO_QUIRKS_FALSE
 USE_LEAK_DETECTIVE_TRUE
 USE_LEAK_DETECTIVE_FALSE
+USE_LOCK_PROFILER_TRUE
+USE_LOCK_PROFILER_FALSE
 USE_NAT_TRANSPORT_TRUE
 USE_NAT_TRANSPORT_FALSE
 USE_VENDORID_TRUE
@@ -998,8 +1008,6 @@ USE_CHARON_TRUE
 USE_CHARON_FALSE
 USE_TOOLS_TRUE
 USE_TOOLS_FALSE
-USE_UPDOWN_TRUE
-USE_UPDOWN_FALSE
 USE_LIBSTRONGSWAN_TRUE
 USE_LIBSTRONGSWAN_FALSE
 USE_FILE_CONFIG_TRUE
@@ -1533,7 +1541,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures strongSwan 4.2.8 to adapt to many kinds of systems.
+\`configure' configures strongSwan 4.2.9 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1603,7 +1611,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of strongSwan 4.2.8:";;
+     short | recursive ) echo "Configuration of strongSwan 4.2.9:";;
    esac
   cat <<\_ACEOF
 
@@ -1658,8 +1666,11 @@ Optional Features:
   --enable-cisco-quirks   enable support of Cisco VPN client (default is NO).
   --enable-leak-detective enable malloc hooks to find memory leaks (default is
                           NO).
+  --enable-lock-profiling enable lock/mutex profiling code (default is NO).
   --enable-unit-tests     enable unit tests on IKEv2 daemon startup (default
                           is NO).
+  --enable-load-tests     enable load testing plugin for IKEv2 daemon (default
+                          is NO).
   --enable-eap-sim        build SIM authenication module for EAP (default is
                           NO).
   --enable-eap-sim-file   build EAP-SIM backend based on a triplet file
@@ -1675,6 +1686,8 @@ Optional Features:
   --disable-kernel-netlink
                           disable the netlink kernel interface. (default is
                           NO).
+  --enable-kernel-pfkey   enable the PF_KEY kernel interface. (default is NO).
+  --enable-kernel-klips   enable the KLIPS kernel interface. (default is NO).
   --enable-nat-transport  enable NAT traversal with IPsec transport mode
                           (default is NO).
   --disable-vendor-id     disable the sending of the strongSwan vendor ID
@@ -1696,8 +1709,8 @@ Optional Features:
                           NO).
   --disable-tools         disable additional utilities (openac and
                           scepclient). (default is NO).
-  --disable-updown        disable installation of firewall scripts. (default
-                          is NO).
+  --disable-updown        disable updown firewall script plugin. (default is
+                          NO).
   --enable-padlock        enables VIA Padlock crypto plugin. (default is NO).
   --enable-openssl        enables the OpenSSL crypto plugin. (default is NO).
   --enable-agent          enables the ssh-agent signing plugin. (default is
@@ -1848,7 +1861,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-strongSwan configure 4.2.8
+strongSwan configure 4.2.9
 generated by GNU Autoconf 2.61
 
 Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
@@ -1862,7 +1875,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by strongSwan $as_me 4.2.8, which was
+It was created by strongSwan $as_me 4.2.9, which was
 generated by GNU Autoconf 2.61.  Invocation command line was
 
   $ $0 $@
@@ -2552,7 +2565,7 @@ fi
 
 # Define the identity of the package.
  PACKAGE='strongswan'
- VERSION='4.2.8'
+ VERSION='4.2.9'
 
 
 cat >>confdefs.h <<_ACEOF
@@ -5373,6 +5386,15 @@ if test "${enable_leak_detective+set}" = set; then
 fi
 
 
+# Check whether --enable-lock-profiler was given.
+if test "${enable_lock_profiler+set}" = set; then
+  enableval=$enable_lock_profiler; if test x$enableval = xyes; then
+		lock_profiler=true
+	fi
+
+fi
+
+
 # Check whether --enable-unit-tests was given.
 if test "${enable_unit_tests+set}" = set; then
   enableval=$enable_unit_tests; if test x$enableval = xyes; then
@@ -5382,6 +5404,15 @@ if test "${enable_unit_tests+set}" = set; then
 fi
 
 
+# Check whether --enable-load-tests was given.
+if test "${enable_load_tests+set}" = set; then
+  enableval=$enable_load_tests; if test x$enableval = xyes; then
+		loadtest=true
+	fi
+
+fi
+
+
 # Check whether --enable-eap-sim was given.
 if test "${enable_eap_sim+set}" = set; then
   enableval=$enable_eap_sim; if test x$enableval = xyes; then
@@ -5449,6 +5480,24 @@ else
 fi
 
 
+# Check whether --enable-kernel-pfkey was given.
+if test "${enable_kernel_pfkey+set}" = set; then
+  enableval=$enable_kernel_pfkey; if test x$enableval = xyes; then
+		kernel_pfkey=true
+	fi
+
+fi
+
+
+# Check whether --enable-kernel-klips was given.
+if test "${enable_kernel_klips+set}" = set; then
+  enableval=$enable_kernel_klips; if test x$enableval = xyes; then
+		kernel_klips=true
+	fi
+
+fi
+
+
 # Check whether --enable-nat-transport was given.
 if test "${enable_nat_transport+set}" = set; then
   enableval=$enable_nat_transport; if test x$enableval = xyes; then
@@ -6369,7 +6418,7 @@ ia64-*-hpux*)
   ;;
 *-*-irix6*)
   # Find out which ABI we are using.
-  echo '#line 6372 "configure"' > conftest.$ac_ext
+  echo '#line 6421 "configure"' > conftest.$ac_ext
   if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
   (eval $ac_compile) 2>&5
   ac_status=$?
@@ -8947,11 +8996,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:8950: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:8999: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:8954: \$? = $ac_status" >&5
+   echo "$as_me:9003: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -9237,11 +9286,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:9240: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:9289: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:9244: \$? = $ac_status" >&5
+   echo "$as_me:9293: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -9341,11 +9390,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:9344: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:9393: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:9348: \$? = $ac_status" >&5
+   echo "$as_me:9397: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -11718,7 +11767,7 @@ else
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext <<EOF
-#line 11721 "configure"
+#line 11770 "configure"
 #include "confdefs.h"
 
 #if HAVE_DLFCN_H
@@ -11818,7 +11867,7 @@ else
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext <<EOF
-#line 11821 "configure"
+#line 11870 "configure"
 #include "confdefs.h"
 
 #if HAVE_DLFCN_H
@@ -14219,11 +14268,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:14222: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:14271: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:14226: \$? = $ac_status" >&5
+   echo "$as_me:14275: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -14323,11 +14372,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:14326: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:14375: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:14330: \$? = $ac_status" >&5
+   echo "$as_me:14379: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -15921,11 +15970,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:15924: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:15973: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:15928: \$? = $ac_status" >&5
+   echo "$as_me:15977: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -16025,11 +16074,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:16028: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:16077: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:16032: \$? = $ac_status" >&5
+   echo "$as_me:16081: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -18245,11 +18294,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:18248: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:18297: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:18252: \$? = $ac_status" >&5
+   echo "$as_me:18301: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -18535,11 +18584,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:18538: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:18587: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:18542: \$? = $ac_status" >&5
+   echo "$as_me:18591: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -18639,11 +18688,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:18642: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:18691: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:18646: \$? = $ac_status" >&5
+   echo "$as_me:18695: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -25632,6 +25681,14 @@ else
   USE_SQL_FALSE=
 fi
 
+ if test x$updown = xtrue; then
+  USE_UPDOWN_TRUE=
+  USE_UPDOWN_FALSE='#'
+else
+  USE_UPDOWN_TRUE='#'
+  USE_UPDOWN_FALSE=
+fi
+
  if test x$unittest = xtrue; then
   USE_UNIT_TESTS_TRUE=
   USE_UNIT_TESTS_FALSE='#'
@@ -25640,6 +25697,14 @@ else
   USE_UNIT_TESTS_FALSE=
 fi
 
+ if test x$loadtest = xtrue; then
+  USE_LOAD_TESTS_TRUE=
+  USE_LOAD_TESTS_FALSE='#'
+else
+  USE_LOAD_TESTS_TRUE='#'
+  USE_LOAD_TESTS_FALSE=
+fi
+
  if test x$eap_sim = xtrue; then
   USE_EAP_SIM_TRUE=
   USE_EAP_SIM_FALSE='#'
@@ -25696,6 +25761,22 @@ else
   USE_KERNEL_NETLINK_FALSE=
 fi
 
+ if test x$kernel_pfkey = xtrue; then
+  USE_KERNEL_PFKEY_TRUE=
+  USE_KERNEL_PFKEY_FALSE='#'
+else
+  USE_KERNEL_PFKEY_TRUE='#'
+  USE_KERNEL_PFKEY_FALSE=
+fi
+
+ if test x$kernel_klips = xtrue; then
+  USE_KERNEL_KLIPS_TRUE=
+  USE_KERNEL_KLIPS_FALSE='#'
+else
+  USE_KERNEL_KLIPS_TRUE='#'
+  USE_KERNEL_KLIPS_FALSE=
+fi
+
 
  if test x$smartcard = xtrue; then
   USE_SMARTCARD_TRUE=
@@ -25721,6 +25802,14 @@ else
   USE_LEAK_DETECTIVE_FALSE=
 fi
 
+ if test x$lock_profiler = xtrue; then
+  USE_LOCK_PROFILER_TRUE=
+  USE_LOCK_PROFILER_FALSE='#'
+else
+  USE_LOCK_PROFILER_TRUE='#'
+  USE_LOCK_PROFILER_FALSE=
+fi
+
  if test x$nat_transport = xtrue; then
   USE_NAT_TRANSPORT_TRUE=
   USE_NAT_TRANSPORT_FALSE='#'
@@ -25825,14 +25914,6 @@ else
   USE_TOOLS_FALSE=
 fi
 
- if test x$updown = xtrue; then
-  USE_UPDOWN_TRUE=
-  USE_UPDOWN_FALSE='#'
-else
-  USE_UPDOWN_TRUE='#'
-  USE_UPDOWN_FALSE=
-fi
-
  if test x$charon = xtrue -o x$tools = xtrue; then
   USE_LIBSTRONGSWAN_TRUE=
   USE_LIBSTRONGSWAN_FALSE='#'
@@ -25865,7 +25946,7 @@ _ACEOF
 fi
 
 
-ac_config_files="$ac_config_files Makefile src/Makefile src/include/Makefile src/libstrongswan/Makefile src/libstrongswan/plugins/aes/Makefile src/libstrongswan/plugins/des/Makefile src/libstrongswan/plugins/md5/Makefile src/libstrongswan/plugins/sha1/Makefile src/libstrongswan/plugins/sha2/Makefile src/libstrongswan/plugins/fips_prf/Makefile src/libstrongswan/plugins/gmp/Makefile src/libstrongswan/plugins/random/Makefile src/libstrongswan/plugins/hmac/Makefile src/libstrongswan/plugins/xcbc/Makefile src/libstrongswan/plugins/x509/Makefile src/libstrongswan/plugins/pubkey/Makefile src/libstrongswan/plugins/curl/Makefile src/libstrongswan/plugins/ldap/Makefile src/libstrongswan/plugins/mysql/Makefile src/libstrongswan/plugins/sqlite/Makefile src/libstrongswan/plugins/padlock/Makefile src/libstrongswan/plugins/openssl/Makefile src/libstrongswan/plugins/agent/Makefile src/libstrongswan/fips/Makefile src/libcrypto/Makefile src/libfreeswan/Makefile src/pluto/Makefile src/whack/Makefile src/charon/Makefile src/charon/plugins/eap_aka/Makefile src/charon/plugins/eap_identity/Makefile src/charon/plugins/eap_md5/Makefile src/charon/plugins/eap_gtc/Makefile src/charon/plugins/eap_sim/Makefile src/charon/plugins/eap_sim_file/Makefile src/charon/plugins/kernel_netlink/Makefile src/charon/plugins/smp/Makefile src/charon/plugins/sql/Makefile src/charon/plugins/medsrv/Makefile src/charon/plugins/medcli/Makefile src/charon/plugins/nm/Makefile src/charon/plugins/uci/Makefile src/charon/plugins/stroke/Makefile src/charon/plugins/unit_tester/Makefile src/stroke/Makefile src/ipsec/Makefile src/starter/Makefile src/_updown/Makefile src/_updown_espmark/Makefile src/_copyright/Makefile src/openac/Makefile src/scepclient/Makefile src/dumm/Makefile src/libfast/Makefile src/manager/Makefile src/medsrv/Makefile scripts/Makefile testing/Makefile"
+ac_config_files="$ac_config_files Makefile src/Makefile src/include/Makefile src/libstrongswan/Makefile src/libstrongswan/plugins/aes/Makefile src/libstrongswan/plugins/des/Makefile src/libstrongswan/plugins/md5/Makefile src/libstrongswan/plugins/sha1/Makefile src/libstrongswan/plugins/sha2/Makefile src/libstrongswan/plugins/fips_prf/Makefile src/libstrongswan/plugins/gmp/Makefile src/libstrongswan/plugins/random/Makefile src/libstrongswan/plugins/hmac/Makefile src/libstrongswan/plugins/xcbc/Makefile src/libstrongswan/plugins/x509/Makefile src/libstrongswan/plugins/pubkey/Makefile src/libstrongswan/plugins/curl/Makefile src/libstrongswan/plugins/ldap/Makefile src/libstrongswan/plugins/mysql/Makefile src/libstrongswan/plugins/sqlite/Makefile src/libstrongswan/plugins/padlock/Makefile src/libstrongswan/plugins/openssl/Makefile src/libstrongswan/plugins/agent/Makefile src/libstrongswan/fips/Makefile src/libcrypto/Makefile src/libfreeswan/Makefile src/pluto/Makefile src/whack/Makefile src/charon/Makefile src/charon/plugins/eap_aka/Makefile src/charon/plugins/eap_identity/Makefile src/charon/plugins/eap_md5/Makefile src/charon/plugins/eap_gtc/Makefile src/charon/plugins/eap_sim/Makefile src/charon/plugins/eap_sim_file/Makefile src/charon/plugins/kernel_netlink/Makefile src/charon/plugins/kernel_pfkey/Makefile src/charon/plugins/kernel_klips/Makefile src/charon/plugins/smp/Makefile src/charon/plugins/sql/Makefile src/charon/plugins/medsrv/Makefile src/charon/plugins/medcli/Makefile src/charon/plugins/nm/Makefile src/charon/plugins/uci/Makefile src/charon/plugins/stroke/Makefile src/charon/plugins/updown/Makefile src/charon/plugins/unit_tester/Makefile src/charon/plugins/load_tester/Makefile src/stroke/Makefile src/ipsec/Makefile src/starter/Makefile src/_updown/Makefile src/_updown_espmark/Makefile src/_copyright/Makefile src/openac/Makefile src/scepclient/Makefile src/dumm/Makefile src/libfast/Makefile src/manager/Makefile src/medsrv/Makefile scripts/Makefile testing/Makefile"
 
 cat >confcache <<\_ACEOF
 # This file is a shell script that caches the results of configure
@@ -26203,6 +26284,13 @@ echo "$as_me: error: conditional \"USE_SQL\" was never defined.
 Usually this means the macro was only invoked conditionally." >&2;}
    { (exit 1); exit 1; }; }
 fi
+if test -z "${USE_UPDOWN_TRUE}" && test -z "${USE_UPDOWN_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"USE_UPDOWN\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"USE_UPDOWN\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
+fi
 if test -z "${USE_UNIT_TESTS_TRUE}" && test -z "${USE_UNIT_TESTS_FALSE}"; then
   { { echo "$as_me:$LINENO: error: conditional \"USE_UNIT_TESTS\" was never defined.
 Usually this means the macro was only invoked conditionally." >&5
@@ -26210,6 +26298,13 @@ echo "$as_me: error: conditional \"USE_UNIT_TESTS\" was never defined.
 Usually this means the macro was only invoked conditionally." >&2;}
    { (exit 1); exit 1; }; }
 fi
+if test -z "${USE_LOAD_TESTS_TRUE}" && test -z "${USE_LOAD_TESTS_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"USE_LOAD_TESTS\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"USE_LOAD_TESTS\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
+fi
 if test -z "${USE_EAP_SIM_TRUE}" && test -z "${USE_EAP_SIM_FALSE}"; then
   { { echo "$as_me:$LINENO: error: conditional \"USE_EAP_SIM\" was never defined.
 Usually this means the macro was only invoked conditionally." >&5
@@ -26259,6 +26354,20 @@ echo "$as_me: error: conditional \"USE_KERNEL_NETLINK\" was never defined.
 Usually this means the macro was only invoked conditionally." >&2;}
    { (exit 1); exit 1; }; }
 fi
+if test -z "${USE_KERNEL_PFKEY_TRUE}" && test -z "${USE_KERNEL_PFKEY_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"USE_KERNEL_PFKEY\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"USE_KERNEL_PFKEY\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
+fi
+if test -z "${USE_KERNEL_KLIPS_TRUE}" && test -z "${USE_KERNEL_KLIPS_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"USE_KERNEL_KLIPS\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"USE_KERNEL_KLIPS\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
+fi
 if test -z "${USE_SMARTCARD_TRUE}" && test -z "${USE_SMARTCARD_FALSE}"; then
   { { echo "$as_me:$LINENO: error: conditional \"USE_SMARTCARD\" was never defined.
 Usually this means the macro was only invoked conditionally." >&5
@@ -26280,6 +26389,13 @@ echo "$as_me: error: conditional \"USE_LEAK_DETECTIVE\" was never defined.
 Usually this means the macro was only invoked conditionally." >&2;}
    { (exit 1); exit 1; }; }
 fi
+if test -z "${USE_LOCK_PROFILER_TRUE}" && test -z "${USE_LOCK_PROFILER_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"USE_LOCK_PROFILER\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"USE_LOCK_PROFILER\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
+fi
 if test -z "${USE_NAT_TRANSPORT_TRUE}" && test -z "${USE_NAT_TRANSPORT_FALSE}"; then
   { { echo "$as_me:$LINENO: error: conditional \"USE_NAT_TRANSPORT\" was never defined.
 Usually this means the macro was only invoked conditionally." >&5
@@ -26371,13 +26487,6 @@ echo "$as_me: error: conditional \"USE_TOOLS\" was never defined.
 Usually this means the macro was only invoked conditionally." >&2;}
    { (exit 1); exit 1; }; }
 fi
-if test -z "${USE_UPDOWN_TRUE}" && test -z "${USE_UPDOWN_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_UPDOWN\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_UPDOWN\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
-fi
 if test -z "${USE_LIBSTRONGSWAN_TRUE}" && test -z "${USE_LIBSTRONGSWAN_FALSE}"; then
   { { echo "$as_me:$LINENO: error: conditional \"USE_LIBSTRONGSWAN\" was never defined.
 Usually this means the macro was only invoked conditionally." >&5
@@ -26692,7 +26801,7 @@ exec 6>&1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by strongSwan $as_me 4.2.8, which was
+This file was extended by strongSwan $as_me 4.2.9, which was
 generated by GNU Autoconf 2.61.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -26739,7 +26848,7 @@ Report bugs to <bug-autoconf@gnu.org>."
 _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF
 ac_cs_version="\\
-strongSwan config.status 4.2.8
+strongSwan config.status 4.2.9
 configured by $0, generated by GNU Autoconf 2.61,
   with options \\"`echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`\\"
 
@@ -26881,6 +26990,8 @@ do
     "src/charon/plugins/eap_sim/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/eap_sim/Makefile" ;;
     "src/charon/plugins/eap_sim_file/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/eap_sim_file/Makefile" ;;
     "src/charon/plugins/kernel_netlink/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/kernel_netlink/Makefile" ;;
+    "src/charon/plugins/kernel_pfkey/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/kernel_pfkey/Makefile" ;;
+    "src/charon/plugins/kernel_klips/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/kernel_klips/Makefile" ;;
     "src/charon/plugins/smp/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/smp/Makefile" ;;
     "src/charon/plugins/sql/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/sql/Makefile" ;;
     "src/charon/plugins/medsrv/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/medsrv/Makefile" ;;
@@ -26888,7 +26999,9 @@ do
     "src/charon/plugins/nm/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/nm/Makefile" ;;
     "src/charon/plugins/uci/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/uci/Makefile" ;;
     "src/charon/plugins/stroke/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/stroke/Makefile" ;;
+    "src/charon/plugins/updown/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/updown/Makefile" ;;
     "src/charon/plugins/unit_tester/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/unit_tester/Makefile" ;;
+    "src/charon/plugins/load_tester/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/load_tester/Makefile" ;;
     "src/stroke/Makefile") CONFIG_FILES="$CONFIG_FILES src/stroke/Makefile" ;;
     "src/ipsec/Makefile") CONFIG_FILES="$CONFIG_FILES src/ipsec/Makefile" ;;
     "src/starter/Makefile") CONFIG_FILES="$CONFIG_FILES src/starter/Makefile" ;;
@@ -27189,16 +27302,16 @@ USE_SMP_TRUE!$USE_SMP_TRUE$ac_delim
 USE_SMP_FALSE!$USE_SMP_FALSE$ac_delim
 USE_SQL_TRUE!$USE_SQL_TRUE$ac_delim
 USE_SQL_FALSE!$USE_SQL_FALSE$ac_delim
+USE_UPDOWN_TRUE!$USE_UPDOWN_TRUE$ac_delim
+USE_UPDOWN_FALSE!$USE_UPDOWN_FALSE$ac_delim
 USE_UNIT_TESTS_TRUE!$USE_UNIT_TESTS_TRUE$ac_delim
 USE_UNIT_TESTS_FALSE!$USE_UNIT_TESTS_FALSE$ac_delim
+USE_LOAD_TESTS_TRUE!$USE_LOAD_TESTS_TRUE$ac_delim
+USE_LOAD_TESTS_FALSE!$USE_LOAD_TESTS_FALSE$ac_delim
 USE_EAP_SIM_TRUE!$USE_EAP_SIM_TRUE$ac_delim
 USE_EAP_SIM_FALSE!$USE_EAP_SIM_FALSE$ac_delim
 USE_EAP_SIM_FILE_TRUE!$USE_EAP_SIM_FILE_TRUE$ac_delim
 USE_EAP_SIM_FILE_FALSE!$USE_EAP_SIM_FILE_FALSE$ac_delim
-USE_EAP_IDENTITY_TRUE!$USE_EAP_IDENTITY_TRUE$ac_delim
-USE_EAP_IDENTITY_FALSE!$USE_EAP_IDENTITY_FALSE$ac_delim
-USE_EAP_MD5_TRUE!$USE_EAP_MD5_TRUE$ac_delim
-USE_EAP_MD5_FALSE!$USE_EAP_MD5_FALSE$ac_delim
 _ACEOF
 
   if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 97; then
@@ -27240,18 +27353,28 @@ _ACEOF
 ac_delim='%!_!# '
 for ac_last_try in false false false false false :; do
   cat >conf$$subs.sed <<_ACEOF
+USE_EAP_IDENTITY_TRUE!$USE_EAP_IDENTITY_TRUE$ac_delim
+USE_EAP_IDENTITY_FALSE!$USE_EAP_IDENTITY_FALSE$ac_delim
+USE_EAP_MD5_TRUE!$USE_EAP_MD5_TRUE$ac_delim
+USE_EAP_MD5_FALSE!$USE_EAP_MD5_FALSE$ac_delim
 USE_EAP_GTC_TRUE!$USE_EAP_GTC_TRUE$ac_delim
 USE_EAP_GTC_FALSE!$USE_EAP_GTC_FALSE$ac_delim
 USE_EAP_AKA_TRUE!$USE_EAP_AKA_TRUE$ac_delim
 USE_EAP_AKA_FALSE!$USE_EAP_AKA_FALSE$ac_delim
 USE_KERNEL_NETLINK_TRUE!$USE_KERNEL_NETLINK_TRUE$ac_delim
 USE_KERNEL_NETLINK_FALSE!$USE_KERNEL_NETLINK_FALSE$ac_delim
+USE_KERNEL_PFKEY_TRUE!$USE_KERNEL_PFKEY_TRUE$ac_delim
+USE_KERNEL_PFKEY_FALSE!$USE_KERNEL_PFKEY_FALSE$ac_delim
+USE_KERNEL_KLIPS_TRUE!$USE_KERNEL_KLIPS_TRUE$ac_delim
+USE_KERNEL_KLIPS_FALSE!$USE_KERNEL_KLIPS_FALSE$ac_delim
 USE_SMARTCARD_TRUE!$USE_SMARTCARD_TRUE$ac_delim
 USE_SMARTCARD_FALSE!$USE_SMARTCARD_FALSE$ac_delim
 USE_CISCO_QUIRKS_TRUE!$USE_CISCO_QUIRKS_TRUE$ac_delim
 USE_CISCO_QUIRKS_FALSE!$USE_CISCO_QUIRKS_FALSE$ac_delim
 USE_LEAK_DETECTIVE_TRUE!$USE_LEAK_DETECTIVE_TRUE$ac_delim
 USE_LEAK_DETECTIVE_FALSE!$USE_LEAK_DETECTIVE_FALSE$ac_delim
+USE_LOCK_PROFILER_TRUE!$USE_LOCK_PROFILER_TRUE$ac_delim
+USE_LOCK_PROFILER_FALSE!$USE_LOCK_PROFILER_FALSE$ac_delim
 USE_NAT_TRANSPORT_TRUE!$USE_NAT_TRANSPORT_TRUE$ac_delim
 USE_NAT_TRANSPORT_FALSE!$USE_NAT_TRANSPORT_FALSE$ac_delim
 USE_VENDORID_TRUE!$USE_VENDORID_TRUE$ac_delim
@@ -27278,8 +27401,6 @@ USE_CHARON_TRUE!$USE_CHARON_TRUE$ac_delim
 USE_CHARON_FALSE!$USE_CHARON_FALSE$ac_delim
 USE_TOOLS_TRUE!$USE_TOOLS_TRUE$ac_delim
 USE_TOOLS_FALSE!$USE_TOOLS_FALSE$ac_delim
-USE_UPDOWN_TRUE!$USE_UPDOWN_TRUE$ac_delim
-USE_UPDOWN_FALSE!$USE_UPDOWN_FALSE$ac_delim
 USE_LIBSTRONGSWAN_TRUE!$USE_LIBSTRONGSWAN_TRUE$ac_delim
 USE_LIBSTRONGSWAN_FALSE!$USE_LIBSTRONGSWAN_FALSE$ac_delim
 USE_FILE_CONFIG_TRUE!$USE_FILE_CONFIG_TRUE$ac_delim
@@ -27288,7 +27409,7 @@ LIBOBJS!$LIBOBJS$ac_delim
 LTLIBOBJS!$LTLIBOBJS$ac_delim
 _ACEOF
 
-  if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 46; then
+  if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 54; then
     break
   elif $ac_last_try; then
     { { echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5
diff --git a/configure.in b/configure.in
index 6c8c1accc..54ff358d1 100644
--- a/configure.in
+++ b/configure.in
@@ -16,7 +16,7 @@ dnl ===========================
 dnl  initialize & set some vars
 dnl ===========================
 
-AC_INIT(strongSwan,4.2.8)
+AC_INIT(strongSwan,4.2.9)
 AM_INIT_AUTOMAKE(tar-ustar)
 AC_C_BIGENDIAN
 AC_SUBST(confdir, '${sysconfdir}')
@@ -377,6 +377,14 @@ AC_ARG_ENABLE(
 	fi]
 )
 
+AC_ARG_ENABLE(
+	[lock-profiler],
+	AS_HELP_STRING([--enable-lock-profiling],[enable lock/mutex profiling code (default is NO).]),
+	[if test x$enableval = xyes; then
+		lock_profiler=true
+	fi]
+)
+
 AC_ARG_ENABLE(
 	[unit-tests],
 	AS_HELP_STRING([--enable-unit-tests],[enable unit tests on IKEv2 daemon startup (default is NO).]),
@@ -385,6 +393,14 @@ AC_ARG_ENABLE(
 	fi]
 )
 
+AC_ARG_ENABLE(
+	[load-tests],
+	AS_HELP_STRING([--enable-load-tests],[enable load testing plugin for IKEv2 daemon (default is NO).]),
+	[if test x$enableval = xyes; then
+		loadtest=true
+	fi]
+)
+
 AC_ARG_ENABLE(
 	[eap-sim],
 	AS_HELP_STRING([--enable-eap-sim],[build SIM authenication module for EAP (default is NO).]),
@@ -444,6 +460,22 @@ AC_ARG_ENABLE(
 	kernel_netlink=true
 )
 
+AC_ARG_ENABLE(
+	[kernel-pfkey],
+	AS_HELP_STRING([--enable-kernel-pfkey],[enable the PF_KEY kernel interface. (default is NO).]),
+	[if test x$enableval = xyes; then
+		kernel_pfkey=true
+	fi]
+)
+
+AC_ARG_ENABLE(
+	[kernel-klips],
+	AS_HELP_STRING([--enable-kernel-klips],[enable the KLIPS kernel interface. (default is NO).]),
+	[if test x$enableval = xyes; then
+		kernel_klips=true
+	fi]
+)
+
 AC_ARG_ENABLE(
 	[nat-transport],
 	AS_HELP_STRING([--enable-nat-transport],[enable NAT traversal with IPsec transport mode (default is NO).]),
@@ -561,7 +593,7 @@ AC_ARG_ENABLE(
 
 AC_ARG_ENABLE(
 	[updown],
-	AS_HELP_STRING([--disable-updown],[disable installation of firewall scripts. (default is NO).]),
+	AS_HELP_STRING([--disable-updown],[disable updown firewall script plugin. (default is NO).]),
 	[if test x$enableval = xyes; then
 		updown=true
 	 else
@@ -866,7 +898,9 @@ AM_CONDITIONAL(USE_NM, test x$nm = xtrue)
 AM_CONDITIONAL(USE_UCI, test x$uci = xtrue)
 AM_CONDITIONAL(USE_SMP, test x$smp = xtrue)
 AM_CONDITIONAL(USE_SQL, test x$sql = xtrue)
+AM_CONDITIONAL(USE_UPDOWN, test x$updown = xtrue)
 AM_CONDITIONAL(USE_UNIT_TESTS, test x$unittest = xtrue)
+AM_CONDITIONAL(USE_LOAD_TESTS, test x$loadtest = xtrue)
 AM_CONDITIONAL(USE_EAP_SIM, test x$eap_sim = xtrue)
 AM_CONDITIONAL(USE_EAP_SIM_FILE, test x$eap_sim_file = xtrue)
 AM_CONDITIONAL(USE_EAP_IDENTITY, test x$eap_identity = xtrue)
@@ -874,12 +908,15 @@ AM_CONDITIONAL(USE_EAP_MD5, test x$eap_md5 = xtrue)
 AM_CONDITIONAL(USE_EAP_GTC, test x$eap_gtc = xtrue)
 AM_CONDITIONAL(USE_EAP_AKA, test x$eap_aka = xtrue)
 AM_CONDITIONAL(USE_KERNEL_NETLINK, test x$kernel_netlink = xtrue)
+AM_CONDITIONAL(USE_KERNEL_PFKEY, test x$kernel_pfkey = xtrue)
+AM_CONDITIONAL(USE_KERNEL_KLIPS, test x$kernel_klips = xtrue)
 
 dnl other options
 dnl =============
 AM_CONDITIONAL(USE_SMARTCARD, test x$smartcard = xtrue)
 AM_CONDITIONAL(USE_CISCO_QUIRKS, test x$cisco_quirks = xtrue)
 AM_CONDITIONAL(USE_LEAK_DETECTIVE, test x$leak_detective = xtrue)
+AM_CONDITIONAL(USE_LOCK_PROFILER, test x$lock_profiler = xtrue)
 AM_CONDITIONAL(USE_NAT_TRANSPORT, test x$nat_transport = xtrue)
 AM_CONDITIONAL(USE_VENDORID, test x$vendor_id = xtrue)
 AM_CONDITIONAL(USE_XAUTH_VID, test x$xauth_vid = xtrue)
@@ -893,7 +930,6 @@ AM_CONDITIONAL(USE_CAPABILITIES, test x$capabilities = xlibcap)
 AM_CONDITIONAL(USE_PLUTO, test x$pluto = xtrue)
 AM_CONDITIONAL(USE_CHARON, test x$charon = xtrue)
 AM_CONDITIONAL(USE_TOOLS, test x$tools = xtrue)
-AM_CONDITIONAL(USE_UPDOWN, test x$updown = xtrue)
 AM_CONDITIONAL(USE_LIBSTRONGSWAN, test x$charon = xtrue -o x$tools = xtrue)
 AM_CONDITIONAL(USE_FILE_CONFIG, test x$pluto = xtrue -o x$stroke = xtrue)
 
@@ -949,6 +985,8 @@ AC_OUTPUT(
 	src/charon/plugins/eap_sim/Makefile
 	src/charon/plugins/eap_sim_file/Makefile
 	src/charon/plugins/kernel_netlink/Makefile
+	src/charon/plugins/kernel_pfkey/Makefile
+	src/charon/plugins/kernel_klips/Makefile
 	src/charon/plugins/smp/Makefile
 	src/charon/plugins/sql/Makefile
 	src/charon/plugins/medsrv/Makefile
@@ -956,7 +994,9 @@ AC_OUTPUT(
 	src/charon/plugins/nm/Makefile
 	src/charon/plugins/uci/Makefile
 	src/charon/plugins/stroke/Makefile
+	src/charon/plugins/updown/Makefile
 	src/charon/plugins/unit_tester/Makefile
+	src/charon/plugins/load_tester/Makefile
 	src/stroke/Makefile
 	src/ipsec/Makefile
 	src/starter/Makefile
diff --git a/scripts/thread_analysis.c b/scripts/thread_analysis.c
index a03e8c994..b0e6c539b 100644
--- a/scripts/thread_analysis.c
+++ b/scripts/thread_analysis.c
@@ -33,10 +33,10 @@ enum state_t {
 	STATE_ERROR = 5
 };
 
-typedef enum mode_t mode_t;
+typedef enum print_t print_t;
 
 enum print_t {
-    MODE_ANY	= 0,
+	MODE_ANY	= 0,
 	MODE_ADD	= 1,
 	MODE_DEL	= 2
 };
@@ -95,7 +95,7 @@ int main(int argc, char *argv[])
 	/* threads 1..5 and 9 are always busy */
 	for (th = 1; th <= THREADS; th++)
 	{
-		state[th] = (th <= 5 || th == 9 )? STATE_BUSY : STATE_IDLE;
+		state[th] = (th <= 7 && th != 3)? STATE_BUSY : STATE_IDLE;
 	}
   
 	/* open the log file */
diff --git a/src/_copyright/Makefile.am b/src/_copyright/Makefile.am
index d8dcfb3f1..00d5fb2ff 100644
--- a/src/_copyright/Makefile.am
+++ b/src/_copyright/Makefile.am
@@ -3,4 +3,4 @@ _copyright_SOURCES = _copyright.c
 dist_man8_MANS = _copyright.8
 
 INCLUDES = -I$(top_srcdir)/src/libfreeswan
-_copyright_LDADD = $(top_srcdir)/src/libfreeswan/libfreeswan.a
+_copyright_LDADD = $(top_builddir)/src/libfreeswan/libfreeswan.a
diff --git a/src/_copyright/Makefile.in b/src/_copyright/Makefile.in
index a8f14689a..031b0846d 100644
--- a/src/_copyright/Makefile.in
+++ b/src/_copyright/Makefile.in
@@ -47,7 +47,8 @@ ipsecPROGRAMS_INSTALL = $(INSTALL_PROGRAM)
 PROGRAMS = $(ipsec_PROGRAMS)
 am__copyright_OBJECTS = _copyright.$(OBJEXT)
 _copyright_OBJECTS = $(am__copyright_OBJECTS)
-_copyright_DEPENDENCIES = $(top_srcdir)/src/libfreeswan/libfreeswan.a
+_copyright_DEPENDENCIES =  \
+	$(top_builddir)/src/libfreeswan/libfreeswan.a
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
@@ -207,7 +208,7 @@ xml_LIBS = @xml_LIBS@
 _copyright_SOURCES = _copyright.c
 dist_man8_MANS = _copyright.8
 INCLUDES = -I$(top_srcdir)/src/libfreeswan
-_copyright_LDADD = $(top_srcdir)/src/libfreeswan/libfreeswan.a
+_copyright_LDADD = $(top_builddir)/src/libfreeswan/libfreeswan.a
 all: all-am
 
 .SUFFIXES:
diff --git a/src/charon/Makefile.am b/src/charon/Makefile.am
index c9f63ac9d..e3d3e8e14 100644
--- a/src/charon/Makefile.am
+++ b/src/charon/Makefile.am
@@ -52,6 +52,7 @@ processing/jobs/acquire_job.c processing/jobs/acquire_job.h \
 processing/jobs/callback_job.c processing/jobs/callback_job.h \
 processing/jobs/delete_child_sa_job.c processing/jobs/delete_child_sa_job.h \
 processing/jobs/delete_ike_sa_job.c processing/jobs/delete_ike_sa_job.h \
+processing/jobs/migrate_job.c processing/jobs/migrate_job.h \
 processing/jobs/process_message_job.c processing/jobs/process_message_job.h \
 processing/jobs/rekey_child_sa_job.c processing/jobs/rekey_child_sa_job.h \
 processing/jobs/rekey_ike_sa_job.c processing/jobs/rekey_ike_sa_job.h \
@@ -74,6 +75,7 @@ sa/ike_sa.c sa/ike_sa.h \
 sa/ike_sa_id.c sa/ike_sa_id.h \
 sa/ike_sa_manager.c sa/ike_sa_manager.h \
 sa/task_manager.c sa/task_manager.h \
+sa/keymat.c sa/keymat.h \
 sa/tasks/child_create.c sa/tasks/child_create.h \
 sa/tasks/child_delete.c sa/tasks/child_delete.h \
 sa/tasks/child_rekey.c sa/tasks/child_rekey.h \
@@ -144,6 +146,21 @@ endif
 SUBDIRS = . 
 PLUGINS = ${libstrongswan_plugins}
 
+if USE_LOAD_TESTS
+  SUBDIRS += plugins/load_tester
+  PLUGINS += load-tester
+endif
+
+if USE_KERNEL_PFKEY
+  SUBDIRS += plugins/kernel_pfkey
+  PLUGINS += kernel-pfkey
+endif
+
+if USE_KERNEL_KLIPS
+  SUBDIRS += plugins/kernel_klips
+  PLUGINS += kernel-klips
+endif
+
 if USE_KERNEL_NETLINK
   SUBDIRS += plugins/kernel_netlink
   PLUGINS += kernel-netlink
@@ -164,6 +181,11 @@ if USE_SQL
   PLUGINS += sql
 endif
 
+if USE_UPDOWN
+  SUBDIRS += plugins/updown
+  PLUGINS += updown
+endif
+
 if USE_EAP_IDENTITY
   SUBDIRS += plugins/eap_identity
   PLUGINS += eapidentity
diff --git a/src/charon/Makefile.in b/src/charon/Makefile.in
index 8d13f16e9..c8a817f45 100644
--- a/src/charon/Makefile.in
+++ b/src/charon/Makefile.in
@@ -50,36 +50,44 @@ ipsec_PROGRAMS = charon$(EXEEXT)
 @USE_INTEGRITY_TEST_TRUE@am__append_4 = -DINTEGRITY_TEST
 @USE_SELF_TEST_TRUE@am__append_5 = -DSELF_TEST
 @USE_CAPABILITIES_TRUE@am__append_6 = -lcap
-@USE_KERNEL_NETLINK_TRUE@am__append_7 = plugins/kernel_netlink
-@USE_KERNEL_NETLINK_TRUE@am__append_8 = kernel-netlink
-@USE_STROKE_TRUE@am__append_9 = plugins/stroke
-@USE_STROKE_TRUE@am__append_10 = stroke
-@USE_SMP_TRUE@am__append_11 = plugins/smp
-@USE_SMP_TRUE@am__append_12 = smp
-@USE_SQL_TRUE@am__append_13 = plugins/sql
-@USE_SQL_TRUE@am__append_14 = sql
-@USE_EAP_IDENTITY_TRUE@am__append_15 = plugins/eap_identity
-@USE_EAP_IDENTITY_TRUE@am__append_16 = eapidentity
-@USE_EAP_SIM_TRUE@am__append_17 = plugins/eap_sim
-@USE_EAP_SIM_TRUE@am__append_18 = eapsim
-@USE_EAP_SIM_FILE_TRUE@am__append_19 = plugins/eap_sim_file
-@USE_EAP_SIM_FILE_TRUE@am__append_20 = eapsim-file
-@USE_EAP_MD5_TRUE@am__append_21 = plugins/eap_md5
-@USE_EAP_MD5_TRUE@am__append_22 = eapmd5
-@USE_EAP_GTC_TRUE@am__append_23 = plugins/eap_gtc
-@USE_EAP_GTC_TRUE@am__append_24 = eapgtc
-@USE_EAP_AKA_TRUE@am__append_25 = plugins/eap_aka
-@USE_EAP_AKA_TRUE@am__append_26 = eapaka
-@USE_MEDSRV_TRUE@am__append_27 = plugins/medsrv
-@USE_MEDSRV_TRUE@am__append_28 = medsrv
-@USE_MEDCLI_TRUE@am__append_29 = plugins/medcli
-@USE_MEDCLI_TRUE@am__append_30 = medcli
-@USE_NM_TRUE@am__append_31 = plugins/nm
-@USE_NM_TRUE@am__append_32 = nm
-@USE_UCI_TRUE@am__append_33 = plugins/uci
-@USE_UCI_TRUE@am__append_34 = uci
-@USE_UNIT_TESTS_TRUE@am__append_35 = plugins/unit_tester
-@USE_UNIT_TESTS_TRUE@am__append_36 = unit-tester
+@USE_LOAD_TESTS_TRUE@am__append_7 = plugins/load_tester
+@USE_LOAD_TESTS_TRUE@am__append_8 = load-tester
+@USE_KERNEL_PFKEY_TRUE@am__append_9 = plugins/kernel_pfkey
+@USE_KERNEL_PFKEY_TRUE@am__append_10 = kernel-pfkey
+@USE_KERNEL_KLIPS_TRUE@am__append_11 = plugins/kernel_klips
+@USE_KERNEL_KLIPS_TRUE@am__append_12 = kernel-klips
+@USE_KERNEL_NETLINK_TRUE@am__append_13 = plugins/kernel_netlink
+@USE_KERNEL_NETLINK_TRUE@am__append_14 = kernel-netlink
+@USE_STROKE_TRUE@am__append_15 = plugins/stroke
+@USE_STROKE_TRUE@am__append_16 = stroke
+@USE_SMP_TRUE@am__append_17 = plugins/smp
+@USE_SMP_TRUE@am__append_18 = smp
+@USE_SQL_TRUE@am__append_19 = plugins/sql
+@USE_SQL_TRUE@am__append_20 = sql
+@USE_UPDOWN_TRUE@am__append_21 = plugins/updown
+@USE_UPDOWN_TRUE@am__append_22 = updown
+@USE_EAP_IDENTITY_TRUE@am__append_23 = plugins/eap_identity
+@USE_EAP_IDENTITY_TRUE@am__append_24 = eapidentity
+@USE_EAP_SIM_TRUE@am__append_25 = plugins/eap_sim
+@USE_EAP_SIM_TRUE@am__append_26 = eapsim
+@USE_EAP_SIM_FILE_TRUE@am__append_27 = plugins/eap_sim_file
+@USE_EAP_SIM_FILE_TRUE@am__append_28 = eapsim-file
+@USE_EAP_MD5_TRUE@am__append_29 = plugins/eap_md5
+@USE_EAP_MD5_TRUE@am__append_30 = eapmd5
+@USE_EAP_GTC_TRUE@am__append_31 = plugins/eap_gtc
+@USE_EAP_GTC_TRUE@am__append_32 = eapgtc
+@USE_EAP_AKA_TRUE@am__append_33 = plugins/eap_aka
+@USE_EAP_AKA_TRUE@am__append_34 = eapaka
+@USE_MEDSRV_TRUE@am__append_35 = plugins/medsrv
+@USE_MEDSRV_TRUE@am__append_36 = medsrv
+@USE_MEDCLI_TRUE@am__append_37 = plugins/medcli
+@USE_MEDCLI_TRUE@am__append_38 = medcli
+@USE_NM_TRUE@am__append_39 = plugins/nm
+@USE_NM_TRUE@am__append_40 = nm
+@USE_UCI_TRUE@am__append_41 = plugins/uci
+@USE_UCI_TRUE@am__append_42 = uci
+@USE_UNIT_TESTS_TRUE@am__append_43 = plugins/unit_tester
+@USE_UNIT_TESTS_TRUE@am__append_44 = unit-tester
 subdir = src/charon
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
@@ -154,6 +162,7 @@ am__charon_SOURCES_DIST = bus/bus.c bus/bus.h \
 	processing/jobs/delete_child_sa_job.h \
 	processing/jobs/delete_ike_sa_job.c \
 	processing/jobs/delete_ike_sa_job.h \
+	processing/jobs/migrate_job.c processing/jobs/migrate_job.h \
 	processing/jobs/process_message_job.c \
 	processing/jobs/process_message_job.h \
 	processing/jobs/rekey_child_sa_job.c \
@@ -185,10 +194,11 @@ am__charon_SOURCES_DIST = bus/bus.c bus/bus.h \
 	sa/authenticators/pubkey_authenticator.h sa/child_sa.c \
 	sa/child_sa.h sa/ike_sa.c sa/ike_sa.h sa/ike_sa_id.c \
 	sa/ike_sa_id.h sa/ike_sa_manager.c sa/ike_sa_manager.h \
-	sa/task_manager.c sa/task_manager.h sa/tasks/child_create.c \
-	sa/tasks/child_create.h sa/tasks/child_delete.c \
-	sa/tasks/child_delete.h sa/tasks/child_rekey.c \
-	sa/tasks/child_rekey.h sa/tasks/ike_auth.c sa/tasks/ike_auth.h \
+	sa/task_manager.c sa/task_manager.h sa/keymat.c sa/keymat.h \
+	sa/tasks/child_create.c sa/tasks/child_create.h \
+	sa/tasks/child_delete.c sa/tasks/child_delete.h \
+	sa/tasks/child_rekey.c sa/tasks/child_rekey.h \
+	sa/tasks/ike_auth.c sa/tasks/ike_auth.h \
 	sa/tasks/ike_cert_pre.c sa/tasks/ike_cert_pre.h \
 	sa/tasks/ike_cert_post.c sa/tasks/ike_cert_post.h \
 	sa/tasks/ike_config.c sa/tasks/ike_config.h \
@@ -242,17 +252,18 @@ am_charon_OBJECTS = bus.$(OBJEXT) file_logger.$(OBJEXT) \
 	kernel_ipsec.$(OBJEXT) packet.$(OBJEXT) receiver.$(OBJEXT) \
 	sender.$(OBJEXT) acquire_job.$(OBJEXT) callback_job.$(OBJEXT) \
 	delete_child_sa_job.$(OBJEXT) delete_ike_sa_job.$(OBJEXT) \
-	process_message_job.$(OBJEXT) rekey_child_sa_job.$(OBJEXT) \
-	rekey_ike_sa_job.$(OBJEXT) retransmit_job.$(OBJEXT) \
-	send_dpd_job.$(OBJEXT) send_keepalive_job.$(OBJEXT) \
-	roam_job.$(OBJEXT) update_sa_job.$(OBJEXT) scheduler.$(OBJEXT) \
+	migrate_job.$(OBJEXT) process_message_job.$(OBJEXT) \
+	rekey_child_sa_job.$(OBJEXT) rekey_ike_sa_job.$(OBJEXT) \
+	retransmit_job.$(OBJEXT) send_dpd_job.$(OBJEXT) \
+	send_keepalive_job.$(OBJEXT) roam_job.$(OBJEXT) \
+	update_sa_job.$(OBJEXT) scheduler.$(OBJEXT) \
 	processor.$(OBJEXT) authenticator.$(OBJEXT) \
 	eap_authenticator.$(OBJEXT) eap_method.$(OBJEXT) \
 	eap_manager.$(OBJEXT) sim_manager.$(OBJEXT) \
 	psk_authenticator.$(OBJEXT) pubkey_authenticator.$(OBJEXT) \
 	child_sa.$(OBJEXT) ike_sa.$(OBJEXT) ike_sa_id.$(OBJEXT) \
 	ike_sa_manager.$(OBJEXT) task_manager.$(OBJEXT) \
-	child_create.$(OBJEXT) child_delete.$(OBJEXT) \
+	keymat.$(OBJEXT) child_create.$(OBJEXT) child_delete.$(OBJEXT) \
 	child_rekey.$(OBJEXT) ike_auth.$(OBJEXT) \
 	ike_cert_pre.$(OBJEXT) ike_cert_post.$(OBJEXT) \
 	ike_config.$(OBJEXT) ike_delete.$(OBJEXT) ike_dpd.$(OBJEXT) \
@@ -293,11 +304,12 @@ RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive	\
   distclean-recursive maintainer-clean-recursive
 ETAGS = etags
 CTAGS = ctags
-DIST_SUBDIRS = . plugins/kernel_netlink plugins/stroke plugins/smp \
-	plugins/sql plugins/eap_identity plugins/eap_sim \
-	plugins/eap_sim_file plugins/eap_md5 plugins/eap_gtc \
-	plugins/eap_aka plugins/medsrv plugins/medcli plugins/nm \
-	plugins/uci plugins/unit_tester
+DIST_SUBDIRS = . plugins/load_tester plugins/kernel_pfkey \
+	plugins/kernel_klips plugins/kernel_netlink plugins/stroke \
+	plugins/smp plugins/sql plugins/updown plugins/eap_identity \
+	plugins/eap_sim plugins/eap_sim_file plugins/eap_md5 \
+	plugins/eap_gtc plugins/eap_aka plugins/medsrv plugins/medcli \
+	plugins/nm plugins/uci plugins/unit_tester
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 AMTAR = @AMTAR@
@@ -498,6 +510,7 @@ charon_SOURCES = bus/bus.c bus/bus.h bus/listeners/file_logger.c \
 	processing/jobs/delete_child_sa_job.h \
 	processing/jobs/delete_ike_sa_job.c \
 	processing/jobs/delete_ike_sa_job.h \
+	processing/jobs/migrate_job.c processing/jobs/migrate_job.h \
 	processing/jobs/process_message_job.c \
 	processing/jobs/process_message_job.h \
 	processing/jobs/rekey_child_sa_job.c \
@@ -529,10 +542,11 @@ charon_SOURCES = bus/bus.c bus/bus.h bus/listeners/file_logger.c \
 	sa/authenticators/pubkey_authenticator.h sa/child_sa.c \
 	sa/child_sa.h sa/ike_sa.c sa/ike_sa.h sa/ike_sa_id.c \
 	sa/ike_sa_id.h sa/ike_sa_manager.c sa/ike_sa_manager.h \
-	sa/task_manager.c sa/task_manager.h sa/tasks/child_create.c \
-	sa/tasks/child_create.h sa/tasks/child_delete.c \
-	sa/tasks/child_delete.h sa/tasks/child_rekey.c \
-	sa/tasks/child_rekey.h sa/tasks/ike_auth.c sa/tasks/ike_auth.h \
+	sa/task_manager.c sa/task_manager.h sa/keymat.c sa/keymat.h \
+	sa/tasks/child_create.c sa/tasks/child_create.h \
+	sa/tasks/child_delete.c sa/tasks/child_delete.h \
+	sa/tasks/child_rekey.c sa/tasks/child_rekey.h \
+	sa/tasks/ike_auth.c sa/tasks/ike_auth.h \
 	sa/tasks/ike_cert_pre.c sa/tasks/ike_cert_pre.h \
 	sa/tasks/ike_cert_post.c sa/tasks/ike_cert_post.h \
 	sa/tasks/ike_config.c sa/tasks/ike_config.h \
@@ -568,13 +582,16 @@ SUBDIRS = . $(am__append_7) $(am__append_9) $(am__append_11) \
 	$(am__append_13) $(am__append_15) $(am__append_17) \
 	$(am__append_19) $(am__append_21) $(am__append_23) \
 	$(am__append_25) $(am__append_27) $(am__append_29) \
-	$(am__append_31) $(am__append_33) $(am__append_35)
+	$(am__append_31) $(am__append_33) $(am__append_35) \
+	$(am__append_37) $(am__append_39) $(am__append_41) \
+	$(am__append_43)
 PLUGINS = ${libstrongswan_plugins} $(am__append_8) $(am__append_10) \
 	$(am__append_12) $(am__append_14) $(am__append_16) \
 	$(am__append_18) $(am__append_20) $(am__append_22) \
 	$(am__append_24) $(am__append_26) $(am__append_28) \
 	$(am__append_30) $(am__append_32) $(am__append_34) \
-	$(am__append_36)
+	$(am__append_36) $(am__append_38) $(am__append_40) \
+	$(am__append_42) $(am__append_44)
 all: all-recursive
 
 .SUFFIXES:
@@ -704,9 +721,11 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ke_payload.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_interface.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_ipsec.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/keymat.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mediation_job.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mediation_manager.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/message.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/migrate_job.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/nonce_payload.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/notify_payload.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ocsp_response_wrapper.Po@am__quote@
@@ -1410,6 +1429,20 @@ delete_ike_sa_job.obj: processing/jobs/delete_ike_sa_job.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o delete_ike_sa_job.obj `if test -f 'processing/jobs/delete_ike_sa_job.c'; then $(CYGPATH_W) 'processing/jobs/delete_ike_sa_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/delete_ike_sa_job.c'; fi`
 
+migrate_job.o: processing/jobs/migrate_job.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT migrate_job.o -MD -MP -MF $(DEPDIR)/migrate_job.Tpo -c -o migrate_job.o `test -f 'processing/jobs/migrate_job.c' || echo '$(srcdir)/'`processing/jobs/migrate_job.c
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/migrate_job.Tpo $(DEPDIR)/migrate_job.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/migrate_job.c' object='migrate_job.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o migrate_job.o `test -f 'processing/jobs/migrate_job.c' || echo '$(srcdir)/'`processing/jobs/migrate_job.c
+
+migrate_job.obj: processing/jobs/migrate_job.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT migrate_job.obj -MD -MP -MF $(DEPDIR)/migrate_job.Tpo -c -o migrate_job.obj `if test -f 'processing/jobs/migrate_job.c'; then $(CYGPATH_W) 'processing/jobs/migrate_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/migrate_job.c'; fi`
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/migrate_job.Tpo $(DEPDIR)/migrate_job.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/migrate_job.c' object='migrate_job.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o migrate_job.obj `if test -f 'processing/jobs/migrate_job.c'; then $(CYGPATH_W) 'processing/jobs/migrate_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/migrate_job.c'; fi`
+
 process_message_job.o: processing/jobs/process_message_job.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT process_message_job.o -MD -MP -MF $(DEPDIR)/process_message_job.Tpo -c -o process_message_job.o `test -f 'processing/jobs/process_message_job.c' || echo '$(srcdir)/'`processing/jobs/process_message_job.c
 @am__fastdepCC_TRUE@	mv -f $(DEPDIR)/process_message_job.Tpo $(DEPDIR)/process_message_job.Po
@@ -1718,6 +1751,20 @@ task_manager.obj: sa/task_manager.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o task_manager.obj `if test -f 'sa/task_manager.c'; then $(CYGPATH_W) 'sa/task_manager.c'; else $(CYGPATH_W) '$(srcdir)/sa/task_manager.c'; fi`
 
+keymat.o: sa/keymat.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT keymat.o -MD -MP -MF $(DEPDIR)/keymat.Tpo -c -o keymat.o `test -f 'sa/keymat.c' || echo '$(srcdir)/'`sa/keymat.c
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/keymat.Tpo $(DEPDIR)/keymat.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/keymat.c' object='keymat.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o keymat.o `test -f 'sa/keymat.c' || echo '$(srcdir)/'`sa/keymat.c
+
+keymat.obj: sa/keymat.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT keymat.obj -MD -MP -MF $(DEPDIR)/keymat.Tpo -c -o keymat.obj `if test -f 'sa/keymat.c'; then $(CYGPATH_W) 'sa/keymat.c'; else $(CYGPATH_W) '$(srcdir)/sa/keymat.c'; fi`
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/keymat.Tpo $(DEPDIR)/keymat.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/keymat.c' object='keymat.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o keymat.obj `if test -f 'sa/keymat.c'; then $(CYGPATH_W) 'sa/keymat.c'; else $(CYGPATH_W) '$(srcdir)/sa/keymat.c'; fi`
+
 child_create.o: sa/tasks/child_create.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT child_create.o -MD -MP -MF $(DEPDIR)/child_create.Tpo -c -o child_create.o `test -f 'sa/tasks/child_create.c' || echo '$(srcdir)/'`sa/tasks/child_create.c
 @am__fastdepCC_TRUE@	mv -f $(DEPDIR)/child_create.Tpo $(DEPDIR)/child_create.Po
diff --git a/src/charon/bus/bus.c b/src/charon/bus/bus.c
index a102a3984..504947465 100644
--- a/src/charon/bus/bus.c
+++ b/src/charon/bus/bus.c
@@ -12,20 +12,18 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: bus.c 4198 2008-07-21 14:23:43Z martin $
+ * $Id: bus.c 4622 2008-11-11 10:52:37Z martin $
  */
 
 #include "bus.h"
 
 #include <pthread.h>
+#include <stdint.h>
 
 #include <daemon.h>
 #include <utils/mutex.h>
 
-ENUM(signal_names, SIG_ANY, SIG_MAX,
-	/** should not get printed */
-	"SIG_ANY",
-	/** debugging message types */
+ENUM(debug_names, DBG_DMN, DBG_LIB,
 	"DMN",
 	"MGR",
 	"IKE",
@@ -36,19 +34,19 @@ ENUM(signal_names, SIG_ANY, SIG_MAX,
 	"NET",
 	"ENC",
 	"LIB",
-	/** should not get printed */
-	"SIG_DBG_MAX",
-	/** all level0 signals are AUDIT signals */
-	"AUD", "AUD", "AUD",
-	"AUD", "AUD", "AUD",
-	"AUD", "AUD", "AUD",
-	"AUD", "AUD", "AUD",
-	"AUD", "AUD", "AUD",
-	"AUD", "AUD", "AUD",
-	"AUD", "AUD", "AUD",
-	"AUD", "AUD", "AUD",
-	/** should not get printed */
-	"SIG_MAX",
+);
+
+ENUM(debug_lower_names, DBG_DMN, DBG_LIB,
+	"dmn",
+	"mgr",
+	"ike",
+	"chd",
+	"job",
+	"cfg",
+	"knl",
+	"net",
+	"enc",
+	"lib",
 );
 
 typedef struct private_bus_t private_bus_t;
@@ -93,7 +91,7 @@ struct entry_t {
 	/**
 	 * registered listener interface
 	 */
-	bus_listener_t *listener;
+	listener_t *listener;
 	
 	/**
 	 * is this a active listen() call with a blocking thread
@@ -103,7 +101,7 @@ struct entry_t {
 	/**
 	 * are we currently calling this listener
 	 */
-	bool calling;
+	int calling;
 	
 	/**
 	 * condvar where active listeners wait
@@ -114,13 +112,13 @@ struct entry_t {
 /**
  * create a listener entry
  */
-static entry_t *entry_create(bus_listener_t *listener, bool blocker)
+static entry_t *entry_create(listener_t *listener, bool blocker)
 {
 	entry_t *this = malloc_thing(entry_t);
 	
 	this->listener = listener;
 	this->blocker = blocker;
-	this->calling = FALSE;
+	this->calling = 0;
 	this->condvar = condvar_create(CONDVAR_DEFAULT);
 	
 	return this;
@@ -140,12 +138,12 @@ static void entry_destroy(entry_t *entry)
  * pthread_self returns large and ugly numbers, use this function
  * for logging; these numbers are incremental starting at 1
  */
-static int get_thread_number(private_bus_t *this)
+static u_int get_thread_number(private_bus_t *this)
 {
-	static long current_num = 0;
-	long stored_num;
+	static uintptr_t current_num = 0;
+	uintptr_t stored_num;
 	
-	stored_num = (long)pthread_getspecific(this->thread_id);
+	stored_num = (uintptr_t)pthread_getspecific(this->thread_id);
 	if (stored_num == 0)
 	{	/* first call of current thread */
 		pthread_setspecific(this->thread_id, (void*)++current_num);
@@ -160,7 +158,7 @@ static int get_thread_number(private_bus_t *this)
 /**
  * Implementation of bus_t.add_listener.
  */
-static void add_listener(private_bus_t *this, bus_listener_t *listener)
+static void add_listener(private_bus_t *this, listener_t *listener)
 {
 	this->mutex->lock(this->mutex);
 	this->listeners->insert_last(this->listeners, entry_create(listener, FALSE));
@@ -170,23 +168,23 @@ static void add_listener(private_bus_t *this, bus_listener_t *listener)
 /**
  * Implementation of bus_t.remove_listener.
  */
-static void remove_listener(private_bus_t *this, bus_listener_t *listener)
+static void remove_listener(private_bus_t *this, listener_t *listener)
 {
-	iterator_t *iterator;
+	enumerator_t *enumerator;
 	entry_t *entry;
 
 	this->mutex->lock(this->mutex);
-	iterator = this->listeners->create_iterator(this->listeners, TRUE);
-	while (iterator->iterate(iterator, (void**)&entry))
+	enumerator = this->listeners->create_enumerator(this->listeners);
+	while (enumerator->enumerate(enumerator, &entry))
 	{
 		if (entry->listener == listener)
 		{
-			iterator->remove(iterator);
+			this->listeners->remove_at(this->listeners, enumerator);
 			entry_destroy(entry);
 			break;
 		}
 	}
-	iterator->destroy(iterator);
+	enumerator->destroy(enumerator);
 	this->mutex->unlock(this->mutex);
 }
 
@@ -207,26 +205,14 @@ struct cleanup_data_t {
  */
 static void listener_cleanup(cleanup_data_t *data)
 {
-	iterator_t *iterator;
-	entry_t *entry;
-
-	iterator = data->this->listeners->create_iterator(data->this->listeners, TRUE);
-	while (iterator->iterate(iterator, (void**)&entry))
-	{
-		if (entry == data->entry)
-		{
-			iterator->remove(iterator);
-			entry_destroy(entry);
-			break;
-		}
-	}
-	iterator->destroy(iterator);
+	data->this->listeners->remove(data->this->listeners, data->entry, NULL);
+	entry_destroy(data->entry);
 }
 
 /**
  * Implementation of bus_t.listen.
  */
-static void listen_(private_bus_t *this, bus_listener_t *listener, job_t *job)
+static void listen_(private_bus_t *this, listener_t *listener, job_t *job)
 {
 	int old;
 	cleanup_data_t data;
@@ -267,33 +253,31 @@ typedef struct {
 	ike_sa_t *ike_sa;
 	/** invoking thread */
 	long thread;
-	/** signal type */
-	signal_t signal;
-	/** signal level */
+	/** debug group */
+	debug_t group;
+	/** debug level */
 	level_t level;
-	/** signal specific user data */
-	void *user;
 	/** format string */
 	char *format;
 	/** argument list */
 	va_list args;
-} signal_data_t;
+} log_data_t;
 
 /**
- * listener invocation as a list remove callback
+ * listener->log() invocation as a list remove callback
  */
-static bool signal_cb(entry_t *entry, signal_data_t *data)
+static bool log_cb(entry_t *entry, log_data_t *data)
 {
 	va_list args;
 
-	if (entry->calling)
+	if (entry->calling || !entry->listener->log)
 	{	/* avoid recursive calls */
 		return FALSE;
 	}
-	entry->calling = TRUE;
+	entry->calling++;
 	va_copy(args, data->args);
-	if (!entry->listener->signal(entry->listener, data->signal, data->level,
-					data->thread, data->ike_sa, data->user, data->format, args))
+	if (!entry->listener->log(entry->listener, data->group, data->level,
+							  data->thread, data->ike_sa, data->format, args))
 	{
 		if (entry->blocker)
 		{
@@ -305,51 +289,237 @@ static bool signal_cb(entry_t *entry, signal_data_t *data)
 			entry_destroy(entry);
 		}
 		va_end(args);
-		entry->calling = FALSE;
+		entry->calling--;
 		return TRUE;
 	}
 	va_end(args);
-	entry->calling = FALSE;
+	entry->calling--;
 	return FALSE;
 }
 
 /**
- * Implementation of bus_t.vsignal.
+ * Implementation of bus_t.vlog.
  */
-static void vsignal(private_bus_t *this, signal_t signal, level_t level,
-					void *user, char* format, va_list args)
+static void vlog(private_bus_t *this, debug_t group, level_t level,
+				 char* format, va_list args)
 {
-	signal_data_t data;
+	log_data_t data;
 	
 	data.ike_sa = pthread_getspecific(this->thread_sa);
 	data.thread = get_thread_number(this);
-	data.signal = signal;
+	data.group = group;
 	data.level = level;
-	data.user = user;
 	data.format = format;
 	va_copy(data.args, args);
 	
 	this->mutex->lock(this->mutex);
-	/* we use the remove() method to invoke all listeners with small overhead */
-	this->listeners->remove(this->listeners, &data, (void*)signal_cb);
+	/* We use the remove() method to invoke all listeners. This is cheap and
+	 * does not require an allocation for this performance critical function. */
+	this->listeners->remove(this->listeners, &data, (void*)log_cb);
 	this->mutex->unlock(this->mutex);
 	
 	va_end(data.args);
 }
 
 /**
- * Implementation of bus_t.signal.
+ * Implementation of bus_t.log.
  */
-static void signal_(private_bus_t *this, signal_t signal, level_t level, 
-					void* data, char* format, ...)
+static void log_(private_bus_t *this, debug_t group, level_t level,
+				 char* format, ...)
 {
 	va_list args;
 	
 	va_start(args, format);
-	vsignal(this, signal, level, data, format, args);
+	vlog(this, group, level, format, args);
 	va_end(args);
 }
 
+/**
+ * unregister a listener
+ */
+static void unregister_listener(private_bus_t *this, entry_t *entry,
+								enumerator_t *enumerator)
+{
+	if (entry->blocker)
+	{
+		entry->blocker = FALSE;
+		entry->condvar->signal(entry->condvar);
+	}
+	else
+	{
+		entry_destroy(entry);
+	}
+	this->listeners->remove_at(this->listeners, enumerator);
+}
+
+/**
+ * Implementation of bus_t.ike_state_change
+ */
+static void ike_state_change(private_bus_t *this, ike_sa_t *ike_sa,
+							 ike_sa_state_t state)
+{
+	enumerator_t *enumerator;
+	entry_t *entry;
+	bool keep;
+	
+	this->mutex->lock(this->mutex);
+	enumerator = this->listeners->create_enumerator(this->listeners);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (entry->calling || !entry->listener->ike_state_change)
+		{
+			continue;
+		}
+		entry->calling++;
+		keep = entry->listener->ike_state_change(entry->listener, ike_sa, state);
+		entry->calling--;
+		if (!keep)
+		{
+			unregister_listener(this, entry, enumerator);
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->mutex->unlock(this->mutex);
+}
+
+/**
+ * Implementation of bus_t.child_state_change
+ */
+static void child_state_change(private_bus_t *this, child_sa_t *child_sa,
+							   child_sa_state_t state)
+{
+	enumerator_t *enumerator;
+	ike_sa_t *ike_sa;
+	entry_t *entry;
+	bool keep;
+	
+	ike_sa = pthread_getspecific(this->thread_sa);
+	
+	this->mutex->lock(this->mutex);
+	enumerator = this->listeners->create_enumerator(this->listeners);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (entry->calling || !entry->listener->child_state_change)
+		{
+			continue;
+		}
+		entry->calling++;
+		keep = entry->listener->child_state_change(entry->listener, ike_sa,
+												   child_sa, state);
+		entry->calling--;
+		if (!keep)
+		{
+			unregister_listener(this, entry, enumerator);
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->mutex->unlock(this->mutex);
+}
+
+/**
+ * Implementation of bus_t.message
+ */
+static void message(private_bus_t *this, message_t *message, bool incoming)
+{
+	enumerator_t *enumerator;
+	ike_sa_t *ike_sa;
+	entry_t *entry;
+	bool keep;
+	
+	ike_sa = pthread_getspecific(this->thread_sa);
+	
+	this->mutex->lock(this->mutex);
+	enumerator = this->listeners->create_enumerator(this->listeners);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (entry->calling || !entry->listener->message)
+		{
+			continue;
+		}
+		entry->calling++;
+		keep = entry->listener->message(entry->listener, ike_sa,
+										message, incoming);
+		entry->calling--;
+		if (!keep)
+		{
+			unregister_listener(this, entry, enumerator);
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->mutex->unlock(this->mutex);
+}
+
+/**
+ * Implementation of bus_t.ike_keys
+ */
+static void ike_keys(private_bus_t *this, ike_sa_t *ike_sa,
+					 diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r,
+					 ike_sa_t *rekey)
+{
+	enumerator_t *enumerator;
+	entry_t *entry;
+	bool keep;
+	
+	this->mutex->lock(this->mutex);
+	enumerator = this->listeners->create_enumerator(this->listeners);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (entry->calling || !entry->listener->ike_keys)
+		{
+			continue;
+		}
+		entry->calling++;
+		keep = entry->listener->ike_keys(entry->listener, ike_sa, dh,
+										 nonce_i, nonce_r, rekey);
+		entry->calling--;
+		if (!keep)
+		{
+			unregister_listener(this, entry, enumerator);
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->mutex->unlock(this->mutex);
+}
+
+/**
+ * Implementation of bus_t.child_keys
+ */
+static void child_keys(private_bus_t *this, child_sa_t *child_sa,
+					   diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r)
+{
+	enumerator_t *enumerator;
+	ike_sa_t *ike_sa;
+	entry_t *entry;
+	bool keep;
+	
+	ike_sa = pthread_getspecific(this->thread_sa);
+	
+	this->mutex->lock(this->mutex);
+	enumerator = this->listeners->create_enumerator(this->listeners);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (entry->calling || !entry->listener->child_keys)
+		{
+			continue;
+		}
+		entry->calling++;
+		keep = entry->listener->child_keys(entry->listener, ike_sa, child_sa,
+										   dh, nonce_i, nonce_r);
+		entry->calling--;
+		if (!keep)
+		{
+			unregister_listener(this, entry, enumerator);
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->mutex->unlock(this->mutex);
+}
+
 /**
  * Implementation of bus_t.destroy.
  */
@@ -367,16 +537,21 @@ bus_t *bus_create()
 {
 	private_bus_t *this = malloc_thing(private_bus_t);
 	
-	this->public.add_listener = (void(*)(bus_t*,bus_listener_t*))add_listener;
-	this->public.remove_listener = (void(*)(bus_t*,bus_listener_t*))remove_listener;
-	this->public.listen = (void(*)(bus_t*, bus_listener_t *listener, job_t *job))listen_;
+	this->public.add_listener = (void(*)(bus_t*,listener_t*))add_listener;
+	this->public.remove_listener = (void(*)(bus_t*,listener_t*))remove_listener;
+	this->public.listen = (void(*)(bus_t*, listener_t *listener, job_t *job))listen_;
 	this->public.set_sa = (void(*)(bus_t*,ike_sa_t*))set_sa;
-	this->public.signal = (void(*)(bus_t*,signal_t,level_t,void*,char*,...))signal_;
-	this->public.vsignal = (void(*)(bus_t*,signal_t,level_t,void*,char*,va_list))vsignal;
+	this->public.log = (void(*)(bus_t*,debug_t,level_t,char*,...))log_;
+	this->public.vlog = (void(*)(bus_t*,debug_t,level_t,char*,va_list))vlog;
+	this->public.ike_state_change = (void(*)(bus_t*,ike_sa_t*,ike_sa_state_t))ike_state_change;
+	this->public.child_state_change = (void(*)(bus_t*,child_sa_t*,child_sa_state_t))child_state_change;
+	this->public.message = (void(*)(bus_t*, message_t *message, bool incoming))message;
+	this->public.ike_keys = (void(*)(bus_t*, ike_sa_t *ike_sa, diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r, ike_sa_t *rekey))ike_keys;
+	this->public.child_keys = (void(*)(bus_t*, child_sa_t *child_sa, diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r))child_keys;
 	this->public.destroy = (void(*)(bus_t*)) destroy;
 	
 	this->listeners = linked_list_create();
-	this->mutex = mutex_create(MUTEX_DEFAULT);
+	this->mutex = mutex_create(MUTEX_RECURSIVE);
 	pthread_key_create(&this->thread_id, NULL);
 	pthread_key_create(&this->thread_sa, NULL);
 	
diff --git a/src/charon/bus/bus.h b/src/charon/bus/bus.h
index db417064f..383678488 100644
--- a/src/charon/bus/bus.h
+++ b/src/charon/bus/bus.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: bus.h 4192 2008-07-18 15:51:40Z martin $
+ * $Id: bus.h 4622 2008-11-11 10:52:37Z martin $
  */
 
 /**
@@ -23,9 +23,9 @@
 #ifndef BUS_H_
 #define BUS_H_
 
-typedef enum signal_t signal_t;
+typedef enum debug_t debug_t;
 typedef enum level_t level_t;
-typedef struct bus_listener_t bus_listener_t;
+typedef struct listener_t listener_t;
 typedef struct bus_t bus_t;
 
 #include <stdarg.h>
@@ -34,145 +34,87 @@ typedef struct bus_t bus_t;
 #include <sa/child_sa.h>
 #include <processing/jobs/job.h>
 
-
 /**
- * signals emitted by the daemon.
- *
- * Signaling is for different purporses. First, it allows debugging via
- * "debugging signal messages", sencondly, it allows to follow certain
- * mechanisms currently going on in the daemon. As we are multithreaded,
- * and multiple transactions are involved, it's not possible to follow
- * one connection setup without further infrastructure. These infrastructure
- * is provided by the bus and the signals the daemon emits to the bus.
- *
- * There are different scenarios to follow these signals, but all have
- * the same scheme. First, a START signal is emitted to indicate the daemon
- * has started to do something. After a start signal, a SUCCESS or a FAILED
- * signal of the same type follows. This allows to track the operation. Any
- * Debug signal betwee a START and a SUCCESS/FAILED belongs to that operation
- * if the IKE_SA is the same. The thread may change, as multiple threads
- * may be involved in a complex scenario.
+ * Debug message group.
  */
-enum signal_t {
-	/** pseudo signal, representing any other signal */
-	SIG_ANY,
-	
-	/** debugging message from daemon main loop */
+enum debug_t {
+	/** daemon main loop */
 	DBG_DMN,
-	/** debugging message from IKE_SA_MANAGER */
+	/** IKE_SA_MANAGER */
 	DBG_MGR,
-	/** debugging message from an IKE_SA */
+	/** IKE_SA */
 	DBG_IKE,
-	/** debugging message from a CHILD_SA */
+	/** CHILD_SA */
 	DBG_CHD,
-	/** debugging message from job processing */
+	/** job processing */
 	DBG_JOB,
-	/** debugging message from configuration backends */
+	/** configuration backends */
 	DBG_CFG,
-	/** debugging message from kernel interface */
+	/** kernel interface */
 	DBG_KNL,
-	/** debugging message from networking */
+	/** networking/sockets */
 	DBG_NET,
-	/** debugging message from message encoding/decoding */
+	/** message encoding/decoding */
 	DBG_ENC,
-	/** debugging message from libstrongswan via logging hook */
+	/** libstrongswan via logging hook */
 	DBG_LIB,
-	
-	/** number of debug signals */
+	/** number of groups */
 	DBG_MAX,
-	
-	/** signals for IKE_SA establishment */
-	IKE_UP_START,
-	IKE_UP_SUCCESS,
-	IKE_UP_FAILED,
-	
-	/** signals for IKE_SA delete */
-	IKE_DOWN_START,
-	IKE_DOWN_SUCCESS,
-	IKE_DOWN_FAILED,
-	
-	/** signals for IKE_SA rekeying */
-	IKE_REKEY_START,
-	IKE_REKEY_SUCCESS,
-	IKE_REKEY_FAILED,
-	
-	/** signals for CHILD_SA establishment */
-	CHD_UP_START,
-	CHD_UP_SUCCESS,
-	CHD_UP_FAILED,
-	
-	/** signals for CHILD_SA delete */
-	CHD_DOWN_START,
-	CHD_DOWN_SUCCESS,
-	CHD_DOWN_FAILED,
-	
-	/** signals for CHILD_SA rekeying */
-	CHD_REKEY_START,
-	CHD_REKEY_SUCCESS,
-	CHD_REKEY_FAILED,
-	
-	/** signals for CHILD_SA routing */
-	CHD_ROUTE_START,
-	CHD_ROUTE_SUCCESS,
-	CHD_ROUTE_FAILED,
-	
-	/** signals for CHILD_SA routing */
-	CHD_UNROUTE_START,
-	CHD_UNROUTE_SUCCESS,
-	CHD_UNROUTE_FAILED,
-	
-	SIG_MAX
+	/** pseudo group with all groups */
+	DBG_ANY = DBG_MAX,
 };
 
 /**
- * short names of signals using 3 chars
+ * short names of debug message group.
  */
-extern enum_name_t *signal_names;
+extern enum_name_t *debug_names;
 
 /**
- * Signal levels used to control output verbosity.
+ * short names of debug message group, lower case.
+ */
+extern enum_name_t *debug_lower_names;
+
+/**
+ * Debug levels used to control output verbosity.
  */
 enum level_t {
-	/** numerical levels from 0 to 4 */
-	LEVEL_0 = 0,
-	LEVEL_1 = 1,
-	LEVEL_2 = 2,
-	LEVEL_3 = 3,
-	LEVEL_4 = 4,
-	/** absolutely silent, no signal is emitted with this level */
-	LEVEL_SILENT = -1,
-	/** alias for numberical levels */
-	LEVEL_AUDIT = LEVEL_0,
-	LEVEL_CTRL = LEVEL_1,
-	LEVEL_CTRLMORE = LEVEL_2,
-	LEVEL_RAW = LEVEL_3,
-	LEVEL_PRIVATE = LEVEL_4,
+	/** absolutely silent */
+	LEVEL_SILENT = 	-1,
+	/** most important auditing logs */
+	LEVEL_AUDIT = 	 0,
+	/** control flow */
+	LEVEL_CTRL = 	 1,
+	/** diagnose problems */
+	LEVEL_DIAG = 	 2,
+	/** raw binary blobs */
+	LEVEL_RAW = 	 3,
+	/** including sensitive data (private keys) */
+	LEVEL_PRIVATE =  4,
 };
 
 #ifndef DEBUG_LEVEL
 # define DEBUG_LEVEL 4
 #endif /* DEBUG_LEVEL */
 
+#if DEBUG_LEVEL >= 0
+#define DBG0(group, format, ...) charon->bus->log(charon->bus, group, 0, format, ##__VA_ARGS__)
+#endif /* DEBUG_LEVEL >= 0 */
 #if DEBUG_LEVEL >= 1
-/**
- * Log a debug message via the signal bus.
- *
- * @param signal	signal_t signal description
- * @param format	printf() style format string
- * @param ...		printf() style agument list
- */
-# define DBG1(sig, format, ...) charon->bus->signal(charon->bus, sig, LEVEL_1, NULL, format, ##__VA_ARGS__)
-#endif /* DEBUG_LEVEL */
+#define DBG1(group, format, ...) charon->bus->log(charon->bus, group, 1, format, ##__VA_ARGS__)
+#endif /* DEBUG_LEVEL >= 1 */
 #if DEBUG_LEVEL >= 2
-#define DBG2(sig, format, ...) charon->bus->signal(charon->bus, sig, LEVEL_2, NULL, format, ##__VA_ARGS__)
-#endif /* DEBUG_LEVEL */
+#define DBG2(group, format, ...) charon->bus->log(charon->bus, group, 2, format, ##__VA_ARGS__)
+#endif /* DEBUG_LEVEL >= 2 */
 #if DEBUG_LEVEL >= 3
-#define DBG3(sig, format, ...) charon->bus->signal(charon->bus, sig, LEVEL_3, NULL, format, ##__VA_ARGS__)
-#endif /* DEBUG_LEVEL */
+#define DBG3(group, format, ...) charon->bus->log(charon->bus, group, 3, format, ##__VA_ARGS__)
+#endif /* DEBUG_LEVEL >= 3 */
 #if DEBUG_LEVEL >= 4
-#define DBG4(sig, format, ...) charon->bus->signal(charon->bus, sig, LEVEL_4, NULL, format, ##__VA_ARGS__)
-#endif /* DEBUG_LEVEL */
+#define DBG4(group, format, ...) charon->bus->log(charon->bus, group, 4, format, ##__VA_ARGS__)
+#endif /* DEBUG_LEVEL >= 4 */
 
+#ifndef DBG0
+# define DBG0(...) {}
+#endif /* DBG0 */
 #ifndef DBG1
 # define DBG1(...) {}
 #endif /* DBG1 */
@@ -186,101 +128,115 @@ enum level_t {
 # define DBG4(...) {}
 #endif /* DBG4 */
 
-/**
- * Raise a signal for an IKE_SA event.
- *
- * @param sig		signal_t signal description
- * @param format	printf() style format string
- * @param ...		printf() style agument list
- */
-#define SIG_IKE(sig, format, ...) charon->bus->signal(charon->bus, IKE_##sig, LEVEL_0, NULL, format, ##__VA_ARGS__)
 
 /**
- * Raise a signal for an IKE event.
- *
- * @param sig		signal_t signal description
- * @param format	printf() style format string
- * @param ...		printf() style agument list
- */
-#define SIG_CHD(sig, chd, format, ...) charon->bus->signal(charon->bus, CHD_##sig, LEVEL_0, chd, format, ##__VA_ARGS__)
-
-/**
- * Get the type of a signal.
- *
- * A signal may be a debugging signal with a specific context. They have
- * a level specific for their context > 0. All audit signals use the
- * type 0. This allows filtering of singals by their type.
- *
- * @param signal	signal to get the type from
- * @return			type of the signal, between 0..(DBG_MAX-1)
- */
-#define SIG_TYPE(sig) (sig > DBG_MAX ? SIG_ANY : sig)
-
-
-/**
- * Interface for registering at the signal bus.
- *
- * To receive signals from the bus, the client implementing the
- * bus_listener_t interface registers itself at the signal bus.
+ * Listener interface, listens to events if registered to the bus.
  */
-struct bus_listener_t {
+struct listener_t {
 	
 	/**
-	 * Send a signal to a bus listener.
+	 * Log a debugging message.
 	 *
-	 * A numerical identification for the thread is included, as the
-	 * associated IKE_SA, if any. Signal specifies the type of
-	 * the event occured. The format string specifies
-	 * an additional informational or error message with a printf() like
-	 * variable argument list. This is in the va_list form, as forwarding
-	 * a "..." parameters to functions is not (cleanly) possible.
 	 * The implementing signal function returns TRUE to stay registered
 	 * to the bus, or FALSE to unregister itself.
-	 * Calling bus_t.signal() inside of a registered listener is possible,
+	 * Calling bus_t.log() inside of a registered listener is possible,
 	 * but the bus does not invoke listeners recursively.
 	 *
 	 * @param singal	kind of the signal (up, down, rekeyed, ...)
 	 * @param level		verbosity level of the signal
 	 * @param thread	ID of the thread raised this signal
 	 * @param ike_sa	IKE_SA associated to the event
-	 * @param data		additional signal specific user data
 	 * @param format	printf() style format string
 	 * @param args		vprintf() style va_list argument list
 	 " @return			TRUE to stay registered, FALSE to unregister
 	 */
-	bool (*signal) (bus_listener_t *this, signal_t signal, level_t level,
-					int thread, ike_sa_t *ike_sa, void *data, 
-					char* format, va_list args);
+	bool (*log) (listener_t *this, debug_t group, level_t level, int thread,
+				 ike_sa_t *ike_sa, char* format, va_list args);
+	
+	/**
+	 * Handle state changes in an IKE_SA.
+	 *
+	 * @param ike_sa	IKE_SA which changes its state
+	 * @param state		new IKE_SA state this IKE_SA changes to
+	 * @return			TRUE to stay registered, FALSE to unregister
+	 */
+	bool (*ike_state_change)(listener_t *this, ike_sa_t *ike_sa,
+							 ike_sa_state_t state);
+	
+	/**
+	 * Handle state changes in a CHILD_SA.
+	 *
+	 * @param ike_sa	IKE_SA containing the affected CHILD_SA
+	 * @param child_sa	CHILD_SA which changes its state
+	 * @param state		new CHILD_SA state this CHILD_SA changes to
+	 * @return			TRUE to stay registered, FALSE to unregister
+	 */
+	bool (*child_state_change)(listener_t *this, ike_sa_t *ike_sa,
+							   child_sa_t *child_sa, child_sa_state_t state);
+	
+	/**
+	 * Hook called for received/sent messages of an IKE_SA.
+	 *
+	 * @param ike_sa	IKE_SA sending/receving a message
+	 * @param message	message object
+	 * @param incoming	TRUE for incoming messages, FALSE for outgoing
+	 * @return			TRUE to stay registered, FALSE to unregister
+	 */
+	bool (*message)(listener_t *this, ike_sa_t *ike_sa, message_t *message,
+					bool incoming);
+	
+	/**
+	 * Hook called with IKE_SA key material.
+	 *
+	 * @param ike_sa	IKE_SA this keymat belongs to
+	 * @param dh		diffie hellman shared secret
+	 * @param nonce_i	initiators nonce
+	 * @param nonce_r	responders nonce
+	 * @param rekey		IKE_SA we are rekeying, if any
+	 * @return			TRUE to stay registered, FALSE to unregister
+	 */
+	bool (*ike_keys)(listener_t *this, ike_sa_t *ike_sa, diffie_hellman_t *dh,
+					 chunk_t nonce_i, chunk_t nonce_r, ike_sa_t *rekey);
+	
+	/**
+	 * Hook called with CHILD_SA key material.
+	 *
+	 * @param ike_sa	IKE_SA the child sa belongs to
+	 * @param child_sa	CHILD_SA this keymat is used for
+	 * @param dh		diffie hellman shared secret
+	 * @param nonce_i	initiators nonce
+	 * @param nonce_r	responders nonce
+	 * @return			TRUE to stay registered, FALSE to unregister
+	 */
+	bool (*child_keys)(listener_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa,
+					   diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r);
 };
 
 /**
- * Signal bus which sends signals to registered listeners.
+ * The bus receives events and sends them to all registered listeners.
  *
- * The signal bus is not much more than a multiplexer. A listener interested
- * in receiving event signals registers at the bus. Any signals sent to
- * are delivered to all registered listeners.
- * To deliver signals to threads, the blocking listen() call may be used
- * to wait for a signal.
+ * Any events sent to are delivered to all registered listeners. Threads
+ * may wait actively to events using the blocking listen() call.
  */
 struct bus_t {
 	
 	/**
 	 * Register a listener to the bus.
 	 *
-	 * A registered listener receives all signals which are sent to the bus.
-	 * The listener is passive; the thread which emitted the signal
+	 * A registered listener receives all events which are sent to the bus.
+	 * The listener is passive; the thread which emitted the event
 	 * processes the listener routine.
 	 *
 	 * @param listener	listener to register.
 	 */
-	void (*add_listener) (bus_t *this, bus_listener_t *listener);
+	void (*add_listener) (bus_t *this, listener_t *listener);
 	
 	/**
 	 * Unregister a listener from the bus.
 	 *
 	 * @param listener	listener to unregister.
 	 */
-	void (*remove_listener) (bus_t *this, bus_listener_t *listener);
+	void (*remove_listener) (bus_t *this, listener_t *listener);
 	
 	/**
 	 * Register a listener and block the calling thread.
@@ -288,69 +244,109 @@ struct bus_t {
 	 * This call registers a listener and blocks the calling thread until
 	 * its listeners function returns FALSE. This allows to wait for certain
 	 * events. The associated job is executed after the listener has been
-	 * registered, this allows to listen on events we initiate with the job
-	 * without missing any signals.
+	 * registered: This allows to listen on events we initiate with the job,
+	 * without missing any events to job may fire.
 	 *
 	 * @param listener	listener to register
 	 * @param job		job to execute asynchronously when registered, or NULL
 	 */
-	void (*listen)(bus_t *this, bus_listener_t *listener, job_t *job);
+	void (*listen)(bus_t *this, listener_t *listener, job_t *job);
 	
 	/**
 	 * Set the IKE_SA the calling thread is using.
 	 *
-	 * To associate an received signal to an IKE_SA without passing it as
-	 * parameter each time, the thread registers it's used IKE_SA each
-	 * time it checked it out. Before checking it in, the thread unregisters
-	 * the IKE_SA (by passing NULL). This IKE_SA is stored per-thread, so each
-	 * thread has one IKE_SA registered (or not).
+	 * To associate an received log message to an IKE_SA without passing it as
+	 * parameter each time, the thread registers the currenlty used IKE_SA
+	 * during check-out. Before check-in, the thread unregisters the IKE_SA. 
+	 * This IKE_SA is stored per-thread, so each thread has its own IKE_SA
+	 * registered.
 	 * 
 	 * @param ike_sa	ike_sa to register, or NULL to unregister
 	 */
 	void (*set_sa) (bus_t *this, ike_sa_t *ike_sa);
 	
 	/**
-	 * Send a signal to the bus.
+	 * Send a log message to the bus.
 	 *
 	 * The signal specifies the type of the event occured. The format string
 	 * specifies an additional informational or error message with a
 	 * printf() like variable argument list.
-	 * Some useful macros are available to shorten this call.
-	 * @see SIG(), DBG1()
+	 * Use the DBG() macros.
 	 *
-	 * @param singal	kind of the signal (up, down, rekeyed, ...)
+	 * @param group		debugging group
 	 * @param level		verbosity level of the signal
-	 * @param data		additional signal specific user data
 	 * @param format	printf() style format string
 	 * @param ...		printf() style argument list
 	 */
-	void (*signal) (bus_t *this, signal_t signal, level_t level,
-					void *data, char* format, ...);
+	void (*log)(bus_t *this, debug_t group, level_t level, char* format, ...);
 	
 	/**
-	 * Send a signal to the bus using va_list arguments.
+	 * Send a log message to the bus using va_list arguments.
 	 *
 	 * Same as bus_t.signal(), but uses va_list argument list.
 	 *
-	 * @param singal	kind of the signal (up, down, rekeyed, ...)
+	 * @param group		kind of the signal (up, down, rekeyed, ...)
 	 * @param level		verbosity level of the signal
-	 * @param data		additional signal specific user data
 	 * @param format	printf() style format string
 	 * @param args		va_list arguments
 	 */
-	void (*vsignal) (bus_t *this, signal_t signal, level_t level,
-					 void *data, char* format, va_list args);
+	void (*vlog)(bus_t *this, debug_t group, level_t level,
+				 char* format, va_list args);
+	/**
+	 * Send a IKE_SA state change event to the bus.
+	 *
+	 * @param ike_sa	IKE_SA which changes its state
+	 * @param state		new state IKE_SA changes to
+	 */
+	void (*ike_state_change)(bus_t *this, ike_sa_t *ike_sa,
+							 ike_sa_state_t state);
+	/**
+	 * Send a CHILD_SA state change event to the bus.
+	 *
+	 * @param child_sa	CHILD_SA which changes its state
+	 * @param state		new state CHILD_SA changes to
+	 */
+	void (*child_state_change)(bus_t *this, child_sa_t *child_sa,
+							   child_sa_state_t state);
+	/**
+	 * Message send/receive hook.
+	 *
+	 * @param message	message to send/receive
+	 * @param incoming	TRUE for incoming messages, FALSE for outgoing
+	 */
+	void (*message)(bus_t *this, message_t *message, bool incoming);
 	
 	/**
-	 * Destroy the signal bus.
+	 * IKE_SA keymat hook.
+	 *
+	 * @param ike_sa	IKE_SA this keymat belongs to
+	 * @param dh		diffie hellman shared secret
+	 * @param nonce_i	initiators nonce
+	 * @param nonce_r	responders nonce
+	 * @param rekey		IKE_SA we are rekeying, if any
+	 */
+	void (*ike_keys)(bus_t *this, ike_sa_t *ike_sa, diffie_hellman_t *dh,
+					 chunk_t nonce_i, chunk_t nonce_r, ike_sa_t *rekey);
+	/**
+	 * CHILD_SA keymat hook.
+	 *
+	 * @param child_sa	CHILD_SA this keymat is used for
+	 * @param dh		diffie hellman shared secret
+	 * @param nonce_i	initiators nonce
+	 * @param nonce_r	responders nonce
+	 */
+	void (*child_keys)(bus_t *this, child_sa_t *child_sa, diffie_hellman_t *dh,
+					   chunk_t nonce_i, chunk_t nonce_r);
+	/**
+	 * Destroy the event bus.
 	 */
 	void (*destroy) (bus_t *this);
 };
 
 /**
- * Create the signal bus which multiplexes signals to its listeners.
+ * Create the event bus which forwards events to its listeners.
  *
- * @return		signal bus instance
+ * @return		event bus instance
  */
 bus_t *bus_create();
 
diff --git a/src/charon/bus/listeners/file_logger.c b/src/charon/bus/listeners/file_logger.c
index 8a7f66360..4259630ec 100644
--- a/src/charon/bus/listeners/file_logger.c
+++ b/src/charon/bus/listeners/file_logger.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: file_logger.c 4192 2008-07-18 15:51:40Z martin $
+ * $Id: file_logger.c 4622 2008-11-11 10:52:37Z martin $
  */
 
 #include <stdio.h>
@@ -39,20 +39,18 @@ struct private_file_logger_t {
 	FILE *out;
 	
 	/**
-	 * Maximum level to log
+	 * Maximum level to log, for each group
 	 */
 	level_t levels[DBG_MAX];
 };
 
-
 /**
- * Implementation of bus_listener_t.signal.
+ * Implementation of bus_listener_t.log.
  */
-static bool signal_(private_file_logger_t *this, signal_t signal, level_t level,
-					int thread, ike_sa_t* ike_sa, void *data,
-					char *format, va_list args)
+static bool log_(private_file_logger_t *this, debug_t group, level_t level,
+				 int thread, ike_sa_t* ike_sa, char *format, va_list args)
 {
-	if (level <= this->levels[SIG_TYPE(signal)])
+	if (level <= this->levels[group])
 	{
 		char buffer[8192];
 		char *current = buffer, *next;
@@ -68,7 +66,8 @@ static bool signal_(private_file_logger_t *this, signal_t signal, level_t level,
 			{
 				*(next++) = '\0';
 			}
-			fprintf(this->out, "%.2d[%N] %s\n", thread, signal_names, signal, current);
+			fprintf(this->out, "%.2d[%N] %s\n",
+					thread, debug_names, group, current);
 			current = next;
 		}
 	}
@@ -79,20 +78,18 @@ static bool signal_(private_file_logger_t *this, signal_t signal, level_t level,
 /**
  * Implementation of file_logger_t.set_level.
  */
-static void set_level(private_file_logger_t *this, signal_t signal, level_t level)
+static void set_level(private_file_logger_t *this, debug_t group, level_t level)
 {
-	if (signal == SIG_ANY)
+	if (group < DBG_ANY)
 	{
-		int i;
-		for (i = 0; i < DBG_MAX; i++)
-		{
-			this->levels[i] = level;
-		}
+		this->levels[group] = level;
 	}
 	else
 	{
-		
-		this->levels[SIG_TYPE(signal)] = level;
+		for (group = 0; group < DBG_MAX; group++)
+		{
+			this->levels[group] = level;
+		}
 	}
 }
 
@@ -101,6 +98,10 @@ static void set_level(private_file_logger_t *this, signal_t signal, level_t leve
  */
 static void destroy(private_file_logger_t *this)
 {
+	if (this->out != stdout && this->out != stderr)
+	{
+		fclose(this->out);
+	}
 	free(this);
 }
 
@@ -112,13 +113,15 @@ file_logger_t *file_logger_create(FILE *out)
 	private_file_logger_t *this = malloc_thing(private_file_logger_t);
 	
 	/* public functions */
-	this->public.listener.signal = (bool(*)(bus_listener_t*,signal_t,level_t,int,ike_sa_t*,void*,char*,va_list))signal_;
-	this->public.set_level = (void(*)(file_logger_t*,signal_t,level_t))set_level;
+	memset(&this->public.listener, 0, sizeof(listener_t));
+	this->public.listener.log = (bool(*)(listener_t*,debug_t,level_t,int,ike_sa_t*,char*,va_list))log_;
+	this->public.set_level = (void(*)(file_logger_t*,debug_t,level_t))set_level;
 	this->public.destroy = (void(*)(file_logger_t*))destroy;
 	
 	/* private variables */
 	this->out = out;
-	set_level(this, SIG_ANY, LEVEL_SILENT);
+	set_level(this, DBG_ANY, LEVEL_SILENT);
 	
 	return &this->public;
 }
+
diff --git a/src/charon/bus/listeners/file_logger.h b/src/charon/bus/listeners/file_logger.h
index 86b79c002..18a7c9765 100644
--- a/src/charon/bus/listeners/file_logger.h
+++ b/src/charon/bus/listeners/file_logger.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: file_logger.h 3589 2008-03-13 14:14:44Z martin $
+ * $Id: file_logger.h 4434 2008-10-14 08:52:13Z martin $
  */
 
 /**
@@ -28,22 +28,22 @@ typedef struct file_logger_t file_logger_t;
 #include <bus/bus.h>
 
 /**
- * Logger to files which implements bus_listener_t.
+ * Logger to files which implements listener_t.
  */
 struct file_logger_t {
 	
 	/**
-	 * Implements the bus_listener_t interface.
+	 * Implements the listener_t interface.
 	 */
-	bus_listener_t listener;
+	listener_t listener;
 	
 	/**
-	 * Set the loglevel for a signal type.
+	 * Set the loglevel for a debug group.
 	 *
-	 * @param singal	type of signal
+	 * @param group		debug group to set
 	 * @param level		max level to log (0..4)
 	 */
-	void (*set_level) (file_logger_t *this, signal_t signal, level_t level);
+	void (*set_level) (file_logger_t *this, debug_t group, level_t level);
 	
 	/**
 	 * Destroys a file_logger_t object.
diff --git a/src/charon/bus/listeners/sys_logger.c b/src/charon/bus/listeners/sys_logger.c
index 4f5b6fc3b..37dbce926 100644
--- a/src/charon/bus/listeners/sys_logger.c
+++ b/src/charon/bus/listeners/sys_logger.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: sys_logger.c 4192 2008-07-18 15:51:40Z martin $
+ * $Id: sys_logger.c 4434 2008-10-14 08:52:13Z martin $
  */
 
 #include <stdio.h>
@@ -40,20 +40,18 @@ struct private_sys_logger_t {
 	int facility;
 	
 	/**
-	 * Maximum level to log
+	 * Maximum level to log, for each group
 	 */
 	level_t levels[DBG_MAX];
 };
 
-
 /**
- * Implementation of bus_listener_t.signal.
+ * Implementation of listener_t.log.
  */
-static bool signal_(private_sys_logger_t *this, signal_t signal, level_t level,
-					int thread, ike_sa_t* ike_sa, void *data, 
-					char *format, va_list args)
+static bool log_(private_sys_logger_t *this, debug_t group, level_t level,
+				 int thread, ike_sa_t* ike_sa, char *format, va_list args)
 {
-	if (level <= this->levels[SIG_TYPE(signal)])
+	if (level <= this->levels[group])
 	{
 		char buffer[8192];
 		char *current = buffer, *next;
@@ -70,7 +68,7 @@ static bool signal_(private_sys_logger_t *this, signal_t signal, level_t level,
 				*(next++) = '\0';
 			}
 			syslog(this->facility|LOG_INFO, "%.2d[%N] %s\n",
-				   thread, signal_names, signal, current);
+				   thread, debug_names, group, current);
 			current = next;
 		}
 	}
@@ -81,20 +79,18 @@ static bool signal_(private_sys_logger_t *this, signal_t signal, level_t level,
 /**
  * Implementation of sys_logger_t.set_level.
  */
-static void set_level(private_sys_logger_t *this, signal_t signal, level_t level)
+static void set_level(private_sys_logger_t *this, debug_t group, level_t level)
 {
-	if (signal == SIG_ANY)
+	if (group < DBG_ANY)
 	{
-		int i;
-		for (i = 0; i < DBG_MAX; i++)
-		{
-			this->levels[i] = level;
-		}
+		this->levels[group] = level;
 	}
 	else
 	{
-		
-		this->levels[SIG_TYPE(signal)] = level;
+		for (group = 0; group < DBG_MAX; group++)
+		{
+			this->levels[group] = level;
+		}
 	}
 }
 
@@ -115,13 +111,14 @@ sys_logger_t *sys_logger_create(int facility)
 	private_sys_logger_t *this = malloc_thing(private_sys_logger_t);
 	
 	/* public functions */
-	this->public.listener.signal = (bool(*)(bus_listener_t*,signal_t,level_t,int,ike_sa_t*,void*,char*,va_list))signal_;
-	this->public.set_level = (void(*)(sys_logger_t*,signal_t,level_t))set_level;
+	memset(&this->public.listener, 0, sizeof(listener_t));
+	this->public.listener.log = (bool(*)(listener_t*,debug_t,level_t,int,ike_sa_t*,char*,va_list))log_;
+	this->public.set_level = (void(*)(sys_logger_t*,debug_t,level_t))set_level;
 	this->public.destroy = (void(*)(sys_logger_t*))destroy;
 	
 	/* private variables */
 	this->facility = facility;
-	set_level(this, SIG_ANY, LEVEL_SILENT);
+	set_level(this, DBG_ANY, LEVEL_SILENT);
 	
 	return &this->public;
 }
diff --git a/src/charon/bus/listeners/sys_logger.h b/src/charon/bus/listeners/sys_logger.h
index 0aade375a..08cf4dd63 100644
--- a/src/charon/bus/listeners/sys_logger.h
+++ b/src/charon/bus/listeners/sys_logger.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: sys_logger.h 3589 2008-03-13 14:14:44Z martin $
+ * $Id: sys_logger.h 4434 2008-10-14 08:52:13Z martin $
  */
 
 /**
@@ -30,22 +30,22 @@ typedef struct sys_logger_t sys_logger_t;
 #include <bus/bus.h>
 
 /**
- * Logger for syslog which implements bus_listener_t.
+ * Logger for syslog which implements listener_t.
  */
 struct sys_logger_t {
 	
 	/**
-	 * Implements the bus_listener_t interface.
+	 * Implements the listener_t interface.
 	 */
-	bus_listener_t listener;
+	listener_t listener;
 	
 	/**
-	 * Set the loglevel for a signal type.
+	 * Set the loglevel for a debug group.
 	 *
-	 * @param singal	type of signal
-	 * @param level		max level to log
+	 * @param group		debug group to set
+	 * @param level		max level to log (0..4)
 	 */
-	void (*set_level) (sys_logger_t *this, signal_t signal, level_t level);
+	void (*set_level) (sys_logger_t *this, debug_t group, level_t level);
 	
 	/**
 	 * Destroys a sys_logger_t object.
diff --git a/src/charon/config/backend_manager.c b/src/charon/config/backend_manager.c
index c2b408ca9..3f92ee96a 100644
--- a/src/charon/config/backend_manager.c
+++ b/src/charon/config/backend_manager.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: backend_manager.c 4134 2008-07-01 11:10:37Z martin $
+ * $Id: backend_manager.c 4610 2008-11-11 06:19:37Z andreas $
  */
 
 #include "backend_manager.h"
@@ -175,7 +175,7 @@ static ike_cfg_t *get_ike_cfg(private_backend_manager_t *this,
 	data->me = me;
 	data->other = other;
 	
-	DBG2(DBG_CFG, "looking for a config for %H...%H", me, other);
+	DBG2(DBG_CFG, "looking for an ike config for %H...%H", me, other);
 	
 	this->mutex->lock(this->mutex);
 	enumerator = enumerator_create_nested(
@@ -188,8 +188,8 @@ static ike_cfg_t *get_ike_cfg(private_backend_manager_t *this,
 		if (match)
 		{
 			DBG2(DBG_CFG, "  candidate: %s...%s, prio %d", 
-				 current->get_my_addr(current), current->get_other_addr(current),
-				 match);
+				 current->get_my_addr(current), 
+				 current->get_other_addr(current), match);
 			if (match > best)
 			{
 				DESTROY_IF(found);
@@ -201,6 +201,11 @@ static ike_cfg_t *get_ike_cfg(private_backend_manager_t *this,
 	}
 	enumerator->destroy(enumerator);
 	this->mutex->unlock(this->mutex);
+	if (found)
+	{
+		DBG2(DBG_CFG, "found matching ike config: %s...%s with prio %d", 
+			 found->get_my_addr(found), found->get_other_addr(found), best);
+	}
 	return found;
 }
 
@@ -227,7 +232,7 @@ static peer_cfg_t *get_peer_cfg(private_backend_manager_t *this, host_t *me,
 	ike_cfg_match_t best_ike = MATCH_NONE;
 	peer_data_t *data;
 	
-	DBG2(DBG_CFG, "looking for a config for %H[%D]...%H[%D]",
+	DBG2(DBG_CFG, "looking for a peer config for %H[%D]...%H[%D]",
 		 me, my_id, other, other_id);
 	
 	data = malloc_thing(peer_data_t);
@@ -262,7 +267,7 @@ static peer_cfg_t *get_peer_cfg(private_backend_manager_t *this, host_t *me,
 		if (m1 && m2 && match_ike && 
 			auth->complies(auth, current->get_auth(current)))
 		{
-			DBG2(DBG_CFG, "  candidate '%s': %D...%D, prio %d.%d",
+			DBG2(DBG_CFG, "  candidate \"%s\": %D...%D with prio %d.%d",
 			 	 current->get_name(current), my_cand, other_cand,
 			 	 match_peer, match_ike);
 			if (match_peer >= best_peer && match_ike > best_ike)
@@ -277,7 +282,7 @@ static peer_cfg_t *get_peer_cfg(private_backend_manager_t *this, host_t *me,
 	}
 	if (found)
 	{
-		DBG1(DBG_CFG, "found matching config \"%s\": %D...%D, prio %d.%d",
+		DBG1(DBG_CFG, "found matching peer config \"%s\": %D...%D with prio %d.%d",
 			 found->get_name(found), found->get_my_id(found),
 			 found->get_other_id(found), best_peer, best_ike);
 	}
diff --git a/src/charon/config/child_cfg.c b/src/charon/config/child_cfg.c
index 24242345b..ab083b212 100644
--- a/src/charon/config/child_cfg.c
+++ b/src/charon/config/child_cfg.c
@@ -14,7 +14,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: child_cfg.c 4358 2008-09-25 13:56:23Z tobias $
+ * $Id: child_cfg.c 4611 2008-11-11 06:29:25Z andreas $
  */
 
 #include "child_cfg.h"
@@ -118,10 +118,20 @@ struct private_child_cfg_t {
 	 * enable IPComp
 	 */
 	bool use_ipcomp;
+
+	/**
+	 * set up IPsec transport SA in MIPv6 proxy mode
+	 */
+	bool proxy_mode;
+
+	/**
+	 * enable installation and removal of kernel IPsec policies
+	 */
+	bool install_policy;
 };
 
 /**
- * Implementation of child_cfg_t.get_name
+ * Implementation of child_cfg_t.get_name.
  */
 static char *get_name(private_child_cfg_t *this)
 {
@@ -129,7 +139,7 @@ static char *get_name(private_child_cfg_t *this)
 }
 
 /**
- * Implementation of child_cfg_t.add_proposal
+ * Implementation of child_cfg_t.add_proposal.
  */
 static void add_proposal(private_child_cfg_t *this, proposal_t *proposal)
 {
@@ -137,7 +147,7 @@ static void add_proposal(private_child_cfg_t *this, proposal_t *proposal)
 }
 
 /**
- * Implementation of child_cfg_t.get_proposals
+ * Implementation of child_cfg_t.get_proposals.
  */
 static linked_list_t* get_proposals(private_child_cfg_t *this, bool strip_dh)
 {
@@ -161,7 +171,7 @@ static linked_list_t* get_proposals(private_child_cfg_t *this, bool strip_dh)
 }
 
 /**
- * Implementation of child_cfg_t.get_name
+ * Implementation of child_cfg_t.select_proposal.
  */
 static proposal_t* select_proposal(private_child_cfg_t*this,
 								   linked_list_t *proposals, bool strip_dh)
@@ -210,7 +220,7 @@ static proposal_t* select_proposal(private_child_cfg_t*this,
 }
 
 /**
- * Implementation of child_cfg_t.get_name
+ * Implementation of child_cfg_t.add_traffic_selector.
  */
 static void add_traffic_selector(private_child_cfg_t *this, bool local,
 								 traffic_selector_t *ts)
@@ -226,7 +236,7 @@ static void add_traffic_selector(private_child_cfg_t *this, bool local,
 }
 
 /**
- * Implementation of child_cfg_t.get_name
+ * Implementation of child_cfg_t.get_traffic_selectors.
  */
 static linked_list_t* get_traffic_selectors(private_child_cfg_t *this, bool local,
 											linked_list_t *supplied,
@@ -337,7 +347,36 @@ static linked_list_t* get_traffic_selectors(private_child_cfg_t *this, bool loca
 }
 
 /**
- * Implementation of child_cfg_t.get_name
+ * Implementation of child_cfg_t.equal_traffic_selectors.
+ */
+bool equal_traffic_selectors(private_child_cfg_t *this, bool local,
+							 linked_list_t *ts_list, host_t *host)
+{
+	linked_list_t *this_list;
+	traffic_selector_t *this_ts, *ts;
+	bool result;
+
+	this_list = (local) ? this->my_ts : this->other_ts;
+
+	/* currently equality is established for single traffic selectors only */
+	if (this_list->get_count(this_list) != 1 || ts_list->get_count(ts_list) != 1)
+	{
+		return FALSE;
+	}
+
+	this_list->get_first(this_list, (void**)&this_ts);
+	this_ts = this_ts->clone(this_ts);
+	this_ts->set_address(this_ts, host);
+	ts_list->get_first(ts_list, (void**)&ts);
+
+	result = ts->equals(ts, this_ts);
+
+	this_ts->destroy(this_ts);
+	return result;
+}
+
+/**
+ * Implementation of child_cfg_t.get_updown.
  */
 static char* get_updown(private_child_cfg_t *this)
 {
@@ -345,7 +384,7 @@ static char* get_updown(private_child_cfg_t *this)
 }
 
 /**
- * Implementation of child_cfg_t.get_name
+ * Implementation of child_cfg_t.get_hostaccess.
  */
 static bool get_hostaccess(private_child_cfg_t *this)
 {
@@ -353,7 +392,7 @@ static bool get_hostaccess(private_child_cfg_t *this)
 }
 
 /**
- * Implementation of child_cfg_t.get_name
+ * Implementation of child_cfg_t.get_lifetime.
  */
 static u_int32_t get_lifetime(private_child_cfg_t *this, bool rekey)
 {
@@ -369,7 +408,7 @@ static u_int32_t get_lifetime(private_child_cfg_t *this, bool rekey)
 }
 
 /**
- * Implementation of child_cfg_t.get_mode
+ * Implementation of child_cfg_t.get_mode.
  */
 static ipsec_mode_t get_mode(private_child_cfg_t *this)
 {
@@ -377,7 +416,7 @@ static ipsec_mode_t get_mode(private_child_cfg_t *this)
 }
 
 /**
- * Implementation of child_cfg_t.get_dpd_action
+ * Implementation of child_cfg_t.get_dpd_action.
  */
 static action_t get_dpd_action(private_child_cfg_t *this)
 {
@@ -385,7 +424,7 @@ static action_t get_dpd_action(private_child_cfg_t *this)
 }
 
 /**
- * Implementation of child_cfg_t.get_close_action
+ * Implementation of child_cfg_t.get_close_action.
  */
 static action_t get_close_action(private_child_cfg_t *this)
 {
@@ -422,7 +461,33 @@ static bool use_ipcomp(private_child_cfg_t *this)
 }
 
 /**
- * Implementation of child_cfg_t.get_name
+ * Implementation of child_cfg_t.set_mipv6_options.
+ */
+static void set_mipv6_options(private_child_cfg_t *this, bool proxy_mode,
+														 bool install_policy)
+{
+	this->proxy_mode = proxy_mode;
+	this->install_policy = install_policy;
+}
+
+/**
+ * Implementation of child_cfg_t.use_proxy_mode.
+ */
+static bool use_proxy_mode(private_child_cfg_t *this)
+{
+	return this->proxy_mode;
+}
+
+/**
+ * Implementation of child_cfg_t.install_policy.
+ */
+static bool install_policy(private_child_cfg_t *this)
+{
+	return this->install_policy;
+}
+
+/**
+ * Implementation of child_cfg_t.get_ref.
  */
 static child_cfg_t* get_ref(private_child_cfg_t *this)
 {
@@ -462,6 +527,7 @@ child_cfg_t *child_cfg_create(char *name, u_int32_t lifetime,
 	this->public.get_name = (char* (*) (child_cfg_t*))get_name;
 	this->public.add_traffic_selector = (void (*)(child_cfg_t*,bool,traffic_selector_t*))add_traffic_selector;
 	this->public.get_traffic_selectors = (linked_list_t*(*)(child_cfg_t*,bool,linked_list_t*,host_t*))get_traffic_selectors;
+	this->public.equal_traffic_selectors = (bool (*)(child_cfg_t*,bool,linked_list_t*,host_t*))equal_traffic_selectors;
 	this->public.add_proposal = (void (*) (child_cfg_t*,proposal_t*))add_proposal;
 	this->public.get_proposals = (linked_list_t* (*) (child_cfg_t*,bool))get_proposals;
 	this->public.select_proposal = (proposal_t* (*) (child_cfg_t*,linked_list_t*,bool))select_proposal;
@@ -472,7 +538,10 @@ child_cfg_t *child_cfg_create(char *name, u_int32_t lifetime,
 	this->public.get_close_action = (action_t (*) (child_cfg_t *))get_close_action;
 	this->public.get_lifetime = (u_int32_t (*) (child_cfg_t *,bool))get_lifetime;
 	this->public.get_dh_group = (diffie_hellman_group_t(*)(child_cfg_t*)) get_dh_group;
+	this->public.set_mipv6_options = (void (*) (child_cfg_t*,bool,bool))set_mipv6_options;
 	this->public.use_ipcomp = (bool (*) (child_cfg_t *))use_ipcomp;
+	this->public.use_proxy_mode = (bool (*) (child_cfg_t *))use_proxy_mode;
+	this->public.install_policy = (bool (*) (child_cfg_t *))install_policy;
 	this->public.get_ref = (child_cfg_t* (*) (child_cfg_t*))get_ref;
 	this->public.destroy = (void (*) (child_cfg_t*))destroy;
 	
@@ -486,6 +555,8 @@ child_cfg_t *child_cfg_create(char *name, u_int32_t lifetime,
 	this->dpd_action = dpd_action;
 	this->close_action = close_action;
 	this->use_ipcomp = ipcomp; 
+	this->proxy_mode = FALSE;
+	this->install_policy = TRUE; 
 	this->refcount = 1;
 	this->proposals = linked_list_create();
 	this->my_ts = linked_list_create();
diff --git a/src/charon/config/child_cfg.h b/src/charon/config/child_cfg.h
index 83d6cafe6..787324dca 100644
--- a/src/charon/config/child_cfg.h
+++ b/src/charon/config/child_cfg.h
@@ -14,7 +14,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: child_cfg.h 4358 2008-09-25 13:56:23Z tobias $
+ * $Id: child_cfg.h 4611 2008-11-11 06:29:25Z andreas $
  */
 
 /**
@@ -153,6 +153,17 @@ struct child_cfg_t {
 											linked_list_t *supplied,
 											host_t *host);
 
+	/**
+	 * Checks [single] traffic selectors for equality 
+	 *
+	 * @param local			TRUE for TS on local side, FALSE for remote
+	 * @param ts			list with single traffic selector to compare with
+	 * @param host			address to use for narrowing "dynamic" TS', or NULL
+	 * @return				TRUE if TS are equal, FALSE otherwise
+	 */ 
+	bool (*equal_traffic_selectors)(child_cfg_t *this, bool local,
+								   linked_list_t *ts_list, host_t *host);
+
 	/**
 	 * Get the updown script to run for the CHILD_SA.
 	 * 
@@ -219,6 +230,31 @@ struct child_cfg_t {
 	 * 						FALSE, otherwise
 	 */
 	bool (*use_ipcomp)(child_cfg_t *this);
+
+	/**
+	 * Sets two options needed for Mobile IPv6 interoperability
+	 * 
+	 * @proxy_mode			use IPsec transport proxy mode (default FALSE)
+	 * @install_policy		install IPsec kernel policies (default TRUE)
+	 */
+	void (*set_mipv6_options)(child_cfg_t *this, bool proxy_mod,
+												 bool install_policy);
+
+	/**
+	 * Check whether IPsec transport SA should be set up in proxy mode
+	 * 
+	 * @return				TRUE, if proxy mode should be used
+	 * 						FALSE, otherwise
+	 */
+	bool (*use_proxy_mode)(child_cfg_t *this);
+	
+	/**
+	 * Check whether IPsec policies should be installed in the kernel
+	 * 
+	 * @return				TRUE, if IPsec kernel policies should be installed
+	 * 						FALSE, otherwise
+	 */
+	bool (*install_policy)(child_cfg_t *this);
 	
 	/**
 	 * Increase the reference count.
@@ -261,7 +297,6 @@ struct child_cfg_t {
 child_cfg_t *child_cfg_create(char *name, u_int32_t lifetime,
 							  u_int32_t rekeytime, u_int32_t jitter,
 							  char *updown, bool hostaccess, ipsec_mode_t mode,
-							  action_t dpd_action, action_t close_action,
-							  bool ipcomp);
+							  action_t dpd_action, action_t close_action, bool ipcomp);
 
 #endif /* CHILD_CFG_H_ @} */
diff --git a/src/charon/config/peer_cfg.c b/src/charon/config/peer_cfg.c
index 04f323128..9cbca040d 100644
--- a/src/charon/config/peer_cfg.c
+++ b/src/charon/config/peer_cfg.c
@@ -14,14 +14,16 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: peer_cfg.c 4276 2008-08-22 10:44:51Z martin $
+ * $Id: peer_cfg.c 4612 2008-11-11 06:37:37Z andreas $
  */
 
 #include <string.h>
-#include <pthread.h>
 
 #include "peer_cfg.h"
 
+#include <daemon.h>
+
+#include <utils/mutex.h>
 #include <utils/linked_list.h>
 #include <utils/identification.h>
 
@@ -77,7 +79,7 @@ struct private_peer_cfg_t {
 	/**
 	 * mutex to lock access to list of child_cfgs
 	 */
-	pthread_mutex_t mutex;
+	mutex_t *mutex;
 	
 	/**
 	 * id to use to identify us
@@ -197,9 +199,9 @@ static ike_cfg_t* get_ike_cfg(private_peer_cfg_t *this)
  */
 static void add_child_cfg(private_peer_cfg_t *this, child_cfg_t *child_cfg)
 {
-	pthread_mutex_lock(&this->mutex);
+	this->mutex->lock(this->mutex);
 	this->child_cfgs->insert_last(this->child_cfgs, child_cfg);
-	pthread_mutex_unlock(&this->mutex);
+	this->mutex->unlock(this->mutex);
 }
 
 /**
@@ -207,9 +209,9 @@ static void add_child_cfg(private_peer_cfg_t *this, child_cfg_t *child_cfg)
  */
 static void remove_child_cfg(private_peer_cfg_t *this, enumerator_t *enumerator)
 {
-	pthread_mutex_lock(&this->mutex);
+	this->mutex->lock(this->mutex);
 	this->child_cfgs->remove_at(this->child_cfgs, enumerator);
-	pthread_mutex_unlock(&this->mutex);
+	this->mutex->unlock(this->mutex);
 }
 
 /**
@@ -219,25 +221,29 @@ static enumerator_t* create_child_cfg_enumerator(private_peer_cfg_t *this)
 {
 	enumerator_t *enumerator;
 
-	pthread_mutex_lock(&this->mutex);
+	this->mutex->lock(this->mutex);
 	enumerator = this->child_cfgs->create_enumerator(this->child_cfgs);
 	return enumerator_create_cleaner(enumerator,
-									 (void*)pthread_mutex_unlock, &this->mutex);
+									 (void*)this->mutex->unlock, this->mutex);
 }
 
 /**
  * Check if child_cfg contains traffic selectors
  */
-static bool contains_ts(child_cfg_t *child, bool mine, linked_list_t *ts,
+static int contains_ts(child_cfg_t *child, bool mine, linked_list_t *ts,
 						host_t *host)
 {
 	linked_list_t *selected;
-	bool contains = FALSE;
+	int prio;
 	
+	if (child->equal_traffic_selectors(child, mine, ts, host))
+	{
+		return 2;
+	}
 	selected = child->get_traffic_selectors(child, mine, ts, host);
-	contains = selected->get_count(selected);
+	prio = selected->get_count(selected) ? 1 : 0;
 	selected->destroy_offset(selected, offsetof(traffic_selector_t, destroy));
-	return contains;
+	return prio;
 }
 
 /**
@@ -250,18 +256,33 @@ static child_cfg_t* select_child_cfg(private_peer_cfg_t *this,
 {
 	child_cfg_t *current, *found = NULL;
 	enumerator_t *enumerator;
-	
+	int best = 0;
+
+	DBG2(DBG_CFG, "looking for a child config for %#R=== %#R", my_ts, other_ts);	
 	enumerator = create_child_cfg_enumerator(this);
 	while (enumerator->enumerate(enumerator, &current))
 	{
-		if (contains_ts(current, TRUE, my_ts, my_host) &&
-			contains_ts(current, FALSE, other_ts, other_host))
+		int prio = contains_ts(current, TRUE, my_ts, my_host) +
+				   contains_ts(current, FALSE, other_ts, other_host);
+
+		if (prio)
 		{
-			found = current->get_ref(current);
-			break;
+			DBG2(DBG_CFG, "  candidate \"%s\" with prio %d",
+				 current->get_name(current), prio);
+			if (prio > best)
+			{
+				best = prio;
+				DESTROY_IF(found);
+				found = current->get_ref(current);
+			}
 		}
 	}
 	enumerator->destroy(enumerator);
+	if (found)
+	{
+		DBG2(DBG_CFG, "found matching child config \"%s\" with prio %d",
+			 found->get_name(found), best);
+	}
 	return found;
 }
 
@@ -480,6 +501,7 @@ static void destroy(private_peer_cfg_t *this)
 		DESTROY_IF(this->mediated_by);
 		DESTROY_IF(this->peer_id);
 #endif /* ME */
+		this->mutex->destroy(this->mutex);
 		free(this->name);
 		free(this->pool);
 		free(this);
@@ -536,7 +558,7 @@ peer_cfg_t *peer_cfg_create(char *name, u_int ike_version, ike_cfg_t *ike_cfg,
 	this->ike_version = ike_version;
 	this->ike_cfg = ike_cfg;
 	this->child_cfgs = linked_list_create();
-	pthread_mutex_init(&this->mutex, NULL);
+	this->mutex = mutex_create(MUTEX_DEFAULT);
 	this->my_id = my_id;
 	this->other_id = other_id;
 	this->cert_policy = cert_policy;
diff --git a/src/charon/config/proposal.c b/src/charon/config/proposal.c
index b1c049fe8..202dc913a 100644
--- a/src/charon/config/proposal.c
+++ b/src/charon/config/proposal.c
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: proposal.c 4390 2008-10-08 12:57:11Z martin $
+ * $Id: proposal.c 4635 2008-11-12 08:27:48Z martin $
  */
 
 #include <string.h>
diff --git a/src/charon/config/traffic_selector.c b/src/charon/config/traffic_selector.c
index 63172f855..d4235c32a 100644
--- a/src/charon/config/traffic_selector.c
+++ b/src/charon/config/traffic_selector.c
@@ -14,7 +14,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: traffic_selector.c 4199 2008-07-21 19:08:03Z andreas $
+ * $Id: traffic_selector.c 4639 2008-11-12 15:09:24Z martin $
  */
 
 #include <arpa/inet.h>
@@ -134,8 +134,9 @@ static u_int8_t calc_netbits(private_traffic_selector_t *this)
 	int byte, bit;
 	size_t size = (this->type == TS_IPV4_ADDR_RANGE) ? 4 : 16;
 	
-	/* go trough all bits of the addresses, begging in the front. 
-	 * As longer as they equal, the subnet gets larger */
+	/* go trough all bits of the addresses, beginning in the front.
+	 * as long as they are equal, the subnet gets larger
+	 */
 	for (byte = 0; byte < size; byte++)
 	{
 		for (bit = 7; bit >= 0; bit--)
@@ -405,26 +406,15 @@ static bool equals(private_traffic_selector_t *this, private_traffic_selector_t
  */
 static chunk_t get_from_address(private_traffic_selector_t *this)
 {
-	chunk_t from = chunk_empty;
-	
 	switch (this->type)
 	{
 		case TS_IPV4_ADDR_RANGE:
-		{
-			from.len = sizeof(this->from4);
-			from.ptr = malloc(from.len);
-			memcpy(from.ptr, this->from4, from.len);
-			break;
-		}
+			return chunk_create(this->from, sizeof(this->from4));
 		case TS_IPV6_ADDR_RANGE:
-		{
-			from.len = sizeof(this->from6);
-			from.ptr = malloc(from.len);
-			memcpy(from.ptr, this->from6, from.len);
-			break;
-		}
+			return chunk_create(this->from, sizeof(this->from6));
+		default:
+			return chunk_empty;
 	}
-	return from;
 }
 	
 /**
@@ -432,26 +422,15 @@ static chunk_t get_from_address(private_traffic_selector_t *this)
  */
 static chunk_t get_to_address(private_traffic_selector_t *this)
 {
-	chunk_t to = chunk_empty;
-	
 	switch (this->type)
 	{
 		case TS_IPV4_ADDR_RANGE:
-		{
-			to.len = sizeof(this->to4);
-			to.ptr = malloc(to.len);
-			memcpy(to.ptr, this->to4, to.len);
-			break;
-		}
+			return chunk_create(this->to, sizeof(this->to4));
 		case TS_IPV6_ADDR_RANGE:
-		{
-			to.len = sizeof(this->to6);
-			to.ptr = malloc(to.len);
-			memcpy(to.ptr, this->to6, to.len);
-			break;
-		}
+			return chunk_create(this->to, sizeof(this->to6));
+		default:
+			return chunk_empty;
 	}
-	return to;
 }
 	
 /**
@@ -524,6 +503,14 @@ static bool is_host(private_traffic_selector_t *this, host_t *host)
 	return FALSE;
 }
 
+/**
+ * Implementation of traffic_selector_t.is_dynamic
+ */
+static bool is_dynamic(private_traffic_selector_t *this)
+{
+	return this->dynamic;
+}
+
 /**
  * Implements traffic_selector_t.set_address.
  */
@@ -582,6 +569,60 @@ static bool includes(private_traffic_selector_t *this, host_t *host)
 	return FALSE;	
 }
 
+/**
+ * Implements traffic_selector_t.to_subnet.
+ */
+static void to_subnet(private_traffic_selector_t *this, host_t **net, u_int8_t *mask)
+{
+	/* there is no way to do this cleanly, as the address range may
+	 * be anything else but a subnet. We use from_addr as subnet 
+	 * and try to calculate a usable subnet mask.
+	 */
+	int family, byte;
+	u_int16_t port = 0;
+	chunk_t net_chunk;
+	
+	*mask = calc_netbits(this);
+	
+	switch (this->type)
+	{
+		case TS_IPV4_ADDR_RANGE:
+		{
+			family = AF_INET;
+			net_chunk.len = sizeof(this->from4);
+			break;
+		}
+		case TS_IPV6_ADDR_RANGE:
+		{
+			family = AF_INET6;
+			net_chunk.len = sizeof(this->from6);
+			break;
+		}
+		default:
+		{
+			/* unreachable */
+			return;
+		}
+	}
+	
+	net_chunk.ptr = malloc(net_chunk.len);
+	memcpy(net_chunk.ptr, this->from, net_chunk.len);
+	
+	for (byte = net_chunk.len - 1; byte >= (*mask / 8); --byte)
+	{
+		int shift = (byte + 1) * 8 - *mask;
+		net_chunk.ptr[byte] = net_chunk.ptr[byte] & (0xFF << shift);
+	}
+	
+	if (this->to_port == this->from_port)
+	{
+		port = this->to_port;
+	}
+	
+	*net = host_create_from_chunk(family, net_chunk, port);	
+	chunk_free(&net_chunk);
+}
+
 /**
  * Implements traffic_selector_t.clone.
  */
@@ -814,9 +855,11 @@ static private_traffic_selector_t *traffic_selector_create(u_int8_t protocol,
 	this->public.get_type = (ts_type_t(*)(traffic_selector_t*))get_type;
 	this->public.get_protocol = (u_int8_t(*)(traffic_selector_t*))get_protocol;
 	this->public.is_host = (bool(*)(traffic_selector_t*,host_t*))is_host;
+	this->public.is_dynamic = (bool(*)(traffic_selector_t*))is_dynamic;
 	this->public.is_contained_in = (bool(*)(traffic_selector_t*,traffic_selector_t*))is_contained_in;
 	this->public.includes = (bool(*)(traffic_selector_t*,host_t*))includes;
 	this->public.set_address = (void(*)(traffic_selector_t*,host_t*))set_address;
+	this->public.to_subnet = (void(*)(traffic_selector_t*,host_t**,u_int8_t*))to_subnet;
 	this->public.clone = (traffic_selector_t*(*)(traffic_selector_t*))clone_;
 	this->public.destroy = (void(*)(traffic_selector_t*))destroy;
 	
diff --git a/src/charon/config/traffic_selector.h b/src/charon/config/traffic_selector.h
index 4b079a8e0..d97ffdea0 100644
--- a/src/charon/config/traffic_selector.h
+++ b/src/charon/config/traffic_selector.h
@@ -14,7 +14,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: traffic_selector.h 3658 2008-03-26 10:06:45Z martin $
+ * $Id: traffic_selector.h 4643 2008-11-12 22:57:46Z andreas $
  */
 
 /**
@@ -92,7 +92,7 @@ struct traffic_selector_t {
 	/**
 	 * Get starting address of this ts as a chunk.
 	 *
-	 * Chunk is in network order gets allocated.
+	 * Chunk is in network order and points to internal data.
 	 *
 	 * @return			chunk containing the address
 	 */
@@ -101,7 +101,7 @@ struct traffic_selector_t {
 	/**
 	 * Get ending address of this ts as a chunk.
 	 *
-	 * Chunk is in network order gets allocated.
+	 * Chunk is in network order and points to internal data.
 	 *
 	 * @return			chunk containing the address
 	 */
@@ -154,6 +154,13 @@ struct traffic_selector_t {
 	 */
 	bool (*is_host) (traffic_selector_t *this, host_t* host);
 	
+	/**
+	 * Check if a traffic selector has been created by create_dynamic().
+	 *
+	 * @return			TRUE if TS is dynamic
+	 */
+	bool (*is_dynamic)(traffic_selector_t *this);
+	
 	/**
 	 * Update the address of a traffic selector.
 	 *
@@ -168,7 +175,7 @@ struct traffic_selector_t {
 	 * Compare two traffic selectors for equality.
 	 * 
 	 * @param other		ts to compare with this
-	 * @return 			pointer to a string.
+	 * @return 			TRUE if equal, FALSE otherwise
 	 */
 	bool (*equals) (traffic_selector_t *this, traffic_selector_t *other);
 	
@@ -190,6 +197,17 @@ struct traffic_selector_t {
 	 */
 	bool (*includes) (traffic_selector_t *this, host_t *host);
 	
+	/**
+	 * Convert a traffic selector address range to a subnet
+	 * and its net mask.
+	 * If from and to ports of this traffic selector are equal,
+	 * the port of the returned host_t is set to that port.
+	 * 
+	 * @param net		converted subnet (has to be freed)
+	 * @param mask		converted net mask
+	 */
+	void (*to_subnet) (traffic_selector_t *this, host_t **net, u_int8_t *mask);
+	
 	/**
 	 * Destroys the ts object
 	 */
@@ -225,7 +243,7 @@ traffic_selector_t *traffic_selector_create_from_string(
  * @param type			type of following addresses, such as TS_IPV4_ADDR_RANGE
  * @param from_address	start of address range, network order
  * @param from_port		port number, host order
- * @param to_address	end of address range as string, network
+ * @param to_address	end of address range, network order
  * @param to_port		port number, host order
  * @return				traffic_selector_t object
  */
diff --git a/src/charon/control/controller.c b/src/charon/control/controller.c
index c124f439a..ed52cb0d6 100644
--- a/src/charon/control/controller.c
+++ b/src/charon/control/controller.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: controller.c 4192 2008-07-18 15:51:40Z martin $
+ * $Id: controller.c 4434 2008-10-14 08:52:13Z martin $
  */
 
 #include "controller.h"
@@ -27,7 +27,7 @@
 
 
 typedef struct private_controller_t private_controller_t;
-typedef struct interface_bus_listener_t interface_bus_listener_t;
+typedef struct interface_listener_t interface_listener_t;
 
 /**
  * Private data of an stroke_t object.
@@ -40,27 +40,21 @@ struct private_controller_t {
 	controller_t public;
 };
 
-
 /**
- * helper struct to map bus listener callbacks to interface callbacks
+ * helper struct to map listener callbacks to interface callbacks
  */
-struct interface_bus_listener_t {
+struct interface_listener_t {
 
 	/**
 	 * public bus listener interface
 	 */
-	bus_listener_t public;
+	listener_t public;
 	
 	/**
 	 * status of the operation, return to method callers
 	 */
 	status_t status;
 	
-	/**
-	 * IKE SA to filter log output
-	 */
-	ike_sa_t *ike_sa;
-	
 	/**
 	 *  interface callback (listener gets redirected to here)
 	 */
@@ -81,6 +75,16 @@ struct interface_bus_listener_t {
 	 */
 	peer_cfg_t *peer_cfg;
 	
+	/**
+	 * IKE_SA to handle
+	 */
+	ike_sa_t *ike_sa;
+	
+	/**
+	 * CHILD_SA to handle
+	 */
+	child_sa_t *child_sa;
+	
 	/**
 	 * unique ID, used for various methods
 	 */
@@ -102,38 +106,88 @@ struct interface_job_t {
 	/** 
 	 * associated listener 
 	 */
-	interface_bus_listener_t listener;
+	interface_listener_t listener;
 };
 
 /**
- * Implementation of controller_t.create_ike_sa_iterator.
+ * listener log function
  */
-static enumerator_t* create_ike_sa_enumerator(controller_t *this)
+static bool listener_log(interface_listener_t *this, debug_t group,
+						 level_t level, int thread, ike_sa_t *ike_sa,
+						 char* format, va_list args)
 {
-	return charon->ike_sa_manager->create_enumerator(charon->ike_sa_manager);
+	if (this->ike_sa == ike_sa)
+	{
+		if (!this->callback(this->param, group, level, ike_sa, format, args))
+		{
+			return FALSE;
+		}
+	}
+	return TRUE;
 }
 
 /**
- * listener function for initiate
+ * Implementation of listener_t.ike_state_change
  */
-static bool initiate_listener(interface_bus_listener_t *this, signal_t signal,
-							  level_t level, int thread, ike_sa_t *ike_sa,
-							  void* data, char* format, va_list args)
+static bool listener_ike_state(interface_listener_t *this, ike_sa_t *ike_sa,
+							   ike_sa_state_t state)
 {
 	if (this->ike_sa == ike_sa)
 	{
-		if (!this->callback(this->param, signal, level, ike_sa, data,
-							format, args))
+		switch (state)
 		{
-			return FALSE;
+#ifdef ME
+			case IKE_ESTABLISHED:
+			{	/* mediation connections are complete without CHILD_SA */
+				peer_cfg_t *peer_cfg = ike_sa->get_peer_cfg(ike_sa);
+				
+				if (peer_cfg->is_mediation(peer_cfg))
+				{
+					this->status = SUCCESS;
+					return FALSE;
+				}
+				break;
+			}
+#endif /* ME */
+			case IKE_DESTROYING:
+				if (ike_sa->get_state(ike_sa) == IKE_DELETING)
+				{	/* proper termination */
+					this->status = SUCCESS;
+				}
+				return FALSE;
+			default:
+				break;
 		}
-		switch (signal)
+	}
+	return TRUE;
+}
+
+/**
+ * Implementation of listener_t.child_state_change
+ */
+static bool listener_child_state(interface_listener_t *this, ike_sa_t *ike_sa,
+								 child_sa_t *child_sa, child_sa_state_t state)
+{
+	if (this->ike_sa == ike_sa)
+	{
+		switch (state)
 		{
-			case CHD_UP_SUCCESS:
+			case CHILD_ROUTED:
+			case CHILD_INSTALLED:
 				this->status = SUCCESS;
 				return FALSE;
-			case IKE_UP_FAILED:
-			case CHD_UP_FAILED:
+			case CHILD_DESTROYING:
+				switch (child_sa->get_state(child_sa))
+				{
+					case CHILD_ROUTED:
+						/* has been unrouted */
+					case CHILD_DELETING:
+						/* proper delete */
+						this->status = SUCCESS;
+						break;
+					default:
+						break;
+				}
 				return FALSE;
 			default:
 				break;
@@ -142,13 +196,33 @@ static bool initiate_listener(interface_bus_listener_t *this, signal_t signal,
 	return TRUE;
 }
 
+/**
+ * cleanup job if job is never executed
+ */
+static void recheckin(interface_job_t *job)
+{
+	if (job->listener.ike_sa)
+	{
+		charon->ike_sa_manager->checkin(charon->ike_sa_manager,
+										job->listener.ike_sa);
+	}
+}
+
+/**
+ * Implementation of controller_t.create_ike_sa_iterator.
+ */
+static enumerator_t* create_ike_sa_enumerator(controller_t *this)
+{
+	return charon->ike_sa_manager->create_enumerator(charon->ike_sa_manager);
+}
+
 /**
  * execute function for initiate
  */
 static status_t initiate_execute(interface_job_t *job)
 {
 	ike_sa_t *ike_sa;
-	interface_bus_listener_t *listener = &job->listener;
+	interface_listener_t *listener = &job->listener;
 	peer_cfg_t *peer_cfg = listener->peer_cfg;
 	
 	ike_sa = charon->ike_sa_manager->checkout_by_config(charon->ike_sa_manager,
@@ -176,72 +250,41 @@ static status_t initiate(private_controller_t *this,
 						 peer_cfg_t *peer_cfg, child_cfg_t *child_cfg,
 						 controller_cb_t callback, void *param)
 {
-	interface_job_t job;
-
-	job.listener.public.signal = (void*)initiate_listener;
-	job.listener.ike_sa = NULL;
-	job.listener.callback = callback;
-	job.listener.param = param;
-	job.listener.status = FAILED;
-	job.listener.child_cfg = child_cfg;
-	job.listener.peer_cfg = peer_cfg;
-	job.public.execute = (void*)initiate_execute;
-	job.public.destroy = nop;
-
+	interface_job_t job = {
+		.listener = {
+			.public = {
+				.log = (void*)listener_log,
+				.ike_state_change = (void*)listener_ike_state,
+				.child_state_change = (void*)listener_child_state,
+			},
+			.callback = callback,
+			.param = param,
+			.status = FAILED,
+			.child_cfg = child_cfg,
+			.peer_cfg = peer_cfg,
+		},
+		.public = {
+			.execute = (void*)initiate_execute,
+			.destroy = (void*)recheckin,
+		},
+	};
 	if (callback == NULL)
 	{
 		return initiate_execute(&job);
 	}
-	charon->bus->listen(charon->bus, (bus_listener_t*)&job.listener, (job_t*)&job);
+	charon->bus->listen(charon->bus, &job.listener.public, (job_t*)&job);
 	return job.listener.status;
 }
 
-/**
- * listener function for terminate_ike
- */
-static bool terminate_ike_listener(interface_bus_listener_t *this, signal_t signal,
-								   level_t level, int thread, ike_sa_t *ike_sa,
-								   void* data, char* format, va_list args)
-{
-	if (this->ike_sa == ike_sa)
-	{
-		if (!this->callback(this->param, signal, level, ike_sa,
-							data, format, args))
-		{
-			return FALSE;
-		}
-		switch (signal)
-		{
-			case IKE_DOWN_SUCCESS:
-				this->status = SUCCESS;
-				return FALSE;
-			case IKE_DOWN_FAILED:
-				return FALSE;
-			default:
-				break;
-		}
-	}
-	return TRUE;
-}
-
 /**
  * execute function for terminate_ike
  */
 static status_t terminate_ike_execute(interface_job_t *job)
 {
-	ike_sa_t *ike_sa;
-	interface_bus_listener_t *listener = &job->listener;
-	
-	ike_sa = charon->ike_sa_manager->checkout_by_id(charon->ike_sa_manager,
-													listener->id, FALSE);
-	if (ike_sa == NULL)
-	{
-		SIG_IKE(DOWN_FAILED, "unable to terminate, IKE_SA with "
-			"ID %d not found", listener->id);
-		return NOT_FOUND;
-	}	
-	listener->ike_sa = ike_sa;						
+	interface_listener_t *listener = &job->listener;
+	ike_sa_t *ike_sa = listener->ike_sa;
 	
+	charon->bus->set_sa(charon->bus, ike_sa);
 	if (ike_sa->delete(ike_sa) == DESTROY_ME)
 	{
 		return charon->ike_sa_manager->checkin_and_destroy(
@@ -256,79 +299,103 @@ static status_t terminate_ike_execute(interface_job_t *job)
 static status_t terminate_ike(controller_t *this, u_int32_t unique_id, 
 							  controller_cb_t callback, void *param)
 {
-	interface_job_t job;
+	ike_sa_t *ike_sa;
+	interface_job_t job = {
+		.listener = {
+			.public = {
+				.log = (void*)listener_log,
+				.ike_state_change = (void*)listener_ike_state,
+				.child_state_change = (void*)listener_child_state,
+			},
+			.callback = callback,
+			.param = param,
+			.status = FAILED,
+			.id = unique_id,
+		},
+		.public = {
+			.execute = (void*)terminate_ike_execute,
+			.destroy = (void*)recheckin,
+		},
+	};
+	
+	ike_sa = charon->ike_sa_manager->checkout_by_id(charon->ike_sa_manager,
+													unique_id, FALSE);
+	if (ike_sa == NULL)
+	{
+		DBG1(DBG_IKE, "unable to terminate IKE_SA: ID %d not found", unique_id);
+		return NOT_FOUND;
+	}
+	job.listener.ike_sa = ike_sa;
 	
-	job.listener.public.signal = (void*)terminate_ike_listener;
-	job.listener.ike_sa = NULL;
-	job.listener.callback = callback;
-	job.listener.param = param;
-	job.listener.status = FAILED;
-	job.listener.id = unique_id;
-	job.public.execute = (void*)terminate_ike_execute;
-	job.public.destroy = nop;
-
 	if (callback == NULL)
 	{
 		return terminate_ike_execute(&job);
 	}
-	charon->bus->listen(charon->bus, (bus_listener_t*)&job.listener, (job_t*)&job);
+	charon->bus->listen(charon->bus, &job.listener.public, (job_t*)&job);
 	return job.listener.status;
 }
+
 /**
- * listener function for terminate_child
+ * execute function for terminate_child
  */
-static bool terminate_child_listener(interface_bus_listener_t *this, signal_t signal,
-									 level_t level, int thread, ike_sa_t *ike_sa,
-									 void* data, char* format, va_list args)
+static status_t terminate_child_execute(interface_job_t *job)
 {
-	if (this->ike_sa == ike_sa)
+	interface_listener_t *listener = &job->listener;
+	ike_sa_t *ike_sa = listener->ike_sa;
+	child_sa_t *child_sa = listener->child_sa;
+	
+	charon->bus->set_sa(charon->bus, ike_sa);
+	if (ike_sa->delete_child_sa(ike_sa, child_sa->get_protocol(child_sa),
+								child_sa->get_spi(child_sa, TRUE)) == DESTROY_ME)
 	{
-		if (!this->callback(this->param, signal, level, ike_sa,
-							data, format, args))
-		{
-			return FALSE;
-		}
-		switch (signal)
-		{
-			case CHD_DOWN_SUCCESS:
-			case IKE_DOWN_SUCCESS:
-				this->status = SUCCESS;
-				return FALSE;
-			case IKE_DOWN_FAILED:
-			case CHD_DOWN_FAILED:
-				return FALSE;
-			default:
-				break;
-		}
+		return charon->ike_sa_manager->checkin_and_destroy(
+												charon->ike_sa_manager, ike_sa);
 	}
-	return TRUE;
+	return charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
 }
 
 /**
- * execute function for terminate_child
+ * Implementation of controller_t.terminate_child.
  */
-static status_t terminate_child_execute(interface_job_t *job)
+static status_t terminate_child(controller_t *this, u_int32_t reqid, 
+								controller_cb_t callback, void *param)
 {
 	ike_sa_t *ike_sa;
 	child_sa_t *child_sa;
 	iterator_t *iterator;
-	interface_bus_listener_t *listener = &job->listener;
+	interface_job_t job = {
+		.listener = {
+			.public = {
+				.log = (void*)listener_log,
+				.ike_state_change = (void*)listener_ike_state,
+				.child_state_change = (void*)listener_child_state,
+			},
+			.callback = callback,
+			.param = param,
+			.status = FAILED,
+			.id = reqid,
+		},
+		.public = {
+			.execute = (void*)terminate_child_execute,
+			.destroy = (void*)recheckin,
+		},
+	};
 	
 	ike_sa = charon->ike_sa_manager->checkout_by_id(charon->ike_sa_manager,
-													listener->id, TRUE);							
+													reqid, TRUE);							
 	if (ike_sa == NULL)
 	{
-		SIG_CHD(DOWN_FAILED, NULL, "unable to terminate, CHILD_SA with "
-				"ID %d not found", listener->id);
+		DBG1(DBG_IKE, "unable to terminate, CHILD_SA with ID %d not found",
+			 reqid);
 		return NOT_FOUND;
 	}
-	listener->ike_sa = ike_sa;
+	job.listener.ike_sa = ike_sa;
 	
 	iterator = ike_sa->create_child_sa_iterator(ike_sa);
 	while (iterator->iterate(iterator, (void**)&child_sa))
 	{
 		if (child_sa->get_state(child_sa) != CHILD_ROUTED &&
-			child_sa->get_reqid(child_sa) == listener->id)
+			child_sa->get_reqid(child_sa) == reqid)
 		{
 			break;
 		}
@@ -338,90 +405,30 @@ static status_t terminate_child_execute(interface_job_t *job)
 	
 	if (child_sa == NULL)
 	{
-		SIG_CHD(DOWN_FAILED, NULL, "unable to terminate, established "
-				"CHILD_SA with ID %d not found", listener->id);
+		DBG1(DBG_IKE, "unable to terminate, established "
+			 "CHILD_SA with ID %d not found", reqid);
 		charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
 		return NOT_FOUND;
 	}
-	
-	if (ike_sa->delete_child_sa(ike_sa, child_sa->get_protocol(child_sa),
-								child_sa->get_spi(child_sa, TRUE)) == DESTROY_ME)
-	{
-		return charon->ike_sa_manager->checkin_and_destroy(
-												charon->ike_sa_manager, ike_sa);
-	}
-	return charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
-}
-
-/**
- * Implementation of controller_t.terminate_child.
- */
-static status_t terminate_child(controller_t *this, u_int32_t reqid, 
-								controller_cb_t callback, void *param)
-{
-	interface_job_t job;
-	
-	job.listener.public.signal = (void*)terminate_child_listener;
-	job.listener.ike_sa = NULL;
-	job.listener.callback = callback;
-	job.listener.param = param;
-	job.listener.status = FAILED;
-	job.listener.id = reqid;
-	job.public.execute = (void*)terminate_child_execute;
-	job.public.destroy = nop;
+	job.listener.child_sa = child_sa;
 
 	if (callback == NULL)
 	{
 		return terminate_child_execute(&job);
 	}
-	charon->bus->listen(charon->bus, (bus_listener_t*)&job.listener, (job_t*)&job);	
+	charon->bus->listen(charon->bus, &job.listener.public, (job_t*)&job);
 	return job.listener.status;
 }
 
-/**
- * listener function for route
- */
-static bool route_listener(interface_bus_listener_t *this, signal_t signal,
-						   level_t level, int thread, ike_sa_t *ike_sa,
-						   void* data, char* format, va_list args)
-{
-	if (this->ike_sa == ike_sa)
-	{
-		if (!this->callback(this->param, signal, level, ike_sa,
-							data, format, args))
-		{
-			return FALSE;
-		}
-		switch (signal)
-		{
-			case CHD_ROUTE_SUCCESS:
-				this->status = SUCCESS;
-				return FALSE;
-			case CHD_ROUTE_FAILED:
-				return FALSE;
-			default:
-				break;
-		}
-	}
-	return TRUE;
-}
-
 /**
  * execute function for route
  */
 static status_t route_execute(interface_job_t *job)
 {
-	ike_sa_t *ike_sa;
-	interface_bus_listener_t *listener = &job->listener;
-	peer_cfg_t *peer_cfg = listener->peer_cfg;
-	ike_sa = charon->ike_sa_manager->checkout_by_config(charon->ike_sa_manager,
-														peer_cfg);
-	listener->ike_sa = ike_sa;
+	interface_listener_t *listener = &job->listener;
+	ike_sa_t *ike_sa = listener->ike_sa;
 	
-	if (ike_sa->get_peer_cfg(ike_sa) == NULL)
-	{
-		ike_sa->set_peer_cfg(ike_sa, peer_cfg);
-	}
+	charon->bus->set_sa(charon->bus, ike_sa);
 	if (ike_sa->route(ike_sa, listener->child_cfg) == DESTROY_ME)
 	{
 		return charon->ike_sa_manager->checkin_and_destroy(
@@ -437,70 +444,49 @@ static status_t route(controller_t *this,
 					  peer_cfg_t *peer_cfg, child_cfg_t *child_cfg,
 					  controller_cb_t callback, void *param)
 {
-	interface_job_t job;
+	ike_sa_t *ike_sa;
+	interface_job_t job = {
+		.listener = {
+			.public = {
+				.log = (void*)listener_log,
+				.ike_state_change = (void*)listener_ike_state,
+				.child_state_change = (void*)listener_child_state,
+			},
+			.callback = callback,
+			.param = param,
+			.status = FAILED,
+			.peer_cfg = peer_cfg,
+			.child_cfg = child_cfg,
+		},
+		.public = {
+			.execute = (void*)route_execute,
+			.destroy = (void*)recheckin,
+		},
+	};
 	
-	job.listener.public.signal = (void*)route_listener;
-	job.listener.ike_sa = NULL;
-	job.listener.callback = callback;
-	job.listener.param = param;
-	job.listener.status = FAILED;
-	job.listener.peer_cfg = peer_cfg;
-	job.listener.child_cfg = child_cfg;
-	job.public.execute = (void*)route_execute;
-	job.public.destroy = nop;
-
+	ike_sa = charon->ike_sa_manager->checkout_by_config(charon->ike_sa_manager,
+														peer_cfg);
+	if (ike_sa->get_peer_cfg(ike_sa) == NULL)
+	{
+		ike_sa->set_peer_cfg(ike_sa, peer_cfg);
+	}
+	job.listener.ike_sa = ike_sa;
 	if (callback == NULL)
 	{
 		return route_execute(&job);
 	}
-	charon->bus->listen(charon->bus, (bus_listener_t*)&job.listener, (job_t*)&job);
+	charon->bus->listen(charon->bus, &job.listener.public, (job_t*)&job);
 	return job.listener.status;
 }
 
-/**
- * listener function for unroute
- */
-static bool unroute_listener(interface_bus_listener_t *this, signal_t signal,
-						     level_t level, int thread, ike_sa_t *ike_sa,
-						     void* data, char* format, va_list args)
-{
-	if (this->ike_sa == ike_sa)
-	{
-		if (!this->callback(this->param, signal, level, ike_sa, 
-							data, format, args))
-		{
-			return FALSE;
-		}
-		switch (signal)
-		{
-			case CHD_UNROUTE_SUCCESS:
-				this->status = SUCCESS;
-				return FALSE;
-			case CHD_UNROUTE_FAILED:
-				return FALSE;
-			default:
-				break;
-		}
-	}
-	return TRUE;
-}
 /**
  * execute function for unroute
  */
 static status_t unroute_execute(interface_job_t *job)
 {
-	ike_sa_t *ike_sa;
-	interface_bus_listener_t *listener = &job->listener;
+	interface_listener_t *listener = &job->listener;
+	ike_sa_t *ike_sa = listener->ike_sa;
 	
-	ike_sa = charon->ike_sa_manager->checkout_by_id(charon->ike_sa_manager,
-													listener->id, TRUE);
-	if (ike_sa == NULL)
-	{
-		SIG_CHD(DOWN_FAILED, NULL, "unable to unroute, CHILD_SA with "
-				"ID %d not found", listener->id);
-		return NOT_FOUND;
-	}
-	listener->ike_sa = ike_sa;
 	if (ike_sa->unroute(ike_sa, listener->id) == DESTROY_ME)
 	{
 		return charon->ike_sa_manager->checkin_and_destroy(
@@ -515,30 +501,47 @@ static status_t unroute_execute(interface_job_t *job)
 static status_t unroute(controller_t *this, u_int32_t reqid, 
 						controller_cb_t callback, void *param)
 {
-	interface_job_t job;
+	ike_sa_t *ike_sa;
+	interface_job_t job = {
+		.listener = {
+			.public = {
+				.log = (void*)listener_log,
+				.ike_state_change = (void*)listener_ike_state,
+				.child_state_change = (void*)listener_child_state,
+			},
+			.callback = callback,
+			.param = param,
+			.status = FAILED,
+			.id = reqid,
+		},
+		.public = {
+			.execute = (void*)unroute_execute,
+			.destroy = (void*)recheckin,
+		},
+	};
 	
-	job.listener.public.signal = (void*)unroute_listener;
-	job.listener.ike_sa = NULL;
-	job.listener.callback = callback;
-	job.listener.param = param;
-	job.listener.status = FAILED;
-	job.listener.id = reqid;
-	job.public.execute = (void*)unroute_execute;
-	job.public.destroy = nop;
+	ike_sa = charon->ike_sa_manager->checkout_by_id(charon->ike_sa_manager,
+													reqid, TRUE);
+	if (ike_sa == NULL)
+	{
+		DBG1(DBG_IKE, "unable to unroute, CHILD_SA with ID %d not found", reqid);
+		return NOT_FOUND;
+	}
+	job.listener.ike_sa = ike_sa;
 
 	if (callback == NULL)
 	{
 		return unroute_execute(&job);
 	}
-	charon->bus->listen(charon->bus, (bus_listener_t*)&job.listener, (job_t*)&job);	
+	charon->bus->listen(charon->bus, &job.listener.public, (job_t*)&job);	
 	return job.listener.status;
 }
 
 /**
  * See header
  */
-bool controller_cb_empty(void *param, signal_t signal, level_t level,
-					ike_sa_t *ike_sa, void *data, char *format, va_list args)
+bool controller_cb_empty(void *param, debug_t group, level_t level,
+					ike_sa_t *ike_sa, char *format, va_list args)
 {
 	return TRUE;
 }
diff --git a/src/charon/control/controller.h b/src/charon/control/controller.h
index f40af0260..4609d7a8b 100644
--- a/src/charon/control/controller.h
+++ b/src/charon/control/controller.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: controller.h 4192 2008-07-18 15:51:40Z martin $
+ * $Id: controller.h 4624 2008-11-11 13:11:44Z tobias $
  */
 
 /**
@@ -29,26 +29,24 @@
  * callback to log things triggered by controller.
  *
  * @param param			echoed parameter supplied when function invoked
- * @param signal		type of signal
+ * @param group			debugging group
  * @param level			verbosity level if log
  * @param ike_sa		associated IKE_SA, if any
  * @param format		printf like format string
  * @param args			list of arguments to use for format
  * @return				FALSE to return from invoked function
  */
-typedef bool(*controller_cb_t)(void* param, signal_t signal, level_t level,
-							   ike_sa_t* ike_sa, void *data,
-							   char* format, va_list args);
+typedef bool(*controller_cb_t)(void* param, debug_t group, level_t level,
+							   ike_sa_t* ike_sa, char* format, va_list args);
 
 /**
  * Empty callback function for controller_t functions.
  *
- * If you wan't to do a syncrhonous call, but don't need a callback, pass
+ * If you want to do a synchronous call, but don't need a callback, pass
  * this function to the controllers methods.
  */
-bool controller_cb_empty(void *param, signal_t signal, level_t level,
-						 ike_sa_t *ike_sa, void *data,
-						 char *format, va_list args);
+bool controller_cb_empty(void *param, debug_t group, level_t level,
+						 ike_sa_t *ike_sa, char *format, va_list args);
 
 typedef struct controller_t controller_t;
 
@@ -59,7 +57,7 @@ typedef struct controller_t controller_t;
  * evaluate the result of the operation by listening on the bus.
  *
  * Passing NULL as callback to the managers function calls them asynchronously.
- * If a callback is specified, they are called synchronoulsy. There is a default
+ * If a callback is specified, they are called synchronously. There is a default
  * callback "controller_cb_empty" if you wan't to call a function
  * synchronously, but don't need a callback.
  */
@@ -78,7 +76,7 @@ struct controller_t {
 	/**
 	 * Initiate a CHILD_SA, and if required, an IKE_SA.
 	 *
-	 * The inititate() function is synchronous and thus blocks until the
+	 * The initiate() function is synchronous and thus blocks until the
 	 * IKE_SA is established or failed. Because of this, the initiate() function
 	 * contains a thread cancellation point.
 	 *
diff --git a/src/charon/credentials/credential_manager.c b/src/charon/credentials/credential_manager.c
index b11cdc0df..309115280 100644
--- a/src/charon/credentials/credential_manager.c
+++ b/src/charon/credentials/credential_manager.c
@@ -12,16 +12,15 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: credential_manager.c 4317 2008-09-02 11:00:13Z martin $
+ * $Id: credential_manager.c 4591 2008-11-05 16:12:54Z martin $
  */
 
-/* some clibs need it for rwlocks */
-#define _GNU_SOURCE
 #include <pthread.h>
 
 #include "credential_manager.h"
 
 #include <daemon.h>
+#include <utils/mutex.h>
 #include <utils/linked_list.h>
 #include <credentials/sets/cert_cache.h>
 #include <credentials/sets/auth_info_wrapper.h>
@@ -68,7 +67,7 @@ struct private_credential_manager_t {
 	/**
 	 * read-write lock to sets list
 	 */
-	pthread_rwlock_t lock;
+	rwlock_t *lock;
 };
 
 /** data to pass to create_private_enumerator */
@@ -170,7 +169,7 @@ static enumerator_t *create_sets_enumerator(private_credential_manager_t *this)
  */
 static void destroy_cert_data(cert_data_t *data)
 {
-	pthread_rwlock_unlock(&data->this->lock);
+	data->this->lock->unlock(data->this->lock);
 	free(data);
 }
 
@@ -197,7 +196,7 @@ static enumerator_t *create_cert_enumerator(private_credential_manager_t *this,
 	data->id = id;
 	data->trusted = trusted;
 	
-	pthread_rwlock_rdlock(&this->lock);
+	this->lock->read_lock(this->lock);
 	return enumerator_create_nested(create_sets_enumerator(this),
 									(void*)create_cert, data,
 									(void*)destroy_cert_data);
@@ -229,7 +228,7 @@ static certificate_t *get_cert(private_credential_manager_t *this,
  */
 static void destroy_cdp_data(cdp_data_t *data)
 {
-	pthread_rwlock_unlock(&data->this->lock);
+	data->this->lock->unlock(data->this->lock);
 	free(data);
 }
 
@@ -251,7 +250,7 @@ static enumerator_t * create_cdp_enumerator(private_credential_manager_t *this,
 	data->type = type;
 	data->id = id;
 	
-	pthread_rwlock_rdlock(&this->lock);
+	this->lock->read_lock(this->lock);
 	return enumerator_create_nested(create_sets_enumerator(this),
 									(void*)create_cdp, data,
 									(void*)destroy_cdp_data);
@@ -262,7 +261,7 @@ static enumerator_t * create_cdp_enumerator(private_credential_manager_t *this,
  */
 static void destroy_private_data(private_data_t *data)
 {
-	pthread_rwlock_unlock(&data->this->lock);
+	data->this->lock->unlock(data->this->lock);
 	free(data);
 }
 
@@ -287,7 +286,7 @@ static enumerator_t* create_private_enumerator(
 	data->this = this;
 	data->type = key;
 	data->keyid = keyid;
-	pthread_rwlock_rdlock(&this->lock);
+	this->lock->read_lock(this->lock);
 	return enumerator_create_nested(create_sets_enumerator(this),
 									(void*)create_private, data,
 									(void*)destroy_private_data);
@@ -316,7 +315,7 @@ static private_key_t *get_private_by_keyid(private_credential_manager_t *this,
  */
 static void destroy_shared_data(shared_data_t *data)
 {
-	pthread_rwlock_unlock(&data->this->lock);
+	data->this->lock->unlock(data->this->lock);
 	free(data);
 }
 
@@ -341,7 +340,7 @@ static enumerator_t *create_shared_enumerator(private_credential_manager_t *this
 	data->me = me;
 	data->other = other;
 	
-	pthread_rwlock_rdlock(&this->lock);
+	this->lock->read_lock(this->lock);
 	return enumerator_create_nested(create_sets_enumerator(this),
 									(void*)create_shared, data, 
 									(void*)destroy_shared_data);
@@ -412,7 +411,7 @@ static void cache_cert(private_credential_manager_t *this, certificate_t *cert)
 	credential_set_t *set;
 	enumerator_t *enumerator;
 	
-	if (pthread_rwlock_trywrlock(&this->lock) == 0)
+	if (this->lock->try_write_lock(this->lock))
 	{
 		enumerator = this->sets->create_enumerator(this->sets);
 		while (enumerator->enumerate(enumerator, &set))
@@ -423,10 +422,10 @@ static void cache_cert(private_credential_manager_t *this, certificate_t *cert)
 	}
 	else
 	{	/* we can't cache now as other threads are active, queue for later */
-		pthread_rwlock_rdlock(&this->lock);
+		this->lock->read_lock(this->lock);
 		this->cache_queue->insert_last(this->cache_queue, cert->get_ref(cert));
 	}
-	pthread_rwlock_unlock(&this->lock);
+	this->lock->unlock(this->lock);
 }
 
 /**
@@ -439,7 +438,7 @@ static void cache_queue(private_credential_manager_t *this)
 	enumerator_t *enumerator;
 	
 	if (this->cache_queue->get_count(this->cache_queue) > 0 &&
-		pthread_rwlock_trywrlock(&this->lock) == 0)
+		this->lock->try_write_lock(this->lock))
 	{
 		while (this->cache_queue->remove_last(this->cache_queue,
 											  (void**)&cert) == SUCCESS)
@@ -452,7 +451,7 @@ static void cache_queue(private_credential_manager_t *this)
 			enumerator->destroy(enumerator);
 			cert->destroy(cert);
 		}
-		pthread_rwlock_unlock(&this->lock);
+		this->lock->unlock(this->lock);
 	}
 }
 
@@ -1302,7 +1301,7 @@ static void public_destroy(public_enumerator_t *this)
 		remove_local_set(this->this, &this->wrapper->set);
 		this->wrapper->destroy(this->wrapper);
 	}
-	pthread_rwlock_unlock(&this->this->lock);
+	this->this->lock->unlock(this->this->lock);
 	
 	/* check for delayed certificate cache queue */
 	cache_queue(this->this);
@@ -1328,7 +1327,7 @@ static enumerator_t* create_public_enumerator(private_credential_manager_t *this
 		enumerator->wrapper = auth_info_wrapper_create(auth);
 		add_local_set(this, &enumerator->wrapper->set);
 	}
-	pthread_rwlock_rdlock(&this->lock);
+	this->lock->read_lock(this->lock);
 	return &enumerator->public;
 }
 
@@ -1525,9 +1524,9 @@ static void flush_cache(private_credential_manager_t *this,
 static void add_set(private_credential_manager_t *this,
 							   credential_set_t *set)
 {
-	pthread_rwlock_wrlock(&this->lock);
+	this->lock->write_lock(this->lock);
 	this->sets->insert_last(this->sets, set);
-	pthread_rwlock_unlock(&this->lock);
+	this->lock->unlock(this->lock);
 }
 
 /**
@@ -1535,9 +1534,9 @@ static void add_set(private_credential_manager_t *this,
  */
 static void remove_set(private_credential_manager_t *this, credential_set_t *set)
 {
-	pthread_rwlock_wrlock(&this->lock);
+	this->lock->write_lock(this->lock);
 	this->sets->remove(this->sets, set, NULL);
-	pthread_rwlock_unlock(&this->lock);
+	this->lock->unlock(this->lock);
 }
 
 /**
@@ -1551,7 +1550,7 @@ static void destroy(private_credential_manager_t *this)
 	this->sets->destroy(this->sets);
 	pthread_key_delete(this->local_sets);
 	this->cache->destroy(this->cache);
-	pthread_rwlock_destroy(&this->lock);
+	this->lock->destroy(this->lock);
 	free(this);
 }
 
@@ -1580,7 +1579,7 @@ credential_manager_t *credential_manager_create()
 	this->cache = cert_cache_create();
 	this->cache_queue = linked_list_create();
 	this->sets->insert_first(this->sets, this->cache);
-	pthread_rwlock_init(&this->lock, NULL);
+	this->lock = rwlock_create(RWLOCK_DEFAULT);
 	
 	return &this->public;
 }
diff --git a/src/charon/credentials/sets/cert_cache.c b/src/charon/credentials/sets/cert_cache.c
index 4a9a97149..79b5f0203 100644
--- a/src/charon/credentials/sets/cert_cache.c
+++ b/src/charon/credentials/sets/cert_cache.c
@@ -15,12 +15,12 @@
  * $Id$
  */
 
-#define _GNU_SOURCE
-#include <pthread.h>
-
 #include "cert_cache.h"
 
+#include <time.h>
+
 #include <daemon.h>
+#include <utils/mutex.h>
 #include <utils/linked_list.h>
 
 #define CACHE_SIZE 30
@@ -56,7 +56,7 @@ struct private_cert_cache_t {
 	/**
 	 * read-write lock to sets list
 	 */
-	pthread_rwlock_t lock;
+	rwlock_t *lock;
 };
 
 /**
@@ -90,7 +90,7 @@ static void check_cache(private_cert_cache_t *this)
 	{
 		this->check_required = TRUE;
 	}
-	else if (pthread_rwlock_trywrlock(&this->lock) == 0)
+	else if (this->lock->try_write_lock(this->lock))
 	{	/* never blocks, only done if lock is available */
 		while (this->relations->get_count(this->relations) > CACHE_SIZE)
 		{
@@ -110,7 +110,7 @@ static void check_cache(private_cert_cache_t *this)
 			relation_destroy(oldest);
 		}
 		this->check_required = FALSE;
-		pthread_rwlock_unlock(&this->lock);
+		this->lock->unlock(this->lock);
 	}
 }
 
@@ -124,7 +124,7 @@ static bool issued_by(private_cert_cache_t *this,
 	enumerator_t *enumerator;
 	
 	/* lookup cache */
-	pthread_rwlock_rdlock(&this->lock);
+	this->lock->read_lock(this->lock);
 	enumerator = this->relations->create_enumerator(this->relations);
 	while (enumerator->enumerate(enumerator, &current))
 	{
@@ -149,7 +149,7 @@ static bool issued_by(private_cert_cache_t *this,
 		}
 	}
 	enumerator->destroy(enumerator);
-	pthread_rwlock_unlock(&this->lock);
+	this->lock->unlock(this->lock);
 	if (found)
 	{
 		return TRUE;
@@ -233,7 +233,7 @@ static bool certs_filter(cert_data_t *data, relation_t **in, certificate_t **out
 static void certs_destroy(cert_data_t *data)
 {
 	ref_put(&data->this->enumerating);
-	pthread_rwlock_unlock(&data->this->lock);
+	data->this->lock->unlock(data->this->lock);
 	if (data->this->check_required)
 	{
 		check_cache(data->this);
@@ -260,7 +260,7 @@ static enumerator_t *create_enumerator(private_cert_cache_t *this,
 	data->id = id;
 	data->this = this;
 	
-	pthread_rwlock_rdlock(&this->lock);
+	this->lock->read_lock(this->lock);
 	ref_get(&this->enumerating);
 	return enumerator_create_filter(
 							this->relations->create_enumerator(this->relations),
@@ -275,7 +275,7 @@ static void flush(private_cert_cache_t *this, certificate_type_t type)
 	enumerator_t *enumerator;
 	relation_t *relation;
 	
-	pthread_rwlock_wrlock(&this->lock);
+	this->lock->write_lock(this->lock);
 	enumerator = this->relations->create_enumerator(this->relations);
 	while (enumerator->enumerate(enumerator, &relation))
 	{
@@ -287,7 +287,7 @@ static void flush(private_cert_cache_t *this, certificate_type_t type)
 		}
 	}
 	enumerator->destroy(enumerator);
-	pthread_rwlock_unlock(&this->lock);
+	this->lock->unlock(this->lock);
 }
 
 /**
@@ -296,7 +296,7 @@ static void flush(private_cert_cache_t *this, certificate_type_t type)
 static void destroy(private_cert_cache_t *this)
 {
 	this->relations->destroy_function(this->relations, (void*)relation_destroy);
-	pthread_rwlock_destroy(&this->lock);
+	this->lock->destroy(this->lock);
 	free(this);
 }
 
@@ -319,7 +319,7 @@ cert_cache_t *cert_cache_create()
 	this->relations = linked_list_create();
 	this->enumerating = 0;
 	this->check_required = FALSE;
-	pthread_rwlock_init(&this->lock, NULL);
+	this->lock = rwlock_create(RWLOCK_DEFAULT);
 	
 	return &this->public;
 }
diff --git a/src/charon/daemon.c b/src/charon/daemon.c
index 065f7d701..b9f173901 100644
--- a/src/charon/daemon.c
+++ b/src/charon/daemon.c
@@ -16,11 +16,6 @@
  * for more details.
  */
 
-#ifdef HAVE_DLADDR
-# define _GNU_SOURCE
-# include <dlfcn.h>
-#endif /* HAVE_DLADDR */
-
 #include <stdio.h>
 #include <sys/prctl.h>
 #include <signal.h>
@@ -34,9 +29,6 @@
 #include <errno.h>
 #include <pwd.h>
 #include <grp.h>
-#ifdef HAVE_BACKTRACE
-# include <execinfo.h>
-#endif /* HAVE_BACKTRACE */
 #ifdef CAPABILITIES
 #include <sys/capability.h>
 #endif /* CAPABILITIES */
@@ -44,6 +36,7 @@
 #include "daemon.h"
 
 #include <library.h>
+#include <utils/backtrace.h>
 #include <config/traffic_selector.h>
 #include <config/proposal.h>
 
@@ -99,7 +92,7 @@ static void dbg_bus(int level, char *fmt, ...)
 	va_list args;
 	
 	va_start(args, fmt);
-	charon->bus->vsignal(charon->bus, DBG_LIB, level, NULL, fmt, args);
+	charon->bus->vlog(charon->bus, DBG_LIB, level, fmt, args);
 	va_end(args);
 }
 
@@ -212,9 +205,10 @@ static void destroy(private_daemon_t *this)
 	/* rehook library logging, shutdown logging */
 	dbg = dbg_stderr;
 	DESTROY_IF(this->public.bus);
-	DESTROY_IF(this->public.outlog);
-	DESTROY_IF(this->public.syslog);
-	DESTROY_IF(this->public.authlog);
+	this->public.file_loggers->destroy_offset(this->public.file_loggers,
+											offsetof(file_logger_t, destroy));
+	this->public.sys_loggers->destroy_offset(this->public.sys_loggers,
+											offsetof(sys_logger_t, destroy));
 	free(this);
 }
 
@@ -316,39 +310,152 @@ static void lookup_uid_gid(private_daemon_t *this)
 #endif
 }
 
+/**
+ * Log loaded plugins
+ */
+static void print_plugins()
+{
+	char buf[512], *plugin;
+	int len = 0;
+	enumerator_t *enumerator;
+	
+	enumerator = lib->plugins->create_plugin_enumerator(lib->plugins);
+	while (len < sizeof(buf) && enumerator->enumerate(enumerator, &plugin))
+	{
+		len += snprintf(&buf[len], sizeof(buf)-len, "%s ", plugin);
+	}
+	enumerator->destroy(enumerator);
+	DBG1(DBG_DMN, "loaded plugins: %s", buf);
+}
+
+/**
+ * Initialize logging
+ */
+static void initialize_loggers(private_daemon_t *this, bool use_stderr,
+							   level_t levels[])
+{
+	sys_logger_t *sys_logger;
+	file_logger_t *file_logger;
+	enumerator_t *enumerator;
+	char *facility, *filename;
+	int loggers_defined = 0;
+	debug_t group;
+	level_t  def;
+	bool append;
+	FILE *file;
+	
+	/* setup sysloggers */
+	enumerator = lib->settings->create_section_enumerator(lib->settings,
+														  "charon.syslog");
+	while (enumerator->enumerate(enumerator, &facility))
+	{
+		loggers_defined++;
+		if (streq(facility, "daemon"))
+		{
+			sys_logger = sys_logger_create(LOG_DAEMON);
+		}
+		else if (streq(facility, "auth"))
+		{
+			sys_logger = sys_logger_create(LOG_AUTHPRIV);
+		}
+		else
+		{
+			continue;
+		}
+		def = lib->settings->get_int(lib->settings,
+									 "charon.syslog.%s.default", 1, facility);
+		for (group = 0; group < DBG_MAX; group++)
+		{
+			sys_logger->set_level(sys_logger, group,
+				lib->settings->get_int(lib->settings,
+									   "charon.syslog.%s.%N", def,
+									   facility, debug_lower_names, group));
+		}
+		this->public.sys_loggers->insert_last(this->public.sys_loggers,
+											  sys_logger);
+		this->public.bus->add_listener(this->public.bus, &sys_logger->listener);
+	}
+	enumerator->destroy(enumerator);
+	
+	/* and file loggers */
+	enumerator = lib->settings->create_section_enumerator(lib->settings,
+														  "charon.filelog");
+	while (enumerator->enumerate(enumerator, &filename))
+	{
+		loggers_defined++;
+		if (streq(filename, "stderr"))
+		{
+			file = stderr;
+		}
+		else if (streq(filename, "stdout"))
+		{
+			file = stdout;
+		}
+		else
+		{
+			append = lib->settings->get_bool(lib->settings,
+									"charon.filelog.%s.append", TRUE, filename);
+			file = fopen(filename, append ? "a" : "w");
+			if (file == NULL)
+			{
+				DBG1(DBG_DMN, "opening file %s for logging failed: %s",
+					 filename, strerror(errno));
+				continue;
+			}
+		}
+		file_logger = file_logger_create(file);
+		def = lib->settings->get_int(lib->settings,
+									 "charon.filelog.%s.default", 1, filename);
+		for (group = 0; group < DBG_MAX; group++)
+		{
+			file_logger->set_level(file_logger, group,
+				lib->settings->get_int(lib->settings,
+									   "charon.filelog.%s.%N", def,
+									   filename, debug_lower_names, group));
+		}
+		this->public.file_loggers->insert_last(this->public.file_loggers,
+											   file_logger);
+		this->public.bus->add_listener(this->public.bus, &file_logger->listener);
+	
+	}
+	enumerator->destroy(enumerator);
+	
+	/* setup legacy style default loggers provided via command-line */
+	if (!loggers_defined)
+	{
+		file_logger = file_logger_create(stdout);
+		sys_logger = sys_logger_create(LOG_DAEMON);
+		this->public.bus->add_listener(this->public.bus, &file_logger->listener);
+		this->public.bus->add_listener(this->public.bus, &sys_logger->listener);
+		this->public.file_loggers->insert_last(this->public.file_loggers,
+											   file_logger);
+		this->public.sys_loggers->insert_last(this->public.sys_loggers,
+											  sys_logger);
+		for (group = 0; group < DBG_MAX; group++)
+		{
+			sys_logger->set_level(sys_logger, group, levels[group]);
+			if (use_stderr)
+			{
+				file_logger->set_level(file_logger, group, levels[group]);
+			}
+		}
+	}
+}
+
 /**
  * Initialize the daemon
  */
 static bool initialize(private_daemon_t *this, bool syslog, level_t levels[])
 {
-	signal_t signal;
-	
 	/* for uncritical pseudo random numbers */
 	srandom(time(NULL) + getpid());
 	
 	/* setup bus and it's listeners first to enable log output */
 	this->public.bus = bus_create();
-	this->public.outlog = file_logger_create(stdout);
-	this->public.syslog = sys_logger_create(LOG_DAEMON);
-	this->public.authlog = sys_logger_create(LOG_AUTHPRIV);
-	this->public.bus->add_listener(this->public.bus, &this->public.syslog->listener);
-	this->public.bus->add_listener(this->public.bus, &this->public.outlog->listener);
-	this->public.bus->add_listener(this->public.bus, &this->public.authlog->listener);
-	this->public.authlog->set_level(this->public.authlog, SIG_ANY, LEVEL_AUDIT);
 	/* set up hook to log dbg message in library via charons message bus */
 	dbg = dbg_bus;
 	
-	/* apply loglevels */
-	for (signal = 0; signal < DBG_MAX; signal++)
-	{
-		this->public.syslog->set_level(this->public.syslog,
-									   signal, levels[signal]);
-		if (!syslog)
-		{
-			this->public.outlog->set_level(this->public.outlog,
-										   signal, levels[signal]);
-		}
-	}
+	initialize_loggers(this, !syslog, levels);
 	
 	DBG1(DBG_DMN, "starting charon (strongSwan Version %s)", VERSION);
 
@@ -368,6 +475,8 @@ static bool initialize(private_daemon_t *this, bool syslog, level_t levels[])
 	lib->plugins->load(lib->plugins, IPSEC_PLUGINDIR, 
 		lib->settings->get_str(lib->settings, "charon.load", PLUGINS));
 	
+	print_plugins();
+	
 	/* create the kernel interfaces */
 	this->public.kernel_interface->create_interfaces(this->public.kernel_interface);
 	
@@ -413,45 +522,13 @@ static bool initialize(private_daemon_t *this, bool syslog, level_t levels[])
  */
 static void segv_handler(int signal)
 {
-#ifdef HAVE_BACKTRACE
-	void *array[20];
-	size_t size;
-	char **strings;
-	size_t i;
-
-	size = backtrace(array, 20);
-	strings = backtrace_symbols(array, size);
-
-	DBG1(DBG_JOB, "thread %u received %s. Dumping %d frames from stack:",
-		 pthread_self(), signal == SIGSEGV ? "SIGSEGV" : "SIGILL", size);
-
-	for (i = 0; i < size; i++)
-	{
-#ifdef HAVE_DLADDR
-		Dl_info info;
-		
-		if (dladdr(array[i], &info))
-		{
-			void *ptr = array[i];
-			if (strstr(info.dli_fname, ".so"))
-			{
-				ptr = (void*)(array[i] - info.dli_fbase);
-			}
-			DBG1(DBG_DMN, "    %s [%p]", info.dli_fname, ptr);
-		}
-		else
-		{
-#endif /* HAVE_DLADDR */
-			DBG1(DBG_DMN, "    %s", strings[i]);
-#ifdef HAVE_DLADDR
-		}
-#endif /* HAVE_DLADDR */
-	}
-	free (strings);
-#else /* !HAVE_BACKTRACE */
-	DBG1(DBG_DMN, "thread %u received %s",
-		 pthread_self(), signal == SIGSEGV ? "SIGSEGV" : "SIGILL");
-#endif /* HAVE_BACKTRACE */
+	backtrace_t *backtrace;
+	
+	DBG1(DBG_DMN, "thread %u received %d", pthread_self(), signal);
+	backtrace = backtrace_create(2);
+	backtrace->log(backtrace, stderr);
+	backtrace->destroy(backtrace);
+	
 	DBG1(DBG_DMN, "killing ourself, received critical signal");
 	raise(SIGKILL);
 }
@@ -483,9 +560,8 @@ private_daemon_t *daemon_create(void)
 	this->public.eap = NULL;
 	this->public.sim = NULL;
 	this->public.bus = NULL;
-	this->public.outlog = NULL;
-	this->public.syslog = NULL;
-	this->public.authlog = NULL;
+	this->public.file_loggers = linked_list_create();
+	this->public.sys_loggers = linked_list_create();
 #ifdef ME
 	this->public.connect_manager = NULL;
 	this->public.mediation_manager = NULL;
@@ -514,6 +590,7 @@ private_daemon_t *daemon_create(void)
 	sigaddset(&action.sa_mask, SIGHUP);
 	sigaction(SIGSEGV, &action, NULL);
 	sigaction(SIGILL, &action, NULL);
+	sigaction(SIGBUS, &action, NULL);
 	action.sa_handler = SIG_IGN;
 	sigaction(SIGPIPE, &action, NULL);
 	
@@ -555,7 +632,7 @@ int main(int argc, char *argv[])
 	FILE *pid_file;
 	struct stat stb;
 	level_t levels[DBG_MAX];
-	int signal;
+	int group;
 	
 	/* logging for library during initialization, as we have no bus yet */
 	dbg = dbg_stderr;
@@ -572,9 +649,9 @@ int main(int argc, char *argv[])
 	lookup_uid_gid(private_charon);
 	
 	/* use CTRL loglevel for default */
-	for (signal = 0; signal < DBG_MAX; signal++)
+	for (group = 0; group < DBG_MAX; group++)
 	{
-		levels[signal] = LEVEL_CTRL;
+		levels[group] = LEVEL_CTRL;
 	}
 	
 	/* handle arguments */
@@ -585,16 +662,16 @@ int main(int argc, char *argv[])
 			{ "version", no_argument, NULL, 'v' },
 			{ "use-syslog", no_argument, NULL, 'l' },
 			/* TODO: handle "debug-all" */
-			{ "debug-dmn", required_argument, &signal, DBG_DMN },
-			{ "debug-mgr", required_argument, &signal, DBG_MGR },
-			{ "debug-ike", required_argument, &signal, DBG_IKE },
-			{ "debug-chd", required_argument, &signal, DBG_CHD },
-			{ "debug-job", required_argument, &signal, DBG_JOB },
-			{ "debug-cfg", required_argument, &signal, DBG_CFG },
-			{ "debug-knl", required_argument, &signal, DBG_KNL },
-			{ "debug-net", required_argument, &signal, DBG_NET },
-			{ "debug-enc", required_argument, &signal, DBG_ENC },
-			{ "debug-lib", required_argument, &signal, DBG_LIB },
+			{ "debug-dmn", required_argument, &group, DBG_DMN },
+			{ "debug-mgr", required_argument, &group, DBG_MGR },
+			{ "debug-ike", required_argument, &group, DBG_IKE },
+			{ "debug-chd", required_argument, &group, DBG_CHD },
+			{ "debug-job", required_argument, &group, DBG_JOB },
+			{ "debug-cfg", required_argument, &group, DBG_CFG },
+			{ "debug-knl", required_argument, &group, DBG_KNL },
+			{ "debug-net", required_argument, &group, DBG_NET },
+			{ "debug-enc", required_argument, &group, DBG_ENC },
+			{ "debug-lib", required_argument, &group, DBG_LIB },
 			{ 0,0,0,0 }
 		};
 		
@@ -613,8 +690,8 @@ int main(int argc, char *argv[])
 				use_syslog = TRUE;
 				continue;
 			case 0:
-				/* option is in signal */
-				levels[signal] = atoi(optarg);
+				/* option is in group */
+				levels[group] = atoi(optarg);
 				continue;
 			default:
 				usage("");
@@ -642,7 +719,7 @@ int main(int argc, char *argv[])
 	if (pid_file)
 	{
 		fprintf(pid_file, "%d\n", getpid());
-		fchown(fileno(pid_file), charon->uid, charon->gid);
+		ignore_result(fchown(fileno(pid_file), charon->uid, charon->gid));
 		fclose(pid_file);
 	}
 	
diff --git a/src/charon/daemon.h b/src/charon/daemon.h
index 62a286f04..89e03eb93 100644
--- a/src/charon/daemon.h
+++ b/src/charon/daemon.h
@@ -15,7 +15,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: daemon.h 4406 2008-10-10 08:36:01Z martin $
+ * $Id: daemon.h 4622 2008-11-11 10:52:37Z martin $
  */
 
 /**
@@ -217,7 +217,7 @@ struct daemon_t {
 	backend_manager_t *backends;
 	
 	/**
-	 * Manager IKEv2 cfg payload attributes
+	 * Manager for IKEv2 cfg payload attributes
 	 */
 	attribute_manager_t *attributes;
 	
@@ -252,19 +252,14 @@ struct daemon_t {
 	bus_t *bus;
 	
 	/**
-	 * A bus listener logging to stdout
+	 * A list of installed file_logger_t's
 	 */
-	file_logger_t *outlog;
+	linked_list_t *file_loggers;
 	
 	/**
-	 * A bus listener logging to syslog
+	 * A list of installed sys_logger_t's
 	 */
-	sys_logger_t *syslog;
-	
-	/**
-	 * A bus listener logging most important events
-	 */
-	sys_logger_t *authlog;
+	linked_list_t *sys_loggers;
 	
 	/**
 	 * Kernel Interface to communicate with kernel
diff --git a/src/charon/encoding/payloads/payload.c b/src/charon/encoding/payloads/payload.c
index 17986dd58..71350458f 100644
--- a/src/charon/encoding/payloads/payload.c
+++ b/src/charon/encoding/payloads/payload.c
@@ -14,7 +14,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: payload.c 3666 2008-03-26 18:40:19Z tobias $
+ * $Id: payload.c 4618 2008-11-11 09:22:00Z tobias $
  */
 
 
@@ -62,9 +62,15 @@ ENUM_NEXT(payload_type_names, SECURITY_ASSOCIATION, EXTENSIBLE_AUTHENTICATION, N
 ENUM_NEXT(payload_type_names, ID_PEER, ID_PEER, EXTENSIBLE_AUTHENTICATION,
 	"ID_PEER");
 ENUM_NEXT(payload_type_names, HEADER, UNKNOWN_PAYLOAD, ID_PEER,
+	"HEADER",
+	"PROPOSAL_SUBSTRUCTURE",
+	"TRANSFORM_SUBSTRUCTURE",
+	"TRANSFORM_ATTRIBUTE",
+	"TRAFFIC_SELECTOR_SUBSTRUCTURE",
+	"CONFIGURATION_ATTRIBUTE",
+	"UNKNOWN_PAYLOAD");
 #else
 ENUM_NEXT(payload_type_names, HEADER, UNKNOWN_PAYLOAD, EXTENSIBLE_AUTHENTICATION,
-#endif /* ME */
 	"HEADER",
 	"PROPOSAL_SUBSTRUCTURE",
 	"TRANSFORM_SUBSTRUCTURE",
@@ -72,6 +78,7 @@ ENUM_NEXT(payload_type_names, HEADER, UNKNOWN_PAYLOAD, EXTENSIBLE_AUTHENTICATION
 	"TRAFFIC_SELECTOR_SUBSTRUCTURE",
 	"CONFIGURATION_ATTRIBUTE",
 	"UNKNOWN_PAYLOAD");
+#endif /* ME */
 ENUM_END(payload_type_names, UNKNOWN_PAYLOAD);
 
 /* short forms of payload names */
@@ -98,9 +105,15 @@ ENUM_NEXT(payload_type_short_names, SECURITY_ASSOCIATION, EXTENSIBLE_AUTHENTICAT
 ENUM_NEXT(payload_type_short_names, ID_PEER, ID_PEER, EXTENSIBLE_AUTHENTICATION,
 	"IDp");
 ENUM_NEXT(payload_type_short_names, HEADER, UNKNOWN_PAYLOAD, ID_PEER,
+	"HDR",
+	"PROP",
+	"TRANS",
+	"TRANSATTR",
+	"TSSUB",
+	"CPATTR",
+	"??");
 #else
 ENUM_NEXT(payload_type_short_names, HEADER, UNKNOWN_PAYLOAD, EXTENSIBLE_AUTHENTICATION,
-#endif /* ME */
 	"HDR",
 	"PROP",
 	"TRANS",
@@ -108,6 +121,7 @@ ENUM_NEXT(payload_type_short_names, HEADER, UNKNOWN_PAYLOAD, EXTENSIBLE_AUTHENTI
 	"TSSUB",
 	"CPATTR",
 	"??");
+#endif /* ME */
 ENUM_END(payload_type_short_names, UNKNOWN_PAYLOAD);
 
 /*
diff --git a/src/charon/encoding/payloads/traffic_selector_substructure.c b/src/charon/encoding/payloads/traffic_selector_substructure.c
index f6042b4b6..eb5bbc626 100644
--- a/src/charon/encoding/payloads/traffic_selector_substructure.c
+++ b/src/charon/encoding/payloads/traffic_selector_substructure.c
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: traffic_selector_substructure.c 3589 2008-03-13 14:14:44Z martin $
+ * $Id: traffic_selector_substructure.c 4639 2008-11-12 15:09:24Z martin $
  */
 
 #include "traffic_selector_substructure.h"
@@ -269,8 +269,8 @@ traffic_selector_substructure_t *traffic_selector_substructure_create_from_traff
 	this->ip_protocol_id = traffic_selector->get_protocol(traffic_selector);
 	this->start_port = traffic_selector->get_from_port(traffic_selector);
 	this->end_port = traffic_selector->get_to_port(traffic_selector);
-	this->starting_address = traffic_selector->get_from_address(traffic_selector);
-	this->ending_address = traffic_selector->get_to_address(traffic_selector);
+	this->starting_address = chunk_clone(traffic_selector->get_from_address(traffic_selector));
+	this->ending_address = chunk_clone(traffic_selector->get_to_address(traffic_selector));
 	
 	compute_length(this);
 	
diff --git a/src/charon/kernel/kernel_interface.c b/src/charon/kernel/kernel_interface.c
index 3c82b580e..f078f3a00 100644
--- a/src/charon/kernel/kernel_interface.c
+++ b/src/charon/kernel/kernel_interface.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: kernel_interface.c 4406 2008-10-10 08:36:01Z martin $
+ * $Id: kernel_interface.c 4655 2008-11-14 13:04:22Z martin $
  */
 
 #include "kernel_interface.h"
@@ -85,43 +85,34 @@ static status_t get_cpi(private_kernel_interface_t *this, host_t *src, host_t *d
 static status_t add_sa(private_kernel_interface_t *this, host_t *src, host_t *dst,
 				u_int32_t spi, protocol_id_t protocol, u_int32_t reqid,
 				u_int64_t expire_soft, u_int64_t expire_hard,
-				u_int16_t enc_alg, u_int16_t enc_size,
-				u_int16_t int_alg, u_int16_t int_size,
-				prf_plus_t *prf_plus, ipsec_mode_t mode, u_int16_t ipcomp, bool encap,
-				bool update)
+				u_int16_t enc_alg, chunk_t enc_key,
+				u_int16_t int_alg, chunk_t int_key,
+				ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi, bool encap,
+				bool inbound)
 {
 	return this->ipsec->add_sa(this->ipsec, src, dst, spi, protocol, reqid,
-			expire_soft, expire_hard, enc_alg, enc_size, int_alg, int_size,
-			prf_plus, mode, ipcomp, encap, update);
+			expire_soft, expire_hard, enc_alg, enc_key, int_alg, int_key,
+			mode, ipcomp, cpi, encap, inbound);
 }
 
 /**
  * Implementation of kernel_interface_t.update_sa
  */
 static status_t update_sa(private_kernel_interface_t *this, u_int32_t spi,
-				   protocol_id_t protocol, host_t *src, host_t *dst, 
-				   host_t *new_src, host_t *new_dst, bool encap)
+				   protocol_id_t protocol, u_int16_t cpi, host_t *src, host_t *dst, 
+				   host_t *new_src, host_t *new_dst, bool encap, bool new_encap)
 {
-	return this->ipsec->update_sa(this->ipsec, spi, protocol, src, dst, new_src,
-			new_dst, encap);
-}
-
-/**
- * Implementation of kernel_interface_t.query_sa
- */
-static status_t query_sa(private_kernel_interface_t *this, host_t *dst, u_int32_t spi, 
-				  protocol_id_t protocol, u_int32_t *use_time)
-{
-	return this->ipsec->query_sa(this->ipsec, dst, spi, protocol, use_time);
+	return this->ipsec->update_sa(this->ipsec, spi, protocol, cpi, src, dst,
+			new_src, new_dst, encap, new_encap);
 }
 
 /**
  * Implementation of kernel_interface_t.del_sa
  */
 static status_t del_sa(private_kernel_interface_t *this, host_t *dst, u_int32_t spi,
-				protocol_id_t protocol)
+				protocol_id_t protocol, u_int16_t cpi)
 {
-	return this->ipsec->del_sa(this->ipsec, dst, spi, protocol);
+	return this->ipsec->del_sa(this->ipsec, dst, spi, protocol, cpi);
 }
 
 /**
@@ -129,12 +120,12 @@ static status_t del_sa(private_kernel_interface_t *this, host_t *dst, u_int32_t
  */
 static status_t add_policy(private_kernel_interface_t *this, host_t *src, host_t *dst,
 					traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
-					policy_dir_t direction, protocol_id_t protocol,
-					u_int32_t reqid, bool high_prio, ipsec_mode_t mode,
-					u_int16_t ipcomp)
+					policy_dir_t direction, u_int32_t spi, protocol_id_t protocol,
+					u_int32_t reqid, ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
+					bool routed)
 {
 	return this->ipsec->add_policy(this->ipsec, src, dst, src_ts, dst_ts,
-			direction, protocol, reqid, high_prio, mode, ipcomp);
+			direction, spi, protocol, reqid, mode, ipcomp, cpi, routed);
 }
 
 /**
@@ -152,9 +143,9 @@ static status_t query_policy(private_kernel_interface_t *this,
  */
 static status_t del_policy(private_kernel_interface_t *this,
 					traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
-					policy_dir_t direction)
+					policy_dir_t direction, bool unrouted)
 {
-	return this->ipsec->del_policy(this->ipsec, src_ts, dst_ts, direction);
+	return this->ipsec->del_policy(this->ipsec, src_ts, dst_ts, direction, unrouted);
 }
 
 /**
@@ -230,6 +221,64 @@ static status_t del_route(private_kernel_interface_t *this, chunk_t dst_net,
 }
 
 
+/**
+ * Implementation of kernel_interface_t.get_address_by_ts
+ */
+static status_t get_address_by_ts(private_kernel_interface_t *this,
+								  traffic_selector_t *ts, host_t **ip)
+{
+	enumerator_t *addrs;
+	host_t *host;
+	int family;
+	bool found = FALSE;
+	
+	DBG2(DBG_KNL, "getting a local address in traffic selector %R", ts);
+	
+	/* if we have a family which includes localhost, we do not
+	 * search for an IP, we use the default */
+	family = ts->get_type(ts) == TS_IPV4_ADDR_RANGE ? AF_INET : AF_INET6;
+	
+	if (family == AF_INET)
+	{
+		host = host_create_from_string("127.0.0.1", 0);
+	}
+	else
+	{
+		host = host_create_from_string("::1", 0);
+	}
+	
+	if (ts->includes(ts, host))
+	{
+		*ip = host_create_any(family);
+		host->destroy(host);
+		DBG2(DBG_KNL, "using host %H", *ip);
+		return SUCCESS;
+	}
+	host->destroy(host);
+	
+	addrs = create_address_enumerator(this, TRUE, TRUE);
+	while (addrs->enumerate(addrs, (void**)&host))
+	{
+		if (ts->includes(ts, host))
+		{
+			found = TRUE;
+			*ip = host->clone(host);
+			break;
+		}
+	}
+	addrs->destroy(addrs);
+	
+	if (!found)
+	{
+		DBG1(DBG_KNL, "no local address found in traffic selector %R", ts);
+		return FAILED;
+	}
+	
+	DBG2(DBG_KNL, "using host %H", *ip);
+	return SUCCESS;
+}
+
+
 /**
  * Implementation of kernel_interface_t.add_ipsec_interface.
  */
@@ -253,7 +302,7 @@ static void remove_ipsec_interface(private_kernel_interface_t *this,
 }
 
 /**
- * Implementation of kernel_interface_t.add_ipsec_interface.
+ * Implementation of kernel_interface_t.add_net_interface.
  */
 static void add_net_interface(private_kernel_interface_t *this,
 		kernel_net_constructor_t *create)
@@ -264,7 +313,7 @@ static void add_net_interface(private_kernel_interface_t *this,
 }
 
 /**
- * Implementation of kernel_interface_t.remove_ipsec_interface.
+ * Implementation of kernel_interface_t.remove_net_interface.
  */
 static void remove_net_interface(private_kernel_interface_t *this,
 		kernel_net_constructor_t *create)
@@ -322,13 +371,12 @@ kernel_interface_t *kernel_interface_create()
 	
 	this->public.get_spi = (status_t(*)(kernel_interface_t*,host_t*,host_t*,protocol_id_t,u_int32_t,u_int32_t*))get_spi;
 	this->public.get_cpi = (status_t(*)(kernel_interface_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
-	this->public.add_sa  = (status_t(*)(kernel_interface_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,u_int16_t,u_int16_t,u_int16_t,prf_plus_t*,ipsec_mode_t,u_int16_t,bool,bool))add_sa;
-	this->public.update_sa = (status_t(*)(kernel_interface_t*,u_int32_t,protocol_id_t,host_t*,host_t*,host_t*,host_t*,bool))update_sa;
-	this->public.query_sa = (status_t(*)(kernel_interface_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t*))query_sa;
-	this->public.del_sa = (status_t(*)(kernel_interface_t*,host_t*,u_int32_t,protocol_id_t))del_sa;
-	this->public.add_policy = (status_t(*)(kernel_interface_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,protocol_id_t,u_int32_t,bool,ipsec_mode_t,u_int16_t))add_policy;
+	this->public.add_sa  = (status_t(*)(kernel_interface_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa;
+	this->public.update_sa = (status_t(*)(kernel_interface_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa;
+	this->public.del_sa = (status_t(*)(kernel_interface_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
+	this->public.add_policy = (status_t(*)(kernel_interface_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t,protocol_id_t,u_int32_t,ipsec_mode_t,u_int16_t,u_int16_t,bool))add_policy;
 	this->public.query_policy = (status_t(*)(kernel_interface_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
-	this->public.del_policy = (status_t(*)(kernel_interface_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t))del_policy;
+	this->public.del_policy = (status_t(*)(kernel_interface_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,bool))del_policy;
 	
 	this->public.get_source_addr = (host_t*(*)(kernel_interface_t*, host_t *dest, host_t *src))get_source_addr;
 	this->public.get_nexthop = (host_t*(*)(kernel_interface_t*, host_t *dest))get_nexthop;
@@ -339,6 +387,8 @@ kernel_interface_t *kernel_interface_create()
 	this->public.add_route = (status_t(*)(kernel_interface_t*,chunk_t,u_int8_t,host_t*,host_t*,char*)) add_route;
 	this->public.del_route = (status_t(*)(kernel_interface_t*,chunk_t,u_int8_t,host_t*,host_t*,char*)) del_route;
 	
+	this->public.get_address_by_ts = (status_t(*)(kernel_interface_t*,traffic_selector_t*,host_t**))get_address_by_ts;
+	
 	this->public.add_ipsec_interface = (void(*)(kernel_interface_t*, kernel_ipsec_constructor_t))add_ipsec_interface;
 	this->public.remove_ipsec_interface = (void(*)(kernel_interface_t*, kernel_ipsec_constructor_t))remove_ipsec_interface;
 	this->public.add_net_interface = (void(*)(kernel_interface_t*, kernel_net_constructor_t))add_net_interface;
diff --git a/src/charon/kernel/kernel_interface.h b/src/charon/kernel/kernel_interface.h
index b3bf907e5..3c3b05c81 100644
--- a/src/charon/kernel/kernel_interface.h
+++ b/src/charon/kernel/kernel_interface.h
@@ -15,7 +15,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: kernel_interface.h 4386 2008-10-08 08:23:46Z martin $
+ * $Id: kernel_interface.h 4618 2008-11-11 09:22:00Z tobias $
  */
 
 /**
@@ -56,10 +56,6 @@ struct kernel_interface_t {
 	/**
 	 * Get a SPI from the kernel.
 	 *
-	 * @warning get_spi() implicitly creates an SA with
-	 * the allocated SPI, therefore the replace flag
-	 * in add_sa() must be set when installing this SA.
-	 * 
 	 * @param src		source address of SA
 	 * @param dst		destination address of SA
 	 * @param protocol	protocol for SA (ESP/AH)
@@ -101,25 +97,24 @@ struct kernel_interface_t {
 	 * @param expire_soft	lifetime in seconds before rekeying
 	 * @param expire_hard	lifetime in seconds before delete
 	 * @param enc_alg		Algorithm to use for encryption (ESP only)
-	 * @param enc_size		key length of encryption algorithm, if dynamic
+	 * @param enc_key		key to use for encryption
 	 * @param int_alg		Algorithm to use for integrity protection
-	 * @param int_size		key length of integrity algorithm, if dynamic
-	 * @param prf_plus		PRF to derive keys from
+	 * @param int_key		key to use for integrity protection
 	 * @param mode			mode of the SA (tunnel, transport)
 	 * @param ipcomp		IPComp transform to use
+	 * @param cpi			CPI for IPComp
 	 * @param encap			enable UDP encapsulation for NAT traversal
-	 * @param replace		Should an already installed SA be updated?
+	 * @param inbound		TRUE if this is an inbound SA
 	 * @return				SUCCESS if operation completed
 	 */
 	status_t (*add_sa) (kernel_interface_t *this,
 						host_t *src, host_t *dst, u_int32_t spi,
 						protocol_id_t protocol, u_int32_t reqid,
 						u_int64_t expire_soft, u_int64_t expire_hard,
-					    u_int16_t enc_alg, u_int16_t enc_size,
-					    u_int16_t int_alg, u_int16_t int_size,
-						prf_plus_t *prf_plus, ipsec_mode_t mode,
-						u_int16_t ipcomp, bool encap,
-						bool update);
+					    u_int16_t enc_alg, chunk_t enc_key,
+					    u_int16_t int_alg, chunk_t int_key,
+						ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
+						bool encap, bool inbound);
 	
 	/**
 	 * Update the hosts on an installed SA.
@@ -131,32 +126,21 @@ struct kernel_interface_t {
 	 *
 	 * @param spi			SPI of the SA
 	 * @param protocol		protocol for this SA (ESP/AH)
+	 * @param cpi			CPI for IPComp, 0 if no IPComp is used
 	 * @param src			current source address
 	 * @param dst			current destination address
 	 * @param new_src		new source address
 	 * @param new_dst		new destination address
-	 * @param encap			use UDP encapsulation
-	 * @return				SUCCESS if operation completed
+	 * @param encap			current use of UDP encapsulation
+	 * @param new_encap		new use of UDP encapsulation
+	 * @return				SUCCESS if operation completed, NOT_SUPPORTED if
+	 *                      the kernel interface can't update the SA
 	 */
 	status_t (*update_sa)(kernel_interface_t *this,
-						  u_int32_t spi, protocol_id_t protocol,
+						  u_int32_t spi, protocol_id_t protocol, u_int16_t cpi,
 						  host_t *src, host_t *dst, 
-						  host_t *new_src, host_t *new_dst, bool encap);
-	
-	/**
-	 * Query the use time of an SA.
-	 *
-	 * The use time of an SA is not the time of the last usage, but 
-	 * the time of the first usage of the SA.
-	 * 
-	 * @param dst			destination address for this SA
-	 * @param spi			SPI allocated by us or remote peer
-	 * @param protocol		protocol for this SA (ESP/AH)
-	 * @param use_time		pointer receives the time of this SA's last use
-	 * @return				SUCCESS if operation completed
-	 */
-	status_t (*query_sa) (kernel_interface_t *this, host_t *dst, u_int32_t spi, 
-						  protocol_id_t protocol, u_int32_t *use_time);
+						  host_t *new_src, host_t *new_dst,
+						  bool encap, bool new_encap);
 	
 	/**
 	 * Delete a previously installed SA from the SAD.
@@ -164,10 +148,11 @@ struct kernel_interface_t {
 	 * @param dst			destination address for this SA
 	 * @param spi			SPI allocated by us or remote peer
 	 * @param protocol		protocol for this SA (ESP/AH)
+	 * @param cpi			CPI for IPComp or 0
 	 * @return				SUCCESS if operation completed
 	 */
 	status_t (*del_sa) (kernel_interface_t *this, host_t *dst, u_int32_t spi,
-						protocol_id_t protocol);
+						protocol_id_t protocol, u_int16_t cpi);
 	
 	/**
 	 * Add a policy to the SPD.
@@ -180,20 +165,23 @@ struct kernel_interface_t {
 	 * @param src_ts		traffic selector to match traffic source
 	 * @param dst_ts		traffic selector to match traffic dest
 	 * @param direction		direction of traffic, POLICY_IN, POLICY_OUT, POLICY_FWD
+	 * @param spi			SPI of SA
 	 * @param protocol		protocol to use to protect traffic (AH/ESP)
 	 * @param reqid			unique ID of an SA to use to enforce policy
-	 * @param high_prio		if TRUE, uses a higher priority than any with FALSE
 	 * @param mode			mode of SA (tunnel, transport)
 	 * @param ipcomp		the IPComp transform used
+	 * @param cpi			CPI for IPComp
+	 * @param routed		TRUE, if this policy is routed in the kernel
 	 * @return				SUCCESS if operation completed
 	 */
 	status_t (*add_policy) (kernel_interface_t *this,
 							host_t *src, host_t *dst,
 							traffic_selector_t *src_ts,
 							traffic_selector_t *dst_ts,
-							policy_dir_t direction, protocol_id_t protocol,
-							u_int32_t reqid, bool high_prio, ipsec_mode_t mode,
-							u_int16_t ipcomp);
+							policy_dir_t direction, u_int32_t spi,
+							protocol_id_t protocol, u_int32_t reqid,
+							ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
+							bool routed);
 	
 	/**
 	 * Query the use time of a policy.
@@ -223,12 +211,14 @@ struct kernel_interface_t {
 	 * @param src_ts		traffic selector to match traffic source
 	 * @param dst_ts		traffic selector to match traffic dest
 	 * @param direction		direction of traffic, POLICY_IN, POLICY_OUT, POLICY_FWD
+	 * @param unrouted		TRUE, if this policy is unrouted from the kernel
 	 * @return				SUCCESS if operation completed
 	 */
 	status_t (*del_policy) (kernel_interface_t *this,
 							traffic_selector_t *src_ts, 
 							traffic_selector_t *dst_ts,
-							policy_dir_t direction);
+							policy_dir_t direction,
+							bool unrouted);
 	
 	/**
 	 * Get our outgoing source address for a destination.
@@ -334,6 +324,17 @@ struct kernel_interface_t {
 	 * manager methods
 	 */
 	
+	/**
+	 * Tries to find an ip address of a local interface that is included in the
+	 * supplied traffic selector.
+	 * 
+	 * @param ts			traffic selector
+	 * @param ip			returned ip (has to be destroyed)
+	 * @return				SUCCESS if address found
+	 */
+	status_t (*get_address_by_ts) (kernel_interface_t *this,
+										traffic_selector_t *ts, host_t **ip);
+	
 	/**
 	 * Register an ipsec kernel interface constructor on the manager.
 	 *
diff --git a/src/charon/kernel/kernel_ipsec.c b/src/charon/kernel/kernel_ipsec.c
index bae8ee125..1fef2acca 100644
--- a/src/charon/kernel/kernel_ipsec.c
+++ b/src/charon/kernel/kernel_ipsec.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: kernel_ipsec.c 4358 2008-09-25 13:56:23Z tobias $
+ * $Id: kernel_ipsec.c 4430 2008-10-14 08:46:31Z tobias $
  */
 
 #include "kernel_ipsec.h"
@@ -24,3 +24,10 @@ ENUM(ipsec_mode_names, MODE_TRANSPORT, MODE_BEET,
 	"3",
 	"BEET",
 );
+
+ENUM(policy_dir_names, POLICY_IN, POLICY_FWD,
+	"in",
+	"out",
+	"fwd"
+);
+
diff --git a/src/charon/kernel/kernel_ipsec.h b/src/charon/kernel/kernel_ipsec.h
index 67786a74f..de7068fb9 100644
--- a/src/charon/kernel/kernel_ipsec.h
+++ b/src/charon/kernel/kernel_ipsec.h
@@ -15,7 +15,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: kernel_ipsec.h 4358 2008-09-25 13:56:23Z tobias $
+ * $Id: kernel_ipsec.h 4618 2008-11-11 09:22:00Z tobias $
  */
 
 /**
@@ -67,6 +67,11 @@ enum policy_dir_t {
 	POLICY_FWD = 2,
 };
 
+/**
+ * enum names for policy_dir_t.
+ */
+extern enum_name_t *policy_dir_names;
+
 /**
  * Interface to the ipsec subsystem of the kernel.
  * 
@@ -83,10 +88,6 @@ struct kernel_ipsec_t {
 	/**
 	 * Get a SPI from the kernel.
 	 *
-	 * @warning get_spi() implicitly creates an SA with
-	 * the allocated SPI, therefore the replace flag
-	 * in add_sa() must be set when installing this SA.
-	 * 
 	 * @param src		source address of SA
 	 * @param dst		destination address of SA
 	 * @param protocol	protocol for SA (ESP/AH)
@@ -128,25 +129,24 @@ struct kernel_ipsec_t {
 	 * @param expire_soft	lifetime in seconds before rekeying
 	 * @param expire_hard	lifetime in seconds before delete
 	 * @param enc_alg		Algorithm to use for encryption (ESP only)
-	 * @param enc_size		key length of encryption algorithm, if dynamic
+	 * @param enc_key		key to use for encryption
 	 * @param int_alg		Algorithm to use for integrity protection
-	 * @param int_size		key length of integrity algorithm, if dynamic
-	 * @param prf_plus		PRF to derive keys from
+	 * @param int_key		key to use for integrity protection
 	 * @param mode			mode of the SA (tunnel, transport)
 	 * @param ipcomp		IPComp transform to use
+	 * @param cpi			CPI for IPComp
 	 * @param encap			enable UDP encapsulation for NAT traversal
-	 * @param replace		Should an already installed SA be updated?
+	 * @param inbound		TRUE if this is an inbound SA
 	 * @return				SUCCESS if operation completed
 	 */
 	status_t (*add_sa) (kernel_ipsec_t *this,
 						host_t *src, host_t *dst, u_int32_t spi,
 						protocol_id_t protocol, u_int32_t reqid,
 						u_int64_t expire_soft, u_int64_t expire_hard,
-					    u_int16_t enc_alg, u_int16_t enc_size,
-					    u_int16_t int_alg, u_int16_t int_size,
-						prf_plus_t *prf_plus, ipsec_mode_t mode,
-						u_int16_t ipcomp, bool encap,
-						bool update);
+					    u_int16_t enc_alg, chunk_t enc_key,
+					    u_int16_t int_alg, chunk_t int_key,
+						ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
+						bool encap, bool inbound);
 	
 	/**
 	 * Update the hosts on an installed SA.
@@ -158,32 +158,21 @@ struct kernel_ipsec_t {
 	 *
 	 * @param spi			SPI of the SA
 	 * @param protocol		protocol for this SA (ESP/AH)
+	 * @param cpi			CPI for IPComp, 0 if no IPComp is used
 	 * @param src			current source address
 	 * @param dst			current destination address
 	 * @param new_src		new source address
 	 * @param new_dst		new destination address
-	 * @param encap			use UDP encapsulation
-	 * @return				SUCCESS if operation completed
+	 * @param encap			current use of UDP encapsulation
+	 * @param new_encap		new use of UDP encapsulation
+	 * @return				SUCCESS if operation completed, NOT_SUPPORTED if
+	 *                      the kernel interface can't update the SA
 	 */
 	status_t (*update_sa)(kernel_ipsec_t *this,
-						  u_int32_t spi, protocol_id_t protocol,
+						  u_int32_t spi, protocol_id_t protocol, u_int16_t cpi,
 						  host_t *src, host_t *dst, 
-						  host_t *new_src, host_t *new_dst, bool encap);
-	
-	/**
-	 * Query the use time of an SA.
-	 *
-	 * The use time of an SA is not the time of the last usage, but 
-	 * the time of the first usage of the SA.
-	 * 
-	 * @param dst			destination address for this SA
-	 * @param spi			SPI allocated by us or remote peer
-	 * @param protocol		protocol for this SA (ESP/AH)
-	 * @param use_time		pointer receives the time of this SA's last use
-	 * @return				SUCCESS if operation completed
-	 */
-	status_t (*query_sa) (kernel_ipsec_t *this, host_t *dst, u_int32_t spi, 
-						  protocol_id_t protocol, u_int32_t *use_time);
+						  host_t *new_src, host_t *new_dst,
+						  bool encap, bool new_encap);
 	
 	/**
 	 * Delete a previusly installed SA from the SAD.
@@ -191,10 +180,11 @@ struct kernel_ipsec_t {
 	 * @param dst			destination address for this SA
 	 * @param spi			SPI allocated by us or remote peer
 	 * @param protocol		protocol for this SA (ESP/AH)
+	 * @param cpi			CPI for IPComp or 0
 	 * @return				SUCCESS if operation completed
 	 */
 	status_t (*del_sa) (kernel_ipsec_t *this, host_t *dst, u_int32_t spi,
-						protocol_id_t protocol);
+						protocol_id_t protocol, u_int16_t cpi);
 	
 	/**
 	 * Add a policy to the SPD.
@@ -207,20 +197,23 @@ struct kernel_ipsec_t {
 	 * @param src_ts		traffic selector to match traffic source
 	 * @param dst_ts		traffic selector to match traffic dest
 	 * @param direction		direction of traffic, POLICY_IN, POLICY_OUT, POLICY_FWD
+	 * @param spi			SPI of SA
 	 * @param protocol		protocol to use to protect traffic (AH/ESP)
 	 * @param reqid			unique ID of an SA to use to enforce policy
-	 * @param high_prio		if TRUE, uses a higher priority than any with FALSE
 	 * @param mode			mode of SA (tunnel, transport)
 	 * @param ipcomp		the IPComp transform used
+	 * @param cpi			CPI for IPComp
+	 * @param routed		TRUE, if this policy is routed in the kernel
 	 * @return				SUCCESS if operation completed
 	 */
 	status_t (*add_policy) (kernel_ipsec_t *this,
 							host_t *src, host_t *dst,
 							traffic_selector_t *src_ts,
 							traffic_selector_t *dst_ts,
-							policy_dir_t direction, protocol_id_t protocol,
-							u_int32_t reqid, bool high_prio, ipsec_mode_t mode,
-							u_int16_t ipcomp);
+							policy_dir_t direction, u_int32_t spi,
+							protocol_id_t protocol, u_int32_t reqid,
+							ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
+							bool routed);
 	
 	/**
 	 * Query the use time of a policy.
@@ -250,12 +243,14 @@ struct kernel_ipsec_t {
 	 * @param src_ts		traffic selector to match traffic source
 	 * @param dst_ts		traffic selector to match traffic dest
 	 * @param direction		direction of traffic, POLICY_IN, POLICY_OUT, POLICY_FWD
+	 * @param unrouted		TRUE, if this policy is unrouted from the kernel
 	 * @return				SUCCESS if operation completed
 	 */
 	status_t (*del_policy) (kernel_ipsec_t *this,
 							traffic_selector_t *src_ts, 
 							traffic_selector_t *dst_ts,
-							policy_dir_t direction);
+							policy_dir_t direction,
+							bool unrouted);
 	
 	/**
 	 * Destroy the implementation.
diff --git a/src/charon/network/sender.c b/src/charon/network/sender.c
index 60a08d0c3..3295ec2df 100644
--- a/src/charon/network/sender.c
+++ b/src/charon/network/sender.c
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: sender.c 3742 2008-04-03 09:19:12Z tobias $
+ * $Id: sender.c 4582 2008-11-05 12:24:36Z martin $
  */
 
 #include <stdlib.h>
@@ -24,6 +24,7 @@
 #include <daemon.h>
 #include <network/socket.h>
 #include <processing/jobs/callback_job.h>
+#include <utils/mutex.h>
 
 
 typedef struct private_sender_t private_sender_t;
@@ -50,17 +51,17 @@ struct private_sender_t {
 	/**
 	 * mutex to synchronize access to list
 	 */
-	pthread_mutex_t mutex;
+	mutex_t *mutex;
 
 	/**
 	 * condvar to signal for packets added to list
 	 */
-	pthread_cond_t gotone;
+	condvar_t *got;
 	
 	/**
 	 * condvar to signal for packets sent
 	 */
-	pthread_cond_t sentone;
+	condvar_t *sent;
 };
 
 /**
@@ -74,10 +75,10 @@ static void send_(private_sender_t *this, packet_t *packet)
 	dst = packet->get_destination(packet);
 	DBG1(DBG_NET, "sending packet: from %#H to %#H", src, dst);
 	
-	pthread_mutex_lock(&this->mutex);
+	this->mutex->lock(this->mutex);
 	this->list->insert_last(this->list, packet);
-	pthread_cond_signal(&this->gotone);
-	pthread_mutex_unlock(&this->mutex);
+	this->got->signal(this->got);
+	this->mutex->unlock(this->mutex);
 }
 
 /**
@@ -88,21 +89,21 @@ static job_requeue_t send_packets(private_sender_t * this)
 	packet_t *packet;
 	int oldstate;
 	
-	pthread_mutex_lock(&this->mutex);
+	this->mutex->lock(this->mutex);
 	while (this->list->get_count(this->list) == 0)
 	{
 		/* add cleanup handler, wait for packet, remove cleanup handler */
-		pthread_cleanup_push((void(*)(void*))pthread_mutex_unlock, (void*)&this->mutex);
+		pthread_cleanup_push((void(*)(void*))this->mutex->unlock, this->mutex);
 		pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
 		
-		pthread_cond_wait(&this->gotone, &this->mutex);
+		this->got->wait(this->got, this->mutex);
 		
 		pthread_setcancelstate(oldstate, NULL);
 		pthread_cleanup_pop(0);
 	}
 	this->list->remove_first(this->list, (void**)&packet);
-	pthread_cond_signal(&this->sentone);
-	pthread_mutex_unlock(&this->mutex);
+	this->sent->signal(this->sent);
+	this->mutex->unlock(this->mutex);
 	
 	charon->socket->send(charon->socket, packet);
 	packet->destroy(packet);
@@ -115,15 +116,17 @@ static job_requeue_t send_packets(private_sender_t * this)
 static void destroy(private_sender_t *this)
 {
 	/* send all packets in the queue */
-	pthread_mutex_lock(&this->mutex);
+	this->mutex->lock(this->mutex);
 	while (this->list->get_count(this->list))
 	{
-		pthread_cond_wait(&this->sentone, &this->mutex);
+		this->sent->wait(this->sent, this->mutex);
 	}
-	pthread_mutex_unlock(&this->mutex);
-	pthread_mutex_destroy(&this->mutex);
+	this->mutex->unlock(this->mutex);
 	this->job->cancel(this->job);
 	this->list->destroy(this->list);
+	this->got->destroy(this->got);
+	this->sent->destroy(this->sent);
+	this->mutex->destroy(this->mutex);
 	free(this);
 }
 
@@ -133,19 +136,19 @@ static void destroy(private_sender_t *this)
 sender_t * sender_create()
 {
 	private_sender_t *this = malloc_thing(private_sender_t);
-
+	
 	this->public.send = (void(*)(sender_t*,packet_t*))send_;
 	this->public.destroy = (void(*)(sender_t*)) destroy;
-
+	
 	this->list = linked_list_create();
-	pthread_mutex_init(&this->mutex, NULL);
-	pthread_cond_init(&this->gotone, NULL);
-	pthread_cond_init(&this->sentone, NULL);
-
+	this->mutex = mutex_create(MUTEX_DEFAULT);
+	this->got = condvar_create(CONDVAR_DEFAULT);
+	this->sent = condvar_create(CONDVAR_DEFAULT);
+	
 	this->job = callback_job_create((callback_job_cb_t)send_packets,
 									this, NULL, NULL);
 	charon->processor->queue_job(charon->processor, (job_t*)this->job);
-
+	
 	return &this->public;
 }
 
diff --git a/src/charon/network/socket-raw.c b/src/charon/network/socket-raw.c
index 5d1623ffd..40218f67d 100644
--- a/src/charon/network/socket-raw.c
+++ b/src/charon/network/socket-raw.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger
- * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005-2008 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
  *
@@ -14,7 +14,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: socket-raw.c 3870 2008-04-24 13:49:20Z martin $
+ * $Id: socket-raw.c 4646 2008-11-13 07:15:45Z martin $
  */
 
 /* for struct in6_pktinfo */
@@ -33,7 +33,7 @@
 #include <netinet/ip.h>
 #include <netinet/ip6.h>
 #include <netinet/udp.h>
-#include <linux/ipsec.h>
+#include <linux/types.h>
 #include <linux/filter.h>
 #include <net/if.h>
 
@@ -53,11 +53,6 @@
 #define IKE_VERSION_OFFSET 17
 #define IKE_LENGTH_OFFSET 24
 
-/* from linux/in.h */
-#ifndef IP_IPSEC_POLICY
-#define IP_IPSEC_POLICY 16
-#endif /*IP_IPSEC_POLICY*/
-
 /* from linux/udp.h */
 #ifndef UDP_ENCAP
 #define UDP_ENCAP 100
@@ -72,11 +67,6 @@
 #define IPV6_2292PKTINFO 2
 #endif /*IPV6_2292PKTINFO*/
 
-/* missing on uclibc */
-#ifndef IPV6_IPSEC_POLICY
-#define IPV6_IPSEC_POLICY 34
-#endif /*IPV6_IPSEC_POLICY*/
-
 typedef struct private_socket_t private_socket_t;
 
 /**
@@ -440,8 +430,7 @@ static int open_send_socket(private_socket_t *this, int family, u_int16_t port)
 	int on = TRUE;
 	int type = UDP_ENCAP_ESPINUDP;
 	struct sockaddr_storage addr;
-	u_int sol, ipsec_policy;
-	struct sadb_x_policy policy;
+	u_int sol;
 	int skt;
 	
 	memset(&addr, 0, sizeof(addr));
@@ -455,7 +444,6 @@ static int open_send_socket(private_socket_t *this, int family, u_int16_t port)
 			sin->sin_addr.s_addr = INADDR_ANY;
 			sin->sin_port = htons(port);
 			sol = SOL_IP;
-			ipsec_policy = IP_IPSEC_POLICY;
 			break;
 		}
 		case AF_INET6:
@@ -465,7 +453,6 @@ static int open_send_socket(private_socket_t *this, int family, u_int16_t port)
 			memcpy(&sin6->sin6_addr, &in6addr_any, sizeof(in6addr_any));
 			sin6->sin6_port = htons(port);
 			sol = SOL_IPV6;
-			ipsec_policy = IPV6_IPSEC_POLICY;
 			break;
 		}
 		default:
@@ -487,32 +474,6 @@ static int open_send_socket(private_socket_t *this, int family, u_int16_t port)
 		return 0;
 	}
 	
-	/* bypass outgoung IKE traffic on send socket */
-	memset(&policy, 0, sizeof(policy));
-	policy.sadb_x_policy_len = sizeof(policy) / sizeof(u_int64_t);
-	policy.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
-	policy.sadb_x_policy_type = IPSEC_POLICY_BYPASS;
-	policy.sadb_x_policy_dir = IPSEC_DIR_OUTBOUND;
-	
-	if (setsockopt(skt, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
-	{
-		DBG1(DBG_NET, "unable to set IPSEC_POLICY on send socket: %s",
-			 strerror(errno));
-		close(skt);
-		return 0;
-	}
-	
-	/* We don't receive packets on the send socket, but we need a INBOUND policy.
-	 * Otherwise, UDP decapsulation does not work!!! */
-	policy.sadb_x_policy_dir = IPSEC_DIR_INBOUND;
-	if (setsockopt(skt, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
-	{
-		DBG1(DBG_NET, "unable to set IPSEC_POLICY on send socket: %s", 
-			 strerror(errno));
-		close(skt);
-		return 0;
-	}
-	
 	/* bind the send socket */
 	if (bind(skt, (struct sockaddr *)&addr, sizeof(addr)) < 0)
 	{
@@ -542,8 +503,7 @@ static int open_recv_socket(private_socket_t *this, int family)
 {
 	int skt;
 	int on = TRUE;
-	u_int proto_offset, ip_len, sol, ipsec_policy, udp_header, ike_header;
-	struct sadb_x_policy policy;
+	u_int proto_offset, ip_len, sol, udp_header, ike_header;
 	
 	/* precalculate constants depending on address family */
 	switch (family)
@@ -552,13 +512,11 @@ static int open_recv_socket(private_socket_t *this, int family)
 			proto_offset = IP_PROTO_OFFSET;
 			ip_len = IP_LEN;
 			sol = SOL_IP;
-			ipsec_policy = IP_IPSEC_POLICY;
 			break;
 		case AF_INET6:
 			proto_offset = IP6_PROTO_OFFSET;
 			ip_len = 0; /* IPv6 raw sockets contain no IP header */
 			sol = SOL_IPV6;
-			ipsec_policy = IPV6_IPSEC_POLICY;
 			break;
 		default:
 			return 0;
@@ -633,22 +591,67 @@ static int open_recv_socket(private_socket_t *this, int family)
 		return 0;
 	}
 	
-	/* bypass incomining IKE traffic on this socket */
-	memset(&policy, 0, sizeof(policy));
-	policy.sadb_x_policy_len = sizeof(policy) / sizeof(u_int64_t);
-	policy.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
-	policy.sadb_x_policy_type = IPSEC_POLICY_BYPASS;
-	policy.sadb_x_policy_dir = IPSEC_DIR_INBOUND;
+	return skt;
+}
+
+/**
+ * enumerator for underlying sockets
+ */
+typedef struct {
+	/** implements enumerator_t */
+	enumerator_t public;
+	/** sockets we enumerate */
+	private_socket_t *socket;
+	/** counter */
+	int index;
+} socket_enumerator_t;
+
+/**
+ * enumerate function for socket_enumerator_t
+ */
+static bool enumerate(socket_enumerator_t *this, int *fd, int *family, int *port)
+{
+	static const struct {
+		int fd_offset;
+		int family;
+		int port;
+	} sockets[] = {
+		{ offsetof(private_socket_t, recv4), AF_INET, IKEV2_UDP_PORT },
+		{ offsetof(private_socket_t, recv6), AF_INET6, IKEV2_UDP_PORT },
+		{ offsetof(private_socket_t, send4), AF_INET, IKEV2_UDP_PORT },
+		{ offsetof(private_socket_t, send6), AF_INET6, IKEV2_UDP_PORT },
+		{ offsetof(private_socket_t, send4_natt), AF_INET, IKEV2_NATT_PORT },
+		{ offsetof(private_socket_t, send6_natt), AF_INET6, IKEV2_NATT_PORT }
+	};
 	
-	if (setsockopt(skt, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
+	while(++this->index < countof(sockets))
 	{
-		DBG1(DBG_NET, "unable to set IPSEC_POLICY on raw socket: %s",
-			 strerror(errno));
-		close(skt);
-		return 0;
+		int sock = *(int*)((char*)this->socket + sockets[this->index].fd_offset);
+		if (!sock)
+		{
+			continue;
+		}
+		*fd = sock;
+		*family = sockets[this->index].family;
+		*port = sockets[this->index].port;
+		return TRUE;
 	}
-	
-	return skt;
+	return FALSE;
+}
+
+/**
+ * implementation of socket_t.create_enumerator
+ */
+static enumerator_t *create_enumerator(private_socket_t *this)
+{
+	socket_enumerator_t *enumerator;
+	
+	enumerator = malloc_thing(socket_enumerator_t);
+	enumerator->index = -1;
+	enumerator->socket = this;
+	enumerator->public.enumerate = (void*)enumerate;
+	enumerator->public.destroy = (void*)free;
+	return &enumerator->public;
 }
 
 /**
@@ -688,12 +691,12 @@ static void destroy(private_socket_t *this)
  */
 socket_t *socket_create()
 {
-	int key;
 	private_socket_t *this = malloc_thing(private_socket_t);
-
+	
 	/* public functions */
 	this->public.send = (status_t(*)(socket_t*, packet_t*))sender;
 	this->public.receive = (status_t(*)(socket_t*, packet_t**))receiver;
+	this->public.create_enumerator = (enumerator_t*(*)(socket_t*))create_enumerator;
 	this->public.destroy = (void(*)(socket_t*)) destroy;
 	
 	this->recv4 = 0;
@@ -703,15 +706,6 @@ socket_t *socket_create()
 	this->send4_natt = 0;
 	this->send6_natt = 0;
 	
-	/* we open a AF_KEY socket to autoload the af_key module. Otherwise
-	 * setsockopt(IPSEC_POLICY) won't work. */
-	key = socket(AF_KEY, SOCK_RAW, PF_KEY_V2);
-	if (key == 0)
-	{
-		charon->kill(charon, "could not open AF_KEY socket");
-	}
-	close(key);
-	
 	this->recv4 = open_recv_socket(this, AF_INET);
 	if (this->recv4 == 0)
 	{
diff --git a/src/charon/network/socket.c b/src/charon/network/socket.c
index 60ea5f7c8..6be59ef62 100644
--- a/src/charon/network/socket.c
+++ b/src/charon/network/socket.c
@@ -1,5 +1,6 @@
 /*
- * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger
+ * Copyright (C) 2006-2008 Tobias Brunner
+ * Copyright (C) 2006 Daniel Roethlisberger
  * Copyright (C) 2005-2007 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
@@ -14,7 +15,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: socket.c 3870 2008-04-24 13:49:20Z martin $
+ * $Id: socket.c 4646 2008-11-13 07:15:45Z martin $
  */
 
 /* for struct in6_pktinfo */
@@ -33,7 +34,7 @@
 #include <netinet/ip.h>
 #include <netinet/ip6.h>
 #include <netinet/udp.h>
-#include <linux/ipsec.h>
+#include <linux/types.h>
 #include <linux/filter.h>
 #include <net/if.h>
 
@@ -44,11 +45,6 @@
 /* length of non-esp marker */
 #define MARKER_LEN sizeof(u_int32_t)
 
-/* from linux/in.h */
-#ifndef IP_IPSEC_POLICY
-#define IP_IPSEC_POLICY 16
-#endif /*IP_IPSEC_POLICY*/
-
 /* from linux/udp.h */
 #ifndef UDP_ENCAP
 #define UDP_ENCAP 100
@@ -405,8 +401,7 @@ static int open_socket(private_socket_t *this, int family, u_int16_t port)
 	int on = TRUE;
 	int type = UDP_ENCAP_ESPINUDP;
 	struct sockaddr_storage addr;
-	u_int sol, ipsec_policy, pktinfo;
-	struct sadb_x_policy policy;
+	u_int sol, pktinfo;
 	int skt;
 	
 	memset(&addr, 0, sizeof(addr));
@@ -420,7 +415,6 @@ static int open_socket(private_socket_t *this, int family, u_int16_t port)
 			sin->sin_addr.s_addr = INADDR_ANY;
 			sin->sin_port = htons(port);
 			sol = SOL_IP;
-			ipsec_policy = IP_IPSEC_POLICY;
 			pktinfo = IP_PKTINFO;
 			break;
 		}
@@ -431,7 +425,6 @@ static int open_socket(private_socket_t *this, int family, u_int16_t port)
 			memcpy(&sin6->sin6_addr, &in6addr_any, sizeof(in6addr_any));
 			sin6->sin6_port = htons(port);
 			sol = SOL_IPV6;
-			ipsec_policy = IPV6_IPSEC_POLICY;
 			pktinfo = IPV6_2292PKTINFO;
 			break;
 		}
@@ -452,29 +445,6 @@ static int open_socket(private_socket_t *this, int family, u_int16_t port)
 		return 0;
 	}
 	
-	/* bypass IKE traffic on socket */
-	memset(&policy, 0, sizeof(policy));
-	policy.sadb_x_policy_len = sizeof(policy) / sizeof(u_int64_t);
-	policy.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
-	policy.sadb_x_policy_type = IPSEC_POLICY_BYPASS;
-	
-	policy.sadb_x_policy_dir = IPSEC_DIR_OUTBOUND;
-	if (setsockopt(skt, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
-	{
-		DBG1(DBG_NET, "unable to set IPSEC_POLICY on socket: %s",
-			 strerror(errno));
-		close(skt);
-		return 0;
-	}
-	policy.sadb_x_policy_dir = IPSEC_DIR_INBOUND;
-	if (setsockopt(skt, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
-	{
-		DBG1(DBG_NET, "unable to set IPSEC_POLICY on socket: %s", 
-			 strerror(errno));
-		close(skt);
-		return 0;
-	}
-	
 	/* bind the send socket */
 	if (bind(skt, (struct sockaddr *)&addr, sizeof(addr)) < 0)
 	{
@@ -500,6 +470,64 @@ static int open_socket(private_socket_t *this, int family, u_int16_t port)
 	return skt;
 }
 
+/**
+ * enumerator for underlying sockets
+ */
+typedef struct {
+	/** implements enumerator_t */
+	enumerator_t public;
+	/** sockets we enumerate */
+	private_socket_t *socket;
+	/** counter */
+	int index;
+} socket_enumerator_t;
+
+/**
+ * enumerate function for socket_enumerator_t
+ */
+static bool enumerate(socket_enumerator_t *this, int *fd, int *family, int *port)
+{
+	static const struct {
+		int fd_offset;
+		int family;
+		int port;
+	} sockets[] = {
+		{ offsetof(private_socket_t, ipv4), AF_INET, IKEV2_UDP_PORT },
+		{ offsetof(private_socket_t, ipv6), AF_INET6, IKEV2_UDP_PORT },
+		{ offsetof(private_socket_t, ipv4_natt), AF_INET, IKEV2_NATT_PORT },
+		{ offsetof(private_socket_t, ipv6_natt), AF_INET6, IKEV2_NATT_PORT }
+	};
+	
+	while(++this->index < countof(sockets))
+	{
+		int sock = *(int*)((char*)this->socket + sockets[this->index].fd_offset);
+		if (!sock)
+		{
+			continue;
+		}
+		*fd = sock;
+		*family = sockets[this->index].family;
+		*port = sockets[this->index].port;
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/**
+ * implementation of socket_t.create_enumerator
+ */
+static enumerator_t *create_enumerator(private_socket_t *this)
+{
+	socket_enumerator_t *enumerator;
+	
+	enumerator = malloc_thing(socket_enumerator_t);
+	enumerator->index = -1;
+	enumerator->socket = this;
+	enumerator->public.enumerate = (void*)enumerate;
+	enumerator->public.destroy = (void*)free;
+	return &enumerator->public;
+}
+
 /**
  * implementation of socket_t.destroy
  */
@@ -529,12 +557,12 @@ static void destroy(private_socket_t *this)
  */
 socket_t *socket_create()
 {
-	int key;
 	private_socket_t *this = malloc_thing(private_socket_t);
 
 	/* public functions */
 	this->public.send = (status_t(*)(socket_t*, packet_t*))sender;
 	this->public.receive = (status_t(*)(socket_t*, packet_t**))receiver;
+	this->public.create_enumerator = (enumerator_t*(*)(socket_t*))create_enumerator;
 	this->public.destroy = (void(*)(socket_t*)) destroy;
 	
 	this->ipv4 = 0;
@@ -542,15 +570,6 @@ socket_t *socket_create()
 	this->ipv4_natt = 0;
 	this->ipv6_natt = 0;
 	
-	/* we open a AF_KEY socket to autoload the af_key module. Otherwise
-	 * setsockopt(IPSEC_POLICY) won't work. */
-	key = socket(AF_KEY, SOCK_RAW, PF_KEY_V2);
-	if (key == 0)
-	{
-		charon->kill(charon, "could not open AF_KEY socket");
-	}
-	close(key);
-
 	this->ipv4 = open_socket(this, AF_INET, IKEV2_UDP_PORT);
 	if (this->ipv4 == 0)
 	{
diff --git a/src/charon/network/socket.h b/src/charon/network/socket.h
index b76a9b0c3..4e967f721 100644
--- a/src/charon/network/socket.h
+++ b/src/charon/network/socket.h
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger
- * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005-2008 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
  *
@@ -14,7 +14,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: socket.h 4355 2008-09-25 07:56:58Z tobias $
+ * $Id: socket.h 4647 2008-11-13 07:48:27Z martin $
  */
 
 /**
@@ -30,15 +30,13 @@ typedef struct socket_t socket_t;
 #include <library.h>
 #include <network/packet.h>
 #include <utils/host.h>
-#include <utils/linked_list.h>
+#include <utils/enumerator.h>
 
 /**
  * Maximum size of a packet.
  *
- * 3000 Bytes should be sufficient, see IKEv2 RFC. However, we currently
- * do not support HASH_AND_URL certificates, so we require to transmit
- * the full certificates. To run our multi-CA test with 2 intermediate CAs,
- * 5000 bytes is sufficient.
+ * 3000 Bytes should be sufficient, see IKEv2 RFC. However, to run our
+ * multi-CA test with 2 intermediate CAs, we increase that to 5000 bytes.
  */
 #define MAX_PACKET 5000
 
@@ -73,9 +71,8 @@ struct socket_t {
 	/**
 	 * Send a packet.
 	 * 
-	 * Sends a packet to the net using destination from the packet.
-	 * Packet is sent using default routing mechanisms, thus the 
-	 * source address in packet is ignored.
+	 * Sends a packet to the net using source and destination addresses of
+	 * the packet.
 	 * 
 	 * @param packet		packet_t to send
 	 * @return 				
@@ -84,6 +81,13 @@ struct socket_t {
 	 */
 	status_t (*send) (socket_t *this, packet_t *packet);
 	
+	/**
+	 * Enumerate all underlying socket file descriptors.
+	 * 
+	 * @return				enumerator over (int fd, int family, int port)
+	 */
+	enumerator_t *(*create_enumerator) (socket_t *this);
+	
 	/**
 	 * Destroy socket.
 	 */
diff --git a/src/charon/plugins/eap_aka/eap_aka.c b/src/charon/plugins/eap_aka/eap_aka.c
index 4c0f76b7f..bb3825d3d 100644
--- a/src/charon/plugins/eap_aka/eap_aka.c
+++ b/src/charon/plugins/eap_aka/eap_aka.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: eap_aka.c 4276 2008-08-22 10:44:51Z martin $
+ * $Id: eap_aka.c 4628 2008-11-11 15:19:13Z martin $
  */
 
 
@@ -35,6 +35,7 @@
  *   - server_initiate_challenge() - Initiation of AKA-Challenge
  */
 
+#include <limits.h>
 #include <string.h>
 #include <unistd.h>
 #include <sys/time.h>
diff --git a/src/charon/plugins/kernel_klips/Makefile.am b/src/charon/plugins/kernel_klips/Makefile.am
new file mode 100644
index 000000000..dc0234775
--- /dev/null
+++ b/src/charon/plugins/kernel_klips/Makefile.am
@@ -0,0 +1,10 @@
+
+INCLUDES = -I${linuxdir} -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
+
+AM_CFLAGS = -rdynamic
+
+plugin_LTLIBRARIES = libstrongswan-kernel-klips.la
+
+libstrongswan_kernel_klips_la_SOURCES = kernel_klips_plugin.h kernel_klips_plugin.c \
+	kernel_klips_ipsec.h kernel_klips_ipsec.c pfkeyv2.h
+libstrongswan_kernel_klips_la_LDFLAGS = -module
diff --git a/src/charon/plugins/kernel_klips/Makefile.in b/src/charon/plugins/kernel_klips/Makefile.in
new file mode 100644
index 000000000..702b38394
--- /dev/null
+++ b/src/charon/plugins/kernel_klips/Makefile.in
@@ -0,0 +1,501 @@
+# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/charon/plugins/kernel_klips
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__installdirs = "$(DESTDIR)$(plugindir)"
+pluginLTLIBRARIES_INSTALL = $(INSTALL)
+LTLIBRARIES = $(plugin_LTLIBRARIES)
+libstrongswan_kernel_klips_la_LIBADD =
+am_libstrongswan_kernel_klips_la_OBJECTS = kernel_klips_plugin.lo \
+	kernel_klips_ipsec.lo
+libstrongswan_kernel_klips_la_OBJECTS =  \
+	$(am_libstrongswan_kernel_klips_la_OBJECTS)
+libstrongswan_kernel_klips_la_LINK = $(LIBTOOL) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_kernel_klips_la_LDFLAGS) $(LDFLAGS) -o $@
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_kernel_klips_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_kernel_klips_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+CXXDEPMODE = @CXXDEPMODE@
+CXXFLAGS = @CXXFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DSYMUTIL = @DSYMUTIL@
+ECHO = @ECHO@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+F77 = @F77@
+FFLAGS = @FFLAGS@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
+IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LINUX_HEADERS = @LINUX_HEADERS@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+NMEDIT = @NMEDIT@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+RANLIB = @RANLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_CXX = @ac_ct_CXX@
+ac_ct_F77 = @ac_ct_F77@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+confdir = @confdir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libstrongswan_plugins = @libstrongswan_plugins@
+linuxdir = @linuxdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+resolv_conf = @resolv_conf@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+simreader = @simreader@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I${linuxdir} -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
+AM_CFLAGS = -rdynamic
+plugin_LTLIBRARIES = libstrongswan-kernel-klips.la
+libstrongswan_kernel_klips_la_SOURCES = kernel_klips_plugin.h kernel_klips_plugin.c \
+	kernel_klips_ipsec.h kernel_klips_ipsec.c pfkeyv2.h
+
+libstrongswan_kernel_klips_la_LDFLAGS = -module
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
+		&& exit 0; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/charon/plugins/kernel_klips/Makefile'; \
+	cd $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu  src/charon/plugins/kernel_klips/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    f=$(am__strip_dir) \
+	    echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(plugindir)/$$f'"; \
+	    $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(plugindir)/$$f"; \
+	  else :; fi; \
+	done
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  p=$(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$p'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$p"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-kernel-klips.la: $(libstrongswan_kernel_klips_la_OBJECTS) $(libstrongswan_kernel_klips_la_DEPENDENCIES) 
+	$(libstrongswan_kernel_klips_la_LINK) -rpath $(plugindir) $(libstrongswan_kernel_klips_la_OBJECTS) $(libstrongswan_kernel_klips_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_klips_ipsec.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_klips_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	    $$tags $$unique; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$tags $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) $$here
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	    fi; \
+	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
+	mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-info: install-info-am
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
+	distclean-compile distclean-generic distclean-libtool \
+	distclean-tags distdir dvi dvi-am html html-am info info-am \
+	install install-am install-data install-data-am install-dvi \
+	install-dvi-am install-exec install-exec-am install-html \
+	install-html-am install-info install-info-am install-man \
+	install-pdf install-pdf-am install-pluginLTLIBRARIES \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/charon/plugins/kernel_klips/kernel_klips_ipsec.c b/src/charon/plugins/kernel_klips/kernel_klips_ipsec.c
new file mode 100644
index 000000000..91bef0a54
--- /dev/null
+++ b/src/charon/plugins/kernel_klips/kernel_klips_ipsec.c
@@ -0,0 +1,2659 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id: kernel_klips_ipsec.c 4631 2008-11-11 18:35:10Z martin $
+ */
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/ioctl.h>
+#include <stdint.h>
+#include "pfkeyv2.h"
+#include <linux/udp.h>
+#include <net/if.h>
+#include <unistd.h>
+#include <pthread.h>
+#include <stdio.h>
+#include <string.h>
+#include <time.h>
+#include <errno.h>
+
+#include "kernel_klips_ipsec.h"
+
+#include <daemon.h>
+#include <utils/mutex.h>
+#include <processing/jobs/callback_job.h>
+#include <processing/jobs/acquire_job.h>
+#include <processing/jobs/rekey_child_sa_job.h>
+#include <processing/jobs/delete_child_sa_job.h>
+#include <processing/jobs/update_sa_job.h>
+
+/** default timeout for generated SPIs (in seconds) */
+#define SPI_TIMEOUT 30
+
+/** buffer size for PF_KEY messages */
+#define PFKEY_BUFFER_SIZE 2048
+
+/** PF_KEY messages are 64 bit aligned */
+#define PFKEY_ALIGNMENT 8
+/** aligns len to 64 bits */
+#define PFKEY_ALIGN(len) (((len) + PFKEY_ALIGNMENT - 1) & ~(PFKEY_ALIGNMENT - 1))
+/** calculates the properly padded length in 64 bit chunks */
+#define PFKEY_LEN(len) ((PFKEY_ALIGN(len) / PFKEY_ALIGNMENT))
+/** calculates user mode length i.e. in bytes */
+#define PFKEY_USER_LEN(len) ((len) * PFKEY_ALIGNMENT)
+
+/** given a PF_KEY message header and an extension this updates the length in the header */
+#define PFKEY_EXT_ADD(msg, ext) ((msg)->sadb_msg_len += ((struct sadb_ext*)ext)->sadb_ext_len)
+/** given a PF_KEY message header this returns a pointer to the next extension */
+#define PFKEY_EXT_ADD_NEXT(msg) ((struct sadb_ext*)(((char*)(msg)) + PFKEY_USER_LEN((msg)->sadb_msg_len)))
+/** copy an extension and append it to a PF_KEY message */
+#define PFKEY_EXT_COPY(msg, ext) (PFKEY_EXT_ADD(msg, memcpy(PFKEY_EXT_ADD_NEXT(msg), ext, PFKEY_USER_LEN(((struct sadb_ext*)ext)->sadb_ext_len))))
+/** given a PF_KEY extension this returns a pointer to the next extension */
+#define PFKEY_EXT_NEXT(ext) ((struct sadb_ext*)(((char*)(ext)) + PFKEY_USER_LEN(((struct sadb_ext*)ext)->sadb_ext_len)))
+/** given a PF_KEY extension this returns a pointer to the next extension also updates len (len in 64 bit words) */
+#define PFKEY_EXT_NEXT_LEN(ext,len) ((len) -= (ext)->sadb_ext_len, PFKEY_EXT_NEXT(ext))
+/** true if ext has a valid length and len is large enough to contain ext (assuming len in 64 bit words) */
+#define PFKEY_EXT_OK(ext,len) ((len) >= PFKEY_LEN(sizeof(struct sadb_ext)) && \
+				(ext)->sadb_ext_len >= PFKEY_LEN(sizeof(struct sadb_ext)) && \
+				(ext)->sadb_ext_len <= (len))
+
+/** special SPI values used for policies in KLIPS */
+#define SPI_PASS 256
+#define SPI_DROP 257
+#define SPI_REJECT 258
+#define SPI_HOLD 259
+#define SPI_TRAP 260
+#define SPI_TRAPSUBNET 261
+
+/** the prefix of the name of KLIPS ipsec devices */
+#define IPSEC_DEV_PREFIX "ipsec"
+/** this is the default number of ipsec devices */
+#define DEFAULT_IPSEC_DEV_COUNT 4 
+/** TRUE if the given name matches an ipsec device */
+#define IS_IPSEC_DEV(name) (strneq((name), IPSEC_DEV_PREFIX, sizeof(IPSEC_DEV_PREFIX) - 1))
+
+/** the following stuff is from ipsec_tunnel.h */
+struct ipsectunnelconf
+{
+	__u32	cf_cmd;
+	union
+	{
+		char 	cfu_name[12];
+	} cf_u;
+#define cf_name cf_u.cfu_name
+};
+
+#define IPSEC_SET_DEV (SIOCDEVPRIVATE)
+#define IPSEC_DEL_DEV (SIOCDEVPRIVATE + 1)
+#define IPSEC_CLR_DEV (SIOCDEVPRIVATE + 2)
+
+typedef struct private_kernel_klips_ipsec_t private_kernel_klips_ipsec_t;
+
+/**
+ * Private variables and functions of kernel_klips class.
+ */
+struct private_kernel_klips_ipsec_t
+{
+	/**
+	 * Public part of the kernel_klips_t object.
+	 */
+	kernel_klips_ipsec_t public;
+	
+	/**
+	 * mutex to lock access to various lists
+	 */
+	mutex_t *mutex;
+	
+	/**
+	 * List of installed policies (policy_entry_t)
+	 */
+	linked_list_t *policies;
+	
+	/**
+	 * List of allocated SPIs without installed SA (sa_entry_t)
+	 */
+	linked_list_t *allocated_spis;
+	
+	/**
+	 * List of installed SAs (sa_entry_t)
+	 */
+	linked_list_t *installed_sas;
+	
+	/**
+	 * whether to install routes along policies
+	 */
+	bool install_routes;
+	
+	/**
+	 * List of ipsec devices (ipsec_dev_t)
+	 */
+	linked_list_t *ipsec_devices;
+	
+	/**
+	 * job receiving PF_KEY events
+	 */
+	callback_job_t *job;
+	
+	/**
+	 * mutex to lock access to the PF_KEY socket
+	 */
+	mutex_t *mutex_pfkey;
+	
+	/**
+	 * PF_KEY socket to communicate with the kernel
+	 */
+	int socket;
+	
+	/**
+	 * PF_KEY socket to receive acquire and expire events
+	 */
+	int socket_events;
+	
+	/**
+	 * sequence number for messages sent to the kernel
+	 */
+	int seq;
+	
+};
+
+
+typedef struct ipsec_dev_t ipsec_dev_t;
+
+/**
+ * ipsec device
+ */
+struct ipsec_dev_t {
+	/** name of the virtual ipsec interface */
+	char name[IFNAMSIZ];
+	
+	/** name of the physical interface */
+	char phys_name[IFNAMSIZ];
+	
+	/** by how many CHILD_SA's this ipsec device is used */
+	u_int refcount;
+};
+
+/**
+ * compare the given name with the virtual device name
+ */
+static inline bool ipsec_dev_match_byname(ipsec_dev_t *current, char *name)
+{
+	return name && streq(current->name, name);
+}
+
+/**
+ * compare the given name with the physical device name
+ */
+static inline bool ipsec_dev_match_byphys(ipsec_dev_t *current, char *name)
+{
+	return name && streq(current->phys_name, name);
+}
+
+/**
+ * matches free ipsec devices
+ */
+static inline bool ipsec_dev_match_free(ipsec_dev_t *current)
+{
+	return current->refcount == 0;
+}
+
+/**
+ * tries to find an ipsec_dev_t object by name
+ */
+static status_t find_ipsec_dev(private_kernel_klips_ipsec_t *this, char *name,
+							   ipsec_dev_t **dev)
+{
+	linked_list_match_t match = (linked_list_match_t)(IS_IPSEC_DEV(name) ?
+								ipsec_dev_match_byname : ipsec_dev_match_byphys);
+	return this->ipsec_devices->find_first(this->ipsec_devices, match,
+												(void**)dev, name);
+}
+
+/**
+ * attach an ipsec device to a physical interface
+ */
+static status_t attach_ipsec_dev(char* name, char *phys_name)
+{
+	int sock;
+	struct ifreq req;
+	struct ipsectunnelconf *itc = (struct ipsectunnelconf*)&req.ifr_data;
+	short phys_flags;
+	int mtu;
+	
+	DBG2(DBG_KNL, "attaching virtual interface %s to %s", name, phys_name);
+	
+	if ((sock = socket(AF_INET, SOCK_DGRAM, 0)) <= 0)
+	{
+		return FAILED;
+	}
+	
+	strncpy(req.ifr_name, phys_name, IFNAMSIZ);
+	if (ioctl(sock, SIOCGIFFLAGS, &req) < 0)
+	{
+		close(sock);
+		return FAILED;
+	}
+	phys_flags = req.ifr_flags;
+
+	strncpy(req.ifr_name, name, IFNAMSIZ);
+	if (ioctl(sock, SIOCGIFFLAGS, &req) < 0)
+	{
+		close(sock);
+		return FAILED;
+	}
+	
+	if (req.ifr_flags & IFF_UP)
+	{
+		/* if it's already up, it is already attached, detach it first */
+		ioctl(sock, IPSEC_DEL_DEV, &req);
+	}
+	
+	/* attach it */
+	strncpy(req.ifr_name, name, IFNAMSIZ);
+	strncpy(itc->cf_name, phys_name, sizeof(itc->cf_name));
+	ioctl(sock, IPSEC_SET_DEV, &req);
+	
+	/* copy address from physical to virtual */
+	strncpy(req.ifr_name, phys_name, IFNAMSIZ);
+	if (ioctl(sock, SIOCGIFADDR, &req) == 0)
+	{
+		strncpy(req.ifr_name, name, IFNAMSIZ);
+		ioctl(sock, SIOCSIFADDR, &req);
+	}
+	
+	/* copy net mask from physical to virtual */
+	strncpy(req.ifr_name, phys_name, IFNAMSIZ);
+	if (ioctl(sock, SIOCGIFNETMASK, &req) == 0)
+	{
+		strncpy(req.ifr_name, name, IFNAMSIZ);
+		ioctl(sock, SIOCSIFNETMASK, &req);
+	}
+	
+	/* copy other flags and addresses */
+	strncpy(req.ifr_name, name, IFNAMSIZ);
+	if (ioctl(sock, SIOCGIFFLAGS, &req) == 0)
+	{
+		if (phys_flags & IFF_POINTOPOINT)
+		{
+			req.ifr_flags |= IFF_POINTOPOINT;
+			req.ifr_flags &= ~IFF_BROADCAST;
+			ioctl(sock, SIOCSIFFLAGS, &req);
+			
+			strncpy(req.ifr_name, phys_name, IFNAMSIZ);
+			if (ioctl(sock, SIOCGIFDSTADDR, &req) == 0)
+			{
+				strncpy(req.ifr_name, name, IFNAMSIZ);
+				ioctl(sock, SIOCSIFDSTADDR, &req);
+			}
+		}
+		else if (phys_flags & IFF_BROADCAST)
+		{
+			req.ifr_flags &= ~IFF_POINTOPOINT;
+			req.ifr_flags |= IFF_BROADCAST;
+			ioctl(sock, SIOCSIFFLAGS, &req);
+			
+			strncpy(req.ifr_name, phys_name, IFNAMSIZ);
+			if (ioctl(sock, SIOCGIFBRDADDR, &req)==0)
+			{
+				strncpy(req.ifr_name, name, IFNAMSIZ);
+				ioctl(sock, SIOCSIFBRDADDR, &req);
+			}
+		}
+		else
+		{
+			req.ifr_flags &= ~IFF_POINTOPOINT;
+			req.ifr_flags &= ~IFF_BROADCAST;
+			ioctl(sock, SIOCSIFFLAGS, &req);
+		}
+	}
+
+	mtu = lib->settings->get_int(lib->settings,
+						"charon.plugins.kernel_klips.ipsec_dev_mtu", 0);
+	if (mtu <= 0)
+	{
+		/* guess MTU as physical MTU - ESP overhead [- NAT-T overhead]
+		 * ESP overhead      : 73 bytes
+		 * NAT-T overhead    :  8 bytes ==> 81 bytes
+		 * 
+		 * assuming tunnel mode with AES encryption and integrity
+		 * outer IP header  : 20 bytes
+		 * (NAT-T UDP header:  8 bytes)
+		 * ESP header       :  8 bytes
+		 * IV               : 16 bytes
+		 * padding          : 15 bytes (worst-case)
+		 * pad len / NH     :  2 bytes
+		 * auth data        : 12 bytes
+		 */
+		strncpy(req.ifr_name, phys_name, IFNAMSIZ);
+		ioctl(sock, SIOCGIFMTU, &req);
+		mtu = req.ifr_mtu - 81;
+	}
+	
+	/* set MTU */
+	strncpy(req.ifr_name, name, IFNAMSIZ);
+	req.ifr_mtu = mtu;
+	ioctl(sock, SIOCSIFMTU, &req);
+	
+	/* bring ipsec device UP */
+	if (ioctl(sock, SIOCGIFFLAGS, &req) == 0)
+	{
+		req.ifr_flags |= IFF_UP;
+		ioctl(sock, SIOCSIFFLAGS, &req);
+	}
+	
+	close(sock);
+	return SUCCESS;
+}
+
+/**
+ * detach an ipsec device from a physical interface
+ */
+static status_t detach_ipsec_dev(char* name, char *phys_name)
+{
+	int sock;
+	struct ifreq req;
+	
+	DBG2(DBG_KNL, "detaching virtual interface %s from %s", name,
+			strlen(phys_name) ? phys_name : "any physical interface");
+	
+	if ((sock = socket(AF_INET, SOCK_DGRAM, 0)) <= 0)
+	{
+		return FAILED;
+	}
+	
+	strncpy(req.ifr_name, name, IFNAMSIZ);
+	if (ioctl(sock, SIOCGIFFLAGS, &req) < 0)
+	{
+		close(sock);
+		return FAILED;
+	}
+	
+	/* shutting interface down */
+	if (req.ifr_flags & IFF_UP)
+	{
+		req.ifr_flags &= ~IFF_UP;
+		ioctl(sock, SIOCSIFFLAGS, &req);
+	}
+	
+	/* unset address */
+	memset(&req.ifr_addr, 0, sizeof(req.ifr_addr));
+	req.ifr_addr.sa_family = AF_INET;
+	ioctl(sock, SIOCSIFADDR, &req);
+	
+	/* detach interface */
+	ioctl(sock, IPSEC_DEL_DEV, &req);
+	
+	close(sock);
+	return SUCCESS;
+}
+
+/**
+ * destroy an ipsec_dev_t object
+ */
+static void ipsec_dev_destroy(ipsec_dev_t *this)
+{
+	detach_ipsec_dev(this->name, this->phys_name);
+	free(this);
+}
+
+
+typedef struct route_entry_t route_entry_t;
+
+/**
+ * installed routing entry
+ */
+struct route_entry_t {
+	/** Name of the interface the route is bound to */
+	char *if_name;
+	
+	/** Source ip of the route */
+	host_t *src_ip;
+	
+	/** Gateway for this route */
+	host_t *gateway;
+
+	/** Destination net */
+	chunk_t dst_net;
+
+	/** Destination net prefixlen */
+	u_int8_t prefixlen;
+};
+
+/**
+ * destroy an route_entry_t object
+ */
+static void route_entry_destroy(route_entry_t *this)
+{
+	free(this->if_name);
+	this->src_ip->destroy(this->src_ip);
+	this->gateway->destroy(this->gateway);
+	chunk_free(&this->dst_net);
+	free(this);
+}
+
+typedef struct policy_entry_t policy_entry_t;
+
+/**
+ * installed kernel policy.
+ */
+struct policy_entry_t {
+	
+	/** reqid of this policy, if setup as trap */
+	u_int32_t reqid;
+	
+	/** direction of this policy: in, out, forward */
+	u_int8_t direction;
+	
+	/** parameters of installed policy */
+	struct {
+		/** subnet and port */
+		host_t *net;
+		/** subnet mask */
+		u_int8_t mask;
+		/** protocol */
+		u_int8_t proto;
+	} src, dst;
+	
+	/** associated route installed for this policy */
+	route_entry_t *route;
+	
+	/** by how many CHILD_SA's this policy is actively used */
+	u_int activecount;
+	
+	/** by how many CHILD_SA's this policy is trapped */
+	u_int trapcount;
+};
+
+/**
+ * convert a numerical netmask to a host_t
+ */
+static host_t *mask2host(int family, u_int8_t mask)
+{
+	static const u_char bitmask[] = { 0x00, 0x80, 0xc0, 0xe0, 0xf0, 0xf8, 0xfc, 0xfe };
+	chunk_t chunk = chunk_alloca(family == AF_INET ? 4 : 16);
+	int bytes = mask / 8, bits = mask % 8;
+	memset(chunk.ptr, 0xFF, bytes);
+	memset(chunk.ptr + bytes, 0, chunk.len - bytes);
+	if (bits)
+	{
+		chunk.ptr[bytes] =  bitmask[bits];
+	}
+	return host_create_from_chunk(family, chunk, 0);
+}
+
+/**
+ * check if a host is in a subnet (host with netmask in bits)
+ */
+static bool is_host_in_net(host_t *host, host_t *net, u_int8_t mask)
+{
+	static const u_char bitmask[] = { 0x00, 0x80, 0xc0, 0xe0, 0xf0, 0xf8, 0xfc, 0xfe };
+	chunk_t host_chunk, net_chunk;
+	int bytes = mask / 8, bits = mask % 8;
+	
+	host_chunk = host->get_address(host);
+	net_chunk = net->get_address(net);
+	
+	if (host_chunk.len != net_chunk.len)
+	{
+		return FALSE;
+	}
+	
+	if (memeq(host_chunk.ptr, net_chunk.ptr, bytes))
+	{
+		return (bits == 0) ||
+			   (host_chunk.ptr[bytes] & bitmask[bits]) == 
+				   (net_chunk.ptr[bytes] & bitmask[bits]);
+	}
+	
+	return FALSE;
+}
+
+/**
+ * create a policy_entry_t object
+ */
+static policy_entry_t *create_policy_entry(traffic_selector_t *src_ts,
+		traffic_selector_t *dst_ts, policy_dir_t dir)
+{
+	policy_entry_t *policy = malloc_thing(policy_entry_t);
+	policy->reqid = 0;
+	policy->direction = dir;
+	policy->route = NULL;
+	policy->activecount = 0;
+	policy->trapcount = 0;
+	
+	src_ts->to_subnet(src_ts, &policy->src.net, &policy->src.mask);
+	dst_ts->to_subnet(dst_ts, &policy->dst.net, &policy->dst.mask);
+	
+	/* src or dest proto may be "any" (0), use more restrictive one */
+	policy->src.proto = max(src_ts->get_protocol(src_ts), dst_ts->get_protocol(dst_ts));
+	policy->src.proto = policy->src.proto ? policy->src.proto : 0; 
+	policy->dst.proto = policy->src.proto;
+	
+	return policy;
+}
+
+/**
+ * destroy a policy_entry_t object
+ */
+static void policy_entry_destroy(policy_entry_t *this)
+{
+	DESTROY_IF(this->src.net);
+	DESTROY_IF(this->dst.net);
+	if (this->route)
+	{
+		route_entry_destroy(this->route);
+	}
+	free(this);
+}
+
+/**
+ * compares two policy_entry_t
+ */
+static inline bool policy_entry_equals(policy_entry_t *current, policy_entry_t *policy)
+{
+	return current->direction == policy->direction &&
+		   current->src.proto == policy->src.proto &&
+		   current->dst.proto == policy->dst.proto &&
+		   current->src.mask == policy->src.mask &&
+		   current->dst.mask == policy->dst.mask &&
+		   current->src.net->equals(current->src.net, policy->src.net) &&
+		   current->dst.net->equals(current->dst.net, policy->dst.net);
+}
+
+static inline bool policy_entry_match_byaddrs(policy_entry_t *current, host_t *src,
+		host_t *dst)
+{
+	return is_host_in_net(src, current->src.net, current->src.mask) &&
+			is_host_in_net(dst, current->dst.net, current->dst.mask);
+}
+
+typedef struct sa_entry_t sa_entry_t;
+
+/**
+ * used for two things:
+ * - allocated SPIs that have not yet resulted in an installed SA
+ * - installed inbound SAs with enabled UDP encapsulation
+ */
+struct sa_entry_t {
+	
+	/** protocol of this SA */
+	protocol_id_t protocol;
+	
+	/** reqid of this SA */
+	u_int32_t reqid;
+	
+	/** SPI of this SA */
+	u_int32_t spi;
+	
+	/** src address of this SA */
+	host_t *src;
+	
+	/** dst address of this SA */
+	host_t *dst;
+	
+	/** TRUE if this SA uses UDP encapsulation */
+	bool encap;
+	
+	/** TRUE if this SA is inbound */
+	bool inbound;
+};
+
+/**
+ * create an sa_entry_t object
+ */
+static sa_entry_t *create_sa_entry(protocol_id_t protocol, u_int32_t spi,
+								   u_int32_t reqid, host_t *src, host_t *dst,
+								   bool encap, bool inbound)
+{
+	sa_entry_t *sa = malloc_thing(sa_entry_t);
+	sa->protocol = protocol;
+	sa->reqid = reqid;
+	sa->spi = spi;
+	sa->src = src ? src->clone(src) : NULL;
+	sa->dst = dst ? dst->clone(dst) : NULL;
+	sa->encap = encap;
+	sa->inbound = inbound;
+	return sa;
+}
+
+/**
+ * destroy an sa_entry_t object
+ */
+static void sa_entry_destroy(sa_entry_t *this)
+{
+	DESTROY_IF(this->src);
+	DESTROY_IF(this->dst);
+	free(this);
+}
+
+/**
+ * match an sa_entry_t for an inbound SA that uses UDP encapsulation by spi and src (remote) address
+ */
+static inline bool sa_entry_match_encapbysrc(sa_entry_t *current, u_int32_t *spi,
+		host_t *src)
+{
+	return current->encap && current->inbound &&
+		   current->spi == *spi && src->ip_equals(src, current->src);
+}
+
+/**
+ * match an sa_entry_t by protocol, spi and dst address (as the kernel does it)
+ */
+static inline bool sa_entry_match_bydst(sa_entry_t *current, protocol_id_t *protocol,
+		u_int32_t *spi, host_t *dst)
+{
+	return current->protocol == *protocol && current->spi == *spi && dst->ip_equals(dst, current->dst);
+}
+
+/**
+ * match an sa_entry_t by protocol, reqid and spi
+ */
+static inline bool sa_entry_match_byid(sa_entry_t *current, protocol_id_t *protocol,
+		u_int32_t *spi, u_int32_t *reqid)
+{
+	return current->protocol == *protocol && current->spi == *spi && current->reqid == *reqid;
+}
+
+typedef struct pfkey_msg_t pfkey_msg_t;
+
+struct pfkey_msg_t
+{
+	/**
+	 * PF_KEY message base
+	 */
+	struct sadb_msg *msg;
+	
+	
+	/**
+	 * PF_KEY message extensions
+	 */
+	union {
+		struct sadb_ext *ext[SADB_EXT_MAX + 1];
+		struct {
+			struct sadb_ext *reserved;				/* SADB_EXT_RESERVED */
+			struct sadb_sa *sa;						/* SADB_EXT_SA */
+			struct sadb_lifetime *lft_current;		/* SADB_EXT_LIFETIME_CURRENT */
+			struct sadb_lifetime *lft_hard;			/* SADB_EXT_LIFETIME_HARD */
+			struct sadb_lifetime *lft_soft;			/* SADB_EXT_LIFETIME_SOFT */
+			struct sadb_address *src;				/* SADB_EXT_ADDRESS_SRC */
+			struct sadb_address *dst;				/* SADB_EXT_ADDRESS_DST */
+			struct sadb_address *proxy;				/* SADB_EXT_ADDRESS_PROXY */
+			struct sadb_key *key_auth;				/* SADB_EXT_KEY_AUTH */
+			struct sadb_key *key_encr;				/* SADB_EXT_KEY_ENCRYPT */
+			struct sadb_ident *id_src;				/* SADB_EXT_IDENTITY_SRC */
+			struct sadb_ident *id_dst;				/* SADB_EXT_IDENTITY_DST */
+			struct sadb_sens *sensitivity;			/* SADB_EXT_SENSITIVITY */
+			struct sadb_prop *proposal;				/* SADB_EXT_PROPOSAL */
+			struct sadb_supported *supported_auth;	/* SADB_EXT_SUPPORTED_AUTH */
+			struct sadb_supported *supported_encr;	/* SADB_EXT_SUPPORTED_ENCRYPT */
+			struct sadb_spirange *spirange;			/* SADB_EXT_SPIRANGE */
+			struct sadb_x_kmprivate *x_kmprivate;	/* SADB_X_EXT_KMPRIVATE */
+			struct sadb_ext *x_policy;				/* SADB_X_EXT_SATYPE2 */
+			struct sadb_ext *x_sa2;					/* SADB_X_EXT_SA2 */
+			struct sadb_address *x_dst2;			/* SADB_X_EXT_ADDRESS_DST2 */
+			struct sadb_address *x_src_flow;		/* SADB_X_EXT_ADDRESS_SRC_FLOW */
+			struct sadb_address *x_dst_flow;		/* SADB_X_EXT_ADDRESS_DST_FLOW */
+			struct sadb_address *x_src_mask;		/* SADB_X_EXT_ADDRESS_SRC_MASK */
+			struct sadb_address *x_dst_mask;		/* SADB_X_EXT_ADDRESS_DST_MASK */
+			struct sadb_x_debug *x_debug;			/* SADB_X_EXT_DEBUG */
+			struct sadb_protocol *x_protocol;		/* SADB_X_EXT_PROTOCOL */
+			struct sadb_x_nat_t_type *x_natt_type;	/* SADB_X_EXT_NAT_T_TYPE */
+			struct sadb_x_nat_t_port *x_natt_sport;	/* SADB_X_EXT_NAT_T_SPORT */
+			struct sadb_x_nat_t_port *x_natt_dport;	/* SADB_X_EXT_NAT_T_DPORT */
+			struct sadb_address *x_natt_oa;			/* SADB_X_EXT_NAT_T_OA */
+		} __attribute__((__packed__));
+	};
+};
+
+/**
+ * convert a IKEv2 specific protocol identifier to the PF_KEY sa type
+ */
+static u_int8_t proto_ike2satype(protocol_id_t proto)
+{
+	switch (proto)
+	{
+		case PROTO_ESP:
+			return SADB_SATYPE_ESP;
+		case PROTO_AH:
+			return SADB_SATYPE_AH;
+		case IPPROTO_COMP:
+			return SADB_X_SATYPE_COMP;
+		default:
+			return proto;
+	}
+}
+
+/**
+ * convert a PF_KEY sa type to a IKEv2 specific protocol identifier
+ */
+static protocol_id_t proto_satype2ike(u_int8_t proto)
+{
+	switch (proto)
+	{
+		case SADB_SATYPE_ESP:
+			return PROTO_ESP;
+		case SADB_SATYPE_AH:
+			return PROTO_AH;
+		case SADB_X_SATYPE_COMP:
+			return IPPROTO_COMP;
+		default:
+			return proto;
+	}
+}
+
+typedef struct kernel_algorithm_t kernel_algorithm_t;
+
+/**
+ * Mapping of IKEv2 algorithms to PF_KEY algorithms
+ */
+struct kernel_algorithm_t {
+	/**
+	 * Identifier specified in IKEv2
+	 */
+	int ikev2;
+	
+	/**
+	 * Identifier as defined in pfkeyv2.h
+	 */
+	int kernel;
+};
+
+#define END_OF_LIST -1
+
+/**
+ * Algorithms for encryption
+ */
+static kernel_algorithm_t encryption_algs[] = {
+/*	{ENCR_DES_IV64, 			0							}, */
+	{ENCR_DES, 					SADB_EALG_DESCBC			},
+	{ENCR_3DES, 				SADB_EALG_3DESCBC			},
+/*	{ENCR_RC5, 					0							}, */
+/*	{ENCR_IDEA, 				0							}, */
+/*	{ENCR_CAST, 				0							}, */
+	{ENCR_BLOWFISH, 			SADB_EALG_BFCBC				},
+/*	{ENCR_3IDEA, 				0							}, */
+/*	{ENCR_DES_IV32, 			0							}, */
+	{ENCR_NULL, 				SADB_EALG_NULL				},
+	{ENCR_AES_CBC,	 			SADB_EALG_AESCBC			},
+/*	{ENCR_AES_CTR, 				0							}, */
+/*	{ENCR_AES_CCM_ICV8,			0							}, */
+/*	{ENCR_AES_CCM_ICV12,		0							}, */
+/*	{ENCR_AES_CCM_ICV16,		0							}, */
+/*	{ENCR_AES_GCM_ICV8,			0							}, */
+/*	{ENCR_AES_GCM_ICV12,		0							}, */
+/*	{ENCR_AES_GCM_ICV16,		0							}, */
+	{END_OF_LIST, 				0							},
+};
+
+/**
+ * Algorithms for integrity protection
+ */
+static kernel_algorithm_t integrity_algs[] = {
+	{AUTH_HMAC_MD5_96, 			SADB_AALG_MD5HMAC			},
+	{AUTH_HMAC_SHA1_96,			SADB_AALG_SHA1HMAC			},
+	{AUTH_HMAC_SHA2_256_128,	SADB_AALG_SHA256_HMAC		},
+	{AUTH_HMAC_SHA2_384_192,	SADB_AALG_SHA384_HMAC		},
+	{AUTH_HMAC_SHA2_512_256,	SADB_AALG_SHA512_HMAC		},
+/*	{AUTH_DES_MAC,				0,							}, */
+/*	{AUTH_KPDK_MD5,				0,							}, */
+/*	{AUTH_AES_XCBC_96,			0,							}, */
+	{END_OF_LIST, 				0,							},
+};
+
+#if 0
+/**
+ * Algorithms for IPComp, unused yet
+ */
+static kernel_algorithm_t compression_algs[] = {
+/*	{IPCOMP_OUI, 				0							}, */
+	{IPCOMP_DEFLATE,			SADB_X_CALG_DEFLATE			},
+	{IPCOMP_LZS,				SADB_X_CALG_LZS				},
+/*	{IPCOMP_LZJH,				0							}, */
+	{END_OF_LIST, 				0							},
+};
+#endif
+
+/**
+ * Look up a kernel algorithm ID and its key size
+ */
+static int lookup_algorithm(kernel_algorithm_t *list, int ikev2)
+{
+	while (list->ikev2 != END_OF_LIST)
+	{
+		if (ikev2 == list->ikev2)
+		{
+			return list->kernel;
+		}
+		list++;
+	}
+	return 0;
+}
+
+/**
+ * add a host behind a sadb_address extension
+ */
+static void host2ext(host_t *host, struct sadb_address *ext)
+{
+	sockaddr_t *host_addr = host->get_sockaddr(host);
+	socklen_t *len = host->get_sockaddr_len(host);
+ 	memcpy((char*)(ext + 1), host_addr, *len);
+ 	ext->sadb_address_len = PFKEY_LEN(sizeof(*ext) + *len);
+}
+
+/**
+ * add a host behind a sadb_address extension
+ */
+static void add_addr_ext(struct sadb_msg *msg, host_t *host, u_int16_t type)
+{
+	struct sadb_address *addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
+	addr->sadb_address_exttype = type;
+	host2ext(host, addr);
+	PFKEY_EXT_ADD(msg, addr);
+}
+
+/**
+ * adds an empty address extension to the given sadb_msg
+ */
+static void add_anyaddr_ext(struct sadb_msg *msg, int family, u_int8_t type)
+{
+	socklen_t len = (family == AF_INET) ? sizeof(struct sockaddr_in) :
+										  sizeof(struct sockaddr_in6);
+	struct sadb_address *addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
+	addr->sadb_address_exttype = type;
+	sockaddr_t *saddr = (sockaddr_t*)(addr + 1);
+	saddr->sa_family = family;
+ 	addr->sadb_address_len = PFKEY_LEN(sizeof(*addr) + len);
+	PFKEY_EXT_ADD(msg, addr);
+}
+
+/**
+ * add udp encap extensions to a sadb_msg
+ */
+static void add_encap_ext(struct sadb_msg *msg, host_t *src, host_t *dst,
+							bool ports_only)
+{
+	struct sadb_x_nat_t_type* nat_type;
+	struct sadb_x_nat_t_port* nat_port;
+	
+	if (!ports_only)
+	{
+		nat_type = (struct sadb_x_nat_t_type*)PFKEY_EXT_ADD_NEXT(msg);
+		nat_type->sadb_x_nat_t_type_exttype = SADB_X_EXT_NAT_T_TYPE;
+		nat_type->sadb_x_nat_t_type_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_type));
+		nat_type->sadb_x_nat_t_type_type = UDP_ENCAP_ESPINUDP;
+		PFKEY_EXT_ADD(msg, nat_type);
+	}
+	
+	nat_port = (struct sadb_x_nat_t_port*)PFKEY_EXT_ADD_NEXT(msg);
+	nat_port->sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_SPORT;
+	nat_port->sadb_x_nat_t_port_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_port));
+	nat_port->sadb_x_nat_t_port_port = src->get_port(src);
+	PFKEY_EXT_ADD(msg, nat_port);
+	
+	nat_port = (struct sadb_x_nat_t_port*)PFKEY_EXT_ADD_NEXT(msg);
+	nat_port->sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_DPORT;
+	nat_port->sadb_x_nat_t_port_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_port));
+	nat_port->sadb_x_nat_t_port_port = dst->get_port(dst);
+	PFKEY_EXT_ADD(msg, nat_port);
+}
+
+/**
+ * build an SADB_X_ADDFLOW msg
+ */
+static void build_addflow(struct sadb_msg *msg, u_int8_t satype, u_int32_t spi,
+		host_t *src, host_t *dst, host_t *src_net, u_int8_t src_mask,
+		host_t *dst_net, u_int8_t dst_mask, u_int8_t protocol, bool replace)
+{
+	struct sadb_sa *sa;
+	struct sadb_protocol *proto;
+	host_t *host;
+	
+	msg->sadb_msg_version = PF_KEY_V2;
+	msg->sadb_msg_type = SADB_X_ADDFLOW;
+	msg->sadb_msg_satype = satype;
+	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
+	
+	sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
+	sa->sadb_sa_exttype = SADB_EXT_SA;
+	sa->sadb_sa_spi = spi;
+	sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
+	sa->sadb_sa_flags = replace ? SADB_X_SAFLAGS_REPLACEFLOW : 0;
+	PFKEY_EXT_ADD(msg, sa);
+	
+	if (!src)
+	{
+		add_anyaddr_ext(msg, src_net->get_family(src_net), SADB_EXT_ADDRESS_SRC);
+	}
+	else
+	{
+		add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC);
+	}
+	
+	if (!dst)
+	{
+		add_anyaddr_ext(msg, dst_net->get_family(dst_net), SADB_EXT_ADDRESS_DST);
+	}
+	else
+	{
+		add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST);
+	}
+	
+	add_addr_ext(msg, src_net, SADB_X_EXT_ADDRESS_SRC_FLOW);
+	add_addr_ext(msg, dst_net, SADB_X_EXT_ADDRESS_DST_FLOW);
+	
+	host = mask2host(src_net->get_family(src_net), src_mask);
+	add_addr_ext(msg, host, SADB_X_EXT_ADDRESS_SRC_MASK);
+	host->destroy(host);
+	
+	host = mask2host(dst_net->get_family(dst_net), dst_mask);
+	add_addr_ext(msg, host, SADB_X_EXT_ADDRESS_DST_MASK);
+	host->destroy(host);
+	
+	proto = (struct sadb_protocol*)PFKEY_EXT_ADD_NEXT(msg);
+	proto->sadb_protocol_exttype = SADB_X_EXT_PROTOCOL;
+	proto->sadb_protocol_len = PFKEY_LEN(sizeof(struct sadb_protocol));
+	proto->sadb_protocol_proto = protocol;
+	PFKEY_EXT_ADD(msg, proto);
+}
+
+/**
+ * build an SADB_X_DELFLOW msg
+ */
+static void build_delflow(struct sadb_msg *msg, u_int8_t satype,
+		host_t *src_net, u_int8_t src_mask, host_t *dst_net, u_int8_t dst_mask,
+		u_int8_t protocol)
+{
+	struct sadb_protocol *proto;
+	host_t *host;
+	
+	msg->sadb_msg_version = PF_KEY_V2;
+	msg->sadb_msg_type = SADB_X_DELFLOW;
+	msg->sadb_msg_satype = satype;
+	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
+	
+	add_addr_ext(msg, src_net, SADB_X_EXT_ADDRESS_SRC_FLOW);
+	add_addr_ext(msg, dst_net, SADB_X_EXT_ADDRESS_DST_FLOW);
+	
+	host = mask2host(src_net->get_family(src_net),
+					 src_mask);
+	add_addr_ext(msg, host, SADB_X_EXT_ADDRESS_SRC_MASK);
+	host->destroy(host);
+	
+	host = mask2host(dst_net->get_family(dst_net),
+					 dst_mask);
+	add_addr_ext(msg, host, SADB_X_EXT_ADDRESS_DST_MASK);
+	host->destroy(host);
+	
+	proto = (struct sadb_protocol*)PFKEY_EXT_ADD_NEXT(msg);
+	proto->sadb_protocol_exttype = SADB_X_EXT_PROTOCOL;
+	proto->sadb_protocol_len = PFKEY_LEN(sizeof(struct sadb_protocol));
+	proto->sadb_protocol_proto = protocol;
+	PFKEY_EXT_ADD(msg, proto);
+}
+
+/**
+ * Parses a pfkey message received from the kernel
+ */
+static status_t parse_pfkey_message(struct sadb_msg *msg, pfkey_msg_t *out)
+{
+	struct sadb_ext* ext;
+	size_t len;
+	
+	memset(out, 0, sizeof(pfkey_msg_t));
+	out->msg = msg;
+	
+	len = msg->sadb_msg_len;
+	len -= PFKEY_LEN(sizeof(struct sadb_msg));
+	
+	ext = (struct sadb_ext*)(((char*)msg) + sizeof(struct sadb_msg));
+	
+	while (len >= PFKEY_LEN(sizeof(struct sadb_ext)))
+	{
+		if (ext->sadb_ext_len < PFKEY_LEN(sizeof(struct sadb_ext)) ||
+			ext->sadb_ext_len > len)
+		{
+			DBG1(DBG_KNL, "length of PF_KEY extension (%d) is invalid", ext->sadb_ext_type);
+			break;
+		}
+		
+		if ((ext->sadb_ext_type > SADB_EXT_MAX) || (!ext->sadb_ext_type))
+		{
+			DBG1(DBG_KNL, "type of PF_KEY extension (%d) is invalid", ext->sadb_ext_type);
+			break;
+		}
+		
+		if (out->ext[ext->sadb_ext_type])
+		{
+			DBG1(DBG_KNL, "duplicate PF_KEY extension of type (%d)", ext->sadb_ext_type);			
+			break;
+		}
+		
+		out->ext[ext->sadb_ext_type] = ext;
+		ext = PFKEY_EXT_NEXT_LEN(ext, len);
+	}
+
+	if (len)
+	{
+		DBG1(DBG_KNL, "PF_KEY message length is invalid");
+		return FAILED;
+	}
+	
+	return SUCCESS;
+}
+
+/**
+ * Send a message to a specific PF_KEY socket and handle the response.
+ */
+static status_t pfkey_send_socket(private_kernel_klips_ipsec_t *this, int socket,
+					struct sadb_msg *in, struct sadb_msg **out, size_t *out_len)
+{
+	unsigned char buf[PFKEY_BUFFER_SIZE];
+	struct sadb_msg *msg;
+	int in_len, len;
+	
+	this->mutex_pfkey->lock(this->mutex_pfkey);
+
+	in->sadb_msg_seq = ++this->seq;
+	in->sadb_msg_pid = getpid();
+
+	in_len = PFKEY_USER_LEN(in->sadb_msg_len);
+
+	while (TRUE)
+	{
+		len = send(socket, in, in_len, 0);
+
+		if (len != in_len)
+		{
+			switch (errno)
+			{
+				case EINTR:
+					/* interrupted, try again */
+					continue;
+				case EINVAL:
+				case EEXIST:
+				case ESRCH:
+					/* we should also get a response for these from KLIPS */
+					break;
+				default:
+					this->mutex_pfkey->unlock(this->mutex_pfkey);
+					DBG1(DBG_KNL, "error sending to PF_KEY socket: %s (%d)",
+							strerror(errno), errno);
+					return FAILED;
+			}
+		}
+		break;
+	}
+	
+	while (TRUE)
+	{	
+		msg = (struct sadb_msg*)buf;
+		
+		len = recv(socket, buf, sizeof(buf), 0);
+		
+		if (len < 0)
+		{
+			if (errno == EINTR)
+			{
+				DBG1(DBG_KNL, "got interrupted");
+				/* interrupted, try again */
+				continue;
+			}
+			this->mutex_pfkey->unlock(this->mutex_pfkey);
+			DBG1(DBG_KNL, "error reading from PF_KEY socket: %s", strerror(errno));
+			return FAILED;
+		}
+		if (len < sizeof(struct sadb_msg) ||
+			msg->sadb_msg_len < PFKEY_LEN(sizeof(struct sadb_msg)))
+		{
+			this->mutex_pfkey->unlock(this->mutex_pfkey);
+			DBG1(DBG_KNL, "received corrupted PF_KEY message");
+			return FAILED;
+		}
+		if (msg->sadb_msg_len > len / PFKEY_ALIGNMENT)
+		{
+			this->mutex_pfkey->unlock(this->mutex_pfkey);
+			DBG1(DBG_KNL, "buffer was too small to receive the complete PF_KEY message");
+			return FAILED;
+		}
+		if (msg->sadb_msg_pid != in->sadb_msg_pid)
+		{
+			DBG2(DBG_KNL, "received PF_KEY message is not intended for us");
+			continue;
+		}
+		if (msg->sadb_msg_seq != this->seq)
+		{
+			DBG1(DBG_KNL, "received PF_KEY message with invalid sequence number,"
+					" was %d expected %d", msg->sadb_msg_seq, this->seq);
+			if (msg->sadb_msg_seq < this->seq)
+			{
+				continue;
+			}
+			this->mutex_pfkey->unlock(this->mutex_pfkey);
+			return FAILED;
+		}
+		if (msg->sadb_msg_type != in->sadb_msg_type)
+		{
+			DBG2(DBG_KNL, "received PF_KEY message of wrong type,"
+					" was %d expected %d, ignoring",
+					msg->sadb_msg_type, in->sadb_msg_type);
+		}
+		break;
+	}
+	
+	*out_len = len;
+	*out = (struct sadb_msg*)malloc(len);
+	memcpy(*out, buf, len);
+		
+	this->mutex_pfkey->unlock(this->mutex_pfkey);
+	
+	return SUCCESS;
+}
+
+/**
+ * Send a message to the default PF_KEY socket.
+ */
+static status_t pfkey_send(private_kernel_klips_ipsec_t *this,
+					struct sadb_msg *in, struct sadb_msg **out, size_t *out_len)
+{
+	return pfkey_send_socket(this, this->socket, in, out, out_len);
+}
+
+/**
+ * Send a message to the default PF_KEY socket and handle the response.
+ */
+static status_t pfkey_send_ack(private_kernel_klips_ipsec_t *this, struct sadb_msg *in)
+{
+	struct sadb_msg *out;
+	size_t len;
+	
+	if (pfkey_send(this, in, &out, &len) != SUCCESS)
+	{
+		return FAILED;
+	}
+	else if (out->sadb_msg_errno)
+	{
+		DBG1(DBG_KNL, "PF_KEY error: %s (%d)",
+					   strerror(out->sadb_msg_errno), out->sadb_msg_errno);
+		free(out);
+		return FAILED;
+	}
+	free(out);
+	return SUCCESS;
+}
+
+/**
+ * Add an eroute to KLIPS
+ */
+static status_t add_eroute(private_kernel_klips_ipsec_t *this, u_int8_t satype,
+		u_int32_t spi, host_t *src, host_t *dst, host_t *src_net, u_int8_t src_mask,
+		host_t *dst_net, u_int8_t dst_mask, u_int8_t protocol, bool replace)
+{
+	unsigned char request[PFKEY_BUFFER_SIZE];
+	struct sadb_msg *msg = (struct sadb_msg*)request;
+	
+	memset(&request, 0, sizeof(request));
+	
+	build_addflow(msg, satype, spi, src, dst, src_net, src_mask,
+			dst_net, dst_mask, protocol, replace);
+	
+	return pfkey_send_ack(this, msg);
+}
+
+/**
+ * Delete an eroute fom KLIPS
+ */
+static status_t del_eroute(private_kernel_klips_ipsec_t *this, u_int8_t satype,
+		host_t *src_net, u_int8_t src_mask, host_t *dst_net, u_int8_t dst_mask,
+		u_int8_t protocol)
+{
+	unsigned char request[PFKEY_BUFFER_SIZE];
+	struct sadb_msg *msg = (struct sadb_msg*)request;
+	
+	memset(&request, 0, sizeof(request));
+	
+	build_delflow(msg, satype, src_net, src_mask, dst_net, dst_mask, protocol);
+	
+	return pfkey_send_ack(this, msg);
+}
+
+/**
+ * Process a SADB_ACQUIRE message from the kernel
+ */
+static void process_acquire(private_kernel_klips_ipsec_t *this, struct sadb_msg* msg)
+{
+	pfkey_msg_t response;
+	host_t *src, *dst;
+	u_int32_t reqid;
+	u_int8_t proto;
+	policy_entry_t *policy;
+	job_t *job;
+	
+	switch (msg->sadb_msg_satype)
+	{
+		case SADB_SATYPE_UNSPEC:
+		case SADB_SATYPE_ESP:
+		case SADB_SATYPE_AH:
+			break;
+		default:
+			/* acquire for AH/ESP only */
+			return;
+	}
+	
+	if (parse_pfkey_message(msg, &response) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "parsing SADB_ACQUIRE from kernel failed");
+		return;
+	}
+	
+	/* KLIPS provides us only with the source and destination address,
+	 * and the transport protocol of the packet that triggered the policy.
+	 * we use this information to find a matching policy in our cache.
+	 * because KLIPS installs a narrow %hold eroute covering only this information,
+	 * we replace both the %trap and this %hold eroutes with a broader %hold
+	 * eroute covering the whole policy */
+	src = host_create_from_sockaddr((sockaddr_t*)(response.src + 1));
+	dst = host_create_from_sockaddr((sockaddr_t*)(response.dst + 1));
+	proto = response.src->sadb_address_proto;
+	if (!src || !dst || src->get_family(src) != dst->get_family(dst))
+	{
+		DBG1(DBG_KNL, "received an SADB_ACQUIRE with invalid hosts");
+		return;
+	}
+	
+	DBG2(DBG_KNL, "received an SADB_ACQUIRE for %H == %H : %d", src, dst, proto);
+	this->mutex->lock(this->mutex);
+	if (this->policies->find_first(this->policies,
+			(linked_list_match_t)policy_entry_match_byaddrs,
+				(void**)&policy, src, dst) != SUCCESS)
+	{
+		this->mutex->unlock(this->mutex);
+		DBG1(DBG_KNL, "received an SADB_ACQUIRE, but found no matching policy");
+		return;
+	}
+	if ((reqid = policy->reqid) == 0)
+	{
+		this->mutex->unlock(this->mutex);
+		DBG1(DBG_KNL, "received an SADB_ACQUIRE, but policy is not routed anymore");
+		return;
+	}
+	
+	/* add a broad %hold eroute that replaces the %trap eroute */
+	add_eroute(this, SADB_X_SATYPE_INT, htonl(SPI_HOLD), NULL, NULL,
+			policy->src.net, policy->src.mask, policy->dst.net, policy->dst.mask,
+			policy->src.proto, TRUE);
+	
+	/* remove the narrow %hold eroute installed by KLIPS */
+	del_eroute(this, SADB_X_SATYPE_INT, src, 32, dst, 32, proto);
+	
+	this->mutex->unlock(this->mutex);
+	
+	DBG2(DBG_KNL, "received an SADB_ACQUIRE");
+	DBG1(DBG_KNL, "creating acquire job for CHILD_SA with reqid {%d}", reqid);
+	job = (job_t*)acquire_job_create(reqid, NULL, NULL);
+	charon->processor->queue_job(charon->processor, job);
+}
+
+/**
+ * Process a SADB_X_NAT_T_NEW_MAPPING message from the kernel
+ */
+static void process_mapping(private_kernel_klips_ipsec_t *this, struct sadb_msg* msg)
+{
+	pfkey_msg_t response;
+	u_int32_t spi, reqid;
+	host_t *old_src, *new_src;
+	job_t *job;
+	
+	DBG2(DBG_KNL, "received an SADB_X_NAT_T_NEW_MAPPING");
+	
+	if (parse_pfkey_message(msg, &response) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "parsing SADB_X_NAT_T_NEW_MAPPING from kernel failed");
+		return;
+	}
+	
+	spi = response.sa->sadb_sa_spi;
+	
+	if (proto_satype2ike(msg->sadb_msg_satype) == PROTO_ESP)
+	{
+		sa_entry_t *sa;
+		sockaddr_t *addr = (sockaddr_t*)(response.src + 1);
+		old_src = host_create_from_sockaddr(addr);
+		
+		this->mutex->lock(this->mutex);
+		if (!old_src || this->installed_sas->find_first(this->installed_sas,
+				(linked_list_match_t)sa_entry_match_encapbysrc,
+					(void**)&sa, &spi, old_src) != SUCCESS)
+		{
+			this->mutex->unlock(this->mutex);
+			DBG1(DBG_KNL, "received an SADB_X_NAT_T_NEW_MAPPING, but found no matching SA");
+			return;
+		}
+		reqid = sa->reqid;
+		this->mutex->unlock(this->mutex);
+		
+		addr = (sockaddr_t*)(response.dst + 1);
+		switch (addr->sa_family)
+		{
+			case AF_INET:
+			{
+				struct sockaddr_in *sin = (struct sockaddr_in*)addr;
+				sin->sin_port = htons(response.x_natt_dport->sadb_x_nat_t_port_port);
+			}
+			case AF_INET6:
+			{
+				struct sockaddr_in6 *sin6 = (struct sockaddr_in6*)addr;
+				sin6->sin6_port = htons(response.x_natt_dport->sadb_x_nat_t_port_port);				
+			}
+			default:
+				break;
+		}
+		new_src = host_create_from_sockaddr(addr);
+		if (new_src)
+		{
+			DBG1(DBG_KNL, "NAT mappings of ESP CHILD_SA with SPI %.8x and"
+				" reqid {%d} changed, queuing update job", ntohl(spi), reqid);
+			job = (job_t*)update_sa_job_create(reqid, new_src);
+			charon->processor->queue_job(charon->processor, job);
+		}
+	}
+}
+
+/**
+ * Receives events from kernel
+ */
+static job_requeue_t receive_events(private_kernel_klips_ipsec_t *this)
+{
+	unsigned char buf[PFKEY_BUFFER_SIZE];
+	struct sadb_msg *msg = (struct sadb_msg*)buf;
+	int len, oldstate;
+	
+	pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
+	len = recv(this->socket_events, buf, sizeof(buf), 0);
+	pthread_setcancelstate(oldstate, NULL);
+	
+	if (len < 0)
+	{
+		switch (errno)
+		{
+			case EINTR:
+				/* interrupted, try again */
+				return JOB_REQUEUE_DIRECT;
+			case EAGAIN:
+				/* no data ready, select again */
+				return JOB_REQUEUE_DIRECT;
+			default:
+				DBG1(DBG_KNL, "unable to receive from PF_KEY event socket");
+				sleep(1);
+				return JOB_REQUEUE_FAIR;
+		}
+	}
+	
+	if (len < sizeof(struct sadb_msg) ||
+		msg->sadb_msg_len < PFKEY_LEN(sizeof(struct sadb_msg)))
+	{
+		DBG2(DBG_KNL, "received corrupted PF_KEY message");
+		return JOB_REQUEUE_DIRECT;
+	}
+	if (msg->sadb_msg_pid != 0)
+	{	/* not from kernel. not interested, try another one */
+		return JOB_REQUEUE_DIRECT;
+	}
+	if (msg->sadb_msg_len > len / PFKEY_ALIGNMENT)
+	{
+		DBG1(DBG_KNL, "buffer was too small to receive the complete PF_KEY message");
+		return JOB_REQUEUE_DIRECT;
+	}
+	
+	switch (msg->sadb_msg_type)
+	{
+		case SADB_ACQUIRE:
+			process_acquire(this, msg);
+			break;
+		case SADB_EXPIRE:
+			/* SADB_EXPIRE events in KLIPS are only triggered by traffic (even for
+			 * the time based limits). So if there is no traffic for a longer
+			 * period than configured as hard limit, we wouldn't be able to rekey
+			 * the SA and just receive the hard expire and thus delete the SA.
+			 * To avoid this behavior and to make charon behave as with the other
+			 * kernel plugins, we implement the expiration of SAs ourselves. */
+			break;
+		case SADB_X_NAT_T_NEW_MAPPING:
+			process_mapping(this, msg);
+			break;
+		default:
+			break;
+	}
+	
+	return JOB_REQUEUE_DIRECT;
+}
+
+typedef enum {
+	/** an SPI has expired */
+	EXPIRE_TYPE_SPI,
+	/** a CHILD_SA has to be rekeyed */
+	EXPIRE_TYPE_SOFT,
+	/** a CHILD_SA has to be deleted */
+	EXPIRE_TYPE_HARD
+} expire_type_t;
+
+typedef struct sa_expire_t sa_expire_t;
+
+struct sa_expire_t {
+	/** kernel interface */
+	private_kernel_klips_ipsec_t *this;
+	/** the SPI of the expiring SA */
+	u_int32_t spi;
+	/** the protocol of the expiring SA */
+	protocol_id_t protocol;
+	/** the reqid of the expiring SA*/
+	u_int32_t reqid;
+	/** what type of expire this is */
+	expire_type_t type;
+};
+
+/**
+ * Called when an SA expires
+ */
+static job_requeue_t sa_expires(sa_expire_t *expire)
+{
+	private_kernel_klips_ipsec_t *this = expire->this;
+	protocol_id_t protocol = expire->protocol;
+	u_int32_t spi = expire->spi, reqid = expire->reqid;
+	bool hard = expire->type != EXPIRE_TYPE_SOFT;
+	sa_entry_t *cached_sa;
+	linked_list_t *list;
+	job_t *job;
+	
+	/* for an expired SPI we first check whether the CHILD_SA got installed
+	 * in the meantime, for expired SAs we check whether they are still installed */
+	list = expire->type == EXPIRE_TYPE_SPI ? this->allocated_spis : this->installed_sas;
+	
+	this->mutex->lock(this->mutex);
+	if (list->find_first(list, (linked_list_match_t)sa_entry_match_byid,
+			(void**)&cached_sa, &protocol, &spi, &reqid) != SUCCESS)
+	{
+		/* we found no entry:
+		 * - for SPIs, a CHILD_SA has been installed
+		 * - for SAs, the CHILD_SA has already been deleted */
+		this->mutex->unlock(this->mutex);
+		return JOB_REQUEUE_NONE;
+	}
+	else
+	{
+		list->remove(list, cached_sa, NULL);
+		sa_entry_destroy(cached_sa);
+	}
+	this->mutex->unlock(this->mutex);
+	
+	DBG2(DBG_KNL, "%N CHILD_SA with SPI %.8x and reqid {%d} expired",
+			protocol_id_names, protocol, ntohl(spi), reqid);
+	
+	DBG1(DBG_KNL, "creating %s job for %N CHILD_SA with SPI %.8x and reqid {%d}",
+		 hard ? "delete" : "rekey",  protocol_id_names,
+		 protocol, ntohl(spi), reqid);
+	if (hard)
+	{
+		job = (job_t*)delete_child_sa_job_create(reqid, protocol, spi);
+	}
+	else
+	{
+		job = (job_t*)rekey_child_sa_job_create(reqid, protocol, spi);
+	}
+	charon->processor->queue_job(charon->processor, job);
+	return JOB_REQUEUE_NONE;
+}
+
+/**
+ * Schedule an expire job for an SA. Time is in seconds. 
+ */
+static void schedule_expire(private_kernel_klips_ipsec_t *this,
+							protocol_id_t protocol, u_int32_t spi,
+							u_int32_t reqid, expire_type_t type, u_int32_t time)
+{
+	callback_job_t *job;
+	sa_expire_t *expire = malloc_thing(sa_expire_t);
+	expire->this = this;
+	expire->protocol = protocol;
+	expire->spi = spi;
+	expire->reqid = reqid;
+	expire->type = type;
+	job = callback_job_create((callback_job_cb_t)sa_expires, expire, free, NULL);
+	charon->scheduler->schedule_job(charon->scheduler, (job_t*)job, time * 1000);
+}
+
+/**
+ * Implementation of kernel_interface_t.get_spi.
+ */
+static status_t get_spi(private_kernel_klips_ipsec_t *this, 
+						host_t *src, host_t *dst, 
+						protocol_id_t protocol, u_int32_t reqid,
+						u_int32_t *spi)
+{
+	/* we cannot use SADB_GETSPI because KLIPS does not allow us to set the
+	 * NAT-T type in an SADB_UPDATE which we would have to use to update the
+	 * implicitly created SA.
+	 */
+	rng_t *rng;
+	u_int32_t spi_gen;
+	
+	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
+	if (!rng)
+	{
+		DBG1(DBG_KNL, "allocating SPI failed: no RNG");
+		return FAILED;
+	}
+	rng->get_bytes(rng, sizeof(spi_gen), (void*)&spi_gen);
+	rng->destroy(rng);
+	
+	/* charon's SPIs lie within the range from 0xc0000000 to 0xcFFFFFFF */
+	spi_gen = 0xc0000000 | (spi_gen & 0x0FFFFFFF);
+	
+	DBG2(DBG_KNL, "allocated SPI %.8x for %N SA between %#H..%#H",
+			spi_gen, protocol_id_names, protocol, src, dst);
+	
+	*spi = htonl(spi_gen);
+	
+	this->mutex->lock(this->mutex);
+	this->allocated_spis->insert_last(this->allocated_spis,
+			create_sa_entry(protocol, *spi, reqid, NULL, NULL, FALSE, TRUE));
+	this->mutex->unlock(this->mutex);
+	schedule_expire(this, protocol, *spi, reqid, EXPIRE_TYPE_SPI, SPI_TIMEOUT);
+	
+	return SUCCESS;
+}
+
+/**
+ * Implementation of kernel_interface_t.get_cpi.
+ */
+static status_t get_cpi(private_kernel_klips_ipsec_t *this, 
+						host_t *src, host_t *dst, 
+						u_int32_t reqid, u_int16_t *cpi)
+{
+	return FAILED;
+}
+
+/**
+ * Add a pseudo IPIP SA for tunnel mode with KLIPS.
+ */
+static status_t add_ipip_sa(private_kernel_klips_ipsec_t *this,
+					   host_t *src, host_t *dst, u_int32_t spi, u_int32_t reqid)
+{
+	unsigned char request[PFKEY_BUFFER_SIZE];
+	struct sadb_msg *msg, *out;
+	struct sadb_sa *sa;
+	size_t len;
+	
+	memset(&request, 0, sizeof(request));
+	
+	DBG2(DBG_KNL, "adding pseudo IPIP SA with SPI %.8x and reqid {%d}", ntohl(spi), reqid);
+	
+	msg = (struct sadb_msg*)request;
+	msg->sadb_msg_version = PF_KEY_V2;
+	msg->sadb_msg_type = SADB_ADD;
+	msg->sadb_msg_satype = SADB_X_SATYPE_IPIP;
+	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
+	
+	sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
+	sa->sadb_sa_exttype = SADB_EXT_SA;
+	sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
+	sa->sadb_sa_spi = spi;
+	sa->sadb_sa_state = SADB_SASTATE_MATURE;
+	PFKEY_EXT_ADD(msg, sa);
+	
+	add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC);
+	add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST);
+	
+	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "unable to add pseudo IPIP SA with SPI %.8x", ntohl(spi));
+		return FAILED;
+	}
+	else if (out->sadb_msg_errno)
+	{
+		DBG1(DBG_KNL, "unable to add pseudo IPIP SA with SPI %.8x: %s (%d)",
+				ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
+		free(out);
+		return FAILED;
+	}
+	
+	free(out);
+	return SUCCESS;
+}
+
+/**
+ * group the IPIP SA required for tunnel mode with the outer SA
+ */
+static status_t group_ipip_sa(private_kernel_klips_ipsec_t *this,
+					   host_t *src, host_t *dst, u_int32_t spi,
+					   protocol_id_t protocol, u_int32_t reqid)
+{
+	unsigned char request[PFKEY_BUFFER_SIZE];
+	struct sadb_msg *msg, *out;
+	struct sadb_sa *sa;
+	struct sadb_x_satype *satype;
+	size_t len;
+	
+	memset(&request, 0, sizeof(request));
+	
+	DBG2(DBG_KNL, "grouping SAs with SPI %.8x and reqid {%d}", ntohl(spi), reqid);
+	
+	msg = (struct sadb_msg*)request;
+	msg->sadb_msg_version = PF_KEY_V2;
+	msg->sadb_msg_type = SADB_X_GRPSA;
+	msg->sadb_msg_satype = SADB_X_SATYPE_IPIP;
+	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
+	
+	sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
+	sa->sadb_sa_exttype = SADB_EXT_SA;
+	sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
+	sa->sadb_sa_spi = spi;
+	sa->sadb_sa_state = SADB_SASTATE_MATURE;
+	PFKEY_EXT_ADD(msg, sa);
+	
+	add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST);
+	
+	satype = (struct sadb_x_satype*)PFKEY_EXT_ADD_NEXT(msg);
+	satype->sadb_x_satype_exttype = SADB_X_EXT_SATYPE2;
+	satype->sadb_x_satype_len = PFKEY_LEN(sizeof(struct sadb_x_satype));
+	satype->sadb_x_satype_satype = proto_ike2satype(protocol);
+	PFKEY_EXT_ADD(msg, satype);
+	
+	sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
+	sa->sadb_sa_exttype = SADB_X_EXT_SA2;
+	sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
+	sa->sadb_sa_spi = spi;
+	sa->sadb_sa_state = SADB_SASTATE_MATURE;
+	PFKEY_EXT_ADD(msg, sa);
+	
+	add_addr_ext(msg, dst, SADB_X_EXT_ADDRESS_DST2);
+	
+	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "unable to group SAs with SPI %.8x", ntohl(spi));
+		return FAILED;
+	}
+	else if (out->sadb_msg_errno)
+	{
+		DBG1(DBG_KNL, "unable to group SAs with SPI %.8x: %s (%d)",
+				ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
+		free(out);
+		return FAILED;
+	}
+	
+	free(out);
+	return SUCCESS;
+}
+
+/**
+ * Implementation of kernel_interface_t.add_sa.
+ */
+static status_t add_sa(private_kernel_klips_ipsec_t *this,
+					   host_t *src, host_t *dst, u_int32_t spi,
+					   protocol_id_t protocol, u_int32_t reqid,
+					   u_int64_t expire_soft, u_int64_t expire_hard,
+					   u_int16_t enc_alg, chunk_t enc_key,
+					   u_int16_t int_alg, chunk_t int_key,
+					   ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
+					   bool encap, bool inbound)
+{
+	unsigned char request[PFKEY_BUFFER_SIZE];
+	struct sadb_msg *msg, *out;
+	struct sadb_sa *sa;
+	struct sadb_key *key;
+	size_t len;
+	
+	if (inbound)
+	{
+		/* for inbound SAs we allocated an SPI via get_spi, so we first check
+		 * whether that SPI has already expired (race condition) */
+		sa_entry_t *alloc_spi;
+		this->mutex->lock(this->mutex);
+		if (this->allocated_spis->find_first(this->allocated_spis,
+				(linked_list_match_t)sa_entry_match_byid, (void**)&alloc_spi,
+					&protocol, &spi, &reqid) != SUCCESS)
+		{
+			this->mutex->unlock(this->mutex);
+			DBG1(DBG_KNL, "allocated SPI %.8x has already expired", ntohl(spi));
+			return FAILED;
+		}
+		else
+		{
+			this->allocated_spis->remove(this->allocated_spis, alloc_spi, NULL);
+			sa_entry_destroy(alloc_spi);
+		}
+		this->mutex->unlock(this->mutex);
+	}
+	
+	memset(&request, 0, sizeof(request));
+	
+	DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%d}", ntohl(spi), reqid);
+	
+	msg = (struct sadb_msg*)request;
+	msg->sadb_msg_version = PF_KEY_V2;
+	msg->sadb_msg_type = SADB_ADD;
+	msg->sadb_msg_satype = proto_ike2satype(protocol);
+	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
+	
+	sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
+	sa->sadb_sa_exttype = SADB_EXT_SA;
+	sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
+	sa->sadb_sa_spi = spi;
+	sa->sadb_sa_state = SADB_SASTATE_MATURE;
+	sa->sadb_sa_replay = (protocol == IPPROTO_COMP) ? 0 : 32;
+	sa->sadb_sa_auth = lookup_algorithm(integrity_algs, int_alg);
+	sa->sadb_sa_encrypt = lookup_algorithm(encryption_algs, enc_alg);
+	PFKEY_EXT_ADD(msg, sa);
+	
+	add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC);
+	add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST);
+	
+	if (enc_alg != ENCR_UNDEFINED)
+	{
+		if (!sa->sadb_sa_encrypt)
+		{
+			DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
+				 encryption_algorithm_names, enc_alg);
+			return FAILED;
+		}
+		DBG2(DBG_KNL, "  using encryption algorithm %N with key size %d",
+			 encryption_algorithm_names, enc_alg, enc_key.len * 8);
+		
+		key = (struct sadb_key*)PFKEY_EXT_ADD_NEXT(msg);
+		key->sadb_key_exttype = SADB_EXT_KEY_ENCRYPT;
+		key->sadb_key_bits = enc_key.len * 8;
+		key->sadb_key_len = PFKEY_LEN(sizeof(struct sadb_key) + enc_key.len);
+		memcpy(key + 1, enc_key.ptr, enc_key.len);
+		
+		PFKEY_EXT_ADD(msg, key);
+	}
+	
+	if (int_alg != AUTH_UNDEFINED)
+	{
+		if (!sa->sadb_sa_auth)
+		{
+			DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
+					 integrity_algorithm_names, int_alg);
+			return FAILED;
+		}
+		DBG2(DBG_KNL, "  using integrity algorithm %N with key size %d",
+			 integrity_algorithm_names, int_alg, int_key.len * 8);
+		
+		key = (struct sadb_key*)PFKEY_EXT_ADD_NEXT(msg);
+		key->sadb_key_exttype = SADB_EXT_KEY_AUTH;
+		key->sadb_key_bits = int_key.len * 8;
+		key->sadb_key_len = PFKEY_LEN(sizeof(struct sadb_key) + int_key.len);
+		memcpy(key + 1, int_key.ptr, int_key.len);
+		
+		PFKEY_EXT_ADD(msg, key);
+	}
+	
+	if (ipcomp != IPCOMP_NONE)
+	{
+		/*TODO*/
+	}
+	
+	if (encap)
+	{
+		add_encap_ext(msg, src, dst, FALSE);
+	}
+	
+	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x", ntohl(spi));
+		return FAILED;
+	}
+	else if (out->sadb_msg_errno)
+	{
+		DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x: %s (%d)",
+				ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
+		free(out);
+		return FAILED;
+	}
+	free(out);
+	
+	/* for tunnel mode SAs we have to install an additional IPIP SA and
+	 * group the two SAs together */
+	if (mode == MODE_TUNNEL)
+	{
+		if (add_ipip_sa(this, src, dst, spi, reqid) != SUCCESS ||
+			group_ipip_sa(this, src, dst, spi, protocol, reqid) != SUCCESS)
+		{
+			DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x", ntohl(spi));
+			return FAILED;
+		}
+	}
+	
+	this->mutex->lock(this->mutex);
+	/* we cache this SA for two reasons:
+	 * - in case an SADB_X_NAT_T_MAPPING_NEW event occurs (we need to find the reqid then)
+	 * - to decide if an expired SA is still installed */
+	this->installed_sas->insert_last(this->installed_sas,
+				create_sa_entry(protocol, spi, reqid, src, dst, encap, inbound));
+	this->mutex->unlock(this->mutex);
+	
+	/* Although KLIPS supports SADB_EXT_LIFETIME_SOFT/HARD, we handle the lifetime
+	 * of SAs manually in the plugin. Refer to the comments in receive_events()
+	 * for details. */
+	if (expire_soft)
+	{
+		schedule_expire(this, protocol, spi, reqid, EXPIRE_TYPE_SOFT, expire_soft);
+	}
+	
+	if (expire_hard)
+	{
+		schedule_expire(this, protocol, spi, reqid, EXPIRE_TYPE_HARD, expire_hard);
+	}
+		
+	return SUCCESS;
+}
+
+/**
+ * Implementation of kernel_interface_t.update_sa.
+ */
+static status_t update_sa(private_kernel_klips_ipsec_t *this,
+						  u_int32_t spi, protocol_id_t protocol, u_int16_t cpi,
+						  host_t *src, host_t *dst,
+						  host_t *new_src, host_t *new_dst,
+						  bool encap, bool new_encap)
+{
+	unsigned char request[PFKEY_BUFFER_SIZE];
+	struct sadb_msg *msg, *out;
+	struct sadb_sa *sa;
+	size_t len;
+	
+	/* we can't update the SA if any of the ip addresses have changed.
+	 * that's because we can't use SADB_UPDATE and by deleting and readding the
+	 * SA the sequence numbers would get lost */
+	if (!src->ip_equals(src, new_src) ||
+		!dst->ip_equals(dst, new_dst))
+	{
+		DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x: address changes"
+				" are not supported", ntohl(spi));
+		return NOT_SUPPORTED;
+	}
+	
+	/* because KLIPS does not allow us to change the NAT-T type in an SADB_UPDATE,
+	 * we can't update the SA if the encap flag has changed since installing it */
+	if (encap != new_encap)
+	{
+		DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x: change of UDP"
+				" encapsulation is not supported", ntohl(spi));
+		return NOT_SUPPORTED;
+	}
+	
+	DBG2(DBG_KNL, "updating SAD entry with SPI %.8x from %#H..%#H to %#H..%#H",
+		 ntohl(spi), src, dst, new_src, new_dst);
+	
+	memset(&request, 0, sizeof(request));
+	
+	msg = (struct sadb_msg*)request;
+	msg->sadb_msg_version = PF_KEY_V2;
+	msg->sadb_msg_type = SADB_UPDATE;
+	msg->sadb_msg_satype = proto_ike2satype(protocol);
+	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
+	
+	sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
+	sa->sadb_sa_exttype = SADB_EXT_SA;
+	sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
+	sa->sadb_sa_spi = spi;
+	sa->sadb_sa_encrypt = SADB_EALG_AESCBC; /* ignored */
+	sa->sadb_sa_auth = SADB_AALG_SHA1HMAC; /* ignored */
+	sa->sadb_sa_state = SADB_SASTATE_MATURE;
+	PFKEY_EXT_ADD(msg, sa);
+	
+	add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC);
+	add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST);
+			
+	add_encap_ext(msg, new_src, new_dst, TRUE);
+	
+	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi));
+		return FAILED;
+	}
+	else if (out->sadb_msg_errno)
+	{
+		DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x: %s (%d)",
+				ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
+		free(out);
+		return FAILED;
+	}
+	free(out);
+	
+	return SUCCESS;
+}
+
+/**
+ * Implementation of kernel_interface_t.del_sa.
+ */
+static status_t del_sa(private_kernel_klips_ipsec_t *this, host_t *dst,
+					   u_int32_t spi, protocol_id_t protocol, u_int16_t cpi)
+{
+	unsigned char request[PFKEY_BUFFER_SIZE];
+	struct sadb_msg *msg, *out;
+	struct sadb_sa *sa;
+	sa_entry_t *cached_sa;
+	size_t len;
+	
+	memset(&request, 0, sizeof(request));
+	
+	/* all grouped SAs are automatically deleted by KLIPS as soon as
+	 * one of them is deleted, therefore we delete only the main one */
+	DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x", ntohl(spi));
+	
+	this->mutex->lock(this->mutex);
+	/* this should not fail, but we don't care if it does, let the kernel decide
+	 * whether this SA exists or not */
+	if (this->installed_sas->find_first(this->installed_sas,
+			(linked_list_match_t)sa_entry_match_bydst, (void**)&cached_sa,
+			&protocol, &spi, dst) == SUCCESS)
+	{
+		this->installed_sas->remove(this->installed_sas, cached_sa, NULL);
+		sa_entry_destroy(cached_sa);
+	}
+	this->mutex->unlock(this->mutex);
+	
+	msg = (struct sadb_msg*)request;
+	msg->sadb_msg_version = PF_KEY_V2;
+	msg->sadb_msg_type = SADB_DELETE;
+	msg->sadb_msg_satype = proto_ike2satype(protocol);
+	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
+	
+	sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
+	sa->sadb_sa_exttype = SADB_EXT_SA;
+	sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
+	sa->sadb_sa_spi = spi;
+	PFKEY_EXT_ADD(msg, sa);
+	
+	/* the kernel wants an SADB_EXT_ADDRESS_SRC to be present even though
+	 * it is not used for anything. */
+	add_anyaddr_ext(msg, dst->get_family(dst), SADB_EXT_ADDRESS_SRC);
+	add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST);
+	
+	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x", ntohl(spi));
+		return FAILED;
+	}
+	else if (out->sadb_msg_errno)
+	{
+		DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x: %s (%d)",
+				ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
+		free(out);
+		return FAILED;
+	}
+	
+	DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x", ntohl(spi));
+	free(out);
+	return SUCCESS;
+}
+
+/**
+ * Implementation of kernel_interface_t.add_policy.
+ */
+static status_t add_policy(private_kernel_klips_ipsec_t *this, 
+						   host_t *src, host_t *dst,
+						   traffic_selector_t *src_ts,
+						   traffic_selector_t *dst_ts,
+						   policy_dir_t direction, u_int32_t spi,
+						   protocol_id_t protocol, u_int32_t reqid,
+						   ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
+						   bool routed)
+{
+	unsigned char request[PFKEY_BUFFER_SIZE];
+	struct sadb_msg *msg, *out;
+	policy_entry_t *policy, *found = NULL;
+	u_int8_t satype;
+	size_t len;	
+	
+	if (direction == POLICY_FWD)
+	{
+		/* no forward policies for KLIPS */
+		return SUCCESS;
+	}
+	
+	/* tunnel mode policies direct the packets into the pseudo IPIP SA */
+	satype = (mode == MODE_TUNNEL) ? SADB_X_SATYPE_IPIP :
+									 proto_ike2satype(protocol);
+	
+	/* create a policy */
+	policy = create_policy_entry(src_ts, dst_ts, direction);
+	
+	/* find a matching policy */
+	this->mutex->lock(this->mutex);
+	if (this->policies->find_first(this->policies,
+			(linked_list_match_t)policy_entry_equals, (void**)&found, policy) == SUCCESS)
+	{
+		/* use existing policy */
+		DBG2(DBG_KNL, "policy %R === %R %N already exists, increasing"
+					  " refcount", src_ts, dst_ts,
+					   policy_dir_names, direction);
+		policy_entry_destroy(policy);
+		policy = found;
+	}
+	else
+	{
+		/* apply the new one, if we have no such policy */
+		this->policies->insert_last(this->policies, policy);
+	}
+		
+	if (routed)
+	{
+		/* we install this as a %trap eroute in the kernel, later to be
+		 * triggered by packets matching the policy (-> ACQUIRE). */
+		spi = htonl(SPI_TRAP);
+		satype = SADB_X_SATYPE_INT;
+		
+		/* the reqid is always set to the latest child SA that trapped this
+		 * policy. we will need this reqid upon receiving an acquire. */
+		policy->reqid = reqid;
+		
+		/* increase the trap counter */
+		policy->trapcount++;
+		
+		if (policy->activecount)
+		{
+			/* we do not replace the current policy in the kernel while a
+			 * policy is actively used */
+			this->mutex->unlock(this->mutex);
+			return SUCCESS;
+		}
+	}
+	else
+	{
+		/* increase the reference counter */
+		policy->activecount++;
+	}
+	
+	DBG2(DBG_KNL, "adding policy %R === %R %N", src_ts, dst_ts,
+				   policy_dir_names, direction);
+	
+	memset(&request, 0, sizeof(request));
+	
+	msg = (struct sadb_msg*)request;
+	
+	/* FIXME: SADB_X_SAFLAGS_INFLOW may be required, if we add an inbound policy for an IPIP SA */
+	build_addflow(msg, satype, spi, routed ? NULL : src, routed ? NULL : dst,
+			policy->src.net, policy->src.mask, policy->dst.net, policy->dst.mask,
+			policy->src.proto, found != NULL);
+	
+	this->mutex->unlock(this->mutex);
+	
+	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "unable to add policy %R === %R %N", src_ts, dst_ts,
+					   policy_dir_names, direction);
+		return FAILED;
+	}
+	else if (out->sadb_msg_errno)
+	{
+		DBG1(DBG_KNL, "unable to add policy %R === %R %N: %s (%d)", src_ts, dst_ts,
+					   policy_dir_names, direction,
+					   strerror(out->sadb_msg_errno), out->sadb_msg_errno);
+		free(out);
+		return FAILED;
+	}
+	free(out);
+	
+	this->mutex->lock(this->mutex);
+	
+	/* we try to find the policy again and install the route if needed */
+	if (this->policies->find_last(this->policies, NULL, (void**)&policy) != SUCCESS)
+	{
+		this->mutex->unlock(this->mutex);
+		DBG2(DBG_KNL, "the policy %R === %R %N is already gone, ignoring",
+				src_ts, dst_ts, policy_dir_names, direction);
+		return SUCCESS;
+	}
+	
+	/* KLIPS requires a special route that directs traffic that matches this
+	 * policy to one of the virtual ipsec interfaces. The virtual interface
+	 * has to be attached to the physical one the traffic runs over.
+	 * This is a special case of the source route we install in other kernel
+	 * interfaces.
+	 * In the following cases we do NOT install a source route (but just a
+	 * regular route):
+	 * - we are not in tunnel mode
+	 * - we are using IPv6 (does not work correctly yet!)
+	 * - routing is disabled via strongswan.conf
+	 */
+	if (policy->route == NULL && direction == POLICY_OUT)
+	{
+		char *iface;
+		ipsec_dev_t *dev;
+		route_entry_t *route = malloc_thing(route_entry_t);
+		route->src_ip = NULL;
+		
+		if (mode != MODE_TRANSPORT && src->get_family(src) != AF_INET6 &&
+			this->install_routes)
+		{
+			charon->kernel_interface->get_address_by_ts(charon->kernel_interface,
+						src_ts, &route->src_ip);
+		}
+		
+		if (!route->src_ip)
+		{
+			route->src_ip = host_create_any(src->get_family(src));
+		}
+		
+		/* find the virtual interface */
+		iface = charon->kernel_interface->get_interface(charon->kernel_interface,
+														src);
+		if (find_ipsec_dev(this, iface, &dev) == SUCCESS)
+		{
+			/* above, we got either the name of a virtual or a physical
+			 * interface. for both cases it means we already have the devices
+			 * properly attached (assuming that we are exclusively attaching
+			 * ipsec devices). */
+			dev->refcount++;
+		}
+		else
+		{
+			/* there is no record of a mapping with the returned interface.
+			 * thus, we attach the first free virtual interface we find to
+			 * it. As above we assume we are the only client fiddling with
+			 * ipsec devices. */
+			if (this->ipsec_devices->find_first(this->ipsec_devices,
+					(linked_list_match_t)ipsec_dev_match_free,
+						(void**)&dev) == SUCCESS)
+			{
+				if (attach_ipsec_dev(dev->name, iface) == SUCCESS)
+				{
+					strncpy(dev->phys_name, iface, IFNAMSIZ);
+					dev->refcount = 1;
+				}
+				else
+				{
+					DBG1(DBG_KNL, "failed to attach virtual interface %s"
+							" to %s", dev->name, iface);
+					this->mutex->unlock(this->mutex);
+					free(iface);
+					return FAILED;
+				}
+			}
+			else
+			{
+				this->mutex->unlock(this->mutex);
+				DBG1(DBG_KNL, "failed to attach a virtual interface to %s: no"
+						" virtual interfaces left", iface);
+				free(iface);
+				return FAILED;
+			}
+		}
+		free(iface);
+		route->if_name = strdup(dev->name);
+		
+		/* get the nexthop to dst */
+		route->gateway = charon->kernel_interface->get_nexthop(
+										charon->kernel_interface, dst);
+		route->dst_net = chunk_clone(policy->dst.net->get_address(policy->dst.net));
+		route->prefixlen = policy->dst.mask;
+		
+		switch (charon->kernel_interface->add_route(charon->kernel_interface,
+				route->dst_net, route->prefixlen, route->gateway,
+				route->src_ip, route->if_name))
+		{
+			default:
+				DBG1(DBG_KNL, "unable to install route for policy %R === %R",
+					 src_ts, dst_ts);
+				/* FALL */
+			case ALREADY_DONE:
+				/* route exists, do not uninstall */
+				route_entry_destroy(route);
+				break;
+			case SUCCESS:
+				/* cache the installed route */
+				policy->route = route;
+				break;
+		}
+	}	
+	
+	this->mutex->unlock(this->mutex);	
+	
+	return SUCCESS;
+}
+
+/**
+ * Implementation of kernel_interface_t.query_policy.
+ */
+static status_t query_policy(private_kernel_klips_ipsec_t *this,
+							 traffic_selector_t *src_ts, 
+							 traffic_selector_t *dst_ts,
+							 policy_dir_t direction, u_int32_t *use_time)
+{
+	#define IDLE_PREFIX "idle="
+	static const char *path_eroute = "/proc/net/ipsec_eroute";
+	static const char *path_spi = "/proc/net/ipsec_spi";
+	FILE *file;
+	char line[1024], src[INET6_ADDRSTRLEN + 9], dst[INET6_ADDRSTRLEN + 9];
+	char *said = NULL, *pos;
+	policy_entry_t *policy, *found = NULL;
+	status_t status = FAILED;
+	
+	if (direction == POLICY_FWD)
+	{
+		/* we do not install forward policies */
+		return FAILED;
+	}
+	
+	DBG2(DBG_KNL, "querying policy %R === %R %N", src_ts, dst_ts,
+				   policy_dir_names, direction);
+	
+	/* create a policy */
+	policy = create_policy_entry(src_ts, dst_ts, direction);
+	
+	/* find a matching policy */
+	this->mutex->lock(this->mutex);
+	if (this->policies->find_first(this->policies,
+			(linked_list_match_t)policy_entry_equals, (void**)&found, policy) != SUCCESS)
+	{
+		this->mutex->unlock(this->mutex);
+		DBG1(DBG_KNL, "querying policy %R === %R %N failed, not found", src_ts,
+					   dst_ts, policy_dir_names, direction);
+		policy_entry_destroy(policy);
+		return NOT_FOUND;
+	}
+	policy_entry_destroy(policy);
+	policy = found;
+	
+	/* src and dst selectors in KLIPS are of the form NET_ADDR/NETBITS:PROTO */
+	snprintf(src, sizeof(src), "%H/%d:%d", policy->src.net, policy->src.mask,
+			policy->src.proto);
+	src[sizeof(src) - 1] = '\0';
+	snprintf(dst, sizeof(dst), "%H/%d:%d", policy->dst.net, policy->dst.mask,
+			policy->dst.proto);
+	dst[sizeof(dst) - 1] = '\0';
+	
+	this->mutex->unlock(this->mutex);
+	
+	/* we try to find the matching eroute first */
+	file = fopen(path_eroute, "r");
+	if (file == NULL)
+	{
+		DBG1(DBG_KNL, "unable to query policy %R === %R %N: %s (%d)", src_ts,
+				dst_ts, policy_dir_names, direction, strerror(errno), errno);
+		return FAILED;
+	}
+	
+	/* read line by line where each line looks like:
+	 * packets  src  ->  dst  =>  said */
+	while (fgets(line, sizeof(line), file))
+	{
+		enumerator_t *enumerator;
+		char *token;
+		int i = 0;
+		
+		enumerator = enumerator_create_token(line, " \t", " \t\n");
+		while (enumerator->enumerate(enumerator, &token))
+		{
+			switch (i++)
+			{
+				case 0: /* packets */
+					continue;
+				case 1: /* src */
+					if (streq(token, src))
+					{
+						continue;
+					}
+					break;
+				case 2: /* -> */
+					continue;
+				case 3: /* dst */
+					if (streq(token, dst))
+					{
+						continue;
+					}
+					break;
+				case 4: /* => */
+					continue;
+				case 5: /* said */
+					said = strdup(token);
+					break;
+			}
+			break;
+		}
+		enumerator->destroy(enumerator);
+		
+		if (i == 5)
+		{
+			/* eroute matched */
+			break;
+		}
+	}
+	fclose(file);
+	
+	if (said == NULL)
+	{
+		DBG1(DBG_KNL, "unable to query policy %R === %R %N: found no matching"
+				" eroute", src_ts, dst_ts, policy_dir_names, direction);
+		return FAILED;
+	}
+	
+	/* compared with the one in the spi entry the SA ID from the eroute entry
+	 * has an additional ":PROTO" appended, which we need to cut off */
+	pos = strrchr(said, ':');
+	*pos = '\0';
+	
+	/* now we try to find the matching spi entry */
+	file = fopen(path_spi, "r");
+	if (file == NULL)
+	{
+		DBG1(DBG_KNL, "unable to query policy %R === %R %N: %s (%d)", src_ts,
+				dst_ts, policy_dir_names, direction, strerror(errno), errno);
+		return FAILED;
+	}
+	
+	while (fgets(line, sizeof(line), file))
+	{
+		if (strneq(line, said, strlen(said)))
+		{
+			/* fine we found the correct line, now find the idle time */
+			u_int32_t idle_time;
+			pos = strstr(line, IDLE_PREFIX);
+			if (pos == NULL)
+			{
+				/* no idle time, i.e. this SA has not been used yet */
+				break;
+			}
+			if (sscanf(pos, IDLE_PREFIX"%u", &idle_time) <= 0)
+			{
+				/* idle time not valid */
+				break;
+			}
+			
+			*use_time = time(NULL) - idle_time;
+			status = SUCCESS;
+			break;
+		}
+	}
+	fclose(file);
+	free(said);
+	
+	return status;
+}
+
+/**
+ * Implementation of kernel_interface_t.del_policy.
+ */
+static status_t del_policy(private_kernel_klips_ipsec_t *this,
+						   traffic_selector_t *src_ts, 
+						   traffic_selector_t *dst_ts,
+						   policy_dir_t direction, bool unrouted)
+{
+	unsigned char request[PFKEY_BUFFER_SIZE];
+	struct sadb_msg *msg = (struct sadb_msg*)request, *out;
+	policy_entry_t *policy, *found = NULL;
+	route_entry_t *route;
+	size_t len;
+	
+	if (direction == POLICY_FWD)
+	{
+		/* no forward policies for KLIPS */
+		return SUCCESS;
+	}
+	
+	DBG2(DBG_KNL, "deleting policy %R === %R %N", src_ts, dst_ts,
+				   policy_dir_names, direction);
+	
+	/* create a policy */
+	policy = create_policy_entry(src_ts, dst_ts, direction);
+	
+	/* find a matching policy */
+	this->mutex->lock(this->mutex);
+	if (this->policies->find_first(this->policies,
+			(linked_list_match_t)policy_entry_equals, (void**)&found, policy) != SUCCESS)
+	{
+		this->mutex->unlock(this->mutex);
+		DBG1(DBG_KNL, "deleting policy %R === %R %N failed, not found", src_ts,
+					   dst_ts, policy_dir_names, direction);
+		policy_entry_destroy(policy);
+		return NOT_FOUND;
+	}
+	policy_entry_destroy(policy);
+	
+	/* decrease appropriate counter */
+	unrouted ? found->trapcount-- : found->activecount--;
+	
+	if (found->trapcount == 0)
+	{
+		/* if this policy is finally unrouted, we reset the reqid because it
+		 * may still be actively used and there might be a pending acquire for
+		 * this policy. */
+		found->reqid = 0;
+	}
+	
+	if (found->activecount > 0)
+	{
+		/* is still used by SAs, keep in kernel */
+		this->mutex->unlock(this->mutex);
+		DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed");
+		return SUCCESS;
+	}
+	else if (found->activecount == 0 && found->trapcount > 0)
+	{
+		/* for a policy that is not used actively anymore, but is still trapped
+		 * by another child SA we replace the current eroute with a %trap eroute */
+		DBG2(DBG_KNL, "policy still routed by another CHILD_SA, not removed");
+		memset(&request, 0, sizeof(request));
+		build_addflow(msg, SADB_X_SATYPE_INT, htonl(SPI_TRAP), NULL, NULL,
+				found->src.net, found->src.mask, found->dst.net,
+				found->dst.mask, found->src.proto, TRUE);
+		this->mutex->unlock(this->mutex);
+		return pfkey_send_ack(this, msg);
+	}
+	
+	/* remove if last reference */
+	this->policies->remove(this->policies, found, NULL);
+	policy = found;
+	
+	this->mutex->unlock(this->mutex);
+		
+	memset(&request, 0, sizeof(request));
+	
+	build_delflow(msg, 0, policy->src.net, policy->src.mask, policy->dst.net,
+			policy->dst.mask, policy->src.proto);
+	
+	route = policy->route;
+	policy->route = NULL;
+	policy_entry_destroy(policy);
+	
+	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "unable to delete policy %R === %R %N", src_ts, dst_ts,
+					   policy_dir_names, direction);
+		return FAILED;
+	}
+	else if (out->sadb_msg_errno)
+	{
+		DBG1(DBG_KNL, "unable to delete policy %R === %R %N: %s (%d)", src_ts,
+					   dst_ts, policy_dir_names, direction,
+					   strerror(out->sadb_msg_errno), out->sadb_msg_errno);
+		free(out);
+		return FAILED;
+	}
+	free(out);
+	
+	if (route)
+	{
+		ipsec_dev_t *dev;
+		
+		if (charon->kernel_interface->del_route(charon->kernel_interface,
+				route->dst_net, route->prefixlen, route->gateway,
+				route->src_ip, route->if_name) != SUCCESS)
+		{
+			DBG1(DBG_KNL, "error uninstalling route installed with"
+						  " policy %R === %R %N", src_ts, dst_ts,
+						   policy_dir_names, direction);
+		}
+		
+		/* we have to detach the ipsec interface from the physical one over which
+		 * this SA ran (if it is not used by any other) */
+		this->mutex->lock(this->mutex);
+		
+		if (find_ipsec_dev(this, route->if_name, &dev) == SUCCESS)
+		{
+			/* fine, we found a matching device object, let's check if we have
+			 * to detach it. */
+			if (--dev->refcount == 0)
+			{
+				if (detach_ipsec_dev(dev->name, dev->phys_name) != SUCCESS)
+				{
+					DBG1(DBG_KNL, "failed to detach virtual interface %s"
+							" from %s", dev->name, dev->phys_name);
+				}
+				dev->phys_name[0] = '\0';
+			}
+		}
+		
+		this->mutex->unlock(this->mutex);
+		
+		route_entry_destroy(route);
+	}
+	
+	return SUCCESS;
+}
+
+/**
+ * Initialize the list of ipsec devices
+ */
+static void init_ipsec_devices(private_kernel_klips_ipsec_t *this)
+{
+	int i, count = lib->settings->get_int(lib->settings,
+						"charon.plugins.kernel_klips.ipsec_dev_count",
+						DEFAULT_IPSEC_DEV_COUNT);
+	
+	for (i = 0; i < count; ++i)
+	{
+		ipsec_dev_t *dev = malloc_thing(ipsec_dev_t);
+		snprintf(dev->name, IFNAMSIZ, IPSEC_DEV_PREFIX"%d", i);
+		dev->name[IFNAMSIZ - 1] = '\0';
+		dev->phys_name[0] = '\0';
+		dev->refcount = 0;
+		this->ipsec_devices->insert_last(this->ipsec_devices, dev);
+		
+		/* detach any previously attached ipsec device */
+		detach_ipsec_dev(dev->name, dev->phys_name);
+	}
+}
+
+/**
+ * Register a socket for AQUIRE/EXPIRE messages
+ */
+static status_t register_pfkey_socket(private_kernel_klips_ipsec_t *this, u_int8_t satype)
+{
+	unsigned char request[PFKEY_BUFFER_SIZE];
+	struct sadb_msg *msg, *out;
+	size_t len;
+	
+	memset(&request, 0, sizeof(request));
+	
+	msg = (struct sadb_msg*)request;
+	msg->sadb_msg_version = PF_KEY_V2;
+	msg->sadb_msg_type = SADB_REGISTER;
+	msg->sadb_msg_satype = satype;
+	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
+	
+	if (pfkey_send_socket(this, this->socket_events, msg, &out, &len) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "unable to register PF_KEY socket");
+		return FAILED;
+	}
+	else if (out->sadb_msg_errno)
+	{
+		DBG1(DBG_KNL, "unable to register PF_KEY socket: %s (%d)",
+					   strerror(out->sadb_msg_errno), out->sadb_msg_errno);
+		free(out);
+		return FAILED;
+	}
+	free(out);
+	return SUCCESS;
+}
+
+/**
+ * Implementation of kernel_interface_t.destroy.
+ */
+static void destroy(private_kernel_klips_ipsec_t *this)
+{
+	this->job->cancel(this->job);
+	close(this->socket);
+	close(this->socket_events);
+	this->mutex_pfkey->destroy(this->mutex_pfkey);
+	this->mutex->destroy(this->mutex);
+	this->ipsec_devices->destroy_function(this->ipsec_devices, (void*)ipsec_dev_destroy);
+	this->installed_sas->destroy_function(this->installed_sas, (void*)sa_entry_destroy);
+	this->allocated_spis->destroy_function(this->allocated_spis, (void*)sa_entry_destroy);
+	this->policies->destroy_function(this->policies, (void*)policy_entry_destroy);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+kernel_klips_ipsec_t *kernel_klips_ipsec_create()
+{
+	private_kernel_klips_ipsec_t *this = malloc_thing(private_kernel_klips_ipsec_t);
+	
+	/* public functions */
+	this->public.interface.get_spi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,protocol_id_t,u_int32_t,u_int32_t*))get_spi;
+	this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
+	this->public.interface.add_sa  = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa;
+	this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa;
+	this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
+	this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t,protocol_id_t,u_int32_t,ipsec_mode_t,u_int16_t,u_int16_t,bool))add_policy;
+	this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
+	this->public.interface.del_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,bool))del_policy;
+	
+	this->public.interface.destroy = (void(*)(kernel_ipsec_t*)) destroy;
+
+	/* private members */
+	this->policies = linked_list_create();
+	this->allocated_spis = linked_list_create();
+	this->installed_sas = linked_list_create();
+	this->ipsec_devices = linked_list_create();
+	this->mutex = mutex_create(MUTEX_DEFAULT);
+	this->mutex_pfkey = mutex_create(MUTEX_DEFAULT);
+	this->install_routes = lib->settings->get_bool(lib->settings, "charon.install_routes", TRUE);
+	this->seq = 0;
+	
+	/* initialize ipsec devices */
+	init_ipsec_devices(this);
+	
+	/* create a PF_KEY socket to communicate with the kernel */
+	this->socket = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
+	if (this->socket <= 0)
+	{
+		charon->kill(charon, "unable to create PF_KEY socket");
+	}
+	
+	/* create a PF_KEY socket for ACQUIRE & EXPIRE */
+	this->socket_events = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
+	if (this->socket_events <= 0)
+	{
+		charon->kill(charon, "unable to create PF_KEY event socket");
+	}
+	
+	/* register the event socket */
+	if (register_pfkey_socket(this, SADB_SATYPE_ESP) != SUCCESS ||
+		register_pfkey_socket(this, SADB_SATYPE_AH) != SUCCESS)
+	{
+		charon->kill(charon, "unable to register PF_KEY event socket");
+	}
+	
+	this->job = callback_job_create((callback_job_cb_t)receive_events,
+									this, NULL, NULL);
+	charon->processor->queue_job(charon->processor, (job_t*)this->job);
+	
+	return &this->public;
+}
diff --git a/src/charon/plugins/kernel_klips/kernel_klips_ipsec.h b/src/charon/plugins/kernel_klips/kernel_klips_ipsec.h
new file mode 100644
index 000000000..b16390ab4
--- /dev/null
+++ b/src/charon/plugins/kernel_klips/kernel_klips_ipsec.h
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id: kernel_klips_ipsec.h 4617 2008-11-11 08:45:19Z tobias $
+ */
+
+/**
+ * @defgroup kernel_klips_ipsec_i kernel_klips_ipsec
+ * @{ @ingroup kernel_klips
+ */
+
+#ifndef KERNEL_KLIPS_IPSEC_H_
+#define KERNEL_KLIPS_IPSEC_H_
+
+#include <kernel/kernel_ipsec.h>
+
+typedef struct kernel_klips_ipsec_t kernel_klips_ipsec_t;
+
+/**
+ * Implementation of the kernel ipsec interface using PF_KEY.
+ */
+struct kernel_klips_ipsec_t {
+
+	/**
+	 * Implements kernel_ipsec_t interface
+	 */
+	kernel_ipsec_t interface;
+};
+
+/**
+ * Create a PF_KEY kernel ipsec interface instance.
+ *
+ * @return			kernel_klips_ipsec_t instance
+ */
+kernel_klips_ipsec_t *kernel_klips_ipsec_create();
+
+#endif /* KERNEL_KLIPS_IPSEC_H_ @} */
diff --git a/src/charon/plugins/kernel_klips/kernel_klips_plugin.c b/src/charon/plugins/kernel_klips/kernel_klips_plugin.c
new file mode 100644
index 000000000..42d7307ec
--- /dev/null
+++ b/src/charon/plugins/kernel_klips/kernel_klips_plugin.c
@@ -0,0 +1,58 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id: kernel_klips_plugin.c 4617 2008-11-11 08:45:19Z tobias $
+ */
+
+
+#include "kernel_klips_plugin.h"
+
+#include "kernel_klips_ipsec.h"
+
+#include <daemon.h>
+
+typedef struct private_kernel_klips_plugin_t private_kernel_klips_plugin_t;
+
+/**
+ * private data of kernel PF_KEY plugin
+ */
+struct private_kernel_klips_plugin_t {
+	/**
+	 * implements plugin interface
+	 */
+	kernel_klips_plugin_t public;
+};
+
+/**
+ * Implementation of plugin_t.destroy
+ */
+static void destroy(private_kernel_klips_plugin_t *this)
+{
+	charon->kernel_interface->remove_ipsec_interface(charon->kernel_interface, (kernel_ipsec_constructor_t)kernel_klips_ipsec_create);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *plugin_create()
+{
+	private_kernel_klips_plugin_t *this = malloc_thing(private_kernel_klips_plugin_t);
+	
+	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+	
+	charon->kernel_interface->add_ipsec_interface(charon->kernel_interface, (kernel_ipsec_constructor_t)kernel_klips_ipsec_create);
+	
+	return &this->public.plugin;
+}
diff --git a/src/charon/plugins/kernel_klips/kernel_klips_plugin.h b/src/charon/plugins/kernel_klips/kernel_klips_plugin.h
new file mode 100644
index 000000000..67c3b74c6
--- /dev/null
+++ b/src/charon/plugins/kernel_klips/kernel_klips_plugin.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id: kernel_klips_plugin.h 4617 2008-11-11 08:45:19Z tobias $
+ */
+
+/**
+ * @defgroup kernel_klips kernel_klips
+ * @ingroup cplugins
+ *
+ * @defgroup kernel_klips_plugin kernel_klips_plugin
+ * @{ @ingroup kernel_klips
+ */
+
+#ifndef KERNEL_KLIPS_PLUGIN_H_
+#define KERNEL_KLIPS_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct kernel_klips_plugin_t kernel_klips_plugin_t;
+
+/**
+ * PF_KEY kernel interface plugin
+ */
+struct kernel_klips_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+/**
+ * Create a kernel_klips_plugin instance.
+ */
+plugin_t *plugin_create();
+
+#endif /* KERNEL_KLIPS_PLUGIN_H_ @} */
diff --git a/src/charon/plugins/kernel_klips/pfkeyv2.h b/src/charon/plugins/kernel_klips/pfkeyv2.h
new file mode 100644
index 000000000..78d3dfa91
--- /dev/null
+++ b/src/charon/plugins/kernel_klips/pfkeyv2.h
@@ -0,0 +1,322 @@
+/*
+RFC 2367               PF_KEY Key Management API               July 1998
+
+
+Appendix D: Sample Header File
+
+This file defines structures and symbols for the PF_KEY Version 2
+key management interface. It was written at the U.S. Naval Research
+Laboratory. This file is in the public domain. The authors ask that
+you leave this credit intact on any copies of this file.
+*/
+#ifndef __PFKEY_V2_H
+#define __PFKEY_V2_H 1
+
+#define PF_KEY_V2 2
+#define PFKEYV2_REVISION        199806L
+
+#define SADB_RESERVED    0
+#define SADB_GETSPI      1
+#define SADB_UPDATE      2
+#define SADB_ADD         3
+#define SADB_DELETE      4
+#define SADB_GET         5
+#define SADB_ACQUIRE     6
+#define SADB_REGISTER    7
+#define SADB_EXPIRE      8
+#define SADB_FLUSH       9
+#define SADB_DUMP       10
+#define SADB_X_PROMISC  11
+#define SADB_X_PCHANGE  12
+#define SADB_X_GRPSA    13
+#define SADB_X_ADDFLOW	14
+#define SADB_X_DELFLOW	15
+#define SADB_X_DEBUG	16
+#define SADB_X_NAT_T_NEW_MAPPING  17
+#define SADB_MAX                  17
+
+struct sadb_msg {
+  uint8_t sadb_msg_version;
+  uint8_t sadb_msg_type;
+  uint8_t sadb_msg_errno;
+  uint8_t sadb_msg_satype;
+  uint16_t sadb_msg_len;
+  uint16_t sadb_msg_reserved;
+  uint32_t sadb_msg_seq;
+  uint32_t sadb_msg_pid;
+};
+
+struct sadb_ext {
+  uint16_t sadb_ext_len;
+  uint16_t sadb_ext_type;
+};
+
+struct sadb_sa {
+  uint16_t sadb_sa_len;
+  uint16_t sadb_sa_exttype;
+  uint32_t sadb_sa_spi;
+  uint8_t sadb_sa_replay;
+  uint8_t sadb_sa_state;
+  uint8_t sadb_sa_auth;
+  uint8_t sadb_sa_encrypt;
+  uint32_t sadb_sa_flags;
+};
+
+struct sadb_lifetime {
+  uint16_t sadb_lifetime_len;
+  uint16_t sadb_lifetime_exttype;
+  uint32_t sadb_lifetime_allocations;
+  uint64_t sadb_lifetime_bytes;
+  uint64_t sadb_lifetime_addtime;
+  uint64_t sadb_lifetime_usetime;
+  uint32_t sadb_x_lifetime_packets;
+  uint32_t sadb_x_lifetime_reserved;
+};
+
+struct sadb_address {
+  uint16_t sadb_address_len;
+  uint16_t sadb_address_exttype;
+  uint8_t sadb_address_proto;
+  uint8_t sadb_address_prefixlen;
+  uint16_t sadb_address_reserved;
+};
+
+struct sadb_key {
+  uint16_t sadb_key_len;
+  uint16_t sadb_key_exttype;
+  uint16_t sadb_key_bits;
+  uint16_t sadb_key_reserved;
+};
+
+struct sadb_ident {
+  uint16_t sadb_ident_len;
+  uint16_t sadb_ident_exttype;
+  uint16_t sadb_ident_type;
+  uint16_t sadb_ident_reserved;
+  uint64_t sadb_ident_id;
+};
+
+struct sadb_sens {
+  uint16_t sadb_sens_len;
+  uint16_t sadb_sens_exttype;
+  uint32_t sadb_sens_dpd;
+  uint8_t sadb_sens_sens_level;
+  uint8_t sadb_sens_sens_len;
+  uint8_t sadb_sens_integ_level;
+  uint8_t sadb_sens_integ_len;
+  uint32_t sadb_sens_reserved;
+};
+
+struct sadb_prop {
+  uint16_t sadb_prop_len;
+  uint16_t sadb_prop_exttype;
+  uint8_t sadb_prop_replay;
+  uint8_t sadb_prop_reserved[3];
+};
+
+struct sadb_comb {
+  uint8_t sadb_comb_auth;
+  uint8_t sadb_comb_encrypt;
+  uint16_t sadb_comb_flags;
+  uint16_t sadb_comb_auth_minbits;
+  uint16_t sadb_comb_auth_maxbits;
+  uint16_t sadb_comb_encrypt_minbits;
+  uint16_t sadb_comb_encrypt_maxbits;
+  uint32_t sadb_comb_reserved;
+  uint32_t sadb_comb_soft_allocations;
+  uint32_t sadb_comb_hard_allocations;
+  uint64_t sadb_comb_soft_bytes;
+  uint64_t sadb_comb_hard_bytes;
+  uint64_t sadb_comb_soft_addtime;
+  uint64_t sadb_comb_hard_addtime;
+  uint64_t sadb_comb_soft_usetime;
+  uint64_t sadb_comb_hard_usetime;
+  uint32_t sadb_x_comb_soft_packets;
+  uint32_t sadb_x_comb_hard_packets;
+};
+
+struct sadb_supported {
+  uint16_t sadb_supported_len;
+  uint16_t sadb_supported_exttype;
+  uint32_t sadb_supported_reserved;
+};
+
+struct sadb_alg {
+  uint8_t sadb_alg_id;
+  uint8_t sadb_alg_ivlen;
+  uint16_t sadb_alg_minbits;
+  uint16_t sadb_alg_maxbits;
+  uint16_t sadb_alg_reserved;
+};
+
+struct sadb_spirange {
+  uint16_t sadb_spirange_len;
+  uint16_t sadb_spirange_exttype;
+  uint32_t sadb_spirange_min;
+  uint32_t sadb_spirange_max;
+  uint32_t sadb_spirange_reserved;
+};
+
+struct sadb_x_kmprivate {
+  uint16_t sadb_x_kmprivate_len;
+  uint16_t sadb_x_kmprivate_exttype;
+  uint32_t sadb_x_kmprivate_reserved;
+};
+
+struct sadb_x_satype {
+  uint16_t sadb_x_satype_len;
+  uint16_t sadb_x_satype_exttype;
+  uint8_t sadb_x_satype_satype;
+  uint8_t sadb_x_satype_reserved[3];
+};
+  
+struct sadb_x_debug {
+  uint16_t sadb_x_debug_len;
+  uint16_t sadb_x_debug_exttype;
+  uint32_t sadb_x_debug_tunnel;
+  uint32_t sadb_x_debug_netlink;
+  uint32_t sadb_x_debug_xform;
+  uint32_t sadb_x_debug_eroute;
+  uint32_t sadb_x_debug_spi;
+  uint32_t sadb_x_debug_radij;
+  uint32_t sadb_x_debug_esp;
+  uint32_t sadb_x_debug_ah;
+  uint32_t sadb_x_debug_rcv;
+  uint32_t sadb_x_debug_pfkey;
+  uint32_t sadb_x_debug_ipcomp;
+  uint32_t sadb_x_debug_verbose;
+  uint8_t sadb_x_debug_reserved[4];
+};
+
+struct sadb_x_nat_t_type {
+  uint16_t sadb_x_nat_t_type_len;
+  uint16_t sadb_x_nat_t_type_exttype;
+  uint8_t sadb_x_nat_t_type_type;
+  uint8_t sadb_x_nat_t_type_reserved[3];
+};
+struct sadb_x_nat_t_port {
+  uint16_t sadb_x_nat_t_port_len;
+  uint16_t sadb_x_nat_t_port_exttype;
+  uint16_t sadb_x_nat_t_port_port;
+  uint16_t sadb_x_nat_t_port_reserved;
+};
+  
+/*
+ * A protocol structure for passing through the transport level
+ * protocol.  It contains more fields than are actually used/needed
+ * but it is this way to be compatible with the structure used in
+ * OpenBSD (http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/pfkeyv2.h)
+ */
+struct sadb_protocol {
+  uint16_t sadb_protocol_len;
+  uint16_t sadb_protocol_exttype;
+  uint8_t  sadb_protocol_proto;
+  uint8_t  sadb_protocol_direction;
+  uint8_t  sadb_protocol_flags;
+  uint8_t  sadb_protocol_reserved2;
+};
+
+#define SADB_EXT_RESERVED             0
+#define SADB_EXT_SA                   1
+#define SADB_EXT_LIFETIME_CURRENT     2
+#define SADB_EXT_LIFETIME_HARD        3
+#define SADB_EXT_LIFETIME_SOFT        4
+#define SADB_EXT_ADDRESS_SRC          5
+#define SADB_EXT_ADDRESS_DST          6
+#define SADB_EXT_ADDRESS_PROXY        7
+#define SADB_EXT_KEY_AUTH             8
+#define SADB_EXT_KEY_ENCRYPT          9
+#define SADB_EXT_IDENTITY_SRC         10
+#define SADB_EXT_IDENTITY_DST         11
+#define SADB_EXT_SENSITIVITY          12
+#define SADB_EXT_PROPOSAL             13
+#define SADB_EXT_SUPPORTED_AUTH       14
+#define SADB_EXT_SUPPORTED_ENCRYPT    15
+#define SADB_EXT_SPIRANGE             16
+#define SADB_X_EXT_KMPRIVATE          17
+#define SADB_X_EXT_SATYPE2            18
+#define SADB_X_EXT_SA2                19
+#define SADB_X_EXT_ADDRESS_DST2       20
+#define SADB_X_EXT_ADDRESS_SRC_FLOW   21
+#define SADB_X_EXT_ADDRESS_DST_FLOW   22
+#define SADB_X_EXT_ADDRESS_SRC_MASK   23
+#define SADB_X_EXT_ADDRESS_DST_MASK   24
+#define SADB_X_EXT_DEBUG              25
+#define SADB_X_EXT_PROTOCOL           26
+#define SADB_X_EXT_NAT_T_TYPE         27
+#define SADB_X_EXT_NAT_T_SPORT        28
+#define SADB_X_EXT_NAT_T_DPORT        29
+#define SADB_X_EXT_NAT_T_OA           30
+#define SADB_EXT_MAX                  30
+
+/* SADB_X_DELFLOW required over and above SADB_X_SAFLAGS_CLEARFLOW */
+#define SADB_X_EXT_ADDRESS_DELFLOW \
+	( (1<<SADB_X_EXT_ADDRESS_SRC_FLOW) \
+	| (1<<SADB_X_EXT_ADDRESS_DST_FLOW) \
+	| (1<<SADB_X_EXT_ADDRESS_SRC_MASK) \
+	| (1<<SADB_X_EXT_ADDRESS_DST_MASK))
+
+#define SADB_SATYPE_UNSPEC    0
+#define SADB_SATYPE_AH        2
+#define SADB_SATYPE_ESP       3
+#define SADB_SATYPE_RSVP      5
+#define SADB_SATYPE_OSPFV2    6
+#define SADB_SATYPE_RIPV2     7
+#define SADB_SATYPE_MIP       8
+#define SADB_X_SATYPE_IPIP    9
+#define SADB_X_SATYPE_COMP    10
+#define SADB_X_SATYPE_INT     11
+#define SADB_SATYPE_MAX       11
+
+#define SADB_SASTATE_LARVAL   0
+#define SADB_SASTATE_MATURE   1
+#define SADB_SASTATE_DYING    2
+#define SADB_SASTATE_DEAD     3
+#define SADB_SASTATE_MAX      3
+
+#define SADB_SAFLAGS_PFS		1
+#define SADB_X_SAFLAGS_REPLACEFLOW	2
+#define SADB_X_SAFLAGS_CLEARFLOW	4
+#define SADB_X_SAFLAGS_INFLOW		8
+
+#define SADB_AALG_NONE        0
+#define SADB_AALG_MD5HMAC     2
+#define SADB_AALG_SHA1HMAC    3
+#define	SADB_AALG_SHA256_HMAC    5
+#define	SADB_AALG_SHA384_HMAC    6
+#define	SADB_AALG_SHA512_HMAC    7
+#define	SADB_AALG_RIPEMD160HMAC      8
+#define	SADB_AALG_MAX         15
+
+#define SADB_EALG_NONE        0
+#define SADB_EALG_DESCBC      2
+#define SADB_EALG_3DESCBC     3
+#define SADB_EALG_BFCBC	      7
+#define SADB_EALG_NULL        11
+#define SADB_EALG_AESCBC      12
+#define SADB_EALG_MAX         255
+
+#define SADB_X_CALG_NONE          0
+#define SADB_X_CALG_OUI           1
+#define SADB_X_CALG_DEFLATE       2
+#define SADB_X_CALG_LZS           3
+#define SADB_X_CALG_V42BIS        4
+#define SADB_X_CALG_MAX           4
+
+#define SADB_X_TALG_NONE          0
+#define SADB_X_TALG_IPv4_in_IPv4  1
+#define SADB_X_TALG_IPv6_in_IPv4  2
+#define SADB_X_TALG_IPv4_in_IPv6  3
+#define SADB_X_TALG_IPv6_in_IPv6  4
+#define SADB_X_TALG_MAX           4
+
+
+#define SADB_IDENTTYPE_RESERVED   0
+#define SADB_IDENTTYPE_PREFIX     1
+#define SADB_IDENTTYPE_FQDN       2
+#define SADB_IDENTTYPE_USERFQDN   3
+#define SADB_X_IDENTTYPE_CONNECTION 4
+#define SADB_IDENTTYPE_MAX        4
+
+#define SADB_KEY_FLAGS_MAX     0
+#endif /* __PFKEY_V2_H */
diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c
index 7b78f9eb1..70a0b3e7c 100644
--- a/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -1,6 +1,7 @@
 /*
  * Copyright (C) 2006-2008 Tobias Brunner
- * Copyright (C) 2005-2007 Martin Willi
+ * Copyright (C) 2005-2008 Martin Willi
+ * Copyright (C) 2008 Andreas Steffen
  * Copyright (C) 2006-2007 Fabian Hartmann, Noah Heusser
  * Copyright (C) 2006 Daniel Roethlisberger
  * Copyright (C) 2005 Jan Hutter
@@ -16,17 +17,18 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: kernel_netlink_ipsec.c 4406 2008-10-10 08:36:01Z martin $
+ * $Id: kernel_netlink_ipsec.c 4662 2008-11-16 21:19:58Z andreas $
  */
 
 #include <sys/types.h>
 #include <sys/socket.h>
 #include <sys/time.h>
+#include <stdint.h>
+#include <linux/ipsec.h>
 #include <linux/netlink.h>
 #include <linux/rtnetlink.h>
 #include <linux/xfrm.h>
 #include <linux/udp.h>
-#include <netinet/in.h>
 #include <pthread.h>
 #include <unistd.h>
 #include <errno.h>
@@ -36,9 +38,11 @@
 #include "kernel_netlink_shared.h"
 
 #include <daemon.h>
+#include <utils/mutex.h>
 #include <utils/linked_list.h>
 #include <processing/jobs/callback_job.h>
 #include <processing/jobs/acquire_job.h>
+#include <processing/jobs/migrate_job.h>
 #include <processing/jobs/rekey_child_sa_job.h>
 #include <processing/jobs/delete_child_sa_job.h>
 #include <processing/jobs/update_sa_job.h>
@@ -48,6 +52,11 @@
 #define XFRM_STATE_AF_UNSPEC	32
 #endif
 
+/** from linux/in.h */
+#ifndef IP_IPSEC_POLICY
+#define IP_IPSEC_POLICY 16
+#endif
+
 /** default priority of installed policies */
 #define PRIO_LOW 3000
 #define PRIO_HIGH 2000
@@ -76,30 +85,41 @@
 typedef struct kernel_algorithm_t kernel_algorithm_t;
 
 /**
- * Mapping from the algorithms defined in IKEv2 to
- * kernel level algorithm names and their key length
+ * Mapping of IKEv2 kernel identifier to linux crypto API names
  */
 struct kernel_algorithm_t {
 	/**
 	 * Identifier specified in IKEv2
 	 */
-	int ikev2_id;
+	int ikev2;
 	
 	/**
-	 * Name of the algorithm, as used as kernel identifier
+	 * Name of the algorithm in linux crypto API
 	 */
 	char *name;
-	
-	/**
-	 * Key length in bits, if fixed size
-	 */
-	u_int key_size;
 };
 
-ENUM(policy_dir_names, POLICY_IN, POLICY_FWD,
-	"in",
-	"out",
-	"fwd"
+ENUM(xfrm_attr_type_names, XFRMA_UNSPEC, XFRMA_KMADDRESS,
+	"XFRMA_UNSPEC",
+	"XFRMA_ALG_AUTH",
+	"XFRMA_ALG_CRYPT",
+	"XFRMA_ALG_COMP",
+	"XFRMA_ENCAP",
+	"XFRMA_TMPL",
+	"XFRMA_SA",
+	"XFRMA_POLICY",
+	"XFRMA_SEC_CTX",
+	"XFRMA_LTIME_VAL",
+	"XFRMA_REPLAY_VAL",
+	"XFRMA_REPLAY_THRESH",
+	"XFRMA_ETIMER_THRESH",
+	"XFRMA_SRCADDR",
+	"XFRMA_COADDR",
+	"XFRMA_LASTUSED",
+	"XFRMA_POLICY_TYPE",
+	"XFRMA_MIGRATE",
+	"XFRMA_ALG_AEAD",
+	"XFRMA_KMADDRESS"
 );
 
 #define END_OF_LIST -1
@@ -108,71 +128,65 @@ ENUM(policy_dir_names, POLICY_IN, POLICY_FWD,
  * Algorithms for encryption
  */
 static kernel_algorithm_t encryption_algs[] = {
-/*	{ENCR_DES_IV64, 		"***", 					0}, */
-	{ENCR_DES, 				"des", 					64},
-	{ENCR_3DES, 			"des3_ede",				192},
-/*	{ENCR_RC5, 				"***", 					0}, */
-/*	{ENCR_IDEA, 			"***",					0}, */
-	{ENCR_CAST, 			"cast128",				0},
-	{ENCR_BLOWFISH, 		"blowfish",				0},
-/*	{ENCR_3IDEA, 			"***",					0}, */
-/*	{ENCR_DES_IV32, 		"***",					0}, */
-	{ENCR_NULL, 			"cipher_null",			0},
-	{ENCR_AES_CBC,	 		"aes",					0},
-/*	{ENCR_AES_CTR, 			"***",					0}, */
-	{ENCR_AES_CCM_ICV8,		"rfc4309(ccm(aes))",	64},	/* key_size = ICV size */
-	{ENCR_AES_CCM_ICV12,	"rfc4309(ccm(aes))",	96},	/* key_size = ICV size */
-	{ENCR_AES_CCM_ICV16,	"rfc4309(ccm(aes))",	128},	/* key_size = ICV size */
-	{ENCR_AES_GCM_ICV8,		"rfc4106(gcm(aes))",	64},	/* key_size = ICV size */
-	{ENCR_AES_GCM_ICV12,	"rfc4106(gcm(aes))",	96},	/* key_size = ICV size */
-	{ENCR_AES_GCM_ICV16,	"rfc4106(gcm(aes))",	128},	/* key_size = ICV size */
-	{END_OF_LIST, 		NULL,			0},
+/*	{ENCR_DES_IV64, 			"***"				}, */
+	{ENCR_DES, 					"des" 				},
+	{ENCR_3DES, 				"des3_ede"			},
+/*	{ENCR_RC5, 					"***" 				}, */
+/*	{ENCR_IDEA, 				"***"				}, */
+	{ENCR_CAST, 				"cast128"			},
+	{ENCR_BLOWFISH, 			"blowfish"			},
+/*	{ENCR_3IDEA, 				"***"				}, */
+/*	{ENCR_DES_IV32, 			"***"				}, */
+	{ENCR_NULL, 				"cipher_null"		},
+	{ENCR_AES_CBC,	 			"aes"				},
+/*	{ENCR_AES_CTR, 				"***"				}, */
+	{ENCR_AES_CCM_ICV8,			"rfc4309(ccm(aes))"	},
+	{ENCR_AES_CCM_ICV12,		"rfc4309(ccm(aes))"	},
+	{ENCR_AES_CCM_ICV16,		"rfc4309(ccm(aes))"	},
+	{ENCR_AES_GCM_ICV8,			"rfc4106(gcm(aes))"	},
+	{ENCR_AES_GCM_ICV12,		"rfc4106(gcm(aes))"	},
+	{ENCR_AES_GCM_ICV16,		"rfc4106(gcm(aes))"	},
+	{END_OF_LIST, 				NULL				},
 };
 
 /**
  * Algorithms for integrity protection
  */
 static kernel_algorithm_t integrity_algs[] = {
-	{AUTH_HMAC_MD5_96, 			"md5",			128},
-	{AUTH_HMAC_SHA1_96,			"sha1",			160},
-	{AUTH_HMAC_SHA2_256_128,	"sha256",		256},
-	{AUTH_HMAC_SHA2_384_192,	"sha384",		384},
-	{AUTH_HMAC_SHA2_512_256,	"sha512",		512},
-/*	{AUTH_DES_MAC,				"***",			0}, */
-/*	{AUTH_KPDK_MD5,				"***",			0}, */
-	{AUTH_AES_XCBC_96,			"xcbc(aes)",	128},
-	{END_OF_LIST, 				NULL,			0},
+	{AUTH_HMAC_MD5_96, 			"md5"				},
+	{AUTH_HMAC_SHA1_96,			"sha1"				},
+	{AUTH_HMAC_SHA2_256_128,	"sha256"			},
+	{AUTH_HMAC_SHA2_384_192,	"sha384"			},
+	{AUTH_HMAC_SHA2_512_256,	"sha512"			},
+/*	{AUTH_DES_MAC,				"***"				}, */
+/*	{AUTH_KPDK_MD5,				"***"				}, */
+	{AUTH_AES_XCBC_96,			"xcbc(aes)"			},
+	{END_OF_LIST, 				NULL				},
 };
 
 /**
  * Algorithms for IPComp
  */
 static kernel_algorithm_t compression_algs[] = {
-/*	{IPCOMP_OUI, 			"***",			0}, */
-	{IPCOMP_DEFLATE,		"deflate",		0},
-	{IPCOMP_LZS,			"lzs",			0},
-	{IPCOMP_LZJH,			"lzjh",			0},
-	{END_OF_LIST, 			NULL,			0},
+/*	{IPCOMP_OUI, 				"***"				}, */
+	{IPCOMP_DEFLATE,			"deflate"			},
+	{IPCOMP_LZS,				"lzs"				},
+	{IPCOMP_LZJH,				"lzjh"				},
+	{END_OF_LIST, 				NULL				},
 };
 
 /**
  * Look up a kernel algorithm name and its key size
  */
-static char* lookup_algorithm(kernel_algorithm_t *kernel_algo, 
-					   u_int16_t ikev2_algo, u_int16_t *key_size)
+static char* lookup_algorithm(kernel_algorithm_t *list, int ikev2)
 {
-	while (kernel_algo->ikev2_id != END_OF_LIST)
+	while (list->ikev2 != END_OF_LIST)
 	{
-		if (ikev2_algo == kernel_algo->ikev2_id)
+		if (list->ikev2 == ikev2)
 		{
-			/* match, evaluate key length */
-			if (key_size && *key_size == 0)
-			{	/* update key size if not set */
-				*key_size = kernel_algo->key_size;
-			}
-			return kernel_algo->name;
+			return list->name;
 		}
-		kernel_algo++;
+		list++;
 	}
 	return NULL;
 }
@@ -221,9 +235,6 @@ struct policy_entry_t {
 	/** direction of this policy: in, out, forward */
 	u_int8_t direction;
 	
-	/** reqid of the policy */
-	u_int32_t reqid;
-	
 	/** parameters of installed policy */
 	struct xfrm_selector sel;
 	
@@ -248,7 +259,7 @@ struct private_kernel_netlink_ipsec_t {
 	/**
 	 * mutex to lock access to various lists
 	 */
-	pthread_mutex_t mutex;
+	mutex_t *mutex;
 	
 	/**
 	 * List of installed policies (policy_entry_t)
@@ -344,41 +355,13 @@ static host_t* xfrm2host(int family, xfrm_address_t *xfrm, u_int16_t port)
 static void ts2subnet(traffic_selector_t* ts, 
 					  xfrm_address_t *net, u_int8_t *mask)
 {
-	/* there is no way to do this cleanly, as the address range may
-	 * be anything else but a subnet. We use from_addr as subnet 
-	 * and try to calculate a usable subnet mask.
-	 */
-	int byte, bit;
-	bool found = FALSE;
-	chunk_t from, to;
-	size_t size = (ts->get_type(ts) == TS_IPV4_ADDR_RANGE) ? 4 : 16;
-	
-	from = ts->get_from_address(ts);
-	to = ts->get_to_address(ts);
+	host_t *net_host;
+	chunk_t net_chunk;
 	
-	*mask = (size * 8);
-	/* go trough all bits of the addresses, beginning in the front.
-	 * as long as they are equal, the subnet gets larger
-	 */
-	for (byte = 0; byte < size; byte++)
-	{
-		for (bit = 7; bit >= 0; bit--)
-		{
-			if ((1<<bit & from.ptr[byte]) != (1<<bit & to.ptr[byte]))
-			{
-				*mask = ((7 - bit) + (byte * 8));
-				found = TRUE;
-				break;
-			}
-		}
-		if (found)
-		{
-			break;
-		}
-	}
-	memcpy(net, from.ptr, from.len);
-	chunk_free(&from);
-	chunk_free(&to);
+	ts->to_subnet(ts, &net_host, mask);
+	net_chunk = net_host->get_address(net_host);
+	memcpy(net, net_chunk.ptr, net_chunk.len);
+	net_host->destroy(net_host);
 }
 
 /**
@@ -430,6 +413,57 @@ static struct xfrm_selector ts2selector(traffic_selector_t *src,
 	return sel;
 }
 
+/**
+ * convert a xfrm_selector to a src|dst traffic_selector 
+ */
+static traffic_selector_t* selector2ts(struct xfrm_selector *sel, bool src)
+{
+	int family;
+	chunk_t addr;
+	u_int8_t prefixlen;
+	u_int16_t port, port_mask;
+	host_t *host;
+	traffic_selector_t *ts;
+
+	if (src)
+	{
+		addr.ptr = (u_char*)&sel->saddr;
+		prefixlen = sel->prefixlen_s;
+		port = sel->sport;
+		port_mask = sel->sport_mask;
+	}
+    else
+	{
+		addr.ptr = (u_char*)&sel->daddr;
+		prefixlen = sel->prefixlen_d;
+		port = sel->dport;
+		port_mask = sel->dport_mask;
+	}
+
+	/* The Linux 2.6 kernel does not set the selector's family field,
+     * so as a kludge we additionally test the prefix length. 
+	 */
+	if (sel->family == AF_INET || sel->prefixlen_s == 32)
+	{
+		family = AF_INET;
+		addr.len = 4;
+	}
+	else if (sel->family == AF_INET6 || sel->prefixlen_s == 128)
+	{
+		family = AF_INET6;
+		addr.len = 16;
+	}
+	else
+	{
+		return NULL;
+	}
+	host = host_create_from_chunk(family, addr, 0);
+	port = (port_mask == 0) ? 0 : ntohs(port); 
+
+	ts = traffic_selector_create_from_subnet(host, prefixlen, sel->proto, port);
+	host->destroy(host); 		
+	return ts;
+}
 
 /**
  * process a XFRM_MSG_ACQUIRE from kernel
@@ -438,18 +472,31 @@ static void process_acquire(private_kernel_netlink_ipsec_t *this, struct nlmsghd
 {
 	u_int32_t reqid = 0;
 	int proto = 0;
+	traffic_selector_t *src_ts, *dst_ts;
+	struct xfrm_user_acquire *acquire;
+	struct rtattr *rta;
+	size_t rtasize;
 	job_t *job;
-	struct rtattr *rtattr = XFRM_RTA(hdr, struct xfrm_user_acquire);
-	size_t rtsize = XFRM_PAYLOAD(hdr, struct xfrm_user_tmpl);
 	
-	if (RTA_OK(rtattr, rtsize))
+	acquire = (struct xfrm_user_acquire*)NLMSG_DATA(hdr);
+	rta = XFRM_RTA(hdr, struct xfrm_user_acquire);
+	rtasize = XFRM_PAYLOAD(hdr, struct xfrm_user_acquire);
+
+	DBG2(DBG_KNL, "received a XFRM_MSG_ACQUIRE");
+
+	while (RTA_OK(rta, rtasize))
 	{
-		if (rtattr->rta_type == XFRMA_TMPL)
+		DBG2(DBG_KNL, "  %N", xfrm_attr_type_names, rta->rta_type);
+
+		if (rta->rta_type == XFRMA_TMPL)
 		{
-			struct xfrm_user_tmpl* tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rtattr);
+			struct xfrm_user_tmpl* tmpl;
+
+			tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rta);
 			reqid = tmpl->reqid;
 			proto = tmpl->id.proto;
 		}
+		rta = RTA_NEXT(rta, rtasize);
 	}
 	switch (proto)
 	{
@@ -461,14 +508,11 @@ static void process_acquire(private_kernel_netlink_ipsec_t *this, struct nlmsghd
 			/* acquire for AH/ESP only, not for IPCOMP */
 			return;
 	}
-	if (reqid == 0)
-	{
-		DBG1(DBG_KNL, "received a XFRM_MSG_ACQUIRE, but no reqid found");
-		return;
-	}
-	DBG2(DBG_KNL, "received a XFRM_MSG_ACQUIRE");
-	DBG1(DBG_KNL, "creating acquire job for CHILD_SA with reqid {%d}", reqid);
-	job = (job_t*)acquire_job_create(reqid);
+	src_ts = selector2ts(&acquire->sel, TRUE);
+	dst_ts = selector2ts(&acquire->sel, FALSE);
+	DBG1(DBG_KNL, "creating acquire job for policy %R === %R with reqid {%u}",
+					src_ts, dst_ts, reqid);
+	job = (job_t*)acquire_job_create(reqid, src_ts, dst_ts);
 	charon->processor->queue_job(charon->processor, job);
 }
 
@@ -491,7 +535,7 @@ static void process_expire(private_kernel_netlink_ipsec_t *this, struct nlmsghdr
 	
 	if (protocol != PROTO_ESP && protocol != PROTO_AH)
 	{
-		DBG2(DBG_KNL, "ignoring XFRM_MSG_EXPIRE for SA with SPI %.8x and reqid {%d} "
+		DBG2(DBG_KNL, "ignoring XFRM_MSG_EXPIRE for SA with SPI %.8x and reqid {%u} "
 					  "which is not a CHILD_SA", ntohl(spi), reqid);
 		return;
 	}
@@ -510,6 +554,86 @@ static void process_expire(private_kernel_netlink_ipsec_t *this, struct nlmsghdr
 	charon->processor->queue_job(charon->processor, job);
 }
 
+/**
+ * process a XFRM_MSG_MIGRATE from kernel
+ */
+static void process_migrate(private_kernel_netlink_ipsec_t *this, struct nlmsghdr *hdr)
+{
+	traffic_selector_t *src_ts, *dst_ts;
+	host_t *local = NULL, *remote = NULL;
+	host_t *old_src = NULL, *old_dst = NULL;
+	host_t *new_src = NULL, *new_dst = NULL;
+	struct xfrm_userpolicy_id *policy_id;
+	struct rtattr *rta;
+	size_t rtasize;
+	u_int32_t reqid = 0;
+	policy_dir_t dir;
+	job_t *job;
+
+	policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
+	rta     = XFRM_RTA(hdr, struct xfrm_userpolicy_id);
+	rtasize = XFRM_PAYLOAD(hdr, struct xfrm_userpolicy_id);
+
+	DBG2(DBG_KNL, "received a XFRM_MSG_MIGRATE");
+	
+	src_ts = selector2ts(&policy_id->sel, TRUE);
+	dst_ts = selector2ts(&policy_id->sel, FALSE);
+	dir = (policy_dir_t)policy_id->dir;
+
+	DBG2(DBG_KNL, "  policy: %R === %R %N", src_ts, dst_ts, policy_dir_names);
+
+	while (RTA_OK(rta, rtasize))
+	{
+		DBG2(DBG_KNL, "  %N", xfrm_attr_type_names, rta->rta_type);
+		if (rta->rta_type == XFRMA_KMADDRESS)
+		{
+			struct xfrm_user_kmaddress *kmaddress;
+
+			kmaddress = (struct xfrm_user_kmaddress*)RTA_DATA(rta);
+			local  = xfrm2host(kmaddress->family, &kmaddress->local, 0);
+			remote = xfrm2host(kmaddress->family, &kmaddress->remote, 0);
+			DBG2(DBG_KNL, "  kmaddress: %H...%H", local, remote);
+		}
+		else if (rta->rta_type == XFRMA_MIGRATE)
+		{
+			struct xfrm_user_migrate *migrate;
+			protocol_id_t proto;
+
+			migrate = (struct xfrm_user_migrate*)RTA_DATA(rta);
+			old_src = xfrm2host(migrate->old_family, &migrate->old_saddr, 0);
+			old_dst = xfrm2host(migrate->old_family, &migrate->old_daddr, 0);
+			new_src = xfrm2host(migrate->new_family, &migrate->new_saddr, 0);
+			new_dst = xfrm2host(migrate->new_family, &migrate->new_daddr, 0);
+			proto = proto_kernel2ike(migrate->proto);
+			reqid = migrate->reqid;
+			DBG2(DBG_KNL, "  migrate %N %H...%H to %H...%H, reqid {%u}",
+							 protocol_id_names, proto, old_src, old_dst,
+							 new_src, new_dst, reqid);
+			DESTROY_IF(old_src);
+			DESTROY_IF(old_dst);
+			DESTROY_IF(new_src);
+			DESTROY_IF(new_dst);
+		}
+		rta = RTA_NEXT(rta, rtasize);
+	}
+
+	if (src_ts && dst_ts && local && remote)
+	{
+		DBG1(DBG_KNL, "creating migrate job for policy %R === %R %N with reqid {%u}",
+					   src_ts, dst_ts, policy_dir_names, dir, reqid, local);
+		job = (job_t*)migrate_job_create(reqid, src_ts, dst_ts, dir,
+										 local, remote);
+		charon->processor->queue_job(charon->processor, job);
+	}
+	else
+	{
+		DESTROY_IF(src_ts);
+		DESTROY_IF(dst_ts);
+		DESTROY_IF(local);
+		DESTROY_IF(remote);
+	}
+}
+
 /**
  * process a XFRM_MSG_MAPPING from kernel
  */
@@ -534,7 +658,7 @@ static void process_mapping(private_kernel_netlink_ipsec_t *this,
 		if (host)
 		{
 			DBG1(DBG_KNL, "NAT mappings of ESP CHILD_SA with SPI %.8x and "
-				"reqid {%d} changed, queueing update job", ntohl(spi), reqid);
+				"reqid {%u} changed, queuing update job", ntohl(spi), reqid);
 			job = (job_t*)update_sa_job_create(reqid, host);
 			charon->processor->queue_job(charon->processor, job);
 		}
@@ -589,6 +713,9 @@ static job_requeue_t receive_events(private_kernel_netlink_ipsec_t *this)
 			case XFRM_MSG_EXPIRE:
 				process_expire(this, hdr);
 				break;
+			case XFRM_MSG_MIGRATE:
+				process_migrate(this, hdr);
+				break;
 			case XFRM_MSG_MAPPING:
 				process_mapping(this, hdr);
 				break;
@@ -600,64 +727,6 @@ static job_requeue_t receive_events(private_kernel_netlink_ipsec_t *this)
 	return JOB_REQUEUE_DIRECT;
 }
 
-/**
- * Tries to find an ip address of a local interface that is included in the
- * supplied traffic selector.
- */
-static status_t get_address_by_ts(private_kernel_netlink_ipsec_t *this,
-								  traffic_selector_t *ts, host_t **ip)
-{
-	enumerator_t *addrs;
-	host_t *host;
-	int family;
-	bool found = FALSE;
-	
-	DBG2(DBG_KNL, "getting a local address in traffic selector %R", ts);
-	
-	/* if we have a family which includes localhost, we do not
-	 * search for an IP, we use the default */
-	family = ts->get_type(ts) == TS_IPV4_ADDR_RANGE ? AF_INET : AF_INET6;
-	
-	if (family == AF_INET)
-	{
-		host = host_create_from_string("127.0.0.1", 0);
-	}
-	else
-	{
-		host = host_create_from_string("::1", 0);
-	}
-	
-	if (ts->includes(ts, host))
-	{
-		*ip = host_create_any(family);
-		host->destroy(host);
-		DBG2(DBG_KNL, "using host %H", *ip);
-		return SUCCESS;
-	}
-	host->destroy(host);
-	
-	addrs = charon->kernel_interface->create_address_enumerator(
-				charon->kernel_interface, TRUE, TRUE);
-	while (addrs->enumerate(addrs, (void**)&host))
-	{
-		if (ts->includes(ts, host))
-		{
-			found = TRUE;
-			*ip = host->clone(host);
-			break;
-		}
-	}
-	addrs->destroy(addrs);
-	
-	if (!found)
-	{
-		DBG1(DBG_KNL, "no local address found in traffic selector %R", ts);
-		return FAILED;
-	}
-	DBG2(DBG_KNL, "using host %H", *ip);
-	return SUCCESS;
-}
-
 /**
  * Get an SPI for a specific protocol from the kernel.
  */
@@ -665,7 +734,7 @@ static status_t get_spi_internal(private_kernel_netlink_ipsec_t *this,
 		host_t *src, host_t *dst, u_int8_t proto, u_int32_t min, u_int32_t max,
 		u_int32_t reqid, u_int32_t *spi)
 {
-	unsigned char request[NETLINK_BUFFER_SIZE];
+	netlink_buf_t request;
 	struct nlmsghdr *hdr, *out;
 	struct xfrm_userspi_info *userspi;
 	u_int32_t received_spi = 0;
@@ -737,16 +806,16 @@ static status_t get_spi(private_kernel_netlink_ipsec_t *this,
 						protocol_id_t protocol, u_int32_t reqid,
 						u_int32_t *spi)
 {
-	DBG2(DBG_KNL, "getting SPI for reqid {%d}", reqid);
+	DBG2(DBG_KNL, "getting SPI for reqid {%u}", reqid);
 	
 	if (get_spi_internal(this, src, dst, proto_ike2kernel(protocol),
 			0xc0000000, 0xcFFFFFFF, reqid, spi) != SUCCESS)
 	{
-		DBG1(DBG_KNL, "unable to get SPI for reqid {%d}", reqid);
+		DBG1(DBG_KNL, "unable to get SPI for reqid {%u}", reqid);
 		return FAILED;
 	}
 	
-	DBG2(DBG_KNL, "got SPI %.8x for reqid {%d}", ntohl(*spi), reqid);
+	DBG2(DBG_KNL, "got SPI %.8x for reqid {%u}", ntohl(*spi), reqid);
 	
 	return SUCCESS;
 }
@@ -760,18 +829,18 @@ static status_t get_cpi(private_kernel_netlink_ipsec_t *this,
 {
 	u_int32_t received_spi = 0;
 
-	DBG2(DBG_KNL, "getting CPI for reqid {%d}", reqid);
+	DBG2(DBG_KNL, "getting CPI for reqid {%u}", reqid);
 	
 	if (get_spi_internal(this, src, dst,
 			IPPROTO_COMP, 0x100, 0xEFFF, reqid, &received_spi) != SUCCESS)
 	{
-		DBG1(DBG_KNL, "unable to get CPI for reqid {%d}", reqid);
+		DBG1(DBG_KNL, "unable to get CPI for reqid {%u}", reqid);
 		return FAILED;
 	}
 	
 	*cpi = htons((u_int16_t)ntohl(received_spi));
 	
-	DBG2(DBG_KNL, "got CPI %.4x for reqid {%d}", ntohs(*cpi), reqid);
+	DBG2(DBG_KNL, "got CPI %.4x for reqid {%u}", ntohs(*cpi), reqid);
 	
 	return SUCCESS;
 }
@@ -783,26 +852,35 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this,
 					   host_t *src, host_t *dst, u_int32_t spi,
 					   protocol_id_t protocol, u_int32_t reqid,
 					   u_int64_t expire_soft, u_int64_t expire_hard,
-					   u_int16_t enc_alg, u_int16_t enc_size,
-					   u_int16_t int_alg, u_int16_t int_size,
-					   prf_plus_t *prf_plus, ipsec_mode_t mode,
-					   u_int16_t ipcomp, bool encap,
-					   bool replace)
+					   u_int16_t enc_alg, chunk_t enc_key,
+					   u_int16_t int_alg, chunk_t int_key,
+					   ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
+					   bool encap, bool inbound)
 {
-	unsigned char request[NETLINK_BUFFER_SIZE];
+	netlink_buf_t request;
 	char *alg_name;
-	/* additional 4 octets KEYMAT required for AES-GCM as of RFC4106 8.1. */
-	u_int16_t add_keymat = 32; 
 	struct nlmsghdr *hdr;
 	struct xfrm_usersa_info *sa;
+	u_int16_t icv_size = 64;	
+	
+	/* if IPComp is used, we install an additional IPComp SA. if the cpi is 0
+	 * we are in the recursive call below */
+	if (ipcomp != IPCOMP_NONE && cpi != 0)
+	{
+		add_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, reqid, 0, 0,
+ 			   ENCR_UNDEFINED, chunk_empty, AUTH_UNDEFINED, chunk_empty,
+ 			   mode, ipcomp, 0, FALSE, inbound);
+		ipcomp = IPCOMP_NONE;
+	}
 	
 	memset(&request, 0, sizeof(request));
 	
-	DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%d}", ntohl(spi), reqid);
-
+	DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%u}",
+		 ntohl(spi), reqid);
+	
 	hdr = (struct nlmsghdr*)request;
 	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
-	hdr->nlmsg_type = replace ? XFRM_MSG_UPDSA : XFRM_MSG_NEWSA;
+	hdr->nlmsg_type = inbound ? XFRM_MSG_UPDSA : XFRM_MSG_NEWSA;
 	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
 	
 	sa = (struct xfrm_usersa_info*)NLMSG_DATA(hdr);
@@ -836,19 +914,19 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this,
 		case ENCR_UNDEFINED:
 			/* no encryption */
 			break;
-		case ENCR_AES_CCM_ICV8:
-		case ENCR_AES_CCM_ICV12:
 		case ENCR_AES_CCM_ICV16:
-			/* AES-CCM needs only 3 additional octets KEYMAT as of RFC 4309 7.1. */
-			add_keymat = 24;
-			/* fall-through */
-		case ENCR_AES_GCM_ICV8:
-		case ENCR_AES_GCM_ICV12:
 		case ENCR_AES_GCM_ICV16:
+			icv_size += 32;
+			/* FALL */
+		case ENCR_AES_CCM_ICV12:
+		case ENCR_AES_GCM_ICV12:
+			icv_size += 32;
+			/* FALL */
+		case ENCR_AES_CCM_ICV8:
+		case ENCR_AES_GCM_ICV8:
 		{
-			u_int16_t icv_size = 0;
 			rthdr->rta_type = XFRMA_ALG_AEAD;
-			alg_name = lookup_algorithm(encryption_algs, enc_alg, &icv_size);
+			alg_name = lookup_algorithm(encryption_algs, enc_alg);
 			if (alg_name == NULL)
 			{
 				DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
@@ -856,12 +934,9 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this,
 				return FAILED;
 			}
 			DBG2(DBG_KNL, "  using encryption algorithm %N with key size %d",
-				 encryption_algorithm_names, enc_alg, enc_size);
+				 encryption_algorithm_names, enc_alg, enc_key.len * 8);
 			
-			/* additional KEYMAT required */
-			enc_size += add_keymat;
-			
-			rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo_aead) + enc_size / 8);
+			rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo_aead) + enc_key.len);
 			hdr->nlmsg_len += rthdr->rta_len;
 			if (hdr->nlmsg_len > sizeof(request))
 			{
@@ -869,10 +944,10 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this,
 			}
 			
 			struct xfrm_algo_aead* algo = (struct xfrm_algo_aead*)RTA_DATA(rthdr);
-			algo->alg_key_len = enc_size;
+			algo->alg_key_len = enc_key.len * 8;
 			algo->alg_icv_len = icv_size;
 			strcpy(algo->alg_name, alg_name);
-			prf_plus->get_bytes(prf_plus, enc_size / 8, algo->alg_key);
+			memcpy(algo->alg_key, enc_key.ptr, enc_key.len);
 			
 			rthdr = XFRM_RTA_NEXT(rthdr);
 			break;
@@ -880,7 +955,7 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this,
 		default:
 		{
 			rthdr->rta_type = XFRMA_ALG_CRYPT;
-			alg_name = lookup_algorithm(encryption_algs, enc_alg, &enc_size);
+			alg_name = lookup_algorithm(encryption_algs, enc_alg);
 			if (alg_name == NULL)
 			{
 				DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
@@ -888,9 +963,9 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this,
 				return FAILED;
 			}
 			DBG2(DBG_KNL, "  using encryption algorithm %N with key size %d",
-				 encryption_algorithm_names, enc_alg, enc_size);
+				 encryption_algorithm_names, enc_alg, enc_key.len * 8);
 			
-			rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + enc_size / 8);
+			rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + enc_key.len);
 			hdr->nlmsg_len += rthdr->rta_len;
 			if (hdr->nlmsg_len > sizeof(request))
 			{
@@ -898,9 +973,9 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this,
 			}
 			
 			struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
-			algo->alg_key_len = enc_size;
+			algo->alg_key_len = enc_key.len * 8;
 			strcpy(algo->alg_name, alg_name);
-			prf_plus->get_bytes(prf_plus, enc_size / 8, algo->alg_key);
+			memcpy(algo->alg_key, enc_key.ptr, enc_key.len);
 			
 			rthdr = XFRM_RTA_NEXT(rthdr);
 			break;
@@ -910,7 +985,7 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this,
 	if (int_alg  != AUTH_UNDEFINED)
 	{
 		rthdr->rta_type = XFRMA_ALG_AUTH;
-		alg_name = lookup_algorithm(integrity_algs, int_alg, &int_size);
+		alg_name = lookup_algorithm(integrity_algs, int_alg);
 		if (alg_name == NULL)
 		{
 			DBG1(DBG_KNL, "algorithm %N not supported by kernel!", 
@@ -918,9 +993,9 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this,
 			return FAILED;
 		}
 		DBG2(DBG_KNL, "  using integrity algorithm %N with key size %d",
-			 integrity_algorithm_names, int_alg, int_size);
+			 integrity_algorithm_names, int_alg, int_key.len * 8);
 		
-		rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + int_size / 8);
+		rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + int_key.len);
 		hdr->nlmsg_len += rthdr->rta_len;
 		if (hdr->nlmsg_len > sizeof(request))
 		{
@@ -928,9 +1003,9 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this,
 		}
 		
 		struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
-		algo->alg_key_len = int_size;
+		algo->alg_key_len = int_key.len * 8;
 		strcpy(algo->alg_name, alg_name);
-		prf_plus->get_bytes(prf_plus, int_size / 8, algo->alg_key);
+		memcpy(algo->alg_key, int_key.ptr, int_key.len);
 		
 		rthdr = XFRM_RTA_NEXT(rthdr);
 	}
@@ -938,7 +1013,7 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this,
 	if (ipcomp != IPCOMP_NONE)
 	{
 		rthdr->rta_type = XFRMA_ALG_COMP;
-		alg_name = lookup_algorithm(compression_algs, ipcomp, NULL);
+		alg_name = lookup_algorithm(compression_algs, ipcomp);
 		if (alg_name == NULL)
 		{
 			DBG1(DBG_KNL, "algorithm %N not supported by kernel!", 
@@ -1005,7 +1080,7 @@ static status_t get_replay_state(private_kernel_netlink_ipsec_t *this,
 						  u_int32_t spi, protocol_id_t protocol, host_t *dst,
 						  struct xfrm_replay_state *replay)
 {
-	unsigned char request[NETLINK_BUFFER_SIZE];
+	netlink_buf_t request;
 	struct nlmsghdr *hdr, *out = NULL;
 	struct xfrm_aevent_id *out_aevent = NULL, *aevent_id;
 	size_t len;
@@ -1020,7 +1095,7 @@ static status_t get_replay_state(private_kernel_netlink_ipsec_t *this,
 	hdr->nlmsg_flags = NLM_F_REQUEST;
 	hdr->nlmsg_type = XFRM_MSG_GETAE;
 	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_aevent_id));
-
+	
 	aevent_id = (struct xfrm_aevent_id*)NLMSG_DATA(hdr);
 	aevent_id->flags = XFRM_AE_RVAL;
 	
@@ -1070,9 +1145,10 @@ static status_t get_replay_state(private_kernel_netlink_ipsec_t *this,
 	rtasize = XFRM_PAYLOAD(out, struct xfrm_aevent_id);
 	while(RTA_OK(rta, rtasize))
 	{
-		if (rta->rta_type == XFRMA_REPLAY_VAL)
+		if (rta->rta_type == XFRMA_REPLAY_VAL &&
+			RTA_PAYLOAD(rta) == sizeof(struct xfrm_replay_state))
 		{
-			memcpy(replay, RTA_DATA(rta), rta->rta_len);
+			memcpy(replay, RTA_DATA(rta), RTA_PAYLOAD(rta));
 			free(out);
 			return SUCCESS;
 		}
@@ -1085,15 +1161,57 @@ static status_t get_replay_state(private_kernel_netlink_ipsec_t *this,
 	return FAILED;
 }
 
+/**
+ * Implementation of kernel_interface_t.del_sa.
+ */
+static status_t del_sa(private_kernel_netlink_ipsec_t *this, host_t *dst,
+					   u_int32_t spi, protocol_id_t protocol, u_int16_t cpi)
+{
+	netlink_buf_t request;
+	struct nlmsghdr *hdr;
+	struct xfrm_usersa_id *sa_id;
+	
+	/* if IPComp was used, we first delete the additional IPComp SA */
+	if (cpi)
+	{
+		del_sa(this, dst, htonl(ntohs(cpi)), IPPROTO_COMP, 0);
+	}
+	
+	memset(&request, 0, sizeof(request));
+	
+	DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x", ntohl(spi));
+	
+	hdr = (struct nlmsghdr*)request;
+	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
+	hdr->nlmsg_type = XFRM_MSG_DELSA;
+	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
+	
+	sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
+	host2xfrm(dst, &sa_id->daddr);
+	sa_id->spi = spi;
+	sa_id->proto = proto_ike2kernel(protocol);
+	sa_id->family = dst->get_family(dst);
+	
+	if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x", ntohl(spi));
+		return FAILED;
+	}
+	DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x", ntohl(spi));
+	return SUCCESS;
+}
+
 /**
  * Implementation of kernel_interface_t.update_sa.
  */
 static status_t update_sa(private_kernel_netlink_ipsec_t *this,
-						  u_int32_t spi, protocol_id_t protocol,
+						  u_int32_t spi, protocol_id_t protocol, u_int16_t cpi,
 						  host_t *src, host_t *dst,
-						  host_t *new_src, host_t *new_dst, bool encap)
+						  host_t *new_src, host_t *new_dst,
+						  bool old_encap, bool new_encap)
 {
-	unsigned char request[NETLINK_BUFFER_SIZE], *pos;
+	netlink_buf_t request;
+	u_char *pos;
 	struct nlmsghdr *hdr, *out = NULL;
 	struct xfrm_usersa_id *sa_id;
 	struct xfrm_usersa_info *out_sa = NULL, *sa;
@@ -1101,19 +1219,26 @@ static status_t update_sa(private_kernel_netlink_ipsec_t *this,
 	struct rtattr *rta;
 	size_t rtasize;
 	struct xfrm_encap_tmpl* tmpl = NULL;
-	bool got_replay_state;
+	bool got_replay_state = FALSE;
 	struct xfrm_replay_state replay;
 	
+	/* if IPComp is used, we first update the IPComp SA */
+	if (cpi)
+	{
+		update_sa(this, htonl(ntohs(cpi)), IPPROTO_COMP, 0,
+				  src, dst, new_src, new_dst, FALSE, FALSE);
+	}
+	
 	memset(&request, 0, sizeof(request));
 	
 	DBG2(DBG_KNL, "querying SAD entry with SPI %.8x for update", ntohl(spi));
-
+	
 	/* query the existing SA first */
 	hdr = (struct nlmsghdr*)request;
 	hdr->nlmsg_flags = NLM_F_REQUEST;
 	hdr->nlmsg_type = XFRM_MSG_GETSA;
 	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
-
+	
 	sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
 	host2xfrm(dst, &sa_id->daddr);
 	sa_id->spi = spi;
@@ -1156,11 +1281,13 @@ static status_t update_sa(private_kernel_netlink_ipsec_t *this,
 	}
 	
 	/* try to get the replay state */
-	got_replay_state = (get_replay_state(
-						this, spi, protocol, dst, &replay) == SUCCESS);
+	if (get_replay_state(this, spi, protocol, dst, &replay) == SUCCESS)
+	{
+		got_replay_state = TRUE;
+	}
 	
-	/* delete the old SA */
-	if (this->public.interface.del_sa(&this->public.interface, dst, spi, protocol) != SUCCESS)
+	/* delete the old SA (without affecting the IPComp SA) */
+	if (del_sa(this, dst, spi, protocol, 0) != SUCCESS)
 	{
 		DBG1(DBG_KNL, "unable to delete old SAD entry with SPI %.8x", ntohl(spi));
 		free(out);
@@ -1169,7 +1296,6 @@ static status_t update_sa(private_kernel_netlink_ipsec_t *this,
 	
 	DBG2(DBG_KNL, "updating SAD entry with SPI %.8x from %#H..%#H to %#H..%#H",
 		 ntohl(spi), src, dst, new_src, new_dst);
-	
 	/* copy over the SA from out to request */
 	hdr = (struct nlmsghdr*)request;
 	memcpy(hdr, out, min(out->nlmsg_len, sizeof(request)));
@@ -1194,7 +1320,7 @@ static status_t update_sa(private_kernel_netlink_ipsec_t *this,
 	while(RTA_OK(rta, rtasize))
 	{
 		/* copy all attributes, but not XFRMA_ENCAP if we are disabling it */
-		if (rta->rta_type != XFRMA_ENCAP || encap)
+		if (rta->rta_type != XFRMA_ENCAP || new_encap)
 		{
 			if (rta->rta_type == XFRMA_ENCAP)
 			{	/* update encap tmpl */
@@ -1210,7 +1336,7 @@ static status_t update_sa(private_kernel_netlink_ipsec_t *this,
 	}
 	
 	rta = (struct rtattr*)pos;
-	if (tmpl == NULL && encap)
+	if (tmpl == NULL && new_encap)
 	{	/* add tmpl if we are enabling it */
 		rta->rta_type = XFRMA_ENCAP;
 		rta->rta_len = RTA_LENGTH(sizeof(struct xfrm_encap_tmpl));
@@ -1256,108 +1382,6 @@ static status_t update_sa(private_kernel_netlink_ipsec_t *this,
 	return SUCCESS;
 }
 
-/**
- * Implementation of kernel_interface_t.query_sa.
- */
-static status_t query_sa(private_kernel_netlink_ipsec_t *this, host_t *dst,
-						 u_int32_t spi, protocol_id_t protocol,
-						 u_int32_t *use_time)
-{
-	unsigned char request[NETLINK_BUFFER_SIZE];
-	struct nlmsghdr *out = NULL, *hdr;
-	struct xfrm_usersa_id *sa_id;
-	struct xfrm_usersa_info *sa = NULL;
-	size_t len;
-	
-	DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi));
-	memset(&request, 0, sizeof(request));
-	
-	hdr = (struct nlmsghdr*)request;
-	hdr->nlmsg_flags = NLM_F_REQUEST;
-	hdr->nlmsg_type = XFRM_MSG_GETSA;
-	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
-
-	sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
-	host2xfrm(dst, &sa_id->daddr);
-	sa_id->spi = spi;
-	sa_id->proto = proto_ike2kernel(protocol);
-	sa_id->family = dst->get_family(dst);
-	
-	if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
-	{
-		hdr = out;
-		while (NLMSG_OK(hdr, len))
-		{
-			switch (hdr->nlmsg_type)
-			{
-				case XFRM_MSG_NEWSA:
-				{
-					sa = NLMSG_DATA(hdr);
-					break;
-				}
-				case NLMSG_ERROR:
-				{
-					struct nlmsgerr *err = NLMSG_DATA(hdr);
-					DBG1(DBG_KNL, "querying SAD entry failed: %s (%d)",
-						 strerror(-err->error), -err->error);
-					break;
-				}
-				default:
-					hdr = NLMSG_NEXT(hdr, len);
-					continue;
-				case NLMSG_DONE:
-					break;
-			}
-			break;
-		}
-	}
-	
-	if (sa == NULL)
-	{
-		DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi));
-		free(out);
-		return FAILED;
-	}
-	
-	*use_time = sa->curlft.use_time;
-	free (out);
-	return SUCCESS;
-}
-
-/**
- * Implementation of kernel_interface_t.del_sa.
- */
-static status_t del_sa(private_kernel_netlink_ipsec_t *this, host_t *dst,
-					   u_int32_t spi, protocol_id_t protocol)
-{
-	unsigned char request[NETLINK_BUFFER_SIZE];
-	struct nlmsghdr *hdr;
-	struct xfrm_usersa_id *sa_id;
-	
-	memset(&request, 0, sizeof(request));
-	
-	DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x", ntohl(spi));
-	
-	hdr = (struct nlmsghdr*)request;
-	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
-	hdr->nlmsg_type = XFRM_MSG_DELSA;
-	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
-	
-	sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
-	host2xfrm(dst, &sa_id->daddr);
-	sa_id->spi = spi;
-	sa_id->proto = proto_ike2kernel(protocol);
-	sa_id->family = dst->get_family(dst);
-	
-	if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
-	{
-		DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x", ntohl(spi));
-		return FAILED;
-	}
-	DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x", ntohl(spi));
-	return SUCCESS;
-}
-
 /**
  * Implementation of kernel_interface_t.add_policy.
  */
@@ -1365,14 +1389,15 @@ static status_t add_policy(private_kernel_netlink_ipsec_t *this,
 						   host_t *src, host_t *dst,
 						   traffic_selector_t *src_ts,
 						   traffic_selector_t *dst_ts,
-						   policy_dir_t direction, protocol_id_t protocol,
-						   u_int32_t reqid, bool high_prio, ipsec_mode_t mode,
-						   u_int16_t ipcomp)
+						   policy_dir_t direction, u_int32_t spi,
+						   protocol_id_t protocol, u_int32_t reqid,
+						   ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
+						   bool routed)
 {
 	iterator_t *iterator;
 	policy_entry_t *current, *policy;
 	bool found = FALSE;
-	unsigned char request[NETLINK_BUFFER_SIZE];
+	netlink_buf_t request;
 	struct xfrm_userpolicy_info *policy_info;
 	struct nlmsghdr *hdr;
 	
@@ -1383,7 +1408,7 @@ static status_t add_policy(private_kernel_netlink_ipsec_t *this,
 	policy->direction = direction;
 	
 	/* find the policy, which matches EXACTLY */
-	pthread_mutex_lock(&this->mutex);
+	this->mutex->lock(this->mutex);
 	iterator = this->policies->create_iterator(this->policies, TRUE);
 	while (iterator->iterate(iterator, (void**)&current))
 	{
@@ -1421,13 +1446,13 @@ static status_t add_policy(private_kernel_netlink_ipsec_t *this,
 	policy_info->sel = policy->sel;
 	policy_info->dir = policy->direction;
 	/* calculate priority based on source selector size, small size = high prio */
-	policy_info->priority = high_prio ? PRIO_HIGH : PRIO_LOW;
+	policy_info->priority = routed ? PRIO_LOW : PRIO_HIGH;
 	policy_info->priority -= policy->sel.prefixlen_s * 10;
 	policy_info->priority -= policy->sel.proto ? 2 : 0;
 	policy_info->priority -= policy->sel.sport_mask ? 1 : 0;
 	policy_info->action = XFRM_POLICY_ALLOW;
 	policy_info->share = XFRM_SHARE_ANY;
-	pthread_mutex_unlock(&this->mutex);
+	this->mutex->unlock(this->mutex);
 	
 	/* policies don't expire */
 	policy_info->lft.soft_byte_limit = XFRM_INF;
@@ -1503,7 +1528,8 @@ static status_t add_policy(private_kernel_netlink_ipsec_t *this,
 	{
 		route_entry_t *route = malloc_thing(route_entry_t);
 		
-		if (get_address_by_ts(this, dst_ts, &route->src_ip) == SUCCESS)
+		if (charon->kernel_interface->get_address_by_ts(charon->kernel_interface,
+				dst_ts, &route->src_ip) == SUCCESS)
 		{
 			/* get the nexthop to src (src as we are in POLICY_FWD).*/
 			route->gateway = charon->kernel_interface->get_nexthop(
@@ -1514,22 +1540,30 @@ static status_t add_policy(private_kernel_netlink_ipsec_t *this,
 			memcpy(route->dst_net.ptr, &policy->sel.saddr, route->dst_net.len);
 			route->prefixlen = policy->sel.prefixlen_s;
 			
-			switch (charon->kernel_interface->add_route(charon->kernel_interface,
-					route->dst_net, route->prefixlen, route->gateway,
-					route->src_ip, route->if_name))
+			if (route->if_name)
+			{			
+				switch (charon->kernel_interface->add_route(
+									charon->kernel_interface, route->dst_net,
+									route->prefixlen, route->gateway,
+									route->src_ip, route->if_name))
+				{
+					default:
+						DBG1(DBG_KNL, "unable to install source route for %H",
+							 route->src_ip);
+						/* FALL */
+					case ALREADY_DONE:
+						/* route exists, do not uninstall */
+						route_entry_destroy(route);
+						break;
+					case SUCCESS:
+						/* cache the installed route */
+						policy->route = route;
+						break;
+				}
+			}
+			else
 			{
-				default:
-					DBG1(DBG_KNL, "unable to install source route for %H",
-						 route->src_ip);
-					/* FALL */
-				case ALREADY_DONE:
-					/* route exists, do not uninstall */
-					route_entry_destroy(route);
-					break;
-				case SUCCESS:
-					/* cache the installed route */
-					policy->route = route;
-					break;
+				route_entry_destroy(route);
 			}
 		}
 		else
@@ -1537,7 +1571,6 @@ static status_t add_policy(private_kernel_netlink_ipsec_t *this,
 			free(route);
 		}
 	}
-
 	return SUCCESS;
 }
 
@@ -1549,7 +1582,7 @@ static status_t query_policy(private_kernel_netlink_ipsec_t *this,
 							 traffic_selector_t *dst_ts,
 							 policy_dir_t direction, u_int32_t *use_time)
 {
-	unsigned char request[NETLINK_BUFFER_SIZE];
+	netlink_buf_t request;
 	struct nlmsghdr *out = NULL, *hdr;
 	struct xfrm_userpolicy_id *policy_id;
 	struct xfrm_userpolicy_info *policy = NULL;
@@ -1617,14 +1650,14 @@ static status_t query_policy(private_kernel_netlink_ipsec_t *this,
 static status_t del_policy(private_kernel_netlink_ipsec_t *this,
 						   traffic_selector_t *src_ts, 
 						   traffic_selector_t *dst_ts,
-						   policy_dir_t direction)
+						   policy_dir_t direction, bool unrouted)
 {
 	policy_entry_t *current, policy, *to_delete = NULL;
 	route_entry_t *route;
-	unsigned char request[NETLINK_BUFFER_SIZE];
+	netlink_buf_t request;
 	struct nlmsghdr *hdr;
 	struct xfrm_userpolicy_id *policy_id;
-	iterator_t *iterator;
+	enumerator_t *enumerator;
 	
 	DBG2(DBG_KNL, "deleting policy %R === %R %N", src_ts, dst_ts,
 				   policy_dir_names, direction);
@@ -1635,10 +1668,11 @@ static status_t del_policy(private_kernel_netlink_ipsec_t *this,
 	policy.direction = direction;
 	
 	/* find the policy */
-	iterator = this->policies->create_iterator_locked(this->policies, &this->mutex);
-	while (iterator->iterate(iterator, (void**)&current))
+	this->mutex->lock(this->mutex);
+	enumerator = this->policies->create_enumerator(this->policies);
+	while (enumerator->enumerate(enumerator, &current))
 	{
-		if (memcmp(&current->sel, &policy.sel, sizeof(struct xfrm_selector)) == 0 &&
+		if (memeq(&current->sel, &policy.sel, sizeof(struct xfrm_selector)) &&
 			policy.direction == current->direction)
 		{
 			to_delete = current;
@@ -1646,15 +1680,17 @@ static status_t del_policy(private_kernel_netlink_ipsec_t *this,
 			{
 				/* is used by more SAs, keep in kernel */
 				DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed");
-				iterator->destroy(iterator);
+				this->mutex->unlock(this->mutex);
+				enumerator->destroy(enumerator);
 				return SUCCESS;
 			}
 			/* remove if last reference */
-			iterator->remove(iterator);
+			this->policies->remove_at(this->policies, enumerator);
 			break;
 		}
 	}
-	iterator->destroy(iterator);
+	this->mutex->unlock(this->mutex);
+	enumerator->destroy(enumerator);
 	if (!to_delete)
 	{
 		DBG1(DBG_KNL, "deleting policy %R === %R %N failed, not found", src_ts,
@@ -1707,9 +1743,75 @@ static void destroy(private_kernel_netlink_ipsec_t *this)
 	close(this->socket_xfrm_events);
 	this->socket_xfrm->destroy(this->socket_xfrm);
 	this->policies->destroy(this->policies);
+	this->mutex->destroy(this->mutex);
 	free(this);
 }
 
+/**
+ * Add bypass policies for IKE on the sockets used by charon
+ */
+static bool add_bypass_policies()
+{
+	int fd, family, port;
+	enumerator_t *sockets;
+	bool status = TRUE;
+	
+	/* we open an AF_KEY socket to autoload the af_key module. Otherwise
+	 * setsockopt(IPSEC_POLICY) won't work. */
+	fd = socket(AF_KEY, SOCK_RAW, PF_KEY_V2);
+	if (fd == 0)
+	{
+		DBG1(DBG_KNL, "could not open AF_KEY socket");
+		return FALSE;
+	}
+	close(fd);
+	
+	sockets = charon->socket->create_enumerator(charon->socket);
+	while (sockets->enumerate(sockets, &fd, &family, &port))
+	{
+		struct sadb_x_policy policy;
+		u_int sol, ipsec_policy;
+		
+		switch (family)
+		{
+			case AF_INET:
+				sol = SOL_IP;
+				ipsec_policy = IP_IPSEC_POLICY;
+				break;
+			case AF_INET6:
+				sol = SOL_IPV6;
+				ipsec_policy = IPV6_IPSEC_POLICY;
+				break;
+			default:
+				continue;
+		}
+		
+		memset(&policy, 0, sizeof(policy));
+		policy.sadb_x_policy_len = sizeof(policy) / sizeof(u_int64_t);
+		policy.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
+		policy.sadb_x_policy_type = IPSEC_POLICY_BYPASS;
+	
+		policy.sadb_x_policy_dir = IPSEC_DIR_OUTBOUND;
+		if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
+		{
+			DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
+				 strerror(errno));
+			status = FALSE;
+			break;
+		}
+		policy.sadb_x_policy_dir = IPSEC_DIR_INBOUND;
+		if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
+		{
+			DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s", 
+				 strerror(errno));
+			status = FALSE;
+			break;
+		}
+	}
+	sockets->destroy(sockets);
+	return status;
+}
+
 /*
  * Described in header.
  */
@@ -1721,33 +1823,39 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create()
 	/* public functions */
 	this->public.interface.get_spi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,protocol_id_t,u_int32_t,u_int32_t*))get_spi;
 	this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
-	this->public.interface.add_sa  = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,u_int16_t,u_int16_t,u_int16_t,prf_plus_t*,ipsec_mode_t,u_int16_t,bool,bool))add_sa;
-	this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,host_t*,host_t*,host_t*,host_t*,bool))update_sa;
-	this->public.interface.query_sa = (status_t(*)(kernel_ipsec_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t*))query_sa;
-	this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,u_int32_t,protocol_id_t))del_sa;
-	this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,protocol_id_t,u_int32_t,bool,ipsec_mode_t,u_int16_t))add_policy;
+	this->public.interface.add_sa  = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa;
+	this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa;
+	this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
+	this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t,protocol_id_t,u_int32_t,ipsec_mode_t,u_int16_t,u_int16_t,bool))add_policy;
 	this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
-	this->public.interface.del_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t))del_policy;
+	this->public.interface.del_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,bool))del_policy;
 	this->public.interface.destroy = (void(*)(kernel_ipsec_t*)) destroy;
 
 	/* private members */
 	this->policies = linked_list_create();
-	pthread_mutex_init(&this->mutex, NULL);
+	this->mutex = mutex_create(MUTEX_DEFAULT);
 	this->install_routes = lib->settings->get_bool(lib->settings,
 					"charon.install_routes", TRUE);
 	
+	/* add bypass policies on the sockets used by charon */
+	if (!add_bypass_policies())
+	{
+		charon->kill(charon, "unable to add bypass policies on sockets");
+	}
+	
 	this->socket_xfrm = netlink_socket_create(NETLINK_XFRM);
 	
 	memset(&addr, 0, sizeof(addr));
 	addr.nl_family = AF_NETLINK;
 	
-	/* create and bind XFRM socket for ACQUIRE & EXPIRE */
+	/* create and bind XFRM socket for ACQUIRE, EXPIRE, MIGRATE & MAPPING */
 	this->socket_xfrm_events = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);
 	if (this->socket_xfrm_events <= 0)
 	{
 		charon->kill(charon, "unable to create XFRM event socket");
 	}
-	addr.nl_groups = XFRMNLGRP(ACQUIRE) | XFRMNLGRP(EXPIRE) | XFRMNLGRP(MAPPING);
+	addr.nl_groups = XFRMNLGRP(ACQUIRE) | XFRMNLGRP(EXPIRE) |
+					 XFRMNLGRP(MIGRATE) | XFRMNLGRP(MAPPING);
 	if (bind(this->socket_xfrm_events, (struct sockaddr*)&addr, sizeof(addr)))
 	{
 		charon->kill(charon, "unable to bind XFRM event socket");
diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_net.c b/src/charon/plugins/kernel_netlink/kernel_netlink_net.c
index d8bba9412..69a781c14 100644
--- a/src/charon/plugins/kernel_netlink/kernel_netlink_net.c
+++ b/src/charon/plugins/kernel_netlink/kernel_netlink_net.c
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: kernel_netlink_net.c 4391 2008-10-09 05:44:00Z andreas $
+ * $Id: kernel_netlink_net.c 4660 2008-11-14 14:23:11Z martin $
  */
 
 #include <sys/socket.h>
@@ -29,6 +29,7 @@
 #include "kernel_netlink_shared.h"
 
 #include <daemon.h>
+#include <utils/mutex.h>
 #include <utils/linked_list.h>
 #include <processing/jobs/callback_job.h>
 #include <processing/jobs/roam_job.h>
@@ -116,12 +117,12 @@ struct private_kernel_netlink_net_t {
 	/**
 	 * mutex to lock access to various lists
 	 */
-	pthread_mutex_t mutex;
+	mutex_t *mutex;
 	
 	/**
 	 * condition variable to signal virtual IP add/removal
 	 */
-	pthread_cond_t cond;
+	condvar_t *condvar;
 	
 	/**
 	 * Cached list of interfaces and its addresses (iface_entry_t)
@@ -157,7 +158,7 @@ struct private_kernel_netlink_net_t {
 	 * priority of used routing table
 	 */
 	int routing_table_prio;
-
+	
 	/**
 	 * whether to react to RTM_NEWROUTE or RTM_DELROUTE events
 	 */
@@ -206,7 +207,7 @@ static int get_vip_refcount(private_kernel_netlink_net_t *this, host_t* ip)
 static void fire_roam_job(private_kernel_netlink_net_t *this, bool address)
 {
 	struct timeval now;
-		
+	
 	if (gettimeofday(&now, NULL) == 0)
 	{
 		if (timercmp(&now, &this->last_roam, >))
@@ -233,7 +234,7 @@ static void process_link(private_kernel_netlink_net_t *this,
 	struct ifinfomsg* msg = (struct ifinfomsg*)(NLMSG_DATA(hdr));
 	struct rtattr *rta = IFLA_RTA(msg);
 	size_t rtasize = IFLA_PAYLOAD (hdr);
-	iterator_t *iterator;
+	enumerator_t *enumerator;
 	iface_entry_t *current, *entry = NULL;
 	char *name = NULL;
 	bool update = FALSE;
@@ -253,6 +254,7 @@ static void process_link(private_kernel_netlink_net_t *this,
 		name = "(unknown)";
 	}
 	
+	this->mutex->lock(this->mutex);
 	switch (hdr->nlmsg_type)
 	{
 		case RTM_NEWLINK:
@@ -261,9 +263,8 @@ static void process_link(private_kernel_netlink_net_t *this,
 			{	/* ignore loopback interfaces */
 				break;
 			}
-			iterator = this->ifaces->create_iterator_locked(this->ifaces,
-															&this->mutex);
-			while (iterator->iterate(iterator, (void**)&current))
+			enumerator = this->ifaces->create_enumerator(this->ifaces);
+			while (enumerator->enumerate(enumerator, &current))
 			{
 				if (current->ifindex == msg->ifi_index)
 				{
@@ -271,6 +272,7 @@ static void process_link(private_kernel_netlink_net_t *this,
 					break;
 				}
 			}
+			enumerator->destroy(enumerator);
 			if (!entry)
 			{
 				entry = malloc_thing(iface_entry_t);
@@ -295,14 +297,12 @@ static void process_link(private_kernel_netlink_net_t *this,
 				}
 			}
 			entry->flags = msg->ifi_flags;
-			iterator->destroy(iterator);
 			break;
 		}
 		case RTM_DELLINK:
 		{
-			iterator = this->ifaces->create_iterator_locked(this->ifaces,
-															&this->mutex);
-			while (iterator->iterate(iterator, (void**)&current))
+			enumerator = this->ifaces->create_enumerator(this->ifaces);
+			while (enumerator->enumerate(enumerator, &current))
 			{
 				if (current->ifindex == msg->ifi_index)
 				{
@@ -312,10 +312,11 @@ static void process_link(private_kernel_netlink_net_t *this,
 					break;
 				}
 			}
-			iterator->destroy(iterator);
+			enumerator->destroy(enumerator);
 			break;
 		}
 	}
+	this->mutex->unlock(this->mutex);
 	
 	/* send an update to all IKE_SAs */
 	if (update && event)
@@ -334,7 +335,7 @@ static void process_addr(private_kernel_netlink_net_t *this,
 	struct rtattr *rta = IFA_RTA(msg);
 	size_t rtasize = IFA_PAYLOAD (hdr);
 	host_t *host = NULL;
-	iterator_t *ifaces, *addrs;
+	enumerator_t *ifaces, *addrs;
 	iface_entry_t *iface;
 	addr_entry_t *addr;
 	chunk_t local = chunk_empty, address = chunk_empty;
@@ -373,20 +374,21 @@ static void process_addr(private_kernel_netlink_net_t *this,
 		return;
 	}
 	
-	ifaces = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
-	while (ifaces->iterate(ifaces, (void**)&iface))
+	this->mutex->lock(this->mutex);
+	ifaces = this->ifaces->create_enumerator(this->ifaces);
+	while (ifaces->enumerate(ifaces, &iface))
 	{
 		if (iface->ifindex == msg->ifa_index)
 		{
-			addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
-			while (addrs->iterate(addrs, (void**)&addr))
+			addrs = iface->addrs->create_enumerator(iface->addrs);
+			while (addrs->enumerate(addrs, &addr))
 			{
 				if (host->ip_equals(host, addr->ip))
 				{
 					found = TRUE;
 					if (hdr->nlmsg_type == RTM_DELADDR)
 					{
-						addrs->remove(addrs);
+						iface->addrs->remove_at(iface->addrs, addrs);
 						if (!addr->virtual)
 						{
 							changed = TRUE;
@@ -430,6 +432,7 @@ static void process_addr(private_kernel_netlink_net_t *this,
 		}
 	}
 	ifaces->destroy(ifaces);
+	this->mutex->unlock(this->mutex);
 	host->destroy(host);
 	
 	/* send an update to all IKE_SAs */
@@ -468,10 +471,12 @@ static void process_route(private_kernel_netlink_net_t *this, struct nlmsghdr *h
 	}
 	if (host)
 	{
+		this->mutex->lock(this->mutex);
 		if (!get_vip_refcount(this, host))
 		{	/* ignore routes added for virtual IPs */
 			fire_roam_job(this, FALSE);
 		}
+		this->mutex->unlock(this->mutex);
 		host->destroy(host);
 	}
 }
@@ -522,12 +527,12 @@ static job_requeue_t receive_events(private_kernel_netlink_net_t *this)
 			case RTM_NEWADDR:
 			case RTM_DELADDR:
 				process_addr(this, hdr, TRUE);
-				pthread_cond_broadcast(&this->cond);
+				this->condvar->broadcast(this->condvar);
 				break;
 			case RTM_NEWLINK:
 			case RTM_DELLINK:
 				process_link(this, hdr, TRUE);
-				pthread_cond_broadcast(&this->cond);
+				this->condvar->broadcast(this->condvar);
 				break;
 			case RTM_NEWROUTE:
 			case RTM_DELROUTE:
@@ -558,7 +563,7 @@ typedef struct {
  */
 static void address_enumerator_destroy(address_enumerator_t *data)
 {
-	pthread_mutex_unlock(&data->this->mutex);
+	data->this->mutex->unlock(data->this->mutex);
 	free(data);
 }
 
@@ -612,7 +617,7 @@ static enumerator_t *create_address_enumerator(private_kernel_netlink_net_t *thi
 	data->include_down_ifaces = include_down_ifaces;
 	data->include_virtual_ips = include_virtual_ips;
 	
-	pthread_mutex_lock(&this->mutex);
+	this->mutex->lock(this->mutex);
 	return enumerator_create_nested(
 				enumerator_create_filter(this->ifaces->create_enumerator(this->ifaces),
 							(void*)filter_interfaces, data, NULL),
@@ -624,18 +629,19 @@ static enumerator_t *create_address_enumerator(private_kernel_netlink_net_t *thi
  */
 static char *get_interface_name(private_kernel_netlink_net_t *this, host_t* ip)
 {
-	iterator_t *ifaces, *addrs;
+	enumerator_t *ifaces, *addrs;
 	iface_entry_t *iface;
 	addr_entry_t *addr;
 	char *name = NULL;
 	
 	DBG2(DBG_KNL, "getting interface name for %H", ip);
 	
-	ifaces = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
-	while (ifaces->iterate(ifaces, (void**)&iface))
+	this->mutex->lock(this->mutex);
+	ifaces = this->ifaces->create_enumerator(this->ifaces);
+	while (ifaces->enumerate(ifaces, &iface))
 	{
-		addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
-		while (addrs->iterate(addrs, (void**)&addr))
+		addrs = iface->addrs->create_enumerator(iface->addrs);
+		while (addrs->enumerate(addrs, &addr))
 		{
 			if (ip->ip_equals(ip, addr->ip))
 			{
@@ -650,6 +656,7 @@ static char *get_interface_name(private_kernel_netlink_net_t *this, host_t* ip)
 		}
 	}
 	ifaces->destroy(ifaces);
+	this->mutex->unlock(this->mutex);
 	
 	if (name)
 	{
@@ -667,14 +674,15 @@ static char *get_interface_name(private_kernel_netlink_net_t *this, host_t* ip)
  */
 static int get_interface_index(private_kernel_netlink_net_t *this, char* name)
 {
-	iterator_t *ifaces;
+	enumerator_t *ifaces;
 	iface_entry_t *iface;
 	int ifindex = 0;
 	
 	DBG2(DBG_KNL, "getting iface index for %s", name);
 	
-	ifaces = this->ifaces->create_iterator_locked(this->ifaces,	&this->mutex);
-	while (ifaces->iterate(ifaces, (void**)&iface))
+	this->mutex->lock(this->mutex);
+	ifaces = this->ifaces->create_enumerator(this->ifaces);
+	while (ifaces->enumerate(ifaces, &iface))
 	{
 		if (streq(name, iface->ifname))
 		{
@@ -683,6 +691,7 @@ static int get_interface_index(private_kernel_netlink_net_t *this, char* name)
 		}
 	}
 	ifaces->destroy(ifaces);
+	this->mutex->unlock(this->mutex);
 
 	if (ifindex == 0)
 	{
@@ -691,6 +700,28 @@ static int get_interface_index(private_kernel_netlink_net_t *this, char* name)
 	return ifindex;
 }
 
+/**
+ * Check if an interface with a given index is up
+ */
+static bool is_interface_up(private_kernel_netlink_net_t *this, int index)
+{
+	enumerator_t *ifaces;
+	iface_entry_t *iface;
+	bool up = FALSE;
+	
+	ifaces = this->ifaces->create_enumerator(this->ifaces);
+	while (ifaces->enumerate(ifaces, &iface))
+	{
+		if (iface->ifindex == index)
+		{
+			up = iface->flags & IFF_UP;
+			break;
+		}
+	}
+	ifaces->destroy(ifaces);
+	return up;
+}
+
 /**
  * check if an address (chunk) addr is in subnet (net with net_len net bits)
  */
@@ -730,7 +761,7 @@ static bool addr_in_subnet(chunk_t addr, chunk_t net, int net_len)
 static host_t *get_route(private_kernel_netlink_net_t *this, host_t *dest,
 						 bool nexthop, host_t *candidate)
 {
-	unsigned char request[NETLINK_BUFFER_SIZE];
+	netlink_buf_t request;
 	struct nlmsghdr *hdr, *out, *current;
 	struct rtmsg *msg;
 	chunk_t chunk;
@@ -763,6 +794,7 @@ static host_t *get_route(private_kernel_netlink_net_t *this, host_t *dest,
 		DBG1(DBG_KNL, "getting address to %H failed", dest);
 		return NULL;
 	}
+	this->mutex->lock(this->mutex);
 	current = out;
 	while (NLMSG_OK(current, len))
 	{
@@ -776,6 +808,9 @@ static host_t *get_route(private_kernel_netlink_net_t *this, host_t *dest,
 				size_t rtasize;
 				chunk_t rta_gtw, rta_src, rta_dst;
 				u_int32_t rta_oif = 0;
+				enumerator_t *ifaces, *addrs;
+				iface_entry_t *iface;
+				addr_entry_t *addr;
 				
 				rta_gtw = rta_src = rta_dst = chunk_empty;
 				msg = (struct rtmsg*)(NLMSG_DATA(current));
@@ -803,79 +838,80 @@ static host_t *get_route(private_kernel_netlink_net_t *this, host_t *dest,
 					}
 					rta = RTA_NEXT(rta, rtasize);
 				}
+				if (rta_oif && !is_interface_up(this, rta_oif))
+				{	/* interface is down */
+					goto next;
+				}
+				if (this->routing_table != 0 &&
+					msg->rtm_table == this->routing_table)
+				{	/* route is from our own ipsec routing table */
+					goto next;
+				}
+				if (msg->rtm_dst_len <= best)
+				{	/* not better than a previous one */
+					goto next;
+				}
+				if (msg->rtm_dst_len != 0 &&
+					(!rta_dst.ptr ||
+					 !addr_in_subnet(chunk, rta_dst, msg->rtm_dst_len)))
+				{	/* is not the default route and not contained in our dst */
+					goto next;
+				}
 				
-				/* apply the route if:
-				 * - it is not from our own ipsec routing table
-				 * - is better than a previous one
-				 * - is the default route or
-				 * - its destination net contains our destination
-				 */
-				if ((this->routing_table == 0 ||msg->rtm_table != this->routing_table)
-					&&  msg->rtm_dst_len > best
-					&& (msg->rtm_dst_len == 0 || /* default route */
-					(rta_dst.ptr && addr_in_subnet(chunk, rta_dst, msg->rtm_dst_len))))
+				best = msg->rtm_dst_len;
+				if (nexthop)
 				{
-					iterator_t *ifaces, *addrs;
-					iface_entry_t *iface;
-					addr_entry_t *addr;
-					
-					best = msg->rtm_dst_len;
-					if (nexthop)
-					{
-						DESTROY_IF(gtw);
-						gtw = host_create_from_chunk(msg->rtm_family, rta_gtw, 0);
-					}
-					else if (rta_src.ptr)
-					{
+					DESTROY_IF(gtw);
+					gtw = host_create_from_chunk(msg->rtm_family, rta_gtw, 0);
+					goto next;
+				}
+				if (rta_src.ptr)
+				{
+					DESTROY_IF(src);
+					src = host_create_from_chunk(msg->rtm_family, rta_src, 0);
+					if (get_vip_refcount(this, src))
+					{	/* skip source address if it is installed by us */
 						DESTROY_IF(src);
-						src = host_create_from_chunk(msg->rtm_family, rta_src, 0);
-						if (get_vip_refcount(this, src))
-						{	/* skip source address if it is installed by us */
-							DESTROY_IF(src);
-							src = NULL;
-							current = NLMSG_NEXT(current, len);
-							continue;
-						}
+						src = NULL;
 					}
-					else
+					goto next;
+				}
+				/* no source addr, get one from the interfaces */
+				ifaces = this->ifaces->create_enumerator(this->ifaces);
+				while (ifaces->enumerate(ifaces, &iface))
+				{
+					if (iface->ifindex == rta_oif && 
+						iface->flags & IFF_UP)
 					{
-						/* no source addr, get one from the interfaces */
-						ifaces = this->ifaces->create_iterator_locked(
-													this->ifaces, &this->mutex);
-						while (ifaces->iterate(ifaces, (void**)&iface))
+						addrs = iface->addrs->create_enumerator(iface->addrs);
+						while (addrs->enumerate(addrs, &addr))
 						{
-							if (iface->ifindex == rta_oif)
+							chunk_t ip = addr->ip->get_address(addr->ip);
+							if ((msg->rtm_dst_len == 0 && 
+								 addr->ip->get_family(addr->ip) ==
+								 	dest->get_family(dest)) ||
+								addr_in_subnet(ip, rta_dst, msg->rtm_dst_len))
 							{
-								addrs = iface->addrs->create_iterator(
-															iface->addrs, TRUE);
-								while (addrs->iterate(addrs, (void**)&addr))
-								{
-									chunk_t ip = addr->ip->get_address(addr->ip);
-									if ((msg->rtm_dst_len == 0 && 
-										 addr->ip->get_family(addr->ip) ==
-										 	dest->get_family(dest)) ||
-										addr_in_subnet(ip, rta_dst, msg->rtm_dst_len))
-									{
-										DESTROY_IF(src);
-										src = addr->ip->clone(addr->ip);
-										break;
-									}
-								}
-								addrs->destroy(addrs);
+								DESTROY_IF(src);
+								src = addr->ip->clone(addr->ip);
+								break;
 							}
 						}
-						ifaces->destroy(ifaces);
+						addrs->destroy(addrs);
 					}
 				}
-				/* FALL through */
+				ifaces->destroy(ifaces);
+				goto next;
 			}
 			default:
+			next:
 				current = NLMSG_NEXT(current, len);
 				continue;
 		}
 		break;
 	}
 	free(out);
+	this->mutex->unlock(this->mutex);
 	
 	if (nexthop)
 	{
@@ -912,7 +948,7 @@ static host_t* get_nexthop(private_kernel_netlink_net_t *this, host_t *dest)
 static status_t manage_ipaddr(private_kernel_netlink_net_t *this, int nlmsg_type,
 							  int flags, int if_index, host_t *ip)
 {
-	unsigned char request[NETLINK_BUFFER_SIZE];
+	netlink_buf_t request;
 	struct nlmsghdr *hdr;
 	struct ifaddrmsg *msg;
 	chunk_t chunk;
@@ -946,18 +982,19 @@ static status_t add_ip(private_kernel_netlink_net_t *this,
 {
 	iface_entry_t *iface;
 	addr_entry_t *addr;
-	iterator_t *addrs, *ifaces;
+	enumerator_t *addrs, *ifaces;
 	int ifindex;
 
 	DBG2(DBG_KNL, "adding virtual IP %H", virtual_ip);
 	
-	ifaces = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
-	while (ifaces->iterate(ifaces, (void**)&iface))
+	this->mutex->lock(this->mutex);
+	ifaces = this->ifaces->create_enumerator(this->ifaces);
+	while (ifaces->enumerate(ifaces, &iface))
 	{
 		bool iface_found = FALSE;
 	
-		addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
-		while (addrs->iterate(addrs, (void**)&addr))
+		addrs = iface->addrs->create_enumerator(iface->addrs);
+		while (addrs->enumerate(addrs, &addr))
 		{
 			if (iface_ip->ip_equals(iface_ip, addr->ip))
 			{
@@ -970,6 +1007,7 @@ static status_t add_ip(private_kernel_netlink_net_t *this,
 					 virtual_ip, iface->ifname);
 				addrs->destroy(addrs);
 				ifaces->destroy(ifaces);
+				this->mutex->unlock(this->mutex);
 				return SUCCESS;
 			}
 		}
@@ -990,17 +1028,20 @@ static status_t add_ip(private_kernel_netlink_net_t *this,
 			{
 				while (get_vip_refcount(this, virtual_ip) == 0)
 				{	/* wait until address appears */
-					pthread_cond_wait(&this->cond, &this->mutex);
+					this->condvar->wait(this->condvar, this->mutex);
 				}
 				ifaces->destroy(ifaces);
+				this->mutex->unlock(this->mutex);
 				return SUCCESS;
 			}
 			ifaces->destroy(ifaces);
+			this->mutex->unlock(this->mutex);
 			DBG1(DBG_KNL, "adding virtual IP %H failed", virtual_ip);
 			return FAILED;
 		}
 	}
 	ifaces->destroy(ifaces);
+	this->mutex->unlock(this->mutex);
 	
 	DBG1(DBG_KNL, "interface address %H not found, unable to install"
 		 "virtual IP %H", iface_ip, virtual_ip);
@@ -1014,17 +1055,18 @@ static status_t del_ip(private_kernel_netlink_net_t *this, host_t *virtual_ip)
 {
 	iface_entry_t *iface;
 	addr_entry_t *addr;
-	iterator_t *addrs, *ifaces;
+	enumerator_t *addrs, *ifaces;
 	status_t status;
 	int ifindex;
 
 	DBG2(DBG_KNL, "deleting virtual IP %H", virtual_ip);
 	
-	ifaces = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
-	while (ifaces->iterate(ifaces, (void**)&iface))
+	this->mutex->lock(this->mutex);
+	ifaces = this->ifaces->create_enumerator(this->ifaces);
+	while (ifaces->enumerate(ifaces, &iface))
 	{
-		addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
-		while (addrs->iterate(addrs, (void**)&addr))
+		addrs = iface->addrs->create_enumerator(iface->addrs);
+		while (addrs->enumerate(addrs, &addr))
 		{
 			if (virtual_ip->ip_equals(virtual_ip, addr->ip))
 			{
@@ -1037,11 +1079,12 @@ static status_t del_ip(private_kernel_netlink_net_t *this, host_t *virtual_ip)
 					{	/* wait until the address is really gone */
 						while (get_vip_refcount(this, virtual_ip) > 0)
 						{
-							pthread_cond_wait(&this->cond, &this->mutex);
+							this->condvar->wait(this->condvar, this->mutex);
 						}
 					}
 					addrs->destroy(addrs);
 					ifaces->destroy(ifaces);
+					this->mutex->unlock(this->mutex);
 					return status;
 				}
 				else
@@ -1052,12 +1095,14 @@ static status_t del_ip(private_kernel_netlink_net_t *this, host_t *virtual_ip)
 					 virtual_ip);
 				addrs->destroy(addrs);
 				ifaces->destroy(ifaces);
+				this->mutex->unlock(this->mutex);
 				return SUCCESS;
 			}
 		}
 		addrs->destroy(addrs);
 	}
 	ifaces->destroy(ifaces);
+	this->mutex->unlock(this->mutex);
 	
 	DBG2(DBG_KNL, "virtual IP %H not cached, unable to delete", virtual_ip);
 	return FAILED;
@@ -1071,7 +1116,7 @@ static status_t manage_srcroute(private_kernel_netlink_net_t *this, int nlmsg_ty
 								int flags, chunk_t dst_net, u_int8_t prefixlen,
 								host_t *gateway, host_t *src_ip, char *if_name)
 {
-	unsigned char request[NETLINK_BUFFER_SIZE];
+	netlink_buf_t request;
 	struct nlmsghdr *hdr;
 	struct rtmsg *msg;
 	int ifindex;
@@ -1151,11 +1196,11 @@ status_t del_route(private_kernel_netlink_net_t *this, chunk_t dst_net,
  */
 static status_t init_address_list(private_kernel_netlink_net_t *this)
 {
-	char request[NETLINK_BUFFER_SIZE];
+	netlink_buf_t request;
 	struct nlmsghdr *out, *current, *in;
 	struct rtgenmsg *msg;
 	size_t len;
-	iterator_t *ifaces, *addrs;
+	enumerator_t *ifaces, *addrs;
 	iface_entry_t *iface;
 	addr_entry_t *addr;
 	
@@ -1217,14 +1262,15 @@ static status_t init_address_list(private_kernel_netlink_net_t *this)
 	}
 	free(out);
 	
-	ifaces = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
-	while (ifaces->iterate(ifaces, (void**)&iface))
+	this->mutex->lock(this->mutex);
+	ifaces = this->ifaces->create_enumerator(this->ifaces);
+	while (ifaces->enumerate(ifaces, &iface))
 	{
 		if (iface->flags & IFF_UP)
 		{
 			DBG1(DBG_KNL, "  %s", iface->ifname);
-			addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
-			while (addrs->iterate(addrs, (void**)&addr))
+			addrs = iface->addrs->create_enumerator(iface->addrs);
+			while (addrs->enumerate(addrs, (void**)&addr))
 			{
 				DBG1(DBG_KNL, "    %H", addr->ip);
 			}
@@ -1232,6 +1278,7 @@ static status_t init_address_list(private_kernel_netlink_net_t *this)
 		}
 	}
 	ifaces->destroy(ifaces);
+	this->mutex->unlock(this->mutex);
 	return SUCCESS;
 }
 
@@ -1241,7 +1288,7 @@ static status_t init_address_list(private_kernel_netlink_net_t *this)
 static status_t manage_rule(private_kernel_netlink_net_t *this, int nlmsg_type,
 							u_int32_t table, u_int32_t prio)
 {
-	unsigned char request[NETLINK_BUFFER_SIZE];
+	netlink_buf_t request;
 	struct nlmsghdr *hdr;
 	struct rtmsg *msg;
 	chunk_t chunk;
@@ -1284,6 +1331,8 @@ static void destroy(private_kernel_netlink_net_t *this)
 	close(this->socket_events);
 	this->socket->destroy(this->socket);
 	this->ifaces->destroy_function(this->ifaces, (void*)iface_entry_destroy);
+	this->condvar->destroy(this->condvar);
+	this->mutex->destroy(this->mutex);
 	free(this);
 }
 
@@ -1308,8 +1357,8 @@ kernel_netlink_net_t *kernel_netlink_net_create()
 
 	/* private members */
 	this->ifaces = linked_list_create();
-	pthread_mutex_init(&this->mutex, NULL);
-	pthread_cond_init(&this->cond, NULL);
+	this->mutex = mutex_create(MUTEX_DEFAULT);
+	this->condvar = condvar_create(CONDVAR_DEFAULT);
 	timerclear(&this->last_roam);
 	this->routing_table = lib->settings->get_int(lib->settings,
 					"charon.routing_table", IPSEC_ROUTING_TABLE);
diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_shared.c b/src/charon/plugins/kernel_netlink/kernel_netlink_shared.c
index 55d08c5e5..3de56bf48 100644
--- a/src/charon/plugins/kernel_netlink/kernel_netlink_shared.c
+++ b/src/charon/plugins/kernel_netlink/kernel_netlink_shared.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: kernel_netlink_shared.c 4350 2008-09-18 15:16:43Z tobias $
+ * $Id: kernel_netlink_shared.c 4579 2008-11-05 11:29:56Z martin $
  */
 
 #include <sys/socket.h>
@@ -24,6 +24,7 @@
 #include "kernel_netlink_shared.h"
 
 #include <daemon.h>
+#include <utils/mutex.h>
 
 typedef struct private_netlink_socket_t private_netlink_socket_t;
 
@@ -39,7 +40,7 @@ struct private_netlink_socket_t {
 	/**
 	 * mutex to lock access to netlink socket
 	 */
-	pthread_mutex_t mutex;
+	mutex_t *mutex;
 
 	/**
 	 * current sequence number for netlink request
@@ -63,7 +64,7 @@ static status_t netlink_send(private_netlink_socket_t *this, struct nlmsghdr *in
 	chunk_t result = chunk_empty, tmp;
 	struct nlmsghdr *msg, peek;
 	
-	pthread_mutex_lock(&this->mutex);
+	this->mutex->lock(this->mutex);
 	
 	in->nlmsg_seq = ++this->seq;
 	in->nlmsg_pid = getpid();
@@ -85,7 +86,7 @@ static status_t netlink_send(private_netlink_socket_t *this, struct nlmsghdr *in
 				/* interrupted, try again */
 				continue;
 			}
-			pthread_mutex_unlock(&this->mutex);
+			this->mutex->unlock(this->mutex);
 			DBG1(DBG_KNL, "error sending to netlink socket: %s", strerror(errno));
 			return FAILED;
 		}
@@ -117,14 +118,14 @@ static status_t netlink_send(private_netlink_socket_t *this, struct nlmsghdr *in
 				continue;
 			}
 			DBG1(DBG_KNL, "error reading from netlink socket: %s", strerror(errno));
-			pthread_mutex_unlock(&this->mutex);
+			this->mutex->unlock(this->mutex);
 			free(result.ptr);
 			return FAILED;
 		}
 		if (!NLMSG_OK(msg, len))
 		{
 			DBG1(DBG_KNL, "received corrupted netlink message");
-			pthread_mutex_unlock(&this->mutex);
+			this->mutex->unlock(this->mutex);
 			free(result.ptr);
 			return FAILED;
 		}
@@ -135,7 +136,7 @@ static status_t netlink_send(private_netlink_socket_t *this, struct nlmsghdr *in
 			{
 				continue;
 			}
-			pthread_mutex_unlock(&this->mutex);
+			this->mutex->unlock(this->mutex);
 			free(result.ptr);
 			return FAILED;
 		}
@@ -161,7 +162,7 @@ static status_t netlink_send(private_netlink_socket_t *this, struct nlmsghdr *in
 	*out_len = result.len;
 	*out = (struct nlmsghdr*)result.ptr;
 	
-	pthread_mutex_unlock(&this->mutex);
+	this->mutex->unlock(this->mutex);
 	
 	return SUCCESS;
 }
@@ -221,6 +222,7 @@ static status_t netlink_send_ack(private_netlink_socket_t *this, struct nlmsghdr
 static void destroy(private_netlink_socket_t *this)
 {
 	close(this->socket);
+	this->mutex->destroy(this->mutex);
 	free(this);
 }
 
@@ -238,7 +240,7 @@ netlink_socket_t *netlink_socket_create(int protocol) {
 
 	/* private members */
 	this->seq = 200;
-	pthread_mutex_init(&this->mutex, NULL);
+	this->mutex = mutex_create(MUTEX_DEFAULT);
 	
 	memset(&addr, 0, sizeof(addr));
 	addr.nl_family = AF_NETLINK;
diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_shared.h b/src/charon/plugins/kernel_netlink/kernel_netlink_shared.h
index 6428cc9a2..90e464796 100644
--- a/src/charon/plugins/kernel_netlink/kernel_netlink_shared.h
+++ b/src/charon/plugins/kernel_netlink/kernel_netlink_shared.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: kernel_netlink_shared.h 4350 2008-09-18 15:16:43Z tobias $
+ * $Id: kernel_netlink_shared.h 4660 2008-11-14 14:23:11Z martin $
  */
 
 #ifndef KERNEL_NETLINK_SHARED_H_
@@ -20,7 +20,15 @@
 
 #include <library.h>
 
-#define NETLINK_BUFFER_SIZE 1024
+#include <linux/rtnetlink.h>
+
+/**
+ * General purpose netlink buffer.
+ *
+ * 1024 byte is currently sufficient for all operations. Some platform
+ * require an enforced aligment to four bytes (e.g. ARM).
+ */
+typedef u_char netlink_buf_t[1024] __attribute__((aligned(RTA_ALIGNTO)));
 
 typedef struct netlink_socket_t netlink_socket_t;
 
diff --git a/src/charon/plugins/kernel_pfkey/Makefile.am b/src/charon/plugins/kernel_pfkey/Makefile.am
new file mode 100644
index 000000000..c9d66b5de
--- /dev/null
+++ b/src/charon/plugins/kernel_pfkey/Makefile.am
@@ -0,0 +1,10 @@
+
+INCLUDES = -I${linuxdir} -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
+
+AM_CFLAGS = -rdynamic
+
+plugin_LTLIBRARIES = libstrongswan-kernel-pfkey.la
+
+libstrongswan_kernel_pfkey_la_SOURCES = kernel_pfkey_plugin.h kernel_pfkey_plugin.c \
+	kernel_pfkey_ipsec.h kernel_pfkey_ipsec.c
+libstrongswan_kernel_pfkey_la_LDFLAGS = -module
diff --git a/src/charon/plugins/kernel_pfkey/Makefile.in b/src/charon/plugins/kernel_pfkey/Makefile.in
new file mode 100644
index 000000000..41bad9715
--- /dev/null
+++ b/src/charon/plugins/kernel_pfkey/Makefile.in
@@ -0,0 +1,501 @@
+# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/charon/plugins/kernel_pfkey
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__installdirs = "$(DESTDIR)$(plugindir)"
+pluginLTLIBRARIES_INSTALL = $(INSTALL)
+LTLIBRARIES = $(plugin_LTLIBRARIES)
+libstrongswan_kernel_pfkey_la_LIBADD =
+am_libstrongswan_kernel_pfkey_la_OBJECTS = kernel_pfkey_plugin.lo \
+	kernel_pfkey_ipsec.lo
+libstrongswan_kernel_pfkey_la_OBJECTS =  \
+	$(am_libstrongswan_kernel_pfkey_la_OBJECTS)
+libstrongswan_kernel_pfkey_la_LINK = $(LIBTOOL) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_kernel_pfkey_la_LDFLAGS) $(LDFLAGS) -o $@
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_kernel_pfkey_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_kernel_pfkey_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+CXXDEPMODE = @CXXDEPMODE@
+CXXFLAGS = @CXXFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DSYMUTIL = @DSYMUTIL@
+ECHO = @ECHO@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+F77 = @F77@
+FFLAGS = @FFLAGS@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
+IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LINUX_HEADERS = @LINUX_HEADERS@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+NMEDIT = @NMEDIT@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+RANLIB = @RANLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_CXX = @ac_ct_CXX@
+ac_ct_F77 = @ac_ct_F77@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+confdir = @confdir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libstrongswan_plugins = @libstrongswan_plugins@
+linuxdir = @linuxdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+resolv_conf = @resolv_conf@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+simreader = @simreader@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I${linuxdir} -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
+AM_CFLAGS = -rdynamic
+plugin_LTLIBRARIES = libstrongswan-kernel-pfkey.la
+libstrongswan_kernel_pfkey_la_SOURCES = kernel_pfkey_plugin.h kernel_pfkey_plugin.c \
+	kernel_pfkey_ipsec.h kernel_pfkey_ipsec.c
+
+libstrongswan_kernel_pfkey_la_LDFLAGS = -module
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
+		&& exit 0; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/charon/plugins/kernel_pfkey/Makefile'; \
+	cd $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu  src/charon/plugins/kernel_pfkey/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    f=$(am__strip_dir) \
+	    echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(plugindir)/$$f'"; \
+	    $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(plugindir)/$$f"; \
+	  else :; fi; \
+	done
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  p=$(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$p'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$p"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-kernel-pfkey.la: $(libstrongswan_kernel_pfkey_la_OBJECTS) $(libstrongswan_kernel_pfkey_la_DEPENDENCIES) 
+	$(libstrongswan_kernel_pfkey_la_LINK) -rpath $(plugindir) $(libstrongswan_kernel_pfkey_la_OBJECTS) $(libstrongswan_kernel_pfkey_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_pfkey_ipsec.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_pfkey_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	    $$tags $$unique; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$tags $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) $$here
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	    fi; \
+	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
+	mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-info: install-info-am
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
+	distclean-compile distclean-generic distclean-libtool \
+	distclean-tags distdir dvi dvi-am html html-am info info-am \
+	install install-am install-data install-data-am install-dvi \
+	install-dvi-am install-exec install-exec-am install-html \
+	install-html-am install-info install-info-am install-man \
+	install-pdf install-pdf-am install-pluginLTLIBRARIES \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
new file mode 100644
index 000000000..77f3cbed8
--- /dev/null
+++ b/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
@@ -0,0 +1,1991 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2008 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id: kernel_pfkey_ipsec.c 4662 2008-11-16 21:19:58Z andreas $
+ */
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <stdint.h>
+#include <linux/ipsec.h>
+#include <linux/pfkeyv2.h>
+#include <linux/udp.h>
+#include <unistd.h>
+#include <pthread.h>
+#include <errno.h>
+
+#include "kernel_pfkey_ipsec.h"
+
+#include <daemon.h>
+#include <utils/host.h>
+#include <utils/mutex.h>
+#include <processing/jobs/callback_job.h>
+#include <processing/jobs/acquire_job.h>
+#include <processing/jobs/migrate_job.h>
+#include <processing/jobs/rekey_child_sa_job.h>
+#include <processing/jobs/delete_child_sa_job.h>
+#include <processing/jobs/update_sa_job.h>
+
+/** from linux/in.h */
+#ifndef IP_IPSEC_POLICY
+#define IP_IPSEC_POLICY 16
+#endif
+
+/** default priority of installed policies */
+#define PRIO_LOW 3000
+#define PRIO_HIGH 2000
+
+/** buffer size for PF_KEY messages */
+#define PFKEY_BUFFER_SIZE 4096
+
+/** PF_KEY messages are 64 bit aligned */
+#define PFKEY_ALIGNMENT 8
+/** aligns len to 64 bits */
+#define PFKEY_ALIGN(len) (((len) + PFKEY_ALIGNMENT - 1) & ~(PFKEY_ALIGNMENT - 1))
+/** calculates the properly padded length in 64 bit chunks */
+#define PFKEY_LEN(len) ((PFKEY_ALIGN(len) / PFKEY_ALIGNMENT))
+/** calculates user mode length i.e. in bytes */
+#define PFKEY_USER_LEN(len) ((len) * PFKEY_ALIGNMENT)
+
+/** given a PF_KEY message header and an extension this updates the length in the header */
+#define PFKEY_EXT_ADD(msg, ext) ((msg)->sadb_msg_len += ((struct sadb_ext*)ext)->sadb_ext_len)
+/** given a PF_KEY message header this returns a pointer to the next extension */
+#define PFKEY_EXT_ADD_NEXT(msg) ((struct sadb_ext*)(((char*)(msg)) + PFKEY_USER_LEN((msg)->sadb_msg_len)))
+/** copy an extension and append it to a PF_KEY message */
+#define PFKEY_EXT_COPY(msg, ext) (PFKEY_EXT_ADD(msg, memcpy(PFKEY_EXT_ADD_NEXT(msg), ext, PFKEY_USER_LEN(((struct sadb_ext*)ext)->sadb_ext_len))))
+/** given a PF_KEY extension this returns a pointer to the next extension */
+#define PFKEY_EXT_NEXT(ext) ((struct sadb_ext*)(((char*)(ext)) + PFKEY_USER_LEN(((struct sadb_ext*)ext)->sadb_ext_len)))
+/** given a PF_KEY extension this returns a pointer to the next extension also updates len (len in 64 bit words) */
+#define PFKEY_EXT_NEXT_LEN(ext,len) ((len) -= (ext)->sadb_ext_len, PFKEY_EXT_NEXT(ext))
+/** true if ext has a valid length and len is large enough to contain ext (assuming len in 64 bit words) */
+#define PFKEY_EXT_OK(ext,len) ((len) >= PFKEY_LEN(sizeof(struct sadb_ext)) && \
+				(ext)->sadb_ext_len >= PFKEY_LEN(sizeof(struct sadb_ext)) && \
+				(ext)->sadb_ext_len <= (len))
+
+typedef struct private_kernel_pfkey_ipsec_t private_kernel_pfkey_ipsec_t;
+
+/**
+ * Private variables and functions of kernel_pfkey class.
+ */
+struct private_kernel_pfkey_ipsec_t
+{
+	/**
+	 * Public part of the kernel_pfkey_t object.
+	 */
+	kernel_pfkey_ipsec_t public;
+	
+	/**
+	 * mutex to lock access to various lists
+	 */
+	mutex_t *mutex;
+	
+	/**
+	 * List of installed policies (policy_entry_t)
+	 */
+	linked_list_t *policies;
+	
+	/**
+	 * whether to install routes along policies
+	 */
+	bool install_routes;
+	
+	/**
+	 * job receiving PF_KEY events
+	 */
+	callback_job_t *job;
+	
+	/**
+	 * mutex to lock access to the PF_KEY socket
+	 */
+	mutex_t *mutex_pfkey;
+	
+	/**
+	 * PF_KEY socket to communicate with the kernel
+	 */
+	int socket;
+	
+	/**
+	 * PF_KEY socket to receive acquire and expire events
+	 */
+	int socket_events;
+	
+	/**
+	 * sequence number for messages sent to the kernel
+	 */
+	int seq;
+};
+
+typedef struct route_entry_t route_entry_t;
+
+/**
+ * installed routing entry
+ */
+struct route_entry_t {
+	/** Name of the interface the route is bound to */
+	char *if_name;
+	
+	/** Source ip of the route */
+	host_t *src_ip;
+	
+	/** gateway for this route */
+	host_t *gateway;
+
+	/** Destination net */
+	chunk_t dst_net;
+
+	/** Destination net prefixlen */
+	u_int8_t prefixlen;
+};
+
+/**
+ * destroy an route_entry_t object
+ */
+static void route_entry_destroy(route_entry_t *this)
+{
+	free(this->if_name);
+	this->src_ip->destroy(this->src_ip);
+	this->gateway->destroy(this->gateway);
+	chunk_free(&this->dst_net);
+	free(this);
+}
+
+typedef struct policy_entry_t policy_entry_t;
+
+/**
+ * installed kernel policy.
+ */
+struct policy_entry_t {
+	
+	/** reqid of this policy */
+	u_int32_t reqid;
+	
+	/** index assigned by the kernel */
+	u_int32_t index;
+	
+	/** direction of this policy: in, out, forward */
+	u_int8_t direction;
+	
+	/** parameters of installed policy */
+	struct {
+		/** subnet and port */
+		host_t *net;
+		/** subnet mask */
+		u_int8_t mask;
+		/** protocol */
+		u_int8_t proto;
+	} src, dst;
+	
+	/** associated route installed for this policy */
+	route_entry_t *route;
+	
+	/** by how many CHILD_SA's this policy is used */
+	u_int refcount;
+};
+
+/**
+ * create a policy_entry_t object
+ */
+static policy_entry_t *create_policy_entry(traffic_selector_t *src_ts,
+		traffic_selector_t *dst_ts, policy_dir_t dir, u_int32_t reqid)
+{
+	policy_entry_t *policy = malloc_thing(policy_entry_t);
+	policy->reqid = reqid;
+	policy->index = 0;
+	policy->direction = dir;
+	policy->route = NULL;
+	policy->refcount = 0;
+	
+	src_ts->to_subnet(src_ts, &policy->src.net, &policy->src.mask);
+	dst_ts->to_subnet(dst_ts, &policy->dst.net, &policy->dst.mask);
+	
+	/* src or dest proto may be "any" (0), use more restrictive one */
+	policy->src.proto = max(src_ts->get_protocol(src_ts), dst_ts->get_protocol(dst_ts));
+	policy->src.proto = policy->src.proto ? policy->src.proto : IPSEC_PROTO_ANY; 
+	policy->dst.proto = policy->src.proto;
+	
+	return policy;
+}
+
+/**
+ * destroy a policy_entry_t object
+ */
+static void policy_entry_destroy(policy_entry_t *this)
+{
+	DESTROY_IF(this->src.net);
+	DESTROY_IF(this->dst.net);
+	if (this->route)
+	{
+		route_entry_destroy(this->route);
+	}
+	free(this);
+}
+
+/**
+ * compares two policy_entry_t
+ */
+static inline bool policy_entry_equals(policy_entry_t *current, policy_entry_t *policy)
+{
+	return current->direction == policy->direction &&
+		   current->src.proto == policy->src.proto &&
+		   current->dst.proto == policy->dst.proto &&
+		   current->src.mask == policy->src.mask &&
+		   current->dst.mask == policy->dst.mask &&
+		   current->src.net->equals(current->src.net, policy->src.net) &&
+		   current->dst.net->equals(current->dst.net, policy->dst.net);
+}
+
+/**
+ * compare the given kernel index with that of a policy
+ */
+static inline bool policy_entry_match_byindex(policy_entry_t *current, u_int32_t *index)
+{
+	return current->index == *index;
+}
+
+typedef struct pfkey_msg_t pfkey_msg_t;
+
+struct pfkey_msg_t
+{
+	/**
+	 * PF_KEY message base
+	 */
+	struct sadb_msg *msg;
+	
+	
+	/**
+	 * PF_KEY message extensions
+	 */
+	union {
+		struct sadb_ext *ext[SADB_EXT_MAX + 1];
+		struct {
+			struct sadb_ext *reserved;				/* SADB_EXT_RESERVED */
+			struct sadb_sa *sa;						/* SADB_EXT_SA */
+			struct sadb_lifetime *lft_current;		/* SADB_EXT_LIFETIME_CURRENT */
+			struct sadb_lifetime *lft_hard;			/* SADB_EXT_LIFETIME_HARD */
+			struct sadb_lifetime *lft_soft;			/* SADB_EXT_LIFETIME_SOFT */
+			struct sadb_address *src;				/* SADB_EXT_ADDRESS_SRC */
+			struct sadb_address *dst;				/* SADB_EXT_ADDRESS_DST */
+			struct sadb_address *proxy;				/* SADB_EXT_ADDRESS_PROXY */
+			struct sadb_key *key_auth;				/* SADB_EXT_KEY_AUTH */
+			struct sadb_key *key_encr;				/* SADB_EXT_KEY_ENCRYPT */
+			struct sadb_ident *id_src;				/* SADB_EXT_IDENTITY_SRC */
+			struct sadb_ident *id_dst;				/* SADB_EXT_IDENTITY_DST */
+			struct sadb_sens *sensitivity;			/* SADB_EXT_SENSITIVITY */
+			struct sadb_prop *proposal;				/* SADB_EXT_PROPOSAL */
+			struct sadb_supported *supported_auth;	/* SADB_EXT_SUPPORTED_AUTH */
+			struct sadb_supported *supported_encr;	/* SADB_EXT_SUPPORTED_ENCRYPT */
+			struct sadb_spirange *spirange;			/* SADB_EXT_SPIRANGE */
+			struct sadb_x_kmprivate *x_kmprivate;	/* SADB_X_EXT_KMPRIVATE */
+			struct sadb_x_policy *x_policy;			/* SADB_X_EXT_POLICY */
+			struct sadb_x_sa2 *x_sa2;				/* SADB_X_EXT_SA2 */
+			struct sadb_x_nat_t_type *x_natt_type;	/* SADB_X_EXT_NAT_T_TYPE */
+			struct sadb_x_nat_t_port *x_natt_sport;	/* SADB_X_EXT_NAT_T_SPORT */
+			struct sadb_x_nat_t_port *x_natt_dport;	/* SADB_X_EXT_NAT_T_DPORT */
+			struct sadb_address *x_natt_oa;			/* SADB_X_EXT_NAT_T_OA */
+			struct sadb_x_sec_ctx *x_sec_ctx;		/* SADB_X_EXT_SEC_CTX */
+			struct sadb_x_kmaddress *x_kmaddress;	/* SADB_X_EXT_KMADDRESS */
+		} __attribute__((__packed__));
+	};
+};
+
+ENUM(sadb_ext_type_names, SADB_EXT_RESERVED, SADB_X_EXT_KMADDRESS,
+	"SADB_EXT_RESERVED",
+	"SADB_EXT_SA",
+	"SADB_EXT_LIFETIME_CURRENT",
+	"SADB_EXT_LIFETIME_HARD",
+	"SADB_EXT_LIFETIME_SOFT",
+	"SADB_EXT_ADDRESS_SRC",
+	"SADB_EXT_ADDRESS_DST",
+	"SADB_EXT_ADDRESS_PROXY",
+	"SADB_EXT_KEY_AUTH",
+	"SADB_EXT_KEY_ENCRYPT",
+	"SADB_EXT_IDENTITY_SRC",
+	"SADB_EXT_IDENTITY_DST",
+	"SADB_EXT_SENSITIVITY",
+	"SADB_EXT_PROPOSAL",
+	"SADB_EXT_SUPPORTED_AUTH",
+	"SADB_EXT_SUPPORTED_ENCRYPT",
+	"SADB_EXT_SPIRANGE",
+	"SADB_X_EXT_KMPRIVATE",
+	"SADB_X_EXT_POLICY",
+	"SADB_X_EXT_SA2",
+	"SADB_X_EXT_NAT_T_TYPE",
+	"SADB_X_EXT_NAT_T_SPORT",
+	"SADB_X_EXT_NAT_T_DPORT",
+	"SADB_X_EXT_NAT_T_OA",
+	"SADB_X_EXT_SEC_CTX",
+	"SADB_X_EXT_KMADDRESS"
+);
+/**
+ * convert a IKEv2 specific protocol identifier to the PF_KEY sa type
+ */
+static u_int8_t proto_ike2satype(protocol_id_t proto)
+{
+	switch (proto)
+	{
+		case PROTO_ESP:
+			return SADB_SATYPE_ESP;
+		case PROTO_AH:
+			return SADB_SATYPE_AH;
+		case IPPROTO_COMP:
+			return SADB_X_SATYPE_IPCOMP;
+		default:
+			return proto;
+	}
+}
+
+/**
+ * convert a PF_KEY sa type to a IKEv2 specific protocol identifier
+ */
+static protocol_id_t proto_satype2ike(u_int8_t proto)
+{
+	switch (proto)
+	{
+		case SADB_SATYPE_ESP:
+			return PROTO_ESP;
+		case SADB_SATYPE_AH:
+			return PROTO_AH;
+		case SADB_X_SATYPE_IPCOMP:
+			return IPPROTO_COMP;
+		default:
+			return proto;
+	}
+}
+
+/**
+ * convert a IKEv2 specific protocol identifier to the IP protocol identifier
+ */
+static u_int8_t proto_ike2ip(protocol_id_t proto)
+{
+	switch (proto)
+	{
+		case PROTO_ESP:
+			return IPPROTO_ESP;
+		case PROTO_AH:
+			return IPPROTO_AH;
+		default:
+			return proto;
+	}
+}
+
+/**
+ * convert the general ipsec mode to the one defined in ipsec.h
+ */
+static u_int8_t mode2kernel(ipsec_mode_t mode)
+{
+	switch (mode)
+	{
+		case MODE_TRANSPORT:
+			return IPSEC_MODE_TRANSPORT;
+		case MODE_TUNNEL:
+			return IPSEC_MODE_TUNNEL;
+		case MODE_BEET:
+			return IPSEC_MODE_BEET;
+		default:
+			return mode;
+	}
+}
+
+/**
+ * convert the general policy direction to the one defined in ipsec.h
+ */
+static u_int8_t dir2kernel(policy_dir_t dir)
+{
+	switch (dir)
+	{
+		case POLICY_IN:
+			return IPSEC_DIR_INBOUND;
+		case POLICY_OUT:
+			return IPSEC_DIR_OUTBOUND;
+		case POLICY_FWD:
+			return IPSEC_DIR_FWD;
+		default:
+			return dir;
+	}
+}
+
+/**
+ * convert the policy direction in ipsec.h to the general one.
+ */
+static policy_dir_t kernel2dir(u_int8_t  dir)
+{
+	switch (dir)
+	{
+		case IPSEC_DIR_INBOUND:
+			return POLICY_IN;
+		case IPSEC_DIR_OUTBOUND:
+			return POLICY_OUT;
+		case IPSEC_DIR_FWD:
+			return POLICY_FWD;
+		default:
+			return dir;
+	}
+}
+typedef struct kernel_algorithm_t kernel_algorithm_t;
+
+/**
+ * Mapping of IKEv2 algorithms to PF_KEY algorithms
+ */
+struct kernel_algorithm_t {
+	/**
+	 * Identifier specified in IKEv2
+	 */
+	int ikev2;
+	
+	/**
+	 * Identifier as defined in pfkeyv2.h
+	 */
+	int kernel;
+};
+
+#define END_OF_LIST -1
+
+/**
+ * Algorithms for encryption
+ */
+static kernel_algorithm_t encryption_algs[] = {
+/*	{ENCR_DES_IV64, 			0							}, */
+	{ENCR_DES, 					SADB_EALG_DESCBC			},
+	{ENCR_3DES, 				SADB_EALG_3DESCBC			},
+/*	{ENCR_RC5, 					0							}, */
+/*	{ENCR_IDEA, 				0							}, */
+	{ENCR_CAST, 				SADB_X_EALG_CASTCBC			},
+	{ENCR_BLOWFISH, 			SADB_X_EALG_BLOWFISHCBC		},
+/*	{ENCR_3IDEA, 				0							}, */
+/*	{ENCR_DES_IV32, 			0							}, */
+	{ENCR_NULL, 				SADB_EALG_NULL				},
+	{ENCR_AES_CBC,	 			SADB_X_EALG_AESCBC			},
+/*	{ENCR_AES_CTR, 				SADB_X_EALG_AESCTR			}, */
+/*  {ENCR_AES_CCM_ICV8,			SADB_X_EALG_AES_CCM_ICV8	}, */
+/*	{ENCR_AES_CCM_ICV12,		SADB_X_EALG_AES_CCM_ICV12	}, */
+/*	{ENCR_AES_CCM_ICV16,		SADB_X_EALG_AES_CCM_ICV16	}, */
+/*	{ENCR_AES_GCM_ICV8,			SADB_X_EALG_AES_GCM_ICV8	}, */
+/*	{ENCR_AES_GCM_ICV12,		SADB_X_EALG_AES_GCM_ICV12	}, */
+/*	{ENCR_AES_GCM_ICV16,		SADB_X_EALG_AES_GCM_ICV16	}, */
+	{END_OF_LIST, 				0							},
+};
+
+/**
+ * Algorithms for integrity protection
+ */
+static kernel_algorithm_t integrity_algs[] = {
+	{AUTH_HMAC_MD5_96, 			SADB_AALG_MD5HMAC			},
+	{AUTH_HMAC_SHA1_96,			SADB_AALG_SHA1HMAC			},
+	{AUTH_HMAC_SHA2_256_128,	SADB_X_AALG_SHA2_256HMAC	},
+	{AUTH_HMAC_SHA2_384_192,	SADB_X_AALG_SHA2_384HMAC	},
+	{AUTH_HMAC_SHA2_512_256,	SADB_X_AALG_SHA2_512HMAC	},
+/*	{AUTH_DES_MAC,				0,							}, */
+/*	{AUTH_KPDK_MD5,				0,							}, */
+	{AUTH_AES_XCBC_96,			SADB_X_AALG_AES_XCBC_MAC,	},
+	{END_OF_LIST, 				0,							},
+};
+
+#if 0
+/**
+ * Algorithms for IPComp, unused yet
+ */
+static kernel_algorithm_t compression_algs[] = {
+/*	{IPCOMP_OUI, 				0							}, */
+	{IPCOMP_DEFLATE,			SADB_X_CALG_DEFLATE			},
+	{IPCOMP_LZS,				SADB_X_CALG_LZS				},
+	{IPCOMP_LZJH,				SADB_X_CALG_LZJH			},
+	{END_OF_LIST, 				0							},
+};
+#endif
+
+/**
+ * Look up a kernel algorithm ID and its key size
+ */
+static int lookup_algorithm(kernel_algorithm_t *list, int ikev2)
+{
+	while (list->ikev2 != END_OF_LIST)
+	{
+		if (ikev2 == list->ikev2)
+		{
+			return list->kernel;
+		}
+		list++;
+	}
+	return 0;
+}
+
+/**
+ * add a host behind a sadb_address extension
+ */
+static void host2ext(host_t *host, struct sadb_address *ext)
+{
+	sockaddr_t *host_addr = host->get_sockaddr(host);
+	socklen_t *len = host->get_sockaddr_len(host);
+ 	memcpy((char*)(ext + 1), host_addr, *len);
+ 	ext->sadb_address_len = PFKEY_LEN(sizeof(*ext) + *len);
+}
+
+/**
+ * add udp encap extensions to a sadb_msg
+ */
+static void add_encap_ext(struct sadb_msg *msg, host_t *src, host_t *dst)
+{
+	struct sadb_x_nat_t_type* nat_type;
+	struct sadb_x_nat_t_port* nat_port;
+	
+	nat_type = (struct sadb_x_nat_t_type*)PFKEY_EXT_ADD_NEXT(msg);
+	nat_type->sadb_x_nat_t_type_exttype = SADB_X_EXT_NAT_T_TYPE;
+	nat_type->sadb_x_nat_t_type_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_type));
+	nat_type->sadb_x_nat_t_type_type = UDP_ENCAP_ESPINUDP;
+	PFKEY_EXT_ADD(msg, nat_type);
+	
+	nat_port = (struct sadb_x_nat_t_port*)PFKEY_EXT_ADD_NEXT(msg);
+	nat_port->sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_SPORT;
+	nat_port->sadb_x_nat_t_port_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_port));
+	nat_port->sadb_x_nat_t_port_port = htons(src->get_port(src));
+	PFKEY_EXT_ADD(msg, nat_port);
+	
+	nat_port = (struct sadb_x_nat_t_port*)PFKEY_EXT_ADD_NEXT(msg);
+	nat_port->sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_DPORT;
+	nat_port->sadb_x_nat_t_port_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_port));
+	nat_port->sadb_x_nat_t_port_port = htons(dst->get_port(dst));
+	PFKEY_EXT_ADD(msg, nat_port);
+}
+
+/**
+ * Convert a sadb_address to a traffic_selector
+ */
+static traffic_selector_t* sadb_address2ts(struct sadb_address *address)
+{
+	traffic_selector_t *ts;
+	host_t *host;
+
+	/* The Linux 2.6 kernel does not set the protocol and port information
+     * in the src and dst sadb_address extensions of the SADB_ACQUIRE message.
+     */
+	host = host_create_from_sockaddr((sockaddr_t*)&address[1])	;
+	ts = traffic_selector_create_from_subnet(host, address->sadb_address_prefixlen,
+ 				address->sadb_address_proto, host->get_port(host));
+	host->destroy(host);
+	return ts;
+}
+
+/**
+ * Parses a pfkey message received from the kernel
+ */
+static status_t parse_pfkey_message(struct sadb_msg *msg, pfkey_msg_t *out)
+{
+	struct sadb_ext* ext;
+	size_t len;
+	
+	memset(out, 0, sizeof(pfkey_msg_t));
+	out->msg = msg;
+	
+	len = msg->sadb_msg_len;
+	len -= PFKEY_LEN(sizeof(struct sadb_msg));
+	
+	ext = (struct sadb_ext*)(((char*)msg) + sizeof(struct sadb_msg));
+	
+	while (len >= PFKEY_LEN(sizeof(struct sadb_ext)))
+	{
+		DBG2(DBG_KNL, "  %N", sadb_ext_type_names, ext->sadb_ext_type);
+		if (ext->sadb_ext_len < PFKEY_LEN(sizeof(struct sadb_ext)) ||
+			ext->sadb_ext_len > len)
+		{
+			DBG1(DBG_KNL, "length of %N extension is invalid",
+						   sadb_ext_type_names, ext->sadb_ext_type);
+			break;
+		}
+		
+		if ((ext->sadb_ext_type > SADB_EXT_MAX) || (!ext->sadb_ext_type))
+		{
+			DBG1(DBG_KNL, "type of PF_KEY extension (%d) is invalid", ext->sadb_ext_type);
+			break;
+		}
+		
+		if (out->ext[ext->sadb_ext_type])
+		{
+			DBG1(DBG_KNL, "duplicate %N extension",			
+						   sadb_ext_type_names, ext->sadb_ext_type);
+			break;
+		}
+		
+		out->ext[ext->sadb_ext_type] = ext;
+		ext = PFKEY_EXT_NEXT_LEN(ext, len);
+	}
+
+	if (len)
+	{
+		DBG1(DBG_KNL, "PF_KEY message length is invalid");
+		return FAILED;
+	}
+	
+	return SUCCESS;
+}
+
+/**
+ * Send a message to a specific PF_KEY socket and handle the response.
+ */
+static status_t pfkey_send_socket(private_kernel_pfkey_ipsec_t *this, int socket,
+					struct sadb_msg *in, struct sadb_msg **out, size_t *out_len)
+{
+	unsigned char buf[PFKEY_BUFFER_SIZE];
+	struct sadb_msg *msg;
+	int in_len, len;
+	
+	this->mutex_pfkey->lock(this->mutex_pfkey);
+
+	in->sadb_msg_seq = ++this->seq;
+	in->sadb_msg_pid = getpid();
+
+	in_len = PFKEY_USER_LEN(in->sadb_msg_len);
+
+	while (TRUE)
+	{
+		len = send(socket, in, in_len, 0);
+
+		if (len != in_len)
+		{
+			if (errno == EINTR)
+			{
+				/* interrupted, try again */
+				continue;
+			}
+			this->mutex_pfkey->unlock(this->mutex_pfkey);
+			DBG1(DBG_KNL, "error sending to PF_KEY socket: %s", strerror(errno));
+			return FAILED;
+		}
+		break;
+	}
+	
+	while (TRUE)
+	{	
+		msg = (struct sadb_msg*)buf;
+		
+		len = recv(socket, buf, sizeof(buf), 0);
+		
+		if (len < 0)
+		{
+			if (errno == EINTR)
+			{
+				DBG1(DBG_KNL, "got interrupted");
+				/* interrupted, try again */
+				continue;
+			}
+			DBG1(DBG_KNL, "error reading from PF_KEY socket: %s", strerror(errno));
+			this->mutex_pfkey->unlock(this->mutex_pfkey);
+			return FAILED;
+		}
+		if (len < sizeof(struct sadb_msg) ||
+			msg->sadb_msg_len < PFKEY_LEN(sizeof(struct sadb_msg)))
+		{
+			DBG1(DBG_KNL, "received corrupted PF_KEY message");
+			this->mutex_pfkey->unlock(this->mutex_pfkey);
+			return FAILED;
+		}
+		if (msg->sadb_msg_len > len / PFKEY_ALIGNMENT)
+		{
+			DBG1(DBG_KNL, "buffer was too small to receive the complete PF_KEY message");
+			this->mutex_pfkey->unlock(this->mutex_pfkey);
+			return FAILED;
+		}
+		if (msg->sadb_msg_pid != in->sadb_msg_pid)
+		{
+			DBG2(DBG_KNL, "received PF_KEY message is not intended for us");
+			continue;
+		}
+		if (msg->sadb_msg_seq != this->seq)
+		{
+			DBG1(DBG_KNL, "received PF_KEY message with invalid sequence number, "
+					"was %d expected %d", msg->sadb_msg_seq, this->seq);
+			if (msg->sadb_msg_seq < this->seq)
+			{
+				continue;
+			}
+			this->mutex_pfkey->unlock(this->mutex_pfkey);
+			return FAILED;
+		}
+		if (msg->sadb_msg_type != in->sadb_msg_type)
+		{
+			DBG2(DBG_KNL, "received PF_KEY message of wrong type, "
+					"was %d expected %d, ignoring",
+					msg->sadb_msg_type, in->sadb_msg_type);
+		}
+		break;
+	}
+	
+	*out_len = len;
+	*out = (struct sadb_msg*)malloc(len);
+	memcpy(*out, buf, len);
+		
+	this->mutex_pfkey->unlock(this->mutex_pfkey);
+	
+	return SUCCESS;
+}
+
+/**
+ * Send a message to the default PF_KEY socket and handle the response.
+ */
+static status_t pfkey_send(private_kernel_pfkey_ipsec_t *this,
+					struct sadb_msg *in, struct sadb_msg **out, size_t *out_len)
+{
+	return pfkey_send_socket(this, this->socket, in, out, out_len);
+}
+
+/**
+ * Process a SADB_ACQUIRE message from the kernel
+ */
+static void process_acquire(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg)
+{
+	pfkey_msg_t response;
+	u_int32_t index, reqid = 0;
+	traffic_selector_t *src_ts, *dst_ts;
+	policy_entry_t *policy;
+	job_t *job;
+	
+	switch (msg->sadb_msg_satype)
+	{
+		case SADB_SATYPE_UNSPEC:
+		case SADB_SATYPE_ESP:
+		case SADB_SATYPE_AH:
+			break;
+		default:
+			/* acquire for AH/ESP only */
+			return;
+	}
+	DBG2(DBG_KNL, "received an SADB_ACQUIRE");
+	
+	if (parse_pfkey_message(msg, &response) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "parsing SADB_ACQUIRE from kernel failed");
+		return;
+	}
+	
+	index = response.x_policy->sadb_x_policy_id;
+	this->mutex->lock(this->mutex);
+	if (this->policies->find_first(this->policies,
+			(linked_list_match_t)policy_entry_match_byindex, (void**)&policy, &index) == SUCCESS)
+	{
+		reqid = policy->reqid;
+	}
+	else
+	{
+		DBG1(DBG_KNL, "received an SADB_ACQUIRE with policy id %d but no matching policy found",
+					   index);
+	}
+	src_ts = sadb_address2ts(response.src);
+	dst_ts = sadb_address2ts(response.dst);
+	this->mutex->unlock(this->mutex);
+	
+	DBG1(DBG_KNL, "creating acquire job for policy %R === %R with reqid {%u}",
+				   src_ts, dst_ts, reqid);
+	job = (job_t*)acquire_job_create(reqid, src_ts, dst_ts);
+	charon->processor->queue_job(charon->processor, job);
+}
+
+/**
+ * Process a SADB_EXPIRE message from the kernel
+ */
+static void process_expire(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg)
+{
+	pfkey_msg_t response;
+	protocol_id_t protocol;
+	u_int32_t spi, reqid;
+	bool hard;
+	job_t *job;
+	
+	DBG2(DBG_KNL, "received an SADB_EXPIRE");
+	
+	if (parse_pfkey_message(msg, &response) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "parsing SADB_EXPIRE from kernel failed");
+		return;
+	}
+	
+	protocol = proto_satype2ike(msg->sadb_msg_satype);
+	spi = response.sa->sadb_sa_spi;
+	reqid = response.x_sa2->sadb_x_sa2_reqid;
+	hard = response.lft_hard != NULL;
+	
+	if (protocol != PROTO_ESP && protocol != PROTO_AH)
+	{
+		DBG2(DBG_KNL, "ignoring SADB_EXPIRE for SA with SPI %.8x and reqid {%u} "
+					  "which is not a CHILD_SA", ntohl(spi), reqid);
+		return;
+	}
+	
+	DBG1(DBG_KNL, "creating %s job for %N CHILD_SA with SPI %.8x and reqid {%u}",
+		 hard ? "delete" : "rekey",  protocol_id_names,
+		 protocol, ntohl(spi), reqid);
+	if (hard)
+	{
+		job = (job_t*)delete_child_sa_job_create(reqid, protocol, spi);
+	}
+	else
+	{
+		job = (job_t*)rekey_child_sa_job_create(reqid, protocol, spi);
+	}
+	charon->processor->queue_job(charon->processor, job);
+}
+
+/**
+ * Process a SADB_MIGRATE message from the kernel
+ */
+static void process_migrate(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg)
+{
+	pfkey_msg_t response;
+	traffic_selector_t *src_ts, *dst_ts;
+	policy_dir_t dir;
+	u_int32_t reqid = 0;
+	host_t *local = NULL, *remote = NULL;
+	job_t *job;
+
+	DBG2(DBG_KNL, "received an SADB_X_MIGRATE");
+
+	if (parse_pfkey_message(msg, &response) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "parsing SADB_X_MIGRATE from kernel failed");
+		return;
+	}
+	src_ts = sadb_address2ts(response.src);
+	dst_ts = sadb_address2ts(response.dst);
+	dir = kernel2dir(response.x_policy->sadb_x_policy_dir);
+	DBG2(DBG_KNL, "  policy %R === %R %N, id %u", src_ts, dst_ts,
+					 policy_dir_names, dir);
+	
+	/* SADB_X_EXT_KMADDRESS is not present in unpatched kernels < 2.6.28 */   
+	if (response.x_kmaddress)
+	{
+		sockaddr_t *local_addr, *remote_addr;
+		u_int32_t local_len;
+
+		local_addr  = (sockaddr_t*)&response.x_kmaddress[1];
+		local = host_create_from_sockaddr(local_addr);
+		local_len = (local_addr->sa_family == AF_INET6)?
+					sizeof(struct sockaddr_in6) : sizeof(struct sockaddr_in);
+		remote_addr = (sockaddr_t*)((u_int8_t*)local_addr + local_len);
+		remote = host_create_from_sockaddr(remote_addr);
+		DBG2(DBG_KNL, "  kmaddress: %H...%H", local, remote);
+	}
+	
+	if (src_ts && dst_ts && local && remote)
+	{
+		DBG1(DBG_KNL, "creating migrate job for policy %R === %R %N with reqid {%u}",
+					   src_ts, dst_ts, policy_dir_names, dir, reqid, local);
+		job = (job_t*)migrate_job_create(reqid, src_ts, dst_ts, dir,
+										 local, remote);
+		charon->processor->queue_job(charon->processor, job);
+	}
+	else
+	{
+		DESTROY_IF(src_ts);
+		DESTROY_IF(dst_ts);
+		DESTROY_IF(local);
+		DESTROY_IF(remote);
+	}
+}
+
+/**
+ * Process a SADB_X_NAT_T_NEW_MAPPING message from the kernel
+ */
+static void process_mapping(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg)
+{
+	pfkey_msg_t response;
+	u_int32_t spi, reqid;
+	host_t *host;
+	job_t *job;
+	
+	DBG2(DBG_KNL, "received an SADB_X_NAT_T_NEW_MAPPING");
+	
+	if (parse_pfkey_message(msg, &response) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "parsing SADB_X_NAT_T_NEW_MAPPING from kernel failed");
+		return;
+	}
+	
+	if (!response.x_sa2)
+	{
+		DBG1(DBG_KNL, "received SADB_X_NAT_T_NEW_MAPPING is missing required information");
+		return;
+	}
+	
+	spi = response.sa->sadb_sa_spi;
+	reqid = response.x_sa2->sadb_x_sa2_reqid;
+	
+	if (proto_satype2ike(msg->sadb_msg_satype) == PROTO_ESP)
+	{
+		sockaddr_t *sa = (sockaddr_t*)(response.dst + 1);
+		switch (sa->sa_family)
+		{
+			case AF_INET:
+			{
+				struct sockaddr_in *sin = (struct sockaddr_in*)sa;
+				sin->sin_port = htons(response.x_natt_dport->sadb_x_nat_t_port_port);
+			}
+			case AF_INET6:
+			{
+				struct sockaddr_in6 *sin6 = (struct sockaddr_in6*)sa;
+				sin6->sin6_port = htons(response.x_natt_dport->sadb_x_nat_t_port_port);
+			}
+			default:
+				break;
+		}
+		host = host_create_from_sockaddr(sa);
+		if (host)
+		{
+			DBG1(DBG_KNL, "NAT mappings of ESP CHILD_SA with SPI %.8x and "
+				"reqid {%u} changed, queuing update job", ntohl(spi), reqid);
+			job = (job_t*)update_sa_job_create(reqid, host);
+			charon->processor->queue_job(charon->processor, job);
+		}
+	}
+}
+
+/**
+ * Receives events from kernel
+ */
+static job_requeue_t receive_events(private_kernel_pfkey_ipsec_t *this)
+{
+	unsigned char buf[PFKEY_BUFFER_SIZE];
+	struct sadb_msg *msg = (struct sadb_msg*)buf;
+	int len, oldstate;
+	
+	pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
+	len = recv(this->socket_events, buf, sizeof(buf), 0);
+	pthread_setcancelstate(oldstate, NULL);
+	
+	if (len < 0)
+	{
+		switch (errno)
+		{
+			case EINTR:
+				/* interrupted, try again */
+				return JOB_REQUEUE_DIRECT;
+			case EAGAIN:
+				/* no data ready, select again */
+				return JOB_REQUEUE_DIRECT;
+			default:
+				DBG1(DBG_KNL, "unable to receive from PF_KEY event socket");
+				sleep(1);
+				return JOB_REQUEUE_FAIR;
+		}
+	}
+	
+	if (len < sizeof(struct sadb_msg) ||
+		msg->sadb_msg_len < PFKEY_LEN(sizeof(struct sadb_msg)))
+	{
+		DBG2(DBG_KNL, "received corrupted PF_KEY message");
+		return JOB_REQUEUE_DIRECT;
+	}
+	if (msg->sadb_msg_pid != 0)
+	{	/* not from kernel. not interested, try another one */
+		return JOB_REQUEUE_DIRECT;
+	}
+	if (msg->sadb_msg_len > len / PFKEY_ALIGNMENT)
+	{
+		DBG1(DBG_KNL, "buffer was too small to receive the complete PF_KEY message");
+		return JOB_REQUEUE_DIRECT;
+	}
+	
+	switch (msg->sadb_msg_type)
+	{
+		case SADB_ACQUIRE:
+			process_acquire(this, msg);
+			break;
+		case SADB_EXPIRE:
+			process_expire(this, msg);
+			break;
+		case SADB_X_MIGRATE:
+			process_migrate(this, msg);
+			break;
+		case SADB_X_NAT_T_NEW_MAPPING:
+			process_mapping(this, msg);
+			break;
+		default:
+			break;
+	}
+	
+	return JOB_REQUEUE_DIRECT;
+}
+
+/**
+ * Implementation of kernel_interface_t.get_spi.
+ */
+static status_t get_spi(private_kernel_pfkey_ipsec_t *this, 
+						host_t *src, host_t *dst, 
+						protocol_id_t protocol, u_int32_t reqid,
+						u_int32_t *spi)
+{
+	unsigned char request[PFKEY_BUFFER_SIZE];
+	struct sadb_msg *msg, *out;
+	struct sadb_x_sa2 *sa2;
+	struct sadb_address *addr;
+	struct sadb_spirange *range;
+	pfkey_msg_t response;
+	u_int32_t received_spi = 0;
+	size_t len;
+	
+	memset(&request, 0, sizeof(request));
+	
+	msg = (struct sadb_msg*)request;
+	msg->sadb_msg_version = PF_KEY_V2;
+	msg->sadb_msg_type = SADB_GETSPI;
+	msg->sadb_msg_satype = proto_ike2satype(protocol);
+	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
+	
+	sa2 = (struct sadb_x_sa2*)PFKEY_EXT_ADD_NEXT(msg);
+	sa2->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
+	sa2->sadb_x_sa2_len = PFKEY_LEN(sizeof(struct sadb_spirange));
+	sa2->sadb_x_sa2_reqid = reqid;
+	PFKEY_EXT_ADD(msg, sa2);
+	
+	addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
+	addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
+	host2ext(src, addr);
+	PFKEY_EXT_ADD(msg, addr);
+	
+	addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
+	addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
+	host2ext(dst, addr);
+	PFKEY_EXT_ADD(msg, addr);
+	
+	range = (struct sadb_spirange*)PFKEY_EXT_ADD_NEXT(msg);
+	range->sadb_spirange_exttype = SADB_EXT_SPIRANGE;
+	range->sadb_spirange_len = PFKEY_LEN(sizeof(struct sadb_spirange));
+	range->sadb_spirange_min = 0xc0000000;
+	range->sadb_spirange_max = 0xcFFFFFFF;
+	PFKEY_EXT_ADD(msg, range);
+	
+	if (pfkey_send(this, msg, &out, &len) == SUCCESS)
+	{
+		if (out->sadb_msg_errno)
+		{
+			DBG1(DBG_KNL, "allocating SPI failed: %s (%d)",
+					strerror(out->sadb_msg_errno), out->sadb_msg_errno);
+		}
+		else if (parse_pfkey_message(out, &response) == SUCCESS)
+		{
+			received_spi = response.sa->sadb_sa_spi;
+		}
+		free(out);	
+	}
+	
+	if (received_spi == 0)
+	{
+		return FAILED;
+	}
+	
+	*spi = received_spi;
+	return SUCCESS;
+}
+
+/**
+ * Implementation of kernel_interface_t.get_cpi.
+ */
+static status_t get_cpi(private_kernel_pfkey_ipsec_t *this, 
+						host_t *src, host_t *dst, 
+						u_int32_t reqid, u_int16_t *cpi)
+{
+	return FAILED;
+}
+
+/**
+ * Implementation of kernel_interface_t.add_sa.
+ */
+static status_t add_sa(private_kernel_pfkey_ipsec_t *this,
+					   host_t *src, host_t *dst, u_int32_t spi,
+					   protocol_id_t protocol, u_int32_t reqid,
+					   u_int64_t expire_soft, u_int64_t expire_hard,
+					   u_int16_t enc_alg, chunk_t enc_key,
+					   u_int16_t int_alg, chunk_t int_key,
+					   ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
+					   bool encap, bool inbound)
+{
+	unsigned char request[PFKEY_BUFFER_SIZE];
+	struct sadb_msg *msg, *out;
+	struct sadb_sa *sa;
+	struct sadb_x_sa2 *sa2;
+	struct sadb_address *addr;
+	struct sadb_lifetime *lft;
+	struct sadb_key *key;
+	size_t len;
+	
+	memset(&request, 0, sizeof(request));
+	
+	DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%u}", ntohl(spi), reqid);
+	
+	msg = (struct sadb_msg*)request;
+	msg->sadb_msg_version = PF_KEY_V2;
+	msg->sadb_msg_type = inbound ? SADB_UPDATE : SADB_ADD;
+	msg->sadb_msg_satype = proto_ike2satype(protocol);
+	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
+	
+	sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
+	sa->sadb_sa_exttype = SADB_EXT_SA;
+	sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
+	sa->sadb_sa_spi = spi;
+	sa->sadb_sa_replay = (protocol == IPPROTO_COMP) ? 0 : 32;
+	sa->sadb_sa_auth = lookup_algorithm(integrity_algs, int_alg);
+	sa->sadb_sa_encrypt = lookup_algorithm(encryption_algs, enc_alg);
+	PFKEY_EXT_ADD(msg, sa);
+	
+	sa2 = (struct sadb_x_sa2*)PFKEY_EXT_ADD_NEXT(msg);
+	sa2->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
+	sa2->sadb_x_sa2_len = PFKEY_LEN(sizeof(struct sadb_spirange));
+	sa2->sadb_x_sa2_mode = mode2kernel(mode);
+	sa2->sadb_x_sa2_reqid = reqid;
+	PFKEY_EXT_ADD(msg, sa2);
+	
+	addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
+	addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
+	host2ext(src, addr);
+	PFKEY_EXT_ADD(msg, addr);
+	
+	addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
+	addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
+	host2ext(dst, addr);
+	PFKEY_EXT_ADD(msg, addr);
+	
+	lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
+	lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT;
+	lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
+	lft->sadb_lifetime_addtime = expire_soft;
+	PFKEY_EXT_ADD(msg, lft);
+	
+	lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
+	lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
+	lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
+	lft->sadb_lifetime_addtime = expire_hard;
+	PFKEY_EXT_ADD(msg, lft);
+	
+	if (enc_alg != ENCR_UNDEFINED)
+	{
+		if (!sa->sadb_sa_encrypt)
+		{
+			DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
+				 encryption_algorithm_names, enc_alg);
+			return FAILED;
+		}
+		DBG2(DBG_KNL, "  using encryption algorithm %N with key size %d",
+			 encryption_algorithm_names, enc_alg, enc_key.len * 8);
+		
+		key = (struct sadb_key*)PFKEY_EXT_ADD_NEXT(msg);
+		key->sadb_key_exttype = SADB_EXT_KEY_ENCRYPT;
+		key->sadb_key_bits = enc_key.len * 8;
+		key->sadb_key_len = PFKEY_LEN(sizeof(struct sadb_key) + enc_key.len);
+		memcpy(key + 1, enc_key.ptr, enc_key.len);
+		
+		PFKEY_EXT_ADD(msg, key);
+	}
+	
+	if (int_alg != AUTH_UNDEFINED)
+	{
+		if (!sa->sadb_sa_auth)
+		{
+			DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
+					 integrity_algorithm_names, int_alg);
+			return FAILED;
+		}
+		DBG2(DBG_KNL, "  using integrity algorithm %N with key size %d",
+			 integrity_algorithm_names, int_alg, int_key.len * 8);
+		
+		key = (struct sadb_key*)PFKEY_EXT_ADD_NEXT(msg);
+		key->sadb_key_exttype = SADB_EXT_KEY_AUTH;
+		key->sadb_key_bits = int_key.len * 8;
+		key->sadb_key_len = PFKEY_LEN(sizeof(struct sadb_key) + int_key.len);
+		memcpy(key + 1, int_key.ptr, int_key.len);
+		
+		PFKEY_EXT_ADD(msg, key);
+	}
+	
+	if (ipcomp != IPCOMP_NONE)
+	{
+		/*TODO*/
+	}
+	
+	if (encap)
+	{
+		add_encap_ext(msg, src, dst);
+	}
+	
+	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x", ntohl(spi));
+		return FAILED;
+	}
+	else if (out->sadb_msg_errno)
+	{
+		DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x: %s (%d)",
+				ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
+		free(out);
+		return FAILED;
+	}
+	
+	free(out);
+	return SUCCESS;
+}
+
+/**
+ * Implementation of kernel_interface_t.update_sa.
+ */
+static status_t update_sa(private_kernel_pfkey_ipsec_t *this,
+						  u_int32_t spi, protocol_id_t protocol, u_int16_t cpi,
+						  host_t *src, host_t *dst,
+						  host_t *new_src, host_t *new_dst,
+						  bool encap, bool new_encap)
+{
+	unsigned char request[PFKEY_BUFFER_SIZE];
+	struct sadb_msg *msg, *out;
+	struct sadb_sa *sa;
+	struct sadb_address *addr;
+	pfkey_msg_t response;
+	size_t len;
+	
+	/* we can't update the SA if any of the ip addresses have changed.
+	 * that's because we can't use SADB_UPDATE and by deleting and readding the
+	 * SA the sequence numbers would get lost */
+	if (!src->ip_equals(src, new_src) ||
+		!dst->ip_equals(dst, new_dst))
+	{
+		DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x: address changes"
+				" are not supported", ntohl(spi));
+		return NOT_SUPPORTED;
+	}
+	
+	memset(&request, 0, sizeof(request));
+	
+	DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi));
+	
+	msg = (struct sadb_msg*)request;
+	msg->sadb_msg_version = PF_KEY_V2;
+	msg->sadb_msg_type = SADB_GET;
+	msg->sadb_msg_satype = proto_ike2satype(protocol);
+	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
+	
+	sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
+	sa->sadb_sa_exttype = SADB_EXT_SA;
+	sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
+	sa->sadb_sa_spi = spi;
+	PFKEY_EXT_ADD(msg, sa);
+	
+	/* the kernel wants a SADB_EXT_ADDRESS_SRC to be present even though
+	 * it is not used for anything, so we just send dst twice */
+	addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
+	addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
+	host2ext(dst, addr);
+	PFKEY_EXT_ADD(msg, addr);
+	
+	addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
+	addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
+	host2ext(dst, addr);
+	PFKEY_EXT_ADD(msg, addr);
+	
+	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x",
+				ntohl(spi));
+		return FAILED;
+	}
+	else if (out->sadb_msg_errno)
+	{
+		DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x: %s (%d)",
+			ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
+		free(out);
+		return FAILED;
+	}
+	else if (parse_pfkey_message(out, &response) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x: parsing response "
+				"from kernel failed", ntohl(spi));
+		free(out);
+		return FAILED;
+	}
+	
+	DBG2(DBG_KNL, "updating SAD entry with SPI %.8x from %#H..%#H to %#H..%#H",
+		 ntohl(spi), src, dst, new_src, new_dst);
+	
+	memset(&request, 0, sizeof(request));
+	
+	msg = (struct sadb_msg*)request;
+	msg->sadb_msg_version = PF_KEY_V2;
+	msg->sadb_msg_type = SADB_UPDATE;
+	msg->sadb_msg_satype = proto_ike2satype(protocol);
+	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
+	
+	PFKEY_EXT_COPY(msg, response.sa);
+	PFKEY_EXT_COPY(msg, response.x_sa2);
+	
+	PFKEY_EXT_COPY(msg, response.src);
+	PFKEY_EXT_COPY(msg, response.dst);
+	
+	PFKEY_EXT_COPY(msg, response.lft_soft);
+	PFKEY_EXT_COPY(msg, response.lft_hard);
+	
+	if (response.key_encr)
+	{
+		PFKEY_EXT_COPY(msg, response.key_encr);
+	}
+	
+	if (response.key_auth)
+	{
+		PFKEY_EXT_COPY(msg, response.key_auth);
+	}
+	
+	if (new_encap)
+	{
+		add_encap_ext(msg, new_src, new_dst);
+	}
+	
+	free(out);
+	
+	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi));
+		return FAILED;
+	}
+	else if (out->sadb_msg_errno)
+	{
+		DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x: %s (%d)",
+				ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
+		free(out);
+		return FAILED;
+	}
+	free(out);
+	
+	return SUCCESS;
+}
+
+/**
+ * Implementation of kernel_interface_t.del_sa.
+ */
+static status_t del_sa(private_kernel_pfkey_ipsec_t *this, host_t *dst,
+					   u_int32_t spi, protocol_id_t protocol, u_int16_t cpi)
+{
+	unsigned char request[PFKEY_BUFFER_SIZE];
+	struct sadb_msg *msg, *out;
+	struct sadb_sa *sa;
+	struct sadb_address *addr;
+	size_t len;
+	
+	memset(&request, 0, sizeof(request));
+	
+	DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x", ntohl(spi));
+	
+	msg = (struct sadb_msg*)request;
+	msg->sadb_msg_version = PF_KEY_V2;
+	msg->sadb_msg_type = SADB_DELETE;
+	msg->sadb_msg_satype = proto_ike2satype(protocol);
+	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
+	
+	sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
+	sa->sadb_sa_exttype = SADB_EXT_SA;
+	sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
+	sa->sadb_sa_spi = spi;
+	PFKEY_EXT_ADD(msg, sa);
+	
+	/* the kernel wants a SADB_EXT_ADDRESS_SRC to be present even though
+	 * it is not used for anything, so we just send dst twice */
+	addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
+	addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
+	host2ext(dst, addr);
+	PFKEY_EXT_ADD(msg, addr);
+	
+	addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
+	addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
+	host2ext(dst, addr);
+	PFKEY_EXT_ADD(msg, addr);
+	
+	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x", ntohl(spi));
+		return FAILED;
+	}
+	else if (out->sadb_msg_errno)
+	{
+		DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x: %s (%d)",
+				ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
+		free(out);
+		return FAILED;
+	}
+	
+	DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x", ntohl(spi));
+	free(out);
+	return SUCCESS;
+}
+
+/**
+ * Implementation of kernel_interface_t.add_policy.
+ */
+static status_t add_policy(private_kernel_pfkey_ipsec_t *this, 
+						   host_t *src, host_t *dst,
+						   traffic_selector_t *src_ts,
+						   traffic_selector_t *dst_ts,
+						   policy_dir_t direction, u_int32_t spi,
+						   protocol_id_t protocol, u_int32_t reqid,
+						   ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
+						   bool routed)
+{
+	unsigned char request[PFKEY_BUFFER_SIZE];
+	struct sadb_msg *msg, *out;
+	struct sadb_x_policy *pol;
+	struct sadb_address *addr;
+	struct sadb_x_ipsecrequest *req;
+	policy_entry_t *policy, *found = NULL;
+	pfkey_msg_t response;
+	size_t len;
+	
+	/* create a policy */
+	policy = create_policy_entry(src_ts, dst_ts, direction, reqid);
+	
+	/* find a matching policy */
+	this->mutex->lock(this->mutex);
+	if (this->policies->find_first(this->policies,
+			(linked_list_match_t)policy_entry_equals, (void**)&found, policy) == SUCCESS)
+	{
+		/* use existing policy */
+		found->refcount++;
+		DBG2(DBG_KNL, "policy %R === %R %N already exists, increasing "
+					  "refcount", src_ts, dst_ts,
+					   policy_dir_names, direction);
+		policy_entry_destroy(policy);
+		policy = found;
+	}
+	else
+	{
+		/* apply the new one, if we have no such policy */
+		this->policies->insert_last(this->policies, policy);
+		policy->refcount = 1;
+	}
+		
+	memset(&request, 0, sizeof(request));
+	
+	DBG2(DBG_KNL, "adding policy %R === %R %N", src_ts, dst_ts,
+				   policy_dir_names, direction);
+	
+	msg = (struct sadb_msg*)request;
+	msg->sadb_msg_version = PF_KEY_V2;
+	msg->sadb_msg_type = found ? SADB_X_SPDUPDATE : SADB_X_SPDADD;
+	msg->sadb_msg_satype = 0;
+	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
+	
+	pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
+	pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
+	pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
+	pol->sadb_x_policy_id = 0;
+	pol->sadb_x_policy_dir = dir2kernel(direction);
+	/* calculate priority based on source selector size, small size = high prio */
+	pol->sadb_x_policy_priority = routed ? PRIO_LOW : PRIO_HIGH;
+	pol->sadb_x_policy_priority -= policy->src.mask * 10;
+	pol->sadb_x_policy_priority -= policy->src.proto != IPSEC_PROTO_ANY ? 2 : 0;
+	pol->sadb_x_policy_priority -= policy->src.net->get_port(policy->src.net) ? 1 : 0;
+	pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
+	
+	/* one or more sadb_x_ipsecrequest extensions are added to the sadb_x_policy extension */
+	req = (struct sadb_x_ipsecrequest*)(pol + 1);
+	req->sadb_x_ipsecrequest_proto = proto_ike2ip(protocol);
+	/* !!! the length of this struct MUST be in octets instead of 64 bit words */
+	req->sadb_x_ipsecrequest_len = sizeof(struct sadb_x_ipsecrequest);
+	req->sadb_x_ipsecrequest_mode = mode2kernel(mode);
+	req->sadb_x_ipsecrequest_reqid = reqid;
+	req->sadb_x_ipsecrequest_level = IPSEC_LEVEL_UNIQUE;
+	if (mode == MODE_TUNNEL)
+	{
+		sockaddr_t *sa;
+		socklen_t sl;
+		sa = src->get_sockaddr(src);
+		sl = *src->get_sockaddr_len(src);
+		memcpy(req + 1, sa, sl);
+		sa = dst->get_sockaddr(dst);
+		memcpy((u_int8_t*)(req + 1) + sl, sa, sl);
+		req->sadb_x_ipsecrequest_len += sl * 2;
+	}
+	
+	pol->sadb_x_policy_len += PFKEY_LEN(req->sadb_x_ipsecrequest_len);
+	PFKEY_EXT_ADD(msg, pol);
+	
+	addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
+	addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
+	addr->sadb_address_proto = policy->src.proto;
+	addr->sadb_address_prefixlen = policy->src.mask;
+	host2ext(policy->src.net, addr);
+	PFKEY_EXT_ADD(msg, addr);
+	
+	addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
+	addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
+	addr->sadb_address_proto = policy->dst.proto;
+	addr->sadb_address_prefixlen = policy->dst.mask;
+	host2ext(policy->dst.net, addr);
+	PFKEY_EXT_ADD(msg, addr);
+	
+	this->mutex->unlock(this->mutex);
+	
+	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "unable to add policy %R === %R %N", src_ts, dst_ts,
+					   policy_dir_names, direction);
+		return FAILED;
+	}
+	else if (out->sadb_msg_errno)
+	{
+		DBG1(DBG_KNL, "unable to add policy %R === %R %N: %s (%d)", src_ts, dst_ts,
+					   policy_dir_names, direction,
+					   strerror(out->sadb_msg_errno), out->sadb_msg_errno);
+		free(out);
+		return FAILED;
+	}
+	else if (parse_pfkey_message(out, &response) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "unable to add policy %R === %R %N: parsing response "
+				"from kernel failed", src_ts, dst_ts, policy_dir_names, direction);
+		free(out);
+		return FAILED;
+	}
+	
+	this->mutex->lock(this->mutex);
+	
+	/* we try to find the policy again and update the kernel index */
+	if (this->policies->find_last(this->policies, NULL, (void**)&policy) != SUCCESS)
+	{
+		DBG2(DBG_KNL, "unable to update index, the policy %R === %R %N is "
+				"already gone, ignoring", src_ts, dst_ts, policy_dir_names, direction);
+		this->mutex->unlock(this->mutex);
+		free(out);
+		return SUCCESS;
+	}
+	policy->index = response.x_policy->sadb_x_policy_id;
+	free(out);
+	
+	/* install a route, if:
+	 * - we are NOT updating a policy
+	 * - this is a forward policy (to just get one for each child)
+	 * - we are in tunnel mode
+	 * - we are not using IPv6 (does not work correctly yet!)
+	 * - routing is not disabled via strongswan.conf
+	 */
+	if (policy->route == NULL && direction == POLICY_FWD &&
+		mode != MODE_TRANSPORT && src->get_family(src) != AF_INET6 &&
+		this->install_routes)
+	{
+		route_entry_t *route = malloc_thing(route_entry_t);
+		
+		if (charon->kernel_interface->get_address_by_ts(charon->kernel_interface,
+				dst_ts, &route->src_ip) == SUCCESS)
+		{
+			/* get the nexthop to src (src as we are in POLICY_FWD).*/
+			route->gateway = charon->kernel_interface->get_nexthop(
+									charon->kernel_interface, src);
+			route->if_name = charon->kernel_interface->get_interface(
+									charon->kernel_interface, dst);
+			route->dst_net = chunk_clone(policy->src.net->get_address(policy->src.net));
+			route->prefixlen = policy->src.mask;
+			
+			switch (charon->kernel_interface->add_route(charon->kernel_interface,
+					route->dst_net, route->prefixlen, route->gateway,
+					route->src_ip, route->if_name))
+			{
+				default:
+					DBG1(DBG_KNL, "unable to install source route for %H",
+						 route->src_ip);
+					/* FALL */
+				case ALREADY_DONE:
+					/* route exists, do not uninstall */
+					route_entry_destroy(route);
+					break;
+				case SUCCESS:
+					/* cache the installed route */
+					policy->route = route;
+					break;
+			}
+		}
+		else
+		{
+			free(route);
+		}
+	}	
+	
+	this->mutex->unlock(this->mutex);	
+	
+	return SUCCESS;
+}
+
+/**
+ * Implementation of kernel_interface_t.query_policy.
+ */
+static status_t query_policy(private_kernel_pfkey_ipsec_t *this,
+							 traffic_selector_t *src_ts, 
+							 traffic_selector_t *dst_ts,
+							 policy_dir_t direction, u_int32_t *use_time)
+{
+	unsigned char request[PFKEY_BUFFER_SIZE];
+	struct sadb_msg *msg, *out;
+	struct sadb_x_policy *pol;
+	struct sadb_address *addr;
+	policy_entry_t *policy, *found = NULL;
+	pfkey_msg_t response;
+	size_t len;
+	
+	DBG2(DBG_KNL, "querying policy %R === %R %N", src_ts, dst_ts,
+				   policy_dir_names, direction);
+
+	/* create a policy */
+	policy = create_policy_entry(src_ts, dst_ts, direction, 0);
+	
+	/* find a matching policy */
+	this->mutex->lock(this->mutex);
+	if (this->policies->find_first(this->policies,
+			(linked_list_match_t)policy_entry_equals, (void**)&found, policy) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "querying policy %R === %R %N failed, not found", src_ts,
+					   dst_ts, policy_dir_names, direction);
+		policy_entry_destroy(policy);
+		this->mutex->unlock(this->mutex);
+		return NOT_FOUND;
+	}
+	policy_entry_destroy(policy);
+	policy = found;
+	
+	memset(&request, 0, sizeof(request));
+	
+	msg = (struct sadb_msg*)request;
+	msg->sadb_msg_version = PF_KEY_V2;
+	msg->sadb_msg_type = SADB_X_SPDGET;
+	msg->sadb_msg_satype = 0;
+	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
+	
+	pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
+	pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
+	pol->sadb_x_policy_id = policy->index;
+	pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
+	pol->sadb_x_policy_dir = dir2kernel(direction);
+	pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
+	PFKEY_EXT_ADD(msg, pol);
+	
+	addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
+	addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
+	addr->sadb_address_proto = policy->src.proto;
+	addr->sadb_address_prefixlen = policy->src.mask;
+	host2ext(policy->src.net, addr);
+	PFKEY_EXT_ADD(msg, addr);
+	
+	addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
+	addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
+	addr->sadb_address_proto = policy->dst.proto;
+	addr->sadb_address_prefixlen = policy->dst.mask;
+	host2ext(policy->dst.net, addr);
+	PFKEY_EXT_ADD(msg, addr);
+	
+	this->mutex->unlock(this->mutex);
+	
+	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "unable to query policy %R === %R %N", src_ts, dst_ts,
+					   policy_dir_names, direction);
+		return FAILED;
+	}
+	else if (out->sadb_msg_errno)
+	{
+		DBG1(DBG_KNL, "unable to query policy %R === %R %N: %s (%d)", src_ts,
+					   dst_ts, policy_dir_names, direction,
+					   strerror(out->sadb_msg_errno), out->sadb_msg_errno);
+		free(out);
+		return FAILED;
+	}
+	else if (parse_pfkey_message(out, &response) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "unable to query policy %R === %R %N: parsing response "
+				"from kernel failed", src_ts, dst_ts, policy_dir_names, direction);
+		free(out);
+		return FAILED;
+	}
+	
+	*use_time = response.lft_current->sadb_lifetime_usetime;
+	
+	free(out);
+			
+	return SUCCESS;
+}
+
+/**
+ * Implementation of kernel_interface_t.del_policy.
+ */
+static status_t del_policy(private_kernel_pfkey_ipsec_t *this,
+						   traffic_selector_t *src_ts, 
+						   traffic_selector_t *dst_ts,
+						   policy_dir_t direction, bool unrouted)
+{
+	unsigned char request[PFKEY_BUFFER_SIZE];
+	struct sadb_msg *msg, *out;
+	struct sadb_x_policy *pol;
+	struct sadb_address *addr;
+	policy_entry_t *policy, *found = NULL;
+	route_entry_t *route;
+	size_t len;
+	
+	DBG2(DBG_KNL, "deleting policy %R === %R %N", src_ts, dst_ts,
+				   policy_dir_names, direction);
+	
+	/* create a policy */
+	policy = create_policy_entry(src_ts, dst_ts, direction, 0);
+	
+	/* find a matching policy */
+	this->mutex->lock(this->mutex);
+	if (this->policies->find_first(this->policies,
+			(linked_list_match_t)policy_entry_equals, (void**)&found, policy) == SUCCESS)
+	{
+		if (--found->refcount > 0)
+		{
+			/* is used by more SAs, keep in kernel */
+			DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed");	
+			policy_entry_destroy(policy);
+			this->mutex->unlock(this->mutex);
+			return SUCCESS;
+		}
+		/* remove if last reference */
+		this->policies->remove(this->policies, found, NULL);
+		policy_entry_destroy(policy);
+		policy = found;
+	}
+	else
+	{
+		DBG1(DBG_KNL, "deleting policy %R === %R %N failed, not found", src_ts,
+					   dst_ts, policy_dir_names, direction);
+		policy_entry_destroy(policy);
+		this->mutex->unlock(this->mutex);
+		return NOT_FOUND;
+	}
+	this->mutex->unlock(this->mutex);
+		
+	memset(&request, 0, sizeof(request));
+	
+	msg = (struct sadb_msg*)request;
+	msg->sadb_msg_version = PF_KEY_V2;
+	msg->sadb_msg_type = SADB_X_SPDDELETE;
+	msg->sadb_msg_satype = 0;
+	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
+	
+	pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
+	pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
+	pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
+	pol->sadb_x_policy_dir = dir2kernel(direction);
+	pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
+	PFKEY_EXT_ADD(msg, pol);
+	
+	addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
+	addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
+	addr->sadb_address_proto = policy->src.proto;
+	addr->sadb_address_prefixlen = policy->src.mask;
+	host2ext(policy->src.net, addr);
+	PFKEY_EXT_ADD(msg, addr);
+	
+	addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
+	addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
+	addr->sadb_address_proto = policy->dst.proto;
+	addr->sadb_address_prefixlen = policy->dst.mask;
+	host2ext(policy->dst.net, addr);
+	PFKEY_EXT_ADD(msg, addr);
+	
+	route = policy->route;
+	policy->route = NULL;
+	policy_entry_destroy(policy);
+	
+	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "unable to delete policy %R === %R %N", src_ts, dst_ts,
+					   policy_dir_names, direction);
+		return FAILED;
+	}
+	else if (out->sadb_msg_errno)
+	{
+		DBG1(DBG_KNL, "unable to delete policy %R === %R %N: %s (%d)", src_ts,
+					   dst_ts, policy_dir_names, direction,
+					   strerror(out->sadb_msg_errno), out->sadb_msg_errno);
+		free(out);
+		return FAILED;
+	}
+	free(out);
+	
+	if (route)
+	{
+		if (charon->kernel_interface->del_route(charon->kernel_interface,
+				route->dst_net, route->prefixlen, route->gateway,
+				route->src_ip, route->if_name) != SUCCESS)
+		{
+			DBG1(DBG_KNL, "error uninstalling route installed with "
+						  "policy %R === %R %N", src_ts, dst_ts,
+						   policy_dir_names, direction);
+		}		
+		route_entry_destroy(route);
+	}
+	
+	return SUCCESS;
+}
+
+/**
+ * Register a socket for AQUIRE/EXPIRE messages
+ */
+static status_t register_pfkey_socket(private_kernel_pfkey_ipsec_t *this, u_int8_t satype)
+{
+	unsigned char request[PFKEY_BUFFER_SIZE];
+	struct sadb_msg *msg, *out;
+	size_t len;
+	
+	memset(&request, 0, sizeof(request));
+	
+	msg = (struct sadb_msg*)request;
+	msg->sadb_msg_version = PF_KEY_V2;
+	msg->sadb_msg_type = SADB_REGISTER;
+	msg->sadb_msg_satype = satype;
+	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
+	
+	if (pfkey_send_socket(this, this->socket_events, msg, &out, &len) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "unable to register PF_KEY socket");
+		return FAILED;
+	}
+	else if (out->sadb_msg_errno)
+	{
+		DBG1(DBG_KNL, "unable to register PF_KEY socket: %s (%d)",
+					   strerror(out->sadb_msg_errno), out->sadb_msg_errno);
+		free(out);
+		return FAILED;
+	}
+	free(out);
+	return SUCCESS;
+}
+
+/**
+ * Implementation of kernel_interface_t.destroy.
+ */
+static void destroy(private_kernel_pfkey_ipsec_t *this)
+{
+	this->job->cancel(this->job);
+	close(this->socket);
+	close(this->socket_events);
+	this->policies->destroy_function(this->policies, (void*)policy_entry_destroy);
+	this->mutex->destroy(this->mutex);
+	this->mutex_pfkey->destroy(this->mutex_pfkey);
+	free(this);
+}
+
+/**
+ * Add bypass policies for IKE on the sockets of charon
+ */
+static bool add_bypass_policies(private_kernel_pfkey_ipsec_t *this)
+{
+	int fd, family, port;
+	enumerator_t *sockets;
+	bool status = TRUE;
+	
+	sockets = charon->socket->create_enumerator(charon->socket);
+	while (sockets->enumerate(sockets, &fd, &family, &port))
+	{
+		struct sadb_x_policy policy;
+		u_int sol, ipsec_policy;
+		
+		switch (family)
+		{
+			case AF_INET:
+				sol = SOL_IP;
+				ipsec_policy = IP_IPSEC_POLICY;
+				break;
+			case AF_INET6:
+			{
+				sol = SOL_IPV6;
+				ipsec_policy = IPV6_IPSEC_POLICY;
+				break;
+			}
+		}
+		
+		memset(&policy, 0, sizeof(policy));
+		policy.sadb_x_policy_len = sizeof(policy) / sizeof(u_int64_t);
+		policy.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
+		policy.sadb_x_policy_type = IPSEC_POLICY_BYPASS;
+	
+		policy.sadb_x_policy_dir = IPSEC_DIR_OUTBOUND;
+		if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
+		{
+			DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
+				 strerror(errno));
+			status = FALSE;
+			break;
+		}
+		policy.sadb_x_policy_dir = IPSEC_DIR_INBOUND;
+		if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
+		{
+			DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s", 
+				 strerror(errno));
+			status = FALSE;
+			break;
+		}
+	}
+	sockets->destroy(sockets);
+	return status;
+}
+
+/*
+ * Described in header.
+ */
+kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create()
+{
+	private_kernel_pfkey_ipsec_t *this = malloc_thing(private_kernel_pfkey_ipsec_t);
+	
+	/* public functions */
+	this->public.interface.get_spi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,protocol_id_t,u_int32_t,u_int32_t*))get_spi;
+	this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
+	this->public.interface.add_sa  = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa;
+	this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa;
+	this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
+	this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t,protocol_id_t,u_int32_t,ipsec_mode_t,u_int16_t,u_int16_t,bool))add_policy;
+	this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
+	this->public.interface.del_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,bool))del_policy;
+	
+	this->public.interface.destroy = (void(*)(kernel_ipsec_t*)) destroy;
+
+	/* private members */
+	this->policies = linked_list_create();
+	this->mutex = mutex_create(MUTEX_DEFAULT);
+	this->mutex_pfkey = mutex_create(MUTEX_DEFAULT);
+	this->install_routes = lib->settings->get_bool(lib->settings,
+												"charon.install_routes", TRUE);
+	this->seq = 0;
+	
+	/* create a PF_KEY socket to communicate with the kernel */
+	this->socket = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
+	if (this->socket <= 0)
+	{
+		charon->kill(charon, "unable to create PF_KEY socket");
+	}
+	
+	/* create a PF_KEY socket for ACQUIRE & EXPIRE */
+	this->socket_events = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
+	if (this->socket_events <= 0)
+	{
+		charon->kill(charon, "unable to create PF_KEY event socket");
+	}
+	
+	/* add bypass policies on the sockets used by charon */
+	if (!add_bypass_policies(this))
+	{
+		charon->kill(charon, "unable to add bypass policies on sockets");
+	}
+	
+	/* register the event socket */
+	if (register_pfkey_socket(this, SADB_SATYPE_ESP) != SUCCESS ||
+		register_pfkey_socket(this, SADB_SATYPE_AH) != SUCCESS)
+	{
+		charon->kill(charon, "unable to register PF_KEY event socket");
+	}
+	
+	this->job = callback_job_create((callback_job_cb_t)receive_events,
+									this, NULL, NULL);
+	charon->processor->queue_job(charon->processor, (job_t*)this->job);
+	
+	return &this->public;
+}
diff --git a/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.h b/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.h
new file mode 100644
index 000000000..6e2ec5377
--- /dev/null
+++ b/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.h
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id: kernel_pfkey_ipsec.h 4361 2008-10-01 16:47:51Z tobias $
+ */
+
+/**
+ * @defgroup kernel_pfkey_ipsec_i kernel_pfkey_ipsec
+ * @{ @ingroup kernel_pfkey
+ */
+
+#ifndef KERNEL_PFKEY_IPSEC_H_
+#define KERNEL_PFKEY_IPSEC_H_
+
+#include <kernel/kernel_ipsec.h>
+
+typedef struct kernel_pfkey_ipsec_t kernel_pfkey_ipsec_t;
+
+/**
+ * Implementation of the kernel ipsec interface using PF_KEY.
+ */
+struct kernel_pfkey_ipsec_t {
+
+	/**
+	 * Implements kernel_ipsec_t interface
+	 */
+	kernel_ipsec_t interface;
+};
+
+/**
+ * Create a PF_KEY kernel ipsec interface instance.
+ *
+ * @return			kernel_pfkey_ipsec_t instance
+ */
+kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create();
+
+#endif /* KERNEL_PFKEY_IPSEC_H_ @} */
diff --git a/src/charon/plugins/kernel_pfkey/kernel_pfkey_plugin.c b/src/charon/plugins/kernel_pfkey/kernel_pfkey_plugin.c
new file mode 100644
index 000000000..93015d75a
--- /dev/null
+++ b/src/charon/plugins/kernel_pfkey/kernel_pfkey_plugin.c
@@ -0,0 +1,58 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id: kernel_pfkey_plugin.c 4361 2008-10-01 16:47:51Z tobias $
+ */
+
+
+#include "kernel_pfkey_plugin.h"
+
+#include "kernel_pfkey_ipsec.h"
+
+#include <daemon.h>
+
+typedef struct private_kernel_pfkey_plugin_t private_kernel_pfkey_plugin_t;
+
+/**
+ * private data of kernel PF_KEY plugin
+ */
+struct private_kernel_pfkey_plugin_t {
+	/**
+	 * implements plugin interface
+	 */
+	kernel_pfkey_plugin_t public;
+};
+
+/**
+ * Implementation of plugin_t.destroy
+ */
+static void destroy(private_kernel_pfkey_plugin_t *this)
+{
+	charon->kernel_interface->remove_ipsec_interface(charon->kernel_interface, (kernel_ipsec_constructor_t)kernel_pfkey_ipsec_create);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *plugin_create()
+{
+	private_kernel_pfkey_plugin_t *this = malloc_thing(private_kernel_pfkey_plugin_t);
+	
+	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+	
+	charon->kernel_interface->add_ipsec_interface(charon->kernel_interface, (kernel_ipsec_constructor_t)kernel_pfkey_ipsec_create);
+	
+	return &this->public.plugin;
+}
diff --git a/src/charon/plugins/kernel_pfkey/kernel_pfkey_plugin.h b/src/charon/plugins/kernel_pfkey/kernel_pfkey_plugin.h
new file mode 100644
index 000000000..5e256ca74
--- /dev/null
+++ b/src/charon/plugins/kernel_pfkey/kernel_pfkey_plugin.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id: kernel_pfkey_plugin.h 4361 2008-10-01 16:47:51Z tobias $
+ */
+
+/**
+ * @defgroup kernel_pfkey kernel_pfkey
+ * @ingroup cplugins
+ *
+ * @defgroup kernel_pfkey_plugin kernel_pfkey_plugin
+ * @{ @ingroup kernel_pfkey
+ */
+
+#ifndef KERNEL_PFKEY_PLUGIN_H_
+#define KERNEL_PFKEY_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct kernel_pfkey_plugin_t kernel_pfkey_plugin_t;
+
+/**
+ * PF_KEY kernel interface plugin
+ */
+struct kernel_pfkey_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+/**
+ * Create a kernel_pfkey_plugin instance.
+ */
+plugin_t *plugin_create();
+
+#endif /* KERNEL_PFKEY_PLUGIN_H_ @} */
diff --git a/src/charon/plugins/load_tester/Makefile.am b/src/charon/plugins/load_tester/Makefile.am
new file mode 100644
index 000000000..88a6b688c
--- /dev/null
+++ b/src/charon/plugins/load_tester/Makefile.am
@@ -0,0 +1,16 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
+
+AM_CFLAGS = -rdynamic
+
+plugin_LTLIBRARIES = libstrongswan-load-tester.la
+
+libstrongswan_load_tester_la_SOURCES = \
+  load_tester_plugin.c load_tester_plugin.h \
+  load_tester_config.c load_tester_config.h \
+  load_tester_creds.c load_tester_creds.h \
+  load_tester_ipsec.c load_tester_ipsec.h \
+  load_tester_listener.c load_tester_listener.h
+
+libstrongswan_load_tester_la_LDFLAGS = -module
+
diff --git a/src/charon/plugins/load_tester/Makefile.in b/src/charon/plugins/load_tester/Makefile.in
new file mode 100644
index 000000000..a0a749b87
--- /dev/null
+++ b/src/charon/plugins/load_tester/Makefile.in
@@ -0,0 +1,509 @@
+# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/charon/plugins/load_tester
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__installdirs = "$(DESTDIR)$(plugindir)"
+pluginLTLIBRARIES_INSTALL = $(INSTALL)
+LTLIBRARIES = $(plugin_LTLIBRARIES)
+libstrongswan_load_tester_la_LIBADD =
+am_libstrongswan_load_tester_la_OBJECTS = load_tester_plugin.lo \
+	load_tester_config.lo load_tester_creds.lo \
+	load_tester_ipsec.lo load_tester_listener.lo
+libstrongswan_load_tester_la_OBJECTS =  \
+	$(am_libstrongswan_load_tester_la_OBJECTS)
+libstrongswan_load_tester_la_LINK = $(LIBTOOL) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_load_tester_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_load_tester_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_load_tester_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+CXXDEPMODE = @CXXDEPMODE@
+CXXFLAGS = @CXXFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DSYMUTIL = @DSYMUTIL@
+ECHO = @ECHO@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+F77 = @F77@
+FFLAGS = @FFLAGS@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
+IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LINUX_HEADERS = @LINUX_HEADERS@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+NMEDIT = @NMEDIT@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+RANLIB = @RANLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_CXX = @ac_ct_CXX@
+ac_ct_F77 = @ac_ct_F77@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+confdir = @confdir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libstrongswan_plugins = @libstrongswan_plugins@
+linuxdir = @linuxdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+resolv_conf = @resolv_conf@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+simreader = @simreader@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
+AM_CFLAGS = -rdynamic
+plugin_LTLIBRARIES = libstrongswan-load-tester.la
+libstrongswan_load_tester_la_SOURCES = \
+  load_tester_plugin.c load_tester_plugin.h \
+  load_tester_config.c load_tester_config.h \
+  load_tester_creds.c load_tester_creds.h \
+  load_tester_ipsec.c load_tester_ipsec.h \
+  load_tester_listener.c load_tester_listener.h
+
+libstrongswan_load_tester_la_LDFLAGS = -module
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
+		&& exit 0; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/charon/plugins/load_tester/Makefile'; \
+	cd $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu  src/charon/plugins/load_tester/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    f=$(am__strip_dir) \
+	    echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(plugindir)/$$f'"; \
+	    $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(plugindir)/$$f"; \
+	  else :; fi; \
+	done
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  p=$(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$p'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$p"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-load-tester.la: $(libstrongswan_load_tester_la_OBJECTS) $(libstrongswan_load_tester_la_DEPENDENCIES) 
+	$(libstrongswan_load_tester_la_LINK) -rpath $(plugindir) $(libstrongswan_load_tester_la_OBJECTS) $(libstrongswan_load_tester_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/load_tester_config.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/load_tester_creds.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/load_tester_ipsec.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/load_tester_listener.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/load_tester_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	    $$tags $$unique; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$tags $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) $$here
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	    fi; \
+	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
+	mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-info: install-info-am
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
+	distclean-compile distclean-generic distclean-libtool \
+	distclean-tags distdir dvi dvi-am html html-am info info-am \
+	install install-am install-data install-data-am install-dvi \
+	install-dvi-am install-exec install-exec-am install-html \
+	install-html-am install-info install-info-am install-man \
+	install-pdf install-pdf-am install-pluginLTLIBRARIES \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/charon/plugins/load_tester/load_tester_config.c b/src/charon/plugins/load_tester/load_tester_config.c
new file mode 100644
index 000000000..8e93d24bb
--- /dev/null
+++ b/src/charon/plugins/load_tester/load_tester_config.c
@@ -0,0 +1,143 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+#include "load_tester_config.h"
+
+#include <daemon.h>
+
+typedef struct private_load_tester_config_t private_load_tester_config_t;
+
+/**
+ * Private data of an load_tester_config_t object
+ */
+struct private_load_tester_config_t {
+
+	/**
+	 * Public part
+	 */
+	load_tester_config_t public;
+	
+	/**
+	 * peer config
+	 */
+	peer_cfg_t *peer_cfg;
+};
+
+/**
+ * Implementation of backend_t.create_peer_cfg_enumerator.
+ */
+static enumerator_t* create_peer_cfg_enumerator(private_load_tester_config_t *this,
+												identification_t *me, 
+												identification_t *other)
+{
+	return enumerator_create_single(this->peer_cfg, NULL);
+}
+
+/**
+ * Implementation of backend_t.create_ike_cfg_enumerator.
+ */
+static enumerator_t* create_ike_cfg_enumerator(private_load_tester_config_t *this,
+											   host_t *me, host_t *other)
+{
+	ike_cfg_t *ike_cfg;
+
+	ike_cfg = this->peer_cfg->get_ike_cfg(this->peer_cfg);
+	return enumerator_create_single(ike_cfg, NULL);
+}
+
+/**
+ * implements backend_t.get_peer_cfg_by_name.
+ */
+static peer_cfg_t *get_peer_cfg_by_name(private_load_tester_config_t *this,
+										char *name)
+{
+	if (streq(name, "load-test"))
+	{
+		return this->peer_cfg->get_ref(this->peer_cfg);;
+	}
+	return NULL;
+}
+
+/**
+ * Implementation of load_tester_config_t.destroy.
+ */
+static void destroy(private_load_tester_config_t *this)
+{
+	this->peer_cfg->destroy(this->peer_cfg);
+	free(this);
+}
+
+/**
+ * Described in header.
+ */
+load_tester_config_t *load_tester_config_create()
+{
+	private_load_tester_config_t *this = malloc_thing(private_load_tester_config_t);
+	ike_cfg_t *ike_cfg;
+	child_cfg_t *child_cfg;
+	proposal_t *proposal;
+	traffic_selector_t *ts;
+	auth_info_t *auth;
+	auth_class_t class;
+	char *remote, *pool;
+	host_t *vip = NULL;
+	
+	this->public.backend.create_peer_cfg_enumerator = (enumerator_t*(*)(backend_t*, identification_t *me, identification_t *other))create_peer_cfg_enumerator;
+	this->public.backend.create_ike_cfg_enumerator = (enumerator_t*(*)(backend_t*, host_t *me, host_t *other))create_ike_cfg_enumerator;
+	this->public.backend.get_peer_cfg_by_name = (peer_cfg_t* (*)(backend_t*,char*))get_peer_cfg_by_name;
+	this->public.destroy = (void(*)(load_tester_config_t*))destroy;
+	
+	if (lib->settings->get_bool(lib->settings,
+				"charon.plugins.load_tester.request_virtual_ip", FALSE))
+	{
+		vip = host_create_from_string("0.0.0.0", 0);
+	}
+	pool = lib->settings->get_str(lib->settings,
+				"charon.plugins.load_tester.pool", NULL);
+	remote = lib->settings->get_str(lib->settings, 
+				"charon.plugins.load_tester.remote", "127.0.0.1");
+	ike_cfg = ike_cfg_create(TRUE, FALSE, "0.0.0.0", remote);
+	proposal = proposal_create_from_string(PROTO_IKE,
+			lib->settings->get_str(lib->settings,
+				"charon.plugins.load_tester.proposal", "aes128-sha1-modp768"));
+	if (!proposal)
+	{	/* fallback */
+		proposal = proposal_create_from_string(PROTO_IKE, "aes128-sha1-modp768");
+	}
+	ike_cfg->add_proposal(ike_cfg, proposal);
+	this->peer_cfg = peer_cfg_create("load-test", 2, ike_cfg,
+			identification_create_from_string("load-test@strongswan.org"),
+			identification_create_from_string("load-test@strongswan.org"),
+			CERT_SEND_IF_ASKED, UNIQUE_NO, 1, 0, 0, /* keytries, rekey, reauth */
+			0, 0, TRUE, 60,	/* jitter, overtime, mobike, dpddelay */
+			vip, pool, FALSE, NULL, NULL);
+	auth = this->peer_cfg->get_auth(this->peer_cfg);
+	class = AUTH_CLASS_PUBKEY;
+	auth->add_item(auth, AUTHN_AUTH_CLASS, &class);
+	child_cfg = child_cfg_create("load-test", 600, 400, 100, NULL, TRUE,
+								 MODE_TUNNEL, ACTION_NONE, ACTION_NONE, FALSE);
+	proposal = proposal_create_from_string(PROTO_ESP, "aes128-sha1");
+	child_cfg->add_proposal(child_cfg, proposal);
+	ts = traffic_selector_create_dynamic(0, 0, 65535);
+	child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
+	ts = traffic_selector_create_dynamic(0, 0, 65535);
+	child_cfg->add_traffic_selector(child_cfg, FALSE, ts);
+	this->peer_cfg->add_child_cfg(this->peer_cfg, child_cfg);
+	
+	return &this->public;
+}
+
diff --git a/src/charon/plugins/load_tester/load_tester_config.h b/src/charon/plugins/load_tester/load_tester_config.h
new file mode 100644
index 000000000..d5391da63
--- /dev/null
+++ b/src/charon/plugins/load_tester/load_tester_config.h
@@ -0,0 +1,53 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+/**
+ * @defgroup load_tester_config_t load_tester_config
+ * @{ @ingroup load_tester
+ */
+
+#ifndef LOAD_TESTER_CONFIG_H_
+#define LOAD_TESTER_CONFIG_H_
+
+#include <config/backend.h>
+
+typedef struct load_tester_config_t load_tester_config_t;
+
+/**
+ * Provide configurations for load testing.
+ */
+struct load_tester_config_t {
+
+	/**
+	 * Implements backend_t interface
+	 */
+	backend_t backend;
+	
+	/**
+	 * Destroy the backend.
+	 */
+	void (*destroy)(load_tester_config_t *this);	
+};
+
+/**
+ * Create a configuration backend for load testing.
+ *
+ * @return			configuration backend
+ */
+load_tester_config_t *load_tester_config_create();
+
+#endif /* LOAD_TESTER_CONFIG_H_ @}*/
diff --git a/src/charon/plugins/load_tester/load_tester_creds.c b/src/charon/plugins/load_tester/load_tester_creds.c
new file mode 100644
index 000000000..ec69a1ac9
--- /dev/null
+++ b/src/charon/plugins/load_tester/load_tester_creds.c
@@ -0,0 +1,236 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+#include "load_tester_creds.h"
+
+#include <daemon.h>
+#include <credentials/keys/shared_key.h>
+#include <utils/identification.h>
+
+typedef struct private_load_tester_creds_t private_load_tester_creds_t;
+
+/**
+ * Private data of an load_tester_creds_t object
+ */
+struct private_load_tester_creds_t {
+	/**
+	 * Public part
+	 */
+	load_tester_creds_t public;
+	
+	/**
+	 * Private key to create signatures
+	 */
+	private_key_t *private;
+	
+	/**
+	 * Trusted certificate to verify signatures
+	 */
+	certificate_t *cert;
+};
+
+/**
+ * 1024-bit RSA key:
+-----BEGIN RSA PRIVATE KEY-----
+MIICXQIBAAKBgQDQXr7poAPYZLxmTCqR51STGRuk9Hc5SWtTcs6b2RzpnP8EVRLx
+JEVxOKE9Mw6n7mD1pNrupCpnpGRdLAV5VznTPhSQ6k7ppJJrxosRYg0pHTZqBUEC
+7nQFwAe10g8q0UnM1wa4lJzGxDH78d21cVweJgbkxAeyriS0jhNs7gO5nQIDAQAB
+AoGACVACtkxJf7VY2jWTPXwaQoy/uIqYfX3zhwI9i6eTbDlxCE+JDi/xzpKaWjLa
+99RmjvP0OPArWQB239ck03x7gAm2obutosGbqbKzJZS5cyIayzyW9djZDHBdt9Ho
+quKB39aspWit3xPzkrr+QeIkiggtmBKALTBxTwxAU+P6euECQQD4IPdrzKbCrO79
+LKvoPrQQtTjL6ogag9rI9n2ZuoK3/XVybh2byOXT8tA5G5jSz9Ac8XeVOsnH9gT5
+3WXeaLOFAkEA1vrm/hVSEasp5eATgQ7ig9CF+GGKqhTwXp/uOSl/h3IRmStu5J0C
+9AkYyx0bn3j5R8iUEX/C00KSE1kQNh4NOQJAVOsLYlRG2idPH0xThQc4nuM2jes1
+K0Xm8ZISSDNhm1BeCoyPC4rExTW7d1/vfG5svgsRrvvQpOOYrl7MB0Lz9QJBALhg
+AWJiyLsskEd90Vx7dpvUaEHo7jMGuEx/X6GYzK5Oj3dNP9NEMfc4IhJ5SWqRJ0KA
+bTVA3MexLXT4iqXPSkkCQQDSjLhBwvEnSuW4ElIMzBwLbu7573z2gzU82Mj6trrw
+Osoox/vmcepT1Wjy4AvPZHgxp7vEXNSeS+M5L29QNTp8
+-----END RSA PRIVATE KEY-----
+ */
+static char private[] = {
+  0x30,0x82,0x02,0x5d,0x02,0x01,0x00,0x02,0x81,0x81,0x00,0xd0,0x5e,0xbe,0xe9,0xa0,
+  0x03,0xd8,0x64,0xbc,0x66,0x4c,0x2a,0x91,0xe7,0x54,0x93,0x19,0x1b,0xa4,0xf4,0x77,
+  0x39,0x49,0x6b,0x53,0x72,0xce,0x9b,0xd9,0x1c,0xe9,0x9c,0xff,0x04,0x55,0x12,0xf1,
+  0x24,0x45,0x71,0x38,0xa1,0x3d,0x33,0x0e,0xa7,0xee,0x60,0xf5,0xa4,0xda,0xee,0xa4,
+  0x2a,0x67,0xa4,0x64,0x5d,0x2c,0x05,0x79,0x57,0x39,0xd3,0x3e,0x14,0x90,0xea,0x4e,
+  0xe9,0xa4,0x92,0x6b,0xc6,0x8b,0x11,0x62,0x0d,0x29,0x1d,0x36,0x6a,0x05,0x41,0x02,
+  0xee,0x74,0x05,0xc0,0x07,0xb5,0xd2,0x0f,0x2a,0xd1,0x49,0xcc,0xd7,0x06,0xb8,0x94,
+  0x9c,0xc6,0xc4,0x31,0xfb,0xf1,0xdd,0xb5,0x71,0x5c,0x1e,0x26,0x06,0xe4,0xc4,0x07,
+  0xb2,0xae,0x24,0xb4,0x8e,0x13,0x6c,0xee,0x03,0xb9,0x9d,0x02,0x03,0x01,0x00,0x01,
+  0x02,0x81,0x80,0x09,0x50,0x02,0xb6,0x4c,0x49,0x7f,0xb5,0x58,0xda,0x35,0x93,0x3d,
+  0x7c,0x1a,0x42,0x8c,0xbf,0xb8,0x8a,0x98,0x7d,0x7d,0xf3,0x87,0x02,0x3d,0x8b,0xa7,
+  0x93,0x6c,0x39,0x71,0x08,0x4f,0x89,0x0e,0x2f,0xf1,0xce,0x92,0x9a,0x5a,0x32,0xda,
+  0xf7,0xd4,0x66,0x8e,0xf3,0xf4,0x38,0xf0,0x2b,0x59,0x00,0x76,0xdf,0xd7,0x24,0xd3,
+  0x7c,0x7b,0x80,0x09,0xb6,0xa1,0xbb,0xad,0xa2,0xc1,0x9b,0xa9,0xb2,0xb3,0x25,0x94,
+  0xb9,0x73,0x22,0x1a,0xcb,0x3c,0x96,0xf5,0xd8,0xd9,0x0c,0x70,0x5d,0xb7,0xd1,0xe8,
+  0xaa,0xe2,0x81,0xdf,0xd6,0xac,0xa5,0x68,0xad,0xdf,0x13,0xf3,0x92,0xba,0xfe,0x41,
+  0xe2,0x24,0x8a,0x08,0x2d,0x98,0x12,0x80,0x2d,0x30,0x71,0x4f,0x0c,0x40,0x53,0xe3,
+  0xfa,0x7a,0xe1,0x02,0x41,0x00,0xf8,0x20,0xf7,0x6b,0xcc,0xa6,0xc2,0xac,0xee,0xfd,
+  0x2c,0xab,0xe8,0x3e,0xb4,0x10,0xb5,0x38,0xcb,0xea,0x88,0x1a,0x83,0xda,0xc8,0xf6,
+  0x7d,0x99,0xba,0x82,0xb7,0xfd,0x75,0x72,0x6e,0x1d,0x9b,0xc8,0xe5,0xd3,0xf2,0xd0,
+  0x39,0x1b,0x98,0xd2,0xcf,0xd0,0x1c,0xf1,0x77,0x95,0x3a,0xc9,0xc7,0xf6,0x04,0xf9,
+  0xdd,0x65,0xde,0x68,0xb3,0x85,0x02,0x41,0x00,0xd6,0xfa,0xe6,0xfe,0x15,0x52,0x11,
+  0xab,0x29,0xe5,0xe0,0x13,0x81,0x0e,0xe2,0x83,0xd0,0x85,0xf8,0x61,0x8a,0xaa,0x14,
+  0xf0,0x5e,0x9f,0xee,0x39,0x29,0x7f,0x87,0x72,0x11,0x99,0x2b,0x6e,0xe4,0x9d,0x02,
+  0xf4,0x09,0x18,0xcb,0x1d,0x1b,0x9f,0x78,0xf9,0x47,0xc8,0x94,0x11,0x7f,0xc2,0xd3,
+  0x42,0x92,0x13,0x59,0x10,0x36,0x1e,0x0d,0x39,0x02,0x40,0x54,0xeb,0x0b,0x62,0x54,
+  0x46,0xda,0x27,0x4f,0x1f,0x4c,0x53,0x85,0x07,0x38,0x9e,0xe3,0x36,0x8d,0xeb,0x35,
+  0x2b,0x45,0xe6,0xf1,0x92,0x12,0x48,0x33,0x61,0x9b,0x50,0x5e,0x0a,0x8c,0x8f,0x0b,
+  0x8a,0xc4,0xc5,0x35,0xbb,0x77,0x5f,0xef,0x7c,0x6e,0x6c,0xbe,0x0b,0x11,0xae,0xfb,
+  0xd0,0xa4,0xe3,0x98,0xae,0x5e,0xcc,0x07,0x42,0xf3,0xf5,0x02,0x41,0x00,0xb8,0x60,
+  0x01,0x62,0x62,0xc8,0xbb,0x2c,0x90,0x47,0x7d,0xd1,0x5c,0x7b,0x76,0x9b,0xd4,0x68,
+  0x41,0xe8,0xee,0x33,0x06,0xb8,0x4c,0x7f,0x5f,0xa1,0x98,0xcc,0xae,0x4e,0x8f,0x77,
+  0x4d,0x3f,0xd3,0x44,0x31,0xf7,0x38,0x22,0x12,0x79,0x49,0x6a,0x91,0x27,0x42,0x80,
+  0x6d,0x35,0x40,0xdc,0xc7,0xb1,0x2d,0x74,0xf8,0x8a,0xa5,0xcf,0x4a,0x49,0x02,0x41,
+  0x00,0xd2,0x8c,0xb8,0x41,0xc2,0xf1,0x27,0x4a,0xe5,0xb8,0x12,0x52,0x0c,0xcc,0x1c,
+  0x0b,0x6e,0xee,0xf9,0xef,0x7c,0xf6,0x83,0x35,0x3c,0xd8,0xc8,0xfa,0xb6,0xba,0xf0,
+  0x3a,0xca,0x28,0xc7,0xfb,0xe6,0x71,0xea,0x53,0xd5,0x68,0xf2,0xe0,0x0b,0xcf,0x64,
+  0x78,0x31,0xa7,0xbb,0xc4,0x5c,0xd4,0x9e,0x4b,0xe3,0x39,0x2f,0x6f,0x50,0x35,0x3a,
+  0x7c,
+};
+
+/**
+ * And an associated self-signed certificate
+-----BEGIN CERTIFICATE-----
+MIIB2zCCAUSgAwIBAgIRAKmSLQc+3QV4WswVkpxqY5kwDQYJKoZIhvcNAQEFBQAw
+FzEVMBMGA1UEAxMMbG9hZC10ZXN0aW5nMB4XDTA4MTAyMTEyNDk0MFoXDTEzMTAy
+MDEyNDk0MFowFzEVMBMGA1UEAxMMbG9hZC10ZXN0aW5nMIGfMA0GCSqGSIb3DQEB
+AQUAA4GNADCBiQKBgQDQXr7poAPYZLxmTCqR51STGRuk9Hc5SWtTcs6b2RzpnP8E
+VRLxJEVxOKE9Mw6n7mD1pNrupCpnpGRdLAV5VznTPhSQ6k7ppJJrxosRYg0pHTZq
+BUEC7nQFwAe10g8q0UnM1wa4lJzGxDH78d21cVweJgbkxAeyriS0jhNs7gO5nQID
+AQABoycwJTAjBgNVHREEHDAagRhsb2FkLXRlc3RAc3Ryb25nc3dhbi5vcmcwDQYJ
+KoZIhvcNAQEFBQADgYEATyQ3KLVU13Q3U3uZZtQL56rm680wMLu0+2z164PnxcTu
+Donp19AwPfvl4y0kjCdQYqUA6NXczub40ZrCMfmZEbVarW9oAys9lWef8sqfW0pv
+asNWsTOOwgg4gcASh1VCYsMX73C8R1pegWM/btyX2SEa7+R1rBEZwHVtIxgFcnM=
+-----END CERTIFICATE-----
+ */
+static char cert[] = {
+  0x30,0x82,0x01,0xdb,0x30,0x82,0x01,0x44,0xa0,0x03,0x02,0x01,0x02,0x02,0x11,0x00,
+  0xa9,0x92,0x2d,0x07,0x3e,0xdd,0x05,0x78,0x5a,0xcc,0x15,0x92,0x9c,0x6a,0x63,0x99,
+  0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x05,0x05,0x00,0x30,
+  0x17,0x31,0x15,0x30,0x13,0x06,0x03,0x55,0x04,0x03,0x13,0x0c,0x6c,0x6f,0x61,0x64,
+  0x2d,0x74,0x65,0x73,0x74,0x69,0x6e,0x67,0x30,0x1e,0x17,0x0d,0x30,0x38,0x31,0x30,
+  0x32,0x31,0x31,0x32,0x34,0x39,0x34,0x30,0x5a,0x17,0x0d,0x31,0x33,0x31,0x30,0x32,
+  0x30,0x31,0x32,0x34,0x39,0x34,0x30,0x5a,0x30,0x17,0x31,0x15,0x30,0x13,0x06,0x03,
+  0x55,0x04,0x03,0x13,0x0c,0x6c,0x6f,0x61,0x64,0x2d,0x74,0x65,0x73,0x74,0x69,0x6e,
+  0x67,0x30,0x81,0x9f,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,
+  0x01,0x05,0x00,0x03,0x81,0x8d,0x00,0x30,0x81,0x89,0x02,0x81,0x81,0x00,0xd0,0x5e,
+  0xbe,0xe9,0xa0,0x03,0xd8,0x64,0xbc,0x66,0x4c,0x2a,0x91,0xe7,0x54,0x93,0x19,0x1b,
+  0xa4,0xf4,0x77,0x39,0x49,0x6b,0x53,0x72,0xce,0x9b,0xd9,0x1c,0xe9,0x9c,0xff,0x04,
+  0x55,0x12,0xf1,0x24,0x45,0x71,0x38,0xa1,0x3d,0x33,0x0e,0xa7,0xee,0x60,0xf5,0xa4,
+  0xda,0xee,0xa4,0x2a,0x67,0xa4,0x64,0x5d,0x2c,0x05,0x79,0x57,0x39,0xd3,0x3e,0x14,
+  0x90,0xea,0x4e,0xe9,0xa4,0x92,0x6b,0xc6,0x8b,0x11,0x62,0x0d,0x29,0x1d,0x36,0x6a,
+  0x05,0x41,0x02,0xee,0x74,0x05,0xc0,0x07,0xb5,0xd2,0x0f,0x2a,0xd1,0x49,0xcc,0xd7,
+  0x06,0xb8,0x94,0x9c,0xc6,0xc4,0x31,0xfb,0xf1,0xdd,0xb5,0x71,0x5c,0x1e,0x26,0x06,
+  0xe4,0xc4,0x07,0xb2,0xae,0x24,0xb4,0x8e,0x13,0x6c,0xee,0x03,0xb9,0x9d,0x02,0x03,
+  0x01,0x00,0x01,0xa3,0x27,0x30,0x25,0x30,0x23,0x06,0x03,0x55,0x1d,0x11,0x04,0x1c,
+  0x30,0x1a,0x81,0x18,0x6c,0x6f,0x61,0x64,0x2d,0x74,0x65,0x73,0x74,0x40,0x73,0x74,
+  0x72,0x6f,0x6e,0x67,0x73,0x77,0x61,0x6e,0x2e,0x6f,0x72,0x67,0x30,0x0d,0x06,0x09,
+  0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x05,0x05,0x00,0x03,0x81,0x81,0x00,0x4f,
+  0x24,0x37,0x28,0xb5,0x54,0xd7,0x74,0x37,0x53,0x7b,0x99,0x66,0xd4,0x0b,0xe7,0xaa,
+  0xe6,0xeb,0xcd,0x30,0x30,0xbb,0xb4,0xfb,0x6c,0xf5,0xeb,0x83,0xe7,0xc5,0xc4,0xee,
+  0x0e,0x89,0xe9,0xd7,0xd0,0x30,0x3d,0xfb,0xe5,0xe3,0x2d,0x24,0x8c,0x27,0x50,0x62,
+  0xa5,0x00,0xe8,0xd5,0xdc,0xce,0xe6,0xf8,0xd1,0x9a,0xc2,0x31,0xf9,0x99,0x11,0xb5,
+  0x5a,0xad,0x6f,0x68,0x03,0x2b,0x3d,0x95,0x67,0x9f,0xf2,0xca,0x9f,0x5b,0x4a,0x6f,
+  0x6a,0xc3,0x56,0xb1,0x33,0x8e,0xc2,0x08,0x38,0x81,0xc0,0x12,0x87,0x55,0x42,0x62,
+  0xc3,0x17,0xef,0x70,0xbc,0x47,0x5a,0x5e,0x81,0x63,0x3f,0x6e,0xdc,0x97,0xd9,0x21,
+  0x1a,0xef,0xe4,0x75,0xac,0x11,0x19,0xc0,0x75,0x6d,0x23,0x18,0x05,0x72,0x73,
+};
+
+/**
+ * Implements credential_set_t.create_private_enumerator
+ */
+static enumerator_t* create_private_enumerator(private_load_tester_creds_t *this,
+							key_type_t type, identification_t *id)
+{
+	if (this->private == NULL)
+	{
+		return NULL;
+	}
+	if (type != KEY_ANY && type != KEY_RSA)
+	{
+		return NULL;
+	}
+	if (id)
+	{
+		identification_t *keyid;
+		
+		keyid = this->private->get_id(this->private, id->get_type(id));
+		if (!keyid || !keyid->equals(keyid, id))
+		{
+			return NULL;
+		}
+	}
+	return enumerator_create_single(this->private, NULL);
+}
+
+/**
+ * Implements credential_set_t.create_cert_enumerator
+ */
+static enumerator_t* create_cert_enumerator(private_load_tester_creds_t *this,
+							certificate_type_t cert, key_type_t key,
+							identification_t *id, bool trusted)
+{
+	if (this->cert == NULL)
+	{
+		return NULL;
+	}
+	if (cert != CERT_ANY && cert != CERT_X509)
+	{
+		return NULL;
+	}
+	if (key != KEY_ANY && key != KEY_RSA)
+	{
+		return NULL;
+	}
+	if (id && !this->cert->has_subject(this->cert, id))
+	{
+		return NULL;
+	}
+	return enumerator_create_single(this->cert, NULL);
+}
+
+/**
+ * Implementation of load_tester_creds_t.destroy
+ */
+static void destroy(private_load_tester_creds_t *this)
+{
+	DESTROY_IF(this->private);
+	DESTROY_IF(this->cert);
+	free(this);
+}
+
+load_tester_creds_t *load_tester_creds_create()
+{
+	private_load_tester_creds_t *this = malloc_thing(private_load_tester_creds_t);
+
+	this->public.credential_set.create_shared_enumerator = (enumerator_t*(*)(credential_set_t*, shared_key_type_t, identification_t*, identification_t*))return_null;
+	this->public.credential_set.create_private_enumerator = (enumerator_t*(*) (credential_set_t*, key_type_t, identification_t*))create_private_enumerator;
+	this->public.credential_set.create_cert_enumerator = (enumerator_t*(*) (credential_set_t*,	certificate_type_t, key_type_t,identification_t *, bool))create_cert_enumerator;
+	this->public.credential_set.create_cdp_enumerator  = (enumerator_t*(*) (credential_set_t *,certificate_type_t, identification_t *))return_null;
+	this->public.credential_set.cache_cert = (void (*)(credential_set_t *, certificate_t *))nop;
+	this->public.destroy = (void(*) (load_tester_creds_t*))destroy;
+	
+	this->private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+		BUILD_BLOB_ASN1_DER, chunk_create(private, sizeof(private)), BUILD_END);	
+	
+	this->cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+		BUILD_BLOB_ASN1_DER, chunk_create(cert, sizeof(cert)), BUILD_END);			   
+	
+	return &this->public;
+}
+
diff --git a/src/charon/plugins/load_tester/load_tester_creds.h b/src/charon/plugins/load_tester/load_tester_creds.h
new file mode 100644
index 000000000..bc092bd12
--- /dev/null
+++ b/src/charon/plugins/load_tester/load_tester_creds.h
@@ -0,0 +1,53 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+/**
+ * @defgroup load_tester_creds_t load_tester_creds
+ * @{ @ingroup load_tester
+ */
+
+#ifndef LOAD_TESTER_CREDS_H_
+#define LOAD_TESTER_CREDS_H_
+
+#include <credentials/credential_set.h>
+
+typedef struct load_tester_creds_t load_tester_creds_t;
+
+/**
+ * Provide hard-coded credentials for load testing.
+ */
+struct load_tester_creds_t {
+
+	/**
+	 * Implements credential set interface.
+	 */
+	credential_set_t credential_set;
+	
+	/**
+	 * Destroy the backend.
+	 */
+	void (*destroy)(load_tester_creds_t *this);	
+};
+
+/**
+ * Create a credential set for load testing.
+ *
+ * @return			credential set
+ */
+load_tester_creds_t *load_tester_creds_create();
+
+#endif /* LOAD_TESTER_CREDS_H_ @}*/
diff --git a/src/charon/plugins/load_tester/load_tester_ipsec.c b/src/charon/plugins/load_tester/load_tester_ipsec.c
new file mode 100644
index 000000000..9abd65195
--- /dev/null
+++ b/src/charon/plugins/load_tester/load_tester_ipsec.c
@@ -0,0 +1,165 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+#include "load_tester_ipsec.h"
+
+#include <time.h>
+
+typedef struct private_load_tester_ipsec_t private_load_tester_ipsec_t;
+
+/**
+ * Private variables and functions of kernel_pfkey class.
+ */
+struct private_load_tester_ipsec_t {
+	/**
+	 * Public interface.
+	 */
+	load_tester_ipsec_t public;
+	
+	/**
+	 * faked SPI counter
+	 */
+	u_int32_t spi;
+};
+
+/**
+ * Implementation of kernel_interface_t.get_spi.
+ */
+static status_t get_spi(private_load_tester_ipsec_t *this, 
+						host_t *src, host_t *dst, 
+						protocol_id_t protocol, u_int32_t reqid,
+						u_int32_t *spi)
+{
+	*spi = ++this->spi;
+	return SUCCESS;
+}
+
+/**
+ * Implementation of kernel_interface_t.get_cpi.
+ */
+static status_t get_cpi(private_load_tester_ipsec_t *this, 
+						host_t *src, host_t *dst, 
+						u_int32_t reqid, u_int16_t *cpi)
+{
+	return FAILED;
+}
+
+/**
+ * Implementation of kernel_interface_t.add_sa.
+ */
+static status_t add_sa(private_load_tester_ipsec_t *this,
+					   host_t *src, host_t *dst, u_int32_t spi,
+					   protocol_id_t protocol, u_int32_t reqid,
+					   u_int64_t expire_soft, u_int64_t expire_hard,
+					   u_int16_t enc_alg, chunk_t enc_key,
+					   u_int16_t int_alg, chunk_t int_key,
+					   ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
+					   bool encap, bool inbound)
+{
+	return SUCCESS;
+}
+
+/**
+ * Implementation of kernel_interface_t.update_sa.
+ */
+static status_t update_sa(private_load_tester_ipsec_t *this,
+						  u_int32_t spi, protocol_id_t protocol, u_int16_t cpi,
+						  host_t *src, host_t *dst,
+						  host_t *new_src, host_t *new_dst,
+						  bool encap, bool new_encap)
+{
+	return SUCCESS;
+}
+
+/**
+ * Implementation of kernel_interface_t.del_sa.
+ */
+static status_t del_sa(private_load_tester_ipsec_t *this, host_t *dst,
+					   u_int32_t spi, protocol_id_t protocol, u_int16_t cpi)
+{
+	return SUCCESS;
+}
+
+/**
+ * Implementation of kernel_interface_t.add_policy.
+ */
+static status_t add_policy(private_load_tester_ipsec_t *this,
+						   host_t *src, host_t *dst,
+						   traffic_selector_t *src_ts,
+						   traffic_selector_t *dst_ts,
+						   policy_dir_t direction, u_int32_t spi,
+						   protocol_id_t protocol, u_int32_t reqid,
+						   ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
+						   bool routed)
+{
+	return SUCCESS;
+}
+
+/**
+ * Implementation of kernel_interface_t.query_policy.
+ */
+static status_t query_policy(private_load_tester_ipsec_t *this,
+							 traffic_selector_t *src_ts, 
+							 traffic_selector_t *dst_ts,
+							 policy_dir_t direction, u_int32_t *use_time)
+{
+	*use_time = time(NULL);
+	return SUCCESS;
+}
+
+/**
+ * Implementation of kernel_interface_t.del_policy.
+ */
+static status_t del_policy(private_load_tester_ipsec_t *this,
+						   traffic_selector_t *src_ts, 
+						   traffic_selector_t *dst_ts,
+						   policy_dir_t direction, bool unrouted)
+{
+	return SUCCESS;
+}
+
+/**
+ * Implementation of kernel_interface_t.destroy.
+ */
+static void destroy(private_load_tester_ipsec_t *this)
+{
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+load_tester_ipsec_t *load_tester_ipsec_create()
+{
+	private_load_tester_ipsec_t *this = malloc_thing(private_load_tester_ipsec_t);
+	
+	/* public functions */
+	this->public.interface.get_spi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,protocol_id_t,u_int32_t,u_int32_t*))get_spi;
+	this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
+	this->public.interface.add_sa  = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa;
+	this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa;
+	this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
+	this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t *this,host_t *, host_t *,traffic_selector_t *,traffic_selector_t *,policy_dir_t, u_int32_t,protocol_id_t, u_int32_t,ipsec_mode_t, u_int16_t, u_int16_t,bool))add_policy;
+	this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
+	this->public.interface.del_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,bool))del_policy;
+	this->public.interface.destroy = (void(*)(kernel_ipsec_t*)) destroy;
+	
+	this->spi = 0;
+	
+	return &this->public;
+}
+
diff --git a/src/charon/plugins/load_tester/load_tester_ipsec.h b/src/charon/plugins/load_tester/load_tester_ipsec.h
new file mode 100644
index 000000000..34a99dcbd
--- /dev/null
+++ b/src/charon/plugins/load_tester/load_tester_ipsec.h
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+/**
+ * @defgroup load_tester_ipsec_i load_tester_ipsec
+ * @{ @ingroup load_tester
+ */
+
+#ifndef LOAD_TESTER_IPSEC_H_
+#define LOAD_TESTER_IPSEC_H_
+
+#include <kernel/kernel_ipsec.h>
+
+typedef struct load_tester_ipsec_t load_tester_ipsec_t;
+
+/**
+ * Implementation of a fake kernel ipsec interface for load testing.
+ */
+struct load_tester_ipsec_t {
+
+	/**
+	 * Implements kernel_ipsec_t interface
+	 */
+	kernel_ipsec_t interface;
+};
+
+/**
+ * Create a faked kernel ipsec interface instance.
+ *
+ * @return			kernel_load_tester_ipsec_t instance
+ */
+load_tester_ipsec_t *load_tester_ipsec_create();
+
+#endif /* LOAD_TESTER_IPSEC_H_ @} */
diff --git a/src/charon/plugins/load_tester/load_tester_listener.c b/src/charon/plugins/load_tester/load_tester_listener.c
new file mode 100644
index 000000000..991408a44
--- /dev/null
+++ b/src/charon/plugins/load_tester/load_tester_listener.c
@@ -0,0 +1,75 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+#include "load_tester_listener.h"
+
+#include <daemon.h>
+#include <processing/jobs/delete_ike_sa_job.h>
+
+typedef struct private_load_tester_listener_t private_load_tester_listener_t;
+
+/**
+ * Private data of an load_tester_listener_t object
+ */
+struct private_load_tester_listener_t {
+	/**
+	 * Public part
+	 */
+	load_tester_listener_t public;
+	
+	/**
+	 * Delete IKE_SA after it has been established
+	 */
+	bool delete_after_established;
+};
+
+/**
+ * Implementation of listener_t.ike_state_change
+ */
+static bool ike_state_change(private_load_tester_listener_t *this,
+							 ike_sa_t *ike_sa, ike_sa_state_t state)
+{
+	if (this->delete_after_established && state == IKE_ESTABLISHED)
+	{
+		charon->processor->queue_job(charon->processor,
+				(job_t*)delete_ike_sa_job_create(ike_sa->get_id(ike_sa), TRUE));
+	}
+	return TRUE;
+}
+
+/**
+ * Implementation of load_tester_listener_t.destroy
+ */
+static void destroy(private_load_tester_listener_t *this)
+{
+	free(this);
+}
+
+load_tester_listener_t *load_tester_listener_create()
+{
+	private_load_tester_listener_t *this = malloc_thing(private_load_tester_listener_t);
+	
+	memset(&this->public.listener, 0, sizeof(listener_t));
+	this->public.listener.ike_state_change = (void*)ike_state_change;
+	this->public.destroy = (void(*) (load_tester_listener_t*))destroy;
+	
+	this->delete_after_established = lib->settings->get_bool(lib->settings,
+				"charon.plugins.load_tester.delete_after_established", FALSE);
+	
+	return &this->public;
+}
+
diff --git a/src/charon/plugins/load_tester/load_tester_listener.h b/src/charon/plugins/load_tester/load_tester_listener.h
new file mode 100644
index 000000000..28bb57d05
--- /dev/null
+++ b/src/charon/plugins/load_tester/load_tester_listener.h
@@ -0,0 +1,53 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+/**
+ * @defgroup load_tester_listener_t load_tester_listener
+ * @{ @ingroup load_tester
+ */
+
+#ifndef LOAD_TESTER_LISTENER_H_
+#define LOAD_TESTER_LISTENER_H_
+
+#include <bus/bus.h>
+
+typedef struct load_tester_listener_t load_tester_listener_t;
+
+/**
+ * Provide hard-coded credentials for load testing.
+ */
+struct load_tester_listener_t {
+
+	/**
+	 * Implements listener set interface.
+	 */
+	listener_t listener;
+	
+	/**
+	 * Destroy the backend.
+	 */
+	void (*destroy)(load_tester_listener_t *this);	
+};
+
+/**
+ * Create a listener to handle special events during load test
+ *
+ * @return			listener
+ */
+load_tester_listener_t *load_tester_listener_create();
+
+#endif /* LOAD_TESTER_LISTENER_H_ @}*/
diff --git a/src/charon/plugins/load_tester/load_tester_plugin.c b/src/charon/plugins/load_tester/load_tester_plugin.c
new file mode 100644
index 000000000..aff83a9a7
--- /dev/null
+++ b/src/charon/plugins/load_tester/load_tester_plugin.c
@@ -0,0 +1,175 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+#include "load_tester_plugin.h"
+#include "load_tester_config.h"
+#include "load_tester_creds.h"
+#include "load_tester_ipsec.h"
+#include "load_tester_listener.h"
+
+#include <unistd.h>
+
+#include <daemon.h>
+#include <processing/jobs/callback_job.h>
+
+typedef struct private_load_tester_plugin_t private_load_tester_plugin_t;
+
+/**
+ * private data of load_tester plugin
+ */
+struct private_load_tester_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	load_tester_plugin_t public;
+	
+	/**
+	 * load_tester configuration backend
+	 */
+	load_tester_config_t *config;
+	
+	/**
+	 * load_tester credential set implementation
+	 */
+	load_tester_creds_t *creds;
+	
+	/**
+	 * event handler, listens on bus
+	 */
+	load_tester_listener_t *listener;
+	
+	/**
+	 * number of iterations per thread
+	 */
+	int iterations;
+	
+	/**
+	 * number of threads
+	 */
+	int initiators;
+	
+	/**
+	 * delay between initiations, in ms
+	 */
+	int delay;
+};
+
+/**
+ * Begin the load test
+ */
+static job_requeue_t do_load_test(private_load_tester_plugin_t *this)
+{
+	peer_cfg_t *peer_cfg;
+	child_cfg_t *child_cfg = NULL;;
+	enumerator_t *enumerator;
+	int i, s = 0, ms = 0;
+	
+	if (this->delay)
+	{
+		s = this->delay / 1000;
+		ms = this->delay % 1000;
+	}
+	peer_cfg = charon->backends->get_peer_cfg_by_name(charon->backends,
+													  "load-test");
+	if (peer_cfg)
+	{
+		enumerator = peer_cfg->create_child_cfg_enumerator(peer_cfg);
+		if (enumerator->enumerate(enumerator, &child_cfg))
+		{
+			child_cfg->get_ref(child_cfg);
+		}
+		enumerator->destroy(enumerator);
+		
+		if (child_cfg)
+		{
+			for (i = 0; this->iterations == 0 || i < this->iterations; i++)
+			{
+				charon->controller->initiate(charon->controller,
+					peer_cfg->get_ref(peer_cfg), child_cfg->get_ref(child_cfg),
+					NULL, NULL);
+				
+				if (s)
+				{
+					sleep(s);
+				}
+				if (ms)
+				{
+					usleep(ms * 1000);
+				}
+			}
+			child_cfg->destroy(child_cfg);
+		}
+		peer_cfg->destroy(peer_cfg);
+	}
+	return JOB_REQUEUE_NONE;
+}
+
+/**
+ * Implementation of plugin_t.destroy
+ */
+static void destroy(private_load_tester_plugin_t *this)
+{
+	charon->kernel_interface->remove_ipsec_interface(charon->kernel_interface,
+						(kernel_ipsec_constructor_t)load_tester_ipsec_create);
+	charon->backends->remove_backend(charon->backends, &this->config->backend);
+	charon->credentials->remove_set(charon->credentials, &this->creds->credential_set);
+	charon->bus->remove_listener(charon->bus, &this->listener->listener);
+	this->config->destroy(this->config);
+	this->creds->destroy(this->creds);
+	this->listener->destroy(this->listener);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *plugin_create()
+{
+	private_load_tester_plugin_t *this = malloc_thing(private_load_tester_plugin_t);
+	int i;
+	
+	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+	
+	this->config = load_tester_config_create();
+	this->creds = load_tester_creds_create();
+	this->listener = load_tester_listener_create();
+	charon->backends->add_backend(charon->backends, &this->config->backend);
+	charon->credentials->add_set(charon->credentials, &this->creds->credential_set);
+	charon->bus->add_listener(charon->bus, &this->listener->listener);
+	
+	if (lib->settings->get_bool(lib->settings,
+								"charon.plugins.load_tester.fake_kernel", FALSE))
+	{
+		charon->kernel_interface->add_ipsec_interface(charon->kernel_interface, 
+						(kernel_ipsec_constructor_t)load_tester_ipsec_create);
+	}
+	this->delay = lib->settings->get_int(lib->settings,
+								"charon.plugins.load_tester.delay", 0);
+	this->iterations = lib->settings->get_int(lib->settings,
+								"charon.plugins.load_tester.iterations", 1);
+	this->initiators = lib->settings->get_int(lib->settings,
+								"charon.plugins.load_tester.initiators", 0);
+	for (i = 0; i < this->initiators; i++)
+	{
+		charon->processor->queue_job(charon->processor, 
+					(job_t*)callback_job_create((callback_job_cb_t)do_load_test,
+												this, NULL, NULL));
+	}
+	return &this->public.plugin;
+}
+
diff --git a/src/charon/plugins/load_tester/load_tester_plugin.h b/src/charon/plugins/load_tester/load_tester_plugin.h
new file mode 100644
index 000000000..10088bfa2
--- /dev/null
+++ b/src/charon/plugins/load_tester/load_tester_plugin.h
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+/**
+ * @defgroup load_tester load_tester
+ * @ingroup cplugins
+ *
+ * @defgroup load_tester_plugin load_tester_plugin
+ * @{ @ingroup load_tester
+ */
+
+#ifndef LOAD_TESTER_PLUGIN_H_
+#define LOAD_TESTER_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct load_tester_plugin_t load_tester_plugin_t;
+
+/**
+ * Load tester plugin to inspect system core under high load.
+ *
+ * This plugin 
+ */
+struct load_tester_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+/**
+ * Create a load_tester_plugin instance.
+ */
+plugin_t *plugin_create();
+
+#endif /* LOAD_TESTER_PLUGIN_H_ @}*/
diff --git a/src/charon/plugins/medcli/medcli_listener.c b/src/charon/plugins/medcli/medcli_listener.c
index 3b4156903..c057ea2b5 100644
--- a/src/charon/plugins/medcli/medcli_listener.c
+++ b/src/charon/plugins/medcli/medcli_listener.c
@@ -51,36 +51,55 @@ struct private_medcli_listener_t {
 /**
  * Implementation of bus_listener_t.signal.
  */
-static bool signal_(private_medcli_listener_t *this, signal_t signal,
-					level_t level, int thread, ike_sa_t* ike_sa, void *data,
-					char *format, va_list args)
+static void set_state(private_medcli_listener_t *this, char *alias,
+					  mediated_state_t state)
 {
-	mediated_state_t state;
-	
-	if (!ike_sa)
+	this->db->execute(this->db, NULL,
+					  "UPDATE Connection SET Status = ? WHERE Alias = ?",
+					  DB_UINT, state, DB_TEXT, alias);
+}
+/**
+ * Implementation of listener_t.ike_state_change
+ */
+static bool ike_state_change(private_medcli_listener_t *this,
+							 ike_sa_t *ike_sa, ike_sa_state_t state)
+{
+	if (ike_sa)
 	{
-		return TRUE;
+		switch (state)
+		{
+			case IKE_CONNECTING:
+				set_state(this, ike_sa->get_name(ike_sa), STATE_CONNECTING);
+				break;
+			case IKE_DESTROYING:
+				set_state(this, ike_sa->get_name(ike_sa), STATE_DOWN);
+			default:
+				break;
+		}
 	}
+	return TRUE;
+}
 
-	switch (signal)
+/**
+ * Implementation of listener_t.child_state_change
+ */
+static bool child_state_change(private_medcli_listener_t *this,
+				ike_sa_t *ike_sa, child_sa_t *child_sa, child_sa_state_t state)
+{
+	if (ike_sa && child_sa)
 	{
-		case IKE_UP_START:
-			state = STATE_CONNECTING;
-			break;
-		case IKE_UP_FAILED:
-		case IKE_DOWN_SUCCESS:
-		case IKE_DOWN_FAILED:
-			state = STATE_DOWN;
-			break;
-		case IKE_UP_SUCCESS:
-			state = STATE_UP;
-			break;
-		default:
-			return TRUE;
+		switch (state)
+		{
+			case CHILD_INSTALLED:
+				set_state(this, child_sa->get_name(child_sa), STATE_UP);
+				break;
+			case CHILD_DESTROYING:
+				set_state(this, child_sa->get_name(child_sa), STATE_DOWN);
+				break;
+			default:
+				break;
+		}
 	}
-	this->db->execute(this->db, NULL,
-					  "UPDATE Connection SET Status = ? WHERE Alias = ?",
-					  DB_UINT, state, DB_TEXT, ike_sa->get_name(ike_sa));
 	return TRUE;
 }
 
@@ -91,7 +110,7 @@ static void destroy(private_medcli_listener_t *this)
 {
 	this->db->execute(this->db, NULL, "UPDATE Connection SET Status = ?",
 					  DB_UINT, STATE_DOWN);
-    free(this);
+	free(this);
 }
 
 /**
@@ -100,8 +119,11 @@ static void destroy(private_medcli_listener_t *this)
 medcli_listener_t *medcli_listener_create(database_t *db)
 {
 	private_medcli_listener_t *this = malloc_thing(private_medcli_listener_t);
-
-	this->public.listener.signal = (bool(*)(bus_listener_t*,signal_t,level_t,int,ike_sa_t*,void*,char*,va_list))signal_;
+	
+	memset(&this->public.listener, 0, sizeof(listener_t));
+	
+	this->public.listener.ike_state_change = (void*)ike_state_change;
+	this->public.listener.child_state_change = (void*)child_state_change;
 	this->public.destroy = (void (*)(medcli_listener_t*))destroy;
 	
 	this->db = db;
diff --git a/src/charon/plugins/medcli/medcli_listener.h b/src/charon/plugins/medcli/medcli_listener.h
index f07218d78..4cec3caad 100644
--- a/src/charon/plugins/medcli/medcli_listener.h
+++ b/src/charon/plugins/medcli/medcli_listener.h
@@ -36,7 +36,7 @@ struct medcli_listener_t {
 	/**
 	 * Implements bus_listener_t interface
 	 */
-	bus_listener_t listener;
+	listener_t listener;
 	
 	/**
 	 * Destroy the credentials databse.
diff --git a/src/charon/plugins/nm/Makefile.am b/src/charon/plugins/nm/Makefile.am
index 107ca1a31..bb5436443 100644
--- a/src/charon/plugins/nm/Makefile.am
+++ b/src/charon/plugins/nm/Makefile.am
@@ -25,4 +25,4 @@ EXTRA_DIST = gnome/configure gnome/po/LINGUAS gnome/po/POTFILES.in gnome/po/Make
 	gnome/config.sub gnome/missing
 
 gnome/configure :	gnome/configure.in
-					cd gnome && ./autogen.sh; cd ..
+					(cd `dirname $<` && ./autogen.sh)
diff --git a/src/charon/plugins/nm/Makefile.in b/src/charon/plugins/nm/Makefile.in
index 46e4ab851..4f75da14f 100644
--- a/src/charon/plugins/nm/Makefile.in
+++ b/src/charon/plugins/nm/Makefile.in
@@ -513,7 +513,7 @@ uninstall-am: uninstall-pluginLTLIBRARIES
 
 
 gnome/configure :	gnome/configure.in
-					cd gnome && ./autogen.sh; cd ..
+					(cd `dirname $<` && ./autogen.sh)
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/src/charon/plugins/nm/nm_creds.c b/src/charon/plugins/nm/nm_creds.c
index f165653ae..e7cd640a7 100644
--- a/src/charon/plugins/nm/nm_creds.c
+++ b/src/charon/plugins/nm/nm_creds.c
@@ -15,12 +15,10 @@
  * $Id$
  */
 
-#define _GNU_SOURCE
-#include <pthread.h>
-
 #include "nm_creds.h"
 
 #include <daemon.h>
+#include <utils/mutex.h>
 
 typedef struct private_nm_creds_t private_nm_creds_t;
 
@@ -62,7 +60,7 @@ struct private_nm_creds_t {
 	/**
 	 * read/write lock
 	 */
-	pthread_rwlock_t lock;
+	rwlock_t *lock;
 };
 
 /**
@@ -91,10 +89,10 @@ static enumerator_t *create_usercert_enumerator(private_nm_creds_t *this,
 		}
 		public->destroy(public);
 	}
-	pthread_rwlock_rdlock(&this->lock);
+	this->lock->read_lock(this->lock);
 	return enumerator_create_cleaner(
 								enumerator_create_single(this->usercert, NULL),
-								(void*)pthread_rwlock_unlock, &this->lock);
+								(void*)this->lock->unlock, this->lock);
 }
 
 /**
@@ -138,9 +136,9 @@ static enumerator_t* create_cert_enumerator(private_nm_creds_t *this,
 		}
 		public->destroy(public);
 	}
-	pthread_rwlock_rdlock(&this->lock);
+	this->lock->read_lock(this->lock);
 	return enumerator_create_cleaner(enumerator_create_single(this->cert, NULL),
-									 (void*)pthread_rwlock_unlock, &this->lock);
+									 (void*)this->lock->unlock, this->lock);
 }
 
 /**
@@ -167,9 +165,9 @@ static enumerator_t* create_private_enumerator(private_nm_creds_t *this,
 			return NULL;
 		}
 	}
-	pthread_rwlock_rdlock(&this->lock);
+	this->lock->read_lock(this->lock);
 	return enumerator_create_cleaner(enumerator_create_single(this->key, NULL),
-									 (void*)pthread_rwlock_unlock, &this->lock);
+									 (void*)this->lock->unlock, this->lock);
 }
 
 /**
@@ -205,7 +203,7 @@ static bool shared_enumerate(shared_enumerator_t *this, shared_key_t **key,
 static void shared_destroy(shared_enumerator_t *this)
 {
 	this->key->destroy(this->key);
-	pthread_rwlock_unlock(&this->this->lock);
+	this->this->lock->unlock(this->this->lock);
 	free(this);
 }
 /**
@@ -235,7 +233,7 @@ static enumerator_t* create_shared_enumerator(private_nm_creds_t *this,
 	enumerator->public.destroy = (void*)shared_destroy;
 	enumerator->this = this;
 	enumerator->done = FALSE;
-	pthread_rwlock_rdlock(&this->lock);
+	this->lock->read_lock(this->lock);
 	enumerator->key = shared_key_create(type,
 										chunk_clone(chunk_create(this->pass,
 													strlen(this->pass))));
@@ -247,10 +245,10 @@ static enumerator_t* create_shared_enumerator(private_nm_creds_t *this,
  */
 static void set_certificate(private_nm_creds_t *this, certificate_t *cert)
 {
-	pthread_rwlock_wrlock(&this->lock);
+	this->lock->write_lock(this->lock);
 	DESTROY_IF(this->cert);
 	this->cert = cert;
-	pthread_rwlock_unlock(&this->lock);
+	this->lock->unlock(this->lock);
 }
 
 /**
@@ -259,14 +257,14 @@ static void set_certificate(private_nm_creds_t *this, certificate_t *cert)
 static void set_username_password(private_nm_creds_t *this, identification_t *id,
 						 char *password)
 {
-	pthread_rwlock_wrlock(&this->lock);
+	this->lock->write_lock(this->lock);
 	DESTROY_IF(this->user);
 	/* for EAP authentication, we use always use ID_EAP type */
 	this->user = identification_create_from_encoding(ID_EAP,
 													 id->get_encoding(id));
 	free(this->pass);
 	this->pass = password ? strdup(password) : NULL;
-	pthread_rwlock_unlock(&this->lock);
+	this->lock->unlock(this->lock);
 }
 
 /**
@@ -275,12 +273,12 @@ static void set_username_password(private_nm_creds_t *this, identification_t *id
 static void set_cert_and_key(private_nm_creds_t *this, certificate_t *cert,	
 							 private_key_t *key)
 {
-	pthread_rwlock_wrlock(&this->lock);
+	this->lock->write_lock(this->lock);
 	DESTROY_IF(this->key);
 	DESTROY_IF(this->usercert);
 	this->key = key;
 	this->usercert = cert;
-	pthread_rwlock_unlock(&this->lock);
+	this->lock->unlock(this->lock);
 }	
 
 /**
@@ -306,7 +304,7 @@ static void clear(private_nm_creds_t *this)
 static void destroy(private_nm_creds_t *this)
 {
 	clear(this);
-	pthread_rwlock_destroy(&this->lock);
+	this->lock->destroy(this->lock);
 	free(this);
 }
 
@@ -328,7 +326,7 @@ nm_creds_t *nm_creds_create()
 	this->public.clear = (void(*)(nm_creds_t*))clear;
 	this->public.destroy = (void(*)(nm_creds_t*))destroy;
 	
-	pthread_rwlock_init(&this->lock, NULL);
+	this->lock = rwlock_create(RWLOCK_DEFAULT);
 	
 	this->cert = NULL;
 	this->user = NULL;
diff --git a/src/charon/plugins/nm/nm_service.c b/src/charon/plugins/nm/nm_service.c
index fbc094a3b..f90bfa448 100644
--- a/src/charon/plugins/nm/nm_service.c
+++ b/src/charon/plugins/nm/nm_service.c
@@ -34,7 +34,7 @@ G_DEFINE_TYPE(NMStrongswanPlugin, nm_strongswan_plugin, NM_TYPE_VPN_PLUGIN)
  * Private data of NMStrongswanPlugin
  */
 typedef struct {
-	bus_listener_t listener;
+	listener_t listener;
 	ike_sa_t *ike_sa;
 	NMVPNPlugin *plugin;
 	nm_creds_t *creds;
@@ -45,109 +45,88 @@ typedef struct {
 				NM_TYPE_STRONGSWAN_PLUGIN, NMStrongswanPluginPrivate))
 
 /**
- * convert a traffic selector address range to subnet and its mask.
+ * signal IPv4 config to NM, set connection as established
  */
-static u_int ts2subnet(traffic_selector_t* ts, u_int8_t *mask)
+static void signal_ipv4_config(NMVPNPlugin *plugin,
+							   ike_sa_t *ike_sa, child_sa_t *child_sa)
 {
-	/* there is no way to do this cleanly, as the address range may
-	 * be anything else but a subnet. We use from_addr as subnet 
-	 * and try to calculate a usable subnet mask.
-	 */
-	int byte, bit, net;
-	bool found = FALSE;
-	chunk_t from, to;
-	size_t size = (ts->get_type(ts) == TS_IPV4_ADDR_RANGE) ? 4 : 16;
+	GValue *val;
+	GHashTable *config;
+	host_t *me, *other;
 	
-	from = ts->get_from_address(ts);
-	to = ts->get_to_address(ts);
+	config = g_hash_table_new(g_str_hash, g_str_equal);
+	me = ike_sa->get_my_host(ike_sa);
+	other = ike_sa->get_other_host(ike_sa);
 	
-	*mask = (size * 8);
-	/* go trough all bits of the addresses, beginning in the front.
-	 * as long as they are equal, the subnet gets larger
-	 */
-	for (byte = 0; byte < size; byte++)
-	{
-		for (bit = 7; bit >= 0; bit--)
-		{
-			if ((1<<bit & from.ptr[byte]) != (1<<bit & to.ptr[byte]))
-			{
-				*mask = ((7 - bit) + (byte * 8));
-				found = TRUE;
-				break;
-			}
-		}
-		if (found)
-		{
-			break;
-		}
-	}
-	net = *(u_int32_t*)from.ptr;
-	chunk_free(&from);
-	chunk_free(&to);
-	return net;
+	/* NM requires a tundev, but netkey does not use one. Passing an invalid
+	 * iface makes NM complain, but it accepts it without fiddling on eth0. */
+	val = g_slice_new0 (GValue);
+	g_value_init (val, G_TYPE_STRING);
+	g_value_set_string (val, "none");
+	g_hash_table_insert (config, NM_VPN_PLUGIN_IP4_CONFIG_TUNDEV, val);
+	
+	val = g_slice_new0(GValue);
+	g_value_init(val, G_TYPE_UINT);
+	g_value_set_uint(val, *(u_int32_t*)me->get_address(me).ptr);
+	g_hash_table_insert(config, NM_VPN_PLUGIN_IP4_CONFIG_ADDRESS, val);
+	
+	val = g_slice_new0(GValue);
+	g_value_init(val, G_TYPE_UINT);
+	g_value_set_uint(val, me->get_address(me).len * 8);
+	g_hash_table_insert(config, NM_VPN_PLUGIN_IP4_CONFIG_PREFIX, val);
+	
+	nm_vpn_plugin_set_ip4_config(plugin, config);
 }
 
 /**
- * signal IPv4 config to NM, set connection as established
+ * signal failure to NM, connecting failed
  */
-static void signal_ipv4_config(NMVPNPlugin *plugin, child_sa_t *child_sa)
+static void signal_failure(NMVPNPlugin *plugin)
 {
-	linked_list_t *list;
-	traffic_selector_t *ts = NULL;
-	enumerator_t *enumerator;
+	/* TODO: NM does not handle this failure!? 
+	nm_vpn_plugin_failure(plugin, NM_VPN_PLUGIN_FAILURE_LOGIN_FAILED); */
+	nm_vpn_plugin_set_state(plugin, NM_VPN_SERVICE_STATE_STOPPED);
+}
+
+/**
+ * Implementation of listener_t.ike_state_change
+ */
+static bool ike_state_change(listener_t *listener, ike_sa_t *ike_sa,
+							 ike_sa_state_t state)
+{
+	NMStrongswanPluginPrivate *private = (NMStrongswanPluginPrivate*)listener;
 	
-	list = child_sa->get_traffic_selectors(child_sa, FALSE);
-	enumerator = list->create_enumerator(list);
-	while (enumerator->enumerate(enumerator, &ts))
+	if (private->ike_sa == ike_sa)
 	{
-		GValue *val;
-		GHashTable *config;
-		u_int8_t mask;
-		
-		config = g_hash_table_new(g_str_hash, g_str_equal);
-		
-		val = g_slice_new0(GValue);
-		g_value_init(val, G_TYPE_UINT);
-		g_value_set_uint(val, ts2subnet(ts, &mask));
-		g_hash_table_insert(config, NM_VPN_PLUGIN_IP4_CONFIG_ADDRESS, val);
-		
-		val = g_slice_new0(GValue);
-		g_value_init(val, G_TYPE_UINT);
-		g_value_set_uint(val, mask);
-		g_hash_table_insert(config, NM_VPN_PLUGIN_IP4_CONFIG_PREFIX, val);
-		
-		nm_vpn_plugin_set_ip4_config(plugin, config);
+		switch (state)
+		{
+			case IKE_DESTROYING:
+				signal_failure(private->plugin);
+				return FALSE;
+			default:
+				break;
+		}
 	}
-	enumerator->destroy(enumerator);
+	return TRUE;
 }
 
 /**
- * Bus listen function to wait for SA establishing
+ * Implementation of listener_t.child_state_change
  */
-bool listen_bus(bus_listener_t *listener, signal_t signal, level_t level,
-				int thread, ike_sa_t *ike_sa, void *data, 
-				char* format, va_list args)
+static bool child_state_change(listener_t *listener, ike_sa_t *ike_sa,
+							   child_sa_t *child_sa, child_sa_state_t state)
 {
 	NMStrongswanPluginPrivate *private = (NMStrongswanPluginPrivate*)listener;
-	
+
 	if (private->ike_sa == ike_sa)
 	{
-		switch (signal)
+		switch (state)
 		{
-			case CHD_UP_SUCCESS:
-				if (data)
-				{
-					signal_ipv4_config(private->plugin, (child_sa_t*)data);
-					return FALSE;
-				}
-				/* FALL */
-			case IKE_UP_FAILED:
-			case CHD_UP_FAILED:
-				/* TODO: NM does not handle this failure!? 
-				nm_vpn_plugin_failure(private->plugin,
-									  NM_VPN_PLUGIN_FAILURE_LOGIN_FAILED); */
-				nm_vpn_plugin_set_state(private->plugin,
-										NM_VPN_SERVICE_STATE_STOPPED);
+			case CHILD_INSTALLED:
+				signal_ipv4_config(private->plugin, ike_sa, child_sa);
+				return FALSE;
+			case CHILD_DESTROYING:
+				signal_failure(private->plugin);
 				return FALSE;
 			default:
 				break;
@@ -462,8 +441,13 @@ static gboolean disconnect(NMVPNPlugin *plugin, GError **err)
  */
 static void nm_strongswan_plugin_init(NMStrongswanPlugin *plugin)
 {
-	NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin)->plugin = NM_VPN_PLUGIN(plugin);
-	NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin)->listener.signal = listen_bus;
+	NMStrongswanPluginPrivate *private;
+	
+	private = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin);
+	private->plugin = NM_VPN_PLUGIN(plugin);
+	memset(&private->listener.log, 0, sizeof(listener_t));
+	private->listener.ike_state_change = ike_state_change;
+	private->listener.child_state_change = child_state_change;
 }
 
 /**
diff --git a/src/charon/plugins/smp/smp.c b/src/charon/plugins/smp/smp.c
index 0870cad4c..237e9d86a 100644
--- a/src/charon/plugins/smp/smp.c
+++ b/src/charon/plugins/smp/smp.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: smp.c 4358 2008-09-25 13:56:23Z tobias $
+ * $Id: smp.c 4446 2008-10-15 12:24:44Z martin $
  */
 
 #include <stdlib.h>
@@ -181,19 +181,13 @@ static void write_childend(xmlTextWriterPtr writer, child_sa_t *child, bool loca
  */
 static void write_child(xmlTextWriterPtr writer, child_sa_t *child)
 {
-	ipsec_mode_t mode;
-	encryption_algorithm_t encr;
-	integrity_algorithm_t int_algo;
-	size_t encr_len, int_len;
-	u_int32_t rekey, use_in, use_out, use_fwd;
 	child_cfg_t *config;
 	
 	config = child->get_config(child);
-	child->get_stats(child, &mode, &encr, &encr_len, &int_algo, &int_len,
-					 &rekey, &use_in, &use_out, &use_fwd);
 
 	xmlTextWriterStartElement(writer, "childsa");
-	xmlTextWriterWriteFormatElement(writer, "reqid", "%d", child->get_reqid(child));
+	xmlTextWriterWriteFormatElement(writer, "reqid", "%d",
+									child->get_reqid(child));
 	xmlTextWriterWriteFormatElement(writer, "childconfig", "%s", 
 									config->get_name(config));
 	xmlTextWriterStartElement(writer, "local");
@@ -359,15 +353,15 @@ static void request_query_config(xmlTextReaderPtr reader, xmlTextWriterPtr write
 /**
  * callback which logs to a XML writer
  */
-static bool xml_callback(xmlTextWriterPtr writer, signal_t signal, level_t level,
-						 ike_sa_t* ike_sa, void *data, char* format, va_list args)
+static bool xml_callback(xmlTextWriterPtr writer, debug_t group, level_t level,
+						 ike_sa_t* ike_sa, char* format, va_list args)
 {
 	if (level <= 1)
 	{
 		/* <item> */
 		xmlTextWriterStartElement(writer, "item");
 		xmlTextWriterWriteFormatAttribute(writer, "level", "%d", level);
-		xmlTextWriterWriteFormatAttribute(writer, "source", "%N", signal_names, signal);
+		xmlTextWriterWriteFormatAttribute(writer, "source", "%N", debug_names, group);
 		xmlTextWriterWriteFormatAttribute(writer, "thread", "%u", pthread_self());
 		xmlTextWriterWriteVFormatString(writer, format, args);
 		xmlTextWriterEndElement(writer);
diff --git a/src/charon/plugins/sql/pool.c b/src/charon/plugins/sql/pool.c
index b3ad72ab2..8f5dc54dd 100644
--- a/src/charon/plugins/sql/pool.c
+++ b/src/charon/plugins/sql/pool.c
@@ -35,14 +35,6 @@ database_t *db;
  */
 host_t *start = NULL, *end = NULL;
 
-/**
- * create a host from a blob
- */
-static host_t *host_create_from_blob(chunk_t blob)
-{
-	return host_create_from_chunk(blob.len == 4 ? AF_INET : AF_INET6, blob, 0);
-}
-
 /**
  * calculate the size of a pool using start and end address chunk
  */
@@ -132,8 +124,8 @@ static void status(void)
 				found = TRUE;
 			}
 			
-			start = host_create_from_blob(start_chunk);
-			end = host_create_from_blob(end_chunk);
+			start = host_create_from_chunk(AF_UNSPEC, start_chunk, 0);
+			end = host_create_from_chunk(AF_UNSPEC, end_chunk, 0);
 			size = get_pool_size(start_chunk, end_chunk);
 			printf("%8s %15H %15H ", name, start, end);
 			if (timeout)
@@ -541,7 +533,7 @@ static void leases(char *filter, bool utc)
 			printf("%-8s %-15s %-7s  %-*s %-*s %s\n",
 				   "name", "address", "status", len, "start", len, "end", "identity");
 		}
-		address = host_create_from_blob(address_chunk);
+		address = host_create_from_chunk(AF_UNSPEC, address_chunk, 0);
 		identity = identification_create_from_encoding(identity_type, identity_chunk);
 		
 		printf("%-8s %-15H ", name, address);
diff --git a/src/charon/plugins/sql/sql_attribute.c b/src/charon/plugins/sql/sql_attribute.c
index 1e5c28966..486a432ca 100644
--- a/src/charon/plugins/sql/sql_attribute.c
+++ b/src/charon/plugins/sql/sql_attribute.c
@@ -17,6 +17,8 @@
 
 #include "sql_attribute.h"
 
+#include <time.h>
+
 #include <daemon.h>
 
 typedef struct private_sql_attribute_t private_sql_attribute_t;
@@ -42,22 +44,6 @@ struct private_sql_attribute_t {
 	bool history;
 };
 
-/**
- * read a host_t address from the addresses table
- */
-static host_t *host_from_chunk(chunk_t chunk)
-{
-	switch (chunk.len)
-	{
-		case 4:
-			return host_create_from_chunk(AF_INET, chunk, 0);
-		case 16:
-			return host_create_from_chunk(AF_INET6, chunk, 0);
-		default:
-			return NULL;
-	}
-}
-
 /**
  * lookup/insert an identity
  */
@@ -143,7 +129,7 @@ static host_t *get_address(private_sql_attribute_t *this, char *name,
 				"WHERE id = ? AND identity = ? AND released != 0",
 				DB_UINT, now, DB_UINT, id, DB_UINT, identity) > 0)
 		{
-			host = host_from_chunk(address);
+			host = host_create_from_chunk(AF_UNSPEC, address, 0);
 			if (host)
 			{
 				DBG1(DBG_CFG, "acquired existing lease "
@@ -175,7 +161,7 @@ static host_t *get_address(private_sql_attribute_t *this, char *name,
 				DB_UINT, now, DB_UINT, identity,
 				DB_UINT, id, DB_UINT, now - timeout) > 0)
 		{
-			host = host_from_chunk(address);
+			host = host_create_from_chunk(AF_UNSPEC, address, 0);
 			if (host)
 			{
 				DBG1(DBG_CFG, "acquired new lease "
diff --git a/src/charon/plugins/sql/sql_logger.c b/src/charon/plugins/sql/sql_logger.c
index 6a87f9f1d..4cbaaa3e6 100644
--- a/src/charon/plugins/sql/sql_logger.c
+++ b/src/charon/plugins/sql/sql_logger.c
@@ -49,13 +49,11 @@ struct private_sql_logger_t {
 	bool recursive;
 };
 
-
 /**
- * Implementation of bus_listener_t.signal.
+ * Implementation of bus_listener_t.log.
  */
-static bool signal_(private_sql_logger_t *this, signal_t signal, level_t level,
-					int thread, ike_sa_t* ike_sa, void *data,
-					char *format, va_list args)
+static bool log_(private_sql_logger_t *this, debug_t group, level_t level,
+				 int thread, ike_sa_t* ike_sa, char *format, va_list args)
 {
 	if (this->recursive)
 	{
@@ -111,7 +109,7 @@ static bool signal_(private_sql_logger_t *this, signal_t signal, level_t level,
 						  DB_BLOB, remote_host->get_address(remote_host));
 		this->db->execute(this->db, NULL, "INSERT INTO logs ("
 						  "local_spi, signal, level, msg) VALUES (?, ?, ?, ?)",
-						  DB_BLOB, local_spi, DB_INT, signal, DB_INT, level,
+						  DB_BLOB, local_spi, DB_INT, group, DB_INT, level,
 						  DB_TEXT, buffer);
 	}
 	this->recursive = FALSE;
@@ -134,7 +132,8 @@ sql_logger_t *sql_logger_create(database_t *db)
 {
 	private_sql_logger_t *this = malloc_thing(private_sql_logger_t);
 	
-	this->public.listener.signal = (bool(*)(bus_listener_t*,signal_t,level_t,int,ike_sa_t*,void*,char*,va_list))signal_;
+	memset(&this->public.listener, 0, sizeof(listener_t));
+	this->public.listener.log = (bool(*)(listener_t*,debug_t,level_t,int,ike_sa_t*,char*,va_list))log_;
 	this->public.destroy = (void(*)(sql_logger_t*))destroy;
 	
 	this->db = db;
diff --git a/src/charon/plugins/sql/sql_logger.h b/src/charon/plugins/sql/sql_logger.h
index 30507bcaf..a2c6fb5e9 100644
--- a/src/charon/plugins/sql/sql_logger.h
+++ b/src/charon/plugins/sql/sql_logger.h
@@ -36,7 +36,7 @@ struct sql_logger_t {
 	/**
 	 * Implements bus_listener_t interface
 	 */
-	bus_listener_t listener;
+	listener_t listener;
 	
 	/**
 	 * Destry the backend.
diff --git a/src/charon/plugins/stroke/stroke_ca.c b/src/charon/plugins/stroke/stroke_ca.c
index 8569f49c3..54356436f 100644
--- a/src/charon/plugins/stroke/stroke_ca.c
+++ b/src/charon/plugins/stroke/stroke_ca.c
@@ -16,12 +16,10 @@
  * $Id$
  */
 
-#define _GNU_SOURCE
-#include <pthread.h>
-
 #include "stroke_ca.h"
 #include "stroke_cred.h"
 
+#include <utils/mutex.h>
 #include <utils/linked_list.h>
 #include <crypto/hashers/hasher.h>
 
@@ -42,7 +40,7 @@ struct private_stroke_ca_t {
 	/**
 	 * read-write lock to lists
 	 */
-	pthread_rwlock_t lock;
+	rwlock_t *lock;
 	
 	/**
 	 * list of starters CA sections and its certificates (ca_section_t)
@@ -136,7 +134,7 @@ typedef struct {
  */
 static void cdp_data_destroy(cdp_data_t *data)
 {
-	pthread_rwlock_unlock(&data->this->lock);
+	data->this->lock->unlock(data->this->lock);
 	free(data);
 }
 
@@ -236,7 +234,7 @@ static enumerator_t *create_cdp_enumerator(private_stroke_ca_t *this,
 	data->type = type;
 	data->id = id;
 	
-	pthread_rwlock_rdlock(&this->lock);
+	this->lock->read_lock(this->lock);
 	return enumerator_create_nested(this->sections->create_enumerator(this->sections),
 			(type == CERT_X509) ? (void*)create_inner_cdp_hashandurl : (void*)create_inner_cdp,
 			data, (void*)cdp_data_destroy);
@@ -278,9 +276,9 @@ static void add(private_stroke_ca_t *this, stroke_msg_t *msg)
 		{
 			ca->certuribase = strdup(msg->add_ca.certuribase);
 		}
-		pthread_rwlock_wrlock(&this->lock);
+		this->lock->write_lock(this->lock);
 		this->sections->insert_last(this->sections, ca);
-		pthread_rwlock_unlock(&this->lock);
+		this->lock->unlock(this->lock);
 		DBG1(DBG_CFG, "added ca '%s'", msg->add_ca.name);
 	}
 }
@@ -293,7 +291,7 @@ static void del(private_stroke_ca_t *this, stroke_msg_t *msg)
 	enumerator_t *enumerator;
 	ca_section_t *ca = NULL;
 	
-	pthread_rwlock_wrlock(&this->lock);
+	this->lock->write_lock(this->lock);
 	enumerator = this->sections->create_enumerator(this->sections);
 	while (enumerator->enumerate(enumerator, &ca))
 	{
@@ -305,7 +303,7 @@ static void del(private_stroke_ca_t *this, stroke_msg_t *msg)
 		ca = NULL;
 	}
 	enumerator->destroy(enumerator);
-	pthread_rwlock_unlock(&this->lock);
+	this->lock->unlock(this->lock);
 	if (ca == NULL)
 	{
 		DBG1(DBG_CFG, "no ca named '%s' found\n", msg->del_ca.name);
@@ -356,7 +354,7 @@ static void check_for_hash_and_url(private_stroke_ca_t *this, certificate_t* cer
 		return;
 	}
 	
-	pthread_rwlock_wrlock(&this->lock);
+	this->lock->write_lock(this->lock);
 	enumerator = this->sections->create_enumerator(this->sections);
 	while (enumerator->enumerate(enumerator, (void**)&section))
 	{
@@ -372,7 +370,7 @@ static void check_for_hash_and_url(private_stroke_ca_t *this, certificate_t* cer
 		}
 	}
 	enumerator->destroy(enumerator);
-	pthread_rwlock_unlock(&this->lock);
+	this->lock->unlock(this->lock);
 	
 	hasher->destroy(hasher);
 }
@@ -386,7 +384,7 @@ static void list(private_stroke_ca_t *this, stroke_msg_t *msg, FILE *out)
 	ca_section_t *section;
 	enumerator_t *enumerator;
 	
-	pthread_rwlock_rdlock(&this->lock);
+	this->lock->read_lock(this->lock);
 	enumerator = this->sections->create_enumerator(this->sections);
 	while (enumerator->enumerate(enumerator, (void**)&section))
 	{
@@ -419,7 +417,7 @@ static void list(private_stroke_ca_t *this, stroke_msg_t *msg, FILE *out)
 		}
 	}
 	enumerator->destroy(enumerator);
-	pthread_rwlock_unlock(&this->lock);
+	this->lock->unlock(this->lock);
 }
 
 /**
@@ -428,7 +426,7 @@ static void list(private_stroke_ca_t *this, stroke_msg_t *msg, FILE *out)
 static void destroy(private_stroke_ca_t *this)
 {
 	this->sections->destroy_function(this->sections, (void*)ca_section_destroy);
-	pthread_rwlock_destroy(&this->lock);
+	this->lock->destroy(this->lock);
 	free(this);
 }
 
@@ -451,7 +449,7 @@ stroke_ca_t *stroke_ca_create(stroke_cred_t *cred)
 	this->public.destroy = (void(*)(stroke_ca_t*))destroy;
 	
 	this->sections = linked_list_create();
-	pthread_rwlock_init(&this->lock, NULL);
+	this->lock = rwlock_create(RWLOCK_DEFAULT);
 	this->cred = cred;
 	
 	return &this->public;
diff --git a/src/charon/plugins/stroke/stroke_config.c b/src/charon/plugins/stroke/stroke_config.c
index f10fe2051..cb91ecb72 100644
--- a/src/charon/plugins/stroke/stroke_config.c
+++ b/src/charon/plugins/stroke/stroke_config.c
@@ -19,6 +19,7 @@
 
 #include <daemon.h>
 #include <utils/mutex.h>
+#include <utils/lexparser.h>
 
 typedef struct private_stroke_config_t private_stroke_config_t;
 
@@ -774,7 +775,8 @@ static child_cfg_t *build_child_cfg(private_stroke_config_t *this,
 				msg->add_conn.rekey.margin * msg->add_conn.rekey.fuzz / 100, 
 				msg->add_conn.me.updown, msg->add_conn.me.hostaccess,
 				msg->add_conn.mode, dpd, dpd, msg->add_conn.ipcomp);
-	
+	child_cfg->set_mipv6_options(child_cfg, msg->add_conn.proxy_mode,
+											msg->add_conn.install_policy);
 	add_ts(this, &msg->add_conn.me, child_cfg, TRUE);
 	add_ts(this, &msg->add_conn.other, child_cfg, FALSE);
 	
diff --git a/src/charon/plugins/stroke/stroke_control.c b/src/charon/plugins/stroke/stroke_control.c
index ed9dd7b16..08d50519c 100644
--- a/src/charon/plugins/stroke/stroke_control.c
+++ b/src/charon/plugins/stroke/stroke_control.c
@@ -55,8 +55,8 @@ struct stroke_log_info_t {
 /**
  * logging to the stroke interface
  */
-static bool stroke_log(stroke_log_info_t *info, signal_t signal, level_t level,
-					   ike_sa_t *ike_sa, void *data, char *format, va_list args)
+static bool stroke_log(stroke_log_info_t *info, debug_t group, level_t level,
+					   ike_sa_t *ike_sa, char *format, va_list args)
 {
 	if (level <= info->level)
 	{
diff --git a/src/charon/plugins/stroke/stroke_cred.c b/src/charon/plugins/stroke/stroke_cred.c
index c699a083e..23a6f99b0 100644
--- a/src/charon/plugins/stroke/stroke_cred.c
+++ b/src/charon/plugins/stroke/stroke_cred.c
@@ -15,8 +15,6 @@
  * $Id$
  */
 
-#define _GNU_SOURCE
-#include <pthread.h>
 #include <sys/stat.h>
 #include <limits.h>
 
@@ -28,6 +26,7 @@
 #include <credentials/certificates/ac.h>
 #include <utils/linked_list.h>
 #include <utils/lexparser.h>
+#include <utils/mutex.h>
 #include <asn1/pem.h>
 #include <daemon.h>
 
@@ -73,7 +72,7 @@ struct private_stroke_cred_t {
 	/**
 	 * read-write lock to lists
 	 */
-	pthread_rwlock_t lock;
+	rwlock_t *lock;
 	
 	/**
 	 * cache CRLs to disk?
@@ -94,7 +93,7 @@ typedef struct {
  */
 static void id_data_destroy(id_data_t *data)
 {
-	pthread_rwlock_unlock(&data->this->lock);
+	data->this->lock->unlock(data->this->lock);
 	free(data);
 }
 
@@ -140,7 +139,7 @@ static enumerator_t* create_private_enumerator(private_stroke_cred_t *this,
 	data->this = this;
 	data->id = id;
 	
-	pthread_rwlock_rdlock(&this->lock);
+	this->lock->read_lock(this->lock);
 	return enumerator_create_filter(this->private->create_enumerator(this->private),
 									(void*)private_filter, data,
 									(void*)id_data_destroy);
@@ -241,7 +240,7 @@ static enumerator_t* create_cert_enumerator(private_stroke_cred_t *this,
 		data->this = this;
 		data->id = id;
 		
-		pthread_rwlock_rdlock(&this->lock);
+		this->lock->read_lock(this->lock);
 		return enumerator_create_filter(this->certs->create_enumerator(this->certs),
 					(cert == CERT_X509_CRL)? (void*)crl_filter : (void*)ac_filter,
 					data, (void*)id_data_destroy);
@@ -254,7 +253,7 @@ static enumerator_t* create_cert_enumerator(private_stroke_cred_t *this,
 	data->this = this;
 	data->id = id;
 	
-	pthread_rwlock_rdlock(&this->lock);
+	this->lock->read_lock(this->lock);
 	return enumerator_create_filter(this->certs->create_enumerator(this->certs),
 									(void*)certs_filter, data,
 									(void*)id_data_destroy);
@@ -272,7 +271,7 @@ typedef struct {
  */
 static void shared_data_destroy(shared_data_t *data)
 {
-	pthread_rwlock_unlock(&data->this->lock);
+	data->this->lock->unlock(data->this->lock);
 	free(data);
 }
 
@@ -324,7 +323,7 @@ static enumerator_t* create_shared_enumerator(private_stroke_cred_t *this,
 	data->me = me;
 	data->other = other;
 	data->type = type;
-	pthread_rwlock_rdlock(&this->lock);
+	this->lock->read_lock(this->lock);
 	return enumerator_create_filter(this->shared->create_enumerator(this->shared),
 									(void*)shared_filter, data,
 									(void*)shared_data_destroy);
@@ -339,7 +338,7 @@ static certificate_t* add_cert(private_stroke_cred_t *this, certificate_t *cert)
 	enumerator_t *enumerator;
 	bool new = TRUE;	
 
-	pthread_rwlock_rdlock(&this->lock);
+	this->lock->read_lock(this->lock);
 	enumerator = this->certs->create_enumerator(this->certs);
 	while (enumerator->enumerate(enumerator, (void**)&current))
 	{
@@ -358,7 +357,7 @@ static certificate_t* add_cert(private_stroke_cred_t *this, certificate_t *cert)
 	{
 		this->certs->insert_last(this->certs, cert);
 	}
-	pthread_rwlock_unlock(&this->lock);
+	this->lock->unlock(this->lock);
 	return cert;
 }
 	
@@ -400,7 +399,7 @@ static bool add_crl(private_stroke_cred_t *this, crl_t* crl)
 	enumerator_t *enumerator;
 	bool new = TRUE, found = FALSE;	
 
-	pthread_rwlock_wrlock(&this->lock);
+	this->lock->write_lock(this->lock);
 	enumerator = this->certs->create_enumerator(this->certs);
 	while (enumerator->enumerate(enumerator, (void**)&current))
 	{
@@ -448,7 +447,7 @@ static bool add_crl(private_stroke_cred_t *this, crl_t* crl)
 	{
 		this->certs->insert_last(this->certs, cert);
 	}
-	pthread_rwlock_unlock(&this->lock);
+	this->lock->unlock(this->lock);
 	return new;
 }
 
@@ -459,9 +458,9 @@ static bool add_ac(private_stroke_cred_t *this, ac_t* ac)
 {
 	certificate_t *cert = &ac->certificate;
 
-	pthread_rwlock_wrlock(&this->lock);
+	this->lock->write_lock(this->lock);
 	this->certs->insert_last(this->certs, cert);
-	pthread_rwlock_unlock(&this->lock);
+	this->lock->unlock(this->lock);
 	return TRUE;
 }
 
@@ -698,7 +697,7 @@ static void load_secrets(private_stroke_cred_t *this)
 	fclose(fd);
 	src = chunk;
 
-	pthread_rwlock_wrlock(&this->lock);
+	this->lock->write_lock(this->lock);
 	while (this->shared->remove_last(this->shared,
 		 								   (void**)&shared) == SUCCESS)
 	{
@@ -868,7 +867,7 @@ static void load_secrets(private_stroke_cred_t *this)
 		}
 	}
 error:
-	pthread_rwlock_unlock(&this->lock);
+	this->lock->unlock(this->lock);
 	chunk_clear(&chunk);
 }
 
@@ -949,7 +948,7 @@ static void destroy(private_stroke_cred_t *this)
 	this->certs->destroy_offset(this->certs, offsetof(certificate_t, destroy));
 	this->shared->destroy_offset(this->shared, offsetof(shared_key_t, destroy));
 	this->private->destroy_offset(this->private, offsetof(private_key_t, destroy));
-	pthread_rwlock_destroy(&this->lock);
+	this->lock->destroy(this->lock);
 	free(this);
 }
 
@@ -974,7 +973,7 @@ stroke_cred_t *stroke_cred_create()
 	this->certs = linked_list_create();
 	this->shared = linked_list_create();
 	this->private = linked_list_create();
-	pthread_rwlock_init(&this->lock, NULL);
+	this->lock = rwlock_create(RWLOCK_DEFAULT);
 
 	load_certs(this);
 	load_secrets(this);
diff --git a/src/charon/plugins/stroke/stroke_list.c b/src/charon/plugins/stroke/stroke_list.c
index d531dca47..7d0ad4557 100644
--- a/src/charon/plugins/stroke/stroke_list.c
+++ b/src/charon/plugins/stroke/stroke_list.c
@@ -17,6 +17,8 @@
 
 #include "stroke_list.h"
 
+#include <time.h>
+
 #include <daemon.h>
 #include <utils/linked_list.h>
 #include <credentials/certificates/x509.h>
@@ -79,25 +81,32 @@ static void log_ike_sa(FILE *out, ike_sa_t *ike_sa, bool all)
 	
 	if (all)
 	{
-		char *ike_proposal = ike_sa->get_proposal(ike_sa);
-
+		proposal_t *ike_proposal;
+		
+		ike_proposal = ike_sa->get_proposal(ike_sa);
+		
 		fprintf(out, "%12s[%d]: IKE SPIs: %.16llx_i%s %.16llx_r%s",
 				ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa),
 				id->get_initiator_spi(id), id->is_initiator(id) ? "*" : "",
 				id->get_responder_spi(id), id->is_initiator(id) ? "" : "*");
-	
-
+		
+		
 		if (ike_sa->get_state(ike_sa) == IKE_ESTABLISHED)
 		{
-			u_int32_t rekey = ike_sa->get_statistic(ike_sa, STAT_REKEY_TIME);
-			u_int32_t reauth = ike_sa->get_statistic(ike_sa, STAT_REAUTH_TIME);
-
+			u_int32_t rekey, reauth, now;
+			
+			now = time(NULL);
+			rekey = ike_sa->get_statistic(ike_sa, STAT_REKEY);
+			reauth = ike_sa->get_statistic(ike_sa, STAT_REAUTH);
+			
 			if (rekey)
 			{
+				rekey -= now;
 				fprintf(out, ", rekeying in %V", &rekey);
 			}
 			if (reauth)
 			{
+				reauth -= now;
 				fprintf(out, ", %N reauthentication in %V", auth_class_names,
 						get_auth_class(ike_sa->get_peer_cfg(ike_sa)), &reauth);
 			}
@@ -107,13 +116,16 @@ static void log_ike_sa(FILE *out, ike_sa_t *ike_sa, bool all)
 			}
 		}
 		fprintf(out, "\n");
-
+		
 		if (ike_proposal)
 		{
+			char buf[BUF_LEN];
+			
+			snprintf(buf, BUF_LEN, "%P", ike_proposal);
 			fprintf(out, "%12s[%d]: IKE proposal: %s\n",
 					ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa),
-					ike_proposal);
-		}		
+					buf+4);
+		}
 	}
 }
 
@@ -123,68 +135,67 @@ static void log_ike_sa(FILE *out, ike_sa_t *ike_sa, bool all)
 static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all)
 {
 	u_int32_t rekey, now = time(NULL);
-	u_int32_t use_in, use_out, use_fwd;
-	encryption_algorithm_t encr_alg;
-	integrity_algorithm_t int_alg;
-	size_t encr_len, int_len;
-	ipsec_mode_t mode;
-	
-	child_sa->get_stats(child_sa, &mode, &encr_alg, &encr_len,
-						&int_alg, &int_len, &rekey, &use_in, &use_out,
-						&use_fwd);
+	u_int32_t use_in, use_out;
+	proposal_t *proposal;
+	child_cfg_t *config = child_sa->get_config(child_sa);
 	
-	fprintf(out, "%12s{%d}:  %N, %N", 
+	fprintf(out, "%12s{%d}:  %N, %N%s", 
 			child_sa->get_name(child_sa), child_sa->get_reqid(child_sa),
 			child_sa_state_names, child_sa->get_state(child_sa),
-			ipsec_mode_names, mode);
+			ipsec_mode_names, child_sa->get_mode(child_sa),
+			config->use_proxy_mode(config) ? "_PROXY" : "");
 	
 	if (child_sa->get_state(child_sa) == CHILD_INSTALLED)
 	{
-		u_int16_t my_cpi    = child_sa->get_cpi(child_sa, TRUE);
-		u_int16_t other_cpi = child_sa->get_cpi(child_sa, FALSE);		
-
-		fprintf(out, ", %N SPIs: %.8x_i %.8x_o",
+		fprintf(out, ", %N%s SPIs: %.8x_i %.8x_o",
 				protocol_id_names, child_sa->get_protocol(child_sa),
+				child_sa->has_encap(child_sa) ? " in UDP" : "",
 				ntohl(child_sa->get_spi(child_sa, TRUE)),
 				ntohl(child_sa->get_spi(child_sa, FALSE)));
-
-		/* Is IPCOMP activated ? */
-		if (my_cpi && other_cpi)
+		
+		if (child_sa->get_ipcomp(child_sa) != IPCOMP_NONE)
 		{
 			fprintf(out, ", IPCOMP CPIs: %.4x_i %.4x_o",
-					ntohs(my_cpi), ntohs(other_cpi));
+					ntohs(child_sa->get_cpi(child_sa, TRUE)),
+					ntohs(child_sa->get_cpi(child_sa, FALSE)));
 		}
-
+		
 		if (all)
 		{
 			fprintf(out, "\n%12s{%d}:  ", child_sa->get_name(child_sa), 
 					child_sa->get_reqid(child_sa));
 			
-			
-			if (child_sa->get_protocol(child_sa) == PROTO_ESP)
+			proposal = child_sa->get_proposal(child_sa);
+			if (proposal)
 			{
-				fprintf(out, "%N", encryption_algorithm_names, encr_alg);
+				u_int16_t encr_alg = ENCR_UNDEFINED, int_alg = AUTH_UNDEFINED;
+				u_int16_t encr_size = 0, int_size = 0;
 				
-				if (encr_len)
+				proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM,
+										&encr_alg, &encr_size);
+				proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM,
+										&int_alg, &int_size);
+				
+				if (encr_alg != ENCR_UNDEFINED)
 				{
-					fprintf(out, "-%d", encr_len);
+					fprintf(out, "%N", encryption_algorithm_names, encr_alg);
+					if (encr_size)
+					{
+						fprintf(out, "-%d", encr_size);
+					}
 				}
 				if (int_alg != AUTH_UNDEFINED)
 				{
-					fprintf(out, "/");
-				}
-			}
-			
-			if (int_alg != AUTH_UNDEFINED)
-			{
-				fprintf(out, "%N", integrity_algorithm_names, int_alg);
-				if (int_len)
-				{
-					fprintf(out, "-%d", int_len);
+					fprintf(out, "/%N", integrity_algorithm_names, int_alg);
+					if (int_size)
+					{
+						fprintf(out, "-%d", int_size);
+					}
 				}
 			}
 			fprintf(out, ", rekeying ");
 			
+			rekey = child_sa->get_lifetime(child_sa, FALSE);
 			if (rekey)
 			{
 				fprintf(out, "in %#V", &now, &rekey);
@@ -195,7 +206,7 @@ static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all)
 			}
 			
 			fprintf(out, ", last use: ");
-			use_in = max(use_in, use_fwd);
+			use_in = child_sa->get_usetime(child_sa, TRUE);
 			if (use_in)
 			{
 				fprintf(out, "%ds_i ", now - use_in);
@@ -204,6 +215,7 @@ static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all)
 			{
 				fprintf(out, "no_i ");
 			}
+			use_out = child_sa->get_usetime(child_sa, FALSE);
 			if (use_out)
 			{
 				fprintf(out, "%ds_o ", now - use_out);
diff --git a/src/charon/plugins/stroke/stroke_socket.c b/src/charon/plugins/stroke/stroke_socket.c
index 175322aa8..8c4ab7804 100644
--- a/src/charon/plugins/stroke/stroke_socket.c
+++ b/src/charon/plugins/stroke/stroke_socket.c
@@ -25,6 +25,7 @@
 #include <sys/fcntl.h>
 #include <unistd.h>
 #include <errno.h>
+#include <pthread.h>
 
 #include <processing/jobs/callback_job.h>
 #include <daemon.h>
@@ -336,9 +337,9 @@ static void stroke_purge(private_stroke_socket_t *this,
 									 CERT_X509_OCSP_RESPONSE);
 }
 
-signal_t get_signal_from_logtype(char *type)
+debug_t get_group_from_name(char *type)
 {
-	if      (strcasecmp(type, "any") == 0) return SIG_ANY;
+	if (strcasecmp(type, "any") == 0) return DBG_ANY;
 	else if (strcasecmp(type, "mgr") == 0) return DBG_MGR;
 	else if (strcasecmp(type, "ike") == 0) return DBG_IKE;
 	else if (strcasecmp(type, "chd") == 0) return DBG_CHD;
@@ -354,29 +355,44 @@ signal_t get_signal_from_logtype(char *type)
 /**
  * set the verbosity debug output
  */
-static void stroke_loglevel(private_stroke_socket_t *this, stroke_msg_t *msg, FILE *out)
+static void stroke_loglevel(private_stroke_socket_t *this,
+							stroke_msg_t *msg, FILE *out)
 {
-	signal_t signal;
+	enumerator_t *enumerator;
+	sys_logger_t *sys_logger;
+	file_logger_t *file_logger;
+	debug_t group;
 	
 	pop_string(msg, &(msg->loglevel.type));
 	DBG1(DBG_CFG, "received stroke: loglevel %d for %s",
 		 msg->loglevel.level, msg->loglevel.type);
 	
-	signal = get_signal_from_logtype(msg->loglevel.type);
-	if (signal < 0)
+	group = get_group_from_name(msg->loglevel.type);
+	if (group < 0)
 	{
 		fprintf(out, "invalid type (%s)!\n", msg->loglevel.type);
 		return;
 	}
-	
-	charon->outlog->set_level(charon->outlog, signal, msg->loglevel.level);
-	charon->syslog->set_level(charon->syslog, signal, msg->loglevel.level);
+	/* we set the loglevel on ALL sys- and file-loggers */
+	enumerator = charon->sys_loggers->create_enumerator(charon->sys_loggers);
+	while (enumerator->enumerate(enumerator, &sys_logger))
+	{
+		sys_logger->set_level(sys_logger, group, msg->loglevel.level);
+	}
+	enumerator->destroy(enumerator);
+	enumerator = charon->file_loggers->create_enumerator(charon->file_loggers);
+	while (enumerator->enumerate(enumerator, &file_logger))
+	{
+		file_logger->set_level(file_logger, group, msg->loglevel.level);
+	}
+	enumerator->destroy(enumerator);
 }
 
 /**
  * set various config options
  */
-static void stroke_config(private_stroke_socket_t *this, stroke_msg_t *msg, FILE *out)
+static void stroke_config(private_stroke_socket_t *this,
+						  stroke_msg_t *msg, FILE *out)
 {
 	this->cred->cachecrl(this->cred, msg->config.cachecrl);
 }
diff --git a/src/charon/plugins/unit_tester/tests/test_pool.c b/src/charon/plugins/unit_tester/tests/test_pool.c
index 5d5295bea..40334335d 100644
--- a/src/charon/plugins/unit_tester/tests/test_pool.c
+++ b/src/charon/plugins/unit_tester/tests/test_pool.c
@@ -15,6 +15,7 @@
 
 #include <sys/time.h>
 #include <time.h>
+#include <pthread.h>
 
 #include <library.h>
 #include <daemon.h>
diff --git a/src/charon/plugins/updown/Makefile.am b/src/charon/plugins/updown/Makefile.am
new file mode 100644
index 000000000..de60d9fbf
--- /dev/null
+++ b/src/charon/plugins/updown/Makefile.am
@@ -0,0 +1,12 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
+
+AM_CFLAGS = -rdynamic
+
+plugin_LTLIBRARIES = libstrongswan-updown.la
+libstrongswan_updown_la_SOURCES = \
+  updown_plugin.h updown_plugin.c \
+  updown_listener.h updown_listener.c 
+libstrongswan_updown_la_LDFLAGS = -module
+
+
diff --git a/src/charon/plugins/updown/Makefile.in b/src/charon/plugins/updown/Makefile.in
new file mode 100644
index 000000000..603000a09
--- /dev/null
+++ b/src/charon/plugins/updown/Makefile.in
@@ -0,0 +1,501 @@
+# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/charon/plugins/updown
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__installdirs = "$(DESTDIR)$(plugindir)"
+pluginLTLIBRARIES_INSTALL = $(INSTALL)
+LTLIBRARIES = $(plugin_LTLIBRARIES)
+libstrongswan_updown_la_LIBADD =
+am_libstrongswan_updown_la_OBJECTS = updown_plugin.lo \
+	updown_listener.lo
+libstrongswan_updown_la_OBJECTS =  \
+	$(am_libstrongswan_updown_la_OBJECTS)
+libstrongswan_updown_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_updown_la_LDFLAGS) $(LDFLAGS) -o $@
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_updown_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_updown_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+CXXDEPMODE = @CXXDEPMODE@
+CXXFLAGS = @CXXFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DSYMUTIL = @DSYMUTIL@
+ECHO = @ECHO@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+F77 = @F77@
+FFLAGS = @FFLAGS@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
+IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LINUX_HEADERS = @LINUX_HEADERS@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+NMEDIT = @NMEDIT@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+RANLIB = @RANLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_CXX = @ac_ct_CXX@
+ac_ct_F77 = @ac_ct_F77@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+confdir = @confdir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libstrongswan_plugins = @libstrongswan_plugins@
+linuxdir = @linuxdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+resolv_conf = @resolv_conf@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+simreader = @simreader@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
+AM_CFLAGS = -rdynamic
+plugin_LTLIBRARIES = libstrongswan-updown.la
+libstrongswan_updown_la_SOURCES = \
+  updown_plugin.h updown_plugin.c \
+  updown_listener.h updown_listener.c 
+
+libstrongswan_updown_la_LDFLAGS = -module
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
+		&& exit 0; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/charon/plugins/updown/Makefile'; \
+	cd $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu  src/charon/plugins/updown/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    f=$(am__strip_dir) \
+	    echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(plugindir)/$$f'"; \
+	    $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(plugindir)/$$f"; \
+	  else :; fi; \
+	done
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  p=$(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$p'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$p"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-updown.la: $(libstrongswan_updown_la_OBJECTS) $(libstrongswan_updown_la_DEPENDENCIES) 
+	$(libstrongswan_updown_la_LINK) -rpath $(plugindir) $(libstrongswan_updown_la_OBJECTS) $(libstrongswan_updown_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/updown_listener.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/updown_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	    $$tags $$unique; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$tags $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) $$here
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	    fi; \
+	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
+	mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-info: install-info-am
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
+	distclean-compile distclean-generic distclean-libtool \
+	distclean-tags distdir dvi dvi-am html html-am info info-am \
+	install install-am install-data install-data-am install-dvi \
+	install-dvi-am install-exec install-exec-am install-html \
+	install-html-am install-info install-info-am install-man \
+	install-pdf install-pdf-am install-pluginLTLIBRARIES \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/charon/plugins/updown/updown_listener.c b/src/charon/plugins/updown/updown_listener.c
new file mode 100644
index 000000000..7dfb874cb
--- /dev/null
+++ b/src/charon/plugins/updown/updown_listener.c
@@ -0,0 +1,320 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+#define _GNU_SOURCE
+#include <stdio.h>
+
+#include "updown_listener.h"
+
+#include <daemon.h>
+#include <config/child_cfg.h>
+
+typedef struct private_updown_listener_t private_updown_listener_t;
+
+/**
+ * Private data of an updown_listener_t object.
+ */
+struct private_updown_listener_t {
+	
+	/**
+	 * Public updown_listener_t interface.
+	 */
+	updown_listener_t public;
+	
+	/**
+	 * List of cached interface names
+	 */
+	linked_list_t *iface_cache;
+};
+
+typedef struct cache_entry_t cache_entry_t;
+
+/**
+ * Cache line in the interface name cache.
+ */
+struct cache_entry_t {
+	/** requid of the CHILD_SA */
+	u_int32_t reqid;
+	/** cached interface name */
+	char *iface;
+};
+
+/**
+ * Insert an interface name to the cache
+ */
+static void cache_iface(private_updown_listener_t *this, u_int32_t reqid,
+						char *iface)
+{
+	cache_entry_t *entry = malloc_thing(cache_entry_t);
+	
+	entry->reqid = reqid;
+	entry->iface = strdup(iface);
+	
+	this->iface_cache->insert_first(this->iface_cache, entry);
+}
+
+/**
+ * Remove a cached interface name and return it.
+ */
+static char* uncache_iface(private_updown_listener_t *this, u_int32_t reqid)
+{
+	enumerator_t *enumerator;
+	cache_entry_t *entry;
+	char *iface = NULL;
+	
+	enumerator = this->iface_cache->create_enumerator(this->iface_cache);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (entry->reqid == reqid)
+		{
+			this->iface_cache->remove_at(this->iface_cache, enumerator);
+			iface = entry->iface;
+			free(entry);
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return iface;
+}
+
+/**
+ * Run the up/down script
+ */
+static void updown(private_updown_listener_t *this, ike_sa_t *ike_sa,
+				   child_sa_t *child_sa, bool up)
+{
+	traffic_selector_t *my_ts, *other_ts;
+	enumerator_t *enumerator;
+	child_cfg_t *config;
+	host_t *vip, *me, *other;
+	char *script;
+	
+	config = child_sa->get_config(child_sa);
+	vip = ike_sa->get_virtual_ip(ike_sa, TRUE);
+	script = config->get_updown(config);
+	me = ike_sa->get_my_host(ike_sa);
+	other = ike_sa->get_other_host(ike_sa);
+	
+	if (script == NULL)
+	{
+		return;
+	}
+	
+	enumerator = child_sa->create_policy_enumerator(child_sa);
+	while (enumerator->enumerate(enumerator, &my_ts, &other_ts))
+	{
+		char command[1024];
+		char *my_client, *other_client, *my_client_mask, *other_client_mask;
+		char *pos, *virtual_ip, *iface;
+		FILE *shell;
+
+		/* get subnet/bits from string */
+		if (asprintf(&my_client, "%R", my_ts) < 0)
+		{
+			my_client = NULL;
+		}
+		pos = strchr(my_client, '/');
+		*pos = '\0';
+		my_client_mask = pos + 1;
+		pos = strchr(my_client_mask, '[');
+		if (pos)
+		{
+			*pos = '\0';
+		}
+		if (asprintf(&other_client, "%R", other_ts) < 0)
+		{
+			other_client = NULL;
+		}
+		pos = strchr(other_client, '/');
+		*pos = '\0';
+		other_client_mask = pos + 1;
+		pos = strchr(other_client_mask, '[');
+		if (pos)
+		{
+			*pos = '\0';
+		}
+
+		if (vip)
+		{
+			if (asprintf(&virtual_ip, "PLUTO_MY_SOURCEIP='%H' ", vip) < 0)
+			{
+				virtual_ip = NULL;
+			}
+		}
+		else
+		{
+			if (asprintf(&virtual_ip, "") < 0)
+			{
+				virtual_ip = NULL;
+			}
+		}
+		
+		if (up)
+		{
+			iface = charon->kernel_interface->get_interface(
+												charon->kernel_interface, me);
+			if (iface)
+			{
+				cache_iface(this, child_sa->get_reqid(child_sa), iface);
+			}
+		}
+		else
+		{
+			iface = uncache_iface(this, child_sa->get_reqid(child_sa));
+		}
+		
+		/* build the command with all env variables.
+		 * TODO: PLUTO_PEER_CA and PLUTO_NEXT_HOP are currently missing
+		 */
+		snprintf(command, sizeof(command),
+				 "2>&1 "
+				"PLUTO_VERSION='1.1' "
+				"PLUTO_VERB='%s%s%s' "
+				"PLUTO_CONNECTION='%s' "
+				"PLUTO_INTERFACE='%s' "
+				"PLUTO_REQID='%u' "
+				"PLUTO_ME='%H' "
+				"PLUTO_MY_ID='%D' "
+				"PLUTO_MY_CLIENT='%s/%s' "
+				"PLUTO_MY_CLIENT_NET='%s' "
+				"PLUTO_MY_CLIENT_MASK='%s' "
+				"PLUTO_MY_PORT='%u' "
+				"PLUTO_MY_PROTOCOL='%u' "
+				"PLUTO_PEER='%H' "
+				"PLUTO_PEER_ID='%D' "
+				"PLUTO_PEER_CLIENT='%s/%s' "
+				"PLUTO_PEER_CLIENT_NET='%s' "
+				"PLUTO_PEER_CLIENT_MASK='%s' "
+				"PLUTO_PEER_PORT='%u' "
+				"PLUTO_PEER_PROTOCOL='%u' "
+				"%s"
+				"%s"
+				"%s",
+				 up ? "up" : "down",
+				 my_ts->is_host(my_ts, me) ? "-host" : "-client",
+				 me->get_family(me) == AF_INET ? "" : "-v6",
+				 config->get_name(config),
+				 iface ? iface : "unknown",
+				 child_sa->get_reqid(child_sa),
+				 me, ike_sa->get_my_id(ike_sa),
+				 my_client, my_client_mask,
+				 my_client, my_client_mask,
+				 my_ts->get_from_port(my_ts),
+				 my_ts->get_protocol(my_ts),
+				 other, ike_sa->get_other_id(ike_sa),
+				 other_client, other_client_mask,
+				 other_client, other_client_mask,
+				 other_ts->get_from_port(other_ts),
+				 other_ts->get_protocol(other_ts),
+				 virtual_ip,
+				 config->get_hostaccess(config) ? "PLUTO_HOST_ACCESS='1' " : "",
+				 script);
+		free(my_client);
+		free(other_client);
+		free(virtual_ip);
+		free(iface);
+		
+		DBG3(DBG_CHD, "running updown script: %s", command);
+		shell = popen(command, "r");
+
+		if (shell == NULL)
+		{
+			DBG1(DBG_CHD, "could not execute updown script '%s'", script);
+			return;
+		}
+		
+		while (TRUE)
+		{
+			char resp[128];
+			
+			if (fgets(resp, sizeof(resp), shell) == NULL)
+			{
+				if (ferror(shell))
+				{
+					DBG1(DBG_CHD, "error reading output from updown script");
+					return;
+				}
+				else
+				{
+					break;
+				}
+			}
+			else
+			{
+				char *e = resp + strlen(resp);
+				if (e > resp && e[-1] == '\n')
+				{	/* trim trailing '\n' */
+					e[-1] = '\0';
+				}
+				DBG1(DBG_CHD, "updown: %s", resp);
+			}
+		}
+		pclose(shell);
+	}
+	enumerator->destroy(enumerator);
+}
+
+/**
+ * Listener implementation
+ */
+static bool child_state_change(private_updown_listener_t *this, ike_sa_t *ike_sa,
+							   child_sa_t *child_sa, child_sa_state_t state)
+{
+	child_sa_state_t old;
+	
+	if (ike_sa)
+	{
+		old = child_sa->get_state(child_sa);
+		
+		if ((old == CHILD_INSTALLED && state != CHILD_REKEYING ) ||
+			(old == CHILD_DELETING && state == CHILD_DESTROYING))
+		{
+			updown(this, ike_sa, child_sa, FALSE);
+		}
+		else if (state == CHILD_INSTALLED)
+		{
+			updown(this, ike_sa, child_sa, TRUE);
+		}
+	}
+	return TRUE;
+}
+
+/**
+ * Implementation of updown_listener_t.destroy.
+ */
+static void destroy(private_updown_listener_t *this)
+{
+	this->iface_cache->destroy(this->iface_cache);
+	free(this);
+}
+
+/**
+ * See header
+ */
+updown_listener_t *updown_listener_create()
+{
+	private_updown_listener_t *this = malloc_thing(private_updown_listener_t);
+	
+	memset(&this->public.listener, 0, sizeof(listener_t));
+	this->public.listener.child_state_change = (void*)child_state_change;
+	this->public.destroy = (void(*)(updown_listener_t*))destroy;
+	
+	this->iface_cache = linked_list_create();
+	
+	return &this->public;
+}
+
diff --git a/src/charon/plugins/updown/updown_listener.h b/src/charon/plugins/updown/updown_listener.h
new file mode 100644
index 000000000..569d5817e
--- /dev/null
+++ b/src/charon/plugins/updown/updown_listener.h
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+/**
+ * @defgroup updown_listener updown_listener
+ * @{ @ingroup updown
+ */
+
+#ifndef UPDOWN_LISTENER_H_
+#define UPDOWN_LISTENER_H_
+
+#include <bus/bus.h>
+
+typedef struct updown_listener_t updown_listener_t;
+
+/**
+ * Listener which invokes the scripts on CHILD_SA up/down.
+ */
+struct updown_listener_t {
+	
+	/**
+	 * Implements listener_t.
+	 */
+	listener_t listener;
+	
+	/**
+	 * Destroy a updown_listener_t.
+	 */
+	void (*destroy)(updown_listener_t *this);
+};
+
+/**
+ * Create a updown_listener instance.
+ */
+updown_listener_t *updown_listener_create();
+
+#endif /* UPDOWN_LISTENER_ @}*/
diff --git a/src/charon/plugins/updown/updown_plugin.c b/src/charon/plugins/updown/updown_plugin.c
new file mode 100644
index 000000000..2e5884222
--- /dev/null
+++ b/src/charon/plugins/updown/updown_plugin.c
@@ -0,0 +1,65 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+#include "updown_plugin.h"
+#include "updown_listener.h"
+
+#include <daemon.h>
+
+typedef struct private_updown_plugin_t private_updown_plugin_t;
+
+/**
+ * private data of updown plugin
+ */
+struct private_updown_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	updown_plugin_t public;
+	
+	/**
+	 * Listener interface, listens to CHILD_SA state changes
+	 */
+	updown_listener_t *listener;
+};
+
+/**
+ * Implementation of plugin_t.destroy
+ */
+static void destroy(private_updown_plugin_t *this)
+{
+	charon->bus->remove_listener(charon->bus, &this->listener->listener);
+	this->listener->destroy(this->listener);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *plugin_create()
+{
+	private_updown_plugin_t *this = malloc_thing(private_updown_plugin_t);
+	
+	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+	
+	this->listener = updown_listener_create();
+	charon->bus->add_listener(charon->bus, &this->listener->listener);
+	
+	return &this->public.plugin;
+}
+
diff --git a/src/charon/plugins/updown/updown_plugin.h b/src/charon/plugins/updown/updown_plugin.h
new file mode 100644
index 000000000..4d0a930c2
--- /dev/null
+++ b/src/charon/plugins/updown/updown_plugin.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+/**
+ * @defgroup updown updown
+ * @ingroup cplugins
+ *
+ * @defgroup updown_plugin updown_plugin
+ * @{ @ingroup updown
+ */
+
+#ifndef UPDOWN_PLUGIN_H_
+#define UPDOWN_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct updown_plugin_t updown_plugin_t;
+
+/**
+ * Updown firewall script invocation plugin, compatible to pluto ones.
+ */
+struct updown_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+/**
+ * Create a updown_plugin instance.
+ */
+plugin_t *plugin_create();
+
+#endif /* UPDOWN_PLUGIN_H_ @}*/
diff --git a/src/charon/processing/jobs/acquire_job.c b/src/charon/processing/jobs/acquire_job.c
index b39e8e680..50cebd88a 100644
--- a/src/charon/processing/jobs/acquire_job.c
+++ b/src/charon/processing/jobs/acquire_job.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: acquire_job.c 3589 2008-03-13 14:14:44Z martin $
+ * $Id: acquire_job.c 4535 2008-10-31 01:43:23Z andreas $
  */
 
 #include "acquire_job.h"
@@ -35,6 +35,16 @@ struct private_acquire_job_t {
 	 * reqid of the child to rekey
 	 */
 	u_int32_t reqid;
+
+	/**
+	 * acquired source traffic selector
+	 */
+	traffic_selector_t *src_ts;
+
+	/**
+	 * acquired destination traffic selector
+	 */
+	traffic_selector_t *dst_ts;
 };
 
 /**
@@ -42,6 +52,8 @@ struct private_acquire_job_t {
  */
 static void destroy(private_acquire_job_t *this)
 {
+	DESTROY_IF(this->src_ts);
+	DESTROY_IF(this->dst_ts);
 	free(this);
 }
 
@@ -50,13 +62,16 @@ static void destroy(private_acquire_job_t *this)
  */
 static void execute(private_acquire_job_t *this)
 {
-	ike_sa_t *ike_sa;
+	ike_sa_t *ike_sa = NULL;
 	
-	ike_sa = charon->ike_sa_manager->checkout_by_id(charon->ike_sa_manager,
-													this->reqid, TRUE);
+	if (this->reqid)
+	{
+		ike_sa = charon->ike_sa_manager->checkout_by_id(charon->ike_sa_manager,
+														this->reqid, TRUE);
+	}
 	if (ike_sa == NULL)
 	{
-		DBG2(DBG_JOB, "CHILD_SA with reqid %d not found for acquiring",
+		DBG1(DBG_JOB, "acquire job found no CHILD_SA with reqid {%d}",
 			 this->reqid);
 	}
 	else
@@ -71,7 +86,9 @@ static void execute(private_acquire_job_t *this)
 /*
  * Described in header
  */
-acquire_job_t *acquire_job_create(u_int32_t reqid)
+acquire_job_t *acquire_job_create(u_int32_t reqid,
+								  traffic_selector_t *src_ts,
+								  traffic_selector_t *dst_ts)
 {
 	private_acquire_job_t *this = malloc_thing(private_acquire_job_t);
 	
@@ -81,6 +98,8 @@ acquire_job_t *acquire_job_create(u_int32_t reqid)
 	
 	/* private variables */
 	this->reqid = reqid;
+	this->src_ts = src_ts;
+	this->dst_ts = dst_ts;
 	
 	return &this->public;
 }
diff --git a/src/charon/processing/jobs/acquire_job.h b/src/charon/processing/jobs/acquire_job.h
index 17c993d8e..7459ccc21 100644
--- a/src/charon/processing/jobs/acquire_job.h
+++ b/src/charon/processing/jobs/acquire_job.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: acquire_job.h 3589 2008-03-13 14:14:44Z martin $
+ * $Id: acquire_job.h 4535 2008-10-31 01:43:23Z andreas $
  */
 
 /**
@@ -26,6 +26,7 @@
 typedef struct acquire_job_t acquire_job_t;
 
 #include <library.h>
+#include <config/traffic_selector.h>
 #include <processing/jobs/job.h>
 
 /**
@@ -46,8 +47,12 @@ struct acquire_job_t {
  * We use the reqid to find the routed CHILD_SA.
  *
  * @param reqid		reqid of the CHILD_SA to acquire
+ * @param src_ts	source traffic selector
+ * @param dst_ts	destination traffic selector
  * @return			acquire_job_t object
  */
-acquire_job_t *acquire_job_create(u_int32_t reqid);
+acquire_job_t *acquire_job_create(u_int32_t reqid,
+								  traffic_selector_t *src_ts,
+								  traffic_selector_t *dst_ts);
 
 #endif /* REKEY_CHILD_SA_JOB_H_ @} */
diff --git a/src/charon/processing/jobs/callback_job.c b/src/charon/processing/jobs/callback_job.c
index e8892ee82..f0cebd473 100644
--- a/src/charon/processing/jobs/callback_job.c
+++ b/src/charon/processing/jobs/callback_job.c
@@ -12,12 +12,15 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: callback_job.c 3742 2008-04-03 09:19:12Z tobias $
+ * $Id: callback_job.c 4579 2008-11-05 11:29:56Z martin $
  */
  
 #include "callback_job.h"
 
+#include <pthread.h>
+
 #include <daemon.h>
+#include <utils/mutex.h>
 
 typedef struct private_callback_job_t private_callback_job_t;
 
@@ -49,12 +52,12 @@ struct private_callback_job_t {
 	 * thread ID of the job, if running
 	 */
 	pthread_t thread;
-
+	
 	/**
 	 * mutex to access jobs interna
 	 */
-	pthread_mutex_t mutex;
-
+	mutex_t *mutex;
+	
 	/**
 	 * list of asociated child jobs
 	 */
@@ -76,6 +79,7 @@ static void destroy(private_callback_job_t *this)
 		this->cleanup(this->data);
 	}
 	this->children->destroy(this->children);
+	this->mutex->destroy(this->mutex);
 	free(this);
 }
 
@@ -89,7 +93,7 @@ static void unregister(private_callback_job_t *this)
 		iterator_t *iterator;
 		private_callback_job_t *child;
 		
-		pthread_mutex_lock(&this->parent->mutex);
+		this->parent->mutex->lock(this->parent->mutex);
 		iterator = this->parent->children->create_iterator(this->parent->children, TRUE);
 		while (iterator->iterate(iterator, (void**)&child))
 		{
@@ -100,7 +104,7 @@ static void unregister(private_callback_job_t *this)
 			}
 		}
 		iterator->destroy(iterator);
-		pthread_mutex_unlock(&this->parent->mutex);
+		this->parent->mutex->unlock(this->parent->mutex);
 	}
 }
 
@@ -111,12 +115,12 @@ static void cancel(private_callback_job_t *this)
 {
 	pthread_t thread;
 	
-	pthread_mutex_lock(&this->mutex);
+	this->mutex->lock(this->mutex);
 	thread = this->thread;
 	
 	/* terminate its children */
 	this->children->invoke_offset(this->children, offsetof(callback_job_t, cancel));
-	pthread_mutex_unlock(&this->mutex);
+	this->mutex->unlock(this->mutex);
 	
 	/* terminate thread */
 	if (thread)
@@ -133,9 +137,9 @@ static void execute(private_callback_job_t *this)
 {
 	bool cleanup = FALSE;
 
-	pthread_mutex_lock(&this->mutex);
+	this->mutex->lock(this->mutex);
 	this->thread = pthread_self();
-	pthread_mutex_unlock(&this->mutex);
+	this->mutex->unlock(this->mutex);
 	
 	pthread_cleanup_push((void*)destroy, this);
 	while (TRUE)
@@ -180,7 +184,7 @@ callback_job_t *callback_job_create(callback_job_cb_t cb, void *data,
 	this->public.cancel = (void(*)(callback_job_t*))cancel;
 
 	/* private variables */
-	pthread_mutex_init(&this->mutex, NULL);
+	this->mutex = mutex_create(MUTEX_DEFAULT);
 	this->callback = cb;
 	this->data = data;
 	this->cleanup = cleanup;
@@ -191,9 +195,9 @@ callback_job_t *callback_job_create(callback_job_cb_t cb, void *data,
 	/* register us at parent */
 	if (parent)
 	{
-		pthread_mutex_lock(&this->parent->mutex);
+		this->parent->mutex->lock(this->parent->mutex);
 		this->parent->children->insert_last(this->parent->children, this);
-		pthread_mutex_unlock(&this->parent->mutex);
+		this->parent->mutex->unlock(this->parent->mutex);
 	}
 	
 	return &this->public;
diff --git a/src/charon/processing/jobs/initiate_mediation_job.c b/src/charon/processing/jobs/initiate_mediation_job.c
index ee9644045..4d4fd8dc6 100644
--- a/src/charon/processing/jobs/initiate_mediation_job.c
+++ b/src/charon/processing/jobs/initiate_mediation_job.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: initiate_mediation_job.c 4192 2008-07-18 15:51:40Z martin $
+ * $Id: initiate_mediation_job.c 4625 2008-11-11 13:12:05Z tobias $
  */
 
 #include "initiate_mediation_job.h"
@@ -57,15 +57,13 @@ static void destroy(private_initiate_mediation_job_t *this)
  * Callback to handle initiation of mediation connection
  */
 static bool initiate_callback(private_initiate_mediation_job_t *this,
-							  signal_t signal, level_t level, ike_sa_t *ike_sa,
-							  void *data, char *format, va_list args)
+			debug_t group, level_t level, ike_sa_t *ike_sa,
+			char *format, va_list args)
 {
-	if (signal == CHD_UP_SUCCESS)
+	if (ike_sa && !this->mediation_sa_id)
 	{
-		/* mediation connection is up */
 		this->mediation_sa_id = ike_sa->get_id(ike_sa);
 		this->mediation_sa_id = this->mediation_sa_id->clone(this->mediation_sa_id);
-		return FALSE;
 	}
 	return TRUE;
 }
@@ -74,16 +72,15 @@ static bool initiate_callback(private_initiate_mediation_job_t *this,
  * Implementation of job_t.execute.
  */ 
 static void initiate(private_initiate_mediation_job_t *this)
-{	/* FIXME: check the logging */
+{
 	ike_sa_t *mediated_sa, *mediation_sa;
 	peer_cfg_t *mediated_cfg, *mediation_cfg;
 	
 	mediated_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager,
-											  this->mediated_sa_id);
+												   this->mediated_sa_id);
 	if (mediated_sa)
 	{
 		mediated_cfg = mediated_sa->get_peer_cfg(mediated_sa);
-		/* get_peer_cfg returns an internal object */
 		mediated_cfg->get_ref(mediated_cfg); 
 		
 		charon->ike_sa_manager->checkin(charon->ike_sa_manager, mediated_sa);
@@ -98,29 +95,35 @@ static void initiate(private_initiate_mediation_job_t *this)
 		{
 			mediated_cfg->destroy(mediated_cfg);
 			mediation_cfg->destroy(mediation_cfg);
-			/* this pointer should still be valid */
-			charon->bus->set_sa(charon->bus, mediated_sa);
-			DBG1(DBG_IKE, "mediation with the same peer is already in progress, queued");
+			
+			mediated_sa = charon->ike_sa_manager->checkout(
+								charon->ike_sa_manager, this->mediated_sa_id);
+			if (mediated_sa)
+			{
+				DBG1(DBG_IKE, "mediation with the same peer is already in "
+					 "progress, queued");
+				charon->ike_sa_manager->checkin(
+								charon->ike_sa_manager, mediated_sa);
+			}
 			destroy(this);
 			return;
 		}
 		/* we need an additional reference because initiate consumes one */
 		mediation_cfg->get_ref(mediation_cfg); 
 
-		/* this function call blocks until the connection is up or failed
-		 * we do not check the status, but NEED_MORE would be returned on success
-		 * because the registered callback returns FALSE then
-		 * this->mediation_sa_id is set in the callback */
-		charon->controller->initiate(charon->controller,
-				mediation_cfg, NULL, (controller_cb_t)initiate_callback, this);
-		if (!this->mediation_sa_id)
+		if (charon->controller->initiate(charon->controller, mediation_cfg,
+					NULL, (controller_cb_t)initiate_callback, this) != SUCCESS)
 		{
-			DBG1(DBG_JOB, "initiating mediation connection '%s' failed",
-					mediation_cfg->get_name(mediation_cfg));
 			mediation_cfg->destroy(mediation_cfg);
 			mediated_cfg->destroy(mediated_cfg);
-			charon->bus->set_sa(charon->bus, mediated_sa);
-			SIG_IKE(UP_FAILED, "mediation failed");
+			mediated_sa = charon->ike_sa_manager->checkout(
+								charon->ike_sa_manager, this->mediated_sa_id);
+			if (mediated_sa)
+			{
+				DBG1(DBG_IKE, "initiating mediation connection failed");
+				charon->ike_sa_manager->checkin_and_destroy(
+									charon->ike_sa_manager, mediated_sa);
+			}
 			destroy(this);
 			return;
 		}
@@ -131,15 +134,20 @@ static void initiate(private_initiate_mediation_job_t *this)
 		
 		if (mediation_sa)
 		{
-			if (mediation_sa->initiate_mediation(mediation_sa, mediated_cfg) != SUCCESS)
+			if (mediation_sa->initiate_mediation(mediation_sa,
+												 mediated_cfg) != SUCCESS)
 			{
-				DBG1(DBG_JOB, "initiating mediated connection '%s' failed",
-						mediated_cfg->get_name(mediated_cfg));
 				mediated_cfg->destroy(mediated_cfg);
-				charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, mediation_sa);
-				
-				charon->bus->set_sa(charon->bus, mediated_sa);
-				SIG_IKE(UP_FAILED, "mediation failed");
+				charon->ike_sa_manager->checkin_and_destroy(
+								charon->ike_sa_manager, mediation_sa);
+				mediated_sa = charon->ike_sa_manager->checkout(
+								charon->ike_sa_manager, this->mediated_sa_id);
+				if (mediated_sa)
+				{
+					DBG1(DBG_IKE, "establishing mediation connection failed");
+					charon->ike_sa_manager->checkin_and_destroy(
+										charon->ike_sa_manager, mediated_sa);
+				}
 				destroy(this);
 				return;
 			}
@@ -156,7 +164,7 @@ static void initiate(private_initiate_mediation_job_t *this)
  * Implementation of job_t.execute.
  */ 
 static void reinitiate(private_initiate_mediation_job_t *this)
-{	/* FIXME: check the logging */
+{
 	ike_sa_t *mediated_sa, *mediation_sa;
 	peer_cfg_t *mediated_cfg;
 	
@@ -178,13 +186,17 @@ static void reinitiate(private_initiate_mediation_job_t *this)
 						mediated_cfg->get_name(mediated_cfg));
 				mediated_cfg->destroy(mediated_cfg);
 				charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, mediation_sa);
-				
-				charon->bus->set_sa(charon->bus, mediated_sa);
-				SIG_IKE(UP_FAILED, "mediation failed");
+				mediated_sa = charon->ike_sa_manager->checkout(
+								charon->ike_sa_manager, this->mediated_sa_id);
+				if (mediated_sa)
+				{
+					DBG1(DBG_IKE, "establishing mediation connection failed");
+					charon->ike_sa_manager->checkin_and_destroy(
+										charon->ike_sa_manager, mediated_sa);
+				}
 				destroy(this);
 				return;
 			}
-			
 			charon->ike_sa_manager->checkin(charon->ike_sa_manager, mediation_sa);
 		}
 		
diff --git a/src/charon/processing/jobs/migrate_job.c b/src/charon/processing/jobs/migrate_job.c
new file mode 100644
index 000000000..ec0a76fb9
--- /dev/null
+++ b/src/charon/processing/jobs/migrate_job.c
@@ -0,0 +1,152 @@
+/*
+ * Copyright (C) 2008 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id: migrate_job.c 4662 2008-11-16 21:19:58Z andreas $
+ */
+
+#include "migrate_job.h"
+
+#include <daemon.h>
+
+#include <config/child_cfg.h>
+
+
+typedef struct private_migrate_job_t private_migrate_job_t;
+
+/**
+ * Private data of a migrate_job_t object.
+ */
+struct private_migrate_job_t {
+	/**
+	 * Public migrate_job_t interface.
+	 */
+	migrate_job_t public;
+	
+	/**
+	 * reqid of the CHILD_SA if it already exists
+	 */
+	u_int32_t reqid;
+
+	/**
+	 * source traffic selector
+	 */
+	traffic_selector_t *src_ts;
+
+	/**
+	 * destination traffic selector
+	 */
+	traffic_selector_t *dst_ts;
+
+	/**
+	 * local host address to be used for IKE
+	 */
+	host_t *local;
+
+	/**
+	 * remote host address to be used for IKE
+	 */
+	host_t *remote;
+};
+
+/**
+ * Implementation of job_t.destroy.
+ */
+static void destroy(private_migrate_job_t *this)
+{
+	DESTROY_IF(this->src_ts);
+	DESTROY_IF(this->dst_ts);
+	DESTROY_IF(this->local);
+	DESTROY_IF(this->remote);
+	free(this);
+}
+
+/**
+ * Implementation of job_t.execute.
+ */
+static void execute(private_migrate_job_t *this)
+{
+	ike_sa_t *ike_sa = NULL;
+	
+	if (this->reqid)
+	{
+		ike_sa = charon->ike_sa_manager->checkout_by_id(charon->ike_sa_manager,
+														this->reqid, TRUE);
+	}
+	if (ike_sa)
+	{
+		iterator_t *children;
+		child_sa_t *child_sa;
+		host_t *host;
+
+		children = ike_sa->create_child_sa_iterator(ike_sa);
+		while (children->iterate(children, (void**)&child_sa))
+		{
+			if (child_sa->get_reqid(child_sa) == this->reqid)
+			{
+				break;
+			}
+		}
+		children->destroy(children);
+		DBG2(DBG_JOB, "found CHILD_SA with reqid {%d}", this->reqid);
+
+		ike_sa->set_kmaddress(ike_sa, this->local, this->remote);
+
+		host = this->local->clone(this->local);
+		host->set_port(host, IKEV2_UDP_PORT);
+		ike_sa->set_my_host(ike_sa, host);
+
+		host = this->remote->clone(this->remote);
+		host->set_port(host, IKEV2_UDP_PORT);
+		ike_sa->set_other_host(ike_sa, host);
+
+		if (child_sa->update_hosts(child_sa, this->local, this->remote,
+				ike_sa->get_virtual_ip(ike_sa, TRUE),
+			 	ike_sa->has_condition(ike_sa, COND_NAT_ANY)) == NOT_SUPPORTED)
+		{
+			ike_sa->rekey_child_sa(ike_sa, child_sa->get_protocol(child_sa),
+								   child_sa->get_spi(child_sa, TRUE));
+		}
+		charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+	}
+	else
+	{
+		DBG1(DBG_JOB, "no CHILD_SA found with reqid {%d}", this->reqid);
+	}
+	destroy(this);
+}
+
+/*
+ * Described in header
+ */
+migrate_job_t *migrate_job_create(u_int32_t reqid,
+								  traffic_selector_t *src_ts,
+								  traffic_selector_t *dst_ts,
+								  policy_dir_t dir,
+								  host_t *local, host_t *remote)
+{
+	private_migrate_job_t *this = malloc_thing(private_migrate_job_t);
+	
+	/* interface functions */
+	this->public.job_interface.execute = (void (*) (job_t *)) execute;
+	this->public.job_interface.destroy = (void (*)(job_t*)) destroy;
+	
+	/* private variables */
+	this->reqid = reqid;
+	this->src_ts = (dir == POLICY_OUT) ? src_ts : dst_ts;
+	this->dst_ts = (dir == POLICY_OUT) ? dst_ts : src_ts;
+	this->local = local;
+	this->remote = remote;
+	
+	return &this->public;
+}
diff --git a/src/charon/processing/jobs/migrate_job.h b/src/charon/processing/jobs/migrate_job.h
new file mode 100644
index 000000000..a99ffbb0c
--- /dev/null
+++ b/src/charon/processing/jobs/migrate_job.h
@@ -0,0 +1,65 @@
+/*
+ * Copyright (C) 2008 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id: migrate_job.h 4662 2008-11-16 21:19:58Z andreas $
+ */
+
+/**
+ * @defgroup migrate_job migrate_job
+ * @{ @ingroup jobs
+ */
+
+#ifndef MIGRATE_JOB_H_
+#define MIGRATE_JOB_H_
+
+typedef struct migrate_job_t migrate_job_t;
+
+#include <library.h>
+#include <utils/host.h>
+#include <config/traffic_selector.h>
+#include <kernel/kernel_ipsec.h>
+#include <processing/jobs/job.h>
+
+/**
+ * Class representing a MIGRATE Job.
+ * 
+ * This job sets a routed CHILD_SA for an existing IPsec policy. 
+ */
+struct migrate_job_t {
+	/**
+	 * The job_t interface.
+	 */
+	job_t job_interface;
+};
+
+/**
+ * Creates a job of type MIGRATE.
+ *
+ * We use the reqid or the traffic selectors to find a matching CHILD_SA.
+ *
+ * @param reqid		reqid of the CHILD_SA to acquire
+ * @param src_ts	source traffic selector to be used in the policy
+ * @param dst_ts	destination traffic selector to be used in the policy
+ * @param dir       direction of the policy (in|out)
+ * @param local     local host address to be used in the IKE_SA
+ * @param remote    remote host address to be used in the IKE_SA
+ * @return			migrate_job_t object
+ */
+migrate_job_t *migrate_job_create(u_int32_t reqid,
+								  traffic_selector_t *src_ts,
+								  traffic_selector_t *dst_ts,
+								  policy_dir_t dir,
+								  host_t *local, host_t *remote);
+
+#endif /* MIGRATE_JOB_H_ @} */
diff --git a/src/charon/processing/processor.c b/src/charon/processing/processor.c
index 010f6624f..9cff090bf 100644
--- a/src/charon/processing/processor.c
+++ b/src/charon/processing/processor.c
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: processor.c 3742 2008-04-03 09:19:12Z tobias $
+ * $Id: processor.c 4579 2008-11-05 11:29:56Z martin $
  */
  
 #include <stdlib.h>
@@ -24,6 +24,7 @@
 #include "processor.h"
 
 #include <daemon.h>
+#include <utils/mutex.h>
 #include <utils/linked_list.h>
 
 
@@ -61,17 +62,17 @@ struct private_processor_t {
 	/**
 	 * access to linked_list is locked through this mutex
 	 */
-	pthread_mutex_t mutex;
+	mutex_t *mutex;
 
 	/**
 	 * Condvar to wait for new jobs
 	 */
-	pthread_cond_t jobadded;
+	condvar_t *job_added;
 	
 	/**
 	 * Condvar to wait for terminated threads
 	 */
-	pthread_cond_t threadterminated;
+	condvar_t *thread_terminated;
 };
 
 static void process_jobs(private_processor_t *this);
@@ -85,10 +86,10 @@ static void restart(private_processor_t *this)
 	
 	if (pthread_create(&thread, NULL, (void*)process_jobs, this) != 0)
 	{
-		pthread_mutex_lock(&this->mutex);
+		this->mutex->lock(this->mutex);
 		this->total_threads--;
-		pthread_cond_broadcast(&this->threadterminated);
-		pthread_mutex_unlock(&this->mutex);
+		this->thread_terminated->broadcast(this->thread_terminated);
+		this->mutex->unlock(this->mutex);
 	}
 }
 
@@ -103,7 +104,7 @@ static void process_jobs(private_processor_t *this)
 	
 	DBG2(DBG_JOB, "started worker thread, thread_ID: %06u", (int)pthread_self());
 	
-	pthread_mutex_lock(&this->mutex);
+	this->mutex->lock(this->mutex);
 	while (this->desired_threads >= this->total_threads)
 	{
 		job_t *job;
@@ -111,21 +112,21 @@ static void process_jobs(private_processor_t *this)
 		if (this->list->get_count(this->list) == 0)
 		{
 			this->idle_threads++;
-			pthread_cond_wait(&this->jobadded, &this->mutex);
+			this->job_added->wait(this->job_added, this->mutex);
 			this->idle_threads--;
 			continue;
 		}
 		this->list->remove_first(this->list, (void**)&job);
-		pthread_mutex_unlock(&this->mutex);
+		this->mutex->unlock(this->mutex);
 		/* terminated threads are restarted, so we have a constant pool */
 		pthread_cleanup_push((void*)restart, this);
 		job->execute(job);
 		pthread_cleanup_pop(0);
-		pthread_mutex_lock(&this->mutex);
+		this->mutex->lock(this->mutex);
 	}
 	this->total_threads--;
-	pthread_cond_signal(&this->threadterminated);
-	pthread_mutex_unlock(&this->mutex);
+	this->thread_terminated->signal(this->thread_terminated);
+	this->mutex->unlock(this->mutex);
 }
 
 /**
@@ -134,9 +135,9 @@ static void process_jobs(private_processor_t *this)
 static u_int get_total_threads(private_processor_t *this)
 {
 	u_int count;
-	pthread_mutex_lock(&this->mutex);
+	this->mutex->lock(this->mutex);
 	count = this->total_threads; 
-	pthread_mutex_unlock(&this->mutex);
+	this->mutex->unlock(this->mutex);
 	return count;
 }
 
@@ -146,9 +147,9 @@ static u_int get_total_threads(private_processor_t *this)
 static u_int get_idle_threads(private_processor_t *this)
 {
 	u_int count;
-	pthread_mutex_lock(&this->mutex);
+	this->mutex->lock(this->mutex);
 	count = this->idle_threads;
-	pthread_mutex_unlock(&this->mutex);
+	this->mutex->unlock(this->mutex);
 	return count;
 }
 
@@ -158,9 +159,9 @@ static u_int get_idle_threads(private_processor_t *this)
 static u_int get_job_load(private_processor_t *this)
 {
 	u_int load;
-	pthread_mutex_lock(&this->mutex);
+	this->mutex->lock(this->mutex);
 	load = this->list->get_count(this->list);
-	pthread_mutex_unlock(&this->mutex);
+	this->mutex->unlock(this->mutex);
 	return load;
 }
 
@@ -169,10 +170,10 @@ static u_int get_job_load(private_processor_t *this)
  */
 static void queue_job(private_processor_t *this, job_t *job)
 {
-	pthread_mutex_lock(&this->mutex);
+	this->mutex->lock(this->mutex);
 	this->list->insert_last(this->list, job);
-	pthread_cond_signal(&this->jobadded);
-	pthread_mutex_unlock(&this->mutex);
+	this->job_added->signal(this->job_added);
+	this->mutex->unlock(this->mutex);
 }
 	
 /**
@@ -180,7 +181,7 @@ static void queue_job(private_processor_t *this, job_t *job)
  */
 static void set_threads(private_processor_t *this, u_int count)
 {
-	pthread_mutex_lock(&this->mutex);
+	this->mutex->lock(this->mutex);
 	if (count > this->total_threads)
 	{	/* increase thread count */
 		int i;
@@ -200,8 +201,8 @@ static void set_threads(private_processor_t *this, u_int count)
 	{	/* decrease thread count */
 		this->desired_threads = count;
 	}
-	pthread_cond_broadcast(&this->jobadded);
-	pthread_mutex_unlock(&this->mutex);
+	this->job_added->broadcast(this->job_added);
+	this->mutex->unlock(this->mutex);
 }
 
 /**
@@ -210,13 +211,16 @@ static void set_threads(private_processor_t *this, u_int count)
 static void destroy(private_processor_t *this)
 {
 	set_threads(this, 0);
-	pthread_mutex_lock(&this->mutex);
+	this->mutex->lock(this->mutex);
 	while (this->total_threads > 0)
 	{
-		pthread_cond_broadcast(&this->jobadded);
-		pthread_cond_wait(&this->threadterminated, &this->mutex);
+		this->job_added->broadcast(this->job_added);
+		this->thread_terminated->wait(this->thread_terminated, this->mutex);
 	}
-	pthread_mutex_unlock(&this->mutex);
+	this->mutex->unlock(this->mutex);
+	this->thread_terminated->destroy(this->thread_terminated);
+	this->job_added->destroy(this->job_added);
+	this->mutex->destroy(this->mutex);
 	this->list->destroy_offset(this->list, offsetof(job_t, destroy));
 	free(this);
 }
@@ -236,9 +240,9 @@ processor_t *processor_create(size_t pool_size)
 	this->public.destroy = (void(*)(processor_t*))destroy;
 	
 	this->list = linked_list_create();
-	pthread_mutex_init(&this->mutex, NULL);
-	pthread_cond_init(&this->jobadded, NULL);
-	pthread_cond_init(&this->threadterminated, NULL);
+	this->mutex = mutex_create(MUTEX_DEFAULT);
+	this->job_added = condvar_create(CONDVAR_DEFAULT);
+	this->thread_terminated = condvar_create(CONDVAR_DEFAULT);
 	this->total_threads = 0;
 	this->desired_threads = 0;
 	this->idle_threads = 0;
diff --git a/src/charon/sa/authenticators/eap/eap_manager.c b/src/charon/sa/authenticators/eap/eap_manager.c
index 44d84156c..c1c2d6fce 100644
--- a/src/charon/sa/authenticators/eap/eap_manager.c
+++ b/src/charon/sa/authenticators/eap/eap_manager.c
@@ -12,14 +12,13 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: eap_manager.c 3589 2008-03-13 14:14:44Z martin $
+ * $Id: eap_manager.c 4579 2008-11-05 11:29:56Z martin $
  */
 
 #include "eap_manager.h"
 
-#include <pthread.h>
-
 #include <utils/linked_list.h>
+#include <utils/mutex.h>
 
 typedef struct private_eap_manager_t private_eap_manager_t;
 typedef struct eap_entry_t eap_entry_t;
@@ -68,7 +67,7 @@ struct private_eap_manager_t {
 	/**
 	 * mutex to lock methods
 	 */
-	pthread_mutex_t mutex;
+	mutex_t *mutex;
 };
 
 /**
@@ -85,9 +84,9 @@ static void add_method(private_eap_manager_t *this, eap_type_t type,
 	entry->role = role;
 	entry->constructor = constructor;
 
-	pthread_mutex_lock(&this->mutex);
+	this->mutex->lock(this->mutex);
 	this->methods->insert_last(this->methods, entry);
-	pthread_mutex_unlock(&this->mutex);
+	this->mutex->unlock(this->mutex);
 }
 
 /**
@@ -98,7 +97,7 @@ static void remove_method(private_eap_manager_t *this, eap_constructor_t constru
 	enumerator_t *enumerator;
 	eap_entry_t *entry;
 	
-	pthread_mutex_lock(&this->mutex);
+	this->mutex->lock(this->mutex);
 	enumerator = this->methods->create_enumerator(this->methods);
 	while (enumerator->enumerate(enumerator, &entry))
 	{
@@ -109,7 +108,7 @@ static void remove_method(private_eap_manager_t *this, eap_constructor_t constru
 		}
 	}
 	enumerator->destroy(enumerator);
-	pthread_mutex_unlock(&this->mutex);
+	this->mutex->unlock(this->mutex);
 }
 
 /**
@@ -124,7 +123,7 @@ static eap_method_t* create_instance(private_eap_manager_t *this,
 	eap_entry_t *entry;
 	eap_method_t *method = NULL;
 	
-	pthread_mutex_lock(&this->mutex);
+	this->mutex->lock(this->mutex);
 	enumerator = this->methods->create_enumerator(this->methods);
 	while (enumerator->enumerate(enumerator, &entry))
 	{
@@ -139,7 +138,7 @@ static eap_method_t* create_instance(private_eap_manager_t *this,
 		}
 	}
 	enumerator->destroy(enumerator);
-	pthread_mutex_unlock(&this->mutex);
+	this->mutex->unlock(this->mutex);
 	return method;
 }
 
@@ -149,6 +148,7 @@ static eap_method_t* create_instance(private_eap_manager_t *this,
 static void destroy(private_eap_manager_t *this)
 {
 	this->methods->destroy_function(this->methods, free);
+	this->mutex->destroy(this->mutex);
 	free(this);
 }
 
@@ -165,7 +165,7 @@ eap_manager_t *eap_manager_create()
 	this->public.destroy = (void(*)(eap_manager_t*))destroy;
 	
 	this->methods = linked_list_create();
-	pthread_mutex_init(&this->mutex, NULL);
+	this->mutex = mutex_create(MUTEX_DEFAULT);
 	
 	return &this->public;
 }
diff --git a/src/charon/sa/authenticators/eap_authenticator.c b/src/charon/sa/authenticators/eap_authenticator.c
index 0909d6563..5c22f3df2 100644
--- a/src/charon/sa/authenticators/eap_authenticator.c
+++ b/src/charon/sa/authenticators/eap_authenticator.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006 Martin Willi
+ * Copyright (C) 2006-2008 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: eap_authenticator.c 4292 2008-08-26 19:54:47Z andreas $
+ * $Id: eap_authenticator.c 4495 2008-10-28 16:07:06Z martin $
  */
 
 #include <string.h>
@@ -70,36 +70,24 @@ struct private_eap_authenticator_t {
 	 */
 	u_int32_t vendor;
 };
-
-/**
- * reuse shared key signature function from PSK authenticator
- */
-extern chunk_t build_shared_key_signature(chunk_t ike_sa_init, chunk_t nonce,
-										  chunk_t secret, identification_t *id,
-										  chunk_t skp, prf_t *prf);
 /**
  * Implementation of authenticator_t.verify.
  */
 static status_t verify(private_eap_authenticator_t *this, chunk_t ike_sa_init,
 					   chunk_t my_nonce, auth_payload_t *auth_payload)
 {
-	chunk_t auth_data, recv_auth_data, secret;
-	identification_t *other_id = this->ike_sa->get_other_id(this->ike_sa);
+	chunk_t auth_data, recv_auth_data;
+	identification_t *other_id;
+	keymat_t *keymat;
 	
-	if (this->msk.len)
-	{	/* use MSK if EAP method established one... */
-		secret = this->msk;
-	}
-	else
-	{	/* ... or use SKp if not */
-		secret = this->ike_sa->get_skp_verify(this->ike_sa);
-	}
-	auth_data = build_shared_key_signature(ike_sa_init, my_nonce, secret,
-						other_id, this->ike_sa->get_skp_verify(this->ike_sa),
-						this->ike_sa->get_prf(this->ike_sa));
+	other_id = this->ike_sa->get_other_id(this->ike_sa);
+	keymat = this->ike_sa->get_keymat(this->ike_sa);
+	
+	auth_data = keymat->get_psk_sig(keymat, TRUE, ike_sa_init, my_nonce,
+									this->msk, other_id);
 	
 	recv_auth_data = auth_payload->get_data(auth_payload);
-	if (!chunk_equals(auth_data, recv_auth_data))
+	if (!auth_data.len || !chunk_equals(auth_data, recv_auth_data))
 	{
 		DBG1(DBG_IKE, "verification of AUTH payload created from EAP MSK failed");
 		chunk_free(&auth_data);
@@ -118,23 +106,18 @@ static status_t verify(private_eap_authenticator_t *this, chunk_t ike_sa_init,
 static status_t build(private_eap_authenticator_t *this, chunk_t ike_sa_init,
 					  chunk_t other_nonce, auth_payload_t **auth_payload)
 {
-	chunk_t auth_data, secret;
-	identification_t *my_id = this->ike_sa->get_my_id(this->ike_sa);
+	identification_t *my_id;
+	chunk_t auth_data;
+	keymat_t *keymat;
+	
+	my_id = this->ike_sa->get_my_id(this->ike_sa);
+	keymat = this->ike_sa->get_keymat(this->ike_sa);
 	
 	DBG1(DBG_IKE, "authentication of '%D' (myself) with %N",
 		 my_id, auth_class_names, AUTH_CLASS_EAP);
-
-	if (this->msk.len)
-	{	/* use MSK if EAP method established one... */
-		secret = this->msk;
-	}
-	else
-	{	/* ... or use SKp if not */
-		secret = this->ike_sa->get_skp_build(this->ike_sa);
-	}
-	auth_data = build_shared_key_signature(ike_sa_init, other_nonce, secret,
-							my_id, this->ike_sa->get_skp_build(this->ike_sa),
-							this->ike_sa->get_prf(this->ike_sa));
+	
+	auth_data = keymat->get_psk_sig(keymat, FALSE, ike_sa_init, other_nonce,
+									this->msk, my_id);
 	
 	*auth_payload = auth_payload_create();
 	(*auth_payload)->set_auth_method(*auth_payload, AUTH_PSK);
diff --git a/src/charon/sa/authenticators/psk_authenticator.c b/src/charon/sa/authenticators/psk_authenticator.c
index d003dc2c9..ae5a66479 100644
--- a/src/charon/sa/authenticators/psk_authenticator.c
+++ b/src/charon/sa/authenticators/psk_authenticator.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005-2008 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
  *
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: psk_authenticator.c 3589 2008-03-13 14:14:44Z martin $
+ * $Id: psk_authenticator.c 4495 2008-10-28 16:07:06Z martin $
  */
 
 #include <string.h>
@@ -23,12 +23,6 @@
 #include <daemon.h>
 #include <credentials/auth_info.h>
 
-/**
- * Key pad for the AUTH method SHARED_KEY_MESSAGE_INTEGRITY_CODE.
- */
-#define IKEV2_KEY_PAD "Key Pad for IKEv2"
-#define IKEV2_KEY_PAD_LENGTH 17
-
 
 typedef struct private_psk_authenticator_t private_psk_authenticator_t;
 
@@ -48,55 +42,6 @@ struct private_psk_authenticator_t {
 	ike_sa_t *ike_sa;
 };
 
-/**
- * Builds the octets to be signed as described in section 2.15 of RFC 4306
- */
-chunk_t build_tbs_octets(chunk_t ike_sa_init, chunk_t nonce,
-						 identification_t *id, prf_t *prf)
-{
-	u_int8_t id_header_buf[] = {0x00, 0x00, 0x00, 0x00};
-	chunk_t id_header = chunk_from_buf(id_header_buf);
-	chunk_t id_with_header, id_prfd, id_encoding;
-	
-	id_header_buf[0] = id->get_type(id);
-	id_encoding = id->get_encoding(id);
-	
-	id_with_header = chunk_cat("cc", id_header, id_encoding);
-	prf->allocate_bytes(prf, id_with_header, &id_prfd);
-	chunk_free(&id_with_header);
-	
-	return chunk_cat("ccm", ike_sa_init, nonce, id_prfd);
-}
-
-/**
- * Creates the AUTH data using auth method SHARED_KEY_MESSAGE_INTEGRITY_CODE.
- */
-chunk_t build_shared_key_signature(chunk_t ike_sa_init, chunk_t nonce,
-								   chunk_t secret, identification_t *id,
-								   chunk_t skp, prf_t *prf)
-{
-	chunk_t key_pad, key, auth_data, octets;
-	
-	prf->set_key(prf, skp);
-	octets = build_tbs_octets(ike_sa_init, nonce, id, prf);
-	/* AUTH = prf(prf(Shared Secret,"Key Pad for IKEv2"), <msg octets>) */
-	key_pad.ptr = IKEV2_KEY_PAD;
-	key_pad.len = IKEV2_KEY_PAD_LENGTH;
-	prf->set_key(prf, secret);
-	prf->allocate_bytes(prf, key_pad, &key);
-	prf->set_key(prf, key);
-	prf->allocate_bytes(prf, octets, &auth_data);
-	DBG3(DBG_IKE, "octets = message + nonce + prf(Sk_px, IDx') %B", &octets);
-	DBG3(DBG_IKE, "secret %B", &secret);
-	DBG3(DBG_IKE, "keypad %B", &key_pad);
-	DBG3(DBG_IKE, "prf(secret, keypad) %B", &key);
-	DBG3(DBG_IKE, "AUTH = prf(prf(secret, keypad), octets) %B", &auth_data);
-	chunk_free(&octets);
-	chunk_free(&key);
-	
-	return auth_data;
-}
-
 /**
  * Implementation of authenticator_t.verify.
  */
@@ -105,25 +50,25 @@ static status_t verify(private_psk_authenticator_t *this, chunk_t ike_sa_init,
 {
 	chunk_t auth_data, recv_auth_data;
 	identification_t *my_id, *other_id;
-	shared_key_t *shared_key;
+	shared_key_t *key;
 	enumerator_t *enumerator;
 	bool authenticated = FALSE;
 	int keys_found = 0;
+	keymat_t *keymat;
 	
+	keymat = this->ike_sa->get_keymat(this->ike_sa);
+	recv_auth_data = auth_payload->get_data(auth_payload);
 	my_id = this->ike_sa->get_my_id(this->ike_sa);
 	other_id = this->ike_sa->get_other_id(this->ike_sa);
 	enumerator = charon->credentials->create_shared_enumerator(
 							charon->credentials, SHARED_IKE, my_id, other_id);
-	while (!authenticated && enumerator->enumerate(enumerator, &shared_key, NULL, NULL))
+	while (!authenticated && enumerator->enumerate(enumerator, &key, NULL, NULL))
 	{
 		keys_found++;
-		auth_data = build_shared_key_signature(ike_sa_init, my_nonce,
-									shared_key->get_key(shared_key), other_id,
-									this->ike_sa->get_skp_verify(this->ike_sa),
-									this->ike_sa->get_prf(this->ike_sa));
-		recv_auth_data = auth_payload->get_data(auth_payload);
-		if (auth_data.len == recv_auth_data.len &&
-			memeq(auth_data.ptr, recv_auth_data.ptr, auth_data.len))
+		
+		auth_data = keymat->get_psk_sig(keymat, TRUE, ike_sa_init, my_nonce,
+										key->get_key(key), other_id);
+		if (auth_data.len && chunk_equals(auth_data, recv_auth_data))
 		{
 			DBG1(DBG_IKE, "authentication of '%D' with %N successful",
 				 other_id, auth_method_names, AUTH_PSK);
@@ -153,26 +98,26 @@ static status_t verify(private_psk_authenticator_t *this, chunk_t ike_sa_init,
 static status_t build(private_psk_authenticator_t *this, chunk_t ike_sa_init,
 					  chunk_t other_nonce, auth_payload_t **auth_payload)
 {
-	shared_key_t *shared_key;
-	chunk_t auth_data;
 	identification_t *my_id, *other_id;
+	shared_key_t *key;
+	chunk_t auth_data;
+	keymat_t *keymat;
 	
+	keymat = this->ike_sa->get_keymat(this->ike_sa);
 	my_id = this->ike_sa->get_my_id(this->ike_sa);
 	other_id = this->ike_sa->get_other_id(this->ike_sa);
 	DBG1(DBG_IKE, "authentication of '%D' (myself) with %N",
 		 my_id, auth_method_names, AUTH_PSK);
-	shared_key = charon->credentials->get_shared(charon->credentials, SHARED_IKE,
-												 my_id, other_id);
-	if (shared_key == NULL)
+	key = charon->credentials->get_shared(charon->credentials, SHARED_IKE,
+										  my_id, other_id);
+	if (key == NULL)
 	{
 		DBG1(DBG_IKE, "no shared key found for '%D' - '%D'", my_id, other_id);
 		return NOT_FOUND;
 	}
-	auth_data = build_shared_key_signature(ike_sa_init, other_nonce,
-									shared_key->get_key(shared_key), my_id,
-									this->ike_sa->get_skp_build(this->ike_sa),
-									this->ike_sa->get_prf(this->ike_sa));
-	shared_key->destroy(shared_key);
+	auth_data = keymat->get_psk_sig(keymat, FALSE, ike_sa_init, other_nonce,
+									key->get_key(key), my_id);
+	key->destroy(key);
 	DBG2(DBG_IKE, "successfully created shared key MAC");
 	*auth_payload = auth_payload_create();
 	(*auth_payload)->set_auth_method(*auth_payload, AUTH_PSK);
diff --git a/src/charon/sa/authenticators/pubkey_authenticator.c b/src/charon/sa/authenticators/pubkey_authenticator.c
index 2c02ca84c..c16f3b888 100644
--- a/src/charon/sa/authenticators/pubkey_authenticator.c
+++ b/src/charon/sa/authenticators/pubkey_authenticator.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2008 Tobias Brunner
- * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005-2008 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
  *
@@ -14,7 +14,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: pubkey_authenticator.c 4054 2008-06-10 20:31:53Z andreas $
+ * $Id: pubkey_authenticator.c 4495 2008-10-28 16:07:06Z martin $
  */
 
 #include <string.h>
@@ -43,12 +43,6 @@ struct private_pubkey_authenticator_t {
 	ike_sa_t *ike_sa;
 };
 
-/**
- * Function implemented in psk_authenticator.c
- */
-extern chunk_t build_tbs_octets(chunk_t ike_sa_init, chunk_t nonce,
-								identification_t *id, prf_t *prf);
-
 /**
  * Implementation of authenticator_t.verify.
  */
@@ -58,15 +52,15 @@ static status_t verify(private_pubkey_authenticator_t *this, chunk_t ike_sa_init
 	public_key_t *public;
 	auth_method_t auth_method;
 	chunk_t auth_data, octets;
-	identification_t *other_id;
-	prf_t *prf;
+	identification_t *id;
 	auth_info_t *auth, *current_auth;
 	enumerator_t *enumerator;
 	key_type_t key_type = KEY_ECDSA;
 	signature_scheme_t scheme;
 	status_t status = FAILED;
+	keymat_t *keymat;
 	
-	other_id = this->ike_sa->get_other_id(this->ike_sa);
+	id = this->ike_sa->get_other_id(this->ike_sa);
 	auth_method = auth_payload->get_auth_method(auth_payload);
 	switch (auth_method)
 	{
@@ -89,19 +83,17 @@ static status_t verify(private_pubkey_authenticator_t *this, chunk_t ike_sa_init
 			return INVALID_ARG;
 	}
 	auth_data = auth_payload->get_data(auth_payload);
-	prf = this->ike_sa->get_prf(this->ike_sa);
-	prf->set_key(prf, this->ike_sa->get_skp_verify(this->ike_sa));
-	octets = build_tbs_octets(ike_sa_init, my_nonce, other_id, prf);
-	
+	keymat = this->ike_sa->get_keymat(this->ike_sa);
+	octets = keymat->get_auth_octets(keymat, TRUE, ike_sa_init, my_nonce, id);
 	auth = this->ike_sa->get_other_auth(this->ike_sa);
 	enumerator = charon->credentials->create_public_enumerator(
-								charon->credentials, key_type, other_id, auth);
+										charon->credentials, key_type, id, auth);
 	while (enumerator->enumerate(enumerator, &public, &current_auth))
 	{
 		if (public->verify(public, scheme, octets, auth_data))
 		{
 			DBG1(DBG_IKE, "authentication of '%D' with %N successful",
-						   other_id, auth_method_names, auth_method);
+						   id, auth_method_names, auth_method);
 			status = SUCCESS;
 			auth->merge(auth, current_auth);
 			break;
@@ -125,19 +117,19 @@ static status_t build(private_pubkey_authenticator_t *this, chunk_t ike_sa_init,
 	chunk_t octets, auth_data;
 	status_t status = FAILED;
 	private_key_t *private;
-	identification_t *my_id;
-	prf_t *prf;
+	identification_t *id;
 	auth_info_t *auth;
 	auth_method_t auth_method;
 	signature_scheme_t scheme;
+	keymat_t *keymat;
 
-	my_id = this->ike_sa->get_my_id(this->ike_sa);
+	id = this->ike_sa->get_my_id(this->ike_sa);
 	auth = this->ike_sa->get_my_auth(this->ike_sa);
 	private = charon->credentials->get_private(charon->credentials, KEY_ANY,
-											   my_id, auth);
+											   id, auth);
 	if (private == NULL)
 	{
-		DBG1(DBG_IKE, "no private key found for '%D'", my_id);
+		DBG1(DBG_IKE, "no private key found for '%D'", id);
 		return NOT_FOUND;
 	}
 	
@@ -176,9 +168,8 @@ static status_t build(private_pubkey_authenticator_t *this, chunk_t ike_sa_init,
 					key_type_names, private->get_type(private));
 			return status;
 	}
-	prf = this->ike_sa->get_prf(this->ike_sa);
-	prf->set_key(prf, this->ike_sa->get_skp_build(this->ike_sa));
-	octets = build_tbs_octets(ike_sa_init, other_nonce, my_id, prf);
+	keymat = this->ike_sa->get_keymat(this->ike_sa);
+	octets = keymat->get_auth_octets(keymat, FALSE, ike_sa_init, other_nonce, id);
 	
 	if (private->sign(private, scheme, octets, &auth_data))
 	{
@@ -189,9 +180,9 @@ static status_t build(private_pubkey_authenticator_t *this, chunk_t ike_sa_init,
 		chunk_free(&auth_data);
 		status = SUCCESS;
 	}
-	DBG1(DBG_IKE, "authentication of '%D' (myself) with %N %s", my_id,
-			auth_method_names, auth_method,
-			(status == SUCCESS)? "successful":"failed");
+	DBG1(DBG_IKE, "authentication of '%D' (myself) with %N %s", id,
+		 auth_method_names, auth_method, 
+		 (status == SUCCESS)? "successful":"failed");
 	chunk_free(&octets);
 	private->destroy(private);
 	
diff --git a/src/charon/sa/child_sa.c b/src/charon/sa/child_sa.c
index 7c4b398cf..d7a63d5e8 100644
--- a/src/charon/sa/child_sa.c
+++ b/src/charon/sa/child_sa.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2006-2008 Tobias Brunner
- * Copyright (C) 2005-2007 Martin Willi
+ * Copyright (C) 2005-2008 Martin Willi
  * Copyright (C) 2006 Daniel Roethlisberger
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
@@ -15,7 +15,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: child_sa.c 4358 2008-09-25 13:56:23Z tobias $
+ * $Id: child_sa.c 4665 2008-11-17 00:01:34Z andreas $
  */
 
 #define _GNU_SOURCE
@@ -23,36 +23,21 @@
 
 #include <stdio.h>
 #include <string.h>
+#include <time.h>
 
 #include <daemon.h>
 
-ENUM(child_sa_state_names, CHILD_CREATED, CHILD_DELETING,
+ENUM(child_sa_state_names, CHILD_CREATED, CHILD_DESTROYING,
 	"CREATED",
 	"ROUTED",
+	"INSTALLING",
 	"INSTALLED",
+	"UPDATING",
 	"REKEYING",
 	"DELETING",
+	"DESTROYING",
 );
 
-typedef struct sa_policy_t sa_policy_t;
-
-/**
- * Struct used to store information for a policy. This
- * is needed since we must provide all this information
- * for deleting a policy...
- */
-struct sa_policy_t {
-	/**
-	 * Traffic selector for us
-	 */
-	traffic_selector_t *my_ts;
-	
-	/**
-	 * Traffic selector for other
-	 */
-	traffic_selector_t *other_ts;
-};
-
 typedef struct private_child_sa_t private_child_sa_t;
 
 /**
@@ -64,82 +49,76 @@ struct private_child_sa_t {
 	 */
 	child_sa_t public;
 	
-	struct {
-		/** address of peer */
-		host_t *addr;
-		/** id of peer */
-		identification_t *id;
-		/** actual used SPI, 0 if unused */
-		u_int32_t spi;
-		/** Compression Parameter Index (CPI) used, 0 if unused */
-		u_int16_t cpi;
-	} me, other;
-	
 	/**
-	 * Allocated SPI for a ESP proposal candidates
+	 * address of us
 	 */
-	u_int32_t alloc_esp_spi;
+	host_t *my_addr;
 	
 	/**
-	 * Allocated SPI for a AH proposal candidates
+	 * address of remote
 	 */
-	u_int32_t alloc_ah_spi;
+	host_t *other_addr;
 	
 	/**
-	 * Protocol used to protect this SA, ESP|AH
+	 * our actually used SPI, 0 if unused
 	 */
-	protocol_id_t protocol;
+	u_int32_t my_spi;
 	
 	/**
-	 * List containing sa_policy_t objects 
+	 * others used SPI, 0 if unused
 	 */
-	linked_list_t *policies;
+	u_int32_t other_spi;
 	
 	/**
-	 * Seperate list for local traffic selectors
+	 * our Compression Parameter Index (CPI) used, 0 if unused
 	 */
-	linked_list_t *my_ts;
+	u_int16_t my_cpi;
 	
 	/**
-	 * Seperate list for remote traffic selectors
+	 * others Compression Parameter Index (CPI) used, 0 if unused
 	 */
-	linked_list_t *other_ts;
+	u_int16_t other_cpi;
 	
 	/**
-	 * reqid used for this child_sa
+	 * List for local traffic selectors
 	 */
-	u_int32_t reqid;
+	linked_list_t *my_ts;
 	
 	/**
-	 * encryption algorithm used for this SA
+	 * List for remote traffic selectors
 	 */
-	u_int16_t enc_alg;
+	linked_list_t *other_ts;
 	
 	/**
-	 * key size of enc_alg
+	 * Allocated SPI for a ESP proposal candidates
 	 */
-	u_int16_t enc_size;
+	u_int32_t alloc_esp_spi;
 	
 	/**
-	 * integrity protection algorithm used for this SA
+	 * Allocated SPI for a AH proposal candidates
 	 */
-	u_int16_t int_alg;
+	u_int32_t alloc_ah_spi;
 	
 	/**
-	 * key size of int_alg
+	 * Protocol used to protect this SA, ESP|AH
 	 */
-	u_int16_t int_size;
+	protocol_id_t protocol;
 	
 	/**
-	 * time, on which SA was installed
+	 * reqid used for this child_sa
 	 */
-	time_t install_time;
+	u_int32_t reqid;
 	
 	/**
-	 * absolute time when rekeying is sceduled
+	 * absolute time when rekeying is scheduled
 	 */
 	time_t rekey_time;
 	
+	/**
+	 * absolute time when the SA expires
+	 */
+	time_t expire_time;
+	
 	/**
 	 * state of the CHILD_SA
 	 */
@@ -166,23 +145,18 @@ struct private_child_sa_t {
 	ipsec_mode_t mode;
 	
 	/**
-	 * virtual IP assinged to local host
-	 */
-	host_t *virtual_ip;
+ 	 * selected proposal
+ 	 */
+ 	proposal_t *proposal;
 	
 	/**
 	 * config used to create this child
 	 */
 	child_cfg_t *config;
-	
-	/**
-	 * cached interface name for iptables
-	 */
-	char *iface;
 };
 
 /**
- * Implementation of child_sa_t.get_name.
+ * Implementation of child_sa_t.get_name
  */
 static char *get_name(private_child_sa_t *this)
 {
@@ -202,11 +176,7 @@ static u_int32_t get_reqid(private_child_sa_t *this)
  */
 u_int32_t get_spi(private_child_sa_t *this, bool inbound)
 {
-	if (inbound)
-	{
-		return this->me.spi;
-	}
-	return this->other.spi;
+	return inbound ? this->my_spi : this->other_spi;
 }
 
 /**
@@ -214,11 +184,7 @@ u_int32_t get_spi(private_child_sa_t *this, bool inbound)
  */
 u_int16_t get_cpi(private_child_sa_t *this, bool inbound)
 {
-	if (inbound)
-	{
-		return this->me.cpi;
-	}
-	return this->other.cpi;
+	return inbound ? this->my_cpi : this->other_cpi;
 }
 
 /**
@@ -229,6 +195,30 @@ protocol_id_t get_protocol(private_child_sa_t *this)
 	return this->protocol;
 }
 
+/**
+ * Implementation of child_sa_t.get_mode
+ */
+static ipsec_mode_t get_mode(private_child_sa_t *this)
+{
+	return this->mode;
+}
+
+/**
+ * Implementation of child_sa_t.has_encap
+ */
+static bool has_encap(private_child_sa_t *this)
+{
+	return this->encap;
+}
+
+/**
+ * Implementation of child_sa_t.get_ipcomp
+ */
+static ipcomp_transform_t get_ipcomp(private_child_sa_t *this)
+{
+	return this->ipcomp;
+}
+
 /**
  * Implements child_sa_t.get_state
  */
@@ -245,207 +235,134 @@ static child_cfg_t* get_config(private_child_sa_t *this)
 	return this->config;
 }
 
+typedef struct policy_enumerator_t policy_enumerator_t;
+
 /**
- * Implementation of child_sa_t.get_stats.
+ * Private policy enumerator
  */
-static void get_stats(private_child_sa_t *this, ipsec_mode_t *mode,
-					  encryption_algorithm_t *encr_algo, size_t *encr_len,
-					  integrity_algorithm_t *int_algo, size_t *int_len,
-					  u_int32_t *rekey, u_int32_t *use_in, u_int32_t *use_out,
-					  u_int32_t *use_fwd)
+struct policy_enumerator_t {
+	/** implements enumerator_t */
+	enumerator_t public;
+	/** enumerator over own TS */
+	enumerator_t *mine;
+	/** enumerator over others TS */
+	enumerator_t *other;
+	/** list of others TS, to recreate enumerator */
+	linked_list_t *list;
+	/** currently enumerating TS for "me" side */
+	traffic_selector_t *ts;
+};
+
+/**
+ * enumerator function of create_policy_enumerator()
+ */
+static bool policy_enumerate(policy_enumerator_t *this,
+				 traffic_selector_t **my_out, traffic_selector_t **other_out)
 {
-	sa_policy_t *policy;
-	iterator_t *iterator;
-	u_int32_t in = 0, out = 0, fwd = 0, time;
+	traffic_selector_t *other_ts;
 	
-	iterator = this->policies->create_iterator(this->policies, TRUE);
-	while (iterator->iterate(iterator, (void**)&policy))
+	while (this->ts || this->mine->enumerate(this->mine, &this->ts))
 	{
-
-		if (charon->kernel_interface->query_policy(charon->kernel_interface,
-				policy->other_ts, policy->my_ts, POLICY_IN, &time) == SUCCESS)
-		{
-			in = max(in, time);
+		if (!this->other->enumerate(this->other, &other_ts))
+		{	/* end of others list, restart with new of mine */
+			this->other->destroy(this->other);
+			this->other = this->list->create_enumerator(this->list);
+			this->ts = NULL;
+			continue;
 		}
-		if (charon->kernel_interface->query_policy(charon->kernel_interface,
-				policy->my_ts, policy->other_ts, POLICY_OUT, &time) == SUCCESS)
-		{
-			out = max(out, time);
+		if (this->ts->get_type(this->ts) != other_ts->get_type(other_ts))
+		{	/* family mismatch */
+			continue;
 		}
-		if (charon->kernel_interface->query_policy(charon->kernel_interface,
-				policy->other_ts, policy->my_ts, POLICY_FWD, &time) == SUCCESS)
-		{
-			fwd = max(fwd, time);
+		if (this->ts->get_protocol(this->ts) &&
+			other_ts->get_protocol(other_ts) &&
+			this->ts->get_protocol(this->ts) != other_ts->get_protocol(other_ts))
+		{	/* protocol mismatch */
+			continue;
 		}
+		*my_out = this->ts;
+		*other_out = other_ts;
+		return TRUE;
 	}
-	iterator->destroy(iterator);
+	return FALSE;
+}
 
-	*mode = this->mode;
-	*encr_algo = this->enc_alg;
-	*encr_len = this->enc_size;
-	*int_algo = this->int_alg;
-	*int_len = this->int_size;
-	*rekey = this->rekey_time;
-	*use_in = in;
-	*use_out = out;
-	*use_fwd = fwd;
+/**
+ * destroy function of create_policy_enumerator()
+ */
+static void policy_destroy(policy_enumerator_t *this)
+{
+	this->mine->destroy(this->mine);
+	this->other->destroy(this->other);
+	free(this);
 }
 
 /**
- * Run the up/down script
+ * Implementation of child_sa_t.create_policy_enumerator
  */
-static void updown(private_child_sa_t *this, bool up)
+static enumerator_t* create_policy_enumerator(private_child_sa_t *this)
 {
-	sa_policy_t *policy;
-	iterator_t *iterator;
-	char *script;
-	
-	script = this->config->get_updown(this->config);
+	policy_enumerator_t *e = malloc_thing(policy_enumerator_t);
 	
-	if (script == NULL)
-	{
-		return;
-	}
+	e->public.enumerate = (void*)policy_enumerate;
+	e->public.destroy = (void*)policy_destroy;
+	e->mine = this->my_ts->create_enumerator(this->my_ts);
+	e->other = this->other_ts->create_enumerator(this->other_ts);
+	e->list = this->other_ts;
+	e->ts = NULL;
 	
-	iterator = this->policies->create_iterator(this->policies, TRUE);
-	while (iterator->iterate(iterator, (void**)&policy))
-	{
-		char command[1024];
-		char *my_client, *other_client, *my_client_mask, *other_client_mask;
-		char *pos, *virtual_ip;
-		FILE *shell;
-
-		/* get subnet/bits from string */
-		asprintf(&my_client, "%R", policy->my_ts);
-		pos = strchr(my_client, '/');
-		*pos = '\0';
-		my_client_mask = pos + 1;
-		pos = strchr(my_client_mask, '[');
-		if (pos)
-		{
-			*pos = '\0';
-		}
-		asprintf(&other_client, "%R", policy->other_ts);
-		pos = strchr(other_client, '/');
-		*pos = '\0';
-		other_client_mask = pos + 1;
-		pos = strchr(other_client_mask, '[');
-		if (pos)
-		{
-			*pos = '\0';
-		}
-
-		if (this->virtual_ip)
-		{
-			asprintf(&virtual_ip, "PLUTO_MY_SOURCEIP='%H' ",
-		        		 this->virtual_ip);
-		}
-		else
-		{
-			asprintf(&virtual_ip, "");
-		}
+	return &e->public;
+}
 
-		/* we cache the iface name, as it may not be available when
-		 * the SA gets deleted */
-		if (up)
-		{
-			free(this->iface); 
-			this->iface = charon->kernel_interface->get_interface(
-								charon->kernel_interface, this->me.addr);
-		}
-		
-		/* build the command with all env variables.
-		 * TODO: PLUTO_PEER_CA and PLUTO_NEXT_HOP are currently missing
-		 */
-		snprintf(command, sizeof(command),
-				 "2>&1 "
-				"PLUTO_VERSION='1.1' "
-				"PLUTO_VERB='%s%s%s' "
-				"PLUTO_CONNECTION='%s' "
-				"PLUTO_INTERFACE='%s' "
-				"PLUTO_REQID='%u' "
-				"PLUTO_ME='%H' "
-				"PLUTO_MY_ID='%D' "
-				"PLUTO_MY_CLIENT='%s/%s' "
-				"PLUTO_MY_CLIENT_NET='%s' "
-				"PLUTO_MY_CLIENT_MASK='%s' "
-				"PLUTO_MY_PORT='%u' "
-				"PLUTO_MY_PROTOCOL='%u' "
-				"PLUTO_PEER='%H' "
-				"PLUTO_PEER_ID='%D' "
-				"PLUTO_PEER_CLIENT='%s/%s' "
-				"PLUTO_PEER_CLIENT_NET='%s' "
-				"PLUTO_PEER_CLIENT_MASK='%s' "
-				"PLUTO_PEER_PORT='%u' "
-				"PLUTO_PEER_PROTOCOL='%u' "
-				"%s"
-				"%s"
-				"%s",
-				 up ? "up" : "down",
-				 policy->my_ts->is_host(policy->my_ts,
-							this->me.addr) ? "-host" : "-client",
-				 this->me.addr->get_family(this->me.addr) == AF_INET ? "" : "-v6",
-				 this->config->get_name(this->config),
-				 this->iface ? this->iface : "unknown",
-				 this->reqid,
-				 this->me.addr,
-				 this->me.id,
-				 my_client, my_client_mask,
-				 my_client, my_client_mask,
-				 policy->my_ts->get_from_port(policy->my_ts),
-				 policy->my_ts->get_protocol(policy->my_ts),
-				 this->other.addr,
-				 this->other.id,
-				 other_client, other_client_mask,
-				 other_client, other_client_mask,
-				 policy->other_ts->get_from_port(policy->other_ts),
-				 policy->other_ts->get_protocol(policy->other_ts),
-				 virtual_ip,
-				 this->config->get_hostaccess(this->config) ?
-				 	"PLUTO_HOST_ACCESS='1' " : "",
-				 script);
-		free(my_client);
-		free(other_client);
-		free(virtual_ip);
-		
-		DBG3(DBG_CHD, "running updown script: %s", command);
-		shell = popen(command, "r");
+/**
+ * Implementation of child_sa_t.get_usetime
+ */
+static u_int32_t get_usetime(private_child_sa_t *this, bool inbound)
+{
+	enumerator_t *enumerator;
+	traffic_selector_t *my_ts, *other_ts;
+	u_int32_t last_use = 0;
 
-		if (shell == NULL)
-		{
-			DBG1(DBG_CHD, "could not execute updown script '%s'", script);
-			return;
-		}
+	enumerator = create_policy_enumerator(this);
+	while (enumerator->enumerate(enumerator, &my_ts, &other_ts))
+	{
+		u_int32_t in, out, fwd;
 		
-		while (TRUE)
+		if (inbound) 
 		{
-			char resp[128];
-			
-			if (fgets(resp, sizeof(resp), shell) == NULL)
+			if (charon->kernel_interface->query_policy(charon->kernel_interface,
+								other_ts, my_ts, POLICY_IN, &in) == SUCCESS)
 			{
-				if (ferror(shell))
-				{
-					DBG1(DBG_CHD, "error reading output from updown script");
-					return;
-				}
-				else
+				last_use = max(last_use, in);
+			}
+			if (this->mode != MODE_TRANSPORT)
+			{
+				if (charon->kernel_interface->query_policy(charon->kernel_interface,
+								other_ts, my_ts, POLICY_FWD, &fwd) == SUCCESS)
 				{
-					break;
+					last_use = max(last_use, fwd);
 				}
 			}
-			else
+		}
+		else
+		{
+			if (charon->kernel_interface->query_policy(charon->kernel_interface,
+								my_ts, other_ts, POLICY_OUT, &out) == SUCCESS)
 			{
-				char *e = resp + strlen(resp);
-				if (e > resp && e[-1] == '\n')
-				{	/* trim trailing '\n' */
-					e[-1] = '\0';
-				}
-				DBG1(DBG_CHD, "updown: %s", resp);
+				last_use = max(last_use, out);
 			}
 		}
-		pclose(shell);
 	}
-	iterator->destroy(iterator);
+	enumerator->destroy(enumerator);
+	return last_use;
+}
+
+/**
+ * Implementation of child_sa_t.get_lifetime
+ */
+static u_int32_t get_lifetime(private_child_sa_t *this, bool hard)
+{
+	return hard ? this->expire_time : this->rekey_time;
 }
 
 /**
@@ -453,11 +370,8 @@ static void updown(private_child_sa_t *this, bool up)
  */
 static void set_state(private_child_sa_t *this, child_sa_state_t state)
 {
+	charon->bus->child_state_change(charon->bus, &this->public, state);
 	this->state = state;
-	if (state == CHILD_INSTALLED)
-	{
-		updown(this, TRUE);
-	}
 }
 
 /**
@@ -474,7 +388,7 @@ static status_t alloc_proposal(private_child_sa_t *this, proposal_t *proposal)
 		{
 			if (charon->kernel_interface->get_spi(
 						 charon->kernel_interface, 
-						 this->other.addr, this->me.addr,
+						 this->other_addr, this->my_addr,
 						 PROTO_AH, this->reqid,
 						 &this->alloc_ah_spi) != SUCCESS)
 			{
@@ -490,7 +404,7 @@ static status_t alloc_proposal(private_child_sa_t *this, proposal_t *proposal)
 		{
 			if (charon->kernel_interface->get_spi(
 						 charon->kernel_interface,
-						 this->other.addr, this->me.addr,
+						 this->other_addr, this->my_addr,
 						 PROTO_ESP, this->reqid,
 						 &this->alloc_esp_spi) != SUCCESS)
 			{
@@ -502,7 +416,6 @@ static status_t alloc_proposal(private_child_sa_t *this, proposal_t *proposal)
 	return SUCCESS;
 }
 
-
 /**
  * Implements child_sa_t.alloc
  */
@@ -525,237 +438,213 @@ static status_t alloc(private_child_sa_t *this, linked_list_t *proposals)
 	return SUCCESS;
 }
 
+/**
+ * Install an SA for one direction
+ */
 static status_t install(private_child_sa_t *this, proposal_t *proposal,
-						ipsec_mode_t mode, prf_plus_t *prf_plus, bool mine)
+						ipsec_mode_t mode, chunk_t integ, chunk_t encr, bool in)
 {
-	u_int32_t spi, soft, hard;
-	host_t *src;
-	host_t *dst;
+	u_int16_t enc_alg = ENCR_UNDEFINED, int_alg = AUTH_UNDEFINED, size;
+	u_int32_t spi, soft, hard, now;
+	host_t *src, *dst;
 	status_t status;
 	
-	this->protocol = proposal->get_protocol(proposal);
-	
-	/* now we have to decide which spi to use. Use self allocated, if "mine",
-	 * or the one in the proposal, if not "mine" (others). Additionally,
+	/* now we have to decide which spi to use. Use self allocated, if "in",
+	 * or the one in the proposal, if not "in" (others). Additionally,
 	 * source and dest host switch depending on the role */
-	if (mine)
+	if (in)
 	{
 		/* if we have allocated SPIs for AH and ESP, we must delete the unused
 		 * one. */
 		if (this->protocol == PROTO_ESP)
 		{
-			this->me.spi = this->alloc_esp_spi;
+			this->my_spi = this->alloc_esp_spi;
 			if (this->alloc_ah_spi)
 			{
-				charon->kernel_interface->del_sa(charon->kernel_interface, this->me.addr, 
-						this->alloc_ah_spi, PROTO_AH);
+				charon->kernel_interface->del_sa(charon->kernel_interface,
+								this->my_addr, this->alloc_ah_spi, 0, PROTO_AH);
 			}
 		}
 		else
 		{
-			this->me.spi = this->alloc_ah_spi;
+			this->my_spi = this->alloc_ah_spi;
 			if (this->alloc_esp_spi)
 			{
-				charon->kernel_interface->del_sa(charon->kernel_interface, this->me.addr, 
-						this->alloc_esp_spi, PROTO_ESP);
+				charon->kernel_interface->del_sa(charon->kernel_interface,
+								this->my_addr, this->alloc_esp_spi, 0, PROTO_ESP);
 			}
 		}
-		spi = this->me.spi;
-		dst = this->me.addr;
-		src = this->other.addr;
+		spi = this->my_spi;
+		dst = this->my_addr;
+		src = this->other_addr;
 	}
 	else
 	{
-		this->other.spi = proposal->get_spi(proposal);
-		spi = this->other.spi;
-		src = this->me.addr;
-		dst = this->other.addr;
+		this->other_spi = proposal->get_spi(proposal);
+		spi = this->other_spi;
+		src = this->my_addr;
+		dst = this->other_addr;
 	}
 	
-	DBG2(DBG_CHD, "adding %s %N SA", mine ? "inbound" : "outbound",
+	DBG2(DBG_CHD, "adding %s %N SA", in ? "inbound" : "outbound",
 		 protocol_id_names, this->protocol);
 	
-	/* select encryption algo */
-	if (proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM,
-								&this->enc_alg, &this->enc_size))
-	{
-		DBG2(DBG_CHD, "  using %N for encryption", 
-			 encryption_algorithm_names, this->enc_alg);
-	}
-	
-	/* select integrity algo */
-	if (proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM,
-								&this->int_alg, &this->int_size))
-	{
-		DBG2(DBG_CHD, "  using %N for integrity",
-			 integrity_algorithm_names, this->int_alg);
-	}
-	soft = this->config->get_lifetime(this->config, TRUE);
-	hard = this->config->get_lifetime(this->config, FALSE);
-	
 	/* send SA down to the kernel */
 	DBG2(DBG_CHD, "  SPI 0x%.8x, src %H dst %H", ntohl(spi), src, dst);
 	
-	if (this->ipcomp != IPCOMP_NONE)
-	{
-		/* we install an additional IPComp SA */
-		u_int32_t cpi = htonl(ntohs(mine ? this->me.cpi : this->other.cpi));
-		status = charon->kernel_interface->add_sa(charon->kernel_interface,
-				src, dst, cpi, IPPROTO_COMP, this->reqid, 0, 0,
-				ENCR_UNDEFINED, 0, AUTH_UNDEFINED, 0, NULL, mode,
-				this->ipcomp, FALSE, mine);
-	}
+	proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, &enc_alg, &size);
+	proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM, &int_alg, &size);
 	
+	soft = this->config->get_lifetime(this->config, TRUE);
+	hard = this->config->get_lifetime(this->config, FALSE);
+
 	status = charon->kernel_interface->add_sa(charon->kernel_interface,
-				src, dst, spi, this->protocol, this->reqid, mine ? soft : 0, hard, 
-				this->enc_alg, this->enc_size, this->int_alg, this->int_size,
-				prf_plus, mode, IPCOMP_NONE, this->encap, mine);
-					
-	this->install_time = time(NULL);
-	this->rekey_time = this->install_time + soft;
+				src, dst, spi, this->protocol, this->reqid,
+				in ? soft : 0, hard, enc_alg, encr, int_alg, integ,
+				mode, this->ipcomp, in ? this->my_cpi : this->other_cpi,
+				this->encap, in);
+	
+	now = time(NULL);
+	this->rekey_time = now + soft;
+	this->expire_time = now + hard;
 	return status;
 }
 
-static status_t add(private_child_sa_t *this, proposal_t *proposal, 
-					ipsec_mode_t mode, prf_plus_t *prf_plus)
+/**
+ * Implementation of child_sa_t.add
+ */
+static status_t add(private_child_sa_t *this, 
+					proposal_t *proposal, ipsec_mode_t mode,
+					chunk_t integ_in, chunk_t integ_out,
+					chunk_t encr_in, chunk_t encr_out)
 {
-	u_int32_t outbound_spi, inbound_spi;
-	
-	/* backup outbound spi, as alloc overwrites it */
-	outbound_spi = proposal->get_spi(proposal);
+	this->proposal = proposal->clone(proposal);
+	this->protocol = proposal->get_protocol(proposal);
 	
-	/* get SPIs inbound SAs */
+	/* get SPIs for inbound SAs, write to proposal */
 	if (alloc_proposal(this, proposal) != SUCCESS)
 	{
 		return FAILED;
 	}
-	inbound_spi = proposal->get_spi(proposal);
-	
-	/* install inbound SAs */
-	if (install(this, proposal, mode, prf_plus, TRUE) != SUCCESS)
+	/* install inbound SAs using allocated SPI */
+	if (install(this, proposal, mode, integ_in, encr_in, TRUE) != SUCCESS)
 	{
 		return FAILED;
 	}
-	
-	/* install outbound SAs, restore spi*/
-	proposal->set_spi(proposal, outbound_spi);
-	if (install(this, proposal, mode, prf_plus, FALSE) != SUCCESS)
+	/* install outbound SAs using received SPI*/
+	if (install(this, this->proposal, mode, integ_out, encr_out, FALSE) != SUCCESS)
 	{
 		return FAILED;
 	}
-	proposal->set_spi(proposal, inbound_spi);
-	
 	return SUCCESS;
 }
 
-static status_t update(private_child_sa_t *this, proposal_t *proposal,
-					   ipsec_mode_t mode, prf_plus_t *prf_plus)
+/**
+ * Implementation of child_sa_t.update
+ */
+static status_t update(private_child_sa_t *this,
+					   proposal_t *proposal, ipsec_mode_t mode,
+					   chunk_t integ_in, chunk_t integ_out,
+					   chunk_t encr_in, chunk_t encr_out)
 {
-	u_int32_t inbound_spi;
-	
-	/* backup received spi, as install() overwrites it */
-	inbound_spi = proposal->get_spi(proposal);
+	this->proposal = proposal->clone(proposal);
+	this->protocol = proposal->get_protocol(proposal);
 	
 	/* install outbound SAs */
-	if (install(this, proposal, mode, prf_plus, FALSE) != SUCCESS)
+	if (install(this, proposal, mode, integ_out, encr_out, FALSE) != SUCCESS)
 	{
 		return FAILED;
 	}
-	
-	/* restore spi */
-	proposal->set_spi(proposal, inbound_spi);
 	/* install inbound SAs */
-	if (install(this, proposal, mode, prf_plus, TRUE) != SUCCESS)
+	if (install(this, proposal, mode, integ_in, encr_in, TRUE) != SUCCESS)
 	{
 		return FAILED;
 	}
-	
 	return SUCCESS;
 }
 
+/**
+ * Implementation of child_sa_t.get_proposal
+ */
+static proposal_t* get_proposal(private_child_sa_t *this)
+{
+	return this->proposal;
+}
+
+/**
+ * Implementation of child_sa_t.add_policies
+ */
 static status_t add_policies(private_child_sa_t *this,
 					linked_list_t *my_ts_list, linked_list_t *other_ts_list,
 					ipsec_mode_t mode, protocol_id_t proto)
 {
-	iterator_t *my_iter, *other_iter;
+	enumerator_t *enumerator;
 	traffic_selector_t *my_ts, *other_ts;
-	/* use low prio for ROUTED policies */
-	bool high_prio = (this->state != CHILD_CREATED);
+	status_t status = SUCCESS;
+	bool routed = (this->state == CHILD_CREATED);
 	
 	if (this->protocol == PROTO_NONE)
 	{	/* update if not set yet */
 		this->protocol = proto;
 	}
+
+	/* apply traffic selectors */
+	enumerator = my_ts_list->create_enumerator(my_ts_list);
+	while (enumerator->enumerate(enumerator, &my_ts))
+	{
+		this->my_ts->insert_last(this->my_ts, my_ts->clone(my_ts));
+	}
+	enumerator->destroy(enumerator);
+	enumerator = other_ts_list->create_enumerator(other_ts_list);
+	while (enumerator->enumerate(enumerator, &other_ts))
+	{
+		this->other_ts->insert_last(this->other_ts, other_ts->clone(other_ts));
+	}
+	enumerator->destroy(enumerator);
 	
-	/* iterate over both lists */
-	my_iter = my_ts_list->create_iterator(my_ts_list, TRUE);
-	other_iter = other_ts_list->create_iterator(other_ts_list, TRUE);
-	while (my_iter->iterate(my_iter, (void**)&my_ts))
+	if (this->config->install_policy(this->config))
 	{
-		other_iter->reset(other_iter);
-		while (other_iter->iterate(other_iter, (void**)&other_ts))
+		/* enumerate pairs of traffic selectors */
+		enumerator = create_policy_enumerator(this);
+		while (enumerator->enumerate(enumerator, &my_ts, &other_ts))
 		{
-			/* set up policies for every entry in my_ts_list to every entry in other_ts_list */
-			status_t status;
-			sa_policy_t *policy;
-			
-			if (my_ts->get_type(my_ts) != other_ts->get_type(other_ts))
-			{
-				DBG2(DBG_CHD,
-					 "CHILD_SA policy uses two different IP families - ignored");
-				continue;
-			}
-			
-			/* only set up policies if protocol matches, or if one is zero (any) */
-			if (my_ts->get_protocol(my_ts) != other_ts->get_protocol(other_ts) &&
-				my_ts->get_protocol(my_ts) && other_ts->get_protocol(other_ts))
-			{
-				DBG2(DBG_CHD,
-					 "CHILD_SA policy uses two different protocols - ignored");
-				continue;
-			}
-			
 			/* install 3 policies: out, in and forward */
-			status = charon->kernel_interface->add_policy(charon->kernel_interface,
-					this->me.addr, this->other.addr, my_ts, other_ts, POLICY_OUT,
-					this->protocol, this->reqid, high_prio, mode, this->ipcomp);
-			
 			status |= charon->kernel_interface->add_policy(charon->kernel_interface,
-					this->other.addr, this->me.addr, other_ts, my_ts, POLICY_IN,
-					this->protocol, this->reqid, high_prio, mode, this->ipcomp);
+					this->my_addr, this->other_addr, my_ts, other_ts, POLICY_OUT,
+					this->other_spi, this->protocol, this->reqid, mode, this->ipcomp,
+					this->other_cpi, routed);
 			
 			status |= charon->kernel_interface->add_policy(charon->kernel_interface,
-					this->other.addr, this->me.addr, other_ts, my_ts, POLICY_FWD,
-					this->protocol, this->reqid, high_prio, mode, this->ipcomp);
+					this->other_addr, this->my_addr, other_ts, my_ts, POLICY_IN,
+					this->my_spi, this->protocol, this->reqid, mode, this->ipcomp,
+					this->my_cpi, routed);
+			if (mode != MODE_TRANSPORT)
+			{
+				status |= charon->kernel_interface->add_policy(charon->kernel_interface,
+					this->other_addr, this->my_addr, other_ts, my_ts, POLICY_FWD,
+					this->my_spi, this->protocol, this->reqid, mode, this->ipcomp,
+					this->my_cpi, routed);
+			}
 			
 			if (status != SUCCESS)
 			{
-				my_iter->destroy(my_iter);
-				other_iter->destroy(other_iter);
-				return status;
+				break;
 			}
-			
-			/* store policy to delete/update them later */
-			policy = malloc_thing(sa_policy_t);
-			policy->my_ts = my_ts->clone(my_ts);
-			policy->other_ts = other_ts->clone(other_ts);
-			this->policies->insert_last(this->policies, policy);
-			/* add to separate list to query them via get_*_traffic_selectors() */
-			this->my_ts->insert_last(this->my_ts, policy->my_ts);
-			this->other_ts->insert_last(this->other_ts, policy->other_ts);
 		}
+		enumerator->destroy(enumerator);
 	}
-	my_iter->destroy(my_iter);
-	other_iter->destroy(other_iter);
 	
-	/* switch to routed state if no SAD entry set up */
-	if (this->state == CHILD_CREATED)
+	if (status == SUCCESS)
 	{
-		this->state = CHILD_ROUTED;
+		/* switch to routed state if no SAD entry set up */
+		if (this->state == CHILD_CREATED)
+		{
+			set_state(this, CHILD_ROUTED);
+		}
+		/* needed to update hosts */
+		this->mode = mode;
 	}
-	/* needed to update hosts */
-	this->mode = mode;
-	return SUCCESS;
+	return status;
 }
 
 /**
@@ -763,166 +652,143 @@ static status_t add_policies(private_child_sa_t *this,
  */
 static linked_list_t *get_traffic_selectors(private_child_sa_t *this, bool local)
 {
-	if (local)
-	{
-		return this->my_ts;
-	}
-	return this->other_ts;
-}
-
-/**
- * Implementation of child_sa_t.get_use_time
- */
-static status_t get_use_time(private_child_sa_t *this, bool inbound, time_t *use_time)
-{
-	iterator_t *iterator;
-	sa_policy_t *policy;
-	status_t status = FAILED;
-	
-	*use_time = UNDEFINED_TIME;
-
-	iterator = this->policies->create_iterator(this->policies, TRUE);
-	while (iterator->iterate(iterator, (void**)&policy))
-	{
-		if (inbound) 
-		{
-			time_t in = UNDEFINED_TIME, fwd = UNDEFINED_TIME;
-			
-			status = charon->kernel_interface->query_policy(
-									charon->kernel_interface,
-									policy->other_ts, policy->my_ts,
-									POLICY_IN, (u_int32_t*)&in);
-			status |= charon->kernel_interface->query_policy(
-									charon->kernel_interface,
-									policy->other_ts, policy->my_ts,
-									POLICY_FWD, (u_int32_t*)&fwd);
-			*use_time = max(in, fwd);
-		}
-		else
-		{
-			status = charon->kernel_interface->query_policy(
-									charon->kernel_interface,
-									policy->my_ts, policy->other_ts, 
-									POLICY_OUT, (u_int32_t*)use_time);
-		}
-	}
-	iterator->destroy(iterator);
-	return status;
+	return local ? this->my_ts : this->other_ts;
 }
 
 /**
  * Implementation of child_sa_t.update_hosts.
  */
 static status_t update_hosts(private_child_sa_t *this, 
-							 host_t *me, host_t *other, bool encap) 
+							 host_t *me, host_t *other, host_t *vip, bool encap) 
 {
+	child_sa_state_t old;
+	bool transport_proxy_mode;
+	
 	/* anything changed at all? */
-	if (me->equals(me, this->me.addr) && 
-		other->equals(other, this->other.addr) && this->encap == encap)
+	if (me->equals(me, this->my_addr) && 
+		other->equals(other, this->other_addr) && this->encap == encap)
 	{
 		return SUCCESS;
 	}
-	/* run updown script to remove iptables rules */
-	updown(this, FALSE);
-	
-	this->encap = encap;
-	
-	if (this->ipcomp != IPCOMP_NONE)
-	{
-		/* update our (initator) IPComp SA */
-		charon->kernel_interface->update_sa(charon->kernel_interface, htonl(ntohs(this->me.cpi)),
-				IPPROTO_COMP, this->other.addr, this->me.addr, other, me, FALSE);
-		/* update his (responder) IPComp SA */
-		charon->kernel_interface->update_sa(charon->kernel_interface, htonl(ntohs(this->other.cpi)), 
-				IPPROTO_COMP, this->me.addr, this->other.addr, me, other, FALSE);
-	}
 	
-	/* update our (initator) SA */
-	charon->kernel_interface->update_sa(charon->kernel_interface, this->me.spi,
-			this->protocol, this->other.addr, this->me.addr, other, me, encap);
-	/* update his (responder) SA */
-	charon->kernel_interface->update_sa(charon->kernel_interface, this->other.spi, 
-			this->protocol, this->me.addr, this->other.addr, me, other, encap);
+	old = this->state;
+	set_state(this, CHILD_UPDATING);
+	transport_proxy_mode = this->config->use_proxy_mode(this->config) &&
+						   this->mode == MODE_TRANSPORT;
 	
-	/* update policies */
-	if (!me->ip_equals(me, this->me.addr) ||
-		!other->ip_equals(other, this->other.addr))
+	if (!transport_proxy_mode)
 	{
-		iterator_t *iterator;
-		sa_policy_t *policy;
-		
-		/* always use high priorities, as hosts getting updated are INSTALLED */
-		iterator = this->policies->create_iterator(this->policies, TRUE);
-		while (iterator->iterate(iterator, (void**)&policy))
+		/* update our (initator) SA */
+		if (this->my_spi)
 		{
-			/* remove old policies first */
-			charon->kernel_interface->del_policy(charon->kernel_interface,
-								policy->my_ts, policy->other_ts, POLICY_OUT);
-			charon->kernel_interface->del_policy(charon->kernel_interface,
-								policy->other_ts, policy->my_ts,  POLICY_IN);
-			charon->kernel_interface->del_policy(charon->kernel_interface,
-								policy->other_ts, policy->my_ts, POLICY_FWD);
-		
-			/* check wether we have to update a "dynamic" traffic selector */
-			if (!me->ip_equals(me, this->me.addr) &&
-				policy->my_ts->is_host(policy->my_ts, this->me.addr))
+			if (charon->kernel_interface->update_sa(charon->kernel_interface,
+							this->my_spi, this->protocol,
+							this->ipcomp != IPCOMP_NONE ? this->my_cpi : 0,
+							this->other_addr, this->my_addr, other, me,
+							this->encap, encap) == NOT_SUPPORTED)
 			{
-				policy->my_ts->set_address(policy->my_ts, me);
+				return NOT_SUPPORTED;
 			}
-			if (!other->ip_equals(other, this->other.addr) &&
-				policy->other_ts->is_host(policy->other_ts, this->other.addr))
+		}
+		
+		/* update his (responder) SA */
+		if (this->other_spi)
+		{
+			if (charon->kernel_interface->update_sa(charon->kernel_interface,
+							this->other_spi, this->protocol,
+					 		this->ipcomp != IPCOMP_NONE ? this->other_cpi : 0,
+							this->my_addr, this->other_addr, me, other,
+							this->encap, encap) == NOT_SUPPORTED)
 			{
-				policy->other_ts->set_address(policy->other_ts, other);
+				return NOT_SUPPORTED;
 			}
+		}
+	}
+	
+	if (this->config->install_policy(this->config))
+	{
+		/* update policies */
+		if (!me->ip_equals(me, this->my_addr) ||
+			!other->ip_equals(other, this->other_addr))
+		{
+			enumerator_t *enumerator;
+			traffic_selector_t *my_ts, *other_ts;
 			
-			/* we reinstall the virtual IP to handle interface romaing
-			 * correctly */
-			if (this->virtual_ip)
+			/* always use high priorities, as hosts getting updated are INSTALLED */
+			enumerator = create_policy_enumerator(this);
+			while (enumerator->enumerate(enumerator, &my_ts, &other_ts))
 			{
-				charon->kernel_interface->del_ip(charon->kernel_interface,
-												 this->virtual_ip);
-				charon->kernel_interface->add_ip(charon->kernel_interface,
-												 this->virtual_ip, me);
+				/* remove old policies first */
+				charon->kernel_interface->del_policy(charon->kernel_interface,
+											my_ts, other_ts, POLICY_OUT, FALSE);
+				charon->kernel_interface->del_policy(charon->kernel_interface,
+											other_ts, my_ts,  POLICY_IN, FALSE);
+				if (this->mode != MODE_TRANSPORT)
+				{
+					charon->kernel_interface->del_policy(charon->kernel_interface,
+											other_ts, my_ts, POLICY_FWD, FALSE);
+				}
+				
+				/* check whether we have to update a "dynamic" traffic selector */
+				if (!me->ip_equals(me, this->my_addr) &&
+					my_ts->is_host(my_ts, this->my_addr))
+				{
+					my_ts->set_address(my_ts, me);
+				}
+				if (!other->ip_equals(other, this->other_addr) &&
+					other_ts->is_host(other_ts, this->other_addr))
+				{
+					other_ts->set_address(other_ts, other);
+				}
+				
+				/* we reinstall the virtual IP to handle interface roaming
+				 * correctly */
+				if (vip)
+				{
+					charon->kernel_interface->del_ip(charon->kernel_interface, vip);
+					charon->kernel_interface->add_ip(charon->kernel_interface, vip, me);
+				}
+				
+				/* reinstall updated policies */
+				charon->kernel_interface->add_policy(charon->kernel_interface,
+						me, other, my_ts, other_ts, POLICY_OUT, this->other_spi,
+						this->protocol, this->reqid, this->mode, this->ipcomp,
+						this->other_cpi, FALSE);
+				charon->kernel_interface->add_policy(charon->kernel_interface, 
+						other, me, other_ts, my_ts, POLICY_IN, this->my_spi,
+						this->protocol, this->reqid, this->mode, this->ipcomp,
+						this->my_cpi, FALSE);
+				if (this->mode != MODE_TRANSPORT)
+				{
+					charon->kernel_interface->add_policy(charon->kernel_interface,
+						other, me, other_ts, my_ts, POLICY_FWD, this->my_spi,
+						this->protocol, this->reqid, this->mode, this->ipcomp,
+						this->my_cpi, FALSE);
+				}
 			}
-		
-			/* reinstall updated policies */
-			charon->kernel_interface->add_policy(charon->kernel_interface,
-					me, other, policy->my_ts, policy->other_ts, POLICY_OUT,
-					this->protocol,	this->reqid, TRUE, this->mode, this->ipcomp);
-			charon->kernel_interface->add_policy(charon->kernel_interface, 
-					other, me, policy->other_ts, policy->my_ts, POLICY_IN,
-					this->protocol, this->reqid, TRUE, this->mode, this->ipcomp);
-			charon->kernel_interface->add_policy(charon->kernel_interface,
-					other, me, policy->other_ts, policy->my_ts, POLICY_FWD,
-					this->protocol, this->reqid, TRUE, this->mode, this->ipcomp);
+			enumerator->destroy(enumerator);
 		}
-		iterator->destroy(iterator);
 	}
 
-	/* apply hosts */
-	if (!me->equals(me, this->me.addr))
+	if (!transport_proxy_mode)
 	{
-		this->me.addr->destroy(this->me.addr);
-		this->me.addr = me->clone(me);
-	}
-	if (!other->equals(other, this->other.addr))
-	{
-		this->other.addr->destroy(this->other.addr);
-		this->other.addr = other->clone(other);
+		/* apply hosts */
+		if (!me->equals(me, this->my_addr))
+		{
+			this->my_addr->destroy(this->my_addr);
+			this->my_addr = me->clone(me);
+		}
+		if (!other->equals(other, this->other_addr))
+		{
+			this->other_addr->destroy(this->other_addr);
+			this->other_addr = other->clone(other);
+		}
 	}
-	
-	/* install new iptables rules */
-	updown(this, TRUE);
-	
-	return SUCCESS;
-}
 
-/**
- * Implementation of child_sa_t.set_virtual_ip.
- */
-static void set_virtual_ip(private_child_sa_t *this, host_t *ip)
-{
-	this->virtual_ip = ip->clone(ip);
+	this->encap = encap;
+	set_state(this, old);
+
+	return SUCCESS;
 }
 
 /**
@@ -932,7 +798,7 @@ static void activate_ipcomp(private_child_sa_t *this, ipcomp_transform_t ipcomp,
 		u_int16_t other_cpi)
 {
 	this->ipcomp = ipcomp;
-	this->other.cpi = other_cpi;
+	this->other_cpi = other_cpi;
 }
 
 /**
@@ -943,10 +809,10 @@ static u_int16_t allocate_cpi(private_child_sa_t *this)
 	if (!this->cpi_allocated)
 	{
 		charon->kernel_interface->get_cpi(charon->kernel_interface,
-			this->other.addr, this->me.addr, this->reqid, &this->me.cpi);
+			this->other_addr, this->my_addr, this->reqid, &this->my_cpi);
 		this->cpi_allocated = TRUE;
 	}
-	return this->me.cpi;
+	return this->my_cpi;
 }
 
 /**
@@ -954,75 +820,61 @@ static u_int16_t allocate_cpi(private_child_sa_t *this)
  */
 static void destroy(private_child_sa_t *this)
 {
-	sa_policy_t *policy;
+	enumerator_t *enumerator;
+	traffic_selector_t *my_ts, *other_ts;
+	bool unrouted = (this->state == CHILD_ROUTED);
 	
-	if (this->state == CHILD_DELETING || this->state == CHILD_INSTALLED)
-	{
-		updown(this, FALSE);
-	}
+	set_state(this, CHILD_DESTROYING);
 	
 	/* delete SAs in the kernel, if they are set up */
-	if (this->me.spi)
-	{
-		charon->kernel_interface->del_sa(charon->kernel_interface,
-										 this->me.addr, this->me.spi, this->protocol);
-	}
-	if (this->alloc_esp_spi && this->alloc_esp_spi != this->me.spi)
+	if (this->my_spi)
 	{
 		charon->kernel_interface->del_sa(charon->kernel_interface,
-										 this->me.addr, this->alloc_esp_spi, PROTO_ESP);
+					this->my_addr, this->my_spi, this->protocol,
+					this->my_cpi);
 	}
-	if (this->alloc_ah_spi && this->alloc_ah_spi != this->me.spi)
+	if (this->alloc_esp_spi && this->alloc_esp_spi != this->my_spi)
 	{
 		charon->kernel_interface->del_sa(charon->kernel_interface,
-										 this->me.addr, this->alloc_ah_spi, PROTO_AH);
+					this->my_addr, this->alloc_esp_spi, PROTO_ESP, 0);
 	}
-	if (this->other.spi)
+	if (this->alloc_ah_spi && this->alloc_ah_spi != this->my_spi)
 	{
 		charon->kernel_interface->del_sa(charon->kernel_interface,
-										 this->other.addr, this->other.spi, this->protocol);
+					this->my_addr, this->alloc_ah_spi, PROTO_AH, 0);
 	}
-	if (this->me.cpi)
+	if (this->other_spi)
 	{
 		charon->kernel_interface->del_sa(charon->kernel_interface,
-							this->me.addr, htonl(ntohs(this->me.cpi)), IPPROTO_COMP);
-	}
-	if (this->other.cpi)
-	{
-		charon->kernel_interface->del_sa(charon->kernel_interface,
-							this->other.addr, htonl(ntohs(this->other.cpi)), IPPROTO_COMP);
+					this->other_addr, this->other_spi, this->protocol,
+					this->other_cpi);
 	}
 	
-	/* delete all policies in the kernel */
-	while (this->policies->remove_last(this->policies, (void**)&policy) == SUCCESS)
+	if (this->config->install_policy(this->config))
 	{
-		/* let rekeyed policies, as they are used by another child_sa */
-		charon->kernel_interface->del_policy(charon->kernel_interface,
-											 policy->my_ts, policy->other_ts,
-											 POLICY_OUT);
-		
-		charon->kernel_interface->del_policy(charon->kernel_interface,
-											 policy->other_ts, policy->my_ts,
-											 POLICY_IN);
-		
-		charon->kernel_interface->del_policy(charon->kernel_interface,
-											 policy->other_ts, policy->my_ts,
-											 POLICY_FWD);
-		policy->my_ts->destroy(policy->my_ts);
-		policy->other_ts->destroy(policy->other_ts);
-		free(policy);
+		/* delete all policies in the kernel */
+		enumerator = create_policy_enumerator(this);
+		while (enumerator->enumerate(enumerator, &my_ts, &other_ts))
+		{
+			charon->kernel_interface->del_policy(charon->kernel_interface,
+										my_ts, other_ts, POLICY_OUT, unrouted);
+			charon->kernel_interface->del_policy(charon->kernel_interface,
+										other_ts, my_ts, POLICY_IN, unrouted);
+			if (this->mode != MODE_TRANSPORT)
+			{
+				charon->kernel_interface->del_policy(charon->kernel_interface,
+										other_ts, my_ts, POLICY_FWD, unrouted);
+			}
+		}
+		enumerator->destroy(enumerator);
 	}
-	this->policies->destroy(this->policies);
 	
-	this->my_ts->destroy(this->my_ts);
-	this->other_ts->destroy(this->other_ts);
-	this->me.addr->destroy(this->me.addr);
-	this->other.addr->destroy(this->other.addr);
-	this->me.id->destroy(this->me.id);
-	this->other.id->destroy(this->other.id);
+	this->my_ts->destroy_offset(this->my_ts, offsetof(traffic_selector_t, destroy));
+	this->other_ts->destroy_offset(this->other_ts, offsetof(traffic_selector_t, destroy));
+	this->my_addr->destroy(this->my_addr);
+	this->other_addr->destroy(this->other_addr);
+	DESTROY_IF(this->proposal);
 	this->config->destroy(this->config);
-	free(this->iface);
-	DESTROY_IF(this->virtual_ip);
 	free(this);
 }
 
@@ -1030,7 +882,6 @@ static void destroy(private_child_sa_t *this)
  * Described in header.
  */
 child_sa_t * child_sa_create(host_t *me, host_t* other,
-							 identification_t *my_id, identification_t *other_id,
 							 child_cfg_t *config, u_int32_t rekey, bool encap)
 {
 	static u_int32_t reqid = 0;
@@ -1042,31 +893,33 @@ child_sa_t * child_sa_create(host_t *me, host_t* other,
 	this->public.get_spi = (u_int32_t(*)(child_sa_t*, bool))get_spi;
 	this->public.get_cpi = (u_int16_t(*)(child_sa_t*, bool))get_cpi;
 	this->public.get_protocol = (protocol_id_t(*)(child_sa_t*))get_protocol;
-	this->public.get_stats = (void(*)(child_sa_t*, ipsec_mode_t*,encryption_algorithm_t*,size_t*,integrity_algorithm_t*,size_t*,u_int32_t*,u_int32_t*,u_int32_t*,u_int32_t*))get_stats;
+	this->public.get_mode = (ipsec_mode_t(*)(child_sa_t*))get_mode;
+	this->public.get_ipcomp = (ipcomp_transform_t(*)(child_sa_t*))get_ipcomp;
+	this->public.has_encap = (bool(*)(child_sa_t*))has_encap;
+	this->public.get_lifetime = (u_int32_t(*)(child_sa_t*, bool))get_lifetime;
+	this->public.get_usetime = (u_int32_t(*)(child_sa_t*, bool))get_usetime;
 	this->public.alloc = (status_t(*)(child_sa_t*,linked_list_t*))alloc;
-	this->public.add = (status_t(*)(child_sa_t*,proposal_t*,ipsec_mode_t,prf_plus_t*))add;
-	this->public.update = (status_t(*)(child_sa_t*,proposal_t*,ipsec_mode_t,prf_plus_t*))update;
-	this->public.update_hosts = (status_t (*)(child_sa_t*,host_t*,host_t*,bool))update_hosts;
+	this->public.add = (status_t(*)(child_sa_t*,proposal_t*,ipsec_mode_t,chunk_t,chunk_t,chunk_t,chunk_t))add;
+	this->public.update = (status_t(*)(child_sa_t*,proposal_t*,ipsec_mode_t,chunk_t,chunk_t,chunk_t,chunk_t))update;
+	this->public.get_proposal = (proposal_t*(*)(child_sa_t*))get_proposal;
+	this->public.update_hosts = (status_t (*)(child_sa_t*,host_t*,host_t*,host_t*,bool))update_hosts;
 	this->public.add_policies = (status_t (*)(child_sa_t*, linked_list_t*,linked_list_t*,ipsec_mode_t,protocol_id_t))add_policies;
 	this->public.get_traffic_selectors = (linked_list_t*(*)(child_sa_t*,bool))get_traffic_selectors;
-	this->public.get_use_time = (status_t (*)(child_sa_t*,bool,time_t*))get_use_time;
+	this->public.create_policy_enumerator = (enumerator_t*(*)(child_sa_t*))create_policy_enumerator;
 	this->public.set_state = (void(*)(child_sa_t*,child_sa_state_t))set_state;
 	this->public.get_state = (child_sa_state_t(*)(child_sa_t*))get_state;
 	this->public.get_config = (child_cfg_t*(*)(child_sa_t*))get_config;
 	this->public.activate_ipcomp = (void(*)(child_sa_t*,ipcomp_transform_t,u_int16_t))activate_ipcomp;
 	this->public.allocate_cpi = (u_int16_t(*)(child_sa_t*))allocate_cpi;
-	this->public.set_virtual_ip = (void(*)(child_sa_t*,host_t*))set_virtual_ip;
 	this->public.destroy = (void(*)(child_sa_t*))destroy;
 
 	/* private data */
-	this->me.addr = me->clone(me);
-	this->other.addr = other->clone(other);
-	this->me.id = my_id->clone(my_id);
-	this->other.id = other_id->clone(other_id);
-	this->me.spi = 0;
-	this->me.cpi = 0;
-	this->other.spi = 0;
-	this->other.cpi = 0;
+	this->my_addr = me->clone(me);
+	this->other_addr = other->clone(other);
+	this->my_spi = 0;
+	this->my_cpi = 0;
+	this->other_spi = 0;
+	this->other_cpi = 0;
 	this->alloc_ah_spi = 0;
 	this->alloc_esp_spi = 0;
 	this->encap = encap;
@@ -1075,19 +928,70 @@ child_sa_t * child_sa_create(host_t *me, host_t* other,
 	this->state = CHILD_CREATED;
 	/* reuse old reqid if we are rekeying an existing CHILD_SA */
 	this->reqid = rekey ? rekey : ++reqid;
-	this->enc_alg = ENCR_UNDEFINED;
-	this->enc_size = 0;
-	this->int_alg = AUTH_UNDEFINED;
-	this->int_size = 0;
-	this->policies = linked_list_create();
 	this->my_ts = linked_list_create();
 	this->other_ts = linked_list_create();
 	this->protocol = PROTO_NONE;
 	this->mode = MODE_TUNNEL;
-	this->virtual_ip = NULL;
-	this->iface = NULL;
+	this->proposal = NULL;
 	this->config = config;
 	config->get_ref(config);
+
+	/* MIPv6 proxy transport mode sets SA endpoints to TS hosts */	
+	if (config->get_mode(config) == MODE_TRANSPORT &&
+	    config->use_proxy_mode(config))
+	{
+		ts_type_t type;
+		int family;
+		chunk_t addr;
+		host_t *host;
+		enumerator_t *enumerator;
+		linked_list_t *my_ts_list, *other_ts_list;
+		traffic_selector_t *my_ts, *other_ts;
+
+		this->mode = MODE_TRANSPORT;
+
+		my_ts_list = config->get_traffic_selectors(config, TRUE, NULL, me);
+		enumerator = my_ts_list->create_enumerator(my_ts_list);
+		if (enumerator->enumerate(enumerator, &my_ts))
+		{
+			if (my_ts->is_host(my_ts, NULL) &&
+			   !my_ts->is_host(my_ts, this->my_addr))
+			{
+				type = my_ts->get_type(my_ts);
+				family = (type == TS_IPV4_ADDR_RANGE) ? AF_INET : AF_INET6;
+				addr = my_ts->get_from_address(my_ts);
+				host = host_create_from_chunk(family, addr, 0);
+				free(addr.ptr);
+				DBG1(DBG_CHD, "my address: %H is a transport mode proxy for %H",
+							   this->my_addr, host); 
+				this->my_addr->destroy(this->my_addr);
+				this->my_addr = host;
+			}
+		}
+		enumerator->destroy(enumerator);
+		my_ts_list->destroy_offset(my_ts_list, offsetof(traffic_selector_t, destroy));
+
+		other_ts_list = config->get_traffic_selectors(config, FALSE, NULL, other);
+		enumerator = other_ts_list->create_enumerator(other_ts_list);
+		if (enumerator->enumerate(enumerator, &other_ts))
+		{
+			if (other_ts->is_host(other_ts, NULL) &&
+			   !other_ts->is_host(other_ts, this->other_addr))
+			{
+				type = other_ts->get_type(other_ts);
+				family = (type == TS_IPV4_ADDR_RANGE) ? AF_INET : AF_INET6;
+				addr = other_ts->get_from_address(other_ts);
+				host = host_create_from_chunk(family, addr, 0);
+				free(addr.ptr);
+				DBG1(DBG_CHD, "other address: %H is a transport mode proxy for %H",
+							   this->other_addr, host); 
+				this->other_addr->destroy(this->other_addr);
+				this->other_addr = host;
+			}
+		}
+		enumerator->destroy(enumerator);
+		other_ts_list->destroy_offset(other_ts_list, offsetof(traffic_selector_t, destroy));
+	}
 	
 	return &this->public;
 }
diff --git a/src/charon/sa/child_sa.h b/src/charon/sa/child_sa.h
index 2f7961e03..7109de5cd 100644
--- a/src/charon/sa/child_sa.h
+++ b/src/charon/sa/child_sa.h
@@ -14,7 +14,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: child_sa.h 4358 2008-09-25 13:56:23Z tobias $
+ * $Id: child_sa.h 4618 2008-11-11 09:22:00Z tobias $
  */
 
 /**
@@ -49,11 +49,21 @@ enum child_sa_state_t {
 	 */
 	CHILD_ROUTED,
 	
+	/**
+	 * Installing an in-use CHILD_SA
+	 */
+	CHILD_INSTALLING,
+	
 	/**
 	 * Installed an in-use CHILD_SA
 	 */
 	CHILD_INSTALLED,
 	
+	/**
+	 * While updating hosts, in update_hosts()
+	 */
+	CHILD_UPDATING,
+	
 	/**
 	 * CHILD_SA which is rekeying
 	 */
@@ -63,6 +73,11 @@ enum child_sa_state_t {
 	 * CHILD_SA in progress of delete
 	 */
 	CHILD_DELETING,
+	
+	/**
+	 * CHILD_SA object gets destroyed
+	 */
+	CHILD_DESTROYING,
 };
 
 /**
@@ -138,23 +153,41 @@ struct child_sa_t {
 	protocol_id_t (*get_protocol) (child_sa_t *this);
 	
 	/**
-	 * Get info and statistics about this CHILD_SA.
+	 * Get the IPsec mode of this CHILD_SA.
+	 *
+	 * @return			TUNNEL | TRANSPORT | BEET
+	 */
+	ipsec_mode_t (*get_mode)(child_sa_t *this);
+	
+	/**
+	 * Get the used IPComp algorithm.
+	 *
+	 * @return			IPComp compression algorithm.
+	 */
+	ipcomp_transform_t (*get_ipcomp)(child_sa_t *this);
+	
+	/**
+	 * Check if this CHILD_SA uses UDP encapsulation.
+	 *
+	 * @return			TRUE if SA encapsulates ESP packets
+	 */
+	bool (*has_encap)(child_sa_t *this);
+	
+	/**
+	 * Get the lifetime of the CHILD_SA.
 	 *
-	 * @param mode		mode this IKE_SA uses
-	 * @param encr_algo	encryption algorithm used by this CHILD_SA.
-	 * @param encr_len	key length of the algorithm, if any
-	 * @param int_algo	integrity algorithm used by this CHILD_SA
-	 * @param int_len	key length of the algorithm, if any
-	 * @param rekey		time when rekeying is scheduled
-	 * @param use_in	time when last traffic was seen coming in
-	 * @param use_out	time when last traffic was seen going out
-	 * @param use_fwd	time when last traffic was getting forwarded
+	 * @param hard		TRUE for hard lifetime, FALSE for soft (rekey) lifetime
+	 * @return			lifetime in seconds
 	 */
-	void (*get_stats)(child_sa_t *this, ipsec_mode_t *mode,
-					  encryption_algorithm_t *encr, size_t *encr_len,
-					  integrity_algorithm_t *int_algo, size_t *int_len,
-					  u_int32_t *rekey, u_int32_t *use_in, u_int32_t *use_out,
-					  u_int32_t *use_fwd);
+	u_int32_t (*get_lifetime)(child_sa_t *this, bool hard);
+	
+	/**
+	 * Get last use time of the CHILD_SA.
+	 *
+	 * @param inbound	TRUE for inbound traffic, FALSE for outbound
+	 * @return			time of last use in seconds
+	 */
+	u_int32_t (*get_usetime)(child_sa_t *this, bool inbound);
 	
 	/**
 	 * Allocate SPIs for given proposals.
@@ -174,12 +207,15 @@ struct child_sa_t {
 	 *
 	 * @param proposal	proposal for which SPIs are allocated
 	 * @param mode		mode for the CHILD_SA
-	 * @param prf_plus	key material to use for key derivation
+	 * @param integ_in	integrity key for inbound traffic
+	 * @param integ_out	integrity key for outbound traffic
+	 * @param encr_in	encryption key for inbound traffic
+	 * @param enc_out	encryption key for outbound traffic
 	 * @return			SUCCESS or FAILED
 	 */
 	status_t (*add)(child_sa_t *this, proposal_t *proposal, ipsec_mode_t mode,
-					prf_plus_t *prf_plus);
-	
+					chunk_t integ_in, chunk_t integ_out,
+					chunk_t encr_in, chunk_t encr_out);
 	/**
 	 * Install the kernel SAs for a proposal, after SPIs have been allocated.
 	 *
@@ -187,12 +223,22 @@ struct child_sa_t {
 	 *
 	 * @param proposal	proposal for which SPIs are allocated
 	 * @param mode		mode for the CHILD_SA
-	 * @param prf_plus	key material to use for key derivation
+	 * @param integ_in	integrity key for inbound traffic
+	 * @param integ_out	integrity key for outbound traffic
+	 * @param encr_in	encryption key for inbound traffic
+	 * @param enc_out	encryption key for outbound traffic
 	 * @return			SUCCESS or FAILED
 	 */
 	status_t (*update)(child_sa_t *this, proposal_t *proposal, ipsec_mode_t mode,
-					   prf_plus_t *prf_plus);
-
+					   chunk_t integ_in, chunk_t integ_out,
+					   chunk_t encr_in, chunk_t encr_out);
+	/**
+	 * Get the selected proposal passed to add()/update().
+	 *
+	 * @return			selected proposal
+	 */
+	proposal_t* (*get_proposal)(child_sa_t *this);
+	
 	/**
 	 * Update the hosts in the kernel SAs and policies.
 	 *
@@ -200,11 +246,12 @@ struct child_sa_t {
 	 *
 	 * @param me		the new local host
 	 * @param other		the new remote host
+	 * @param vip		virtual IP, if any
 	 * @param			TRUE to use UDP encapsulation for NAT traversal
 	 * @return			SUCCESS or FAILED
 	 */
 	status_t (*update_hosts)(child_sa_t *this, host_t *me, host_t *other,
-							 bool encap);
+							 host_t *vip, bool encap);
 	
 	/**
 	 * Install the policies using some traffic selectors.
@@ -231,13 +278,11 @@ struct child_sa_t {
 	linked_list_t* (*get_traffic_selectors) (child_sa_t *this, bool local);
 	
 	/**
-	 * Get the time of this child_sa_t's last use (i.e. last use of any of its policies)
-	 * 
-	 * @param inbound	query for in- or outbound usage
-	 * @param use_time	the time
-	 * @return			SUCCESS or FAILED
-	 */	
-	status_t (*get_use_time) (child_sa_t *this, bool inbound, time_t *use_time);
+	 * Create an enumerator over installed policies.
+	 *
+	 * @return			enumerator over pairs of traffic selectors.
+	 */
+	enumerator_t* (*create_policy_enumerator)(child_sa_t *this);
 	
 	/**
 	 * Get the state of the CHILD_SA.
@@ -258,16 +303,6 @@ struct child_sa_t {
 	 */
 	child_cfg_t* (*get_config) (child_sa_t *this);
 	
-	/**
-	 * Set the virtual IP used received from IRAS.
-	 *
-	 * To allow proper setup of firewall rules, the virtual IP is required
-	 * for filtering.
-	 *
-	 * @param ip		own virtual IP
-	 */
-	void (*set_virtual_ip) (child_sa_t *this, host_t *ip);
-	
 	/**
 	 * Activate IPComp by setting the transform ID and CPI values.
 	 * 
@@ -275,7 +310,7 @@ struct child_sa_t {
 	 * @param other_cpi	other Compression Parameter Index
 	 */
 	void (*activate_ipcomp) (child_sa_t *this, ipcomp_transform_t ipcomp,
-						u_int16_t other_cpi);
+							 u_int16_t other_cpi);
 	
 	/**
 	 * Returns the Compression Parameter Index (CPI) allocated from the kernel.
@@ -293,17 +328,16 @@ struct child_sa_t {
 /**
  * Constructor to create a new child_sa_t.
  *
- * @param me			own address
- * @param other			remote address
- * @param my_id			id of own peer
- * @param other_id		id of remote peer
- * @param config		config to use for this CHILD_SA
- * @param reqid			reqid of old CHILD_SA when rekeying, 0 otherwise
- * @param encap			TRUE to enable UDP encapsulation (NAT traversal)
- * @return				child_sa_t object
+ * @param me				own address
+ * @param other				remote address
+ * @param my_id				id of own peer
+ * @param other_id			id of remote peer
+ * @param config			config to use for this CHILD_SA
+ * @param reqid				reqid of old CHILD_SA when rekeying, 0 otherwise
+ * @param encap				TRUE to enable UDP encapsulation (NAT traversal)
+ * @return					child_sa_t object
  */
-child_sa_t * child_sa_create(host_t *me, host_t *other,
-							 identification_t *my_id, identification_t* other_id,
-							 child_cfg_t *config, u_int32_t reqid, bool encap);
+child_sa_t * child_sa_create(host_t *me, host_t *other, child_cfg_t *config,
+							 u_int32_t reqid, bool encap);
 
 #endif /*CHILD_SA_H_ @} */
diff --git a/src/charon/sa/connect_manager.c b/src/charon/sa/connect_manager.c
index d24ce8fc7..b9141ffc1 100644
--- a/src/charon/sa/connect_manager.c
+++ b/src/charon/sa/connect_manager.c
@@ -12,15 +12,15 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: connect_manager.c 4192 2008-07-18 15:51:40Z martin $
+ * $Id: connect_manager.c 4579 2008-11-05 11:29:56Z martin $
  */
 
 #include "connect_manager.h"
 
-#include <pthread.h>
 #include <math.h>
 
 #include <daemon.h>
+#include <utils/mutex.h>
 #include <utils/linked_list.h>
 #include <crypto/hashers/hasher.h>
 
@@ -59,7 +59,7 @@ struct private_connect_manager_t {
 	 /**
 	  * Lock for exclusivly accessing the manager.
 	  */
-	 pthread_mutex_t mutex;
+	 mutex_t *mutex;
 	 
 	 /**
 	  * Hasher to generate signatures
@@ -845,20 +845,20 @@ static job_requeue_t initiator_finish(callback_data_t *data)
 {
 	private_connect_manager_t *this = data->connect_manager;
 
-	pthread_mutex_lock(&(this->mutex));
+	this->mutex->lock(this->mutex);
 
 	check_list_t *checklist;
 	if (get_checklist_by_id(this, data->connect_id, &checklist) != SUCCESS)
 	{
 		DBG1(DBG_IKE, "checklist with id '%#B' not found, can't finish connectivity checks",
 				&data->connect_id);
-		pthread_mutex_unlock(&(this->mutex));
+		this->mutex->unlock(this->mutex);
 		return JOB_REQUEUE_NONE;
 	}
 	
 	finish_checks(this, checklist);
 	
-	pthread_mutex_unlock(&(this->mutex));
+	this->mutex->unlock(this->mutex);
 	
 	return JOB_REQUEUE_NONE;
 }
@@ -929,14 +929,14 @@ static job_requeue_t retransmit(callback_data_t *data)
 {
 	private_connect_manager_t *this = data->connect_manager;
 	
-	pthread_mutex_lock(&(this->mutex));
+	this->mutex->lock(this->mutex);
 
 	check_list_t *checklist;
 	if (get_checklist_by_id(this, data->connect_id, &checklist) != SUCCESS)
 	{
 		DBG1(DBG_IKE, "checklist with id '%#B' not found, can't retransmit connectivity check",
 				&data->connect_id);
-		pthread_mutex_unlock(&(this->mutex));
+		this->mutex->unlock(this->mutex);
 		return JOB_REQUEUE_NONE;
 	}
 	
@@ -980,7 +980,7 @@ retransmit_end:
 			break;
 	}
 	
-	pthread_mutex_unlock(&(this->mutex));
+	this->mutex->unlock(this->mutex);
 	
 	/* we reschedule it manually */
 	return JOB_REQUEUE_NONE;
@@ -1078,14 +1078,14 @@ static job_requeue_t sender(callback_data_t *data)
 {
 	private_connect_manager_t *this = data->connect_manager;
 
-	pthread_mutex_lock(&(this->mutex));
+	this->mutex->lock(this->mutex);
 	
 	check_list_t *checklist;
 	if (get_checklist_by_id(this, data->connect_id, &checklist) != SUCCESS)
 	{
 		DBG1(DBG_IKE, "checklist with id '%#B' not found, can't send connectivity check",
 				&data->connect_id);
-		pthread_mutex_unlock(&(this->mutex));
+		this->mutex->unlock(this->mutex);
 		return JOB_REQUEUE_NONE;
 	}
 	
@@ -1100,7 +1100,7 @@ static job_requeue_t sender(callback_data_t *data)
 		if (checklist->pairs->find_first(checklist->pairs,
 				(linked_list_match_t)match_waiting_pair, (void**)&pair) != SUCCESS)
 		{
-			pthread_mutex_unlock(&(this->mutex));
+			this->mutex->unlock(this->mutex);
 			DBG1(DBG_IKE, "no pairs in waiting state, aborting");
 			return JOB_REQUEUE_NONE;
 		}
@@ -1126,7 +1126,7 @@ static job_requeue_t sender(callback_data_t *data)
 	/* schedule this job again */
 	schedule_checks(this, checklist, ME_INTERVAL);
 	
-	pthread_mutex_unlock(&(this->mutex));
+	this->mutex->unlock(this->mutex);
 	
 	/* we reschedule it manually */
 	return JOB_REQUEUE_NONE;
@@ -1160,7 +1160,7 @@ static job_requeue_t initiate_mediated(initiate_data_t *data)
 			ike_sa_t *sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager, waiting_sa);
 			if (sa->initiate_mediated(sa, pair->local, pair->remote, checklist->connect_id) != SUCCESS)
 			{
-				SIG_IKE(UP_FAILED, "establishing the mediated connection failed");
+				DBG1(DBG_IKE, "establishing mediated connection failed");
 				charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, sa);
 			}
 			charon->ike_sa_manager->checkin(charon->ike_sa_manager, sa);
@@ -1345,7 +1345,7 @@ static void process_check(private_connect_manager_t *this, message_t *message)
 		return;
 	}
 	
-	pthread_mutex_lock(&(this->mutex));
+	this->mutex->lock(this->mutex);
 	
 	check_list_t *checklist;
 	if (get_checklist_by_id(this, check->connect_id, &checklist) != SUCCESS)
@@ -1353,7 +1353,7 @@ static void process_check(private_connect_manager_t *this, message_t *message)
 		DBG1(DBG_IKE, "checklist with id '%#B' not found",
 				&check->connect_id);
 		check_destroy(check);
-		pthread_mutex_unlock(&(this->mutex));
+		this->mutex->unlock(this->mutex);
 		return;
 	}
 	
@@ -1363,7 +1363,7 @@ static void process_check(private_connect_manager_t *this, message_t *message)
 		DBG1(DBG_IKE, "connectivity check verification failed");
 		check_destroy(check);
 		chunk_free(&sig);
-		pthread_mutex_unlock(&(this->mutex));
+		this->mutex->unlock(this->mutex);
 		return;
 	}
 	chunk_free(&sig);
@@ -1377,7 +1377,7 @@ static void process_check(private_connect_manager_t *this, message_t *message)
 		process_response(this, check, checklist);
 	}
 	
-	pthread_mutex_unlock(&(this->mutex));
+	this->mutex->unlock(this->mutex);
 	
 	check_destroy(check);
 }
@@ -1392,7 +1392,7 @@ static bool check_and_register(private_connect_manager_t *this,
 	initiated_t *initiated;
 	bool already_there = TRUE;
 
-	pthread_mutex_lock(&(this->mutex));
+	this->mutex->lock(this->mutex);
 
 	if (get_initiated_by_ids(this, id, peer_id, &initiated) != SUCCESS)
 	{
@@ -1408,7 +1408,7 @@ static bool check_and_register(private_connect_manager_t *this,
 		initiated->mediated->insert_last(initiated->mediated, mediated_sa->clone(mediated_sa));
 	}
 
-	pthread_mutex_unlock(&(this->mutex));
+	this->mutex->unlock(this->mutex);
 
 	return already_there;
 }
@@ -1421,12 +1421,12 @@ static void check_and_initiate(private_connect_manager_t *this, ike_sa_id_t *med
 {
 	initiated_t *initiated;
 
-	pthread_mutex_lock(&(this->mutex));
+	this->mutex->lock(this->mutex);
 
 	if (get_initiated_by_ids(this, id, peer_id, &initiated) != SUCCESS)
 	{
 		DBG2(DBG_IKE, "no waiting mediated connections with '%D'", peer_id);
-		pthread_mutex_unlock(&(this->mutex));
+		this->mutex->unlock(this->mutex);
 		return;
 	}
 	
@@ -1439,7 +1439,7 @@ static void check_and_initiate(private_connect_manager_t *this, ike_sa_id_t *med
 	}
 	iterator->destroy(iterator);
 
-	pthread_mutex_unlock(&(this->mutex));
+	this->mutex->unlock(this->mutex);
 }
 
 /**
@@ -1451,20 +1451,20 @@ static status_t set_initiator_data(private_connect_manager_t *this,
 {
 	check_list_t *checklist;
 	
-	pthread_mutex_lock(&(this->mutex));	
+	this->mutex->lock(this->mutex);	
 	
 	if (get_checklist_by_id(this, connect_id, NULL) == SUCCESS)
 	{
 		DBG1(DBG_IKE, "checklist with id '%#B' already exists, aborting",
 				&connect_id);
-		pthread_mutex_unlock(&(this->mutex));
+		this->mutex->unlock(this->mutex);
 		return FAILED;
 	}
 	
 	checklist = check_list_create(initiator, responder, connect_id, key, endpoints, is_initiator);
 	this->checklists->insert_last(this->checklists, checklist);
 	
-	pthread_mutex_unlock(&(this->mutex));
+	this->mutex->unlock(this->mutex);
 	
 	return SUCCESS;
 }
@@ -1477,13 +1477,13 @@ static status_t set_responder_data(private_connect_manager_t *this,
 {
 	check_list_t *checklist;
 
-	pthread_mutex_lock(&(this->mutex));
+	this->mutex->lock(this->mutex);
 	
 	if (get_checklist_by_id(this, connect_id, &checklist) != SUCCESS)
 	{
 		DBG1(DBG_IKE, "checklist with id '%#B' not found",
 				&connect_id);
-		pthread_mutex_unlock(&(this->mutex));
+		this->mutex->unlock(this->mutex);
 		return NOT_FOUND;
 	}
 	
@@ -1496,7 +1496,7 @@ static status_t set_responder_data(private_connect_manager_t *this,
 	/* send the first check immediately */
 	schedule_checks(this, checklist, 0);
 	
-	pthread_mutex_unlock(&(this->mutex));
+	this->mutex->unlock(this->mutex);
 	
 	return SUCCESS;
 }
@@ -1508,13 +1508,13 @@ static status_t stop_checks(private_connect_manager_t *this, chunk_t connect_id)
 {
 	check_list_t *checklist;
 
-	pthread_mutex_lock(&(this->mutex));
+	this->mutex->lock(this->mutex);
 	
 	if (get_checklist_by_id(this, connect_id, &checklist) != SUCCESS)
 	{
 		DBG1(DBG_IKE, "checklist with id '%#B' not found",
 				&connect_id);
-		pthread_mutex_unlock(&(this->mutex));
+		this->mutex->unlock(this->mutex);
 		return NOT_FOUND;
 	}
 	
@@ -1523,7 +1523,7 @@ static status_t stop_checks(private_connect_manager_t *this, chunk_t connect_id)
 	remove_checklist(this, checklist);
 	check_list_destroy(checklist);
 	
-	pthread_mutex_unlock(&(this->mutex));
+	this->mutex->unlock(this->mutex);
 	
 	return SUCCESS;
 }
@@ -1533,14 +1533,14 @@ static status_t stop_checks(private_connect_manager_t *this, chunk_t connect_id)
  */
 static void destroy(private_connect_manager_t *this)
 {
-	pthread_mutex_lock(&(this->mutex));
+	this->mutex->lock(this->mutex);
 	
 	this->hasher->destroy(this->hasher);
 	this->checklists->destroy_function(this->checklists, (void*)check_list_destroy);
 	this->initiated->destroy_function(this->initiated, (void*)initiated_destroy);
 	
-	pthread_mutex_unlock(&(this->mutex));	
-	pthread_mutex_destroy(&(this->mutex));
+	this->mutex->unlock(this->mutex);	
+	this->mutex->destroy(this->mutex);
 	free(this);
 }
 
@@ -1570,7 +1570,7 @@ connect_manager_t *connect_manager_create()
 	this->checklists = linked_list_create();
 	this->initiated = linked_list_create();
 	
-	pthread_mutex_init(&(this->mutex), NULL);
+	this->mutex = mutex_create(MUTEX_DEFAULT);
 	
 	return (connect_manager_t*)this;
 }
diff --git a/src/charon/sa/ike_sa.c b/src/charon/sa/ike_sa.c
index 7b2608e07..d9bb01c60 100644
--- a/src/charon/sa/ike_sa.c
+++ b/src/charon/sa/ike_sa.c
@@ -1,7 +1,7 @@
 /*
  * Copyright (C) 2006-2008 Tobias Brunner
  * Copyright (C) 2006 Daniel Roethlisberger
- * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005-2008 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
  *
@@ -15,7 +15,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: ike_sa.c 4394 2008-10-09 08:25:11Z martin $
+ * $Id: ike_sa.c 4652 2008-11-14 08:38:53Z martin $
  */
 
 #include <sys/time.h>
@@ -23,6 +23,7 @@
 #include <printf.h>
 #include <sys/stat.h>
 #include <errno.h>
+#include <time.h>
 
 #include "ike_sa.h"
 
@@ -30,17 +31,6 @@
 #include <daemon.h>
 #include <utils/linked_list.h>
 #include <utils/lexparser.h>
-#include <crypto/diffie_hellman.h>
-#include <crypto/prf_plus.h>
-#include <crypto/crypters/crypter.h>
-#include <crypto/hashers/hasher.h>
-#include <encoding/payloads/sa_payload.h>
-#include <encoding/payloads/nonce_payload.h>
-#include <encoding/payloads/ke_payload.h>
-#include <encoding/payloads/delete_payload.h>
-#include <encoding/payloads/transform_substructure.h>
-#include <encoding/payloads/transform_attribute.h>
-#include <encoding/payloads/ts_payload.h>
 #include <sa/task_manager.h>
 #include <sa/tasks/ike_init.h>
 #include <sa/tasks/ike_natd.h>
@@ -72,12 +62,13 @@
 #define RESOLV_CONF "/etc/resolv.conf"
 #endif
 
-ENUM(ike_sa_state_names, IKE_CREATED, IKE_DELETING,
+ENUM(ike_sa_state_names, IKE_CREATED, IKE_DESTROYING,
 	"CREATED",
 	"CONNECTING",
 	"ESTABLISHED",
 	"REKEYING",
 	"DELETING",
+	"DESTROYING",
 );
 
 typedef struct private_ike_sa_t private_ike_sa_t;
@@ -127,6 +118,11 @@ struct private_ike_sa_t {
 	 */
 	auth_info_t *other_auth;
 	
+	/**
+	 * Selected IKE proposal
+	 */
+	proposal_t *proposal;
+	
 	/**
 	 * Juggles tasks to process messages
 	 */
@@ -190,49 +186,9 @@ struct private_ike_sa_t {
 	linked_list_t *child_sas;
 	
 	/**
-	 * String describing the selected IKE proposal
-	 */
-	char *selected_proposal;
-
-	/**
-	 * crypter for inbound traffic
-	 */
-	crypter_t *crypter_in;
-	
-	/**
-	 * crypter for outbound traffic
-	 */
-	crypter_t *crypter_out;
-	
-	/**
-	 * Signer for inbound traffic
-	 */
-	signer_t *signer_in;
-	
-	/**
-	 * Signer for outbound traffic
+	 * keymat of this IKE_SA
 	 */
-	signer_t *signer_out;
-	
-	/**
-	 * Multi purpose prf, set key, use it, forget it
-	 */
-	prf_t *prf;
-	
-	/**
-	 * Prf function for derivating keymat child SAs
-	 */
-	prf_t *child_prf;
-	
-	/**
-	 * Key to build outging authentication data (SKp)
-	 */
-	chunk_t skp_build;
-
-	/**
-	 * Key to verify incoming authentication data (SKp)
-	 */
-	chunk_t skp_verify;
+	keymat_t *keymat;
 	
 	/**
 	 * Virtual IP on local host, if any
@@ -268,34 +224,26 @@ struct private_ike_sa_t {
 	 * NAT keep alive interval
 	 */
 	u_int32_t keepalive_interval;
-
+	
 	/**
 	 * Timestamps for this IKE_SA
 	 */
-	struct {
-		/** last IKE message received */
-		u_int32_t inbound;
-		/** last IKE message sent */
-		u_int32_t outbound;
-		/** when IKE_SA became established */
-		u_int32_t established;
-		/** when IKE_SA gets rekeyed */
-		u_int32_t rekey;
-		/** when IKE_SA gets reauthenticated */
-		u_int32_t reauth;
-		/** when IKE_SA gets deleted */
-		u_int32_t delete;
-	} time;
+	u_int32_t stats[STAT_MAX];
 	
 	/**
 	 * how many times we have retried so far (keyingtries)
 	 */
 	u_int32_t keyingtry;
-	
+
 	/**
-	 * are we the initiator of this IKE_SA (rekeying does not affect this flag)
+	 * local host address to be used for IKE, set via MIGRATE kernel message
 	 */
-	bool ike_initiator;
+	host_t *local_host;
+
+	/**
+	 * remote host address to be used for IKE, set via MIGRATE kernel message
+	 */
+	host_t *remote_host;
 };
 
 /**
@@ -303,28 +251,26 @@ struct private_ike_sa_t {
  */
 static time_t get_use_time(private_ike_sa_t* this, bool inbound)
 {
-	iterator_t *iterator;
+	enumerator_t *enumerator;
 	child_sa_t *child_sa;
-	time_t latest = 0, use_time;
-	
-	iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
-	while (iterator->iterate(iterator, (void**)&child_sa))
-	{
-		if (child_sa->get_use_time(child_sa, inbound, &use_time) == SUCCESS)
-		{
-			latest = max(latest, use_time);
-		}
-	}
-	iterator->destroy(iterator);
+	time_t use_time;
 	
 	if (inbound)
 	{
-		return max(this->time.inbound, latest);
+		use_time = this->stats[STAT_INBOUND];
 	}
 	else
 	{
-		return max(this->time.outbound, latest);
+		use_time = this->stats[STAT_OUTBOUND];
+	}
+	enumerator = this->child_sas->create_enumerator(this->child_sas);
+	while (enumerator->enumerate(enumerator, &child_sa))
+	{
+		use_time = max(use_time, child_sa->get_usetime(child_sa, inbound));
 	}
+	enumerator->destroy(enumerator);
+	
+	return use_time;
 }
 
 /**
@@ -352,24 +298,9 @@ static char *get_name(private_ike_sa_t *this)
  */
 static u_int32_t get_statistic(private_ike_sa_t *this, statistic_t kind)
 {
-	time_t now = time(NULL);
-	
-	switch (kind)
+	if (kind < STAT_MAX)
 	{
-		case STAT_REKEY_TIME:
-			if (this->time.rekey > now)
-			{
-				return this->time.rekey - now;
-			}
-			break;
-		case STAT_REAUTH_TIME:
-			if (this->time.reauth > now)
-			{
-				return this->time.reauth - now;
-			}
-			break;
-		default:
-			break;
+		return this->stats[kind];
 	}
 	return 0;
 }
@@ -461,6 +392,23 @@ static auth_info_t* get_other_auth(private_ike_sa_t *this)
 	return this->other_auth;
 }
 
+/**
+ * Implementation of ike_sa_t.get_proposal
+ */
+static proposal_t* get_proposal(private_ike_sa_t *this)
+{
+	return this->proposal;
+}
+
+/**
+ * Implementation of ike_sa_t.set_proposal
+ */
+static void set_proposal(private_ike_sa_t *this, proposal_t *proposal)
+{
+	DESTROY_IF(this->proposal);
+	this->proposal = proposal->clone(proposal);
+}
+
 /**
  * Implementation of ike_sa_t.send_keepalive
  */
@@ -517,14 +465,6 @@ static void set_ike_cfg(private_ike_sa_t *this, ike_cfg_t *ike_cfg)
 	this->ike_cfg = ike_cfg;
 }
 
-/**
- * Implementation of ike_sa_t.is_ike_initiator
- */
-static bool is_ike_initiator(private_ike_sa_t *this)
-{
-	return this->ike_initiator;
-}
-
 /**
  * Implementation of ike_sa_t.enable_extension.
  */
@@ -687,47 +627,48 @@ static void set_state(private_ike_sa_t *this, ike_sa_state_t state)
 				u_int32_t t;
 			
 				/* calculate rekey, reauth and lifetime */
-				this->time.established = time(NULL);
+				this->stats[STAT_ESTABLISHED] = time(NULL);
 				
 				/* schedule rekeying if we have a time which is smaller than
 				 * an already scheduled rekeying */
 				t = this->peer_cfg->get_rekey_time(this->peer_cfg);
-				if (t && (this->time.rekey == 0 || 
-					(this->time.rekey > t + this->time.established)))
+				if (t && (this->stats[STAT_REKEY] == 0 || 
+					(this->stats[STAT_REKEY] > t + this->stats[STAT_ESTABLISHED])))
 				{
-					this->time.rekey = t + this->time.established;
+					this->stats[STAT_REKEY] = t + this->stats[STAT_ESTABLISHED];
 					job = (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, FALSE);
 					charon->scheduler->schedule_job(charon->scheduler,
 													job, t * 1000);
 					DBG1(DBG_IKE, "scheduling rekeying in %ds", t);
 				}
 				t = this->peer_cfg->get_reauth_time(this->peer_cfg);
-				if (t && (this->time.reauth == 0 || 
-					(this->time.reauth > t + this->time.established)))
+				if (t && (this->stats[STAT_REAUTH] == 0 || 
+					(this->stats[STAT_REAUTH] > t + this->stats[STAT_ESTABLISHED])))
 				{
-					this->time.reauth = t + this->time.established;
+					this->stats[STAT_REAUTH] = t + this->stats[STAT_ESTABLISHED];
 					job = (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE);
 					charon->scheduler->schedule_job(charon->scheduler,
 													job, t * 1000);
 					DBG1(DBG_IKE, "scheduling reauthentication in %ds", t);
 				}
 				t = this->peer_cfg->get_over_time(this->peer_cfg);
-				if (this->time.rekey || this->time.reauth)
+				if (this->stats[STAT_REKEY] || this->stats[STAT_REAUTH])
 				{
-					if (this->time.reauth == 0)
+					if (this->stats[STAT_REAUTH] == 0)
 					{
-						this->time.delete = this->time.rekey;
+						this->stats[STAT_DELETE] = this->stats[STAT_REKEY];
 					}
-					else if (this->time.rekey == 0)
+					else if (this->stats[STAT_REKEY] == 0)
 					{
-						this->time.delete = this->time.reauth;
+						this->stats[STAT_DELETE] = this->stats[STAT_REAUTH];
 					}
 					else
 					{
-						this->time.delete = min(this->time.rekey, this->time.reauth);
+						this->stats[STAT_DELETE] = min(this->stats[STAT_REKEY],
+													   this->stats[STAT_REAUTH]);
 					}
-					this->time.delete += t;
-					t = this->time.delete - this->time.established;
+					this->stats[STAT_DELETE] += t;
+					t = this->stats[STAT_DELETE] - this->stats[STAT_ESTABLISHED];
 					job = (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE);
 					charon->scheduler->schedule_job(charon->scheduler, job,
 													t * 1000);
@@ -750,7 +691,7 @@ static void set_state(private_ike_sa_t *this, ike_sa_state_t state)
 		default:
 			break;
 	}
-	
+	charon->bus->ike_state_change(charon->bus, &this->public, state);
 	this->state = state;
 }
 
@@ -770,6 +711,14 @@ static void reset(private_ike_sa_t *this)
 	this->task_manager->reset(this->task_manager);
 }
 
+/**
+ * Implementation of ike_sa_t.get_keymat
+ */
+static keymat_t* get_keymat(private_ike_sa_t *this)
+{
+	return this->keymat;
+}
+
 /**
  * Implementation of ike_sa_t.set_virtual_ip
  */
@@ -925,8 +874,14 @@ static void update_hosts(private_ike_sa_t *this, host_t *me, host_t *other)
 		iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
 		while (iterator->iterate(iterator, (void**)&child_sa))
 		{
-			child_sa->update_hosts(child_sa, this->my_host, this->other_host,
-								   has_condition(this, COND_NAT_ANY));
+			if (child_sa->update_hosts(child_sa, this->my_host,
+						this->other_host, this->my_virtual_ip,
+						has_condition(this, COND_NAT_ANY)) == NOT_SUPPORTED)
+			{
+				this->public.rekey_child_sa(&this->public,
+						child_sa->get_protocol(child_sa),
+						child_sa->get_spi(child_sa, TRUE));
+			}
 		}
 		iterator->destroy(iterator);
 	}
@@ -938,9 +893,11 @@ static void update_hosts(private_ike_sa_t *this, host_t *me, host_t *other)
 static status_t generate_message(private_ike_sa_t *this, message_t *message,
 								 packet_t **packet)
 {
-	this->time.outbound = time(NULL);
+	this->stats[STAT_OUTBOUND] = time(NULL);
 	message->set_ike_sa_id(message, this->ike_sa_id);
-	return message->generate(message, this->crypter_out, this->signer_out, packet);
+	return message->generate(message,
+				this->keymat->get_crypter(this->keymat, FALSE),
+				this->keymat->get_signer(this->keymat, FALSE), packet);
 }
 
 /**
@@ -978,6 +935,17 @@ static void send_notify_response(private_ike_sa_t *this, message_t *request,
 	response->destroy(response);
 }
 
+/**
+ * Implementation of ike_sa_t.set_kmaddress.
+ */
+static void set_kmaddress(private_ike_sa_t *this, host_t *local, host_t *remote)
+{
+	DESTROY_IF(this->local_host);
+	DESTROY_IF(this->remote_host);
+	this->local_host = local->clone(local);
+	this->remote_host = remote->clone(remote);
+}
+
 #ifdef ME
 /**
  * Implementation of ike_sa_t.act_as_mediation_server.
@@ -1082,26 +1050,42 @@ static void resolve_hosts(private_ike_sa_t *this)
 {
 	host_t *host;
 	
-	host = host_create_from_dns(this->ike_cfg->get_other_addr(this->ike_cfg),
-								0, IKEV2_UDP_PORT);
+	if (this->remote_host)
+	{
+		host = this->remote_host->clone(this->remote_host);
+		host->set_port(host, IKEV2_UDP_PORT);
+	}
+	else
+	{
+		host = host_create_from_dns(this->ike_cfg->get_other_addr(this->ike_cfg),
+									0, IKEV2_UDP_PORT);
+	}
 	if (host)
 	{
 		set_other_host(this, host);
 	}
 	
-	host = host_create_from_dns(this->ike_cfg->get_my_addr(this->ike_cfg),
-								this->my_host->get_family(this->my_host),
-								IKEV2_UDP_PORT);
-	
-	if (host && host->is_anyaddr(host) &&
-		!this->other_host->is_anyaddr(this->other_host))
+	if (this->local_host)
 	{
-		host->destroy(host);
-		host = charon->kernel_interface->get_source_addr(
-							charon->kernel_interface, this->other_host, NULL);
-		if (host)
+		host = this->local_host->clone(this->local_host);
+		host->set_port(host, IKEV2_UDP_PORT);
+	}
+	else
+	{
+		host = host_create_from_dns(this->ike_cfg->get_my_addr(this->ike_cfg),
+									this->my_host->get_family(this->my_host),
+									IKEV2_UDP_PORT);
+	
+		if (host && host->is_anyaddr(host) &&
+			!this->other_host->is_anyaddr(this->other_host))
 		{
-			host->set_port(host, IKEV2_UDP_PORT);
+			host->destroy(host);
+			host = charon->kernel_interface->get_source_addr(
+							charon->kernel_interface, this->other_host, NULL);
+			if (host)
+			{
+				host->set_port(host, IKEV2_UDP_PORT);
+			}
 		}
 	}
 	if (host)
@@ -1128,12 +1112,11 @@ static status_t initiate_with_reqid(private_ike_sa_t *this, child_cfg_t *child_c
 			)
 		{
 			child_cfg->destroy(child_cfg);
-			SIG_IKE(UP_START, "initiating IKE_SA");
-			SIG_IKE(UP_FAILED, "unable to initiate to %%any");
+			DBG1(DBG_IKE, "unable to initiate to %%any");
 			return DESTROY_ME;
 		}
 		
-		this->ike_initiator = TRUE;
+		set_condition(this, COND_ORIGINAL_INITIATOR, TRUE);
 		
 		task = (task_t*)ike_init_create(&this->public, TRUE, NULL);
 		this->task_manager->queue_task(this->task_manager, task);
@@ -1163,10 +1146,12 @@ static status_t initiate_with_reqid(private_ike_sa_t *this, child_cfg_t *child_c
 #ifdef ME
 	if (this->peer_cfg->is_mediation(this->peer_cfg))
 	{
-		/* mediation connection */
 		if (this->state == IKE_ESTABLISHED)
-		{	/* FIXME: we should try to find a better solution to this */
-			SIG_CHD(UP_SUCCESS, NULL, "mediation connection is already up and running");
+		{
+			/* mediation connection is already established, retrigger state change
+			 * to notify bus listeners */
+			DBG1(DBG_IKE, "mediation connection is already up");
+			set_state(this, IKE_ESTABLISHED);
 		}
 		DESTROY_IF(child_cfg);
 	}
@@ -1216,9 +1201,8 @@ static status_t acquire(private_ike_sa_t *this, u_int32_t reqid)
 	
 	if (this->state == IKE_DELETING)
 	{
-		SIG_CHD(UP_START, NULL, "acquiring CHILD_SA on kernel request");
-		SIG_CHD(UP_FAILED, NULL, "acquiring CHILD_SA {reqid %d} failed: "
-			"IKE_SA is deleting", reqid);
+		DBG1(DBG_IKE, "acquiring CHILD_SA {reqid %d} failed: "
+			 "IKE_SA is deleting", reqid);
 		return FAILED;
 	}
 	
@@ -1235,9 +1219,8 @@ static status_t acquire(private_ike_sa_t *this, u_int32_t reqid)
 	iterator->destroy(iterator);
 	if (!child_sa)
 	{
-		SIG_CHD(UP_START, NULL, "acquiring CHILD_SA on kernel request");
-		SIG_CHD(UP_FAILED, NULL, "acquiring CHILD_SA {reqid %d} failed: "
-			"CHILD_SA not found", reqid);
+		DBG1(DBG_IKE, "acquiring CHILD_SA {reqid %d} failed: "
+			 "CHILD_SA not found", reqid);
 		return FAILED;
 	}
 	
@@ -1258,8 +1241,6 @@ static status_t route(private_ike_sa_t *this, child_cfg_t *child_cfg)
 	host_t *me, *other;
 	status_t status;
 	
-	SIG_CHD(ROUTE_START, NULL, "routing CHILD_SA");
-	
 	/* check if not already routed*/
 	iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
 	while (iterator->iterate(iterator, (void**)&child_sa))
@@ -1268,7 +1249,7 @@ static status_t route(private_ike_sa_t *this, child_cfg_t *child_cfg)
 			streq(child_sa->get_name(child_sa), child_cfg->get_name(child_cfg)))
 		{
 			iterator->destroy(iterator);
-			SIG_CHD(ROUTE_FAILED, child_sa, "CHILD_SA with such a config already routed");
+			DBG1(DBG_IKE, "routing CHILD_SA failed: already routed");
 			return FAILED;
 		}
 	}
@@ -1278,8 +1259,8 @@ static status_t route(private_ike_sa_t *this, child_cfg_t *child_cfg)
 	{
 		case IKE_DELETING:
 		case IKE_REKEYING:
-			SIG_CHD(ROUTE_FAILED, NULL, 
-				"unable to route CHILD_SA, as its IKE_SA gets deleted");
+			DBG1(DBG_IKE, "routing CHILD_SA failed: IKE_SA is %N",
+				 ike_sa_state_names, this->state);
 			return FAILED;
 		case IKE_CREATED:
 		case IKE_CONNECTING:
@@ -1291,8 +1272,8 @@ static status_t route(private_ike_sa_t *this, child_cfg_t *child_cfg)
 	resolve_hosts(this);
 
 	/* install kernel policies */
-	child_sa = child_sa_create(this->my_host, this->other_host, this->my_id,
-							   this->other_id, child_cfg, 0, FALSE);
+	child_sa = child_sa_create(this->my_host, this->other_host,
+							   child_cfg, 0, FALSE);
 	me = this->my_host;
 	if (this->my_virtual_ip)
 	{
@@ -1306,18 +1287,21 @@ static status_t route(private_ike_sa_t *this, child_cfg_t *child_cfg)
 	
 	my_ts = child_cfg->get_traffic_selectors(child_cfg, TRUE, NULL, me);
 	other_ts = child_cfg->get_traffic_selectors(child_cfg, FALSE, NULL, other);
+
 	status = child_sa->add_policies(child_sa, my_ts, other_ts,
-									child_cfg->get_mode(child_cfg), PROTO_NONE);
+							child_cfg->get_mode(child_cfg),	PROTO_NONE);
+
 	my_ts->destroy_offset(my_ts, offsetof(traffic_selector_t, destroy));
 	other_ts->destroy_offset(other_ts, offsetof(traffic_selector_t, destroy));
 	if (status == SUCCESS)
 	{
 		this->child_sas->insert_last(this->child_sas, child_sa);
-		SIG_CHD(ROUTE_SUCCESS, child_sa, "CHILD_SA routed");
+		DBG1(DBG_IKE, "CHILD_SA routed");
 	}
 	else
 	{
-		SIG_CHD(ROUTE_FAILED, child_sa, "routing CHILD_SA failed");
+		child_sa->destroy(child_sa);
+		DBG1(DBG_IKE, "routing CHILD_SA failed");
 	}
 	return status;
 }
@@ -1331,8 +1315,6 @@ static status_t unroute(private_ike_sa_t *this, u_int32_t reqid)
 	child_sa_t *child_sa;
 	bool found = FALSE;
 	
-	SIG_CHD(UNROUTE_START, NULL, "unrouting CHILD_SA");
-	
 	/* find CHILD_SA in ROUTED state */
 	iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
 	while (iterator->iterate(iterator, (void**)&child_sa))
@@ -1341,7 +1323,7 @@ static status_t unroute(private_ike_sa_t *this, u_int32_t reqid)
 			child_sa->get_reqid(child_sa) == reqid)
 		{
 			iterator->remove(iterator);
-			SIG_CHD(UNROUTE_SUCCESS, child_sa, "CHILD_SA unrouted");
+			DBG1(DBG_IKE, "CHILD_SA unrouted");
 			child_sa->destroy(child_sa);
 			found = TRUE;
 			break;
@@ -1351,7 +1333,7 @@ static status_t unroute(private_ike_sa_t *this, u_int32_t reqid)
 	
 	if (!found)
 	{
-		SIG_CHD(UNROUTE_FAILED, NULL, "CHILD_SA to unroute not found");
+		DBG1(DBG_IKE, "unrouting CHILD_SA failed: reqid %d not found", reqid);
 		return FAILED;
 	}
 	/* if we are not established, and we have no more routed childs, remove whole SA */
@@ -1362,6 +1344,7 @@ static status_t unroute(private_ike_sa_t *this, u_int32_t reqid)
 	}
 	return SUCCESS;
 }
+
 /**
  * Implementation of ike_sa_t.process_message.
  */
@@ -1372,7 +1355,9 @@ static status_t process_message(private_ike_sa_t *this, message_t *message)
 	
 	is_request = message->get_request(message);
 	
-	status = message->parse_body(message, this->crypter_in, this->signer_in);
+	status = message->parse_body(message,
+								 this->keymat->get_crypter(this->keymat, TRUE),
+								 this->keymat->get_signer(this->keymat, TRUE));
 	if (status != SUCCESS)
 	{
 		
@@ -1431,7 +1416,7 @@ static status_t process_message(private_ike_sa_t *this, message_t *message)
 		
 		me = message->get_destination(message);
 		other = message->get_source(message);
-	
+
 		/* if this IKE_SA is virgin, we check for a config */
 		if (this->ike_cfg == NULL)
 		{
@@ -1451,7 +1436,7 @@ static status_t process_message(private_ike_sa_t *this, message_t *message)
 			charon->scheduler->schedule_job(charon->scheduler, job,
 											HALF_OPEN_IKE_SA_TIMEOUT);
 		}
-		this->time.inbound = time(NULL);
+		this->stats[STAT_INBOUND] = time(NULL);
 		/* check if message is trustworthy, and update host information */
 		if (this->state == IKE_CREATED || this->state == IKE_CONNECTING ||
 			message->get_exchange_type(message) != IKE_SA_INIT)
@@ -1509,38 +1494,6 @@ static status_t process_message(private_ike_sa_t *this, message_t *message)
 	}
 }
 
-/**
- * Implementation of ike_sa_t.get_prf.
- */
-static prf_t *get_prf(private_ike_sa_t *this)
-{
-	return this->prf;
-}
-
-/**
- * Implementation of ike_sa_t.get_prf.
- */
-static prf_t *get_child_prf(private_ike_sa_t *this)
-{
-	return this->child_prf;
-}
-
-/**
- * Implementation of ike_sa_t.get_skp_bild
- */
-static chunk_t get_skp_build(private_ike_sa_t *this)
-{
-	return this->skp_build;
-}
-
-/**
- * Implementation of ike_sa_t.get_skp_verify
- */
-static chunk_t get_skp_verify(private_ike_sa_t *this)
-{
-	return this->skp_verify;
-}
-
 /**
  * Implementation of ike_sa_t.get_id.
  */
@@ -1600,230 +1553,6 @@ static void set_eap_identity(private_ike_sa_t *this, identification_t *id)
 	this->eap_identity = id;
 }
 
-/**
- * Implementation of ike_sa_t.derive_keys.
- */
-static status_t derive_keys(private_ike_sa_t *this,
-							proposal_t *proposal, chunk_t secret,
-							chunk_t nonce_i, chunk_t nonce_r,
-							bool initiator, prf_t *child_prf, prf_t *old_prf)
-{
-	prf_plus_t *prf_plus;
-	chunk_t skeyseed, key, full_nonce, fixed_nonce, prf_plus_seed;
-	u_int16_t alg, key_size;
-	crypter_t *crypter_i, *crypter_r;
-	signer_t *signer_i, *signer_r;
-	u_int8_t spi_i_buf[sizeof(u_int64_t)], spi_r_buf[sizeof(u_int64_t)];
-	chunk_t spi_i = chunk_from_buf(spi_i_buf);
-	chunk_t spi_r = chunk_from_buf(spi_r_buf);
-	
-	/* Create SAs general purpose PRF first, we may use it here */
-	if (!proposal->get_algorithm(proposal, PSEUDO_RANDOM_FUNCTION, &alg, NULL))
-	{
-		DBG1(DBG_IKE, "no %N selected",
-			 transform_type_names, PSEUDO_RANDOM_FUNCTION);
-		return FAILED;
-	}
-	this->prf = lib->crypto->create_prf(lib->crypto, alg);
-	if (this->prf == NULL)
-	{
-		DBG1(DBG_IKE, "%N %N not supported!",
-			 transform_type_names, PSEUDO_RANDOM_FUNCTION,
-			 pseudo_random_function_names, alg);
-		return FAILED;
-	}
-	DBG4(DBG_IKE, "shared Diffie Hellman secret %B", &secret);
-	/* full nonce is used as seed for PRF+ ... */
-	full_nonce = chunk_cat("cc", nonce_i, nonce_r);
-	/* but the PRF may need a fixed key which only uses the first bytes of
-	 * the nonces. */
-	switch (alg)
-	{
-		case PRF_AES128_XCBC:
-			/* while rfc4434 defines variable keys for AES-XCBC, rfc3664 does
-			 * not and therefore fixed key semantics apply to XCBC for key
-			 * derivation. */
-			nonce_i.len = min(nonce_i.len, this->prf->get_key_size(this->prf)/2);
-			nonce_r.len = min(nonce_r.len, this->prf->get_key_size(this->prf)/2);
-			break;
-		default:
-			/* all other algorithms use variable key length, full nonce */
-			break;
-	}
-	fixed_nonce = chunk_cat("cc", nonce_i, nonce_r);
-	*((u_int64_t*)spi_i.ptr) = this->ike_sa_id->get_initiator_spi(this->ike_sa_id);
-	*((u_int64_t*)spi_r.ptr) = this->ike_sa_id->get_responder_spi(this->ike_sa_id);
-	prf_plus_seed = chunk_cat("ccc", full_nonce, spi_i, spi_r);
-	
-	/* KEYMAT = prf+ (SKEYSEED, Ni | Nr | SPIi | SPIr) 
-	 *
-	 * if we are rekeying, SKEYSEED is built on another way
-	 */
-	if (child_prf == NULL) /* not rekeying */
-	{
-		/* SKEYSEED = prf(Ni | Nr, g^ir) */
-		this->prf->set_key(this->prf, fixed_nonce);
-		this->prf->allocate_bytes(this->prf, secret, &skeyseed);
-		DBG4(DBG_IKE, "SKEYSEED %B", &skeyseed);
-		this->prf->set_key(this->prf, skeyseed);
-		chunk_free(&skeyseed);
-		chunk_free(&secret);
-		prf_plus = prf_plus_create(this->prf, prf_plus_seed);
-	}
-	else
-	{
-		/* SKEYSEED = prf(SK_d (old), [g^ir (new)] | Ni | Nr) 
-		 * use OLD SAs PRF functions for both prf_plus and prf */
-		secret = chunk_cat("mc", secret, full_nonce);
-		child_prf->allocate_bytes(child_prf, secret, &skeyseed);
-		DBG4(DBG_IKE, "SKEYSEED %B", &skeyseed);
-		old_prf->set_key(old_prf, skeyseed);
-		chunk_free(&skeyseed);
-		chunk_free(&secret);
-		prf_plus = prf_plus_create(old_prf, prf_plus_seed);
-	}
-	chunk_free(&full_nonce);
-	chunk_free(&fixed_nonce);
-	chunk_free(&prf_plus_seed);
-	
-	/* KEYMAT = SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr */
-	
-	/* SK_d is used for generating CHILD_SA key mat => child_prf */
-	proposal->get_algorithm(proposal, PSEUDO_RANDOM_FUNCTION, &alg, NULL);
-	this->child_prf = lib->crypto->create_prf(lib->crypto, alg);
-	key_size = this->child_prf->get_key_size(this->child_prf);
-	prf_plus->allocate_bytes(prf_plus, key_size, &key);
-	DBG4(DBG_IKE, "Sk_d secret %B", &key);
-	this->child_prf->set_key(this->child_prf, key);
-	chunk_free(&key);
-	
-	/* SK_ai/SK_ar used for integrity protection => signer_in/signer_out */
-	if (!proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM, &alg, NULL))
-	{
-		DBG1(DBG_IKE, "no %N selected",
-			 transform_type_names, INTEGRITY_ALGORITHM);
-		return FAILED;
-	}
-	signer_i = lib->crypto->create_signer(lib->crypto, alg);
-	signer_r = lib->crypto->create_signer(lib->crypto, alg);
-	if (signer_i == NULL || signer_r == NULL)
-	{
-		DBG1(DBG_IKE, "%N %N not supported!",
-			 transform_type_names, INTEGRITY_ALGORITHM,
-			 integrity_algorithm_names ,alg);
-		prf_plus->destroy(prf_plus);
-		return FAILED;
-	}
-	key_size = signer_i->get_key_size(signer_i);
-	
-	prf_plus->allocate_bytes(prf_plus, key_size, &key);
-	DBG4(DBG_IKE, "Sk_ai secret %B", &key);
-	signer_i->set_key(signer_i, key);
-	chunk_free(&key);
-	
-	prf_plus->allocate_bytes(prf_plus, key_size, &key);
-	DBG4(DBG_IKE, "Sk_ar secret %B", &key);
-	signer_r->set_key(signer_r, key);
-	chunk_free(&key);
-	
-	if (initiator)
-	{
-		this->signer_in = signer_r;
-		this->signer_out = signer_i;
-	}
-	else
-	{
-		this->signer_in = signer_i;
-		this->signer_out = signer_r;
-	}
-	
-	/* SK_ei/SK_er used for encryption => crypter_in/crypter_out */
-	if (!proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, &alg, &key_size))
-	{
-		DBG1(DBG_IKE, "no %N selected",
-			 transform_type_names, ENCRYPTION_ALGORITHM);
-		prf_plus->destroy(prf_plus);
-		return FAILED;
-	}
-	crypter_i = lib->crypto->create_crypter(lib->crypto, alg, key_size / 8);
-	crypter_r = lib->crypto->create_crypter(lib->crypto, alg, key_size / 8);
-	if (crypter_i == NULL || crypter_r == NULL)
-	{
-		DBG1(DBG_IKE, "%N %N (key size %d) not supported!",
-			 transform_type_names, ENCRYPTION_ALGORITHM,
-			 encryption_algorithm_names, alg, key_size);
-		prf_plus->destroy(prf_plus);
-		return FAILED;
-	}
-	key_size = crypter_i->get_key_size(crypter_i);
-	
-	prf_plus->allocate_bytes(prf_plus, key_size, &key);
-	DBG4(DBG_IKE, "Sk_ei secret %B", &key);
-	crypter_i->set_key(crypter_i, key);
-	chunk_free(&key);
-	
-	prf_plus->allocate_bytes(prf_plus, key_size, &key);
-	DBG4(DBG_IKE, "Sk_er secret %B", &key);
-	crypter_r->set_key(crypter_r, key);
-	chunk_free(&key);
-	
-	if (initiator)
-	{
-		this->crypter_in = crypter_r;
-		this->crypter_out = crypter_i;
-	}
-	else
-	{
-		this->crypter_in = crypter_i;
-		this->crypter_out = crypter_r;
-	}
-	
-	/* SK_pi/SK_pr used for authentication => stored for later */	
-	key_size = this->prf->get_key_size(this->prf);
-	prf_plus->allocate_bytes(prf_plus, key_size, &key);
-	DBG4(DBG_IKE, "Sk_pi secret %B", &key);
-	if (initiator)
-	{
-		this->skp_build = key;
-	}
-	else
-	{
-		this->skp_verify = key;
-	}
-	prf_plus->allocate_bytes(prf_plus, key_size, &key);
-	DBG4(DBG_IKE, "Sk_pr secret %B", &key);
-	if (initiator)
-	{
-		this->skp_verify = key;
-	}
-	else
-	{
-		this->skp_build = key;
-	}
-	
-	/* all done, prf_plus not needed anymore */
-	prf_plus->destroy(prf_plus);
-	
-	return SUCCESS;
-}
-
-/**
- * Implementation of ike_sa_t.get_proposal.
- */
-static char* get_proposal(private_ike_sa_t *this)
-{
-	return this->selected_proposal;
-}
-
-/**
- * Implementation of ike_sa_t.set_proposal.
- */
-static void set_proposal(private_ike_sa_t *this, char *proposal)
-{
-	free(this->selected_proposal);
-	this->selected_proposal = strdup(proposal);
-}
-
 /**
  * Implementation of ike_sa_t.add_child_sa.
  */
@@ -1939,10 +1668,10 @@ static status_t delete_(private_ike_sa_t *this)
 			this->task_manager->queue_task(this->task_manager, &ike_delete->task);
 			return this->task_manager->initiate(this->task_manager);
 		case IKE_CREATED:
-			SIG_IKE(DOWN_SUCCESS, "deleting unestablished IKE_SA");
+			DBG1(DBG_IKE, "deleting unestablished IKE_SA");
 			break;
 		default:
-			SIG_IKE(DOWN_SUCCESS, "destroying IKE_SA in state %N "
+			DBG1(DBG_IKE, "destroying IKE_SA in state %N "
 				"without notification", ike_sa_state_names, this->state);
 			break;
 	}
@@ -1972,7 +1701,7 @@ static status_t reauth(private_ike_sa_t *this)
 	/* we can't reauthenticate as responder when we use EAP or virtual IPs.
 	 * If the peer does not support RFC4478, there is no way to keep the
 	 * IKE_SA up. */
-	if (!this->ike_initiator)
+	if (!has_condition(this, COND_ORIGINAL_INITIATOR))
 	{
 		DBG1(DBG_IKE, "initiator did not reauthenticate as requested");
 		if (this->other_virtual_ip != NULL ||
@@ -1985,7 +1714,8 @@ static status_t reauth(private_ike_sa_t *this)
 		{
 			time_t now = time(NULL);
 			
-			DBG1(DBG_IKE, "IKE_SA will timeout in %#V", &now, &this->time.delete);
+			DBG1(DBG_IKE, "IKE_SA will timeout in %#V",
+				 &now, &this->stats[STAT_DELETE]);
 			return FAILED;
 		}
 		else
@@ -2049,7 +1779,7 @@ static status_t reestablish(private_ike_sa_t *this)
 	}
 	
 	/* check if we are able to reestablish this IKE_SA */
-	if (!this->ike_initiator &&
+	if (!has_condition(this, COND_ORIGINAL_INITIATOR) &&
 		(this->other_virtual_ip != NULL ||
 		 has_condition(this, COND_EAP_AUTHENTICATED)
 #ifdef ME
@@ -2133,7 +1863,7 @@ static status_t reestablish(private_ike_sa_t *this)
  */
 static status_t retransmit(private_ike_sa_t *this, u_int32_t message_id)
 {
-	this->time.outbound = time(NULL);
+	this->stats[STAT_OUTBOUND] = time(NULL);
 	if (this->task_manager->retransmit(this->task_manager, message_id) != SUCCESS)
 	{
 		/* send a proper signal to brief interested bus listeners */
@@ -2146,19 +1876,19 @@ static status_t retransmit(private_ike_sa_t *this, u_int32_t message_id)
 				this->keyingtry++;
 				if (tries == 0 || tries > this->keyingtry)
 				{
-					SIG_IKE(UP_FAILED, "peer not responding, trying again "
-						"(%d/%d) in background ", this->keyingtry + 1, tries);
+					DBG1(DBG_IKE, "peer not responding, trying again (%d/%d)",
+						 this->keyingtry + 1, tries);
 					reset(this);
 					return this->task_manager->initiate(this->task_manager);
 				}
-				SIG_IKE(UP_FAILED, "establishing IKE_SA failed, peer not responding");
+				DBG1(DBG_IKE, "establishing IKE_SA failed, peer not responding");
 				break;
 			}
 			case IKE_DELETING:
-				SIG_IKE(DOWN_FAILED, "proper IKE_SA delete failed, peer not responding");
+				DBG1(DBG_IKE, "proper IKE_SA delete failed, peer not responding");
 				break;
 			case IKE_REKEYING:
-				SIG_IKE(REKEY_FAILED, "rekeying IKE_SA failed, peer not responding");
+				DBG1(DBG_IKE, "rekeying IKE_SA failed, peer not responding");
 				/* FALL */
 			default:
 				reestablish(this);
@@ -2184,9 +1914,10 @@ static void set_auth_lifetime(private_ike_sa_t *this, u_int32_t lifetime)
 		charon->processor->queue_job(charon->processor,
 		 			(job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE));
 	}
-	else if (this->time.reauth == 0 || this->time.reauth > reauth_time) 
+	else if (this->stats[STAT_REAUTH] == 0 ||
+			 this->stats[STAT_REAUTH] > reauth_time) 
 	{
-		this->time.reauth = reauth_time;
+		this->stats[STAT_REAUTH] = reauth_time;
 		DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, scheduling reauthentication"
 			 " in %ds", lifetime, lifetime - reduction);
 		charon->scheduler->schedule_job(charon->scheduler,
@@ -2196,7 +1927,7 @@ static void set_auth_lifetime(private_ike_sa_t *this, u_int32_t lifetime)
 	else
 	{
 		DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, reauthentication already "
-			 "scheduled in %ds", lifetime, this->time.reauth - time(NULL));
+			 "scheduled in %ds", lifetime, this->stats[STAT_REAUTH] - time(NULL));
 	}
 }
 
@@ -2275,7 +2006,6 @@ static status_t inherit(private_ike_sa_t *this, private_ike_sa_t *other)
 	this->other_host = other->other_host->clone(other->other_host);
 	this->my_id = other->my_id->clone(other->my_id);
 	this->other_id = other->other_id->clone(other->other_id);
-	this->ike_initiator = other->ike_initiator;
 	
 	/* apply virtual assigned IPs... */
 	if (other->my_virtual_ip)
@@ -2296,7 +2026,7 @@ static status_t inherit(private_ike_sa_t *this, private_ike_sa_t *other)
 		this->dns_servers->insert_first(this->dns_servers, ip);
 	}
 
-	/* inherit NAT-T conditions */
+	/* inherit all conditions */
 	this->conditions = other->conditions;
 	if (this->conditions & COND_NAT_HERE)
 	{
@@ -2326,14 +2056,14 @@ static status_t inherit(private_ike_sa_t *this, private_ike_sa_t *other)
 	this->task_manager->adopt_tasks(this->task_manager, other->task_manager);
 	
 	/* reauthentication timeout survives a rekeying */
-	if (other->time.reauth)
+	if (other->stats[STAT_REAUTH])
 	{
 		time_t reauth, delete, now = time(NULL);
 	
-		this->time.reauth = other->time.reauth;
-		reauth = this->time.reauth - now;
+		this->stats[STAT_REAUTH] = other->stats[STAT_REAUTH];
+		reauth = this->stats[STAT_REAUTH] - now;
 		delete = reauth + this->peer_cfg->get_over_time(this->peer_cfg);
-		this->time.delete = this->time.reauth + delete;
+		this->stats[STAT_DELETE] = this->stats[STAT_REAUTH] + delete;
 		DBG1(DBG_IKE, "rescheduling reauthentication in %ds after rekeying, "
 			 "lifetime reduced to %ds", reauth, delete);
 		charon->scheduler->schedule_job(charon->scheduler, 
@@ -2421,7 +2151,7 @@ static void remove_dns_servers(private_ike_sa_t *this)
 		if (!found)
 		{	
 			/* write line untouched back to file */
-			fwrite(orig_line.ptr, orig_line.len, 1, file);
+			ignore_result(fwrite(orig_line.ptr, orig_line.len, 1, file));
 			fprintf(file, "\n");
 		}
 	}
@@ -2475,7 +2205,7 @@ static void add_dns_server(private_ike_sa_t *this, host_t *dns)
 	{
 		this->dns_servers->insert_last(this->dns_servers, dns->clone(dns));
 	}
-	fwrite(contents.ptr, contents.len, 1, file);
+	ignore_result(fwrite(contents.ptr, contents.len, 1, file));
 	
 	fclose(file);	
 }
@@ -2485,19 +2215,17 @@ static void add_dns_server(private_ike_sa_t *this, host_t *dns)
  */
 static void destroy(private_ike_sa_t *this)
 {
+	charon->bus->set_sa(charon->bus, &this->public);
+	
+	set_state(this, IKE_DESTROYING);
+	
 	this->child_sas->destroy_offset(this->child_sas, offsetof(child_sa_t, destroy));
 	
-	this->task_manager->destroy(this->task_manager);
+	/* unset SA after here to avoid usage by the listeners */
+	charon->bus->set_sa(charon->bus, NULL);
 	
-	DESTROY_IF(this->crypter_in);
-	DESTROY_IF(this->crypter_out);
-	DESTROY_IF(this->signer_in);
-	DESTROY_IF(this->signer_out);
-	DESTROY_IF(this->prf);
-	DESTROY_IF(this->child_prf);
-	chunk_free(&this->skp_verify);
-	chunk_free(&this->skp_build);
-	free(this->selected_proposal);
+	this->task_manager->destroy(this->task_manager);
+	this->keymat->destroy(this->keymat);
 	
 	if (this->my_virtual_ip)
 	{
@@ -2535,12 +2263,15 @@ static void destroy(private_ike_sa_t *this)
 	DESTROY_IF(this->other_host);
 	DESTROY_IF(this->my_id);
 	DESTROY_IF(this->other_id);
+	DESTROY_IF(this->local_host);
+	DESTROY_IF(this->remote_host);
 	DESTROY_IF(this->eap_identity);
 	
 	DESTROY_IF(this->ike_cfg);
 	DESTROY_IF(this->peer_cfg);
 	DESTROY_IF(this->my_auth);
 	DESTROY_IF(this->other_auth);
+	DESTROY_IF(this->proposal);
 	
 	this->ike_sa_id->destroy(this->ike_sa_id);
 	free(this);
@@ -2570,6 +2301,8 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
 	this->public.set_peer_cfg = (void (*)(ike_sa_t*,peer_cfg_t*))set_peer_cfg;
 	this->public.get_my_auth = (auth_info_t*(*)(ike_sa_t*))get_my_auth;
 	this->public.get_other_auth = (auth_info_t*(*)(ike_sa_t*))get_other_auth;
+	this->public.get_proposal = (proposal_t*(*)(ike_sa_t*))get_proposal;
+	this->public.set_proposal = (void(*)(ike_sa_t*, proposal_t *proposal))set_proposal;
 	this->public.get_id = (ike_sa_id_t* (*)(ike_sa_t*)) get_id;
 	this->public.get_my_host = (host_t* (*)(ike_sa_t*)) get_my_host;
 	this->public.set_my_host = (void (*)(ike_sa_t*,host_t*)) set_my_host;
@@ -2588,7 +2321,6 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
 	this->public.has_condition = (bool (*)(ike_sa_t*,ike_condition_t)) has_condition;
 	this->public.set_pending_updates = (void(*)(ike_sa_t*, u_int32_t updates))set_pending_updates;
 	this->public.get_pending_updates = (u_int32_t(*)(ike_sa_t*))get_pending_updates;
-	this->public.is_ike_initiator = (bool (*)(ike_sa_t*))is_ike_initiator;
 	this->public.create_additional_address_iterator = (iterator_t*(*)(ike_sa_t*))create_additional_address_iterator;
 	this->public.add_additional_address = (void(*)(ike_sa_t*, host_t *host))add_additional_address;
 	this->public.has_mapping_changed = (bool(*)(ike_sa_t*, chunk_t hash))has_mapping_changed;
@@ -2597,13 +2329,7 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
 	this->public.destroy = (void (*)(ike_sa_t*))destroy;
 	this->public.send_dpd = (status_t (*)(ike_sa_t*)) send_dpd;
 	this->public.send_keepalive = (void (*)(ike_sa_t*)) send_keepalive;
-	this->public.get_prf = (prf_t* (*)(ike_sa_t*)) get_prf;
-	this->public.get_child_prf = (prf_t* (*)(ike_sa_t *)) get_child_prf;
-	this->public.get_skp_verify = (chunk_t (*)(ike_sa_t *)) get_skp_verify;
-	this->public.get_skp_build = (chunk_t (*)(ike_sa_t *)) get_skp_build;
-	this->public.derive_keys = (status_t (*)(ike_sa_t *,proposal_t*,chunk_t,chunk_t,chunk_t,bool,prf_t*,prf_t*)) derive_keys;
-	this->public.get_proposal = (char* (*)(ike_sa_t*)) get_proposal;
-	this->public.set_proposal = (void (*)(ike_sa_t*,char*)) set_proposal;
+	this->public.get_keymat = (keymat_t*(*)(ike_sa_t*))get_keymat;
 	this->public.add_child_sa = (void (*)(ike_sa_t*,child_sa_t*)) add_child_sa;
 	this->public.get_child_sa = (child_sa_t* (*)(ike_sa_t*,protocol_id_t,u_int32_t,bool)) get_child_sa;
 	this->public.create_child_sa_iterator = (iterator_t* (*)(ike_sa_t*)) create_child_sa_iterator;
@@ -2622,6 +2348,7 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
 	this->public.set_virtual_ip = (void (*)(ike_sa_t*,bool,host_t*))set_virtual_ip;
 	this->public.get_virtual_ip = (host_t* (*)(ike_sa_t*,bool))get_virtual_ip;
 	this->public.add_dns_server = (void (*)(ike_sa_t*,host_t*))add_dns_server;
+	this->public.set_kmaddress = (void (*)(ike_sa_t*,host_t*,host_t*))set_kmaddress;
 #ifdef ME
 	this->public.act_as_mediation_server = (void (*)(ike_sa_t*)) act_as_mediation_server;
 	this->public.get_server_reflexive_host = (host_t* (*)(ike_sa_t*)) get_server_reflexive_host;
@@ -2637,34 +2364,24 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
 	/* initialize private fields */
 	this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
 	this->child_sas = linked_list_create();
-	this->my_host = host_create_from_string("0.0.0.0", IKEV2_UDP_PORT);
-	this->other_host = host_create_from_string("0.0.0.0", IKEV2_UDP_PORT);
+	this->my_host = host_create_any(AF_INET);
+	this->other_host = host_create_any(AF_INET);
 	this->my_id = identification_create_from_encoding(ID_ANY, chunk_empty);
 	this->other_id = identification_create_from_encoding(ID_ANY, chunk_empty);
 	this->eap_identity = NULL;
 	this->extensions = 0;
 	this->conditions = 0;
-	this->selected_proposal = NULL;
-	this->crypter_in = NULL;
-	this->crypter_out = NULL;
-	this->signer_in = NULL;
-	this->signer_out = NULL;
-	this->prf = NULL;
-	this->skp_verify = chunk_empty;
-	this->skp_build = chunk_empty;
- 	this->child_prf = NULL;
+	this->keymat = keymat_create(ike_sa_id->is_initiator(ike_sa_id));
 	this->state = IKE_CREATED;
 	this->keepalive_interval = lib->settings->get_time(lib->settings,
 									"charon.keep_alive", KEEPALIVE_INTERVAL);
-	this->time.inbound = this->time.outbound = time(NULL);
-	this->time.established = 0;
-	this->time.rekey = 0;
-	this->time.reauth = 0;
-	this->time.delete = 0;
+	memset(this->stats, 0, sizeof(this->stats));
+	this->stats[STAT_INBOUND] = this->stats[STAT_OUTBOUND] = time(NULL);
 	this->ike_cfg = NULL;
 	this->peer_cfg = NULL;
 	this->my_auth = auth_info_create();
 	this->other_auth = auth_info_create();
+	this->proposal = NULL;
 	this->task_manager = task_manager_create(&this->public);
 	this->unique_id = ++unique_id;
 	this->my_virtual_ip = NULL;
@@ -2674,7 +2391,8 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
 	this->nat_detection_dest = chunk_empty;
 	this->pending_updates = 0;
 	this->keyingtry = 0;
-	this->ike_initiator = FALSE;
+	this->local_host = NULL;
+	this->remote_host = NULL;
 #ifdef ME
 	this->is_mediation_server = FALSE;
 	this->server_reflexive_host = NULL;
diff --git a/src/charon/sa/ike_sa.h b/src/charon/sa/ike_sa.h
index 717d41647..5aa458704 100644
--- a/src/charon/sa/ike_sa.h
+++ b/src/charon/sa/ike_sa.h
@@ -1,7 +1,7 @@
 /*
  * Copyright (C) 2006-2008 Tobias Brunner
  * Copyright (C) 2006 Daniel Roethlisberger
- * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005-2008 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
  *
@@ -15,7 +15,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: ike_sa.h 4368 2008-10-06 13:37:04Z martin $
+ * $Id: ike_sa.h 4640 2008-11-12 16:07:17Z martin $
  */
 
 /**
@@ -38,9 +38,7 @@ typedef struct ike_sa_t ike_sa_t;
 #include <sa/ike_sa_id.h>
 #include <sa/child_sa.h>
 #include <sa/tasks/task.h>
-#include <crypto/prfs/prf.h>
-#include <crypto/crypters/crypter.h>
-#include <crypto/signers/signer.h>
+#include <sa/keymat.h>
 #include <config/peer_cfg.h>
 #include <config/ike_cfg.h>
 #include <credentials/auth_info.h>
@@ -110,32 +108,41 @@ enum ike_condition_t {
 	 * Faking NAT to enforce UDP encapsulation
 	 */
 	COND_NAT_FAKE = (1<<3),
-
+	
 	/**
 	 * peer has ben authenticated using EAP
 	 */
 	COND_EAP_AUTHENTICATED = (1<<4),
-
+	
 	/**
 	 * received a certificate request from the peer
 	 */
 	COND_CERTREQ_SEEN = (1<<5),
+	
+	/**
+	 * Local peer is the "original" IKE initiator. Unaffected from rekeying.
+	 */
+	COND_ORIGINAL_INITIATOR = (1<<6),
 };
 
 /**
- * Information and statistics to query from an SA
+ * Timing information and statistics to query from an SA
  */
 enum statistic_t {
-	
-	/**
-	 * Relative time for scheduled rekeying
-	 */
-	STAT_REKEY_TIME,
-	
-	/**
-	 * Relative time for scheduled reauthentication
-	 */
-	STAT_REAUTH_TIME,
+	/** Timestamp of SA establishement */
+	STAT_ESTABLISHED = 0,
+	/** Timestamp of scheudled rekeying */
+	STAT_REKEY,
+	/** Timestamp of scheudled reauthentication */
+	STAT_REAUTH,
+	/** Timestamp of scheudled delete */
+	STAT_DELETE,
+	/** Timestamp of last inbound IKE packet */
+	STAT_INBOUND,
+	/** Timestamp of last outbound IKE packet */
+	STAT_OUTBOUND,
+	
+	STAT_MAX
 };
 
 /**
@@ -201,6 +208,11 @@ enum ike_sa_state_t {
 	 * IKE_SA is in progress of deletion
 	 */
 	IKE_DELETING,
+	
+	/**
+	 * IKE_SA object gets destroyed
+	 */
+	IKE_DESTROYING,
 };
 
 /**
@@ -387,6 +399,20 @@ struct ike_sa_t {
 	 */
 	auth_info_t* (*get_other_auth)(ike_sa_t *this);
 	
+	/**
+	 * Get the selected proposal of this IKE_SA.
+	 *
+	 * @return				selected proposal
+	 */
+	proposal_t* (*get_proposal)(ike_sa_t *this);
+	
+	/**
+	 * Set the proposal selected for this IKE_SA.
+	 *
+	 * @param				selected proposal
+	 */
+	void (*set_proposal)(ike_sa_t *this, proposal_t *proposal);
+	
 	/**
 	 * Add an additional address for the peer.
 	 *
@@ -462,13 +488,6 @@ struct ike_sa_t {
 	 */
 	void (*set_pending_updates)(ike_sa_t *this, u_int32_t updates);
 	
-	/**
-	 * Check if we are the original initiator of this IKE_SA (rekeying does not
-	 * change this flag).
-	 */
-	bool (*is_ike_initiator)(ike_sa_t *this);
-	
-
 #ifdef ME
 	/**
 	 * Activate mediation server functionality for this IKE_SA.
@@ -705,70 +724,13 @@ struct ike_sa_t {
 	 * was sent.
 	 */
 	void (*send_keepalive) (ike_sa_t *this);
-
-	/**
-	 * Derive all keys and create the transforms for IKE communication.
-	 *
-	 * Keys are derived using the diffie hellman secret, nonces and internal
-	 * stored SPIs.
-	 * Key derivation differs when an IKE_SA is set up to replace an
-	 * existing IKE_SA (rekeying). The SK_d key from the old IKE_SA
-	 * is included in the derivation process.
-	 *
-	 * @param proposal		proposal which contains algorithms to use
-	 * @param secret		secret derived from DH exchange, gets freed
-	 * @param nonce_i		initiators nonce
-	 * @param nonce_r		responders nonce
-	 * @param initiator		TRUE if initiator, FALSE otherwise
-	 * @param child_prf		PRF with SK_d key when rekeying, NULL otherwise
-	 * @param old_prf		general purpose PRF of old SA when rekeying
-	 */
-	status_t (*derive_keys)(ike_sa_t *this, proposal_t* proposal, chunk_t secret,
-							chunk_t nonce_i, chunk_t nonce_r,
-							bool initiator, prf_t *child_prf, prf_t *old_prf);
 	
 	/**
-	 * Get the selected IKE proposal string
+	 * Get the keying material of this IKE_SA.
 	 *
-	 * @return				string describing the selected IKE proposal
-	 */
-	char* (*get_proposal)(ike_sa_t *this);			
-
-	/**
-	 * Set the selected IKE proposal string for status information purposes
-	 * (the "%P" printf format handler is used)
-     *
-	 * @param proposal		string describing the selected IKE proposal
-	 */
-	void (*set_proposal)(ike_sa_t *this, char *proposal);			
-
-	/**
-	 * Get a multi purpose prf for the negotiated PRF function.
-	 * 
-	 * @return				pointer to prf_t object
-	 */
-	prf_t *(*get_prf) (ike_sa_t *this);
-	
-	/**
-	 * Get the prf-object, which is used to derive keys for child SAs.
-	 * 
-	 * @return				pointer to prf_t object
-	 */
-	prf_t *(*get_child_prf) (ike_sa_t *this);
-	
-	/**
-	 * Get the key to build outgoing authentication data.
-	 * 
-	 * @return				pointer to prf_t object
-	 */
-	chunk_t (*get_skp_build) (ike_sa_t *this);
-	
-	/**
-	 * Get the key to verify incoming authentication data.
-	 * 
-	 * @return				pointer to prf_t object
+	 * @return				per IKE_SA keymat instance
 	 */
-	chunk_t (*get_skp_verify) (ike_sa_t *this);
+	keymat_t* (*get_keymat)(ike_sa_t *this);
 	
 	/**
 	 * Associates a child SA to this IKE SA
@@ -900,6 +862,17 @@ struct ike_sa_t {
 	 */
 	void (*add_dns_server) (ike_sa_t *this, host_t *dns);
 	
+	/**
+	 * Set local and remote host addresses to be used for IKE.
+	 *
+	 * These addresses are communicated via the KMADDRESS field of a MIGRATE
+	 * message sent via the NETLINK or PF _KEY kernel socket interface.
+	 *
+	 * @param local			local kmaddress
+	 * @param remote		remote kmaddress
+	 */
+	void (*set_kmaddress) (ike_sa_t *this, host_t *local, host_t *remote);
+
 	/**
 	 * Inherit all attributes of other to this after rekeying.
 	 *
diff --git a/src/charon/sa/ike_sa_manager.c b/src/charon/sa/ike_sa_manager.c
index bd7b84c6f..a760409c0 100644
--- a/src/charon/sa/ike_sa_manager.c
+++ b/src/charon/sa/ike_sa_manager.c
@@ -13,10 +13,9 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: ike_sa_manager.c 4234 2008-07-30 14:15:08Z martin $
+ * $Id: ike_sa_manager.c 4579 2008-11-05 11:29:56Z martin $
  */
 
-#include <pthread.h>
 #include <string.h>
 
 #include "ike_sa_manager.h"
@@ -24,6 +23,7 @@
 #include <daemon.h>
 #include <sa/ike_sa_id.h>
 #include <bus/bus.h>
+#include <utils/mutex.h>
 #include <utils/linked_list.h>
 #include <crypto/hashers/hasher.h>
 
@@ -42,7 +42,7 @@ struct entry_t {
 	/**
 	 * Condvar where threads can wait until ike_sa_t object is free for use again.
 	 */
-	pthread_cond_t condvar;
+	condvar_t *condvar;
 	
 	/**
 	 * Is this ike_sa currently checked out?
@@ -107,6 +107,7 @@ static status_t entry_destroy(entry_t *this)
 	DESTROY_IF(this->other);
 	DESTROY_IF(this->my_id);
 	DESTROY_IF(this->other_id);
+	this->condvar->destroy(this->condvar);
 	free(this);
 	return SUCCESS;
 }
@@ -119,7 +120,7 @@ static entry_t *entry_create(ike_sa_id_t *ike_sa_id)
 	entry_t *this = malloc_thing(entry_t);
 	
 	this->waiting_threads = 0;
-	pthread_cond_init(&this->condvar, NULL);
+	this->condvar = condvar_create(CONDVAR_DEFAULT);
 	
 	/* we set checkout flag when we really give it out */
 	this->checked_out = FALSE;
@@ -155,7 +156,7 @@ struct private_ike_sa_manager_t {
 	 /**
 	  * Lock for exclusivly accessing the manager.
 	  */
-	 pthread_mutex_t mutex;
+	 mutex_t *mutex;
 
 	 /**
 	  * Linked list with entries for the ike_sa_t objects.
@@ -278,9 +279,9 @@ static status_t delete_entry(private_ike_sa_manager_t *this, entry_t *entry)
 			while (entry->waiting_threads)
 			{
 				/* wake up all */
-				pthread_cond_broadcast(&(entry->condvar));
+				entry->condvar->broadcast(entry->condvar);
 				/* they will wake us again when their work is done */
-				pthread_cond_wait(&(entry->condvar), &(this->mutex));
+				entry->condvar->wait(entry->condvar, this->mutex);
 			}
 			
 			DBG2(DBG_MGR,  "found entry by pointer, deleting it");
@@ -310,14 +311,14 @@ static bool wait_for_entry(private_ike_sa_manager_t *this, entry_t *entry)
 		/* so wait until we can get it for us.
 		 * we register us as waiting. */
 		entry->waiting_threads++;
-		pthread_cond_wait(&(entry->condvar), &(this->mutex));
+		entry->condvar->wait(entry->condvar, this->mutex);
 		entry->waiting_threads--;
 	}
 	/* hm, a deletion request forbids us to get this SA, get next one */
 	if (entry->driveout_waiting_threads)
 	{
 		/* we must signal here, others may be waiting on it, too */
-		pthread_cond_signal(&(entry->condvar));
+		entry->condvar->signal(entry->condvar);
 		return FALSE;
 	}
 	return TRUE;
@@ -345,7 +346,7 @@ static ike_sa_t* checkout(private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id
 	DBG2(DBG_MGR, "checkout IKE_SA, %d IKE_SAs in manager",
 		 this->ike_sa_list->get_count(this->ike_sa_list));
 	
-	pthread_mutex_lock(&(this->mutex));
+	this->mutex->lock(this->mutex);
 	if (get_entry_by_id(this, ike_sa_id, &entry) == SUCCESS)
 	{
 		if (wait_for_entry(this, entry))
@@ -355,7 +356,7 @@ static ike_sa_t* checkout(private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id
 			ike_sa = entry->ike_sa;
 		}
 	}
-	pthread_mutex_unlock(&this->mutex);
+	this->mutex->unlock(this->mutex);
 	charon->bus->set_sa(charon->bus, ike_sa);
 	return ike_sa;
 }
@@ -378,10 +379,10 @@ static ike_sa_t *checkout_new(private_ike_sa_manager_t* this, bool initiator)
 	}
 	entry = entry_create(id);
 	id->destroy(id);
-	pthread_mutex_lock(&this->mutex);	
+	this->mutex->lock(this->mutex);	
 	this->ike_sa_list->insert_last(this->ike_sa_list, entry);
 	entry->checked_out = TRUE;
-	pthread_mutex_unlock(&this->mutex);	
+	this->mutex->unlock(this->mutex);	
 	DBG2(DBG_MGR, "created IKE_SA, %d IKE_SAs in manager",
 		 this->ike_sa_list->get_count(this->ike_sa_list));
 	return entry->ike_sa;
@@ -413,7 +414,7 @@ static ike_sa_t* checkout_by_message(private_ike_sa_manager_t* this,
 		this->hasher->allocate_hash(this->hasher, data, &hash);
 		chunk_free(&data);
 		
-		pthread_mutex_lock(&this->mutex);
+		this->mutex->lock(this->mutex);
 		enumerator = this->ike_sa_list->create_enumerator(this->ike_sa_list);
 		while (enumerator->enumerate(enumerator, &entry))
 		{
@@ -422,7 +423,7 @@ static ike_sa_t* checkout_by_message(private_ike_sa_manager_t* this,
 				if (entry->message_id == 0)
 				{
 					enumerator->destroy(enumerator);
-					pthread_mutex_unlock(&this->mutex);
+					this->mutex->unlock(this->mutex);
 					chunk_free(&hash);
 					id->destroy(id);
 					DBG1(DBG_MGR, "ignoring IKE_SA_INIT, already processing");
@@ -439,7 +440,7 @@ static ike_sa_t* checkout_by_message(private_ike_sa_manager_t* this,
 			}
 		}
 		enumerator->destroy(enumerator);
-		pthread_mutex_unlock(&this->mutex);
+		this->mutex->unlock(this->mutex);
 		
 		if (ike_sa == NULL)
 		{
@@ -450,11 +451,11 @@ static ike_sa_t* checkout_by_message(private_ike_sa_manager_t* this,
 				id->set_responder_spi(id, get_next_spi(this));
 				entry = entry_create(id);
 				
-				pthread_mutex_lock(&this->mutex);
+				this->mutex->lock(this->mutex);
 				this->ike_sa_list->insert_last(this->ike_sa_list, entry);
 				entry->checked_out = TRUE;
 				entry->message_id = message->get_message_id(message);
-				pthread_mutex_unlock(&this->mutex);
+				this->mutex->unlock(this->mutex);
 				entry->init_hash = hash;
 				ike_sa = entry->ike_sa;
 			}
@@ -473,7 +474,7 @@ static ike_sa_t* checkout_by_message(private_ike_sa_manager_t* this,
 		return ike_sa;
 	}
 	
-	pthread_mutex_lock(&(this->mutex));
+	this->mutex->lock(this->mutex);
 	if (get_entry_by_id(this, id, &entry) == SUCCESS)
 	{
 		/* only check out if we are not processing this request */
@@ -496,7 +497,7 @@ static ike_sa_t* checkout_by_message(private_ike_sa_manager_t* this,
 			ike_sa = entry->ike_sa;
 		}
 	}
-	pthread_mutex_unlock(&this->mutex);
+	this->mutex->unlock(this->mutex);
 	id->destroy(id);
 	charon->bus->set_sa(charon->bus, ike_sa);
 	return ike_sa;
@@ -521,7 +522,7 @@ static ike_sa_t* checkout_by_config(private_ike_sa_manager_t *this,
 	my_host = host_create_from_dns(ike_cfg->get_my_addr(ike_cfg), 0, 0);
 	other_host = host_create_from_dns(ike_cfg->get_other_addr(ike_cfg), 0, 0);
 	
-	pthread_mutex_lock(&(this->mutex));
+	this->mutex->lock(this->mutex);
 	
 	if (my_host && other_host && this->reuse_ikesa)
 	{
@@ -553,8 +554,9 @@ static ike_sa_t* checkout_by_config(private_ike_sa_manager_t *this,
 				/* IKE_SA has no IDs yet, so we can't use it */
 				continue;
 			}
-			DBG2(DBG_MGR, "candidate IKE_SA for \n\t"
-				 "%H[%D]...%H[%D]\n\t%H[%D]...%H[%D]",
+			DBG2(DBG_MGR, "candidate IKE_SA for \n"
+				 "  %H[%D]...%H[%D]\n"
+				 "  %H[%D]...%H[%D]",
 				 my_host, my_id, other_host, other_id,
 				 found_my_host, found_my_id, found_other_host, found_other_id);
 			/* compare ID and hosts. Supplied ID may contain wildcards, and IP
@@ -603,7 +605,7 @@ static ike_sa_t* checkout_by_config(private_ike_sa_manager_t *this,
 		new_entry->checked_out = TRUE;
 		ike_sa = new_entry->ike_sa;
 	}
-	pthread_mutex_unlock(&(this->mutex));
+	this->mutex->unlock(this->mutex);
 	charon->bus->set_sa(charon->bus, ike_sa);
 	return ike_sa;
 }
@@ -620,7 +622,7 @@ static ike_sa_t* checkout_by_id(private_ike_sa_manager_t *this, u_int32_t id,
 	ike_sa_t *ike_sa = NULL;
 	child_sa_t *child_sa;
 	
-	pthread_mutex_lock(&(this->mutex));
+	this->mutex->lock(this->mutex);
 	
 	enumerator = this->ike_sa_list->create_enumerator(this->ike_sa_list);
 	while (enumerator->enumerate(enumerator, &entry))
@@ -657,7 +659,7 @@ static ike_sa_t* checkout_by_id(private_ike_sa_manager_t *this, u_int32_t id,
 		}
 	}
 	enumerator->destroy(enumerator);
-	pthread_mutex_unlock(&(this->mutex));
+	this->mutex->unlock(this->mutex);
 	
 	charon->bus->set_sa(charon->bus, ike_sa);
 	return ike_sa;
@@ -675,7 +677,7 @@ static ike_sa_t* checkout_by_name(private_ike_sa_manager_t *this, char *name,
 	ike_sa_t *ike_sa = NULL;
 	child_sa_t *child_sa;
 	
-	pthread_mutex_lock(&(this->mutex));
+	this->mutex->lock(this->mutex);
 	
 	enumerator = this->ike_sa_list->create_enumerator(this->ike_sa_list);
 	while (enumerator->enumerate(enumerator, &entry))
@@ -712,7 +714,7 @@ static ike_sa_t* checkout_by_name(private_ike_sa_manager_t *this, char *name,
 		}
 	}
 	enumerator->destroy(enumerator);
-	pthread_mutex_unlock(&(this->mutex));
+	this->mutex->unlock(this->mutex);
 	
 	charon->bus->set_sa(charon->bus, ike_sa);
 	return ike_sa;
@@ -732,7 +734,7 @@ static ike_sa_t* checkout_duplicate(private_ike_sa_manager_t *this,
 	me = ike_sa->get_my_id(ike_sa);
 	other = ike_sa->get_other_id(ike_sa);
 	
-	pthread_mutex_lock(&this->mutex);
+	this->mutex->lock(this->mutex);
 	enumerator = this->ike_sa_list->create_enumerator(this->ike_sa_list);
 	while (enumerator->enumerate(enumerator, &entry))
 	{
@@ -755,7 +757,7 @@ static ike_sa_t* checkout_duplicate(private_ike_sa_manager_t *this,
 		}
 	}
 	enumerator->destroy(enumerator);
-	pthread_mutex_unlock(&this->mutex);
+	this->mutex->unlock(this->mutex);
 	return duplicate;
 }
 
@@ -764,7 +766,7 @@ static ike_sa_t* checkout_duplicate(private_ike_sa_manager_t *this,
  */
 static void enumerator_unlock(private_ike_sa_manager_t *this)
 {
-	pthread_mutex_unlock(&this->mutex);
+	this->mutex->unlock(this->mutex);
 }
 
 /**
@@ -786,7 +788,7 @@ static bool enumerator_filter(private_ike_sa_manager_t *this,
  */
 static enumerator_t *create_enumerator(private_ike_sa_manager_t* this)
 {
-	pthread_mutex_lock(&this->mutex);
+	this->mutex->lock(this->mutex);
 	return enumerator_create_filter(
 						this->ike_sa_list->create_enumerator(this->ike_sa_list),
 						(void*)enumerator_filter, this, (void*)enumerator_unlock);
@@ -812,7 +814,7 @@ static status_t checkin(private_ike_sa_manager_t *this, ike_sa_t *ike_sa)
 	
 	DBG2(DBG_MGR, "checkin IKE_SA");
 	
-	pthread_mutex_lock(&(this->mutex));
+	this->mutex->lock(this->mutex);
 
 	/* look for the entry */
 	if (get_entry_by_sa(this, ike_sa, &entry) == SUCCESS)
@@ -845,7 +847,7 @@ static status_t checkin(private_ike_sa_manager_t *this, ike_sa_t *ike_sa)
 			entry->other_id = other_id->clone(other_id);
 		}
 		DBG2(DBG_MGR, "check-in of IKE_SA successful.");
-		pthread_cond_signal(&(entry->condvar));
+		entry->condvar->signal(entry->condvar);
 	 	retval = SUCCESS;
 	}
 	else
@@ -857,7 +859,7 @@ static status_t checkin(private_ike_sa_manager_t *this, ike_sa_t *ike_sa)
 	
 	DBG2(DBG_MGR, "%d IKE_SAs in manager now",
 		 this->ike_sa_list->get_count(this->ike_sa_list));
-	pthread_mutex_unlock(&(this->mutex));
+	this->mutex->unlock(this->mutex);
 	
 	charon->bus->set_sa(charon->bus, NULL);
 	return retval;
@@ -880,9 +882,8 @@ static status_t checkin_and_destroy(private_ike_sa_manager_t *this, ike_sa_t *ik
 	
 	ike_sa_id = ike_sa->get_id(ike_sa);
 	DBG2(DBG_MGR, "checkin and destroy IKE_SA");
-	charon->bus->set_sa(charon->bus, NULL);
 
-	pthread_mutex_lock(&(this->mutex));
+	this->mutex->lock(this->mutex);
 
 	if (get_entry_by_sa(this, ike_sa, &entry) == SUCCESS)
 	{
@@ -899,8 +900,9 @@ static status_t checkin_and_destroy(private_ike_sa_manager_t *this, ike_sa_t *ik
 		DBG2(DBG_MGR, "tried to check-in and delete nonexisting IKE_SA");
 		retval = NOT_FOUND;
 	}
+	charon->bus->set_sa(charon->bus, NULL);
 	
-	pthread_mutex_unlock(&(this->mutex));
+	this->mutex->unlock(this->mutex);
 	return retval;
 }
 
@@ -913,7 +915,7 @@ static int get_half_open_count(private_ike_sa_manager_t *this, host_t *ip)
 	entry_t *entry;
 	int count = 0;
 
-	pthread_mutex_lock(&(this->mutex));
+	this->mutex->lock(this->mutex);
 	enumerator = this->ike_sa_list->create_enumerator(this->ike_sa_list);
 	while (enumerator->enumerate(enumerator, &entry))
 	{
@@ -937,7 +939,7 @@ static int get_half_open_count(private_ike_sa_manager_t *this, host_t *ip)
 	}
 	enumerator->destroy(enumerator);
 	
-	pthread_mutex_unlock(&(this->mutex));
+	this->mutex->unlock(this->mutex);
 	return count;
 }
 
@@ -950,7 +952,7 @@ static void flush(private_ike_sa_manager_t *this)
 	enumerator_t *enumerator;
 	entry_t *entry;
 	
-	pthread_mutex_lock(&(this->mutex));
+	this->mutex->lock(this->mutex);
 	DBG2(DBG_MGR, "going to destroy IKE_SA manager and all managed IKE_SA's");
 	/* Step 1: drive out all waiting threads  */
 	DBG2(DBG_MGR, "set driveout flags for all stored IKE_SA's");
@@ -970,9 +972,9 @@ static void flush(private_ike_sa_manager_t *this)
 		while (entry->waiting_threads)
 		{
 			/* wake up all */
-			pthread_cond_broadcast(&(entry->condvar));
+			entry->condvar->broadcast(entry->condvar);
 			/* go sleeping until they are gone */
-			pthread_cond_wait(&(entry->condvar), &(this->mutex));
+			entry->condvar->wait(entry->condvar, this->mutex);
 		}
 	}
 	enumerator->destroy(enumerator);
@@ -981,6 +983,7 @@ static void flush(private_ike_sa_manager_t *this)
 	enumerator = this->ike_sa_list->create_enumerator(this->ike_sa_list);
 	while (enumerator->enumerate(enumerator, &entry))
 	{
+		charon->bus->set_sa(charon->bus, entry->ike_sa);
 		entry->ike_sa->delete(entry->ike_sa);
 	}
 	enumerator->destroy(enumerator);
@@ -990,9 +993,11 @@ static void flush(private_ike_sa_manager_t *this)
 	while (this->ike_sa_list->remove_last(this->ike_sa_list,
 										  (void**)&entry) == SUCCESS)
 	{
+		charon->bus->set_sa(charon->bus, entry->ike_sa);
 		entry_destroy(entry);
 	}
-	pthread_mutex_unlock(&(this->mutex));
+	charon->bus->set_sa(charon->bus, NULL);
+	this->mutex->unlock(this->mutex);
 }
 
 /**
@@ -1003,7 +1008,7 @@ static void destroy(private_ike_sa_manager_t *this)
 	this->ike_sa_list->destroy(this->ike_sa_list);
 	this->rng->destroy(this->rng);
 	this->hasher->destroy(this->hasher);
-	
+	this->mutex->destroy(this->mutex);
 	free(this);
 }
 
@@ -1046,7 +1051,7 @@ ike_sa_manager_t *ike_sa_manager_create()
 		return NULL;
 	}
 	this->ike_sa_list = linked_list_create();
-	pthread_mutex_init(&this->mutex, NULL);
+	this->mutex = mutex_create(MUTEX_DEFAULT);
 	this->reuse_ikesa = lib->settings->get_bool(lib->settings,
 												"charon.reuse_ikesa", TRUE);
 	return &this->public;
diff --git a/src/charon/sa/ike_sa_manager.h b/src/charon/sa/ike_sa_manager.h
index 04b6d96c2..3f0752cc8 100644
--- a/src/charon/sa/ike_sa_manager.h
+++ b/src/charon/sa/ike_sa_manager.h
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: ike_sa_manager.h 3819 2008-04-17 10:46:25Z martin $
+ * $Id: ike_sa_manager.h 4624 2008-11-11 13:11:44Z tobias $
  */
 
 /**
@@ -59,7 +59,7 @@ struct ike_sa_manager_t {
 	 * Create and check out a new IKE_SA.
 	 * 
 	 * @param initiator			TRUE for initiator, FALSE otherwise
-	 * @returns 				created andchecked out IKE_SA
+	 * @returns 				created and checked out IKE_SA
 	 */
 	ike_sa_t* (*checkout_new) (ike_sa_manager_t* this, bool initiator);
 	
@@ -67,13 +67,13 @@ struct ike_sa_manager_t {
 	 * Checkout an IKE_SA by a message.
 	 * 
 	 * In some situations, it is necessary that the manager knows the
-	 * message to use for the checkout. This has the folloing reasons:
+	 * message to use for the checkout. This has the following reasons:
 	 * 
 	 * 1. If the targeted IKE_SA is already processing a message, we do not
 	 *    check it out if the message ID is the same.
 	 * 2. If it is an IKE_SA_INIT request, we have to check if it is a 
 	 *    retransmission. If so, we have to drop the message, we would
-	 *    create another unneded IKE_SA for each retransmitted packet.
+	 *    create another unneeded IKE_SA for each retransmitted packet.
 	 *
 	 * A call to checkout_by_message() returns a (maybe new created) IKE_SA.
 	 * If processing the message does not make sense (for the reasons above),
diff --git a/src/charon/sa/keymat.c b/src/charon/sa/keymat.c
new file mode 100644
index 000000000..c65bfc3b7
--- /dev/null
+++ b/src/charon/sa/keymat.c
@@ -0,0 +1,568 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+#include "keymat.h"
+
+#include <daemon.h>
+#include <crypto/prf_plus.h>
+
+typedef struct private_keymat_t private_keymat_t;
+
+/**
+ * Private data of an keymat_t object.
+ */
+struct private_keymat_t {
+	
+	/**
+	 * Public keymat_t interface.
+	 */
+	keymat_t public;
+	
+	/**
+ 	 * IKE_SA Role, initiator or responder
+ 	 */
+ 	bool initiator;
+	
+	/**
+	 * inbound signer (verify)
+	 */
+	signer_t *signer_in;
+	
+	/**
+	 * outbound signer (sign)
+	 */
+	signer_t *signer_out;
+	
+	/**
+	 * inbound crypter (decrypt)
+	 */
+	crypter_t *crypter_in;
+	
+	/**
+	 * outbound crypter (encrypt)
+	 */
+	crypter_t *crypter_out;
+	
+	/**
+	 * General purpose PRF
+	 */
+	prf_t *prf;
+	
+	/**
+	 * Key to derive key material from for CHILD_SAs, rekeying
+	 */
+	chunk_t skd;
+	
+	/**
+	 * Key to build outging authentication data (SKp)
+	 */
+	chunk_t skp_build;
+
+	/**
+	 * Key to verify incoming authentication data (SKp)
+	 */
+	chunk_t skp_verify;
+};
+
+typedef struct keylen_entry_t keylen_entry_t;
+
+/**
+ * Implicit key length for an algorithm
+ */
+struct keylen_entry_t {
+	/** IKEv2 algorithm identifier */
+	int algo;
+	/** key length in bits */
+	int len;
+};
+
+#define END_OF_LIST -1
+
+/**
+ * Keylen for encryption algos
+ */
+keylen_entry_t keylen_enc[] = {
+	{ENCR_DES, 					 64},
+	{ENCR_3DES, 				192},
+	{END_OF_LIST,				  0}
+};
+
+/**
+ * Keylen for integrity algos
+ */
+keylen_entry_t keylen_int[] = {
+	{AUTH_HMAC_MD5_96, 			128},
+	{AUTH_HMAC_SHA1_96,			160},
+	{AUTH_HMAC_SHA2_256_128,	256},
+	{AUTH_HMAC_SHA2_384_192,	384},
+	{AUTH_HMAC_SHA2_512_256,	512},
+	{AUTH_AES_XCBC_96,			128},
+	{END_OF_LIST,				  0}
+};
+
+/**
+ * Lookup key length of an algorithm
+ */
+static int lookup_keylen(keylen_entry_t *list, int algo)
+{
+	while (list->algo != END_OF_LIST)
+	{
+		if (algo == list->algo)
+		{
+			return list->len;
+		}
+		list++;
+	}
+	return 0;
+}
+
+/**
+ * Implementation of keymat_t.create_dh
+ */
+static diffie_hellman_t* create_dh(private_keymat_t *this,
+								   diffie_hellman_group_t group)
+{
+	return lib->crypto->create_dh(lib->crypto, group);;
+}
+
+/**
+ * Implementation of keymat_t.derive_keys
+ */
+static bool derive_ike_keys(private_keymat_t *this, proposal_t *proposal,
+							diffie_hellman_t *dh, chunk_t nonce_i,
+							chunk_t nonce_r, ike_sa_id_t *id,
+							private_keymat_t *rekey)
+{
+	chunk_t skeyseed, key, secret, full_nonce, fixed_nonce, prf_plus_seed;
+	chunk_t spi_i, spi_r;
+	crypter_t *crypter_i, *crypter_r;
+	signer_t *signer_i, *signer_r;
+	prf_plus_t *prf_plus;
+	u_int16_t alg, key_size;
+	
+	spi_i = chunk_alloca(sizeof(u_int64_t));
+	spi_r = chunk_alloca(sizeof(u_int64_t));
+	
+	if (dh->get_shared_secret(dh, &secret) != SUCCESS)
+	{
+		return FALSE;
+	}
+	
+	/* Create SAs general purpose PRF first, we may use it here */
+	if (!proposal->get_algorithm(proposal, PSEUDO_RANDOM_FUNCTION, &alg, NULL))
+	{
+		DBG1(DBG_IKE, "no %N selected",
+			 transform_type_names, PSEUDO_RANDOM_FUNCTION);
+		return FALSE;
+	}
+	this->prf = lib->crypto->create_prf(lib->crypto, alg);
+	if (this->prf == NULL)
+	{
+		DBG1(DBG_IKE, "%N %N not supported!",
+			 transform_type_names, PSEUDO_RANDOM_FUNCTION,
+			 pseudo_random_function_names, alg);
+		return FALSE;
+	}
+	DBG4(DBG_IKE, "shared Diffie Hellman secret %B", &secret);
+	/* full nonce is used as seed for PRF+ ... */
+	full_nonce = chunk_cat("cc", nonce_i, nonce_r);
+	/* but the PRF may need a fixed key which only uses the first bytes of
+	 * the nonces. */
+	switch (alg)
+	{
+		case PRF_AES128_XCBC:
+			/* while rfc4434 defines variable keys for AES-XCBC, rfc3664 does
+			 * not and therefore fixed key semantics apply to XCBC for key
+			 * derivation. */
+			key_size = this->prf->get_key_size(this->prf)/2;
+			nonce_i.len = min(nonce_i.len, key_size);
+			nonce_r.len = min(nonce_r.len, key_size);
+			break;
+		default:
+			/* all other algorithms use variable key length, full nonce */
+			break;
+	}
+	fixed_nonce = chunk_cat("cc", nonce_i, nonce_r);
+	*((u_int64_t*)spi_i.ptr) = id->get_initiator_spi(id);
+	*((u_int64_t*)spi_r.ptr) = id->get_responder_spi(id);
+	prf_plus_seed = chunk_cat("ccc", full_nonce, spi_i, spi_r);
+	
+	/* KEYMAT = prf+ (SKEYSEED, Ni | Nr | SPIi | SPIr) 
+	 *
+	 * if we are rekeying, SKEYSEED is built on another way
+	 */
+	if (rekey == NULL) /* not rekeying */
+	{
+		/* SKEYSEED = prf(Ni | Nr, g^ir) */
+		this->prf->set_key(this->prf, fixed_nonce);
+		this->prf->allocate_bytes(this->prf, secret, &skeyseed);
+		this->prf->set_key(this->prf, skeyseed);
+		prf_plus = prf_plus_create(this->prf, prf_plus_seed);
+	}
+	else
+	{
+		/* SKEYSEED = prf(SK_d (old), [g^ir (new)] | Ni | Nr) 
+		 * use OLD SAs PRF functions for both prf_plus and prf */
+		secret = chunk_cat("mc", secret, full_nonce);
+		rekey->prf->set_key(rekey->prf, rekey->skd);
+		rekey->prf->allocate_bytes(rekey->prf, secret, &skeyseed);
+		rekey->prf->set_key(rekey->prf, skeyseed);
+		prf_plus = prf_plus_create(rekey->prf, prf_plus_seed);
+	}
+	DBG4(DBG_IKE, "SKEYSEED %B", &skeyseed);
+	
+	chunk_clear(&skeyseed);
+	chunk_clear(&secret);
+	chunk_free(&full_nonce);
+	chunk_free(&fixed_nonce);
+	chunk_clear(&prf_plus_seed);
+	
+	/* KEYMAT = SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr */
+	
+	/* SK_d is used for generating CHILD_SA key mat => store for later use */
+	key_size = this->prf->get_key_size(this->prf);
+	prf_plus->allocate_bytes(prf_plus, key_size, &this->skd);
+	DBG4(DBG_IKE, "Sk_d secret %B", &this->skd);
+	
+	/* SK_ai/SK_ar used for integrity protection => signer_in/signer_out */
+	if (!proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM, &alg, NULL))
+	{
+		DBG1(DBG_IKE, "no %N selected",
+			 transform_type_names, INTEGRITY_ALGORITHM);
+		return FALSE;
+	}
+	signer_i = lib->crypto->create_signer(lib->crypto, alg);
+	signer_r = lib->crypto->create_signer(lib->crypto, alg);
+	if (signer_i == NULL || signer_r == NULL)
+	{
+		DBG1(DBG_IKE, "%N %N not supported!",
+			 transform_type_names, INTEGRITY_ALGORITHM,
+			 integrity_algorithm_names ,alg);
+		prf_plus->destroy(prf_plus);
+		return FALSE;
+	}
+	key_size = signer_i->get_key_size(signer_i);
+	
+	prf_plus->allocate_bytes(prf_plus, key_size, &key);
+	DBG4(DBG_IKE, "Sk_ai secret %B", &key);
+	signer_i->set_key(signer_i, key);
+	chunk_clear(&key);
+	
+	prf_plus->allocate_bytes(prf_plus, key_size, &key);
+	DBG4(DBG_IKE, "Sk_ar secret %B", &key);
+	signer_r->set_key(signer_r, key);
+	chunk_clear(&key);
+	
+	if (this->initiator)
+	{
+		this->signer_in = signer_r;
+		this->signer_out = signer_i;
+	}
+	else
+	{
+		this->signer_in = signer_i;
+		this->signer_out = signer_r;
+	}
+	
+	/* SK_ei/SK_er used for encryption => crypter_in/crypter_out */
+	if (!proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, &alg, &key_size))
+	{
+		DBG1(DBG_IKE, "no %N selected",
+			 transform_type_names, ENCRYPTION_ALGORITHM);
+		prf_plus->destroy(prf_plus);
+		return FALSE;
+	}
+	crypter_i = lib->crypto->create_crypter(lib->crypto, alg, key_size / 8);
+	crypter_r = lib->crypto->create_crypter(lib->crypto, alg, key_size / 8);
+	if (crypter_i == NULL || crypter_r == NULL)
+	{
+		DBG1(DBG_IKE, "%N %N (key size %d) not supported!",
+			 transform_type_names, ENCRYPTION_ALGORITHM,
+			 encryption_algorithm_names, alg, key_size);
+		prf_plus->destroy(prf_plus);
+		return FALSE;
+	}
+	key_size = crypter_i->get_key_size(crypter_i);
+	
+	prf_plus->allocate_bytes(prf_plus, key_size, &key);
+	DBG4(DBG_IKE, "Sk_ei secret %B", &key);
+	crypter_i->set_key(crypter_i, key);
+	chunk_clear(&key);
+	
+	prf_plus->allocate_bytes(prf_plus, key_size, &key);
+	DBG4(DBG_IKE, "Sk_er secret %B", &key);
+	crypter_r->set_key(crypter_r, key);
+	chunk_clear(&key);
+	
+	if (this->initiator)
+	{
+		this->crypter_in = crypter_r;
+		this->crypter_out = crypter_i;
+	}
+	else
+	{
+		this->crypter_in = crypter_i;
+		this->crypter_out = crypter_r;
+	}
+	
+	/* SK_pi/SK_pr used for authentication => stored for later */	
+	key_size = this->prf->get_key_size(this->prf);
+	prf_plus->allocate_bytes(prf_plus, key_size, &key);
+	DBG4(DBG_IKE, "Sk_pi secret %B", &key);
+	if (this->initiator)
+	{
+		this->skp_build = key;
+	}
+	else
+	{
+		this->skp_verify = key;
+	}
+	prf_plus->allocate_bytes(prf_plus, key_size, &key);
+	DBG4(DBG_IKE, "Sk_pr secret %B", &key);
+	if (this->initiator)
+	{
+		this->skp_verify = key;
+	}
+	else
+	{
+		this->skp_build = key;
+	}
+	
+	/* all done, prf_plus not needed anymore */
+	prf_plus->destroy(prf_plus);
+	
+	return TRUE;
+}
+
+/**
+ * Implementation of keymat_t.derive_child_keys
+ */
+static bool derive_child_keys(private_keymat_t *this,
+							  proposal_t *proposal, diffie_hellman_t *dh,
+							  chunk_t nonce_i, chunk_t nonce_r,
+							  chunk_t *encr_i, chunk_t *integ_i,
+							  chunk_t *encr_r, chunk_t *integ_r)
+{
+	u_int16_t enc_alg, int_alg, enc_size = 0, int_size = 0;
+	chunk_t seed, secret = chunk_empty;
+	prf_plus_t *prf_plus;
+	
+	if (dh)
+	{
+		if (dh->get_shared_secret(dh, &secret) != SUCCESS)
+		{
+			return FALSE;
+		}
+		DBG4(DBG_CHD, "DH secret %B", &secret);
+	}
+	seed = chunk_cata("mcc", secret, nonce_i, nonce_r);
+	DBG4(DBG_CHD, "seed %B", &seed);
+	
+	if (proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM,
+								&enc_alg, &enc_size))
+	{
+		DBG2(DBG_CHD, "  using %N for encryption", 
+			 encryption_algorithm_names, enc_alg);
+		
+		if (!enc_size)
+		{
+			enc_size = lookup_keylen(keylen_enc, enc_alg);
+		}
+		if (!enc_size)
+		{
+			DBG1(DBG_CHD, "no keylenth defined for %N",
+				 encryption_algorithm_names, enc_alg);
+			return FALSE;
+		}
+		/* to bytes */
+		enc_size /= 8;
+		
+	 	/* CCM/GCM needs additional bytes */
+		switch (enc_alg)
+		{
+			case ENCR_AES_CCM_ICV8:
+			case ENCR_AES_CCM_ICV12:
+			case ENCR_AES_CCM_ICV16:
+				enc_size += 3;
+				break;		
+			case ENCR_AES_GCM_ICV8:
+			case ENCR_AES_GCM_ICV12:
+			case ENCR_AES_GCM_ICV16:
+				enc_size += 4;
+				break;
+			default:
+				break;
+		}
+	}
+	
+	if (proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM,
+								&int_alg, &int_size))
+	{
+		DBG2(DBG_CHD, "  using %N for integrity",
+			 integrity_algorithm_names, int_alg);
+		
+		if (!int_size)
+		{
+			int_size = lookup_keylen(keylen_int, int_alg);
+		}
+		if (!int_size)
+		{
+			DBG1(DBG_CHD, "no keylenth defined for %N",
+				 integrity_algorithm_names, int_alg);
+			return FALSE;
+		}
+		/* to bytes */
+		int_size /= 8;
+	}
+	
+	this->prf->set_key(this->prf, this->skd);
+	prf_plus = prf_plus_create(this->prf, seed);
+	
+	prf_plus->allocate_bytes(prf_plus, enc_size, encr_i);
+	prf_plus->allocate_bytes(prf_plus, int_size, integ_i);
+	prf_plus->allocate_bytes(prf_plus, enc_size, encr_r);
+	prf_plus->allocate_bytes(prf_plus, int_size, integ_r);
+	
+	prf_plus->destroy(prf_plus);
+	
+	return TRUE;
+}
+
+/**
+ * Implementation of keymat_t.get_signer
+ */
+static signer_t* get_signer(private_keymat_t *this, bool in)
+{
+	return in ? this->signer_in : this->signer_out;
+}
+
+/**
+ * Implementation of keymat_t.get_crypter
+ */
+static crypter_t* get_crypter(private_keymat_t *this, bool in)
+{
+	return in ? this->crypter_in : this->crypter_out;
+}
+
+/**
+ * Implementation of keymat_t.get_auth_octets
+ */
+static chunk_t get_auth_octets(private_keymat_t *this, bool verify,
+							   chunk_t ike_sa_init, chunk_t nonce,
+							   identification_t *id)
+{
+	chunk_t chunk, idx, octets;
+	chunk_t skp;
+	
+	skp = verify ? this->skp_verify : this->skp_build;
+	
+	chunk = chunk_alloca(4);
+	memset(chunk.ptr, 0, chunk.len);
+	chunk.ptr[0] = id->get_type(id);
+	idx = chunk_cata("cc", chunk, id->get_encoding(id));
+	
+	DBG3(DBG_IKE, "IDx' %B", &idx);
+	DBG3(DBG_IKE, "SK_p %B", &skp);
+	this->prf->set_key(this->prf, skp);
+	this->prf->allocate_bytes(this->prf, idx, &chunk);
+	
+	octets = chunk_cat("ccm", ike_sa_init, nonce, chunk);
+	DBG3(DBG_IKE, "octets = message + nonce + prf(Sk_px, IDx') %B", &octets);
+	return octets;
+}
+
+/**
+ * Key pad for the AUTH method SHARED_KEY_MESSAGE_INTEGRITY_CODE.
+ */
+#define IKEV2_KEY_PAD "Key Pad for IKEv2"
+#define IKEV2_KEY_PAD_LENGTH 17
+
+/**
+ * Implementation of keymat_t.get_psk_sig
+ */
+static chunk_t get_psk_sig(private_keymat_t *this, bool verify, 
+						   chunk_t ike_sa_init, chunk_t nonce, chunk_t secret,
+						   identification_t *id)
+{
+	chunk_t key_pad, key, sig, octets;
+	
+	if (!secret.len)
+	{	/* EAP uses SK_p if no MSK has been established */
+		secret = verify ? this->skp_verify : this->skp_build;
+	}
+	octets = get_auth_octets(this, verify, ike_sa_init, nonce, id);
+	/* AUTH = prf(prf(Shared Secret,"Key Pad for IKEv2"), <msg octets>) */
+	key_pad = chunk_create(IKEV2_KEY_PAD, IKEV2_KEY_PAD_LENGTH);
+	this->prf->set_key(this->prf, secret);
+	this->prf->allocate_bytes(this->prf, key_pad, &key);
+	this->prf->set_key(this->prf, key);
+	this->prf->allocate_bytes(this->prf, octets, &sig);
+	DBG4(DBG_IKE, "secret %B", &secret);
+	DBG4(DBG_IKE, "prf(secret, keypad) %B", &key);
+	DBG3(DBG_IKE, "AUTH = prf(prf(secret, keypad), octets) %B", &sig);
+	chunk_free(&octets);
+	chunk_free(&key);
+	
+	return sig;
+}
+
+/**
+ * Implementation of keymat_t.destroy.
+ */
+static void destroy(private_keymat_t *this)
+{
+	DESTROY_IF(this->signer_in);
+	DESTROY_IF(this->signer_out);
+	DESTROY_IF(this->crypter_in);
+	DESTROY_IF(this->crypter_out);
+	DESTROY_IF(this->prf);
+	chunk_clear(&this->skd);
+	chunk_clear(&this->skp_verify);
+	chunk_clear(&this->skp_build);
+	free(this);
+}
+
+/**
+ * See header
+ */
+keymat_t *keymat_create(bool initiator)
+{
+	private_keymat_t *this = malloc_thing(private_keymat_t);
+	
+	this->public.create_dh = (diffie_hellman_t*(*)(keymat_t*, diffie_hellman_group_t group))create_dh;
+	this->public.derive_ike_keys = (bool(*)(keymat_t*, proposal_t *proposal, diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r, ike_sa_id_t *id, keymat_t *rekey))derive_ike_keys;
+	this->public.derive_child_keys = (bool(*)(keymat_t*, proposal_t *proposal, diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r, chunk_t *encr_i, chunk_t *integ_i, chunk_t *encr_r, chunk_t *integ_r))derive_child_keys;
+	this->public.get_signer = (signer_t*(*)(keymat_t*, bool in))get_signer;
+	this->public.get_crypter = (crypter_t*(*)(keymat_t*, bool in))get_crypter;
+	this->public.get_auth_octets = (chunk_t(*)(keymat_t *, bool verify, chunk_t ike_sa_init, chunk_t nonce, identification_t *id))get_auth_octets;
+	this->public.get_psk_sig = (chunk_t(*)(keymat_t*, bool verify, chunk_t ike_sa_init, chunk_t nonce, chunk_t secret, identification_t *id))get_psk_sig;
+	this->public.destroy = (void(*)(keymat_t*))destroy;
+	
+	this->initiator = initiator;
+	
+	this->signer_in = NULL;
+	this->signer_out = NULL;
+	this->crypter_in = NULL;
+	this->crypter_out = NULL;
+	this->prf = NULL;
+	this->skd = chunk_empty;
+	this->skp_verify = chunk_empty;
+	this->skp_build = chunk_empty;
+	
+	return &this->public;
+}
+
diff --git a/src/charon/sa/keymat.h b/src/charon/sa/keymat.h
new file mode 100644
index 000000000..3ca25da9e
--- /dev/null
+++ b/src/charon/sa/keymat.h
@@ -0,0 +1,154 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+/**
+ * @defgroup keymat keymat
+ * @{ @ingroup sa
+ */
+
+#ifndef KEYMAT_H_
+#define KEYMAT_H_
+
+#include <library.h>
+#include <utils/identification.h>
+#include <crypto/prfs/prf.h>
+#include <crypto/crypters/crypter.h>
+#include <crypto/signers/signer.h>
+#include <config/proposal.h>
+#include <sa/ike_sa_id.h>
+
+typedef struct keymat_t keymat_t;
+
+/**
+ * Derivation an management of sensitive keying material.
+ */
+struct keymat_t {
+	
+	/**
+	 * Create a diffie hellman object for key agreement.
+	 *
+	 * The diffie hellman is either for IKE negotiation/rekeying or
+	 * CHILD_SA rekeying (using PFS). The resulting DH object must be passed
+	 * to derive_keys or to derive_child_keys and destroyed after use
+	 *
+	 * @param group			diffie hellman group
+	 * @return				DH object, NULL if group not supported
+	 */
+	diffie_hellman_t* (*create_dh)(keymat_t *this, diffie_hellman_group_t group);
+	
+	/**
+	 * Derive keys for the IKE_SA.
+	 *
+	 * These keys are not handed out, but are used by the associated signers,
+	 * crypters and authentication functions.
+	 *
+	 * @param proposal	selected algorithms
+	 * @param dh		diffie hellman key allocated by create_dh()
+	 * @param nonce_i	initiators nonce value
+	 * @param nonce_r	responders nonce value
+	 * @param id		IKE_SA identifier
+	 * @param rekey		keymat of old SA if we are rekeying
+	 * @return			TRUE on success
+	 */
+	bool (*derive_ike_keys)(keymat_t *this, proposal_t *proposal,
+							diffie_hellman_t *dh, chunk_t nonce_i,
+							chunk_t nonce_r, ike_sa_id_t *id, keymat_t *rekey);
+	/**
+	 * Derive keys for a CHILD_SA.
+	 *
+	 * The keys for the CHILD_SA are allocated in the integ and encr chunks.
+	 * An implementation might hand out encrypted keys only, which are
+	 * decrypted in the kernel before use.
+	 * If no PFS is used for the CHILD_SA, dh can be NULL.
+	 *
+	 * @param proposal	selected algorithms
+	 * @param dh		diffie hellman key allocated by create_dh(), or NULL
+	 * @param nonce_i	initiators nonce value
+	 * @param nonce_r	responders nonce value
+	 * @param encr_i	chunk to write initiators encryption key to
+	 * @param integ_i	chunk to write initiators integrity key to
+	 * @param encr_r	chunk to write responders encryption key to
+	 * @param integ_r	chunk to write responders integrity key to
+	 * @return			TRUE on success
+	 */
+	bool (*derive_child_keys)(keymat_t *this, 
+							  proposal_t *proposal, diffie_hellman_t *dh,
+							  chunk_t nonce_i, chunk_t nonce_r,
+							  chunk_t *encr_i, chunk_t *integ_i,
+							  chunk_t *encr_r, chunk_t *integ_r);
+	/**
+	 * Get a signer to sign/verify IKE messages.
+	 *
+	 * @param in		TRUE for inbound (verify), FALSE for outbound (sign)
+	 * @return			signer
+	 */
+	signer_t* (*get_signer)(keymat_t *this, bool in);
+	
+	/*
+	 * Get a crypter to en-/decrypt IKE messages.
+	 *
+	 * @param in		TRUE for inbound (decrypt), FALSE for outbound (encrypt)
+	 * @return			crypter
+	 */
+	crypter_t* (*get_crypter)(keymat_t *this, bool in);
+	
+	/**
+	 * Generate octets to use for authentication procedure (RFC4306 2.15).
+	 *
+	 * This method creates the plain octets and is usually signed by a private
+	 * key. PSK and EAP authentication include a secret into the data, use
+	 * the get_psk_sig() method instead.
+	 *
+	 * @param verify		TRUE to create for verfification, FALSE to sign
+	 * @param ike_sa_init	encoded ike_sa_init message
+	 * @param nonce			nonce value
+	 * @param id			identity
+	 * @return				authentication octets
+	 */
+	chunk_t (*get_auth_octets)(keymat_t *this, bool verify, chunk_t ike_sa_init,
+							   chunk_t nonce, identification_t *id);
+	/**
+	 * Build the shared secret signature used for PSK and EAP authentication.
+	 *
+	 * This method wraps the get_auth_octets() method and additionally
+	 * includes the secret into the signature. If no secret is given, SK_p is
+	 * used as secret (used for EAP methods without MSK).
+	 *
+	 * @param verify		TRUE to create for verfification, FALSE to sign
+	 * @param ike_sa_init	encoded ike_sa_init message
+	 * @param nonce			nonce value
+	 * @param secret		optional secret to include into signature
+	 * @param id			identity
+	 * @return				signature octets
+	 */
+	chunk_t (*get_psk_sig)(keymat_t *this, bool verify, chunk_t ike_sa_init,
+						   chunk_t nonce, chunk_t secret, identification_t *id);
+	/**
+	 * Destroy a keymat_t.
+	 */
+	void (*destroy)(keymat_t *this);
+};
+
+/**
+ * Create a keymat instance.
+ *
+ * @param initiator		TRUE if we are the initiator
+ * @return				keymat instance
+ */
+keymat_t *keymat_create(bool initiator);
+
+#endif /* KEYMAT_ @}*/
diff --git a/src/charon/sa/mediation_manager.c b/src/charon/sa/mediation_manager.c
index d15f4c100..b508c48c3 100644
--- a/src/charon/sa/mediation_manager.c
+++ b/src/charon/sa/mediation_manager.c
@@ -12,13 +12,13 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: mediation_manager.c 3773 2008-04-07 09:36:52Z tobias $
+ * $Id: mediation_manager.c 4579 2008-11-05 11:29:56Z martin $
  */
 
 #include "mediation_manager.h"
 
-#include <pthread.h>
 #include <daemon.h>
+#include <utils/mutex.h>
 #include <utils/linked_list.h>
 #include <processing/jobs/mediation_job.h>
 
@@ -80,7 +80,7 @@ struct private_mediation_manager_t {
 	 /**
 	  * Lock for exclusivly accessing the manager.
 	  */
-	 pthread_mutex_t mutex;
+	 mutex_t *mutex;
 
 	 /**
 	  * Linked list with state entries.
@@ -182,7 +182,7 @@ static void remove_sa(private_mediation_manager_t *this, ike_sa_id_t *ike_sa_id)
 	iterator_t *iterator;
 	peer_t *peer;
 
-	pthread_mutex_lock(&(this->mutex));
+	this->mutex->lock(this->mutex);
 	
 	iterator = this->peers->create_iterator(this->peers, TRUE);
 	while (iterator->iterate(iterator, (void**)&peer))
@@ -199,7 +199,7 @@ static void remove_sa(private_mediation_manager_t *this, ike_sa_id_t *ike_sa_id)
 	}
 	iterator->destroy(iterator);
 
-	pthread_mutex_unlock(&(this->mutex));
+	this->mutex->unlock(this->mutex);
 }
 
 /**
@@ -211,7 +211,7 @@ static void update_sa_id(private_mediation_manager_t *this, identification_t *pe
 	peer_t *peer;
 	bool found = FALSE;
 
-	pthread_mutex_lock(&(this->mutex));
+	this->mutex->lock(this->mutex);
 
 	iterator = this->peers->create_iterator(this->peers, TRUE);
 	while (iterator->iterate(iterator, (void**)&peer))
@@ -244,7 +244,7 @@ static void update_sa_id(private_mediation_manager_t *this, identification_t *pe
 		requester->destroy(requester);
 	}
 	
-	pthread_mutex_unlock(&(this->mutex));
+	this->mutex->unlock(this->mutex);
 }
 
 /**
@@ -256,17 +256,17 @@ static ike_sa_id_t *check(private_mediation_manager_t *this,
 	peer_t *peer;
 	ike_sa_id_t *ike_sa_id;
 
-	pthread_mutex_lock(&(this->mutex));
+	this->mutex->lock(this->mutex);
 
 	if (get_peer_by_id(this, peer_id, &peer) != SUCCESS)
 	{
-		pthread_mutex_unlock(&(this->mutex));
+		this->mutex->unlock(this->mutex);
 		return NULL;
 	}
 
 	ike_sa_id = peer->ike_sa_id;
 
-	pthread_mutex_unlock(&(this->mutex));
+	this->mutex->unlock(this->mutex);
 
 	return ike_sa_id;
 }
@@ -280,7 +280,7 @@ static ike_sa_id_t *check_and_register(private_mediation_manager_t *this,
 	peer_t *peer;
 	ike_sa_id_t *ike_sa_id;
 
-	pthread_mutex_lock(&(this->mutex));
+	this->mutex->lock(this->mutex);
 
 	if (get_peer_by_id(this, peer_id, &peer) != SUCCESS)
 	{
@@ -294,13 +294,13 @@ static ike_sa_id_t *check_and_register(private_mediation_manager_t *this,
 		/* the peer is not online */
 		DBG2(DBG_IKE, "requested peer '%D' is offline, registering peer '%D'", peer_id, requester);
 		register_peer(peer, requester);
-		pthread_mutex_unlock(&(this->mutex));
+		this->mutex->unlock(this->mutex);
 		return NULL;
 	}
 
 	ike_sa_id = peer->ike_sa_id;
 
-	pthread_mutex_unlock(&(this->mutex));
+	this->mutex->unlock(this->mutex);
 
 	return ike_sa_id;
 }
@@ -310,12 +310,12 @@ static ike_sa_id_t *check_and_register(private_mediation_manager_t *this,
  */
 static void destroy(private_mediation_manager_t *this)
 {
-	pthread_mutex_lock(&(this->mutex));
+	this->mutex->lock(this->mutex);
 	
 	this->peers->destroy_function(this->peers, (void*)peer_destroy);
 	
-	pthread_mutex_unlock(&(this->mutex));	
-	pthread_mutex_destroy(&(this->mutex));
+	this->mutex->unlock(this->mutex);
+	this->mutex->destroy(this->mutex);
 	free(this);
 }
 
@@ -333,7 +333,7 @@ mediation_manager_t *mediation_manager_create()
 	this->public.check_and_register = (ike_sa_id_t*(*)(mediation_manager_t*,identification_t*,identification_t*))check_and_register;
 	
 	this->peers = linked_list_create();
-	pthread_mutex_init(&(this->mutex), NULL);
+	this->mutex = mutex_create(MUTEX_DEFAULT);
 	
 	return (mediation_manager_t*)this;
 }
diff --git a/src/charon/sa/task_manager.c b/src/charon/sa/task_manager.c
index 25089477b..0630647c9 100644
--- a/src/charon/sa/task_manager.c
+++ b/src/charon/sa/task_manager.c
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: task_manager.c 4320 2008-09-02 14:02:40Z martin $
+ * $Id: task_manager.c 4484 2008-10-27 11:13:33Z martin $
  */
 
 #include "task_manager.h"
@@ -145,44 +145,15 @@ struct private_task_manager_t {
  */
 static void flush(private_task_manager_t *this)
 {
-	task_t *task;
-	
 	this->queued_tasks->destroy_offset(this->queued_tasks, 
 										offsetof(task_t, destroy));
 	this->passive_tasks->destroy_offset(this->passive_tasks,
 										offsetof(task_t, destroy));
-	
-	/* emmit outstanding signals for tasks */
-	while (this->active_tasks->remove_last(this->active_tasks,
-										   (void**)&task) == SUCCESS)
-	{
-		switch (task->get_type(task))
-		{
-			case IKE_AUTH:
-				SIG_IKE(UP_FAILED, "establishing IKE_SA failed");
-				break;
-			case IKE_DELETE:
-				SIG_IKE(DOWN_FAILED, "IKE_SA deleted");
-				break;
-			case IKE_REKEY:
-				SIG_IKE(REKEY_FAILED, "rekeying IKE_SA failed");
-				break;
-			case CHILD_CREATE:
-				SIG_CHD(UP_FAILED, NULL, "establishing CHILD_SA failed");
-				break;
-			case CHILD_DELETE:
-				SIG_CHD(DOWN_FAILED, NULL, "deleting CHILD_SA failed");
-				break;
-			case CHILD_REKEY:
-				SIG_IKE(REKEY_FAILED, "rekeying CHILD_SA failed");
-				break;
-			default:
-				break;
-		}
-		task->destroy(task);
-	}
+	this->active_tasks->destroy_offset(this->active_tasks,
+										offsetof(task_t, destroy));
 	this->queued_tasks = linked_list_create();
 	this->passive_tasks = linked_list_create();
+	this->active_tasks = linked_list_create();
 }
 
 /**
@@ -648,6 +619,7 @@ static status_t build_response(private_task_manager_t *this, message_t *request)
 	DESTROY_IF(this->responding.packet);
 	status = this->ike_sa->generate_message(this->ike_sa, message,
 											&this->responding.packet);
+	charon->bus->message(charon->bus, message, FALSE);
 	message->destroy(message);
 	if (status != SUCCESS)
 	{
@@ -867,6 +839,7 @@ static status_t process_message(private_task_manager_t *this, message_t *msg)
 	{
 		if (mid == this->responding.mid)
 		{
+			charon->bus->message(charon->bus, msg, TRUE);
 			if (process_request(this, msg) != SUCCESS)
 			{
 				flush(this);
diff --git a/src/charon/sa/tasks/child_create.c b/src/charon/sa/tasks/child_create.c
index bddca621b..767ceef55 100644
--- a/src/charon/sa/tasks/child_create.c
+++ b/src/charon/sa/tasks/child_create.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2008 Tobias Brunner
- * Copyright (C) 2005-2007 Martin Willi
+ * Copyright (C) 2005-2008 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
  *
@@ -14,7 +14,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: child_create.c 4358 2008-09-25 13:56:23Z tobias $
+ * $Id: child_create.c 4618 2008-11-11 09:22:00Z tobias $
  */
 
 #include "child_create.h"
@@ -96,6 +96,11 @@ struct private_child_create_t {
 	 */
 	diffie_hellman_group_t dh_group;
 	
+	/**
+	 * IKE_SAs keymat
+	 */
+	keymat_t *keymat;
+	
 	/**
 	 * mode the new CHILD_SA uses (transport/tunnel/beet)
 	 */
@@ -191,38 +196,22 @@ static bool ts_list_is_host(linked_list_t *list, host_t *host)
  */
 static status_t select_and_install(private_child_create_t *this, bool no_dh)
 {
-	prf_plus_t *prf_plus;
 	status_t status;
-	chunk_t nonce_i, nonce_r, secret, seed;
+	chunk_t nonce_i, nonce_r, encr_i, integ_i, encr_r, integ_r;
 	linked_list_t *my_ts, *other_ts;
 	host_t *me, *other, *other_vip, *my_vip;
 	
 	if (this->proposals == NULL)
 	{
-		SIG_CHD(UP_FAILED, this->child_sa, "SA payload missing in message");
+		DBG1(DBG_IKE, "SA payload missing in message");
 		return FAILED;
 	}
 	if (this->tsi == NULL || this->tsr == NULL)
 	{
-		SIG_CHD(UP_FAILED, this->child_sa, "TS payloads missing in message");
+		DBG1(DBG_IKE, "TS payloads missing in message");
 		return NOT_FOUND;
 	}
 	
-	if (this->initiator)
-	{
-		nonce_i = this->my_nonce;
-		nonce_r = this->other_nonce;
-		my_ts = this->tsi;
-		other_ts = this->tsr;
-	}
-	else
-	{
-		nonce_r = this->my_nonce;
-		nonce_i = this->other_nonce;
-		my_ts = this->tsr;
-		other_ts = this->tsi;
-	}
-	
 	me = this->ike_sa->get_my_host(this->ike_sa);
 	other = this->ike_sa->get_other_host(this->ike_sa);
 	my_vip = this->ike_sa->get_virtual_ip(this->ike_sa, TRUE);
@@ -232,7 +221,7 @@ static status_t select_and_install(private_child_create_t *this, bool no_dh)
 												   no_dh);
 	if (this->proposal == NULL)
 	{
-		SIG_CHD(UP_FAILED, this->child_sa, "no acceptable proposal found");
+		DBG1(DBG_IKE, "no acceptable proposal found");
 		return FAILED;
 	}
 	
@@ -243,15 +232,15 @@ static status_t select_and_install(private_child_create_t *this, bool no_dh)
 		if (this->proposal->get_algorithm(this->proposal, DIFFIE_HELLMAN_GROUP,
 										  &group, NULL))
 		{
-			SIG_CHD(UP_FAILED, this->child_sa, "DH group %N inacceptable, "
-					"requesting %N", diffie_hellman_group_names, this->dh_group,
-					diffie_hellman_group_names, group);
+			DBG1(DBG_IKE, "DH group %N inacceptable, requesting %N",
+				 diffie_hellman_group_names, this->dh_group,
+				 diffie_hellman_group_names, group);
 			this->dh_group = group;
 			return INVALID_ARG;
 		}
 		else
 		{
-			SIG_CHD(UP_FAILED, this->child_sa, "no acceptable proposal found");
+			DBG1(DBG_IKE, "no acceptable proposal found");
 			return FAILED;
 		}
 	}
@@ -260,16 +249,25 @@ static status_t select_and_install(private_child_create_t *this, bool no_dh)
 	{
 		my_vip = me;
 	}
-	else if (this->initiator)
-	{
-		/* to setup firewall rules correctly, CHILD_SA needs the virtual IP */
-		this->child_sa->set_virtual_ip(this->child_sa, my_vip);
-	}
 	if (other_vip == NULL)
 	{
 		other_vip = other;
 	}
 	
+	if (this->initiator)
+	{
+		nonce_i = this->my_nonce;
+		nonce_r = this->other_nonce;
+		my_ts = this->tsi;
+		other_ts = this->tsr;
+	}
+	else
+	{
+		nonce_r = this->my_nonce;
+		nonce_i = this->other_nonce;
+		my_ts = this->tsr;
+		other_ts = this->tsi;
+	}
 	my_ts = this->config->get_traffic_selectors(this->config, TRUE, my_ts,
 												my_vip);
 	other_ts = this->config->get_traffic_selectors(this->config, FALSE, other_ts, 
@@ -279,7 +277,7 @@ static status_t select_and_install(private_child_create_t *this, bool no_dh)
 	{
 		my_ts->destroy_offset(my_ts, offsetof(traffic_selector_t, destroy));
 		other_ts->destroy_offset(other_ts, offsetof(traffic_selector_t, destroy));
-		SIG_CHD(UP_FAILED, this->child_sa, "no acceptable traffic selectors found");
+		DBG1(DBG_IKE, "no acceptable traffic selectors found");
 		return NOT_FOUND;
 	}
 	
@@ -302,16 +300,18 @@ static status_t select_and_install(private_child_create_t *this, bool no_dh)
 		switch (this->mode)
 		{
 			case MODE_TRANSPORT:
-				if (!ts_list_is_host(this->tsi, other) ||
-					!ts_list_is_host(this->tsr, me))
+				if (!this->config->use_proxy_mode(this->config) &&
+					   (!ts_list_is_host(this->tsi, other) ||
+						!ts_list_is_host(this->tsr, me))
+				   )
 				{
 					this->mode = MODE_TUNNEL;
-					DBG1(DBG_IKE, "not using tranport mode, not host-to-host");
+					DBG1(DBG_IKE, "not using transport mode, not host-to-host");
 				}
 				else if (this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY))
 				{
 					this->mode = MODE_TUNNEL;
-					DBG1(DBG_IKE, "not using tranport mode, connection NATed");
+					DBG1(DBG_IKE, "not using transport mode, connection NATed");
 				}
 				break;
 			case MODE_BEET:
@@ -327,55 +327,51 @@ static status_t select_and_install(private_child_create_t *this, bool no_dh)
 		}
 	}
 	
-	if (this->dh)
+	this->child_sa->set_state(this->child_sa, CHILD_INSTALLING);
+	
+	if (this->ipcomp != IPCOMP_NONE)
 	{
-		if (this->dh->get_shared_secret(this->dh, &secret) != SUCCESS)
-		{
-			SIG_CHD(UP_FAILED, this->child_sa, "DH exchange incomplete");
-			return FAILED;
-		}
-		DBG3(DBG_IKE, "DH secret %B", &secret);
-		seed = chunk_cata("mcc", secret, nonce_i, nonce_r);
+		this->child_sa->activate_ipcomp(this->child_sa, this->ipcomp,
+										this->other_cpi);
 	}
-	else
+	
+	status = FAILED;
+	if (this->keymat->derive_child_keys(this->keymat, this->proposal,
+			this->dh, nonce_i, nonce_r,	&encr_i, &integ_i, &encr_r, &integ_r))
 	{
-		seed = chunk_cata("cc", nonce_i, nonce_r);
+		if (this->initiator)
+		{
+			status = this->child_sa->update(this->child_sa, this->proposal,
+							this->mode, integ_r, integ_i, encr_r, encr_i);
+		}
+		else
+		{
+			status = this->child_sa->add(this->child_sa, this->proposal,
+							this->mode, integ_i, integ_r, encr_i, encr_r);
+		}
 	}
+	chunk_clear(&integ_i);
+	chunk_clear(&integ_r);
+	chunk_clear(&encr_i);
+	chunk_clear(&encr_r);
 	
-	if (this->ipcomp != IPCOMP_NONE)
+	if (status != SUCCESS)
 	{
-		this->child_sa->activate_ipcomp(this->child_sa, this->ipcomp,
-										this->other_cpi);
+		DBG1(DBG_IKE, "unable to install IPsec SA (SAD) in kernel");
+		return FAILED;
 	}
 	
 	status = this->child_sa->add_policies(this->child_sa, my_ts, other_ts,
 					this->mode, this->proposal->get_protocol(this->proposal));
 	if (status != SUCCESS)
 	{	
-		SIG_CHD(UP_FAILED, this->child_sa, 
-				"unable to install IPsec policies (SPD) in kernel");
+		DBG1(DBG_IKE, "unable to install IPsec policies (SPD) in kernel");
 		return NOT_FOUND;
 	}
 	
-	prf_plus = prf_plus_create(this->ike_sa->get_child_prf(this->ike_sa), seed);
-	if (this->initiator)
-	{
-		status = this->child_sa->update(this->child_sa, this->proposal,
-										this->mode, prf_plus);
-	}
-	else
-	{
-		status = this->child_sa->add(this->child_sa, this->proposal,
-									 this->mode, prf_plus);
-	}
-	prf_plus->destroy(prf_plus);
+	charon->bus->child_keys(charon->bus, this->child_sa, this->dh,
+							nonce_i, nonce_r);
 	
-	if (status != SUCCESS)
-	{
-		SIG_CHD(UP_FAILED, this->child_sa, 
-				"unable to install IPsec SA (SAD) in kernel");
-		return FAILED;
-	}
 	/* add to IKE_SA, and remove from task */
 	this->child_sa->set_state(this->child_sa, CHILD_INSTALLED);
 	this->ike_sa->add_child_sa(this->ike_sa, this->child_sa);
@@ -499,7 +495,7 @@ static void process_payloads(private_child_create_t *this, message_t *message)
 				if (!this->initiator)
 				{
 					this->dh_group = ke_payload->get_dh_group_number(ke_payload);
-					this->dh = lib->crypto->create_dh(lib->crypto, this->dh_group);
+					this->dh = this->keymat->create_dh(this->keymat, this->dh_group);
 				}
 				if (this->dh)
 				{
@@ -592,13 +588,13 @@ static status_t build_i(private_child_create_t *this, message_t *message)
 	
 	if (this->reqid)
 	{
-		SIG_CHD(UP_START, NULL, "establishing CHILD_SA %s{%d}",
-				this->config->get_name(this->config), this->reqid);
+		DBG0(DBG_IKE, "establishing CHILD_SA %s{%d}",
+			 this->config->get_name(this->config), this->reqid);
 	}
 	else
 	{
-		SIG_CHD(UP_START, NULL, "establishing CHILD_SA %s",
-				this->config->get_name(this->config));
+		DBG0(DBG_IKE, "establishing CHILD_SA %s",
+			 this->config->get_name(this->config));
 	}
 	
 	/* reuse virtual IP if we already have one */
@@ -641,23 +637,19 @@ static status_t build_i(private_child_create_t *this, message_t *message)
 												  this->dh_group == MODP_NONE);
 	this->mode = this->config->get_mode(this->config);
 	
-	this->child_sa = child_sa_create(
-			this->ike_sa->get_my_host(this->ike_sa),
-			this->ike_sa->get_other_host(this->ike_sa),
-			this->ike_sa->get_my_id(this->ike_sa), 
-			this->ike_sa->get_other_id(this->ike_sa), this->config, this->reqid,
+	this->child_sa = child_sa_create(this->ike_sa->get_my_host(this->ike_sa),
+			this->ike_sa->get_other_host(this->ike_sa), this->config, this->reqid,
 			this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY));
 	
 	if (this->child_sa->alloc(this->child_sa, this->proposals) != SUCCESS)
 	{
-		SIG_CHD(UP_FAILED, this->child_sa,
-				"unable to allocate SPIs from kernel");
+		DBG1(DBG_IKE, "unable to allocate SPIs from kernel");
 		return FAILED;
 	}
 	
 	if (this->dh_group != MODP_NONE)
 	{
-		this->dh = lib->crypto->create_dh(lib->crypto, this->dh_group);
+		this->dh = this->keymat->create_dh(this->keymat, this->dh_group);
 	}
 	
 	if (this->config->use_ipcomp(this->config)) {
@@ -679,7 +671,7 @@ static status_t build_i(private_child_create_t *this, message_t *message)
 }
 
 /**
- * Implementation of task_t.process for initiator
+ * Implementation of task_t.process for responder
  */
 static status_t process_r(private_child_create_t *this, message_t *message)
 {
@@ -785,16 +777,15 @@ static status_t build_r(private_child_create_t *this, message_t *message)
 	
 	if (this->ike_sa->get_state(this->ike_sa) == IKE_REKEYING)
 	{
-		SIG_CHD(UP_FAILED, NULL,
-				"unable to create CHILD_SA while rekeying IKE_SA");
+		DBG1(DBG_IKE, "unable to create CHILD_SA while rekeying IKE_SA");
 		message->add_notify(message, TRUE, NO_ADDITIONAL_SAS, chunk_empty);
 		return SUCCESS;
 	}
 	
 	if (this->config == NULL)
 	{
-		SIG_CHD(UP_FAILED, NULL, "traffic selectors %#R=== %#R inacceptable",
-			this->tsr, this->tsi);
+		DBG1(DBG_IKE, "traffic selectors %#R=== %#R inacceptable",
+			 this->tsr, this->tsi);
 		message->add_notify(message, FALSE, TS_UNACCEPTABLE, chunk_empty);
 		handle_child_sa_failure(this, message);
 		return SUCCESS;
@@ -813,8 +804,8 @@ static status_t build_r(private_child_create_t *this, message_t *message)
 				case INTERNAL_ADDRESS_FAILURE:
 				case FAILED_CP_REQUIRED:
 				{
-					SIG_CHD(UP_FAILED, NULL, "configuration payload negotation "
-						"failed, no CHILD_SA built");
+					DBG1(DBG_IKE,"configuration payload negotation "
+						 "failed, no CHILD_SA built");
 					iterator->destroy(iterator);
 					handle_child_sa_failure(this, message);
 					return SUCCESS;
@@ -826,11 +817,8 @@ static status_t build_r(private_child_create_t *this, message_t *message)
 	}
 	iterator->destroy(iterator);
 	
-	this->child_sa = child_sa_create(
-			this->ike_sa->get_my_host(this->ike_sa),
-			this->ike_sa->get_other_host(this->ike_sa),
-			this->ike_sa->get_my_id(this->ike_sa),
-			this->ike_sa->get_other_id(this->ike_sa), this->config, this->reqid,
+	this->child_sa = child_sa_create(this->ike_sa->get_my_host(this->ike_sa),
+			this->ike_sa->get_other_host(this->ike_sa), this->config, this->reqid,
 			this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY));
 	
 	if (this->config->use_ipcomp(this->config) &&
@@ -870,14 +858,14 @@ static status_t build_r(private_child_create_t *this, message_t *message)
 	
 	build_payloads(this, message);
 	
-	SIG_CHD(UP_SUCCESS, this->child_sa, "CHILD_SA %s{%d} established "
-			"with SPIs %.8x_i %.8x_o and TS %#R=== %#R",
-			this->child_sa->get_name(this->child_sa),
-			this->child_sa->get_reqid(this->child_sa),
-			ntohl(this->child_sa->get_spi(this->child_sa, TRUE)),
-			ntohl(this->child_sa->get_spi(this->child_sa, FALSE)),
-			this->child_sa->get_traffic_selectors(this->child_sa, TRUE),
-			this->child_sa->get_traffic_selectors(this->child_sa, FALSE));
+	DBG0(DBG_IKE, "CHILD_SA %s{%d} established "
+		 "with SPIs %.8x_i %.8x_o and TS %#R=== %#R",
+		 this->child_sa->get_name(this->child_sa),
+		 this->child_sa->get_reqid(this->child_sa),
+		 ntohl(this->child_sa->get_spi(this->child_sa, TRUE)),
+		 ntohl(this->child_sa->get_spi(this->child_sa, FALSE)),
+		 this->child_sa->get_traffic_selectors(this->child_sa, TRUE),
+		 this->child_sa->get_traffic_selectors(this->child_sa, FALSE));
 
 	return SUCCESS;
 }
@@ -929,8 +917,8 @@ static status_t process_i(private_child_create_t *this, message_t *message)
 				case TS_UNACCEPTABLE:
 				case INVALID_SELECTORS:
 				{
-					SIG_CHD(UP_FAILED, this->child_sa, "received %N notify, "
-							"no CHILD_SA built", notify_type_names, type);
+					DBG1(DBG_IKE, "received %N notify, no CHILD_SA built",
+						 notify_type_names, type);
 					iterator->destroy(iterator);
 					handle_child_sa_failure(this, message);
 					/* an error in CHILD_SA creation is not critical */
@@ -963,35 +951,35 @@ static status_t process_i(private_child_create_t *this, message_t *message)
 	
 	if (this->ipcomp == IPCOMP_NONE && this->ipcomp_received != IPCOMP_NONE)
 	{
-		SIG_CHD(UP_FAILED, this->child_sa, "received an IPCOMP_SUPPORTED notify"
-				" but we did not send one previously, no CHILD_SA built");
+		DBG1(DBG_IKE, "received an IPCOMP_SUPPORTED notify without requesting"
+			 " one, no CHILD_SA built");
 		handle_child_sa_failure(this, message);
 		return SUCCESS;
 	}
 	else if (this->ipcomp != IPCOMP_NONE && this->ipcomp_received == IPCOMP_NONE)
 	{
 		DBG1(DBG_IKE, "peer didn't accept our proposed IPComp transforms, "
-				"IPComp is disabled");
+			 "IPComp is disabled");
 		this->ipcomp = IPCOMP_NONE;
 	}
 	else if (this->ipcomp != IPCOMP_NONE && this->ipcomp != this->ipcomp_received)
 	{
-		SIG_CHD(UP_FAILED, this->child_sa, "received an IPCOMP_SUPPORTED notify"
-				" for a transform we did not propose, no CHILD_SA built");
+		DBG1(DBG_IKE, "received an IPCOMP_SUPPORTED notify we didn't propose, "
+			 "no CHILD_SA built");
 		handle_child_sa_failure(this, message);
 		return SUCCESS;
 	}
 	
 	if (select_and_install(this, no_dh) == SUCCESS)
 	{
-		SIG_CHD(UP_SUCCESS, this->child_sa, "CHILD_SA %s{%d} established "
-				"with SPIs %.8x_i %.8x_o and TS %#R=== %#R",
-				this->child_sa->get_name(this->child_sa),
-				this->child_sa->get_reqid(this->child_sa),
-				ntohl(this->child_sa->get_spi(this->child_sa, TRUE)),
-				ntohl(this->child_sa->get_spi(this->child_sa, FALSE)),
-				this->child_sa->get_traffic_selectors(this->child_sa, TRUE),
-				this->child_sa->get_traffic_selectors(this->child_sa, FALSE));
+		DBG0(DBG_IKE, "CHILD_SA %s{%d} established "
+			 "with SPIs %.8x_i %.8x_o and TS %#R=== %#R",
+			 this->child_sa->get_name(this->child_sa),
+			 this->child_sa->get_reqid(this->child_sa),
+			 ntohl(this->child_sa->get_spi(this->child_sa, TRUE)),
+			 ntohl(this->child_sa->get_spi(this->child_sa, FALSE)),
+			 this->child_sa->get_traffic_selectors(this->child_sa, TRUE),
+			 this->child_sa->get_traffic_selectors(this->child_sa, FALSE));
 	}
 	else
 	{
@@ -1144,6 +1132,7 @@ child_create_t *child_create_create(ike_sa_t *ike_sa, child_cfg_t *config)
 	this->tsr = NULL;
 	this->dh = NULL;
 	this->dh_group = MODP_NONE;
+	this->keymat = ike_sa->get_keymat(ike_sa);
 	this->child_sa = NULL;
 	this->mode = MODE_TUNNEL;
 	this->ipcomp = IPCOMP_NONE;
diff --git a/src/charon/sa/tasks/child_delete.c b/src/charon/sa/tasks/child_delete.c
index a3c74dc90..cab1d63f0 100644
--- a/src/charon/sa/tasks/child_delete.c
+++ b/src/charon/sa/tasks/child_delete.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: child_delete.c 4366 2008-10-03 16:01:14Z martin $
+ * $Id: child_delete.c 4434 2008-10-14 08:52:13Z martin $
  */
 
 #include "child_delete.h"
@@ -222,14 +222,13 @@ static void log_children(private_child_delete_t *this)
 	iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
 	while (iterator->iterate(iterator, (void**)&child_sa))
 	{
-		SIG_CHD(DOWN_START, child_sa, "closing CHILD_SA %s{%d} "
-				"with SPIs %.8x_i %.8x_o and TS %#R=== %#R",
-				child_sa->get_name(child_sa),
-				child_sa->get_reqid(child_sa),
-				ntohl(child_sa->get_spi(child_sa, TRUE)),
-				ntohl(child_sa->get_spi(child_sa, FALSE)),
-				child_sa->get_traffic_selectors(child_sa, TRUE),
-				child_sa->get_traffic_selectors(child_sa, FALSE));
+		DBG0(DBG_IKE, "closing CHILD_SA %s{%d} "
+			 "with SPIs %.8x_i %.8x_o and TS %#R=== %#R",
+			 child_sa->get_name(child_sa), child_sa->get_reqid(child_sa),
+			 ntohl(child_sa->get_spi(child_sa, TRUE)),
+			 ntohl(child_sa->get_spi(child_sa, FALSE)),
+			 child_sa->get_traffic_selectors(child_sa, TRUE),
+			 child_sa->get_traffic_selectors(child_sa, FALSE));
 	}
 	iterator->destroy(iterator);
 }
@@ -254,7 +253,7 @@ static status_t process_i(private_child_delete_t *this, message_t *message)
 	this->child_sas = linked_list_create();
 	
 	process_payloads(this, message);
-	SIG_CHD(DOWN_SUCCESS, NULL, "CHILD_SA closed");
+	DBG1(DBG_IKE, "CHILD_SA closed");
 	return destroy_and_reestablish(this);
 }
 
@@ -278,7 +277,7 @@ static status_t build_r(private_child_delete_t *this, message_t *message)
 	{
 		build_payloads(this, message);	
 	}
-	SIG_CHD(DOWN_SUCCESS, NULL, "CHILD_SA closed");
+	DBG1(DBG_IKE, "CHILD_SA closed");
 	return destroy_and_reestablish(this);
 }
 
diff --git a/src/charon/sa/tasks/child_rekey.c b/src/charon/sa/tasks/child_rekey.c
index 3953951a3..e50ad33be 100644
--- a/src/charon/sa/tasks/child_rekey.c
+++ b/src/charon/sa/tasks/child_rekey.c
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: child_rekey.c 3589 2008-03-13 14:14:44Z martin $
+ * $Id: child_rekey.c 4659 2008-11-14 14:05:47Z martin $
  */
 
 #include "child_rekey.h"
@@ -23,6 +23,7 @@
 #include <sa/tasks/child_create.h>
 #include <sa/tasks/child_delete.h>
 #include <processing/jobs/rekey_child_sa_job.h>
+#include <processing/jobs/rekey_ike_sa_job.h>
 
 
 typedef struct private_child_rekey_t private_child_rekey_t;
@@ -177,6 +178,31 @@ static status_t process_i(private_child_rekey_t *this, message_t *message)
 	protocol_id_t protocol;
 	u_int32_t spi;
 	child_sa_t *to_delete;
+	iterator_t *iterator;
+	payload_t *payload;
+	
+	/* handle NO_ADDITIONAL_SAS notify */
+	iterator = message->get_payload_iterator(message);
+	while (iterator->iterate(iterator, (void**)&payload))
+	{
+		if (payload->get_type(payload) == NOTIFY)
+		{
+			notify_payload_t *notify = (notify_payload_t*)payload;
+			
+			if (notify->get_notify_type(notify) == NO_ADDITIONAL_SAS)
+			{
+				DBG1(DBG_IKE, "peer seems to not support CHILD_SA rekeying, "
+					 "starting reauthentication");
+				this->child_sa->set_state(this->child_sa, CHILD_INSTALLED);
+				charon->processor->queue_job(charon->processor,
+						(job_t*)rekey_ike_sa_job_create(
+									this->ike_sa->get_id(this->ike_sa), TRUE));
+				iterator->destroy(iterator);
+				return SUCCESS;
+			}
+		}
+	}
+	iterator->destroy(iterator);
 	
 	if (this->child_create->task.process(&this->child_create->task, message) == NEED_MORE)
 	{
diff --git a/src/charon/sa/tasks/ike_auth.c b/src/charon/sa/tasks/ike_auth.c
index 51f37f1b0..5c3f33cbd 100644
--- a/src/charon/sa/tasks/ike_auth.c
+++ b/src/charon/sa/tasks/ike_auth.c
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details
  *
- * $Id: ike_auth.c 4276 2008-08-22 10:44:51Z martin $
+ * $Id: ike_auth.c 4463 2008-10-20 11:38:16Z martin $
  */
 
 #include "ike_auth.h"
@@ -146,6 +146,8 @@ static bool check_uniqueness(private_ike_auth_t *this)
 			charon->ike_sa_manager->checkin(charon->ike_sa_manager, duplicate);
 		}
 	}
+	/* set threads active IKE_SA after checkin */
+	charon->bus->set_sa(charon->bus, this->ike_sa);
 	return cancel;
 }
 
@@ -201,15 +203,15 @@ static status_t build_auth(private_ike_auth_t *this, message_t *message)
 	config = this->ike_sa->get_peer_cfg(this->ike_sa);
 	if (!config)
 	{
-		SIG_IKE(UP_FAILED, "unable to authenticate, no peer config found");
+		DBG1(DBG_IKE, "unable to authenticate, no peer config found");
 		return FAILED;
 	}
 	
 	auth = authenticator_create_from_class(this->ike_sa, get_auth_class(config));
 	if (auth == NULL)
 	{
-		SIG_IKE(UP_FAILED, "configured authentication class %N not supported",
-			auth_class_names, get_auth_class(config));
+		DBG1(DBG_IKE, "configured authentication class %N not supported",
+			 auth_class_names, get_auth_class(config));
 		return FAILED;
 	}
 	
@@ -218,7 +220,7 @@ static status_t build_auth(private_ike_auth_t *this, message_t *message)
 	auth->destroy(auth);
 	if (status != SUCCESS)
 	{
-		SIG_IKE(UP_FAILED, "generating authentication data failed");
+		DBG1(DBG_IKE, "generating authentication data failed");
 		return FAILED;
 	}
 	message->add_payload(message, (payload_t*)auth_payload);
@@ -243,7 +245,7 @@ static status_t build_id(private_ike_auth_t *this, message_t *message)
 		me = config->get_my_id(config);
 		if (me->contains_wildcards(me))
 		{
-			SIG_IKE(UP_FAILED, "negotiation of own ID failed");
+			DBG1(DBG_IKE, "negotiation of own ID failed");
 			return FAILED;
 		}
 		this->ike_sa->set_my_id(this->ike_sa, me->clone(me));
@@ -284,8 +286,8 @@ static status_t process_auth(private_ike_auth_t *this, message_t *message)
 									auth_payload->get_auth_method(auth_payload));
 	if (auth == NULL)
 	{
-		SIG_IKE(UP_FAILED, "authentication method %N used by '%D' not "
-			"supported", auth_method_names, auth_method,
+		DBG1(DBG_IKE, "authentication method %N used by '%D' not supported",
+			auth_method_names, auth_method,
 			this->ike_sa->get_other_id(this->ike_sa));
 		return NOT_SUPPORTED;
 	}
@@ -294,7 +296,7 @@ static status_t process_auth(private_ike_auth_t *this, message_t *message)
 	auth->destroy(auth);
 	if (status != SUCCESS)
 	{
-		SIG_IKE(UP_FAILED, "authentication of '%D' with %N failed",
+		DBG0(DBG_IKE, "authentication of '%D' with %N failed",
 			 this->ike_sa->get_other_id(this->ike_sa), 
 			 auth_method_names, auth_method);	
 		return FAILED;
@@ -315,7 +317,7 @@ static status_t process_id(private_ike_auth_t *this, message_t *message)
 
 	if ((this->initiator && idr == NULL) || (!this->initiator && idi == NULL))
 	{
-		SIG_IKE(UP_FAILED, "ID payload missing in message");
+		DBG1(DBG_IKE, "ID payload missing in message");
 		return FAILED;
 	}
 	
@@ -325,7 +327,7 @@ static status_t process_id(private_ike_auth_t *this, message_t *message)
 		req = this->ike_sa->get_other_id(this->ike_sa);
 		if (!id->matches(id, req))
 		{
-			SIG_IKE(UP_FAILED, "peer ID '%D' unacceptable, '%D' required", id, req);
+			DBG0(DBG_IKE, "peer ID '%D' unacceptable, '%D' required", id, req);
 			id->destroy(id);
 			return FAILED;
 		}
@@ -402,7 +404,7 @@ static status_t build_auth_eap(private_ike_auth_t *this, message_t *message)
 	if (auth->build(auth, this->my_packet->get_data(this->my_packet),
 		this->other_nonce, &auth_payload) != SUCCESS)
 	{
-		SIG_IKE(UP_FAILED, "generating authentication data failed");
+		DBG1(DBG_IKE, "generating authentication data failed");
 		if (!this->initiator)
 		{
 			message->add_notify(message, TRUE, AUTHENTICATION_FAILED, chunk_empty);
@@ -413,13 +415,13 @@ static status_t build_auth_eap(private_ike_auth_t *this, message_t *message)
 	if (!this->initiator)
 	{
 		this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
-		SIG_IKE(UP_SUCCESS, "IKE_SA %s[%d] established between %H[%D]...%H[%D]",
-			this->ike_sa->get_name(this->ike_sa),
-			this->ike_sa->get_unique_id(this->ike_sa),
-			this->ike_sa->get_my_host(this->ike_sa),
-			this->ike_sa->get_my_id(this->ike_sa), 
-			this->ike_sa->get_other_host(this->ike_sa),
-			this->ike_sa->get_other_id(this->ike_sa));
+		DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%D]...%H[%D]",
+			 this->ike_sa->get_name(this->ike_sa),
+			 this->ike_sa->get_unique_id(this->ike_sa),
+			 this->ike_sa->get_my_host(this->ike_sa),
+			 this->ike_sa->get_my_id(this->ike_sa), 
+			 this->ike_sa->get_other_host(this->ike_sa),
+			 this->ike_sa->get_other_id(this->ike_sa));
 		return SUCCESS;
 	}
 	return NEED_MORE;
@@ -448,7 +450,7 @@ static status_t process_auth_eap(private_ike_auth_t *this, message_t *message)
 
 	if (!this->peer_authenticated)
 	{
-		SIG_IKE(UP_FAILED, "authentication of '%D' with %N failed",
+		DBG0(DBG_IKE, "authentication of '%D' with %N failed",
 			 this->ike_sa->get_other_id(this->ike_sa), 
 			 auth_class_names, AUTH_CLASS_EAP);
 		if (this->initiator)
@@ -460,13 +462,13 @@ static status_t process_auth_eap(private_ike_auth_t *this, message_t *message)
 	if (this->initiator)
 	{
 		this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
-		SIG_IKE(UP_SUCCESS, "IKE_SA %s[%d] established between %H[%D]...%H[%D]",
-			this->ike_sa->get_name(this->ike_sa),
-			this->ike_sa->get_unique_id(this->ike_sa),
-			this->ike_sa->get_my_host(this->ike_sa),
-			this->ike_sa->get_my_id(this->ike_sa), 
-			this->ike_sa->get_other_host(this->ike_sa),
-			this->ike_sa->get_other_id(this->ike_sa));
+		DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%D]...%H[%D]",
+			 this->ike_sa->get_name(this->ike_sa),
+			 this->ike_sa->get_unique_id(this->ike_sa),
+			 this->ike_sa->get_my_host(this->ike_sa),
+			 this->ike_sa->get_my_id(this->ike_sa), 
+			 this->ike_sa->get_other_host(this->ike_sa),
+			 this->ike_sa->get_other_id(this->ike_sa));
 		return SUCCESS;
 	}
 	return NEED_MORE;
@@ -482,7 +484,7 @@ static status_t process_eap_i(private_ike_auth_t *this, message_t *message)
 	eap = (eap_payload_t*)message->get_payload(message, EXTENSIBLE_AUTHENTICATION);
 	if (eap == NULL)
 	{	
-		SIG_IKE(UP_FAILED, "EAP payload missing");
+		DBG1(DBG_IKE, "EAP payload missing");
 		return FAILED;
 	}
 	switch (this->eap_auth->process(this->eap_auth, eap, &eap))
@@ -498,7 +500,7 @@ static status_t process_eap_i(private_ike_auth_t *this, message_t *message)
 			return NEED_MORE;
 		default:
 			this->eap_payload = NULL;
-			SIG_IKE(UP_FAILED, "failed to authenticate against '%D' using EAP",
+			DBG0(DBG_IKE, "failed to authenticate against '%D' using EAP",
 				this->ike_sa->get_other_id(this->ike_sa));
 			return FAILED;
 	}
@@ -533,7 +535,7 @@ static status_t build_eap_r(private_ike_auth_t *this, message_t *message)
 		
 	if (this->eap_payload == NULL)
 	{
-		SIG_IKE(UP_FAILED, "EAP payload missing");
+		DBG1(DBG_IKE, "EAP payload missing");
 		return FAILED;
 	}
 	
@@ -548,9 +550,9 @@ static status_t build_eap_r(private_ike_auth_t *this, message_t *message)
 			this->public.task.process = (status_t(*)(task_t*,message_t*))process_auth_eap;
 			break;
 		default:
-			SIG_IKE(UP_FAILED, "authentication of '%D' with %N failed",
-				this->ike_sa->get_other_id(this->ike_sa),
-				auth_class_names, AUTH_CLASS_EAP);
+			DBG0(DBG_IKE, "authentication of '%D' with %N failed",
+				 this->ike_sa->get_other_id(this->ike_sa),
+				 auth_class_names, AUTH_CLASS_EAP);
 			status = FAILED;
 			break;
 	}
@@ -665,9 +667,9 @@ static status_t build_r(private_ike_auth_t *this, message_t *message)
 	config = this->ike_sa->get_peer_cfg(this->ike_sa);
 	if (config == NULL)
 	{
-		SIG_IKE(UP_FAILED, "no matching config found for '%D'...'%D'",
-			this->ike_sa->get_my_id(this->ike_sa),
-			this->ike_sa->get_other_id(this->ike_sa));
+		DBG1(DBG_IKE, "no matching config found for '%D'...'%D'",
+			 this->ike_sa->get_my_id(this->ike_sa),
+			 this->ike_sa->get_other_id(this->ike_sa));
 		message->add_notify(message, TRUE, AUTHENTICATION_FAILED, chunk_empty);
 		return FAILED;
 	}
@@ -689,13 +691,13 @@ static status_t build_r(private_ike_auth_t *this, message_t *message)
 	if (this->peer_authenticated)
 	{
 		this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
-		SIG_IKE(UP_SUCCESS, "IKE_SA %s[%d] established between %H[%D]...%H[%D]",
-			this->ike_sa->get_name(this->ike_sa),
-			this->ike_sa->get_unique_id(this->ike_sa),
-			this->ike_sa->get_my_host(this->ike_sa),
-			this->ike_sa->get_my_id(this->ike_sa), 
-			this->ike_sa->get_other_host(this->ike_sa),
-			this->ike_sa->get_other_id(this->ike_sa));
+		DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%D]...%H[%D]",
+			 this->ike_sa->get_name(this->ike_sa),
+			 this->ike_sa->get_unique_id(this->ike_sa),
+			 this->ike_sa->get_my_host(this->ike_sa),
+			 this->ike_sa->get_my_id(this->ike_sa), 
+			 this->ike_sa->get_other_host(this->ike_sa),
+			 this->ike_sa->get_other_id(this->ike_sa));
 		return SUCCESS;
 	}
 	
@@ -706,7 +708,7 @@ static status_t build_r(private_ike_auth_t *this, message_t *message)
 	message->add_payload(message, (payload_t*)eap_payload);
 	if (status != NEED_MORE)
 	{
-		SIG_IKE(UP_FAILED, "unable to initiate EAP authentication");
+		DBG1(DBG_IKE, "unable to initiate EAP authentication");
 		return FAILED;
 	}
 	
@@ -766,7 +768,7 @@ static status_t process_i(private_ike_auth_t *this, message_t *message)
 				{
 					if (type < 16383)
 					{
-						SIG_IKE(UP_FAILED, "received %N notify error",
+						DBG1(DBG_IKE, "received %N notify error",
 							 notify_type_names, type);
 						iterator->destroy(iterator);
 						return FAILED;	
@@ -798,18 +800,18 @@ static status_t process_i(private_ike_auth_t *this, message_t *message)
 	auth = this->ike_sa->get_other_auth(this->ike_sa);
 	if (!auth->complies(auth, config->get_auth(config)))
 	{
-		SIG_IKE(UP_FAILED, "authorization of '%D' for config %s failed",
+		DBG0(DBG_IKE, "authorization of '%D' for config %s failed",
 			this->ike_sa->get_other_id(this->ike_sa), config->get_name(config));
 		return FAILED;
 	}
 	this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
-	SIG_IKE(UP_SUCCESS, "IKE_SA %s[%d] established between %H[%D]...%H[%D]",
-		this->ike_sa->get_name(this->ike_sa),
-		this->ike_sa->get_unique_id(this->ike_sa),
-		this->ike_sa->get_my_host(this->ike_sa),
-		this->ike_sa->get_my_id(this->ike_sa),
-		this->ike_sa->get_other_host(this->ike_sa),
-		this->ike_sa->get_other_id(this->ike_sa));
+	DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%D]...%H[%D]",
+		 this->ike_sa->get_name(this->ike_sa),
+		 this->ike_sa->get_unique_id(this->ike_sa),
+		 this->ike_sa->get_my_host(this->ike_sa),
+		 this->ike_sa->get_my_id(this->ike_sa),
+		 this->ike_sa->get_other_host(this->ike_sa),
+		 this->ike_sa->get_other_id(this->ike_sa));
 	return SUCCESS;
 }
 
diff --git a/src/charon/sa/tasks/ike_auth_lifetime.c b/src/charon/sa/tasks/ike_auth_lifetime.c
index 2d18c6a1e..cb17cc2dc 100644
--- a/src/charon/sa/tasks/ike_auth_lifetime.c
+++ b/src/charon/sa/tasks/ike_auth_lifetime.c
@@ -12,11 +12,13 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: ike_auth_lifetime.c 3589 2008-03-13 14:14:44Z martin $
+ * $Id: ike_auth_lifetime.c 4576 2008-11-05 08:32:38Z martin $
  */
 
 #include "ike_auth_lifetime.h"
 
+#include <time.h>
+
 #include <daemon.h>
 #include <encoding/payloads/notify_payload.h>
 
@@ -47,9 +49,10 @@ static void add_auth_lifetime(private_ike_auth_lifetime_t *this, message_t *mess
 	chunk_t chunk;
 	u_int32_t lifetime;
 	
-	lifetime = this->ike_sa->get_statistic(this->ike_sa, STAT_REAUTH_TIME);
+	lifetime = this->ike_sa->get_statistic(this->ike_sa, STAT_REAUTH);
 	if (lifetime)
 	{
+		lifetime -= time(NULL);
 		chunk = chunk_from_thing(lifetime);
 		*(u_int32_t*)chunk.ptr = htonl(lifetime);
 		message->add_notify(message, FALSE, AUTH_LIFETIME, chunk);
diff --git a/src/charon/sa/tasks/ike_delete.c b/src/charon/sa/tasks/ike_delete.c
index 295f908cb..1c051853c 100644
--- a/src/charon/sa/tasks/ike_delete.c
+++ b/src/charon/sa/tasks/ike_delete.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: ike_delete.c 4211 2008-07-23 18:46:34Z andreas $
+ * $Id: ike_delete.c 4458 2008-10-17 03:44:06Z andreas $
  */
 
 #include "ike_delete.h"
@@ -56,21 +56,21 @@ static status_t build_i(private_ike_delete_t *this, message_t *message)
 {
 	delete_payload_t *delete_payload;
 
-	SIG_IKE(DOWN_START, "deleting IKE_SA %s[%d] between %H[%D]...%H[%D]",
-			this->ike_sa->get_name(this->ike_sa),
-			this->ike_sa->get_unique_id(this->ike_sa),
-			this->ike_sa->get_my_host(this->ike_sa),
-			this->ike_sa->get_my_id(this->ike_sa),
-			this->ike_sa->get_other_host(this->ike_sa),
-			this->ike_sa->get_other_id(this->ike_sa));
+	DBG0(DBG_IKE, "deleting IKE_SA %s[%d] between %H[%D]...%H[%D]",
+		 this->ike_sa->get_name(this->ike_sa),
+		 this->ike_sa->get_unique_id(this->ike_sa),
+		 this->ike_sa->get_my_host(this->ike_sa),
+		 this->ike_sa->get_my_id(this->ike_sa),
+		 this->ike_sa->get_other_host(this->ike_sa),
+		 this->ike_sa->get_other_id(this->ike_sa));
 
 	delete_payload = delete_payload_create(PROTO_IKE);
 	message->add_payload(message, (payload_t*)delete_payload);
 	this->ike_sa->set_state(this->ike_sa, IKE_DELETING);
 
 	DBG1(DBG_IKE, "sending DELETE for IKE_SA %s[%d]",
-			this->ike_sa->get_name(this->ike_sa),
-			this->ike_sa->get_unique_id(this->ike_sa));
+		 this->ike_sa->get_name(this->ike_sa),
+		 this->ike_sa->get_unique_id(this->ike_sa));
 
 	return NEED_MORE;
 }
@@ -80,6 +80,7 @@ static status_t build_i(private_ike_delete_t *this, message_t *message)
  */
 static status_t process_i(private_ike_delete_t *this, message_t *message)
 {
+	DBG0(DBG_IKE, "IKE_SA deleted");
 	/* completed, delete IKE_SA by returning FAILED */
 	return FAILED;
 }
@@ -92,15 +93,15 @@ static status_t process_r(private_ike_delete_t *this, message_t *message)
 	/* we don't even scan the payloads, as the message wouldn't have
 	 * come so far without being correct */
 	DBG1(DBG_IKE, "received DELETE for IKE_SA %s[%d]",
-			this->ike_sa->get_name(this->ike_sa),
-			this->ike_sa->get_unique_id(this->ike_sa));
-	SIG_IKE(DOWN_START, "deleting IKE_SA %s[%d] between %H[%D]...%H[%D]",
-			this->ike_sa->get_name(this->ike_sa),
-			this->ike_sa->get_unique_id(this->ike_sa),
-			this->ike_sa->get_my_host(this->ike_sa),
-			this->ike_sa->get_my_id(this->ike_sa),
-			this->ike_sa->get_other_host(this->ike_sa),
-			this->ike_sa->get_other_id(this->ike_sa));
+		 this->ike_sa->get_name(this->ike_sa),
+		 this->ike_sa->get_unique_id(this->ike_sa));
+	DBG0(DBG_IKE, "deleting IKE_SA %s[%d] between %H[%D]...%H[%D]",
+		 this->ike_sa->get_name(this->ike_sa),
+		 this->ike_sa->get_unique_id(this->ike_sa),
+		 this->ike_sa->get_my_host(this->ike_sa),
+		 this->ike_sa->get_my_id(this->ike_sa),
+		 this->ike_sa->get_other_host(this->ike_sa),
+		 this->ike_sa->get_other_id(this->ike_sa));
 
 	switch (this->ike_sa->get_state(this->ike_sa))
 	{
@@ -123,7 +124,7 @@ static status_t process_r(private_ike_delete_t *this, message_t *message)
  */
 static status_t build_r(private_ike_delete_t *this, message_t *message)
 {
-	SIG_IKE(DOWN_SUCCESS, "IKE_SA deleted");
+	DBG0(DBG_IKE, "IKE_SA deleted");
 
 	if (this->simultaneous)
 	{
diff --git a/src/charon/sa/tasks/ike_init.c b/src/charon/sa/tasks/ike_init.c
index 609b37a39..bd2cd39bb 100644
--- a/src/charon/sa/tasks/ike_init.c
+++ b/src/charon/sa/tasks/ike_init.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2008 Tobias Brunner
- * Copyright (C) 2005-2007 Martin Willi
+ * Copyright (C) 2005-2008 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
  *
@@ -14,7 +14,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: ike_init.c 4206 2008-07-22 17:10:10Z andreas $
+ * $Id: ike_init.c 4531 2008-10-30 12:58:54Z martin $
  */
 
 #include "ike_init.h"
@@ -64,10 +64,15 @@ struct private_ike_init_t {
 	diffie_hellman_group_t dh_group;
 	
 	/**
-	 * Diffie hellman object used to generate public DH value.
+	 * diffie hellman key exchange
 	 */
 	diffie_hellman_t *dh;
 	
+	/**
+	 * Keymat derivation (from IKE_SA)
+	 */
+	keymat_t *keymat;
+	
 	/**
 	 * nonce chosen by us
 	 */
@@ -192,7 +197,8 @@ static void process_payloads(private_ike_init_t *this, message_t *message)
 				this->dh_group = ke_payload->get_dh_group_number(ke_payload);
 				if (!this->initiator)
 				{
-					this->dh = lib->crypto->create_dh(lib->crypto, this->dh_group);
+					this->dh = this->keymat->create_dh(this->keymat,
+													   this->dh_group);
 				}
 				if (this->dh)
 				{
@@ -230,26 +236,26 @@ static status_t build_i(private_ike_init_t *this, message_t *message)
 	rng_t *rng;
 	
 	this->config = this->ike_sa->get_ike_cfg(this->ike_sa);
-	SIG_IKE(UP_START, "initiating IKE_SA %s[%d] to %H",
-		this->ike_sa->get_name(this->ike_sa),
-		this->ike_sa->get_unique_id(this->ike_sa),
-		this->ike_sa->get_other_host(this->ike_sa));
+	DBG0(DBG_IKE, "initiating IKE_SA %s[%d] to %H",
+		 this->ike_sa->get_name(this->ike_sa),
+		 this->ike_sa->get_unique_id(this->ike_sa),
+		 this->ike_sa->get_other_host(this->ike_sa));
 	this->ike_sa->set_state(this->ike_sa, IKE_CONNECTING);
 	
 	if (this->retry++ >= MAX_RETRIES)
 	{
-		SIG_IKE(UP_FAILED, "giving up after %d retries", MAX_RETRIES);
+		DBG1(DBG_IKE, "giving up after %d retries", MAX_RETRIES);
 		return FAILED;
 	}
-
+	
 	/* if the DH group is set via use_dh_group(), we already have a DH object */
 	if (!this->dh)
 	{
 		this->dh_group = this->config->get_dh_group(this->config);
-		this->dh = lib->crypto->create_dh(lib->crypto, this->dh_group);
-		if (this->dh == NULL)
+		this->dh = this->keymat->create_dh(this->keymat, this->dh_group);
+		if (!this->dh)
 		{
-			SIG_IKE(UP_FAILED, "configured DH group %N not supported",
+			DBG1(DBG_IKE, "configured DH group %N not supported",
 				diffie_hellman_group_names, this->dh_group);
 			return FAILED;
 		}
@@ -261,7 +267,7 @@ static status_t build_i(private_ike_init_t *this, message_t *message)
 		rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
 		if (!rng)
 		{
-			SIG_IKE(UP_FAILED, "error generating nonce");
+			DBG1(DBG_IKE, "error generating nonce");
 			return FAILED;
 		}
 		rng->allocate_bytes(rng, NONCE_SIZE, &this->my_nonce);
@@ -296,8 +302,7 @@ static status_t process_r(private_ike_init_t *this, message_t *message)
 	rng_t *rng;
 	
 	this->config = this->ike_sa->get_ike_cfg(this->ike_sa);
-	SIG_IKE(UP_START, "%H is initiating an IKE_SA",
-		message->get_source(message));
+	DBG0(DBG_IKE, "%H is initiating an IKE_SA", message->get_source(message));
 	this->ike_sa->set_state(this->ike_sa, IKE_CONNECTING);
 
 	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
@@ -369,30 +374,30 @@ static status_t process_r(private_ike_init_t *this, message_t *message)
  */
 static status_t build_r(private_ike_init_t *this, message_t *message)
 {
-	chunk_t secret;
-	status_t status;
-
+	keymat_t *old_keymat = NULL;
+	ike_sa_id_t *id;
+	
 	/* check if we have everything we need */
 	if (this->proposal == NULL ||
 		this->other_nonce.len == 0 || this->my_nonce.len == 0)
 	{
-		SIG_IKE(UP_FAILED, "received proposals inacceptable");
+		DBG1(DBG_IKE, "received proposals inacceptable");
 		message->add_notify(message, TRUE, NO_PROPOSAL_CHOSEN, chunk_empty);
 		return FAILED;
 	}
+	this->ike_sa->set_proposal(this->ike_sa, this->proposal);
 	
 	if (this->dh == NULL ||
-		!this->proposal->has_dh_group(this->proposal, this->dh_group) ||
-		this->dh->get_shared_secret(this->dh, &secret) != SUCCESS)
+		!this->proposal->has_dh_group(this->proposal, this->dh_group))
 	{
 		u_int16_t group;
 		
 		if (this->proposal->get_algorithm(this->proposal, DIFFIE_HELLMAN_GROUP,
 										  &group, NULL))
 		{
-			SIG_CHD(UP_FAILED, NULL, "DH group %N inacceptable, requesting %N",
-				diffie_hellman_group_names, this->dh_group,
-				diffie_hellman_group_names, group);
+			DBG1(DBG_IKE, "DH group %N inacceptable, requesting %N",
+				 diffie_hellman_group_names, this->dh_group,
+				 diffie_hellman_group_names, group);
 			this->dh_group = group;
 			group = htons(group);
 			message->add_notify(message, FALSE, INVALID_KE_PAYLOAD,
@@ -400,49 +405,28 @@ static status_t build_r(private_ike_init_t *this, message_t *message)
 		}
 		else
 		{
-			SIG_IKE(UP_FAILED, "no acceptable proposal found");
+			DBG1(DBG_IKE, "no acceptable proposal found");
 		}
 		return FAILED;
 	}
 	
+	id = this->ike_sa->get_id(this->ike_sa);
 	if (this->old_sa)
-	{
-		ike_sa_id_t *id;
-		prf_t *prf, *child_prf;
-				
-		/* Apply SPI if we are rekeying */
-		id = this->ike_sa->get_id(this->ike_sa);
+	{	/* rekeying: Apply SPI, include keymat from old SA in key derivation */
 		id->set_initiator_spi(id, this->proposal->get_spi(this->proposal));
-	
-		/* setup crypto keys for the rekeyed SA */
-		prf = this->old_sa->get_prf(this->old_sa);
-		child_prf = this->old_sa->get_child_prf(this->old_sa);
-		status = this->ike_sa->derive_keys(this->ike_sa, this->proposal, secret, 
-										   this->other_nonce, this->my_nonce,
-										   FALSE, child_prf, prf);
+		old_keymat = this->old_sa->get_keymat(this->old_sa);
 	}
-	else
+	if (!this->keymat->derive_ike_keys(this->keymat, this->proposal, this->dh,
+							this->other_nonce, this->my_nonce, id, old_keymat))
 	{
-		/* setup crypto keys */
-		status =  this->ike_sa->derive_keys(this->ike_sa, this->proposal, secret, 
-										    this->other_nonce, this->my_nonce,
-										    FALSE, NULL, NULL);
-	}
-	if (status != SUCCESS)
-	{
-		SIG_IKE(UP_FAILED, "key derivation failed");
+		DBG1(DBG_IKE, "key derivation failed");
 		message->add_notify(message, TRUE, NO_PROPOSAL_CHOSEN, chunk_empty);
 		return FAILED;
 	}
-
-	/* Keep the selected IKE proposal for status information purposes */
-	{
-		char buf[BUF_LEN];
-
-		snprintf(buf, BUF_LEN, "%P", this->proposal);
-		this->ike_sa->set_proposal(this->ike_sa, buf+4);
-	}
-
+	
+	charon->bus->ike_keys(charon->bus, this->ike_sa, this->dh,
+						  this->other_nonce, this->my_nonce, this->old_sa);
+	
 	build_payloads(this, message);
 	return SUCCESS;
 }
@@ -452,8 +436,8 @@ static status_t build_r(private_ike_init_t *this, message_t *message)
  */
 static status_t process_i(private_ike_init_t *this, message_t *message)
 {
-	chunk_t secret;
-	status_t status;
+	keymat_t *old_keymat = NULL;
+	ike_sa_id_t *id;
 	iterator_t *iterator;
 	payload_t *payload;
 
@@ -505,7 +489,7 @@ static status_t process_i(private_ike_init_t *this, message_t *message)
 				{
 					if (type < 16383)
 					{
-						SIG_IKE(UP_FAILED, "received %N notify error",
+						DBG1(DBG_IKE, "received %N notify error",
 							 notify_type_names, type);
 						iterator->destroy(iterator);
 						return FAILED;	
@@ -525,55 +509,34 @@ static status_t process_i(private_ike_init_t *this, message_t *message)
 	if (this->proposal == NULL ||
 		this->other_nonce.len == 0 || this->my_nonce.len == 0)
 	{
-		SIG_IKE(UP_FAILED, "peer's proposal selection invalid");
+		DBG1(DBG_IKE, "peers proposal selection invalid");
 		return FAILED;
 	}
+	this->ike_sa->set_proposal(this->ike_sa, this->proposal);
 	
 	if (this->dh == NULL ||
-		!this->proposal->has_dh_group(this->proposal, this->dh_group) ||
-		this->dh->get_shared_secret(this->dh, &secret) != SUCCESS)
+		!this->proposal->has_dh_group(this->proposal, this->dh_group))
 	{
-		SIG_IKE(UP_FAILED, "peer's DH group selection invalid");
+		DBG1(DBG_IKE, "peer DH group selection invalid");
 		return FAILED;
 	}
 	
-	/* Apply SPI if we are rekeying */
+	id = this->ike_sa->get_id(this->ike_sa);
 	if (this->old_sa)
-	{
-		ike_sa_id_t *id;
-		prf_t *prf, *child_prf;
-		
-		id = this->ike_sa->get_id(this->ike_sa);
+	{	/* rekeying: Apply SPI, include keymat from old SA in key derivation */
 		id->set_responder_spi(id, this->proposal->get_spi(this->proposal));
-		
-		/* setup crypto keys for the rekeyed SA */
-		prf = this->old_sa->get_prf(this->old_sa);
-		child_prf = this->old_sa->get_child_prf(this->old_sa);
-		status = this->ike_sa->derive_keys(this->ike_sa, this->proposal, secret, 
-										    this->my_nonce, this->other_nonce,
-										    TRUE, child_prf, prf);
+		old_keymat = this->old_sa->get_keymat(this->old_sa);
 	}
-	else
+	if (!this->keymat->derive_ike_keys(this->keymat, this->proposal, this->dh,
+							this->my_nonce, this->other_nonce, id, old_keymat))
 	{
-		/* setup crypto keys for a new SA */
-		status = this->ike_sa->derive_keys(this->ike_sa, this->proposal, secret, 
-										   this->my_nonce, this->other_nonce,
-										   TRUE, NULL, NULL);
-	}
-	if (status != SUCCESS)
-	{
-		SIG_IKE(UP_FAILED, "key derivation failed");
+		DBG1(DBG_IKE, "key derivation failed");
 		return FAILED;
 	}
-
-	/* Keep the selected IKE proposal for status information purposes */
-	{
-		char buf[BUF_LEN];
-
-		snprintf(buf, BUF_LEN, "%P", this->proposal);
-		this->ike_sa->set_proposal(this->ike_sa, buf+4);
-	}
-
+	
+	charon->bus->ike_keys(charon->bus, this->ike_sa, this->dh,
+						  this->my_nonce, this->other_nonce, this->old_sa);
+	
 	return SUCCESS;
 }
 
@@ -607,12 +570,12 @@ static chunk_t get_lower_nonce(private_ike_init_t *this)
 static void migrate(private_ike_init_t *this, ike_sa_t *ike_sa)
 {
 	DESTROY_IF(this->proposal);
-	DESTROY_IF(this->dh);
 	chunk_free(&this->other_nonce);
 	
 	this->ike_sa = ike_sa;
 	this->proposal = NULL;
-	this->dh = lib->crypto->create_dh(lib->crypto, this->dh_group);
+	DESTROY_IF(this->dh);
+	this->dh = this->keymat->create_dh(this->keymat, this->dh_group);
 }
 
 /**
@@ -620,8 +583,8 @@ static void migrate(private_ike_init_t *this, ike_sa_t *ike_sa)
  */
 static void destroy(private_ike_init_t *this)
 {
-	DESTROY_IF(this->proposal);
 	DESTROY_IF(this->dh);
+	DESTROY_IF(this->proposal);
 	chunk_free(&this->my_nonce);
 	chunk_free(&this->other_nonce);
 	chunk_free(&this->cookie);
@@ -654,6 +617,7 @@ ike_init_t *ike_init_create(ike_sa_t *ike_sa, bool initiator, ike_sa_t *old_sa)
 	this->initiator = initiator;
 	this->dh_group = MODP_NONE;
 	this->dh = NULL;
+	this->keymat = ike_sa->get_keymat(ike_sa);
 	this->my_nonce = chunk_empty;
 	this->other_nonce = chunk_empty;
 	this->cookie = chunk_empty;
diff --git a/src/charon/sa/tasks/ike_me.c b/src/charon/sa/tasks/ike_me.c
index a203dee58..f58d51341 100644
--- a/src/charon/sa/tasks/ike_me.c
+++ b/src/charon/sa/tasks/ike_me.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: ike_me.c 4355 2008-09-25 07:56:58Z tobias $
+ * $Id: ike_me.c 4640 2008-11-12 16:07:17Z martin $
  */
  
 #include "ike_me.h"
@@ -461,8 +461,7 @@ static status_t process_i(private_ike_me_t *this, message_t *message)
 				this->ike_sa->set_server_reflexive_host(this->ike_sa, endpoint->clone(endpoint));
 			}
 			/* FIXME: what if it failed? e.g. AUTH failure */
-			SIG_CHD(UP_SUCCESS, NULL, "established mediation connection "
-					"without CHILD_SA successfully");
+			DBG1(DBG_IKE, "established mediation connection successfully");
 			
 			break;
 		}
@@ -642,8 +641,7 @@ static status_t build_r_ms(private_ike_me_t *this, message_t *message)
 			/* FIXME: we actually must delete any existing IKE_SAs with the same remote id */
 			this->ike_sa->act_as_mediation_server(this->ike_sa);
 			
-			SIG_CHD(UP_SUCCESS, NULL, "established mediation connection "
-					"without CHILD_SA successfully");
+			DBG1(DBG_IKE, "established mediation connection successfully");
 			
 			break;
 		}
@@ -787,7 +785,7 @@ ike_me_t *ike_me_create(ike_sa_t *ike_sa, bool initiator)
 	this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
 	this->public.task.destroy = (void(*)(task_t*))destroy;
 	
-	if (ike_sa->is_ike_initiator(ike_sa))
+	if (ike_sa->has_condition(ike_sa, COND_ORIGINAL_INITIATOR))
 	{
 		if (initiator)
 		{
diff --git a/src/charon/sa/tasks/ike_mobike.c b/src/charon/sa/tasks/ike_mobike.c
index f6ee3f6ad..a791d1892 100644
--- a/src/charon/sa/tasks/ike_mobike.c
+++ b/src/charon/sa/tasks/ike_mobike.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: ike_mobike.c 4394 2008-10-09 08:25:11Z martin $
+ * $Id: ike_mobike.c 4618 2008-11-11 09:22:00Z tobias $
  */
 
 #include "ike_mobike.h"
@@ -251,10 +251,16 @@ static void update_children(private_ike_mobike_t *this)
 	iterator = this->ike_sa->create_child_sa_iterator(this->ike_sa);
 	while (iterator->iterate(iterator, (void**)&child_sa))
 	{
-		child_sa->update_hosts(child_sa,
-						this->ike_sa->get_my_host(this->ike_sa), 
-						this->ike_sa->get_other_host(this->ike_sa),
-						this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY));
+		if (child_sa->update_hosts(child_sa,
+				this->ike_sa->get_my_host(this->ike_sa), 
+				this->ike_sa->get_other_host(this->ike_sa),
+				this->ike_sa->get_virtual_ip(this->ike_sa, TRUE),
+				this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY)) == NOT_SUPPORTED)
+		{
+			this->ike_sa->rekey_child_sa(this->ike_sa,
+					child_sa->get_protocol(child_sa),
+					child_sa->get_spi(child_sa, TRUE));
+		}
 	}
 	iterator->destroy(iterator);
 }
diff --git a/src/charon/sa/tasks/ike_reauth.c b/src/charon/sa/tasks/ike_reauth.c
index b84b2a387..61701075f 100644
--- a/src/charon/sa/tasks/ike_reauth.c
+++ b/src/charon/sa/tasks/ike_reauth.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006-2007 Martin Willi
+ * Copyright (C) 2006-2008 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: ike_reauth.c 4211 2008-07-23 18:46:34Z andreas $
+ * $Id: ike_reauth.c 4495 2008-10-28 16:07:06Z martin $
  */
 
 #include "ike_reauth.h"
@@ -65,7 +65,6 @@ static status_t process_i(private_ike_reauth_t *this, message_t *message)
 	
 	/* process delete response first */
 	this->ike_delete->task.process(&this->ike_delete->task, message);
-	SIG_IKE(DOWN_SUCCESS, "IKE_SA deleted");
 
 	peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
 	
@@ -105,6 +104,8 @@ static status_t process_i(private_ike_reauth_t *this, message_t *message)
 		{
 			charon->ike_sa_manager->checkin_and_destroy(
 								charon->ike_sa_manager, new);
+			/* set threads active IKE_SA after checkin */
+			charon->bus->set_sa(charon->bus, this->ike_sa);
 			DBG1(DBG_IKE, "reauthenticating IKE_SA failed");
 			return FAILED;
 		}
@@ -132,6 +133,8 @@ static status_t process_i(private_ike_reauth_t *this, message_t *message)
 					iterator->destroy(iterator);
 					charon->ike_sa_manager->checkin_and_destroy(
 										charon->ike_sa_manager, new);
+					/* set threads active IKE_SA after checkin */
+					charon->bus->set_sa(charon->bus, this->ike_sa);
 					DBG1(DBG_IKE, "reauthenticating IKE_SA failed");
 					return FAILED;
 				}
@@ -141,6 +144,8 @@ static status_t process_i(private_ike_reauth_t *this, message_t *message)
 	}
 	iterator->destroy(iterator);
 	charon->ike_sa_manager->checkin(charon->ike_sa_manager, new);
+	/* set threads active IKE_SA after checkin */
+	charon->bus->set_sa(charon->bus, this->ike_sa);
 	
 	/* we always return failed to delete the obsolete IKE_SA */
 	return FAILED;
diff --git a/src/charon/sa/tasks/ike_rekey.c b/src/charon/sa/tasks/ike_rekey.c
index 6c4ef4354..28d63cca7 100644
--- a/src/charon/sa/tasks/ike_rekey.c
+++ b/src/charon/sa/tasks/ike_rekey.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2005-2007 Martin Willi
+ * Copyright (C) 2005-2008 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
  *
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: ike_rekey.c 4211 2008-07-23 18:46:34Z andreas $
+ * $Id: ike_rekey.c 4659 2008-11-14 14:05:47Z martin $
  */
 
 #include "ike_rekey.h"
@@ -144,7 +144,7 @@ static status_t build_r(private_ike_rekey_t *this, message_t *message)
 		message->add_notify(message, TRUE, NO_PROPOSAL_CHOSEN, chunk_empty);
 		return SUCCESS;
 	}
-
+	
 	if (this->ike_init->task.build(&this->ike_init->task, message) == FAILED)
 	{
 		return SUCCESS;
@@ -152,13 +152,13 @@ static status_t build_r(private_ike_rekey_t *this, message_t *message)
 	
 	this->ike_sa->set_state(this->ike_sa, IKE_REKEYING);
 	this->new_sa->set_state(this->new_sa, IKE_ESTABLISHED);
-	SIG_IKE(UP_SUCCESS, "IKE_SA %s[%d] established between %H[%D]...%H[%D]",
-		this->new_sa->get_name(this->new_sa),
-		this->new_sa->get_unique_id(this->new_sa),
-		this->ike_sa->get_my_host(this->ike_sa),
-		this->ike_sa->get_my_id(this->ike_sa),
-		this->ike_sa->get_other_host(this->ike_sa),
-		this->ike_sa->get_other_id(this->ike_sa));
+	DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%D]...%H[%D]",
+		 this->new_sa->get_name(this->new_sa),
+		 this->new_sa->get_unique_id(this->new_sa),
+		 this->ike_sa->get_my_host(this->ike_sa),
+		 this->ike_sa->get_my_id(this->ike_sa),
+		 this->ike_sa->get_other_host(this->ike_sa),
+		 this->ike_sa->get_other_id(this->ike_sa));
 	
 	return SUCCESS;
 }
@@ -170,7 +170,32 @@ static status_t process_i(private_ike_rekey_t *this, message_t *message)
 {
 	job_t *job;
 	ike_sa_id_t *to_delete;
+	iterator_t *iterator;
+	payload_t *payload;
 
+	/* handle NO_ADDITIONAL_SAS notify */
+	iterator = message->get_payload_iterator(message);
+	while (iterator->iterate(iterator, (void**)&payload))
+	{
+		if (payload->get_type(payload) == NOTIFY)
+		{
+			notify_payload_t *notify = (notify_payload_t*)payload;
+			
+			if (notify->get_notify_type(notify) == NO_ADDITIONAL_SAS)
+			{
+				DBG1(DBG_IKE, "peer seems to not support IKE rekeying, "
+					 "starting reauthentication");
+				this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
+				charon->processor->queue_job(charon->processor,
+						(job_t*)rekey_ike_sa_job_create(
+									this->ike_sa->get_id(this->ike_sa), TRUE));
+				iterator->destroy(iterator);
+				return SUCCESS;
+			}
+		}
+	}
+	iterator->destroy(iterator);
+	
 	switch (this->ike_init->task.process(&this->ike_init->task, message))
 	{
 		case FAILED:
@@ -198,13 +223,13 @@ static status_t process_i(private_ike_rekey_t *this, message_t *message)
 	}
 
 	this->new_sa->set_state(this->new_sa, IKE_ESTABLISHED);
-	SIG_IKE(UP_SUCCESS, "IKE_SA %s[%d] established between %H[%D]...%H[%D]",
-		this->new_sa->get_name(this->new_sa),
-		this->new_sa->get_unique_id(this->new_sa),
-		this->ike_sa->get_my_host(this->ike_sa),
-		this->ike_sa->get_my_id(this->ike_sa),
-		this->ike_sa->get_other_host(this->ike_sa),
-		this->ike_sa->get_other_id(this->ike_sa));
+	DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%D]...%H[%D]",
+		 this->new_sa->get_name(this->new_sa),
+		 this->new_sa->get_unique_id(this->new_sa),
+		 this->ike_sa->get_my_host(this->ike_sa),
+		 this->ike_sa->get_my_id(this->ike_sa),
+		 this->ike_sa->get_other_host(this->ike_sa),
+		 this->ike_sa->get_other_id(this->ike_sa));
 
 	to_delete = this->ike_sa->get_id(this->ike_sa);
 	
@@ -242,6 +267,8 @@ static status_t process_i(private_ike_rekey_t *this, message_t *message)
 			this->new_sa = other->new_sa;
 			other->new_sa = NULL;
 		}
+		/* set threads active IKE_SA after checkin */
+		charon->bus->set_sa(charon->bus, this->ike_sa);
 	}
 	
 	job = (job_t*)delete_ike_sa_job_create(to_delete, TRUE);
@@ -277,6 +304,8 @@ static void migrate(private_ike_rekey_t *this, ike_sa_t *ike_sa)
 	{
 		charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager,
 													this->new_sa);
+		/* set threads active IKE_SA after checkin */
+		charon->bus->set_sa(charon->bus, this->ike_sa);
 	}
 	DESTROY_IF(this->collision);
 
@@ -303,6 +332,8 @@ static void destroy(private_ike_rekey_t *this)
 			charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager,
 														this->new_sa);
 		}
+		/* set threads active IKE_SA after checkin */
+		charon->bus->set_sa(charon->bus, this->ike_sa);
 	}
 	if (this->ike_init)
 	{
diff --git a/src/charon/sa/tasks/task.c b/src/charon/sa/tasks/task.c
index 3192b688a..fd15379f3 100644
--- a/src/charon/sa/tasks/task.c
+++ b/src/charon/sa/tasks/task.c
@@ -13,11 +13,12 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: task.c 3666 2008-03-26 18:40:19Z tobias $
+ * $Id: task.c 4618 2008-11-11 09:22:00Z tobias $
  */
 
 #include "task.h"
 
+#ifdef ME
 ENUM(task_type_names, IKE_INIT, CHILD_REKEY,
 	"IKE_INIT",
 	"IKE_NATD",
@@ -31,11 +32,27 @@ ENUM(task_type_names, IKE_INIT, CHILD_REKEY,
 	"IKE_REAUTH",
 	"IKE_DELETE",
 	"IKE_DPD",
-#ifdef ME
 	"IKE_ME",
-#endif /* ME */
 	"CHILD_CREATE",
 	"CHILD_DELETE",
 	"CHILD_REKEY",
 );
-
+#else
+ENUM(task_type_names, IKE_INIT, CHILD_REKEY,
+	"IKE_INIT",
+	"IKE_NATD",
+	"IKE_MOBIKE",
+	"IKE_AUTHENTICATE",
+	"IKE_AUTH_LIFETIME",
+	"IKE_CERT_PRE",
+	"IKE_CERT_POST",
+	"IKE_CONFIG",
+	"IKE_REKEY",
+	"IKE_REAUTH",
+	"IKE_DELETE",
+	"IKE_DPD",
+	"CHILD_CREATE",
+	"CHILD_DELETE",
+	"CHILD_REKEY",
+);
+#endif /* ME */
diff --git a/src/dumm/Makefile.am b/src/dumm/Makefile.am
index 11d65bba9..029290fb6 100644
--- a/src/dumm/Makefile.am
+++ b/src/dumm/Makefile.am
@@ -11,8 +11,8 @@ irdumm_SOURCES = irdumm.c
 
 libdumm_la_LIBADD = $(top_builddir)/src/libstrongswan/libstrongswan.la \
   -lbridge -lfuse -lutil
-dumm_LDADD = -ldumm ${gtk_LIBS}
-irdumm_LDADD = -ldumm -lruby1.8
+dumm_LDADD = libdumm.la ${gtk_LIBS}
+irdumm_LDADD = libdumm.la -lruby1.8
 
 INCLUDES = -I$(top_srcdir)/src/libstrongswan ${gtk_CFLAGS} \
   -I/usr/lib/ruby/1.8/i486-linux/
diff --git a/src/dumm/Makefile.in b/src/dumm/Makefile.in
index 333e616d3..7c3f28191 100644
--- a/src/dumm/Makefile.in
+++ b/src/dumm/Makefile.in
@@ -61,10 +61,10 @@ PROGRAMS = $(ipsec_PROGRAMS)
 am_dumm_OBJECTS = main.$(OBJEXT)
 dumm_OBJECTS = $(am_dumm_OBJECTS)
 am__DEPENDENCIES_1 =
-dumm_DEPENDENCIES = $(am__DEPENDENCIES_1)
+dumm_DEPENDENCIES = libdumm.la $(am__DEPENDENCIES_1)
 am_irdumm_OBJECTS = irdumm.$(OBJEXT)
 irdumm_OBJECTS = $(am_irdumm_OBJECTS)
-irdumm_DEPENDENCIES =
+irdumm_DEPENDENCIES = libdumm.la
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
@@ -230,8 +230,8 @@ irdumm_SOURCES = irdumm.c
 libdumm_la_LIBADD = $(top_builddir)/src/libstrongswan/libstrongswan.la \
   -lbridge -lfuse -lutil
 
-dumm_LDADD = -ldumm ${gtk_LIBS}
-irdumm_LDADD = -ldumm -lruby1.8
+dumm_LDADD = libdumm.la ${gtk_LIBS}
+irdumm_LDADD = libdumm.la -lruby1.8
 INCLUDES = -I$(top_srcdir)/src/libstrongswan ${gtk_CFLAGS} \
   -I/usr/lib/ruby/1.8/i486-linux/
 
diff --git a/src/dumm/dumm.c b/src/dumm/dumm.c
index eaefddb60..cf8d9719c 100644
--- a/src/dumm/dumm.c
+++ b/src/dumm/dumm.c
@@ -87,7 +87,7 @@ static void delete_guest(private_dumm_t *this, guest_t *guest)
 		guest->destroy(guest);
 		if (len > 8 && len < 512)
 		{
-			system(buf);
+			ignore_result(system(buf));
 		}
 	}
 }
@@ -280,7 +280,10 @@ dumm_t *dumm_create(char *dir)
 	 	}
 		if (dir)
 		{
-			asprintf(&this->dir, "%s/%s", cwd, dir);
+			if (asprintf(&this->dir, "%s/%s", cwd, dir) < 0)
+			{
+				this->dir = NULL;
+			}
 		}
 		else
 		{
@@ -288,17 +291,21 @@ dumm_t *dumm_create(char *dir)
 		}
 	}
 	this->template = NULL;
-	asprintf(&this->guest_dir, "%s/%s", this->dir, GUEST_DIR);
+	if (asprintf(&this->guest_dir, "%s/%s", this->dir, GUEST_DIR) < 0)
+	{
+		this->guest_dir = NULL;
+	}
 	this->guests = linked_list_create();
 	this->bridges = linked_list_create();
 	
-	if (mkdir(this->guest_dir, PERME) < 0 && errno != EEXIST)
+	if (this->dir == NULL || this->guest_dir == NULL ||
+		(mkdir(this->guest_dir, PERME) < 0 && errno != EEXIST))
 	{
 		DBG1("creating guest directory '%s' failed: %m", this->guest_dir);
 		destroy(this);
 		return NULL;
 	}
-		
+	
 	load_guests(this);
 	return &this->public;
 }
diff --git a/src/dumm/ext/dumm.c b/src/dumm/ext/dumm.c
index 97f14ef85..2610affc3 100644
--- a/src/dumm/ext/dumm.c
+++ b/src/dumm/ext/dumm.c
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  * 
- * $Id: dumm.c 4410 2008-10-10 11:20:04Z martin $
+ * $Id: dumm.c 4447 2008-10-15 14:47:52Z martin $
  */
 
 #include <stdio.h>
@@ -204,6 +204,22 @@ static VALUE guest_exec(VALUE self, VALUE cmd)
 	bool block;
 	int ret;
 	
+	block = rb_block_given_p();
+	Data_Get_Struct(self, guest_t, guest);
+	if ((ret = guest->exec_str(guest, block ? (void*)exec_cb : NULL, TRUE, NULL,
+					"exec %s", StringValuePtr(cmd))) != 0)
+	{
+		rb_raise(rb_eRuntimeError, "executing command failed (%d)", ret);
+	}
+	return self;
+}
+
+static VALUE guest_mconsole(VALUE self, VALUE cmd)
+{
+	guest_t *guest;
+	bool block;
+	int ret;
+	
 	block = rb_block_given_p();
 	Data_Get_Struct(self, guest_t, guest);
 	if ((ret = guest->exec_str(guest, block ? (void*)exec_cb : NULL, TRUE, NULL,
@@ -310,6 +326,7 @@ static void guest_init()
 	rb_define_method(rbc_guest, "stop", guest_stop, 0);
 	rb_define_method(rbc_guest, "running?", guest_running, 0);
 	rb_define_method(rbc_guest, "exec", guest_exec, 1);
+	rb_define_method(rbc_guest, "mconsole", guest_mconsole, 1);
 	rb_define_method(rbc_guest, "add", guest_add_iface, 1);
 	rb_define_method(rbc_guest, "[]", guest_get_iface, 1);
 	rb_define_method(rbc_guest, "each", guest_each_iface, -1);
diff --git a/src/dumm/guest.c b/src/dumm/guest.c
index aed2a3e18..014a9113f 100644
--- a/src/dumm/guest.c
+++ b/src/dumm/guest.c
@@ -576,11 +576,22 @@ static private_guest_t *guest_create_generic(char *parent, char *name,
 		
 	if (*parent == '/' || getcwd(cwd, sizeof(cwd)) == NULL)
 	{
-		asprintf(&this->dirname, "%s/%s", parent, name);
+		if (asprintf(&this->dirname, "%s/%s", parent, name) < 0)
+		{
+			this->dirname = NULL;
+		}
 	}
 	else
 	{
-		asprintf(&this->dirname, "%s/%s/%s", cwd, parent, name);
+		if (asprintf(&this->dirname, "%s/%s/%s", cwd, parent, name) < 0)
+		{
+			this->dirname = NULL;
+		}
+	}
+	if (this->dirname == NULL)
+	{
+		free(this);
+		return NULL;
 	}
 	if (create)
 	{
diff --git a/src/dumm/guest.h b/src/dumm/guest.h
index 0e48b1d06..19dc8a8bf 100644
--- a/src/dumm/guest.h
+++ b/src/dumm/guest.h
@@ -142,7 +142,7 @@ struct guest_t {
 	bool (*load_template)(guest_t *this, char *parent);
 	
 	/**
-	 * Execute a command in the guest.
+	 * Execute a command on the guests mconsole.
 	 *
 	 * @param cb		callback to call for each read block
 	 * @param data		data to pass to callback
@@ -154,20 +154,22 @@ struct guest_t {
 				char *cmd, ...);
 	
 	/**
-	 * Execute a command in the guest and return the output by lines or as combined
-	 * string.
+	 * Execute a command on the guests mconsole, with output formatter.
 	 * 
-	 * @note This function does not work with binary output (i.e. containing 0 bytes).
+	 * If lines is TRUE, callback is invoked for each output line. Otherwise
+	 * the full result is returned in one callback invocation.
+	 * 
+	 * @note This function does not work with binary output.
 	 * 
 	 * @param cb		callback to call for each line or for the complete output
-	 * @param lines		TRUE if the callback should be called for each line (instead of for the combined output)
+	 * @param lines		TRUE if the callback should be called for each line
 	 * @param data		data to pass to callback
 	 * @param cmd		command to execute
 	 * @param ...		printf style argument list for cmd
 	 * @return			return value
 	 */
 	int (*exec_str)(guest_t *this, void(*cb)(void*,char*), bool lines,
-				void *data, char *cmd, ...);
+					void *data, char *cmd, ...);
 	
 	/**
 	 * @brief Called whenever a SIGCHILD for the guests PID is received.
diff --git a/src/dumm/iface.c b/src/dumm/iface.c
index 78c6c7c92..bf73c82a5 100644
--- a/src/dumm/iface.c
+++ b/src/dumm/iface.c
@@ -104,8 +104,8 @@ static char* get_hostif(private_iface_t *this)
  */
 static bool add_address(private_iface_t *this, host_t *addr)
 {
-	return (this->guest->exec(this->guest, NULL, NULL, "ip addr add %H dev %s",
-						  addr, this->guestif) == 0);
+	return (this->guest->exec(this->guest, NULL, NULL, 
+				  "exec ip addr add %H dev %s", addr, this->guestif) == 0);
 }
 
 /**
@@ -136,7 +136,7 @@ static enumerator_t* create_address_enumerator(private_iface_t *this)
 	linked_list_t *addresses = linked_list_create();
 	this->guest->exec_str(this->guest, (void(*)(void*,char*))compile_address_list,
 			TRUE, addresses,
-			"ip addr list dev %s scope global | "
+			"exec ip addr list dev %s scope global | "
 			"grep '^ \\+\\(inet6\\? \\)' | "
 			"awk -F '( +|/)' '{ print $3 }'", this->guestif);
 	return enumerator_create_cleaner(addresses->create_enumerator(addresses),
@@ -149,7 +149,7 @@ static enumerator_t* create_address_enumerator(private_iface_t *this)
 static bool delete_address(private_iface_t *this, host_t *addr)
 {
 	return (this->guest->exec(this->guest, NULL, NULL,
-					"ip addr del %H dev %s", addr, this->guestif) == 0);
+					"exec ip addr del %H dev %s", addr, this->guestif) == 0);
 }
 
 /**
@@ -160,12 +160,12 @@ static void set_bridge(private_iface_t *this, bridge_t *bridge)
 	if (this->bridge == NULL && bridge)
 	{
 		this->guest->exec(this->guest, NULL, NULL,
-						  "ip link set %s up", this->guestif);
+						  "exec ip link set %s up", this->guestif);
 	}
 	else if (this->bridge && bridge == NULL)
 	{
 		this->guest->exec(this->guest, NULL, NULL,
-						  "ip link set %s down", this->guestif);
+						  "exec ip link set %s down", this->guestif);
 	}
 	this->bridge = bridge;
 }
diff --git a/src/dumm/main.c b/src/dumm/main.c
index e2f2fc255..ba2801760 100644
--- a/src/dumm/main.c
+++ b/src/dumm/main.c
@@ -19,6 +19,7 @@
 
 #include <sys/types.h>
 #include <unistd.h>
+#include <sched.h>
 
 #include <glib.h>
 #include <gtk/gtk.h>
diff --git a/src/dumm/mconsole.c b/src/dumm/mconsole.c
index c6e0c2f08..02db5ab7e 100644
--- a/src/dumm/mconsole.c
+++ b/src/dumm/mconsole.c
@@ -201,13 +201,13 @@ static bool del_iface(private_mconsole_t *this, char *guest)
 static int exec(private_mconsole_t *this, void(*cb)(void*,char*,size_t),
 				void *data, char *cmd)
 {
-	return request(this, cb, data, "exec %s", cmd);
+	return request(this, cb, data, "%s", cmd);
 }
 
 /**
  * Poll until guest is ready
  */
-static bool wait_bootup(private_mconsole_t *this)
+static void wait_bootup(private_mconsole_t *this)
 {
 	/* wait for init process to appear */
 	while (request(this, ignore, NULL, "exec ps -p 1 > /dev/null"))
@@ -247,7 +247,7 @@ static bool wait_for_notify(private_mconsole_t *this, char *nsock)
 	}
 	memset(&addr, 0, sizeof(addr));
 	addr.sun_family = AF_UNIX;
-	strncpy(addr.sun_path, nsock, sizeof(addr));
+	strncpy(addr.sun_path, nsock, sizeof(addr.sun_path));
 	if (bind(this->notify, (struct sockaddr*)&addr, sizeof(addr)) < 0)
 	{
 		DBG1("binding mconsole notify socket to '%s' failed: %m", nsock);
@@ -306,7 +306,7 @@ static bool setup_console(private_mconsole_t *this)
 	}
 	memset(&addr, 0, sizeof(addr));
 	addr.sun_family = AF_UNIX;
-	snprintf(&addr.sun_path[1], sizeof(addr.sun_path), "%5d-%d",
+	snprintf(&addr.sun_path[1], sizeof(addr.sun_path)-1, "%5d-%d",
 			 getpid(), this->console);
 	if (bind(this->console, (struct sockaddr*)&addr, sizeof(addr)) < 0)
 	{
@@ -346,11 +346,7 @@ mconsole_t *mconsole_create(char *notify, void(*idle)(void))
 	}
 	unlink(notify);
 	
-	if (!wait_bootup(this))
-	{
-		destroy(this);
-		return NULL;
-	}
+	wait_bootup(this);
 	
 	return &this->public;
 }
diff --git a/src/dumm/mconsole.h b/src/dumm/mconsole.h
index 329c40c06..e8493b5bb 100644
--- a/src/dumm/mconsole.h
+++ b/src/dumm/mconsole.h
@@ -43,7 +43,7 @@ struct mconsole_t {
 	bool (*del_iface)(mconsole_t *this, char *guest);
 	
 	/**
-	 * Execute a command in the UML host.
+	 * Execute a command on the mconsole.
 	 *
 	 * @param cb			callback function to invoke for each line
 	 * @param data			data to pass to callback
diff --git a/src/include/linux/ipsec.h b/src/include/linux/ipsec.h
index 81ac63a18..d17a6302a 100644
--- a/src/include/linux/ipsec.h
+++ b/src/include/linux/ipsec.h
@@ -3,7 +3,7 @@
 
 /* The definitions, required to talk to KAME racoon IKE. */
 
-#include "pfkeyv2.h"
+#include <linux/pfkeyv2.h>
 
 #define IPSEC_PORT_ANY		0
 #define IPSEC_ULPROTO_ANY	255
@@ -12,7 +12,8 @@
 enum {
 	IPSEC_MODE_ANY		= 0,	/* We do not support this for SA */
 	IPSEC_MODE_TRANSPORT	= 1,
-	IPSEC_MODE_TUNNEL	= 2
+	IPSEC_MODE_TUNNEL	= 2,
+	IPSEC_MODE_BEET         = 3
 };
 
 enum {
diff --git a/src/include/linux/pfkeyv2.h b/src/include/linux/pfkeyv2.h
index 4de9d7761..b4b0712a4 100644
--- a/src/include/linux/pfkeyv2.h
+++ b/src/include/linux/pfkeyv2.h
@@ -226,6 +226,15 @@ struct sadb_x_sec_ctx {
 } __attribute__((packed));
 /* sizeof(struct sadb_sec_ctx) = 8 */
 
+/* Used by MIGRATE to pass addresses IKE will use to perform
+ * negotiation with the peer */
+struct sadb_x_kmaddress {
+	uint16_t	sadb_x_kmaddress_len;
+	uint16_t	sadb_x_kmaddress_exttype;
+	uint32_t	sadb_x_kmaddress_reserved;
+} __attribute__((packed));
+/* sizeof(struct sadb_x_kmaddress) == 8 */
+
 /* Message types */
 #define SADB_RESERVED		0
 #define SADB_GETSPI		1
@@ -298,6 +307,13 @@ struct sadb_x_sec_ctx {
 #define SADB_X_EALG_BLOWFISHCBC		7
 #define SADB_EALG_NULL			11
 #define SADB_X_EALG_AESCBC		12
+#define SADB_X_EALG_AESCTR		13
+#define SADB_X_EALG_AES_CCM_ICV8	14
+#define SADB_X_EALG_AES_CCM_ICV12	15
+#define SADB_X_EALG_AES_CCM_ICV16	16
+#define SADB_X_EALG_AES_GCM_ICV8	18
+#define SADB_X_EALG_AES_GCM_ICV12	19
+#define SADB_X_EALG_AES_GCM_ICV16	20
 #define SADB_X_EALG_CAMELLIACBC		22
 #define SADB_EALG_MAX                   253 /* last EALG */
 /* private allocations should use 249-255 (RFC2407) */
@@ -339,7 +355,9 @@ struct sadb_x_sec_ctx {
 #define SADB_X_EXT_NAT_T_DPORT		22
 #define SADB_X_EXT_NAT_T_OA		23
 #define SADB_X_EXT_SEC_CTX		24
-#define SADB_EXT_MAX			24
+/* Used with MIGRATE to pass @ to IKE for negotiation */
+#define SADB_X_EXT_KMADDRESS		25
+#define SADB_EXT_MAX			25
 
 /* Identity Extension values */
 #define SADB_IDENTTYPE_RESERVED	0
diff --git a/src/include/linux/xfrm.h b/src/include/linux/xfrm.h
index 759885cb6..52f3abd45 100644
--- a/src/include/linux/xfrm.h
+++ b/src/include/linux/xfrm.h
@@ -282,6 +282,7 @@ enum xfrm_attr_type_t {
 	XFRMA_POLICY_TYPE,	/* struct xfrm_userpolicy_type */
 	XFRMA_MIGRATE,
 	XFRMA_ALG_AEAD,		/* struct xfrm_algo_aead */
+	XFRMA_KMADDRESS,        /* struct xfrm_user_kmaddress */
 	__XFRMA_MAX
 
 #define XFRMA_MAX (__XFRMA_MAX - 1)
@@ -418,6 +419,15 @@ struct xfrm_user_report {
 	struct xfrm_selector		sel;
 };
 
+/* Used by MIGRATE to pass addresses IKE should use to perform
+ * SA negotiation with the peer */
+struct xfrm_user_kmaddress {
+	xfrm_address_t                  local;
+	xfrm_address_t                  remote;
+	__u32				reserved;
+	__u16				family;
+};
+
 struct xfrm_user_migrate {
 	xfrm_address_t			old_daddr;
 	xfrm_address_t			old_saddr;
diff --git a/src/libfreeswan/freeswan.h b/src/libfreeswan/freeswan.h
index 59e6f0d9b..cbb8e2db4 100644
--- a/src/libfreeswan/freeswan.h
+++ b/src/libfreeswan/freeswan.h
@@ -14,7 +14,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
  * License for more details.
  *
- * RCSID $Id: freeswan.h 3265 2007-10-08 19:52:55Z andreas $
+ * RCSID $Id: freeswan.h 4632 2008-11-11 18:37:19Z martin $
  */
 #define	_FREESWAN_H	/* seen it, no need to see it again */
 
@@ -446,6 +446,7 @@ bitstomask(
 /* option pickup from files (userland only because of use of FILE) */
 const char *optionsfrom(const char *filename, int *argcp, char ***argvp,
 						int optind, FILE *errorreport);
+#define ignore_result(call) { if (call); }
 #endif
 
 /*
diff --git a/src/libstrongswan/Makefile.am b/src/libstrongswan/Makefile.am
index 08409d503..1423db5c3 100644
--- a/src/libstrongswan/Makefile.am
+++ b/src/libstrongswan/Makefile.am
@@ -50,6 +50,7 @@ utils/linked_list.c utils/linked_list.h \
 utils/enumerator.c utils/enumerator.h \
 utils/optionsfrom.c utils/optionsfrom.h \
 utils/mutex.c utils/mutex.h \
+utils/backtrace.c utils/backtrace.h \
 plugins/plugin_loader.c plugins/plugin_loader.h plugins/plugin.h
 
 libstrongswan_la_LIBADD = -lpthread -ldl
@@ -63,6 +64,10 @@ if USE_LEAK_DETECTIVE
   libstrongswan_la_SOURCES += utils/leak_detective.c utils/leak_detective.h
 endif
 
+if USE_LOCK_PROFILER
+  AM_CFLAGS += -DLOCK_PROFILER
+endif
+
 if USE_INTEGRITY_TEST
   libstrongswan_la_SOURCES += \
   fips/fips_canister_end.c
@@ -72,11 +77,11 @@ EXTRA_DIST = asn1/oid.txt asn1/oid.pl
 BUILT_SOURCES = asn1/oid.c asn1/oid.h
 MAINTAINERCLEANFILES = asn1/oid.c asn1/oid.h
 
-asn1/oid.c :	asn1/oid.txt asn1/oid.pl
-		cd asn1 && $(PERL) oid.pl
+asn1/oid.c :	asn1/oid.pl asn1/oid.txt
+		(cd `dirname $<` && $(PERL) `basename $<`)
 
-asn1/oid.h :	asn1/oid.txt asn1/oid.pl
-		cd asn1 && $(PERL) oid.pl
+asn1/oid.h :	asn1/oid.pl asn1/oid.txt
+		(cd `dirname $<` && $(PERL) `basename $<`)
 
 
 # build plugins with their own Makefile
diff --git a/src/libstrongswan/Makefile.in b/src/libstrongswan/Makefile.in
index e73411aa6..f1cf4f554 100644
--- a/src/libstrongswan/Makefile.in
+++ b/src/libstrongswan/Makefile.in
@@ -34,26 +34,27 @@ build_triplet = @build@
 host_triplet = @host@
 @USE_LEAK_DETECTIVE_TRUE@am__append_1 = -DLEAK_DETECTIVE
 @USE_LEAK_DETECTIVE_TRUE@am__append_2 = utils/leak_detective.c utils/leak_detective.h
-@USE_AES_TRUE@am__append_3 = plugins/aes
-@USE_DES_TRUE@am__append_4 = plugins/des
-@USE_MD5_TRUE@am__append_5 = plugins/md5
-@USE_SHA1_TRUE@am__append_6 = plugins/sha1
-@USE_SHA2_TRUE@am__append_7 = plugins/sha2
-@USE_FIPS_PRF_TRUE@am__append_8 = plugins/fips_prf
-@USE_GMP_TRUE@am__append_9 = plugins/gmp
-@USE_RANDOM_TRUE@am__append_10 = plugins/random
-@USE_HMAC_TRUE@am__append_11 = plugins/hmac
-@USE_XCBC_TRUE@am__append_12 = plugins/xcbc
-@USE_X509_TRUE@am__append_13 = plugins/x509
-@USE_PUBKEY_TRUE@am__append_14 = plugins/pubkey
-@USE_CURL_TRUE@am__append_15 = plugins/curl
-@USE_LDAP_TRUE@am__append_16 = plugins/ldap
-@USE_MYSQL_TRUE@am__append_17 = plugins/mysql
-@USE_SQLITE_TRUE@am__append_18 = plugins/sqlite
-@USE_PADLOCK_TRUE@am__append_19 = plugins/padlock
-@USE_OPENSSL_TRUE@am__append_20 = plugins/openssl
-@USE_AGENT_TRUE@am__append_21 = plugins/agent
-@USE_INTEGRITY_TEST_TRUE@am__append_22 = fips
+@USE_LOCK_PROFILER_TRUE@am__append_3 = -DLOCK_PROFILER
+@USE_AES_TRUE@am__append_4 = plugins/aes
+@USE_DES_TRUE@am__append_5 = plugins/des
+@USE_MD5_TRUE@am__append_6 = plugins/md5
+@USE_SHA1_TRUE@am__append_7 = plugins/sha1
+@USE_SHA2_TRUE@am__append_8 = plugins/sha2
+@USE_FIPS_PRF_TRUE@am__append_9 = plugins/fips_prf
+@USE_GMP_TRUE@am__append_10 = plugins/gmp
+@USE_RANDOM_TRUE@am__append_11 = plugins/random
+@USE_HMAC_TRUE@am__append_12 = plugins/hmac
+@USE_XCBC_TRUE@am__append_13 = plugins/xcbc
+@USE_X509_TRUE@am__append_14 = plugins/x509
+@USE_PUBKEY_TRUE@am__append_15 = plugins/pubkey
+@USE_CURL_TRUE@am__append_16 = plugins/curl
+@USE_LDAP_TRUE@am__append_17 = plugins/ldap
+@USE_MYSQL_TRUE@am__append_18 = plugins/mysql
+@USE_SQLITE_TRUE@am__append_19 = plugins/sqlite
+@USE_PADLOCK_TRUE@am__append_20 = plugins/padlock
+@USE_OPENSSL_TRUE@am__append_21 = plugins/openssl
+@USE_AGENT_TRUE@am__append_22 = plugins/agent
+@USE_INTEGRITY_TEST_TRUE@am__append_23 = fips
 subdir = src/libstrongswan
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
@@ -105,7 +106,8 @@ am__libstrongswan_la_SOURCES_DIST = library.c library.h chunk.c \
 	utils/iterator.h utils/lexparser.c utils/lexparser.h \
 	utils/linked_list.c utils/linked_list.h utils/enumerator.c \
 	utils/enumerator.h utils/optionsfrom.c utils/optionsfrom.h \
-	utils/mutex.c utils/mutex.h plugins/plugin_loader.c \
+	utils/mutex.c utils/mutex.h utils/backtrace.c \
+	utils/backtrace.h plugins/plugin_loader.c \
 	plugins/plugin_loader.h plugins/plugin.h \
 	utils/leak_detective.c utils/leak_detective.h \
 	fips/fips_canister_start.c fips/fips.c fips/fips.h \
@@ -126,7 +128,7 @@ am__libstrongswan_la_SOURCES_DIST = library.c library.h chunk.c \
 @USE_INTEGRITY_TEST_FALSE@	database_factory.lo utils.lo host.lo \
 @USE_INTEGRITY_TEST_FALSE@	identification.lo lexparser.lo \
 @USE_INTEGRITY_TEST_FALSE@	linked_list.lo enumerator.lo \
-@USE_INTEGRITY_TEST_FALSE@	optionsfrom.lo mutex.lo \
+@USE_INTEGRITY_TEST_FALSE@	optionsfrom.lo mutex.lo backtrace.lo \
 @USE_INTEGRITY_TEST_FALSE@	plugin_loader.lo $(am__objects_1)
 @USE_INTEGRITY_TEST_TRUE@am_libstrongswan_la_OBJECTS =  \
 @USE_INTEGRITY_TEST_TRUE@	fips_canister_start.lo fips.lo \
@@ -144,7 +146,7 @@ am__libstrongswan_la_SOURCES_DIST = library.c library.h chunk.c \
 @USE_INTEGRITY_TEST_TRUE@	database_factory.lo utils.lo host.lo \
 @USE_INTEGRITY_TEST_TRUE@	identification.lo lexparser.lo \
 @USE_INTEGRITY_TEST_TRUE@	linked_list.lo enumerator.lo \
-@USE_INTEGRITY_TEST_TRUE@	optionsfrom.lo mutex.lo \
+@USE_INTEGRITY_TEST_TRUE@	optionsfrom.lo mutex.lo backtrace.lo \
 @USE_INTEGRITY_TEST_TRUE@	plugin_loader.lo $(am__objects_1) \
 @USE_INTEGRITY_TEST_TRUE@	fips_canister_end.lo
 libstrongswan_la_OBJECTS = $(am_libstrongswan_la_OBJECTS)
@@ -375,7 +377,8 @@ lib_LTLIBRARIES = libstrongswan.la
 @USE_INTEGRITY_TEST_FALSE@	utils/enumerator.h \
 @USE_INTEGRITY_TEST_FALSE@	utils/optionsfrom.c \
 @USE_INTEGRITY_TEST_FALSE@	utils/optionsfrom.h utils/mutex.c \
-@USE_INTEGRITY_TEST_FALSE@	utils/mutex.h \
+@USE_INTEGRITY_TEST_FALSE@	utils/mutex.h utils/backtrace.c \
+@USE_INTEGRITY_TEST_FALSE@	utils/backtrace.h \
 @USE_INTEGRITY_TEST_FALSE@	plugins/plugin_loader.c \
 @USE_INTEGRITY_TEST_FALSE@	plugins/plugin_loader.h \
 @USE_INTEGRITY_TEST_FALSE@	plugins/plugin.h $(am__append_2)
@@ -437,27 +440,30 @@ lib_LTLIBRARIES = libstrongswan.la
 @USE_INTEGRITY_TEST_TRUE@	utils/enumerator.c utils/enumerator.h \
 @USE_INTEGRITY_TEST_TRUE@	utils/optionsfrom.c \
 @USE_INTEGRITY_TEST_TRUE@	utils/optionsfrom.h utils/mutex.c \
-@USE_INTEGRITY_TEST_TRUE@	utils/mutex.h plugins/plugin_loader.c \
+@USE_INTEGRITY_TEST_TRUE@	utils/mutex.h utils/backtrace.c \
+@USE_INTEGRITY_TEST_TRUE@	utils/backtrace.h \
+@USE_INTEGRITY_TEST_TRUE@	plugins/plugin_loader.c \
 @USE_INTEGRITY_TEST_TRUE@	plugins/plugin_loader.h \
 @USE_INTEGRITY_TEST_TRUE@	plugins/plugin.h $(am__append_2) \
 @USE_INTEGRITY_TEST_TRUE@	fips/fips_canister_end.c
 libstrongswan_la_LIBADD = -lpthread -ldl
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
 AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" \
-	-DIPSEC_PLUGINDIR=\"${plugindir}\" $(am__append_1)
+	-DIPSEC_PLUGINDIR=\"${plugindir}\" $(am__append_1) \
+	$(am__append_3)
 EXTRA_DIST = asn1/oid.txt asn1/oid.pl
 BUILT_SOURCES = asn1/oid.c asn1/oid.h
 MAINTAINERCLEANFILES = asn1/oid.c asn1/oid.h
 
 # build plugins with their own Makefile
 #######################################
-SUBDIRS = . $(am__append_3) $(am__append_4) $(am__append_5) \
-	$(am__append_6) $(am__append_7) $(am__append_8) \
-	$(am__append_9) $(am__append_10) $(am__append_11) \
-	$(am__append_12) $(am__append_13) $(am__append_14) \
-	$(am__append_15) $(am__append_16) $(am__append_17) \
-	$(am__append_18) $(am__append_19) $(am__append_20) \
-	$(am__append_21) $(am__append_22)
+SUBDIRS = . $(am__append_4) $(am__append_5) $(am__append_6) \
+	$(am__append_7) $(am__append_8) $(am__append_9) \
+	$(am__append_10) $(am__append_11) $(am__append_12) \
+	$(am__append_13) $(am__append_14) $(am__append_15) \
+	$(am__append_16) $(am__append_17) $(am__append_18) \
+	$(am__append_19) $(am__append_20) $(am__append_21) \
+	$(am__append_22) $(am__append_23)
 all: $(BUILT_SOURCES)
 	$(MAKE) $(AM_MAKEFLAGS) all-recursive
 
@@ -530,6 +536,7 @@ distclean-compile:
 
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_parser.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/backtrace.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/builder.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/certificate.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/chunk.Plo@am__quote@
@@ -810,6 +817,13 @@ mutex.lo: utils/mutex.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o mutex.lo `test -f 'utils/mutex.c' || echo '$(srcdir)/'`utils/mutex.c
 
+backtrace.lo: utils/backtrace.c
+@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT backtrace.lo -MD -MP -MF $(DEPDIR)/backtrace.Tpo -c -o backtrace.lo `test -f 'utils/backtrace.c' || echo '$(srcdir)/'`utils/backtrace.c
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/backtrace.Tpo $(DEPDIR)/backtrace.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='utils/backtrace.c' object='backtrace.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o backtrace.lo `test -f 'utils/backtrace.c' || echo '$(srcdir)/'`utils/backtrace.c
+
 plugin_loader.lo: plugins/plugin_loader.c
 @am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT plugin_loader.lo -MD -MP -MF $(DEPDIR)/plugin_loader.Tpo -c -o plugin_loader.lo `test -f 'plugins/plugin_loader.c' || echo '$(srcdir)/'`plugins/plugin_loader.c
 @am__fastdepCC_TRUE@	mv -f $(DEPDIR)/plugin_loader.Tpo $(DEPDIR)/plugin_loader.Plo
@@ -1139,11 +1153,11 @@ uninstall-am: uninstall-libLTLIBRARIES
 	uninstall-libLTLIBRARIES
 
 
-asn1/oid.c :	asn1/oid.txt asn1/oid.pl
-		cd asn1 && $(PERL) oid.pl
+asn1/oid.c :	asn1/oid.pl asn1/oid.txt
+		(cd `dirname $<` && $(PERL) `basename $<`)
 
-asn1/oid.h :	asn1/oid.txt asn1/oid.pl
-		cd asn1 && $(PERL) oid.pl
+asn1/oid.h :	asn1/oid.pl asn1/oid.txt
+		(cd `dirname $<` && $(PERL) `basename $<`)
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/src/libstrongswan/crypto/crypters/crypter.h b/src/libstrongswan/crypto/crypters/crypter.h
index aade888fa..fb06af97d 100644
--- a/src/libstrongswan/crypto/crypters/crypter.h
+++ b/src/libstrongswan/crypto/crypters/crypter.h
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: crypter.h 3971 2008-05-16 13:27:21Z tobias $
+ * $Id: crypter.h 4532 2008-10-30 13:21:21Z martin $
  */
  
 /**
diff --git a/src/libstrongswan/crypto/crypto_factory.c b/src/libstrongswan/crypto/crypto_factory.c
index 9836ed468..dcc881f1d 100644
--- a/src/libstrongswan/crypto/crypto_factory.c
+++ b/src/libstrongswan/crypto/crypto_factory.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: crypto_factory.c 4307 2008-08-28 09:24:42Z martin $
+ * $Id: crypto_factory.c 4592 2008-11-05 16:21:57Z martin $
  */
 
 #include "crypto_factory.h"
@@ -78,9 +78,9 @@ struct private_crypto_factory_t {
 	linked_list_t *dhs;
 	
 	/**
-	 * mutex to lock access to modules
+	 * rwlock to lock access to modules
 	 */
-	mutex_t *mutex;
+	rwlock_t *lock;
 };
 
 /**
@@ -93,7 +93,7 @@ static crypter_t* create_crypter(private_crypto_factory_t *this,
 	entry_t *entry;
 	crypter_t *crypter = NULL;
 
-	this->mutex->lock(this->mutex);
+	this->lock->read_lock(this->lock);
 	enumerator = this->crypters->create_enumerator(this->crypters);
 	while (enumerator->enumerate(enumerator, &entry))
 	{
@@ -107,7 +107,7 @@ static crypter_t* create_crypter(private_crypto_factory_t *this,
 		}
 	}
 	enumerator->destroy(enumerator);
-	this->mutex->unlock(this->mutex);
+	this->lock->unlock(this->lock);
 	return crypter;
 }
 
@@ -121,7 +121,7 @@ static signer_t* create_signer(private_crypto_factory_t *this,
 	entry_t *entry;
 	signer_t *signer = NULL;
 
-	this->mutex->lock(this->mutex);
+	this->lock->read_lock(this->lock);
 	enumerator = this->signers->create_enumerator(this->signers);
 	while (enumerator->enumerate(enumerator, &entry))
 	{
@@ -135,7 +135,7 @@ static signer_t* create_signer(private_crypto_factory_t *this,
 		}
 	}
 	enumerator->destroy(enumerator);
-	this->mutex->unlock(this->mutex);
+	this->lock->unlock(this->lock);
 
 	return signer;
 }
@@ -150,7 +150,7 @@ static hasher_t* create_hasher(private_crypto_factory_t *this,
 	entry_t *entry;
 	hasher_t *hasher = NULL;
 
-	this->mutex->lock(this->mutex);
+	this->lock->read_lock(this->lock);
 	enumerator = this->hashers->create_enumerator(this->hashers);
 	while (enumerator->enumerate(enumerator, &entry))
 	{
@@ -164,7 +164,7 @@ static hasher_t* create_hasher(private_crypto_factory_t *this,
 		}
 	}
 	enumerator->destroy(enumerator);
-	this->mutex->unlock(this->mutex);
+	this->lock->unlock(this->lock);
 	return hasher;
 }
 
@@ -178,7 +178,7 @@ static prf_t* create_prf(private_crypto_factory_t *this,
 	entry_t *entry;
 	prf_t *prf = NULL;
 
-	this->mutex->lock(this->mutex);
+	this->lock->read_lock(this->lock);
 	enumerator = this->prfs->create_enumerator(this->prfs);
 	while (enumerator->enumerate(enumerator, &entry))
 	{
@@ -192,7 +192,7 @@ static prf_t* create_prf(private_crypto_factory_t *this,
 		}
 	}
 	enumerator->destroy(enumerator);
-	this->mutex->unlock(this->mutex);
+	this->lock->unlock(this->lock);
 	return prf;
 }
 
@@ -206,7 +206,7 @@ static rng_t* create_rng(private_crypto_factory_t *this, rng_quality_t quality)
 	u_int diff = ~0;
 	rng_constructor_t constr = NULL;
 
-	this->mutex->lock(this->mutex);
+	this->lock->read_lock(this->lock);
 	enumerator = this->rngs->create_enumerator(this->rngs);
 	while (enumerator->enumerate(enumerator, &entry))
 	{	/* find the best matching quality, but at least as good as requested */
@@ -221,7 +221,7 @@ static rng_t* create_rng(private_crypto_factory_t *this, rng_quality_t quality)
 		}
 	}
 	enumerator->destroy(enumerator);
-	this->mutex->unlock(this->mutex);
+	this->lock->unlock(this->lock);
 	if (constr)
 	{
 		return constr(quality);
@@ -239,7 +239,7 @@ static diffie_hellman_t* create_dh(private_crypto_factory_t *this,
 	entry_t *entry;
 	diffie_hellman_t *diffie_hellman = NULL;
 
-	this->mutex->lock(this->mutex);
+	this->lock->read_lock(this->lock);
 	enumerator = this->dhs->create_enumerator(this->dhs);
 	while (enumerator->enumerate(enumerator, &entry))
 	{
@@ -253,7 +253,7 @@ static diffie_hellman_t* create_dh(private_crypto_factory_t *this,
 		}
 	}
 	enumerator->destroy(enumerator);
-	this->mutex->unlock(this->mutex);
+	this->lock->unlock(this->lock);
 	return diffie_hellman;
 }
 
@@ -268,9 +268,9 @@ static void add_crypter(private_crypto_factory_t *this,
 	
 	entry->algo = algo;
 	entry->create_crypter = create;
-	this->mutex->lock(this->mutex);
+	this->lock->write_lock(this->lock);
 	this->crypters->insert_last(this->crypters, entry);
-	this->mutex->unlock(this->mutex);
+	this->lock->unlock(this->lock);
 }
 
 /**
@@ -282,7 +282,7 @@ static void remove_crypter(private_crypto_factory_t *this,
 	entry_t *entry;
 	enumerator_t *enumerator;
 	
-	this->mutex->lock(this->mutex);
+	this->lock->write_lock(this->lock);
 	enumerator = this->crypters->create_enumerator(this->crypters);
 	while (enumerator->enumerate(enumerator, &entry))
 	{
@@ -293,7 +293,7 @@ static void remove_crypter(private_crypto_factory_t *this,
 		}
 	}
 	enumerator->destroy(enumerator);
-	this->mutex->unlock(this->mutex);
+	this->lock->unlock(this->lock);
 }
 
 /**
@@ -306,9 +306,9 @@ static void add_signer(private_crypto_factory_t *this,
 	
 	entry->algo = algo;
 	entry->create_signer = create;
-	this->mutex->lock(this->mutex);
+	this->lock->write_lock(this->lock);
 	this->signers->insert_last(this->signers, entry);
-	this->mutex->unlock(this->mutex);
+	this->lock->unlock(this->lock);
 }
 
 /**
@@ -320,7 +320,7 @@ static void remove_signer(private_crypto_factory_t *this,
 	entry_t *entry;
 	enumerator_t *enumerator;
 	
-	this->mutex->lock(this->mutex);
+	this->lock->write_lock(this->lock);
 	enumerator = this->signers->create_enumerator(this->signers);
 	while (enumerator->enumerate(enumerator, &entry))
 	{
@@ -331,7 +331,7 @@ static void remove_signer(private_crypto_factory_t *this,
 		}
 	}
 	enumerator->destroy(enumerator);
-	this->mutex->unlock(this->mutex);
+	this->lock->unlock(this->lock);
 }
 
 /**
@@ -344,9 +344,9 @@ static void add_hasher(private_crypto_factory_t *this, hash_algorithm_t algo,
 	
 	entry->algo = algo;
 	entry->create_hasher = create;
-	this->mutex->lock(this->mutex);
+	this->lock->write_lock(this->lock);
 	this->hashers->insert_last(this->hashers, entry);
-	this->mutex->unlock(this->mutex);
+	this->lock->unlock(this->lock);
 }
 
 /**
@@ -358,7 +358,7 @@ static void remove_hasher(private_crypto_factory_t *this,
 	entry_t *entry;
 	enumerator_t *enumerator;
 	
-	this->mutex->lock(this->mutex);
+	this->lock->write_lock(this->lock);
 	enumerator = this->hashers->create_enumerator(this->hashers);
 	while (enumerator->enumerate(enumerator, &entry))
 	{
@@ -369,7 +369,7 @@ static void remove_hasher(private_crypto_factory_t *this,
 		}
 	}
 	enumerator->destroy(enumerator);
-	this->mutex->unlock(this->mutex);
+	this->lock->unlock(this->lock);
 }
 
 /**
@@ -382,9 +382,9 @@ static void add_prf(private_crypto_factory_t *this,
 	
 	entry->algo = algo;
 	entry->create_prf = create;
-	this->mutex->lock(this->mutex);
+	this->lock->write_lock(this->lock);
 	this->prfs->insert_last(this->prfs, entry);
-	this->mutex->unlock(this->mutex);
+	this->lock->unlock(this->lock);
 }
 
 /**
@@ -395,7 +395,7 @@ static void remove_prf(private_crypto_factory_t *this, prf_constructor_t create)
 	entry_t *entry;
 	enumerator_t *enumerator;
 	
-	this->mutex->lock(this->mutex);
+	this->lock->write_lock(this->lock);
 	enumerator = this->prfs->create_enumerator(this->prfs);
 	while (enumerator->enumerate(enumerator, &entry))
 	{
@@ -406,7 +406,7 @@ static void remove_prf(private_crypto_factory_t *this, prf_constructor_t create)
 		}
 	}
 	enumerator->destroy(enumerator);
-	this->mutex->unlock(this->mutex);
+	this->lock->unlock(this->lock);
 }
 
 /**
@@ -419,9 +419,9 @@ static void add_rng(private_crypto_factory_t *this, rng_quality_t quality,
 	
 	entry->algo = quality;
 	entry->create_rng = create;
-	this->mutex->lock(this->mutex);
+	this->lock->write_lock(this->lock);
 	this->rngs->insert_last(this->rngs, entry);
-	this->mutex->unlock(this->mutex);
+	this->lock->unlock(this->lock);
 }
 
 /**
@@ -432,7 +432,7 @@ static void remove_rng(private_crypto_factory_t *this, rng_constructor_t create)
 	entry_t *entry;
 	enumerator_t *enumerator;
 	
-	this->mutex->lock(this->mutex);
+	this->lock->write_lock(this->lock);
 	enumerator = this->rngs->create_enumerator(this->rngs);
 	while (enumerator->enumerate(enumerator, &entry))
 	{
@@ -443,7 +443,7 @@ static void remove_rng(private_crypto_factory_t *this, rng_constructor_t create)
 		}
 	}
 	enumerator->destroy(enumerator);
-	this->mutex->unlock(this->mutex);
+	this->lock->unlock(this->lock);
 }
 
 /**
@@ -456,9 +456,9 @@ static void add_dh(private_crypto_factory_t *this, diffie_hellman_group_t group,
 	
 	entry->algo = group;
 	entry->create_dh = create;
-	this->mutex->lock(this->mutex);
+	this->lock->write_lock(this->lock);
 	this->dhs->insert_last(this->dhs, entry);
-	this->mutex->unlock(this->mutex);
+	this->lock->unlock(this->lock);
 }
 
 /**
@@ -469,7 +469,7 @@ static void remove_dh(private_crypto_factory_t *this, dh_constructor_t create)
 	entry_t *entry;
 	enumerator_t *enumerator;
 	
-	this->mutex->lock(this->mutex);
+	this->lock->write_lock(this->lock);
 	enumerator = this->dhs->create_enumerator(this->dhs);
 	while (enumerator->enumerate(enumerator, &entry))
 	{
@@ -480,7 +480,7 @@ static void remove_dh(private_crypto_factory_t *this, dh_constructor_t create)
 		}
 	}
 	enumerator->destroy(enumerator);
-	this->mutex->unlock(this->mutex);
+	this->lock->unlock(this->lock);
 }
 
 /**
@@ -511,12 +511,12 @@ static bool unique_check(linked_list_t *list, entry_t **in, entry_t **out)
 static enumerator_t *create_enumerator(private_crypto_factory_t *this,
 									   linked_list_t *list, void *filter)
 {
-	this->mutex->lock(this->mutex);
+	this->lock->read_lock(this->lock);
 	return enumerator_create_filter(
 				enumerator_create_filter(
 					list->create_enumerator(list), (void*)unique_check,
 					linked_list_create(), (void*)list->destroy),
-				filter,	this->mutex, (void*)this->mutex->unlock);
+				filter,	this->lock, (void*)this->lock->unlock);
 }
 
 /**
@@ -615,7 +615,7 @@ static void destroy(private_crypto_factory_t *this)
 	this->prfs->destroy_function(this->prfs, free);
 	this->rngs->destroy_function(this->rngs, free);
 	this->dhs->destroy_function(this->dhs, free);
-	this->mutex->destroy(this->mutex);
+	this->lock->destroy(this->lock);
 	free(this);
 }
 
@@ -657,7 +657,7 @@ crypto_factory_t *crypto_factory_create()
 	this->prfs = linked_list_create();
 	this->rngs = linked_list_create();
 	this->dhs = linked_list_create();
-	this->mutex = mutex_create(MUTEX_RECURSIVE);
+	this->lock = rwlock_create(RWLOCK_DEFAULT);
 	
 	return &this->public;
 }
diff --git a/src/libstrongswan/crypto/diffie_hellman.h b/src/libstrongswan/crypto/diffie_hellman.h
index c66ae56c3..ce8ab8e21 100644
--- a/src/libstrongswan/crypto/diffie_hellman.h
+++ b/src/libstrongswan/crypto/diffie_hellman.h
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: diffie_hellman.h 4023 2008-05-29 06:55:03Z andreas $
+ * $Id: diffie_hellman.h 4566 2008-11-04 13:12:11Z martin $
  */
  
 /**
@@ -84,16 +84,6 @@ struct diffie_hellman_t {
 	 */
 	void (*set_other_public_value) (diffie_hellman_t *this, chunk_t value);
 	
-	/**
-	 * Gets the public value of partner.
-	 * 	
-	 * Space for returned chunk is allocated and must be freed by the caller.
-	 * 
-	 * @param value 	public value of partner is stored at this location
-	 * @return 			SUCCESS, FAILED if other public value not set
-	 */
-	status_t (*get_other_public_value) (diffie_hellman_t *this, chunk_t *value);
-	
 	/**
 	 * Gets the own public value to transmit.
 	 * 	
diff --git a/src/libstrongswan/crypto/prf_plus.c b/src/libstrongswan/crypto/prf_plus.c
index de7dbff84..3d37d4ef7 100644
--- a/src/libstrongswan/crypto/prf_plus.c
+++ b/src/libstrongswan/crypto/prf_plus.c
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: prf_plus.c 3589 2008-03-13 14:14:44Z martin $
+ * $Id: prf_plus.c 4524 2008-10-29 14:12:54Z martin $
  */
 
 #include <string.h>
@@ -96,9 +96,16 @@ static void get_bytes(private_prf_plus_t *this, size_t length, u_int8_t *buffer)
  */	
 static void allocate_bytes(private_prf_plus_t *this, size_t length, chunk_t *chunk)
 {
-	chunk->ptr = malloc(length);
-	chunk->len = length;
-	this->public.get_bytes(&(this->public), length, chunk->ptr);
+	if (length)
+	{
+		chunk->ptr = malloc(length);
+		chunk->len = length;
+		get_bytes(this, length, chunk->ptr);
+	}
+	else
+	{
+		*chunk = chunk_empty;
+	}
 }
 
 /**
diff --git a/src/libstrongswan/fetcher/fetcher_manager.c b/src/libstrongswan/fetcher/fetcher_manager.c
index 517c9dfc9..5d58f224e 100644
--- a/src/libstrongswan/fetcher/fetcher_manager.c
+++ b/src/libstrongswan/fetcher/fetcher_manager.c
@@ -12,16 +12,14 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: fetcher_manager.c 3630 2008-03-20 11:27:55Z martin $
+ * $Id: fetcher_manager.c 4591 2008-11-05 16:12:54Z martin $
  */
 
-#define _GNU_SOURCE
-
 #include "fetcher_manager.h"
 
 #include <debug.h>
-#include <utils/linked_list.h>
 #include <utils/mutex.h>
+#include <utils/linked_list.h>
 
 typedef struct private_fetcher_manager_t private_fetcher_manager_t;
 
@@ -43,7 +41,7 @@ struct private_fetcher_manager_t {
 	/**
 	 * read write lock to list
 	 */
-	pthread_rwlock_t lock;
+	rwlock_t *lock;
 };
 
 typedef struct {
@@ -73,7 +71,7 @@ static status_t fetch(private_fetcher_manager_t *this,
 	entry_t *entry;
 	bool capable = FALSE;
 	
-	pthread_rwlock_rdlock(&this->lock);
+	this->lock->read_lock(this->lock);
 	enumerator = this->fetchers->create_enumerator(this->fetchers);
 	while (enumerator->enumerate(enumerator, &entry))
 	{
@@ -131,7 +129,7 @@ static status_t fetch(private_fetcher_manager_t *this,
 		break;
 	}
 	enumerator->destroy(enumerator);
-	pthread_rwlock_unlock(&this->lock);
+	this->lock->unlock(this->lock);
 	if (!capable)
 	{
 		DBG1("unable to fetch from %s, no capable fetcher found", url);
@@ -150,9 +148,9 @@ static void add_fetcher(private_fetcher_manager_t *this,
 	entry->url = strdup(url);
 	entry->create = create;
 
-	pthread_rwlock_wrlock(&this->lock);
+	this->lock->write_lock(this->lock);
 	this->fetchers->insert_last(this->fetchers, entry);
-	pthread_rwlock_unlock(&this->lock);
+	this->lock->unlock(this->lock);
 }
 
 /**
@@ -164,7 +162,7 @@ static void remove_fetcher(private_fetcher_manager_t *this,
 	enumerator_t *enumerator;
 	entry_t *entry;
 	
-	pthread_rwlock_wrlock(&this->lock);
+	this->lock->write_lock(this->lock);
 	enumerator = this->fetchers->create_enumerator(this->fetchers);
 	while (enumerator->enumerate(enumerator, &entry))
 	{
@@ -175,7 +173,7 @@ static void remove_fetcher(private_fetcher_manager_t *this,
 		}
 	}
 	enumerator->destroy(enumerator);
-	pthread_rwlock_unlock(&this->lock);
+	this->lock->unlock(this->lock);
 }
 
 /**
@@ -184,7 +182,7 @@ static void remove_fetcher(private_fetcher_manager_t *this,
 static void destroy(private_fetcher_manager_t *this)
 {
 	this->fetchers->destroy_function(this->fetchers, (void*)entry_destroy);
-	pthread_rwlock_destroy(&this->lock);
+	this->lock->destroy(this->lock);
 	free(this);
 }
 
@@ -201,7 +199,7 @@ fetcher_manager_t *fetcher_manager_create()
 	this->public.destroy = (void(*)(fetcher_manager_t*))destroy;
 	
 	this->fetchers = linked_list_create();
-	pthread_rwlock_init(&this->lock, NULL);
+	this->lock = rwlock_create(RWLOCK_DEFAULT);
 	
 	return &this->public;
 }
diff --git a/src/libstrongswan/plugins/agent/agent_private_key.c b/src/libstrongswan/plugins/agent/agent_private_key.c
index a3b8eebf3..5e7d0839e 100644
--- a/src/libstrongswan/plugins/agent/agent_private_key.c
+++ b/src/libstrongswan/plugins/agent/agent_private_key.c
@@ -215,9 +215,13 @@ static bool read_key(private_agent_private_key_t *this, public_key_t *pubkey)
 	chunk_t blob = chunk_from_buf(buf), key, type, tmp;
 	
 	len = htonl(1);
-	write(this->socket, &len, sizeof(len));
 	buf[0] = SSH_AGENT_ID_REQUEST;
-	write(this->socket, &buf, 1);
+	if (write(this->socket, &len, sizeof(len)) != sizeof(len) ||
+		write(this->socket, &buf, 1) != 1)
+	{
+		DBG1("writing to ssh-agent failed");
+		return FALSE;
+	}
 	
 	blob.len = read(this->socket, blob.ptr, blob.len);
 	
@@ -275,20 +279,36 @@ static bool sign(private_agent_private_key_t *this, signature_scheme_t scheme,
 	}
 	
 	len = htonl(1 + sizeof(u_int32_t) * 3 + this->key.len + data.len);
-	write(this->socket, &len, sizeof(len));
 	buf[0] = SSH_AGENT_SIGN_REQUEST;
-	write(this->socket, &buf, 1);
+	if (write(this->socket, &len, sizeof(len)) != sizeof(len) ||
+		write(this->socket, &buf, 1) != 1)
+	{
+		DBG1("writing to ssh-agent failed");
+		return FALSE;
+	}
 	
 	len = htonl(this->key.len);
-	write(this->socket, &len, sizeof(len));
-	write(this->socket, this->key.ptr, this->key.len);
+	if (write(this->socket, &len, sizeof(len)) != sizeof(len) ||
+		write(this->socket, this->key.ptr, this->key.len) != this->key.len)
+	{
+		DBG1("writing to ssh-agent failed");
+		return FALSE;
+	}
 	
 	len = htonl(data.len);
-	write(this->socket, &len, sizeof(len));
-	write(this->socket, data.ptr, data.len);
+	if (write(this->socket, &len, sizeof(len)) != sizeof(len) ||
+		write(this->socket, data.ptr, data.len) != data.len)
+	{
+		DBG1("writing to ssh-agent failed");
+		return FALSE;
+	}
 	
 	flags = htonl(0);
-	write(this->socket, &flags, sizeof(flags));
+	if (write(this->socket, &flags, sizeof(flags)) != sizeof(flags))
+	{
+		DBG1("writing to ssh-agent failed");
+		return FALSE;
+	}
 	
 	blob.len = read(this->socket, blob.ptr, blob.len);
 	if (blob.len < sizeof(u_int32_t) + sizeof(u_char) ||
diff --git a/src/libstrongswan/plugins/curl/curl_fetcher.c b/src/libstrongswan/plugins/curl/curl_fetcher.c
index 4754d569e..cd54c76a3 100644
--- a/src/libstrongswan/plugins/curl/curl_fetcher.c
+++ b/src/libstrongswan/plugins/curl/curl_fetcher.c
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: curl_fetcher.c 3529 2008-03-05 15:26:24Z martin $
+ * $Id: curl_fetcher.c 4632 2008-11-11 18:37:19Z martin $
  */
 
 #include <curl/curl.h>
@@ -123,7 +123,7 @@ static bool set_option(private_curl_fetcher_t *this, fetcher_option_t option, ..
 		case FETCH_REQUEST_DATA:
 		{
 			chunk_t data = va_arg(args, chunk_t);
-			curl_easy_setopt(this->curl, CURLOPT_POSTFIELDS, data.ptr);
+			curl_easy_setopt(this->curl, CURLOPT_POSTFIELDS, (char*)data.ptr);
 			curl_easy_setopt(this->curl, CURLOPT_POSTFIELDSIZE, data.len);
 			return TRUE;
 		}
diff --git a/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c b/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c
index 40e83fc4c..294fb722f 100644
--- a/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c
+++ b/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c
@@ -15,7 +15,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: gmp_diffie_hellman.c 4346 2008-09-17 09:02:30Z martin $
+ * $Id: gmp_diffie_hellman.c 4566 2008-11-04 13:12:11Z martin $
  */
 
 #include <gmp.h>
@@ -303,6 +303,11 @@ struct modulus_entry_t {
 	 */	
 	size_t modulus_len;
 	
+	/* 
+	 * Optimum length of exponent in bytes.
+	 */	
+	size_t opt_exponent_len;
+
 	/* 
 	 * Generator value.
 	 */	
@@ -310,17 +315,17 @@ struct modulus_entry_t {
 };
 
 /**
- * All supported modulus values.
+ * All supported modulus values - optimum exponent size according to RFC 3526.
  */
 static modulus_entry_t modulus_entries[] = {
-	{MODP_768_BIT, group1_modulus, sizeof(group1_modulus), 2},
-	{MODP_1024_BIT, group2_modulus, sizeof(group2_modulus), 2},
-	{MODP_1536_BIT, group5_modulus, sizeof(group5_modulus), 2},
-	{MODP_2048_BIT, group14_modulus, sizeof(group14_modulus), 2},
-	{MODP_3072_BIT, group15_modulus, sizeof(group15_modulus), 2},
-	{MODP_4096_BIT, group16_modulus, sizeof(group16_modulus), 2},
-	{MODP_6144_BIT, group17_modulus, sizeof(group17_modulus), 2},
-	{MODP_8192_BIT, group18_modulus, sizeof(group18_modulus), 2},
+	{MODP_768_BIT,  group1_modulus,  sizeof(group1_modulus),  32, 2},
+	{MODP_1024_BIT, group2_modulus,  sizeof(group2_modulus),  32, 2},
+	{MODP_1536_BIT, group5_modulus,  sizeof(group5_modulus),  32, 2},
+	{MODP_2048_BIT, group14_modulus, sizeof(group14_modulus), 48, 2},
+	{MODP_3072_BIT, group15_modulus, sizeof(group15_modulus), 48, 2},
+	{MODP_4096_BIT, group16_modulus, sizeof(group16_modulus), 64, 2},
+	{MODP_6144_BIT, group17_modulus, sizeof(group17_modulus), 64, 2},
+	{MODP_8192_BIT, group18_modulus, sizeof(group18_modulus), 64, 2},
 };
 
 typedef struct private_gmp_diffie_hellman_t private_gmp_diffie_hellman_t;
@@ -374,6 +379,11 @@ struct private_gmp_diffie_hellman_t {
 	 */
 	size_t p_len;
 	
+	/**
+	 * Optimal exponent length.
+	 */
+	size_t opt_exponent_len;
+
 	/**
 	 * True if shared secret is computed and stored in my_public_value.
 	 */
@@ -429,25 +439,6 @@ static void set_other_public_value(private_gmp_diffie_hellman_t *this, chunk_t v
 	mpz_clear(p_min_1);
 }
 
-/**
- * Implementation of gmp_diffie_hellman_t.get_other_public_value.
- */
-static status_t get_other_public_value(private_gmp_diffie_hellman_t *this, 
-									   chunk_t *value)
-{
-	if (!this->computed)
-	{
-		return FAILED;
-	}
-	value->len = this->p_len;
-	value->ptr = mpz_export(NULL, NULL, 1, value->len, 1, 0, this->yb);
-	if (value->ptr == NULL)
-	{
-		return FAILED;
-	}
-	return SUCCESS;
-}
-
 /**
  * Implementation of gmp_diffie_hellman_t.get_my_public_value.
  */
@@ -504,6 +495,7 @@ static status_t set_modulus(private_gmp_diffie_hellman_t *this)
 			chunk.len = modulus_entries[i].modulus_len;
 			mpz_import(this->p, chunk.len, 1, 1, 1, 0, chunk.ptr);
 			this->p_len = chunk.len;
+			this->opt_exponent_len = modulus_entries[i].opt_exponent_len;
 			mpz_set_ui(this->g, modulus_entries[i].generator);
 			status = SUCCESS;
 			break;
@@ -534,11 +526,12 @@ gmp_diffie_hellman_t *gmp_diffie_hellman_create(diffie_hellman_group_t group)
 	private_gmp_diffie_hellman_t *this = malloc_thing(private_gmp_diffie_hellman_t);
 	rng_t *rng;
 	chunk_t random;
+	bool ansi_x9_42;
+	size_t exponent_len;
 
 	/* public functions */
 	this->public.dh.get_shared_secret = (status_t (*)(diffie_hellman_t *, chunk_t *)) get_shared_secret;
 	this->public.dh.set_other_public_value = (void (*)(diffie_hellman_t *, chunk_t )) set_other_public_value;
-	this->public.dh.get_other_public_value = (status_t (*)(diffie_hellman_t *, chunk_t *)) get_other_public_value;
 	this->public.dh.get_my_public_value = (void (*)(diffie_hellman_t *, chunk_t *)) get_my_public_value;
 	this->public.dh.get_dh_group = (diffie_hellman_group_t (*)(diffie_hellman_t *)) get_dh_group;
 	this->public.dh.destroy = (void (*)(diffie_hellman_t *)) destroy;
@@ -567,11 +560,22 @@ gmp_diffie_hellman_t *gmp_diffie_hellman_create(diffie_hellman_group_t group)
 		destroy(this);
 		return NULL;
 	}
-	rng->allocate_bytes(rng, this->p_len, &random);
+
+	ansi_x9_42 = lib->settings->get_int(lib->settings,
+					 "charon.dh_exponent_ansi_x9_42", TRUE);
+	exponent_len = (ansi_x9_42) ? this->p_len : this->opt_exponent_len;	
+	rng->allocate_bytes(rng, exponent_len, &random);
 	rng->destroy(rng);
+
+	if (ansi_x9_42)
+	{
+		/* achieve bitsof(p)-1 by setting MSB to 0 */
+		*random.ptr &= 0x7F;
+	}
 	mpz_import(this->xa, random.len, 1, 1, 1, 0, random.ptr);
 	chunk_free(&random);
-	
+	DBG2("size of DH secret exponent: %u bits", mpz_sizeinbase(this->xa, 2));
+
 	mpz_powm(this->ya, this->g, this->xa, this->p);
 	
 	return &this->public;
diff --git a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c
index 95c079b0b..7c83b3dea 100644
--- a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c
+++ b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2008 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -12,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: openssl_diffie_hellman.c 3896 2008-04-29 15:42:34Z tobias $
+ * $Id: openssl_diffie_hellman.c 4639 2008-11-12 15:09:24Z martin $
  */
 
 #include <openssl/dh.h>
@@ -37,6 +38,11 @@ struct modulus_entry_t {
 	 */
 	BIGNUM *(*get_prime)(BIGNUM *bn);
 	
+	/* 
+	 * Optimum length of exponent in bits.
+	 */	
+	long opt_exponent_len;
+	
 	/* 
 	 * Generator value.
 	 */	
@@ -44,17 +50,17 @@ struct modulus_entry_t {
 };
 
 /**
- * All supported modulus values.
+ * All supported modulus values - optimum exponent size according to RFC 3526.
  */
 static modulus_entry_t modulus_entries[] = {
-	{MODP_768_BIT,  get_rfc2409_prime_768,  2},
-	{MODP_1024_BIT, get_rfc2409_prime_1024, 2},
-	{MODP_1536_BIT, get_rfc3526_prime_1536, 2},
-	{MODP_2048_BIT, get_rfc3526_prime_2048, 2},
-	{MODP_3072_BIT, get_rfc3526_prime_3072, 2},
-	{MODP_4096_BIT, get_rfc3526_prime_4096, 2},
-	{MODP_6144_BIT, get_rfc3526_prime_6144, 2},
-	{MODP_8192_BIT, get_rfc3526_prime_8192, 2},
+	{MODP_768_BIT,  get_rfc2409_prime_768,  256, 2},
+	{MODP_1024_BIT, get_rfc2409_prime_1024, 256, 2},
+	{MODP_1536_BIT, get_rfc3526_prime_1536, 256, 2},
+	{MODP_2048_BIT, get_rfc3526_prime_2048, 384, 2},
+	{MODP_3072_BIT, get_rfc3526_prime_3072, 384, 2},
+	{MODP_4096_BIT, get_rfc3526_prime_4096, 512, 2},
+	{MODP_6144_BIT, get_rfc3526_prime_6144, 512, 2},
+	{MODP_8192_BIT, get_rfc3526_prime_8192, 512, 2},
 };
 
 typedef struct private_openssl_diffie_hellman_t private_openssl_diffie_hellman_t;
@@ -87,7 +93,7 @@ struct private_openssl_diffie_hellman_t {
 	 * Shared secret
 	 */
 	chunk_t shared_secret;
-
+	
 	/**
 	 * True if shared secret is computed
 	 */
@@ -95,68 +101,57 @@ struct private_openssl_diffie_hellman_t {
 };
 
 /**
- * Convert a BIGNUM to a chunk
- */
-static void bn2chunk(BIGNUM *bn, chunk_t *chunk)
-{
-	chunk->len = BN_num_bytes(bn);
-	chunk->ptr = malloc(chunk->len);
-	BN_bn2bin(bn, chunk->ptr);
-}
-
-/**
- * Implementation of openssl_diffie_hellman_t.set_other_public_value.
+ * Implementation of openssl_diffie_hellman_t.get_my_public_value.
  */
-static void set_other_public_value(private_openssl_diffie_hellman_t *this, chunk_t value)
+static void get_my_public_value(private_openssl_diffie_hellman_t *this,
+								chunk_t *value)
 {
-	int len;
-	BN_bin2bn(value.ptr, value.len, this->pub_key);
-
-	len = DH_size(this->dh);
-	chunk_free(&this->shared_secret);
-	this->shared_secret = chunk_alloc(len);
-	
-	if (DH_compute_key(this->shared_secret.ptr, this->pub_key, this->dh) < 0) {
-    	DBG1("DH shared secret computation failed");
-    	return;
-    }
-	
-    this->computed = TRUE;
+	*value = chunk_alloc(DH_size(this->dh));
+	memset(value->ptr, 0, value->len);
+	BN_bn2bin(this->dh->pub_key,
+			  value->ptr + value->len - BN_num_bytes(this->dh->pub_key));
 }
 
 /**
- * Implementation of openssl_diffie_hellman_t.get_other_public_value.
+ * Implementation of openssl_diffie_hellman_t.get_shared_secret.
  */
-static status_t get_other_public_value(private_openssl_diffie_hellman_t *this, 
-									   chunk_t *value)
+static status_t get_shared_secret(private_openssl_diffie_hellman_t *this,
+								  chunk_t *secret)
 {
 	if (!this->computed)
 	{
 		return FAILED;
 	}
-	bn2chunk(this->pub_key, value);
+	/* shared secret should requires a len according the DH group */
+	*secret = chunk_alloc(DH_size(this->dh));
+	memset(secret->ptr, 0, secret->len);
+	memcpy(secret->ptr + secret->len - this->shared_secret.len, 
+		   this->shared_secret.ptr, this->shared_secret.len);
+
 	return SUCCESS;
 }
 
-/**
- * Implementation of openssl_diffie_hellman_t.get_my_public_value.
- */
-static void get_my_public_value(private_openssl_diffie_hellman_t *this,chunk_t *value)
-{
-	bn2chunk(this->dh->pub_key, value);
-}
 
 /**
- * Implementation of openssl_diffie_hellman_t.get_shared_secret.
+ * Implementation of openssl_diffie_hellman_t.set_other_public_value.
  */
-static status_t get_shared_secret(private_openssl_diffie_hellman_t *this, chunk_t *secret)
+static void set_other_public_value(private_openssl_diffie_hellman_t *this,
+								   chunk_t value)
 {
-	if (!this->computed)
+	int len;
+	
+	BN_bin2bn(value.ptr, value.len, this->pub_key);
+	chunk_clear(&this->shared_secret);
+	this->shared_secret.ptr = malloc(DH_size(this->dh));
+	memset(this->shared_secret.ptr, 0xFF, this->shared_secret.len);
+	len = DH_compute_key(this->shared_secret.ptr, this->pub_key, this->dh);
+	if (len < 0)
 	{
-		return FAILED;
+		DBG1("DH shared secret computation failed");
+		return;
 	}
-	*secret = chunk_clone(this->shared_secret);
-	return SUCCESS;
+	this->shared_secret.len = len;
+	this->computed = TRUE;
 }
 
 /**
@@ -173,6 +168,11 @@ static diffie_hellman_group_t get_dh_group(private_openssl_diffie_hellman_t *thi
 static status_t set_modulus(private_openssl_diffie_hellman_t *this)
 {
 	int i;
+	bool ansi_x9_42;
+	
+	ansi_x9_42 = lib->settings->get_bool(lib->settings,
+										 "charon.dh_exponent_ansi_x9_42", TRUE);
+	
 	for (i = 0; i < (sizeof(modulus_entries) / sizeof(modulus_entry_t)); i++)
 	{
 		if (modulus_entries[i].group == this->group)
@@ -180,6 +180,10 @@ static status_t set_modulus(private_openssl_diffie_hellman_t *this)
 			this->dh->p = modulus_entries[i].get_prime(NULL);
 			this->dh->g = BN_new();
 			BN_set_word(this->dh->g, modulus_entries[i].generator);
+			if (!ansi_x9_42)
+			{
+				this->dh->length = modulus_entries[i].opt_exponent_len;
+			}
 			return SUCCESS;
 		}
 	}
@@ -193,7 +197,7 @@ static void destroy(private_openssl_diffie_hellman_t *this)
 {
 	BN_clear_free(this->pub_key);
 	DH_free(this->dh);
-	chunk_free(&this->shared_secret);
+	chunk_clear(&this->shared_secret);
 	free(this);
 }
 
@@ -206,7 +210,6 @@ openssl_diffie_hellman_t *openssl_diffie_hellman_create(diffie_hellman_group_t g
 	
 	this->public.dh.get_shared_secret = (status_t (*)(diffie_hellman_t *, chunk_t *)) get_shared_secret;
 	this->public.dh.set_other_public_value = (void (*)(diffie_hellman_t *, chunk_t )) set_other_public_value;
-	this->public.dh.get_other_public_value = (status_t (*)(diffie_hellman_t *, chunk_t *)) get_other_public_value;
 	this->public.dh.get_my_public_value = (void (*)(diffie_hellman_t *, chunk_t *)) get_my_public_value;
 	this->public.dh.get_dh_group = (diffie_hellman_group_t (*)(diffie_hellman_t *)) get_dh_group;
 	this->public.dh.destroy = (void (*)(diffie_hellman_t *)) destroy;
@@ -220,7 +223,6 @@ openssl_diffie_hellman_t *openssl_diffie_hellman_create(diffie_hellman_group_t g
 	
 	this->group = group;
 	this->computed = FALSE;
-	
 	this->pub_key = BN_new();
 	this->shared_secret = chunk_empty;
 	
@@ -237,6 +239,7 @@ openssl_diffie_hellman_t *openssl_diffie_hellman_create(diffie_hellman_group_t g
 		destroy(this);
 		return NULL;
 	}
+	DBG2("size of DH secret exponent: %d bits", BN_num_bits(this->dh->priv_key));
 	
 	return &this->public;
 }
diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
index 9d2bd44cd..9a89ad045 100644
--- a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
+++ b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: openssl_ec_diffie_hellman.c 4052 2008-06-10 09:19:18Z tobias $
+ * $Id: openssl_ec_diffie_hellman.c 4566 2008-11-04 13:12:11Z martin $
  */
 
 #include <openssl/ec.h>
@@ -216,24 +216,6 @@ static void set_other_public_value(private_openssl_ec_diffie_hellman_t *this, ch
 	this->computed = TRUE;
 }
 
-/**
- * Implementation of openssl_ec_diffie_hellman_t.get_other_public_value.
- */
-static status_t get_other_public_value(private_openssl_ec_diffie_hellman_t *this, 
-									   chunk_t *value)
-{
-	if (!this->computed)
-	{
-		return FAILED;
-	}
-	
-	if (!ecp2chunk(this->ec_group, this->pub_key, value))
-	{
-		return FAILED;
-	}
-	return SUCCESS;
-}
-
 /**
  * Implementation of openssl_ec_diffie_hellman_t.get_my_public_value.
  */
@@ -283,7 +265,6 @@ openssl_ec_diffie_hellman_t *openssl_ec_diffie_hellman_create(diffie_hellman_gro
 	
 	this->public.dh.get_shared_secret = (status_t (*)(diffie_hellman_t *, chunk_t *)) get_shared_secret;
 	this->public.dh.set_other_public_value = (void (*)(diffie_hellman_t *, chunk_t )) set_other_public_value;
-	this->public.dh.get_other_public_value = (status_t (*)(diffie_hellman_t *, chunk_t *)) get_other_public_value;
 	this->public.dh.get_my_public_value = (void (*)(diffie_hellman_t *, chunk_t *)) get_my_public_value;
 	this->public.dh.get_dh_group = (diffie_hellman_group_t (*)(diffie_hellman_t *)) get_dh_group;
 	this->public.dh.destroy = (void (*)(diffie_hellman_t *)) destroy;
diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c
index 82c54a95e..dcc78aed6 100644
--- a/src/libstrongswan/plugins/openssl/openssl_plugin.c
+++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2008 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -12,15 +13,18 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: openssl_plugin.c 4309 2008-08-28 11:07:57Z martin $
+ * $Id: openssl_plugin.c 4583 2008-11-05 12:37:37Z martin $
  */
 
 #include <openssl/evp.h>
 #include <openssl/engine.h>
+#include <openssl/crypto.h>
+#include <pthread.h>
 
 #include "openssl_plugin.h"
 
 #include <library.h>
+#include <utils/mutex.h>
 #include "openssl_crypter.h"
 #include "openssl_hasher.h"
 #include "openssl_diffie_hellman.h"
@@ -43,6 +47,120 @@ struct private_openssl_plugin_t {
 	openssl_plugin_t public;
 };
 
+/**
+ * Array of static mutexs, with CRYPTO_num_locks() mutex
+ */
+static mutex_t **mutex = NULL;
+
+/**
+ * Locking callback for static locks
+ */
+static void locking_function(int mode, int type, const char *file, int line)
+{
+	if (mutex)
+	{
+		if (mode & CRYPTO_LOCK)
+		{
+			mutex[type]->lock(mutex[type]);
+		}
+		else
+		{
+			mutex[type]->unlock(mutex[type]);
+		}
+	}
+}
+
+/**
+ * Implementation of dynlock
+ */
+struct CRYPTO_dynlock_value {
+	mutex_t *mutex;
+};
+
+/**
+ * Callback to create a dynamic lock
+ */
+static struct CRYPTO_dynlock_value *create_function(const char *file, int line)
+{
+	struct CRYPTO_dynlock_value *lock;
+	
+	lock = malloc_thing(struct CRYPTO_dynlock_value);
+	lock->mutex = mutex_create(MUTEX_DEFAULT);
+	return lock;
+}
+
+/**
+ * Callback to (un-)lock a dynamic lock
+ */
+static void lock_function(int mode, struct CRYPTO_dynlock_value *lock,
+						  const char *file, int line)
+{
+	if (mode & CRYPTO_LOCK)
+	{
+		lock->mutex->lock(lock->mutex);
+	}
+	else
+	{
+		lock->mutex->unlock(lock->mutex);
+	}
+}
+
+/**
+ * Callback to destroy a dynamic lock
+ */
+static void destroy_function(struct CRYPTO_dynlock_value *lock,
+							 const char *file, int line)
+{
+	lock->mutex->destroy(lock->mutex);
+	free(lock);
+}
+
+/**
+ * Thread-ID callback function
+ */
+static unsigned long id_function(void)
+{
+	return pthread_self();
+}
+
+/**
+ * initialize OpenSSL for multi-threaded use
+ */
+static void threading_init()
+{
+	int i, num_locks;
+
+	CRYPTO_set_id_callback(id_function);
+ 	CRYPTO_set_locking_callback(locking_function);
+	
+	CRYPTO_set_dynlock_create_callback(create_function);
+	CRYPTO_set_dynlock_lock_callback(lock_function);
+	CRYPTO_set_dynlock_destroy_callback(destroy_function);
+	
+	num_locks = CRYPTO_num_locks();
+	mutex = malloc(sizeof(mutex_t*) * num_locks);
+	for (i = 0; i < num_locks; i++)
+	{
+		mutex[i] = mutex_create(MUTEX_DEFAULT);
+	}
+}
+
+/**
+ * cleanup OpenSSL threading locks
+ */
+static void threading_cleanup()
+{
+	int i, num_locks;
+	
+	num_locks = CRYPTO_num_locks();
+	for (i = 0; i < num_locks; i++)
+	{
+		mutex[i]->destroy(mutex[i]);
+	}
+	free(mutex);
+	mutex = NULL;
+}
+
 /**
  * Implementation of openssl_plugin_t.destroy
  */
@@ -68,6 +186,8 @@ static void destroy(private_openssl_plugin_t *this)
 	ENGINE_cleanup();
 	EVP_cleanup();
 	
+	threading_cleanup();
+	
 	free(this);
 }
 
@@ -80,6 +200,8 @@ plugin_t *plugin_create()
 	
 	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
 	
+	threading_init();
+	
 	OpenSSL_add_all_algorithms();
 	
 	/* activate support for hardware accelerators */
diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
index 8ad75215a..a815ce622 100644
--- a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: openssl_rsa_private_key.c 4317 2008-09-02 11:00:13Z martin $
+ * $Id: openssl_rsa_private_key.c 4564 2008-11-04 13:01:36Z martin $
  */
 
 #include "openssl_rsa_private_key.h"
@@ -74,9 +74,11 @@ openssl_rsa_public_key_t *openssl_rsa_public_key_create_from_n_e(BIGNUM *n, BIGN
  * Build an EMPSA PKCS1 signature described in PKCS#1
  */
 static bool build_emsa_pkcs1_signature(private_openssl_rsa_private_key_t *this,
-									   int type, chunk_t data, chunk_t *signature)
+									   int type, chunk_t data, chunk_t *out)
 {
 	bool success = FALSE;
+	u_char *sig = NULL;
+	u_int len;
 	const EVP_MD *hasher = EVP_get_digestbynid(type);
 	if (!hasher)
 	{
@@ -105,14 +107,17 @@ static bool build_emsa_pkcs1_signature(private_openssl_rsa_private_key_t *this,
 		goto error;
 	}
 	
-	*signature = chunk_alloc(RSA_size(this->rsa));
-	
-	if (!EVP_SignFinal(ctx, signature->ptr, &signature->len, key))
+	sig = malloc(EVP_PKEY_size(key));
+	if (EVP_SignFinal(ctx, sig, &len, key))
 	{
-		goto error;
+		out->ptr = sig;
+		out->len = len;
+		success = TRUE;
+	}
+	else
+	{
+		free(sig);
 	}
-	
-	success = TRUE;
 	
 error:
 	if (key)
diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
index 61b5b9b64..794fa8123 100644
--- a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: openssl_rsa_public_key.c 4317 2008-09-02 11:00:13Z martin $
+ * $Id: openssl_rsa_public_key.c 4567 2008-11-04 14:05:42Z martin $
  */
 
 #include "openssl_rsa_public_key.h"
@@ -90,13 +90,11 @@ static bool verify_emsa_pkcs1_signature(private_openssl_rsa_public_key_t *this,
 		goto error;
 	}
 	
-	/* remove any preceding 0-bytes from signature */
-	while (signature.len && *(signature.ptr) == 0x00)
+	/* VerifyFinal expects a signature of exactly RSA size (no leading 0x00) */
+	if (signature.len > RSA_size(this->rsa))
 	{
-		signature.len -= 1;
-		signature.ptr++;
+		signature = chunk_skip(signature, signature.len - RSA_size(this->rsa));
 	}
-	
 	valid = (EVP_VerifyFinal(ctx, signature.ptr, signature.len, key) == 1);
 	
 error:
diff --git a/src/libstrongswan/plugins/x509/x509_ac.c b/src/libstrongswan/plugins/x509/x509_ac.c
index caae5e08d..257a903e4 100644
--- a/src/libstrongswan/plugins/x509/x509_ac.c
+++ b/src/libstrongswan/plugins/x509/x509_ac.c
@@ -21,6 +21,8 @@
 #include "x509_ac.h"
 #include "ietf_attr_list.h"
 
+#include <time.h>
+
 #include <library.h>
 #include <debug.h>
 #include <asn1/oid.h>
diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c
index c82d14a17..9f76c3486 100644
--- a/src/libstrongswan/plugins/x509/x509_cert.c
+++ b/src/libstrongswan/plugins/x509/x509_cert.c
@@ -17,7 +17,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: x509_cert.c 4317 2008-09-02 11:00:13Z martin $
+ * $Id: x509_cert.c 4576 2008-11-05 08:32:38Z martin $
  */
 
 #define _GNU_SOURCE
@@ -25,6 +25,7 @@
 #include "x509_cert.h"
 
 #include <sys/stat.h>
+#include <time.h>
 #include <unistd.h>
 #include <string.h>
 #include <stdio.h>
diff --git a/src/libstrongswan/plugins/x509/x509_crl.c b/src/libstrongswan/plugins/x509/x509_crl.c
index eb9bfe903..8375d88ef 100644
--- a/src/libstrongswan/plugins/x509/x509_crl.c
+++ b/src/libstrongswan/plugins/x509/x509_crl.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: x509_crl.c 4317 2008-09-02 11:00:13Z martin $
+ * $Id: x509_crl.c 4576 2008-11-05 08:32:38Z martin $
  */
 
 #include "x509_crl.h"
@@ -20,6 +20,8 @@
 typedef struct private_x509_crl_t private_x509_crl_t;
 typedef struct revoked_t revoked_t;
 
+#include <time.h>
+
 #include <debug.h>
 #include <library.h>
 #include <asn1/oid.h>
diff --git a/src/libstrongswan/settings.c b/src/libstrongswan/settings.c
index 6f9e40395..a02823ba0 100644
--- a/src/libstrongswan/settings.c
+++ b/src/libstrongswan/settings.c
@@ -88,9 +88,50 @@ struct kv_t {
 	char *value;
 };
 
-static char *find(section_t *section, char *key)
+/**
+ * find a section by a given key
+ */
+static section_t *find_section(section_t *section, char *key, va_list args)
+{
+	char name[512], *pos;
+	enumerator_t *enumerator;
+	section_t *current, *found = NULL;
+	
+	if (section == NULL)
+	{
+		return NULL;
+	}
+	if (vsnprintf(name, sizeof(name), key, args) >= sizeof(name))
+	{
+		return NULL;
+	}
+	
+	pos = strchr(name, '.');
+	if (pos)
+	{
+		*pos = '\0';
+		pos++;
+	}
+	enumerator = section->sections->create_enumerator(section->sections);
+	while (enumerator->enumerate(enumerator, &current))
+	{
+		if (streq(current->name, name))
+		{
+			found = current;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	if (found && pos)
+	{
+		return find_section(found, pos, args);
+	}
+	return found;
+}
+
+static char *find_value(section_t *section, char *key, va_list args)
 {
-	char *name, *pos, *value = NULL;
+	char name[512], *pos, *value = NULL;
 	enumerator_t *enumerator;
 	kv_t *kv;
 	section_t *current, *found = NULL;
@@ -100,7 +141,10 @@ static char *find(section_t *section, char *key)
 		return NULL;
 	}
 	
-	name = strdupa(key);
+	if (vsnprintf(name, sizeof(name), key, args) >= sizeof(name))
+	{
+		return NULL;
+	}
 	
 	pos = strchr(name, '.');
 	if (pos)
@@ -119,7 +163,7 @@ static char *find(section_t *section, char *key)
 		enumerator->destroy(enumerator);
 		if (found)
 		{
-			return find(found, pos);
+			return find_value(found, pos, args);
 		}
 	}
 	else
@@ -141,11 +185,14 @@ static char *find(section_t *section, char *key)
 /**
  * Implementation of settings_t.get.
  */
-static char* get_str(private_settings_t *this, char *key, char *def)
+static char* get_str(private_settings_t *this, char *key, char *def, ...)
 {
 	char *value;
+	va_list args;
 	
-	value = find(this->top, key);
+	va_start(args, def);
+	value = find_value(this->top, key, args);
+	va_end(args);
 	if (value)
 	{
 		return value;
@@ -156,11 +203,14 @@ static char* get_str(private_settings_t *this, char *key, char *def)
 /**
  * Implementation of settings_t.get_bool.
  */
-static bool get_bool(private_settings_t *this, char *key, bool def)
+static bool get_bool(private_settings_t *this, char *key, bool def, ...)
 {
 	char *value;
+	va_list args;
 	
-	value = find(this->top, key);
+	va_start(args, def);
+	value = find_value(this->top, key, args);
+	va_end(args);
 	if (value)
 	{
 		if (strcasecmp(value, "true") == 0 ||
@@ -184,12 +234,15 @@ static bool get_bool(private_settings_t *this, char *key, bool def)
 /**
  * Implementation of settings_t.get_int.
  */
-static int get_int(private_settings_t *this, char *key, int def)
+static int get_int(private_settings_t *this, char *key, int def, ...)
 {
 	char *value;
 	int intval;
+	va_list args;
 	
-	value = find(this->top, key);
+	va_start(args, def);
+	value = find_value(this->top, key, args);
+	va_end(args);
 	if (value)
 	{
 		errno = 0;
@@ -205,12 +258,15 @@ static int get_int(private_settings_t *this, char *key, int def)
 /**
  * Implementation of settings_t.get_time.
  */
-static u_int32_t get_time(private_settings_t *this, char *key, u_int32_t def)
+static u_int32_t get_time(private_settings_t *this, char *key, u_int32_t def, ...)
 {
 	char *value, *endptr;
 	u_int32_t timeval;
+	va_list args;
 	
-	value = find(this->top, key);
+	va_start(args, def);
+	value = find_value(this->top, key, args);
+	va_end(args);
 	if (value)
 	{
 		errno = 0;
@@ -238,6 +294,37 @@ static u_int32_t get_time(private_settings_t *this, char *key, u_int32_t def)
 	return def;
 }
 
+/**
+ * Enumerate section names, not sections
+ */
+static bool section_filter(void *null, section_t **in, char **out)
+{
+	*out = (*in)->name;
+	return TRUE;
+}
+
+/**
+ * Implementation of settings_t.create_section_enumerator
+ */
+static enumerator_t* create_section_enumerator(private_settings_t *this,
+											   char *key, ...)
+{
+	section_t *section;
+	va_list args;
+	
+	va_start(args, key);
+	section = find_section(this->top, key, args);
+	va_end(args);
+	
+	if (!section)
+	{	
+		return enumerator_create_empty();
+	}
+	return enumerator_create_filter(
+					section->sections->create_enumerator(section->sections),
+					(void*)section_filter, NULL, NULL);
+}
+
 /**
  * destroy a section
  */
@@ -400,10 +487,11 @@ settings_t *settings_create(char *file)
 {
 	private_settings_t *this = malloc_thing(private_settings_t);
 	
-	this->public.get_str = (char*(*)(settings_t*, char *key, char* def))get_str;
-	this->public.get_int = (int(*)(settings_t*, char *key, int def))get_int;
-	this->public.get_time = (u_int32_t(*)(settings_t*, char *key, u_int32_t def))get_time;
-	this->public.get_bool = (bool(*)(settings_t*, char *key, bool def))get_bool;
+	this->public.get_str = (char*(*)(settings_t*, char *key, char* def, ...))get_str;
+	this->public.get_int = (int(*)(settings_t*, char *key, int def, ...))get_int;
+	this->public.get_time = (u_int32_t(*)(settings_t*, char *key, u_int32_t def, ...))get_time;
+	this->public.get_bool = (bool(*)(settings_t*, char *key, bool def, ...))get_bool;
+	this->public.create_section_enumerator = (enumerator_t*(*)(settings_t*,char *section, ...))create_section_enumerator;
 	this->public.destroy = (void(*)(settings_t*))destroy;
 	
 	this->top = NULL;
diff --git a/src/libstrongswan/settings.h b/src/libstrongswan/settings.h
index 451c2a583..0f41878c5 100644
--- a/src/libstrongswan/settings.h
+++ b/src/libstrongswan/settings.h
@@ -26,11 +26,12 @@
 typedef struct settings_t settings_t;
 
 #include <library.h>
+#include <utils/enumerator.h>
 
 /**
  * Generic configuration options read from a config file.
  *
- * The sytax is quite simple:
+ * The syntax is quite simple:
  *
  * settings := (section|keyvalue)*
  * section  := name { settings }
@@ -38,8 +39,8 @@ typedef struct settings_t settings_t;
  *
  * E.g.:
  * @code
-   a = b
-   section-one {
+  	a = b
+  	section-one {
   		somevalue = asdf
   		subsection {
   			othervalue = xxx
@@ -58,43 +59,56 @@ struct settings_t {
 	/**
 	 * Get a settings value as a string.
 	 *
-	 * @param key		key including sections
+	 * @param key		key including sections, printf style format
 	 * @param def		value returned if key not found
+	 * @param ...		argument list for key
 	 * @return			value pointing to internal string
 	 */
-	char* (*get_str)(settings_t *this, char *key, char *def);
+	char* (*get_str)(settings_t *this, char *key, char *def, ...);
 	
 	/**
 	 * Get a boolean yes|no, true|false value.
 	 *
-	 * @param jey		key including sections
-	 * @param def		default value returned if key not found
+	 * @param key		key including sections, printf style format
+	 * @param def		value returned if key not found
+	 * @param ...		argument list for key
 	 * @return			value of the key
 	 */
-	bool (*get_bool)(settings_t *this, char *key, bool def);
+	bool (*get_bool)(settings_t *this, char *key, bool def, ...);
 	
 	/**
 	 * Get an integer value.
 	 *
-	 * @param key		key including sections
-	 * @param def		default value to return if key not found
+	 * @param key		key including sections, printf style format
+	 * @param def		value returned if key not found
+	 * @param ...		argument list for key
 	 * @return			value of the key
 	 */
-	int (*get_int)(settings_t *this, char *key, int def);
+	int (*get_int)(settings_t *this, char *key, int def, ...);
 	
 	/**
 	 * Get a time value.
 	 *
-	 * @param key		key including sections
-	 * @param def		default value to return if key not found
+	 * @param key		key including sections, printf style format
+	 * @param def		value returned if key not found
+	 * @param ...		argument list for key
 	 * @return			value of the key
 	 */
-	u_int32_t (*get_time)(settings_t *this, char *key, u_int32_t def);
-
+	u_int32_t (*get_time)(settings_t *this, char *key, u_int32_t def, ...);
+	
 	/**
-     * Destroy a settings instance.
-     */
-    void (*destroy)(settings_t *this);
+	 * Create an enumerator over subsection names of a section.
+	 *
+	 * @param section	section including parents, printf style format
+	 * @param ...		argument list for key
+	 * @return			enumerator over subsection names
+	 */
+	enumerator_t* (*create_section_enumerator)(settings_t *this,
+											   char *section, ...);
+	/**
+	 * Destroy a settings instance.
+	 */
+	void (*destroy)(settings_t *this);
 };
 
 /**
diff --git a/src/libstrongswan/utils.h b/src/libstrongswan/utils.h
index 4af7df9ad..a5900201a 100644
--- a/src/libstrongswan/utils.h
+++ b/src/libstrongswan/utils.h
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: utils.h 4305 2008-08-28 07:47:55Z tobias $
+ * $Id: utils.h 4632 2008-11-11 18:37:19Z martin $
  */
 
 /**
@@ -95,6 +95,11 @@
  */
 #define countof(array) (sizeof(array)/sizeof(array[0]))
 
+/**
+ * Ignore result of functions tagged with warn_unused_result attributes
+ */
+#define ignore_result(call) { if(call); }
+
 /**
  * Assign a function as a class method
  */
diff --git a/src/libstrongswan/utils/backtrace.c b/src/libstrongswan/utils/backtrace.c
new file mode 100644
index 000000000..3caafdc38
--- /dev/null
+++ b/src/libstrongswan/utils/backtrace.c
@@ -0,0 +1,183 @@
+/*
+ * Copyright (C) 2006-2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+#define _GNU_SOURCE
+
+#ifdef HAVE_DLADDR
+# include <dlfcn.h>
+#endif /* HAVE_DLADDR */
+
+#ifdef HAVE_BACKTRACE
+# include <execinfo.h>
+#endif /* HAVE_BACKTRACE */
+
+#include "backtrace.h"
+
+typedef struct private_backtrace_t private_backtrace_t;
+
+/**
+ * Private data of an backtrace_t object.
+ */
+struct private_backtrace_t {
+	
+	/**
+	 * Public backtrace_t interface.
+	 */
+	backtrace_t public;
+	
+	/**
+	 * Number of stacks frames obtained in stack_frames
+	 */
+	int frame_count;
+	
+	/**
+	 * Recorded stack frames.
+	 */
+	void *frames[];
+};
+
+/**
+ * Implementation of backtrace_t.log
+ */
+static void log_(private_backtrace_t *this, FILE *file)
+{
+#ifdef HAVE_BACKTRACE
+	size_t i;
+	char **strings;
+	
+	strings = backtrace_symbols(this->frames, this->frame_count);
+
+	fprintf(file, " dumping %d stack frame addresses:\n", this->frame_count);
+	for (i = 0; i < this->frame_count; i++)
+	{
+#ifdef HAVE_DLADDR
+		Dl_info info;
+		
+		if (dladdr(this->frames[i], &info))
+		{
+			char cmd[1024];
+			FILE *output;
+			char c;
+			void *ptr = this->frames[i];
+			
+			if (strstr(info.dli_fname, ".so"))
+			{
+				ptr = (void*)(this->frames[i] - info.dli_fbase);
+			}
+			snprintf(cmd, sizeof(cmd), "addr2line -e %s %p", info.dli_fname, ptr);
+			if (info.dli_sname)
+			{
+				fprintf(file, "  \e[33m%s\e[0m @ %p (\e[31m%s\e[0m+0x%x) [%p]\n",
+						info.dli_fname, info.dli_fbase, info.dli_sname,
+						this->frames[i] - info.dli_saddr, this->frames[i]);
+			}
+			else
+			{
+				fprintf(file, "  \e[33m%s\e[0m @ %p [%p]\n", info.dli_fname,
+						info.dli_fbase, this->frames[i]);
+			}
+			fprintf(file, "    -> \e[32m");
+			output = popen(cmd, "r");
+			if (output)
+			{
+				while (TRUE)
+				{
+					c = getc(output);
+					if (c == '\n' || c == EOF)
+					{
+						break;
+					}
+					fputc(c, file);
+				}
+				pclose(output);
+			}
+			else
+			{
+#endif /* HAVE_DLADDR */
+				fprintf(file, "    %s\n", strings[i]);
+#ifdef HAVE_DLADDR
+			}
+			fprintf(file, "\n\e[0m");
+		}
+		else
+		{
+			fprintf(file, "    %s\n", strings[i]);
+		}
+#endif /* HAVE_DLADDR */
+	}
+	free (strings);
+#else /* !HAVE_BACKTRACE */
+	fprintf(file, "C library does not support backtrace().\n");
+#endif /* HAVE_BACKTRACE */
+}
+
+/**
+ * Implementation of backtrace_t.contains_function
+ */
+static bool contains_function(private_backtrace_t *this, char *function)
+{
+#ifdef HAVE_DLADDR
+	int i;
+
+	for (i = 0; i< this->frame_count; i++)
+	{
+		Dl_info info;
+		
+		if (dladdr(this->frames[i], &info) && info.dli_sname)
+		{
+			if (streq(info.dli_sname, function))
+			{
+				return TRUE;
+			}
+		}
+	}
+#endif /* HAVE_DLADDR */
+	return FALSE;
+}
+
+/**
+ * Implementation of backtrace_t.destroy.
+ */
+static void destroy(private_backtrace_t *this)
+{
+	free(this);
+}
+
+/**
+ * See header
+ */
+backtrace_t *backtrace_create(int skip)
+{
+	private_backtrace_t *this;
+	void *frames[50];
+	int frame_count = 0;
+	
+#ifdef HAVE_BACKTRACE
+	frame_count = backtrace(frames, countof(frames));
+#endif /* HAVE_BACKTRACE */
+	frame_count = max(frame_count - skip, 0);
+	this = malloc(sizeof(private_backtrace_t) + frame_count * sizeof(void*));
+	memcpy(this->frames, frames + skip, frame_count * sizeof(void*));
+	this->frame_count = frame_count;
+	
+	this->public.log = (void(*)(backtrace_t*,FILE*))log_;
+	this->public.contains_function = (bool(*)(backtrace_t*, char *function))contains_function;
+	this->public.destroy = (void(*)(backtrace_t*))destroy;
+	
+	return &this->public;
+}
+
diff --git a/src/libstrongswan/utils/backtrace.h b/src/libstrongswan/utils/backtrace.h
new file mode 100644
index 000000000..72effd01e
--- /dev/null
+++ b/src/libstrongswan/utils/backtrace.h
@@ -0,0 +1,63 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup backtrace backtrace
+ * @{ @ingroup utils
+ */
+
+#ifndef BACKTRACE_H_
+#define BACKTRACE_H_
+
+#include <stdio.h>
+
+#include <library.h>
+
+typedef struct backtrace_t backtrace_t;
+
+/**
+ * A backtrace registers the frames on the stack during creation.
+ */
+struct backtrace_t {
+	
+	/**
+	 * Log the backtrace to a FILE stream.
+	 */
+	void (*log)(backtrace_t *this, FILE *file);
+	
+	/**
+	 * Check if the backtrace contains a frame in a specific function.
+	 *
+	 * @param		function name
+	 * @return		TRUE if function is in the stack
+	 */
+	bool (*contains_function)(backtrace_t *this, char *function);
+	
+	/**
+	 * Destroy a backtrace instance.
+	 */
+	void (*destroy)(backtrace_t *this);
+};
+
+/**
+ * Create a backtrace of the current stack.
+ *
+ * @param skip		how many of the innerst frames to skip
+ * @return			backtrace
+ */
+backtrace_t *backtrace_create(int skip);
+
+#endif /* BACKTRACE_H_ @}*/
+
diff --git a/src/libstrongswan/utils/host.c b/src/libstrongswan/utils/host.c
index eb87f27bc..4702222e8 100644
--- a/src/libstrongswan/utils/host.c
+++ b/src/libstrongswan/utils/host.c
@@ -15,7 +15,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: host.c 4056 2008-06-11 07:44:23Z martin $
+ * $Id: host.c 4639 2008-11-12 15:09:24Z martin $
  */
 
 #define _GNU_SOURCE
@@ -27,6 +27,9 @@
 
 #include <debug.h>
 
+#define IPV4_LEN	 4
+#define IPV6_LEN	16
+
 typedef struct private_host_t private_host_t;
 
 /**
@@ -83,17 +86,17 @@ static bool is_anyaddr(private_host_t *this)
 	{
 		case AF_INET:
 		{
-			u_int8_t default_route[4];
-			memset(default_route, 0, sizeof(default_route));
-			return memeq(default_route, &(this->address4.sin_addr.s_addr),
-						 sizeof(default_route));
+			u_int8_t zeroes[IPV4_LEN];
+
+			memset(zeroes, 0, IPV4_LEN);
+			return memeq(zeroes, &(this->address4.sin_addr.s_addr), IPV4_LEN);
 		}
 		case AF_INET6:
 		{
-			u_int8_t default_route[16];
-			memset(default_route, 0, sizeof(default_route));
-			return memeq(default_route, &(this->address6.sin6_addr.s6_addr),
-						 sizeof(default_route));
+			u_int8_t zeroes[IPV6_LEN];
+
+			memset(zeroes, 0, IPV6_LEN);
+			return memeq(zeroes, &(this->address6.sin6_addr.s6_addr), IPV6_LEN);
 		}
 		default:
 		{
@@ -196,13 +199,13 @@ static chunk_t get_address(private_host_t *this)
 		case AF_INET:
 		{
 			address.ptr = (char*)&(this->address4.sin_addr.s_addr);
-			address.len = 4;
+			address.len = IPV4_LEN;
 			return address;
 		}
 		case AF_INET6:
 		{
 			address.ptr = (char*)&(this->address6.sin6_addr.s6_addr);
-			address.len = 16;
+			address.len = IPV6_LEN;
 			return address;
 		}
 		default:
@@ -285,33 +288,21 @@ static bool ip_equals(private_host_t *this, private_host_t *other)
 {
 	if (this->address.sa_family != other->address.sa_family)
 	{
-		/* 0.0.0.0 and ::0 are equal */
-		if (is_anyaddr(this) && is_anyaddr(other))
-		{
-			return TRUE;
-		}
-		
-		return FALSE;
+		/* 0.0.0.0 and 0::0 are equal */
+		return (is_anyaddr(this) && is_anyaddr(other));
 	}
 	
 	switch (this->address.sa_family)
 	{
 		case AF_INET:
 		{
-			if (memeq(&this->address4.sin_addr, &other->address4.sin_addr,
-					  sizeof(this->address4.sin_addr)))
-			{
-				return TRUE;
-			}
-			break;
+			return memeq(&this->address4.sin_addr, &other->address4.sin_addr,
+						 sizeof(this->address4.sin_addr));
 		}
 		case AF_INET6:
 		{
-			if (memeq(&this->address6.sin6_addr, &other->address6.sin6_addr,
-					  sizeof(this->address6.sin6_addr)))
-			{
-				return TRUE;
-			}
+			return memeq(&this->address6.sin6_addr, &other->address6.sin6_addr,
+						 sizeof(this->address6.sin6_addr));
 		}
 		default:
 			break;
@@ -340,7 +331,7 @@ static host_diff_t get_differences(host_t *this, host_t *other)
 }
 
 /**
- * Impelements host_t.equals
+ * Implements host_t.equals
  */
 static bool equals(private_host_t *this, private_host_t *other)
 {
@@ -353,19 +344,11 @@ static bool equals(private_host_t *this, private_host_t *other)
 	{
 		case AF_INET:
 		{
-			if (this->address4.sin_port == other->address4.sin_port)
-			{
-				return TRUE;
-			}
-			break;
+			return (this->address4.sin_port == other->address4.sin_port);
 		}
 		case AF_INET6:
 		{
-			if (this->address6.sin6_port == other->address6.sin6_port)
-			{
-				return TRUE;
-			}
-			break;
+			return (this->address6.sin6_port == other->address6.sin6_port);
 		}
 		default:
 			break;
@@ -409,8 +392,14 @@ static private_host_t *host_create_empty(void)
  */
 host_t *host_create_from_string(char *string, u_int16_t port)
 {
-	private_host_t *this = host_create_empty();
+	private_host_t *this;
 	
+	if (streq(string, "%any"))
+	{
+		return host_create_any(AF_INET);
+	}
+	
+	this = host_create_empty();
 	if (strchr(string, '.'))
 	{
 		this->address.sa_family = AF_INET;
@@ -419,7 +408,6 @@ host_t *host_create_from_string(char *string, u_int16_t port)
 	{
 		this->address.sa_family = AF_INET6;
 	}
-
 	switch (this->address.sa_family)
 	{
 		case AF_INET:
@@ -460,9 +448,14 @@ host_t *host_create_from_dns(char *string, int af, u_int16_t port)
 	struct hostent host, *ptr;
 	char buf[512];
 	int err, ret;
-	
-	if (strchr(string, ':'))
-	{	/* gethostbyname does not like IPv6 addresses, fallback */
+
+	if (streq(string, "%any"))
+	{
+		return host_create_any(af ? af : AF_INET);
+	}
+	else if (strchr(string, ':'))
+	{
+		/* gethostbyname does not like IPv6 addresses - fallback */
 		return host_create_from_string(string, port);
 	}
 	
@@ -511,38 +504,56 @@ host_t *host_create_from_dns(char *string, int af, u_int16_t port)
  */
 host_t *host_create_from_chunk(int family, chunk_t address, u_int16_t port)
 {
-	private_host_t *this = host_create_empty();
+	private_host_t *this;
 	
-	this->address.sa_family = family;
 	switch (family)
 	{
 		case AF_INET:
-		{
-			if (address.len != 4)
+			if (address.len < IPV4_LEN)
 			{
-				break;
+				return NULL;
 			}
-			memcpy(&(this->address4.sin_addr.s_addr), address.ptr,4);
-			this->address4.sin_port = htons(port);
-			this->socklen = sizeof(struct sockaddr_in);
-			return &(this->public);
-		}
+			address.len = IPV4_LEN;
+			break;
 		case AF_INET6:
-		{
-			if (address.len != 16)
+			if (address.len < IPV6_LEN)
 			{
-				break;
+				return NULL;
+			}
+			address.len = IPV6_LEN;
+			break;
+		case AF_UNSPEC:
+			switch (address.len)
+			{
+				case IPV4_LEN:
+					family = AF_INET;
+					break;
+				case IPV6_LEN:
+					family = AF_INET6;
+					break;
+				default:
+					return NULL;
 			}
-			memcpy(&(this->address6.sin6_addr.s6_addr), address.ptr, 16);
+			break;
+		default:
+			return NULL;
+	}
+	this = host_create_empty();
+	this->address.sa_family = family;
+	switch (family)
+	{
+		case AF_INET:
+			memcpy(&this->address4.sin_addr.s_addr, address.ptr, address.len);
+			this->address4.sin_port = htons(port);
+			this->socklen = sizeof(struct sockaddr_in);
+			break;
+		case AF_INET6:
+			memcpy(&this->address6.sin6_addr.s6_addr, address.ptr, address.len);
 			this->address6.sin6_port = htons(port);
 			this->socklen = sizeof(struct sockaddr_in6);
-			return &this->public;
-		}
-		default:
 			break;
 	}
-	free(this);
-	return NULL;
+	return &this->public;
 }
 
 /*
diff --git a/src/libstrongswan/utils/host.h b/src/libstrongswan/utils/host.h
index 6a1d824c6..667cc6bcc 100644
--- a/src/libstrongswan/utils/host.h
+++ b/src/libstrongswan/utils/host.h
@@ -170,10 +170,12 @@ host_t *host_create_from_string(char *string, u_int16_t port);
 host_t *host_create_from_dns(char *string, int family, u_int16_t port);
 
 /**
- * Constructor to create a host_t object from an address chunk
+ * Constructor to create a host_t object from an address chunk.
+ *
+ * If family is AF_UNSPEC, it is guessed using address.len.
  *
  * @param family 		Address family, such as AF_INET or AF_INET6
- * @param address		address as chunk_t in networ order
+ * @param address		address as chunk_t in network order
  * @param port			port number
  * @return 				host_t, NULL if family not supported/chunk invalid
  */
diff --git a/src/libstrongswan/utils/iterator.h b/src/libstrongswan/utils/iterator.h
index a1bdad1d6..28ee74cd6 100644
--- a/src/libstrongswan/utils/iterator.h
+++ b/src/libstrongswan/utils/iterator.h
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: iterator.h 3589 2008-03-13 14:14:44Z martin $
+ * $Id: iterator.h 4577 2008-11-05 08:37:09Z martin $
  */
  
 /**
@@ -26,43 +26,6 @@
 
 #include <library.h>
 
-typedef enum hook_result_t hook_result_t;
-
-/**
- * Return value of an iterator hook.
- *
- * Returning HOOK_AGAIN is useful to "inject" additional elements in an
- * iteration, HOOK_NEXT is the normal iterator behavior, and HOOK_SKIP may
- * be used to filter elements out.
- */
-enum hook_result_t {
-
-	/**
-	 * A value was placed in out, hook is called again with the same "in"
-	 */
-	HOOK_AGAIN,
-	
-	/**
-	 * A value was placed in out, hook is called again with next "in" (if any)
-	 */
-	HOOK_NEXT,
-	
-	/**
-	 * No value in out, call again with next "in" (if any)
-	 */
-	HOOK_SKIP,
-};
-
-/**
- * Iterator hook function prototype.
- *
- * @param param		user supplied parameter
- * @param in		the value the hook receives from the iterator
- * @param out		the value supplied as a result to the iterator
- * @return			a hook_result_t
- */
-typedef hook_result_t (iterator_hook_t)(void *param, void *in, void **out);
-
 
 typedef struct iterator_t iterator_t;
 
@@ -93,24 +56,6 @@ struct iterator_t {
 	 */
 	bool (*iterate) (iterator_t *this, void** value);
 	
-	/**
-	 * Hook a function into the iterator.
-	 *
-	 * Sometimes it is useful to hook in an iterator. The hook function is
-	 * called before any successful return of iterate(). It takes the
-	 * iterator value, may manipulate it (or the references object), and returns
-	 * the value that the iterate() function returns. Depending on the hook
-	 * return value, the hook is called again, called with next, or skipped.
-	 * A value of NULL deactivates the iterator hook.
-	 * If an iterator is hooked, only the iterate() method is valid,
-	 * all other methods behave undefined.
-	 * 
-	 * @param hook		iterator hook which manipulates the iterated value
-	 * @param param		user supplied parameter to pass back to the hook
-	 */
-	void (*set_iterator_hook) (iterator_t *this, iterator_hook_t *hook,
-							   void *param);
-	
 	/**
 	 * Inserts a new item before the given iterator position.
 	 * 
diff --git a/src/libstrongswan/utils/leak_detective.c b/src/libstrongswan/utils/leak_detective.c
index bc7f56ebd..73409158d 100644
--- a/src/libstrongswan/utils/leak_detective.c
+++ b/src/libstrongswan/utils/leak_detective.c
@@ -12,13 +12,8 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: leak_detective.c 4311 2008-08-28 16:27:48Z martin $
+ * $Id: leak_detective.c 4609 2008-11-10 16:44:27Z martin $
  */
-
-#ifdef HAVE_DLADDR
-# define _GNU_SOURCE
-# include <dlfcn.h>
-#endif /* HAVE_DLADDR */
 	
 #include <stddef.h>
 #include <string.h>
@@ -28,21 +23,18 @@
 #include <sys/socket.h>
 #include <netinet/in.h>
 #include <arpa/inet.h>
-#include <dlfcn.h>
 #include <unistd.h>
 #include <syslog.h>
 #include <pthread.h>
 #include <netdb.h>
 #include <printf.h>
 #include <locale.h>
-#ifdef HAVE_BACKTRACE
-# include <execinfo.h>
-#endif /* HAVE_BACKTRACE */
 
 #include "leak_detective.h"
 
 #include <library.h>
 #include <debug.h>
+#include <utils/backtrace.h>
 
 typedef struct private_leak_detective_t private_leak_detective_t;
 
@@ -105,16 +97,6 @@ struct memory_header_t {
 	 */
 	u_int bytes;
 	
-	/**
-	 * Stack frames at the time of allocation
-	 */
-	void *stack_frames[STACK_FRAMES_COUNT];
-	
-	/**
-	 * Number of stacks frames obtained in stack_frames
-	 */
-	int stack_frame_count;
-	
 	/**
 	 * Pointer to previous entry in linked list
 	 */
@@ -125,6 +107,11 @@ struct memory_header_t {
 	 */
 	memory_header_t *next;
 	
+	/**
+	 * backtrace taken during (re-)allocation
+	 */
+	backtrace_t *backtrace;
+	
 	/**
 	 * magic bytes to detect bad free or heap underflow, MEMORY_HEADER_MAGIC
 	 */
@@ -151,7 +138,7 @@ struct memory_tail_t {
 static memory_header_t first_header = {
 	magic: MEMORY_HEADER_MAGIC,
 	bytes: 0,
-	stack_frame_count: 0,
+	backtrace: NULL,
 	previous: NULL,
 	next: NULL
 };
@@ -161,76 +148,6 @@ static memory_header_t first_header = {
  */
 static bool installed = FALSE;
 
-/**
- * log stack frames queried by backtrace()
- * TODO: Dump symbols of static functions. This could be done with
- * the addr2line utility or the GNU BFD Library...
- */
-static void log_stack_frames(void **stack_frames, int stack_frame_count)
-{
-#ifdef HAVE_BACKTRACE
-	size_t i;
-	char **strings;
-	
-	strings = backtrace_symbols(stack_frames, stack_frame_count);
-
-	fprintf(stderr, " dumping %d stack frame addresses:\n", stack_frame_count);
-	for (i = 0; i < stack_frame_count; i++)
-	{
-#ifdef HAVE_DLADDR
-		Dl_info info;
-		
-		if (dladdr(stack_frames[i], &info))
-		{
-			char cmd[1024];
-			FILE *output;
-			char c;
-			void *ptr = stack_frames[i];
-			
-			if (strstr(info.dli_fname, ".so"))
-			{
-				ptr = (void*)(stack_frames[i] - info.dli_fbase);
-			}
-			snprintf(cmd, sizeof(cmd), "addr2line -e %s %p", info.dli_fname, ptr);
-			if (info.dli_sname)
-			{
-				fprintf(stderr, "  \e[33m%s\e[0m @ %p (\e[31m%s\e[0m+0x%x) [%p]\n",
-						info.dli_fname, info.dli_fbase, info.dli_sname,
-						stack_frames[i] - info.dli_saddr, stack_frames[i]);
-			}
-			else
-			{
-				fprintf(stderr, "  \e[33m%s\e[0m @ %p [%p]\n", info.dli_fname,
-						info.dli_fbase, stack_frames[i]);
-			}
-			fprintf(stderr, "    -> \e[32m");
-			output = popen(cmd, "r");
-			if (output)
-			{
-				while (TRUE)
-				{
-					c = getc(output);
-					if (c == '\n' || c == EOF)
-					{
-						break;
-					}
-					fputc(c, stderr);
-				}
-			}
-			else
-			{
-#endif /* HAVE_DLADDR */
-				fprintf(stderr, "    %s\n", strings[i]);
-#ifdef HAVE_DLADDR
-			}
-			fprintf(stderr, "\n\e[0m");
-		}
-#endif /* HAVE_DLADDR */
-	}
-	free (strings);
-#endif /* HAVE_BACKTRACE */
-}
-
 /**
  * Leak report white list
  *
@@ -238,12 +155,15 @@ static void log_stack_frames(void **stack_frames, int stack_frame_count)
  * otherwise on leak report. 
  */
 char *whitelist[] = {
+	/* backtraces, including own */
+	"backtrace_create",
 	/* pthread stuff */
 	"pthread_create",
 	"pthread_setspecific",
 	/* glibc functions */
 	"mktime",
 	"__gmtime_r",
+	"localtime_r",
 	"tzset",
 	"inet_ntoa",
 	"strerror",
@@ -284,27 +204,16 @@ char *whitelist[] = {
 /**
  * check if a stack frame contains functions listed above
  */
-static bool is_whitelisted(void **stack_frames, int stack_frame_count)
+static bool is_whitelisted(backtrace_t *backtrace)
 {
-	int i, j;
-	
-#ifdef HAVE_DLADDR
-	for (i=0; i< stack_frame_count; i++)
+	int i;
+	for (i = 0; i < sizeof(whitelist)/sizeof(char*); i++)
 	{
-		Dl_info info;
-		
-		if (dladdr(stack_frames[i], &info) && info.dli_sname)
-		{	
-			for (j = 0; j < sizeof(whitelist)/sizeof(char*); j++)
-			{
-				if (streq(info.dli_sname, whitelist[j]))
-				{
-					return TRUE;
-				}
-			}
+		if (backtrace->contains_function(backtrace, whitelist[i]))
+		{
+			return TRUE;
 		}
 	}
-#endif /* HAVE_DLADDR */
 	return FALSE;
 }
 
@@ -318,7 +227,7 @@ void report_leaks()
 	
 	for (hdr = first_header.next; hdr != NULL; hdr = hdr->next)
 	{
-		if (is_whitelisted(hdr->stack_frames, hdr->stack_frame_count))
+		if (is_whitelisted(hdr->backtrace))
 		{
 			whitelisted++;
 		}
@@ -326,7 +235,7 @@ void report_leaks()
 		{
 			fprintf(stderr, "Leak (%d bytes at %p):\n", hdr->bytes, hdr + 1);
 			/* skip the first frame, contains leak detective logic */
-			log_stack_frames(hdr->stack_frames + 1, hdr->stack_frame_count - 1);
+			hdr->backtrace->log(hdr->backtrace, stderr);
 			leaks++;
 		}
 	}
@@ -403,7 +312,7 @@ void *malloc_hook(size_t bytes, const void *caller)
 	
 	hdr->magic = MEMORY_HEADER_MAGIC;
 	hdr->bytes = bytes;
-	hdr->stack_frame_count = backtrace(hdr->stack_frames, STACK_FRAMES_COUNT);
+	hdr->backtrace = backtrace_create(3);
 	tail->magic = MEMORY_TAIL_MAGIC;
 	install_hooks();
 	
@@ -426,10 +335,9 @@ void *malloc_hook(size_t bytes, const void *caller)
  */
 void free_hook(void *ptr, const void *caller)
 {
-	void *stack_frames[STACK_FRAMES_COUNT];
-	int stack_frame_count;
 	memory_header_t *hdr;
 	memory_tail_t *tail;
+    backtrace_t *backtrace;
 	pthread_t thread_id = pthread_self();
     int oldpolicy;
     struct sched_param oldparams, params;
@@ -455,8 +363,9 @@ void free_hook(void *ptr, const void *caller)
 		fprintf(stderr, "freeing invalid memory (%p): "
 				"header magic 0x%x, tail magic 0x%x:\n",
 				ptr, hdr->magic, tail->magic);
-		stack_frame_count = backtrace(stack_frames, STACK_FRAMES_COUNT);
-		log_stack_frames(stack_frames, stack_frame_count);
+		backtrace = backtrace_create(3);
+		backtrace->log(backtrace, stderr);
+		backtrace->destroy(backtrace);
 	}
 	else
 	{
@@ -466,10 +375,11 @@ void free_hook(void *ptr, const void *caller)
 			hdr->next->previous = hdr->previous;
 		}
 		hdr->previous->next = hdr->next;
-	
+		hdr->backtrace->destroy(hdr->backtrace);
+		
 		/* clear MAGIC, set mem to something remarkable */
 		memset(hdr, MEMORY_FREE_PATTERN, hdr->bytes + sizeof(memory_header_t));
-	
+		
 		free(hdr);
 	}
 	
@@ -483,9 +393,8 @@ void free_hook(void *ptr, const void *caller)
 void *realloc_hook(void *old, size_t bytes, const void *caller)
 {
 	memory_header_t *hdr;
-	void *stack_frames[STACK_FRAMES_COUNT];
-	int stack_frame_count;
 	memory_tail_t *tail;
+	backtrace_t *backtrace;
 	pthread_t thread_id = pthread_self();
     int oldpolicy;
     struct sched_param oldparams, params;
@@ -512,8 +421,9 @@ void *realloc_hook(void *old, size_t bytes, const void *caller)
 		fprintf(stderr, "reallocating invalid memory (%p): "
 				"header magic 0x%x, tail magic 0x%x:\n",
 				old, hdr->magic, tail->magic);
-		stack_frame_count = backtrace(stack_frames, STACK_FRAMES_COUNT);
-		log_stack_frames(stack_frames, stack_frame_count);
+		backtrace = backtrace_create(3);
+		backtrace->log(backtrace, stderr);
+		backtrace->destroy(backtrace);
 	}
 	/* clear tail magic, allocate, set tail magic */
 	memset(&tail->magic, MEMORY_ALLOC_PATTERN, sizeof(tail->magic));
@@ -523,7 +433,8 @@ void *realloc_hook(void *old, size_t bytes, const void *caller)
 
 	/* update statistics */
 	hdr->bytes = bytes;
-	hdr->stack_frame_count = backtrace(hdr->stack_frames, STACK_FRAMES_COUNT);
+	hdr->backtrace->destroy(hdr->backtrace);
+	hdr->backtrace = backtrace_create(3);
 
 	/* update header of linked list neighbours */
 	if (hdr->next)
diff --git a/src/libstrongswan/utils/leak_detective.h b/src/libstrongswan/utils/leak_detective.h
index 763814726..3773fb8e5 100644
--- a/src/libstrongswan/utils/leak_detective.h
+++ b/src/libstrongswan/utils/leak_detective.h
@@ -21,11 +21,6 @@
 #ifndef LEAK_DETECTIVE_H_
 #define LEAK_DETECTIVE_H_
 
-/**
- * Maximum depth stack frames to register
- */
-#define STACK_FRAMES_COUNT 20
-
 typedef struct leak_detective_t leak_detective_t;
 
 /**
diff --git a/src/libstrongswan/utils/linked_list.c b/src/libstrongswan/utils/linked_list.c
index 80c4e6f9f..068d13f99 100644
--- a/src/libstrongswan/utils/linked_list.c
+++ b/src/libstrongswan/utils/linked_list.c
@@ -14,7 +14,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: linked_list.c 3841 2008-04-18 11:48:53Z tobias $
+ * $Id: linked_list.c 4580 2008-11-05 11:55:17Z martin $
  */
 
 #include <stdlib.h>
@@ -119,21 +119,6 @@ struct private_iterator_t {
 	 * Direction of iterator.
 	 */
 	bool forward;
-	
-	/**
-	 * Mutex to use to synchronize access
-	 */
-	pthread_mutex_t *mutex;
-	
-	/**
-	 * iteration hook
-	 */
-	iterator_hook_t *hook;
-	
-	/**
-	 * user parameter for iterator hook
-	 */
-	void *hook_param;
 };
 
 typedef struct private_enumerator_t private_enumerator_t;
@@ -208,75 +193,23 @@ static int get_list_count(private_iterator_t *this)
 }
 
 /**
- * default iterator hook which does nothing
- */
-static hook_result_t iterator_hook(void *param, void *in, void **out)
-{
-	*out = in;
-	return HOOK_NEXT;
-}
-
-/**
- * Implementation of iterator_t.set_iterator_hook.
+ * Implementation of iterator_t.iterate.
  */
-static void set_iterator_hook(private_iterator_t *this, iterator_hook_t *hook,
-							  void* param)
+static bool iterate(private_iterator_t *this, void** value)
 {
-	if (hook == NULL)
+	if (this->forward)
 	{
-		this->hook = iterator_hook;
-		this->hook_param = NULL;
+		this->current = this->current ? this->current->next : this->list->first;
 	}
 	else
 	{
-		this->hook = hook;
-		this->hook_param = param;
+		this->current = this->current ? this->current->previous : this->list->last;
 	}
-}
-
-/**
- * Implementation of iterator_t.iterate.
- */
-static bool iterate(private_iterator_t *this, void** value)
-{
-	while (TRUE)
+	if (this->current == NULL)
 	{
-		if (this->forward)
-		{
-			this->current = this->current ? this->current->next : this->list->first;
-		}
-		else
-		{
-			this->current = this->current ? this->current->previous : this->list->last;
-		}
-
-		if (this->current == NULL)
-		{
-			return FALSE;
-		}
-	
-		switch (this->hook(this->hook_param, this->current->value, value))
-		{
-			case HOOK_AGAIN:
-				/* rewind */
-				if (this->forward)
-				{
-					this->current = this->current->previous;
-				}
-				else
-				{
-					this->current = this->current->next;
-				}
-				break;
-			case HOOK_NEXT:
-				/* normal iteration */
-				break;
-			case HOOK_SKIP:
-				/* advance */
-				continue;
-		}
-		break;
+		return FALSE;
 	}
+	*value = this->current->value;
 	return TRUE;
 }
 
@@ -428,10 +361,6 @@ static void insert_after(private_iterator_t *iterator, void *item)
  */
 static void iterator_destroy(private_iterator_t *this)
 {
-	if (this->mutex)
-	{
-		pthread_mutex_unlock(this->mutex);
-	}
 	free(this);
 }
 
@@ -632,7 +561,8 @@ static status_t find_first(private_linked_list_t *this, linked_list_match_t matc
 	
 	while (current)
 	{
-		if (match(current->value, d1, d2, d3, d4, d5))
+		if ((match && match(current->value, d1, d2, d3, d4, d5)) ||
+			(!match && item && current->value == *item))
 		{
 			if (item != NULL)
 			{
@@ -655,7 +585,8 @@ static status_t find_last(private_linked_list_t *this, linked_list_match_t match
 	
 	while (current)
 	{
-		if (match(current->value, d1, d2, d3, d4, d5))
+		if ((match && match(current->value, d1, d2, d3, d4, d5)) ||
+			(!match && item && current->value == *item))
 		{
 			if (item != NULL)
 			{
@@ -793,7 +724,6 @@ static iterator_t *create_iterator(private_linked_list_t *linked_list, bool forw
 	
 	this->public.get_count = (int (*) (iterator_t*)) get_list_count;
 	this->public.iterate = (bool (*) (iterator_t*, void **value)) iterate;
-	this->public.set_iterator_hook = (void(*)(iterator_t*, iterator_hook_t*, void*))set_iterator_hook;
 	this->public.insert_before = (void (*) (iterator_t*, void *item)) insert_before;
 	this->public.insert_after = (void (*) (iterator_t*, void *item)) insert_after;
 	this->public.replace = (status_t (*) (iterator_t*, void **, void *)) replace;
@@ -804,22 +734,6 @@ static iterator_t *create_iterator(private_linked_list_t *linked_list, bool forw
 	this->forward = forward;
 	this->current = NULL;
 	this->list = linked_list;
-	this->mutex = NULL;
-	this->hook = iterator_hook;
-	
-	return &this->public;
-}
-
-/**
- * Implementation of linked_list_t.create_iterator_locked.
- */
-static iterator_t *create_iterator_locked(private_linked_list_t *linked_list,
-										  pthread_mutex_t *mutex)
-{
-	private_iterator_t *this = (private_iterator_t*)create_iterator(linked_list, TRUE);
-	this->mutex = mutex;
-	
-	pthread_mutex_lock(mutex);
 	
 	return &this->public;
 }
@@ -833,7 +747,6 @@ linked_list_t *linked_list_create()
 
 	this->public.get_count = (int (*) (linked_list_t *)) get_count;
 	this->public.create_iterator = (iterator_t * (*) (linked_list_t *,bool))create_iterator;
-	this->public.create_iterator_locked = (iterator_t * (*) (linked_list_t *,pthread_mutex_t*))create_iterator_locked;
 	this->public.create_enumerator = (enumerator_t*(*)(linked_list_t*))create_enumerator;
 	this->public.get_first = (status_t (*) (linked_list_t *, void **item))get_first;
 	this->public.get_last = (status_t (*) (linked_list_t *, void **item))get_last;
diff --git a/src/libstrongswan/utils/linked_list.h b/src/libstrongswan/utils/linked_list.h
index 310e91e3c..ba47e7dfb 100644
--- a/src/libstrongswan/utils/linked_list.h
+++ b/src/libstrongswan/utils/linked_list.h
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2007-2008 Tobias Brunner
- * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005-2008 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
  *
@@ -14,7 +14,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: linked_list.h 3841 2008-04-18 11:48:53Z tobias $
+ * $Id: linked_list.h 4576 2008-11-05 08:32:38Z martin $
  */
  
 /**
@@ -27,13 +27,10 @@
 
 typedef struct linked_list_t linked_list_t;
 
-#include <pthread.h>
-
 #include <library.h>
 #include <utils/iterator.h>
 #include <utils/enumerator.h>
 
-
 /**
  * Method to match elements in a linked list (used in find_* functions)
  *
@@ -80,18 +77,6 @@ struct linked_list_t {
 	 */
 	iterator_t *(*create_iterator) (linked_list_t *this, bool forward);
 	
-	/**
-	 * Creates a iterator, locking a mutex.
-	 *
-	 * The supplied mutex is acquired immediately, and released
-	 * when the iterator gets destroyed.
-	 * 
-	 * @param mutex 	mutex to use for exclusive access
-	 * @return			new iterator_t object
-	 */
-	iterator_t *(*create_iterator_locked) (linked_list_t *this,
-										   pthread_mutex_t *mutex);
-	
 	/**
 	 * Create an enumerator over the list.
 	 *
@@ -130,7 +115,7 @@ struct linked_list_t {
 	 * If a compare function is given, it is called for each item, where
 	 * the first parameter is the current list item and the second parameter
 	 * is the supplied item parameter.
-	 * If compare is NULL, compare is is done by pointer.
+	 * If compare is NULL, compare is done by pointer.
 	 *
 	 * @param item		item to remove/pass to comparator
 	 * @param compare	compare function, or NULL
@@ -179,10 +164,12 @@ struct linked_list_t {
 	 * If the supplied function returns TRUE this function returns SUCCESS, and
 	 * the current object is returned in the third parameter, otherwise,
 	 * the next item is checked.
+	 *
+	 * If match is NULL, *item and the current object are compared.
 	 * 
 	 * @warning Only use pointers as user supplied data.
 	 *
-	 * @param match			comparison function to call on each object
+	 * @param match			comparison function to call on each object, or NULL
 	 * @param item			the list item, if found
 	 * @param ...			user data to supply to match function (limited to 5 arguments)
 	 * @return				SUCCESS if found, NOT_FOUND otherwise
@@ -198,9 +185,11 @@ struct linked_list_t {
 	 * the current object is returned in the third parameter, otherwise,
 	 * the next item is checked.
 	 * 
+	 * If match is NULL, *item and the current object are compared.
+	 * 
 	 * @warning Only use pointers as user supplied data.
 	 *
-	 * @param match			comparison function to call on each object
+	 * @param match			comparison function to call on each object, or NULL
 	 * @param item			the list item, if found
 	 * @param ...			user data to supply to match function (limited to 5 arguments)
 	 * @return				SUCCESS if found, NOT_FOUND otherwise
diff --git a/src/libstrongswan/utils/mutex.c b/src/libstrongswan/utils/mutex.c
index 425389b4f..ddb0d2df6 100644
--- a/src/libstrongswan/utils/mutex.c
+++ b/src/libstrongswan/utils/mutex.c
@@ -12,24 +12,92 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: mutex.c 3589 2008-03-13 14:14:44Z martin $
+ * $Id: mutex.c 4591 2008-11-05 16:12:54Z martin $
  */
 
-#include "mutex.h"
-
-#include <library.h>
-#include <debug.h>
-
+#define _GNU_SOURCE
 #include <pthread.h>
 #include <sys/time.h>
+#include <stdint.h>
 #include <time.h>
 #include <errno.h>
 
+#include "mutex.h"
+
+#include <library.h>
+#include <debug.h>
 
 typedef struct private_mutex_t private_mutex_t;
-typedef struct private_n_mutex_t private_n_mutex_t;
 typedef struct private_r_mutex_t private_r_mutex_t;
 typedef struct private_condvar_t private_condvar_t;
+typedef struct private_rwlock_t private_rwlock_t;
+
+#ifdef LOCK_PROFILER
+
+/**
+ * Do not report mutexes with an overall waiting time smaller than this (in us)
+ */
+#define PROFILE_TRESHHOLD 1000
+
+#include <utils/backtrace.h>
+
+typedef struct lock_profile_t lock_profile_t;
+
+struct lock_profile_t {
+
+	/**
+	 * how long threads have waited for the lock in this mutex so far
+	 */
+	struct timeval waited;
+	
+	/**
+	 * backtrace where mutex has been created
+	 */
+	backtrace_t *backtrace;
+};
+
+/**
+ * Print and cleanup mutex profiler
+ */
+static void profiler_cleanup(lock_profile_t *profile)
+{
+	if (profile->waited.tv_sec > 0 ||
+		profile->waited.tv_usec > PROFILE_TRESHHOLD)
+	{
+		fprintf(stderr, "%d.%06ds in lock created at:",
+				profile->waited.tv_sec, profile->waited.tv_usec);
+		profile->backtrace->log(profile->backtrace, stderr);
+	}
+	profile->backtrace->destroy(profile->backtrace);
+}
+
+/**
+ * Initialize mutex profiler
+ */
+static void profiler_init(lock_profile_t *profile)
+{
+	profile->backtrace = backtrace_create(3);
+	timerclear(&profile->waited);
+}
+
+#define profiler_start(profile) { \
+	struct timeval _start, _end, _diff; \
+	gettimeofday(&_start, NULL);
+	
+#define profiler_end(profile) \
+	gettimeofday(&_end, NULL); \
+	timersub(&_end, &_start, &_diff); \
+	timeradd(&(profile)->waited, &_diff, &(profile)->waited); }
+
+#else /* !LOCK_PROFILER */
+
+#define lock_profile_t struct {}
+#define profiler_cleanup(...) {}
+#define profiler_init(...) {}
+#define profiler_start(...) {}
+#define profiler_end(...) {}
+
+#endif /* LOCK_PROFILER */
 
 /**
  * private data of mutex
@@ -45,6 +113,16 @@ struct private_mutex_t {
 	 * wrapped pthread mutex
 	 */
 	pthread_mutex_t mutex;
+	
+	/**
+	 * is this a recursiv emutex, implementing private_r_mutex_t?
+	 */
+	bool recursive;
+	
+	/**
+	 * profiling info, if enabled
+	 */
+	lock_profile_t profile;
 };
 
 /**
@@ -53,7 +131,7 @@ struct private_mutex_t {
 struct private_r_mutex_t {
 
 	/**
-	 * public functions
+	 * Extends private_mutex_t
 	 */
 	private_mutex_t generic;
 	
@@ -63,9 +141,9 @@ struct private_r_mutex_t {
 	pthread_t thread;
 	
 	/**
-	 * times we have locked the lock
+	 * times we have locked the lock, stored per thread
 	 */
-	int times;
+	pthread_key_t times;
 };
 
 /**
@@ -84,15 +162,38 @@ struct private_condvar_t {
 	pthread_cond_t condvar;
 };
 
+/**
+ * private data of rwlock
+ */
+struct private_rwlock_t {
+
+	/**
+	 * public functions
+	 */
+	rwlock_t public;
+	
+	/**
+	 * wrapped pthread rwlock
+	 */
+	pthread_rwlock_t rwlock;
+	
+	/**
+	 * profiling info, if enabled
+	 */
+	lock_profile_t profile;
+};
+
 /**
  * Implementation of mutex_t.lock.
  */
 static void lock(private_mutex_t *this)
 {
+	profiler_start(&this->profile);
 	if (pthread_mutex_lock(&this->mutex))
 	{
 		DBG1("!!!! MUTEX %sLOCK ERROR, your code is buggy !!!", "");
 	}
+	profiler_end(&this->profile);
 }
 
 /**
@@ -115,12 +216,19 @@ static void lock_r(private_r_mutex_t *this)
 
 	if (this->thread == self)
 	{
-		this->times++;
-		return;
+		uintptr_t times;
+		
+		/* times++ */
+		times = (uintptr_t)pthread_getspecific(this->times);
+		pthread_setspecific(this->times, (void*)times + 1);
+	}
+	else
+	{
+		lock(&this->generic);
+		this->thread = self;
+		/* times = 1 */
+		pthread_setspecific(this->times, (void*)1);
 	}
-	lock(&this->generic);
-	this->thread = self;
-	this->times = 1;
 }
 
 /**
@@ -128,7 +236,13 @@ static void lock_r(private_r_mutex_t *this)
  */
 static void unlock_r(private_r_mutex_t *this)
 {
-	if (--this->times == 0)
+	uintptr_t times;
+
+	/* times-- */
+	times = (uintptr_t)pthread_getspecific(this->times);
+	pthread_setspecific(this->times, (void*)--times);
+	
+	if (times == 0)
 	{
 		this->thread = 0;
 		unlock(&this->generic);
@@ -140,10 +254,22 @@ static void unlock_r(private_r_mutex_t *this)
  */
 static void mutex_destroy(private_mutex_t *this)
 {
+	profiler_cleanup(&this->profile);
 	pthread_mutex_destroy(&this->mutex);
 	free(this);
 }
 
+/**
+ * Implementation of mutex_t.destroy for recursive mutex'
+ */
+static void mutex_destroy_r(private_r_mutex_t *this)
+{
+	profiler_cleanup(&this->generic.profile);
+	pthread_mutex_destroy(&this->generic.mutex);
+	pthread_key_delete(this->times);
+	free(this);
+}
+
 /*
  * see header file
  */
@@ -154,15 +280,17 @@ mutex_t *mutex_create(mutex_type_t type)
 		case MUTEX_RECURSIVE:
 		{
 			private_r_mutex_t *this = malloc_thing(private_r_mutex_t);
-	
+			
 			this->generic.public.lock = (void(*)(mutex_t*))lock_r;
 			this->generic.public.unlock = (void(*)(mutex_t*))unlock_r;
-			this->generic.public.destroy = (void(*)(mutex_t*))mutex_destroy;	
-	
+			this->generic.public.destroy = (void(*)(mutex_t*))mutex_destroy_r;	
+			
 			pthread_mutex_init(&this->generic.mutex, NULL);
+			pthread_key_create(&this->times, NULL);
+			this->generic.recursive = TRUE;
+			profiler_init(&this->generic.profile);
 			this->thread = 0;
-			this->times = 0;
-	
+			
 			return &this->generic.public;
 		}
 		case MUTEX_DEFAULT:
@@ -173,9 +301,11 @@ mutex_t *mutex_create(mutex_type_t type)
 			this->public.lock = (void(*)(mutex_t*))lock;
 			this->public.unlock = (void(*)(mutex_t*))unlock;
 			this->public.destroy = (void(*)(mutex_t*))mutex_destroy;
-		
+			
 			pthread_mutex_init(&this->mutex, NULL);
-		
+			this->recursive = FALSE;
+			profiler_init(&this->profile);
+			
 			return &this->public;
 		}
 	}
@@ -186,7 +316,19 @@ mutex_t *mutex_create(mutex_type_t type)
  */
 static void wait(private_condvar_t *this, private_mutex_t *mutex)
 {
-	pthread_cond_wait(&this->condvar, &mutex->mutex);
+	if (mutex->recursive)
+	{
+		private_r_mutex_t* recursive = (private_r_mutex_t*)mutex;
+		
+		/* mutex owner gets cleared during condvar wait */
+		recursive->thread = 0;
+		pthread_cond_wait(&this->condvar, &mutex->mutex);
+		recursive->thread = pthread_self();
+	}
+	else
+	{
+		pthread_cond_wait(&this->condvar, &mutex->mutex);
+	}
 }
 
 /**
@@ -198,6 +340,7 @@ static bool timed_wait(private_condvar_t *this, private_mutex_t *mutex,
 	struct timespec ts;
 	struct timeval tv;
 	u_int s, ms;
+	bool timed_out;
 	
 	gettimeofday(&tv, NULL);
 	
@@ -211,8 +354,21 @@ static bool timed_wait(private_condvar_t *this, private_mutex_t *mutex,
 		ts.tv_nsec -= 1000000000;
 		ts.tv_sec++;
 	}
-	return (pthread_cond_timedwait(&this->condvar, &mutex->mutex,
-								   &ts) == ETIMEDOUT);
+	if (mutex->recursive)
+	{
+		private_r_mutex_t* recursive = (private_r_mutex_t*)mutex;
+		
+		recursive->thread = 0;
+		timed_out = pthread_cond_timedwait(&this->condvar, &mutex->mutex,
+										   &ts) == ETIMEDOUT;
+		recursive->thread = pthread_self();
+	}
+	else
+	{
+		timed_out = pthread_cond_timedwait(&this->condvar, &mutex->mutex,
+										   &ts) == ETIMEDOUT;
+	}
+	return timed_out;
 }
 
 /**
@@ -265,3 +421,75 @@ condvar_t *condvar_create(condvar_type_t type)
 	}
 }
 
+/**
+ * Implementation of rwlock_t.read_lock
+ */
+static void read_lock(private_rwlock_t *this)
+{
+	profiler_start(&this->profile);
+	pthread_rwlock_rdlock(&this->rwlock);
+	profiler_end(&this->profile);
+}
+
+/**
+ * Implementation of rwlock_t.write_lock
+ */
+static void write_lock(private_rwlock_t *this)
+{
+	profiler_start(&this->profile);
+	pthread_rwlock_wrlock(&this->rwlock);
+	profiler_end(&this->profile);
+}
+
+/**
+ * Implementation of rwlock_t.try_write_lock
+ */
+static bool try_write_lock(private_rwlock_t *this)
+{
+	return pthread_rwlock_trywrlock(&this->rwlock) == 0;
+}
+
+/**
+ * Implementation of rwlock_t.unlock
+ */
+static void rw_unlock(private_rwlock_t *this)
+{
+	pthread_rwlock_unlock(&this->rwlock);
+}
+
+/**
+ * Implementation of rwlock_t.destroy
+ */
+static void rw_destroy(private_rwlock_t *this)
+{
+	pthread_rwlock_destroy(&this->rwlock);
+	profiler_cleanup(&this->profile);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+rwlock_t *rwlock_create(rwlock_type_t type)
+{
+	switch (type)
+	{
+		case RWLOCK_DEFAULT:
+		default:
+		{
+			private_rwlock_t *this = malloc_thing(private_rwlock_t);
+			
+			this->public.read_lock = (void(*)(rwlock_t*))read_lock;
+			this->public.write_lock = (void(*)(rwlock_t*))write_lock;
+			this->public.try_write_lock = (bool(*)(rwlock_t*))try_write_lock;
+			this->public.unlock = (void(*)(rwlock_t*))rw_unlock;
+			this->public.destroy = (void(*)(rwlock_t*))rw_destroy;
+			
+			pthread_rwlock_init(&this->rwlock, NULL);
+			profiler_init(&this->profile);
+			
+			return &this->public;
+		}
+	}
+}
+
diff --git a/src/libstrongswan/utils/mutex.h b/src/libstrongswan/utils/mutex.h
index cf557c35c..a0a198024 100644
--- a/src/libstrongswan/utils/mutex.h
+++ b/src/libstrongswan/utils/mutex.h
@@ -23,8 +23,10 @@
 
 typedef struct mutex_t mutex_t;
 typedef struct condvar_t condvar_t;
+typedef struct rwlock_t rwlock_t;
 typedef enum mutex_type_t mutex_type_t;
 typedef enum condvar_type_t condvar_type_t;
+typedef enum rwlock_type_t rwlock_type_t;
 
 #include <library.h>
 
@@ -46,6 +48,14 @@ enum condvar_type_t {
 	CONDVAR_DEFAULT	= 0,
 };
 
+/**
+ * Type of read-write lock.
+ */
+enum rwlock_type_t {
+	/** default condvar */
+	RWLOCK_DEFAULT	= 0,
+};
+
 /**
  * Mutex wrapper implements simple, portable and advanced mutex functions.
  */
@@ -104,6 +114,41 @@ struct condvar_t {
 	void (*destroy)(condvar_t *this);
 };
 
+/**
+ * Read-Write lock wrapper.
+ */
+struct rwlock_t {
+
+	/**
+	 * Acquire the read lock.
+	 */
+	void (*read_lock)(rwlock_t *this);
+	
+	/**
+	 * Acquire the write lock.
+	 */
+	void (*write_lock)(rwlock_t *this);
+	
+	/**
+	 * Try to acquire the write lock.
+	 *
+	 * Never blocks, but returns FALSE if the lock was already occupied.
+	 *
+	 * @return		TRUE if lock acquired
+	 */
+	bool (*try_write_lock)(rwlock_t *this);	
+	
+	/**
+	 * Release any acquired lock.
+	 */
+	void (*unlock)(rwlock_t *this);
+	
+	/**
+	 * Destroy the read-write lock.
+	 */
+	void (*destroy)(rwlock_t *this);
+};
+
 /**
  * Create a mutex instance.
  *
@@ -120,4 +165,12 @@ mutex_t *mutex_create(mutex_type_t type);
  */
 condvar_t *condvar_create(condvar_type_t type);
 
+/**
+ * Create a read-write lock instance.
+ *
+ * @param type		type of rwlock to create
+ * @return			unlocked rwlock instance
+ */
+rwlock_t *rwlock_create(rwlock_type_t type);
+
 #endif /* MUTEX_H_ @}*/
diff --git a/src/pluto/ac.c b/src/pluto/ac.c
index 77e0b40bb..6745ff484 100644
--- a/src/pluto/ac.c
+++ b/src/pluto/ac.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: ac.c 3686 2008-03-28 11:48:14Z martin $
+ * RCSID $Id: ac.c 4632 2008-11-11 18:37:19Z martin $
  */
 
 #include <stdlib.h>
@@ -860,7 +860,7 @@ load_acerts(void)
 	}
     }
     /* restore directory path */
-    chdir(save_dir);
+    ignore_result(chdir(save_dir));
 }
 
 /*
diff --git a/src/pluto/ca.c b/src/pluto/ca.c
index 099699056..70b26c32c 100644
--- a/src/pluto/ca.c
+++ b/src/pluto/ca.c
@@ -11,7 +11,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: ca.c 3252 2007-10-06 21:24:50Z andreas $
+ * RCSID $Id: ca.c 4632 2008-11-11 18:37:19Z martin $
  */
 
 #include <stdlib.h>
@@ -295,7 +295,7 @@ load_authcerts(const char *type, const char *path, u_char auth_flags)
 	}
     }
     /* restore directory path */
-    chdir(save_dir);
+    ignore_result(chdir(save_dir));
 }
 
 /*
diff --git a/src/pluto/constants.c b/src/pluto/constants.c
index ca548afab..50a75c0aa 100644
--- a/src/pluto/constants.c
+++ b/src/pluto/constants.c
@@ -11,7 +11,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: constants.c 3839 2008-04-18 11:25:37Z andreas $
+ * RCSID $Id: constants.c 4612 2008-11-11 06:37:37Z andreas $
  */
 
 /*
@@ -517,6 +517,8 @@ const char *const sa_policy_bit_names[] = {
 	"DONTREAUTH",
 	"BEET",
 	"MOBIKE",
+	"ECDSA",
+	"PROXY",
 	NULL
     };
 
diff --git a/src/pluto/constants.h b/src/pluto/constants.h
index e6357164f..409dd1d61 100644
--- a/src/pluto/constants.h
+++ b/src/pluto/constants.h
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: constants.h 4051 2008-06-10 09:08:27Z tobias $
+ * RCSID $Id: constants.h 4612 2008-11-11 06:37:37Z andreas $
  */
 
 #ifndef _CONSTANTS_H
@@ -279,7 +279,7 @@ extern const char sparse_end[];
 	"4009438B 481C6CD7 889A002E D5EE382B C9190DA6 FC026E47" \
 	"9558E447 5677E9AA 9E3050E2 765694DF C81F56E8 80B96E71" \
 	"60C980DD 98EDD3DF FFFFFFFF FFFFFFFF"
-#define LOCALSECRETSIZE		(256 / BITS_PER_BYTE)
+#define LOCALSECRETSIZE		(512 / BITS_PER_BYTE)
 
 /* limits on nonce sizes.  See RFC2409 "The internet key exchange (IKE)" 5 */
 #define MINIMUM_NONCE_SIZE	8	/* bytes */
@@ -877,7 +877,8 @@ extern const char *prettypolicy(lset_t policy);
 #define POLICY_BEET		LELEM(22)	/* bound end2end tunnel, IKEv2 */
 #define POLICY_MOBIKE		LELEM(23)	/* enable MOBIKE for IKEv2  */
 #define POLICY_FORCE_ENCAP	LELEM(24)	/* force UDP encapsulation (IKEv2)  */
-#define POLICY_ECDSASIG	LELEM(25)   /* ecdsa signature (IKEv2) */
+#define POLICY_ECDSASIG		LELEM(25)	/* ECDSA signature (IKEv2) */
+#define POLICY_PROXY		LELEM(26)	/* proxy transport mode (MIPv6) */
 
 /* Any IPsec policy?  If not, a connection description
  * is only for ISAKMP SA, not IPSEC SA.  (A pun, I admit.)
diff --git a/src/pluto/crl.c b/src/pluto/crl.c
index 6e1093661..c891d19e6 100644
--- a/src/pluto/crl.c
+++ b/src/pluto/crl.c
@@ -11,7 +11,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: crl.c 3686 2008-03-28 11:48:14Z martin $
+ * RCSID $Id: crl.c 4632 2008-11-11 18:37:19Z martin $
  */
 
 #include <stdlib.h>
@@ -373,7 +373,7 @@ load_crls(void)
 	}
     }
     /* restore directory path */
-    chdir(save_dir);
+    ignore_result(chdir(save_dir));
 }
 
 /*
diff --git a/src/pluto/defs.c b/src/pluto/defs.c
index 5b9defb60..f2c1eab48 100644
--- a/src/pluto/defs.c
+++ b/src/pluto/defs.c
@@ -11,7 +11,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: defs.c 3252 2007-10-06 21:24:50Z andreas $
+ * RCSID $Id: defs.c 4632 2008-11-11 18:37:19Z martin $
  */
 
 #include <stdlib.h>
@@ -249,6 +249,7 @@ write_chunk(const char *filename, const char *label, chunk_t ch
 {
     mode_t oldmask;
     FILE *fd;
+    size_t written;
 
     if (!force)
     {
@@ -268,8 +269,14 @@ write_chunk(const char *filename, const char *label, chunk_t ch
 
     if (fd)
     {
-	fwrite(ch.ptr, sizeof(u_char), ch.len, fd);
+	written = fwrite(ch.ptr, sizeof(u_char), ch.len, fd);
 	fclose(fd);
+	if (written != ch.len)
+	{
+	    plog("  writing to %s file '%s' failed", label, filename);
+	    umask(oldmask);
+	    return FALSE;
+	}
 	plog("  written %s file '%s' (%d bytes)", label, filename, (int)ch.len);
 	umask(oldmask);
 	return TRUE;
diff --git a/src/pluto/fetch.c b/src/pluto/fetch.c
index cd8b58df2..c8a98cd9b 100644
--- a/src/pluto/fetch.c
+++ b/src/pluto/fetch.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: fetch.c 3686 2008-03-28 11:48:14Z martin $
+ * RCSID $Id: fetch.c 4632 2008-11-11 18:37:19Z martin $
  */
 
 #include <stdlib.h>
@@ -324,7 +324,7 @@ fetch_curl(char *url, chunk_t *blob)
 	curl_easy_setopt(curl, CURLOPT_URL, url);
 	curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, write_buffer);
 	curl_easy_setopt(curl, CURLOPT_WRITEDATA, (void *)&response);
-	curl_easy_setopt(curl, CURLOPT_ERRORBUFFER, &errorbuffer);
+	curl_easy_setopt(curl, CURLOPT_ERRORBUFFER, errorbuffer);
 	curl_easy_setopt(curl, CURLOPT_FAILONERROR, TRUE);
 	curl_easy_setopt(curl, CURLOPT_CONNECTTIMEOUT, FETCH_CMD_TIMEOUT);
 
@@ -705,9 +705,9 @@ fetch_ocsp_status(ocsp_location_t* location)
 	curl_easy_setopt(curl, CURLOPT_URL, uri);
 	curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, write_buffer);
 	curl_easy_setopt(curl, CURLOPT_WRITEDATA, (void *)&response);
-	curl_easy_setopt(curl, CURLOPT_POSTFIELDS, request.ptr);
+	curl_easy_setopt(curl, CURLOPT_POSTFIELDS, (void*)request.ptr);
 	curl_easy_setopt(curl, CURLOPT_POSTFIELDSIZE, request.len);
-	curl_easy_setopt(curl, CURLOPT_ERRORBUFFER, &errorbuffer);
+	curl_easy_setopt(curl, CURLOPT_ERRORBUFFER, errorbuffer);
 	curl_easy_setopt(curl, CURLOPT_FAILONERROR, TRUE);
 	curl_easy_setopt(curl, CURLOPT_CONNECTTIMEOUT, FETCH_CMD_TIMEOUT);
 
diff --git a/src/pluto/vendor.c b/src/pluto/vendor.c
index 1db4027d1..e4fda0f1f 100644
--- a/src/pluto/vendor.c
+++ b/src/pluto/vendor.c
@@ -11,7 +11,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: vendor.c 4348 2008-09-18 00:42:22Z andreas $
+ * RCSID $Id: vendor.c 4426 2008-10-14 01:53:37Z andreas $
  */
 
 #include <stdlib.h>
@@ -206,7 +206,8 @@ static struct vid_struct _vid_tab[] = {
 	/*
 	 * strongSwan
 	 */
-	DEC_MD5_VID(STRONGSWAN,       "strongSwan 4.2.8")
+	DEC_MD5_VID(STRONGSWAN,       "strongSwan 4.2.9")
+	DEC_MD5_VID(STRONGSWAN_4_2_8, "strongSwan 4.2.8")
 	DEC_MD5_VID(STRONGSWAN_4_2_7, "strongSwan 4.2.7")
 	DEC_MD5_VID(STRONGSWAN_4_2_6, "strongSwan 4.2.6")
 	DEC_MD5_VID(STRONGSWAN_4_2_5, "strongSwan 4.2.5")
diff --git a/src/pluto/vendor.h b/src/pluto/vendor.h
index cf6b68e51..819dbd99d 100644
--- a/src/pluto/vendor.h
+++ b/src/pluto/vendor.h
@@ -11,7 +11,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: vendor.h 4348 2008-09-18 00:42:22Z andreas $
+ * RCSID $Id: vendor.h 4426 2008-10-14 01:53:37Z andreas $
  */
 
 #ifndef _VENDOR_H_
@@ -124,6 +124,7 @@ enum known_vendorid {
   VID_STRONGSWAN_4_2_5		=105,
   VID_STRONGSWAN_4_2_6		=106,
   VID_STRONGSWAN_4_2_7		=107,
+  VID_STRONGSWAN_4_2_8		=108,
 
   /* 101 - 200 : NAT-Traversal */
   VID_NATT_STENBERG_01		=151,
diff --git a/src/scepclient/scep.c b/src/scepclient/scep.c
index 0c1265918..1b01044df 100644
--- a/src/scepclient/scep.c
+++ b/src/scepclient/scep.c
@@ -522,7 +522,7 @@ scep_http_request(const char *url, chunk_t pkcs7, scep_op_t op
 	    headers = curl_slist_append(headers, "Content-Type:");
 	    headers = curl_slist_append(headers, "Expect:");
 	    curl_easy_setopt(curl, CURLOPT_HTTPHEADER, headers); 
-	    curl_easy_setopt(curl, CURLOPT_POSTFIELDS, pkcs7.ptr);
+	    curl_easy_setopt(curl, CURLOPT_POSTFIELDS, (char*)pkcs7.ptr);
 	    curl_easy_setopt(curl, CURLOPT_POSTFIELDSIZE, pkcs7.len);
 	}
     }
diff --git a/src/starter/Makefile.am b/src/starter/Makefile.am
index e6346a585..5ee614f1b 100644
--- a/src/starter/Makefile.am
+++ b/src/starter/Makefile.am
@@ -1,13 +1,13 @@
 ipsec_PROGRAMS = starter
 starter_SOURCES = y.tab.c netkey.c y.tab.h parser.h args.h netkey.h \
 starterwhack.c starterwhack.h starterstroke.c invokepluto.c confread.c \
-starterstroke.h interfaces.c invokepluto.h confread.h  interfaces.h args.c \
+starterstroke.h interfaces.c invokepluto.h confread.h interfaces.h args.c \
 keywords.c files.h keywords.h cmp.c starter.c cmp.h exec.c invokecharon.c \
-exec.h invokecharon.h lex.yy.c loglite.c
+exec.h invokecharon.h lex.yy.c loglite.c klips.c klips.h
 
 INCLUDES = -I$(top_srcdir)/src/libfreeswan -I$(top_srcdir)/src/pluto -I$(top_srcdir)/src/whack -I$(top_srcdir)/src/stroke
 AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" -DIPSEC_CONFDIR=\"${confdir}\" -DIPSEC_PIDDIR=\"${piddir}\" -DIPSEC_EAPDIR=\"${eapdir}\" -DDEBUG
-starter_LDADD = defs.o $(top_srcdir)/src/libfreeswan/libfreeswan.a
+starter_LDADD = defs.o $(top_builddir)/src/libfreeswan/libfreeswan.a
 EXTRA_DIST = parser.l parser.y keywords.txt ipsec.conf
 dist_man_MANS = ipsec.conf.5 starter.8
 MAINTAINERCLEANFILES = lex.yy.c y.tab.c y.tab.h keywords.c
@@ -15,17 +15,17 @@ MAINTAINERCLEANFILES = lex.yy.c y.tab.c y.tab.h keywords.c
 PLUTODIR=$(top_srcdir)/src/pluto
 SCEPCLIENTDIR=$(top_srcdir)/src/scepclient
 
-lex.yy.c:	y.tab.c parser.l parser.y parser.h
-		$(LEX) --nounput parser.l 
+lex.yy.c:	parser.l parser.y parser.h y.tab.c
+		$(LEX) --nounput $< 
 
-y.tab.c:	parser.l parser.y parser.h
-		$(YACC) -v -d parser.y
+y.tab.c:	parser.y parser.l parser.h
+		$(YACC) -v -d $<
 
-y.tab.h:	parser.l parser.y parser.h
-		$(YACC) -v -d parser.y
+y.tab.h:	parser.y parser.l parser.h
+		$(YACC) -v -d $<
 
 keywords.c:	keywords.txt keywords.h
-		$(GPERF) -C -G -t < keywords.txt > keywords.c
+		$(GPERF) -C -G -t < $< > $@
 
 defs.o:		$(PLUTODIR)/defs.c $(PLUTODIR)/defs.h
 		$(COMPILE) -c -o $@ $<
diff --git a/src/starter/Makefile.in b/src/starter/Makefile.in
index 4150a60e7..446edf8c5 100644
--- a/src/starter/Makefile.in
+++ b/src/starter/Makefile.in
@@ -51,10 +51,10 @@ am_starter_OBJECTS = y.tab.$(OBJEXT) netkey.$(OBJEXT) \
 	invokepluto.$(OBJEXT) confread.$(OBJEXT) interfaces.$(OBJEXT) \
 	args.$(OBJEXT) keywords.$(OBJEXT) cmp.$(OBJEXT) \
 	starter.$(OBJEXT) exec.$(OBJEXT) invokecharon.$(OBJEXT) \
-	lex.yy.$(OBJEXT) loglite.$(OBJEXT)
+	lex.yy.$(OBJEXT) loglite.$(OBJEXT) klips.$(OBJEXT)
 starter_OBJECTS = $(am_starter_OBJECTS)
 starter_DEPENDENCIES = defs.o \
-	$(top_srcdir)/src/libfreeswan/libfreeswan.a
+	$(top_builddir)/src/libfreeswan/libfreeswan.a
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
@@ -214,13 +214,13 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 starter_SOURCES = y.tab.c netkey.c y.tab.h parser.h args.h netkey.h \
 starterwhack.c starterwhack.h starterstroke.c invokepluto.c confread.c \
-starterstroke.h interfaces.c invokepluto.h confread.h  interfaces.h args.c \
+starterstroke.h interfaces.c invokepluto.h confread.h interfaces.h args.c \
 keywords.c files.h keywords.h cmp.c starter.c cmp.h exec.c invokecharon.c \
-exec.h invokecharon.h lex.yy.c loglite.c
+exec.h invokecharon.h lex.yy.c loglite.c klips.c klips.h
 
 INCLUDES = -I$(top_srcdir)/src/libfreeswan -I$(top_srcdir)/src/pluto -I$(top_srcdir)/src/whack -I$(top_srcdir)/src/stroke
 AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" -DIPSEC_CONFDIR=\"${confdir}\" -DIPSEC_PIDDIR=\"${piddir}\" -DIPSEC_EAPDIR=\"${eapdir}\" -DDEBUG
-starter_LDADD = defs.o $(top_srcdir)/src/libfreeswan/libfreeswan.a
+starter_LDADD = defs.o $(top_builddir)/src/libfreeswan/libfreeswan.a
 EXTRA_DIST = parser.l parser.y keywords.txt ipsec.conf
 dist_man_MANS = ipsec.conf.5 starter.8
 MAINTAINERCLEANFILES = lex.yy.c y.tab.c y.tab.h keywords.c
@@ -305,6 +305,7 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/invokecharon.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/invokepluto.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/keywords.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/klips.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/lex.yy.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/loglite.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/netkey.Po@am__quote@
@@ -615,17 +616,17 @@ uninstall-man: uninstall-man5 uninstall-man8
 	uninstall-man8
 
 
-lex.yy.c:	y.tab.c parser.l parser.y parser.h
-		$(LEX) --nounput parser.l 
+lex.yy.c:	parser.l parser.y parser.h y.tab.c
+		$(LEX) --nounput $< 
 
-y.tab.c:	parser.l parser.y parser.h
-		$(YACC) -v -d parser.y
+y.tab.c:	parser.y parser.l parser.h
+		$(YACC) -v -d $<
 
-y.tab.h:	parser.l parser.y parser.h
-		$(YACC) -v -d parser.y
+y.tab.h:	parser.y parser.l parser.h
+		$(YACC) -v -d $<
 
 keywords.c:	keywords.txt keywords.h
-		$(GPERF) -C -G -t < keywords.txt > keywords.c
+		$(GPERF) -C -G -t < $< > $@
 
 defs.o:		$(PLUTODIR)/defs.c $(PLUTODIR)/defs.h
 		$(COMPILE) -c -o $@ $<
diff --git a/src/starter/args.c b/src/starter/args.c
index 7af3b6310..c09bea986 100644
--- a/src/starter/args.c
+++ b/src/starter/args.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: args.c 4276 2008-08-22 10:44:51Z martin $
+ * RCSID $Id: args.c 4612 2008-11-11 06:37:37Z andreas $
  */
 
 #include <stddef.h>
@@ -199,6 +199,7 @@ static const token_info_t token_info[] =
     { ARG_MISC, 0, NULL  /* KW_TYPE */                                             },
     { ARG_MISC, 0, NULL  /* KW_PFS */                                              },
     { ARG_MISC, 0, NULL  /* KW_COMPRESS */                                         },
+    { ARG_ENUM, offsetof(starter_conn_t, install_policy), LST_bool                 },
     { ARG_MISC, 0, NULL  /* KW_AUTH */                                             },
     { ARG_MISC, 0, NULL  /* KW_AUTHBY */                                           },
     { ARG_MISC, 0, NULL  /* KW_EAP */                                              },
diff --git a/src/starter/confread.c b/src/starter/confread.c
index 959a98b77..1560266c1 100644
--- a/src/starter/confread.c
+++ b/src/starter/confread.c
@@ -11,7 +11,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: confread.c 4269 2008-08-21 12:10:07Z martin $
+ * RCSID $Id: confread.c 4612 2008-11-11 06:37:37Z andreas $
  */
 
 #include <stddef.h>
@@ -79,6 +79,7 @@ static void default_values(starter_config_t *cfg)
 	cfg->conn_default.sa_keying_tries       = SA_REPLACEMENT_RETRIES_DEFAULT;
 	cfg->conn_default.addr_family           = AF_INET;
 	cfg->conn_default.tunnel_addr_family    = AF_INET;
+	cfg->conn_default.install_policy	= TRUE;
 	cfg->conn_default.dpd_delay		=  30; /* seconds */
 	cfg->conn_default.dpd_timeout		= 150; /* seconds */
 
@@ -497,15 +498,29 @@ load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg)
 		case KW_TYPE:
 			conn->policy &= ~(POLICY_TUNNEL | POLICY_SHUNT_MASK);
 			if (streq(kw->value, "tunnel"))
+			{
 				conn->policy |= POLICY_TUNNEL;
+			}
 			else if (streq(kw->value, "beet"))
+			{
 				conn->policy |= POLICY_BEET;
+			}
+			else if (streq(kw->value, "transport_proxy"))
+			{
+				conn->policy |= POLICY_PROXY;			
+			}	
 			else if (streq(kw->value, "passthrough") || streq(kw->value, "pass"))
+			{
 				conn->policy |= POLICY_SHUNT_PASS;
+			}
 			else if (streq(kw->value, "drop"))
+			{
 				conn->policy |= POLICY_SHUNT_DROP;
+			}
 			else if (streq(kw->value, "reject"))
+			{
 				conn->policy |= POLICY_SHUNT_REJECT;
+			}
 			else if (strcmp(kw->value, "transport") != 0)
 			{
 				plog("# bad policy value: %s=%s", kw->entry->name, kw->value);
@@ -530,21 +545,33 @@ load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg)
 				char *second = strchr(kw->value, '|');
 
 				if (second != NULL)
+				{
 					*second = '\0';
+				}
 
 				/* also handles the cases secret|rsasig and rsasig|secret */
 				for (;;)
 				{
 					if (streq(value, "rsa") || streq(value, "rsasig"))
+					{
 						conn->policy |= POLICY_RSASIG | POLICY_ENCRYPT;
+					}
 					else if (streq(value, "secret") || streq(value, "psk"))
+					{
 						conn->policy |= POLICY_PSK | POLICY_ENCRYPT;
+					}
 					else if (streq(value, "ecdsa") || streq(value, "ecdsasig"))
+					{
 						conn->policy |= POLICY_ECDSASIG | POLICY_ENCRYPT;
+					}
 					else if (streq(value, "xauthrsasig"))
+					{
 						conn->policy |= POLICY_XAUTH_RSASIG | POLICY_ENCRYPT;
+					}
 					else if (streq(value, "xauthpsk"))
+					{
 						conn->policy |= POLICY_XAUTH_PSK | POLICY_ENCRYPT;
+					}
 					else
 					{
 						plog("# bad policy value: %s=%s", kw->entry->name, kw->value);
@@ -552,7 +579,9 @@ load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg)
 						break;
 					}
 					if (second == NULL)
+					{
 						break;
+					}
 					value = second;
 					second = NULL; /* traverse the loop no more than twice */
 				}
diff --git a/src/starter/confread.h b/src/starter/confread.h
index 2c6e45984..24a8d073e 100644
--- a/src/starter/confread.h
+++ b/src/starter/confread.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: confread.h 4276 2008-08-22 10:44:51Z martin $
+ * RCSID $Id: confread.h 4612 2008-11-11 06:37:37Z andreas $
  */
 
 #ifndef _IPSEC_CONFREAD_H_
@@ -114,7 +114,7 @@ struct starter_conn {
 	unsigned long	sa_rekey_fuzz;
 	sa_family_t	addr_family;
 	sa_family_t	tunnel_addr_family;
-	
+	bool		install_policy;
 	starter_end_t	left, right;
 
 	unsigned long	id;
diff --git a/src/starter/files.h b/src/starter/files.h
index b21db8bd1..a40574594 100644
--- a/src/starter/files.h
+++ b/src/starter/files.h
@@ -11,7 +11,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: files.h 3267 2007-10-08 19:57:54Z andreas $
+ * RCSID $Id: files.h 4618 2008-11-11 09:22:00Z tobias $
  */
 
 #ifndef _STARTER_FILES_H_
@@ -19,7 +19,8 @@
 
 #define STARTER_PID_FILE IPSEC_PIDDIR "/starter.pid"
 
-#define PROC_NETKEY	"/proc/net/pfkey"
+#define PROC_NETKEY		"/proc/net/pfkey"
+#define PROC_KLIPS		"/proc/net/pf_key"
 #define PROC_MODULES	"/proc/modules"
 
 #define CONFIG_FILE     IPSEC_CONFDIR "/ipsec.conf"
diff --git a/src/starter/invokepluto.c b/src/starter/invokepluto.c
index a3cf3a786..e18d6e38d 100644
--- a/src/starter/invokepluto.c
+++ b/src/starter/invokepluto.c
@@ -11,7 +11,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: invokepluto.c 3942 2008-05-13 07:37:08Z martin $
+ * RCSID $Id: invokepluto.c 4632 2008-11-11 18:37:19Z martin $
  */
 
 #include <sys/types.h>
@@ -215,7 +215,7 @@ starter_start_pluto (starter_config_t *cfg, bool no_fork)
 	_stop_requested = 0;
 
 	if (cfg->setup.prepluto)
-	    system(cfg->setup.prepluto);
+	    ignore_result(system(cfg->setup.prepluto));
 
 	pid = fork();
 	switch (pid)
@@ -258,7 +258,7 @@ starter_start_pluto (starter_config_t *cfg, bool no_fork)
 			DBG_log("pluto (%d) started", _pluto_pid)
 		    )
 		    if (cfg->setup.postpluto)
-			system(cfg->setup.postpluto);
+			ignore_result(system(cfg->setup.postpluto));
 		    return 0;
 		}
 	    }
diff --git a/src/starter/ipsec.conf.5 b/src/starter/ipsec.conf.5
index 40ff27d0b..10ce8348e 100644
--- a/src/starter/ipsec.conf.5
+++ b/src/starter/ipsec.conf.5
@@ -1,5 +1,5 @@
 .TH IPSEC.CONF 5 "27 Jun 2007"
-.\" RCSID $Id: ipsec.conf.5 4360 2008-09-30 12:36:58Z martin $
+.\" RCSID $Id: ipsec.conf.5 4645 2008-11-13 06:29:53Z andreas $
 .SH NAME
 ipsec.conf \- IPsec configuration and connections
 .SH DESCRIPTION
@@ -397,6 +397,15 @@ may be included, such as
 how long the keying channel of a connection ('ISAKMP/IKE SA')
 should last before being renegotiated.
 .TP
+.B installpolicy
+decides whether IPsec policies are installed in the kernel by the IKEv2
+charon daemon for a given connection. Allows peaceful co-existence e.g. with
+the Mobile IPv6 daemon mip6d who wants to control the kernel policies.
+Acceptable values are
+.B yes
+(the default) and
+.BR no .
+.TP
 .B keyexchange
 method of key exchange;
 which protocol should be used to initialize the connection. Connections marked with
@@ -782,17 +791,20 @@ are
 signifying a host-to-host, host-to-subnet, or subnet-to-subnet tunnel;
 .BR transport ,
 signifying host-to-host transport mode;
+.BR transport_proxy ,
+signifying the special Mobile IPv6 transport proxy mode;
 .BR passthrough ,
 signifying that no IPsec processing should be done at all;
 .BR drop ,
 signifying that packets should be discarded; and
 .BR reject ,
 signifying that packets should be discarded and a diagnostic ICMP returned.
-Charon currently supports only 
-.BR tunnel
+Charon currently supports
+.BR tunnel ,
+.BR transport ,
 and
-.BR transport
-connection types.
+.BR tunnel_proxy
+connection types, only .
 .TP
 .B xauth
 specifies the role in the XAUTH protocol if activated by
diff --git a/src/starter/keywords.c b/src/starter/keywords.c
index 35c17b9b5..e51780dc1 100644
--- a/src/starter/keywords.c
+++ b/src/starter/keywords.c
@@ -44,7 +44,7 @@ error "gperf generated tables don't work with this execution character set. Plea
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: keywords.txt 4276 2008-08-22 10:44:51Z martin $
+ * RCSID $Id: keywords.txt 4612 2008-11-11 06:37:37Z andreas $
  */
 
 #include <string.h>
@@ -56,7 +56,7 @@ struct kw_entry {
     kw_token_t token;
 };
 
-#define TOTAL_KEYWORDS 101
+#define TOTAL_KEYWORDS 102
 #define MIN_WORD_LENGTH 3
 #define MAX_WORD_LENGTH 17
 #define MIN_HASH_VALUE 6
@@ -239,7 +239,8 @@ static const struct kw_entry wordlist[] =
     {"pkcs11proxy",       KW_PKCS11PROXY},
     {""}, {""}, {""}, {""},
     {"charondebug",       KW_CHARONDEBUG},
-    {""}, {""},
+    {""},
+    {"installpolicy",     KW_INSTALLPOLICY},
     {"cachecrls",         KW_CACHECRLS},
     {""}, {""}, {""},
     {"packetdefault",     KW_PACKETDEFAULT},
diff --git a/src/starter/keywords.h b/src/starter/keywords.h
index 1efa5dc2b..756c33075 100644
--- a/src/starter/keywords.h
+++ b/src/starter/keywords.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: keywords.h 4276 2008-08-22 10:44:51Z martin $
+ * RCSID $Id: keywords.h 4612 2008-11-11 06:37:37Z andreas $
  */
 
 #ifndef _KEYWORDS_H_
@@ -68,6 +68,7 @@ typedef enum {
     KW_TYPE,
     KW_PFS,
     KW_COMPRESS,
+	KW_INSTALLPOLICY,
     KW_AUTH,
     KW_AUTHBY,
     KW_EAP,
diff --git a/src/starter/keywords.txt b/src/starter/keywords.txt
index 29bd404b5..8dfa03325 100644
--- a/src/starter/keywords.txt
+++ b/src/starter/keywords.txt
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: keywords.txt 4276 2008-08-22 10:44:51Z martin $
+ * RCSID $Id: keywords.txt 4612 2008-11-11 06:37:37Z andreas $
  */
 
 #include <string.h>
@@ -61,6 +61,7 @@ keyexchange,       KW_KEYEXCHANGE
 type,              KW_TYPE
 pfs,               KW_PFS
 compress,          KW_COMPRESS
+installpolicy,     KW_INSTALLPOLICY
 auth,              KW_AUTH
 authby,            KW_AUTHBY
 keylife,           KW_KEYLIFE
diff --git a/src/starter/klips.c b/src/starter/klips.c
new file mode 100644
index 000000000..5c8164419
--- /dev/null
+++ b/src/starter/klips.c
@@ -0,0 +1,82 @@
+/* strongSwan KLIPS starter
+ * Copyright (C) 2001-2002 Mathieu Lafon - Arkoon Network Security
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: klips.c 4632 2008-11-11 18:37:19Z martin $
+ */
+
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <stdlib.h>
+
+#include <freeswan.h>
+
+#include "../pluto/constants.h"
+#include "../pluto/defs.h"
+#include "../pluto/log.h"
+
+#include "files.h"
+
+bool
+starter_klips_init(void)
+{
+    struct stat stb;
+
+    if (stat(PROC_KLIPS, &stb) != 0)
+    {
+	/* ipsec module makes the pf_key proc interface visible */
+	if (stat(PROC_MODULES, &stb) == 0)
+	{
+	    ignore_result(system("modprobe -qv ipsec"));
+	}
+
+	/* now test again */
+	if (stat(PROC_KLIPS, &stb) != 0)
+	{
+	    DBG(DBG_CONTROL,
+		DBG_log("kernel appears to lack the KLIPS IPsec stack")
+	    )
+	    return FALSE;
+	}
+    }
+    
+    /* load crypto algorithm modules */
+    ignore_result(system("modprobe -qv ipsec_aes"));
+    ignore_result(system("modprobe -qv ipsec_blowfish"));
+    ignore_result(system("modprobe -qv ipsec_sha2"));
+
+    DBG(DBG_CONTROL,
+	DBG_log("Found KLIPS IPsec stack")
+    )
+    
+    return TRUE;
+}
+
+void
+starter_klips_cleanup(void)
+{
+    if (system("type eroute > /dev/null 2>&1") == 0)
+    {
+	ignore_result(system("spi --clear"));
+	ignore_result(system("eroute --clear"));
+    }
+	else if (system("type setkey > /dev/null 2>&1") == 0)
+    {
+	ignore_result(system("setkey -F"));
+	ignore_result(system("setkey -FP"));
+    }
+    else
+    {
+	plog("WARNING: cannot flush IPsec state/policy database");
+    }
+}
+
diff --git a/src/starter/klips.h b/src/starter/klips.h
new file mode 100644
index 000000000..60055b4f1
--- /dev/null
+++ b/src/starter/klips.h
@@ -0,0 +1,24 @@
+/* strongSwan KLIPS initialization and cleanup 
+ * Copyright (C) 2001-2002 Mathieu Lafon - Arkoon Network Security
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: klips.h 4618 2008-11-11 09:22:00Z tobias $
+ */
+
+#ifndef _STARTER_KLIPS_H_
+#define _STARTER_KLIPS_H_
+
+extern bool starter_klips_init (void);
+extern void starter_klips_cleanup (void);
+
+#endif /* _STARTER_KLIPS_H_ */
+
diff --git a/src/starter/lex.yy.c b/src/starter/lex.yy.c
index cd3535318..4b3405eda 100644
--- a/src/starter/lex.yy.c
+++ b/src/starter/lex.yy.c
@@ -500,7 +500,7 @@ char *yytext;
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: parser.l 3267 2007-10-08 19:57:54Z andreas $
+ * RCSID $Id: parser.l 4632 2008-11-11 18:37:19Z martin $
  */
 
 #include <string.h>
@@ -511,6 +511,7 @@ char *yytext;
 
 #define MAX_INCLUDE_DEPTH  20
 
+#define YY_NO_INPUT
 #define YY_NO_UNPUT
 extern void yyerror(const char *);
 extern int yylex (void);
@@ -617,7 +618,7 @@ int _parser_y_include (const char *filename)
     return 0;
 }
 
-#line 621 "lex.yy.c"
+#line 622 "lex.yy.c"
 
 #define INITIAL 0
 
@@ -771,10 +772,10 @@ YY_DECL
 	register char *yy_cp, *yy_bp;
 	register int yy_act;
     
-#line 134 "parser.l"
+#line 135 "parser.l"
 
 
-#line 778 "lex.yy.c"
+#line 779 "lex.yy.c"
 
 	if ( !(yy_init) )
 		{
@@ -859,7 +860,7 @@ do_action:	/* This label is used only to access EOF actions. */
 			goto yy_find_action;
 
 case YY_STATE_EOF(INITIAL):
-#line 136 "parser.l"
+#line 137 "parser.l"
 {
 	if (__parser_y_private.filename[__parser_y_private.stack_ptr]) {
 		free(__parser_y_private.filename[__parser_y_private.stack_ptr]);
@@ -879,23 +880,23 @@ case YY_STATE_EOF(INITIAL):
 	YY_BREAK
 case 1:
 YY_RULE_SETUP
-#line 153 "parser.l"
+#line 154 "parser.l"
 return FIRST_SPACES;
 	YY_BREAK
 case 2:
 YY_RULE_SETUP
-#line 155 "parser.l"
+#line 156 "parser.l"
 /* ignore spaces in line */ ;
 	YY_BREAK
 case 3:
 YY_RULE_SETUP
-#line 157 "parser.l"
+#line 158 "parser.l"
 return EQUAL;
 	YY_BREAK
 case 4:
 /* rule 4 can match eol */
 YY_RULE_SETUP
-#line 159 "parser.l"
+#line 160 "parser.l"
 {
 					__parser_y_private.line[__parser_y_private.stack_ptr]++;
 					return EOL;
@@ -903,37 +904,37 @@ YY_RULE_SETUP
 	YY_BREAK
 case 5:
 YY_RULE_SETUP
-#line 164 "parser.l"
+#line 165 "parser.l"
 return CONFIG;
 	YY_BREAK
 case 6:
 YY_RULE_SETUP
-#line 165 "parser.l"
+#line 166 "parser.l"
 return SETUP;
 	YY_BREAK
 case 7:
 YY_RULE_SETUP
-#line 166 "parser.l"
+#line 167 "parser.l"
 return CONN;
 	YY_BREAK
 case 8:
 YY_RULE_SETUP
-#line 167 "parser.l"
+#line 168 "parser.l"
 return CA;
 	YY_BREAK
 case 9:
 YY_RULE_SETUP
-#line 168 "parser.l"
+#line 169 "parser.l"
 return INCLUDE;
 	YY_BREAK
 case 10:
 YY_RULE_SETUP
-#line 169 "parser.l"
+#line 170 "parser.l"
 return FILE_VERSION;
 	YY_BREAK
 case 11:
 YY_RULE_SETUP
-#line 171 "parser.l"
+#line 172 "parser.l"
 {
 					yylval.s = strdup(yytext);
 					return STRING;
@@ -941,7 +942,7 @@ YY_RULE_SETUP
 	YY_BREAK
 case 12:
 YY_RULE_SETUP
-#line 176 "parser.l"
+#line 177 "parser.l"
 {
 					yylval.s = strdup(yytext+1);
 					if (yylval.s) yylval.s[strlen(yylval.s)-1]='\0';
@@ -950,15 +951,15 @@ YY_RULE_SETUP
 	YY_BREAK
 case 13:
 YY_RULE_SETUP
-#line 182 "parser.l"
+#line 183 "parser.l"
 yyerror(yytext);
 	YY_BREAK
 case 14:
 YY_RULE_SETUP
-#line 184 "parser.l"
+#line 185 "parser.l"
 ECHO;
 	YY_BREAK
-#line 962 "lex.yy.c"
+#line 963 "lex.yy.c"
 
 	case YY_END_OF_BUFFER:
 		{
@@ -1920,7 +1921,7 @@ void yyfree (void * ptr )
 
 #define YYTABLES_NAME "yytables"
 
-#line 184 "parser.l"
+#line 185 "parser.l"
 
 
 
diff --git a/src/starter/netkey.c b/src/starter/netkey.c
index d3c181456..1490abf29 100644
--- a/src/starter/netkey.c
+++ b/src/starter/netkey.c
@@ -11,7 +11,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: netkey.c 3267 2007-10-08 19:57:54Z andreas $
+ * RCSID $Id: netkey.c 4632 2008-11-11 18:37:19Z martin $
  */
 
 #include <sys/types.h>
@@ -36,7 +36,7 @@ starter_netkey_init(void)
 	/* af_key module makes the netkey proc interface visible */
 	if (stat(PROC_MODULES, &stb) == 0)
 	{
-	    system("modprobe -qv af_key");
+	    ignore_result(system("modprobe -qv af_key"));
 	}
 
 	/* now test again */
@@ -52,11 +52,11 @@ starter_netkey_init(void)
     /* make sure that all required IPsec modules are loaded */
     if (stat(PROC_MODULES, &stb) == 0)
     {
-	system("modprobe -qv ah4");
-	system("modprobe -qv esp4");
-	system("modprobe -qv ipcomp");
-	system("modprobe -qv xfrm4_tunnel");
-	system("modprobe -qv xfrm_user");
+	ignore_result(system("modprobe -qv ah4"));
+	ignore_result(system("modprobe -qv esp4"));
+	ignore_result(system("modprobe -qv ipcomp"));
+	ignore_result(system("modprobe -qv xfrm4_tunnel"));
+	ignore_result(system("modprobe -qv xfrm_user"));
     }
 
     DBG(DBG_CONTROL,
@@ -70,13 +70,13 @@ starter_netkey_cleanup(void)
 {
     if (system("ip xfrm state > /dev/null 2>&1") == 0)
     {
-	system("ip xfrm state flush");
-	system("ip xfrm policy flush");
+	ignore_result(system("ip xfrm state flush"));
+	ignore_result(system("ip xfrm policy flush"));
     }
     else if (system("type setkey > /dev/null 2>&1") == 0)
     {
-	system("setkey -F");
-        system("setkey -FP");
+	ignore_result(system("setkey -F"));
+	ignore_result(system("setkey -FP"));
     }
     else
     {
diff --git a/src/starter/parser.l b/src/starter/parser.l
index 68d3b5556..e51d655df 100644
--- a/src/starter/parser.l
+++ b/src/starter/parser.l
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: parser.l 3267 2007-10-08 19:57:54Z andreas $
+ * RCSID $Id: parser.l 4632 2008-11-11 18:37:19Z martin $
  */
 
 #include <string.h>
@@ -23,6 +23,7 @@
 
 #define MAX_INCLUDE_DEPTH  20
 
+#define YY_NO_INPUT
 #define YY_NO_UNPUT
 extern void yyerror(const char *);
 extern int yylex (void);
diff --git a/src/starter/starter.c b/src/starter/starter.c
index 61f21d88c..e4ad5286c 100644
--- a/src/starter/starter.c
+++ b/src/starter/starter.c
@@ -11,7 +11,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: starter.c 4140 2008-07-02 05:51:49Z andreas $
+ * RCSID $Id: starter.c 4632 2008-11-11 18:37:19Z martin $
  */
 
 #include <sys/types.h>
@@ -42,6 +42,7 @@
 #include "invokepluto.h"
 #include "invokecharon.h"
 #include "netkey.h"
+#include "klips.h"
 #include "cmp.h"
 #include "interfaces.h"
 
@@ -179,7 +180,7 @@ static void generate_selfcert()
 #endif
 	    setegid(gid);
 	    seteuid(uid);
-	    system("ipsec scepclient --out pkcs1 --out cert-self --quiet");
+	    ignore_result(system("ipsec scepclient --out pkcs1 --out cert-self --quiet"));
 	    seteuid(0);
 	    setegid(0);
 
@@ -194,7 +195,7 @@ static void generate_selfcert()
 		fprintf(f, ": RSA myKey.der\n");
 		fclose(f);
 	    }
-	    chown(SECRETS_FILE, uid, gid);
+	    ignore_result(chown(SECRETS_FILE, uid, gid));
 	    umask(oldmask);
 	}
 }
@@ -324,7 +325,11 @@ int main (int argc, char **argv)
     if (!starter_netkey_init())
     {
 	plog("no netkey IPSec stack detected");
-	exit(LSB_RC_FAILURE);
+	if (!starter_klips_init())
+	{
+	    plog("no KLIPS IPSec stack detected");
+	    exit(LSB_RC_FAILURE);
+	}
     }
 
     last_reload = time(NULL);
diff --git a/src/starter/starterstroke.c b/src/starter/starterstroke.c
index 4ee73128b..481b7de34 100644
--- a/src/starter/starterstroke.c
+++ b/src/starter/starterstroke.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: starterstroke.c 4276 2008-08-22 10:44:51Z martin $
+ * RCSID $Id: starterstroke.c 4614 2008-11-11 07:28:52Z andreas $
  */
 
 #include <sys/types.h>
@@ -24,6 +24,7 @@
 #include <errno.h>
 #include <netinet/in.h>
 #include <arpa/inet.h>
+#include <linux/xfrm.h>
 
 #include <freeswan.h>
 
@@ -37,6 +38,9 @@
 #include "confread.h"
 #include "files.h"
 
+#define IPV4_LEN	 4
+#define IPV6_LEN	16
+
 /**
  * Authentication methods, must be the same as in charons authenticator.h
  */
@@ -126,7 +130,11 @@ static void ip_address2string(ip_address *addr, char *buffer, size_t len)
 		case AF_INET:
 		{
 			struct sockaddr_in* sin = (struct sockaddr_in*)addr;
-			if (inet_ntop(AF_INET, &sin->sin_addr, buffer, len))
+			u_int8_t zeroes[IPV4_LEN];
+
+			memset(zeroes, 0, IPV4_LEN);
+			if (memcmp(zeroes, &(sin->sin_addr.s_addr), IPV4_LEN) &&
+				inet_ntop(AF_INET, &sin->sin_addr, buffer, len))
 			{
 				return;
 			}
@@ -135,7 +143,11 @@ static void ip_address2string(ip_address *addr, char *buffer, size_t len)
 		case AF_INET6:
 		{
 			struct sockaddr_in6* sin6 = (struct sockaddr_in6*)addr;
-			if (inet_ntop(AF_INET6, &sin6->sin6_addr, buffer, len))
+			u_int8_t zeroes[IPV6_LEN];
+
+			memset(zeroes, 0, IPV6_LEN);
+			if (memcmp(zeroes, &(sin6->sin6_addr.s6_addr), IPV6_LEN) &&
+				inet_ntop(AF_INET6, &sin6->sin6_addr, buffer, len))
 			{
 				return;
 			}
@@ -144,8 +156,8 @@ static void ip_address2string(ip_address *addr, char *buffer, size_t len)
 		default:
 			break;
 	}
-	/* failed */
-	snprintf(buffer, len, "0.0.0.0");
+	/* default */
+	snprintf(buffer, len, "%%any");
 }
 
 
@@ -231,17 +243,22 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
 	
 	if (conn->policy & POLICY_TUNNEL)
 	{
-		msg.add_conn.mode = 1; /* XFRM_MODE_TRANSPORT */
+		msg.add_conn.mode = XFRM_MODE_TUNNEL;
 	}
 	else if (conn->policy & POLICY_BEET)
 	{
-		msg.add_conn.mode = 4; /* XFRM_MODE_BEET */
+		msg.add_conn.mode = XFRM_MODE_BEET;
 	}
+	else if (conn->policy & POLICY_PROXY)
+	{
+		msg.add_conn.mode = XFRM_MODE_TRANSPORT;
+		msg.add_conn.proxy_mode = TRUE;
+	} 
 	else
 	{
-		msg.add_conn.mode = 0; /* XFRM_MODE_TUNNEL */
+		msg.add_conn.mode = XFRM_MODE_TRANSPORT;
 	}
- 
+
 	if (!(conn->policy & POLICY_DONT_REKEY))
 	{
 		msg.add_conn.rekey.reauth = (conn->policy & POLICY_DONT_REAUTH) == LEMPTY;
@@ -254,6 +271,7 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
 	msg.add_conn.mobike = conn->policy & POLICY_MOBIKE;
 	msg.add_conn.force_encap = conn->policy & POLICY_FORCE_ENCAP;
 	msg.add_conn.ipcomp = conn->policy & POLICY_COMPRESS;
+	msg.add_conn.install_policy = conn->install_policy;
 	msg.add_conn.crl_policy = cfg->setup.strictcrlpolicy;
 	msg.add_conn.unique = cfg->setup.uniqueids;
 	msg.add_conn.algorithms.ike = push_string(&msg, conn->ike);
diff --git a/src/stroke/Makefile.am b/src/stroke/Makefile.am
index aaedfc787..df20252e2 100644
--- a/src/stroke/Makefile.am
+++ b/src/stroke/Makefile.am
@@ -7,4 +7,4 @@ MAINTAINERCLEANFILES = stroke_keywords.c
 AM_CFLAGS = -DIPSEC_PIDDIR=\"${piddir}\"
 
 stroke_keywords.c:	stroke_keywords.txt stroke_keywords.h
-		$(GPERF) -C -G -t < stroke_keywords.txt > stroke_keywords.c
+		$(GPERF) -C -G -t < $< > $@
diff --git a/src/stroke/Makefile.in b/src/stroke/Makefile.in
index 06d9e07ef..62d1bb83e 100644
--- a/src/stroke/Makefile.in
+++ b/src/stroke/Makefile.in
@@ -488,7 +488,7 @@ uninstall-am: uninstall-ipsecPROGRAMS
 
 
 stroke_keywords.c:	stroke_keywords.txt stroke_keywords.h
-		$(GPERF) -C -G -t < stroke_keywords.txt > stroke_keywords.c
+		$(GPERF) -C -G -t < $< > $@
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/src/stroke/stroke_msg.h b/src/stroke/stroke_msg.h
index 4d2fb1071..38f44f923 100644
--- a/src/stroke/stroke_msg.h
+++ b/src/stroke/stroke_msg.h
@@ -19,7 +19,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: stroke_msg.h 4384 2008-10-08 07:00:13Z andreas $
+ * RCSID $Id: stroke_msg.h 4614 2008-11-11 07:28:52Z andreas $
  */
 
 #ifndef STROKE_MSG_H_
@@ -212,6 +212,9 @@ struct stroke_msg_t {
 			int mobike;
 			int force_encap;
 			int ipcomp;
+			int proxy_mode;
+			int install_policy;
+
 			crl_policy_t crl_policy;
 			int unique;
 			struct {
diff --git a/src/whack/whack.c b/src/whack/whack.c
index 5958991f2..a4236a8b4 100644
--- a/src/whack/whack.c
+++ b/src/whack/whack.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: whack.c 3264 2007-10-08 19:49:56Z andreas $
+ * RCSID $Id: whack.c 4632 2008-11-11 18:37:19Z martin $
  */
 
 #include <stdio.h>
@@ -1868,7 +1868,7 @@ main(int argc, char **argv)
 		    }
 
 		    le++;	/* include NL in line */
-		    write(1, ls, le - ls);
+		    ignore_result(write(1, ls, le - ls));
 
 		    /* figure out prefix number
 		     * and how it should affect our exit status
diff --git a/testing/INSTALL b/testing/INSTALL
index 69cdd7624..5e67b3bf9 100644
--- a/testing/INSTALL
+++ b/testing/INSTALL
@@ -53,7 +53,7 @@ are required for the strongSwan testing environment:
     * A vanilla Linux kernel on which the UML kernel will be based on.
       We recommend the use of
 
-      http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.26.5.tar.bz2
+      http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.27.5.tar.bz2
 
     * The Linux kernel 2.6.26 requires the following patch for the uml guest kernel
       to successfully start up:
@@ -62,7 +62,7 @@ are required for the strongSwan testing environment:
 
     * The matching .config file required to compile the UML kernel:
 
-      http://download.strongswan.org/uml/.config-2.6.26
+      http://download.strongswan.org/uml/.config-2.6.27
 
     * A gentoo-based UML file system (compressed size 130 MBytes) found at
 
@@ -70,7 +70,7 @@ are required for the strongSwan testing environment:
 
     * The latest strongSwan distribution
 
-      http://download.strongswan.org/strongswan-4.2.8.tar.bz2
+      http://download.strongswan.org/strongswan-4.2.9.tar.bz2
 
 
 3. Creating the environment
@@ -145,5 +145,5 @@ README document.
 
 -----------------------------------------------------------------------------
 
-This file is RCSID $Id: INSTALL 4348 2008-09-18 00:42:22Z andreas $
+This file is RCSID $Id: INSTALL 4663 2008-11-16 21:23:56Z andreas $
 
diff --git a/testing/testing.conf b/testing/testing.conf
index e5af9174c..fdfab383a 100755
--- a/testing/testing.conf
+++ b/testing/testing.conf
@@ -14,7 +14,7 @@
 # or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 # for more details.
 #
-# RCSID $Id: testing.conf 4417 2008-10-13 00:09:44Z andreas $
+# RCSID $Id: testing.conf 4442 2008-10-15 00:22:51Z andreas $
 
 # Root directory of testing
 UMLTESTDIR=~/strongswan-testing
@@ -27,13 +27,13 @@ KERNEL=$UMLTESTDIR/linux-2.6.27.tar.bz2
 KERNELVERSION=`basename $KERNEL .tar.bz2 | sed -e 's/linux-//'`
 
 # Kernel configuration file
-KERNELCONFIG=$UMLTESTDIR/.config-2.6.26
+KERNELCONFIG=$UMLTESTDIR/.config-2.6.27
 
 # Bzipped uml patch for kernel
 UMLPATCH=$UMLTESTDIR/uml-2.6.26.patch.bz2
 
 # Bzipped source of strongSwan
-STRONGSWAN=$UMLTESTDIR/strongswan-4.2.8.tar.bz2
+STRONGSWAN=$UMLTESTDIR/strongswan-4.2.9.tar.bz2
 
 # strongSwan compile options (use "yes" or "no")
 USE_LIBCURL="yes"
@@ -45,7 +45,7 @@ USE_EAP_IDENTITY="yes"
 USE_SQL="yes"
 USE_MEDIATION="yes"
 USE_OPENSSL="yes"
-USE_KERNEL_PFKEY="no"
+USE_KERNEL_PFKEY="yes"
 USE_INTEGRITY_TEST="no"
 USE_LEAK_DETECTIVE="no"
 
diff --git a/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/any-interface/evaltest.dat b/testing/tests/ikev2/any-interface/evaltest.dat
index cd8fa2b60..f475ba70b 100644
--- a/testing/tests/ikev2/any-interface/evaltest.dat
+++ b/testing/tests/ikev2/any-interface/evaltest.dat
@@ -1,5 +1,5 @@
-moon::cat /var/log/daemon.log::creating acquire job for CHILD_SA::YES
-bob::cat /var/log/daemon.log::creating acquire job for CHILD_SA::YES
+moon::cat /var/log/daemon.log::creating acquire job::YES
+bob::cat /var/log/daemon.log::creating acquire job::YES
 moon::ipsec statusall::alice.*INSTALLED, TRANSPORT::YES
 moon::ipsec statusall::sun.*INSTALLED, TRANSPORT::YES
 alice::ipsec statusall::remote.*INSTALLED, TRANSPORT::YES
diff --git a/testing/tests/ikev2/config-payload-swapped/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/config-payload-swapped/hosts/carol/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ikev2/config-payload-swapped/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/config-payload-swapped/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/config-payload-swapped/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/config-payload-swapped/hosts/dave/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ikev2/config-payload-swapped/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/config-payload-swapped/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/config-payload-swapped/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/config-payload-swapped/hosts/moon/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ikev2/config-payload-swapped/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/config-payload-swapped/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/config-payload/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/config-payload/hosts/carol/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ikev2/config-payload/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/config-payload/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/config-payload/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/config-payload/hosts/dave/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ikev2/config-payload/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/config-payload/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/config-payload/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/config-payload/hosts/moon/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ikev2/config-payload/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/config-payload/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/crl-ldap/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/crl-ldap/hosts/carol/etc/strongswan.conf
index c234f3a32..7ab4e2a42 100644
--- a/testing/tests/ikev2/crl-ldap/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/crl-ldap/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = ldap aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = ldap aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/crl-ldap/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/crl-ldap/hosts/moon/etc/strongswan.conf
index c234f3a32..7ab4e2a42 100644
--- a/testing/tests/ikev2/crl-ldap/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/crl-ldap/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = ldap aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = ldap aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/default-keys/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/default-keys/hosts/carol/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ikev2/default-keys/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/default-keys/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/default-keys/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/default-keys/hosts/moon/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ikev2/default-keys/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/default-keys/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/double-nat-net/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/double-nat-net/hosts/alice/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ikev2/double-nat-net/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/double-nat-net/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/double-nat-net/hosts/bob/etc/strongswan.conf b/testing/tests/ikev2/double-nat-net/hosts/bob/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ikev2/double-nat-net/hosts/bob/etc/strongswan.conf
+++ b/testing/tests/ikev2/double-nat-net/hosts/bob/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/double-nat/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/double-nat/hosts/alice/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ikev2/double-nat/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/double-nat/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/double-nat/hosts/bob/etc/strongswan.conf b/testing/tests/ikev2/double-nat/hosts/bob/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ikev2/double-nat/hosts/bob/etc/strongswan.conf
+++ b/testing/tests/ikev2/double-nat/hosts/bob/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/dpd-clear/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/dpd-clear/hosts/carol/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ikev2/dpd-clear/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/dpd-clear/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/dpd-hold/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/dpd-hold/hosts/carol/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ikev2/dpd-hold/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/dpd-hold/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/dpd-restart/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/dpd-restart/hosts/carol/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ikev2/dpd-restart/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/dpd-restart/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/esp-alg-aes-ccm/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-aes-ccm/hosts/carol/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ikev2/esp-alg-aes-ccm/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/esp-alg-aes-ccm/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/esp-alg-aes-ccm/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-aes-ccm/hosts/moon/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ikev2/esp-alg-aes-ccm/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/esp-alg-aes-ccm/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/esp-alg-aes-gcm/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-aes-gcm/hosts/carol/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ikev2/esp-alg-aes-gcm/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/esp-alg-aes-gcm/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/esp-alg-aes-gcm/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-aes-gcm/hosts/moon/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ikev2/esp-alg-aes-gcm/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/esp-alg-aes-gcm/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/force-udp-encaps/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/force-udp-encaps/hosts/alice/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ikev2/force-udp-encaps/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/force-udp-encaps/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/host2host-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/host2host-cert/hosts/moon/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ikev2/host2host-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/host2host-cert/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/host2host-cert/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/host2host-cert/hosts/sun/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ikev2/host2host-cert/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/host2host-cert/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/host2host-swapped/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/host2host-swapped/hosts/moon/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ikev2/host2host-swapped/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/host2host-swapped/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/host2host-swapped/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/host2host-swapped/hosts/sun/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ikev2/host2host-swapped/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/host2host-swapped/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/host2host-transport/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/host2host-transport/hosts/moon/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ikev2/host2host-transport/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/host2host-transport/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/host2host-transport/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/host2host-transport/hosts/sun/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ikev2/host2host-transport/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/host2host-transport/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/ip-pool-db/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-pool-db/hosts/carol/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ikev2/ip-pool-db/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-pool-db/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/ip-pool-db/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ip-pool-db/hosts/dave/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ikev2/ip-pool-db/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-pool-db/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/strongswan.conf
index f70c4cbcb..0d900b871 100644
--- a/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink sqlite sql
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink sqlite sql updown
 }
diff --git a/testing/tests/ikev2/ip-pool-wish/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-pool-wish/hosts/carol/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ikev2/ip-pool-wish/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-pool-wish/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/ip-pool-wish/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ip-pool-wish/hosts/dave/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ikev2/ip-pool-wish/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-pool-wish/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/ip-pool-wish/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-pool-wish/hosts/moon/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ikev2/ip-pool-wish/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-pool-wish/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/ip-pool/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-pool/hosts/carol/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ikev2/ip-pool/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-pool/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/ip-pool/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ip-pool/hosts/dave/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ikev2/ip-pool/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-pool/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/ip-pool/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-pool/hosts/moon/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ikev2/ip-pool/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-pool/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/carol/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ikev2/ip-two-pools-db/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools-db/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/dave/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ikev2/ip-two-pools-db/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools-db/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/strongswan.conf
index 0834739b2..7a9cd5311 100644
--- a/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke sqlite sql kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke sqlite sql kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/ip-two-pools/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools/hosts/alice/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ikev2/ip-two-pools/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/ip-two-pools/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools/hosts/carol/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ikev2/ip-two-pools/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/mobike-nat/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/mobike-nat/hosts/alice/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ikev2/mobike-nat/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/mobike-nat/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/mobike-nat/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/mobike-nat/hosts/sun/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ikev2/mobike-nat/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/mobike-nat/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/mobike/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/mobike/hosts/alice/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ikev2/mobike/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/mobike/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/mobike/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/mobike/hosts/sun/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ikev2/mobike/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/mobike/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/evaltest.dat b/testing/tests/ikev2/multi-level-ca-ldap/evaltest.dat
index ca0bdba44..8656c8e3a 100644
--- a/testing/tests/ikev2/multi-level-ca-ldap/evaltest.dat
+++ b/testing/tests/ikev2/multi-level-ca-ldap/evaltest.dat
@@ -9,12 +9,10 @@ moon::ipsec status::alice.*ESTABLISHED.*carol@strongswan.org::YES
 carol::cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES
 carol::ipsec status::venus.*INSTALLED::NO
 moon::cat /var/log/daemon.log::constraint check failed: peer not authenticated by.*Sales CA::YES
-moon::cat /var/log/daemon.log::traffic selectors PH_IP_VENUS/32 === PH_IP_CAROL/32.*inacceptable::YES
 moon::ipsec status::venus.*ESTABLISHED.*carol@strongswan.org::NO
 dave::ipsec status::venus.*INSTALLED::YES
 moon::ipsec status::venus.*ESTABLISHED.*dave@strongswan.org::YES
 dave::cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES
 dave::ipsec status::alice.*INSTALLED::NO
 moon::cat /var/log/daemon.log::constraint check failed: peer not authenticated by.*Research CA::YES
-moon::cat /var/log/daemon.log::traffic selectors PH_IP_ALICE/32 === PH_IP_DAVE/32.*inacceptable::YES
 moon::ipsec status::alice.*ESTABLISHED.*dave@strongswan.org::NO
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf
index c234f3a32..7ab4e2a42 100644
--- a/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = ldap aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = ldap aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/multi-level-ca/evaltest.dat b/testing/tests/ikev2/multi-level-ca/evaltest.dat
index e4eafe966..8ba69ff9b 100644
--- a/testing/tests/ikev2/multi-level-ca/evaltest.dat
+++ b/testing/tests/ikev2/multi-level-ca/evaltest.dat
@@ -9,12 +9,10 @@ moon::ipsec status::alice.*ESTABLISHED.*carol@strongswan.org::YES
 carol::cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES
 carol::ipsec status::venus.*INSTALLED::NO
 moon::cat /var/log/daemon.log::constraint check failed: peer not authenticated by.*Sales CA::YES
-moon::cat /var/log/daemon.log::traffic selectors PH_IP_VENUS/32 === PH_IP_CAROL/32.*inacceptable::YES
 moon::ipsec status::venus.*ESTABLISHED.*carol@strongswan.org::NO
 dave::ipsec status::venus.*INSTALLED::YES
 moon::ipsec status::venus.*ESTABLISHED.*dave@strongswan.org::YES
 dave::cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES
 dave::ipsec status::alice.*INSTALLED::NO
 moon::cat /var/log/daemon.log::constraint check failed: peer not authenticated by.*Research CA::YES
-moon::cat /var/log/daemon.log::traffic selectors PH_IP_ALICE/32 === PH_IP_DAVE/32.*inacceptable::YES
 moon::ipsec status::alice.*ESTABLISHED.*dave@strongswan.org::NO
diff --git a/testing/tests/ikev2/nat-one-rw/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/nat-one-rw/hosts/alice/etc/strongswan.conf
index 29dcd052c..8a6df98fa 100644
--- a/testing/tests/ikev2/nat-one-rw/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/nat-one-rw/hosts/alice/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   keep_alive = 1d 
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/nat-one-rw/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/nat-one-rw/hosts/sun/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ikev2/nat-one-rw/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/nat-one-rw/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/nat-two-rw-psk/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/nat-two-rw-psk/hosts/alice/etc/strongswan.conf
index 27f03d4a3..20c58007c 100644
--- a/testing/tests/ikev2/nat-two-rw-psk/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/nat-two-rw-psk/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink
+  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/nat-two-rw-psk/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/nat-two-rw-psk/hosts/sun/etc/strongswan.conf
index 27f03d4a3..20c58007c 100644
--- a/testing/tests/ikev2/nat-two-rw-psk/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/nat-two-rw-psk/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink
+  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/nat-two-rw-psk/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2/nat-two-rw-psk/hosts/venus/etc/strongswan.conf
index 27f03d4a3..20c58007c 100644
--- a/testing/tests/ikev2/nat-two-rw-psk/hosts/venus/etc/strongswan.conf
+++ b/testing/tests/ikev2/nat-two-rw-psk/hosts/venus/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink
+  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/nat-two-rw/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/nat-two-rw/hosts/alice/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ikev2/nat-two-rw/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/nat-two-rw/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/nat-two-rw/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/nat-two-rw/hosts/sun/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ikev2/nat-two-rw/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/nat-two-rw/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/nat-two-rw/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2/nat-two-rw/hosts/venus/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ikev2/nat-two-rw/hosts/venus/etc/strongswan.conf
+++ b/testing/tests/ikev2/nat-two-rw/hosts/venus/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/net2net-psk/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-psk/hosts/moon/etc/strongswan.conf
index 27f03d4a3..20c58007c 100644
--- a/testing/tests/ikev2/net2net-psk/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-psk/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink
+  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/net2net-psk/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-psk/hosts/sun/etc/strongswan.conf
index 27f03d4a3..20c58007c 100644
--- a/testing/tests/ikev2/net2net-psk/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-psk/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink
+  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/net2net-route/evaltest.dat b/testing/tests/ikev2/net2net-route/evaltest.dat
index d5350467e..a89e5a298 100644
--- a/testing/tests/ikev2/net2net-route/evaltest.dat
+++ b/testing/tests/ikev2/net2net-route/evaltest.dat
@@ -1,4 +1,4 @@
-moon::cat /var/log/daemon.log::creating acquire job for CHILD_SA::YES
+moon::cat /var/log/daemon.log::creating acquire job::YES
 moon::ipsec statusall::net-net.*INSTALLED::YES
 sun::ipsec statusall::net-net.*INSTALLED::YES
 alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
diff --git a/testing/tests/ikev2/net2net-route/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-route/hosts/moon/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ikev2/net2net-route/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-route/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/net2net-route/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-route/hosts/sun/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ikev2/net2net-route/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-route/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/net2net-start/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-start/hosts/moon/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ikev2/net2net-start/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-start/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/net2net-start/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-start/hosts/sun/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ikev2/net2net-start/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-start/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/protoport-dual/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/protoport-dual/hosts/carol/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ikev2/protoport-dual/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/protoport-dual/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/protoport-dual/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/protoport-dual/hosts/moon/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ikev2/protoport-dual/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/protoport-dual/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/protoport-route/evaltest.dat b/testing/tests/ikev2/protoport-route/evaltest.dat
index d6ce409f5..78d062918 100644
--- a/testing/tests/ikev2/protoport-route/evaltest.dat
+++ b/testing/tests/ikev2/protoport-route/evaltest.dat
@@ -1,7 +1,7 @@
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq::YES
 carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq::YES
 carol::ssh PH_IP_ALICE hostname::alice::YES
-carol::cat /var/log/daemon.log::creating acquire job for CHILD_SA::YES
+carol::cat /var/log/daemon.log::creating acquire job::YES
 carol::ipsec statusall::home-icmp.*INSTALLED::YES
 carol::ipsec statusall::home-ssh.*INSTALLED::YES
 moon::ipsec statusall::rw-icmp.*INSTALLED::YES
diff --git a/testing/tests/ikev2/protoport-route/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/protoport-route/hosts/carol/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ikev2/protoport-route/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/protoport-route/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/protoport-route/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/protoport-route/hosts/moon/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ikev2/protoport-route/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/protoport-route/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/reauth-early/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/reauth-early/hosts/carol/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ikev2/reauth-early/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/reauth-early/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/reauth-early/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/reauth-early/hosts/moon/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ikev2/reauth-early/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/reauth-early/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/reauth-late/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/reauth-late/hosts/carol/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ikev2/reauth-late/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/reauth-late/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/reauth-late/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/reauth-late/hosts/moon/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ikev2/reauth-late/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/reauth-late/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/rw-eap-aka-identity/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-aka-identity/hosts/carol/etc/strongswan.conf
index 2f86e72e4..831d9e663 100644
--- a/testing/tests/ikev2/rw-eap-aka-identity/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-aka-identity/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink fips-prf eapaka eapidentity
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink fips-prf eapaka eapidentity updown
 }
diff --git a/testing/tests/ikev2/rw-eap-aka-identity/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-aka-identity/hosts/moon/etc/strongswan.conf
index 2f86e72e4..831d9e663 100644
--- a/testing/tests/ikev2/rw-eap-aka-identity/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-aka-identity/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink fips-prf eapaka eapidentity
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink fips-prf eapaka eapidentity updown
 }
diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf
index e8bba1170..42619b3ee 100644
--- a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink fips-prf eapaka
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink fips-prf eapaka updown
 }
diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf
index e8bba1170..42619b3ee 100644
--- a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink fips-prf eapaka
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink fips-prf eapaka updown
 }
diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf
index 3c749d01f..a53e44f50 100644
--- a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink fips-prf eapmd5
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink fips-prf eapmd5 updown
 }
diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf
index 3c749d01f..a53e44f50 100644
--- a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink fips-prf eapmd5
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink fips-prf eapmd5 updown
 }
diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf
index d1adc88e7..e2388268c 100644
--- a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink fips-prf eapsim eapsim-file
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink fips-prf eapsim eapsim-file updown
 }
diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf
index d1adc88e7..e2388268c 100644
--- a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink fips-prf eapsim eapsim-file
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink fips-prf eapsim eapsim-file updown
 }
diff --git a/testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/strongswan.conf
index ace98d1ef..8451ac81a 100644
--- a/testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/strongswan.conf
index ace98d1ef..8451ac81a 100644
--- a/testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/strongswan.conf
index ace98d1ef..8451ac81a 100644
--- a/testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/rw-psk-fqdn/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-fqdn/hosts/carol/etc/strongswan.conf
index 27f03d4a3..20c58007c 100644
--- a/testing/tests/ikev2/rw-psk-fqdn/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-fqdn/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink
+  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/rw-psk-fqdn/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-fqdn/hosts/dave/etc/strongswan.conf
index 27f03d4a3..20c58007c 100644
--- a/testing/tests/ikev2/rw-psk-fqdn/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-fqdn/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink
+  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/rw-psk-fqdn/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-fqdn/hosts/moon/etc/strongswan.conf
index 27f03d4a3..20c58007c 100644
--- a/testing/tests/ikev2/rw-psk-fqdn/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-fqdn/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink
+  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
index 27f03d4a3..20c58007c 100644
--- a/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink
+  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
index 27f03d4a3..20c58007c 100644
--- a/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink
+  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
index 27f03d4a3..20c58007c 100644
--- a/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink
+  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/rw-psk-no-idr/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-no-idr/hosts/carol/etc/strongswan.conf
index 27f03d4a3..20c58007c 100644
--- a/testing/tests/ikev2/rw-psk-no-idr/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-no-idr/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink
+  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/rw-psk-no-idr/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-no-idr/hosts/dave/etc/strongswan.conf
index 27f03d4a3..20c58007c 100644
--- a/testing/tests/ikev2/rw-psk-no-idr/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-no-idr/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink
+  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/rw-psk-no-idr/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-no-idr/hosts/moon/etc/strongswan.conf
index 27f03d4a3..20c58007c 100644
--- a/testing/tests/ikev2/rw-psk-no-idr/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-no-idr/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink
+  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/two-certs/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/two-certs/hosts/carol/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ikev2/two-certs/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/two-certs/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/two-certs/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/two-certs/hosts/dave/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ikev2/two-certs/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/two-certs/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/two-certs/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/two-certs/hosts/moon/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ikev2/two-certs/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/two-certs/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/virtual-ip-override/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/virtual-ip-override/hosts/carol/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ikev2/virtual-ip-override/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/virtual-ip-override/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/virtual-ip-override/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/virtual-ip-override/hosts/dave/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ikev2/virtual-ip-override/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/virtual-ip-override/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/virtual-ip-override/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/virtual-ip-override/hosts/moon/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ikev2/virtual-ip-override/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/virtual-ip-override/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/virtual-ip/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/virtual-ip/hosts/carol/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ikev2/virtual-ip/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/virtual-ip/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/virtual-ip/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/virtual-ip/hosts/dave/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ikev2/virtual-ip/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/virtual-ip/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/virtual-ip/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/virtual-ip/hosts/moon/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ikev2/virtual-ip/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/virtual-ip/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/strongswan.conf b/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/strongswan.conf b/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/strongswan.conf b/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/strongswan.conf
index 27f03d4a3..20c58007c 100644
--- a/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink
+  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/strongswan.conf b/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/strongswan.conf
index 27f03d4a3..20c58007c 100644
--- a/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink
+  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/strongswan.conf
index 27f03d4a3..20c58007c 100644
--- a/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink
+  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/openssl/ecdsa-certs/hosts/carol/etc/strongswan.conf b/testing/tests/openssl/ecdsa-certs/hosts/carol/etc/strongswan.conf
index 90e0cb9f8..e10230384 100644
--- a/testing/tests/openssl/ecdsa-certs/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl/ecdsa-certs/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl openssl random x509 pubkey hmac stroke kernel-netlink
+  load = curl openssl random x509 pubkey hmac stroke kernel-netlink updown
 }
diff --git a/testing/tests/openssl/ecdsa-certs/hosts/dave/etc/strongswan.conf b/testing/tests/openssl/ecdsa-certs/hosts/dave/etc/strongswan.conf
index 90e0cb9f8..e10230384 100644
--- a/testing/tests/openssl/ecdsa-certs/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl/ecdsa-certs/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl openssl random x509 pubkey hmac stroke kernel-netlink
+  load = curl openssl random x509 pubkey hmac stroke kernel-netlink updown
 }
diff --git a/testing/tests/openssl/ecdsa-certs/hosts/moon/etc/strongswan.conf b/testing/tests/openssl/ecdsa-certs/hosts/moon/etc/strongswan.conf
index 90e0cb9f8..e10230384 100644
--- a/testing/tests/openssl/ecdsa-certs/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl/ecdsa-certs/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl openssl random x509 pubkey hmac stroke kernel-netlink
+  load = curl openssl random x509 pubkey hmac stroke kernel-netlink updown
 }
diff --git a/testing/tests/openssl/ike-alg-ecp-high/hosts/carol/etc/strongswan.conf b/testing/tests/openssl/ike-alg-ecp-high/hosts/carol/etc/strongswan.conf
index 90e0cb9f8..e10230384 100644
--- a/testing/tests/openssl/ike-alg-ecp-high/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl/ike-alg-ecp-high/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl openssl random x509 pubkey hmac stroke kernel-netlink
+  load = curl openssl random x509 pubkey hmac stroke kernel-netlink updown
 }
diff --git a/testing/tests/openssl/ike-alg-ecp-high/hosts/dave/etc/strongswan.conf b/testing/tests/openssl/ike-alg-ecp-high/hosts/dave/etc/strongswan.conf
index db26dfa69..7ffdcc204 100644
--- a/testing/tests/openssl/ike-alg-ecp-high/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl/ike-alg-ecp-high/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp openssl random x509 pubkey hmac stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp openssl random x509 pubkey hmac stroke kernel-netlink updown
 }
diff --git a/testing/tests/openssl/ike-alg-ecp-high/hosts/moon/etc/strongswan.conf b/testing/tests/openssl/ike-alg-ecp-high/hosts/moon/etc/strongswan.conf
index 90e0cb9f8..e10230384 100644
--- a/testing/tests/openssl/ike-alg-ecp-high/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl/ike-alg-ecp-high/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl openssl random x509 pubkey hmac stroke kernel-netlink
+  load = curl openssl random x509 pubkey hmac stroke kernel-netlink updown
 }
diff --git a/testing/tests/openssl/ike-alg-ecp-low/hosts/carol/etc/strongswan.conf b/testing/tests/openssl/ike-alg-ecp-low/hosts/carol/etc/strongswan.conf
index 90e0cb9f8..e10230384 100644
--- a/testing/tests/openssl/ike-alg-ecp-low/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl/ike-alg-ecp-low/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl openssl random x509 pubkey hmac stroke kernel-netlink
+  load = curl openssl random x509 pubkey hmac stroke kernel-netlink updown
 }
diff --git a/testing/tests/openssl/ike-alg-ecp-low/hosts/dave/etc/strongswan.conf b/testing/tests/openssl/ike-alg-ecp-low/hosts/dave/etc/strongswan.conf
index db26dfa69..7ffdcc204 100644
--- a/testing/tests/openssl/ike-alg-ecp-low/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl/ike-alg-ecp-low/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp openssl random x509 pubkey hmac stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp openssl random x509 pubkey hmac stroke kernel-netlink updown
 }
diff --git a/testing/tests/openssl/ike-alg-ecp-low/hosts/moon/etc/strongswan.conf b/testing/tests/openssl/ike-alg-ecp-low/hosts/moon/etc/strongswan.conf
index 90e0cb9f8..e10230384 100644
--- a/testing/tests/openssl/ike-alg-ecp-low/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl/ike-alg-ecp-low/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl openssl random x509 pubkey hmac stroke kernel-netlink
+  load = curl openssl random x509 pubkey hmac stroke kernel-netlink updown
 }
diff --git a/testing/tests/openssl/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/openssl/rw-cert/hosts/carol/etc/strongswan.conf
index 90e0cb9f8..e10230384 100644
--- a/testing/tests/openssl/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl/rw-cert/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl openssl random x509 pubkey hmac stroke kernel-netlink
+  load = curl openssl random x509 pubkey hmac stroke kernel-netlink updown
 }
diff --git a/testing/tests/openssl/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/openssl/rw-cert/hosts/dave/etc/strongswan.conf
index 770b86d2a..d46082bdd 100644
--- a/testing/tests/openssl/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl/rw-cert/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac stroke kernel-netlink updown
 }
diff --git a/testing/tests/openssl/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/openssl/rw-cert/hosts/moon/etc/strongswan.conf
index 90e0cb9f8..e10230384 100644
--- a/testing/tests/openssl/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl/rw-cert/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl openssl random x509 pubkey hmac stroke kernel-netlink
+  load = curl openssl random x509 pubkey hmac stroke kernel-netlink updown
 }
diff --git a/testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/strongswan.conf b/testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/p2pnat/behind-same-nat/hosts/carol/etc/strongswan.conf b/testing/tests/p2pnat/behind-same-nat/hosts/carol/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/p2pnat/behind-same-nat/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/p2pnat/behind-same-nat/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/strongswan.conf b/testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/strongswan.conf
+++ b/testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/strongswan.conf b/testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/p2pnat/medsrv-psk/hosts/bob/etc/strongswan.conf b/testing/tests/p2pnat/medsrv-psk/hosts/bob/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/p2pnat/medsrv-psk/hosts/bob/etc/strongswan.conf
+++ b/testing/tests/p2pnat/medsrv-psk/hosts/bob/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/p2pnat/medsrv-psk/hosts/carol/etc/strongswan.conf b/testing/tests/p2pnat/medsrv-psk/hosts/carol/etc/strongswan.conf
index ef63f7262..40eb84b8a 100644
--- a/testing/tests/p2pnat/medsrv-psk/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/p2pnat/medsrv-psk/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/pfkey/alg-aes-xcbc/description.txt b/testing/tests/pfkey/alg-aes-xcbc/description.txt
new file mode 100644
index 000000000..24a4afe57
--- /dev/null
+++ b/testing/tests/pfkey/alg-aes-xcbc/description.txt
@@ -0,0 +1,4 @@
+Roadwarrior <b>carol</b> proposes  to gateway <b>moon</b> the ESP cipher suite
+<b>AES_CBC-256/AES_XCBC_96</b> by defining <b>esp=aes256-aesxcbc-modp2048</b>
+in ipsec.conf. The same cipher suite is used for IKE: <b>ike=aes256-aesxcbc-modp2048</b>.
+A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/pfkey/alg-aes-xcbc/evaltest.dat b/testing/tests/pfkey/alg-aes-xcbc/evaltest.dat
new file mode 100644
index 000000000..853746cd4
--- /dev/null
+++ b/testing/tests/pfkey/alg-aes-xcbc/evaltest.dat
@@ -0,0 +1,9 @@
+moon::ipsec statusall::rw.*INSTALLED::YES
+carol::ipsec statusall::home.*INSTALLED::YES
+moon::ipsec statusall::rw.*IKE proposal.*AES_CBC-256/AES_XCBC_96/PRF_AES128_CBC/MODP_2048_BIT::YES
+carol::ipsec statusall::home.*IKE proposal.*AES_CBC-256/AES_XCBC_96/PRF_AES128_CBC/MODP_2048_BIT::YES
+moon::ipsec statusall::rw.*AES_CBC-256/AES_XCBC_96,::YES
+carol::ipsec statusall::home.*AES_CBC-256/AES_XCBC_96,::YES
+moon::ip xfrm state::auth xcbc(aes)::YES
+carol::ip xfrm state::auth xcbc(aes)::YES
+carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
diff --git a/testing/tests/pfkey/alg-aes-xcbc/hosts/carol/etc/ipsec.conf b/testing/tests/pfkey/alg-aes-xcbc/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..edd0aaaf8
--- /dev/null
+++ b/testing/tests/pfkey/alg-aes-xcbc/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=yes
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=aes256-aesxcbc-modp2048!
+	esp=aes256-aesxcbc-modp2048!
+
+conn home
+	left=PH_IP_CAROL
+	leftfirewall=yes
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add 
diff --git a/testing/tests/pfkey/alg-aes-xcbc/hosts/carol/etc/strongswan.conf b/testing/tests/pfkey/alg-aes-xcbc/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..db6fa7486
--- /dev/null
+++ b/testing/tests/pfkey/alg-aes-xcbc/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-pfkey kernel-netlink updown
+}
diff --git a/testing/tests/pfkey/alg-aes-xcbc/hosts/moon/etc/ipsec.conf b/testing/tests/pfkey/alg-aes-xcbc/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..18618929f
--- /dev/null
+++ b/testing/tests/pfkey/alg-aes-xcbc/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=yes
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=aes256-aesxcbc-modp2048!
+	esp=aes256-aesxcbc-modp2048!
+
+conn rw
+	left=PH_IP_MOON
+	leftfirewall=yes
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	right=%any
+	auto=add
diff --git a/testing/tests/pfkey/alg-aes-xcbc/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/alg-aes-xcbc/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..db6fa7486
--- /dev/null
+++ b/testing/tests/pfkey/alg-aes-xcbc/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-pfkey kernel-netlink updown
+}
diff --git a/testing/tests/pfkey/alg-aes-xcbc/posttest.dat b/testing/tests/pfkey/alg-aes-xcbc/posttest.dat
new file mode 100644
index 000000000..94a400606
--- /dev/null
+++ b/testing/tests/pfkey/alg-aes-xcbc/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/pfkey/alg-aes-xcbc/pretest.dat b/testing/tests/pfkey/alg-aes-xcbc/pretest.dat
new file mode 100644
index 000000000..f360351e1
--- /dev/null
+++ b/testing/tests/pfkey/alg-aes-xcbc/pretest.dat
@@ -0,0 +1,6 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+carol::sleep 1 
+carol::ipsec up home
diff --git a/testing/tests/pfkey/alg-aes-xcbc/test.conf b/testing/tests/pfkey/alg-aes-xcbc/test.conf
new file mode 100644
index 000000000..2b240d895
--- /dev/null
+++ b/testing/tests/pfkey/alg-aes-xcbc/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/pfkey/host2host-transport/description.txt b/testing/tests/pfkey/host2host-transport/description.txt
new file mode 100644
index 000000000..fe3482c96
--- /dev/null
+++ b/testing/tests/pfkey/host2host-transport/description.txt
@@ -0,0 +1,4 @@
+An IPsec <b>transport-mode</b> connection between the hosts <b>moon</b> and <b>sun</b> is
+successfully set up. <b>leftfirewall=yes</b> automatically inserts iptables-based firewall
+rules that let pass the decrypted IP packets. In order to test the host-to-host connection
+<b>moon</b> pings <b>sun</b>.
diff --git a/testing/tests/pfkey/host2host-transport/evaltest.dat b/testing/tests/pfkey/host2host-transport/evaltest.dat
new file mode 100644
index 000000000..b3cade48c
--- /dev/null
+++ b/testing/tests/pfkey/host2host-transport/evaltest.dat
@@ -0,0 +1,8 @@
+moon::cat /var/log/daemon.log::parsed IKE_AUTH response.*N(USE_TRANSP)::YES
+moon::ipsec status::host-host.*INSTALLED.*TRANSPORT::YES
+sun::ipsec status::host-host.*INSTALLED.*TRANSPORT::YES
+moon::ip xfrm state::mode transport::YES
+sun::ip xfrm state::mode transport::YES
+moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_seq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/pfkey/host2host-transport/hosts/moon/etc/ipsec.conf b/testing/tests/pfkey/host2host-transport/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..7f6c5a58a
--- /dev/null
+++ b/testing/tests/pfkey/host2host-transport/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	mobike=no
+	keyexchange=ikev2
+
+conn host-host
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftfirewall=yes
+	right=PH_IP_SUN
+	rightid=@sun.strongswan.org
+	type=transport
+	auto=add
diff --git a/testing/tests/pfkey/host2host-transport/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/host2host-transport/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..db6fa7486
--- /dev/null
+++ b/testing/tests/pfkey/host2host-transport/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-pfkey kernel-netlink updown
+}
diff --git a/testing/tests/pfkey/host2host-transport/hosts/sun/etc/ipsec.conf b/testing/tests/pfkey/host2host-transport/hosts/sun/etc/ipsec.conf
new file mode 100755
index 000000000..af52fb22b
--- /dev/null
+++ b/testing/tests/pfkey/host2host-transport/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	mobike=no
+	keyexchange=ikev2
+
+conn host-host
+	left=PH_IP_SUN
+	leftcert=sunCert.pem
+	leftid=@sun.strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	type=transport
+	auto=add
diff --git a/testing/tests/pfkey/host2host-transport/hosts/sun/etc/strongswan.conf b/testing/tests/pfkey/host2host-transport/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..db6fa7486
--- /dev/null
+++ b/testing/tests/pfkey/host2host-transport/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-pfkey kernel-netlink updown
+}
diff --git a/testing/tests/pfkey/host2host-transport/posttest.dat b/testing/tests/pfkey/host2host-transport/posttest.dat
new file mode 100644
index 000000000..5a9150bc8
--- /dev/null
+++ b/testing/tests/pfkey/host2host-transport/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/pfkey/host2host-transport/pretest.dat b/testing/tests/pfkey/host2host-transport/pretest.dat
new file mode 100644
index 000000000..e2d98f2eb
--- /dev/null
+++ b/testing/tests/pfkey/host2host-transport/pretest.dat
@@ -0,0 +1,6 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+sun::ipsec start
+moon::sleep 2
+moon::ipsec up host-host
diff --git a/testing/tests/pfkey/host2host-transport/test.conf b/testing/tests/pfkey/host2host-transport/test.conf
new file mode 100644
index 000000000..cf2e704fd
--- /dev/null
+++ b/testing/tests/pfkey/host2host-transport/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon winnetou sun"
+ 
+# Corresponding block diagram
+#
+DIAGRAM="m-w-s.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/pfkey/nat-two-rw/description.txt b/testing/tests/pfkey/nat-two-rw/description.txt
new file mode 100644
index 000000000..dcf4b94bd
--- /dev/null
+++ b/testing/tests/pfkey/nat-two-rw/description.txt
@@ -0,0 +1,5 @@
+The roadwarriors <b>alice</b> and <b>venus</b> sitting behind the NAT router <b>moon</b> set up
+tunnels to gateway <b>sun</b>. UDP encapsulation is used to traverse the NAT router.
+<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass
+the tunneled traffic. In order to test the tunnel, the NAT-ed hosts <b>alice</b> and <b>venus</b>
+ping the client <b>bob</b> behind the gateway <b>sun</b>.
diff --git a/testing/tests/pfkey/nat-two-rw/evaltest.dat b/testing/tests/pfkey/nat-two-rw/evaltest.dat
new file mode 100644
index 000000000..bd0a4b52b
--- /dev/null
+++ b/testing/tests/pfkey/nat-two-rw/evaltest.dat
@@ -0,0 +1,9 @@
+alice::ipsec statusall::nat-t.*INSTALLED::YES
+venus::ipsec statusall::nat-t.*INSTALLED::YES
+sun::ipsec statusall::nat-t.*INSTALLED::YES
+sun::ipsec status::alice@strongswan.org::YES
+sun::ipsec status::venus.strongswan.org::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP::YES
+moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP::YES
diff --git a/testing/tests/pfkey/nat-two-rw/hosts/alice/etc/ipsec.conf b/testing/tests/pfkey/nat-two-rw/hosts/alice/etc/ipsec.conf
new file mode 100755
index 000000000..3da2fcf86
--- /dev/null
+++ b/testing/tests/pfkey/nat-two-rw/hosts/alice/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+		
+conn nat-t
+	left=%defaultroute
+	leftcert=aliceCert.pem
+	leftid=alice@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_SUN
+	rightid=@sun.strongswan.org
+	rightsubnet=10.2.0.0/16
+	auto=add
diff --git a/testing/tests/pfkey/nat-two-rw/hosts/alice/etc/strongswan.conf b/testing/tests/pfkey/nat-two-rw/hosts/alice/etc/strongswan.conf
new file mode 100644
index 000000000..db6fa7486
--- /dev/null
+++ b/testing/tests/pfkey/nat-two-rw/hosts/alice/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-pfkey kernel-netlink updown
+}
diff --git a/testing/tests/pfkey/nat-two-rw/hosts/sun/etc/ipsec.conf b/testing/tests/pfkey/nat-two-rw/hosts/sun/etc/ipsec.conf
new file mode 100755
index 000000000..d8b426318
--- /dev/null
+++ b/testing/tests/pfkey/nat-two-rw/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,35 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	left=PH_IP_SUN
+	leftcert=sunCert.pem
+	leftid=@sun.strongswan.org
+	leftfirewall=yes
+
+conn net-net
+	leftsubnet=10.2.0.0/16
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
+
+conn host-host
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	auto=add
+
+conn nat-t
+	leftsubnet=10.2.0.0/16
+	right=%any
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/pfkey/nat-two-rw/hosts/sun/etc/strongswan.conf b/testing/tests/pfkey/nat-two-rw/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..db6fa7486
--- /dev/null
+++ b/testing/tests/pfkey/nat-two-rw/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-pfkey kernel-netlink updown
+}
diff --git a/testing/tests/pfkey/nat-two-rw/hosts/venus/etc/ipsec.conf b/testing/tests/pfkey/nat-two-rw/hosts/venus/etc/ipsec.conf
new file mode 100755
index 000000000..3a70b3434
--- /dev/null
+++ b/testing/tests/pfkey/nat-two-rw/hosts/venus/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn nat-t
+	left=%defaultroute
+	leftcert=venusCert.pem
+	leftid=@venus.strongswan.org
+	leftfirewall=yes
+	right=PH_IP_SUN
+	rightid=@sun.strongswan.org
+	rightsubnet=10.2.0.0/16
+	auto=add
diff --git a/testing/tests/pfkey/nat-two-rw/hosts/venus/etc/strongswan.conf b/testing/tests/pfkey/nat-two-rw/hosts/venus/etc/strongswan.conf
new file mode 100644
index 000000000..db6fa7486
--- /dev/null
+++ b/testing/tests/pfkey/nat-two-rw/hosts/venus/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-pfkey kernel-netlink updown
+}
diff --git a/testing/tests/pfkey/nat-two-rw/posttest.dat b/testing/tests/pfkey/nat-two-rw/posttest.dat
new file mode 100644
index 000000000..52572ece8
--- /dev/null
+++ b/testing/tests/pfkey/nat-two-rw/posttest.dat
@@ -0,0 +1,8 @@
+sun::ipsec stop
+alice::ipsec stop
+venus::ipsec stop
+alice::/etc/init.d/iptables stop 2> /dev/null
+venus::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables -t nat -F
+moon::conntrack -F
diff --git a/testing/tests/pfkey/nat-two-rw/pretest.dat b/testing/tests/pfkey/nat-two-rw/pretest.dat
new file mode 100644
index 000000000..e365ff5c5
--- /dev/null
+++ b/testing/tests/pfkey/nat-two-rw/pretest.dat
@@ -0,0 +1,14 @@
+alice::/etc/init.d/iptables start 2> /dev/null
+venus::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
+moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
+alice::ipsec start
+venus::ipsec start
+sun::ipsec start
+alice::sleep 2 
+alice::ipsec up nat-t
+venus::sleep 2 
+venus::ipsec up nat-t
+venus::sleep 2
diff --git a/testing/tests/pfkey/nat-two-rw/test.conf b/testing/tests/pfkey/nat-two-rw/test.conf
new file mode 100644
index 000000000..84317fd70
--- /dev/null
+++ b/testing/tests/pfkey/nat-two-rw/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice venus moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-w-s-b.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="alice venus sun"
diff --git a/testing/tests/pfkey/net2net-route/description.txt b/testing/tests/pfkey/net2net-route/description.txt
new file mode 100644
index 000000000..323f09555
--- /dev/null
+++ b/testing/tests/pfkey/net2net-route/description.txt
@@ -0,0 +1,9 @@
+A tunnel that will connect the subnets behind the gateways <b>moon</b>
+and <b>sun</b>, respectively, is preconfigured by installing a %trap eroute
+on gateway <b>moon</b> by means of the setting <b>auto=route</b> in ipsec.conf.
+A subsequent ping issued by client <b>alice</b> behind gateway <b>moon</b> to
+<b>bob</b> located behind gateway <b>sun</b> triggers the %trap eroute and
+leads to the automatic establishment of the subnet-to-subnet tunnel.
+<p>
+<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules
+that let pass the tunneled traffic.
diff --git a/testing/tests/pfkey/net2net-route/evaltest.dat b/testing/tests/pfkey/net2net-route/evaltest.dat
new file mode 100644
index 000000000..a89e5a298
--- /dev/null
+++ b/testing/tests/pfkey/net2net-route/evaltest.dat
@@ -0,0 +1,6 @@
+moon::cat /var/log/daemon.log::creating acquire job::YES
+moon::ipsec statusall::net-net.*INSTALLED::YES
+sun::ipsec statusall::net-net.*INSTALLED::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/pfkey/net2net-route/hosts/moon/etc/ipsec.conf b/testing/tests/pfkey/net2net-route/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..8a2f8b77c
--- /dev/null
+++ b/testing/tests/pfkey/net2net-route/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	mobike=no
+
+conn net-net
+	left=PH_IP_MOON
+	leftsubnet=10.1.0.0/16
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftfirewall=yes
+	right=PH_IP_SUN
+	rightsubnet=10.2.0.0/16
+	rightid=@sun.strongswan.org
+	auto=route
diff --git a/testing/tests/pfkey/net2net-route/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/net2net-route/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..db6fa7486
--- /dev/null
+++ b/testing/tests/pfkey/net2net-route/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-pfkey kernel-netlink updown
+}
diff --git a/testing/tests/pfkey/net2net-route/hosts/sun/etc/ipsec.conf b/testing/tests/pfkey/net2net-route/hosts/sun/etc/ipsec.conf
new file mode 100755
index 000000000..24e5df519
--- /dev/null
+++ b/testing/tests/pfkey/net2net-route/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+        keyingtries=1
+	keyexchange=ikev2
+	mobike=no
+
+conn net-net 
+	left=PH_IP_SUN
+	leftcert=sunCert.pem
+	leftid=@sun.strongswan.org
+	leftsubnet=10.2.0.0/16
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/pfkey/net2net-route/hosts/sun/etc/strongswan.conf b/testing/tests/pfkey/net2net-route/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..db6fa7486
--- /dev/null
+++ b/testing/tests/pfkey/net2net-route/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-pfkey kernel-netlink updown
+}
diff --git a/testing/tests/pfkey/net2net-route/posttest.dat b/testing/tests/pfkey/net2net-route/posttest.dat
new file mode 100644
index 000000000..5a9150bc8
--- /dev/null
+++ b/testing/tests/pfkey/net2net-route/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/pfkey/net2net-route/pretest.dat b/testing/tests/pfkey/net2net-route/pretest.dat
new file mode 100644
index 000000000..2eef7de19
--- /dev/null
+++ b/testing/tests/pfkey/net2net-route/pretest.dat
@@ -0,0 +1,6 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+sun::ipsec start
+moon::sleep 2 
+alice::ping -c 10 PH_IP_BOB
diff --git a/testing/tests/pfkey/net2net-route/test.conf b/testing/tests/pfkey/net2net-route/test.conf
new file mode 100644
index 000000000..d9a61590f
--- /dev/null
+++ b/testing/tests/pfkey/net2net-route/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+ 
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/pfkey/protoport-dual/description.txt b/testing/tests/pfkey/protoport-dual/description.txt
new file mode 100644
index 000000000..7bed8b959
--- /dev/null
+++ b/testing/tests/pfkey/protoport-dual/description.txt
@@ -0,0 +1,6 @@
+Using the <b>left|rightprotoport</b> selectors, two IPsec tunnels 
+between the roadwarrior <b>carol</b> and the gateway <b>moon</b> are
+defined. The first IPsec SA is restricted to ICMP packets and the second
+covers TCP-based SSH connections. The established tunnels are tested
+by <b>carol</b> by first pinging <b>alice</b> behind <b>moon</b> and
+then setting up an SSH session to the same client.
diff --git a/testing/tests/pfkey/protoport-dual/evaltest.dat b/testing/tests/pfkey/protoport-dual/evaltest.dat
new file mode 100644
index 000000000..bd24b911c
--- /dev/null
+++ b/testing/tests/pfkey/protoport-dual/evaltest.dat
@@ -0,0 +1,9 @@
+carol::ipsec statusall::home-icmp.*INSTALLED::YES
+carol::ipsec statusall::home-ssh.*INSTALLED::YES
+moon::ipsec statusall::rw-icmp.*INSTALLED::YES
+moon::ipsec statusall::rw-ssh.*INSTALLED::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
+carol::ssh -o ConnectTimeout=5 PH_IP_ALICE hostname::alice::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/pfkey/protoport-dual/hosts/carol/etc/ipsec.conf b/testing/tests/pfkey/protoport-dual/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..51971a13c
--- /dev/null
+++ b/testing/tests/pfkey/protoport-dual/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,29 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	left=PH_IP_CAROL
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
+	
+conn home-icmp
+	leftprotoport=icmp
+	rightprotoport=icmp
+
+conn home-ssh
+	leftprotoport=tcp
+	rightprotoport=tcp/ssh
diff --git a/testing/tests/pfkey/protoport-dual/hosts/carol/etc/strongswan.conf b/testing/tests/pfkey/protoport-dual/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..db6fa7486
--- /dev/null
+++ b/testing/tests/pfkey/protoport-dual/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-pfkey kernel-netlink updown
+}
diff --git a/testing/tests/pfkey/protoport-dual/hosts/moon/etc/ipsec.conf b/testing/tests/pfkey/protoport-dual/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..0d7e8db3f
--- /dev/null
+++ b/testing/tests/pfkey/protoport-dual/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,29 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftfirewall=yes
+	leftsubnet=10.1.0.0/16
+	right=%any
+	auto=add
+
+conn rw-icmp
+	lefthostaccess=yes
+	leftprotoport=icmp
+	rightprotoport=icmp
+
+conn rw-ssh
+	leftprotoport=tcp/ssh
+	rightprotoport=tcp
diff --git a/testing/tests/pfkey/protoport-dual/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/protoport-dual/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..db6fa7486
--- /dev/null
+++ b/testing/tests/pfkey/protoport-dual/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-pfkey kernel-netlink updown
+}
diff --git a/testing/tests/pfkey/protoport-dual/posttest.dat b/testing/tests/pfkey/protoport-dual/posttest.dat
new file mode 100644
index 000000000..94a400606
--- /dev/null
+++ b/testing/tests/pfkey/protoport-dual/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/pfkey/protoport-dual/pretest.dat b/testing/tests/pfkey/protoport-dual/pretest.dat
new file mode 100644
index 000000000..d3d0061c3
--- /dev/null
+++ b/testing/tests/pfkey/protoport-dual/pretest.dat
@@ -0,0 +1,7 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+carol::sleep 2
+carol::ipsec up home-icmp
+carol::ipsec up home-ssh
diff --git a/testing/tests/pfkey/protoport-dual/test.conf b/testing/tests/pfkey/protoport-dual/test.conf
new file mode 100644
index 000000000..9cd583b16
--- /dev/null
+++ b/testing/tests/pfkey/protoport-dual/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/pfkey/protoport-route/description.txt b/testing/tests/pfkey/protoport-route/description.txt
new file mode 100644
index 000000000..ec7ec69b0
--- /dev/null
+++ b/testing/tests/pfkey/protoport-route/description.txt
@@ -0,0 +1,8 @@
+Using the <b>left|rightprotoport</b> selectors, two IPsec tunnels 
+between the roadwarrior <b>carol</b> and the gateway <b>moon</b> are
+defined. The first IPsec SA is restricted to ICMP packets and the second
+covers TCP-based SSH connections. Using <b>add=route</b> %trap
+eroutes for these IPsec SAs are prepared on <b>carol</b>. By sending
+a ping to the client <b>alice</b> behind <b>moon</b>, the ICMP eroute
+is triggered and the corresponding IPsec tunnel is set up. In the same
+way an ssh session to <b>alice</b> over the second IPsec SA is established.
diff --git a/testing/tests/pfkey/protoport-route/evaltest.dat b/testing/tests/pfkey/protoport-route/evaltest.dat
new file mode 100644
index 000000000..78d062918
--- /dev/null
+++ b/testing/tests/pfkey/protoport-route/evaltest.dat
@@ -0,0 +1,10 @@
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq::YES
+carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq::YES
+carol::ssh PH_IP_ALICE hostname::alice::YES
+carol::cat /var/log/daemon.log::creating acquire job::YES
+carol::ipsec statusall::home-icmp.*INSTALLED::YES
+carol::ipsec statusall::home-ssh.*INSTALLED::YES
+moon::ipsec statusall::rw-icmp.*INSTALLED::YES
+moon::ipsec statusall::rw-ssh.*INSTALLED::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/pfkey/protoport-route/hosts/carol/etc/ipsec.conf b/testing/tests/pfkey/protoport-route/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..d76a6ee17
--- /dev/null
+++ b/testing/tests/pfkey/protoport-route/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,29 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	left=PH_IP_CAROL
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=route
+	
+conn home-icmp
+	leftprotoport=icmp
+	rightprotoport=icmp
+
+conn home-ssh
+	leftprotoport=tcp
+	rightprotoport=tcp/ssh
diff --git a/testing/tests/pfkey/protoport-route/hosts/carol/etc/strongswan.conf b/testing/tests/pfkey/protoport-route/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..db6fa7486
--- /dev/null
+++ b/testing/tests/pfkey/protoport-route/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-pfkey kernel-netlink updown
+}
diff --git a/testing/tests/pfkey/protoport-route/hosts/moon/etc/ipsec.conf b/testing/tests/pfkey/protoport-route/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..0d7e8db3f
--- /dev/null
+++ b/testing/tests/pfkey/protoport-route/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,29 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftfirewall=yes
+	leftsubnet=10.1.0.0/16
+	right=%any
+	auto=add
+
+conn rw-icmp
+	lefthostaccess=yes
+	leftprotoport=icmp
+	rightprotoport=icmp
+
+conn rw-ssh
+	leftprotoport=tcp/ssh
+	rightprotoport=tcp
diff --git a/testing/tests/pfkey/protoport-route/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/protoport-route/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..db6fa7486
--- /dev/null
+++ b/testing/tests/pfkey/protoport-route/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-pfkey kernel-netlink updown
+}
diff --git a/testing/tests/pfkey/protoport-route/posttest.dat b/testing/tests/pfkey/protoport-route/posttest.dat
new file mode 100644
index 000000000..94a400606
--- /dev/null
+++ b/testing/tests/pfkey/protoport-route/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/pfkey/protoport-route/pretest.dat b/testing/tests/pfkey/protoport-route/pretest.dat
new file mode 100644
index 000000000..0aded0f4d
--- /dev/null
+++ b/testing/tests/pfkey/protoport-route/pretest.dat
@@ -0,0 +1,8 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+carol::sleep 1
+carol::ssh PH_IP_ALICE hostname
+carol::ping -c 1 PH_IP_ALICE > /dev/null
+carol::sleep 2
diff --git a/testing/tests/pfkey/protoport-route/test.conf b/testing/tests/pfkey/protoport-route/test.conf
new file mode 100644
index 000000000..9cd583b16
--- /dev/null
+++ b/testing/tests/pfkey/protoport-route/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/pfkey/rw-cert/description.txt b/testing/tests/pfkey/rw-cert/description.txt
new file mode 100644
index 000000000..15b3822b5
--- /dev/null
+++ b/testing/tests/pfkey/rw-cert/description.txt
@@ -0,0 +1,6 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
+to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
+Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
+the client <b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/pfkey/rw-cert/evaltest.dat b/testing/tests/pfkey/rw-cert/evaltest.dat
new file mode 100644
index 000000000..06a0f8cda
--- /dev/null
+++ b/testing/tests/pfkey/rw-cert/evaltest.dat
@@ -0,0 +1,10 @@
+moon::ipsec statusall::rw.*ESTABLISHED::YES
+carol::ipsec statusall::home.*ESTABLISHED::YES
+dave::ipsec statusall::home.*ESTABLISHED::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+
diff --git a/testing/tests/pfkey/rw-cert/hosts/carol/etc/ipsec.conf b/testing/tests/pfkey/rw-cert/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..bcdb8641b
--- /dev/null
+++ b/testing/tests/pfkey/rw-cert/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+
+conn home
+	left=PH_IP_CAROL
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	keyexchange=ikev2
+	auto=add
diff --git a/testing/tests/pfkey/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/pfkey/rw-cert/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..db6fa7486
--- /dev/null
+++ b/testing/tests/pfkey/rw-cert/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-pfkey kernel-netlink updown
+}
diff --git a/testing/tests/pfkey/rw-cert/hosts/dave/etc/ipsec.conf b/testing/tests/pfkey/rw-cert/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..ea8bc92a7
--- /dev/null
+++ b/testing/tests/pfkey/rw-cert/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+
+conn home
+	left=PH_IP_DAVE
+	leftcert=daveCert.pem
+	leftid=dave@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	keyexchange=ikev2
+	auto=add
diff --git a/testing/tests/pfkey/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/pfkey/rw-cert/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..db6fa7486
--- /dev/null
+++ b/testing/tests/pfkey/rw-cert/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-pfkey kernel-netlink updown
+}
diff --git a/testing/tests/pfkey/rw-cert/hosts/moon/etc/ipsec.conf b/testing/tests/pfkey/rw-cert/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..274521386
--- /dev/null
+++ b/testing/tests/pfkey/rw-cert/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+
+conn rw
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	leftfirewall=yes
+	right=%any
+	keyexchange=ikev2
+	auto=add
diff --git a/testing/tests/pfkey/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/rw-cert/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..db6fa7486
--- /dev/null
+++ b/testing/tests/pfkey/rw-cert/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-pfkey kernel-netlink updown
+}
diff --git a/testing/tests/pfkey/rw-cert/posttest.dat b/testing/tests/pfkey/rw-cert/posttest.dat
new file mode 100644
index 000000000..7cebd7f25
--- /dev/null
+++ b/testing/tests/pfkey/rw-cert/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/pfkey/rw-cert/pretest.dat b/testing/tests/pfkey/rw-cert/pretest.dat
new file mode 100644
index 000000000..42e9d7c24
--- /dev/null
+++ b/testing/tests/pfkey/rw-cert/pretest.dat
@@ -0,0 +1,9 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/pfkey/rw-cert/test.conf b/testing/tests/pfkey/rw-cert/test.conf
new file mode 100644
index 000000000..70416826e
--- /dev/null
+++ b/testing/tests/pfkey/rw-cert/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/strongswan.conf
index f70c4cbcb..29e2395e8 100644
--- a/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink sqlite sql
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown sqlite sql
 }
diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/strongswan.conf
index f70c4cbcb..29e2395e8 100644
--- a/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink sqlite sql
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown sqlite sql
 }
diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/strongswan.conf
index f70c4cbcb..29e2395e8 100644
--- a/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink sqlite sql
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown sqlite sql
 }
diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/strongswan.conf
index f70c4cbcb..29e2395e8 100644
--- a/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink sqlite sql
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown sqlite sql
 }
diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/strongswan.conf
index f70c4cbcb..29e2395e8 100644
--- a/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink sqlite sql
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown sqlite sql
 }
diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/strongswan.conf
index f70c4cbcb..29e2395e8 100644
--- a/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink sqlite sql
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown sqlite sql
 }
diff --git a/testing/tests/sql/ip-pool-db/hosts/carol/etc/strongswan.conf b/testing/tests/sql/ip-pool-db/hosts/carol/etc/strongswan.conf
index f70c4cbcb..29e2395e8 100644
--- a/testing/tests/sql/ip-pool-db/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/ip-pool-db/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink sqlite sql
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown sqlite sql
 }
diff --git a/testing/tests/sql/ip-pool-db/hosts/dave/etc/strongswan.conf b/testing/tests/sql/ip-pool-db/hosts/dave/etc/strongswan.conf
index f70c4cbcb..29e2395e8 100644
--- a/testing/tests/sql/ip-pool-db/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/ip-pool-db/hosts/dave/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink sqlite sql
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown sqlite sql
 }
diff --git a/testing/tests/sql/ip-pool-db/hosts/moon/etc/strongswan.conf b/testing/tests/sql/ip-pool-db/hosts/moon/etc/strongswan.conf
index f70c4cbcb..29e2395e8 100644
--- a/testing/tests/sql/ip-pool-db/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/ip-pool-db/hosts/moon/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink sqlite sql
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown sqlite sql
 }
diff --git a/testing/tests/sql/net2net-cert/hosts/moon/etc/strongswan.conf b/testing/tests/sql/net2net-cert/hosts/moon/etc/strongswan.conf
index f70c4cbcb..29e2395e8 100644
--- a/testing/tests/sql/net2net-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/net2net-cert/hosts/moon/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink sqlite sql
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown sqlite sql
 }
diff --git a/testing/tests/sql/net2net-cert/hosts/sun/etc/strongswan.conf b/testing/tests/sql/net2net-cert/hosts/sun/etc/strongswan.conf
index f70c4cbcb..29e2395e8 100644
--- a/testing/tests/sql/net2net-cert/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/sql/net2net-cert/hosts/sun/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink sqlite sql
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown sqlite sql
 }
diff --git a/testing/tests/sql/net2net-psk/hosts/moon/etc/strongswan.conf b/testing/tests/sql/net2net-psk/hosts/moon/etc/strongswan.conf
index 84b63f185..0595de2f9 100644
--- a/testing/tests/sql/net2net-psk/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/net2net-psk/hosts/moon/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink sqlite sql
+  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink updown sqlite sql
 }
diff --git a/testing/tests/sql/net2net-psk/hosts/sun/etc/strongswan.conf b/testing/tests/sql/net2net-psk/hosts/sun/etc/strongswan.conf
index 84b63f185..0595de2f9 100644
--- a/testing/tests/sql/net2net-psk/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/sql/net2net-psk/hosts/sun/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink sqlite sql
+  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf
index f70c4cbcb..29e2395e8 100644
--- a/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink sqlite sql
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf
index f70c4cbcb..29e2395e8 100644
--- a/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink sqlite sql
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf
index f70c4cbcb..29e2395e8 100644
--- a/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink sqlite sql
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf
index 65075739c..d0bbaf726 100644
--- a/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 fips-prf gmp random x509 pubkey hmac xcbc stroke kernel-netlink sqlite sql eapaka
+  load = curl aes des sha1 sha2 md5 fips-prf gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown sqlite sql eapaka
 }
diff --git a/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf
index e07b6ebed..32e183aa8 100644
--- a/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = aes des sha1 sha2 md5 fips-prf gmp random x509 pubkey hmac xcbc stroke kernel-netlink sqlite sql eapaka
+  load = aes des sha1 sha2 md5 fips-prf gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown sqlite sql eapaka
 }
diff --git a/testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
index 84b63f185..0595de2f9 100644
--- a/testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink sqlite sql
+  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
index 84b63f185..0595de2f9 100644
--- a/testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink sqlite sql
+  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
index 84b63f185..0595de2f9 100644
--- a/testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink sqlite sql
+  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/strongswan.conf
index 84b63f185..0595de2f9 100644
--- a/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink sqlite sql
+  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/strongswan.conf
index 84b63f185..0595de2f9 100644
--- a/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink sqlite sql
+  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/strongswan.conf
index 84b63f185..0595de2f9 100644
--- a/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink sqlite sql
+  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf
index f70c4cbcb..29e2395e8 100644
--- a/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink sqlite sql
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf
index f70c4cbcb..29e2395e8 100644
--- a/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink sqlite sql
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf
index f70c4cbcb..29e2395e8 100644
--- a/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink sqlite sql
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/strongswan.conf
index f70c4cbcb..29e2395e8 100644
--- a/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink sqlite sql
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/strongswan.conf
index f70c4cbcb..29e2395e8 100644
--- a/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink sqlite sql
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/strongswan.conf
index f70c4cbcb..29e2395e8 100644
--- a/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink sqlite sql
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-rsa/hosts/carol/etc/strongswan.conf
index f70c4cbcb..29e2395e8 100644
--- a/testing/tests/sql/rw-rsa/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/rw-rsa/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink sqlite sql
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-rsa/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-rsa/hosts/dave/etc/strongswan.conf
index f70c4cbcb..29e2395e8 100644
--- a/testing/tests/sql/rw-rsa/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/rw-rsa/hosts/dave/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink sqlite sql
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-rsa/hosts/moon/etc/strongswan.conf
index f70c4cbcb..29e2395e8 100644
--- a/testing/tests/sql/rw-rsa/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/rw-rsa/hosts/moon/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink sqlite sql
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown sqlite sql
 }
-- 
cgit v1.2.3


From 19364e11c66714324bd3d5d0dc9212db397085cb Mon Sep 17 00:00:00 2001
From: Rene Mayrhofer <rene@mayrhofer.eu.org>
Date: Sat, 28 Feb 2009 22:02:31 +0000
Subject: [svn-upgrade] Integrating new upstream version, strongswan (4.2.12)

---
 Makefile.in                                        |    18 +-
 NEWS                                               |    49 +
 aclocal.m4                                         | 10276 +++---
 config.guess                                       |    32 +-
 config.sub                                         |    44 +-
 configure                                          | 30992 +++++++------------
 configure.in                                       |    55 +-
 ltmain.sh                                          | 12692 ++++----
 scripts/Makefile.in                                |    18 +-
 scripts/thread_analysis.c                          |     2 +-
 src/Makefile.in                                    |    18 +-
 src/_copyright/Makefile.in                         |    18 +-
 src/_updown/Makefile.in                            |    18 +-
 src/_updown_espmark/Makefile.in                    |    18 +-
 src/charon/Makefile.am                             |     5 +
 src/charon/Makefile.in                             |    49 +-
 src/charon/config/attributes/attribute_manager.c   |    30 +-
 src/charon/config/attributes/attribute_manager.h   |     3 +-
 src/charon/config/attributes/attribute_provider.h  |     3 +-
 src/charon/config/backend_manager.c                |    65 +-
 src/charon/config/child_cfg.c                      |     4 +-
 src/charon/config/proposal.c                       |     9 +-
 src/charon/config/traffic_selector.c               |    19 +-
 src/charon/config/traffic_selector.h               |     2 +-
 src/charon/control/controller.c                    |    49 +-
 src/charon/credentials/auth_info.c                 |    15 +-
 src/charon/credentials/auth_info.h                 |     5 +
 src/charon/credentials/sets/cert_cache.c           |   374 +-
 src/charon/daemon.c                                |    28 +-
 src/charon/daemon.h                                |     7 +-
 src/charon/encoding/generator.c                    |   428 +-
 src/charon/encoding/generator.h                    |     6 +-
 src/charon/encoding/parser.c                       |   250 +-
 .../encoding/payloads/configuration_attribute.c    |     7 +-
 .../encoding/payloads/configuration_attribute.h    |     7 +-
 src/charon/encoding/payloads/nonce_payload.h       |     4 +-
 src/charon/encoding/payloads/notify_payload.c      |    18 +-
 src/charon/encoding/payloads/notify_payload.h      |     5 +-
 src/charon/encoding/payloads/payload.h             |     4 +-
 src/charon/network/receiver.c                      |    46 +-
 src/charon/network/socket.c                        |     7 +-
 src/charon/plugins/eap_aka/Makefile.in             |    18 +-
 src/charon/plugins/eap_gtc/Makefile.in             |    18 +-
 src/charon/plugins/eap_identity/Makefile.in        |    18 +-
 src/charon/plugins/eap_md5/Makefile.in             |    18 +-
 src/charon/plugins/eap_mschapv2/Makefile.am        |    12 +
 src/charon/plugins/eap_mschapv2/Makefile.in        |   502 +
 src/charon/plugins/eap_mschapv2/eap_mschapv2.c     |  1208 +
 src/charon/plugins/eap_mschapv2/eap_mschapv2.h     |    59 +
 .../plugins/eap_mschapv2/eap_mschapv2_plugin.c     |    52 +
 .../plugins/eap_mschapv2/eap_mschapv2_plugin.h     |    49 +
 src/charon/plugins/eap_sim/Makefile.in             |    18 +-
 src/charon/plugins/eap_sim/eap_sim.c               |     3 +-
 src/charon/plugins/eap_sim_file/Makefile.in        |    18 +-
 src/charon/plugins/kernel_klips/Makefile.in        |    18 +-
 .../plugins/kernel_klips/kernel_klips_ipsec.c      |     4 +-
 src/charon/plugins/kernel_netlink/Makefile.in      |    18 +-
 .../plugins/kernel_netlink/kernel_netlink_ipsec.c  |   185 +-
 .../plugins/kernel_netlink/kernel_netlink_net.c    |     5 +-
 .../plugins/kernel_netlink/kernel_netlink_shared.c |    22 +-
 src/charon/plugins/kernel_pfkey/Makefile.in        |    18 +-
 .../plugins/kernel_pfkey/kernel_pfkey_ipsec.c      |   143 +-
 src/charon/plugins/load_tester/Makefile.am         |     3 +-
 src/charon/plugins/load_tester/Makefile.in         |    25 +-
 .../plugins/load_tester/load_tester_config.c       |   141 +-
 src/charon/plugins/load_tester/load_tester_creds.c |   172 +-
 .../load_tester/load_tester_diffie_hellman.c       |    69 +
 .../load_tester/load_tester_diffie_hellman.h       |    50 +
 .../plugins/load_tester/load_tester_listener.c     |    37 +-
 .../plugins/load_tester/load_tester_listener.h     |     5 +-
 .../plugins/load_tester/load_tester_plugin.c       |   130 +-
 src/charon/plugins/medcli/Makefile.in              |    18 +-
 src/charon/plugins/medsrv/Makefile.in              |    18 +-
 src/charon/plugins/nm/Makefile.am                  |    18 -
 src/charon/plugins/nm/Makefile.in                  |    35 +-
 src/charon/plugins/nm/gnome/Makefile.am            |    24 -
 src/charon/plugins/nm/gnome/Makefile.in            |   767 -
 src/charon/plugins/nm/gnome/aclocal.m4             |  8398 -----
 .../.deps/nm_strongswan_auth_dialog-main.Po        |     1 -
 src/charon/plugins/nm/gnome/auth-dialog/Makefile   |   566 -
 .../plugins/nm/gnome/auth-dialog/Makefile.am       |    27 -
 .../plugins/nm/gnome/auth-dialog/Makefile.in       |   566 -
 src/charon/plugins/nm/gnome/auth-dialog/main.c     |   244 -
 src/charon/plugins/nm/gnome/autogen.sh             |    15 -
 src/charon/plugins/nm/gnome/compile                |   142 -
 src/charon/plugins/nm/gnome/config.guess           |  1516 -
 src/charon/plugins/nm/gnome/config.h.in            |   112 -
 src/charon/plugins/nm/gnome/config.sub             |  1626 -
 src/charon/plugins/nm/gnome/configure              | 25583 ---------------
 src/charon/plugins/nm/gnome/configure.in           |   128 -
 src/charon/plugins/nm/gnome/depcomp                |   589 -
 src/charon/plugins/nm/gnome/install-sh             |   519 -
 src/charon/plugins/nm/gnome/intltool-extract.in    |   875 -
 src/charon/plugins/nm/gnome/intltool-merge.in      |  1506 -
 src/charon/plugins/nm/gnome/intltool-update.in     |  1166 -
 src/charon/plugins/nm/gnome/ltmain.sh              |  6964 -----
 src/charon/plugins/nm/gnome/missing                |   367 -
 src/charon/plugins/nm/gnome/mkinstalldirs          |   161 -
 .../plugins/nm/gnome/nm-strongswan-service.conf    |    16 -
 .../plugins/nm/gnome/nm-strongswan-service.name.in |     8 -
 src/charon/plugins/nm/gnome/po/LINGUAS             |     2 -
 src/charon/plugins/nm/gnome/po/Makefile.in.in      |   218 -
 src/charon/plugins/nm/gnome/po/POTFILES.in         |     5 -
 src/charon/plugins/nm/gnome/properties/Makefile.am |    38 -
 src/charon/plugins/nm/gnome/properties/Makefile.in |   600 -
 .../nm/gnome/properties/nm-strongswan-dialog.glade |   334 -
 .../plugins/nm/gnome/properties/nm-strongswan.c    |   526 -
 .../plugins/nm/gnome/properties/nm-strongswan.h    |    78 -
 src/charon/plugins/nm/nm_service.c                 |     3 +-
 src/charon/plugins/smp/Makefile.in                 |    18 +-
 src/charon/plugins/sql/Makefile.in                 |    18 +-
 src/charon/plugins/sql/sql_attribute.c             |     4 +-
 src/charon/plugins/sql/sql_config.c                |     2 +-
 src/charon/plugins/sql/sql_plugin.c                |     3 +-
 src/charon/plugins/stroke/Makefile.in              |    18 +-
 src/charon/plugins/stroke/stroke_attribute.c       |   319 +-
 src/charon/plugins/stroke/stroke_attribute.h       |    29 +-
 src/charon/plugins/stroke/stroke_config.c          |     6 +
 src/charon/plugins/stroke/stroke_cred.c            |    90 +-
 src/charon/plugins/stroke/stroke_list.c            |   127 +-
 src/charon/plugins/stroke/stroke_list.h            |    20 +-
 src/charon/plugins/stroke/stroke_socket.c          |    17 +-
 src/charon/plugins/uci/Makefile.in                 |    18 +-
 src/charon/plugins/unit_tester/Makefile.am         |     4 +-
 src/charon/plugins/unit_tester/Makefile.in         |    42 +-
 src/charon/plugins/unit_tester/tests.h             |     6 +-
 src/charon/plugins/unit_tester/tests/test_cert.c   |   108 +
 .../plugins/unit_tester/tests/test_enumerator.c    |    52 +-
 src/charon/plugins/unit_tester/tests/test_pool.c   |     2 +-
 src/charon/plugins/unit_tester/tests/test_rng.c    |   221 +
 src/charon/plugins/updown/Makefile.in              |    18 +-
 src/charon/processing/jobs/delete_ike_sa_job.c     |     7 +-
 src/charon/processing/jobs/migrate_job.c           |     4 +-
 src/charon/processing/processor.c                  |     6 +-
 src/charon/processing/scheduler.c                  |   201 +-
 src/charon/sa/authenticators/eap/eap_method.c      |     6 +-
 src/charon/sa/authenticators/eap/eap_method.h      |     3 +-
 src/charon/sa/authenticators/eap_authenticator.c   |     3 +-
 src/charon/sa/child_sa.c                           |   411 +-
 src/charon/sa/child_sa.h                           |   205 +-
 src/charon/sa/ike_sa.c                             |    96 +-
 src/charon/sa/ike_sa.h                             |    22 +-
 src/charon/sa/ike_sa_manager.c                     |  1365 +-
 src/charon/sa/ike_sa_manager.h                     |    64 +-
 src/charon/sa/keymat.c                             |    55 +-
 src/charon/sa/keymat.h                             |    15 +-
 src/charon/sa/task_manager.c                       |   292 +-
 src/charon/sa/task_manager.h                       |    14 +-
 src/charon/sa/tasks/child_create.c                 |   242 +-
 src/charon/sa/tasks/child_delete.c                 |    36 +-
 src/charon/sa/tasks/child_delete.h                 |     8 +-
 src/charon/sa/tasks/child_rekey.c                  |   112 +-
 src/charon/sa/tasks/child_rekey.h                  |     8 +-
 src/charon/sa/tasks/ike_auth.c                     |    76 +-
 src/charon/sa/tasks/ike_config.c                   |   106 +-
 src/charon/sa/tasks/ike_init.c                     |    69 +-
 src/charon/sa/tasks/ike_mobike.c                   |    21 +-
 src/charon/sa/tasks/ike_rekey.c                    |    48 +-
 src/dumm/Makefile.in                               |    18 +-
 src/include/Makefile.in                            |    18 +-
 src/ipsec/Makefile.in                              |    18 +-
 src/ipsec/ipsec.in                                 |    18 +-
 src/libcrypto/Makefile.in                          |    18 +-
 src/libfast/Makefile.in                            |    18 +-
 src/libfreeswan/Makefile.in                        |    18 +-
 src/libstrongswan/Makefile.am                      |     5 +
 src/libstrongswan/Makefile.in                      |   107 +-
 src/libstrongswan/asn1/asn1.c                      |    11 +-
 src/libstrongswan/chunk.c                          |   135 +-
 src/libstrongswan/chunk.h                          |    52 +-
 src/libstrongswan/credentials/builder.c            |     2 +
 src/libstrongswan/credentials/builder.h            |     4 +
 src/libstrongswan/credentials/credential_factory.c |    24 +-
 src/libstrongswan/crypto/crypters/crypter.c        |     6 +-
 src/libstrongswan/crypto/crypters/crypter.h        |     5 +-
 src/libstrongswan/crypto/diffie_hellman.c          |     6 +-
 src/libstrongswan/crypto/diffie_hellman.h          |     4 +-
 src/libstrongswan/crypto/hashers/hasher.c          |     7 +-
 src/libstrongswan/crypto/hashers/hasher.h          |     4 +-
 src/libstrongswan/fips/Makefile.in                 |    18 +-
 src/libstrongswan/plugins/aes/Makefile.in          |    18 +-
 src/libstrongswan/plugins/agent/Makefile.in        |    18 +-
 src/libstrongswan/plugins/curl/Makefile.in         |    18 +-
 src/libstrongswan/plugins/des/Makefile.in          |    18 +-
 src/libstrongswan/plugins/des/des_crypter.c        |   107 +-
 src/libstrongswan/plugins/des/des_plugin.c         |     4 +-
 src/libstrongswan/plugins/fips_prf/Makefile.in     |    18 +-
 src/libstrongswan/plugins/gmp/Makefile.in          |    18 +-
 src/libstrongswan/plugins/hmac/Makefile.in         |    18 +-
 src/libstrongswan/plugins/ldap/Makefile.in         |    18 +-
 src/libstrongswan/plugins/md4/Makefile.am          |    10 +
 src/libstrongswan/plugins/md4/Makefile.in          |   496 +
 src/libstrongswan/plugins/md4/md4_hasher.c         |   359 +
 src/libstrongswan/plugins/md4/md4_hasher.h         |    48 +
 src/libstrongswan/plugins/md4/md4_plugin.c         |    60 +
 src/libstrongswan/plugins/md4/md4_plugin.h         |    47 +
 src/libstrongswan/plugins/md5/Makefile.in          |    18 +-
 src/libstrongswan/plugins/mysql/Makefile.in        |    18 +-
 src/libstrongswan/plugins/openssl/Makefile.in      |    18 +-
 .../plugins/openssl/openssl_crypter.c              |     5 +-
 src/libstrongswan/plugins/openssl/openssl_hasher.c |     5 +-
 src/libstrongswan/plugins/openssl/openssl_plugin.c |     9 +-
 .../plugins/openssl/openssl_rsa_private_key.c      |    98 +-
 src/libstrongswan/plugins/padlock/Makefile.am      |     3 +-
 src/libstrongswan/plugins/padlock/Makefile.in      |    24 +-
 src/libstrongswan/plugins/padlock/padlock_plugin.c |   136 +-
 src/libstrongswan/plugins/padlock/padlock_rng.c    |   136 +
 src/libstrongswan/plugins/padlock/padlock_rng.h    |    49 +
 src/libstrongswan/plugins/pubkey/Makefile.in       |    18 +-
 src/libstrongswan/plugins/random/Makefile.in       |    18 +-
 src/libstrongswan/plugins/sha1/Makefile.in         |    18 +-
 src/libstrongswan/plugins/sha2/Makefile.in         |    18 +-
 src/libstrongswan/plugins/sqlite/Makefile.in       |    18 +-
 src/libstrongswan/plugins/x509/Makefile.in         |    18 +-
 src/libstrongswan/plugins/x509/x509_ac.c           |     4 +-
 src/libstrongswan/plugins/x509/x509_cert.c         |   293 +-
 src/libstrongswan/plugins/xcbc/Makefile.in         |    18 +-
 src/libstrongswan/utils.c                          |    52 +-
 src/libstrongswan/utils.h                          |    18 +-
 src/libstrongswan/utils/enumerator.c               |    62 +-
 src/libstrongswan/utils/hashtable.c                |   433 +
 src/libstrongswan/utils/hashtable.h                |   116 +
 src/libstrongswan/utils/host.c                     |     6 +-
 src/libstrongswan/utils/identification.c           |     3 +-
 src/libstrongswan/utils/leak_detective.c           |    16 +-
 src/libstrongswan/utils/lexparser.c                |    28 +-
 src/libstrongswan/utils/lexparser.h                |     8 +-
 src/libstrongswan/utils/mutex.c                    |    52 +-
 src/libstrongswan/utils/mutex.h                    |    12 +
 src/manager/Makefile.in                            |    18 +-
 src/medsrv/Makefile.in                             |    18 +-
 src/openac/Makefile.in                             |    18 +-
 src/openac/openac.c                                |     3 +-
 src/pluto/Makefile.am                              |     9 +-
 src/pluto/Makefile.in                              |    27 +-
 src/pluto/ca.c                                     |     3 +-
 src/pluto/ocsp.c                                   |     3 +-
 src/pluto/smartcard.h                              |     7 +-
 src/pluto/vendor.c                                 |     7 +-
 src/pluto/vendor.h                                 |     5 +-
 src/scepclient/Makefile.am                         |     5 +-
 src/scepclient/Makefile.in                         |    30 +-
 src/starter/Makefile.am                            |     2 +-
 src/starter/Makefile.in                            |    20 +-
 src/starter/confread.c                             |     6 +-
 src/starter/invokecharon.c                         |    13 +-
 src/starter/ipsec.conf.5                           |    12 +-
 src/starter/lex.yy.c                               |    51 +-
 src/starter/starterstroke.c                        |    33 +-
 src/stroke/Makefile.in                             |    18 +-
 src/stroke/stroke.c                                |    20 +-
 src/stroke/stroke_keywords.c                       |    80 +-
 src/stroke/stroke_keywords.h                       |     5 +-
 src/stroke/stroke_keywords.txt                     |     7 +-
 src/stroke/stroke_msg.h                            |    12 +-
 src/whack/Makefile.in                              |    18 +-
 src/whack/whack.h                                  |    13 +-
 testing/INSTALL                                    |    14 +-
 testing/Makefile.in                                |    18 +-
 testing/scripts/build-umlrootfs                    |    17 +-
 testing/testing.conf                               |    15 +-
 .../ikev1/attr-cert/hosts/moon/etc/strongswan.conf |     3 +
 testing/tests/ikev1/attr-cert/pretest.dat          |     4 +-
 testing/tests/ikev2/config-payload/evaltest.dat    |     2 +
 .../config-payload/hosts/moon/etc/strongswan.conf  |     2 +
 testing/tests/ikev2/esp-alg-null/description.txt   |     3 +
 testing/tests/ikev2/esp-alg-null/evaltest.dat      |     7 +
 .../ikev2/esp-alg-null/hosts/carol/etc/ipsec.conf  |    25 +
 .../esp-alg-null/hosts/carol/etc/strongswan.conf   |     5 +
 .../ikev2/esp-alg-null/hosts/moon/etc/ipsec.conf   |    24 +
 .../esp-alg-null/hosts/moon/etc/strongswan.conf    |     5 +
 testing/tests/ikev2/esp-alg-null/posttest.dat      |     4 +
 testing/tests/ikev2/esp-alg-null/pretest.dat       |     6 +
 testing/tests/ikev2/esp-alg-null/test.conf         |    21 +
 testing/tests/ikev2/ip-pool-db/evaltest.dat        |     6 +-
 .../ip-pool-db/hosts/moon/etc/strongswan.conf      |     4 +
 testing/tests/ikev2/ip-pool-db/posttest.dat        |     2 +-
 testing/tests/ikev2/ip-pool-db/pretest.dat         |     2 +-
 testing/tests/ikev2/ip-pool-wish/description.txt   |     6 +-
 testing/tests/ikev2/ip-pool-wish/evaltest.dat      |     2 +-
 .../ikev2/ip-pool-wish/hosts/carol/etc/ipsec.conf  |     2 +-
 .../ikev2/ip-pool-wish/hosts/dave/etc/ipsec.conf   |     2 +-
 testing/tests/ikev2/ip-pool-wish/pretest.dat       |     6 +-
 testing/tests/ikev2/ip-pool/evaltest.dat           |     3 +
 testing/tests/ikev2/ip-two-pools-db/evaltest.dat   |    12 +-
 .../ip-two-pools-db/hosts/moon/etc/strongswan.conf |     4 +
 testing/tests/ikev2/ip-two-pools-db/posttest.dat   |     4 +-
 testing/tests/ikev2/ip-two-pools-db/pretest.dat    |     4 +-
 testing/tests/ikev2/ip-two-pools/evaltest.dat      |     4 +
 .../ikev2/mobike/hosts/alice/etc/init.d/iptables   |     4 +
 .../tests/ikev2/mobike/hosts/alice/etc/ipsec.conf  |     1 -
 .../ikev2/rw-eap-mschapv2-rsa/description.txt      |     8 +
 .../tests/ikev2/rw-eap-mschapv2-rsa/evaltest.dat   |    11 +
 .../rw-eap-mschapv2-rsa/hosts/carol/etc/ipsec.conf |    22 +
 .../hosts/carol/etc/ipsec.secrets                  |     3 +
 .../hosts/carol/etc/strongswan.conf                |     5 +
 .../rw-eap-mschapv2-rsa/hosts/moon/etc/ipsec.conf  |    26 +
 .../hosts/moon/etc/ipsec.secrets                   |     5 +
 .../hosts/moon/etc/strongswan.conf                 |     5 +
 .../tests/ikev2/rw-eap-mschapv2-rsa/posttest.dat   |     4 +
 .../tests/ikev2/rw-eap-mschapv2-rsa/pretest.dat    |     7 +
 testing/tests/ikev2/rw-eap-mschapv2-rsa/test.conf  |    21 +
 testing/tests/pfkey/esp-alg-null/description.txt   |     3 +
 testing/tests/pfkey/esp-alg-null/evaltest.dat      |     7 +
 .../pfkey/esp-alg-null/hosts/carol/etc/ipsec.conf  |    25 +
 .../esp-alg-null/hosts/carol/etc/strongswan.conf   |     5 +
 .../pfkey/esp-alg-null/hosts/moon/etc/ipsec.conf   |    24 +
 .../esp-alg-null/hosts/moon/etc/strongswan.conf    |     5 +
 testing/tests/pfkey/esp-alg-null/posttest.dat      |     4 +
 testing/tests/pfkey/esp-alg-null/pretest.dat       |     6 +
 testing/tests/pfkey/esp-alg-null/test.conf         |    21 +
 testing/tests/sql/ip-pool-db-expired/evaltest.dat  |     6 +-
 .../hosts/moon/etc/strongswan.conf                 |     4 +
 testing/tests/sql/ip-pool-db-expired/pretest.dat   |     2 +-
 testing/tests/sql/ip-pool-db-restart/evaltest.dat  |     6 +-
 .../hosts/moon/etc/strongswan.conf                 |     4 +
 testing/tests/sql/ip-pool-db-restart/pretest.dat   |     2 +-
 testing/tests/sql/ip-pool-db/evaltest.dat          |     6 +-
 .../sql/ip-pool-db/hosts/moon/etc/strongswan.conf  |     4 +
 319 files changed, 34632 insertions(+), 87017 deletions(-)
 create mode 100644 src/charon/plugins/eap_mschapv2/Makefile.am
 create mode 100644 src/charon/plugins/eap_mschapv2/Makefile.in
 create mode 100644 src/charon/plugins/eap_mschapv2/eap_mschapv2.c
 create mode 100644 src/charon/plugins/eap_mschapv2/eap_mschapv2.h
 create mode 100644 src/charon/plugins/eap_mschapv2/eap_mschapv2_plugin.c
 create mode 100644 src/charon/plugins/eap_mschapv2/eap_mschapv2_plugin.h
 create mode 100644 src/charon/plugins/load_tester/load_tester_diffie_hellman.c
 create mode 100644 src/charon/plugins/load_tester/load_tester_diffie_hellman.h
 delete mode 100644 src/charon/plugins/nm/gnome/Makefile.am
 delete mode 100644 src/charon/plugins/nm/gnome/Makefile.in
 delete mode 100644 src/charon/plugins/nm/gnome/aclocal.m4
 delete mode 100644 src/charon/plugins/nm/gnome/auth-dialog/.deps/nm_strongswan_auth_dialog-main.Po
 delete mode 100644 src/charon/plugins/nm/gnome/auth-dialog/Makefile
 delete mode 100644 src/charon/plugins/nm/gnome/auth-dialog/Makefile.am
 delete mode 100644 src/charon/plugins/nm/gnome/auth-dialog/Makefile.in
 delete mode 100644 src/charon/plugins/nm/gnome/auth-dialog/main.c
 delete mode 100755 src/charon/plugins/nm/gnome/autogen.sh
 delete mode 100755 src/charon/plugins/nm/gnome/compile
 delete mode 100755 src/charon/plugins/nm/gnome/config.guess
 delete mode 100644 src/charon/plugins/nm/gnome/config.h.in
 delete mode 100755 src/charon/plugins/nm/gnome/config.sub
 delete mode 100755 src/charon/plugins/nm/gnome/configure
 delete mode 100644 src/charon/plugins/nm/gnome/configure.in
 delete mode 100755 src/charon/plugins/nm/gnome/depcomp
 delete mode 100755 src/charon/plugins/nm/gnome/install-sh
 delete mode 100644 src/charon/plugins/nm/gnome/intltool-extract.in
 delete mode 100644 src/charon/plugins/nm/gnome/intltool-merge.in
 delete mode 100644 src/charon/plugins/nm/gnome/intltool-update.in
 delete mode 100644 src/charon/plugins/nm/gnome/ltmain.sh
 delete mode 100755 src/charon/plugins/nm/gnome/missing
 delete mode 100755 src/charon/plugins/nm/gnome/mkinstalldirs
 delete mode 100644 src/charon/plugins/nm/gnome/nm-strongswan-service.conf
 delete mode 100644 src/charon/plugins/nm/gnome/nm-strongswan-service.name.in
 delete mode 100644 src/charon/plugins/nm/gnome/po/LINGUAS
 delete mode 100644 src/charon/plugins/nm/gnome/po/Makefile.in.in
 delete mode 100644 src/charon/plugins/nm/gnome/po/POTFILES.in
 delete mode 100644 src/charon/plugins/nm/gnome/properties/Makefile.am
 delete mode 100644 src/charon/plugins/nm/gnome/properties/Makefile.in
 delete mode 100644 src/charon/plugins/nm/gnome/properties/nm-strongswan-dialog.glade
 delete mode 100644 src/charon/plugins/nm/gnome/properties/nm-strongswan.c
 delete mode 100644 src/charon/plugins/nm/gnome/properties/nm-strongswan.h
 create mode 100644 src/charon/plugins/unit_tester/tests/test_cert.c
 create mode 100644 src/charon/plugins/unit_tester/tests/test_rng.c
 create mode 100644 src/libstrongswan/plugins/md4/Makefile.am
 create mode 100644 src/libstrongswan/plugins/md4/Makefile.in
 create mode 100644 src/libstrongswan/plugins/md4/md4_hasher.c
 create mode 100644 src/libstrongswan/plugins/md4/md4_hasher.h
 create mode 100644 src/libstrongswan/plugins/md4/md4_plugin.c
 create mode 100644 src/libstrongswan/plugins/md4/md4_plugin.h
 create mode 100644 src/libstrongswan/plugins/padlock/padlock_rng.c
 create mode 100644 src/libstrongswan/plugins/padlock/padlock_rng.h
 create mode 100644 src/libstrongswan/utils/hashtable.c
 create mode 100644 src/libstrongswan/utils/hashtable.h
 create mode 100644 testing/tests/ikev1/attr-cert/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/esp-alg-null/description.txt
 create mode 100644 testing/tests/ikev2/esp-alg-null/evaltest.dat
 create mode 100755 testing/tests/ikev2/esp-alg-null/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/esp-alg-null/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/esp-alg-null/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/esp-alg-null/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/esp-alg-null/posttest.dat
 create mode 100644 testing/tests/ikev2/esp-alg-null/pretest.dat
 create mode 100644 testing/tests/ikev2/esp-alg-null/test.conf
 create mode 100644 testing/tests/ikev2/rw-eap-mschapv2-rsa/description.txt
 create mode 100644 testing/tests/ikev2/rw-eap-mschapv2-rsa/evaltest.dat
 create mode 100755 testing/tests/ikev2/rw-eap-mschapv2-rsa/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/rw-eap-mschapv2-rsa/hosts/carol/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev2/rw-eap-mschapv2-rsa/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/rw-eap-mschapv2-rsa/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/rw-eap-mschapv2-rsa/hosts/moon/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev2/rw-eap-mschapv2-rsa/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/rw-eap-mschapv2-rsa/posttest.dat
 create mode 100644 testing/tests/ikev2/rw-eap-mschapv2-rsa/pretest.dat
 create mode 100644 testing/tests/ikev2/rw-eap-mschapv2-rsa/test.conf
 create mode 100644 testing/tests/pfkey/esp-alg-null/description.txt
 create mode 100644 testing/tests/pfkey/esp-alg-null/evaltest.dat
 create mode 100755 testing/tests/pfkey/esp-alg-null/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/pfkey/esp-alg-null/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/pfkey/esp-alg-null/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/pfkey/esp-alg-null/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/pfkey/esp-alg-null/posttest.dat
 create mode 100644 testing/tests/pfkey/esp-alg-null/pretest.dat
 create mode 100644 testing/tests/pfkey/esp-alg-null/test.conf

(limited to 'src/libstrongswan/plugins')

diff --git a/Makefile.in b/Makefile.in
index 4d7240711..dfe5a2eca 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -81,22 +81,17 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
-CXX = @CXX@
-CXXCPP = @CXXCPP@
-CXXDEPMODE = @CXXDEPMODE@
-CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DSYMUTIL = @DSYMUTIL@
-ECHO = @ECHO@
+DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-F77 = @F77@
-FFLAGS = @FFLAGS@
+FGREP = @FGREP@
 GPERF = @GPERF@
 GREP = @GREP@
 INSTALL = @INSTALL@
@@ -106,6 +101,7 @@ INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
 IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
 IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
@@ -114,12 +110,16 @@ LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
 LINUX_HEADERS = @LINUX_HEADERS@
+LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+NM = @NM@
 NMEDIT = @NMEDIT@
 OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -142,8 +142,7 @@ abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
-ac_ct_CXX = @ac_ct_CXX@
-ac_ct_F77 = @ac_ct_F77@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -182,6 +181,7 @@ libstrongswan_plugins = @libstrongswan_plugins@
 linuxdir = @linuxdir@
 localedir = @localedir@
 localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
diff --git a/NEWS b/NEWS
index d2d1b325e..73bec5e27 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,52 @@
+strongswan-4.2.12
+'----------------
+
+- Support of the EAP-MSCHAPv2 protocol enabled by the option
+  --enable-eap-mschapv2. Requires the MD4 hash algorithm enabled
+  either by --enable-md4 or --enable-openssl.
+
+- Assignment of up to two DNS and up to two WINS servers to peers via
+  the IKEv2 Configuration Payload (CP). The IPv4 or IPv6 nameserver 
+  addresses are defined in strongswan.conf.
+
+- The strongSwan applet for the Gnome NetworkManager is now built and
+  distributed as a separate tarball under the name NetworkManager-strongswan.
+
+ 
+strongswan-4.2.11
+-----------------
+
+- Fixed ESP NULL encryption broken by the refactoring of keymat.c.
+  Also introduced proper initialization and disposal of keying material.
+
+- Fixed the missing listing of connection definitions in ipsec statusall
+  broken by an unfortunate local variable overload.
+
+
+strongswan-4.2.10
+-----------------
+
+- Several performance improvements to handle thousands of tunnels with almost
+  linear upscaling. All relevant data structures have been replaced by faster
+  counterparts with better lookup times.
+
+- Better parallelization to run charon on multiple cores. Due to improved
+  ressource locking and other optimizations the daemon can take full
+  advantage of 16 or even more cores.
+
+- The load-tester plugin can use a NULL Diffie-Hellman group and simulate
+  unique identities and certificates by signing peer certificates using a CA
+  on the fly.
+
+- The redesigned stroke in-memory IP pool handles leases. The "ipsec leases"
+  command queries assigned leases.
+
+- Added support for smartcards in charon by using the ENGINE API provided by
+  OpenSSL, based on patches by Michael Roßberg.
+
+- The Padlock plugin supports the hardware RNG found on VIA CPUs to provide a
+  reliable source of randomness.
+
 strongswan-4.2.9
 ----------------
 
diff --git a/aclocal.m4 b/aclocal.m4
index 4fa9f2263..23c6a61b4 100644
--- a/aclocal.m4
+++ b/aclocal.m4
@@ -20,101 +20,187 @@ If you have problems, you may need to regenerate the build system entirely.
 To do so, use the procedure documented by the package, typically `autoreconf'.])])
 
 # libtool.m4 - Configure libtool for the host system. -*-Autoconf-*-
+#
+#   Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2003, 2004, 2005,
+#                 2006, 2007, 2008 Free Software Foundation, Inc.
+#   Written by Gordon Matzigkeit, 1996
+#
+# This file is free software; the Free Software Foundation gives
+# unlimited permission to copy and/or distribute it, with or without
+# modifications, as long as this notice is preserved.
+
+m4_define([_LT_COPYING], [dnl
+#   Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2003, 2004, 2005,
+#                 2006, 2007, 2008 Free Software Foundation, Inc.
+#   Written by Gordon Matzigkeit, 1996
+#
+#   This file is part of GNU Libtool.
+#
+# GNU Libtool is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; either version 2 of
+# the License, or (at your option) any later version.
+#
+# As a special exception to the GNU General Public License,
+# if you distribute this file as part of a program or library that
+# is built using GNU Libtool, you may include this file under the
+# same distribution terms that you use for the rest of that program.
+#
+# GNU Libtool is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GNU Libtool; see the file COPYING.  If not, a copy
+# can be downloaded from http://www.gnu.org/licenses/gpl.html, or
+# obtained by writing to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+])
 
-# serial 52 Debian 1.5.26-1ubuntu1 AC_PROG_LIBTOOL
+# serial 56 LT_INIT
 
 
-# AC_PROVIDE_IFELSE(MACRO-NAME, IF-PROVIDED, IF-NOT-PROVIDED)
-# -----------------------------------------------------------
-# If this macro is not defined by Autoconf, define it here.
-m4_ifdef([AC_PROVIDE_IFELSE],
-         [],
-         [m4_define([AC_PROVIDE_IFELSE],
-	         [m4_ifdef([AC_PROVIDE_$1],
-		           [$2], [$3])])])
+# LT_PREREQ(VERSION)
+# ------------------
+# Complain and exit if this libtool version is less that VERSION.
+m4_defun([LT_PREREQ],
+[m4_if(m4_version_compare(m4_defn([LT_PACKAGE_VERSION]), [$1]), -1,
+       [m4_default([$3],
+		   [m4_fatal([Libtool version $1 or higher is required],
+		             63)])],
+       [$2])])
 
 
-# AC_PROG_LIBTOOL
-# ---------------
-AC_DEFUN([AC_PROG_LIBTOOL],
-[AC_REQUIRE([_AC_PROG_LIBTOOL])dnl
-dnl If AC_PROG_CXX has already been expanded, run AC_LIBTOOL_CXX
-dnl immediately, otherwise, hook it in at the end of AC_PROG_CXX.
-  AC_PROVIDE_IFELSE([AC_PROG_CXX],
-    [AC_LIBTOOL_CXX],
-    [define([AC_PROG_CXX], defn([AC_PROG_CXX])[AC_LIBTOOL_CXX
-  ])])
-dnl And a similar setup for Fortran 77 support
-  AC_PROVIDE_IFELSE([AC_PROG_F77],
-    [AC_LIBTOOL_F77],
-    [define([AC_PROG_F77], defn([AC_PROG_F77])[AC_LIBTOOL_F77
-])])
-
-dnl Quote A][M_PROG_GCJ so that aclocal doesn't bring it in needlessly.
-dnl If either AC_PROG_GCJ or A][M_PROG_GCJ have already been expanded, run
-dnl AC_LIBTOOL_GCJ immediately, otherwise, hook it in at the end of both.
-  AC_PROVIDE_IFELSE([AC_PROG_GCJ],
-    [AC_LIBTOOL_GCJ],
-    [AC_PROVIDE_IFELSE([A][M_PROG_GCJ],
-      [AC_LIBTOOL_GCJ],
-      [AC_PROVIDE_IFELSE([LT_AC_PROG_GCJ],
-	[AC_LIBTOOL_GCJ],
-      [ifdef([AC_PROG_GCJ],
-	     [define([AC_PROG_GCJ], defn([AC_PROG_GCJ])[AC_LIBTOOL_GCJ])])
-       ifdef([A][M_PROG_GCJ],
-	     [define([A][M_PROG_GCJ], defn([A][M_PROG_GCJ])[AC_LIBTOOL_GCJ])])
-       ifdef([LT_AC_PROG_GCJ],
-	     [define([LT_AC_PROG_GCJ],
-		defn([LT_AC_PROG_GCJ])[AC_LIBTOOL_GCJ])])])])
-])])# AC_PROG_LIBTOOL
-
-
-# _AC_PROG_LIBTOOL
-# ----------------
-AC_DEFUN([_AC_PROG_LIBTOOL],
-[AC_REQUIRE([AC_LIBTOOL_SETUP])dnl
-AC_BEFORE([$0],[AC_LIBTOOL_CXX])dnl
-AC_BEFORE([$0],[AC_LIBTOOL_F77])dnl
-AC_BEFORE([$0],[AC_LIBTOOL_GCJ])dnl
+# _LT_CHECK_BUILDDIR
+# ------------------
+# Complain if the absolute build directory name contains unusual characters
+m4_defun([_LT_CHECK_BUILDDIR],
+[case `pwd` in
+  *\ * | *\	*)
+    AC_MSG_WARN([Libtool does not cope well with whitespace in `pwd`]) ;;
+esac
+])
+
+
+# LT_INIT([OPTIONS])
+# ------------------
+AC_DEFUN([LT_INIT],
+[AC_PREREQ([2.58])dnl We use AC_INCLUDES_DEFAULT
+AC_BEFORE([$0], [LT_LANG])dnl
+AC_BEFORE([$0], [LT_OUTPUT])dnl
+AC_BEFORE([$0], [LTDL_INIT])dnl
+m4_require([_LT_CHECK_BUILDDIR])dnl
+
+dnl Autoconf doesn't catch unexpanded LT_ macros by default:
+m4_pattern_forbid([^_?LT_[A-Z_]+$])dnl
+m4_pattern_allow([^(_LT_EOF|LT_DLGLOBAL|LT_DLLAZY_OR_NOW|LT_MULTI_MODULE)$])dnl
+dnl aclocal doesn't pull ltoptions.m4, ltsugar.m4, or ltversion.m4
+dnl unless we require an AC_DEFUNed macro:
+AC_REQUIRE([LTOPTIONS_VERSION])dnl
+AC_REQUIRE([LTSUGAR_VERSION])dnl
+AC_REQUIRE([LTVERSION_VERSION])dnl
+AC_REQUIRE([LTOBSOLETE_VERSION])dnl
+m4_require([_LT_PROG_LTMAIN])dnl
+
+dnl Parse OPTIONS
+_LT_SET_OPTIONS([$0], [$1])
 
 # This can be used to rebuild libtool when needed
-LIBTOOL_DEPS="$ac_aux_dir/ltmain.sh"
+LIBTOOL_DEPS="$ltmain"
 
 # Always use our own libtool.
 LIBTOOL='$(SHELL) $(top_builddir)/libtool'
 AC_SUBST(LIBTOOL)dnl
 
-# Prevent multiple expansion
-define([AC_PROG_LIBTOOL], [])
-])# _AC_PROG_LIBTOOL
+_LT_SETUP
 
+# Only expand once:
+m4_define([LT_INIT])
+])# LT_INIT
 
-# AC_LIBTOOL_SETUP
-# ----------------
-AC_DEFUN([AC_LIBTOOL_SETUP],
-[AC_PREREQ(2.50)dnl
-AC_REQUIRE([AC_ENABLE_SHARED])dnl
-AC_REQUIRE([AC_ENABLE_STATIC])dnl
-AC_REQUIRE([AC_ENABLE_FAST_INSTALL])dnl
-AC_REQUIRE([AC_CANONICAL_HOST])dnl
+# Old names:
+AU_ALIAS([AC_PROG_LIBTOOL], [LT_INIT])
+AU_ALIAS([AM_PROG_LIBTOOL], [LT_INIT])
+dnl aclocal-1.4 backwards compatibility:
+dnl AC_DEFUN([AC_PROG_LIBTOOL], [])
+dnl AC_DEFUN([AM_PROG_LIBTOOL], [])
+
+
+# _LT_CC_BASENAME(CC)
+# -------------------
+# Calculate cc_basename.  Skip known compiler wrappers and cross-prefix.
+m4_defun([_LT_CC_BASENAME],
+[for cc_temp in $1""; do
+  case $cc_temp in
+    compile | *[[\\/]]compile | ccache | *[[\\/]]ccache ) ;;
+    distcc | *[[\\/]]distcc | purify | *[[\\/]]purify ) ;;
+    \-*) ;;
+    *) break;;
+  esac
+done
+cc_basename=`$ECHO "X$cc_temp" | $Xsed -e 's%.*/%%' -e "s%^$host_alias-%%"`
+])
+
+
+# _LT_FILEUTILS_DEFAULTS
+# ----------------------
+# It is okay to use these file commands and assume they have been set
+# sensibly after `m4_require([_LT_FILEUTILS_DEFAULTS])'.
+m4_defun([_LT_FILEUTILS_DEFAULTS],
+[: ${CP="cp -f"}
+: ${MV="mv -f"}
+: ${RM="rm -f"}
+])# _LT_FILEUTILS_DEFAULTS
+
+
+# _LT_SETUP
+# ---------
+m4_defun([_LT_SETUP],
+[AC_REQUIRE([AC_CANONICAL_HOST])dnl
 AC_REQUIRE([AC_CANONICAL_BUILD])dnl
+_LT_DECL([], [host_alias], [0], [The host system])dnl
+_LT_DECL([], [host], [0])dnl
+_LT_DECL([], [host_os], [0])dnl
+dnl
+_LT_DECL([], [build_alias], [0], [The build system])dnl
+_LT_DECL([], [build], [0])dnl
+_LT_DECL([], [build_os], [0])dnl
+dnl
 AC_REQUIRE([AC_PROG_CC])dnl
-AC_REQUIRE([AC_PROG_LD])dnl
-AC_REQUIRE([AC_PROG_LD_RELOAD_FLAG])dnl
-AC_REQUIRE([AC_PROG_NM])dnl
-
+AC_REQUIRE([LT_PATH_LD])dnl
+AC_REQUIRE([LT_PATH_NM])dnl
+dnl
 AC_REQUIRE([AC_PROG_LN_S])dnl
-AC_REQUIRE([AC_DEPLIBS_CHECK_METHOD])dnl
-# Autoconf 2.13's AC_OBJEXT and AC_EXEEXT macros only works for C compilers!
-AC_REQUIRE([AC_OBJEXT])dnl
-AC_REQUIRE([AC_EXEEXT])dnl
+test -z "$LN_S" && LN_S="ln -s"
+_LT_DECL([], [LN_S], [1], [Whether we need soft or hard links])dnl
+dnl
+AC_REQUIRE([LT_CMD_MAX_LEN])dnl
+_LT_DECL([objext], [ac_objext], [0], [Object file suffix (normally "o")])dnl
+_LT_DECL([], [exeext], [0], [Executable file suffix (normally "")])dnl
 dnl
-AC_LIBTOOL_SYS_MAX_CMD_LEN
-AC_LIBTOOL_SYS_GLOBAL_SYMBOL_PIPE
-AC_LIBTOOL_OBJDIR
+m4_require([_LT_FILEUTILS_DEFAULTS])dnl
+m4_require([_LT_CHECK_SHELL_FEATURES])dnl
+m4_require([_LT_CMD_RELOAD])dnl
+m4_require([_LT_CHECK_MAGIC_METHOD])dnl
+m4_require([_LT_CMD_OLD_ARCHIVE])dnl
+m4_require([_LT_CMD_GLOBAL_SYMBOLS])dnl
+
+_LT_CONFIG_LIBTOOL_INIT([
+# See if we are running on zsh, and set the options which allow our
+# commands through without removal of \ escapes INIT.
+if test -n "\${ZSH_VERSION+set}" ; then
+   setopt NO_GLOB_SUBST
+fi
+])
+if test -n "${ZSH_VERSION+set}" ; then
+   setopt NO_GLOB_SUBST
+fi
+
+_LT_CHECK_OBJDIR
 
-AC_REQUIRE([_LT_AC_SYS_COMPILER])dnl
-_LT_AC_PROG_ECHO_BACKSLASH
+m4_require([_LT_TAG_COMPILER])dnl
+_LT_PROG_ECHO_BACKSLASH
 
 case $host_os in
 aix3*)
@@ -130,116 +216,653 @@ esac
 
 # Sed substitution that helps us do robust quoting.  It backslashifies
 # metacharacters that are still active within double-quoted strings.
-Xsed='sed -e 1s/^X//'
-[sed_quote_subst='s/\([\\"\\`$\\\\]\)/\\\1/g']
+sed_quote_subst='s/\([["`$\\]]\)/\\\1/g'
 
 # Same as above, but do not quote variable references.
-[double_quote_subst='s/\([\\"\\`\\\\]\)/\\\1/g']
+double_quote_subst='s/\([["`\\]]\)/\\\1/g'
 
 # Sed substitution to delay expansion of an escaped shell variable in a
 # double_quote_subst'ed string.
 delay_variable_subst='s/\\\\\\\\\\\$/\\\\\\$/g'
 
+# Sed substitution to delay expansion of an escaped single quote.
+delay_single_quote_subst='s/'\''/'\'\\\\\\\'\''/g'
+
 # Sed substitution to avoid accidental globbing in evaled expressions
 no_glob_subst='s/\*/\\\*/g'
 
-# Constants:
-rm="rm -f"
-
 # Global variables:
-default_ofile=libtool
+ofile=libtool
 can_build_shared=yes
 
 # All known linkers require a `.a' archive for static linking (except MSVC,
 # which needs '.lib').
 libext=a
-ltmain="$ac_aux_dir/ltmain.sh"
-ofile="$default_ofile"
-with_gnu_ld="$lt_cv_prog_gnu_ld"
 
-AC_CHECK_TOOL(AR, ar, false)
-AC_CHECK_TOOL(RANLIB, ranlib, :)
-AC_CHECK_TOOL(STRIP, strip, :)
+with_gnu_ld="$lt_cv_prog_gnu_ld"
 
 old_CC="$CC"
 old_CFLAGS="$CFLAGS"
 
 # Set sane defaults for various variables
-test -z "$AR" && AR=ar
-test -z "$AR_FLAGS" && AR_FLAGS=cru
-test -z "$AS" && AS=as
 test -z "$CC" && CC=cc
 test -z "$LTCC" && LTCC=$CC
 test -z "$LTCFLAGS" && LTCFLAGS=$CFLAGS
-test -z "$DLLTOOL" && DLLTOOL=dlltool
 test -z "$LD" && LD=ld
-test -z "$LN_S" && LN_S="ln -s"
-test -z "$MAGIC_CMD" && MAGIC_CMD=file
-test -z "$NM" && NM=nm
-test -z "$SED" && SED=sed
-test -z "$OBJDUMP" && OBJDUMP=objdump
-test -z "$RANLIB" && RANLIB=:
-test -z "$STRIP" && STRIP=:
 test -z "$ac_objext" && ac_objext=o
 
-# Determine commands to create old-style static archives.
-old_archive_cmds='$AR $AR_FLAGS $oldlib$oldobjs'
-old_postinstall_cmds='chmod 644 $oldlib'
-old_postuninstall_cmds=
-
-if test -n "$RANLIB"; then
-  case $host_os in
-  openbsd*)
-    old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB -t \$oldlib"
-    ;;
-  *)
-    old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB \$oldlib"
-    ;;
-  esac
-  old_archive_cmds="$old_archive_cmds~\$RANLIB \$oldlib"
-fi
-
 _LT_CC_BASENAME([$compiler])
 
 # Only perform the check for file, if the check method requires it
+test -z "$MAGIC_CMD" && MAGIC_CMD=file
 case $deplibs_check_method in
 file_magic*)
   if test "$file_magic_cmd" = '$MAGIC_CMD'; then
-    AC_PATH_MAGIC
+    _LT_PATH_MAGIC
   fi
   ;;
 esac
 
-_LT_REQUIRED_DARWIN_CHECKS
+# Use C for the default configuration in the libtool script
+LT_SUPPORTED_TAG([CC])
+_LT_LANG_C_CONFIG
+_LT_LANG_DEFAULT_CONFIG
+_LT_CONFIG_COMMANDS
+])# _LT_SETUP
 
-AC_PROVIDE_IFELSE([AC_LIBTOOL_DLOPEN], enable_dlopen=yes, enable_dlopen=no)
-AC_PROVIDE_IFELSE([AC_LIBTOOL_WIN32_DLL],
-enable_win32_dll=yes, enable_win32_dll=no)
 
-AC_ARG_ENABLE([libtool-lock],
-    [AC_HELP_STRING([--disable-libtool-lock],
-	[avoid locking (might break parallel builds)])])
-test "x$enable_libtool_lock" != xno && enable_libtool_lock=yes
+# _LT_PROG_LTMAIN
+# ---------------
+# Note that this code is called both from `configure', and `config.status'
+# now that we use AC_CONFIG_COMMANDS to generate libtool.  Notably,
+# `config.status' has no value for ac_aux_dir unless we are using Automake,
+# so we pass a copy along to make sure it has a sensible value anyway.
+m4_defun([_LT_PROG_LTMAIN],
+[m4_ifdef([AC_REQUIRE_AUX_FILE], [AC_REQUIRE_AUX_FILE([ltmain.sh])])dnl
+_LT_CONFIG_LIBTOOL_INIT([ac_aux_dir='$ac_aux_dir'])
+ltmain="$ac_aux_dir/ltmain.sh"
+])# _LT_PROG_LTMAIN
 
-AC_ARG_WITH([pic],
-    [AC_HELP_STRING([--with-pic],
-	[try to use only PIC/non-PIC objects @<:@default=use both@:>@])],
-    [pic_mode="$withval"],
-    [pic_mode=default])
-test -z "$pic_mode" && pic_mode=default
 
-# Use C for the default configuration in the libtool script
-tagname=
-AC_LIBTOOL_LANG_C_CONFIG
-_LT_AC_TAGCONFIG
-])# AC_LIBTOOL_SETUP
+
+# So that we can recreate a full libtool script including additional
+# tags, we accumulate the chunks of code to send to AC_CONFIG_COMMANDS
+# in macros and then make a single call at the end using the `libtool'
+# label.
+
+
+# _LT_CONFIG_LIBTOOL_INIT([INIT-COMMANDS])
+# ----------------------------------------
+# Register INIT-COMMANDS to be passed to AC_CONFIG_COMMANDS later.
+m4_define([_LT_CONFIG_LIBTOOL_INIT],
+[m4_ifval([$1],
+          [m4_append([_LT_OUTPUT_LIBTOOL_INIT],
+                     [$1
+])])])
+
+# Initialize.
+m4_define([_LT_OUTPUT_LIBTOOL_INIT])
+
+
+# _LT_CONFIG_LIBTOOL([COMMANDS])
+# ------------------------------
+# Register COMMANDS to be passed to AC_CONFIG_COMMANDS later.
+m4_define([_LT_CONFIG_LIBTOOL],
+[m4_ifval([$1],
+          [m4_append([_LT_OUTPUT_LIBTOOL_COMMANDS],
+                     [$1
+])])])
+
+# Initialize.
+m4_define([_LT_OUTPUT_LIBTOOL_COMMANDS])
+
+
+# _LT_CONFIG_SAVE_COMMANDS([COMMANDS], [INIT_COMMANDS])
+# -----------------------------------------------------
+m4_defun([_LT_CONFIG_SAVE_COMMANDS],
+[_LT_CONFIG_LIBTOOL([$1])
+_LT_CONFIG_LIBTOOL_INIT([$2])
+])
+
+
+# _LT_FORMAT_COMMENT([COMMENT])
+# -----------------------------
+# Add leading comment marks to the start of each line, and a trailing
+# full-stop to the whole comment if one is not present already.
+m4_define([_LT_FORMAT_COMMENT],
+[m4_ifval([$1], [
+m4_bpatsubst([m4_bpatsubst([$1], [^ *], [# ])],
+              [['`$\]], [\\\&])]m4_bmatch([$1], [[!?.]$], [], [.])
+)])
+
+
+
+
+
+# _LT_DECL([CONFIGNAME], VARNAME, VALUE, [DESCRIPTION], [IS-TAGGED?])
+# -------------------------------------------------------------------
+# CONFIGNAME is the name given to the value in the libtool script.
+# VARNAME is the (base) name used in the configure script.
+# VALUE may be 0, 1 or 2 for a computed quote escaped value based on
+# VARNAME.  Any other value will be used directly.
+m4_define([_LT_DECL],
+[lt_if_append_uniq([lt_decl_varnames], [$2], [, ],
+    [lt_dict_add_subkey([lt_decl_dict], [$2], [libtool_name],
+	[m4_ifval([$1], [$1], [$2])])
+    lt_dict_add_subkey([lt_decl_dict], [$2], [value], [$3])
+    m4_ifval([$4],
+	[lt_dict_add_subkey([lt_decl_dict], [$2], [description], [$4])])
+    lt_dict_add_subkey([lt_decl_dict], [$2],
+	[tagged?], [m4_ifval([$5], [yes], [no])])])
+])
+
+
+# _LT_TAGDECL([CONFIGNAME], VARNAME, VALUE, [DESCRIPTION])
+# --------------------------------------------------------
+m4_define([_LT_TAGDECL], [_LT_DECL([$1], [$2], [$3], [$4], [yes])])
+
+
+# lt_decl_tag_varnames([SEPARATOR], [VARNAME1...])
+# ------------------------------------------------
+m4_define([lt_decl_tag_varnames],
+[_lt_decl_filter([tagged?], [yes], $@)])
+
+
+# _lt_decl_filter(SUBKEY, VALUE, [SEPARATOR], [VARNAME1..])
+# ---------------------------------------------------------
+m4_define([_lt_decl_filter],
+[m4_case([$#],
+  [0], [m4_fatal([$0: too few arguments: $#])],
+  [1], [m4_fatal([$0: too few arguments: $#: $1])],
+  [2], [lt_dict_filter([lt_decl_dict], [$1], [$2], [], lt_decl_varnames)],
+  [3], [lt_dict_filter([lt_decl_dict], [$1], [$2], [$3], lt_decl_varnames)],
+  [lt_dict_filter([lt_decl_dict], $@)])[]dnl
+])
+
+
+# lt_decl_quote_varnames([SEPARATOR], [VARNAME1...])
+# --------------------------------------------------
+m4_define([lt_decl_quote_varnames],
+[_lt_decl_filter([value], [1], $@)])
+
+
+# lt_decl_dquote_varnames([SEPARATOR], [VARNAME1...])
+# ---------------------------------------------------
+m4_define([lt_decl_dquote_varnames],
+[_lt_decl_filter([value], [2], $@)])
+
+
+# lt_decl_varnames_tagged([SEPARATOR], [VARNAME1...])
+# ---------------------------------------------------
+m4_define([lt_decl_varnames_tagged],
+[_$0(m4_quote(m4_default([$1], [[, ]])),
+     m4_quote(m4_if([$2], [],
+		     m4_quote(lt_decl_tag_varnames),
+		  m4_quote(m4_shift($@)))),
+     m4_split(m4_normalize(m4_quote(_LT_TAGS))))])
+m4_define([_lt_decl_varnames_tagged], [lt_combine([$1], [$2], [_], $3)])
+
+
+# lt_decl_all_varnames([SEPARATOR], [VARNAME1...])
+# ------------------------------------------------
+m4_define([lt_decl_all_varnames],
+[_$0(m4_quote(m4_default([$1], [[, ]])),
+     m4_if([$2], [],
+	   m4_quote(lt_decl_varnames),
+	m4_quote(m4_shift($@))))[]dnl
+])
+m4_define([_lt_decl_all_varnames],
+[lt_join($@, lt_decl_varnames_tagged([$1],
+			lt_decl_tag_varnames([[, ]], m4_shift($@))))dnl
+])
+
+
+# _LT_CONFIG_STATUS_DECLARE([VARNAME])
+# ------------------------------------
+# Quote a variable value, and forward it to `config.status' so that its
+# declaration there will have the same value as in `configure'.  VARNAME
+# must have a single quote delimited value for this to work.
+m4_define([_LT_CONFIG_STATUS_DECLARE],
+[$1='`$ECHO "X$][$1" | $Xsed -e "$delay_single_quote_subst"`'])
+
+
+# _LT_CONFIG_STATUS_DECLARATIONS
+# ------------------------------
+# We delimit libtool config variables with single quotes, so when
+# we write them to config.status, we have to be sure to quote all
+# embedded single quotes properly.  In configure, this macro expands
+# each variable declared with _LT_DECL (and _LT_TAGDECL) into:
+#
+#    <var>='`$ECHO "X$<var>" | $Xsed -e "$delay_single_quote_subst"`'
+m4_defun([_LT_CONFIG_STATUS_DECLARATIONS],
+[m4_foreach([_lt_var], m4_quote(lt_decl_all_varnames),
+    [m4_n([_LT_CONFIG_STATUS_DECLARE(_lt_var)])])])
 
 
-# _LT_AC_SYS_COMPILER
+# _LT_LIBTOOL_TAGS
+# ----------------
+# Output comment and list of tags supported by the script
+m4_defun([_LT_LIBTOOL_TAGS],
+[_LT_FORMAT_COMMENT([The names of the tagged configurations supported by this script])dnl
+available_tags="_LT_TAGS"dnl
+])
+
+
+# _LT_LIBTOOL_DECLARE(VARNAME, [TAG])
+# -----------------------------------
+# Extract the dictionary values for VARNAME (optionally with TAG) and
+# expand to a commented shell variable setting:
+#
+#    # Some comment about what VAR is for.
+#    visible_name=$lt_internal_name
+m4_define([_LT_LIBTOOL_DECLARE],
+[_LT_FORMAT_COMMENT(m4_quote(lt_dict_fetch([lt_decl_dict], [$1],
+					   [description])))[]dnl
+m4_pushdef([_libtool_name],
+    m4_quote(lt_dict_fetch([lt_decl_dict], [$1], [libtool_name])))[]dnl
+m4_case(m4_quote(lt_dict_fetch([lt_decl_dict], [$1], [value])),
+    [0], [_libtool_name=[$]$1],
+    [1], [_libtool_name=$lt_[]$1],
+    [2], [_libtool_name=$lt_[]$1],
+    [_libtool_name=lt_dict_fetch([lt_decl_dict], [$1], [value])])[]dnl
+m4_ifval([$2], [_$2])[]m4_popdef([_libtool_name])[]dnl
+])
+
+
+# _LT_LIBTOOL_CONFIG_VARS
+# -----------------------
+# Produce commented declarations of non-tagged libtool config variables
+# suitable for insertion in the LIBTOOL CONFIG section of the `libtool'
+# script.  Tagged libtool config variables (even for the LIBTOOL CONFIG
+# section) are produced by _LT_LIBTOOL_TAG_VARS.
+m4_defun([_LT_LIBTOOL_CONFIG_VARS],
+[m4_foreach([_lt_var],
+    m4_quote(_lt_decl_filter([tagged?], [no], [], lt_decl_varnames)),
+    [m4_n([_LT_LIBTOOL_DECLARE(_lt_var)])])])
+
+
+# _LT_LIBTOOL_TAG_VARS(TAG)
+# -------------------------
+m4_define([_LT_LIBTOOL_TAG_VARS],
+[m4_foreach([_lt_var], m4_quote(lt_decl_tag_varnames),
+    [m4_n([_LT_LIBTOOL_DECLARE(_lt_var, [$1])])])])
+
+
+# _LT_TAGVAR(VARNAME, [TAGNAME])
+# ------------------------------
+m4_define([_LT_TAGVAR], [m4_ifval([$2], [$1_$2], [$1])])
+
+
+# _LT_CONFIG_COMMANDS
 # -------------------
-AC_DEFUN([_LT_AC_SYS_COMPILER],
+# Send accumulated output to $CONFIG_STATUS.  Thanks to the lists of
+# variables for single and double quote escaping we saved from calls
+# to _LT_DECL, we can put quote escaped variables declarations
+# into `config.status', and then the shell code to quote escape them in
+# for loops in `config.status'.  Finally, any additional code accumulated
+# from calls to _LT_CONFIG_LIBTOOL_INIT is expanded.
+m4_defun([_LT_CONFIG_COMMANDS],
+[AC_PROVIDE_IFELSE([LT_OUTPUT],
+	dnl If the libtool generation code has been placed in $CONFIG_LT,
+	dnl instead of duplicating it all over again into config.status,
+	dnl then we will have config.status run $CONFIG_LT later, so it
+	dnl needs to know what name is stored there:
+        [AC_CONFIG_COMMANDS([libtool],
+            [$SHELL $CONFIG_LT || AS_EXIT(1)], [CONFIG_LT='$CONFIG_LT'])],
+    dnl If the libtool generation code is destined for config.status,
+    dnl expand the accumulated commands and init code now:
+    [AC_CONFIG_COMMANDS([libtool],
+        [_LT_OUTPUT_LIBTOOL_COMMANDS], [_LT_OUTPUT_LIBTOOL_COMMANDS_INIT])])
+])#_LT_CONFIG_COMMANDS
+
+
+# Initialize.
+m4_define([_LT_OUTPUT_LIBTOOL_COMMANDS_INIT],
+[
+
+# The HP-UX ksh and POSIX shell print the target directory to stdout
+# if CDPATH is set.
+(unset CDPATH) >/dev/null 2>&1 && unset CDPATH
+
+sed_quote_subst='$sed_quote_subst'
+double_quote_subst='$double_quote_subst'
+delay_variable_subst='$delay_variable_subst'
+_LT_CONFIG_STATUS_DECLARATIONS
+LTCC='$LTCC'
+LTCFLAGS='$LTCFLAGS'
+compiler='$compiler_DEFAULT'
+
+# Quote evaled strings.
+for var in lt_decl_all_varnames([[ \
+]], lt_decl_quote_varnames); do
+    case \`eval \\\\\$ECHO "X\\\\\$\$var"\` in
+    *[[\\\\\\\`\\"\\\$]]*)
+      eval "lt_\$var=\\\\\\"\\\`\\\$ECHO \\"X\\\$\$var\\" | \\\$Xsed -e \\"\\\$sed_quote_subst\\"\\\`\\\\\\""
+      ;;
+    *)
+      eval "lt_\$var=\\\\\\"\\\$\$var\\\\\\""
+      ;;
+    esac
+done
+
+# Double-quote double-evaled strings.
+for var in lt_decl_all_varnames([[ \
+]], lt_decl_dquote_varnames); do
+    case \`eval \\\\\$ECHO "X\\\\\$\$var"\` in
+    *[[\\\\\\\`\\"\\\$]]*)
+      eval "lt_\$var=\\\\\\"\\\`\\\$ECHO \\"X\\\$\$var\\" | \\\$Xsed -e \\"\\\$double_quote_subst\\" -e \\"\\\$sed_quote_subst\\" -e \\"\\\$delay_variable_subst\\"\\\`\\\\\\""
+      ;;
+    *)
+      eval "lt_\$var=\\\\\\"\\\$\$var\\\\\\""
+      ;;
+    esac
+done
+
+# Fix-up fallback echo if it was mangled by the above quoting rules.
+case \$lt_ECHO in
+*'\\\[$]0 --fallback-echo"')dnl "
+  lt_ECHO=\`\$ECHO "X\$lt_ECHO" | \$Xsed -e 's/\\\\\\\\\\\\\\\[$]0 --fallback-echo"\[$]/\[$]0 --fallback-echo"/'\`
+  ;;
+esac
+
+_LT_OUTPUT_LIBTOOL_INIT
+])
+
+
+# LT_OUTPUT
+# ---------
+# This macro allows early generation of the libtool script (before
+# AC_OUTPUT is called), incase it is used in configure for compilation
+# tests.
+AC_DEFUN([LT_OUTPUT],
+[: ${CONFIG_LT=./config.lt}
+AC_MSG_NOTICE([creating $CONFIG_LT])
+cat >"$CONFIG_LT" <<_LTEOF
+#! $SHELL
+# Generated by $as_me.
+# Run this file to recreate a libtool stub with the current configuration.
+
+lt_cl_silent=false
+SHELL=\${CONFIG_SHELL-$SHELL}
+_LTEOF
+
+cat >>"$CONFIG_LT" <<\_LTEOF
+AS_SHELL_SANITIZE
+_AS_PREPARE
+
+exec AS_MESSAGE_FD>&1
+exec AS_MESSAGE_LOG_FD>>config.log
+{
+  echo
+  AS_BOX([Running $as_me.])
+} >&AS_MESSAGE_LOG_FD
+
+lt_cl_help="\
+\`$as_me' creates a local libtool stub from the current configuration,
+for use in further configure time tests before the real libtool is
+generated.
+
+Usage: $[0] [[OPTIONS]]
+
+  -h, --help      print this help, then exit
+  -V, --version   print version number, then exit
+  -q, --quiet     do not print progress messages
+  -d, --debug     don't remove temporary files
+
+Report bugs to <bug-libtool@gnu.org>."
+
+lt_cl_version="\
+m4_ifset([AC_PACKAGE_NAME], [AC_PACKAGE_NAME ])config.lt[]dnl
+m4_ifset([AC_PACKAGE_VERSION], [ AC_PACKAGE_VERSION])
+configured by $[0], generated by m4_PACKAGE_STRING.
+
+Copyright (C) 2008 Free Software Foundation, Inc.
+This config.lt script is free software; the Free Software Foundation
+gives unlimited permision to copy, distribute and modify it."
+
+while test $[#] != 0
+do
+  case $[1] in
+    --version | --v* | -V )
+      echo "$lt_cl_version"; exit 0 ;;
+    --help | --h* | -h )
+      echo "$lt_cl_help"; exit 0 ;;
+    --debug | --d* | -d )
+      debug=: ;;
+    --quiet | --q* | --silent | --s* | -q )
+      lt_cl_silent=: ;;
+
+    -*) AC_MSG_ERROR([unrecognized option: $[1]
+Try \`$[0] --help' for more information.]) ;;
+
+    *) AC_MSG_ERROR([unrecognized argument: $[1]
+Try \`$[0] --help' for more information.]) ;;
+  esac
+  shift
+done
+
+if $lt_cl_silent; then
+  exec AS_MESSAGE_FD>/dev/null
+fi
+_LTEOF
+
+cat >>"$CONFIG_LT" <<_LTEOF
+_LT_OUTPUT_LIBTOOL_COMMANDS_INIT
+_LTEOF
+
+cat >>"$CONFIG_LT" <<\_LTEOF
+AC_MSG_NOTICE([creating $ofile])
+_LT_OUTPUT_LIBTOOL_COMMANDS
+AS_EXIT(0)
+_LTEOF
+chmod +x "$CONFIG_LT"
+
+# configure is writing to config.log, but config.lt does its own redirection,
+# appending to config.log, which fails on DOS, as config.log is still kept
+# open by configure.  Here we exec the FD to /dev/null, effectively closing
+# config.log, so it can be properly (re)opened and appended to by config.lt.
+if test "$no_create" != yes; then
+  lt_cl_success=:
+  test "$silent" = yes &&
+    lt_config_lt_args="$lt_config_lt_args --quiet"
+  exec AS_MESSAGE_LOG_FD>/dev/null
+  $SHELL "$CONFIG_LT" $lt_config_lt_args || lt_cl_success=false
+  exec AS_MESSAGE_LOG_FD>>config.log
+  $lt_cl_success || AS_EXIT(1)
+fi
+])# LT_OUTPUT
+
+
+# _LT_CONFIG(TAG)
+# ---------------
+# If TAG is the built-in tag, create an initial libtool script with a
+# default configuration from the untagged config vars.  Otherwise add code
+# to config.status for appending the configuration named by TAG from the
+# matching tagged config vars.
+m4_defun([_LT_CONFIG],
+[m4_require([_LT_FILEUTILS_DEFAULTS])dnl
+_LT_CONFIG_SAVE_COMMANDS([
+  m4_define([_LT_TAG], m4_if([$1], [], [C], [$1]))dnl
+  m4_if(_LT_TAG, [C], [
+    # See if we are running on zsh, and set the options which allow our
+    # commands through without removal of \ escapes.
+    if test -n "${ZSH_VERSION+set}" ; then
+      setopt NO_GLOB_SUBST
+    fi
+
+    cfgfile="${ofile}T"
+    trap "$RM \"$cfgfile\"; exit 1" 1 2 15
+    $RM "$cfgfile"
+
+    cat <<_LT_EOF >> "$cfgfile"
+#! $SHELL
+
+# `$ECHO "$ofile" | sed 's%^.*/%%'` - Provide generalized library-building support services.
+# Generated automatically by $as_me ($PACKAGE$TIMESTAMP) $VERSION
+# Libtool was configured on host `(hostname || uname -n) 2>/dev/null | sed 1q`:
+# NOTE: Changes made to this file will be lost: look at ltmain.sh.
+#
+_LT_COPYING
+_LT_LIBTOOL_TAGS
+
+# ### BEGIN LIBTOOL CONFIG
+_LT_LIBTOOL_CONFIG_VARS
+_LT_LIBTOOL_TAG_VARS
+# ### END LIBTOOL CONFIG
+
+_LT_EOF
+
+  case $host_os in
+  aix3*)
+    cat <<\_LT_EOF >> "$cfgfile"
+# AIX sometimes has problems with the GCC collect2 program.  For some
+# reason, if we set the COLLECT_NAMES environment variable, the problems
+# vanish in a puff of smoke.
+if test "X${COLLECT_NAMES+set}" != Xset; then
+  COLLECT_NAMES=
+  export COLLECT_NAMES
+fi
+_LT_EOF
+    ;;
+  esac
+
+  _LT_PROG_LTMAIN
+
+  # We use sed instead of cat because bash on DJGPP gets confused if
+  # if finds mixed CR/LF and LF-only lines.  Since sed operates in
+  # text mode, it properly converts lines to CR/LF.  This bash problem
+  # is reportedly fixed, but why not run on old versions too?
+  sed '/^# Generated shell functions inserted here/q' "$ltmain" >> "$cfgfile" \
+    || (rm -f "$cfgfile"; exit 1)
+
+  _LT_PROG_XSI_SHELLFNS
+
+  sed -n '/^# Generated shell functions inserted here/,$p' "$ltmain" >> "$cfgfile" \
+    || (rm -f "$cfgfile"; exit 1)
+
+  mv -f "$cfgfile" "$ofile" ||
+    (rm -f "$ofile" && cp "$cfgfile" "$ofile" && rm -f "$cfgfile")
+  chmod +x "$ofile"
+],
+[cat <<_LT_EOF >> "$ofile"
+
+dnl Unfortunately we have to use $1 here, since _LT_TAG is not expanded
+dnl in a comment (ie after a #).
+# ### BEGIN LIBTOOL TAG CONFIG: $1
+_LT_LIBTOOL_TAG_VARS(_LT_TAG)
+# ### END LIBTOOL TAG CONFIG: $1
+_LT_EOF
+])dnl /m4_if
+],
+[m4_if([$1], [], [
+    PACKAGE='$PACKAGE'
+    VERSION='$VERSION'
+    TIMESTAMP='$TIMESTAMP'
+    RM='$RM'
+    ofile='$ofile'], [])
+])dnl /_LT_CONFIG_SAVE_COMMANDS
+])# _LT_CONFIG
+
+
+# LT_SUPPORTED_TAG(TAG)
+# ---------------------
+# Trace this macro to discover what tags are supported by the libtool
+# --tag option, using:
+#    autoconf --trace 'LT_SUPPORTED_TAG:$1'
+AC_DEFUN([LT_SUPPORTED_TAG], [])
+
+
+# C support is built-in for now
+m4_define([_LT_LANG_C_enabled], [])
+m4_define([_LT_TAGS], [])
+
+
+# LT_LANG(LANG)
+# -------------
+# Enable libtool support for the given language if not already enabled.
+AC_DEFUN([LT_LANG],
+[AC_BEFORE([$0], [LT_OUTPUT])dnl
+m4_case([$1],
+  [C],			[_LT_LANG(C)],
+  [C++],		[_LT_LANG(CXX)],
+  [Java],		[_LT_LANG(GCJ)],
+  [Fortran 77],		[_LT_LANG(F77)],
+  [Fortran],		[_LT_LANG(FC)],
+  [Windows Resource],	[_LT_LANG(RC)],
+  [m4_ifdef([_LT_LANG_]$1[_CONFIG],
+    [_LT_LANG($1)],
+    [m4_fatal([$0: unsupported language: "$1"])])])dnl
+])# LT_LANG
+
+
+# _LT_LANG(LANGNAME)
+# ------------------
+m4_defun([_LT_LANG],
+[m4_ifdef([_LT_LANG_]$1[_enabled], [],
+  [LT_SUPPORTED_TAG([$1])dnl
+  m4_append([_LT_TAGS], [$1 ])dnl
+  m4_define([_LT_LANG_]$1[_enabled], [])dnl
+  _LT_LANG_$1_CONFIG($1)])dnl
+])# _LT_LANG
+
+
+# _LT_LANG_DEFAULT_CONFIG
+# -----------------------
+m4_defun([_LT_LANG_DEFAULT_CONFIG],
+[AC_PROVIDE_IFELSE([AC_PROG_CXX],
+  [LT_LANG(CXX)],
+  [m4_define([AC_PROG_CXX], defn([AC_PROG_CXX])[LT_LANG(CXX)])])
+
+AC_PROVIDE_IFELSE([AC_PROG_F77],
+  [LT_LANG(F77)],
+  [m4_define([AC_PROG_F77], defn([AC_PROG_F77])[LT_LANG(F77)])])
+
+AC_PROVIDE_IFELSE([AC_PROG_FC],
+  [LT_LANG(FC)],
+  [m4_define([AC_PROG_FC], defn([AC_PROG_FC])[LT_LANG(FC)])])
+
+dnl The call to [A][M_PROG_GCJ] is quoted like that to stop aclocal
+dnl pulling things in needlessly.
+AC_PROVIDE_IFELSE([AC_PROG_GCJ],
+  [LT_LANG(GCJ)],
+  [AC_PROVIDE_IFELSE([A][M_PROG_GCJ],
+    [LT_LANG(GCJ)],
+    [AC_PROVIDE_IFELSE([LT_PROG_GCJ],
+      [LT_LANG(GCJ)],
+      [m4_ifdef([AC_PROG_GCJ],
+	[m4_define([AC_PROG_GCJ], defn([AC_PROG_GCJ])[LT_LANG(GCJ)])])
+       m4_ifdef([A][M_PROG_GCJ],
+	[m4_define([A][M_PROG_GCJ], defn([A][M_PROG_GCJ])[LT_LANG(GCJ)])])
+       m4_ifdef([LT_PROG_GCJ],
+	[m4_define([LT_PROG_GCJ], defn([LT_PROG_GCJ])[LT_LANG(GCJ)])])])])])
+
+AC_PROVIDE_IFELSE([LT_PROG_RC],
+  [LT_LANG(RC)],
+  [m4_define([LT_PROG_RC], defn([LT_PROG_RC])[LT_LANG(RC)])])
+])# _LT_LANG_DEFAULT_CONFIG
+
+# Obsolete macros:
+AU_DEFUN([AC_LIBTOOL_CXX], [LT_LANG(C++)])
+AU_DEFUN([AC_LIBTOOL_F77], [LT_LANG(Fortran 77)])
+AU_DEFUN([AC_LIBTOOL_FC], [LT_LANG(Fortran)])
+AU_DEFUN([AC_LIBTOOL_GCJ], [LT_LANG(Java)])
+dnl aclocal-1.4 backwards compatibility:
+dnl AC_DEFUN([AC_LIBTOOL_CXX], [])
+dnl AC_DEFUN([AC_LIBTOOL_F77], [])
+dnl AC_DEFUN([AC_LIBTOOL_FC], [])
+dnl AC_DEFUN([AC_LIBTOOL_GCJ], [])
+
+
+# _LT_TAG_COMPILER
+# ----------------
+m4_defun([_LT_TAG_COMPILER],
 [AC_REQUIRE([AC_PROG_CC])dnl
 
+_LT_DECL([LTCC], [CC], [1], [A C compiler])dnl
+_LT_DECL([LTCFLAGS], [CFLAGS], [1], [LTCC compiler flags])dnl
+_LT_TAGDECL([CC], [compiler], [1], [A language specific compiler])dnl
+_LT_TAGDECL([with_gcc], [GCC], [0], [Is the compiler the GNU compiler?])dnl
+
 # If no C compiler was specified, use CC.
 LTCC=${LTCC-"$CC"}
 
@@ -248,36 +871,20 @@ LTCFLAGS=${LTCFLAGS-"$CFLAGS"}
 
 # Allow CC to be a program name with arguments.
 compiler=$CC
-])# _LT_AC_SYS_COMPILER
-
-
-# _LT_CC_BASENAME(CC)
-# -------------------
-# Calculate cc_basename.  Skip known compiler wrappers and cross-prefix.
-AC_DEFUN([_LT_CC_BASENAME],
-[for cc_temp in $1""; do
-  case $cc_temp in
-    compile | *[[\\/]]compile | ccache | *[[\\/]]ccache ) ;;
-    distcc | *[[\\/]]distcc | purify | *[[\\/]]purify ) ;;
-    \-*) ;;
-    *) break;;
-  esac
-done
-cc_basename=`$echo "X$cc_temp" | $Xsed -e 's%.*/%%' -e "s%^$host_alias-%%"`
-])
+])# _LT_TAG_COMPILER
 
 
 # _LT_COMPILER_BOILERPLATE
 # ------------------------
 # Check for compiler boilerplate output or warnings with
 # the simple compiler test code.
-AC_DEFUN([_LT_COMPILER_BOILERPLATE],
-[AC_REQUIRE([LT_AC_PROG_SED])dnl
+m4_defun([_LT_COMPILER_BOILERPLATE],
+[m4_require([_LT_DECL_SED])dnl
 ac_outfile=conftest.$ac_objext
 echo "$lt_simple_compile_test_code" >conftest.$ac_ext
 eval "$ac_compile" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err
 _lt_compiler_boilerplate=`cat conftest.err`
-$rm conftest*
+$RM conftest*
 ])# _LT_COMPILER_BOILERPLATE
 
 
@@ -285,39 +892,57 @@ $rm conftest*
 # ----------------------
 # Check for linker boilerplate output or warnings with
 # the simple link test code.
-AC_DEFUN([_LT_LINKER_BOILERPLATE],
-[AC_REQUIRE([LT_AC_PROG_SED])dnl
+m4_defun([_LT_LINKER_BOILERPLATE],
+[m4_require([_LT_DECL_SED])dnl
 ac_outfile=conftest.$ac_objext
 echo "$lt_simple_link_test_code" >conftest.$ac_ext
 eval "$ac_link" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err
 _lt_linker_boilerplate=`cat conftest.err`
-$rm -r conftest*
+$RM -r conftest*
 ])# _LT_LINKER_BOILERPLATE
 
 # _LT_REQUIRED_DARWIN_CHECKS
-# --------------------------
-# Check for some things on darwin
-AC_DEFUN([_LT_REQUIRED_DARWIN_CHECKS],[
+# -------------------------
+m4_defun_once([_LT_REQUIRED_DARWIN_CHECKS],[
   case $host_os in
     rhapsody* | darwin*)
     AC_CHECK_TOOL([DSYMUTIL], [dsymutil], [:])
     AC_CHECK_TOOL([NMEDIT], [nmedit], [:])
+    AC_CHECK_TOOL([LIPO], [lipo], [:])
+    AC_CHECK_TOOL([OTOOL], [otool], [:])
+    AC_CHECK_TOOL([OTOOL64], [otool64], [:])
+    _LT_DECL([], [DSYMUTIL], [1],
+      [Tool to manipulate archived DWARF debug symbol files on Mac OS X])
+    _LT_DECL([], [NMEDIT], [1],
+      [Tool to change global to local symbols on Mac OS X])
+    _LT_DECL([], [LIPO], [1],
+      [Tool to manipulate fat objects and archives on Mac OS X])
+    _LT_DECL([], [OTOOL], [1],
+      [ldd/readelf like tool for Mach-O binaries on Mac OS X])
+    _LT_DECL([], [OTOOL64], [1],
+      [ldd/readelf like tool for 64 bit Mach-O binaries on Mac OS X 10.4])
 
     AC_CACHE_CHECK([for -single_module linker flag],[lt_cv_apple_cc_single_mod],
       [lt_cv_apple_cc_single_mod=no
       if test -z "${LT_MULTI_MODULE}"; then
-   # By default we will add the -single_module flag. You can override
-   # by either setting the environment variable LT_MULTI_MODULE
-   # non-empty at configure time, or by adding -multi_module to the
-   # link flags.
-   echo "int foo(void){return 1;}" > conftest.c
-   $LTCC $LTCFLAGS $LDFLAGS -o libconftest.dylib \
-     -dynamiclib ${wl}-single_module conftest.c
-   if test -f libconftest.dylib; then
-     lt_cv_apple_cc_single_mod=yes
-     rm -rf libconftest.dylib*
-   fi
-   rm conftest.c
+	# By default we will add the -single_module flag. You can override
+	# by either setting the environment variable LT_MULTI_MODULE
+	# non-empty at configure time, or by adding -multi_module to the
+	# link flags.
+	rm -rf libconftest.dylib*
+	echo "int foo(void){return 1;}" > conftest.c
+	echo "$LTCC $LTCFLAGS $LDFLAGS -o libconftest.dylib \
+-dynamiclib -Wl,-single_module conftest.c" >&AS_MESSAGE_LOG_FD
+	$LTCC $LTCFLAGS $LDFLAGS -o libconftest.dylib \
+	  -dynamiclib -Wl,-single_module conftest.c 2>conftest.err
+        _lt_result=$?
+	if test -f libconftest.dylib && test ! -s conftest.err && test $_lt_result = 0; then
+	  lt_cv_apple_cc_single_mod=yes
+	else
+	  cat conftest.err >&AS_MESSAGE_LOG_FD
+	fi
+	rm -rf libconftest.dylib*
+	rm -f conftest.*
       fi])
     AC_CACHE_CHECK([for -exported_symbols_list linker flag],
       [lt_cv_ld_exported_symbols_list],
@@ -326,26 +951,26 @@ AC_DEFUN([_LT_REQUIRED_DARWIN_CHECKS],[
       echo "_main" > conftest.sym
       LDFLAGS="$LDFLAGS -Wl,-exported_symbols_list,conftest.sym"
       AC_LINK_IFELSE([AC_LANG_PROGRAM([],[])],
-   [lt_cv_ld_exported_symbols_list=yes],
-   [lt_cv_ld_exported_symbols_list=no])
-   LDFLAGS="$save_LDFLAGS"
+	[lt_cv_ld_exported_symbols_list=yes],
+	[lt_cv_ld_exported_symbols_list=no])
+	LDFLAGS="$save_LDFLAGS"
     ])
     case $host_os in
-    rhapsody* | darwin1.[[0123]])
+    rhapsody* | darwin1.[[012]])
       _lt_dar_allow_undefined='${wl}-undefined ${wl}suppress' ;;
     darwin1.*)
-     _lt_dar_allow_undefined='${wl}-flat_namespace ${wl}-undefined ${wl}suppress' ;;
-    darwin*)
+      _lt_dar_allow_undefined='${wl}-flat_namespace ${wl}-undefined ${wl}suppress' ;;
+    darwin*) # darwin 5.x on 
       # if running on 10.5 or later, the deployment target defaults
       # to the OS version, if on x86, and 10.4, the deployment
-      # target defaults to 10.4. Don't you love it?
+      # target defaults to 10.4. Don't you love it? 
       case ${MACOSX_DEPLOYMENT_TARGET-10.0},$host in
-   10.0,*86*-darwin8*|10.0,*-darwin[[91]]*)
-     _lt_dar_allow_undefined='${wl}-undefined ${wl}dynamic_lookup' ;;
-   10.[[012]]*)
-     _lt_dar_allow_undefined='${wl}-flat_namespace ${wl}-undefined ${wl}suppress' ;;
-   10.*)
-     _lt_dar_allow_undefined='${wl}-undefined ${wl}dynamic_lookup' ;;
+	10.0,*86*-darwin8*|10.0,*-darwin[[91]]*)
+	  _lt_dar_allow_undefined='${wl}-undefined ${wl}dynamic_lookup' ;;
+	10.[[012]]*)
+	  _lt_dar_allow_undefined='${wl}-flat_namespace ${wl}-undefined ${wl}suppress' ;;
+	10.*)
+	  _lt_dar_allow_undefined='${wl}-undefined ${wl}dynamic_lookup' ;;
       esac
     ;;
   esac
@@ -355,10 +980,10 @@ AC_DEFUN([_LT_REQUIRED_DARWIN_CHECKS],[
     if test "$lt_cv_ld_exported_symbols_list" = "yes"; then
       _lt_dar_export_syms=' ${wl}-exported_symbols_list,$output_objdir/${libname}-symbols.expsym'
     else
-      _lt_dar_export_syms="~$NMEDIT -s \$output_objdir/\${libname}-symbols.expsym \${lib}"
+      _lt_dar_export_syms='~$NMEDIT -s $output_objdir/${libname}-symbols.expsym ${lib}'
     fi
     if test "$DSYMUTIL" != ":"; then
-      _lt_dsymutil="~$DSYMUTIL \$lib || :"
+      _lt_dsymutil='~$DSYMUTIL $lib || :'
     else
       _lt_dsymutil=
     fi
@@ -366,16 +991,47 @@ AC_DEFUN([_LT_REQUIRED_DARWIN_CHECKS],[
   esac
 ])
 
-# _LT_AC_SYS_LIBPATH_AIX
-# ----------------------
+
+# _LT_DARWIN_LINKER_FEATURES
+# --------------------------
+# Checks for linker and compiler features on darwin
+m4_defun([_LT_DARWIN_LINKER_FEATURES],
+[
+  m4_require([_LT_REQUIRED_DARWIN_CHECKS])
+  _LT_TAGVAR(archive_cmds_need_lc, $1)=no
+  _LT_TAGVAR(hardcode_direct, $1)=no
+  _LT_TAGVAR(hardcode_automatic, $1)=yes
+  _LT_TAGVAR(hardcode_shlibpath_var, $1)=unsupported
+  _LT_TAGVAR(whole_archive_flag_spec, $1)=''
+  _LT_TAGVAR(link_all_deplibs, $1)=yes
+  _LT_TAGVAR(allow_undefined_flag, $1)="$_lt_dar_allow_undefined"
+  if test "$GCC" = "yes"; then
+    output_verbose_link_cmd=echo
+    _LT_TAGVAR(archive_cmds, $1)="\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$libobjs \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring $_lt_dar_single_mod${_lt_dsymutil}"
+    _LT_TAGVAR(module_cmds, $1)="\$CC \$allow_undefined_flag -o \$lib -bundle \$libobjs \$deplibs \$compiler_flags${_lt_dsymutil}"
+    _LT_TAGVAR(archive_expsym_cmds, $1)="sed 's,^,_,' < \$export_symbols > \$output_objdir/\${libname}-symbols.expsym~\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$libobjs \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring ${_lt_dar_single_mod}${_lt_dar_export_syms}${_lt_dsymutil}"
+    _LT_TAGVAR(module_expsym_cmds, $1)="sed -e 's,^,_,' < \$export_symbols > \$output_objdir/\${libname}-symbols.expsym~\$CC \$allow_undefined_flag -o \$lib -bundle \$libobjs \$deplibs \$compiler_flags${_lt_dar_export_syms}${_lt_dsymutil}"
+    m4_if([$1], [CXX],
+[   if test "$lt_cv_apple_cc_single_mod" != "yes"; then
+      _LT_TAGVAR(archive_cmds, $1)="\$CC -r -keep_private_externs -nostdlib -o \${lib}-master.o \$libobjs~\$CC -dynamiclib \$allow_undefined_flag -o \$lib \${lib}-master.o \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring${_lt_dsymutil}"
+      _LT_TAGVAR(archive_expsym_cmds, $1)="sed 's,^,_,' < \$export_symbols > \$output_objdir/\${libname}-symbols.expsym~\$CC -r -keep_private_externs -nostdlib -o \${lib}-master.o \$libobjs~\$CC -dynamiclib \$allow_undefined_flag -o \$lib \${lib}-master.o \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring${_lt_dar_export_syms}${_lt_dsymutil}"
+    fi
+],[])
+  else
+  _LT_TAGVAR(ld_shlibs, $1)=no
+  fi
+])
+
+# _LT_SYS_MODULE_PATH_AIX
+# -----------------------
 # Links a minimal program and checks the executable
 # for the system default hardcoded library path. In most cases,
 # this is /usr/lib:/lib, but when the MPI compilers are used
 # the location of the communication and MPI libs are included too.
 # If we don't find anything, use the default library path according
 # to the aix ld manual.
-AC_DEFUN([_LT_AC_SYS_LIBPATH_AIX],
-[AC_REQUIRE([LT_AC_PROG_SED])dnl
+m4_defun([_LT_SYS_MODULE_PATH_AIX],
+[m4_require([_LT_DECL_SED])dnl
 AC_LINK_IFELSE(AC_LANG_PROGRAM,[
 lt_aix_libpath_sed='
     /Import File Strings/,/^$/ {
@@ -390,45 +1046,45 @@ if test -z "$aix_libpath"; then
   aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
 fi],[])
 if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
-])# _LT_AC_SYS_LIBPATH_AIX
+])# _LT_SYS_MODULE_PATH_AIX
 
 
-# _LT_AC_SHELL_INIT(ARG)
-# ----------------------
-AC_DEFUN([_LT_AC_SHELL_INIT],
+# _LT_SHELL_INIT(ARG)
+# -------------------
+m4_define([_LT_SHELL_INIT],
 [ifdef([AC_DIVERSION_NOTICE],
 	     [AC_DIVERT_PUSH(AC_DIVERSION_NOTICE)],
 	 [AC_DIVERT_PUSH(NOTICE)])
 $1
 AC_DIVERT_POP
-])# _LT_AC_SHELL_INIT
+])# _LT_SHELL_INIT
 
 
-# _LT_AC_PROG_ECHO_BACKSLASH
-# --------------------------
+# _LT_PROG_ECHO_BACKSLASH
+# -----------------------
 # Add some code to the start of the generated configure script which
 # will find an echo command which doesn't interpret backslashes.
-AC_DEFUN([_LT_AC_PROG_ECHO_BACKSLASH],
-[_LT_AC_SHELL_INIT([
+m4_defun([_LT_PROG_ECHO_BACKSLASH],
+[_LT_SHELL_INIT([
 # Check that we are running under the correct shell.
 SHELL=${CONFIG_SHELL-/bin/sh}
 
-case X$ECHO in
+case X$lt_ECHO in
 X*--fallback-echo)
   # Remove one level of quotation (which was required for Make).
-  ECHO=`echo "$ECHO" | sed 's,\\\\\[$]\\[$]0,'[$]0','`
+  ECHO=`echo "$lt_ECHO" | sed 's,\\\\\[$]\\[$]0,'[$]0','`
   ;;
 esac
 
-echo=${ECHO-echo}
+ECHO=${lt_ECHO-echo}
 if test "X[$]1" = X--no-reexec; then
   # Discard the --no-reexec flag, and continue.
   shift
 elif test "X[$]1" = X--fallback-echo; then
   # Avoid inline document here, it may be left over
   :
-elif test "X`($echo '\t') 2>/dev/null`" = 'X\t' ; then
-  # Yippee, $echo works!
+elif test "X`{ $ECHO '\t'; } 2>/dev/null`" = 'X\t' ; then
+  # Yippee, $ECHO works!
   :
 else
   # Restart under the correct shell.
@@ -438,9 +1094,9 @@ fi
 if test "X[$]1" = X--fallback-echo; then
   # used as fallback echo
   shift
-  cat <<EOF
+  cat <<_LT_EOF
 [$]*
-EOF
+_LT_EOF
   exit 0
 fi
 
@@ -448,124 +1104,127 @@ fi
 # if CDPATH is set.
 (unset CDPATH) >/dev/null 2>&1 && unset CDPATH
 
-if test -z "$ECHO"; then
-if test "X${echo_test_string+set}" != Xset; then
-# find a string as large as possible, as long as the shell can cope with it
-  for cmd in 'sed 50q "[$]0"' 'sed 20q "[$]0"' 'sed 10q "[$]0"' 'sed 2q "[$]0"' 'echo test'; do
-    # expected sizes: less than 2Kb, 1Kb, 512 bytes, 16 bytes, ...
-    if (echo_test_string=`eval $cmd`) 2>/dev/null &&
-       echo_test_string=`eval $cmd` &&
-       (test "X$echo_test_string" = "X$echo_test_string") 2>/dev/null
-    then
-      break
-    fi
-  done
-fi
+if test -z "$lt_ECHO"; then
+  if test "X${echo_test_string+set}" != Xset; then
+    # find a string as large as possible, as long as the shell can cope with it
+    for cmd in 'sed 50q "[$]0"' 'sed 20q "[$]0"' 'sed 10q "[$]0"' 'sed 2q "[$]0"' 'echo test'; do
+      # expected sizes: less than 2Kb, 1Kb, 512 bytes, 16 bytes, ...
+      if { echo_test_string=`eval $cmd`; } 2>/dev/null &&
+	 { test "X$echo_test_string" = "X$echo_test_string"; } 2>/dev/null
+      then
+        break
+      fi
+    done
+  fi
 
-if test "X`($echo '\t') 2>/dev/null`" = 'X\t' &&
-   echo_testing_string=`($echo "$echo_test_string") 2>/dev/null` &&
-   test "X$echo_testing_string" = "X$echo_test_string"; then
-  :
-else
-  # The Solaris, AIX, and Digital Unix default echo programs unquote
-  # backslashes.  This makes it impossible to quote backslashes using
-  #   echo "$something" | sed 's/\\/\\\\/g'
-  #
-  # So, first we look for a working echo in the user's PATH.
+  if test "X`{ $ECHO '\t'; } 2>/dev/null`" = 'X\t' &&
+     echo_testing_string=`{ $ECHO "$echo_test_string"; } 2>/dev/null` &&
+     test "X$echo_testing_string" = "X$echo_test_string"; then
+    :
+  else
+    # The Solaris, AIX, and Digital Unix default echo programs unquote
+    # backslashes.  This makes it impossible to quote backslashes using
+    #   echo "$something" | sed 's/\\/\\\\/g'
+    #
+    # So, first we look for a working echo in the user's PATH.
 
-  lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR
-  for dir in $PATH /usr/ucb; do
+    lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR
+    for dir in $PATH /usr/ucb; do
+      IFS="$lt_save_ifs"
+      if (test -f $dir/echo || test -f $dir/echo$ac_exeext) &&
+         test "X`($dir/echo '\t') 2>/dev/null`" = 'X\t' &&
+         echo_testing_string=`($dir/echo "$echo_test_string") 2>/dev/null` &&
+         test "X$echo_testing_string" = "X$echo_test_string"; then
+        ECHO="$dir/echo"
+        break
+      fi
+    done
     IFS="$lt_save_ifs"
-    if (test -f $dir/echo || test -f $dir/echo$ac_exeext) &&
-       test "X`($dir/echo '\t') 2>/dev/null`" = 'X\t' &&
-       echo_testing_string=`($dir/echo "$echo_test_string") 2>/dev/null` &&
-       test "X$echo_testing_string" = "X$echo_test_string"; then
-      echo="$dir/echo"
-      break
-    fi
-  done
-  IFS="$lt_save_ifs"
 
-  if test "X$echo" = Xecho; then
-    # We didn't find a better echo, so look for alternatives.
-    if test "X`(print -r '\t') 2>/dev/null`" = 'X\t' &&
-       echo_testing_string=`(print -r "$echo_test_string") 2>/dev/null` &&
-       test "X$echo_testing_string" = "X$echo_test_string"; then
-      # This shell has a builtin print -r that does the trick.
-      echo='print -r'
-    elif (test -f /bin/ksh || test -f /bin/ksh$ac_exeext) &&
-	 test "X$CONFIG_SHELL" != X/bin/ksh; then
-      # If we have ksh, try running configure again with it.
-      ORIGINAL_CONFIG_SHELL=${CONFIG_SHELL-/bin/sh}
-      export ORIGINAL_CONFIG_SHELL
-      CONFIG_SHELL=/bin/ksh
-      export CONFIG_SHELL
-      exec $CONFIG_SHELL "[$]0" --no-reexec ${1+"[$]@"}
-    else
-      # Try using printf.
-      echo='printf %s\n'
-      if test "X`($echo '\t') 2>/dev/null`" = 'X\t' &&
-	 echo_testing_string=`($echo "$echo_test_string") 2>/dev/null` &&
-	 test "X$echo_testing_string" = "X$echo_test_string"; then
-	# Cool, printf works
-	:
-      elif echo_testing_string=`($ORIGINAL_CONFIG_SHELL "[$]0" --fallback-echo '\t') 2>/dev/null` &&
-	   test "X$echo_testing_string" = 'X\t' &&
-	   echo_testing_string=`($ORIGINAL_CONFIG_SHELL "[$]0" --fallback-echo "$echo_test_string") 2>/dev/null` &&
-	   test "X$echo_testing_string" = "X$echo_test_string"; then
-	CONFIG_SHELL=$ORIGINAL_CONFIG_SHELL
-	export CONFIG_SHELL
-	SHELL="$CONFIG_SHELL"
-	export SHELL
-	echo="$CONFIG_SHELL [$]0 --fallback-echo"
-      elif echo_testing_string=`($CONFIG_SHELL "[$]0" --fallback-echo '\t') 2>/dev/null` &&
-	   test "X$echo_testing_string" = 'X\t' &&
-	   echo_testing_string=`($CONFIG_SHELL "[$]0" --fallback-echo "$echo_test_string") 2>/dev/null` &&
-	   test "X$echo_testing_string" = "X$echo_test_string"; then
-	echo="$CONFIG_SHELL [$]0 --fallback-echo"
+    if test "X$ECHO" = Xecho; then
+      # We didn't find a better echo, so look for alternatives.
+      if test "X`{ print -r '\t'; } 2>/dev/null`" = 'X\t' &&
+         echo_testing_string=`{ print -r "$echo_test_string"; } 2>/dev/null` &&
+         test "X$echo_testing_string" = "X$echo_test_string"; then
+        # This shell has a builtin print -r that does the trick.
+        ECHO='print -r'
+      elif { test -f /bin/ksh || test -f /bin/ksh$ac_exeext; } &&
+	   test "X$CONFIG_SHELL" != X/bin/ksh; then
+        # If we have ksh, try running configure again with it.
+        ORIGINAL_CONFIG_SHELL=${CONFIG_SHELL-/bin/sh}
+        export ORIGINAL_CONFIG_SHELL
+        CONFIG_SHELL=/bin/ksh
+        export CONFIG_SHELL
+        exec $CONFIG_SHELL "[$]0" --no-reexec ${1+"[$]@"}
       else
-	# maybe with a smaller string...
-	prev=:
+        # Try using printf.
+        ECHO='printf %s\n'
+        if test "X`{ $ECHO '\t'; } 2>/dev/null`" = 'X\t' &&
+	   echo_testing_string=`{ $ECHO "$echo_test_string"; } 2>/dev/null` &&
+	   test "X$echo_testing_string" = "X$echo_test_string"; then
+	  # Cool, printf works
+	  :
+        elif echo_testing_string=`($ORIGINAL_CONFIG_SHELL "[$]0" --fallback-echo '\t') 2>/dev/null` &&
+	     test "X$echo_testing_string" = 'X\t' &&
+	     echo_testing_string=`($ORIGINAL_CONFIG_SHELL "[$]0" --fallback-echo "$echo_test_string") 2>/dev/null` &&
+	     test "X$echo_testing_string" = "X$echo_test_string"; then
+	  CONFIG_SHELL=$ORIGINAL_CONFIG_SHELL
+	  export CONFIG_SHELL
+	  SHELL="$CONFIG_SHELL"
+	  export SHELL
+	  ECHO="$CONFIG_SHELL [$]0 --fallback-echo"
+        elif echo_testing_string=`($CONFIG_SHELL "[$]0" --fallback-echo '\t') 2>/dev/null` &&
+	     test "X$echo_testing_string" = 'X\t' &&
+	     echo_testing_string=`($CONFIG_SHELL "[$]0" --fallback-echo "$echo_test_string") 2>/dev/null` &&
+	     test "X$echo_testing_string" = "X$echo_test_string"; then
+	  ECHO="$CONFIG_SHELL [$]0 --fallback-echo"
+        else
+	  # maybe with a smaller string...
+	  prev=:
 
-	for cmd in 'echo test' 'sed 2q "[$]0"' 'sed 10q "[$]0"' 'sed 20q "[$]0"' 'sed 50q "[$]0"'; do
-	  if (test "X$echo_test_string" = "X`eval $cmd`") 2>/dev/null
-	  then
-	    break
-	  fi
-	  prev="$cmd"
-	done
+	  for cmd in 'echo test' 'sed 2q "[$]0"' 'sed 10q "[$]0"' 'sed 20q "[$]0"' 'sed 50q "[$]0"'; do
+	    if { test "X$echo_test_string" = "X`eval $cmd`"; } 2>/dev/null
+	    then
+	      break
+	    fi
+	    prev="$cmd"
+	  done
 
-	if test "$prev" != 'sed 50q "[$]0"'; then
-	  echo_test_string=`eval $prev`
-	  export echo_test_string
-	  exec ${ORIGINAL_CONFIG_SHELL-${CONFIG_SHELL-/bin/sh}} "[$]0" ${1+"[$]@"}
-	else
-	  # Oops.  We lost completely, so just stick with echo.
-	  echo=echo
-	fi
+	  if test "$prev" != 'sed 50q "[$]0"'; then
+	    echo_test_string=`eval $prev`
+	    export echo_test_string
+	    exec ${ORIGINAL_CONFIG_SHELL-${CONFIG_SHELL-/bin/sh}} "[$]0" ${1+"[$]@"}
+	  else
+	    # Oops.  We lost completely, so just stick with echo.
+	    ECHO=echo
+	  fi
+        fi
       fi
     fi
   fi
 fi
-fi
 
 # Copy echo and quote the copy suitably for passing to libtool from
 # the Makefile, instead of quoting the original, which is used later.
-ECHO=$echo
-if test "X$ECHO" = "X$CONFIG_SHELL [$]0 --fallback-echo"; then
-   ECHO="$CONFIG_SHELL \\\$\[$]0 --fallback-echo"
+lt_ECHO=$ECHO
+if test "X$lt_ECHO" = "X$CONFIG_SHELL [$]0 --fallback-echo"; then
+   lt_ECHO="$CONFIG_SHELL \\\$\[$]0 --fallback-echo"
 fi
 
-AC_SUBST(ECHO)
-])])# _LT_AC_PROG_ECHO_BACKSLASH
+AC_SUBST(lt_ECHO)
+])
+_LT_DECL([], [SHELL], [1], [Shell to use when invoking shell scripts])
+_LT_DECL([], [ECHO], [1],
+    [An echo program that does not interpret backslashes])
+])# _LT_PROG_ECHO_BACKSLASH
 
 
-# _LT_AC_LOCK
-# -----------
-AC_DEFUN([_LT_AC_LOCK],
+# _LT_ENABLE_LOCK
+# ---------------
+m4_defun([_LT_ENABLE_LOCK],
 [AC_ARG_ENABLE([libtool-lock],
-    [AC_HELP_STRING([--disable-libtool-lock],
-	[avoid locking (might break parallel builds)])])
+  [AS_HELP_STRING([--disable-libtool-lock],
+    [avoid locking (might break parallel builds)])])
 test "x$enable_libtool_lock" != xno && enable_libtool_lock=yes
 
 # Some flags need to be propagated to the compiler or linker for good
@@ -576,12 +1235,12 @@ ia64-*-hpux*)
   echo 'int i;' > conftest.$ac_ext
   if AC_TRY_EVAL(ac_compile); then
     case `/usr/bin/file conftest.$ac_objext` in
-    *ELF-32*)
-      HPUX_IA64_MODE="32"
-      ;;
-    *ELF-64*)
-      HPUX_IA64_MODE="64"
-      ;;
+      *ELF-32*)
+	HPUX_IA64_MODE="32"
+	;;
+      *ELF-64*)
+	HPUX_IA64_MODE="64"
+	;;
     esac
   fi
   rm -rf conftest*
@@ -590,79 +1249,79 @@ ia64-*-hpux*)
   # Find out which ABI we are using.
   echo '[#]line __oline__ "configure"' > conftest.$ac_ext
   if AC_TRY_EVAL(ac_compile); then
-   if test "$lt_cv_prog_gnu_ld" = yes; then
-    case `/usr/bin/file conftest.$ac_objext` in
-    *32-bit*)
-      LD="${LD-ld} -melf32bsmip"
-      ;;
-    *N32*)
-      LD="${LD-ld} -melf32bmipn32"
-      ;;
-    *64-bit*)
-      LD="${LD-ld} -melf64bmip"
-      ;;
-    esac
-   else
-    case `/usr/bin/file conftest.$ac_objext` in
-    *32-bit*)
-      LD="${LD-ld} -32"
-      ;;
-    *N32*)
-      LD="${LD-ld} -n32"
-      ;;
-    *64-bit*)
-      LD="${LD-ld} -64"
-      ;;
-    esac
-   fi
+    if test "$lt_cv_prog_gnu_ld" = yes; then
+      case `/usr/bin/file conftest.$ac_objext` in
+	*32-bit*)
+	  LD="${LD-ld} -melf32bsmip"
+	  ;;
+	*N32*)
+	  LD="${LD-ld} -melf32bmipn32"
+	  ;;
+	*64-bit*)
+	  LD="${LD-ld} -melf64bmip"
+	;;
+      esac
+    else
+      case `/usr/bin/file conftest.$ac_objext` in
+	*32-bit*)
+	  LD="${LD-ld} -32"
+	  ;;
+	*N32*)
+	  LD="${LD-ld} -n32"
+	  ;;
+	*64-bit*)
+	  LD="${LD-ld} -64"
+	  ;;
+      esac
+    fi
   fi
   rm -rf conftest*
   ;;
 
 x86_64-*kfreebsd*-gnu|x86_64-*linux*|ppc*-*linux*|powerpc*-*linux*| \
-s390*-*linux*|sparc*-*linux*)
+s390*-*linux*|s390*-*tpf*|sparc*-*linux*)
   # Find out which ABI we are using.
   echo 'int i;' > conftest.$ac_ext
   if AC_TRY_EVAL(ac_compile); then
     case `/usr/bin/file conftest.o` in
-    *32-bit*)
-      case $host in
-        x86_64-*kfreebsd*-gnu)
-          LD="${LD-ld} -m elf_i386_fbsd"
-          ;;
-        x86_64-*linux*)
-          LD="${LD-ld} -m elf_i386"
-          ;;
-        ppc64-*linux*|powerpc64-*linux*)
-          LD="${LD-ld} -m elf32ppclinux"
-          ;;
-        s390x-*linux*)
-          LD="${LD-ld} -m elf_s390"
-          ;;
-        sparc64-*linux*)
-          LD="${LD-ld} -m elf32_sparc"
-          ;;
-      esac
-      ;;
-    *64-bit*)
-      case $host in
-        x86_64-*kfreebsd*-gnu)
-          LD="${LD-ld} -m elf_x86_64_fbsd"
-          ;;
-        x86_64-*linux*)
-          LD="${LD-ld} -m elf_x86_64"
-          ;;
-        ppc*-*linux*|powerpc*-*linux*)
-          LD="${LD-ld} -m elf64ppc"
-          ;;
-        s390*-*linux*)
-          LD="${LD-ld} -m elf64_s390"
-          ;;
-        sparc*-*linux*)
-          LD="${LD-ld} -m elf64_sparc"
-          ;;
-      esac
-      ;;
+      *32-bit*)
+	case $host in
+	  x86_64-*kfreebsd*-gnu)
+	    LD="${LD-ld} -m elf_i386_fbsd"
+	    ;;
+	  x86_64-*linux*)
+	    LD="${LD-ld} -m elf_i386"
+	    ;;
+	  ppc64-*linux*|powerpc64-*linux*)
+	    LD="${LD-ld} -m elf32ppclinux"
+	    ;;
+	  s390x-*linux*)
+	    LD="${LD-ld} -m elf_s390"
+	    ;;
+	  sparc64-*linux*)
+	    LD="${LD-ld} -m elf32_sparc"
+	    ;;
+	esac
+	;;
+      *64-bit*)
+	case $host in
+	  x86_64-*kfreebsd*-gnu)
+	    LD="${LD-ld} -m elf_x86_64_fbsd"
+	    ;;
+	  x86_64-*linux*)
+	    LD="${LD-ld} -m elf_x86_64"
+	    ;;
+	  ppc*-*linux*|powerpc*-*linux*)
+	    LD="${LD-ld} -m elf64ppc"
+	    ;;
+	  s390*-*linux*|s390*-*tpf*)
+	    LD="${LD-ld} -m elf64_s390"
+	    ;;
+	  sparc*-*linux*)
+	    LD="${LD-ld} -m elf64_sparc"
+	    ;;
+	esac
+	;;
     esac
   fi
   rm -rf conftest*
@@ -674,7 +1333,7 @@ s390*-*linux*|sparc*-*linux*)
   CFLAGS="$CFLAGS -belf"
   AC_CACHE_CHECK([whether the C compiler needs -belf], lt_cv_cc_needs_belf,
     [AC_LANG_PUSH(C)
-     AC_TRY_LINK([],[],[lt_cv_cc_needs_belf=yes],[lt_cv_cc_needs_belf=no])
+     AC_LINK_IFELSE([AC_LANG_PROGRAM([[]],[[]])],[lt_cv_cc_needs_belf=yes],[lt_cv_cc_needs_belf=no])
      AC_LANG_POP])
   if test x"$lt_cv_cc_needs_belf" != x"yes"; then
     # this is probably gcc 2.8.0, egcs 1.0 or newer; no need for -belf
@@ -690,7 +1349,7 @@ sparc*-*solaris*)
       case $lt_cv_prog_gnu_ld in
       yes*) LD="${LD-ld} -m elf64_sparc" ;;
       *)
-        if ${LD-ld} -64 -r -o conftest2.o conftest.o >/dev/null 2>&1; then
+	if ${LD-ld} -64 -r -o conftest2.o conftest.o >/dev/null 2>&1; then
 	  LD="${LD-ld} -64"
 	fi
 	;;
@@ -700,30 +1359,63 @@ sparc*-*solaris*)
   fi
   rm -rf conftest*
   ;;
-
-AC_PROVIDE_IFELSE([AC_LIBTOOL_WIN32_DLL],
-[*-*-cygwin* | *-*-mingw* | *-*-pw32*)
-  AC_CHECK_TOOL(DLLTOOL, dlltool, false)
-  AC_CHECK_TOOL(AS, as, false)
-  AC_CHECK_TOOL(OBJDUMP, objdump, false)
-  ;;
-  ])
 esac
 
 need_locks="$enable_libtool_lock"
+])# _LT_ENABLE_LOCK
+
+
+# _LT_CMD_OLD_ARCHIVE
+# -------------------
+m4_defun([_LT_CMD_OLD_ARCHIVE],
+[AC_CHECK_TOOL(AR, ar, false)
+test -z "$AR" && AR=ar
+test -z "$AR_FLAGS" && AR_FLAGS=cru
+_LT_DECL([], [AR], [1], [The archiver])
+_LT_DECL([], [AR_FLAGS], [1])
+
+AC_CHECK_TOOL(STRIP, strip, :)
+test -z "$STRIP" && STRIP=:
+_LT_DECL([], [STRIP], [1], [A symbol stripping program])
+
+AC_CHECK_TOOL(RANLIB, ranlib, :)
+test -z "$RANLIB" && RANLIB=:
+_LT_DECL([], [RANLIB], [1],
+    [Commands used to install an old-style archive])
 
-])# _LT_AC_LOCK
+# Determine commands to create old-style static archives.
+old_archive_cmds='$AR $AR_FLAGS $oldlib$oldobjs'
+old_postinstall_cmds='chmod 644 $oldlib'
+old_postuninstall_cmds=
+
+if test -n "$RANLIB"; then
+  case $host_os in
+  openbsd*)
+    old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB -t \$oldlib"
+    ;;
+  *)
+    old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB \$oldlib"
+    ;;
+  esac
+  old_archive_cmds="$old_archive_cmds~\$RANLIB \$oldlib"
+fi
+_LT_DECL([], [old_postinstall_cmds], [2])
+_LT_DECL([], [old_postuninstall_cmds], [2])
+_LT_TAGDECL([], [old_archive_cmds], [2],
+    [Commands used to build an old-style archive])
+])# _LT_CMD_OLD_ARCHIVE
 
 
-# AC_LIBTOOL_COMPILER_OPTION(MESSAGE, VARIABLE-NAME, FLAGS,
+# _LT_COMPILER_OPTION(MESSAGE, VARIABLE-NAME, FLAGS,
 #		[OUTPUT-FILE], [ACTION-SUCCESS], [ACTION-FAILURE])
 # ----------------------------------------------------------------
 # Check whether the given compiler option works
-AC_DEFUN([AC_LIBTOOL_COMPILER_OPTION],
-[AC_REQUIRE([LT_AC_PROG_SED])
+AC_DEFUN([_LT_COMPILER_OPTION],
+[m4_require([_LT_FILEUTILS_DEFAULTS])dnl
+m4_require([_LT_DECL_SED])dnl
 AC_CACHE_CHECK([$1], [$2],
   [$2=no
-  ifelse([$4], , [ac_outfile=conftest.$ac_objext], [ac_outfile=$4])
+   m4_if([$4], , [ac_outfile=conftest.$ac_objext], [ac_outfile=$4])
    echo "$lt_simple_compile_test_code" > conftest.$ac_ext
    lt_compiler_flag="$3"
    # Insert the option either (1) after the last *FLAGS variable, or
@@ -743,29 +1435,35 @@ AC_CACHE_CHECK([$1], [$2],
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
-     $echo "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' >conftest.exp
+     $ECHO "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' >conftest.exp
      $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2
      if test ! -s conftest.er2 || diff conftest.exp conftest.er2 >/dev/null; then
        $2=yes
      fi
    fi
-   $rm conftest*
+   $RM conftest*
 ])
 
 if test x"[$]$2" = xyes; then
-    ifelse([$5], , :, [$5])
+    m4_if([$5], , :, [$5])
 else
-    ifelse([$6], , :, [$6])
+    m4_if([$6], , :, [$6])
 fi
-])# AC_LIBTOOL_COMPILER_OPTION
+])# _LT_COMPILER_OPTION
 
+# Old name:
+AU_ALIAS([AC_LIBTOOL_COMPILER_OPTION], [_LT_COMPILER_OPTION])
+dnl aclocal-1.4 backwards compatibility:
+dnl AC_DEFUN([AC_LIBTOOL_COMPILER_OPTION], [])
 
-# AC_LIBTOOL_LINKER_OPTION(MESSAGE, VARIABLE-NAME, FLAGS,
-#                          [ACTION-SUCCESS], [ACTION-FAILURE])
-# ------------------------------------------------------------
-# Check whether the given compiler option works
-AC_DEFUN([AC_LIBTOOL_LINKER_OPTION],
-[AC_REQUIRE([LT_AC_PROG_SED])dnl
+
+# _LT_LINKER_OPTION(MESSAGE, VARIABLE-NAME, FLAGS,
+#                  [ACTION-SUCCESS], [ACTION-FAILURE])
+# ----------------------------------------------------
+# Check whether the given linker option works
+AC_DEFUN([_LT_LINKER_OPTION],
+[m4_require([_LT_FILEUTILS_DEFAULTS])dnl
+m4_require([_LT_DECL_SED])dnl
 AC_CACHE_CHECK([$1], [$2],
   [$2=no
    save_LDFLAGS="$LDFLAGS"
@@ -777,7 +1475,7 @@ AC_CACHE_CHECK([$1], [$2],
      if test -s conftest.err; then
        # Append any errors to the config.log.
        cat conftest.err 1>&AS_MESSAGE_LOG_FD
-       $echo "X$_lt_linker_boilerplate" | $Xsed -e '/^$/d' > conftest.exp
+       $ECHO "X$_lt_linker_boilerplate" | $Xsed -e '/^$/d' > conftest.exp
        $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2
        if diff conftest.exp conftest.er2 >/dev/null; then
          $2=yes
@@ -786,22 +1484,28 @@ AC_CACHE_CHECK([$1], [$2],
        $2=yes
      fi
    fi
-   $rm -r conftest*
+   $RM -r conftest*
    LDFLAGS="$save_LDFLAGS"
 ])
 
 if test x"[$]$2" = xyes; then
-    ifelse([$4], , :, [$4])
+    m4_if([$4], , :, [$4])
 else
-    ifelse([$5], , :, [$5])
+    m4_if([$5], , :, [$5])
 fi
-])# AC_LIBTOOL_LINKER_OPTION
+])# _LT_LINKER_OPTION
 
+# Old name:
+AU_ALIAS([AC_LIBTOOL_LINKER_OPTION], [_LT_LINKER_OPTION])
+dnl aclocal-1.4 backwards compatibility:
+dnl AC_DEFUN([AC_LIBTOOL_LINKER_OPTION], [])
 
-# AC_LIBTOOL_SYS_MAX_CMD_LEN
-# --------------------------
-AC_DEFUN([AC_LIBTOOL_SYS_MAX_CMD_LEN],
-[# find the maximum length of command line arguments
+
+# LT_CMD_MAX_LEN
+#---------------
+AC_DEFUN([LT_CMD_MAX_LEN],
+[AC_REQUIRE([AC_CANONICAL_HOST])dnl
+# find the maximum length of command line arguments
 AC_MSG_CHECKING([the maximum length of command line arguments])
 AC_CACHE_VAL([lt_cv_sys_max_cmd_len], [dnl
   i=0
@@ -878,7 +1582,7 @@ AC_CACHE_VAL([lt_cv_sys_max_cmd_len], [dnl
   sysv5* | sco5v6* | sysv4.2uw2*)
     kargmax=`grep ARG_MAX /etc/conf/cf.d/stune 2>/dev/null`
     if test -n "$kargmax"; then
-      lt_cv_sys_max_cmd_len=`echo $kargmax | sed 's/.*[[ 	]]//'`
+      lt_cv_sys_max_cmd_len=`echo $kargmax | sed 's/.*[[	 ]]//'`
     else
       lt_cv_sys_max_cmd_len=32768
     fi
@@ -889,20 +1593,28 @@ AC_CACHE_VAL([lt_cv_sys_max_cmd_len], [dnl
       lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 4`
       lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \* 3`
     else
+      # Make teststring a little bigger before we do anything with it.
+      # a 1K string should be a reasonable start.
+      for i in 1 2 3 4 5 6 7 8 ; do
+        teststring=$teststring$teststring
+      done
       SHELL=${SHELL-${CONFIG_SHELL-/bin/sh}}
-      while (test "X"`$SHELL [$]0 --fallback-echo "X$teststring" 2>/dev/null` \
-	       = "XX$teststring") >/dev/null 2>&1 &&
-	      new_result=`expr "X$teststring" : ".*" 2>&1` &&
-	      lt_cv_sys_max_cmd_len=$new_result &&
+      # If test is not a shell built-in, we'll probably end up computing a
+      # maximum length that is only half of the actual maximum length, but
+      # we can't tell.
+      while { test "X"`$SHELL [$]0 --fallback-echo "X$teststring$teststring" 2>/dev/null` \
+	         = "XX$teststring$teststring"; } >/dev/null 2>&1 &&
 	      test $i != 17 # 1/2 MB should be enough
       do
         i=`expr $i + 1`
         teststring=$teststring$teststring
       done
+      # Only check the string length outside the loop.
+      lt_cv_sys_max_cmd_len=`expr "X$teststring" : ".*" 2>&1`
       teststring=
-      # Add a significant safety factor because C++ compilers can tack on massive
-      # amounts of additional arguments before passing them to the linker.
-      # It appears as though 1/2 is a usable value.
+      # Add a significant safety factor because C++ compilers can tack on
+      # massive amounts of additional arguments before passing them to the
+      # linker.  It appears as though 1/2 is a usable value.
       lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 2`
     fi
     ;;
@@ -913,27 +1625,35 @@ if test -n $lt_cv_sys_max_cmd_len ; then
 else
   AC_MSG_RESULT(none)
 fi
-])# AC_LIBTOOL_SYS_MAX_CMD_LEN
+max_cmd_len=$lt_cv_sys_max_cmd_len
+_LT_DECL([], [max_cmd_len], [0],
+    [What is the maximum length of a command?])
+])# LT_CMD_MAX_LEN
 
+# Old name:
+AU_ALIAS([AC_LIBTOOL_SYS_MAX_CMD_LEN], [LT_CMD_MAX_LEN])
+dnl aclocal-1.4 backwards compatibility:
+dnl AC_DEFUN([AC_LIBTOOL_SYS_MAX_CMD_LEN], [])
 
-# _LT_AC_CHECK_DLFCN
-# ------------------
-AC_DEFUN([_LT_AC_CHECK_DLFCN],
-[AC_CHECK_HEADERS(dlfcn.h)dnl
-])# _LT_AC_CHECK_DLFCN
+
+# _LT_HEADER_DLFCN
+# ----------------
+m4_defun([_LT_HEADER_DLFCN],
+[AC_CHECK_HEADERS([dlfcn.h], [], [], [AC_INCLUDES_DEFAULT])dnl
+])# _LT_HEADER_DLFCN
 
 
-# _LT_AC_TRY_DLOPEN_SELF (ACTION-IF-TRUE, ACTION-IF-TRUE-W-USCORE,
-#                           ACTION-IF-FALSE, ACTION-IF-CROSS-COMPILING)
-# ---------------------------------------------------------------------
-AC_DEFUN([_LT_AC_TRY_DLOPEN_SELF],
-[AC_REQUIRE([_LT_AC_CHECK_DLFCN])dnl
+# _LT_TRY_DLOPEN_SELF (ACTION-IF-TRUE, ACTION-IF-TRUE-W-USCORE,
+#                      ACTION-IF-FALSE, ACTION-IF-CROSS-COMPILING)
+# ----------------------------------------------------------------
+m4_defun([_LT_TRY_DLOPEN_SELF],
+[m4_require([_LT_HEADER_DLFCN])dnl
 if test "$cross_compiling" = yes; then :
   [$4]
 else
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
-  cat > conftest.$ac_ext <<EOF
+  cat > conftest.$ac_ext <<_LT_EOF
 [#line __oline__ "configure"
 #include "confdefs.h"
 
@@ -996,7 +1716,7 @@ int main ()
 
     exit (status);
 }]
-EOF
+_LT_EOF
   if AC_TRY_EVAL(ac_link) && test -s conftest${ac_exeext} 2>/dev/null; then
     (./conftest; exit; ) >&AS_MESSAGE_LOG_FD 2>/dev/null
     lt_status=$?
@@ -1011,13 +1731,13 @@ EOF
   fi
 fi
 rm -fr conftest*
-])# _LT_AC_TRY_DLOPEN_SELF
+])# _LT_TRY_DLOPEN_SELF
 
 
-# AC_LIBTOOL_DLOPEN_SELF
-# ----------------------
-AC_DEFUN([AC_LIBTOOL_DLOPEN_SELF],
-[AC_REQUIRE([_LT_AC_CHECK_DLFCN])dnl
+# LT_SYS_DLOPEN_SELF
+# ------------------
+AC_DEFUN([LT_SYS_DLOPEN_SELF],
+[m4_require([_LT_HEADER_DLFCN])dnl
 if test "x$enable_dlopen" != xyes; then
   enable_dlopen=unknown
   enable_dlopen_self=unknown
@@ -1036,12 +1756,12 @@ else
   mingw* | pw32*)
     lt_cv_dlopen="LoadLibrary"
     lt_cv_dlopen_libs=
-   ;;
+    ;;
 
   cygwin*)
     lt_cv_dlopen="dlopen"
     lt_cv_dlopen_libs=
-   ;;
+    ;;
 
   darwin*)
   # if libdl is installed we need to link against it
@@ -1051,7 +1771,7 @@ else
     lt_cv_dlopen_libs=
     lt_cv_dlopen_self=yes
     ])
-   ;;
+    ;;
 
   *)
     AC_CHECK_FUNC([shl_load],
@@ -1093,7 +1813,7 @@ else
 
     AC_CACHE_CHECK([whether a program can dlopen itself],
 	  lt_cv_dlopen_self, [dnl
-	  _LT_AC_TRY_DLOPEN_SELF(
+	  _LT_TRY_DLOPEN_SELF(
 	    lt_cv_dlopen_self=yes, lt_cv_dlopen_self=yes,
 	    lt_cv_dlopen_self=no, lt_cv_dlopen_self=cross)
     ])
@@ -1101,8 +1821,8 @@ else
     if test "x$lt_cv_dlopen_self" = xyes; then
       wl=$lt_prog_compiler_wl eval LDFLAGS=\"\$LDFLAGS $lt_prog_compiler_static\"
       AC_CACHE_CHECK([whether a statically linked program can dlopen itself],
-    	  lt_cv_dlopen_self_static, [dnl
-	  _LT_AC_TRY_DLOPEN_SELF(
+	  lt_cv_dlopen_self_static, [dnl
+	  _LT_TRY_DLOPEN_SELF(
 	    lt_cv_dlopen_self_static=yes, lt_cv_dlopen_self_static=yes,
 	    lt_cv_dlopen_self_static=no,  lt_cv_dlopen_self_static=cross)
       ])
@@ -1124,19 +1844,32 @@ else
   *) enable_dlopen_self_static=unknown ;;
   esac
 fi
-])# AC_LIBTOOL_DLOPEN_SELF
+_LT_DECL([dlopen_support], [enable_dlopen], [0],
+	 [Whether dlopen is supported])
+_LT_DECL([dlopen_self], [enable_dlopen_self], [0],
+	 [Whether dlopen of programs is supported])
+_LT_DECL([dlopen_self_static], [enable_dlopen_self_static], [0],
+	 [Whether dlopen of statically linked programs is supported])
+])# LT_SYS_DLOPEN_SELF
 
+# Old name:
+AU_ALIAS([AC_LIBTOOL_DLOPEN_SELF], [LT_SYS_DLOPEN_SELF])
+dnl aclocal-1.4 backwards compatibility:
+dnl AC_DEFUN([AC_LIBTOOL_DLOPEN_SELF], [])
 
-# AC_LIBTOOL_PROG_CC_C_O([TAGNAME])
-# ---------------------------------
-# Check to see if options -c and -o are simultaneously supported by compiler
-AC_DEFUN([AC_LIBTOOL_PROG_CC_C_O],
-[AC_REQUIRE([LT_AC_PROG_SED])dnl
-AC_REQUIRE([_LT_AC_SYS_COMPILER])dnl
+
+# _LT_COMPILER_C_O([TAGNAME])
+# ---------------------------
+# Check to see if options -c and -o are simultaneously supported by compiler.
+# This macro does not hard code the compiler like AC_PROG_CC_C_O.
+m4_defun([_LT_COMPILER_C_O],
+[m4_require([_LT_DECL_SED])dnl
+m4_require([_LT_FILEUTILS_DEFAULTS])dnl
+m4_require([_LT_TAG_COMPILER])dnl
 AC_CACHE_CHECK([if $compiler supports -c -o file.$ac_objext],
-  [_LT_AC_TAGVAR(lt_cv_prog_compiler_c_o, $1)],
-  [_LT_AC_TAGVAR(lt_cv_prog_compiler_c_o, $1)=no
-   $rm -r conftest 2>/dev/null
+  [_LT_TAGVAR(lt_cv_prog_compiler_c_o, $1)],
+  [_LT_TAGVAR(lt_cv_prog_compiler_c_o, $1)=no
+   $RM -r conftest 2>/dev/null
    mkdir conftest
    cd conftest
    mkdir out
@@ -1160,37 +1893,41 @@ AC_CACHE_CHECK([if $compiler supports -c -o file.$ac_objext],
    then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings
-     $echo "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' > out/conftest.exp
+     $ECHO "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' > out/conftest.exp
      $SED '/^$/d; /^ *+/d' out/conftest.err >out/conftest.er2
      if test ! -s out/conftest.er2 || diff out/conftest.exp out/conftest.er2 >/dev/null; then
-       _LT_AC_TAGVAR(lt_cv_prog_compiler_c_o, $1)=yes
+       _LT_TAGVAR(lt_cv_prog_compiler_c_o, $1)=yes
      fi
    fi
    chmod u+w . 2>&AS_MESSAGE_LOG_FD
-   $rm conftest*
+   $RM conftest*
    # SGI C++ compiler will create directory out/ii_files/ for
    # template instantiation
-   test -d out/ii_files && $rm out/ii_files/* && rmdir out/ii_files
-   $rm out/* && rmdir out
+   test -d out/ii_files && $RM out/ii_files/* && rmdir out/ii_files
+   $RM out/* && rmdir out
    cd ..
-   rmdir conftest
-   $rm conftest*
+   $RM -r conftest
+   $RM conftest*
 ])
-])# AC_LIBTOOL_PROG_CC_C_O
+_LT_TAGDECL([compiler_c_o], [lt_cv_prog_compiler_c_o], [1],
+	[Does compiler simultaneously support -c and -o options?])
+])# _LT_COMPILER_C_O
 
 
-# AC_LIBTOOL_SYS_HARD_LINK_LOCKS([TAGNAME])
-# -----------------------------------------
+# _LT_COMPILER_FILE_LOCKS([TAGNAME])
+# ----------------------------------
 # Check to see if we can do hard links to lock some files if needed
-AC_DEFUN([AC_LIBTOOL_SYS_HARD_LINK_LOCKS],
-[AC_REQUIRE([_LT_AC_LOCK])dnl
+m4_defun([_LT_COMPILER_FILE_LOCKS],
+[m4_require([_LT_ENABLE_LOCK])dnl
+m4_require([_LT_FILEUTILS_DEFAULTS])dnl
+_LT_COMPILER_C_O([$1])
 
 hard_links="nottested"
-if test "$_LT_AC_TAGVAR(lt_cv_prog_compiler_c_o, $1)" = no && test "$need_locks" != no; then
+if test "$_LT_TAGVAR(lt_cv_prog_compiler_c_o, $1)" = no && test "$need_locks" != no; then
   # do not overwrite the value of need_locks provided by the user
   AC_MSG_CHECKING([if we can lock with hard links])
   hard_links=yes
-  $rm conftest*
+  $RM conftest*
   ln conftest.a conftest.b 2>/dev/null && hard_links=no
   touch conftest.a
   ln conftest.a conftest.b 2>&5 || hard_links=no
@@ -1203,12 +1940,13 @@ if test "$_LT_AC_TAGVAR(lt_cv_prog_compiler_c_o, $1)" = no && test "$need_locks"
 else
   need_locks=no
 fi
-])# AC_LIBTOOL_SYS_HARD_LINK_LOCKS
+_LT_DECL([], [need_locks], [1], [Must we lock files when doing compilation?])
+])# _LT_COMPILER_FILE_LOCKS
 
 
-# AC_LIBTOOL_OBJDIR
-# -----------------
-AC_DEFUN([AC_LIBTOOL_OBJDIR],
+# _LT_CHECK_OBJDIR
+# ----------------
+m4_defun([_LT_CHECK_OBJDIR],
 [AC_CACHE_CHECK([for objdir], [lt_cv_objdir],
 [rm -f .libs 2>/dev/null
 mkdir .libs 2>/dev/null
@@ -1220,40 +1958,46 @@ else
 fi
 rmdir .libs 2>/dev/null])
 objdir=$lt_cv_objdir
-])# AC_LIBTOOL_OBJDIR
+_LT_DECL([], [objdir], [0],
+         [The name of the directory that contains temporary libtool files])dnl
+m4_pattern_allow([LT_OBJDIR])dnl
+AC_DEFINE_UNQUOTED(LT_OBJDIR, "$lt_cv_objdir/",
+  [Define to the sub-directory in which libtool stores uninstalled libraries.])
+])# _LT_CHECK_OBJDIR
 
 
-# AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH([TAGNAME])
-# ----------------------------------------------
+# _LT_LINKER_HARDCODE_LIBPATH([TAGNAME])
+# --------------------------------------
 # Check hardcoding attributes.
-AC_DEFUN([AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH],
+m4_defun([_LT_LINKER_HARDCODE_LIBPATH],
 [AC_MSG_CHECKING([how to hardcode library paths into programs])
-_LT_AC_TAGVAR(hardcode_action, $1)=
-if test -n "$_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)" || \
-   test -n "$_LT_AC_TAGVAR(runpath_var, $1)" || \
-   test "X$_LT_AC_TAGVAR(hardcode_automatic, $1)" = "Xyes" ; then
+_LT_TAGVAR(hardcode_action, $1)=
+if test -n "$_LT_TAGVAR(hardcode_libdir_flag_spec, $1)" ||
+   test -n "$_LT_TAGVAR(runpath_var, $1)" ||
+   test "X$_LT_TAGVAR(hardcode_automatic, $1)" = "Xyes" ; then
 
-  # We can hardcode non-existant directories.
-  if test "$_LT_AC_TAGVAR(hardcode_direct, $1)" != no &&
+  # We can hardcode non-existent directories.
+  if test "$_LT_TAGVAR(hardcode_direct, $1)" != no &&
      # If the only mechanism to avoid hardcoding is shlibpath_var, we
      # have to relink, otherwise we might link with an installed library
      # when we should be linking with a yet-to-be-installed one
-     ## test "$_LT_AC_TAGVAR(hardcode_shlibpath_var, $1)" != no &&
-     test "$_LT_AC_TAGVAR(hardcode_minus_L, $1)" != no; then
+     ## test "$_LT_TAGVAR(hardcode_shlibpath_var, $1)" != no &&
+     test "$_LT_TAGVAR(hardcode_minus_L, $1)" != no; then
     # Linking always hardcodes the temporary library directory.
-    _LT_AC_TAGVAR(hardcode_action, $1)=relink
+    _LT_TAGVAR(hardcode_action, $1)=relink
   else
     # We can link without hardcoding, and we can hardcode nonexisting dirs.
-    _LT_AC_TAGVAR(hardcode_action, $1)=immediate
+    _LT_TAGVAR(hardcode_action, $1)=immediate
   fi
 else
   # We cannot hardcode anything, or else we can only hardcode existing
   # directories.
-  _LT_AC_TAGVAR(hardcode_action, $1)=unsupported
+  _LT_TAGVAR(hardcode_action, $1)=unsupported
 fi
-AC_MSG_RESULT([$_LT_AC_TAGVAR(hardcode_action, $1)])
+AC_MSG_RESULT([$_LT_TAGVAR(hardcode_action, $1)])
 
-if test "$_LT_AC_TAGVAR(hardcode_action, $1)" = relink; then
+if test "$_LT_TAGVAR(hardcode_action, $1)" = relink ||
+   test "$_LT_TAGVAR(inherit_rpath, $1)" = yes; then
   # Fast installation is not supported
   enable_fast_install=no
 elif test "$shlibpath_overrides_runpath" = yes ||
@@ -1261,73 +2005,69 @@ elif test "$shlibpath_overrides_runpath" = yes ||
   # Fast installation is not necessary
   enable_fast_install=needless
 fi
-])# AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH
+_LT_TAGDECL([], [hardcode_action], [0],
+    [How to hardcode a shared library path into an executable])
+])# _LT_LINKER_HARDCODE_LIBPATH
 
 
-# AC_LIBTOOL_SYS_LIB_STRIP
-# ------------------------
-AC_DEFUN([AC_LIBTOOL_SYS_LIB_STRIP],
-[striplib=
+# _LT_CMD_STRIPLIB
+# ----------------
+m4_defun([_LT_CMD_STRIPLIB],
+[m4_require([_LT_DECL_EGREP])
+striplib=
 old_striplib=
 AC_MSG_CHECKING([whether stripping libraries is possible])
-if test -n "$STRIP" && $STRIP -V 2>&1 | grep "GNU strip" >/dev/null; then
+if test -n "$STRIP" && $STRIP -V 2>&1 | $GREP "GNU strip" >/dev/null; then
   test -z "$old_striplib" && old_striplib="$STRIP --strip-debug"
   test -z "$striplib" && striplib="$STRIP --strip-unneeded"
   AC_MSG_RESULT([yes])
 else
 # FIXME - insert some real tests, host_os isn't really good enough
   case $host_os in
-   darwin*)
-       if test -n "$STRIP" ; then
-         striplib="$STRIP -x"
-         old_striplib="$STRIP -S"
-         AC_MSG_RESULT([yes])
-       else
-  AC_MSG_RESULT([no])
-fi
-       ;;
-   *)
-  AC_MSG_RESULT([no])
+  darwin*)
+    if test -n "$STRIP" ; then
+      striplib="$STRIP -x"
+      old_striplib="$STRIP -S"
+      AC_MSG_RESULT([yes])
+    else
+      AC_MSG_RESULT([no])
+    fi
+    ;;
+  *)
+    AC_MSG_RESULT([no])
     ;;
   esac
 fi
-])# AC_LIBTOOL_SYS_LIB_STRIP
+_LT_DECL([], [old_striplib], [1], [Commands to strip libraries])
+_LT_DECL([], [striplib], [1])
+])# _LT_CMD_STRIPLIB
 
 
-# AC_LIBTOOL_SYS_DYNAMIC_LINKER
+# _LT_SYS_DYNAMIC_LINKER([TAG])
 # -----------------------------
 # PORTME Fill in your ld.so characteristics
-AC_DEFUN([AC_LIBTOOL_SYS_DYNAMIC_LINKER],
-[AC_REQUIRE([LT_AC_PROG_SED])dnl
+m4_defun([_LT_SYS_DYNAMIC_LINKER],
+[AC_REQUIRE([AC_CANONICAL_HOST])dnl
+m4_require([_LT_DECL_EGREP])dnl
+m4_require([_LT_FILEUTILS_DEFAULTS])dnl
+m4_require([_LT_DECL_SED])dnl
 AC_MSG_CHECKING([dynamic linker characteristics])
-library_names_spec=
-libname_spec='lib$name'
-soname_spec=
-shrext_cmds=".so"
-postinstall_cmds=
-postuninstall_cmds=
-finish_cmds=
-finish_eval=
-shlibpath_var=
-shlibpath_overrides_runpath=unknown
-version_type=none
-dynamic_linker="$host_os ld.so"
-sys_lib_dlsearch_path_spec="/lib /usr/lib"
-m4_if($1,[],[
+m4_if([$1],
+	[], [
 if test "$GCC" = yes; then
   case $host_os in
     darwin*) lt_awk_arg="/^libraries:/,/LR/" ;;
     *) lt_awk_arg="/^libraries:/" ;;
   esac
   lt_search_path_spec=`$CC -print-search-dirs | awk $lt_awk_arg | $SED -e "s/^libraries://" -e "s,=/,/,g"`
-  if echo "$lt_search_path_spec" | grep ';' >/dev/null ; then
+  if $ECHO "$lt_search_path_spec" | $GREP ';' >/dev/null ; then
     # if the path contains ";" then we assume it to be the separator
     # otherwise default to the standard path separator (i.e. ":") - it is
     # assumed that no part of a normal pathname contains ";" but that should
     # okay in the real world where ";" in dirpaths is itself problematic.
-    lt_search_path_spec=`echo "$lt_search_path_spec" | $SED -e 's/;/ /g'`
+    lt_search_path_spec=`$ECHO "$lt_search_path_spec" | $SED -e 's/;/ /g'`
   else
-    lt_search_path_spec=`echo "$lt_search_path_spec" | $SED  -e "s/$PATH_SEPARATOR/ /g"`
+    lt_search_path_spec=`$ECHO "$lt_search_path_spec" | $SED  -e "s/$PATH_SEPARATOR/ /g"`
   fi
   # Ok, now we have the path, separated by spaces, we can step through it
   # and add multilib dir if necessary.
@@ -1341,7 +2081,7 @@ if test "$GCC" = yes; then
 	lt_tmp_lt_search_path_spec="$lt_tmp_lt_search_path_spec $lt_sys_path"
     fi
   done
-  lt_search_path_spec=`echo $lt_tmp_lt_search_path_spec | awk '
+  lt_search_path_spec=`$ECHO $lt_tmp_lt_search_path_spec | awk '
 BEGIN {RS=" "; FS="/|\n";} {
   lt_foo="";
   lt_count=0;
@@ -1361,10 +2101,23 @@ BEGIN {RS=" "; FS="/|\n";} {
   if (lt_foo != "") { lt_freq[[lt_foo]]++; }
   if (lt_freq[[lt_foo]] == 1) { print lt_foo; }
 }'`
-  sys_lib_search_path_spec=`echo $lt_search_path_spec`
+  sys_lib_search_path_spec=`$ECHO $lt_search_path_spec`
 else
   sys_lib_search_path_spec="/lib /usr/lib /usr/local/lib"
 fi])
+library_names_spec=
+libname_spec='lib$name'
+soname_spec=
+shrext_cmds=".so"
+postinstall_cmds=
+postuninstall_cmds=
+finish_cmds=
+finish_eval=
+shlibpath_var=
+shlibpath_overrides_runpath=unknown
+version_type=none
+dynamic_linker="$host_os ld.so"
+sys_lib_dlsearch_path_spec="/lib /usr/lib"
 need_lib_prefix=unknown
 hardcode_into_libs=no
 
@@ -1401,7 +2154,7 @@ aix[[4-9]]*)
       aix4 | aix4.[[01]] | aix4.[[01]].*)
       if { echo '#if __GNUC__ > 2 || (__GNUC__ == 2 && __GNUC_MINOR__ >= 97)'
 	   echo ' yes '
-	   echo '#endif'; } | ${CC} -E - | grep yes > /dev/null; then
+	   echo '#endif'; } | ${CC} -E - | $GREP yes > /dev/null; then
 	:
       else
 	can_build_shared=no
@@ -1427,9 +2180,18 @@ aix[[4-9]]*)
   ;;
 
 amigaos*)
-  library_names_spec='$libname.ixlibrary $libname.a'
-  # Create ${libname}_ixlibrary.a entries in /sys/libs.
-  finish_eval='for lib in `ls $libdir/*.ixlibrary 2>/dev/null`; do libname=`$echo "X$lib" | $Xsed -e '\''s%^.*/\([[^/]]*\)\.ixlibrary$%\1%'\''`; test $rm /sys/libs/${libname}_ixlibrary.a; $show "cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a"; cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a || exit 1; done'
+  case $host_cpu in
+  powerpc)
+    # Since July 2007 AmigaOS4 officially supports .so libraries.
+    # When compiling the executable, add -use-dynld -Lsobjs: to the compileline.
+    library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+    ;;
+  m68k)
+    library_names_spec='$libname.ixlibrary $libname.a'
+    # Create ${libname}_ixlibrary.a entries in /sys/libs.
+    finish_eval='for lib in `ls $libdir/*.ixlibrary 2>/dev/null`; do libname=`$ECHO "X$lib" | $Xsed -e '\''s%^.*/\([[^/]]*\)\.ixlibrary$%\1%'\''`; test $RM /sys/libs/${libname}_ixlibrary.a; $show "cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a"; cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a || exit 1; done'
+    ;;
+  esac
   ;;
 
 beos*)
@@ -1463,14 +2225,17 @@ cygwin* | mingw* | pw32*)
     library_names_spec='$libname.dll.a'
     # DLL is installed to $(libdir)/../bin by postinstall_cmds
     postinstall_cmds='base_file=`basename \${file}`~
-      dlpath=`$SHELL 2>&1 -c '\''. $dir/'\''\${base_file}'\''i;echo \$dlname'\''`~
+      dlpath=`$SHELL 2>&1 -c '\''. $dir/'\''\${base_file}'\''i; echo \$dlname'\''`~
       dldir=$destdir/`dirname \$dlpath`~
       test -d \$dldir || mkdir -p \$dldir~
       $install_prog $dir/$dlname \$dldir/$dlname~
-      chmod a+x \$dldir/$dlname'
+      chmod a+x \$dldir/$dlname~
+      if test -n '\''$stripme'\'' && test -n '\''$striplib'\''; then
+        eval '\''$striplib \$dldir/$dlname'\'' || exit \$?;
+      fi'
     postuninstall_cmds='dldll=`$SHELL 2>&1 -c '\''. $file; echo \$dlname'\''`~
       dlpath=$dir/\$dldll~
-       $rm \$dlpath'
+       $RM \$dlpath'
     shlibpath_overrides_runpath=yes
 
     case $host_os in
@@ -1482,17 +2247,17 @@ cygwin* | mingw* | pw32*)
     mingw*)
       # MinGW DLLs use traditional 'lib' prefix
       soname_spec='${libname}`echo ${release} | $SED -e 's/[[.]]/-/g'`${versuffix}${shared_ext}'
-      sys_lib_search_path_spec=`$CC -print-search-dirs | grep "^libraries:" | $SED -e "s/^libraries://" -e "s,=/,/,g"`
-      if echo "$sys_lib_search_path_spec" | [grep ';[c-zC-Z]:/' >/dev/null]; then
+      sys_lib_search_path_spec=`$CC -print-search-dirs | $GREP "^libraries:" | $SED -e "s/^libraries://" -e "s,=/,/,g"`
+      if $ECHO "$sys_lib_search_path_spec" | [$GREP ';[c-zC-Z]:/' >/dev/null]; then
         # It is most probably a Windows format PATH printed by
         # mingw gcc, but we are running on Cygwin. Gcc prints its search
         # path with ; separators, and with drive letters. We can handle the
         # drive letters (cygwin fileutils understands them), so leave them,
         # especially as we might pass files found there to a mingw objdump,
         # which wouldn't understand a cygwinified path. Ahh.
-        sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'`
+        sys_lib_search_path_spec=`$ECHO "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'`
       else
-        sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED  -e "s/$PATH_SEPARATOR/ /g"`
+        sys_lib_search_path_spec=`$ECHO "$sys_lib_search_path_spec" | $SED  -e "s/$PATH_SEPARATOR/ /g"`
       fi
       ;;
     pw32*)
@@ -1516,13 +2281,13 @@ darwin* | rhapsody*)
   version_type=darwin
   need_lib_prefix=no
   need_version=no
-  library_names_spec='${libname}${release}${versuffix}$shared_ext ${libname}${release}${major}$shared_ext ${libname}$shared_ext'
+  library_names_spec='${libname}${release}${major}$shared_ext ${libname}$shared_ext'
   soname_spec='${libname}${release}${major}$shared_ext'
   shlibpath_overrides_runpath=yes
   shlibpath_var=DYLD_LIBRARY_PATH
   shrext_cmds='`test .$module = .yes && echo .so || echo .dylib`'
-  m4_if([$1], [],[
-  sys_lib_search_path_spec="$sys_lib_search_path_spec /usr/local/lib"]) 
+m4_if([$1], [],[
+  sys_lib_search_path_spec="$sys_lib_search_path_spec /usr/local/lib"])
   sys_lib_dlsearch_path_spec='/usr/local/lib /lib /usr/lib'
   ;;
 
@@ -1615,18 +2380,18 @@ hpux9* | hpux10* | hpux11*)
     fi
     sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
     ;;
-   hppa*64*)
-     shrext_cmds='.sl'
-     hardcode_into_libs=yes
-     dynamic_linker="$host_os dld.sl"
-     shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH
-     shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
-     library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-     soname_spec='${libname}${release}${shared_ext}$major'
-     sys_lib_search_path_spec="/usr/lib/pa20_64 /usr/ccs/lib/pa20_64"
-     sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
-     ;;
-   *)
+  hppa*64*)
+    shrext_cmds='.sl'
+    hardcode_into_libs=yes
+    dynamic_linker="$host_os dld.sl"
+    shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH
+    shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
+    library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+    soname_spec='${libname}${release}${shared_ext}$major'
+    sys_lib_search_path_spec="/usr/lib/pa20_64 /usr/ccs/lib/pa20_64"
+    sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
+    ;;
+  *)
     shrext_cmds='.sl'
     dynamic_linker="$host_os dld.sl"
     shlibpath_var=SHLIB_PATH
@@ -1703,6 +2468,17 @@ linux* | k*bsd*-gnu)
   finish_cmds='PATH="\$PATH:/sbin" ldconfig -n $libdir'
   shlibpath_var=LD_LIBRARY_PATH
   shlibpath_overrides_runpath=no
+  # Some binutils ld are patched to set DT_RUNPATH
+  save_LDFLAGS=$LDFLAGS
+  save_libdir=$libdir
+  eval "libdir=/foo; wl=\"$_LT_TAGVAR(lt_prog_compiler_wl, $1)\"; \
+       LDFLAGS=\"\$LDFLAGS $_LT_TAGVAR(hardcode_libdir_flag_spec, $1)\""
+  AC_LINK_IFELSE([AC_LANG_PROGRAM([],[])],
+    [AS_IF([ ($OBJDUMP -p conftest$ac_exeext) 2>/dev/null | grep "RUNPATH.*$libdir" >/dev/null],
+       [shlibpath_overrides_runpath=yes])])
+  LDFLAGS=$save_LDFLAGS
+  libdir=$save_libdir
+
   # This implies no fast_install, which is unacceptable.
   # Some rework will be needed to allow for fast_install
   # before this can be enabled.
@@ -1710,7 +2486,7 @@ linux* | k*bsd*-gnu)
 
   # Append ld.so.conf contents to the search path
   if test -f /etc/ld.so.conf; then
-    lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \[$]2)); skip = 1; } { if (!skip) print \[$]0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ 	]*hwcap[ 	]/d;s/[:,	]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;/^$/d' | tr '\n' ' '`
+    lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \[$]2)); skip = 1; } { if (!skip) print \[$]0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[	 ]*hwcap[	 ]/d;s/[:,	]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;/^$/d' | tr '\n' ' '`
     sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
   fi
 
@@ -1739,7 +2515,7 @@ netbsd*)
   version_type=sunos
   need_lib_prefix=no
   need_version=no
-  if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
+  if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then
     library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
     finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
     dynamic_linker='NetBSD (a.out) ld.so'
@@ -1760,14 +2536,16 @@ newsos6)
   shlibpath_overrides_runpath=yes
   ;;
 
-nto-qnx*)
-  version_type=linux
+*nto* | *qnx*)
+  version_type=qnx
   need_lib_prefix=no
   need_version=no
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
   soname_spec='${libname}${release}${shared_ext}$major'
   shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=yes
+  shlibpath_overrides_runpath=no
+  hardcode_into_libs=yes
+  dynamic_linker='ldqnx.so'
   ;;
 
 openbsd*)
@@ -1776,13 +2554,13 @@ openbsd*)
   need_lib_prefix=no
   # Some older versions of OpenBSD (3.3 at least) *do* need versioned libs.
   case $host_os in
-    openbsd3.3 | openbsd3.3.*) need_version=yes ;;
-    *)                         need_version=no  ;;
+    openbsd3.3 | openbsd3.3.*)	need_version=yes ;;
+    *)				need_version=no  ;;
   esac
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
   finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
   shlibpath_var=LD_LIBRARY_PATH
-  if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
+  if test -z "`echo __ELF__ | $CC -E - | $GREP __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
     case $host_os in
       openbsd2.[[89]] | openbsd2.[[89]].*)
 	shlibpath_overrides_runpath=no
@@ -1854,7 +2632,6 @@ sysv4 | sysv4.3*)
     sni)
       shlibpath_overrides_runpath=no
       need_lib_prefix=no
-      export_dynamic_flag_spec='${wl}-Blargedynsym'
       runpath_var=LD_RUN_PATH
       ;;
     siemens)
@@ -1885,13 +2662,12 @@ sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX* | sysv4*uw2*)
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext} $libname${shared_ext}'
   soname_spec='${libname}${release}${shared_ext}$major'
   shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=yes
   hardcode_into_libs=yes
   if test "$with_gnu_ld" = yes; then
     sys_lib_search_path_spec='/usr/local/lib /usr/gnu/lib /usr/ccs/lib /usr/lib /lib'
-    shlibpath_overrides_runpath=no
   else
     sys_lib_search_path_spec='/usr/ccs/lib /usr/lib'
-    shlibpath_overrides_runpath=yes
     case $host_os in
       sco3.2v5*)
         sys_lib_search_path_spec="$sys_lib_search_path_spec /lib"
@@ -1901,6 +2677,17 @@ sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX* | sysv4*uw2*)
   sys_lib_dlsearch_path_spec='/usr/lib'
   ;;
 
+tpf*)
+  # TPF is a cross-target only.  Preferred cross-host = GNU/Linux.
+  version_type=linux
+  need_lib_prefix=no
+  need_version=no
+  library_name_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=no
+  hardcode_into_libs=yes
+  ;;
+
 uts4*)
   version_type=linux
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
@@ -1915,288 +2702,58 @@ esac
 AC_MSG_RESULT([$dynamic_linker])
 test "$dynamic_linker" = no && can_build_shared=no
 
-AC_CACHE_VAL([lt_cv_sys_lib_search_path_spec],
-[lt_cv_sys_lib_search_path_spec="$sys_lib_search_path_spec"])
-sys_lib_search_path_spec="$lt_cv_sys_lib_search_path_spec"
-AC_CACHE_VAL([lt_cv_sys_lib_dlsearch_path_spec],
-[lt_cv_sys_lib_dlsearch_path_spec="$sys_lib_dlsearch_path_spec"])
-sys_lib_dlsearch_path_spec="$lt_cv_sys_lib_dlsearch_path_spec"
-
 variables_saved_for_relink="PATH $shlibpath_var $runpath_var"
 if test "$GCC" = yes; then
   variables_saved_for_relink="$variables_saved_for_relink GCC_EXEC_PREFIX COMPILER_PATH LIBRARY_PATH"
 fi
-])# AC_LIBTOOL_SYS_DYNAMIC_LINKER
-
-
-# _LT_AC_TAGCONFIG
-# ----------------
-AC_DEFUN([_LT_AC_TAGCONFIG],
-[AC_REQUIRE([LT_AC_PROG_SED])dnl
-AC_ARG_WITH([tags],
-    [AC_HELP_STRING([--with-tags@<:@=TAGS@:>@],
-        [include additional configurations @<:@automatic@:>@])],
-    [tagnames="$withval"])
-
-if test -f "$ltmain" && test -n "$tagnames"; then
-  if test ! -f "${ofile}"; then
-    AC_MSG_WARN([output file `$ofile' does not exist])
-  fi
-
-  if test -z "$LTCC"; then
-    eval "`$SHELL ${ofile} --config | grep '^LTCC='`"
-    if test -z "$LTCC"; then
-      AC_MSG_WARN([output file `$ofile' does not look like a libtool script])
-    else
-      AC_MSG_WARN([using `LTCC=$LTCC', extracted from `$ofile'])
-    fi
-  fi
-  if test -z "$LTCFLAGS"; then
-    eval "`$SHELL ${ofile} --config | grep '^LTCFLAGS='`"
-  fi
-
-  # Extract list of available tagged configurations in $ofile.
-  # Note that this assumes the entire list is on one line.
-  available_tags=`grep "^available_tags=" "${ofile}" | $SED -e 's/available_tags=\(.*$\)/\1/' -e 's/\"//g'`
-
-  lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR,"
-  for tagname in $tagnames; do
-    IFS="$lt_save_ifs"
-    # Check whether tagname contains only valid characters
-    case `$echo "X$tagname" | $Xsed -e 's:[[-_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890,/]]::g'` in
-    "") ;;
-    *)  AC_MSG_ERROR([invalid tag name: $tagname])
-	;;
-    esac
+ 
+if test "${lt_cv_sys_lib_search_path_spec+set}" = set; then
+  sys_lib_search_path_spec="$lt_cv_sys_lib_search_path_spec"
+fi
+if test "${lt_cv_sys_lib_dlsearch_path_spec+set}" = set; then
+  sys_lib_dlsearch_path_spec="$lt_cv_sys_lib_dlsearch_path_spec"
+fi
 
-    if grep "^# ### BEGIN LIBTOOL TAG CONFIG: $tagname$" < "${ofile}" > /dev/null
-    then
-      AC_MSG_ERROR([tag name \"$tagname\" already exists])
-    fi
-
-    # Update the list of available tags.
-    if test -n "$tagname"; then
-      echo appending configuration tag \"$tagname\" to $ofile
-
-      case $tagname in
-      CXX)
-	if test -n "$CXX" && ( test "X$CXX" != "Xno" &&
-	    ( (test "X$CXX" = "Xg++" && `g++ -v >/dev/null 2>&1` ) ||
-	    (test "X$CXX" != "Xg++"))) ; then
-	  AC_LIBTOOL_LANG_CXX_CONFIG
-	else
-	  tagname=""
-	fi
-	;;
-
-      F77)
-	if test -n "$F77" && test "X$F77" != "Xno"; then
-	  AC_LIBTOOL_LANG_F77_CONFIG
-	else
-	  tagname=""
-	fi
-	;;
-
-      GCJ)
-	if test -n "$GCJ" && test "X$GCJ" != "Xno"; then
-	  AC_LIBTOOL_LANG_GCJ_CONFIG
-	else
-	  tagname=""
-	fi
-	;;
-
-      RC)
-	AC_LIBTOOL_LANG_RC_CONFIG
-	;;
-
-      *)
-	AC_MSG_ERROR([Unsupported tag name: $tagname])
-	;;
-      esac
-
-      # Append the new tag name to the list of available tags.
-      if test -n "$tagname" ; then
-      available_tags="$available_tags $tagname"
-    fi
-    fi
-  done
-  IFS="$lt_save_ifs"
-
-  # Now substitute the updated list of available tags.
-  if eval "sed -e 's/^available_tags=.*\$/available_tags=\"$available_tags\"/' \"$ofile\" > \"${ofile}T\""; then
-    mv "${ofile}T" "$ofile"
-    chmod +x "$ofile"
-  else
-    rm -f "${ofile}T"
-    AC_MSG_ERROR([unable to update list of available tagged configurations.])
-  fi
-fi
-])# _LT_AC_TAGCONFIG
-
-
-# AC_LIBTOOL_DLOPEN
-# -----------------
-# enable checks for dlopen support
-AC_DEFUN([AC_LIBTOOL_DLOPEN],
- [AC_BEFORE([$0],[AC_LIBTOOL_SETUP])
-])# AC_LIBTOOL_DLOPEN
-
-
-# AC_LIBTOOL_WIN32_DLL
-# --------------------
-# declare package support for building win32 DLLs
-AC_DEFUN([AC_LIBTOOL_WIN32_DLL],
-[AC_BEFORE([$0], [AC_LIBTOOL_SETUP])
-])# AC_LIBTOOL_WIN32_DLL
-
-
-# AC_ENABLE_SHARED([DEFAULT])
-# ---------------------------
-# implement the --enable-shared flag
-# DEFAULT is either `yes' or `no'.  If omitted, it defaults to `yes'.
-AC_DEFUN([AC_ENABLE_SHARED],
-[define([AC_ENABLE_SHARED_DEFAULT], ifelse($1, no, no, yes))dnl
-AC_ARG_ENABLE([shared],
-    [AC_HELP_STRING([--enable-shared@<:@=PKGS@:>@],
-	[build shared libraries @<:@default=]AC_ENABLE_SHARED_DEFAULT[@:>@])],
-    [p=${PACKAGE-default}
-    case $enableval in
-    yes) enable_shared=yes ;;
-    no) enable_shared=no ;;
-    *)
-      enable_shared=no
-      # Look at the argument we got.  We use all the common list separators.
-      lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR,"
-      for pkg in $enableval; do
-	IFS="$lt_save_ifs"
-	if test "X$pkg" = "X$p"; then
-	  enable_shared=yes
-	fi
-      done
-      IFS="$lt_save_ifs"
-      ;;
-    esac],
-    [enable_shared=]AC_ENABLE_SHARED_DEFAULT)
-])# AC_ENABLE_SHARED
-
-
-# AC_DISABLE_SHARED
-# -----------------
-# set the default shared flag to --disable-shared
-AC_DEFUN([AC_DISABLE_SHARED],
-[AC_BEFORE([$0],[AC_LIBTOOL_SETUP])dnl
-AC_ENABLE_SHARED(no)
-])# AC_DISABLE_SHARED
-
-
-# AC_ENABLE_STATIC([DEFAULT])
-# ---------------------------
-# implement the --enable-static flag
-# DEFAULT is either `yes' or `no'.  If omitted, it defaults to `yes'.
-AC_DEFUN([AC_ENABLE_STATIC],
-[define([AC_ENABLE_STATIC_DEFAULT], ifelse($1, no, no, yes))dnl
-AC_ARG_ENABLE([static],
-    [AC_HELP_STRING([--enable-static@<:@=PKGS@:>@],
-	[build static libraries @<:@default=]AC_ENABLE_STATIC_DEFAULT[@:>@])],
-    [p=${PACKAGE-default}
-    case $enableval in
-    yes) enable_static=yes ;;
-    no) enable_static=no ;;
-    *)
-     enable_static=no
-      # Look at the argument we got.  We use all the common list separators.
-      lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR,"
-      for pkg in $enableval; do
-	IFS="$lt_save_ifs"
-	if test "X$pkg" = "X$p"; then
-	  enable_static=yes
-	fi
-      done
-      IFS="$lt_save_ifs"
-      ;;
-    esac],
-    [enable_static=]AC_ENABLE_STATIC_DEFAULT)
-])# AC_ENABLE_STATIC
-
-
-# AC_DISABLE_STATIC
-# -----------------
-# set the default static flag to --disable-static
-AC_DEFUN([AC_DISABLE_STATIC],
-[AC_BEFORE([$0],[AC_LIBTOOL_SETUP])dnl
-AC_ENABLE_STATIC(no)
-])# AC_DISABLE_STATIC
-
-
-# AC_ENABLE_FAST_INSTALL([DEFAULT])
-# ---------------------------------
-# implement the --enable-fast-install flag
-# DEFAULT is either `yes' or `no'.  If omitted, it defaults to `yes'.
-AC_DEFUN([AC_ENABLE_FAST_INSTALL],
-[define([AC_ENABLE_FAST_INSTALL_DEFAULT], ifelse($1, no, no, yes))dnl
-AC_ARG_ENABLE([fast-install],
-    [AC_HELP_STRING([--enable-fast-install@<:@=PKGS@:>@],
-    [optimize for fast installation @<:@default=]AC_ENABLE_FAST_INSTALL_DEFAULT[@:>@])],
-    [p=${PACKAGE-default}
-    case $enableval in
-    yes) enable_fast_install=yes ;;
-    no) enable_fast_install=no ;;
-    *)
-      enable_fast_install=no
-      # Look at the argument we got.  We use all the common list separators.
-      lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR,"
-      for pkg in $enableval; do
-	IFS="$lt_save_ifs"
-	if test "X$pkg" = "X$p"; then
-	  enable_fast_install=yes
-	fi
-      done
-      IFS="$lt_save_ifs"
-      ;;
-    esac],
-    [enable_fast_install=]AC_ENABLE_FAST_INSTALL_DEFAULT)
-])# AC_ENABLE_FAST_INSTALL
-
-
-# AC_DISABLE_FAST_INSTALL
-# -----------------------
-# set the default to --disable-fast-install
-AC_DEFUN([AC_DISABLE_FAST_INSTALL],
-[AC_BEFORE([$0],[AC_LIBTOOL_SETUP])dnl
-AC_ENABLE_FAST_INSTALL(no)
-])# AC_DISABLE_FAST_INSTALL
-
-
-# AC_LIBTOOL_PICMODE([MODE])
+_LT_DECL([], [variables_saved_for_relink], [1],
+    [Variables whose values should be saved in libtool wrapper scripts and
+    restored at link time])
+_LT_DECL([], [need_lib_prefix], [0],
+    [Do we need the "lib" prefix for modules?])
+_LT_DECL([], [need_version], [0], [Do we need a version for libraries?])
+_LT_DECL([], [version_type], [0], [Library versioning type])
+_LT_DECL([], [runpath_var], [0],  [Shared library runtime path variable])
+_LT_DECL([], [shlibpath_var], [0],[Shared library path variable])
+_LT_DECL([], [shlibpath_overrides_runpath], [0],
+    [Is shlibpath searched before the hard-coded library search path?])
+_LT_DECL([], [libname_spec], [1], [Format of library name prefix])
+_LT_DECL([], [library_names_spec], [1],
+    [[List of archive names.  First name is the real one, the rest are links.
+    The last name is the one that the linker finds with -lNAME]])
+_LT_DECL([], [soname_spec], [1],
+    [[The coded name of the library, if different from the real name]])
+_LT_DECL([], [postinstall_cmds], [2],
+    [Command to use after installation of a shared archive])
+_LT_DECL([], [postuninstall_cmds], [2],
+    [Command to use after uninstallation of a shared archive])
+_LT_DECL([], [finish_cmds], [2],
+    [Commands used to finish a libtool library installation in a directory])
+_LT_DECL([], [finish_eval], [1],
+    [[As "finish_cmds", except a single script fragment to be evaled but
+    not shown]])
+_LT_DECL([], [hardcode_into_libs], [0],
+    [Whether we should hardcode library paths into libraries])
+_LT_DECL([], [sys_lib_search_path_spec], [2],
+    [Compile-time system search path for libraries])
+_LT_DECL([], [sys_lib_dlsearch_path_spec], [2],
+    [Run-time system search path for libraries])
+])# _LT_SYS_DYNAMIC_LINKER
+
+
+# _LT_PATH_TOOL_PREFIX(TOOL)
 # --------------------------
-# implement the --with-pic flag
-# MODE is either `yes' or `no'.  If omitted, it defaults to `both'.
-AC_DEFUN([AC_LIBTOOL_PICMODE],
-[AC_BEFORE([$0],[AC_LIBTOOL_SETUP])dnl
-pic_mode=ifelse($#,1,$1,default)
-])# AC_LIBTOOL_PICMODE
-
-
-# AC_PROG_EGREP
-# -------------
-# This is predefined starting with Autoconf 2.54, so this conditional
-# definition can be removed once we require Autoconf 2.54 or later.
-m4_ifndef([AC_PROG_EGREP], [AC_DEFUN([AC_PROG_EGREP],
-[AC_CACHE_CHECK([for egrep], [ac_cv_prog_egrep],
-   [if echo a | (grep -E '(a|b)') >/dev/null 2>&1
-    then ac_cv_prog_egrep='grep -E'
-    else ac_cv_prog_egrep='egrep'
-    fi])
- EGREP=$ac_cv_prog_egrep
- AC_SUBST([EGREP])
-])])
-
-
-# AC_PATH_TOOL_PREFIX
-# -------------------
 # find a file program which can recognize shared library
-AC_DEFUN([AC_PATH_TOOL_PREFIX],
-[AC_REQUIRE([AC_PROG_EGREP])dnl
+AC_DEFUN([_LT_PATH_TOOL_PREFIX],
+[m4_require([_LT_DECL_EGREP])dnl
 AC_MSG_CHECKING([for $1])
 AC_CACHE_VAL(lt_cv_path_MAGIC_CMD,
 [case $MAGIC_CMD in
@@ -2209,7 +2766,7 @@ AC_CACHE_VAL(lt_cv_path_MAGIC_CMD,
 dnl $ac_dummy forces splitting on constant user-supplied paths.
 dnl POSIX.2 word splitting is done only on the output of word expansions,
 dnl not every word.  This closes a longstanding sh security hole.
-  ac_dummy="ifelse([$2], , $PATH, [$2])"
+  ac_dummy="m4_if([$2], , $PATH, [$2])"
   for ac_dir in $ac_dummy; do
     IFS="$lt_save_ifs"
     test -z "$ac_dir" && ac_dir=.
@@ -2224,7 +2781,7 @@ dnl not every word.  This closes a longstanding sh security hole.
 	    $EGREP "$file_magic_regex" > /dev/null; then
 	    :
 	  else
-	    cat <<EOF 1>&2
+	    cat <<_LT_EOF 1>&2
 
 *** Warning: the command libtool uses to detect shared libraries,
 *** $file_magic_cmd, produces output that libtool cannot recognize.
@@ -2235,7 +2792,7 @@ dnl not every word.  This closes a longstanding sh security hole.
 *** may want to report the problem to your system manager and/or to
 *** bug-libtool@gnu.org
 
-EOF
+_LT_EOF
 	  fi ;;
 	esac
       fi
@@ -2252,37 +2809,47 @@ if test -n "$MAGIC_CMD"; then
 else
   AC_MSG_RESULT(no)
 fi
-])# AC_PATH_TOOL_PREFIX
+_LT_DECL([], [MAGIC_CMD], [0],
+	 [Used to examine libraries when file_magic_cmd begins with "file"])dnl
+])# _LT_PATH_TOOL_PREFIX
 
+# Old name:
+AU_ALIAS([AC_PATH_TOOL_PREFIX], [_LT_PATH_TOOL_PREFIX])
+dnl aclocal-1.4 backwards compatibility:
+dnl AC_DEFUN([AC_PATH_TOOL_PREFIX], [])
 
-# AC_PATH_MAGIC
-# -------------
+
+# _LT_PATH_MAGIC
+# --------------
 # find a file program which can recognize a shared library
-AC_DEFUN([AC_PATH_MAGIC],
-[AC_PATH_TOOL_PREFIX(${ac_tool_prefix}file, /usr/bin$PATH_SEPARATOR$PATH)
+m4_defun([_LT_PATH_MAGIC],
+[_LT_PATH_TOOL_PREFIX(${ac_tool_prefix}file, /usr/bin$PATH_SEPARATOR$PATH)
 if test -z "$lt_cv_path_MAGIC_CMD"; then
   if test -n "$ac_tool_prefix"; then
-    AC_PATH_TOOL_PREFIX(file, /usr/bin$PATH_SEPARATOR$PATH)
+    _LT_PATH_TOOL_PREFIX(file, /usr/bin$PATH_SEPARATOR$PATH)
   else
     MAGIC_CMD=:
   fi
 fi
-])# AC_PATH_MAGIC
+])# _LT_PATH_MAGIC
 
 
-# AC_PROG_LD
+# LT_PATH_LD
 # ----------
 # find the pathname to the GNU or non-GNU linker
-AC_DEFUN([AC_PROG_LD],
-[AC_ARG_WITH([gnu-ld],
-    [AC_HELP_STRING([--with-gnu-ld],
-	[assume the C compiler uses GNU ld @<:@default=no@:>@])],
-    [test "$withval" = no || with_gnu_ld=yes],
-    [with_gnu_ld=no])
-AC_REQUIRE([LT_AC_PROG_SED])dnl
-AC_REQUIRE([AC_PROG_CC])dnl
+AC_DEFUN([LT_PATH_LD],
+[AC_REQUIRE([AC_PROG_CC])dnl
 AC_REQUIRE([AC_CANONICAL_HOST])dnl
 AC_REQUIRE([AC_CANONICAL_BUILD])dnl
+m4_require([_LT_DECL_SED])dnl
+m4_require([_LT_DECL_EGREP])dnl
+
+AC_ARG_WITH([gnu-ld],
+    [AS_HELP_STRING([--with-gnu-ld],
+	[assume the C compiler uses GNU ld @<:@default=no@:>@])],
+    [test "$withval" = no || with_gnu_ld=yes],
+    [with_gnu_ld=no])dnl
+
 ac_prog=ld
 if test "$GCC" = yes; then
   # Check if gcc -print-prog-name=ld gives a path.
@@ -2299,9 +2866,9 @@ if test "$GCC" = yes; then
     [[\\/]]* | ?:[[\\/]]*)
       re_direlt='/[[^/]][[^/]]*/\.\./'
       # Canonicalize the pathname of ld
-      ac_prog=`echo $ac_prog| $SED 's%\\\\%/%g'`
-      while echo $ac_prog | grep "$re_direlt" > /dev/null 2>&1; do
-	ac_prog=`echo $ac_prog| $SED "s%$re_direlt%/%"`
+      ac_prog=`$ECHO "$ac_prog"| $SED 's%\\\\%/%g'`
+      while $ECHO "$ac_prog" | $GREP "$re_direlt" > /dev/null 2>&1; do
+	ac_prog=`$ECHO $ac_prog| $SED "s%$re_direlt%/%"`
       done
       test -z "$LD" && LD="$ac_prog"
       ;;
@@ -2351,15 +2918,24 @@ else
   AC_MSG_RESULT(no)
 fi
 test -z "$LD" && AC_MSG_ERROR([no acceptable ld found in \$PATH])
-AC_PROG_LD_GNU
-])# AC_PROG_LD
+_LT_PATH_LD_GNU
+AC_SUBST([LD])
 
+_LT_TAGDECL([], [LD], [1], [The linker used to build libraries])
+])# LT_PATH_LD
 
-# AC_PROG_LD_GNU
-# --------------
-AC_DEFUN([AC_PROG_LD_GNU],
-[AC_REQUIRE([AC_PROG_EGREP])dnl
-AC_CACHE_CHECK([if the linker ($LD) is GNU ld], lt_cv_prog_gnu_ld,
+# Old names:
+AU_ALIAS([AM_PROG_LD], [LT_PATH_LD])
+AU_ALIAS([AC_PROG_LD], [LT_PATH_LD])
+dnl aclocal-1.4 backwards compatibility:
+dnl AC_DEFUN([AM_PROG_LD], [])
+dnl AC_DEFUN([AC_PROG_LD], [])
+
+
+# _LT_PATH_LD_GNU
+#- --------------
+m4_defun([_LT_PATH_LD_GNU],
+[AC_CACHE_CHECK([if the linker ($LD) is GNU ld], lt_cv_prog_gnu_ld,
 [# I'd rather use --version here, but apparently some GNU lds only accept -v.
 case `$LD -v 2>&1 </dev/null` in
 *GNU* | *'with BFD'*)
@@ -2370,14 +2946,14 @@ case `$LD -v 2>&1 </dev/null` in
   ;;
 esac])
 with_gnu_ld=$lt_cv_prog_gnu_ld
-])# AC_PROG_LD_GNU
+])# _LT_PATH_LD_GNU
 
 
-# AC_PROG_LD_RELOAD_FLAG
-# ----------------------
+# _LT_CMD_RELOAD
+# --------------
 # find reload flag for linker
 #   -- PORTME Some linkers may need a different reload flag.
-AC_DEFUN([AC_PROG_LD_RELOAD_FLAG],
+m4_defun([_LT_CMD_RELOAD],
 [AC_CACHE_CHECK([for $LD option to reload object files],
   lt_cv_ld_reload_flag,
   [lt_cv_ld_reload_flag='-r'])
@@ -2396,15 +2972,18 @@ case $host_os in
     fi
     ;;
 esac
-])# AC_PROG_LD_RELOAD_FLAG
+_LT_DECL([], [reload_flag], [1], [How to create reloadable object files])dnl
+_LT_DECL([], [reload_cmds], [2])dnl
+])# _LT_CMD_RELOAD
 
 
-# AC_DEPLIBS_CHECK_METHOD
-# -----------------------
+# _LT_CHECK_MAGIC_METHOD
+# ----------------------
 # how to check for library dependencies
 #  -- PORTME fill in with the dynamic library characteristics
-AC_DEFUN([AC_DEPLIBS_CHECK_METHOD],
-[AC_CACHE_CHECK([how to recognize dependent libraries],
+m4_defun([_LT_CHECK_MAGIC_METHOD],
+[m4_require([_LT_DECL_EGREP])
+AC_CACHE_CHECK([how to recognize dependent libraries],
 lt_cv_deplibs_check_method,
 [lt_cv_file_magic_cmd='$MAGIC_CMD'
 lt_cv_file_magic_test_file=
@@ -2459,7 +3038,7 @@ darwin* | rhapsody*)
   ;;
 
 freebsd* | dragonfly*)
-  if echo __ELF__ | $CC -E - | grep __ELF__ > /dev/null; then
+  if echo __ELF__ | $CC -E - | $GREP __ELF__ > /dev/null; then
     case $host_cpu in
     i*86 )
       # Not sure whether the presence of OpenBSD here was a mistake.
@@ -2517,7 +3096,7 @@ linux* | k*bsd*-gnu)
   ;;
 
 netbsd* | netbsdelf*-gnu)
-  if echo __ELF__ | $CC -E - | grep __ELF__ > /dev/null; then
+  if echo __ELF__ | $CC -E - | $GREP __ELF__ > /dev/null; then
     lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so\.[[0-9]]+\.[[0-9]]+|_pic\.a)$'
   else
     lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so|_pic\.a)$'
@@ -2530,12 +3109,12 @@ newos6*)
   lt_cv_file_magic_test_file=/usr/lib/libnls.so
   ;;
 
-nto-qnx*)
-  lt_cv_deplibs_check_method=unknown
+*nto* | *qnx*)
+  lt_cv_deplibs_check_method=pass_all
   ;;
 
 openbsd*)
-  if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
+  if test -z "`echo __ELF__ | $CC -E - | $GREP __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
     lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so\.[[0-9]]+\.[[0-9]]+|\.so|_pic\.a)$'
   else
     lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so\.[[0-9]]+\.[[0-9]]+|_pic\.a)$'
@@ -2554,6 +3133,10 @@ solaris*)
   lt_cv_deplibs_check_method=pass_all
   ;;
 
+sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX* | sysv4*uw2*)
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+
 sysv4 | sysv4.3*)
   case $host_vendor in
   motorola)
@@ -2581,7 +3164,7 @@ sysv4 | sysv4.3*)
   esac
   ;;
 
-sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX* | sysv4*uw2*)
+tpf*)
   lt_cv_deplibs_check_method=pass_all
   ;;
 esac
@@ -2589,14 +3172,20 @@ esac
 file_magic_cmd=$lt_cv_file_magic_cmd
 deplibs_check_method=$lt_cv_deplibs_check_method
 test -z "$deplibs_check_method" && deplibs_check_method=unknown
-])# AC_DEPLIBS_CHECK_METHOD
+
+_LT_DECL([], [deplibs_check_method], [1],
+    [Method to check whether dependent libraries are shared objects])
+_LT_DECL([], [file_magic_cmd], [1],
+    [Command to use when deplibs_check_method == "file_magic"])
+])# _LT_CHECK_MAGIC_METHOD
 
 
-# AC_PROG_NM
+# LT_PATH_NM
 # ----------
-# find the pathname to a BSD-compatible name lister
-AC_DEFUN([AC_PROG_NM],
-[AC_CACHE_CHECK([for BSD-compatible nm], lt_cv_path_NM,
+# find the pathname to a BSD- or MS-compatible name lister
+AC_DEFUN([LT_PATH_NM],
+[AC_REQUIRE([AC_PROG_CC])dnl
+AC_CACHE_CHECK([for BSD- or MS-compatible name lister (nm)], lt_cv_path_NM,
 [if test -n "$NM"; then
   # Let the user override the test.
   lt_cv_path_NM="$NM"
@@ -2638,16 +3227,51 @@ else
     done
     IFS="$lt_save_ifs"
   done
-  test -z "$lt_cv_path_NM" && lt_cv_path_NM=nm
+  : ${lt_cv_path_NM=no}
 fi])
-NM="$lt_cv_path_NM"
-])# AC_PROG_NM
+if test "$lt_cv_path_NM" != "no"; then
+  NM="$lt_cv_path_NM"
+else
+  # Didn't find any BSD compatible name lister, look for dumpbin.
+  AC_CHECK_TOOLS(DUMPBIN, ["dumpbin -symbols" "link -dump -symbols"], :)
+  AC_SUBST([DUMPBIN])
+  if test "$DUMPBIN" != ":"; then
+    NM="$DUMPBIN"
+  fi
+fi
+test -z "$NM" && NM=nm
+AC_SUBST([NM])
+_LT_DECL([], [NM], [1], [A BSD- or MS-compatible name lister])dnl
+
+AC_CACHE_CHECK([the name lister ($NM) interface], [lt_cv_nm_interface],
+  [lt_cv_nm_interface="BSD nm"
+  echo "int some_variable = 0;" > conftest.$ac_ext
+  (eval echo "\"\$as_me:__oline__: $ac_compile\"" >&AS_MESSAGE_LOG_FD)
+  (eval "$ac_compile" 2>conftest.err)
+  cat conftest.err >&AS_MESSAGE_LOG_FD
+  (eval echo "\"\$as_me:__oline__: $NM \\\"conftest.$ac_objext\\\"\"" >&AS_MESSAGE_LOG_FD)
+  (eval "$NM \"conftest.$ac_objext\"" 2>conftest.err > conftest.out)
+  cat conftest.err >&AS_MESSAGE_LOG_FD
+  (eval echo "\"\$as_me:__oline__: output\"" >&AS_MESSAGE_LOG_FD)
+  cat conftest.out >&AS_MESSAGE_LOG_FD
+  if $GREP 'External.*some_variable' conftest.out > /dev/null; then
+    lt_cv_nm_interface="MS dumpbin"
+  fi
+  rm -f conftest*])
+])# LT_PATH_NM
 
+# Old names:
+AU_ALIAS([AM_PROG_NM], [LT_PATH_NM])
+AU_ALIAS([AC_PROG_NM], [LT_PATH_NM])
+dnl aclocal-1.4 backwards compatibility:
+dnl AC_DEFUN([AM_PROG_NM], [])
+dnl AC_DEFUN([AC_PROG_NM], [])
 
-# AC_CHECK_LIBM
-# -------------
+
+# LT_LIB_M
+# --------
 # check for math library
-AC_DEFUN([AC_CHECK_LIBM],
+AC_DEFUN([LT_LIB_M],
 [AC_REQUIRE([AC_CANONICAL_HOST])dnl
 LIBM=
 case $host in
@@ -2662,4015 +3286,4653 @@ case $host in
   AC_CHECK_LIB(m, cos, LIBM="-lm")
   ;;
 esac
-])# AC_CHECK_LIBM
+AC_SUBST([LIBM])
+])# LT_LIB_M
 
+# Old name:
+AU_ALIAS([AC_CHECK_LIBM], [LT_LIB_M])
+dnl aclocal-1.4 backwards compatibility:
+dnl AC_DEFUN([AC_CHECK_LIBM], [])
 
-# AC_LIBLTDL_CONVENIENCE([DIRECTORY])
-# -----------------------------------
-# sets LIBLTDL to the link flags for the libltdl convenience library and
-# LTDLINCL to the include flags for the libltdl header and adds
-# --enable-ltdl-convenience to the configure arguments.  Note that
-# AC_CONFIG_SUBDIRS is not called here.  If DIRECTORY is not provided,
-# it is assumed to be `libltdl'.  LIBLTDL will be prefixed with
-# '${top_builddir}/' and LTDLINCL will be prefixed with '${top_srcdir}/'
-# (note the single quotes!).  If your package is not flat and you're not
-# using automake, define top_builddir and top_srcdir appropriately in
-# the Makefiles.
-AC_DEFUN([AC_LIBLTDL_CONVENIENCE],
-[AC_BEFORE([$0],[AC_LIBTOOL_SETUP])dnl
-  case $enable_ltdl_convenience in
-  no) AC_MSG_ERROR([this package needs a convenience libltdl]) ;;
-  "") enable_ltdl_convenience=yes
-      ac_configure_args="$ac_configure_args --enable-ltdl-convenience" ;;
-  esac
-  LIBLTDL='${top_builddir}/'ifelse($#,1,[$1],['libltdl'])/libltdlc.la
-  LTDLINCL='-I${top_srcdir}/'ifelse($#,1,[$1],['libltdl'])
-  # For backwards non-gettext consistent compatibility...
-  INCLTDL="$LTDLINCL"
-])# AC_LIBLTDL_CONVENIENCE
 
+# _LT_COMPILER_NO_RTTI([TAGNAME])
+# -------------------------------
+m4_defun([_LT_COMPILER_NO_RTTI],
+[m4_require([_LT_TAG_COMPILER])dnl
 
-# AC_LIBLTDL_INSTALLABLE([DIRECTORY])
-# -----------------------------------
-# sets LIBLTDL to the link flags for the libltdl installable library and
-# LTDLINCL to the include flags for the libltdl header and adds
-# --enable-ltdl-install to the configure arguments.  Note that
-# AC_CONFIG_SUBDIRS is not called here.  If DIRECTORY is not provided,
-# and an installed libltdl is not found, it is assumed to be `libltdl'.
-# LIBLTDL will be prefixed with '${top_builddir}/'# and LTDLINCL with
-# '${top_srcdir}/' (note the single quotes!).  If your package is not
-# flat and you're not using automake, define top_builddir and top_srcdir
-# appropriately in the Makefiles.
-# In the future, this macro may have to be called after AC_PROG_LIBTOOL.
-AC_DEFUN([AC_LIBLTDL_INSTALLABLE],
-[AC_BEFORE([$0],[AC_LIBTOOL_SETUP])dnl
-  AC_CHECK_LIB(ltdl, lt_dlinit,
-  [test x"$enable_ltdl_install" != xyes && enable_ltdl_install=no],
-  [if test x"$enable_ltdl_install" = xno; then
-     AC_MSG_WARN([libltdl not installed, but installation disabled])
-   else
-     enable_ltdl_install=yes
-   fi
-  ])
-  if test x"$enable_ltdl_install" = x"yes"; then
-    ac_configure_args="$ac_configure_args --enable-ltdl-install"
-    LIBLTDL='${top_builddir}/'ifelse($#,1,[$1],['libltdl'])/libltdl.la
-    LTDLINCL='-I${top_srcdir}/'ifelse($#,1,[$1],['libltdl'])
-  else
-    ac_configure_args="$ac_configure_args --enable-ltdl-install=no"
-    LIBLTDL="-lltdl"
-    LTDLINCL=
-  fi
-  # For backwards non-gettext consistent compatibility...
-  INCLTDL="$LTDLINCL"
-])# AC_LIBLTDL_INSTALLABLE
+_LT_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)=
 
+if test "$GCC" = yes; then
+  _LT_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)=' -fno-builtin'
 
-# AC_LIBTOOL_CXX
-# --------------
-# enable support for C++ libraries
-AC_DEFUN([AC_LIBTOOL_CXX],
-[AC_REQUIRE([_LT_AC_LANG_CXX])
-])# AC_LIBTOOL_CXX
+  _LT_COMPILER_OPTION([if $compiler supports -fno-rtti -fno-exceptions],
+    lt_cv_prog_compiler_rtti_exceptions,
+    [-fno-rtti -fno-exceptions], [],
+    [_LT_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)="$_LT_TAGVAR(lt_prog_compiler_no_builtin_flag, $1) -fno-rtti -fno-exceptions"])
+fi
+_LT_TAGDECL([no_builtin_flag], [lt_prog_compiler_no_builtin_flag], [1],
+	[Compiler flag to turn off builtin functions])
+])# _LT_COMPILER_NO_RTTI
 
 
-# _LT_AC_LANG_CXX
-# ---------------
-AC_DEFUN([_LT_AC_LANG_CXX],
-[AC_REQUIRE([AC_PROG_CXX])
-AC_REQUIRE([_LT_AC_PROG_CXXCPP])
-_LT_AC_SHELL_INIT([tagnames=${tagnames+${tagnames},}CXX])
-])# _LT_AC_LANG_CXX
+# _LT_CMD_GLOBAL_SYMBOLS
+# ----------------------
+m4_defun([_LT_CMD_GLOBAL_SYMBOLS],
+[AC_REQUIRE([AC_CANONICAL_HOST])dnl
+AC_REQUIRE([AC_PROG_CC])dnl
+AC_REQUIRE([LT_PATH_NM])dnl
+AC_REQUIRE([LT_PATH_LD])dnl
+m4_require([_LT_DECL_SED])dnl
+m4_require([_LT_DECL_EGREP])dnl
+m4_require([_LT_TAG_COMPILER])dnl
 
-# _LT_AC_PROG_CXXCPP
-# ------------------
-AC_DEFUN([_LT_AC_PROG_CXXCPP],
+# Check for command to grab the raw symbol name followed by C symbol from nm.
+AC_MSG_CHECKING([command to parse $NM output from $compiler object])
+AC_CACHE_VAL([lt_cv_sys_global_symbol_pipe],
 [
-AC_REQUIRE([AC_PROG_CXX])
-if test -n "$CXX" && ( test "X$CXX" != "Xno" &&
-    ( (test "X$CXX" = "Xg++" && `g++ -v >/dev/null 2>&1` ) ||
-    (test "X$CXX" != "Xg++"))) ; then
-  AC_PROG_CXXCPP
-fi
-])# _LT_AC_PROG_CXXCPP
-
-# AC_LIBTOOL_F77
-# --------------
-# enable support for Fortran 77 libraries
-AC_DEFUN([AC_LIBTOOL_F77],
-[AC_REQUIRE([_LT_AC_LANG_F77])
-])# AC_LIBTOOL_F77
+# These are sane defaults that work on at least a few old systems.
+# [They come from Ultrix.  What could be older than Ultrix?!! ;)]
 
+# Character class describing NM global symbol codes.
+symcode='[[BCDEGRST]]'
 
-# _LT_AC_LANG_F77
-# ---------------
-AC_DEFUN([_LT_AC_LANG_F77],
-[AC_REQUIRE([AC_PROG_F77])
-_LT_AC_SHELL_INIT([tagnames=${tagnames+${tagnames},}F77])
-])# _LT_AC_LANG_F77
+# Regexp to match symbols that can be accessed directly from C.
+sympat='\([[_A-Za-z]][[_A-Za-z0-9]]*\)'
 
+# Define system-specific variables.
+case $host_os in
+aix*)
+  symcode='[[BCDT]]'
+  ;;
+cygwin* | mingw* | pw32*)
+  symcode='[[ABCDGISTW]]'
+  ;;
+hpux*)
+  if test "$host_cpu" = ia64; then
+    symcode='[[ABCDEGRST]]'
+  fi
+  ;;
+irix* | nonstopux*)
+  symcode='[[BCDEGRST]]'
+  ;;
+osf*)
+  symcode='[[BCDEGQRST]]'
+  ;;
+solaris*)
+  symcode='[[BDRT]]'
+  ;;
+sco3.2v5*)
+  symcode='[[DT]]'
+  ;;
+sysv4.2uw2*)
+  symcode='[[DT]]'
+  ;;
+sysv5* | sco5v6* | unixware* | OpenUNIX*)
+  symcode='[[ABDT]]'
+  ;;
+sysv4)
+  symcode='[[DFNSTU]]'
+  ;;
+esac
 
-# AC_LIBTOOL_GCJ
-# --------------
-# enable support for GCJ libraries
-AC_DEFUN([AC_LIBTOOL_GCJ],
-[AC_REQUIRE([_LT_AC_LANG_GCJ])
-])# AC_LIBTOOL_GCJ
+# If we're using GNU nm, then use its standard symbol codes.
+case `$NM -V 2>&1` in
+*GNU* | *'with BFD'*)
+  symcode='[[ABCDGIRSTW]]' ;;
+esac
 
+# Transform an extracted symbol line into a proper C declaration.
+# Some systems (esp. on ia64) link data and code symbols differently,
+# so use this general approach.
+lt_cv_sys_global_symbol_to_cdecl="sed -n -e 's/^T .* \(.*\)$/extern int \1();/p' -e 's/^$symcode* .* \(.*\)$/extern char \1;/p'"
 
-# _LT_AC_LANG_GCJ
-# ---------------
-AC_DEFUN([_LT_AC_LANG_GCJ],
-[AC_PROVIDE_IFELSE([AC_PROG_GCJ],[],
-  [AC_PROVIDE_IFELSE([A][M_PROG_GCJ],[],
-    [AC_PROVIDE_IFELSE([LT_AC_PROG_GCJ],[],
-      [ifdef([AC_PROG_GCJ],[AC_REQUIRE([AC_PROG_GCJ])],
-	 [ifdef([A][M_PROG_GCJ],[AC_REQUIRE([A][M_PROG_GCJ])],
-	   [AC_REQUIRE([A][C_PROG_GCJ_OR_A][M_PROG_GCJ])])])])])])
-_LT_AC_SHELL_INIT([tagnames=${tagnames+${tagnames},}GCJ])
-])# _LT_AC_LANG_GCJ
-
-
-# AC_LIBTOOL_RC
-# -------------
-# enable support for Windows resource files
-AC_DEFUN([AC_LIBTOOL_RC],
-[AC_REQUIRE([LT_AC_PROG_RC])
-_LT_AC_SHELL_INIT([tagnames=${tagnames+${tagnames},}RC])
-])# AC_LIBTOOL_RC
+# Transform an extracted symbol line into symbol name and symbol address
+lt_cv_sys_global_symbol_to_c_name_address="sed -n -e 's/^: \([[^ ]]*\) $/  {\\\"\1\\\", (void *) 0},/p' -e 's/^$symcode* \([[^ ]]*\) \([[^ ]]*\)$/  {\"\2\", (void *) \&\2},/p'"
+lt_cv_sys_global_symbol_to_c_name_address_lib_prefix="sed -n -e 's/^: \([[^ ]]*\) $/  {\\\"\1\\\", (void *) 0},/p' -e 's/^$symcode* \([[^ ]]*\) \(lib[[^ ]]*\)$/  {\"\2\", (void *) \&\2},/p' -e 's/^$symcode* \([[^ ]]*\) \([[^ ]]*\)$/  {\"lib\2\", (void *) \&\2},/p'"
 
+# Handle CRLF in mingw tool chain
+opt_cr=
+case $build_os in
+mingw*)
+  opt_cr=`$ECHO 'x\{0,1\}' | tr x '\015'` # option cr in regexp
+  ;;
+esac
 
-# AC_LIBTOOL_LANG_C_CONFIG
-# ------------------------
-# Ensure that the configuration vars for the C compiler are
-# suitably defined.  Those variables are subsequently used by
-# AC_LIBTOOL_CONFIG to write the compiler configuration to `libtool'.
-AC_DEFUN([AC_LIBTOOL_LANG_C_CONFIG], [_LT_AC_LANG_C_CONFIG])
-AC_DEFUN([_LT_AC_LANG_C_CONFIG],
-[lt_save_CC="$CC"
-AC_LANG_PUSH(C)
+# Try without a prefix underscore, then with it.
+for ac_symprfx in "" "_"; do
 
-# Source file extension for C test sources.
-ac_ext=c
+  # Transform symcode, sympat, and symprfx into a raw symbol and a C symbol.
+  symxfrm="\\1 $ac_symprfx\\2 \\2"
 
-# Object file extension for compiled C test sources.
-objext=o
-_LT_AC_TAGVAR(objext, $1)=$objext
+  # Write the raw and C identifiers.
+  if test "$lt_cv_nm_interface" = "MS dumpbin"; then
+    # Fake it for dumpbin and say T for any non-static function
+    # and D for any global variable.
+    # Also find C++ and __fastcall symbols from MSVC++,
+    # which start with @ or ?.
+    lt_cv_sys_global_symbol_pipe="$AWK ['"\
+"     {last_section=section; section=\$ 3};"\
+"     /Section length .*#relocs.*(pick any)/{hide[last_section]=1};"\
+"     \$ 0!~/External *\|/{next};"\
+"     / 0+ UNDEF /{next}; / UNDEF \([^|]\)*()/{next};"\
+"     {if(hide[section]) next};"\
+"     {f=0}; \$ 0~/\(\).*\|/{f=1}; {printf f ? \"T \" : \"D \"};"\
+"     {split(\$ 0, a, /\||\r/); split(a[2], s)};"\
+"     s[1]~/^[@?]/{print s[1], s[1]; next};"\
+"     s[1]~prfx {split(s[1],t,\"@\"); print t[1], substr(t[1],length(prfx))}"\
+"     ' prfx=^$ac_symprfx]"
+  else
+    lt_cv_sys_global_symbol_pipe="sed -n -e 's/^.*[[	 ]]\($symcode$symcode*\)[[	 ]][[	 ]]*$ac_symprfx$sympat$opt_cr$/$symxfrm/p'"
+  fi
 
-# Code to be used in simple compile tests
-lt_simple_compile_test_code="int some_variable = 0;"
+  # Check to see that the pipe works correctly.
+  pipe_works=no
 
-# Code to be used in simple link tests
-lt_simple_link_test_code='int main(){return(0);}'
-
-_LT_AC_SYS_COMPILER
-
-# save warnings/boilerplate of simple test code
-_LT_COMPILER_BOILERPLATE
-_LT_LINKER_BOILERPLATE
-
-AC_LIBTOOL_PROG_COMPILER_NO_RTTI($1)
-AC_LIBTOOL_PROG_COMPILER_PIC($1)
-AC_LIBTOOL_PROG_CC_C_O($1)
-AC_LIBTOOL_SYS_HARD_LINK_LOCKS($1)
-AC_LIBTOOL_PROG_LD_SHLIBS($1)
-AC_LIBTOOL_SYS_DYNAMIC_LINKER($1)
-AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH($1)
-AC_LIBTOOL_SYS_LIB_STRIP
-AC_LIBTOOL_DLOPEN_SELF
-
-# Report which library types will actually be built
-AC_MSG_CHECKING([if libtool supports shared libraries])
-AC_MSG_RESULT([$can_build_shared])
-
-AC_MSG_CHECKING([whether to build shared libraries])
-test "$can_build_shared" = "no" && enable_shared=no
-
-# On AIX, shared libraries and static libraries use the same namespace, and
-# are all built from PIC.
-case $host_os in
-aix3*)
-  test "$enable_shared" = yes && enable_static=no
-  if test -n "$RANLIB"; then
-    archive_cmds="$archive_cmds~\$RANLIB \$lib"
-    postinstall_cmds='$RANLIB $lib'
-  fi
-  ;;
-
-aix[[4-9]]*)
-  if test "$host_cpu" != ia64 && test "$aix_use_runtimelinking" = no ; then
-    test "$enable_shared" = yes && enable_static=no
-  fi
-    ;;
-esac
-AC_MSG_RESULT([$enable_shared])
-
-AC_MSG_CHECKING([whether to build static libraries])
-# Make sure either enable_shared or enable_static is yes.
-test "$enable_shared" = yes || enable_static=yes
-AC_MSG_RESULT([$enable_static])
-
-AC_LIBTOOL_CONFIG($1)
-
-AC_LANG_POP
-CC="$lt_save_CC"
-])# AC_LIBTOOL_LANG_C_CONFIG
-
-
-# AC_LIBTOOL_LANG_CXX_CONFIG
-# --------------------------
-# Ensure that the configuration vars for the C compiler are
-# suitably defined.  Those variables are subsequently used by
-# AC_LIBTOOL_CONFIG to write the compiler configuration to `libtool'.
-AC_DEFUN([AC_LIBTOOL_LANG_CXX_CONFIG], [_LT_AC_LANG_CXX_CONFIG(CXX)])
-AC_DEFUN([_LT_AC_LANG_CXX_CONFIG],
-[AC_LANG_PUSH(C++)
-AC_REQUIRE([AC_PROG_CXX])
-AC_REQUIRE([_LT_AC_PROG_CXXCPP])
-
-_LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
-_LT_AC_TAGVAR(allow_undefined_flag, $1)=
-_LT_AC_TAGVAR(always_export_symbols, $1)=no
-_LT_AC_TAGVAR(archive_expsym_cmds, $1)=
-_LT_AC_TAGVAR(export_dynamic_flag_spec, $1)=
-_LT_AC_TAGVAR(hardcode_direct, $1)=no
-_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)=
-_LT_AC_TAGVAR(hardcode_libdir_flag_spec_ld, $1)=
-_LT_AC_TAGVAR(hardcode_libdir_separator, $1)=
-_LT_AC_TAGVAR(hardcode_minus_L, $1)=no
-_LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=unsupported
-_LT_AC_TAGVAR(hardcode_automatic, $1)=no
-_LT_AC_TAGVAR(module_cmds, $1)=
-_LT_AC_TAGVAR(module_expsym_cmds, $1)=
-_LT_AC_TAGVAR(link_all_deplibs, $1)=unknown
-_LT_AC_TAGVAR(old_archive_cmds, $1)=$old_archive_cmds
-_LT_AC_TAGVAR(no_undefined_flag, $1)=
-_LT_AC_TAGVAR(whole_archive_flag_spec, $1)=
-_LT_AC_TAGVAR(enable_shared_with_static_runtimes, $1)=no
-
-# Dependencies to place before and after the object being linked:
-_LT_AC_TAGVAR(predep_objects, $1)=
-_LT_AC_TAGVAR(postdep_objects, $1)=
-_LT_AC_TAGVAR(predeps, $1)=
-_LT_AC_TAGVAR(postdeps, $1)=
-_LT_AC_TAGVAR(compiler_lib_search_path, $1)=
-_LT_AC_TAGVAR(compiler_lib_search_dirs, $1)=
-
-# Source file extension for C++ test sources.
-ac_ext=cpp
-
-# Object file extension for compiled C++ test sources.
-objext=o
-_LT_AC_TAGVAR(objext, $1)=$objext
-
-# Code to be used in simple compile tests
-lt_simple_compile_test_code="int some_variable = 0;"
-
-# Code to be used in simple link tests
-lt_simple_link_test_code='int main(int, char *[[]]) { return(0); }'
-
-# ltmain only uses $CC for tagged configurations so make sure $CC is set.
-_LT_AC_SYS_COMPILER
-
-# save warnings/boilerplate of simple test code
-_LT_COMPILER_BOILERPLATE
-_LT_LINKER_BOILERPLATE
-
-# Allow CC to be a program name with arguments.
-lt_save_CC=$CC
-lt_save_LD=$LD
-lt_save_GCC=$GCC
-GCC=$GXX
-lt_save_with_gnu_ld=$with_gnu_ld
-lt_save_path_LD=$lt_cv_path_LD
-if test -n "${lt_cv_prog_gnu_ldcxx+set}"; then
-  lt_cv_prog_gnu_ld=$lt_cv_prog_gnu_ldcxx
-else
-  $as_unset lt_cv_prog_gnu_ld
-fi
-if test -n "${lt_cv_path_LDCXX+set}"; then
-  lt_cv_path_LD=$lt_cv_path_LDCXX
-else
-  $as_unset lt_cv_path_LD
-fi
-test -z "${LDCXX+set}" || LD=$LDCXX
-CC=${CXX-"c++"}
-compiler=$CC
-_LT_AC_TAGVAR(compiler, $1)=$CC
-_LT_CC_BASENAME([$compiler])
+  rm -f conftest*
+  cat > conftest.$ac_ext <<_LT_EOF
+#ifdef __cplusplus
+extern "C" {
+#endif
+char nm_test_var;
+void nm_test_func(void);
+void nm_test_func(void){}
+#ifdef __cplusplus
+}
+#endif
+int main(){nm_test_var='a';nm_test_func();return(0);}
+_LT_EOF
 
-# We don't want -fno-exception wen compiling C++ code, so set the
-# no_builtin_flag separately
-if test "$GXX" = yes; then
-  _LT_AC_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)=' -fno-builtin'
-else
-  _LT_AC_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)=
-fi
+  if AC_TRY_EVAL(ac_compile); then
+    # Now try to grab the symbols.
+    nlist=conftest.nm
+    if AC_TRY_EVAL(NM conftest.$ac_objext \| $lt_cv_sys_global_symbol_pipe \> $nlist) && test -s "$nlist"; then
+      # Try sorting and uniquifying the output.
+      if sort "$nlist" | uniq > "$nlist"T; then
+	mv -f "$nlist"T "$nlist"
+      else
+	rm -f "$nlist"T
+      fi
 
-if test "$GXX" = yes; then
-  # Set up default GNU C++ configuration
+      # Make sure that we snagged all the symbols we need.
+      if $GREP ' nm_test_var$' "$nlist" >/dev/null; then
+	if $GREP ' nm_test_func$' "$nlist" >/dev/null; then
+	  cat <<_LT_EOF > conftest.$ac_ext
+#ifdef __cplusplus
+extern "C" {
+#endif
 
-  AC_PROG_LD
+_LT_EOF
+	  # Now generate the symbol file.
+	  eval "$lt_cv_sys_global_symbol_to_cdecl"' < "$nlist" | $GREP -v main >> conftest.$ac_ext'
 
-  # Check if GNU C++ uses GNU ld as the underlying linker, since the
-  # archiving commands below assume that GNU ld is being used.
-  if test "$with_gnu_ld" = yes; then
-    _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib'
-    _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+	  cat <<_LT_EOF >> conftest.$ac_ext
 
-    _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}--rpath ${wl}$libdir'
-    _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic'
+/* The mapping between symbol names and symbols.  */
+const struct {
+  const char *name;
+  void       *address;
+}
+lt__PROGRAM__LTX_preloaded_symbols[[]] =
+{
+  { "@PROGRAM@", (void *) 0 },
+_LT_EOF
+	  $SED "s/^$symcode$symcode* \(.*\) \(.*\)$/  {\"\2\", (void *) \&\2},/" < "$nlist" | $GREP -v main >> conftest.$ac_ext
+	  cat <<\_LT_EOF >> conftest.$ac_ext
+  {0, (void *) 0}
+};
 
-    # If archive_cmds runs LD, not CC, wlarc should be empty
-    # XXX I think wlarc can be eliminated in ltcf-cxx, but I need to
-    #     investigate it a little bit more. (MM)
-    wlarc='${wl}'
+/* This works around a problem in FreeBSD linker */
+#ifdef FREEBSD_WORKAROUND
+static const void *lt_preloaded_setup() {
+  return lt__PROGRAM__LTX_preloaded_symbols;
+}
+#endif
 
-    # ancient GNU ld didn't support --whole-archive et. al.
-    if eval "`$CC -print-prog-name=ld` --help 2>&1" | \
-	grep 'no-whole-archive' > /dev/null; then
-      _LT_AC_TAGVAR(whole_archive_flag_spec, $1)="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive'
+#ifdef __cplusplus
+}
+#endif
+_LT_EOF
+	  # Now try linking the two files.
+	  mv conftest.$ac_objext conftstm.$ac_objext
+	  lt_save_LIBS="$LIBS"
+	  lt_save_CFLAGS="$CFLAGS"
+	  LIBS="conftstm.$ac_objext"
+	  CFLAGS="$CFLAGS$_LT_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)"
+	  if AC_TRY_EVAL(ac_link) && test -s conftest${ac_exeext}; then
+	    pipe_works=yes
+	  fi
+	  LIBS="$lt_save_LIBS"
+	  CFLAGS="$lt_save_CFLAGS"
+	else
+	  echo "cannot find nm_test_func in $nlist" >&AS_MESSAGE_LOG_FD
+	fi
+      else
+	echo "cannot find nm_test_var in $nlist" >&AS_MESSAGE_LOG_FD
+      fi
     else
-      _LT_AC_TAGVAR(whole_archive_flag_spec, $1)=
+      echo "cannot run $lt_cv_sys_global_symbol_pipe" >&AS_MESSAGE_LOG_FD
     fi
   else
-    with_gnu_ld=no
-    wlarc=
-
-    # A generic and very simple default shared library creation
-    # command for GNU C++ for the case where it uses the native
-    # linker, instead of GNU ld.  If possible, this setting should
-    # overridden to take advantage of the native linker features on
-    # the platform it is being used on.
-    _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $lib'
+    echo "$progname: failed program was:" >&AS_MESSAGE_LOG_FD
+    cat conftest.$ac_ext >&5
   fi
+  rm -rf conftest* conftst*
 
-  # Commands to make compiler produce verbose output that lists
-  # what "hidden" libraries, object files and flags are used when
-  # linking a shared library.
-  output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "\-L"'
-
+  # Do not use the global_symbol_pipe unless it works.
+  if test "$pipe_works" = yes; then
+    break
+  else
+    lt_cv_sys_global_symbol_pipe=
+  fi
+done
+])
+if test -z "$lt_cv_sys_global_symbol_pipe"; then
+  lt_cv_sys_global_symbol_to_cdecl=
+fi
+if test -z "$lt_cv_sys_global_symbol_pipe$lt_cv_sys_global_symbol_to_cdecl"; then
+  AC_MSG_RESULT(failed)
 else
-  GXX=no
-  with_gnu_ld=no
-  wlarc=
+  AC_MSG_RESULT(ok)
 fi
 
-# PORTME: fill in a description of your system's C++ link characteristics
-AC_MSG_CHECKING([whether the $compiler linker ($LD) supports shared libraries])
-_LT_AC_TAGVAR(ld_shlibs, $1)=yes
-case $host_os in
-  aix3*)
-    # FIXME: insert proper C++ library support
-    _LT_AC_TAGVAR(ld_shlibs, $1)=no
-    ;;
-  aix[[4-9]]*)
-    if test "$host_cpu" = ia64; then
-      # On IA64, the linker does run time linking by default, so we don't
-      # have to do anything special.
-      aix_use_runtimelinking=no
-      exp_sym_flag='-Bexport'
-      no_entry_flag=""
-    else
-      aix_use_runtimelinking=no
-
-      # Test if we are trying to use run time linking or normal
-      # AIX style linking. If -brtl is somewhere in LDFLAGS, we
-      # need to do runtime linking.
-      case $host_os in aix4.[[23]]|aix4.[[23]].*|aix[[5-9]]*)
-	for ld_flag in $LDFLAGS; do
-	  case $ld_flag in
-	  *-brtl*)
-	    aix_use_runtimelinking=yes
-	    break
-	    ;;
-	  esac
-	done
-	;;
-      esac
-
-      exp_sym_flag='-bexport'
-      no_entry_flag='-bnoentry'
-    fi
+_LT_DECL([global_symbol_pipe], [lt_cv_sys_global_symbol_pipe], [1],
+    [Take the output of nm and produce a listing of raw symbols and C names])
+_LT_DECL([global_symbol_to_cdecl], [lt_cv_sys_global_symbol_to_cdecl], [1],
+    [Transform the output of nm in a proper C declaration])
+_LT_DECL([global_symbol_to_c_name_address],
+    [lt_cv_sys_global_symbol_to_c_name_address], [1],
+    [Transform the output of nm in a C name address pair])
+_LT_DECL([global_symbol_to_c_name_address_lib_prefix],
+    [lt_cv_sys_global_symbol_to_c_name_address_lib_prefix], [1],
+    [Transform the output of nm in a C name address pair when lib prefix is needed])
+]) # _LT_CMD_GLOBAL_SYMBOLS
 
-    # When large executables or shared objects are built, AIX ld can
-    # have problems creating the table of contents.  If linking a library
-    # or program results in "error TOC overflow" add -mminimal-toc to
-    # CXXFLAGS/CFLAGS for g++/gcc.  In the cases where that is not
-    # enough to fix the problem, add -Wl,-bbigtoc to LDFLAGS.
 
-    _LT_AC_TAGVAR(archive_cmds, $1)=''
-    _LT_AC_TAGVAR(hardcode_direct, $1)=yes
-    _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=':'
-    _LT_AC_TAGVAR(link_all_deplibs, $1)=yes
+# _LT_COMPILER_PIC([TAGNAME])
+# ---------------------------
+m4_defun([_LT_COMPILER_PIC],
+[m4_require([_LT_TAG_COMPILER])dnl
+_LT_TAGVAR(lt_prog_compiler_wl, $1)=
+_LT_TAGVAR(lt_prog_compiler_pic, $1)=
+_LT_TAGVAR(lt_prog_compiler_static, $1)=
 
-    if test "$GXX" = yes; then
-      case $host_os in aix4.[[012]]|aix4.[[012]].*)
-      # We only want to do this on AIX 4.2 and lower, the check
-      # below for broken collect2 doesn't work under 4.3+
-	collect2name=`${CC} -print-prog-name=collect2`
-	if test -f "$collect2name" && \
-	   strings "$collect2name" | grep resolve_lib_name >/dev/null
-	then
-	  # We have reworked collect2
-	  :
-	else
-	  # We have old collect2
-	  _LT_AC_TAGVAR(hardcode_direct, $1)=unsupported
-	  # It fails to find uninstalled libraries when the uninstalled
-	  # path is not listed in the libpath.  Setting hardcode_minus_L
-	  # to unsupported forces relinking
-	  _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes
-	  _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
-	  _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=
-	fi
-	;;
-      esac
-      shared_flag='-shared'
-      if test "$aix_use_runtimelinking" = yes; then
-	shared_flag="$shared_flag "'${wl}-G'
-      fi
-    else
-      # not using gcc
-      if test "$host_cpu" = ia64; then
-	# VisualAge C++, Version 5.5 for AIX 5L for IA-64, Beta 3 Release
-	# chokes on -Wl,-G. The following line is correct:
-	shared_flag='-G'
-      else
-	if test "$aix_use_runtimelinking" = yes; then
-	  shared_flag='${wl}-G'
-	else
-	  shared_flag='${wl}-bM:SRE'
-	fi
-      fi
-    fi
+AC_MSG_CHECKING([for $compiler option to produce PIC])
+m4_if([$1], [CXX], [
+  # C++ specific cases for pic, static, wl, etc.
+  if test "$GXX" = yes; then
+    _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+    _LT_TAGVAR(lt_prog_compiler_static, $1)='-static'
 
-    # It seems that -bexpall does not export symbols beginning with
-    # underscore (_), so it is better to generate a list of symbols to export.
-    _LT_AC_TAGVAR(always_export_symbols, $1)=yes
-    if test "$aix_use_runtimelinking" = yes; then
-      # Warning - without using the other runtime loading flags (-brtl),
-      # -berok will link without error, but may produce a broken library.
-      _LT_AC_TAGVAR(allow_undefined_flag, $1)='-berok'
-      # Determine the default libpath from the value encoded in an empty executable.
-      _LT_AC_SYS_LIBPATH_AIX
-      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-blibpath:$libdir:'"$aix_libpath"
-
-      _LT_AC_TAGVAR(archive_expsym_cmds, $1)="\$CC"' -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then echo "${wl}${allow_undefined_flag}"; else :; fi` '"\${wl}$exp_sym_flag:\$export_symbols $shared_flag"
-     else
+    case $host_os in
+    aix*)
+      # All AIX code is PIC.
       if test "$host_cpu" = ia64; then
-	_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-R $libdir:/usr/lib:/lib'
-	_LT_AC_TAGVAR(allow_undefined_flag, $1)="-z nodefs"
-	_LT_AC_TAGVAR(archive_expsym_cmds, $1)="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags ${wl}${allow_undefined_flag} '"\${wl}$exp_sym_flag:\$export_symbols"
-      else
-	# Determine the default libpath from the value encoded in an empty executable.
-	_LT_AC_SYS_LIBPATH_AIX
-	_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-blibpath:$libdir:'"$aix_libpath"
-	# Warning - without using the other run time loading flags,
-	# -berok will link without error, but may produce a broken library.
-	_LT_AC_TAGVAR(no_undefined_flag, $1)=' ${wl}-bernotok'
-	_LT_AC_TAGVAR(allow_undefined_flag, $1)=' ${wl}-berok'
-	# Exported symbols can be pulled into shared objects from archives
-	_LT_AC_TAGVAR(whole_archive_flag_spec, $1)='$convenience'
-	_LT_AC_TAGVAR(archive_cmds_need_lc, $1)=yes
-	# This is similar to how AIX traditionally builds its shared libraries.
-	_LT_AC_TAGVAR(archive_expsym_cmds, $1)="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs ${wl}-bnoentry $compiler_flags ${wl}-bE:$export_symbols${allow_undefined_flag}~$AR $AR_FLAGS $output_objdir/$libname$release.a $output_objdir/$soname'
+	# AIX 5 now supports IA64 processor
+	_LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
       fi
-    fi
-    ;;
-
-  beos*)
-    if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
-      _LT_AC_TAGVAR(allow_undefined_flag, $1)=unsupported
-      # Joseph Beckenbach <jrb3@best.com> says some releases of gcc
-      # support --undefined.  This deserves some investigation.  FIXME
-      _LT_AC_TAGVAR(archive_cmds, $1)='$CC -nostart $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
-    else
-      _LT_AC_TAGVAR(ld_shlibs, $1)=no
-    fi
-    ;;
-
-  chorus*)
-    case $cc_basename in
-      *)
-	# FIXME: insert proper C++ library support
-	_LT_AC_TAGVAR(ld_shlibs, $1)=no
-	;;
-    esac
-    ;;
+      ;;
 
-  cygwin* | mingw* | pw32*)
-    # _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1) is actually meaningless,
-    # as there is no search path for DLLs.
-    _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
-    _LT_AC_TAGVAR(allow_undefined_flag, $1)=unsupported
-    _LT_AC_TAGVAR(always_export_symbols, $1)=no
-    _LT_AC_TAGVAR(enable_shared_with_static_runtimes, $1)=yes
-
-    if $LD --help 2>&1 | grep 'auto-import' > /dev/null; then
-      _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
-      # If the export-symbols file already is a .def file (1st line
-      # is EXPORTS), use it as is; otherwise, prepend...
-      _LT_AC_TAGVAR(archive_expsym_cmds, $1)='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then
-	cp $export_symbols $output_objdir/$soname.def;
-      else
-	echo EXPORTS > $output_objdir/$soname.def;
-	cat $export_symbols >> $output_objdir/$soname.def;
-      fi~
-      $CC -shared -nostdlib $output_objdir/$soname.def $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
-    else
-      _LT_AC_TAGVAR(ld_shlibs, $1)=no
-    fi
-  ;;
-      darwin* | rhapsody*)
-      _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
-      _LT_AC_TAGVAR(hardcode_direct, $1)=no
-      _LT_AC_TAGVAR(hardcode_automatic, $1)=yes
-      _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=unsupported
-      _LT_AC_TAGVAR(whole_archive_flag_spec, $1)=''
-      _LT_AC_TAGVAR(link_all_deplibs, $1)=yes
-      _LT_AC_TAGVAR(allow_undefined_flag, $1)="$_lt_dar_allow_undefined"
-      if test "$GXX" = yes ; then
-      output_verbose_link_cmd='echo'
-      _LT_AC_TAGVAR(archive_cmds, $1)="\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$libobjs \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring $_lt_dar_single_mod${_lt_dsymutil}"
-      _LT_AC_TAGVAR(module_cmds, $1)="\$CC \$allow_undefined_flag -o \$lib -bundle \$libobjs \$deplibs \$compiler_flags${_lt_dsymutil}"
-      _LT_AC_TAGVAR(archive_expsym_cmds, $1)="sed 's,^,_,' < \$export_symbols > \$output_objdir/\${libname}-symbols.expsym~\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$libobjs \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring ${_lt_dar_single_mod}${_lt_dar_export_syms}${_lt_dsymutil}"
-      _LT_AC_TAGVAR(module_expsym_cmds, $1)="sed -e 's,^,_,' < \$export_symbols > \$output_objdir/\${libname}-symbols.expsym~\$CC \$allow_undefined_flag -o \$lib -bundle \$libobjs \$deplibs \$compiler_flags${_lt_dar_export_syms}${_lt_dsymutil}"
-      if test "$lt_cv_apple_cc_single_mod" != "yes"; then
-        _LT_AC_TAGVAR(archive_cmds, $1)="\$CC -r -keep_private_externs -nostdlib -o \${lib}-master.o \$libobjs~\$CC -dynamiclib \$allow_undefined_flag -o \$lib \${lib}-master.o \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring${_lt_dsymutil}"
-        _LT_AC_TAGVAR(archive_expsym_cmds, $1)="sed 's,^,_,' < \$export_symbols > \$output_objdir/\${libname}-symbols.expsym~\$CC -r -keep_private_externs -nostdlib -o \${lib}-master.o \$libobjs~\$CC -dynamiclib \$allow_undefined_flag -o \$lib \${lib}-master.o \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring${_lt_dar_export_syms}${_lt_dsymutil}"
-      fi
-      else
-      case $cc_basename in
-        xlc*)
-         output_verbose_link_cmd='echo'
-          _LT_AC_TAGVAR(archive_cmds, $1)='$CC -qmkshrobj ${wl}-single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}`echo $rpath/$soname` $xlcverstring'
-          _LT_AC_TAGVAR(module_cmds, $1)='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
-          # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin lds
-          _LT_AC_TAGVAR(archive_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -qmkshrobj ${wl}-single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}$rpath/$soname $xlcverstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
-          _LT_AC_TAGVAR(module_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag  -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
-          ;;
-       *)
-         _LT_AC_TAGVAR(ld_shlibs, $1)=no
-          ;;
-      esac
-      fi
+    amigaos*)
+      case $host_cpu in
+      powerpc)
+            # see comment about AmigaOS4 .so support
+            _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
+        ;;
+      m68k)
+            # FIXME: we need at least 68020 code to build shared libraries, but
+            # adding the `-m68020' flag to GCC prevents building anything better,
+            # like `-m68040'.
+            _LT_TAGVAR(lt_prog_compiler_pic, $1)='-m68020 -resident32 -malways-restore-a4'
         ;;
+      esac
+      ;;
 
-  dgux*)
-    case $cc_basename in
-      ec++*)
-	# FIXME: insert proper C++ library support
-	_LT_AC_TAGVAR(ld_shlibs, $1)=no
-	;;
-      ghcx*)
-	# Green Hills C++ Compiler
-	# FIXME: insert proper C++ library support
-	_LT_AC_TAGVAR(ld_shlibs, $1)=no
+    beos* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*)
+      # PIC is the default for these OSes.
+      ;;
+    mingw* | cygwin* | os2* | pw32*)
+      # This hack is so that the source file can tell whether it is being
+      # built for inclusion in a dll (and should export symbols for example).
+      # Although the cygwin gcc ignores -fPIC, still need this for old-style
+      # (--disable-auto-import) libraries
+      m4_if([$1], [GCJ], [],
+	[_LT_TAGVAR(lt_prog_compiler_pic, $1)='-DDLL_EXPORT'])
+      ;;
+    darwin* | rhapsody*)
+      # PIC is the default on this platform
+      # Common symbols not allowed in MH_DYLIB files
+      _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fno-common'
+      ;;
+    *djgpp*)
+      # DJGPP does not support shared libraries at all
+      _LT_TAGVAR(lt_prog_compiler_pic, $1)=
+      ;;
+    interix[[3-9]]*)
+      # Interix 3.x gcc -fpic/-fPIC options generate broken code.
+      # Instead, we relocate shared libraries at runtime.
+      ;;
+    sysv4*MP*)
+      if test -d /usr/nec; then
+	_LT_TAGVAR(lt_prog_compiler_pic, $1)=-Kconform_pic
+      fi
+      ;;
+    hpux*)
+      # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but
+      # not for PA HP-UX.
+      case $host_cpu in
+      hppa*64*|ia64*)
 	;;
       *)
-	# FIXME: insert proper C++ library support
-	_LT_AC_TAGVAR(ld_shlibs, $1)=no
+	_LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
 	;;
-    esac
-    ;;
-  freebsd[[12]]*)
-    # C++ shared libraries reported to be fairly broken before switch to ELF
-    _LT_AC_TAGVAR(ld_shlibs, $1)=no
-    ;;
-  freebsd-elf*)
-    _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
-    ;;
-  freebsd* | dragonfly*)
-    # FreeBSD 3 and later use GNU C++ and GNU ld with standard ELF
-    # conventions
-    _LT_AC_TAGVAR(ld_shlibs, $1)=yes
-    ;;
-  gnu*)
-    ;;
-  hpux9*)
-    _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir'
-    _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
-    _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
-    _LT_AC_TAGVAR(hardcode_direct, $1)=yes
-    _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes # Not in the search PATH,
-				# but as the default
-				# location of the library.
-
-    case $cc_basename in
-    CC*)
-      # FIXME: insert proper C++ library support
-      _LT_AC_TAGVAR(ld_shlibs, $1)=no
+      esac
       ;;
-    aCC*)
-      _LT_AC_TAGVAR(archive_cmds, $1)='$rm $output_objdir/$soname~$CC -b ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
-      # Commands to make compiler produce verbose output that lists
-      # what "hidden" libraries, object files and flags are used when
-      # linking a shared library.
-      #
-      # There doesn't appear to be a way to prevent this compiler from
-      # explicitly linking system object files so we need to strip them
-      # from the output so that they don't get included in the library
-      # dependencies.
-      output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | grep "[[-]]L"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
+    *qnx* | *nto*)
+      # QNX uses GNU C++, but need to define -shared option too, otherwise
+      # it will coredump.
+      _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC -shared'
       ;;
     *)
-      if test "$GXX" = yes; then
-        _LT_AC_TAGVAR(archive_cmds, $1)='$rm $output_objdir/$soname~$CC -shared -nostdlib -fPIC ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
-      else
-        # FIXME: insert proper C++ library support
-        _LT_AC_TAGVAR(ld_shlibs, $1)=no
-      fi
-      ;;
-    esac
-    ;;
-  hpux10*|hpux11*)
-    if test $with_gnu_ld = no; then
-      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir'
-      _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
-
-      case $host_cpu in
-      hppa*64*|ia64*) ;;
-      *)
-	_LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
-        ;;
-      esac
-    fi
-    case $host_cpu in
-    hppa*64*|ia64*)
-      _LT_AC_TAGVAR(hardcode_direct, $1)=no
-      _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
-      ;;
-    *)
-      _LT_AC_TAGVAR(hardcode_direct, $1)=yes
-      _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes # Not in the search PATH,
-					      # but as the default
-					      # location of the library.
+      _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
       ;;
     esac
-
-    case $cc_basename in
-      CC*)
-	# FIXME: insert proper C++ library support
-	_LT_AC_TAGVAR(ld_shlibs, $1)=no
+  else
+    case $host_os in
+      aix[[4-9]]*)
+	# All AIX code is PIC.
+	if test "$host_cpu" = ia64; then
+	  # AIX 5 now supports IA64 processor
+	  _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+	else
+	  _LT_TAGVAR(lt_prog_compiler_static, $1)='-bnso -bI:/lib/syscalls.exp'
+	fi
 	;;
-      aCC*)
-	case $host_cpu in
-	hppa*64*)
-	  _LT_AC_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
-	  ;;
-	ia64*)
-	  _LT_AC_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
-	  ;;
-	*)
-	  _LT_AC_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
+      chorus*)
+	case $cc_basename in
+	cxch68*)
+	  # Green Hills C++ Compiler
+	  # _LT_TAGVAR(lt_prog_compiler_static, $1)="--no_auto_instantiation -u __main -u __premain -u _abort -r $COOL_DIR/lib/libOrb.a $MVME_DIR/lib/CC/libC.a $MVME_DIR/lib/classix/libcx.s.a"
 	  ;;
 	esac
-	# Commands to make compiler produce verbose output that lists
-	# what "hidden" libraries, object files and flags are used when
-	# linking a shared library.
-	#
-	# There doesn't appear to be a way to prevent this compiler from
-	# explicitly linking system object files so we need to strip them
-	# from the output so that they don't get included in the library
-	# dependencies.
-	output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | grep "\-L"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
 	;;
-      *)
-	if test "$GXX" = yes; then
-	  if test $with_gnu_ld = no; then
+      dgux*)
+	case $cc_basename in
+	  ec++*)
+	    _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+	    ;;
+	  ghcx*)
+	    # Green Hills C++ Compiler
+	    _LT_TAGVAR(lt_prog_compiler_pic, $1)='-pic'
+	    ;;
+	  *)
+	    ;;
+	esac
+	;;
+      freebsd* | dragonfly*)
+	# FreeBSD uses GNU C++
+	;;
+      hpux9* | hpux10* | hpux11*)
+	case $cc_basename in
+	  CC*)
+	    _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+	    _LT_TAGVAR(lt_prog_compiler_static, $1)='${wl}-a ${wl}archive'
+	    if test "$host_cpu" != ia64; then
+	      _LT_TAGVAR(lt_prog_compiler_pic, $1)='+Z'
+	    fi
+	    ;;
+	  aCC*)
+	    _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+	    _LT_TAGVAR(lt_prog_compiler_static, $1)='${wl}-a ${wl}archive'
 	    case $host_cpu in
-	    hppa*64*)
-	      _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib -fPIC ${wl}+h ${wl}$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
-	      ;;
-	    ia64*)
-	      _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib -fPIC ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
+	    hppa*64*|ia64*)
+	      # +Z the default
 	      ;;
 	    *)
-	      _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
+	      _LT_TAGVAR(lt_prog_compiler_pic, $1)='+Z'
 	      ;;
 	    esac
-	  fi
-	else
-	  # FIXME: insert proper C++ library support
-	  _LT_AC_TAGVAR(ld_shlibs, $1)=no
-	fi
-	;;
-    esac
-    ;;
-  interix[[3-9]]*)
-    _LT_AC_TAGVAR(hardcode_direct, $1)=no
-    _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
-    _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
-    _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
-    # Hack: On Interix 3.x, we cannot compile PIC because of a broken gcc.
-    # Instead, shared libraries are loaded at an image base (0x10000000 by
-    # default) and relocated if they conflict, which is a slow very memory
-    # consuming and fragmenting process.  To avoid this, we pick a random,
-    # 256 KiB-aligned image base between 0x50000000 and 0x6FFC0000 at link
-    # time.  Moving up from 0x10000000 also allows more sbrk(2) space.
-    _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
-    _LT_AC_TAGVAR(archive_expsym_cmds, $1)='sed "s,^,_," $export_symbols >$output_objdir/$soname.expsym~$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--retain-symbols-file,$output_objdir/$soname.expsym ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
-    ;;
-  irix5* | irix6*)
-    case $cc_basename in
-      CC*)
-	# SGI C++
-	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -all -multigot $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
-
-	# Archives containing C++ object files must be created using
-	# "CC -ar", where "CC" is the IRIX C++ compiler.  This is
-	# necessary to make sure instantiated templates are included
-	# in the archive.
-	_LT_AC_TAGVAR(old_archive_cmds, $1)='$CC -ar -WR,-u -o $oldlib $oldobjs'
-	;;
-      *)
-	if test "$GXX" = yes; then
-	  if test "$with_gnu_ld" = no; then
-	    _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
-	  else
-	    _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` -o $lib'
-	  fi
-	fi
-	_LT_AC_TAGVAR(link_all_deplibs, $1)=yes
-	;;
-    esac
-    _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
-    _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
-    ;;
-  linux* | k*bsd*-gnu)
-    case $cc_basename in
-      KCC*)
-	# Kuck and Associates, Inc. (KAI) C++ Compiler
-
-	# KCC will only create a shared library if the output file
-	# ends with ".so" (or ".sl" for HP-UX), so rename the library
-	# to its proper name (with version) after linking.
-	_LT_AC_TAGVAR(archive_cmds, $1)='tempext=`echo $shared_ext | $SED -e '\''s/\([[^()0-9A-Za-z{}]]\)/\\\\\1/g'\''`; templib=`echo $lib | $SED -e "s/\${tempext}\..*/.so/"`; $CC $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags --soname $soname -o \$templib; mv \$templib $lib'
-	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='tempext=`echo $shared_ext | $SED -e '\''s/\([[^()0-9A-Za-z{}]]\)/\\\\\1/g'\''`; templib=`echo $lib | $SED -e "s/\${tempext}\..*/.so/"`; $CC $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags --soname $soname -o \$templib ${wl}-retain-symbols-file,$export_symbols; mv \$templib $lib'
-	# Commands to make compiler produce verbose output that lists
-	# what "hidden" libraries, object files and flags are used when
-	# linking a shared library.
-	#
-	# There doesn't appear to be a way to prevent this compiler from
-	# explicitly linking system object files so we need to strip them
-	# from the output so that they don't get included in the library
-	# dependencies.
-	output_verbose_link_cmd='templist=`$CC $CFLAGS -v conftest.$objext -o libconftest$shared_ext 2>&1 | grep "ld"`; rm -f libconftest$shared_ext; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
-
-	_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}--rpath,$libdir'
-	_LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic'
-
-	# Archives containing C++ object files must be created using
-	# "CC -Bstatic", where "CC" is the KAI C++ compiler.
-	_LT_AC_TAGVAR(old_archive_cmds, $1)='$CC -Bstatic -o $oldlib $oldobjs'
-	;;
-      icpc*)
-	# Intel C++
-	with_gnu_ld=yes
-	# version 8.0 and above of icpc choke on multiply defined symbols
-	# if we add $predep_objects and $postdep_objects, however 7.1 and
-	# earlier do not add the objects themselves.
-	case `$CC -V 2>&1` in
-	*"Version 7."*)
-  	  _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib'
-  	  _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
-	  ;;
-	*)  # Version 8.0 or newer
-	  tmp_idyn=
-	  case $host_cpu in
-	    ia64*) tmp_idyn=' -i_dynamic';;
-	  esac
-  	  _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared'"$tmp_idyn"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
-	  _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared'"$tmp_idyn"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
-	  ;;
+	    ;;
+	  *)
+	    ;;
 	esac
-	_LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
-	_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
-	_LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic'
-	_LT_AC_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive$convenience ${wl}--no-whole-archive'
 	;;
-      pgCC* | pgcpp*)
-        # Portland Group C++ compiler
-	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
-  	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname ${wl}-retain-symbols-file ${wl}$export_symbols -o $lib'
-
-	_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}--rpath ${wl}$libdir'
-	_LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic'
-	_LT_AC_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}--no-whole-archive'
-        ;;
-      cxx*)
-	# Compaq C++
-	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib'
-	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname  -o $lib ${wl}-retain-symbols-file $wl$export_symbols'
-
-	runpath_var=LD_RUN_PATH
-	_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-rpath $libdir'
-	_LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
-
-	# Commands to make compiler produce verbose output that lists
-	# what "hidden" libraries, object files and flags are used when
-	# linking a shared library.
-	#
-	# There doesn't appear to be a way to prevent this compiler from
-	# explicitly linking system object files so we need to strip them
-	# from the output so that they don't get included in the library
-	# dependencies.
-	output_verbose_link_cmd='templist=`$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "ld"`; templist=`echo $templist | $SED "s/\(^.*ld.*\)\( .*ld .*$\)/\1/"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
+      interix*)
+	# This is c89, which is MS Visual C++ (no shared libs)
+	# Anyone wants to do a port?
 	;;
-      *)
-	case `$CC -V 2>&1 | sed 5q` in
-	*Sun\ C*)
-	  # Sun C++ 5.9
-	  _LT_AC_TAGVAR(no_undefined_flag, $1)=' -zdefs'
-	  _LT_AC_TAGVAR(archive_cmds, $1)='$CC -G${allow_undefined_flag} -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
-	  _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -G${allow_undefined_flag} -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-retain-symbols-file ${wl}$export_symbols'
-	  _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
-	  _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`new_convenience=; for conv in $convenience\"\"; do test -z \"$conv\" || new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}--no-whole-archive'
-
-	  # Not sure whether something based on
-	  # $CC $CFLAGS -v conftest.$objext -o libconftest$shared_ext 2>&1
-	  # would be better.
-	  output_verbose_link_cmd='echo'
-
-	  # Archives containing C++ object files must be created using
-	  # "CC -xar", where "CC" is the Sun C++ compiler.  This is
-	  # necessary to make sure instantiated templates are included
-	  # in the archive.
-	  _LT_AC_TAGVAR(old_archive_cmds, $1)='$CC -xar -o $oldlib $oldobjs'
-	  ;;
+      irix5* | irix6* | nonstopux*)
+	case $cc_basename in
+	  CC*)
+	    _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+	    _LT_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
+	    # CC pic flag -KPIC is the default.
+	    ;;
+	  *)
+	    ;;
 	esac
 	;;
-    esac
-    ;;
-  lynxos*)
-    # FIXME: insert proper C++ library support
-    _LT_AC_TAGVAR(ld_shlibs, $1)=no
-    ;;
-  m88k*)
-    # FIXME: insert proper C++ library support
-    _LT_AC_TAGVAR(ld_shlibs, $1)=no
-    ;;
-  mvs*)
-    case $cc_basename in
-      cxx*)
-	# FIXME: insert proper C++ library support
-	_LT_AC_TAGVAR(ld_shlibs, $1)=no
-	;;
-      *)
-	# FIXME: insert proper C++ library support
-	_LT_AC_TAGVAR(ld_shlibs, $1)=no
-	;;
-    esac
-    ;;
-  netbsd* | netbsdelf*-gnu)
-    if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
-      _LT_AC_TAGVAR(archive_cmds, $1)='$LD -Bshareable  -o $lib $predep_objects $libobjs $deplibs $postdep_objects $linker_flags'
-      wlarc=
-      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
-      _LT_AC_TAGVAR(hardcode_direct, $1)=yes
-      _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
-    fi
-    # Workaround some broken pre-1.5 toolchains
-    output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep conftest.$objext | $SED -e "s:-lgcc -lc -lgcc::"'
-    ;;
-  openbsd2*)
-    # C++ shared libraries are fairly broken
-    _LT_AC_TAGVAR(ld_shlibs, $1)=no
-    ;;
-  openbsd*)
-    if test -f /usr/libexec/ld.so; then
-      _LT_AC_TAGVAR(hardcode_direct, $1)=yes
-      _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
-      _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $lib'
-      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
-      if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
-	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-retain-symbols-file,$export_symbols -o $lib'
-	_LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
-	_LT_AC_TAGVAR(whole_archive_flag_spec, $1)="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive'
-      fi
-      output_verbose_link_cmd='echo'
-    else
-      _LT_AC_TAGVAR(ld_shlibs, $1)=no
-    fi
-    ;;
-  osf3*)
-    case $cc_basename in
-      KCC*)
-	# Kuck and Associates, Inc. (KAI) C++ Compiler
-
-	# KCC will only create a shared library if the output file
-	# ends with ".so" (or ".sl" for HP-UX), so rename the library
-	# to its proper name (with version) after linking.
-	_LT_AC_TAGVAR(archive_cmds, $1)='tempext=`echo $shared_ext | $SED -e '\''s/\([[^()0-9A-Za-z{}]]\)/\\\\\1/g'\''`; templib=`echo $lib | $SED -e "s/\${tempext}\..*/.so/"`; $CC $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags --soname $soname -o \$templib; mv \$templib $lib'
-
-	_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
-	_LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
-
-	# Archives containing C++ object files must be created using
-	# "CC -Bstatic", where "CC" is the KAI C++ compiler.
-	_LT_AC_TAGVAR(old_archive_cmds, $1)='$CC -Bstatic -o $oldlib $oldobjs'
-
-	;;
-      RCC*)
-	# Rational C++ 2.4.1
-	# FIXME: insert proper C++ library support
-	_LT_AC_TAGVAR(ld_shlibs, $1)=no
-	;;
-      cxx*)
-	_LT_AC_TAGVAR(allow_undefined_flag, $1)=' ${wl}-expect_unresolved ${wl}\*'
-	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $soname `test -n "$verstring" && echo ${wl}-set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
-
-	_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
-	_LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
-
-	# Commands to make compiler produce verbose output that lists
-	# what "hidden" libraries, object files and flags are used when
-	# linking a shared library.
-	#
-	# There doesn't appear to be a way to prevent this compiler from
-	# explicitly linking system object files so we need to strip them
-	# from the output so that they don't get included in the library
-	# dependencies.
-	output_verbose_link_cmd='templist=`$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "ld" | grep -v "ld:"`; templist=`echo $templist | $SED "s/\(^.*ld.*\)\( .*ld.*$\)/\1/"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
-	;;
-      *)
-	if test "$GXX" = yes && test "$with_gnu_ld" = no; then
-	  _LT_AC_TAGVAR(allow_undefined_flag, $1)=' ${wl}-expect_unresolved ${wl}\*'
-	  _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib ${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
-
-	  _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
-	  _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
-
-	  # Commands to make compiler produce verbose output that lists
-	  # what "hidden" libraries, object files and flags are used when
-	  # linking a shared library.
-	  output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "\-L"'
-
-	else
-	  # FIXME: insert proper C++ library support
-	  _LT_AC_TAGVAR(ld_shlibs, $1)=no
-	fi
-	;;
-    esac
-    ;;
-  osf4* | osf5*)
-    case $cc_basename in
-      KCC*)
-	# Kuck and Associates, Inc. (KAI) C++ Compiler
-
-	# KCC will only create a shared library if the output file
-	# ends with ".so" (or ".sl" for HP-UX), so rename the library
-	# to its proper name (with version) after linking.
-	_LT_AC_TAGVAR(archive_cmds, $1)='tempext=`echo $shared_ext | $SED -e '\''s/\([[^()0-9A-Za-z{}]]\)/\\\\\1/g'\''`; templib=`echo $lib | $SED -e "s/\${tempext}\..*/.so/"`; $CC $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags --soname $soname -o \$templib; mv \$templib $lib'
-
-	_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
-	_LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
-
-	# Archives containing C++ object files must be created using
-	# the KAI C++ compiler.
-	_LT_AC_TAGVAR(old_archive_cmds, $1)='$CC -o $oldlib $oldobjs'
+      linux* | k*bsd*-gnu)
+	case $cc_basename in
+	  KCC*)
+	    # KAI C++ Compiler
+	    _LT_TAGVAR(lt_prog_compiler_wl, $1)='--backend -Wl,'
+	    _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
+	    ;;
+	  icpc* | ecpc* )
+	    # Intel C++
+	    _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+	    _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+	    _LT_TAGVAR(lt_prog_compiler_static, $1)='-static'
+	    ;;
+	  pgCC* | pgcpp*)
+	    # Portland Group C++ compiler
+	    _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+	    _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fpic'
+	    _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+	    ;;
+	  cxx*)
+	    # Compaq C++
+	    # Make sure the PIC flag is empty.  It appears that all Alpha
+	    # Linux and Compaq Tru64 Unix objects are PIC.
+	    _LT_TAGVAR(lt_prog_compiler_pic, $1)=
+	    _LT_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
+	    ;;
+	  xlc* | xlC*)
+	    # IBM XL 8.0 on PPC
+	    _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+	    _LT_TAGVAR(lt_prog_compiler_pic, $1)='-qpic'
+	    _LT_TAGVAR(lt_prog_compiler_static, $1)='-qstaticlink'
+	    ;;
+	  *)
+	    case `$CC -V 2>&1 | sed 5q` in
+	    *Sun\ C*)
+	      # Sun C++ 5.9
+	      _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+	      _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+	      _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Qoption ld '
+	      ;;
+	    esac
+	    ;;
+	esac
 	;;
-      RCC*)
-	# Rational C++ 2.4.1
-	# FIXME: insert proper C++ library support
-	_LT_AC_TAGVAR(ld_shlibs, $1)=no
+      lynxos*)
 	;;
-      cxx*)
-	_LT_AC_TAGVAR(allow_undefined_flag, $1)=' -expect_unresolved \*'
-	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -msym -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
-	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='for i in `cat $export_symbols`; do printf "%s %s\\n" -exported_symbol "\$i" >> $lib.exp; done~
-	  echo "-hidden">> $lib.exp~
-	  $CC -shared$allow_undefined_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -msym -soname $soname -Wl,-input -Wl,$lib.exp  `test -n "$verstring" && echo -set_version	$verstring` -update_registry ${output_objdir}/so_locations -o $lib~
-	  $rm $lib.exp'
-
-	_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-rpath $libdir'
-	_LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
-
-	# Commands to make compiler produce verbose output that lists
-	# what "hidden" libraries, object files and flags are used when
-	# linking a shared library.
-	#
-	# There doesn't appear to be a way to prevent this compiler from
-	# explicitly linking system object files so we need to strip them
-	# from the output so that they don't get included in the library
-	# dependencies.
-	output_verbose_link_cmd='templist=`$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "ld" | grep -v "ld:"`; templist=`echo $templist | $SED "s/\(^.*ld.*\)\( .*ld.*$\)/\1/"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
+      m88k*)
 	;;
-      *)
-	if test "$GXX" = yes && test "$with_gnu_ld" = no; then
-	  _LT_AC_TAGVAR(allow_undefined_flag, $1)=' ${wl}-expect_unresolved ${wl}\*'
-	 _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib ${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-msym ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
-
-	  _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
-	  _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
-
-	  # Commands to make compiler produce verbose output that lists
-	  # what "hidden" libraries, object files and flags are used when
-	  # linking a shared library.
-	  output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "\-L"'
-
-	else
-	  # FIXME: insert proper C++ library support
-	  _LT_AC_TAGVAR(ld_shlibs, $1)=no
-	fi
+      mvs*)
+	case $cc_basename in
+	  cxx*)
+	    _LT_TAGVAR(lt_prog_compiler_pic, $1)='-W c,exportall'
+	    ;;
+	  *)
+	    ;;
+	esac
 	;;
-    esac
-    ;;
-  psos*)
-    # FIXME: insert proper C++ library support
-    _LT_AC_TAGVAR(ld_shlibs, $1)=no
-    ;;
-  sunos4*)
-    case $cc_basename in
-      CC*)
-	# Sun C++ 4.x
-	# FIXME: insert proper C++ library support
-	_LT_AC_TAGVAR(ld_shlibs, $1)=no
+      netbsd* | netbsdelf*-gnu)
 	;;
-      lcc*)
-	# Lucid
-	# FIXME: insert proper C++ library support
-	_LT_AC_TAGVAR(ld_shlibs, $1)=no
+      *qnx* | *nto*)
+        # QNX uses GNU C++, but need to define -shared option too, otherwise
+        # it will coredump.
+        _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC -shared'
+        ;;
+      osf3* | osf4* | osf5*)
+	case $cc_basename in
+	  KCC*)
+	    _LT_TAGVAR(lt_prog_compiler_wl, $1)='--backend -Wl,'
+	    ;;
+	  RCC*)
+	    # Rational C++ 2.4.1
+	    _LT_TAGVAR(lt_prog_compiler_pic, $1)='-pic'
+	    ;;
+	  cxx*)
+	    # Digital/Compaq C++
+	    _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+	    # Make sure the PIC flag is empty.  It appears that all Alpha
+	    # Linux and Compaq Tru64 Unix objects are PIC.
+	    _LT_TAGVAR(lt_prog_compiler_pic, $1)=
+	    _LT_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
+	    ;;
+	  *)
+	    ;;
+	esac
 	;;
-      *)
-	# FIXME: insert proper C++ library support
-	_LT_AC_TAGVAR(ld_shlibs, $1)=no
+      psos*)
 	;;
-    esac
-    ;;
-  solaris*)
-    case $cc_basename in
-      CC*)
-	# Sun C++ 4.2, 5.x and Centerline C++
-        _LT_AC_TAGVAR(archive_cmds_need_lc,$1)=yes
-	_LT_AC_TAGVAR(no_undefined_flag, $1)=' -zdefs'
-	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -G${allow_undefined_flag}  -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
-	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
-	$CC -G${allow_undefined_flag}  ${wl}-M ${wl}$lib.exp -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~$rm $lib.exp'
-
-	_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
-	_LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
-	case $host_os in
-	  solaris2.[[0-5]] | solaris2.[[0-5]].*) ;;
+      solaris*)
+	case $cc_basename in
+	  CC*)
+	    # Sun C++ 4.2, 5.x and Centerline C++
+	    _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+	    _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+	    _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Qoption ld '
+	    ;;
+	  gcx*)
+	    # Green Hills C++ Compiler
+	    _LT_TAGVAR(lt_prog_compiler_pic, $1)='-PIC'
+	    ;;
 	  *)
-	    # The compiler driver will combine and reorder linker options,
-	    # but understands `-z linker_flag'.
-	    # Supported since Solaris 2.6 (maybe 2.5.1?)
-	    _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='-z allextract$convenience -z defaultextract'
 	    ;;
 	esac
-	_LT_AC_TAGVAR(link_all_deplibs, $1)=yes
-
-	output_verbose_link_cmd='echo'
-
-	# Archives containing C++ object files must be created using
-	# "CC -xar", where "CC" is the Sun C++ compiler.  This is
-	# necessary to make sure instantiated templates are included
-	# in the archive.
-	_LT_AC_TAGVAR(old_archive_cmds, $1)='$CC -xar -o $oldlib $oldobjs'
-	;;
-      gcx*)
-	# Green Hills C++ Compiler
-	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-h $wl$soname -o $lib'
-
-	# The C++ compiler must be used to create the archive.
-	_LT_AC_TAGVAR(old_archive_cmds, $1)='$CC $LDFLAGS -archive -o $oldlib $oldobjs'
 	;;
-      *)
-	# GNU C++ compiler with Solaris linker
-	if test "$GXX" = yes && test "$with_gnu_ld" = no; then
-	  _LT_AC_TAGVAR(no_undefined_flag, $1)=' ${wl}-z ${wl}defs'
-	  if $CC --version | grep -v '^2\.7' > /dev/null; then
-	    _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $LDFLAGS $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-h $wl$soname -o $lib'
-	    _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
-		$CC -shared -nostdlib ${wl}-M $wl$lib.exp -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~$rm $lib.exp'
-
-	    # Commands to make compiler produce verbose output that lists
-	    # what "hidden" libraries, object files and flags are used when
-	    # linking a shared library.
-	    output_verbose_link_cmd="$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep \"\-L\""
-	  else
-	    # g++ 2.7 appears to require `-G' NOT `-shared' on this
-	    # platform.
-	    _LT_AC_TAGVAR(archive_cmds, $1)='$CC -G -nostdlib $LDFLAGS $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-h $wl$soname -o $lib'
-	    _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
-		$CC -G -nostdlib ${wl}-M $wl$lib.exp -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~$rm $lib.exp'
-
-	    # Commands to make compiler produce verbose output that lists
-	    # what "hidden" libraries, object files and flags are used when
-	    # linking a shared library.
-	    output_verbose_link_cmd="$CC -G $CFLAGS -v conftest.$objext 2>&1 | grep \"\-L\""
-	  fi
-
-	  _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-R $wl$libdir'
-	  case $host_os in
-	  solaris2.[[0-5]] | solaris2.[[0-5]].*) ;;
+      sunos4*)
+	case $cc_basename in
+	  CC*)
+	    # Sun C++ 4.x
+	    _LT_TAGVAR(lt_prog_compiler_pic, $1)='-pic'
+	    _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+	    ;;
+	  lcc*)
+	    # Lucid
+	    _LT_TAGVAR(lt_prog_compiler_pic, $1)='-pic'
+	    ;;
 	  *)
-	    _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='${wl}-z ${wl}allextract$convenience ${wl}-z ${wl}defaultextract'
 	    ;;
-	  esac
-	fi
+	esac
 	;;
-    esac
-    ;;
-  sysv4*uw2* | sysv5OpenUNIX* | sysv5UnixWare7.[[01]].[[10]]* | unixware7* | sco3.2v5.0.[[024]]*)
-    _LT_AC_TAGVAR(no_undefined_flag, $1)='${wl}-z,text'
-    _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
-    _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
-    runpath_var='LD_RUN_PATH'
-
-    case $cc_basename in
-      CC*)
-	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -G ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
-	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+      sysv5* | unixware* | sco3.2v5* | sco5v6* | OpenUNIX*)
+	case $cc_basename in
+	  CC*)
+	    _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+	    _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+	    _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+	    ;;
+	esac
 	;;
-      *)
-	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
-	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+      tandem*)
+	case $cc_basename in
+	  NCC*)
+	    # NonStop-UX NCC 3.20
+	    _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+	    ;;
+	  *)
+	    ;;
+	esac
 	;;
-    esac
-    ;;
-  sysv5* | sco3.2v5* | sco5v6*)
-    # Note: We can NOT use -z defs as we might desire, because we do not
-    # link with -lc, and that would cause any symbols used from libc to
-    # always be unresolved, which means just about no library would
-    # ever link correctly.  If we're not using GNU ld we use -z text
-    # though, which does catch some bad symbols but isn't as heavy-handed
-    # as -z defs.
-    # For security reasons, it is highly recommended that you always
-    # use absolute paths for naming shared libraries, and exclude the
-    # DT_RUNPATH tag from executables and libraries.  But doing so
-    # requires that you compile everything twice, which is a pain.
-    # So that behaviour is only enabled if SCOABSPATH is set to a
-    # non-empty value in the environment.  Most likely only useful for
-    # creating official distributions of packages.
-    # This is a hack until libtool officially supports absolute path
-    # names for shared libraries.
-    _LT_AC_TAGVAR(no_undefined_flag, $1)='${wl}-z,text'
-    _LT_AC_TAGVAR(allow_undefined_flag, $1)='${wl}-z,nodefs'
-    _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
-    _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
-    _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='`test -z "$SCOABSPATH" && echo ${wl}-R,$libdir`'
-    _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=':'
-    _LT_AC_TAGVAR(link_all_deplibs, $1)=yes
-    _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-Bexport'
-    runpath_var='LD_RUN_PATH'
-
-    case $cc_basename in
-      CC*)
-	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -G ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
-	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
+      vxworks*)
 	;;
       *)
-	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
-	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
+	_LT_TAGVAR(lt_prog_compiler_can_build_shared, $1)=no
 	;;
     esac
-    ;;
-  tandem*)
-    case $cc_basename in
-      NCC*)
-	# NonStop-UX NCC 3.20
-	# FIXME: insert proper C++ library support
-	_LT_AC_TAGVAR(ld_shlibs, $1)=no
-	;;
-      *)
-	# FIXME: insert proper C++ library support
-	_LT_AC_TAGVAR(ld_shlibs, $1)=no
-	;;
-    esac
-    ;;
-  vxworks*)
-    # FIXME: insert proper C++ library support
-    _LT_AC_TAGVAR(ld_shlibs, $1)=no
-    ;;
-  *)
-    # FIXME: insert proper C++ library support
-    _LT_AC_TAGVAR(ld_shlibs, $1)=no
-    ;;
-esac
-AC_MSG_RESULT([$_LT_AC_TAGVAR(ld_shlibs, $1)])
-test "$_LT_AC_TAGVAR(ld_shlibs, $1)" = no && can_build_shared=no
+  fi
+],
+[
+  if test "$GCC" = yes; then
+    _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+    _LT_TAGVAR(lt_prog_compiler_static, $1)='-static'
 
-_LT_AC_TAGVAR(GCC, $1)="$GXX"
-_LT_AC_TAGVAR(LD, $1)="$LD"
+    case $host_os in
+      aix*)
+      # All AIX code is PIC.
+      if test "$host_cpu" = ia64; then
+	# AIX 5 now supports IA64 processor
+	_LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+      fi
+      ;;
 
-AC_LIBTOOL_POSTDEP_PREDEP($1)
-AC_LIBTOOL_PROG_COMPILER_PIC($1)
-AC_LIBTOOL_PROG_CC_C_O($1)
-AC_LIBTOOL_SYS_HARD_LINK_LOCKS($1)
-AC_LIBTOOL_PROG_LD_SHLIBS($1)
-AC_LIBTOOL_SYS_DYNAMIC_LINKER($1)
-AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH($1)
+    amigaos*)
+      case $host_cpu in
+      powerpc)
+            # see comment about AmigaOS4 .so support
+            _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
+        ;;
+      m68k)
+            # FIXME: we need at least 68020 code to build shared libraries, but
+            # adding the `-m68020' flag to GCC prevents building anything better,
+            # like `-m68040'.
+            _LT_TAGVAR(lt_prog_compiler_pic, $1)='-m68020 -resident32 -malways-restore-a4'
+        ;;
+      esac
+      ;;
 
-AC_LIBTOOL_CONFIG($1)
+    beos* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*)
+      # PIC is the default for these OSes.
+      ;;
 
-AC_LANG_POP
-CC=$lt_save_CC
-LDCXX=$LD
-LD=$lt_save_LD
-GCC=$lt_save_GCC
-with_gnu_ldcxx=$with_gnu_ld
-with_gnu_ld=$lt_save_with_gnu_ld
-lt_cv_path_LDCXX=$lt_cv_path_LD
-lt_cv_path_LD=$lt_save_path_LD
-lt_cv_prog_gnu_ldcxx=$lt_cv_prog_gnu_ld
-lt_cv_prog_gnu_ld=$lt_save_with_gnu_ld
-])# AC_LIBTOOL_LANG_CXX_CONFIG
-
-# AC_LIBTOOL_POSTDEP_PREDEP([TAGNAME])
-# ------------------------------------
-# Figure out "hidden" library dependencies from verbose
-# compiler output when linking a shared library.
-# Parse the compiler output and extract the necessary
-# objects, libraries and library flags.
-AC_DEFUN([AC_LIBTOOL_POSTDEP_PREDEP],
-[AC_REQUIRE([LT_AC_PROG_SED])dnl
-dnl we can't use the lt_simple_compile_test_code here,
-dnl because it contains code intended for an executable,
-dnl not a library.  It's possible we should let each
-dnl tag define a new lt_????_link_test_code variable,
-dnl but it's only used here...
-ifelse([$1],[],[cat > conftest.$ac_ext <<EOF
-int a;
-void foo (void) { a = 0; }
-EOF
-],[$1],[CXX],[cat > conftest.$ac_ext <<EOF
-class Foo
-{
-public:
-  Foo (void) { a = 0; }
-private:
-  int a;
-};
-EOF
-],[$1],[F77],[cat > conftest.$ac_ext <<EOF
-      subroutine foo
-      implicit none
-      integer*4 a
-      a=0
-      return
-      end
-EOF
-],[$1],[GCJ],[cat > conftest.$ac_ext <<EOF
-public class foo {
-  private int a;
-  public void bar (void) {
-    a = 0;
-  }
-};
-EOF
-])
-dnl Parse the compiler output and extract the necessary
-dnl objects, libraries and library flags.
-if AC_TRY_EVAL(ac_compile); then
-  # Parse the compiler output and extract the necessary
-  # objects, libraries and library flags.
+    mingw* | cygwin* | pw32* | os2*)
+      # This hack is so that the source file can tell whether it is being
+      # built for inclusion in a dll (and should export symbols for example).
+      # Although the cygwin gcc ignores -fPIC, still need this for old-style
+      # (--disable-auto-import) libraries
+      m4_if([$1], [GCJ], [],
+	[_LT_TAGVAR(lt_prog_compiler_pic, $1)='-DDLL_EXPORT'])
+      ;;
 
-  # Sentinel used to keep track of whether or not we are before
-  # the conftest object file.
-  pre_test_object_deps_done=no
+    darwin* | rhapsody*)
+      # PIC is the default on this platform
+      # Common symbols not allowed in MH_DYLIB files
+      _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fno-common'
+      ;;
 
-  # The `*' in the case matches for architectures that use `case' in
-  # $output_verbose_cmd can trigger glob expansion during the loop
-  # eval without this substitution.
-  output_verbose_link_cmd=`$echo "X$output_verbose_link_cmd" | $Xsed -e "$no_glob_subst"`
+    hpux*)
+      # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but
+      # not for PA HP-UX.
+      case $host_cpu in
+      hppa*64*|ia64*)
+	# +Z the default
+	;;
+      *)
+	_LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
+	;;
+      esac
+      ;;
 
-  for p in `eval $output_verbose_link_cmd`; do
-    case $p in
+    interix[[3-9]]*)
+      # Interix 3.x gcc -fpic/-fPIC options generate broken code.
+      # Instead, we relocate shared libraries at runtime.
+      ;;
 
-    -L* | -R* | -l*)
-       # Some compilers place space between "-{L,R}" and the path.
-       # Remove the space.
-       if test $p = "-L" \
-	  || test $p = "-R"; then
-	 prev=$p
-	 continue
-       else
-	 prev=
-       fi
+    msdosdjgpp*)
+      # Just because we use GCC doesn't mean we suddenly get shared libraries
+      # on systems that don't support them.
+      _LT_TAGVAR(lt_prog_compiler_can_build_shared, $1)=no
+      enable_shared=no
+      ;;
 
-       if test "$pre_test_object_deps_done" = no; then
-	 case $p in
-	 -L* | -R*)
-	   # Internal compiler library paths should come after those
-	   # provided the user.  The postdeps already come after the
-	   # user supplied libs so there is no need to process them.
-	   if test -z "$_LT_AC_TAGVAR(compiler_lib_search_path, $1)"; then
-	     _LT_AC_TAGVAR(compiler_lib_search_path, $1)="${prev}${p}"
-	   else
-	     _LT_AC_TAGVAR(compiler_lib_search_path, $1)="${_LT_AC_TAGVAR(compiler_lib_search_path, $1)} ${prev}${p}"
-	   fi
-	   ;;
-	 # The "-l" case would never come before the object being
-	 # linked, so don't bother handling this case.
-	 esac
-       else
-	 if test -z "$_LT_AC_TAGVAR(postdeps, $1)"; then
-	   _LT_AC_TAGVAR(postdeps, $1)="${prev}${p}"
-	 else
-	   _LT_AC_TAGVAR(postdeps, $1)="${_LT_AC_TAGVAR(postdeps, $1)} ${prev}${p}"
-	 fi
-       fi
-       ;;
+    *nto* | *qnx*)
+      # QNX uses GNU C++, but need to define -shared option too, otherwise
+      # it will coredump.
+      _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC -shared'
+      ;;
 
-    *.$objext)
-       # This assumes that the test object file only shows up
-       # once in the compiler output.
-       if test "$p" = "conftest.$objext"; then
-	 pre_test_object_deps_done=yes
-	 continue
-       fi
+    sysv4*MP*)
+      if test -d /usr/nec; then
+	_LT_TAGVAR(lt_prog_compiler_pic, $1)=-Kconform_pic
+      fi
+      ;;
 
-       if test "$pre_test_object_deps_done" = no; then
-	 if test -z "$_LT_AC_TAGVAR(predep_objects, $1)"; then
-	   _LT_AC_TAGVAR(predep_objects, $1)="$p"
-	 else
-	   _LT_AC_TAGVAR(predep_objects, $1)="$_LT_AC_TAGVAR(predep_objects, $1) $p"
-	 fi
-       else
-	 if test -z "$_LT_AC_TAGVAR(postdep_objects, $1)"; then
-	   _LT_AC_TAGVAR(postdep_objects, $1)="$p"
-	 else
-	   _LT_AC_TAGVAR(postdep_objects, $1)="$_LT_AC_TAGVAR(postdep_objects, $1) $p"
-	 fi
-       fi
-       ;;
+    *)
+      _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
+      ;;
+    esac
+  else
+    # PORTME Check for flag to pass linker flags through the system compiler.
+    case $host_os in
+    aix*)
+      _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+      if test "$host_cpu" = ia64; then
+	# AIX 5 now supports IA64 processor
+	_LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+      else
+	_LT_TAGVAR(lt_prog_compiler_static, $1)='-bnso -bI:/lib/syscalls.exp'
+      fi
+      ;;
 
-    *) ;; # Ignore the rest.
+    mingw* | cygwin* | pw32* | os2*)
+      # This hack is so that the source file can tell whether it is being
+      # built for inclusion in a dll (and should export symbols for example).
+      m4_if([$1], [GCJ], [],
+	[_LT_TAGVAR(lt_prog_compiler_pic, $1)='-DDLL_EXPORT'])
+      ;;
 
-    esac
-  done
+    hpux9* | hpux10* | hpux11*)
+      _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+      # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but
+      # not for PA HP-UX.
+      case $host_cpu in
+      hppa*64*|ia64*)
+	# +Z the default
+	;;
+      *)
+	_LT_TAGVAR(lt_prog_compiler_pic, $1)='+Z'
+	;;
+      esac
+      # Is there a better lt_prog_compiler_static that works with the bundled CC?
+      _LT_TAGVAR(lt_prog_compiler_static, $1)='${wl}-a ${wl}archive'
+      ;;
 
-  # Clean up.
-  rm -f a.out a.exe
-else
-  echo "libtool.m4: error: problem compiling $1 test program"
-fi
+    irix5* | irix6* | nonstopux*)
+      _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+      # PIC (with -KPIC) is the default.
+      _LT_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
+      ;;
 
-$rm -f confest.$objext
+    linux* | k*bsd*-gnu)
+      case $cc_basename in
+      icc* | ecc* | ifort*)
+	_LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+	_LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+	_LT_TAGVAR(lt_prog_compiler_static, $1)='-static'
+        ;;
+      pgcc* | pgf77* | pgf90* | pgf95*)
+        # Portland Group compilers (*not* the Pentium gcc compiler,
+	# which looks to be a dead project)
+	_LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+	_LT_TAGVAR(lt_prog_compiler_pic, $1)='-fpic'
+	_LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+        ;;
+      ccc*)
+        _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+        # All Alpha code is PIC.
+        _LT_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
+        ;;
+      xl*)
+	# IBM XL C 8.0/Fortran 10.1 on PPC
+	_LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+	_LT_TAGVAR(lt_prog_compiler_pic, $1)='-qpic'
+	_LT_TAGVAR(lt_prog_compiler_static, $1)='-qstaticlink'
+	;;
+      *)
+	case `$CC -V 2>&1 | sed 5q` in
+	*Sun\ C*)
+	  # Sun C 5.9
+	  _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+	  _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+	  _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+	  ;;
+	*Sun\ F*)
+	  # Sun Fortran 8.3 passes all unrecognized flags to the linker
+	  _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+	  _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+	  _LT_TAGVAR(lt_prog_compiler_wl, $1)=''
+	  ;;
+	esac
+	;;
+      esac
+      ;;
 
-_LT_AC_TAGVAR(compiler_lib_search_dirs, $1)=
-if test -n "$_LT_AC_TAGVAR(compiler_lib_search_path, $1)"; then
-  _LT_AC_TAGVAR(compiler_lib_search_dirs, $1)=`echo " ${_LT_AC_TAGVAR(compiler_lib_search_path, $1)}" | ${SED} -e 's! -L! !g' -e 's!^ !!'`
-fi
+    newsos6)
+      _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+      _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+      ;;
 
-# PORTME: override above test on systems where it is broken
-ifelse([$1],[CXX],
-[case $host_os in
-interix[[3-9]]*)
-  # Interix 3.5 installs completely hosed .la files for C++, so rather than
-  # hack all around it, let's just trust "g++" to DTRT.
-  _LT_AC_TAGVAR(predep_objects,$1)=
-  _LT_AC_TAGVAR(postdep_objects,$1)=
-  _LT_AC_TAGVAR(postdeps,$1)=
-  ;;
+    *nto* | *qnx*)
+      # QNX uses GNU C++, but need to define -shared option too, otherwise
+      # it will coredump.
+      _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC -shared'
+      ;;
 
-linux*)
-  case `$CC -V 2>&1 | sed 5q` in
-  *Sun\ C*)
-    # Sun C++ 5.9
-    #
-    # The more standards-conforming stlport4 library is
-    # incompatible with the Cstd library. Avoid specifying
-    # it if it's in CXXFLAGS. Ignore libCrun as
-    # -library=stlport4 depends on it.
-    case " $CXX $CXXFLAGS " in
-    *" -library=stlport4 "*)
-      solaris_use_stlport4=yes
+    osf3* | osf4* | osf5*)
+      _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+      # All OSF/1 code is PIC.
+      _LT_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
       ;;
-    esac
-    if test "$solaris_use_stlport4" != yes; then
-      _LT_AC_TAGVAR(postdeps,$1)='-library=Cstd -library=Crun'
-    fi
-    ;;
-  esac
-  ;;
 
-solaris*)
-  case $cc_basename in
-  CC*)
-    # The more standards-conforming stlport4 library is
-    # incompatible with the Cstd library. Avoid specifying
-    # it if it's in CXXFLAGS. Ignore libCrun as
-    # -library=stlport4 depends on it.
-    case " $CXX $CXXFLAGS " in
-    *" -library=stlport4 "*)
-      solaris_use_stlport4=yes
+    rdos*)
+      _LT_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
       ;;
-    esac
 
-    # Adding this requires a known-good setup of shared libraries for
-    # Sun compiler versions before 5.6, else PIC objects from an old
-    # archive will be linked into the output, leading to subtle bugs.
-    if test "$solaris_use_stlport4" != yes; then
-      _LT_AC_TAGVAR(postdeps,$1)='-library=Cstd -library=Crun'
-    fi
-    ;;
-  esac
-  ;;
-esac
-])
-case " $_LT_AC_TAGVAR(postdeps, $1) " in
-*" -lc "*) _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no ;;
-esac
-])# AC_LIBTOOL_POSTDEP_PREDEP
-
-# AC_LIBTOOL_LANG_F77_CONFIG
-# --------------------------
-# Ensure that the configuration vars for the C compiler are
-# suitably defined.  Those variables are subsequently used by
-# AC_LIBTOOL_CONFIG to write the compiler configuration to `libtool'.
-AC_DEFUN([AC_LIBTOOL_LANG_F77_CONFIG], [_LT_AC_LANG_F77_CONFIG(F77)])
-AC_DEFUN([_LT_AC_LANG_F77_CONFIG],
-[AC_REQUIRE([AC_PROG_F77])
-AC_LANG_PUSH(Fortran 77)
+    solaris*)
+      _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+      _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+      case $cc_basename in
+      f77* | f90* | f95*)
+	_LT_TAGVAR(lt_prog_compiler_wl, $1)='-Qoption ld ';;
+      *)
+	_LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,';;
+      esac
+      ;;
 
-_LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
-_LT_AC_TAGVAR(allow_undefined_flag, $1)=
-_LT_AC_TAGVAR(always_export_symbols, $1)=no
-_LT_AC_TAGVAR(archive_expsym_cmds, $1)=
-_LT_AC_TAGVAR(export_dynamic_flag_spec, $1)=
-_LT_AC_TAGVAR(hardcode_direct, $1)=no
-_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)=
-_LT_AC_TAGVAR(hardcode_libdir_flag_spec_ld, $1)=
-_LT_AC_TAGVAR(hardcode_libdir_separator, $1)=
-_LT_AC_TAGVAR(hardcode_minus_L, $1)=no
-_LT_AC_TAGVAR(hardcode_automatic, $1)=no
-_LT_AC_TAGVAR(module_cmds, $1)=
-_LT_AC_TAGVAR(module_expsym_cmds, $1)=
-_LT_AC_TAGVAR(link_all_deplibs, $1)=unknown
-_LT_AC_TAGVAR(old_archive_cmds, $1)=$old_archive_cmds
-_LT_AC_TAGVAR(no_undefined_flag, $1)=
-_LT_AC_TAGVAR(whole_archive_flag_spec, $1)=
-_LT_AC_TAGVAR(enable_shared_with_static_runtimes, $1)=no
+    sunos4*)
+      _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Qoption ld '
+      _LT_TAGVAR(lt_prog_compiler_pic, $1)='-PIC'
+      _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+      ;;
 
-# Source file extension for f77 test sources.
-ac_ext=f
+    sysv4 | sysv4.2uw2* | sysv4.3*)
+      _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+      _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+      _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+      ;;
 
-# Object file extension for compiled f77 test sources.
-objext=o
-_LT_AC_TAGVAR(objext, $1)=$objext
+    sysv4*MP*)
+      if test -d /usr/nec ;then
+	_LT_TAGVAR(lt_prog_compiler_pic, $1)='-Kconform_pic'
+	_LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+      fi
+      ;;
 
-# Code to be used in simple compile tests
-lt_simple_compile_test_code="\
-      subroutine t
-      return
-      end
-"
+    sysv5* | unixware* | sco3.2v5* | sco5v6* | OpenUNIX*)
+      _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+      _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+      _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+      ;;
 
-# Code to be used in simple link tests
-lt_simple_link_test_code="\
-      program t
-      end
-"
+    unicos*)
+      _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+      _LT_TAGVAR(lt_prog_compiler_can_build_shared, $1)=no
+      ;;
 
-# ltmain only uses $CC for tagged configurations so make sure $CC is set.
-_LT_AC_SYS_COMPILER
+    uts4*)
+      _LT_TAGVAR(lt_prog_compiler_pic, $1)='-pic'
+      _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+      ;;
 
-# save warnings/boilerplate of simple test code
-_LT_COMPILER_BOILERPLATE
-_LT_LINKER_BOILERPLATE
+    *)
+      _LT_TAGVAR(lt_prog_compiler_can_build_shared, $1)=no
+      ;;
+    esac
+  fi
+])
+case $host_os in
+  # For platforms which do not support PIC, -DPIC is meaningless:
+  *djgpp*)
+    _LT_TAGVAR(lt_prog_compiler_pic, $1)=
+    ;;
+  *)
+    _LT_TAGVAR(lt_prog_compiler_pic, $1)="$_LT_TAGVAR(lt_prog_compiler_pic, $1)@&t@m4_if([$1],[],[ -DPIC],[m4_if([$1],[CXX],[ -DPIC],[])])"
+    ;;
+esac
+AC_MSG_RESULT([$_LT_TAGVAR(lt_prog_compiler_pic, $1)])
+_LT_TAGDECL([wl], [lt_prog_compiler_wl], [1],
+	[How to pass a linker flag through the compiler])
 
-# Allow CC to be a program name with arguments.
-lt_save_CC="$CC"
-CC=${F77-"f77"}
-compiler=$CC
-_LT_AC_TAGVAR(compiler, $1)=$CC
-_LT_CC_BASENAME([$compiler])
+#
+# Check to make sure the PIC flag actually works.
+#
+if test -n "$_LT_TAGVAR(lt_prog_compiler_pic, $1)"; then
+  _LT_COMPILER_OPTION([if $compiler PIC flag $_LT_TAGVAR(lt_prog_compiler_pic, $1) works],
+    [_LT_TAGVAR(lt_cv_prog_compiler_pic_works, $1)],
+    [$_LT_TAGVAR(lt_prog_compiler_pic, $1)@&t@m4_if([$1],[],[ -DPIC],[m4_if([$1],[CXX],[ -DPIC],[])])], [],
+    [case $_LT_TAGVAR(lt_prog_compiler_pic, $1) in
+     "" | " "*) ;;
+     *) _LT_TAGVAR(lt_prog_compiler_pic, $1)=" $_LT_TAGVAR(lt_prog_compiler_pic, $1)" ;;
+     esac],
+    [_LT_TAGVAR(lt_prog_compiler_pic, $1)=
+     _LT_TAGVAR(lt_prog_compiler_can_build_shared, $1)=no])
+fi
+_LT_TAGDECL([pic_flag], [lt_prog_compiler_pic], [1],
+	[Additional compiler flags for building library objects])
 
-AC_MSG_CHECKING([if libtool supports shared libraries])
-AC_MSG_RESULT([$can_build_shared])
+#
+# Check to make sure the static flag actually works.
+#
+wl=$_LT_TAGVAR(lt_prog_compiler_wl, $1) eval lt_tmp_static_flag=\"$_LT_TAGVAR(lt_prog_compiler_static, $1)\"
+_LT_LINKER_OPTION([if $compiler static flag $lt_tmp_static_flag works],
+  _LT_TAGVAR(lt_cv_prog_compiler_static_works, $1),
+  $lt_tmp_static_flag,
+  [],
+  [_LT_TAGVAR(lt_prog_compiler_static, $1)=])
+_LT_TAGDECL([link_static_flag], [lt_prog_compiler_static], [1],
+	[Compiler flag to prevent dynamic linking])
+])# _LT_COMPILER_PIC
 
-AC_MSG_CHECKING([whether to build shared libraries])
-test "$can_build_shared" = "no" && enable_shared=no
 
-# On AIX, shared libraries and static libraries use the same namespace, and
-# are all built from PIC.
-case $host_os in
-aix3*)
-  test "$enable_shared" = yes && enable_static=no
-  if test -n "$RANLIB"; then
-    archive_cmds="$archive_cmds~\$RANLIB \$lib"
-    postinstall_cmds='$RANLIB $lib'
-  fi
+# _LT_LINKER_SHLIBS([TAGNAME])
+# ----------------------------
+# See if the linker supports building shared libraries.
+m4_defun([_LT_LINKER_SHLIBS],
+[AC_REQUIRE([LT_PATH_LD])dnl
+AC_REQUIRE([LT_PATH_NM])dnl
+m4_require([_LT_FILEUTILS_DEFAULTS])dnl
+m4_require([_LT_DECL_EGREP])dnl
+m4_require([_LT_DECL_SED])dnl
+m4_require([_LT_CMD_GLOBAL_SYMBOLS])dnl
+m4_require([_LT_TAG_COMPILER])dnl
+AC_MSG_CHECKING([whether the $compiler linker ($LD) supports shared libraries])
+m4_if([$1], [CXX], [
+  _LT_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols'
+  case $host_os in
+  aix[[4-9]]*)
+    # If we're using GNU nm, then we don't want the "-C" option.
+    # -C means demangle to AIX nm, but means don't demangle with GNU nm
+    if $NM -V 2>&1 | $GREP 'GNU' > /dev/null; then
+      _LT_TAGVAR(export_symbols_cmds, $1)='$NM -Bpg $libobjs $convenience | awk '\''{ if (((\$ 2 == "T") || (\$ 2 == "D") || (\$ 2 == "B")) && ([substr](\$ 3,1,1) != ".")) { print \$ 3 } }'\'' | sort -u > $export_symbols'
+    else
+      _LT_TAGVAR(export_symbols_cmds, $1)='$NM -BCpg $libobjs $convenience | awk '\''{ if (((\$ 2 == "T") || (\$ 2 == "D") || (\$ 2 == "B")) && ([substr](\$ 3,1,1) != ".")) { print \$ 3 } }'\'' | sort -u > $export_symbols'
+    fi
+    ;;
+  pw32*)
+    _LT_TAGVAR(export_symbols_cmds, $1)="$ltdll_cmds"
   ;;
-aix[[4-9]]*)
-  if test "$host_cpu" != ia64 && test "$aix_use_runtimelinking" = no ; then
-    test "$enable_shared" = yes && enable_static=no
-  fi
+  cygwin* | mingw*)
+    _LT_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[[BCDGRS]][[ ]]/s/.*[[ ]]\([[^ ]]*\)/\1 DATA/;/^.*[[ ]]__nm__/s/^.*[[ ]]__nm__\([[^ ]]*\)[[ ]][[^ ]]*/\1 DATA/;/^I[[ ]]/d;/^[[AITW]][[ ]]/s/.* //'\'' | sort | uniq > $export_symbols'
   ;;
-esac
-AC_MSG_RESULT([$enable_shared])
-
-AC_MSG_CHECKING([whether to build static libraries])
-# Make sure either enable_shared or enable_static is yes.
-test "$enable_shared" = yes || enable_static=yes
-AC_MSG_RESULT([$enable_static])
+  linux* | k*bsd*-gnu)
+    _LT_TAGVAR(link_all_deplibs, $1)=no
+  ;;
+  *)
+    _LT_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols'
+  ;;
+  esac
+  _LT_TAGVAR(exclude_expsyms, $1)=['_GLOBAL_OFFSET_TABLE_|_GLOBAL__F[ID]_.*']
+], [
+  runpath_var=
+  _LT_TAGVAR(allow_undefined_flag, $1)=
+  _LT_TAGVAR(always_export_symbols, $1)=no
+  _LT_TAGVAR(archive_cmds, $1)=
+  _LT_TAGVAR(archive_expsym_cmds, $1)=
+  _LT_TAGVAR(compiler_needs_object, $1)=no
+  _LT_TAGVAR(enable_shared_with_static_runtimes, $1)=no
+  _LT_TAGVAR(export_dynamic_flag_spec, $1)=
+  _LT_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols'
+  _LT_TAGVAR(hardcode_automatic, $1)=no
+  _LT_TAGVAR(hardcode_direct, $1)=no
+  _LT_TAGVAR(hardcode_direct_absolute, $1)=no
+  _LT_TAGVAR(hardcode_libdir_flag_spec, $1)=
+  _LT_TAGVAR(hardcode_libdir_flag_spec_ld, $1)=
+  _LT_TAGVAR(hardcode_libdir_separator, $1)=
+  _LT_TAGVAR(hardcode_minus_L, $1)=no
+  _LT_TAGVAR(hardcode_shlibpath_var, $1)=unsupported
+  _LT_TAGVAR(inherit_rpath, $1)=no
+  _LT_TAGVAR(link_all_deplibs, $1)=unknown
+  _LT_TAGVAR(module_cmds, $1)=
+  _LT_TAGVAR(module_expsym_cmds, $1)=
+  _LT_TAGVAR(old_archive_from_new_cmds, $1)=
+  _LT_TAGVAR(old_archive_from_expsyms_cmds, $1)=
+  _LT_TAGVAR(thread_safe_flag_spec, $1)=
+  _LT_TAGVAR(whole_archive_flag_spec, $1)=
+  # include_expsyms should be a list of space-separated symbols to be *always*
+  # included in the symbol list
+  _LT_TAGVAR(include_expsyms, $1)=
+  # exclude_expsyms can be an extended regexp of symbols to exclude
+  # it will be wrapped by ` (' and `)$', so one must not match beginning or
+  # end of line.  Example: `a|bc|.*d.*' will exclude the symbols `a' and `bc',
+  # as well as any symbol that contains `d'.
+  _LT_TAGVAR(exclude_expsyms, $1)=['_GLOBAL_OFFSET_TABLE_|_GLOBAL__F[ID]_.*']
+  # Although _GLOBAL_OFFSET_TABLE_ is a valid symbol C name, most a.out
+  # platforms (ab)use it in PIC code, but their linkers get confused if
+  # the symbol is explicitly referenced.  Since portable code cannot
+  # rely on this symbol name, it's probably fine to never include it in
+  # preloaded symbol tables.
+  # Exclude shared library initialization/finalization symbols.
+dnl Note also adjust exclude_expsyms for C++ above.
+  extract_expsyms_cmds=
 
-_LT_AC_TAGVAR(GCC, $1)="$G77"
-_LT_AC_TAGVAR(LD, $1)="$LD"
+  case $host_os in
+  cygwin* | mingw* | pw32*)
+    # FIXME: the MSVC++ port hasn't been tested in a loooong time
+    # When not using gcc, we currently assume that we are using
+    # Microsoft Visual C++.
+    if test "$GCC" != yes; then
+      with_gnu_ld=no
+    fi
+    ;;
+  interix*)
+    # we just hope/assume this is gcc and not c89 (= MSVC++)
+    with_gnu_ld=yes
+    ;;
+  openbsd*)
+    with_gnu_ld=no
+    ;;
+  esac
 
-AC_LIBTOOL_PROG_COMPILER_PIC($1)
-AC_LIBTOOL_PROG_CC_C_O($1)
-AC_LIBTOOL_SYS_HARD_LINK_LOCKS($1)
-AC_LIBTOOL_PROG_LD_SHLIBS($1)
-AC_LIBTOOL_SYS_DYNAMIC_LINKER($1)
-AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH($1)
+  _LT_TAGVAR(ld_shlibs, $1)=yes
+  if test "$with_gnu_ld" = yes; then
+    # If archive_cmds runs LD, not CC, wlarc should be empty
+    wlarc='${wl}'
 
-AC_LIBTOOL_CONFIG($1)
+    # Set some defaults for GNU ld with shared library support. These
+    # are reset later if shared libraries are not supported. Putting them
+    # here allows them to be overridden if necessary.
+    runpath_var=LD_RUN_PATH
+    _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
+    _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic'
+    # ancient GNU ld didn't support --whole-archive et. al.
+    if $LD --help 2>&1 | $GREP 'no-whole-archive' > /dev/null; then
+      _LT_TAGVAR(whole_archive_flag_spec, $1)="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive'
+    else
+      _LT_TAGVAR(whole_archive_flag_spec, $1)=
+    fi
+    supports_anon_versioning=no
+    case `$LD -v 2>&1` in
+      *\ [[01]].* | *\ 2.[[0-9]].* | *\ 2.10.*) ;; # catch versions < 2.11
+      *\ 2.11.93.0.2\ *) supports_anon_versioning=yes ;; # RH7.3 ...
+      *\ 2.11.92.0.12\ *) supports_anon_versioning=yes ;; # Mandrake 8.2 ...
+      *\ 2.11.*) ;; # other 2.11 versions
+      *) supports_anon_versioning=yes ;;
+    esac
 
-AC_LANG_POP
-CC="$lt_save_CC"
-])# AC_LIBTOOL_LANG_F77_CONFIG
+    # See if GNU ld supports shared libraries.
+    case $host_os in
+    aix[[3-9]]*)
+      # On AIX/PPC, the GNU linker is very broken
+      if test "$host_cpu" != ia64; then
+	_LT_TAGVAR(ld_shlibs, $1)=no
+	cat <<_LT_EOF 1>&2
 
+*** Warning: the GNU linker, at least up to release 2.9.1, is reported
+*** to be unable to reliably create shared libraries on AIX.
+*** Therefore, libtool is disabling shared libraries support.  If you
+*** really care for shared libraries, you may want to modify your PATH
+*** so that a non-GNU linker is found, and then restart.
 
-# AC_LIBTOOL_LANG_GCJ_CONFIG
-# --------------------------
-# Ensure that the configuration vars for the C compiler are
-# suitably defined.  Those variables are subsequently used by
-# AC_LIBTOOL_CONFIG to write the compiler configuration to `libtool'.
-AC_DEFUN([AC_LIBTOOL_LANG_GCJ_CONFIG], [_LT_AC_LANG_GCJ_CONFIG(GCJ)])
-AC_DEFUN([_LT_AC_LANG_GCJ_CONFIG],
-[AC_LANG_SAVE
+_LT_EOF
+      fi
+      ;;
 
-# Source file extension for Java test sources.
-ac_ext=java
+    amigaos*)
+      case $host_cpu in
+      powerpc)
+            # see comment about AmigaOS4 .so support
+            _LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+            _LT_TAGVAR(archive_expsym_cmds, $1)=''
+        ;;
+      m68k)
+            _LT_TAGVAR(archive_cmds, $1)='$RM $output_objdir/a2ixlibrary.data~$ECHO "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$ECHO "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$ECHO "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$ECHO "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)'
+            _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
+            _LT_TAGVAR(hardcode_minus_L, $1)=yes
+        ;;
+      esac
+      ;;
 
-# Object file extension for compiled Java test sources.
-objext=o
-_LT_AC_TAGVAR(objext, $1)=$objext
+    beos*)
+      if $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then
+	_LT_TAGVAR(allow_undefined_flag, $1)=unsupported
+	# Joseph Beckenbach <jrb3@best.com> says some releases of gcc
+	# support --undefined.  This deserves some investigation.  FIXME
+	_LT_TAGVAR(archive_cmds, $1)='$CC -nostart $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+      else
+	_LT_TAGVAR(ld_shlibs, $1)=no
+      fi
+      ;;
 
-# Code to be used in simple compile tests
-lt_simple_compile_test_code="class foo {}"
+    cygwin* | mingw* | pw32*)
+      # _LT_TAGVAR(hardcode_libdir_flag_spec, $1) is actually meaningless,
+      # as there is no search path for DLLs.
+      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
+      _LT_TAGVAR(allow_undefined_flag, $1)=unsupported
+      _LT_TAGVAR(always_export_symbols, $1)=no
+      _LT_TAGVAR(enable_shared_with_static_runtimes, $1)=yes
+      _LT_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[[BCDGRS]][[ ]]/s/.*[[ ]]\([[^ ]]*\)/\1 DATA/'\'' | $SED -e '\''/^[[AITW]][[ ]]/s/.*[[ ]]//'\'' | sort | uniq > $export_symbols'
+
+      if $LD --help 2>&1 | $GREP 'auto-import' > /dev/null; then
+        _LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
+	# If the export-symbols file already is a .def file (1st line
+	# is EXPORTS), use it as is; otherwise, prepend...
+	_LT_TAGVAR(archive_expsym_cmds, $1)='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then
+	  cp $export_symbols $output_objdir/$soname.def;
+	else
+	  echo EXPORTS > $output_objdir/$soname.def;
+	  cat $export_symbols >> $output_objdir/$soname.def;
+	fi~
+	$CC -shared $output_objdir/$soname.def $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
+      else
+	_LT_TAGVAR(ld_shlibs, $1)=no
+      fi
+      ;;
 
-# Code to be used in simple link tests
-lt_simple_link_test_code='public class conftest { public static void main(String[[]] argv) {}; }'
+    interix[[3-9]]*)
+      _LT_TAGVAR(hardcode_direct, $1)=no
+      _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
+      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
+      _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
+      # Hack: On Interix 3.x, we cannot compile PIC because of a broken gcc.
+      # Instead, shared libraries are loaded at an image base (0x10000000 by
+      # default) and relocated if they conflict, which is a slow very memory
+      # consuming and fragmenting process.  To avoid this, we pick a random,
+      # 256 KiB-aligned image base between 0x50000000 and 0x6FFC0000 at link
+      # time.  Moving up from 0x10000000 also allows more sbrk(2) space.
+      _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
+      _LT_TAGVAR(archive_expsym_cmds, $1)='sed "s,^,_," $export_symbols >$output_objdir/$soname.expsym~$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--retain-symbols-file,$output_objdir/$soname.expsym ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
+      ;;
 
-# ltmain only uses $CC for tagged configurations so make sure $CC is set.
-_LT_AC_SYS_COMPILER
+    gnu* | linux* | tpf* | k*bsd*-gnu)
+      tmp_diet=no
+      if test "$host_os" = linux-dietlibc; then
+	case $cc_basename in
+	  diet\ *) tmp_diet=yes;;	# linux-dietlibc with static linking (!diet-dyn)
+	esac
+      fi
+      if $LD --help 2>&1 | $EGREP ': supported targets:.* elf' > /dev/null \
+	 && test "$tmp_diet" = no
+      then
+	tmp_addflag=
+	tmp_sharedflag='-shared'
+	case $cc_basename,$host_cpu in
+        pgcc*)				# Portland Group C compiler
+	  _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $ECHO \"$new_convenience\"` ${wl}--no-whole-archive'
+	  tmp_addflag=' $pic_flag'
+	  ;;
+	pgf77* | pgf90* | pgf95*)	# Portland Group f77 and f90 compilers
+	  _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $ECHO \"$new_convenience\"` ${wl}--no-whole-archive'
+	  tmp_addflag=' $pic_flag -Mnomain' ;;
+	ecc*,ia64* | icc*,ia64*)	# Intel C compiler on ia64
+	  tmp_addflag=' -i_dynamic' ;;
+	efc*,ia64* | ifort*,ia64*)	# Intel Fortran compiler on ia64
+	  tmp_addflag=' -i_dynamic -nofor_main' ;;
+	ifc* | ifort*)			# Intel Fortran compiler
+	  tmp_addflag=' -nofor_main' ;;
+	xl[[cC]]*)			# IBM XL C 8.0 on PPC (deal with xlf below)
+	  tmp_sharedflag='-qmkshrobj'
+	  tmp_addflag= ;;
+	esac
+	case `$CC -V 2>&1 | sed 5q` in
+	*Sun\ C*)			# Sun C 5.9
+	  _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`new_convenience=; for conv in $convenience\"\"; do test -z \"$conv\" || new_convenience=\"$new_convenience,$conv\"; done; $ECHO \"$new_convenience\"` ${wl}--no-whole-archive'
+	  _LT_TAGVAR(compiler_needs_object, $1)=yes
+	  tmp_sharedflag='-G' ;;
+	*Sun\ F*)			# Sun Fortran 8.3
+	  tmp_sharedflag='-G' ;;
+	esac
+	_LT_TAGVAR(archive_cmds, $1)='$CC '"$tmp_sharedflag""$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
 
-# save warnings/boilerplate of simple test code
-_LT_COMPILER_BOILERPLATE
-_LT_LINKER_BOILERPLATE
+        if test "x$supports_anon_versioning" = xyes; then
+          _LT_TAGVAR(archive_expsym_cmds, $1)='echo "{ global:" > $output_objdir/$libname.ver~
+	    cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~
+	    echo "local: *; };" >> $output_objdir/$libname.ver~
+	    $CC '"$tmp_sharedflag""$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-version-script ${wl}$output_objdir/$libname.ver -o $lib'
+        fi
 
-# Allow CC to be a program name with arguments.
-lt_save_CC="$CC"
-CC=${GCJ-"gcj"}
-compiler=$CC
-_LT_AC_TAGVAR(compiler, $1)=$CC
-_LT_CC_BASENAME([$compiler])
+	case $cc_basename in
+	xlf*)
+	  # IBM XL Fortran 10.1 on PPC cannot create shared libs itself
+	  _LT_TAGVAR(whole_archive_flag_spec, $1)='--whole-archive$convenience --no-whole-archive'
+	  _LT_TAGVAR(hardcode_libdir_flag_spec, $1)=
+	  _LT_TAGVAR(hardcode_libdir_flag_spec_ld, $1)='-rpath $libdir'
+	  _LT_TAGVAR(archive_cmds, $1)='$LD -shared $libobjs $deplibs $compiler_flags -soname $soname -o $lib'
+	  if test "x$supports_anon_versioning" = xyes; then
+	    _LT_TAGVAR(archive_expsym_cmds, $1)='echo "{ global:" > $output_objdir/$libname.ver~
+	      cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~
+	      echo "local: *; };" >> $output_objdir/$libname.ver~
+	      $LD -shared $libobjs $deplibs $compiler_flags -soname $soname -version-script $output_objdir/$libname.ver -o $lib'
+	  fi
+	  ;;
+	esac
+      else
+        _LT_TAGVAR(ld_shlibs, $1)=no
+      fi
+      ;;
 
-# GCJ did not exist at the time GCC didn't implicitly link libc in.
-_LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
+    netbsd* | netbsdelf*-gnu)
+      if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then
+	_LT_TAGVAR(archive_cmds, $1)='$LD -Bshareable $libobjs $deplibs $linker_flags -o $lib'
+	wlarc=
+      else
+	_LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+	_LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+      fi
+      ;;
 
-_LT_AC_TAGVAR(old_archive_cmds, $1)=$old_archive_cmds
+    solaris*)
+      if $LD -v 2>&1 | $GREP 'BFD 2\.8' > /dev/null; then
+	_LT_TAGVAR(ld_shlibs, $1)=no
+	cat <<_LT_EOF 1>&2
 
-AC_LIBTOOL_PROG_COMPILER_NO_RTTI($1)
-AC_LIBTOOL_PROG_COMPILER_PIC($1)
-AC_LIBTOOL_PROG_CC_C_O($1)
-AC_LIBTOOL_SYS_HARD_LINK_LOCKS($1)
-AC_LIBTOOL_PROG_LD_SHLIBS($1)
-AC_LIBTOOL_SYS_DYNAMIC_LINKER($1)
-AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH($1)
+*** Warning: The releases 2.8.* of the GNU linker cannot reliably
+*** create shared libraries on Solaris systems.  Therefore, libtool
+*** is disabling shared libraries support.  We urge you to upgrade GNU
+*** binutils to release 2.9.1 or newer.  Another option is to modify
+*** your PATH or compiler configuration so that the native linker is
+*** used, and then restart.
 
-AC_LIBTOOL_CONFIG($1)
-
-AC_LANG_RESTORE
-CC="$lt_save_CC"
-])# AC_LIBTOOL_LANG_GCJ_CONFIG
-
-
-# AC_LIBTOOL_LANG_RC_CONFIG
-# -------------------------
-# Ensure that the configuration vars for the Windows resource compiler are
-# suitably defined.  Those variables are subsequently used by
-# AC_LIBTOOL_CONFIG to write the compiler configuration to `libtool'.
-AC_DEFUN([AC_LIBTOOL_LANG_RC_CONFIG], [_LT_AC_LANG_RC_CONFIG(RC)])
-AC_DEFUN([_LT_AC_LANG_RC_CONFIG],
-[AC_LANG_SAVE
-
-# Source file extension for RC test sources.
-ac_ext=rc
-
-# Object file extension for compiled RC test sources.
-objext=o
-_LT_AC_TAGVAR(objext, $1)=$objext
-
-# Code to be used in simple compile tests
-lt_simple_compile_test_code='sample MENU { MENUITEM "&Soup", 100, CHECKED }'
-
-# Code to be used in simple link tests
-lt_simple_link_test_code="$lt_simple_compile_test_code"
-
-# ltmain only uses $CC for tagged configurations so make sure $CC is set.
-_LT_AC_SYS_COMPILER
-
-# save warnings/boilerplate of simple test code
-_LT_COMPILER_BOILERPLATE
-_LT_LINKER_BOILERPLATE
-
-# Allow CC to be a program name with arguments.
-lt_save_CC="$CC"
-CC=${RC-"windres"}
-compiler=$CC
-_LT_AC_TAGVAR(compiler, $1)=$CC
-_LT_CC_BASENAME([$compiler])
-_LT_AC_TAGVAR(lt_cv_prog_compiler_c_o, $1)=yes
+_LT_EOF
+      elif $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then
+	_LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+	_LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+      else
+	_LT_TAGVAR(ld_shlibs, $1)=no
+      fi
+      ;;
 
-AC_LIBTOOL_CONFIG($1)
+    sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX*)
+      case `$LD -v 2>&1` in
+        *\ [[01]].* | *\ 2.[[0-9]].* | *\ 2.1[[0-5]].*)
+	_LT_TAGVAR(ld_shlibs, $1)=no
+	cat <<_LT_EOF 1>&2
 
-AC_LANG_RESTORE
-CC="$lt_save_CC"
-])# AC_LIBTOOL_LANG_RC_CONFIG
+*** Warning: Releases of the GNU linker prior to 2.16.91.0.3 can not
+*** reliably create shared libraries on SCO systems.  Therefore, libtool
+*** is disabling shared libraries support.  We urge you to upgrade GNU
+*** binutils to release 2.16.91.0.3 or newer.  Another option is to modify
+*** your PATH or compiler configuration so that the native linker is
+*** used, and then restart.
 
+_LT_EOF
+	;;
+	*)
+	  # For security reasons, it is highly recommended that you always
+	  # use absolute paths for naming shared libraries, and exclude the
+	  # DT_RUNPATH tag from executables and libraries.  But doing so
+	  # requires that you compile everything twice, which is a pain.
+	  if $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then
+	    _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
+	    _LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+	    _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+	  else
+	    _LT_TAGVAR(ld_shlibs, $1)=no
+	  fi
+	;;
+      esac
+      ;;
 
-# AC_LIBTOOL_CONFIG([TAGNAME])
-# ----------------------------
-# If TAGNAME is not passed, then create an initial libtool script
-# with a default configuration from the untagged config vars.  Otherwise
-# add code to config.status for appending the configuration named by
-# TAGNAME from the matching tagged config vars.
-AC_DEFUN([AC_LIBTOOL_CONFIG],
-[# The else clause should only fire when bootstrapping the
-# libtool distribution, otherwise you forgot to ship ltmain.sh
-# with your package, and you will get complaints that there are
-# no rules to generate ltmain.sh.
-if test -f "$ltmain"; then
-  # See if we are running on zsh, and set the options which allow our commands through
-  # without removal of \ escapes.
-  if test -n "${ZSH_VERSION+set}" ; then
-    setopt NO_GLOB_SUBST
-  fi
-  # Now quote all the things that may contain metacharacters while being
-  # careful not to overquote the AC_SUBSTed values.  We take copies of the
-  # variables and quote the copies for generation of the libtool script.
-  for var in echo old_CC old_CFLAGS AR AR_FLAGS EGREP RANLIB LN_S LTCC LTCFLAGS NM \
-    SED SHELL STRIP \
-    libname_spec library_names_spec soname_spec extract_expsyms_cmds \
-    old_striplib striplib file_magic_cmd finish_cmds finish_eval \
-    deplibs_check_method reload_flag reload_cmds need_locks \
-    lt_cv_sys_global_symbol_pipe lt_cv_sys_global_symbol_to_cdecl \
-    lt_cv_sys_global_symbol_to_c_name_address \
-    sys_lib_search_path_spec sys_lib_dlsearch_path_spec \
-    old_postinstall_cmds old_postuninstall_cmds \
-    _LT_AC_TAGVAR(compiler, $1) \
-    _LT_AC_TAGVAR(CC, $1) \
-    _LT_AC_TAGVAR(LD, $1) \
-    _LT_AC_TAGVAR(lt_prog_compiler_wl, $1) \
-    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1) \
-    _LT_AC_TAGVAR(lt_prog_compiler_static, $1) \
-    _LT_AC_TAGVAR(lt_prog_compiler_no_builtin_flag, $1) \
-    _LT_AC_TAGVAR(export_dynamic_flag_spec, $1) \
-    _LT_AC_TAGVAR(thread_safe_flag_spec, $1) \
-    _LT_AC_TAGVAR(whole_archive_flag_spec, $1) \
-    _LT_AC_TAGVAR(enable_shared_with_static_runtimes, $1) \
-    _LT_AC_TAGVAR(old_archive_cmds, $1) \
-    _LT_AC_TAGVAR(old_archive_from_new_cmds, $1) \
-    _LT_AC_TAGVAR(predep_objects, $1) \
-    _LT_AC_TAGVAR(postdep_objects, $1) \
-    _LT_AC_TAGVAR(predeps, $1) \
-    _LT_AC_TAGVAR(postdeps, $1) \
-    _LT_AC_TAGVAR(compiler_lib_search_path, $1) \
-    _LT_AC_TAGVAR(compiler_lib_search_dirs, $1) \
-    _LT_AC_TAGVAR(archive_cmds, $1) \
-    _LT_AC_TAGVAR(archive_expsym_cmds, $1) \
-    _LT_AC_TAGVAR(postinstall_cmds, $1) \
-    _LT_AC_TAGVAR(postuninstall_cmds, $1) \
-    _LT_AC_TAGVAR(old_archive_from_expsyms_cmds, $1) \
-    _LT_AC_TAGVAR(allow_undefined_flag, $1) \
-    _LT_AC_TAGVAR(no_undefined_flag, $1) \
-    _LT_AC_TAGVAR(export_symbols_cmds, $1) \
-    _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1) \
-    _LT_AC_TAGVAR(hardcode_libdir_flag_spec_ld, $1) \
-    _LT_AC_TAGVAR(hardcode_libdir_separator, $1) \
-    _LT_AC_TAGVAR(hardcode_automatic, $1) \
-    _LT_AC_TAGVAR(module_cmds, $1) \
-    _LT_AC_TAGVAR(module_expsym_cmds, $1) \
-    _LT_AC_TAGVAR(lt_cv_prog_compiler_c_o, $1) \
-    _LT_AC_TAGVAR(fix_srcfile_path, $1) \
-    _LT_AC_TAGVAR(exclude_expsyms, $1) \
-    _LT_AC_TAGVAR(include_expsyms, $1); do
-
-    case $var in
-    _LT_AC_TAGVAR(old_archive_cmds, $1) | \
-    _LT_AC_TAGVAR(old_archive_from_new_cmds, $1) | \
-    _LT_AC_TAGVAR(archive_cmds, $1) | \
-    _LT_AC_TAGVAR(archive_expsym_cmds, $1) | \
-    _LT_AC_TAGVAR(module_cmds, $1) | \
-    _LT_AC_TAGVAR(module_expsym_cmds, $1) | \
-    _LT_AC_TAGVAR(old_archive_from_expsyms_cmds, $1) | \
-    _LT_AC_TAGVAR(export_symbols_cmds, $1) | \
-    extract_expsyms_cmds | reload_cmds | finish_cmds | \
-    postinstall_cmds | postuninstall_cmds | \
-    old_postinstall_cmds | old_postuninstall_cmds | \
-    sys_lib_search_path_spec | sys_lib_dlsearch_path_spec)
-      # Double-quote double-evaled strings.
-      eval "lt_$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$double_quote_subst\" -e \"\$sed_quote_subst\" -e \"\$delay_variable_subst\"\`\\\""
+    sunos4*)
+      _LT_TAGVAR(archive_cmds, $1)='$LD -assert pure-text -Bshareable -o $lib $libobjs $deplibs $linker_flags'
+      wlarc=
+      _LT_TAGVAR(hardcode_direct, $1)=yes
+      _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
       ;;
+
     *)
-      eval "lt_$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$sed_quote_subst\"\`\\\""
+      if $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then
+	_LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+	_LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+      else
+	_LT_TAGVAR(ld_shlibs, $1)=no
+      fi
       ;;
     esac
-  done
-
-  case $lt_echo in
-  *'\[$]0 --fallback-echo"')
-    lt_echo=`$echo "X$lt_echo" | $Xsed -e 's/\\\\\\\[$]0 --fallback-echo"[$]/[$]0 --fallback-echo"/'`
-    ;;
-  esac
-
-ifelse([$1], [],
-  [cfgfile="${ofile}T"
-  trap "$rm \"$cfgfile\"; exit 1" 1 2 15
-  $rm -f "$cfgfile"
-  AC_MSG_NOTICE([creating $ofile])],
-  [cfgfile="$ofile"])
-
-  cat <<__EOF__ >> "$cfgfile"
-ifelse([$1], [],
-[#! $SHELL
-
-# `$echo "$cfgfile" | sed 's%^.*/%%'` - Provide generalized library-building support services.
-# Generated automatically by $PROGRAM (GNU $PACKAGE $VERSION$TIMESTAMP)
-# NOTE: Changes made to this file will be lost: look at ltmain.sh.
-#
-# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008
-# Free Software Foundation, Inc.
-#
-# This file is part of GNU Libtool:
-# Originally by Gordon Matzigkeit <gord@gnu.ai.mit.edu>, 1996
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-# General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-#
-# As a special exception to the GNU General Public License, if you
-# distribute this file as part of a program that contains a
-# configuration script generated by Autoconf, you may include it under
-# the same distribution terms that you use for the rest of that program.
-
-# A sed program that does not truncate output.
-SED=$lt_SED
-
-# Sed that helps us avoid accidentally triggering echo(1) options like -n.
-Xsed="$SED -e 1s/^X//"
-
-# The HP-UX ksh and POSIX shell print the target directory to stdout
-# if CDPATH is set.
-(unset CDPATH) >/dev/null 2>&1 && unset CDPATH
-
-# The names of the tagged configurations supported by this script.
-available_tags=
-
-# ### BEGIN LIBTOOL CONFIG],
-[# ### BEGIN LIBTOOL TAG CONFIG: $tagname])
-
-# Libtool was configured on host `(hostname || uname -n) 2>/dev/null | sed 1q`:
-
-# Shell to use when invoking shell scripts.
-SHELL=$lt_SHELL
-
-# Whether or not to build shared libraries.
-build_libtool_libs=$enable_shared
-
-# Whether or not to build static libraries.
-build_old_libs=$enable_static
 
-# Whether or not to add -lc for building shared libraries.
-build_libtool_need_lc=$_LT_AC_TAGVAR(archive_cmds_need_lc, $1)
-
-# Whether or not to disallow shared libs when runtime libs are static
-allow_libtool_libs_with_static_runtimes=$_LT_AC_TAGVAR(enable_shared_with_static_runtimes, $1)
-
-# Whether or not to optimize for fast installation.
-fast_install=$enable_fast_install
-
-# The host system.
-host_alias=$host_alias
-host=$host
-host_os=$host_os
+    if test "$_LT_TAGVAR(ld_shlibs, $1)" = no; then
+      runpath_var=
+      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)=
+      _LT_TAGVAR(export_dynamic_flag_spec, $1)=
+      _LT_TAGVAR(whole_archive_flag_spec, $1)=
+    fi
+  else
+    # PORTME fill in a description of your system's linker (not GNU ld)
+    case $host_os in
+    aix3*)
+      _LT_TAGVAR(allow_undefined_flag, $1)=unsupported
+      _LT_TAGVAR(always_export_symbols, $1)=yes
+      _LT_TAGVAR(archive_expsym_cmds, $1)='$LD -o $output_objdir/$soname $libobjs $deplibs $linker_flags -bE:$export_symbols -T512 -H512 -bM:SRE~$AR $AR_FLAGS $lib $output_objdir/$soname'
+      # Note: this linker hardcodes the directories in LIBPATH if there
+      # are no directories specified by -L.
+      _LT_TAGVAR(hardcode_minus_L, $1)=yes
+      if test "$GCC" = yes && test -z "$lt_prog_compiler_static"; then
+	# Neither direct hardcoding nor static linking is supported with a
+	# broken collect2.
+	_LT_TAGVAR(hardcode_direct, $1)=unsupported
+      fi
+      ;;
 
-# The build system.
-build_alias=$build_alias
-build=$build
-build_os=$build_os
+    aix[[4-9]]*)
+      if test "$host_cpu" = ia64; then
+	# On IA64, the linker does run time linking by default, so we don't
+	# have to do anything special.
+	aix_use_runtimelinking=no
+	exp_sym_flag='-Bexport'
+	no_entry_flag=""
+      else
+	# If we're using GNU nm, then we don't want the "-C" option.
+	# -C means demangle to AIX nm, but means don't demangle with GNU nm
+	if $NM -V 2>&1 | $GREP 'GNU' > /dev/null; then
+	  _LT_TAGVAR(export_symbols_cmds, $1)='$NM -Bpg $libobjs $convenience | awk '\''{ if (((\$ 2 == "T") || (\$ 2 == "D") || (\$ 2 == "B")) && ([substr](\$ 3,1,1) != ".")) { print \$ 3 } }'\'' | sort -u > $export_symbols'
+	else
+	  _LT_TAGVAR(export_symbols_cmds, $1)='$NM -BCpg $libobjs $convenience | awk '\''{ if (((\$ 2 == "T") || (\$ 2 == "D") || (\$ 2 == "B")) && ([substr](\$ 3,1,1) != ".")) { print \$ 3 } }'\'' | sort -u > $export_symbols'
+	fi
+	aix_use_runtimelinking=no
 
-# An echo program that does not interpret backslashes.
-echo=$lt_echo
+	# Test if we are trying to use run time linking or normal
+	# AIX style linking. If -brtl is somewhere in LDFLAGS, we
+	# need to do runtime linking.
+	case $host_os in aix4.[[23]]|aix4.[[23]].*|aix[[5-9]]*)
+	  for ld_flag in $LDFLAGS; do
+	  if (test $ld_flag = "-brtl" || test $ld_flag = "-Wl,-brtl"); then
+	    aix_use_runtimelinking=yes
+	    break
+	  fi
+	  done
+	  ;;
+	esac
 
-# The archiver.
-AR=$lt_AR
-AR_FLAGS=$lt_AR_FLAGS
+	exp_sym_flag='-bexport'
+	no_entry_flag='-bnoentry'
+      fi
 
-# A C compiler.
-LTCC=$lt_LTCC
+      # When large executables or shared objects are built, AIX ld can
+      # have problems creating the table of contents.  If linking a library
+      # or program results in "error TOC overflow" add -mminimal-toc to
+      # CXXFLAGS/CFLAGS for g++/gcc.  In the cases where that is not
+      # enough to fix the problem, add -Wl,-bbigtoc to LDFLAGS.
 
-# LTCC compiler flags.
-LTCFLAGS=$lt_LTCFLAGS
+      _LT_TAGVAR(archive_cmds, $1)=''
+      _LT_TAGVAR(hardcode_direct, $1)=yes
+      _LT_TAGVAR(hardcode_direct_absolute, $1)=yes
+      _LT_TAGVAR(hardcode_libdir_separator, $1)=':'
+      _LT_TAGVAR(link_all_deplibs, $1)=yes
+      _LT_TAGVAR(file_list_spec, $1)='${wl}-f,'
 
-# A language-specific compiler.
-CC=$lt_[]_LT_AC_TAGVAR(compiler, $1)
+      if test "$GCC" = yes; then
+	case $host_os in aix4.[[012]]|aix4.[[012]].*)
+	# We only want to do this on AIX 4.2 and lower, the check
+	# below for broken collect2 doesn't work under 4.3+
+	  collect2name=`${CC} -print-prog-name=collect2`
+	  if test -f "$collect2name" &&
+	   strings "$collect2name" | $GREP resolve_lib_name >/dev/null
+	  then
+	  # We have reworked collect2
+	  :
+	  else
+	  # We have old collect2
+	  _LT_TAGVAR(hardcode_direct, $1)=unsupported
+	  # It fails to find uninstalled libraries when the uninstalled
+	  # path is not listed in the libpath.  Setting hardcode_minus_L
+	  # to unsupported forces relinking
+	  _LT_TAGVAR(hardcode_minus_L, $1)=yes
+	  _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
+	  _LT_TAGVAR(hardcode_libdir_separator, $1)=
+	  fi
+	  ;;
+	esac
+	shared_flag='-shared'
+	if test "$aix_use_runtimelinking" = yes; then
+	  shared_flag="$shared_flag "'${wl}-G'
+	fi
+	_LT_TAGVAR(link_all_deplibs, $1)=no
+      else
+	# not using gcc
+	if test "$host_cpu" = ia64; then
+	# VisualAge C++, Version 5.5 for AIX 5L for IA-64, Beta 3 Release
+	# chokes on -Wl,-G. The following line is correct:
+	  shared_flag='-G'
+	else
+	  if test "$aix_use_runtimelinking" = yes; then
+	    shared_flag='${wl}-G'
+	  else
+	    shared_flag='${wl}-bM:SRE'
+	  fi
+	fi
+      fi
 
-# Is the compiler the GNU C compiler?
-with_gcc=$_LT_AC_TAGVAR(GCC, $1)
+      # It seems that -bexpall does not export symbols beginning with
+      # underscore (_), so it is better to generate a list of symbols to export.
+      _LT_TAGVAR(always_export_symbols, $1)=yes
+      if test "$aix_use_runtimelinking" = yes; then
+	# Warning - without using the other runtime loading flags (-brtl),
+	# -berok will link without error, but may produce a broken library.
+	_LT_TAGVAR(allow_undefined_flag, $1)='-berok'
+        # Determine the default libpath from the value encoded in an
+        # empty executable.
+        _LT_SYS_MODULE_PATH_AIX
+        _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-blibpath:$libdir:'"$aix_libpath"
+        _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then $ECHO "X${wl}${allow_undefined_flag}" | $Xsed; else :; fi` '"\${wl}$exp_sym_flag:\$export_symbols $shared_flag"
+      else
+	if test "$host_cpu" = ia64; then
+	  _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-R $libdir:/usr/lib:/lib'
+	  _LT_TAGVAR(allow_undefined_flag, $1)="-z nodefs"
+	  _LT_TAGVAR(archive_expsym_cmds, $1)="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags ${wl}${allow_undefined_flag} '"\${wl}$exp_sym_flag:\$export_symbols"
+	else
+	 # Determine the default libpath from the value encoded in an
+	 # empty executable.
+	 _LT_SYS_MODULE_PATH_AIX
+	 _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-blibpath:$libdir:'"$aix_libpath"
+	  # Warning - without using the other run time loading flags,
+	  # -berok will link without error, but may produce a broken library.
+	  _LT_TAGVAR(no_undefined_flag, $1)=' ${wl}-bernotok'
+	  _LT_TAGVAR(allow_undefined_flag, $1)=' ${wl}-berok'
+	  # Exported symbols can be pulled into shared objects from archives
+	  _LT_TAGVAR(whole_archive_flag_spec, $1)='$convenience'
+	  _LT_TAGVAR(archive_cmds_need_lc, $1)=yes
+	  # This is similar to how AIX traditionally builds its shared libraries.
+	  _LT_TAGVAR(archive_expsym_cmds, $1)="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs ${wl}-bnoentry $compiler_flags ${wl}-bE:$export_symbols${allow_undefined_flag}~$AR $AR_FLAGS $output_objdir/$libname$release.a $output_objdir/$soname'
+	fi
+      fi
+      ;;
 
-# An ERE matcher.
-EGREP=$lt_EGREP
+    amigaos*)
+      case $host_cpu in
+      powerpc)
+            # see comment about AmigaOS4 .so support
+            _LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+            _LT_TAGVAR(archive_expsym_cmds, $1)=''
+        ;;
+      m68k)
+            _LT_TAGVAR(archive_cmds, $1)='$RM $output_objdir/a2ixlibrary.data~$ECHO "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$ECHO "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$ECHO "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$ECHO "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)'
+            _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
+            _LT_TAGVAR(hardcode_minus_L, $1)=yes
+        ;;
+      esac
+      ;;
 
-# The linker used to build libraries.
-LD=$lt_[]_LT_AC_TAGVAR(LD, $1)
+    bsdi[[45]]*)
+      _LT_TAGVAR(export_dynamic_flag_spec, $1)=-rdynamic
+      ;;
 
-# Whether we need hard or soft links.
-LN_S=$lt_LN_S
+    cygwin* | mingw* | pw32*)
+      # When not using gcc, we currently assume that we are using
+      # Microsoft Visual C++.
+      # hardcode_libdir_flag_spec is actually meaningless, as there is
+      # no search path for DLLs.
+      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)=' '
+      _LT_TAGVAR(allow_undefined_flag, $1)=unsupported
+      # Tell ltmain to make .lib files, not .a files.
+      libext=lib
+      # Tell ltmain to make .dll files, not .so files.
+      shrext_cmds=".dll"
+      # FIXME: Setting linknames here is a bad hack.
+      _LT_TAGVAR(archive_cmds, $1)='$CC -o $lib $libobjs $compiler_flags `$ECHO "X$deplibs" | $Xsed -e '\''s/ -lc$//'\''` -link -dll~linknames='
+      # The linker will automatically build a .lib file if we build a DLL.
+      _LT_TAGVAR(old_archive_from_new_cmds, $1)='true'
+      # FIXME: Should let the user specify the lib program.
+      _LT_TAGVAR(old_archive_cmds, $1)='lib -OUT:$oldlib$oldobjs$old_deplibs'
+      _LT_TAGVAR(fix_srcfile_path, $1)='`cygpath -w "$srcfile"`'
+      _LT_TAGVAR(enable_shared_with_static_runtimes, $1)=yes
+      ;;
 
-# A BSD-compatible nm program.
-NM=$lt_NM
+    darwin* | rhapsody*)
+      _LT_DARWIN_LINKER_FEATURES($1)
+      ;;
 
-# A symbol stripping program
-STRIP=$lt_STRIP
+    dgux*)
+      _LT_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
+      _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
+      ;;
 
-# Used to examine libraries when file_magic_cmd begins "file"
-MAGIC_CMD=$MAGIC_CMD
+    freebsd1*)
+      _LT_TAGVAR(ld_shlibs, $1)=no
+      ;;
 
-# Used on cygwin: DLL creation program.
-DLLTOOL="$DLLTOOL"
+    # FreeBSD 2.2.[012] allows us to include c++rt0.o to get C++ constructor
+    # support.  Future versions do this automatically, but an explicit c++rt0.o
+    # does not break anything, and helps significantly (at the cost of a little
+    # extra space).
+    freebsd2.2*)
+      _LT_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags /usr/lib/c++rt0.o'
+      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
+      _LT_TAGVAR(hardcode_direct, $1)=yes
+      _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
+      ;;
 
-# Used on cygwin: object dumper.
-OBJDUMP="$OBJDUMP"
+    # Unfortunately, older versions of FreeBSD 2 do not have this feature.
+    freebsd2*)
+      _LT_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'
+      _LT_TAGVAR(hardcode_direct, $1)=yes
+      _LT_TAGVAR(hardcode_minus_L, $1)=yes
+      _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
+      ;;
 
-# Used on cygwin: assembler.
-AS="$AS"
+    # FreeBSD 3 and greater uses gcc -shared to do shared libraries.
+    freebsd* | dragonfly*)
+      _LT_TAGVAR(archive_cmds, $1)='$CC -shared -o $lib $libobjs $deplibs $compiler_flags'
+      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
+      _LT_TAGVAR(hardcode_direct, $1)=yes
+      _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
+      ;;
 
-# The name of the directory that contains temporary libtool files.
-objdir=$objdir
+    hpux9*)
+      if test "$GCC" = yes; then
+	_LT_TAGVAR(archive_cmds, $1)='$RM $output_objdir/$soname~$CC -shared -fPIC ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $libobjs $deplibs $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
+      else
+	_LT_TAGVAR(archive_cmds, $1)='$RM $output_objdir/$soname~$LD -b +b $install_libdir -o $output_objdir/$soname $libobjs $deplibs $linker_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
+      fi
+      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir'
+      _LT_TAGVAR(hardcode_libdir_separator, $1)=:
+      _LT_TAGVAR(hardcode_direct, $1)=yes
 
-# How to create reloadable object files.
-reload_flag=$lt_reload_flag
-reload_cmds=$lt_reload_cmds
+      # hardcode_minus_L: Not really in the search PATH,
+      # but as the default location of the library.
+      _LT_TAGVAR(hardcode_minus_L, $1)=yes
+      _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
+      ;;
 
-# How to pass a linker flag through the compiler.
-wl=$lt_[]_LT_AC_TAGVAR(lt_prog_compiler_wl, $1)
+    hpux10*)
+      if test "$GCC" = yes -a "$with_gnu_ld" = no; then
+	_LT_TAGVAR(archive_cmds, $1)='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
+      else
+	_LT_TAGVAR(archive_cmds, $1)='$LD -b +h $soname +b $install_libdir -o $lib $libobjs $deplibs $linker_flags'
+      fi
+      if test "$with_gnu_ld" = no; then
+	_LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir'
+	_LT_TAGVAR(hardcode_libdir_flag_spec_ld, $1)='+b $libdir'
+	_LT_TAGVAR(hardcode_libdir_separator, $1)=:
+	_LT_TAGVAR(hardcode_direct, $1)=yes
+	_LT_TAGVAR(hardcode_direct_absolute, $1)=yes
+	_LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
+	# hardcode_minus_L: Not really in the search PATH,
+	# but as the default location of the library.
+	_LT_TAGVAR(hardcode_minus_L, $1)=yes
+      fi
+      ;;
 
-# Object file suffix (normally "o").
-objext="$ac_objext"
-
-# Old archive suffix (normally "a").
-libext="$libext"
-
-# Shared library suffix (normally ".so").
-shrext_cmds='$shrext_cmds'
-
-# Executable file suffix (normally "").
-exeext="$exeext"
-
-# Additional compiler flags for building library objects.
-pic_flag=$lt_[]_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)
-pic_mode=$pic_mode
-
-# What is the maximum length of a command?
-max_cmd_len=$lt_cv_sys_max_cmd_len
+    hpux11*)
+      if test "$GCC" = yes -a "$with_gnu_ld" = no; then
+	case $host_cpu in
+	hppa*64*)
+	  _LT_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}+h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
+	  ;;
+	ia64*)
+	  _LT_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags'
+	  ;;
+	*)
+	  _LT_TAGVAR(archive_cmds, $1)='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
+	  ;;
+	esac
+      else
+	case $host_cpu in
+	hppa*64*)
+	  _LT_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
+	  ;;
+	ia64*)
+	  _LT_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags'
+	  ;;
+	*)
+	  _LT_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
+	  ;;
+	esac
+      fi
+      if test "$with_gnu_ld" = no; then
+	_LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir'
+	_LT_TAGVAR(hardcode_libdir_separator, $1)=:
 
-# Does compiler simultaneously support -c and -o options?
-compiler_c_o=$lt_[]_LT_AC_TAGVAR(lt_cv_prog_compiler_c_o, $1)
+	case $host_cpu in
+	hppa*64*|ia64*)
+	  _LT_TAGVAR(hardcode_direct, $1)=no
+	  _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
+	  ;;
+	*)
+	  _LT_TAGVAR(hardcode_direct, $1)=yes
+	  _LT_TAGVAR(hardcode_direct_absolute, $1)=yes
+	  _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
 
-# Must we lock files when doing compilation?
-need_locks=$lt_need_locks
+	  # hardcode_minus_L: Not really in the search PATH,
+	  # but as the default location of the library.
+	  _LT_TAGVAR(hardcode_minus_L, $1)=yes
+	  ;;
+	esac
+      fi
+      ;;
 
-# Do we need the lib prefix for modules?
-need_lib_prefix=$need_lib_prefix
+    irix5* | irix6* | nonstopux*)
+      if test "$GCC" = yes; then
+	_LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && $ECHO "X${wl}-set_version ${wl}$verstring" | $Xsed` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+	# Try to use the -exported_symbol ld option, if it does not
+	# work, assume that -exports_file does not work either and
+	# implicitly export all symbols.
+        save_LDFLAGS="$LDFLAGS"
+        LDFLAGS="$LDFLAGS -shared ${wl}-exported_symbol ${wl}foo ${wl}-update_registry ${wl}/dev/null"
+        AC_LINK_IFELSE(int foo(void) {},
+          _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && $ECHO "X${wl}-set_version ${wl}$verstring" | $Xsed` ${wl}-update_registry ${wl}${output_objdir}/so_locations ${wl}-exports_file ${wl}$export_symbols -o $lib'
+        )
+        LDFLAGS="$save_LDFLAGS"
+      else
+	_LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && $ECHO "X-set_version $verstring" | $Xsed` -update_registry ${output_objdir}/so_locations -o $lib'
+	_LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && $ECHO "X-set_version $verstring" | $Xsed` -update_registry ${output_objdir}/so_locations -exports_file $export_symbols -o $lib'
+      fi
+      _LT_TAGVAR(archive_cmds_need_lc, $1)='no'
+      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
+      _LT_TAGVAR(hardcode_libdir_separator, $1)=:
+      _LT_TAGVAR(inherit_rpath, $1)=yes
+      _LT_TAGVAR(link_all_deplibs, $1)=yes
+      ;;
 
-# Do we need a version for libraries?
-need_version=$need_version
+    netbsd* | netbsdelf*-gnu)
+      if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then
+	_LT_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'  # a.out
+      else
+	_LT_TAGVAR(archive_cmds, $1)='$LD -shared -o $lib $libobjs $deplibs $linker_flags'      # ELF
+      fi
+      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
+      _LT_TAGVAR(hardcode_direct, $1)=yes
+      _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
+      ;;
 
-# Whether dlopen is supported.
-dlopen_support=$enable_dlopen
+    newsos6)
+      _LT_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+      _LT_TAGVAR(hardcode_direct, $1)=yes
+      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
+      _LT_TAGVAR(hardcode_libdir_separator, $1)=:
+      _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
+      ;;
 
-# Whether dlopen of programs is supported.
-dlopen_self=$enable_dlopen_self
+    *nto* | *qnx*)
+      ;;
 
-# Whether dlopen of statically linked programs is supported.
-dlopen_self_static=$enable_dlopen_self_static
+    openbsd*)
+      if test -f /usr/libexec/ld.so; then
+	_LT_TAGVAR(hardcode_direct, $1)=yes
+	_LT_TAGVAR(hardcode_shlibpath_var, $1)=no
+	_LT_TAGVAR(hardcode_direct_absolute, $1)=yes
+	if test -z "`echo __ELF__ | $CC -E - | $GREP __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
+	  _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
+	  _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-retain-symbols-file,$export_symbols'
+	  _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
+	  _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
+	else
+	  case $host_os in
+	   openbsd[[01]].* | openbsd2.[[0-7]] | openbsd2.[[0-7]].*)
+	     _LT_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'
+	     _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
+	     ;;
+	   *)
+	     _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
+	     _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
+	     ;;
+	  esac
+	fi
+      else
+	_LT_TAGVAR(ld_shlibs, $1)=no
+      fi
+      ;;
 
-# Compiler flag to prevent dynamic linking.
-link_static_flag=$lt_[]_LT_AC_TAGVAR(lt_prog_compiler_static, $1)
+    os2*)
+      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
+      _LT_TAGVAR(hardcode_minus_L, $1)=yes
+      _LT_TAGVAR(allow_undefined_flag, $1)=unsupported
+      _LT_TAGVAR(archive_cmds, $1)='$ECHO "LIBRARY $libname INITINSTANCE" > $output_objdir/$libname.def~$ECHO "DESCRIPTION \"$libname\"" >> $output_objdir/$libname.def~$ECHO DATA >> $output_objdir/$libname.def~$ECHO " SINGLE NONSHARED" >> $output_objdir/$libname.def~$ECHO EXPORTS >> $output_objdir/$libname.def~emxexp $libobjs >> $output_objdir/$libname.def~$CC -Zdll -Zcrtdll -o $lib $libobjs $deplibs $compiler_flags $output_objdir/$libname.def'
+      _LT_TAGVAR(old_archive_from_new_cmds, $1)='emximp -o $output_objdir/$libname.a $output_objdir/$libname.def'
+      ;;
 
-# Compiler flag to turn off builtin functions.
-no_builtin_flag=$lt_[]_LT_AC_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)
+    osf3*)
+      if test "$GCC" = yes; then
+	_LT_TAGVAR(allow_undefined_flag, $1)=' ${wl}-expect_unresolved ${wl}\*'
+	_LT_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && $ECHO "X${wl}-set_version ${wl}$verstring" | $Xsed` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+      else
+	_LT_TAGVAR(allow_undefined_flag, $1)=' -expect_unresolved \*'
+	_LT_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && $ECHO "X-set_version $verstring" | $Xsed` -update_registry ${output_objdir}/so_locations -o $lib'
+      fi
+      _LT_TAGVAR(archive_cmds_need_lc, $1)='no'
+      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
+      _LT_TAGVAR(hardcode_libdir_separator, $1)=:
+      ;;
 
-# Compiler flag to allow reflexive dlopens.
-export_dynamic_flag_spec=$lt_[]_LT_AC_TAGVAR(export_dynamic_flag_spec, $1)
+    osf4* | osf5*)	# as osf3* with the addition of -msym flag
+      if test "$GCC" = yes; then
+	_LT_TAGVAR(allow_undefined_flag, $1)=' ${wl}-expect_unresolved ${wl}\*'
+	_LT_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-msym ${wl}-soname ${wl}$soname `test -n "$verstring" && $ECHO "X${wl}-set_version ${wl}$verstring" | $Xsed` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+	_LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
+      else
+	_LT_TAGVAR(allow_undefined_flag, $1)=' -expect_unresolved \*'
+	_LT_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags -msym -soname $soname `test -n "$verstring" && $ECHO "X-set_version $verstring" | $Xsed` -update_registry ${output_objdir}/so_locations -o $lib'
+	_LT_TAGVAR(archive_expsym_cmds, $1)='for i in `cat $export_symbols`; do printf "%s %s\\n" -exported_symbol "\$i" >> $lib.exp; done; printf "%s\\n" "-hidden">> $lib.exp~
+	$CC -shared${allow_undefined_flag} ${wl}-input ${wl}$lib.exp $compiler_flags $libobjs $deplibs -soname $soname `test -n "$verstring" && $ECHO "X-set_version $verstring" | $Xsed` -update_registry ${output_objdir}/so_locations -o $lib~$RM $lib.exp'
 
-# Compiler flag to generate shared objects directly from archives.
-whole_archive_flag_spec=$lt_[]_LT_AC_TAGVAR(whole_archive_flag_spec, $1)
+	# Both c and cxx compiler support -rpath directly
+	_LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-rpath $libdir'
+      fi
+      _LT_TAGVAR(archive_cmds_need_lc, $1)='no'
+      _LT_TAGVAR(hardcode_libdir_separator, $1)=:
+      ;;
 
-# Compiler flag to generate thread-safe objects.
-thread_safe_flag_spec=$lt_[]_LT_AC_TAGVAR(thread_safe_flag_spec, $1)
+    solaris*)
+      _LT_TAGVAR(no_undefined_flag, $1)=' -z defs'
+      if test "$GCC" = yes; then
+	wlarc='${wl}'
+	_LT_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}-z ${wl}text ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
+	_LT_TAGVAR(archive_expsym_cmds, $1)='echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~echo "local: *; };" >> $lib.exp~
+	  $CC -shared ${wl}-z ${wl}text ${wl}-M ${wl}$lib.exp ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags~$RM $lib.exp'
+      else
+	case `$CC -V 2>&1` in
+	*"Compilers 5.0"*)
+	  wlarc=''
+	  _LT_TAGVAR(archive_cmds, $1)='$LD -G${allow_undefined_flag} -h $soname -o $lib $libobjs $deplibs $linker_flags'
+	  _LT_TAGVAR(archive_expsym_cmds, $1)='echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~echo "local: *; };" >> $lib.exp~
+	  $LD -G${allow_undefined_flag} -M $lib.exp -h $soname -o $lib $libobjs $deplibs $linker_flags~$RM $lib.exp'
+	  ;;
+	*)
+	  wlarc='${wl}'
+	  _LT_TAGVAR(archive_cmds, $1)='$CC -G${allow_undefined_flag} -h $soname -o $lib $libobjs $deplibs $compiler_flags'
+	  _LT_TAGVAR(archive_expsym_cmds, $1)='echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~echo "local: *; };" >> $lib.exp~
+	  $CC -G${allow_undefined_flag} -M $lib.exp -h $soname -o $lib $libobjs $deplibs $compiler_flags~$RM $lib.exp'
+	  ;;
+	esac
+      fi
+      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
+      _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
+      case $host_os in
+      solaris2.[[0-5]] | solaris2.[[0-5]].*) ;;
+      *)
+	# The compiler driver will combine and reorder linker options,
+	# but understands `-z linker_flag'.  GCC discards it without `$wl',
+	# but is careful enough not to reorder.
+	# Supported since Solaris 2.6 (maybe 2.5.1?)
+	if test "$GCC" = yes; then
+	  _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}-z ${wl}allextract$convenience ${wl}-z ${wl}defaultextract'
+	else
+	  _LT_TAGVAR(whole_archive_flag_spec, $1)='-z allextract$convenience -z defaultextract'
+	fi
+	;;
+      esac
+      _LT_TAGVAR(link_all_deplibs, $1)=yes
+      ;;
 
-# Library versioning type.
-version_type=$version_type
+    sunos4*)
+      if test "x$host_vendor" = xsequent; then
+	# Use $CC to link under sequent, because it throws in some extra .o
+	# files that make .init and .fini sections work.
+	_LT_TAGVAR(archive_cmds, $1)='$CC -G ${wl}-h $soname -o $lib $libobjs $deplibs $compiler_flags'
+      else
+	_LT_TAGVAR(archive_cmds, $1)='$LD -assert pure-text -Bstatic -o $lib $libobjs $deplibs $linker_flags'
+      fi
+      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
+      _LT_TAGVAR(hardcode_direct, $1)=yes
+      _LT_TAGVAR(hardcode_minus_L, $1)=yes
+      _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
+      ;;
 
-# Format of library name prefix.
-libname_spec=$lt_libname_spec
+    sysv4)
+      case $host_vendor in
+	sni)
+	  _LT_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+	  _LT_TAGVAR(hardcode_direct, $1)=yes # is this really true???
+	;;
+	siemens)
+	  ## LD is ld it makes a PLAMLIB
+	  ## CC just makes a GrossModule.
+	  _LT_TAGVAR(archive_cmds, $1)='$LD -G -o $lib $libobjs $deplibs $linker_flags'
+	  _LT_TAGVAR(reload_cmds, $1)='$CC -r -o $output$reload_objs'
+	  _LT_TAGVAR(hardcode_direct, $1)=no
+        ;;
+	motorola)
+	  _LT_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+	  _LT_TAGVAR(hardcode_direct, $1)=no #Motorola manual says yes, but my tests say they lie
+	;;
+      esac
+      runpath_var='LD_RUN_PATH'
+      _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
+      ;;
 
-# List of archive names.  First name is the real one, the rest are links.
-# The last name is the one that the linker finds with -lNAME.
-library_names_spec=$lt_library_names_spec
+    sysv4.3*)
+      _LT_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+      _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
+      _LT_TAGVAR(export_dynamic_flag_spec, $1)='-Bexport'
+      ;;
 
-# The coded name of the library, if different from the real name.
-soname_spec=$lt_soname_spec
+    sysv4*MP*)
+      if test -d /usr/nec; then
+	_LT_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+	_LT_TAGVAR(hardcode_shlibpath_var, $1)=no
+	runpath_var=LD_RUN_PATH
+	hardcode_runpath_var=yes
+	_LT_TAGVAR(ld_shlibs, $1)=yes
+      fi
+      ;;
 
-# Commands used to build and install an old-style archive.
-RANLIB=$lt_RANLIB
-old_archive_cmds=$lt_[]_LT_AC_TAGVAR(old_archive_cmds, $1)
-old_postinstall_cmds=$lt_old_postinstall_cmds
-old_postuninstall_cmds=$lt_old_postuninstall_cmds
+    sysv4*uw2* | sysv5OpenUNIX* | sysv5UnixWare7.[[01]].[[10]]* | unixware7* | sco3.2v5.0.[[024]]*)
+      _LT_TAGVAR(no_undefined_flag, $1)='${wl}-z,text'
+      _LT_TAGVAR(archive_cmds_need_lc, $1)=no
+      _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
+      runpath_var='LD_RUN_PATH'
 
-# Create an old-style archive from a shared archive.
-old_archive_from_new_cmds=$lt_[]_LT_AC_TAGVAR(old_archive_from_new_cmds, $1)
+      if test "$GCC" = yes; then
+	_LT_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+	_LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+      else
+	_LT_TAGVAR(archive_cmds, $1)='$CC -G ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+	_LT_TAGVAR(archive_expsym_cmds, $1)='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+      fi
+      ;;
 
-# Create a temporary old-style archive to link instead of a shared archive.
-old_archive_from_expsyms_cmds=$lt_[]_LT_AC_TAGVAR(old_archive_from_expsyms_cmds, $1)
+    sysv5* | sco3.2v5* | sco5v6*)
+      # Note: We can NOT use -z defs as we might desire, because we do not
+      # link with -lc, and that would cause any symbols used from libc to
+      # always be unresolved, which means just about no library would
+      # ever link correctly.  If we're not using GNU ld we use -z text
+      # though, which does catch some bad symbols but isn't as heavy-handed
+      # as -z defs.
+      _LT_TAGVAR(no_undefined_flag, $1)='${wl}-z,text'
+      _LT_TAGVAR(allow_undefined_flag, $1)='${wl}-z,nodefs'
+      _LT_TAGVAR(archive_cmds_need_lc, $1)=no
+      _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
+      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-R,$libdir'
+      _LT_TAGVAR(hardcode_libdir_separator, $1)=':'
+      _LT_TAGVAR(link_all_deplibs, $1)=yes
+      _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-Bexport'
+      runpath_var='LD_RUN_PATH'
 
-# Commands used to build and install a shared archive.
-archive_cmds=$lt_[]_LT_AC_TAGVAR(archive_cmds, $1)
-archive_expsym_cmds=$lt_[]_LT_AC_TAGVAR(archive_expsym_cmds, $1)
-postinstall_cmds=$lt_postinstall_cmds
-postuninstall_cmds=$lt_postuninstall_cmds
+      if test "$GCC" = yes; then
+	_LT_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+	_LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+      else
+	_LT_TAGVAR(archive_cmds, $1)='$CC -G ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+	_LT_TAGVAR(archive_expsym_cmds, $1)='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+      fi
+      ;;
 
-# Commands used to build a loadable module (assumed same as above if empty)
-module_cmds=$lt_[]_LT_AC_TAGVAR(module_cmds, $1)
-module_expsym_cmds=$lt_[]_LT_AC_TAGVAR(module_expsym_cmds, $1)
+    uts4*)
+      _LT_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
+      _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
+      ;;
 
-# Commands to strip libraries.
-old_striplib=$lt_old_striplib
-striplib=$lt_striplib
+    *)
+      _LT_TAGVAR(ld_shlibs, $1)=no
+      ;;
+    esac
 
-# Dependencies to place before the objects being linked to create a
-# shared library.
-predep_objects=$lt_[]_LT_AC_TAGVAR(predep_objects, $1)
+    if test x$host_vendor = xsni; then
+      case $host in
+      sysv4 | sysv4.2uw2* | sysv4.3* | sysv5*)
+	_LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-Blargedynsym'
+	;;
+      esac
+    fi
+  fi
+])
+AC_MSG_RESULT([$_LT_TAGVAR(ld_shlibs, $1)])
+test "$_LT_TAGVAR(ld_shlibs, $1)" = no && can_build_shared=no
 
-# Dependencies to place after the objects being linked to create a
-# shared library.
-postdep_objects=$lt_[]_LT_AC_TAGVAR(postdep_objects, $1)
+_LT_TAGVAR(with_gnu_ld, $1)=$with_gnu_ld
 
-# Dependencies to place before the objects being linked to create a
-# shared library.
-predeps=$lt_[]_LT_AC_TAGVAR(predeps, $1)
+_LT_DECL([], [libext], [0], [Old archive suffix (normally "a")])dnl
+_LT_DECL([], [shrext_cmds], [1], [Shared library suffix (normally ".so")])dnl
+_LT_DECL([], [extract_expsyms_cmds], [2],
+    [The commands to extract the exported symbol list from a shared archive])
 
-# Dependencies to place after the objects being linked to create a
-# shared library.
-postdeps=$lt_[]_LT_AC_TAGVAR(postdeps, $1)
+#
+# Do we need to explicitly link libc?
+#
+case "x$_LT_TAGVAR(archive_cmds_need_lc, $1)" in
+x|xyes)
+  # Assume -lc should be added
+  _LT_TAGVAR(archive_cmds_need_lc, $1)=yes
 
-# The directories searched by this compiler when creating a shared
-# library
-compiler_lib_search_dirs=$lt_[]_LT_AC_TAGVAR(compiler_lib_search_dirs, $1)
+  if test "$enable_shared" = yes && test "$GCC" = yes; then
+    case $_LT_TAGVAR(archive_cmds, $1) in
+    *'~'*)
+      # FIXME: we may have to deal with multi-command sequences.
+      ;;
+    '$CC '*)
+      # Test whether the compiler implicitly links with -lc since on some
+      # systems, -lgcc has to come before -lc. If gcc already passes -lc
+      # to ld, don't add -lc before -lgcc.
+      AC_MSG_CHECKING([whether -lc should be explicitly linked in])
+      $RM conftest*
+      echo "$lt_simple_compile_test_code" > conftest.$ac_ext
 
-# The library search path used internally by the compiler when linking
-# a shared library.
-compiler_lib_search_path=$lt_[]_LT_AC_TAGVAR(compiler_lib_search_path, $1)
+      if AC_TRY_EVAL(ac_compile) 2>conftest.err; then
+        soname=conftest
+        lib=conftest
+        libobjs=conftest.$ac_objext
+        deplibs=
+        wl=$_LT_TAGVAR(lt_prog_compiler_wl, $1)
+	pic_flag=$_LT_TAGVAR(lt_prog_compiler_pic, $1)
+        compiler_flags=-v
+        linker_flags=-v
+        verstring=
+        output_objdir=.
+        libname=conftest
+        lt_save_allow_undefined_flag=$_LT_TAGVAR(allow_undefined_flag, $1)
+        _LT_TAGVAR(allow_undefined_flag, $1)=
+        if AC_TRY_EVAL(_LT_TAGVAR(archive_cmds, $1) 2\>\&1 \| $GREP \" -lc \" \>/dev/null 2\>\&1)
+        then
+	  _LT_TAGVAR(archive_cmds_need_lc, $1)=no
+        else
+	  _LT_TAGVAR(archive_cmds_need_lc, $1)=yes
+        fi
+        _LT_TAGVAR(allow_undefined_flag, $1)=$lt_save_allow_undefined_flag
+      else
+        cat conftest.err 1>&5
+      fi
+      $RM conftest*
+      AC_MSG_RESULT([$_LT_TAGVAR(archive_cmds_need_lc, $1)])
+      ;;
+    esac
+  fi
+  ;;
+esac
 
-# Method to check whether dependent libraries are shared objects.
-deplibs_check_method=$lt_deplibs_check_method
+_LT_TAGDECL([build_libtool_need_lc], [archive_cmds_need_lc], [0],
+    [Whether or not to add -lc for building shared libraries])
+_LT_TAGDECL([allow_libtool_libs_with_static_runtimes],
+    [enable_shared_with_static_runtimes], [0],
+    [Whether or not to disallow shared libs when runtime libs are static])
+_LT_TAGDECL([], [export_dynamic_flag_spec], [1],
+    [Compiler flag to allow reflexive dlopens])
+_LT_TAGDECL([], [whole_archive_flag_spec], [1],
+    [Compiler flag to generate shared objects directly from archives])
+_LT_TAGDECL([], [compiler_needs_object], [1],
+    [Whether the compiler copes with passing no objects directly])
+_LT_TAGDECL([], [old_archive_from_new_cmds], [2],
+    [Create an old-style archive from a shared archive])
+_LT_TAGDECL([], [old_archive_from_expsyms_cmds], [2],
+    [Create a temporary old-style archive to link instead of a shared archive])
+_LT_TAGDECL([], [archive_cmds], [2], [Commands used to build a shared archive])
+_LT_TAGDECL([], [archive_expsym_cmds], [2])
+_LT_TAGDECL([], [module_cmds], [2],
+    [Commands used to build a loadable module if different from building
+    a shared archive.])
+_LT_TAGDECL([], [module_expsym_cmds], [2])
+_LT_TAGDECL([], [with_gnu_ld], [1],
+    [Whether we are building with GNU ld or not])
+_LT_TAGDECL([], [allow_undefined_flag], [1],
+    [Flag that allows shared libraries with undefined symbols to be built])
+_LT_TAGDECL([], [no_undefined_flag], [1],
+    [Flag that enforces no undefined symbols])
+_LT_TAGDECL([], [hardcode_libdir_flag_spec], [1],
+    [Flag to hardcode $libdir into a binary during linking.
+    This must work even if $libdir does not exist])
+_LT_TAGDECL([], [hardcode_libdir_flag_spec_ld], [1],
+    [[If ld is used when linking, flag to hardcode $libdir into a binary
+    during linking.  This must work even if $libdir does not exist]])
+_LT_TAGDECL([], [hardcode_libdir_separator], [1],
+    [Whether we need a single "-rpath" flag with a separated argument])
+_LT_TAGDECL([], [hardcode_direct], [0],
+    [Set to "yes" if using DIR/libNAME${shared_ext} during linking hardcodes
+    DIR into the resulting binary])
+_LT_TAGDECL([], [hardcode_direct_absolute], [0],
+    [Set to "yes" if using DIR/libNAME${shared_ext} during linking hardcodes
+    DIR into the resulting binary and the resulting library dependency is
+    "absolute", i.e impossible to change by setting ${shlibpath_var} if the
+    library is relocated])
+_LT_TAGDECL([], [hardcode_minus_L], [0],
+    [Set to "yes" if using the -LDIR flag during linking hardcodes DIR
+    into the resulting binary])
+_LT_TAGDECL([], [hardcode_shlibpath_var], [0],
+    [Set to "yes" if using SHLIBPATH_VAR=DIR during linking hardcodes DIR
+    into the resulting binary])
+_LT_TAGDECL([], [hardcode_automatic], [0],
+    [Set to "yes" if building a shared library automatically hardcodes DIR
+    into the library and all subsequent libraries and executables linked
+    against it])
+_LT_TAGDECL([], [inherit_rpath], [0],
+    [Set to yes if linker adds runtime paths of dependent libraries
+    to runtime path list])
+_LT_TAGDECL([], [link_all_deplibs], [0],
+    [Whether libtool must link a program against all its dependency libraries])
+_LT_TAGDECL([], [fix_srcfile_path], [1],
+    [Fix the shell variable $srcfile for the compiler])
+_LT_TAGDECL([], [always_export_symbols], [0],
+    [Set to "yes" if exported symbols are required])
+_LT_TAGDECL([], [export_symbols_cmds], [2],
+    [The commands to list exported symbols])
+_LT_TAGDECL([], [exclude_expsyms], [1],
+    [Symbols that should not be listed in the preloaded symbols])
+_LT_TAGDECL([], [include_expsyms], [1],
+    [Symbols that must always be exported])
+_LT_TAGDECL([], [prelink_cmds], [2],
+    [Commands necessary for linking programs (against libraries) with templates])
+_LT_TAGDECL([], [file_list_spec], [1],
+    [Specify filename containing input files])
+dnl FIXME: Not yet implemented
+dnl _LT_TAGDECL([], [thread_safe_flag_spec], [1],
+dnl    [Compiler flag to generate thread safe objects])
+])# _LT_LINKER_SHLIBS
+
+
+# _LT_LANG_C_CONFIG([TAG])
+# ------------------------
+# Ensure that the configuration variables for a C compiler are suitably
+# defined.  These variables are subsequently used by _LT_CONFIG to write
+# the compiler configuration to `libtool'.
+m4_defun([_LT_LANG_C_CONFIG],
+[m4_require([_LT_DECL_EGREP])dnl
+lt_save_CC="$CC"
+AC_LANG_PUSH(C)
 
-# Command to use when deplibs_check_method == file_magic.
-file_magic_cmd=$lt_file_magic_cmd
+# Source file extension for C test sources.
+ac_ext=c
 
-# Flag that allows shared libraries with undefined symbols to be built.
-allow_undefined_flag=$lt_[]_LT_AC_TAGVAR(allow_undefined_flag, $1)
+# Object file extension for compiled C test sources.
+objext=o
+_LT_TAGVAR(objext, $1)=$objext
 
-# Flag that forces no undefined symbols.
-no_undefined_flag=$lt_[]_LT_AC_TAGVAR(no_undefined_flag, $1)
+# Code to be used in simple compile tests
+lt_simple_compile_test_code="int some_variable = 0;"
 
-# Commands used to finish a libtool library installation in a directory.
-finish_cmds=$lt_finish_cmds
+# Code to be used in simple link tests
+lt_simple_link_test_code='int main(){return(0);}'
 
-# Same as above, but a single script fragment to be evaled but not shown.
-finish_eval=$lt_finish_eval
+_LT_TAG_COMPILER
+# Save the default compiler, since it gets overwritten when the other
+# tags are being tested, and _LT_TAGVAR(compiler, []) is a NOP.
+compiler_DEFAULT=$CC
 
-# Take the output of nm and produce a listing of raw symbols and C names.
-global_symbol_pipe=$lt_lt_cv_sys_global_symbol_pipe
+# save warnings/boilerplate of simple test code
+_LT_COMPILER_BOILERPLATE
+_LT_LINKER_BOILERPLATE
 
-# Transform the output of nm in a proper C declaration
-global_symbol_to_cdecl=$lt_lt_cv_sys_global_symbol_to_cdecl
+if test -n "$compiler"; then
+  _LT_COMPILER_NO_RTTI($1)
+  _LT_COMPILER_PIC($1)
+  _LT_COMPILER_C_O($1)
+  _LT_COMPILER_FILE_LOCKS($1)
+  _LT_LINKER_SHLIBS($1)
+  _LT_SYS_DYNAMIC_LINKER($1)
+  _LT_LINKER_HARDCODE_LIBPATH($1)
+  LT_SYS_DLOPEN_SELF
+  _LT_CMD_STRIPLIB
+
+  # Report which library types will actually be built
+  AC_MSG_CHECKING([if libtool supports shared libraries])
+  AC_MSG_RESULT([$can_build_shared])
+
+  AC_MSG_CHECKING([whether to build shared libraries])
+  test "$can_build_shared" = "no" && enable_shared=no
+
+  # On AIX, shared libraries and static libraries use the same namespace, and
+  # are all built from PIC.
+  case $host_os in
+  aix3*)
+    test "$enable_shared" = yes && enable_static=no
+    if test -n "$RANLIB"; then
+      archive_cmds="$archive_cmds~\$RANLIB \$lib"
+      postinstall_cmds='$RANLIB $lib'
+    fi
+    ;;
 
-# Transform the output of nm in a C name address pair
-global_symbol_to_c_name_address=$lt_lt_cv_sys_global_symbol_to_c_name_address
+  aix[[4-9]]*)
+    if test "$host_cpu" != ia64 && test "$aix_use_runtimelinking" = no ; then
+      test "$enable_shared" = yes && enable_static=no
+    fi
+    ;;
+  esac
+  AC_MSG_RESULT([$enable_shared])
 
-# This is the shared library runtime path variable.
-runpath_var=$runpath_var
+  AC_MSG_CHECKING([whether to build static libraries])
+  # Make sure either enable_shared or enable_static is yes.
+  test "$enable_shared" = yes || enable_static=yes
+  AC_MSG_RESULT([$enable_static])
 
-# This is the shared library path variable.
-shlibpath_var=$shlibpath_var
+  _LT_CONFIG($1)
+fi
+AC_LANG_POP
+CC="$lt_save_CC"
+])# _LT_LANG_C_CONFIG
 
-# Is shlibpath searched before the hard-coded library search path?
-shlibpath_overrides_runpath=$shlibpath_overrides_runpath
 
-# How to hardcode a shared library path into an executable.
-hardcode_action=$_LT_AC_TAGVAR(hardcode_action, $1)
+# _LT_PROG_CXX
+# ------------
+# Since AC_PROG_CXX is broken, in that it returns g++ if there is no c++
+# compiler, we have our own version here.
+m4_defun([_LT_PROG_CXX],
+[
+pushdef([AC_MSG_ERROR], [_lt_caught_CXX_error=yes])
+AC_PROG_CXX
+if test -n "$CXX" && ( test "X$CXX" != "Xno" &&
+    ( (test "X$CXX" = "Xg++" && `g++ -v >/dev/null 2>&1` ) ||
+    (test "X$CXX" != "Xg++"))) ; then
+  AC_PROG_CXXCPP
+else
+  _lt_caught_CXX_error=yes
+fi
+popdef([AC_MSG_ERROR])
+])# _LT_PROG_CXX
 
-# Whether we should hardcode library paths into libraries.
-hardcode_into_libs=$hardcode_into_libs
+dnl aclocal-1.4 backwards compatibility:
+dnl AC_DEFUN([_LT_PROG_CXX], [])
 
-# Flag to hardcode \$libdir into a binary during linking.
-# This must work even if \$libdir does not exist.
-hardcode_libdir_flag_spec=$lt_[]_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)
 
-# If ld is used when linking, flag to hardcode \$libdir into
-# a binary during linking. This must work even if \$libdir does
-# not exist.
-hardcode_libdir_flag_spec_ld=$lt_[]_LT_AC_TAGVAR(hardcode_libdir_flag_spec_ld, $1)
+# _LT_LANG_CXX_CONFIG([TAG])
+# --------------------------
+# Ensure that the configuration variables for a C++ compiler are suitably
+# defined.  These variables are subsequently used by _LT_CONFIG to write
+# the compiler configuration to `libtool'.
+m4_defun([_LT_LANG_CXX_CONFIG],
+[AC_REQUIRE([_LT_PROG_CXX])dnl
+m4_require([_LT_FILEUTILS_DEFAULTS])dnl
+m4_require([_LT_DECL_EGREP])dnl
+
+AC_LANG_PUSH(C++)
+_LT_TAGVAR(archive_cmds_need_lc, $1)=no
+_LT_TAGVAR(allow_undefined_flag, $1)=
+_LT_TAGVAR(always_export_symbols, $1)=no
+_LT_TAGVAR(archive_expsym_cmds, $1)=
+_LT_TAGVAR(compiler_needs_object, $1)=no
+_LT_TAGVAR(export_dynamic_flag_spec, $1)=
+_LT_TAGVAR(hardcode_direct, $1)=no
+_LT_TAGVAR(hardcode_direct_absolute, $1)=no
+_LT_TAGVAR(hardcode_libdir_flag_spec, $1)=
+_LT_TAGVAR(hardcode_libdir_flag_spec_ld, $1)=
+_LT_TAGVAR(hardcode_libdir_separator, $1)=
+_LT_TAGVAR(hardcode_minus_L, $1)=no
+_LT_TAGVAR(hardcode_shlibpath_var, $1)=unsupported
+_LT_TAGVAR(hardcode_automatic, $1)=no
+_LT_TAGVAR(inherit_rpath, $1)=no
+_LT_TAGVAR(module_cmds, $1)=
+_LT_TAGVAR(module_expsym_cmds, $1)=
+_LT_TAGVAR(link_all_deplibs, $1)=unknown
+_LT_TAGVAR(old_archive_cmds, $1)=$old_archive_cmds
+_LT_TAGVAR(no_undefined_flag, $1)=
+_LT_TAGVAR(whole_archive_flag_spec, $1)=
+_LT_TAGVAR(enable_shared_with_static_runtimes, $1)=no
 
-# Whether we need a single -rpath flag with a separated argument.
-hardcode_libdir_separator=$lt_[]_LT_AC_TAGVAR(hardcode_libdir_separator, $1)
+# Source file extension for C++ test sources.
+ac_ext=cpp
 
-# Set to yes if using DIR/libNAME${shared_ext} during linking hardcodes DIR into the
-# resulting binary.
-hardcode_direct=$_LT_AC_TAGVAR(hardcode_direct, $1)
+# Object file extension for compiled C++ test sources.
+objext=o
+_LT_TAGVAR(objext, $1)=$objext
+
+# No sense in running all these tests if we already determined that
+# the CXX compiler isn't working.  Some variables (like enable_shared)
+# are currently assumed to apply to all compilers on this platform,
+# and will be corrupted by setting them based on a non-working compiler.
+if test "$_lt_caught_CXX_error" != yes; then
+  # Code to be used in simple compile tests
+  lt_simple_compile_test_code="int some_variable = 0;"
+
+  # Code to be used in simple link tests
+  lt_simple_link_test_code='int main(int, char *[[]]) { return(0); }'
+
+  # ltmain only uses $CC for tagged configurations so make sure $CC is set.
+  _LT_TAG_COMPILER
+
+  # save warnings/boilerplate of simple test code
+  _LT_COMPILER_BOILERPLATE
+  _LT_LINKER_BOILERPLATE
+
+  # Allow CC to be a program name with arguments.
+  lt_save_CC=$CC
+  lt_save_LD=$LD
+  lt_save_GCC=$GCC
+  GCC=$GXX
+  lt_save_with_gnu_ld=$with_gnu_ld
+  lt_save_path_LD=$lt_cv_path_LD
+  if test -n "${lt_cv_prog_gnu_ldcxx+set}"; then
+    lt_cv_prog_gnu_ld=$lt_cv_prog_gnu_ldcxx
+  else
+    $as_unset lt_cv_prog_gnu_ld
+  fi
+  if test -n "${lt_cv_path_LDCXX+set}"; then
+    lt_cv_path_LD=$lt_cv_path_LDCXX
+  else
+    $as_unset lt_cv_path_LD
+  fi
+  test -z "${LDCXX+set}" || LD=$LDCXX
+  CC=${CXX-"c++"}
+  compiler=$CC
+  _LT_TAGVAR(compiler, $1)=$CC
+  _LT_CC_BASENAME([$compiler])
 
-# Set to yes if using the -LDIR flag during linking hardcodes DIR into the
-# resulting binary.
-hardcode_minus_L=$_LT_AC_TAGVAR(hardcode_minus_L, $1)
+  if test -n "$compiler"; then
+    # We don't want -fno-exception when compiling C++ code, so set the
+    # no_builtin_flag separately
+    if test "$GXX" = yes; then
+      _LT_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)=' -fno-builtin'
+    else
+      _LT_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)=
+    fi
 
-# Set to yes if using SHLIBPATH_VAR=DIR during linking hardcodes DIR into
-# the resulting binary.
-hardcode_shlibpath_var=$_LT_AC_TAGVAR(hardcode_shlibpath_var, $1)
+    if test "$GXX" = yes; then
+      # Set up default GNU C++ configuration
 
-# Set to yes if building a shared library automatically hardcodes DIR into the library
-# and all subsequent libraries and executables linked against it.
-hardcode_automatic=$_LT_AC_TAGVAR(hardcode_automatic, $1)
+      LT_PATH_LD
 
-# Variables whose values should be saved in libtool wrapper scripts and
-# restored at relink time.
-variables_saved_for_relink="$variables_saved_for_relink"
+      # Check if GNU C++ uses GNU ld as the underlying linker, since the
+      # archiving commands below assume that GNU ld is being used.
+      if test "$with_gnu_ld" = yes; then
+        _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib'
+        _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
 
-# Whether libtool must link a program against all its dependency libraries.
-link_all_deplibs=$_LT_AC_TAGVAR(link_all_deplibs, $1)
+        _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
+        _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic'
 
-# Compile-time system search path for libraries
-sys_lib_search_path_spec=$lt_sys_lib_search_path_spec
+        # If archive_cmds runs LD, not CC, wlarc should be empty
+        # XXX I think wlarc can be eliminated in ltcf-cxx, but I need to
+        #     investigate it a little bit more. (MM)
+        wlarc='${wl}'
 
-# Run-time system search path for libraries
-sys_lib_dlsearch_path_spec=$lt_sys_lib_dlsearch_path_spec
+        # ancient GNU ld didn't support --whole-archive et. al.
+        if eval "`$CC -print-prog-name=ld` --help 2>&1" |
+	  $GREP 'no-whole-archive' > /dev/null; then
+          _LT_TAGVAR(whole_archive_flag_spec, $1)="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive'
+        else
+          _LT_TAGVAR(whole_archive_flag_spec, $1)=
+        fi
+      else
+        with_gnu_ld=no
+        wlarc=
+
+        # A generic and very simple default shared library creation
+        # command for GNU C++ for the case where it uses the native
+        # linker, instead of GNU ld.  If possible, this setting should
+        # overridden to take advantage of the native linker features on
+        # the platform it is being used on.
+        _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $lib'
+      fi
 
-# Fix the shell variable \$srcfile for the compiler.
-fix_srcfile_path=$lt_fix_srcfile_path
+      # Commands to make compiler produce verbose output that lists
+      # what "hidden" libraries, object files and flags are used when
+      # linking a shared library.
+      output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP "\-L"'
 
-# Set to yes if exported symbols are required.
-always_export_symbols=$_LT_AC_TAGVAR(always_export_symbols, $1)
+    else
+      GXX=no
+      with_gnu_ld=no
+      wlarc=
+    fi
 
-# The commands to list exported symbols.
-export_symbols_cmds=$lt_[]_LT_AC_TAGVAR(export_symbols_cmds, $1)
+    # PORTME: fill in a description of your system's C++ link characteristics
+    AC_MSG_CHECKING([whether the $compiler linker ($LD) supports shared libraries])
+    _LT_TAGVAR(ld_shlibs, $1)=yes
+    case $host_os in
+      aix3*)
+        # FIXME: insert proper C++ library support
+        _LT_TAGVAR(ld_shlibs, $1)=no
+        ;;
+      aix[[4-9]]*)
+        if test "$host_cpu" = ia64; then
+          # On IA64, the linker does run time linking by default, so we don't
+          # have to do anything special.
+          aix_use_runtimelinking=no
+          exp_sym_flag='-Bexport'
+          no_entry_flag=""
+        else
+          aix_use_runtimelinking=no
+
+          # Test if we are trying to use run time linking or normal
+          # AIX style linking. If -brtl is somewhere in LDFLAGS, we
+          # need to do runtime linking.
+          case $host_os in aix4.[[23]]|aix4.[[23]].*|aix[[5-9]]*)
+	    for ld_flag in $LDFLAGS; do
+	      case $ld_flag in
+	      *-brtl*)
+	        aix_use_runtimelinking=yes
+	        break
+	        ;;
+	      esac
+	    done
+	    ;;
+          esac
 
-# The commands to extract the exported symbol list from a shared archive.
-extract_expsyms_cmds=$lt_extract_expsyms_cmds
+          exp_sym_flag='-bexport'
+          no_entry_flag='-bnoentry'
+        fi
 
-# Symbols that should not be listed in the preloaded symbols.
-exclude_expsyms=$lt_[]_LT_AC_TAGVAR(exclude_expsyms, $1)
+        # When large executables or shared objects are built, AIX ld can
+        # have problems creating the table of contents.  If linking a library
+        # or program results in "error TOC overflow" add -mminimal-toc to
+        # CXXFLAGS/CFLAGS for g++/gcc.  In the cases where that is not
+        # enough to fix the problem, add -Wl,-bbigtoc to LDFLAGS.
+
+        _LT_TAGVAR(archive_cmds, $1)=''
+        _LT_TAGVAR(hardcode_direct, $1)=yes
+        _LT_TAGVAR(hardcode_direct_absolute, $1)=yes
+        _LT_TAGVAR(hardcode_libdir_separator, $1)=':'
+        _LT_TAGVAR(link_all_deplibs, $1)=yes
+        _LT_TAGVAR(file_list_spec, $1)='${wl}-f,'
+
+        if test "$GXX" = yes; then
+          case $host_os in aix4.[[012]]|aix4.[[012]].*)
+          # We only want to do this on AIX 4.2 and lower, the check
+          # below for broken collect2 doesn't work under 4.3+
+	  collect2name=`${CC} -print-prog-name=collect2`
+	  if test -f "$collect2name" &&
+	     strings "$collect2name" | $GREP resolve_lib_name >/dev/null
+	  then
+	    # We have reworked collect2
+	    :
+	  else
+	    # We have old collect2
+	    _LT_TAGVAR(hardcode_direct, $1)=unsupported
+	    # It fails to find uninstalled libraries when the uninstalled
+	    # path is not listed in the libpath.  Setting hardcode_minus_L
+	    # to unsupported forces relinking
+	    _LT_TAGVAR(hardcode_minus_L, $1)=yes
+	    _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
+	    _LT_TAGVAR(hardcode_libdir_separator, $1)=
+	  fi
+          esac
+          shared_flag='-shared'
+	  if test "$aix_use_runtimelinking" = yes; then
+	    shared_flag="$shared_flag "'${wl}-G'
+	  fi
+        else
+          # not using gcc
+          if test "$host_cpu" = ia64; then
+	  # VisualAge C++, Version 5.5 for AIX 5L for IA-64, Beta 3 Release
+	  # chokes on -Wl,-G. The following line is correct:
+	  shared_flag='-G'
+          else
+	    if test "$aix_use_runtimelinking" = yes; then
+	      shared_flag='${wl}-G'
+	    else
+	      shared_flag='${wl}-bM:SRE'
+	    fi
+          fi
+        fi
 
-# Symbols that must always be exported.
-include_expsyms=$lt_[]_LT_AC_TAGVAR(include_expsyms, $1)
+        # It seems that -bexpall does not export symbols beginning with
+        # underscore (_), so it is better to generate a list of symbols to
+	# export.
+        _LT_TAGVAR(always_export_symbols, $1)=yes
+        if test "$aix_use_runtimelinking" = yes; then
+          # Warning - without using the other runtime loading flags (-brtl),
+          # -berok will link without error, but may produce a broken library.
+          _LT_TAGVAR(allow_undefined_flag, $1)='-berok'
+          # Determine the default libpath from the value encoded in an empty
+          # executable.
+          _LT_SYS_MODULE_PATH_AIX
+          _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-blibpath:$libdir:'"$aix_libpath"
+
+          _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then $ECHO "X${wl}${allow_undefined_flag}" | $Xsed; else :; fi` '"\${wl}$exp_sym_flag:\$export_symbols $shared_flag"
+        else
+          if test "$host_cpu" = ia64; then
+	    _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-R $libdir:/usr/lib:/lib'
+	    _LT_TAGVAR(allow_undefined_flag, $1)="-z nodefs"
+	    _LT_TAGVAR(archive_expsym_cmds, $1)="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags ${wl}${allow_undefined_flag} '"\${wl}$exp_sym_flag:\$export_symbols"
+          else
+	    # Determine the default libpath from the value encoded in an
+	    # empty executable.
+	    _LT_SYS_MODULE_PATH_AIX
+	    _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-blibpath:$libdir:'"$aix_libpath"
+	    # Warning - without using the other run time loading flags,
+	    # -berok will link without error, but may produce a broken library.
+	    _LT_TAGVAR(no_undefined_flag, $1)=' ${wl}-bernotok'
+	    _LT_TAGVAR(allow_undefined_flag, $1)=' ${wl}-berok'
+	    # Exported symbols can be pulled into shared objects from archives
+	    _LT_TAGVAR(whole_archive_flag_spec, $1)='$convenience'
+	    _LT_TAGVAR(archive_cmds_need_lc, $1)=yes
+	    # This is similar to how AIX traditionally builds its shared
+	    # libraries.
+	    _LT_TAGVAR(archive_expsym_cmds, $1)="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs ${wl}-bnoentry $compiler_flags ${wl}-bE:$export_symbols${allow_undefined_flag}~$AR $AR_FLAGS $output_objdir/$libname$release.a $output_objdir/$soname'
+          fi
+        fi
+        ;;
 
-ifelse([$1],[],
-[# ### END LIBTOOL CONFIG],
-[# ### END LIBTOOL TAG CONFIG: $tagname])
+      beos*)
+	if $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then
+	  _LT_TAGVAR(allow_undefined_flag, $1)=unsupported
+	  # Joseph Beckenbach <jrb3@best.com> says some releases of gcc
+	  # support --undefined.  This deserves some investigation.  FIXME
+	  _LT_TAGVAR(archive_cmds, $1)='$CC -nostart $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+	else
+	  _LT_TAGVAR(ld_shlibs, $1)=no
+	fi
+	;;
 
-__EOF__
+      chorus*)
+        case $cc_basename in
+          *)
+	  # FIXME: insert proper C++ library support
+	  _LT_TAGVAR(ld_shlibs, $1)=no
+	  ;;
+        esac
+        ;;
 
-ifelse([$1],[], [
-  case $host_os in
-  aix3*)
-    cat <<\EOF >> "$cfgfile"
+      cygwin* | mingw* | pw32*)
+        # _LT_TAGVAR(hardcode_libdir_flag_spec, $1) is actually meaningless,
+        # as there is no search path for DLLs.
+        _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
+        _LT_TAGVAR(allow_undefined_flag, $1)=unsupported
+        _LT_TAGVAR(always_export_symbols, $1)=no
+        _LT_TAGVAR(enable_shared_with_static_runtimes, $1)=yes
+
+        if $LD --help 2>&1 | $GREP 'auto-import' > /dev/null; then
+          _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
+          # If the export-symbols file already is a .def file (1st line
+          # is EXPORTS), use it as is; otherwise, prepend...
+          _LT_TAGVAR(archive_expsym_cmds, $1)='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then
+	    cp $export_symbols $output_objdir/$soname.def;
+          else
+	    echo EXPORTS > $output_objdir/$soname.def;
+	    cat $export_symbols >> $output_objdir/$soname.def;
+          fi~
+          $CC -shared -nostdlib $output_objdir/$soname.def $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
+        else
+          _LT_TAGVAR(ld_shlibs, $1)=no
+        fi
+        ;;
+      darwin* | rhapsody*)
+        _LT_DARWIN_LINKER_FEATURES($1)
+	;;
 
-# AIX sometimes has problems with the GCC collect2 program.  For some
-# reason, if we set the COLLECT_NAMES environment variable, the problems
-# vanish in a puff of smoke.
-if test "X${COLLECT_NAMES+set}" != Xset; then
-  COLLECT_NAMES=
-  export COLLECT_NAMES
-fi
-EOF
-    ;;
-  esac
+      dgux*)
+        case $cc_basename in
+          ec++*)
+	    # FIXME: insert proper C++ library support
+	    _LT_TAGVAR(ld_shlibs, $1)=no
+	    ;;
+          ghcx*)
+	    # Green Hills C++ Compiler
+	    # FIXME: insert proper C++ library support
+	    _LT_TAGVAR(ld_shlibs, $1)=no
+	    ;;
+          *)
+	    # FIXME: insert proper C++ library support
+	    _LT_TAGVAR(ld_shlibs, $1)=no
+	    ;;
+        esac
+        ;;
 
-  # We use sed instead of cat because bash on DJGPP gets confused if
-  # if finds mixed CR/LF and LF-only lines.  Since sed operates in
-  # text mode, it properly converts lines to CR/LF.  This bash problem
-  # is reportedly fixed, but why not run on old versions too?
-  sed '$q' "$ltmain" >> "$cfgfile" || (rm -f "$cfgfile"; exit 1)
+      freebsd[[12]]*)
+        # C++ shared libraries reported to be fairly broken before
+	# switch to ELF
+        _LT_TAGVAR(ld_shlibs, $1)=no
+        ;;
 
-  mv -f "$cfgfile" "$ofile" || \
-    (rm -f "$ofile" && cp "$cfgfile" "$ofile" && rm -f "$cfgfile")
-  chmod +x "$ofile"
-])
-else
-  # If there is no Makefile yet, we rely on a make rule to execute
-  # `config.status --recheck' to rerun these tests and create the
-  # libtool script then.
-  ltmain_in=`echo $ltmain | sed -e 's/\.sh$/.in/'`
-  if test -f "$ltmain_in"; then
-    test -f Makefile && make "$ltmain"
-  fi
-fi
-])# AC_LIBTOOL_CONFIG
+      freebsd-elf*)
+        _LT_TAGVAR(archive_cmds_need_lc, $1)=no
+        ;;
 
+      freebsd* | dragonfly*)
+        # FreeBSD 3 and later use GNU C++ and GNU ld with standard ELF
+        # conventions
+        _LT_TAGVAR(ld_shlibs, $1)=yes
+        ;;
 
-# AC_LIBTOOL_PROG_COMPILER_NO_RTTI([TAGNAME])
-# -------------------------------------------
-AC_DEFUN([AC_LIBTOOL_PROG_COMPILER_NO_RTTI],
-[AC_REQUIRE([_LT_AC_SYS_COMPILER])dnl
+      gnu*)
+        ;;
 
-_LT_AC_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)=
+      hpux9*)
+        _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir'
+        _LT_TAGVAR(hardcode_libdir_separator, $1)=:
+        _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
+        _LT_TAGVAR(hardcode_direct, $1)=yes
+        _LT_TAGVAR(hardcode_minus_L, $1)=yes # Not in the search PATH,
+				             # but as the default
+				             # location of the library.
+
+        case $cc_basename in
+          CC*)
+            # FIXME: insert proper C++ library support
+            _LT_TAGVAR(ld_shlibs, $1)=no
+            ;;
+          aCC*)
+            _LT_TAGVAR(archive_cmds, $1)='$RM $output_objdir/$soname~$CC -b ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
+            # Commands to make compiler produce verbose output that lists
+            # what "hidden" libraries, object files and flags are used when
+            # linking a shared library.
+            #
+            # There doesn't appear to be a way to prevent this compiler from
+            # explicitly linking system object files so we need to strip them
+            # from the output so that they don't get included in the library
+            # dependencies.
+            output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | $EGREP "\-L"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; $ECHO "X$list" | $Xsed'
+            ;;
+          *)
+            if test "$GXX" = yes; then
+              _LT_TAGVAR(archive_cmds, $1)='$RM $output_objdir/$soname~$CC -shared -nostdlib -fPIC ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
+            else
+              # FIXME: insert proper C++ library support
+              _LT_TAGVAR(ld_shlibs, $1)=no
+            fi
+            ;;
+        esac
+        ;;
 
-if test "$GCC" = yes; then
-  _LT_AC_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)=' -fno-builtin'
+      hpux10*|hpux11*)
+        if test $with_gnu_ld = no; then
+	  _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir'
+	  _LT_TAGVAR(hardcode_libdir_separator, $1)=:
+
+          case $host_cpu in
+            hppa*64*|ia64*)
+              ;;
+            *)
+	      _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
+              ;;
+          esac
+        fi
+        case $host_cpu in
+          hppa*64*|ia64*)
+            _LT_TAGVAR(hardcode_direct, $1)=no
+            _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
+            ;;
+          *)
+            _LT_TAGVAR(hardcode_direct, $1)=yes
+            _LT_TAGVAR(hardcode_direct_absolute, $1)=yes
+            _LT_TAGVAR(hardcode_minus_L, $1)=yes # Not in the search PATH,
+					         # but as the default
+					         # location of the library.
+            ;;
+        esac
+
+        case $cc_basename in
+          CC*)
+	    # FIXME: insert proper C++ library support
+	    _LT_TAGVAR(ld_shlibs, $1)=no
+	    ;;
+          aCC*)
+	    case $host_cpu in
+	      hppa*64*)
+	        _LT_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
+	        ;;
+	      ia64*)
+	        _LT_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
+	        ;;
+	      *)
+	        _LT_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
+	        ;;
+	    esac
+	    # Commands to make compiler produce verbose output that lists
+	    # what "hidden" libraries, object files and flags are used when
+	    # linking a shared library.
+	    #
+	    # There doesn't appear to be a way to prevent this compiler from
+	    # explicitly linking system object files so we need to strip them
+	    # from the output so that they don't get included in the library
+	    # dependencies.
+	    output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | $GREP "\-L"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; $ECHO "X$list" | $Xsed'
+	    ;;
+          *)
+	    if test "$GXX" = yes; then
+	      if test $with_gnu_ld = no; then
+	        case $host_cpu in
+	          hppa*64*)
+	            _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib -fPIC ${wl}+h ${wl}$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
+	            ;;
+	          ia64*)
+	            _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib -fPIC ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
+	            ;;
+	          *)
+	            _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
+	            ;;
+	        esac
+	      fi
+	    else
+	      # FIXME: insert proper C++ library support
+	      _LT_TAGVAR(ld_shlibs, $1)=no
+	    fi
+	    ;;
+        esac
+        ;;
 
-  AC_LIBTOOL_COMPILER_OPTION([if $compiler supports -fno-rtti -fno-exceptions],
-    lt_cv_prog_compiler_rtti_exceptions,
-    [-fno-rtti -fno-exceptions], [],
-    [_LT_AC_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)="$_LT_AC_TAGVAR(lt_prog_compiler_no_builtin_flag, $1) -fno-rtti -fno-exceptions"])
-fi
-])# AC_LIBTOOL_PROG_COMPILER_NO_RTTI
+      interix[[3-9]]*)
+	_LT_TAGVAR(hardcode_direct, $1)=no
+	_LT_TAGVAR(hardcode_shlibpath_var, $1)=no
+	_LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
+	_LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
+	# Hack: On Interix 3.x, we cannot compile PIC because of a broken gcc.
+	# Instead, shared libraries are loaded at an image base (0x10000000 by
+	# default) and relocated if they conflict, which is a slow very memory
+	# consuming and fragmenting process.  To avoid this, we pick a random,
+	# 256 KiB-aligned image base between 0x50000000 and 0x6FFC0000 at link
+	# time.  Moving up from 0x10000000 also allows more sbrk(2) space.
+	_LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
+	_LT_TAGVAR(archive_expsym_cmds, $1)='sed "s,^,_," $export_symbols >$output_objdir/$soname.expsym~$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--retain-symbols-file,$output_objdir/$soname.expsym ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
+	;;
+      irix5* | irix6*)
+        case $cc_basename in
+          CC*)
+	    # SGI C++
+	    _LT_TAGVAR(archive_cmds, $1)='$CC -shared -all -multigot $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -soname $soname `test -n "$verstring" && $ECHO "X-set_version $verstring" | $Xsed` -update_registry ${output_objdir}/so_locations -o $lib'
+
+	    # Archives containing C++ object files must be created using
+	    # "CC -ar", where "CC" is the IRIX C++ compiler.  This is
+	    # necessary to make sure instantiated templates are included
+	    # in the archive.
+	    _LT_TAGVAR(old_archive_cmds, $1)='$CC -ar -WR,-u -o $oldlib $oldobjs'
+	    ;;
+          *)
+	    if test "$GXX" = yes; then
+	      if test "$with_gnu_ld" = no; then
+	        _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && $ECHO "X${wl}-set_version ${wl}$verstring" | $Xsed` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+	      else
+	        _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && $ECHO "X${wl}-set_version ${wl}$verstring" | $Xsed` -o $lib'
+	      fi
+	    fi
+	    _LT_TAGVAR(link_all_deplibs, $1)=yes
+	    ;;
+        esac
+        _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
+        _LT_TAGVAR(hardcode_libdir_separator, $1)=:
+        _LT_TAGVAR(inherit_rpath, $1)=yes
+        ;;
 
+      linux* | k*bsd*-gnu)
+        case $cc_basename in
+          KCC*)
+	    # Kuck and Associates, Inc. (KAI) C++ Compiler
+
+	    # KCC will only create a shared library if the output file
+	    # ends with ".so" (or ".sl" for HP-UX), so rename the library
+	    # to its proper name (with version) after linking.
+	    _LT_TAGVAR(archive_cmds, $1)='tempext=`echo $shared_ext | $SED -e '\''s/\([[^()0-9A-Za-z{}]]\)/\\\\\1/g'\''`; templib=`echo $lib | $SED -e "s/\${tempext}\..*/.so/"`; $CC $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags --soname $soname -o \$templib; mv \$templib $lib'
+	    _LT_TAGVAR(archive_expsym_cmds, $1)='tempext=`echo $shared_ext | $SED -e '\''s/\([[^()0-9A-Za-z{}]]\)/\\\\\1/g'\''`; templib=`echo $lib | $SED -e "s/\${tempext}\..*/.so/"`; $CC $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags --soname $soname -o \$templib ${wl}-retain-symbols-file,$export_symbols; mv \$templib $lib'
+	    # Commands to make compiler produce verbose output that lists
+	    # what "hidden" libraries, object files and flags are used when
+	    # linking a shared library.
+	    #
+	    # There doesn't appear to be a way to prevent this compiler from
+	    # explicitly linking system object files so we need to strip them
+	    # from the output so that they don't get included in the library
+	    # dependencies.
+	    output_verbose_link_cmd='templist=`$CC $CFLAGS -v conftest.$objext -o libconftest$shared_ext 2>&1 | $GREP "ld"`; rm -f libconftest$shared_ext; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; $ECHO "X$list" | $Xsed'
+
+	    _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
+	    _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic'
+
+	    # Archives containing C++ object files must be created using
+	    # "CC -Bstatic", where "CC" is the KAI C++ compiler.
+	    _LT_TAGVAR(old_archive_cmds, $1)='$CC -Bstatic -o $oldlib $oldobjs'
+	    ;;
+	  icpc* | ecpc* )
+	    # Intel C++
+	    with_gnu_ld=yes
+	    # version 8.0 and above of icpc choke on multiply defined symbols
+	    # if we add $predep_objects and $postdep_objects, however 7.1 and
+	    # earlier do not add the objects themselves.
+	    case `$CC -V 2>&1` in
+	      *"Version 7."*)
+	        _LT_TAGVAR(archive_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib'
+		_LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+		;;
+	      *)  # Version 8.0 or newer
+	        tmp_idyn=
+	        case $host_cpu in
+		  ia64*) tmp_idyn=' -i_dynamic';;
+		esac
+	        _LT_TAGVAR(archive_cmds, $1)='$CC -shared'"$tmp_idyn"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+		_LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared'"$tmp_idyn"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+		;;
+	    esac
+	    _LT_TAGVAR(archive_cmds_need_lc, $1)=no
+	    _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
+	    _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic'
+	    _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive$convenience ${wl}--no-whole-archive'
+	    ;;
+          pgCC* | pgcpp*)
+            # Portland Group C++ compiler
+	    case `$CC -V` in
+	    *pgCC\ [[1-5]]* | *pgcpp\ [[1-5]]*)
+	      _LT_TAGVAR(prelink_cmds, $1)='tpldir=Template.dir~
+		rm -rf $tpldir~
+		$CC --prelink_objects --instantiation_dir $tpldir $objs $libobjs $compile_deplibs~
+		compile_command="$compile_command `find $tpldir -name \*.o | $NL2SP`"'
+	      _LT_TAGVAR(old_archive_cmds, $1)='tpldir=Template.dir~
+		rm -rf $tpldir~
+		$CC --prelink_objects --instantiation_dir $tpldir $oldobjs$old_deplibs~
+		$AR $AR_FLAGS $oldlib$oldobjs$old_deplibs `find $tpldir -name \*.o | $NL2SP`~
+		$RANLIB $oldlib'
+	      _LT_TAGVAR(archive_cmds, $1)='tpldir=Template.dir~
+		rm -rf $tpldir~
+		$CC --prelink_objects --instantiation_dir $tpldir $predep_objects $libobjs $deplibs $convenience $postdep_objects~
+		$CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
+	      _LT_TAGVAR(archive_expsym_cmds, $1)='tpldir=Template.dir~
+		rm -rf $tpldir~
+		$CC --prelink_objects --instantiation_dir $tpldir $predep_objects $libobjs $deplibs $convenience $postdep_objects~
+		$CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname ${wl}-retain-symbols-file ${wl}$export_symbols -o $lib'
+	      ;;
+	    *) # Version 6 will use weak symbols
+	      _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
+	      _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname ${wl}-retain-symbols-file ${wl}$export_symbols -o $lib'
+	      ;;
+	    esac
 
-# AC_LIBTOOL_SYS_GLOBAL_SYMBOL_PIPE
-# ---------------------------------
-AC_DEFUN([AC_LIBTOOL_SYS_GLOBAL_SYMBOL_PIPE],
-[AC_REQUIRE([AC_CANONICAL_HOST])
-AC_REQUIRE([LT_AC_PROG_SED])
-AC_REQUIRE([AC_PROG_NM])
-AC_REQUIRE([AC_OBJEXT])
-# Check for command to grab the raw symbol name followed by C symbol from nm.
-AC_MSG_CHECKING([command to parse $NM output from $compiler object])
-AC_CACHE_VAL([lt_cv_sys_global_symbol_pipe],
-[
-# These are sane defaults that work on at least a few old systems.
-# [They come from Ultrix.  What could be older than Ultrix?!! ;)]
+	    _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}--rpath ${wl}$libdir'
+	    _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic'
+	    _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $ECHO \"$new_convenience\"` ${wl}--no-whole-archive'
+            ;;
+	  cxx*)
+	    # Compaq C++
+	    _LT_TAGVAR(archive_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib'
+	    _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname  -o $lib ${wl}-retain-symbols-file $wl$export_symbols'
 
-# Character class describing NM global symbol codes.
-symcode='[[BCDEGRST]]'
+	    runpath_var=LD_RUN_PATH
+	    _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-rpath $libdir'
+	    _LT_TAGVAR(hardcode_libdir_separator, $1)=:
 
-# Regexp to match symbols that can be accessed directly from C.
-sympat='\([[_A-Za-z]][[_A-Za-z0-9]]*\)'
+	    # Commands to make compiler produce verbose output that lists
+	    # what "hidden" libraries, object files and flags are used when
+	    # linking a shared library.
+	    #
+	    # There doesn't appear to be a way to prevent this compiler from
+	    # explicitly linking system object files so we need to strip them
+	    # from the output so that they don't get included in the library
+	    # dependencies.
+	    output_verbose_link_cmd='templist=`$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP "ld"`; templist=`$ECHO "X$templist" | $Xsed -e "s/\(^.*ld.*\)\( .*ld .*$\)/\1/"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; $ECHO "X$list" | $Xsed'
+	    ;;
+	  xl*)
+	    # IBM XL 8.0 on PPC, with GNU ld
+	    _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
+	    _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic'
+	    _LT_TAGVAR(archive_cmds, $1)='$CC -qmkshrobj $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+	    if test "x$supports_anon_versioning" = xyes; then
+	      _LT_TAGVAR(archive_expsym_cmds, $1)='echo "{ global:" > $output_objdir/$libname.ver~
+		cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~
+		echo "local: *; };" >> $output_objdir/$libname.ver~
+		$CC -qmkshrobj $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-version-script ${wl}$output_objdir/$libname.ver -o $lib'
+	    fi
+	    ;;
+	  *)
+	    case `$CC -V 2>&1 | sed 5q` in
+	    *Sun\ C*)
+	      # Sun C++ 5.9
+	      _LT_TAGVAR(no_undefined_flag, $1)=' -zdefs'
+	      _LT_TAGVAR(archive_cmds, $1)='$CC -G${allow_undefined_flag} -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
+	      _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -G${allow_undefined_flag} -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-retain-symbols-file ${wl}$export_symbols'
+	      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
+	      _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`new_convenience=; for conv in $convenience\"\"; do test -z \"$conv\" || new_convenience=\"$new_convenience,$conv\"; done; $ECHO \"$new_convenience\"` ${wl}--no-whole-archive'
+	      _LT_TAGVAR(compiler_needs_object, $1)=yes
+
+	      # Not sure whether something based on
+	      # $CC $CFLAGS -v conftest.$objext -o libconftest$shared_ext 2>&1
+	      # would be better.
+	      output_verbose_link_cmd='echo'
+
+	      # Archives containing C++ object files must be created using
+	      # "CC -xar", where "CC" is the Sun C++ compiler.  This is
+	      # necessary to make sure instantiated templates are included
+	      # in the archive.
+	      _LT_TAGVAR(old_archive_cmds, $1)='$CC -xar -o $oldlib $oldobjs'
+	      ;;
+	    esac
+	    ;;
+	esac
+	;;
 
-# Transform an extracted symbol line into a proper C declaration
-lt_cv_sys_global_symbol_to_cdecl="sed -n -e 's/^. .* \(.*\)$/extern int \1;/p'"
+      lynxos*)
+        # FIXME: insert proper C++ library support
+	_LT_TAGVAR(ld_shlibs, $1)=no
+	;;
 
-# Transform an extracted symbol line into symbol name and symbol address
-lt_cv_sys_global_symbol_to_c_name_address="sed -n -e 's/^: \([[^ ]]*\) $/  {\\\"\1\\\", (lt_ptr) 0},/p' -e 's/^$symcode \([[^ ]]*\) \([[^ ]]*\)$/  {\"\2\", (lt_ptr) \&\2},/p'"
+      m88k*)
+        # FIXME: insert proper C++ library support
+        _LT_TAGVAR(ld_shlibs, $1)=no
+	;;
 
-# Define system-specific variables.
-case $host_os in
-aix*)
-  symcode='[[BCDT]]'
-  ;;
-cygwin* | mingw* | pw32*)
-  symcode='[[ABCDGISTW]]'
-  ;;
-hpux*) # Its linker distinguishes data from code symbols
-  if test "$host_cpu" = ia64; then
-    symcode='[[ABCDEGRST]]'
-  fi
-  lt_cv_sys_global_symbol_to_cdecl="sed -n -e 's/^T .* \(.*\)$/extern int \1();/p' -e 's/^$symcode* .* \(.*\)$/extern char \1;/p'"
-  lt_cv_sys_global_symbol_to_c_name_address="sed -n -e 's/^: \([[^ ]]*\) $/  {\\\"\1\\\", (lt_ptr) 0},/p' -e 's/^$symcode* \([[^ ]]*\) \([[^ ]]*\)$/  {\"\2\", (lt_ptr) \&\2},/p'"
-  ;;
-linux* | k*bsd*-gnu)
-  if test "$host_cpu" = ia64; then
-    symcode='[[ABCDGIRSTW]]'
-    lt_cv_sys_global_symbol_to_cdecl="sed -n -e 's/^T .* \(.*\)$/extern int \1();/p' -e 's/^$symcode* .* \(.*\)$/extern char \1;/p'"
-    lt_cv_sys_global_symbol_to_c_name_address="sed -n -e 's/^: \([[^ ]]*\) $/  {\\\"\1\\\", (lt_ptr) 0},/p' -e 's/^$symcode* \([[^ ]]*\) \([[^ ]]*\)$/  {\"\2\", (lt_ptr) \&\2},/p'"
-  fi
-  ;;
-irix* | nonstopux*)
-  symcode='[[BCDEGRST]]'
-  ;;
-osf*)
-  symcode='[[BCDEGQRST]]'
-  ;;
-solaris*)
-  symcode='[[BDRT]]'
-  ;;
-sco3.2v5*)
-  symcode='[[DT]]'
-  ;;
-sysv4.2uw2*)
-  symcode='[[DT]]'
-  ;;
-sysv5* | sco5v6* | unixware* | OpenUNIX*)
-  symcode='[[ABDT]]'
-  ;;
-sysv4)
-  symcode='[[DFNSTU]]'
-  ;;
-esac
+      mvs*)
+        case $cc_basename in
+          cxx*)
+	    # FIXME: insert proper C++ library support
+	    _LT_TAGVAR(ld_shlibs, $1)=no
+	    ;;
+	  *)
+	    # FIXME: insert proper C++ library support
+	    _LT_TAGVAR(ld_shlibs, $1)=no
+	    ;;
+	esac
+	;;
 
-# Handle CRLF in mingw tool chain
-opt_cr=
-case $build_os in
-mingw*)
-  opt_cr=`echo 'x\{0,1\}' | tr x '\015'` # option cr in regexp
-  ;;
-esac
+      netbsd*)
+        if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then
+	  _LT_TAGVAR(archive_cmds, $1)='$LD -Bshareable  -o $lib $predep_objects $libobjs $deplibs $postdep_objects $linker_flags'
+	  wlarc=
+	  _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
+	  _LT_TAGVAR(hardcode_direct, $1)=yes
+	  _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
+	fi
+	# Workaround some broken pre-1.5 toolchains
+	output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP conftest.$objext | $SED -e "s:-lgcc -lc -lgcc::"'
+	;;
 
-# If we're using GNU nm, then use its standard symbol codes.
-case `$NM -V 2>&1` in
-*GNU* | *'with BFD'*)
-  symcode='[[ABCDGIRSTW]]' ;;
-esac
+      *nto* | *qnx*)
+        _LT_TAGVAR(ld_shlibs, $1)=yes
+	;;
 
-# Try without a prefix undercore, then with it.
-for ac_symprfx in "" "_"; do
+      openbsd2*)
+        # C++ shared libraries are fairly broken
+	_LT_TAGVAR(ld_shlibs, $1)=no
+	;;
 
-  # Transform symcode, sympat, and symprfx into a raw symbol and a C symbol.
-  symxfrm="\\1 $ac_symprfx\\2 \\2"
+      openbsd*)
+	if test -f /usr/libexec/ld.so; then
+	  _LT_TAGVAR(hardcode_direct, $1)=yes
+	  _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
+	  _LT_TAGVAR(hardcode_direct_absolute, $1)=yes
+	  _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $lib'
+	  _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
+	  if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
+	    _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-retain-symbols-file,$export_symbols -o $lib'
+	    _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
+	    _LT_TAGVAR(whole_archive_flag_spec, $1)="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive'
+	  fi
+	  output_verbose_link_cmd=echo
+	else
+	  _LT_TAGVAR(ld_shlibs, $1)=no
+	fi
+	;;
 
-  # Write the raw and C identifiers.
-  lt_cv_sys_global_symbol_pipe="sed -n -e 's/^.*[[ 	]]\($symcode$symcode*\)[[ 	]][[ 	]]*$ac_symprfx$sympat$opt_cr$/$symxfrm/p'"
+      osf3* | osf4* | osf5*)
+        case $cc_basename in
+          KCC*)
+	    # Kuck and Associates, Inc. (KAI) C++ Compiler
+
+	    # KCC will only create a shared library if the output file
+	    # ends with ".so" (or ".sl" for HP-UX), so rename the library
+	    # to its proper name (with version) after linking.
+	    _LT_TAGVAR(archive_cmds, $1)='tempext=`echo $shared_ext | $SED -e '\''s/\([[^()0-9A-Za-z{}]]\)/\\\\\1/g'\''`; templib=`echo "$lib" | $SED -e "s/\${tempext}\..*/.so/"`; $CC $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags --soname $soname -o \$templib; mv \$templib $lib'
+
+	    _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
+	    _LT_TAGVAR(hardcode_libdir_separator, $1)=:
+
+	    # Archives containing C++ object files must be created using
+	    # the KAI C++ compiler.
+	    case $host in
+	      osf3*) _LT_TAGVAR(old_archive_cmds, $1)='$CC -Bstatic -o $oldlib $oldobjs' ;;
+	      *) _LT_TAGVAR(old_archive_cmds, $1)='$CC -o $oldlib $oldobjs' ;;
+	    esac
+	    ;;
+          RCC*)
+	    # Rational C++ 2.4.1
+	    # FIXME: insert proper C++ library support
+	    _LT_TAGVAR(ld_shlibs, $1)=no
+	    ;;
+          cxx*)
+	    case $host in
+	      osf3*)
+	        _LT_TAGVAR(allow_undefined_flag, $1)=' ${wl}-expect_unresolved ${wl}\*'
+	        _LT_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $soname `test -n "$verstring" && $ECHO "X${wl}-set_version $verstring" | $Xsed` -update_registry ${output_objdir}/so_locations -o $lib'
+	        _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
+		;;
+	      *)
+	        _LT_TAGVAR(allow_undefined_flag, $1)=' -expect_unresolved \*'
+	        _LT_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -msym -soname $soname `test -n "$verstring" && $ECHO "X-set_version $verstring" | $Xsed` -update_registry ${output_objdir}/so_locations -o $lib'
+	        _LT_TAGVAR(archive_expsym_cmds, $1)='for i in `cat $export_symbols`; do printf "%s %s\\n" -exported_symbol "\$i" >> $lib.exp; done~
+	          echo "-hidden">> $lib.exp~
+	          $CC -shared$allow_undefined_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -msym -soname $soname ${wl}-input ${wl}$lib.exp  `test -n "$verstring" && $ECHO "X-set_version $verstring" | $Xsed` -update_registry ${output_objdir}/so_locations -o $lib~
+	          $RM $lib.exp'
+	        _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-rpath $libdir'
+		;;
+	    esac
 
-  # Check to see that the pipe works correctly.
-  pipe_works=no
+	    _LT_TAGVAR(hardcode_libdir_separator, $1)=:
 
-  rm -f conftest*
-  cat > conftest.$ac_ext <<EOF
-#ifdef __cplusplus
-extern "C" {
-#endif
-char nm_test_var;
-void nm_test_func(){}
-#ifdef __cplusplus
-}
-#endif
-int main(){nm_test_var='a';nm_test_func();return(0);}
-EOF
+	    # Commands to make compiler produce verbose output that lists
+	    # what "hidden" libraries, object files and flags are used when
+	    # linking a shared library.
+	    #
+	    # There doesn't appear to be a way to prevent this compiler from
+	    # explicitly linking system object files so we need to strip them
+	    # from the output so that they don't get included in the library
+	    # dependencies.
+	    output_verbose_link_cmd='templist=`$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP "ld" | $GREP -v "ld:"`; templist=`$ECHO "X$templist" | $Xsed -e "s/\(^.*ld.*\)\( .*ld.*$\)/\1/"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; $ECHO "X$list" | $Xsed'
+	    ;;
+	  *)
+	    if test "$GXX" = yes && test "$with_gnu_ld" = no; then
+	      _LT_TAGVAR(allow_undefined_flag, $1)=' ${wl}-expect_unresolved ${wl}\*'
+	      case $host in
+	        osf3*)
+	          _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib ${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && $ECHO "X${wl}-set_version ${wl}$verstring" | $Xsed` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+		  ;;
+	        *)
+	          _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib ${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-msym ${wl}-soname ${wl}$soname `test -n "$verstring" && $ECHO "${wl}-set_version ${wl}$verstring" | $Xsed` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+		  ;;
+	      esac
+
+	      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
+	      _LT_TAGVAR(hardcode_libdir_separator, $1)=:
+
+	      # Commands to make compiler produce verbose output that lists
+	      # what "hidden" libraries, object files and flags are used when
+	      # linking a shared library.
+	      output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP "\-L"'
+
+	    else
+	      # FIXME: insert proper C++ library support
+	      _LT_TAGVAR(ld_shlibs, $1)=no
+	    fi
+	    ;;
+        esac
+        ;;
 
-  if AC_TRY_EVAL(ac_compile); then
-    # Now try to grab the symbols.
-    nlist=conftest.nm
-    if AC_TRY_EVAL(NM conftest.$ac_objext \| $lt_cv_sys_global_symbol_pipe \> $nlist) && test -s "$nlist"; then
-      # Try sorting and uniquifying the output.
-      if sort "$nlist" | uniq > "$nlist"T; then
-	mv -f "$nlist"T "$nlist"
-      else
-	rm -f "$nlist"T
-      fi
+      psos*)
+        # FIXME: insert proper C++ library support
+        _LT_TAGVAR(ld_shlibs, $1)=no
+        ;;
 
-      # Make sure that we snagged all the symbols we need.
-      if grep ' nm_test_var$' "$nlist" >/dev/null; then
-	if grep ' nm_test_func$' "$nlist" >/dev/null; then
-	  cat <<EOF > conftest.$ac_ext
-#ifdef __cplusplus
-extern "C" {
-#endif
+      sunos4*)
+        case $cc_basename in
+          CC*)
+	    # Sun C++ 4.x
+	    # FIXME: insert proper C++ library support
+	    _LT_TAGVAR(ld_shlibs, $1)=no
+	    ;;
+          lcc*)
+	    # Lucid
+	    # FIXME: insert proper C++ library support
+	    _LT_TAGVAR(ld_shlibs, $1)=no
+	    ;;
+          *)
+	    # FIXME: insert proper C++ library support
+	    _LT_TAGVAR(ld_shlibs, $1)=no
+	    ;;
+        esac
+        ;;
 
-EOF
-	  # Now generate the symbol file.
-	  eval "$lt_cv_sys_global_symbol_to_cdecl"' < "$nlist" | grep -v main >> conftest.$ac_ext'
+      solaris*)
+        case $cc_basename in
+          CC*)
+	    # Sun C++ 4.2, 5.x and Centerline C++
+            _LT_TAGVAR(archive_cmds_need_lc,$1)=yes
+	    _LT_TAGVAR(no_undefined_flag, $1)=' -zdefs'
+	    _LT_TAGVAR(archive_cmds, $1)='$CC -G${allow_undefined_flag}  -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
+	    _LT_TAGVAR(archive_expsym_cmds, $1)='echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~echo "local: *; };" >> $lib.exp~
+	      $CC -G${allow_undefined_flag} ${wl}-M ${wl}$lib.exp -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~$RM $lib.exp'
+
+	    _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
+	    _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
+	    case $host_os in
+	      solaris2.[[0-5]] | solaris2.[[0-5]].*) ;;
+	      *)
+		# The compiler driver will combine and reorder linker options,
+		# but understands `-z linker_flag'.
+	        # Supported since Solaris 2.6 (maybe 2.5.1?)
+		_LT_TAGVAR(whole_archive_flag_spec, $1)='-z allextract$convenience -z defaultextract'
+	        ;;
+	    esac
+	    _LT_TAGVAR(link_all_deplibs, $1)=yes
 
-	  cat <<EOF >> conftest.$ac_ext
-#if defined (__STDC__) && __STDC__
-# define lt_ptr_t void *
-#else
-# define lt_ptr_t char *
-# define const
-#endif
+	    output_verbose_link_cmd='echo'
 
-/* The mapping between symbol names and symbols. */
-const struct {
-  const char *name;
-  lt_ptr_t address;
-}
-lt_preloaded_symbols[[]] =
-{
-EOF
-	  $SED "s/^$symcode$symcode* \(.*\) \(.*\)$/  {\"\2\", (lt_ptr_t) \&\2},/" < "$nlist" | grep -v main >> conftest.$ac_ext
-	  cat <<\EOF >> conftest.$ac_ext
-  {0, (lt_ptr_t) 0}
-};
+	    # Archives containing C++ object files must be created using
+	    # "CC -xar", where "CC" is the Sun C++ compiler.  This is
+	    # necessary to make sure instantiated templates are included
+	    # in the archive.
+	    _LT_TAGVAR(old_archive_cmds, $1)='$CC -xar -o $oldlib $oldobjs'
+	    ;;
+          gcx*)
+	    # Green Hills C++ Compiler
+	    _LT_TAGVAR(archive_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-h $wl$soname -o $lib'
 
-#ifdef __cplusplus
-}
-#endif
-EOF
-	  # Now try linking the two files.
-	  mv conftest.$ac_objext conftstm.$ac_objext
-	  lt_save_LIBS="$LIBS"
-	  lt_save_CFLAGS="$CFLAGS"
-	  LIBS="conftstm.$ac_objext"
-	  CFLAGS="$CFLAGS$_LT_AC_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)"
-	  if AC_TRY_EVAL(ac_link) && test -s conftest${ac_exeext}; then
-	    pipe_works=yes
-	  fi
-	  LIBS="$lt_save_LIBS"
-	  CFLAGS="$lt_save_CFLAGS"
-	else
-	  echo "cannot find nm_test_func in $nlist" >&AS_MESSAGE_LOG_FD
-	fi
-      else
-	echo "cannot find nm_test_var in $nlist" >&AS_MESSAGE_LOG_FD
-      fi
-    else
-      echo "cannot run $lt_cv_sys_global_symbol_pipe" >&AS_MESSAGE_LOG_FD
-    fi
-  else
-    echo "$progname: failed program was:" >&AS_MESSAGE_LOG_FD
-    cat conftest.$ac_ext >&5
-  fi
-  rm -rf conftest* conftst*
-
-  # Do not use the global_symbol_pipe unless it works.
-  if test "$pipe_works" = yes; then
-    break
-  else
-    lt_cv_sys_global_symbol_pipe=
-  fi
-done
-])
-if test -z "$lt_cv_sys_global_symbol_pipe"; then
-  lt_cv_sys_global_symbol_to_cdecl=
-fi
-if test -z "$lt_cv_sys_global_symbol_pipe$lt_cv_sys_global_symbol_to_cdecl"; then
-  AC_MSG_RESULT(failed)
-else
-  AC_MSG_RESULT(ok)
-fi
-]) # AC_LIBTOOL_SYS_GLOBAL_SYMBOL_PIPE
-
-
-# AC_LIBTOOL_PROG_COMPILER_PIC([TAGNAME])
-# ---------------------------------------
-AC_DEFUN([AC_LIBTOOL_PROG_COMPILER_PIC],
-[_LT_AC_TAGVAR(lt_prog_compiler_wl, $1)=
-_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)=
-_LT_AC_TAGVAR(lt_prog_compiler_static, $1)=
+	    # The C++ compiler must be used to create the archive.
+	    _LT_TAGVAR(old_archive_cmds, $1)='$CC $LDFLAGS -archive -o $oldlib $oldobjs'
+	    ;;
+          *)
+	    # GNU C++ compiler with Solaris linker
+	    if test "$GXX" = yes && test "$with_gnu_ld" = no; then
+	      _LT_TAGVAR(no_undefined_flag, $1)=' ${wl}-z ${wl}defs'
+	      if $CC --version | $GREP -v '^2\.7' > /dev/null; then
+	        _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $LDFLAGS $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-h $wl$soname -o $lib'
+	        _LT_TAGVAR(archive_expsym_cmds, $1)='echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~echo "local: *; };" >> $lib.exp~
+		  $CC -shared -nostdlib ${wl}-M $wl$lib.exp -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~$RM $lib.exp'
+
+	        # Commands to make compiler produce verbose output that lists
+	        # what "hidden" libraries, object files and flags are used when
+	        # linking a shared library.
+	        output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP "\-L"'
+	      else
+	        # g++ 2.7 appears to require `-G' NOT `-shared' on this
+	        # platform.
+	        _LT_TAGVAR(archive_cmds, $1)='$CC -G -nostdlib $LDFLAGS $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-h $wl$soname -o $lib'
+	        _LT_TAGVAR(archive_expsym_cmds, $1)='echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~echo "local: *; };" >> $lib.exp~
+		  $CC -G -nostdlib ${wl}-M $wl$lib.exp -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~$RM $lib.exp'
+
+	        # Commands to make compiler produce verbose output that lists
+	        # what "hidden" libraries, object files and flags are used when
+	        # linking a shared library.
+	        output_verbose_link_cmd='$CC -G $CFLAGS -v conftest.$objext 2>&1 | $GREP "\-L"'
+	      fi
+
+	      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-R $wl$libdir'
+	      case $host_os in
+		solaris2.[[0-5]] | solaris2.[[0-5]].*) ;;
+		*)
+		  _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}-z ${wl}allextract$convenience ${wl}-z ${wl}defaultextract'
+		  ;;
+	      esac
+	    fi
+	    ;;
+        esac
+        ;;
 
-AC_MSG_CHECKING([for $compiler option to produce PIC])
- ifelse([$1],[CXX],[
-  # C++ specific cases for pic, static, wl, etc.
-  if test "$GXX" = yes; then
-    _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-    _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-static'
+    sysv4*uw2* | sysv5OpenUNIX* | sysv5UnixWare7.[[01]].[[10]]* | unixware7* | sco3.2v5.0.[[024]]*)
+      _LT_TAGVAR(no_undefined_flag, $1)='${wl}-z,text'
+      _LT_TAGVAR(archive_cmds_need_lc, $1)=no
+      _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
+      runpath_var='LD_RUN_PATH'
 
-    case $host_os in
-    aix*)
-      # All AIX code is PIC.
-      if test "$host_cpu" = ia64; then
-	# AIX 5 now supports IA64 processor
-	_LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
-      fi
-      ;;
-    amigaos*)
-      # FIXME: we need at least 68020 code to build shared libraries, but
-      # adding the `-m68020' flag to GCC prevents building anything better,
-      # like `-m68040'.
-      _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-m68020 -resident32 -malways-restore-a4'
-      ;;
-    beos* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*)
-      # PIC is the default for these OSes.
-      ;;
-    mingw* | cygwin* | os2* | pw32*)
-      # This hack is so that the source file can tell whether it is being
-      # built for inclusion in a dll (and should export symbols for example).
-      # Although the cygwin gcc ignores -fPIC, still need this for old-style
-      # (--disable-auto-import) libraries
-      m4_if([$1], [GCJ], [],
-	[_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-DDLL_EXPORT'])
-      ;;
-    darwin* | rhapsody*)
-      # PIC is the default on this platform
-      # Common symbols not allowed in MH_DYLIB files
-      _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-fno-common'
-      ;;
-    *djgpp*)
-      # DJGPP does not support shared libraries at all
-      _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)=
-      ;;
-    interix[[3-9]]*)
-      # Interix 3.x gcc -fpic/-fPIC options generate broken code.
-      # Instead, we relocate shared libraries at runtime.
-      ;;
-    sysv4*MP*)
-      if test -d /usr/nec; then
-	_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)=-Kconform_pic
-      fi
-      ;;
-    hpux*)
-      # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but
-      # not for PA HP-UX.
-      case $host_cpu in
-      hppa*64*|ia64*)
-	;;
-      *)
-	_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
-	;;
+      case $cc_basename in
+        CC*)
+	  _LT_TAGVAR(archive_cmds, $1)='$CC -G ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+	  _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+	  ;;
+	*)
+	  _LT_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+	  _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+	  ;;
       esac
       ;;
-    *)
-      _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
-      ;;
-    esac
-  else
-    case $host_os in
-      aix[[4-9]]*)
-	# All AIX code is PIC.
-	if test "$host_cpu" = ia64; then
-	  # AIX 5 now supports IA64 processor
-	  _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
-	else
-	  _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-bnso -bI:/lib/syscalls.exp'
-	fi
-	;;
-      chorus*)
-	case $cc_basename in
-	cxch68*)
-	  # Green Hills C++ Compiler
-	  # _LT_AC_TAGVAR(lt_prog_compiler_static, $1)="--no_auto_instantiation -u __main -u __premain -u _abort -r $COOL_DIR/lib/libOrb.a $MVME_DIR/lib/CC/libC.a $MVME_DIR/lib/classix/libcx.s.a"
-	  ;;
-	esac
-	;;
-       darwin*)
-         # PIC is the default on this platform
-         # Common symbols not allowed in MH_DYLIB files
-         case $cc_basename in
-           xlc*)
-           _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-qnocommon'
-           _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-           ;;
-         esac
-       ;;
-      dgux*)
-	case $cc_basename in
-	  ec++*)
-	    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
-	    ;;
-	  ghcx*)
-	    # Green Hills C++ Compiler
-	    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-pic'
-	    ;;
-	  *)
-	    ;;
-	esac
-	;;
-      freebsd* | dragonfly*)
-	# FreeBSD uses GNU C++
-	;;
-      hpux9* | hpux10* | hpux11*)
-	case $cc_basename in
-	  CC*)
-	    _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-	    _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='${wl}-a ${wl}archive'
-	    if test "$host_cpu" != ia64; then
-	      _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='+Z'
-	    fi
-	    ;;
-	  aCC*)
-	    _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-	    _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='${wl}-a ${wl}archive'
-	    case $host_cpu in
-	    hppa*64*|ia64*)
-	      # +Z the default
-	      ;;
-	    *)
-	      _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='+Z'
-	      ;;
-	    esac
-	    ;;
-	  *)
-	    ;;
-	esac
-	;;
-      interix*)
-	# This is c89, which is MS Visual C++ (no shared libs)
-	# Anyone wants to do a port?
-	;;
-      irix5* | irix6* | nonstopux*)
-	case $cc_basename in
-	  CC*)
-	    _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-	    _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
-	    # CC pic flag -KPIC is the default.
-	    ;;
-	  *)
-	    ;;
-	esac
-	;;
-      linux* | k*bsd*-gnu)
-	case $cc_basename in
-	  KCC*)
-	    # KAI C++ Compiler
-	    _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='--backend -Wl,'
-	    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
-	    ;;
-	  icpc* | ecpc*)
-	    # Intel C++
-	    _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-	    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
-	    _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-static'
-	    ;;
-	  pgCC* | pgcpp*)
-	    # Portland Group C++ compiler.
-	    _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-	    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-fpic'
-	    _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
-	    ;;
-	  cxx*)
-	    # Compaq C++
-	    # Make sure the PIC flag is empty.  It appears that all Alpha
-	    # Linux and Compaq Tru64 Unix objects are PIC.
-	    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)=
-	    _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
-	    ;;
-	  *)
-	    case `$CC -V 2>&1 | sed 5q` in
-	    *Sun\ C*)
-	      # Sun C++ 5.9
-	      _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
-	      _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
-	      _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Qoption ld '
-	      ;;
-	    esac
-	    ;;
-	esac
-	;;
-      lynxos*)
-	;;
-      m88k*)
-	;;
-      mvs*)
-	case $cc_basename in
-	  cxx*)
-	    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-W c,exportall'
-	    ;;
-	  *)
-	    ;;
-	esac
-	;;
-      netbsd* | netbsdelf*-gnu)
-	;;
-      osf3* | osf4* | osf5*)
-	case $cc_basename in
-	  KCC*)
-	    _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='--backend -Wl,'
-	    ;;
-	  RCC*)
-	    # Rational C++ 2.4.1
-	    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-pic'
-	    ;;
-	  cxx*)
-	    # Digital/Compaq C++
-	    _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-	    # Make sure the PIC flag is empty.  It appears that all Alpha
-	    # Linux and Compaq Tru64 Unix objects are PIC.
-	    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)=
-	    _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
-	    ;;
-	  *)
-	    ;;
-	esac
-	;;
-      psos*)
-	;;
-      solaris*)
-	case $cc_basename in
-	  CC*)
-	    # Sun C++ 4.2, 5.x and Centerline C++
-	    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
-	    _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
-	    _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Qoption ld '
-	    ;;
-	  gcx*)
-	    # Green Hills C++ Compiler
-	    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-PIC'
-	    ;;
-	  *)
-	    ;;
-	esac
-	;;
-      sunos4*)
+
+      sysv5* | sco3.2v5* | sco5v6*)
+	# Note: We can NOT use -z defs as we might desire, because we do not
+	# link with -lc, and that would cause any symbols used from libc to
+	# always be unresolved, which means just about no library would
+	# ever link correctly.  If we're not using GNU ld we use -z text
+	# though, which does catch some bad symbols but isn't as heavy-handed
+	# as -z defs.
+	_LT_TAGVAR(no_undefined_flag, $1)='${wl}-z,text'
+	_LT_TAGVAR(allow_undefined_flag, $1)='${wl}-z,nodefs'
+	_LT_TAGVAR(archive_cmds_need_lc, $1)=no
+	_LT_TAGVAR(hardcode_shlibpath_var, $1)=no
+	_LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-R,$libdir'
+	_LT_TAGVAR(hardcode_libdir_separator, $1)=':'
+	_LT_TAGVAR(link_all_deplibs, $1)=yes
+	_LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-Bexport'
+	runpath_var='LD_RUN_PATH'
+
 	case $cc_basename in
-	  CC*)
-	    # Sun C++ 4.x
-	    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-pic'
-	    _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
-	    ;;
-	  lcc*)
-	    # Lucid
-	    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-pic'
+          CC*)
+	    _LT_TAGVAR(archive_cmds, $1)='$CC -G ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+	    _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
 	    ;;
 	  *)
+	    _LT_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+	    _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
 	    ;;
 	esac
-	;;
+      ;;
+
       tandem*)
-	case $cc_basename in
-	  NCC*)
+        case $cc_basename in
+          NCC*)
 	    # NonStop-UX NCC 3.20
-	    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+	    # FIXME: insert proper C++ library support
+	    _LT_TAGVAR(ld_shlibs, $1)=no
 	    ;;
-	  *)
+          *)
+	    # FIXME: insert proper C++ library support
+	    _LT_TAGVAR(ld_shlibs, $1)=no
 	    ;;
-	esac
-	;;
-      sysv5* | unixware* | sco3.2v5* | sco5v6* | OpenUNIX*)
-	case $cc_basename in
-	  CC*)
-	    _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-	    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
-	    _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
-	    ;;
-	esac
-	;;
+        esac
+        ;;
+
       vxworks*)
-	;;
+        # FIXME: insert proper C++ library support
+        _LT_TAGVAR(ld_shlibs, $1)=no
+        ;;
+
       *)
-	_LT_AC_TAGVAR(lt_prog_compiler_can_build_shared, $1)=no
-	;;
+        # FIXME: insert proper C++ library support
+        _LT_TAGVAR(ld_shlibs, $1)=no
+        ;;
     esac
-  fi
-],
+
+    AC_MSG_RESULT([$_LT_TAGVAR(ld_shlibs, $1)])
+    test "$_LT_TAGVAR(ld_shlibs, $1)" = no && can_build_shared=no
+
+    _LT_TAGVAR(GCC, $1)="$GXX"
+    _LT_TAGVAR(LD, $1)="$LD"
+
+    ## CAVEAT EMPTOR:
+    ## There is no encapsulation within the following macros, do not change
+    ## the running order or otherwise move them around unless you know exactly
+    ## what you are doing...
+    _LT_SYS_HIDDEN_LIBDEPS($1)
+    _LT_COMPILER_PIC($1)
+    _LT_COMPILER_C_O($1)
+    _LT_COMPILER_FILE_LOCKS($1)
+    _LT_LINKER_SHLIBS($1)
+    _LT_SYS_DYNAMIC_LINKER($1)
+    _LT_LINKER_HARDCODE_LIBPATH($1)
+
+    _LT_CONFIG($1)
+  fi # test -n "$compiler"
+
+  CC=$lt_save_CC
+  LDCXX=$LD
+  LD=$lt_save_LD
+  GCC=$lt_save_GCC
+  with_gnu_ld=$lt_save_with_gnu_ld
+  lt_cv_path_LDCXX=$lt_cv_path_LD
+  lt_cv_path_LD=$lt_save_path_LD
+  lt_cv_prog_gnu_ldcxx=$lt_cv_prog_gnu_ld
+  lt_cv_prog_gnu_ld=$lt_save_with_gnu_ld
+fi # test "$_lt_caught_CXX_error" != yes
+
+AC_LANG_POP
+])# _LT_LANG_CXX_CONFIG
+
+
+# _LT_SYS_HIDDEN_LIBDEPS([TAGNAME])
+# ---------------------------------
+# Figure out "hidden" library dependencies from verbose
+# compiler output when linking a shared library.
+# Parse the compiler output and extract the necessary
+# objects, libraries and library flags.
+m4_defun([_LT_SYS_HIDDEN_LIBDEPS],
+[m4_require([_LT_FILEUTILS_DEFAULTS])dnl
+# Dependencies to place before and after the object being linked:
+_LT_TAGVAR(predep_objects, $1)=
+_LT_TAGVAR(postdep_objects, $1)=
+_LT_TAGVAR(predeps, $1)=
+_LT_TAGVAR(postdeps, $1)=
+_LT_TAGVAR(compiler_lib_search_path, $1)=
+
+dnl we can't use the lt_simple_compile_test_code here,
+dnl because it contains code intended for an executable,
+dnl not a library.  It's possible we should let each
+dnl tag define a new lt_????_link_test_code variable,
+dnl but it's only used here...
+m4_if([$1], [], [cat > conftest.$ac_ext <<_LT_EOF
+int a;
+void foo (void) { a = 0; }
+_LT_EOF
+], [$1], [CXX], [cat > conftest.$ac_ext <<_LT_EOF
+class Foo
+{
+public:
+  Foo (void) { a = 0; }
+private:
+  int a;
+};
+_LT_EOF
+], [$1], [F77], [cat > conftest.$ac_ext <<_LT_EOF
+      subroutine foo
+      implicit none
+      integer*4 a
+      a=0
+      return
+      end
+_LT_EOF
+], [$1], [FC], [cat > conftest.$ac_ext <<_LT_EOF
+      subroutine foo
+      implicit none
+      integer a
+      a=0
+      return
+      end
+_LT_EOF
+], [$1], [GCJ], [cat > conftest.$ac_ext <<_LT_EOF
+public class foo {
+  private int a;
+  public void bar (void) {
+    a = 0;
+  }
+};
+_LT_EOF
+])
+dnl Parse the compiler output and extract the necessary
+dnl objects, libraries and library flags.
+if AC_TRY_EVAL(ac_compile); then
+  # Parse the compiler output and extract the necessary
+  # objects, libraries and library flags.
+
+  # Sentinel used to keep track of whether or not we are before
+  # the conftest object file.
+  pre_test_object_deps_done=no
+
+  for p in `eval "$output_verbose_link_cmd"`; do
+    case $p in
+
+    -L* | -R* | -l*)
+       # Some compilers place space between "-{L,R}" and the path.
+       # Remove the space.
+       if test $p = "-L" ||
+          test $p = "-R"; then
+	 prev=$p
+	 continue
+       else
+	 prev=
+       fi
+
+       if test "$pre_test_object_deps_done" = no; then
+	 case $p in
+	 -L* | -R*)
+	   # Internal compiler library paths should come after those
+	   # provided the user.  The postdeps already come after the
+	   # user supplied libs so there is no need to process them.
+	   if test -z "$_LT_TAGVAR(compiler_lib_search_path, $1)"; then
+	     _LT_TAGVAR(compiler_lib_search_path, $1)="${prev}${p}"
+	   else
+	     _LT_TAGVAR(compiler_lib_search_path, $1)="${_LT_TAGVAR(compiler_lib_search_path, $1)} ${prev}${p}"
+	   fi
+	   ;;
+	 # The "-l" case would never come before the object being
+	 # linked, so don't bother handling this case.
+	 esac
+       else
+	 if test -z "$_LT_TAGVAR(postdeps, $1)"; then
+	   _LT_TAGVAR(postdeps, $1)="${prev}${p}"
+	 else
+	   _LT_TAGVAR(postdeps, $1)="${_LT_TAGVAR(postdeps, $1)} ${prev}${p}"
+	 fi
+       fi
+       ;;
+
+    *.$objext)
+       # This assumes that the test object file only shows up
+       # once in the compiler output.
+       if test "$p" = "conftest.$objext"; then
+	 pre_test_object_deps_done=yes
+	 continue
+       fi
+
+       if test "$pre_test_object_deps_done" = no; then
+	 if test -z "$_LT_TAGVAR(predep_objects, $1)"; then
+	   _LT_TAGVAR(predep_objects, $1)="$p"
+	 else
+	   _LT_TAGVAR(predep_objects, $1)="$_LT_TAGVAR(predep_objects, $1) $p"
+	 fi
+       else
+	 if test -z "$_LT_TAGVAR(postdep_objects, $1)"; then
+	   _LT_TAGVAR(postdep_objects, $1)="$p"
+	 else
+	   _LT_TAGVAR(postdep_objects, $1)="$_LT_TAGVAR(postdep_objects, $1) $p"
+	 fi
+       fi
+       ;;
+
+    *) ;; # Ignore the rest.
+
+    esac
+  done
+
+  # Clean up.
+  rm -f a.out a.exe
+else
+  echo "libtool.m4: error: problem compiling $1 test program"
+fi
+
+$RM -f confest.$objext
+
+# PORTME: override above test on systems where it is broken
+m4_if([$1], [CXX],
+[case $host_os in
+interix[[3-9]]*)
+  # Interix 3.5 installs completely hosed .la files for C++, so rather than
+  # hack all around it, let's just trust "g++" to DTRT.
+  _LT_TAGVAR(predep_objects,$1)=
+  _LT_TAGVAR(postdep_objects,$1)=
+  _LT_TAGVAR(postdeps,$1)=
+  ;;
+
+linux*)
+  case `$CC -V 2>&1 | sed 5q` in
+  *Sun\ C*)
+    # Sun C++ 5.9
+
+    # The more standards-conforming stlport4 library is
+    # incompatible with the Cstd library. Avoid specifying
+    # it if it's in CXXFLAGS. Ignore libCrun as
+    # -library=stlport4 depends on it.
+    case " $CXX $CXXFLAGS " in
+    *" -library=stlport4 "*)
+      solaris_use_stlport4=yes
+      ;;
+    esac
+
+    if test "$solaris_use_stlport4" != yes; then
+      _LT_TAGVAR(postdeps,$1)='-library=Cstd -library=Crun'
+    fi
+    ;;
+  esac
+  ;;
+
+solaris*)
+  case $cc_basename in
+  CC*)
+    # The more standards-conforming stlport4 library is
+    # incompatible with the Cstd library. Avoid specifying
+    # it if it's in CXXFLAGS. Ignore libCrun as
+    # -library=stlport4 depends on it.
+    case " $CXX $CXXFLAGS " in
+    *" -library=stlport4 "*)
+      solaris_use_stlport4=yes
+      ;;
+    esac
+
+    # Adding this requires a known-good setup of shared libraries for
+    # Sun compiler versions before 5.6, else PIC objects from an old
+    # archive will be linked into the output, leading to subtle bugs.
+    if test "$solaris_use_stlport4" != yes; then
+      _LT_TAGVAR(postdeps,$1)='-library=Cstd -library=Crun'
+    fi
+    ;;
+  esac
+  ;;
+esac
+])
+
+case " $_LT_TAGVAR(postdeps, $1) " in
+*" -lc "*) _LT_TAGVAR(archive_cmds_need_lc, $1)=no ;;
+esac
+ _LT_TAGVAR(compiler_lib_search_dirs, $1)=
+if test -n "${_LT_TAGVAR(compiler_lib_search_path, $1)}"; then
+ _LT_TAGVAR(compiler_lib_search_dirs, $1)=`echo " ${_LT_TAGVAR(compiler_lib_search_path, $1)}" | ${SED} -e 's! -L! !g' -e 's!^ !!'`
+fi
+_LT_TAGDECL([], [compiler_lib_search_dirs], [1],
+    [The directories searched by this compiler when creating a shared library])
+_LT_TAGDECL([], [predep_objects], [1],
+    [Dependencies to place before and after the objects being linked to
+    create a shared library])
+_LT_TAGDECL([], [postdep_objects], [1])
+_LT_TAGDECL([], [predeps], [1])
+_LT_TAGDECL([], [postdeps], [1])
+_LT_TAGDECL([], [compiler_lib_search_path], [1],
+    [The library search path used internally by the compiler when linking
+    a shared library])
+])# _LT_SYS_HIDDEN_LIBDEPS
+
+
+# _LT_PROG_F77
+# ------------
+# Since AC_PROG_F77 is broken, in that it returns the empty string
+# if there is no fortran compiler, we have our own version here.
+m4_defun([_LT_PROG_F77],
 [
-  if test "$GCC" = yes; then
-    _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-    _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-static'
+pushdef([AC_MSG_ERROR], [_lt_disable_F77=yes])
+AC_PROG_F77
+if test -z "$F77" || test "X$F77" = "Xno"; then
+  _lt_disable_F77=yes
+fi
+popdef([AC_MSG_ERROR])
+])# _LT_PROG_F77
+
+dnl aclocal-1.4 backwards compatibility:
+dnl AC_DEFUN([_LT_PROG_F77], [])
+
+
+# _LT_LANG_F77_CONFIG([TAG])
+# --------------------------
+# Ensure that the configuration variables for a Fortran 77 compiler are
+# suitably defined.  These variables are subsequently used by _LT_CONFIG
+# to write the compiler configuration to `libtool'.
+m4_defun([_LT_LANG_F77_CONFIG],
+[AC_REQUIRE([_LT_PROG_F77])dnl
+AC_LANG_PUSH(Fortran 77)
+
+_LT_TAGVAR(archive_cmds_need_lc, $1)=no
+_LT_TAGVAR(allow_undefined_flag, $1)=
+_LT_TAGVAR(always_export_symbols, $1)=no
+_LT_TAGVAR(archive_expsym_cmds, $1)=
+_LT_TAGVAR(export_dynamic_flag_spec, $1)=
+_LT_TAGVAR(hardcode_direct, $1)=no
+_LT_TAGVAR(hardcode_direct_absolute, $1)=no
+_LT_TAGVAR(hardcode_libdir_flag_spec, $1)=
+_LT_TAGVAR(hardcode_libdir_flag_spec_ld, $1)=
+_LT_TAGVAR(hardcode_libdir_separator, $1)=
+_LT_TAGVAR(hardcode_minus_L, $1)=no
+_LT_TAGVAR(hardcode_automatic, $1)=no
+_LT_TAGVAR(inherit_rpath, $1)=no
+_LT_TAGVAR(module_cmds, $1)=
+_LT_TAGVAR(module_expsym_cmds, $1)=
+_LT_TAGVAR(link_all_deplibs, $1)=unknown
+_LT_TAGVAR(old_archive_cmds, $1)=$old_archive_cmds
+_LT_TAGVAR(no_undefined_flag, $1)=
+_LT_TAGVAR(whole_archive_flag_spec, $1)=
+_LT_TAGVAR(enable_shared_with_static_runtimes, $1)=no
+
+# Source file extension for f77 test sources.
+ac_ext=f
+
+# Object file extension for compiled f77 test sources.
+objext=o
+_LT_TAGVAR(objext, $1)=$objext
+
+# No sense in running all these tests if we already determined that
+# the F77 compiler isn't working.  Some variables (like enable_shared)
+# are currently assumed to apply to all compilers on this platform,
+# and will be corrupted by setting them based on a non-working compiler.
+if test "$_lt_disable_F77" != yes; then
+  # Code to be used in simple compile tests
+  lt_simple_compile_test_code="\
+      subroutine t
+      return
+      end
+"
+
+  # Code to be used in simple link tests
+  lt_simple_link_test_code="\
+      program t
+      end
+"
+
+  # ltmain only uses $CC for tagged configurations so make sure $CC is set.
+  _LT_TAG_COMPILER
+
+  # save warnings/boilerplate of simple test code
+  _LT_COMPILER_BOILERPLATE
+  _LT_LINKER_BOILERPLATE
+
+  # Allow CC to be a program name with arguments.
+  lt_save_CC="$CC"
+  lt_save_GCC=$GCC
+  CC=${F77-"f77"}
+  compiler=$CC
+  _LT_TAGVAR(compiler, $1)=$CC
+  _LT_CC_BASENAME([$compiler])
+  GCC=$G77
+  if test -n "$compiler"; then
+    AC_MSG_CHECKING([if libtool supports shared libraries])
+    AC_MSG_RESULT([$can_build_shared])
+
+    AC_MSG_CHECKING([whether to build shared libraries])
+    test "$can_build_shared" = "no" && enable_shared=no
+
+    # On AIX, shared libraries and static libraries use the same namespace, and
+    # are all built from PIC.
+    case $host_os in
+      aix3*)
+        test "$enable_shared" = yes && enable_static=no
+        if test -n "$RANLIB"; then
+          archive_cmds="$archive_cmds~\$RANLIB \$lib"
+          postinstall_cmds='$RANLIB $lib'
+        fi
+        ;;
+      aix[[4-9]]*)
+	if test "$host_cpu" != ia64 && test "$aix_use_runtimelinking" = no ; then
+	  test "$enable_shared" = yes && enable_static=no
+	fi
+        ;;
+    esac
+    AC_MSG_RESULT([$enable_shared])
+
+    AC_MSG_CHECKING([whether to build static libraries])
+    # Make sure either enable_shared or enable_static is yes.
+    test "$enable_shared" = yes || enable_static=yes
+    AC_MSG_RESULT([$enable_static])
+
+    _LT_TAGVAR(GCC, $1)="$G77"
+    _LT_TAGVAR(LD, $1)="$LD"
+
+    ## CAVEAT EMPTOR:
+    ## There is no encapsulation within the following macros, do not change
+    ## the running order or otherwise move them around unless you know exactly
+    ## what you are doing...
+    _LT_COMPILER_PIC($1)
+    _LT_COMPILER_C_O($1)
+    _LT_COMPILER_FILE_LOCKS($1)
+    _LT_LINKER_SHLIBS($1)
+    _LT_SYS_DYNAMIC_LINKER($1)
+    _LT_LINKER_HARDCODE_LIBPATH($1)
+
+    _LT_CONFIG($1)
+  fi # test -n "$compiler"
+
+  GCC=$lt_save_GCC
+  CC="$lt_save_CC"
+fi # test "$_lt_disable_F77" != yes
+
+AC_LANG_POP
+])# _LT_LANG_F77_CONFIG
+
+
+# _LT_PROG_FC
+# -----------
+# Since AC_PROG_FC is broken, in that it returns the empty string
+# if there is no fortran compiler, we have our own version here.
+m4_defun([_LT_PROG_FC],
+[
+pushdef([AC_MSG_ERROR], [_lt_disable_FC=yes])
+AC_PROG_FC
+if test -z "$FC" || test "X$FC" = "Xno"; then
+  _lt_disable_FC=yes
+fi
+popdef([AC_MSG_ERROR])
+])# _LT_PROG_FC
+
+dnl aclocal-1.4 backwards compatibility:
+dnl AC_DEFUN([_LT_PROG_FC], [])
+
+
+# _LT_LANG_FC_CONFIG([TAG])
+# -------------------------
+# Ensure that the configuration variables for a Fortran compiler are
+# suitably defined.  These variables are subsequently used by _LT_CONFIG
+# to write the compiler configuration to `libtool'.
+m4_defun([_LT_LANG_FC_CONFIG],
+[AC_REQUIRE([_LT_PROG_FC])dnl
+AC_LANG_PUSH(Fortran)
+
+_LT_TAGVAR(archive_cmds_need_lc, $1)=no
+_LT_TAGVAR(allow_undefined_flag, $1)=
+_LT_TAGVAR(always_export_symbols, $1)=no
+_LT_TAGVAR(archive_expsym_cmds, $1)=
+_LT_TAGVAR(export_dynamic_flag_spec, $1)=
+_LT_TAGVAR(hardcode_direct, $1)=no
+_LT_TAGVAR(hardcode_direct_absolute, $1)=no
+_LT_TAGVAR(hardcode_libdir_flag_spec, $1)=
+_LT_TAGVAR(hardcode_libdir_flag_spec_ld, $1)=
+_LT_TAGVAR(hardcode_libdir_separator, $1)=
+_LT_TAGVAR(hardcode_minus_L, $1)=no
+_LT_TAGVAR(hardcode_automatic, $1)=no
+_LT_TAGVAR(inherit_rpath, $1)=no
+_LT_TAGVAR(module_cmds, $1)=
+_LT_TAGVAR(module_expsym_cmds, $1)=
+_LT_TAGVAR(link_all_deplibs, $1)=unknown
+_LT_TAGVAR(old_archive_cmds, $1)=$old_archive_cmds
+_LT_TAGVAR(no_undefined_flag, $1)=
+_LT_TAGVAR(whole_archive_flag_spec, $1)=
+_LT_TAGVAR(enable_shared_with_static_runtimes, $1)=no
+
+# Source file extension for fc test sources.
+ac_ext=${ac_fc_srcext-f}
+
+# Object file extension for compiled fc test sources.
+objext=o
+_LT_TAGVAR(objext, $1)=$objext
+
+# No sense in running all these tests if we already determined that
+# the FC compiler isn't working.  Some variables (like enable_shared)
+# are currently assumed to apply to all compilers on this platform,
+# and will be corrupted by setting them based on a non-working compiler.
+if test "$_lt_disable_FC" != yes; then
+  # Code to be used in simple compile tests
+  lt_simple_compile_test_code="\
+      subroutine t
+      return
+      end
+"
+
+  # Code to be used in simple link tests
+  lt_simple_link_test_code="\
+      program t
+      end
+"
+
+  # ltmain only uses $CC for tagged configurations so make sure $CC is set.
+  _LT_TAG_COMPILER
+
+  # save warnings/boilerplate of simple test code
+  _LT_COMPILER_BOILERPLATE
+  _LT_LINKER_BOILERPLATE
+
+  # Allow CC to be a program name with arguments.
+  lt_save_CC="$CC"
+  lt_save_GCC=$GCC
+  CC=${FC-"f95"}
+  compiler=$CC
+  GCC=$ac_cv_fc_compiler_gnu
+
+  _LT_TAGVAR(compiler, $1)=$CC
+  _LT_CC_BASENAME([$compiler])
+
+  if test -n "$compiler"; then
+    AC_MSG_CHECKING([if libtool supports shared libraries])
+    AC_MSG_RESULT([$can_build_shared])
+
+    AC_MSG_CHECKING([whether to build shared libraries])
+    test "$can_build_shared" = "no" && enable_shared=no
+
+    # On AIX, shared libraries and static libraries use the same namespace, and
+    # are all built from PIC.
+    case $host_os in
+      aix3*)
+        test "$enable_shared" = yes && enable_static=no
+        if test -n "$RANLIB"; then
+          archive_cmds="$archive_cmds~\$RANLIB \$lib"
+          postinstall_cmds='$RANLIB $lib'
+        fi
+        ;;
+      aix[[4-9]]*)
+	if test "$host_cpu" != ia64 && test "$aix_use_runtimelinking" = no ; then
+	  test "$enable_shared" = yes && enable_static=no
+	fi
+        ;;
+    esac
+    AC_MSG_RESULT([$enable_shared])
+
+    AC_MSG_CHECKING([whether to build static libraries])
+    # Make sure either enable_shared or enable_static is yes.
+    test "$enable_shared" = yes || enable_static=yes
+    AC_MSG_RESULT([$enable_static])
+
+    _LT_TAGVAR(GCC, $1)="$ac_cv_fc_compiler_gnu"
+    _LT_TAGVAR(LD, $1)="$LD"
+
+    ## CAVEAT EMPTOR:
+    ## There is no encapsulation within the following macros, do not change
+    ## the running order or otherwise move them around unless you know exactly
+    ## what you are doing...
+    _LT_SYS_HIDDEN_LIBDEPS($1)
+    _LT_COMPILER_PIC($1)
+    _LT_COMPILER_C_O($1)
+    _LT_COMPILER_FILE_LOCKS($1)
+    _LT_LINKER_SHLIBS($1)
+    _LT_SYS_DYNAMIC_LINKER($1)
+    _LT_LINKER_HARDCODE_LIBPATH($1)
+
+    _LT_CONFIG($1)
+  fi # test -n "$compiler"
+
+  GCC=$lt_save_GCC
+  CC="$lt_save_CC"
+fi # test "$_lt_disable_FC" != yes
 
-    case $host_os in
-      aix*)
-      # All AIX code is PIC.
-      if test "$host_cpu" = ia64; then
-	# AIX 5 now supports IA64 processor
-	_LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
-      fi
-      ;;
+AC_LANG_POP
+])# _LT_LANG_FC_CONFIG
 
-    amigaos*)
-      # FIXME: we need at least 68020 code to build shared libraries, but
-      # adding the `-m68020' flag to GCC prevents building anything better,
-      # like `-m68040'.
-      _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-m68020 -resident32 -malways-restore-a4'
-      ;;
 
-    beos* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*)
-      # PIC is the default for these OSes.
-      ;;
+# _LT_LANG_GCJ_CONFIG([TAG])
+# --------------------------
+# Ensure that the configuration variables for the GNU Java Compiler compiler
+# are suitably defined.  These variables are subsequently used by _LT_CONFIG
+# to write the compiler configuration to `libtool'.
+m4_defun([_LT_LANG_GCJ_CONFIG],
+[AC_REQUIRE([LT_PROG_GCJ])dnl
+AC_LANG_SAVE
 
-    mingw* | cygwin* | pw32* | os2*)
-      # This hack is so that the source file can tell whether it is being
-      # built for inclusion in a dll (and should export symbols for example).
-      # Although the cygwin gcc ignores -fPIC, still need this for old-style
-      # (--disable-auto-import) libraries
-      m4_if([$1], [GCJ], [],
-	[_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-DDLL_EXPORT'])
-      ;;
+# Source file extension for Java test sources.
+ac_ext=java
 
-    darwin* | rhapsody*)
-      # PIC is the default on this platform
-      # Common symbols not allowed in MH_DYLIB files
-      _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-fno-common'
-      ;;
+# Object file extension for compiled Java test sources.
+objext=o
+_LT_TAGVAR(objext, $1)=$objext
 
-    interix[[3-9]]*)
-      # Interix 3.x gcc -fpic/-fPIC options generate broken code.
-      # Instead, we relocate shared libraries at runtime.
-      ;;
+# Code to be used in simple compile tests
+lt_simple_compile_test_code="class foo {}"
 
-    msdosdjgpp*)
-      # Just because we use GCC doesn't mean we suddenly get shared libraries
-      # on systems that don't support them.
-      _LT_AC_TAGVAR(lt_prog_compiler_can_build_shared, $1)=no
-      enable_shared=no
-      ;;
+# Code to be used in simple link tests
+lt_simple_link_test_code='public class conftest { public static void main(String[[]] argv) {}; }'
 
-    sysv4*MP*)
-      if test -d /usr/nec; then
-	_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)=-Kconform_pic
-      fi
-      ;;
+# ltmain only uses $CC for tagged configurations so make sure $CC is set.
+_LT_TAG_COMPILER
 
-    hpux*)
-      # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but
-      # not for PA HP-UX.
-      case $host_cpu in
-      hppa*64*|ia64*)
-	# +Z the default
-	;;
-      *)
-	_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
-	;;
-      esac
-      ;;
+# save warnings/boilerplate of simple test code
+_LT_COMPILER_BOILERPLATE
+_LT_LINKER_BOILERPLATE
 
-    *)
-      _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
-      ;;
-    esac
-  else
-    # PORTME Check for flag to pass linker flags through the system compiler.
-    case $host_os in
-    aix*)
-      _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-      if test "$host_cpu" = ia64; then
-	# AIX 5 now supports IA64 processor
-	_LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
-      else
-	_LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-bnso -bI:/lib/syscalls.exp'
-      fi
-      ;;
-      darwin*)
-        # PIC is the default on this platform
-        # Common symbols not allowed in MH_DYLIB files
-       case $cc_basename in
-         xlc*)
-         _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-qnocommon'
-         _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-         ;;
-       esac
-       ;;
+# Allow CC to be a program name with arguments.
+lt_save_CC="$CC"
+lt_save_GCC=$GCC
+GCC=yes
+CC=${GCJ-"gcj"}
+compiler=$CC
+_LT_TAGVAR(compiler, $1)=$CC
+_LT_TAGVAR(LD, $1)="$LD"
+_LT_CC_BASENAME([$compiler])
 
-    mingw* | cygwin* | pw32* | os2*)
-      # This hack is so that the source file can tell whether it is being
-      # built for inclusion in a dll (and should export symbols for example).
-      m4_if([$1], [GCJ], [],
-	[_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-DDLL_EXPORT'])
-      ;;
+# GCJ did not exist at the time GCC didn't implicitly link libc in.
+_LT_TAGVAR(archive_cmds_need_lc, $1)=no
 
-    hpux9* | hpux10* | hpux11*)
-      _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-      # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but
-      # not for PA HP-UX.
-      case $host_cpu in
-      hppa*64*|ia64*)
-	# +Z the default
-	;;
-      *)
-	_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='+Z'
-	;;
-      esac
-      # Is there a better lt_prog_compiler_static that works with the bundled CC?
-      _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='${wl}-a ${wl}archive'
-      ;;
+_LT_TAGVAR(old_archive_cmds, $1)=$old_archive_cmds
 
-    irix5* | irix6* | nonstopux*)
-      _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-      # PIC (with -KPIC) is the default.
-      _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
-      ;;
+if test -n "$compiler"; then
+  _LT_COMPILER_NO_RTTI($1)
+  _LT_COMPILER_PIC($1)
+  _LT_COMPILER_C_O($1)
+  _LT_COMPILER_FILE_LOCKS($1)
+  _LT_LINKER_SHLIBS($1)
+  _LT_LINKER_HARDCODE_LIBPATH($1)
 
-    newsos6)
-      _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
-      _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
-      ;;
+  _LT_CONFIG($1)
+fi
 
-    linux* | k*bsd*-gnu)
-      case $cc_basename in
-      icc* | ecc*)
-	_LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-	_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
-	_LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-static'
-        ;;
-      pgcc* | pgf77* | pgf90* | pgf95*)
-        # Portland Group compilers (*not* the Pentium gcc compiler,
-	# which looks to be a dead project)
-	_LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-	_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-fpic'
-	_LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
-        ;;
-      ccc*)
-        _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-        # All Alpha code is PIC.
-        _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
-        ;;
-      *)
-        case `$CC -V 2>&1 | sed 5q` in
-	*Sun\ C*)
-	  # Sun C 5.9
-	  _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
-	  _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
-	  _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-	  ;;
-	*Sun\ F*)
-	  # Sun Fortran 8.3 passes all unrecognized flags to the linker
-	  _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
-	  _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
-	  _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)=''
-	  ;;
-	esac
-	;;
-      esac
-      ;;
+AC_LANG_RESTORE
 
-    osf3* | osf4* | osf5*)
-      _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-      # All OSF/1 code is PIC.
-      _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
-      ;;
+GCC=$lt_save_GCC
+CC="$lt_save_CC"
+])# _LT_LANG_GCJ_CONFIG
 
-    rdos*)
-      _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
-      ;;
 
-    solaris*)
-      _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
-      _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
-      case $cc_basename in
-      f77* | f90* | f95*)
-	_LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Qoption ld ';;
-      *)
-	_LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,';;
-      esac
-      ;;
+# _LT_LANG_RC_CONFIG([TAG])
+# -------------------------
+# Ensure that the configuration variables for the Windows resource compiler
+# are suitably defined.  These variables are subsequently used by _LT_CONFIG
+# to write the compiler configuration to `libtool'.
+m4_defun([_LT_LANG_RC_CONFIG],
+[AC_REQUIRE([LT_PROG_RC])dnl
+AC_LANG_SAVE
 
-    sunos4*)
-      _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Qoption ld '
-      _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-PIC'
-      _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
-      ;;
+# Source file extension for RC test sources.
+ac_ext=rc
 
-    sysv4 | sysv4.2uw2* | sysv4.3*)
-      _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-      _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
-      _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
-      ;;
+# Object file extension for compiled RC test sources.
+objext=o
+_LT_TAGVAR(objext, $1)=$objext
 
-    sysv4*MP*)
-      if test -d /usr/nec ;then
-	_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-Kconform_pic'
-	_LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
-      fi
-      ;;
+# Code to be used in simple compile tests
+lt_simple_compile_test_code='sample MENU { MENUITEM "&Soup", 100, CHECKED }'
 
-    sysv5* | unixware* | sco3.2v5* | sco5v6* | OpenUNIX*)
-      _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-      _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
-      _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
-      ;;
+# Code to be used in simple link tests
+lt_simple_link_test_code="$lt_simple_compile_test_code"
 
-    unicos*)
-      _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-      _LT_AC_TAGVAR(lt_prog_compiler_can_build_shared, $1)=no
-      ;;
+# ltmain only uses $CC for tagged configurations so make sure $CC is set.
+_LT_TAG_COMPILER
+
+# save warnings/boilerplate of simple test code
+_LT_COMPILER_BOILERPLATE
+_LT_LINKER_BOILERPLATE
+
+# Allow CC to be a program name with arguments.
+lt_save_CC="$CC"
+lt_save_GCC=$GCC
+GCC=
+CC=${RC-"windres"}
+compiler=$CC
+_LT_TAGVAR(compiler, $1)=$CC
+_LT_CC_BASENAME([$compiler])
+_LT_TAGVAR(lt_cv_prog_compiler_c_o, $1)=yes
+
+if test -n "$compiler"; then
+  :
+  _LT_CONFIG($1)
+fi
+
+GCC=$lt_save_GCC
+AC_LANG_RESTORE
+CC="$lt_save_CC"
+])# _LT_LANG_RC_CONFIG
+
+
+# LT_PROG_GCJ
+# -----------
+AC_DEFUN([LT_PROG_GCJ],
+[m4_ifdef([AC_PROG_GCJ], [AC_PROG_GCJ],
+  [m4_ifdef([A][M_PROG_GCJ], [A][M_PROG_GCJ],
+    [AC_CHECK_TOOL(GCJ, gcj,)
+      test "x${GCJFLAGS+set}" = xset || GCJFLAGS="-g -O2"
+      AC_SUBST(GCJFLAGS)])])[]dnl
+])
+
+# Old name:
+AU_ALIAS([LT_AC_PROG_GCJ], [LT_PROG_GCJ])
+dnl aclocal-1.4 backwards compatibility:
+dnl AC_DEFUN([LT_AC_PROG_GCJ], [])
+
+
+# LT_PROG_RC
+# ----------
+AC_DEFUN([LT_PROG_RC],
+[AC_CHECK_TOOL(RC, windres,)
+])
+
+# Old name:
+AU_ALIAS([LT_AC_PROG_RC], [LT_PROG_RC])
+dnl aclocal-1.4 backwards compatibility:
+dnl AC_DEFUN([LT_AC_PROG_RC], [])
+
+
+# _LT_DECL_EGREP
+# --------------
+# If we don't have a new enough Autoconf to choose the best grep
+# available, choose the one first in the user's PATH.
+m4_defun([_LT_DECL_EGREP],
+[AC_REQUIRE([AC_PROG_EGREP])dnl
+AC_REQUIRE([AC_PROG_FGREP])dnl
+test -z "$GREP" && GREP=grep
+_LT_DECL([], [GREP], [1], [A grep program that handles long lines])
+_LT_DECL([], [EGREP], [1], [An ERE matcher])
+_LT_DECL([], [FGREP], [1], [A literal string matcher])
+dnl Non-bleeding-edge autoconf doesn't subst GREP, so do it here too
+AC_SUBST([GREP])
+])
+
+
+# _LT_DECL_SED
+# ------------
+# Check for a fully-functional sed program, that truncates
+# as few characters as possible.  Prefer GNU sed if found.
+m4_defun([_LT_DECL_SED],
+[AC_PROG_SED
+test -z "$SED" && SED=sed
+Xsed="$SED -e 1s/^X//"
+_LT_DECL([], [SED], [1], [A sed program that does not truncate output])
+_LT_DECL([], [Xsed], ["\$SED -e 1s/^X//"],
+    [Sed that helps us avoid accidentally triggering echo(1) options like -n])
+])# _LT_DECL_SED
+
+m4_ifndef([AC_PROG_SED], [
+# NOTE: This macro has been submitted for inclusion into   #
+#  GNU Autoconf as AC_PROG_SED.  When it is available in   #
+#  a released version of Autoconf we should remove this    #
+#  macro and use it instead.                               #
+
+m4_defun([AC_PROG_SED],
+[AC_MSG_CHECKING([for a sed that does not truncate output])
+AC_CACHE_VAL(lt_cv_path_SED,
+[# Loop through the user's path and test for sed and gsed.
+# Then use that list of sed's as ones to test for truncation.
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+  for lt_ac_prog in sed gsed; do
+    for ac_exec_ext in '' $ac_executable_extensions; do
+      if $as_executable_p "$as_dir/$lt_ac_prog$ac_exec_ext"; then
+        lt_ac_sed_list="$lt_ac_sed_list $as_dir/$lt_ac_prog$ac_exec_ext"
+      fi
+    done
+  done
+done
+IFS=$as_save_IFS
+lt_ac_max=0
+lt_ac_count=0
+# Add /usr/xpg4/bin/sed as it is typically found on Solaris
+# along with /bin/sed that truncates output.
+for lt_ac_sed in $lt_ac_sed_list /usr/xpg4/bin/sed; do
+  test ! -f $lt_ac_sed && continue
+  cat /dev/null > conftest.in
+  lt_ac_count=0
+  echo $ECHO_N "0123456789$ECHO_C" >conftest.in
+  # Check for GNU sed and select it if it is found.
+  if "$lt_ac_sed" --version 2>&1 < /dev/null | grep 'GNU' > /dev/null; then
+    lt_cv_path_SED=$lt_ac_sed
+    break
+  fi
+  while true; do
+    cat conftest.in conftest.in >conftest.tmp
+    mv conftest.tmp conftest.in
+    cp conftest.in conftest.nl
+    echo >>conftest.nl
+    $lt_ac_sed -e 's/a$//' < conftest.nl >conftest.out || break
+    cmp -s conftest.out conftest.nl || break
+    # 10000 chars as input seems more than enough
+    test $lt_ac_count -gt 10 && break
+    lt_ac_count=`expr $lt_ac_count + 1`
+    if test $lt_ac_count -gt $lt_ac_max; then
+      lt_ac_max=$lt_ac_count
+      lt_cv_path_SED=$lt_ac_sed
+    fi
+  done
+done
+])
+SED=$lt_cv_path_SED
+AC_SUBST([SED])
+AC_MSG_RESULT([$SED])
+])#AC_PROG_SED
+])#m4_ifndef
 
-    uts4*)
-      _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-pic'
-      _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
-      ;;
+# Old name:
+AU_ALIAS([LT_AC_PROG_SED], [AC_PROG_SED])
+dnl aclocal-1.4 backwards compatibility:
+dnl AC_DEFUN([LT_AC_PROG_SED], [])
 
-    *)
-      _LT_AC_TAGVAR(lt_prog_compiler_can_build_shared, $1)=no
-      ;;
-    esac
-  fi
-])
-AC_MSG_RESULT([$_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)])
 
-#
-# Check to make sure the PIC flag actually works.
-#
-if test -n "$_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)"; then
-  AC_LIBTOOL_COMPILER_OPTION([if $compiler PIC flag $_LT_AC_TAGVAR(lt_prog_compiler_pic, $1) works],
-    _LT_AC_TAGVAR(lt_cv_prog_compiler_pic_works, $1),
-    [$_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)ifelse([$1],[],[ -DPIC],[ifelse([$1],[CXX],[ -DPIC],[])])], [],
-    [case $_LT_AC_TAGVAR(lt_prog_compiler_pic, $1) in
-     "" | " "*) ;;
-     *) _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)=" $_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)" ;;
-     esac],
-    [_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)=
-     _LT_AC_TAGVAR(lt_prog_compiler_can_build_shared, $1)=no])
+# _LT_CHECK_SHELL_FEATURES
+# ------------------------
+# Find out whether the shell is Bourne or XSI compatible,
+# or has some other useful features.
+m4_defun([_LT_CHECK_SHELL_FEATURES],
+[AC_MSG_CHECKING([whether the shell understands some XSI constructs])
+# Try some XSI features
+xsi_shell=no
+( _lt_dummy="a/b/c"
+  test "${_lt_dummy##*/},${_lt_dummy%/*},"${_lt_dummy%"$_lt_dummy"}, \
+      = c,a/b,, \
+    && eval 'test $(( 1 + 1 )) -eq 2 \
+    && test "${#_lt_dummy}" -eq 5' ) >/dev/null 2>&1 \
+  && xsi_shell=yes
+AC_MSG_RESULT([$xsi_shell])
+_LT_CONFIG_LIBTOOL_INIT([xsi_shell='$xsi_shell'])
+
+AC_MSG_CHECKING([whether the shell understands "+="])
+lt_shell_append=no
+( foo=bar; set foo baz; eval "$[1]+=\$[2]" && test "$foo" = barbaz ) \
+    >/dev/null 2>&1 \
+  && lt_shell_append=yes
+AC_MSG_RESULT([$lt_shell_append])
+_LT_CONFIG_LIBTOOL_INIT([lt_shell_append='$lt_shell_append'])
+
+if ( (MAIL=60; unset MAIL) || exit) >/dev/null 2>&1; then
+  lt_unset=unset
+else
+  lt_unset=false
 fi
-case $host_os in
-  # For platforms which do not support PIC, -DPIC is meaningless:
-  *djgpp*)
-    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)=
-    ;;
-  *)
-    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)="$_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)ifelse([$1],[],[ -DPIC],[ifelse([$1],[CXX],[ -DPIC],[])])"
-    ;;
+_LT_DECL([], [lt_unset], [0], [whether the shell understands "unset"])dnl
+
+# test EBCDIC or ASCII
+case `echo X|tr X '\101'` in
+ A) # ASCII based system
+    # \n is not interpreted correctly by Solaris 8 /usr/ucb/tr
+  lt_SP2NL='tr \040 \012'
+  lt_NL2SP='tr \015\012 \040\040'
+  ;;
+ *) # EBCDIC based system
+  lt_SP2NL='tr \100 \n'
+  lt_NL2SP='tr \r\n \100\100'
+  ;;
 esac
+_LT_DECL([SP2NL], [lt_SP2NL], [1], [turn spaces into newlines])dnl
+_LT_DECL([NL2SP], [lt_NL2SP], [1], [turn newlines into spaces])dnl
+])# _LT_CHECK_SHELL_FEATURES
 
-#
-# Check to make sure the static flag actually works.
-#
-wl=$_LT_AC_TAGVAR(lt_prog_compiler_wl, $1) eval lt_tmp_static_flag=\"$_LT_AC_TAGVAR(lt_prog_compiler_static, $1)\"
-AC_LIBTOOL_LINKER_OPTION([if $compiler static flag $lt_tmp_static_flag works],
-  _LT_AC_TAGVAR(lt_cv_prog_compiler_static_works, $1),
-  $lt_tmp_static_flag,
-  [],
-  [_LT_AC_TAGVAR(lt_prog_compiler_static, $1)=])
-])
 
+# _LT_PROG_XSI_SHELLFNS
+# ---------------------
+# Bourne and XSI compatible variants of some useful shell functions.
+m4_defun([_LT_PROG_XSI_SHELLFNS],
+[case $xsi_shell in
+  yes)
+    cat << \_LT_EOF >> "$cfgfile"
+
+# func_dirname file append nondir_replacement
+# Compute the dirname of FILE.  If nonempty, add APPEND to the result,
+# otherwise set result to NONDIR_REPLACEMENT.
+func_dirname ()
+{
+  case ${1} in
+    */*) func_dirname_result="${1%/*}${2}" ;;
+    *  ) func_dirname_result="${3}" ;;
+  esac
+}
+
+# func_basename file
+func_basename ()
+{
+  func_basename_result="${1##*/}"
+}
 
-# AC_LIBTOOL_PROG_LD_SHLIBS([TAGNAME])
-# ------------------------------------
-# See if the linker supports building shared libraries.
-AC_DEFUN([AC_LIBTOOL_PROG_LD_SHLIBS],
-[AC_REQUIRE([LT_AC_PROG_SED])dnl
-AC_MSG_CHECKING([whether the $compiler linker ($LD) supports shared libraries])
-ifelse([$1],[CXX],[
-  _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols'
-  case $host_os in
-  aix[[4-9]]*)
-    # If we're using GNU nm, then we don't want the "-C" option.
-    # -C means demangle to AIX nm, but means don't demangle with GNU nm
-    if $NM -V 2>&1 | grep 'GNU' > /dev/null; then
-      _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM -Bpg $libobjs $convenience | awk '\''{ if (((\[$]2 == "T") || (\[$]2 == "D") || (\[$]2 == "B")) && ([substr](\[$]3,1,1) != ".")) { print \[$]3 } }'\'' | sort -u > $export_symbols'
-    else
-      _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM -BCpg $libobjs $convenience | awk '\''{ if (((\[$]2 == "T") || (\[$]2 == "D") || (\[$]2 == "B")) && ([substr](\[$]3,1,1) != ".")) { print \[$]3 } }'\'' | sort -u > $export_symbols'
-    fi
-    ;;
-  pw32*)
-    _LT_AC_TAGVAR(export_symbols_cmds, $1)="$ltdll_cmds"
-  ;;
-  cygwin* | mingw*)
-    _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[[BCDGRS]][[ ]]/s/.*[[ ]]\([[^ ]]*\)/\1 DATA/;/^.*[[ ]]__nm__/s/^.*[[ ]]__nm__\([[^ ]]*\)[[ ]][[^ ]]*/\1 DATA/;/^I[[ ]]/d;/^[[AITW]][[ ]]/s/.*[[ ]]//'\'' | sort | uniq > $export_symbols'
-  ;;
-  linux* | k*bsd*-gnu)
-    _LT_AC_TAGVAR(link_all_deplibs, $1)=no
-  ;;
-  *)
-    _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols'
-  ;;
+# func_dirname_and_basename file append nondir_replacement
+# perform func_basename and func_dirname in a single function
+# call:
+#   dirname:  Compute the dirname of FILE.  If nonempty,
+#             add APPEND to the result, otherwise set result
+#             to NONDIR_REPLACEMENT.
+#             value returned in "$func_dirname_result"
+#   basename: Compute filename of FILE.
+#             value retuned in "$func_basename_result"
+# Implementation must be kept synchronized with func_dirname
+# and func_basename. For efficiency, we do not delegate to
+# those functions but instead duplicate the functionality here.
+func_dirname_and_basename ()
+{
+  case ${1} in
+    */*) func_dirname_result="${1%/*}${2}" ;;
+    *  ) func_dirname_result="${3}" ;;
   esac
-  _LT_AC_TAGVAR(exclude_expsyms, $1)=['_GLOBAL_OFFSET_TABLE_|_GLOBAL__F[ID]_.*']
-],[
-  runpath_var=
-  _LT_AC_TAGVAR(allow_undefined_flag, $1)=
-  _LT_AC_TAGVAR(enable_shared_with_static_runtimes, $1)=no
-  _LT_AC_TAGVAR(archive_cmds, $1)=
-  _LT_AC_TAGVAR(archive_expsym_cmds, $1)=
-  _LT_AC_TAGVAR(old_archive_From_new_cmds, $1)=
-  _LT_AC_TAGVAR(old_archive_from_expsyms_cmds, $1)=
-  _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)=
-  _LT_AC_TAGVAR(whole_archive_flag_spec, $1)=
-  _LT_AC_TAGVAR(thread_safe_flag_spec, $1)=
-  _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)=
-  _LT_AC_TAGVAR(hardcode_libdir_flag_spec_ld, $1)=
-  _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=
-  _LT_AC_TAGVAR(hardcode_direct, $1)=no
-  _LT_AC_TAGVAR(hardcode_minus_L, $1)=no
-  _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=unsupported
-  _LT_AC_TAGVAR(link_all_deplibs, $1)=unknown
-  _LT_AC_TAGVAR(hardcode_automatic, $1)=no
-  _LT_AC_TAGVAR(module_cmds, $1)=
-  _LT_AC_TAGVAR(module_expsym_cmds, $1)=
-  _LT_AC_TAGVAR(always_export_symbols, $1)=no
-  _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols'
-  # include_expsyms should be a list of space-separated symbols to be *always*
-  # included in the symbol list
-  _LT_AC_TAGVAR(include_expsyms, $1)=
-  # exclude_expsyms can be an extended regexp of symbols to exclude
-  # it will be wrapped by ` (' and `)$', so one must not match beginning or
-  # end of line.  Example: `a|bc|.*d.*' will exclude the symbols `a' and `bc',
-  # as well as any symbol that contains `d'.
-  _LT_AC_TAGVAR(exclude_expsyms, $1)=['_GLOBAL_OFFSET_TABLE_|_GLOBAL__F[ID]_.*']
-  # Although _GLOBAL_OFFSET_TABLE_ is a valid symbol C name, most a.out
-  # platforms (ab)use it in PIC code, but their linkers get confused if
-  # the symbol is explicitly referenced.  Since portable code cannot
-  # rely on this symbol name, it's probably fine to never include it in
-  # preloaded symbol tables.
-  # Exclude shared library initialization/finalization symbols.
-dnl Note also adjust exclude_expsyms for C++ above.
-  extract_expsyms_cmds=
-  # Just being paranoid about ensuring that cc_basename is set.
-  _LT_CC_BASENAME([$compiler])
-  case $host_os in
-  cygwin* | mingw* | pw32*)
-    # FIXME: the MSVC++ port hasn't been tested in a loooong time
-    # When not using gcc, we currently assume that we are using
-    # Microsoft Visual C++.
-    if test "$GCC" != yes; then
-      with_gnu_ld=no
-    fi
-    ;;
-  interix*)
-    # we just hope/assume this is gcc and not c89 (= MSVC++)
-    with_gnu_ld=yes
-    ;;
-  openbsd*)
-    with_gnu_ld=no
-    ;;
+  func_basename_result="${1##*/}"
+}
+
+# func_stripname prefix suffix name
+# strip PREFIX and SUFFIX off of NAME.
+# PREFIX and SUFFIX must not contain globbing or regex special
+# characters, hashes, percent signs, but SUFFIX may contain a leading
+# dot (in which case that matches only a dot).
+func_stripname ()
+{
+  # pdksh 5.2.14 does not do ${X%$Y} correctly if both X and Y are
+  # positional parameters, so assign one to ordinary parameter first.
+  func_stripname_result=${3}
+  func_stripname_result=${func_stripname_result#"${1}"}
+  func_stripname_result=${func_stripname_result%"${2}"}
+}
+
+# func_opt_split
+func_opt_split ()
+{
+  func_opt_split_opt=${1%%=*}
+  func_opt_split_arg=${1#*=}
+}
+
+# func_lo2o object
+func_lo2o ()
+{
+  case ${1} in
+    *.lo) func_lo2o_result=${1%.lo}.${objext} ;;
+    *)    func_lo2o_result=${1} ;;
   esac
+}
 
-  _LT_AC_TAGVAR(ld_shlibs, $1)=yes
-  if test "$with_gnu_ld" = yes; then
-    # If archive_cmds runs LD, not CC, wlarc should be empty
-    wlarc='${wl}'
+# func_xform libobj-or-source
+func_xform ()
+{
+  func_xform_result=${1%.*}.lo
+}
 
-    # Set some defaults for GNU ld with shared library support. These
-    # are reset later if shared libraries are not supported. Putting them
-    # here allows them to be overridden if necessary.
-    runpath_var=LD_RUN_PATH
-    _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}--rpath ${wl}$libdir'
-    _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic'
-    # ancient GNU ld didn't support --whole-archive et. al.
-    if $LD --help 2>&1 | grep 'no-whole-archive' > /dev/null; then
-	_LT_AC_TAGVAR(whole_archive_flag_spec, $1)="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive'
-      else
-  	_LT_AC_TAGVAR(whole_archive_flag_spec, $1)=
-    fi
-    supports_anon_versioning=no
-    case `$LD -v 2>/dev/null` in
-      *\ [[01]].* | *\ 2.[[0-9]].* | *\ 2.10.*) ;; # catch versions < 2.11
-      *\ 2.11.93.0.2\ *) supports_anon_versioning=yes ;; # RH7.3 ...
-      *\ 2.11.92.0.12\ *) supports_anon_versioning=yes ;; # Mandrake 8.2 ...
-      *\ 2.11.*) ;; # other 2.11 versions
-      *) supports_anon_versioning=yes ;;
-    esac
+# func_arith arithmetic-term...
+func_arith ()
+{
+  func_arith_result=$(( $[*] ))
+}
 
-    # See if GNU ld supports shared libraries.
-    case $host_os in
-    aix[[3-9]]*)
-      # On AIX/PPC, the GNU linker is very broken
-      if test "$host_cpu" != ia64; then
-	_LT_AC_TAGVAR(ld_shlibs, $1)=no
-	cat <<EOF 1>&2
+# func_len string
+# STRING may not start with a hyphen.
+func_len ()
+{
+  func_len_result=${#1}
+}
 
-*** Warning: the GNU linker, at least up to release 2.9.1, is reported
-*** to be unable to reliably create shared libraries on AIX.
-*** Therefore, libtool is disabling shared libraries support.  If you
-*** really care for shared libraries, you may want to modify your PATH
-*** so that a non-GNU linker is found, and then restart.
+_LT_EOF
+    ;;
+  *) # Bourne compatible functions.
+    cat << \_LT_EOF >> "$cfgfile"
 
-EOF
-      fi
-      ;;
+# func_dirname file append nondir_replacement
+# Compute the dirname of FILE.  If nonempty, add APPEND to the result,
+# otherwise set result to NONDIR_REPLACEMENT.
+func_dirname ()
+{
+  # Extract subdirectory from the argument.
+  func_dirname_result=`$ECHO "X${1}" | $Xsed -e "$dirname"`
+  if test "X$func_dirname_result" = "X${1}"; then
+    func_dirname_result="${3}"
+  else
+    func_dirname_result="$func_dirname_result${2}"
+  fi
+}
 
-    amigaos*)
-      _LT_AC_TAGVAR(archive_cmds, $1)='$rm $output_objdir/a2ixlibrary.data~$echo "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$echo "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$echo "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$echo "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)'
-      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
-      _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes
-
-      # Samuel A. Falvo II <kc5tja@dolphin.openprojects.net> reports
-      # that the semantics of dynamic libraries on AmigaOS, at least up
-      # to version 4, is to share data among multiple programs linked
-      # with the same dynamic library.  Since this doesn't match the
-      # behavior of shared libraries on other platforms, we can't use
-      # them.
-      _LT_AC_TAGVAR(ld_shlibs, $1)=no
-      ;;
+# func_basename file
+func_basename ()
+{
+  func_basename_result=`$ECHO "X${1}" | $Xsed -e "$basename"`
+}
 
-    beos*)
-      if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
-	_LT_AC_TAGVAR(allow_undefined_flag, $1)=unsupported
-	# Joseph Beckenbach <jrb3@best.com> says some releases of gcc
-	# support --undefined.  This deserves some investigation.  FIXME
-	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -nostart $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
-      else
-	_LT_AC_TAGVAR(ld_shlibs, $1)=no
-      fi
-      ;;
+dnl func_dirname_and_basename
+dnl A portable version of this function is already defined in general.m4sh
+dnl so there is no need for it here.
+
+# func_stripname prefix suffix name
+# strip PREFIX and SUFFIX off of NAME.
+# PREFIX and SUFFIX must not contain globbing or regex special
+# characters, hashes, percent signs, but SUFFIX may contain a leading
+# dot (in which case that matches only a dot).
+# func_strip_suffix prefix name
+func_stripname ()
+{
+  case ${2} in
+    .*) func_stripname_result=`$ECHO "X${3}" \
+           | $Xsed -e "s%^${1}%%" -e "s%\\\\${2}\$%%"`;;
+    *)  func_stripname_result=`$ECHO "X${3}" \
+           | $Xsed -e "s%^${1}%%" -e "s%${2}\$%%"`;;
+  esac
+}
 
-    cygwin* | mingw* | pw32*)
-      # _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1) is actually meaningless,
-      # as there is no search path for DLLs.
-      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
-      _LT_AC_TAGVAR(allow_undefined_flag, $1)=unsupported
-      _LT_AC_TAGVAR(always_export_symbols, $1)=no
-      _LT_AC_TAGVAR(enable_shared_with_static_runtimes, $1)=yes
-      _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[[BCDGRS]][[ ]]/s/.*[[ ]]\([[^ ]]*\)/\1 DATA/'\'' -e '\''/^[[AITW]][[ ]]/s/.*[[ ]]//'\'' | sort | uniq > $export_symbols'
-
-      if $LD --help 2>&1 | grep 'auto-import' > /dev/null; then
-        _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
-	# If the export-symbols file already is a .def file (1st line
-	# is EXPORTS), use it as is; otherwise, prepend...
-	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then
-	  cp $export_symbols $output_objdir/$soname.def;
-	else
-	  echo EXPORTS > $output_objdir/$soname.def;
-	  cat $export_symbols >> $output_objdir/$soname.def;
-	fi~
-	$CC -shared $output_objdir/$soname.def $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
-      else
-	_LT_AC_TAGVAR(ld_shlibs, $1)=no
-      fi
-      ;;
+# sed scripts:
+my_sed_long_opt='1s/^\(-[[^=]]*\)=.*/\1/;q'
+my_sed_long_arg='1s/^-[[^=]]*=//'
 
-    interix[[3-9]]*)
-      _LT_AC_TAGVAR(hardcode_direct, $1)=no
-      _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
-      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
-      _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
-      # Hack: On Interix 3.x, we cannot compile PIC because of a broken gcc.
-      # Instead, shared libraries are loaded at an image base (0x10000000 by
-      # default) and relocated if they conflict, which is a slow very memory
-      # consuming and fragmenting process.  To avoid this, we pick a random,
-      # 256 KiB-aligned image base between 0x50000000 and 0x6FFC0000 at link
-      # time.  Moving up from 0x10000000 also allows more sbrk(2) space.
-      _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
-      _LT_AC_TAGVAR(archive_expsym_cmds, $1)='sed "s,^,_," $export_symbols >$output_objdir/$soname.expsym~$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--retain-symbols-file,$output_objdir/$soname.expsym ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
-      ;;
+# func_opt_split
+func_opt_split ()
+{
+  func_opt_split_opt=`$ECHO "X${1}" | $Xsed -e "$my_sed_long_opt"`
+  func_opt_split_arg=`$ECHO "X${1}" | $Xsed -e "$my_sed_long_arg"`
+}
 
-    gnu* | linux* | k*bsd*-gnu)
-      if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
-	tmp_addflag=
-	case $cc_basename,$host_cpu in
-	pgcc*)				# Portland Group C compiler
-	  _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}--no-whole-archive'
-	  tmp_addflag=' $pic_flag'
-	  ;;
-	pgf77* | pgf90* | pgf95*)	# Portland Group f77 and f90 compilers
-	  _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}--no-whole-archive'
-	  tmp_addflag=' $pic_flag -Mnomain' ;;
-	ecc*,ia64* | icc*,ia64*)		# Intel C compiler on ia64
-	  tmp_addflag=' -i_dynamic' ;;
-	efc*,ia64* | ifort*,ia64*)	# Intel Fortran compiler on ia64
-	  tmp_addflag=' -i_dynamic -nofor_main' ;;
-	ifc* | ifort*)			# Intel Fortran compiler
-	  tmp_addflag=' -nofor_main' ;;
-	esac
-	case `$CC -V 2>&1 | sed 5q` in
-	*Sun\ C*)			# Sun C 5.9
-	  _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`new_convenience=; for conv in $convenience\"\"; do test -z \"$conv\" || new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}--no-whole-archive'
-	  tmp_sharedflag='-G' ;;
-	*Sun\ F*)			# Sun Fortran 8.3
-	  tmp_sharedflag='-G' ;;
-	*)
-	  tmp_sharedflag='-shared' ;;
-	esac
-	_LT_AC_TAGVAR(archive_cmds, $1)='$CC '"$tmp_sharedflag""$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+# func_lo2o object
+func_lo2o ()
+{
+  func_lo2o_result=`$ECHO "X${1}" | $Xsed -e "$lo2o"`
+}
 
-	if test $supports_anon_versioning = yes; then
-	  _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$echo "{ global:" > $output_objdir/$libname.ver~
-  cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~
-  $echo "local: *; };" >> $output_objdir/$libname.ver~
-	  $CC '"$tmp_sharedflag""$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-version-script ${wl}$output_objdir/$libname.ver -o $lib'
-	fi
-	_LT_AC_TAGVAR(link_all_deplibs, $1)=no
-      else
-	_LT_AC_TAGVAR(ld_shlibs, $1)=no
-      fi
-      ;;
+# func_xform libobj-or-source
+func_xform ()
+{
+  func_xform_result=`$ECHO "X${1}" | $Xsed -e 's/\.[[^.]]*$/.lo/'`
+}
 
-    netbsd* | netbsdelf*-gnu)
-      if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
-	_LT_AC_TAGVAR(archive_cmds, $1)='$LD -Bshareable $libobjs $deplibs $linker_flags -o $lib'
-	wlarc=
-      else
-	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
-	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
-      fi
-      ;;
+# func_arith arithmetic-term...
+func_arith ()
+{
+  func_arith_result=`expr "$[@]"`
+}
 
-    solaris*)
-      if $LD -v 2>&1 | grep 'BFD 2\.8' > /dev/null; then
-	_LT_AC_TAGVAR(ld_shlibs, $1)=no
-	cat <<EOF 1>&2
+# func_len string
+# STRING may not start with a hyphen.
+func_len ()
+{
+  func_len_result=`expr "$[1]" : ".*" 2>/dev/null || echo $max_cmd_len`
+}
 
-*** Warning: The releases 2.8.* of the GNU linker cannot reliably
-*** create shared libraries on Solaris systems.  Therefore, libtool
-*** is disabling shared libraries support.  We urge you to upgrade GNU
-*** binutils to release 2.9.1 or newer.  Another option is to modify
-*** your PATH or compiler configuration so that the native linker is
-*** used, and then restart.
+_LT_EOF
+esac
 
-EOF
-      elif $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
-	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
-	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
-      else
-	_LT_AC_TAGVAR(ld_shlibs, $1)=no
-      fi
-      ;;
+case $lt_shell_append in
+  yes)
+    cat << \_LT_EOF >> "$cfgfile"
 
-    sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX*)
-      case `$LD -v 2>&1` in
-        *\ [[01]].* | *\ 2.[[0-9]].* | *\ 2.1[[0-5]].*)
-	_LT_AC_TAGVAR(ld_shlibs, $1)=no
-	cat <<_LT_EOF 1>&2
+# func_append var value
+# Append VALUE to the end of shell variable VAR.
+func_append ()
+{
+  eval "$[1]+=\$[2]"
+}
+_LT_EOF
+    ;;
+  *)
+    cat << \_LT_EOF >> "$cfgfile"
 
-*** Warning: Releases of the GNU linker prior to 2.16.91.0.3 can not
-*** reliably create shared libraries on SCO systems.  Therefore, libtool
-*** is disabling shared libraries support.  We urge you to upgrade GNU
-*** binutils to release 2.16.91.0.3 or newer.  Another option is to modify
-*** your PATH or compiler configuration so that the native linker is
-*** used, and then restart.
+# func_append var value
+# Append VALUE to the end of shell variable VAR.
+func_append ()
+{
+  eval "$[1]=\$$[1]\$[2]"
+}
 
 _LT_EOF
-	;;
-	*)
-	  if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
-	    _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='`test -z "$SCOABSPATH" && echo ${wl}-rpath,$libdir`'
-	    _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib'
-	    _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname,\${SCOABSPATH:+${install_libdir}/}$soname,-retain-symbols-file,$export_symbols -o $lib'
-	  else
-	    _LT_AC_TAGVAR(ld_shlibs, $1)=no
-	  fi
-	;;
-      esac
-      ;;
+    ;;
+  esac
+])
+
+# Helper functions for option handling.                    -*- Autoconf -*-
+#
+#   Copyright (C) 2004, 2005, 2007, 2008 Free Software Foundation, Inc.
+#   Written by Gary V. Vaughan, 2004
+#
+# This file is free software; the Free Software Foundation gives
+# unlimited permission to copy and/or distribute it, with or without
+# modifications, as long as this notice is preserved.
+
+# serial 6 ltoptions.m4
+
+# This is to help aclocal find these macros, as it can't see m4_define.
+AC_DEFUN([LTOPTIONS_VERSION], [m4_if([1])])
+
 
-    sunos4*)
-      _LT_AC_TAGVAR(archive_cmds, $1)='$LD -assert pure-text -Bshareable -o $lib $libobjs $deplibs $linker_flags'
-      wlarc=
-      _LT_AC_TAGVAR(hardcode_direct, $1)=yes
-      _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
-      ;;
+# _LT_MANGLE_OPTION(MACRO-NAME, OPTION-NAME)
+# ------------------------------------------
+m4_define([_LT_MANGLE_OPTION],
+[[_LT_OPTION_]m4_bpatsubst($1__$2, [[^a-zA-Z0-9_]], [_])])
 
-    *)
-      if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
-	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
-	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
-      else
-	_LT_AC_TAGVAR(ld_shlibs, $1)=no
-      fi
-      ;;
-    esac
 
-    if test "$_LT_AC_TAGVAR(ld_shlibs, $1)" = no; then
-      runpath_var=
-      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)=
-      _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)=
-      _LT_AC_TAGVAR(whole_archive_flag_spec, $1)=
-    fi
-  else
-    # PORTME fill in a description of your system's linker (not GNU ld)
-    case $host_os in
-    aix3*)
-      _LT_AC_TAGVAR(allow_undefined_flag, $1)=unsupported
-      _LT_AC_TAGVAR(always_export_symbols, $1)=yes
-      _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$LD -o $output_objdir/$soname $libobjs $deplibs $linker_flags -bE:$export_symbols -T512 -H512 -bM:SRE~$AR $AR_FLAGS $lib $output_objdir/$soname'
-      # Note: this linker hardcodes the directories in LIBPATH if there
-      # are no directories specified by -L.
-      _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes
-      if test "$GCC" = yes && test -z "$lt_prog_compiler_static"; then
-	# Neither direct hardcoding nor static linking is supported with a
-	# broken collect2.
-	_LT_AC_TAGVAR(hardcode_direct, $1)=unsupported
-      fi
-      ;;
+# _LT_SET_OPTION(MACRO-NAME, OPTION-NAME)
+# ---------------------------------------
+# Set option OPTION-NAME for macro MACRO-NAME, and if there is a
+# matching handler defined, dispatch to it.  Other OPTION-NAMEs are
+# saved as a flag.
+m4_define([_LT_SET_OPTION],
+[m4_define(_LT_MANGLE_OPTION([$1], [$2]))dnl
+m4_ifdef(_LT_MANGLE_DEFUN([$1], [$2]),
+        _LT_MANGLE_DEFUN([$1], [$2]),
+    [m4_warning([Unknown $1 option `$2'])])[]dnl
+])
 
-    aix[[4-9]]*)
-      if test "$host_cpu" = ia64; then
-	# On IA64, the linker does run time linking by default, so we don't
-	# have to do anything special.
-	aix_use_runtimelinking=no
-	exp_sym_flag='-Bexport'
-	no_entry_flag=""
-      else
-	# If we're using GNU nm, then we don't want the "-C" option.
-	# -C means demangle to AIX nm, but means don't demangle with GNU nm
-	if $NM -V 2>&1 | grep 'GNU' > /dev/null; then
-	  _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM -Bpg $libobjs $convenience | awk '\''{ if (((\[$]2 == "T") || (\[$]2 == "D") || (\[$]2 == "B")) && ([substr](\[$]3,1,1) != ".")) { print \[$]3 } }'\'' | sort -u > $export_symbols'
-	else
-	  _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM -BCpg $libobjs $convenience | awk '\''{ if (((\[$]2 == "T") || (\[$]2 == "D") || (\[$]2 == "B")) && ([substr](\[$]3,1,1) != ".")) { print \[$]3 } }'\'' | sort -u > $export_symbols'
-	fi
-	aix_use_runtimelinking=no
 
-	# Test if we are trying to use run time linking or normal
-	# AIX style linking. If -brtl is somewhere in LDFLAGS, we
-	# need to do runtime linking.
-	case $host_os in aix4.[[23]]|aix4.[[23]].*|aix[[5-9]]*)
-	  for ld_flag in $LDFLAGS; do
-  	  if (test $ld_flag = "-brtl" || test $ld_flag = "-Wl,-brtl"); then
-  	    aix_use_runtimelinking=yes
-  	    break
-  	  fi
-	  done
-	  ;;
-	esac
+# _LT_IF_OPTION(MACRO-NAME, OPTION-NAME, IF-SET, [IF-NOT-SET])
+# ------------------------------------------------------------
+# Execute IF-SET if OPTION is set, IF-NOT-SET otherwise.
+m4_define([_LT_IF_OPTION],
+[m4_ifdef(_LT_MANGLE_OPTION([$1], [$2]), [$3], [$4])])
+
+
+# _LT_UNLESS_OPTIONS(MACRO-NAME, OPTION-LIST, IF-NOT-SET)
+# -------------------------------------------------------
+# Execute IF-NOT-SET unless all options in OPTION-LIST for MACRO-NAME
+# are set.
+m4_define([_LT_UNLESS_OPTIONS],
+[m4_foreach([_LT_Option], m4_split(m4_normalize([$2])),
+	    [m4_ifdef(_LT_MANGLE_OPTION([$1], _LT_Option),
+		      [m4_define([$0_found])])])[]dnl
+m4_ifdef([$0_found], [m4_undefine([$0_found])], [$3
+])[]dnl
+])
 
-	exp_sym_flag='-bexport'
-	no_entry_flag='-bnoentry'
-      fi
 
-      # When large executables or shared objects are built, AIX ld can
-      # have problems creating the table of contents.  If linking a library
-      # or program results in "error TOC overflow" add -mminimal-toc to
-      # CXXFLAGS/CFLAGS for g++/gcc.  In the cases where that is not
-      # enough to fix the problem, add -Wl,-bbigtoc to LDFLAGS.
+# _LT_SET_OPTIONS(MACRO-NAME, OPTION-LIST)
+# ----------------------------------------
+# OPTION-LIST is a space-separated list of Libtool options associated
+# with MACRO-NAME.  If any OPTION has a matching handler declared with
+# LT_OPTION_DEFINE, dispatch to that macro; otherwise complain about
+# the unknown option and exit.
+m4_defun([_LT_SET_OPTIONS],
+[# Set options
+m4_foreach([_LT_Option], m4_split(m4_normalize([$2])),
+    [_LT_SET_OPTION([$1], _LT_Option)])
+
+m4_if([$1],[LT_INIT],[
+  dnl
+  dnl Simply set some default values (i.e off) if boolean options were not
+  dnl specified:
+  _LT_UNLESS_OPTIONS([LT_INIT], [dlopen], [enable_dlopen=no
+  ])
+  _LT_UNLESS_OPTIONS([LT_INIT], [win32-dll], [enable_win32_dll=no
+  ])
+  dnl
+  dnl If no reference was made to various pairs of opposing options, then
+  dnl we run the default mode handler for the pair.  For example, if neither
+  dnl `shared' nor `disable-shared' was passed, we enable building of shared
+  dnl archives by default:
+  _LT_UNLESS_OPTIONS([LT_INIT], [shared disable-shared], [_LT_ENABLE_SHARED])
+  _LT_UNLESS_OPTIONS([LT_INIT], [static disable-static], [_LT_ENABLE_STATIC])
+  _LT_UNLESS_OPTIONS([LT_INIT], [pic-only no-pic], [_LT_WITH_PIC])
+  _LT_UNLESS_OPTIONS([LT_INIT], [fast-install disable-fast-install],
+  		   [_LT_ENABLE_FAST_INSTALL])
+  ])
+])# _LT_SET_OPTIONS
 
-      _LT_AC_TAGVAR(archive_cmds, $1)=''
-      _LT_AC_TAGVAR(hardcode_direct, $1)=yes
-      _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=':'
-      _LT_AC_TAGVAR(link_all_deplibs, $1)=yes
 
-      if test "$GCC" = yes; then
-	case $host_os in aix4.[[012]]|aix4.[[012]].*)
-	# We only want to do this on AIX 4.2 and lower, the check
-	# below for broken collect2 doesn't work under 4.3+
-	  collect2name=`${CC} -print-prog-name=collect2`
-	  if test -f "$collect2name" && \
-  	   strings "$collect2name" | grep resolve_lib_name >/dev/null
-	  then
-  	  # We have reworked collect2
-  	  :
-	  else
-  	  # We have old collect2
-  	  _LT_AC_TAGVAR(hardcode_direct, $1)=unsupported
-  	  # It fails to find uninstalled libraries when the uninstalled
-  	  # path is not listed in the libpath.  Setting hardcode_minus_L
-  	  # to unsupported forces relinking
-  	  _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes
-  	  _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
-  	  _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=
-	  fi
-	  ;;
-	esac
-	shared_flag='-shared'
-	if test "$aix_use_runtimelinking" = yes; then
-	  shared_flag="$shared_flag "'${wl}-G'
-	fi
-      else
-	# not using gcc
-	if test "$host_cpu" = ia64; then
-  	# VisualAge C++, Version 5.5 for AIX 5L for IA-64, Beta 3 Release
-  	# chokes on -Wl,-G. The following line is correct:
-	  shared_flag='-G'
-	else
-	  if test "$aix_use_runtimelinking" = yes; then
-	    shared_flag='${wl}-G'
-	  else
-	    shared_flag='${wl}-bM:SRE'
-	  fi
-	fi
-      fi
 
-      # It seems that -bexpall does not export symbols beginning with
-      # underscore (_), so it is better to generate a list of symbols to export.
-      _LT_AC_TAGVAR(always_export_symbols, $1)=yes
-      if test "$aix_use_runtimelinking" = yes; then
-	# Warning - without using the other runtime loading flags (-brtl),
-	# -berok will link without error, but may produce a broken library.
-	_LT_AC_TAGVAR(allow_undefined_flag, $1)='-berok'
-       # Determine the default libpath from the value encoded in an empty executable.
-       _LT_AC_SYS_LIBPATH_AIX
-       _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-blibpath:$libdir:'"$aix_libpath"
-	_LT_AC_TAGVAR(archive_expsym_cmds, $1)="\$CC"' -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then echo "${wl}${allow_undefined_flag}"; else :; fi` '"\${wl}$exp_sym_flag:\$export_symbols $shared_flag"
-       else
-	if test "$host_cpu" = ia64; then
-	  _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-R $libdir:/usr/lib:/lib'
-	  _LT_AC_TAGVAR(allow_undefined_flag, $1)="-z nodefs"
-	  _LT_AC_TAGVAR(archive_expsym_cmds, $1)="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags ${wl}${allow_undefined_flag} '"\${wl}$exp_sym_flag:\$export_symbols"
-	else
-	 # Determine the default libpath from the value encoded in an empty executable.
-	 _LT_AC_SYS_LIBPATH_AIX
-	 _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-blibpath:$libdir:'"$aix_libpath"
-	  # Warning - without using the other run time loading flags,
-	  # -berok will link without error, but may produce a broken library.
-	  _LT_AC_TAGVAR(no_undefined_flag, $1)=' ${wl}-bernotok'
-	  _LT_AC_TAGVAR(allow_undefined_flag, $1)=' ${wl}-berok'
-	  # Exported symbols can be pulled into shared objects from archives
-	  _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='$convenience'
-	  _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=yes
-	  # This is similar to how AIX traditionally builds its shared libraries.
-	  _LT_AC_TAGVAR(archive_expsym_cmds, $1)="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs ${wl}-bnoentry $compiler_flags ${wl}-bE:$export_symbols${allow_undefined_flag}~$AR $AR_FLAGS $output_objdir/$libname$release.a $output_objdir/$soname'
-	fi
-      fi
-      ;;
+# _LT_MANGLE_DEFUN(MACRO-NAME, OPTION-NAME)
+# -----------------------------------------
+m4_define([_LT_MANGLE_DEFUN],
+[[_LT_OPTION_DEFUN_]m4_bpatsubst(m4_toupper([$1__$2]), [[^A-Z0-9_]], [_])])
 
-    amigaos*)
-      _LT_AC_TAGVAR(archive_cmds, $1)='$rm $output_objdir/a2ixlibrary.data~$echo "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$echo "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$echo "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$echo "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)'
-      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
-      _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes
-      # see comment about different semantics on the GNU ld section
-      _LT_AC_TAGVAR(ld_shlibs, $1)=no
-      ;;
 
-    bsdi[[45]]*)
-      _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)=-rdynamic
-      ;;
+# LT_OPTION_DEFINE(MACRO-NAME, OPTION-NAME, CODE)
+# -----------------------------------------------
+m4_define([LT_OPTION_DEFINE],
+[m4_define(_LT_MANGLE_DEFUN([$1], [$2]), [$3])[]dnl
+])# LT_OPTION_DEFINE
 
-    cygwin* | mingw* | pw32*)
-      # When not using gcc, we currently assume that we are using
-      # Microsoft Visual C++.
-      # hardcode_libdir_flag_spec is actually meaningless, as there is
-      # no search path for DLLs.
-      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)=' '
-      _LT_AC_TAGVAR(allow_undefined_flag, $1)=unsupported
-      # Tell ltmain to make .lib files, not .a files.
-      libext=lib
-      # Tell ltmain to make .dll files, not .so files.
-      shrext_cmds=".dll"
-      # FIXME: Setting linknames here is a bad hack.
-      _LT_AC_TAGVAR(archive_cmds, $1)='$CC -o $lib $libobjs $compiler_flags `echo "$deplibs" | $SED -e '\''s/ -lc$//'\''` -link -dll~linknames='
-      # The linker will automatically build a .lib file if we build a DLL.
-      _LT_AC_TAGVAR(old_archive_From_new_cmds, $1)='true'
-      # FIXME: Should let the user specify the lib program.
-      _LT_AC_TAGVAR(old_archive_cmds, $1)='lib -OUT:$oldlib$oldobjs$old_deplibs'
-      _LT_AC_TAGVAR(fix_srcfile_path, $1)='`cygpath -w "$srcfile"`'
-      _LT_AC_TAGVAR(enable_shared_with_static_runtimes, $1)=yes
-      ;;
 
-    darwin* | rhapsody*)
-      case $host_os in
-        rhapsody* | darwin1.[[012]])
-         _LT_AC_TAGVAR(allow_undefined_flag, $1)='${wl}-undefined ${wl}suppress'
-         ;;
-       *) # Darwin 1.3 on
-         if test -z ${MACOSX_DEPLOYMENT_TARGET} ; then
-           _LT_AC_TAGVAR(allow_undefined_flag, $1)='${wl}-flat_namespace ${wl}-undefined ${wl}suppress'
-         else
-           case ${MACOSX_DEPLOYMENT_TARGET} in
-             10.[[012]])
-               _LT_AC_TAGVAR(allow_undefined_flag, $1)='${wl}-flat_namespace ${wl}-undefined ${wl}suppress'
-               ;;
-             10.*)
-               _LT_AC_TAGVAR(allow_undefined_flag, $1)='${wl}-undefined ${wl}dynamic_lookup'
-               ;;
-           esac
-         fi
-         ;;
-      esac
-      _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
-      _LT_AC_TAGVAR(hardcode_direct, $1)=no
-      _LT_AC_TAGVAR(hardcode_automatic, $1)=yes
-      _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=unsupported
-      _LT_AC_TAGVAR(whole_archive_flag_spec, $1)=''
-      _LT_AC_TAGVAR(link_all_deplibs, $1)=yes
-    if test "$GCC" = yes ; then
-    	output_verbose_link_cmd='echo'
-        _LT_AC_TAGVAR(archive_cmds, $1)="\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$libobjs \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring $_lt_dar_single_mod${_lt_dsymutil}"
-        _LT_AC_TAGVAR(module_cmds, $1)="\$CC \$allow_undefined_flag -o \$lib -bundle \$libobjs \$deplibs \$compiler_flags${_lt_dsymutil}"
-        _LT_AC_TAGVAR(archive_expsym_cmds, $1)="sed 's,^,_,' < \$export_symbols > \$output_objdir/\${libname}-symbols.expsym~\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$libobjs \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring ${_lt_dar_single_mod}${_lt_dar_export_syms}${_lt_dsymutil}"
-        _LT_AC_TAGVAR(module_expsym_cmds, $1)="sed -e 's,^,_,' < \$export_symbols > \$output_objdir/\${libname}-symbols.expsym~\$CC \$allow_undefined_flag -o \$lib -bundle \$libobjs \$deplibs \$compiler_flags${_lt_dar_export_syms}${_lt_dsymutil}"
-    else
-      case $cc_basename in
-        xlc*)
-         output_verbose_link_cmd='echo'
-         _LT_AC_TAGVAR(archive_cmds, $1)='$CC -qmkshrobj $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}`echo $rpath/$soname` $xlcverstring'
-         _LT_AC_TAGVAR(module_cmds, $1)='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
-          # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin lds
-         _LT_AC_TAGVAR(archive_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -qmkshrobj $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}$rpath/$soname $xlcverstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
-          _LT_AC_TAGVAR(module_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag  -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
-          ;;
-       *)
-         _LT_AC_TAGVAR(ld_shlibs, $1)=no
-          ;;
-      esac
-    fi
-      ;;
+# dlopen
+# ------
+LT_OPTION_DEFINE([LT_INIT], [dlopen], [enable_dlopen=yes
+])
 
-    dgux*)
-      _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
-      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
-      _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
-      ;;
+AU_DEFUN([AC_LIBTOOL_DLOPEN],
+[_LT_SET_OPTION([LT_INIT], [dlopen])
+AC_DIAGNOSE([obsolete],
+[$0: Remove this warning and the call to _LT_SET_OPTION when you
+put the `dlopen' option into LT_INIT's first parameter.])
+])
 
-    freebsd1*)
-      _LT_AC_TAGVAR(ld_shlibs, $1)=no
-      ;;
+dnl aclocal-1.4 backwards compatibility:
+dnl AC_DEFUN([AC_LIBTOOL_DLOPEN], [])
 
-    # FreeBSD 2.2.[012] allows us to include c++rt0.o to get C++ constructor
-    # support.  Future versions do this automatically, but an explicit c++rt0.o
-    # does not break anything, and helps significantly (at the cost of a little
-    # extra space).
-    freebsd2.2*)
-      _LT_AC_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags /usr/lib/c++rt0.o'
-      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
-      _LT_AC_TAGVAR(hardcode_direct, $1)=yes
-      _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
-      ;;
 
-    # Unfortunately, older versions of FreeBSD 2 do not have this feature.
-    freebsd2*)
-      _LT_AC_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'
-      _LT_AC_TAGVAR(hardcode_direct, $1)=yes
-      _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes
-      _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
-      ;;
+# win32-dll
+# ---------
+# Declare package support for building win32 dll's.
+LT_OPTION_DEFINE([LT_INIT], [win32-dll],
+[enable_win32_dll=yes
 
-    # FreeBSD 3 and greater uses gcc -shared to do shared libraries.
-    freebsd* | dragonfly*)
-      _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -o $lib $libobjs $deplibs $compiler_flags'
-      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
-      _LT_AC_TAGVAR(hardcode_direct, $1)=yes
-      _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
-      ;;
+case $host in
+*-*-cygwin* | *-*-mingw* | *-*-pw32*)
+  AC_CHECK_TOOL(AS, as, false)
+  AC_CHECK_TOOL(DLLTOOL, dlltool, false)
+  AC_CHECK_TOOL(OBJDUMP, objdump, false)
+  ;;
+esac
 
-    hpux9*)
-      if test "$GCC" = yes; then
-	_LT_AC_TAGVAR(archive_cmds, $1)='$rm $output_objdir/$soname~$CC -shared -fPIC ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $libobjs $deplibs $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
-      else
-	_LT_AC_TAGVAR(archive_cmds, $1)='$rm $output_objdir/$soname~$LD -b +b $install_libdir -o $output_objdir/$soname $libobjs $deplibs $linker_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
-      fi
-      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir'
-      _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
-      _LT_AC_TAGVAR(hardcode_direct, $1)=yes
+test -z "$AS" && AS=as
+_LT_DECL([], [AS],      [0], [Assembler program])dnl
 
-      # hardcode_minus_L: Not really in the search PATH,
-      # but as the default location of the library.
-      _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes
-      _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
-      ;;
+test -z "$DLLTOOL" && DLLTOOL=dlltool
+_LT_DECL([], [DLLTOOL], [0], [DLL creation program])dnl
 
-    hpux10*)
-      if test "$GCC" = yes -a "$with_gnu_ld" = no; then
-	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
-      else
-	_LT_AC_TAGVAR(archive_cmds, $1)='$LD -b +h $soname +b $install_libdir -o $lib $libobjs $deplibs $linker_flags'
-      fi
-      if test "$with_gnu_ld" = no; then
-	_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir'
-	_LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
+test -z "$OBJDUMP" && OBJDUMP=objdump
+_LT_DECL([], [OBJDUMP], [0], [Object dumper program])dnl
+])# win32-dll
 
-	_LT_AC_TAGVAR(hardcode_direct, $1)=yes
-	_LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
+AU_DEFUN([AC_LIBTOOL_WIN32_DLL],
+[AC_REQUIRE([AC_CANONICAL_HOST])dnl
+_LT_SET_OPTION([LT_INIT], [win32-dll])
+AC_DIAGNOSE([obsolete],
+[$0: Remove this warning and the call to _LT_SET_OPTION when you
+put the `win32-dll' option into LT_INIT's first parameter.])
+])
 
-	# hardcode_minus_L: Not really in the search PATH,
-	# but as the default location of the library.
-	_LT_AC_TAGVAR(hardcode_minus_L, $1)=yes
-      fi
+dnl aclocal-1.4 backwards compatibility:
+dnl AC_DEFUN([AC_LIBTOOL_WIN32_DLL], [])
+
+
+# _LT_ENABLE_SHARED([DEFAULT])
+# ----------------------------
+# implement the --enable-shared flag, and supports the `shared' and
+# `disable-shared' LT_INIT options.
+# DEFAULT is either `yes' or `no'.  If omitted, it defaults to `yes'.
+m4_define([_LT_ENABLE_SHARED],
+[m4_define([_LT_ENABLE_SHARED_DEFAULT], [m4_if($1, no, no, yes)])dnl
+AC_ARG_ENABLE([shared],
+    [AS_HELP_STRING([--enable-shared@<:@=PKGS@:>@],
+	[build shared libraries @<:@default=]_LT_ENABLE_SHARED_DEFAULT[@:>@])],
+    [p=${PACKAGE-default}
+    case $enableval in
+    yes) enable_shared=yes ;;
+    no) enable_shared=no ;;
+    *)
+      enable_shared=no
+      # Look at the argument we got.  We use all the common list separators.
+      lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR,"
+      for pkg in $enableval; do
+	IFS="$lt_save_ifs"
+	if test "X$pkg" = "X$p"; then
+	  enable_shared=yes
+	fi
+      done
+      IFS="$lt_save_ifs"
       ;;
+    esac],
+    [enable_shared=]_LT_ENABLE_SHARED_DEFAULT)
 
-    hpux11*)
-      if test "$GCC" = yes -a "$with_gnu_ld" = no; then
-	case $host_cpu in
-	hppa*64*)
-	  _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}+h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
-	  ;;
-	ia64*)
-	  _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags'
-	  ;;
-	*)
-	  _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
-	  ;;
-	esac
-      else
-	case $host_cpu in
-	hppa*64*)
-	  _LT_AC_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
-	  ;;
-	ia64*)
-	  _LT_AC_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags'
-	  ;;
-	*)
-	  _LT_AC_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
-	  ;;
-	esac
-      fi
-      if test "$with_gnu_ld" = no; then
-	_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir'
-	_LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
+    _LT_DECL([build_libtool_libs], [enable_shared], [0],
+	[Whether or not to build shared libraries])
+])# _LT_ENABLE_SHARED
 
-	case $host_cpu in
-	hppa*64*|ia64*)
-	  _LT_AC_TAGVAR(hardcode_libdir_flag_spec_ld, $1)='+b $libdir'
-	  _LT_AC_TAGVAR(hardcode_direct, $1)=no
-	  _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
-	  ;;
-	*)
-	  _LT_AC_TAGVAR(hardcode_direct, $1)=yes
-	  _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
+LT_OPTION_DEFINE([LT_INIT], [shared], [_LT_ENABLE_SHARED([yes])])
+LT_OPTION_DEFINE([LT_INIT], [disable-shared], [_LT_ENABLE_SHARED([no])])
 
-	  # hardcode_minus_L: Not really in the search PATH,
-	  # but as the default location of the library.
-	  _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes
-	  ;;
-	esac
-      fi
-      ;;
+# Old names:
+AC_DEFUN([AC_ENABLE_SHARED],
+[_LT_SET_OPTION([LT_INIT], m4_if([$1], [no], [disable-])[shared])
+])
 
-    irix5* | irix6* | nonstopux*)
-      if test "$GCC" = yes; then
-	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
-      else
-	_LT_AC_TAGVAR(archive_cmds, $1)='$LD -shared $libobjs $deplibs $linker_flags -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
-	_LT_AC_TAGVAR(hardcode_libdir_flag_spec_ld, $1)='-rpath $libdir'
-      fi
-      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
-      _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
-      _LT_AC_TAGVAR(link_all_deplibs, $1)=yes
-      ;;
+AC_DEFUN([AC_DISABLE_SHARED],
+[_LT_SET_OPTION([LT_INIT], [disable-shared])
+])
 
-    netbsd* | netbsdelf*-gnu)
-      if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
-	_LT_AC_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'  # a.out
-      else
-	_LT_AC_TAGVAR(archive_cmds, $1)='$LD -shared -o $lib $libobjs $deplibs $linker_flags'      # ELF
-      fi
-      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
-      _LT_AC_TAGVAR(hardcode_direct, $1)=yes
-      _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+AU_DEFUN([AM_ENABLE_SHARED], [AC_ENABLE_SHARED($@)])
+AU_DEFUN([AM_DISABLE_SHARED], [AC_DISABLE_SHARED($@)])
+
+dnl aclocal-1.4 backwards compatibility:
+dnl AC_DEFUN([AM_ENABLE_SHARED], [])
+dnl AC_DEFUN([AM_DISABLE_SHARED], [])
+
+
+
+# _LT_ENABLE_STATIC([DEFAULT])
+# ----------------------------
+# implement the --enable-static flag, and support the `static' and
+# `disable-static' LT_INIT options.
+# DEFAULT is either `yes' or `no'.  If omitted, it defaults to `yes'.
+m4_define([_LT_ENABLE_STATIC],
+[m4_define([_LT_ENABLE_STATIC_DEFAULT], [m4_if($1, no, no, yes)])dnl
+AC_ARG_ENABLE([static],
+    [AS_HELP_STRING([--enable-static@<:@=PKGS@:>@],
+	[build static libraries @<:@default=]_LT_ENABLE_STATIC_DEFAULT[@:>@])],
+    [p=${PACKAGE-default}
+    case $enableval in
+    yes) enable_static=yes ;;
+    no) enable_static=no ;;
+    *)
+     enable_static=no
+      # Look at the argument we got.  We use all the common list separators.
+      lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR,"
+      for pkg in $enableval; do
+	IFS="$lt_save_ifs"
+	if test "X$pkg" = "X$p"; then
+	  enable_static=yes
+	fi
+      done
+      IFS="$lt_save_ifs"
       ;;
+    esac],
+    [enable_static=]_LT_ENABLE_STATIC_DEFAULT)
 
-    newsos6)
-      _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
-      _LT_AC_TAGVAR(hardcode_direct, $1)=yes
-      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
-      _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
-      _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
-      ;;
+    _LT_DECL([build_old_libs], [enable_static], [0],
+	[Whether or not to build static libraries])
+])# _LT_ENABLE_STATIC
 
-    openbsd*)
-      if test -f /usr/libexec/ld.so; then
-	_LT_AC_TAGVAR(hardcode_direct, $1)=yes
-	_LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
-	if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
-	  _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
-	  _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-retain-symbols-file,$export_symbols'
-	  _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
-	  _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
-	else
-	  case $host_os in
-	   openbsd[[01]].* | openbsd2.[[0-7]] | openbsd2.[[0-7]].*)
-	     _LT_AC_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'
-	     _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
-	     ;;
-	   *)
-	     _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
-	     _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
-	     ;;
-	  esac
-        fi
-      else
-	_LT_AC_TAGVAR(ld_shlibs, $1)=no
-      fi
-      ;;
+LT_OPTION_DEFINE([LT_INIT], [static], [_LT_ENABLE_STATIC([yes])])
+LT_OPTION_DEFINE([LT_INIT], [disable-static], [_LT_ENABLE_STATIC([no])])
 
-    os2*)
-      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
-      _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes
-      _LT_AC_TAGVAR(allow_undefined_flag, $1)=unsupported
-      _LT_AC_TAGVAR(archive_cmds, $1)='$echo "LIBRARY $libname INITINSTANCE" > $output_objdir/$libname.def~$echo "DESCRIPTION \"$libname\"" >> $output_objdir/$libname.def~$echo DATA >> $output_objdir/$libname.def~$echo " SINGLE NONSHARED" >> $output_objdir/$libname.def~$echo EXPORTS >> $output_objdir/$libname.def~emxexp $libobjs >> $output_objdir/$libname.def~$CC -Zdll -Zcrtdll -o $lib $libobjs $deplibs $compiler_flags $output_objdir/$libname.def'
-      _LT_AC_TAGVAR(old_archive_From_new_cmds, $1)='emximp -o $output_objdir/$libname.a $output_objdir/$libname.def'
-      ;;
+# Old names:
+AC_DEFUN([AC_ENABLE_STATIC],
+[_LT_SET_OPTION([LT_INIT], m4_if([$1], [no], [disable-])[static])
+])
 
-    osf3*)
-      if test "$GCC" = yes; then
-	_LT_AC_TAGVAR(allow_undefined_flag, $1)=' ${wl}-expect_unresolved ${wl}\*'
-	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
-      else
-	_LT_AC_TAGVAR(allow_undefined_flag, $1)=' -expect_unresolved \*'
-	_LT_AC_TAGVAR(archive_cmds, $1)='$LD -shared${allow_undefined_flag} $libobjs $deplibs $linker_flags -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
-      fi
-      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
-      _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
-      ;;
+AC_DEFUN([AC_DISABLE_STATIC],
+[_LT_SET_OPTION([LT_INIT], [disable-static])
+])
 
-    osf4* | osf5*)	# as osf3* with the addition of -msym flag
-      if test "$GCC" = yes; then
-	_LT_AC_TAGVAR(allow_undefined_flag, $1)=' ${wl}-expect_unresolved ${wl}\*'
-	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-msym ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
-	_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
-      else
-	_LT_AC_TAGVAR(allow_undefined_flag, $1)=' -expect_unresolved \*'
-	_LT_AC_TAGVAR(archive_cmds, $1)='$LD -shared${allow_undefined_flag} $libobjs $deplibs $linker_flags -msym -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
-	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='for i in `cat $export_symbols`; do printf "%s %s\\n" -exported_symbol "\$i" >> $lib.exp; done; echo "-hidden">> $lib.exp~
-	$LD -shared${allow_undefined_flag} -input $lib.exp $linker_flags $libobjs $deplibs -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib~$rm $lib.exp'
+AU_DEFUN([AM_ENABLE_STATIC], [AC_ENABLE_STATIC($@)])
+AU_DEFUN([AM_DISABLE_STATIC], [AC_DISABLE_STATIC($@)])
 
-	# Both c and cxx compiler support -rpath directly
-	_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-rpath $libdir'
-      fi
-      _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
-      ;;
+dnl aclocal-1.4 backwards compatibility:
+dnl AC_DEFUN([AM_ENABLE_STATIC], [])
+dnl AC_DEFUN([AM_DISABLE_STATIC], [])
 
-    solaris*)
-      _LT_AC_TAGVAR(no_undefined_flag, $1)=' -z text'
-      if test "$GCC" = yes; then
-	wlarc='${wl}'
-	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
-	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
-	  $CC -shared ${wl}-M ${wl}$lib.exp ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags~$rm $lib.exp'
-      else
-	wlarc=''
-	_LT_AC_TAGVAR(archive_cmds, $1)='$LD -G${allow_undefined_flag} -h $soname -o $lib $libobjs $deplibs $linker_flags'
-	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
-  	$LD -G${allow_undefined_flag} -M $lib.exp -h $soname -o $lib $libobjs $deplibs $linker_flags~$rm $lib.exp'
-      fi
-      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
-      _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
-      case $host_os in
-      solaris2.[[0-5]] | solaris2.[[0-5]].*) ;;
-      *)
-	# The compiler driver will combine and reorder linker options,
-	# but understands `-z linker_flag'.  GCC discards it without `$wl',
-	# but is careful enough not to reorder.
- 	# Supported since Solaris 2.6 (maybe 2.5.1?)
-	if test "$GCC" = yes; then
-	  _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='${wl}-z ${wl}allextract$convenience ${wl}-z ${wl}defaultextract'
-	else
-	  _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='-z allextract$convenience -z defaultextract'
+
+
+# _LT_ENABLE_FAST_INSTALL([DEFAULT])
+# ----------------------------------
+# implement the --enable-fast-install flag, and support the `fast-install'
+# and `disable-fast-install' LT_INIT options.
+# DEFAULT is either `yes' or `no'.  If omitted, it defaults to `yes'.
+m4_define([_LT_ENABLE_FAST_INSTALL],
+[m4_define([_LT_ENABLE_FAST_INSTALL_DEFAULT], [m4_if($1, no, no, yes)])dnl
+AC_ARG_ENABLE([fast-install],
+    [AS_HELP_STRING([--enable-fast-install@<:@=PKGS@:>@],
+    [optimize for fast installation @<:@default=]_LT_ENABLE_FAST_INSTALL_DEFAULT[@:>@])],
+    [p=${PACKAGE-default}
+    case $enableval in
+    yes) enable_fast_install=yes ;;
+    no) enable_fast_install=no ;;
+    *)
+      enable_fast_install=no
+      # Look at the argument we got.  We use all the common list separators.
+      lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR,"
+      for pkg in $enableval; do
+	IFS="$lt_save_ifs"
+	if test "X$pkg" = "X$p"; then
+	  enable_fast_install=yes
 	fi
-	;;
-      esac
-      _LT_AC_TAGVAR(link_all_deplibs, $1)=yes
+      done
+      IFS="$lt_save_ifs"
       ;;
+    esac],
+    [enable_fast_install=]_LT_ENABLE_FAST_INSTALL_DEFAULT)
 
-    sunos4*)
-      if test "x$host_vendor" = xsequent; then
-	# Use $CC to link under sequent, because it throws in some extra .o
-	# files that make .init and .fini sections work.
-	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -G ${wl}-h $soname -o $lib $libobjs $deplibs $compiler_flags'
-      else
-	_LT_AC_TAGVAR(archive_cmds, $1)='$LD -assert pure-text -Bstatic -o $lib $libobjs $deplibs $linker_flags'
-      fi
-      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
-      _LT_AC_TAGVAR(hardcode_direct, $1)=yes
-      _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes
-      _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
-      ;;
+_LT_DECL([fast_install], [enable_fast_install], [0],
+	 [Whether or not to optimize for fast installation])dnl
+])# _LT_ENABLE_FAST_INSTALL
 
-    sysv4)
-      case $host_vendor in
-	sni)
-	  _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
-	  _LT_AC_TAGVAR(hardcode_direct, $1)=yes # is this really true???
-	;;
-	siemens)
-	  ## LD is ld it makes a PLAMLIB
-	  ## CC just makes a GrossModule.
-	  _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G -o $lib $libobjs $deplibs $linker_flags'
-	  _LT_AC_TAGVAR(reload_cmds, $1)='$CC -r -o $output$reload_objs'
-	  _LT_AC_TAGVAR(hardcode_direct, $1)=no
-        ;;
-	motorola)
-	  _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
-	  _LT_AC_TAGVAR(hardcode_direct, $1)=no #Motorola manual says yes, but my tests say they lie
-	;;
-      esac
-      runpath_var='LD_RUN_PATH'
-      _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
-      ;;
+LT_OPTION_DEFINE([LT_INIT], [fast-install], [_LT_ENABLE_FAST_INSTALL([yes])])
+LT_OPTION_DEFINE([LT_INIT], [disable-fast-install], [_LT_ENABLE_FAST_INSTALL([no])])
 
-    sysv4.3*)
-      _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
-      _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
-      _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='-Bexport'
-      ;;
+# Old names:
+AU_DEFUN([AC_ENABLE_FAST_INSTALL],
+[_LT_SET_OPTION([LT_INIT], m4_if([$1], [no], [disable-])[fast-install])
+AC_DIAGNOSE([obsolete],
+[$0: Remove this warning and the call to _LT_SET_OPTION when you put
+the `fast-install' option into LT_INIT's first parameter.])
+])
 
-    sysv4*MP*)
-      if test -d /usr/nec; then
-	_LT_AC_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
-	_LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
-	runpath_var=LD_RUN_PATH
-	hardcode_runpath_var=yes
-	_LT_AC_TAGVAR(ld_shlibs, $1)=yes
-      fi
-      ;;
+AU_DEFUN([AC_DISABLE_FAST_INSTALL],
+[_LT_SET_OPTION([LT_INIT], [disable-fast-install])
+AC_DIAGNOSE([obsolete],
+[$0: Remove this warning and the call to _LT_SET_OPTION when you put
+the `disable-fast-install' option into LT_INIT's first parameter.])
+])
 
-    sysv4*uw2* | sysv5OpenUNIX* | sysv5UnixWare7.[[01]].[[10]]* | unixware7* | sco3.2v5.0.[[024]]*)
-      _LT_AC_TAGVAR(no_undefined_flag, $1)='${wl}-z,text'
-      _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
-      _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
-      runpath_var='LD_RUN_PATH'
+dnl aclocal-1.4 backwards compatibility:
+dnl AC_DEFUN([AC_ENABLE_FAST_INSTALL], [])
+dnl AC_DEFUN([AM_DISABLE_FAST_INSTALL], [])
 
-      if test "$GCC" = yes; then
-	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
-	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
-      else
-	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -G ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
-	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
-      fi
-      ;;
 
-    sysv5* | sco3.2v5* | sco5v6*)
-      # Note: We can NOT use -z defs as we might desire, because we do not
-      # link with -lc, and that would cause any symbols used from libc to
-      # always be unresolved, which means just about no library would
-      # ever link correctly.  If we're not using GNU ld we use -z text
-      # though, which does catch some bad symbols but isn't as heavy-handed
-      # as -z defs.
-      _LT_AC_TAGVAR(no_undefined_flag, $1)='${wl}-z,text'
-      _LT_AC_TAGVAR(allow_undefined_flag, $1)='${wl}-z,nodefs'
-      _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
-      _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
-      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='`test -z "$SCOABSPATH" && echo ${wl}-R,$libdir`'
-      _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=':'
-      _LT_AC_TAGVAR(link_all_deplibs, $1)=yes
-      _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-Bexport'
-      runpath_var='LD_RUN_PATH'
+# _LT_WITH_PIC([MODE])
+# --------------------
+# implement the --with-pic flag, and support the `pic-only' and `no-pic'
+# LT_INIT options.
+# MODE is either `yes' or `no'.  If omitted, it defaults to `both'.
+m4_define([_LT_WITH_PIC],
+[AC_ARG_WITH([pic],
+    [AS_HELP_STRING([--with-pic],
+	[try to use only PIC/non-PIC objects @<:@default=use both@:>@])],
+    [pic_mode="$withval"],
+    [pic_mode=default])
 
-      if test "$GCC" = yes; then
-	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
-	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
-      else
-	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -G ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
-	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
-      fi
-      ;;
+test -z "$pic_mode" && pic_mode=m4_default([$1], [default])
 
-    uts4*)
-      _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
-      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
-      _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
-      ;;
+_LT_DECL([], [pic_mode], [0], [What type of objects to build])dnl
+])# _LT_WITH_PIC
 
-    *)
-      _LT_AC_TAGVAR(ld_shlibs, $1)=no
-      ;;
-    esac
-  fi
+LT_OPTION_DEFINE([LT_INIT], [pic-only], [_LT_WITH_PIC([yes])])
+LT_OPTION_DEFINE([LT_INIT], [no-pic], [_LT_WITH_PIC([no])])
+
+# Old name:
+AU_DEFUN([AC_LIBTOOL_PICMODE],
+[_LT_SET_OPTION([LT_INIT], [pic-only])
+AC_DIAGNOSE([obsolete],
+[$0: Remove this warning and the call to _LT_SET_OPTION when you
+put the `pic-only' option into LT_INIT's first parameter.])
 ])
-AC_MSG_RESULT([$_LT_AC_TAGVAR(ld_shlibs, $1)])
-test "$_LT_AC_TAGVAR(ld_shlibs, $1)" = no && can_build_shared=no
 
-#
-# Do we need to explicitly link libc?
-#
-case "x$_LT_AC_TAGVAR(archive_cmds_need_lc, $1)" in
-x|xyes)
-  # Assume -lc should be added
-  _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=yes
+dnl aclocal-1.4 backwards compatibility:
+dnl AC_DEFUN([AC_LIBTOOL_PICMODE], [])
 
-  if test "$enable_shared" = yes && test "$GCC" = yes; then
-    case $_LT_AC_TAGVAR(archive_cmds, $1) in
-    *'~'*)
-      # FIXME: we may have to deal with multi-command sequences.
-      ;;
-    '$CC '*)
-      # Test whether the compiler implicitly links with -lc since on some
-      # systems, -lgcc has to come before -lc. If gcc already passes -lc
-      # to ld, don't add -lc before -lgcc.
-      AC_MSG_CHECKING([whether -lc should be explicitly linked in])
-      $rm conftest*
-      echo "$lt_simple_compile_test_code" > conftest.$ac_ext
 
-      if AC_TRY_EVAL(ac_compile) 2>conftest.err; then
-        soname=conftest
-        lib=conftest
-        libobjs=conftest.$ac_objext
-        deplibs=
-        wl=$_LT_AC_TAGVAR(lt_prog_compiler_wl, $1)
-	pic_flag=$_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)
-        compiler_flags=-v
-        linker_flags=-v
-        verstring=
-        output_objdir=.
-        libname=conftest
-        lt_save_allow_undefined_flag=$_LT_AC_TAGVAR(allow_undefined_flag, $1)
-        _LT_AC_TAGVAR(allow_undefined_flag, $1)=
-        if AC_TRY_EVAL(_LT_AC_TAGVAR(archive_cmds, $1) 2\>\&1 \| grep \" -lc \" \>/dev/null 2\>\&1)
-        then
-	  _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
-        else
-	  _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=yes
-        fi
-        _LT_AC_TAGVAR(allow_undefined_flag, $1)=$lt_save_allow_undefined_flag
-      else
-        cat conftest.err 1>&5
-      fi
-      $rm conftest*
-      AC_MSG_RESULT([$_LT_AC_TAGVAR(archive_cmds_need_lc, $1)])
-      ;;
-    esac
-  fi
-  ;;
-esac
-])# AC_LIBTOOL_PROG_LD_SHLIBS
+m4_define([_LTDL_MODE], [])
+LT_OPTION_DEFINE([LTDL_INIT], [nonrecursive],
+		 [m4_define([_LTDL_MODE], [nonrecursive])])
+LT_OPTION_DEFINE([LTDL_INIT], [recursive],
+		 [m4_define([_LTDL_MODE], [recursive])])
+LT_OPTION_DEFINE([LTDL_INIT], [subproject],
+		 [m4_define([_LTDL_MODE], [subproject])])
 
+m4_define([_LTDL_TYPE], [])
+LT_OPTION_DEFINE([LTDL_INIT], [installable],
+		 [m4_define([_LTDL_TYPE], [installable])])
+LT_OPTION_DEFINE([LTDL_INIT], [convenience],
+		 [m4_define([_LTDL_TYPE], [convenience])])
 
-# _LT_AC_FILE_LTDLL_C
-# -------------------
-# Be careful that the start marker always follows a newline.
-AC_DEFUN([_LT_AC_FILE_LTDLL_C], [
-# /* ltdll.c starts here */
-# #define WIN32_LEAN_AND_MEAN
-# #include <windows.h>
-# #undef WIN32_LEAN_AND_MEAN
-# #include <stdio.h>
-#
-# #ifndef __CYGWIN__
-# #  ifdef __CYGWIN32__
-# #    define __CYGWIN__ __CYGWIN32__
-# #  endif
-# #endif
+# ltsugar.m4 -- libtool m4 base layer.                         -*-Autoconf-*-
 #
-# #ifdef __cplusplus
-# extern "C" {
-# #endif
-# BOOL APIENTRY DllMain (HINSTANCE hInst, DWORD reason, LPVOID reserved);
-# #ifdef __cplusplus
-# }
-# #endif
+#   Copyright (C) 2004, 2005, 2007 Free Software Foundation, Inc.
+#   Written by Gary V. Vaughan, 2004
 #
-# #ifdef __CYGWIN__
-# #include <cygwin/cygwin_dll.h>
-# DECLARE_CYGWIN_DLL( DllMain );
-# #endif
-# HINSTANCE __hDllInstance_base;
+# This file is free software; the Free Software Foundation gives
+# unlimited permission to copy and/or distribute it, with or without
+# modifications, as long as this notice is preserved.
+
+# serial 5 ltsugar.m4
+
+# This is to help aclocal find these macros, as it can't see m4_define.
+AC_DEFUN([LTSUGAR_VERSION], [m4_if([0.1])])
+
+
+# lt_join(SEP, ARG1, [ARG2...])
+# -----------------------------
+# Produce ARG1SEPARG2...SEPARGn, omitting [] arguments and their
+# associated separator.
+# Needed until we can rely on m4_join from Autoconf 2.62, since all earlier
+# versions in m4sugar had bugs.
+m4_define([lt_join],
+[m4_if([$#], [1], [],
+       [$#], [2], [[$2]],
+       [m4_if([$2], [], [], [[$2]_])$0([$1], m4_shift(m4_shift($@)))])])
+m4_define([_lt_join],
+[m4_if([$#$2], [2], [],
+       [m4_if([$2], [], [], [[$1$2]])$0([$1], m4_shift(m4_shift($@)))])])
+
+
+# lt_car(LIST)
+# lt_cdr(LIST)
+# ------------
+# Manipulate m4 lists.
+# These macros are necessary as long as will still need to support
+# Autoconf-2.59 which quotes differently.
+m4_define([lt_car], [[$1]])
+m4_define([lt_cdr],
+[m4_if([$#], 0, [m4_fatal([$0: cannot be called without arguments])],
+       [$#], 1, [],
+       [m4_dquote(m4_shift($@))])])
+m4_define([lt_unquote], $1)
+
+
+# lt_append(MACRO-NAME, STRING, [SEPARATOR])
+# ------------------------------------------
+# Redefine MACRO-NAME to hold its former content plus `SEPARATOR'`STRING'.
+# Note that neither SEPARATOR nor STRING are expanded; they are appended
+# to MACRO-NAME as is (leaving the expansion for when MACRO-NAME is invoked).
+# No SEPARATOR is output if MACRO-NAME was previously undefined (different
+# than defined and empty).
 #
-# BOOL APIENTRY
-# DllMain (HINSTANCE hInst, DWORD reason, LPVOID reserved)
-# {
-#   __hDllInstance_base = hInst;
-#   return TRUE;
-# }
-# /* ltdll.c ends here */
-])# _LT_AC_FILE_LTDLL_C
+# This macro is needed until we can rely on Autoconf 2.62, since earlier
+# versions of m4sugar mistakenly expanded SEPARATOR but not STRING.
+m4_define([lt_append],
+[m4_define([$1],
+	   m4_ifdef([$1], [m4_defn([$1])[$3]])[$2])])
+
+
+
+# lt_combine(SEP, PREFIX-LIST, INFIX, SUFFIX1, [SUFFIX2...])
+# ----------------------------------------------------------
+# Produce a SEP delimited list of all paired combinations of elements of
+# PREFIX-LIST with SUFFIX1 through SUFFIXn.  Each element of the list
+# has the form PREFIXmINFIXSUFFIXn.
+m4_define([lt_combine],
+[m4_if([$2], [], [],
+  [m4_if([$4], [], [],
+    [lt_join(m4_quote(m4_default([$1], [[, ]])),
+      lt_unquote(m4_split(m4_normalize(m4_foreach(_Lt_prefix, [$2],
+		   [m4_foreach(_Lt_suffix, lt_car([m4_shiftn(3, $@)]),
+			       [_Lt_prefix[]$3[]_Lt_suffix ])])))))])])dnl
+])
 
 
-# _LT_AC_TAGVAR(VARNAME, [TAGNAME])
-# ---------------------------------
-AC_DEFUN([_LT_AC_TAGVAR], [ifelse([$2], [], [$1], [$1_$2])])
+# lt_if_append_uniq(MACRO-NAME, VARNAME, [SEPARATOR], [UNIQ], [NOT-UNIQ])
+# -----------------------------------------------------------------------
+# Iff MACRO-NAME does not yet contain VARNAME, then append it (delimited
+# by SEPARATOR if supplied) and expand UNIQ, else NOT-UNIQ.
+m4_define([lt_if_append_uniq],
+[m4_ifdef([$1],
+	  [m4_if(m4_index([$3]m4_defn([$1])[$3], [$3$2$3]), [-1],
+		 [lt_append([$1], [$2], [$3])$4],
+		 [$5])],
+	  [lt_append([$1], [$2], [$3])$4])])
 
 
-# old names
-AC_DEFUN([AM_PROG_LIBTOOL],   [AC_PROG_LIBTOOL])
-AC_DEFUN([AM_ENABLE_SHARED],  [AC_ENABLE_SHARED($@)])
-AC_DEFUN([AM_ENABLE_STATIC],  [AC_ENABLE_STATIC($@)])
-AC_DEFUN([AM_DISABLE_SHARED], [AC_DISABLE_SHARED($@)])
-AC_DEFUN([AM_DISABLE_STATIC], [AC_DISABLE_STATIC($@)])
-AC_DEFUN([AM_PROG_LD],        [AC_PROG_LD])
-AC_DEFUN([AM_PROG_NM],        [AC_PROG_NM])
+# lt_dict_add(DICT, KEY, VALUE)
+# -----------------------------
+m4_define([lt_dict_add],
+[m4_define([$1($2)], [$3])])
 
-# This is just to silence aclocal about the macro not being used
-ifelse([AC_DISABLE_FAST_INSTALL])
 
-AC_DEFUN([LT_AC_PROG_GCJ],
-[AC_CHECK_TOOL(GCJ, gcj, no)
-  test "x${GCJFLAGS+set}" = xset || GCJFLAGS="-g -O2"
-  AC_SUBST(GCJFLAGS)
-])
+# lt_dict_add_subkey(DICT, KEY, SUBKEY, VALUE)
+# --------------------------------------------
+m4_define([lt_dict_add_subkey],
+[m4_define([$1($2:$3)], [$4])])
 
-AC_DEFUN([LT_AC_PROG_RC],
-[AC_CHECK_TOOL(RC, windres, no)
-])
 
+# lt_dict_fetch(DICT, KEY, [SUBKEY])
+# ----------------------------------
+m4_define([lt_dict_fetch],
+[m4_ifval([$3],
+	m4_ifdef([$1($2:$3)], [m4_defn([$1($2:$3)])]),
+    m4_ifdef([$1($2)], [m4_defn([$1($2)])]))])
 
-# Cheap backport of AS_EXECUTABLE_P and required macros
-# from Autoconf 2.59; we should not use $as_executable_p directly.
 
-# _AS_TEST_PREPARE
-# ----------------
-m4_ifndef([_AS_TEST_PREPARE],
-[m4_defun([_AS_TEST_PREPARE],
-[if test -x / >/dev/null 2>&1; then
-  as_executable_p='test -x'
-else
-  as_executable_p='test -f'
-fi
-])])# _AS_TEST_PREPARE
+# lt_if_dict_fetch(DICT, KEY, [SUBKEY], VALUE, IF-TRUE, [IF-FALSE])
+# -----------------------------------------------------------------
+m4_define([lt_if_dict_fetch],
+[m4_if(lt_dict_fetch([$1], [$2], [$3]), [$4],
+	[$5],
+    [$6])])
 
-# AS_EXECUTABLE_P
-# ---------------
-# Check whether a file is executable.
-m4_ifndef([AS_EXECUTABLE_P],
-[m4_defun([AS_EXECUTABLE_P],
-[AS_REQUIRE([_AS_TEST_PREPARE])dnl
-$as_executable_p $1[]dnl
-])])# AS_EXECUTABLE_P
 
-# NOTE: This macro has been submitted for inclusion into   #
-#  GNU Autoconf as AC_PROG_SED.  When it is available in   #
-#  a released version of Autoconf we should remove this    #
-#  macro and use it instead.                               #
-# LT_AC_PROG_SED
-# --------------
-# Check for a fully-functional sed program, that truncates
-# as few characters as possible.  Prefer GNU sed if found.
-AC_DEFUN([LT_AC_PROG_SED],
-[AC_MSG_CHECKING([for a sed that does not truncate output])
-AC_CACHE_VAL(lt_cv_path_SED,
-[# Loop through the user's path and test for sed and gsed.
-# Then use that list of sed's as ones to test for truncation.
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  for lt_ac_prog in sed gsed; do
-    for ac_exec_ext in '' $ac_executable_extensions; do
-      if AS_EXECUTABLE_P(["$as_dir/$lt_ac_prog$ac_exec_ext"]); then
-        lt_ac_sed_list="$lt_ac_sed_list $as_dir/$lt_ac_prog$ac_exec_ext"
-      fi
-    done
-  done
-done
-IFS=$as_save_IFS
-lt_ac_max=0
-lt_ac_count=0
-# Add /usr/xpg4/bin/sed as it is typically found on Solaris
-# along with /bin/sed that truncates output.
-for lt_ac_sed in $lt_ac_sed_list /usr/xpg4/bin/sed; do
-  test ! -f $lt_ac_sed && continue
-  cat /dev/null > conftest.in
-  lt_ac_count=0
-  echo $ECHO_N "0123456789$ECHO_C" >conftest.in
-  # Check for GNU sed and select it if it is found.
-  if "$lt_ac_sed" --version 2>&1 < /dev/null | grep 'GNU' > /dev/null; then
-    lt_cv_path_SED=$lt_ac_sed
-    break
-  fi
-  while true; do
-    cat conftest.in conftest.in >conftest.tmp
-    mv conftest.tmp conftest.in
-    cp conftest.in conftest.nl
-    echo >>conftest.nl
-    $lt_ac_sed -e 's/a$//' < conftest.nl >conftest.out || break
-    cmp -s conftest.out conftest.nl || break
-    # 10000 chars as input seems more than enough
-    test $lt_ac_count -gt 10 && break
-    lt_ac_count=`expr $lt_ac_count + 1`
-    if test $lt_ac_count -gt $lt_ac_max; then
-      lt_ac_max=$lt_ac_count
-      lt_cv_path_SED=$lt_ac_sed
-    fi
-  done
-done
+# lt_dict_filter(DICT, [SUBKEY], VALUE, [SEPARATOR], KEY, [...])
+# --------------------------------------------------------------
+m4_define([lt_dict_filter],
+[m4_if([$5], [], [],
+  [lt_join(m4_quote(m4_default([$4], [[, ]])),
+           lt_unquote(m4_split(m4_normalize(m4_foreach(_Lt_key, lt_car([m4_shiftn(4, $@)]),
+		      [lt_if_dict_fetch([$1], _Lt_key, [$2], [$3], [_Lt_key ])])))))])[]dnl
 ])
-SED=$lt_cv_path_SED
-AC_SUBST([SED])
-AC_MSG_RESULT([$SED])
+
+# ltversion.m4 -- version numbers			-*- Autoconf -*-
+#
+#   Copyright (C) 2004 Free Software Foundation, Inc.
+#   Written by Scott James Remnant, 2004
+#
+# This file is free software; the Free Software Foundation gives
+# unlimited permission to copy and/or distribute it, with or without
+# modifications, as long as this notice is preserved.
+
+# Generated from ltversion.in.
+
+# serial 2976 ltversion.m4
+# This file is part of GNU Libtool
+
+m4_define([LT_PACKAGE_VERSION], [2.2.4])
+m4_define([LT_PACKAGE_REVISION], [1.2976])
+
+AC_DEFUN([LTVERSION_VERSION],
+[macro_version='2.2.4'
+macro_revision='1.2976'
+_LT_DECL(, macro_version, 0, [Which release of libtool.m4 was used?])
+_LT_DECL(, macro_revision, 0)
 ])
 
+# lt~obsolete.m4 -- aclocal satisfying obsolete definitions.    -*-Autoconf-*-
+#
+#   Copyright (C) 2004, 2005, 2007 Free Software Foundation, Inc.
+#   Written by Scott James Remnant, 2004.
+#
+# This file is free software; the Free Software Foundation gives
+# unlimited permission to copy and/or distribute it, with or without
+# modifications, as long as this notice is preserved.
+
+# serial 4 lt~obsolete.m4
+
+# These exist entirely to fool aclocal when bootstrapping libtool.
+#
+# In the past libtool.m4 has provided macros via AC_DEFUN (or AU_DEFUN)
+# which have later been changed to m4_define as they aren't part of the
+# exported API, or moved to Autoconf or Automake where they belong.
+#
+# The trouble is, aclocal is a bit thick.  It'll see the old AC_DEFUN
+# in /usr/share/aclocal/libtool.m4 and remember it, then when it sees us
+# using a macro with the same name in our local m4/libtool.m4 it'll
+# pull the old libtool.m4 in (it doesn't see our shiny new m4_define
+# and doesn't know about Autoconf macros at all.)
+#
+# So we provide this file, which has a silly filename so it's always
+# included after everything else.  This provides aclocal with the
+# AC_DEFUNs it wants, but when m4 processes it, it doesn't do anything
+# because those macros already exist, or will be overwritten later.
+# We use AC_DEFUN over AU_DEFUN for compatibility with aclocal-1.6. 
+#
+# Anytime we withdraw an AC_DEFUN or AU_DEFUN, remember to add it here.
+# Yes, that means every name once taken will need to remain here until
+# we give up compatibility with versions before 1.7, at which point
+# we need to keep only those names which we still refer to.
+
+# This is to help aclocal find these macros, as it can't see m4_define.
+AC_DEFUN([LTOBSOLETE_VERSION], [m4_if([1])])
+
+m4_ifndef([AC_LIBTOOL_LINKER_OPTION],	[AC_DEFUN([AC_LIBTOOL_LINKER_OPTION])])
+m4_ifndef([AC_PROG_EGREP],		[AC_DEFUN([AC_PROG_EGREP])])
+m4_ifndef([_LT_AC_PROG_ECHO_BACKSLASH],	[AC_DEFUN([_LT_AC_PROG_ECHO_BACKSLASH])])
+m4_ifndef([_LT_AC_SHELL_INIT],		[AC_DEFUN([_LT_AC_SHELL_INIT])])
+m4_ifndef([_LT_AC_SYS_LIBPATH_AIX],	[AC_DEFUN([_LT_AC_SYS_LIBPATH_AIX])])
+m4_ifndef([_LT_PROG_LTMAIN],		[AC_DEFUN([_LT_PROG_LTMAIN])])
+m4_ifndef([_LT_AC_TAGVAR],		[AC_DEFUN([_LT_AC_TAGVAR])])
+m4_ifndef([AC_LTDL_ENABLE_INSTALL],	[AC_DEFUN([AC_LTDL_ENABLE_INSTALL])])
+m4_ifndef([AC_LTDL_PREOPEN],		[AC_DEFUN([AC_LTDL_PREOPEN])])
+m4_ifndef([_LT_AC_SYS_COMPILER],	[AC_DEFUN([_LT_AC_SYS_COMPILER])])
+m4_ifndef([_LT_AC_LOCK],		[AC_DEFUN([_LT_AC_LOCK])])
+m4_ifndef([AC_LIBTOOL_SYS_OLD_ARCHIVE],	[AC_DEFUN([AC_LIBTOOL_SYS_OLD_ARCHIVE])])
+m4_ifndef([_LT_AC_TRY_DLOPEN_SELF],	[AC_DEFUN([_LT_AC_TRY_DLOPEN_SELF])])
+m4_ifndef([AC_LIBTOOL_PROG_CC_C_O],	[AC_DEFUN([AC_LIBTOOL_PROG_CC_C_O])])
+m4_ifndef([AC_LIBTOOL_SYS_HARD_LINK_LOCKS], [AC_DEFUN([AC_LIBTOOL_SYS_HARD_LINK_LOCKS])])
+m4_ifndef([AC_LIBTOOL_OBJDIR],		[AC_DEFUN([AC_LIBTOOL_OBJDIR])])
+m4_ifndef([AC_LTDL_OBJDIR],		[AC_DEFUN([AC_LTDL_OBJDIR])])
+m4_ifndef([AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH], [AC_DEFUN([AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH])])
+m4_ifndef([AC_LIBTOOL_SYS_LIB_STRIP],	[AC_DEFUN([AC_LIBTOOL_SYS_LIB_STRIP])])
+m4_ifndef([AC_PATH_MAGIC],		[AC_DEFUN([AC_PATH_MAGIC])])
+m4_ifndef([AC_PROG_LD_GNU],		[AC_DEFUN([AC_PROG_LD_GNU])])
+m4_ifndef([AC_PROG_LD_RELOAD_FLAG],	[AC_DEFUN([AC_PROG_LD_RELOAD_FLAG])])
+m4_ifndef([AC_DEPLIBS_CHECK_METHOD],	[AC_DEFUN([AC_DEPLIBS_CHECK_METHOD])])
+m4_ifndef([AC_LIBTOOL_PROG_COMPILER_NO_RTTI], [AC_DEFUN([AC_LIBTOOL_PROG_COMPILER_NO_RTTI])])
+m4_ifndef([AC_LIBTOOL_SYS_GLOBAL_SYMBOL_PIPE], [AC_DEFUN([AC_LIBTOOL_SYS_GLOBAL_SYMBOL_PIPE])])
+m4_ifndef([AC_LIBTOOL_PROG_COMPILER_PIC], [AC_DEFUN([AC_LIBTOOL_PROG_COMPILER_PIC])])
+m4_ifndef([AC_LIBTOOL_PROG_LD_SHLIBS],	[AC_DEFUN([AC_LIBTOOL_PROG_LD_SHLIBS])])
+m4_ifndef([AC_LIBTOOL_POSTDEP_PREDEP],	[AC_DEFUN([AC_LIBTOOL_POSTDEP_PREDEP])])
+m4_ifndef([LT_AC_PROG_EGREP],		[AC_DEFUN([LT_AC_PROG_EGREP])])
+m4_ifndef([LT_AC_PROG_SED],		[AC_DEFUN([LT_AC_PROG_SED])])
+m4_ifndef([_LT_CC_BASENAME],		[AC_DEFUN([_LT_CC_BASENAME])])
+m4_ifndef([_LT_COMPILER_BOILERPLATE],	[AC_DEFUN([_LT_COMPILER_BOILERPLATE])])
+m4_ifndef([_LT_LINKER_BOILERPLATE],	[AC_DEFUN([_LT_LINKER_BOILERPLATE])])
+m4_ifndef([_AC_PROG_LIBTOOL],		[AC_DEFUN([_AC_PROG_LIBTOOL])])
+m4_ifndef([AC_LIBTOOL_SETUP],		[AC_DEFUN([AC_LIBTOOL_SETUP])])
+m4_ifndef([_LT_AC_CHECK_DLFCN],		[AC_DEFUN([_LT_AC_CHECK_DLFCN])])
+m4_ifndef([AC_LIBTOOL_SYS_DYNAMIC_LINKER],	[AC_DEFUN([AC_LIBTOOL_SYS_DYNAMIC_LINKER])])
+m4_ifndef([_LT_AC_TAGCONFIG],		[AC_DEFUN([_LT_AC_TAGCONFIG])])
+m4_ifndef([AC_DISABLE_FAST_INSTALL],	[AC_DEFUN([AC_DISABLE_FAST_INSTALL])])
+m4_ifndef([_LT_AC_LANG_CXX],		[AC_DEFUN([_LT_AC_LANG_CXX])])
+m4_ifndef([_LT_AC_LANG_F77],		[AC_DEFUN([_LT_AC_LANG_F77])])
+m4_ifndef([_LT_AC_LANG_GCJ],		[AC_DEFUN([_LT_AC_LANG_GCJ])])
+m4_ifndef([AC_LIBTOOL_RC],		[AC_DEFUN([AC_LIBTOOL_RC])])
+m4_ifndef([AC_LIBTOOL_LANG_C_CONFIG],	[AC_DEFUN([AC_LIBTOOL_LANG_C_CONFIG])])
+m4_ifndef([_LT_AC_LANG_C_CONFIG],	[AC_DEFUN([_LT_AC_LANG_C_CONFIG])])
+m4_ifndef([AC_LIBTOOL_LANG_CXX_CONFIG],	[AC_DEFUN([AC_LIBTOOL_LANG_CXX_CONFIG])])
+m4_ifndef([_LT_AC_LANG_CXX_CONFIG],	[AC_DEFUN([_LT_AC_LANG_CXX_CONFIG])])
+m4_ifndef([AC_LIBTOOL_LANG_F77_CONFIG],	[AC_DEFUN([AC_LIBTOOL_LANG_F77_CONFIG])])
+m4_ifndef([_LT_AC_LANG_F77_CONFIG],	[AC_DEFUN([_LT_AC_LANG_F77_CONFIG])])
+m4_ifndef([AC_LIBTOOL_LANG_GCJ_CONFIG],	[AC_DEFUN([AC_LIBTOOL_LANG_GCJ_CONFIG])])
+m4_ifndef([_LT_AC_LANG_GCJ_CONFIG],	[AC_DEFUN([_LT_AC_LANG_GCJ_CONFIG])])
+m4_ifndef([AC_LIBTOOL_LANG_RC_CONFIG],	[AC_DEFUN([AC_LIBTOOL_LANG_RC_CONFIG])])
+m4_ifndef([_LT_AC_LANG_RC_CONFIG],	[AC_DEFUN([_LT_AC_LANG_RC_CONFIG])])
+m4_ifndef([AC_LIBTOOL_CONFIG],		[AC_DEFUN([AC_LIBTOOL_CONFIG])])
+m4_ifndef([_LT_AC_FILE_LTDLL_C],	[AC_DEFUN([_LT_AC_FILE_LTDLL_C])])
+
 # pkg.m4 - Macros to locate and utilise pkg-config.            -*- Autoconf -*-
 # 
 # Copyright © 2004 Scott James Remnant <scott@netsplit.com>.
diff --git a/config.guess b/config.guess
index 278f9e9e0..f32079abd 100755
--- a/config.guess
+++ b/config.guess
@@ -1,10 +1,10 @@
 #! /bin/sh
 # Attempt to guess a canonical system name.
 #   Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
-#   2000, 2001, 2002, 2003, 2004, 2005, 2006 Free Software Foundation,
-#   Inc.
+#   2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008
+#   Free Software Foundation, Inc.
 
-timestamp='2007-07-22'
+timestamp='2008-01-23'
 
 # This file is free software; you can redistribute it and/or modify it
 # under the terms of the GNU General Public License as published by
@@ -56,8 +56,8 @@ version="\
 GNU config.guess ($timestamp)
 
 Originally written by Per Bothner.
-Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005
-Free Software Foundation, Inc.
+Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001,
+2002, 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation, Inc.
 
 This is free software; see the source for copying conditions.  There is NO
 warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
@@ -532,7 +532,7 @@ EOF
 		echo rs6000-ibm-aix3.2
 	fi
 	exit ;;
-    *:AIX:*:[45])
+    *:AIX:*:[456])
 	IBM_CPU_ID=`/usr/sbin/lsdev -C -c processor -S available | sed 1q | awk '{ print $1 }'`
 	if /usr/sbin/lsattr -El ${IBM_CPU_ID} | grep ' POWER' >/dev/null 2>&1; then
 		IBM_ARCH=rs6000
@@ -799,6 +799,9 @@ EOF
 	    EM64T | authenticamd)
 		echo x86_64-unknown-interix${UNAME_RELEASE}
 		exit ;;
+	    IA64)
+		echo ia64-unknown-interix${UNAME_RELEASE}
+		exit ;;
 	esac ;;
     [345]86:Windows_95:* | [345]86:Windows_98:* | [345]86:Windows_NT:*)
 	echo i${UNAME_MACHINE}-pc-mks
@@ -833,7 +836,14 @@ EOF
 	echo ${UNAME_MACHINE}-pc-minix
 	exit ;;
     arm*:Linux:*:*)
-	echo ${UNAME_MACHINE}-unknown-linux-gnu
+	eval $set_cc_for_build
+	if echo __ARM_EABI__ | $CC_FOR_BUILD -E - 2>/dev/null \
+	    | grep -q __ARM_EABI__
+	then
+	    echo ${UNAME_MACHINE}-unknown-linux-gnu
+	else
+	    echo ${UNAME_MACHINE}-unknown-linux-gnueabi
+	fi
 	exit ;;
     avr32*:Linux:*:*)
 	echo ${UNAME_MACHINE}-unknown-linux-gnu
@@ -954,8 +964,8 @@ EOF
     x86_64:Linux:*:*)
 	echo x86_64-unknown-linux-gnu
 	exit ;;
-    xtensa:Linux:*:*)
-    	echo xtensa-unknown-linux-gnu
+    xtensa*:Linux:*:*)
+    	echo ${UNAME_MACHINE}-unknown-linux-gnu
 	exit ;;
     i*86:Linux:*:*)
 	# The BFD linker knows what the default object file format is, so
@@ -1474,9 +1484,9 @@ This script, last modified $timestamp, has failed to recognize
 the operating system you are using. It is advised that you
 download the most up to date version of the config scripts from
 
-  http://savannah.gnu.org/cgi-bin/viewcvs/*checkout*/config/config/config.guess
+  http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess;hb=HEAD
 and
-  http://savannah.gnu.org/cgi-bin/viewcvs/*checkout*/config/config/config.sub
+  http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.sub;hb=HEAD
 
 If the version you run ($0) is already up to date, please
 send the following data and any information you think might be
diff --git a/config.sub b/config.sub
index 1761d8bdf..6759825a5 100755
--- a/config.sub
+++ b/config.sub
@@ -1,10 +1,10 @@
 #! /bin/sh
 # Configuration validation subroutine script.
 #   Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
-#   2000, 2001, 2002, 2003, 2004, 2005, 2006 Free Software Foundation,
-#   Inc.
+#   2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008
+#   Free Software Foundation, Inc.
 
-timestamp='2007-06-28'
+timestamp='2008-01-16'
 
 # This file is (in principle) common to ALL GNU software.
 # The presence of a machine in this file suggests that SOME GNU software
@@ -72,8 +72,8 @@ Report bugs and patches to <config-patches@gnu.org>."
 version="\
 GNU config.sub ($timestamp)
 
-Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005
-Free Software Foundation, Inc.
+Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001,
+2002, 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation, Inc.
 
 This is free software; see the source for copying conditions.  There is NO
 warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
@@ -369,10 +369,14 @@ case $basic_machine in
 	| v850-* | v850e-* | vax-* \
 	| we32k-* \
 	| x86-* | x86_64-* | xc16x-* | xps100-* | xscale-* | xscalee[bl]-* \
-	| xstormy16-* | xtensa-* \
+	| xstormy16-* | xtensa*-* \
 	| ymp-* \
 	| z8k-*)
 		;;
+	# Recognize the basic CPU types without company name, with glob match.
+	xtensa*)
+		basic_machine=$basic_machine-unknown
+		;;
 	# Recognize the various machine names and aliases which stand
 	# for a CPU type and a company and sometimes even an OS.
 	386bsd)
@@ -443,6 +447,14 @@ case $basic_machine in
 		basic_machine=ns32k-sequent
 		os=-dynix
 		;;
+	blackfin)
+		basic_machine=bfin-unknown
+		os=-linux
+		;;
+	blackfin-*)
+		basic_machine=bfin-`echo $basic_machine | sed 's/^[^-]*-//'`
+		os=-linux
+		;;
 	c90)
 		basic_machine=c90-cray
 		os=-unicos
@@ -668,6 +680,14 @@ case $basic_machine in
 		basic_machine=m68k-isi
 		os=-sysv
 		;;
+	m68knommu)
+		basic_machine=m68k-unknown
+		os=-linux
+		;;
+	m68knommu-*)
+		basic_machine=m68k-`echo $basic_machine | sed 's/^[^-]*-//'`
+		os=-linux
+		;;
 	m88k-omron*)
 		basic_machine=m88k-omron
 		;;
@@ -813,6 +833,14 @@ case $basic_machine in
 		basic_machine=i860-intel
 		os=-osf
 		;;
+	parisc)
+		basic_machine=hppa-unknown
+		os=-linux
+		;;
+	parisc-*)
+		basic_machine=hppa-`echo $basic_machine | sed 's/^[^-]*-//'`
+		os=-linux
+		;;
 	pbd)
 		basic_machine=sparc-tti
 		;;
@@ -1021,6 +1049,10 @@ case $basic_machine in
 		basic_machine=tic6x-unknown
 		os=-coff
 		;;
+	tile*)
+		basic_machine=tile-unknown
+		os=-linux-gnu
+		;;
 	tx39)
 		basic_machine=mipstx39-unknown
 		;;
diff --git a/configure b/configure
index d993f76a1..6c018dc76 100755
--- a/configure
+++ b/configure
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.61 for strongSwan 4.2.9.
+# Generated by GNU Autoconf 2.61 for strongSwan 4.2.12.
 #
 # Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
 # 2002, 2003, 2004, 2005, 2006 Free Software Foundation, Inc.
@@ -553,22 +553,22 @@ as_tr_sh="eval sed 'y%*+%pp%;s%[^_$as_cr_alnum]%_%g'"
 # Check that we are running under the correct shell.
 SHELL=${CONFIG_SHELL-/bin/sh}
 
-case X$ECHO in
+case X$lt_ECHO in
 X*--fallback-echo)
   # Remove one level of quotation (which was required for Make).
-  ECHO=`echo "$ECHO" | sed 's,\\\\\$\\$0,'$0','`
+  ECHO=`echo "$lt_ECHO" | sed 's,\\\\\$\\$0,'$0','`
   ;;
 esac
 
-echo=${ECHO-echo}
+ECHO=${lt_ECHO-echo}
 if test "X$1" = X--no-reexec; then
   # Discard the --no-reexec flag, and continue.
   shift
 elif test "X$1" = X--fallback-echo; then
   # Avoid inline document here, it may be left over
   :
-elif test "X`($echo '\t') 2>/dev/null`" = 'X\t' ; then
-  # Yippee, $echo works!
+elif test "X`{ $ECHO '\t'; } 2>/dev/null`" = 'X\t' ; then
+  # Yippee, $ECHO works!
   :
 else
   # Restart under the correct shell.
@@ -578,9 +578,9 @@ fi
 if test "X$1" = X--fallback-echo; then
   # used as fallback echo
   shift
-  cat <<EOF
+  cat <<_LT_EOF
 $*
-EOF
+_LT_EOF
   exit 0
 fi
 
@@ -588,121 +588,116 @@ fi
 # if CDPATH is set.
 (unset CDPATH) >/dev/null 2>&1 && unset CDPATH
 
-if test -z "$ECHO"; then
-if test "X${echo_test_string+set}" != Xset; then
-# find a string as large as possible, as long as the shell can cope with it
-  for cmd in 'sed 50q "$0"' 'sed 20q "$0"' 'sed 10q "$0"' 'sed 2q "$0"' 'echo test'; do
-    # expected sizes: less than 2Kb, 1Kb, 512 bytes, 16 bytes, ...
-    if (echo_test_string=`eval $cmd`) 2>/dev/null &&
-       echo_test_string=`eval $cmd` &&
-       (test "X$echo_test_string" = "X$echo_test_string") 2>/dev/null
-    then
-      break
-    fi
-  done
-fi
+if test -z "$lt_ECHO"; then
+  if test "X${echo_test_string+set}" != Xset; then
+    # find a string as large as possible, as long as the shell can cope with it
+    for cmd in 'sed 50q "$0"' 'sed 20q "$0"' 'sed 10q "$0"' 'sed 2q "$0"' 'echo test'; do
+      # expected sizes: less than 2Kb, 1Kb, 512 bytes, 16 bytes, ...
+      if { echo_test_string=`eval $cmd`; } 2>/dev/null &&
+	 { test "X$echo_test_string" = "X$echo_test_string"; } 2>/dev/null
+      then
+        break
+      fi
+    done
+  fi
 
-if test "X`($echo '\t') 2>/dev/null`" = 'X\t' &&
-   echo_testing_string=`($echo "$echo_test_string") 2>/dev/null` &&
-   test "X$echo_testing_string" = "X$echo_test_string"; then
-  :
-else
-  # The Solaris, AIX, and Digital Unix default echo programs unquote
-  # backslashes.  This makes it impossible to quote backslashes using
-  #   echo "$something" | sed 's/\\/\\\\/g'
-  #
-  # So, first we look for a working echo in the user's PATH.
+  if test "X`{ $ECHO '\t'; } 2>/dev/null`" = 'X\t' &&
+     echo_testing_string=`{ $ECHO "$echo_test_string"; } 2>/dev/null` &&
+     test "X$echo_testing_string" = "X$echo_test_string"; then
+    :
+  else
+    # The Solaris, AIX, and Digital Unix default echo programs unquote
+    # backslashes.  This makes it impossible to quote backslashes using
+    #   echo "$something" | sed 's/\\/\\\\/g'
+    #
+    # So, first we look for a working echo in the user's PATH.
 
-  lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR
-  for dir in $PATH /usr/ucb; do
+    lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR
+    for dir in $PATH /usr/ucb; do
+      IFS="$lt_save_ifs"
+      if (test -f $dir/echo || test -f $dir/echo$ac_exeext) &&
+         test "X`($dir/echo '\t') 2>/dev/null`" = 'X\t' &&
+         echo_testing_string=`($dir/echo "$echo_test_string") 2>/dev/null` &&
+         test "X$echo_testing_string" = "X$echo_test_string"; then
+        ECHO="$dir/echo"
+        break
+      fi
+    done
     IFS="$lt_save_ifs"
-    if (test -f $dir/echo || test -f $dir/echo$ac_exeext) &&
-       test "X`($dir/echo '\t') 2>/dev/null`" = 'X\t' &&
-       echo_testing_string=`($dir/echo "$echo_test_string") 2>/dev/null` &&
-       test "X$echo_testing_string" = "X$echo_test_string"; then
-      echo="$dir/echo"
-      break
-    fi
-  done
-  IFS="$lt_save_ifs"
 
-  if test "X$echo" = Xecho; then
-    # We didn't find a better echo, so look for alternatives.
-    if test "X`(print -r '\t') 2>/dev/null`" = 'X\t' &&
-       echo_testing_string=`(print -r "$echo_test_string") 2>/dev/null` &&
-       test "X$echo_testing_string" = "X$echo_test_string"; then
-      # This shell has a builtin print -r that does the trick.
-      echo='print -r'
-    elif (test -f /bin/ksh || test -f /bin/ksh$ac_exeext) &&
-	 test "X$CONFIG_SHELL" != X/bin/ksh; then
-      # If we have ksh, try running configure again with it.
-      ORIGINAL_CONFIG_SHELL=${CONFIG_SHELL-/bin/sh}
-      export ORIGINAL_CONFIG_SHELL
-      CONFIG_SHELL=/bin/ksh
-      export CONFIG_SHELL
-      exec $CONFIG_SHELL "$0" --no-reexec ${1+"$@"}
-    else
-      # Try using printf.
-      echo='printf %s\n'
-      if test "X`($echo '\t') 2>/dev/null`" = 'X\t' &&
-	 echo_testing_string=`($echo "$echo_test_string") 2>/dev/null` &&
-	 test "X$echo_testing_string" = "X$echo_test_string"; then
-	# Cool, printf works
-	:
-      elif echo_testing_string=`($ORIGINAL_CONFIG_SHELL "$0" --fallback-echo '\t') 2>/dev/null` &&
-	   test "X$echo_testing_string" = 'X\t' &&
-	   echo_testing_string=`($ORIGINAL_CONFIG_SHELL "$0" --fallback-echo "$echo_test_string") 2>/dev/null` &&
-	   test "X$echo_testing_string" = "X$echo_test_string"; then
-	CONFIG_SHELL=$ORIGINAL_CONFIG_SHELL
-	export CONFIG_SHELL
-	SHELL="$CONFIG_SHELL"
-	export SHELL
-	echo="$CONFIG_SHELL $0 --fallback-echo"
-      elif echo_testing_string=`($CONFIG_SHELL "$0" --fallback-echo '\t') 2>/dev/null` &&
-	   test "X$echo_testing_string" = 'X\t' &&
-	   echo_testing_string=`($CONFIG_SHELL "$0" --fallback-echo "$echo_test_string") 2>/dev/null` &&
-	   test "X$echo_testing_string" = "X$echo_test_string"; then
-	echo="$CONFIG_SHELL $0 --fallback-echo"
+    if test "X$ECHO" = Xecho; then
+      # We didn't find a better echo, so look for alternatives.
+      if test "X`{ print -r '\t'; } 2>/dev/null`" = 'X\t' &&
+         echo_testing_string=`{ print -r "$echo_test_string"; } 2>/dev/null` &&
+         test "X$echo_testing_string" = "X$echo_test_string"; then
+        # This shell has a builtin print -r that does the trick.
+        ECHO='print -r'
+      elif { test -f /bin/ksh || test -f /bin/ksh$ac_exeext; } &&
+	   test "X$CONFIG_SHELL" != X/bin/ksh; then
+        # If we have ksh, try running configure again with it.
+        ORIGINAL_CONFIG_SHELL=${CONFIG_SHELL-/bin/sh}
+        export ORIGINAL_CONFIG_SHELL
+        CONFIG_SHELL=/bin/ksh
+        export CONFIG_SHELL
+        exec $CONFIG_SHELL "$0" --no-reexec ${1+"$@"}
       else
-	# maybe with a smaller string...
-	prev=:
+        # Try using printf.
+        ECHO='printf %s\n'
+        if test "X`{ $ECHO '\t'; } 2>/dev/null`" = 'X\t' &&
+	   echo_testing_string=`{ $ECHO "$echo_test_string"; } 2>/dev/null` &&
+	   test "X$echo_testing_string" = "X$echo_test_string"; then
+	  # Cool, printf works
+	  :
+        elif echo_testing_string=`($ORIGINAL_CONFIG_SHELL "$0" --fallback-echo '\t') 2>/dev/null` &&
+	     test "X$echo_testing_string" = 'X\t' &&
+	     echo_testing_string=`($ORIGINAL_CONFIG_SHELL "$0" --fallback-echo "$echo_test_string") 2>/dev/null` &&
+	     test "X$echo_testing_string" = "X$echo_test_string"; then
+	  CONFIG_SHELL=$ORIGINAL_CONFIG_SHELL
+	  export CONFIG_SHELL
+	  SHELL="$CONFIG_SHELL"
+	  export SHELL
+	  ECHO="$CONFIG_SHELL $0 --fallback-echo"
+        elif echo_testing_string=`($CONFIG_SHELL "$0" --fallback-echo '\t') 2>/dev/null` &&
+	     test "X$echo_testing_string" = 'X\t' &&
+	     echo_testing_string=`($CONFIG_SHELL "$0" --fallback-echo "$echo_test_string") 2>/dev/null` &&
+	     test "X$echo_testing_string" = "X$echo_test_string"; then
+	  ECHO="$CONFIG_SHELL $0 --fallback-echo"
+        else
+	  # maybe with a smaller string...
+	  prev=:
 
-	for cmd in 'echo test' 'sed 2q "$0"' 'sed 10q "$0"' 'sed 20q "$0"' 'sed 50q "$0"'; do
-	  if (test "X$echo_test_string" = "X`eval $cmd`") 2>/dev/null
-	  then
-	    break
-	  fi
-	  prev="$cmd"
-	done
+	  for cmd in 'echo test' 'sed 2q "$0"' 'sed 10q "$0"' 'sed 20q "$0"' 'sed 50q "$0"'; do
+	    if { test "X$echo_test_string" = "X`eval $cmd`"; } 2>/dev/null
+	    then
+	      break
+	    fi
+	    prev="$cmd"
+	  done
 
-	if test "$prev" != 'sed 50q "$0"'; then
-	  echo_test_string=`eval $prev`
-	  export echo_test_string
-	  exec ${ORIGINAL_CONFIG_SHELL-${CONFIG_SHELL-/bin/sh}} "$0" ${1+"$@"}
-	else
-	  # Oops.  We lost completely, so just stick with echo.
-	  echo=echo
-	fi
+	  if test "$prev" != 'sed 50q "$0"'; then
+	    echo_test_string=`eval $prev`
+	    export echo_test_string
+	    exec ${ORIGINAL_CONFIG_SHELL-${CONFIG_SHELL-/bin/sh}} "$0" ${1+"$@"}
+	  else
+	    # Oops.  We lost completely, so just stick with echo.
+	    ECHO=echo
+	  fi
+        fi
       fi
     fi
   fi
 fi
-fi
 
 # Copy echo and quote the copy suitably for passing to libtool from
 # the Makefile, instead of quoting the original, which is used later.
-ECHO=$echo
-if test "X$ECHO" = "X$CONFIG_SHELL $0 --fallback-echo"; then
-   ECHO="$CONFIG_SHELL \\\$\$0 --fallback-echo"
+lt_ECHO=$ECHO
+if test "X$lt_ECHO" = "X$CONFIG_SHELL $0 --fallback-echo"; then
+   lt_ECHO="$CONFIG_SHELL \\\$\$0 --fallback-echo"
 fi
 
 
 
 
-tagnames=${tagnames+${tagnames},}CXX
-
-tagnames=${tagnames+${tagnames},}F77
-
 exec 7<&0 </dev/null 6>&1
 
 # Name of the host.
@@ -726,8 +721,8 @@ SHELL=${CONFIG_SHELL-/bin/sh}
 # Identity of this package.
 PACKAGE_NAME='strongSwan'
 PACKAGE_TARNAME='strongswan'
-PACKAGE_VERSION='4.2.9'
-PACKAGE_STRING='strongSwan 4.2.9'
+PACKAGE_VERSION='4.2.12'
+PACKAGE_STRING='strongSwan 4.2.12'
 PACKAGE_BUGREPORT=''
 
 # Factoring default headers for most tests.
@@ -858,6 +853,7 @@ IPSEC_ROUTING_TABLE
 IPSEC_ROUTING_TABLE_PRIO
 ipsecuser
 ipsecgroup
+LIBTOOL
 build
 build_cpu
 build_vendor
@@ -867,23 +863,20 @@ host_cpu
 host_vendor
 host_os
 SED
+FGREP
+LD
+DUMPBIN
+ac_ct_DUMPBIN
+NM
 LN_S
-ECHO
 AR
 RANLIB
+lt_ECHO
 DSYMUTIL
 NMEDIT
-CXX
-CXXFLAGS
-ac_ct_CXX
-CXXDEPMODE
-am__fastdepCXX_TRUE
-am__fastdepCXX_FALSE
-CXXCPP
-F77
-FFLAGS
-ac_ct_F77
-LIBTOOL
+LIPO
+OTOOL
+OTOOL64
 LEX
 LEX_OUTPUT_ROOT
 LEXLIB
@@ -906,6 +899,8 @@ USE_AES_TRUE
 USE_AES_FALSE
 USE_DES_TRUE
 USE_DES_FALSE
+USE_MD4_TRUE
+USE_MD4_FALSE
 USE_MD5_TRUE
 USE_MD5_FALSE
 USE_SHA1_TRUE
@@ -968,6 +963,8 @@ USE_EAP_GTC_TRUE
 USE_EAP_GTC_FALSE
 USE_EAP_AKA_TRUE
 USE_EAP_AKA_FALSE
+USE_EAP_MSCHAPV2_TRUE
+USE_EAP_MSCHAPV2_FALSE
 USE_KERNEL_NETLINK_TRUE
 USE_KERNEL_NETLINK_FALSE
 USE_KERNEL_PFKEY_TRUE
@@ -1004,6 +1001,8 @@ USE_CAPABILITIES_TRUE
 USE_CAPABILITIES_FALSE
 USE_PLUTO_TRUE
 USE_PLUTO_FALSE
+USE_THREADS_TRUE
+USE_THREADS_FALSE
 USE_CHARON_TRUE
 USE_CHARON_FALSE
 USE_TOOLS_TRUE
@@ -1025,12 +1024,6 @@ LIBS
 CPPFLAGS
 CPP
 PKG_CONFIG
-CXX
-CXXFLAGS
-CCC
-CXXCPP
-F77
-FFLAGS
 YACC
 YFLAGS
 xml_CFLAGS
@@ -1541,7 +1534,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures strongSwan 4.2.9 to adapt to many kinds of systems.
+\`configure' configures strongSwan 4.2.12 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1611,7 +1604,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of strongSwan 4.2.9:";;
+     short | recursive ) echo "Configuration of strongSwan 4.2.12:";;
    esac
   cat <<\_ACEOF
 
@@ -1628,6 +1621,8 @@ Optional Features:
                           (default is NO).
   --disable-des           disable own DES/3DES software implementation plugin.
                           (default is NO).
+  --enable-md4            enable MD4 software implementation plugin (default
+                          is NO).
   --disable-md5           disable own MD5 software implementation plugin.
                           (default is NO).
   --disable-sha1          disable own SHA1 software implementation plugin.
@@ -1666,7 +1661,7 @@ Optional Features:
   --enable-cisco-quirks   enable support of Cisco VPN client (default is NO).
   --enable-leak-detective enable malloc hooks to find memory leaks (default is
                           NO).
-  --enable-lock-profiling enable lock/mutex profiling code (default is NO).
+  --enable-lock-profiler  enable lock/mutex profiling code (default is NO).
   --enable-unit-tests     enable unit tests on IKEv2 daemon startup (default
                           is NO).
   --enable-load-tests     enable load testing plugin for IKEv2 daemon (default
@@ -1683,6 +1678,8 @@ Optional Features:
                           (default is NO).
   --enable-eap-aka        build AKA authentication module for EAP (default is
                           NO).
+  --enable-eap-mschapv2   build MS-CHAPv2 authenication module for EAP
+                          (default is NO).
   --disable-kernel-netlink
                           disable the netlink kernel interface. (default is
                           NO).
@@ -1705,6 +1702,8 @@ Optional Features:
                           is NO).
   --disable-pluto         disable the IKEv1 keying daemon pluto. (default is
                           NO).
+  --disable-threads       disable the use of threads in pluto. Charon always
+                          uses threads. (default is NO).
   --disable-charon        disable the IKEv2 keying daemon charon. (default is
                           NO).
   --disable-tools         disable additional utilities (openac and
@@ -1766,10 +1765,9 @@ Optional Packages:
   --with-capabilities=libcap
                           capability dropping using libcap. Currenlty only the
                           value "libcap" is supported (default is NO).
-  --with-gnu-ld           assume the C compiler uses GNU ld [default=no]
   --with-pic              try to use only PIC/non-PIC objects [default=use
                           both]
-  --with-tags[=TAGS]      include additional configurations [automatic]
+  --with-gnu-ld           assume the C compiler uses GNU ld [default=no]
 
 Some influential environment variables:
   CC          C compiler command
@@ -1781,11 +1779,6 @@ Some influential environment variables:
               you have headers in a nonstandard directory <include dir>
   CPP         C preprocessor
   PKG_CONFIG  path to pkg-config utility
-  CXX         C++ compiler command
-  CXXFLAGS    C++ compiler flags
-  CXXCPP      C++ preprocessor
-  F77         Fortran 77 compiler command
-  FFLAGS      Fortran 77 compiler flags
   YACC        The `Yet Another C Compiler' implementation to use. Defaults to
               the first program found out of: `bison -y', `byacc', `yacc'.
   YFLAGS      The list of arguments that will be passed by default to $YACC.
@@ -1861,7 +1854,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-strongSwan configure 4.2.9
+strongSwan configure 4.2.12
 generated by GNU Autoconf 2.61
 
 Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
@@ -1875,7 +1868,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by strongSwan $as_me 4.2.9, which was
+It was created by strongSwan $as_me 4.2.12, which was
 generated by GNU Autoconf 2.61.  Invocation command line was
 
   $ $0 $@
@@ -2565,7 +2558,7 @@ fi
 
 # Define the identity of the package.
  PACKAGE='strongswan'
- VERSION='4.2.9'
+ VERSION='4.2.12'
 
 
 cat >>confdefs.h <<_ACEOF
@@ -5162,6 +5155,15 @@ else
 fi
 
 
+# Check whether --enable-md4 was given.
+if test "${enable_md4+set}" = set; then
+  enableval=$enable_md4; if test x$enableval = xyes; then
+		md4=true
+	fi
+
+fi
+
+
 # Check whether --enable-md5 was given.
 if test "${enable_md5+set}" = set; then
   enableval=$enable_md5; if test x$enableval = xyes; then
@@ -5467,6 +5469,15 @@ if test "${enable_eap_aka+set}" = set; then
 fi
 
 
+# Check whether --enable-eap-mschapv2 was given.
+if test "${enable_eap_mschapv2+set}" = set; then
+  enableval=$enable_eap_mschapv2; if test x$enableval = xyes; then
+		eap_mschapv2=true
+	fi
+
+fi
+
+
 # Check whether --enable-kernel-netlink was given.
 if test "${enable_kernel_netlink+set}" = set; then
   enableval=$enable_kernel_netlink; if test x$enableval = xyes; then
@@ -5605,6 +5616,19 @@ else
 fi
 
 
+# Check whether --enable-threads was given.
+if test "${enable_threads+set}" = set; then
+  enableval=$enable_threads; if test x$enableval = xyes; then
+		threads=true
+	 else
+		threads=false
+	fi
+else
+  threads=true
+
+fi
+
+
 # Check whether --enable-charon was given.
 if test "${enable_charon+set}" = set; then
   enableval=$enable_charon; if test x$enableval = xyes; then
@@ -5773,77 +5797,30 @@ test -z "$INSTALL_SCRIPT" && INSTALL_SCRIPT='${INSTALL}'
 
 test -z "$INSTALL_DATA" && INSTALL_DATA='${INSTALL} -m 644'
 
-# Check whether --enable-shared was given.
-if test "${enable_shared+set}" = set; then
-  enableval=$enable_shared; p=${PACKAGE-default}
-    case $enableval in
-    yes) enable_shared=yes ;;
-    no) enable_shared=no ;;
-    *)
-      enable_shared=no
-      # Look at the argument we got.  We use all the common list separators.
-      lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR,"
-      for pkg in $enableval; do
-	IFS="$lt_save_ifs"
-	if test "X$pkg" = "X$p"; then
-	  enable_shared=yes
-	fi
-      done
-      IFS="$lt_save_ifs"
-      ;;
-    esac
-else
-  enable_shared=yes
-fi
+case `pwd` in
+  *\ * | *\	*)
+    { echo "$as_me:$LINENO: WARNING: Libtool does not cope well with whitespace in \`pwd\`" >&5
+echo "$as_me: WARNING: Libtool does not cope well with whitespace in \`pwd\`" >&2;} ;;
+esac
+
+
+
+macro_version='2.2.4'
+macro_revision='1.2976'
+
+
+
+
+
+
+
+
 
 
-# Check whether --enable-static was given.
-if test "${enable_static+set}" = set; then
-  enableval=$enable_static; p=${PACKAGE-default}
-    case $enableval in
-    yes) enable_static=yes ;;
-    no) enable_static=no ;;
-    *)
-     enable_static=no
-      # Look at the argument we got.  We use all the common list separators.
-      lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR,"
-      for pkg in $enableval; do
-	IFS="$lt_save_ifs"
-	if test "X$pkg" = "X$p"; then
-	  enable_static=yes
-	fi
-      done
-      IFS="$lt_save_ifs"
-      ;;
-    esac
-else
-  enable_static=yes
-fi
 
 
-# Check whether --enable-fast-install was given.
-if test "${enable_fast_install+set}" = set; then
-  enableval=$enable_fast_install; p=${PACKAGE-default}
-    case $enableval in
-    yes) enable_fast_install=yes ;;
-    no) enable_fast_install=no ;;
-    *)
-      enable_fast_install=no
-      # Look at the argument we got.  We use all the common list separators.
-      lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR,"
-      for pkg in $enableval; do
-	IFS="$lt_save_ifs"
-	if test "X$pkg" = "X$p"; then
-	  enable_fast_install=yes
-	fi
-      done
-      IFS="$lt_save_ifs"
-      ;;
-    esac
-else
-  enable_fast_install=yes
-fi
 
+ltmain="$ac_aux_dir/ltmain.sh"
 
 # Make sure we can run config.sub.
 $SHELL "$ac_aux_dir/config.sub" sun4 >/dev/null 2>&1 ||
@@ -5930,150 +5907,290 @@ case $host_os in *\ *) host_os=`echo "$host_os" | sed 's/ /-/g'`;; esac
 
 { echo "$as_me:$LINENO: checking for a sed that does not truncate output" >&5
 echo $ECHO_N "checking for a sed that does not truncate output... $ECHO_C" >&6; }
-if test "${lt_cv_path_SED+set}" = set; then
+if test "${ac_cv_path_SED+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+            ac_script=s/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb/
+     for ac_i in 1 2 3 4 5 6 7; do
+       ac_script="$ac_script$as_nl$ac_script"
+     done
+     echo "$ac_script" | sed 99q >conftest.sed
+     $as_unset ac_script || ac_script=
+     # Extract the first word of "sed gsed" to use in msg output
+if test -z "$SED"; then
+set dummy sed gsed; ac_prog_name=$2
+if test "${ac_cv_path_SED+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  # Loop through the user's path and test for sed and gsed.
-# Then use that list of sed's as ones to test for truncation.
+  ac_path_SED_found=false
+# Loop through the user's path and test for each of PROGNAME-LIST
 as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
 for as_dir in $PATH
 do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
-  for lt_ac_prog in sed gsed; do
-    for ac_exec_ext in '' $ac_executable_extensions; do
-      if { test -f "$as_dir/$lt_ac_prog$ac_exec_ext" && $as_test_x "$as_dir/$lt_ac_prog$ac_exec_ext"; }; then
-        lt_ac_sed_list="$lt_ac_sed_list $as_dir/$lt_ac_prog$ac_exec_ext"
-      fi
-    done
-  done
-done
-IFS=$as_save_IFS
-lt_ac_max=0
-lt_ac_count=0
-# Add /usr/xpg4/bin/sed as it is typically found on Solaris
-# along with /bin/sed that truncates output.
-for lt_ac_sed in $lt_ac_sed_list /usr/xpg4/bin/sed; do
-  test ! -f $lt_ac_sed && continue
-  cat /dev/null > conftest.in
-  lt_ac_count=0
-  echo $ECHO_N "0123456789$ECHO_C" >conftest.in
-  # Check for GNU sed and select it if it is found.
-  if "$lt_ac_sed" --version 2>&1 < /dev/null | grep 'GNU' > /dev/null; then
-    lt_cv_path_SED=$lt_ac_sed
-    break
-  fi
-  while true; do
-    cat conftest.in conftest.in >conftest.tmp
-    mv conftest.tmp conftest.in
-    cp conftest.in conftest.nl
-    echo >>conftest.nl
-    $lt_ac_sed -e 's/a$//' < conftest.nl >conftest.out || break
-    cmp -s conftest.out conftest.nl || break
-    # 10000 chars as input seems more than enough
-    test $lt_ac_count -gt 10 && break
-    lt_ac_count=`expr $lt_ac_count + 1`
-    if test $lt_ac_count -gt $lt_ac_max; then
-      lt_ac_max=$lt_ac_count
-      lt_cv_path_SED=$lt_ac_sed
+  for ac_prog in sed gsed; do
+  for ac_exec_ext in '' $ac_executable_extensions; do
+    ac_path_SED="$as_dir/$ac_prog$ac_exec_ext"
+    { test -f "$ac_path_SED" && $as_test_x "$ac_path_SED"; } || continue
+    # Check for GNU ac_path_SED and select it if it is found.
+  # Check for GNU $ac_path_SED
+case `"$ac_path_SED" --version 2>&1` in
+*GNU*)
+  ac_cv_path_SED="$ac_path_SED" ac_path_SED_found=:;;
+*)
+  ac_count=0
+  echo $ECHO_N "0123456789$ECHO_C" >"conftest.in"
+  while :
+  do
+    cat "conftest.in" "conftest.in" >"conftest.tmp"
+    mv "conftest.tmp" "conftest.in"
+    cp "conftest.in" "conftest.nl"
+    echo '' >> "conftest.nl"
+    "$ac_path_SED" -f conftest.sed < "conftest.nl" >"conftest.out" 2>/dev/null || break
+    diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break
+    ac_count=`expr $ac_count + 1`
+    if test $ac_count -gt ${ac_path_SED_max-0}; then
+      # Best one so far, save it but keep looking for a better one
+      ac_cv_path_SED="$ac_path_SED"
+      ac_path_SED_max=$ac_count
     fi
+    # 10*(2^10) chars as input seems more than enough
+    test $ac_count -gt 10 && break
   done
-done
+  rm -f conftest.in conftest.tmp conftest.nl conftest.out;;
+esac
 
-fi
 
-SED=$lt_cv_path_SED
+    $ac_path_SED_found && break 3
+  done
+done
 
-{ echo "$as_me:$LINENO: result: $SED" >&5
-echo "${ECHO_T}$SED" >&6; }
+done
+IFS=$as_save_IFS
 
 
-# Check whether --with-gnu-ld was given.
-if test "${with_gnu_ld+set}" = set; then
-  withval=$with_gnu_ld; test "$withval" = no || with_gnu_ld=yes
-else
-  with_gnu_ld=no
 fi
 
-ac_prog=ld
-if test "$GCC" = yes; then
-  # Check if gcc -print-prog-name=ld gives a path.
-  { echo "$as_me:$LINENO: checking for ld used by $CC" >&5
-echo $ECHO_N "checking for ld used by $CC... $ECHO_C" >&6; }
-  case $host in
-  *-*-mingw*)
-    # gcc leaves a trailing carriage return which upsets mingw
-    ac_prog=`($CC -print-prog-name=ld) 2>&5 | tr -d '\015'` ;;
-  *)
-    ac_prog=`($CC -print-prog-name=ld) 2>&5` ;;
-  esac
-  case $ac_prog in
-    # Accept absolute paths.
-    [\\/]* | ?:[\\/]*)
-      re_direlt='/[^/][^/]*/\.\./'
-      # Canonicalize the pathname of ld
-      ac_prog=`echo $ac_prog| $SED 's%\\\\%/%g'`
-      while echo $ac_prog | grep "$re_direlt" > /dev/null 2>&1; do
-	ac_prog=`echo $ac_prog| $SED "s%$re_direlt%/%"`
-      done
-      test -z "$LD" && LD="$ac_prog"
-      ;;
-  "")
-    # If it fails, then pretend we aren't using GCC.
-    ac_prog=ld
-    ;;
-  *)
-    # If it is relative, then search for the first ld in PATH.
-    with_gnu_ld=unknown
-    ;;
-  esac
-elif test "$with_gnu_ld" = yes; then
-  { echo "$as_me:$LINENO: checking for GNU ld" >&5
-echo $ECHO_N "checking for GNU ld... $ECHO_C" >&6; }
-else
-  { echo "$as_me:$LINENO: checking for non-GNU ld" >&5
-echo $ECHO_N "checking for non-GNU ld... $ECHO_C" >&6; }
+SED="$ac_cv_path_SED"
+if test -z "$SED"; then
+  { { echo "$as_me:$LINENO: error: no acceptable $ac_prog_name could be found in \$PATH" >&5
+echo "$as_me: error: no acceptable $ac_prog_name could be found in \$PATH" >&2;}
+   { (exit 1); exit 1; }; }
 fi
-if test "${lt_cv_path_LD+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  if test -z "$LD"; then
-  lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR
-  for ac_dir in $PATH; do
-    IFS="$lt_save_ifs"
-    test -z "$ac_dir" && ac_dir=.
-    if test -f "$ac_dir/$ac_prog" || test -f "$ac_dir/$ac_prog$ac_exeext"; then
-      lt_cv_path_LD="$ac_dir/$ac_prog"
-      # Check to see if the program is GNU ld.  I'd rather use --version,
-      # but apparently some variants of GNU ld only accept -v.
-      # Break only if it was the GNU/non-GNU ld that we prefer.
-      case `"$lt_cv_path_LD" -v 2>&1 </dev/null` in
-      *GNU* | *'with BFD'*)
-	test "$with_gnu_ld" != no && break
-	;;
-      *)
-	test "$with_gnu_ld" != yes && break
-	;;
-      esac
-    fi
-  done
-  IFS="$lt_save_ifs"
+
 else
-  lt_cv_path_LD="$LD" # Let the user override the test with a path.
-fi
+  ac_cv_path_SED=$SED
 fi
 
-LD="$lt_cv_path_LD"
-if test -n "$LD"; then
-  { echo "$as_me:$LINENO: result: $LD" >&5
-echo "${ECHO_T}$LD" >&6; }
-else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
 fi
-test -z "$LD" && { { echo "$as_me:$LINENO: error: no acceptable ld found in \$PATH" >&5
-echo "$as_me: error: no acceptable ld found in \$PATH" >&2;}
-   { (exit 1); exit 1; }; }
+{ echo "$as_me:$LINENO: result: $ac_cv_path_SED" >&5
+echo "${ECHO_T}$ac_cv_path_SED" >&6; }
+ SED="$ac_cv_path_SED"
+  rm -f conftest.sed
+
+test -z "$SED" && SED=sed
+Xsed="$SED -e 1s/^X//"
+
+
+
+
+
+
+
+
+
+
+
+{ echo "$as_me:$LINENO: checking for fgrep" >&5
+echo $ECHO_N "checking for fgrep... $ECHO_C" >&6; }
+if test "${ac_cv_path_FGREP+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  if echo 'ab*c' | $GREP -F 'ab*c' >/dev/null 2>&1
+   then ac_cv_path_FGREP="$GREP -F"
+   else
+     # Extract the first word of "fgrep" to use in msg output
+if test -z "$FGREP"; then
+set dummy fgrep; ac_prog_name=$2
+if test "${ac_cv_path_FGREP+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_path_FGREP_found=false
+# Loop through the user's path and test for each of PROGNAME-LIST
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH$PATH_SEPARATOR/usr/xpg4/bin
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+  for ac_prog in fgrep; do
+  for ac_exec_ext in '' $ac_executable_extensions; do
+    ac_path_FGREP="$as_dir/$ac_prog$ac_exec_ext"
+    { test -f "$ac_path_FGREP" && $as_test_x "$ac_path_FGREP"; } || continue
+    # Check for GNU ac_path_FGREP and select it if it is found.
+  # Check for GNU $ac_path_FGREP
+case `"$ac_path_FGREP" --version 2>&1` in
+*GNU*)
+  ac_cv_path_FGREP="$ac_path_FGREP" ac_path_FGREP_found=:;;
+*)
+  ac_count=0
+  echo $ECHO_N "0123456789$ECHO_C" >"conftest.in"
+  while :
+  do
+    cat "conftest.in" "conftest.in" >"conftest.tmp"
+    mv "conftest.tmp" "conftest.in"
+    cp "conftest.in" "conftest.nl"
+    echo 'FGREP' >> "conftest.nl"
+    "$ac_path_FGREP" FGREP < "conftest.nl" >"conftest.out" 2>/dev/null || break
+    diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break
+    ac_count=`expr $ac_count + 1`
+    if test $ac_count -gt ${ac_path_FGREP_max-0}; then
+      # Best one so far, save it but keep looking for a better one
+      ac_cv_path_FGREP="$ac_path_FGREP"
+      ac_path_FGREP_max=$ac_count
+    fi
+    # 10*(2^10) chars as input seems more than enough
+    test $ac_count -gt 10 && break
+  done
+  rm -f conftest.in conftest.tmp conftest.nl conftest.out;;
+esac
+
+
+    $ac_path_FGREP_found && break 3
+  done
+done
+
+done
+IFS=$as_save_IFS
+
+
+fi
+
+FGREP="$ac_cv_path_FGREP"
+if test -z "$FGREP"; then
+  { { echo "$as_me:$LINENO: error: no acceptable $ac_prog_name could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" >&5
+echo "$as_me: error: no acceptable $ac_prog_name could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" >&2;}
+   { (exit 1); exit 1; }; }
+fi
+
+else
+  ac_cv_path_FGREP=$FGREP
+fi
+
+
+   fi
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_path_FGREP" >&5
+echo "${ECHO_T}$ac_cv_path_FGREP" >&6; }
+ FGREP="$ac_cv_path_FGREP"
+
+
+test -z "$GREP" && GREP=grep
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+# Check whether --with-gnu-ld was given.
+if test "${with_gnu_ld+set}" = set; then
+  withval=$with_gnu_ld; test "$withval" = no || with_gnu_ld=yes
+else
+  with_gnu_ld=no
+fi
+
+ac_prog=ld
+if test "$GCC" = yes; then
+  # Check if gcc -print-prog-name=ld gives a path.
+  { echo "$as_me:$LINENO: checking for ld used by $CC" >&5
+echo $ECHO_N "checking for ld used by $CC... $ECHO_C" >&6; }
+  case $host in
+  *-*-mingw*)
+    # gcc leaves a trailing carriage return which upsets mingw
+    ac_prog=`($CC -print-prog-name=ld) 2>&5 | tr -d '\015'` ;;
+  *)
+    ac_prog=`($CC -print-prog-name=ld) 2>&5` ;;
+  esac
+  case $ac_prog in
+    # Accept absolute paths.
+    [\\/]* | ?:[\\/]*)
+      re_direlt='/[^/][^/]*/\.\./'
+      # Canonicalize the pathname of ld
+      ac_prog=`$ECHO "$ac_prog"| $SED 's%\\\\%/%g'`
+      while $ECHO "$ac_prog" | $GREP "$re_direlt" > /dev/null 2>&1; do
+	ac_prog=`$ECHO $ac_prog| $SED "s%$re_direlt%/%"`
+      done
+      test -z "$LD" && LD="$ac_prog"
+      ;;
+  "")
+    # If it fails, then pretend we aren't using GCC.
+    ac_prog=ld
+    ;;
+  *)
+    # If it is relative, then search for the first ld in PATH.
+    with_gnu_ld=unknown
+    ;;
+  esac
+elif test "$with_gnu_ld" = yes; then
+  { echo "$as_me:$LINENO: checking for GNU ld" >&5
+echo $ECHO_N "checking for GNU ld... $ECHO_C" >&6; }
+else
+  { echo "$as_me:$LINENO: checking for non-GNU ld" >&5
+echo $ECHO_N "checking for non-GNU ld... $ECHO_C" >&6; }
+fi
+if test "${lt_cv_path_LD+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  if test -z "$LD"; then
+  lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR
+  for ac_dir in $PATH; do
+    IFS="$lt_save_ifs"
+    test -z "$ac_dir" && ac_dir=.
+    if test -f "$ac_dir/$ac_prog" || test -f "$ac_dir/$ac_prog$ac_exeext"; then
+      lt_cv_path_LD="$ac_dir/$ac_prog"
+      # Check to see if the program is GNU ld.  I'd rather use --version,
+      # but apparently some variants of GNU ld only accept -v.
+      # Break only if it was the GNU/non-GNU ld that we prefer.
+      case `"$lt_cv_path_LD" -v 2>&1 </dev/null` in
+      *GNU* | *'with BFD'*)
+	test "$with_gnu_ld" != no && break
+	;;
+      *)
+	test "$with_gnu_ld" != yes && break
+	;;
+      esac
+    fi
+  done
+  IFS="$lt_save_ifs"
+else
+  lt_cv_path_LD="$LD" # Let the user override the test with a path.
+fi
+fi
+
+LD="$lt_cv_path_LD"
+if test -n "$LD"; then
+  { echo "$as_me:$LINENO: result: $LD" >&5
+echo "${ECHO_T}$LD" >&6; }
+else
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
+test -z "$LD" && { { echo "$as_me:$LINENO: error: no acceptable ld found in \$PATH" >&5
+echo "$as_me: error: no acceptable ld found in \$PATH" >&2;}
+   { (exit 1); exit 1; }; }
 { echo "$as_me:$LINENO: checking if the linker ($LD) is GNU ld" >&5
 echo $ECHO_N "checking if the linker ($LD) is GNU ld... $ECHO_C" >&6; }
 if test "${lt_cv_prog_gnu_ld+set}" = set; then
@@ -6094,33 +6211,15 @@ echo "${ECHO_T}$lt_cv_prog_gnu_ld" >&6; }
 with_gnu_ld=$lt_cv_prog_gnu_ld
 
 
-{ echo "$as_me:$LINENO: checking for $LD option to reload object files" >&5
-echo $ECHO_N "checking for $LD option to reload object files... $ECHO_C" >&6; }
-if test "${lt_cv_ld_reload_flag+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  lt_cv_ld_reload_flag='-r'
-fi
-{ echo "$as_me:$LINENO: result: $lt_cv_ld_reload_flag" >&5
-echo "${ECHO_T}$lt_cv_ld_reload_flag" >&6; }
-reload_flag=$lt_cv_ld_reload_flag
-case $reload_flag in
-"" | " "*) ;;
-*) reload_flag=" $reload_flag" ;;
-esac
-reload_cmds='$LD$reload_flag -o $output$reload_objs'
-case $host_os in
-  darwin*)
-    if test "$GCC" = yes; then
-      reload_cmds='$LTCC $LTCFLAGS -nostdlib ${wl}-r -o $output$reload_objs'
-    else
-      reload_cmds='$LD$reload_flag -o $output$reload_objs'
-    fi
-    ;;
-esac
 
-{ echo "$as_me:$LINENO: checking for BSD-compatible nm" >&5
-echo $ECHO_N "checking for BSD-compatible nm... $ECHO_C" >&6; }
+
+
+
+
+
+
+{ echo "$as_me:$LINENO: checking for BSD- or MS-compatible name lister (nm)" >&5
+echo $ECHO_N "checking for BSD- or MS-compatible name lister (nm)... $ECHO_C" >&6; }
 if test "${lt_cv_path_NM+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -6165,687 +6264,678 @@ else
     done
     IFS="$lt_save_ifs"
   done
-  test -z "$lt_cv_path_NM" && lt_cv_path_NM=nm
+  : ${lt_cv_path_NM=no}
 fi
 fi
 { echo "$as_me:$LINENO: result: $lt_cv_path_NM" >&5
 echo "${ECHO_T}$lt_cv_path_NM" >&6; }
-NM="$lt_cv_path_NM"
+if test "$lt_cv_path_NM" != "no"; then
+  NM="$lt_cv_path_NM"
+else
+  # Didn't find any BSD compatible name lister, look for dumpbin.
+  if test -n "$ac_tool_prefix"; then
+  for ac_prog in "dumpbin -symbols" "link -dump -symbols"
+  do
+    # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args.
+set dummy $ac_tool_prefix$ac_prog; ac_word=$2
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+if test "${ac_cv_prog_DUMPBIN+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  if test -n "$DUMPBIN"; then
+  ac_cv_prog_DUMPBIN="$DUMPBIN" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+  for ac_exec_ext in '' $ac_executable_extensions; do
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+    ac_cv_prog_DUMPBIN="$ac_tool_prefix$ac_prog"
+    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+done
+IFS=$as_save_IFS
 
-{ echo "$as_me:$LINENO: checking whether ln -s works" >&5
-echo $ECHO_N "checking whether ln -s works... $ECHO_C" >&6; }
-LN_S=$as_ln_s
-if test "$LN_S" = "ln -s"; then
-  { echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6; }
+fi
+fi
+DUMPBIN=$ac_cv_prog_DUMPBIN
+if test -n "$DUMPBIN"; then
+  { echo "$as_me:$LINENO: result: $DUMPBIN" >&5
+echo "${ECHO_T}$DUMPBIN" >&6; }
 else
-  { echo "$as_me:$LINENO: result: no, using $LN_S" >&5
-echo "${ECHO_T}no, using $LN_S" >&6; }
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 fi
 
-{ echo "$as_me:$LINENO: checking how to recognize dependent libraries" >&5
-echo $ECHO_N "checking how to recognize dependent libraries... $ECHO_C" >&6; }
-if test "${lt_cv_deplibs_check_method+set}" = set; then
+
+    test -n "$DUMPBIN" && break
+  done
+fi
+if test -z "$DUMPBIN"; then
+  ac_ct_DUMPBIN=$DUMPBIN
+  for ac_prog in "dumpbin -symbols" "link -dump -symbols"
+do
+  # Extract the first word of "$ac_prog", so it can be a program name with args.
+set dummy $ac_prog; ac_word=$2
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+if test "${ac_cv_prog_ac_ct_DUMPBIN+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  lt_cv_file_magic_cmd='$MAGIC_CMD'
-lt_cv_file_magic_test_file=
-lt_cv_deplibs_check_method='unknown'
-# Need to set the preceding variable on all platforms that support
-# interlibrary dependencies.
-# 'none' -- dependencies not supported.
-# `unknown' -- same as none, but documents that we really don't know.
-# 'pass_all' -- all dependencies passed with no checks.
-# 'test_compile' -- check by making test program.
-# 'file_magic [[regex]]' -- check by looking for files in library path
-# which responds to the $file_magic_cmd with a given extended regex.
-# If you have `file' or equivalent on your system and you're not sure
-# whether `pass_all' will *always* work, you probably want this one.
-
-case $host_os in
-aix[4-9]*)
-  lt_cv_deplibs_check_method=pass_all
-  ;;
+  if test -n "$ac_ct_DUMPBIN"; then
+  ac_cv_prog_ac_ct_DUMPBIN="$ac_ct_DUMPBIN" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+  for ac_exec_ext in '' $ac_executable_extensions; do
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+    ac_cv_prog_ac_ct_DUMPBIN="$ac_prog"
+    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+done
+IFS=$as_save_IFS
 
-beos*)
-  lt_cv_deplibs_check_method=pass_all
-  ;;
+fi
+fi
+ac_ct_DUMPBIN=$ac_cv_prog_ac_ct_DUMPBIN
+if test -n "$ac_ct_DUMPBIN"; then
+  { echo "$as_me:$LINENO: result: $ac_ct_DUMPBIN" >&5
+echo "${ECHO_T}$ac_ct_DUMPBIN" >&6; }
+else
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
 
-bsdi[45]*)
-  lt_cv_deplibs_check_method='file_magic ELF [0-9][0-9]*-bit [ML]SB (shared object|dynamic lib)'
-  lt_cv_file_magic_cmd='/usr/bin/file -L'
-  lt_cv_file_magic_test_file=/shlib/libc.so
-  ;;
 
-cygwin*)
-  # func_win32_libid is a shell function defined in ltmain.sh
-  lt_cv_deplibs_check_method='file_magic ^x86 archive import|^x86 DLL'
-  lt_cv_file_magic_cmd='func_win32_libid'
-  ;;
+  test -n "$ac_ct_DUMPBIN" && break
+done
 
-mingw* | pw32*)
-  # Base MSYS/MinGW do not provide the 'file' command needed by
-  # func_win32_libid shell function, so use a weaker test based on 'objdump',
-  # unless we find 'file', for example because we are cross-compiling.
-  if ( file / ) >/dev/null 2>&1; then
-    lt_cv_deplibs_check_method='file_magic ^x86 archive import|^x86 DLL'
-    lt_cv_file_magic_cmd='func_win32_libid'
+  if test "x$ac_ct_DUMPBIN" = x; then
+    DUMPBIN=":"
   else
-    lt_cv_deplibs_check_method='file_magic file format pei*-i386(.*architecture: i386)?'
-    lt_cv_file_magic_cmd='$OBJDUMP -f'
+    case $cross_compiling:$ac_tool_warned in
+yes:)
+{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
+whose name does not start with the host triplet.  If you think this
+configuration is useful to you, please write to autoconf@gnu.org." >&5
+echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
+whose name does not start with the host triplet.  If you think this
+configuration is useful to you, please write to autoconf@gnu.org." >&2;}
+ac_tool_warned=yes ;;
+esac
+    DUMPBIN=$ac_ct_DUMPBIN
   fi
-  ;;
+fi
 
-darwin* | rhapsody*)
-  lt_cv_deplibs_check_method=pass_all
-  ;;
 
-freebsd* | dragonfly*)
-  if echo __ELF__ | $CC -E - | grep __ELF__ > /dev/null; then
-    case $host_cpu in
-    i*86 )
-      # Not sure whether the presence of OpenBSD here was a mistake.
-      # Let's accept both of them until this is cleared up.
-      lt_cv_deplibs_check_method='file_magic (FreeBSD|OpenBSD|DragonFly)/i[3-9]86 (compact )?demand paged shared library'
-      lt_cv_file_magic_cmd=/usr/bin/file
-      lt_cv_file_magic_test_file=`echo /usr/lib/libc.so.*`
-      ;;
-    esac
-  else
-    lt_cv_deplibs_check_method=pass_all
+  if test "$DUMPBIN" != ":"; then
+    NM="$DUMPBIN"
   fi
-  ;;
+fi
+test -z "$NM" && NM=nm
 
-gnu*)
-  lt_cv_deplibs_check_method=pass_all
-  ;;
 
-hpux10.20* | hpux11*)
-  lt_cv_file_magic_cmd=/usr/bin/file
-  case $host_cpu in
-  ia64*)
-    lt_cv_deplibs_check_method='file_magic (s[0-9][0-9][0-9]|ELF-[0-9][0-9]) shared object file - IA64'
-    lt_cv_file_magic_test_file=/usr/lib/hpux32/libc.so
-    ;;
-  hppa*64*)
-    lt_cv_deplibs_check_method='file_magic (s[0-9][0-9][0-9]|ELF-[0-9][0-9]) shared object file - PA-RISC [0-9].[0-9]'
-    lt_cv_file_magic_test_file=/usr/lib/pa20_64/libc.sl
-    ;;
-  *)
-    lt_cv_deplibs_check_method='file_magic (s[0-9][0-9][0-9]|PA-RISC[0-9].[0-9]) shared library'
-    lt_cv_file_magic_test_file=/usr/lib/libc.sl
-    ;;
-  esac
-  ;;
 
-interix[3-9]*)
-  # PIC code is broken on Interix 3.x, that's why |\.a not |_pic\.a here
-  lt_cv_deplibs_check_method='match_pattern /lib[^/]+(\.so|\.a)$'
-  ;;
 
-irix5* | irix6* | nonstopux*)
-  case $LD in
-  *-32|*"-32 ") libmagic=32-bit;;
-  *-n32|*"-n32 ") libmagic=N32;;
-  *-64|*"-64 ") libmagic=64-bit;;
-  *) libmagic=never-match;;
-  esac
-  lt_cv_deplibs_check_method=pass_all
-  ;;
 
-# This must be Linux ELF.
-linux* | k*bsd*-gnu)
-  lt_cv_deplibs_check_method=pass_all
-  ;;
 
-netbsd* | netbsdelf*-gnu)
-  if echo __ELF__ | $CC -E - | grep __ELF__ > /dev/null; then
-    lt_cv_deplibs_check_method='match_pattern /lib[^/]+(\.so\.[0-9]+\.[0-9]+|_pic\.a)$'
-  else
-    lt_cv_deplibs_check_method='match_pattern /lib[^/]+(\.so|_pic\.a)$'
+{ echo "$as_me:$LINENO: checking the name lister ($NM) interface" >&5
+echo $ECHO_N "checking the name lister ($NM) interface... $ECHO_C" >&6; }
+if test "${lt_cv_nm_interface+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  lt_cv_nm_interface="BSD nm"
+  echo "int some_variable = 0;" > conftest.$ac_ext
+  (eval echo "\"\$as_me:6399: $ac_compile\"" >&5)
+  (eval "$ac_compile" 2>conftest.err)
+  cat conftest.err >&5
+  (eval echo "\"\$as_me:6402: $NM \\\"conftest.$ac_objext\\\"\"" >&5)
+  (eval "$NM \"conftest.$ac_objext\"" 2>conftest.err > conftest.out)
+  cat conftest.err >&5
+  (eval echo "\"\$as_me:6405: output\"" >&5)
+  cat conftest.out >&5
+  if $GREP 'External.*some_variable' conftest.out > /dev/null; then
+    lt_cv_nm_interface="MS dumpbin"
   fi
-  ;;
-
-newos6*)
-  lt_cv_deplibs_check_method='file_magic ELF [0-9][0-9]*-bit [ML]SB (executable|dynamic lib)'
-  lt_cv_file_magic_cmd=/usr/bin/file
-  lt_cv_file_magic_test_file=/usr/lib/libnls.so
-  ;;
+  rm -f conftest*
+fi
+{ echo "$as_me:$LINENO: result: $lt_cv_nm_interface" >&5
+echo "${ECHO_T}$lt_cv_nm_interface" >&6; }
 
-nto-qnx*)
-  lt_cv_deplibs_check_method=unknown
-  ;;
+{ echo "$as_me:$LINENO: checking whether ln -s works" >&5
+echo $ECHO_N "checking whether ln -s works... $ECHO_C" >&6; }
+LN_S=$as_ln_s
+if test "$LN_S" = "ln -s"; then
+  { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
+else
+  { echo "$as_me:$LINENO: result: no, using $LN_S" >&5
+echo "${ECHO_T}no, using $LN_S" >&6; }
+fi
 
-openbsd*)
-  if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
-    lt_cv_deplibs_check_method='match_pattern /lib[^/]+(\.so\.[0-9]+\.[0-9]+|\.so|_pic\.a)$'
-  else
-    lt_cv_deplibs_check_method='match_pattern /lib[^/]+(\.so\.[0-9]+\.[0-9]+|_pic\.a)$'
-  fi
-  ;;
+# find the maximum length of command line arguments
+{ echo "$as_me:$LINENO: checking the maximum length of command line arguments" >&5
+echo $ECHO_N "checking the maximum length of command line arguments... $ECHO_C" >&6; }
+if test "${lt_cv_sys_max_cmd_len+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+    i=0
+  teststring="ABCD"
 
-osf3* | osf4* | osf5*)
-  lt_cv_deplibs_check_method=pass_all
-  ;;
+  case $build_os in
+  msdosdjgpp*)
+    # On DJGPP, this test can blow up pretty badly due to problems in libc
+    # (any single argument exceeding 2000 bytes causes a buffer overrun
+    # during glob expansion).  Even if it were fixed, the result of this
+    # check would be larger than it should be.
+    lt_cv_sys_max_cmd_len=12288;    # 12K is about right
+    ;;
 
-rdos*)
-  lt_cv_deplibs_check_method=pass_all
-  ;;
+  gnu*)
+    # Under GNU Hurd, this test is not required because there is
+    # no limit to the length of command line arguments.
+    # Libtool will interpret -1 as no limit whatsoever
+    lt_cv_sys_max_cmd_len=-1;
+    ;;
 
-solaris*)
-  lt_cv_deplibs_check_method=pass_all
-  ;;
+  cygwin* | mingw*)
+    # On Win9x/ME, this test blows up -- it succeeds, but takes
+    # about 5 minutes as the teststring grows exponentially.
+    # Worse, since 9x/ME are not pre-emptively multitasking,
+    # you end up with a "frozen" computer, even though with patience
+    # the test eventually succeeds (with a max line length of 256k).
+    # Instead, let's just punt: use the minimum linelength reported by
+    # all of the supported platforms: 8192 (on NT/2K/XP).
+    lt_cv_sys_max_cmd_len=8192;
+    ;;
 
-sysv4 | sysv4.3*)
-  case $host_vendor in
-  motorola)
-    lt_cv_deplibs_check_method='file_magic ELF [0-9][0-9]*-bit [ML]SB (shared object|dynamic lib) M[0-9][0-9]* Version [0-9]'
-    lt_cv_file_magic_test_file=`echo /usr/lib/libc.so*`
+  amigaos*)
+    # On AmigaOS with pdksh, this test takes hours, literally.
+    # So we just punt and use a minimum line length of 8192.
+    lt_cv_sys_max_cmd_len=8192;
     ;;
-  ncr)
-    lt_cv_deplibs_check_method=pass_all
+
+  netbsd* | freebsd* | openbsd* | darwin* | dragonfly*)
+    # This has been around since 386BSD, at least.  Likely further.
+    if test -x /sbin/sysctl; then
+      lt_cv_sys_max_cmd_len=`/sbin/sysctl -n kern.argmax`
+    elif test -x /usr/sbin/sysctl; then
+      lt_cv_sys_max_cmd_len=`/usr/sbin/sysctl -n kern.argmax`
+    else
+      lt_cv_sys_max_cmd_len=65536	# usable default for all BSDs
+    fi
+    # And add a safety zone
+    lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 4`
+    lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \* 3`
     ;;
-  sequent)
-    lt_cv_file_magic_cmd='/bin/file'
-    lt_cv_deplibs_check_method='file_magic ELF [0-9][0-9]*-bit [LM]SB (shared object|dynamic lib )'
+
+  interix*)
+    # We know the value 262144 and hardcode it with a safety zone (like BSD)
+    lt_cv_sys_max_cmd_len=196608
     ;;
-  sni)
-    lt_cv_file_magic_cmd='/bin/file'
-    lt_cv_deplibs_check_method="file_magic ELF [0-9][0-9]*-bit [LM]SB dynamic lib"
-    lt_cv_file_magic_test_file=/lib/libc.so
+
+  osf*)
+    # Dr. Hans Ekkehard Plesser reports seeing a kernel panic running configure
+    # due to this test when exec_disable_arg_limit is 1 on Tru64. It is not
+    # nice to cause kernel panics so lets avoid the loop below.
+    # First set a reasonable default.
+    lt_cv_sys_max_cmd_len=16384
+    #
+    if test -x /sbin/sysconfig; then
+      case `/sbin/sysconfig -q proc exec_disable_arg_limit` in
+        *1*) lt_cv_sys_max_cmd_len=-1 ;;
+      esac
+    fi
     ;;
-  siemens)
-    lt_cv_deplibs_check_method=pass_all
+  sco3.2v5*)
+    lt_cv_sys_max_cmd_len=102400
     ;;
-  pc)
-    lt_cv_deplibs_check_method=pass_all
+  sysv5* | sco5v6* | sysv4.2uw2*)
+    kargmax=`grep ARG_MAX /etc/conf/cf.d/stune 2>/dev/null`
+    if test -n "$kargmax"; then
+      lt_cv_sys_max_cmd_len=`echo $kargmax | sed 's/.*[	 ]//'`
+    else
+      lt_cv_sys_max_cmd_len=32768
+    fi
     ;;
-  esac
-  ;;
-
-sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX* | sysv4*uw2*)
-  lt_cv_deplibs_check_method=pass_all
-  ;;
-esac
+  *)
+    lt_cv_sys_max_cmd_len=`(getconf ARG_MAX) 2> /dev/null`
+    if test -n "$lt_cv_sys_max_cmd_len"; then
+      lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 4`
+      lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \* 3`
+    else
+      # Make teststring a little bigger before we do anything with it.
+      # a 1K string should be a reasonable start.
+      for i in 1 2 3 4 5 6 7 8 ; do
+        teststring=$teststring$teststring
+      done
+      SHELL=${SHELL-${CONFIG_SHELL-/bin/sh}}
+      # If test is not a shell built-in, we'll probably end up computing a
+      # maximum length that is only half of the actual maximum length, but
+      # we can't tell.
+      while { test "X"`$SHELL $0 --fallback-echo "X$teststring$teststring" 2>/dev/null` \
+	         = "XX$teststring$teststring"; } >/dev/null 2>&1 &&
+	      test $i != 17 # 1/2 MB should be enough
+      do
+        i=`expr $i + 1`
+        teststring=$teststring$teststring
+      done
+      # Only check the string length outside the loop.
+      lt_cv_sys_max_cmd_len=`expr "X$teststring" : ".*" 2>&1`
+      teststring=
+      # Add a significant safety factor because C++ compilers can tack on
+      # massive amounts of additional arguments before passing them to the
+      # linker.  It appears as though 1/2 is a usable value.
+      lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 2`
+    fi
+    ;;
+  esac
 
 fi
-{ echo "$as_me:$LINENO: result: $lt_cv_deplibs_check_method" >&5
-echo "${ECHO_T}$lt_cv_deplibs_check_method" >&6; }
-file_magic_cmd=$lt_cv_file_magic_cmd
-deplibs_check_method=$lt_cv_deplibs_check_method
-test -z "$deplibs_check_method" && deplibs_check_method=unknown
+
+if test -n $lt_cv_sys_max_cmd_len ; then
+  { echo "$as_me:$LINENO: result: $lt_cv_sys_max_cmd_len" >&5
+echo "${ECHO_T}$lt_cv_sys_max_cmd_len" >&6; }
+else
+  { echo "$as_me:$LINENO: result: none" >&5
+echo "${ECHO_T}none" >&6; }
+fi
+max_cmd_len=$lt_cv_sys_max_cmd_len
 
 
 
 
-# If no C compiler was specified, use CC.
-LTCC=${LTCC-"$CC"}
 
-# If no C compiler flags were specified, use CFLAGS.
-LTCFLAGS=${LTCFLAGS-"$CFLAGS"}
 
-# Allow CC to be a program name with arguments.
-compiler=$CC
+: ${CP="cp -f"}
+: ${MV="mv -f"}
+: ${RM="rm -f"}
 
-# Check whether --enable-libtool-lock was given.
-if test "${enable_libtool_lock+set}" = set; then
-  enableval=$enable_libtool_lock;
+{ echo "$as_me:$LINENO: checking whether the shell understands some XSI constructs" >&5
+echo $ECHO_N "checking whether the shell understands some XSI constructs... $ECHO_C" >&6; }
+# Try some XSI features
+xsi_shell=no
+( _lt_dummy="a/b/c"
+  test "${_lt_dummy##*/},${_lt_dummy%/*},"${_lt_dummy%"$_lt_dummy"}, \
+      = c,a/b,, \
+    && eval 'test $(( 1 + 1 )) -eq 2 \
+    && test "${#_lt_dummy}" -eq 5' ) >/dev/null 2>&1 \
+  && xsi_shell=yes
+{ echo "$as_me:$LINENO: result: $xsi_shell" >&5
+echo "${ECHO_T}$xsi_shell" >&6; }
+
+
+{ echo "$as_me:$LINENO: checking whether the shell understands \"+=\"" >&5
+echo $ECHO_N "checking whether the shell understands \"+=\"... $ECHO_C" >&6; }
+lt_shell_append=no
+( foo=bar; set foo baz; eval "$1+=\$2" && test "$foo" = barbaz ) \
+    >/dev/null 2>&1 \
+  && lt_shell_append=yes
+{ echo "$as_me:$LINENO: result: $lt_shell_append" >&5
+echo "${ECHO_T}$lt_shell_append" >&6; }
+
+
+if ( (MAIL=60; unset MAIL) || exit) >/dev/null 2>&1; then
+  lt_unset=unset
+else
+  lt_unset=false
 fi
 
-test "x$enable_libtool_lock" != xno && enable_libtool_lock=yes
 
-# Some flags need to be propagated to the compiler or linker for good
-# libtool support.
-case $host in
-ia64-*-hpux*)
-  # Find out which ABI we are using.
-  echo 'int i;' > conftest.$ac_ext
-  if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; then
-    case `/usr/bin/file conftest.$ac_objext` in
-    *ELF-32*)
-      HPUX_IA64_MODE="32"
-      ;;
-    *ELF-64*)
-      HPUX_IA64_MODE="64"
-      ;;
-    esac
-  fi
-  rm -rf conftest*
+
+
+
+# test EBCDIC or ASCII
+case `echo X|tr X '\101'` in
+ A) # ASCII based system
+    # \n is not interpreted correctly by Solaris 8 /usr/ucb/tr
+  lt_SP2NL='tr \040 \012'
+  lt_NL2SP='tr \015\012 \040\040'
   ;;
-*-*-irix6*)
-  # Find out which ABI we are using.
-  echo '#line 6421 "configure"' > conftest.$ac_ext
-  if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; then
-   if test "$lt_cv_prog_gnu_ld" = yes; then
-    case `/usr/bin/file conftest.$ac_objext` in
-    *32-bit*)
-      LD="${LD-ld} -melf32bsmip"
-      ;;
-    *N32*)
-      LD="${LD-ld} -melf32bmipn32"
-      ;;
-    *64-bit*)
-      LD="${LD-ld} -melf64bmip"
-      ;;
-    esac
-   else
-    case `/usr/bin/file conftest.$ac_objext` in
-    *32-bit*)
-      LD="${LD-ld} -32"
-      ;;
-    *N32*)
-      LD="${LD-ld} -n32"
-      ;;
-    *64-bit*)
-      LD="${LD-ld} -64"
-      ;;
-    esac
-   fi
-  fi
-  rm -rf conftest*
+ *) # EBCDIC based system
+  lt_SP2NL='tr \100 \n'
+  lt_NL2SP='tr \r\n \100\100'
   ;;
+esac
+
 
-x86_64-*kfreebsd*-gnu|x86_64-*linux*|ppc*-*linux*|powerpc*-*linux*| \
-s390*-*linux*|sparc*-*linux*)
-  # Find out which ABI we are using.
-  echo 'int i;' > conftest.$ac_ext
-  if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; then
-    case `/usr/bin/file conftest.o` in
-    *32-bit*)
-      case $host in
-        x86_64-*kfreebsd*-gnu)
-          LD="${LD-ld} -m elf_i386_fbsd"
-          ;;
-        x86_64-*linux*)
-          LD="${LD-ld} -m elf_i386"
-          ;;
-        ppc64-*linux*|powerpc64-*linux*)
-          LD="${LD-ld} -m elf32ppclinux"
-          ;;
-        s390x-*linux*)
-          LD="${LD-ld} -m elf_s390"
-          ;;
-        sparc64-*linux*)
-          LD="${LD-ld} -m elf32_sparc"
-          ;;
-      esac
-      ;;
-    *64-bit*)
-      case $host in
-        x86_64-*kfreebsd*-gnu)
-          LD="${LD-ld} -m elf_x86_64_fbsd"
-          ;;
-        x86_64-*linux*)
-          LD="${LD-ld} -m elf_x86_64"
-          ;;
-        ppc*-*linux*|powerpc*-*linux*)
-          LD="${LD-ld} -m elf64ppc"
-          ;;
-        s390*-*linux*)
-          LD="${LD-ld} -m elf64_s390"
-          ;;
-        sparc*-*linux*)
-          LD="${LD-ld} -m elf64_sparc"
-          ;;
-      esac
-      ;;
-    esac
-  fi
-  rm -rf conftest*
-  ;;
 
-*-*-sco3.2v5*)
-  # On SCO OpenServer 5, we need -belf to get full-featured binaries.
-  SAVE_CFLAGS="$CFLAGS"
-  CFLAGS="$CFLAGS -belf"
-  { echo "$as_me:$LINENO: checking whether the C compiler needs -belf" >&5
-echo $ECHO_N "checking whether the C compiler needs -belf... $ECHO_C" >&6; }
-if test "${lt_cv_cc_needs_belf+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  ac_ext=c
-ac_cpp='$CPP $CPPFLAGS'
-ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
-ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
-ac_compiler_gnu=$ac_cv_c_compiler_gnu
 
-     cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 
-int
-main ()
-{
 
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
-  lt_cv_cc_needs_belf=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
 
-	lt_cv_cc_needs_belf=no
-fi
 
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
-     ac_ext=c
-ac_cpp='$CPP $CPPFLAGS'
-ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
-ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
-ac_compiler_gnu=$ac_cv_c_compiler_gnu
 
+{ echo "$as_me:$LINENO: checking for $LD option to reload object files" >&5
+echo $ECHO_N "checking for $LD option to reload object files... $ECHO_C" >&6; }
+if test "${lt_cv_ld_reload_flag+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  lt_cv_ld_reload_flag='-r'
 fi
-{ echo "$as_me:$LINENO: result: $lt_cv_cc_needs_belf" >&5
-echo "${ECHO_T}$lt_cv_cc_needs_belf" >&6; }
-  if test x"$lt_cv_cc_needs_belf" != x"yes"; then
-    # this is probably gcc 2.8.0, egcs 1.0 or newer; no need for -belf
-    CFLAGS="$SAVE_CFLAGS"
-  fi
-  ;;
-sparc*-*solaris*)
-  # Find out which ABI we are using.
-  echo 'int i;' > conftest.$ac_ext
-  if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; then
-    case `/usr/bin/file conftest.o` in
-    *64-bit*)
-      case $lt_cv_prog_gnu_ld in
-      yes*) LD="${LD-ld} -m elf64_sparc" ;;
-      *)
-        if ${LD-ld} -64 -r -o conftest2.o conftest.o >/dev/null 2>&1; then
-	  LD="${LD-ld} -64"
-	fi
-	;;
-      esac
-      ;;
-    esac
-  fi
-  rm -rf conftest*
-  ;;
+{ echo "$as_me:$LINENO: result: $lt_cv_ld_reload_flag" >&5
+echo "${ECHO_T}$lt_cv_ld_reload_flag" >&6; }
+reload_flag=$lt_cv_ld_reload_flag
+case $reload_flag in
+"" | " "*) ;;
+*) reload_flag=" $reload_flag" ;;
+esac
+reload_cmds='$LD$reload_flag -o $output$reload_objs'
+case $host_os in
+  darwin*)
+    if test "$GCC" = yes; then
+      reload_cmds='$LTCC $LTCFLAGS -nostdlib ${wl}-r -o $output$reload_objs'
+    else
+      reload_cmds='$LD$reload_flag -o $output$reload_objs'
+    fi
+    ;;
+esac
 
 
-esac
 
-need_locks="$enable_libtool_lock"
 
 
 
-for ac_header in dlfcn.h
-do
-as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
-if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
-  { echo "$as_me:$LINENO: checking for $ac_header" >&5
-echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
-if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+
+
+
+
+{ echo "$as_me:$LINENO: checking how to recognize dependent libraries" >&5
+echo $ECHO_N "checking how to recognize dependent libraries... $ECHO_C" >&6; }
+if test "${lt_cv_deplibs_check_method+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
-fi
-ac_res=`eval echo '${'$as_ac_Header'}'`
-	       { echo "$as_me:$LINENO: result: $ac_res" >&5
-echo "${ECHO_T}$ac_res" >&6; }
 else
-  # Is the header compilable?
-{ echo "$as_me:$LINENO: checking $ac_header usability" >&5
-echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6; }
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-$ac_includes_default
-#include <$ac_header>
-_ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  ac_header_compiler=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+  lt_cv_file_magic_cmd='$MAGIC_CMD'
+lt_cv_file_magic_test_file=
+lt_cv_deplibs_check_method='unknown'
+# Need to set the preceding variable on all platforms that support
+# interlibrary dependencies.
+# 'none' -- dependencies not supported.
+# `unknown' -- same as none, but documents that we really don't know.
+# 'pass_all' -- all dependencies passed with no checks.
+# 'test_compile' -- check by making test program.
+# 'file_magic [[regex]]' -- check by looking for files in library path
+# which responds to the $file_magic_cmd with a given extended regex.
+# If you have `file' or equivalent on your system and you're not sure
+# whether `pass_all' will *always* work, you probably want this one.
 
-	ac_header_compiler=no
-fi
+case $host_os in
+aix[4-9]*)
+  lt_cv_deplibs_check_method=pass_all
+  ;;
 
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
-echo "${ECHO_T}$ac_header_compiler" >&6; }
+beos*)
+  lt_cv_deplibs_check_method=pass_all
+  ;;
 
-# Is the header present?
-{ echo "$as_me:$LINENO: checking $ac_header presence" >&5
-echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6; }
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#include <$ac_header>
-_ACEOF
-if { (ac_try="$ac_cpp conftest.$ac_ext"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } >/dev/null && {
-	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       }; then
-  ac_header_preproc=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+bsdi[45]*)
+  lt_cv_deplibs_check_method='file_magic ELF [0-9][0-9]*-bit [ML]SB (shared object|dynamic lib)'
+  lt_cv_file_magic_cmd='/usr/bin/file -L'
+  lt_cv_file_magic_test_file=/shlib/libc.so
+  ;;
 
-  ac_header_preproc=no
-fi
+cygwin*)
+  # func_win32_libid is a shell function defined in ltmain.sh
+  lt_cv_deplibs_check_method='file_magic ^x86 archive import|^x86 DLL'
+  lt_cv_file_magic_cmd='func_win32_libid'
+  ;;
 
-rm -f conftest.err conftest.$ac_ext
-{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
-echo "${ECHO_T}$ac_header_preproc" >&6; }
+mingw* | pw32*)
+  # Base MSYS/MinGW do not provide the 'file' command needed by
+  # func_win32_libid shell function, so use a weaker test based on 'objdump',
+  # unless we find 'file', for example because we are cross-compiling.
+  if ( file / ) >/dev/null 2>&1; then
+    lt_cv_deplibs_check_method='file_magic ^x86 archive import|^x86 DLL'
+    lt_cv_file_magic_cmd='func_win32_libid'
+  else
+    lt_cv_deplibs_check_method='file_magic file format pei*-i386(.*architecture: i386)?'
+    lt_cv_file_magic_cmd='$OBJDUMP -f'
+  fi
+  ;;
 
-# So?  What about this header?
-case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
-  yes:no: )
-    { echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5
-echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;}
-    { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the compiler's result" >&5
-echo "$as_me: WARNING: $ac_header: proceeding with the compiler's result" >&2;}
-    ac_header_preproc=yes
-    ;;
-  no:yes:* )
-    { echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5
-echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;}
-    { echo "$as_me:$LINENO: WARNING: $ac_header:     check for missing prerequisite headers?" >&5
-echo "$as_me: WARNING: $ac_header:     check for missing prerequisite headers?" >&2;}
-    { echo "$as_me:$LINENO: WARNING: $ac_header: see the Autoconf documentation" >&5
-echo "$as_me: WARNING: $ac_header: see the Autoconf documentation" >&2;}
-    { echo "$as_me:$LINENO: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\"" >&5
-echo "$as_me: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\"" >&2;}
-    { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5
-echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;}
-    { echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5
-echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;}
+darwin* | rhapsody*)
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+
+freebsd* | dragonfly*)
+  if echo __ELF__ | $CC -E - | $GREP __ELF__ > /dev/null; then
+    case $host_cpu in
+    i*86 )
+      # Not sure whether the presence of OpenBSD here was a mistake.
+      # Let's accept both of them until this is cleared up.
+      lt_cv_deplibs_check_method='file_magic (FreeBSD|OpenBSD|DragonFly)/i[3-9]86 (compact )?demand paged shared library'
+      lt_cv_file_magic_cmd=/usr/bin/file
+      lt_cv_file_magic_test_file=`echo /usr/lib/libc.so.*`
+      ;;
+    esac
+  else
+    lt_cv_deplibs_check_method=pass_all
+  fi
+  ;;
+
+gnu*)
+  lt_cv_deplibs_check_method=pass_all
+  ;;
 
+hpux10.20* | hpux11*)
+  lt_cv_file_magic_cmd=/usr/bin/file
+  case $host_cpu in
+  ia64*)
+    lt_cv_deplibs_check_method='file_magic (s[0-9][0-9][0-9]|ELF-[0-9][0-9]) shared object file - IA64'
+    lt_cv_file_magic_test_file=/usr/lib/hpux32/libc.so
     ;;
-esac
-{ echo "$as_me:$LINENO: checking for $ac_header" >&5
-echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
-if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  eval "$as_ac_Header=\$ac_header_preproc"
-fi
-ac_res=`eval echo '${'$as_ac_Header'}'`
-	       { echo "$as_me:$LINENO: result: $ac_res" >&5
-echo "${ECHO_T}$ac_res" >&6; }
+  hppa*64*)
+    lt_cv_deplibs_check_method='file_magic (s[0-9][0-9][0-9]|ELF-[0-9][0-9]) shared object file - PA-RISC [0-9].[0-9]'
+    lt_cv_file_magic_test_file=/usr/lib/pa20_64/libc.sl
+    ;;
+  *)
+    lt_cv_deplibs_check_method='file_magic (s[0-9][0-9][0-9]|PA-RISC[0-9].[0-9]) shared library'
+    lt_cv_file_magic_test_file=/usr/lib/libc.sl
+    ;;
+  esac
+  ;;
 
-fi
-if test `eval echo '${'$as_ac_Header'}'` = yes; then
-  cat >>confdefs.h <<_ACEOF
-#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
-_ACEOF
+interix[3-9]*)
+  # PIC code is broken on Interix 3.x, that's why |\.a not |_pic\.a here
+  lt_cv_deplibs_check_method='match_pattern /lib[^/]+(\.so|\.a)$'
+  ;;
 
-fi
+irix5* | irix6* | nonstopux*)
+  case $LD in
+  *-32|*"-32 ") libmagic=32-bit;;
+  *-n32|*"-n32 ") libmagic=N32;;
+  *-64|*"-64 ") libmagic=64-bit;;
+  *) libmagic=never-match;;
+  esac
+  lt_cv_deplibs_check_method=pass_all
+  ;;
 
-done
+# This must be Linux ELF.
+linux* | k*bsd*-gnu)
+  lt_cv_deplibs_check_method=pass_all
+  ;;
 
-ac_ext=cpp
-ac_cpp='$CXXCPP $CPPFLAGS'
-ac_compile='$CXX -c $CXXFLAGS $CPPFLAGS conftest.$ac_ext >&5'
-ac_link='$CXX -o conftest$ac_exeext $CXXFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
-ac_compiler_gnu=$ac_cv_cxx_compiler_gnu
-if test -z "$CXX"; then
-  if test -n "$CCC"; then
-    CXX=$CCC
+netbsd* | netbsdelf*-gnu)
+  if echo __ELF__ | $CC -E - | $GREP __ELF__ > /dev/null; then
+    lt_cv_deplibs_check_method='match_pattern /lib[^/]+(\.so\.[0-9]+\.[0-9]+|_pic\.a)$'
   else
-    if test -n "$ac_tool_prefix"; then
-  for ac_prog in g++ c++ gpp aCC CC cxx cc++ cl.exe FCC KCC RCC xlC_r xlC
-  do
-    # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args.
-set dummy $ac_tool_prefix$ac_prog; ac_word=$2
-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
-if test "${ac_cv_prog_CXX+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  if test -n "$CXX"; then
-  ac_cv_prog_CXX="$CXX" # Let the user override the test.
-else
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-    ac_cv_prog_CXX="$ac_tool_prefix$ac_prog"
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
-    break 2
+    lt_cv_deplibs_check_method='match_pattern /lib[^/]+(\.so|_pic\.a)$'
   fi
-done
-done
-IFS=$as_save_IFS
+  ;;
 
-fi
-fi
-CXX=$ac_cv_prog_CXX
-if test -n "$CXX"; then
-  { echo "$as_me:$LINENO: result: $CXX" >&5
-echo "${ECHO_T}$CXX" >&6; }
-else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
-fi
+newos6*)
+  lt_cv_deplibs_check_method='file_magic ELF [0-9][0-9]*-bit [ML]SB (executable|dynamic lib)'
+  lt_cv_file_magic_cmd=/usr/bin/file
+  lt_cv_file_magic_test_file=/usr/lib/libnls.so
+  ;;
 
+*nto* | *qnx*)
+  lt_cv_deplibs_check_method=pass_all
+  ;;
 
-    test -n "$CXX" && break
-  done
-fi
-if test -z "$CXX"; then
-  ac_ct_CXX=$CXX
-  for ac_prog in g++ c++ gpp aCC CC cxx cc++ cl.exe FCC KCC RCC xlC_r xlC
-do
-  # Extract the first word of "$ac_prog", so it can be a program name with args.
-set dummy $ac_prog; ac_word=$2
-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
-if test "${ac_cv_prog_ac_ct_CXX+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  if test -n "$ac_ct_CXX"; then
-  ac_cv_prog_ac_ct_CXX="$ac_ct_CXX" # Let the user override the test.
-else
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-    ac_cv_prog_ac_ct_CXX="$ac_prog"
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
-    break 2
+openbsd*)
+  if test -z "`echo __ELF__ | $CC -E - | $GREP __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
+    lt_cv_deplibs_check_method='match_pattern /lib[^/]+(\.so\.[0-9]+\.[0-9]+|\.so|_pic\.a)$'
+  else
+    lt_cv_deplibs_check_method='match_pattern /lib[^/]+(\.so\.[0-9]+\.[0-9]+|_pic\.a)$'
   fi
-done
-done
-IFS=$as_save_IFS
-
-fi
-fi
-ac_ct_CXX=$ac_cv_prog_ac_ct_CXX
-if test -n "$ac_ct_CXX"; then
-  { echo "$as_me:$LINENO: result: $ac_ct_CXX" >&5
-echo "${ECHO_T}$ac_ct_CXX" >&6; }
-else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
-fi
+  ;;
 
+osf3* | osf4* | osf5*)
+  lt_cv_deplibs_check_method=pass_all
+  ;;
 
-  test -n "$ac_ct_CXX" && break
+rdos*)
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+
+solaris*)
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+
+sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX* | sysv4*uw2*)
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+
+sysv4 | sysv4.3*)
+  case $host_vendor in
+  motorola)
+    lt_cv_deplibs_check_method='file_magic ELF [0-9][0-9]*-bit [ML]SB (shared object|dynamic lib) M[0-9][0-9]* Version [0-9]'
+    lt_cv_file_magic_test_file=`echo /usr/lib/libc.so*`
+    ;;
+  ncr)
+    lt_cv_deplibs_check_method=pass_all
+    ;;
+  sequent)
+    lt_cv_file_magic_cmd='/bin/file'
+    lt_cv_deplibs_check_method='file_magic ELF [0-9][0-9]*-bit [LM]SB (shared object|dynamic lib )'
+    ;;
+  sni)
+    lt_cv_file_magic_cmd='/bin/file'
+    lt_cv_deplibs_check_method="file_magic ELF [0-9][0-9]*-bit [LM]SB dynamic lib"
+    lt_cv_file_magic_test_file=/lib/libc.so
+    ;;
+  siemens)
+    lt_cv_deplibs_check_method=pass_all
+    ;;
+  pc)
+    lt_cv_deplibs_check_method=pass_all
+    ;;
+  esac
+  ;;
+
+tpf*)
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+esac
+
+fi
+{ echo "$as_me:$LINENO: result: $lt_cv_deplibs_check_method" >&5
+echo "${ECHO_T}$lt_cv_deplibs_check_method" >&6; }
+file_magic_cmd=$lt_cv_file_magic_cmd
+deplibs_check_method=$lt_cv_deplibs_check_method
+test -z "$deplibs_check_method" && deplibs_check_method=unknown
+
+
+
+
+
+
+
+
+
+
+
+
+if test -n "$ac_tool_prefix"; then
+  # Extract the first word of "${ac_tool_prefix}ar", so it can be a program name with args.
+set dummy ${ac_tool_prefix}ar; ac_word=$2
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+if test "${ac_cv_prog_AR+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  if test -n "$AR"; then
+  ac_cv_prog_AR="$AR" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+  for ac_exec_ext in '' $ac_executable_extensions; do
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+    ac_cv_prog_AR="${ac_tool_prefix}ar"
+    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+done
+IFS=$as_save_IFS
+
+fi
+fi
+AR=$ac_cv_prog_AR
+if test -n "$AR"; then
+  { echo "$as_me:$LINENO: result: $AR" >&5
+echo "${ECHO_T}$AR" >&6; }
+else
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
+
+
+fi
+if test -z "$ac_cv_prog_AR"; then
+  ac_ct_AR=$AR
+  # Extract the first word of "ar", so it can be a program name with args.
+set dummy ar; ac_word=$2
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+if test "${ac_cv_prog_ac_ct_AR+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  if test -n "$ac_ct_AR"; then
+  ac_cv_prog_ac_ct_AR="$ac_ct_AR" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+  for ac_exec_ext in '' $ac_executable_extensions; do
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+    ac_cv_prog_ac_ct_AR="ar"
+    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
 done
+IFS=$as_save_IFS
+
+fi
+fi
+ac_ct_AR=$ac_cv_prog_ac_ct_AR
+if test -n "$ac_ct_AR"; then
+  { echo "$as_me:$LINENO: result: $ac_ct_AR" >&5
+echo "${ECHO_T}$ac_ct_AR" >&6; }
+else
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
 
-  if test "x$ac_ct_CXX" = x; then
-    CXX="g++"
+  if test "x$ac_ct_AR" = x; then
+    AR="false"
   else
     case $cross_compiling:$ac_tool_warned in
 yes:)
@@ -6857,628 +6947,147 @@ whose name does not start with the host triplet.  If you think this
 configuration is useful to you, please write to autoconf@gnu.org." >&2;}
 ac_tool_warned=yes ;;
 esac
-    CXX=$ac_ct_CXX
+    AR=$ac_ct_AR
   fi
+else
+  AR="$ac_cv_prog_AR"
 fi
 
-  fi
-fi
-# Provide some information about the compiler.
-echo "$as_me:$LINENO: checking for C++ compiler version" >&5
-ac_compiler=`set X $ac_compile; echo $2`
-{ (ac_try="$ac_compiler --version >&5"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_compiler --version >&5") 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }
-{ (ac_try="$ac_compiler -v >&5"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_compiler -v >&5") 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }
-{ (ac_try="$ac_compiler -V >&5"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_compiler -V >&5") 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }
+test -z "$AR" && AR=ar
+test -z "$AR_FLAGS" && AR_FLAGS=cru
 
-{ echo "$as_me:$LINENO: checking whether we are using the GNU C++ compiler" >&5
-echo $ECHO_N "checking whether we are using the GNU C++ compiler... $ECHO_C" >&6; }
-if test "${ac_cv_cxx_compiler_gnu+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 
-int
-main ()
-{
-#ifndef __GNUC__
-       choke me
-#endif
 
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_cxx_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  ac_compiler_gnu=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
 
-	ac_compiler_gnu=no
-fi
 
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-ac_cv_cxx_compiler_gnu=$ac_compiler_gnu
 
-fi
-{ echo "$as_me:$LINENO: result: $ac_cv_cxx_compiler_gnu" >&5
-echo "${ECHO_T}$ac_cv_cxx_compiler_gnu" >&6; }
-GXX=`test $ac_compiler_gnu = yes && echo yes`
-ac_test_CXXFLAGS=${CXXFLAGS+set}
-ac_save_CXXFLAGS=$CXXFLAGS
-{ echo "$as_me:$LINENO: checking whether $CXX accepts -g" >&5
-echo $ECHO_N "checking whether $CXX accepts -g... $ECHO_C" >&6; }
-if test "${ac_cv_prog_cxx_g+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  ac_save_cxx_werror_flag=$ac_cxx_werror_flag
-   ac_cxx_werror_flag=yes
-   ac_cv_prog_cxx_g=no
-   CXXFLAGS="-g"
-   cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 
-int
-main ()
-{
 
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_cxx_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  ac_cv_prog_cxx_g=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
 
-	CXXFLAGS=""
-      cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 
-int
-main ()
-{
 
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_cxx_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  :
+if test -n "$ac_tool_prefix"; then
+  # Extract the first word of "${ac_tool_prefix}strip", so it can be a program name with args.
+set dummy ${ac_tool_prefix}strip; ac_word=$2
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+if test "${ac_cv_prog_STRIP+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_cxx_werror_flag=$ac_save_cxx_werror_flag
-	 CXXFLAGS="-g"
-	 cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-int
-main ()
-{
-
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_cxx_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  ac_cv_prog_cxx_g=yes
+  if test -n "$STRIP"; then
+  ac_cv_prog_STRIP="$STRIP" # Let the user override the test.
 else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-
-fi
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+  for ac_exec_ext in '' $ac_executable_extensions; do
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+    ac_cv_prog_STRIP="${ac_tool_prefix}strip"
+    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+done
+IFS=$as_save_IFS
 
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
-
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
-
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-   ac_cxx_werror_flag=$ac_save_cxx_werror_flag
-fi
-{ echo "$as_me:$LINENO: result: $ac_cv_prog_cxx_g" >&5
-echo "${ECHO_T}$ac_cv_prog_cxx_g" >&6; }
-if test "$ac_test_CXXFLAGS" = set; then
-  CXXFLAGS=$ac_save_CXXFLAGS
-elif test $ac_cv_prog_cxx_g = yes; then
-  if test "$GXX" = yes; then
-    CXXFLAGS="-g -O2"
-  else
-    CXXFLAGS="-g"
-  fi
+STRIP=$ac_cv_prog_STRIP
+if test -n "$STRIP"; then
+  { echo "$as_me:$LINENO: result: $STRIP" >&5
+echo "${ECHO_T}$STRIP" >&6; }
 else
-  if test "$GXX" = yes; then
-    CXXFLAGS="-O2"
-  else
-    CXXFLAGS=
-  fi
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 fi
-ac_ext=cpp
-ac_cpp='$CXXCPP $CPPFLAGS'
-ac_compile='$CXX -c $CXXFLAGS $CPPFLAGS conftest.$ac_ext >&5'
-ac_link='$CXX -o conftest$ac_exeext $CXXFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
-ac_compiler_gnu=$ac_cv_cxx_compiler_gnu
 
-depcc="$CXX"  am_compiler_list=
 
-{ echo "$as_me:$LINENO: checking dependency style of $depcc" >&5
-echo $ECHO_N "checking dependency style of $depcc... $ECHO_C" >&6; }
-if test "${am_cv_CXX_dependencies_compiler_type+set}" = set; then
+fi
+if test -z "$ac_cv_prog_STRIP"; then
+  ac_ct_STRIP=$STRIP
+  # Extract the first word of "strip", so it can be a program name with args.
+set dummy strip; ac_word=$2
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+if test "${ac_cv_prog_ac_ct_STRIP+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  if test -z "$AMDEP_TRUE" && test -f "$am_depcomp"; then
-  # We make a subdir and do the tests there.  Otherwise we can end up
-  # making bogus files that we don't know about and never remove.  For
-  # instance it was reported that on HP-UX the gcc test will end up
-  # making a dummy file named `D' -- because `-MD' means `put the output
-  # in D'.
-  mkdir conftest.dir
-  # Copy depcomp to subdir because otherwise we won't find it if we're
-  # using a relative directory.
-  cp "$am_depcomp" conftest.dir
-  cd conftest.dir
-  # We will build objects and dependencies in a subdirectory because
-  # it helps to detect inapplicable dependency modes.  For instance
-  # both Tru64's cc and ICC support -MD to output dependencies as a
-  # side effect of compilation, but ICC will put the dependencies in
-  # the current directory while Tru64 will put them in the object
-  # directory.
-  mkdir sub
-
-  am_cv_CXX_dependencies_compiler_type=none
-  if test "$am_compiler_list" = ""; then
-     am_compiler_list=`sed -n 's/^#*\([a-zA-Z0-9]*\))$/\1/p' < ./depcomp`
+  if test -n "$ac_ct_STRIP"; then
+  ac_cv_prog_ac_ct_STRIP="$ac_ct_STRIP" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+  for ac_exec_ext in '' $ac_executable_extensions; do
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+    ac_cv_prog_ac_ct_STRIP="strip"
+    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
   fi
-  for depmode in $am_compiler_list; do
-    # Setup a source with many dependencies, because some compilers
-    # like to wrap large dependency lists on column 80 (with \), and
-    # we should not choose a depcomp mode which is confused by this.
-    #
-    # We need to recreate these files for each test, as the compiler may
-    # overwrite some of them when testing with obscure command lines.
-    # This happens at least with the AIX C compiler.
-    : > sub/conftest.c
-    for i in 1 2 3 4 5 6; do
-      echo '#include "conftst'$i'.h"' >> sub/conftest.c
-      # Using `: > sub/conftst$i.h' creates only sub/conftst1.h with
-      # Solaris 8's {/usr,}/bin/sh.
-      touch sub/conftst$i.h
-    done
-    echo "${am__include} ${am__quote}sub/conftest.Po${am__quote}" > confmf
-
-    case $depmode in
-    nosideeffect)
-      # after this tag, mechanisms are not by side-effect, so they'll
-      # only be used when explicitly requested
-      if test "x$enable_dependency_tracking" = xyes; then
-	continue
-      else
-	break
-      fi
-      ;;
-    none) break ;;
-    esac
-    # We check with `-c' and `-o' for the sake of the "dashmstdout"
-    # mode.  It turns out that the SunPro C++ compiler does not properly
-    # handle `-M -o', and we need to detect this.
-    if depmode=$depmode \
-       source=sub/conftest.c object=sub/conftest.${OBJEXT-o} \
-       depfile=sub/conftest.Po tmpdepfile=sub/conftest.TPo \
-       $SHELL ./depcomp $depcc -c -o sub/conftest.${OBJEXT-o} sub/conftest.c \
-         >/dev/null 2>conftest.err &&
-       grep sub/conftst1.h sub/conftest.Po > /dev/null 2>&1 &&
-       grep sub/conftst6.h sub/conftest.Po > /dev/null 2>&1 &&
-       grep sub/conftest.${OBJEXT-o} sub/conftest.Po > /dev/null 2>&1 &&
-       ${MAKE-make} -s -f confmf > /dev/null 2>&1; then
-      # icc doesn't choke on unknown options, it will just issue warnings
-      # or remarks (even with -Werror).  So we grep stderr for any message
-      # that says an option was ignored or not supported.
-      # When given -MP, icc 7.0 and 7.1 complain thusly:
-      #   icc: Command line warning: ignoring option '-M'; no argument required
-      # The diagnosis changed in icc 8.0:
-      #   icc: Command line remark: option '-MP' not supported
-      if (grep 'ignoring option' conftest.err ||
-          grep 'not supported' conftest.err) >/dev/null 2>&1; then :; else
-        am_cv_CXX_dependencies_compiler_type=$depmode
-        break
-      fi
-    fi
-  done
+done
+done
+IFS=$as_save_IFS
 
-  cd ..
-  rm -rf conftest.dir
-else
-  am_cv_CXX_dependencies_compiler_type=none
 fi
-
 fi
-{ echo "$as_me:$LINENO: result: $am_cv_CXX_dependencies_compiler_type" >&5
-echo "${ECHO_T}$am_cv_CXX_dependencies_compiler_type" >&6; }
-CXXDEPMODE=depmode=$am_cv_CXX_dependencies_compiler_type
+ac_ct_STRIP=$ac_cv_prog_ac_ct_STRIP
+if test -n "$ac_ct_STRIP"; then
+  { echo "$as_me:$LINENO: result: $ac_ct_STRIP" >&5
+echo "${ECHO_T}$ac_ct_STRIP" >&6; }
+else
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
 
- if
-  test "x$enable_dependency_tracking" != xno \
-  && test "$am_cv_CXX_dependencies_compiler_type" = gcc3; then
-  am__fastdepCXX_TRUE=
-  am__fastdepCXX_FALSE='#'
+  if test "x$ac_ct_STRIP" = x; then
+    STRIP=":"
+  else
+    case $cross_compiling:$ac_tool_warned in
+yes:)
+{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
+whose name does not start with the host triplet.  If you think this
+configuration is useful to you, please write to autoconf@gnu.org." >&5
+echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
+whose name does not start with the host triplet.  If you think this
+configuration is useful to you, please write to autoconf@gnu.org." >&2;}
+ac_tool_warned=yes ;;
+esac
+    STRIP=$ac_ct_STRIP
+  fi
 else
-  am__fastdepCXX_TRUE='#'
-  am__fastdepCXX_FALSE=
+  STRIP="$ac_cv_prog_STRIP"
 fi
 
+test -z "$STRIP" && STRIP=:
+
+
 
 
 
-if test -n "$CXX" && ( test "X$CXX" != "Xno" &&
-    ( (test "X$CXX" = "Xg++" && `g++ -v >/dev/null 2>&1` ) ||
-    (test "X$CXX" != "Xg++"))) ; then
-  ac_ext=cpp
-ac_cpp='$CXXCPP $CPPFLAGS'
-ac_compile='$CXX -c $CXXFLAGS $CPPFLAGS conftest.$ac_ext >&5'
-ac_link='$CXX -o conftest$ac_exeext $CXXFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
-ac_compiler_gnu=$ac_cv_cxx_compiler_gnu
-{ echo "$as_me:$LINENO: checking how to run the C++ preprocessor" >&5
-echo $ECHO_N "checking how to run the C++ preprocessor... $ECHO_C" >&6; }
-if test -z "$CXXCPP"; then
-  if test "${ac_cv_prog_CXXCPP+set}" = set; then
+
+if test -n "$ac_tool_prefix"; then
+  # Extract the first word of "${ac_tool_prefix}ranlib", so it can be a program name with args.
+set dummy ${ac_tool_prefix}ranlib; ac_word=$2
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+if test "${ac_cv_prog_RANLIB+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-      # Double quotes because CXXCPP needs to be expanded
-    for CXXCPP in "$CXX -E" "/lib/cpp"
-    do
-      ac_preproc_ok=false
-for ac_cxx_preproc_warn_flag in '' yes
-do
-  # Use a header file that comes with gcc, so configuring glibc
-  # with a fresh cross-compiler works.
-  # Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
-  # <limits.h> exists even on freestanding compilers.
-  # On the NeXT, cc -E runs the code through the compiler's parser,
-  # not just through cpp. "Syntax error" is here to catch this case.
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
-		     Syntax error
-_ACEOF
-if { (ac_try="$ac_cpp conftest.$ac_ext"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } >/dev/null && {
-	 test -z "$ac_cxx_preproc_warn_flag$ac_cxx_werror_flag" ||
-	 test ! -s conftest.err
-       }; then
-  :
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-  # Broken: fails on valid input.
-continue
-fi
-
-rm -f conftest.err conftest.$ac_ext
-
-  # OK, works on sane cases.  Now check whether nonexistent headers
-  # can be detected and how.
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#include <ac_nonexistent.h>
-_ACEOF
-if { (ac_try="$ac_cpp conftest.$ac_ext"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } >/dev/null && {
-	 test -z "$ac_cxx_preproc_warn_flag$ac_cxx_werror_flag" ||
-	 test ! -s conftest.err
-       }; then
-  # Broken: success on invalid input.
-continue
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-  # Passes both tests.
-ac_preproc_ok=:
-break
-fi
-
-rm -f conftest.err conftest.$ac_ext
-
-done
-# Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped.
-rm -f conftest.err conftest.$ac_ext
-if $ac_preproc_ok; then
-  break
-fi
-
-    done
-    ac_cv_prog_CXXCPP=$CXXCPP
-
-fi
-  CXXCPP=$ac_cv_prog_CXXCPP
-else
-  ac_cv_prog_CXXCPP=$CXXCPP
-fi
-{ echo "$as_me:$LINENO: result: $CXXCPP" >&5
-echo "${ECHO_T}$CXXCPP" >&6; }
-ac_preproc_ok=false
-for ac_cxx_preproc_warn_flag in '' yes
-do
-  # Use a header file that comes with gcc, so configuring glibc
-  # with a fresh cross-compiler works.
-  # Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
-  # <limits.h> exists even on freestanding compilers.
-  # On the NeXT, cc -E runs the code through the compiler's parser,
-  # not just through cpp. "Syntax error" is here to catch this case.
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
-		     Syntax error
-_ACEOF
-if { (ac_try="$ac_cpp conftest.$ac_ext"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } >/dev/null && {
-	 test -z "$ac_cxx_preproc_warn_flag$ac_cxx_werror_flag" ||
-	 test ! -s conftest.err
-       }; then
-  :
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-  # Broken: fails on valid input.
-continue
-fi
-
-rm -f conftest.err conftest.$ac_ext
-
-  # OK, works on sane cases.  Now check whether nonexistent headers
-  # can be detected and how.
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#include <ac_nonexistent.h>
-_ACEOF
-if { (ac_try="$ac_cpp conftest.$ac_ext"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } >/dev/null && {
-	 test -z "$ac_cxx_preproc_warn_flag$ac_cxx_werror_flag" ||
-	 test ! -s conftest.err
-       }; then
-  # Broken: success on invalid input.
-continue
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-  # Passes both tests.
-ac_preproc_ok=:
-break
-fi
-
-rm -f conftest.err conftest.$ac_ext
-
-done
-# Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped.
-rm -f conftest.err conftest.$ac_ext
-if $ac_preproc_ok; then
-  :
-else
-  { { echo "$as_me:$LINENO: error: C++ preprocessor \"$CXXCPP\" fails sanity check
-See \`config.log' for more details." >&5
-echo "$as_me: error: C++ preprocessor \"$CXXCPP\" fails sanity check
-See \`config.log' for more details." >&2;}
-   { (exit 1); exit 1; }; }
-fi
-
-ac_ext=cpp
-ac_cpp='$CXXCPP $CPPFLAGS'
-ac_compile='$CXX -c $CXXFLAGS $CPPFLAGS conftest.$ac_ext >&5'
-ac_link='$CXX -o conftest$ac_exeext $CXXFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
-ac_compiler_gnu=$ac_cv_cxx_compiler_gnu
-
-fi
-
-
-ac_ext=f
-ac_compile='$F77 -c $FFLAGS conftest.$ac_ext >&5'
-ac_link='$F77 -o conftest$ac_exeext $FFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
-ac_compiler_gnu=$ac_cv_f77_compiler_gnu
-if test -n "$ac_tool_prefix"; then
-  for ac_prog in g77 xlf f77 frt pgf77 cf77 fort77 fl32 af77 xlf90 f90 pgf90 pghpf epcf90 gfortran g95 xlf95 f95 fort ifort ifc efc pgf95 lf95 ftn
-  do
-    # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args.
-set dummy $ac_tool_prefix$ac_prog; ac_word=$2
-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
-if test "${ac_cv_prog_F77+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  if test -n "$F77"; then
-  ac_cv_prog_F77="$F77" # Let the user override the test.
-else
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
+  if test -n "$RANLIB"; then
+  ac_cv_prog_RANLIB="$RANLIB" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
 do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
   for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-    ac_cv_prog_F77="$ac_tool_prefix$ac_prog"
+    ac_cv_prog_RANLIB="${ac_tool_prefix}ranlib"
     echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
@@ -7488,32 +7097,28 @@ IFS=$as_save_IFS
 
 fi
 fi
-F77=$ac_cv_prog_F77
-if test -n "$F77"; then
-  { echo "$as_me:$LINENO: result: $F77" >&5
-echo "${ECHO_T}$F77" >&6; }
+RANLIB=$ac_cv_prog_RANLIB
+if test -n "$RANLIB"; then
+  { echo "$as_me:$LINENO: result: $RANLIB" >&5
+echo "${ECHO_T}$RANLIB" >&6; }
 else
   { echo "$as_me:$LINENO: result: no" >&5
 echo "${ECHO_T}no" >&6; }
 fi
 
 
-    test -n "$F77" && break
-  done
 fi
-if test -z "$F77"; then
-  ac_ct_F77=$F77
-  for ac_prog in g77 xlf f77 frt pgf77 cf77 fort77 fl32 af77 xlf90 f90 pgf90 pghpf epcf90 gfortran g95 xlf95 f95 fort ifort ifc efc pgf95 lf95 ftn
-do
-  # Extract the first word of "$ac_prog", so it can be a program name with args.
-set dummy $ac_prog; ac_word=$2
+if test -z "$ac_cv_prog_RANLIB"; then
+  ac_ct_RANLIB=$RANLIB
+  # Extract the first word of "ranlib", so it can be a program name with args.
+set dummy ranlib; ac_word=$2
 { echo "$as_me:$LINENO: checking for $ac_word" >&5
 echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
-if test "${ac_cv_prog_ac_ct_F77+set}" = set; then
+if test "${ac_cv_prog_ac_ct_RANLIB+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  if test -n "$ac_ct_F77"; then
-  ac_cv_prog_ac_ct_F77="$ac_ct_F77" # Let the user override the test.
+  if test -n "$ac_ct_RANLIB"; then
+  ac_cv_prog_ac_ct_RANLIB="$ac_ct_RANLIB" # Let the user override the test.
 else
 as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
 for as_dir in $PATH
@@ -7522,7 +7127,7 @@ do
   test -z "$as_dir" && as_dir=.
   for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-    ac_cv_prog_ac_ct_F77="$ac_prog"
+    ac_cv_prog_ac_ct_RANLIB="ranlib"
     echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
@@ -7532,21 +7137,17 @@ IFS=$as_save_IFS
 
 fi
 fi
-ac_ct_F77=$ac_cv_prog_ac_ct_F77
-if test -n "$ac_ct_F77"; then
-  { echo "$as_me:$LINENO: result: $ac_ct_F77" >&5
-echo "${ECHO_T}$ac_ct_F77" >&6; }
+ac_ct_RANLIB=$ac_cv_prog_ac_ct_RANLIB
+if test -n "$ac_ct_RANLIB"; then
+  { echo "$as_me:$LINENO: result: $ac_ct_RANLIB" >&5
+echo "${ECHO_T}$ac_ct_RANLIB" >&6; }
 else
   { echo "$as_me:$LINENO: result: no" >&5
 echo "${ECHO_T}no" >&6; }
 fi
 
-
-  test -n "$ac_ct_F77" && break
-done
-
-  if test "x$ac_ct_F77" = x; then
-    F77=""
+  if test "x$ac_ct_RANLIB" = x; then
+    RANLIB=":"
   else
     case $cross_compiling:$ac_tool_warned in
 yes:)
@@ -7558,289 +7159,79 @@ whose name does not start with the host triplet.  If you think this
 configuration is useful to you, please write to autoconf@gnu.org." >&2;}
 ac_tool_warned=yes ;;
 esac
-    F77=$ac_ct_F77
+    RANLIB=$ac_ct_RANLIB
   fi
+else
+  RANLIB="$ac_cv_prog_RANLIB"
 fi
 
+test -z "$RANLIB" && RANLIB=:
 
-# Provide some information about the compiler.
-echo "$as_me:$LINENO: checking for Fortran 77 compiler version" >&5
-ac_compiler=`set X $ac_compile; echo $2`
-{ (ac_try="$ac_compiler --version >&5"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_compiler --version >&5") 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }
-{ (ac_try="$ac_compiler -v >&5"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_compiler -v >&5") 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }
-{ (ac_try="$ac_compiler -V >&5"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_compiler -V >&5") 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }
-rm -f a.out
-
-# If we don't use `.F' as extension, the preprocessor is not run on the
-# input file.  (Note that this only needs to work for GNU compilers.)
-ac_save_ext=$ac_ext
-ac_ext=F
-{ echo "$as_me:$LINENO: checking whether we are using the GNU Fortran 77 compiler" >&5
-echo $ECHO_N "checking whether we are using the GNU Fortran 77 compiler... $ECHO_C" >&6; }
-if test "${ac_cv_f77_compiler_gnu+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  cat >conftest.$ac_ext <<_ACEOF
-      program main
-#ifndef __GNUC__
-       choke me
-#endif
 
-      end
-_ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_f77_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  ac_compiler_gnu=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
 
-	ac_compiler_gnu=no
-fi
 
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-ac_cv_f77_compiler_gnu=$ac_compiler_gnu
-
-fi
-{ echo "$as_me:$LINENO: result: $ac_cv_f77_compiler_gnu" >&5
-echo "${ECHO_T}$ac_cv_f77_compiler_gnu" >&6; }
-ac_ext=$ac_save_ext
-ac_test_FFLAGS=${FFLAGS+set}
-ac_save_FFLAGS=$FFLAGS
-FFLAGS=
-{ echo "$as_me:$LINENO: checking whether $F77 accepts -g" >&5
-echo $ECHO_N "checking whether $F77 accepts -g... $ECHO_C" >&6; }
-if test "${ac_cv_prog_f77_g+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  FFLAGS=-g
-cat >conftest.$ac_ext <<_ACEOF
-      program main
 
-      end
-_ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_f77_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  ac_cv_prog_f77_g=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
 
-	ac_cv_prog_f77_g=no
+# Determine commands to create old-style static archives.
+old_archive_cmds='$AR $AR_FLAGS $oldlib$oldobjs'
+old_postinstall_cmds='chmod 644 $oldlib'
+old_postuninstall_cmds=
+
+if test -n "$RANLIB"; then
+  case $host_os in
+  openbsd*)
+    old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB -t \$oldlib"
+    ;;
+  *)
+    old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB \$oldlib"
+    ;;
+  esac
+  old_archive_cmds="$old_archive_cmds~\$RANLIB \$oldlib"
 fi
 
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 
-fi
-{ echo "$as_me:$LINENO: result: $ac_cv_prog_f77_g" >&5
-echo "${ECHO_T}$ac_cv_prog_f77_g" >&6; }
-if test "$ac_test_FFLAGS" = set; then
-  FFLAGS=$ac_save_FFLAGS
-elif test $ac_cv_prog_f77_g = yes; then
-  if test "x$ac_cv_f77_compiler_gnu" = xyes; then
-    FFLAGS="-g -O2"
-  else
-    FFLAGS="-g"
-  fi
-else
-  if test "x$ac_cv_f77_compiler_gnu" = xyes; then
-    FFLAGS="-O2"
-  else
-    FFLAGS=
-  fi
-fi
 
-G77=`test $ac_compiler_gnu = yes && echo yes`
-ac_ext=c
-ac_cpp='$CPP $CPPFLAGS'
-ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
-ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
-ac_compiler_gnu=$ac_cv_c_compiler_gnu
 
 
 
-# Autoconf 2.13's AC_OBJEXT and AC_EXEEXT macros only works for C compilers!
-# find the maximum length of command line arguments
-{ echo "$as_me:$LINENO: checking the maximum length of command line arguments" >&5
-echo $ECHO_N "checking the maximum length of command line arguments... $ECHO_C" >&6; }
-if test "${lt_cv_sys_max_cmd_len+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-    i=0
-  teststring="ABCD"
 
-  case $build_os in
-  msdosdjgpp*)
-    # On DJGPP, this test can blow up pretty badly due to problems in libc
-    # (any single argument exceeding 2000 bytes causes a buffer overrun
-    # during glob expansion).  Even if it were fixed, the result of this
-    # check would be larger than it should be.
-    lt_cv_sys_max_cmd_len=12288;    # 12K is about right
-    ;;
 
-  gnu*)
-    # Under GNU Hurd, this test is not required because there is
-    # no limit to the length of command line arguments.
-    # Libtool will interpret -1 as no limit whatsoever
-    lt_cv_sys_max_cmd_len=-1;
-    ;;
 
-  cygwin* | mingw*)
-    # On Win9x/ME, this test blows up -- it succeeds, but takes
-    # about 5 minutes as the teststring grows exponentially.
-    # Worse, since 9x/ME are not pre-emptively multitasking,
-    # you end up with a "frozen" computer, even though with patience
-    # the test eventually succeeds (with a max line length of 256k).
-    # Instead, let's just punt: use the minimum linelength reported by
-    # all of the supported platforms: 8192 (on NT/2K/XP).
-    lt_cv_sys_max_cmd_len=8192;
-    ;;
 
-  amigaos*)
-    # On AmigaOS with pdksh, this test takes hours, literally.
-    # So we just punt and use a minimum line length of 8192.
-    lt_cv_sys_max_cmd_len=8192;
-    ;;
 
-  netbsd* | freebsd* | openbsd* | darwin* | dragonfly*)
-    # This has been around since 386BSD, at least.  Likely further.
-    if test -x /sbin/sysctl; then
-      lt_cv_sys_max_cmd_len=`/sbin/sysctl -n kern.argmax`
-    elif test -x /usr/sbin/sysctl; then
-      lt_cv_sys_max_cmd_len=`/usr/sbin/sysctl -n kern.argmax`
-    else
-      lt_cv_sys_max_cmd_len=65536	# usable default for all BSDs
-    fi
-    # And add a safety zone
-    lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 4`
-    lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \* 3`
-    ;;
 
-  interix*)
-    # We know the value 262144 and hardcode it with a safety zone (like BSD)
-    lt_cv_sys_max_cmd_len=196608
-    ;;
 
-  osf*)
-    # Dr. Hans Ekkehard Plesser reports seeing a kernel panic running configure
-    # due to this test when exec_disable_arg_limit is 1 on Tru64. It is not
-    # nice to cause kernel panics so lets avoid the loop below.
-    # First set a reasonable default.
-    lt_cv_sys_max_cmd_len=16384
-    #
-    if test -x /sbin/sysconfig; then
-      case `/sbin/sysconfig -q proc exec_disable_arg_limit` in
-        *1*) lt_cv_sys_max_cmd_len=-1 ;;
-      esac
-    fi
-    ;;
-  sco3.2v5*)
-    lt_cv_sys_max_cmd_len=102400
-    ;;
-  sysv5* | sco5v6* | sysv4.2uw2*)
-    kargmax=`grep ARG_MAX /etc/conf/cf.d/stune 2>/dev/null`
-    if test -n "$kargmax"; then
-      lt_cv_sys_max_cmd_len=`echo $kargmax | sed 's/.*[ 	]//'`
-    else
-      lt_cv_sys_max_cmd_len=32768
-    fi
-    ;;
-  *)
-    lt_cv_sys_max_cmd_len=`(getconf ARG_MAX) 2> /dev/null`
-    if test -n "$lt_cv_sys_max_cmd_len"; then
-      lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 4`
-      lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \* 3`
-    else
-      SHELL=${SHELL-${CONFIG_SHELL-/bin/sh}}
-      while (test "X"`$SHELL $0 --fallback-echo "X$teststring" 2>/dev/null` \
-	       = "XX$teststring") >/dev/null 2>&1 &&
-	      new_result=`expr "X$teststring" : ".*" 2>&1` &&
-	      lt_cv_sys_max_cmd_len=$new_result &&
-	      test $i != 17 # 1/2 MB should be enough
-      do
-        i=`expr $i + 1`
-        teststring=$teststring$teststring
-      done
-      teststring=
-      # Add a significant safety factor because C++ compilers can tack on massive
-      # amounts of additional arguments before passing them to the linker.
-      # It appears as though 1/2 is a usable value.
-      lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 2`
-    fi
-    ;;
-  esac
 
-fi
 
-if test -n $lt_cv_sys_max_cmd_len ; then
-  { echo "$as_me:$LINENO: result: $lt_cv_sys_max_cmd_len" >&5
-echo "${ECHO_T}$lt_cv_sys_max_cmd_len" >&6; }
-else
-  { echo "$as_me:$LINENO: result: none" >&5
-echo "${ECHO_T}none" >&6; }
-fi
 
 
 
 
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+# If no C compiler was specified, use CC.
+LTCC=${LTCC-"$CC"}
+
+# If no C compiler flags were specified, use CFLAGS.
+LTCFLAGS=${LTCFLAGS-"$CFLAGS"}
+
+# Allow CC to be a program name with arguments.
+compiler=$CC
+
+
 # Check for command to grab the raw symbol name followed by C symbol from nm.
 { echo "$as_me:$LINENO: checking command to parse $NM output from $compiler object" >&5
 echo $ECHO_N "checking command to parse $NM output from $compiler object... $ECHO_C" >&6; }
@@ -7857,12 +7248,6 @@ symcode='[BCDEGRST]'
 # Regexp to match symbols that can be accessed directly from C.
 sympat='\([_A-Za-z][_A-Za-z0-9]*\)'
 
-# Transform an extracted symbol line into a proper C declaration
-lt_cv_sys_global_symbol_to_cdecl="sed -n -e 's/^. .* \(.*\)$/extern int \1;/p'"
-
-# Transform an extracted symbol line into symbol name and symbol address
-lt_cv_sys_global_symbol_to_c_name_address="sed -n -e 's/^: \([^ ]*\) $/  {\\\"\1\\\", (lt_ptr) 0},/p' -e 's/^$symcode \([^ ]*\) \([^ ]*\)$/  {\"\2\", (lt_ptr) \&\2},/p'"
-
 # Define system-specific variables.
 case $host_os in
 aix*)
@@ -7871,19 +7256,10 @@ aix*)
 cygwin* | mingw* | pw32*)
   symcode='[ABCDGISTW]'
   ;;
-hpux*) # Its linker distinguishes data from code symbols
+hpux*)
   if test "$host_cpu" = ia64; then
     symcode='[ABCDEGRST]'
   fi
-  lt_cv_sys_global_symbol_to_cdecl="sed -n -e 's/^T .* \(.*\)$/extern int \1();/p' -e 's/^$symcode* .* \(.*\)$/extern char \1;/p'"
-  lt_cv_sys_global_symbol_to_c_name_address="sed -n -e 's/^: \([^ ]*\) $/  {\\\"\1\\\", (lt_ptr) 0},/p' -e 's/^$symcode* \([^ ]*\) \([^ ]*\)$/  {\"\2\", (lt_ptr) \&\2},/p'"
-  ;;
-linux* | k*bsd*-gnu)
-  if test "$host_cpu" = ia64; then
-    symcode='[ABCDGIRSTW]'
-    lt_cv_sys_global_symbol_to_cdecl="sed -n -e 's/^T .* \(.*\)$/extern int \1();/p' -e 's/^$symcode* .* \(.*\)$/extern char \1;/p'"
-    lt_cv_sys_global_symbol_to_c_name_address="sed -n -e 's/^: \([^ ]*\) $/  {\\\"\1\\\", (lt_ptr) 0},/p' -e 's/^$symcode* \([^ ]*\) \([^ ]*\)$/  {\"\2\", (lt_ptr) \&\2},/p'"
-  fi
   ;;
 irix* | nonstopux*)
   symcode='[BCDEGRST]'
@@ -7908,44 +7284,72 @@ sysv4)
   ;;
 esac
 
+# If we're using GNU nm, then use its standard symbol codes.
+case `$NM -V 2>&1` in
+*GNU* | *'with BFD'*)
+  symcode='[ABCDGIRSTW]' ;;
+esac
+
+# Transform an extracted symbol line into a proper C declaration.
+# Some systems (esp. on ia64) link data and code symbols differently,
+# so use this general approach.
+lt_cv_sys_global_symbol_to_cdecl="sed -n -e 's/^T .* \(.*\)$/extern int \1();/p' -e 's/^$symcode* .* \(.*\)$/extern char \1;/p'"
+
+# Transform an extracted symbol line into symbol name and symbol address
+lt_cv_sys_global_symbol_to_c_name_address="sed -n -e 's/^: \([^ ]*\) $/  {\\\"\1\\\", (void *) 0},/p' -e 's/^$symcode* \([^ ]*\) \([^ ]*\)$/  {\"\2\", (void *) \&\2},/p'"
+lt_cv_sys_global_symbol_to_c_name_address_lib_prefix="sed -n -e 's/^: \([^ ]*\) $/  {\\\"\1\\\", (void *) 0},/p' -e 's/^$symcode* \([^ ]*\) \(lib[^ ]*\)$/  {\"\2\", (void *) \&\2},/p' -e 's/^$symcode* \([^ ]*\) \([^ ]*\)$/  {\"lib\2\", (void *) \&\2},/p'"
+
 # Handle CRLF in mingw tool chain
 opt_cr=
 case $build_os in
 mingw*)
-  opt_cr=`echo 'x\{0,1\}' | tr x '\015'` # option cr in regexp
+  opt_cr=`$ECHO 'x\{0,1\}' | tr x '\015'` # option cr in regexp
   ;;
 esac
 
-# If we're using GNU nm, then use its standard symbol codes.
-case `$NM -V 2>&1` in
-*GNU* | *'with BFD'*)
-  symcode='[ABCDGIRSTW]' ;;
-esac
-
-# Try without a prefix undercore, then with it.
+# Try without a prefix underscore, then with it.
 for ac_symprfx in "" "_"; do
 
   # Transform symcode, sympat, and symprfx into a raw symbol and a C symbol.
   symxfrm="\\1 $ac_symprfx\\2 \\2"
 
   # Write the raw and C identifiers.
-  lt_cv_sys_global_symbol_pipe="sed -n -e 's/^.*[ 	]\($symcode$symcode*\)[ 	][ 	]*$ac_symprfx$sympat$opt_cr$/$symxfrm/p'"
+  if test "$lt_cv_nm_interface" = "MS dumpbin"; then
+    # Fake it for dumpbin and say T for any non-static function
+    # and D for any global variable.
+    # Also find C++ and __fastcall symbols from MSVC++,
+    # which start with @ or ?.
+    lt_cv_sys_global_symbol_pipe="$AWK '"\
+"     {last_section=section; section=\$ 3};"\
+"     /Section length .*#relocs.*(pick any)/{hide[last_section]=1};"\
+"     \$ 0!~/External *\|/{next};"\
+"     / 0+ UNDEF /{next}; / UNDEF \([^|]\)*()/{next};"\
+"     {if(hide[section]) next};"\
+"     {f=0}; \$ 0~/\(\).*\|/{f=1}; {printf f ? \"T \" : \"D \"};"\
+"     {split(\$ 0, a, /\||\r/); split(a[2], s)};"\
+"     s[1]~/^[@?]/{print s[1], s[1]; next};"\
+"     s[1]~prfx {split(s[1],t,\"@\"); print t[1], substr(t[1],length(prfx))}"\
+"     ' prfx=^$ac_symprfx"
+  else
+    lt_cv_sys_global_symbol_pipe="sed -n -e 's/^.*[	 ]\($symcode$symcode*\)[	 ][	 ]*$ac_symprfx$sympat$opt_cr$/$symxfrm/p'"
+  fi
 
   # Check to see that the pipe works correctly.
   pipe_works=no
 
   rm -f conftest*
-  cat > conftest.$ac_ext <<EOF
+  cat > conftest.$ac_ext <<_LT_EOF
 #ifdef __cplusplus
 extern "C" {
 #endif
 char nm_test_var;
-void nm_test_func(){}
+void nm_test_func(void);
+void nm_test_func(void){}
 #ifdef __cplusplus
 }
 #endif
 int main(){nm_test_var='a';nm_test_func();return(0);}
-EOF
+_LT_EOF
 
   if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
   (eval $ac_compile) 2>&5
@@ -7967,42 +7371,44 @@ EOF
       fi
 
       # Make sure that we snagged all the symbols we need.
-      if grep ' nm_test_var$' "$nlist" >/dev/null; then
-	if grep ' nm_test_func$' "$nlist" >/dev/null; then
-	  cat <<EOF > conftest.$ac_ext
+      if $GREP ' nm_test_var$' "$nlist" >/dev/null; then
+	if $GREP ' nm_test_func$' "$nlist" >/dev/null; then
+	  cat <<_LT_EOF > conftest.$ac_ext
 #ifdef __cplusplus
 extern "C" {
 #endif
 
-EOF
+_LT_EOF
 	  # Now generate the symbol file.
-	  eval "$lt_cv_sys_global_symbol_to_cdecl"' < "$nlist" | grep -v main >> conftest.$ac_ext'
+	  eval "$lt_cv_sys_global_symbol_to_cdecl"' < "$nlist" | $GREP -v main >> conftest.$ac_ext'
 
-	  cat <<EOF >> conftest.$ac_ext
-#if defined (__STDC__) && __STDC__
-# define lt_ptr_t void *
-#else
-# define lt_ptr_t char *
-# define const
-#endif
+	  cat <<_LT_EOF >> conftest.$ac_ext
 
-/* The mapping between symbol names and symbols. */
+/* The mapping between symbol names and symbols.  */
 const struct {
   const char *name;
-  lt_ptr_t address;
+  void       *address;
 }
-lt_preloaded_symbols[] =
+lt__PROGRAM__LTX_preloaded_symbols[] =
 {
-EOF
-	  $SED "s/^$symcode$symcode* \(.*\) \(.*\)$/  {\"\2\", (lt_ptr_t) \&\2},/" < "$nlist" | grep -v main >> conftest.$ac_ext
-	  cat <<\EOF >> conftest.$ac_ext
-  {0, (lt_ptr_t) 0}
+  { "@PROGRAM@", (void *) 0 },
+_LT_EOF
+	  $SED "s/^$symcode$symcode* \(.*\) \(.*\)$/  {\"\2\", (void *) \&\2},/" < "$nlist" | $GREP -v main >> conftest.$ac_ext
+	  cat <<\_LT_EOF >> conftest.$ac_ext
+  {0, (void *) 0}
 };
 
+/* This works around a problem in FreeBSD linker */
+#ifdef FREEBSD_WORKAROUND
+static const void *lt_preloaded_setup() {
+  return lt__PROGRAM__LTX_preloaded_symbols;
+}
+#endif
+
 #ifdef __cplusplus
 }
 #endif
-EOF
+_LT_EOF
 	  # Now try linking the two files.
 	  mv conftest.$ac_objext conftstm.$ac_objext
 	  lt_save_LIBS="$LIBS"
@@ -8054,80 +7460,258 @@ else
 echo "${ECHO_T}ok" >&6; }
 fi
 
-{ echo "$as_me:$LINENO: checking for objdir" >&5
-echo $ECHO_N "checking for objdir... $ECHO_C" >&6; }
-if test "${lt_cv_objdir+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  rm -f .libs 2>/dev/null
-mkdir .libs 2>/dev/null
-if test -d .libs; then
-  lt_cv_objdir=.libs
-else
-  # MS-DOS does not allow filenames that begin with a dot.
-  lt_cv_objdir=_libs
-fi
-rmdir .libs 2>/dev/null
-fi
-{ echo "$as_me:$LINENO: result: $lt_cv_objdir" >&5
-echo "${ECHO_T}$lt_cv_objdir" >&6; }
-objdir=$lt_cv_objdir
 
 
 
 
 
-case $host_os in
-aix3*)
-  # AIX sometimes has problems with the GCC collect2 program.  For some
-  # reason, if we set the COLLECT_NAMES environment variable, the problems
-  # vanish in a puff of smoke.
-  if test "X${COLLECT_NAMES+set}" != Xset; then
-    COLLECT_NAMES=
-    export COLLECT_NAMES
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+# Check whether --enable-libtool-lock was given.
+if test "${enable_libtool_lock+set}" = set; then
+  enableval=$enable_libtool_lock;
+fi
+
+test "x$enable_libtool_lock" != xno && enable_libtool_lock=yes
+
+# Some flags need to be propagated to the compiler or linker for good
+# libtool support.
+case $host in
+ia64-*-hpux*)
+  # Find out which ABI we are using.
+  echo 'int i;' > conftest.$ac_ext
+  if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+    case `/usr/bin/file conftest.$ac_objext` in
+      *ELF-32*)
+	HPUX_IA64_MODE="32"
+	;;
+      *ELF-64*)
+	HPUX_IA64_MODE="64"
+	;;
+    esac
   fi
+  rm -rf conftest*
+  ;;
+*-*-irix6*)
+  # Find out which ABI we are using.
+  echo '#line 7515 "configure"' > conftest.$ac_ext
+  if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+    if test "$lt_cv_prog_gnu_ld" = yes; then
+      case `/usr/bin/file conftest.$ac_objext` in
+	*32-bit*)
+	  LD="${LD-ld} -melf32bsmip"
+	  ;;
+	*N32*)
+	  LD="${LD-ld} -melf32bmipn32"
+	  ;;
+	*64-bit*)
+	  LD="${LD-ld} -melf64bmip"
+	;;
+      esac
+    else
+      case `/usr/bin/file conftest.$ac_objext` in
+	*32-bit*)
+	  LD="${LD-ld} -32"
+	  ;;
+	*N32*)
+	  LD="${LD-ld} -n32"
+	  ;;
+	*64-bit*)
+	  LD="${LD-ld} -64"
+	  ;;
+      esac
+    fi
+  fi
+  rm -rf conftest*
   ;;
-esac
 
-# Sed substitution that helps us do robust quoting.  It backslashifies
-# metacharacters that are still active within double-quoted strings.
-Xsed='sed -e 1s/^X//'
-sed_quote_subst='s/\([\\"\\`$\\\\]\)/\\\1/g'
+x86_64-*kfreebsd*-gnu|x86_64-*linux*|ppc*-*linux*|powerpc*-*linux*| \
+s390*-*linux*|s390*-*tpf*|sparc*-*linux*)
+  # Find out which ABI we are using.
+  echo 'int i;' > conftest.$ac_ext
+  if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+    case `/usr/bin/file conftest.o` in
+      *32-bit*)
+	case $host in
+	  x86_64-*kfreebsd*-gnu)
+	    LD="${LD-ld} -m elf_i386_fbsd"
+	    ;;
+	  x86_64-*linux*)
+	    LD="${LD-ld} -m elf_i386"
+	    ;;
+	  ppc64-*linux*|powerpc64-*linux*)
+	    LD="${LD-ld} -m elf32ppclinux"
+	    ;;
+	  s390x-*linux*)
+	    LD="${LD-ld} -m elf_s390"
+	    ;;
+	  sparc64-*linux*)
+	    LD="${LD-ld} -m elf32_sparc"
+	    ;;
+	esac
+	;;
+      *64-bit*)
+	case $host in
+	  x86_64-*kfreebsd*-gnu)
+	    LD="${LD-ld} -m elf_x86_64_fbsd"
+	    ;;
+	  x86_64-*linux*)
+	    LD="${LD-ld} -m elf_x86_64"
+	    ;;
+	  ppc*-*linux*|powerpc*-*linux*)
+	    LD="${LD-ld} -m elf64ppc"
+	    ;;
+	  s390*-*linux*|s390*-*tpf*)
+	    LD="${LD-ld} -m elf64_s390"
+	    ;;
+	  sparc*-*linux*)
+	    LD="${LD-ld} -m elf64_sparc"
+	    ;;
+	esac
+	;;
+    esac
+  fi
+  rm -rf conftest*
+  ;;
 
-# Same as above, but do not quote variable references.
-double_quote_subst='s/\([\\"\\`\\\\]\)/\\\1/g'
+*-*-sco3.2v5*)
+  # On SCO OpenServer 5, we need -belf to get full-featured binaries.
+  SAVE_CFLAGS="$CFLAGS"
+  CFLAGS="$CFLAGS -belf"
+  { echo "$as_me:$LINENO: checking whether the C compiler needs -belf" >&5
+echo $ECHO_N "checking whether the C compiler needs -belf... $ECHO_C" >&6; }
+if test "${lt_cv_cc_needs_belf+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
 
-# Sed substitution to delay expansion of an escaped shell variable in a
-# double_quote_subst'ed string.
-delay_variable_subst='s/\\\\\\\\\\\$/\\\\\\$/g'
+     cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
 
-# Sed substitution to avoid accidental globbing in evaled expressions
-no_glob_subst='s/\*/\\\*/g'
+int
+main ()
+{
 
-# Constants:
-rm="rm -f"
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+  lt_cv_cc_needs_belf=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
 
-# Global variables:
-default_ofile=libtool
-can_build_shared=yes
+	lt_cv_cc_needs_belf=no
+fi
 
-# All known linkers require a `.a' archive for static linking (except MSVC,
-# which needs '.lib').
-libext=a
-ltmain="$ac_aux_dir/ltmain.sh"
-ofile="$default_ofile"
-with_gnu_ld="$lt_cv_prog_gnu_ld"
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+     ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
 
-if test -n "$ac_tool_prefix"; then
-  # Extract the first word of "${ac_tool_prefix}ar", so it can be a program name with args.
-set dummy ${ac_tool_prefix}ar; ac_word=$2
+fi
+{ echo "$as_me:$LINENO: result: $lt_cv_cc_needs_belf" >&5
+echo "${ECHO_T}$lt_cv_cc_needs_belf" >&6; }
+  if test x"$lt_cv_cc_needs_belf" != x"yes"; then
+    # this is probably gcc 2.8.0, egcs 1.0 or newer; no need for -belf
+    CFLAGS="$SAVE_CFLAGS"
+  fi
+  ;;
+sparc*-*solaris*)
+  # Find out which ABI we are using.
+  echo 'int i;' > conftest.$ac_ext
+  if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+    case `/usr/bin/file conftest.o` in
+    *64-bit*)
+      case $lt_cv_prog_gnu_ld in
+      yes*) LD="${LD-ld} -m elf64_sparc" ;;
+      *)
+	if ${LD-ld} -64 -r -o conftest2.o conftest.o >/dev/null 2>&1; then
+	  LD="${LD-ld} -64"
+	fi
+	;;
+      esac
+      ;;
+    esac
+  fi
+  rm -rf conftest*
+  ;;
+esac
+
+need_locks="$enable_libtool_lock"
+
+
+  case $host_os in
+    rhapsody* | darwin*)
+    if test -n "$ac_tool_prefix"; then
+  # Extract the first word of "${ac_tool_prefix}dsymutil", so it can be a program name with args.
+set dummy ${ac_tool_prefix}dsymutil; ac_word=$2
 { echo "$as_me:$LINENO: checking for $ac_word" >&5
 echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
-if test "${ac_cv_prog_AR+set}" = set; then
+if test "${ac_cv_prog_DSYMUTIL+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  if test -n "$AR"; then
-  ac_cv_prog_AR="$AR" # Let the user override the test.
+  if test -n "$DSYMUTIL"; then
+  ac_cv_prog_DSYMUTIL="$DSYMUTIL" # Let the user override the test.
 else
 as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
 for as_dir in $PATH
@@ -8136,7 +7720,7 @@ do
   test -z "$as_dir" && as_dir=.
   for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-    ac_cv_prog_AR="${ac_tool_prefix}ar"
+    ac_cv_prog_DSYMUTIL="${ac_tool_prefix}dsymutil"
     echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
@@ -8146,10 +7730,10 @@ IFS=$as_save_IFS
 
 fi
 fi
-AR=$ac_cv_prog_AR
-if test -n "$AR"; then
-  { echo "$as_me:$LINENO: result: $AR" >&5
-echo "${ECHO_T}$AR" >&6; }
+DSYMUTIL=$ac_cv_prog_DSYMUTIL
+if test -n "$DSYMUTIL"; then
+  { echo "$as_me:$LINENO: result: $DSYMUTIL" >&5
+echo "${ECHO_T}$DSYMUTIL" >&6; }
 else
   { echo "$as_me:$LINENO: result: no" >&5
 echo "${ECHO_T}no" >&6; }
@@ -8157,17 +7741,17 @@ fi
 
 
 fi
-if test -z "$ac_cv_prog_AR"; then
-  ac_ct_AR=$AR
-  # Extract the first word of "ar", so it can be a program name with args.
-set dummy ar; ac_word=$2
+if test -z "$ac_cv_prog_DSYMUTIL"; then
+  ac_ct_DSYMUTIL=$DSYMUTIL
+  # Extract the first word of "dsymutil", so it can be a program name with args.
+set dummy dsymutil; ac_word=$2
 { echo "$as_me:$LINENO: checking for $ac_word" >&5
 echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
-if test "${ac_cv_prog_ac_ct_AR+set}" = set; then
+if test "${ac_cv_prog_ac_ct_DSYMUTIL+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  if test -n "$ac_ct_AR"; then
-  ac_cv_prog_ac_ct_AR="$ac_ct_AR" # Let the user override the test.
+  if test -n "$ac_ct_DSYMUTIL"; then
+  ac_cv_prog_ac_ct_DSYMUTIL="$ac_ct_DSYMUTIL" # Let the user override the test.
 else
 as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
 for as_dir in $PATH
@@ -8176,7 +7760,7 @@ do
   test -z "$as_dir" && as_dir=.
   for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-    ac_cv_prog_ac_ct_AR="ar"
+    ac_cv_prog_ac_ct_DSYMUTIL="dsymutil"
     echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
@@ -8186,17 +7770,17 @@ IFS=$as_save_IFS
 
 fi
 fi
-ac_ct_AR=$ac_cv_prog_ac_ct_AR
-if test -n "$ac_ct_AR"; then
-  { echo "$as_me:$LINENO: result: $ac_ct_AR" >&5
-echo "${ECHO_T}$ac_ct_AR" >&6; }
+ac_ct_DSYMUTIL=$ac_cv_prog_ac_ct_DSYMUTIL
+if test -n "$ac_ct_DSYMUTIL"; then
+  { echo "$as_me:$LINENO: result: $ac_ct_DSYMUTIL" >&5
+echo "${ECHO_T}$ac_ct_DSYMUTIL" >&6; }
 else
   { echo "$as_me:$LINENO: result: no" >&5
 echo "${ECHO_T}no" >&6; }
 fi
 
-  if test "x$ac_ct_AR" = x; then
-    AR="false"
+  if test "x$ac_ct_DSYMUTIL" = x; then
+    DSYMUTIL=":"
   else
     case $cross_compiling:$ac_tool_warned in
 yes:)
@@ -8208,22 +7792,22 @@ whose name does not start with the host triplet.  If you think this
 configuration is useful to you, please write to autoconf@gnu.org." >&2;}
 ac_tool_warned=yes ;;
 esac
-    AR=$ac_ct_AR
+    DSYMUTIL=$ac_ct_DSYMUTIL
   fi
 else
-  AR="$ac_cv_prog_AR"
+  DSYMUTIL="$ac_cv_prog_DSYMUTIL"
 fi
 
-if test -n "$ac_tool_prefix"; then
-  # Extract the first word of "${ac_tool_prefix}ranlib", so it can be a program name with args.
-set dummy ${ac_tool_prefix}ranlib; ac_word=$2
+    if test -n "$ac_tool_prefix"; then
+  # Extract the first word of "${ac_tool_prefix}nmedit", so it can be a program name with args.
+set dummy ${ac_tool_prefix}nmedit; ac_word=$2
 { echo "$as_me:$LINENO: checking for $ac_word" >&5
 echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
-if test "${ac_cv_prog_RANLIB+set}" = set; then
+if test "${ac_cv_prog_NMEDIT+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  if test -n "$RANLIB"; then
-  ac_cv_prog_RANLIB="$RANLIB" # Let the user override the test.
+  if test -n "$NMEDIT"; then
+  ac_cv_prog_NMEDIT="$NMEDIT" # Let the user override the test.
 else
 as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
 for as_dir in $PATH
@@ -8232,7 +7816,7 @@ do
   test -z "$as_dir" && as_dir=.
   for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-    ac_cv_prog_RANLIB="${ac_tool_prefix}ranlib"
+    ac_cv_prog_NMEDIT="${ac_tool_prefix}nmedit"
     echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
@@ -8242,10 +7826,10 @@ IFS=$as_save_IFS
 
 fi
 fi
-RANLIB=$ac_cv_prog_RANLIB
-if test -n "$RANLIB"; then
-  { echo "$as_me:$LINENO: result: $RANLIB" >&5
-echo "${ECHO_T}$RANLIB" >&6; }
+NMEDIT=$ac_cv_prog_NMEDIT
+if test -n "$NMEDIT"; then
+  { echo "$as_me:$LINENO: result: $NMEDIT" >&5
+echo "${ECHO_T}$NMEDIT" >&6; }
 else
   { echo "$as_me:$LINENO: result: no" >&5
 echo "${ECHO_T}no" >&6; }
@@ -8253,17 +7837,17 @@ fi
 
 
 fi
-if test -z "$ac_cv_prog_RANLIB"; then
-  ac_ct_RANLIB=$RANLIB
-  # Extract the first word of "ranlib", so it can be a program name with args.
-set dummy ranlib; ac_word=$2
+if test -z "$ac_cv_prog_NMEDIT"; then
+  ac_ct_NMEDIT=$NMEDIT
+  # Extract the first word of "nmedit", so it can be a program name with args.
+set dummy nmedit; ac_word=$2
 { echo "$as_me:$LINENO: checking for $ac_word" >&5
 echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
-if test "${ac_cv_prog_ac_ct_RANLIB+set}" = set; then
+if test "${ac_cv_prog_ac_ct_NMEDIT+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  if test -n "$ac_ct_RANLIB"; then
-  ac_cv_prog_ac_ct_RANLIB="$ac_ct_RANLIB" # Let the user override the test.
+  if test -n "$ac_ct_NMEDIT"; then
+  ac_cv_prog_ac_ct_NMEDIT="$ac_ct_NMEDIT" # Let the user override the test.
 else
 as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
 for as_dir in $PATH
@@ -8272,7 +7856,7 @@ do
   test -z "$as_dir" && as_dir=.
   for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-    ac_cv_prog_ac_ct_RANLIB="ranlib"
+    ac_cv_prog_ac_ct_NMEDIT="nmedit"
     echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
@@ -8282,17 +7866,17 @@ IFS=$as_save_IFS
 
 fi
 fi
-ac_ct_RANLIB=$ac_cv_prog_ac_ct_RANLIB
-if test -n "$ac_ct_RANLIB"; then
-  { echo "$as_me:$LINENO: result: $ac_ct_RANLIB" >&5
-echo "${ECHO_T}$ac_ct_RANLIB" >&6; }
+ac_ct_NMEDIT=$ac_cv_prog_ac_ct_NMEDIT
+if test -n "$ac_ct_NMEDIT"; then
+  { echo "$as_me:$LINENO: result: $ac_ct_NMEDIT" >&5
+echo "${ECHO_T}$ac_ct_NMEDIT" >&6; }
 else
   { echo "$as_me:$LINENO: result: no" >&5
 echo "${ECHO_T}no" >&6; }
 fi
 
-  if test "x$ac_ct_RANLIB" = x; then
-    RANLIB=":"
+  if test "x$ac_ct_NMEDIT" = x; then
+    NMEDIT=":"
   else
     case $cross_compiling:$ac_tool_warned in
 yes:)
@@ -8304,22 +7888,22 @@ whose name does not start with the host triplet.  If you think this
 configuration is useful to you, please write to autoconf@gnu.org." >&2;}
 ac_tool_warned=yes ;;
 esac
-    RANLIB=$ac_ct_RANLIB
+    NMEDIT=$ac_ct_NMEDIT
   fi
 else
-  RANLIB="$ac_cv_prog_RANLIB"
+  NMEDIT="$ac_cv_prog_NMEDIT"
 fi
 
-if test -n "$ac_tool_prefix"; then
-  # Extract the first word of "${ac_tool_prefix}strip", so it can be a program name with args.
-set dummy ${ac_tool_prefix}strip; ac_word=$2
+    if test -n "$ac_tool_prefix"; then
+  # Extract the first word of "${ac_tool_prefix}lipo", so it can be a program name with args.
+set dummy ${ac_tool_prefix}lipo; ac_word=$2
 { echo "$as_me:$LINENO: checking for $ac_word" >&5
 echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
-if test "${ac_cv_prog_STRIP+set}" = set; then
+if test "${ac_cv_prog_LIPO+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  if test -n "$STRIP"; then
-  ac_cv_prog_STRIP="$STRIP" # Let the user override the test.
+  if test -n "$LIPO"; then
+  ac_cv_prog_LIPO="$LIPO" # Let the user override the test.
 else
 as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
 for as_dir in $PATH
@@ -8328,7 +7912,7 @@ do
   test -z "$as_dir" && as_dir=.
   for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-    ac_cv_prog_STRIP="${ac_tool_prefix}strip"
+    ac_cv_prog_LIPO="${ac_tool_prefix}lipo"
     echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
@@ -8338,10 +7922,10 @@ IFS=$as_save_IFS
 
 fi
 fi
-STRIP=$ac_cv_prog_STRIP
-if test -n "$STRIP"; then
-  { echo "$as_me:$LINENO: result: $STRIP" >&5
-echo "${ECHO_T}$STRIP" >&6; }
+LIPO=$ac_cv_prog_LIPO
+if test -n "$LIPO"; then
+  { echo "$as_me:$LINENO: result: $LIPO" >&5
+echo "${ECHO_T}$LIPO" >&6; }
 else
   { echo "$as_me:$LINENO: result: no" >&5
 echo "${ECHO_T}no" >&6; }
@@ -8349,17 +7933,17 @@ fi
 
 
 fi
-if test -z "$ac_cv_prog_STRIP"; then
-  ac_ct_STRIP=$STRIP
-  # Extract the first word of "strip", so it can be a program name with args.
-set dummy strip; ac_word=$2
+if test -z "$ac_cv_prog_LIPO"; then
+  ac_ct_LIPO=$LIPO
+  # Extract the first word of "lipo", so it can be a program name with args.
+set dummy lipo; ac_word=$2
 { echo "$as_me:$LINENO: checking for $ac_word" >&5
 echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
-if test "${ac_cv_prog_ac_ct_STRIP+set}" = set; then
+if test "${ac_cv_prog_ac_ct_LIPO+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  if test -n "$ac_ct_STRIP"; then
-  ac_cv_prog_ac_ct_STRIP="$ac_ct_STRIP" # Let the user override the test.
+  if test -n "$ac_ct_LIPO"; then
+  ac_cv_prog_ac_ct_LIPO="$ac_ct_LIPO" # Let the user override the test.
 else
 as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
 for as_dir in $PATH
@@ -8368,7 +7952,7 @@ do
   test -z "$as_dir" && as_dir=.
   for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-    ac_cv_prog_ac_ct_STRIP="strip"
+    ac_cv_prog_ac_ct_LIPO="lipo"
     echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
@@ -8378,17 +7962,17 @@ IFS=$as_save_IFS
 
 fi
 fi
-ac_ct_STRIP=$ac_cv_prog_ac_ct_STRIP
-if test -n "$ac_ct_STRIP"; then
-  { echo "$as_me:$LINENO: result: $ac_ct_STRIP" >&5
-echo "${ECHO_T}$ac_ct_STRIP" >&6; }
+ac_ct_LIPO=$ac_cv_prog_ac_ct_LIPO
+if test -n "$ac_ct_LIPO"; then
+  { echo "$as_me:$LINENO: result: $ac_ct_LIPO" >&5
+echo "${ECHO_T}$ac_ct_LIPO" >&6; }
 else
   { echo "$as_me:$LINENO: result: no" >&5
 echo "${ECHO_T}no" >&6; }
 fi
 
-  if test "x$ac_ct_STRIP" = x; then
-    STRIP=":"
+  if test "x$ac_ct_LIPO" = x; then
+    LIPO=":"
   else
     case $cross_compiling:$ac_tool_warned in
 yes:)
@@ -8400,210 +7984,118 @@ whose name does not start with the host triplet.  If you think this
 configuration is useful to you, please write to autoconf@gnu.org." >&2;}
 ac_tool_warned=yes ;;
 esac
-    STRIP=$ac_ct_STRIP
+    LIPO=$ac_ct_LIPO
   fi
 else
-  STRIP="$ac_cv_prog_STRIP"
+  LIPO="$ac_cv_prog_LIPO"
 fi
 
+    if test -n "$ac_tool_prefix"; then
+  # Extract the first word of "${ac_tool_prefix}otool", so it can be a program name with args.
+set dummy ${ac_tool_prefix}otool; ac_word=$2
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+if test "${ac_cv_prog_OTOOL+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  if test -n "$OTOOL"; then
+  ac_cv_prog_OTOOL="$OTOOL" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+  for ac_exec_ext in '' $ac_executable_extensions; do
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+    ac_cv_prog_OTOOL="${ac_tool_prefix}otool"
+    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+done
+IFS=$as_save_IFS
 
-old_CC="$CC"
-old_CFLAGS="$CFLAGS"
-
-# Set sane defaults for various variables
-test -z "$AR" && AR=ar
-test -z "$AR_FLAGS" && AR_FLAGS=cru
-test -z "$AS" && AS=as
-test -z "$CC" && CC=cc
-test -z "$LTCC" && LTCC=$CC
-test -z "$LTCFLAGS" && LTCFLAGS=$CFLAGS
-test -z "$DLLTOOL" && DLLTOOL=dlltool
-test -z "$LD" && LD=ld
-test -z "$LN_S" && LN_S="ln -s"
-test -z "$MAGIC_CMD" && MAGIC_CMD=file
-test -z "$NM" && NM=nm
-test -z "$SED" && SED=sed
-test -z "$OBJDUMP" && OBJDUMP=objdump
-test -z "$RANLIB" && RANLIB=:
-test -z "$STRIP" && STRIP=:
-test -z "$ac_objext" && ac_objext=o
-
-# Determine commands to create old-style static archives.
-old_archive_cmds='$AR $AR_FLAGS $oldlib$oldobjs'
-old_postinstall_cmds='chmod 644 $oldlib'
-old_postuninstall_cmds=
-
-if test -n "$RANLIB"; then
-  case $host_os in
-  openbsd*)
-    old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB -t \$oldlib"
-    ;;
-  *)
-    old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB \$oldlib"
-    ;;
-  esac
-  old_archive_cmds="$old_archive_cmds~\$RANLIB \$oldlib"
 fi
-
-for cc_temp in $compiler""; do
-  case $cc_temp in
-    compile | *[\\/]compile | ccache | *[\\/]ccache ) ;;
-    distcc | *[\\/]distcc | purify | *[\\/]purify ) ;;
-    \-*) ;;
-    *) break;;
-  esac
-done
-cc_basename=`$echo "X$cc_temp" | $Xsed -e 's%.*/%%' -e "s%^$host_alias-%%"`
+fi
+OTOOL=$ac_cv_prog_OTOOL
+if test -n "$OTOOL"; then
+  { echo "$as_me:$LINENO: result: $OTOOL" >&5
+echo "${ECHO_T}$OTOOL" >&6; }
+else
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
 
 
-# Only perform the check for file, if the check method requires it
-case $deplibs_check_method in
-file_magic*)
-  if test "$file_magic_cmd" = '$MAGIC_CMD'; then
-    { echo "$as_me:$LINENO: checking for ${ac_tool_prefix}file" >&5
-echo $ECHO_N "checking for ${ac_tool_prefix}file... $ECHO_C" >&6; }
-if test "${lt_cv_path_MAGIC_CMD+set}" = set; then
+fi
+if test -z "$ac_cv_prog_OTOOL"; then
+  ac_ct_OTOOL=$OTOOL
+  # Extract the first word of "otool", so it can be a program name with args.
+set dummy otool; ac_word=$2
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+if test "${ac_cv_prog_ac_ct_OTOOL+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  case $MAGIC_CMD in
-[\\/*] |  ?:[\\/]*)
-  lt_cv_path_MAGIC_CMD="$MAGIC_CMD" # Let the user override the test with a path.
-  ;;
-*)
-  lt_save_MAGIC_CMD="$MAGIC_CMD"
-  lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR
-  ac_dummy="/usr/bin$PATH_SEPARATOR$PATH"
-  for ac_dir in $ac_dummy; do
-    IFS="$lt_save_ifs"
-    test -z "$ac_dir" && ac_dir=.
-    if test -f $ac_dir/${ac_tool_prefix}file; then
-      lt_cv_path_MAGIC_CMD="$ac_dir/${ac_tool_prefix}file"
-      if test -n "$file_magic_test_file"; then
-	case $deplibs_check_method in
-	"file_magic "*)
-	  file_magic_regex=`expr "$deplibs_check_method" : "file_magic \(.*\)"`
-	  MAGIC_CMD="$lt_cv_path_MAGIC_CMD"
-	  if eval $file_magic_cmd \$file_magic_test_file 2> /dev/null |
-	    $EGREP "$file_magic_regex" > /dev/null; then
-	    :
-	  else
-	    cat <<EOF 1>&2
-
-*** Warning: the command libtool uses to detect shared libraries,
-*** $file_magic_cmd, produces output that libtool cannot recognize.
-*** The result is that libtool may fail to recognize shared libraries
-*** as such.  This will affect the creation of libtool libraries that
-*** depend on shared libraries, but programs linked with such libtool
-*** libraries will work regardless of this problem.  Nevertheless, you
-*** may want to report the problem to your system manager and/or to
-*** bug-libtool@gnu.org
+  if test -n "$ac_ct_OTOOL"; then
+  ac_cv_prog_ac_ct_OTOOL="$ac_ct_OTOOL" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+  for ac_exec_ext in '' $ac_executable_extensions; do
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+    ac_cv_prog_ac_ct_OTOOL="otool"
+    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+done
+IFS=$as_save_IFS
 
-EOF
-	  fi ;;
-	esac
-      fi
-      break
-    fi
-  done
-  IFS="$lt_save_ifs"
-  MAGIC_CMD="$lt_save_MAGIC_CMD"
-  ;;
-esac
 fi
-
-MAGIC_CMD="$lt_cv_path_MAGIC_CMD"
-if test -n "$MAGIC_CMD"; then
-  { echo "$as_me:$LINENO: result: $MAGIC_CMD" >&5
-echo "${ECHO_T}$MAGIC_CMD" >&6; }
+fi
+ac_ct_OTOOL=$ac_cv_prog_ac_ct_OTOOL
+if test -n "$ac_ct_OTOOL"; then
+  { echo "$as_me:$LINENO: result: $ac_ct_OTOOL" >&5
+echo "${ECHO_T}$ac_ct_OTOOL" >&6; }
 else
   { echo "$as_me:$LINENO: result: no" >&5
 echo "${ECHO_T}no" >&6; }
 fi
 
-if test -z "$lt_cv_path_MAGIC_CMD"; then
-  if test -n "$ac_tool_prefix"; then
-    { echo "$as_me:$LINENO: checking for file" >&5
-echo $ECHO_N "checking for file... $ECHO_C" >&6; }
-if test "${lt_cv_path_MAGIC_CMD+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  if test "x$ac_ct_OTOOL" = x; then
+    OTOOL=":"
+  else
+    case $cross_compiling:$ac_tool_warned in
+yes:)
+{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
+whose name does not start with the host triplet.  If you think this
+configuration is useful to you, please write to autoconf@gnu.org." >&5
+echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
+whose name does not start with the host triplet.  If you think this
+configuration is useful to you, please write to autoconf@gnu.org." >&2;}
+ac_tool_warned=yes ;;
+esac
+    OTOOL=$ac_ct_OTOOL
+  fi
 else
-  case $MAGIC_CMD in
-[\\/*] |  ?:[\\/]*)
-  lt_cv_path_MAGIC_CMD="$MAGIC_CMD" # Let the user override the test with a path.
-  ;;
-*)
-  lt_save_MAGIC_CMD="$MAGIC_CMD"
-  lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR
-  ac_dummy="/usr/bin$PATH_SEPARATOR$PATH"
-  for ac_dir in $ac_dummy; do
-    IFS="$lt_save_ifs"
-    test -z "$ac_dir" && ac_dir=.
-    if test -f $ac_dir/file; then
-      lt_cv_path_MAGIC_CMD="$ac_dir/file"
-      if test -n "$file_magic_test_file"; then
-	case $deplibs_check_method in
-	"file_magic "*)
-	  file_magic_regex=`expr "$deplibs_check_method" : "file_magic \(.*\)"`
-	  MAGIC_CMD="$lt_cv_path_MAGIC_CMD"
-	  if eval $file_magic_cmd \$file_magic_test_file 2> /dev/null |
-	    $EGREP "$file_magic_regex" > /dev/null; then
-	    :
-	  else
-	    cat <<EOF 1>&2
-
-*** Warning: the command libtool uses to detect shared libraries,
-*** $file_magic_cmd, produces output that libtool cannot recognize.
-*** The result is that libtool may fail to recognize shared libraries
-*** as such.  This will affect the creation of libtool libraries that
-*** depend on shared libraries, but programs linked with such libtool
-*** libraries will work regardless of this problem.  Nevertheless, you
-*** may want to report the problem to your system manager and/or to
-*** bug-libtool@gnu.org
-
-EOF
-	  fi ;;
-	esac
-      fi
-      break
-    fi
-  done
-  IFS="$lt_save_ifs"
-  MAGIC_CMD="$lt_save_MAGIC_CMD"
-  ;;
-esac
-fi
-
-MAGIC_CMD="$lt_cv_path_MAGIC_CMD"
-if test -n "$MAGIC_CMD"; then
-  { echo "$as_me:$LINENO: result: $MAGIC_CMD" >&5
-echo "${ECHO_T}$MAGIC_CMD" >&6; }
-else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
-fi
-
-  else
-    MAGIC_CMD=:
-  fi
+  OTOOL="$ac_cv_prog_OTOOL"
 fi
 
-  fi
-  ;;
-esac
-
-
-  case $host_os in
-    rhapsody* | darwin*)
     if test -n "$ac_tool_prefix"; then
-  # Extract the first word of "${ac_tool_prefix}dsymutil", so it can be a program name with args.
-set dummy ${ac_tool_prefix}dsymutil; ac_word=$2
+  # Extract the first word of "${ac_tool_prefix}otool64", so it can be a program name with args.
+set dummy ${ac_tool_prefix}otool64; ac_word=$2
 { echo "$as_me:$LINENO: checking for $ac_word" >&5
 echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
-if test "${ac_cv_prog_DSYMUTIL+set}" = set; then
+if test "${ac_cv_prog_OTOOL64+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  if test -n "$DSYMUTIL"; then
-  ac_cv_prog_DSYMUTIL="$DSYMUTIL" # Let the user override the test.
+  if test -n "$OTOOL64"; then
+  ac_cv_prog_OTOOL64="$OTOOL64" # Let the user override the test.
 else
 as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
 for as_dir in $PATH
@@ -8612,7 +8104,7 @@ do
   test -z "$as_dir" && as_dir=.
   for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-    ac_cv_prog_DSYMUTIL="${ac_tool_prefix}dsymutil"
+    ac_cv_prog_OTOOL64="${ac_tool_prefix}otool64"
     echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
@@ -8622,10 +8114,10 @@ IFS=$as_save_IFS
 
 fi
 fi
-DSYMUTIL=$ac_cv_prog_DSYMUTIL
-if test -n "$DSYMUTIL"; then
-  { echo "$as_me:$LINENO: result: $DSYMUTIL" >&5
-echo "${ECHO_T}$DSYMUTIL" >&6; }
+OTOOL64=$ac_cv_prog_OTOOL64
+if test -n "$OTOOL64"; then
+  { echo "$as_me:$LINENO: result: $OTOOL64" >&5
+echo "${ECHO_T}$OTOOL64" >&6; }
 else
   { echo "$as_me:$LINENO: result: no" >&5
 echo "${ECHO_T}no" >&6; }
@@ -8633,17 +8125,17 @@ fi
 
 
 fi
-if test -z "$ac_cv_prog_DSYMUTIL"; then
-  ac_ct_DSYMUTIL=$DSYMUTIL
-  # Extract the first word of "dsymutil", so it can be a program name with args.
-set dummy dsymutil; ac_word=$2
+if test -z "$ac_cv_prog_OTOOL64"; then
+  ac_ct_OTOOL64=$OTOOL64
+  # Extract the first word of "otool64", so it can be a program name with args.
+set dummy otool64; ac_word=$2
 { echo "$as_me:$LINENO: checking for $ac_word" >&5
 echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
-if test "${ac_cv_prog_ac_ct_DSYMUTIL+set}" = set; then
+if test "${ac_cv_prog_ac_ct_OTOOL64+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  if test -n "$ac_ct_DSYMUTIL"; then
-  ac_cv_prog_ac_ct_DSYMUTIL="$ac_ct_DSYMUTIL" # Let the user override the test.
+  if test -n "$ac_ct_OTOOL64"; then
+  ac_cv_prog_ac_ct_OTOOL64="$ac_ct_OTOOL64" # Let the user override the test.
 else
 as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
 for as_dir in $PATH
@@ -8652,7 +8144,7 @@ do
   test -z "$as_dir" && as_dir=.
   for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-    ac_cv_prog_ac_ct_DSYMUTIL="dsymutil"
+    ac_cv_prog_ac_ct_OTOOL64="otool64"
     echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
@@ -8662,17 +8154,17 @@ IFS=$as_save_IFS
 
 fi
 fi
-ac_ct_DSYMUTIL=$ac_cv_prog_ac_ct_DSYMUTIL
-if test -n "$ac_ct_DSYMUTIL"; then
-  { echo "$as_me:$LINENO: result: $ac_ct_DSYMUTIL" >&5
-echo "${ECHO_T}$ac_ct_DSYMUTIL" >&6; }
+ac_ct_OTOOL64=$ac_cv_prog_ac_ct_OTOOL64
+if test -n "$ac_ct_OTOOL64"; then
+  { echo "$as_me:$LINENO: result: $ac_ct_OTOOL64" >&5
+echo "${ECHO_T}$ac_ct_OTOOL64" >&6; }
 else
   { echo "$as_me:$LINENO: result: no" >&5
 echo "${ECHO_T}no" >&6; }
 fi
 
-  if test "x$ac_ct_DSYMUTIL" = x; then
-    DSYMUTIL=":"
+  if test "x$ac_ct_OTOOL64" = x; then
+    OTOOL64=":"
   else
     case $cross_compiling:$ac_tool_warned in
 yes:)
@@ -8684,107 +8176,36 @@ whose name does not start with the host triplet.  If you think this
 configuration is useful to you, please write to autoconf@gnu.org." >&2;}
 ac_tool_warned=yes ;;
 esac
-    DSYMUTIL=$ac_ct_DSYMUTIL
+    OTOOL64=$ac_ct_OTOOL64
   fi
 else
-  DSYMUTIL="$ac_cv_prog_DSYMUTIL"
+  OTOOL64="$ac_cv_prog_OTOOL64"
 fi
 
-    if test -n "$ac_tool_prefix"; then
-  # Extract the first word of "${ac_tool_prefix}nmedit", so it can be a program name with args.
-set dummy ${ac_tool_prefix}nmedit; ac_word=$2
-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
-if test "${ac_cv_prog_NMEDIT+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  if test -n "$NMEDIT"; then
-  ac_cv_prog_NMEDIT="$NMEDIT" # Let the user override the test.
-else
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-    ac_cv_prog_NMEDIT="${ac_tool_prefix}nmedit"
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
-    break 2
-  fi
-done
-done
-IFS=$as_save_IFS
 
-fi
-fi
-NMEDIT=$ac_cv_prog_NMEDIT
-if test -n "$NMEDIT"; then
-  { echo "$as_me:$LINENO: result: $NMEDIT" >&5
-echo "${ECHO_T}$NMEDIT" >&6; }
-else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
-fi
 
 
-fi
-if test -z "$ac_cv_prog_NMEDIT"; then
-  ac_ct_NMEDIT=$NMEDIT
-  # Extract the first word of "nmedit", so it can be a program name with args.
-set dummy nmedit; ac_word=$2
-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
-if test "${ac_cv_prog_ac_ct_NMEDIT+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  if test -n "$ac_ct_NMEDIT"; then
-  ac_cv_prog_ac_ct_NMEDIT="$ac_ct_NMEDIT" # Let the user override the test.
-else
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-    ac_cv_prog_ac_ct_NMEDIT="nmedit"
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
-    break 2
-  fi
-done
-done
-IFS=$as_save_IFS
 
-fi
-fi
-ac_ct_NMEDIT=$ac_cv_prog_ac_ct_NMEDIT
-if test -n "$ac_ct_NMEDIT"; then
-  { echo "$as_me:$LINENO: result: $ac_ct_NMEDIT" >&5
-echo "${ECHO_T}$ac_ct_NMEDIT" >&6; }
-else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
-fi
 
-  if test "x$ac_ct_NMEDIT" = x; then
-    NMEDIT=":"
-  else
-    case $cross_compiling:$ac_tool_warned in
-yes:)
-{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
-whose name does not start with the host triplet.  If you think this
-configuration is useful to you, please write to autoconf@gnu.org." >&5
-echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
-whose name does not start with the host triplet.  If you think this
-configuration is useful to you, please write to autoconf@gnu.org." >&2;}
-ac_tool_warned=yes ;;
-esac
-    NMEDIT=$ac_ct_NMEDIT
-  fi
-else
-  NMEDIT="$ac_cv_prog_NMEDIT"
-fi
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
 
 
     { echo "$as_me:$LINENO: checking for -single_module linker flag" >&5
@@ -8794,18 +8215,24 @@ if test "${lt_cv_apple_cc_single_mod+set}" = set; then
 else
   lt_cv_apple_cc_single_mod=no
       if test -z "${LT_MULTI_MODULE}"; then
-   # By default we will add the -single_module flag. You can override
-   # by either setting the environment variable LT_MULTI_MODULE
-   # non-empty at configure time, or by adding -multi_module to the
-   # link flags.
-   echo "int foo(void){return 1;}" > conftest.c
-   $LTCC $LTCFLAGS $LDFLAGS -o libconftest.dylib \
-     -dynamiclib ${wl}-single_module conftest.c
-   if test -f libconftest.dylib; then
-     lt_cv_apple_cc_single_mod=yes
-     rm -rf libconftest.dylib*
-   fi
-   rm conftest.c
+	# By default we will add the -single_module flag. You can override
+	# by either setting the environment variable LT_MULTI_MODULE
+	# non-empty at configure time, or by adding -multi_module to the
+	# link flags.
+	rm -rf libconftest.dylib*
+	echo "int foo(void){return 1;}" > conftest.c
+	echo "$LTCC $LTCFLAGS $LDFLAGS -o libconftest.dylib \
+-dynamiclib -Wl,-single_module conftest.c" >&5
+	$LTCC $LTCFLAGS $LDFLAGS -o libconftest.dylib \
+	  -dynamiclib -Wl,-single_module conftest.c 2>conftest.err
+        _lt_result=$?
+	if test -f libconftest.dylib && test ! -s conftest.err && test $_lt_result = 0; then
+	  lt_cv_apple_cc_single_mod=yes
+	else
+	  cat conftest.err >&5
+	fi
+	rm -rf libconftest.dylib*
+	rm -f conftest.*
       fi
 fi
 { echo "$as_me:$LINENO: result: $lt_cv_apple_cc_single_mod" >&5
@@ -8862,27 +8289,27 @@ fi
 
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
-   LDFLAGS="$save_LDFLAGS"
+	LDFLAGS="$save_LDFLAGS"
 
 fi
 { echo "$as_me:$LINENO: result: $lt_cv_ld_exported_symbols_list" >&5
 echo "${ECHO_T}$lt_cv_ld_exported_symbols_list" >&6; }
     case $host_os in
-    rhapsody* | darwin1.[0123])
+    rhapsody* | darwin1.[012])
       _lt_dar_allow_undefined='${wl}-undefined ${wl}suppress' ;;
     darwin1.*)
-     _lt_dar_allow_undefined='${wl}-flat_namespace ${wl}-undefined ${wl}suppress' ;;
-    darwin*)
+      _lt_dar_allow_undefined='${wl}-flat_namespace ${wl}-undefined ${wl}suppress' ;;
+    darwin*) # darwin 5.x on
       # if running on 10.5 or later, the deployment target defaults
       # to the OS version, if on x86, and 10.4, the deployment
       # target defaults to 10.4. Don't you love it?
       case ${MACOSX_DEPLOYMENT_TARGET-10.0},$host in
-   10.0,*86*-darwin8*|10.0,*-darwin[91]*)
-     _lt_dar_allow_undefined='${wl}-undefined ${wl}dynamic_lookup' ;;
-   10.[012]*)
-     _lt_dar_allow_undefined='${wl}-flat_namespace ${wl}-undefined ${wl}suppress' ;;
-   10.*)
-     _lt_dar_allow_undefined='${wl}-undefined ${wl}dynamic_lookup' ;;
+	10.0,*86*-darwin8*|10.0,*-darwin[91]*)
+	  _lt_dar_allow_undefined='${wl}-undefined ${wl}dynamic_lookup' ;;
+	10.[012]*)
+	  _lt_dar_allow_undefined='${wl}-flat_namespace ${wl}-undefined ${wl}suppress' ;;
+	10.*)
+	  _lt_dar_allow_undefined='${wl}-undefined ${wl}dynamic_lookup' ;;
       esac
     ;;
   esac
@@ -8892,10 +8319,10 @@ echo "${ECHO_T}$lt_cv_ld_exported_symbols_list" >&6; }
     if test "$lt_cv_ld_exported_symbols_list" = "yes"; then
       _lt_dar_export_syms=' ${wl}-exported_symbols_list,$output_objdir/${libname}-symbols.expsym'
     else
-      _lt_dar_export_syms="~$NMEDIT -s \$output_objdir/\${libname}-symbols.expsym \${lib}"
+      _lt_dar_export_syms='~$NMEDIT -s $output_objdir/${libname}-symbols.expsym ${lib}'
     fi
     if test "$DSYMUTIL" != ":"; then
-      _lt_dsymutil="~$DSYMUTIL \$lib || :"
+      _lt_dsymutil='~$DSYMUTIL $lib || :'
     else
       _lt_dsymutil=
     fi
@@ -8903,2508 +8330,1554 @@ echo "${ECHO_T}$lt_cv_ld_exported_symbols_list" >&6; }
   esac
 
 
-enable_dlopen=no
-enable_win32_dll=no
+for ac_header in dlfcn.h
+do
+as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
+{ echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+$ac_includes_default
 
-# Check whether --enable-libtool-lock was given.
-if test "${enable_libtool_lock+set}" = set; then
-  enableval=$enable_libtool_lock;
+#include <$ac_header>
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  eval "$as_ac_Header=yes"
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	eval "$as_ac_Header=no"
 fi
 
-test "x$enable_libtool_lock" != xno && enable_libtool_lock=yes
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+ac_res=`eval echo '${'$as_ac_Header'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
+if test `eval echo '${'$as_ac_Header'}'` = yes; then
+  cat >>confdefs.h <<_ACEOF
+#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
+_ACEOF
 
+fi
 
-# Check whether --with-pic was given.
-if test "${with_pic+set}" = set; then
-  withval=$with_pic; pic_mode="$withval"
-else
-  pic_mode=default
-fi
-
-test -z "$pic_mode" && pic_mode=default
+done
 
-# Use C for the default configuration in the libtool script
-tagname=
-lt_save_CC="$CC"
-ac_ext=c
-ac_cpp='$CPP $CPPFLAGS'
-ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
-ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
-ac_compiler_gnu=$ac_cv_c_compiler_gnu
 
 
-# Source file extension for C test sources.
-ac_ext=c
+# Set options
 
-# Object file extension for compiled C test sources.
-objext=o
-objext=$objext
 
-# Code to be used in simple compile tests
-lt_simple_compile_test_code="int some_variable = 0;"
 
-# Code to be used in simple link tests
-lt_simple_link_test_code='int main(){return(0);}'
+        enable_dlopen=no
 
 
-# If no C compiler was specified, use CC.
-LTCC=${LTCC-"$CC"}
+  enable_win32_dll=no
 
-# If no C compiler flags were specified, use CFLAGS.
-LTCFLAGS=${LTCFLAGS-"$CFLAGS"}
 
-# Allow CC to be a program name with arguments.
-compiler=$CC
+            # Check whether --enable-shared was given.
+if test "${enable_shared+set}" = set; then
+  enableval=$enable_shared; p=${PACKAGE-default}
+    case $enableval in
+    yes) enable_shared=yes ;;
+    no) enable_shared=no ;;
+    *)
+      enable_shared=no
+      # Look at the argument we got.  We use all the common list separators.
+      lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR,"
+      for pkg in $enableval; do
+	IFS="$lt_save_ifs"
+	if test "X$pkg" = "X$p"; then
+	  enable_shared=yes
+	fi
+      done
+      IFS="$lt_save_ifs"
+      ;;
+    esac
+else
+  enable_shared=yes
+fi
 
 
-# save warnings/boilerplate of simple test code
-ac_outfile=conftest.$ac_objext
-echo "$lt_simple_compile_test_code" >conftest.$ac_ext
-eval "$ac_compile" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err
-_lt_compiler_boilerplate=`cat conftest.err`
-$rm conftest*
 
-ac_outfile=conftest.$ac_objext
-echo "$lt_simple_link_test_code" >conftest.$ac_ext
-eval "$ac_link" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err
-_lt_linker_boilerplate=`cat conftest.err`
-$rm -r conftest*
 
 
 
-lt_prog_compiler_no_builtin_flag=
 
-if test "$GCC" = yes; then
-  lt_prog_compiler_no_builtin_flag=' -fno-builtin'
 
 
-{ echo "$as_me:$LINENO: checking if $compiler supports -fno-rtti -fno-exceptions" >&5
-echo $ECHO_N "checking if $compiler supports -fno-rtti -fno-exceptions... $ECHO_C" >&6; }
-if test "${lt_cv_prog_compiler_rtti_exceptions+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  # Check whether --enable-static was given.
+if test "${enable_static+set}" = set; then
+  enableval=$enable_static; p=${PACKAGE-default}
+    case $enableval in
+    yes) enable_static=yes ;;
+    no) enable_static=no ;;
+    *)
+     enable_static=no
+      # Look at the argument we got.  We use all the common list separators.
+      lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR,"
+      for pkg in $enableval; do
+	IFS="$lt_save_ifs"
+	if test "X$pkg" = "X$p"; then
+	  enable_static=yes
+	fi
+      done
+      IFS="$lt_save_ifs"
+      ;;
+    esac
 else
-  lt_cv_prog_compiler_rtti_exceptions=no
-  ac_outfile=conftest.$ac_objext
-   echo "$lt_simple_compile_test_code" > conftest.$ac_ext
-   lt_compiler_flag="-fno-rtti -fno-exceptions"
-   # Insert the option either (1) after the last *FLAGS variable, or
-   # (2) before a word containing "conftest.", or (3) at the end.
-   # Note that $ac_compile itself does not contain backslashes and begins
-   # with a dollar sign (not a hyphen), so the echo should work correctly.
-   # The option is referenced via a variable to avoid confusing sed.
-   lt_compile=`echo "$ac_compile" | $SED \
-   -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-   -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-   -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:8999: $lt_compile\"" >&5)
-   (eval "$lt_compile" 2>conftest.err)
-   ac_status=$?
-   cat conftest.err >&5
-   echo "$as_me:9003: \$? = $ac_status" >&5
-   if (exit $ac_status) && test -s "$ac_outfile"; then
-     # The compiler can only warn and ignore the option if not recognized
-     # So say no if there are warnings other than the usual output.
-     $echo "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' >conftest.exp
-     $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2
-     if test ! -s conftest.er2 || diff conftest.exp conftest.er2 >/dev/null; then
-       lt_cv_prog_compiler_rtti_exceptions=yes
-     fi
-   fi
-   $rm conftest*
-
+  enable_static=yes
 fi
-{ echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_rtti_exceptions" >&5
-echo "${ECHO_T}$lt_cv_prog_compiler_rtti_exceptions" >&6; }
 
-if test x"$lt_cv_prog_compiler_rtti_exceptions" = xyes; then
-    lt_prog_compiler_no_builtin_flag="$lt_prog_compiler_no_builtin_flag -fno-rtti -fno-exceptions"
-else
-    :
-fi
 
-fi
 
-lt_prog_compiler_wl=
-lt_prog_compiler_pic=
-lt_prog_compiler_static=
 
-{ echo "$as_me:$LINENO: checking for $compiler option to produce PIC" >&5
-echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6; }
 
-  if test "$GCC" = yes; then
-    lt_prog_compiler_wl='-Wl,'
-    lt_prog_compiler_static='-static'
 
-    case $host_os in
-      aix*)
-      # All AIX code is PIC.
-      if test "$host_cpu" = ia64; then
-	# AIX 5 now supports IA64 processor
-	lt_prog_compiler_static='-Bstatic'
-      fi
-      ;;
 
-    amigaos*)
-      # FIXME: we need at least 68020 code to build shared libraries, but
-      # adding the `-m68020' flag to GCC prevents building anything better,
-      # like `-m68040'.
-      lt_prog_compiler_pic='-m68020 -resident32 -malways-restore-a4'
-      ;;
 
-    beos* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*)
-      # PIC is the default for these OSes.
-      ;;
 
-    mingw* | cygwin* | pw32* | os2*)
-      # This hack is so that the source file can tell whether it is being
-      # built for inclusion in a dll (and should export symbols for example).
-      # Although the cygwin gcc ignores -fPIC, still need this for old-style
-      # (--disable-auto-import) libraries
-      lt_prog_compiler_pic='-DDLL_EXPORT'
-      ;;
 
-    darwin* | rhapsody*)
-      # PIC is the default on this platform
-      # Common symbols not allowed in MH_DYLIB files
-      lt_prog_compiler_pic='-fno-common'
-      ;;
+# Check whether --with-pic was given.
+if test "${with_pic+set}" = set; then
+  withval=$with_pic; pic_mode="$withval"
+else
+  pic_mode=default
+fi
+
+
+test -z "$pic_mode" && pic_mode=default
+
+
 
-    interix[3-9]*)
-      # Interix 3.x gcc -fpic/-fPIC options generate broken code.
-      # Instead, we relocate shared libraries at runtime.
-      ;;
 
-    msdosdjgpp*)
-      # Just because we use GCC doesn't mean we suddenly get shared libraries
-      # on systems that don't support them.
-      lt_prog_compiler_can_build_shared=no
-      enable_shared=no
-      ;;
 
-    sysv4*MP*)
-      if test -d /usr/nec; then
-	lt_prog_compiler_pic=-Kconform_pic
-      fi
-      ;;
 
-    hpux*)
-      # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but
-      # not for PA HP-UX.
-      case $host_cpu in
-      hppa*64*|ia64*)
-	# +Z the default
-	;;
-      *)
-	lt_prog_compiler_pic='-fPIC'
-	;;
-      esac
-      ;;
 
+  # Check whether --enable-fast-install was given.
+if test "${enable_fast_install+set}" = set; then
+  enableval=$enable_fast_install; p=${PACKAGE-default}
+    case $enableval in
+    yes) enable_fast_install=yes ;;
+    no) enable_fast_install=no ;;
     *)
-      lt_prog_compiler_pic='-fPIC'
+      enable_fast_install=no
+      # Look at the argument we got.  We use all the common list separators.
+      lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR,"
+      for pkg in $enableval; do
+	IFS="$lt_save_ifs"
+	if test "X$pkg" = "X$p"; then
+	  enable_fast_install=yes
+	fi
+      done
+      IFS="$lt_save_ifs"
       ;;
     esac
-  else
-    # PORTME Check for flag to pass linker flags through the system compiler.
-    case $host_os in
-    aix*)
-      lt_prog_compiler_wl='-Wl,'
-      if test "$host_cpu" = ia64; then
-	# AIX 5 now supports IA64 processor
-	lt_prog_compiler_static='-Bstatic'
-      else
-	lt_prog_compiler_static='-bnso -bI:/lib/syscalls.exp'
-      fi
-      ;;
-      darwin*)
-        # PIC is the default on this platform
-        # Common symbols not allowed in MH_DYLIB files
-       case $cc_basename in
-         xlc*)
-         lt_prog_compiler_pic='-qnocommon'
-         lt_prog_compiler_wl='-Wl,'
-         ;;
-       esac
-       ;;
+else
+  enable_fast_install=yes
+fi
+
+
+
+
+
+
+
+
+
+
+
+# This can be used to rebuild libtool when needed
+LIBTOOL_DEPS="$ltmain"
+
+# Always use our own libtool.
+LIBTOOL='$(SHELL) $(top_builddir)/libtool'
+
+
 
-    mingw* | cygwin* | pw32* | os2*)
-      # This hack is so that the source file can tell whether it is being
-      # built for inclusion in a dll (and should export symbols for example).
-      lt_prog_compiler_pic='-DDLL_EXPORT'
-      ;;
 
-    hpux9* | hpux10* | hpux11*)
-      lt_prog_compiler_wl='-Wl,'
-      # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but
-      # not for PA HP-UX.
-      case $host_cpu in
-      hppa*64*|ia64*)
-	# +Z the default
-	;;
-      *)
-	lt_prog_compiler_pic='+Z'
-	;;
-      esac
-      # Is there a better lt_prog_compiler_static that works with the bundled CC?
-      lt_prog_compiler_static='${wl}-a ${wl}archive'
-      ;;
 
-    irix5* | irix6* | nonstopux*)
-      lt_prog_compiler_wl='-Wl,'
-      # PIC (with -KPIC) is the default.
-      lt_prog_compiler_static='-non_shared'
-      ;;
 
-    newsos6)
-      lt_prog_compiler_pic='-KPIC'
-      lt_prog_compiler_static='-Bstatic'
-      ;;
 
-    linux* | k*bsd*-gnu)
-      case $cc_basename in
-      icc* | ecc*)
-	lt_prog_compiler_wl='-Wl,'
-	lt_prog_compiler_pic='-KPIC'
-	lt_prog_compiler_static='-static'
-        ;;
-      pgcc* | pgf77* | pgf90* | pgf95*)
-        # Portland Group compilers (*not* the Pentium gcc compiler,
-	# which looks to be a dead project)
-	lt_prog_compiler_wl='-Wl,'
-	lt_prog_compiler_pic='-fpic'
-	lt_prog_compiler_static='-Bstatic'
-        ;;
-      ccc*)
-        lt_prog_compiler_wl='-Wl,'
-        # All Alpha code is PIC.
-        lt_prog_compiler_static='-non_shared'
-        ;;
-      *)
-        case `$CC -V 2>&1 | sed 5q` in
-	*Sun\ C*)
-	  # Sun C 5.9
-	  lt_prog_compiler_pic='-KPIC'
-	  lt_prog_compiler_static='-Bstatic'
-	  lt_prog_compiler_wl='-Wl,'
-	  ;;
-	*Sun\ F*)
-	  # Sun Fortran 8.3 passes all unrecognized flags to the linker
-	  lt_prog_compiler_pic='-KPIC'
-	  lt_prog_compiler_static='-Bstatic'
-	  lt_prog_compiler_wl=''
-	  ;;
-	esac
-	;;
-      esac
-      ;;
 
-    osf3* | osf4* | osf5*)
-      lt_prog_compiler_wl='-Wl,'
-      # All OSF/1 code is PIC.
-      lt_prog_compiler_static='-non_shared'
-      ;;
 
-    rdos*)
-      lt_prog_compiler_static='-non_shared'
-      ;;
 
-    solaris*)
-      lt_prog_compiler_pic='-KPIC'
-      lt_prog_compiler_static='-Bstatic'
-      case $cc_basename in
-      f77* | f90* | f95*)
-	lt_prog_compiler_wl='-Qoption ld ';;
-      *)
-	lt_prog_compiler_wl='-Wl,';;
-      esac
-      ;;
 
-    sunos4*)
-      lt_prog_compiler_wl='-Qoption ld '
-      lt_prog_compiler_pic='-PIC'
-      lt_prog_compiler_static='-Bstatic'
-      ;;
 
-    sysv4 | sysv4.2uw2* | sysv4.3*)
-      lt_prog_compiler_wl='-Wl,'
-      lt_prog_compiler_pic='-KPIC'
-      lt_prog_compiler_static='-Bstatic'
-      ;;
 
-    sysv4*MP*)
-      if test -d /usr/nec ;then
-	lt_prog_compiler_pic='-Kconform_pic'
-	lt_prog_compiler_static='-Bstatic'
-      fi
-      ;;
 
-    sysv5* | unixware* | sco3.2v5* | sco5v6* | OpenUNIX*)
-      lt_prog_compiler_wl='-Wl,'
-      lt_prog_compiler_pic='-KPIC'
-      lt_prog_compiler_static='-Bstatic'
-      ;;
 
-    unicos*)
-      lt_prog_compiler_wl='-Wl,'
-      lt_prog_compiler_can_build_shared=no
-      ;;
 
-    uts4*)
-      lt_prog_compiler_pic='-pic'
-      lt_prog_compiler_static='-Bstatic'
-      ;;
 
-    *)
-      lt_prog_compiler_can_build_shared=no
-      ;;
-    esac
-  fi
 
-{ echo "$as_me:$LINENO: result: $lt_prog_compiler_pic" >&5
-echo "${ECHO_T}$lt_prog_compiler_pic" >&6; }
 
-#
-# Check to make sure the PIC flag actually works.
-#
-if test -n "$lt_prog_compiler_pic"; then
 
-{ echo "$as_me:$LINENO: checking if $compiler PIC flag $lt_prog_compiler_pic works" >&5
-echo $ECHO_N "checking if $compiler PIC flag $lt_prog_compiler_pic works... $ECHO_C" >&6; }
-if test "${lt_cv_prog_compiler_pic_works+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  lt_cv_prog_compiler_pic_works=no
-  ac_outfile=conftest.$ac_objext
-   echo "$lt_simple_compile_test_code" > conftest.$ac_ext
-   lt_compiler_flag="$lt_prog_compiler_pic -DPIC"
-   # Insert the option either (1) after the last *FLAGS variable, or
-   # (2) before a word containing "conftest.", or (3) at the end.
-   # Note that $ac_compile itself does not contain backslashes and begins
-   # with a dollar sign (not a hyphen), so the echo should work correctly.
-   # The option is referenced via a variable to avoid confusing sed.
-   lt_compile=`echo "$ac_compile" | $SED \
-   -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-   -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-   -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:9289: $lt_compile\"" >&5)
-   (eval "$lt_compile" 2>conftest.err)
-   ac_status=$?
-   cat conftest.err >&5
-   echo "$as_me:9293: \$? = $ac_status" >&5
-   if (exit $ac_status) && test -s "$ac_outfile"; then
-     # The compiler can only warn and ignore the option if not recognized
-     # So say no if there are warnings other than the usual output.
-     $echo "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' >conftest.exp
-     $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2
-     if test ! -s conftest.er2 || diff conftest.exp conftest.er2 >/dev/null; then
-       lt_cv_prog_compiler_pic_works=yes
-     fi
-   fi
-   $rm conftest*
 
-fi
-{ echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_pic_works" >&5
-echo "${ECHO_T}$lt_cv_prog_compiler_pic_works" >&6; }
 
-if test x"$lt_cv_prog_compiler_pic_works" = xyes; then
-    case $lt_prog_compiler_pic in
-     "" | " "*) ;;
-     *) lt_prog_compiler_pic=" $lt_prog_compiler_pic" ;;
-     esac
-else
-    lt_prog_compiler_pic=
-     lt_prog_compiler_can_build_shared=no
-fi
 
-fi
-case $host_os in
-  # For platforms which do not support PIC, -DPIC is meaningless:
-  *djgpp*)
-    lt_prog_compiler_pic=
-    ;;
-  *)
-    lt_prog_compiler_pic="$lt_prog_compiler_pic -DPIC"
-    ;;
-esac
 
-#
-# Check to make sure the static flag actually works.
-#
-wl=$lt_prog_compiler_wl eval lt_tmp_static_flag=\"$lt_prog_compiler_static\"
-{ echo "$as_me:$LINENO: checking if $compiler static flag $lt_tmp_static_flag works" >&5
-echo $ECHO_N "checking if $compiler static flag $lt_tmp_static_flag works... $ECHO_C" >&6; }
-if test "${lt_cv_prog_compiler_static_works+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  lt_cv_prog_compiler_static_works=no
-   save_LDFLAGS="$LDFLAGS"
-   LDFLAGS="$LDFLAGS $lt_tmp_static_flag"
-   echo "$lt_simple_link_test_code" > conftest.$ac_ext
-   if (eval $ac_link 2>conftest.err) && test -s conftest$ac_exeext; then
-     # The linker can only warn and ignore the option if not recognized
-     # So say no if there are warnings
-     if test -s conftest.err; then
-       # Append any errors to the config.log.
-       cat conftest.err 1>&5
-       $echo "X$_lt_linker_boilerplate" | $Xsed -e '/^$/d' > conftest.exp
-       $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2
-       if diff conftest.exp conftest.er2 >/dev/null; then
-         lt_cv_prog_compiler_static_works=yes
-       fi
-     else
-       lt_cv_prog_compiler_static_works=yes
-     fi
-   fi
-   $rm -r conftest*
-   LDFLAGS="$save_LDFLAGS"
 
+test -z "$LN_S" && LN_S="ln -s"
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+if test -n "${ZSH_VERSION+set}" ; then
+   setopt NO_GLOB_SUBST
 fi
-{ echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_static_works" >&5
-echo "${ECHO_T}$lt_cv_prog_compiler_static_works" >&6; }
 
-if test x"$lt_cv_prog_compiler_static_works" = xyes; then
-    :
+{ echo "$as_me:$LINENO: checking for objdir" >&5
+echo $ECHO_N "checking for objdir... $ECHO_C" >&6; }
+if test "${lt_cv_objdir+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-    lt_prog_compiler_static=
+  rm -f .libs 2>/dev/null
+mkdir .libs 2>/dev/null
+if test -d .libs; then
+  lt_cv_objdir=.libs
+else
+  # MS-DOS does not allow filenames that begin with a dot.
+  lt_cv_objdir=_libs
+fi
+rmdir .libs 2>/dev/null
 fi
+{ echo "$as_me:$LINENO: result: $lt_cv_objdir" >&5
+echo "${ECHO_T}$lt_cv_objdir" >&6; }
+objdir=$lt_cv_objdir
 
 
-{ echo "$as_me:$LINENO: checking if $compiler supports -c -o file.$ac_objext" >&5
-echo $ECHO_N "checking if $compiler supports -c -o file.$ac_objext... $ECHO_C" >&6; }
-if test "${lt_cv_prog_compiler_c_o+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  lt_cv_prog_compiler_c_o=no
-   $rm -r conftest 2>/dev/null
-   mkdir conftest
-   cd conftest
-   mkdir out
-   echo "$lt_simple_compile_test_code" > conftest.$ac_ext
 
-   lt_compiler_flag="-o out/conftest2.$ac_objext"
-   # Insert the option either (1) after the last *FLAGS variable, or
-   # (2) before a word containing "conftest.", or (3) at the end.
-   # Note that $ac_compile itself does not contain backslashes and begins
-   # with a dollar sign (not a hyphen), so the echo should work correctly.
-   lt_compile=`echo "$ac_compile" | $SED \
-   -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-   -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-   -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:9393: $lt_compile\"" >&5)
-   (eval "$lt_compile" 2>out/conftest.err)
-   ac_status=$?
-   cat out/conftest.err >&5
-   echo "$as_me:9397: \$? = $ac_status" >&5
-   if (exit $ac_status) && test -s out/conftest2.$ac_objext
-   then
-     # The compiler can only warn and ignore the option if not recognized
-     # So say no if there are warnings
-     $echo "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' > out/conftest.exp
-     $SED '/^$/d; /^ *+/d' out/conftest.err >out/conftest.er2
-     if test ! -s out/conftest.er2 || diff out/conftest.exp out/conftest.er2 >/dev/null; then
-       lt_cv_prog_compiler_c_o=yes
-     fi
-   fi
-   chmod u+w . 2>&5
-   $rm conftest*
-   # SGI C++ compiler will create directory out/ii_files/ for
-   # template instantiation
-   test -d out/ii_files && $rm out/ii_files/* && rmdir out/ii_files
-   $rm out/* && rmdir out
-   cd ..
-   rmdir conftest
-   $rm conftest*
 
-fi
-{ echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_c_o" >&5
-echo "${ECHO_T}$lt_cv_prog_compiler_c_o" >&6; }
 
+cat >>confdefs.h <<_ACEOF
+#define LT_OBJDIR "$lt_cv_objdir/"
+_ACEOF
 
-hard_links="nottested"
-if test "$lt_cv_prog_compiler_c_o" = no && test "$need_locks" != no; then
-  # do not overwrite the value of need_locks provided by the user
-  { echo "$as_me:$LINENO: checking if we can lock with hard links" >&5
-echo $ECHO_N "checking if we can lock with hard links... $ECHO_C" >&6; }
-  hard_links=yes
-  $rm conftest*
-  ln conftest.a conftest.b 2>/dev/null && hard_links=no
-  touch conftest.a
-  ln conftest.a conftest.b 2>&5 || hard_links=no
-  ln conftest.a conftest.b 2>/dev/null && hard_links=no
-  { echo "$as_me:$LINENO: result: $hard_links" >&5
-echo "${ECHO_T}$hard_links" >&6; }
-  if test "$hard_links" = no; then
-    { echo "$as_me:$LINENO: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&5
-echo "$as_me: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&2;}
-    need_locks=warn
-  fi
-else
-  need_locks=no
-fi
 
-{ echo "$as_me:$LINENO: checking whether the $compiler linker ($LD) supports shared libraries" >&5
-echo $ECHO_N "checking whether the $compiler linker ($LD) supports shared libraries... $ECHO_C" >&6; }
 
-  runpath_var=
-  allow_undefined_flag=
-  enable_shared_with_static_runtimes=no
-  archive_cmds=
-  archive_expsym_cmds=
-  old_archive_From_new_cmds=
-  old_archive_from_expsyms_cmds=
-  export_dynamic_flag_spec=
-  whole_archive_flag_spec=
-  thread_safe_flag_spec=
-  hardcode_libdir_flag_spec=
-  hardcode_libdir_flag_spec_ld=
-  hardcode_libdir_separator=
-  hardcode_direct=no
-  hardcode_minus_L=no
-  hardcode_shlibpath_var=unsupported
-  link_all_deplibs=unknown
-  hardcode_automatic=no
-  module_cmds=
-  module_expsym_cmds=
-  always_export_symbols=no
-  export_symbols_cmds='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols'
-  # include_expsyms should be a list of space-separated symbols to be *always*
-  # included in the symbol list
-  include_expsyms=
-  # exclude_expsyms can be an extended regexp of symbols to exclude
-  # it will be wrapped by ` (' and `)$', so one must not match beginning or
-  # end of line.  Example: `a|bc|.*d.*' will exclude the symbols `a' and `bc',
-  # as well as any symbol that contains `d'.
-  exclude_expsyms='_GLOBAL_OFFSET_TABLE_|_GLOBAL__F[ID]_.*'
-  # Although _GLOBAL_OFFSET_TABLE_ is a valid symbol C name, most a.out
-  # platforms (ab)use it in PIC code, but their linkers get confused if
-  # the symbol is explicitly referenced.  Since portable code cannot
-  # rely on this symbol name, it's probably fine to never include it in
-  # preloaded symbol tables.
-  # Exclude shared library initialization/finalization symbols.
-  extract_expsyms_cmds=
-  # Just being paranoid about ensuring that cc_basename is set.
-  for cc_temp in $compiler""; do
-  case $cc_temp in
-    compile | *[\\/]compile | ccache | *[\\/]ccache ) ;;
-    distcc | *[\\/]distcc | purify | *[\\/]purify ) ;;
-    \-*) ;;
-    *) break;;
-  esac
-done
-cc_basename=`$echo "X$cc_temp" | $Xsed -e 's%.*/%%' -e "s%^$host_alias-%%"`
 
-  case $host_os in
-  cygwin* | mingw* | pw32*)
-    # FIXME: the MSVC++ port hasn't been tested in a loooong time
-    # When not using gcc, we currently assume that we are using
-    # Microsoft Visual C++.
-    if test "$GCC" != yes; then
-      with_gnu_ld=no
-    fi
-    ;;
-  interix*)
-    # we just hope/assume this is gcc and not c89 (= MSVC++)
-    with_gnu_ld=yes
-    ;;
-  openbsd*)
-    with_gnu_ld=no
-    ;;
-  esac
 
-  ld_shlibs=yes
-  if test "$with_gnu_ld" = yes; then
-    # If archive_cmds runs LD, not CC, wlarc should be empty
-    wlarc='${wl}'
 
-    # Set some defaults for GNU ld with shared library support. These
-    # are reset later if shared libraries are not supported. Putting them
-    # here allows them to be overridden if necessary.
-    runpath_var=LD_RUN_PATH
-    hardcode_libdir_flag_spec='${wl}--rpath ${wl}$libdir'
-    export_dynamic_flag_spec='${wl}--export-dynamic'
-    # ancient GNU ld didn't support --whole-archive et. al.
-    if $LD --help 2>&1 | grep 'no-whole-archive' > /dev/null; then
-	whole_archive_flag_spec="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive'
-      else
-  	whole_archive_flag_spec=
-    fi
-    supports_anon_versioning=no
-    case `$LD -v 2>/dev/null` in
-      *\ [01].* | *\ 2.[0-9].* | *\ 2.10.*) ;; # catch versions < 2.11
-      *\ 2.11.93.0.2\ *) supports_anon_versioning=yes ;; # RH7.3 ...
-      *\ 2.11.92.0.12\ *) supports_anon_versioning=yes ;; # Mandrake 8.2 ...
-      *\ 2.11.*) ;; # other 2.11 versions
-      *) supports_anon_versioning=yes ;;
-    esac
 
-    # See if GNU ld supports shared libraries.
-    case $host_os in
-    aix[3-9]*)
-      # On AIX/PPC, the GNU linker is very broken
-      if test "$host_cpu" != ia64; then
-	ld_shlibs=no
-	cat <<EOF 1>&2
 
-*** Warning: the GNU linker, at least up to release 2.9.1, is reported
-*** to be unable to reliably create shared libraries on AIX.
-*** Therefore, libtool is disabling shared libraries support.  If you
-*** really care for shared libraries, you may want to modify your PATH
-*** so that a non-GNU linker is found, and then restart.
 
-EOF
-      fi
-      ;;
 
-    amigaos*)
-      archive_cmds='$rm $output_objdir/a2ixlibrary.data~$echo "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$echo "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$echo "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$echo "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)'
-      hardcode_libdir_flag_spec='-L$libdir'
-      hardcode_minus_L=yes
 
-      # Samuel A. Falvo II <kc5tja@dolphin.openprojects.net> reports
-      # that the semantics of dynamic libraries on AmigaOS, at least up
-      # to version 4, is to share data among multiple programs linked
-      # with the same dynamic library.  Since this doesn't match the
-      # behavior of shared libraries on other platforms, we can't use
-      # them.
-      ld_shlibs=no
-      ;;
 
-    beos*)
-      if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
-	allow_undefined_flag=unsupported
-	# Joseph Beckenbach <jrb3@best.com> says some releases of gcc
-	# support --undefined.  This deserves some investigation.  FIXME
-	archive_cmds='$CC -nostart $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
-      else
-	ld_shlibs=no
-      fi
-      ;;
 
-    cygwin* | mingw* | pw32*)
-      # _LT_AC_TAGVAR(hardcode_libdir_flag_spec, ) is actually meaningless,
-      # as there is no search path for DLLs.
-      hardcode_libdir_flag_spec='-L$libdir'
-      allow_undefined_flag=unsupported
-      always_export_symbols=no
-      enable_shared_with_static_runtimes=yes
-      export_symbols_cmds='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[BCDGRS][ ]/s/.*[ ]\([^ ]*\)/\1 DATA/'\'' -e '\''/^[AITW][ ]/s/.*[ ]//'\'' | sort | uniq > $export_symbols'
 
-      if $LD --help 2>&1 | grep 'auto-import' > /dev/null; then
-        archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
-	# If the export-symbols file already is a .def file (1st line
-	# is EXPORTS), use it as is; otherwise, prepend...
-	archive_expsym_cmds='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then
-	  cp $export_symbols $output_objdir/$soname.def;
-	else
-	  echo EXPORTS > $output_objdir/$soname.def;
-	  cat $export_symbols >> $output_objdir/$soname.def;
-	fi~
-	$CC -shared $output_objdir/$soname.def $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
-      else
-	ld_shlibs=no
-      fi
-      ;;
 
-    interix[3-9]*)
-      hardcode_direct=no
-      hardcode_shlibpath_var=no
-      hardcode_libdir_flag_spec='${wl}-rpath,$libdir'
-      export_dynamic_flag_spec='${wl}-E'
-      # Hack: On Interix 3.x, we cannot compile PIC because of a broken gcc.
-      # Instead, shared libraries are loaded at an image base (0x10000000 by
-      # default) and relocated if they conflict, which is a slow very memory
-      # consuming and fragmenting process.  To avoid this, we pick a random,
-      # 256 KiB-aligned image base between 0x50000000 and 0x6FFC0000 at link
-      # time.  Moving up from 0x10000000 also allows more sbrk(2) space.
-      archive_cmds='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
-      archive_expsym_cmds='sed "s,^,_," $export_symbols >$output_objdir/$soname.expsym~$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--retain-symbols-file,$output_objdir/$soname.expsym ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
-      ;;
 
-    gnu* | linux* | k*bsd*-gnu)
-      if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
-	tmp_addflag=
-	case $cc_basename,$host_cpu in
-	pgcc*)				# Portland Group C compiler
-	  whole_archive_flag_spec='${wl}--whole-archive`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}--no-whole-archive'
-	  tmp_addflag=' $pic_flag'
-	  ;;
-	pgf77* | pgf90* | pgf95*)	# Portland Group f77 and f90 compilers
-	  whole_archive_flag_spec='${wl}--whole-archive`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}--no-whole-archive'
-	  tmp_addflag=' $pic_flag -Mnomain' ;;
-	ecc*,ia64* | icc*,ia64*)		# Intel C compiler on ia64
-	  tmp_addflag=' -i_dynamic' ;;
-	efc*,ia64* | ifort*,ia64*)	# Intel Fortran compiler on ia64
-	  tmp_addflag=' -i_dynamic -nofor_main' ;;
-	ifc* | ifort*)			# Intel Fortran compiler
-	  tmp_addflag=' -nofor_main' ;;
-	esac
-	case `$CC -V 2>&1 | sed 5q` in
-	*Sun\ C*)			# Sun C 5.9
-	  whole_archive_flag_spec='${wl}--whole-archive`new_convenience=; for conv in $convenience\"\"; do test -z \"$conv\" || new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}--no-whole-archive'
-	  tmp_sharedflag='-G' ;;
-	*Sun\ F*)			# Sun Fortran 8.3
-	  tmp_sharedflag='-G' ;;
-	*)
-	  tmp_sharedflag='-shared' ;;
-	esac
-	archive_cmds='$CC '"$tmp_sharedflag""$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
 
-	if test $supports_anon_versioning = yes; then
-	  archive_expsym_cmds='$echo "{ global:" > $output_objdir/$libname.ver~
-  cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~
-  $echo "local: *; };" >> $output_objdir/$libname.ver~
-	  $CC '"$tmp_sharedflag""$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-version-script ${wl}$output_objdir/$libname.ver -o $lib'
-	fi
-	link_all_deplibs=no
-      else
-	ld_shlibs=no
-      fi
-      ;;
+case $host_os in
+aix3*)
+  # AIX sometimes has problems with the GCC collect2 program.  For some
+  # reason, if we set the COLLECT_NAMES environment variable, the problems
+  # vanish in a puff of smoke.
+  if test "X${COLLECT_NAMES+set}" != Xset; then
+    COLLECT_NAMES=
+    export COLLECT_NAMES
+  fi
+  ;;
+esac
 
-    netbsd* | netbsdelf*-gnu)
-      if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
-	archive_cmds='$LD -Bshareable $libobjs $deplibs $linker_flags -o $lib'
-	wlarc=
-      else
-	archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
-	archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
-      fi
-      ;;
+# Sed substitution that helps us do robust quoting.  It backslashifies
+# metacharacters that are still active within double-quoted strings.
+sed_quote_subst='s/\(["`$\\]\)/\\\1/g'
 
-    solaris*)
-      if $LD -v 2>&1 | grep 'BFD 2\.8' > /dev/null; then
-	ld_shlibs=no
-	cat <<EOF 1>&2
+# Same as above, but do not quote variable references.
+double_quote_subst='s/\(["`\\]\)/\\\1/g'
 
-*** Warning: The releases 2.8.* of the GNU linker cannot reliably
-*** create shared libraries on Solaris systems.  Therefore, libtool
-*** is disabling shared libraries support.  We urge you to upgrade GNU
-*** binutils to release 2.9.1 or newer.  Another option is to modify
-*** your PATH or compiler configuration so that the native linker is
-*** used, and then restart.
+# Sed substitution to delay expansion of an escaped shell variable in a
+# double_quote_subst'ed string.
+delay_variable_subst='s/\\\\\\\\\\\$/\\\\\\$/g'
 
-EOF
-      elif $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
-	archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
-	archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
-      else
-	ld_shlibs=no
-      fi
-      ;;
+# Sed substitution to delay expansion of an escaped single quote.
+delay_single_quote_subst='s/'\''/'\'\\\\\\\'\''/g'
 
-    sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX*)
-      case `$LD -v 2>&1` in
-        *\ [01].* | *\ 2.[0-9].* | *\ 2.1[0-5].*)
-	ld_shlibs=no
-	cat <<_LT_EOF 1>&2
+# Sed substitution to avoid accidental globbing in evaled expressions
+no_glob_subst='s/\*/\\\*/g'
 
-*** Warning: Releases of the GNU linker prior to 2.16.91.0.3 can not
-*** reliably create shared libraries on SCO systems.  Therefore, libtool
-*** is disabling shared libraries support.  We urge you to upgrade GNU
-*** binutils to release 2.16.91.0.3 or newer.  Another option is to modify
-*** your PATH or compiler configuration so that the native linker is
-*** used, and then restart.
+# Global variables:
+ofile=libtool
+can_build_shared=yes
 
-_LT_EOF
-	;;
-	*)
-	  if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
-	    hardcode_libdir_flag_spec='`test -z "$SCOABSPATH" && echo ${wl}-rpath,$libdir`'
-	    archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib'
-	    archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname,\${SCOABSPATH:+${install_libdir}/}$soname,-retain-symbols-file,$export_symbols -o $lib'
-	  else
-	    ld_shlibs=no
-	  fi
-	;;
-      esac
-      ;;
+# All known linkers require a `.a' archive for static linking (except MSVC,
+# which needs '.lib').
+libext=a
 
-    sunos4*)
-      archive_cmds='$LD -assert pure-text -Bshareable -o $lib $libobjs $deplibs $linker_flags'
-      wlarc=
-      hardcode_direct=yes
-      hardcode_shlibpath_var=no
-      ;;
+with_gnu_ld="$lt_cv_prog_gnu_ld"
 
-    *)
-      if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
-	archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
-	archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
-      else
-	ld_shlibs=no
-      fi
-      ;;
-    esac
-
-    if test "$ld_shlibs" = no; then
-      runpath_var=
-      hardcode_libdir_flag_spec=
-      export_dynamic_flag_spec=
-      whole_archive_flag_spec=
-    fi
-  else
-    # PORTME fill in a description of your system's linker (not GNU ld)
-    case $host_os in
-    aix3*)
-      allow_undefined_flag=unsupported
-      always_export_symbols=yes
-      archive_expsym_cmds='$LD -o $output_objdir/$soname $libobjs $deplibs $linker_flags -bE:$export_symbols -T512 -H512 -bM:SRE~$AR $AR_FLAGS $lib $output_objdir/$soname'
-      # Note: this linker hardcodes the directories in LIBPATH if there
-      # are no directories specified by -L.
-      hardcode_minus_L=yes
-      if test "$GCC" = yes && test -z "$lt_prog_compiler_static"; then
-	# Neither direct hardcoding nor static linking is supported with a
-	# broken collect2.
-	hardcode_direct=unsupported
-      fi
-      ;;
+old_CC="$CC"
+old_CFLAGS="$CFLAGS"
 
-    aix[4-9]*)
-      if test "$host_cpu" = ia64; then
-	# On IA64, the linker does run time linking by default, so we don't
-	# have to do anything special.
-	aix_use_runtimelinking=no
-	exp_sym_flag='-Bexport'
-	no_entry_flag=""
-      else
-	# If we're using GNU nm, then we don't want the "-C" option.
-	# -C means demangle to AIX nm, but means don't demangle with GNU nm
-	if $NM -V 2>&1 | grep 'GNU' > /dev/null; then
-	  export_symbols_cmds='$NM -Bpg $libobjs $convenience | awk '\''{ if (((\$2 == "T") || (\$2 == "D") || (\$2 == "B")) && (substr(\$3,1,1) != ".")) { print \$3 } }'\'' | sort -u > $export_symbols'
-	else
-	  export_symbols_cmds='$NM -BCpg $libobjs $convenience | awk '\''{ if (((\$2 == "T") || (\$2 == "D") || (\$2 == "B")) && (substr(\$3,1,1) != ".")) { print \$3 } }'\'' | sort -u > $export_symbols'
-	fi
-	aix_use_runtimelinking=no
+# Set sane defaults for various variables
+test -z "$CC" && CC=cc
+test -z "$LTCC" && LTCC=$CC
+test -z "$LTCFLAGS" && LTCFLAGS=$CFLAGS
+test -z "$LD" && LD=ld
+test -z "$ac_objext" && ac_objext=o
 
-	# Test if we are trying to use run time linking or normal
-	# AIX style linking. If -brtl is somewhere in LDFLAGS, we
-	# need to do runtime linking.
-	case $host_os in aix4.[23]|aix4.[23].*|aix[5-9]*)
-	  for ld_flag in $LDFLAGS; do
-  	  if (test $ld_flag = "-brtl" || test $ld_flag = "-Wl,-brtl"); then
-  	    aix_use_runtimelinking=yes
-  	    break
-  	  fi
-	  done
-	  ;;
-	esac
+for cc_temp in $compiler""; do
+  case $cc_temp in
+    compile | *[\\/]compile | ccache | *[\\/]ccache ) ;;
+    distcc | *[\\/]distcc | purify | *[\\/]purify ) ;;
+    \-*) ;;
+    *) break;;
+  esac
+done
+cc_basename=`$ECHO "X$cc_temp" | $Xsed -e 's%.*/%%' -e "s%^$host_alias-%%"`
 
-	exp_sym_flag='-bexport'
-	no_entry_flag='-bnoentry'
-      fi
 
-      # When large executables or shared objects are built, AIX ld can
-      # have problems creating the table of contents.  If linking a library
-      # or program results in "error TOC overflow" add -mminimal-toc to
-      # CXXFLAGS/CFLAGS for g++/gcc.  In the cases where that is not
-      # enough to fix the problem, add -Wl,-bbigtoc to LDFLAGS.
+# Only perform the check for file, if the check method requires it
+test -z "$MAGIC_CMD" && MAGIC_CMD=file
+case $deplibs_check_method in
+file_magic*)
+  if test "$file_magic_cmd" = '$MAGIC_CMD'; then
+    { echo "$as_me:$LINENO: checking for ${ac_tool_prefix}file" >&5
+echo $ECHO_N "checking for ${ac_tool_prefix}file... $ECHO_C" >&6; }
+if test "${lt_cv_path_MAGIC_CMD+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  case $MAGIC_CMD in
+[\\/*] |  ?:[\\/]*)
+  lt_cv_path_MAGIC_CMD="$MAGIC_CMD" # Let the user override the test with a path.
+  ;;
+*)
+  lt_save_MAGIC_CMD="$MAGIC_CMD"
+  lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR
+  ac_dummy="/usr/bin$PATH_SEPARATOR$PATH"
+  for ac_dir in $ac_dummy; do
+    IFS="$lt_save_ifs"
+    test -z "$ac_dir" && ac_dir=.
+    if test -f $ac_dir/${ac_tool_prefix}file; then
+      lt_cv_path_MAGIC_CMD="$ac_dir/${ac_tool_prefix}file"
+      if test -n "$file_magic_test_file"; then
+	case $deplibs_check_method in
+	"file_magic "*)
+	  file_magic_regex=`expr "$deplibs_check_method" : "file_magic \(.*\)"`
+	  MAGIC_CMD="$lt_cv_path_MAGIC_CMD"
+	  if eval $file_magic_cmd \$file_magic_test_file 2> /dev/null |
+	    $EGREP "$file_magic_regex" > /dev/null; then
+	    :
+	  else
+	    cat <<_LT_EOF 1>&2
 
-      archive_cmds=''
-      hardcode_direct=yes
-      hardcode_libdir_separator=':'
-      link_all_deplibs=yes
+*** Warning: the command libtool uses to detect shared libraries,
+*** $file_magic_cmd, produces output that libtool cannot recognize.
+*** The result is that libtool may fail to recognize shared libraries
+*** as such.  This will affect the creation of libtool libraries that
+*** depend on shared libraries, but programs linked with such libtool
+*** libraries will work regardless of this problem.  Nevertheless, you
+*** may want to report the problem to your system manager and/or to
+*** bug-libtool@gnu.org
 
-      if test "$GCC" = yes; then
-	case $host_os in aix4.[012]|aix4.[012].*)
-	# We only want to do this on AIX 4.2 and lower, the check
-	# below for broken collect2 doesn't work under 4.3+
-	  collect2name=`${CC} -print-prog-name=collect2`
-	  if test -f "$collect2name" && \
-  	   strings "$collect2name" | grep resolve_lib_name >/dev/null
-	  then
-  	  # We have reworked collect2
-  	  :
-	  else
-  	  # We have old collect2
-  	  hardcode_direct=unsupported
-  	  # It fails to find uninstalled libraries when the uninstalled
-  	  # path is not listed in the libpath.  Setting hardcode_minus_L
-  	  # to unsupported forces relinking
-  	  hardcode_minus_L=yes
-  	  hardcode_libdir_flag_spec='-L$libdir'
-  	  hardcode_libdir_separator=
-	  fi
-	  ;;
+_LT_EOF
+	  fi ;;
 	esac
-	shared_flag='-shared'
-	if test "$aix_use_runtimelinking" = yes; then
-	  shared_flag="$shared_flag "'${wl}-G'
-	fi
-      else
-	# not using gcc
-	if test "$host_cpu" = ia64; then
-  	# VisualAge C++, Version 5.5 for AIX 5L for IA-64, Beta 3 Release
-  	# chokes on -Wl,-G. The following line is correct:
-	  shared_flag='-G'
-	else
-	  if test "$aix_use_runtimelinking" = yes; then
-	    shared_flag='${wl}-G'
-	  else
-	    shared_flag='${wl}-bM:SRE'
-	  fi
-	fi
       fi
-
-      # It seems that -bexpall does not export symbols beginning with
-      # underscore (_), so it is better to generate a list of symbols to export.
-      always_export_symbols=yes
-      if test "$aix_use_runtimelinking" = yes; then
-	# Warning - without using the other runtime loading flags (-brtl),
-	# -berok will link without error, but may produce a broken library.
-	allow_undefined_flag='-berok'
-       # Determine the default libpath from the value encoded in an empty executable.
-       cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-int
-main ()
-{
-
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
+      break
+    fi
+  done
+  IFS="$lt_save_ifs"
+  MAGIC_CMD="$lt_save_MAGIC_CMD"
+  ;;
 esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
-
-lt_aix_libpath_sed='
-    /Import File Strings/,/^$/ {
-	/^0/ {
-	    s/^0  *\(.*\)$/\1/
-	    p
-	}
-    }'
-aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
-# Check for a 64-bit object if we didn't find anything.
-if test -z "$aix_libpath"; then
-  aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
 fi
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
 
+MAGIC_CMD="$lt_cv_path_MAGIC_CMD"
+if test -n "$MAGIC_CMD"; then
+  { echo "$as_me:$LINENO: result: $MAGIC_CMD" >&5
+echo "${ECHO_T}$MAGIC_CMD" >&6; }
+else
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 fi
 
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
-if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
 
-       hardcode_libdir_flag_spec='${wl}-blibpath:$libdir:'"$aix_libpath"
-	archive_expsym_cmds="\$CC"' -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then echo "${wl}${allow_undefined_flag}"; else :; fi` '"\${wl}$exp_sym_flag:\$export_symbols $shared_flag"
-       else
-	if test "$host_cpu" = ia64; then
-	  hardcode_libdir_flag_spec='${wl}-R $libdir:/usr/lib:/lib'
-	  allow_undefined_flag="-z nodefs"
-	  archive_expsym_cmds="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags ${wl}${allow_undefined_flag} '"\${wl}$exp_sym_flag:\$export_symbols"
-	else
-	 # Determine the default libpath from the value encoded in an empty executable.
-	 cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 
-int
-main ()
-{
 
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
 
-lt_aix_libpath_sed='
-    /Import File Strings/,/^$/ {
-	/^0/ {
-	    s/^0  *\(.*\)$/\1/
-	    p
-	}
-    }'
-aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
-# Check for a 64-bit object if we didn't find anything.
-if test -z "$aix_libpath"; then
-  aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
-fi
+if test -z "$lt_cv_path_MAGIC_CMD"; then
+  if test -n "$ac_tool_prefix"; then
+    { echo "$as_me:$LINENO: checking for file" >&5
+echo $ECHO_N "checking for file... $ECHO_C" >&6; }
+if test "${lt_cv_path_MAGIC_CMD+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+  case $MAGIC_CMD in
+[\\/*] |  ?:[\\/]*)
+  lt_cv_path_MAGIC_CMD="$MAGIC_CMD" # Let the user override the test with a path.
+  ;;
+*)
+  lt_save_MAGIC_CMD="$MAGIC_CMD"
+  lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR
+  ac_dummy="/usr/bin$PATH_SEPARATOR$PATH"
+  for ac_dir in $ac_dummy; do
+    IFS="$lt_save_ifs"
+    test -z "$ac_dir" && ac_dir=.
+    if test -f $ac_dir/file; then
+      lt_cv_path_MAGIC_CMD="$ac_dir/file"
+      if test -n "$file_magic_test_file"; then
+	case $deplibs_check_method in
+	"file_magic "*)
+	  file_magic_regex=`expr "$deplibs_check_method" : "file_magic \(.*\)"`
+	  MAGIC_CMD="$lt_cv_path_MAGIC_CMD"
+	  if eval $file_magic_cmd \$file_magic_test_file 2> /dev/null |
+	    $EGREP "$file_magic_regex" > /dev/null; then
+	    :
+	  else
+	    cat <<_LT_EOF 1>&2
 
+*** Warning: the command libtool uses to detect shared libraries,
+*** $file_magic_cmd, produces output that libtool cannot recognize.
+*** The result is that libtool may fail to recognize shared libraries
+*** as such.  This will affect the creation of libtool libraries that
+*** depend on shared libraries, but programs linked with such libtool
+*** libraries will work regardless of this problem.  Nevertheless, you
+*** may want to report the problem to your system manager and/or to
+*** bug-libtool@gnu.org
 
+_LT_EOF
+	  fi ;;
+	esac
+      fi
+      break
+    fi
+  done
+  IFS="$lt_save_ifs"
+  MAGIC_CMD="$lt_save_MAGIC_CMD"
+  ;;
+esac
 fi
 
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
-if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
+MAGIC_CMD="$lt_cv_path_MAGIC_CMD"
+if test -n "$MAGIC_CMD"; then
+  { echo "$as_me:$LINENO: result: $MAGIC_CMD" >&5
+echo "${ECHO_T}$MAGIC_CMD" >&6; }
+else
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
 
-	 hardcode_libdir_flag_spec='${wl}-blibpath:$libdir:'"$aix_libpath"
-	  # Warning - without using the other run time loading flags,
-	  # -berok will link without error, but may produce a broken library.
-	  no_undefined_flag=' ${wl}-bernotok'
-	  allow_undefined_flag=' ${wl}-berok'
-	  # Exported symbols can be pulled into shared objects from archives
-	  whole_archive_flag_spec='$convenience'
-	  archive_cmds_need_lc=yes
-	  # This is similar to how AIX traditionally builds its shared libraries.
-	  archive_expsym_cmds="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs ${wl}-bnoentry $compiler_flags ${wl}-bE:$export_symbols${allow_undefined_flag}~$AR $AR_FLAGS $output_objdir/$libname$release.a $output_objdir/$soname'
-	fi
-      fi
-      ;;
 
-    amigaos*)
-      archive_cmds='$rm $output_objdir/a2ixlibrary.data~$echo "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$echo "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$echo "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$echo "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)'
-      hardcode_libdir_flag_spec='-L$libdir'
-      hardcode_minus_L=yes
-      # see comment about different semantics on the GNU ld section
-      ld_shlibs=no
-      ;;
+  else
+    MAGIC_CMD=:
+  fi
+fi
 
-    bsdi[45]*)
-      export_dynamic_flag_spec=-rdynamic
-      ;;
+  fi
+  ;;
+esac
 
-    cygwin* | mingw* | pw32*)
-      # When not using gcc, we currently assume that we are using
-      # Microsoft Visual C++.
-      # hardcode_libdir_flag_spec is actually meaningless, as there is
-      # no search path for DLLs.
-      hardcode_libdir_flag_spec=' '
-      allow_undefined_flag=unsupported
-      # Tell ltmain to make .lib files, not .a files.
-      libext=lib
-      # Tell ltmain to make .dll files, not .so files.
-      shrext_cmds=".dll"
-      # FIXME: Setting linknames here is a bad hack.
-      archive_cmds='$CC -o $lib $libobjs $compiler_flags `echo "$deplibs" | $SED -e '\''s/ -lc$//'\''` -link -dll~linknames='
-      # The linker will automatically build a .lib file if we build a DLL.
-      old_archive_From_new_cmds='true'
-      # FIXME: Should let the user specify the lib program.
-      old_archive_cmds='lib -OUT:$oldlib$oldobjs$old_deplibs'
-      fix_srcfile_path='`cygpath -w "$srcfile"`'
-      enable_shared_with_static_runtimes=yes
-      ;;
+# Use C for the default configuration in the libtool script
 
-    darwin* | rhapsody*)
-      case $host_os in
-        rhapsody* | darwin1.[012])
-         allow_undefined_flag='${wl}-undefined ${wl}suppress'
-         ;;
-       *) # Darwin 1.3 on
-         if test -z ${MACOSX_DEPLOYMENT_TARGET} ; then
-           allow_undefined_flag='${wl}-flat_namespace ${wl}-undefined ${wl}suppress'
-         else
-           case ${MACOSX_DEPLOYMENT_TARGET} in
-             10.[012])
-               allow_undefined_flag='${wl}-flat_namespace ${wl}-undefined ${wl}suppress'
-               ;;
-             10.*)
-               allow_undefined_flag='${wl}-undefined ${wl}dynamic_lookup'
-               ;;
-           esac
-         fi
-         ;;
-      esac
-      archive_cmds_need_lc=no
-      hardcode_direct=no
-      hardcode_automatic=yes
-      hardcode_shlibpath_var=unsupported
-      whole_archive_flag_spec=''
-      link_all_deplibs=yes
-    if test "$GCC" = yes ; then
-    	output_verbose_link_cmd='echo'
-        archive_cmds="\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$libobjs \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring $_lt_dar_single_mod${_lt_dsymutil}"
-        module_cmds="\$CC \$allow_undefined_flag -o \$lib -bundle \$libobjs \$deplibs \$compiler_flags${_lt_dsymutil}"
-        archive_expsym_cmds="sed 's,^,_,' < \$export_symbols > \$output_objdir/\${libname}-symbols.expsym~\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$libobjs \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring ${_lt_dar_single_mod}${_lt_dar_export_syms}${_lt_dsymutil}"
-        module_expsym_cmds="sed -e 's,^,_,' < \$export_symbols > \$output_objdir/\${libname}-symbols.expsym~\$CC \$allow_undefined_flag -o \$lib -bundle \$libobjs \$deplibs \$compiler_flags${_lt_dar_export_syms}${_lt_dsymutil}"
-    else
-      case $cc_basename in
-        xlc*)
-         output_verbose_link_cmd='echo'
-         archive_cmds='$CC -qmkshrobj $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}`echo $rpath/$soname` $xlcverstring'
-         module_cmds='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
-          # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin lds
-         archive_expsym_cmds='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -qmkshrobj $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}$rpath/$soname $xlcverstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
-          module_expsym_cmds='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag  -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
-          ;;
-       *)
-         ld_shlibs=no
-          ;;
-      esac
-    fi
-      ;;
+lt_save_CC="$CC"
+ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
 
-    dgux*)
-      archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
-      hardcode_libdir_flag_spec='-L$libdir'
-      hardcode_shlibpath_var=no
-      ;;
 
-    freebsd1*)
-      ld_shlibs=no
-      ;;
+# Source file extension for C test sources.
+ac_ext=c
 
-    # FreeBSD 2.2.[012] allows us to include c++rt0.o to get C++ constructor
-    # support.  Future versions do this automatically, but an explicit c++rt0.o
-    # does not break anything, and helps significantly (at the cost of a little
-    # extra space).
-    freebsd2.2*)
-      archive_cmds='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags /usr/lib/c++rt0.o'
-      hardcode_libdir_flag_spec='-R$libdir'
-      hardcode_direct=yes
-      hardcode_shlibpath_var=no
-      ;;
+# Object file extension for compiled C test sources.
+objext=o
+objext=$objext
 
-    # Unfortunately, older versions of FreeBSD 2 do not have this feature.
-    freebsd2*)
-      archive_cmds='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'
-      hardcode_direct=yes
-      hardcode_minus_L=yes
-      hardcode_shlibpath_var=no
-      ;;
+# Code to be used in simple compile tests
+lt_simple_compile_test_code="int some_variable = 0;"
 
-    # FreeBSD 3 and greater uses gcc -shared to do shared libraries.
-    freebsd* | dragonfly*)
-      archive_cmds='$CC -shared -o $lib $libobjs $deplibs $compiler_flags'
-      hardcode_libdir_flag_spec='-R$libdir'
-      hardcode_direct=yes
-      hardcode_shlibpath_var=no
-      ;;
+# Code to be used in simple link tests
+lt_simple_link_test_code='int main(){return(0);}'
 
-    hpux9*)
-      if test "$GCC" = yes; then
-	archive_cmds='$rm $output_objdir/$soname~$CC -shared -fPIC ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $libobjs $deplibs $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
-      else
-	archive_cmds='$rm $output_objdir/$soname~$LD -b +b $install_libdir -o $output_objdir/$soname $libobjs $deplibs $linker_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
-      fi
-      hardcode_libdir_flag_spec='${wl}+b ${wl}$libdir'
-      hardcode_libdir_separator=:
-      hardcode_direct=yes
 
-      # hardcode_minus_L: Not really in the search PATH,
-      # but as the default location of the library.
-      hardcode_minus_L=yes
-      export_dynamic_flag_spec='${wl}-E'
-      ;;
 
-    hpux10*)
-      if test "$GCC" = yes -a "$with_gnu_ld" = no; then
-	archive_cmds='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
-      else
-	archive_cmds='$LD -b +h $soname +b $install_libdir -o $lib $libobjs $deplibs $linker_flags'
-      fi
-      if test "$with_gnu_ld" = no; then
-	hardcode_libdir_flag_spec='${wl}+b ${wl}$libdir'
-	hardcode_libdir_separator=:
 
-	hardcode_direct=yes
-	export_dynamic_flag_spec='${wl}-E'
 
-	# hardcode_minus_L: Not really in the search PATH,
-	# but as the default location of the library.
-	hardcode_minus_L=yes
-      fi
-      ;;
 
-    hpux11*)
-      if test "$GCC" = yes -a "$with_gnu_ld" = no; then
-	case $host_cpu in
-	hppa*64*)
-	  archive_cmds='$CC -shared ${wl}+h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
-	  ;;
-	ia64*)
-	  archive_cmds='$CC -shared ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags'
-	  ;;
-	*)
-	  archive_cmds='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
-	  ;;
-	esac
-      else
-	case $host_cpu in
-	hppa*64*)
-	  archive_cmds='$CC -b ${wl}+h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
-	  ;;
-	ia64*)
-	  archive_cmds='$CC -b ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags'
-	  ;;
-	*)
-	  archive_cmds='$CC -b ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
-	  ;;
-	esac
-      fi
-      if test "$with_gnu_ld" = no; then
-	hardcode_libdir_flag_spec='${wl}+b ${wl}$libdir'
-	hardcode_libdir_separator=:
 
-	case $host_cpu in
-	hppa*64*|ia64*)
-	  hardcode_libdir_flag_spec_ld='+b $libdir'
-	  hardcode_direct=no
-	  hardcode_shlibpath_var=no
-	  ;;
-	*)
-	  hardcode_direct=yes
-	  export_dynamic_flag_spec='${wl}-E'
+# If no C compiler was specified, use CC.
+LTCC=${LTCC-"$CC"}
 
-	  # hardcode_minus_L: Not really in the search PATH,
-	  # but as the default location of the library.
-	  hardcode_minus_L=yes
-	  ;;
-	esac
-      fi
-      ;;
+# If no C compiler flags were specified, use CFLAGS.
+LTCFLAGS=${LTCFLAGS-"$CFLAGS"}
 
-    irix5* | irix6* | nonstopux*)
-      if test "$GCC" = yes; then
-	archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
-      else
-	archive_cmds='$LD -shared $libobjs $deplibs $linker_flags -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
-	hardcode_libdir_flag_spec_ld='-rpath $libdir'
-      fi
-      hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir'
-      hardcode_libdir_separator=:
-      link_all_deplibs=yes
-      ;;
+# Allow CC to be a program name with arguments.
+compiler=$CC
 
-    netbsd* | netbsdelf*-gnu)
-      if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
-	archive_cmds='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'  # a.out
-      else
-	archive_cmds='$LD -shared -o $lib $libobjs $deplibs $linker_flags'      # ELF
-      fi
-      hardcode_libdir_flag_spec='-R$libdir'
-      hardcode_direct=yes
-      hardcode_shlibpath_var=no
-      ;;
+# Save the default compiler, since it gets overwritten when the other
+# tags are being tested, and _LT_TAGVAR(compiler, []) is a NOP.
+compiler_DEFAULT=$CC
 
-    newsos6)
-      archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
-      hardcode_direct=yes
-      hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir'
-      hardcode_libdir_separator=:
-      hardcode_shlibpath_var=no
-      ;;
+# save warnings/boilerplate of simple test code
+ac_outfile=conftest.$ac_objext
+echo "$lt_simple_compile_test_code" >conftest.$ac_ext
+eval "$ac_compile" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err
+_lt_compiler_boilerplate=`cat conftest.err`
+$RM conftest*
 
-    openbsd*)
-      if test -f /usr/libexec/ld.so; then
-	hardcode_direct=yes
-	hardcode_shlibpath_var=no
-	if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
-	  archive_cmds='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
-	  archive_expsym_cmds='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-retain-symbols-file,$export_symbols'
-	  hardcode_libdir_flag_spec='${wl}-rpath,$libdir'
-	  export_dynamic_flag_spec='${wl}-E'
-	else
-	  case $host_os in
-	   openbsd[01].* | openbsd2.[0-7] | openbsd2.[0-7].*)
-	     archive_cmds='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'
-	     hardcode_libdir_flag_spec='-R$libdir'
-	     ;;
-	   *)
-	     archive_cmds='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
-	     hardcode_libdir_flag_spec='${wl}-rpath,$libdir'
-	     ;;
-	  esac
-        fi
-      else
-	ld_shlibs=no
+ac_outfile=conftest.$ac_objext
+echo "$lt_simple_link_test_code" >conftest.$ac_ext
+eval "$ac_link" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err
+_lt_linker_boilerplate=`cat conftest.err`
+$RM -r conftest*
+
+
+if test -n "$compiler"; then
+
+lt_prog_compiler_no_builtin_flag=
+
+if test "$GCC" = yes; then
+  lt_prog_compiler_no_builtin_flag=' -fno-builtin'
+
+  { echo "$as_me:$LINENO: checking if $compiler supports -fno-rtti -fno-exceptions" >&5
+echo $ECHO_N "checking if $compiler supports -fno-rtti -fno-exceptions... $ECHO_C" >&6; }
+if test "${lt_cv_prog_compiler_rtti_exceptions+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  lt_cv_prog_compiler_rtti_exceptions=no
+   ac_outfile=conftest.$ac_objext
+   echo "$lt_simple_compile_test_code" > conftest.$ac_ext
+   lt_compiler_flag="-fno-rtti -fno-exceptions"
+   # Insert the option either (1) after the last *FLAGS variable, or
+   # (2) before a word containing "conftest.", or (3) at the end.
+   # Note that $ac_compile itself does not contain backslashes and begins
+   # with a dollar sign (not a hyphen), so the echo should work correctly.
+   # The option is referenced via a variable to avoid confusing sed.
+   lt_compile=`echo "$ac_compile" | $SED \
+   -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
+   -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
+   -e 's:$: $lt_compiler_flag:'`
+   (eval echo "\"\$as_me:8888: $lt_compile\"" >&5)
+   (eval "$lt_compile" 2>conftest.err)
+   ac_status=$?
+   cat conftest.err >&5
+   echo "$as_me:8892: \$? = $ac_status" >&5
+   if (exit $ac_status) && test -s "$ac_outfile"; then
+     # The compiler can only warn and ignore the option if not recognized
+     # So say no if there are warnings other than the usual output.
+     $ECHO "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' >conftest.exp
+     $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2
+     if test ! -s conftest.er2 || diff conftest.exp conftest.er2 >/dev/null; then
+       lt_cv_prog_compiler_rtti_exceptions=yes
+     fi
+   fi
+   $RM conftest*
+
+fi
+{ echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_rtti_exceptions" >&5
+echo "${ECHO_T}$lt_cv_prog_compiler_rtti_exceptions" >&6; }
+
+if test x"$lt_cv_prog_compiler_rtti_exceptions" = xyes; then
+    lt_prog_compiler_no_builtin_flag="$lt_prog_compiler_no_builtin_flag -fno-rtti -fno-exceptions"
+else
+    :
+fi
+
+fi
+
+
+
+
+
+
+  lt_prog_compiler_wl=
+lt_prog_compiler_pic=
+lt_prog_compiler_static=
+
+{ echo "$as_me:$LINENO: checking for $compiler option to produce PIC" >&5
+echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6; }
+
+  if test "$GCC" = yes; then
+    lt_prog_compiler_wl='-Wl,'
+    lt_prog_compiler_static='-static'
+
+    case $host_os in
+      aix*)
+      # All AIX code is PIC.
+      if test "$host_cpu" = ia64; then
+	# AIX 5 now supports IA64 processor
+	lt_prog_compiler_static='-Bstatic'
       fi
       ;;
 
-    os2*)
-      hardcode_libdir_flag_spec='-L$libdir'
-      hardcode_minus_L=yes
-      allow_undefined_flag=unsupported
-      archive_cmds='$echo "LIBRARY $libname INITINSTANCE" > $output_objdir/$libname.def~$echo "DESCRIPTION \"$libname\"" >> $output_objdir/$libname.def~$echo DATA >> $output_objdir/$libname.def~$echo " SINGLE NONSHARED" >> $output_objdir/$libname.def~$echo EXPORTS >> $output_objdir/$libname.def~emxexp $libobjs >> $output_objdir/$libname.def~$CC -Zdll -Zcrtdll -o $lib $libobjs $deplibs $compiler_flags $output_objdir/$libname.def'
-      old_archive_From_new_cmds='emximp -o $output_objdir/$libname.a $output_objdir/$libname.def'
+    amigaos*)
+      case $host_cpu in
+      powerpc)
+            # see comment about AmigaOS4 .so support
+            lt_prog_compiler_pic='-fPIC'
+        ;;
+      m68k)
+            # FIXME: we need at least 68020 code to build shared libraries, but
+            # adding the `-m68020' flag to GCC prevents building anything better,
+            # like `-m68040'.
+            lt_prog_compiler_pic='-m68020 -resident32 -malways-restore-a4'
+        ;;
+      esac
       ;;
 
-    osf3*)
-      if test "$GCC" = yes; then
-	allow_undefined_flag=' ${wl}-expect_unresolved ${wl}\*'
-	archive_cmds='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
-      else
-	allow_undefined_flag=' -expect_unresolved \*'
-	archive_cmds='$LD -shared${allow_undefined_flag} $libobjs $deplibs $linker_flags -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
-      fi
-      hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir'
-      hardcode_libdir_separator=:
+    beos* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*)
+      # PIC is the default for these OSes.
       ;;
 
-    osf4* | osf5*)	# as osf3* with the addition of -msym flag
-      if test "$GCC" = yes; then
-	allow_undefined_flag=' ${wl}-expect_unresolved ${wl}\*'
-	archive_cmds='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-msym ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
-	hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir'
-      else
-	allow_undefined_flag=' -expect_unresolved \*'
-	archive_cmds='$LD -shared${allow_undefined_flag} $libobjs $deplibs $linker_flags -msym -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
-	archive_expsym_cmds='for i in `cat $export_symbols`; do printf "%s %s\\n" -exported_symbol "\$i" >> $lib.exp; done; echo "-hidden">> $lib.exp~
-	$LD -shared${allow_undefined_flag} -input $lib.exp $linker_flags $libobjs $deplibs -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib~$rm $lib.exp'
+    mingw* | cygwin* | pw32* | os2*)
+      # This hack is so that the source file can tell whether it is being
+      # built for inclusion in a dll (and should export symbols for example).
+      # Although the cygwin gcc ignores -fPIC, still need this for old-style
+      # (--disable-auto-import) libraries
+      lt_prog_compiler_pic='-DDLL_EXPORT'
+      ;;
 
-	# Both c and cxx compiler support -rpath directly
-	hardcode_libdir_flag_spec='-rpath $libdir'
-      fi
-      hardcode_libdir_separator=:
+    darwin* | rhapsody*)
+      # PIC is the default on this platform
+      # Common symbols not allowed in MH_DYLIB files
+      lt_prog_compiler_pic='-fno-common'
       ;;
 
-    solaris*)
-      no_undefined_flag=' -z text'
-      if test "$GCC" = yes; then
-	wlarc='${wl}'
-	archive_cmds='$CC -shared ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
-	archive_expsym_cmds='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
-	  $CC -shared ${wl}-M ${wl}$lib.exp ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags~$rm $lib.exp'
-      else
-	wlarc=''
-	archive_cmds='$LD -G${allow_undefined_flag} -h $soname -o $lib $libobjs $deplibs $linker_flags'
-	archive_expsym_cmds='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
-  	$LD -G${allow_undefined_flag} -M $lib.exp -h $soname -o $lib $libobjs $deplibs $linker_flags~$rm $lib.exp'
-      fi
-      hardcode_libdir_flag_spec='-R$libdir'
-      hardcode_shlibpath_var=no
-      case $host_os in
-      solaris2.[0-5] | solaris2.[0-5].*) ;;
+    hpux*)
+      # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but
+      # not for PA HP-UX.
+      case $host_cpu in
+      hppa*64*|ia64*)
+	# +Z the default
+	;;
       *)
-	# The compiler driver will combine and reorder linker options,
-	# but understands `-z linker_flag'.  GCC discards it without `$wl',
-	# but is careful enough not to reorder.
- 	# Supported since Solaris 2.6 (maybe 2.5.1?)
-	if test "$GCC" = yes; then
-	  whole_archive_flag_spec='${wl}-z ${wl}allextract$convenience ${wl}-z ${wl}defaultextract'
-	else
-	  whole_archive_flag_spec='-z allextract$convenience -z defaultextract'
-	fi
+	lt_prog_compiler_pic='-fPIC'
 	;;
       esac
-      link_all_deplibs=yes
       ;;
 
-    sunos4*)
-      if test "x$host_vendor" = xsequent; then
-	# Use $CC to link under sequent, because it throws in some extra .o
-	# files that make .init and .fini sections work.
-	archive_cmds='$CC -G ${wl}-h $soname -o $lib $libobjs $deplibs $compiler_flags'
-      else
-	archive_cmds='$LD -assert pure-text -Bstatic -o $lib $libobjs $deplibs $linker_flags'
-      fi
-      hardcode_libdir_flag_spec='-L$libdir'
-      hardcode_direct=yes
-      hardcode_minus_L=yes
-      hardcode_shlibpath_var=no
+    interix[3-9]*)
+      # Interix 3.x gcc -fpic/-fPIC options generate broken code.
+      # Instead, we relocate shared libraries at runtime.
       ;;
 
-    sysv4)
-      case $host_vendor in
-	sni)
-	  archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
-	  hardcode_direct=yes # is this really true???
-	;;
-	siemens)
-	  ## LD is ld it makes a PLAMLIB
-	  ## CC just makes a GrossModule.
-	  archive_cmds='$LD -G -o $lib $libobjs $deplibs $linker_flags'
-	  reload_cmds='$CC -r -o $output$reload_objs'
-	  hardcode_direct=no
-        ;;
-	motorola)
-	  archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
-	  hardcode_direct=no #Motorola manual says yes, but my tests say they lie
-	;;
-      esac
-      runpath_var='LD_RUN_PATH'
-      hardcode_shlibpath_var=no
+    msdosdjgpp*)
+      # Just because we use GCC doesn't mean we suddenly get shared libraries
+      # on systems that don't support them.
+      lt_prog_compiler_can_build_shared=no
+      enable_shared=no
       ;;
 
-    sysv4.3*)
-      archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
-      hardcode_shlibpath_var=no
-      export_dynamic_flag_spec='-Bexport'
+    *nto* | *qnx*)
+      # QNX uses GNU C++, but need to define -shared option too, otherwise
+      # it will coredump.
+      lt_prog_compiler_pic='-fPIC -shared'
       ;;
 
     sysv4*MP*)
       if test -d /usr/nec; then
-	archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
-	hardcode_shlibpath_var=no
-	runpath_var=LD_RUN_PATH
-	hardcode_runpath_var=yes
-	ld_shlibs=yes
+	lt_prog_compiler_pic=-Kconform_pic
       fi
       ;;
 
-    sysv4*uw2* | sysv5OpenUNIX* | sysv5UnixWare7.[01].[10]* | unixware7* | sco3.2v5.0.[024]*)
-      no_undefined_flag='${wl}-z,text'
-      archive_cmds_need_lc=no
-      hardcode_shlibpath_var=no
-      runpath_var='LD_RUN_PATH'
-
-      if test "$GCC" = yes; then
-	archive_cmds='$CC -shared ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
-	archive_expsym_cmds='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
-      else
-	archive_cmds='$CC -G ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
-	archive_expsym_cmds='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
-      fi
+    *)
+      lt_prog_compiler_pic='-fPIC'
       ;;
-
-    sysv5* | sco3.2v5* | sco5v6*)
-      # Note: We can NOT use -z defs as we might desire, because we do not
-      # link with -lc, and that would cause any symbols used from libc to
-      # always be unresolved, which means just about no library would
-      # ever link correctly.  If we're not using GNU ld we use -z text
-      # though, which does catch some bad symbols but isn't as heavy-handed
-      # as -z defs.
-      no_undefined_flag='${wl}-z,text'
-      allow_undefined_flag='${wl}-z,nodefs'
-      archive_cmds_need_lc=no
-      hardcode_shlibpath_var=no
-      hardcode_libdir_flag_spec='`test -z "$SCOABSPATH" && echo ${wl}-R,$libdir`'
-      hardcode_libdir_separator=':'
-      link_all_deplibs=yes
-      export_dynamic_flag_spec='${wl}-Bexport'
-      runpath_var='LD_RUN_PATH'
-
-      if test "$GCC" = yes; then
-	archive_cmds='$CC -shared ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
-	archive_expsym_cmds='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
+    esac
+  else
+    # PORTME Check for flag to pass linker flags through the system compiler.
+    case $host_os in
+    aix*)
+      lt_prog_compiler_wl='-Wl,'
+      if test "$host_cpu" = ia64; then
+	# AIX 5 now supports IA64 processor
+	lt_prog_compiler_static='-Bstatic'
       else
-	archive_cmds='$CC -G ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
-	archive_expsym_cmds='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
+	lt_prog_compiler_static='-bnso -bI:/lib/syscalls.exp'
       fi
       ;;
 
-    uts4*)
-      archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
-      hardcode_libdir_flag_spec='-L$libdir'
-      hardcode_shlibpath_var=no
+    mingw* | cygwin* | pw32* | os2*)
+      # This hack is so that the source file can tell whether it is being
+      # built for inclusion in a dll (and should export symbols for example).
+      lt_prog_compiler_pic='-DDLL_EXPORT'
       ;;
 
-    *)
-      ld_shlibs=no
+    hpux9* | hpux10* | hpux11*)
+      lt_prog_compiler_wl='-Wl,'
+      # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but
+      # not for PA HP-UX.
+      case $host_cpu in
+      hppa*64*|ia64*)
+	# +Z the default
+	;;
+      *)
+	lt_prog_compiler_pic='+Z'
+	;;
+      esac
+      # Is there a better lt_prog_compiler_static that works with the bundled CC?
+      lt_prog_compiler_static='${wl}-a ${wl}archive'
       ;;
-    esac
-  fi
 
-{ echo "$as_me:$LINENO: result: $ld_shlibs" >&5
-echo "${ECHO_T}$ld_shlibs" >&6; }
-test "$ld_shlibs" = no && can_build_shared=no
+    irix5* | irix6* | nonstopux*)
+      lt_prog_compiler_wl='-Wl,'
+      # PIC (with -KPIC) is the default.
+      lt_prog_compiler_static='-non_shared'
+      ;;
 
-#
-# Do we need to explicitly link libc?
-#
-case "x$archive_cmds_need_lc" in
-x|xyes)
-  # Assume -lc should be added
-  archive_cmds_need_lc=yes
+    linux* | k*bsd*-gnu)
+      case $cc_basename in
+      icc* | ecc* | ifort*)
+	lt_prog_compiler_wl='-Wl,'
+	lt_prog_compiler_pic='-KPIC'
+	lt_prog_compiler_static='-static'
+        ;;
+      pgcc* | pgf77* | pgf90* | pgf95*)
+        # Portland Group compilers (*not* the Pentium gcc compiler,
+	# which looks to be a dead project)
+	lt_prog_compiler_wl='-Wl,'
+	lt_prog_compiler_pic='-fpic'
+	lt_prog_compiler_static='-Bstatic'
+        ;;
+      ccc*)
+        lt_prog_compiler_wl='-Wl,'
+        # All Alpha code is PIC.
+        lt_prog_compiler_static='-non_shared'
+        ;;
+      xl*)
+	# IBM XL C 8.0/Fortran 10.1 on PPC
+	lt_prog_compiler_wl='-Wl,'
+	lt_prog_compiler_pic='-qpic'
+	lt_prog_compiler_static='-qstaticlink'
+	;;
+      *)
+	case `$CC -V 2>&1 | sed 5q` in
+	*Sun\ C*)
+	  # Sun C 5.9
+	  lt_prog_compiler_pic='-KPIC'
+	  lt_prog_compiler_static='-Bstatic'
+	  lt_prog_compiler_wl='-Wl,'
+	  ;;
+	*Sun\ F*)
+	  # Sun Fortran 8.3 passes all unrecognized flags to the linker
+	  lt_prog_compiler_pic='-KPIC'
+	  lt_prog_compiler_static='-Bstatic'
+	  lt_prog_compiler_wl=''
+	  ;;
+	esac
+	;;
+      esac
+      ;;
 
-  if test "$enable_shared" = yes && test "$GCC" = yes; then
-    case $archive_cmds in
-    *'~'*)
-      # FIXME: we may have to deal with multi-command sequences.
+    newsos6)
+      lt_prog_compiler_pic='-KPIC'
+      lt_prog_compiler_static='-Bstatic'
       ;;
-    '$CC '*)
-      # Test whether the compiler implicitly links with -lc since on some
-      # systems, -lgcc has to come before -lc. If gcc already passes -lc
-      # to ld, don't add -lc before -lgcc.
-      { echo "$as_me:$LINENO: checking whether -lc should be explicitly linked in" >&5
-echo $ECHO_N "checking whether -lc should be explicitly linked in... $ECHO_C" >&6; }
-      $rm conftest*
-      echo "$lt_simple_compile_test_code" > conftest.$ac_ext
 
-      if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } 2>conftest.err; then
-        soname=conftest
-        lib=conftest
-        libobjs=conftest.$ac_objext
-        deplibs=
-        wl=$lt_prog_compiler_wl
-	pic_flag=$lt_prog_compiler_pic
-        compiler_flags=-v
-        linker_flags=-v
-        verstring=
-        output_objdir=.
-        libname=conftest
-        lt_save_allow_undefined_flag=$allow_undefined_flag
-        allow_undefined_flag=
-        if { (eval echo "$as_me:$LINENO: \"$archive_cmds 2\>\&1 \| grep \" -lc \" \>/dev/null 2\>\&1\"") >&5
-  (eval $archive_cmds 2\>\&1 \| grep \" -lc \" \>/dev/null 2\>\&1) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }
-        then
-	  archive_cmds_need_lc=no
-        else
-	  archive_cmds_need_lc=yes
-        fi
-        allow_undefined_flag=$lt_save_allow_undefined_flag
-      else
-        cat conftest.err 1>&5
-      fi
-      $rm conftest*
-      { echo "$as_me:$LINENO: result: $archive_cmds_need_lc" >&5
-echo "${ECHO_T}$archive_cmds_need_lc" >&6; }
+    *nto* | *qnx*)
+      # QNX uses GNU C++, but need to define -shared option too, otherwise
+      # it will coredump.
+      lt_prog_compiler_pic='-fPIC -shared'
       ;;
-    esac
-  fi
-  ;;
-esac
 
-{ echo "$as_me:$LINENO: checking dynamic linker characteristics" >&5
-echo $ECHO_N "checking dynamic linker characteristics... $ECHO_C" >&6; }
-library_names_spec=
-libname_spec='lib$name'
-soname_spec=
-shrext_cmds=".so"
-postinstall_cmds=
-postuninstall_cmds=
-finish_cmds=
-finish_eval=
-shlibpath_var=
-shlibpath_overrides_runpath=unknown
-version_type=none
-dynamic_linker="$host_os ld.so"
-sys_lib_dlsearch_path_spec="/lib /usr/lib"
+    osf3* | osf4* | osf5*)
+      lt_prog_compiler_wl='-Wl,'
+      # All OSF/1 code is PIC.
+      lt_prog_compiler_static='-non_shared'
+      ;;
 
-if test "$GCC" = yes; then
-  case $host_os in
-    darwin*) lt_awk_arg="/^libraries:/,/LR/" ;;
-    *) lt_awk_arg="/^libraries:/" ;;
-  esac
-  lt_search_path_spec=`$CC -print-search-dirs | awk $lt_awk_arg | $SED -e "s/^libraries://" -e "s,=/,/,g"`
-  if echo "$lt_search_path_spec" | grep ';' >/dev/null ; then
-    # if the path contains ";" then we assume it to be the separator
-    # otherwise default to the standard path separator (i.e. ":") - it is
-    # assumed that no part of a normal pathname contains ";" but that should
-    # okay in the real world where ";" in dirpaths is itself problematic.
-    lt_search_path_spec=`echo "$lt_search_path_spec" | $SED -e 's/;/ /g'`
-  else
-    lt_search_path_spec=`echo "$lt_search_path_spec" | $SED  -e "s/$PATH_SEPARATOR/ /g"`
-  fi
-  # Ok, now we have the path, separated by spaces, we can step through it
-  # and add multilib dir if necessary.
-  lt_tmp_lt_search_path_spec=
-  lt_multi_os_dir=`$CC $CPPFLAGS $CFLAGS $LDFLAGS -print-multi-os-directory 2>/dev/null`
-  for lt_sys_path in $lt_search_path_spec; do
-    if test -d "$lt_sys_path/$lt_multi_os_dir"; then
-      lt_tmp_lt_search_path_spec="$lt_tmp_lt_search_path_spec $lt_sys_path/$lt_multi_os_dir"
-    else
-      test -d "$lt_sys_path" && \
-	lt_tmp_lt_search_path_spec="$lt_tmp_lt_search_path_spec $lt_sys_path"
-    fi
-  done
-  lt_search_path_spec=`echo $lt_tmp_lt_search_path_spec | awk '
-BEGIN {RS=" "; FS="/|\n";} {
-  lt_foo="";
-  lt_count=0;
-  for (lt_i = NF; lt_i > 0; lt_i--) {
-    if ($lt_i != "" && $lt_i != ".") {
-      if ($lt_i == "..") {
-        lt_count++;
-      } else {
-        if (lt_count == 0) {
-          lt_foo="/" $lt_i lt_foo;
-        } else {
-          lt_count--;
-        }
-      }
-    }
-  }
-  if (lt_foo != "") { lt_freq[lt_foo]++; }
-  if (lt_freq[lt_foo] == 1) { print lt_foo; }
-}'`
-  sys_lib_search_path_spec=`echo $lt_search_path_spec`
-else
-  sys_lib_search_path_spec="/lib /usr/lib /usr/local/lib"
-fi
-need_lib_prefix=unknown
-hardcode_into_libs=no
+    rdos*)
+      lt_prog_compiler_static='-non_shared'
+      ;;
 
-# when you set need_version to no, make sure it does not cause -set_version
-# flags to be left without arguments
-need_version=unknown
+    solaris*)
+      lt_prog_compiler_pic='-KPIC'
+      lt_prog_compiler_static='-Bstatic'
+      case $cc_basename in
+      f77* | f90* | f95*)
+	lt_prog_compiler_wl='-Qoption ld ';;
+      *)
+	lt_prog_compiler_wl='-Wl,';;
+      esac
+      ;;
 
-case $host_os in
-aix3*)
-  version_type=linux
-  library_names_spec='${libname}${release}${shared_ext}$versuffix $libname.a'
-  shlibpath_var=LIBPATH
+    sunos4*)
+      lt_prog_compiler_wl='-Qoption ld '
+      lt_prog_compiler_pic='-PIC'
+      lt_prog_compiler_static='-Bstatic'
+      ;;
 
-  # AIX 3 has no versioning support, so we append a major version to the name.
-  soname_spec='${libname}${release}${shared_ext}$major'
-  ;;
+    sysv4 | sysv4.2uw2* | sysv4.3*)
+      lt_prog_compiler_wl='-Wl,'
+      lt_prog_compiler_pic='-KPIC'
+      lt_prog_compiler_static='-Bstatic'
+      ;;
 
-aix[4-9]*)
-  version_type=linux
-  need_lib_prefix=no
-  need_version=no
-  hardcode_into_libs=yes
-  if test "$host_cpu" = ia64; then
-    # AIX 5 supports IA64
-    library_names_spec='${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext}$versuffix $libname${shared_ext}'
-    shlibpath_var=LD_LIBRARY_PATH
-  else
-    # With GCC up to 2.95.x, collect2 would create an import file
-    # for dependence libraries.  The import file would start with
-    # the line `#! .'.  This would cause the generated library to
-    # depend on `.', always an invalid library.  This was fixed in
-    # development snapshots of GCC prior to 3.0.
-    case $host_os in
-      aix4 | aix4.[01] | aix4.[01].*)
-      if { echo '#if __GNUC__ > 2 || (__GNUC__ == 2 && __GNUC_MINOR__ >= 97)'
-	   echo ' yes '
-	   echo '#endif'; } | ${CC} -E - | grep yes > /dev/null; then
-	:
-      else
-	can_build_shared=no
+    sysv4*MP*)
+      if test -d /usr/nec ;then
+	lt_prog_compiler_pic='-Kconform_pic'
+	lt_prog_compiler_static='-Bstatic'
       fi
       ;;
-    esac
-    # AIX (on Power*) has no versioning support, so currently we can not hardcode correct
-    # soname into executable. Probably we can add versioning support to
-    # collect2, so additional links can be useful in future.
-    if test "$aix_use_runtimelinking" = yes; then
-      # If using run time linking (on AIX 4.2 or later) use lib<name>.so
-      # instead of lib<name>.a to let people know that these are not
-      # typical AIX shared libraries.
-      library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-    else
-      # We preserve .a as extension for shared libraries through AIX4.2
-      # and later when we are not doing run time linking.
-      library_names_spec='${libname}${release}.a $libname.a'
-      soname_spec='${libname}${release}${shared_ext}$major'
-    fi
-    shlibpath_var=LIBPATH
-  fi
-  ;;
-
-amigaos*)
-  library_names_spec='$libname.ixlibrary $libname.a'
-  # Create ${libname}_ixlibrary.a entries in /sys/libs.
-  finish_eval='for lib in `ls $libdir/*.ixlibrary 2>/dev/null`; do libname=`$echo "X$lib" | $Xsed -e '\''s%^.*/\([^/]*\)\.ixlibrary$%\1%'\''`; test $rm /sys/libs/${libname}_ixlibrary.a; $show "cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a"; cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a || exit 1; done'
-  ;;
-
-beos*)
-  library_names_spec='${libname}${shared_ext}'
-  dynamic_linker="$host_os ld.so"
-  shlibpath_var=LIBRARY_PATH
-  ;;
-
-bsdi[45]*)
-  version_type=linux
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  finish_cmds='PATH="\$PATH:/sbin" ldconfig $libdir'
-  shlibpath_var=LD_LIBRARY_PATH
-  sys_lib_search_path_spec="/shlib /usr/lib /usr/X11/lib /usr/contrib/lib /lib /usr/local/lib"
-  sys_lib_dlsearch_path_spec="/shlib /usr/lib /usr/local/lib"
-  # the default ld.so.conf also contains /usr/contrib/lib and
-  # /usr/X11R6/lib (/usr/X11 is a link to /usr/X11R6), but let us allow
-  # libtool to hard-code these into programs
-  ;;
-
-cygwin* | mingw* | pw32*)
-  version_type=windows
-  shrext_cmds=".dll"
-  need_version=no
-  need_lib_prefix=no
 
-  case $GCC,$host_os in
-  yes,cygwin* | yes,mingw* | yes,pw32*)
-    library_names_spec='$libname.dll.a'
-    # DLL is installed to $(libdir)/../bin by postinstall_cmds
-    postinstall_cmds='base_file=`basename \${file}`~
-      dlpath=`$SHELL 2>&1 -c '\''. $dir/'\''\${base_file}'\''i;echo \$dlname'\''`~
-      dldir=$destdir/`dirname \$dlpath`~
-      test -d \$dldir || mkdir -p \$dldir~
-      $install_prog $dir/$dlname \$dldir/$dlname~
-      chmod a+x \$dldir/$dlname'
-    postuninstall_cmds='dldll=`$SHELL 2>&1 -c '\''. $file; echo \$dlname'\''`~
-      dlpath=$dir/\$dldll~
-       $rm \$dlpath'
-    shlibpath_overrides_runpath=yes
+    sysv5* | unixware* | sco3.2v5* | sco5v6* | OpenUNIX*)
+      lt_prog_compiler_wl='-Wl,'
+      lt_prog_compiler_pic='-KPIC'
+      lt_prog_compiler_static='-Bstatic'
+      ;;
 
-    case $host_os in
-    cygwin*)
-      # Cygwin DLLs use 'cyg' prefix rather than 'lib'
-      soname_spec='`echo ${libname} | sed -e 's/^lib/cyg/'``echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}'
-      sys_lib_search_path_spec="/usr/lib /lib/w32api /lib /usr/local/lib"
+    unicos*)
+      lt_prog_compiler_wl='-Wl,'
+      lt_prog_compiler_can_build_shared=no
       ;;
-    mingw*)
-      # MinGW DLLs use traditional 'lib' prefix
-      soname_spec='${libname}`echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}'
-      sys_lib_search_path_spec=`$CC -print-search-dirs | grep "^libraries:" | $SED -e "s/^libraries://" -e "s,=/,/,g"`
-      if echo "$sys_lib_search_path_spec" | grep ';[c-zC-Z]:/' >/dev/null; then
-        # It is most probably a Windows format PATH printed by
-        # mingw gcc, but we are running on Cygwin. Gcc prints its search
-        # path with ; separators, and with drive letters. We can handle the
-        # drive letters (cygwin fileutils understands them), so leave them,
-        # especially as we might pass files found there to a mingw objdump,
-        # which wouldn't understand a cygwinified path. Ahh.
-        sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'`
-      else
-        sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED  -e "s/$PATH_SEPARATOR/ /g"`
-      fi
+
+    uts4*)
+      lt_prog_compiler_pic='-pic'
+      lt_prog_compiler_static='-Bstatic'
       ;;
-    pw32*)
-      # pw32 DLLs use 'pw' prefix rather than 'lib'
-      library_names_spec='`echo ${libname} | sed -e 's/^lib/pw/'``echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}'
+
+    *)
+      lt_prog_compiler_can_build_shared=no
       ;;
     esac
-    ;;
+  fi
 
+case $host_os in
+  # For platforms which do not support PIC, -DPIC is meaningless:
+  *djgpp*)
+    lt_prog_compiler_pic=
+    ;;
   *)
-    library_names_spec='${libname}`echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext} $libname.lib'
+    lt_prog_compiler_pic="$lt_prog_compiler_pic -DPIC"
     ;;
-  esac
-  dynamic_linker='Win32 ld.exe'
-  # FIXME: first we should search . and the directory the executable is in
-  shlibpath_var=PATH
-  ;;
+esac
+{ echo "$as_me:$LINENO: result: $lt_prog_compiler_pic" >&5
+echo "${ECHO_T}$lt_prog_compiler_pic" >&6; }
 
-darwin* | rhapsody*)
-  dynamic_linker="$host_os dyld"
-  version_type=darwin
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${versuffix}$shared_ext ${libname}${release}${major}$shared_ext ${libname}$shared_ext'
-  soname_spec='${libname}${release}${major}$shared_ext'
-  shlibpath_overrides_runpath=yes
-  shlibpath_var=DYLD_LIBRARY_PATH
-  shrext_cmds='`test .$module = .yes && echo .so || echo .dylib`'
 
-  sys_lib_search_path_spec="$sys_lib_search_path_spec /usr/local/lib"
-  sys_lib_dlsearch_path_spec='/usr/local/lib /lib /usr/lib'
-  ;;
 
-dgux*)
-  version_type=linux
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname$shared_ext'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  ;;
 
-freebsd1*)
-  dynamic_linker=no
-  ;;
 
-freebsd* | dragonfly*)
-  # DragonFly does not have aout.  When/if they implement a new
-  # versioning mechanism, adjust this.
-  if test -x /usr/bin/objformat; then
-    objformat=`/usr/bin/objformat`
-  else
-    case $host_os in
-    freebsd[123]*) objformat=aout ;;
-    *) objformat=elf ;;
-    esac
-  fi
-  version_type=freebsd-$objformat
-  case $version_type in
-    freebsd-elf*)
-      library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext} $libname${shared_ext}'
-      need_version=no
-      need_lib_prefix=no
-      ;;
-    freebsd-*)
-      library_names_spec='${libname}${release}${shared_ext}$versuffix $libname${shared_ext}$versuffix'
-      need_version=yes
-      ;;
-  esac
-  shlibpath_var=LD_LIBRARY_PATH
-  case $host_os in
-  freebsd2*)
-    shlibpath_overrides_runpath=yes
-    ;;
-  freebsd3.[01]* | freebsdelf3.[01]*)
-    shlibpath_overrides_runpath=yes
-    hardcode_into_libs=yes
-    ;;
-  freebsd3.[2-9]* | freebsdelf3.[2-9]* | \
-  freebsd4.[0-5] | freebsdelf4.[0-5] | freebsd4.1.1 | freebsdelf4.1.1)
-    shlibpath_overrides_runpath=no
-    hardcode_into_libs=yes
-    ;;
-  *) # from 4.6 on, and DragonFly
-    shlibpath_overrides_runpath=yes
-    hardcode_into_libs=yes
-    ;;
-  esac
-  ;;
 
-gnu*)
-  version_type=linux
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}${major} ${libname}${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  hardcode_into_libs=yes
-  ;;
+#
+# Check to make sure the PIC flag actually works.
+#
+if test -n "$lt_prog_compiler_pic"; then
+  { echo "$as_me:$LINENO: checking if $compiler PIC flag $lt_prog_compiler_pic works" >&5
+echo $ECHO_N "checking if $compiler PIC flag $lt_prog_compiler_pic works... $ECHO_C" >&6; }
+if test "${lt_cv_prog_compiler_pic_works+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  lt_cv_prog_compiler_pic_works=no
+   ac_outfile=conftest.$ac_objext
+   echo "$lt_simple_compile_test_code" > conftest.$ac_ext
+   lt_compiler_flag="$lt_prog_compiler_pic -DPIC"
+   # Insert the option either (1) after the last *FLAGS variable, or
+   # (2) before a word containing "conftest.", or (3) at the end.
+   # Note that $ac_compile itself does not contain backslashes and begins
+   # with a dollar sign (not a hyphen), so the echo should work correctly.
+   # The option is referenced via a variable to avoid confusing sed.
+   lt_compile=`echo "$ac_compile" | $SED \
+   -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
+   -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
+   -e 's:$: $lt_compiler_flag:'`
+   (eval echo "\"\$as_me:9212: $lt_compile\"" >&5)
+   (eval "$lt_compile" 2>conftest.err)
+   ac_status=$?
+   cat conftest.err >&5
+   echo "$as_me:9216: \$? = $ac_status" >&5
+   if (exit $ac_status) && test -s "$ac_outfile"; then
+     # The compiler can only warn and ignore the option if not recognized
+     # So say no if there are warnings other than the usual output.
+     $ECHO "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' >conftest.exp
+     $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2
+     if test ! -s conftest.er2 || diff conftest.exp conftest.er2 >/dev/null; then
+       lt_cv_prog_compiler_pic_works=yes
+     fi
+   fi
+   $RM conftest*
 
-hpux9* | hpux10* | hpux11*)
-  # Give a soname corresponding to the major version so that dld.sl refuses to
-  # link against other versions.
-  version_type=sunos
-  need_lib_prefix=no
-  need_version=no
-  case $host_cpu in
-  ia64*)
-    shrext_cmds='.so'
-    hardcode_into_libs=yes
-    dynamic_linker="$host_os dld.so"
-    shlibpath_var=LD_LIBRARY_PATH
-    shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
-    library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-    soname_spec='${libname}${release}${shared_ext}$major'
-    if test "X$HPUX_IA64_MODE" = X32; then
-      sys_lib_search_path_spec="/usr/lib/hpux32 /usr/local/lib/hpux32 /usr/local/lib"
-    else
-      sys_lib_search_path_spec="/usr/lib/hpux64 /usr/local/lib/hpux64"
-    fi
-    sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
-    ;;
-   hppa*64*)
-     shrext_cmds='.sl'
-     hardcode_into_libs=yes
-     dynamic_linker="$host_os dld.sl"
-     shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH
-     shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
-     library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-     soname_spec='${libname}${release}${shared_ext}$major'
-     sys_lib_search_path_spec="/usr/lib/pa20_64 /usr/ccs/lib/pa20_64"
-     sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
-     ;;
-   *)
-    shrext_cmds='.sl'
-    dynamic_linker="$host_os dld.sl"
-    shlibpath_var=SHLIB_PATH
-    shlibpath_overrides_runpath=no # +s is required to enable SHLIB_PATH
-    library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-    soname_spec='${libname}${release}${shared_ext}$major'
-    ;;
-  esac
-  # HP-UX runs *really* slowly unless shared libraries are mode 555.
-  postinstall_cmds='chmod 555 $lib'
-  ;;
+fi
+{ echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_pic_works" >&5
+echo "${ECHO_T}$lt_cv_prog_compiler_pic_works" >&6; }
 
-interix[3-9]*)
-  version_type=linux
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  dynamic_linker='Interix 3.x ld.so.1 (PE, like ELF)'
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=no
-  hardcode_into_libs=yes
-  ;;
+if test x"$lt_cv_prog_compiler_pic_works" = xyes; then
+    case $lt_prog_compiler_pic in
+     "" | " "*) ;;
+     *) lt_prog_compiler_pic=" $lt_prog_compiler_pic" ;;
+     esac
+else
+    lt_prog_compiler_pic=
+     lt_prog_compiler_can_build_shared=no
+fi
 
-irix5* | irix6* | nonstopux*)
-  case $host_os in
-    nonstopux*) version_type=nonstopux ;;
-    *)
-	if test "$lt_cv_prog_gnu_ld" = yes; then
-		version_type=linux
-	else
-		version_type=irix
-	fi ;;
-  esac
-  need_lib_prefix=no
-  need_version=no
-  soname_spec='${libname}${release}${shared_ext}$major'
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext} $libname${shared_ext}'
-  case $host_os in
-  irix5* | nonstopux*)
-    libsuff= shlibsuff=
-    ;;
-  *)
-    case $LD in # libtool.m4 will add one of these switches to LD
-    *-32|*"-32 "|*-melf32bsmip|*"-melf32bsmip ")
-      libsuff= shlibsuff= libmagic=32-bit;;
-    *-n32|*"-n32 "|*-melf32bmipn32|*"-melf32bmipn32 ")
-      libsuff=32 shlibsuff=N32 libmagic=N32;;
-    *-64|*"-64 "|*-melf64bmip|*"-melf64bmip ")
-      libsuff=64 shlibsuff=64 libmagic=64-bit;;
-    *) libsuff= shlibsuff= libmagic=never-match;;
-    esac
-    ;;
-  esac
-  shlibpath_var=LD_LIBRARY${shlibsuff}_PATH
-  shlibpath_overrides_runpath=no
-  sys_lib_search_path_spec="/usr/lib${libsuff} /lib${libsuff} /usr/local/lib${libsuff}"
-  sys_lib_dlsearch_path_spec="/usr/lib${libsuff} /lib${libsuff}"
-  hardcode_into_libs=yes
-  ;;
+fi
 
-# No shared lib support for Linux oldld, aout, or coff.
-linux*oldld* | linux*aout* | linux*coff*)
-  dynamic_linker=no
-  ;;
 
-# This must be Linux ELF.
-linux* | k*bsd*-gnu)
-  version_type=linux
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  finish_cmds='PATH="\$PATH:/sbin" ldconfig -n $libdir'
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=no
-  # This implies no fast_install, which is unacceptable.
-  # Some rework will be needed to allow for fast_install
-  # before this can be enabled.
-  hardcode_into_libs=yes
 
-  # Append ld.so.conf contents to the search path
-  if test -f /etc/ld.so.conf; then
-    lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ 	]*hwcap[ 	]/d;s/[:,	]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;/^$/d' | tr '\n' ' '`
-    sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
-  fi
 
-  # We used to test for /lib/ld.so.1 and disable shared libraries on
-  # powerpc, because MkLinux only supported shared libraries with the
-  # GNU dynamic linker.  Since this was broken with cross compilers,
-  # most powerpc-linux boxes support dynamic linking these days and
-  # people can always --disable-shared, the test was removed, and we
-  # assume the GNU/Linux dynamic linker is in use.
-  dynamic_linker='GNU/Linux ld.so'
-  ;;
 
-netbsdelf*-gnu)
-  version_type=linux
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=no
-  hardcode_into_libs=yes
-  dynamic_linker='NetBSD ld.elf_so'
-  ;;
 
-netbsd*)
-  version_type=sunos
-  need_lib_prefix=no
-  need_version=no
-  if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
-    library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
-    finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
-    dynamic_linker='NetBSD (a.out) ld.so'
-  else
-    library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
-    soname_spec='${libname}${release}${shared_ext}$major'
-    dynamic_linker='NetBSD ld.elf_so'
-  fi
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=yes
-  hardcode_into_libs=yes
-  ;;
+#
+# Check to make sure the static flag actually works.
+#
+wl=$lt_prog_compiler_wl eval lt_tmp_static_flag=\"$lt_prog_compiler_static\"
+{ echo "$as_me:$LINENO: checking if $compiler static flag $lt_tmp_static_flag works" >&5
+echo $ECHO_N "checking if $compiler static flag $lt_tmp_static_flag works... $ECHO_C" >&6; }
+if test "${lt_cv_prog_compiler_static_works+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  lt_cv_prog_compiler_static_works=no
+   save_LDFLAGS="$LDFLAGS"
+   LDFLAGS="$LDFLAGS $lt_tmp_static_flag"
+   echo "$lt_simple_link_test_code" > conftest.$ac_ext
+   if (eval $ac_link 2>conftest.err) && test -s conftest$ac_exeext; then
+     # The linker can only warn and ignore the option if not recognized
+     # So say no if there are warnings
+     if test -s conftest.err; then
+       # Append any errors to the config.log.
+       cat conftest.err 1>&5
+       $ECHO "X$_lt_linker_boilerplate" | $Xsed -e '/^$/d' > conftest.exp
+       $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2
+       if diff conftest.exp conftest.er2 >/dev/null; then
+         lt_cv_prog_compiler_static_works=yes
+       fi
+     else
+       lt_cv_prog_compiler_static_works=yes
+     fi
+   fi
+   $RM -r conftest*
+   LDFLAGS="$save_LDFLAGS"
 
-newsos6)
-  version_type=linux
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=yes
-  ;;
+fi
+{ echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_static_works" >&5
+echo "${ECHO_T}$lt_cv_prog_compiler_static_works" >&6; }
 
-nto-qnx*)
-  version_type=linux
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=yes
-  ;;
+if test x"$lt_cv_prog_compiler_static_works" = xyes; then
+    :
+else
+    lt_prog_compiler_static=
+fi
 
-openbsd*)
-  version_type=sunos
-  sys_lib_dlsearch_path_spec="/usr/lib"
-  need_lib_prefix=no
-  # Some older versions of OpenBSD (3.3 at least) *do* need versioned libs.
-  case $host_os in
-    openbsd3.3 | openbsd3.3.*) need_version=yes ;;
-    *)                         need_version=no  ;;
-  esac
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
-  finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
-  shlibpath_var=LD_LIBRARY_PATH
-  if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
-    case $host_os in
-      openbsd2.[89] | openbsd2.[89].*)
-	shlibpath_overrides_runpath=no
-	;;
-      *)
-	shlibpath_overrides_runpath=yes
-	;;
-      esac
-  else
-    shlibpath_overrides_runpath=yes
-  fi
-  ;;
 
-os2*)
-  libname_spec='$name'
-  shrext_cmds=".dll"
-  need_lib_prefix=no
-  library_names_spec='$libname${shared_ext} $libname.a'
-  dynamic_linker='OS/2 ld.exe'
-  shlibpath_var=LIBPATH
-  ;;
 
-osf3* | osf4* | osf5*)
-  version_type=osf
-  need_lib_prefix=no
-  need_version=no
-  soname_spec='${libname}${release}${shared_ext}$major'
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-  shlibpath_var=LD_LIBRARY_PATH
-  sys_lib_search_path_spec="/usr/shlib /usr/ccs/lib /usr/lib/cmplrs/cc /usr/lib /usr/local/lib /var/shlib"
-  sys_lib_dlsearch_path_spec="$sys_lib_search_path_spec"
-  ;;
 
-rdos*)
-  dynamic_linker=no
-  ;;
 
-solaris*)
-  version_type=linux
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=yes
-  hardcode_into_libs=yes
-  # ldd complains unless libraries are executable
-  postinstall_cmds='chmod +x $lib'
-  ;;
 
-sunos4*)
-  version_type=sunos
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
-  finish_cmds='PATH="\$PATH:/usr/etc" ldconfig $libdir'
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=yes
-  if test "$with_gnu_ld" = yes; then
-    need_lib_prefix=no
-  fi
-  need_version=yes
-  ;;
 
-sysv4 | sysv4.3*)
-  version_type=linux
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  case $host_vendor in
-    sni)
-      shlibpath_overrides_runpath=no
-      need_lib_prefix=no
-      export_dynamic_flag_spec='${wl}-Blargedynsym'
-      runpath_var=LD_RUN_PATH
-      ;;
-    siemens)
-      need_lib_prefix=no
-      ;;
-    motorola)
-      need_lib_prefix=no
-      need_version=no
-      shlibpath_overrides_runpath=no
-      sys_lib_search_path_spec='/lib /usr/lib /usr/ccs/lib'
-      ;;
-  esac
-  ;;
+  { echo "$as_me:$LINENO: checking if $compiler supports -c -o file.$ac_objext" >&5
+echo $ECHO_N "checking if $compiler supports -c -o file.$ac_objext... $ECHO_C" >&6; }
+if test "${lt_cv_prog_compiler_c_o+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  lt_cv_prog_compiler_c_o=no
+   $RM -r conftest 2>/dev/null
+   mkdir conftest
+   cd conftest
+   mkdir out
+   echo "$lt_simple_compile_test_code" > conftest.$ac_ext
 
-sysv4*MP*)
-  if test -d /usr/nec ;then
-    version_type=linux
-    library_names_spec='$libname${shared_ext}.$versuffix $libname${shared_ext}.$major $libname${shared_ext}'
-    soname_spec='$libname${shared_ext}.$major'
-    shlibpath_var=LD_LIBRARY_PATH
-  fi
-  ;;
+   lt_compiler_flag="-o out/conftest2.$ac_objext"
+   # Insert the option either (1) after the last *FLAGS variable, or
+   # (2) before a word containing "conftest.", or (3) at the end.
+   # Note that $ac_compile itself does not contain backslashes and begins
+   # with a dollar sign (not a hyphen), so the echo should work correctly.
+   lt_compile=`echo "$ac_compile" | $SED \
+   -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
+   -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
+   -e 's:$: $lt_compiler_flag:'`
+   (eval echo "\"\$as_me:9317: $lt_compile\"" >&5)
+   (eval "$lt_compile" 2>out/conftest.err)
+   ac_status=$?
+   cat out/conftest.err >&5
+   echo "$as_me:9321: \$? = $ac_status" >&5
+   if (exit $ac_status) && test -s out/conftest2.$ac_objext
+   then
+     # The compiler can only warn and ignore the option if not recognized
+     # So say no if there are warnings
+     $ECHO "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' > out/conftest.exp
+     $SED '/^$/d; /^ *+/d' out/conftest.err >out/conftest.er2
+     if test ! -s out/conftest.er2 || diff out/conftest.exp out/conftest.er2 >/dev/null; then
+       lt_cv_prog_compiler_c_o=yes
+     fi
+   fi
+   chmod u+w . 2>&5
+   $RM conftest*
+   # SGI C++ compiler will create directory out/ii_files/ for
+   # template instantiation
+   test -d out/ii_files && $RM out/ii_files/* && rmdir out/ii_files
+   $RM out/* && rmdir out
+   cd ..
+   $RM -r conftest
+   $RM conftest*
 
-sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX* | sysv4*uw2*)
-  version_type=freebsd-elf
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext} $libname${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  hardcode_into_libs=yes
-  if test "$with_gnu_ld" = yes; then
-    sys_lib_search_path_spec='/usr/local/lib /usr/gnu/lib /usr/ccs/lib /usr/lib /lib'
-    shlibpath_overrides_runpath=no
-  else
-    sys_lib_search_path_spec='/usr/ccs/lib /usr/lib'
-    shlibpath_overrides_runpath=yes
-    case $host_os in
-      sco3.2v5*)
-        sys_lib_search_path_spec="$sys_lib_search_path_spec /lib"
-	;;
-    esac
-  fi
-  sys_lib_dlsearch_path_spec='/usr/lib'
-  ;;
+fi
+{ echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_c_o" >&5
+echo "${ECHO_T}$lt_cv_prog_compiler_c_o" >&6; }
 
-uts4*)
-  version_type=linux
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  ;;
 
-*)
-  dynamic_linker=no
-  ;;
-esac
-{ echo "$as_me:$LINENO: result: $dynamic_linker" >&5
-echo "${ECHO_T}$dynamic_linker" >&6; }
-test "$dynamic_linker" = no && can_build_shared=no
 
-if test "${lt_cv_sys_lib_search_path_spec+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  lt_cv_sys_lib_search_path_spec="$sys_lib_search_path_spec"
-fi
 
-sys_lib_search_path_spec="$lt_cv_sys_lib_search_path_spec"
-if test "${lt_cv_sys_lib_dlsearch_path_spec+set}" = set; then
+
+
+  { echo "$as_me:$LINENO: checking if $compiler supports -c -o file.$ac_objext" >&5
+echo $ECHO_N "checking if $compiler supports -c -o file.$ac_objext... $ECHO_C" >&6; }
+if test "${lt_cv_prog_compiler_c_o+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  lt_cv_sys_lib_dlsearch_path_spec="$sys_lib_dlsearch_path_spec"
-fi
+  lt_cv_prog_compiler_c_o=no
+   $RM -r conftest 2>/dev/null
+   mkdir conftest
+   cd conftest
+   mkdir out
+   echo "$lt_simple_compile_test_code" > conftest.$ac_ext
 
-sys_lib_dlsearch_path_spec="$lt_cv_sys_lib_dlsearch_path_spec"
+   lt_compiler_flag="-o out/conftest2.$ac_objext"
+   # Insert the option either (1) after the last *FLAGS variable, or
+   # (2) before a word containing "conftest.", or (3) at the end.
+   # Note that $ac_compile itself does not contain backslashes and begins
+   # with a dollar sign (not a hyphen), so the echo should work correctly.
+   lt_compile=`echo "$ac_compile" | $SED \
+   -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
+   -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
+   -e 's:$: $lt_compiler_flag:'`
+   (eval echo "\"\$as_me:9372: $lt_compile\"" >&5)
+   (eval "$lt_compile" 2>out/conftest.err)
+   ac_status=$?
+   cat out/conftest.err >&5
+   echo "$as_me:9376: \$? = $ac_status" >&5
+   if (exit $ac_status) && test -s out/conftest2.$ac_objext
+   then
+     # The compiler can only warn and ignore the option if not recognized
+     # So say no if there are warnings
+     $ECHO "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' > out/conftest.exp
+     $SED '/^$/d; /^ *+/d' out/conftest.err >out/conftest.er2
+     if test ! -s out/conftest.er2 || diff out/conftest.exp out/conftest.er2 >/dev/null; then
+       lt_cv_prog_compiler_c_o=yes
+     fi
+   fi
+   chmod u+w . 2>&5
+   $RM conftest*
+   # SGI C++ compiler will create directory out/ii_files/ for
+   # template instantiation
+   test -d out/ii_files && $RM out/ii_files/* && rmdir out/ii_files
+   $RM out/* && rmdir out
+   cd ..
+   $RM -r conftest
+   $RM conftest*
 
-variables_saved_for_relink="PATH $shlibpath_var $runpath_var"
-if test "$GCC" = yes; then
-  variables_saved_for_relink="$variables_saved_for_relink GCC_EXEC_PREFIX COMPILER_PATH LIBRARY_PATH"
 fi
+{ echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_c_o" >&5
+echo "${ECHO_T}$lt_cv_prog_compiler_c_o" >&6; }
 
-{ echo "$as_me:$LINENO: checking how to hardcode library paths into programs" >&5
-echo $ECHO_N "checking how to hardcode library paths into programs... $ECHO_C" >&6; }
-hardcode_action=
-if test -n "$hardcode_libdir_flag_spec" || \
-   test -n "$runpath_var" || \
-   test "X$hardcode_automatic" = "Xyes" ; then
 
-  # We can hardcode non-existant directories.
-  if test "$hardcode_direct" != no &&
-     # If the only mechanism to avoid hardcoding is shlibpath_var, we
-     # have to relink, otherwise we might link with an installed library
-     # when we should be linking with a yet-to-be-installed one
-     ## test "$_LT_AC_TAGVAR(hardcode_shlibpath_var, )" != no &&
-     test "$hardcode_minus_L" != no; then
-    # Linking always hardcodes the temporary library directory.
-    hardcode_action=relink
-  else
-    # We can link without hardcoding, and we can hardcode nonexisting dirs.
-    hardcode_action=immediate
-  fi
-else
-  # We cannot hardcode anything, or else we can only hardcode existing
-  # directories.
-  hardcode_action=unsupported
-fi
-{ echo "$as_me:$LINENO: result: $hardcode_action" >&5
-echo "${ECHO_T}$hardcode_action" >&6; }
 
-if test "$hardcode_action" = relink; then
-  # Fast installation is not supported
-  enable_fast_install=no
-elif test "$shlibpath_overrides_runpath" = yes ||
-     test "$enable_shared" = no; then
-  # Fast installation is not necessary
-  enable_fast_install=needless
-fi
 
-striplib=
-old_striplib=
-{ echo "$as_me:$LINENO: checking whether stripping libraries is possible" >&5
-echo $ECHO_N "checking whether stripping libraries is possible... $ECHO_C" >&6; }
-if test -n "$STRIP" && $STRIP -V 2>&1 | grep "GNU strip" >/dev/null; then
-  test -z "$old_striplib" && old_striplib="$STRIP --strip-debug"
-  test -z "$striplib" && striplib="$STRIP --strip-unneeded"
-  { echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6; }
+hard_links="nottested"
+if test "$lt_cv_prog_compiler_c_o" = no && test "$need_locks" != no; then
+  # do not overwrite the value of need_locks provided by the user
+  { echo "$as_me:$LINENO: checking if we can lock with hard links" >&5
+echo $ECHO_N "checking if we can lock with hard links... $ECHO_C" >&6; }
+  hard_links=yes
+  $RM conftest*
+  ln conftest.a conftest.b 2>/dev/null && hard_links=no
+  touch conftest.a
+  ln conftest.a conftest.b 2>&5 || hard_links=no
+  ln conftest.a conftest.b 2>/dev/null && hard_links=no
+  { echo "$as_me:$LINENO: result: $hard_links" >&5
+echo "${ECHO_T}$hard_links" >&6; }
+  if test "$hard_links" = no; then
+    { echo "$as_me:$LINENO: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&5
+echo "$as_me: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&2;}
+    need_locks=warn
+  fi
 else
-# FIXME - insert some real tests, host_os isn't really good enough
-  case $host_os in
-   darwin*)
-       if test -n "$STRIP" ; then
-         striplib="$STRIP -x"
-         old_striplib="$STRIP -S"
-         { echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6; }
-       else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
-fi
-       ;;
-   *)
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
-    ;;
-  esac
+  need_locks=no
 fi
 
-if test "x$enable_dlopen" != xyes; then
-  enable_dlopen=unknown
-  enable_dlopen_self=unknown
-  enable_dlopen_self_static=unknown
-else
-  lt_cv_dlopen=no
-  lt_cv_dlopen_libs=
 
-  case $host_os in
-  beos*)
-    lt_cv_dlopen="load_add_on"
-    lt_cv_dlopen_libs=
-    lt_cv_dlopen_self=yes
-    ;;
 
-  mingw* | pw32*)
-    lt_cv_dlopen="LoadLibrary"
-    lt_cv_dlopen_libs=
-   ;;
 
-  cygwin*)
-    lt_cv_dlopen="dlopen"
-    lt_cv_dlopen_libs=
-   ;;
 
-  darwin*)
-  # if libdl is installed we need to link against it
-    { echo "$as_me:$LINENO: checking for dlopen in -ldl" >&5
-echo $ECHO_N "checking for dlopen in -ldl... $ECHO_C" >&6; }
-if test "${ac_cv_lib_dl_dlopen+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  ac_check_lib_save_LIBS=$LIBS
-LIBS="-ldl  $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 
-/* Override any GCC internal prototype to avoid an error.
-   Use char because int might match the return type of a GCC
-   builtin and then its argument prototype would still apply.  */
-#ifdef __cplusplus
-extern "C"
-#endif
-char dlopen ();
-int
-main ()
-{
-return dlopen ();
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
-  ac_cv_lib_dl_dlopen=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+  { echo "$as_me:$LINENO: checking whether the $compiler linker ($LD) supports shared libraries" >&5
+echo $ECHO_N "checking whether the $compiler linker ($LD) supports shared libraries... $ECHO_C" >&6; }
 
-	ac_cv_lib_dl_dlopen=no
-fi
+  runpath_var=
+  allow_undefined_flag=
+  always_export_symbols=no
+  archive_cmds=
+  archive_expsym_cmds=
+  compiler_needs_object=no
+  enable_shared_with_static_runtimes=no
+  export_dynamic_flag_spec=
+  export_symbols_cmds='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols'
+  hardcode_automatic=no
+  hardcode_direct=no
+  hardcode_direct_absolute=no
+  hardcode_libdir_flag_spec=
+  hardcode_libdir_flag_spec_ld=
+  hardcode_libdir_separator=
+  hardcode_minus_L=no
+  hardcode_shlibpath_var=unsupported
+  inherit_rpath=no
+  link_all_deplibs=unknown
+  module_cmds=
+  module_expsym_cmds=
+  old_archive_from_new_cmds=
+  old_archive_from_expsyms_cmds=
+  thread_safe_flag_spec=
+  whole_archive_flag_spec=
+  # include_expsyms should be a list of space-separated symbols to be *always*
+  # included in the symbol list
+  include_expsyms=
+  # exclude_expsyms can be an extended regexp of symbols to exclude
+  # it will be wrapped by ` (' and `)$', so one must not match beginning or
+  # end of line.  Example: `a|bc|.*d.*' will exclude the symbols `a' and `bc',
+  # as well as any symbol that contains `d'.
+  exclude_expsyms='_GLOBAL_OFFSET_TABLE_|_GLOBAL__F[ID]_.*'
+  # Although _GLOBAL_OFFSET_TABLE_ is a valid symbol C name, most a.out
+  # platforms (ab)use it in PIC code, but their linkers get confused if
+  # the symbol is explicitly referenced.  Since portable code cannot
+  # rely on this symbol name, it's probably fine to never include it in
+  # preloaded symbol tables.
+  # Exclude shared library initialization/finalization symbols.
+  extract_expsyms_cmds=
 
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-{ echo "$as_me:$LINENO: result: $ac_cv_lib_dl_dlopen" >&5
-echo "${ECHO_T}$ac_cv_lib_dl_dlopen" >&6; }
-if test $ac_cv_lib_dl_dlopen = yes; then
-  lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-ldl"
-else
+  case $host_os in
+  cygwin* | mingw* | pw32*)
+    # FIXME: the MSVC++ port hasn't been tested in a loooong time
+    # When not using gcc, we currently assume that we are using
+    # Microsoft Visual C++.
+    if test "$GCC" != yes; then
+      with_gnu_ld=no
+    fi
+    ;;
+  interix*)
+    # we just hope/assume this is gcc and not c89 (= MSVC++)
+    with_gnu_ld=yes
+    ;;
+  openbsd*)
+    with_gnu_ld=no
+    ;;
+  esac
 
-    lt_cv_dlopen="dyld"
-    lt_cv_dlopen_libs=
-    lt_cv_dlopen_self=yes
+  ld_shlibs=yes
+  if test "$with_gnu_ld" = yes; then
+    # If archive_cmds runs LD, not CC, wlarc should be empty
+    wlarc='${wl}'
 
-fi
+    # Set some defaults for GNU ld with shared library support. These
+    # are reset later if shared libraries are not supported. Putting them
+    # here allows them to be overridden if necessary.
+    runpath_var=LD_RUN_PATH
+    hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir'
+    export_dynamic_flag_spec='${wl}--export-dynamic'
+    # ancient GNU ld didn't support --whole-archive et. al.
+    if $LD --help 2>&1 | $GREP 'no-whole-archive' > /dev/null; then
+      whole_archive_flag_spec="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive'
+    else
+      whole_archive_flag_spec=
+    fi
+    supports_anon_versioning=no
+    case `$LD -v 2>&1` in
+      *\ [01].* | *\ 2.[0-9].* | *\ 2.10.*) ;; # catch versions < 2.11
+      *\ 2.11.93.0.2\ *) supports_anon_versioning=yes ;; # RH7.3 ...
+      *\ 2.11.92.0.12\ *) supports_anon_versioning=yes ;; # Mandrake 8.2 ...
+      *\ 2.11.*) ;; # other 2.11 versions
+      *) supports_anon_versioning=yes ;;
+    esac
 
-   ;;
+    # See if GNU ld supports shared libraries.
+    case $host_os in
+    aix[3-9]*)
+      # On AIX/PPC, the GNU linker is very broken
+      if test "$host_cpu" != ia64; then
+	ld_shlibs=no
+	cat <<_LT_EOF 1>&2
 
-  *)
-    { echo "$as_me:$LINENO: checking for shl_load" >&5
-echo $ECHO_N "checking for shl_load... $ECHO_C" >&6; }
-if test "${ac_cv_func_shl_load+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-/* Define shl_load to an innocuous variant, in case <limits.h> declares shl_load.
-   For example, HP-UX 11i <limits.h> declares gettimeofday.  */
-#define shl_load innocuous_shl_load
+*** Warning: the GNU linker, at least up to release 2.9.1, is reported
+*** to be unable to reliably create shared libraries on AIX.
+*** Therefore, libtool is disabling shared libraries support.  If you
+*** really care for shared libraries, you may want to modify your PATH
+*** so that a non-GNU linker is found, and then restart.
 
-/* System header to define __stub macros and hopefully few prototypes,
-    which can conflict with char shl_load (); below.
-    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
-    <limits.h> exists even on freestanding compilers.  */
+_LT_EOF
+      fi
+      ;;
 
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
+    amigaos*)
+      case $host_cpu in
+      powerpc)
+            # see comment about AmigaOS4 .so support
+            archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+            archive_expsym_cmds=''
+        ;;
+      m68k)
+            archive_cmds='$RM $output_objdir/a2ixlibrary.data~$ECHO "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$ECHO "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$ECHO "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$ECHO "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)'
+            hardcode_libdir_flag_spec='-L$libdir'
+            hardcode_minus_L=yes
+        ;;
+      esac
+      ;;
 
-#undef shl_load
+    beos*)
+      if $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then
+	allow_undefined_flag=unsupported
+	# Joseph Beckenbach <jrb3@best.com> says some releases of gcc
+	# support --undefined.  This deserves some investigation.  FIXME
+	archive_cmds='$CC -nostart $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+      else
+	ld_shlibs=no
+      fi
+      ;;
 
-/* Override any GCC internal prototype to avoid an error.
-   Use char because int might match the return type of a GCC
-   builtin and then its argument prototype would still apply.  */
-#ifdef __cplusplus
-extern "C"
-#endif
-char shl_load ();
-/* The GNU C library defines this for functions which it implements
-    to always fail with ENOSYS.  Some functions are actually named
-    something starting with __ and the normal name is an alias.  */
-#if defined __stub_shl_load || defined __stub___shl_load
-choke me
-#endif
+    cygwin* | mingw* | pw32*)
+      # _LT_TAGVAR(hardcode_libdir_flag_spec, ) is actually meaningless,
+      # as there is no search path for DLLs.
+      hardcode_libdir_flag_spec='-L$libdir'
+      allow_undefined_flag=unsupported
+      always_export_symbols=no
+      enable_shared_with_static_runtimes=yes
+      export_symbols_cmds='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[BCDGRS][ ]/s/.*[ ]\([^ ]*\)/\1 DATA/'\'' | $SED -e '\''/^[AITW][ ]/s/.*[ ]//'\'' | sort | uniq > $export_symbols'
 
-int
-main ()
-{
-return shl_load ();
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
-  ac_cv_func_shl_load=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+      if $LD --help 2>&1 | $GREP 'auto-import' > /dev/null; then
+        archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
+	# If the export-symbols file already is a .def file (1st line
+	# is EXPORTS), use it as is; otherwise, prepend...
+	archive_expsym_cmds='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then
+	  cp $export_symbols $output_objdir/$soname.def;
+	else
+	  echo EXPORTS > $output_objdir/$soname.def;
+	  cat $export_symbols >> $output_objdir/$soname.def;
+	fi~
+	$CC -shared $output_objdir/$soname.def $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
+      else
+	ld_shlibs=no
+      fi
+      ;;
 
-	ac_cv_func_shl_load=no
-fi
+    interix[3-9]*)
+      hardcode_direct=no
+      hardcode_shlibpath_var=no
+      hardcode_libdir_flag_spec='${wl}-rpath,$libdir'
+      export_dynamic_flag_spec='${wl}-E'
+      # Hack: On Interix 3.x, we cannot compile PIC because of a broken gcc.
+      # Instead, shared libraries are loaded at an image base (0x10000000 by
+      # default) and relocated if they conflict, which is a slow very memory
+      # consuming and fragmenting process.  To avoid this, we pick a random,
+      # 256 KiB-aligned image base between 0x50000000 and 0x6FFC0000 at link
+      # time.  Moving up from 0x10000000 also allows more sbrk(2) space.
+      archive_cmds='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
+      archive_expsym_cmds='sed "s,^,_," $export_symbols >$output_objdir/$soname.expsym~$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--retain-symbols-file,$output_objdir/$soname.expsym ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
+      ;;
 
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
-fi
-{ echo "$as_me:$LINENO: result: $ac_cv_func_shl_load" >&5
-echo "${ECHO_T}$ac_cv_func_shl_load" >&6; }
-if test $ac_cv_func_shl_load = yes; then
-  lt_cv_dlopen="shl_load"
-else
-  { echo "$as_me:$LINENO: checking for shl_load in -ldld" >&5
-echo $ECHO_N "checking for shl_load in -ldld... $ECHO_C" >&6; }
-if test "${ac_cv_lib_dld_shl_load+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  ac_check_lib_save_LIBS=$LIBS
-LIBS="-ldld  $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
+    gnu* | linux* | tpf* | k*bsd*-gnu)
+      tmp_diet=no
+      if test "$host_os" = linux-dietlibc; then
+	case $cc_basename in
+	  diet\ *) tmp_diet=yes;;	# linux-dietlibc with static linking (!diet-dyn)
+	esac
+      fi
+      if $LD --help 2>&1 | $EGREP ': supported targets:.* elf' > /dev/null \
+	 && test "$tmp_diet" = no
+      then
+	tmp_addflag=
+	tmp_sharedflag='-shared'
+	case $cc_basename,$host_cpu in
+        pgcc*)				# Portland Group C compiler
+	  whole_archive_flag_spec='${wl}--whole-archive`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $ECHO \"$new_convenience\"` ${wl}--no-whole-archive'
+	  tmp_addflag=' $pic_flag'
+	  ;;
+	pgf77* | pgf90* | pgf95*)	# Portland Group f77 and f90 compilers
+	  whole_archive_flag_spec='${wl}--whole-archive`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $ECHO \"$new_convenience\"` ${wl}--no-whole-archive'
+	  tmp_addflag=' $pic_flag -Mnomain' ;;
+	ecc*,ia64* | icc*,ia64*)	# Intel C compiler on ia64
+	  tmp_addflag=' -i_dynamic' ;;
+	efc*,ia64* | ifort*,ia64*)	# Intel Fortran compiler on ia64
+	  tmp_addflag=' -i_dynamic -nofor_main' ;;
+	ifc* | ifort*)			# Intel Fortran compiler
+	  tmp_addflag=' -nofor_main' ;;
+	xl[cC]*)			# IBM XL C 8.0 on PPC (deal with xlf below)
+	  tmp_sharedflag='-qmkshrobj'
+	  tmp_addflag= ;;
+	esac
+	case `$CC -V 2>&1 | sed 5q` in
+	*Sun\ C*)			# Sun C 5.9
+	  whole_archive_flag_spec='${wl}--whole-archive`new_convenience=; for conv in $convenience\"\"; do test -z \"$conv\" || new_convenience=\"$new_convenience,$conv\"; done; $ECHO \"$new_convenience\"` ${wl}--no-whole-archive'
+	  compiler_needs_object=yes
+	  tmp_sharedflag='-G' ;;
+	*Sun\ F*)			# Sun Fortran 8.3
+	  tmp_sharedflag='-G' ;;
+	esac
+	archive_cmds='$CC '"$tmp_sharedflag""$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+
+        if test "x$supports_anon_versioning" = xyes; then
+          archive_expsym_cmds='echo "{ global:" > $output_objdir/$libname.ver~
+	    cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~
+	    echo "local: *; };" >> $output_objdir/$libname.ver~
+	    $CC '"$tmp_sharedflag""$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-version-script ${wl}$output_objdir/$libname.ver -o $lib'
+        fi
+
+	case $cc_basename in
+	xlf*)
+	  # IBM XL Fortran 10.1 on PPC cannot create shared libs itself
+	  whole_archive_flag_spec='--whole-archive$convenience --no-whole-archive'
+	  hardcode_libdir_flag_spec=
+	  hardcode_libdir_flag_spec_ld='-rpath $libdir'
+	  archive_cmds='$LD -shared $libobjs $deplibs $compiler_flags -soname $soname -o $lib'
+	  if test "x$supports_anon_versioning" = xyes; then
+	    archive_expsym_cmds='echo "{ global:" > $output_objdir/$libname.ver~
+	      cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~
+	      echo "local: *; };" >> $output_objdir/$libname.ver~
+	      $LD -shared $libobjs $deplibs $compiler_flags -soname $soname -version-script $output_objdir/$libname.ver -o $lib'
+	  fi
+	  ;;
+	esac
+      else
+        ld_shlibs=no
+      fi
+      ;;
+
+    netbsd* | netbsdelf*-gnu)
+      if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then
+	archive_cmds='$LD -Bshareable $libobjs $deplibs $linker_flags -o $lib'
+	wlarc=
+      else
+	archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+	archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+      fi
+      ;;
+
+    solaris*)
+      if $LD -v 2>&1 | $GREP 'BFD 2\.8' > /dev/null; then
+	ld_shlibs=no
+	cat <<_LT_EOF 1>&2
+
+*** Warning: The releases 2.8.* of the GNU linker cannot reliably
+*** create shared libraries on Solaris systems.  Therefore, libtool
+*** is disabling shared libraries support.  We urge you to upgrade GNU
+*** binutils to release 2.9.1 or newer.  Another option is to modify
+*** your PATH or compiler configuration so that the native linker is
+*** used, and then restart.
+
+_LT_EOF
+      elif $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then
+	archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+	archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+      else
+	ld_shlibs=no
+      fi
+      ;;
+
+    sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX*)
+      case `$LD -v 2>&1` in
+        *\ [01].* | *\ 2.[0-9].* | *\ 2.1[0-5].*)
+	ld_shlibs=no
+	cat <<_LT_EOF 1>&2
+
+*** Warning: Releases of the GNU linker prior to 2.16.91.0.3 can not
+*** reliably create shared libraries on SCO systems.  Therefore, libtool
+*** is disabling shared libraries support.  We urge you to upgrade GNU
+*** binutils to release 2.16.91.0.3 or newer.  Another option is to modify
+*** your PATH or compiler configuration so that the native linker is
+*** used, and then restart.
+
+_LT_EOF
+	;;
+	*)
+	  # For security reasons, it is highly recommended that you always
+	  # use absolute paths for naming shared libraries, and exclude the
+	  # DT_RUNPATH tag from executables and libraries.  But doing so
+	  # requires that you compile everything twice, which is a pain.
+	  if $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then
+	    hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir'
+	    archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+	    archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+	  else
+	    ld_shlibs=no
+	  fi
+	;;
+      esac
+      ;;
+
+    sunos4*)
+      archive_cmds='$LD -assert pure-text -Bshareable -o $lib $libobjs $deplibs $linker_flags'
+      wlarc=
+      hardcode_direct=yes
+      hardcode_shlibpath_var=no
+      ;;
+
+    *)
+      if $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then
+	archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+	archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+      else
+	ld_shlibs=no
+      fi
+      ;;
+    esac
+
+    if test "$ld_shlibs" = no; then
+      runpath_var=
+      hardcode_libdir_flag_spec=
+      export_dynamic_flag_spec=
+      whole_archive_flag_spec=
+    fi
+  else
+    # PORTME fill in a description of your system's linker (not GNU ld)
+    case $host_os in
+    aix3*)
+      allow_undefined_flag=unsupported
+      always_export_symbols=yes
+      archive_expsym_cmds='$LD -o $output_objdir/$soname $libobjs $deplibs $linker_flags -bE:$export_symbols -T512 -H512 -bM:SRE~$AR $AR_FLAGS $lib $output_objdir/$soname'
+      # Note: this linker hardcodes the directories in LIBPATH if there
+      # are no directories specified by -L.
+      hardcode_minus_L=yes
+      if test "$GCC" = yes && test -z "$lt_prog_compiler_static"; then
+	# Neither direct hardcoding nor static linking is supported with a
+	# broken collect2.
+	hardcode_direct=unsupported
+      fi
+      ;;
+
+    aix[4-9]*)
+      if test "$host_cpu" = ia64; then
+	# On IA64, the linker does run time linking by default, so we don't
+	# have to do anything special.
+	aix_use_runtimelinking=no
+	exp_sym_flag='-Bexport'
+	no_entry_flag=""
+      else
+	# If we're using GNU nm, then we don't want the "-C" option.
+	# -C means demangle to AIX nm, but means don't demangle with GNU nm
+	if $NM -V 2>&1 | $GREP 'GNU' > /dev/null; then
+	  export_symbols_cmds='$NM -Bpg $libobjs $convenience | awk '\''{ if (((\$ 2 == "T") || (\$ 2 == "D") || (\$ 2 == "B")) && (substr(\$ 3,1,1) != ".")) { print \$ 3 } }'\'' | sort -u > $export_symbols'
+	else
+	  export_symbols_cmds='$NM -BCpg $libobjs $convenience | awk '\''{ if (((\$ 2 == "T") || (\$ 2 == "D") || (\$ 2 == "B")) && (substr(\$ 3,1,1) != ".")) { print \$ 3 } }'\'' | sort -u > $export_symbols'
+	fi
+	aix_use_runtimelinking=no
+
+	# Test if we are trying to use run time linking or normal
+	# AIX style linking. If -brtl is somewhere in LDFLAGS, we
+	# need to do runtime linking.
+	case $host_os in aix4.[23]|aix4.[23].*|aix[5-9]*)
+	  for ld_flag in $LDFLAGS; do
+	  if (test $ld_flag = "-brtl" || test $ld_flag = "-Wl,-brtl"); then
+	    aix_use_runtimelinking=yes
+	    break
+	  fi
+	  done
+	  ;;
+	esac
+
+	exp_sym_flag='-bexport'
+	no_entry_flag='-bnoentry'
+      fi
+
+      # When large executables or shared objects are built, AIX ld can
+      # have problems creating the table of contents.  If linking a library
+      # or program results in "error TOC overflow" add -mminimal-toc to
+      # CXXFLAGS/CFLAGS for g++/gcc.  In the cases where that is not
+      # enough to fix the problem, add -Wl,-bbigtoc to LDFLAGS.
+
+      archive_cmds=''
+      hardcode_direct=yes
+      hardcode_direct_absolute=yes
+      hardcode_libdir_separator=':'
+      link_all_deplibs=yes
+      file_list_spec='${wl}-f,'
+
+      if test "$GCC" = yes; then
+	case $host_os in aix4.[012]|aix4.[012].*)
+	# We only want to do this on AIX 4.2 and lower, the check
+	# below for broken collect2 doesn't work under 4.3+
+	  collect2name=`${CC} -print-prog-name=collect2`
+	  if test -f "$collect2name" &&
+	   strings "$collect2name" | $GREP resolve_lib_name >/dev/null
+	  then
+	  # We have reworked collect2
+	  :
+	  else
+	  # We have old collect2
+	  hardcode_direct=unsupported
+	  # It fails to find uninstalled libraries when the uninstalled
+	  # path is not listed in the libpath.  Setting hardcode_minus_L
+	  # to unsupported forces relinking
+	  hardcode_minus_L=yes
+	  hardcode_libdir_flag_spec='-L$libdir'
+	  hardcode_libdir_separator=
+	  fi
+	  ;;
+	esac
+	shared_flag='-shared'
+	if test "$aix_use_runtimelinking" = yes; then
+	  shared_flag="$shared_flag "'${wl}-G'
+	fi
+	link_all_deplibs=no
+      else
+	# not using gcc
+	if test "$host_cpu" = ia64; then
+	# VisualAge C++, Version 5.5 for AIX 5L for IA-64, Beta 3 Release
+	# chokes on -Wl,-G. The following line is correct:
+	  shared_flag='-G'
+	else
+	  if test "$aix_use_runtimelinking" = yes; then
+	    shared_flag='${wl}-G'
+	  else
+	    shared_flag='${wl}-bM:SRE'
+	  fi
+	fi
+      fi
+
+      # It seems that -bexpall does not export symbols beginning with
+      # underscore (_), so it is better to generate a list of symbols to export.
+      always_export_symbols=yes
+      if test "$aix_use_runtimelinking" = yes; then
+	# Warning - without using the other runtime loading flags (-brtl),
+	# -berok will link without error, but may produce a broken library.
+	allow_undefined_flag='-berok'
+        # Determine the default libpath from the value encoded in an
+        # empty executable.
+        cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
 cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 
-/* Override any GCC internal prototype to avoid an error.
-   Use char because int might match the return type of a GCC
-   builtin and then its argument prototype would still apply.  */
-#ifdef __cplusplus
-extern "C"
-#endif
-char shl_load ();
 int
 main ()
 {
-return shl_load ();
+
   ;
   return 0;
 }
@@ -11427,69 +9900,51 @@ eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
 	 test ! -s conftest.err
        } && test -s conftest$ac_exeext &&
        $as_test_x conftest$ac_exeext; then
-  ac_cv_lib_dld_shl_load=yes
+
+lt_aix_libpath_sed='
+    /Import File Strings/,/^$/ {
+	/^0/ {
+	    s/^0  *\(.*\)$/\1/
+	    p
+	}
+    }'
+aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
+# Check for a 64-bit object if we didn't find anything.
+if test -z "$aix_libpath"; then
+  aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
+fi
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-	ac_cv_lib_dld_shl_load=no
+
 fi
 
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-{ echo "$as_me:$LINENO: result: $ac_cv_lib_dld_shl_load" >&5
-echo "${ECHO_T}$ac_cv_lib_dld_shl_load" >&6; }
-if test $ac_cv_lib_dld_shl_load = yes; then
-  lt_cv_dlopen="shl_load" lt_cv_dlopen_libs="-ldld"
-else
-  { echo "$as_me:$LINENO: checking for dlopen" >&5
-echo $ECHO_N "checking for dlopen... $ECHO_C" >&6; }
-if test "${ac_cv_func_dlopen+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  cat >conftest.$ac_ext <<_ACEOF
+if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
+
+        hardcode_libdir_flag_spec='${wl}-blibpath:$libdir:'"$aix_libpath"
+        archive_expsym_cmds='$CC -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then $ECHO "X${wl}${allow_undefined_flag}" | $Xsed; else :; fi` '"\${wl}$exp_sym_flag:\$export_symbols $shared_flag"
+      else
+	if test "$host_cpu" = ia64; then
+	  hardcode_libdir_flag_spec='${wl}-R $libdir:/usr/lib:/lib'
+	  allow_undefined_flag="-z nodefs"
+	  archive_expsym_cmds="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags ${wl}${allow_undefined_flag} '"\${wl}$exp_sym_flag:\$export_symbols"
+	else
+	 # Determine the default libpath from the value encoded in an
+	 # empty executable.
+	 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
 cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
-/* Define dlopen to an innocuous variant, in case <limits.h> declares dlopen.
-   For example, HP-UX 11i <limits.h> declares gettimeofday.  */
-#define dlopen innocuous_dlopen
-
-/* System header to define __stub macros and hopefully few prototypes,
-    which can conflict with char dlopen (); below.
-    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
-    <limits.h> exists even on freestanding compilers.  */
-
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
-
-#undef dlopen
-
-/* Override any GCC internal prototype to avoid an error.
-   Use char because int might match the return type of a GCC
-   builtin and then its argument prototype would still apply.  */
-#ifdef __cplusplus
-extern "C"
-#endif
-char dlopen ();
-/* The GNU C library defines this for functions which it implements
-    to always fail with ENOSYS.  Some functions are actually named
-    something starting with __ and the normal name is an alias.  */
-#if defined __stub_dlopen || defined __stub___dlopen
-choke me
-#endif
 
 int
 main ()
 {
-return dlopen ();
+
   ;
   return 0;
 }
@@ -11512,50 +9967,237 @@ eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
 	 test ! -s conftest.err
        } && test -s conftest$ac_exeext &&
        $as_test_x conftest$ac_exeext; then
-  ac_cv_func_dlopen=yes
+
+lt_aix_libpath_sed='
+    /Import File Strings/,/^$/ {
+	/^0/ {
+	    s/^0  *\(.*\)$/\1/
+	    p
+	}
+    }'
+aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
+# Check for a 64-bit object if we didn't find anything.
+if test -z "$aix_libpath"; then
+  aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
+fi
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-	ac_cv_func_dlopen=no
+
 fi
 
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
-fi
-{ echo "$as_me:$LINENO: result: $ac_cv_func_dlopen" >&5
-echo "${ECHO_T}$ac_cv_func_dlopen" >&6; }
-if test $ac_cv_func_dlopen = yes; then
-  lt_cv_dlopen="dlopen"
-else
-  { echo "$as_me:$LINENO: checking for dlopen in -ldl" >&5
-echo $ECHO_N "checking for dlopen in -ldl... $ECHO_C" >&6; }
-if test "${ac_cv_lib_dl_dlopen+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  ac_check_lib_save_LIBS=$LIBS
-LIBS="-ldl  $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
+if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
 
-/* Override any GCC internal prototype to avoid an error.
-   Use char because int might match the return type of a GCC
-   builtin and then its argument prototype would still apply.  */
-#ifdef __cplusplus
-extern "C"
-#endif
-char dlopen ();
-int
-main ()
-{
-return dlopen ();
-  ;
-  return 0;
-}
+	 hardcode_libdir_flag_spec='${wl}-blibpath:$libdir:'"$aix_libpath"
+	  # Warning - without using the other run time loading flags,
+	  # -berok will link without error, but may produce a broken library.
+	  no_undefined_flag=' ${wl}-bernotok'
+	  allow_undefined_flag=' ${wl}-berok'
+	  # Exported symbols can be pulled into shared objects from archives
+	  whole_archive_flag_spec='$convenience'
+	  archive_cmds_need_lc=yes
+	  # This is similar to how AIX traditionally builds its shared libraries.
+	  archive_expsym_cmds="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs ${wl}-bnoentry $compiler_flags ${wl}-bE:$export_symbols${allow_undefined_flag}~$AR $AR_FLAGS $output_objdir/$libname$release.a $output_objdir/$soname'
+	fi
+      fi
+      ;;
+
+    amigaos*)
+      case $host_cpu in
+      powerpc)
+            # see comment about AmigaOS4 .so support
+            archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+            archive_expsym_cmds=''
+        ;;
+      m68k)
+            archive_cmds='$RM $output_objdir/a2ixlibrary.data~$ECHO "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$ECHO "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$ECHO "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$ECHO "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)'
+            hardcode_libdir_flag_spec='-L$libdir'
+            hardcode_minus_L=yes
+        ;;
+      esac
+      ;;
+
+    bsdi[45]*)
+      export_dynamic_flag_spec=-rdynamic
+      ;;
+
+    cygwin* | mingw* | pw32*)
+      # When not using gcc, we currently assume that we are using
+      # Microsoft Visual C++.
+      # hardcode_libdir_flag_spec is actually meaningless, as there is
+      # no search path for DLLs.
+      hardcode_libdir_flag_spec=' '
+      allow_undefined_flag=unsupported
+      # Tell ltmain to make .lib files, not .a files.
+      libext=lib
+      # Tell ltmain to make .dll files, not .so files.
+      shrext_cmds=".dll"
+      # FIXME: Setting linknames here is a bad hack.
+      archive_cmds='$CC -o $lib $libobjs $compiler_flags `$ECHO "X$deplibs" | $Xsed -e '\''s/ -lc$//'\''` -link -dll~linknames='
+      # The linker will automatically build a .lib file if we build a DLL.
+      old_archive_from_new_cmds='true'
+      # FIXME: Should let the user specify the lib program.
+      old_archive_cmds='lib -OUT:$oldlib$oldobjs$old_deplibs'
+      fix_srcfile_path='`cygpath -w "$srcfile"`'
+      enable_shared_with_static_runtimes=yes
+      ;;
+
+    darwin* | rhapsody*)
+
+
+  archive_cmds_need_lc=no
+  hardcode_direct=no
+  hardcode_automatic=yes
+  hardcode_shlibpath_var=unsupported
+  whole_archive_flag_spec=''
+  link_all_deplibs=yes
+  allow_undefined_flag="$_lt_dar_allow_undefined"
+  if test "$GCC" = "yes"; then
+    output_verbose_link_cmd=echo
+    archive_cmds="\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$libobjs \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring $_lt_dar_single_mod${_lt_dsymutil}"
+    module_cmds="\$CC \$allow_undefined_flag -o \$lib -bundle \$libobjs \$deplibs \$compiler_flags${_lt_dsymutil}"
+    archive_expsym_cmds="sed 's,^,_,' < \$export_symbols > \$output_objdir/\${libname}-symbols.expsym~\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$libobjs \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring ${_lt_dar_single_mod}${_lt_dar_export_syms}${_lt_dsymutil}"
+    module_expsym_cmds="sed -e 's,^,_,' < \$export_symbols > \$output_objdir/\${libname}-symbols.expsym~\$CC \$allow_undefined_flag -o \$lib -bundle \$libobjs \$deplibs \$compiler_flags${_lt_dar_export_syms}${_lt_dsymutil}"
+
+  else
+  ld_shlibs=no
+  fi
+
+      ;;
+
+    dgux*)
+      archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+      hardcode_libdir_flag_spec='-L$libdir'
+      hardcode_shlibpath_var=no
+      ;;
+
+    freebsd1*)
+      ld_shlibs=no
+      ;;
+
+    # FreeBSD 2.2.[012] allows us to include c++rt0.o to get C++ constructor
+    # support.  Future versions do this automatically, but an explicit c++rt0.o
+    # does not break anything, and helps significantly (at the cost of a little
+    # extra space).
+    freebsd2.2*)
+      archive_cmds='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags /usr/lib/c++rt0.o'
+      hardcode_libdir_flag_spec='-R$libdir'
+      hardcode_direct=yes
+      hardcode_shlibpath_var=no
+      ;;
+
+    # Unfortunately, older versions of FreeBSD 2 do not have this feature.
+    freebsd2*)
+      archive_cmds='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'
+      hardcode_direct=yes
+      hardcode_minus_L=yes
+      hardcode_shlibpath_var=no
+      ;;
+
+    # FreeBSD 3 and greater uses gcc -shared to do shared libraries.
+    freebsd* | dragonfly*)
+      archive_cmds='$CC -shared -o $lib $libobjs $deplibs $compiler_flags'
+      hardcode_libdir_flag_spec='-R$libdir'
+      hardcode_direct=yes
+      hardcode_shlibpath_var=no
+      ;;
+
+    hpux9*)
+      if test "$GCC" = yes; then
+	archive_cmds='$RM $output_objdir/$soname~$CC -shared -fPIC ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $libobjs $deplibs $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
+      else
+	archive_cmds='$RM $output_objdir/$soname~$LD -b +b $install_libdir -o $output_objdir/$soname $libobjs $deplibs $linker_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
+      fi
+      hardcode_libdir_flag_spec='${wl}+b ${wl}$libdir'
+      hardcode_libdir_separator=:
+      hardcode_direct=yes
+
+      # hardcode_minus_L: Not really in the search PATH,
+      # but as the default location of the library.
+      hardcode_minus_L=yes
+      export_dynamic_flag_spec='${wl}-E'
+      ;;
+
+    hpux10*)
+      if test "$GCC" = yes -a "$with_gnu_ld" = no; then
+	archive_cmds='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
+      else
+	archive_cmds='$LD -b +h $soname +b $install_libdir -o $lib $libobjs $deplibs $linker_flags'
+      fi
+      if test "$with_gnu_ld" = no; then
+	hardcode_libdir_flag_spec='${wl}+b ${wl}$libdir'
+	hardcode_libdir_flag_spec_ld='+b $libdir'
+	hardcode_libdir_separator=:
+	hardcode_direct=yes
+	hardcode_direct_absolute=yes
+	export_dynamic_flag_spec='${wl}-E'
+	# hardcode_minus_L: Not really in the search PATH,
+	# but as the default location of the library.
+	hardcode_minus_L=yes
+      fi
+      ;;
+
+    hpux11*)
+      if test "$GCC" = yes -a "$with_gnu_ld" = no; then
+	case $host_cpu in
+	hppa*64*)
+	  archive_cmds='$CC -shared ${wl}+h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
+	  ;;
+	ia64*)
+	  archive_cmds='$CC -shared ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags'
+	  ;;
+	*)
+	  archive_cmds='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
+	  ;;
+	esac
+      else
+	case $host_cpu in
+	hppa*64*)
+	  archive_cmds='$CC -b ${wl}+h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
+	  ;;
+	ia64*)
+	  archive_cmds='$CC -b ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags'
+	  ;;
+	*)
+	  archive_cmds='$CC -b ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
+	  ;;
+	esac
+      fi
+      if test "$with_gnu_ld" = no; then
+	hardcode_libdir_flag_spec='${wl}+b ${wl}$libdir'
+	hardcode_libdir_separator=:
+
+	case $host_cpu in
+	hppa*64*|ia64*)
+	  hardcode_direct=no
+	  hardcode_shlibpath_var=no
+	  ;;
+	*)
+	  hardcode_direct=yes
+	  hardcode_direct_absolute=yes
+	  export_dynamic_flag_spec='${wl}-E'
+
+	  # hardcode_minus_L: Not really in the search PATH,
+	  # but as the default location of the library.
+	  hardcode_minus_L=yes
+	  ;;
+	esac
+      fi
+      ;;
+
+    irix5* | irix6* | nonstopux*)
+      if test "$GCC" = yes; then
+	archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && $ECHO "X${wl}-set_version ${wl}$verstring" | $Xsed` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+	# Try to use the -exported_symbol ld option, if it does not
+	# work, assume that -exports_file does not work either and
+	# implicitly export all symbols.
+        save_LDFLAGS="$LDFLAGS"
+        LDFLAGS="$LDFLAGS -shared ${wl}-exported_symbol ${wl}foo ${wl}-update_registry ${wl}/dev/null"
+        cat >conftest.$ac_ext <<_ACEOF
+int foo(void) {}
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
 if { (ac_try="$ac_link"
@@ -11575,4972 +10217,2356 @@ eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
 	 test ! -s conftest.err
        } && test -s conftest$ac_exeext &&
        $as_test_x conftest$ac_exeext; then
-  ac_cv_lib_dl_dlopen=yes
+  archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && $ECHO "X${wl}-set_version ${wl}$verstring" | $Xsed` ${wl}-update_registry ${wl}${output_objdir}/so_locations ${wl}-exports_file ${wl}$export_symbols -o $lib'
+
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-	ac_cv_lib_dl_dlopen=no
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-{ echo "$as_me:$LINENO: result: $ac_cv_lib_dl_dlopen" >&5
-echo "${ECHO_T}$ac_cv_lib_dl_dlopen" >&6; }
-if test $ac_cv_lib_dl_dlopen = yes; then
-  lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-ldl"
-else
-  { echo "$as_me:$LINENO: checking for dlopen in -lsvld" >&5
-echo $ECHO_N "checking for dlopen in -lsvld... $ECHO_C" >&6; }
-if test "${ac_cv_lib_svld_dlopen+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  ac_check_lib_save_LIBS=$LIBS
-LIBS="-lsvld  $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-/* Override any GCC internal prototype to avoid an error.
-   Use char because int might match the return type of a GCC
-   builtin and then its argument prototype would still apply.  */
-#ifdef __cplusplus
-extern "C"
-#endif
-char dlopen ();
-int
-main ()
-{
-return dlopen ();
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
-  ac_cv_lib_svld_dlopen=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_cv_lib_svld_dlopen=no
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-{ echo "$as_me:$LINENO: result: $ac_cv_lib_svld_dlopen" >&5
-echo "${ECHO_T}$ac_cv_lib_svld_dlopen" >&6; }
-if test $ac_cv_lib_svld_dlopen = yes; then
-  lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-lsvld"
-else
-  { echo "$as_me:$LINENO: checking for dld_link in -ldld" >&5
-echo $ECHO_N "checking for dld_link in -ldld... $ECHO_C" >&6; }
-if test "${ac_cv_lib_dld_dld_link+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  ac_check_lib_save_LIBS=$LIBS
-LIBS="-ldld  $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-/* Override any GCC internal prototype to avoid an error.
-   Use char because int might match the return type of a GCC
-   builtin and then its argument prototype would still apply.  */
-#ifdef __cplusplus
-extern "C"
-#endif
-char dld_link ();
-int
-main ()
-{
-return dld_link ();
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
-  ac_cv_lib_dld_dld_link=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
 
-	ac_cv_lib_dld_dld_link=no
 fi
 
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-{ echo "$as_me:$LINENO: result: $ac_cv_lib_dld_dld_link" >&5
-echo "${ECHO_T}$ac_cv_lib_dld_dld_link" >&6; }
-if test $ac_cv_lib_dld_dld_link = yes; then
-  lt_cv_dlopen="dld_link" lt_cv_dlopen_libs="-ldld"
-fi
-
+        LDFLAGS="$save_LDFLAGS"
+      else
+	archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && $ECHO "X-set_version $verstring" | $Xsed` -update_registry ${output_objdir}/so_locations -o $lib'
+	archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && $ECHO "X-set_version $verstring" | $Xsed` -update_registry ${output_objdir}/so_locations -exports_file $export_symbols -o $lib'
+      fi
+      archive_cmds_need_lc='no'
+      hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir'
+      hardcode_libdir_separator=:
+      inherit_rpath=yes
+      link_all_deplibs=yes
+      ;;
 
-fi
+    netbsd* | netbsdelf*-gnu)
+      if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then
+	archive_cmds='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'  # a.out
+      else
+	archive_cmds='$LD -shared -o $lib $libobjs $deplibs $linker_flags'      # ELF
+      fi
+      hardcode_libdir_flag_spec='-R$libdir'
+      hardcode_direct=yes
+      hardcode_shlibpath_var=no
+      ;;
 
+    newsos6)
+      archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+      hardcode_direct=yes
+      hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir'
+      hardcode_libdir_separator=:
+      hardcode_shlibpath_var=no
+      ;;
 
-fi
+    *nto* | *qnx*)
+      ;;
 
+    openbsd*)
+      if test -f /usr/libexec/ld.so; then
+	hardcode_direct=yes
+	hardcode_shlibpath_var=no
+	hardcode_direct_absolute=yes
+	if test -z "`echo __ELF__ | $CC -E - | $GREP __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
+	  archive_cmds='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
+	  archive_expsym_cmds='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-retain-symbols-file,$export_symbols'
+	  hardcode_libdir_flag_spec='${wl}-rpath,$libdir'
+	  export_dynamic_flag_spec='${wl}-E'
+	else
+	  case $host_os in
+	   openbsd[01].* | openbsd2.[0-7] | openbsd2.[0-7].*)
+	     archive_cmds='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'
+	     hardcode_libdir_flag_spec='-R$libdir'
+	     ;;
+	   *)
+	     archive_cmds='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
+	     hardcode_libdir_flag_spec='${wl}-rpath,$libdir'
+	     ;;
+	  esac
+	fi
+      else
+	ld_shlibs=no
+      fi
+      ;;
 
-fi
+    os2*)
+      hardcode_libdir_flag_spec='-L$libdir'
+      hardcode_minus_L=yes
+      allow_undefined_flag=unsupported
+      archive_cmds='$ECHO "LIBRARY $libname INITINSTANCE" > $output_objdir/$libname.def~$ECHO "DESCRIPTION \"$libname\"" >> $output_objdir/$libname.def~$ECHO DATA >> $output_objdir/$libname.def~$ECHO " SINGLE NONSHARED" >> $output_objdir/$libname.def~$ECHO EXPORTS >> $output_objdir/$libname.def~emxexp $libobjs >> $output_objdir/$libname.def~$CC -Zdll -Zcrtdll -o $lib $libobjs $deplibs $compiler_flags $output_objdir/$libname.def'
+      old_archive_from_new_cmds='emximp -o $output_objdir/$libname.a $output_objdir/$libname.def'
+      ;;
 
+    osf3*)
+      if test "$GCC" = yes; then
+	allow_undefined_flag=' ${wl}-expect_unresolved ${wl}\*'
+	archive_cmds='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && $ECHO "X${wl}-set_version ${wl}$verstring" | $Xsed` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+      else
+	allow_undefined_flag=' -expect_unresolved \*'
+	archive_cmds='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && $ECHO "X-set_version $verstring" | $Xsed` -update_registry ${output_objdir}/so_locations -o $lib'
+      fi
+      archive_cmds_need_lc='no'
+      hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir'
+      hardcode_libdir_separator=:
+      ;;
 
-fi
+    osf4* | osf5*)	# as osf3* with the addition of -msym flag
+      if test "$GCC" = yes; then
+	allow_undefined_flag=' ${wl}-expect_unresolved ${wl}\*'
+	archive_cmds='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-msym ${wl}-soname ${wl}$soname `test -n "$verstring" && $ECHO "X${wl}-set_version ${wl}$verstring" | $Xsed` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+	hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir'
+      else
+	allow_undefined_flag=' -expect_unresolved \*'
+	archive_cmds='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags -msym -soname $soname `test -n "$verstring" && $ECHO "X-set_version $verstring" | $Xsed` -update_registry ${output_objdir}/so_locations -o $lib'
+	archive_expsym_cmds='for i in `cat $export_symbols`; do printf "%s %s\\n" -exported_symbol "\$i" >> $lib.exp; done; printf "%s\\n" "-hidden">> $lib.exp~
+	$CC -shared${allow_undefined_flag} ${wl}-input ${wl}$lib.exp $compiler_flags $libobjs $deplibs -soname $soname `test -n "$verstring" && $ECHO "X-set_version $verstring" | $Xsed` -update_registry ${output_objdir}/so_locations -o $lib~$RM $lib.exp'
 
+	# Both c and cxx compiler support -rpath directly
+	hardcode_libdir_flag_spec='-rpath $libdir'
+      fi
+      archive_cmds_need_lc='no'
+      hardcode_libdir_separator=:
+      ;;
 
-fi
+    solaris*)
+      no_undefined_flag=' -z defs'
+      if test "$GCC" = yes; then
+	wlarc='${wl}'
+	archive_cmds='$CC -shared ${wl}-z ${wl}text ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
+	archive_expsym_cmds='echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~echo "local: *; };" >> $lib.exp~
+	  $CC -shared ${wl}-z ${wl}text ${wl}-M ${wl}$lib.exp ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags~$RM $lib.exp'
+      else
+	case `$CC -V 2>&1` in
+	*"Compilers 5.0"*)
+	  wlarc=''
+	  archive_cmds='$LD -G${allow_undefined_flag} -h $soname -o $lib $libobjs $deplibs $linker_flags'
+	  archive_expsym_cmds='echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~echo "local: *; };" >> $lib.exp~
+	  $LD -G${allow_undefined_flag} -M $lib.exp -h $soname -o $lib $libobjs $deplibs $linker_flags~$RM $lib.exp'
+	  ;;
+	*)
+	  wlarc='${wl}'
+	  archive_cmds='$CC -G${allow_undefined_flag} -h $soname -o $lib $libobjs $deplibs $compiler_flags'
+	  archive_expsym_cmds='echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~echo "local: *; };" >> $lib.exp~
+	  $CC -G${allow_undefined_flag} -M $lib.exp -h $soname -o $lib $libobjs $deplibs $compiler_flags~$RM $lib.exp'
+	  ;;
+	esac
+      fi
+      hardcode_libdir_flag_spec='-R$libdir'
+      hardcode_shlibpath_var=no
+      case $host_os in
+      solaris2.[0-5] | solaris2.[0-5].*) ;;
+      *)
+	# The compiler driver will combine and reorder linker options,
+	# but understands `-z linker_flag'.  GCC discards it without `$wl',
+	# but is careful enough not to reorder.
+	# Supported since Solaris 2.6 (maybe 2.5.1?)
+	if test "$GCC" = yes; then
+	  whole_archive_flag_spec='${wl}-z ${wl}allextract$convenience ${wl}-z ${wl}defaultextract'
+	else
+	  whole_archive_flag_spec='-z allextract$convenience -z defaultextract'
+	fi
+	;;
+      esac
+      link_all_deplibs=yes
+      ;;
 
-    ;;
-  esac
+    sunos4*)
+      if test "x$host_vendor" = xsequent; then
+	# Use $CC to link under sequent, because it throws in some extra .o
+	# files that make .init and .fini sections work.
+	archive_cmds='$CC -G ${wl}-h $soname -o $lib $libobjs $deplibs $compiler_flags'
+      else
+	archive_cmds='$LD -assert pure-text -Bstatic -o $lib $libobjs $deplibs $linker_flags'
+      fi
+      hardcode_libdir_flag_spec='-L$libdir'
+      hardcode_direct=yes
+      hardcode_minus_L=yes
+      hardcode_shlibpath_var=no
+      ;;
 
-  if test "x$lt_cv_dlopen" != xno; then
-    enable_dlopen=yes
-  else
-    enable_dlopen=no
-  fi
+    sysv4)
+      case $host_vendor in
+	sni)
+	  archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+	  hardcode_direct=yes # is this really true???
+	;;
+	siemens)
+	  ## LD is ld it makes a PLAMLIB
+	  ## CC just makes a GrossModule.
+	  archive_cmds='$LD -G -o $lib $libobjs $deplibs $linker_flags'
+	  reload_cmds='$CC -r -o $output$reload_objs'
+	  hardcode_direct=no
+        ;;
+	motorola)
+	  archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+	  hardcode_direct=no #Motorola manual says yes, but my tests say they lie
+	;;
+      esac
+      runpath_var='LD_RUN_PATH'
+      hardcode_shlibpath_var=no
+      ;;
 
-  case $lt_cv_dlopen in
-  dlopen)
-    save_CPPFLAGS="$CPPFLAGS"
-    test "x$ac_cv_header_dlfcn_h" = xyes && CPPFLAGS="$CPPFLAGS -DHAVE_DLFCN_H"
+    sysv4.3*)
+      archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+      hardcode_shlibpath_var=no
+      export_dynamic_flag_spec='-Bexport'
+      ;;
 
-    save_LDFLAGS="$LDFLAGS"
-    wl=$lt_prog_compiler_wl eval LDFLAGS=\"\$LDFLAGS $export_dynamic_flag_spec\"
+    sysv4*MP*)
+      if test -d /usr/nec; then
+	archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+	hardcode_shlibpath_var=no
+	runpath_var=LD_RUN_PATH
+	hardcode_runpath_var=yes
+	ld_shlibs=yes
+      fi
+      ;;
 
-    save_LIBS="$LIBS"
-    LIBS="$lt_cv_dlopen_libs $LIBS"
+    sysv4*uw2* | sysv5OpenUNIX* | sysv5UnixWare7.[01].[10]* | unixware7* | sco3.2v5.0.[024]*)
+      no_undefined_flag='${wl}-z,text'
+      archive_cmds_need_lc=no
+      hardcode_shlibpath_var=no
+      runpath_var='LD_RUN_PATH'
 
-    { echo "$as_me:$LINENO: checking whether a program can dlopen itself" >&5
-echo $ECHO_N "checking whether a program can dlopen itself... $ECHO_C" >&6; }
-if test "${lt_cv_dlopen_self+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  	  if test "$cross_compiling" = yes; then :
-  lt_cv_dlopen_self=cross
-else
-  lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
-  lt_status=$lt_dlunknown
-  cat > conftest.$ac_ext <<EOF
-#line 11770 "configure"
-#include "confdefs.h"
+      if test "$GCC" = yes; then
+	archive_cmds='$CC -shared ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+	archive_expsym_cmds='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+      else
+	archive_cmds='$CC -G ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+	archive_expsym_cmds='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+      fi
+      ;;
 
-#if HAVE_DLFCN_H
-#include <dlfcn.h>
-#endif
+    sysv5* | sco3.2v5* | sco5v6*)
+      # Note: We can NOT use -z defs as we might desire, because we do not
+      # link with -lc, and that would cause any symbols used from libc to
+      # always be unresolved, which means just about no library would
+      # ever link correctly.  If we're not using GNU ld we use -z text
+      # though, which does catch some bad symbols but isn't as heavy-handed
+      # as -z defs.
+      no_undefined_flag='${wl}-z,text'
+      allow_undefined_flag='${wl}-z,nodefs'
+      archive_cmds_need_lc=no
+      hardcode_shlibpath_var=no
+      hardcode_libdir_flag_spec='${wl}-R,$libdir'
+      hardcode_libdir_separator=':'
+      link_all_deplibs=yes
+      export_dynamic_flag_spec='${wl}-Bexport'
+      runpath_var='LD_RUN_PATH'
 
-#include <stdio.h>
+      if test "$GCC" = yes; then
+	archive_cmds='$CC -shared ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+	archive_expsym_cmds='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+      else
+	archive_cmds='$CC -G ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+	archive_expsym_cmds='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+      fi
+      ;;
 
-#ifdef RTLD_GLOBAL
-#  define LT_DLGLOBAL		RTLD_GLOBAL
-#else
-#  ifdef DL_GLOBAL
-#    define LT_DLGLOBAL		DL_GLOBAL
-#  else
-#    define LT_DLGLOBAL		0
-#  endif
-#endif
+    uts4*)
+      archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+      hardcode_libdir_flag_spec='-L$libdir'
+      hardcode_shlibpath_var=no
+      ;;
 
-/* We may have to define LT_DLLAZY_OR_NOW in the command line if we
-   find out it does not work in some platform. */
-#ifndef LT_DLLAZY_OR_NOW
-#  ifdef RTLD_LAZY
-#    define LT_DLLAZY_OR_NOW		RTLD_LAZY
-#  else
-#    ifdef DL_LAZY
-#      define LT_DLLAZY_OR_NOW		DL_LAZY
-#    else
-#      ifdef RTLD_NOW
-#        define LT_DLLAZY_OR_NOW	RTLD_NOW
-#      else
-#        ifdef DL_NOW
-#          define LT_DLLAZY_OR_NOW	DL_NOW
-#        else
-#          define LT_DLLAZY_OR_NOW	0
-#        endif
-#      endif
-#    endif
-#  endif
-#endif
+    *)
+      ld_shlibs=no
+      ;;
+    esac
 
-#ifdef __cplusplus
-extern "C" void exit (int);
-#endif
+    if test x$host_vendor = xsni; then
+      case $host in
+      sysv4 | sysv4.2uw2* | sysv4.3* | sysv5*)
+	export_dynamic_flag_spec='${wl}-Blargedynsym'
+	;;
+      esac
+    fi
+  fi
 
-void fnord() { int i=42;}
-int main ()
-{
-  void *self = dlopen (0, LT_DLGLOBAL|LT_DLLAZY_OR_NOW);
-  int status = $lt_dlunknown;
+{ echo "$as_me:$LINENO: result: $ld_shlibs" >&5
+echo "${ECHO_T}$ld_shlibs" >&6; }
+test "$ld_shlibs" = no && can_build_shared=no
 
-  if (self)
-    {
-      if (dlsym (self,"fnord"))       status = $lt_dlno_uscore;
-      else if (dlsym( self,"_fnord")) status = $lt_dlneed_uscore;
-      /* dlclose (self); */
-    }
-  else
-    puts (dlerror ());
+with_gnu_ld=$with_gnu_ld
 
-    exit (status);
-}
-EOF
-  if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && test -s conftest${ac_exeext} 2>/dev/null; then
-    (./conftest; exit; ) >&5 2>/dev/null
-    lt_status=$?
-    case x$lt_status in
-      x$lt_dlno_uscore) lt_cv_dlopen_self=yes ;;
-      x$lt_dlneed_uscore) lt_cv_dlopen_self=yes ;;
-      x$lt_dlunknown|x*) lt_cv_dlopen_self=no ;;
-    esac
-  else :
-    # compilation failed
-    lt_cv_dlopen_self=no
-  fi
-fi
-rm -fr conftest*
 
 
-fi
-{ echo "$as_me:$LINENO: result: $lt_cv_dlopen_self" >&5
-echo "${ECHO_T}$lt_cv_dlopen_self" >&6; }
 
-    if test "x$lt_cv_dlopen_self" = xyes; then
-      wl=$lt_prog_compiler_wl eval LDFLAGS=\"\$LDFLAGS $lt_prog_compiler_static\"
-      { echo "$as_me:$LINENO: checking whether a statically linked program can dlopen itself" >&5
-echo $ECHO_N "checking whether a statically linked program can dlopen itself... $ECHO_C" >&6; }
-if test "${lt_cv_dlopen_self_static+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  	  if test "$cross_compiling" = yes; then :
-  lt_cv_dlopen_self_static=cross
-else
-  lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
-  lt_status=$lt_dlunknown
-  cat > conftest.$ac_ext <<EOF
-#line 11870 "configure"
-#include "confdefs.h"
 
-#if HAVE_DLFCN_H
-#include <dlfcn.h>
-#endif
 
-#include <stdio.h>
 
-#ifdef RTLD_GLOBAL
-#  define LT_DLGLOBAL		RTLD_GLOBAL
-#else
-#  ifdef DL_GLOBAL
-#    define LT_DLGLOBAL		DL_GLOBAL
-#  else
-#    define LT_DLGLOBAL		0
-#  endif
-#endif
 
-/* We may have to define LT_DLLAZY_OR_NOW in the command line if we
-   find out it does not work in some platform. */
-#ifndef LT_DLLAZY_OR_NOW
-#  ifdef RTLD_LAZY
-#    define LT_DLLAZY_OR_NOW		RTLD_LAZY
-#  else
-#    ifdef DL_LAZY
-#      define LT_DLLAZY_OR_NOW		DL_LAZY
-#    else
-#      ifdef RTLD_NOW
-#        define LT_DLLAZY_OR_NOW	RTLD_NOW
-#      else
-#        ifdef DL_NOW
-#          define LT_DLLAZY_OR_NOW	DL_NOW
-#        else
-#          define LT_DLLAZY_OR_NOW	0
-#        endif
-#      endif
-#    endif
-#  endif
-#endif
 
-#ifdef __cplusplus
-extern "C" void exit (int);
-#endif
 
-void fnord() { int i=42;}
-int main ()
-{
-  void *self = dlopen (0, LT_DLGLOBAL|LT_DLLAZY_OR_NOW);
-  int status = $lt_dlunknown;
 
-  if (self)
-    {
-      if (dlsym (self,"fnord"))       status = $lt_dlno_uscore;
-      else if (dlsym( self,"_fnord")) status = $lt_dlneed_uscore;
-      /* dlclose (self); */
-    }
-  else
-    puts (dlerror ());
 
-    exit (status);
-}
-EOF
-  if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && test -s conftest${ac_exeext} 2>/dev/null; then
-    (./conftest; exit; ) >&5 2>/dev/null
-    lt_status=$?
-    case x$lt_status in
-      x$lt_dlno_uscore) lt_cv_dlopen_self_static=yes ;;
-      x$lt_dlneed_uscore) lt_cv_dlopen_self_static=yes ;;
-      x$lt_dlunknown|x*) lt_cv_dlopen_self_static=no ;;
+
+
+
+#
+# Do we need to explicitly link libc?
+#
+case "x$archive_cmds_need_lc" in
+x|xyes)
+  # Assume -lc should be added
+  archive_cmds_need_lc=yes
+
+  if test "$enable_shared" = yes && test "$GCC" = yes; then
+    case $archive_cmds in
+    *'~'*)
+      # FIXME: we may have to deal with multi-command sequences.
+      ;;
+    '$CC '*)
+      # Test whether the compiler implicitly links with -lc since on some
+      # systems, -lgcc has to come before -lc. If gcc already passes -lc
+      # to ld, don't add -lc before -lgcc.
+      { echo "$as_me:$LINENO: checking whether -lc should be explicitly linked in" >&5
+echo $ECHO_N "checking whether -lc should be explicitly linked in... $ECHO_C" >&6; }
+      $RM conftest*
+      echo "$lt_simple_compile_test_code" > conftest.$ac_ext
+
+      if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } 2>conftest.err; then
+        soname=conftest
+        lib=conftest
+        libobjs=conftest.$ac_objext
+        deplibs=
+        wl=$lt_prog_compiler_wl
+	pic_flag=$lt_prog_compiler_pic
+        compiler_flags=-v
+        linker_flags=-v
+        verstring=
+        output_objdir=.
+        libname=conftest
+        lt_save_allow_undefined_flag=$allow_undefined_flag
+        allow_undefined_flag=
+        if { (eval echo "$as_me:$LINENO: \"$archive_cmds 2\>\&1 \| $GREP \" -lc \" \>/dev/null 2\>\&1\"") >&5
+  (eval $archive_cmds 2\>\&1 \| $GREP \" -lc \" \>/dev/null 2\>\&1) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }
+        then
+	  archive_cmds_need_lc=no
+        else
+	  archive_cmds_need_lc=yes
+        fi
+        allow_undefined_flag=$lt_save_allow_undefined_flag
+      else
+        cat conftest.err 1>&5
+      fi
+      $RM conftest*
+      { echo "$as_me:$LINENO: result: $archive_cmds_need_lc" >&5
+echo "${ECHO_T}$archive_cmds_need_lc" >&6; }
+      ;;
     esac
-  else :
-    # compilation failed
-    lt_cv_dlopen_self_static=no
   fi
-fi
-rm -fr conftest*
+  ;;
+esac
 
 
-fi
-{ echo "$as_me:$LINENO: result: $lt_cv_dlopen_self_static" >&5
-echo "${ECHO_T}$lt_cv_dlopen_self_static" >&6; }
-    fi
 
-    CPPFLAGS="$save_CPPFLAGS"
-    LDFLAGS="$save_LDFLAGS"
-    LIBS="$save_LIBS"
-    ;;
-  esac
 
-  case $lt_cv_dlopen_self in
-  yes|no) enable_dlopen_self=$lt_cv_dlopen_self ;;
-  *) enable_dlopen_self=unknown ;;
-  esac
 
-  case $lt_cv_dlopen_self_static in
-  yes|no) enable_dlopen_self_static=$lt_cv_dlopen_self_static ;;
-  *) enable_dlopen_self_static=unknown ;;
-  esac
-fi
 
 
-# Report which library types will actually be built
-{ echo "$as_me:$LINENO: checking if libtool supports shared libraries" >&5
-echo $ECHO_N "checking if libtool supports shared libraries... $ECHO_C" >&6; }
-{ echo "$as_me:$LINENO: result: $can_build_shared" >&5
-echo "${ECHO_T}$can_build_shared" >&6; }
 
-{ echo "$as_me:$LINENO: checking whether to build shared libraries" >&5
-echo $ECHO_N "checking whether to build shared libraries... $ECHO_C" >&6; }
-test "$can_build_shared" = "no" && enable_shared=no
 
-# On AIX, shared libraries and static libraries use the same namespace, and
-# are all built from PIC.
-case $host_os in
-aix3*)
-  test "$enable_shared" = yes && enable_static=no
-  if test -n "$RANLIB"; then
-    archive_cmds="$archive_cmds~\$RANLIB \$lib"
-    postinstall_cmds='$RANLIB $lib'
-  fi
-  ;;
 
-aix[4-9]*)
-  if test "$host_cpu" != ia64 && test "$aix_use_runtimelinking" = no ; then
-    test "$enable_shared" = yes && enable_static=no
-  fi
-    ;;
-esac
-{ echo "$as_me:$LINENO: result: $enable_shared" >&5
-echo "${ECHO_T}$enable_shared" >&6; }
 
-{ echo "$as_me:$LINENO: checking whether to build static libraries" >&5
-echo $ECHO_N "checking whether to build static libraries... $ECHO_C" >&6; }
-# Make sure either enable_shared or enable_static is yes.
-test "$enable_shared" = yes || enable_static=yes
-{ echo "$as_me:$LINENO: result: $enable_static" >&5
-echo "${ECHO_T}$enable_static" >&6; }
 
-# The else clause should only fire when bootstrapping the
-# libtool distribution, otherwise you forgot to ship ltmain.sh
-# with your package, and you will get complaints that there are
-# no rules to generate ltmain.sh.
-if test -f "$ltmain"; then
-  # See if we are running on zsh, and set the options which allow our commands through
-  # without removal of \ escapes.
-  if test -n "${ZSH_VERSION+set}" ; then
-    setopt NO_GLOB_SUBST
-  fi
-  # Now quote all the things that may contain metacharacters while being
-  # careful not to overquote the AC_SUBSTed values.  We take copies of the
-  # variables and quote the copies for generation of the libtool script.
-  for var in echo old_CC old_CFLAGS AR AR_FLAGS EGREP RANLIB LN_S LTCC LTCFLAGS NM \
-    SED SHELL STRIP \
-    libname_spec library_names_spec soname_spec extract_expsyms_cmds \
-    old_striplib striplib file_magic_cmd finish_cmds finish_eval \
-    deplibs_check_method reload_flag reload_cmds need_locks \
-    lt_cv_sys_global_symbol_pipe lt_cv_sys_global_symbol_to_cdecl \
-    lt_cv_sys_global_symbol_to_c_name_address \
-    sys_lib_search_path_spec sys_lib_dlsearch_path_spec \
-    old_postinstall_cmds old_postuninstall_cmds \
-    compiler \
-    CC \
-    LD \
-    lt_prog_compiler_wl \
-    lt_prog_compiler_pic \
-    lt_prog_compiler_static \
-    lt_prog_compiler_no_builtin_flag \
-    export_dynamic_flag_spec \
-    thread_safe_flag_spec \
-    whole_archive_flag_spec \
-    enable_shared_with_static_runtimes \
-    old_archive_cmds \
-    old_archive_from_new_cmds \
-    predep_objects \
-    postdep_objects \
-    predeps \
-    postdeps \
-    compiler_lib_search_path \
-    compiler_lib_search_dirs \
-    archive_cmds \
-    archive_expsym_cmds \
-    postinstall_cmds \
-    postuninstall_cmds \
-    old_archive_from_expsyms_cmds \
-    allow_undefined_flag \
-    no_undefined_flag \
-    export_symbols_cmds \
-    hardcode_libdir_flag_spec \
-    hardcode_libdir_flag_spec_ld \
-    hardcode_libdir_separator \
-    hardcode_automatic \
-    module_cmds \
-    module_expsym_cmds \
-    lt_cv_prog_compiler_c_o \
-    fix_srcfile_path \
-    exclude_expsyms \
-    include_expsyms; do
-
-    case $var in
-    old_archive_cmds | \
-    old_archive_from_new_cmds | \
-    archive_cmds | \
-    archive_expsym_cmds | \
-    module_cmds | \
-    module_expsym_cmds | \
-    old_archive_from_expsyms_cmds | \
-    export_symbols_cmds | \
-    extract_expsyms_cmds | reload_cmds | finish_cmds | \
-    postinstall_cmds | postuninstall_cmds | \
-    old_postinstall_cmds | old_postuninstall_cmds | \
-    sys_lib_search_path_spec | sys_lib_dlsearch_path_spec)
-      # Double-quote double-evaled strings.
-      eval "lt_$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$double_quote_subst\" -e \"\$sed_quote_subst\" -e \"\$delay_variable_subst\"\`\\\""
-      ;;
-    *)
-      eval "lt_$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$sed_quote_subst\"\`\\\""
-      ;;
-    esac
-  done
 
-  case $lt_echo in
-  *'\$0 --fallback-echo"')
-    lt_echo=`$echo "X$lt_echo" | $Xsed -e 's/\\\\\\\$0 --fallback-echo"$/$0 --fallback-echo"/'`
-    ;;
-  esac
 
-cfgfile="${ofile}T"
-  trap "$rm \"$cfgfile\"; exit 1" 1 2 15
-  $rm -f "$cfgfile"
-  { echo "$as_me:$LINENO: creating $ofile" >&5
-echo "$as_me: creating $ofile" >&6;}
 
-  cat <<__EOF__ >> "$cfgfile"
-#! $SHELL
 
-# `$echo "$cfgfile" | sed 's%^.*/%%'` - Provide generalized library-building support services.
-# Generated automatically by $PROGRAM (GNU $PACKAGE $VERSION$TIMESTAMP)
-# NOTE: Changes made to this file will be lost: look at ltmain.sh.
-#
-# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008
-# Free Software Foundation, Inc.
-#
-# This file is part of GNU Libtool:
-# Originally by Gordon Matzigkeit <gord@gnu.ai.mit.edu>, 1996
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-# General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-#
-# As a special exception to the GNU General Public License, if you
-# distribute this file as part of a program that contains a
-# configuration script generated by Autoconf, you may include it under
-# the same distribution terms that you use for the rest of that program.
 
-# A sed program that does not truncate output.
-SED=$lt_SED
 
-# Sed that helps us avoid accidentally triggering echo(1) options like -n.
-Xsed="$SED -e 1s/^X//"
 
-# The HP-UX ksh and POSIX shell print the target directory to stdout
-# if CDPATH is set.
-(unset CDPATH) >/dev/null 2>&1 && unset CDPATH
 
-# The names of the tagged configurations supported by this script.
-available_tags=
 
-# ### BEGIN LIBTOOL CONFIG
 
-# Libtool was configured on host `(hostname || uname -n) 2>/dev/null | sed 1q`:
 
-# Shell to use when invoking shell scripts.
-SHELL=$lt_SHELL
 
-# Whether or not to build shared libraries.
-build_libtool_libs=$enable_shared
 
-# Whether or not to build static libraries.
-build_old_libs=$enable_static
 
-# Whether or not to add -lc for building shared libraries.
-build_libtool_need_lc=$archive_cmds_need_lc
 
-# Whether or not to disallow shared libs when runtime libs are static
-allow_libtool_libs_with_static_runtimes=$enable_shared_with_static_runtimes
 
-# Whether or not to optimize for fast installation.
-fast_install=$enable_fast_install
 
-# The host system.
-host_alias=$host_alias
-host=$host
-host_os=$host_os
 
-# The build system.
-build_alias=$build_alias
-build=$build
-build_os=$build_os
 
-# An echo program that does not interpret backslashes.
-echo=$lt_echo
 
-# The archiver.
-AR=$lt_AR
-AR_FLAGS=$lt_AR_FLAGS
 
-# A C compiler.
-LTCC=$lt_LTCC
 
-# LTCC compiler flags.
-LTCFLAGS=$lt_LTCFLAGS
 
-# A language-specific compiler.
-CC=$lt_compiler
 
-# Is the compiler the GNU C compiler?
-with_gcc=$GCC
 
-# An ERE matcher.
-EGREP=$lt_EGREP
 
-# The linker used to build libraries.
-LD=$lt_LD
 
-# Whether we need hard or soft links.
-LN_S=$lt_LN_S
 
-# A BSD-compatible nm program.
-NM=$lt_NM
 
-# A symbol stripping program
-STRIP=$lt_STRIP
 
-# Used to examine libraries when file_magic_cmd begins "file"
-MAGIC_CMD=$MAGIC_CMD
 
-# Used on cygwin: DLL creation program.
-DLLTOOL="$DLLTOOL"
 
-# Used on cygwin: object dumper.
-OBJDUMP="$OBJDUMP"
 
-# Used on cygwin: assembler.
-AS="$AS"
 
-# The name of the directory that contains temporary libtool files.
-objdir=$objdir
 
-# How to create reloadable object files.
-reload_flag=$lt_reload_flag
-reload_cmds=$lt_reload_cmds
 
-# How to pass a linker flag through the compiler.
-wl=$lt_lt_prog_compiler_wl
 
-# Object file suffix (normally "o").
-objext="$ac_objext"
 
-# Old archive suffix (normally "a").
-libext="$libext"
 
-# Shared library suffix (normally ".so").
-shrext_cmds='$shrext_cmds'
 
-# Executable file suffix (normally "").
-exeext="$exeext"
 
-# Additional compiler flags for building library objects.
-pic_flag=$lt_lt_prog_compiler_pic
-pic_mode=$pic_mode
 
-# What is the maximum length of a command?
-max_cmd_len=$lt_cv_sys_max_cmd_len
 
-# Does compiler simultaneously support -c and -o options?
-compiler_c_o=$lt_lt_cv_prog_compiler_c_o
 
-# Must we lock files when doing compilation?
-need_locks=$lt_need_locks
 
-# Do we need the lib prefix for modules?
-need_lib_prefix=$need_lib_prefix
 
-# Do we need a version for libraries?
-need_version=$need_version
 
-# Whether dlopen is supported.
-dlopen_support=$enable_dlopen
 
-# Whether dlopen of programs is supported.
-dlopen_self=$enable_dlopen_self
 
-# Whether dlopen of statically linked programs is supported.
-dlopen_self_static=$enable_dlopen_self_static
 
-# Compiler flag to prevent dynamic linking.
-link_static_flag=$lt_lt_prog_compiler_static
 
-# Compiler flag to turn off builtin functions.
-no_builtin_flag=$lt_lt_prog_compiler_no_builtin_flag
 
-# Compiler flag to allow reflexive dlopens.
-export_dynamic_flag_spec=$lt_export_dynamic_flag_spec
 
-# Compiler flag to generate shared objects directly from archives.
-whole_archive_flag_spec=$lt_whole_archive_flag_spec
 
-# Compiler flag to generate thread-safe objects.
-thread_safe_flag_spec=$lt_thread_safe_flag_spec
 
-# Library versioning type.
-version_type=$version_type
 
-# Format of library name prefix.
-libname_spec=$lt_libname_spec
 
-# List of archive names.  First name is the real one, the rest are links.
-# The last name is the one that the linker finds with -lNAME.
-library_names_spec=$lt_library_names_spec
 
-# The coded name of the library, if different from the real name.
-soname_spec=$lt_soname_spec
 
-# Commands used to build and install an old-style archive.
-RANLIB=$lt_RANLIB
-old_archive_cmds=$lt_old_archive_cmds
-old_postinstall_cmds=$lt_old_postinstall_cmds
-old_postuninstall_cmds=$lt_old_postuninstall_cmds
 
-# Create an old-style archive from a shared archive.
-old_archive_from_new_cmds=$lt_old_archive_from_new_cmds
 
-# Create a temporary old-style archive to link instead of a shared archive.
-old_archive_from_expsyms_cmds=$lt_old_archive_from_expsyms_cmds
 
-# Commands used to build and install a shared archive.
-archive_cmds=$lt_archive_cmds
-archive_expsym_cmds=$lt_archive_expsym_cmds
-postinstall_cmds=$lt_postinstall_cmds
-postuninstall_cmds=$lt_postuninstall_cmds
 
-# Commands used to build a loadable module (assumed same as above if empty)
-module_cmds=$lt_module_cmds
-module_expsym_cmds=$lt_module_expsym_cmds
 
-# Commands to strip libraries.
-old_striplib=$lt_old_striplib
-striplib=$lt_striplib
 
-# Dependencies to place before the objects being linked to create a
-# shared library.
-predep_objects=$lt_predep_objects
 
-# Dependencies to place after the objects being linked to create a
-# shared library.
-postdep_objects=$lt_postdep_objects
 
-# Dependencies to place before the objects being linked to create a
-# shared library.
-predeps=$lt_predeps
 
-# Dependencies to place after the objects being linked to create a
-# shared library.
-postdeps=$lt_postdeps
 
-# The directories searched by this compiler when creating a shared
-# library
-compiler_lib_search_dirs=$lt_compiler_lib_search_dirs
 
-# The library search path used internally by the compiler when linking
-# a shared library.
-compiler_lib_search_path=$lt_compiler_lib_search_path
 
-# Method to check whether dependent libraries are shared objects.
-deplibs_check_method=$lt_deplibs_check_method
 
-# Command to use when deplibs_check_method == file_magic.
-file_magic_cmd=$lt_file_magic_cmd
 
-# Flag that allows shared libraries with undefined symbols to be built.
-allow_undefined_flag=$lt_allow_undefined_flag
 
-# Flag that forces no undefined symbols.
-no_undefined_flag=$lt_no_undefined_flag
 
-# Commands used to finish a libtool library installation in a directory.
-finish_cmds=$lt_finish_cmds
 
-# Same as above, but a single script fragment to be evaled but not shown.
-finish_eval=$lt_finish_eval
 
-# Take the output of nm and produce a listing of raw symbols and C names.
-global_symbol_pipe=$lt_lt_cv_sys_global_symbol_pipe
 
-# Transform the output of nm in a proper C declaration
-global_symbol_to_cdecl=$lt_lt_cv_sys_global_symbol_to_cdecl
 
-# Transform the output of nm in a C name address pair
-global_symbol_to_c_name_address=$lt_lt_cv_sys_global_symbol_to_c_name_address
 
-# This is the shared library runtime path variable.
-runpath_var=$runpath_var
 
-# This is the shared library path variable.
-shlibpath_var=$shlibpath_var
 
-# Is shlibpath searched before the hard-coded library search path?
-shlibpath_overrides_runpath=$shlibpath_overrides_runpath
 
-# How to hardcode a shared library path into an executable.
-hardcode_action=$hardcode_action
 
-# Whether we should hardcode library paths into libraries.
-hardcode_into_libs=$hardcode_into_libs
 
-# Flag to hardcode \$libdir into a binary during linking.
-# This must work even if \$libdir does not exist.
-hardcode_libdir_flag_spec=$lt_hardcode_libdir_flag_spec
 
-# If ld is used when linking, flag to hardcode \$libdir into
-# a binary during linking. This must work even if \$libdir does
-# not exist.
-hardcode_libdir_flag_spec_ld=$lt_hardcode_libdir_flag_spec_ld
 
-# Whether we need a single -rpath flag with a separated argument.
-hardcode_libdir_separator=$lt_hardcode_libdir_separator
 
-# Set to yes if using DIR/libNAME${shared_ext} during linking hardcodes DIR into the
-# resulting binary.
-hardcode_direct=$hardcode_direct
 
-# Set to yes if using the -LDIR flag during linking hardcodes DIR into the
-# resulting binary.
-hardcode_minus_L=$hardcode_minus_L
 
-# Set to yes if using SHLIBPATH_VAR=DIR during linking hardcodes DIR into
-# the resulting binary.
-hardcode_shlibpath_var=$hardcode_shlibpath_var
 
-# Set to yes if building a shared library automatically hardcodes DIR into the library
-# and all subsequent libraries and executables linked against it.
-hardcode_automatic=$hardcode_automatic
 
-# Variables whose values should be saved in libtool wrapper scripts and
-# restored at relink time.
-variables_saved_for_relink="$variables_saved_for_relink"
 
-# Whether libtool must link a program against all its dependency libraries.
-link_all_deplibs=$link_all_deplibs
 
-# Compile-time system search path for libraries
-sys_lib_search_path_spec=$lt_sys_lib_search_path_spec
 
-# Run-time system search path for libraries
-sys_lib_dlsearch_path_spec=$lt_sys_lib_dlsearch_path_spec
 
-# Fix the shell variable \$srcfile for the compiler.
-fix_srcfile_path=$lt_fix_srcfile_path
 
-# Set to yes if exported symbols are required.
-always_export_symbols=$always_export_symbols
 
-# The commands to list exported symbols.
-export_symbols_cmds=$lt_export_symbols_cmds
 
-# The commands to extract the exported symbol list from a shared archive.
-extract_expsyms_cmds=$lt_extract_expsyms_cmds
 
-# Symbols that should not be listed in the preloaded symbols.
-exclude_expsyms=$lt_exclude_expsyms
 
-# Symbols that must always be exported.
-include_expsyms=$lt_include_expsyms
 
-# ### END LIBTOOL CONFIG
 
-__EOF__
 
 
-  case $host_os in
-  aix3*)
-    cat <<\EOF >> "$cfgfile"
 
-# AIX sometimes has problems with the GCC collect2 program.  For some
-# reason, if we set the COLLECT_NAMES environment variable, the problems
-# vanish in a puff of smoke.
-if test "X${COLLECT_NAMES+set}" != Xset; then
-  COLLECT_NAMES=
-  export COLLECT_NAMES
-fi
-EOF
-    ;;
-  esac
 
-  # We use sed instead of cat because bash on DJGPP gets confused if
-  # if finds mixed CR/LF and LF-only lines.  Since sed operates in
-  # text mode, it properly converts lines to CR/LF.  This bash problem
-  # is reportedly fixed, but why not run on old versions too?
-  sed '$q' "$ltmain" >> "$cfgfile" || (rm -f "$cfgfile"; exit 1)
 
-  mv -f "$cfgfile" "$ofile" || \
-    (rm -f "$ofile" && cp "$cfgfile" "$ofile" && rm -f "$cfgfile")
-  chmod +x "$ofile"
 
-else
-  # If there is no Makefile yet, we rely on a make rule to execute
-  # `config.status --recheck' to rerun these tests and create the
-  # libtool script then.
-  ltmain_in=`echo $ltmain | sed -e 's/\.sh$/.in/'`
-  if test -f "$ltmain_in"; then
-    test -f Makefile && make "$ltmain"
-  fi
-fi
 
 
-ac_ext=c
-ac_cpp='$CPP $CPPFLAGS'
-ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
-ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
-ac_compiler_gnu=$ac_cv_c_compiler_gnu
 
-CC="$lt_save_CC"
 
 
-# Check whether --with-tags was given.
-if test "${with_tags+set}" = set; then
-  withval=$with_tags; tagnames="$withval"
-fi
 
 
-if test -f "$ltmain" && test -n "$tagnames"; then
-  if test ! -f "${ofile}"; then
-    { echo "$as_me:$LINENO: WARNING: output file \`$ofile' does not exist" >&5
-echo "$as_me: WARNING: output file \`$ofile' does not exist" >&2;}
-  fi
 
-  if test -z "$LTCC"; then
-    eval "`$SHELL ${ofile} --config | grep '^LTCC='`"
-    if test -z "$LTCC"; then
-      { echo "$as_me:$LINENO: WARNING: output file \`$ofile' does not look like a libtool script" >&5
-echo "$as_me: WARNING: output file \`$ofile' does not look like a libtool script" >&2;}
-    else
-      { echo "$as_me:$LINENO: WARNING: using \`LTCC=$LTCC', extracted from \`$ofile'" >&5
-echo "$as_me: WARNING: using \`LTCC=$LTCC', extracted from \`$ofile'" >&2;}
-    fi
-  fi
-  if test -z "$LTCFLAGS"; then
-    eval "`$SHELL ${ofile} --config | grep '^LTCFLAGS='`"
-  fi
 
-  # Extract list of available tagged configurations in $ofile.
-  # Note that this assumes the entire list is on one line.
-  available_tags=`grep "^available_tags=" "${ofile}" | $SED -e 's/available_tags=\(.*$\)/\1/' -e 's/\"//g'`
 
-  lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR,"
-  for tagname in $tagnames; do
-    IFS="$lt_save_ifs"
-    # Check whether tagname contains only valid characters
-    case `$echo "X$tagname" | $Xsed -e 's:[-_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890,/]::g'` in
-    "") ;;
-    *)  { { echo "$as_me:$LINENO: error: invalid tag name: $tagname" >&5
-echo "$as_me: error: invalid tag name: $tagname" >&2;}
-   { (exit 1); exit 1; }; }
-	;;
-    esac
 
-    if grep "^# ### BEGIN LIBTOOL TAG CONFIG: $tagname$" < "${ofile}" > /dev/null
-    then
-      { { echo "$as_me:$LINENO: error: tag name \"$tagname\" already exists" >&5
-echo "$as_me: error: tag name \"$tagname\" already exists" >&2;}
-   { (exit 1); exit 1; }; }
-    fi
 
-    # Update the list of available tags.
-    if test -n "$tagname"; then
-      echo appending configuration tag \"$tagname\" to $ofile
-
-      case $tagname in
-      CXX)
-	if test -n "$CXX" && ( test "X$CXX" != "Xno" &&
-	    ( (test "X$CXX" = "Xg++" && `g++ -v >/dev/null 2>&1` ) ||
-	    (test "X$CXX" != "Xg++"))) ; then
-	  ac_ext=cpp
-ac_cpp='$CXXCPP $CPPFLAGS'
-ac_compile='$CXX -c $CXXFLAGS $CPPFLAGS conftest.$ac_ext >&5'
-ac_link='$CXX -o conftest$ac_exeext $CXXFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
-ac_compiler_gnu=$ac_cv_cxx_compiler_gnu
-
-
-
-
-archive_cmds_need_lc_CXX=no
-allow_undefined_flag_CXX=
-always_export_symbols_CXX=no
-archive_expsym_cmds_CXX=
-export_dynamic_flag_spec_CXX=
-hardcode_direct_CXX=no
-hardcode_libdir_flag_spec_CXX=
-hardcode_libdir_flag_spec_ld_CXX=
-hardcode_libdir_separator_CXX=
-hardcode_minus_L_CXX=no
-hardcode_shlibpath_var_CXX=unsupported
-hardcode_automatic_CXX=no
-module_cmds_CXX=
-module_expsym_cmds_CXX=
-link_all_deplibs_CXX=unknown
-old_archive_cmds_CXX=$old_archive_cmds
-no_undefined_flag_CXX=
-whole_archive_flag_spec_CXX=
-enable_shared_with_static_runtimes_CXX=no
-
-# Dependencies to place before and after the object being linked:
-predep_objects_CXX=
-postdep_objects_CXX=
-predeps_CXX=
-postdeps_CXX=
-compiler_lib_search_path_CXX=
-compiler_lib_search_dirs_CXX=
-
-# Source file extension for C++ test sources.
-ac_ext=cpp
-
-# Object file extension for compiled C++ test sources.
-objext=o
-objext_CXX=$objext
 
-# Code to be used in simple compile tests
-lt_simple_compile_test_code="int some_variable = 0;"
 
-# Code to be used in simple link tests
-lt_simple_link_test_code='int main(int, char *[]) { return(0); }'
 
-# ltmain only uses $CC for tagged configurations so make sure $CC is set.
 
-# If no C compiler was specified, use CC.
-LTCC=${LTCC-"$CC"}
 
-# If no C compiler flags were specified, use CFLAGS.
-LTCFLAGS=${LTCFLAGS-"$CFLAGS"}
 
-# Allow CC to be a program name with arguments.
-compiler=$CC
 
 
-# save warnings/boilerplate of simple test code
-ac_outfile=conftest.$ac_objext
-echo "$lt_simple_compile_test_code" >conftest.$ac_ext
-eval "$ac_compile" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err
-_lt_compiler_boilerplate=`cat conftest.err`
-$rm conftest*
 
-ac_outfile=conftest.$ac_objext
-echo "$lt_simple_link_test_code" >conftest.$ac_ext
-eval "$ac_link" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err
-_lt_linker_boilerplate=`cat conftest.err`
-$rm -r conftest*
 
 
-# Allow CC to be a program name with arguments.
-lt_save_CC=$CC
-lt_save_LD=$LD
-lt_save_GCC=$GCC
-GCC=$GXX
-lt_save_with_gnu_ld=$with_gnu_ld
-lt_save_path_LD=$lt_cv_path_LD
-if test -n "${lt_cv_prog_gnu_ldcxx+set}"; then
-  lt_cv_prog_gnu_ld=$lt_cv_prog_gnu_ldcxx
-else
-  $as_unset lt_cv_prog_gnu_ld
-fi
-if test -n "${lt_cv_path_LDCXX+set}"; then
-  lt_cv_path_LD=$lt_cv_path_LDCXX
-else
-  $as_unset lt_cv_path_LD
-fi
-test -z "${LDCXX+set}" || LD=$LDCXX
-CC=${CXX-"c++"}
-compiler=$CC
-compiler_CXX=$CC
-for cc_temp in $compiler""; do
-  case $cc_temp in
-    compile | *[\\/]compile | ccache | *[\\/]ccache ) ;;
-    distcc | *[\\/]distcc | purify | *[\\/]purify ) ;;
-    \-*) ;;
-    *) break;;
-  esac
-done
-cc_basename=`$echo "X$cc_temp" | $Xsed -e 's%.*/%%' -e "s%^$host_alias-%%"`
 
 
-# We don't want -fno-exception wen compiling C++ code, so set the
-# no_builtin_flag separately
-if test "$GXX" = yes; then
-  lt_prog_compiler_no_builtin_flag_CXX=' -fno-builtin'
-else
-  lt_prog_compiler_no_builtin_flag_CXX=
-fi
 
-if test "$GXX" = yes; then
-  # Set up default GNU C++ configuration
 
 
-# Check whether --with-gnu-ld was given.
-if test "${with_gnu_ld+set}" = set; then
-  withval=$with_gnu_ld; test "$withval" = no || with_gnu_ld=yes
-else
-  with_gnu_ld=no
-fi
 
-ac_prog=ld
-if test "$GCC" = yes; then
-  # Check if gcc -print-prog-name=ld gives a path.
-  { echo "$as_me:$LINENO: checking for ld used by $CC" >&5
-echo $ECHO_N "checking for ld used by $CC... $ECHO_C" >&6; }
-  case $host in
-  *-*-mingw*)
-    # gcc leaves a trailing carriage return which upsets mingw
-    ac_prog=`($CC -print-prog-name=ld) 2>&5 | tr -d '\015'` ;;
-  *)
-    ac_prog=`($CC -print-prog-name=ld) 2>&5` ;;
-  esac
-  case $ac_prog in
-    # Accept absolute paths.
-    [\\/]* | ?:[\\/]*)
-      re_direlt='/[^/][^/]*/\.\./'
-      # Canonicalize the pathname of ld
-      ac_prog=`echo $ac_prog| $SED 's%\\\\%/%g'`
-      while echo $ac_prog | grep "$re_direlt" > /dev/null 2>&1; do
-	ac_prog=`echo $ac_prog| $SED "s%$re_direlt%/%"`
-      done
-      test -z "$LD" && LD="$ac_prog"
-      ;;
-  "")
-    # If it fails, then pretend we aren't using GCC.
-    ac_prog=ld
-    ;;
-  *)
-    # If it is relative, then search for the first ld in PATH.
-    with_gnu_ld=unknown
-    ;;
-  esac
-elif test "$with_gnu_ld" = yes; then
-  { echo "$as_me:$LINENO: checking for GNU ld" >&5
-echo $ECHO_N "checking for GNU ld... $ECHO_C" >&6; }
-else
-  { echo "$as_me:$LINENO: checking for non-GNU ld" >&5
-echo $ECHO_N "checking for non-GNU ld... $ECHO_C" >&6; }
-fi
-if test "${lt_cv_path_LD+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  if test -z "$LD"; then
-  lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR
-  for ac_dir in $PATH; do
-    IFS="$lt_save_ifs"
-    test -z "$ac_dir" && ac_dir=.
-    if test -f "$ac_dir/$ac_prog" || test -f "$ac_dir/$ac_prog$ac_exeext"; then
-      lt_cv_path_LD="$ac_dir/$ac_prog"
-      # Check to see if the program is GNU ld.  I'd rather use --version,
-      # but apparently some variants of GNU ld only accept -v.
-      # Break only if it was the GNU/non-GNU ld that we prefer.
-      case `"$lt_cv_path_LD" -v 2>&1 </dev/null` in
-      *GNU* | *'with BFD'*)
-	test "$with_gnu_ld" != no && break
-	;;
-      *)
-	test "$with_gnu_ld" != yes && break
-	;;
-      esac
-    fi
-  done
-  IFS="$lt_save_ifs"
-else
-  lt_cv_path_LD="$LD" # Let the user override the test with a path.
-fi
-fi
 
-LD="$lt_cv_path_LD"
-if test -n "$LD"; then
-  { echo "$as_me:$LINENO: result: $LD" >&5
-echo "${ECHO_T}$LD" >&6; }
-else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
-fi
-test -z "$LD" && { { echo "$as_me:$LINENO: error: no acceptable ld found in \$PATH" >&5
-echo "$as_me: error: no acceptable ld found in \$PATH" >&2;}
-   { (exit 1); exit 1; }; }
-{ echo "$as_me:$LINENO: checking if the linker ($LD) is GNU ld" >&5
-echo $ECHO_N "checking if the linker ($LD) is GNU ld... $ECHO_C" >&6; }
-if test "${lt_cv_prog_gnu_ld+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  # I'd rather use --version here, but apparently some GNU lds only accept -v.
-case `$LD -v 2>&1 </dev/null` in
-*GNU* | *'with BFD'*)
-  lt_cv_prog_gnu_ld=yes
-  ;;
-*)
-  lt_cv_prog_gnu_ld=no
-  ;;
-esac
-fi
-{ echo "$as_me:$LINENO: result: $lt_cv_prog_gnu_ld" >&5
-echo "${ECHO_T}$lt_cv_prog_gnu_ld" >&6; }
-with_gnu_ld=$lt_cv_prog_gnu_ld
 
 
 
-  # Check if GNU C++ uses GNU ld as the underlying linker, since the
-  # archiving commands below assume that GNU ld is being used.
-  if test "$with_gnu_ld" = yes; then
-    archive_cmds_CXX='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib'
-    archive_expsym_cmds_CXX='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
 
-    hardcode_libdir_flag_spec_CXX='${wl}--rpath ${wl}$libdir'
-    export_dynamic_flag_spec_CXX='${wl}--export-dynamic'
 
-    # If archive_cmds runs LD, not CC, wlarc should be empty
-    # XXX I think wlarc can be eliminated in ltcf-cxx, but I need to
-    #     investigate it a little bit more. (MM)
-    wlarc='${wl}'
 
-    # ancient GNU ld didn't support --whole-archive et. al.
-    if eval "`$CC -print-prog-name=ld` --help 2>&1" | \
-	grep 'no-whole-archive' > /dev/null; then
-      whole_archive_flag_spec_CXX="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive'
-    else
-      whole_archive_flag_spec_CXX=
-    fi
+  { echo "$as_me:$LINENO: checking dynamic linker characteristics" >&5
+echo $ECHO_N "checking dynamic linker characteristics... $ECHO_C" >&6; }
+
+if test "$GCC" = yes; then
+  case $host_os in
+    darwin*) lt_awk_arg="/^libraries:/,/LR/" ;;
+    *) lt_awk_arg="/^libraries:/" ;;
+  esac
+  lt_search_path_spec=`$CC -print-search-dirs | awk $lt_awk_arg | $SED -e "s/^libraries://" -e "s,=/,/,g"`
+  if $ECHO "$lt_search_path_spec" | $GREP ';' >/dev/null ; then
+    # if the path contains ";" then we assume it to be the separator
+    # otherwise default to the standard path separator (i.e. ":") - it is
+    # assumed that no part of a normal pathname contains ";" but that should
+    # okay in the real world where ";" in dirpaths is itself problematic.
+    lt_search_path_spec=`$ECHO "$lt_search_path_spec" | $SED -e 's/;/ /g'`
   else
-    with_gnu_ld=no
-    wlarc=
-
-    # A generic and very simple default shared library creation
-    # command for GNU C++ for the case where it uses the native
-    # linker, instead of GNU ld.  If possible, this setting should
-    # overridden to take advantage of the native linker features on
-    # the platform it is being used on.
-    archive_cmds_CXX='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $lib'
+    lt_search_path_spec=`$ECHO "$lt_search_path_spec" | $SED  -e "s/$PATH_SEPARATOR/ /g"`
   fi
-
-  # Commands to make compiler produce verbose output that lists
-  # what "hidden" libraries, object files and flags are used when
-  # linking a shared library.
-  output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "\-L"'
-
+  # Ok, now we have the path, separated by spaces, we can step through it
+  # and add multilib dir if necessary.
+  lt_tmp_lt_search_path_spec=
+  lt_multi_os_dir=`$CC $CPPFLAGS $CFLAGS $LDFLAGS -print-multi-os-directory 2>/dev/null`
+  for lt_sys_path in $lt_search_path_spec; do
+    if test -d "$lt_sys_path/$lt_multi_os_dir"; then
+      lt_tmp_lt_search_path_spec="$lt_tmp_lt_search_path_spec $lt_sys_path/$lt_multi_os_dir"
+    else
+      test -d "$lt_sys_path" && \
+	lt_tmp_lt_search_path_spec="$lt_tmp_lt_search_path_spec $lt_sys_path"
+    fi
+  done
+  lt_search_path_spec=`$ECHO $lt_tmp_lt_search_path_spec | awk '
+BEGIN {RS=" "; FS="/|\n";} {
+  lt_foo="";
+  lt_count=0;
+  for (lt_i = NF; lt_i > 0; lt_i--) {
+    if ($lt_i != "" && $lt_i != ".") {
+      if ($lt_i == "..") {
+        lt_count++;
+      } else {
+        if (lt_count == 0) {
+          lt_foo="/" $lt_i lt_foo;
+        } else {
+          lt_count--;
+        }
+      }
+    }
+  }
+  if (lt_foo != "") { lt_freq[lt_foo]++; }
+  if (lt_freq[lt_foo] == 1) { print lt_foo; }
+}'`
+  sys_lib_search_path_spec=`$ECHO $lt_search_path_spec`
 else
-  GXX=no
-  with_gnu_ld=no
-  wlarc=
+  sys_lib_search_path_spec="/lib /usr/lib /usr/local/lib"
 fi
+library_names_spec=
+libname_spec='lib$name'
+soname_spec=
+shrext_cmds=".so"
+postinstall_cmds=
+postuninstall_cmds=
+finish_cmds=
+finish_eval=
+shlibpath_var=
+shlibpath_overrides_runpath=unknown
+version_type=none
+dynamic_linker="$host_os ld.so"
+sys_lib_dlsearch_path_spec="/lib /usr/lib"
+need_lib_prefix=unknown
+hardcode_into_libs=no
+
+# when you set need_version to no, make sure it does not cause -set_version
+# flags to be left without arguments
+need_version=unknown
 
-# PORTME: fill in a description of your system's C++ link characteristics
-{ echo "$as_me:$LINENO: checking whether the $compiler linker ($LD) supports shared libraries" >&5
-echo $ECHO_N "checking whether the $compiler linker ($LD) supports shared libraries... $ECHO_C" >&6; }
-ld_shlibs_CXX=yes
 case $host_os in
-  aix3*)
-    # FIXME: insert proper C++ library support
-    ld_shlibs_CXX=no
-    ;;
-  aix[4-9]*)
-    if test "$host_cpu" = ia64; then
-      # On IA64, the linker does run time linking by default, so we don't
-      # have to do anything special.
-      aix_use_runtimelinking=no
-      exp_sym_flag='-Bexport'
-      no_entry_flag=""
-    else
-      aix_use_runtimelinking=no
-
-      # Test if we are trying to use run time linking or normal
-      # AIX style linking. If -brtl is somewhere in LDFLAGS, we
-      # need to do runtime linking.
-      case $host_os in aix4.[23]|aix4.[23].*|aix[5-9]*)
-	for ld_flag in $LDFLAGS; do
-	  case $ld_flag in
-	  *-brtl*)
-	    aix_use_runtimelinking=yes
-	    break
-	    ;;
-	  esac
-	done
-	;;
-      esac
+aix3*)
+  version_type=linux
+  library_names_spec='${libname}${release}${shared_ext}$versuffix $libname.a'
+  shlibpath_var=LIBPATH
 
-      exp_sym_flag='-bexport'
-      no_entry_flag='-bnoentry'
-    fi
+  # AIX 3 has no versioning support, so we append a major version to the name.
+  soname_spec='${libname}${release}${shared_ext}$major'
+  ;;
 
-    # When large executables or shared objects are built, AIX ld can
-    # have problems creating the table of contents.  If linking a library
-    # or program results in "error TOC overflow" add -mminimal-toc to
-    # CXXFLAGS/CFLAGS for g++/gcc.  In the cases where that is not
-    # enough to fix the problem, add -Wl,-bbigtoc to LDFLAGS.
-
-    archive_cmds_CXX=''
-    hardcode_direct_CXX=yes
-    hardcode_libdir_separator_CXX=':'
-    link_all_deplibs_CXX=yes
-
-    if test "$GXX" = yes; then
-      case $host_os in aix4.[012]|aix4.[012].*)
-      # We only want to do this on AIX 4.2 and lower, the check
-      # below for broken collect2 doesn't work under 4.3+
-	collect2name=`${CC} -print-prog-name=collect2`
-	if test -f "$collect2name" && \
-	   strings "$collect2name" | grep resolve_lib_name >/dev/null
-	then
-	  # We have reworked collect2
-	  :
-	else
-	  # We have old collect2
-	  hardcode_direct_CXX=unsupported
-	  # It fails to find uninstalled libraries when the uninstalled
-	  # path is not listed in the libpath.  Setting hardcode_minus_L
-	  # to unsupported forces relinking
-	  hardcode_minus_L_CXX=yes
-	  hardcode_libdir_flag_spec_CXX='-L$libdir'
-	  hardcode_libdir_separator_CXX=
-	fi
-	;;
-      esac
-      shared_flag='-shared'
-      if test "$aix_use_runtimelinking" = yes; then
-	shared_flag="$shared_flag "'${wl}-G'
-      fi
-    else
-      # not using gcc
-      if test "$host_cpu" = ia64; then
-	# VisualAge C++, Version 5.5 for AIX 5L for IA-64, Beta 3 Release
-	# chokes on -Wl,-G. The following line is correct:
-	shared_flag='-G'
+aix[4-9]*)
+  version_type=linux
+  need_lib_prefix=no
+  need_version=no
+  hardcode_into_libs=yes
+  if test "$host_cpu" = ia64; then
+    # AIX 5 supports IA64
+    library_names_spec='${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext}$versuffix $libname${shared_ext}'
+    shlibpath_var=LD_LIBRARY_PATH
+  else
+    # With GCC up to 2.95.x, collect2 would create an import file
+    # for dependence libraries.  The import file would start with
+    # the line `#! .'.  This would cause the generated library to
+    # depend on `.', always an invalid library.  This was fixed in
+    # development snapshots of GCC prior to 3.0.
+    case $host_os in
+      aix4 | aix4.[01] | aix4.[01].*)
+      if { echo '#if __GNUC__ > 2 || (__GNUC__ == 2 && __GNUC_MINOR__ >= 97)'
+	   echo ' yes '
+	   echo '#endif'; } | ${CC} -E - | $GREP yes > /dev/null; then
+	:
       else
-	if test "$aix_use_runtimelinking" = yes; then
-	  shared_flag='${wl}-G'
-	else
-	  shared_flag='${wl}-bM:SRE'
-	fi
+	can_build_shared=no
       fi
+      ;;
+    esac
+    # AIX (on Power*) has no versioning support, so currently we can not hardcode correct
+    # soname into executable. Probably we can add versioning support to
+    # collect2, so additional links can be useful in future.
+    if test "$aix_use_runtimelinking" = yes; then
+      # If using run time linking (on AIX 4.2 or later) use lib<name>.so
+      # instead of lib<name>.a to let people know that these are not
+      # typical AIX shared libraries.
+      library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+    else
+      # We preserve .a as extension for shared libraries through AIX4.2
+      # and later when we are not doing run time linking.
+      library_names_spec='${libname}${release}.a $libname.a'
+      soname_spec='${libname}${release}${shared_ext}$major'
     fi
+    shlibpath_var=LIBPATH
+  fi
+  ;;
 
-    # It seems that -bexpall does not export symbols beginning with
-    # underscore (_), so it is better to generate a list of symbols to export.
-    always_export_symbols_CXX=yes
-    if test "$aix_use_runtimelinking" = yes; then
-      # Warning - without using the other runtime loading flags (-brtl),
-      # -berok will link without error, but may produce a broken library.
-      allow_undefined_flag_CXX='-berok'
-      # Determine the default libpath from the value encoded in an empty executable.
-      cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
+amigaos*)
+  case $host_cpu in
+  powerpc)
+    # Since July 2007 AmigaOS4 officially supports .so libraries.
+    # When compiling the executable, add -use-dynld -Lsobjs: to the compileline.
+    library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+    ;;
+  m68k)
+    library_names_spec='$libname.ixlibrary $libname.a'
+    # Create ${libname}_ixlibrary.a entries in /sys/libs.
+    finish_eval='for lib in `ls $libdir/*.ixlibrary 2>/dev/null`; do libname=`$ECHO "X$lib" | $Xsed -e '\''s%^.*/\([^/]*\)\.ixlibrary$%\1%'\''`; test $RM /sys/libs/${libname}_ixlibrary.a; $show "cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a"; cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a || exit 1; done'
+    ;;
+  esac
+  ;;
 
-int
-main ()
-{
+beos*)
+  library_names_spec='${libname}${shared_ext}'
+  dynamic_linker="$host_os ld.so"
+  shlibpath_var=LIBRARY_PATH
+  ;;
 
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_cxx_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
+bsdi[45]*)
+  version_type=linux
+  need_version=no
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  finish_cmds='PATH="\$PATH:/sbin" ldconfig $libdir'
+  shlibpath_var=LD_LIBRARY_PATH
+  sys_lib_search_path_spec="/shlib /usr/lib /usr/X11/lib /usr/contrib/lib /lib /usr/local/lib"
+  sys_lib_dlsearch_path_spec="/shlib /usr/lib /usr/local/lib"
+  # the default ld.so.conf also contains /usr/contrib/lib and
+  # /usr/X11R6/lib (/usr/X11 is a link to /usr/X11R6), but let us allow
+  # libtool to hard-code these into programs
+  ;;
 
-lt_aix_libpath_sed='
-    /Import File Strings/,/^$/ {
-	/^0/ {
-	    s/^0  *\(.*\)$/\1/
-	    p
-	}
-    }'
-aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
-# Check for a 64-bit object if we didn't find anything.
-if test -z "$aix_libpath"; then
-  aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
-fi
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cygwin* | mingw* | pw32*)
+  version_type=windows
+  shrext_cmds=".dll"
+  need_version=no
+  need_lib_prefix=no
 
+  case $GCC,$host_os in
+  yes,cygwin* | yes,mingw* | yes,pw32*)
+    library_names_spec='$libname.dll.a'
+    # DLL is installed to $(libdir)/../bin by postinstall_cmds
+    postinstall_cmds='base_file=`basename \${file}`~
+      dlpath=`$SHELL 2>&1 -c '\''. $dir/'\''\${base_file}'\''i; echo \$dlname'\''`~
+      dldir=$destdir/`dirname \$dlpath`~
+      test -d \$dldir || mkdir -p \$dldir~
+      $install_prog $dir/$dlname \$dldir/$dlname~
+      chmod a+x \$dldir/$dlname~
+      if test -n '\''$stripme'\'' && test -n '\''$striplib'\''; then
+        eval '\''$striplib \$dldir/$dlname'\'' || exit \$?;
+      fi'
+    postuninstall_cmds='dldll=`$SHELL 2>&1 -c '\''. $file; echo \$dlname'\''`~
+      dlpath=$dir/\$dldll~
+       $RM \$dlpath'
+    shlibpath_overrides_runpath=yes
 
-fi
+    case $host_os in
+    cygwin*)
+      # Cygwin DLLs use 'cyg' prefix rather than 'lib'
+      soname_spec='`echo ${libname} | sed -e 's/^lib/cyg/'``echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}'
+      sys_lib_search_path_spec="/usr/lib /lib/w32api /lib /usr/local/lib"
+      ;;
+    mingw*)
+      # MinGW DLLs use traditional 'lib' prefix
+      soname_spec='${libname}`echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}'
+      sys_lib_search_path_spec=`$CC -print-search-dirs | $GREP "^libraries:" | $SED -e "s/^libraries://" -e "s,=/,/,g"`
+      if $ECHO "$sys_lib_search_path_spec" | $GREP ';[c-zC-Z]:/' >/dev/null; then
+        # It is most probably a Windows format PATH printed by
+        # mingw gcc, but we are running on Cygwin. Gcc prints its search
+        # path with ; separators, and with drive letters. We can handle the
+        # drive letters (cygwin fileutils understands them), so leave them,
+        # especially as we might pass files found there to a mingw objdump,
+        # which wouldn't understand a cygwinified path. Ahh.
+        sys_lib_search_path_spec=`$ECHO "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'`
+      else
+        sys_lib_search_path_spec=`$ECHO "$sys_lib_search_path_spec" | $SED  -e "s/$PATH_SEPARATOR/ /g"`
+      fi
+      ;;
+    pw32*)
+      # pw32 DLLs use 'pw' prefix rather than 'lib'
+      library_names_spec='`echo ${libname} | sed -e 's/^lib/pw/'``echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}'
+      ;;
+    esac
+    ;;
 
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
-if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
+  *)
+    library_names_spec='${libname}`echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext} $libname.lib'
+    ;;
+  esac
+  dynamic_linker='Win32 ld.exe'
+  # FIXME: first we should search . and the directory the executable is in
+  shlibpath_var=PATH
+  ;;
 
-      hardcode_libdir_flag_spec_CXX='${wl}-blibpath:$libdir:'"$aix_libpath"
+darwin* | rhapsody*)
+  dynamic_linker="$host_os dyld"
+  version_type=darwin
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='${libname}${release}${major}$shared_ext ${libname}$shared_ext'
+  soname_spec='${libname}${release}${major}$shared_ext'
+  shlibpath_overrides_runpath=yes
+  shlibpath_var=DYLD_LIBRARY_PATH
+  shrext_cmds='`test .$module = .yes && echo .so || echo .dylib`'
 
-      archive_expsym_cmds_CXX="\$CC"' -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then echo "${wl}${allow_undefined_flag}"; else :; fi` '"\${wl}$exp_sym_flag:\$export_symbols $shared_flag"
-     else
-      if test "$host_cpu" = ia64; then
-	hardcode_libdir_flag_spec_CXX='${wl}-R $libdir:/usr/lib:/lib'
-	allow_undefined_flag_CXX="-z nodefs"
-	archive_expsym_cmds_CXX="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags ${wl}${allow_undefined_flag} '"\${wl}$exp_sym_flag:\$export_symbols"
-      else
-	# Determine the default libpath from the value encoded in an empty executable.
-	cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
+  sys_lib_search_path_spec="$sys_lib_search_path_spec /usr/local/lib"
+  sys_lib_dlsearch_path_spec='/usr/local/lib /lib /usr/lib'
+  ;;
 
-int
-main ()
-{
+dgux*)
+  version_type=linux
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname$shared_ext'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  shlibpath_var=LD_LIBRARY_PATH
+  ;;
 
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_cxx_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
-
-lt_aix_libpath_sed='
-    /Import File Strings/,/^$/ {
-	/^0/ {
-	    s/^0  *\(.*\)$/\1/
-	    p
-	}
-    }'
-aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
-# Check for a 64-bit object if we didn't find anything.
-if test -z "$aix_libpath"; then
-  aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
-fi
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
-if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
-
-	hardcode_libdir_flag_spec_CXX='${wl}-blibpath:$libdir:'"$aix_libpath"
-	# Warning - without using the other run time loading flags,
-	# -berok will link without error, but may produce a broken library.
-	no_undefined_flag_CXX=' ${wl}-bernotok'
-	allow_undefined_flag_CXX=' ${wl}-berok'
-	# Exported symbols can be pulled into shared objects from archives
-	whole_archive_flag_spec_CXX='$convenience'
-	archive_cmds_need_lc_CXX=yes
-	# This is similar to how AIX traditionally builds its shared libraries.
-	archive_expsym_cmds_CXX="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs ${wl}-bnoentry $compiler_flags ${wl}-bE:$export_symbols${allow_undefined_flag}~$AR $AR_FLAGS $output_objdir/$libname$release.a $output_objdir/$soname'
-      fi
-    fi
-    ;;
-
-  beos*)
-    if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
-      allow_undefined_flag_CXX=unsupported
-      # Joseph Beckenbach <jrb3@best.com> says some releases of gcc
-      # support --undefined.  This deserves some investigation.  FIXME
-      archive_cmds_CXX='$CC -nostart $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
-    else
-      ld_shlibs_CXX=no
-    fi
-    ;;
-
-  chorus*)
-    case $cc_basename in
-      *)
-	# FIXME: insert proper C++ library support
-	ld_shlibs_CXX=no
-	;;
-    esac
-    ;;
-
-  cygwin* | mingw* | pw32*)
-    # _LT_AC_TAGVAR(hardcode_libdir_flag_spec, CXX) is actually meaningless,
-    # as there is no search path for DLLs.
-    hardcode_libdir_flag_spec_CXX='-L$libdir'
-    allow_undefined_flag_CXX=unsupported
-    always_export_symbols_CXX=no
-    enable_shared_with_static_runtimes_CXX=yes
-
-    if $LD --help 2>&1 | grep 'auto-import' > /dev/null; then
-      archive_cmds_CXX='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
-      # If the export-symbols file already is a .def file (1st line
-      # is EXPORTS), use it as is; otherwise, prepend...
-      archive_expsym_cmds_CXX='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then
-	cp $export_symbols $output_objdir/$soname.def;
-      else
-	echo EXPORTS > $output_objdir/$soname.def;
-	cat $export_symbols >> $output_objdir/$soname.def;
-      fi~
-      $CC -shared -nostdlib $output_objdir/$soname.def $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
-    else
-      ld_shlibs_CXX=no
-    fi
+freebsd1*)
+  dynamic_linker=no
   ;;
-      darwin* | rhapsody*)
-      archive_cmds_need_lc_CXX=no
-      hardcode_direct_CXX=no
-      hardcode_automatic_CXX=yes
-      hardcode_shlibpath_var_CXX=unsupported
-      whole_archive_flag_spec_CXX=''
-      link_all_deplibs_CXX=yes
-      allow_undefined_flag_CXX="$_lt_dar_allow_undefined"
-      if test "$GXX" = yes ; then
-      output_verbose_link_cmd='echo'
-      archive_cmds_CXX="\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$libobjs \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring $_lt_dar_single_mod${_lt_dsymutil}"
-      module_cmds_CXX="\$CC \$allow_undefined_flag -o \$lib -bundle \$libobjs \$deplibs \$compiler_flags${_lt_dsymutil}"
-      archive_expsym_cmds_CXX="sed 's,^,_,' < \$export_symbols > \$output_objdir/\${libname}-symbols.expsym~\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$libobjs \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring ${_lt_dar_single_mod}${_lt_dar_export_syms}${_lt_dsymutil}"
-      module_expsym_cmds_CXX="sed -e 's,^,_,' < \$export_symbols > \$output_objdir/\${libname}-symbols.expsym~\$CC \$allow_undefined_flag -o \$lib -bundle \$libobjs \$deplibs \$compiler_flags${_lt_dar_export_syms}${_lt_dsymutil}"
-      if test "$lt_cv_apple_cc_single_mod" != "yes"; then
-        archive_cmds_CXX="\$CC -r -keep_private_externs -nostdlib -o \${lib}-master.o \$libobjs~\$CC -dynamiclib \$allow_undefined_flag -o \$lib \${lib}-master.o \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring${_lt_dsymutil}"
-        archive_expsym_cmds_CXX="sed 's,^,_,' < \$export_symbols > \$output_objdir/\${libname}-symbols.expsym~\$CC -r -keep_private_externs -nostdlib -o \${lib}-master.o \$libobjs~\$CC -dynamiclib \$allow_undefined_flag -o \$lib \${lib}-master.o \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring${_lt_dar_export_syms}${_lt_dsymutil}"
-      fi
-      else
-      case $cc_basename in
-        xlc*)
-         output_verbose_link_cmd='echo'
-          archive_cmds_CXX='$CC -qmkshrobj ${wl}-single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}`echo $rpath/$soname` $xlcverstring'
-          module_cmds_CXX='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
-          # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin lds
-          archive_expsym_cmds_CXX='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -qmkshrobj ${wl}-single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}$rpath/$soname $xlcverstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
-          module_expsym_cmds_CXX='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag  -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
-          ;;
-       *)
-         ld_shlibs_CXX=no
-          ;;
-      esac
-      fi
-        ;;
 
-  dgux*)
-    case $cc_basename in
-      ec++*)
-	# FIXME: insert proper C++ library support
-	ld_shlibs_CXX=no
-	;;
-      ghcx*)
-	# Green Hills C++ Compiler
-	# FIXME: insert proper C++ library support
-	ld_shlibs_CXX=no
-	;;
-      *)
-	# FIXME: insert proper C++ library support
-	ld_shlibs_CXX=no
-	;;
+freebsd* | dragonfly*)
+  # DragonFly does not have aout.  When/if they implement a new
+  # versioning mechanism, adjust this.
+  if test -x /usr/bin/objformat; then
+    objformat=`/usr/bin/objformat`
+  else
+    case $host_os in
+    freebsd[123]*) objformat=aout ;;
+    *) objformat=elf ;;
     esac
-    ;;
-  freebsd[12]*)
-    # C++ shared libraries reported to be fairly broken before switch to ELF
-    ld_shlibs_CXX=no
-    ;;
-  freebsd-elf*)
-    archive_cmds_need_lc_CXX=no
-    ;;
-  freebsd* | dragonfly*)
-    # FreeBSD 3 and later use GNU C++ and GNU ld with standard ELF
-    # conventions
-    ld_shlibs_CXX=yes
-    ;;
-  gnu*)
-    ;;
-  hpux9*)
-    hardcode_libdir_flag_spec_CXX='${wl}+b ${wl}$libdir'
-    hardcode_libdir_separator_CXX=:
-    export_dynamic_flag_spec_CXX='${wl}-E'
-    hardcode_direct_CXX=yes
-    hardcode_minus_L_CXX=yes # Not in the search PATH,
-				# but as the default
-				# location of the library.
-
-    case $cc_basename in
-    CC*)
-      # FIXME: insert proper C++ library support
-      ld_shlibs_CXX=no
-      ;;
-    aCC*)
-      archive_cmds_CXX='$rm $output_objdir/$soname~$CC -b ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
-      # Commands to make compiler produce verbose output that lists
-      # what "hidden" libraries, object files and flags are used when
-      # linking a shared library.
-      #
-      # There doesn't appear to be a way to prevent this compiler from
-      # explicitly linking system object files so we need to strip them
-      # from the output so that they don't get included in the library
-      # dependencies.
-      output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | grep "[-]L"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
+  fi
+  version_type=freebsd-$objformat
+  case $version_type in
+    freebsd-elf*)
+      library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext} $libname${shared_ext}'
+      need_version=no
+      need_lib_prefix=no
       ;;
-    *)
-      if test "$GXX" = yes; then
-        archive_cmds_CXX='$rm $output_objdir/$soname~$CC -shared -nostdlib -fPIC ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
-      else
-        # FIXME: insert proper C++ library support
-        ld_shlibs_CXX=no
-      fi
+    freebsd-*)
+      library_names_spec='${libname}${release}${shared_ext}$versuffix $libname${shared_ext}$versuffix'
+      need_version=yes
       ;;
-    esac
+  esac
+  shlibpath_var=LD_LIBRARY_PATH
+  case $host_os in
+  freebsd2*)
+    shlibpath_overrides_runpath=yes
     ;;
-  hpux10*|hpux11*)
-    if test $with_gnu_ld = no; then
-      hardcode_libdir_flag_spec_CXX='${wl}+b ${wl}$libdir'
-      hardcode_libdir_separator_CXX=:
-
-      case $host_cpu in
-      hppa*64*|ia64*) ;;
-      *)
-	export_dynamic_flag_spec_CXX='${wl}-E'
-        ;;
-      esac
-    fi
-    case $host_cpu in
-    hppa*64*|ia64*)
-      hardcode_direct_CXX=no
-      hardcode_shlibpath_var_CXX=no
-      ;;
-    *)
-      hardcode_direct_CXX=yes
-      hardcode_minus_L_CXX=yes # Not in the search PATH,
-					      # but as the default
-					      # location of the library.
-      ;;
-    esac
-
-    case $cc_basename in
-      CC*)
-	# FIXME: insert proper C++ library support
-	ld_shlibs_CXX=no
-	;;
-      aCC*)
-	case $host_cpu in
-	hppa*64*)
-	  archive_cmds_CXX='$CC -b ${wl}+h ${wl}$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
-	  ;;
-	ia64*)
-	  archive_cmds_CXX='$CC -b ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
-	  ;;
-	*)
-	  archive_cmds_CXX='$CC -b ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
-	  ;;
-	esac
-	# Commands to make compiler produce verbose output that lists
-	# what "hidden" libraries, object files and flags are used when
-	# linking a shared library.
-	#
-	# There doesn't appear to be a way to prevent this compiler from
-	# explicitly linking system object files so we need to strip them
-	# from the output so that they don't get included in the library
-	# dependencies.
-	output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | grep "\-L"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
-	;;
-      *)
-	if test "$GXX" = yes; then
-	  if test $with_gnu_ld = no; then
-	    case $host_cpu in
-	    hppa*64*)
-	      archive_cmds_CXX='$CC -shared -nostdlib -fPIC ${wl}+h ${wl}$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
-	      ;;
-	    ia64*)
-	      archive_cmds_CXX='$CC -shared -nostdlib -fPIC ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
-	      ;;
-	    *)
-	      archive_cmds_CXX='$CC -shared -nostdlib -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
-	      ;;
-	    esac
-	  fi
-	else
-	  # FIXME: insert proper C++ library support
-	  ld_shlibs_CXX=no
-	fi
-	;;
-    esac
+  freebsd3.[01]* | freebsdelf3.[01]*)
+    shlibpath_overrides_runpath=yes
+    hardcode_into_libs=yes
     ;;
-  interix[3-9]*)
-    hardcode_direct_CXX=no
-    hardcode_shlibpath_var_CXX=no
-    hardcode_libdir_flag_spec_CXX='${wl}-rpath,$libdir'
-    export_dynamic_flag_spec_CXX='${wl}-E'
-    # Hack: On Interix 3.x, we cannot compile PIC because of a broken gcc.
-    # Instead, shared libraries are loaded at an image base (0x10000000 by
-    # default) and relocated if they conflict, which is a slow very memory
-    # consuming and fragmenting process.  To avoid this, we pick a random,
-    # 256 KiB-aligned image base between 0x50000000 and 0x6FFC0000 at link
-    # time.  Moving up from 0x10000000 also allows more sbrk(2) space.
-    archive_cmds_CXX='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
-    archive_expsym_cmds_CXX='sed "s,^,_," $export_symbols >$output_objdir/$soname.expsym~$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--retain-symbols-file,$output_objdir/$soname.expsym ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
+  freebsd3.[2-9]* | freebsdelf3.[2-9]* | \
+  freebsd4.[0-5] | freebsdelf4.[0-5] | freebsd4.1.1 | freebsdelf4.1.1)
+    shlibpath_overrides_runpath=no
+    hardcode_into_libs=yes
     ;;
-  irix5* | irix6*)
-    case $cc_basename in
-      CC*)
-	# SGI C++
-	archive_cmds_CXX='$CC -shared -all -multigot $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
-
-	# Archives containing C++ object files must be created using
-	# "CC -ar", where "CC" is the IRIX C++ compiler.  This is
-	# necessary to make sure instantiated templates are included
-	# in the archive.
-	old_archive_cmds_CXX='$CC -ar -WR,-u -o $oldlib $oldobjs'
-	;;
-      *)
-	if test "$GXX" = yes; then
-	  if test "$with_gnu_ld" = no; then
-	    archive_cmds_CXX='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
-	  else
-	    archive_cmds_CXX='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` -o $lib'
-	  fi
-	fi
-	link_all_deplibs_CXX=yes
-	;;
-    esac
-    hardcode_libdir_flag_spec_CXX='${wl}-rpath ${wl}$libdir'
-    hardcode_libdir_separator_CXX=:
+  *) # from 4.6 on, and DragonFly
+    shlibpath_overrides_runpath=yes
+    hardcode_into_libs=yes
     ;;
-  linux* | k*bsd*-gnu)
-    case $cc_basename in
-      KCC*)
-	# Kuck and Associates, Inc. (KAI) C++ Compiler
-
-	# KCC will only create a shared library if the output file
-	# ends with ".so" (or ".sl" for HP-UX), so rename the library
-	# to its proper name (with version) after linking.
-	archive_cmds_CXX='tempext=`echo $shared_ext | $SED -e '\''s/\([^()0-9A-Za-z{}]\)/\\\\\1/g'\''`; templib=`echo $lib | $SED -e "s/\${tempext}\..*/.so/"`; $CC $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags --soname $soname -o \$templib; mv \$templib $lib'
-	archive_expsym_cmds_CXX='tempext=`echo $shared_ext | $SED -e '\''s/\([^()0-9A-Za-z{}]\)/\\\\\1/g'\''`; templib=`echo $lib | $SED -e "s/\${tempext}\..*/.so/"`; $CC $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags --soname $soname -o \$templib ${wl}-retain-symbols-file,$export_symbols; mv \$templib $lib'
-	# Commands to make compiler produce verbose output that lists
-	# what "hidden" libraries, object files and flags are used when
-	# linking a shared library.
-	#
-	# There doesn't appear to be a way to prevent this compiler from
-	# explicitly linking system object files so we need to strip them
-	# from the output so that they don't get included in the library
-	# dependencies.
-	output_verbose_link_cmd='templist=`$CC $CFLAGS -v conftest.$objext -o libconftest$shared_ext 2>&1 | grep "ld"`; rm -f libconftest$shared_ext; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
-
-	hardcode_libdir_flag_spec_CXX='${wl}--rpath,$libdir'
-	export_dynamic_flag_spec_CXX='${wl}--export-dynamic'
-
-	# Archives containing C++ object files must be created using
-	# "CC -Bstatic", where "CC" is the KAI C++ compiler.
-	old_archive_cmds_CXX='$CC -Bstatic -o $oldlib $oldobjs'
-	;;
-      icpc*)
-	# Intel C++
-	with_gnu_ld=yes
-	# version 8.0 and above of icpc choke on multiply defined symbols
-	# if we add $predep_objects and $postdep_objects, however 7.1 and
-	# earlier do not add the objects themselves.
-	case `$CC -V 2>&1` in
-	*"Version 7."*)
-  	  archive_cmds_CXX='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib'
-  	  archive_expsym_cmds_CXX='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
-	  ;;
-	*)  # Version 8.0 or newer
-	  tmp_idyn=
-	  case $host_cpu in
-	    ia64*) tmp_idyn=' -i_dynamic';;
-	  esac
-  	  archive_cmds_CXX='$CC -shared'"$tmp_idyn"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
-	  archive_expsym_cmds_CXX='$CC -shared'"$tmp_idyn"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
-	  ;;
-	esac
-	archive_cmds_need_lc_CXX=no
-	hardcode_libdir_flag_spec_CXX='${wl}-rpath,$libdir'
-	export_dynamic_flag_spec_CXX='${wl}--export-dynamic'
-	whole_archive_flag_spec_CXX='${wl}--whole-archive$convenience ${wl}--no-whole-archive'
-	;;
-      pgCC* | pgcpp*)
-        # Portland Group C++ compiler
-	archive_cmds_CXX='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
-  	archive_expsym_cmds_CXX='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname ${wl}-retain-symbols-file ${wl}$export_symbols -o $lib'
-
-	hardcode_libdir_flag_spec_CXX='${wl}--rpath ${wl}$libdir'
-	export_dynamic_flag_spec_CXX='${wl}--export-dynamic'
-	whole_archive_flag_spec_CXX='${wl}--whole-archive`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}--no-whole-archive'
-        ;;
-      cxx*)
-	# Compaq C++
-	archive_cmds_CXX='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib'
-	archive_expsym_cmds_CXX='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname  -o $lib ${wl}-retain-symbols-file $wl$export_symbols'
+  esac
+  ;;
 
-	runpath_var=LD_RUN_PATH
-	hardcode_libdir_flag_spec_CXX='-rpath $libdir'
-	hardcode_libdir_separator_CXX=:
-
-	# Commands to make compiler produce verbose output that lists
-	# what "hidden" libraries, object files and flags are used when
-	# linking a shared library.
-	#
-	# There doesn't appear to be a way to prevent this compiler from
-	# explicitly linking system object files so we need to strip them
-	# from the output so that they don't get included in the library
-	# dependencies.
-	output_verbose_link_cmd='templist=`$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "ld"`; templist=`echo $templist | $SED "s/\(^.*ld.*\)\( .*ld .*$\)/\1/"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
-	;;
-      *)
-	case `$CC -V 2>&1 | sed 5q` in
-	*Sun\ C*)
-	  # Sun C++ 5.9
-	  no_undefined_flag_CXX=' -zdefs'
-	  archive_cmds_CXX='$CC -G${allow_undefined_flag} -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
-	  archive_expsym_cmds_CXX='$CC -G${allow_undefined_flag} -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-retain-symbols-file ${wl}$export_symbols'
-	  hardcode_libdir_flag_spec_CXX='-R$libdir'
-	  whole_archive_flag_spec_CXX='${wl}--whole-archive`new_convenience=; for conv in $convenience\"\"; do test -z \"$conv\" || new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}--no-whole-archive'
-
-	  # Not sure whether something based on
-	  # $CC $CFLAGS -v conftest.$objext -o libconftest$shared_ext 2>&1
-	  # would be better.
-	  output_verbose_link_cmd='echo'
-
-	  # Archives containing C++ object files must be created using
-	  # "CC -xar", where "CC" is the Sun C++ compiler.  This is
-	  # necessary to make sure instantiated templates are included
-	  # in the archive.
-	  old_archive_cmds_CXX='$CC -xar -o $oldlib $oldobjs'
-	  ;;
-	esac
-	;;
-    esac
-    ;;
-  lynxos*)
-    # FIXME: insert proper C++ library support
-    ld_shlibs_CXX=no
-    ;;
-  m88k*)
-    # FIXME: insert proper C++ library support
-    ld_shlibs_CXX=no
-    ;;
-  mvs*)
-    case $cc_basename in
-      cxx*)
-	# FIXME: insert proper C++ library support
-	ld_shlibs_CXX=no
-	;;
-      *)
-	# FIXME: insert proper C++ library support
-	ld_shlibs_CXX=no
-	;;
-    esac
-    ;;
-  netbsd* | netbsdelf*-gnu)
-    if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
-      archive_cmds_CXX='$LD -Bshareable  -o $lib $predep_objects $libobjs $deplibs $postdep_objects $linker_flags'
-      wlarc=
-      hardcode_libdir_flag_spec_CXX='-R$libdir'
-      hardcode_direct_CXX=yes
-      hardcode_shlibpath_var_CXX=no
-    fi
-    # Workaround some broken pre-1.5 toolchains
-    output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep conftest.$objext | $SED -e "s:-lgcc -lc -lgcc::"'
-    ;;
-  openbsd2*)
-    # C++ shared libraries are fairly broken
-    ld_shlibs_CXX=no
-    ;;
-  openbsd*)
-    if test -f /usr/libexec/ld.so; then
-      hardcode_direct_CXX=yes
-      hardcode_shlibpath_var_CXX=no
-      archive_cmds_CXX='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $lib'
-      hardcode_libdir_flag_spec_CXX='${wl}-rpath,$libdir'
-      if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
-	archive_expsym_cmds_CXX='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-retain-symbols-file,$export_symbols -o $lib'
-	export_dynamic_flag_spec_CXX='${wl}-E'
-	whole_archive_flag_spec_CXX="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive'
-      fi
-      output_verbose_link_cmd='echo'
+gnu*)
+  version_type=linux
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}${major} ${libname}${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  shlibpath_var=LD_LIBRARY_PATH
+  hardcode_into_libs=yes
+  ;;
+
+hpux9* | hpux10* | hpux11*)
+  # Give a soname corresponding to the major version so that dld.sl refuses to
+  # link against other versions.
+  version_type=sunos
+  need_lib_prefix=no
+  need_version=no
+  case $host_cpu in
+  ia64*)
+    shrext_cmds='.so'
+    hardcode_into_libs=yes
+    dynamic_linker="$host_os dld.so"
+    shlibpath_var=LD_LIBRARY_PATH
+    shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
+    library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+    soname_spec='${libname}${release}${shared_ext}$major'
+    if test "X$HPUX_IA64_MODE" = X32; then
+      sys_lib_search_path_spec="/usr/lib/hpux32 /usr/local/lib/hpux32 /usr/local/lib"
     else
-      ld_shlibs_CXX=no
+      sys_lib_search_path_spec="/usr/lib/hpux64 /usr/local/lib/hpux64"
     fi
+    sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
     ;;
-  osf3*)
-    case $cc_basename in
-      KCC*)
-	# Kuck and Associates, Inc. (KAI) C++ Compiler
-
-	# KCC will only create a shared library if the output file
-	# ends with ".so" (or ".sl" for HP-UX), so rename the library
-	# to its proper name (with version) after linking.
-	archive_cmds_CXX='tempext=`echo $shared_ext | $SED -e '\''s/\([^()0-9A-Za-z{}]\)/\\\\\1/g'\''`; templib=`echo $lib | $SED -e "s/\${tempext}\..*/.so/"`; $CC $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags --soname $soname -o \$templib; mv \$templib $lib'
-
-	hardcode_libdir_flag_spec_CXX='${wl}-rpath,$libdir'
-	hardcode_libdir_separator_CXX=:
-
-	# Archives containing C++ object files must be created using
-	# "CC -Bstatic", where "CC" is the KAI C++ compiler.
-	old_archive_cmds_CXX='$CC -Bstatic -o $oldlib $oldobjs'
-
-	;;
-      RCC*)
-	# Rational C++ 2.4.1
-	# FIXME: insert proper C++ library support
-	ld_shlibs_CXX=no
-	;;
-      cxx*)
-	allow_undefined_flag_CXX=' ${wl}-expect_unresolved ${wl}\*'
-	archive_cmds_CXX='$CC -shared${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $soname `test -n "$verstring" && echo ${wl}-set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
-
-	hardcode_libdir_flag_spec_CXX='${wl}-rpath ${wl}$libdir'
-	hardcode_libdir_separator_CXX=:
-
-	# Commands to make compiler produce verbose output that lists
-	# what "hidden" libraries, object files and flags are used when
-	# linking a shared library.
-	#
-	# There doesn't appear to be a way to prevent this compiler from
-	# explicitly linking system object files so we need to strip them
-	# from the output so that they don't get included in the library
-	# dependencies.
-	output_verbose_link_cmd='templist=`$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "ld" | grep -v "ld:"`; templist=`echo $templist | $SED "s/\(^.*ld.*\)\( .*ld.*$\)/\1/"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
-	;;
-      *)
-	if test "$GXX" = yes && test "$with_gnu_ld" = no; then
-	  allow_undefined_flag_CXX=' ${wl}-expect_unresolved ${wl}\*'
-	  archive_cmds_CXX='$CC -shared -nostdlib ${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
-
-	  hardcode_libdir_flag_spec_CXX='${wl}-rpath ${wl}$libdir'
-	  hardcode_libdir_separator_CXX=:
-
-	  # Commands to make compiler produce verbose output that lists
-	  # what "hidden" libraries, object files and flags are used when
-	  # linking a shared library.
-	  output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "\-L"'
-
-	else
-	  # FIXME: insert proper C++ library support
-	  ld_shlibs_CXX=no
-	fi
-	;;
-    esac
+  hppa*64*)
+    shrext_cmds='.sl'
+    hardcode_into_libs=yes
+    dynamic_linker="$host_os dld.sl"
+    shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH
+    shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
+    library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+    soname_spec='${libname}${release}${shared_ext}$major'
+    sys_lib_search_path_spec="/usr/lib/pa20_64 /usr/ccs/lib/pa20_64"
+    sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
     ;;
-  osf4* | osf5*)
-    case $cc_basename in
-      KCC*)
-	# Kuck and Associates, Inc. (KAI) C++ Compiler
-
-	# KCC will only create a shared library if the output file
-	# ends with ".so" (or ".sl" for HP-UX), so rename the library
-	# to its proper name (with version) after linking.
-	archive_cmds_CXX='tempext=`echo $shared_ext | $SED -e '\''s/\([^()0-9A-Za-z{}]\)/\\\\\1/g'\''`; templib=`echo $lib | $SED -e "s/\${tempext}\..*/.so/"`; $CC $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags --soname $soname -o \$templib; mv \$templib $lib'
-
-	hardcode_libdir_flag_spec_CXX='${wl}-rpath,$libdir'
-	hardcode_libdir_separator_CXX=:
-
-	# Archives containing C++ object files must be created using
-	# the KAI C++ compiler.
-	old_archive_cmds_CXX='$CC -o $oldlib $oldobjs'
-	;;
-      RCC*)
-	# Rational C++ 2.4.1
-	# FIXME: insert proper C++ library support
-	ld_shlibs_CXX=no
-	;;
-      cxx*)
-	allow_undefined_flag_CXX=' -expect_unresolved \*'
-	archive_cmds_CXX='$CC -shared${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -msym -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
-	archive_expsym_cmds_CXX='for i in `cat $export_symbols`; do printf "%s %s\\n" -exported_symbol "\$i" >> $lib.exp; done~
-	  echo "-hidden">> $lib.exp~
-	  $CC -shared$allow_undefined_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -msym -soname $soname -Wl,-input -Wl,$lib.exp  `test -n "$verstring" && echo -set_version	$verstring` -update_registry ${output_objdir}/so_locations -o $lib~
-	  $rm $lib.exp'
-
-	hardcode_libdir_flag_spec_CXX='-rpath $libdir'
-	hardcode_libdir_separator_CXX=:
-
-	# Commands to make compiler produce verbose output that lists
-	# what "hidden" libraries, object files and flags are used when
-	# linking a shared library.
-	#
-	# There doesn't appear to be a way to prevent this compiler from
-	# explicitly linking system object files so we need to strip them
-	# from the output so that they don't get included in the library
-	# dependencies.
-	output_verbose_link_cmd='templist=`$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "ld" | grep -v "ld:"`; templist=`echo $templist | $SED "s/\(^.*ld.*\)\( .*ld.*$\)/\1/"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
-	;;
-      *)
-	if test "$GXX" = yes && test "$with_gnu_ld" = no; then
-	  allow_undefined_flag_CXX=' ${wl}-expect_unresolved ${wl}\*'
-	 archive_cmds_CXX='$CC -shared -nostdlib ${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-msym ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
-
-	  hardcode_libdir_flag_spec_CXX='${wl}-rpath ${wl}$libdir'
-	  hardcode_libdir_separator_CXX=:
+  *)
+    shrext_cmds='.sl'
+    dynamic_linker="$host_os dld.sl"
+    shlibpath_var=SHLIB_PATH
+    shlibpath_overrides_runpath=no # +s is required to enable SHLIB_PATH
+    library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+    soname_spec='${libname}${release}${shared_ext}$major'
+    ;;
+  esac
+  # HP-UX runs *really* slowly unless shared libraries are mode 555.
+  postinstall_cmds='chmod 555 $lib'
+  ;;
 
-	  # Commands to make compiler produce verbose output that lists
-	  # what "hidden" libraries, object files and flags are used when
-	  # linking a shared library.
-	  output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "\-L"'
+interix[3-9]*)
+  version_type=linux
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  dynamic_linker='Interix 3.x ld.so.1 (PE, like ELF)'
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=no
+  hardcode_into_libs=yes
+  ;;
 
+irix5* | irix6* | nonstopux*)
+  case $host_os in
+    nonstopux*) version_type=nonstopux ;;
+    *)
+	if test "$lt_cv_prog_gnu_ld" = yes; then
+		version_type=linux
 	else
-	  # FIXME: insert proper C++ library support
-	  ld_shlibs_CXX=no
-	fi
-	;;
-    esac
-    ;;
-  psos*)
-    # FIXME: insert proper C++ library support
-    ld_shlibs_CXX=no
+		version_type=irix
+	fi ;;
+  esac
+  need_lib_prefix=no
+  need_version=no
+  soname_spec='${libname}${release}${shared_ext}$major'
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext} $libname${shared_ext}'
+  case $host_os in
+  irix5* | nonstopux*)
+    libsuff= shlibsuff=
     ;;
-  sunos4*)
-    case $cc_basename in
-      CC*)
-	# Sun C++ 4.x
-	# FIXME: insert proper C++ library support
-	ld_shlibs_CXX=no
-	;;
-      lcc*)
-	# Lucid
-	# FIXME: insert proper C++ library support
-	ld_shlibs_CXX=no
-	;;
-      *)
-	# FIXME: insert proper C++ library support
-	ld_shlibs_CXX=no
-	;;
+  *)
+    case $LD in # libtool.m4 will add one of these switches to LD
+    *-32|*"-32 "|*-melf32bsmip|*"-melf32bsmip ")
+      libsuff= shlibsuff= libmagic=32-bit;;
+    *-n32|*"-n32 "|*-melf32bmipn32|*"-melf32bmipn32 ")
+      libsuff=32 shlibsuff=N32 libmagic=N32;;
+    *-64|*"-64 "|*-melf64bmip|*"-melf64bmip ")
+      libsuff=64 shlibsuff=64 libmagic=64-bit;;
+    *) libsuff= shlibsuff= libmagic=never-match;;
     esac
     ;;
-  solaris*)
-    case $cc_basename in
-      CC*)
-	# Sun C++ 4.2, 5.x and Centerline C++
-        archive_cmds_need_lc_CXX=yes
-	no_undefined_flag_CXX=' -zdefs'
-	archive_cmds_CXX='$CC -G${allow_undefined_flag}  -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
-	archive_expsym_cmds_CXX='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
-	$CC -G${allow_undefined_flag}  ${wl}-M ${wl}$lib.exp -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~$rm $lib.exp'
-
-	hardcode_libdir_flag_spec_CXX='-R$libdir'
-	hardcode_shlibpath_var_CXX=no
-	case $host_os in
-	  solaris2.[0-5] | solaris2.[0-5].*) ;;
-	  *)
-	    # The compiler driver will combine and reorder linker options,
-	    # but understands `-z linker_flag'.
-	    # Supported since Solaris 2.6 (maybe 2.5.1?)
-	    whole_archive_flag_spec_CXX='-z allextract$convenience -z defaultextract'
-	    ;;
-	esac
-	link_all_deplibs_CXX=yes
-
-	output_verbose_link_cmd='echo'
-
-	# Archives containing C++ object files must be created using
-	# "CC -xar", where "CC" is the Sun C++ compiler.  This is
-	# necessary to make sure instantiated templates are included
-	# in the archive.
-	old_archive_cmds_CXX='$CC -xar -o $oldlib $oldobjs'
-	;;
-      gcx*)
-	# Green Hills C++ Compiler
-	archive_cmds_CXX='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-h $wl$soname -o $lib'
-
-	# The C++ compiler must be used to create the archive.
-	old_archive_cmds_CXX='$CC $LDFLAGS -archive -o $oldlib $oldobjs'
-	;;
-      *)
-	# GNU C++ compiler with Solaris linker
-	if test "$GXX" = yes && test "$with_gnu_ld" = no; then
-	  no_undefined_flag_CXX=' ${wl}-z ${wl}defs'
-	  if $CC --version | grep -v '^2\.7' > /dev/null; then
-	    archive_cmds_CXX='$CC -shared -nostdlib $LDFLAGS $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-h $wl$soname -o $lib'
-	    archive_expsym_cmds_CXX='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
-		$CC -shared -nostdlib ${wl}-M $wl$lib.exp -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~$rm $lib.exp'
-
-	    # Commands to make compiler produce verbose output that lists
-	    # what "hidden" libraries, object files and flags are used when
-	    # linking a shared library.
-	    output_verbose_link_cmd="$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep \"\-L\""
-	  else
-	    # g++ 2.7 appears to require `-G' NOT `-shared' on this
-	    # platform.
-	    archive_cmds_CXX='$CC -G -nostdlib $LDFLAGS $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-h $wl$soname -o $lib'
-	    archive_expsym_cmds_CXX='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
-		$CC -G -nostdlib ${wl}-M $wl$lib.exp -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~$rm $lib.exp'
-
-	    # Commands to make compiler produce verbose output that lists
-	    # what "hidden" libraries, object files and flags are used when
-	    # linking a shared library.
-	    output_verbose_link_cmd="$CC -G $CFLAGS -v conftest.$objext 2>&1 | grep \"\-L\""
-	  fi
+  esac
+  shlibpath_var=LD_LIBRARY${shlibsuff}_PATH
+  shlibpath_overrides_runpath=no
+  sys_lib_search_path_spec="/usr/lib${libsuff} /lib${libsuff} /usr/local/lib${libsuff}"
+  sys_lib_dlsearch_path_spec="/usr/lib${libsuff} /lib${libsuff}"
+  hardcode_into_libs=yes
+  ;;
 
-	  hardcode_libdir_flag_spec_CXX='${wl}-R $wl$libdir'
-	  case $host_os in
-	  solaris2.[0-5] | solaris2.[0-5].*) ;;
-	  *)
-	    whole_archive_flag_spec_CXX='${wl}-z ${wl}allextract$convenience ${wl}-z ${wl}defaultextract'
-	    ;;
-	  esac
-	fi
-	;;
-    esac
-    ;;
-  sysv4*uw2* | sysv5OpenUNIX* | sysv5UnixWare7.[01].[10]* | unixware7* | sco3.2v5.0.[024]*)
-    no_undefined_flag_CXX='${wl}-z,text'
-    archive_cmds_need_lc_CXX=no
-    hardcode_shlibpath_var_CXX=no
-    runpath_var='LD_RUN_PATH'
-
-    case $cc_basename in
-      CC*)
-	archive_cmds_CXX='$CC -G ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
-	archive_expsym_cmds_CXX='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
-	;;
-      *)
-	archive_cmds_CXX='$CC -shared ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
-	archive_expsym_cmds_CXX='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
-	;;
-    esac
-    ;;
-  sysv5* | sco3.2v5* | sco5v6*)
-    # Note: We can NOT use -z defs as we might desire, because we do not
-    # link with -lc, and that would cause any symbols used from libc to
-    # always be unresolved, which means just about no library would
-    # ever link correctly.  If we're not using GNU ld we use -z text
-    # though, which does catch some bad symbols but isn't as heavy-handed
-    # as -z defs.
-    # For security reasons, it is highly recommended that you always
-    # use absolute paths for naming shared libraries, and exclude the
-    # DT_RUNPATH tag from executables and libraries.  But doing so
-    # requires that you compile everything twice, which is a pain.
-    # So that behaviour is only enabled if SCOABSPATH is set to a
-    # non-empty value in the environment.  Most likely only useful for
-    # creating official distributions of packages.
-    # This is a hack until libtool officially supports absolute path
-    # names for shared libraries.
-    no_undefined_flag_CXX='${wl}-z,text'
-    allow_undefined_flag_CXX='${wl}-z,nodefs'
-    archive_cmds_need_lc_CXX=no
-    hardcode_shlibpath_var_CXX=no
-    hardcode_libdir_flag_spec_CXX='`test -z "$SCOABSPATH" && echo ${wl}-R,$libdir`'
-    hardcode_libdir_separator_CXX=':'
-    link_all_deplibs_CXX=yes
-    export_dynamic_flag_spec_CXX='${wl}-Bexport'
-    runpath_var='LD_RUN_PATH'
-
-    case $cc_basename in
-      CC*)
-	archive_cmds_CXX='$CC -G ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
-	archive_expsym_cmds_CXX='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
-	;;
-      *)
-	archive_cmds_CXX='$CC -shared ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
-	archive_expsym_cmds_CXX='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
-	;;
-    esac
-    ;;
-  tandem*)
-    case $cc_basename in
-      NCC*)
-	# NonStop-UX NCC 3.20
-	# FIXME: insert proper C++ library support
-	ld_shlibs_CXX=no
-	;;
-      *)
-	# FIXME: insert proper C++ library support
-	ld_shlibs_CXX=no
-	;;
-    esac
-    ;;
-  vxworks*)
-    # FIXME: insert proper C++ library support
-    ld_shlibs_CXX=no
-    ;;
-  *)
-    # FIXME: insert proper C++ library support
-    ld_shlibs_CXX=no
-    ;;
-esac
-{ echo "$as_me:$LINENO: result: $ld_shlibs_CXX" >&5
-echo "${ECHO_T}$ld_shlibs_CXX" >&6; }
-test "$ld_shlibs_CXX" = no && can_build_shared=no
+# No shared lib support for Linux oldld, aout, or coff.
+linux*oldld* | linux*aout* | linux*coff*)
+  dynamic_linker=no
+  ;;
 
-GCC_CXX="$GXX"
-LD_CXX="$LD"
+# This must be Linux ELF.
+linux* | k*bsd*-gnu)
+  version_type=linux
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  finish_cmds='PATH="\$PATH:/sbin" ldconfig -n $libdir'
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=no
+  # Some binutils ld are patched to set DT_RUNPATH
+  save_LDFLAGS=$LDFLAGS
+  save_libdir=$libdir
+  eval "libdir=/foo; wl=\"$lt_prog_compiler_wl\"; \
+       LDFLAGS=\"\$LDFLAGS $hardcode_libdir_flag_spec\""
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
 
-cat > conftest.$ac_ext <<EOF
-class Foo
+int
+main ()
 {
-public:
-  Foo (void) { a = 0; }
-private:
-  int a;
-};
-EOF
 
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>&5
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; then
-  # Parse the compiler output and extract the necessary
-  # objects, libraries and library flags.
-
-  # Sentinel used to keep track of whether or not we are before
-  # the conftest object file.
-  pre_test_object_deps_done=no
-
-  # The `*' in the case matches for architectures that use `case' in
-  # $output_verbose_cmd can trigger glob expansion during the loop
-  # eval without this substitution.
-  output_verbose_link_cmd=`$echo "X$output_verbose_link_cmd" | $Xsed -e "$no_glob_subst"`
-
-  for p in `eval $output_verbose_link_cmd`; do
-    case $p in
-
-    -L* | -R* | -l*)
-       # Some compilers place space between "-{L,R}" and the path.
-       # Remove the space.
-       if test $p = "-L" \
-	  || test $p = "-R"; then
-	 prev=$p
-	 continue
-       else
-	 prev=
-       fi
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+  if  ($OBJDUMP -p conftest$ac_exeext) 2>/dev/null | grep "RUNPATH.*$libdir" >/dev/null; then
+  shlibpath_overrides_runpath=yes
+fi
 
-       if test "$pre_test_object_deps_done" = no; then
-	 case $p in
-	 -L* | -R*)
-	   # Internal compiler library paths should come after those
-	   # provided the user.  The postdeps already come after the
-	   # user supplied libs so there is no need to process them.
-	   if test -z "$compiler_lib_search_path_CXX"; then
-	     compiler_lib_search_path_CXX="${prev}${p}"
-	   else
-	     compiler_lib_search_path_CXX="${compiler_lib_search_path_CXX} ${prev}${p}"
-	   fi
-	   ;;
-	 # The "-l" case would never come before the object being
-	 # linked, so don't bother handling this case.
-	 esac
-       else
-	 if test -z "$postdeps_CXX"; then
-	   postdeps_CXX="${prev}${p}"
-	 else
-	   postdeps_CXX="${postdeps_CXX} ${prev}${p}"
-	 fi
-       fi
-       ;;
-
-    *.$objext)
-       # This assumes that the test object file only shows up
-       # once in the compiler output.
-       if test "$p" = "conftest.$objext"; then
-	 pre_test_object_deps_done=yes
-	 continue
-       fi
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
 
-       if test "$pre_test_object_deps_done" = no; then
-	 if test -z "$predep_objects_CXX"; then
-	   predep_objects_CXX="$p"
-	 else
-	   predep_objects_CXX="$predep_objects_CXX $p"
-	 fi
-       else
-	 if test -z "$postdep_objects_CXX"; then
-	   postdep_objects_CXX="$p"
-	 else
-	   postdep_objects_CXX="$postdep_objects_CXX $p"
-	 fi
-       fi
-       ;;
 
-    *) ;; # Ignore the rest.
+fi
 
-    esac
-  done
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+  LDFLAGS=$save_LDFLAGS
+  libdir=$save_libdir
 
-  # Clean up.
-  rm -f a.out a.exe
-else
-  echo "libtool.m4: error: problem compiling CXX test program"
-fi
+  # This implies no fast_install, which is unacceptable.
+  # Some rework will be needed to allow for fast_install
+  # before this can be enabled.
+  hardcode_into_libs=yes
 
-$rm -f confest.$objext
+  # Append ld.so.conf contents to the search path
+  if test -f /etc/ld.so.conf; then
+    lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[	 ]*hwcap[	 ]/d;s/[:,	]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;/^$/d' | tr '\n' ' '`
+    sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
+  fi
 
-compiler_lib_search_dirs_CXX=
-if test -n "$compiler_lib_search_path_CXX"; then
-  compiler_lib_search_dirs_CXX=`echo " ${compiler_lib_search_path_CXX}" | ${SED} -e 's! -L! !g' -e 's!^ !!'`
-fi
+  # We used to test for /lib/ld.so.1 and disable shared libraries on
+  # powerpc, because MkLinux only supported shared libraries with the
+  # GNU dynamic linker.  Since this was broken with cross compilers,
+  # most powerpc-linux boxes support dynamic linking these days and
+  # people can always --disable-shared, the test was removed, and we
+  # assume the GNU/Linux dynamic linker is in use.
+  dynamic_linker='GNU/Linux ld.so'
+  ;;
 
-# PORTME: override above test on systems where it is broken
-case $host_os in
-interix[3-9]*)
-  # Interix 3.5 installs completely hosed .la files for C++, so rather than
-  # hack all around it, let's just trust "g++" to DTRT.
-  predep_objects_CXX=
-  postdep_objects_CXX=
-  postdeps_CXX=
+netbsdelf*-gnu)
+  version_type=linux
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=no
+  hardcode_into_libs=yes
+  dynamic_linker='NetBSD ld.elf_so'
   ;;
 
-linux*)
-  case `$CC -V 2>&1 | sed 5q` in
-  *Sun\ C*)
-    # Sun C++ 5.9
-    #
-    # The more standards-conforming stlport4 library is
-    # incompatible with the Cstd library. Avoid specifying
-    # it if it's in CXXFLAGS. Ignore libCrun as
-    # -library=stlport4 depends on it.
-    case " $CXX $CXXFLAGS " in
-    *" -library=stlport4 "*)
-      solaris_use_stlport4=yes
-      ;;
-    esac
-    if test "$solaris_use_stlport4" != yes; then
-      postdeps_CXX='-library=Cstd -library=Crun'
-    fi
-    ;;
-  esac
+netbsd*)
+  version_type=sunos
+  need_lib_prefix=no
+  need_version=no
+  if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then
+    library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
+    finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
+    dynamic_linker='NetBSD (a.out) ld.so'
+  else
+    library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
+    soname_spec='${libname}${release}${shared_ext}$major'
+    dynamic_linker='NetBSD ld.elf_so'
+  fi
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=yes
+  hardcode_into_libs=yes
   ;;
 
-solaris*)
-  case $cc_basename in
-  CC*)
-    # The more standards-conforming stlport4 library is
-    # incompatible with the Cstd library. Avoid specifying
-    # it if it's in CXXFLAGS. Ignore libCrun as
-    # -library=stlport4 depends on it.
-    case " $CXX $CXXFLAGS " in
-    *" -library=stlport4 "*)
-      solaris_use_stlport4=yes
-      ;;
-    esac
+newsos6)
+  version_type=linux
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=yes
+  ;;
 
-    # Adding this requires a known-good setup of shared libraries for
-    # Sun compiler versions before 5.6, else PIC objects from an old
-    # archive will be linked into the output, leading to subtle bugs.
-    if test "$solaris_use_stlport4" != yes; then
-      postdeps_CXX='-library=Cstd -library=Crun'
-    fi
-    ;;
-  esac
+*nto* | *qnx*)
+  version_type=qnx
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=no
+  hardcode_into_libs=yes
+  dynamic_linker='ldqnx.so'
   ;;
-esac
 
-case " $postdeps_CXX " in
-*" -lc "*) archive_cmds_need_lc_CXX=no ;;
-esac
+openbsd*)
+  version_type=sunos
+  sys_lib_dlsearch_path_spec="/usr/lib"
+  need_lib_prefix=no
+  # Some older versions of OpenBSD (3.3 at least) *do* need versioned libs.
+  case $host_os in
+    openbsd3.3 | openbsd3.3.*)	need_version=yes ;;
+    *)				need_version=no  ;;
+  esac
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
+  finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
+  shlibpath_var=LD_LIBRARY_PATH
+  if test -z "`echo __ELF__ | $CC -E - | $GREP __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
+    case $host_os in
+      openbsd2.[89] | openbsd2.[89].*)
+	shlibpath_overrides_runpath=no
+	;;
+      *)
+	shlibpath_overrides_runpath=yes
+	;;
+      esac
+  else
+    shlibpath_overrides_runpath=yes
+  fi
+  ;;
 
-lt_prog_compiler_wl_CXX=
-lt_prog_compiler_pic_CXX=
-lt_prog_compiler_static_CXX=
+os2*)
+  libname_spec='$name'
+  shrext_cmds=".dll"
+  need_lib_prefix=no
+  library_names_spec='$libname${shared_ext} $libname.a'
+  dynamic_linker='OS/2 ld.exe'
+  shlibpath_var=LIBPATH
+  ;;
 
-{ echo "$as_me:$LINENO: checking for $compiler option to produce PIC" >&5
-echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6; }
+osf3* | osf4* | osf5*)
+  version_type=osf
+  need_lib_prefix=no
+  need_version=no
+  soname_spec='${libname}${release}${shared_ext}$major'
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+  shlibpath_var=LD_LIBRARY_PATH
+  sys_lib_search_path_spec="/usr/shlib /usr/ccs/lib /usr/lib/cmplrs/cc /usr/lib /usr/local/lib /var/shlib"
+  sys_lib_dlsearch_path_spec="$sys_lib_search_path_spec"
+  ;;
 
-  # C++ specific cases for pic, static, wl, etc.
-  if test "$GXX" = yes; then
-    lt_prog_compiler_wl_CXX='-Wl,'
-    lt_prog_compiler_static_CXX='-static'
+rdos*)
+  dynamic_linker=no
+  ;;
 
-    case $host_os in
-    aix*)
-      # All AIX code is PIC.
-      if test "$host_cpu" = ia64; then
-	# AIX 5 now supports IA64 processor
-	lt_prog_compiler_static_CXX='-Bstatic'
-      fi
-      ;;
-    amigaos*)
-      # FIXME: we need at least 68020 code to build shared libraries, but
-      # adding the `-m68020' flag to GCC prevents building anything better,
-      # like `-m68040'.
-      lt_prog_compiler_pic_CXX='-m68020 -resident32 -malways-restore-a4'
-      ;;
-    beos* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*)
-      # PIC is the default for these OSes.
-      ;;
-    mingw* | cygwin* | os2* | pw32*)
-      # This hack is so that the source file can tell whether it is being
-      # built for inclusion in a dll (and should export symbols for example).
-      # Although the cygwin gcc ignores -fPIC, still need this for old-style
-      # (--disable-auto-import) libraries
-      lt_prog_compiler_pic_CXX='-DDLL_EXPORT'
-      ;;
-    darwin* | rhapsody*)
-      # PIC is the default on this platform
-      # Common symbols not allowed in MH_DYLIB files
-      lt_prog_compiler_pic_CXX='-fno-common'
-      ;;
-    *djgpp*)
-      # DJGPP does not support shared libraries at all
-      lt_prog_compiler_pic_CXX=
-      ;;
-    interix[3-9]*)
-      # Interix 3.x gcc -fpic/-fPIC options generate broken code.
-      # Instead, we relocate shared libraries at runtime.
-      ;;
-    sysv4*MP*)
-      if test -d /usr/nec; then
-	lt_prog_compiler_pic_CXX=-Kconform_pic
-      fi
+solaris*)
+  version_type=linux
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=yes
+  hardcode_into_libs=yes
+  # ldd complains unless libraries are executable
+  postinstall_cmds='chmod +x $lib'
+  ;;
+
+sunos4*)
+  version_type=sunos
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
+  finish_cmds='PATH="\$PATH:/usr/etc" ldconfig $libdir'
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=yes
+  if test "$with_gnu_ld" = yes; then
+    need_lib_prefix=no
+  fi
+  need_version=yes
+  ;;
+
+sysv4 | sysv4.3*)
+  version_type=linux
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  shlibpath_var=LD_LIBRARY_PATH
+  case $host_vendor in
+    sni)
+      shlibpath_overrides_runpath=no
+      need_lib_prefix=no
+      runpath_var=LD_RUN_PATH
       ;;
-    hpux*)
-      # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but
-      # not for PA HP-UX.
-      case $host_cpu in
-      hppa*64*|ia64*)
-	;;
-      *)
-	lt_prog_compiler_pic_CXX='-fPIC'
-	;;
-      esac
+    siemens)
+      need_lib_prefix=no
       ;;
-    *)
-      lt_prog_compiler_pic_CXX='-fPIC'
+    motorola)
+      need_lib_prefix=no
+      need_version=no
+      shlibpath_overrides_runpath=no
+      sys_lib_search_path_spec='/lib /usr/lib /usr/ccs/lib'
       ;;
-    esac
+  esac
+  ;;
+
+sysv4*MP*)
+  if test -d /usr/nec ;then
+    version_type=linux
+    library_names_spec='$libname${shared_ext}.$versuffix $libname${shared_ext}.$major $libname${shared_ext}'
+    soname_spec='$libname${shared_ext}.$major'
+    shlibpath_var=LD_LIBRARY_PATH
+  fi
+  ;;
+
+sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX* | sysv4*uw2*)
+  version_type=freebsd-elf
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext} $libname${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=yes
+  hardcode_into_libs=yes
+  if test "$with_gnu_ld" = yes; then
+    sys_lib_search_path_spec='/usr/local/lib /usr/gnu/lib /usr/ccs/lib /usr/lib /lib'
   else
+    sys_lib_search_path_spec='/usr/ccs/lib /usr/lib'
     case $host_os in
-      aix[4-9]*)
-	# All AIX code is PIC.
-	if test "$host_cpu" = ia64; then
-	  # AIX 5 now supports IA64 processor
-	  lt_prog_compiler_static_CXX='-Bstatic'
-	else
-	  lt_prog_compiler_static_CXX='-bnso -bI:/lib/syscalls.exp'
-	fi
-	;;
-      chorus*)
-	case $cc_basename in
-	cxch68*)
-	  # Green Hills C++ Compiler
-	  # _LT_AC_TAGVAR(lt_prog_compiler_static, CXX)="--no_auto_instantiation -u __main -u __premain -u _abort -r $COOL_DIR/lib/libOrb.a $MVME_DIR/lib/CC/libC.a $MVME_DIR/lib/classix/libcx.s.a"
-	  ;;
-	esac
-	;;
-       darwin*)
-         # PIC is the default on this platform
-         # Common symbols not allowed in MH_DYLIB files
-         case $cc_basename in
-           xlc*)
-           lt_prog_compiler_pic_CXX='-qnocommon'
-           lt_prog_compiler_wl_CXX='-Wl,'
-           ;;
-         esac
-       ;;
-      dgux*)
-	case $cc_basename in
-	  ec++*)
-	    lt_prog_compiler_pic_CXX='-KPIC'
-	    ;;
-	  ghcx*)
-	    # Green Hills C++ Compiler
-	    lt_prog_compiler_pic_CXX='-pic'
-	    ;;
-	  *)
-	    ;;
-	esac
-	;;
-      freebsd* | dragonfly*)
-	# FreeBSD uses GNU C++
-	;;
-      hpux9* | hpux10* | hpux11*)
-	case $cc_basename in
-	  CC*)
-	    lt_prog_compiler_wl_CXX='-Wl,'
-	    lt_prog_compiler_static_CXX='${wl}-a ${wl}archive'
-	    if test "$host_cpu" != ia64; then
-	      lt_prog_compiler_pic_CXX='+Z'
-	    fi
-	    ;;
-	  aCC*)
-	    lt_prog_compiler_wl_CXX='-Wl,'
-	    lt_prog_compiler_static_CXX='${wl}-a ${wl}archive'
-	    case $host_cpu in
-	    hppa*64*|ia64*)
-	      # +Z the default
-	      ;;
-	    *)
-	      lt_prog_compiler_pic_CXX='+Z'
-	      ;;
-	    esac
-	    ;;
-	  *)
-	    ;;
-	esac
-	;;
-      interix*)
-	# This is c89, which is MS Visual C++ (no shared libs)
-	# Anyone wants to do a port?
-	;;
-      irix5* | irix6* | nonstopux*)
-	case $cc_basename in
-	  CC*)
-	    lt_prog_compiler_wl_CXX='-Wl,'
-	    lt_prog_compiler_static_CXX='-non_shared'
-	    # CC pic flag -KPIC is the default.
-	    ;;
-	  *)
-	    ;;
-	esac
-	;;
-      linux* | k*bsd*-gnu)
-	case $cc_basename in
-	  KCC*)
-	    # KAI C++ Compiler
-	    lt_prog_compiler_wl_CXX='--backend -Wl,'
-	    lt_prog_compiler_pic_CXX='-fPIC'
-	    ;;
-	  icpc* | ecpc*)
-	    # Intel C++
-	    lt_prog_compiler_wl_CXX='-Wl,'
-	    lt_prog_compiler_pic_CXX='-KPIC'
-	    lt_prog_compiler_static_CXX='-static'
-	    ;;
-	  pgCC* | pgcpp*)
-	    # Portland Group C++ compiler.
-	    lt_prog_compiler_wl_CXX='-Wl,'
-	    lt_prog_compiler_pic_CXX='-fpic'
-	    lt_prog_compiler_static_CXX='-Bstatic'
-	    ;;
-	  cxx*)
-	    # Compaq C++
-	    # Make sure the PIC flag is empty.  It appears that all Alpha
-	    # Linux and Compaq Tru64 Unix objects are PIC.
-	    lt_prog_compiler_pic_CXX=
-	    lt_prog_compiler_static_CXX='-non_shared'
-	    ;;
-	  *)
-	    case `$CC -V 2>&1 | sed 5q` in
-	    *Sun\ C*)
-	      # Sun C++ 5.9
-	      lt_prog_compiler_pic_CXX='-KPIC'
-	      lt_prog_compiler_static_CXX='-Bstatic'
-	      lt_prog_compiler_wl_CXX='-Qoption ld '
-	      ;;
-	    esac
-	    ;;
-	esac
-	;;
-      lynxos*)
-	;;
-      m88k*)
-	;;
-      mvs*)
-	case $cc_basename in
-	  cxx*)
-	    lt_prog_compiler_pic_CXX='-W c,exportall'
-	    ;;
-	  *)
-	    ;;
-	esac
-	;;
-      netbsd* | netbsdelf*-gnu)
-	;;
-      osf3* | osf4* | osf5*)
-	case $cc_basename in
-	  KCC*)
-	    lt_prog_compiler_wl_CXX='--backend -Wl,'
-	    ;;
-	  RCC*)
-	    # Rational C++ 2.4.1
-	    lt_prog_compiler_pic_CXX='-pic'
-	    ;;
-	  cxx*)
-	    # Digital/Compaq C++
-	    lt_prog_compiler_wl_CXX='-Wl,'
-	    # Make sure the PIC flag is empty.  It appears that all Alpha
-	    # Linux and Compaq Tru64 Unix objects are PIC.
-	    lt_prog_compiler_pic_CXX=
-	    lt_prog_compiler_static_CXX='-non_shared'
-	    ;;
-	  *)
-	    ;;
-	esac
-	;;
-      psos*)
-	;;
-      solaris*)
-	case $cc_basename in
-	  CC*)
-	    # Sun C++ 4.2, 5.x and Centerline C++
-	    lt_prog_compiler_pic_CXX='-KPIC'
-	    lt_prog_compiler_static_CXX='-Bstatic'
-	    lt_prog_compiler_wl_CXX='-Qoption ld '
-	    ;;
-	  gcx*)
-	    # Green Hills C++ Compiler
-	    lt_prog_compiler_pic_CXX='-PIC'
-	    ;;
-	  *)
-	    ;;
-	esac
-	;;
-      sunos4*)
-	case $cc_basename in
-	  CC*)
-	    # Sun C++ 4.x
-	    lt_prog_compiler_pic_CXX='-pic'
-	    lt_prog_compiler_static_CXX='-Bstatic'
-	    ;;
-	  lcc*)
-	    # Lucid
-	    lt_prog_compiler_pic_CXX='-pic'
-	    ;;
-	  *)
-	    ;;
-	esac
-	;;
-      tandem*)
-	case $cc_basename in
-	  NCC*)
-	    # NonStop-UX NCC 3.20
-	    lt_prog_compiler_pic_CXX='-KPIC'
-	    ;;
-	  *)
-	    ;;
-	esac
-	;;
-      sysv5* | unixware* | sco3.2v5* | sco5v6* | OpenUNIX*)
-	case $cc_basename in
-	  CC*)
-	    lt_prog_compiler_wl_CXX='-Wl,'
-	    lt_prog_compiler_pic_CXX='-KPIC'
-	    lt_prog_compiler_static_CXX='-Bstatic'
-	    ;;
-	esac
-	;;
-      vxworks*)
-	;;
-      *)
-	lt_prog_compiler_can_build_shared_CXX=no
+      sco3.2v5*)
+        sys_lib_search_path_spec="$sys_lib_search_path_spec /lib"
 	;;
     esac
   fi
+  sys_lib_dlsearch_path_spec='/usr/lib'
+  ;;
 
-{ echo "$as_me:$LINENO: result: $lt_prog_compiler_pic_CXX" >&5
-echo "${ECHO_T}$lt_prog_compiler_pic_CXX" >&6; }
+tpf*)
+  # TPF is a cross-target only.  Preferred cross-host = GNU/Linux.
+  version_type=linux
+  need_lib_prefix=no
+  need_version=no
+  library_name_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=no
+  hardcode_into_libs=yes
+  ;;
 
-#
-# Check to make sure the PIC flag actually works.
-#
-if test -n "$lt_prog_compiler_pic_CXX"; then
+uts4*)
+  version_type=linux
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  shlibpath_var=LD_LIBRARY_PATH
+  ;;
 
-{ echo "$as_me:$LINENO: checking if $compiler PIC flag $lt_prog_compiler_pic_CXX works" >&5
-echo $ECHO_N "checking if $compiler PIC flag $lt_prog_compiler_pic_CXX works... $ECHO_C" >&6; }
-if test "${lt_cv_prog_compiler_pic_works_CXX+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  lt_cv_prog_compiler_pic_works_CXX=no
-  ac_outfile=conftest.$ac_objext
-   echo "$lt_simple_compile_test_code" > conftest.$ac_ext
-   lt_compiler_flag="$lt_prog_compiler_pic_CXX -DPIC"
-   # Insert the option either (1) after the last *FLAGS variable, or
-   # (2) before a word containing "conftest.", or (3) at the end.
-   # Note that $ac_compile itself does not contain backslashes and begins
-   # with a dollar sign (not a hyphen), so the echo should work correctly.
-   # The option is referenced via a variable to avoid confusing sed.
-   lt_compile=`echo "$ac_compile" | $SED \
-   -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-   -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-   -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:14271: $lt_compile\"" >&5)
-   (eval "$lt_compile" 2>conftest.err)
-   ac_status=$?
-   cat conftest.err >&5
-   echo "$as_me:14275: \$? = $ac_status" >&5
-   if (exit $ac_status) && test -s "$ac_outfile"; then
-     # The compiler can only warn and ignore the option if not recognized
-     # So say no if there are warnings other than the usual output.
-     $echo "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' >conftest.exp
-     $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2
-     if test ! -s conftest.er2 || diff conftest.exp conftest.er2 >/dev/null; then
-       lt_cv_prog_compiler_pic_works_CXX=yes
-     fi
-   fi
-   $rm conftest*
+*)
+  dynamic_linker=no
+  ;;
+esac
+{ echo "$as_me:$LINENO: result: $dynamic_linker" >&5
+echo "${ECHO_T}$dynamic_linker" >&6; }
+test "$dynamic_linker" = no && can_build_shared=no
 
+variables_saved_for_relink="PATH $shlibpath_var $runpath_var"
+if test "$GCC" = yes; then
+  variables_saved_for_relink="$variables_saved_for_relink GCC_EXEC_PREFIX COMPILER_PATH LIBRARY_PATH"
 fi
-{ echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_pic_works_CXX" >&5
-echo "${ECHO_T}$lt_cv_prog_compiler_pic_works_CXX" >&6; }
 
-if test x"$lt_cv_prog_compiler_pic_works_CXX" = xyes; then
-    case $lt_prog_compiler_pic_CXX in
-     "" | " "*) ;;
-     *) lt_prog_compiler_pic_CXX=" $lt_prog_compiler_pic_CXX" ;;
-     esac
-else
-    lt_prog_compiler_pic_CXX=
-     lt_prog_compiler_can_build_shared_CXX=no
+if test "${lt_cv_sys_lib_search_path_spec+set}" = set; then
+  sys_lib_search_path_spec="$lt_cv_sys_lib_search_path_spec"
 fi
-
+if test "${lt_cv_sys_lib_dlsearch_path_spec+set}" = set; then
+  sys_lib_dlsearch_path_spec="$lt_cv_sys_lib_dlsearch_path_spec"
 fi
-case $host_os in
-  # For platforms which do not support PIC, -DPIC is meaningless:
-  *djgpp*)
-    lt_prog_compiler_pic_CXX=
-    ;;
-  *)
-    lt_prog_compiler_pic_CXX="$lt_prog_compiler_pic_CXX -DPIC"
-    ;;
-esac
 
-#
-# Check to make sure the static flag actually works.
-#
-wl=$lt_prog_compiler_wl_CXX eval lt_tmp_static_flag=\"$lt_prog_compiler_static_CXX\"
-{ echo "$as_me:$LINENO: checking if $compiler static flag $lt_tmp_static_flag works" >&5
-echo $ECHO_N "checking if $compiler static flag $lt_tmp_static_flag works... $ECHO_C" >&6; }
-if test "${lt_cv_prog_compiler_static_works_CXX+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  lt_cv_prog_compiler_static_works_CXX=no
-   save_LDFLAGS="$LDFLAGS"
-   LDFLAGS="$LDFLAGS $lt_tmp_static_flag"
-   echo "$lt_simple_link_test_code" > conftest.$ac_ext
-   if (eval $ac_link 2>conftest.err) && test -s conftest$ac_exeext; then
-     # The linker can only warn and ignore the option if not recognized
-     # So say no if there are warnings
-     if test -s conftest.err; then
-       # Append any errors to the config.log.
-       cat conftest.err 1>&5
-       $echo "X$_lt_linker_boilerplate" | $Xsed -e '/^$/d' > conftest.exp
-       $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2
-       if diff conftest.exp conftest.er2 >/dev/null; then
-         lt_cv_prog_compiler_static_works_CXX=yes
-       fi
-     else
-       lt_cv_prog_compiler_static_works_CXX=yes
-     fi
-   fi
-   $rm -r conftest*
-   LDFLAGS="$save_LDFLAGS"
 
-fi
-{ echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_static_works_CXX" >&5
-echo "${ECHO_T}$lt_cv_prog_compiler_static_works_CXX" >&6; }
 
-if test x"$lt_cv_prog_compiler_static_works_CXX" = xyes; then
-    :
-else
-    lt_prog_compiler_static_CXX=
-fi
 
 
-{ echo "$as_me:$LINENO: checking if $compiler supports -c -o file.$ac_objext" >&5
-echo $ECHO_N "checking if $compiler supports -c -o file.$ac_objext... $ECHO_C" >&6; }
-if test "${lt_cv_prog_compiler_c_o_CXX+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  lt_cv_prog_compiler_c_o_CXX=no
-   $rm -r conftest 2>/dev/null
-   mkdir conftest
-   cd conftest
-   mkdir out
-   echo "$lt_simple_compile_test_code" > conftest.$ac_ext
 
-   lt_compiler_flag="-o out/conftest2.$ac_objext"
-   # Insert the option either (1) after the last *FLAGS variable, or
-   # (2) before a word containing "conftest.", or (3) at the end.
-   # Note that $ac_compile itself does not contain backslashes and begins
-   # with a dollar sign (not a hyphen), so the echo should work correctly.
-   lt_compile=`echo "$ac_compile" | $SED \
-   -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-   -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-   -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:14375: $lt_compile\"" >&5)
-   (eval "$lt_compile" 2>out/conftest.err)
-   ac_status=$?
-   cat out/conftest.err >&5
-   echo "$as_me:14379: \$? = $ac_status" >&5
-   if (exit $ac_status) && test -s out/conftest2.$ac_objext
-   then
-     # The compiler can only warn and ignore the option if not recognized
-     # So say no if there are warnings
-     $echo "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' > out/conftest.exp
-     $SED '/^$/d; /^ *+/d' out/conftest.err >out/conftest.er2
-     if test ! -s out/conftest.er2 || diff out/conftest.exp out/conftest.er2 >/dev/null; then
-       lt_cv_prog_compiler_c_o_CXX=yes
-     fi
-   fi
-   chmod u+w . 2>&5
-   $rm conftest*
-   # SGI C++ compiler will create directory out/ii_files/ for
-   # template instantiation
-   test -d out/ii_files && $rm out/ii_files/* && rmdir out/ii_files
-   $rm out/* && rmdir out
-   cd ..
-   rmdir conftest
-   $rm conftest*
 
-fi
-{ echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_c_o_CXX" >&5
-echo "${ECHO_T}$lt_cv_prog_compiler_c_o_CXX" >&6; }
 
 
-hard_links="nottested"
-if test "$lt_cv_prog_compiler_c_o_CXX" = no && test "$need_locks" != no; then
-  # do not overwrite the value of need_locks provided by the user
-  { echo "$as_me:$LINENO: checking if we can lock with hard links" >&5
-echo $ECHO_N "checking if we can lock with hard links... $ECHO_C" >&6; }
-  hard_links=yes
-  $rm conftest*
-  ln conftest.a conftest.b 2>/dev/null && hard_links=no
-  touch conftest.a
-  ln conftest.a conftest.b 2>&5 || hard_links=no
-  ln conftest.a conftest.b 2>/dev/null && hard_links=no
-  { echo "$as_me:$LINENO: result: $hard_links" >&5
-echo "${ECHO_T}$hard_links" >&6; }
-  if test "$hard_links" = no; then
-    { echo "$as_me:$LINENO: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&5
-echo "$as_me: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&2;}
-    need_locks=warn
-  fi
-else
-  need_locks=no
-fi
 
-{ echo "$as_me:$LINENO: checking whether the $compiler linker ($LD) supports shared libraries" >&5
-echo $ECHO_N "checking whether the $compiler linker ($LD) supports shared libraries... $ECHO_C" >&6; }
 
-  export_symbols_cmds_CXX='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols'
-  case $host_os in
-  aix[4-9]*)
-    # If we're using GNU nm, then we don't want the "-C" option.
-    # -C means demangle to AIX nm, but means don't demangle with GNU nm
-    if $NM -V 2>&1 | grep 'GNU' > /dev/null; then
-      export_symbols_cmds_CXX='$NM -Bpg $libobjs $convenience | awk '\''{ if (((\$2 == "T") || (\$2 == "D") || (\$2 == "B")) && (substr(\$3,1,1) != ".")) { print \$3 } }'\'' | sort -u > $export_symbols'
-    else
-      export_symbols_cmds_CXX='$NM -BCpg $libobjs $convenience | awk '\''{ if (((\$2 == "T") || (\$2 == "D") || (\$2 == "B")) && (substr(\$3,1,1) != ".")) { print \$3 } }'\'' | sort -u > $export_symbols'
-    fi
-    ;;
-  pw32*)
-    export_symbols_cmds_CXX="$ltdll_cmds"
-  ;;
-  cygwin* | mingw*)
-    export_symbols_cmds_CXX='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[BCDGRS][ ]/s/.*[ ]\([^ ]*\)/\1 DATA/;/^.*[ ]__nm__/s/^.*[ ]__nm__\([^ ]*\)[ ][^ ]*/\1 DATA/;/^I[ ]/d;/^[AITW][ ]/s/.*[ ]//'\'' | sort | uniq > $export_symbols'
-  ;;
-  linux* | k*bsd*-gnu)
-    link_all_deplibs_CXX=no
-  ;;
-  *)
-    export_symbols_cmds_CXX='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols'
-  ;;
-  esac
-  exclude_expsyms_CXX='_GLOBAL_OFFSET_TABLE_|_GLOBAL__F[ID]_.*'
 
-{ echo "$as_me:$LINENO: result: $ld_shlibs_CXX" >&5
-echo "${ECHO_T}$ld_shlibs_CXX" >&6; }
-test "$ld_shlibs_CXX" = no && can_build_shared=no
 
-#
-# Do we need to explicitly link libc?
-#
-case "x$archive_cmds_need_lc_CXX" in
-x|xyes)
-  # Assume -lc should be added
-  archive_cmds_need_lc_CXX=yes
 
-  if test "$enable_shared" = yes && test "$GCC" = yes; then
-    case $archive_cmds_CXX in
-    *'~'*)
-      # FIXME: we may have to deal with multi-command sequences.
-      ;;
-    '$CC '*)
-      # Test whether the compiler implicitly links with -lc since on some
-      # systems, -lgcc has to come before -lc. If gcc already passes -lc
-      # to ld, don't add -lc before -lgcc.
-      { echo "$as_me:$LINENO: checking whether -lc should be explicitly linked in" >&5
-echo $ECHO_N "checking whether -lc should be explicitly linked in... $ECHO_C" >&6; }
-      $rm conftest*
-      echo "$lt_simple_compile_test_code" > conftest.$ac_ext
 
-      if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } 2>conftest.err; then
-        soname=conftest
-        lib=conftest
-        libobjs=conftest.$ac_objext
-        deplibs=
-        wl=$lt_prog_compiler_wl_CXX
-	pic_flag=$lt_prog_compiler_pic_CXX
-        compiler_flags=-v
-        linker_flags=-v
-        verstring=
-        output_objdir=.
-        libname=conftest
-        lt_save_allow_undefined_flag=$allow_undefined_flag_CXX
-        allow_undefined_flag_CXX=
-        if { (eval echo "$as_me:$LINENO: \"$archive_cmds_CXX 2\>\&1 \| grep \" -lc \" \>/dev/null 2\>\&1\"") >&5
-  (eval $archive_cmds_CXX 2\>\&1 \| grep \" -lc \" \>/dev/null 2\>\&1) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }
-        then
-	  archive_cmds_need_lc_CXX=no
-        else
-	  archive_cmds_need_lc_CXX=yes
-        fi
-        allow_undefined_flag_CXX=$lt_save_allow_undefined_flag
-      else
-        cat conftest.err 1>&5
-      fi
-      $rm conftest*
-      { echo "$as_me:$LINENO: result: $archive_cmds_need_lc_CXX" >&5
-echo "${ECHO_T}$archive_cmds_need_lc_CXX" >&6; }
-      ;;
-    esac
-  fi
-  ;;
-esac
 
-{ echo "$as_me:$LINENO: checking dynamic linker characteristics" >&5
-echo $ECHO_N "checking dynamic linker characteristics... $ECHO_C" >&6; }
-library_names_spec=
-libname_spec='lib$name'
-soname_spec=
-shrext_cmds=".so"
-postinstall_cmds=
-postuninstall_cmds=
-finish_cmds=
-finish_eval=
-shlibpath_var=
-shlibpath_overrides_runpath=unknown
-version_type=none
-dynamic_linker="$host_os ld.so"
-sys_lib_dlsearch_path_spec="/lib /usr/lib"
 
-need_lib_prefix=unknown
-hardcode_into_libs=no
 
-# when you set need_version to no, make sure it does not cause -set_version
-# flags to be left without arguments
-need_version=unknown
 
-case $host_os in
-aix3*)
-  version_type=linux
-  library_names_spec='${libname}${release}${shared_ext}$versuffix $libname.a'
-  shlibpath_var=LIBPATH
 
-  # AIX 3 has no versioning support, so we append a major version to the name.
-  soname_spec='${libname}${release}${shared_ext}$major'
-  ;;
 
-aix[4-9]*)
-  version_type=linux
-  need_lib_prefix=no
-  need_version=no
-  hardcode_into_libs=yes
-  if test "$host_cpu" = ia64; then
-    # AIX 5 supports IA64
-    library_names_spec='${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext}$versuffix $libname${shared_ext}'
-    shlibpath_var=LD_LIBRARY_PATH
-  else
-    # With GCC up to 2.95.x, collect2 would create an import file
-    # for dependence libraries.  The import file would start with
-    # the line `#! .'.  This would cause the generated library to
-    # depend on `.', always an invalid library.  This was fixed in
-    # development snapshots of GCC prior to 3.0.
-    case $host_os in
-      aix4 | aix4.[01] | aix4.[01].*)
-      if { echo '#if __GNUC__ > 2 || (__GNUC__ == 2 && __GNUC_MINOR__ >= 97)'
-	   echo ' yes '
-	   echo '#endif'; } | ${CC} -E - | grep yes > /dev/null; then
-	:
-      else
-	can_build_shared=no
-      fi
-      ;;
-    esac
-    # AIX (on Power*) has no versioning support, so currently we can not hardcode correct
-    # soname into executable. Probably we can add versioning support to
-    # collect2, so additional links can be useful in future.
-    if test "$aix_use_runtimelinking" = yes; then
-      # If using run time linking (on AIX 4.2 or later) use lib<name>.so
-      # instead of lib<name>.a to let people know that these are not
-      # typical AIX shared libraries.
-      library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-    else
-      # We preserve .a as extension for shared libraries through AIX4.2
-      # and later when we are not doing run time linking.
-      library_names_spec='${libname}${release}.a $libname.a'
-      soname_spec='${libname}${release}${shared_ext}$major'
-    fi
-    shlibpath_var=LIBPATH
-  fi
-  ;;
 
-amigaos*)
-  library_names_spec='$libname.ixlibrary $libname.a'
-  # Create ${libname}_ixlibrary.a entries in /sys/libs.
-  finish_eval='for lib in `ls $libdir/*.ixlibrary 2>/dev/null`; do libname=`$echo "X$lib" | $Xsed -e '\''s%^.*/\([^/]*\)\.ixlibrary$%\1%'\''`; test $rm /sys/libs/${libname}_ixlibrary.a; $show "cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a"; cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a || exit 1; done'
-  ;;
 
-beos*)
-  library_names_spec='${libname}${shared_ext}'
-  dynamic_linker="$host_os ld.so"
-  shlibpath_var=LIBRARY_PATH
-  ;;
 
-bsdi[45]*)
-  version_type=linux
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  finish_cmds='PATH="\$PATH:/sbin" ldconfig $libdir'
-  shlibpath_var=LD_LIBRARY_PATH
-  sys_lib_search_path_spec="/shlib /usr/lib /usr/X11/lib /usr/contrib/lib /lib /usr/local/lib"
-  sys_lib_dlsearch_path_spec="/shlib /usr/lib /usr/local/lib"
-  # the default ld.so.conf also contains /usr/contrib/lib and
-  # /usr/X11R6/lib (/usr/X11 is a link to /usr/X11R6), but let us allow
-  # libtool to hard-code these into programs
-  ;;
 
-cygwin* | mingw* | pw32*)
-  version_type=windows
-  shrext_cmds=".dll"
-  need_version=no
-  need_lib_prefix=no
 
-  case $GCC,$host_os in
-  yes,cygwin* | yes,mingw* | yes,pw32*)
-    library_names_spec='$libname.dll.a'
-    # DLL is installed to $(libdir)/../bin by postinstall_cmds
-    postinstall_cmds='base_file=`basename \${file}`~
-      dlpath=`$SHELL 2>&1 -c '\''. $dir/'\''\${base_file}'\''i;echo \$dlname'\''`~
-      dldir=$destdir/`dirname \$dlpath`~
-      test -d \$dldir || mkdir -p \$dldir~
-      $install_prog $dir/$dlname \$dldir/$dlname~
-      chmod a+x \$dldir/$dlname'
-    postuninstall_cmds='dldll=`$SHELL 2>&1 -c '\''. $file; echo \$dlname'\''`~
-      dlpath=$dir/\$dldll~
-       $rm \$dlpath'
-    shlibpath_overrides_runpath=yes
 
-    case $host_os in
-    cygwin*)
-      # Cygwin DLLs use 'cyg' prefix rather than 'lib'
-      soname_spec='`echo ${libname} | sed -e 's/^lib/cyg/'``echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}'
-      sys_lib_search_path_spec="/usr/lib /lib/w32api /lib /usr/local/lib"
-      ;;
-    mingw*)
-      # MinGW DLLs use traditional 'lib' prefix
-      soname_spec='${libname}`echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}'
-      sys_lib_search_path_spec=`$CC -print-search-dirs | grep "^libraries:" | $SED -e "s/^libraries://" -e "s,=/,/,g"`
-      if echo "$sys_lib_search_path_spec" | grep ';[c-zC-Z]:/' >/dev/null; then
-        # It is most probably a Windows format PATH printed by
-        # mingw gcc, but we are running on Cygwin. Gcc prints its search
-        # path with ; separators, and with drive letters. We can handle the
-        # drive letters (cygwin fileutils understands them), so leave them,
-        # especially as we might pass files found there to a mingw objdump,
-        # which wouldn't understand a cygwinified path. Ahh.
-        sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'`
-      else
-        sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED  -e "s/$PATH_SEPARATOR/ /g"`
-      fi
-      ;;
-    pw32*)
-      # pw32 DLLs use 'pw' prefix rather than 'lib'
-      library_names_spec='`echo ${libname} | sed -e 's/^lib/pw/'``echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}'
-      ;;
-    esac
-    ;;
 
-  *)
-    library_names_spec='${libname}`echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext} $libname.lib'
-    ;;
-  esac
-  dynamic_linker='Win32 ld.exe'
-  # FIXME: first we should search . and the directory the executable is in
-  shlibpath_var=PATH
-  ;;
 
-darwin* | rhapsody*)
-  dynamic_linker="$host_os dyld"
-  version_type=darwin
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${versuffix}$shared_ext ${libname}${release}${major}$shared_ext ${libname}$shared_ext'
-  soname_spec='${libname}${release}${major}$shared_ext'
-  shlibpath_overrides_runpath=yes
-  shlibpath_var=DYLD_LIBRARY_PATH
-  shrext_cmds='`test .$module = .yes && echo .so || echo .dylib`'
 
-  sys_lib_dlsearch_path_spec='/usr/local/lib /lib /usr/lib'
-  ;;
 
-dgux*)
-  version_type=linux
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname$shared_ext'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  ;;
 
-freebsd1*)
-  dynamic_linker=no
-  ;;
 
-freebsd* | dragonfly*)
-  # DragonFly does not have aout.  When/if they implement a new
-  # versioning mechanism, adjust this.
-  if test -x /usr/bin/objformat; then
-    objformat=`/usr/bin/objformat`
-  else
-    case $host_os in
-    freebsd[123]*) objformat=aout ;;
-    *) objformat=elf ;;
-    esac
-  fi
-  version_type=freebsd-$objformat
-  case $version_type in
-    freebsd-elf*)
-      library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext} $libname${shared_ext}'
-      need_version=no
-      need_lib_prefix=no
-      ;;
-    freebsd-*)
-      library_names_spec='${libname}${release}${shared_ext}$versuffix $libname${shared_ext}$versuffix'
-      need_version=yes
-      ;;
-  esac
-  shlibpath_var=LD_LIBRARY_PATH
-  case $host_os in
-  freebsd2*)
-    shlibpath_overrides_runpath=yes
-    ;;
-  freebsd3.[01]* | freebsdelf3.[01]*)
-    shlibpath_overrides_runpath=yes
-    hardcode_into_libs=yes
-    ;;
-  freebsd3.[2-9]* | freebsdelf3.[2-9]* | \
-  freebsd4.[0-5] | freebsdelf4.[0-5] | freebsd4.1.1 | freebsdelf4.1.1)
-    shlibpath_overrides_runpath=no
-    hardcode_into_libs=yes
-    ;;
-  *) # from 4.6 on, and DragonFly
-    shlibpath_overrides_runpath=yes
-    hardcode_into_libs=yes
-    ;;
-  esac
-  ;;
 
-gnu*)
-  version_type=linux
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}${major} ${libname}${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  hardcode_into_libs=yes
-  ;;
 
-hpux9* | hpux10* | hpux11*)
-  # Give a soname corresponding to the major version so that dld.sl refuses to
-  # link against other versions.
-  version_type=sunos
-  need_lib_prefix=no
-  need_version=no
-  case $host_cpu in
-  ia64*)
-    shrext_cmds='.so'
-    hardcode_into_libs=yes
-    dynamic_linker="$host_os dld.so"
-    shlibpath_var=LD_LIBRARY_PATH
-    shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
-    library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-    soname_spec='${libname}${release}${shared_ext}$major'
-    if test "X$HPUX_IA64_MODE" = X32; then
-      sys_lib_search_path_spec="/usr/lib/hpux32 /usr/local/lib/hpux32 /usr/local/lib"
-    else
-      sys_lib_search_path_spec="/usr/lib/hpux64 /usr/local/lib/hpux64"
-    fi
-    sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
-    ;;
-   hppa*64*)
-     shrext_cmds='.sl'
-     hardcode_into_libs=yes
-     dynamic_linker="$host_os dld.sl"
-     shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH
-     shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
-     library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-     soname_spec='${libname}${release}${shared_ext}$major'
-     sys_lib_search_path_spec="/usr/lib/pa20_64 /usr/ccs/lib/pa20_64"
-     sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
-     ;;
-   *)
-    shrext_cmds='.sl'
-    dynamic_linker="$host_os dld.sl"
-    shlibpath_var=SHLIB_PATH
-    shlibpath_overrides_runpath=no # +s is required to enable SHLIB_PATH
-    library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-    soname_spec='${libname}${release}${shared_ext}$major'
-    ;;
-  esac
-  # HP-UX runs *really* slowly unless shared libraries are mode 555.
-  postinstall_cmds='chmod 555 $lib'
-  ;;
 
-interix[3-9]*)
-  version_type=linux
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  dynamic_linker='Interix 3.x ld.so.1 (PE, like ELF)'
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=no
-  hardcode_into_libs=yes
-  ;;
 
-irix5* | irix6* | nonstopux*)
-  case $host_os in
-    nonstopux*) version_type=nonstopux ;;
-    *)
-	if test "$lt_cv_prog_gnu_ld" = yes; then
-		version_type=linux
-	else
-		version_type=irix
-	fi ;;
-  esac
-  need_lib_prefix=no
-  need_version=no
-  soname_spec='${libname}${release}${shared_ext}$major'
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext} $libname${shared_ext}'
-  case $host_os in
-  irix5* | nonstopux*)
-    libsuff= shlibsuff=
-    ;;
-  *)
-    case $LD in # libtool.m4 will add one of these switches to LD
-    *-32|*"-32 "|*-melf32bsmip|*"-melf32bsmip ")
-      libsuff= shlibsuff= libmagic=32-bit;;
-    *-n32|*"-n32 "|*-melf32bmipn32|*"-melf32bmipn32 ")
-      libsuff=32 shlibsuff=N32 libmagic=N32;;
-    *-64|*"-64 "|*-melf64bmip|*"-melf64bmip ")
-      libsuff=64 shlibsuff=64 libmagic=64-bit;;
-    *) libsuff= shlibsuff= libmagic=never-match;;
-    esac
-    ;;
-  esac
-  shlibpath_var=LD_LIBRARY${shlibsuff}_PATH
-  shlibpath_overrides_runpath=no
-  sys_lib_search_path_spec="/usr/lib${libsuff} /lib${libsuff} /usr/local/lib${libsuff}"
-  sys_lib_dlsearch_path_spec="/usr/lib${libsuff} /lib${libsuff}"
-  hardcode_into_libs=yes
-  ;;
 
-# No shared lib support for Linux oldld, aout, or coff.
-linux*oldld* | linux*aout* | linux*coff*)
-  dynamic_linker=no
-  ;;
 
-# This must be Linux ELF.
-linux* | k*bsd*-gnu)
-  version_type=linux
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  finish_cmds='PATH="\$PATH:/sbin" ldconfig -n $libdir'
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=no
-  # This implies no fast_install, which is unacceptable.
-  # Some rework will be needed to allow for fast_install
-  # before this can be enabled.
-  hardcode_into_libs=yes
 
-  # Append ld.so.conf contents to the search path
-  if test -f /etc/ld.so.conf; then
-    lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ 	]*hwcap[ 	]/d;s/[:,	]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;/^$/d' | tr '\n' ' '`
-    sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
-  fi
 
-  # We used to test for /lib/ld.so.1 and disable shared libraries on
-  # powerpc, because MkLinux only supported shared libraries with the
-  # GNU dynamic linker.  Since this was broken with cross compilers,
-  # most powerpc-linux boxes support dynamic linking these days and
-  # people can always --disable-shared, the test was removed, and we
-  # assume the GNU/Linux dynamic linker is in use.
-  dynamic_linker='GNU/Linux ld.so'
-  ;;
 
-netbsdelf*-gnu)
-  version_type=linux
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=no
-  hardcode_into_libs=yes
-  dynamic_linker='NetBSD ld.elf_so'
-  ;;
 
-netbsd*)
-  version_type=sunos
-  need_lib_prefix=no
-  need_version=no
-  if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
-    library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
-    finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
-    dynamic_linker='NetBSD (a.out) ld.so'
-  else
-    library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
-    soname_spec='${libname}${release}${shared_ext}$major'
-    dynamic_linker='NetBSD ld.elf_so'
-  fi
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=yes
-  hardcode_into_libs=yes
-  ;;
 
-newsos6)
-  version_type=linux
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=yes
-  ;;
 
-nto-qnx*)
-  version_type=linux
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=yes
-  ;;
 
-openbsd*)
-  version_type=sunos
-  sys_lib_dlsearch_path_spec="/usr/lib"
-  need_lib_prefix=no
-  # Some older versions of OpenBSD (3.3 at least) *do* need versioned libs.
-  case $host_os in
-    openbsd3.3 | openbsd3.3.*) need_version=yes ;;
-    *)                         need_version=no  ;;
-  esac
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
-  finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
-  shlibpath_var=LD_LIBRARY_PATH
-  if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
-    case $host_os in
-      openbsd2.[89] | openbsd2.[89].*)
-	shlibpath_overrides_runpath=no
-	;;
-      *)
-	shlibpath_overrides_runpath=yes
-	;;
-      esac
-  else
-    shlibpath_overrides_runpath=yes
-  fi
-  ;;
-
-os2*)
-  libname_spec='$name'
-  shrext_cmds=".dll"
-  need_lib_prefix=no
-  library_names_spec='$libname${shared_ext} $libname.a'
-  dynamic_linker='OS/2 ld.exe'
-  shlibpath_var=LIBPATH
-  ;;
-
-osf3* | osf4* | osf5*)
-  version_type=osf
-  need_lib_prefix=no
-  need_version=no
-  soname_spec='${libname}${release}${shared_ext}$major'
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-  shlibpath_var=LD_LIBRARY_PATH
-  sys_lib_search_path_spec="/usr/shlib /usr/ccs/lib /usr/lib/cmplrs/cc /usr/lib /usr/local/lib /var/shlib"
-  sys_lib_dlsearch_path_spec="$sys_lib_search_path_spec"
-  ;;
-
-rdos*)
-  dynamic_linker=no
-  ;;
-
-solaris*)
-  version_type=linux
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=yes
-  hardcode_into_libs=yes
-  # ldd complains unless libraries are executable
-  postinstall_cmds='chmod +x $lib'
-  ;;
-
-sunos4*)
-  version_type=sunos
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
-  finish_cmds='PATH="\$PATH:/usr/etc" ldconfig $libdir'
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=yes
-  if test "$with_gnu_ld" = yes; then
-    need_lib_prefix=no
-  fi
-  need_version=yes
-  ;;
-
-sysv4 | sysv4.3*)
-  version_type=linux
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  case $host_vendor in
-    sni)
-      shlibpath_overrides_runpath=no
-      need_lib_prefix=no
-      export_dynamic_flag_spec='${wl}-Blargedynsym'
-      runpath_var=LD_RUN_PATH
-      ;;
-    siemens)
-      need_lib_prefix=no
-      ;;
-    motorola)
-      need_lib_prefix=no
-      need_version=no
-      shlibpath_overrides_runpath=no
-      sys_lib_search_path_spec='/lib /usr/lib /usr/ccs/lib'
-      ;;
-  esac
-  ;;
 
-sysv4*MP*)
-  if test -d /usr/nec ;then
-    version_type=linux
-    library_names_spec='$libname${shared_ext}.$versuffix $libname${shared_ext}.$major $libname${shared_ext}'
-    soname_spec='$libname${shared_ext}.$major'
-    shlibpath_var=LD_LIBRARY_PATH
-  fi
-  ;;
 
-sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX* | sysv4*uw2*)
-  version_type=freebsd-elf
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext} $libname${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  hardcode_into_libs=yes
-  if test "$with_gnu_ld" = yes; then
-    sys_lib_search_path_spec='/usr/local/lib /usr/gnu/lib /usr/ccs/lib /usr/lib /lib'
-    shlibpath_overrides_runpath=no
-  else
-    sys_lib_search_path_spec='/usr/ccs/lib /usr/lib'
-    shlibpath_overrides_runpath=yes
-    case $host_os in
-      sco3.2v5*)
-        sys_lib_search_path_spec="$sys_lib_search_path_spec /lib"
-	;;
-    esac
-  fi
-  sys_lib_dlsearch_path_spec='/usr/lib'
-  ;;
 
-uts4*)
-  version_type=linux
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  ;;
 
-*)
-  dynamic_linker=no
-  ;;
-esac
-{ echo "$as_me:$LINENO: result: $dynamic_linker" >&5
-echo "${ECHO_T}$dynamic_linker" >&6; }
-test "$dynamic_linker" = no && can_build_shared=no
 
-if test "${lt_cv_sys_lib_search_path_spec+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  lt_cv_sys_lib_search_path_spec="$sys_lib_search_path_spec"
-fi
 
-sys_lib_search_path_spec="$lt_cv_sys_lib_search_path_spec"
-if test "${lt_cv_sys_lib_dlsearch_path_spec+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  lt_cv_sys_lib_dlsearch_path_spec="$sys_lib_dlsearch_path_spec"
-fi
 
-sys_lib_dlsearch_path_spec="$lt_cv_sys_lib_dlsearch_path_spec"
 
-variables_saved_for_relink="PATH $shlibpath_var $runpath_var"
-if test "$GCC" = yes; then
-  variables_saved_for_relink="$variables_saved_for_relink GCC_EXEC_PREFIX COMPILER_PATH LIBRARY_PATH"
-fi
 
-{ echo "$as_me:$LINENO: checking how to hardcode library paths into programs" >&5
-echo $ECHO_N "checking how to hardcode library paths into programs... $ECHO_C" >&6; }
-hardcode_action_CXX=
-if test -n "$hardcode_libdir_flag_spec_CXX" || \
-   test -n "$runpath_var_CXX" || \
-   test "X$hardcode_automatic_CXX" = "Xyes" ; then
 
-  # We can hardcode non-existant directories.
-  if test "$hardcode_direct_CXX" != no &&
-     # If the only mechanism to avoid hardcoding is shlibpath_var, we
-     # have to relink, otherwise we might link with an installed library
-     # when we should be linking with a yet-to-be-installed one
-     ## test "$_LT_AC_TAGVAR(hardcode_shlibpath_var, CXX)" != no &&
-     test "$hardcode_minus_L_CXX" != no; then
-    # Linking always hardcodes the temporary library directory.
-    hardcode_action_CXX=relink
-  else
-    # We can link without hardcoding, and we can hardcode nonexisting dirs.
-    hardcode_action_CXX=immediate
-  fi
-else
-  # We cannot hardcode anything, or else we can only hardcode existing
-  # directories.
-  hardcode_action_CXX=unsupported
-fi
-{ echo "$as_me:$LINENO: result: $hardcode_action_CXX" >&5
-echo "${ECHO_T}$hardcode_action_CXX" >&6; }
 
-if test "$hardcode_action_CXX" = relink; then
-  # Fast installation is not supported
-  enable_fast_install=no
-elif test "$shlibpath_overrides_runpath" = yes ||
-     test "$enable_shared" = no; then
-  # Fast installation is not necessary
-  enable_fast_install=needless
-fi
 
 
-# The else clause should only fire when bootstrapping the
-# libtool distribution, otherwise you forgot to ship ltmain.sh
-# with your package, and you will get complaints that there are
-# no rules to generate ltmain.sh.
-if test -f "$ltmain"; then
-  # See if we are running on zsh, and set the options which allow our commands through
-  # without removal of \ escapes.
-  if test -n "${ZSH_VERSION+set}" ; then
-    setopt NO_GLOB_SUBST
-  fi
-  # Now quote all the things that may contain metacharacters while being
-  # careful not to overquote the AC_SUBSTed values.  We take copies of the
-  # variables and quote the copies for generation of the libtool script.
-  for var in echo old_CC old_CFLAGS AR AR_FLAGS EGREP RANLIB LN_S LTCC LTCFLAGS NM \
-    SED SHELL STRIP \
-    libname_spec library_names_spec soname_spec extract_expsyms_cmds \
-    old_striplib striplib file_magic_cmd finish_cmds finish_eval \
-    deplibs_check_method reload_flag reload_cmds need_locks \
-    lt_cv_sys_global_symbol_pipe lt_cv_sys_global_symbol_to_cdecl \
-    lt_cv_sys_global_symbol_to_c_name_address \
-    sys_lib_search_path_spec sys_lib_dlsearch_path_spec \
-    old_postinstall_cmds old_postuninstall_cmds \
-    compiler_CXX \
-    CC_CXX \
-    LD_CXX \
-    lt_prog_compiler_wl_CXX \
-    lt_prog_compiler_pic_CXX \
-    lt_prog_compiler_static_CXX \
-    lt_prog_compiler_no_builtin_flag_CXX \
-    export_dynamic_flag_spec_CXX \
-    thread_safe_flag_spec_CXX \
-    whole_archive_flag_spec_CXX \
-    enable_shared_with_static_runtimes_CXX \
-    old_archive_cmds_CXX \
-    old_archive_from_new_cmds_CXX \
-    predep_objects_CXX \
-    postdep_objects_CXX \
-    predeps_CXX \
-    postdeps_CXX \
-    compiler_lib_search_path_CXX \
-    compiler_lib_search_dirs_CXX \
-    archive_cmds_CXX \
-    archive_expsym_cmds_CXX \
-    postinstall_cmds_CXX \
-    postuninstall_cmds_CXX \
-    old_archive_from_expsyms_cmds_CXX \
-    allow_undefined_flag_CXX \
-    no_undefined_flag_CXX \
-    export_symbols_cmds_CXX \
-    hardcode_libdir_flag_spec_CXX \
-    hardcode_libdir_flag_spec_ld_CXX \
-    hardcode_libdir_separator_CXX \
-    hardcode_automatic_CXX \
-    module_cmds_CXX \
-    module_expsym_cmds_CXX \
-    lt_cv_prog_compiler_c_o_CXX \
-    fix_srcfile_path_CXX \
-    exclude_expsyms_CXX \
-    include_expsyms_CXX; do
-
-    case $var in
-    old_archive_cmds_CXX | \
-    old_archive_from_new_cmds_CXX | \
-    archive_cmds_CXX | \
-    archive_expsym_cmds_CXX | \
-    module_cmds_CXX | \
-    module_expsym_cmds_CXX | \
-    old_archive_from_expsyms_cmds_CXX | \
-    export_symbols_cmds_CXX | \
-    extract_expsyms_cmds | reload_cmds | finish_cmds | \
-    postinstall_cmds | postuninstall_cmds | \
-    old_postinstall_cmds | old_postuninstall_cmds | \
-    sys_lib_search_path_spec | sys_lib_dlsearch_path_spec)
-      # Double-quote double-evaled strings.
-      eval "lt_$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$double_quote_subst\" -e \"\$sed_quote_subst\" -e \"\$delay_variable_subst\"\`\\\""
-      ;;
-    *)
-      eval "lt_$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$sed_quote_subst\"\`\\\""
-      ;;
-    esac
-  done
 
-  case $lt_echo in
-  *'\$0 --fallback-echo"')
-    lt_echo=`$echo "X$lt_echo" | $Xsed -e 's/\\\\\\\$0 --fallback-echo"$/$0 --fallback-echo"/'`
-    ;;
-  esac
 
-cfgfile="$ofile"
 
-  cat <<__EOF__ >> "$cfgfile"
-# ### BEGIN LIBTOOL TAG CONFIG: $tagname
 
-# Libtool was configured on host `(hostname || uname -n) 2>/dev/null | sed 1q`:
 
-# Shell to use when invoking shell scripts.
-SHELL=$lt_SHELL
 
-# Whether or not to build shared libraries.
-build_libtool_libs=$enable_shared
 
-# Whether or not to build static libraries.
-build_old_libs=$enable_static
 
-# Whether or not to add -lc for building shared libraries.
-build_libtool_need_lc=$archive_cmds_need_lc_CXX
 
-# Whether or not to disallow shared libs when runtime libs are static
-allow_libtool_libs_with_static_runtimes=$enable_shared_with_static_runtimes_CXX
 
-# Whether or not to optimize for fast installation.
-fast_install=$enable_fast_install
 
-# The host system.
-host_alias=$host_alias
-host=$host
-host_os=$host_os
 
-# The build system.
-build_alias=$build_alias
-build=$build
-build_os=$build_os
 
-# An echo program that does not interpret backslashes.
-echo=$lt_echo
 
-# The archiver.
-AR=$lt_AR
-AR_FLAGS=$lt_AR_FLAGS
 
-# A C compiler.
-LTCC=$lt_LTCC
 
-# LTCC compiler flags.
-LTCFLAGS=$lt_LTCFLAGS
 
-# A language-specific compiler.
-CC=$lt_compiler_CXX
 
-# Is the compiler the GNU C compiler?
-with_gcc=$GCC_CXX
 
-# An ERE matcher.
-EGREP=$lt_EGREP
 
-# The linker used to build libraries.
-LD=$lt_LD_CXX
 
-# Whether we need hard or soft links.
-LN_S=$lt_LN_S
 
-# A BSD-compatible nm program.
-NM=$lt_NM
 
-# A symbol stripping program
-STRIP=$lt_STRIP
 
-# Used to examine libraries when file_magic_cmd begins "file"
-MAGIC_CMD=$MAGIC_CMD
 
-# Used on cygwin: DLL creation program.
-DLLTOOL="$DLLTOOL"
 
-# Used on cygwin: object dumper.
-OBJDUMP="$OBJDUMP"
 
-# Used on cygwin: assembler.
-AS="$AS"
 
-# The name of the directory that contains temporary libtool files.
-objdir=$objdir
+  { echo "$as_me:$LINENO: checking how to hardcode library paths into programs" >&5
+echo $ECHO_N "checking how to hardcode library paths into programs... $ECHO_C" >&6; }
+hardcode_action=
+if test -n "$hardcode_libdir_flag_spec" ||
+   test -n "$runpath_var" ||
+   test "X$hardcode_automatic" = "Xyes" ; then
 
-# How to create reloadable object files.
-reload_flag=$lt_reload_flag
-reload_cmds=$lt_reload_cmds
+  # We can hardcode non-existent directories.
+  if test "$hardcode_direct" != no &&
+     # If the only mechanism to avoid hardcoding is shlibpath_var, we
+     # have to relink, otherwise we might link with an installed library
+     # when we should be linking with a yet-to-be-installed one
+     ## test "$_LT_TAGVAR(hardcode_shlibpath_var, )" != no &&
+     test "$hardcode_minus_L" != no; then
+    # Linking always hardcodes the temporary library directory.
+    hardcode_action=relink
+  else
+    # We can link without hardcoding, and we can hardcode nonexisting dirs.
+    hardcode_action=immediate
+  fi
+else
+  # We cannot hardcode anything, or else we can only hardcode existing
+  # directories.
+  hardcode_action=unsupported
+fi
+{ echo "$as_me:$LINENO: result: $hardcode_action" >&5
+echo "${ECHO_T}$hardcode_action" >&6; }
 
-# How to pass a linker flag through the compiler.
-wl=$lt_lt_prog_compiler_wl_CXX
+if test "$hardcode_action" = relink ||
+   test "$inherit_rpath" = yes; then
+  # Fast installation is not supported
+  enable_fast_install=no
+elif test "$shlibpath_overrides_runpath" = yes ||
+     test "$enable_shared" = no; then
+  # Fast installation is not necessary
+  enable_fast_install=needless
+fi
 
-# Object file suffix (normally "o").
-objext="$ac_objext"
 
-# Old archive suffix (normally "a").
-libext="$libext"
 
-# Shared library suffix (normally ".so").
-shrext_cmds='$shrext_cmds'
 
-# Executable file suffix (normally "").
-exeext="$exeext"
 
-# Additional compiler flags for building library objects.
-pic_flag=$lt_lt_prog_compiler_pic_CXX
-pic_mode=$pic_mode
 
-# What is the maximum length of a command?
-max_cmd_len=$lt_cv_sys_max_cmd_len
+  if test "x$enable_dlopen" != xyes; then
+  enable_dlopen=unknown
+  enable_dlopen_self=unknown
+  enable_dlopen_self_static=unknown
+else
+  lt_cv_dlopen=no
+  lt_cv_dlopen_libs=
 
-# Does compiler simultaneously support -c and -o options?
-compiler_c_o=$lt_lt_cv_prog_compiler_c_o_CXX
+  case $host_os in
+  beos*)
+    lt_cv_dlopen="load_add_on"
+    lt_cv_dlopen_libs=
+    lt_cv_dlopen_self=yes
+    ;;
 
-# Must we lock files when doing compilation?
-need_locks=$lt_need_locks
+  mingw* | pw32*)
+    lt_cv_dlopen="LoadLibrary"
+    lt_cv_dlopen_libs=
+    ;;
 
-# Do we need the lib prefix for modules?
-need_lib_prefix=$need_lib_prefix
+  cygwin*)
+    lt_cv_dlopen="dlopen"
+    lt_cv_dlopen_libs=
+    ;;
 
-# Do we need a version for libraries?
-need_version=$need_version
-
-# Whether dlopen is supported.
-dlopen_support=$enable_dlopen
+  darwin*)
+  # if libdl is installed we need to link against it
+    { echo "$as_me:$LINENO: checking for dlopen in -ldl" >&5
+echo $ECHO_N "checking for dlopen in -ldl... $ECHO_C" >&6; }
+if test "${ac_cv_lib_dl_dlopen+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-ldl  $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
 
-# Whether dlopen of programs is supported.
-dlopen_self=$enable_dlopen_self
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char dlopen ();
+int
+main ()
+{
+return dlopen ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+  ac_cv_lib_dl_dlopen=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
 
-# Whether dlopen of statically linked programs is supported.
-dlopen_self_static=$enable_dlopen_self_static
+	ac_cv_lib_dl_dlopen=no
+fi
 
-# Compiler flag to prevent dynamic linking.
-link_static_flag=$lt_lt_prog_compiler_static_CXX
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_dl_dlopen" >&5
+echo "${ECHO_T}$ac_cv_lib_dl_dlopen" >&6; }
+if test $ac_cv_lib_dl_dlopen = yes; then
+  lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-ldl"
+else
 
-# Compiler flag to turn off builtin functions.
-no_builtin_flag=$lt_lt_prog_compiler_no_builtin_flag_CXX
+    lt_cv_dlopen="dyld"
+    lt_cv_dlopen_libs=
+    lt_cv_dlopen_self=yes
 
-# Compiler flag to allow reflexive dlopens.
-export_dynamic_flag_spec=$lt_export_dynamic_flag_spec_CXX
+fi
 
-# Compiler flag to generate shared objects directly from archives.
-whole_archive_flag_spec=$lt_whole_archive_flag_spec_CXX
+    ;;
 
-# Compiler flag to generate thread-safe objects.
-thread_safe_flag_spec=$lt_thread_safe_flag_spec_CXX
+  *)
+    { echo "$as_me:$LINENO: checking for shl_load" >&5
+echo $ECHO_N "checking for shl_load... $ECHO_C" >&6; }
+if test "${ac_cv_func_shl_load+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+/* Define shl_load to an innocuous variant, in case <limits.h> declares shl_load.
+   For example, HP-UX 11i <limits.h> declares gettimeofday.  */
+#define shl_load innocuous_shl_load
 
-# Library versioning type.
-version_type=$version_type
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char shl_load (); below.
+    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+    <limits.h> exists even on freestanding compilers.  */
 
-# Format of library name prefix.
-libname_spec=$lt_libname_spec
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
 
-# List of archive names.  First name is the real one, the rest are links.
-# The last name is the one that the linker finds with -lNAME.
-library_names_spec=$lt_library_names_spec
+#undef shl_load
 
-# The coded name of the library, if different from the real name.
-soname_spec=$lt_soname_spec
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char shl_load ();
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined __stub_shl_load || defined __stub___shl_load
+choke me
+#endif
 
-# Commands used to build and install an old-style archive.
-RANLIB=$lt_RANLIB
-old_archive_cmds=$lt_old_archive_cmds_CXX
-old_postinstall_cmds=$lt_old_postinstall_cmds
-old_postuninstall_cmds=$lt_old_postuninstall_cmds
+int
+main ()
+{
+return shl_load ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+  ac_cv_func_shl_load=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
 
-# Create an old-style archive from a shared archive.
-old_archive_from_new_cmds=$lt_old_archive_from_new_cmds_CXX
+	ac_cv_func_shl_load=no
+fi
 
-# Create a temporary old-style archive to link instead of a shared archive.
-old_archive_from_expsyms_cmds=$lt_old_archive_from_expsyms_cmds_CXX
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_func_shl_load" >&5
+echo "${ECHO_T}$ac_cv_func_shl_load" >&6; }
+if test $ac_cv_func_shl_load = yes; then
+  lt_cv_dlopen="shl_load"
+else
+  { echo "$as_me:$LINENO: checking for shl_load in -ldld" >&5
+echo $ECHO_N "checking for shl_load in -ldld... $ECHO_C" >&6; }
+if test "${ac_cv_lib_dld_shl_load+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-ldld  $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
 
-# Commands used to build and install a shared archive.
-archive_cmds=$lt_archive_cmds_CXX
-archive_expsym_cmds=$lt_archive_expsym_cmds_CXX
-postinstall_cmds=$lt_postinstall_cmds
-postuninstall_cmds=$lt_postuninstall_cmds
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char shl_load ();
+int
+main ()
+{
+return shl_load ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+  ac_cv_lib_dld_shl_load=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
 
-# Commands used to build a loadable module (assumed same as above if empty)
-module_cmds=$lt_module_cmds_CXX
-module_expsym_cmds=$lt_module_expsym_cmds_CXX
+	ac_cv_lib_dld_shl_load=no
+fi
 
-# Commands to strip libraries.
-old_striplib=$lt_old_striplib
-striplib=$lt_striplib
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_dld_shl_load" >&5
+echo "${ECHO_T}$ac_cv_lib_dld_shl_load" >&6; }
+if test $ac_cv_lib_dld_shl_load = yes; then
+  lt_cv_dlopen="shl_load" lt_cv_dlopen_libs="-ldld"
+else
+  { echo "$as_me:$LINENO: checking for dlopen" >&5
+echo $ECHO_N "checking for dlopen... $ECHO_C" >&6; }
+if test "${ac_cv_func_dlopen+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+/* Define dlopen to an innocuous variant, in case <limits.h> declares dlopen.
+   For example, HP-UX 11i <limits.h> declares gettimeofday.  */
+#define dlopen innocuous_dlopen
 
-# Dependencies to place before the objects being linked to create a
-# shared library.
-predep_objects=$lt_predep_objects_CXX
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char dlopen (); below.
+    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+    <limits.h> exists even on freestanding compilers.  */
 
-# Dependencies to place after the objects being linked to create a
-# shared library.
-postdep_objects=$lt_postdep_objects_CXX
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
 
-# Dependencies to place before the objects being linked to create a
-# shared library.
-predeps=$lt_predeps_CXX
+#undef dlopen
 
-# Dependencies to place after the objects being linked to create a
-# shared library.
-postdeps=$lt_postdeps_CXX
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char dlopen ();
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined __stub_dlopen || defined __stub___dlopen
+choke me
+#endif
 
-# The directories searched by this compiler when creating a shared
-# library
-compiler_lib_search_dirs=$lt_compiler_lib_search_dirs_CXX
+int
+main ()
+{
+return dlopen ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+  ac_cv_func_dlopen=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
 
-# The library search path used internally by the compiler when linking
-# a shared library.
-compiler_lib_search_path=$lt_compiler_lib_search_path_CXX
+	ac_cv_func_dlopen=no
+fi
 
-# Method to check whether dependent libraries are shared objects.
-deplibs_check_method=$lt_deplibs_check_method
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_func_dlopen" >&5
+echo "${ECHO_T}$ac_cv_func_dlopen" >&6; }
+if test $ac_cv_func_dlopen = yes; then
+  lt_cv_dlopen="dlopen"
+else
+  { echo "$as_me:$LINENO: checking for dlopen in -ldl" >&5
+echo $ECHO_N "checking for dlopen in -ldl... $ECHO_C" >&6; }
+if test "${ac_cv_lib_dl_dlopen+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-ldl  $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
 
-# Command to use when deplibs_check_method == file_magic.
-file_magic_cmd=$lt_file_magic_cmd
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char dlopen ();
+int
+main ()
+{
+return dlopen ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+  ac_cv_lib_dl_dlopen=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
 
-# Flag that allows shared libraries with undefined symbols to be built.
-allow_undefined_flag=$lt_allow_undefined_flag_CXX
+	ac_cv_lib_dl_dlopen=no
+fi
 
-# Flag that forces no undefined symbols.
-no_undefined_flag=$lt_no_undefined_flag_CXX
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_dl_dlopen" >&5
+echo "${ECHO_T}$ac_cv_lib_dl_dlopen" >&6; }
+if test $ac_cv_lib_dl_dlopen = yes; then
+  lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-ldl"
+else
+  { echo "$as_me:$LINENO: checking for dlopen in -lsvld" >&5
+echo $ECHO_N "checking for dlopen in -lsvld... $ECHO_C" >&6; }
+if test "${ac_cv_lib_svld_dlopen+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lsvld  $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
 
-# Commands used to finish a libtool library installation in a directory.
-finish_cmds=$lt_finish_cmds
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char dlopen ();
+int
+main ()
+{
+return dlopen ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+  ac_cv_lib_svld_dlopen=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
 
-# Same as above, but a single script fragment to be evaled but not shown.
-finish_eval=$lt_finish_eval
+	ac_cv_lib_svld_dlopen=no
+fi
 
-# Take the output of nm and produce a listing of raw symbols and C names.
-global_symbol_pipe=$lt_lt_cv_sys_global_symbol_pipe
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_svld_dlopen" >&5
+echo "${ECHO_T}$ac_cv_lib_svld_dlopen" >&6; }
+if test $ac_cv_lib_svld_dlopen = yes; then
+  lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-lsvld"
+else
+  { echo "$as_me:$LINENO: checking for dld_link in -ldld" >&5
+echo $ECHO_N "checking for dld_link in -ldld... $ECHO_C" >&6; }
+if test "${ac_cv_lib_dld_dld_link+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-ldld  $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
 
-# Transform the output of nm in a proper C declaration
-global_symbol_to_cdecl=$lt_lt_cv_sys_global_symbol_to_cdecl
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char dld_link ();
+int
+main ()
+{
+return dld_link ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+  ac_cv_lib_dld_dld_link=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
 
-# Transform the output of nm in a C name address pair
-global_symbol_to_c_name_address=$lt_lt_cv_sys_global_symbol_to_c_name_address
+	ac_cv_lib_dld_dld_link=no
+fi
 
-# This is the shared library runtime path variable.
-runpath_var=$runpath_var
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_dld_dld_link" >&5
+echo "${ECHO_T}$ac_cv_lib_dld_dld_link" >&6; }
+if test $ac_cv_lib_dld_dld_link = yes; then
+  lt_cv_dlopen="dld_link" lt_cv_dlopen_libs="-ldld"
+fi
 
-# This is the shared library path variable.
-shlibpath_var=$shlibpath_var
 
-# Is shlibpath searched before the hard-coded library search path?
-shlibpath_overrides_runpath=$shlibpath_overrides_runpath
-
-# How to hardcode a shared library path into an executable.
-hardcode_action=$hardcode_action_CXX
+fi
 
-# Whether we should hardcode library paths into libraries.
-hardcode_into_libs=$hardcode_into_libs
 
-# Flag to hardcode \$libdir into a binary during linking.
-# This must work even if \$libdir does not exist.
-hardcode_libdir_flag_spec=$lt_hardcode_libdir_flag_spec_CXX
+fi
 
-# If ld is used when linking, flag to hardcode \$libdir into
-# a binary during linking. This must work even if \$libdir does
-# not exist.
-hardcode_libdir_flag_spec_ld=$lt_hardcode_libdir_flag_spec_ld_CXX
 
-# Whether we need a single -rpath flag with a separated argument.
-hardcode_libdir_separator=$lt_hardcode_libdir_separator_CXX
+fi
 
-# Set to yes if using DIR/libNAME${shared_ext} during linking hardcodes DIR into the
-# resulting binary.
-hardcode_direct=$hardcode_direct_CXX
 
-# Set to yes if using the -LDIR flag during linking hardcodes DIR into the
-# resulting binary.
-hardcode_minus_L=$hardcode_minus_L_CXX
+fi
 
-# Set to yes if using SHLIBPATH_VAR=DIR during linking hardcodes DIR into
-# the resulting binary.
-hardcode_shlibpath_var=$hardcode_shlibpath_var_CXX
 
-# Set to yes if building a shared library automatically hardcodes DIR into the library
-# and all subsequent libraries and executables linked against it.
-hardcode_automatic=$hardcode_automatic_CXX
+fi
 
-# Variables whose values should be saved in libtool wrapper scripts and
-# restored at relink time.
-variables_saved_for_relink="$variables_saved_for_relink"
+    ;;
+  esac
 
-# Whether libtool must link a program against all its dependency libraries.
-link_all_deplibs=$link_all_deplibs_CXX
+  if test "x$lt_cv_dlopen" != xno; then
+    enable_dlopen=yes
+  else
+    enable_dlopen=no
+  fi
 
-# Compile-time system search path for libraries
-sys_lib_search_path_spec=$lt_sys_lib_search_path_spec
+  case $lt_cv_dlopen in
+  dlopen)
+    save_CPPFLAGS="$CPPFLAGS"
+    test "x$ac_cv_header_dlfcn_h" = xyes && CPPFLAGS="$CPPFLAGS -DHAVE_DLFCN_H"
 
-# Run-time system search path for libraries
-sys_lib_dlsearch_path_spec=$lt_sys_lib_dlsearch_path_spec
+    save_LDFLAGS="$LDFLAGS"
+    wl=$lt_prog_compiler_wl eval LDFLAGS=\"\$LDFLAGS $export_dynamic_flag_spec\"
 
-# Fix the shell variable \$srcfile for the compiler.
-fix_srcfile_path=$lt_fix_srcfile_path
+    save_LIBS="$LIBS"
+    LIBS="$lt_cv_dlopen_libs $LIBS"
 
-# Set to yes if exported symbols are required.
-always_export_symbols=$always_export_symbols_CXX
+    { echo "$as_me:$LINENO: checking whether a program can dlopen itself" >&5
+echo $ECHO_N "checking whether a program can dlopen itself... $ECHO_C" >&6; }
+if test "${lt_cv_dlopen_self+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  	  if test "$cross_compiling" = yes; then :
+  lt_cv_dlopen_self=cross
+else
+  lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
+  lt_status=$lt_dlunknown
+  cat > conftest.$ac_ext <<_LT_EOF
+#line 12133 "configure"
+#include "confdefs.h"
 
-# The commands to list exported symbols.
-export_symbols_cmds=$lt_export_symbols_cmds_CXX
+#if HAVE_DLFCN_H
+#include <dlfcn.h>
+#endif
 
-# The commands to extract the exported symbol list from a shared archive.
-extract_expsyms_cmds=$lt_extract_expsyms_cmds
+#include <stdio.h>
 
-# Symbols that should not be listed in the preloaded symbols.
-exclude_expsyms=$lt_exclude_expsyms_CXX
+#ifdef RTLD_GLOBAL
+#  define LT_DLGLOBAL		RTLD_GLOBAL
+#else
+#  ifdef DL_GLOBAL
+#    define LT_DLGLOBAL		DL_GLOBAL
+#  else
+#    define LT_DLGLOBAL		0
+#  endif
+#endif
 
-# Symbols that must always be exported.
-include_expsyms=$lt_include_expsyms_CXX
+/* We may have to define LT_DLLAZY_OR_NOW in the command line if we
+   find out it does not work in some platform. */
+#ifndef LT_DLLAZY_OR_NOW
+#  ifdef RTLD_LAZY
+#    define LT_DLLAZY_OR_NOW		RTLD_LAZY
+#  else
+#    ifdef DL_LAZY
+#      define LT_DLLAZY_OR_NOW		DL_LAZY
+#    else
+#      ifdef RTLD_NOW
+#        define LT_DLLAZY_OR_NOW	RTLD_NOW
+#      else
+#        ifdef DL_NOW
+#          define LT_DLLAZY_OR_NOW	DL_NOW
+#        else
+#          define LT_DLLAZY_OR_NOW	0
+#        endif
+#      endif
+#    endif
+#  endif
+#endif
 
-# ### END LIBTOOL TAG CONFIG: $tagname
+#ifdef __cplusplus
+extern "C" void exit (int);
+#endif
 
-__EOF__
+void fnord() { int i=42;}
+int main ()
+{
+  void *self = dlopen (0, LT_DLGLOBAL|LT_DLLAZY_OR_NOW);
+  int status = $lt_dlunknown;
 
+  if (self)
+    {
+      if (dlsym (self,"fnord"))       status = $lt_dlno_uscore;
+      else if (dlsym( self,"_fnord")) status = $lt_dlneed_uscore;
+      /* dlclose (self); */
+    }
+  else
+    puts (dlerror ());
 
-else
-  # If there is no Makefile yet, we rely on a make rule to execute
-  # `config.status --recheck' to rerun these tests and create the
-  # libtool script then.
-  ltmain_in=`echo $ltmain | sed -e 's/\.sh$/.in/'`
-  if test -f "$ltmain_in"; then
-    test -f Makefile && make "$ltmain"
+    exit (status);
+}
+_LT_EOF
+  if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && test -s conftest${ac_exeext} 2>/dev/null; then
+    (./conftest; exit; ) >&5 2>/dev/null
+    lt_status=$?
+    case x$lt_status in
+      x$lt_dlno_uscore) lt_cv_dlopen_self=yes ;;
+      x$lt_dlneed_uscore) lt_cv_dlopen_self=yes ;;
+      x$lt_dlunknown|x*) lt_cv_dlopen_self=no ;;
+    esac
+  else :
+    # compilation failed
+    lt_cv_dlopen_self=no
   fi
 fi
+rm -fr conftest*
 
 
-ac_ext=c
-ac_cpp='$CPP $CPPFLAGS'
-ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
-ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
-ac_compiler_gnu=$ac_cv_c_compiler_gnu
-
-CC=$lt_save_CC
-LDCXX=$LD
-LD=$lt_save_LD
-GCC=$lt_save_GCC
-with_gnu_ldcxx=$with_gnu_ld
-with_gnu_ld=$lt_save_with_gnu_ld
-lt_cv_path_LDCXX=$lt_cv_path_LD
-lt_cv_path_LD=$lt_save_path_LD
-lt_cv_prog_gnu_ldcxx=$lt_cv_prog_gnu_ld
-lt_cv_prog_gnu_ld=$lt_save_with_gnu_ld
+fi
+{ echo "$as_me:$LINENO: result: $lt_cv_dlopen_self" >&5
+echo "${ECHO_T}$lt_cv_dlopen_self" >&6; }
 
-	else
-	  tagname=""
-	fi
-	;;
+    if test "x$lt_cv_dlopen_self" = xyes; then
+      wl=$lt_prog_compiler_wl eval LDFLAGS=\"\$LDFLAGS $lt_prog_compiler_static\"
+      { echo "$as_me:$LINENO: checking whether a statically linked program can dlopen itself" >&5
+echo $ECHO_N "checking whether a statically linked program can dlopen itself... $ECHO_C" >&6; }
+if test "${lt_cv_dlopen_self_static+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  	  if test "$cross_compiling" = yes; then :
+  lt_cv_dlopen_self_static=cross
+else
+  lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
+  lt_status=$lt_dlunknown
+  cat > conftest.$ac_ext <<_LT_EOF
+#line 12233 "configure"
+#include "confdefs.h"
 
-      F77)
-	if test -n "$F77" && test "X$F77" != "Xno"; then
-
-ac_ext=f
-ac_compile='$F77 -c $FFLAGS conftest.$ac_ext >&5'
-ac_link='$F77 -o conftest$ac_exeext $FFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
-ac_compiler_gnu=$ac_cv_f77_compiler_gnu
-
-
-archive_cmds_need_lc_F77=no
-allow_undefined_flag_F77=
-always_export_symbols_F77=no
-archive_expsym_cmds_F77=
-export_dynamic_flag_spec_F77=
-hardcode_direct_F77=no
-hardcode_libdir_flag_spec_F77=
-hardcode_libdir_flag_spec_ld_F77=
-hardcode_libdir_separator_F77=
-hardcode_minus_L_F77=no
-hardcode_automatic_F77=no
-module_cmds_F77=
-module_expsym_cmds_F77=
-link_all_deplibs_F77=unknown
-old_archive_cmds_F77=$old_archive_cmds
-no_undefined_flag_F77=
-whole_archive_flag_spec_F77=
-enable_shared_with_static_runtimes_F77=no
-
-# Source file extension for f77 test sources.
-ac_ext=f
-
-# Object file extension for compiled f77 test sources.
-objext=o
-objext_F77=$objext
+#if HAVE_DLFCN_H
+#include <dlfcn.h>
+#endif
 
-# Code to be used in simple compile tests
-lt_simple_compile_test_code="\
-      subroutine t
-      return
-      end
-"
+#include <stdio.h>
 
-# Code to be used in simple link tests
-lt_simple_link_test_code="\
-      program t
-      end
-"
+#ifdef RTLD_GLOBAL
+#  define LT_DLGLOBAL		RTLD_GLOBAL
+#else
+#  ifdef DL_GLOBAL
+#    define LT_DLGLOBAL		DL_GLOBAL
+#  else
+#    define LT_DLGLOBAL		0
+#  endif
+#endif
 
-# ltmain only uses $CC for tagged configurations so make sure $CC is set.
+/* We may have to define LT_DLLAZY_OR_NOW in the command line if we
+   find out it does not work in some platform. */
+#ifndef LT_DLLAZY_OR_NOW
+#  ifdef RTLD_LAZY
+#    define LT_DLLAZY_OR_NOW		RTLD_LAZY
+#  else
+#    ifdef DL_LAZY
+#      define LT_DLLAZY_OR_NOW		DL_LAZY
+#    else
+#      ifdef RTLD_NOW
+#        define LT_DLLAZY_OR_NOW	RTLD_NOW
+#      else
+#        ifdef DL_NOW
+#          define LT_DLLAZY_OR_NOW	DL_NOW
+#        else
+#          define LT_DLLAZY_OR_NOW	0
+#        endif
+#      endif
+#    endif
+#  endif
+#endif
 
-# If no C compiler was specified, use CC.
-LTCC=${LTCC-"$CC"}
+#ifdef __cplusplus
+extern "C" void exit (int);
+#endif
 
-# If no C compiler flags were specified, use CFLAGS.
-LTCFLAGS=${LTCFLAGS-"$CFLAGS"}
+void fnord() { int i=42;}
+int main ()
+{
+  void *self = dlopen (0, LT_DLGLOBAL|LT_DLLAZY_OR_NOW);
+  int status = $lt_dlunknown;
 
-# Allow CC to be a program name with arguments.
-compiler=$CC
+  if (self)
+    {
+      if (dlsym (self,"fnord"))       status = $lt_dlno_uscore;
+      else if (dlsym( self,"_fnord")) status = $lt_dlneed_uscore;
+      /* dlclose (self); */
+    }
+  else
+    puts (dlerror ());
 
+    exit (status);
+}
+_LT_EOF
+  if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && test -s conftest${ac_exeext} 2>/dev/null; then
+    (./conftest; exit; ) >&5 2>/dev/null
+    lt_status=$?
+    case x$lt_status in
+      x$lt_dlno_uscore) lt_cv_dlopen_self_static=yes ;;
+      x$lt_dlneed_uscore) lt_cv_dlopen_self_static=yes ;;
+      x$lt_dlunknown|x*) lt_cv_dlopen_self_static=no ;;
+    esac
+  else :
+    # compilation failed
+    lt_cv_dlopen_self_static=no
+  fi
+fi
+rm -fr conftest*
 
-# save warnings/boilerplate of simple test code
-ac_outfile=conftest.$ac_objext
-echo "$lt_simple_compile_test_code" >conftest.$ac_ext
-eval "$ac_compile" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err
-_lt_compiler_boilerplate=`cat conftest.err`
-$rm conftest*
 
-ac_outfile=conftest.$ac_objext
-echo "$lt_simple_link_test_code" >conftest.$ac_ext
-eval "$ac_link" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err
-_lt_linker_boilerplate=`cat conftest.err`
-$rm -r conftest*
+fi
+{ echo "$as_me:$LINENO: result: $lt_cv_dlopen_self_static" >&5
+echo "${ECHO_T}$lt_cv_dlopen_self_static" >&6; }
+    fi
 
+    CPPFLAGS="$save_CPPFLAGS"
+    LDFLAGS="$save_LDFLAGS"
+    LIBS="$save_LIBS"
+    ;;
+  esac
 
-# Allow CC to be a program name with arguments.
-lt_save_CC="$CC"
-CC=${F77-"f77"}
-compiler=$CC
-compiler_F77=$CC
-for cc_temp in $compiler""; do
-  case $cc_temp in
-    compile | *[\\/]compile | ccache | *[\\/]ccache ) ;;
-    distcc | *[\\/]distcc | purify | *[\\/]purify ) ;;
-    \-*) ;;
-    *) break;;
+  case $lt_cv_dlopen_self in
+  yes|no) enable_dlopen_self=$lt_cv_dlopen_self ;;
+  *) enable_dlopen_self=unknown ;;
   esac
-done
-cc_basename=`$echo "X$cc_temp" | $Xsed -e 's%.*/%%' -e "s%^$host_alias-%%"`
 
+  case $lt_cv_dlopen_self_static in
+  yes|no) enable_dlopen_self_static=$lt_cv_dlopen_self_static ;;
+  *) enable_dlopen_self_static=unknown ;;
+  esac
+fi
 
-{ echo "$as_me:$LINENO: checking if libtool supports shared libraries" >&5
-echo $ECHO_N "checking if libtool supports shared libraries... $ECHO_C" >&6; }
-{ echo "$as_me:$LINENO: result: $can_build_shared" >&5
-echo "${ECHO_T}$can_build_shared" >&6; }
 
-{ echo "$as_me:$LINENO: checking whether to build shared libraries" >&5
-echo $ECHO_N "checking whether to build shared libraries... $ECHO_C" >&6; }
-test "$can_build_shared" = "no" && enable_shared=no
 
-# On AIX, shared libraries and static libraries use the same namespace, and
-# are all built from PIC.
-case $host_os in
-aix3*)
-  test "$enable_shared" = yes && enable_static=no
-  if test -n "$RANLIB"; then
-    archive_cmds="$archive_cmds~\$RANLIB \$lib"
-    postinstall_cmds='$RANLIB $lib'
-  fi
-  ;;
-aix[4-9]*)
-  if test "$host_cpu" != ia64 && test "$aix_use_runtimelinking" = no ; then
-    test "$enable_shared" = yes && enable_static=no
-  fi
-  ;;
-esac
-{ echo "$as_me:$LINENO: result: $enable_shared" >&5
-echo "${ECHO_T}$enable_shared" >&6; }
 
-{ echo "$as_me:$LINENO: checking whether to build static libraries" >&5
-echo $ECHO_N "checking whether to build static libraries... $ECHO_C" >&6; }
-# Make sure either enable_shared or enable_static is yes.
-test "$enable_shared" = yes || enable_static=yes
-{ echo "$as_me:$LINENO: result: $enable_static" >&5
-echo "${ECHO_T}$enable_static" >&6; }
 
-GCC_F77="$G77"
-LD_F77="$LD"
 
-lt_prog_compiler_wl_F77=
-lt_prog_compiler_pic_F77=
-lt_prog_compiler_static_F77=
 
-{ echo "$as_me:$LINENO: checking for $compiler option to produce PIC" >&5
-echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6; }
 
-  if test "$GCC" = yes; then
-    lt_prog_compiler_wl_F77='-Wl,'
-    lt_prog_compiler_static_F77='-static'
 
-    case $host_os in
-      aix*)
-      # All AIX code is PIC.
-      if test "$host_cpu" = ia64; then
-	# AIX 5 now supports IA64 processor
-	lt_prog_compiler_static_F77='-Bstatic'
-      fi
-      ;;
 
-    amigaos*)
-      # FIXME: we need at least 68020 code to build shared libraries, but
-      # adding the `-m68020' flag to GCC prevents building anything better,
-      # like `-m68040'.
-      lt_prog_compiler_pic_F77='-m68020 -resident32 -malways-restore-a4'
-      ;;
 
-    beos* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*)
-      # PIC is the default for these OSes.
-      ;;
 
-    mingw* | cygwin* | pw32* | os2*)
-      # This hack is so that the source file can tell whether it is being
-      # built for inclusion in a dll (and should export symbols for example).
-      # Although the cygwin gcc ignores -fPIC, still need this for old-style
-      # (--disable-auto-import) libraries
-      lt_prog_compiler_pic_F77='-DDLL_EXPORT'
-      ;;
 
-    darwin* | rhapsody*)
-      # PIC is the default on this platform
-      # Common symbols not allowed in MH_DYLIB files
-      lt_prog_compiler_pic_F77='-fno-common'
-      ;;
 
-    interix[3-9]*)
-      # Interix 3.x gcc -fpic/-fPIC options generate broken code.
-      # Instead, we relocate shared libraries at runtime.
-      ;;
 
-    msdosdjgpp*)
-      # Just because we use GCC doesn't mean we suddenly get shared libraries
-      # on systems that don't support them.
-      lt_prog_compiler_can_build_shared_F77=no
-      enable_shared=no
-      ;;
 
-    sysv4*MP*)
-      if test -d /usr/nec; then
-	lt_prog_compiler_pic_F77=-Kconform_pic
-      fi
-      ;;
 
-    hpux*)
-      # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but
-      # not for PA HP-UX.
-      case $host_cpu in
-      hppa*64*|ia64*)
-	# +Z the default
-	;;
-      *)
-	lt_prog_compiler_pic_F77='-fPIC'
-	;;
-      esac
-      ;;
+striplib=
+old_striplib=
+{ echo "$as_me:$LINENO: checking whether stripping libraries is possible" >&5
+echo $ECHO_N "checking whether stripping libraries is possible... $ECHO_C" >&6; }
+if test -n "$STRIP" && $STRIP -V 2>&1 | $GREP "GNU strip" >/dev/null; then
+  test -z "$old_striplib" && old_striplib="$STRIP --strip-debug"
+  test -z "$striplib" && striplib="$STRIP --strip-unneeded"
+  { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
+else
+# FIXME - insert some real tests, host_os isn't really good enough
+  case $host_os in
+  darwin*)
+    if test -n "$STRIP" ; then
+      striplib="$STRIP -x"
+      old_striplib="$STRIP -S"
+      { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
+    else
+      { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+    fi
+    ;;
+  *)
+    { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+    ;;
+  esac
+fi
 
-    *)
-      lt_prog_compiler_pic_F77='-fPIC'
-      ;;
-    esac
-  else
-    # PORTME Check for flag to pass linker flags through the system compiler.
-    case $host_os in
-    aix*)
-      lt_prog_compiler_wl_F77='-Wl,'
-      if test "$host_cpu" = ia64; then
-	# AIX 5 now supports IA64 processor
-	lt_prog_compiler_static_F77='-Bstatic'
-      else
-	lt_prog_compiler_static_F77='-bnso -bI:/lib/syscalls.exp'
-      fi
-      ;;
-      darwin*)
-        # PIC is the default on this platform
-        # Common symbols not allowed in MH_DYLIB files
-       case $cc_basename in
-         xlc*)
-         lt_prog_compiler_pic_F77='-qnocommon'
-         lt_prog_compiler_wl_F77='-Wl,'
-         ;;
-       esac
-       ;;
 
-    mingw* | cygwin* | pw32* | os2*)
-      # This hack is so that the source file can tell whether it is being
-      # built for inclusion in a dll (and should export symbols for example).
-      lt_prog_compiler_pic_F77='-DDLL_EXPORT'
-      ;;
 
-    hpux9* | hpux10* | hpux11*)
-      lt_prog_compiler_wl_F77='-Wl,'
-      # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but
-      # not for PA HP-UX.
-      case $host_cpu in
-      hppa*64*|ia64*)
-	# +Z the default
-	;;
-      *)
-	lt_prog_compiler_pic_F77='+Z'
-	;;
-      esac
-      # Is there a better lt_prog_compiler_static that works with the bundled CC?
-      lt_prog_compiler_static_F77='${wl}-a ${wl}archive'
-      ;;
 
-    irix5* | irix6* | nonstopux*)
-      lt_prog_compiler_wl_F77='-Wl,'
-      # PIC (with -KPIC) is the default.
-      lt_prog_compiler_static_F77='-non_shared'
-      ;;
 
-    newsos6)
-      lt_prog_compiler_pic_F77='-KPIC'
-      lt_prog_compiler_static_F77='-Bstatic'
-      ;;
 
-    linux* | k*bsd*-gnu)
-      case $cc_basename in
-      icc* | ecc*)
-	lt_prog_compiler_wl_F77='-Wl,'
-	lt_prog_compiler_pic_F77='-KPIC'
-	lt_prog_compiler_static_F77='-static'
-        ;;
-      pgcc* | pgf77* | pgf90* | pgf95*)
-        # Portland Group compilers (*not* the Pentium gcc compiler,
-	# which looks to be a dead project)
-	lt_prog_compiler_wl_F77='-Wl,'
-	lt_prog_compiler_pic_F77='-fpic'
-	lt_prog_compiler_static_F77='-Bstatic'
-        ;;
-      ccc*)
-        lt_prog_compiler_wl_F77='-Wl,'
-        # All Alpha code is PIC.
-        lt_prog_compiler_static_F77='-non_shared'
-        ;;
-      *)
-        case `$CC -V 2>&1 | sed 5q` in
-	*Sun\ C*)
-	  # Sun C 5.9
-	  lt_prog_compiler_pic_F77='-KPIC'
-	  lt_prog_compiler_static_F77='-Bstatic'
-	  lt_prog_compiler_wl_F77='-Wl,'
-	  ;;
-	*Sun\ F*)
-	  # Sun Fortran 8.3 passes all unrecognized flags to the linker
-	  lt_prog_compiler_pic_F77='-KPIC'
-	  lt_prog_compiler_static_F77='-Bstatic'
-	  lt_prog_compiler_wl_F77=''
-	  ;;
-	esac
-	;;
-      esac
-      ;;
 
-    osf3* | osf4* | osf5*)
-      lt_prog_compiler_wl_F77='-Wl,'
-      # All OSF/1 code is PIC.
-      lt_prog_compiler_static_F77='-non_shared'
-      ;;
 
-    rdos*)
-      lt_prog_compiler_static_F77='-non_shared'
-      ;;
 
-    solaris*)
-      lt_prog_compiler_pic_F77='-KPIC'
-      lt_prog_compiler_static_F77='-Bstatic'
-      case $cc_basename in
-      f77* | f90* | f95*)
-	lt_prog_compiler_wl_F77='-Qoption ld ';;
-      *)
-	lt_prog_compiler_wl_F77='-Wl,';;
-      esac
-      ;;
 
-    sunos4*)
-      lt_prog_compiler_wl_F77='-Qoption ld '
-      lt_prog_compiler_pic_F77='-PIC'
-      lt_prog_compiler_static_F77='-Bstatic'
-      ;;
 
-    sysv4 | sysv4.2uw2* | sysv4.3*)
-      lt_prog_compiler_wl_F77='-Wl,'
-      lt_prog_compiler_pic_F77='-KPIC'
-      lt_prog_compiler_static_F77='-Bstatic'
-      ;;
 
-    sysv4*MP*)
-      if test -d /usr/nec ;then
-	lt_prog_compiler_pic_F77='-Kconform_pic'
-	lt_prog_compiler_static_F77='-Bstatic'
-      fi
-      ;;
+  # Report which library types will actually be built
+  { echo "$as_me:$LINENO: checking if libtool supports shared libraries" >&5
+echo $ECHO_N "checking if libtool supports shared libraries... $ECHO_C" >&6; }
+  { echo "$as_me:$LINENO: result: $can_build_shared" >&5
+echo "${ECHO_T}$can_build_shared" >&6; }
 
-    sysv5* | unixware* | sco3.2v5* | sco5v6* | OpenUNIX*)
-      lt_prog_compiler_wl_F77='-Wl,'
-      lt_prog_compiler_pic_F77='-KPIC'
-      lt_prog_compiler_static_F77='-Bstatic'
-      ;;
+  { echo "$as_me:$LINENO: checking whether to build shared libraries" >&5
+echo $ECHO_N "checking whether to build shared libraries... $ECHO_C" >&6; }
+  test "$can_build_shared" = "no" && enable_shared=no
 
-    unicos*)
-      lt_prog_compiler_wl_F77='-Wl,'
-      lt_prog_compiler_can_build_shared_F77=no
-      ;;
+  # On AIX, shared libraries and static libraries use the same namespace, and
+  # are all built from PIC.
+  case $host_os in
+  aix3*)
+    test "$enable_shared" = yes && enable_static=no
+    if test -n "$RANLIB"; then
+      archive_cmds="$archive_cmds~\$RANLIB \$lib"
+      postinstall_cmds='$RANLIB $lib'
+    fi
+    ;;
 
-    uts4*)
-      lt_prog_compiler_pic_F77='-pic'
-      lt_prog_compiler_static_F77='-Bstatic'
-      ;;
+  aix[4-9]*)
+    if test "$host_cpu" != ia64 && test "$aix_use_runtimelinking" = no ; then
+      test "$enable_shared" = yes && enable_static=no
+    fi
+    ;;
+  esac
+  { echo "$as_me:$LINENO: result: $enable_shared" >&5
+echo "${ECHO_T}$enable_shared" >&6; }
 
-    *)
-      lt_prog_compiler_can_build_shared_F77=no
-      ;;
-    esac
-  fi
+  { echo "$as_me:$LINENO: checking whether to build static libraries" >&5
+echo $ECHO_N "checking whether to build static libraries... $ECHO_C" >&6; }
+  # Make sure either enable_shared or enable_static is yes.
+  test "$enable_shared" = yes || enable_static=yes
+  { echo "$as_me:$LINENO: result: $enable_static" >&5
+echo "${ECHO_T}$enable_static" >&6; }
 
-{ echo "$as_me:$LINENO: result: $lt_prog_compiler_pic_F77" >&5
-echo "${ECHO_T}$lt_prog_compiler_pic_F77" >&6; }
 
-#
-# Check to make sure the PIC flag actually works.
-#
-if test -n "$lt_prog_compiler_pic_F77"; then
 
-{ echo "$as_me:$LINENO: checking if $compiler PIC flag $lt_prog_compiler_pic_F77 works" >&5
-echo $ECHO_N "checking if $compiler PIC flag $lt_prog_compiler_pic_F77 works... $ECHO_C" >&6; }
-if test "${lt_cv_prog_compiler_pic_works_F77+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  lt_cv_prog_compiler_pic_works_F77=no
-  ac_outfile=conftest.$ac_objext
-   echo "$lt_simple_compile_test_code" > conftest.$ac_ext
-   lt_compiler_flag="$lt_prog_compiler_pic_F77"
-   # Insert the option either (1) after the last *FLAGS variable, or
-   # (2) before a word containing "conftest.", or (3) at the end.
-   # Note that $ac_compile itself does not contain backslashes and begins
-   # with a dollar sign (not a hyphen), so the echo should work correctly.
-   # The option is referenced via a variable to avoid confusing sed.
-   lt_compile=`echo "$ac_compile" | $SED \
-   -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-   -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-   -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:15973: $lt_compile\"" >&5)
-   (eval "$lt_compile" 2>conftest.err)
-   ac_status=$?
-   cat conftest.err >&5
-   echo "$as_me:15977: \$? = $ac_status" >&5
-   if (exit $ac_status) && test -s "$ac_outfile"; then
-     # The compiler can only warn and ignore the option if not recognized
-     # So say no if there are warnings other than the usual output.
-     $echo "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' >conftest.exp
-     $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2
-     if test ! -s conftest.er2 || diff conftest.exp conftest.er2 >/dev/null; then
-       lt_cv_prog_compiler_pic_works_F77=yes
-     fi
-   fi
-   $rm conftest*
 
 fi
-{ echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_pic_works_F77" >&5
-echo "${ECHO_T}$lt_cv_prog_compiler_pic_works_F77" >&6; }
+ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
 
-if test x"$lt_cv_prog_compiler_pic_works_F77" = xyes; then
-    case $lt_prog_compiler_pic_F77 in
-     "" | " "*) ;;
-     *) lt_prog_compiler_pic_F77=" $lt_prog_compiler_pic_F77" ;;
-     esac
-else
-    lt_prog_compiler_pic_F77=
-     lt_prog_compiler_can_build_shared_F77=no
-fi
+CC="$lt_save_CC"
 
-fi
-case $host_os in
-  # For platforms which do not support PIC, -DPIC is meaningless:
-  *djgpp*)
-    lt_prog_compiler_pic_F77=
-    ;;
-  *)
-    lt_prog_compiler_pic_F77="$lt_prog_compiler_pic_F77"
-    ;;
-esac
 
-#
-# Check to make sure the static flag actually works.
-#
-wl=$lt_prog_compiler_wl_F77 eval lt_tmp_static_flag=\"$lt_prog_compiler_static_F77\"
-{ echo "$as_me:$LINENO: checking if $compiler static flag $lt_tmp_static_flag works" >&5
-echo $ECHO_N "checking if $compiler static flag $lt_tmp_static_flag works... $ECHO_C" >&6; }
-if test "${lt_cv_prog_compiler_static_works_F77+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  lt_cv_prog_compiler_static_works_F77=no
-   save_LDFLAGS="$LDFLAGS"
-   LDFLAGS="$LDFLAGS $lt_tmp_static_flag"
-   echo "$lt_simple_link_test_code" > conftest.$ac_ext
-   if (eval $ac_link 2>conftest.err) && test -s conftest$ac_exeext; then
-     # The linker can only warn and ignore the option if not recognized
-     # So say no if there are warnings
-     if test -s conftest.err; then
-       # Append any errors to the config.log.
-       cat conftest.err 1>&5
-       $echo "X$_lt_linker_boilerplate" | $Xsed -e '/^$/d' > conftest.exp
-       $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2
-       if diff conftest.exp conftest.er2 >/dev/null; then
-         lt_cv_prog_compiler_static_works_F77=yes
-       fi
-     else
-       lt_cv_prog_compiler_static_works_F77=yes
-     fi
-   fi
-   $rm -r conftest*
-   LDFLAGS="$save_LDFLAGS"
-
-fi
-{ echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_static_works_F77" >&5
-echo "${ECHO_T}$lt_cv_prog_compiler_static_works_F77" >&6; }
 
-if test x"$lt_cv_prog_compiler_static_works_F77" = xyes; then
-    :
-else
-    lt_prog_compiler_static_F77=
-fi
 
 
-{ echo "$as_me:$LINENO: checking if $compiler supports -c -o file.$ac_objext" >&5
-echo $ECHO_N "checking if $compiler supports -c -o file.$ac_objext... $ECHO_C" >&6; }
-if test "${lt_cv_prog_compiler_c_o_F77+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  lt_cv_prog_compiler_c_o_F77=no
-   $rm -r conftest 2>/dev/null
-   mkdir conftest
-   cd conftest
-   mkdir out
-   echo "$lt_simple_compile_test_code" > conftest.$ac_ext
 
-   lt_compiler_flag="-o out/conftest2.$ac_objext"
-   # Insert the option either (1) after the last *FLAGS variable, or
-   # (2) before a word containing "conftest.", or (3) at the end.
-   # Note that $ac_compile itself does not contain backslashes and begins
-   # with a dollar sign (not a hyphen), so the echo should work correctly.
-   lt_compile=`echo "$ac_compile" | $SED \
-   -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-   -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-   -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:16077: $lt_compile\"" >&5)
-   (eval "$lt_compile" 2>out/conftest.err)
-   ac_status=$?
-   cat out/conftest.err >&5
-   echo "$as_me:16081: \$? = $ac_status" >&5
-   if (exit $ac_status) && test -s out/conftest2.$ac_objext
-   then
-     # The compiler can only warn and ignore the option if not recognized
-     # So say no if there are warnings
-     $echo "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' > out/conftest.exp
-     $SED '/^$/d; /^ *+/d' out/conftest.err >out/conftest.er2
-     if test ! -s out/conftest.er2 || diff out/conftest.exp out/conftest.er2 >/dev/null; then
-       lt_cv_prog_compiler_c_o_F77=yes
-     fi
-   fi
-   chmod u+w . 2>&5
-   $rm conftest*
-   # SGI C++ compiler will create directory out/ii_files/ for
-   # template instantiation
-   test -d out/ii_files && $rm out/ii_files/* && rmdir out/ii_files
-   $rm out/* && rmdir out
-   cd ..
-   rmdir conftest
-   $rm conftest*
 
-fi
-{ echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_c_o_F77" >&5
-echo "${ECHO_T}$lt_cv_prog_compiler_c_o_F77" >&6; }
 
 
-hard_links="nottested"
-if test "$lt_cv_prog_compiler_c_o_F77" = no && test "$need_locks" != no; then
-  # do not overwrite the value of need_locks provided by the user
-  { echo "$as_me:$LINENO: checking if we can lock with hard links" >&5
-echo $ECHO_N "checking if we can lock with hard links... $ECHO_C" >&6; }
-  hard_links=yes
-  $rm conftest*
-  ln conftest.a conftest.b 2>/dev/null && hard_links=no
-  touch conftest.a
-  ln conftest.a conftest.b 2>&5 || hard_links=no
-  ln conftest.a conftest.b 2>/dev/null && hard_links=no
-  { echo "$as_me:$LINENO: result: $hard_links" >&5
-echo "${ECHO_T}$hard_links" >&6; }
-  if test "$hard_links" = no; then
-    { echo "$as_me:$LINENO: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&5
-echo "$as_me: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&2;}
-    need_locks=warn
-  fi
-else
-  need_locks=no
-fi
 
-{ echo "$as_me:$LINENO: checking whether the $compiler linker ($LD) supports shared libraries" >&5
-echo $ECHO_N "checking whether the $compiler linker ($LD) supports shared libraries... $ECHO_C" >&6; }
 
-  runpath_var=
-  allow_undefined_flag_F77=
-  enable_shared_with_static_runtimes_F77=no
-  archive_cmds_F77=
-  archive_expsym_cmds_F77=
-  old_archive_From_new_cmds_F77=
-  old_archive_from_expsyms_cmds_F77=
-  export_dynamic_flag_spec_F77=
-  whole_archive_flag_spec_F77=
-  thread_safe_flag_spec_F77=
-  hardcode_libdir_flag_spec_F77=
-  hardcode_libdir_flag_spec_ld_F77=
-  hardcode_libdir_separator_F77=
-  hardcode_direct_F77=no
-  hardcode_minus_L_F77=no
-  hardcode_shlibpath_var_F77=unsupported
-  link_all_deplibs_F77=unknown
-  hardcode_automatic_F77=no
-  module_cmds_F77=
-  module_expsym_cmds_F77=
-  always_export_symbols_F77=no
-  export_symbols_cmds_F77='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols'
-  # include_expsyms should be a list of space-separated symbols to be *always*
-  # included in the symbol list
-  include_expsyms_F77=
-  # exclude_expsyms can be an extended regexp of symbols to exclude
-  # it will be wrapped by ` (' and `)$', so one must not match beginning or
-  # end of line.  Example: `a|bc|.*d.*' will exclude the symbols `a' and `bc',
-  # as well as any symbol that contains `d'.
-  exclude_expsyms_F77='_GLOBAL_OFFSET_TABLE_|_GLOBAL__F[ID]_.*'
-  # Although _GLOBAL_OFFSET_TABLE_ is a valid symbol C name, most a.out
-  # platforms (ab)use it in PIC code, but their linkers get confused if
-  # the symbol is explicitly referenced.  Since portable code cannot
-  # rely on this symbol name, it's probably fine to never include it in
-  # preloaded symbol tables.
-  # Exclude shared library initialization/finalization symbols.
-  extract_expsyms_cmds=
-  # Just being paranoid about ensuring that cc_basename is set.
-  for cc_temp in $compiler""; do
-  case $cc_temp in
-    compile | *[\\/]compile | ccache | *[\\/]ccache ) ;;
-    distcc | *[\\/]distcc | purify | *[\\/]purify ) ;;
-    \-*) ;;
-    *) break;;
-  esac
-done
-cc_basename=`$echo "X$cc_temp" | $Xsed -e 's%.*/%%' -e "s%^$host_alias-%%"`
 
-  case $host_os in
-  cygwin* | mingw* | pw32*)
-    # FIXME: the MSVC++ port hasn't been tested in a loooong time
-    # When not using gcc, we currently assume that we are using
-    # Microsoft Visual C++.
-    if test "$GCC" != yes; then
-      with_gnu_ld=no
-    fi
-    ;;
-  interix*)
-    # we just hope/assume this is gcc and not c89 (= MSVC++)
-    with_gnu_ld=yes
-    ;;
-  openbsd*)
-    with_gnu_ld=no
-    ;;
-  esac
 
-  ld_shlibs_F77=yes
-  if test "$with_gnu_ld" = yes; then
-    # If archive_cmds runs LD, not CC, wlarc should be empty
-    wlarc='${wl}'
+        ac_config_commands="$ac_config_commands libtool"
 
-    # Set some defaults for GNU ld with shared library support. These
-    # are reset later if shared libraries are not supported. Putting them
-    # here allows them to be overridden if necessary.
-    runpath_var=LD_RUN_PATH
-    hardcode_libdir_flag_spec_F77='${wl}--rpath ${wl}$libdir'
-    export_dynamic_flag_spec_F77='${wl}--export-dynamic'
-    # ancient GNU ld didn't support --whole-archive et. al.
-    if $LD --help 2>&1 | grep 'no-whole-archive' > /dev/null; then
-	whole_archive_flag_spec_F77="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive'
-      else
-  	whole_archive_flag_spec_F77=
-    fi
-    supports_anon_versioning=no
-    case `$LD -v 2>/dev/null` in
-      *\ [01].* | *\ 2.[0-9].* | *\ 2.10.*) ;; # catch versions < 2.11
-      *\ 2.11.93.0.2\ *) supports_anon_versioning=yes ;; # RH7.3 ...
-      *\ 2.11.92.0.12\ *) supports_anon_versioning=yes ;; # Mandrake 8.2 ...
-      *\ 2.11.*) ;; # other 2.11 versions
-      *) supports_anon_versioning=yes ;;
-    esac
 
-    # See if GNU ld supports shared libraries.
-    case $host_os in
-    aix[3-9]*)
-      # On AIX/PPC, the GNU linker is very broken
-      if test "$host_cpu" != ia64; then
-	ld_shlibs_F77=no
-	cat <<EOF 1>&2
 
-*** Warning: the GNU linker, at least up to release 2.9.1, is reported
-*** to be unable to reliably create shared libraries on AIX.
-*** Therefore, libtool is disabling shared libraries support.  If you
-*** really care for shared libraries, you may want to modify your PATH
-*** so that a non-GNU linker is found, and then restart.
 
-EOF
-      fi
-      ;;
+# Only expand once:
 
-    amigaos*)
-      archive_cmds_F77='$rm $output_objdir/a2ixlibrary.data~$echo "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$echo "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$echo "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$echo "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)'
-      hardcode_libdir_flag_spec_F77='-L$libdir'
-      hardcode_minus_L_F77=yes
-
-      # Samuel A. Falvo II <kc5tja@dolphin.openprojects.net> reports
-      # that the semantics of dynamic libraries on AmigaOS, at least up
-      # to version 4, is to share data among multiple programs linked
-      # with the same dynamic library.  Since this doesn't match the
-      # behavior of shared libraries on other platforms, we can't use
-      # them.
-      ld_shlibs_F77=no
-      ;;
 
-    beos*)
-      if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
-	allow_undefined_flag_F77=unsupported
-	# Joseph Beckenbach <jrb3@best.com> says some releases of gcc
-	# support --undefined.  This deserves some investigation.  FIXME
-	archive_cmds_F77='$CC -nostart $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
-      else
-	ld_shlibs_F77=no
-      fi
-      ;;
+for ac_prog in flex lex
+do
+  # Extract the first word of "$ac_prog", so it can be a program name with args.
+set dummy $ac_prog; ac_word=$2
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+if test "${ac_cv_prog_LEX+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  if test -n "$LEX"; then
+  ac_cv_prog_LEX="$LEX" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+  for ac_exec_ext in '' $ac_executable_extensions; do
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+    ac_cv_prog_LEX="$ac_prog"
+    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+done
+IFS=$as_save_IFS
 
-    cygwin* | mingw* | pw32*)
-      # _LT_AC_TAGVAR(hardcode_libdir_flag_spec, F77) is actually meaningless,
-      # as there is no search path for DLLs.
-      hardcode_libdir_flag_spec_F77='-L$libdir'
-      allow_undefined_flag_F77=unsupported
-      always_export_symbols_F77=no
-      enable_shared_with_static_runtimes_F77=yes
-      export_symbols_cmds_F77='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[BCDGRS][ ]/s/.*[ ]\([^ ]*\)/\1 DATA/'\'' -e '\''/^[AITW][ ]/s/.*[ ]//'\'' | sort | uniq > $export_symbols'
-
-      if $LD --help 2>&1 | grep 'auto-import' > /dev/null; then
-        archive_cmds_F77='$CC -shared $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
-	# If the export-symbols file already is a .def file (1st line
-	# is EXPORTS), use it as is; otherwise, prepend...
-	archive_expsym_cmds_F77='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then
-	  cp $export_symbols $output_objdir/$soname.def;
-	else
-	  echo EXPORTS > $output_objdir/$soname.def;
-	  cat $export_symbols >> $output_objdir/$soname.def;
-	fi~
-	$CC -shared $output_objdir/$soname.def $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
-      else
-	ld_shlibs_F77=no
-      fi
-      ;;
+fi
+fi
+LEX=$ac_cv_prog_LEX
+if test -n "$LEX"; then
+  { echo "$as_me:$LINENO: result: $LEX" >&5
+echo "${ECHO_T}$LEX" >&6; }
+else
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
 
-    interix[3-9]*)
-      hardcode_direct_F77=no
-      hardcode_shlibpath_var_F77=no
-      hardcode_libdir_flag_spec_F77='${wl}-rpath,$libdir'
-      export_dynamic_flag_spec_F77='${wl}-E'
-      # Hack: On Interix 3.x, we cannot compile PIC because of a broken gcc.
-      # Instead, shared libraries are loaded at an image base (0x10000000 by
-      # default) and relocated if they conflict, which is a slow very memory
-      # consuming and fragmenting process.  To avoid this, we pick a random,
-      # 256 KiB-aligned image base between 0x50000000 and 0x6FFC0000 at link
-      # time.  Moving up from 0x10000000 also allows more sbrk(2) space.
-      archive_cmds_F77='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
-      archive_expsym_cmds_F77='sed "s,^,_," $export_symbols >$output_objdir/$soname.expsym~$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--retain-symbols-file,$output_objdir/$soname.expsym ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
-      ;;
 
-    gnu* | linux* | k*bsd*-gnu)
-      if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
-	tmp_addflag=
-	case $cc_basename,$host_cpu in
-	pgcc*)				# Portland Group C compiler
-	  whole_archive_flag_spec_F77='${wl}--whole-archive`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}--no-whole-archive'
-	  tmp_addflag=' $pic_flag'
-	  ;;
-	pgf77* | pgf90* | pgf95*)	# Portland Group f77 and f90 compilers
-	  whole_archive_flag_spec_F77='${wl}--whole-archive`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}--no-whole-archive'
-	  tmp_addflag=' $pic_flag -Mnomain' ;;
-	ecc*,ia64* | icc*,ia64*)		# Intel C compiler on ia64
-	  tmp_addflag=' -i_dynamic' ;;
-	efc*,ia64* | ifort*,ia64*)	# Intel Fortran compiler on ia64
-	  tmp_addflag=' -i_dynamic -nofor_main' ;;
-	ifc* | ifort*)			# Intel Fortran compiler
-	  tmp_addflag=' -nofor_main' ;;
-	esac
-	case `$CC -V 2>&1 | sed 5q` in
-	*Sun\ C*)			# Sun C 5.9
-	  whole_archive_flag_spec_F77='${wl}--whole-archive`new_convenience=; for conv in $convenience\"\"; do test -z \"$conv\" || new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}--no-whole-archive'
-	  tmp_sharedflag='-G' ;;
-	*Sun\ F*)			# Sun Fortran 8.3
-	  tmp_sharedflag='-G' ;;
-	*)
-	  tmp_sharedflag='-shared' ;;
-	esac
-	archive_cmds_F77='$CC '"$tmp_sharedflag""$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+  test -n "$LEX" && break
+done
+test -n "$LEX" || LEX=":"
 
-	if test $supports_anon_versioning = yes; then
-	  archive_expsym_cmds_F77='$echo "{ global:" > $output_objdir/$libname.ver~
-  cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~
-  $echo "local: *; };" >> $output_objdir/$libname.ver~
-	  $CC '"$tmp_sharedflag""$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-version-script ${wl}$output_objdir/$libname.ver -o $lib'
-	fi
-	link_all_deplibs_F77=no
-      else
-	ld_shlibs_F77=no
-      fi
-      ;;
+if test "x$LEX" != "x:"; then
+  cat >conftest.l <<_ACEOF
+%%
+a { ECHO; }
+b { REJECT; }
+c { yymore (); }
+d { yyless (1); }
+e { yyless (input () != 0); }
+f { unput (yytext[0]); }
+. { BEGIN INITIAL; }
+%%
+#ifdef YYTEXT_POINTER
+extern char *yytext;
+#endif
+int
+main (void)
+{
+  return ! yylex () + ! yywrap ();
+}
+_ACEOF
+{ (ac_try="$LEX conftest.l"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$LEX conftest.l") 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }
+{ echo "$as_me:$LINENO: checking lex output file root" >&5
+echo $ECHO_N "checking lex output file root... $ECHO_C" >&6; }
+if test "${ac_cv_prog_lex_root+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
 
-    netbsd* | netbsdelf*-gnu)
-      if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
-	archive_cmds_F77='$LD -Bshareable $libobjs $deplibs $linker_flags -o $lib'
-	wlarc=
-      else
-	archive_cmds_F77='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
-	archive_expsym_cmds_F77='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
-      fi
-      ;;
-
-    solaris*)
-      if $LD -v 2>&1 | grep 'BFD 2\.8' > /dev/null; then
-	ld_shlibs_F77=no
-	cat <<EOF 1>&2
-
-*** Warning: The releases 2.8.* of the GNU linker cannot reliably
-*** create shared libraries on Solaris systems.  Therefore, libtool
-*** is disabling shared libraries support.  We urge you to upgrade GNU
-*** binutils to release 2.9.1 or newer.  Another option is to modify
-*** your PATH or compiler configuration so that the native linker is
-*** used, and then restart.
-
-EOF
-      elif $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
-	archive_cmds_F77='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
-	archive_expsym_cmds_F77='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
-      else
-	ld_shlibs_F77=no
-      fi
-      ;;
-
-    sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX*)
-      case `$LD -v 2>&1` in
-        *\ [01].* | *\ 2.[0-9].* | *\ 2.1[0-5].*)
-	ld_shlibs_F77=no
-	cat <<_LT_EOF 1>&2
-
-*** Warning: Releases of the GNU linker prior to 2.16.91.0.3 can not
-*** reliably create shared libraries on SCO systems.  Therefore, libtool
-*** is disabling shared libraries support.  We urge you to upgrade GNU
-*** binutils to release 2.16.91.0.3 or newer.  Another option is to modify
-*** your PATH or compiler configuration so that the native linker is
-*** used, and then restart.
-
-_LT_EOF
-	;;
-	*)
-	  if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
-	    hardcode_libdir_flag_spec_F77='`test -z "$SCOABSPATH" && echo ${wl}-rpath,$libdir`'
-	    archive_cmds_F77='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib'
-	    archive_expsym_cmds_F77='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname,\${SCOABSPATH:+${install_libdir}/}$soname,-retain-symbols-file,$export_symbols -o $lib'
-	  else
-	    ld_shlibs_F77=no
-	  fi
-	;;
-      esac
-      ;;
-
-    sunos4*)
-      archive_cmds_F77='$LD -assert pure-text -Bshareable -o $lib $libobjs $deplibs $linker_flags'
-      wlarc=
-      hardcode_direct_F77=yes
-      hardcode_shlibpath_var_F77=no
-      ;;
-
-    *)
-      if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
-	archive_cmds_F77='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
-	archive_expsym_cmds_F77='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
-      else
-	ld_shlibs_F77=no
-      fi
-      ;;
-    esac
-
-    if test "$ld_shlibs_F77" = no; then
-      runpath_var=
-      hardcode_libdir_flag_spec_F77=
-      export_dynamic_flag_spec_F77=
-      whole_archive_flag_spec_F77=
-    fi
-  else
-    # PORTME fill in a description of your system's linker (not GNU ld)
-    case $host_os in
-    aix3*)
-      allow_undefined_flag_F77=unsupported
-      always_export_symbols_F77=yes
-      archive_expsym_cmds_F77='$LD -o $output_objdir/$soname $libobjs $deplibs $linker_flags -bE:$export_symbols -T512 -H512 -bM:SRE~$AR $AR_FLAGS $lib $output_objdir/$soname'
-      # Note: this linker hardcodes the directories in LIBPATH if there
-      # are no directories specified by -L.
-      hardcode_minus_L_F77=yes
-      if test "$GCC" = yes && test -z "$lt_prog_compiler_static"; then
-	# Neither direct hardcoding nor static linking is supported with a
-	# broken collect2.
-	hardcode_direct_F77=unsupported
-      fi
-      ;;
-
-    aix[4-9]*)
-      if test "$host_cpu" = ia64; then
-	# On IA64, the linker does run time linking by default, so we don't
-	# have to do anything special.
-	aix_use_runtimelinking=no
-	exp_sym_flag='-Bexport'
-	no_entry_flag=""
-      else
-	# If we're using GNU nm, then we don't want the "-C" option.
-	# -C means demangle to AIX nm, but means don't demangle with GNU nm
-	if $NM -V 2>&1 | grep 'GNU' > /dev/null; then
-	  export_symbols_cmds_F77='$NM -Bpg $libobjs $convenience | awk '\''{ if (((\$2 == "T") || (\$2 == "D") || (\$2 == "B")) && (substr(\$3,1,1) != ".")) { print \$3 } }'\'' | sort -u > $export_symbols'
-	else
-	  export_symbols_cmds_F77='$NM -BCpg $libobjs $convenience | awk '\''{ if (((\$2 == "T") || (\$2 == "D") || (\$2 == "B")) && (substr(\$3,1,1) != ".")) { print \$3 } }'\'' | sort -u > $export_symbols'
-	fi
-	aix_use_runtimelinking=no
-
-	# Test if we are trying to use run time linking or normal
-	# AIX style linking. If -brtl is somewhere in LDFLAGS, we
-	# need to do runtime linking.
-	case $host_os in aix4.[23]|aix4.[23].*|aix[5-9]*)
-	  for ld_flag in $LDFLAGS; do
-  	  if (test $ld_flag = "-brtl" || test $ld_flag = "-Wl,-brtl"); then
-  	    aix_use_runtimelinking=yes
-  	    break
-  	  fi
-	  done
-	  ;;
-	esac
-
-	exp_sym_flag='-bexport'
-	no_entry_flag='-bnoentry'
-      fi
-
-      # When large executables or shared objects are built, AIX ld can
-      # have problems creating the table of contents.  If linking a library
-      # or program results in "error TOC overflow" add -mminimal-toc to
-      # CXXFLAGS/CFLAGS for g++/gcc.  In the cases where that is not
-      # enough to fix the problem, add -Wl,-bbigtoc to LDFLAGS.
-
-      archive_cmds_F77=''
-      hardcode_direct_F77=yes
-      hardcode_libdir_separator_F77=':'
-      link_all_deplibs_F77=yes
-
-      if test "$GCC" = yes; then
-	case $host_os in aix4.[012]|aix4.[012].*)
-	# We only want to do this on AIX 4.2 and lower, the check
-	# below for broken collect2 doesn't work under 4.3+
-	  collect2name=`${CC} -print-prog-name=collect2`
-	  if test -f "$collect2name" && \
-  	   strings "$collect2name" | grep resolve_lib_name >/dev/null
-	  then
-  	  # We have reworked collect2
-  	  :
-	  else
-  	  # We have old collect2
-  	  hardcode_direct_F77=unsupported
-  	  # It fails to find uninstalled libraries when the uninstalled
-  	  # path is not listed in the libpath.  Setting hardcode_minus_L
-  	  # to unsupported forces relinking
-  	  hardcode_minus_L_F77=yes
-  	  hardcode_libdir_flag_spec_F77='-L$libdir'
-  	  hardcode_libdir_separator_F77=
-	  fi
-	  ;;
-	esac
-	shared_flag='-shared'
-	if test "$aix_use_runtimelinking" = yes; then
-	  shared_flag="$shared_flag "'${wl}-G'
-	fi
-      else
-	# not using gcc
-	if test "$host_cpu" = ia64; then
-  	# VisualAge C++, Version 5.5 for AIX 5L for IA-64, Beta 3 Release
-  	# chokes on -Wl,-G. The following line is correct:
-	  shared_flag='-G'
-	else
-	  if test "$aix_use_runtimelinking" = yes; then
-	    shared_flag='${wl}-G'
-	  else
-	    shared_flag='${wl}-bM:SRE'
-	  fi
-	fi
-      fi
+if test -f lex.yy.c; then
+  ac_cv_prog_lex_root=lex.yy
+elif test -f lexyy.c; then
+  ac_cv_prog_lex_root=lexyy
+else
+  { { echo "$as_me:$LINENO: error: cannot find output from $LEX; giving up" >&5
+echo "$as_me: error: cannot find output from $LEX; giving up" >&2;}
+   { (exit 1); exit 1; }; }
+fi
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_prog_lex_root" >&5
+echo "${ECHO_T}$ac_cv_prog_lex_root" >&6; }
+LEX_OUTPUT_ROOT=$ac_cv_prog_lex_root
 
-      # It seems that -bexpall does not export symbols beginning with
-      # underscore (_), so it is better to generate a list of symbols to export.
-      always_export_symbols_F77=yes
-      if test "$aix_use_runtimelinking" = yes; then
-	# Warning - without using the other runtime loading flags (-brtl),
-	# -berok will link without error, but may produce a broken library.
-	allow_undefined_flag_F77='-berok'
-       # Determine the default libpath from the value encoded in an empty executable.
-       cat >conftest.$ac_ext <<_ACEOF
-      program main
+if test -z "${LEXLIB+set}"; then
+  { echo "$as_me:$LINENO: checking lex library" >&5
+echo $ECHO_N "checking lex library... $ECHO_C" >&6; }
+if test "${ac_cv_lib_lex+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
 
-      end
+    ac_save_LIBS=$LIBS
+    ac_cv_lib_lex='none needed'
+    for ac_lib in '' -lfl -ll; do
+      LIBS="$ac_lib $ac_save_LIBS"
+      cat >conftest.$ac_ext <<_ACEOF
+`cat $LEX_OUTPUT_ROOT.c`
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
 if { (ac_try="$ac_link"
@@ -16556,23 +12582,11 @@ eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
-	 test -z "$ac_f77_werror_flag" ||
+	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
        } && test -s conftest$ac_exeext &&
        $as_test_x conftest$ac_exeext; then
-
-lt_aix_libpath_sed='
-    /Import File Strings/,/^$/ {
-	/^0/ {
-	    s/^0  *\(.*\)$/\1/
-	    p
-	}
-    }'
-aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
-# Check for a 64-bit object if we didn't find anything.
-if test -z "$aix_libpath"; then
-  aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
-fi
+  ac_cv_lib_lex=$ac_lib
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
@@ -16582,21 +12596,31 @@ fi
 
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
-if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
+      test "$ac_cv_lib_lex" != 'none needed' && break
+    done
+    LIBS=$ac_save_LIBS
 
-       hardcode_libdir_flag_spec_F77='${wl}-blibpath:$libdir:'"$aix_libpath"
-	archive_expsym_cmds_F77="\$CC"' -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then echo "${wl}${allow_undefined_flag}"; else :; fi` '"\${wl}$exp_sym_flag:\$export_symbols $shared_flag"
-       else
-	if test "$host_cpu" = ia64; then
-	  hardcode_libdir_flag_spec_F77='${wl}-R $libdir:/usr/lib:/lib'
-	  allow_undefined_flag_F77="-z nodefs"
-	  archive_expsym_cmds_F77="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags ${wl}${allow_undefined_flag} '"\${wl}$exp_sym_flag:\$export_symbols"
-	else
-	 # Determine the default libpath from the value encoded in an empty executable.
-	 cat >conftest.$ac_ext <<_ACEOF
-      program main
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_lex" >&5
+echo "${ECHO_T}$ac_cv_lib_lex" >&6; }
+  test "$ac_cv_lib_lex" != 'none needed' && LEXLIB=$ac_cv_lib_lex
+fi
 
-      end
+
+{ echo "$as_me:$LINENO: checking whether yytext is a pointer" >&5
+echo $ECHO_N "checking whether yytext is a pointer... $ECHO_C" >&6; }
+if test "${ac_cv_prog_lex_yytext_pointer+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  # POSIX says lex can declare yytext either as a pointer or an array; the
+# default is implementation-dependent.  Figure out which it is, since
+# not all implementations provide the %pointer and %array declarations.
+ac_cv_prog_lex_yytext_pointer=no
+ac_save_LIBS=$LIBS
+LIBS="$LEXLIB $ac_save_LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+#define YYTEXT_POINTER 1
+`cat $LEX_OUTPUT_ROOT.c`
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
 if { (ac_try="$ac_link"
@@ -16612,23 +12636,11 @@ eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
-	 test -z "$ac_f77_werror_flag" ||
+	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
        } && test -s conftest$ac_exeext &&
        $as_test_x conftest$ac_exeext; then
-
-lt_aix_libpath_sed='
-    /Import File Strings/,/^$/ {
-	/^0/ {
-	    s/^0  *\(.*\)$/\1/
-	    p
-	}
-    }'
-aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
-# Check for a 64-bit object if we didn't find anything.
-if test -z "$aix_libpath"; then
-  aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
-fi
+  ac_cv_prog_lex_yytext_pointer=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
@@ -16638,2542 +12650,2379 @@ fi
 
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
-if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
-
-	 hardcode_libdir_flag_spec_F77='${wl}-blibpath:$libdir:'"$aix_libpath"
-	  # Warning - without using the other run time loading flags,
-	  # -berok will link without error, but may produce a broken library.
-	  no_undefined_flag_F77=' ${wl}-bernotok'
-	  allow_undefined_flag_F77=' ${wl}-berok'
-	  # Exported symbols can be pulled into shared objects from archives
-	  whole_archive_flag_spec_F77='$convenience'
-	  archive_cmds_need_lc_F77=yes
-	  # This is similar to how AIX traditionally builds its shared libraries.
-	  archive_expsym_cmds_F77="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs ${wl}-bnoentry $compiler_flags ${wl}-bE:$export_symbols${allow_undefined_flag}~$AR $AR_FLAGS $output_objdir/$libname$release.a $output_objdir/$soname'
-	fi
-      fi
-      ;;
-
-    amigaos*)
-      archive_cmds_F77='$rm $output_objdir/a2ixlibrary.data~$echo "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$echo "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$echo "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$echo "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)'
-      hardcode_libdir_flag_spec_F77='-L$libdir'
-      hardcode_minus_L_F77=yes
-      # see comment about different semantics on the GNU ld section
-      ld_shlibs_F77=no
-      ;;
-
-    bsdi[45]*)
-      export_dynamic_flag_spec_F77=-rdynamic
-      ;;
+LIBS=$ac_save_LIBS
 
-    cygwin* | mingw* | pw32*)
-      # When not using gcc, we currently assume that we are using
-      # Microsoft Visual C++.
-      # hardcode_libdir_flag_spec is actually meaningless, as there is
-      # no search path for DLLs.
-      hardcode_libdir_flag_spec_F77=' '
-      allow_undefined_flag_F77=unsupported
-      # Tell ltmain to make .lib files, not .a files.
-      libext=lib
-      # Tell ltmain to make .dll files, not .so files.
-      shrext_cmds=".dll"
-      # FIXME: Setting linknames here is a bad hack.
-      archive_cmds_F77='$CC -o $lib $libobjs $compiler_flags `echo "$deplibs" | $SED -e '\''s/ -lc$//'\''` -link -dll~linknames='
-      # The linker will automatically build a .lib file if we build a DLL.
-      old_archive_From_new_cmds_F77='true'
-      # FIXME: Should let the user specify the lib program.
-      old_archive_cmds_F77='lib -OUT:$oldlib$oldobjs$old_deplibs'
-      fix_srcfile_path_F77='`cygpath -w "$srcfile"`'
-      enable_shared_with_static_runtimes_F77=yes
-      ;;
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_prog_lex_yytext_pointer" >&5
+echo "${ECHO_T}$ac_cv_prog_lex_yytext_pointer" >&6; }
+if test $ac_cv_prog_lex_yytext_pointer = yes; then
 
-    darwin* | rhapsody*)
-      case $host_os in
-        rhapsody* | darwin1.[012])
-         allow_undefined_flag_F77='${wl}-undefined ${wl}suppress'
-         ;;
-       *) # Darwin 1.3 on
-         if test -z ${MACOSX_DEPLOYMENT_TARGET} ; then
-           allow_undefined_flag_F77='${wl}-flat_namespace ${wl}-undefined ${wl}suppress'
-         else
-           case ${MACOSX_DEPLOYMENT_TARGET} in
-             10.[012])
-               allow_undefined_flag_F77='${wl}-flat_namespace ${wl}-undefined ${wl}suppress'
-               ;;
-             10.*)
-               allow_undefined_flag_F77='${wl}-undefined ${wl}dynamic_lookup'
-               ;;
-           esac
-         fi
-         ;;
-      esac
-      archive_cmds_need_lc_F77=no
-      hardcode_direct_F77=no
-      hardcode_automatic_F77=yes
-      hardcode_shlibpath_var_F77=unsupported
-      whole_archive_flag_spec_F77=''
-      link_all_deplibs_F77=yes
-    if test "$GCC" = yes ; then
-    	output_verbose_link_cmd='echo'
-        archive_cmds_F77="\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$libobjs \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring $_lt_dar_single_mod${_lt_dsymutil}"
-        module_cmds_F77="\$CC \$allow_undefined_flag -o \$lib -bundle \$libobjs \$deplibs \$compiler_flags${_lt_dsymutil}"
-        archive_expsym_cmds_F77="sed 's,^,_,' < \$export_symbols > \$output_objdir/\${libname}-symbols.expsym~\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$libobjs \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring ${_lt_dar_single_mod}${_lt_dar_export_syms}${_lt_dsymutil}"
-        module_expsym_cmds_F77="sed -e 's,^,_,' < \$export_symbols > \$output_objdir/\${libname}-symbols.expsym~\$CC \$allow_undefined_flag -o \$lib -bundle \$libobjs \$deplibs \$compiler_flags${_lt_dar_export_syms}${_lt_dsymutil}"
-    else
-      case $cc_basename in
-        xlc*)
-         output_verbose_link_cmd='echo'
-         archive_cmds_F77='$CC -qmkshrobj $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}`echo $rpath/$soname` $xlcverstring'
-         module_cmds_F77='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
-          # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin lds
-         archive_expsym_cmds_F77='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -qmkshrobj $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}$rpath/$soname $xlcverstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
-          module_expsym_cmds_F77='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag  -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
-          ;;
-       *)
-         ld_shlibs_F77=no
-          ;;
-      esac
-    fi
-      ;;
+cat >>confdefs.h <<\_ACEOF
+#define YYTEXT_POINTER 1
+_ACEOF
 
-    dgux*)
-      archive_cmds_F77='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
-      hardcode_libdir_flag_spec_F77='-L$libdir'
-      hardcode_shlibpath_var_F77=no
-      ;;
+fi
+rm -f conftest.l $LEX_OUTPUT_ROOT.c
 
-    freebsd1*)
-      ld_shlibs_F77=no
-      ;;
-
-    # FreeBSD 2.2.[012] allows us to include c++rt0.o to get C++ constructor
-    # support.  Future versions do this automatically, but an explicit c++rt0.o
-    # does not break anything, and helps significantly (at the cost of a little
-    # extra space).
-    freebsd2.2*)
-      archive_cmds_F77='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags /usr/lib/c++rt0.o'
-      hardcode_libdir_flag_spec_F77='-R$libdir'
-      hardcode_direct_F77=yes
-      hardcode_shlibpath_var_F77=no
-      ;;
-
-    # Unfortunately, older versions of FreeBSD 2 do not have this feature.
-    freebsd2*)
-      archive_cmds_F77='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'
-      hardcode_direct_F77=yes
-      hardcode_minus_L_F77=yes
-      hardcode_shlibpath_var_F77=no
-      ;;
+fi
+for ac_prog in 'bison -y' byacc
+do
+  # Extract the first word of "$ac_prog", so it can be a program name with args.
+set dummy $ac_prog; ac_word=$2
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+if test "${ac_cv_prog_YACC+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  if test -n "$YACC"; then
+  ac_cv_prog_YACC="$YACC" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+  for ac_exec_ext in '' $ac_executable_extensions; do
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+    ac_cv_prog_YACC="$ac_prog"
+    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+done
+IFS=$as_save_IFS
 
-    # FreeBSD 3 and greater uses gcc -shared to do shared libraries.
-    freebsd* | dragonfly*)
-      archive_cmds_F77='$CC -shared -o $lib $libobjs $deplibs $compiler_flags'
-      hardcode_libdir_flag_spec_F77='-R$libdir'
-      hardcode_direct_F77=yes
-      hardcode_shlibpath_var_F77=no
-      ;;
+fi
+fi
+YACC=$ac_cv_prog_YACC
+if test -n "$YACC"; then
+  { echo "$as_me:$LINENO: result: $YACC" >&5
+echo "${ECHO_T}$YACC" >&6; }
+else
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
 
-    hpux9*)
-      if test "$GCC" = yes; then
-	archive_cmds_F77='$rm $output_objdir/$soname~$CC -shared -fPIC ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $libobjs $deplibs $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
-      else
-	archive_cmds_F77='$rm $output_objdir/$soname~$LD -b +b $install_libdir -o $output_objdir/$soname $libobjs $deplibs $linker_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
-      fi
-      hardcode_libdir_flag_spec_F77='${wl}+b ${wl}$libdir'
-      hardcode_libdir_separator_F77=:
-      hardcode_direct_F77=yes
 
-      # hardcode_minus_L: Not really in the search PATH,
-      # but as the default location of the library.
-      hardcode_minus_L_F77=yes
-      export_dynamic_flag_spec_F77='${wl}-E'
-      ;;
+  test -n "$YACC" && break
+done
+test -n "$YACC" || YACC="yacc"
 
-    hpux10*)
-      if test "$GCC" = yes -a "$with_gnu_ld" = no; then
-	archive_cmds_F77='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
-      else
-	archive_cmds_F77='$LD -b +h $soname +b $install_libdir -o $lib $libobjs $deplibs $linker_flags'
-      fi
-      if test "$with_gnu_ld" = no; then
-	hardcode_libdir_flag_spec_F77='${wl}+b ${wl}$libdir'
-	hardcode_libdir_separator_F77=:
+ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+if test -n "$ac_tool_prefix"; then
+  # Extract the first word of "${ac_tool_prefix}gcc", so it can be a program name with args.
+set dummy ${ac_tool_prefix}gcc; ac_word=$2
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+if test "${ac_cv_prog_CC+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  if test -n "$CC"; then
+  ac_cv_prog_CC="$CC" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+  for ac_exec_ext in '' $ac_executable_extensions; do
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+    ac_cv_prog_CC="${ac_tool_prefix}gcc"
+    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+done
+IFS=$as_save_IFS
 
-	hardcode_direct_F77=yes
-	export_dynamic_flag_spec_F77='${wl}-E'
+fi
+fi
+CC=$ac_cv_prog_CC
+if test -n "$CC"; then
+  { echo "$as_me:$LINENO: result: $CC" >&5
+echo "${ECHO_T}$CC" >&6; }
+else
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
 
-	# hardcode_minus_L: Not really in the search PATH,
-	# but as the default location of the library.
-	hardcode_minus_L_F77=yes
-      fi
-      ;;
 
-    hpux11*)
-      if test "$GCC" = yes -a "$with_gnu_ld" = no; then
-	case $host_cpu in
-	hppa*64*)
-	  archive_cmds_F77='$CC -shared ${wl}+h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
-	  ;;
-	ia64*)
-	  archive_cmds_F77='$CC -shared ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags'
-	  ;;
-	*)
-	  archive_cmds_F77='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
-	  ;;
-	esac
-      else
-	case $host_cpu in
-	hppa*64*)
-	  archive_cmds_F77='$CC -b ${wl}+h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
-	  ;;
-	ia64*)
-	  archive_cmds_F77='$CC -b ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags'
-	  ;;
-	*)
-	  archive_cmds_F77='$CC -b ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
-	  ;;
-	esac
-      fi
-      if test "$with_gnu_ld" = no; then
-	hardcode_libdir_flag_spec_F77='${wl}+b ${wl}$libdir'
-	hardcode_libdir_separator_F77=:
+fi
+if test -z "$ac_cv_prog_CC"; then
+  ac_ct_CC=$CC
+  # Extract the first word of "gcc", so it can be a program name with args.
+set dummy gcc; ac_word=$2
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+if test "${ac_cv_prog_ac_ct_CC+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  if test -n "$ac_ct_CC"; then
+  ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+  for ac_exec_ext in '' $ac_executable_extensions; do
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+    ac_cv_prog_ac_ct_CC="gcc"
+    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+done
+IFS=$as_save_IFS
 
-	case $host_cpu in
-	hppa*64*|ia64*)
-	  hardcode_libdir_flag_spec_ld_F77='+b $libdir'
-	  hardcode_direct_F77=no
-	  hardcode_shlibpath_var_F77=no
-	  ;;
-	*)
-	  hardcode_direct_F77=yes
-	  export_dynamic_flag_spec_F77='${wl}-E'
+fi
+fi
+ac_ct_CC=$ac_cv_prog_ac_ct_CC
+if test -n "$ac_ct_CC"; then
+  { echo "$as_me:$LINENO: result: $ac_ct_CC" >&5
+echo "${ECHO_T}$ac_ct_CC" >&6; }
+else
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
 
-	  # hardcode_minus_L: Not really in the search PATH,
-	  # but as the default location of the library.
-	  hardcode_minus_L_F77=yes
-	  ;;
-	esac
-      fi
-      ;;
+  if test "x$ac_ct_CC" = x; then
+    CC=""
+  else
+    case $cross_compiling:$ac_tool_warned in
+yes:)
+{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
+whose name does not start with the host triplet.  If you think this
+configuration is useful to you, please write to autoconf@gnu.org." >&5
+echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
+whose name does not start with the host triplet.  If you think this
+configuration is useful to you, please write to autoconf@gnu.org." >&2;}
+ac_tool_warned=yes ;;
+esac
+    CC=$ac_ct_CC
+  fi
+else
+  CC="$ac_cv_prog_CC"
+fi
 
-    irix5* | irix6* | nonstopux*)
-      if test "$GCC" = yes; then
-	archive_cmds_F77='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
-      else
-	archive_cmds_F77='$LD -shared $libobjs $deplibs $linker_flags -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
-	hardcode_libdir_flag_spec_ld_F77='-rpath $libdir'
-      fi
-      hardcode_libdir_flag_spec_F77='${wl}-rpath ${wl}$libdir'
-      hardcode_libdir_separator_F77=:
-      link_all_deplibs_F77=yes
-      ;;
+if test -z "$CC"; then
+          if test -n "$ac_tool_prefix"; then
+    # Extract the first word of "${ac_tool_prefix}cc", so it can be a program name with args.
+set dummy ${ac_tool_prefix}cc; ac_word=$2
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+if test "${ac_cv_prog_CC+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  if test -n "$CC"; then
+  ac_cv_prog_CC="$CC" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+  for ac_exec_ext in '' $ac_executable_extensions; do
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+    ac_cv_prog_CC="${ac_tool_prefix}cc"
+    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+done
+IFS=$as_save_IFS
 
-    netbsd* | netbsdelf*-gnu)
-      if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
-	archive_cmds_F77='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'  # a.out
-      else
-	archive_cmds_F77='$LD -shared -o $lib $libobjs $deplibs $linker_flags'      # ELF
-      fi
-      hardcode_libdir_flag_spec_F77='-R$libdir'
-      hardcode_direct_F77=yes
-      hardcode_shlibpath_var_F77=no
-      ;;
+fi
+fi
+CC=$ac_cv_prog_CC
+if test -n "$CC"; then
+  { echo "$as_me:$LINENO: result: $CC" >&5
+echo "${ECHO_T}$CC" >&6; }
+else
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
 
-    newsos6)
-      archive_cmds_F77='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
-      hardcode_direct_F77=yes
-      hardcode_libdir_flag_spec_F77='${wl}-rpath ${wl}$libdir'
-      hardcode_libdir_separator_F77=:
-      hardcode_shlibpath_var_F77=no
-      ;;
 
-    openbsd*)
-      if test -f /usr/libexec/ld.so; then
-	hardcode_direct_F77=yes
-	hardcode_shlibpath_var_F77=no
-	if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
-	  archive_cmds_F77='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
-	  archive_expsym_cmds_F77='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-retain-symbols-file,$export_symbols'
-	  hardcode_libdir_flag_spec_F77='${wl}-rpath,$libdir'
-	  export_dynamic_flag_spec_F77='${wl}-E'
-	else
-	  case $host_os in
-	   openbsd[01].* | openbsd2.[0-7] | openbsd2.[0-7].*)
-	     archive_cmds_F77='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'
-	     hardcode_libdir_flag_spec_F77='-R$libdir'
-	     ;;
-	   *)
-	     archive_cmds_F77='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
-	     hardcode_libdir_flag_spec_F77='${wl}-rpath,$libdir'
-	     ;;
-	  esac
-        fi
-      else
-	ld_shlibs_F77=no
-      fi
-      ;;
-
-    os2*)
-      hardcode_libdir_flag_spec_F77='-L$libdir'
-      hardcode_minus_L_F77=yes
-      allow_undefined_flag_F77=unsupported
-      archive_cmds_F77='$echo "LIBRARY $libname INITINSTANCE" > $output_objdir/$libname.def~$echo "DESCRIPTION \"$libname\"" >> $output_objdir/$libname.def~$echo DATA >> $output_objdir/$libname.def~$echo " SINGLE NONSHARED" >> $output_objdir/$libname.def~$echo EXPORTS >> $output_objdir/$libname.def~emxexp $libobjs >> $output_objdir/$libname.def~$CC -Zdll -Zcrtdll -o $lib $libobjs $deplibs $compiler_flags $output_objdir/$libname.def'
-      old_archive_From_new_cmds_F77='emximp -o $output_objdir/$libname.a $output_objdir/$libname.def'
-      ;;
-
-    osf3*)
-      if test "$GCC" = yes; then
-	allow_undefined_flag_F77=' ${wl}-expect_unresolved ${wl}\*'
-	archive_cmds_F77='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
-      else
-	allow_undefined_flag_F77=' -expect_unresolved \*'
-	archive_cmds_F77='$LD -shared${allow_undefined_flag} $libobjs $deplibs $linker_flags -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
-      fi
-      hardcode_libdir_flag_spec_F77='${wl}-rpath ${wl}$libdir'
-      hardcode_libdir_separator_F77=:
-      ;;
-
-    osf4* | osf5*)	# as osf3* with the addition of -msym flag
-      if test "$GCC" = yes; then
-	allow_undefined_flag_F77=' ${wl}-expect_unresolved ${wl}\*'
-	archive_cmds_F77='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-msym ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
-	hardcode_libdir_flag_spec_F77='${wl}-rpath ${wl}$libdir'
-      else
-	allow_undefined_flag_F77=' -expect_unresolved \*'
-	archive_cmds_F77='$LD -shared${allow_undefined_flag} $libobjs $deplibs $linker_flags -msym -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
-	archive_expsym_cmds_F77='for i in `cat $export_symbols`; do printf "%s %s\\n" -exported_symbol "\$i" >> $lib.exp; done; echo "-hidden">> $lib.exp~
-	$LD -shared${allow_undefined_flag} -input $lib.exp $linker_flags $libobjs $deplibs -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib~$rm $lib.exp'
-
-	# Both c and cxx compiler support -rpath directly
-	hardcode_libdir_flag_spec_F77='-rpath $libdir'
-      fi
-      hardcode_libdir_separator_F77=:
-      ;;
-
-    solaris*)
-      no_undefined_flag_F77=' -z text'
-      if test "$GCC" = yes; then
-	wlarc='${wl}'
-	archive_cmds_F77='$CC -shared ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
-	archive_expsym_cmds_F77='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
-	  $CC -shared ${wl}-M ${wl}$lib.exp ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags~$rm $lib.exp'
-      else
-	wlarc=''
-	archive_cmds_F77='$LD -G${allow_undefined_flag} -h $soname -o $lib $libobjs $deplibs $linker_flags'
-	archive_expsym_cmds_F77='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
-  	$LD -G${allow_undefined_flag} -M $lib.exp -h $soname -o $lib $libobjs $deplibs $linker_flags~$rm $lib.exp'
-      fi
-      hardcode_libdir_flag_spec_F77='-R$libdir'
-      hardcode_shlibpath_var_F77=no
-      case $host_os in
-      solaris2.[0-5] | solaris2.[0-5].*) ;;
-      *)
-	# The compiler driver will combine and reorder linker options,
-	# but understands `-z linker_flag'.  GCC discards it without `$wl',
-	# but is careful enough not to reorder.
- 	# Supported since Solaris 2.6 (maybe 2.5.1?)
-	if test "$GCC" = yes; then
-	  whole_archive_flag_spec_F77='${wl}-z ${wl}allextract$convenience ${wl}-z ${wl}defaultextract'
-	else
-	  whole_archive_flag_spec_F77='-z allextract$convenience -z defaultextract'
-	fi
-	;;
-      esac
-      link_all_deplibs_F77=yes
-      ;;
+  fi
+fi
+if test -z "$CC"; then
+  # Extract the first word of "cc", so it can be a program name with args.
+set dummy cc; ac_word=$2
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+if test "${ac_cv_prog_CC+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  if test -n "$CC"; then
+  ac_cv_prog_CC="$CC" # Let the user override the test.
+else
+  ac_prog_rejected=no
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+  for ac_exec_ext in '' $ac_executable_extensions; do
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+    if test "$as_dir/$ac_word$ac_exec_ext" = "/usr/ucb/cc"; then
+       ac_prog_rejected=yes
+       continue
+     fi
+    ac_cv_prog_CC="cc"
+    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+done
+IFS=$as_save_IFS
 
-    sunos4*)
-      if test "x$host_vendor" = xsequent; then
-	# Use $CC to link under sequent, because it throws in some extra .o
-	# files that make .init and .fini sections work.
-	archive_cmds_F77='$CC -G ${wl}-h $soname -o $lib $libobjs $deplibs $compiler_flags'
-      else
-	archive_cmds_F77='$LD -assert pure-text -Bstatic -o $lib $libobjs $deplibs $linker_flags'
-      fi
-      hardcode_libdir_flag_spec_F77='-L$libdir'
-      hardcode_direct_F77=yes
-      hardcode_minus_L_F77=yes
-      hardcode_shlibpath_var_F77=no
-      ;;
+if test $ac_prog_rejected = yes; then
+  # We found a bogon in the path, so make sure we never use it.
+  set dummy $ac_cv_prog_CC
+  shift
+  if test $# != 0; then
+    # We chose a different compiler from the bogus one.
+    # However, it has the same basename, so the bogon will be chosen
+    # first if we set CC to just the basename; use the full file name.
+    shift
+    ac_cv_prog_CC="$as_dir/$ac_word${1+' '}$@"
+  fi
+fi
+fi
+fi
+CC=$ac_cv_prog_CC
+if test -n "$CC"; then
+  { echo "$as_me:$LINENO: result: $CC" >&5
+echo "${ECHO_T}$CC" >&6; }
+else
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
 
-    sysv4)
-      case $host_vendor in
-	sni)
-	  archive_cmds_F77='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
-	  hardcode_direct_F77=yes # is this really true???
-	;;
-	siemens)
-	  ## LD is ld it makes a PLAMLIB
-	  ## CC just makes a GrossModule.
-	  archive_cmds_F77='$LD -G -o $lib $libobjs $deplibs $linker_flags'
-	  reload_cmds_F77='$CC -r -o $output$reload_objs'
-	  hardcode_direct_F77=no
-        ;;
-	motorola)
-	  archive_cmds_F77='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
-	  hardcode_direct_F77=no #Motorola manual says yes, but my tests say they lie
-	;;
-      esac
-      runpath_var='LD_RUN_PATH'
-      hardcode_shlibpath_var_F77=no
-      ;;
 
-    sysv4.3*)
-      archive_cmds_F77='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
-      hardcode_shlibpath_var_F77=no
-      export_dynamic_flag_spec_F77='-Bexport'
-      ;;
+fi
+if test -z "$CC"; then
+  if test -n "$ac_tool_prefix"; then
+  for ac_prog in cl.exe
+  do
+    # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args.
+set dummy $ac_tool_prefix$ac_prog; ac_word=$2
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+if test "${ac_cv_prog_CC+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  if test -n "$CC"; then
+  ac_cv_prog_CC="$CC" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+  for ac_exec_ext in '' $ac_executable_extensions; do
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+    ac_cv_prog_CC="$ac_tool_prefix$ac_prog"
+    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+done
+IFS=$as_save_IFS
 
-    sysv4*MP*)
-      if test -d /usr/nec; then
-	archive_cmds_F77='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
-	hardcode_shlibpath_var_F77=no
-	runpath_var=LD_RUN_PATH
-	hardcode_runpath_var=yes
-	ld_shlibs_F77=yes
-      fi
-      ;;
+fi
+fi
+CC=$ac_cv_prog_CC
+if test -n "$CC"; then
+  { echo "$as_me:$LINENO: result: $CC" >&5
+echo "${ECHO_T}$CC" >&6; }
+else
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
 
-    sysv4*uw2* | sysv5OpenUNIX* | sysv5UnixWare7.[01].[10]* | unixware7* | sco3.2v5.0.[024]*)
-      no_undefined_flag_F77='${wl}-z,text'
-      archive_cmds_need_lc_F77=no
-      hardcode_shlibpath_var_F77=no
-      runpath_var='LD_RUN_PATH'
 
-      if test "$GCC" = yes; then
-	archive_cmds_F77='$CC -shared ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
-	archive_expsym_cmds_F77='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
-      else
-	archive_cmds_F77='$CC -G ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
-	archive_expsym_cmds_F77='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
-      fi
-      ;;
+    test -n "$CC" && break
+  done
+fi
+if test -z "$CC"; then
+  ac_ct_CC=$CC
+  for ac_prog in cl.exe
+do
+  # Extract the first word of "$ac_prog", so it can be a program name with args.
+set dummy $ac_prog; ac_word=$2
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+if test "${ac_cv_prog_ac_ct_CC+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  if test -n "$ac_ct_CC"; then
+  ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+  for ac_exec_ext in '' $ac_executable_extensions; do
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+    ac_cv_prog_ac_ct_CC="$ac_prog"
+    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+done
+IFS=$as_save_IFS
 
-    sysv5* | sco3.2v5* | sco5v6*)
-      # Note: We can NOT use -z defs as we might desire, because we do not
-      # link with -lc, and that would cause any symbols used from libc to
-      # always be unresolved, which means just about no library would
-      # ever link correctly.  If we're not using GNU ld we use -z text
-      # though, which does catch some bad symbols but isn't as heavy-handed
-      # as -z defs.
-      no_undefined_flag_F77='${wl}-z,text'
-      allow_undefined_flag_F77='${wl}-z,nodefs'
-      archive_cmds_need_lc_F77=no
-      hardcode_shlibpath_var_F77=no
-      hardcode_libdir_flag_spec_F77='`test -z "$SCOABSPATH" && echo ${wl}-R,$libdir`'
-      hardcode_libdir_separator_F77=':'
-      link_all_deplibs_F77=yes
-      export_dynamic_flag_spec_F77='${wl}-Bexport'
-      runpath_var='LD_RUN_PATH'
+fi
+fi
+ac_ct_CC=$ac_cv_prog_ac_ct_CC
+if test -n "$ac_ct_CC"; then
+  { echo "$as_me:$LINENO: result: $ac_ct_CC" >&5
+echo "${ECHO_T}$ac_ct_CC" >&6; }
+else
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
 
-      if test "$GCC" = yes; then
-	archive_cmds_F77='$CC -shared ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
-	archive_expsym_cmds_F77='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
-      else
-	archive_cmds_F77='$CC -G ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
-	archive_expsym_cmds_F77='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
-      fi
-      ;;
 
-    uts4*)
-      archive_cmds_F77='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
-      hardcode_libdir_flag_spec_F77='-L$libdir'
-      hardcode_shlibpath_var_F77=no
-      ;;
+  test -n "$ac_ct_CC" && break
+done
 
-    *)
-      ld_shlibs_F77=no
-      ;;
-    esac
+  if test "x$ac_ct_CC" = x; then
+    CC=""
+  else
+    case $cross_compiling:$ac_tool_warned in
+yes:)
+{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
+whose name does not start with the host triplet.  If you think this
+configuration is useful to you, please write to autoconf@gnu.org." >&5
+echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
+whose name does not start with the host triplet.  If you think this
+configuration is useful to you, please write to autoconf@gnu.org." >&2;}
+ac_tool_warned=yes ;;
+esac
+    CC=$ac_ct_CC
   fi
+fi
 
-{ echo "$as_me:$LINENO: result: $ld_shlibs_F77" >&5
-echo "${ECHO_T}$ld_shlibs_F77" >&6; }
-test "$ld_shlibs_F77" = no && can_build_shared=no
-
-#
-# Do we need to explicitly link libc?
-#
-case "x$archive_cmds_need_lc_F77" in
-x|xyes)
-  # Assume -lc should be added
-  archive_cmds_need_lc_F77=yes
+fi
 
-  if test "$enable_shared" = yes && test "$GCC" = yes; then
-    case $archive_cmds_F77 in
-    *'~'*)
-      # FIXME: we may have to deal with multi-command sequences.
-      ;;
-    '$CC '*)
-      # Test whether the compiler implicitly links with -lc since on some
-      # systems, -lgcc has to come before -lc. If gcc already passes -lc
-      # to ld, don't add -lc before -lgcc.
-      { echo "$as_me:$LINENO: checking whether -lc should be explicitly linked in" >&5
-echo $ECHO_N "checking whether -lc should be explicitly linked in... $ECHO_C" >&6; }
-      $rm conftest*
-      echo "$lt_simple_compile_test_code" > conftest.$ac_ext
 
-      if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>&5
+test -z "$CC" && { { echo "$as_me:$LINENO: error: no acceptable C compiler found in \$PATH
+See \`config.log' for more details." >&5
+echo "$as_me: error: no acceptable C compiler found in \$PATH
+See \`config.log' for more details." >&2;}
+   { (exit 1); exit 1; }; }
+
+# Provide some information about the compiler.
+echo "$as_me:$LINENO: checking for C compiler version" >&5
+ac_compiler=`set X $ac_compile; echo $2`
+{ (ac_try="$ac_compiler --version >&5"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compiler --version >&5") 2>&5
   ac_status=$?
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } 2>conftest.err; then
-        soname=conftest
-        lib=conftest
-        libobjs=conftest.$ac_objext
-        deplibs=
-        wl=$lt_prog_compiler_wl_F77
-	pic_flag=$lt_prog_compiler_pic_F77
-        compiler_flags=-v
-        linker_flags=-v
-        verstring=
-        output_objdir=.
-        libname=conftest
-        lt_save_allow_undefined_flag=$allow_undefined_flag_F77
-        allow_undefined_flag_F77=
-        if { (eval echo "$as_me:$LINENO: \"$archive_cmds_F77 2\>\&1 \| grep \" -lc \" \>/dev/null 2\>\&1\"") >&5
-  (eval $archive_cmds_F77 2\>\&1 \| grep \" -lc \" \>/dev/null 2\>\&1) 2>&5
+  (exit $ac_status); }
+{ (ac_try="$ac_compiler -v >&5"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compiler -v >&5") 2>&5
   ac_status=$?
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }
-        then
-	  archive_cmds_need_lc_F77=no
-        else
-	  archive_cmds_need_lc_F77=yes
-        fi
-        allow_undefined_flag_F77=$lt_save_allow_undefined_flag
-      else
-        cat conftest.err 1>&5
-      fi
-      $rm conftest*
-      { echo "$as_me:$LINENO: result: $archive_cmds_need_lc_F77" >&5
-echo "${ECHO_T}$archive_cmds_need_lc_F77" >&6; }
-      ;;
-    esac
-  fi
-  ;;
+{ (ac_try="$ac_compiler -V >&5"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
 esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compiler -V >&5") 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }
 
-{ echo "$as_me:$LINENO: checking dynamic linker characteristics" >&5
-echo $ECHO_N "checking dynamic linker characteristics... $ECHO_C" >&6; }
-library_names_spec=
-libname_spec='lib$name'
-soname_spec=
-shrext_cmds=".so"
-postinstall_cmds=
-postuninstall_cmds=
-finish_cmds=
-finish_eval=
-shlibpath_var=
-shlibpath_overrides_runpath=unknown
-version_type=none
-dynamic_linker="$host_os ld.so"
-sys_lib_dlsearch_path_spec="/lib /usr/lib"
+{ echo "$as_me:$LINENO: checking whether we are using the GNU C compiler" >&5
+echo $ECHO_N "checking whether we are using the GNU C compiler... $ECHO_C" >&6; }
+if test "${ac_cv_c_compiler_gnu+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
 
-need_lib_prefix=unknown
-hardcode_into_libs=no
+int
+main ()
+{
+#ifndef __GNUC__
+       choke me
+#endif
 
-# when you set need_version to no, make sure it does not cause -set_version
-# flags to be left without arguments
-need_version=unknown
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  ac_compiler_gnu=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
 
-case $host_os in
-aix3*)
-  version_type=linux
-  library_names_spec='${libname}${release}${shared_ext}$versuffix $libname.a'
-  shlibpath_var=LIBPATH
+	ac_compiler_gnu=no
+fi
 
-  # AIX 3 has no versioning support, so we append a major version to the name.
-  soname_spec='${libname}${release}${shared_ext}$major'
-  ;;
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+ac_cv_c_compiler_gnu=$ac_compiler_gnu
 
-aix[4-9]*)
-  version_type=linux
-  need_lib_prefix=no
-  need_version=no
-  hardcode_into_libs=yes
-  if test "$host_cpu" = ia64; then
-    # AIX 5 supports IA64
-    library_names_spec='${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext}$versuffix $libname${shared_ext}'
-    shlibpath_var=LD_LIBRARY_PATH
-  else
-    # With GCC up to 2.95.x, collect2 would create an import file
-    # for dependence libraries.  The import file would start with
-    # the line `#! .'.  This would cause the generated library to
-    # depend on `.', always an invalid library.  This was fixed in
-    # development snapshots of GCC prior to 3.0.
-    case $host_os in
-      aix4 | aix4.[01] | aix4.[01].*)
-      if { echo '#if __GNUC__ > 2 || (__GNUC__ == 2 && __GNUC_MINOR__ >= 97)'
-	   echo ' yes '
-	   echo '#endif'; } | ${CC} -E - | grep yes > /dev/null; then
-	:
-      else
-	can_build_shared=no
-      fi
-      ;;
-    esac
-    # AIX (on Power*) has no versioning support, so currently we can not hardcode correct
-    # soname into executable. Probably we can add versioning support to
-    # collect2, so additional links can be useful in future.
-    if test "$aix_use_runtimelinking" = yes; then
-      # If using run time linking (on AIX 4.2 or later) use lib<name>.so
-      # instead of lib<name>.a to let people know that these are not
-      # typical AIX shared libraries.
-      library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-    else
-      # We preserve .a as extension for shared libraries through AIX4.2
-      # and later when we are not doing run time linking.
-      library_names_spec='${libname}${release}.a $libname.a'
-      soname_spec='${libname}${release}${shared_ext}$major'
-    fi
-    shlibpath_var=LIBPATH
-  fi
-  ;;
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_c_compiler_gnu" >&5
+echo "${ECHO_T}$ac_cv_c_compiler_gnu" >&6; }
+GCC=`test $ac_compiler_gnu = yes && echo yes`
+ac_test_CFLAGS=${CFLAGS+set}
+ac_save_CFLAGS=$CFLAGS
+{ echo "$as_me:$LINENO: checking whether $CC accepts -g" >&5
+echo $ECHO_N "checking whether $CC accepts -g... $ECHO_C" >&6; }
+if test "${ac_cv_prog_cc_g+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_save_c_werror_flag=$ac_c_werror_flag
+   ac_c_werror_flag=yes
+   ac_cv_prog_cc_g=no
+   CFLAGS="-g"
+   cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
 
-amigaos*)
-  library_names_spec='$libname.ixlibrary $libname.a'
-  # Create ${libname}_ixlibrary.a entries in /sys/libs.
-  finish_eval='for lib in `ls $libdir/*.ixlibrary 2>/dev/null`; do libname=`$echo "X$lib" | $Xsed -e '\''s%^.*/\([^/]*\)\.ixlibrary$%\1%'\''`; test $rm /sys/libs/${libname}_ixlibrary.a; $show "cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a"; cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a || exit 1; done'
-  ;;
+int
+main ()
+{
 
-beos*)
-  library_names_spec='${libname}${shared_ext}'
-  dynamic_linker="$host_os ld.so"
-  shlibpath_var=LIBRARY_PATH
-  ;;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  ac_cv_prog_cc_g=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
 
-bsdi[45]*)
-  version_type=linux
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  finish_cmds='PATH="\$PATH:/sbin" ldconfig $libdir'
-  shlibpath_var=LD_LIBRARY_PATH
-  sys_lib_search_path_spec="/shlib /usr/lib /usr/X11/lib /usr/contrib/lib /lib /usr/local/lib"
-  sys_lib_dlsearch_path_spec="/shlib /usr/lib /usr/local/lib"
-  # the default ld.so.conf also contains /usr/contrib/lib and
-  # /usr/X11R6/lib (/usr/X11 is a link to /usr/X11R6), but let us allow
-  # libtool to hard-code these into programs
-  ;;
+	CFLAGS=""
+      cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
 
-cygwin* | mingw* | pw32*)
-  version_type=windows
-  shrext_cmds=".dll"
-  need_version=no
-  need_lib_prefix=no
+int
+main ()
+{
 
-  case $GCC,$host_os in
-  yes,cygwin* | yes,mingw* | yes,pw32*)
-    library_names_spec='$libname.dll.a'
-    # DLL is installed to $(libdir)/../bin by postinstall_cmds
-    postinstall_cmds='base_file=`basename \${file}`~
-      dlpath=`$SHELL 2>&1 -c '\''. $dir/'\''\${base_file}'\''i;echo \$dlname'\''`~
-      dldir=$destdir/`dirname \$dlpath`~
-      test -d \$dldir || mkdir -p \$dldir~
-      $install_prog $dir/$dlname \$dldir/$dlname~
-      chmod a+x \$dldir/$dlname'
-    postuninstall_cmds='dldll=`$SHELL 2>&1 -c '\''. $file; echo \$dlname'\''`~
-      dlpath=$dir/\$dldll~
-       $rm \$dlpath'
-    shlibpath_overrides_runpath=yes
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  :
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
 
-    case $host_os in
-    cygwin*)
-      # Cygwin DLLs use 'cyg' prefix rather than 'lib'
-      soname_spec='`echo ${libname} | sed -e 's/^lib/cyg/'``echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}'
-      sys_lib_search_path_spec="/usr/lib /lib/w32api /lib /usr/local/lib"
-      ;;
-    mingw*)
-      # MinGW DLLs use traditional 'lib' prefix
-      soname_spec='${libname}`echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}'
-      sys_lib_search_path_spec=`$CC -print-search-dirs | grep "^libraries:" | $SED -e "s/^libraries://" -e "s,=/,/,g"`
-      if echo "$sys_lib_search_path_spec" | grep ';[c-zC-Z]:/' >/dev/null; then
-        # It is most probably a Windows format PATH printed by
-        # mingw gcc, but we are running on Cygwin. Gcc prints its search
-        # path with ; separators, and with drive letters. We can handle the
-        # drive letters (cygwin fileutils understands them), so leave them,
-        # especially as we might pass files found there to a mingw objdump,
-        # which wouldn't understand a cygwinified path. Ahh.
-        sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'`
-      else
-        sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED  -e "s/$PATH_SEPARATOR/ /g"`
-      fi
-      ;;
-    pw32*)
-      # pw32 DLLs use 'pw' prefix rather than 'lib'
-      library_names_spec='`echo ${libname} | sed -e 's/^lib/pw/'``echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}'
-      ;;
-    esac
-    ;;
+	ac_c_werror_flag=$ac_save_c_werror_flag
+	 CFLAGS="-g"
+	 cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
 
-  *)
-    library_names_spec='${libname}`echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext} $libname.lib'
-    ;;
-  esac
-  dynamic_linker='Win32 ld.exe'
-  # FIXME: first we should search . and the directory the executable is in
-  shlibpath_var=PATH
-  ;;
+int
+main ()
+{
 
-darwin* | rhapsody*)
-  dynamic_linker="$host_os dyld"
-  version_type=darwin
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${versuffix}$shared_ext ${libname}${release}${major}$shared_ext ${libname}$shared_ext'
-  soname_spec='${libname}${release}${major}$shared_ext'
-  shlibpath_overrides_runpath=yes
-  shlibpath_var=DYLD_LIBRARY_PATH
-  shrext_cmds='`test .$module = .yes && echo .so || echo .dylib`'
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  ac_cv_prog_cc_g=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
 
-  sys_lib_dlsearch_path_spec='/usr/local/lib /lib /usr/lib'
-  ;;
 
-dgux*)
-  version_type=linux
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname$shared_ext'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  ;;
+fi
 
-freebsd1*)
-  dynamic_linker=no
-  ;;
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
 
-freebsd* | dragonfly*)
-  # DragonFly does not have aout.  When/if they implement a new
-  # versioning mechanism, adjust this.
-  if test -x /usr/bin/objformat; then
-    objformat=`/usr/bin/objformat`
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+   ac_c_werror_flag=$ac_save_c_werror_flag
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_prog_cc_g" >&5
+echo "${ECHO_T}$ac_cv_prog_cc_g" >&6; }
+if test "$ac_test_CFLAGS" = set; then
+  CFLAGS=$ac_save_CFLAGS
+elif test $ac_cv_prog_cc_g = yes; then
+  if test "$GCC" = yes; then
+    CFLAGS="-g -O2"
   else
-    case $host_os in
-    freebsd[123]*) objformat=aout ;;
-    *) objformat=elf ;;
-    esac
+    CFLAGS="-g"
   fi
-  version_type=freebsd-$objformat
-  case $version_type in
-    freebsd-elf*)
-      library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext} $libname${shared_ext}'
-      need_version=no
-      need_lib_prefix=no
-      ;;
-    freebsd-*)
-      library_names_spec='${libname}${release}${shared_ext}$versuffix $libname${shared_ext}$versuffix'
-      need_version=yes
-      ;;
-  esac
-  shlibpath_var=LD_LIBRARY_PATH
-  case $host_os in
-  freebsd2*)
-    shlibpath_overrides_runpath=yes
-    ;;
-  freebsd3.[01]* | freebsdelf3.[01]*)
-    shlibpath_overrides_runpath=yes
-    hardcode_into_libs=yes
-    ;;
-  freebsd3.[2-9]* | freebsdelf3.[2-9]* | \
-  freebsd4.[0-5] | freebsdelf4.[0-5] | freebsd4.1.1 | freebsdelf4.1.1)
-    shlibpath_overrides_runpath=no
-    hardcode_into_libs=yes
-    ;;
-  *) # from 4.6 on, and DragonFly
-    shlibpath_overrides_runpath=yes
-    hardcode_into_libs=yes
-    ;;
-  esac
-  ;;
+else
+  if test "$GCC" = yes; then
+    CFLAGS="-O2"
+  else
+    CFLAGS=
+  fi
+fi
+{ echo "$as_me:$LINENO: checking for $CC option to accept ISO C89" >&5
+echo $ECHO_N "checking for $CC option to accept ISO C89... $ECHO_C" >&6; }
+if test "${ac_cv_prog_cc_c89+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_cv_prog_cc_c89=no
+ac_save_CC=$CC
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+#include <stdarg.h>
+#include <stdio.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+/* Most of the following tests are stolen from RCS 5.7's src/conf.sh.  */
+struct buf { int x; };
+FILE * (*rcsopen) (struct buf *, struct stat *, int);
+static char *e (p, i)
+     char **p;
+     int i;
+{
+  return p[i];
+}
+static char *f (char * (*g) (char **, int), char **p, ...)
+{
+  char *s;
+  va_list v;
+  va_start (v,p);
+  s = g (p, va_arg (v,int));
+  va_end (v);
+  return s;
+}
 
-gnu*)
-  version_type=linux
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}${major} ${libname}${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  hardcode_into_libs=yes
-  ;;
+/* OSF 4.0 Compaq cc is some sort of almost-ANSI by default.  It has
+   function prototypes and stuff, but not '\xHH' hex character constants.
+   These don't provoke an error unfortunately, instead are silently treated
+   as 'x'.  The following induces an error, until -std is added to get
+   proper ANSI mode.  Curiously '\x00'!='x' always comes out true, for an
+   array size at least.  It's necessary to write '\x00'==0 to get something
+   that's true only with -std.  */
+int osf4_cc_array ['\x00' == 0 ? 1 : -1];
 
-hpux9* | hpux10* | hpux11*)
-  # Give a soname corresponding to the major version so that dld.sl refuses to
-  # link against other versions.
-  version_type=sunos
-  need_lib_prefix=no
-  need_version=no
-  case $host_cpu in
-  ia64*)
-    shrext_cmds='.so'
-    hardcode_into_libs=yes
-    dynamic_linker="$host_os dld.so"
-    shlibpath_var=LD_LIBRARY_PATH
-    shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
-    library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-    soname_spec='${libname}${release}${shared_ext}$major'
-    if test "X$HPUX_IA64_MODE" = X32; then
-      sys_lib_search_path_spec="/usr/lib/hpux32 /usr/local/lib/hpux32 /usr/local/lib"
-    else
-      sys_lib_search_path_spec="/usr/lib/hpux64 /usr/local/lib/hpux64"
-    fi
-    sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
-    ;;
-   hppa*64*)
-     shrext_cmds='.sl'
-     hardcode_into_libs=yes
-     dynamic_linker="$host_os dld.sl"
-     shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH
-     shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
-     library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-     soname_spec='${libname}${release}${shared_ext}$major'
-     sys_lib_search_path_spec="/usr/lib/pa20_64 /usr/ccs/lib/pa20_64"
-     sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
-     ;;
-   *)
-    shrext_cmds='.sl'
-    dynamic_linker="$host_os dld.sl"
-    shlibpath_var=SHLIB_PATH
-    shlibpath_overrides_runpath=no # +s is required to enable SHLIB_PATH
-    library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-    soname_spec='${libname}${release}${shared_ext}$major'
-    ;;
-  esac
-  # HP-UX runs *really* slowly unless shared libraries are mode 555.
-  postinstall_cmds='chmod 555 $lib'
-  ;;
-
-interix[3-9]*)
-  version_type=linux
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  dynamic_linker='Interix 3.x ld.so.1 (PE, like ELF)'
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=no
-  hardcode_into_libs=yes
-  ;;
+/* IBM C 6 for AIX is almost-ANSI by default, but it replaces macro parameters
+   inside strings and character constants.  */
+#define FOO(x) 'x'
+int xlc6_cc_array[FOO(a) == 'x' ? 1 : -1];
 
-irix5* | irix6* | nonstopux*)
-  case $host_os in
-    nonstopux*) version_type=nonstopux ;;
-    *)
-	if test "$lt_cv_prog_gnu_ld" = yes; then
-		version_type=linux
-	else
-		version_type=irix
-	fi ;;
-  esac
-  need_lib_prefix=no
-  need_version=no
-  soname_spec='${libname}${release}${shared_ext}$major'
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext} $libname${shared_ext}'
-  case $host_os in
-  irix5* | nonstopux*)
-    libsuff= shlibsuff=
-    ;;
-  *)
-    case $LD in # libtool.m4 will add one of these switches to LD
-    *-32|*"-32 "|*-melf32bsmip|*"-melf32bsmip ")
-      libsuff= shlibsuff= libmagic=32-bit;;
-    *-n32|*"-n32 "|*-melf32bmipn32|*"-melf32bmipn32 ")
-      libsuff=32 shlibsuff=N32 libmagic=N32;;
-    *-64|*"-64 "|*-melf64bmip|*"-melf64bmip ")
-      libsuff=64 shlibsuff=64 libmagic=64-bit;;
-    *) libsuff= shlibsuff= libmagic=never-match;;
-    esac
-    ;;
-  esac
-  shlibpath_var=LD_LIBRARY${shlibsuff}_PATH
-  shlibpath_overrides_runpath=no
-  sys_lib_search_path_spec="/usr/lib${libsuff} /lib${libsuff} /usr/local/lib${libsuff}"
-  sys_lib_dlsearch_path_spec="/usr/lib${libsuff} /lib${libsuff}"
-  hardcode_into_libs=yes
-  ;;
+int test (int i, double x);
+struct s1 {int (*f) (int a);};
+struct s2 {int (*f) (double a);};
+int pairnames (int, char **, FILE *(*)(struct buf *, struct stat *, int), int, int);
+int argc;
+char **argv;
+int
+main ()
+{
+return f (e, argv, 0) != argv[0]  ||  f (e, argv, 1) != argv[1];
+  ;
+  return 0;
+}
+_ACEOF
+for ac_arg in '' -qlanglvl=extc89 -qlanglvl=ansi -std \
+	-Ae "-Aa -D_HPUX_SOURCE" "-Xc -D__EXTENSIONS__"
+do
+  CC="$ac_save_CC $ac_arg"
+  rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  ac_cv_prog_cc_c89=$ac_arg
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
 
-# No shared lib support for Linux oldld, aout, or coff.
-linux*oldld* | linux*aout* | linux*coff*)
-  dynamic_linker=no
-  ;;
 
-# This must be Linux ELF.
-linux* | k*bsd*-gnu)
-  version_type=linux
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  finish_cmds='PATH="\$PATH:/sbin" ldconfig -n $libdir'
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=no
-  # This implies no fast_install, which is unacceptable.
-  # Some rework will be needed to allow for fast_install
-  # before this can be enabled.
-  hardcode_into_libs=yes
+fi
 
-  # Append ld.so.conf contents to the search path
-  if test -f /etc/ld.so.conf; then
-    lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ 	]*hwcap[ 	]/d;s/[:,	]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;/^$/d' | tr '\n' ' '`
-    sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
-  fi
+rm -f core conftest.err conftest.$ac_objext
+  test "x$ac_cv_prog_cc_c89" != "xno" && break
+done
+rm -f conftest.$ac_ext
+CC=$ac_save_CC
 
-  # We used to test for /lib/ld.so.1 and disable shared libraries on
-  # powerpc, because MkLinux only supported shared libraries with the
-  # GNU dynamic linker.  Since this was broken with cross compilers,
-  # most powerpc-linux boxes support dynamic linking these days and
-  # people can always --disable-shared, the test was removed, and we
-  # assume the GNU/Linux dynamic linker is in use.
-  dynamic_linker='GNU/Linux ld.so'
-  ;;
+fi
+# AC_CACHE_VAL
+case "x$ac_cv_prog_cc_c89" in
+  x)
+    { echo "$as_me:$LINENO: result: none needed" >&5
+echo "${ECHO_T}none needed" >&6; } ;;
+  xno)
+    { echo "$as_me:$LINENO: result: unsupported" >&5
+echo "${ECHO_T}unsupported" >&6; } ;;
+  *)
+    CC="$CC $ac_cv_prog_cc_c89"
+    { echo "$as_me:$LINENO: result: $ac_cv_prog_cc_c89" >&5
+echo "${ECHO_T}$ac_cv_prog_cc_c89" >&6; } ;;
+esac
 
-netbsdelf*-gnu)
-  version_type=linux
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=no
-  hardcode_into_libs=yes
-  dynamic_linker='NetBSD ld.elf_so'
-  ;;
 
-netbsd*)
-  version_type=sunos
-  need_lib_prefix=no
-  need_version=no
-  if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
-    library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
-    finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
-    dynamic_linker='NetBSD (a.out) ld.so'
-  else
-    library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
-    soname_spec='${libname}${release}${shared_ext}$major'
-    dynamic_linker='NetBSD ld.elf_so'
-  fi
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=yes
-  hardcode_into_libs=yes
-  ;;
+ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
 
-newsos6)
-  version_type=linux
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=yes
-  ;;
+depcc="$CC"   am_compiler_list=
 
-nto-qnx*)
-  version_type=linux
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=yes
-  ;;
+{ echo "$as_me:$LINENO: checking dependency style of $depcc" >&5
+echo $ECHO_N "checking dependency style of $depcc... $ECHO_C" >&6; }
+if test "${am_cv_CC_dependencies_compiler_type+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  if test -z "$AMDEP_TRUE" && test -f "$am_depcomp"; then
+  # We make a subdir and do the tests there.  Otherwise we can end up
+  # making bogus files that we don't know about and never remove.  For
+  # instance it was reported that on HP-UX the gcc test will end up
+  # making a dummy file named `D' -- because `-MD' means `put the output
+  # in D'.
+  mkdir conftest.dir
+  # Copy depcomp to subdir because otherwise we won't find it if we're
+  # using a relative directory.
+  cp "$am_depcomp" conftest.dir
+  cd conftest.dir
+  # We will build objects and dependencies in a subdirectory because
+  # it helps to detect inapplicable dependency modes.  For instance
+  # both Tru64's cc and ICC support -MD to output dependencies as a
+  # side effect of compilation, but ICC will put the dependencies in
+  # the current directory while Tru64 will put them in the object
+  # directory.
+  mkdir sub
 
-openbsd*)
-  version_type=sunos
-  sys_lib_dlsearch_path_spec="/usr/lib"
-  need_lib_prefix=no
-  # Some older versions of OpenBSD (3.3 at least) *do* need versioned libs.
-  case $host_os in
-    openbsd3.3 | openbsd3.3.*) need_version=yes ;;
-    *)                         need_version=no  ;;
-  esac
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
-  finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
-  shlibpath_var=LD_LIBRARY_PATH
-  if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
-    case $host_os in
-      openbsd2.[89] | openbsd2.[89].*)
-	shlibpath_overrides_runpath=no
-	;;
-      *)
-	shlibpath_overrides_runpath=yes
-	;;
-      esac
-  else
-    shlibpath_overrides_runpath=yes
+  am_cv_CC_dependencies_compiler_type=none
+  if test "$am_compiler_list" = ""; then
+     am_compiler_list=`sed -n 's/^#*\([a-zA-Z0-9]*\))$/\1/p' < ./depcomp`
   fi
-  ;;
-
-os2*)
-  libname_spec='$name'
-  shrext_cmds=".dll"
-  need_lib_prefix=no
-  library_names_spec='$libname${shared_ext} $libname.a'
-  dynamic_linker='OS/2 ld.exe'
-  shlibpath_var=LIBPATH
-  ;;
+  for depmode in $am_compiler_list; do
+    # Setup a source with many dependencies, because some compilers
+    # like to wrap large dependency lists on column 80 (with \), and
+    # we should not choose a depcomp mode which is confused by this.
+    #
+    # We need to recreate these files for each test, as the compiler may
+    # overwrite some of them when testing with obscure command lines.
+    # This happens at least with the AIX C compiler.
+    : > sub/conftest.c
+    for i in 1 2 3 4 5 6; do
+      echo '#include "conftst'$i'.h"' >> sub/conftest.c
+      # Using `: > sub/conftst$i.h' creates only sub/conftst1.h with
+      # Solaris 8's {/usr,}/bin/sh.
+      touch sub/conftst$i.h
+    done
+    echo "${am__include} ${am__quote}sub/conftest.Po${am__quote}" > confmf
 
-osf3* | osf4* | osf5*)
-  version_type=osf
-  need_lib_prefix=no
-  need_version=no
-  soname_spec='${libname}${release}${shared_ext}$major'
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-  shlibpath_var=LD_LIBRARY_PATH
-  sys_lib_search_path_spec="/usr/shlib /usr/ccs/lib /usr/lib/cmplrs/cc /usr/lib /usr/local/lib /var/shlib"
-  sys_lib_dlsearch_path_spec="$sys_lib_search_path_spec"
-  ;;
+    case $depmode in
+    nosideeffect)
+      # after this tag, mechanisms are not by side-effect, so they'll
+      # only be used when explicitly requested
+      if test "x$enable_dependency_tracking" = xyes; then
+	continue
+      else
+	break
+      fi
+      ;;
+    none) break ;;
+    esac
+    # We check with `-c' and `-o' for the sake of the "dashmstdout"
+    # mode.  It turns out that the SunPro C++ compiler does not properly
+    # handle `-M -o', and we need to detect this.
+    if depmode=$depmode \
+       source=sub/conftest.c object=sub/conftest.${OBJEXT-o} \
+       depfile=sub/conftest.Po tmpdepfile=sub/conftest.TPo \
+       $SHELL ./depcomp $depcc -c -o sub/conftest.${OBJEXT-o} sub/conftest.c \
+         >/dev/null 2>conftest.err &&
+       grep sub/conftst1.h sub/conftest.Po > /dev/null 2>&1 &&
+       grep sub/conftst6.h sub/conftest.Po > /dev/null 2>&1 &&
+       grep sub/conftest.${OBJEXT-o} sub/conftest.Po > /dev/null 2>&1 &&
+       ${MAKE-make} -s -f confmf > /dev/null 2>&1; then
+      # icc doesn't choke on unknown options, it will just issue warnings
+      # or remarks (even with -Werror).  So we grep stderr for any message
+      # that says an option was ignored or not supported.
+      # When given -MP, icc 7.0 and 7.1 complain thusly:
+      #   icc: Command line warning: ignoring option '-M'; no argument required
+      # The diagnosis changed in icc 8.0:
+      #   icc: Command line remark: option '-MP' not supported
+      if (grep 'ignoring option' conftest.err ||
+          grep 'not supported' conftest.err) >/dev/null 2>&1; then :; else
+        am_cv_CC_dependencies_compiler_type=$depmode
+        break
+      fi
+    fi
+  done
 
-rdos*)
-  dynamic_linker=no
-  ;;
+  cd ..
+  rm -rf conftest.dir
+else
+  am_cv_CC_dependencies_compiler_type=none
+fi
 
-solaris*)
-  version_type=linux
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=yes
-  hardcode_into_libs=yes
-  # ldd complains unless libraries are executable
-  postinstall_cmds='chmod +x $lib'
-  ;;
+fi
+{ echo "$as_me:$LINENO: result: $am_cv_CC_dependencies_compiler_type" >&5
+echo "${ECHO_T}$am_cv_CC_dependencies_compiler_type" >&6; }
+CCDEPMODE=depmode=$am_cv_CC_dependencies_compiler_type
 
-sunos4*)
-  version_type=sunos
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
-  finish_cmds='PATH="\$PATH:/usr/etc" ldconfig $libdir'
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=yes
-  if test "$with_gnu_ld" = yes; then
-    need_lib_prefix=no
-  fi
-  need_version=yes
-  ;;
+ if
+  test "x$enable_dependency_tracking" != xno \
+  && test "$am_cv_CC_dependencies_compiler_type" = gcc3; then
+  am__fastdepCC_TRUE=
+  am__fastdepCC_FALSE='#'
+else
+  am__fastdepCC_TRUE='#'
+  am__fastdepCC_FALSE=
+fi
 
-sysv4 | sysv4.3*)
-  version_type=linux
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  case $host_vendor in
-    sni)
-      shlibpath_overrides_runpath=no
-      need_lib_prefix=no
-      export_dynamic_flag_spec='${wl}-Blargedynsym'
-      runpath_var=LD_RUN_PATH
-      ;;
-    siemens)
-      need_lib_prefix=no
-      ;;
-    motorola)
-      need_lib_prefix=no
-      need_version=no
-      shlibpath_overrides_runpath=no
-      sys_lib_search_path_spec='/lib /usr/lib /usr/ccs/lib'
-      ;;
-  esac
-  ;;
 
-sysv4*MP*)
-  if test -d /usr/nec ;then
-    version_type=linux
-    library_names_spec='$libname${shared_ext}.$versuffix $libname${shared_ext}.$major $libname${shared_ext}'
-    soname_spec='$libname${shared_ext}.$major'
-    shlibpath_var=LD_LIBRARY_PATH
-  fi
+# Extract the first word of "gperf", so it can be a program name with args.
+set dummy gperf; ac_word=$2
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+if test "${ac_cv_path_GPERF+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  case $GPERF in
+  [\\/]* | ?:[\\/]*)
+  ac_cv_path_GPERF="$GPERF" # Let the user override the test with a path.
   ;;
-
-sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX* | sysv4*uw2*)
-  version_type=freebsd-elf
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext} $libname${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  hardcode_into_libs=yes
-  if test "$with_gnu_ld" = yes; then
-    sys_lib_search_path_spec='/usr/local/lib /usr/gnu/lib /usr/ccs/lib /usr/lib /lib'
-    shlibpath_overrides_runpath=no
-  else
-    sys_lib_search_path_spec='/usr/ccs/lib /usr/lib'
-    shlibpath_overrides_runpath=yes
-    case $host_os in
-      sco3.2v5*)
-        sys_lib_search_path_spec="$sys_lib_search_path_spec /lib"
-	;;
-    esac
+  *)
+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+as_dummy="$PATH:/bin:/usr/bin:/usr/local/bin"
+for as_dir in $as_dummy
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+  for ac_exec_ext in '' $ac_executable_extensions; do
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+    ac_cv_path_GPERF="$as_dir/$ac_word$ac_exec_ext"
+    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
   fi
-  sys_lib_dlsearch_path_spec='/usr/lib'
-  ;;
-
-uts4*)
-  version_type=linux
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  ;;
+done
+done
+IFS=$as_save_IFS
 
-*)
-  dynamic_linker=no
   ;;
 esac
-{ echo "$as_me:$LINENO: result: $dynamic_linker" >&5
-echo "${ECHO_T}$dynamic_linker" >&6; }
-test "$dynamic_linker" = no && can_build_shared=no
-
-if test "${lt_cv_sys_lib_search_path_spec+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+fi
+GPERF=$ac_cv_path_GPERF
+if test -n "$GPERF"; then
+  { echo "$as_me:$LINENO: result: $GPERF" >&5
+echo "${ECHO_T}$GPERF" >&6; }
 else
-  lt_cv_sys_lib_search_path_spec="$sys_lib_search_path_spec"
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 fi
 
-sys_lib_search_path_spec="$lt_cv_sys_lib_search_path_spec"
-if test "${lt_cv_sys_lib_dlsearch_path_spec+set}" = set; then
+
+# Extract the first word of "perl", so it can be a program name with args.
+set dummy perl; ac_word=$2
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+if test "${ac_cv_path_PERL+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  lt_cv_sys_lib_dlsearch_path_spec="$sys_lib_dlsearch_path_spec"
+  case $PERL in
+  [\\/]* | ?:[\\/]*)
+  ac_cv_path_PERL="$PERL" # Let the user override the test with a path.
+  ;;
+  *)
+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+as_dummy="$PATH:/bin:/usr/bin:/usr/local/bin"
+for as_dir in $as_dummy
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+  for ac_exec_ext in '' $ac_executable_extensions; do
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+    ac_cv_path_PERL="$as_dir/$ac_word$ac_exec_ext"
+    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+done
+IFS=$as_save_IFS
+
+  ;;
+esac
+fi
+PERL=$ac_cv_path_PERL
+if test -n "$PERL"; then
+  { echo "$as_me:$LINENO: result: $PERL" >&5
+echo "${ECHO_T}$PERL" >&6; }
+else
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 fi
 
-sys_lib_dlsearch_path_spec="$lt_cv_sys_lib_dlsearch_path_spec"
 
-variables_saved_for_relink="PATH $shlibpath_var $runpath_var"
-if test "$GCC" = yes; then
-  variables_saved_for_relink="$variables_saved_for_relink GCC_EXEC_PREFIX COMPILER_PATH LIBRARY_PATH"
-fi
 
-{ echo "$as_me:$LINENO: checking how to hardcode library paths into programs" >&5
-echo $ECHO_N "checking how to hardcode library paths into programs... $ECHO_C" >&6; }
-hardcode_action_F77=
-if test -n "$hardcode_libdir_flag_spec_F77" || \
-   test -n "$runpath_var_F77" || \
-   test "X$hardcode_automatic_F77" = "Xyes" ; then
 
-  # We can hardcode non-existant directories.
-  if test "$hardcode_direct_F77" != no &&
-     # If the only mechanism to avoid hardcoding is shlibpath_var, we
-     # have to relink, otherwise we might link with an installed library
-     # when we should be linking with a yet-to-be-installed one
-     ## test "$_LT_AC_TAGVAR(hardcode_shlibpath_var, F77)" != no &&
-     test "$hardcode_minus_L_F77" != no; then
-    # Linking always hardcodes the temporary library directory.
-    hardcode_action_F77=relink
-  else
-    # We can link without hardcoding, and we can hardcode nonexisting dirs.
-    hardcode_action_F77=immediate
-  fi
-else
-  # We cannot hardcode anything, or else we can only hardcode existing
-  # directories.
-  hardcode_action_F77=unsupported
+if test x$pluto = xtrue; then
+	gmp=true;
 fi
-{ echo "$as_me:$LINENO: result: $hardcode_action_F77" >&5
-echo "${ECHO_T}$hardcode_action_F77" >&6; }
 
-if test "$hardcode_action_F77" = relink; then
-  # Fast installation is not supported
-  enable_fast_install=no
-elif test "$shlibpath_overrides_runpath" = yes ||
-     test "$enable_shared" = no; then
-  # Fast installation is not necessary
-  enable_fast_install=needless
+if test x$tools = xtrue; then
+	gmp=true;
 fi
 
+if test x$smp = xtrue; then
+	xml=true
+fi
 
-# The else clause should only fire when bootstrapping the
-# libtool distribution, otherwise you forgot to ship ltmain.sh
-# with your package, and you will get complaints that there are
-# no rules to generate ltmain.sh.
-if test -f "$ltmain"; then
-  # See if we are running on zsh, and set the options which allow our commands through
-  # without removal of \ escapes.
-  if test -n "${ZSH_VERSION+set}" ; then
-    setopt NO_GLOB_SUBST
-  fi
-  # Now quote all the things that may contain metacharacters while being
-  # careful not to overquote the AC_SUBSTed values.  We take copies of the
-  # variables and quote the copies for generation of the libtool script.
-  for var in echo old_CC old_CFLAGS AR AR_FLAGS EGREP RANLIB LN_S LTCC LTCFLAGS NM \
-    SED SHELL STRIP \
-    libname_spec library_names_spec soname_spec extract_expsyms_cmds \
-    old_striplib striplib file_magic_cmd finish_cmds finish_eval \
-    deplibs_check_method reload_flag reload_cmds need_locks \
-    lt_cv_sys_global_symbol_pipe lt_cv_sys_global_symbol_to_cdecl \
-    lt_cv_sys_global_symbol_to_c_name_address \
-    sys_lib_search_path_spec sys_lib_dlsearch_path_spec \
-    old_postinstall_cmds old_postuninstall_cmds \
-    compiler_F77 \
-    CC_F77 \
-    LD_F77 \
-    lt_prog_compiler_wl_F77 \
-    lt_prog_compiler_pic_F77 \
-    lt_prog_compiler_static_F77 \
-    lt_prog_compiler_no_builtin_flag_F77 \
-    export_dynamic_flag_spec_F77 \
-    thread_safe_flag_spec_F77 \
-    whole_archive_flag_spec_F77 \
-    enable_shared_with_static_runtimes_F77 \
-    old_archive_cmds_F77 \
-    old_archive_from_new_cmds_F77 \
-    predep_objects_F77 \
-    postdep_objects_F77 \
-    predeps_F77 \
-    postdeps_F77 \
-    compiler_lib_search_path_F77 \
-    compiler_lib_search_dirs_F77 \
-    archive_cmds_F77 \
-    archive_expsym_cmds_F77 \
-    postinstall_cmds_F77 \
-    postuninstall_cmds_F77 \
-    old_archive_from_expsyms_cmds_F77 \
-    allow_undefined_flag_F77 \
-    no_undefined_flag_F77 \
-    export_symbols_cmds_F77 \
-    hardcode_libdir_flag_spec_F77 \
-    hardcode_libdir_flag_spec_ld_F77 \
-    hardcode_libdir_separator_F77 \
-    hardcode_automatic_F77 \
-    module_cmds_F77 \
-    module_expsym_cmds_F77 \
-    lt_cv_prog_compiler_c_o_F77 \
-    fix_srcfile_path_F77 \
-    exclude_expsyms_F77 \
-    include_expsyms_F77; do
-
-    case $var in
-    old_archive_cmds_F77 | \
-    old_archive_from_new_cmds_F77 | \
-    archive_cmds_F77 | \
-    archive_expsym_cmds_F77 | \
-    module_cmds_F77 | \
-    module_expsym_cmds_F77 | \
-    old_archive_from_expsyms_cmds_F77 | \
-    export_symbols_cmds_F77 | \
-    extract_expsyms_cmds | reload_cmds | finish_cmds | \
-    postinstall_cmds | postuninstall_cmds | \
-    old_postinstall_cmds | old_postuninstall_cmds | \
-    sys_lib_search_path_spec | sys_lib_dlsearch_path_spec)
-      # Double-quote double-evaled strings.
-      eval "lt_$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$double_quote_subst\" -e \"\$sed_quote_subst\" -e \"\$delay_variable_subst\"\`\\\""
-      ;;
-    *)
-      eval "lt_$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$sed_quote_subst\"\`\\\""
-      ;;
-    esac
-  done
-
-  case $lt_echo in
-  *'\$0 --fallback-echo"')
-    lt_echo=`$echo "X$lt_echo" | $Xsed -e 's/\\\\\\\$0 --fallback-echo"$/$0 --fallback-echo"/'`
-    ;;
-  esac
+if test x$manager = xtrue; then
+	fast=true
+fi
 
-cfgfile="$ofile"
+if test x$medsrv = xtrue; then
+	me=true
+	fast=true
+fi
 
-  cat <<__EOF__ >> "$cfgfile"
-# ### BEGIN LIBTOOL TAG CONFIG: $tagname
+if test x$medcli = xtrue; then
+	me=true
+fi
 
-# Libtool was configured on host `(hostname || uname -n) 2>/dev/null | sed 1q`:
 
-# Shell to use when invoking shell scripts.
-SHELL=$lt_SHELL
 
-# Whether or not to build shared libraries.
-build_libtool_libs=$enable_shared
+{ echo "$as_me:$LINENO: checking for main in -ldl" >&5
+echo $ECHO_N "checking for main in -ldl... $ECHO_C" >&6; }
+if test "${ac_cv_lib_dl_main+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-ldl  $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
 
-# Whether or not to build static libraries.
-build_old_libs=$enable_static
 
-# Whether or not to add -lc for building shared libraries.
-build_libtool_need_lc=$archive_cmds_need_lc_F77
+int
+main ()
+{
+return main ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+  ac_cv_lib_dl_main=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
 
-# Whether or not to disallow shared libs when runtime libs are static
-allow_libtool_libs_with_static_runtimes=$enable_shared_with_static_runtimes_F77
+	ac_cv_lib_dl_main=no
+fi
 
-# Whether or not to optimize for fast installation.
-fast_install=$enable_fast_install
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_dl_main" >&5
+echo "${ECHO_T}$ac_cv_lib_dl_main" >&6; }
+if test $ac_cv_lib_dl_main = yes; then
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_LIBDL 1
+_ACEOF
 
-# The host system.
-host_alias=$host_alias
-host=$host
-host_os=$host_os
+  LIBS="-ldl $LIBS"
 
-# The build system.
-build_alias=$build_alias
-build=$build
-build_os=$build_os
+fi
+ac_cv_lib_dl=ac_cv_lib_dl_main
 
-# An echo program that does not interpret backslashes.
-echo=$lt_echo
 
-# The archiver.
-AR=$lt_AR
-AR_FLAGS=$lt_AR_FLAGS
+for ac_func in backtrace
+do
+as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
+{ echo "$as_me:$LINENO: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; }
+if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+/* Define $ac_func to an innocuous variant, in case <limits.h> declares $ac_func.
+   For example, HP-UX 11i <limits.h> declares gettimeofday.  */
+#define $ac_func innocuous_$ac_func
 
-# A C compiler.
-LTCC=$lt_LTCC
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.
+    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+    <limits.h> exists even on freestanding compilers.  */
 
-# LTCC compiler flags.
-LTCFLAGS=$lt_LTCFLAGS
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
 
-# A language-specific compiler.
-CC=$lt_compiler_F77
+#undef $ac_func
 
-# Is the compiler the GNU C compiler?
-with_gcc=$GCC_F77
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char $ac_func ();
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined __stub_$ac_func || defined __stub___$ac_func
+choke me
+#endif
 
-# An ERE matcher.
-EGREP=$lt_EGREP
+int
+main ()
+{
+return $ac_func ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+  eval "$as_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
 
-# The linker used to build libraries.
-LD=$lt_LD_F77
+	eval "$as_ac_var=no"
+fi
 
-# Whether we need hard or soft links.
-LN_S=$lt_LN_S
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+fi
+ac_res=`eval echo '${'$as_ac_var'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
+if test `eval echo '${'$as_ac_var'}'` = yes; then
+  cat >>confdefs.h <<_ACEOF
+#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
+_ACEOF
 
-# A BSD-compatible nm program.
-NM=$lt_NM
+fi
+done
 
-# A symbol stripping program
-STRIP=$lt_STRIP
 
-# Used to examine libraries when file_magic_cmd begins "file"
-MAGIC_CMD=$MAGIC_CMD
+for ac_func in dladdr
+do
+as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
+{ echo "$as_me:$LINENO: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; }
+if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+/* Define $ac_func to an innocuous variant, in case <limits.h> declares $ac_func.
+   For example, HP-UX 11i <limits.h> declares gettimeofday.  */
+#define $ac_func innocuous_$ac_func
 
-# Used on cygwin: DLL creation program.
-DLLTOOL="$DLLTOOL"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.
+    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+    <limits.h> exists even on freestanding compilers.  */
 
-# Used on cygwin: object dumper.
-OBJDUMP="$OBJDUMP"
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
 
-# Used on cygwin: assembler.
-AS="$AS"
+#undef $ac_func
 
-# The name of the directory that contains temporary libtool files.
-objdir=$objdir
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char $ac_func ();
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined __stub_$ac_func || defined __stub___$ac_func
+choke me
+#endif
 
-# How to create reloadable object files.
-reload_flag=$lt_reload_flag
-reload_cmds=$lt_reload_cmds
-
-# How to pass a linker flag through the compiler.
-wl=$lt_lt_prog_compiler_wl_F77
-
-# Object file suffix (normally "o").
-objext="$ac_objext"
-
-# Old archive suffix (normally "a").
-libext="$libext"
-
-# Shared library suffix (normally ".so").
-shrext_cmds='$shrext_cmds'
+int
+main ()
+{
+return $ac_func ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+  eval "$as_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
 
-# Executable file suffix (normally "").
-exeext="$exeext"
+	eval "$as_ac_var=no"
+fi
 
-# Additional compiler flags for building library objects.
-pic_flag=$lt_lt_prog_compiler_pic_F77
-pic_mode=$pic_mode
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+fi
+ac_res=`eval echo '${'$as_ac_var'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
+if test `eval echo '${'$as_ac_var'}'` = yes; then
+  cat >>confdefs.h <<_ACEOF
+#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
+_ACEOF
 
-# What is the maximum length of a command?
-max_cmd_len=$lt_cv_sys_max_cmd_len
+fi
+done
 
-# Does compiler simultaneously support -c and -o options?
-compiler_c_o=$lt_lt_cv_prog_compiler_c_o_F77
 
-# Must we lock files when doing compilation?
-need_locks=$lt_need_locks
+{ echo "$as_me:$LINENO: checking for gcc atomic operations" >&5
+echo $ECHO_N "checking for gcc atomic operations... $ECHO_C" >&6; }
+if test "$cross_compiling" = yes; then
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
 
-# Do we need the lib prefix for modules?
-need_lib_prefix=$need_lib_prefix
+	int main() {
+		volatile int ref = 1;
+		__sync_fetch_and_add (&ref, 1);
+		__sync_sub_and_fetch (&ref, 1);
+		/* Make sure test fails if operations are not supported */
+		__sync_val_compare_and_swap(&ref, 1, 0);
+		return ref;
+	}
 
-# Do we need a version for libraries?
-need_version=$need_version
+_ACEOF
+rm -f conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
+  { (case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_try") 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; }; then
+  { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }; cat >>confdefs.h <<\_ACEOF
+#define HAVE_GCC_ATOMIC_OPERATIONS 1
+_ACEOF
 
-# Whether dlopen is supported.
-dlopen_support=$enable_dlopen
+else
+  echo "$as_me: program exited with status $ac_status" >&5
+echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
 
-# Whether dlopen of programs is supported.
-dlopen_self=$enable_dlopen_self
+( exit $ac_status )
+{ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
+fi
 
-# Whether dlopen of statically linked programs is supported.
-dlopen_self_static=$enable_dlopen_self_static
 
-# Compiler flag to prevent dynamic linking.
-link_static_flag=$lt_lt_prog_compiler_static_F77
 
-# Compiler flag to turn off builtin functions.
-no_builtin_flag=$lt_lt_prog_compiler_no_builtin_flag_F77
+if test x$gmp = xtrue; then
+	{ echo "$as_me:$LINENO: checking for main in -lgmp" >&5
+echo $ECHO_N "checking for main in -lgmp... $ECHO_C" >&6; }
+if test "${ac_cv_lib_gmp_main+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lgmp  $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
 
-# Compiler flag to allow reflexive dlopens.
-export_dynamic_flag_spec=$lt_export_dynamic_flag_spec_F77
 
-# Compiler flag to generate shared objects directly from archives.
-whole_archive_flag_spec=$lt_whole_archive_flag_spec_F77
+int
+main ()
+{
+return main ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+  ac_cv_lib_gmp_main=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
 
-# Compiler flag to generate thread-safe objects.
-thread_safe_flag_spec=$lt_thread_safe_flag_spec_F77
+	ac_cv_lib_gmp_main=no
+fi
 
-# Library versioning type.
-version_type=$version_type
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_gmp_main" >&5
+echo "${ECHO_T}$ac_cv_lib_gmp_main" >&6; }
+if test $ac_cv_lib_gmp_main = yes; then
+  LIBS="$LIBS"
+else
+  { { echo "$as_me:$LINENO: error: GNU Multi Precision library gmp not found" >&5
+echo "$as_me: error: GNU Multi Precision library gmp not found" >&2;}
+   { (exit 1); exit 1; }; }
+fi
+ac_cv_lib_gmp=ac_cv_lib_gmp_main
 
-# Format of library name prefix.
-libname_spec=$lt_libname_spec
+	{ echo "$as_me:$LINENO: checking gmp.h version >= 4.1.4" >&5
+echo $ECHO_N "checking gmp.h version >= 4.1.4... $ECHO_C" >&6; }
+	cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+#include "gmp.h"
+int
+main ()
+{
 
-# List of archive names.  First name is the real one, the rest are links.
-# The last name is the one that the linker finds with -lNAME.
-library_names_spec=$lt_library_names_spec
+			#if (__GNU_MP_VERSION*100 +  __GNU_MP_VERSION_MINOR*10 + __GNU_MP_VERSION_PATCHLEVEL) < 414
+				#error bad gmp
+			#endif
 
-# The coded name of the library, if different from the real name.
-soname_spec=$lt_soname_spec
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
 
-# Commands used to build and install an old-style archive.
-RANLIB=$lt_RANLIB
-old_archive_cmds=$lt_old_archive_cmds_F77
-old_postinstall_cmds=$lt_old_postinstall_cmds
-old_postuninstall_cmds=$lt_old_postuninstall_cmds
+	{ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }; { { echo "$as_me:$LINENO: error: No usable gmp.h found!" >&5
+echo "$as_me: error: No usable gmp.h found!" >&2;}
+   { (exit 1); exit 1; }; }
 
-# Create an old-style archive from a shared archive.
-old_archive_from_new_cmds=$lt_old_archive_from_new_cmds_F77
+fi
 
-# Create a temporary old-style archive to link instead of a shared archive.
-old_archive_from_expsyms_cmds=$lt_old_archive_from_expsyms_cmds_F77
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
 
-# Commands used to build and install a shared archive.
-archive_cmds=$lt_archive_cmds_F77
-archive_expsym_cmds=$lt_archive_expsym_cmds_F77
-postinstall_cmds=$lt_postinstall_cmds
-postuninstall_cmds=$lt_postuninstall_cmds
+if test x$ldap = xtrue; then
+	{ echo "$as_me:$LINENO: checking for main in -lldap" >&5
+echo $ECHO_N "checking for main in -lldap... $ECHO_C" >&6; }
+if test "${ac_cv_lib_ldap_main+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lldap  $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
 
-# Commands used to build a loadable module (assumed same as above if empty)
-module_cmds=$lt_module_cmds_F77
-module_expsym_cmds=$lt_module_expsym_cmds_F77
 
-# Commands to strip libraries.
-old_striplib=$lt_old_striplib
-striplib=$lt_striplib
-
-# Dependencies to place before the objects being linked to create a
-# shared library.
-predep_objects=$lt_predep_objects_F77
-
-# Dependencies to place after the objects being linked to create a
-# shared library.
-postdep_objects=$lt_postdep_objects_F77
-
-# Dependencies to place before the objects being linked to create a
-# shared library.
-predeps=$lt_predeps_F77
-
-# Dependencies to place after the objects being linked to create a
-# shared library.
-postdeps=$lt_postdeps_F77
+int
+main ()
+{
+return main ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+  ac_cv_lib_ldap_main=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
 
-# The directories searched by this compiler when creating a shared
-# library
-compiler_lib_search_dirs=$lt_compiler_lib_search_dirs_F77
+	ac_cv_lib_ldap_main=no
+fi
 
-# The library search path used internally by the compiler when linking
-# a shared library.
-compiler_lib_search_path=$lt_compiler_lib_search_path_F77
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_ldap_main" >&5
+echo "${ECHO_T}$ac_cv_lib_ldap_main" >&6; }
+if test $ac_cv_lib_ldap_main = yes; then
+  LIBS="$LIBS"
+else
+  { { echo "$as_me:$LINENO: error: LDAP library ldap not found" >&5
+echo "$as_me: error: LDAP library ldap not found" >&2;}
+   { (exit 1); exit 1; }; }
+fi
+ac_cv_lib_ldap=ac_cv_lib_ldap_main
 
-# Method to check whether dependent libraries are shared objects.
-deplibs_check_method=$lt_deplibs_check_method
+	{ echo "$as_me:$LINENO: checking for main in -llber" >&5
+echo $ECHO_N "checking for main in -llber... $ECHO_C" >&6; }
+if test "${ac_cv_lib_lber_main+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-llber  $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
 
-# Command to use when deplibs_check_method == file_magic.
-file_magic_cmd=$lt_file_magic_cmd
 
-# Flag that allows shared libraries with undefined symbols to be built.
-allow_undefined_flag=$lt_allow_undefined_flag_F77
+int
+main ()
+{
+return main ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+  ac_cv_lib_lber_main=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
 
-# Flag that forces no undefined symbols.
-no_undefined_flag=$lt_no_undefined_flag_F77
+	ac_cv_lib_lber_main=no
+fi
 
-# Commands used to finish a libtool library installation in a directory.
-finish_cmds=$lt_finish_cmds
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_lber_main" >&5
+echo "${ECHO_T}$ac_cv_lib_lber_main" >&6; }
+if test $ac_cv_lib_lber_main = yes; then
+  LIBS="$LIBS"
+else
+  { { echo "$as_me:$LINENO: error: LDAP library lber not found" >&5
+echo "$as_me: error: LDAP library lber not found" >&2;}
+   { (exit 1); exit 1; }; }
+fi
+ac_cv_lib_lber=ac_cv_lib_lber_main
 
-# Same as above, but a single script fragment to be evaled but not shown.
-finish_eval=$lt_finish_eval
+	if test "${ac_cv_header_ldap_h+set}" = set; then
+  { echo "$as_me:$LINENO: checking for ldap.h" >&5
+echo $ECHO_N "checking for ldap.h... $ECHO_C" >&6; }
+if test "${ac_cv_header_ldap_h+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_header_ldap_h" >&5
+echo "${ECHO_T}$ac_cv_header_ldap_h" >&6; }
+else
+  # Is the header compilable?
+{ echo "$as_me:$LINENO: checking ldap.h usability" >&5
+echo $ECHO_N "checking ldap.h usability... $ECHO_C" >&6; }
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+$ac_includes_default
+#include <ldap.h>
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  ac_header_compiler=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
 
-# Take the output of nm and produce a listing of raw symbols and C names.
-global_symbol_pipe=$lt_lt_cv_sys_global_symbol_pipe
+	ac_header_compiler=no
+fi
 
-# Transform the output of nm in a proper C declaration
-global_symbol_to_cdecl=$lt_lt_cv_sys_global_symbol_to_cdecl
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
+echo "${ECHO_T}$ac_header_compiler" >&6; }
 
-# Transform the output of nm in a C name address pair
-global_symbol_to_c_name_address=$lt_lt_cv_sys_global_symbol_to_c_name_address
+# Is the header present?
+{ echo "$as_me:$LINENO: checking ldap.h presence" >&5
+echo $ECHO_N "checking ldap.h presence... $ECHO_C" >&6; }
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+#include <ldap.h>
+_ACEOF
+if { (ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } >/dev/null && {
+	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       }; then
+  ac_header_preproc=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
 
-# This is the shared library runtime path variable.
-runpath_var=$runpath_var
+  ac_header_preproc=no
+fi
 
-# This is the shared library path variable.
-shlibpath_var=$shlibpath_var
+rm -f conftest.err conftest.$ac_ext
+{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
+echo "${ECHO_T}$ac_header_preproc" >&6; }
 
-# Is shlibpath searched before the hard-coded library search path?
-shlibpath_overrides_runpath=$shlibpath_overrides_runpath
+# So?  What about this header?
+case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
+  yes:no: )
+    { echo "$as_me:$LINENO: WARNING: ldap.h: accepted by the compiler, rejected by the preprocessor!" >&5
+echo "$as_me: WARNING: ldap.h: accepted by the compiler, rejected by the preprocessor!" >&2;}
+    { echo "$as_me:$LINENO: WARNING: ldap.h: proceeding with the compiler's result" >&5
+echo "$as_me: WARNING: ldap.h: proceeding with the compiler's result" >&2;}
+    ac_header_preproc=yes
+    ;;
+  no:yes:* )
+    { echo "$as_me:$LINENO: WARNING: ldap.h: present but cannot be compiled" >&5
+echo "$as_me: WARNING: ldap.h: present but cannot be compiled" >&2;}
+    { echo "$as_me:$LINENO: WARNING: ldap.h:     check for missing prerequisite headers?" >&5
+echo "$as_me: WARNING: ldap.h:     check for missing prerequisite headers?" >&2;}
+    { echo "$as_me:$LINENO: WARNING: ldap.h: see the Autoconf documentation" >&5
+echo "$as_me: WARNING: ldap.h: see the Autoconf documentation" >&2;}
+    { echo "$as_me:$LINENO: WARNING: ldap.h:     section \"Present But Cannot Be Compiled\"" >&5
+echo "$as_me: WARNING: ldap.h:     section \"Present But Cannot Be Compiled\"" >&2;}
+    { echo "$as_me:$LINENO: WARNING: ldap.h: proceeding with the preprocessor's result" >&5
+echo "$as_me: WARNING: ldap.h: proceeding with the preprocessor's result" >&2;}
+    { echo "$as_me:$LINENO: WARNING: ldap.h: in the future, the compiler will take precedence" >&5
+echo "$as_me: WARNING: ldap.h: in the future, the compiler will take precedence" >&2;}
 
-# How to hardcode a shared library path into an executable.
-hardcode_action=$hardcode_action_F77
+    ;;
+esac
+{ echo "$as_me:$LINENO: checking for ldap.h" >&5
+echo $ECHO_N "checking for ldap.h... $ECHO_C" >&6; }
+if test "${ac_cv_header_ldap_h+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_cv_header_ldap_h=$ac_header_preproc
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_header_ldap_h" >&5
+echo "${ECHO_T}$ac_cv_header_ldap_h" >&6; }
 
-# Whether we should hardcode library paths into libraries.
-hardcode_into_libs=$hardcode_into_libs
+fi
+if test $ac_cv_header_ldap_h = yes; then
+  :
+else
+  { { echo "$as_me:$LINENO: error: LDAP header ldap.h not found!" >&5
+echo "$as_me: error: LDAP header ldap.h not found!" >&2;}
+   { (exit 1); exit 1; }; }
+fi
 
-# Flag to hardcode \$libdir into a binary during linking.
-# This must work even if \$libdir does not exist.
-hardcode_libdir_flag_spec=$lt_hardcode_libdir_flag_spec_F77
 
-# If ld is used when linking, flag to hardcode \$libdir into
-# a binary during linking. This must work even if \$libdir does
-# not exist.
-hardcode_libdir_flag_spec_ld=$lt_hardcode_libdir_flag_spec_ld_F77
+fi
 
-# Whether we need a single -rpath flag with a separated argument.
-hardcode_libdir_separator=$lt_hardcode_libdir_separator_F77
-
-# Set to yes if using DIR/libNAME${shared_ext} during linking hardcodes DIR into the
-# resulting binary.
-hardcode_direct=$hardcode_direct_F77
-
-# Set to yes if using the -LDIR flag during linking hardcodes DIR into the
-# resulting binary.
-hardcode_minus_L=$hardcode_minus_L_F77
-
-# Set to yes if using SHLIBPATH_VAR=DIR during linking hardcodes DIR into
-# the resulting binary.
-hardcode_shlibpath_var=$hardcode_shlibpath_var_F77
-
-# Set to yes if building a shared library automatically hardcodes DIR into the library
-# and all subsequent libraries and executables linked against it.
-hardcode_automatic=$hardcode_automatic_F77
-
-# Variables whose values should be saved in libtool wrapper scripts and
-# restored at relink time.
-variables_saved_for_relink="$variables_saved_for_relink"
-
-# Whether libtool must link a program against all its dependency libraries.
-link_all_deplibs=$link_all_deplibs_F77
+if test x$curl = xtrue; then
+	{ echo "$as_me:$LINENO: checking for main in -lcurl" >&5
+echo $ECHO_N "checking for main in -lcurl... $ECHO_C" >&6; }
+if test "${ac_cv_lib_curl_main+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lcurl  $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
 
-# Compile-time system search path for libraries
-sys_lib_search_path_spec=$lt_sys_lib_search_path_spec
 
-# Run-time system search path for libraries
-sys_lib_dlsearch_path_spec=$lt_sys_lib_dlsearch_path_spec
+int
+main ()
+{
+return main ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+  ac_cv_lib_curl_main=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
 
-# Fix the shell variable \$srcfile for the compiler.
-fix_srcfile_path=$lt_fix_srcfile_path
+	ac_cv_lib_curl_main=no
+fi
 
-# Set to yes if exported symbols are required.
-always_export_symbols=$always_export_symbols_F77
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_curl_main" >&5
+echo "${ECHO_T}$ac_cv_lib_curl_main" >&6; }
+if test $ac_cv_lib_curl_main = yes; then
+  LIBS="$LIBS"
+else
+  { { echo "$as_me:$LINENO: error: CURL library curl not found" >&5
+echo "$as_me: error: CURL library curl not found" >&2;}
+   { (exit 1); exit 1; }; }
+fi
+ac_cv_lib_curl=ac_cv_lib_curl_main
 
-# The commands to list exported symbols.
-export_symbols_cmds=$lt_export_symbols_cmds_F77
+	if test "${ac_cv_header_curl_curl_h+set}" = set; then
+  { echo "$as_me:$LINENO: checking for curl/curl.h" >&5
+echo $ECHO_N "checking for curl/curl.h... $ECHO_C" >&6; }
+if test "${ac_cv_header_curl_curl_h+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_header_curl_curl_h" >&5
+echo "${ECHO_T}$ac_cv_header_curl_curl_h" >&6; }
+else
+  # Is the header compilable?
+{ echo "$as_me:$LINENO: checking curl/curl.h usability" >&5
+echo $ECHO_N "checking curl/curl.h usability... $ECHO_C" >&6; }
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+$ac_includes_default
+#include <curl/curl.h>
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  ac_header_compiler=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
 
-# The commands to extract the exported symbol list from a shared archive.
-extract_expsyms_cmds=$lt_extract_expsyms_cmds
+	ac_header_compiler=no
+fi
 
-# Symbols that should not be listed in the preloaded symbols.
-exclude_expsyms=$lt_exclude_expsyms_F77
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
+echo "${ECHO_T}$ac_header_compiler" >&6; }
 
-# Symbols that must always be exported.
-include_expsyms=$lt_include_expsyms_F77
+# Is the header present?
+{ echo "$as_me:$LINENO: checking curl/curl.h presence" >&5
+echo $ECHO_N "checking curl/curl.h presence... $ECHO_C" >&6; }
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+#include <curl/curl.h>
+_ACEOF
+if { (ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } >/dev/null && {
+	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       }; then
+  ac_header_preproc=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
 
-# ### END LIBTOOL TAG CONFIG: $tagname
+  ac_header_preproc=no
+fi
 
-__EOF__
+rm -f conftest.err conftest.$ac_ext
+{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
+echo "${ECHO_T}$ac_header_preproc" >&6; }
 
+# So?  What about this header?
+case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
+  yes:no: )
+    { echo "$as_me:$LINENO: WARNING: curl/curl.h: accepted by the compiler, rejected by the preprocessor!" >&5
+echo "$as_me: WARNING: curl/curl.h: accepted by the compiler, rejected by the preprocessor!" >&2;}
+    { echo "$as_me:$LINENO: WARNING: curl/curl.h: proceeding with the compiler's result" >&5
+echo "$as_me: WARNING: curl/curl.h: proceeding with the compiler's result" >&2;}
+    ac_header_preproc=yes
+    ;;
+  no:yes:* )
+    { echo "$as_me:$LINENO: WARNING: curl/curl.h: present but cannot be compiled" >&5
+echo "$as_me: WARNING: curl/curl.h: present but cannot be compiled" >&2;}
+    { echo "$as_me:$LINENO: WARNING: curl/curl.h:     check for missing prerequisite headers?" >&5
+echo "$as_me: WARNING: curl/curl.h:     check for missing prerequisite headers?" >&2;}
+    { echo "$as_me:$LINENO: WARNING: curl/curl.h: see the Autoconf documentation" >&5
+echo "$as_me: WARNING: curl/curl.h: see the Autoconf documentation" >&2;}
+    { echo "$as_me:$LINENO: WARNING: curl/curl.h:     section \"Present But Cannot Be Compiled\"" >&5
+echo "$as_me: WARNING: curl/curl.h:     section \"Present But Cannot Be Compiled\"" >&2;}
+    { echo "$as_me:$LINENO: WARNING: curl/curl.h: proceeding with the preprocessor's result" >&5
+echo "$as_me: WARNING: curl/curl.h: proceeding with the preprocessor's result" >&2;}
+    { echo "$as_me:$LINENO: WARNING: curl/curl.h: in the future, the compiler will take precedence" >&5
+echo "$as_me: WARNING: curl/curl.h: in the future, the compiler will take precedence" >&2;}
 
+    ;;
+esac
+{ echo "$as_me:$LINENO: checking for curl/curl.h" >&5
+echo $ECHO_N "checking for curl/curl.h... $ECHO_C" >&6; }
+if test "${ac_cv_header_curl_curl_h+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  # If there is no Makefile yet, we rely on a make rule to execute
-  # `config.status --recheck' to rerun these tests and create the
-  # libtool script then.
-  ltmain_in=`echo $ltmain | sed -e 's/\.sh$/.in/'`
-  if test -f "$ltmain_in"; then
-    test -f Makefile && make "$ltmain"
-  fi
+  ac_cv_header_curl_curl_h=$ac_header_preproc
 fi
+{ echo "$as_me:$LINENO: result: $ac_cv_header_curl_curl_h" >&5
+echo "${ECHO_T}$ac_cv_header_curl_curl_h" >&6; }
 
+fi
+if test $ac_cv_header_curl_curl_h = yes; then
+  :
+else
+  { { echo "$as_me:$LINENO: error: CURL header curl/curl.h not found!" >&5
+echo "$as_me: error: CURL header curl/curl.h not found!" >&2;}
+   { (exit 1); exit 1; }; }
+fi
 
-ac_ext=c
-ac_cpp='$CPP $CPPFLAGS'
-ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
-ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
-ac_compiler_gnu=$ac_cv_c_compiler_gnu
-
-CC="$lt_save_CC"
-
-	else
-	  tagname=""
-	fi
-	;;
 
-      GCJ)
-	if test -n "$GCJ" && test "X$GCJ" != "Xno"; then
+fi
 
+if test x$xml = xtrue; then
 
-# Source file extension for Java test sources.
-ac_ext=java
+pkg_failed=no
+{ echo "$as_me:$LINENO: checking for xml" >&5
+echo $ECHO_N "checking for xml... $ECHO_C" >&6; }
 
-# Object file extension for compiled Java test sources.
-objext=o
-objext_GCJ=$objext
+if test -n "$PKG_CONFIG"; then
+    if test -n "$xml_CFLAGS"; then
+        pkg_cv_xml_CFLAGS="$xml_CFLAGS"
+    else
+        if test -n "$PKG_CONFIG" && \
+    { (echo "$as_me:$LINENO: \$PKG_CONFIG --exists --print-errors \"libxml-2.0\"") >&5
+  ($PKG_CONFIG --exists --print-errors "libxml-2.0") 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  pkg_cv_xml_CFLAGS=`$PKG_CONFIG --cflags "libxml-2.0" 2>/dev/null`
+else
+  pkg_failed=yes
+fi
+    fi
+else
+	pkg_failed=untried
+fi
+if test -n "$PKG_CONFIG"; then
+    if test -n "$xml_LIBS"; then
+        pkg_cv_xml_LIBS="$xml_LIBS"
+    else
+        if test -n "$PKG_CONFIG" && \
+    { (echo "$as_me:$LINENO: \$PKG_CONFIG --exists --print-errors \"libxml-2.0\"") >&5
+  ($PKG_CONFIG --exists --print-errors "libxml-2.0") 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  pkg_cv_xml_LIBS=`$PKG_CONFIG --libs "libxml-2.0" 2>/dev/null`
+else
+  pkg_failed=yes
+fi
+    fi
+else
+	pkg_failed=untried
+fi
 
-# Code to be used in simple compile tests
-lt_simple_compile_test_code="class foo {}"
 
-# Code to be used in simple link tests
-lt_simple_link_test_code='public class conftest { public static void main(String[] argv) {}; }'
 
-# ltmain only uses $CC for tagged configurations so make sure $CC is set.
+if test $pkg_failed = yes; then
 
-# If no C compiler was specified, use CC.
-LTCC=${LTCC-"$CC"}
+if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
+        _pkg_short_errors_supported=yes
+else
+        _pkg_short_errors_supported=no
+fi
+        if test $_pkg_short_errors_supported = yes; then
+	        xml_PKG_ERRORS=`$PKG_CONFIG --short-errors --errors-to-stdout --print-errors "libxml-2.0"`
+        else
+	        xml_PKG_ERRORS=`$PKG_CONFIG --errors-to-stdout --print-errors "libxml-2.0"`
+        fi
+	# Put the nasty error message in config.log where it belongs
+	echo "$xml_PKG_ERRORS" >&5
 
-# If no C compiler flags were specified, use CFLAGS.
-LTCFLAGS=${LTCFLAGS-"$CFLAGS"}
+	{ { echo "$as_me:$LINENO: error: Package requirements (libxml-2.0) were not met:
 
-# Allow CC to be a program name with arguments.
-compiler=$CC
+$xml_PKG_ERRORS
 
+Consider adjusting the PKG_CONFIG_PATH environment variable if you
+installed software in a non-standard prefix.
 
-# save warnings/boilerplate of simple test code
-ac_outfile=conftest.$ac_objext
-echo "$lt_simple_compile_test_code" >conftest.$ac_ext
-eval "$ac_compile" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err
-_lt_compiler_boilerplate=`cat conftest.err`
-$rm conftest*
+Alternatively, you may set the environment variables xml_CFLAGS
+and xml_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details.
+" >&5
+echo "$as_me: error: Package requirements (libxml-2.0) were not met:
 
-ac_outfile=conftest.$ac_objext
-echo "$lt_simple_link_test_code" >conftest.$ac_ext
-eval "$ac_link" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err
-_lt_linker_boilerplate=`cat conftest.err`
-$rm -r conftest*
+$xml_PKG_ERRORS
 
+Consider adjusting the PKG_CONFIG_PATH environment variable if you
+installed software in a non-standard prefix.
 
-# Allow CC to be a program name with arguments.
-lt_save_CC="$CC"
-CC=${GCJ-"gcj"}
-compiler=$CC
-compiler_GCJ=$CC
-for cc_temp in $compiler""; do
-  case $cc_temp in
-    compile | *[\\/]compile | ccache | *[\\/]ccache ) ;;
-    distcc | *[\\/]distcc | purify | *[\\/]purify ) ;;
-    \-*) ;;
-    *) break;;
-  esac
-done
-cc_basename=`$echo "X$cc_temp" | $Xsed -e 's%.*/%%' -e "s%^$host_alias-%%"`
+Alternatively, you may set the environment variables xml_CFLAGS
+and xml_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details.
+" >&2;}
+   { (exit 1); exit 1; }; }
+elif test $pkg_failed = untried; then
+	{ { echo "$as_me:$LINENO: error: The pkg-config script could not be found or is too old.  Make sure it
+is in your PATH or set the PKG_CONFIG environment variable to the full
+path to pkg-config.
+
+Alternatively, you may set the environment variables xml_CFLAGS
+and xml_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details.
 
+To get pkg-config, see <http://pkg-config.freedesktop.org/>.
+See \`config.log' for more details." >&5
+echo "$as_me: error: The pkg-config script could not be found or is too old.  Make sure it
+is in your PATH or set the PKG_CONFIG environment variable to the full
+path to pkg-config.
 
-# GCJ did not exist at the time GCC didn't implicitly link libc in.
-archive_cmds_need_lc_GCJ=no
+Alternatively, you may set the environment variables xml_CFLAGS
+and xml_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details.
 
-old_archive_cmds_GCJ=$old_archive_cmds
+To get pkg-config, see <http://pkg-config.freedesktop.org/>.
+See \`config.log' for more details." >&2;}
+   { (exit 1); exit 1; }; }
+else
+	xml_CFLAGS=$pkg_cv_xml_CFLAGS
+	xml_LIBS=$pkg_cv_xml_LIBS
+        { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
+	:
+fi
 
 
-lt_prog_compiler_no_builtin_flag_GCJ=
+fi
 
-if test "$GCC" = yes; then
-  lt_prog_compiler_no_builtin_flag_GCJ=' -fno-builtin'
+if test x$dumm = xtrue; then
 
+pkg_failed=no
+{ echo "$as_me:$LINENO: checking for gtk" >&5
+echo $ECHO_N "checking for gtk... $ECHO_C" >&6; }
 
-{ echo "$as_me:$LINENO: checking if $compiler supports -fno-rtti -fno-exceptions" >&5
-echo $ECHO_N "checking if $compiler supports -fno-rtti -fno-exceptions... $ECHO_C" >&6; }
-if test "${lt_cv_prog_compiler_rtti_exceptions+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+if test -n "$PKG_CONFIG"; then
+    if test -n "$gtk_CFLAGS"; then
+        pkg_cv_gtk_CFLAGS="$gtk_CFLAGS"
+    else
+        if test -n "$PKG_CONFIG" && \
+    { (echo "$as_me:$LINENO: \$PKG_CONFIG --exists --print-errors \"gtk+-2.0 vte\"") >&5
+  ($PKG_CONFIG --exists --print-errors "gtk+-2.0 vte") 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  pkg_cv_gtk_CFLAGS=`$PKG_CONFIG --cflags "gtk+-2.0 vte" 2>/dev/null`
 else
-  lt_cv_prog_compiler_rtti_exceptions=no
-  ac_outfile=conftest.$ac_objext
-   echo "$lt_simple_compile_test_code" > conftest.$ac_ext
-   lt_compiler_flag="-fno-rtti -fno-exceptions"
-   # Insert the option either (1) after the last *FLAGS variable, or
-   # (2) before a word containing "conftest.", or (3) at the end.
-   # Note that $ac_compile itself does not contain backslashes and begins
-   # with a dollar sign (not a hyphen), so the echo should work correctly.
-   # The option is referenced via a variable to avoid confusing sed.
-   lt_compile=`echo "$ac_compile" | $SED \
-   -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-   -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-   -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:18297: $lt_compile\"" >&5)
-   (eval "$lt_compile" 2>conftest.err)
-   ac_status=$?
-   cat conftest.err >&5
-   echo "$as_me:18301: \$? = $ac_status" >&5
-   if (exit $ac_status) && test -s "$ac_outfile"; then
-     # The compiler can only warn and ignore the option if not recognized
-     # So say no if there are warnings other than the usual output.
-     $echo "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' >conftest.exp
-     $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2
-     if test ! -s conftest.er2 || diff conftest.exp conftest.er2 >/dev/null; then
-       lt_cv_prog_compiler_rtti_exceptions=yes
-     fi
-   fi
-   $rm conftest*
-
+  pkg_failed=yes
 fi
-{ echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_rtti_exceptions" >&5
-echo "${ECHO_T}$lt_cv_prog_compiler_rtti_exceptions" >&6; }
-
-if test x"$lt_cv_prog_compiler_rtti_exceptions" = xyes; then
-    lt_prog_compiler_no_builtin_flag_GCJ="$lt_prog_compiler_no_builtin_flag_GCJ -fno-rtti -fno-exceptions"
+    fi
 else
-    :
+	pkg_failed=untried
 fi
-
+if test -n "$PKG_CONFIG"; then
+    if test -n "$gtk_LIBS"; then
+        pkg_cv_gtk_LIBS="$gtk_LIBS"
+    else
+        if test -n "$PKG_CONFIG" && \
+    { (echo "$as_me:$LINENO: \$PKG_CONFIG --exists --print-errors \"gtk+-2.0 vte\"") >&5
+  ($PKG_CONFIG --exists --print-errors "gtk+-2.0 vte") 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  pkg_cv_gtk_LIBS=`$PKG_CONFIG --libs "gtk+-2.0 vte" 2>/dev/null`
+else
+  pkg_failed=yes
+fi
+    fi
+else
+	pkg_failed=untried
 fi
 
-lt_prog_compiler_wl_GCJ=
-lt_prog_compiler_pic_GCJ=
-lt_prog_compiler_static_GCJ=
-
-{ echo "$as_me:$LINENO: checking for $compiler option to produce PIC" >&5
-echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6; }
 
-  if test "$GCC" = yes; then
-    lt_prog_compiler_wl_GCJ='-Wl,'
-    lt_prog_compiler_static_GCJ='-static'
 
-    case $host_os in
-      aix*)
-      # All AIX code is PIC.
-      if test "$host_cpu" = ia64; then
-	# AIX 5 now supports IA64 processor
-	lt_prog_compiler_static_GCJ='-Bstatic'
-      fi
-      ;;
+if test $pkg_failed = yes; then
 
-    amigaos*)
-      # FIXME: we need at least 68020 code to build shared libraries, but
-      # adding the `-m68020' flag to GCC prevents building anything better,
-      # like `-m68040'.
-      lt_prog_compiler_pic_GCJ='-m68020 -resident32 -malways-restore-a4'
-      ;;
+if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
+        _pkg_short_errors_supported=yes
+else
+        _pkg_short_errors_supported=no
+fi
+        if test $_pkg_short_errors_supported = yes; then
+	        gtk_PKG_ERRORS=`$PKG_CONFIG --short-errors --errors-to-stdout --print-errors "gtk+-2.0 vte"`
+        else
+	        gtk_PKG_ERRORS=`$PKG_CONFIG --errors-to-stdout --print-errors "gtk+-2.0 vte"`
+        fi
+	# Put the nasty error message in config.log where it belongs
+	echo "$gtk_PKG_ERRORS" >&5
 
-    beos* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*)
-      # PIC is the default for these OSes.
-      ;;
+	{ { echo "$as_me:$LINENO: error: Package requirements (gtk+-2.0 vte) were not met:
 
-    mingw* | cygwin* | pw32* | os2*)
-      # This hack is so that the source file can tell whether it is being
-      # built for inclusion in a dll (and should export symbols for example).
-      # Although the cygwin gcc ignores -fPIC, still need this for old-style
-      # (--disable-auto-import) libraries
+$gtk_PKG_ERRORS
 
-      ;;
+Consider adjusting the PKG_CONFIG_PATH environment variable if you
+installed software in a non-standard prefix.
 
-    darwin* | rhapsody*)
-      # PIC is the default on this platform
-      # Common symbols not allowed in MH_DYLIB files
-      lt_prog_compiler_pic_GCJ='-fno-common'
-      ;;
+Alternatively, you may set the environment variables gtk_CFLAGS
+and gtk_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details.
+" >&5
+echo "$as_me: error: Package requirements (gtk+-2.0 vte) were not met:
 
-    interix[3-9]*)
-      # Interix 3.x gcc -fpic/-fPIC options generate broken code.
-      # Instead, we relocate shared libraries at runtime.
-      ;;
+$gtk_PKG_ERRORS
 
-    msdosdjgpp*)
-      # Just because we use GCC doesn't mean we suddenly get shared libraries
-      # on systems that don't support them.
-      lt_prog_compiler_can_build_shared_GCJ=no
-      enable_shared=no
-      ;;
+Consider adjusting the PKG_CONFIG_PATH environment variable if you
+installed software in a non-standard prefix.
 
-    sysv4*MP*)
-      if test -d /usr/nec; then
-	lt_prog_compiler_pic_GCJ=-Kconform_pic
-      fi
-      ;;
+Alternatively, you may set the environment variables gtk_CFLAGS
+and gtk_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details.
+" >&2;}
+   { (exit 1); exit 1; }; }
+elif test $pkg_failed = untried; then
+	{ { echo "$as_me:$LINENO: error: The pkg-config script could not be found or is too old.  Make sure it
+is in your PATH or set the PKG_CONFIG environment variable to the full
+path to pkg-config.
 
-    hpux*)
-      # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but
-      # not for PA HP-UX.
-      case $host_cpu in
-      hppa*64*|ia64*)
-	# +Z the default
-	;;
-      *)
-	lt_prog_compiler_pic_GCJ='-fPIC'
-	;;
-      esac
-      ;;
+Alternatively, you may set the environment variables gtk_CFLAGS
+and gtk_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details.
 
-    *)
-      lt_prog_compiler_pic_GCJ='-fPIC'
-      ;;
-    esac
-  else
-    # PORTME Check for flag to pass linker flags through the system compiler.
-    case $host_os in
-    aix*)
-      lt_prog_compiler_wl_GCJ='-Wl,'
-      if test "$host_cpu" = ia64; then
-	# AIX 5 now supports IA64 processor
-	lt_prog_compiler_static_GCJ='-Bstatic'
-      else
-	lt_prog_compiler_static_GCJ='-bnso -bI:/lib/syscalls.exp'
-      fi
-      ;;
-      darwin*)
-        # PIC is the default on this platform
-        # Common symbols not allowed in MH_DYLIB files
-       case $cc_basename in
-         xlc*)
-         lt_prog_compiler_pic_GCJ='-qnocommon'
-         lt_prog_compiler_wl_GCJ='-Wl,'
-         ;;
-       esac
-       ;;
+To get pkg-config, see <http://pkg-config.freedesktop.org/>.
+See \`config.log' for more details." >&5
+echo "$as_me: error: The pkg-config script could not be found or is too old.  Make sure it
+is in your PATH or set the PKG_CONFIG environment variable to the full
+path to pkg-config.
 
-    mingw* | cygwin* | pw32* | os2*)
-      # This hack is so that the source file can tell whether it is being
-      # built for inclusion in a dll (and should export symbols for example).
-
-      ;;
-
-    hpux9* | hpux10* | hpux11*)
-      lt_prog_compiler_wl_GCJ='-Wl,'
-      # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but
-      # not for PA HP-UX.
-      case $host_cpu in
-      hppa*64*|ia64*)
-	# +Z the default
-	;;
-      *)
-	lt_prog_compiler_pic_GCJ='+Z'
-	;;
-      esac
-      # Is there a better lt_prog_compiler_static that works with the bundled CC?
-      lt_prog_compiler_static_GCJ='${wl}-a ${wl}archive'
-      ;;
-
-    irix5* | irix6* | nonstopux*)
-      lt_prog_compiler_wl_GCJ='-Wl,'
-      # PIC (with -KPIC) is the default.
-      lt_prog_compiler_static_GCJ='-non_shared'
-      ;;
-
-    newsos6)
-      lt_prog_compiler_pic_GCJ='-KPIC'
-      lt_prog_compiler_static_GCJ='-Bstatic'
-      ;;
-
-    linux* | k*bsd*-gnu)
-      case $cc_basename in
-      icc* | ecc*)
-	lt_prog_compiler_wl_GCJ='-Wl,'
-	lt_prog_compiler_pic_GCJ='-KPIC'
-	lt_prog_compiler_static_GCJ='-static'
-        ;;
-      pgcc* | pgf77* | pgf90* | pgf95*)
-        # Portland Group compilers (*not* the Pentium gcc compiler,
-	# which looks to be a dead project)
-	lt_prog_compiler_wl_GCJ='-Wl,'
-	lt_prog_compiler_pic_GCJ='-fpic'
-	lt_prog_compiler_static_GCJ='-Bstatic'
-        ;;
-      ccc*)
-        lt_prog_compiler_wl_GCJ='-Wl,'
-        # All Alpha code is PIC.
-        lt_prog_compiler_static_GCJ='-non_shared'
-        ;;
-      *)
-        case `$CC -V 2>&1 | sed 5q` in
-	*Sun\ C*)
-	  # Sun C 5.9
-	  lt_prog_compiler_pic_GCJ='-KPIC'
-	  lt_prog_compiler_static_GCJ='-Bstatic'
-	  lt_prog_compiler_wl_GCJ='-Wl,'
-	  ;;
-	*Sun\ F*)
-	  # Sun Fortran 8.3 passes all unrecognized flags to the linker
-	  lt_prog_compiler_pic_GCJ='-KPIC'
-	  lt_prog_compiler_static_GCJ='-Bstatic'
-	  lt_prog_compiler_wl_GCJ=''
-	  ;;
-	esac
-	;;
-      esac
-      ;;
-
-    osf3* | osf4* | osf5*)
-      lt_prog_compiler_wl_GCJ='-Wl,'
-      # All OSF/1 code is PIC.
-      lt_prog_compiler_static_GCJ='-non_shared'
-      ;;
-
-    rdos*)
-      lt_prog_compiler_static_GCJ='-non_shared'
-      ;;
-
-    solaris*)
-      lt_prog_compiler_pic_GCJ='-KPIC'
-      lt_prog_compiler_static_GCJ='-Bstatic'
-      case $cc_basename in
-      f77* | f90* | f95*)
-	lt_prog_compiler_wl_GCJ='-Qoption ld ';;
-      *)
-	lt_prog_compiler_wl_GCJ='-Wl,';;
-      esac
-      ;;
-
-    sunos4*)
-      lt_prog_compiler_wl_GCJ='-Qoption ld '
-      lt_prog_compiler_pic_GCJ='-PIC'
-      lt_prog_compiler_static_GCJ='-Bstatic'
-      ;;
-
-    sysv4 | sysv4.2uw2* | sysv4.3*)
-      lt_prog_compiler_wl_GCJ='-Wl,'
-      lt_prog_compiler_pic_GCJ='-KPIC'
-      lt_prog_compiler_static_GCJ='-Bstatic'
-      ;;
-
-    sysv4*MP*)
-      if test -d /usr/nec ;then
-	lt_prog_compiler_pic_GCJ='-Kconform_pic'
-	lt_prog_compiler_static_GCJ='-Bstatic'
-      fi
-      ;;
-
-    sysv5* | unixware* | sco3.2v5* | sco5v6* | OpenUNIX*)
-      lt_prog_compiler_wl_GCJ='-Wl,'
-      lt_prog_compiler_pic_GCJ='-KPIC'
-      lt_prog_compiler_static_GCJ='-Bstatic'
-      ;;
-
-    unicos*)
-      lt_prog_compiler_wl_GCJ='-Wl,'
-      lt_prog_compiler_can_build_shared_GCJ=no
-      ;;
-
-    uts4*)
-      lt_prog_compiler_pic_GCJ='-pic'
-      lt_prog_compiler_static_GCJ='-Bstatic'
-      ;;
+Alternatively, you may set the environment variables gtk_CFLAGS
+and gtk_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details.
 
-    *)
-      lt_prog_compiler_can_build_shared_GCJ=no
-      ;;
-    esac
-  fi
+To get pkg-config, see <http://pkg-config.freedesktop.org/>.
+See \`config.log' for more details." >&2;}
+   { (exit 1); exit 1; }; }
+else
+	gtk_CFLAGS=$pkg_cv_gtk_CFLAGS
+	gtk_LIBS=$pkg_cv_gtk_LIBS
+        { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
+	:
+fi
 
-{ echo "$as_me:$LINENO: result: $lt_prog_compiler_pic_GCJ" >&5
-echo "${ECHO_T}$lt_prog_compiler_pic_GCJ" >&6; }
 
-#
-# Check to make sure the PIC flag actually works.
-#
-if test -n "$lt_prog_compiler_pic_GCJ"; then
+fi
 
-{ echo "$as_me:$LINENO: checking if $compiler PIC flag $lt_prog_compiler_pic_GCJ works" >&5
-echo $ECHO_N "checking if $compiler PIC flag $lt_prog_compiler_pic_GCJ works... $ECHO_C" >&6; }
-if test "${lt_cv_prog_compiler_pic_works_GCJ+set}" = set; then
+if test x$fast = xtrue; then
+	{ echo "$as_me:$LINENO: checking for main in -lneo_cgi" >&5
+echo $ECHO_N "checking for main in -lneo_cgi... $ECHO_C" >&6; }
+if test "${ac_cv_lib_neo_cgi_main+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  lt_cv_prog_compiler_pic_works_GCJ=no
-  ac_outfile=conftest.$ac_objext
-   echo "$lt_simple_compile_test_code" > conftest.$ac_ext
-   lt_compiler_flag="$lt_prog_compiler_pic_GCJ"
-   # Insert the option either (1) after the last *FLAGS variable, or
-   # (2) before a word containing "conftest.", or (3) at the end.
-   # Note that $ac_compile itself does not contain backslashes and begins
-   # with a dollar sign (not a hyphen), so the echo should work correctly.
-   # The option is referenced via a variable to avoid confusing sed.
-   lt_compile=`echo "$ac_compile" | $SED \
-   -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-   -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-   -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:18587: $lt_compile\"" >&5)
-   (eval "$lt_compile" 2>conftest.err)
-   ac_status=$?
-   cat conftest.err >&5
-   echo "$as_me:18591: \$? = $ac_status" >&5
-   if (exit $ac_status) && test -s "$ac_outfile"; then
-     # The compiler can only warn and ignore the option if not recognized
-     # So say no if there are warnings other than the usual output.
-     $echo "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' >conftest.exp
-     $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2
-     if test ! -s conftest.er2 || diff conftest.exp conftest.er2 >/dev/null; then
-       lt_cv_prog_compiler_pic_works_GCJ=yes
-     fi
-   fi
-   $rm conftest*
-
-fi
-{ echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_pic_works_GCJ" >&5
-echo "${ECHO_T}$lt_cv_prog_compiler_pic_works_GCJ" >&6; }
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lneo_cgi  $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
 
-if test x"$lt_cv_prog_compiler_pic_works_GCJ" = xyes; then
-    case $lt_prog_compiler_pic_GCJ in
-     "" | " "*) ;;
-     *) lt_prog_compiler_pic_GCJ=" $lt_prog_compiler_pic_GCJ" ;;
-     esac
-else
-    lt_prog_compiler_pic_GCJ=
-     lt_prog_compiler_can_build_shared_GCJ=no
-fi
 
-fi
-case $host_os in
-  # For platforms which do not support PIC, -DPIC is meaningless:
-  *djgpp*)
-    lt_prog_compiler_pic_GCJ=
-    ;;
-  *)
-    lt_prog_compiler_pic_GCJ="$lt_prog_compiler_pic_GCJ"
-    ;;
+int
+main ()
+{
+return main ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
 esac
-
-#
-# Check to make sure the static flag actually works.
-#
-wl=$lt_prog_compiler_wl_GCJ eval lt_tmp_static_flag=\"$lt_prog_compiler_static_GCJ\"
-{ echo "$as_me:$LINENO: checking if $compiler static flag $lt_tmp_static_flag works" >&5
-echo $ECHO_N "checking if $compiler static flag $lt_tmp_static_flag works... $ECHO_C" >&6; }
-if test "${lt_cv_prog_compiler_static_works_GCJ+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+  ac_cv_lib_neo_cgi_main=yes
 else
-  lt_cv_prog_compiler_static_works_GCJ=no
-   save_LDFLAGS="$LDFLAGS"
-   LDFLAGS="$LDFLAGS $lt_tmp_static_flag"
-   echo "$lt_simple_link_test_code" > conftest.$ac_ext
-   if (eval $ac_link 2>conftest.err) && test -s conftest$ac_exeext; then
-     # The linker can only warn and ignore the option if not recognized
-     # So say no if there are warnings
-     if test -s conftest.err; then
-       # Append any errors to the config.log.
-       cat conftest.err 1>&5
-       $echo "X$_lt_linker_boilerplate" | $Xsed -e '/^$/d' > conftest.exp
-       $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2
-       if diff conftest.exp conftest.er2 >/dev/null; then
-         lt_cv_prog_compiler_static_works_GCJ=yes
-       fi
-     else
-       lt_cv_prog_compiler_static_works_GCJ=yes
-     fi
-   fi
-   $rm -r conftest*
-   LDFLAGS="$save_LDFLAGS"
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
 
+	ac_cv_lib_neo_cgi_main=no
 fi
-{ echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_static_works_GCJ" >&5
-echo "${ECHO_T}$lt_cv_prog_compiler_static_works_GCJ" >&6; }
 
-if test x"$lt_cv_prog_compiler_static_works_GCJ" = xyes; then
-    :
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_neo_cgi_main" >&5
+echo "${ECHO_T}$ac_cv_lib_neo_cgi_main" >&6; }
+if test $ac_cv_lib_neo_cgi_main = yes; then
+  LIBS="$LIBS"
 else
-    lt_prog_compiler_static_GCJ=
+  { { echo "$as_me:$LINENO: error: ClearSilver library neo_cgi not found!" >&5
+echo "$as_me: error: ClearSilver library neo_cgi not found!" >&2;}
+   { (exit 1); exit 1; }; }
 fi
+ac_cv_lib_neo_cgi=ac_cv_lib_neo_cgi_main
 
-
-{ echo "$as_me:$LINENO: checking if $compiler supports -c -o file.$ac_objext" >&5
-echo $ECHO_N "checking if $compiler supports -c -o file.$ac_objext... $ECHO_C" >&6; }
-if test "${lt_cv_prog_compiler_c_o_GCJ+set}" = set; then
+	{ echo "$as_me:$LINENO: checking for main in -lneo_utl" >&5
+echo $ECHO_N "checking for main in -lneo_utl... $ECHO_C" >&6; }
+if test "${ac_cv_lib_neo_utl_main+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  lt_cv_prog_compiler_c_o_GCJ=no
-   $rm -r conftest 2>/dev/null
-   mkdir conftest
-   cd conftest
-   mkdir out
-   echo "$lt_simple_compile_test_code" > conftest.$ac_ext
-
-   lt_compiler_flag="-o out/conftest2.$ac_objext"
-   # Insert the option either (1) after the last *FLAGS variable, or
-   # (2) before a word containing "conftest.", or (3) at the end.
-   # Note that $ac_compile itself does not contain backslashes and begins
-   # with a dollar sign (not a hyphen), so the echo should work correctly.
-   lt_compile=`echo "$ac_compile" | $SED \
-   -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-   -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-   -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:18691: $lt_compile\"" >&5)
-   (eval "$lt_compile" 2>out/conftest.err)
-   ac_status=$?
-   cat out/conftest.err >&5
-   echo "$as_me:18695: \$? = $ac_status" >&5
-   if (exit $ac_status) && test -s out/conftest2.$ac_objext
-   then
-     # The compiler can only warn and ignore the option if not recognized
-     # So say no if there are warnings
-     $echo "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' > out/conftest.exp
-     $SED '/^$/d; /^ *+/d' out/conftest.err >out/conftest.er2
-     if test ! -s out/conftest.er2 || diff out/conftest.exp out/conftest.er2 >/dev/null; then
-       lt_cv_prog_compiler_c_o_GCJ=yes
-     fi
-   fi
-   chmod u+w . 2>&5
-   $rm conftest*
-   # SGI C++ compiler will create directory out/ii_files/ for
-   # template instantiation
-   test -d out/ii_files && $rm out/ii_files/* && rmdir out/ii_files
-   $rm out/* && rmdir out
-   cd ..
-   rmdir conftest
-   $rm conftest*
-
-fi
-{ echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_c_o_GCJ" >&5
-echo "${ECHO_T}$lt_cv_prog_compiler_c_o_GCJ" >&6; }
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lneo_utl  $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
 
 
-hard_links="nottested"
-if test "$lt_cv_prog_compiler_c_o_GCJ" = no && test "$need_locks" != no; then
-  # do not overwrite the value of need_locks provided by the user
-  { echo "$as_me:$LINENO: checking if we can lock with hard links" >&5
-echo $ECHO_N "checking if we can lock with hard links... $ECHO_C" >&6; }
-  hard_links=yes
-  $rm conftest*
-  ln conftest.a conftest.b 2>/dev/null && hard_links=no
-  touch conftest.a
-  ln conftest.a conftest.b 2>&5 || hard_links=no
-  ln conftest.a conftest.b 2>/dev/null && hard_links=no
-  { echo "$as_me:$LINENO: result: $hard_links" >&5
-echo "${ECHO_T}$hard_links" >&6; }
-  if test "$hard_links" = no; then
-    { echo "$as_me:$LINENO: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&5
-echo "$as_me: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&2;}
-    need_locks=warn
-  fi
+int
+main ()
+{
+return main ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+  ac_cv_lib_neo_utl_main=yes
 else
-  need_locks=no
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	ac_cv_lib_neo_utl_main=no
 fi
 
-{ echo "$as_me:$LINENO: checking whether the $compiler linker ($LD) supports shared libraries" >&5
-echo $ECHO_N "checking whether the $compiler linker ($LD) supports shared libraries... $ECHO_C" >&6; }
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_neo_utl_main" >&5
+echo "${ECHO_T}$ac_cv_lib_neo_utl_main" >&6; }
+if test $ac_cv_lib_neo_utl_main = yes; then
+  LIBS="$LIBS"
+else
+  { { echo "$as_me:$LINENO: error: ClearSilver library neo_utl not found!" >&5
+echo "$as_me: error: ClearSilver library neo_utl not found!" >&2;}
+   { (exit 1); exit 1; }; }
+fi
+ac_cv_lib_neo_utl=ac_cv_lib_neo_utl_main
 
-  runpath_var=
-  allow_undefined_flag_GCJ=
-  enable_shared_with_static_runtimes_GCJ=no
-  archive_cmds_GCJ=
-  archive_expsym_cmds_GCJ=
-  old_archive_From_new_cmds_GCJ=
-  old_archive_from_expsyms_cmds_GCJ=
-  export_dynamic_flag_spec_GCJ=
-  whole_archive_flag_spec_GCJ=
-  thread_safe_flag_spec_GCJ=
-  hardcode_libdir_flag_spec_GCJ=
-  hardcode_libdir_flag_spec_ld_GCJ=
-  hardcode_libdir_separator_GCJ=
-  hardcode_direct_GCJ=no
-  hardcode_minus_L_GCJ=no
-  hardcode_shlibpath_var_GCJ=unsupported
-  link_all_deplibs_GCJ=unknown
-  hardcode_automatic_GCJ=no
-  module_cmds_GCJ=
-  module_expsym_cmds_GCJ=
-  always_export_symbols_GCJ=no
-  export_symbols_cmds_GCJ='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols'
-  # include_expsyms should be a list of space-separated symbols to be *always*
-  # included in the symbol list
-  include_expsyms_GCJ=
-  # exclude_expsyms can be an extended regexp of symbols to exclude
-  # it will be wrapped by ` (' and `)$', so one must not match beginning or
-  # end of line.  Example: `a|bc|.*d.*' will exclude the symbols `a' and `bc',
-  # as well as any symbol that contains `d'.
-  exclude_expsyms_GCJ='_GLOBAL_OFFSET_TABLE_|_GLOBAL__F[ID]_.*'
-  # Although _GLOBAL_OFFSET_TABLE_ is a valid symbol C name, most a.out
-  # platforms (ab)use it in PIC code, but their linkers get confused if
-  # the symbol is explicitly referenced.  Since portable code cannot
-  # rely on this symbol name, it's probably fine to never include it in
-  # preloaded symbol tables.
-  # Exclude shared library initialization/finalization symbols.
-  extract_expsyms_cmds=
-  # Just being paranoid about ensuring that cc_basename is set.
-  for cc_temp in $compiler""; do
-  case $cc_temp in
-    compile | *[\\/]compile | ccache | *[\\/]ccache ) ;;
-    distcc | *[\\/]distcc | purify | *[\\/]purify ) ;;
-    \-*) ;;
-    *) break;;
-  esac
-done
-cc_basename=`$echo "X$cc_temp" | $Xsed -e 's%.*/%%' -e "s%^$host_alias-%%"`
+	{ echo "$as_me:$LINENO: checking for main in -lz" >&5
+echo $ECHO_N "checking for main in -lz... $ECHO_C" >&6; }
+if test "${ac_cv_lib_z_main+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lz  $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
 
-  case $host_os in
-  cygwin* | mingw* | pw32*)
-    # FIXME: the MSVC++ port hasn't been tested in a loooong time
-    # When not using gcc, we currently assume that we are using
-    # Microsoft Visual C++.
-    if test "$GCC" != yes; then
-      with_gnu_ld=no
-    fi
-    ;;
-  interix*)
-    # we just hope/assume this is gcc and not c89 (= MSVC++)
-    with_gnu_ld=yes
-    ;;
-  openbsd*)
-    with_gnu_ld=no
-    ;;
-  esac
 
-  ld_shlibs_GCJ=yes
-  if test "$with_gnu_ld" = yes; then
-    # If archive_cmds runs LD, not CC, wlarc should be empty
-    wlarc='${wl}'
+int
+main ()
+{
+return main ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+  ac_cv_lib_z_main=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
 
-    # Set some defaults for GNU ld with shared library support. These
-    # are reset later if shared libraries are not supported. Putting them
-    # here allows them to be overridden if necessary.
-    runpath_var=LD_RUN_PATH
-    hardcode_libdir_flag_spec_GCJ='${wl}--rpath ${wl}$libdir'
-    export_dynamic_flag_spec_GCJ='${wl}--export-dynamic'
-    # ancient GNU ld didn't support --whole-archive et. al.
-    if $LD --help 2>&1 | grep 'no-whole-archive' > /dev/null; then
-	whole_archive_flag_spec_GCJ="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive'
-      else
-  	whole_archive_flag_spec_GCJ=
-    fi
-    supports_anon_versioning=no
-    case `$LD -v 2>/dev/null` in
-      *\ [01].* | *\ 2.[0-9].* | *\ 2.10.*) ;; # catch versions < 2.11
-      *\ 2.11.93.0.2\ *) supports_anon_versioning=yes ;; # RH7.3 ...
-      *\ 2.11.92.0.12\ *) supports_anon_versioning=yes ;; # Mandrake 8.2 ...
-      *\ 2.11.*) ;; # other 2.11 versions
-      *) supports_anon_versioning=yes ;;
-    esac
+	ac_cv_lib_z_main=no
+fi
 
-    # See if GNU ld supports shared libraries.
-    case $host_os in
-    aix[3-9]*)
-      # On AIX/PPC, the GNU linker is very broken
-      if test "$host_cpu" != ia64; then
-	ld_shlibs_GCJ=no
-	cat <<EOF 1>&2
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_z_main" >&5
+echo "${ECHO_T}$ac_cv_lib_z_main" >&6; }
+if test $ac_cv_lib_z_main = yes; then
+  LIBS="$LIBS"
+else
+  { { echo "$as_me:$LINENO: error: ClearSilver dependency zlib not found!" >&5
+echo "$as_me: error: ClearSilver dependency zlib not found!" >&2;}
+   { (exit 1); exit 1; }; }
+fi
+ac_cv_lib_z=ac_cv_lib_z_main
 
-*** Warning: the GNU linker, at least up to release 2.9.1, is reported
-*** to be unable to reliably create shared libraries on AIX.
-*** Therefore, libtool is disabling shared libraries support.  If you
-*** really care for shared libraries, you may want to modify your PATH
-*** so that a non-GNU linker is found, and then restart.
 
-EOF
-      fi
-      ;;
+	{ echo "$as_me:$LINENO: checking for main in -lfcgi" >&5
+echo $ECHO_N "checking for main in -lfcgi... $ECHO_C" >&6; }
+if test "${ac_cv_lib_fcgi_main+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lfcgi  $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
 
-    amigaos*)
-      archive_cmds_GCJ='$rm $output_objdir/a2ixlibrary.data~$echo "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$echo "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$echo "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$echo "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)'
-      hardcode_libdir_flag_spec_GCJ='-L$libdir'
-      hardcode_minus_L_GCJ=yes
-
-      # Samuel A. Falvo II <kc5tja@dolphin.openprojects.net> reports
-      # that the semantics of dynamic libraries on AmigaOS, at least up
-      # to version 4, is to share data among multiple programs linked
-      # with the same dynamic library.  Since this doesn't match the
-      # behavior of shared libraries on other platforms, we can't use
-      # them.
-      ld_shlibs_GCJ=no
-      ;;
 
-    beos*)
-      if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
-	allow_undefined_flag_GCJ=unsupported
-	# Joseph Beckenbach <jrb3@best.com> says some releases of gcc
-	# support --undefined.  This deserves some investigation.  FIXME
-	archive_cmds_GCJ='$CC -nostart $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
-      else
-	ld_shlibs_GCJ=no
-      fi
-      ;;
+int
+main ()
+{
+return main ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+  ac_cv_lib_fcgi_main=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
 
-    cygwin* | mingw* | pw32*)
-      # _LT_AC_TAGVAR(hardcode_libdir_flag_spec, GCJ) is actually meaningless,
-      # as there is no search path for DLLs.
-      hardcode_libdir_flag_spec_GCJ='-L$libdir'
-      allow_undefined_flag_GCJ=unsupported
-      always_export_symbols_GCJ=no
-      enable_shared_with_static_runtimes_GCJ=yes
-      export_symbols_cmds_GCJ='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[BCDGRS][ ]/s/.*[ ]\([^ ]*\)/\1 DATA/'\'' -e '\''/^[AITW][ ]/s/.*[ ]//'\'' | sort | uniq > $export_symbols'
-
-      if $LD --help 2>&1 | grep 'auto-import' > /dev/null; then
-        archive_cmds_GCJ='$CC -shared $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
-	# If the export-symbols file already is a .def file (1st line
-	# is EXPORTS), use it as is; otherwise, prepend...
-	archive_expsym_cmds_GCJ='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then
-	  cp $export_symbols $output_objdir/$soname.def;
-	else
-	  echo EXPORTS > $output_objdir/$soname.def;
-	  cat $export_symbols >> $output_objdir/$soname.def;
-	fi~
-	$CC -shared $output_objdir/$soname.def $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
-      else
-	ld_shlibs_GCJ=no
-      fi
-      ;;
+	ac_cv_lib_fcgi_main=no
+fi
 
-    interix[3-9]*)
-      hardcode_direct_GCJ=no
-      hardcode_shlibpath_var_GCJ=no
-      hardcode_libdir_flag_spec_GCJ='${wl}-rpath,$libdir'
-      export_dynamic_flag_spec_GCJ='${wl}-E'
-      # Hack: On Interix 3.x, we cannot compile PIC because of a broken gcc.
-      # Instead, shared libraries are loaded at an image base (0x10000000 by
-      # default) and relocated if they conflict, which is a slow very memory
-      # consuming and fragmenting process.  To avoid this, we pick a random,
-      # 256 KiB-aligned image base between 0x50000000 and 0x6FFC0000 at link
-      # time.  Moving up from 0x10000000 also allows more sbrk(2) space.
-      archive_cmds_GCJ='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
-      archive_expsym_cmds_GCJ='sed "s,^,_," $export_symbols >$output_objdir/$soname.expsym~$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--retain-symbols-file,$output_objdir/$soname.expsym ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
-      ;;
-
-    gnu* | linux* | k*bsd*-gnu)
-      if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
-	tmp_addflag=
-	case $cc_basename,$host_cpu in
-	pgcc*)				# Portland Group C compiler
-	  whole_archive_flag_spec_GCJ='${wl}--whole-archive`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}--no-whole-archive'
-	  tmp_addflag=' $pic_flag'
-	  ;;
-	pgf77* | pgf90* | pgf95*)	# Portland Group f77 and f90 compilers
-	  whole_archive_flag_spec_GCJ='${wl}--whole-archive`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}--no-whole-archive'
-	  tmp_addflag=' $pic_flag -Mnomain' ;;
-	ecc*,ia64* | icc*,ia64*)		# Intel C compiler on ia64
-	  tmp_addflag=' -i_dynamic' ;;
-	efc*,ia64* | ifort*,ia64*)	# Intel Fortran compiler on ia64
-	  tmp_addflag=' -i_dynamic -nofor_main' ;;
-	ifc* | ifort*)			# Intel Fortran compiler
-	  tmp_addflag=' -nofor_main' ;;
-	esac
-	case `$CC -V 2>&1 | sed 5q` in
-	*Sun\ C*)			# Sun C 5.9
-	  whole_archive_flag_spec_GCJ='${wl}--whole-archive`new_convenience=; for conv in $convenience\"\"; do test -z \"$conv\" || new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}--no-whole-archive'
-	  tmp_sharedflag='-G' ;;
-	*Sun\ F*)			# Sun Fortran 8.3
-	  tmp_sharedflag='-G' ;;
-	*)
-	  tmp_sharedflag='-shared' ;;
-	esac
-	archive_cmds_GCJ='$CC '"$tmp_sharedflag""$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
-
-	if test $supports_anon_versioning = yes; then
-	  archive_expsym_cmds_GCJ='$echo "{ global:" > $output_objdir/$libname.ver~
-  cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~
-  $echo "local: *; };" >> $output_objdir/$libname.ver~
-	  $CC '"$tmp_sharedflag""$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-version-script ${wl}$output_objdir/$libname.ver -o $lib'
-	fi
-	link_all_deplibs_GCJ=no
-      else
-	ld_shlibs_GCJ=no
-      fi
-      ;;
-
-    netbsd* | netbsdelf*-gnu)
-      if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
-	archive_cmds_GCJ='$LD -Bshareable $libobjs $deplibs $linker_flags -o $lib'
-	wlarc=
-      else
-	archive_cmds_GCJ='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
-	archive_expsym_cmds_GCJ='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
-      fi
-      ;;
-
-    solaris*)
-      if $LD -v 2>&1 | grep 'BFD 2\.8' > /dev/null; then
-	ld_shlibs_GCJ=no
-	cat <<EOF 1>&2
-
-*** Warning: The releases 2.8.* of the GNU linker cannot reliably
-*** create shared libraries on Solaris systems.  Therefore, libtool
-*** is disabling shared libraries support.  We urge you to upgrade GNU
-*** binutils to release 2.9.1 or newer.  Another option is to modify
-*** your PATH or compiler configuration so that the native linker is
-*** used, and then restart.
-
-EOF
-      elif $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
-	archive_cmds_GCJ='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
-	archive_expsym_cmds_GCJ='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
-      else
-	ld_shlibs_GCJ=no
-      fi
-      ;;
-
-    sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX*)
-      case `$LD -v 2>&1` in
-        *\ [01].* | *\ 2.[0-9].* | *\ 2.1[0-5].*)
-	ld_shlibs_GCJ=no
-	cat <<_LT_EOF 1>&2
-
-*** Warning: Releases of the GNU linker prior to 2.16.91.0.3 can not
-*** reliably create shared libraries on SCO systems.  Therefore, libtool
-*** is disabling shared libraries support.  We urge you to upgrade GNU
-*** binutils to release 2.16.91.0.3 or newer.  Another option is to modify
-*** your PATH or compiler configuration so that the native linker is
-*** used, and then restart.
-
-_LT_EOF
-	;;
-	*)
-	  if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
-	    hardcode_libdir_flag_spec_GCJ='`test -z "$SCOABSPATH" && echo ${wl}-rpath,$libdir`'
-	    archive_cmds_GCJ='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib'
-	    archive_expsym_cmds_GCJ='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname,\${SCOABSPATH:+${install_libdir}/}$soname,-retain-symbols-file,$export_symbols -o $lib'
-	  else
-	    ld_shlibs_GCJ=no
-	  fi
-	;;
-      esac
-      ;;
-
-    sunos4*)
-      archive_cmds_GCJ='$LD -assert pure-text -Bshareable -o $lib $libobjs $deplibs $linker_flags'
-      wlarc=
-      hardcode_direct_GCJ=yes
-      hardcode_shlibpath_var_GCJ=no
-      ;;
-
-    *)
-      if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
-	archive_cmds_GCJ='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
-	archive_expsym_cmds_GCJ='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
-      else
-	ld_shlibs_GCJ=no
-      fi
-      ;;
-    esac
-
-    if test "$ld_shlibs_GCJ" = no; then
-      runpath_var=
-      hardcode_libdir_flag_spec_GCJ=
-      export_dynamic_flag_spec_GCJ=
-      whole_archive_flag_spec_GCJ=
-    fi
-  else
-    # PORTME fill in a description of your system's linker (not GNU ld)
-    case $host_os in
-    aix3*)
-      allow_undefined_flag_GCJ=unsupported
-      always_export_symbols_GCJ=yes
-      archive_expsym_cmds_GCJ='$LD -o $output_objdir/$soname $libobjs $deplibs $linker_flags -bE:$export_symbols -T512 -H512 -bM:SRE~$AR $AR_FLAGS $lib $output_objdir/$soname'
-      # Note: this linker hardcodes the directories in LIBPATH if there
-      # are no directories specified by -L.
-      hardcode_minus_L_GCJ=yes
-      if test "$GCC" = yes && test -z "$lt_prog_compiler_static"; then
-	# Neither direct hardcoding nor static linking is supported with a
-	# broken collect2.
-	hardcode_direct_GCJ=unsupported
-      fi
-      ;;
-
-    aix[4-9]*)
-      if test "$host_cpu" = ia64; then
-	# On IA64, the linker does run time linking by default, so we don't
-	# have to do anything special.
-	aix_use_runtimelinking=no
-	exp_sym_flag='-Bexport'
-	no_entry_flag=""
-      else
-	# If we're using GNU nm, then we don't want the "-C" option.
-	# -C means demangle to AIX nm, but means don't demangle with GNU nm
-	if $NM -V 2>&1 | grep 'GNU' > /dev/null; then
-	  export_symbols_cmds_GCJ='$NM -Bpg $libobjs $convenience | awk '\''{ if (((\$2 == "T") || (\$2 == "D") || (\$2 == "B")) && (substr(\$3,1,1) != ".")) { print \$3 } }'\'' | sort -u > $export_symbols'
-	else
-	  export_symbols_cmds_GCJ='$NM -BCpg $libobjs $convenience | awk '\''{ if (((\$2 == "T") || (\$2 == "D") || (\$2 == "B")) && (substr(\$3,1,1) != ".")) { print \$3 } }'\'' | sort -u > $export_symbols'
-	fi
-	aix_use_runtimelinking=no
-
-	# Test if we are trying to use run time linking or normal
-	# AIX style linking. If -brtl is somewhere in LDFLAGS, we
-	# need to do runtime linking.
-	case $host_os in aix4.[23]|aix4.[23].*|aix[5-9]*)
-	  for ld_flag in $LDFLAGS; do
-  	  if (test $ld_flag = "-brtl" || test $ld_flag = "-Wl,-brtl"); then
-  	    aix_use_runtimelinking=yes
-  	    break
-  	  fi
-	  done
-	  ;;
-	esac
-
-	exp_sym_flag='-bexport'
-	no_entry_flag='-bnoentry'
-      fi
-
-      # When large executables or shared objects are built, AIX ld can
-      # have problems creating the table of contents.  If linking a library
-      # or program results in "error TOC overflow" add -mminimal-toc to
-      # CXXFLAGS/CFLAGS for g++/gcc.  In the cases where that is not
-      # enough to fix the problem, add -Wl,-bbigtoc to LDFLAGS.
-
-      archive_cmds_GCJ=''
-      hardcode_direct_GCJ=yes
-      hardcode_libdir_separator_GCJ=':'
-      link_all_deplibs_GCJ=yes
-
-      if test "$GCC" = yes; then
-	case $host_os in aix4.[012]|aix4.[012].*)
-	# We only want to do this on AIX 4.2 and lower, the check
-	# below for broken collect2 doesn't work under 4.3+
-	  collect2name=`${CC} -print-prog-name=collect2`
-	  if test -f "$collect2name" && \
-  	   strings "$collect2name" | grep resolve_lib_name >/dev/null
-	  then
-  	  # We have reworked collect2
-  	  :
-	  else
-  	  # We have old collect2
-  	  hardcode_direct_GCJ=unsupported
-  	  # It fails to find uninstalled libraries when the uninstalled
-  	  # path is not listed in the libpath.  Setting hardcode_minus_L
-  	  # to unsupported forces relinking
-  	  hardcode_minus_L_GCJ=yes
-  	  hardcode_libdir_flag_spec_GCJ='-L$libdir'
-  	  hardcode_libdir_separator_GCJ=
-	  fi
-	  ;;
-	esac
-	shared_flag='-shared'
-	if test "$aix_use_runtimelinking" = yes; then
-	  shared_flag="$shared_flag "'${wl}-G'
-	fi
-      else
-	# not using gcc
-	if test "$host_cpu" = ia64; then
-  	# VisualAge C++, Version 5.5 for AIX 5L for IA-64, Beta 3 Release
-  	# chokes on -Wl,-G. The following line is correct:
-	  shared_flag='-G'
-	else
-	  if test "$aix_use_runtimelinking" = yes; then
-	    shared_flag='${wl}-G'
-	  else
-	    shared_flag='${wl}-bM:SRE'
-	  fi
-	fi
-      fi
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_fcgi_main" >&5
+echo "${ECHO_T}$ac_cv_lib_fcgi_main" >&6; }
+if test $ac_cv_lib_fcgi_main = yes; then
+  LIBS="$LIBS"
+else
+  { { echo "$as_me:$LINENO: error: FastCGI library fcgi not found!" >&5
+echo "$as_me: error: FastCGI library fcgi not found!" >&2;}
+   { (exit 1); exit 1; }; }
+fi
+ac_cv_lib_fcgi=ac_cv_lib_fcgi_main
 
-      # It seems that -bexpall does not export symbols beginning with
-      # underscore (_), so it is better to generate a list of symbols to export.
-      always_export_symbols_GCJ=yes
-      if test "$aix_use_runtimelinking" = yes; then
-	# Warning - without using the other runtime loading flags (-brtl),
-	# -berok will link without error, but may produce a broken library.
-	allow_undefined_flag_GCJ='-berok'
-       # Determine the default libpath from the value encoded in an empty executable.
-       cat >conftest.$ac_ext <<_ACEOF
+	if test "${ac_cv_header_fcgiapp_h+set}" = set; then
+  { echo "$as_me:$LINENO: checking for fcgiapp.h" >&5
+echo $ECHO_N "checking for fcgiapp.h... $ECHO_C" >&6; }
+if test "${ac_cv_header_fcgiapp_h+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_header_fcgiapp_h" >&5
+echo "${ECHO_T}$ac_cv_header_fcgiapp_h" >&6; }
+else
+  # Is the header compilable?
+{ echo "$as_me:$LINENO: checking fcgiapp.h usability" >&5
+echo $ECHO_N "checking fcgiapp.h usability... $ECHO_C" >&6; }
+cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
 cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
-
-int
-main ()
-{
-
-  ;
-  return 0;
-}
+$ac_includes_default
+#include <fcgiapp.h>
 _ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
 case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
 eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_link") 2>conftest.er1
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
@@ -19182,8668 +15031,4897 @@ eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
-
-lt_aix_libpath_sed='
-    /Import File Strings/,/^$/ {
-	/^0/ {
-	    s/^0  *\(.*\)$/\1/
-	    p
-	}
-    }'
-aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
-# Check for a 64-bit object if we didn't find anything.
-if test -z "$aix_libpath"; then
-  aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
-fi
+       } && test -s conftest.$ac_objext; then
+  ac_header_compiler=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-
+	ac_header_compiler=no
 fi
 
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
-if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
+echo "${ECHO_T}$ac_header_compiler" >&6; }
 
-       hardcode_libdir_flag_spec_GCJ='${wl}-blibpath:$libdir:'"$aix_libpath"
-	archive_expsym_cmds_GCJ="\$CC"' -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then echo "${wl}${allow_undefined_flag}"; else :; fi` '"\${wl}$exp_sym_flag:\$export_symbols $shared_flag"
-       else
-	if test "$host_cpu" = ia64; then
-	  hardcode_libdir_flag_spec_GCJ='${wl}-R $libdir:/usr/lib:/lib'
-	  allow_undefined_flag_GCJ="-z nodefs"
-	  archive_expsym_cmds_GCJ="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags ${wl}${allow_undefined_flag} '"\${wl}$exp_sym_flag:\$export_symbols"
-	else
-	 # Determine the default libpath from the value encoded in an empty executable.
-	 cat >conftest.$ac_ext <<_ACEOF
+# Is the header present?
+{ echo "$as_me:$LINENO: checking fcgiapp.h presence" >&5
+echo $ECHO_N "checking fcgiapp.h presence... $ECHO_C" >&6; }
+cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
 cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
-
-int
-main ()
-{
-
-  ;
-  return 0;
-}
+#include <fcgiapp.h>
 _ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
+if { (ac_try="$ac_cpp conftest.$ac_ext"
 case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
 eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_link") 2>conftest.er1
+  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
+  (exit $ac_status); } >/dev/null && {
+	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
-
-lt_aix_libpath_sed='
-    /Import File Strings/,/^$/ {
-	/^0/ {
-	    s/^0  *\(.*\)$/\1/
-	    p
-	}
-    }'
-aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
-# Check for a 64-bit object if we didn't find anything.
-if test -z "$aix_libpath"; then
-  aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
-fi
+       }; then
+  ac_header_preproc=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-
+  ac_header_preproc=no
 fi
 
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
-if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
-
-	 hardcode_libdir_flag_spec_GCJ='${wl}-blibpath:$libdir:'"$aix_libpath"
-	  # Warning - without using the other run time loading flags,
-	  # -berok will link without error, but may produce a broken library.
-	  no_undefined_flag_GCJ=' ${wl}-bernotok'
-	  allow_undefined_flag_GCJ=' ${wl}-berok'
-	  # Exported symbols can be pulled into shared objects from archives
-	  whole_archive_flag_spec_GCJ='$convenience'
-	  archive_cmds_need_lc_GCJ=yes
-	  # This is similar to how AIX traditionally builds its shared libraries.
-	  archive_expsym_cmds_GCJ="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs ${wl}-bnoentry $compiler_flags ${wl}-bE:$export_symbols${allow_undefined_flag}~$AR $AR_FLAGS $output_objdir/$libname$release.a $output_objdir/$soname'
-	fi
-      fi
-      ;;
-
-    amigaos*)
-      archive_cmds_GCJ='$rm $output_objdir/a2ixlibrary.data~$echo "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$echo "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$echo "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$echo "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)'
-      hardcode_libdir_flag_spec_GCJ='-L$libdir'
-      hardcode_minus_L_GCJ=yes
-      # see comment about different semantics on the GNU ld section
-      ld_shlibs_GCJ=no
-      ;;
+rm -f conftest.err conftest.$ac_ext
+{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
+echo "${ECHO_T}$ac_header_preproc" >&6; }
 
-    bsdi[45]*)
-      export_dynamic_flag_spec_GCJ=-rdynamic
-      ;;
+# So?  What about this header?
+case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
+  yes:no: )
+    { echo "$as_me:$LINENO: WARNING: fcgiapp.h: accepted by the compiler, rejected by the preprocessor!" >&5
+echo "$as_me: WARNING: fcgiapp.h: accepted by the compiler, rejected by the preprocessor!" >&2;}
+    { echo "$as_me:$LINENO: WARNING: fcgiapp.h: proceeding with the compiler's result" >&5
+echo "$as_me: WARNING: fcgiapp.h: proceeding with the compiler's result" >&2;}
+    ac_header_preproc=yes
+    ;;
+  no:yes:* )
+    { echo "$as_me:$LINENO: WARNING: fcgiapp.h: present but cannot be compiled" >&5
+echo "$as_me: WARNING: fcgiapp.h: present but cannot be compiled" >&2;}
+    { echo "$as_me:$LINENO: WARNING: fcgiapp.h:     check for missing prerequisite headers?" >&5
+echo "$as_me: WARNING: fcgiapp.h:     check for missing prerequisite headers?" >&2;}
+    { echo "$as_me:$LINENO: WARNING: fcgiapp.h: see the Autoconf documentation" >&5
+echo "$as_me: WARNING: fcgiapp.h: see the Autoconf documentation" >&2;}
+    { echo "$as_me:$LINENO: WARNING: fcgiapp.h:     section \"Present But Cannot Be Compiled\"" >&5
+echo "$as_me: WARNING: fcgiapp.h:     section \"Present But Cannot Be Compiled\"" >&2;}
+    { echo "$as_me:$LINENO: WARNING: fcgiapp.h: proceeding with the preprocessor's result" >&5
+echo "$as_me: WARNING: fcgiapp.h: proceeding with the preprocessor's result" >&2;}
+    { echo "$as_me:$LINENO: WARNING: fcgiapp.h: in the future, the compiler will take precedence" >&5
+echo "$as_me: WARNING: fcgiapp.h: in the future, the compiler will take precedence" >&2;}
 
-    cygwin* | mingw* | pw32*)
-      # When not using gcc, we currently assume that we are using
-      # Microsoft Visual C++.
-      # hardcode_libdir_flag_spec is actually meaningless, as there is
-      # no search path for DLLs.
-      hardcode_libdir_flag_spec_GCJ=' '
-      allow_undefined_flag_GCJ=unsupported
-      # Tell ltmain to make .lib files, not .a files.
-      libext=lib
-      # Tell ltmain to make .dll files, not .so files.
-      shrext_cmds=".dll"
-      # FIXME: Setting linknames here is a bad hack.
-      archive_cmds_GCJ='$CC -o $lib $libobjs $compiler_flags `echo "$deplibs" | $SED -e '\''s/ -lc$//'\''` -link -dll~linknames='
-      # The linker will automatically build a .lib file if we build a DLL.
-      old_archive_From_new_cmds_GCJ='true'
-      # FIXME: Should let the user specify the lib program.
-      old_archive_cmds_GCJ='lib -OUT:$oldlib$oldobjs$old_deplibs'
-      fix_srcfile_path_GCJ='`cygpath -w "$srcfile"`'
-      enable_shared_with_static_runtimes_GCJ=yes
-      ;;
+    ;;
+esac
+{ echo "$as_me:$LINENO: checking for fcgiapp.h" >&5
+echo $ECHO_N "checking for fcgiapp.h... $ECHO_C" >&6; }
+if test "${ac_cv_header_fcgiapp_h+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_cv_header_fcgiapp_h=$ac_header_preproc
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_header_fcgiapp_h" >&5
+echo "${ECHO_T}$ac_cv_header_fcgiapp_h" >&6; }
 
-    darwin* | rhapsody*)
-      case $host_os in
-        rhapsody* | darwin1.[012])
-         allow_undefined_flag_GCJ='${wl}-undefined ${wl}suppress'
-         ;;
-       *) # Darwin 1.3 on
-         if test -z ${MACOSX_DEPLOYMENT_TARGET} ; then
-           allow_undefined_flag_GCJ='${wl}-flat_namespace ${wl}-undefined ${wl}suppress'
-         else
-           case ${MACOSX_DEPLOYMENT_TARGET} in
-             10.[012])
-               allow_undefined_flag_GCJ='${wl}-flat_namespace ${wl}-undefined ${wl}suppress'
-               ;;
-             10.*)
-               allow_undefined_flag_GCJ='${wl}-undefined ${wl}dynamic_lookup'
-               ;;
-           esac
-         fi
-         ;;
-      esac
-      archive_cmds_need_lc_GCJ=no
-      hardcode_direct_GCJ=no
-      hardcode_automatic_GCJ=yes
-      hardcode_shlibpath_var_GCJ=unsupported
-      whole_archive_flag_spec_GCJ=''
-      link_all_deplibs_GCJ=yes
-    if test "$GCC" = yes ; then
-    	output_verbose_link_cmd='echo'
-        archive_cmds_GCJ="\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$libobjs \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring $_lt_dar_single_mod${_lt_dsymutil}"
-        module_cmds_GCJ="\$CC \$allow_undefined_flag -o \$lib -bundle \$libobjs \$deplibs \$compiler_flags${_lt_dsymutil}"
-        archive_expsym_cmds_GCJ="sed 's,^,_,' < \$export_symbols > \$output_objdir/\${libname}-symbols.expsym~\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$libobjs \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring ${_lt_dar_single_mod}${_lt_dar_export_syms}${_lt_dsymutil}"
-        module_expsym_cmds_GCJ="sed -e 's,^,_,' < \$export_symbols > \$output_objdir/\${libname}-symbols.expsym~\$CC \$allow_undefined_flag -o \$lib -bundle \$libobjs \$deplibs \$compiler_flags${_lt_dar_export_syms}${_lt_dsymutil}"
-    else
-      case $cc_basename in
-        xlc*)
-         output_verbose_link_cmd='echo'
-         archive_cmds_GCJ='$CC -qmkshrobj $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}`echo $rpath/$soname` $xlcverstring'
-         module_cmds_GCJ='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
-          # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin lds
-         archive_expsym_cmds_GCJ='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -qmkshrobj $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}$rpath/$soname $xlcverstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
-          module_expsym_cmds_GCJ='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag  -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
-          ;;
-       *)
-         ld_shlibs_GCJ=no
-          ;;
-      esac
-    fi
-      ;;
+fi
+if test $ac_cv_header_fcgiapp_h = yes; then
+  :
+else
+  { { echo "$as_me:$LINENO: error: FastCGI header file fcgiapp.h not found!" >&5
+echo "$as_me: error: FastCGI header file fcgiapp.h not found!" >&2;}
+   { (exit 1); exit 1; }; }
+fi
 
-    dgux*)
-      archive_cmds_GCJ='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
-      hardcode_libdir_flag_spec_GCJ='-L$libdir'
-      hardcode_shlibpath_var_GCJ=no
-      ;;
 
-    freebsd1*)
-      ld_shlibs_GCJ=no
-      ;;
+fi
 
-    # FreeBSD 2.2.[012] allows us to include c++rt0.o to get C++ constructor
-    # support.  Future versions do this automatically, but an explicit c++rt0.o
-    # does not break anything, and helps significantly (at the cost of a little
-    # extra space).
-    freebsd2.2*)
-      archive_cmds_GCJ='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags /usr/lib/c++rt0.o'
-      hardcode_libdir_flag_spec_GCJ='-R$libdir'
-      hardcode_direct_GCJ=yes
-      hardcode_shlibpath_var_GCJ=no
-      ;;
+if test x$mysql = xtrue; then
+	{ echo "$as_me:$LINENO: checking for main in -lmysqlclient_r" >&5
+echo $ECHO_N "checking for main in -lmysqlclient_r... $ECHO_C" >&6; }
+if test "${ac_cv_lib_mysqlclient_r_main+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lmysqlclient_r  $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
 
-    # Unfortunately, older versions of FreeBSD 2 do not have this feature.
-    freebsd2*)
-      archive_cmds_GCJ='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'
-      hardcode_direct_GCJ=yes
-      hardcode_minus_L_GCJ=yes
-      hardcode_shlibpath_var_GCJ=no
-      ;;
 
-    # FreeBSD 3 and greater uses gcc -shared to do shared libraries.
-    freebsd* | dragonfly*)
-      archive_cmds_GCJ='$CC -shared -o $lib $libobjs $deplibs $compiler_flags'
-      hardcode_libdir_flag_spec_GCJ='-R$libdir'
-      hardcode_direct_GCJ=yes
-      hardcode_shlibpath_var_GCJ=no
-      ;;
+int
+main ()
+{
+return main ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+  ac_cv_lib_mysqlclient_r_main=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
 
-    hpux9*)
-      if test "$GCC" = yes; then
-	archive_cmds_GCJ='$rm $output_objdir/$soname~$CC -shared -fPIC ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $libobjs $deplibs $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
-      else
-	archive_cmds_GCJ='$rm $output_objdir/$soname~$LD -b +b $install_libdir -o $output_objdir/$soname $libobjs $deplibs $linker_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
-      fi
-      hardcode_libdir_flag_spec_GCJ='${wl}+b ${wl}$libdir'
-      hardcode_libdir_separator_GCJ=:
-      hardcode_direct_GCJ=yes
+	ac_cv_lib_mysqlclient_r_main=no
+fi
 
-      # hardcode_minus_L: Not really in the search PATH,
-      # but as the default location of the library.
-      hardcode_minus_L_GCJ=yes
-      export_dynamic_flag_spec_GCJ='${wl}-E'
-      ;;
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_mysqlclient_r_main" >&5
+echo "${ECHO_T}$ac_cv_lib_mysqlclient_r_main" >&6; }
+if test $ac_cv_lib_mysqlclient_r_main = yes; then
+  LIBS="$LIBS"
+else
+  { { echo "$as_me:$LINENO: error: MySQL library mysqlclient_r not found" >&5
+echo "$as_me: error: MySQL library mysqlclient_r not found" >&2;}
+   { (exit 1); exit 1; }; }
+fi
+ac_cv_lib_mysqlclient_r=ac_cv_lib_mysqlclient_r_main
 
-    hpux10*)
-      if test "$GCC" = yes -a "$with_gnu_ld" = no; then
-	archive_cmds_GCJ='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
-      else
-	archive_cmds_GCJ='$LD -b +h $soname +b $install_libdir -o $lib $libobjs $deplibs $linker_flags'
-      fi
-      if test "$with_gnu_ld" = no; then
-	hardcode_libdir_flag_spec_GCJ='${wl}+b ${wl}$libdir'
-	hardcode_libdir_separator_GCJ=:
+	if test "${ac_cv_header_mysql_mysql_h+set}" = set; then
+  { echo "$as_me:$LINENO: checking for mysql/mysql.h" >&5
+echo $ECHO_N "checking for mysql/mysql.h... $ECHO_C" >&6; }
+if test "${ac_cv_header_mysql_mysql_h+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_header_mysql_mysql_h" >&5
+echo "${ECHO_T}$ac_cv_header_mysql_mysql_h" >&6; }
+else
+  # Is the header compilable?
+{ echo "$as_me:$LINENO: checking mysql/mysql.h usability" >&5
+echo $ECHO_N "checking mysql/mysql.h usability... $ECHO_C" >&6; }
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+$ac_includes_default
+#include <mysql/mysql.h>
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  ac_header_compiler=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
 
-	hardcode_direct_GCJ=yes
-	export_dynamic_flag_spec_GCJ='${wl}-E'
+	ac_header_compiler=no
+fi
 
-	# hardcode_minus_L: Not really in the search PATH,
-	# but as the default location of the library.
-	hardcode_minus_L_GCJ=yes
-      fi
-      ;;
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
+echo "${ECHO_T}$ac_header_compiler" >&6; }
 
-    hpux11*)
-      if test "$GCC" = yes -a "$with_gnu_ld" = no; then
-	case $host_cpu in
-	hppa*64*)
-	  archive_cmds_GCJ='$CC -shared ${wl}+h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
-	  ;;
-	ia64*)
-	  archive_cmds_GCJ='$CC -shared ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags'
-	  ;;
-	*)
-	  archive_cmds_GCJ='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
-	  ;;
-	esac
-      else
-	case $host_cpu in
-	hppa*64*)
-	  archive_cmds_GCJ='$CC -b ${wl}+h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
-	  ;;
-	ia64*)
-	  archive_cmds_GCJ='$CC -b ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags'
-	  ;;
-	*)
-	  archive_cmds_GCJ='$CC -b ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
-	  ;;
-	esac
-      fi
-      if test "$with_gnu_ld" = no; then
-	hardcode_libdir_flag_spec_GCJ='${wl}+b ${wl}$libdir'
-	hardcode_libdir_separator_GCJ=:
-
-	case $host_cpu in
-	hppa*64*|ia64*)
-	  hardcode_libdir_flag_spec_ld_GCJ='+b $libdir'
-	  hardcode_direct_GCJ=no
-	  hardcode_shlibpath_var_GCJ=no
-	  ;;
-	*)
-	  hardcode_direct_GCJ=yes
-	  export_dynamic_flag_spec_GCJ='${wl}-E'
-
-	  # hardcode_minus_L: Not really in the search PATH,
-	  # but as the default location of the library.
-	  hardcode_minus_L_GCJ=yes
-	  ;;
-	esac
-      fi
-      ;;
-
-    irix5* | irix6* | nonstopux*)
-      if test "$GCC" = yes; then
-	archive_cmds_GCJ='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
-      else
-	archive_cmds_GCJ='$LD -shared $libobjs $deplibs $linker_flags -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
-	hardcode_libdir_flag_spec_ld_GCJ='-rpath $libdir'
-      fi
-      hardcode_libdir_flag_spec_GCJ='${wl}-rpath ${wl}$libdir'
-      hardcode_libdir_separator_GCJ=:
-      link_all_deplibs_GCJ=yes
-      ;;
-
-    netbsd* | netbsdelf*-gnu)
-      if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
-	archive_cmds_GCJ='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'  # a.out
-      else
-	archive_cmds_GCJ='$LD -shared -o $lib $libobjs $deplibs $linker_flags'      # ELF
-      fi
-      hardcode_libdir_flag_spec_GCJ='-R$libdir'
-      hardcode_direct_GCJ=yes
-      hardcode_shlibpath_var_GCJ=no
-      ;;
-
-    newsos6)
-      archive_cmds_GCJ='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
-      hardcode_direct_GCJ=yes
-      hardcode_libdir_flag_spec_GCJ='${wl}-rpath ${wl}$libdir'
-      hardcode_libdir_separator_GCJ=:
-      hardcode_shlibpath_var_GCJ=no
-      ;;
-
-    openbsd*)
-      if test -f /usr/libexec/ld.so; then
-	hardcode_direct_GCJ=yes
-	hardcode_shlibpath_var_GCJ=no
-	if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
-	  archive_cmds_GCJ='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
-	  archive_expsym_cmds_GCJ='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-retain-symbols-file,$export_symbols'
-	  hardcode_libdir_flag_spec_GCJ='${wl}-rpath,$libdir'
-	  export_dynamic_flag_spec_GCJ='${wl}-E'
-	else
-	  case $host_os in
-	   openbsd[01].* | openbsd2.[0-7] | openbsd2.[0-7].*)
-	     archive_cmds_GCJ='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'
-	     hardcode_libdir_flag_spec_GCJ='-R$libdir'
-	     ;;
-	   *)
-	     archive_cmds_GCJ='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
-	     hardcode_libdir_flag_spec_GCJ='${wl}-rpath,$libdir'
-	     ;;
-	  esac
-        fi
-      else
-	ld_shlibs_GCJ=no
-      fi
-      ;;
+# Is the header present?
+{ echo "$as_me:$LINENO: checking mysql/mysql.h presence" >&5
+echo $ECHO_N "checking mysql/mysql.h presence... $ECHO_C" >&6; }
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+#include <mysql/mysql.h>
+_ACEOF
+if { (ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } >/dev/null && {
+	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       }; then
+  ac_header_preproc=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
 
-    os2*)
-      hardcode_libdir_flag_spec_GCJ='-L$libdir'
-      hardcode_minus_L_GCJ=yes
-      allow_undefined_flag_GCJ=unsupported
-      archive_cmds_GCJ='$echo "LIBRARY $libname INITINSTANCE" > $output_objdir/$libname.def~$echo "DESCRIPTION \"$libname\"" >> $output_objdir/$libname.def~$echo DATA >> $output_objdir/$libname.def~$echo " SINGLE NONSHARED" >> $output_objdir/$libname.def~$echo EXPORTS >> $output_objdir/$libname.def~emxexp $libobjs >> $output_objdir/$libname.def~$CC -Zdll -Zcrtdll -o $lib $libobjs $deplibs $compiler_flags $output_objdir/$libname.def'
-      old_archive_From_new_cmds_GCJ='emximp -o $output_objdir/$libname.a $output_objdir/$libname.def'
-      ;;
+  ac_header_preproc=no
+fi
 
-    osf3*)
-      if test "$GCC" = yes; then
-	allow_undefined_flag_GCJ=' ${wl}-expect_unresolved ${wl}\*'
-	archive_cmds_GCJ='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
-      else
-	allow_undefined_flag_GCJ=' -expect_unresolved \*'
-	archive_cmds_GCJ='$LD -shared${allow_undefined_flag} $libobjs $deplibs $linker_flags -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
-      fi
-      hardcode_libdir_flag_spec_GCJ='${wl}-rpath ${wl}$libdir'
-      hardcode_libdir_separator_GCJ=:
-      ;;
+rm -f conftest.err conftest.$ac_ext
+{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
+echo "${ECHO_T}$ac_header_preproc" >&6; }
 
-    osf4* | osf5*)	# as osf3* with the addition of -msym flag
-      if test "$GCC" = yes; then
-	allow_undefined_flag_GCJ=' ${wl}-expect_unresolved ${wl}\*'
-	archive_cmds_GCJ='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-msym ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
-	hardcode_libdir_flag_spec_GCJ='${wl}-rpath ${wl}$libdir'
-      else
-	allow_undefined_flag_GCJ=' -expect_unresolved \*'
-	archive_cmds_GCJ='$LD -shared${allow_undefined_flag} $libobjs $deplibs $linker_flags -msym -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
-	archive_expsym_cmds_GCJ='for i in `cat $export_symbols`; do printf "%s %s\\n" -exported_symbol "\$i" >> $lib.exp; done; echo "-hidden">> $lib.exp~
-	$LD -shared${allow_undefined_flag} -input $lib.exp $linker_flags $libobjs $deplibs -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib~$rm $lib.exp'
+# So?  What about this header?
+case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
+  yes:no: )
+    { echo "$as_me:$LINENO: WARNING: mysql/mysql.h: accepted by the compiler, rejected by the preprocessor!" >&5
+echo "$as_me: WARNING: mysql/mysql.h: accepted by the compiler, rejected by the preprocessor!" >&2;}
+    { echo "$as_me:$LINENO: WARNING: mysql/mysql.h: proceeding with the compiler's result" >&5
+echo "$as_me: WARNING: mysql/mysql.h: proceeding with the compiler's result" >&2;}
+    ac_header_preproc=yes
+    ;;
+  no:yes:* )
+    { echo "$as_me:$LINENO: WARNING: mysql/mysql.h: present but cannot be compiled" >&5
+echo "$as_me: WARNING: mysql/mysql.h: present but cannot be compiled" >&2;}
+    { echo "$as_me:$LINENO: WARNING: mysql/mysql.h:     check for missing prerequisite headers?" >&5
+echo "$as_me: WARNING: mysql/mysql.h:     check for missing prerequisite headers?" >&2;}
+    { echo "$as_me:$LINENO: WARNING: mysql/mysql.h: see the Autoconf documentation" >&5
+echo "$as_me: WARNING: mysql/mysql.h: see the Autoconf documentation" >&2;}
+    { echo "$as_me:$LINENO: WARNING: mysql/mysql.h:     section \"Present But Cannot Be Compiled\"" >&5
+echo "$as_me: WARNING: mysql/mysql.h:     section \"Present But Cannot Be Compiled\"" >&2;}
+    { echo "$as_me:$LINENO: WARNING: mysql/mysql.h: proceeding with the preprocessor's result" >&5
+echo "$as_me: WARNING: mysql/mysql.h: proceeding with the preprocessor's result" >&2;}
+    { echo "$as_me:$LINENO: WARNING: mysql/mysql.h: in the future, the compiler will take precedence" >&5
+echo "$as_me: WARNING: mysql/mysql.h: in the future, the compiler will take precedence" >&2;}
 
-	# Both c and cxx compiler support -rpath directly
-	hardcode_libdir_flag_spec_GCJ='-rpath $libdir'
-      fi
-      hardcode_libdir_separator_GCJ=:
-      ;;
+    ;;
+esac
+{ echo "$as_me:$LINENO: checking for mysql/mysql.h" >&5
+echo $ECHO_N "checking for mysql/mysql.h... $ECHO_C" >&6; }
+if test "${ac_cv_header_mysql_mysql_h+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_cv_header_mysql_mysql_h=$ac_header_preproc
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_header_mysql_mysql_h" >&5
+echo "${ECHO_T}$ac_cv_header_mysql_mysql_h" >&6; }
 
-    solaris*)
-      no_undefined_flag_GCJ=' -z text'
-      if test "$GCC" = yes; then
-	wlarc='${wl}'
-	archive_cmds_GCJ='$CC -shared ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
-	archive_expsym_cmds_GCJ='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
-	  $CC -shared ${wl}-M ${wl}$lib.exp ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags~$rm $lib.exp'
-      else
-	wlarc=''
-	archive_cmds_GCJ='$LD -G${allow_undefined_flag} -h $soname -o $lib $libobjs $deplibs $linker_flags'
-	archive_expsym_cmds_GCJ='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
-  	$LD -G${allow_undefined_flag} -M $lib.exp -h $soname -o $lib $libobjs $deplibs $linker_flags~$rm $lib.exp'
-      fi
-      hardcode_libdir_flag_spec_GCJ='-R$libdir'
-      hardcode_shlibpath_var_GCJ=no
-      case $host_os in
-      solaris2.[0-5] | solaris2.[0-5].*) ;;
-      *)
-	# The compiler driver will combine and reorder linker options,
-	# but understands `-z linker_flag'.  GCC discards it without `$wl',
-	# but is careful enough not to reorder.
- 	# Supported since Solaris 2.6 (maybe 2.5.1?)
-	if test "$GCC" = yes; then
-	  whole_archive_flag_spec_GCJ='${wl}-z ${wl}allextract$convenience ${wl}-z ${wl}defaultextract'
-	else
-	  whole_archive_flag_spec_GCJ='-z allextract$convenience -z defaultextract'
-	fi
-	;;
-      esac
-      link_all_deplibs_GCJ=yes
-      ;;
+fi
+if test $ac_cv_header_mysql_mysql_h = yes; then
+  :
+else
+  { { echo "$as_me:$LINENO: error: MySQL header mysql/mysql.h not found!" >&5
+echo "$as_me: error: MySQL header mysql/mysql.h not found!" >&2;}
+   { (exit 1); exit 1; }; }
+fi
 
-    sunos4*)
-      if test "x$host_vendor" = xsequent; then
-	# Use $CC to link under sequent, because it throws in some extra .o
-	# files that make .init and .fini sections work.
-	archive_cmds_GCJ='$CC -G ${wl}-h $soname -o $lib $libobjs $deplibs $compiler_flags'
-      else
-	archive_cmds_GCJ='$LD -assert pure-text -Bstatic -o $lib $libobjs $deplibs $linker_flags'
-      fi
-      hardcode_libdir_flag_spec_GCJ='-L$libdir'
-      hardcode_direct_GCJ=yes
-      hardcode_minus_L_GCJ=yes
-      hardcode_shlibpath_var_GCJ=no
-      ;;
 
-    sysv4)
-      case $host_vendor in
-	sni)
-	  archive_cmds_GCJ='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
-	  hardcode_direct_GCJ=yes # is this really true???
-	;;
-	siemens)
-	  ## LD is ld it makes a PLAMLIB
-	  ## CC just makes a GrossModule.
-	  archive_cmds_GCJ='$LD -G -o $lib $libobjs $deplibs $linker_flags'
-	  reload_cmds_GCJ='$CC -r -o $output$reload_objs'
-	  hardcode_direct_GCJ=no
-        ;;
-	motorola)
-	  archive_cmds_GCJ='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
-	  hardcode_direct_GCJ=no #Motorola manual says yes, but my tests say they lie
-	;;
-      esac
-      runpath_var='LD_RUN_PATH'
-      hardcode_shlibpath_var_GCJ=no
-      ;;
+fi
 
-    sysv4.3*)
-      archive_cmds_GCJ='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
-      hardcode_shlibpath_var_GCJ=no
-      export_dynamic_flag_spec_GCJ='-Bexport'
-      ;;
+if test x$sqlite = xtrue; then
+	{ echo "$as_me:$LINENO: checking for main in -lsqlite3" >&5
+echo $ECHO_N "checking for main in -lsqlite3... $ECHO_C" >&6; }
+if test "${ac_cv_lib_sqlite3_main+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lsqlite3  $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
 
-    sysv4*MP*)
-      if test -d /usr/nec; then
-	archive_cmds_GCJ='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
-	hardcode_shlibpath_var_GCJ=no
-	runpath_var=LD_RUN_PATH
-	hardcode_runpath_var=yes
-	ld_shlibs_GCJ=yes
-      fi
-      ;;
 
-    sysv4*uw2* | sysv5OpenUNIX* | sysv5UnixWare7.[01].[10]* | unixware7* | sco3.2v5.0.[024]*)
-      no_undefined_flag_GCJ='${wl}-z,text'
-      archive_cmds_need_lc_GCJ=no
-      hardcode_shlibpath_var_GCJ=no
-      runpath_var='LD_RUN_PATH'
+int
+main ()
+{
+return main ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+  ac_cv_lib_sqlite3_main=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
 
-      if test "$GCC" = yes; then
-	archive_cmds_GCJ='$CC -shared ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
-	archive_expsym_cmds_GCJ='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
-      else
-	archive_cmds_GCJ='$CC -G ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
-	archive_expsym_cmds_GCJ='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
-      fi
-      ;;
+	ac_cv_lib_sqlite3_main=no
+fi
 
-    sysv5* | sco3.2v5* | sco5v6*)
-      # Note: We can NOT use -z defs as we might desire, because we do not
-      # link with -lc, and that would cause any symbols used from libc to
-      # always be unresolved, which means just about no library would
-      # ever link correctly.  If we're not using GNU ld we use -z text
-      # though, which does catch some bad symbols but isn't as heavy-handed
-      # as -z defs.
-      no_undefined_flag_GCJ='${wl}-z,text'
-      allow_undefined_flag_GCJ='${wl}-z,nodefs'
-      archive_cmds_need_lc_GCJ=no
-      hardcode_shlibpath_var_GCJ=no
-      hardcode_libdir_flag_spec_GCJ='`test -z "$SCOABSPATH" && echo ${wl}-R,$libdir`'
-      hardcode_libdir_separator_GCJ=':'
-      link_all_deplibs_GCJ=yes
-      export_dynamic_flag_spec_GCJ='${wl}-Bexport'
-      runpath_var='LD_RUN_PATH'
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_sqlite3_main" >&5
+echo "${ECHO_T}$ac_cv_lib_sqlite3_main" >&6; }
+if test $ac_cv_lib_sqlite3_main = yes; then
+  LIBS="$LIBS"
+else
+  { { echo "$as_me:$LINENO: error: SQLite library sqlite3 not found" >&5
+echo "$as_me: error: SQLite library sqlite3 not found" >&2;}
+   { (exit 1); exit 1; }; }
+fi
+ac_cv_lib_sqlite3=ac_cv_lib_sqlite3_main
 
-      if test "$GCC" = yes; then
-	archive_cmds_GCJ='$CC -shared ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
-	archive_expsym_cmds_GCJ='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
-      else
-	archive_cmds_GCJ='$CC -G ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
-	archive_expsym_cmds_GCJ='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
-      fi
-      ;;
+	if test "${ac_cv_header_sqlite3_h+set}" = set; then
+  { echo "$as_me:$LINENO: checking for sqlite3.h" >&5
+echo $ECHO_N "checking for sqlite3.h... $ECHO_C" >&6; }
+if test "${ac_cv_header_sqlite3_h+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_header_sqlite3_h" >&5
+echo "${ECHO_T}$ac_cv_header_sqlite3_h" >&6; }
+else
+  # Is the header compilable?
+{ echo "$as_me:$LINENO: checking sqlite3.h usability" >&5
+echo $ECHO_N "checking sqlite3.h usability... $ECHO_C" >&6; }
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+$ac_includes_default
+#include <sqlite3.h>
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  ac_header_compiler=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
 
-    uts4*)
-      archive_cmds_GCJ='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
-      hardcode_libdir_flag_spec_GCJ='-L$libdir'
-      hardcode_shlibpath_var_GCJ=no
-      ;;
+	ac_header_compiler=no
+fi
 
-    *)
-      ld_shlibs_GCJ=no
-      ;;
-    esac
-  fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
+echo "${ECHO_T}$ac_header_compiler" >&6; }
 
-{ echo "$as_me:$LINENO: result: $ld_shlibs_GCJ" >&5
-echo "${ECHO_T}$ld_shlibs_GCJ" >&6; }
-test "$ld_shlibs_GCJ" = no && can_build_shared=no
+# Is the header present?
+{ echo "$as_me:$LINENO: checking sqlite3.h presence" >&5
+echo $ECHO_N "checking sqlite3.h presence... $ECHO_C" >&6; }
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+#include <sqlite3.h>
+_ACEOF
+if { (ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } >/dev/null && {
+	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       }; then
+  ac_header_preproc=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
 
-#
-# Do we need to explicitly link libc?
-#
-case "x$archive_cmds_need_lc_GCJ" in
-x|xyes)
-  # Assume -lc should be added
-  archive_cmds_need_lc_GCJ=yes
+  ac_header_preproc=no
+fi
 
-  if test "$enable_shared" = yes && test "$GCC" = yes; then
-    case $archive_cmds_GCJ in
-    *'~'*)
-      # FIXME: we may have to deal with multi-command sequences.
-      ;;
-    '$CC '*)
-      # Test whether the compiler implicitly links with -lc since on some
-      # systems, -lgcc has to come before -lc. If gcc already passes -lc
-      # to ld, don't add -lc before -lgcc.
-      { echo "$as_me:$LINENO: checking whether -lc should be explicitly linked in" >&5
-echo $ECHO_N "checking whether -lc should be explicitly linked in... $ECHO_C" >&6; }
-      $rm conftest*
-      echo "$lt_simple_compile_test_code" > conftest.$ac_ext
+rm -f conftest.err conftest.$ac_ext
+{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
+echo "${ECHO_T}$ac_header_preproc" >&6; }
 
-      if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } 2>conftest.err; then
-        soname=conftest
-        lib=conftest
-        libobjs=conftest.$ac_objext
-        deplibs=
-        wl=$lt_prog_compiler_wl_GCJ
-	pic_flag=$lt_prog_compiler_pic_GCJ
-        compiler_flags=-v
-        linker_flags=-v
-        verstring=
-        output_objdir=.
-        libname=conftest
-        lt_save_allow_undefined_flag=$allow_undefined_flag_GCJ
-        allow_undefined_flag_GCJ=
-        if { (eval echo "$as_me:$LINENO: \"$archive_cmds_GCJ 2\>\&1 \| grep \" -lc \" \>/dev/null 2\>\&1\"") >&5
-  (eval $archive_cmds_GCJ 2\>\&1 \| grep \" -lc \" \>/dev/null 2\>\&1) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }
-        then
-	  archive_cmds_need_lc_GCJ=no
-        else
-	  archive_cmds_need_lc_GCJ=yes
-        fi
-        allow_undefined_flag_GCJ=$lt_save_allow_undefined_flag
-      else
-        cat conftest.err 1>&5
-      fi
-      $rm conftest*
-      { echo "$as_me:$LINENO: result: $archive_cmds_need_lc_GCJ" >&5
-echo "${ECHO_T}$archive_cmds_need_lc_GCJ" >&6; }
-      ;;
-    esac
-  fi
-  ;;
+# So?  What about this header?
+case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
+  yes:no: )
+    { echo "$as_me:$LINENO: WARNING: sqlite3.h: accepted by the compiler, rejected by the preprocessor!" >&5
+echo "$as_me: WARNING: sqlite3.h: accepted by the compiler, rejected by the preprocessor!" >&2;}
+    { echo "$as_me:$LINENO: WARNING: sqlite3.h: proceeding with the compiler's result" >&5
+echo "$as_me: WARNING: sqlite3.h: proceeding with the compiler's result" >&2;}
+    ac_header_preproc=yes
+    ;;
+  no:yes:* )
+    { echo "$as_me:$LINENO: WARNING: sqlite3.h: present but cannot be compiled" >&5
+echo "$as_me: WARNING: sqlite3.h: present but cannot be compiled" >&2;}
+    { echo "$as_me:$LINENO: WARNING: sqlite3.h:     check for missing prerequisite headers?" >&5
+echo "$as_me: WARNING: sqlite3.h:     check for missing prerequisite headers?" >&2;}
+    { echo "$as_me:$LINENO: WARNING: sqlite3.h: see the Autoconf documentation" >&5
+echo "$as_me: WARNING: sqlite3.h: see the Autoconf documentation" >&2;}
+    { echo "$as_me:$LINENO: WARNING: sqlite3.h:     section \"Present But Cannot Be Compiled\"" >&5
+echo "$as_me: WARNING: sqlite3.h:     section \"Present But Cannot Be Compiled\"" >&2;}
+    { echo "$as_me:$LINENO: WARNING: sqlite3.h: proceeding with the preprocessor's result" >&5
+echo "$as_me: WARNING: sqlite3.h: proceeding with the preprocessor's result" >&2;}
+    { echo "$as_me:$LINENO: WARNING: sqlite3.h: in the future, the compiler will take precedence" >&5
+echo "$as_me: WARNING: sqlite3.h: in the future, the compiler will take precedence" >&2;}
+
+    ;;
 esac
+{ echo "$as_me:$LINENO: checking for sqlite3.h" >&5
+echo $ECHO_N "checking for sqlite3.h... $ECHO_C" >&6; }
+if test "${ac_cv_header_sqlite3_h+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_cv_header_sqlite3_h=$ac_header_preproc
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_header_sqlite3_h" >&5
+echo "${ECHO_T}$ac_cv_header_sqlite3_h" >&6; }
 
-{ echo "$as_me:$LINENO: checking dynamic linker characteristics" >&5
-echo $ECHO_N "checking dynamic linker characteristics... $ECHO_C" >&6; }
-library_names_spec=
-libname_spec='lib$name'
-soname_spec=
-shrext_cmds=".so"
-postinstall_cmds=
-postuninstall_cmds=
-finish_cmds=
-finish_eval=
-shlibpath_var=
-shlibpath_overrides_runpath=unknown
-version_type=none
-dynamic_linker="$host_os ld.so"
-sys_lib_dlsearch_path_spec="/lib /usr/lib"
+fi
+if test $ac_cv_header_sqlite3_h = yes; then
+  :
+else
+  { { echo "$as_me:$LINENO: error: SQLite header sqlite3.h not found!" >&5
+echo "$as_me: error: SQLite header sqlite3.h not found!" >&2;}
+   { (exit 1); exit 1; }; }
+fi
 
-need_lib_prefix=unknown
-hardcode_into_libs=no
 
-# when you set need_version to no, make sure it does not cause -set_version
-# flags to be left without arguments
-need_version=unknown
+	{ echo "$as_me:$LINENO: checking sqlite3_prepare_v2" >&5
+echo $ECHO_N "checking sqlite3_prepare_v2... $ECHO_C" >&6; }
+	cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+#include <sqlite3.h>
+int
+main ()
+{
 
-case $host_os in
-aix3*)
-  version_type=linux
-  library_names_spec='${libname}${release}${shared_ext}$versuffix $libname.a'
-  shlibpath_var=LIBPATH
+			void *test = sqlite3_prepare_v2;
 
-  # AIX 3 has no versioning support, so we append a major version to the name.
-  soname_spec='${libname}${release}${shared_ext}$major'
-  ;;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }; cat >>confdefs.h <<_ACEOF
+#define HAVE_SQLITE3_PREPARE_V2 1
+_ACEOF
 
-aix[4-9]*)
-  version_type=linux
-  need_lib_prefix=no
-  need_version=no
-  hardcode_into_libs=yes
-  if test "$host_cpu" = ia64; then
-    # AIX 5 supports IA64
-    library_names_spec='${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext}$versuffix $libname${shared_ext}'
-    shlibpath_var=LD_LIBRARY_PATH
-  else
-    # With GCC up to 2.95.x, collect2 would create an import file
-    # for dependence libraries.  The import file would start with
-    # the line `#! .'.  This would cause the generated library to
-    # depend on `.', always an invalid library.  This was fixed in
-    # development snapshots of GCC prior to 3.0.
-    case $host_os in
-      aix4 | aix4.[01] | aix4.[01].*)
-      if { echo '#if __GNUC__ > 2 || (__GNUC__ == 2 && __GNUC_MINOR__ >= 97)'
-	   echo ' yes '
-	   echo '#endif'; } | ${CC} -E - | grep yes > /dev/null; then
-	:
-      else
-	can_build_shared=no
-      fi
-      ;;
-    esac
-    # AIX (on Power*) has no versioning support, so currently we can not hardcode correct
-    # soname into executable. Probably we can add versioning support to
-    # collect2, so additional links can be useful in future.
-    if test "$aix_use_runtimelinking" = yes; then
-      # If using run time linking (on AIX 4.2 or later) use lib<name>.so
-      # instead of lib<name>.a to let people know that these are not
-      # typical AIX shared libraries.
-      library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-    else
-      # We preserve .a as extension for shared libraries through AIX4.2
-      # and later when we are not doing run time linking.
-      library_names_spec='${libname}${release}.a $libname.a'
-      soname_spec='${libname}${release}${shared_ext}$major'
-    fi
-    shlibpath_var=LIBPATH
-  fi
-  ;;
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
 
-amigaos*)
-  library_names_spec='$libname.ixlibrary $libname.a'
-  # Create ${libname}_ixlibrary.a entries in /sys/libs.
-  finish_eval='for lib in `ls $libdir/*.ixlibrary 2>/dev/null`; do libname=`$echo "X$lib" | $Xsed -e '\''s%^.*/\([^/]*\)\.ixlibrary$%\1%'\''`; test $rm /sys/libs/${libname}_ixlibrary.a; $show "cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a"; cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a || exit 1; done'
-  ;;
+	{ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
 
-beos*)
-  library_names_spec='${libname}${shared_ext}'
-  dynamic_linker="$host_os ld.so"
-  shlibpath_var=LIBRARY_PATH
-  ;;
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+	{ echo "$as_me:$LINENO: checking sqlite3.h version >= 3.3.1" >&5
+echo $ECHO_N "checking sqlite3.h version >= 3.3.1... $ECHO_C" >&6; }
+	cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+#include <sqlite3.h>
+int
+main ()
+{
 
-bsdi[45]*)
-  version_type=linux
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  finish_cmds='PATH="\$PATH:/sbin" ldconfig $libdir'
-  shlibpath_var=LD_LIBRARY_PATH
-  sys_lib_search_path_spec="/shlib /usr/lib /usr/X11/lib /usr/contrib/lib /lib /usr/local/lib"
-  sys_lib_dlsearch_path_spec="/shlib /usr/lib /usr/local/lib"
-  # the default ld.so.conf also contains /usr/contrib/lib and
-  # /usr/X11R6/lib (/usr/X11 is a link to /usr/X11R6), but let us allow
-  # libtool to hard-code these into programs
-  ;;
+			#if SQLITE_VERSION_NUMBER < 3003001
+				#error bad sqlite
+			#endif
 
-cygwin* | mingw* | pw32*)
-  version_type=windows
-  shrext_cmds=".dll"
-  need_version=no
-  need_lib_prefix=no
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
 
-  case $GCC,$host_os in
-  yes,cygwin* | yes,mingw* | yes,pw32*)
-    library_names_spec='$libname.dll.a'
-    # DLL is installed to $(libdir)/../bin by postinstall_cmds
-    postinstall_cmds='base_file=`basename \${file}`~
-      dlpath=`$SHELL 2>&1 -c '\''. $dir/'\''\${base_file}'\''i;echo \$dlname'\''`~
-      dldir=$destdir/`dirname \$dlpath`~
-      test -d \$dldir || mkdir -p \$dldir~
-      $install_prog $dir/$dlname \$dldir/$dlname~
-      chmod a+x \$dldir/$dlname'
-    postuninstall_cmds='dldll=`$SHELL 2>&1 -c '\''. $file; echo \$dlname'\''`~
-      dlpath=$dir/\$dldll~
-       $rm \$dlpath'
-    shlibpath_overrides_runpath=yes
+	{ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }; { { echo "$as_me:$LINENO: error: SQLite version >= 3.3.1 required!" >&5
+echo "$as_me: error: SQLite version >= 3.3.1 required!" >&2;}
+   { (exit 1); exit 1; }; }
+fi
 
-    case $host_os in
-    cygwin*)
-      # Cygwin DLLs use 'cyg' prefix rather than 'lib'
-      soname_spec='`echo ${libname} | sed -e 's/^lib/cyg/'``echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}'
-      sys_lib_search_path_spec="/usr/lib /lib/w32api /lib /usr/local/lib"
-      ;;
-    mingw*)
-      # MinGW DLLs use traditional 'lib' prefix
-      soname_spec='${libname}`echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}'
-      sys_lib_search_path_spec=`$CC -print-search-dirs | grep "^libraries:" | $SED -e "s/^libraries://" -e "s,=/,/,g"`
-      if echo "$sys_lib_search_path_spec" | grep ';[c-zC-Z]:/' >/dev/null; then
-        # It is most probably a Windows format PATH printed by
-        # mingw gcc, but we are running on Cygwin. Gcc prints its search
-        # path with ; separators, and with drive letters. We can handle the
-        # drive letters (cygwin fileutils understands them), so leave them,
-        # especially as we might pass files found there to a mingw objdump,
-        # which wouldn't understand a cygwinified path. Ahh.
-        sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'`
-      else
-        sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED  -e "s/$PATH_SEPARATOR/ /g"`
-      fi
-      ;;
-    pw32*)
-      # pw32 DLLs use 'pw' prefix rather than 'lib'
-      library_names_spec='`echo ${libname} | sed -e 's/^lib/pw/'``echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}'
-      ;;
-    esac
-    ;;
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
 
-  *)
-    library_names_spec='${libname}`echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext} $libname.lib'
-    ;;
-  esac
-  dynamic_linker='Win32 ld.exe'
-  # FIXME: first we should search . and the directory the executable is in
-  shlibpath_var=PATH
-  ;;
+if test x$openssl = xtrue; then
+	{ echo "$as_me:$LINENO: checking for main in -lcrypto" >&5
+echo $ECHO_N "checking for main in -lcrypto... $ECHO_C" >&6; }
+if test "${ac_cv_lib_crypto_main+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lcrypto  $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
 
-darwin* | rhapsody*)
-  dynamic_linker="$host_os dyld"
-  version_type=darwin
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${versuffix}$shared_ext ${libname}${release}${major}$shared_ext ${libname}$shared_ext'
-  soname_spec='${libname}${release}${major}$shared_ext'
-  shlibpath_overrides_runpath=yes
-  shlibpath_var=DYLD_LIBRARY_PATH
-  shrext_cmds='`test .$module = .yes && echo .so || echo .dylib`'
 
-  sys_lib_dlsearch_path_spec='/usr/local/lib /lib /usr/lib'
-  ;;
+int
+main ()
+{
+return main ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+  ac_cv_lib_crypto_main=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
 
-dgux*)
-  version_type=linux
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname$shared_ext'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  ;;
+	ac_cv_lib_crypto_main=no
+fi
 
-freebsd1*)
-  dynamic_linker=no
-  ;;
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_crypto_main" >&5
+echo "${ECHO_T}$ac_cv_lib_crypto_main" >&6; }
+if test $ac_cv_lib_crypto_main = yes; then
+  LIBS="$LIBS"
+else
+  { { echo "$as_me:$LINENO: error: OpenSSL crypto library not found" >&5
+echo "$as_me: error: OpenSSL crypto library not found" >&2;}
+   { (exit 1); exit 1; }; }
+fi
+ac_cv_lib_crypto=ac_cv_lib_crypto_main
 
-freebsd* | dragonfly*)
-  # DragonFly does not have aout.  When/if they implement a new
-  # versioning mechanism, adjust this.
-  if test -x /usr/bin/objformat; then
-    objformat=`/usr/bin/objformat`
-  else
-    case $host_os in
-    freebsd[123]*) objformat=aout ;;
-    *) objformat=elf ;;
-    esac
-  fi
-  version_type=freebsd-$objformat
-  case $version_type in
-    freebsd-elf*)
-      library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext} $libname${shared_ext}'
-      need_version=no
-      need_lib_prefix=no
-      ;;
-    freebsd-*)
-      library_names_spec='${libname}${release}${shared_ext}$versuffix $libname${shared_ext}$versuffix'
-      need_version=yes
-      ;;
-  esac
-  shlibpath_var=LD_LIBRARY_PATH
-  case $host_os in
-  freebsd2*)
-    shlibpath_overrides_runpath=yes
-    ;;
-  freebsd3.[01]* | freebsdelf3.[01]*)
-    shlibpath_overrides_runpath=yes
-    hardcode_into_libs=yes
-    ;;
-  freebsd3.[2-9]* | freebsdelf3.[2-9]* | \
-  freebsd4.[0-5] | freebsdelf4.[0-5] | freebsd4.1.1 | freebsdelf4.1.1)
-    shlibpath_overrides_runpath=no
-    hardcode_into_libs=yes
-    ;;
-  *) # from 4.6 on, and DragonFly
-    shlibpath_overrides_runpath=yes
-    hardcode_into_libs=yes
-    ;;
-  esac
-  ;;
+	if test "${ac_cv_header_openssl_evp_h+set}" = set; then
+  { echo "$as_me:$LINENO: checking for openssl/evp.h" >&5
+echo $ECHO_N "checking for openssl/evp.h... $ECHO_C" >&6; }
+if test "${ac_cv_header_openssl_evp_h+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_header_openssl_evp_h" >&5
+echo "${ECHO_T}$ac_cv_header_openssl_evp_h" >&6; }
+else
+  # Is the header compilable?
+{ echo "$as_me:$LINENO: checking openssl/evp.h usability" >&5
+echo $ECHO_N "checking openssl/evp.h usability... $ECHO_C" >&6; }
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+$ac_includes_default
+#include <openssl/evp.h>
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  ac_header_compiler=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
 
-gnu*)
-  version_type=linux
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}${major} ${libname}${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  hardcode_into_libs=yes
-  ;;
+	ac_header_compiler=no
+fi
 
-hpux9* | hpux10* | hpux11*)
-  # Give a soname corresponding to the major version so that dld.sl refuses to
-  # link against other versions.
-  version_type=sunos
-  need_lib_prefix=no
-  need_version=no
-  case $host_cpu in
-  ia64*)
-    shrext_cmds='.so'
-    hardcode_into_libs=yes
-    dynamic_linker="$host_os dld.so"
-    shlibpath_var=LD_LIBRARY_PATH
-    shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
-    library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-    soname_spec='${libname}${release}${shared_ext}$major'
-    if test "X$HPUX_IA64_MODE" = X32; then
-      sys_lib_search_path_spec="/usr/lib/hpux32 /usr/local/lib/hpux32 /usr/local/lib"
-    else
-      sys_lib_search_path_spec="/usr/lib/hpux64 /usr/local/lib/hpux64"
-    fi
-    sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
-    ;;
-   hppa*64*)
-     shrext_cmds='.sl'
-     hardcode_into_libs=yes
-     dynamic_linker="$host_os dld.sl"
-     shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH
-     shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
-     library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-     soname_spec='${libname}${release}${shared_ext}$major'
-     sys_lib_search_path_spec="/usr/lib/pa20_64 /usr/ccs/lib/pa20_64"
-     sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
-     ;;
-   *)
-    shrext_cmds='.sl'
-    dynamic_linker="$host_os dld.sl"
-    shlibpath_var=SHLIB_PATH
-    shlibpath_overrides_runpath=no # +s is required to enable SHLIB_PATH
-    library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-    soname_spec='${libname}${release}${shared_ext}$major'
-    ;;
-  esac
-  # HP-UX runs *really* slowly unless shared libraries are mode 555.
-  postinstall_cmds='chmod 555 $lib'
-  ;;
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
+echo "${ECHO_T}$ac_header_compiler" >&6; }
 
-interix[3-9]*)
-  version_type=linux
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  dynamic_linker='Interix 3.x ld.so.1 (PE, like ELF)'
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=no
-  hardcode_into_libs=yes
-  ;;
+# Is the header present?
+{ echo "$as_me:$LINENO: checking openssl/evp.h presence" >&5
+echo $ECHO_N "checking openssl/evp.h presence... $ECHO_C" >&6; }
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+#include <openssl/evp.h>
+_ACEOF
+if { (ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } >/dev/null && {
+	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       }; then
+  ac_header_preproc=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
 
-irix5* | irix6* | nonstopux*)
-  case $host_os in
-    nonstopux*) version_type=nonstopux ;;
-    *)
-	if test "$lt_cv_prog_gnu_ld" = yes; then
-		version_type=linux
-	else
-		version_type=irix
-	fi ;;
-  esac
-  need_lib_prefix=no
-  need_version=no
-  soname_spec='${libname}${release}${shared_ext}$major'
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext} $libname${shared_ext}'
-  case $host_os in
-  irix5* | nonstopux*)
-    libsuff= shlibsuff=
+  ac_header_preproc=no
+fi
+
+rm -f conftest.err conftest.$ac_ext
+{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
+echo "${ECHO_T}$ac_header_preproc" >&6; }
+
+# So?  What about this header?
+case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
+  yes:no: )
+    { echo "$as_me:$LINENO: WARNING: openssl/evp.h: accepted by the compiler, rejected by the preprocessor!" >&5
+echo "$as_me: WARNING: openssl/evp.h: accepted by the compiler, rejected by the preprocessor!" >&2;}
+    { echo "$as_me:$LINENO: WARNING: openssl/evp.h: proceeding with the compiler's result" >&5
+echo "$as_me: WARNING: openssl/evp.h: proceeding with the compiler's result" >&2;}
+    ac_header_preproc=yes
     ;;
-  *)
-    case $LD in # libtool.m4 will add one of these switches to LD
-    *-32|*"-32 "|*-melf32bsmip|*"-melf32bsmip ")
-      libsuff= shlibsuff= libmagic=32-bit;;
-    *-n32|*"-n32 "|*-melf32bmipn32|*"-melf32bmipn32 ")
-      libsuff=32 shlibsuff=N32 libmagic=N32;;
-    *-64|*"-64 "|*-melf64bmip|*"-melf64bmip ")
-      libsuff=64 shlibsuff=64 libmagic=64-bit;;
-    *) libsuff= shlibsuff= libmagic=never-match;;
-    esac
+  no:yes:* )
+    { echo "$as_me:$LINENO: WARNING: openssl/evp.h: present but cannot be compiled" >&5
+echo "$as_me: WARNING: openssl/evp.h: present but cannot be compiled" >&2;}
+    { echo "$as_me:$LINENO: WARNING: openssl/evp.h:     check for missing prerequisite headers?" >&5
+echo "$as_me: WARNING: openssl/evp.h:     check for missing prerequisite headers?" >&2;}
+    { echo "$as_me:$LINENO: WARNING: openssl/evp.h: see the Autoconf documentation" >&5
+echo "$as_me: WARNING: openssl/evp.h: see the Autoconf documentation" >&2;}
+    { echo "$as_me:$LINENO: WARNING: openssl/evp.h:     section \"Present But Cannot Be Compiled\"" >&5
+echo "$as_me: WARNING: openssl/evp.h:     section \"Present But Cannot Be Compiled\"" >&2;}
+    { echo "$as_me:$LINENO: WARNING: openssl/evp.h: proceeding with the preprocessor's result" >&5
+echo "$as_me: WARNING: openssl/evp.h: proceeding with the preprocessor's result" >&2;}
+    { echo "$as_me:$LINENO: WARNING: openssl/evp.h: in the future, the compiler will take precedence" >&5
+echo "$as_me: WARNING: openssl/evp.h: in the future, the compiler will take precedence" >&2;}
+
     ;;
-  esac
-  shlibpath_var=LD_LIBRARY${shlibsuff}_PATH
-  shlibpath_overrides_runpath=no
-  sys_lib_search_path_spec="/usr/lib${libsuff} /lib${libsuff} /usr/local/lib${libsuff}"
-  sys_lib_dlsearch_path_spec="/usr/lib${libsuff} /lib${libsuff}"
-  hardcode_into_libs=yes
-  ;;
+esac
+{ echo "$as_me:$LINENO: checking for openssl/evp.h" >&5
+echo $ECHO_N "checking for openssl/evp.h... $ECHO_C" >&6; }
+if test "${ac_cv_header_openssl_evp_h+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_cv_header_openssl_evp_h=$ac_header_preproc
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_header_openssl_evp_h" >&5
+echo "${ECHO_T}$ac_cv_header_openssl_evp_h" >&6; }
 
-# No shared lib support for Linux oldld, aout, or coff.
-linux*oldld* | linux*aout* | linux*coff*)
-  dynamic_linker=no
-  ;;
+fi
+if test $ac_cv_header_openssl_evp_h = yes; then
+  :
+else
+  { { echo "$as_me:$LINENO: error: OpenSSL header openssl/evp.h not found!" >&5
+echo "$as_me: error: OpenSSL header openssl/evp.h not found!" >&2;}
+   { (exit 1); exit 1; }; }
+fi
 
-# This must be Linux ELF.
-linux* | k*bsd*-gnu)
-  version_type=linux
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  finish_cmds='PATH="\$PATH:/sbin" ldconfig -n $libdir'
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=no
-  # This implies no fast_install, which is unacceptable.
-  # Some rework will be needed to allow for fast_install
-  # before this can be enabled.
-  hardcode_into_libs=yes
 
-  # Append ld.so.conf contents to the search path
-  if test -f /etc/ld.so.conf; then
-    lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ 	]*hwcap[ 	]/d;s/[:,	]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;/^$/d' | tr '\n' ' '`
-    sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
-  fi
+fi
 
-  # We used to test for /lib/ld.so.1 and disable shared libraries on
-  # powerpc, because MkLinux only supported shared libraries with the
-  # GNU dynamic linker.  Since this was broken with cross compilers,
-  # most powerpc-linux boxes support dynamic linking these days and
-  # people can always --disable-shared, the test was removed, and we
-  # assume the GNU/Linux dynamic linker is in use.
-  dynamic_linker='GNU/Linux ld.so'
-  ;;
+if test x$uci = xtrue; then
+	{ echo "$as_me:$LINENO: checking for main in -luci" >&5
+echo $ECHO_N "checking for main in -luci... $ECHO_C" >&6; }
+if test "${ac_cv_lib_uci_main+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-luci  $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
 
-netbsdelf*-gnu)
-  version_type=linux
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=no
-  hardcode_into_libs=yes
-  dynamic_linker='NetBSD ld.elf_so'
-  ;;
 
-netbsd*)
-  version_type=sunos
-  need_lib_prefix=no
-  need_version=no
-  if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
-    library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
-    finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
-    dynamic_linker='NetBSD (a.out) ld.so'
-  else
-    library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
-    soname_spec='${libname}${release}${shared_ext}$major'
-    dynamic_linker='NetBSD ld.elf_so'
-  fi
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=yes
-  hardcode_into_libs=yes
-  ;;
+int
+main ()
+{
+return main ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+  ac_cv_lib_uci_main=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
 
-newsos6)
-  version_type=linux
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=yes
-  ;;
+	ac_cv_lib_uci_main=no
+fi
 
-nto-qnx*)
-  version_type=linux
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=yes
-  ;;
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_uci_main" >&5
+echo "${ECHO_T}$ac_cv_lib_uci_main" >&6; }
+if test $ac_cv_lib_uci_main = yes; then
+  LIBS="$LIBS"
+else
+  { { echo "$as_me:$LINENO: error: UCI library libuci not found" >&5
+echo "$as_me: error: UCI library libuci not found" >&2;}
+   { (exit 1); exit 1; }; }
+fi
+ac_cv_lib_uci=ac_cv_lib_uci_main
 
-openbsd*)
-  version_type=sunos
-  sys_lib_dlsearch_path_spec="/usr/lib"
-  need_lib_prefix=no
-  # Some older versions of OpenBSD (3.3 at least) *do* need versioned libs.
-  case $host_os in
-    openbsd3.3 | openbsd3.3.*) need_version=yes ;;
-    *)                         need_version=no  ;;
-  esac
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
-  finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
-  shlibpath_var=LD_LIBRARY_PATH
-  if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
-    case $host_os in
-      openbsd2.[89] | openbsd2.[89].*)
-	shlibpath_overrides_runpath=no
-	;;
-      *)
-	shlibpath_overrides_runpath=yes
-	;;
-      esac
-  else
-    shlibpath_overrides_runpath=yes
-  fi
-  ;;
+	if test "${ac_cv_header_uci_h+set}" = set; then
+  { echo "$as_me:$LINENO: checking for uci.h" >&5
+echo $ECHO_N "checking for uci.h... $ECHO_C" >&6; }
+if test "${ac_cv_header_uci_h+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_header_uci_h" >&5
+echo "${ECHO_T}$ac_cv_header_uci_h" >&6; }
+else
+  # Is the header compilable?
+{ echo "$as_me:$LINENO: checking uci.h usability" >&5
+echo $ECHO_N "checking uci.h usability... $ECHO_C" >&6; }
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+$ac_includes_default
+#include <uci.h>
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  ac_header_compiler=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
 
-os2*)
-  libname_spec='$name'
-  shrext_cmds=".dll"
-  need_lib_prefix=no
-  library_names_spec='$libname${shared_ext} $libname.a'
-  dynamic_linker='OS/2 ld.exe'
-  shlibpath_var=LIBPATH
-  ;;
+	ac_header_compiler=no
+fi
 
-osf3* | osf4* | osf5*)
-  version_type=osf
-  need_lib_prefix=no
-  need_version=no
-  soname_spec='${libname}${release}${shared_ext}$major'
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-  shlibpath_var=LD_LIBRARY_PATH
-  sys_lib_search_path_spec="/usr/shlib /usr/ccs/lib /usr/lib/cmplrs/cc /usr/lib /usr/local/lib /var/shlib"
-  sys_lib_dlsearch_path_spec="$sys_lib_search_path_spec"
-  ;;
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
+echo "${ECHO_T}$ac_header_compiler" >&6; }
 
-rdos*)
-  dynamic_linker=no
-  ;;
+# Is the header present?
+{ echo "$as_me:$LINENO: checking uci.h presence" >&5
+echo $ECHO_N "checking uci.h presence... $ECHO_C" >&6; }
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+#include <uci.h>
+_ACEOF
+if { (ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } >/dev/null && {
+	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       }; then
+  ac_header_preproc=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
 
-solaris*)
-  version_type=linux
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=yes
-  hardcode_into_libs=yes
-  # ldd complains unless libraries are executable
-  postinstall_cmds='chmod +x $lib'
-  ;;
+  ac_header_preproc=no
+fi
 
-sunos4*)
-  version_type=sunos
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
-  finish_cmds='PATH="\$PATH:/usr/etc" ldconfig $libdir'
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=yes
-  if test "$with_gnu_ld" = yes; then
-    need_lib_prefix=no
-  fi
-  need_version=yes
-  ;;
+rm -f conftest.err conftest.$ac_ext
+{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
+echo "${ECHO_T}$ac_header_preproc" >&6; }
 
-sysv4 | sysv4.3*)
-  version_type=linux
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  case $host_vendor in
-    sni)
-      shlibpath_overrides_runpath=no
-      need_lib_prefix=no
-      export_dynamic_flag_spec='${wl}-Blargedynsym'
-      runpath_var=LD_RUN_PATH
-      ;;
-    siemens)
-      need_lib_prefix=no
-      ;;
-    motorola)
-      need_lib_prefix=no
-      need_version=no
-      shlibpath_overrides_runpath=no
-      sys_lib_search_path_spec='/lib /usr/lib /usr/ccs/lib'
-      ;;
-  esac
-  ;;
-
-sysv4*MP*)
-  if test -d /usr/nec ;then
-    version_type=linux
-    library_names_spec='$libname${shared_ext}.$versuffix $libname${shared_ext}.$major $libname${shared_ext}'
-    soname_spec='$libname${shared_ext}.$major'
-    shlibpath_var=LD_LIBRARY_PATH
-  fi
-  ;;
-
-sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX* | sysv4*uw2*)
-  version_type=freebsd-elf
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext} $libname${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  hardcode_into_libs=yes
-  if test "$with_gnu_ld" = yes; then
-    sys_lib_search_path_spec='/usr/local/lib /usr/gnu/lib /usr/ccs/lib /usr/lib /lib'
-    shlibpath_overrides_runpath=no
-  else
-    sys_lib_search_path_spec='/usr/ccs/lib /usr/lib'
-    shlibpath_overrides_runpath=yes
-    case $host_os in
-      sco3.2v5*)
-        sys_lib_search_path_spec="$sys_lib_search_path_spec /lib"
-	;;
-    esac
-  fi
-  sys_lib_dlsearch_path_spec='/usr/lib'
-  ;;
-
-uts4*)
-  version_type=linux
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  ;;
+# So?  What about this header?
+case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
+  yes:no: )
+    { echo "$as_me:$LINENO: WARNING: uci.h: accepted by the compiler, rejected by the preprocessor!" >&5
+echo "$as_me: WARNING: uci.h: accepted by the compiler, rejected by the preprocessor!" >&2;}
+    { echo "$as_me:$LINENO: WARNING: uci.h: proceeding with the compiler's result" >&5
+echo "$as_me: WARNING: uci.h: proceeding with the compiler's result" >&2;}
+    ac_header_preproc=yes
+    ;;
+  no:yes:* )
+    { echo "$as_me:$LINENO: WARNING: uci.h: present but cannot be compiled" >&5
+echo "$as_me: WARNING: uci.h: present but cannot be compiled" >&2;}
+    { echo "$as_me:$LINENO: WARNING: uci.h:     check for missing prerequisite headers?" >&5
+echo "$as_me: WARNING: uci.h:     check for missing prerequisite headers?" >&2;}
+    { echo "$as_me:$LINENO: WARNING: uci.h: see the Autoconf documentation" >&5
+echo "$as_me: WARNING: uci.h: see the Autoconf documentation" >&2;}
+    { echo "$as_me:$LINENO: WARNING: uci.h:     section \"Present But Cannot Be Compiled\"" >&5
+echo "$as_me: WARNING: uci.h:     section \"Present But Cannot Be Compiled\"" >&2;}
+    { echo "$as_me:$LINENO: WARNING: uci.h: proceeding with the preprocessor's result" >&5
+echo "$as_me: WARNING: uci.h: proceeding with the preprocessor's result" >&2;}
+    { echo "$as_me:$LINENO: WARNING: uci.h: in the future, the compiler will take precedence" >&5
+echo "$as_me: WARNING: uci.h: in the future, the compiler will take precedence" >&2;}
 
-*)
-  dynamic_linker=no
-  ;;
+    ;;
 esac
-{ echo "$as_me:$LINENO: result: $dynamic_linker" >&5
-echo "${ECHO_T}$dynamic_linker" >&6; }
-test "$dynamic_linker" = no && can_build_shared=no
-
-if test "${lt_cv_sys_lib_search_path_spec+set}" = set; then
+{ echo "$as_me:$LINENO: checking for uci.h" >&5
+echo $ECHO_N "checking for uci.h... $ECHO_C" >&6; }
+if test "${ac_cv_header_uci_h+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  lt_cv_sys_lib_search_path_spec="$sys_lib_search_path_spec"
+  ac_cv_header_uci_h=$ac_header_preproc
 fi
+{ echo "$as_me:$LINENO: result: $ac_cv_header_uci_h" >&5
+echo "${ECHO_T}$ac_cv_header_uci_h" >&6; }
 
-sys_lib_search_path_spec="$lt_cv_sys_lib_search_path_spec"
-if test "${lt_cv_sys_lib_dlsearch_path_spec+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+fi
+if test $ac_cv_header_uci_h = yes; then
+  :
 else
-  lt_cv_sys_lib_dlsearch_path_spec="$sys_lib_dlsearch_path_spec"
+  { { echo "$as_me:$LINENO: error: UCI header uci.h not found!" >&5
+echo "$as_me: error: UCI header uci.h not found!" >&2;}
+   { (exit 1); exit 1; }; }
 fi
 
-sys_lib_dlsearch_path_spec="$lt_cv_sys_lib_dlsearch_path_spec"
 
-variables_saved_for_relink="PATH $shlibpath_var $runpath_var"
-if test "$GCC" = yes; then
-  variables_saved_for_relink="$variables_saved_for_relink GCC_EXEC_PREFIX COMPILER_PATH LIBRARY_PATH"
 fi
 
-{ echo "$as_me:$LINENO: checking how to hardcode library paths into programs" >&5
-echo $ECHO_N "checking how to hardcode library paths into programs... $ECHO_C" >&6; }
-hardcode_action_GCJ=
-if test -n "$hardcode_libdir_flag_spec_GCJ" || \
-   test -n "$runpath_var_GCJ" || \
-   test "X$hardcode_automatic_GCJ" = "Xyes" ; then
+if test x$nm = xtrue; then
 
-  # We can hardcode non-existant directories.
-  if test "$hardcode_direct_GCJ" != no &&
-     # If the only mechanism to avoid hardcoding is shlibpath_var, we
-     # have to relink, otherwise we might link with an installed library
-     # when we should be linking with a yet-to-be-installed one
-     ## test "$_LT_AC_TAGVAR(hardcode_shlibpath_var, GCJ)" != no &&
-     test "$hardcode_minus_L_GCJ" != no; then
-    # Linking always hardcodes the temporary library directory.
-    hardcode_action_GCJ=relink
-  else
-    # We can link without hardcoding, and we can hardcode nonexisting dirs.
-    hardcode_action_GCJ=immediate
-  fi
+pkg_failed=no
+{ echo "$as_me:$LINENO: checking for nm" >&5
+echo $ECHO_N "checking for nm... $ECHO_C" >&6; }
+
+if test -n "$PKG_CONFIG"; then
+    if test -n "$nm_CFLAGS"; then
+        pkg_cv_nm_CFLAGS="$nm_CFLAGS"
+    else
+        if test -n "$PKG_CONFIG" && \
+    { (echo "$as_me:$LINENO: \$PKG_CONFIG --exists --print-errors \"NetworkManager libnm_glib_vpn gthread-2.0\"") >&5
+  ($PKG_CONFIG --exists --print-errors "NetworkManager libnm_glib_vpn gthread-2.0") 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  pkg_cv_nm_CFLAGS=`$PKG_CONFIG --cflags "NetworkManager libnm_glib_vpn gthread-2.0" 2>/dev/null`
 else
-  # We cannot hardcode anything, or else we can only hardcode existing
-  # directories.
-  hardcode_action_GCJ=unsupported
+  pkg_failed=yes
 fi
-{ echo "$as_me:$LINENO: result: $hardcode_action_GCJ" >&5
-echo "${ECHO_T}$hardcode_action_GCJ" >&6; }
-
-if test "$hardcode_action_GCJ" = relink; then
-  # Fast installation is not supported
-  enable_fast_install=no
-elif test "$shlibpath_overrides_runpath" = yes ||
-     test "$enable_shared" = no; then
-  # Fast installation is not necessary
-  enable_fast_install=needless
+    fi
+else
+	pkg_failed=untried
+fi
+if test -n "$PKG_CONFIG"; then
+    if test -n "$nm_LIBS"; then
+        pkg_cv_nm_LIBS="$nm_LIBS"
+    else
+        if test -n "$PKG_CONFIG" && \
+    { (echo "$as_me:$LINENO: \$PKG_CONFIG --exists --print-errors \"NetworkManager libnm_glib_vpn gthread-2.0\"") >&5
+  ($PKG_CONFIG --exists --print-errors "NetworkManager libnm_glib_vpn gthread-2.0") 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  pkg_cv_nm_LIBS=`$PKG_CONFIG --libs "NetworkManager libnm_glib_vpn gthread-2.0" 2>/dev/null`
+else
+  pkg_failed=yes
+fi
+    fi
+else
+	pkg_failed=untried
 fi
 
 
-# The else clause should only fire when bootstrapping the
-# libtool distribution, otherwise you forgot to ship ltmain.sh
-# with your package, and you will get complaints that there are
-# no rules to generate ltmain.sh.
-if test -f "$ltmain"; then
-  # See if we are running on zsh, and set the options which allow our commands through
-  # without removal of \ escapes.
-  if test -n "${ZSH_VERSION+set}" ; then
-    setopt NO_GLOB_SUBST
-  fi
-  # Now quote all the things that may contain metacharacters while being
-  # careful not to overquote the AC_SUBSTed values.  We take copies of the
-  # variables and quote the copies for generation of the libtool script.
-  for var in echo old_CC old_CFLAGS AR AR_FLAGS EGREP RANLIB LN_S LTCC LTCFLAGS NM \
-    SED SHELL STRIP \
-    libname_spec library_names_spec soname_spec extract_expsyms_cmds \
-    old_striplib striplib file_magic_cmd finish_cmds finish_eval \
-    deplibs_check_method reload_flag reload_cmds need_locks \
-    lt_cv_sys_global_symbol_pipe lt_cv_sys_global_symbol_to_cdecl \
-    lt_cv_sys_global_symbol_to_c_name_address \
-    sys_lib_search_path_spec sys_lib_dlsearch_path_spec \
-    old_postinstall_cmds old_postuninstall_cmds \
-    compiler_GCJ \
-    CC_GCJ \
-    LD_GCJ \
-    lt_prog_compiler_wl_GCJ \
-    lt_prog_compiler_pic_GCJ \
-    lt_prog_compiler_static_GCJ \
-    lt_prog_compiler_no_builtin_flag_GCJ \
-    export_dynamic_flag_spec_GCJ \
-    thread_safe_flag_spec_GCJ \
-    whole_archive_flag_spec_GCJ \
-    enable_shared_with_static_runtimes_GCJ \
-    old_archive_cmds_GCJ \
-    old_archive_from_new_cmds_GCJ \
-    predep_objects_GCJ \
-    postdep_objects_GCJ \
-    predeps_GCJ \
-    postdeps_GCJ \
-    compiler_lib_search_path_GCJ \
-    compiler_lib_search_dirs_GCJ \
-    archive_cmds_GCJ \
-    archive_expsym_cmds_GCJ \
-    postinstall_cmds_GCJ \
-    postuninstall_cmds_GCJ \
-    old_archive_from_expsyms_cmds_GCJ \
-    allow_undefined_flag_GCJ \
-    no_undefined_flag_GCJ \
-    export_symbols_cmds_GCJ \
-    hardcode_libdir_flag_spec_GCJ \
-    hardcode_libdir_flag_spec_ld_GCJ \
-    hardcode_libdir_separator_GCJ \
-    hardcode_automatic_GCJ \
-    module_cmds_GCJ \
-    module_expsym_cmds_GCJ \
-    lt_cv_prog_compiler_c_o_GCJ \
-    fix_srcfile_path_GCJ \
-    exclude_expsyms_GCJ \
-    include_expsyms_GCJ; do
-
-    case $var in
-    old_archive_cmds_GCJ | \
-    old_archive_from_new_cmds_GCJ | \
-    archive_cmds_GCJ | \
-    archive_expsym_cmds_GCJ | \
-    module_cmds_GCJ | \
-    module_expsym_cmds_GCJ | \
-    old_archive_from_expsyms_cmds_GCJ | \
-    export_symbols_cmds_GCJ | \
-    extract_expsyms_cmds | reload_cmds | finish_cmds | \
-    postinstall_cmds | postuninstall_cmds | \
-    old_postinstall_cmds | old_postuninstall_cmds | \
-    sys_lib_search_path_spec | sys_lib_dlsearch_path_spec)
-      # Double-quote double-evaled strings.
-      eval "lt_$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$double_quote_subst\" -e \"\$sed_quote_subst\" -e \"\$delay_variable_subst\"\`\\\""
-      ;;
-    *)
-      eval "lt_$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$sed_quote_subst\"\`\\\""
-      ;;
-    esac
-  done
-
-  case $lt_echo in
-  *'\$0 --fallback-echo"')
-    lt_echo=`$echo "X$lt_echo" | $Xsed -e 's/\\\\\\\$0 --fallback-echo"$/$0 --fallback-echo"/'`
-    ;;
-  esac
-
-cfgfile="$ofile"
-
-  cat <<__EOF__ >> "$cfgfile"
-# ### BEGIN LIBTOOL TAG CONFIG: $tagname
 
-# Libtool was configured on host `(hostname || uname -n) 2>/dev/null | sed 1q`:
+if test $pkg_failed = yes; then
 
-# Shell to use when invoking shell scripts.
-SHELL=$lt_SHELL
+if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
+        _pkg_short_errors_supported=yes
+else
+        _pkg_short_errors_supported=no
+fi
+        if test $_pkg_short_errors_supported = yes; then
+	        nm_PKG_ERRORS=`$PKG_CONFIG --short-errors --errors-to-stdout --print-errors "NetworkManager libnm_glib_vpn gthread-2.0"`
+        else
+	        nm_PKG_ERRORS=`$PKG_CONFIG --errors-to-stdout --print-errors "NetworkManager libnm_glib_vpn gthread-2.0"`
+        fi
+	# Put the nasty error message in config.log where it belongs
+	echo "$nm_PKG_ERRORS" >&5
 
-# Whether or not to build shared libraries.
-build_libtool_libs=$enable_shared
+	{ { echo "$as_me:$LINENO: error: Package requirements (NetworkManager libnm_glib_vpn gthread-2.0) were not met:
 
-# Whether or not to build static libraries.
-build_old_libs=$enable_static
+$nm_PKG_ERRORS
 
-# Whether or not to add -lc for building shared libraries.
-build_libtool_need_lc=$archive_cmds_need_lc_GCJ
+Consider adjusting the PKG_CONFIG_PATH environment variable if you
+installed software in a non-standard prefix.
 
-# Whether or not to disallow shared libs when runtime libs are static
-allow_libtool_libs_with_static_runtimes=$enable_shared_with_static_runtimes_GCJ
+Alternatively, you may set the environment variables nm_CFLAGS
+and nm_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details.
+" >&5
+echo "$as_me: error: Package requirements (NetworkManager libnm_glib_vpn gthread-2.0) were not met:
 
-# Whether or not to optimize for fast installation.
-fast_install=$enable_fast_install
+$nm_PKG_ERRORS
 
-# The host system.
-host_alias=$host_alias
-host=$host
-host_os=$host_os
+Consider adjusting the PKG_CONFIG_PATH environment variable if you
+installed software in a non-standard prefix.
 
-# The build system.
-build_alias=$build_alias
-build=$build
-build_os=$build_os
+Alternatively, you may set the environment variables nm_CFLAGS
+and nm_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details.
+" >&2;}
+   { (exit 1); exit 1; }; }
+elif test $pkg_failed = untried; then
+	{ { echo "$as_me:$LINENO: error: The pkg-config script could not be found or is too old.  Make sure it
+is in your PATH or set the PKG_CONFIG environment variable to the full
+path to pkg-config.
 
-# An echo program that does not interpret backslashes.
-echo=$lt_echo
+Alternatively, you may set the environment variables nm_CFLAGS
+and nm_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details.
 
-# The archiver.
-AR=$lt_AR
-AR_FLAGS=$lt_AR_FLAGS
+To get pkg-config, see <http://pkg-config.freedesktop.org/>.
+See \`config.log' for more details." >&5
+echo "$as_me: error: The pkg-config script could not be found or is too old.  Make sure it
+is in your PATH or set the PKG_CONFIG environment variable to the full
+path to pkg-config.
 
-# A C compiler.
-LTCC=$lt_LTCC
+Alternatively, you may set the environment variables nm_CFLAGS
+and nm_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details.
 
-# LTCC compiler flags.
-LTCFLAGS=$lt_LTCFLAGS
+To get pkg-config, see <http://pkg-config.freedesktop.org/>.
+See \`config.log' for more details." >&2;}
+   { (exit 1); exit 1; }; }
+else
+	nm_CFLAGS=$pkg_cv_nm_CFLAGS
+	nm_LIBS=$pkg_cv_nm_LIBS
+        { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
+	:
+fi
 
-# A language-specific compiler.
-CC=$lt_compiler_GCJ
 
-# Is the compiler the GNU C compiler?
-with_gcc=$GCC_GCJ
+fi
 
-# An ERE matcher.
-EGREP=$lt_EGREP
-
-# The linker used to build libraries.
-LD=$lt_LD_GCJ
+if test x$eap_gtc = xtrue; then
+	{ echo "$as_me:$LINENO: checking for main in -lpam" >&5
+echo $ECHO_N "checking for main in -lpam... $ECHO_C" >&6; }
+if test "${ac_cv_lib_pam_main+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lpam  $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
 
-# Whether we need hard or soft links.
-LN_S=$lt_LN_S
 
-# A BSD-compatible nm program.
-NM=$lt_NM
+int
+main ()
+{
+return main ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+  ac_cv_lib_pam_main=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
 
-# A symbol stripping program
-STRIP=$lt_STRIP
+	ac_cv_lib_pam_main=no
+fi
 
-# Used to examine libraries when file_magic_cmd begins "file"
-MAGIC_CMD=$MAGIC_CMD
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_pam_main" >&5
+echo "${ECHO_T}$ac_cv_lib_pam_main" >&6; }
+if test $ac_cv_lib_pam_main = yes; then
+  LIBS="$LIBS"
+else
+  { { echo "$as_me:$LINENO: error: PAM library not found" >&5
+echo "$as_me: error: PAM library not found" >&2;}
+   { (exit 1); exit 1; }; }
+fi
+ac_cv_lib_pam=ac_cv_lib_pam_main
 
-# Used on cygwin: DLL creation program.
-DLLTOOL="$DLLTOOL"
+	if test "${ac_cv_header_security_pam_appl_h+set}" = set; then
+  { echo "$as_me:$LINENO: checking for security/pam_appl.h" >&5
+echo $ECHO_N "checking for security/pam_appl.h... $ECHO_C" >&6; }
+if test "${ac_cv_header_security_pam_appl_h+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_header_security_pam_appl_h" >&5
+echo "${ECHO_T}$ac_cv_header_security_pam_appl_h" >&6; }
+else
+  # Is the header compilable?
+{ echo "$as_me:$LINENO: checking security/pam_appl.h usability" >&5
+echo $ECHO_N "checking security/pam_appl.h usability... $ECHO_C" >&6; }
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+$ac_includes_default
+#include <security/pam_appl.h>
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  ac_header_compiler=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
 
-# Used on cygwin: object dumper.
-OBJDUMP="$OBJDUMP"
+	ac_header_compiler=no
+fi
 
-# Used on cygwin: assembler.
-AS="$AS"
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
+echo "${ECHO_T}$ac_header_compiler" >&6; }
 
-# The name of the directory that contains temporary libtool files.
-objdir=$objdir
+# Is the header present?
+{ echo "$as_me:$LINENO: checking security/pam_appl.h presence" >&5
+echo $ECHO_N "checking security/pam_appl.h presence... $ECHO_C" >&6; }
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+#include <security/pam_appl.h>
+_ACEOF
+if { (ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } >/dev/null && {
+	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       }; then
+  ac_header_preproc=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
 
-# How to create reloadable object files.
-reload_flag=$lt_reload_flag
-reload_cmds=$lt_reload_cmds
+  ac_header_preproc=no
+fi
 
-# How to pass a linker flag through the compiler.
-wl=$lt_lt_prog_compiler_wl_GCJ
+rm -f conftest.err conftest.$ac_ext
+{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
+echo "${ECHO_T}$ac_header_preproc" >&6; }
 
-# Object file suffix (normally "o").
-objext="$ac_objext"
+# So?  What about this header?
+case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
+  yes:no: )
+    { echo "$as_me:$LINENO: WARNING: security/pam_appl.h: accepted by the compiler, rejected by the preprocessor!" >&5
+echo "$as_me: WARNING: security/pam_appl.h: accepted by the compiler, rejected by the preprocessor!" >&2;}
+    { echo "$as_me:$LINENO: WARNING: security/pam_appl.h: proceeding with the compiler's result" >&5
+echo "$as_me: WARNING: security/pam_appl.h: proceeding with the compiler's result" >&2;}
+    ac_header_preproc=yes
+    ;;
+  no:yes:* )
+    { echo "$as_me:$LINENO: WARNING: security/pam_appl.h: present but cannot be compiled" >&5
+echo "$as_me: WARNING: security/pam_appl.h: present but cannot be compiled" >&2;}
+    { echo "$as_me:$LINENO: WARNING: security/pam_appl.h:     check for missing prerequisite headers?" >&5
+echo "$as_me: WARNING: security/pam_appl.h:     check for missing prerequisite headers?" >&2;}
+    { echo "$as_me:$LINENO: WARNING: security/pam_appl.h: see the Autoconf documentation" >&5
+echo "$as_me: WARNING: security/pam_appl.h: see the Autoconf documentation" >&2;}
+    { echo "$as_me:$LINENO: WARNING: security/pam_appl.h:     section \"Present But Cannot Be Compiled\"" >&5
+echo "$as_me: WARNING: security/pam_appl.h:     section \"Present But Cannot Be Compiled\"" >&2;}
+    { echo "$as_me:$LINENO: WARNING: security/pam_appl.h: proceeding with the preprocessor's result" >&5
+echo "$as_me: WARNING: security/pam_appl.h: proceeding with the preprocessor's result" >&2;}
+    { echo "$as_me:$LINENO: WARNING: security/pam_appl.h: in the future, the compiler will take precedence" >&5
+echo "$as_me: WARNING: security/pam_appl.h: in the future, the compiler will take precedence" >&2;}
 
-# Old archive suffix (normally "a").
-libext="$libext"
+    ;;
+esac
+{ echo "$as_me:$LINENO: checking for security/pam_appl.h" >&5
+echo $ECHO_N "checking for security/pam_appl.h... $ECHO_C" >&6; }
+if test "${ac_cv_header_security_pam_appl_h+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_cv_header_security_pam_appl_h=$ac_header_preproc
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_header_security_pam_appl_h" >&5
+echo "${ECHO_T}$ac_cv_header_security_pam_appl_h" >&6; }
 
-# Shared library suffix (normally ".so").
-shrext_cmds='$shrext_cmds'
+fi
+if test $ac_cv_header_security_pam_appl_h = yes; then
+  :
+else
+  { { echo "$as_me:$LINENO: error: PAM header security/pam_appl.h not found!" >&5
+echo "$as_me: error: PAM header security/pam_appl.h not found!" >&2;}
+   { (exit 1); exit 1; }; }
+fi
 
-# Executable file suffix (normally "").
-exeext="$exeext"
 
-# Additional compiler flags for building library objects.
-pic_flag=$lt_lt_prog_compiler_pic_GCJ
-pic_mode=$pic_mode
+fi
 
-# What is the maximum length of a command?
-max_cmd_len=$lt_cv_sys_max_cmd_len
+if test x$capabilities = xlibcap; then
+	{ echo "$as_me:$LINENO: checking for main in -lcap" >&5
+echo $ECHO_N "checking for main in -lcap... $ECHO_C" >&6; }
+if test "${ac_cv_lib_cap_main+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lcap  $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
 
-# Does compiler simultaneously support -c and -o options?
-compiler_c_o=$lt_lt_cv_prog_compiler_c_o_GCJ
 
-# Must we lock files when doing compilation?
-need_locks=$lt_need_locks
+int
+main ()
+{
+return main ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+  ac_cv_lib_cap_main=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
 
-# Do we need the lib prefix for modules?
-need_lib_prefix=$need_lib_prefix
+	ac_cv_lib_cap_main=no
+fi
 
-# Do we need a version for libraries?
-need_version=$need_version
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_cap_main" >&5
+echo "${ECHO_T}$ac_cv_lib_cap_main" >&6; }
+if test $ac_cv_lib_cap_main = yes; then
+  LIBS="$LIBS"
+else
+  { { echo "$as_me:$LINENO: error: libcap library not found" >&5
+echo "$as_me: error: libcap library not found" >&2;}
+   { (exit 1); exit 1; }; }
+fi
+ac_cv_lib_cap=ac_cv_lib_cap_main
 
-# Whether dlopen is supported.
-dlopen_support=$enable_dlopen
+	if test "${ac_cv_header_sys_capability_h+set}" = set; then
+  { echo "$as_me:$LINENO: checking for sys/capability.h" >&5
+echo $ECHO_N "checking for sys/capability.h... $ECHO_C" >&6; }
+if test "${ac_cv_header_sys_capability_h+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_header_sys_capability_h" >&5
+echo "${ECHO_T}$ac_cv_header_sys_capability_h" >&6; }
+else
+  # Is the header compilable?
+{ echo "$as_me:$LINENO: checking sys/capability.h usability" >&5
+echo $ECHO_N "checking sys/capability.h usability... $ECHO_C" >&6; }
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+$ac_includes_default
+#include <sys/capability.h>
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  ac_header_compiler=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
 
-# Whether dlopen of programs is supported.
-dlopen_self=$enable_dlopen_self
+	ac_header_compiler=no
+fi
 
-# Whether dlopen of statically linked programs is supported.
-dlopen_self_static=$enable_dlopen_self_static
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
+echo "${ECHO_T}$ac_header_compiler" >&6; }
 
-# Compiler flag to prevent dynamic linking.
-link_static_flag=$lt_lt_prog_compiler_static_GCJ
+# Is the header present?
+{ echo "$as_me:$LINENO: checking sys/capability.h presence" >&5
+echo $ECHO_N "checking sys/capability.h presence... $ECHO_C" >&6; }
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+#include <sys/capability.h>
+_ACEOF
+if { (ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } >/dev/null && {
+	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       }; then
+  ac_header_preproc=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
 
-# Compiler flag to turn off builtin functions.
-no_builtin_flag=$lt_lt_prog_compiler_no_builtin_flag_GCJ
+  ac_header_preproc=no
+fi
 
-# Compiler flag to allow reflexive dlopens.
-export_dynamic_flag_spec=$lt_export_dynamic_flag_spec_GCJ
+rm -f conftest.err conftest.$ac_ext
+{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
+echo "${ECHO_T}$ac_header_preproc" >&6; }
 
-# Compiler flag to generate shared objects directly from archives.
-whole_archive_flag_spec=$lt_whole_archive_flag_spec_GCJ
+# So?  What about this header?
+case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
+  yes:no: )
+    { echo "$as_me:$LINENO: WARNING: sys/capability.h: accepted by the compiler, rejected by the preprocessor!" >&5
+echo "$as_me: WARNING: sys/capability.h: accepted by the compiler, rejected by the preprocessor!" >&2;}
+    { echo "$as_me:$LINENO: WARNING: sys/capability.h: proceeding with the compiler's result" >&5
+echo "$as_me: WARNING: sys/capability.h: proceeding with the compiler's result" >&2;}
+    ac_header_preproc=yes
+    ;;
+  no:yes:* )
+    { echo "$as_me:$LINENO: WARNING: sys/capability.h: present but cannot be compiled" >&5
+echo "$as_me: WARNING: sys/capability.h: present but cannot be compiled" >&2;}
+    { echo "$as_me:$LINENO: WARNING: sys/capability.h:     check for missing prerequisite headers?" >&5
+echo "$as_me: WARNING: sys/capability.h:     check for missing prerequisite headers?" >&2;}
+    { echo "$as_me:$LINENO: WARNING: sys/capability.h: see the Autoconf documentation" >&5
+echo "$as_me: WARNING: sys/capability.h: see the Autoconf documentation" >&2;}
+    { echo "$as_me:$LINENO: WARNING: sys/capability.h:     section \"Present But Cannot Be Compiled\"" >&5
+echo "$as_me: WARNING: sys/capability.h:     section \"Present But Cannot Be Compiled\"" >&2;}
+    { echo "$as_me:$LINENO: WARNING: sys/capability.h: proceeding with the preprocessor's result" >&5
+echo "$as_me: WARNING: sys/capability.h: proceeding with the preprocessor's result" >&2;}
+    { echo "$as_me:$LINENO: WARNING: sys/capability.h: in the future, the compiler will take precedence" >&5
+echo "$as_me: WARNING: sys/capability.h: in the future, the compiler will take precedence" >&2;}
 
-# Compiler flag to generate thread-safe objects.
-thread_safe_flag_spec=$lt_thread_safe_flag_spec_GCJ
+    ;;
+esac
+{ echo "$as_me:$LINENO: checking for sys/capability.h" >&5
+echo $ECHO_N "checking for sys/capability.h... $ECHO_C" >&6; }
+if test "${ac_cv_header_sys_capability_h+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_cv_header_sys_capability_h=$ac_header_preproc
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_header_sys_capability_h" >&5
+echo "${ECHO_T}$ac_cv_header_sys_capability_h" >&6; }
 
-# Library versioning type.
-version_type=$version_type
+fi
+if test $ac_cv_header_sys_capability_h = yes; then
+  :
+else
+  { { echo "$as_me:$LINENO: error: libcap header sys/capability.h not found!" >&5
+echo "$as_me: error: libcap header sys/capability.h not found!" >&2;}
+   { (exit 1); exit 1; }; }
+fi
 
-# Format of library name prefix.
-libname_spec=$lt_libname_spec
 
-# List of archive names.  First name is the real one, the rest are links.
-# The last name is the one that the linker finds with -lNAME.
-library_names_spec=$lt_library_names_spec
+fi
 
-# The coded name of the library, if different from the real name.
-soname_spec=$lt_soname_spec
 
-# Commands used to build and install an old-style archive.
-RANLIB=$lt_RANLIB
-old_archive_cmds=$lt_old_archive_cmds_GCJ
-old_postinstall_cmds=$lt_old_postinstall_cmds
-old_postuninstall_cmds=$lt_old_postuninstall_cmds
+libstrongswan_plugins=
 
-# Create an old-style archive from a shared archive.
-old_archive_from_new_cmds=$lt_old_archive_from_new_cmds_GCJ
+if test x$curl = xtrue; then
+	libstrongswan_plugins=${libstrongswan_plugins}" curl"
+fi
+if test x$ldap = xtrue; then
+	libstrongswan_plugins=${libstrongswan_plugins}" ldap"
+fi
+if test x$aes = xtrue; then
+	libstrongswan_plugins=${libstrongswan_plugins}" aes"
+fi
+if test x$des = xtrue; then
+	libstrongswan_plugins=${libstrongswan_plugins}" des"
+fi
+if test x$sha1 = xtrue; then
+	libstrongswan_plugins=${libstrongswan_plugins}" sha1"
+fi
+if test x$sha2 = xtrue; then
+	libstrongswan_plugins=${libstrongswan_plugins}" sha2"
+fi
+if test x$md4 = xtrue; then
+	libstrongswan_plugins=${libstrongswan_plugins}" md4"
+fi
+if test x$md5 = xtrue; then
+	libstrongswan_plugins=${libstrongswan_plugins}" md5"
+fi
+if test x$fips_prf = xtrue; then
+	libstrongswan_plugins=${libstrongswan_plugins}" fips-prf"
+fi
+if test x$random = xtrue; then
+	libstrongswan_plugins=${libstrongswan_plugins}" random"
+fi
+if test x$x509 = xtrue; then
+	libstrongswan_plugins=${libstrongswan_plugins}" x509"
+fi
+if test x$pubkey = xtrue; then
+	libstrongswan_plugins=${libstrongswan_plugins}" pubkey"
+fi
+if test x$xcbc = xtrue; then
+	libstrongswan_plugins=${libstrongswan_plugins}" xcbc"
+fi
+if test x$hmac = xtrue; then
+	libstrongswan_plugins=${libstrongswan_plugins}" hmac"
+fi
+if test x$mysql = xtrue; then
+	libstrongswan_plugins=${libstrongswan_plugins}" mysql"
+fi
+if test x$sqlite = xtrue; then
+	libstrongswan_plugins=${libstrongswan_plugins}" sqlite"
+fi
+if test x$padlock = xtrue; then
+	libstrongswan_plugins=${libstrongswan_plugins}" padlock"
+fi
+if test x$openssl = xtrue; then
+	libstrongswan_plugins=${libstrongswan_plugins}" openssl"
+fi
+if test x$agent = xtrue; then
+	libstrongswan_plugins=${libstrongswan_plugins}" agent"
+fi
+if test x$gmp = xtrue; then
+	libstrongswan_plugins=${libstrongswan_plugins}" gmp"
+fi
 
-# Create a temporary old-style archive to link instead of a shared archive.
-old_archive_from_expsyms_cmds=$lt_old_archive_from_expsyms_cmds_GCJ
 
-# Commands used to build and install a shared archive.
-archive_cmds=$lt_archive_cmds_GCJ
-archive_expsym_cmds=$lt_archive_expsym_cmds_GCJ
-postinstall_cmds=$lt_postinstall_cmds
-postuninstall_cmds=$lt_postuninstall_cmds
 
-# Commands used to build a loadable module (assumed same as above if empty)
-module_cmds=$lt_module_cmds_GCJ
-module_expsym_cmds=$lt_module_expsym_cmds_GCJ
 
-# Commands to strip libraries.
-old_striplib=$lt_old_striplib
-striplib=$lt_striplib
+ if test x$curl = xtrue; then
+  USE_CURL_TRUE=
+  USE_CURL_FALSE='#'
+else
+  USE_CURL_TRUE='#'
+  USE_CURL_FALSE=
+fi
 
-# Dependencies to place before the objects being linked to create a
-# shared library.
-predep_objects=$lt_predep_objects_GCJ
+ if test x$ldap = xtrue; then
+  USE_LDAP_TRUE=
+  USE_LDAP_FALSE='#'
+else
+  USE_LDAP_TRUE='#'
+  USE_LDAP_FALSE=
+fi
 
-# Dependencies to place after the objects being linked to create a
-# shared library.
-postdep_objects=$lt_postdep_objects_GCJ
+ if test x$aes = xtrue; then
+  USE_AES_TRUE=
+  USE_AES_FALSE='#'
+else
+  USE_AES_TRUE='#'
+  USE_AES_FALSE=
+fi
 
-# Dependencies to place before the objects being linked to create a
-# shared library.
-predeps=$lt_predeps_GCJ
+ if test x$des = xtrue; then
+  USE_DES_TRUE=
+  USE_DES_FALSE='#'
+else
+  USE_DES_TRUE='#'
+  USE_DES_FALSE=
+fi
 
-# Dependencies to place after the objects being linked to create a
-# shared library.
-postdeps=$lt_postdeps_GCJ
-
-# The directories searched by this compiler when creating a shared
-# library
-compiler_lib_search_dirs=$lt_compiler_lib_search_dirs_GCJ
-
-# The library search path used internally by the compiler when linking
-# a shared library.
-compiler_lib_search_path=$lt_compiler_lib_search_path_GCJ
-
-# Method to check whether dependent libraries are shared objects.
-deplibs_check_method=$lt_deplibs_check_method
-
-# Command to use when deplibs_check_method == file_magic.
-file_magic_cmd=$lt_file_magic_cmd
-
-# Flag that allows shared libraries with undefined symbols to be built.
-allow_undefined_flag=$lt_allow_undefined_flag_GCJ
+ if test x$md4 = xtrue; then
+  USE_MD4_TRUE=
+  USE_MD4_FALSE='#'
+else
+  USE_MD4_TRUE='#'
+  USE_MD4_FALSE=
+fi
 
-# Flag that forces no undefined symbols.
-no_undefined_flag=$lt_no_undefined_flag_GCJ
+ if test x$md5 = xtrue; then
+  USE_MD5_TRUE=
+  USE_MD5_FALSE='#'
+else
+  USE_MD5_TRUE='#'
+  USE_MD5_FALSE=
+fi
 
-# Commands used to finish a libtool library installation in a directory.
-finish_cmds=$lt_finish_cmds
+ if test x$sha1 = xtrue; then
+  USE_SHA1_TRUE=
+  USE_SHA1_FALSE='#'
+else
+  USE_SHA1_TRUE='#'
+  USE_SHA1_FALSE=
+fi
 
-# Same as above, but a single script fragment to be evaled but not shown.
-finish_eval=$lt_finish_eval
+ if test x$sha2 = xtrue; then
+  USE_SHA2_TRUE=
+  USE_SHA2_FALSE='#'
+else
+  USE_SHA2_TRUE='#'
+  USE_SHA2_FALSE=
+fi
 
-# Take the output of nm and produce a listing of raw symbols and C names.
-global_symbol_pipe=$lt_lt_cv_sys_global_symbol_pipe
+ if test x$fips_prf = xtrue; then
+  USE_FIPS_PRF_TRUE=
+  USE_FIPS_PRF_FALSE='#'
+else
+  USE_FIPS_PRF_TRUE='#'
+  USE_FIPS_PRF_FALSE=
+fi
 
-# Transform the output of nm in a proper C declaration
-global_symbol_to_cdecl=$lt_lt_cv_sys_global_symbol_to_cdecl
+ if test x$gmp = xtrue; then
+  USE_GMP_TRUE=
+  USE_GMP_FALSE='#'
+else
+  USE_GMP_TRUE='#'
+  USE_GMP_FALSE=
+fi
 
-# Transform the output of nm in a C name address pair
-global_symbol_to_c_name_address=$lt_lt_cv_sys_global_symbol_to_c_name_address
+ if test x$random = xtrue; then
+  USE_RANDOM_TRUE=
+  USE_RANDOM_FALSE='#'
+else
+  USE_RANDOM_TRUE='#'
+  USE_RANDOM_FALSE=
+fi
 
-# This is the shared library runtime path variable.
-runpath_var=$runpath_var
+ if test x$x509 = xtrue; then
+  USE_X509_TRUE=
+  USE_X509_FALSE='#'
+else
+  USE_X509_TRUE='#'
+  USE_X509_FALSE=
+fi
 
-# This is the shared library path variable.
-shlibpath_var=$shlibpath_var
+ if test x$pubkey = xtrue; then
+  USE_PUBKEY_TRUE=
+  USE_PUBKEY_FALSE='#'
+else
+  USE_PUBKEY_TRUE='#'
+  USE_PUBKEY_FALSE=
+fi
 
-# Is shlibpath searched before the hard-coded library search path?
-shlibpath_overrides_runpath=$shlibpath_overrides_runpath
+ if test x$hmac = xtrue; then
+  USE_HMAC_TRUE=
+  USE_HMAC_FALSE='#'
+else
+  USE_HMAC_TRUE='#'
+  USE_HMAC_FALSE=
+fi
 
-# How to hardcode a shared library path into an executable.
-hardcode_action=$hardcode_action_GCJ
+ if test x$xcbc = xtrue; then
+  USE_XCBC_TRUE=
+  USE_XCBC_FALSE='#'
+else
+  USE_XCBC_TRUE='#'
+  USE_XCBC_FALSE=
+fi
 
-# Whether we should hardcode library paths into libraries.
-hardcode_into_libs=$hardcode_into_libs
+ if test x$mysql = xtrue; then
+  USE_MYSQL_TRUE=
+  USE_MYSQL_FALSE='#'
+else
+  USE_MYSQL_TRUE='#'
+  USE_MYSQL_FALSE=
+fi
 
-# Flag to hardcode \$libdir into a binary during linking.
-# This must work even if \$libdir does not exist.
-hardcode_libdir_flag_spec=$lt_hardcode_libdir_flag_spec_GCJ
+ if test x$sqlite = xtrue; then
+  USE_SQLITE_TRUE=
+  USE_SQLITE_FALSE='#'
+else
+  USE_SQLITE_TRUE='#'
+  USE_SQLITE_FALSE=
+fi
 
-# If ld is used when linking, flag to hardcode \$libdir into
-# a binary during linking. This must work even if \$libdir does
-# not exist.
-hardcode_libdir_flag_spec_ld=$lt_hardcode_libdir_flag_spec_ld_GCJ
+ if test x$padlock = xtrue; then
+  USE_PADLOCK_TRUE=
+  USE_PADLOCK_FALSE='#'
+else
+  USE_PADLOCK_TRUE='#'
+  USE_PADLOCK_FALSE=
+fi
 
-# Whether we need a single -rpath flag with a separated argument.
-hardcode_libdir_separator=$lt_hardcode_libdir_separator_GCJ
+ if test x$openssl = xtrue; then
+  USE_OPENSSL_TRUE=
+  USE_OPENSSL_FALSE='#'
+else
+  USE_OPENSSL_TRUE='#'
+  USE_OPENSSL_FALSE=
+fi
 
-# Set to yes if using DIR/libNAME${shared_ext} during linking hardcodes DIR into the
-# resulting binary.
-hardcode_direct=$hardcode_direct_GCJ
+ if test x$agent = xtrue; then
+  USE_AGENT_TRUE=
+  USE_AGENT_FALSE='#'
+else
+  USE_AGENT_TRUE='#'
+  USE_AGENT_FALSE=
+fi
 
-# Set to yes if using the -LDIR flag during linking hardcodes DIR into the
-# resulting binary.
-hardcode_minus_L=$hardcode_minus_L_GCJ
 
-# Set to yes if using SHLIBPATH_VAR=DIR during linking hardcodes DIR into
-# the resulting binary.
-hardcode_shlibpath_var=$hardcode_shlibpath_var_GCJ
+ if test x$stroke = xtrue; then
+  USE_STROKE_TRUE=
+  USE_STROKE_FALSE='#'
+else
+  USE_STROKE_TRUE='#'
+  USE_STROKE_FALSE=
+fi
 
-# Set to yes if building a shared library automatically hardcodes DIR into the library
-# and all subsequent libraries and executables linked against it.
-hardcode_automatic=$hardcode_automatic_GCJ
+ if test x$medsrv = xtrue; then
+  USE_MEDSRV_TRUE=
+  USE_MEDSRV_FALSE='#'
+else
+  USE_MEDSRV_TRUE='#'
+  USE_MEDSRV_FALSE=
+fi
 
-# Variables whose values should be saved in libtool wrapper scripts and
-# restored at relink time.
-variables_saved_for_relink="$variables_saved_for_relink"
+ if test x$medcli = xtrue; then
+  USE_MEDCLI_TRUE=
+  USE_MEDCLI_FALSE='#'
+else
+  USE_MEDCLI_TRUE='#'
+  USE_MEDCLI_FALSE=
+fi
 
-# Whether libtool must link a program against all its dependency libraries.
-link_all_deplibs=$link_all_deplibs_GCJ
+ if test x$nm = xtrue; then
+  USE_NM_TRUE=
+  USE_NM_FALSE='#'
+else
+  USE_NM_TRUE='#'
+  USE_NM_FALSE=
+fi
 
-# Compile-time system search path for libraries
-sys_lib_search_path_spec=$lt_sys_lib_search_path_spec
+ if test x$uci = xtrue; then
+  USE_UCI_TRUE=
+  USE_UCI_FALSE='#'
+else
+  USE_UCI_TRUE='#'
+  USE_UCI_FALSE=
+fi
 
-# Run-time system search path for libraries
-sys_lib_dlsearch_path_spec=$lt_sys_lib_dlsearch_path_spec
+ if test x$smp = xtrue; then
+  USE_SMP_TRUE=
+  USE_SMP_FALSE='#'
+else
+  USE_SMP_TRUE='#'
+  USE_SMP_FALSE=
+fi
 
-# Fix the shell variable \$srcfile for the compiler.
-fix_srcfile_path=$lt_fix_srcfile_path
+ if test x$sql = xtrue; then
+  USE_SQL_TRUE=
+  USE_SQL_FALSE='#'
+else
+  USE_SQL_TRUE='#'
+  USE_SQL_FALSE=
+fi
 
-# Set to yes if exported symbols are required.
-always_export_symbols=$always_export_symbols_GCJ
+ if test x$updown = xtrue; then
+  USE_UPDOWN_TRUE=
+  USE_UPDOWN_FALSE='#'
+else
+  USE_UPDOWN_TRUE='#'
+  USE_UPDOWN_FALSE=
+fi
 
-# The commands to list exported symbols.
-export_symbols_cmds=$lt_export_symbols_cmds_GCJ
+ if test x$unittest = xtrue; then
+  USE_UNIT_TESTS_TRUE=
+  USE_UNIT_TESTS_FALSE='#'
+else
+  USE_UNIT_TESTS_TRUE='#'
+  USE_UNIT_TESTS_FALSE=
+fi
 
-# The commands to extract the exported symbol list from a shared archive.
-extract_expsyms_cmds=$lt_extract_expsyms_cmds
+ if test x$loadtest = xtrue; then
+  USE_LOAD_TESTS_TRUE=
+  USE_LOAD_TESTS_FALSE='#'
+else
+  USE_LOAD_TESTS_TRUE='#'
+  USE_LOAD_TESTS_FALSE=
+fi
 
-# Symbols that should not be listed in the preloaded symbols.
-exclude_expsyms=$lt_exclude_expsyms_GCJ
+ if test x$eap_sim = xtrue; then
+  USE_EAP_SIM_TRUE=
+  USE_EAP_SIM_FALSE='#'
+else
+  USE_EAP_SIM_TRUE='#'
+  USE_EAP_SIM_FALSE=
+fi
 
-# Symbols that must always be exported.
-include_expsyms=$lt_include_expsyms_GCJ
+ if test x$eap_sim_file = xtrue; then
+  USE_EAP_SIM_FILE_TRUE=
+  USE_EAP_SIM_FILE_FALSE='#'
+else
+  USE_EAP_SIM_FILE_TRUE='#'
+  USE_EAP_SIM_FILE_FALSE=
+fi
 
-# ### END LIBTOOL TAG CONFIG: $tagname
+ if test x$eap_identity = xtrue; then
+  USE_EAP_IDENTITY_TRUE=
+  USE_EAP_IDENTITY_FALSE='#'
+else
+  USE_EAP_IDENTITY_TRUE='#'
+  USE_EAP_IDENTITY_FALSE=
+fi
 
-__EOF__
+ if test x$eap_md5 = xtrue; then
+  USE_EAP_MD5_TRUE=
+  USE_EAP_MD5_FALSE='#'
+else
+  USE_EAP_MD5_TRUE='#'
+  USE_EAP_MD5_FALSE=
+fi
 
+ if test x$eap_gtc = xtrue; then
+  USE_EAP_GTC_TRUE=
+  USE_EAP_GTC_FALSE='#'
+else
+  USE_EAP_GTC_TRUE='#'
+  USE_EAP_GTC_FALSE=
+fi
 
+ if test x$eap_aka = xtrue; then
+  USE_EAP_AKA_TRUE=
+  USE_EAP_AKA_FALSE='#'
 else
-  # If there is no Makefile yet, we rely on a make rule to execute
-  # `config.status --recheck' to rerun these tests and create the
-  # libtool script then.
-  ltmain_in=`echo $ltmain | sed -e 's/\.sh$/.in/'`
-  if test -f "$ltmain_in"; then
-    test -f Makefile && make "$ltmain"
-  fi
+  USE_EAP_AKA_TRUE='#'
+  USE_EAP_AKA_FALSE=
 fi
 
+ if test x$eap_mschapv2 = xtrue; then
+  USE_EAP_MSCHAPV2_TRUE=
+  USE_EAP_MSCHAPV2_FALSE='#'
+else
+  USE_EAP_MSCHAPV2_TRUE='#'
+  USE_EAP_MSCHAPV2_FALSE=
+fi
 
-ac_ext=c
-ac_cpp='$CPP $CPPFLAGS'
-ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
-ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
-ac_compiler_gnu=$ac_cv_c_compiler_gnu
-
-CC="$lt_save_CC"
-
-	else
-	  tagname=""
-	fi
-	;;
-
-      RC)
-
+ if test x$kernel_netlink = xtrue; then
+  USE_KERNEL_NETLINK_TRUE=
+  USE_KERNEL_NETLINK_FALSE='#'
+else
+  USE_KERNEL_NETLINK_TRUE='#'
+  USE_KERNEL_NETLINK_FALSE=
+fi
 
-# Source file extension for RC test sources.
-ac_ext=rc
+ if test x$kernel_pfkey = xtrue; then
+  USE_KERNEL_PFKEY_TRUE=
+  USE_KERNEL_PFKEY_FALSE='#'
+else
+  USE_KERNEL_PFKEY_TRUE='#'
+  USE_KERNEL_PFKEY_FALSE=
+fi
 
-# Object file extension for compiled RC test sources.
-objext=o
-objext_RC=$objext
+ if test x$kernel_klips = xtrue; then
+  USE_KERNEL_KLIPS_TRUE=
+  USE_KERNEL_KLIPS_FALSE='#'
+else
+  USE_KERNEL_KLIPS_TRUE='#'
+  USE_KERNEL_KLIPS_FALSE=
+fi
 
-# Code to be used in simple compile tests
-lt_simple_compile_test_code='sample MENU { MENUITEM "&Soup", 100, CHECKED }'
 
-# Code to be used in simple link tests
-lt_simple_link_test_code="$lt_simple_compile_test_code"
+ if test x$smartcard = xtrue; then
+  USE_SMARTCARD_TRUE=
+  USE_SMARTCARD_FALSE='#'
+else
+  USE_SMARTCARD_TRUE='#'
+  USE_SMARTCARD_FALSE=
+fi
 
-# ltmain only uses $CC for tagged configurations so make sure $CC is set.
+ if test x$cisco_quirks = xtrue; then
+  USE_CISCO_QUIRKS_TRUE=
+  USE_CISCO_QUIRKS_FALSE='#'
+else
+  USE_CISCO_QUIRKS_TRUE='#'
+  USE_CISCO_QUIRKS_FALSE=
+fi
 
-# If no C compiler was specified, use CC.
-LTCC=${LTCC-"$CC"}
+ if test x$leak_detective = xtrue; then
+  USE_LEAK_DETECTIVE_TRUE=
+  USE_LEAK_DETECTIVE_FALSE='#'
+else
+  USE_LEAK_DETECTIVE_TRUE='#'
+  USE_LEAK_DETECTIVE_FALSE=
+fi
 
-# If no C compiler flags were specified, use CFLAGS.
-LTCFLAGS=${LTCFLAGS-"$CFLAGS"}
+ if test x$lock_profiler = xtrue; then
+  USE_LOCK_PROFILER_TRUE=
+  USE_LOCK_PROFILER_FALSE='#'
+else
+  USE_LOCK_PROFILER_TRUE='#'
+  USE_LOCK_PROFILER_FALSE=
+fi
 
-# Allow CC to be a program name with arguments.
-compiler=$CC
+ if test x$nat_transport = xtrue; then
+  USE_NAT_TRANSPORT_TRUE=
+  USE_NAT_TRANSPORT_FALSE='#'
+else
+  USE_NAT_TRANSPORT_TRUE='#'
+  USE_NAT_TRANSPORT_FALSE=
+fi
 
+ if test x$vendor_id = xtrue; then
+  USE_VENDORID_TRUE=
+  USE_VENDORID_FALSE='#'
+else
+  USE_VENDORID_TRUE='#'
+  USE_VENDORID_FALSE=
+fi
 
-# save warnings/boilerplate of simple test code
-ac_outfile=conftest.$ac_objext
-echo "$lt_simple_compile_test_code" >conftest.$ac_ext
-eval "$ac_compile" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err
-_lt_compiler_boilerplate=`cat conftest.err`
-$rm conftest*
+ if test x$xauth_vid = xtrue; then
+  USE_XAUTH_VID_TRUE=
+  USE_XAUTH_VID_FALSE='#'
+else
+  USE_XAUTH_VID_TRUE='#'
+  USE_XAUTH_VID_FALSE=
+fi
 
-ac_outfile=conftest.$ac_objext
-echo "$lt_simple_link_test_code" >conftest.$ac_ext
-eval "$ac_link" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err
-_lt_linker_boilerplate=`cat conftest.err`
-$rm -r conftest*
+ if test x$dumm = xtrue; then
+  USE_DUMM_TRUE=
+  USE_DUMM_FALSE='#'
+else
+  USE_DUMM_TRUE='#'
+  USE_DUMM_FALSE=
+fi
 
+ if test x$fast = xtrue; then
+  USE_FAST_TRUE=
+  USE_FAST_FALSE='#'
+else
+  USE_FAST_TRUE='#'
+  USE_FAST_FALSE=
+fi
 
-# Allow CC to be a program name with arguments.
-lt_save_CC="$CC"
-CC=${RC-"windres"}
-compiler=$CC
-compiler_RC=$CC
-for cc_temp in $compiler""; do
-  case $cc_temp in
-    compile | *[\\/]compile | ccache | *[\\/]ccache ) ;;
-    distcc | *[\\/]distcc | purify | *[\\/]purify ) ;;
-    \-*) ;;
-    *) break;;
-  esac
-done
-cc_basename=`$echo "X$cc_temp" | $Xsed -e 's%.*/%%' -e "s%^$host_alias-%%"`
-
-lt_cv_prog_compiler_c_o_RC=yes
-
-# The else clause should only fire when bootstrapping the
-# libtool distribution, otherwise you forgot to ship ltmain.sh
-# with your package, and you will get complaints that there are
-# no rules to generate ltmain.sh.
-if test -f "$ltmain"; then
-  # See if we are running on zsh, and set the options which allow our commands through
-  # without removal of \ escapes.
-  if test -n "${ZSH_VERSION+set}" ; then
-    setopt NO_GLOB_SUBST
-  fi
-  # Now quote all the things that may contain metacharacters while being
-  # careful not to overquote the AC_SUBSTed values.  We take copies of the
-  # variables and quote the copies for generation of the libtool script.
-  for var in echo old_CC old_CFLAGS AR AR_FLAGS EGREP RANLIB LN_S LTCC LTCFLAGS NM \
-    SED SHELL STRIP \
-    libname_spec library_names_spec soname_spec extract_expsyms_cmds \
-    old_striplib striplib file_magic_cmd finish_cmds finish_eval \
-    deplibs_check_method reload_flag reload_cmds need_locks \
-    lt_cv_sys_global_symbol_pipe lt_cv_sys_global_symbol_to_cdecl \
-    lt_cv_sys_global_symbol_to_c_name_address \
-    sys_lib_search_path_spec sys_lib_dlsearch_path_spec \
-    old_postinstall_cmds old_postuninstall_cmds \
-    compiler_RC \
-    CC_RC \
-    LD_RC \
-    lt_prog_compiler_wl_RC \
-    lt_prog_compiler_pic_RC \
-    lt_prog_compiler_static_RC \
-    lt_prog_compiler_no_builtin_flag_RC \
-    export_dynamic_flag_spec_RC \
-    thread_safe_flag_spec_RC \
-    whole_archive_flag_spec_RC \
-    enable_shared_with_static_runtimes_RC \
-    old_archive_cmds_RC \
-    old_archive_from_new_cmds_RC \
-    predep_objects_RC \
-    postdep_objects_RC \
-    predeps_RC \
-    postdeps_RC \
-    compiler_lib_search_path_RC \
-    compiler_lib_search_dirs_RC \
-    archive_cmds_RC \
-    archive_expsym_cmds_RC \
-    postinstall_cmds_RC \
-    postuninstall_cmds_RC \
-    old_archive_from_expsyms_cmds_RC \
-    allow_undefined_flag_RC \
-    no_undefined_flag_RC \
-    export_symbols_cmds_RC \
-    hardcode_libdir_flag_spec_RC \
-    hardcode_libdir_flag_spec_ld_RC \
-    hardcode_libdir_separator_RC \
-    hardcode_automatic_RC \
-    module_cmds_RC \
-    module_expsym_cmds_RC \
-    lt_cv_prog_compiler_c_o_RC \
-    fix_srcfile_path_RC \
-    exclude_expsyms_RC \
-    include_expsyms_RC; do
-
-    case $var in
-    old_archive_cmds_RC | \
-    old_archive_from_new_cmds_RC | \
-    archive_cmds_RC | \
-    archive_expsym_cmds_RC | \
-    module_cmds_RC | \
-    module_expsym_cmds_RC | \
-    old_archive_from_expsyms_cmds_RC | \
-    export_symbols_cmds_RC | \
-    extract_expsyms_cmds | reload_cmds | finish_cmds | \
-    postinstall_cmds | postuninstall_cmds | \
-    old_postinstall_cmds | old_postuninstall_cmds | \
-    sys_lib_search_path_spec | sys_lib_dlsearch_path_spec)
-      # Double-quote double-evaled strings.
-      eval "lt_$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$double_quote_subst\" -e \"\$sed_quote_subst\" -e \"\$delay_variable_subst\"\`\\\""
-      ;;
-    *)
-      eval "lt_$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$sed_quote_subst\"\`\\\""
-      ;;
-    esac
-  done
+ if test x$manager = xtrue; then
+  USE_MANAGER_TRUE=
+  USE_MANAGER_FALSE='#'
+else
+  USE_MANAGER_TRUE='#'
+  USE_MANAGER_FALSE=
+fi
 
-  case $lt_echo in
-  *'\$0 --fallback-echo"')
-    lt_echo=`$echo "X$lt_echo" | $Xsed -e 's/\\\\\\\$0 --fallback-echo"$/$0 --fallback-echo"/'`
-    ;;
-  esac
+ if test x$me = xtrue; then
+  USE_ME_TRUE=
+  USE_ME_FALSE='#'
+else
+  USE_ME_TRUE='#'
+  USE_ME_FALSE=
+fi
 
-cfgfile="$ofile"
+ if test x$integrity_test = xtrue; then
+  USE_INTEGRITY_TEST_TRUE=
+  USE_INTEGRITY_TEST_FALSE='#'
+else
+  USE_INTEGRITY_TEST_TRUE='#'
+  USE_INTEGRITY_TEST_FALSE=
+fi
 
-  cat <<__EOF__ >> "$cfgfile"
-# ### BEGIN LIBTOOL TAG CONFIG: $tagname
+ if test x$self_test = xtrue; then
+  USE_SELF_TEST_TRUE=
+  USE_SELF_TEST_FALSE='#'
+else
+  USE_SELF_TEST_TRUE='#'
+  USE_SELF_TEST_FALSE=
+fi
 
-# Libtool was configured on host `(hostname || uname -n) 2>/dev/null | sed 1q`:
+ if test x$capabilities = xlibcap; then
+  USE_CAPABILITIES_TRUE=
+  USE_CAPABILITIES_FALSE='#'
+else
+  USE_CAPABILITIES_TRUE='#'
+  USE_CAPABILITIES_FALSE=
+fi
 
-# Shell to use when invoking shell scripts.
-SHELL=$lt_SHELL
+ if test x$pluto = xtrue; then
+  USE_PLUTO_TRUE=
+  USE_PLUTO_FALSE='#'
+else
+  USE_PLUTO_TRUE='#'
+  USE_PLUTO_FALSE=
+fi
 
-# Whether or not to build shared libraries.
-build_libtool_libs=$enable_shared
+ if test x$threads = xtrue; then
+  USE_THREADS_TRUE=
+  USE_THREADS_FALSE='#'
+else
+  USE_THREADS_TRUE='#'
+  USE_THREADS_FALSE=
+fi
 
-# Whether or not to build static libraries.
-build_old_libs=$enable_static
+ if test x$charon = xtrue; then
+  USE_CHARON_TRUE=
+  USE_CHARON_FALSE='#'
+else
+  USE_CHARON_TRUE='#'
+  USE_CHARON_FALSE=
+fi
 
-# Whether or not to add -lc for building shared libraries.
-build_libtool_need_lc=$archive_cmds_need_lc_RC
+ if test x$tools = xtrue; then
+  USE_TOOLS_TRUE=
+  USE_TOOLS_FALSE='#'
+else
+  USE_TOOLS_TRUE='#'
+  USE_TOOLS_FALSE=
+fi
 
-# Whether or not to disallow shared libs when runtime libs are static
-allow_libtool_libs_with_static_runtimes=$enable_shared_with_static_runtimes_RC
+ if test x$charon = xtrue -o x$tools = xtrue; then
+  USE_LIBSTRONGSWAN_TRUE=
+  USE_LIBSTRONGSWAN_FALSE='#'
+else
+  USE_LIBSTRONGSWAN_TRUE='#'
+  USE_LIBSTRONGSWAN_FALSE=
+fi
 
-# Whether or not to optimize for fast installation.
-fast_install=$enable_fast_install
+ if test x$pluto = xtrue -o x$stroke = xtrue; then
+  USE_FILE_CONFIG_TRUE=
+  USE_FILE_CONFIG_FALSE='#'
+else
+  USE_FILE_CONFIG_TRUE='#'
+  USE_FILE_CONFIG_FALSE=
+fi
 
-# The host system.
-host_alias=$host_alias
-host=$host
-host_os=$host_os
 
-# The build system.
-build_alias=$build_alias
-build=$build
-build_os=$build_os
 
-# An echo program that does not interpret backslashes.
-echo=$lt_echo
+if test x$me = xtrue; then
+	cat >>confdefs.h <<\_ACEOF
+#define ME 1
+_ACEOF
 
-# The archiver.
-AR=$lt_AR
-AR_FLAGS=$lt_AR_FLAGS
+fi
+if test x$capabilities = xlibcap; then
+	cat >>confdefs.h <<\_ACEOF
+#define CAPABILITIES 1
+_ACEOF
 
-# A C compiler.
-LTCC=$lt_LTCC
+fi
 
-# LTCC compiler flags.
-LTCFLAGS=$lt_LTCFLAGS
 
-# A language-specific compiler.
-CC=$lt_compiler_RC
+ac_config_files="$ac_config_files Makefile src/Makefile src/include/Makefile src/libstrongswan/Makefile src/libstrongswan/plugins/aes/Makefile src/libstrongswan/plugins/des/Makefile src/libstrongswan/plugins/md4/Makefile src/libstrongswan/plugins/md5/Makefile src/libstrongswan/plugins/sha1/Makefile src/libstrongswan/plugins/sha2/Makefile src/libstrongswan/plugins/fips_prf/Makefile src/libstrongswan/plugins/gmp/Makefile src/libstrongswan/plugins/random/Makefile src/libstrongswan/plugins/hmac/Makefile src/libstrongswan/plugins/xcbc/Makefile src/libstrongswan/plugins/x509/Makefile src/libstrongswan/plugins/pubkey/Makefile src/libstrongswan/plugins/curl/Makefile src/libstrongswan/plugins/ldap/Makefile src/libstrongswan/plugins/mysql/Makefile src/libstrongswan/plugins/sqlite/Makefile src/libstrongswan/plugins/padlock/Makefile src/libstrongswan/plugins/openssl/Makefile src/libstrongswan/plugins/agent/Makefile src/libstrongswan/fips/Makefile src/libcrypto/Makefile src/libfreeswan/Makefile src/pluto/Makefile src/whack/Makefile src/charon/Makefile src/charon/plugins/eap_aka/Makefile src/charon/plugins/eap_identity/Makefile src/charon/plugins/eap_md5/Makefile src/charon/plugins/eap_gtc/Makefile src/charon/plugins/eap_sim/Makefile src/charon/plugins/eap_sim_file/Makefile src/charon/plugins/eap_mschapv2/Makefile src/charon/plugins/kernel_netlink/Makefile src/charon/plugins/kernel_pfkey/Makefile src/charon/plugins/kernel_klips/Makefile src/charon/plugins/smp/Makefile src/charon/plugins/sql/Makefile src/charon/plugins/medsrv/Makefile src/charon/plugins/medcli/Makefile src/charon/plugins/nm/Makefile src/charon/plugins/uci/Makefile src/charon/plugins/stroke/Makefile src/charon/plugins/updown/Makefile src/charon/plugins/unit_tester/Makefile src/charon/plugins/load_tester/Makefile src/stroke/Makefile src/ipsec/Makefile src/starter/Makefile src/_updown/Makefile src/_updown_espmark/Makefile src/_copyright/Makefile src/openac/Makefile src/scepclient/Makefile src/dumm/Makefile src/libfast/Makefile src/manager/Makefile src/medsrv/Makefile scripts/Makefile testing/Makefile"
 
-# Is the compiler the GNU C compiler?
-with_gcc=$GCC_RC
+cat >confcache <<\_ACEOF
+# This file is a shell script that caches the results of configure
+# tests run on this system so they can be shared between configure
+# scripts and configure runs, see configure's option --config-cache.
+# It is not useful on other systems.  If it contains results you don't
+# want to keep, you may remove or edit it.
+#
+# config.status only pays attention to the cache file if you give it
+# the --recheck option to rerun configure.
+#
+# `ac_cv_env_foo' variables (set or unset) will be overridden when
+# loading this file, other *unset* `ac_cv_foo' will be assigned the
+# following values.
 
-# An ERE matcher.
-EGREP=$lt_EGREP
+_ACEOF
 
-# The linker used to build libraries.
-LD=$lt_LD_RC
-
-# Whether we need hard or soft links.
-LN_S=$lt_LN_S
-
-# A BSD-compatible nm program.
-NM=$lt_NM
-
-# A symbol stripping program
-STRIP=$lt_STRIP
-
-# Used to examine libraries when file_magic_cmd begins "file"
-MAGIC_CMD=$MAGIC_CMD
-
-# Used on cygwin: DLL creation program.
-DLLTOOL="$DLLTOOL"
-
-# Used on cygwin: object dumper.
-OBJDUMP="$OBJDUMP"
-
-# Used on cygwin: assembler.
-AS="$AS"
-
-# The name of the directory that contains temporary libtool files.
-objdir=$objdir
-
-# How to create reloadable object files.
-reload_flag=$lt_reload_flag
-reload_cmds=$lt_reload_cmds
-
-# How to pass a linker flag through the compiler.
-wl=$lt_lt_prog_compiler_wl_RC
-
-# Object file suffix (normally "o").
-objext="$ac_objext"
-
-# Old archive suffix (normally "a").
-libext="$libext"
-
-# Shared library suffix (normally ".so").
-shrext_cmds='$shrext_cmds'
-
-# Executable file suffix (normally "").
-exeext="$exeext"
-
-# Additional compiler flags for building library objects.
-pic_flag=$lt_lt_prog_compiler_pic_RC
-pic_mode=$pic_mode
-
-# What is the maximum length of a command?
-max_cmd_len=$lt_cv_sys_max_cmd_len
-
-# Does compiler simultaneously support -c and -o options?
-compiler_c_o=$lt_lt_cv_prog_compiler_c_o_RC
-
-# Must we lock files when doing compilation?
-need_locks=$lt_need_locks
-
-# Do we need the lib prefix for modules?
-need_lib_prefix=$need_lib_prefix
-
-# Do we need a version for libraries?
-need_version=$need_version
-
-# Whether dlopen is supported.
-dlopen_support=$enable_dlopen
-
-# Whether dlopen of programs is supported.
-dlopen_self=$enable_dlopen_self
-
-# Whether dlopen of statically linked programs is supported.
-dlopen_self_static=$enable_dlopen_self_static
-
-# Compiler flag to prevent dynamic linking.
-link_static_flag=$lt_lt_prog_compiler_static_RC
-
-# Compiler flag to turn off builtin functions.
-no_builtin_flag=$lt_lt_prog_compiler_no_builtin_flag_RC
-
-# Compiler flag to allow reflexive dlopens.
-export_dynamic_flag_spec=$lt_export_dynamic_flag_spec_RC
-
-# Compiler flag to generate shared objects directly from archives.
-whole_archive_flag_spec=$lt_whole_archive_flag_spec_RC
-
-# Compiler flag to generate thread-safe objects.
-thread_safe_flag_spec=$lt_thread_safe_flag_spec_RC
-
-# Library versioning type.
-version_type=$version_type
-
-# Format of library name prefix.
-libname_spec=$lt_libname_spec
-
-# List of archive names.  First name is the real one, the rest are links.
-# The last name is the one that the linker finds with -lNAME.
-library_names_spec=$lt_library_names_spec
-
-# The coded name of the library, if different from the real name.
-soname_spec=$lt_soname_spec
-
-# Commands used to build and install an old-style archive.
-RANLIB=$lt_RANLIB
-old_archive_cmds=$lt_old_archive_cmds_RC
-old_postinstall_cmds=$lt_old_postinstall_cmds
-old_postuninstall_cmds=$lt_old_postuninstall_cmds
-
-# Create an old-style archive from a shared archive.
-old_archive_from_new_cmds=$lt_old_archive_from_new_cmds_RC
-
-# Create a temporary old-style archive to link instead of a shared archive.
-old_archive_from_expsyms_cmds=$lt_old_archive_from_expsyms_cmds_RC
-
-# Commands used to build and install a shared archive.
-archive_cmds=$lt_archive_cmds_RC
-archive_expsym_cmds=$lt_archive_expsym_cmds_RC
-postinstall_cmds=$lt_postinstall_cmds
-postuninstall_cmds=$lt_postuninstall_cmds
-
-# Commands used to build a loadable module (assumed same as above if empty)
-module_cmds=$lt_module_cmds_RC
-module_expsym_cmds=$lt_module_expsym_cmds_RC
-
-# Commands to strip libraries.
-old_striplib=$lt_old_striplib
-striplib=$lt_striplib
-
-# Dependencies to place before the objects being linked to create a
-# shared library.
-predep_objects=$lt_predep_objects_RC
-
-# Dependencies to place after the objects being linked to create a
-# shared library.
-postdep_objects=$lt_postdep_objects_RC
-
-# Dependencies to place before the objects being linked to create a
-# shared library.
-predeps=$lt_predeps_RC
-
-# Dependencies to place after the objects being linked to create a
-# shared library.
-postdeps=$lt_postdeps_RC
-
-# The directories searched by this compiler when creating a shared
-# library
-compiler_lib_search_dirs=$lt_compiler_lib_search_dirs_RC
-
-# The library search path used internally by the compiler when linking
-# a shared library.
-compiler_lib_search_path=$lt_compiler_lib_search_path_RC
-
-# Method to check whether dependent libraries are shared objects.
-deplibs_check_method=$lt_deplibs_check_method
-
-# Command to use when deplibs_check_method == file_magic.
-file_magic_cmd=$lt_file_magic_cmd
-
-# Flag that allows shared libraries with undefined symbols to be built.
-allow_undefined_flag=$lt_allow_undefined_flag_RC
-
-# Flag that forces no undefined symbols.
-no_undefined_flag=$lt_no_undefined_flag_RC
-
-# Commands used to finish a libtool library installation in a directory.
-finish_cmds=$lt_finish_cmds
-
-# Same as above, but a single script fragment to be evaled but not shown.
-finish_eval=$lt_finish_eval
-
-# Take the output of nm and produce a listing of raw symbols and C names.
-global_symbol_pipe=$lt_lt_cv_sys_global_symbol_pipe
-
-# Transform the output of nm in a proper C declaration
-global_symbol_to_cdecl=$lt_lt_cv_sys_global_symbol_to_cdecl
-
-# Transform the output of nm in a C name address pair
-global_symbol_to_c_name_address=$lt_lt_cv_sys_global_symbol_to_c_name_address
-
-# This is the shared library runtime path variable.
-runpath_var=$runpath_var
-
-# This is the shared library path variable.
-shlibpath_var=$shlibpath_var
-
-# Is shlibpath searched before the hard-coded library search path?
-shlibpath_overrides_runpath=$shlibpath_overrides_runpath
-
-# How to hardcode a shared library path into an executable.
-hardcode_action=$hardcode_action_RC
-
-# Whether we should hardcode library paths into libraries.
-hardcode_into_libs=$hardcode_into_libs
-
-# Flag to hardcode \$libdir into a binary during linking.
-# This must work even if \$libdir does not exist.
-hardcode_libdir_flag_spec=$lt_hardcode_libdir_flag_spec_RC
-
-# If ld is used when linking, flag to hardcode \$libdir into
-# a binary during linking. This must work even if \$libdir does
-# not exist.
-hardcode_libdir_flag_spec_ld=$lt_hardcode_libdir_flag_spec_ld_RC
-
-# Whether we need a single -rpath flag with a separated argument.
-hardcode_libdir_separator=$lt_hardcode_libdir_separator_RC
-
-# Set to yes if using DIR/libNAME${shared_ext} during linking hardcodes DIR into the
-# resulting binary.
-hardcode_direct=$hardcode_direct_RC
-
-# Set to yes if using the -LDIR flag during linking hardcodes DIR into the
-# resulting binary.
-hardcode_minus_L=$hardcode_minus_L_RC
-
-# Set to yes if using SHLIBPATH_VAR=DIR during linking hardcodes DIR into
-# the resulting binary.
-hardcode_shlibpath_var=$hardcode_shlibpath_var_RC
-
-# Set to yes if building a shared library automatically hardcodes DIR into the library
-# and all subsequent libraries and executables linked against it.
-hardcode_automatic=$hardcode_automatic_RC
-
-# Variables whose values should be saved in libtool wrapper scripts and
-# restored at relink time.
-variables_saved_for_relink="$variables_saved_for_relink"
-
-# Whether libtool must link a program against all its dependency libraries.
-link_all_deplibs=$link_all_deplibs_RC
-
-# Compile-time system search path for libraries
-sys_lib_search_path_spec=$lt_sys_lib_search_path_spec
-
-# Run-time system search path for libraries
-sys_lib_dlsearch_path_spec=$lt_sys_lib_dlsearch_path_spec
-
-# Fix the shell variable \$srcfile for the compiler.
-fix_srcfile_path=$lt_fix_srcfile_path
-
-# Set to yes if exported symbols are required.
-always_export_symbols=$always_export_symbols_RC
-
-# The commands to list exported symbols.
-export_symbols_cmds=$lt_export_symbols_cmds_RC
-
-# The commands to extract the exported symbol list from a shared archive.
-extract_expsyms_cmds=$lt_extract_expsyms_cmds
-
-# Symbols that should not be listed in the preloaded symbols.
-exclude_expsyms=$lt_exclude_expsyms_RC
-
-# Symbols that must always be exported.
-include_expsyms=$lt_include_expsyms_RC
-
-# ### END LIBTOOL TAG CONFIG: $tagname
-
-__EOF__
-
-
-else
-  # If there is no Makefile yet, we rely on a make rule to execute
-  # `config.status --recheck' to rerun these tests and create the
-  # libtool script then.
-  ltmain_in=`echo $ltmain | sed -e 's/\.sh$/.in/'`
-  if test -f "$ltmain_in"; then
-    test -f Makefile && make "$ltmain"
-  fi
-fi
-
-
-ac_ext=c
-ac_cpp='$CPP $CPPFLAGS'
-ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
-ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
-ac_compiler_gnu=$ac_cv_c_compiler_gnu
-
-CC="$lt_save_CC"
-
-	;;
-
-      *)
-	{ { echo "$as_me:$LINENO: error: Unsupported tag name: $tagname" >&5
-echo "$as_me: error: Unsupported tag name: $tagname" >&2;}
-   { (exit 1); exit 1; }; }
-	;;
+# The following way of writing the cache mishandles newlines in values,
+# but we know of no workaround that is simple, portable, and efficient.
+# So, we kill variables containing newlines.
+# Ultrix sh set writes to stderr and can't be redirected directly,
+# and sets the high bit in the cache file unless we assign to the vars.
+(
+  for ac_var in `(set) 2>&1 | sed -n 's/^\([a-zA-Z_][a-zA-Z0-9_]*\)=.*/\1/p'`; do
+    eval ac_val=\$$ac_var
+    case $ac_val in #(
+    *${as_nl}*)
+      case $ac_var in #(
+      *_cv_*) { echo "$as_me:$LINENO: WARNING: Cache variable $ac_var contains a newline." >&5
+echo "$as_me: WARNING: Cache variable $ac_var contains a newline." >&2;} ;;
       esac
-
-      # Append the new tag name to the list of available tags.
-      if test -n "$tagname" ; then
-      available_tags="$available_tags $tagname"
-    fi
-    fi
+      case $ac_var in #(
+      _ | IFS | as_nl) ;; #(
+      *) $as_unset $ac_var ;;
+      esac ;;
+    esac
   done
-  IFS="$lt_save_ifs"
 
-  # Now substitute the updated list of available tags.
-  if eval "sed -e 's/^available_tags=.*\$/available_tags=\"$available_tags\"/' \"$ofile\" > \"${ofile}T\""; then
-    mv "${ofile}T" "$ofile"
-    chmod +x "$ofile"
+  (set) 2>&1 |
+    case $as_nl`(ac_space=' '; set) 2>&1` in #(
+    *${as_nl}ac_space=\ *)
+      # `set' does not quote correctly, so add quotes (double-quote
+      # substitution turns \\\\ into \\, and sed turns \\ into \).
+      sed -n \
+	"s/'/'\\\\''/g;
+	  s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1='\\2'/p"
+      ;; #(
+    *)
+      # `set' quotes correctly as required by POSIX, so do not add quotes.
+      sed -n "/^[_$as_cr_alnum]*_cv_[_$as_cr_alnum]*=/p"
+      ;;
+    esac |
+    sort
+) |
+  sed '
+     /^ac_cv_env_/b end
+     t clear
+     :clear
+     s/^\([^=]*\)=\(.*[{}].*\)$/test "${\1+set}" = set || &/
+     t end
+     s/^\([^=]*\)=\(.*\)$/\1=${\1=\2}/
+     :end' >>confcache
+if diff "$cache_file" confcache >/dev/null 2>&1; then :; else
+  if test -w "$cache_file"; then
+    test "x$cache_file" != "x/dev/null" &&
+      { echo "$as_me:$LINENO: updating cache $cache_file" >&5
+echo "$as_me: updating cache $cache_file" >&6;}
+    cat confcache >$cache_file
   else
-    rm -f "${ofile}T"
-    { { echo "$as_me:$LINENO: error: unable to update list of available tagged configurations." >&5
-echo "$as_me: error: unable to update list of available tagged configurations." >&2;}
-   { (exit 1); exit 1; }; }
+    { echo "$as_me:$LINENO: not updating unwritable cache $cache_file" >&5
+echo "$as_me: not updating unwritable cache $cache_file" >&6;}
   fi
 fi
+rm -f confcache
 
+test "x$prefix" = xNONE && prefix=$ac_default_prefix
+# Let make expand exec_prefix.
+test "x$exec_prefix" = xNONE && exec_prefix='${prefix}'
 
-
-# This can be used to rebuild libtool when needed
-LIBTOOL_DEPS="$ac_aux_dir/ltmain.sh"
-
-# Always use our own libtool.
-LIBTOOL='$(SHELL) $(top_builddir)/libtool'
-
-# Prevent multiple expansion
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+# Transform confdefs.h into DEFS.
+# Protect against shell expansion while executing Makefile rules.
+# Protect against Makefile macro expansion.
+#
+# If the first sed substitution is executed (which looks for macros that
+# take arguments), then branch to the quote section.  Otherwise,
+# look for a macro that doesn't take arguments.
+ac_script='
+t clear
+:clear
+s/^[	 ]*#[	 ]*define[	 ][	 ]*\([^	 (][^	 (]*([^)]*)\)[	 ]*\(.*\)/-D\1=\2/g
+t quote
+s/^[	 ]*#[	 ]*define[	 ][	 ]*\([^	 ][^	 ]*\)[	 ]*\(.*\)/-D\1=\2/g
+t quote
+b any
+:quote
+s/[	 `~#$^&*(){}\\|;'\''"<>?]/\\&/g
+s/\[/\\&/g
+s/\]/\\&/g
+s/\$/$$/g
+H
+:any
+${
+	g
+	s/^\n//
+	s/\n/ /g
+	p
+}
+'
+DEFS=`sed -n "$ac_script" confdefs.h`
 
 
+ac_libobjs=
+ac_ltlibobjs=
+for ac_i in : $LIBOBJS; do test "x$ac_i" = x: && continue
+  # 1. Remove the extension, and $U if already installed.
+  ac_script='s/\$U\././;s/\.o$//;s/\.obj$//'
+  ac_i=`echo "$ac_i" | sed "$ac_script"`
+  # 2. Prepend LIBOBJDIR.  When used with automake>=1.10 LIBOBJDIR
+  #    will be set to the directory where LIBOBJS objects are built.
+  ac_libobjs="$ac_libobjs \${LIBOBJDIR}$ac_i\$U.$ac_objext"
+  ac_ltlibobjs="$ac_ltlibobjs \${LIBOBJDIR}$ac_i"'$U.lo'
+done
+LIBOBJS=$ac_libobjs
 
+LTLIBOBJS=$ac_ltlibobjs
 
-for ac_prog in flex lex
-do
-  # Extract the first word of "$ac_prog", so it can be a program name with args.
-set dummy $ac_prog; ac_word=$2
-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
-if test "${ac_cv_prog_LEX+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  if test -n "$LEX"; then
-  ac_cv_prog_LEX="$LEX" # Let the user override the test.
-else
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-    ac_cv_prog_LEX="$ac_prog"
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
-    break 2
-  fi
-done
-done
-IFS=$as_save_IFS
 
+if test -z "${AMDEP_TRUE}" && test -z "${AMDEP_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"AMDEP\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"AMDEP\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
 fi
+if test -z "${am__fastdepCC_TRUE}" && test -z "${am__fastdepCC_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"am__fastdepCC\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"am__fastdepCC\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
 fi
-LEX=$ac_cv_prog_LEX
-if test -n "$LEX"; then
-  { echo "$as_me:$LINENO: result: $LEX" >&5
-echo "${ECHO_T}$LEX" >&6; }
-else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
+if test -z "${am__fastdepCC_TRUE}" && test -z "${am__fastdepCC_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"am__fastdepCC\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"am__fastdepCC\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
 fi
-
-
-  test -n "$LEX" && break
-done
-test -n "$LEX" || LEX=":"
-
-if test "x$LEX" != "x:"; then
-  cat >conftest.l <<_ACEOF
-%%
-a { ECHO; }
-b { REJECT; }
-c { yymore (); }
-d { yyless (1); }
-e { yyless (input () != 0); }
-f { unput (yytext[0]); }
-. { BEGIN INITIAL; }
-%%
-#ifdef YYTEXT_POINTER
-extern char *yytext;
-#endif
-int
-main (void)
-{
-  return ! yylex () + ! yywrap ();
-}
-_ACEOF
-{ (ac_try="$LEX conftest.l"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$LEX conftest.l") 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }
-{ echo "$as_me:$LINENO: checking lex output file root" >&5
-echo $ECHO_N "checking lex output file root... $ECHO_C" >&6; }
-if test "${ac_cv_prog_lex_root+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-
-if test -f lex.yy.c; then
-  ac_cv_prog_lex_root=lex.yy
-elif test -f lexyy.c; then
-  ac_cv_prog_lex_root=lexyy
-else
-  { { echo "$as_me:$LINENO: error: cannot find output from $LEX; giving up" >&5
-echo "$as_me: error: cannot find output from $LEX; giving up" >&2;}
+if test -z "${USE_CURL_TRUE}" && test -z "${USE_CURL_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"USE_CURL\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"USE_CURL\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
    { (exit 1); exit 1; }; }
 fi
+if test -z "${USE_LDAP_TRUE}" && test -z "${USE_LDAP_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"USE_LDAP\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"USE_LDAP\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
 fi
-{ echo "$as_me:$LINENO: result: $ac_cv_prog_lex_root" >&5
-echo "${ECHO_T}$ac_cv_prog_lex_root" >&6; }
-LEX_OUTPUT_ROOT=$ac_cv_prog_lex_root
-
-if test -z "${LEXLIB+set}"; then
-  { echo "$as_me:$LINENO: checking lex library" >&5
-echo $ECHO_N "checking lex library... $ECHO_C" >&6; }
-if test "${ac_cv_lib_lex+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-
-    ac_save_LIBS=$LIBS
-    ac_cv_lib_lex='none needed'
-    for ac_lib in '' -lfl -ll; do
-      LIBS="$ac_lib $ac_save_LIBS"
-      cat >conftest.$ac_ext <<_ACEOF
-`cat $LEX_OUTPUT_ROOT.c`
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
-  ac_cv_lib_lex=$ac_lib
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-
+if test -z "${USE_AES_TRUE}" && test -z "${USE_AES_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"USE_AES\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"USE_AES\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
 fi
-
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
-      test "$ac_cv_lib_lex" != 'none needed' && break
-    done
-    LIBS=$ac_save_LIBS
-
+if test -z "${USE_DES_TRUE}" && test -z "${USE_DES_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"USE_DES\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"USE_DES\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
 fi
-{ echo "$as_me:$LINENO: result: $ac_cv_lib_lex" >&5
-echo "${ECHO_T}$ac_cv_lib_lex" >&6; }
-  test "$ac_cv_lib_lex" != 'none needed' && LEXLIB=$ac_cv_lib_lex
+if test -z "${USE_MD4_TRUE}" && test -z "${USE_MD4_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"USE_MD4\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"USE_MD4\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
 fi
-
-
-{ echo "$as_me:$LINENO: checking whether yytext is a pointer" >&5
-echo $ECHO_N "checking whether yytext is a pointer... $ECHO_C" >&6; }
-if test "${ac_cv_prog_lex_yytext_pointer+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  # POSIX says lex can declare yytext either as a pointer or an array; the
-# default is implementation-dependent.  Figure out which it is, since
-# not all implementations provide the %pointer and %array declarations.
-ac_cv_prog_lex_yytext_pointer=no
-ac_save_LIBS=$LIBS
-LIBS="$LEXLIB $ac_save_LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-#define YYTEXT_POINTER 1
-`cat $LEX_OUTPUT_ROOT.c`
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
-  ac_cv_prog_lex_yytext_pointer=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-
+if test -z "${USE_MD5_TRUE}" && test -z "${USE_MD5_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"USE_MD5\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"USE_MD5\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
 fi
-
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_save_LIBS
-
+if test -z "${USE_SHA1_TRUE}" && test -z "${USE_SHA1_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"USE_SHA1\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"USE_SHA1\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
 fi
-{ echo "$as_me:$LINENO: result: $ac_cv_prog_lex_yytext_pointer" >&5
-echo "${ECHO_T}$ac_cv_prog_lex_yytext_pointer" >&6; }
-if test $ac_cv_prog_lex_yytext_pointer = yes; then
-
-cat >>confdefs.h <<\_ACEOF
-#define YYTEXT_POINTER 1
-_ACEOF
-
+if test -z "${USE_SHA2_TRUE}" && test -z "${USE_SHA2_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"USE_SHA2\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"USE_SHA2\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
 fi
-rm -f conftest.l $LEX_OUTPUT_ROOT.c
-
+if test -z "${USE_FIPS_PRF_TRUE}" && test -z "${USE_FIPS_PRF_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"USE_FIPS_PRF\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"USE_FIPS_PRF\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
 fi
-for ac_prog in 'bison -y' byacc
-do
-  # Extract the first word of "$ac_prog", so it can be a program name with args.
-set dummy $ac_prog; ac_word=$2
-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
-if test "${ac_cv_prog_YACC+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  if test -n "$YACC"; then
-  ac_cv_prog_YACC="$YACC" # Let the user override the test.
-else
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-    ac_cv_prog_YACC="$ac_prog"
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
-    break 2
-  fi
-done
-done
-IFS=$as_save_IFS
-
+if test -z "${USE_GMP_TRUE}" && test -z "${USE_GMP_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"USE_GMP\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"USE_GMP\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
 fi
+if test -z "${USE_RANDOM_TRUE}" && test -z "${USE_RANDOM_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"USE_RANDOM\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"USE_RANDOM\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
 fi
-YACC=$ac_cv_prog_YACC
-if test -n "$YACC"; then
-  { echo "$as_me:$LINENO: result: $YACC" >&5
-echo "${ECHO_T}$YACC" >&6; }
-else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
+if test -z "${USE_X509_TRUE}" && test -z "${USE_X509_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"USE_X509\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"USE_X509\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
 fi
-
-
-  test -n "$YACC" && break
-done
-test -n "$YACC" || YACC="yacc"
-
-ac_ext=c
-ac_cpp='$CPP $CPPFLAGS'
-ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
-ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
-ac_compiler_gnu=$ac_cv_c_compiler_gnu
-if test -n "$ac_tool_prefix"; then
-  # Extract the first word of "${ac_tool_prefix}gcc", so it can be a program name with args.
-set dummy ${ac_tool_prefix}gcc; ac_word=$2
-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
-if test "${ac_cv_prog_CC+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  if test -n "$CC"; then
-  ac_cv_prog_CC="$CC" # Let the user override the test.
-else
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-    ac_cv_prog_CC="${ac_tool_prefix}gcc"
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
-    break 2
-  fi
-done
-done
-IFS=$as_save_IFS
-
+if test -z "${USE_PUBKEY_TRUE}" && test -z "${USE_PUBKEY_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"USE_PUBKEY\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"USE_PUBKEY\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
 fi
+if test -z "${USE_HMAC_TRUE}" && test -z "${USE_HMAC_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"USE_HMAC\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"USE_HMAC\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
 fi
-CC=$ac_cv_prog_CC
-if test -n "$CC"; then
-  { echo "$as_me:$LINENO: result: $CC" >&5
-echo "${ECHO_T}$CC" >&6; }
-else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
+if test -z "${USE_XCBC_TRUE}" && test -z "${USE_XCBC_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"USE_XCBC\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"USE_XCBC\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
 fi
-
-
+if test -z "${USE_MYSQL_TRUE}" && test -z "${USE_MYSQL_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"USE_MYSQL\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"USE_MYSQL\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
 fi
-if test -z "$ac_cv_prog_CC"; then
-  ac_ct_CC=$CC
-  # Extract the first word of "gcc", so it can be a program name with args.
-set dummy gcc; ac_word=$2
-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
-if test "${ac_cv_prog_ac_ct_CC+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  if test -n "$ac_ct_CC"; then
-  ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test.
-else
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-    ac_cv_prog_ac_ct_CC="gcc"
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
-    break 2
-  fi
-done
-done
-IFS=$as_save_IFS
-
+if test -z "${USE_SQLITE_TRUE}" && test -z "${USE_SQLITE_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"USE_SQLITE\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"USE_SQLITE\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
 fi
+if test -z "${USE_PADLOCK_TRUE}" && test -z "${USE_PADLOCK_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"USE_PADLOCK\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"USE_PADLOCK\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
 fi
-ac_ct_CC=$ac_cv_prog_ac_ct_CC
-if test -n "$ac_ct_CC"; then
-  { echo "$as_me:$LINENO: result: $ac_ct_CC" >&5
-echo "${ECHO_T}$ac_ct_CC" >&6; }
-else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
+if test -z "${USE_OPENSSL_TRUE}" && test -z "${USE_OPENSSL_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"USE_OPENSSL\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"USE_OPENSSL\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
 fi
-
-  if test "x$ac_ct_CC" = x; then
-    CC=""
-  else
-    case $cross_compiling:$ac_tool_warned in
-yes:)
-{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
-whose name does not start with the host triplet.  If you think this
-configuration is useful to you, please write to autoconf@gnu.org." >&5
-echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
-whose name does not start with the host triplet.  If you think this
-configuration is useful to you, please write to autoconf@gnu.org." >&2;}
-ac_tool_warned=yes ;;
-esac
-    CC=$ac_ct_CC
-  fi
-else
-  CC="$ac_cv_prog_CC"
+if test -z "${USE_AGENT_TRUE}" && test -z "${USE_AGENT_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"USE_AGENT\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"USE_AGENT\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
 fi
-
-if test -z "$CC"; then
-          if test -n "$ac_tool_prefix"; then
-    # Extract the first word of "${ac_tool_prefix}cc", so it can be a program name with args.
-set dummy ${ac_tool_prefix}cc; ac_word=$2
-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
-if test "${ac_cv_prog_CC+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  if test -n "$CC"; then
-  ac_cv_prog_CC="$CC" # Let the user override the test.
-else
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-    ac_cv_prog_CC="${ac_tool_prefix}cc"
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
-    break 2
-  fi
-done
-done
-IFS=$as_save_IFS
-
+if test -z "${USE_STROKE_TRUE}" && test -z "${USE_STROKE_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"USE_STROKE\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"USE_STROKE\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
 fi
+if test -z "${USE_MEDSRV_TRUE}" && test -z "${USE_MEDSRV_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"USE_MEDSRV\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"USE_MEDSRV\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
 fi
-CC=$ac_cv_prog_CC
-if test -n "$CC"; then
-  { echo "$as_me:$LINENO: result: $CC" >&5
-echo "${ECHO_T}$CC" >&6; }
-else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
+if test -z "${USE_MEDCLI_TRUE}" && test -z "${USE_MEDCLI_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"USE_MEDCLI\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"USE_MEDCLI\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
 fi
-
-
-  fi
+if test -z "${USE_NM_TRUE}" && test -z "${USE_NM_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"USE_NM\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"USE_NM\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
 fi
-if test -z "$CC"; then
-  # Extract the first word of "cc", so it can be a program name with args.
-set dummy cc; ac_word=$2
-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
-if test "${ac_cv_prog_CC+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  if test -n "$CC"; then
-  ac_cv_prog_CC="$CC" # Let the user override the test.
-else
-  ac_prog_rejected=no
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-    if test "$as_dir/$ac_word$ac_exec_ext" = "/usr/ucb/cc"; then
-       ac_prog_rejected=yes
-       continue
-     fi
-    ac_cv_prog_CC="cc"
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
-    break 2
-  fi
-done
-done
-IFS=$as_save_IFS
-
-if test $ac_prog_rejected = yes; then
-  # We found a bogon in the path, so make sure we never use it.
-  set dummy $ac_cv_prog_CC
-  shift
-  if test $# != 0; then
-    # We chose a different compiler from the bogus one.
-    # However, it has the same basename, so the bogon will be chosen
-    # first if we set CC to just the basename; use the full file name.
-    shift
-    ac_cv_prog_CC="$as_dir/$ac_word${1+' '}$@"
-  fi
+if test -z "${USE_UCI_TRUE}" && test -z "${USE_UCI_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"USE_UCI\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"USE_UCI\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
 fi
+if test -z "${USE_SMP_TRUE}" && test -z "${USE_SMP_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"USE_SMP\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"USE_SMP\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
 fi
+if test -z "${USE_SQL_TRUE}" && test -z "${USE_SQL_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"USE_SQL\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"USE_SQL\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
 fi
-CC=$ac_cv_prog_CC
-if test -n "$CC"; then
-  { echo "$as_me:$LINENO: result: $CC" >&5
-echo "${ECHO_T}$CC" >&6; }
-else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
+if test -z "${USE_UPDOWN_TRUE}" && test -z "${USE_UPDOWN_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"USE_UPDOWN\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"USE_UPDOWN\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
 fi
-
-
+if test -z "${USE_UNIT_TESTS_TRUE}" && test -z "${USE_UNIT_TESTS_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"USE_UNIT_TESTS\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"USE_UNIT_TESTS\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
 fi
-if test -z "$CC"; then
-  if test -n "$ac_tool_prefix"; then
-  for ac_prog in cl.exe
-  do
-    # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args.
-set dummy $ac_tool_prefix$ac_prog; ac_word=$2
-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
-if test "${ac_cv_prog_CC+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  if test -n "$CC"; then
-  ac_cv_prog_CC="$CC" # Let the user override the test.
-else
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-    ac_cv_prog_CC="$ac_tool_prefix$ac_prog"
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
-    break 2
-  fi
-done
-done
-IFS=$as_save_IFS
-
+if test -z "${USE_LOAD_TESTS_TRUE}" && test -z "${USE_LOAD_TESTS_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"USE_LOAD_TESTS\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"USE_LOAD_TESTS\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
 fi
+if test -z "${USE_EAP_SIM_TRUE}" && test -z "${USE_EAP_SIM_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"USE_EAP_SIM\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"USE_EAP_SIM\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
 fi
-CC=$ac_cv_prog_CC
-if test -n "$CC"; then
-  { echo "$as_me:$LINENO: result: $CC" >&5
-echo "${ECHO_T}$CC" >&6; }
-else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
+if test -z "${USE_EAP_SIM_FILE_TRUE}" && test -z "${USE_EAP_SIM_FILE_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"USE_EAP_SIM_FILE\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"USE_EAP_SIM_FILE\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
 fi
-
-
-    test -n "$CC" && break
-  done
+if test -z "${USE_EAP_IDENTITY_TRUE}" && test -z "${USE_EAP_IDENTITY_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"USE_EAP_IDENTITY\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"USE_EAP_IDENTITY\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
 fi
-if test -z "$CC"; then
-  ac_ct_CC=$CC
-  for ac_prog in cl.exe
-do
-  # Extract the first word of "$ac_prog", so it can be a program name with args.
-set dummy $ac_prog; ac_word=$2
-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
-if test "${ac_cv_prog_ac_ct_CC+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  if test -n "$ac_ct_CC"; then
-  ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test.
-else
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-    ac_cv_prog_ac_ct_CC="$ac_prog"
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
-    break 2
-  fi
-done
-done
-IFS=$as_save_IFS
-
+if test -z "${USE_EAP_MD5_TRUE}" && test -z "${USE_EAP_MD5_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"USE_EAP_MD5\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"USE_EAP_MD5\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
 fi
+if test -z "${USE_EAP_GTC_TRUE}" && test -z "${USE_EAP_GTC_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"USE_EAP_GTC\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"USE_EAP_GTC\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
 fi
-ac_ct_CC=$ac_cv_prog_ac_ct_CC
-if test -n "$ac_ct_CC"; then
-  { echo "$as_me:$LINENO: result: $ac_ct_CC" >&5
-echo "${ECHO_T}$ac_ct_CC" >&6; }
-else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
+if test -z "${USE_EAP_AKA_TRUE}" && test -z "${USE_EAP_AKA_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"USE_EAP_AKA\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"USE_EAP_AKA\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
+fi
+if test -z "${USE_EAP_MSCHAPV2_TRUE}" && test -z "${USE_EAP_MSCHAPV2_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"USE_EAP_MSCHAPV2\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"USE_EAP_MSCHAPV2\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
+fi
+if test -z "${USE_KERNEL_NETLINK_TRUE}" && test -z "${USE_KERNEL_NETLINK_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"USE_KERNEL_NETLINK\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"USE_KERNEL_NETLINK\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
+fi
+if test -z "${USE_KERNEL_PFKEY_TRUE}" && test -z "${USE_KERNEL_PFKEY_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"USE_KERNEL_PFKEY\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"USE_KERNEL_PFKEY\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
+fi
+if test -z "${USE_KERNEL_KLIPS_TRUE}" && test -z "${USE_KERNEL_KLIPS_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"USE_KERNEL_KLIPS\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"USE_KERNEL_KLIPS\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
+fi
+if test -z "${USE_SMARTCARD_TRUE}" && test -z "${USE_SMARTCARD_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"USE_SMARTCARD\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"USE_SMARTCARD\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
+fi
+if test -z "${USE_CISCO_QUIRKS_TRUE}" && test -z "${USE_CISCO_QUIRKS_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"USE_CISCO_QUIRKS\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"USE_CISCO_QUIRKS\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
+fi
+if test -z "${USE_LEAK_DETECTIVE_TRUE}" && test -z "${USE_LEAK_DETECTIVE_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"USE_LEAK_DETECTIVE\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"USE_LEAK_DETECTIVE\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
+fi
+if test -z "${USE_LOCK_PROFILER_TRUE}" && test -z "${USE_LOCK_PROFILER_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"USE_LOCK_PROFILER\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"USE_LOCK_PROFILER\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
+fi
+if test -z "${USE_NAT_TRANSPORT_TRUE}" && test -z "${USE_NAT_TRANSPORT_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"USE_NAT_TRANSPORT\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"USE_NAT_TRANSPORT\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
+fi
+if test -z "${USE_VENDORID_TRUE}" && test -z "${USE_VENDORID_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"USE_VENDORID\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"USE_VENDORID\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
+fi
+if test -z "${USE_XAUTH_VID_TRUE}" && test -z "${USE_XAUTH_VID_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"USE_XAUTH_VID\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"USE_XAUTH_VID\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
+fi
+if test -z "${USE_DUMM_TRUE}" && test -z "${USE_DUMM_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"USE_DUMM\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"USE_DUMM\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
+fi
+if test -z "${USE_FAST_TRUE}" && test -z "${USE_FAST_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"USE_FAST\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"USE_FAST\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
+fi
+if test -z "${USE_MANAGER_TRUE}" && test -z "${USE_MANAGER_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"USE_MANAGER\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"USE_MANAGER\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
+fi
+if test -z "${USE_ME_TRUE}" && test -z "${USE_ME_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"USE_ME\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"USE_ME\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
+fi
+if test -z "${USE_INTEGRITY_TEST_TRUE}" && test -z "${USE_INTEGRITY_TEST_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"USE_INTEGRITY_TEST\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"USE_INTEGRITY_TEST\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
+fi
+if test -z "${USE_SELF_TEST_TRUE}" && test -z "${USE_SELF_TEST_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"USE_SELF_TEST\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"USE_SELF_TEST\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
+fi
+if test -z "${USE_CAPABILITIES_TRUE}" && test -z "${USE_CAPABILITIES_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"USE_CAPABILITIES\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"USE_CAPABILITIES\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
+fi
+if test -z "${USE_PLUTO_TRUE}" && test -z "${USE_PLUTO_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"USE_PLUTO\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"USE_PLUTO\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
+fi
+if test -z "${USE_THREADS_TRUE}" && test -z "${USE_THREADS_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"USE_THREADS\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"USE_THREADS\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
+fi
+if test -z "${USE_CHARON_TRUE}" && test -z "${USE_CHARON_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"USE_CHARON\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"USE_CHARON\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
+fi
+if test -z "${USE_TOOLS_TRUE}" && test -z "${USE_TOOLS_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"USE_TOOLS\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"USE_TOOLS\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
+fi
+if test -z "${USE_LIBSTRONGSWAN_TRUE}" && test -z "${USE_LIBSTRONGSWAN_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"USE_LIBSTRONGSWAN\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"USE_LIBSTRONGSWAN\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
+fi
+if test -z "${USE_FILE_CONFIG_TRUE}" && test -z "${USE_FILE_CONFIG_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"USE_FILE_CONFIG\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"USE_FILE_CONFIG\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
 fi
 
-
-  test -n "$ac_ct_CC" && break
-done
-
-  if test "x$ac_ct_CC" = x; then
-    CC=""
-  else
-    case $cross_compiling:$ac_tool_warned in
-yes:)
-{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
-whose name does not start with the host triplet.  If you think this
-configuration is useful to you, please write to autoconf@gnu.org." >&5
-echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
-whose name does not start with the host triplet.  If you think this
-configuration is useful to you, please write to autoconf@gnu.org." >&2;}
-ac_tool_warned=yes ;;
+: ${CONFIG_STATUS=./config.status}
+ac_clean_files_save=$ac_clean_files
+ac_clean_files="$ac_clean_files $CONFIG_STATUS"
+{ echo "$as_me:$LINENO: creating $CONFIG_STATUS" >&5
+echo "$as_me: creating $CONFIG_STATUS" >&6;}
+cat >$CONFIG_STATUS <<_ACEOF
+#! $SHELL
+# Generated by $as_me.
+# Run this file to recreate the current configuration.
+# Compiler output produced by configure, useful for debugging
+# configure, is in config.log if it exists.
+
+debug=false
+ac_cs_recheck=false
+ac_cs_silent=false
+SHELL=\${CONFIG_SHELL-$SHELL}
+_ACEOF
+
+cat >>$CONFIG_STATUS <<\_ACEOF
+## --------------------- ##
+## M4sh Initialization.  ##
+## --------------------- ##
+
+# Be more Bourne compatible
+DUALCASE=1; export DUALCASE # for MKS sh
+if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
+  emulate sh
+  NULLCMD=:
+  # Zsh 3.x and 4.x performs word splitting on ${1+"$@"}, which
+  # is contrary to our usage.  Disable this feature.
+  alias -g '${1+"$@"}'='"$@"'
+  setopt NO_GLOB_SUBST
+else
+  case `(set -o) 2>/dev/null` in
+  *posix*) set -o posix ;;
 esac
-    CC=$ac_ct_CC
+
+fi
+
+
+
+
+# PATH needs CR
+# Avoid depending upon Character Ranges.
+as_cr_letters='abcdefghijklmnopqrstuvwxyz'
+as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ'
+as_cr_Letters=$as_cr_letters$as_cr_LETTERS
+as_cr_digits='0123456789'
+as_cr_alnum=$as_cr_Letters$as_cr_digits
+
+# The user is always right.
+if test "${PATH_SEPARATOR+set}" != set; then
+  echo "#! /bin/sh" >conf$$.sh
+  echo  "exit 0"   >>conf$$.sh
+  chmod +x conf$$.sh
+  if (PATH="/nonexistent;."; conf$$.sh) >/dev/null 2>&1; then
+    PATH_SEPARATOR=';'
+  else
+    PATH_SEPARATOR=:
   fi
+  rm -f conf$$.sh
 fi
 
+# Support unset when possible.
+if ( (MAIL=60; unset MAIL) || exit) >/dev/null 2>&1; then
+  as_unset=unset
+else
+  as_unset=false
 fi
 
 
-test -z "$CC" && { { echo "$as_me:$LINENO: error: no acceptable C compiler found in \$PATH
-See \`config.log' for more details." >&5
-echo "$as_me: error: no acceptable C compiler found in \$PATH
-See \`config.log' for more details." >&2;}
-   { (exit 1); exit 1; }; }
+# IFS
+# We need space, tab and new line, in precisely that order.  Quoting is
+# there to prevent editors from complaining about space-tab.
+# (If _AS_PATH_WALK were called with IFS unset, it would disable word
+# splitting by setting IFS to empty value.)
+as_nl='
+'
+IFS=" ""	$as_nl"
 
-# Provide some information about the compiler.
-echo "$as_me:$LINENO: checking for C compiler version" >&5
-ac_compiler=`set X $ac_compile; echo $2`
-{ (ac_try="$ac_compiler --version >&5"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_compiler --version >&5") 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }
-{ (ac_try="$ac_compiler -v >&5"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_compiler -v >&5") 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }
-{ (ac_try="$ac_compiler -V >&5"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
+# Find who we are.  Look in the path if we contain no directory separator.
+case $0 in
+  *[\\/]* ) as_myself=$0 ;;
+  *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+  test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break
+done
+IFS=$as_save_IFS
+
+     ;;
 esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_compiler -V >&5") 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }
+# We did not find ourselves, most probably we were run as `sh COMMAND'
+# in which case we are not to be found in the path.
+if test "x$as_myself" = x; then
+  as_myself=$0
+fi
+if test ! -f "$as_myself"; then
+  echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2
+  { (exit 1); exit 1; }
+fi
 
-{ echo "$as_me:$LINENO: checking whether we are using the GNU C compiler" >&5
-echo $ECHO_N "checking whether we are using the GNU C compiler... $ECHO_C" >&6; }
-if test "${ac_cv_c_compiler_gnu+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
+# Work around bugs in pre-3.0 UWIN ksh.
+for as_var in ENV MAIL MAILPATH
+do ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var
+done
+PS1='$ '
+PS2='> '
+PS4='+ '
 
-int
-main ()
-{
-#ifndef __GNUC__
-       choke me
-#endif
+# NLS nuisances.
+for as_var in \
+  LANG LANGUAGE LC_ADDRESS LC_ALL LC_COLLATE LC_CTYPE LC_IDENTIFICATION \
+  LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER \
+  LC_TELEPHONE LC_TIME
+do
+  if (set +x; test -z "`(eval $as_var=C; export $as_var) 2>&1`"); then
+    eval $as_var=C; export $as_var
+  else
+    ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var
+  fi
+done
 
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  ac_compiler_gnu=yes
+# Required to use basename.
+if expr a : '\(a\)' >/dev/null 2>&1 &&
+   test "X`expr 00001 : '.*\(...\)'`" = X001; then
+  as_expr=expr
 else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_compiler_gnu=no
+  as_expr=false
 fi
 
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-ac_cv_c_compiler_gnu=$ac_compiler_gnu
-
-fi
-{ echo "$as_me:$LINENO: result: $ac_cv_c_compiler_gnu" >&5
-echo "${ECHO_T}$ac_cv_c_compiler_gnu" >&6; }
-GCC=`test $ac_compiler_gnu = yes && echo yes`
-ac_test_CFLAGS=${CFLAGS+set}
-ac_save_CFLAGS=$CFLAGS
-{ echo "$as_me:$LINENO: checking whether $CC accepts -g" >&5
-echo $ECHO_N "checking whether $CC accepts -g... $ECHO_C" >&6; }
-if test "${ac_cv_prog_cc_g+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+if (basename -- /) >/dev/null 2>&1 && test "X`basename -- / 2>&1`" = "X/"; then
+  as_basename=basename
 else
-  ac_save_c_werror_flag=$ac_c_werror_flag
-   ac_c_werror_flag=yes
-   ac_cv_prog_cc_g=no
-   CFLAGS="-g"
-   cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-int
-main ()
-{
+  as_basename=false
+fi
 
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  ac_cv_prog_cc_g=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
 
-	CFLAGS=""
-      cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
+# Name of the executable.
+as_me=`$as_basename -- "$0" ||
+$as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \
+	 X"$0" : 'X\(//\)$' \| \
+	 X"$0" : 'X\(/\)' \| . 2>/dev/null ||
+echo X/"$0" |
+    sed '/^.*\/\([^/][^/]*\)\/*$/{
+	    s//\1/
+	    q
+	  }
+	  /^X\/\(\/\/\)$/{
+	    s//\1/
+	    q
+	  }
+	  /^X\/\(\/\).*/{
+	    s//\1/
+	    q
+	  }
+	  s/.*/./; q'`
 
-int
-main ()
-{
+# CDPATH.
+$as_unset CDPATH
 
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  :
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
 
-	ac_c_werror_flag=$ac_save_c_werror_flag
-	 CFLAGS="-g"
-	 cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 
-int
-main ()
-{
+  as_lineno_1=$LINENO
+  as_lineno_2=$LINENO
+  test "x$as_lineno_1" != "x$as_lineno_2" &&
+  test "x`expr $as_lineno_1 + 1`" = "x$as_lineno_2" || {
 
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  ac_cv_prog_cc_g=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+  # Create $as_me.lineno as a copy of $as_myself, but with $LINENO
+  # uniformly replaced by the line number.  The first 'sed' inserts a
+  # line-number line after each line using $LINENO; the second 'sed'
+  # does the real work.  The second script uses 'N' to pair each
+  # line-number line with the line containing $LINENO, and appends
+  # trailing '-' during substitution so that $LINENO is not a special
+  # case at line end.
+  # (Raja R Harinath suggested sed '=', and Paul Eggert wrote the
+  # scripts with optimization help from Paolo Bonzini.  Blame Lee
+  # E. McMahon (1931-1989) for sed's syntax.  :-)
+  sed -n '
+    p
+    /[$]LINENO/=
+  ' <$as_myself |
+    sed '
+      s/[$]LINENO.*/&-/
+      t lineno
+      b
+      :lineno
+      N
+      :loop
+      s/[$]LINENO\([^'$as_cr_alnum'_].*\n\)\(.*\)/\2\1\2/
+      t loop
+      s/-\n.*//
+    ' >$as_me.lineno &&
+  chmod +x "$as_me.lineno" ||
+    { echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2
+   { (exit 1); exit 1; }; }
+
+  # Don't try to exec as it changes $[0], causing all sort of problems
+  # (the dirname of $[0] is not the place where we might find the
+  # original and so on.  Autoconf is especially sensitive to this).
+  . "./$as_me.lineno"
+  # Exit status is that of the last command.
+  exit
+}
 
 
+if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then
+  as_dirname=dirname
+else
+  as_dirname=false
 fi
 
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+ECHO_C= ECHO_N= ECHO_T=
+case `echo -n x` in
+-n*)
+  case `echo 'x\c'` in
+  *c*) ECHO_T='	';;	# ECHO_T is single tab character.
+  *)   ECHO_C='\c';;
+  esac;;
+*)
+  ECHO_N='-n';;
+esac
+
+if expr a : '\(a\)' >/dev/null 2>&1 &&
+   test "X`expr 00001 : '.*\(...\)'`" = X001; then
+  as_expr=expr
+else
+  as_expr=false
 fi
 
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+rm -f conf$$ conf$$.exe conf$$.file
+if test -d conf$$.dir; then
+  rm -f conf$$.dir/conf$$.file
+else
+  rm -f conf$$.dir
+  mkdir conf$$.dir
+fi
+echo >conf$$.file
+if ln -s conf$$.file conf$$ 2>/dev/null; then
+  as_ln_s='ln -s'
+  # ... but there are two gotchas:
+  # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail.
+  # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable.
+  # In both cases, we have to default to `cp -p'.
+  ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe ||
+    as_ln_s='cp -p'
+elif ln conf$$.file conf$$ 2>/dev/null; then
+  as_ln_s=ln
+else
+  as_ln_s='cp -p'
 fi
+rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file
+rmdir conf$$.dir 2>/dev/null
 
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-   ac_c_werror_flag=$ac_save_c_werror_flag
+if mkdir -p . 2>/dev/null; then
+  as_mkdir_p=:
+else
+  test -d ./-p && rmdir ./-p
+  as_mkdir_p=false
 fi
-{ echo "$as_me:$LINENO: result: $ac_cv_prog_cc_g" >&5
-echo "${ECHO_T}$ac_cv_prog_cc_g" >&6; }
-if test "$ac_test_CFLAGS" = set; then
-  CFLAGS=$ac_save_CFLAGS
-elif test $ac_cv_prog_cc_g = yes; then
-  if test "$GCC" = yes; then
-    CFLAGS="-g -O2"
-  else
-    CFLAGS="-g"
-  fi
+
+if test -x / >/dev/null 2>&1; then
+  as_test_x='test -x'
 else
-  if test "$GCC" = yes; then
-    CFLAGS="-O2"
+  if ls -dL / >/dev/null 2>&1; then
+    as_ls_L_option=L
   else
-    CFLAGS=
+    as_ls_L_option=
   fi
+  as_test_x='
+    eval sh -c '\''
+      if test -d "$1"; then
+        test -d "$1/.";
+      else
+	case $1 in
+        -*)set "./$1";;
+	esac;
+	case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in
+	???[sx]*):;;*)false;;esac;fi
+    '\'' sh
+  '
 fi
-{ echo "$as_me:$LINENO: checking for $CC option to accept ISO C89" >&5
-echo $ECHO_N "checking for $CC option to accept ISO C89... $ECHO_C" >&6; }
-if test "${ac_cv_prog_cc_c89+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  ac_cv_prog_cc_c89=no
-ac_save_CC=$CC
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#include <stdarg.h>
-#include <stdio.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-/* Most of the following tests are stolen from RCS 5.7's src/conf.sh.  */
-struct buf { int x; };
-FILE * (*rcsopen) (struct buf *, struct stat *, int);
-static char *e (p, i)
-     char **p;
-     int i;
-{
-  return p[i];
-}
-static char *f (char * (*g) (char **, int), char **p, ...)
-{
-  char *s;
-  va_list v;
-  va_start (v,p);
-  s = g (p, va_arg (v,int));
-  va_end (v);
-  return s;
-}
+as_executable_p=$as_test_x
 
-/* OSF 4.0 Compaq cc is some sort of almost-ANSI by default.  It has
-   function prototypes and stuff, but not '\xHH' hex character constants.
-   These don't provoke an error unfortunately, instead are silently treated
-   as 'x'.  The following induces an error, until -std is added to get
-   proper ANSI mode.  Curiously '\x00'!='x' always comes out true, for an
-   array size at least.  It's necessary to write '\x00'==0 to get something
-   that's true only with -std.  */
-int osf4_cc_array ['\x00' == 0 ? 1 : -1];
+# Sed expression to map a string onto a valid CPP name.
+as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'"
 
-/* IBM C 6 for AIX is almost-ANSI by default, but it replaces macro parameters
-   inside strings and character constants.  */
-#define FOO(x) 'x'
-int xlc6_cc_array[FOO(a) == 'x' ? 1 : -1];
+# Sed expression to map a string onto a valid variable name.
+as_tr_sh="eval sed 'y%*+%pp%;s%[^_$as_cr_alnum]%_%g'"
 
-int test (int i, double x);
-struct s1 {int (*f) (int a);};
-struct s2 {int (*f) (double a);};
-int pairnames (int, char **, FILE *(*)(struct buf *, struct stat *, int), int, int);
-int argc;
-char **argv;
-int
-main ()
-{
-return f (e, argv, 0) != argv[0]  ||  f (e, argv, 1) != argv[1];
-  ;
-  return 0;
-}
-_ACEOF
-for ac_arg in '' -qlanglvl=extc89 -qlanglvl=ansi -std \
-	-Ae "-Aa -D_HPUX_SOURCE" "-Xc -D__EXTENSIONS__"
-do
-  CC="$ac_save_CC $ac_arg"
-  rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  ac_cv_prog_cc_c89=$ac_arg
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
 
+exec 6>&1
 
-fi
+# Save the log message, to keep $[0] and so on meaningful, and to
+# report actual input values of CONFIG_FILES etc. instead of their
+# values after options handling.
+ac_log="
+This file was extended by strongSwan $as_me 4.2.12, which was
+generated by GNU Autoconf 2.61.  Invocation command line was
 
-rm -f core conftest.err conftest.$ac_objext
-  test "x$ac_cv_prog_cc_c89" != "xno" && break
-done
-rm -f conftest.$ac_ext
-CC=$ac_save_CC
+  CONFIG_FILES    = $CONFIG_FILES
+  CONFIG_HEADERS  = $CONFIG_HEADERS
+  CONFIG_LINKS    = $CONFIG_LINKS
+  CONFIG_COMMANDS = $CONFIG_COMMANDS
+  $ $0 $@
 
-fi
-# AC_CACHE_VAL
-case "x$ac_cv_prog_cc_c89" in
-  x)
-    { echo "$as_me:$LINENO: result: none needed" >&5
-echo "${ECHO_T}none needed" >&6; } ;;
-  xno)
-    { echo "$as_me:$LINENO: result: unsupported" >&5
-echo "${ECHO_T}unsupported" >&6; } ;;
-  *)
-    CC="$CC $ac_cv_prog_cc_c89"
-    { echo "$as_me:$LINENO: result: $ac_cv_prog_cc_c89" >&5
-echo "${ECHO_T}$ac_cv_prog_cc_c89" >&6; } ;;
-esac
+on `(hostname || uname -n) 2>/dev/null | sed 1q`
+"
 
+_ACEOF
 
-ac_ext=c
-ac_cpp='$CPP $CPPFLAGS'
-ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
-ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
-ac_compiler_gnu=$ac_cv_c_compiler_gnu
-
-depcc="$CC"   am_compiler_list=
+cat >>$CONFIG_STATUS <<_ACEOF
+# Files that config.status was made for.
+config_files="$ac_config_files"
+config_commands="$ac_config_commands"
 
-{ echo "$as_me:$LINENO: checking dependency style of $depcc" >&5
-echo $ECHO_N "checking dependency style of $depcc... $ECHO_C" >&6; }
-if test "${am_cv_CC_dependencies_compiler_type+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  if test -z "$AMDEP_TRUE" && test -f "$am_depcomp"; then
-  # We make a subdir and do the tests there.  Otherwise we can end up
-  # making bogus files that we don't know about and never remove.  For
-  # instance it was reported that on HP-UX the gcc test will end up
-  # making a dummy file named `D' -- because `-MD' means `put the output
-  # in D'.
-  mkdir conftest.dir
-  # Copy depcomp to subdir because otherwise we won't find it if we're
-  # using a relative directory.
-  cp "$am_depcomp" conftest.dir
-  cd conftest.dir
-  # We will build objects and dependencies in a subdirectory because
-  # it helps to detect inapplicable dependency modes.  For instance
-  # both Tru64's cc and ICC support -MD to output dependencies as a
-  # side effect of compilation, but ICC will put the dependencies in
-  # the current directory while Tru64 will put them in the object
-  # directory.
-  mkdir sub
+_ACEOF
 
-  am_cv_CC_dependencies_compiler_type=none
-  if test "$am_compiler_list" = ""; then
-     am_compiler_list=`sed -n 's/^#*\([a-zA-Z0-9]*\))$/\1/p' < ./depcomp`
-  fi
-  for depmode in $am_compiler_list; do
-    # Setup a source with many dependencies, because some compilers
-    # like to wrap large dependency lists on column 80 (with \), and
-    # we should not choose a depcomp mode which is confused by this.
-    #
-    # We need to recreate these files for each test, as the compiler may
-    # overwrite some of them when testing with obscure command lines.
-    # This happens at least with the AIX C compiler.
-    : > sub/conftest.c
-    for i in 1 2 3 4 5 6; do
-      echo '#include "conftst'$i'.h"' >> sub/conftest.c
-      # Using `: > sub/conftst$i.h' creates only sub/conftst1.h with
-      # Solaris 8's {/usr,}/bin/sh.
-      touch sub/conftst$i.h
-    done
-    echo "${am__include} ${am__quote}sub/conftest.Po${am__quote}" > confmf
+cat >>$CONFIG_STATUS <<\_ACEOF
+ac_cs_usage="\
+\`$as_me' instantiates files from templates according to the
+current configuration.
 
-    case $depmode in
-    nosideeffect)
-      # after this tag, mechanisms are not by side-effect, so they'll
-      # only be used when explicitly requested
-      if test "x$enable_dependency_tracking" = xyes; then
-	continue
-      else
-	break
-      fi
-      ;;
-    none) break ;;
-    esac
-    # We check with `-c' and `-o' for the sake of the "dashmstdout"
-    # mode.  It turns out that the SunPro C++ compiler does not properly
-    # handle `-M -o', and we need to detect this.
-    if depmode=$depmode \
-       source=sub/conftest.c object=sub/conftest.${OBJEXT-o} \
-       depfile=sub/conftest.Po tmpdepfile=sub/conftest.TPo \
-       $SHELL ./depcomp $depcc -c -o sub/conftest.${OBJEXT-o} sub/conftest.c \
-         >/dev/null 2>conftest.err &&
-       grep sub/conftst1.h sub/conftest.Po > /dev/null 2>&1 &&
-       grep sub/conftst6.h sub/conftest.Po > /dev/null 2>&1 &&
-       grep sub/conftest.${OBJEXT-o} sub/conftest.Po > /dev/null 2>&1 &&
-       ${MAKE-make} -s -f confmf > /dev/null 2>&1; then
-      # icc doesn't choke on unknown options, it will just issue warnings
-      # or remarks (even with -Werror).  So we grep stderr for any message
-      # that says an option was ignored or not supported.
-      # When given -MP, icc 7.0 and 7.1 complain thusly:
-      #   icc: Command line warning: ignoring option '-M'; no argument required
-      # The diagnosis changed in icc 8.0:
-      #   icc: Command line remark: option '-MP' not supported
-      if (grep 'ignoring option' conftest.err ||
-          grep 'not supported' conftest.err) >/dev/null 2>&1; then :; else
-        am_cv_CC_dependencies_compiler_type=$depmode
-        break
-      fi
-    fi
-  done
+Usage: $0 [OPTIONS] [FILE]...
 
-  cd ..
-  rm -rf conftest.dir
-else
-  am_cv_CC_dependencies_compiler_type=none
-fi
+  -h, --help       print this help, then exit
+  -V, --version    print version number and configuration settings, then exit
+  -q, --quiet      do not print progress messages
+  -d, --debug      don't remove temporary files
+      --recheck    update $as_me by reconfiguring in the same conditions
+  --file=FILE[:TEMPLATE]
+		   instantiate the configuration file FILE
 
-fi
-{ echo "$as_me:$LINENO: result: $am_cv_CC_dependencies_compiler_type" >&5
-echo "${ECHO_T}$am_cv_CC_dependencies_compiler_type" >&6; }
-CCDEPMODE=depmode=$am_cv_CC_dependencies_compiler_type
+Configuration files:
+$config_files
 
- if
-  test "x$enable_dependency_tracking" != xno \
-  && test "$am_cv_CC_dependencies_compiler_type" = gcc3; then
-  am__fastdepCC_TRUE=
-  am__fastdepCC_FALSE='#'
-else
-  am__fastdepCC_TRUE='#'
-  am__fastdepCC_FALSE=
-fi
+Configuration commands:
+$config_commands
 
+Report bugs to <bug-autoconf@gnu.org>."
 
-# Extract the first word of "gperf", so it can be a program name with args.
-set dummy gperf; ac_word=$2
-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
-if test "${ac_cv_path_GPERF+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  case $GPERF in
-  [\\/]* | ?:[\\/]*)
-  ac_cv_path_GPERF="$GPERF" # Let the user override the test with a path.
-  ;;
-  *)
-  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-as_dummy="$PATH:/bin:/usr/bin:/usr/local/bin"
-for as_dir in $as_dummy
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-    ac_cv_path_GPERF="$as_dir/$ac_word$ac_exec_ext"
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
-    break 2
-  fi
-done
-done
-IFS=$as_save_IFS
+_ACEOF
+cat >>$CONFIG_STATUS <<_ACEOF
+ac_cs_version="\\
+strongSwan config.status 4.2.12
+configured by $0, generated by GNU Autoconf 2.61,
+  with options \\"`echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`\\"
 
-  ;;
-esac
-fi
-GPERF=$ac_cv_path_GPERF
-if test -n "$GPERF"; then
-  { echo "$as_me:$LINENO: result: $GPERF" >&5
-echo "${ECHO_T}$GPERF" >&6; }
-else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
-fi
+Copyright (C) 2006 Free Software Foundation, Inc.
+This config.status script is free software; the Free Software Foundation
+gives unlimited permission to copy, distribute and modify it."
 
+ac_pwd='$ac_pwd'
+srcdir='$srcdir'
+INSTALL='$INSTALL'
+MKDIR_P='$MKDIR_P'
+_ACEOF
 
-# Extract the first word of "perl", so it can be a program name with args.
-set dummy perl; ac_word=$2
-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
-if test "${ac_cv_path_PERL+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  case $PERL in
-  [\\/]* | ?:[\\/]*)
-  ac_cv_path_PERL="$PERL" # Let the user override the test with a path.
-  ;;
-  *)
-  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-as_dummy="$PATH:/bin:/usr/bin:/usr/local/bin"
-for as_dir in $as_dummy
+cat >>$CONFIG_STATUS <<\_ACEOF
+# If no file are specified by the user, then we need to provide default
+# value.  By we need to know if files were specified by the user.
+ac_need_defaults=:
+while test $# != 0
 do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-    ac_cv_path_PERL="$as_dir/$ac_word$ac_exec_ext"
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
-    break 2
-  fi
-done
-done
-IFS=$as_save_IFS
+  case $1 in
+  --*=*)
+    ac_option=`expr "X$1" : 'X\([^=]*\)='`
+    ac_optarg=`expr "X$1" : 'X[^=]*=\(.*\)'`
+    ac_shift=:
+    ;;
+  *)
+    ac_option=$1
+    ac_optarg=$2
+    ac_shift=shift
+    ;;
+  esac
 
-  ;;
-esac
-fi
-PERL=$ac_cv_path_PERL
-if test -n "$PERL"; then
-  { echo "$as_me:$LINENO: result: $PERL" >&5
-echo "${ECHO_T}$PERL" >&6; }
-else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
-fi
+  case $ac_option in
+  # Handling of the options.
+  -recheck | --recheck | --rechec | --reche | --rech | --rec | --re | --r)
+    ac_cs_recheck=: ;;
+  --version | --versio | --versi | --vers | --ver | --ve | --v | -V )
+    echo "$ac_cs_version"; exit ;;
+  --debug | --debu | --deb | --de | --d | -d )
+    debug=: ;;
+  --file | --fil | --fi | --f )
+    $ac_shift
+    CONFIG_FILES="$CONFIG_FILES $ac_optarg"
+    ac_need_defaults=false;;
+  --he | --h |  --help | --hel | -h )
+    echo "$ac_cs_usage"; exit ;;
+  -q | -quiet | --quiet | --quie | --qui | --qu | --q \
+  | -silent | --silent | --silen | --sile | --sil | --si | --s)
+    ac_cs_silent=: ;;
 
+  # This is an error.
+  -*) { echo "$as_me: error: unrecognized option: $1
+Try \`$0 --help' for more information." >&2
+   { (exit 1); exit 1; }; } ;;
 
+  *) ac_config_targets="$ac_config_targets $1"
+     ac_need_defaults=false ;;
 
+  esac
+  shift
+done
 
-if test x$pluto = xtrue; then
-	gmp=true;
-fi
-
-if test x$tools = xtrue; then
-	gmp=true;
-fi
-
-if test x$smp = xtrue; then
-	xml=true
-fi
-
-if test x$manager = xtrue; then
-	fast=true
-fi
-
-if test x$medsrv = xtrue; then
-	me=true
-	fast=true
-fi
+ac_configure_extra_args=
 
-if test x$medcli = xtrue; then
-	me=true
+if $ac_cs_silent; then
+  exec 6>/dev/null
+  ac_configure_extra_args="$ac_configure_extra_args --silent"
 fi
 
-
-
-{ echo "$as_me:$LINENO: checking for main in -ldl" >&5
-echo $ECHO_N "checking for main in -ldl... $ECHO_C" >&6; }
-if test "${ac_cv_lib_dl_main+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  ac_check_lib_save_LIBS=$LIBS
-LIBS="-ldl  $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-
-int
-main ()
-{
-return main ();
-  ;
-  return 0;
-}
 _ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
-  ac_cv_lib_dl_main=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_cv_lib_dl_main=no
+cat >>$CONFIG_STATUS <<_ACEOF
+if \$ac_cs_recheck; then
+  echo "running CONFIG_SHELL=$SHELL $SHELL $0 "$ac_configure_args \$ac_configure_extra_args " --no-create --no-recursion" >&6
+  CONFIG_SHELL=$SHELL
+  export CONFIG_SHELL
+  exec $SHELL "$0"$ac_configure_args \$ac_configure_extra_args --no-create --no-recursion
 fi
 
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-{ echo "$as_me:$LINENO: result: $ac_cv_lib_dl_main" >&5
-echo "${ECHO_T}$ac_cv_lib_dl_main" >&6; }
-if test $ac_cv_lib_dl_main = yes; then
-  cat >>confdefs.h <<_ACEOF
-#define HAVE_LIBDL 1
 _ACEOF
+cat >>$CONFIG_STATUS <<\_ACEOF
+exec 5>>config.log
+{
+  echo
+  sed 'h;s/./-/g;s/^.../## /;s/...$/ ##/;p;x;p;x' <<_ASBOX
+## Running $as_me. ##
+_ASBOX
+  echo "$ac_log"
+} >&5
 
-  LIBS="-ldl $LIBS"
-
-fi
-ac_cv_lib_dl=ac_cv_lib_dl_main
-
-
-for ac_func in backtrace
-do
-as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
-{ echo "$as_me:$LINENO: checking for $ac_func" >&5
-echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; }
-if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
 _ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-/* Define $ac_func to an innocuous variant, in case <limits.h> declares $ac_func.
-   For example, HP-UX 11i <limits.h> declares gettimeofday.  */
-#define $ac_func innocuous_$ac_func
+cat >>$CONFIG_STATUS <<_ACEOF
+#
+# INIT-COMMANDS
+#
+AMDEP_TRUE="$AMDEP_TRUE" ac_aux_dir="$ac_aux_dir"
 
-/* System header to define __stub macros and hopefully few prototypes,
-    which can conflict with char $ac_func (); below.
-    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
-    <limits.h> exists even on freestanding compilers.  */
 
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
+# The HP-UX ksh and POSIX shell print the target directory to stdout
+# if CDPATH is set.
+(unset CDPATH) >/dev/null 2>&1 && unset CDPATH
 
-#undef $ac_func
+sed_quote_subst='$sed_quote_subst'
+double_quote_subst='$double_quote_subst'
+delay_variable_subst='$delay_variable_subst'
+macro_version='`$ECHO "X$macro_version" | $Xsed -e "$delay_single_quote_subst"`'
+macro_revision='`$ECHO "X$macro_revision" | $Xsed -e "$delay_single_quote_subst"`'
+enable_shared='`$ECHO "X$enable_shared" | $Xsed -e "$delay_single_quote_subst"`'
+enable_static='`$ECHO "X$enable_static" | $Xsed -e "$delay_single_quote_subst"`'
+pic_mode='`$ECHO "X$pic_mode" | $Xsed -e "$delay_single_quote_subst"`'
+enable_fast_install='`$ECHO "X$enable_fast_install" | $Xsed -e "$delay_single_quote_subst"`'
+host_alias='`$ECHO "X$host_alias" | $Xsed -e "$delay_single_quote_subst"`'
+host='`$ECHO "X$host" | $Xsed -e "$delay_single_quote_subst"`'
+host_os='`$ECHO "X$host_os" | $Xsed -e "$delay_single_quote_subst"`'
+build_alias='`$ECHO "X$build_alias" | $Xsed -e "$delay_single_quote_subst"`'
+build='`$ECHO "X$build" | $Xsed -e "$delay_single_quote_subst"`'
+build_os='`$ECHO "X$build_os" | $Xsed -e "$delay_single_quote_subst"`'
+SED='`$ECHO "X$SED" | $Xsed -e "$delay_single_quote_subst"`'
+Xsed='`$ECHO "X$Xsed" | $Xsed -e "$delay_single_quote_subst"`'
+GREP='`$ECHO "X$GREP" | $Xsed -e "$delay_single_quote_subst"`'
+EGREP='`$ECHO "X$EGREP" | $Xsed -e "$delay_single_quote_subst"`'
+FGREP='`$ECHO "X$FGREP" | $Xsed -e "$delay_single_quote_subst"`'
+LD='`$ECHO "X$LD" | $Xsed -e "$delay_single_quote_subst"`'
+NM='`$ECHO "X$NM" | $Xsed -e "$delay_single_quote_subst"`'
+LN_S='`$ECHO "X$LN_S" | $Xsed -e "$delay_single_quote_subst"`'
+max_cmd_len='`$ECHO "X$max_cmd_len" | $Xsed -e "$delay_single_quote_subst"`'
+ac_objext='`$ECHO "X$ac_objext" | $Xsed -e "$delay_single_quote_subst"`'
+exeext='`$ECHO "X$exeext" | $Xsed -e "$delay_single_quote_subst"`'
+lt_unset='`$ECHO "X$lt_unset" | $Xsed -e "$delay_single_quote_subst"`'
+lt_SP2NL='`$ECHO "X$lt_SP2NL" | $Xsed -e "$delay_single_quote_subst"`'
+lt_NL2SP='`$ECHO "X$lt_NL2SP" | $Xsed -e "$delay_single_quote_subst"`'
+reload_flag='`$ECHO "X$reload_flag" | $Xsed -e "$delay_single_quote_subst"`'
+reload_cmds='`$ECHO "X$reload_cmds" | $Xsed -e "$delay_single_quote_subst"`'
+deplibs_check_method='`$ECHO "X$deplibs_check_method" | $Xsed -e "$delay_single_quote_subst"`'
+file_magic_cmd='`$ECHO "X$file_magic_cmd" | $Xsed -e "$delay_single_quote_subst"`'
+AR='`$ECHO "X$AR" | $Xsed -e "$delay_single_quote_subst"`'
+AR_FLAGS='`$ECHO "X$AR_FLAGS" | $Xsed -e "$delay_single_quote_subst"`'
+STRIP='`$ECHO "X$STRIP" | $Xsed -e "$delay_single_quote_subst"`'
+RANLIB='`$ECHO "X$RANLIB" | $Xsed -e "$delay_single_quote_subst"`'
+old_postinstall_cmds='`$ECHO "X$old_postinstall_cmds" | $Xsed -e "$delay_single_quote_subst"`'
+old_postuninstall_cmds='`$ECHO "X$old_postuninstall_cmds" | $Xsed -e "$delay_single_quote_subst"`'
+old_archive_cmds='`$ECHO "X$old_archive_cmds" | $Xsed -e "$delay_single_quote_subst"`'
+CC='`$ECHO "X$CC" | $Xsed -e "$delay_single_quote_subst"`'
+CFLAGS='`$ECHO "X$CFLAGS" | $Xsed -e "$delay_single_quote_subst"`'
+compiler='`$ECHO "X$compiler" | $Xsed -e "$delay_single_quote_subst"`'
+GCC='`$ECHO "X$GCC" | $Xsed -e "$delay_single_quote_subst"`'
+lt_cv_sys_global_symbol_pipe='`$ECHO "X$lt_cv_sys_global_symbol_pipe" | $Xsed -e "$delay_single_quote_subst"`'
+lt_cv_sys_global_symbol_to_cdecl='`$ECHO "X$lt_cv_sys_global_symbol_to_cdecl" | $Xsed -e "$delay_single_quote_subst"`'
+lt_cv_sys_global_symbol_to_c_name_address='`$ECHO "X$lt_cv_sys_global_symbol_to_c_name_address" | $Xsed -e "$delay_single_quote_subst"`'
+lt_cv_sys_global_symbol_to_c_name_address_lib_prefix='`$ECHO "X$lt_cv_sys_global_symbol_to_c_name_address_lib_prefix" | $Xsed -e "$delay_single_quote_subst"`'
+objdir='`$ECHO "X$objdir" | $Xsed -e "$delay_single_quote_subst"`'
+SHELL='`$ECHO "X$SHELL" | $Xsed -e "$delay_single_quote_subst"`'
+ECHO='`$ECHO "X$ECHO" | $Xsed -e "$delay_single_quote_subst"`'
+MAGIC_CMD='`$ECHO "X$MAGIC_CMD" | $Xsed -e "$delay_single_quote_subst"`'
+lt_prog_compiler_no_builtin_flag='`$ECHO "X$lt_prog_compiler_no_builtin_flag" | $Xsed -e "$delay_single_quote_subst"`'
+lt_prog_compiler_wl='`$ECHO "X$lt_prog_compiler_wl" | $Xsed -e "$delay_single_quote_subst"`'
+lt_prog_compiler_pic='`$ECHO "X$lt_prog_compiler_pic" | $Xsed -e "$delay_single_quote_subst"`'
+lt_prog_compiler_static='`$ECHO "X$lt_prog_compiler_static" | $Xsed -e "$delay_single_quote_subst"`'
+lt_cv_prog_compiler_c_o='`$ECHO "X$lt_cv_prog_compiler_c_o" | $Xsed -e "$delay_single_quote_subst"`'
+need_locks='`$ECHO "X$need_locks" | $Xsed -e "$delay_single_quote_subst"`'
+DSYMUTIL='`$ECHO "X$DSYMUTIL" | $Xsed -e "$delay_single_quote_subst"`'
+NMEDIT='`$ECHO "X$NMEDIT" | $Xsed -e "$delay_single_quote_subst"`'
+LIPO='`$ECHO "X$LIPO" | $Xsed -e "$delay_single_quote_subst"`'
+OTOOL='`$ECHO "X$OTOOL" | $Xsed -e "$delay_single_quote_subst"`'
+OTOOL64='`$ECHO "X$OTOOL64" | $Xsed -e "$delay_single_quote_subst"`'
+libext='`$ECHO "X$libext" | $Xsed -e "$delay_single_quote_subst"`'
+shrext_cmds='`$ECHO "X$shrext_cmds" | $Xsed -e "$delay_single_quote_subst"`'
+extract_expsyms_cmds='`$ECHO "X$extract_expsyms_cmds" | $Xsed -e "$delay_single_quote_subst"`'
+archive_cmds_need_lc='`$ECHO "X$archive_cmds_need_lc" | $Xsed -e "$delay_single_quote_subst"`'
+enable_shared_with_static_runtimes='`$ECHO "X$enable_shared_with_static_runtimes" | $Xsed -e "$delay_single_quote_subst"`'
+export_dynamic_flag_spec='`$ECHO "X$export_dynamic_flag_spec" | $Xsed -e "$delay_single_quote_subst"`'
+whole_archive_flag_spec='`$ECHO "X$whole_archive_flag_spec" | $Xsed -e "$delay_single_quote_subst"`'
+compiler_needs_object='`$ECHO "X$compiler_needs_object" | $Xsed -e "$delay_single_quote_subst"`'
+old_archive_from_new_cmds='`$ECHO "X$old_archive_from_new_cmds" | $Xsed -e "$delay_single_quote_subst"`'
+old_archive_from_expsyms_cmds='`$ECHO "X$old_archive_from_expsyms_cmds" | $Xsed -e "$delay_single_quote_subst"`'
+archive_cmds='`$ECHO "X$archive_cmds" | $Xsed -e "$delay_single_quote_subst"`'
+archive_expsym_cmds='`$ECHO "X$archive_expsym_cmds" | $Xsed -e "$delay_single_quote_subst"`'
+module_cmds='`$ECHO "X$module_cmds" | $Xsed -e "$delay_single_quote_subst"`'
+module_expsym_cmds='`$ECHO "X$module_expsym_cmds" | $Xsed -e "$delay_single_quote_subst"`'
+with_gnu_ld='`$ECHO "X$with_gnu_ld" | $Xsed -e "$delay_single_quote_subst"`'
+allow_undefined_flag='`$ECHO "X$allow_undefined_flag" | $Xsed -e "$delay_single_quote_subst"`'
+no_undefined_flag='`$ECHO "X$no_undefined_flag" | $Xsed -e "$delay_single_quote_subst"`'
+hardcode_libdir_flag_spec='`$ECHO "X$hardcode_libdir_flag_spec" | $Xsed -e "$delay_single_quote_subst"`'
+hardcode_libdir_flag_spec_ld='`$ECHO "X$hardcode_libdir_flag_spec_ld" | $Xsed -e "$delay_single_quote_subst"`'
+hardcode_libdir_separator='`$ECHO "X$hardcode_libdir_separator" | $Xsed -e "$delay_single_quote_subst"`'
+hardcode_direct='`$ECHO "X$hardcode_direct" | $Xsed -e "$delay_single_quote_subst"`'
+hardcode_direct_absolute='`$ECHO "X$hardcode_direct_absolute" | $Xsed -e "$delay_single_quote_subst"`'
+hardcode_minus_L='`$ECHO "X$hardcode_minus_L" | $Xsed -e "$delay_single_quote_subst"`'
+hardcode_shlibpath_var='`$ECHO "X$hardcode_shlibpath_var" | $Xsed -e "$delay_single_quote_subst"`'
+hardcode_automatic='`$ECHO "X$hardcode_automatic" | $Xsed -e "$delay_single_quote_subst"`'
+inherit_rpath='`$ECHO "X$inherit_rpath" | $Xsed -e "$delay_single_quote_subst"`'
+link_all_deplibs='`$ECHO "X$link_all_deplibs" | $Xsed -e "$delay_single_quote_subst"`'
+fix_srcfile_path='`$ECHO "X$fix_srcfile_path" | $Xsed -e "$delay_single_quote_subst"`'
+always_export_symbols='`$ECHO "X$always_export_symbols" | $Xsed -e "$delay_single_quote_subst"`'
+export_symbols_cmds='`$ECHO "X$export_symbols_cmds" | $Xsed -e "$delay_single_quote_subst"`'
+exclude_expsyms='`$ECHO "X$exclude_expsyms" | $Xsed -e "$delay_single_quote_subst"`'
+include_expsyms='`$ECHO "X$include_expsyms" | $Xsed -e "$delay_single_quote_subst"`'
+prelink_cmds='`$ECHO "X$prelink_cmds" | $Xsed -e "$delay_single_quote_subst"`'
+file_list_spec='`$ECHO "X$file_list_spec" | $Xsed -e "$delay_single_quote_subst"`'
+variables_saved_for_relink='`$ECHO "X$variables_saved_for_relink" | $Xsed -e "$delay_single_quote_subst"`'
+need_lib_prefix='`$ECHO "X$need_lib_prefix" | $Xsed -e "$delay_single_quote_subst"`'
+need_version='`$ECHO "X$need_version" | $Xsed -e "$delay_single_quote_subst"`'
+version_type='`$ECHO "X$version_type" | $Xsed -e "$delay_single_quote_subst"`'
+runpath_var='`$ECHO "X$runpath_var" | $Xsed -e "$delay_single_quote_subst"`'
+shlibpath_var='`$ECHO "X$shlibpath_var" | $Xsed -e "$delay_single_quote_subst"`'
+shlibpath_overrides_runpath='`$ECHO "X$shlibpath_overrides_runpath" | $Xsed -e "$delay_single_quote_subst"`'
+libname_spec='`$ECHO "X$libname_spec" | $Xsed -e "$delay_single_quote_subst"`'
+library_names_spec='`$ECHO "X$library_names_spec" | $Xsed -e "$delay_single_quote_subst"`'
+soname_spec='`$ECHO "X$soname_spec" | $Xsed -e "$delay_single_quote_subst"`'
+postinstall_cmds='`$ECHO "X$postinstall_cmds" | $Xsed -e "$delay_single_quote_subst"`'
+postuninstall_cmds='`$ECHO "X$postuninstall_cmds" | $Xsed -e "$delay_single_quote_subst"`'
+finish_cmds='`$ECHO "X$finish_cmds" | $Xsed -e "$delay_single_quote_subst"`'
+finish_eval='`$ECHO "X$finish_eval" | $Xsed -e "$delay_single_quote_subst"`'
+hardcode_into_libs='`$ECHO "X$hardcode_into_libs" | $Xsed -e "$delay_single_quote_subst"`'
+sys_lib_search_path_spec='`$ECHO "X$sys_lib_search_path_spec" | $Xsed -e "$delay_single_quote_subst"`'
+sys_lib_dlsearch_path_spec='`$ECHO "X$sys_lib_dlsearch_path_spec" | $Xsed -e "$delay_single_quote_subst"`'
+hardcode_action='`$ECHO "X$hardcode_action" | $Xsed -e "$delay_single_quote_subst"`'
+enable_dlopen='`$ECHO "X$enable_dlopen" | $Xsed -e "$delay_single_quote_subst"`'
+enable_dlopen_self='`$ECHO "X$enable_dlopen_self" | $Xsed -e "$delay_single_quote_subst"`'
+enable_dlopen_self_static='`$ECHO "X$enable_dlopen_self_static" | $Xsed -e "$delay_single_quote_subst"`'
+old_striplib='`$ECHO "X$old_striplib" | $Xsed -e "$delay_single_quote_subst"`'
+striplib='`$ECHO "X$striplib" | $Xsed -e "$delay_single_quote_subst"`'
+
+LTCC='$LTCC'
+LTCFLAGS='$LTCFLAGS'
+compiler='$compiler_DEFAULT'
+
+# Quote evaled strings.
+for var in SED \
+GREP \
+EGREP \
+FGREP \
+LD \
+NM \
+LN_S \
+lt_SP2NL \
+lt_NL2SP \
+reload_flag \
+deplibs_check_method \
+file_magic_cmd \
+AR \
+AR_FLAGS \
+STRIP \
+RANLIB \
+CC \
+CFLAGS \
+compiler \
+lt_cv_sys_global_symbol_pipe \
+lt_cv_sys_global_symbol_to_cdecl \
+lt_cv_sys_global_symbol_to_c_name_address \
+lt_cv_sys_global_symbol_to_c_name_address_lib_prefix \
+SHELL \
+ECHO \
+lt_prog_compiler_no_builtin_flag \
+lt_prog_compiler_wl \
+lt_prog_compiler_pic \
+lt_prog_compiler_static \
+lt_cv_prog_compiler_c_o \
+need_locks \
+DSYMUTIL \
+NMEDIT \
+LIPO \
+OTOOL \
+OTOOL64 \
+shrext_cmds \
+export_dynamic_flag_spec \
+whole_archive_flag_spec \
+compiler_needs_object \
+with_gnu_ld \
+allow_undefined_flag \
+no_undefined_flag \
+hardcode_libdir_flag_spec \
+hardcode_libdir_flag_spec_ld \
+hardcode_libdir_separator \
+fix_srcfile_path \
+exclude_expsyms \
+include_expsyms \
+file_list_spec \
+variables_saved_for_relink \
+libname_spec \
+library_names_spec \
+soname_spec \
+finish_eval \
+old_striplib \
+striplib; do
+    case \`eval \\\\\$ECHO "X\\\\\$\$var"\` in
+    *[\\\\\\\`\\"\\\$]*)
+      eval "lt_\$var=\\\\\\"\\\`\\\$ECHO \\"X\\\$\$var\\" | \\\$Xsed -e \\"\\\$sed_quote_subst\\"\\\`\\\\\\""
+      ;;
+    *)
+      eval "lt_\$var=\\\\\\"\\\$\$var\\\\\\""
+      ;;
+    esac
+done
 
-/* Override any GCC internal prototype to avoid an error.
-   Use char because int might match the return type of a GCC
-   builtin and then its argument prototype would still apply.  */
-#ifdef __cplusplus
-extern "C"
-#endif
-char $ac_func ();
-/* The GNU C library defines this for functions which it implements
-    to always fail with ENOSYS.  Some functions are actually named
-    something starting with __ and the normal name is an alias.  */
-#if defined __stub_$ac_func || defined __stub___$ac_func
-choke me
-#endif
+# Double-quote double-evaled strings.
+for var in reload_cmds \
+old_postinstall_cmds \
+old_postuninstall_cmds \
+old_archive_cmds \
+extract_expsyms_cmds \
+old_archive_from_new_cmds \
+old_archive_from_expsyms_cmds \
+archive_cmds \
+archive_expsym_cmds \
+module_cmds \
+module_expsym_cmds \
+export_symbols_cmds \
+prelink_cmds \
+postinstall_cmds \
+postuninstall_cmds \
+finish_cmds \
+sys_lib_search_path_spec \
+sys_lib_dlsearch_path_spec; do
+    case \`eval \\\\\$ECHO "X\\\\\$\$var"\` in
+    *[\\\\\\\`\\"\\\$]*)
+      eval "lt_\$var=\\\\\\"\\\`\\\$ECHO \\"X\\\$\$var\\" | \\\$Xsed -e \\"\\\$double_quote_subst\\" -e \\"\\\$sed_quote_subst\\" -e \\"\\\$delay_variable_subst\\"\\\`\\\\\\""
+      ;;
+    *)
+      eval "lt_\$var=\\\\\\"\\\$\$var\\\\\\""
+      ;;
+    esac
+done
 
-int
-main ()
-{
-return $ac_func ();
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
+# Fix-up fallback echo if it was mangled by the above quoting rules.
+case \$lt_ECHO in
+*'\\\$0 --fallback-echo"')  lt_ECHO=\`\$ECHO "X\$lt_ECHO" | \$Xsed -e 's/\\\\\\\\\\\\\\\$0 --fallback-echo"\$/\$0 --fallback-echo"/'\`
+  ;;
 esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
-  eval "$as_ac_var=yes"
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
 
-	eval "$as_ac_var=no"
-fi
+ac_aux_dir='$ac_aux_dir'
+xsi_shell='$xsi_shell'
+lt_shell_append='$lt_shell_append'
 
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
+# See if we are running on zsh, and set the options which allow our
+# commands through without removal of \ escapes INIT.
+if test -n "\${ZSH_VERSION+set}" ; then
+   setopt NO_GLOB_SUBST
 fi
-ac_res=`eval echo '${'$as_ac_var'}'`
-	       { echo "$as_me:$LINENO: result: $ac_res" >&5
-echo "${ECHO_T}$ac_res" >&6; }
-if test `eval echo '${'$as_ac_var'}'` = yes; then
-  cat >>confdefs.h <<_ACEOF
-#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
-_ACEOF
 
-fi
-done
 
+    PACKAGE='$PACKAGE'
+    VERSION='$VERSION'
+    TIMESTAMP='$TIMESTAMP'
+    RM='$RM'
+    ofile='$ofile'
 
-for ac_func in dladdr
-do
-as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
-{ echo "$as_me:$LINENO: checking for $ac_func" >&5
-echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; }
-if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-/* Define $ac_func to an innocuous variant, in case <limits.h> declares $ac_func.
-   For example, HP-UX 11i <limits.h> declares gettimeofday.  */
-#define $ac_func innocuous_$ac_func
 
-/* System header to define __stub macros and hopefully few prototypes,
-    which can conflict with char $ac_func (); below.
-    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
-    <limits.h> exists even on freestanding compilers.  */
 
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
 
-#undef $ac_func
+_ACEOF
 
-/* Override any GCC internal prototype to avoid an error.
-   Use char because int might match the return type of a GCC
-   builtin and then its argument prototype would still apply.  */
-#ifdef __cplusplus
-extern "C"
-#endif
-char $ac_func ();
-/* The GNU C library defines this for functions which it implements
-    to always fail with ENOSYS.  Some functions are actually named
-    something starting with __ and the normal name is an alias.  */
-#if defined __stub_$ac_func || defined __stub___$ac_func
-choke me
-#endif
+cat >>$CONFIG_STATUS <<\_ACEOF
 
-int
-main ()
-{
-return $ac_func ();
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
-  eval "$as_ac_var=yes"
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	eval "$as_ac_var=no"
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
-fi
-ac_res=`eval echo '${'$as_ac_var'}'`
-	       { echo "$as_me:$LINENO: result: $ac_res" >&5
-echo "${ECHO_T}$ac_res" >&6; }
-if test `eval echo '${'$as_ac_var'}'` = yes; then
-  cat >>confdefs.h <<_ACEOF
-#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
-_ACEOF
+# Handling of arguments.
+for ac_config_target in $ac_config_targets
+do
+  case $ac_config_target in
+    "depfiles") CONFIG_COMMANDS="$CONFIG_COMMANDS depfiles" ;;
+    "libtool") CONFIG_COMMANDS="$CONFIG_COMMANDS libtool" ;;
+    "Makefile") CONFIG_FILES="$CONFIG_FILES Makefile" ;;
+    "src/Makefile") CONFIG_FILES="$CONFIG_FILES src/Makefile" ;;
+    "src/include/Makefile") CONFIG_FILES="$CONFIG_FILES src/include/Makefile" ;;
+    "src/libstrongswan/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/Makefile" ;;
+    "src/libstrongswan/plugins/aes/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/aes/Makefile" ;;
+    "src/libstrongswan/plugins/des/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/des/Makefile" ;;
+    "src/libstrongswan/plugins/md4/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/md4/Makefile" ;;
+    "src/libstrongswan/plugins/md5/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/md5/Makefile" ;;
+    "src/libstrongswan/plugins/sha1/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/sha1/Makefile" ;;
+    "src/libstrongswan/plugins/sha2/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/sha2/Makefile" ;;
+    "src/libstrongswan/plugins/fips_prf/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/fips_prf/Makefile" ;;
+    "src/libstrongswan/plugins/gmp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/gmp/Makefile" ;;
+    "src/libstrongswan/plugins/random/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/random/Makefile" ;;
+    "src/libstrongswan/plugins/hmac/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/hmac/Makefile" ;;
+    "src/libstrongswan/plugins/xcbc/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/xcbc/Makefile" ;;
+    "src/libstrongswan/plugins/x509/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/x509/Makefile" ;;
+    "src/libstrongswan/plugins/pubkey/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/pubkey/Makefile" ;;
+    "src/libstrongswan/plugins/curl/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/curl/Makefile" ;;
+    "src/libstrongswan/plugins/ldap/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/ldap/Makefile" ;;
+    "src/libstrongswan/plugins/mysql/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/mysql/Makefile" ;;
+    "src/libstrongswan/plugins/sqlite/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/sqlite/Makefile" ;;
+    "src/libstrongswan/plugins/padlock/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/padlock/Makefile" ;;
+    "src/libstrongswan/plugins/openssl/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/openssl/Makefile" ;;
+    "src/libstrongswan/plugins/agent/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/agent/Makefile" ;;
+    "src/libstrongswan/fips/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/fips/Makefile" ;;
+    "src/libcrypto/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcrypto/Makefile" ;;
+    "src/libfreeswan/Makefile") CONFIG_FILES="$CONFIG_FILES src/libfreeswan/Makefile" ;;
+    "src/pluto/Makefile") CONFIG_FILES="$CONFIG_FILES src/pluto/Makefile" ;;
+    "src/whack/Makefile") CONFIG_FILES="$CONFIG_FILES src/whack/Makefile" ;;
+    "src/charon/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/Makefile" ;;
+    "src/charon/plugins/eap_aka/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/eap_aka/Makefile" ;;
+    "src/charon/plugins/eap_identity/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/eap_identity/Makefile" ;;
+    "src/charon/plugins/eap_md5/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/eap_md5/Makefile" ;;
+    "src/charon/plugins/eap_gtc/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/eap_gtc/Makefile" ;;
+    "src/charon/plugins/eap_sim/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/eap_sim/Makefile" ;;
+    "src/charon/plugins/eap_sim_file/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/eap_sim_file/Makefile" ;;
+    "src/charon/plugins/eap_mschapv2/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/eap_mschapv2/Makefile" ;;
+    "src/charon/plugins/kernel_netlink/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/kernel_netlink/Makefile" ;;
+    "src/charon/plugins/kernel_pfkey/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/kernel_pfkey/Makefile" ;;
+    "src/charon/plugins/kernel_klips/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/kernel_klips/Makefile" ;;
+    "src/charon/plugins/smp/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/smp/Makefile" ;;
+    "src/charon/plugins/sql/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/sql/Makefile" ;;
+    "src/charon/plugins/medsrv/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/medsrv/Makefile" ;;
+    "src/charon/plugins/medcli/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/medcli/Makefile" ;;
+    "src/charon/plugins/nm/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/nm/Makefile" ;;
+    "src/charon/plugins/uci/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/uci/Makefile" ;;
+    "src/charon/plugins/stroke/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/stroke/Makefile" ;;
+    "src/charon/plugins/updown/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/updown/Makefile" ;;
+    "src/charon/plugins/unit_tester/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/unit_tester/Makefile" ;;
+    "src/charon/plugins/load_tester/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/load_tester/Makefile" ;;
+    "src/stroke/Makefile") CONFIG_FILES="$CONFIG_FILES src/stroke/Makefile" ;;
+    "src/ipsec/Makefile") CONFIG_FILES="$CONFIG_FILES src/ipsec/Makefile" ;;
+    "src/starter/Makefile") CONFIG_FILES="$CONFIG_FILES src/starter/Makefile" ;;
+    "src/_updown/Makefile") CONFIG_FILES="$CONFIG_FILES src/_updown/Makefile" ;;
+    "src/_updown_espmark/Makefile") CONFIG_FILES="$CONFIG_FILES src/_updown_espmark/Makefile" ;;
+    "src/_copyright/Makefile") CONFIG_FILES="$CONFIG_FILES src/_copyright/Makefile" ;;
+    "src/openac/Makefile") CONFIG_FILES="$CONFIG_FILES src/openac/Makefile" ;;
+    "src/scepclient/Makefile") CONFIG_FILES="$CONFIG_FILES src/scepclient/Makefile" ;;
+    "src/dumm/Makefile") CONFIG_FILES="$CONFIG_FILES src/dumm/Makefile" ;;
+    "src/libfast/Makefile") CONFIG_FILES="$CONFIG_FILES src/libfast/Makefile" ;;
+    "src/manager/Makefile") CONFIG_FILES="$CONFIG_FILES src/manager/Makefile" ;;
+    "src/medsrv/Makefile") CONFIG_FILES="$CONFIG_FILES src/medsrv/Makefile" ;;
+    "scripts/Makefile") CONFIG_FILES="$CONFIG_FILES scripts/Makefile" ;;
+    "testing/Makefile") CONFIG_FILES="$CONFIG_FILES testing/Makefile" ;;
 
-fi
+  *) { { echo "$as_me:$LINENO: error: invalid argument: $ac_config_target" >&5
+echo "$as_me: error: invalid argument: $ac_config_target" >&2;}
+   { (exit 1); exit 1; }; };;
+  esac
 done
 
 
-if test x$gmp = xtrue; then
-	{ echo "$as_me:$LINENO: checking for main in -lgmp" >&5
-echo $ECHO_N "checking for main in -lgmp... $ECHO_C" >&6; }
-if test "${ac_cv_lib_gmp_main+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  ac_check_lib_save_LIBS=$LIBS
-LIBS="-lgmp  $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
+# If the user did not use the arguments to specify the items to instantiate,
+# then the envvar interface is used.  Set only those that are not.
+# We use the long form for the default assignment because of an extremely
+# bizarre bug on SunOS 4.1.3.
+if $ac_need_defaults; then
+  test "${CONFIG_FILES+set}" = set || CONFIG_FILES=$config_files
+  test "${CONFIG_COMMANDS+set}" = set || CONFIG_COMMANDS=$config_commands
+fi
 
-int
-main ()
+# Have a temporary directory for convenience.  Make it in the build tree
+# simply because there is no reason against having it here, and in addition,
+# creating and moving files from /tmp can sometimes cause problems.
+# Hook for its removal unless debugging.
+# Note that there is a small window in which the directory will not be cleaned:
+# after its creation but before its name has been assigned to `$tmp'.
+$debug ||
 {
-return main ();
-  ;
-  return 0;
+  tmp=
+  trap 'exit_status=$?
+  { test -z "$tmp" || test ! -d "$tmp" || rm -fr "$tmp"; } && exit $exit_status
+' 0
+  trap '{ (exit 1); exit 1; }' 1 2 13 15
 }
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
-  ac_cv_lib_gmp_main=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_cv_lib_gmp_main=no
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-{ echo "$as_me:$LINENO: result: $ac_cv_lib_gmp_main" >&5
-echo "${ECHO_T}$ac_cv_lib_gmp_main" >&6; }
-if test $ac_cv_lib_gmp_main = yes; then
-  LIBS="$LIBS"
-else
-  { { echo "$as_me:$LINENO: error: GNU Multi Precision library gmp not found" >&5
-echo "$as_me: error: GNU Multi Precision library gmp not found" >&2;}
-   { (exit 1); exit 1; }; }
-fi
-ac_cv_lib_gmp=ac_cv_lib_gmp_main
+# Create a (secure) tmp directory for tmp files.
 
-	{ echo "$as_me:$LINENO: checking gmp.h version >= 4.1.4" >&5
-echo $ECHO_N "checking gmp.h version >= 4.1.4... $ECHO_C" >&6; }
-	cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#include "gmp.h"
-int
-main ()
 {
+  tmp=`(umask 077 && mktemp -d "./confXXXXXX") 2>/dev/null` &&
+  test -n "$tmp" && test -d "$tmp"
+}  ||
+{
+  tmp=./conf$$-$RANDOM
+  (umask 077 && mkdir "$tmp")
+} ||
+{
+   echo "$me: cannot create a temporary directory in ." >&2
+   { (exit 1); exit 1; }
+}
 
-			#if (__GNU_MP_VERSION*100 +  __GNU_MP_VERSION_MINOR*10 + __GNU_MP_VERSION_PATCHLEVEL) < 414
-				#error bad gmp
-			#endif
+#
+# Set up the sed scripts for CONFIG_FILES section.
+#
 
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  { echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6; }
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+# No need to generate the scripts if there are no CONFIG_FILES.
+# This happens for instance when ./config.status config.h
+if test -n "$CONFIG_FILES"; then
 
-	{ echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }; { { echo "$as_me:$LINENO: error: No usable gmp.h found!" >&5
-echo "$as_me: error: No usable gmp.h found!" >&2;}
-   { (exit 1); exit 1; }; }
+_ACEOF
 
-fi
 
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-fi
 
-if test x$ldap = xtrue; then
-	{ echo "$as_me:$LINENO: checking for main in -lldap" >&5
-echo $ECHO_N "checking for main in -lldap... $ECHO_C" >&6; }
-if test "${ac_cv_lib_ldap_main+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  ac_check_lib_save_LIBS=$LIBS
-LIBS="-lldap  $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-
-int
-main ()
-{
-return main ();
-  ;
-  return 0;
-}
+ac_delim='%!_!# '
+for ac_last_try in false false false false false :; do
+  cat >conf$$subs.sed <<_ACEOF
+SHELL!$SHELL$ac_delim
+PATH_SEPARATOR!$PATH_SEPARATOR$ac_delim
+PACKAGE_NAME!$PACKAGE_NAME$ac_delim
+PACKAGE_TARNAME!$PACKAGE_TARNAME$ac_delim
+PACKAGE_VERSION!$PACKAGE_VERSION$ac_delim
+PACKAGE_STRING!$PACKAGE_STRING$ac_delim
+PACKAGE_BUGREPORT!$PACKAGE_BUGREPORT$ac_delim
+exec_prefix!$exec_prefix$ac_delim
+prefix!$prefix$ac_delim
+program_transform_name!$program_transform_name$ac_delim
+bindir!$bindir$ac_delim
+sbindir!$sbindir$ac_delim
+libexecdir!$libexecdir$ac_delim
+datarootdir!$datarootdir$ac_delim
+datadir!$datadir$ac_delim
+sysconfdir!$sysconfdir$ac_delim
+sharedstatedir!$sharedstatedir$ac_delim
+localstatedir!$localstatedir$ac_delim
+includedir!$includedir$ac_delim
+oldincludedir!$oldincludedir$ac_delim
+docdir!$docdir$ac_delim
+infodir!$infodir$ac_delim
+htmldir!$htmldir$ac_delim
+dvidir!$dvidir$ac_delim
+pdfdir!$pdfdir$ac_delim
+psdir!$psdir$ac_delim
+libdir!$libdir$ac_delim
+localedir!$localedir$ac_delim
+mandir!$mandir$ac_delim
+DEFS!$DEFS$ac_delim
+ECHO_C!$ECHO_C$ac_delim
+ECHO_N!$ECHO_N$ac_delim
+ECHO_T!$ECHO_T$ac_delim
+LIBS!$LIBS$ac_delim
+build_alias!$build_alias$ac_delim
+host_alias!$host_alias$ac_delim
+target_alias!$target_alias$ac_delim
+INSTALL_PROGRAM!$INSTALL_PROGRAM$ac_delim
+INSTALL_SCRIPT!$INSTALL_SCRIPT$ac_delim
+INSTALL_DATA!$INSTALL_DATA$ac_delim
+am__isrc!$am__isrc$ac_delim
+CYGPATH_W!$CYGPATH_W$ac_delim
+PACKAGE!$PACKAGE$ac_delim
+VERSION!$VERSION$ac_delim
+ACLOCAL!$ACLOCAL$ac_delim
+AUTOCONF!$AUTOCONF$ac_delim
+AUTOMAKE!$AUTOMAKE$ac_delim
+AUTOHEADER!$AUTOHEADER$ac_delim
+MAKEINFO!$MAKEINFO$ac_delim
+install_sh!$install_sh$ac_delim
+STRIP!$STRIP$ac_delim
+INSTALL_STRIP_PROGRAM!$INSTALL_STRIP_PROGRAM$ac_delim
+mkdir_p!$mkdir_p$ac_delim
+AWK!$AWK$ac_delim
+SET_MAKE!$SET_MAKE$ac_delim
+am__leading_dot!$am__leading_dot$ac_delim
+AMTAR!$AMTAR$ac_delim
+am__tar!$am__tar$ac_delim
+am__untar!$am__untar$ac_delim
+CC!$CC$ac_delim
+CFLAGS!$CFLAGS$ac_delim
+LDFLAGS!$LDFLAGS$ac_delim
+CPPFLAGS!$CPPFLAGS$ac_delim
+ac_ct_CC!$ac_ct_CC$ac_delim
+EXEEXT!$EXEEXT$ac_delim
+OBJEXT!$OBJEXT$ac_delim
+DEPDIR!$DEPDIR$ac_delim
+am__include!$am__include$ac_delim
+am__quote!$am__quote$ac_delim
+AMDEP_TRUE!$AMDEP_TRUE$ac_delim
+AMDEP_FALSE!$AMDEP_FALSE$ac_delim
+AMDEPBACKSLASH!$AMDEPBACKSLASH$ac_delim
+CCDEPMODE!$CCDEPMODE$ac_delim
+am__fastdepCC_TRUE!$am__fastdepCC_TRUE$ac_delim
+am__fastdepCC_FALSE!$am__fastdepCC_FALSE$ac_delim
+CPP!$CPP$ac_delim
+GREP!$GREP$ac_delim
+EGREP!$EGREP$ac_delim
+confdir!$confdir$ac_delim
+PKG_CONFIG!$PKG_CONFIG$ac_delim
+resolv_conf!$resolv_conf$ac_delim
+strongswan_conf!$strongswan_conf$ac_delim
+piddir!$piddir$ac_delim
+ipsecdir!$ipsecdir$ac_delim
+plugindir!$plugindir$ac_delim
+simreader!$simreader$ac_delim
+linuxdir!$linuxdir$ac_delim
+LINUX_HEADERS!$LINUX_HEADERS$ac_delim
+IPSEC_ROUTING_TABLE!$IPSEC_ROUTING_TABLE$ac_delim
+IPSEC_ROUTING_TABLE_PRIO!$IPSEC_ROUTING_TABLE_PRIO$ac_delim
+ipsecuser!$ipsecuser$ac_delim
+ipsecgroup!$ipsecgroup$ac_delim
+LIBTOOL!$LIBTOOL$ac_delim
+build!$build$ac_delim
+build_cpu!$build_cpu$ac_delim
+build_vendor!$build_vendor$ac_delim
+build_os!$build_os$ac_delim
 _ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
-  ac_cv_lib_ldap_main=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_cv_lib_ldap_main=no
-fi
 
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-{ echo "$as_me:$LINENO: result: $ac_cv_lib_ldap_main" >&5
-echo "${ECHO_T}$ac_cv_lib_ldap_main" >&6; }
-if test $ac_cv_lib_ldap_main = yes; then
-  LIBS="$LIBS"
-else
-  { { echo "$as_me:$LINENO: error: LDAP library ldap not found" >&5
-echo "$as_me: error: LDAP library ldap not found" >&2;}
+  if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 97; then
+    break
+  elif $ac_last_try; then
+    { { echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5
+echo "$as_me: error: could not make $CONFIG_STATUS" >&2;}
    { (exit 1); exit 1; }; }
+  else
+    ac_delim="$ac_delim!$ac_delim _$ac_delim!! "
+  fi
+done
+
+ac_eof=`sed -n '/^CEOF[0-9]*$/s/CEOF/0/p' conf$$subs.sed`
+if test -n "$ac_eof"; then
+  ac_eof=`echo "$ac_eof" | sort -nru | sed 1q`
+  ac_eof=`expr $ac_eof + 1`
 fi
-ac_cv_lib_ldap=ac_cv_lib_ldap_main
 
-	{ echo "$as_me:$LINENO: checking for main in -llber" >&5
-echo $ECHO_N "checking for main in -llber... $ECHO_C" >&6; }
-if test "${ac_cv_lib_lber_main+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  ac_check_lib_save_LIBS=$LIBS
-LIBS="-llber  $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
+cat >>$CONFIG_STATUS <<_ACEOF
+cat >"\$tmp/subs-1.sed" <<\CEOF$ac_eof
+/@[a-zA-Z_][a-zA-Z_0-9]*@/!b
 _ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-
-int
-main ()
-{
-return main ();
-  ;
-  return 0;
-}
+sed '
+s/[,\\&]/\\&/g; s/@/@|#_!!_#|/g
+s/^/s,@/; s/!/@,|#_!!_#|/
+:n
+t n
+s/'"$ac_delim"'$/,g/; t
+s/$/\\/; p
+N; s/^.*\n//; s/[,\\&]/\\&/g; s/@/@|#_!!_#|/g; b n
+' >>$CONFIG_STATUS <conf$$subs.sed
+rm -f conf$$subs.sed
+cat >>$CONFIG_STATUS <<_ACEOF
+CEOF$ac_eof
 _ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
-  ac_cv_lib_lber_main=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
 
-	ac_cv_lib_lber_main=no
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-{ echo "$as_me:$LINENO: result: $ac_cv_lib_lber_main" >&5
-echo "${ECHO_T}$ac_cv_lib_lber_main" >&6; }
-if test $ac_cv_lib_lber_main = yes; then
-  LIBS="$LIBS"
-else
-  { { echo "$as_me:$LINENO: error: LDAP library lber not found" >&5
-echo "$as_me: error: LDAP library lber not found" >&2;}
-   { (exit 1); exit 1; }; }
-fi
-ac_cv_lib_lber=ac_cv_lib_lber_main
 
-	if test "${ac_cv_header_ldap_h+set}" = set; then
-  { echo "$as_me:$LINENO: checking for ldap.h" >&5
-echo $ECHO_N "checking for ldap.h... $ECHO_C" >&6; }
-if test "${ac_cv_header_ldap_h+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-fi
-{ echo "$as_me:$LINENO: result: $ac_cv_header_ldap_h" >&5
-echo "${ECHO_T}$ac_cv_header_ldap_h" >&6; }
-else
-  # Is the header compilable?
-{ echo "$as_me:$LINENO: checking ldap.h usability" >&5
-echo $ECHO_N "checking ldap.h usability... $ECHO_C" >&6; }
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-$ac_includes_default
-#include <ldap.h>
-_ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  ac_header_compiler=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_header_compiler=no
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
-echo "${ECHO_T}$ac_header_compiler" >&6; }
-
-# Is the header present?
-{ echo "$as_me:$LINENO: checking ldap.h presence" >&5
-echo $ECHO_N "checking ldap.h presence... $ECHO_C" >&6; }
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#include <ldap.h>
-_ACEOF
-if { (ac_try="$ac_cpp conftest.$ac_ext"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } >/dev/null && {
-	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       }; then
-  ac_header_preproc=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-  ac_header_preproc=no
-fi
-
-rm -f conftest.err conftest.$ac_ext
-{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
-echo "${ECHO_T}$ac_header_preproc" >&6; }
-
-# So?  What about this header?
-case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
-  yes:no: )
-    { echo "$as_me:$LINENO: WARNING: ldap.h: accepted by the compiler, rejected by the preprocessor!" >&5
-echo "$as_me: WARNING: ldap.h: accepted by the compiler, rejected by the preprocessor!" >&2;}
-    { echo "$as_me:$LINENO: WARNING: ldap.h: proceeding with the compiler's result" >&5
-echo "$as_me: WARNING: ldap.h: proceeding with the compiler's result" >&2;}
-    ac_header_preproc=yes
-    ;;
-  no:yes:* )
-    { echo "$as_me:$LINENO: WARNING: ldap.h: present but cannot be compiled" >&5
-echo "$as_me: WARNING: ldap.h: present but cannot be compiled" >&2;}
-    { echo "$as_me:$LINENO: WARNING: ldap.h:     check for missing prerequisite headers?" >&5
-echo "$as_me: WARNING: ldap.h:     check for missing prerequisite headers?" >&2;}
-    { echo "$as_me:$LINENO: WARNING: ldap.h: see the Autoconf documentation" >&5
-echo "$as_me: WARNING: ldap.h: see the Autoconf documentation" >&2;}
-    { echo "$as_me:$LINENO: WARNING: ldap.h:     section \"Present But Cannot Be Compiled\"" >&5
-echo "$as_me: WARNING: ldap.h:     section \"Present But Cannot Be Compiled\"" >&2;}
-    { echo "$as_me:$LINENO: WARNING: ldap.h: proceeding with the preprocessor's result" >&5
-echo "$as_me: WARNING: ldap.h: proceeding with the preprocessor's result" >&2;}
-    { echo "$as_me:$LINENO: WARNING: ldap.h: in the future, the compiler will take precedence" >&5
-echo "$as_me: WARNING: ldap.h: in the future, the compiler will take precedence" >&2;}
-
-    ;;
-esac
-{ echo "$as_me:$LINENO: checking for ldap.h" >&5
-echo $ECHO_N "checking for ldap.h... $ECHO_C" >&6; }
-if test "${ac_cv_header_ldap_h+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  ac_cv_header_ldap_h=$ac_header_preproc
-fi
-{ echo "$as_me:$LINENO: result: $ac_cv_header_ldap_h" >&5
-echo "${ECHO_T}$ac_cv_header_ldap_h" >&6; }
-
-fi
-if test $ac_cv_header_ldap_h = yes; then
-  :
-else
-  { { echo "$as_me:$LINENO: error: LDAP header ldap.h not found!" >&5
-echo "$as_me: error: LDAP header ldap.h not found!" >&2;}
-   { (exit 1); exit 1; }; }
-fi
-
-
-fi
-
-if test x$curl = xtrue; then
-	{ echo "$as_me:$LINENO: checking for main in -lcurl" >&5
-echo $ECHO_N "checking for main in -lcurl... $ECHO_C" >&6; }
-if test "${ac_cv_lib_curl_main+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  ac_check_lib_save_LIBS=$LIBS
-LIBS="-lcurl  $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-
-int
-main ()
-{
-return main ();
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
-  ac_cv_lib_curl_main=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_cv_lib_curl_main=no
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-{ echo "$as_me:$LINENO: result: $ac_cv_lib_curl_main" >&5
-echo "${ECHO_T}$ac_cv_lib_curl_main" >&6; }
-if test $ac_cv_lib_curl_main = yes; then
-  LIBS="$LIBS"
-else
-  { { echo "$as_me:$LINENO: error: CURL library curl not found" >&5
-echo "$as_me: error: CURL library curl not found" >&2;}
-   { (exit 1); exit 1; }; }
-fi
-ac_cv_lib_curl=ac_cv_lib_curl_main
-
-	if test "${ac_cv_header_curl_curl_h+set}" = set; then
-  { echo "$as_me:$LINENO: checking for curl/curl.h" >&5
-echo $ECHO_N "checking for curl/curl.h... $ECHO_C" >&6; }
-if test "${ac_cv_header_curl_curl_h+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-fi
-{ echo "$as_me:$LINENO: result: $ac_cv_header_curl_curl_h" >&5
-echo "${ECHO_T}$ac_cv_header_curl_curl_h" >&6; }
-else
-  # Is the header compilable?
-{ echo "$as_me:$LINENO: checking curl/curl.h usability" >&5
-echo $ECHO_N "checking curl/curl.h usability... $ECHO_C" >&6; }
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-$ac_includes_default
-#include <curl/curl.h>
-_ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  ac_header_compiler=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_header_compiler=no
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
-echo "${ECHO_T}$ac_header_compiler" >&6; }
-
-# Is the header present?
-{ echo "$as_me:$LINENO: checking curl/curl.h presence" >&5
-echo $ECHO_N "checking curl/curl.h presence... $ECHO_C" >&6; }
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#include <curl/curl.h>
-_ACEOF
-if { (ac_try="$ac_cpp conftest.$ac_ext"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } >/dev/null && {
-	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       }; then
-  ac_header_preproc=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-  ac_header_preproc=no
-fi
-
-rm -f conftest.err conftest.$ac_ext
-{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
-echo "${ECHO_T}$ac_header_preproc" >&6; }
-
-# So?  What about this header?
-case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
-  yes:no: )
-    { echo "$as_me:$LINENO: WARNING: curl/curl.h: accepted by the compiler, rejected by the preprocessor!" >&5
-echo "$as_me: WARNING: curl/curl.h: accepted by the compiler, rejected by the preprocessor!" >&2;}
-    { echo "$as_me:$LINENO: WARNING: curl/curl.h: proceeding with the compiler's result" >&5
-echo "$as_me: WARNING: curl/curl.h: proceeding with the compiler's result" >&2;}
-    ac_header_preproc=yes
-    ;;
-  no:yes:* )
-    { echo "$as_me:$LINENO: WARNING: curl/curl.h: present but cannot be compiled" >&5
-echo "$as_me: WARNING: curl/curl.h: present but cannot be compiled" >&2;}
-    { echo "$as_me:$LINENO: WARNING: curl/curl.h:     check for missing prerequisite headers?" >&5
-echo "$as_me: WARNING: curl/curl.h:     check for missing prerequisite headers?" >&2;}
-    { echo "$as_me:$LINENO: WARNING: curl/curl.h: see the Autoconf documentation" >&5
-echo "$as_me: WARNING: curl/curl.h: see the Autoconf documentation" >&2;}
-    { echo "$as_me:$LINENO: WARNING: curl/curl.h:     section \"Present But Cannot Be Compiled\"" >&5
-echo "$as_me: WARNING: curl/curl.h:     section \"Present But Cannot Be Compiled\"" >&2;}
-    { echo "$as_me:$LINENO: WARNING: curl/curl.h: proceeding with the preprocessor's result" >&5
-echo "$as_me: WARNING: curl/curl.h: proceeding with the preprocessor's result" >&2;}
-    { echo "$as_me:$LINENO: WARNING: curl/curl.h: in the future, the compiler will take precedence" >&5
-echo "$as_me: WARNING: curl/curl.h: in the future, the compiler will take precedence" >&2;}
-
-    ;;
-esac
-{ echo "$as_me:$LINENO: checking for curl/curl.h" >&5
-echo $ECHO_N "checking for curl/curl.h... $ECHO_C" >&6; }
-if test "${ac_cv_header_curl_curl_h+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  ac_cv_header_curl_curl_h=$ac_header_preproc
-fi
-{ echo "$as_me:$LINENO: result: $ac_cv_header_curl_curl_h" >&5
-echo "${ECHO_T}$ac_cv_header_curl_curl_h" >&6; }
-
-fi
-if test $ac_cv_header_curl_curl_h = yes; then
-  :
-else
-  { { echo "$as_me:$LINENO: error: CURL header curl/curl.h not found!" >&5
-echo "$as_me: error: CURL header curl/curl.h not found!" >&2;}
-   { (exit 1); exit 1; }; }
-fi
-
-
-fi
-
-if test x$xml = xtrue; then
-
-pkg_failed=no
-{ echo "$as_me:$LINENO: checking for xml" >&5
-echo $ECHO_N "checking for xml... $ECHO_C" >&6; }
-
-if test -n "$PKG_CONFIG"; then
-    if test -n "$xml_CFLAGS"; then
-        pkg_cv_xml_CFLAGS="$xml_CFLAGS"
-    else
-        if test -n "$PKG_CONFIG" && \
-    { (echo "$as_me:$LINENO: \$PKG_CONFIG --exists --print-errors \"libxml-2.0\"") >&5
-  ($PKG_CONFIG --exists --print-errors "libxml-2.0") 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; then
-  pkg_cv_xml_CFLAGS=`$PKG_CONFIG --cflags "libxml-2.0" 2>/dev/null`
-else
-  pkg_failed=yes
-fi
-    fi
-else
-	pkg_failed=untried
-fi
-if test -n "$PKG_CONFIG"; then
-    if test -n "$xml_LIBS"; then
-        pkg_cv_xml_LIBS="$xml_LIBS"
-    else
-        if test -n "$PKG_CONFIG" && \
-    { (echo "$as_me:$LINENO: \$PKG_CONFIG --exists --print-errors \"libxml-2.0\"") >&5
-  ($PKG_CONFIG --exists --print-errors "libxml-2.0") 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; then
-  pkg_cv_xml_LIBS=`$PKG_CONFIG --libs "libxml-2.0" 2>/dev/null`
-else
-  pkg_failed=yes
-fi
-    fi
-else
-	pkg_failed=untried
-fi
-
-
-
-if test $pkg_failed = yes; then
-
-if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
-        _pkg_short_errors_supported=yes
-else
-        _pkg_short_errors_supported=no
-fi
-        if test $_pkg_short_errors_supported = yes; then
-	        xml_PKG_ERRORS=`$PKG_CONFIG --short-errors --errors-to-stdout --print-errors "libxml-2.0"`
-        else
-	        xml_PKG_ERRORS=`$PKG_CONFIG --errors-to-stdout --print-errors "libxml-2.0"`
-        fi
-	# Put the nasty error message in config.log where it belongs
-	echo "$xml_PKG_ERRORS" >&5
-
-	{ { echo "$as_me:$LINENO: error: Package requirements (libxml-2.0) were not met:
-
-$xml_PKG_ERRORS
-
-Consider adjusting the PKG_CONFIG_PATH environment variable if you
-installed software in a non-standard prefix.
-
-Alternatively, you may set the environment variables xml_CFLAGS
-and xml_LIBS to avoid the need to call pkg-config.
-See the pkg-config man page for more details.
-" >&5
-echo "$as_me: error: Package requirements (libxml-2.0) were not met:
-
-$xml_PKG_ERRORS
-
-Consider adjusting the PKG_CONFIG_PATH environment variable if you
-installed software in a non-standard prefix.
-
-Alternatively, you may set the environment variables xml_CFLAGS
-and xml_LIBS to avoid the need to call pkg-config.
-See the pkg-config man page for more details.
-" >&2;}
-   { (exit 1); exit 1; }; }
-elif test $pkg_failed = untried; then
-	{ { echo "$as_me:$LINENO: error: The pkg-config script could not be found or is too old.  Make sure it
-is in your PATH or set the PKG_CONFIG environment variable to the full
-path to pkg-config.
-
-Alternatively, you may set the environment variables xml_CFLAGS
-and xml_LIBS to avoid the need to call pkg-config.
-See the pkg-config man page for more details.
-
-To get pkg-config, see <http://pkg-config.freedesktop.org/>.
-See \`config.log' for more details." >&5
-echo "$as_me: error: The pkg-config script could not be found or is too old.  Make sure it
-is in your PATH or set the PKG_CONFIG environment variable to the full
-path to pkg-config.
-
-Alternatively, you may set the environment variables xml_CFLAGS
-and xml_LIBS to avoid the need to call pkg-config.
-See the pkg-config man page for more details.
-
-To get pkg-config, see <http://pkg-config.freedesktop.org/>.
-See \`config.log' for more details." >&2;}
-   { (exit 1); exit 1; }; }
-else
-	xml_CFLAGS=$pkg_cv_xml_CFLAGS
-	xml_LIBS=$pkg_cv_xml_LIBS
-        { echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6; }
-	:
-fi
-
-
-fi
-
-if test x$dumm = xtrue; then
-
-pkg_failed=no
-{ echo "$as_me:$LINENO: checking for gtk" >&5
-echo $ECHO_N "checking for gtk... $ECHO_C" >&6; }
-
-if test -n "$PKG_CONFIG"; then
-    if test -n "$gtk_CFLAGS"; then
-        pkg_cv_gtk_CFLAGS="$gtk_CFLAGS"
-    else
-        if test -n "$PKG_CONFIG" && \
-    { (echo "$as_me:$LINENO: \$PKG_CONFIG --exists --print-errors \"gtk+-2.0 vte\"") >&5
-  ($PKG_CONFIG --exists --print-errors "gtk+-2.0 vte") 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; then
-  pkg_cv_gtk_CFLAGS=`$PKG_CONFIG --cflags "gtk+-2.0 vte" 2>/dev/null`
-else
-  pkg_failed=yes
-fi
-    fi
-else
-	pkg_failed=untried
-fi
-if test -n "$PKG_CONFIG"; then
-    if test -n "$gtk_LIBS"; then
-        pkg_cv_gtk_LIBS="$gtk_LIBS"
-    else
-        if test -n "$PKG_CONFIG" && \
-    { (echo "$as_me:$LINENO: \$PKG_CONFIG --exists --print-errors \"gtk+-2.0 vte\"") >&5
-  ($PKG_CONFIG --exists --print-errors "gtk+-2.0 vte") 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; then
-  pkg_cv_gtk_LIBS=`$PKG_CONFIG --libs "gtk+-2.0 vte" 2>/dev/null`
-else
-  pkg_failed=yes
-fi
-    fi
-else
-	pkg_failed=untried
-fi
-
-
-
-if test $pkg_failed = yes; then
-
-if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
-        _pkg_short_errors_supported=yes
-else
-        _pkg_short_errors_supported=no
-fi
-        if test $_pkg_short_errors_supported = yes; then
-	        gtk_PKG_ERRORS=`$PKG_CONFIG --short-errors --errors-to-stdout --print-errors "gtk+-2.0 vte"`
-        else
-	        gtk_PKG_ERRORS=`$PKG_CONFIG --errors-to-stdout --print-errors "gtk+-2.0 vte"`
-        fi
-	# Put the nasty error message in config.log where it belongs
-	echo "$gtk_PKG_ERRORS" >&5
-
-	{ { echo "$as_me:$LINENO: error: Package requirements (gtk+-2.0 vte) were not met:
-
-$gtk_PKG_ERRORS
-
-Consider adjusting the PKG_CONFIG_PATH environment variable if you
-installed software in a non-standard prefix.
-
-Alternatively, you may set the environment variables gtk_CFLAGS
-and gtk_LIBS to avoid the need to call pkg-config.
-See the pkg-config man page for more details.
-" >&5
-echo "$as_me: error: Package requirements (gtk+-2.0 vte) were not met:
-
-$gtk_PKG_ERRORS
-
-Consider adjusting the PKG_CONFIG_PATH environment variable if you
-installed software in a non-standard prefix.
-
-Alternatively, you may set the environment variables gtk_CFLAGS
-and gtk_LIBS to avoid the need to call pkg-config.
-See the pkg-config man page for more details.
-" >&2;}
-   { (exit 1); exit 1; }; }
-elif test $pkg_failed = untried; then
-	{ { echo "$as_me:$LINENO: error: The pkg-config script could not be found or is too old.  Make sure it
-is in your PATH or set the PKG_CONFIG environment variable to the full
-path to pkg-config.
-
-Alternatively, you may set the environment variables gtk_CFLAGS
-and gtk_LIBS to avoid the need to call pkg-config.
-See the pkg-config man page for more details.
-
-To get pkg-config, see <http://pkg-config.freedesktop.org/>.
-See \`config.log' for more details." >&5
-echo "$as_me: error: The pkg-config script could not be found or is too old.  Make sure it
-is in your PATH or set the PKG_CONFIG environment variable to the full
-path to pkg-config.
-
-Alternatively, you may set the environment variables gtk_CFLAGS
-and gtk_LIBS to avoid the need to call pkg-config.
-See the pkg-config man page for more details.
-
-To get pkg-config, see <http://pkg-config.freedesktop.org/>.
-See \`config.log' for more details." >&2;}
-   { (exit 1); exit 1; }; }
-else
-	gtk_CFLAGS=$pkg_cv_gtk_CFLAGS
-	gtk_LIBS=$pkg_cv_gtk_LIBS
-        { echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6; }
-	:
-fi
-
-
-fi
-
-if test x$fast = xtrue; then
-	{ echo "$as_me:$LINENO: checking for main in -lneo_cgi" >&5
-echo $ECHO_N "checking for main in -lneo_cgi... $ECHO_C" >&6; }
-if test "${ac_cv_lib_neo_cgi_main+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  ac_check_lib_save_LIBS=$LIBS
-LIBS="-lneo_cgi  $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-
-int
-main ()
-{
-return main ();
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
-  ac_cv_lib_neo_cgi_main=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_cv_lib_neo_cgi_main=no
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-{ echo "$as_me:$LINENO: result: $ac_cv_lib_neo_cgi_main" >&5
-echo "${ECHO_T}$ac_cv_lib_neo_cgi_main" >&6; }
-if test $ac_cv_lib_neo_cgi_main = yes; then
-  LIBS="$LIBS"
-else
-  { { echo "$as_me:$LINENO: error: ClearSilver library neo_cgi not found!" >&5
-echo "$as_me: error: ClearSilver library neo_cgi not found!" >&2;}
-   { (exit 1); exit 1; }; }
-fi
-ac_cv_lib_neo_cgi=ac_cv_lib_neo_cgi_main
-
-	{ echo "$as_me:$LINENO: checking for main in -lneo_utl" >&5
-echo $ECHO_N "checking for main in -lneo_utl... $ECHO_C" >&6; }
-if test "${ac_cv_lib_neo_utl_main+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  ac_check_lib_save_LIBS=$LIBS
-LIBS="-lneo_utl  $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-
-int
-main ()
-{
-return main ();
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
-  ac_cv_lib_neo_utl_main=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_cv_lib_neo_utl_main=no
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-{ echo "$as_me:$LINENO: result: $ac_cv_lib_neo_utl_main" >&5
-echo "${ECHO_T}$ac_cv_lib_neo_utl_main" >&6; }
-if test $ac_cv_lib_neo_utl_main = yes; then
-  LIBS="$LIBS"
-else
-  { { echo "$as_me:$LINENO: error: ClearSilver library neo_utl not found!" >&5
-echo "$as_me: error: ClearSilver library neo_utl not found!" >&2;}
-   { (exit 1); exit 1; }; }
-fi
-ac_cv_lib_neo_utl=ac_cv_lib_neo_utl_main
-
-	{ echo "$as_me:$LINENO: checking for main in -lz" >&5
-echo $ECHO_N "checking for main in -lz... $ECHO_C" >&6; }
-if test "${ac_cv_lib_z_main+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  ac_check_lib_save_LIBS=$LIBS
-LIBS="-lz  $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-
-int
-main ()
-{
-return main ();
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
-  ac_cv_lib_z_main=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_cv_lib_z_main=no
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-{ echo "$as_me:$LINENO: result: $ac_cv_lib_z_main" >&5
-echo "${ECHO_T}$ac_cv_lib_z_main" >&6; }
-if test $ac_cv_lib_z_main = yes; then
-  LIBS="$LIBS"
-else
-  { { echo "$as_me:$LINENO: error: ClearSilver dependency zlib not found!" >&5
-echo "$as_me: error: ClearSilver dependency zlib not found!" >&2;}
-   { (exit 1); exit 1; }; }
-fi
-ac_cv_lib_z=ac_cv_lib_z_main
-
-
-	{ echo "$as_me:$LINENO: checking for main in -lfcgi" >&5
-echo $ECHO_N "checking for main in -lfcgi... $ECHO_C" >&6; }
-if test "${ac_cv_lib_fcgi_main+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  ac_check_lib_save_LIBS=$LIBS
-LIBS="-lfcgi  $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-
-int
-main ()
-{
-return main ();
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
-  ac_cv_lib_fcgi_main=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_cv_lib_fcgi_main=no
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-{ echo "$as_me:$LINENO: result: $ac_cv_lib_fcgi_main" >&5
-echo "${ECHO_T}$ac_cv_lib_fcgi_main" >&6; }
-if test $ac_cv_lib_fcgi_main = yes; then
-  LIBS="$LIBS"
-else
-  { { echo "$as_me:$LINENO: error: FastCGI library fcgi not found!" >&5
-echo "$as_me: error: FastCGI library fcgi not found!" >&2;}
-   { (exit 1); exit 1; }; }
-fi
-ac_cv_lib_fcgi=ac_cv_lib_fcgi_main
-
-	if test "${ac_cv_header_fcgiapp_h+set}" = set; then
-  { echo "$as_me:$LINENO: checking for fcgiapp.h" >&5
-echo $ECHO_N "checking for fcgiapp.h... $ECHO_C" >&6; }
-if test "${ac_cv_header_fcgiapp_h+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-fi
-{ echo "$as_me:$LINENO: result: $ac_cv_header_fcgiapp_h" >&5
-echo "${ECHO_T}$ac_cv_header_fcgiapp_h" >&6; }
-else
-  # Is the header compilable?
-{ echo "$as_me:$LINENO: checking fcgiapp.h usability" >&5
-echo $ECHO_N "checking fcgiapp.h usability... $ECHO_C" >&6; }
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-$ac_includes_default
-#include <fcgiapp.h>
-_ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  ac_header_compiler=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_header_compiler=no
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
-echo "${ECHO_T}$ac_header_compiler" >&6; }
-
-# Is the header present?
-{ echo "$as_me:$LINENO: checking fcgiapp.h presence" >&5
-echo $ECHO_N "checking fcgiapp.h presence... $ECHO_C" >&6; }
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#include <fcgiapp.h>
-_ACEOF
-if { (ac_try="$ac_cpp conftest.$ac_ext"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } >/dev/null && {
-	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       }; then
-  ac_header_preproc=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-  ac_header_preproc=no
-fi
-
-rm -f conftest.err conftest.$ac_ext
-{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
-echo "${ECHO_T}$ac_header_preproc" >&6; }
-
-# So?  What about this header?
-case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
-  yes:no: )
-    { echo "$as_me:$LINENO: WARNING: fcgiapp.h: accepted by the compiler, rejected by the preprocessor!" >&5
-echo "$as_me: WARNING: fcgiapp.h: accepted by the compiler, rejected by the preprocessor!" >&2;}
-    { echo "$as_me:$LINENO: WARNING: fcgiapp.h: proceeding with the compiler's result" >&5
-echo "$as_me: WARNING: fcgiapp.h: proceeding with the compiler's result" >&2;}
-    ac_header_preproc=yes
-    ;;
-  no:yes:* )
-    { echo "$as_me:$LINENO: WARNING: fcgiapp.h: present but cannot be compiled" >&5
-echo "$as_me: WARNING: fcgiapp.h: present but cannot be compiled" >&2;}
-    { echo "$as_me:$LINENO: WARNING: fcgiapp.h:     check for missing prerequisite headers?" >&5
-echo "$as_me: WARNING: fcgiapp.h:     check for missing prerequisite headers?" >&2;}
-    { echo "$as_me:$LINENO: WARNING: fcgiapp.h: see the Autoconf documentation" >&5
-echo "$as_me: WARNING: fcgiapp.h: see the Autoconf documentation" >&2;}
-    { echo "$as_me:$LINENO: WARNING: fcgiapp.h:     section \"Present But Cannot Be Compiled\"" >&5
-echo "$as_me: WARNING: fcgiapp.h:     section \"Present But Cannot Be Compiled\"" >&2;}
-    { echo "$as_me:$LINENO: WARNING: fcgiapp.h: proceeding with the preprocessor's result" >&5
-echo "$as_me: WARNING: fcgiapp.h: proceeding with the preprocessor's result" >&2;}
-    { echo "$as_me:$LINENO: WARNING: fcgiapp.h: in the future, the compiler will take precedence" >&5
-echo "$as_me: WARNING: fcgiapp.h: in the future, the compiler will take precedence" >&2;}
-
-    ;;
-esac
-{ echo "$as_me:$LINENO: checking for fcgiapp.h" >&5
-echo $ECHO_N "checking for fcgiapp.h... $ECHO_C" >&6; }
-if test "${ac_cv_header_fcgiapp_h+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  ac_cv_header_fcgiapp_h=$ac_header_preproc
-fi
-{ echo "$as_me:$LINENO: result: $ac_cv_header_fcgiapp_h" >&5
-echo "${ECHO_T}$ac_cv_header_fcgiapp_h" >&6; }
-
-fi
-if test $ac_cv_header_fcgiapp_h = yes; then
-  :
-else
-  { { echo "$as_me:$LINENO: error: FastCGI header file fcgiapp.h not found!" >&5
-echo "$as_me: error: FastCGI header file fcgiapp.h not found!" >&2;}
-   { (exit 1); exit 1; }; }
-fi
-
-
-fi
-
-if test x$mysql = xtrue; then
-	{ echo "$as_me:$LINENO: checking for main in -lmysqlclient_r" >&5
-echo $ECHO_N "checking for main in -lmysqlclient_r... $ECHO_C" >&6; }
-if test "${ac_cv_lib_mysqlclient_r_main+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  ac_check_lib_save_LIBS=$LIBS
-LIBS="-lmysqlclient_r  $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-
-int
-main ()
-{
-return main ();
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
-  ac_cv_lib_mysqlclient_r_main=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_cv_lib_mysqlclient_r_main=no
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-{ echo "$as_me:$LINENO: result: $ac_cv_lib_mysqlclient_r_main" >&5
-echo "${ECHO_T}$ac_cv_lib_mysqlclient_r_main" >&6; }
-if test $ac_cv_lib_mysqlclient_r_main = yes; then
-  LIBS="$LIBS"
-else
-  { { echo "$as_me:$LINENO: error: MySQL library mysqlclient_r not found" >&5
-echo "$as_me: error: MySQL library mysqlclient_r not found" >&2;}
-   { (exit 1); exit 1; }; }
-fi
-ac_cv_lib_mysqlclient_r=ac_cv_lib_mysqlclient_r_main
-
-	if test "${ac_cv_header_mysql_mysql_h+set}" = set; then
-  { echo "$as_me:$LINENO: checking for mysql/mysql.h" >&5
-echo $ECHO_N "checking for mysql/mysql.h... $ECHO_C" >&6; }
-if test "${ac_cv_header_mysql_mysql_h+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-fi
-{ echo "$as_me:$LINENO: result: $ac_cv_header_mysql_mysql_h" >&5
-echo "${ECHO_T}$ac_cv_header_mysql_mysql_h" >&6; }
-else
-  # Is the header compilable?
-{ echo "$as_me:$LINENO: checking mysql/mysql.h usability" >&5
-echo $ECHO_N "checking mysql/mysql.h usability... $ECHO_C" >&6; }
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-$ac_includes_default
-#include <mysql/mysql.h>
-_ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  ac_header_compiler=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_header_compiler=no
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
-echo "${ECHO_T}$ac_header_compiler" >&6; }
-
-# Is the header present?
-{ echo "$as_me:$LINENO: checking mysql/mysql.h presence" >&5
-echo $ECHO_N "checking mysql/mysql.h presence... $ECHO_C" >&6; }
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#include <mysql/mysql.h>
-_ACEOF
-if { (ac_try="$ac_cpp conftest.$ac_ext"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } >/dev/null && {
-	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       }; then
-  ac_header_preproc=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-  ac_header_preproc=no
-fi
-
-rm -f conftest.err conftest.$ac_ext
-{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
-echo "${ECHO_T}$ac_header_preproc" >&6; }
-
-# So?  What about this header?
-case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
-  yes:no: )
-    { echo "$as_me:$LINENO: WARNING: mysql/mysql.h: accepted by the compiler, rejected by the preprocessor!" >&5
-echo "$as_me: WARNING: mysql/mysql.h: accepted by the compiler, rejected by the preprocessor!" >&2;}
-    { echo "$as_me:$LINENO: WARNING: mysql/mysql.h: proceeding with the compiler's result" >&5
-echo "$as_me: WARNING: mysql/mysql.h: proceeding with the compiler's result" >&2;}
-    ac_header_preproc=yes
-    ;;
-  no:yes:* )
-    { echo "$as_me:$LINENO: WARNING: mysql/mysql.h: present but cannot be compiled" >&5
-echo "$as_me: WARNING: mysql/mysql.h: present but cannot be compiled" >&2;}
-    { echo "$as_me:$LINENO: WARNING: mysql/mysql.h:     check for missing prerequisite headers?" >&5
-echo "$as_me: WARNING: mysql/mysql.h:     check for missing prerequisite headers?" >&2;}
-    { echo "$as_me:$LINENO: WARNING: mysql/mysql.h: see the Autoconf documentation" >&5
-echo "$as_me: WARNING: mysql/mysql.h: see the Autoconf documentation" >&2;}
-    { echo "$as_me:$LINENO: WARNING: mysql/mysql.h:     section \"Present But Cannot Be Compiled\"" >&5
-echo "$as_me: WARNING: mysql/mysql.h:     section \"Present But Cannot Be Compiled\"" >&2;}
-    { echo "$as_me:$LINENO: WARNING: mysql/mysql.h: proceeding with the preprocessor's result" >&5
-echo "$as_me: WARNING: mysql/mysql.h: proceeding with the preprocessor's result" >&2;}
-    { echo "$as_me:$LINENO: WARNING: mysql/mysql.h: in the future, the compiler will take precedence" >&5
-echo "$as_me: WARNING: mysql/mysql.h: in the future, the compiler will take precedence" >&2;}
-
-    ;;
-esac
-{ echo "$as_me:$LINENO: checking for mysql/mysql.h" >&5
-echo $ECHO_N "checking for mysql/mysql.h... $ECHO_C" >&6; }
-if test "${ac_cv_header_mysql_mysql_h+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  ac_cv_header_mysql_mysql_h=$ac_header_preproc
-fi
-{ echo "$as_me:$LINENO: result: $ac_cv_header_mysql_mysql_h" >&5
-echo "${ECHO_T}$ac_cv_header_mysql_mysql_h" >&6; }
-
-fi
-if test $ac_cv_header_mysql_mysql_h = yes; then
-  :
-else
-  { { echo "$as_me:$LINENO: error: MySQL header mysql/mysql.h not found!" >&5
-echo "$as_me: error: MySQL header mysql/mysql.h not found!" >&2;}
-   { (exit 1); exit 1; }; }
-fi
-
-
-fi
-
-if test x$sqlite = xtrue; then
-	{ echo "$as_me:$LINENO: checking for main in -lsqlite3" >&5
-echo $ECHO_N "checking for main in -lsqlite3... $ECHO_C" >&6; }
-if test "${ac_cv_lib_sqlite3_main+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  ac_check_lib_save_LIBS=$LIBS
-LIBS="-lsqlite3  $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-
-int
-main ()
-{
-return main ();
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
-  ac_cv_lib_sqlite3_main=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_cv_lib_sqlite3_main=no
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-{ echo "$as_me:$LINENO: result: $ac_cv_lib_sqlite3_main" >&5
-echo "${ECHO_T}$ac_cv_lib_sqlite3_main" >&6; }
-if test $ac_cv_lib_sqlite3_main = yes; then
-  LIBS="$LIBS"
-else
-  { { echo "$as_me:$LINENO: error: SQLite library sqlite3 not found" >&5
-echo "$as_me: error: SQLite library sqlite3 not found" >&2;}
-   { (exit 1); exit 1; }; }
-fi
-ac_cv_lib_sqlite3=ac_cv_lib_sqlite3_main
-
-	if test "${ac_cv_header_sqlite3_h+set}" = set; then
-  { echo "$as_me:$LINENO: checking for sqlite3.h" >&5
-echo $ECHO_N "checking for sqlite3.h... $ECHO_C" >&6; }
-if test "${ac_cv_header_sqlite3_h+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-fi
-{ echo "$as_me:$LINENO: result: $ac_cv_header_sqlite3_h" >&5
-echo "${ECHO_T}$ac_cv_header_sqlite3_h" >&6; }
-else
-  # Is the header compilable?
-{ echo "$as_me:$LINENO: checking sqlite3.h usability" >&5
-echo $ECHO_N "checking sqlite3.h usability... $ECHO_C" >&6; }
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-$ac_includes_default
-#include <sqlite3.h>
-_ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  ac_header_compiler=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_header_compiler=no
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
-echo "${ECHO_T}$ac_header_compiler" >&6; }
-
-# Is the header present?
-{ echo "$as_me:$LINENO: checking sqlite3.h presence" >&5
-echo $ECHO_N "checking sqlite3.h presence... $ECHO_C" >&6; }
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#include <sqlite3.h>
-_ACEOF
-if { (ac_try="$ac_cpp conftest.$ac_ext"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } >/dev/null && {
-	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       }; then
-  ac_header_preproc=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-  ac_header_preproc=no
-fi
-
-rm -f conftest.err conftest.$ac_ext
-{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
-echo "${ECHO_T}$ac_header_preproc" >&6; }
-
-# So?  What about this header?
-case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
-  yes:no: )
-    { echo "$as_me:$LINENO: WARNING: sqlite3.h: accepted by the compiler, rejected by the preprocessor!" >&5
-echo "$as_me: WARNING: sqlite3.h: accepted by the compiler, rejected by the preprocessor!" >&2;}
-    { echo "$as_me:$LINENO: WARNING: sqlite3.h: proceeding with the compiler's result" >&5
-echo "$as_me: WARNING: sqlite3.h: proceeding with the compiler's result" >&2;}
-    ac_header_preproc=yes
-    ;;
-  no:yes:* )
-    { echo "$as_me:$LINENO: WARNING: sqlite3.h: present but cannot be compiled" >&5
-echo "$as_me: WARNING: sqlite3.h: present but cannot be compiled" >&2;}
-    { echo "$as_me:$LINENO: WARNING: sqlite3.h:     check for missing prerequisite headers?" >&5
-echo "$as_me: WARNING: sqlite3.h:     check for missing prerequisite headers?" >&2;}
-    { echo "$as_me:$LINENO: WARNING: sqlite3.h: see the Autoconf documentation" >&5
-echo "$as_me: WARNING: sqlite3.h: see the Autoconf documentation" >&2;}
-    { echo "$as_me:$LINENO: WARNING: sqlite3.h:     section \"Present But Cannot Be Compiled\"" >&5
-echo "$as_me: WARNING: sqlite3.h:     section \"Present But Cannot Be Compiled\"" >&2;}
-    { echo "$as_me:$LINENO: WARNING: sqlite3.h: proceeding with the preprocessor's result" >&5
-echo "$as_me: WARNING: sqlite3.h: proceeding with the preprocessor's result" >&2;}
-    { echo "$as_me:$LINENO: WARNING: sqlite3.h: in the future, the compiler will take precedence" >&5
-echo "$as_me: WARNING: sqlite3.h: in the future, the compiler will take precedence" >&2;}
-
-    ;;
-esac
-{ echo "$as_me:$LINENO: checking for sqlite3.h" >&5
-echo $ECHO_N "checking for sqlite3.h... $ECHO_C" >&6; }
-if test "${ac_cv_header_sqlite3_h+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  ac_cv_header_sqlite3_h=$ac_header_preproc
-fi
-{ echo "$as_me:$LINENO: result: $ac_cv_header_sqlite3_h" >&5
-echo "${ECHO_T}$ac_cv_header_sqlite3_h" >&6; }
-
-fi
-if test $ac_cv_header_sqlite3_h = yes; then
-  :
-else
-  { { echo "$as_me:$LINENO: error: SQLite header sqlite3.h not found!" >&5
-echo "$as_me: error: SQLite header sqlite3.h not found!" >&2;}
-   { (exit 1); exit 1; }; }
-fi
-
-
-	{ echo "$as_me:$LINENO: checking sqlite3_prepare_v2" >&5
-echo $ECHO_N "checking sqlite3_prepare_v2... $ECHO_C" >&6; }
-	cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#include <sqlite3.h>
-int
-main ()
-{
-
-			void *test = sqlite3_prepare_v2;
-
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  { echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6; }; cat >>confdefs.h <<_ACEOF
-#define HAVE_SQLITE3_PREPARE_V2 1
-_ACEOF
-
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	{ echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-	{ echo "$as_me:$LINENO: checking sqlite3.h version >= 3.3.1" >&5
-echo $ECHO_N "checking sqlite3.h version >= 3.3.1... $ECHO_C" >&6; }
-	cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#include <sqlite3.h>
-int
-main ()
-{
-
-			#if SQLITE_VERSION_NUMBER < 3003001
-				#error bad sqlite
-			#endif
-
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  { echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6; }
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	{ echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }; { { echo "$as_me:$LINENO: error: SQLite version >= 3.3.1 required!" >&5
-echo "$as_me: error: SQLite version >= 3.3.1 required!" >&2;}
-   { (exit 1); exit 1; }; }
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-fi
-
-if test x$openssl = xtrue; then
-	{ echo "$as_me:$LINENO: checking for main in -lcrypto" >&5
-echo $ECHO_N "checking for main in -lcrypto... $ECHO_C" >&6; }
-if test "${ac_cv_lib_crypto_main+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  ac_check_lib_save_LIBS=$LIBS
-LIBS="-lcrypto  $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-
-int
-main ()
-{
-return main ();
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
-  ac_cv_lib_crypto_main=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_cv_lib_crypto_main=no
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-{ echo "$as_me:$LINENO: result: $ac_cv_lib_crypto_main" >&5
-echo "${ECHO_T}$ac_cv_lib_crypto_main" >&6; }
-if test $ac_cv_lib_crypto_main = yes; then
-  LIBS="$LIBS"
-else
-  { { echo "$as_me:$LINENO: error: OpenSSL crypto library not found" >&5
-echo "$as_me: error: OpenSSL crypto library not found" >&2;}
-   { (exit 1); exit 1; }; }
-fi
-ac_cv_lib_crypto=ac_cv_lib_crypto_main
-
-	if test "${ac_cv_header_openssl_evp_h+set}" = set; then
-  { echo "$as_me:$LINENO: checking for openssl/evp.h" >&5
-echo $ECHO_N "checking for openssl/evp.h... $ECHO_C" >&6; }
-if test "${ac_cv_header_openssl_evp_h+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-fi
-{ echo "$as_me:$LINENO: result: $ac_cv_header_openssl_evp_h" >&5
-echo "${ECHO_T}$ac_cv_header_openssl_evp_h" >&6; }
-else
-  # Is the header compilable?
-{ echo "$as_me:$LINENO: checking openssl/evp.h usability" >&5
-echo $ECHO_N "checking openssl/evp.h usability... $ECHO_C" >&6; }
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-$ac_includes_default
-#include <openssl/evp.h>
-_ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  ac_header_compiler=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_header_compiler=no
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
-echo "${ECHO_T}$ac_header_compiler" >&6; }
-
-# Is the header present?
-{ echo "$as_me:$LINENO: checking openssl/evp.h presence" >&5
-echo $ECHO_N "checking openssl/evp.h presence... $ECHO_C" >&6; }
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#include <openssl/evp.h>
-_ACEOF
-if { (ac_try="$ac_cpp conftest.$ac_ext"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } >/dev/null && {
-	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       }; then
-  ac_header_preproc=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-  ac_header_preproc=no
-fi
-
-rm -f conftest.err conftest.$ac_ext
-{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
-echo "${ECHO_T}$ac_header_preproc" >&6; }
-
-# So?  What about this header?
-case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
-  yes:no: )
-    { echo "$as_me:$LINENO: WARNING: openssl/evp.h: accepted by the compiler, rejected by the preprocessor!" >&5
-echo "$as_me: WARNING: openssl/evp.h: accepted by the compiler, rejected by the preprocessor!" >&2;}
-    { echo "$as_me:$LINENO: WARNING: openssl/evp.h: proceeding with the compiler's result" >&5
-echo "$as_me: WARNING: openssl/evp.h: proceeding with the compiler's result" >&2;}
-    ac_header_preproc=yes
-    ;;
-  no:yes:* )
-    { echo "$as_me:$LINENO: WARNING: openssl/evp.h: present but cannot be compiled" >&5
-echo "$as_me: WARNING: openssl/evp.h: present but cannot be compiled" >&2;}
-    { echo "$as_me:$LINENO: WARNING: openssl/evp.h:     check for missing prerequisite headers?" >&5
-echo "$as_me: WARNING: openssl/evp.h:     check for missing prerequisite headers?" >&2;}
-    { echo "$as_me:$LINENO: WARNING: openssl/evp.h: see the Autoconf documentation" >&5
-echo "$as_me: WARNING: openssl/evp.h: see the Autoconf documentation" >&2;}
-    { echo "$as_me:$LINENO: WARNING: openssl/evp.h:     section \"Present But Cannot Be Compiled\"" >&5
-echo "$as_me: WARNING: openssl/evp.h:     section \"Present But Cannot Be Compiled\"" >&2;}
-    { echo "$as_me:$LINENO: WARNING: openssl/evp.h: proceeding with the preprocessor's result" >&5
-echo "$as_me: WARNING: openssl/evp.h: proceeding with the preprocessor's result" >&2;}
-    { echo "$as_me:$LINENO: WARNING: openssl/evp.h: in the future, the compiler will take precedence" >&5
-echo "$as_me: WARNING: openssl/evp.h: in the future, the compiler will take precedence" >&2;}
-
-    ;;
-esac
-{ echo "$as_me:$LINENO: checking for openssl/evp.h" >&5
-echo $ECHO_N "checking for openssl/evp.h... $ECHO_C" >&6; }
-if test "${ac_cv_header_openssl_evp_h+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  ac_cv_header_openssl_evp_h=$ac_header_preproc
-fi
-{ echo "$as_me:$LINENO: result: $ac_cv_header_openssl_evp_h" >&5
-echo "${ECHO_T}$ac_cv_header_openssl_evp_h" >&6; }
-
-fi
-if test $ac_cv_header_openssl_evp_h = yes; then
-  :
-else
-  { { echo "$as_me:$LINENO: error: OpenSSL header openssl/evp.h not found!" >&5
-echo "$as_me: error: OpenSSL header openssl/evp.h not found!" >&2;}
-   { (exit 1); exit 1; }; }
-fi
-
-
-fi
-
-if test x$uci = xtrue; then
-	{ echo "$as_me:$LINENO: checking for main in -luci" >&5
-echo $ECHO_N "checking for main in -luci... $ECHO_C" >&6; }
-if test "${ac_cv_lib_uci_main+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  ac_check_lib_save_LIBS=$LIBS
-LIBS="-luci  $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-
-int
-main ()
-{
-return main ();
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
-  ac_cv_lib_uci_main=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_cv_lib_uci_main=no
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-{ echo "$as_me:$LINENO: result: $ac_cv_lib_uci_main" >&5
-echo "${ECHO_T}$ac_cv_lib_uci_main" >&6; }
-if test $ac_cv_lib_uci_main = yes; then
-  LIBS="$LIBS"
-else
-  { { echo "$as_me:$LINENO: error: UCI library libuci not found" >&5
-echo "$as_me: error: UCI library libuci not found" >&2;}
-   { (exit 1); exit 1; }; }
-fi
-ac_cv_lib_uci=ac_cv_lib_uci_main
-
-	if test "${ac_cv_header_uci_h+set}" = set; then
-  { echo "$as_me:$LINENO: checking for uci.h" >&5
-echo $ECHO_N "checking for uci.h... $ECHO_C" >&6; }
-if test "${ac_cv_header_uci_h+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-fi
-{ echo "$as_me:$LINENO: result: $ac_cv_header_uci_h" >&5
-echo "${ECHO_T}$ac_cv_header_uci_h" >&6; }
-else
-  # Is the header compilable?
-{ echo "$as_me:$LINENO: checking uci.h usability" >&5
-echo $ECHO_N "checking uci.h usability... $ECHO_C" >&6; }
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-$ac_includes_default
-#include <uci.h>
-_ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  ac_header_compiler=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_header_compiler=no
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
-echo "${ECHO_T}$ac_header_compiler" >&6; }
-
-# Is the header present?
-{ echo "$as_me:$LINENO: checking uci.h presence" >&5
-echo $ECHO_N "checking uci.h presence... $ECHO_C" >&6; }
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#include <uci.h>
-_ACEOF
-if { (ac_try="$ac_cpp conftest.$ac_ext"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } >/dev/null && {
-	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       }; then
-  ac_header_preproc=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-  ac_header_preproc=no
-fi
-
-rm -f conftest.err conftest.$ac_ext
-{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
-echo "${ECHO_T}$ac_header_preproc" >&6; }
-
-# So?  What about this header?
-case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
-  yes:no: )
-    { echo "$as_me:$LINENO: WARNING: uci.h: accepted by the compiler, rejected by the preprocessor!" >&5
-echo "$as_me: WARNING: uci.h: accepted by the compiler, rejected by the preprocessor!" >&2;}
-    { echo "$as_me:$LINENO: WARNING: uci.h: proceeding with the compiler's result" >&5
-echo "$as_me: WARNING: uci.h: proceeding with the compiler's result" >&2;}
-    ac_header_preproc=yes
-    ;;
-  no:yes:* )
-    { echo "$as_me:$LINENO: WARNING: uci.h: present but cannot be compiled" >&5
-echo "$as_me: WARNING: uci.h: present but cannot be compiled" >&2;}
-    { echo "$as_me:$LINENO: WARNING: uci.h:     check for missing prerequisite headers?" >&5
-echo "$as_me: WARNING: uci.h:     check for missing prerequisite headers?" >&2;}
-    { echo "$as_me:$LINENO: WARNING: uci.h: see the Autoconf documentation" >&5
-echo "$as_me: WARNING: uci.h: see the Autoconf documentation" >&2;}
-    { echo "$as_me:$LINENO: WARNING: uci.h:     section \"Present But Cannot Be Compiled\"" >&5
-echo "$as_me: WARNING: uci.h:     section \"Present But Cannot Be Compiled\"" >&2;}
-    { echo "$as_me:$LINENO: WARNING: uci.h: proceeding with the preprocessor's result" >&5
-echo "$as_me: WARNING: uci.h: proceeding with the preprocessor's result" >&2;}
-    { echo "$as_me:$LINENO: WARNING: uci.h: in the future, the compiler will take precedence" >&5
-echo "$as_me: WARNING: uci.h: in the future, the compiler will take precedence" >&2;}
-
-    ;;
-esac
-{ echo "$as_me:$LINENO: checking for uci.h" >&5
-echo $ECHO_N "checking for uci.h... $ECHO_C" >&6; }
-if test "${ac_cv_header_uci_h+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  ac_cv_header_uci_h=$ac_header_preproc
-fi
-{ echo "$as_me:$LINENO: result: $ac_cv_header_uci_h" >&5
-echo "${ECHO_T}$ac_cv_header_uci_h" >&6; }
-
-fi
-if test $ac_cv_header_uci_h = yes; then
-  :
-else
-  { { echo "$as_me:$LINENO: error: UCI header uci.h not found!" >&5
-echo "$as_me: error: UCI header uci.h not found!" >&2;}
-   { (exit 1); exit 1; }; }
-fi
-
-
-fi
-
-if test x$nm = xtrue; then
-
-pkg_failed=no
-{ echo "$as_me:$LINENO: checking for nm" >&5
-echo $ECHO_N "checking for nm... $ECHO_C" >&6; }
-
-if test -n "$PKG_CONFIG"; then
-    if test -n "$nm_CFLAGS"; then
-        pkg_cv_nm_CFLAGS="$nm_CFLAGS"
-    else
-        if test -n "$PKG_CONFIG" && \
-    { (echo "$as_me:$LINENO: \$PKG_CONFIG --exists --print-errors \"NetworkManager libnm_glib_vpn gthread-2.0\"") >&5
-  ($PKG_CONFIG --exists --print-errors "NetworkManager libnm_glib_vpn gthread-2.0") 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; then
-  pkg_cv_nm_CFLAGS=`$PKG_CONFIG --cflags "NetworkManager libnm_glib_vpn gthread-2.0" 2>/dev/null`
-else
-  pkg_failed=yes
-fi
-    fi
-else
-	pkg_failed=untried
-fi
-if test -n "$PKG_CONFIG"; then
-    if test -n "$nm_LIBS"; then
-        pkg_cv_nm_LIBS="$nm_LIBS"
-    else
-        if test -n "$PKG_CONFIG" && \
-    { (echo "$as_me:$LINENO: \$PKG_CONFIG --exists --print-errors \"NetworkManager libnm_glib_vpn gthread-2.0\"") >&5
-  ($PKG_CONFIG --exists --print-errors "NetworkManager libnm_glib_vpn gthread-2.0") 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; then
-  pkg_cv_nm_LIBS=`$PKG_CONFIG --libs "NetworkManager libnm_glib_vpn gthread-2.0" 2>/dev/null`
-else
-  pkg_failed=yes
-fi
-    fi
-else
-	pkg_failed=untried
-fi
-
-
-
-if test $pkg_failed = yes; then
-
-if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
-        _pkg_short_errors_supported=yes
-else
-        _pkg_short_errors_supported=no
-fi
-        if test $_pkg_short_errors_supported = yes; then
-	        nm_PKG_ERRORS=`$PKG_CONFIG --short-errors --errors-to-stdout --print-errors "NetworkManager libnm_glib_vpn gthread-2.0"`
-        else
-	        nm_PKG_ERRORS=`$PKG_CONFIG --errors-to-stdout --print-errors "NetworkManager libnm_glib_vpn gthread-2.0"`
-        fi
-	# Put the nasty error message in config.log where it belongs
-	echo "$nm_PKG_ERRORS" >&5
-
-	{ { echo "$as_me:$LINENO: error: Package requirements (NetworkManager libnm_glib_vpn gthread-2.0) were not met:
-
-$nm_PKG_ERRORS
-
-Consider adjusting the PKG_CONFIG_PATH environment variable if you
-installed software in a non-standard prefix.
-
-Alternatively, you may set the environment variables nm_CFLAGS
-and nm_LIBS to avoid the need to call pkg-config.
-See the pkg-config man page for more details.
-" >&5
-echo "$as_me: error: Package requirements (NetworkManager libnm_glib_vpn gthread-2.0) were not met:
-
-$nm_PKG_ERRORS
-
-Consider adjusting the PKG_CONFIG_PATH environment variable if you
-installed software in a non-standard prefix.
-
-Alternatively, you may set the environment variables nm_CFLAGS
-and nm_LIBS to avoid the need to call pkg-config.
-See the pkg-config man page for more details.
-" >&2;}
-   { (exit 1); exit 1; }; }
-elif test $pkg_failed = untried; then
-	{ { echo "$as_me:$LINENO: error: The pkg-config script could not be found or is too old.  Make sure it
-is in your PATH or set the PKG_CONFIG environment variable to the full
-path to pkg-config.
-
-Alternatively, you may set the environment variables nm_CFLAGS
-and nm_LIBS to avoid the need to call pkg-config.
-See the pkg-config man page for more details.
-
-To get pkg-config, see <http://pkg-config.freedesktop.org/>.
-See \`config.log' for more details." >&5
-echo "$as_me: error: The pkg-config script could not be found or is too old.  Make sure it
-is in your PATH or set the PKG_CONFIG environment variable to the full
-path to pkg-config.
-
-Alternatively, you may set the environment variables nm_CFLAGS
-and nm_LIBS to avoid the need to call pkg-config.
-See the pkg-config man page for more details.
-
-To get pkg-config, see <http://pkg-config.freedesktop.org/>.
-See \`config.log' for more details." >&2;}
-   { (exit 1); exit 1; }; }
-else
-	nm_CFLAGS=$pkg_cv_nm_CFLAGS
-	nm_LIBS=$pkg_cv_nm_LIBS
-        { echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6; }
-	:
-fi
-
-
-fi
-
-if test x$eap_gtc = xtrue; then
-	{ echo "$as_me:$LINENO: checking for main in -lpam" >&5
-echo $ECHO_N "checking for main in -lpam... $ECHO_C" >&6; }
-if test "${ac_cv_lib_pam_main+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  ac_check_lib_save_LIBS=$LIBS
-LIBS="-lpam  $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-
-int
-main ()
-{
-return main ();
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
-  ac_cv_lib_pam_main=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_cv_lib_pam_main=no
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-{ echo "$as_me:$LINENO: result: $ac_cv_lib_pam_main" >&5
-echo "${ECHO_T}$ac_cv_lib_pam_main" >&6; }
-if test $ac_cv_lib_pam_main = yes; then
-  LIBS="$LIBS"
-else
-  { { echo "$as_me:$LINENO: error: PAM library not found" >&5
-echo "$as_me: error: PAM library not found" >&2;}
-   { (exit 1); exit 1; }; }
-fi
-ac_cv_lib_pam=ac_cv_lib_pam_main
-
-	if test "${ac_cv_header_security_pam_appl_h+set}" = set; then
-  { echo "$as_me:$LINENO: checking for security/pam_appl.h" >&5
-echo $ECHO_N "checking for security/pam_appl.h... $ECHO_C" >&6; }
-if test "${ac_cv_header_security_pam_appl_h+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-fi
-{ echo "$as_me:$LINENO: result: $ac_cv_header_security_pam_appl_h" >&5
-echo "${ECHO_T}$ac_cv_header_security_pam_appl_h" >&6; }
-else
-  # Is the header compilable?
-{ echo "$as_me:$LINENO: checking security/pam_appl.h usability" >&5
-echo $ECHO_N "checking security/pam_appl.h usability... $ECHO_C" >&6; }
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-$ac_includes_default
-#include <security/pam_appl.h>
-_ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  ac_header_compiler=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_header_compiler=no
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
-echo "${ECHO_T}$ac_header_compiler" >&6; }
-
-# Is the header present?
-{ echo "$as_me:$LINENO: checking security/pam_appl.h presence" >&5
-echo $ECHO_N "checking security/pam_appl.h presence... $ECHO_C" >&6; }
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#include <security/pam_appl.h>
-_ACEOF
-if { (ac_try="$ac_cpp conftest.$ac_ext"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } >/dev/null && {
-	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       }; then
-  ac_header_preproc=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-  ac_header_preproc=no
-fi
-
-rm -f conftest.err conftest.$ac_ext
-{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
-echo "${ECHO_T}$ac_header_preproc" >&6; }
-
-# So?  What about this header?
-case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
-  yes:no: )
-    { echo "$as_me:$LINENO: WARNING: security/pam_appl.h: accepted by the compiler, rejected by the preprocessor!" >&5
-echo "$as_me: WARNING: security/pam_appl.h: accepted by the compiler, rejected by the preprocessor!" >&2;}
-    { echo "$as_me:$LINENO: WARNING: security/pam_appl.h: proceeding with the compiler's result" >&5
-echo "$as_me: WARNING: security/pam_appl.h: proceeding with the compiler's result" >&2;}
-    ac_header_preproc=yes
-    ;;
-  no:yes:* )
-    { echo "$as_me:$LINENO: WARNING: security/pam_appl.h: present but cannot be compiled" >&5
-echo "$as_me: WARNING: security/pam_appl.h: present but cannot be compiled" >&2;}
-    { echo "$as_me:$LINENO: WARNING: security/pam_appl.h:     check for missing prerequisite headers?" >&5
-echo "$as_me: WARNING: security/pam_appl.h:     check for missing prerequisite headers?" >&2;}
-    { echo "$as_me:$LINENO: WARNING: security/pam_appl.h: see the Autoconf documentation" >&5
-echo "$as_me: WARNING: security/pam_appl.h: see the Autoconf documentation" >&2;}
-    { echo "$as_me:$LINENO: WARNING: security/pam_appl.h:     section \"Present But Cannot Be Compiled\"" >&5
-echo "$as_me: WARNING: security/pam_appl.h:     section \"Present But Cannot Be Compiled\"" >&2;}
-    { echo "$as_me:$LINENO: WARNING: security/pam_appl.h: proceeding with the preprocessor's result" >&5
-echo "$as_me: WARNING: security/pam_appl.h: proceeding with the preprocessor's result" >&2;}
-    { echo "$as_me:$LINENO: WARNING: security/pam_appl.h: in the future, the compiler will take precedence" >&5
-echo "$as_me: WARNING: security/pam_appl.h: in the future, the compiler will take precedence" >&2;}
-
-    ;;
-esac
-{ echo "$as_me:$LINENO: checking for security/pam_appl.h" >&5
-echo $ECHO_N "checking for security/pam_appl.h... $ECHO_C" >&6; }
-if test "${ac_cv_header_security_pam_appl_h+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  ac_cv_header_security_pam_appl_h=$ac_header_preproc
-fi
-{ echo "$as_me:$LINENO: result: $ac_cv_header_security_pam_appl_h" >&5
-echo "${ECHO_T}$ac_cv_header_security_pam_appl_h" >&6; }
-
-fi
-if test $ac_cv_header_security_pam_appl_h = yes; then
-  :
-else
-  { { echo "$as_me:$LINENO: error: PAM header security/pam_appl.h not found!" >&5
-echo "$as_me: error: PAM header security/pam_appl.h not found!" >&2;}
-   { (exit 1); exit 1; }; }
-fi
-
-
-fi
-
-if test x$capabilities = xlibcap; then
-	{ echo "$as_me:$LINENO: checking for main in -lcap" >&5
-echo $ECHO_N "checking for main in -lcap... $ECHO_C" >&6; }
-if test "${ac_cv_lib_cap_main+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  ac_check_lib_save_LIBS=$LIBS
-LIBS="-lcap  $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-
-int
-main ()
-{
-return main ();
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
-  ac_cv_lib_cap_main=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_cv_lib_cap_main=no
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-{ echo "$as_me:$LINENO: result: $ac_cv_lib_cap_main" >&5
-echo "${ECHO_T}$ac_cv_lib_cap_main" >&6; }
-if test $ac_cv_lib_cap_main = yes; then
-  LIBS="$LIBS"
-else
-  { { echo "$as_me:$LINENO: error: libcap library not found" >&5
-echo "$as_me: error: libcap library not found" >&2;}
-   { (exit 1); exit 1; }; }
-fi
-ac_cv_lib_cap=ac_cv_lib_cap_main
-
-	if test "${ac_cv_header_sys_capability_h+set}" = set; then
-  { echo "$as_me:$LINENO: checking for sys/capability.h" >&5
-echo $ECHO_N "checking for sys/capability.h... $ECHO_C" >&6; }
-if test "${ac_cv_header_sys_capability_h+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-fi
-{ echo "$as_me:$LINENO: result: $ac_cv_header_sys_capability_h" >&5
-echo "${ECHO_T}$ac_cv_header_sys_capability_h" >&6; }
-else
-  # Is the header compilable?
-{ echo "$as_me:$LINENO: checking sys/capability.h usability" >&5
-echo $ECHO_N "checking sys/capability.h usability... $ECHO_C" >&6; }
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-$ac_includes_default
-#include <sys/capability.h>
-_ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  ac_header_compiler=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_header_compiler=no
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
-echo "${ECHO_T}$ac_header_compiler" >&6; }
-
-# Is the header present?
-{ echo "$as_me:$LINENO: checking sys/capability.h presence" >&5
-echo $ECHO_N "checking sys/capability.h presence... $ECHO_C" >&6; }
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#include <sys/capability.h>
-_ACEOF
-if { (ac_try="$ac_cpp conftest.$ac_ext"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } >/dev/null && {
-	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       }; then
-  ac_header_preproc=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-  ac_header_preproc=no
-fi
-
-rm -f conftest.err conftest.$ac_ext
-{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
-echo "${ECHO_T}$ac_header_preproc" >&6; }
-
-# So?  What about this header?
-case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
-  yes:no: )
-    { echo "$as_me:$LINENO: WARNING: sys/capability.h: accepted by the compiler, rejected by the preprocessor!" >&5
-echo "$as_me: WARNING: sys/capability.h: accepted by the compiler, rejected by the preprocessor!" >&2;}
-    { echo "$as_me:$LINENO: WARNING: sys/capability.h: proceeding with the compiler's result" >&5
-echo "$as_me: WARNING: sys/capability.h: proceeding with the compiler's result" >&2;}
-    ac_header_preproc=yes
-    ;;
-  no:yes:* )
-    { echo "$as_me:$LINENO: WARNING: sys/capability.h: present but cannot be compiled" >&5
-echo "$as_me: WARNING: sys/capability.h: present but cannot be compiled" >&2;}
-    { echo "$as_me:$LINENO: WARNING: sys/capability.h:     check for missing prerequisite headers?" >&5
-echo "$as_me: WARNING: sys/capability.h:     check for missing prerequisite headers?" >&2;}
-    { echo "$as_me:$LINENO: WARNING: sys/capability.h: see the Autoconf documentation" >&5
-echo "$as_me: WARNING: sys/capability.h: see the Autoconf documentation" >&2;}
-    { echo "$as_me:$LINENO: WARNING: sys/capability.h:     section \"Present But Cannot Be Compiled\"" >&5
-echo "$as_me: WARNING: sys/capability.h:     section \"Present But Cannot Be Compiled\"" >&2;}
-    { echo "$as_me:$LINENO: WARNING: sys/capability.h: proceeding with the preprocessor's result" >&5
-echo "$as_me: WARNING: sys/capability.h: proceeding with the preprocessor's result" >&2;}
-    { echo "$as_me:$LINENO: WARNING: sys/capability.h: in the future, the compiler will take precedence" >&5
-echo "$as_me: WARNING: sys/capability.h: in the future, the compiler will take precedence" >&2;}
-
-    ;;
-esac
-{ echo "$as_me:$LINENO: checking for sys/capability.h" >&5
-echo $ECHO_N "checking for sys/capability.h... $ECHO_C" >&6; }
-if test "${ac_cv_header_sys_capability_h+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  ac_cv_header_sys_capability_h=$ac_header_preproc
-fi
-{ echo "$as_me:$LINENO: result: $ac_cv_header_sys_capability_h" >&5
-echo "${ECHO_T}$ac_cv_header_sys_capability_h" >&6; }
-
-fi
-if test $ac_cv_header_sys_capability_h = yes; then
-  :
-else
-  { { echo "$as_me:$LINENO: error: libcap header sys/capability.h not found!" >&5
-echo "$as_me: error: libcap header sys/capability.h not found!" >&2;}
-   { (exit 1); exit 1; }; }
-fi
-
-
-fi
-
-
-libstrongswan_plugins=
-
-if test x$curl = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" curl"
-fi
-if test x$ldap = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" ldap"
-fi
-if test x$aes = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" aes"
-fi
-if test x$des = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" des"
-fi
-if test x$sha1 = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" sha1"
-fi
-if test x$sha2 = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" sha2"
-fi
-if test x$md5 = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" md5"
-fi
-if test x$fips_prf = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" fips-prf"
-fi
-if test x$random = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" random"
-fi
-if test x$x509 = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" x509"
-fi
-if test x$pubkey = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" pubkey"
-fi
-if test x$xcbc = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" xcbc"
-fi
-if test x$hmac = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" hmac"
-fi
-if test x$mysql = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" mysql"
-fi
-if test x$sqlite = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" sqlite"
-fi
-if test x$padlock = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" padlock"
-fi
-if test x$openssl = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" openssl"
-fi
-if test x$agent = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" agent"
-fi
-if test x$gmp = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" gmp"
-fi
-
-
-
-
- if test x$curl = xtrue; then
-  USE_CURL_TRUE=
-  USE_CURL_FALSE='#'
-else
-  USE_CURL_TRUE='#'
-  USE_CURL_FALSE=
-fi
-
- if test x$ldap = xtrue; then
-  USE_LDAP_TRUE=
-  USE_LDAP_FALSE='#'
-else
-  USE_LDAP_TRUE='#'
-  USE_LDAP_FALSE=
-fi
-
- if test x$aes = xtrue; then
-  USE_AES_TRUE=
-  USE_AES_FALSE='#'
-else
-  USE_AES_TRUE='#'
-  USE_AES_FALSE=
-fi
-
- if test x$des = xtrue; then
-  USE_DES_TRUE=
-  USE_DES_FALSE='#'
-else
-  USE_DES_TRUE='#'
-  USE_DES_FALSE=
-fi
-
- if test x$md5 = xtrue; then
-  USE_MD5_TRUE=
-  USE_MD5_FALSE='#'
-else
-  USE_MD5_TRUE='#'
-  USE_MD5_FALSE=
-fi
-
- if test x$sha1 = xtrue; then
-  USE_SHA1_TRUE=
-  USE_SHA1_FALSE='#'
-else
-  USE_SHA1_TRUE='#'
-  USE_SHA1_FALSE=
-fi
-
- if test x$sha2 = xtrue; then
-  USE_SHA2_TRUE=
-  USE_SHA2_FALSE='#'
-else
-  USE_SHA2_TRUE='#'
-  USE_SHA2_FALSE=
-fi
-
- if test x$fips_prf = xtrue; then
-  USE_FIPS_PRF_TRUE=
-  USE_FIPS_PRF_FALSE='#'
-else
-  USE_FIPS_PRF_TRUE='#'
-  USE_FIPS_PRF_FALSE=
-fi
-
- if test x$gmp = xtrue; then
-  USE_GMP_TRUE=
-  USE_GMP_FALSE='#'
-else
-  USE_GMP_TRUE='#'
-  USE_GMP_FALSE=
-fi
-
- if test x$random = xtrue; then
-  USE_RANDOM_TRUE=
-  USE_RANDOM_FALSE='#'
-else
-  USE_RANDOM_TRUE='#'
-  USE_RANDOM_FALSE=
-fi
-
- if test x$x509 = xtrue; then
-  USE_X509_TRUE=
-  USE_X509_FALSE='#'
-else
-  USE_X509_TRUE='#'
-  USE_X509_FALSE=
-fi
-
- if test x$pubkey = xtrue; then
-  USE_PUBKEY_TRUE=
-  USE_PUBKEY_FALSE='#'
-else
-  USE_PUBKEY_TRUE='#'
-  USE_PUBKEY_FALSE=
-fi
-
- if test x$hmac = xtrue; then
-  USE_HMAC_TRUE=
-  USE_HMAC_FALSE='#'
-else
-  USE_HMAC_TRUE='#'
-  USE_HMAC_FALSE=
-fi
-
- if test x$xcbc = xtrue; then
-  USE_XCBC_TRUE=
-  USE_XCBC_FALSE='#'
-else
-  USE_XCBC_TRUE='#'
-  USE_XCBC_FALSE=
-fi
-
- if test x$mysql = xtrue; then
-  USE_MYSQL_TRUE=
-  USE_MYSQL_FALSE='#'
-else
-  USE_MYSQL_TRUE='#'
-  USE_MYSQL_FALSE=
-fi
-
- if test x$sqlite = xtrue; then
-  USE_SQLITE_TRUE=
-  USE_SQLITE_FALSE='#'
-else
-  USE_SQLITE_TRUE='#'
-  USE_SQLITE_FALSE=
-fi
-
- if test x$padlock = xtrue; then
-  USE_PADLOCK_TRUE=
-  USE_PADLOCK_FALSE='#'
-else
-  USE_PADLOCK_TRUE='#'
-  USE_PADLOCK_FALSE=
-fi
-
- if test x$openssl = xtrue; then
-  USE_OPENSSL_TRUE=
-  USE_OPENSSL_FALSE='#'
-else
-  USE_OPENSSL_TRUE='#'
-  USE_OPENSSL_FALSE=
-fi
-
- if test x$agent = xtrue; then
-  USE_AGENT_TRUE=
-  USE_AGENT_FALSE='#'
-else
-  USE_AGENT_TRUE='#'
-  USE_AGENT_FALSE=
-fi
-
-
- if test x$stroke = xtrue; then
-  USE_STROKE_TRUE=
-  USE_STROKE_FALSE='#'
-else
-  USE_STROKE_TRUE='#'
-  USE_STROKE_FALSE=
-fi
-
- if test x$medsrv = xtrue; then
-  USE_MEDSRV_TRUE=
-  USE_MEDSRV_FALSE='#'
-else
-  USE_MEDSRV_TRUE='#'
-  USE_MEDSRV_FALSE=
-fi
-
- if test x$medcli = xtrue; then
-  USE_MEDCLI_TRUE=
-  USE_MEDCLI_FALSE='#'
-else
-  USE_MEDCLI_TRUE='#'
-  USE_MEDCLI_FALSE=
-fi
-
- if test x$nm = xtrue; then
-  USE_NM_TRUE=
-  USE_NM_FALSE='#'
-else
-  USE_NM_TRUE='#'
-  USE_NM_FALSE=
-fi
-
- if test x$uci = xtrue; then
-  USE_UCI_TRUE=
-  USE_UCI_FALSE='#'
-else
-  USE_UCI_TRUE='#'
-  USE_UCI_FALSE=
-fi
-
- if test x$smp = xtrue; then
-  USE_SMP_TRUE=
-  USE_SMP_FALSE='#'
-else
-  USE_SMP_TRUE='#'
-  USE_SMP_FALSE=
-fi
-
- if test x$sql = xtrue; then
-  USE_SQL_TRUE=
-  USE_SQL_FALSE='#'
-else
-  USE_SQL_TRUE='#'
-  USE_SQL_FALSE=
-fi
-
- if test x$updown = xtrue; then
-  USE_UPDOWN_TRUE=
-  USE_UPDOWN_FALSE='#'
-else
-  USE_UPDOWN_TRUE='#'
-  USE_UPDOWN_FALSE=
-fi
-
- if test x$unittest = xtrue; then
-  USE_UNIT_TESTS_TRUE=
-  USE_UNIT_TESTS_FALSE='#'
-else
-  USE_UNIT_TESTS_TRUE='#'
-  USE_UNIT_TESTS_FALSE=
-fi
-
- if test x$loadtest = xtrue; then
-  USE_LOAD_TESTS_TRUE=
-  USE_LOAD_TESTS_FALSE='#'
-else
-  USE_LOAD_TESTS_TRUE='#'
-  USE_LOAD_TESTS_FALSE=
-fi
-
- if test x$eap_sim = xtrue; then
-  USE_EAP_SIM_TRUE=
-  USE_EAP_SIM_FALSE='#'
-else
-  USE_EAP_SIM_TRUE='#'
-  USE_EAP_SIM_FALSE=
-fi
-
- if test x$eap_sim_file = xtrue; then
-  USE_EAP_SIM_FILE_TRUE=
-  USE_EAP_SIM_FILE_FALSE='#'
-else
-  USE_EAP_SIM_FILE_TRUE='#'
-  USE_EAP_SIM_FILE_FALSE=
-fi
-
- if test x$eap_identity = xtrue; then
-  USE_EAP_IDENTITY_TRUE=
-  USE_EAP_IDENTITY_FALSE='#'
-else
-  USE_EAP_IDENTITY_TRUE='#'
-  USE_EAP_IDENTITY_FALSE=
-fi
-
- if test x$eap_md5 = xtrue; then
-  USE_EAP_MD5_TRUE=
-  USE_EAP_MD5_FALSE='#'
-else
-  USE_EAP_MD5_TRUE='#'
-  USE_EAP_MD5_FALSE=
-fi
-
- if test x$eap_gtc = xtrue; then
-  USE_EAP_GTC_TRUE=
-  USE_EAP_GTC_FALSE='#'
-else
-  USE_EAP_GTC_TRUE='#'
-  USE_EAP_GTC_FALSE=
-fi
-
- if test x$eap_aka = xtrue; then
-  USE_EAP_AKA_TRUE=
-  USE_EAP_AKA_FALSE='#'
-else
-  USE_EAP_AKA_TRUE='#'
-  USE_EAP_AKA_FALSE=
-fi
-
- if test x$kernel_netlink = xtrue; then
-  USE_KERNEL_NETLINK_TRUE=
-  USE_KERNEL_NETLINK_FALSE='#'
-else
-  USE_KERNEL_NETLINK_TRUE='#'
-  USE_KERNEL_NETLINK_FALSE=
-fi
-
- if test x$kernel_pfkey = xtrue; then
-  USE_KERNEL_PFKEY_TRUE=
-  USE_KERNEL_PFKEY_FALSE='#'
-else
-  USE_KERNEL_PFKEY_TRUE='#'
-  USE_KERNEL_PFKEY_FALSE=
-fi
-
- if test x$kernel_klips = xtrue; then
-  USE_KERNEL_KLIPS_TRUE=
-  USE_KERNEL_KLIPS_FALSE='#'
-else
-  USE_KERNEL_KLIPS_TRUE='#'
-  USE_KERNEL_KLIPS_FALSE=
-fi
-
-
- if test x$smartcard = xtrue; then
-  USE_SMARTCARD_TRUE=
-  USE_SMARTCARD_FALSE='#'
-else
-  USE_SMARTCARD_TRUE='#'
-  USE_SMARTCARD_FALSE=
-fi
-
- if test x$cisco_quirks = xtrue; then
-  USE_CISCO_QUIRKS_TRUE=
-  USE_CISCO_QUIRKS_FALSE='#'
-else
-  USE_CISCO_QUIRKS_TRUE='#'
-  USE_CISCO_QUIRKS_FALSE=
-fi
-
- if test x$leak_detective = xtrue; then
-  USE_LEAK_DETECTIVE_TRUE=
-  USE_LEAK_DETECTIVE_FALSE='#'
-else
-  USE_LEAK_DETECTIVE_TRUE='#'
-  USE_LEAK_DETECTIVE_FALSE=
-fi
-
- if test x$lock_profiler = xtrue; then
-  USE_LOCK_PROFILER_TRUE=
-  USE_LOCK_PROFILER_FALSE='#'
-else
-  USE_LOCK_PROFILER_TRUE='#'
-  USE_LOCK_PROFILER_FALSE=
-fi
-
- if test x$nat_transport = xtrue; then
-  USE_NAT_TRANSPORT_TRUE=
-  USE_NAT_TRANSPORT_FALSE='#'
-else
-  USE_NAT_TRANSPORT_TRUE='#'
-  USE_NAT_TRANSPORT_FALSE=
-fi
-
- if test x$vendor_id = xtrue; then
-  USE_VENDORID_TRUE=
-  USE_VENDORID_FALSE='#'
-else
-  USE_VENDORID_TRUE='#'
-  USE_VENDORID_FALSE=
-fi
-
- if test x$xauth_vid = xtrue; then
-  USE_XAUTH_VID_TRUE=
-  USE_XAUTH_VID_FALSE='#'
-else
-  USE_XAUTH_VID_TRUE='#'
-  USE_XAUTH_VID_FALSE=
-fi
-
- if test x$dumm = xtrue; then
-  USE_DUMM_TRUE=
-  USE_DUMM_FALSE='#'
-else
-  USE_DUMM_TRUE='#'
-  USE_DUMM_FALSE=
-fi
-
- if test x$fast = xtrue; then
-  USE_FAST_TRUE=
-  USE_FAST_FALSE='#'
-else
-  USE_FAST_TRUE='#'
-  USE_FAST_FALSE=
-fi
-
- if test x$manager = xtrue; then
-  USE_MANAGER_TRUE=
-  USE_MANAGER_FALSE='#'
-else
-  USE_MANAGER_TRUE='#'
-  USE_MANAGER_FALSE=
-fi
-
- if test x$me = xtrue; then
-  USE_ME_TRUE=
-  USE_ME_FALSE='#'
-else
-  USE_ME_TRUE='#'
-  USE_ME_FALSE=
-fi
-
- if test x$integrity_test = xtrue; then
-  USE_INTEGRITY_TEST_TRUE=
-  USE_INTEGRITY_TEST_FALSE='#'
-else
-  USE_INTEGRITY_TEST_TRUE='#'
-  USE_INTEGRITY_TEST_FALSE=
-fi
-
- if test x$self_test = xtrue; then
-  USE_SELF_TEST_TRUE=
-  USE_SELF_TEST_FALSE='#'
-else
-  USE_SELF_TEST_TRUE='#'
-  USE_SELF_TEST_FALSE=
-fi
-
- if test x$capabilities = xlibcap; then
-  USE_CAPABILITIES_TRUE=
-  USE_CAPABILITIES_FALSE='#'
-else
-  USE_CAPABILITIES_TRUE='#'
-  USE_CAPABILITIES_FALSE=
-fi
-
- if test x$pluto = xtrue; then
-  USE_PLUTO_TRUE=
-  USE_PLUTO_FALSE='#'
-else
-  USE_PLUTO_TRUE='#'
-  USE_PLUTO_FALSE=
-fi
-
- if test x$charon = xtrue; then
-  USE_CHARON_TRUE=
-  USE_CHARON_FALSE='#'
-else
-  USE_CHARON_TRUE='#'
-  USE_CHARON_FALSE=
-fi
-
- if test x$tools = xtrue; then
-  USE_TOOLS_TRUE=
-  USE_TOOLS_FALSE='#'
-else
-  USE_TOOLS_TRUE='#'
-  USE_TOOLS_FALSE=
-fi
-
- if test x$charon = xtrue -o x$tools = xtrue; then
-  USE_LIBSTRONGSWAN_TRUE=
-  USE_LIBSTRONGSWAN_FALSE='#'
-else
-  USE_LIBSTRONGSWAN_TRUE='#'
-  USE_LIBSTRONGSWAN_FALSE=
-fi
-
- if test x$pluto = xtrue -o x$stroke = xtrue; then
-  USE_FILE_CONFIG_TRUE=
-  USE_FILE_CONFIG_FALSE='#'
-else
-  USE_FILE_CONFIG_TRUE='#'
-  USE_FILE_CONFIG_FALSE=
-fi
-
-
-
-if test x$me = xtrue; then
-	cat >>confdefs.h <<\_ACEOF
-#define ME 1
-_ACEOF
-
-fi
-if test x$capabilities = xlibcap; then
-	cat >>confdefs.h <<\_ACEOF
-#define CAPABILITIES 1
-_ACEOF
-
-fi
-
-
-ac_config_files="$ac_config_files Makefile src/Makefile src/include/Makefile src/libstrongswan/Makefile src/libstrongswan/plugins/aes/Makefile src/libstrongswan/plugins/des/Makefile src/libstrongswan/plugins/md5/Makefile src/libstrongswan/plugins/sha1/Makefile src/libstrongswan/plugins/sha2/Makefile src/libstrongswan/plugins/fips_prf/Makefile src/libstrongswan/plugins/gmp/Makefile src/libstrongswan/plugins/random/Makefile src/libstrongswan/plugins/hmac/Makefile src/libstrongswan/plugins/xcbc/Makefile src/libstrongswan/plugins/x509/Makefile src/libstrongswan/plugins/pubkey/Makefile src/libstrongswan/plugins/curl/Makefile src/libstrongswan/plugins/ldap/Makefile src/libstrongswan/plugins/mysql/Makefile src/libstrongswan/plugins/sqlite/Makefile src/libstrongswan/plugins/padlock/Makefile src/libstrongswan/plugins/openssl/Makefile src/libstrongswan/plugins/agent/Makefile src/libstrongswan/fips/Makefile src/libcrypto/Makefile src/libfreeswan/Makefile src/pluto/Makefile src/whack/Makefile src/charon/Makefile src/charon/plugins/eap_aka/Makefile src/charon/plugins/eap_identity/Makefile src/charon/plugins/eap_md5/Makefile src/charon/plugins/eap_gtc/Makefile src/charon/plugins/eap_sim/Makefile src/charon/plugins/eap_sim_file/Makefile src/charon/plugins/kernel_netlink/Makefile src/charon/plugins/kernel_pfkey/Makefile src/charon/plugins/kernel_klips/Makefile src/charon/plugins/smp/Makefile src/charon/plugins/sql/Makefile src/charon/plugins/medsrv/Makefile src/charon/plugins/medcli/Makefile src/charon/plugins/nm/Makefile src/charon/plugins/uci/Makefile src/charon/plugins/stroke/Makefile src/charon/plugins/updown/Makefile src/charon/plugins/unit_tester/Makefile src/charon/plugins/load_tester/Makefile src/stroke/Makefile src/ipsec/Makefile src/starter/Makefile src/_updown/Makefile src/_updown_espmark/Makefile src/_copyright/Makefile src/openac/Makefile src/scepclient/Makefile src/dumm/Makefile src/libfast/Makefile src/manager/Makefile src/medsrv/Makefile scripts/Makefile testing/Makefile"
-
-cat >confcache <<\_ACEOF
-# This file is a shell script that caches the results of configure
-# tests run on this system so they can be shared between configure
-# scripts and configure runs, see configure's option --config-cache.
-# It is not useful on other systems.  If it contains results you don't
-# want to keep, you may remove or edit it.
-#
-# config.status only pays attention to the cache file if you give it
-# the --recheck option to rerun configure.
-#
-# `ac_cv_env_foo' variables (set or unset) will be overridden when
-# loading this file, other *unset* `ac_cv_foo' will be assigned the
-# following values.
-
-_ACEOF
-
-# The following way of writing the cache mishandles newlines in values,
-# but we know of no workaround that is simple, portable, and efficient.
-# So, we kill variables containing newlines.
-# Ultrix sh set writes to stderr and can't be redirected directly,
-# and sets the high bit in the cache file unless we assign to the vars.
-(
-  for ac_var in `(set) 2>&1 | sed -n 's/^\([a-zA-Z_][a-zA-Z0-9_]*\)=.*/\1/p'`; do
-    eval ac_val=\$$ac_var
-    case $ac_val in #(
-    *${as_nl}*)
-      case $ac_var in #(
-      *_cv_*) { echo "$as_me:$LINENO: WARNING: Cache variable $ac_var contains a newline." >&5
-echo "$as_me: WARNING: Cache variable $ac_var contains a newline." >&2;} ;;
-      esac
-      case $ac_var in #(
-      _ | IFS | as_nl) ;; #(
-      *) $as_unset $ac_var ;;
-      esac ;;
-    esac
-  done
-
-  (set) 2>&1 |
-    case $as_nl`(ac_space=' '; set) 2>&1` in #(
-    *${as_nl}ac_space=\ *)
-      # `set' does not quote correctly, so add quotes (double-quote
-      # substitution turns \\\\ into \\, and sed turns \\ into \).
-      sed -n \
-	"s/'/'\\\\''/g;
-	  s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1='\\2'/p"
-      ;; #(
-    *)
-      # `set' quotes correctly as required by POSIX, so do not add quotes.
-      sed -n "/^[_$as_cr_alnum]*_cv_[_$as_cr_alnum]*=/p"
-      ;;
-    esac |
-    sort
-) |
-  sed '
-     /^ac_cv_env_/b end
-     t clear
-     :clear
-     s/^\([^=]*\)=\(.*[{}].*\)$/test "${\1+set}" = set || &/
-     t end
-     s/^\([^=]*\)=\(.*\)$/\1=${\1=\2}/
-     :end' >>confcache
-if diff "$cache_file" confcache >/dev/null 2>&1; then :; else
-  if test -w "$cache_file"; then
-    test "x$cache_file" != "x/dev/null" &&
-      { echo "$as_me:$LINENO: updating cache $cache_file" >&5
-echo "$as_me: updating cache $cache_file" >&6;}
-    cat confcache >$cache_file
-  else
-    { echo "$as_me:$LINENO: not updating unwritable cache $cache_file" >&5
-echo "$as_me: not updating unwritable cache $cache_file" >&6;}
-  fi
-fi
-rm -f confcache
-
-test "x$prefix" = xNONE && prefix=$ac_default_prefix
-# Let make expand exec_prefix.
-test "x$exec_prefix" = xNONE && exec_prefix='${prefix}'
-
-# Transform confdefs.h into DEFS.
-# Protect against shell expansion while executing Makefile rules.
-# Protect against Makefile macro expansion.
-#
-# If the first sed substitution is executed (which looks for macros that
-# take arguments), then branch to the quote section.  Otherwise,
-# look for a macro that doesn't take arguments.
-ac_script='
-t clear
-:clear
-s/^[	 ]*#[	 ]*define[	 ][	 ]*\([^	 (][^	 (]*([^)]*)\)[	 ]*\(.*\)/-D\1=\2/g
-t quote
-s/^[	 ]*#[	 ]*define[	 ][	 ]*\([^	 ][^	 ]*\)[	 ]*\(.*\)/-D\1=\2/g
-t quote
-b any
-:quote
-s/[	 `~#$^&*(){}\\|;'\''"<>?]/\\&/g
-s/\[/\\&/g
-s/\]/\\&/g
-s/\$/$$/g
-H
-:any
-${
-	g
-	s/^\n//
-	s/\n/ /g
-	p
-}
-'
-DEFS=`sed -n "$ac_script" confdefs.h`
-
-
-ac_libobjs=
-ac_ltlibobjs=
-for ac_i in : $LIBOBJS; do test "x$ac_i" = x: && continue
-  # 1. Remove the extension, and $U if already installed.
-  ac_script='s/\$U\././;s/\.o$//;s/\.obj$//'
-  ac_i=`echo "$ac_i" | sed "$ac_script"`
-  # 2. Prepend LIBOBJDIR.  When used with automake>=1.10 LIBOBJDIR
-  #    will be set to the directory where LIBOBJS objects are built.
-  ac_libobjs="$ac_libobjs \${LIBOBJDIR}$ac_i\$U.$ac_objext"
-  ac_ltlibobjs="$ac_ltlibobjs \${LIBOBJDIR}$ac_i"'$U.lo'
-done
-LIBOBJS=$ac_libobjs
-
-LTLIBOBJS=$ac_ltlibobjs
-
-
-if test -z "${AMDEP_TRUE}" && test -z "${AMDEP_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"AMDEP\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"AMDEP\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
-fi
-if test -z "${am__fastdepCC_TRUE}" && test -z "${am__fastdepCC_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"am__fastdepCC\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"am__fastdepCC\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
-fi
-if test -z "${am__fastdepCXX_TRUE}" && test -z "${am__fastdepCXX_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"am__fastdepCXX\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"am__fastdepCXX\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
-fi
-if test -z "${am__fastdepCC_TRUE}" && test -z "${am__fastdepCC_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"am__fastdepCC\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"am__fastdepCC\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
-fi
-if test -z "${USE_CURL_TRUE}" && test -z "${USE_CURL_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_CURL\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_CURL\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
-fi
-if test -z "${USE_LDAP_TRUE}" && test -z "${USE_LDAP_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_LDAP\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_LDAP\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
-fi
-if test -z "${USE_AES_TRUE}" && test -z "${USE_AES_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_AES\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_AES\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
-fi
-if test -z "${USE_DES_TRUE}" && test -z "${USE_DES_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_DES\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_DES\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
-fi
-if test -z "${USE_MD5_TRUE}" && test -z "${USE_MD5_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_MD5\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_MD5\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
-fi
-if test -z "${USE_SHA1_TRUE}" && test -z "${USE_SHA1_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_SHA1\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_SHA1\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
-fi
-if test -z "${USE_SHA2_TRUE}" && test -z "${USE_SHA2_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_SHA2\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_SHA2\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
-fi
-if test -z "${USE_FIPS_PRF_TRUE}" && test -z "${USE_FIPS_PRF_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_FIPS_PRF\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_FIPS_PRF\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
-fi
-if test -z "${USE_GMP_TRUE}" && test -z "${USE_GMP_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_GMP\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_GMP\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
-fi
-if test -z "${USE_RANDOM_TRUE}" && test -z "${USE_RANDOM_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_RANDOM\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_RANDOM\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
-fi
-if test -z "${USE_X509_TRUE}" && test -z "${USE_X509_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_X509\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_X509\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
-fi
-if test -z "${USE_PUBKEY_TRUE}" && test -z "${USE_PUBKEY_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_PUBKEY\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_PUBKEY\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
-fi
-if test -z "${USE_HMAC_TRUE}" && test -z "${USE_HMAC_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_HMAC\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_HMAC\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
-fi
-if test -z "${USE_XCBC_TRUE}" && test -z "${USE_XCBC_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_XCBC\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_XCBC\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
-fi
-if test -z "${USE_MYSQL_TRUE}" && test -z "${USE_MYSQL_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_MYSQL\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_MYSQL\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
-fi
-if test -z "${USE_SQLITE_TRUE}" && test -z "${USE_SQLITE_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_SQLITE\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_SQLITE\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
-fi
-if test -z "${USE_PADLOCK_TRUE}" && test -z "${USE_PADLOCK_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_PADLOCK\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_PADLOCK\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
-fi
-if test -z "${USE_OPENSSL_TRUE}" && test -z "${USE_OPENSSL_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_OPENSSL\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_OPENSSL\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
-fi
-if test -z "${USE_AGENT_TRUE}" && test -z "${USE_AGENT_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_AGENT\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_AGENT\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
-fi
-if test -z "${USE_STROKE_TRUE}" && test -z "${USE_STROKE_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_STROKE\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_STROKE\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
-fi
-if test -z "${USE_MEDSRV_TRUE}" && test -z "${USE_MEDSRV_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_MEDSRV\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_MEDSRV\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
-fi
-if test -z "${USE_MEDCLI_TRUE}" && test -z "${USE_MEDCLI_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_MEDCLI\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_MEDCLI\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
-fi
-if test -z "${USE_NM_TRUE}" && test -z "${USE_NM_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_NM\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_NM\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
-fi
-if test -z "${USE_UCI_TRUE}" && test -z "${USE_UCI_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_UCI\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_UCI\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
-fi
-if test -z "${USE_SMP_TRUE}" && test -z "${USE_SMP_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_SMP\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_SMP\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
-fi
-if test -z "${USE_SQL_TRUE}" && test -z "${USE_SQL_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_SQL\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_SQL\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
-fi
-if test -z "${USE_UPDOWN_TRUE}" && test -z "${USE_UPDOWN_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_UPDOWN\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_UPDOWN\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
-fi
-if test -z "${USE_UNIT_TESTS_TRUE}" && test -z "${USE_UNIT_TESTS_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_UNIT_TESTS\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_UNIT_TESTS\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
-fi
-if test -z "${USE_LOAD_TESTS_TRUE}" && test -z "${USE_LOAD_TESTS_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_LOAD_TESTS\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_LOAD_TESTS\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
-fi
-if test -z "${USE_EAP_SIM_TRUE}" && test -z "${USE_EAP_SIM_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_EAP_SIM\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_EAP_SIM\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
-fi
-if test -z "${USE_EAP_SIM_FILE_TRUE}" && test -z "${USE_EAP_SIM_FILE_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_EAP_SIM_FILE\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_EAP_SIM_FILE\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
-fi
-if test -z "${USE_EAP_IDENTITY_TRUE}" && test -z "${USE_EAP_IDENTITY_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_EAP_IDENTITY\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_EAP_IDENTITY\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
-fi
-if test -z "${USE_EAP_MD5_TRUE}" && test -z "${USE_EAP_MD5_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_EAP_MD5\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_EAP_MD5\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
-fi
-if test -z "${USE_EAP_GTC_TRUE}" && test -z "${USE_EAP_GTC_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_EAP_GTC\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_EAP_GTC\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
-fi
-if test -z "${USE_EAP_AKA_TRUE}" && test -z "${USE_EAP_AKA_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_EAP_AKA\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_EAP_AKA\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
-fi
-if test -z "${USE_KERNEL_NETLINK_TRUE}" && test -z "${USE_KERNEL_NETLINK_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_KERNEL_NETLINK\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_KERNEL_NETLINK\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
-fi
-if test -z "${USE_KERNEL_PFKEY_TRUE}" && test -z "${USE_KERNEL_PFKEY_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_KERNEL_PFKEY\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_KERNEL_PFKEY\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
-fi
-if test -z "${USE_KERNEL_KLIPS_TRUE}" && test -z "${USE_KERNEL_KLIPS_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_KERNEL_KLIPS\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_KERNEL_KLIPS\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
-fi
-if test -z "${USE_SMARTCARD_TRUE}" && test -z "${USE_SMARTCARD_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_SMARTCARD\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_SMARTCARD\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
-fi
-if test -z "${USE_CISCO_QUIRKS_TRUE}" && test -z "${USE_CISCO_QUIRKS_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_CISCO_QUIRKS\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_CISCO_QUIRKS\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
-fi
-if test -z "${USE_LEAK_DETECTIVE_TRUE}" && test -z "${USE_LEAK_DETECTIVE_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_LEAK_DETECTIVE\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_LEAK_DETECTIVE\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
-fi
-if test -z "${USE_LOCK_PROFILER_TRUE}" && test -z "${USE_LOCK_PROFILER_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_LOCK_PROFILER\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_LOCK_PROFILER\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
-fi
-if test -z "${USE_NAT_TRANSPORT_TRUE}" && test -z "${USE_NAT_TRANSPORT_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_NAT_TRANSPORT\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_NAT_TRANSPORT\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
-fi
-if test -z "${USE_VENDORID_TRUE}" && test -z "${USE_VENDORID_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_VENDORID\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_VENDORID\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
-fi
-if test -z "${USE_XAUTH_VID_TRUE}" && test -z "${USE_XAUTH_VID_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_XAUTH_VID\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_XAUTH_VID\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
-fi
-if test -z "${USE_DUMM_TRUE}" && test -z "${USE_DUMM_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_DUMM\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_DUMM\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
-fi
-if test -z "${USE_FAST_TRUE}" && test -z "${USE_FAST_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_FAST\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_FAST\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
-fi
-if test -z "${USE_MANAGER_TRUE}" && test -z "${USE_MANAGER_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_MANAGER\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_MANAGER\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
-fi
-if test -z "${USE_ME_TRUE}" && test -z "${USE_ME_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_ME\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_ME\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
-fi
-if test -z "${USE_INTEGRITY_TEST_TRUE}" && test -z "${USE_INTEGRITY_TEST_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_INTEGRITY_TEST\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_INTEGRITY_TEST\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
-fi
-if test -z "${USE_SELF_TEST_TRUE}" && test -z "${USE_SELF_TEST_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_SELF_TEST\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_SELF_TEST\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
-fi
-if test -z "${USE_CAPABILITIES_TRUE}" && test -z "${USE_CAPABILITIES_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_CAPABILITIES\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_CAPABILITIES\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
-fi
-if test -z "${USE_PLUTO_TRUE}" && test -z "${USE_PLUTO_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_PLUTO\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_PLUTO\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
-fi
-if test -z "${USE_CHARON_TRUE}" && test -z "${USE_CHARON_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_CHARON\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_CHARON\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
-fi
-if test -z "${USE_TOOLS_TRUE}" && test -z "${USE_TOOLS_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_TOOLS\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_TOOLS\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
-fi
-if test -z "${USE_LIBSTRONGSWAN_TRUE}" && test -z "${USE_LIBSTRONGSWAN_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_LIBSTRONGSWAN\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_LIBSTRONGSWAN\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
+ac_delim='%!_!# '
+for ac_last_try in false false false false false :; do
+  cat >conf$$subs.sed <<_ACEOF
+host!$host$ac_delim
+host_cpu!$host_cpu$ac_delim
+host_vendor!$host_vendor$ac_delim
+host_os!$host_os$ac_delim
+SED!$SED$ac_delim
+FGREP!$FGREP$ac_delim
+LD!$LD$ac_delim
+DUMPBIN!$DUMPBIN$ac_delim
+ac_ct_DUMPBIN!$ac_ct_DUMPBIN$ac_delim
+NM!$NM$ac_delim
+LN_S!$LN_S$ac_delim
+AR!$AR$ac_delim
+RANLIB!$RANLIB$ac_delim
+lt_ECHO!$lt_ECHO$ac_delim
+DSYMUTIL!$DSYMUTIL$ac_delim
+NMEDIT!$NMEDIT$ac_delim
+LIPO!$LIPO$ac_delim
+OTOOL!$OTOOL$ac_delim
+OTOOL64!$OTOOL64$ac_delim
+LEX!$LEX$ac_delim
+LEX_OUTPUT_ROOT!$LEX_OUTPUT_ROOT$ac_delim
+LEXLIB!$LEXLIB$ac_delim
+YACC!$YACC$ac_delim
+YFLAGS!$YFLAGS$ac_delim
+GPERF!$GPERF$ac_delim
+PERL!$PERL$ac_delim
+xml_CFLAGS!$xml_CFLAGS$ac_delim
+xml_LIBS!$xml_LIBS$ac_delim
+gtk_CFLAGS!$gtk_CFLAGS$ac_delim
+gtk_LIBS!$gtk_LIBS$ac_delim
+nm_CFLAGS!$nm_CFLAGS$ac_delim
+nm_LIBS!$nm_LIBS$ac_delim
+libstrongswan_plugins!$libstrongswan_plugins$ac_delim
+USE_CURL_TRUE!$USE_CURL_TRUE$ac_delim
+USE_CURL_FALSE!$USE_CURL_FALSE$ac_delim
+USE_LDAP_TRUE!$USE_LDAP_TRUE$ac_delim
+USE_LDAP_FALSE!$USE_LDAP_FALSE$ac_delim
+USE_AES_TRUE!$USE_AES_TRUE$ac_delim
+USE_AES_FALSE!$USE_AES_FALSE$ac_delim
+USE_DES_TRUE!$USE_DES_TRUE$ac_delim
+USE_DES_FALSE!$USE_DES_FALSE$ac_delim
+USE_MD4_TRUE!$USE_MD4_TRUE$ac_delim
+USE_MD4_FALSE!$USE_MD4_FALSE$ac_delim
+USE_MD5_TRUE!$USE_MD5_TRUE$ac_delim
+USE_MD5_FALSE!$USE_MD5_FALSE$ac_delim
+USE_SHA1_TRUE!$USE_SHA1_TRUE$ac_delim
+USE_SHA1_FALSE!$USE_SHA1_FALSE$ac_delim
+USE_SHA2_TRUE!$USE_SHA2_TRUE$ac_delim
+USE_SHA2_FALSE!$USE_SHA2_FALSE$ac_delim
+USE_FIPS_PRF_TRUE!$USE_FIPS_PRF_TRUE$ac_delim
+USE_FIPS_PRF_FALSE!$USE_FIPS_PRF_FALSE$ac_delim
+USE_GMP_TRUE!$USE_GMP_TRUE$ac_delim
+USE_GMP_FALSE!$USE_GMP_FALSE$ac_delim
+USE_RANDOM_TRUE!$USE_RANDOM_TRUE$ac_delim
+USE_RANDOM_FALSE!$USE_RANDOM_FALSE$ac_delim
+USE_X509_TRUE!$USE_X509_TRUE$ac_delim
+USE_X509_FALSE!$USE_X509_FALSE$ac_delim
+USE_PUBKEY_TRUE!$USE_PUBKEY_TRUE$ac_delim
+USE_PUBKEY_FALSE!$USE_PUBKEY_FALSE$ac_delim
+USE_HMAC_TRUE!$USE_HMAC_TRUE$ac_delim
+USE_HMAC_FALSE!$USE_HMAC_FALSE$ac_delim
+USE_XCBC_TRUE!$USE_XCBC_TRUE$ac_delim
+USE_XCBC_FALSE!$USE_XCBC_FALSE$ac_delim
+USE_MYSQL_TRUE!$USE_MYSQL_TRUE$ac_delim
+USE_MYSQL_FALSE!$USE_MYSQL_FALSE$ac_delim
+USE_SQLITE_TRUE!$USE_SQLITE_TRUE$ac_delim
+USE_SQLITE_FALSE!$USE_SQLITE_FALSE$ac_delim
+USE_PADLOCK_TRUE!$USE_PADLOCK_TRUE$ac_delim
+USE_PADLOCK_FALSE!$USE_PADLOCK_FALSE$ac_delim
+USE_OPENSSL_TRUE!$USE_OPENSSL_TRUE$ac_delim
+USE_OPENSSL_FALSE!$USE_OPENSSL_FALSE$ac_delim
+USE_AGENT_TRUE!$USE_AGENT_TRUE$ac_delim
+USE_AGENT_FALSE!$USE_AGENT_FALSE$ac_delim
+USE_STROKE_TRUE!$USE_STROKE_TRUE$ac_delim
+USE_STROKE_FALSE!$USE_STROKE_FALSE$ac_delim
+USE_MEDSRV_TRUE!$USE_MEDSRV_TRUE$ac_delim
+USE_MEDSRV_FALSE!$USE_MEDSRV_FALSE$ac_delim
+USE_MEDCLI_TRUE!$USE_MEDCLI_TRUE$ac_delim
+USE_MEDCLI_FALSE!$USE_MEDCLI_FALSE$ac_delim
+USE_NM_TRUE!$USE_NM_TRUE$ac_delim
+USE_NM_FALSE!$USE_NM_FALSE$ac_delim
+USE_UCI_TRUE!$USE_UCI_TRUE$ac_delim
+USE_UCI_FALSE!$USE_UCI_FALSE$ac_delim
+USE_SMP_TRUE!$USE_SMP_TRUE$ac_delim
+USE_SMP_FALSE!$USE_SMP_FALSE$ac_delim
+USE_SQL_TRUE!$USE_SQL_TRUE$ac_delim
+USE_SQL_FALSE!$USE_SQL_FALSE$ac_delim
+USE_UPDOWN_TRUE!$USE_UPDOWN_TRUE$ac_delim
+USE_UPDOWN_FALSE!$USE_UPDOWN_FALSE$ac_delim
+USE_UNIT_TESTS_TRUE!$USE_UNIT_TESTS_TRUE$ac_delim
+USE_UNIT_TESTS_FALSE!$USE_UNIT_TESTS_FALSE$ac_delim
+USE_LOAD_TESTS_TRUE!$USE_LOAD_TESTS_TRUE$ac_delim
+USE_LOAD_TESTS_FALSE!$USE_LOAD_TESTS_FALSE$ac_delim
+USE_EAP_SIM_TRUE!$USE_EAP_SIM_TRUE$ac_delim
+USE_EAP_SIM_FALSE!$USE_EAP_SIM_FALSE$ac_delim
+USE_EAP_SIM_FILE_TRUE!$USE_EAP_SIM_FILE_TRUE$ac_delim
+USE_EAP_SIM_FILE_FALSE!$USE_EAP_SIM_FILE_FALSE$ac_delim
+_ACEOF
+
+  if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 97; then
+    break
+  elif $ac_last_try; then
+    { { echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5
+echo "$as_me: error: could not make $CONFIG_STATUS" >&2;}
    { (exit 1); exit 1; }; }
+  else
+    ac_delim="$ac_delim!$ac_delim _$ac_delim!! "
+  fi
+done
+
+ac_eof=`sed -n '/^CEOF[0-9]*$/s/CEOF/0/p' conf$$subs.sed`
+if test -n "$ac_eof"; then
+  ac_eof=`echo "$ac_eof" | sort -nru | sed 1q`
+  ac_eof=`expr $ac_eof + 1`
 fi
-if test -z "${USE_FILE_CONFIG_TRUE}" && test -z "${USE_FILE_CONFIG_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_FILE_CONFIG\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_FILE_CONFIG\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
+
+cat >>$CONFIG_STATUS <<_ACEOF
+cat >"\$tmp/subs-2.sed" <<\CEOF$ac_eof
+/@[a-zA-Z_][a-zA-Z_0-9]*@/!b
+_ACEOF
+sed '
+s/[,\\&]/\\&/g; s/@/@|#_!!_#|/g
+s/^/s,@/; s/!/@,|#_!!_#|/
+:n
+t n
+s/'"$ac_delim"'$/,g/; t
+s/$/\\/; p
+N; s/^.*\n//; s/[,\\&]/\\&/g; s/@/@|#_!!_#|/g; b n
+' >>$CONFIG_STATUS <conf$$subs.sed
+rm -f conf$$subs.sed
+cat >>$CONFIG_STATUS <<_ACEOF
+CEOF$ac_eof
+_ACEOF
+
+
+ac_delim='%!_!# '
+for ac_last_try in false false false false false :; do
+  cat >conf$$subs.sed <<_ACEOF
+USE_EAP_IDENTITY_TRUE!$USE_EAP_IDENTITY_TRUE$ac_delim
+USE_EAP_IDENTITY_FALSE!$USE_EAP_IDENTITY_FALSE$ac_delim
+USE_EAP_MD5_TRUE!$USE_EAP_MD5_TRUE$ac_delim
+USE_EAP_MD5_FALSE!$USE_EAP_MD5_FALSE$ac_delim
+USE_EAP_GTC_TRUE!$USE_EAP_GTC_TRUE$ac_delim
+USE_EAP_GTC_FALSE!$USE_EAP_GTC_FALSE$ac_delim
+USE_EAP_AKA_TRUE!$USE_EAP_AKA_TRUE$ac_delim
+USE_EAP_AKA_FALSE!$USE_EAP_AKA_FALSE$ac_delim
+USE_EAP_MSCHAPV2_TRUE!$USE_EAP_MSCHAPV2_TRUE$ac_delim
+USE_EAP_MSCHAPV2_FALSE!$USE_EAP_MSCHAPV2_FALSE$ac_delim
+USE_KERNEL_NETLINK_TRUE!$USE_KERNEL_NETLINK_TRUE$ac_delim
+USE_KERNEL_NETLINK_FALSE!$USE_KERNEL_NETLINK_FALSE$ac_delim
+USE_KERNEL_PFKEY_TRUE!$USE_KERNEL_PFKEY_TRUE$ac_delim
+USE_KERNEL_PFKEY_FALSE!$USE_KERNEL_PFKEY_FALSE$ac_delim
+USE_KERNEL_KLIPS_TRUE!$USE_KERNEL_KLIPS_TRUE$ac_delim
+USE_KERNEL_KLIPS_FALSE!$USE_KERNEL_KLIPS_FALSE$ac_delim
+USE_SMARTCARD_TRUE!$USE_SMARTCARD_TRUE$ac_delim
+USE_SMARTCARD_FALSE!$USE_SMARTCARD_FALSE$ac_delim
+USE_CISCO_QUIRKS_TRUE!$USE_CISCO_QUIRKS_TRUE$ac_delim
+USE_CISCO_QUIRKS_FALSE!$USE_CISCO_QUIRKS_FALSE$ac_delim
+USE_LEAK_DETECTIVE_TRUE!$USE_LEAK_DETECTIVE_TRUE$ac_delim
+USE_LEAK_DETECTIVE_FALSE!$USE_LEAK_DETECTIVE_FALSE$ac_delim
+USE_LOCK_PROFILER_TRUE!$USE_LOCK_PROFILER_TRUE$ac_delim
+USE_LOCK_PROFILER_FALSE!$USE_LOCK_PROFILER_FALSE$ac_delim
+USE_NAT_TRANSPORT_TRUE!$USE_NAT_TRANSPORT_TRUE$ac_delim
+USE_NAT_TRANSPORT_FALSE!$USE_NAT_TRANSPORT_FALSE$ac_delim
+USE_VENDORID_TRUE!$USE_VENDORID_TRUE$ac_delim
+USE_VENDORID_FALSE!$USE_VENDORID_FALSE$ac_delim
+USE_XAUTH_VID_TRUE!$USE_XAUTH_VID_TRUE$ac_delim
+USE_XAUTH_VID_FALSE!$USE_XAUTH_VID_FALSE$ac_delim
+USE_DUMM_TRUE!$USE_DUMM_TRUE$ac_delim
+USE_DUMM_FALSE!$USE_DUMM_FALSE$ac_delim
+USE_FAST_TRUE!$USE_FAST_TRUE$ac_delim
+USE_FAST_FALSE!$USE_FAST_FALSE$ac_delim
+USE_MANAGER_TRUE!$USE_MANAGER_TRUE$ac_delim
+USE_MANAGER_FALSE!$USE_MANAGER_FALSE$ac_delim
+USE_ME_TRUE!$USE_ME_TRUE$ac_delim
+USE_ME_FALSE!$USE_ME_FALSE$ac_delim
+USE_INTEGRITY_TEST_TRUE!$USE_INTEGRITY_TEST_TRUE$ac_delim
+USE_INTEGRITY_TEST_FALSE!$USE_INTEGRITY_TEST_FALSE$ac_delim
+USE_SELF_TEST_TRUE!$USE_SELF_TEST_TRUE$ac_delim
+USE_SELF_TEST_FALSE!$USE_SELF_TEST_FALSE$ac_delim
+USE_CAPABILITIES_TRUE!$USE_CAPABILITIES_TRUE$ac_delim
+USE_CAPABILITIES_FALSE!$USE_CAPABILITIES_FALSE$ac_delim
+USE_PLUTO_TRUE!$USE_PLUTO_TRUE$ac_delim
+USE_PLUTO_FALSE!$USE_PLUTO_FALSE$ac_delim
+USE_THREADS_TRUE!$USE_THREADS_TRUE$ac_delim
+USE_THREADS_FALSE!$USE_THREADS_FALSE$ac_delim
+USE_CHARON_TRUE!$USE_CHARON_TRUE$ac_delim
+USE_CHARON_FALSE!$USE_CHARON_FALSE$ac_delim
+USE_TOOLS_TRUE!$USE_TOOLS_TRUE$ac_delim
+USE_TOOLS_FALSE!$USE_TOOLS_FALSE$ac_delim
+USE_LIBSTRONGSWAN_TRUE!$USE_LIBSTRONGSWAN_TRUE$ac_delim
+USE_LIBSTRONGSWAN_FALSE!$USE_LIBSTRONGSWAN_FALSE$ac_delim
+USE_FILE_CONFIG_TRUE!$USE_FILE_CONFIG_TRUE$ac_delim
+USE_FILE_CONFIG_FALSE!$USE_FILE_CONFIG_FALSE$ac_delim
+LIBOBJS!$LIBOBJS$ac_delim
+LTLIBOBJS!$LTLIBOBJS$ac_delim
+_ACEOF
+
+  if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 58; then
+    break
+  elif $ac_last_try; then
+    { { echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5
+echo "$as_me: error: could not make $CONFIG_STATUS" >&2;}
    { (exit 1); exit 1; }; }
-fi
+  else
+    ac_delim="$ac_delim!$ac_delim _$ac_delim!! "
+  fi
+done
 
-: ${CONFIG_STATUS=./config.status}
-ac_clean_files_save=$ac_clean_files
-ac_clean_files="$ac_clean_files $CONFIG_STATUS"
-{ echo "$as_me:$LINENO: creating $CONFIG_STATUS" >&5
-echo "$as_me: creating $CONFIG_STATUS" >&6;}
-cat >$CONFIG_STATUS <<_ACEOF
-#! $SHELL
-# Generated by $as_me.
-# Run this file to recreate the current configuration.
-# Compiler output produced by configure, useful for debugging
-# configure, is in config.log if it exists.
+ac_eof=`sed -n '/^CEOF[0-9]*$/s/CEOF/0/p' conf$$subs.sed`
+if test -n "$ac_eof"; then
+  ac_eof=`echo "$ac_eof" | sort -nru | sed 1q`
+  ac_eof=`expr $ac_eof + 1`
+fi
 
-debug=false
-ac_cs_recheck=false
-ac_cs_silent=false
-SHELL=\${CONFIG_SHELL-$SHELL}
+cat >>$CONFIG_STATUS <<_ACEOF
+cat >"\$tmp/subs-3.sed" <<\CEOF$ac_eof
+/@[a-zA-Z_][a-zA-Z_0-9]*@/!b end
+_ACEOF
+sed '
+s/[,\\&]/\\&/g; s/@/@|#_!!_#|/g
+s/^/s,@/; s/!/@,|#_!!_#|/
+:n
+t n
+s/'"$ac_delim"'$/,g/; t
+s/$/\\/; p
+N; s/^.*\n//; s/[,\\&]/\\&/g; s/@/@|#_!!_#|/g; b n
+' >>$CONFIG_STATUS <conf$$subs.sed
+rm -f conf$$subs.sed
+cat >>$CONFIG_STATUS <<_ACEOF
+:end
+s/|#_!!_#|//g
+CEOF$ac_eof
 _ACEOF
 
+
+# VPATH may cause trouble with some makes, so we remove $(srcdir),
+# ${srcdir} and @srcdir@ from VPATH if srcdir is ".", strip leading and
+# trailing colons and then remove the whole line if VPATH becomes empty
+# (actually we leave an empty line to preserve line numbers).
+if test "x$srcdir" = x.; then
+  ac_vpsub='/^[	 ]*VPATH[	 ]*=/{
+s/:*\$(srcdir):*/:/
+s/:*\${srcdir}:*/:/
+s/:*@srcdir@:*/:/
+s/^\([^=]*=[	 ]*\):*/\1/
+s/:*$//
+s/^[^=]*=[	 ]*$//
+}'
+fi
+
 cat >>$CONFIG_STATUS <<\_ACEOF
-## --------------------- ##
-## M4sh Initialization.  ##
-## --------------------- ##
+fi # test -n "$CONFIG_FILES"
 
-# Be more Bourne compatible
-DUALCASE=1; export DUALCASE # for MKS sh
-if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
-  emulate sh
-  NULLCMD=:
-  # Zsh 3.x and 4.x performs word splitting on ${1+"$@"}, which
-  # is contrary to our usage.  Disable this feature.
-  alias -g '${1+"$@"}'='"$@"'
-  setopt NO_GLOB_SUBST
-else
-  case `(set -o) 2>/dev/null` in
-  *posix*) set -o posix ;;
-esac
 
-fi
+for ac_tag in  :F $CONFIG_FILES      :C $CONFIG_COMMANDS
+do
+  case $ac_tag in
+  :[FHLC]) ac_mode=$ac_tag; continue;;
+  esac
+  case $ac_mode$ac_tag in
+  :[FHL]*:*);;
+  :L* | :C*:*) { { echo "$as_me:$LINENO: error: Invalid tag $ac_tag." >&5
+echo "$as_me: error: Invalid tag $ac_tag." >&2;}
+   { (exit 1); exit 1; }; };;
+  :[FH]-) ac_tag=-:-;;
+  :[FH]*) ac_tag=$ac_tag:$ac_tag.in;;
+  esac
+  ac_save_IFS=$IFS
+  IFS=:
+  set x $ac_tag
+  IFS=$ac_save_IFS
+  shift
+  ac_file=$1
+  shift
+
+  case $ac_mode in
+  :L) ac_source=$1;;
+  :[FH])
+    ac_file_inputs=
+    for ac_f
+    do
+      case $ac_f in
+      -) ac_f="$tmp/stdin";;
+      *) # Look for the file first in the build tree, then in the source tree
+	 # (if the path is not absolute).  The absolute path cannot be DOS-style,
+	 # because $ac_f cannot contain `:'.
+	 test -f "$ac_f" ||
+	   case $ac_f in
+	   [\\/$]*) false;;
+	   *) test -f "$srcdir/$ac_f" && ac_f="$srcdir/$ac_f";;
+	   esac ||
+	   { { echo "$as_me:$LINENO: error: cannot find input file: $ac_f" >&5
+echo "$as_me: error: cannot find input file: $ac_f" >&2;}
+   { (exit 1); exit 1; }; };;
+      esac
+      ac_file_inputs="$ac_file_inputs $ac_f"
+    done
 
+    # Let's still pretend it is `configure' which instantiates (i.e., don't
+    # use $as_me), people would be surprised to read:
+    #    /* config.h.  Generated by config.status.  */
+    configure_input="Generated from "`IFS=:
+	  echo $* | sed 's|^[^:]*/||;s|:[^:]*/|, |g'`" by configure."
+    if test x"$ac_file" != x-; then
+      configure_input="$ac_file.  $configure_input"
+      { echo "$as_me:$LINENO: creating $ac_file" >&5
+echo "$as_me: creating $ac_file" >&6;}
+    fi
 
+    case $ac_tag in
+    *:-:* | *:-) cat >"$tmp/stdin";;
+    esac
+    ;;
+  esac
 
+  ac_dir=`$as_dirname -- "$ac_file" ||
+$as_expr X"$ac_file" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
+	 X"$ac_file" : 'X\(//\)[^/]' \| \
+	 X"$ac_file" : 'X\(//\)$' \| \
+	 X"$ac_file" : 'X\(/\)' \| . 2>/dev/null ||
+echo X"$ac_file" |
+    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
+	    s//\1/
+	    q
+	  }
+	  /^X\(\/\/\)[^/].*/{
+	    s//\1/
+	    q
+	  }
+	  /^X\(\/\/\)$/{
+	    s//\1/
+	    q
+	  }
+	  /^X\(\/\).*/{
+	    s//\1/
+	    q
+	  }
+	  s/.*/./; q'`
+  { as_dir="$ac_dir"
+  case $as_dir in #(
+  -*) as_dir=./$as_dir;;
+  esac
+  test -d "$as_dir" || { $as_mkdir_p && mkdir -p "$as_dir"; } || {
+    as_dirs=
+    while :; do
+      case $as_dir in #(
+      *\'*) as_qdir=`echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #(
+      *) as_qdir=$as_dir;;
+      esac
+      as_dirs="'$as_qdir' $as_dirs"
+      as_dir=`$as_dirname -- "$as_dir" ||
+$as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
+	 X"$as_dir" : 'X\(//\)[^/]' \| \
+	 X"$as_dir" : 'X\(//\)$' \| \
+	 X"$as_dir" : 'X\(/\)' \| . 2>/dev/null ||
+echo X"$as_dir" |
+    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
+	    s//\1/
+	    q
+	  }
+	  /^X\(\/\/\)[^/].*/{
+	    s//\1/
+	    q
+	  }
+	  /^X\(\/\/\)$/{
+	    s//\1/
+	    q
+	  }
+	  /^X\(\/\).*/{
+	    s//\1/
+	    q
+	  }
+	  s/.*/./; q'`
+      test -d "$as_dir" && break
+    done
+    test -z "$as_dirs" || eval "mkdir $as_dirs"
+  } || test -d "$as_dir" || { { echo "$as_me:$LINENO: error: cannot create directory $as_dir" >&5
+echo "$as_me: error: cannot create directory $as_dir" >&2;}
+   { (exit 1); exit 1; }; }; }
+  ac_builddir=.
 
-# PATH needs CR
-# Avoid depending upon Character Ranges.
-as_cr_letters='abcdefghijklmnopqrstuvwxyz'
-as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ'
-as_cr_Letters=$as_cr_letters$as_cr_LETTERS
-as_cr_digits='0123456789'
-as_cr_alnum=$as_cr_Letters$as_cr_digits
+case "$ac_dir" in
+.) ac_dir_suffix= ac_top_builddir_sub=. ac_top_build_prefix= ;;
+*)
+  ac_dir_suffix=/`echo "$ac_dir" | sed 's,^\.[\\/],,'`
+  # A ".." for each directory in $ac_dir_suffix.
+  ac_top_builddir_sub=`echo "$ac_dir_suffix" | sed 's,/[^\\/]*,/..,g;s,/,,'`
+  case $ac_top_builddir_sub in
+  "") ac_top_builddir_sub=. ac_top_build_prefix= ;;
+  *)  ac_top_build_prefix=$ac_top_builddir_sub/ ;;
+  esac ;;
+esac
+ac_abs_top_builddir=$ac_pwd
+ac_abs_builddir=$ac_pwd$ac_dir_suffix
+# for backward compatibility:
+ac_top_builddir=$ac_top_build_prefix
 
-# The user is always right.
-if test "${PATH_SEPARATOR+set}" != set; then
-  echo "#! /bin/sh" >conf$$.sh
-  echo  "exit 0"   >>conf$$.sh
-  chmod +x conf$$.sh
-  if (PATH="/nonexistent;."; conf$$.sh) >/dev/null 2>&1; then
-    PATH_SEPARATOR=';'
-  else
-    PATH_SEPARATOR=:
-  fi
-  rm -f conf$$.sh
-fi
+case $srcdir in
+  .)  # We are building in place.
+    ac_srcdir=.
+    ac_top_srcdir=$ac_top_builddir_sub
+    ac_abs_top_srcdir=$ac_pwd ;;
+  [\\/]* | ?:[\\/]* )  # Absolute name.
+    ac_srcdir=$srcdir$ac_dir_suffix;
+    ac_top_srcdir=$srcdir
+    ac_abs_top_srcdir=$srcdir ;;
+  *) # Relative name.
+    ac_srcdir=$ac_top_build_prefix$srcdir$ac_dir_suffix
+    ac_top_srcdir=$ac_top_build_prefix$srcdir
+    ac_abs_top_srcdir=$ac_pwd/$srcdir ;;
+esac
+ac_abs_srcdir=$ac_abs_top_srcdir$ac_dir_suffix
 
-# Support unset when possible.
-if ( (MAIL=60; unset MAIL) || exit) >/dev/null 2>&1; then
-  as_unset=unset
-else
-  as_unset=false
-fi
 
+  case $ac_mode in
+  :F)
+  #
+  # CONFIG_FILE
+  #
 
-# IFS
-# We need space, tab and new line, in precisely that order.  Quoting is
-# there to prevent editors from complaining about space-tab.
-# (If _AS_PATH_WALK were called with IFS unset, it would disable word
-# splitting by setting IFS to empty value.)
-as_nl='
-'
-IFS=" ""	$as_nl"
+  case $INSTALL in
+  [\\/$]* | ?:[\\/]* ) ac_INSTALL=$INSTALL ;;
+  *) ac_INSTALL=$ac_top_build_prefix$INSTALL ;;
+  esac
+  ac_MKDIR_P=$MKDIR_P
+  case $MKDIR_P in
+  [\\/$]* | ?:[\\/]* ) ;;
+  */*) ac_MKDIR_P=$ac_top_build_prefix$MKDIR_P ;;
+  esac
+_ACEOF
 
-# Find who we are.  Look in the path if we contain no directory separator.
-case $0 in
-  *[\\/]* ) as_myself=$0 ;;
-  *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break
-done
-IFS=$as_save_IFS
+cat >>$CONFIG_STATUS <<\_ACEOF
+# If the template does not know about datarootdir, expand it.
+# FIXME: This hack should be removed a few years after 2.60.
+ac_datarootdir_hack=; ac_datarootdir_seen=
 
-     ;;
+case `sed -n '/datarootdir/ {
+  p
+  q
+}
+/@datadir@/p
+/@docdir@/p
+/@infodir@/p
+/@localedir@/p
+/@mandir@/p
+' $ac_file_inputs` in
+*datarootdir*) ac_datarootdir_seen=yes;;
+*@datadir@*|*@docdir@*|*@infodir@*|*@localedir@*|*@mandir@*)
+  { echo "$as_me:$LINENO: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&5
+echo "$as_me: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&2;}
+_ACEOF
+cat >>$CONFIG_STATUS <<_ACEOF
+  ac_datarootdir_hack='
+  s&@datadir@&$datadir&g
+  s&@docdir@&$docdir&g
+  s&@infodir@&$infodir&g
+  s&@localedir@&$localedir&g
+  s&@mandir@&$mandir&g
+    s&\\\${datarootdir}&$datarootdir&g' ;;
 esac
-# We did not find ourselves, most probably we were run as `sh COMMAND'
-# in which case we are not to be found in the path.
-if test "x$as_myself" = x; then
-  as_myself=$0
-fi
-if test ! -f "$as_myself"; then
-  echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2
-  { (exit 1); exit 1; }
-fi
+_ACEOF
+
+# Neutralize VPATH when `$srcdir' = `.'.
+# Shell code in configure.ac might set extrasub.
+# FIXME: do we really want to maintain this feature?
+cat >>$CONFIG_STATUS <<_ACEOF
+  sed "$ac_vpsub
+$extrasub
+_ACEOF
+cat >>$CONFIG_STATUS <<\_ACEOF
+:t
+/@[a-zA-Z_][a-zA-Z_0-9]*@/!b
+s&@configure_input@&$configure_input&;t t
+s&@top_builddir@&$ac_top_builddir_sub&;t t
+s&@srcdir@&$ac_srcdir&;t t
+s&@abs_srcdir@&$ac_abs_srcdir&;t t
+s&@top_srcdir@&$ac_top_srcdir&;t t
+s&@abs_top_srcdir@&$ac_abs_top_srcdir&;t t
+s&@builddir@&$ac_builddir&;t t
+s&@abs_builddir@&$ac_abs_builddir&;t t
+s&@abs_top_builddir@&$ac_abs_top_builddir&;t t
+s&@INSTALL@&$ac_INSTALL&;t t
+s&@MKDIR_P@&$ac_MKDIR_P&;t t
+$ac_datarootdir_hack
+" $ac_file_inputs | sed -f "$tmp/subs-1.sed" | sed -f "$tmp/subs-2.sed" | sed -f "$tmp/subs-3.sed" >$tmp/out
 
-# Work around bugs in pre-3.0 UWIN ksh.
-for as_var in ENV MAIL MAILPATH
-do ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var
-done
-PS1='$ '
-PS2='> '
-PS4='+ '
+test -z "$ac_datarootdir_hack$ac_datarootdir_seen" &&
+  { ac_out=`sed -n '/\${datarootdir}/p' "$tmp/out"`; test -n "$ac_out"; } &&
+  { ac_out=`sed -n '/^[	 ]*datarootdir[	 ]*:*=/p' "$tmp/out"`; test -z "$ac_out"; } &&
+  { echo "$as_me:$LINENO: WARNING: $ac_file contains a reference to the variable \`datarootdir'
+which seems to be undefined.  Please make sure it is defined." >&5
+echo "$as_me: WARNING: $ac_file contains a reference to the variable \`datarootdir'
+which seems to be undefined.  Please make sure it is defined." >&2;}
 
-# NLS nuisances.
-for as_var in \
-  LANG LANGUAGE LC_ADDRESS LC_ALL LC_COLLATE LC_CTYPE LC_IDENTIFICATION \
-  LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER \
-  LC_TELEPHONE LC_TIME
-do
-  if (set +x; test -z "`(eval $as_var=C; export $as_var) 2>&1`"); then
-    eval $as_var=C; export $as_var
-  else
-    ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var
-  fi
-done
+  rm -f "$tmp/stdin"
+  case $ac_file in
+  -) cat "$tmp/out"; rm -f "$tmp/out";;
+  *) rm -f "$ac_file"; mv "$tmp/out" $ac_file;;
+  esac
+ ;;
 
-# Required to use basename.
-if expr a : '\(a\)' >/dev/null 2>&1 &&
-   test "X`expr 00001 : '.*\(...\)'`" = X001; then
-  as_expr=expr
-else
-  as_expr=false
-fi
 
-if (basename -- /) >/dev/null 2>&1 && test "X`basename -- / 2>&1`" = "X/"; then
-  as_basename=basename
-else
-  as_basename=false
-fi
+  :C)  { echo "$as_me:$LINENO: executing $ac_file commands" >&5
+echo "$as_me: executing $ac_file commands" >&6;}
+ ;;
+  esac
 
 
-# Name of the executable.
-as_me=`$as_basename -- "$0" ||
-$as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \
-	 X"$0" : 'X\(//\)$' \| \
-	 X"$0" : 'X\(/\)' \| . 2>/dev/null ||
-echo X/"$0" |
-    sed '/^.*\/\([^/][^/]*\)\/*$/{
+  case $ac_file$ac_mode in
+    "depfiles":C) test x"$AMDEP_TRUE" != x"" || for mf in $CONFIG_FILES; do
+  # Strip MF so we end up with the name of the file.
+  mf=`echo "$mf" | sed -e 's/:.*$//'`
+  # Check whether this is an Automake generated Makefile or not.
+  # We used to match only the files named `Makefile.in', but
+  # some people rename them; so instead we look at the file content.
+  # Grep'ing the first line is not enough: some people post-process
+  # each Makefile.in and add a new line on top of each file to say so.
+  # Grep'ing the whole file is not good either: AIX grep has a line
+  # limit of 2048, but all sed's we know have understand at least 4000.
+  if sed -n 's,^#.*generated by automake.*,X,p' "$mf" | grep X >/dev/null 2>&1; then
+    dirpart=`$as_dirname -- "$mf" ||
+$as_expr X"$mf" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
+	 X"$mf" : 'X\(//\)[^/]' \| \
+	 X"$mf" : 'X\(//\)$' \| \
+	 X"$mf" : 'X\(/\)' \| . 2>/dev/null ||
+echo X"$mf" |
+    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
 	    s//\1/
 	    q
 	  }
-	  /^X\/\(\/\/\)$/{
+	  /^X\(\/\/\)[^/].*/{
 	    s//\1/
 	    q
 	  }
-	  /^X\/\(\/\).*/{
+	  /^X\(\/\/\)$/{
+	    s//\1/
+	    q
+	  }
+	  /^X\(\/\).*/{
+	    s//\1/
+	    q
+	  }
+	  s/.*/./; q'`
+  else
+    continue
+  fi
+  # Extract the definition of DEPDIR, am__include, and am__quote
+  # from the Makefile without running `make'.
+  DEPDIR=`sed -n 's/^DEPDIR = //p' < "$mf"`
+  test -z "$DEPDIR" && continue
+  am__include=`sed -n 's/^am__include = //p' < "$mf"`
+  test -z "am__include" && continue
+  am__quote=`sed -n 's/^am__quote = //p' < "$mf"`
+  # When using ansi2knr, U may be empty or an underscore; expand it
+  U=`sed -n 's/^U = //p' < "$mf"`
+  # Find all dependency output files, they are included files with
+  # $(DEPDIR) in their names.  We invoke sed twice because it is the
+  # simplest approach to changing $(DEPDIR) to its actual value in the
+  # expansion.
+  for file in `sed -n "
+    s/^$am__include $am__quote\(.*(DEPDIR).*\)$am__quote"'$/\1/p' <"$mf" | \
+       sed -e 's/\$(DEPDIR)/'"$DEPDIR"'/g' -e 's/\$U/'"$U"'/g'`; do
+    # Make sure the directory exists.
+    test -f "$dirpart/$file" && continue
+    fdir=`$as_dirname -- "$file" ||
+$as_expr X"$file" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
+	 X"$file" : 'X\(//\)[^/]' \| \
+	 X"$file" : 'X\(//\)$' \| \
+	 X"$file" : 'X\(/\)' \| . 2>/dev/null ||
+echo X"$file" |
+    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
+	    s//\1/
+	    q
+	  }
+	  /^X\(\/\/\)[^/].*/{
+	    s//\1/
+	    q
+	  }
+	  /^X\(\/\/\)$/{
+	    s//\1/
+	    q
+	  }
+	  /^X\(\/\).*/{
+	    s//\1/
+	    q
+	  }
+	  s/.*/./; q'`
+    { as_dir=$dirpart/$fdir
+  case $as_dir in #(
+  -*) as_dir=./$as_dir;;
+  esac
+  test -d "$as_dir" || { $as_mkdir_p && mkdir -p "$as_dir"; } || {
+    as_dirs=
+    while :; do
+      case $as_dir in #(
+      *\'*) as_qdir=`echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #(
+      *) as_qdir=$as_dir;;
+      esac
+      as_dirs="'$as_qdir' $as_dirs"
+      as_dir=`$as_dirname -- "$as_dir" ||
+$as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
+	 X"$as_dir" : 'X\(//\)[^/]' \| \
+	 X"$as_dir" : 'X\(//\)$' \| \
+	 X"$as_dir" : 'X\(/\)' \| . 2>/dev/null ||
+echo X"$as_dir" |
+    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
+	    s//\1/
+	    q
+	  }
+	  /^X\(\/\/\)[^/].*/{
+	    s//\1/
+	    q
+	  }
+	  /^X\(\/\/\)$/{
+	    s//\1/
+	    q
+	  }
+	  /^X\(\/\).*/{
 	    s//\1/
 	    q
 	  }
 	  s/.*/./; q'`
+      test -d "$as_dir" && break
+    done
+    test -z "$as_dirs" || eval "mkdir $as_dirs"
+  } || test -d "$as_dir" || { { echo "$as_me:$LINENO: error: cannot create directory $as_dir" >&5
+echo "$as_me: error: cannot create directory $as_dir" >&2;}
+   { (exit 1); exit 1; }; }; }
+    # echo "creating $dirpart/$file"
+    echo '# dummy' > "$dirpart/$file"
+  done
+done
+ ;;
+    "libtool":C)
 
-# CDPATH.
-$as_unset CDPATH
+    # See if we are running on zsh, and set the options which allow our
+    # commands through without removal of \ escapes.
+    if test -n "${ZSH_VERSION+set}" ; then
+      setopt NO_GLOB_SUBST
+    fi
 
+    cfgfile="${ofile}T"
+    trap "$RM \"$cfgfile\"; exit 1" 1 2 15
+    $RM "$cfgfile"
 
+    cat <<_LT_EOF >> "$cfgfile"
+#! $SHELL
 
-  as_lineno_1=$LINENO
-  as_lineno_2=$LINENO
-  test "x$as_lineno_1" != "x$as_lineno_2" &&
-  test "x`expr $as_lineno_1 + 1`" = "x$as_lineno_2" || {
+# `$ECHO "$ofile" | sed 's%^.*/%%'` - Provide generalized library-building support services.
+# Generated automatically by $as_me ($PACKAGE$TIMESTAMP) $VERSION
+# Libtool was configured on host `(hostname || uname -n) 2>/dev/null | sed 1q`:
+# NOTE: Changes made to this file will be lost: look at ltmain.sh.
+#
+#   Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2003, 2004, 2005,
+#                 2006, 2007, 2008 Free Software Foundation, Inc.
+#   Written by Gordon Matzigkeit, 1996
+#
+#   This file is part of GNU Libtool.
+#
+# GNU Libtool is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; either version 2 of
+# the License, or (at your option) any later version.
+#
+# As a special exception to the GNU General Public License,
+# if you distribute this file as part of a program or library that
+# is built using GNU Libtool, you may include this file under the
+# same distribution terms that you use for the rest of that program.
+#
+# GNU Libtool is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GNU Libtool; see the file COPYING.  If not, a copy
+# can be downloaded from http://www.gnu.org/licenses/gpl.html, or
+# obtained by writing to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
 
-  # Create $as_me.lineno as a copy of $as_myself, but with $LINENO
-  # uniformly replaced by the line number.  The first 'sed' inserts a
-  # line-number line after each line using $LINENO; the second 'sed'
-  # does the real work.  The second script uses 'N' to pair each
-  # line-number line with the line containing $LINENO, and appends
-  # trailing '-' during substitution so that $LINENO is not a special
-  # case at line end.
-  # (Raja R Harinath suggested sed '=', and Paul Eggert wrote the
-  # scripts with optimization help from Paolo Bonzini.  Blame Lee
-  # E. McMahon (1931-1989) for sed's syntax.  :-)
-  sed -n '
-    p
-    /[$]LINENO/=
-  ' <$as_myself |
-    sed '
-      s/[$]LINENO.*/&-/
-      t lineno
-      b
-      :lineno
-      N
-      :loop
-      s/[$]LINENO\([^'$as_cr_alnum'_].*\n\)\(.*\)/\2\1\2/
-      t loop
-      s/-\n.*//
-    ' >$as_me.lineno &&
-  chmod +x "$as_me.lineno" ||
-    { echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2
-   { (exit 1); exit 1; }; }
 
-  # Don't try to exec as it changes $[0], causing all sort of problems
-  # (the dirname of $[0] is not the place where we might find the
-  # original and so on.  Autoconf is especially sensitive to this).
-  . "./$as_me.lineno"
-  # Exit status is that of the last command.
-  exit
-}
+# The names of the tagged configurations supported by this script.
+available_tags=""
+
+# ### BEGIN LIBTOOL CONFIG
+
+# Which release of libtool.m4 was used?
+macro_version=$macro_version
+macro_revision=$macro_revision
+
+# Whether or not to build shared libraries.
+build_libtool_libs=$enable_shared
+
+# Whether or not to build static libraries.
+build_old_libs=$enable_static
+
+# What type of objects to build.
+pic_mode=$pic_mode
+
+# Whether or not to optimize for fast installation.
+fast_install=$enable_fast_install
+
+# The host system.
+host_alias=$host_alias
+host=$host
+host_os=$host_os
+
+# The build system.
+build_alias=$build_alias
+build=$build
+build_os=$build_os
+
+# A sed program that does not truncate output.
+SED=$lt_SED
+
+# Sed that helps us avoid accidentally triggering echo(1) options like -n.
+Xsed="\$SED -e 1s/^X//"
 
+# A grep program that handles long lines.
+GREP=$lt_GREP
 
-if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then
-  as_dirname=dirname
-else
-  as_dirname=false
-fi
+# An ERE matcher.
+EGREP=$lt_EGREP
 
-ECHO_C= ECHO_N= ECHO_T=
-case `echo -n x` in
--n*)
-  case `echo 'x\c'` in
-  *c*) ECHO_T='	';;	# ECHO_T is single tab character.
-  *)   ECHO_C='\c';;
-  esac;;
-*)
-  ECHO_N='-n';;
-esac
+# A literal string matcher.
+FGREP=$lt_FGREP
 
-if expr a : '\(a\)' >/dev/null 2>&1 &&
-   test "X`expr 00001 : '.*\(...\)'`" = X001; then
-  as_expr=expr
-else
-  as_expr=false
-fi
+# A BSD- or MS-compatible name lister.
+NM=$lt_NM
 
-rm -f conf$$ conf$$.exe conf$$.file
-if test -d conf$$.dir; then
-  rm -f conf$$.dir/conf$$.file
-else
-  rm -f conf$$.dir
-  mkdir conf$$.dir
-fi
-echo >conf$$.file
-if ln -s conf$$.file conf$$ 2>/dev/null; then
-  as_ln_s='ln -s'
-  # ... but there are two gotchas:
-  # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail.
-  # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable.
-  # In both cases, we have to default to `cp -p'.
-  ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe ||
-    as_ln_s='cp -p'
-elif ln conf$$.file conf$$ 2>/dev/null; then
-  as_ln_s=ln
-else
-  as_ln_s='cp -p'
-fi
-rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file
-rmdir conf$$.dir 2>/dev/null
+# Whether we need soft or hard links.
+LN_S=$lt_LN_S
 
-if mkdir -p . 2>/dev/null; then
-  as_mkdir_p=:
-else
-  test -d ./-p && rmdir ./-p
-  as_mkdir_p=false
-fi
+# What is the maximum length of a command?
+max_cmd_len=$max_cmd_len
 
-if test -x / >/dev/null 2>&1; then
-  as_test_x='test -x'
-else
-  if ls -dL / >/dev/null 2>&1; then
-    as_ls_L_option=L
-  else
-    as_ls_L_option=
-  fi
-  as_test_x='
-    eval sh -c '\''
-      if test -d "$1"; then
-        test -d "$1/.";
-      else
-	case $1 in
-        -*)set "./$1";;
-	esac;
-	case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in
-	???[sx]*):;;*)false;;esac;fi
-    '\'' sh
-  '
-fi
-as_executable_p=$as_test_x
+# Object file suffix (normally "o").
+objext=$ac_objext
 
-# Sed expression to map a string onto a valid CPP name.
-as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'"
+# Executable file suffix (normally "").
+exeext=$exeext
 
-# Sed expression to map a string onto a valid variable name.
-as_tr_sh="eval sed 'y%*+%pp%;s%[^_$as_cr_alnum]%_%g'"
+# whether the shell understands "unset".
+lt_unset=$lt_unset
 
+# turn spaces into newlines.
+SP2NL=$lt_lt_SP2NL
 
-exec 6>&1
+# turn newlines into spaces.
+NL2SP=$lt_lt_NL2SP
 
-# Save the log message, to keep $[0] and so on meaningful, and to
-# report actual input values of CONFIG_FILES etc. instead of their
-# values after options handling.
-ac_log="
-This file was extended by strongSwan $as_me 4.2.9, which was
-generated by GNU Autoconf 2.61.  Invocation command line was
+# How to create reloadable object files.
+reload_flag=$lt_reload_flag
+reload_cmds=$lt_reload_cmds
 
-  CONFIG_FILES    = $CONFIG_FILES
-  CONFIG_HEADERS  = $CONFIG_HEADERS
-  CONFIG_LINKS    = $CONFIG_LINKS
-  CONFIG_COMMANDS = $CONFIG_COMMANDS
-  $ $0 $@
+# Method to check whether dependent libraries are shared objects.
+deplibs_check_method=$lt_deplibs_check_method
 
-on `(hostname || uname -n) 2>/dev/null | sed 1q`
-"
+# Command to use when deplibs_check_method == "file_magic".
+file_magic_cmd=$lt_file_magic_cmd
 
-_ACEOF
+# The archiver.
+AR=$lt_AR
+AR_FLAGS=$lt_AR_FLAGS
 
-cat >>$CONFIG_STATUS <<_ACEOF
-# Files that config.status was made for.
-config_files="$ac_config_files"
-config_commands="$ac_config_commands"
+# A symbol stripping program.
+STRIP=$lt_STRIP
 
-_ACEOF
+# Commands used to install an old-style archive.
+RANLIB=$lt_RANLIB
+old_postinstall_cmds=$lt_old_postinstall_cmds
+old_postuninstall_cmds=$lt_old_postuninstall_cmds
 
-cat >>$CONFIG_STATUS <<\_ACEOF
-ac_cs_usage="\
-\`$as_me' instantiates files from templates according to the
-current configuration.
+# A C compiler.
+LTCC=$lt_CC
 
-Usage: $0 [OPTIONS] [FILE]...
+# LTCC compiler flags.
+LTCFLAGS=$lt_CFLAGS
 
-  -h, --help       print this help, then exit
-  -V, --version    print version number and configuration settings, then exit
-  -q, --quiet      do not print progress messages
-  -d, --debug      don't remove temporary files
-      --recheck    update $as_me by reconfiguring in the same conditions
-  --file=FILE[:TEMPLATE]
-		   instantiate the configuration file FILE
+# Take the output of nm and produce a listing of raw symbols and C names.
+global_symbol_pipe=$lt_lt_cv_sys_global_symbol_pipe
 
-Configuration files:
-$config_files
+# Transform the output of nm in a proper C declaration.
+global_symbol_to_cdecl=$lt_lt_cv_sys_global_symbol_to_cdecl
 
-Configuration commands:
-$config_commands
+# Transform the output of nm in a C name address pair.
+global_symbol_to_c_name_address=$lt_lt_cv_sys_global_symbol_to_c_name_address
 
-Report bugs to <bug-autoconf@gnu.org>."
+# Transform the output of nm in a C name address pair when lib prefix is needed.
+global_symbol_to_c_name_address_lib_prefix=$lt_lt_cv_sys_global_symbol_to_c_name_address_lib_prefix
 
-_ACEOF
-cat >>$CONFIG_STATUS <<_ACEOF
-ac_cs_version="\\
-strongSwan config.status 4.2.9
-configured by $0, generated by GNU Autoconf 2.61,
-  with options \\"`echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`\\"
+# The name of the directory that contains temporary libtool files.
+objdir=$objdir
 
-Copyright (C) 2006 Free Software Foundation, Inc.
-This config.status script is free software; the Free Software Foundation
-gives unlimited permission to copy, distribute and modify it."
+# Shell to use when invoking shell scripts.
+SHELL=$lt_SHELL
 
-ac_pwd='$ac_pwd'
-srcdir='$srcdir'
-INSTALL='$INSTALL'
-MKDIR_P='$MKDIR_P'
-_ACEOF
+# An echo program that does not interpret backslashes.
+ECHO=$lt_ECHO
 
-cat >>$CONFIG_STATUS <<\_ACEOF
-# If no file are specified by the user, then we need to provide default
-# value.  By we need to know if files were specified by the user.
-ac_need_defaults=:
-while test $# != 0
-do
-  case $1 in
-  --*=*)
-    ac_option=`expr "X$1" : 'X\([^=]*\)='`
-    ac_optarg=`expr "X$1" : 'X[^=]*=\(.*\)'`
-    ac_shift=:
-    ;;
-  *)
-    ac_option=$1
-    ac_optarg=$2
-    ac_shift=shift
-    ;;
-  esac
+# Used to examine libraries when file_magic_cmd begins with "file".
+MAGIC_CMD=$MAGIC_CMD
 
-  case $ac_option in
-  # Handling of the options.
-  -recheck | --recheck | --rechec | --reche | --rech | --rec | --re | --r)
-    ac_cs_recheck=: ;;
-  --version | --versio | --versi | --vers | --ver | --ve | --v | -V )
-    echo "$ac_cs_version"; exit ;;
-  --debug | --debu | --deb | --de | --d | -d )
-    debug=: ;;
-  --file | --fil | --fi | --f )
-    $ac_shift
-    CONFIG_FILES="$CONFIG_FILES $ac_optarg"
-    ac_need_defaults=false;;
-  --he | --h |  --help | --hel | -h )
-    echo "$ac_cs_usage"; exit ;;
-  -q | -quiet | --quiet | --quie | --qui | --qu | --q \
-  | -silent | --silent | --silen | --sile | --sil | --si | --s)
-    ac_cs_silent=: ;;
+# Must we lock files when doing compilation?
+need_locks=$lt_need_locks
 
-  # This is an error.
-  -*) { echo "$as_me: error: unrecognized option: $1
-Try \`$0 --help' for more information." >&2
-   { (exit 1); exit 1; }; } ;;
+# Tool to manipulate archived DWARF debug symbol files on Mac OS X.
+DSYMUTIL=$lt_DSYMUTIL
 
-  *) ac_config_targets="$ac_config_targets $1"
-     ac_need_defaults=false ;;
+# Tool to change global to local symbols on Mac OS X.
+NMEDIT=$lt_NMEDIT
 
-  esac
-  shift
-done
+# Tool to manipulate fat objects and archives on Mac OS X.
+LIPO=$lt_LIPO
 
-ac_configure_extra_args=
+# ldd/readelf like tool for Mach-O binaries on Mac OS X.
+OTOOL=$lt_OTOOL
 
-if $ac_cs_silent; then
-  exec 6>/dev/null
-  ac_configure_extra_args="$ac_configure_extra_args --silent"
-fi
+# ldd/readelf like tool for 64 bit Mach-O binaries on Mac OS X 10.4.
+OTOOL64=$lt_OTOOL64
 
-_ACEOF
-cat >>$CONFIG_STATUS <<_ACEOF
-if \$ac_cs_recheck; then
-  echo "running CONFIG_SHELL=$SHELL $SHELL $0 "$ac_configure_args \$ac_configure_extra_args " --no-create --no-recursion" >&6
-  CONFIG_SHELL=$SHELL
-  export CONFIG_SHELL
-  exec $SHELL "$0"$ac_configure_args \$ac_configure_extra_args --no-create --no-recursion
-fi
+# Old archive suffix (normally "a").
+libext=$libext
+
+# Shared library suffix (normally ".so").
+shrext_cmds=$lt_shrext_cmds
+
+# The commands to extract the exported symbol list from a shared archive.
+extract_expsyms_cmds=$lt_extract_expsyms_cmds
+
+# Variables whose values should be saved in libtool wrapper scripts and
+# restored at link time.
+variables_saved_for_relink=$lt_variables_saved_for_relink
+
+# Do we need the "lib" prefix for modules?
+need_lib_prefix=$need_lib_prefix
+
+# Do we need a version for libraries?
+need_version=$need_version
+
+# Library versioning type.
+version_type=$version_type
+
+# Shared library runtime path variable.
+runpath_var=$runpath_var
+
+# Shared library path variable.
+shlibpath_var=$shlibpath_var
+
+# Is shlibpath searched before the hard-coded library search path?
+shlibpath_overrides_runpath=$shlibpath_overrides_runpath
+
+# Format of library name prefix.
+libname_spec=$lt_libname_spec
+
+# List of archive names.  First name is the real one, the rest are links.
+# The last name is the one that the linker finds with -lNAME
+library_names_spec=$lt_library_names_spec
+
+# The coded name of the library, if different from the real name.
+soname_spec=$lt_soname_spec
 
-_ACEOF
-cat >>$CONFIG_STATUS <<\_ACEOF
-exec 5>>config.log
-{
-  echo
-  sed 'h;s/./-/g;s/^.../## /;s/...$/ ##/;p;x;p;x' <<_ASBOX
-## Running $as_me. ##
-_ASBOX
-  echo "$ac_log"
-} >&5
+# Command to use after installation of a shared archive.
+postinstall_cmds=$lt_postinstall_cmds
 
-_ACEOF
-cat >>$CONFIG_STATUS <<_ACEOF
-#
-# INIT-COMMANDS
-#
-AMDEP_TRUE="$AMDEP_TRUE" ac_aux_dir="$ac_aux_dir"
+# Command to use after uninstallation of a shared archive.
+postuninstall_cmds=$lt_postuninstall_cmds
 
-_ACEOF
+# Commands used to finish a libtool library installation in a directory.
+finish_cmds=$lt_finish_cmds
 
-cat >>$CONFIG_STATUS <<\_ACEOF
+# As "finish_cmds", except a single script fragment to be evaled but
+# not shown.
+finish_eval=$lt_finish_eval
 
-# Handling of arguments.
-for ac_config_target in $ac_config_targets
-do
-  case $ac_config_target in
-    "depfiles") CONFIG_COMMANDS="$CONFIG_COMMANDS depfiles" ;;
-    "Makefile") CONFIG_FILES="$CONFIG_FILES Makefile" ;;
-    "src/Makefile") CONFIG_FILES="$CONFIG_FILES src/Makefile" ;;
-    "src/include/Makefile") CONFIG_FILES="$CONFIG_FILES src/include/Makefile" ;;
-    "src/libstrongswan/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/Makefile" ;;
-    "src/libstrongswan/plugins/aes/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/aes/Makefile" ;;
-    "src/libstrongswan/plugins/des/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/des/Makefile" ;;
-    "src/libstrongswan/plugins/md5/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/md5/Makefile" ;;
-    "src/libstrongswan/plugins/sha1/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/sha1/Makefile" ;;
-    "src/libstrongswan/plugins/sha2/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/sha2/Makefile" ;;
-    "src/libstrongswan/plugins/fips_prf/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/fips_prf/Makefile" ;;
-    "src/libstrongswan/plugins/gmp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/gmp/Makefile" ;;
-    "src/libstrongswan/plugins/random/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/random/Makefile" ;;
-    "src/libstrongswan/plugins/hmac/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/hmac/Makefile" ;;
-    "src/libstrongswan/plugins/xcbc/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/xcbc/Makefile" ;;
-    "src/libstrongswan/plugins/x509/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/x509/Makefile" ;;
-    "src/libstrongswan/plugins/pubkey/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/pubkey/Makefile" ;;
-    "src/libstrongswan/plugins/curl/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/curl/Makefile" ;;
-    "src/libstrongswan/plugins/ldap/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/ldap/Makefile" ;;
-    "src/libstrongswan/plugins/mysql/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/mysql/Makefile" ;;
-    "src/libstrongswan/plugins/sqlite/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/sqlite/Makefile" ;;
-    "src/libstrongswan/plugins/padlock/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/padlock/Makefile" ;;
-    "src/libstrongswan/plugins/openssl/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/openssl/Makefile" ;;
-    "src/libstrongswan/plugins/agent/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/agent/Makefile" ;;
-    "src/libstrongswan/fips/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/fips/Makefile" ;;
-    "src/libcrypto/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcrypto/Makefile" ;;
-    "src/libfreeswan/Makefile") CONFIG_FILES="$CONFIG_FILES src/libfreeswan/Makefile" ;;
-    "src/pluto/Makefile") CONFIG_FILES="$CONFIG_FILES src/pluto/Makefile" ;;
-    "src/whack/Makefile") CONFIG_FILES="$CONFIG_FILES src/whack/Makefile" ;;
-    "src/charon/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/Makefile" ;;
-    "src/charon/plugins/eap_aka/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/eap_aka/Makefile" ;;
-    "src/charon/plugins/eap_identity/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/eap_identity/Makefile" ;;
-    "src/charon/plugins/eap_md5/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/eap_md5/Makefile" ;;
-    "src/charon/plugins/eap_gtc/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/eap_gtc/Makefile" ;;
-    "src/charon/plugins/eap_sim/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/eap_sim/Makefile" ;;
-    "src/charon/plugins/eap_sim_file/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/eap_sim_file/Makefile" ;;
-    "src/charon/plugins/kernel_netlink/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/kernel_netlink/Makefile" ;;
-    "src/charon/plugins/kernel_pfkey/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/kernel_pfkey/Makefile" ;;
-    "src/charon/plugins/kernel_klips/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/kernel_klips/Makefile" ;;
-    "src/charon/plugins/smp/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/smp/Makefile" ;;
-    "src/charon/plugins/sql/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/sql/Makefile" ;;
-    "src/charon/plugins/medsrv/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/medsrv/Makefile" ;;
-    "src/charon/plugins/medcli/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/medcli/Makefile" ;;
-    "src/charon/plugins/nm/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/nm/Makefile" ;;
-    "src/charon/plugins/uci/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/uci/Makefile" ;;
-    "src/charon/plugins/stroke/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/stroke/Makefile" ;;
-    "src/charon/plugins/updown/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/updown/Makefile" ;;
-    "src/charon/plugins/unit_tester/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/unit_tester/Makefile" ;;
-    "src/charon/plugins/load_tester/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/load_tester/Makefile" ;;
-    "src/stroke/Makefile") CONFIG_FILES="$CONFIG_FILES src/stroke/Makefile" ;;
-    "src/ipsec/Makefile") CONFIG_FILES="$CONFIG_FILES src/ipsec/Makefile" ;;
-    "src/starter/Makefile") CONFIG_FILES="$CONFIG_FILES src/starter/Makefile" ;;
-    "src/_updown/Makefile") CONFIG_FILES="$CONFIG_FILES src/_updown/Makefile" ;;
-    "src/_updown_espmark/Makefile") CONFIG_FILES="$CONFIG_FILES src/_updown_espmark/Makefile" ;;
-    "src/_copyright/Makefile") CONFIG_FILES="$CONFIG_FILES src/_copyright/Makefile" ;;
-    "src/openac/Makefile") CONFIG_FILES="$CONFIG_FILES src/openac/Makefile" ;;
-    "src/scepclient/Makefile") CONFIG_FILES="$CONFIG_FILES src/scepclient/Makefile" ;;
-    "src/dumm/Makefile") CONFIG_FILES="$CONFIG_FILES src/dumm/Makefile" ;;
-    "src/libfast/Makefile") CONFIG_FILES="$CONFIG_FILES src/libfast/Makefile" ;;
-    "src/manager/Makefile") CONFIG_FILES="$CONFIG_FILES src/manager/Makefile" ;;
-    "src/medsrv/Makefile") CONFIG_FILES="$CONFIG_FILES src/medsrv/Makefile" ;;
-    "scripts/Makefile") CONFIG_FILES="$CONFIG_FILES scripts/Makefile" ;;
-    "testing/Makefile") CONFIG_FILES="$CONFIG_FILES testing/Makefile" ;;
+# Whether we should hardcode library paths into libraries.
+hardcode_into_libs=$hardcode_into_libs
 
-  *) { { echo "$as_me:$LINENO: error: invalid argument: $ac_config_target" >&5
-echo "$as_me: error: invalid argument: $ac_config_target" >&2;}
-   { (exit 1); exit 1; }; };;
-  esac
-done
+# Compile-time system search path for libraries.
+sys_lib_search_path_spec=$lt_sys_lib_search_path_spec
 
+# Run-time system search path for libraries.
+sys_lib_dlsearch_path_spec=$lt_sys_lib_dlsearch_path_spec
 
-# If the user did not use the arguments to specify the items to instantiate,
-# then the envvar interface is used.  Set only those that are not.
-# We use the long form for the default assignment because of an extremely
-# bizarre bug on SunOS 4.1.3.
-if $ac_need_defaults; then
-  test "${CONFIG_FILES+set}" = set || CONFIG_FILES=$config_files
-  test "${CONFIG_COMMANDS+set}" = set || CONFIG_COMMANDS=$config_commands
-fi
+# Whether dlopen is supported.
+dlopen_support=$enable_dlopen
 
-# Have a temporary directory for convenience.  Make it in the build tree
-# simply because there is no reason against having it here, and in addition,
-# creating and moving files from /tmp can sometimes cause problems.
-# Hook for its removal unless debugging.
-# Note that there is a small window in which the directory will not be cleaned:
-# after its creation but before its name has been assigned to `$tmp'.
-$debug ||
-{
-  tmp=
-  trap 'exit_status=$?
-  { test -z "$tmp" || test ! -d "$tmp" || rm -fr "$tmp"; } && exit $exit_status
-' 0
-  trap '{ (exit 1); exit 1; }' 1 2 13 15
-}
-# Create a (secure) tmp directory for tmp files.
+# Whether dlopen of programs is supported.
+dlopen_self=$enable_dlopen_self
 
-{
-  tmp=`(umask 077 && mktemp -d "./confXXXXXX") 2>/dev/null` &&
-  test -n "$tmp" && test -d "$tmp"
-}  ||
-{
-  tmp=./conf$$-$RANDOM
-  (umask 077 && mkdir "$tmp")
-} ||
-{
-   echo "$me: cannot create a temporary directory in ." >&2
-   { (exit 1); exit 1; }
-}
+# Whether dlopen of statically linked programs is supported.
+dlopen_self_static=$enable_dlopen_self_static
 
-#
-# Set up the sed scripts for CONFIG_FILES section.
-#
+# Commands to strip libraries.
+old_striplib=$lt_old_striplib
+striplib=$lt_striplib
 
-# No need to generate the scripts if there are no CONFIG_FILES.
-# This happens for instance when ./config.status config.h
-if test -n "$CONFIG_FILES"; then
 
-_ACEOF
+# The linker used to build libraries.
+LD=$lt_LD
 
+# Commands used to build an old-style archive.
+old_archive_cmds=$lt_old_archive_cmds
 
+# A language specific compiler.
+CC=$lt_compiler
 
-ac_delim='%!_!# '
-for ac_last_try in false false false false false :; do
-  cat >conf$$subs.sed <<_ACEOF
-SHELL!$SHELL$ac_delim
-PATH_SEPARATOR!$PATH_SEPARATOR$ac_delim
-PACKAGE_NAME!$PACKAGE_NAME$ac_delim
-PACKAGE_TARNAME!$PACKAGE_TARNAME$ac_delim
-PACKAGE_VERSION!$PACKAGE_VERSION$ac_delim
-PACKAGE_STRING!$PACKAGE_STRING$ac_delim
-PACKAGE_BUGREPORT!$PACKAGE_BUGREPORT$ac_delim
-exec_prefix!$exec_prefix$ac_delim
-prefix!$prefix$ac_delim
-program_transform_name!$program_transform_name$ac_delim
-bindir!$bindir$ac_delim
-sbindir!$sbindir$ac_delim
-libexecdir!$libexecdir$ac_delim
-datarootdir!$datarootdir$ac_delim
-datadir!$datadir$ac_delim
-sysconfdir!$sysconfdir$ac_delim
-sharedstatedir!$sharedstatedir$ac_delim
-localstatedir!$localstatedir$ac_delim
-includedir!$includedir$ac_delim
-oldincludedir!$oldincludedir$ac_delim
-docdir!$docdir$ac_delim
-infodir!$infodir$ac_delim
-htmldir!$htmldir$ac_delim
-dvidir!$dvidir$ac_delim
-pdfdir!$pdfdir$ac_delim
-psdir!$psdir$ac_delim
-libdir!$libdir$ac_delim
-localedir!$localedir$ac_delim
-mandir!$mandir$ac_delim
-DEFS!$DEFS$ac_delim
-ECHO_C!$ECHO_C$ac_delim
-ECHO_N!$ECHO_N$ac_delim
-ECHO_T!$ECHO_T$ac_delim
-LIBS!$LIBS$ac_delim
-build_alias!$build_alias$ac_delim
-host_alias!$host_alias$ac_delim
-target_alias!$target_alias$ac_delim
-INSTALL_PROGRAM!$INSTALL_PROGRAM$ac_delim
-INSTALL_SCRIPT!$INSTALL_SCRIPT$ac_delim
-INSTALL_DATA!$INSTALL_DATA$ac_delim
-am__isrc!$am__isrc$ac_delim
-CYGPATH_W!$CYGPATH_W$ac_delim
-PACKAGE!$PACKAGE$ac_delim
-VERSION!$VERSION$ac_delim
-ACLOCAL!$ACLOCAL$ac_delim
-AUTOCONF!$AUTOCONF$ac_delim
-AUTOMAKE!$AUTOMAKE$ac_delim
-AUTOHEADER!$AUTOHEADER$ac_delim
-MAKEINFO!$MAKEINFO$ac_delim
-install_sh!$install_sh$ac_delim
-STRIP!$STRIP$ac_delim
-INSTALL_STRIP_PROGRAM!$INSTALL_STRIP_PROGRAM$ac_delim
-mkdir_p!$mkdir_p$ac_delim
-AWK!$AWK$ac_delim
-SET_MAKE!$SET_MAKE$ac_delim
-am__leading_dot!$am__leading_dot$ac_delim
-AMTAR!$AMTAR$ac_delim
-am__tar!$am__tar$ac_delim
-am__untar!$am__untar$ac_delim
-CC!$CC$ac_delim
-CFLAGS!$CFLAGS$ac_delim
-LDFLAGS!$LDFLAGS$ac_delim
-CPPFLAGS!$CPPFLAGS$ac_delim
-ac_ct_CC!$ac_ct_CC$ac_delim
-EXEEXT!$EXEEXT$ac_delim
-OBJEXT!$OBJEXT$ac_delim
-DEPDIR!$DEPDIR$ac_delim
-am__include!$am__include$ac_delim
-am__quote!$am__quote$ac_delim
-AMDEP_TRUE!$AMDEP_TRUE$ac_delim
-AMDEP_FALSE!$AMDEP_FALSE$ac_delim
-AMDEPBACKSLASH!$AMDEPBACKSLASH$ac_delim
-CCDEPMODE!$CCDEPMODE$ac_delim
-am__fastdepCC_TRUE!$am__fastdepCC_TRUE$ac_delim
-am__fastdepCC_FALSE!$am__fastdepCC_FALSE$ac_delim
-CPP!$CPP$ac_delim
-GREP!$GREP$ac_delim
-EGREP!$EGREP$ac_delim
-confdir!$confdir$ac_delim
-PKG_CONFIG!$PKG_CONFIG$ac_delim
-resolv_conf!$resolv_conf$ac_delim
-strongswan_conf!$strongswan_conf$ac_delim
-piddir!$piddir$ac_delim
-ipsecdir!$ipsecdir$ac_delim
-plugindir!$plugindir$ac_delim
-simreader!$simreader$ac_delim
-linuxdir!$linuxdir$ac_delim
-LINUX_HEADERS!$LINUX_HEADERS$ac_delim
-IPSEC_ROUTING_TABLE!$IPSEC_ROUTING_TABLE$ac_delim
-IPSEC_ROUTING_TABLE_PRIO!$IPSEC_ROUTING_TABLE_PRIO$ac_delim
-ipsecuser!$ipsecuser$ac_delim
-ipsecgroup!$ipsecgroup$ac_delim
-build!$build$ac_delim
-build_cpu!$build_cpu$ac_delim
-build_vendor!$build_vendor$ac_delim
-build_os!$build_os$ac_delim
-host!$host$ac_delim
-_ACEOF
+# Is the compiler the GNU compiler?
+with_gcc=$GCC
 
-  if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 97; then
-    break
-  elif $ac_last_try; then
-    { { echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5
-echo "$as_me: error: could not make $CONFIG_STATUS" >&2;}
-   { (exit 1); exit 1; }; }
-  else
-    ac_delim="$ac_delim!$ac_delim _$ac_delim!! "
-  fi
-done
+# Compiler flag to turn off builtin functions.
+no_builtin_flag=$lt_lt_prog_compiler_no_builtin_flag
 
-ac_eof=`sed -n '/^CEOF[0-9]*$/s/CEOF/0/p' conf$$subs.sed`
-if test -n "$ac_eof"; then
-  ac_eof=`echo "$ac_eof" | sort -nru | sed 1q`
-  ac_eof=`expr $ac_eof + 1`
-fi
+# How to pass a linker flag through the compiler.
+wl=$lt_lt_prog_compiler_wl
 
-cat >>$CONFIG_STATUS <<_ACEOF
-cat >"\$tmp/subs-1.sed" <<\CEOF$ac_eof
-/@[a-zA-Z_][a-zA-Z_0-9]*@/!b
-_ACEOF
-sed '
-s/[,\\&]/\\&/g; s/@/@|#_!!_#|/g
-s/^/s,@/; s/!/@,|#_!!_#|/
-:n
-t n
-s/'"$ac_delim"'$/,g/; t
-s/$/\\/; p
-N; s/^.*\n//; s/[,\\&]/\\&/g; s/@/@|#_!!_#|/g; b n
-' >>$CONFIG_STATUS <conf$$subs.sed
-rm -f conf$$subs.sed
-cat >>$CONFIG_STATUS <<_ACEOF
-CEOF$ac_eof
-_ACEOF
+# Additional compiler flags for building library objects.
+pic_flag=$lt_lt_prog_compiler_pic
 
+# Compiler flag to prevent dynamic linking.
+link_static_flag=$lt_lt_prog_compiler_static
 
-ac_delim='%!_!# '
-for ac_last_try in false false false false false :; do
-  cat >conf$$subs.sed <<_ACEOF
-host_cpu!$host_cpu$ac_delim
-host_vendor!$host_vendor$ac_delim
-host_os!$host_os$ac_delim
-SED!$SED$ac_delim
-LN_S!$LN_S$ac_delim
-ECHO!$ECHO$ac_delim
-AR!$AR$ac_delim
-RANLIB!$RANLIB$ac_delim
-DSYMUTIL!$DSYMUTIL$ac_delim
-NMEDIT!$NMEDIT$ac_delim
-CXX!$CXX$ac_delim
-CXXFLAGS!$CXXFLAGS$ac_delim
-ac_ct_CXX!$ac_ct_CXX$ac_delim
-CXXDEPMODE!$CXXDEPMODE$ac_delim
-am__fastdepCXX_TRUE!$am__fastdepCXX_TRUE$ac_delim
-am__fastdepCXX_FALSE!$am__fastdepCXX_FALSE$ac_delim
-CXXCPP!$CXXCPP$ac_delim
-F77!$F77$ac_delim
-FFLAGS!$FFLAGS$ac_delim
-ac_ct_F77!$ac_ct_F77$ac_delim
-LIBTOOL!$LIBTOOL$ac_delim
-LEX!$LEX$ac_delim
-LEX_OUTPUT_ROOT!$LEX_OUTPUT_ROOT$ac_delim
-LEXLIB!$LEXLIB$ac_delim
-YACC!$YACC$ac_delim
-YFLAGS!$YFLAGS$ac_delim
-GPERF!$GPERF$ac_delim
-PERL!$PERL$ac_delim
-xml_CFLAGS!$xml_CFLAGS$ac_delim
-xml_LIBS!$xml_LIBS$ac_delim
-gtk_CFLAGS!$gtk_CFLAGS$ac_delim
-gtk_LIBS!$gtk_LIBS$ac_delim
-nm_CFLAGS!$nm_CFLAGS$ac_delim
-nm_LIBS!$nm_LIBS$ac_delim
-libstrongswan_plugins!$libstrongswan_plugins$ac_delim
-USE_CURL_TRUE!$USE_CURL_TRUE$ac_delim
-USE_CURL_FALSE!$USE_CURL_FALSE$ac_delim
-USE_LDAP_TRUE!$USE_LDAP_TRUE$ac_delim
-USE_LDAP_FALSE!$USE_LDAP_FALSE$ac_delim
-USE_AES_TRUE!$USE_AES_TRUE$ac_delim
-USE_AES_FALSE!$USE_AES_FALSE$ac_delim
-USE_DES_TRUE!$USE_DES_TRUE$ac_delim
-USE_DES_FALSE!$USE_DES_FALSE$ac_delim
-USE_MD5_TRUE!$USE_MD5_TRUE$ac_delim
-USE_MD5_FALSE!$USE_MD5_FALSE$ac_delim
-USE_SHA1_TRUE!$USE_SHA1_TRUE$ac_delim
-USE_SHA1_FALSE!$USE_SHA1_FALSE$ac_delim
-USE_SHA2_TRUE!$USE_SHA2_TRUE$ac_delim
-USE_SHA2_FALSE!$USE_SHA2_FALSE$ac_delim
-USE_FIPS_PRF_TRUE!$USE_FIPS_PRF_TRUE$ac_delim
-USE_FIPS_PRF_FALSE!$USE_FIPS_PRF_FALSE$ac_delim
-USE_GMP_TRUE!$USE_GMP_TRUE$ac_delim
-USE_GMP_FALSE!$USE_GMP_FALSE$ac_delim
-USE_RANDOM_TRUE!$USE_RANDOM_TRUE$ac_delim
-USE_RANDOM_FALSE!$USE_RANDOM_FALSE$ac_delim
-USE_X509_TRUE!$USE_X509_TRUE$ac_delim
-USE_X509_FALSE!$USE_X509_FALSE$ac_delim
-USE_PUBKEY_TRUE!$USE_PUBKEY_TRUE$ac_delim
-USE_PUBKEY_FALSE!$USE_PUBKEY_FALSE$ac_delim
-USE_HMAC_TRUE!$USE_HMAC_TRUE$ac_delim
-USE_HMAC_FALSE!$USE_HMAC_FALSE$ac_delim
-USE_XCBC_TRUE!$USE_XCBC_TRUE$ac_delim
-USE_XCBC_FALSE!$USE_XCBC_FALSE$ac_delim
-USE_MYSQL_TRUE!$USE_MYSQL_TRUE$ac_delim
-USE_MYSQL_FALSE!$USE_MYSQL_FALSE$ac_delim
-USE_SQLITE_TRUE!$USE_SQLITE_TRUE$ac_delim
-USE_SQLITE_FALSE!$USE_SQLITE_FALSE$ac_delim
-USE_PADLOCK_TRUE!$USE_PADLOCK_TRUE$ac_delim
-USE_PADLOCK_FALSE!$USE_PADLOCK_FALSE$ac_delim
-USE_OPENSSL_TRUE!$USE_OPENSSL_TRUE$ac_delim
-USE_OPENSSL_FALSE!$USE_OPENSSL_FALSE$ac_delim
-USE_AGENT_TRUE!$USE_AGENT_TRUE$ac_delim
-USE_AGENT_FALSE!$USE_AGENT_FALSE$ac_delim
-USE_STROKE_TRUE!$USE_STROKE_TRUE$ac_delim
-USE_STROKE_FALSE!$USE_STROKE_FALSE$ac_delim
-USE_MEDSRV_TRUE!$USE_MEDSRV_TRUE$ac_delim
-USE_MEDSRV_FALSE!$USE_MEDSRV_FALSE$ac_delim
-USE_MEDCLI_TRUE!$USE_MEDCLI_TRUE$ac_delim
-USE_MEDCLI_FALSE!$USE_MEDCLI_FALSE$ac_delim
-USE_NM_TRUE!$USE_NM_TRUE$ac_delim
-USE_NM_FALSE!$USE_NM_FALSE$ac_delim
-USE_UCI_TRUE!$USE_UCI_TRUE$ac_delim
-USE_UCI_FALSE!$USE_UCI_FALSE$ac_delim
-USE_SMP_TRUE!$USE_SMP_TRUE$ac_delim
-USE_SMP_FALSE!$USE_SMP_FALSE$ac_delim
-USE_SQL_TRUE!$USE_SQL_TRUE$ac_delim
-USE_SQL_FALSE!$USE_SQL_FALSE$ac_delim
-USE_UPDOWN_TRUE!$USE_UPDOWN_TRUE$ac_delim
-USE_UPDOWN_FALSE!$USE_UPDOWN_FALSE$ac_delim
-USE_UNIT_TESTS_TRUE!$USE_UNIT_TESTS_TRUE$ac_delim
-USE_UNIT_TESTS_FALSE!$USE_UNIT_TESTS_FALSE$ac_delim
-USE_LOAD_TESTS_TRUE!$USE_LOAD_TESTS_TRUE$ac_delim
-USE_LOAD_TESTS_FALSE!$USE_LOAD_TESTS_FALSE$ac_delim
-USE_EAP_SIM_TRUE!$USE_EAP_SIM_TRUE$ac_delim
-USE_EAP_SIM_FALSE!$USE_EAP_SIM_FALSE$ac_delim
-USE_EAP_SIM_FILE_TRUE!$USE_EAP_SIM_FILE_TRUE$ac_delim
-USE_EAP_SIM_FILE_FALSE!$USE_EAP_SIM_FILE_FALSE$ac_delim
-_ACEOF
+# Does compiler simultaneously support -c and -o options?
+compiler_c_o=$lt_lt_cv_prog_compiler_c_o
 
-  if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 97; then
-    break
-  elif $ac_last_try; then
-    { { echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5
-echo "$as_me: error: could not make $CONFIG_STATUS" >&2;}
-   { (exit 1); exit 1; }; }
-  else
-    ac_delim="$ac_delim!$ac_delim _$ac_delim!! "
-  fi
-done
+# Whether or not to add -lc for building shared libraries.
+build_libtool_need_lc=$archive_cmds_need_lc
 
-ac_eof=`sed -n '/^CEOF[0-9]*$/s/CEOF/0/p' conf$$subs.sed`
-if test -n "$ac_eof"; then
-  ac_eof=`echo "$ac_eof" | sort -nru | sed 1q`
-  ac_eof=`expr $ac_eof + 1`
-fi
+# Whether or not to disallow shared libs when runtime libs are static.
+allow_libtool_libs_with_static_runtimes=$enable_shared_with_static_runtimes
 
-cat >>$CONFIG_STATUS <<_ACEOF
-cat >"\$tmp/subs-2.sed" <<\CEOF$ac_eof
-/@[a-zA-Z_][a-zA-Z_0-9]*@/!b
-_ACEOF
-sed '
-s/[,\\&]/\\&/g; s/@/@|#_!!_#|/g
-s/^/s,@/; s/!/@,|#_!!_#|/
-:n
-t n
-s/'"$ac_delim"'$/,g/; t
-s/$/\\/; p
-N; s/^.*\n//; s/[,\\&]/\\&/g; s/@/@|#_!!_#|/g; b n
-' >>$CONFIG_STATUS <conf$$subs.sed
-rm -f conf$$subs.sed
-cat >>$CONFIG_STATUS <<_ACEOF
-CEOF$ac_eof
-_ACEOF
+# Compiler flag to allow reflexive dlopens.
+export_dynamic_flag_spec=$lt_export_dynamic_flag_spec
 
+# Compiler flag to generate shared objects directly from archives.
+whole_archive_flag_spec=$lt_whole_archive_flag_spec
 
-ac_delim='%!_!# '
-for ac_last_try in false false false false false :; do
-  cat >conf$$subs.sed <<_ACEOF
-USE_EAP_IDENTITY_TRUE!$USE_EAP_IDENTITY_TRUE$ac_delim
-USE_EAP_IDENTITY_FALSE!$USE_EAP_IDENTITY_FALSE$ac_delim
-USE_EAP_MD5_TRUE!$USE_EAP_MD5_TRUE$ac_delim
-USE_EAP_MD5_FALSE!$USE_EAP_MD5_FALSE$ac_delim
-USE_EAP_GTC_TRUE!$USE_EAP_GTC_TRUE$ac_delim
-USE_EAP_GTC_FALSE!$USE_EAP_GTC_FALSE$ac_delim
-USE_EAP_AKA_TRUE!$USE_EAP_AKA_TRUE$ac_delim
-USE_EAP_AKA_FALSE!$USE_EAP_AKA_FALSE$ac_delim
-USE_KERNEL_NETLINK_TRUE!$USE_KERNEL_NETLINK_TRUE$ac_delim
-USE_KERNEL_NETLINK_FALSE!$USE_KERNEL_NETLINK_FALSE$ac_delim
-USE_KERNEL_PFKEY_TRUE!$USE_KERNEL_PFKEY_TRUE$ac_delim
-USE_KERNEL_PFKEY_FALSE!$USE_KERNEL_PFKEY_FALSE$ac_delim
-USE_KERNEL_KLIPS_TRUE!$USE_KERNEL_KLIPS_TRUE$ac_delim
-USE_KERNEL_KLIPS_FALSE!$USE_KERNEL_KLIPS_FALSE$ac_delim
-USE_SMARTCARD_TRUE!$USE_SMARTCARD_TRUE$ac_delim
-USE_SMARTCARD_FALSE!$USE_SMARTCARD_FALSE$ac_delim
-USE_CISCO_QUIRKS_TRUE!$USE_CISCO_QUIRKS_TRUE$ac_delim
-USE_CISCO_QUIRKS_FALSE!$USE_CISCO_QUIRKS_FALSE$ac_delim
-USE_LEAK_DETECTIVE_TRUE!$USE_LEAK_DETECTIVE_TRUE$ac_delim
-USE_LEAK_DETECTIVE_FALSE!$USE_LEAK_DETECTIVE_FALSE$ac_delim
-USE_LOCK_PROFILER_TRUE!$USE_LOCK_PROFILER_TRUE$ac_delim
-USE_LOCK_PROFILER_FALSE!$USE_LOCK_PROFILER_FALSE$ac_delim
-USE_NAT_TRANSPORT_TRUE!$USE_NAT_TRANSPORT_TRUE$ac_delim
-USE_NAT_TRANSPORT_FALSE!$USE_NAT_TRANSPORT_FALSE$ac_delim
-USE_VENDORID_TRUE!$USE_VENDORID_TRUE$ac_delim
-USE_VENDORID_FALSE!$USE_VENDORID_FALSE$ac_delim
-USE_XAUTH_VID_TRUE!$USE_XAUTH_VID_TRUE$ac_delim
-USE_XAUTH_VID_FALSE!$USE_XAUTH_VID_FALSE$ac_delim
-USE_DUMM_TRUE!$USE_DUMM_TRUE$ac_delim
-USE_DUMM_FALSE!$USE_DUMM_FALSE$ac_delim
-USE_FAST_TRUE!$USE_FAST_TRUE$ac_delim
-USE_FAST_FALSE!$USE_FAST_FALSE$ac_delim
-USE_MANAGER_TRUE!$USE_MANAGER_TRUE$ac_delim
-USE_MANAGER_FALSE!$USE_MANAGER_FALSE$ac_delim
-USE_ME_TRUE!$USE_ME_TRUE$ac_delim
-USE_ME_FALSE!$USE_ME_FALSE$ac_delim
-USE_INTEGRITY_TEST_TRUE!$USE_INTEGRITY_TEST_TRUE$ac_delim
-USE_INTEGRITY_TEST_FALSE!$USE_INTEGRITY_TEST_FALSE$ac_delim
-USE_SELF_TEST_TRUE!$USE_SELF_TEST_TRUE$ac_delim
-USE_SELF_TEST_FALSE!$USE_SELF_TEST_FALSE$ac_delim
-USE_CAPABILITIES_TRUE!$USE_CAPABILITIES_TRUE$ac_delim
-USE_CAPABILITIES_FALSE!$USE_CAPABILITIES_FALSE$ac_delim
-USE_PLUTO_TRUE!$USE_PLUTO_TRUE$ac_delim
-USE_PLUTO_FALSE!$USE_PLUTO_FALSE$ac_delim
-USE_CHARON_TRUE!$USE_CHARON_TRUE$ac_delim
-USE_CHARON_FALSE!$USE_CHARON_FALSE$ac_delim
-USE_TOOLS_TRUE!$USE_TOOLS_TRUE$ac_delim
-USE_TOOLS_FALSE!$USE_TOOLS_FALSE$ac_delim
-USE_LIBSTRONGSWAN_TRUE!$USE_LIBSTRONGSWAN_TRUE$ac_delim
-USE_LIBSTRONGSWAN_FALSE!$USE_LIBSTRONGSWAN_FALSE$ac_delim
-USE_FILE_CONFIG_TRUE!$USE_FILE_CONFIG_TRUE$ac_delim
-USE_FILE_CONFIG_FALSE!$USE_FILE_CONFIG_FALSE$ac_delim
-LIBOBJS!$LIBOBJS$ac_delim
-LTLIBOBJS!$LTLIBOBJS$ac_delim
-_ACEOF
+# Whether the compiler copes with passing no objects directly.
+compiler_needs_object=$lt_compiler_needs_object
+
+# Create an old-style archive from a shared archive.
+old_archive_from_new_cmds=$lt_old_archive_from_new_cmds
+
+# Create a temporary old-style archive to link instead of a shared archive.
+old_archive_from_expsyms_cmds=$lt_old_archive_from_expsyms_cmds
+
+# Commands used to build a shared archive.
+archive_cmds=$lt_archive_cmds
+archive_expsym_cmds=$lt_archive_expsym_cmds
+
+# Commands used to build a loadable module if different from building
+# a shared archive.
+module_cmds=$lt_module_cmds
+module_expsym_cmds=$lt_module_expsym_cmds
+
+# Whether we are building with GNU ld or not.
+with_gnu_ld=$lt_with_gnu_ld
+
+# Flag that allows shared libraries with undefined symbols to be built.
+allow_undefined_flag=$lt_allow_undefined_flag
+
+# Flag that enforces no undefined symbols.
+no_undefined_flag=$lt_no_undefined_flag
+
+# Flag to hardcode \$libdir into a binary during linking.
+# This must work even if \$libdir does not exist
+hardcode_libdir_flag_spec=$lt_hardcode_libdir_flag_spec
+
+# If ld is used when linking, flag to hardcode \$libdir into a binary
+# during linking.  This must work even if \$libdir does not exist.
+hardcode_libdir_flag_spec_ld=$lt_hardcode_libdir_flag_spec_ld
+
+# Whether we need a single "-rpath" flag with a separated argument.
+hardcode_libdir_separator=$lt_hardcode_libdir_separator
+
+# Set to "yes" if using DIR/libNAME\${shared_ext} during linking hardcodes
+# DIR into the resulting binary.
+hardcode_direct=$hardcode_direct
 
-  if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 54; then
-    break
-  elif $ac_last_try; then
-    { { echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5
-echo "$as_me: error: could not make $CONFIG_STATUS" >&2;}
-   { (exit 1); exit 1; }; }
-  else
-    ac_delim="$ac_delim!$ac_delim _$ac_delim!! "
-  fi
-done
+# Set to "yes" if using DIR/libNAME\${shared_ext} during linking hardcodes
+# DIR into the resulting binary and the resulting library dependency is
+# "absolute",i.e impossible to change by setting \${shlibpath_var} if the
+# library is relocated.
+hardcode_direct_absolute=$hardcode_direct_absolute
 
-ac_eof=`sed -n '/^CEOF[0-9]*$/s/CEOF/0/p' conf$$subs.sed`
-if test -n "$ac_eof"; then
-  ac_eof=`echo "$ac_eof" | sort -nru | sed 1q`
-  ac_eof=`expr $ac_eof + 1`
-fi
+# Set to "yes" if using the -LDIR flag during linking hardcodes DIR
+# into the resulting binary.
+hardcode_minus_L=$hardcode_minus_L
 
-cat >>$CONFIG_STATUS <<_ACEOF
-cat >"\$tmp/subs-3.sed" <<\CEOF$ac_eof
-/@[a-zA-Z_][a-zA-Z_0-9]*@/!b end
-_ACEOF
-sed '
-s/[,\\&]/\\&/g; s/@/@|#_!!_#|/g
-s/^/s,@/; s/!/@,|#_!!_#|/
-:n
-t n
-s/'"$ac_delim"'$/,g/; t
-s/$/\\/; p
-N; s/^.*\n//; s/[,\\&]/\\&/g; s/@/@|#_!!_#|/g; b n
-' >>$CONFIG_STATUS <conf$$subs.sed
-rm -f conf$$subs.sed
-cat >>$CONFIG_STATUS <<_ACEOF
-:end
-s/|#_!!_#|//g
-CEOF$ac_eof
-_ACEOF
+# Set to "yes" if using SHLIBPATH_VAR=DIR during linking hardcodes DIR
+# into the resulting binary.
+hardcode_shlibpath_var=$hardcode_shlibpath_var
 
+# Set to "yes" if building a shared library automatically hardcodes DIR
+# into the library and all subsequent libraries and executables linked
+# against it.
+hardcode_automatic=$hardcode_automatic
 
-# VPATH may cause trouble with some makes, so we remove $(srcdir),
-# ${srcdir} and @srcdir@ from VPATH if srcdir is ".", strip leading and
-# trailing colons and then remove the whole line if VPATH becomes empty
-# (actually we leave an empty line to preserve line numbers).
-if test "x$srcdir" = x.; then
-  ac_vpsub='/^[	 ]*VPATH[	 ]*=/{
-s/:*\$(srcdir):*/:/
-s/:*\${srcdir}:*/:/
-s/:*@srcdir@:*/:/
-s/^\([^=]*=[	 ]*\):*/\1/
-s/:*$//
-s/^[^=]*=[	 ]*$//
-}'
+# Set to yes if linker adds runtime paths of dependent libraries
+# to runtime path list.
+inherit_rpath=$inherit_rpath
+
+# Whether libtool must link a program against all its dependency libraries.
+link_all_deplibs=$link_all_deplibs
+
+# Fix the shell variable \$srcfile for the compiler.
+fix_srcfile_path=$lt_fix_srcfile_path
+
+# Set to "yes" if exported symbols are required.
+always_export_symbols=$always_export_symbols
+
+# The commands to list exported symbols.
+export_symbols_cmds=$lt_export_symbols_cmds
+
+# Symbols that should not be listed in the preloaded symbols.
+exclude_expsyms=$lt_exclude_expsyms
+
+# Symbols that must always be exported.
+include_expsyms=$lt_include_expsyms
+
+# Commands necessary for linking programs (against libraries) with templates.
+prelink_cmds=$lt_prelink_cmds
+
+# Specify filename containing input files.
+file_list_spec=$lt_file_list_spec
+
+# How to hardcode a shared library path into an executable.
+hardcode_action=$hardcode_action
+
+# ### END LIBTOOL CONFIG
+
+_LT_EOF
+
+  case $host_os in
+  aix3*)
+    cat <<\_LT_EOF >> "$cfgfile"
+# AIX sometimes has problems with the GCC collect2 program.  For some
+# reason, if we set the COLLECT_NAMES environment variable, the problems
+# vanish in a puff of smoke.
+if test "X${COLLECT_NAMES+set}" != Xset; then
+  COLLECT_NAMES=
+  export COLLECT_NAMES
 fi
+_LT_EOF
+    ;;
+  esac
 
-cat >>$CONFIG_STATUS <<\_ACEOF
-fi # test -n "$CONFIG_FILES"
 
+ltmain="$ac_aux_dir/ltmain.sh"
 
-for ac_tag in  :F $CONFIG_FILES      :C $CONFIG_COMMANDS
-do
-  case $ac_tag in
-  :[FHLC]) ac_mode=$ac_tag; continue;;
+
+  # We use sed instead of cat because bash on DJGPP gets confused if
+  # if finds mixed CR/LF and LF-only lines.  Since sed operates in
+  # text mode, it properly converts lines to CR/LF.  This bash problem
+  # is reportedly fixed, but why not run on old versions too?
+  sed '/^# Generated shell functions inserted here/q' "$ltmain" >> "$cfgfile" \
+    || (rm -f "$cfgfile"; exit 1)
+
+  case $xsi_shell in
+  yes)
+    cat << \_LT_EOF >> "$cfgfile"
+
+# func_dirname file append nondir_replacement
+# Compute the dirname of FILE.  If nonempty, add APPEND to the result,
+# otherwise set result to NONDIR_REPLACEMENT.
+func_dirname ()
+{
+  case ${1} in
+    */*) func_dirname_result="${1%/*}${2}" ;;
+    *  ) func_dirname_result="${3}" ;;
   esac
-  case $ac_mode$ac_tag in
-  :[FHL]*:*);;
-  :L* | :C*:*) { { echo "$as_me:$LINENO: error: Invalid tag $ac_tag." >&5
-echo "$as_me: error: Invalid tag $ac_tag." >&2;}
-   { (exit 1); exit 1; }; };;
-  :[FH]-) ac_tag=-:-;;
-  :[FH]*) ac_tag=$ac_tag:$ac_tag.in;;
+}
+
+# func_basename file
+func_basename ()
+{
+  func_basename_result="${1##*/}"
+}
+
+# func_dirname_and_basename file append nondir_replacement
+# perform func_basename and func_dirname in a single function
+# call:
+#   dirname:  Compute the dirname of FILE.  If nonempty,
+#             add APPEND to the result, otherwise set result
+#             to NONDIR_REPLACEMENT.
+#             value returned in "$func_dirname_result"
+#   basename: Compute filename of FILE.
+#             value retuned in "$func_basename_result"
+# Implementation must be kept synchronized with func_dirname
+# and func_basename. For efficiency, we do not delegate to
+# those functions but instead duplicate the functionality here.
+func_dirname_and_basename ()
+{
+  case ${1} in
+    */*) func_dirname_result="${1%/*}${2}" ;;
+    *  ) func_dirname_result="${3}" ;;
   esac
-  ac_save_IFS=$IFS
-  IFS=:
-  set x $ac_tag
-  IFS=$ac_save_IFS
-  shift
-  ac_file=$1
-  shift
+  func_basename_result="${1##*/}"
+}
 
-  case $ac_mode in
-  :L) ac_source=$1;;
-  :[FH])
-    ac_file_inputs=
-    for ac_f
-    do
-      case $ac_f in
-      -) ac_f="$tmp/stdin";;
-      *) # Look for the file first in the build tree, then in the source tree
-	 # (if the path is not absolute).  The absolute path cannot be DOS-style,
-	 # because $ac_f cannot contain `:'.
-	 test -f "$ac_f" ||
-	   case $ac_f in
-	   [\\/$]*) false;;
-	   *) test -f "$srcdir/$ac_f" && ac_f="$srcdir/$ac_f";;
-	   esac ||
-	   { { echo "$as_me:$LINENO: error: cannot find input file: $ac_f" >&5
-echo "$as_me: error: cannot find input file: $ac_f" >&2;}
-   { (exit 1); exit 1; }; };;
-      esac
-      ac_file_inputs="$ac_file_inputs $ac_f"
-    done
+# func_stripname prefix suffix name
+# strip PREFIX and SUFFIX off of NAME.
+# PREFIX and SUFFIX must not contain globbing or regex special
+# characters, hashes, percent signs, but SUFFIX may contain a leading
+# dot (in which case that matches only a dot).
+func_stripname ()
+{
+  # pdksh 5.2.14 does not do ${X%$Y} correctly if both X and Y are
+  # positional parameters, so assign one to ordinary parameter first.
+  func_stripname_result=${3}
+  func_stripname_result=${func_stripname_result#"${1}"}
+  func_stripname_result=${func_stripname_result%"${2}"}
+}
 
-    # Let's still pretend it is `configure' which instantiates (i.e., don't
-    # use $as_me), people would be surprised to read:
-    #    /* config.h.  Generated by config.status.  */
-    configure_input="Generated from "`IFS=:
-	  echo $* | sed 's|^[^:]*/||;s|:[^:]*/|, |g'`" by configure."
-    if test x"$ac_file" != x-; then
-      configure_input="$ac_file.  $configure_input"
-      { echo "$as_me:$LINENO: creating $ac_file" >&5
-echo "$as_me: creating $ac_file" >&6;}
-    fi
+# func_opt_split
+func_opt_split ()
+{
+  func_opt_split_opt=${1%%=*}
+  func_opt_split_arg=${1#*=}
+}
 
-    case $ac_tag in
-    *:-:* | *:-) cat >"$tmp/stdin";;
-    esac
-    ;;
+# func_lo2o object
+func_lo2o ()
+{
+  case ${1} in
+    *.lo) func_lo2o_result=${1%.lo}.${objext} ;;
+    *)    func_lo2o_result=${1} ;;
   esac
+}
 
-  ac_dir=`$as_dirname -- "$ac_file" ||
-$as_expr X"$ac_file" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
-	 X"$ac_file" : 'X\(//\)[^/]' \| \
-	 X"$ac_file" : 'X\(//\)$' \| \
-	 X"$ac_file" : 'X\(/\)' \| . 2>/dev/null ||
-echo X"$ac_file" |
-    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
-	    s//\1/
-	    q
-	  }
-	  /^X\(\/\/\)[^/].*/{
-	    s//\1/
-	    q
-	  }
-	  /^X\(\/\/\)$/{
-	    s//\1/
-	    q
-	  }
-	  /^X\(\/\).*/{
-	    s//\1/
-	    q
-	  }
-	  s/.*/./; q'`
-  { as_dir="$ac_dir"
-  case $as_dir in #(
-  -*) as_dir=./$as_dir;;
-  esac
-  test -d "$as_dir" || { $as_mkdir_p && mkdir -p "$as_dir"; } || {
-    as_dirs=
-    while :; do
-      case $as_dir in #(
-      *\'*) as_qdir=`echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #(
-      *) as_qdir=$as_dir;;
-      esac
-      as_dirs="'$as_qdir' $as_dirs"
-      as_dir=`$as_dirname -- "$as_dir" ||
-$as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
-	 X"$as_dir" : 'X\(//\)[^/]' \| \
-	 X"$as_dir" : 'X\(//\)$' \| \
-	 X"$as_dir" : 'X\(/\)' \| . 2>/dev/null ||
-echo X"$as_dir" |
-    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
-	    s//\1/
-	    q
-	  }
-	  /^X\(\/\/\)[^/].*/{
-	    s//\1/
-	    q
-	  }
-	  /^X\(\/\/\)$/{
-	    s//\1/
-	    q
-	  }
-	  /^X\(\/\).*/{
-	    s//\1/
-	    q
-	  }
-	  s/.*/./; q'`
-      test -d "$as_dir" && break
-    done
-    test -z "$as_dirs" || eval "mkdir $as_dirs"
-  } || test -d "$as_dir" || { { echo "$as_me:$LINENO: error: cannot create directory $as_dir" >&5
-echo "$as_me: error: cannot create directory $as_dir" >&2;}
-   { (exit 1); exit 1; }; }; }
-  ac_builddir=.
+# func_xform libobj-or-source
+func_xform ()
+{
+  func_xform_result=${1%.*}.lo
+}
 
-case "$ac_dir" in
-.) ac_dir_suffix= ac_top_builddir_sub=. ac_top_build_prefix= ;;
-*)
-  ac_dir_suffix=/`echo "$ac_dir" | sed 's,^\.[\\/],,'`
-  # A ".." for each directory in $ac_dir_suffix.
-  ac_top_builddir_sub=`echo "$ac_dir_suffix" | sed 's,/[^\\/]*,/..,g;s,/,,'`
-  case $ac_top_builddir_sub in
-  "") ac_top_builddir_sub=. ac_top_build_prefix= ;;
-  *)  ac_top_build_prefix=$ac_top_builddir_sub/ ;;
-  esac ;;
-esac
-ac_abs_top_builddir=$ac_pwd
-ac_abs_builddir=$ac_pwd$ac_dir_suffix
-# for backward compatibility:
-ac_top_builddir=$ac_top_build_prefix
+# func_arith arithmetic-term...
+func_arith ()
+{
+  func_arith_result=$(( $* ))
+}
+
+# func_len string
+# STRING may not start with a hyphen.
+func_len ()
+{
+  func_len_result=${#1}
+}
+
+_LT_EOF
+    ;;
+  *) # Bourne compatible functions.
+    cat << \_LT_EOF >> "$cfgfile"
 
-case $srcdir in
-  .)  # We are building in place.
-    ac_srcdir=.
-    ac_top_srcdir=$ac_top_builddir_sub
-    ac_abs_top_srcdir=$ac_pwd ;;
-  [\\/]* | ?:[\\/]* )  # Absolute name.
-    ac_srcdir=$srcdir$ac_dir_suffix;
-    ac_top_srcdir=$srcdir
-    ac_abs_top_srcdir=$srcdir ;;
-  *) # Relative name.
-    ac_srcdir=$ac_top_build_prefix$srcdir$ac_dir_suffix
-    ac_top_srcdir=$ac_top_build_prefix$srcdir
-    ac_abs_top_srcdir=$ac_pwd/$srcdir ;;
-esac
-ac_abs_srcdir=$ac_abs_top_srcdir$ac_dir_suffix
+# func_dirname file append nondir_replacement
+# Compute the dirname of FILE.  If nonempty, add APPEND to the result,
+# otherwise set result to NONDIR_REPLACEMENT.
+func_dirname ()
+{
+  # Extract subdirectory from the argument.
+  func_dirname_result=`$ECHO "X${1}" | $Xsed -e "$dirname"`
+  if test "X$func_dirname_result" = "X${1}"; then
+    func_dirname_result="${3}"
+  else
+    func_dirname_result="$func_dirname_result${2}"
+  fi
+}
 
+# func_basename file
+func_basename ()
+{
+  func_basename_result=`$ECHO "X${1}" | $Xsed -e "$basename"`
+}
 
-  case $ac_mode in
-  :F)
-  #
-  # CONFIG_FILE
-  #
 
-  case $INSTALL in
-  [\\/$]* | ?:[\\/]* ) ac_INSTALL=$INSTALL ;;
-  *) ac_INSTALL=$ac_top_build_prefix$INSTALL ;;
-  esac
-  ac_MKDIR_P=$MKDIR_P
-  case $MKDIR_P in
-  [\\/$]* | ?:[\\/]* ) ;;
-  */*) ac_MKDIR_P=$ac_top_build_prefix$MKDIR_P ;;
+# func_stripname prefix suffix name
+# strip PREFIX and SUFFIX off of NAME.
+# PREFIX and SUFFIX must not contain globbing or regex special
+# characters, hashes, percent signs, but SUFFIX may contain a leading
+# dot (in which case that matches only a dot).
+# func_strip_suffix prefix name
+func_stripname ()
+{
+  case ${2} in
+    .*) func_stripname_result=`$ECHO "X${3}" \
+           | $Xsed -e "s%^${1}%%" -e "s%\\\\${2}\$%%"`;;
+    *)  func_stripname_result=`$ECHO "X${3}" \
+           | $Xsed -e "s%^${1}%%" -e "s%${2}\$%%"`;;
   esac
-_ACEOF
+}
 
-cat >>$CONFIG_STATUS <<\_ACEOF
-# If the template does not know about datarootdir, expand it.
-# FIXME: This hack should be removed a few years after 2.60.
-ac_datarootdir_hack=; ac_datarootdir_seen=
+# sed scripts:
+my_sed_long_opt='1s/^\(-[^=]*\)=.*/\1/;q'
+my_sed_long_arg='1s/^-[^=]*=//'
 
-case `sed -n '/datarootdir/ {
-  p
-  q
+# func_opt_split
+func_opt_split ()
+{
+  func_opt_split_opt=`$ECHO "X${1}" | $Xsed -e "$my_sed_long_opt"`
+  func_opt_split_arg=`$ECHO "X${1}" | $Xsed -e "$my_sed_long_arg"`
 }
-/@datadir@/p
-/@docdir@/p
-/@infodir@/p
-/@localedir@/p
-/@mandir@/p
-' $ac_file_inputs` in
-*datarootdir*) ac_datarootdir_seen=yes;;
-*@datadir@*|*@docdir@*|*@infodir@*|*@localedir@*|*@mandir@*)
-  { echo "$as_me:$LINENO: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&5
-echo "$as_me: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&2;}
-_ACEOF
-cat >>$CONFIG_STATUS <<_ACEOF
-  ac_datarootdir_hack='
-  s&@datadir@&$datadir&g
-  s&@docdir@&$docdir&g
-  s&@infodir@&$infodir&g
-  s&@localedir@&$localedir&g
-  s&@mandir@&$mandir&g
-    s&\\\${datarootdir}&$datarootdir&g' ;;
+
+# func_lo2o object
+func_lo2o ()
+{
+  func_lo2o_result=`$ECHO "X${1}" | $Xsed -e "$lo2o"`
+}
+
+# func_xform libobj-or-source
+func_xform ()
+{
+  func_xform_result=`$ECHO "X${1}" | $Xsed -e 's/\.[^.]*$/.lo/'`
+}
+
+# func_arith arithmetic-term...
+func_arith ()
+{
+  func_arith_result=`expr "$@"`
+}
+
+# func_len string
+# STRING may not start with a hyphen.
+func_len ()
+{
+  func_len_result=`expr "$1" : ".*" 2>/dev/null || echo $max_cmd_len`
+}
+
+_LT_EOF
 esac
-_ACEOF
 
-# Neutralize VPATH when `$srcdir' = `.'.
-# Shell code in configure.ac might set extrasub.
-# FIXME: do we really want to maintain this feature?
-cat >>$CONFIG_STATUS <<_ACEOF
-  sed "$ac_vpsub
-$extrasub
-_ACEOF
-cat >>$CONFIG_STATUS <<\_ACEOF
-:t
-/@[a-zA-Z_][a-zA-Z_0-9]*@/!b
-s&@configure_input@&$configure_input&;t t
-s&@top_builddir@&$ac_top_builddir_sub&;t t
-s&@srcdir@&$ac_srcdir&;t t
-s&@abs_srcdir@&$ac_abs_srcdir&;t t
-s&@top_srcdir@&$ac_top_srcdir&;t t
-s&@abs_top_srcdir@&$ac_abs_top_srcdir&;t t
-s&@builddir@&$ac_builddir&;t t
-s&@abs_builddir@&$ac_abs_builddir&;t t
-s&@abs_top_builddir@&$ac_abs_top_builddir&;t t
-s&@INSTALL@&$ac_INSTALL&;t t
-s&@MKDIR_P@&$ac_MKDIR_P&;t t
-$ac_datarootdir_hack
-" $ac_file_inputs | sed -f "$tmp/subs-1.sed" | sed -f "$tmp/subs-2.sed" | sed -f "$tmp/subs-3.sed" >$tmp/out
+case $lt_shell_append in
+  yes)
+    cat << \_LT_EOF >> "$cfgfile"
 
-test -z "$ac_datarootdir_hack$ac_datarootdir_seen" &&
-  { ac_out=`sed -n '/\${datarootdir}/p' "$tmp/out"`; test -n "$ac_out"; } &&
-  { ac_out=`sed -n '/^[	 ]*datarootdir[	 ]*:*=/p' "$tmp/out"`; test -z "$ac_out"; } &&
-  { echo "$as_me:$LINENO: WARNING: $ac_file contains a reference to the variable \`datarootdir'
-which seems to be undefined.  Please make sure it is defined." >&5
-echo "$as_me: WARNING: $ac_file contains a reference to the variable \`datarootdir'
-which seems to be undefined.  Please make sure it is defined." >&2;}
+# func_append var value
+# Append VALUE to the end of shell variable VAR.
+func_append ()
+{
+  eval "$1+=\$2"
+}
+_LT_EOF
+    ;;
+  *)
+    cat << \_LT_EOF >> "$cfgfile"
 
-  rm -f "$tmp/stdin"
-  case $ac_file in
-  -) cat "$tmp/out"; rm -f "$tmp/out";;
-  *) rm -f "$ac_file"; mv "$tmp/out" $ac_file;;
+# func_append var value
+# Append VALUE to the end of shell variable VAR.
+func_append ()
+{
+  eval "$1=\$$1\$2"
+}
+
+_LT_EOF
+    ;;
   esac
- ;;
 
 
-  :C)  { echo "$as_me:$LINENO: executing $ac_file commands" >&5
-echo "$as_me: executing $ac_file commands" >&6;}
- ;;
-  esac
+  sed -n '/^# Generated shell functions inserted here/,$p' "$ltmain" >> "$cfgfile" \
+    || (rm -f "$cfgfile"; exit 1)
 
+  mv -f "$cfgfile" "$ofile" ||
+    (rm -f "$ofile" && cp "$cfgfile" "$ofile" && rm -f "$cfgfile")
+  chmod +x "$ofile"
 
-  case $ac_file$ac_mode in
-    "depfiles":C) test x"$AMDEP_TRUE" != x"" || for mf in $CONFIG_FILES; do
-  # Strip MF so we end up with the name of the file.
-  mf=`echo "$mf" | sed -e 's/:.*$//'`
-  # Check whether this is an Automake generated Makefile or not.
-  # We used to match only the files named `Makefile.in', but
-  # some people rename them; so instead we look at the file content.
-  # Grep'ing the first line is not enough: some people post-process
-  # each Makefile.in and add a new line on top of each file to say so.
-  # Grep'ing the whole file is not good either: AIX grep has a line
-  # limit of 2048, but all sed's we know have understand at least 4000.
-  if sed -n 's,^#.*generated by automake.*,X,p' "$mf" | grep X >/dev/null 2>&1; then
-    dirpart=`$as_dirname -- "$mf" ||
-$as_expr X"$mf" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
-	 X"$mf" : 'X\(//\)[^/]' \| \
-	 X"$mf" : 'X\(//\)$' \| \
-	 X"$mf" : 'X\(/\)' \| . 2>/dev/null ||
-echo X"$mf" |
-    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
-	    s//\1/
-	    q
-	  }
-	  /^X\(\/\/\)[^/].*/{
-	    s//\1/
-	    q
-	  }
-	  /^X\(\/\/\)$/{
-	    s//\1/
-	    q
-	  }
-	  /^X\(\/\).*/{
-	    s//\1/
-	    q
-	  }
-	  s/.*/./; q'`
-  else
-    continue
-  fi
-  # Extract the definition of DEPDIR, am__include, and am__quote
-  # from the Makefile without running `make'.
-  DEPDIR=`sed -n 's/^DEPDIR = //p' < "$mf"`
-  test -z "$DEPDIR" && continue
-  am__include=`sed -n 's/^am__include = //p' < "$mf"`
-  test -z "am__include" && continue
-  am__quote=`sed -n 's/^am__quote = //p' < "$mf"`
-  # When using ansi2knr, U may be empty or an underscore; expand it
-  U=`sed -n 's/^U = //p' < "$mf"`
-  # Find all dependency output files, they are included files with
-  # $(DEPDIR) in their names.  We invoke sed twice because it is the
-  # simplest approach to changing $(DEPDIR) to its actual value in the
-  # expansion.
-  for file in `sed -n "
-    s/^$am__include $am__quote\(.*(DEPDIR).*\)$am__quote"'$/\1/p' <"$mf" | \
-       sed -e 's/\$(DEPDIR)/'"$DEPDIR"'/g' -e 's/\$U/'"$U"'/g'`; do
-    # Make sure the directory exists.
-    test -f "$dirpart/$file" && continue
-    fdir=`$as_dirname -- "$file" ||
-$as_expr X"$file" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
-	 X"$file" : 'X\(//\)[^/]' \| \
-	 X"$file" : 'X\(//\)$' \| \
-	 X"$file" : 'X\(/\)' \| . 2>/dev/null ||
-echo X"$file" |
-    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
-	    s//\1/
-	    q
-	  }
-	  /^X\(\/\/\)[^/].*/{
-	    s//\1/
-	    q
-	  }
-	  /^X\(\/\/\)$/{
-	    s//\1/
-	    q
-	  }
-	  /^X\(\/\).*/{
-	    s//\1/
-	    q
-	  }
-	  s/.*/./; q'`
-    { as_dir=$dirpart/$fdir
-  case $as_dir in #(
-  -*) as_dir=./$as_dir;;
-  esac
-  test -d "$as_dir" || { $as_mkdir_p && mkdir -p "$as_dir"; } || {
-    as_dirs=
-    while :; do
-      case $as_dir in #(
-      *\'*) as_qdir=`echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #(
-      *) as_qdir=$as_dir;;
-      esac
-      as_dirs="'$as_qdir' $as_dirs"
-      as_dir=`$as_dirname -- "$as_dir" ||
-$as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
-	 X"$as_dir" : 'X\(//\)[^/]' \| \
-	 X"$as_dir" : 'X\(//\)$' \| \
-	 X"$as_dir" : 'X\(/\)' \| . 2>/dev/null ||
-echo X"$as_dir" |
-    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
-	    s//\1/
-	    q
-	  }
-	  /^X\(\/\/\)[^/].*/{
-	    s//\1/
-	    q
-	  }
-	  /^X\(\/\/\)$/{
-	    s//\1/
-	    q
-	  }
-	  /^X\(\/\).*/{
-	    s//\1/
-	    q
-	  }
-	  s/.*/./; q'`
-      test -d "$as_dir" && break
-    done
-    test -z "$as_dirs" || eval "mkdir $as_dirs"
-  } || test -d "$as_dir" || { { echo "$as_me:$LINENO: error: cannot create directory $as_dir" >&5
-echo "$as_me: error: cannot create directory $as_dir" >&2;}
-   { (exit 1); exit 1; }; }; }
-    # echo "creating $dirpart/$file"
-    echo '# dummy' > "$dirpart/$file"
-  done
-done
  ;;
 
   esac
diff --git a/configure.in b/configure.in
index 54ff358d1..b0405130e 100644
--- a/configure.in
+++ b/configure.in
@@ -16,7 +16,7 @@ dnl ===========================
 dnl  initialize & set some vars
 dnl ===========================
 
-AC_INIT(strongSwan,4.2.9)
+AC_INIT(strongSwan,4.2.12)
 AM_INIT_AUTOMAKE(tar-ustar)
 AC_C_BIGENDIAN
 AC_SUBST(confdir, '${sysconfdir}')
@@ -184,6 +184,14 @@ AC_ARG_ENABLE(
 	des=true
 )
 
+AC_ARG_ENABLE(
+	[md4],
+	AS_HELP_STRING([--enable-md4],[enable MD4 software implementation plugin (default is NO).]),
+	[if test x$enableval = xyes; then
+		md4=true
+	fi]
+)
+
 AC_ARG_ENABLE(
 	[md5],
 	AS_HELP_STRING([--disable-md5],[disable own MD5 software implementation plugin. (default is NO).]),
@@ -379,7 +387,7 @@ AC_ARG_ENABLE(
 
 AC_ARG_ENABLE(
 	[lock-profiler],
-	AS_HELP_STRING([--enable-lock-profiling],[enable lock/mutex profiling code (default is NO).]),
+	AS_HELP_STRING([--enable-lock-profiler],[enable lock/mutex profiling code (default is NO).]),
 	[if test x$enableval = xyes; then
 		lock_profiler=true
 	fi]
@@ -449,6 +457,14 @@ AC_ARG_ENABLE(
 	fi]
 )
 
+AC_ARG_ENABLE(
+	[eap-mschapv2],
+	AS_HELP_STRING([--enable-eap-mschapv2],[build MS-CHAPv2 authenication module for EAP (default is NO).]),
+	[if test x$enableval = xyes; then
+		eap_mschapv2=true
+	fi]
+)
+
 AC_ARG_ENABLE(
 	[kernel-netlink],
 	AS_HELP_STRING([--disable-kernel-netlink],[disable the netlink kernel interface. (default is NO).]),
@@ -569,6 +585,17 @@ AC_ARG_ENABLE(
 	pluto=true
 )
 
+AC_ARG_ENABLE(
+	[threads],
+	AS_HELP_STRING([--disable-threads],[disable the use of threads in pluto. Charon always uses threads. (default is NO).]),
+	[if test x$enableval = xyes; then
+		threads=true
+	 else
+		threads=false
+	fi],
+	threads=true
+)
+
 AC_ARG_ENABLE(
 	[charon],
 	AS_HELP_STRING([--disable-charon],[disable the IKEv2 keying daemon charon. (default is NO).]),
@@ -697,6 +724,22 @@ AC_HAVE_LIBRARY(dl)
 AC_CHECK_FUNCS(backtrace)
 AC_CHECK_FUNCS(dladdr)
 
+AC_MSG_CHECKING([for gcc atomic operations])
+AC_TRY_RUN(
+[
+	int main() {
+		volatile int ref = 1;
+		__sync_fetch_and_add (&ref, 1);
+		__sync_sub_and_fetch (&ref, 1);
+		/* Make sure test fails if operations are not supported */
+		__sync_val_compare_and_swap(&ref, 1, 0);
+		return ref;
+	}
+],
+[AC_MSG_RESULT([yes]); AC_DEFINE(HAVE_GCC_ATOMIC_OPERATIONS)],
+[AC_MSG_RESULT([no])],
+[AC_MSG_RESULT([no])])
+
 if test x$gmp = xtrue; then
 	AC_HAVE_LIBRARY([gmp],[LIBS="$LIBS"],[AC_MSG_ERROR([GNU Multi Precision library gmp not found])])
 	AC_MSG_CHECKING([gmp.h version >= 4.1.4])
@@ -821,6 +864,9 @@ fi
 if test x$sha2 = xtrue; then
 	libstrongswan_plugins=${libstrongswan_plugins}" sha2"
 fi
+if test x$md4 = xtrue; then
+	libstrongswan_plugins=${libstrongswan_plugins}" md4"
+fi
 if test x$md5 = xtrue; then
 	libstrongswan_plugins=${libstrongswan_plugins}" md5"
 fi
@@ -873,6 +919,7 @@ AM_CONDITIONAL(USE_CURL, test x$curl = xtrue)
 AM_CONDITIONAL(USE_LDAP, test x$ldap = xtrue)
 AM_CONDITIONAL(USE_AES, test x$aes = xtrue)
 AM_CONDITIONAL(USE_DES, test x$des = xtrue)
+AM_CONDITIONAL(USE_MD4, test x$md4 = xtrue)
 AM_CONDITIONAL(USE_MD5, test x$md5 = xtrue)
 AM_CONDITIONAL(USE_SHA1, test x$sha1 = xtrue)
 AM_CONDITIONAL(USE_SHA2, test x$sha2 = xtrue)
@@ -907,6 +954,7 @@ AM_CONDITIONAL(USE_EAP_IDENTITY, test x$eap_identity = xtrue)
 AM_CONDITIONAL(USE_EAP_MD5, test x$eap_md5 = xtrue)
 AM_CONDITIONAL(USE_EAP_GTC, test x$eap_gtc = xtrue)
 AM_CONDITIONAL(USE_EAP_AKA, test x$eap_aka = xtrue)
+AM_CONDITIONAL(USE_EAP_MSCHAPV2, test x$eap_mschapv2 = xtrue)
 AM_CONDITIONAL(USE_KERNEL_NETLINK, test x$kernel_netlink = xtrue)
 AM_CONDITIONAL(USE_KERNEL_PFKEY, test x$kernel_pfkey = xtrue)
 AM_CONDITIONAL(USE_KERNEL_KLIPS, test x$kernel_klips = xtrue)
@@ -928,6 +976,7 @@ AM_CONDITIONAL(USE_INTEGRITY_TEST, test x$integrity_test = xtrue)
 AM_CONDITIONAL(USE_SELF_TEST, test x$self_test = xtrue)
 AM_CONDITIONAL(USE_CAPABILITIES, test x$capabilities = xlibcap)
 AM_CONDITIONAL(USE_PLUTO, test x$pluto = xtrue)
+AM_CONDITIONAL(USE_THREADS, test x$threads = xtrue)
 AM_CONDITIONAL(USE_CHARON, test x$charon = xtrue)
 AM_CONDITIONAL(USE_TOOLS, test x$tools = xtrue)
 AM_CONDITIONAL(USE_LIBSTRONGSWAN, test x$charon = xtrue -o x$tools = xtrue)
@@ -955,6 +1004,7 @@ AC_OUTPUT(
 	src/libstrongswan/Makefile
 	src/libstrongswan/plugins/aes/Makefile
 	src/libstrongswan/plugins/des/Makefile
+	src/libstrongswan/plugins/md4/Makefile
 	src/libstrongswan/plugins/md5/Makefile
 	src/libstrongswan/plugins/sha1/Makefile
 	src/libstrongswan/plugins/sha2/Makefile
@@ -984,6 +1034,7 @@ AC_OUTPUT(
 	src/charon/plugins/eap_gtc/Makefile
 	src/charon/plugins/eap_sim/Makefile
 	src/charon/plugins/eap_sim_file/Makefile
+	src/charon/plugins/eap_mschapv2/Makefile
 	src/charon/plugins/kernel_netlink/Makefile
 	src/charon/plugins/kernel_pfkey/Makefile
 	src/charon/plugins/kernel_klips/Makefile
diff --git a/ltmain.sh b/ltmain.sh
index e420facf5..6d056ecf3 100644
--- a/ltmain.sh
+++ b/ltmain.sh
@@ -1,52 +1,83 @@
-# ltmain.sh - Provide generalized library-building support services.
-# NOTE: Changing this file will not affect anything until you rerun configure.
-#
-# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2003, 2004, 2005, 2006,
-# 2007, 2008  Free Software Foundation, Inc.
-# Originally by Gordon Matzigkeit <gord@gnu.ai.mit.edu>, 1996
-#
-# This program is free software; you can redistribute it and/or modify
+# Generated from ltmain.m4sh.
+
+# ltmain.sh (GNU libtool) 2.2.4
+# Written by Gordon Matzigkeit <gord@gnu.ai.mit.edu>, 1996
+
+# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2003, 2004, 2005, 2006, 2007 2008 Free Software Foundation, Inc.
+# This is free software; see the source for copying conditions.  There is NO
+# warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+
+# GNU Libtool is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation; either version 2 of the License, or
 # (at your option) any later version.
 #
-# This program is distributed in the hope that it will be useful, but
+# As a special exception to the GNU General Public License,
+# if you distribute this file as part of a program or library that
+# is built using GNU Libtool, you may include this file under the
+# same distribution terms that you use for the rest of that program.
+#
+# GNU Libtool is distributed in the hope that it will be useful, but
 # WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 # General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-#
-# As a special exception to the GNU General Public License, if you
-# distribute this file as part of a program that contains a
-# configuration script generated by Autoconf, you may include it under
-# the same distribution terms that you use for the rest of that program.
-
-basename="s,^.*/,,g"
-
-# Work around backward compatibility issue on IRIX 6.5. On IRIX 6.4+, sh
-# is ksh but when the shell is invoked as "sh" and the current value of
-# the _XPG environment variable is not equal to 1 (one), the special
-# positional parameter $0, within a function call, is the name of the
-# function.
-progpath="$0"
-
-# The name of this program:
-progname=`echo "$progpath" | $SED $basename`
-modename="$progname"
+# along with GNU Libtool; see the file COPYING.  If not, a copy
+# can be downloaded from http://www.gnu.org/licenses/gpl.html,
+# or obtained by writing to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
 
-# Global variables:
-EXIT_SUCCESS=0
-EXIT_FAILURE=1
+# Usage: $progname [OPTION]... [MODE-ARG]...
+#
+# Provide generalized library-building support services.
+#
+#     --config             show all configuration variables
+#     --debug              enable verbose shell tracing
+# -n, --dry-run            display commands without modifying any files
+#     --features           display basic configuration information and exit
+#     --mode=MODE          use operation mode MODE
+#     --preserve-dup-deps  don't remove duplicate dependency libraries
+#     --quiet, --silent    don't print informational messages
+#     --tag=TAG            use configuration variables from tag TAG
+# -v, --verbose            print informational messages (default)
+#     --version            print version information
+# -h, --help               print short or long help message
+#
+# MODE must be one of the following:
+#
+#       clean              remove files from the build directory
+#       compile            compile a source file into a libtool object
+#       execute            automatically set library path, then run a program
+#       finish             complete the installation of libtool libraries
+#       install            install libraries or executables
+#       link               create a library or an executable
+#       uninstall          remove libraries from an installed directory
+#
+# MODE-ARGS vary depending on the MODE.
+# Try `$progname --help --mode=MODE' for a more detailed description of MODE.
+#
+# When reporting a bug, please describe a test case to reproduce it and
+# include the following information:
+#
+#       host-triplet:	$host
+#       shell:		$SHELL
+#       compiler:		$LTCC
+#       compiler flags:		$LTCFLAGS
+#       linker:		$LD (gnu? $with_gnu_ld)
+#       $progname:		(GNU libtool) 2.2.4 Debian-2.2.4-0ubuntu4
+#       automake:		$automake_version
+#       autoconf:		$autoconf_version
+#
+# Report bugs to <bug-libtool@gnu.org>.
 
 PROGRAM=ltmain.sh
 PACKAGE=libtool
-VERSION="1.5.26 Debian 1.5.26-1ubuntu1"
-TIMESTAMP=" (1.1220.2.493 2008/02/01 16:58:18)"
+VERSION="2.2.4 Debian-2.2.4-0ubuntu4"
+TIMESTAMP=""
+package_revision=1.2976
 
-# Be Bourne compatible (taken from Autoconf:_AS_BOURNE_COMPATIBLE).
+# Be Bourne compatible
 if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
   emulate sh
   NULLCMD=:
@@ -60,104 +91,261 @@ fi
 BIN_SH=xpg4; export BIN_SH # for Tru64
 DUALCASE=1; export DUALCASE # for MKS sh
 
-# Check that we have a working $echo.
-if test "X$1" = X--no-reexec; then
-  # Discard the --no-reexec flag, and continue.
-  shift
-elif test "X$1" = X--fallback-echo; then
-  # Avoid inline document here, it may be left over
-  :
-elif test "X`($echo '\t') 2>/dev/null`" = 'X\t'; then
-  # Yippee, $echo works!
-  :
-else
-  # Restart under the correct shell, and then maybe $echo will work.
-  exec $SHELL "$progpath" --no-reexec ${1+"$@"}
-fi
-
-if test "X$1" = X--fallback-echo; then
-  # used as fallback echo
-  shift
-  cat <<EOF
-$*
-EOF
-  exit $EXIT_SUCCESS
-fi
-
-default_mode=
-help="Try \`$progname --help' for more information."
-magic="%%%MAGIC variable%%%"
-mkdir="mkdir"
-mv="mv -f"
-rm="rm -f"
-
-# Sed substitution that helps us do robust quoting.  It backslashifies
-# metacharacters that are still active within double-quoted strings.
-Xsed="${SED}"' -e 1s/^X//'
-sed_quote_subst='s/\([\\`\\"$\\\\]\)/\\\1/g'
-# test EBCDIC or ASCII
-case `echo X|tr X '\101'` in
- A) # ASCII based system
-    # \n is not interpreted correctly by Solaris 8 /usr/ucb/tr
-  SP2NL='tr \040 \012'
-  NL2SP='tr \015\012 \040\040'
-  ;;
- *) # EBCDIC based system
-  SP2NL='tr \100 \n'
-  NL2SP='tr \r\n \100\100'
-  ;;
-esac
-
-# NLS nuisances.
+# NLS nuisances: We save the old values to restore during execute mode.
 # Only set LANG and LC_ALL to C if already set.
 # These must not be set unconditionally because not all systems understand
 # e.g. LANG=C (notably SCO).
-# We save the old values to restore during execute mode.
-lt_env=
+lt_user_locale=
+lt_safe_locale=
 for lt_var in LANG LANGUAGE LC_ALL LC_CTYPE LC_COLLATE LC_MESSAGES
 do
   eval "if test \"\${$lt_var+set}\" = set; then
-	  save_$lt_var=\$$lt_var
-	  lt_env=\"$lt_var=\$$lt_var \$lt_env\"
-	  $lt_var=C
+          save_$lt_var=\$$lt_var
+          $lt_var=C
 	  export $lt_var
+	  lt_user_locale=\"$lt_var=\\\$save_\$lt_var; \$lt_user_locale\"
+	  lt_safe_locale=\"$lt_var=C; \$lt_safe_locale\"
 	fi"
 done
 
-if test -n "$lt_env"; then
-  lt_env="env $lt_env"
-fi
+$lt_unset CDPATH
+
+
+
+
+
+: ${CP="cp -f"}
+: ${ECHO="echo"}
+: ${EGREP="/bin/grep -E"}
+: ${FGREP="/bin/grep -F"}
+: ${GREP="/bin/grep"}
+: ${LN_S="ln -s"}
+: ${MAKE="make"}
+: ${MKDIR="mkdir"}
+: ${MV="mv -f"}
+: ${RM="rm -f"}
+: ${SED="/bin/sed"}
+: ${SHELL="${CONFIG_SHELL-/bin/sh}"}
+: ${Xsed="$SED -e 1s/^X//"}
+
+# Global variables:
+EXIT_SUCCESS=0
+EXIT_FAILURE=1
+EXIT_MISMATCH=63  # $? = 63 is used to indicate version mismatch to missing.
+EXIT_SKIP=77	  # $? = 77 is used to indicate a skipped test to automake.
+
+exit_status=$EXIT_SUCCESS
 
 # Make sure IFS has a sensible default
 lt_nl='
 '
 IFS=" 	$lt_nl"
 
-if test "$build_libtool_libs" != yes && test "$build_old_libs" != yes; then
-  $echo "$modename: not configured to build any kind of library" 1>&2
-  $echo "Fatal configuration error.  See the $PACKAGE docs for more information." 1>&2
-  exit $EXIT_FAILURE
-fi
+dirname="s,/[^/]*$,,"
+basename="s,^.*/,,"
+
+# func_dirname_and_basename file append nondir_replacement
+# perform func_basename and func_dirname in a single function
+# call:
+#   dirname:  Compute the dirname of FILE.  If nonempty,
+#             add APPEND to the result, otherwise set result
+#             to NONDIR_REPLACEMENT.
+#             value returned in "$func_dirname_result"
+#   basename: Compute filename of FILE.
+#             value retuned in "$func_basename_result"
+# Implementation must be kept synchronized with func_dirname
+# and func_basename. For efficiency, we do not delegate to
+# those functions but instead duplicate the functionality here.
+func_dirname_and_basename ()
+{
+  # Extract subdirectory from the argument.
+  func_dirname_result=`$ECHO "X${1}" | $Xsed -e "$dirname"`
+  if test "X$func_dirname_result" = "X${1}"; then
+    func_dirname_result="${3}"
+  else
+    func_dirname_result="$func_dirname_result${2}"
+  fi
+  func_basename_result=`$ECHO "X${1}" | $Xsed -e "$basename"`
+}
 
-# Global variables.
-mode=$default_mode
-nonopt=
-prev=
-prevopt=
-run=
-show="$echo"
-show_help=
-execute_dlfiles=
-duplicate_deps=no
-preserve_args=
-lo2o="s/\\.lo\$/.${objext}/"
-o2lo="s/\\.${objext}\$/.lo/"
-extracted_archives=
-extracted_serial=0
+# Generated shell functions inserted here.
+
+# Work around backward compatibility issue on IRIX 6.5. On IRIX 6.4+, sh
+# is ksh but when the shell is invoked as "sh" and the current value of
+# the _XPG environment variable is not equal to 1 (one), the special
+# positional parameter $0, within a function call, is the name of the
+# function.
+progpath="$0"
+
+# The name of this program:
+# In the unlikely event $progname began with a '-', it would play havoc with
+# func_echo (imagine progname=-n), so we prepend ./ in that case:
+func_dirname_and_basename "$progpath"
+progname=$func_basename_result
+case $progname in
+  -*) progname=./$progname ;;
+esac
+
+# Make sure we have an absolute path for reexecution:
+case $progpath in
+  [\\/]*|[A-Za-z]:\\*) ;;
+  *[\\/]*)
+     progdir=$func_dirname_result
+     progdir=`cd "$progdir" && pwd`
+     progpath="$progdir/$progname"
+     ;;
+  *)
+     save_IFS="$IFS"
+     IFS=:
+     for progdir in $PATH; do
+       IFS="$save_IFS"
+       test -x "$progdir/$progname" && break
+     done
+     IFS="$save_IFS"
+     test -n "$progdir" || progdir=`pwd`
+     progpath="$progdir/$progname"
+     ;;
+esac
+
+# Sed substitution that helps us do robust quoting.  It backslashifies
+# metacharacters that are still active within double-quoted strings.
+Xsed="${SED}"' -e 1s/^X//'
+sed_quote_subst='s/\([`"$\\]\)/\\\1/g'
+
+# Same as above, but do not quote variable references.
+double_quote_subst='s/\(["`\\]\)/\\\1/g'
+
+# Re-`\' parameter expansions in output of double_quote_subst that were
+# `\'-ed in input to the same.  If an odd number of `\' preceded a '$'
+# in input to double_quote_subst, that '$' was protected from expansion.
+# Since each input `\' is now two `\'s, look for any number of runs of
+# four `\'s followed by two `\'s and then a '$'.  `\' that '$'.
+bs='\\'
+bs2='\\\\'
+bs4='\\\\\\\\'
+dollar='\$'
+sed_double_backslash="\
+  s/$bs4/&\\
+/g
+  s/^$bs2$dollar/$bs&/
+  s/\\([^$bs]\\)$bs2$dollar/\\1$bs2$bs$dollar/g
+  s/\n//g"
+
+# Standard options:
+opt_dry_run=false
+opt_help=false
+opt_quiet=false
+opt_verbose=false
+opt_warning=:
+
+# func_echo arg...
+# Echo program name prefixed message, along with the current mode
+# name if it has been set yet.
+func_echo ()
+{
+    $ECHO "$progname${mode+: }$mode: $*"
+}
+
+# func_verbose arg...
+# Echo program name prefixed message in verbose mode only.
+func_verbose ()
+{
+    $opt_verbose && func_echo ${1+"$@"}
+
+    # A bug in bash halts the script if the last line of a function
+    # fails when set -e is in force, so we need another command to
+    # work around that:
+    :
+}
+
+# func_error arg...
+# Echo program name prefixed message to standard error.
+func_error ()
+{
+    $ECHO "$progname${mode+: }$mode: "${1+"$@"} 1>&2
+}
+
+# func_warning arg...
+# Echo program name prefixed warning message to standard error.
+func_warning ()
+{
+    $opt_warning && $ECHO "$progname${mode+: }$mode: warning: "${1+"$@"} 1>&2
+
+    # bash bug again:
+    :
+}
+
+# func_fatal_error arg...
+# Echo program name prefixed message to standard error, and exit.
+func_fatal_error ()
+{
+    func_error ${1+"$@"}
+    exit $EXIT_FAILURE
+}
+
+# func_fatal_help arg...
+# Echo program name prefixed message to standard error, followed by
+# a help hint, and exit.
+func_fatal_help ()
+{
+    func_error ${1+"$@"}
+    func_fatal_error "$help"
+}
+help="Try \`$progname --help' for more information."  ## default
+
+
+# func_grep expression filename
+# Check whether EXPRESSION matches any line of FILENAME, without output.
+func_grep ()
+{
+    $GREP "$1" "$2" >/dev/null 2>&1
+}
+
+
+# func_mkdir_p directory-path
+# Make sure the entire path to DIRECTORY-PATH is available.
+func_mkdir_p ()
+{
+    my_directory_path="$1"
+    my_dir_list=
+
+    if test -n "$my_directory_path" && test "$opt_dry_run" != ":"; then
+
+      # Protect directory names starting with `-'
+      case $my_directory_path in
+        -*) my_directory_path="./$my_directory_path" ;;
+      esac
+
+      # While some portion of DIR does not yet exist...
+      while test ! -d "$my_directory_path"; do
+        # ...make a list in topmost first order.  Use a colon delimited
+	# list incase some portion of path contains whitespace.
+        my_dir_list="$my_directory_path:$my_dir_list"
+
+        # If the last portion added has no slash in it, the list is done
+        case $my_directory_path in */*) ;; *) break ;; esac
+
+        # ...otherwise throw away the child directory and loop
+        my_directory_path=`$ECHO "X$my_directory_path" | $Xsed -e "$dirname"`
+      done
+      my_dir_list=`$ECHO "X$my_dir_list" | $Xsed -e 's,:*$,,'`
+
+      save_mkdir_p_IFS="$IFS"; IFS=':'
+      for my_dir in $my_dir_list; do
+	IFS="$save_mkdir_p_IFS"
+        # mkdir can fail with a `File exist' error if two processes
+        # try to create one of the directories concurrently.  Don't
+        # stop in that case!
+        $MKDIR "$my_dir" 2>/dev/null || :
+      done
+      IFS="$save_mkdir_p_IFS"
+
+      # Bail out if we (or some other process) failed to create a directory.
+      test -d "$my_directory_path" || \
+        func_fatal_error "Failed to create \`$1'"
+    fi
+}
 
-#####################################
-# Shell function definitions:
-# This seems to be the best place for them
 
 # func_mktempdir [string]
 # Make a temporary directory that won't clash with other running
@@ -167,7 +355,7 @@ func_mktempdir ()
 {
     my_template="${TMPDIR-/tmp}/${1-$progname}"
 
-    if test "$run" = ":"; then
+    if test "$opt_dry_run" = ":"; then
       # Return a directory name, but don't create it in dry-run mode
       my_tmpdir="${my_template}-$$"
     else
@@ -176,526 +364,786 @@ func_mktempdir ()
       my_tmpdir=`mktemp -d "${my_template}-XXXXXXXX" 2>/dev/null`
 
       if test ! -d "$my_tmpdir"; then
-	# Failing that, at least try and use $RANDOM to avoid a race
-	my_tmpdir="${my_template}-${RANDOM-0}$$"
+        # Failing that, at least try and use $RANDOM to avoid a race
+        my_tmpdir="${my_template}-${RANDOM-0}$$"
 
-	save_mktempdir_umask=`umask`
-	umask 0077
-	$mkdir "$my_tmpdir"
-	umask $save_mktempdir_umask
+        save_mktempdir_umask=`umask`
+        umask 0077
+        $MKDIR "$my_tmpdir"
+        umask $save_mktempdir_umask
       fi
 
       # If we're not in dry-run mode, bomb out on failure
-      test -d "$my_tmpdir" || {
-        $echo "cannot create temporary directory \`$my_tmpdir'" 1>&2
-	exit $EXIT_FAILURE
-      }
+      test -d "$my_tmpdir" || \
+        func_fatal_error "cannot create temporary directory \`$my_tmpdir'"
     fi
 
-    $echo "X$my_tmpdir" | $Xsed
+    $ECHO "X$my_tmpdir" | $Xsed
 }
 
 
-# func_win32_libid arg
-# return the library type of file 'arg'
-#
-# Need a lot of goo to handle *both* DLLs and import libs
-# Has to be a shell function in order to 'eat' the argument
-# that is supplied when $file_magic_command is called.
-func_win32_libid ()
+# func_quote_for_eval arg
+# Aesthetically quote ARG to be evaled later.
+# This function returns two values: FUNC_QUOTE_FOR_EVAL_RESULT
+# is double-quoted, suitable for a subsequent eval, whereas
+# FUNC_QUOTE_FOR_EVAL_UNQUOTED_RESULT has merely all characters
+# which are still active within double quotes backslashified.
+func_quote_for_eval ()
 {
-  win32_libid_type="unknown"
-  win32_fileres=`file -L $1 2>/dev/null`
-  case $win32_fileres in
-  *ar\ archive\ import\ library*) # definitely import
-    win32_libid_type="x86 archive import"
-    ;;
-  *ar\ archive*) # could be an import, or static
-    if eval $OBJDUMP -f $1 | $SED -e '10q' 2>/dev/null | \
-      $EGREP -e 'file format pe-i386(.*architecture: i386)?' >/dev/null ; then
-      win32_nmres=`eval $NM -f posix -A $1 | \
-	$SED -n -e '1,100{
-		/ I /{
-			s,.*,import,
-			p
-			q
-			}
-		}'`
-      case $win32_nmres in
-      import*)  win32_libid_type="x86 archive import";;
-      *)        win32_libid_type="x86 archive static";;
-      esac
-    fi
-    ;;
-  *DLL*)
-    win32_libid_type="x86 DLL"
-    ;;
-  *executable*) # but shell scripts are "executable" too...
-    case $win32_fileres in
-    *MS\ Windows\ PE\ Intel*)
-      win32_libid_type="x86 DLL"
-      ;;
+    case $1 in
+      *[\\\`\"\$]*)
+	func_quote_for_eval_unquoted_result=`$ECHO "X$1" | $Xsed -e "$sed_quote_subst"` ;;
+      *)
+        func_quote_for_eval_unquoted_result="$1" ;;
+    esac
+
+    case $func_quote_for_eval_unquoted_result in
+      # Double-quote args containing shell metacharacters to delay
+      # word splitting, command substitution and and variable
+      # expansion for a subsequent eval.
+      # Many Bourne shells cannot handle close brackets correctly
+      # in scan sets, so we specify it separately.
+      *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*|"")
+        func_quote_for_eval_result="\"$func_quote_for_eval_unquoted_result\""
+        ;;
+      *)
+        func_quote_for_eval_result="$func_quote_for_eval_unquoted_result"
     esac
-    ;;
-  esac
-  $echo $win32_libid_type
 }
 
 
-# func_infer_tag arg
-# Infer tagged configuration to use if any are available and
-# if one wasn't chosen via the "--tag" command line option.
-# Only attempt this if the compiler in the base compile
-# command doesn't match the default compiler.
-# arg is usually of the form 'gcc ...'
-func_infer_tag ()
+# func_quote_for_expand arg
+# Aesthetically quote ARG to be evaled later; same as above,
+# but do not quote variable references.
+func_quote_for_expand ()
 {
-    if test -n "$available_tags" && test -z "$tagname"; then
-      CC_quoted=
-      for arg in $CC; do
-	case $arg in
-	  *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*|"")
-	  arg="\"$arg\""
-	  ;;
-	esac
-	CC_quoted="$CC_quoted $arg"
-      done
-      case $@ in
-      # Blanks in the command may have been stripped by the calling shell,
-      # but not from the CC environment variable when configure was run.
-      " $CC "* | "$CC "* | " `$echo $CC` "* | "`$echo $CC` "* | " $CC_quoted"* | "$CC_quoted "* | " `$echo $CC_quoted` "* | "`$echo $CC_quoted` "*) ;;
-      # Blanks at the start of $base_compile will cause this to fail
-      # if we don't check for them as well.
+    case $1 in
+      *[\\\`\"]*)
+	my_arg=`$ECHO "X$1" | $Xsed \
+	    -e "$double_quote_subst" -e "$sed_double_backslash"` ;;
       *)
-	for z in $available_tags; do
-	  if grep "^# ### BEGIN LIBTOOL TAG CONFIG: $z$" < "$progpath" > /dev/null; then
-	    # Evaluate the configuration.
-	    eval "`${SED} -n -e '/^# ### BEGIN LIBTOOL TAG CONFIG: '$z'$/,/^# ### END LIBTOOL TAG CONFIG: '$z'$/p' < $progpath`"
-	    CC_quoted=
-	    for arg in $CC; do
-	    # Double-quote args containing other shell metacharacters.
-	    case $arg in
-	      *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*|"")
-	      arg="\"$arg\""
-	      ;;
-	    esac
-	    CC_quoted="$CC_quoted $arg"
-	  done
-	    case "$@ " in
-	      " $CC "* | "$CC "* | " `$echo $CC` "* | "`$echo $CC` "* | " $CC_quoted"* | "$CC_quoted "* | " `$echo $CC_quoted` "* | "`$echo $CC_quoted` "*)
-	      # The compiler in the base compile command matches
-	      # the one in the tagged configuration.
-	      # Assume this is the tagged configuration we want.
-	      tagname=$z
-	      break
-	      ;;
-	    esac
-	  fi
-	done
-	# If $tagname still isn't set, then no tagged configuration
-	# was found and let the user know that the "--tag" command
-	# line option must be used.
-	if test -z "$tagname"; then
-	  $echo "$modename: unable to infer tagged configuration"
-	  $echo "$modename: specify a tag with \`--tag'" 1>&2
-	  exit $EXIT_FAILURE
-#        else
-#          $echo "$modename: using $tagname tagged configuration"
-	fi
-	;;
-      esac
-    fi
+        my_arg="$1" ;;
+    esac
+
+    case $my_arg in
+      # Double-quote args containing shell metacharacters to delay
+      # word splitting and command substitution for a subsequent eval.
+      # Many Bourne shells cannot handle close brackets correctly
+      # in scan sets, so we specify it separately.
+      *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*|"")
+        my_arg="\"$my_arg\""
+        ;;
+    esac
+
+    func_quote_for_expand_result="$my_arg"
 }
 
 
-# func_extract_an_archive dir oldlib
-func_extract_an_archive ()
+# func_show_eval cmd [fail_exp]
+# Unless opt_silent is true, then output CMD.  Then, if opt_dryrun is
+# not true, evaluate CMD.  If the evaluation of CMD fails, and FAIL_EXP
+# is given, then evaluate it.
+func_show_eval ()
 {
-    f_ex_an_ar_dir="$1"; shift
-    f_ex_an_ar_oldlib="$1"
+    my_cmd="$1"
+    my_fail_exp="${2-:}"
 
-    $show "(cd $f_ex_an_ar_dir && $AR x $f_ex_an_ar_oldlib)"
-    $run eval "(cd \$f_ex_an_ar_dir && $AR x \$f_ex_an_ar_oldlib)" || exit $?
-    if ($AR t "$f_ex_an_ar_oldlib" | sort | sort -uc >/dev/null 2>&1); then
-     :
-    else
-      $echo "$modename: ERROR: object name conflicts: $f_ex_an_ar_dir/$f_ex_an_ar_oldlib" 1>&2
-      exit $EXIT_FAILURE
+    ${opt_silent-false} || {
+      func_quote_for_expand "$my_cmd"
+      eval "func_echo $func_quote_for_expand_result"
+    }
+
+    if ${opt_dry_run-false}; then :; else
+      eval "$my_cmd"
+      my_status=$?
+      if test "$my_status" -eq 0; then :; else
+	eval "(exit $my_status); $my_fail_exp"
+      fi
     fi
 }
 
-# func_extract_archives gentop oldlib ...
-func_extract_archives ()
+
+# func_show_eval_locale cmd [fail_exp]
+# Unless opt_silent is true, then output CMD.  Then, if opt_dryrun is
+# not true, evaluate CMD.  If the evaluation of CMD fails, and FAIL_EXP
+# is given, then evaluate it.  Use the saved locale for evaluation.
+func_show_eval_locale ()
 {
-    my_gentop="$1"; shift
-    my_oldlibs=${1+"$@"}
-    my_oldobjs=""
-    my_xlib=""
-    my_xabs=""
-    my_xdir=""
-    my_status=""
-
-    $show "${rm}r $my_gentop"
-    $run ${rm}r "$my_gentop"
-    $show "$mkdir $my_gentop"
-    $run $mkdir "$my_gentop"
-    my_status=$?
-    if test "$my_status" -ne 0 && test ! -d "$my_gentop"; then
-      exit $my_status
+    my_cmd="$1"
+    my_fail_exp="${2-:}"
+
+    ${opt_silent-false} || {
+      func_quote_for_expand "$my_cmd"
+      eval "func_echo $func_quote_for_expand_result"
+    }
+
+    if ${opt_dry_run-false}; then :; else
+      eval "$lt_user_locale
+	    $my_cmd"
+      my_status=$?
+      eval "$lt_safe_locale"
+      if test "$my_status" -eq 0; then :; else
+	eval "(exit $my_status); $my_fail_exp"
+      fi
     fi
+}
 
-    for my_xlib in $my_oldlibs; do
-      # Extract the objects.
-      case $my_xlib in
-	[\\/]* | [A-Za-z]:[\\/]*) my_xabs="$my_xlib" ;;
-	*) my_xabs=`pwd`"/$my_xlib" ;;
-      esac
-      my_xlib=`$echo "X$my_xlib" | $Xsed -e 's%^.*/%%'`
-      my_xlib_u=$my_xlib
-      while :; do
-        case " $extracted_archives " in
-	*" $my_xlib_u "*)
-	  extracted_serial=`expr $extracted_serial + 1`
-	  my_xlib_u=lt$extracted_serial-$my_xlib ;;
-	*) break ;;
-	esac
-      done
-      extracted_archives="$extracted_archives $my_xlib_u"
-      my_xdir="$my_gentop/$my_xlib_u"
 
-      $show "${rm}r $my_xdir"
-      $run ${rm}r "$my_xdir"
-      $show "$mkdir $my_xdir"
-      $run $mkdir "$my_xdir"
-      exit_status=$?
-      if test "$exit_status" -ne 0 && test ! -d "$my_xdir"; then
-	exit $exit_status
-      fi
-      case $host in
-      *-darwin*)
-	$show "Extracting $my_xabs"
-	# Do not bother doing anything if just a dry run
-	if test -z "$run"; then
-	  darwin_orig_dir=`pwd`
-	  cd $my_xdir || exit $?
-	  darwin_archive=$my_xabs
-	  darwin_curdir=`pwd`
-	  darwin_base_archive=`$echo "X$darwin_archive" | $Xsed -e 's%^.*/%%'`
-	  darwin_arches=`lipo -info "$darwin_archive" 2>/dev/null | $EGREP Architectures 2>/dev/null`
-	  if test -n "$darwin_arches"; then 
-	    darwin_arches=`echo "$darwin_arches" | $SED -e 's/.*are://'`
-	    darwin_arch=
-	    $show "$darwin_base_archive has multiple architectures $darwin_arches"
-	    for darwin_arch in  $darwin_arches ; do
-	      mkdir -p "unfat-$$/${darwin_base_archive}-${darwin_arch}"
-	      lipo -thin $darwin_arch -output "unfat-$$/${darwin_base_archive}-${darwin_arch}/${darwin_base_archive}" "${darwin_archive}"
-	      cd "unfat-$$/${darwin_base_archive}-${darwin_arch}"
-	      func_extract_an_archive "`pwd`" "${darwin_base_archive}"
-	      cd "$darwin_curdir"
-	      $rm "unfat-$$/${darwin_base_archive}-${darwin_arch}/${darwin_base_archive}"
-	    done # $darwin_arches
-      ## Okay now we have a bunch of thin objects, gotta fatten them up :)
-	    darwin_filelist=`find unfat-$$ -type f -name \*.o -print -o -name \*.lo -print| xargs basename | sort -u | $NL2SP`
-	    darwin_file=
-	    darwin_files=
-	    for darwin_file in $darwin_filelist; do
-	      darwin_files=`find unfat-$$ -name $darwin_file -print | $NL2SP`
-	      lipo -create -output "$darwin_file" $darwin_files
-	    done # $darwin_filelist
-	    ${rm}r unfat-$$
-	    cd "$darwin_orig_dir"
-	  else
-	    cd "$darwin_orig_dir"
- 	    func_extract_an_archive "$my_xdir" "$my_xabs"
-	  fi # $darwin_arches
-	fi # $run
-	;;
-      *)
-        func_extract_an_archive "$my_xdir" "$my_xabs"
-        ;;
-      esac
-      my_oldobjs="$my_oldobjs "`find $my_xdir -name \*.$objext -print -o -name \*.lo -print | $NL2SP`
-    done
-    func_extract_archives_result="$my_oldobjs"
+
+
+
+# func_version
+# Echo version message to standard output and exit.
+func_version ()
+{
+    $SED -n '/^# '$PROGRAM' (GNU /,/# warranty; / {
+        s/^# //
+	s/^# *$//
+        s/\((C)\)[ 0-9,-]*\( [1-9][0-9]*\)/\1\2/
+        p
+     }' < "$progpath"
+     exit $?
+}
+
+# func_usage
+# Echo short help message to standard output and exit.
+func_usage ()
+{
+    $SED -n '/^# Usage:/,/# -h/ {
+        s/^# //
+	s/^# *$//
+	s/\$progname/'$progname'/
+	p
+    }' < "$progpath"
+    $ECHO
+    $ECHO "run \`$progname --help | more' for full usage"
+    exit $?
+}
+
+# func_help
+# Echo long help message to standard output and exit.
+func_help ()
+{
+    $SED -n '/^# Usage:/,/# Report bugs to/ {
+        s/^# //
+	s/^# *$//
+	s*\$progname*'$progname'*
+	s*\$host*'"$host"'*
+	s*\$SHELL*'"$SHELL"'*
+	s*\$LTCC*'"$LTCC"'*
+	s*\$LTCFLAGS*'"$LTCFLAGS"'*
+	s*\$LD*'"$LD"'*
+	s/\$with_gnu_ld/'"$with_gnu_ld"'/
+	s/\$automake_version/'"`(automake --version) 2>/dev/null |$SED 1q`"'/
+	s/\$autoconf_version/'"`(autoconf --version) 2>/dev/null |$SED 1q`"'/
+	p
+     }' < "$progpath"
+    exit $?
+}
+
+# func_missing_arg argname
+# Echo program name prefixed message to standard error and set global
+# exit_cmd.
+func_missing_arg ()
+{
+    func_error "missing argument for $1"
+    exit_cmd=exit
 }
-# End of Shell function definitions
-#####################################
 
-# Darwin sucks
-eval std_shrext=\"$shrext_cmds\"
+exit_cmd=:
 
-disable_libs=no
 
-# Parse our command line options once, thoroughly.
-while test "$#" -gt 0
-do
-  arg="$1"
+
+
+
+# Check that we have a working $ECHO.
+if test "X$1" = X--no-reexec; then
+  # Discard the --no-reexec flag, and continue.
   shift
+elif test "X$1" = X--fallback-echo; then
+  # Avoid inline document here, it may be left over
+  :
+elif test "X`{ $ECHO '\t'; } 2>/dev/null`" = 'X\t'; then
+  # Yippee, $ECHO works!
+  :
+else
+  # Restart under the correct shell, and then maybe $ECHO will work.
+  exec $SHELL "$progpath" --no-reexec ${1+"$@"}
+fi
 
-  case $arg in
-  -*=*) optarg=`$echo "X$arg" | $Xsed -e 's/[-_a-zA-Z0-9]*=//'` ;;
-  *) optarg= ;;
-  esac
+if test "X$1" = X--fallback-echo; then
+  # used as fallback echo
+  shift
+  cat <<EOF
+$*
+EOF
+  exit $EXIT_SUCCESS
+fi
 
-  # If the previous option needs an argument, assign it.
-  if test -n "$prev"; then
-    case $prev in
-    execute_dlfiles)
-      execute_dlfiles="$execute_dlfiles $arg"
-      ;;
-    tag)
-      tagname="$arg"
-      preserve_args="${preserve_args}=$arg"
-
-      # Check whether tagname contains only valid characters
-      case $tagname in
-      *[!-_A-Za-z0-9,/]*)
-	$echo "$progname: invalid tag name: $tagname" 1>&2
-	exit $EXIT_FAILURE
-	;;
-      esac
+magic="%%%MAGIC variable%%%"
+magic_exe="%%%MAGIC EXE variable%%%"
 
-      case $tagname in
-      CC)
-	# Don't test for the "default" C tag, as we know, it's there, but
-	# not specially marked.
-	;;
-      *)
-	if grep "^# ### BEGIN LIBTOOL TAG CONFIG: $tagname$" < "$progpath" > /dev/null; then
-	  taglist="$taglist $tagname"
-	  # Evaluate the configuration.
-	  eval "`${SED} -n -e '/^# ### BEGIN LIBTOOL TAG CONFIG: '$tagname'$/,/^# ### END LIBTOOL TAG CONFIG: '$tagname'$/p' < $progpath`"
-	else
-	  $echo "$progname: ignoring unknown tag $tagname" 1>&2
-	fi
-	;;
-      esac
-      ;;
-    *)
-      eval "$prev=\$arg"
-      ;;
-    esac
+# Global variables.
+# $mode is unset
+nonopt=
+execute_dlfiles=
+preserve_args=
+lo2o="s/\\.lo\$/.${objext}/"
+o2lo="s/\\.${objext}\$/.lo/"
+extracted_archives=
+extracted_serial=0
 
-    prev=
-    prevopt=
-    continue
-  fi
+opt_dry_run=false
+opt_duplicate_deps=false
+opt_silent=false
+opt_debug=:
 
-  # Have we seen a non-optional argument yet?
-  case $arg in
-  --help)
-    show_help=yes
-    ;;
+# If this variable is set in any of the actions, the command in it
+# will be execed at the end.  This prevents here-documents from being
+# left over by shells.
+exec_cmd=
+
+# func_fatal_configuration arg...
+# Echo program name prefixed message to standard error, followed by
+# a configuration failure hint, and exit.
+func_fatal_configuration ()
+{
+    func_error ${1+"$@"}
+    func_error "See the $PACKAGE documentation for more information."
+    func_fatal_error "Fatal configuration error."
+}
 
-  --version)
-    echo "\
-$PROGRAM (GNU $PACKAGE) $VERSION$TIMESTAMP
 
-Copyright (C) 2008  Free Software Foundation, Inc.
-This is free software; see the source for copying conditions.  There is NO
-warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
-    exit $?
-    ;;
+# func_config
+# Display the configuration for all the tags in this script.
+func_config ()
+{
+    re_begincf='^# ### BEGIN LIBTOOL'
+    re_endcf='^# ### END LIBTOOL'
+
+    # Default configuration.
+    $SED "1,/$re_begincf CONFIG/d;/$re_endcf CONFIG/,\$d" < "$progpath"
 
-  --config)
-    ${SED} -e '1,/^# ### BEGIN LIBTOOL CONFIG/d' -e '/^# ### END LIBTOOL CONFIG/,$d' $progpath
     # Now print the configurations for the tags.
     for tagname in $taglist; do
-      ${SED} -n -e "/^# ### BEGIN LIBTOOL TAG CONFIG: $tagname$/,/^# ### END LIBTOOL TAG CONFIG: $tagname$/p" < "$progpath"
+      $SED -n "/$re_begincf TAG CONFIG: $tagname\$/,/$re_endcf TAG CONFIG: $tagname\$/p" < "$progpath"
     done
-    exit $?
-    ;;
-
-  --debug)
-    $echo "$progname: enabling shell trace mode"
-    set -x
-    preserve_args="$preserve_args $arg"
-    ;;
 
-  --dry-run | -n)
-    run=:
-    ;;
+    exit $?
+}
 
-  --features)
-    $echo "host: $host"
+# func_features
+# Display the features supported by this script.
+func_features ()
+{
+    $ECHO "host: $host"
     if test "$build_libtool_libs" = yes; then
-      $echo "enable shared libraries"
+      $ECHO "enable shared libraries"
     else
-      $echo "disable shared libraries"
+      $ECHO "disable shared libraries"
     fi
     if test "$build_old_libs" = yes; then
-      $echo "enable static libraries"
+      $ECHO "enable static libraries"
     else
-      $echo "disable static libraries"
+      $ECHO "disable static libraries"
     fi
+
     exit $?
-    ;;
+}
 
-  --finish) mode="finish" ;;
+# func_enable_tag tagname
+# Verify that TAGNAME is valid, and either flag an error and exit, or
+# enable the TAGNAME tag.  We also add TAGNAME to the global $taglist
+# variable here.
+func_enable_tag ()
+{
+  # Global variable:
+  tagname="$1"
 
-  --mode) prevopt="--mode" prev=mode ;;
-  --mode=*) mode="$optarg" ;;
+  re_begincf="^# ### BEGIN LIBTOOL TAG CONFIG: $tagname\$"
+  re_endcf="^# ### END LIBTOOL TAG CONFIG: $tagname\$"
+  sed_extractcf="/$re_begincf/,/$re_endcf/p"
 
-  --preserve-dup-deps) duplicate_deps="yes" ;;
+  # Validate tagname.
+  case $tagname in
+    *[!-_A-Za-z0-9,/]*)
+      func_fatal_error "invalid tag name: $tagname"
+      ;;
+  esac
 
-  --quiet | --silent)
-    show=:
-    preserve_args="$preserve_args $arg"
-    ;;
+  # Don't test for the "default" C tag, as we know it's
+  # there but not specially marked.
+  case $tagname in
+    CC) ;;
+    *)
+      if $GREP "$re_begincf" "$progpath" >/dev/null 2>&1; then
+	taglist="$taglist $tagname"
+
+	# Evaluate the configuration.  Be careful to quote the path
+	# and the sed script, to avoid splitting on whitespace, but
+	# also don't use non-portable quotes within backquotes within
+	# quotes we have to do it in 2 steps:
+	extractedcf=`$SED -n -e "$sed_extractcf" < "$progpath"`
+	eval "$extractedcf"
+      else
+	func_error "ignoring unknown tag $tagname"
+      fi
+      ;;
+  esac
+}
+
+# Parse options once, thoroughly.  This comes as soon as possible in
+# the script to make things like `libtool --version' happen quickly.
+{
 
-  --tag)
-    prevopt="--tag"
-    prev=tag
-    preserve_args="$preserve_args --tag"
+  # Shorthand for --mode=foo, only valid as the first argument
+  case $1 in
+  clean|clea|cle|cl)
+    shift; set dummy --mode clean ${1+"$@"}; shift
     ;;
-  --tag=*)
-    set tag "$optarg" ${1+"$@"}
-    shift
-    prev=tag
-    preserve_args="$preserve_args --tag"
+  compile|compil|compi|comp|com|co|c)
+    shift; set dummy --mode compile ${1+"$@"}; shift
     ;;
-
-  -dlopen)
-    prevopt="-dlopen"
-    prev=execute_dlfiles
+  execute|execut|execu|exec|exe|ex|e)
+    shift; set dummy --mode execute ${1+"$@"}; shift
     ;;
-
-  -*)
-    $echo "$modename: unrecognized option \`$arg'" 1>&2
-    $echo "$help" 1>&2
-    exit $EXIT_FAILURE
+  finish|finis|fini|fin|fi|f)
+    shift; set dummy --mode finish ${1+"$@"}; shift
     ;;
-
-  *)
-    nonopt="$arg"
-    break
+  install|instal|insta|inst|ins|in|i)
+    shift; set dummy --mode install ${1+"$@"}; shift
+    ;;
+  link|lin|li|l)
+    shift; set dummy --mode link ${1+"$@"}; shift
+    ;;
+  uninstall|uninstal|uninsta|uninst|unins|unin|uni|un|u)
+    shift; set dummy --mode uninstall ${1+"$@"}; shift
     ;;
   esac
-done
 
-if test -n "$prevopt"; then
-  $echo "$modename: option \`$prevopt' requires an argument" 1>&2
-  $echo "$help" 1>&2
-  exit $EXIT_FAILURE
-fi
+  # Parse non-mode specific arguments:
+  while test "$#" -gt 0; do
+    opt="$1"
+    shift
 
-case $disable_libs in
-no) 
-  ;;
-shared)
-  build_libtool_libs=no
-  build_old_libs=yes
-  ;;
-static)
-  build_old_libs=`case $build_libtool_libs in yes) echo no;; *) echo yes;; esac`
-  ;;
-esac
+    case $opt in
+      --config)		func_config					;;
 
-# If this variable is set in any of the actions, the command in it
-# will be execed at the end.  This prevents here-documents from being
-# left over by shells.
-exec_cmd=
+      --debug)		preserve_args="$preserve_args $opt"
+			func_echo "enabling shell trace mode"
+			opt_debug='set -x'
+			$opt_debug
+			;;
 
-if test -z "$show_help"; then
+      -dlopen)		test "$#" -eq 0 && func_missing_arg "$opt" && break
+			execute_dlfiles="$execute_dlfiles $1"
+			shift
+			;;
 
-  # Infer the operation mode.
-  if test -z "$mode"; then
-    $echo "*** Warning: inferring the mode of operation is deprecated." 1>&2
-    $echo "*** Future versions of Libtool will require --mode=MODE be specified." 1>&2
-    case $nonopt in
-    *cc | cc* | *++ | gcc* | *-gcc* | g++* | xlc*)
-      mode=link
-      for arg
-      do
-	case $arg in
-	-c)
-	   mode=compile
-	   break
-	   ;;
-	esac
-      done
-      ;;
-    *db | *dbx | *strace | *truss)
-      mode=execute
-      ;;
-    *install*|cp|mv)
-      mode=install
-      ;;
-    *rm)
-      mode=uninstall
+      --dry-run | -n)	opt_dry_run=:					;;
+      --features)       func_features					;;
+      --finish)		mode="finish"					;;
+
+      --mode)		test "$#" -eq 0 && func_missing_arg "$opt" && break
+			case $1 in
+			  # Valid mode arguments:
+			  clean)	;;
+			  compile)	;;
+			  execute)	;;
+			  finish)	;;
+			  install)	;;
+			  link)		;;
+			  relink)	;;
+			  uninstall)	;;
+
+			  # Catch anything else as an error
+			  *) func_error "invalid argument for $opt"
+			     exit_cmd=exit
+			     break
+			     ;;
+		        esac
+
+			mode="$1"
+			shift
+			;;
+
+      --preserve-dup-deps)
+			opt_duplicate_deps=:				;;
+
+      --quiet|--silent)	preserve_args="$preserve_args $opt"
+			opt_silent=:
+			;;
+
+      --verbose| -v)	preserve_args="$preserve_args $opt"
+			opt_silent=false
+			;;
+
+      --tag)		test "$#" -eq 0 && func_missing_arg "$opt" && break
+			preserve_args="$preserve_args $opt $1"
+			func_enable_tag "$1"	# tagname is set here
+			shift
+			;;
+
+      # Separate optargs to long options:
+      -dlopen=*|--mode=*|--tag=*)
+			func_opt_split "$opt"
+			set dummy "$func_opt_split_opt" "$func_opt_split_arg" ${1+"$@"}
+			shift
+			;;
+
+      -\?|-h)		func_usage					;;
+      --help)		opt_help=:					;;
+      --version)	func_version					;;
+
+      -*)		func_fatal_help "unrecognized option \`$opt'"	;;
+
+      *)		nonopt="$opt"
+			break
+			;;
+    esac
+  done
+
+
+  case $host in
+    *cygwin* | *mingw* | *pw32*)
+      # don't eliminate duplications in $postdeps and $predeps
+      opt_duplicate_compiler_generated_deps=:
       ;;
     *)
-      # If we have no mode, but dlfiles were specified, then do execute mode.
-      test -n "$execute_dlfiles" && mode=execute
+      opt_duplicate_compiler_generated_deps=$opt_duplicate_deps
+      ;;
+  esac
 
-      # Just use the default operation mode.
-      if test -z "$mode"; then
-	if test -n "$nonopt"; then
-	  $echo "$modename: warning: cannot infer operation mode from \`$nonopt'" 1>&2
-	else
-	  $echo "$modename: warning: cannot infer operation mode without MODE-ARGS" 1>&2
-	fi
+  # Having warned about all mis-specified options, bail out if
+  # anything was wrong.
+  $exit_cmd $EXIT_FAILURE
+}
+
+# func_check_version_match
+# Ensure that we are using m4 macros, and libtool script from the same
+# release of libtool.
+func_check_version_match ()
+{
+  if test "$package_revision" != "$macro_revision"; then
+    if test "$VERSION" != "$macro_version"; then
+      if test -z "$macro_version"; then
+        cat >&2 <<_LT_EOF
+$progname: Version mismatch error.  This is $PACKAGE $VERSION, but the
+$progname: definition of this LT_INIT comes from an older release.
+$progname: You should recreate aclocal.m4 with macros from $PACKAGE $VERSION
+$progname: and run autoconf again.
+_LT_EOF
+      else
+        cat >&2 <<_LT_EOF
+$progname: Version mismatch error.  This is $PACKAGE $VERSION, but the
+$progname: definition of this LT_INIT comes from $PACKAGE $macro_version.
+$progname: You should recreate aclocal.m4 with macros from $PACKAGE $VERSION
+$progname: and run autoconf again.
+_LT_EOF
       fi
-      ;;
-    esac
+    else
+      cat >&2 <<_LT_EOF
+$progname: Version mismatch error.  This is $PACKAGE $VERSION, revision $package_revision,
+$progname: but the definition of this LT_INIT comes from revision $macro_revision.
+$progname: You should recreate aclocal.m4 with macros from revision $package_revision
+$progname: of $PACKAGE $VERSION and run autoconf again.
+_LT_EOF
+    fi
+
+    exit $EXIT_MISMATCH
   fi
+}
+
+
+## ----------- ##
+##    Main.    ##
+## ----------- ##
+
+$opt_help || {
+  # Sanity checks first:
+  func_check_version_match
+
+  if test "$build_libtool_libs" != yes && test "$build_old_libs" != yes; then
+    func_fatal_configuration "not configured to build any kind of library"
+  fi
+
+  test -z "$mode" && func_fatal_error "error: you must specify a MODE."
+
+
+  # Darwin sucks
+  eval std_shrext=\"$shrext_cmds\"
+
 
   # Only execute mode is allowed to have -dlopen flags.
   if test -n "$execute_dlfiles" && test "$mode" != execute; then
-    $echo "$modename: unrecognized option \`-dlopen'" 1>&2
-    $echo "$help" 1>&2
+    func_error "unrecognized option \`-dlopen'"
+    $ECHO "$help" 1>&2
     exit $EXIT_FAILURE
   fi
 
   # Change the help message to a mode-specific one.
   generic_help="$help"
-  help="Try \`$modename --help --mode=$mode' for more information."
+  help="Try \`$progname --help --mode=$mode' for more information."
+}
 
-  # These modes are in order of execution frequency so that they run quickly.
-  case $mode in
-  # libtool compile mode
-  compile)
-    modename="$modename: compile"
-    # Get the compilation command and the source file.
-    base_compile=
-    srcfile="$nonopt"  #  always keep a non-empty value in "srcfile"
-    suppress_opt=yes
-    suppress_output=
-    arg_mode=normal
-    libobj=
-    later=
 
-    for arg
-    do
-      case $arg_mode in
-      arg  )
-	# do not "continue".  Instead, add this to base_compile
-	lastarg="$arg"
-	arg_mode=normal
-	;;
+# func_lalib_p file
+# True iff FILE is a libtool `.la' library or `.lo' object file.
+# This function is only a basic sanity check; it will hardly flush out
+# determined imposters.
+func_lalib_p ()
+{
+    $SED -e 4q "$1" 2>/dev/null \
+      | $GREP "^# Generated by .*$PACKAGE" > /dev/null 2>&1
+}
 
-      target )
-	libobj="$arg"
-	arg_mode=normal
-	continue
-	;;
+# func_lalib_unsafe_p file
+# True iff FILE is a libtool `.la' library or `.lo' object file.
+# This function implements the same check as func_lalib_p without
+# resorting to external programs.  To this end, it redirects stdin and
+# closes it afterwards, without saving the original file descriptor.
+# As a safety measure, use it only where a negative result would be
+# fatal anyway.  Works if `file' does not exist.
+func_lalib_unsafe_p ()
+{
+    lalib_p=no
+    if test -r "$1" && exec 5<&0 <"$1"; then
+	for lalib_p_l in 1 2 3 4
+	do
+	    read lalib_p_line
+	    case "$lalib_p_line" in
+		\#\ Generated\ by\ *$PACKAGE* ) lalib_p=yes; break;;
+	    esac
+	done
+	exec 0<&5 5<&-
+    fi
+    test "$lalib_p" = yes
+}
 
-      normal )
-	# Accept any command-line options.
-	case $arg in
-	-o)
-	  if test -n "$libobj" ; then
-	    $echo "$modename: you cannot specify \`-o' more than once" 1>&2
-	    exit $EXIT_FAILURE
-	  fi
-	  arg_mode=target
-	  continue
-	  ;;
+# func_ltwrapper_script_p file
+# True iff FILE is a libtool wrapper script
+# This function is only a basic sanity check; it will hardly flush out
+# determined imposters.
+func_ltwrapper_script_p ()
+{
+    func_lalib_p "$1"
+}
 
-	-static | -prefer-pic | -prefer-non-pic)
-	  later="$later $arg"
-	  continue
-	  ;;
+# func_ltwrapper_executable_p file
+# True iff FILE is a libtool wrapper executable
+# This function is only a basic sanity check; it will hardly flush out
+# determined imposters.
+func_ltwrapper_executable_p ()
+{
+    func_ltwrapper_exec_suffix=
+    case $1 in
+    *.exe) ;;
+    *) func_ltwrapper_exec_suffix=.exe ;;
+    esac
+    $GREP "$magic_exe" "$1$func_ltwrapper_exec_suffix" >/dev/null 2>&1
+}
+
+# func_ltwrapper_scriptname file
+# Assumes file is an ltwrapper_executable
+# uses $file to determine the appropriate filename for a
+# temporary ltwrapper_script.
+func_ltwrapper_scriptname ()
+{
+    func_ltwrapper_scriptname_result=""
+    if func_ltwrapper_executable_p "$1"; then
+	func_dirname_and_basename "$1" "" "."
+	func_stripname '' '.exe' "$func_basename_result"
+	func_ltwrapper_scriptname_result="$func_dirname_result/$objdir/${func_stripname_result}_ltshwrapper"
+    fi
+}
+
+# func_ltwrapper_p file
+# True iff FILE is a libtool wrapper script or wrapper executable
+# This function is only a basic sanity check; it will hardly flush out
+# determined imposters.
+func_ltwrapper_p ()
+{
+    func_ltwrapper_script_p "$1" || func_ltwrapper_executable_p "$1"
+}
+
+
+# func_execute_cmds commands fail_cmd
+# Execute tilde-delimited COMMANDS.
+# If FAIL_CMD is given, eval that upon failure.
+# FAIL_CMD may read-access the current command in variable CMD!
+func_execute_cmds ()
+{
+    $opt_debug
+    save_ifs=$IFS; IFS='~'
+    for cmd in $1; do
+      IFS=$save_ifs
+      eval cmd=\"$cmd\"
+      func_show_eval "$cmd" "${2-:}"
+    done
+    IFS=$save_ifs
+}
+
+
+# func_source file
+# Source FILE, adding directory component if necessary.
+# Note that it is not necessary on cygwin/mingw to append a dot to
+# FILE even if both FILE and FILE.exe exist: automatic-append-.exe
+# behavior happens only for exec(3), not for open(2)!  Also, sourcing
+# `FILE.' does not work on cygwin managed mounts.
+func_source ()
+{
+    $opt_debug
+    case $1 in
+    */* | *\\*)	. "$1" ;;
+    *)		. "./$1" ;;
+    esac
+}
+
+
+# func_infer_tag arg
+# Infer tagged configuration to use if any are available and
+# if one wasn't chosen via the "--tag" command line option.
+# Only attempt this if the compiler in the base compile
+# command doesn't match the default compiler.
+# arg is usually of the form 'gcc ...'
+func_infer_tag ()
+{
+    $opt_debug
+    if test -n "$available_tags" && test -z "$tagname"; then
+      CC_quoted=
+      for arg in $CC; do
+        func_quote_for_eval "$arg"
+	CC_quoted="$CC_quoted $func_quote_for_eval_result"
+      done
+      case $@ in
+      # Blanks in the command may have been stripped by the calling shell,
+      # but not from the CC environment variable when configure was run.
+      " $CC "* | "$CC "* | " `$ECHO $CC` "* | "`$ECHO $CC` "* | " $CC_quoted"* | "$CC_quoted "* | " `$ECHO $CC_quoted` "* | "`$ECHO $CC_quoted` "*) ;;
+      # Blanks at the start of $base_compile will cause this to fail
+      # if we don't check for them as well.
+      *)
+	for z in $available_tags; do
+	  if $GREP "^# ### BEGIN LIBTOOL TAG CONFIG: $z$" < "$progpath" > /dev/null; then
+	    # Evaluate the configuration.
+	    eval "`${SED} -n -e '/^# ### BEGIN LIBTOOL TAG CONFIG: '$z'$/,/^# ### END LIBTOOL TAG CONFIG: '$z'$/p' < $progpath`"
+	    CC_quoted=
+	    for arg in $CC; do
+	      # Double-quote args containing other shell metacharacters.
+	      func_quote_for_eval "$arg"
+	      CC_quoted="$CC_quoted $func_quote_for_eval_result"
+	    done
+	    case "$@ " in
+	      " $CC "* | "$CC "* | " `$ECHO $CC` "* | "`$ECHO $CC` "* | " $CC_quoted"* | "$CC_quoted "* | " `$ECHO $CC_quoted` "* | "`$ECHO $CC_quoted` "*)
+	      # The compiler in the base compile command matches
+	      # the one in the tagged configuration.
+	      # Assume this is the tagged configuration we want.
+	      tagname=$z
+	      break
+	      ;;
+	    esac
+	  fi
+	done
+	# If $tagname still isn't set, then no tagged configuration
+	# was found and let the user know that the "--tag" command
+	# line option must be used.
+	if test -z "$tagname"; then
+	  func_echo "unable to infer tagged configuration"
+	  func_fatal_error "specify a tag with \`--tag'"
+#	else
+#	  func_verbose "using $tagname tagged configuration"
+	fi
+	;;
+      esac
+    fi
+}
+
+
+
+# func_write_libtool_object output_name pic_name nonpic_name
+# Create a libtool object file (analogous to a ".la" file),
+# but don't create it if we're doing a dry run.
+func_write_libtool_object ()
+{
+    write_libobj=${1}
+    if test "$build_libtool_libs" = yes; then
+      write_lobj=\'${2}\'
+    else
+      write_lobj=none
+    fi
+
+    if test "$build_old_libs" = yes; then
+      write_oldobj=\'${3}\'
+    else
+      write_oldobj=none
+    fi
+
+    $opt_dry_run || {
+      cat >${write_libobj}T <<EOF
+# $write_libobj - a libtool object file
+# Generated by $PROGRAM (GNU $PACKAGE$TIMESTAMP) $VERSION
+#
+# Please DO NOT delete this file!
+# It is necessary for linking the library.
+
+# Name of the PIC object.
+pic_object=$write_lobj
+
+# Name of the non-PIC object
+non_pic_object=$write_oldobj
+
+EOF
+      $MV "${write_libobj}T" "${write_libobj}"
+    }
+}
+
+# func_mode_compile arg...
+func_mode_compile ()
+{
+    $opt_debug
+    # Get the compilation command and the source file.
+    base_compile=
+    srcfile="$nonopt"  #  always keep a non-empty value in "srcfile"
+    suppress_opt=yes
+    suppress_output=
+    arg_mode=normal
+    libobj=
+    later=
+    pie_flag=
+
+    for arg
+    do
+      case $arg_mode in
+      arg  )
+	# do not "continue".  Instead, add this to base_compile
+	lastarg="$arg"
+	arg_mode=normal
+	;;
+
+      target )
+	libobj="$arg"
+	arg_mode=normal
+	continue
+	;;
+
+      normal )
+	# Accept any command-line options.
+	case $arg in
+	-o)
+	  test -n "$libobj" && \
+	    func_fatal_error "you cannot specify \`-o' more than once"
+	  arg_mode=target
+	  continue
+	  ;;
+
+	-pie | -fpie | -fPIE)
+          pie_flag="$pie_flag $arg"
+	  continue
+	  ;;
+
+	-shared | -static | -prefer-pic | -prefer-non-pic)
+	  later="$later $arg"
+	  continue
+	  ;;
 
 	-no-suppress)
 	  suppress_opt=no
@@ -708,31 +1156,25 @@ if test -z "$show_help"; then
 	  ;;            #  replaced later.  I would guess that would be a bug.
 
 	-Wc,*)
-	  args=`$echo "X$arg" | $Xsed -e "s/^-Wc,//"`
+	  func_stripname '-Wc,' '' "$arg"
+	  args=$func_stripname_result
 	  lastarg=
 	  save_ifs="$IFS"; IFS=','
- 	  for arg in $args; do
+	  for arg in $args; do
 	    IFS="$save_ifs"
-
-	    # Double-quote args containing other shell metacharacters.
-	    # Many Bourne shells cannot handle close brackets correctly
-	    # in scan sets, so we specify it separately.
-	    case $arg in
-	      *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*|"")
-	      arg="\"$arg\""
-	      ;;
-	    esac
-	    lastarg="$lastarg $arg"
+	    func_quote_for_eval "$arg"
+	    lastarg="$lastarg $func_quote_for_eval_result"
 	  done
 	  IFS="$save_ifs"
-	  lastarg=`$echo "X$lastarg" | $Xsed -e "s/^ //"`
+	  func_stripname ' ' '' "$lastarg"
+	  lastarg=$func_stripname_result
 
 	  # Add the arguments to base_compile.
 	  base_compile="$base_compile $lastarg"
 	  continue
 	  ;;
 
-	* )
+	*)
 	  # Accept the current argument as the source file.
 	  # The previous "srcfile" becomes the current argument.
 	  #
@@ -744,66 +1186,42 @@ if test -z "$show_help"; then
       esac    #  case $arg_mode
 
       # Aesthetically quote the previous argument.
-      lastarg=`$echo "X$lastarg" | $Xsed -e "$sed_quote_subst"`
-
-      case $lastarg in
-      # Double-quote args containing other shell metacharacters.
-      # Many Bourne shells cannot handle close brackets correctly
-      # in scan sets, and some SunOS ksh mistreat backslash-escaping
-      # in scan sets (worked around with variable expansion),
-      # and furthermore cannot handle '|' '&' '(' ')' in scan sets 
-      # at all, so we specify them separately.
-      *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*|"")
-	lastarg="\"$lastarg\""
-	;;
-      esac
-
-      base_compile="$base_compile $lastarg"
+      func_quote_for_eval "$lastarg"
+      base_compile="$base_compile $func_quote_for_eval_result"
     done # for arg
 
     case $arg_mode in
     arg)
-      $echo "$modename: you must specify an argument for -Xcompile"
-      exit $EXIT_FAILURE
+      func_fatal_error "you must specify an argument for -Xcompile"
       ;;
     target)
-      $echo "$modename: you must specify a target with \`-o'" 1>&2
-      exit $EXIT_FAILURE
+      func_fatal_error "you must specify a target with \`-o'"
       ;;
     *)
       # Get the name of the library object.
-      [ -z "$libobj" ] && libobj=`$echo "X$srcfile" | $Xsed -e 's%^.*/%%'`
+      test -z "$libobj" && {
+	func_basename "$srcfile"
+	libobj="$func_basename_result"
+      }
       ;;
     esac
 
     # Recognize several different file suffixes.
     # If the user specifies -o file.o, it is replaced with file.lo
-    xform='[cCFSifmso]'
     case $libobj in
-    *.ada) xform=ada ;;
-    *.adb) xform=adb ;;
-    *.ads) xform=ads ;;
-    *.asm) xform=asm ;;
-    *.c++) xform=c++ ;;
-    *.cc) xform=cc ;;
-    *.ii) xform=ii ;;
-    *.class) xform=class ;;
-    *.cpp) xform=cpp ;;
-    *.cxx) xform=cxx ;;
-    *.[fF][09]?) xform=[fF][09]. ;;
-    *.for) xform=for ;;
-    *.java) xform=java ;;
-    *.obj) xform=obj ;;
-    *.sx) xform=sx ;;
+    *.[cCFSifmso] | \
+    *.ada | *.adb | *.ads | *.asm | \
+    *.c++ | *.cc | *.ii | *.class | *.cpp | *.cxx | \
+    *.[fF][09]? | *.for | *.java | *.obj | *.sx)
+      func_xform "$libobj"
+      libobj=$func_xform_result
+      ;;
     esac
 
-    libobj=`$echo "X$libobj" | $Xsed -e "s/\.$xform$/.lo/"`
-
     case $libobj in
-    *.lo) obj=`$echo "X$libobj" | $Xsed -e "$lo2o"` ;;
+    *.lo) func_lo2o "$libobj"; obj=$func_lo2o_result ;;
     *)
-      $echo "$modename: cannot determine name of library object from \`$libobj'" 1>&2
-      exit $EXIT_FAILURE
+      func_fatal_error "cannot determine name of library object from \`$libobj'"
       ;;
     esac
 
@@ -811,7 +1229,15 @@ if test -z "$show_help"; then
 
     for arg in $later; do
       case $arg in
+      -shared)
+	test "$build_libtool_libs" != yes && \
+	  func_fatal_configuration "can not build a shared library"
+	build_old_libs=no
+	continue
+	;;
+
       -static)
+	build_libtool_libs=no
 	build_old_libs=yes
 	continue
 	;;
@@ -828,28 +1254,17 @@ if test -z "$show_help"; then
       esac
     done
 
-    qlibobj=`$echo "X$libobj" | $Xsed -e "$sed_quote_subst"`
-    case $qlibobj in
-      *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*|"")
-	qlibobj="\"$qlibobj\"" ;;
-    esac
-    test "X$libobj" != "X$qlibobj" \
-	&& $echo "X$libobj" | grep '[]~#^*{};<>?"'"'"' 	&()|`$[]' \
-	&& $echo "$modename: libobj name \`$libobj' may not contain shell special characters."
-    objname=`$echo "X$obj" | $Xsed -e 's%^.*/%%'`
-    xdir=`$echo "X$obj" | $Xsed -e 's%/[^/]*$%%'`
-    if test "X$xdir" = "X$obj"; then
-      xdir=
-    else
-      xdir=$xdir/
-    fi
+    func_quote_for_eval "$libobj"
+    test "X$libobj" != "X$func_quote_for_eval_result" \
+      && $ECHO "X$libobj" | $GREP '[]~#^*{};<>?"'"'"'	 &()|`$[]' \
+      && func_warning "libobj name \`$libobj' may not contain shell special characters."
+    func_dirname_and_basename "$obj" "/" ""
+    objname="$func_basename_result"
+    xdir="$func_dirname_result"
     lobj=${xdir}$objdir/$objname
 
-    if test -z "$base_compile"; then
-      $echo "$modename: you must specify a compilation command" 1>&2
-      $echo "$help" 1>&2
-      exit $EXIT_FAILURE
-    fi
+    test -z "$base_compile" && \
+      func_fatal_help "you must specify a compilation command"
 
     # Delete any leftover library objects.
     if test "$build_old_libs" = yes; then
@@ -858,9 +1273,6 @@ if test -z "$show_help"; then
       removelist="$lobj $libobj ${libobj}T"
     fi
 
-    $run $rm $removelist
-    trap "$run $rm $removelist; exit $EXIT_FAILURE" 1 2 15
-
     # On Cygwin there's no "real" PIC flag so we must build both object types
     case $host_os in
     cygwin* | mingw* | pw32* | os2*)
@@ -875,10 +1287,8 @@ if test -z "$show_help"; then
     # Calculate the filename of the output object if compiler does
     # not support -o with -c
     if test "$compiler_c_o" = no; then
-      output_obj=`$echo "X$srcfile" | $Xsed -e 's%^.*/%%' -e 's%\.[^.]*$%%'`.${objext}
+      output_obj=`$ECHO "X$srcfile" | $Xsed -e 's%^.*/%%' -e 's%\.[^.]*$%%'`.${objext}
       lockfile="$output_obj.lock"
-      removelist="$removelist $output_obj $lockfile"
-      trap "$run $rm $removelist; exit $EXIT_FAILURE" 1 2 15
     else
       output_obj=
       need_locks=no
@@ -888,13 +1298,13 @@ if test -z "$show_help"; then
     # Lock this critical section if it is needed
     # We use this script file to make the link, it avoids creating a new file
     if test "$need_locks" = yes; then
-      until $run ln "$progpath" "$lockfile" 2>/dev/null; do
-	$show "Waiting for $lockfile to be removed"
+      until $opt_dry_run || ln "$progpath" "$lockfile" 2>/dev/null; do
+	func_echo "Waiting for $lockfile to be removed"
 	sleep 2
       done
     elif test "$need_locks" = warn; then
       if test -f "$lockfile"; then
-	$echo "\
+	$ECHO "\
 *** ERROR, $lockfile exists and contains:
 `cat $lockfile 2>/dev/null`
 
@@ -905,34 +1315,22 @@ repeat this compilation, it may succeed, by chance, but you had better
 avoid parallel builds (make -j) in this platform, or get a better
 compiler."
 
-	$run $rm $removelist
+	$opt_dry_run || $RM $removelist
 	exit $EXIT_FAILURE
       fi
-      $echo "$srcfile" > "$lockfile"
+      removelist="$removelist $output_obj"
+      $ECHO "$srcfile" > "$lockfile"
     fi
 
+    $opt_dry_run || $RM $removelist
+    removelist="$removelist $lockfile"
+    trap '$opt_dry_run || $RM $removelist; exit $EXIT_FAILURE' 1 2 15
+
     if test -n "$fix_srcfile_path"; then
       eval srcfile=\"$fix_srcfile_path\"
     fi
-    qsrcfile=`$echo "X$srcfile" | $Xsed -e "$sed_quote_subst"`
-    case $qsrcfile in
-      *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*|"")
-      qsrcfile="\"$qsrcfile\"" ;;
-    esac
-
-    $run $rm "$libobj" "${libobj}T"
-
-    # Create a libtool object file (analogous to a ".la" file),
-    # but don't create it if we're doing a dry run.
-    test -z "$run" && cat > ${libobj}T <<EOF
-# $libobj - a libtool object file
-# Generated by $PROGRAM - GNU $PACKAGE $VERSION$TIMESTAMP
-#
-# Please DO NOT delete this file!
-# It is necessary for linking the library.
-
-# Name of the PIC object.
-EOF
+    func_quote_for_eval "$srcfile"
+    qsrcfile=$func_quote_for_eval_result
 
     # Only build a PIC object if we are building libtool libraries.
     if test "$build_libtool_libs" = yes; then
@@ -946,32 +1344,19 @@ EOF
 	command="$base_compile $qsrcfile"
       fi
 
-      if test ! -d "${xdir}$objdir"; then
-	$show "$mkdir ${xdir}$objdir"
-	$run $mkdir ${xdir}$objdir
-	exit_status=$?
-	if test "$exit_status" -ne 0 && test ! -d "${xdir}$objdir"; then
-	  exit $exit_status
-	fi
-      fi
+      func_mkdir_p "$xdir$objdir"
 
       if test -z "$output_obj"; then
 	# Place PIC objects in $objdir
 	command="$command -o $lobj"
       fi
 
-      $run $rm "$lobj" "$output_obj"
-
-      $show "$command"
-      if $run eval $lt_env "$command"; then :
-      else
-	test -n "$output_obj" && $run $rm $removelist
-	exit $EXIT_FAILURE
-      fi
+      func_show_eval_locale "$command"	\
+          'test -n "$output_obj" && $RM $removelist; exit $EXIT_FAILURE'
 
       if test "$need_locks" = warn &&
 	 test "X`cat $lockfile 2>/dev/null`" != "X$srcfile"; then
-	$echo "\
+	$ECHO "\
 *** ERROR, $lockfile contains:
 `cat $lockfile 2>/dev/null`
 
@@ -985,45 +1370,27 @@ repeat this compilation, it may succeed, by chance, but you had better
 avoid parallel builds (make -j) in this platform, or get a better
 compiler."
 
-	$run $rm $removelist
+	$opt_dry_run || $RM $removelist
 	exit $EXIT_FAILURE
       fi
 
       # Just move the object if needed, then go on to compile the next one
       if test -n "$output_obj" && test "X$output_obj" != "X$lobj"; then
-	$show "$mv $output_obj $lobj"
-	if $run $mv $output_obj $lobj; then :
-	else
-	  error=$?
-	  $run $rm $removelist
-	  exit $error
-	fi
+	func_show_eval '$MV "$output_obj" "$lobj"' \
+	  'error=$?; $opt_dry_run || $RM $removelist; exit $error'
       fi
 
-      # Append the name of the PIC object to the libtool object file.
-      test -z "$run" && cat >> ${libobj}T <<EOF
-pic_object='$objdir/$objname'
-
-EOF
-
       # Allow error messages only from the first compilation.
       if test "$suppress_opt" = yes; then
-        suppress_output=' >/dev/null 2>&1'
+	suppress_output=' >/dev/null 2>&1'
       fi
-    else
-      # No PIC object so indicate it doesn't exist in the libtool
-      # object file.
-      test -z "$run" && cat >> ${libobj}T <<EOF
-pic_object=none
-
-EOF
     fi
 
     # Only build a position-dependent object if we build old libraries.
     if test "$build_old_libs" = yes; then
       if test "$pic_mode" != yes; then
 	# Don't build PIC code
-	command="$base_compile $qsrcfile"
+	command="$base_compile $qsrcfile$pie_flag"
       else
 	command="$base_compile $qsrcfile $pic_flag"
       fi
@@ -1033,17 +1400,12 @@ EOF
 
       # Suppress compiler output if we already did a PIC compilation.
       command="$command$suppress_output"
-      $run $rm "$obj" "$output_obj"
-      $show "$command"
-      if $run eval $lt_env "$command"; then :
-      else
-	$run $rm $removelist
-	exit $EXIT_FAILURE
-      fi
+      func_show_eval_locale "$command" \
+        '$opt_dry_run || $RM $removelist; exit $EXIT_FAILURE'
 
       if test "$need_locks" = warn &&
 	 test "X`cat $lockfile 2>/dev/null`" != "X$srcfile"; then
-	$echo "\
+	$ECHO "\
 *** ERROR, $lockfile contains:
 `cat $lockfile 2>/dev/null`
 
@@ -1057,3460 +1419,2569 @@ repeat this compilation, it may succeed, by chance, but you had better
 avoid parallel builds (make -j) in this platform, or get a better
 compiler."
 
-	$run $rm $removelist
+	$opt_dry_run || $RM $removelist
 	exit $EXIT_FAILURE
       fi
 
       # Just move the object if needed
       if test -n "$output_obj" && test "X$output_obj" != "X$obj"; then
-	$show "$mv $output_obj $obj"
-	if $run $mv $output_obj $obj; then :
-	else
-	  error=$?
-	  $run $rm $removelist
-	  exit $error
-	fi
+	func_show_eval '$MV "$output_obj" "$obj"' \
+	  'error=$?; $opt_dry_run || $RM $removelist; exit $error'
       fi
-
-      # Append the name of the non-PIC object the libtool object file.
-      # Only append if the libtool object file exists.
-      test -z "$run" && cat >> ${libobj}T <<EOF
-# Name of the non-PIC object.
-non_pic_object='$objname'
-
-EOF
-    else
-      # Append the name of the non-PIC object the libtool object file.
-      # Only append if the libtool object file exists.
-      test -z "$run" && cat >> ${libobj}T <<EOF
-# Name of the non-PIC object.
-non_pic_object=none
-
-EOF
     fi
 
-    $run $mv "${libobj}T" "${libobj}"
+    $opt_dry_run || {
+      func_write_libtool_object "$libobj" "$objdir/$objname" "$objname"
 
-    # Unlock the critical section if it was locked
-    if test "$need_locks" != no; then
-      $run $rm "$lockfile"
-    fi
+      # Unlock the critical section if it was locked
+      if test "$need_locks" != no; then
+	removelist=$lockfile
+        $RM "$lockfile"
+      fi
+    }
 
     exit $EXIT_SUCCESS
-    ;;
-
-  # libtool link mode
-  link | relink)
-    modename="$modename: link"
-    case $host in
-    *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2*)
-      # It is impossible to link a dll without this setting, and
-      # we shouldn't force the makefile maintainer to figure out
-      # which system we are compiling for in order to pass an extra
-      # flag for every libtool invocation.
-      # allow_undefined=no
+}
 
-      # FIXME: Unfortunately, there are problems with the above when trying
-      # to make a dll which has undefined symbols, in which case not
-      # even a static library is built.  For now, we need to specify
-      # -no-undefined on the libtool link line when we can be certain
-      # that all symbols are satisfied, otherwise we get a static library.
-      allow_undefined=yes
-      ;;
-    *)
-      allow_undefined=yes
-      ;;
-    esac
-    libtool_args="$nonopt"
-    base_compile="$nonopt $@"
-    compile_command="$nonopt"
-    finalize_command="$nonopt"
+$opt_help || {
+test "$mode" = compile && func_mode_compile ${1+"$@"}
+}
 
-    compile_rpath=
-    finalize_rpath=
-    compile_shlibpath=
-    finalize_shlibpath=
-    convenience=
-    old_convenience=
-    deplibs=
-    old_deplibs=
-    compiler_flags=
-    linker_flags=
-    dllsearchpath=
-    lib_search_path=`pwd`
-    inst_prefix_dir=
+func_mode_help ()
+{
+    # We need to display help for each of the modes.
+    case $mode in
+      "")
+        # Generic help is extracted from the usage comments
+        # at the start of this file.
+        func_help
+        ;;
 
-    avoid_version=no
-    dlfiles=
-    dlprefiles=
-    dlself=no
-    export_dynamic=no
-    export_symbols=
-    export_symbols_regex=
-    generated=
-    libobjs=
-    ltlibs=
-    module=no
-    no_install=no
-    objs=
-    non_pic_objects=
-    notinst_path= # paths that contain not-installed libtool libraries
-    precious_files_regex=
-    prefer_static_libs=no
-    preload=no
-    prev=
-    prevarg=
-    release=
-    rpath=
-    xrpath=
-    perm_rpath=
-    temp_rpath=
-    thread_safe=no
-    vinfo=
-    vinfo_number=no
-    single_module="${wl}-single_module"
+      clean)
+        $ECHO \
+"Usage: $progname [OPTION]... --mode=clean RM [RM-OPTION]... FILE...
 
-    func_infer_tag $base_compile
+Remove files from the build directory.
 
-    # We need to know -static, to get the right output filenames.
-    for arg
-    do
-      case $arg in
-      -all-static | -static | -static-libtool-libs)
-	case $arg in
-	-all-static)
-	  if test "$build_libtool_libs" = yes && test -z "$link_static_flag"; then
-	    $echo "$modename: warning: complete static linking is impossible in this configuration" 1>&2
-	  fi
-	  if test -n "$link_static_flag"; then
-	    dlopen_self=$dlopen_self_static
-	  fi
-	  prefer_static_libs=yes
-	  ;;
-	-static)
-	  if test -z "$pic_flag" && test -n "$link_static_flag"; then
-	    dlopen_self=$dlopen_self_static
-	  fi
-	  prefer_static_libs=built
-	  ;;
-	-static-libtool-libs)
-	  if test -z "$pic_flag" && test -n "$link_static_flag"; then
-	    dlopen_self=$dlopen_self_static
-	  fi
-	  prefer_static_libs=yes
-	  ;;
-	esac
-	build_libtool_libs=no
-	build_old_libs=yes
-	break
-	;;
-      esac
-    done
+RM is the name of the program to use to delete files associated with each FILE
+(typically \`/bin/rm').  RM-OPTIONS are options (such as \`-f') to be passed
+to RM.
 
-    # See if our shared archives depend on static archives.
-    test -n "$old_archive_from_new_cmds" && build_old_libs=yes
+If FILE is a libtool library, object or program, all the files associated
+with it are deleted. Otherwise, only FILE itself is deleted using RM."
+        ;;
 
-    # Go through the arguments, transforming them on the way.
-    while test "$#" -gt 0; do
-      arg="$1"
-      shift
-      case $arg in
-      *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*|"")
-	qarg=\"`$echo "X$arg" | $Xsed -e "$sed_quote_subst"`\" ### testsuite: skip nested quoting test
-	;;
-      *) qarg=$arg ;;
-      esac
-      libtool_args="$libtool_args $qarg"
+      compile)
+      $ECHO \
+"Usage: $progname [OPTION]... --mode=compile COMPILE-COMMAND... SOURCEFILE
 
-      # If the previous option needs an argument, assign it.
-      if test -n "$prev"; then
-	case $prev in
-	output)
-	  compile_command="$compile_command @OUTPUT@"
-	  finalize_command="$finalize_command @OUTPUT@"
-	  ;;
-	esac
+Compile a source file into a libtool library object.
 
-	case $prev in
-	dlfiles|dlprefiles)
-	  if test "$preload" = no; then
-	    # Add the symbol object into the linking commands.
-	    compile_command="$compile_command @SYMFILE@"
-	    finalize_command="$finalize_command @SYMFILE@"
-	    preload=yes
-	  fi
-	  case $arg in
-	  *.la | *.lo) ;;  # We handle these cases below.
-	  force)
-	    if test "$dlself" = no; then
-	      dlself=needless
-	      export_dynamic=yes
-	    fi
-	    prev=
-	    continue
-	    ;;
-	  self)
-	    if test "$prev" = dlprefiles; then
-	      dlself=yes
-	    elif test "$prev" = dlfiles && test "$dlopen_self" != yes; then
-	      dlself=yes
-	    else
-	      dlself=needless
-	      export_dynamic=yes
-	    fi
-	    prev=
-	    continue
-	    ;;
-	  *)
-	    if test "$prev" = dlfiles; then
-	      dlfiles="$dlfiles $arg"
-	    else
-	      dlprefiles="$dlprefiles $arg"
-	    fi
-	    prev=
-	    continue
-	    ;;
-	  esac
-	  ;;
-	expsyms)
-	  export_symbols="$arg"
-	  if test ! -f "$arg"; then
-	    $echo "$modename: symbol file \`$arg' does not exist"
-	    exit $EXIT_FAILURE
-	  fi
-	  prev=
-	  continue
-	  ;;
-	expsyms_regex)
-	  export_symbols_regex="$arg"
-	  prev=
-	  continue
-	  ;;
-	inst_prefix)
-	  inst_prefix_dir="$arg"
-	  prev=
-	  continue
-	  ;;
-	precious_regex)
-	  precious_files_regex="$arg"
-	  prev=
-	  continue
-	  ;;
-	release)
-	  release="-$arg"
-	  prev=
-	  continue
-	  ;;
-	objectlist)
-	  if test -f "$arg"; then
-	    save_arg=$arg
-	    moreargs=
-	    for fil in `cat $save_arg`
-	    do
-#	      moreargs="$moreargs $fil"
-	      arg=$fil
-	      # A libtool-controlled object.
+This mode accepts the following additional options:
 
-	      # Check to see that this really is a libtool object.
-	      if (${SED} -e '2q' $arg | grep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then
-		pic_object=
-		non_pic_object=
+  -o OUTPUT-FILE    set the output file name to OUTPUT-FILE
+  -no-suppress      do not suppress compiler output for multiple passes
+  -prefer-pic       try to building PIC objects only
+  -prefer-non-pic   try to building non-PIC objects only
+  -shared           do not build a \`.o' file suitable for static linking
+  -static           only build a \`.o' file suitable for static linking
 
-		# Read the .lo file
-		# If there is no directory component, then add one.
-		case $arg in
-		*/* | *\\*) . $arg ;;
-		*) . ./$arg ;;
-		esac
+COMPILE-COMMAND is a command to be used in creating a \`standard' object file
+from the given SOURCEFILE.
 
-		if test -z "$pic_object" || \
-		   test -z "$non_pic_object" ||
-		   test "$pic_object" = none && \
-		   test "$non_pic_object" = none; then
-		  $echo "$modename: cannot find name of object for \`$arg'" 1>&2
-		  exit $EXIT_FAILURE
-		fi
+The output file name is determined by removing the directory component from
+SOURCEFILE, then substituting the C source code suffix \`.c' with the
+library object suffix, \`.lo'."
+        ;;
 
-		# Extract subdirectory from the argument.
-		xdir=`$echo "X$arg" | $Xsed -e 's%/[^/]*$%%'`
-		if test "X$xdir" = "X$arg"; then
-		  xdir=
-		else
-		  xdir="$xdir/"
-		fi
+      execute)
+        $ECHO \
+"Usage: $progname [OPTION]... --mode=execute COMMAND [ARGS]...
 
-		if test "$pic_object" != none; then
-		  # Prepend the subdirectory the object is found in.
-		  pic_object="$xdir$pic_object"
+Automatically set library path, then run a program.
 
-		  if test "$prev" = dlfiles; then
-		    if test "$build_libtool_libs" = yes && test "$dlopen_support" = yes; then
-		      dlfiles="$dlfiles $pic_object"
-		      prev=
-		      continue
-		    else
-		      # If libtool objects are unsupported, then we need to preload.
-		      prev=dlprefiles
-		    fi
-		  fi
+This mode accepts the following additional options:
 
-		  # CHECK ME:  I think I busted this.  -Ossama
-		  if test "$prev" = dlprefiles; then
-		    # Preload the old-style object.
-		    dlprefiles="$dlprefiles $pic_object"
-		    prev=
-		  fi
+  -dlopen FILE      add the directory containing FILE to the library path
 
-		  # A PIC object.
-		  libobjs="$libobjs $pic_object"
-		  arg="$pic_object"
-		fi
+This mode sets the library path environment variable according to \`-dlopen'
+flags.
 
-		# Non-PIC object.
-		if test "$non_pic_object" != none; then
-		  # Prepend the subdirectory the object is found in.
-		  non_pic_object="$xdir$non_pic_object"
+If any of the ARGS are libtool executable wrappers, then they are translated
+into their corresponding uninstalled binary, and any of their required library
+directories are added to the library path.
 
-		  # A standard non-PIC object
-		  non_pic_objects="$non_pic_objects $non_pic_object"
-		  if test -z "$pic_object" || test "$pic_object" = none ; then
-		    arg="$non_pic_object"
-		  fi
-		else
-		  # If the PIC object exists, use it instead.
-		  # $xdir was prepended to $pic_object above.
-		  non_pic_object="$pic_object"
-		  non_pic_objects="$non_pic_objects $non_pic_object"
-		fi
-	      else
-		# Only an error if not doing a dry-run.
-		if test -z "$run"; then
-		  $echo "$modename: \`$arg' is not a valid libtool object" 1>&2
-		  exit $EXIT_FAILURE
-		else
-		  # Dry-run case.
+Then, COMMAND is executed, with ARGS as arguments."
+        ;;
 
-		  # Extract subdirectory from the argument.
-		  xdir=`$echo "X$arg" | $Xsed -e 's%/[^/]*$%%'`
-		  if test "X$xdir" = "X$arg"; then
-		    xdir=
-		  else
-		    xdir="$xdir/"
-		  fi
+      finish)
+        $ECHO \
+"Usage: $progname [OPTION]... --mode=finish [LIBDIR]...
 
-		  pic_object=`$echo "X${xdir}${objdir}/${arg}" | $Xsed -e "$lo2o"`
-		  non_pic_object=`$echo "X${xdir}${arg}" | $Xsed -e "$lo2o"`
-		  libobjs="$libobjs $pic_object"
-		  non_pic_objects="$non_pic_objects $non_pic_object"
-		fi
-	      fi
-	    done
-	  else
-	    $echo "$modename: link input file \`$save_arg' does not exist"
-	    exit $EXIT_FAILURE
-	  fi
-	  arg=$save_arg
-	  prev=
-	  continue
-	  ;;
-	rpath | xrpath)
-	  # We need an absolute path.
-	  case $arg in
-	  [\\/]* | [A-Za-z]:[\\/]*) ;;
-	  *)
-	    $echo "$modename: only absolute run-paths are allowed" 1>&2
-	    exit $EXIT_FAILURE
-	    ;;
-	  esac
-	  if test "$prev" = rpath; then
-	    case "$rpath " in
-	    *" $arg "*) ;;
-	    *) rpath="$rpath $arg" ;;
-	    esac
-	  else
-	    case "$xrpath " in
-	    *" $arg "*) ;;
-	    *) xrpath="$xrpath $arg" ;;
-	    esac
-	  fi
-	  prev=
-	  continue
-	  ;;
-	xcompiler)
-	  compiler_flags="$compiler_flags $qarg"
-	  prev=
-	  compile_command="$compile_command $qarg"
-	  finalize_command="$finalize_command $qarg"
-	  continue
-	  ;;
-	xlinker)
-	  linker_flags="$linker_flags $qarg"
-	  compiler_flags="$compiler_flags $wl$qarg"
-	  prev=
-	  compile_command="$compile_command $wl$qarg"
-	  finalize_command="$finalize_command $wl$qarg"
-	  continue
-	  ;;
-	xcclinker)
-	  linker_flags="$linker_flags $qarg"
-	  compiler_flags="$compiler_flags $qarg"
-	  prev=
-	  compile_command="$compile_command $qarg"
-	  finalize_command="$finalize_command $qarg"
-	  continue
-	  ;;
-	shrext)
-  	  shrext_cmds="$arg"
-	  prev=
-	  continue
-	  ;;
-	darwin_framework|darwin_framework_skip)
-	  test "$prev" = "darwin_framework" && compiler_flags="$compiler_flags $arg"
-	  compile_command="$compile_command $arg"
-	  finalize_command="$finalize_command $arg"
-	  prev=
-	  continue
-	  ;;
-	*)
-	  eval "$prev=\"\$arg\""
-	  prev=
-	  continue
-	  ;;
-	esac
-      fi # test -n "$prev"
-
-      prevarg="$arg"
+Complete the installation of libtool libraries.
 
-      case $arg in
-      -all-static)
-	if test -n "$link_static_flag"; then
-	  compile_command="$compile_command $link_static_flag"
-	  finalize_command="$finalize_command $link_static_flag"
-	fi
-	continue
-	;;
+Each LIBDIR is a directory that contains libtool libraries.
 
-      -allow-undefined)
-	# FIXME: remove this flag sometime in the future.
-	$echo "$modename: \`-allow-undefined' is deprecated because it is the default" 1>&2
-	continue
-	;;
+The commands that this mode executes may require superuser privileges.  Use
+the \`--dry-run' option if you just want to see what would be executed."
+        ;;
 
-      -avoid-version)
-	avoid_version=yes
-	continue
-	;;
+      install)
+        $ECHO \
+"Usage: $progname [OPTION]... --mode=install INSTALL-COMMAND...
 
-      -dlopen)
-	prev=dlfiles
-	continue
-	;;
+Install executables or libraries.
 
-      -dlpreopen)
-	prev=dlprefiles
-	continue
-	;;
+INSTALL-COMMAND is the installation command.  The first component should be
+either the \`install' or \`cp' program.
 
-      -export-dynamic)
-	export_dynamic=yes
-	continue
-	;;
+The following components of INSTALL-COMMAND are treated specially:
 
-      -export-symbols | -export-symbols-regex)
-	if test -n "$export_symbols" || test -n "$export_symbols_regex"; then
-	  $echo "$modename: more than one -exported-symbols argument is not allowed"
-	  exit $EXIT_FAILURE
-	fi
-	if test "X$arg" = "X-export-symbols"; then
-	  prev=expsyms
-	else
-	  prev=expsyms_regex
-	fi
-	continue
-	;;
+  -inst-prefix PREFIX-DIR  Use PREFIX-DIR as a staging area for installation
 
-      -framework|-arch|-isysroot)
-	case " $CC " in
-	  *" ${arg} ${1} "* | *" ${arg}	${1} "*) 
-		prev=darwin_framework_skip ;;
-	  *) compiler_flags="$compiler_flags $arg"
-	     prev=darwin_framework ;;
-	esac
-	compile_command="$compile_command $arg"
-	finalize_command="$finalize_command $arg"
-	continue
-	;;
+The rest of the components are interpreted as arguments to that command (only
+BSD-compatible install options are recognized)."
+        ;;
 
-      -inst-prefix-dir)
-	prev=inst_prefix
-	continue
-	;;
+      link)
+        $ECHO \
+"Usage: $progname [OPTION]... --mode=link LINK-COMMAND...
 
-      # The native IRIX linker understands -LANG:*, -LIST:* and -LNO:*
-      # so, if we see these flags be careful not to treat them like -L
-      -L[A-Z][A-Z]*:*)
-	case $with_gcc/$host in
-	no/*-*-irix* | /*-*-irix*)
-	  compile_command="$compile_command $arg"
-	  finalize_command="$finalize_command $arg"
-	  ;;
-	esac
-	continue
-	;;
+Link object files or libraries together to form another library, or to
+create an executable program.
 
-      -L*)
-	dir=`$echo "X$arg" | $Xsed -e 's/^-L//'`
-	# We need an absolute path.
-	case $dir in
-	[\\/]* | [A-Za-z]:[\\/]*) ;;
-	*)
-	  absdir=`cd "$dir" && pwd`
-	  if test -z "$absdir"; then
-	    $echo "$modename: cannot determine absolute directory name of \`$dir'" 1>&2
-	    absdir="$dir"
-	    notinst_path="$notinst_path $dir"
-	  fi
-	  dir="$absdir"
-	  ;;
-	esac
-	case "$deplibs " in
-	*" -L$dir "*) ;;
-	*)
-	  deplibs="$deplibs -L$dir"
-	  lib_search_path="$lib_search_path $dir"
-	  ;;
-	esac
-	case $host in
-	*-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2*)
-	  testbindir=`$echo "X$dir" | $Xsed -e 's*/lib$*/bin*'`
-	  case :$dllsearchpath: in
-	  *":$dir:"*) ;;
-	  *) dllsearchpath="$dllsearchpath:$dir";;
-	  esac
-	  case :$dllsearchpath: in
-	  *":$testbindir:"*) ;;
-	  *) dllsearchpath="$dllsearchpath:$testbindir";;
-	  esac
-	  ;;
-	esac
-	continue
-	;;
+LINK-COMMAND is a command using the C compiler that you would use to create
+a program from several object files.
 
-      -l*)
-	if test "X$arg" = "X-lc" || test "X$arg" = "X-lm"; then
-	  case $host in
-	  *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-beos*)
-	    # These systems don't actually have a C or math library (as such)
-	    continue
-	    ;;
-	  *-*-os2*)
-	    # These systems don't actually have a C library (as such)
-	    test "X$arg" = "X-lc" && continue
-	    ;;
-	  *-*-openbsd* | *-*-freebsd* | *-*-dragonfly*)
-	    # Do not include libc due to us having libc/libc_r.
-	    test "X$arg" = "X-lc" && continue
-	    ;;
-	  *-*-rhapsody* | *-*-darwin1.[012])
-	    # Rhapsody C and math libraries are in the System framework
-	    deplibs="$deplibs -framework System"
-	    continue
-	    ;;
-	  *-*-sco3.2v5* | *-*-sco5v6*)
-	    # Causes problems with __ctype
-	    test "X$arg" = "X-lc" && continue
-	    ;;
-	  *-*-sysv4.2uw2* | *-*-sysv5* | *-*-unixware* | *-*-OpenUNIX*)
-	    # Compiler inserts libc in the correct place for threads to work
-	    test "X$arg" = "X-lc" && continue
-	    ;;
-	  esac
-	elif test "X$arg" = "X-lc_r"; then
-	 case $host in
-	 *-*-openbsd* | *-*-freebsd* | *-*-dragonfly*)
-	   # Do not include libc_r directly, use -pthread flag.
-	   continue
-	   ;;
-	 esac
-	fi
-	deplibs="$deplibs $arg"
-	continue
-	;;
+The following components of LINK-COMMAND are treated specially:
 
-      # Tru64 UNIX uses -model [arg] to determine the layout of C++
-      # classes, name mangling, and exception handling.
-      -model)
-	compile_command="$compile_command $arg"
-	compiler_flags="$compiler_flags $arg"
-	finalize_command="$finalize_command $arg"
-	prev=xcompiler
-	continue
-	;;
+  -all-static       do not do any dynamic linking at all
+  -avoid-version    do not add a version suffix if possible
+  -dlopen FILE      \`-dlpreopen' FILE if it cannot be dlopened at runtime
+  -dlpreopen FILE   link in FILE and add its symbols to lt_preloaded_symbols
+  -export-dynamic   allow symbols from OUTPUT-FILE to be resolved with dlsym(3)
+  -export-symbols SYMFILE
+                    try to export only the symbols listed in SYMFILE
+  -export-symbols-regex REGEX
+                    try to export only the symbols matching REGEX
+  -LLIBDIR          search LIBDIR for required installed libraries
+  -lNAME            OUTPUT-FILE requires the installed library libNAME
+  -module           build a library that can dlopened
+  -no-fast-install  disable the fast-install mode
+  -no-install       link a not-installable executable
+  -no-undefined     declare that a library does not refer to external symbols
+  -o OUTPUT-FILE    create OUTPUT-FILE from the specified objects
+  -objectlist FILE  Use a list of object files found in FILE to specify objects
+  -precious-files-regex REGEX
+                    don't remove output files matching REGEX
+  -release RELEASE  specify package release information
+  -rpath LIBDIR     the created library will eventually be installed in LIBDIR
+  -R[ ]LIBDIR       add LIBDIR to the runtime path of programs and libraries
+  -shared           only do dynamic linking of libtool libraries
+  -shrext SUFFIX    override the standard shared library file extension
+  -static           do not do any dynamic linking of uninstalled libtool libraries
+  -static-libtool-libs
+                    do not do any dynamic linking of libtool libraries
+  -version-info CURRENT[:REVISION[:AGE]]
+                    specify library version info [each variable defaults to 0]
+  -weak LIBNAME     declare that the target provides the LIBNAME interface
 
-     -mt|-mthreads|-kthread|-Kthread|-pthread|-pthreads|--thread-safe|-threads)
-	compiler_flags="$compiler_flags $arg"
-	compile_command="$compile_command $arg"
-	finalize_command="$finalize_command $arg"
-	continue
-	;;
+All other options (arguments beginning with \`-') are ignored.
 
-      -multi_module)
-	single_module="${wl}-multi_module"
-	continue
-	;;
+Every other argument is treated as a filename.  Files ending in \`.la' are
+treated as uninstalled libtool libraries, other files are standard or library
+object files.
 
-      -module)
-	module=yes
-	continue
-	;;
+If the OUTPUT-FILE ends in \`.la', then a libtool library is created,
+only library objects (\`.lo' files) may be specified, and \`-rpath' is
+required, except when creating a convenience library.
 
-      # -64, -mips[0-9] enable 64-bit mode on the SGI compiler
-      # -r[0-9][0-9]* specifies the processor on the SGI compiler
-      # -xarch=*, -xtarget=* enable 64-bit mode on the Sun compiler
-      # +DA*, +DD* enable 64-bit mode on the HP compiler
-      # -q* pass through compiler args for the IBM compiler
-      # -m* pass through architecture-specific compiler args for GCC
-      # -m*, -t[45]*, -txscale* pass through architecture-specific
-      # compiler args for GCC
-      # -p, -pg, --coverage, -fprofile-* pass through profiling flag for GCC
-      # -F/path gives path to uninstalled frameworks, gcc on darwin
-      # @file GCC response files
-      -64|-mips[0-9]|-r[0-9][0-9]*|-xarch=*|-xtarget=*|+DA*|+DD*|-q*|-m*| \
-      -t[45]*|-txscale*|-p|-pg|--coverage|-fprofile-*|-F*|@*)
+If OUTPUT-FILE ends in \`.a' or \`.lib', then a standard library is created
+using \`ar' and \`ranlib', or on Windows using \`lib'.
 
-	# Unknown arguments in both finalize_command and compile_command need
-	# to be aesthetically quoted because they are evaled later.
-	arg=`$echo "X$arg" | $Xsed -e "$sed_quote_subst"`
-	case $arg in
-	*[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*|"")
-	  arg="\"$arg\""
-	  ;;
-	esac
-        compile_command="$compile_command $arg"
-        finalize_command="$finalize_command $arg"
-        compiler_flags="$compiler_flags $arg"
-        continue
+If OUTPUT-FILE ends in \`.lo' or \`.${objext}', then a reloadable object file
+is created, otherwise an executable program is created."
         ;;
 
-      -shrext)
-	prev=shrext
-	continue
-	;;
-
-      -no-fast-install)
-	fast_install=no
-	continue
-	;;
+      uninstall)
+        $ECHO \
+"Usage: $progname [OPTION]... --mode=uninstall RM [RM-OPTION]... FILE...
 
-      -no-install)
-	case $host in
-	*-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2* | *-*-darwin*)
-	  # The PATH hackery in wrapper scripts is required on Windows
-	  # and Darwin in order for the loader to find any dlls it needs.
-	  $echo "$modename: warning: \`-no-install' is ignored for $host" 1>&2
-	  $echo "$modename: warning: assuming \`-no-fast-install' instead" 1>&2
-	  fast_install=no
-	  ;;
-	*) no_install=yes ;;
-	esac
-	continue
-	;;
+Remove libraries from an installation directory.
 
-      -no-undefined)
-	allow_undefined=no
-	continue
-	;;
+RM is the name of the program to use to delete files associated with each FILE
+(typically \`/bin/rm').  RM-OPTIONS are options (such as \`-f') to be passed
+to RM.
 
-      -objectlist)
-	prev=objectlist
-	continue
-	;;
+If FILE is a libtool library, all the files associated with it are deleted.
+Otherwise, only FILE itself is deleted using RM."
+        ;;
 
-      -o) prev=output ;;
+      *)
+        func_fatal_help "invalid operation mode \`$mode'"
+        ;;
+    esac
 
-      -precious-files-regex)
-	prev=precious_regex
-	continue
-	;;
+    $ECHO
+    $ECHO "Try \`$progname --help' for more information about other modes."
 
-      -release)
-	prev=release
-	continue
-	;;
+    exit $?
+}
 
-      -rpath)
-	prev=rpath
-	continue
-	;;
+  # Now that we've collected a possible --mode arg, show help if necessary
+  $opt_help && func_mode_help
 
-      -R)
-	prev=xrpath
-	continue
-	;;
 
-      -R*)
-	dir=`$echo "X$arg" | $Xsed -e 's/^-R//'`
-	# We need an absolute path.
-	case $dir in
-	[\\/]* | [A-Za-z]:[\\/]*) ;;
-	*)
-	  $echo "$modename: only absolute run-paths are allowed" 1>&2
-	  exit $EXIT_FAILURE
-	  ;;
-	esac
-	case "$xrpath " in
-	*" $dir "*) ;;
-	*) xrpath="$xrpath $dir" ;;
-	esac
-	continue
-	;;
+# func_mode_execute arg...
+func_mode_execute ()
+{
+    $opt_debug
+    # The first argument is the command name.
+    cmd="$nonopt"
+    test -z "$cmd" && \
+      func_fatal_help "you must specify a COMMAND"
 
-      -static | -static-libtool-libs)
-	# The effects of -static are defined in a previous loop.
-	# We used to do the same as -all-static on platforms that
-	# didn't have a PIC flag, but the assumption that the effects
-	# would be equivalent was wrong.  It would break on at least
-	# Digital Unix and AIX.
-	continue
-	;;
+    # Handle -dlopen flags immediately.
+    for file in $execute_dlfiles; do
+      test -f "$file" \
+	|| func_fatal_help "\`$file' is not a file"
 
-      -thread-safe)
-	thread_safe=yes
-	continue
-	;;
+      dir=
+      case $file in
+      *.la)
+	# Check to see that this really is a libtool archive.
+	func_lalib_unsafe_p "$file" \
+	  || func_fatal_help "\`$lib' is not a valid libtool archive"
 
-      -version-info)
-	prev=vinfo
-	continue
-	;;
-      -version-number)
-	prev=vinfo
-	vinfo_number=yes
-	continue
-	;;
+	# Read the libtool library.
+	dlname=
+	library_names=
+	func_source "$file"
 
-      -Wc,*)
-	args=`$echo "X$arg" | $Xsed -e "$sed_quote_subst" -e 's/^-Wc,//'`
-	arg=
-	save_ifs="$IFS"; IFS=','
-	for flag in $args; do
-	  IFS="$save_ifs"
-	  case $flag in
-	    *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*|"")
-	    flag="\"$flag\""
-	    ;;
-	  esac
-	  arg="$arg $wl$flag"
-	  compiler_flags="$compiler_flags $flag"
-	done
-	IFS="$save_ifs"
-	arg=`$echo "X$arg" | $Xsed -e "s/^ //"`
-	;;
+	# Skip this library if it cannot be dlopened.
+	if test -z "$dlname"; then
+	  # Warn if it was a shared library.
+	  test -n "$library_names" && \
+	    func_warning "\`$file' was not linked with \`-export-dynamic'"
+	  continue
+	fi
 
-      -Wl,*)
-	args=`$echo "X$arg" | $Xsed -e "$sed_quote_subst" -e 's/^-Wl,//'`
-	arg=
-	save_ifs="$IFS"; IFS=','
-	for flag in $args; do
-	  IFS="$save_ifs"
-	  case $flag in
-	    *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*|"")
-	    flag="\"$flag\""
-	    ;;
-	  esac
-	  arg="$arg $wl$flag"
-	  compiler_flags="$compiler_flags $wl$flag"
-	  linker_flags="$linker_flags $flag"
-	done
-	IFS="$save_ifs"
-	arg=`$echo "X$arg" | $Xsed -e "s/^ //"`
-	;;
+	func_dirname "$file" "" "."
+	dir="$func_dirname_result"
 
-      -Xcompiler)
-	prev=xcompiler
-	continue
+	if test -f "$dir/$objdir/$dlname"; then
+	  dir="$dir/$objdir"
+	else
+	  if test ! -f "$dir/$dlname"; then
+	    func_fatal_error "cannot find \`$dlname' in \`$dir' or \`$dir/$objdir'"
+	  fi
+	fi
 	;;
 
-      -Xlinker)
-	prev=xlinker
-	continue
+      *.lo)
+	# Just add the directory containing the .lo file.
+	func_dirname "$file" "" "."
+	dir="$func_dirname_result"
 	;;
 
-      -XCClinker)
-	prev=xcclinker
+      *)
+	func_warning "\`-dlopen' is ignored for non-libtool libraries and objects"
 	continue
 	;;
+      esac
 
-      # Some other compiler flag.
-      -* | +*)
-	# Unknown arguments in both finalize_command and compile_command need
-	# to be aesthetically quoted because they are evaled later.
-	arg=`$echo "X$arg" | $Xsed -e "$sed_quote_subst"`
-	case $arg in
-	*[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*|"")
-	  arg="\"$arg\""
-	  ;;
-	esac
-	;;
-
-      *.$objext)
-	# A standard object.
-	objs="$objs $arg"
-	;;
-
-      *.lo)
-	# A libtool-controlled object.
-
-	# Check to see that this really is a libtool object.
-	if (${SED} -e '2q' $arg | grep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then
-	  pic_object=
-	  non_pic_object=
+      # Get the absolute pathname.
+      absdir=`cd "$dir" && pwd`
+      test -n "$absdir" && dir="$absdir"
 
-	  # Read the .lo file
-	  # If there is no directory component, then add one.
-	  case $arg in
-	  */* | *\\*) . $arg ;;
-	  *) . ./$arg ;;
-	  esac
+      # Now add the directory to shlibpath_var.
+      if eval "test -z \"\$$shlibpath_var\""; then
+	eval "$shlibpath_var=\"\$dir\""
+      else
+	eval "$shlibpath_var=\"\$dir:\$$shlibpath_var\""
+      fi
+    done
 
-	  if test -z "$pic_object" || \
-	     test -z "$non_pic_object" ||
-	     test "$pic_object" = none && \
-	     test "$non_pic_object" = none; then
-	    $echo "$modename: cannot find name of object for \`$arg'" 1>&2
-	    exit $EXIT_FAILURE
-	  fi
+    # This variable tells wrapper scripts just to set shlibpath_var
+    # rather than running their programs.
+    libtool_execute_magic="$magic"
 
-	  # Extract subdirectory from the argument.
-	  xdir=`$echo "X$arg" | $Xsed -e 's%/[^/]*$%%'`
-	  if test "X$xdir" = "X$arg"; then
-	    xdir=
- 	  else
-	    xdir="$xdir/"
-	  fi
+    # Check if any of the arguments is a wrapper script.
+    args=
+    for file
+    do
+      case $file in
+      -*) ;;
+      *)
+	# Do a test to see if this is really a libtool program.
+	if func_ltwrapper_script_p "$file"; then
+	  func_source "$file"
+	  # Transform arg to wrapped name.
+	  file="$progdir/$program"
+	elif func_ltwrapper_executable_p "$file"; then
+	  func_ltwrapper_scriptname "$file"
+	  func_source "$func_ltwrapper_scriptname_result"
+	  # Transform arg to wrapped name.
+	  file="$progdir/$program"
+	fi
+	;;
+      esac
+      # Quote arguments (to preserve shell metacharacters).
+      func_quote_for_eval "$file"
+      args="$args $func_quote_for_eval_result"
+    done
 
-	  if test "$pic_object" != none; then
-	    # Prepend the subdirectory the object is found in.
-	    pic_object="$xdir$pic_object"
+    if test "X$opt_dry_run" = Xfalse; then
+      if test -n "$shlibpath_var"; then
+	# Export the shlibpath_var.
+	eval "export $shlibpath_var"
+      fi
 
-	    if test "$prev" = dlfiles; then
-	      if test "$build_libtool_libs" = yes && test "$dlopen_support" = yes; then
-		dlfiles="$dlfiles $pic_object"
-		prev=
-		continue
+      # Restore saved environment variables
+      for lt_var in LANG LANGUAGE LC_ALL LC_CTYPE LC_COLLATE LC_MESSAGES
+      do
+	eval "if test \"\${save_$lt_var+set}\" = set; then
+                $lt_var=\$save_$lt_var; export $lt_var
 	      else
-		# If libtool objects are unsupported, then we need to preload.
-		prev=dlprefiles
-	      fi
-	    fi
+		$lt_unset $lt_var
+	      fi"
+      done
 
-	    # CHECK ME:  I think I busted this.  -Ossama
-	    if test "$prev" = dlprefiles; then
-	      # Preload the old-style object.
-	      dlprefiles="$dlprefiles $pic_object"
-	      prev=
-	    fi
+      # Now prepare to actually exec the command.
+      exec_cmd="\$cmd$args"
+    else
+      # Display what would be done.
+      if test -n "$shlibpath_var"; then
+	eval "\$ECHO \"\$shlibpath_var=\$$shlibpath_var\""
+	$ECHO "export $shlibpath_var"
+      fi
+      $ECHO "$cmd$args"
+      exit $EXIT_SUCCESS
+    fi
+}
 
-	    # A PIC object.
-	    libobjs="$libobjs $pic_object"
-	    arg="$pic_object"
-	  fi
+test "$mode" = execute && func_mode_execute ${1+"$@"}
 
-	  # Non-PIC object.
-	  if test "$non_pic_object" != none; then
-	    # Prepend the subdirectory the object is found in.
-	    non_pic_object="$xdir$non_pic_object"
 
-	    # A standard non-PIC object
-	    non_pic_objects="$non_pic_objects $non_pic_object"
-	    if test -z "$pic_object" || test "$pic_object" = none ; then
-	      arg="$non_pic_object"
-	    fi
-	  else
-	    # If the PIC object exists, use it instead.
-	    # $xdir was prepended to $pic_object above.
-	    non_pic_object="$pic_object"
-	    non_pic_objects="$non_pic_objects $non_pic_object"
-	  fi
-	else
-	  # Only an error if not doing a dry-run.
-	  if test -z "$run"; then
-	    $echo "$modename: \`$arg' is not a valid libtool object" 1>&2
-	    exit $EXIT_FAILURE
-	  else
-	    # Dry-run case.
+# func_mode_finish arg...
+func_mode_finish ()
+{
+    $opt_debug
+    libdirs="$nonopt"
+    admincmds=
 
-	    # Extract subdirectory from the argument.
-	    xdir=`$echo "X$arg" | $Xsed -e 's%/[^/]*$%%'`
-	    if test "X$xdir" = "X$arg"; then
-	      xdir=
-	    else
-	      xdir="$xdir/"
-	    fi
+    if test -n "$finish_cmds$finish_eval" && test -n "$libdirs"; then
+      for dir
+      do
+	libdirs="$libdirs $dir"
+      done
 
-	    pic_object=`$echo "X${xdir}${objdir}/${arg}" | $Xsed -e "$lo2o"`
-	    non_pic_object=`$echo "X${xdir}${arg}" | $Xsed -e "$lo2o"`
-	    libobjs="$libobjs $pic_object"
-	    non_pic_objects="$non_pic_objects $non_pic_object"
-	  fi
+      for libdir in $libdirs; do
+	if test -n "$finish_cmds"; then
+	  # Do each command in the finish commands.
+	  func_execute_cmds "$finish_cmds" 'admincmds="$admincmds
+'"$cmd"'"'
 	fi
-	;;
+	if test -n "$finish_eval"; then
+	  # Do the single finish_eval.
+	  eval cmds=\"$finish_eval\"
+	  $opt_dry_run || eval "$cmds" || admincmds="$admincmds
+       $cmds"
+	fi
+      done
+    fi
 
-      *.$libext)
-	# An archive.
-	deplibs="$deplibs $arg"
-	old_deplibs="$old_deplibs $arg"
-	continue
-	;;
+    # Exit here if they wanted silent mode.
+    $opt_silent && exit $EXIT_SUCCESS
 
-      *.la)
-	# A libtool-controlled library.
+    $ECHO "X----------------------------------------------------------------------" | $Xsed
+    $ECHO "Libraries have been installed in:"
+    for libdir in $libdirs; do
+      $ECHO "   $libdir"
+    done
+    $ECHO
+    $ECHO "If you ever happen to want to link against installed libraries"
+    $ECHO "in a given directory, LIBDIR, you must either use libtool, and"
+    $ECHO "specify the full pathname of the library, or use the \`-LLIBDIR'"
+    $ECHO "flag during linking and do at least one of the following:"
+    if test -n "$shlibpath_var"; then
+      $ECHO "   - add LIBDIR to the \`$shlibpath_var' environment variable"
+      $ECHO "     during execution"
+    fi
+    if test -n "$runpath_var"; then
+      $ECHO "   - add LIBDIR to the \`$runpath_var' environment variable"
+      $ECHO "     during linking"
+    fi
+    if test -n "$hardcode_libdir_flag_spec"; then
+      libdir=LIBDIR
+      eval flag=\"$hardcode_libdir_flag_spec\"
 
-	if test "$prev" = dlfiles; then
-	  # This library was specified with -dlopen.
-	  dlfiles="$dlfiles $arg"
-	  prev=
-	elif test "$prev" = dlprefiles; then
-	  # The library was specified with -dlpreopen.
-	  dlprefiles="$dlprefiles $arg"
+      $ECHO "   - use the \`$flag' linker flag"
+    fi
+    if test -n "$admincmds"; then
+      $ECHO "   - have your system administrator run these commands:$admincmds"
+    fi
+    if test -f /etc/ld.so.conf; then
+      $ECHO "   - have your system administrator add LIBDIR to \`/etc/ld.so.conf'"
+    fi
+    $ECHO
+
+    $ECHO "See any operating system documentation about shared libraries for"
+    case $host in
+      solaris2.[6789]|solaris2.1[0-9])
+        $ECHO "more information, such as the ld(1), crle(1) and ld.so(8) manual"
+	$ECHO "pages."
+	;;
+      *)
+        $ECHO "more information, such as the ld(1) and ld.so(8) manual pages."
+        ;;
+    esac
+    $ECHO "X----------------------------------------------------------------------" | $Xsed
+    exit $EXIT_SUCCESS
+}
+
+test "$mode" = finish && func_mode_finish ${1+"$@"}
+
+
+# func_mode_install arg...
+func_mode_install ()
+{
+    $opt_debug
+    # There may be an optional sh(1) argument at the beginning of
+    # install_prog (especially on Windows NT).
+    if test "$nonopt" = "$SHELL" || test "$nonopt" = /bin/sh ||
+       # Allow the use of GNU shtool's install command.
+       $ECHO "X$nonopt" | $GREP shtool >/dev/null; then
+      # Aesthetically quote it.
+      func_quote_for_eval "$nonopt"
+      install_prog="$func_quote_for_eval_result "
+      arg=$1
+      shift
+    else
+      install_prog=
+      arg=$nonopt
+    fi
+
+    # The real first argument should be the name of the installation program.
+    # Aesthetically quote it.
+    func_quote_for_eval "$arg"
+    install_prog="$install_prog$func_quote_for_eval_result"
+
+    # We need to accept at least all the BSD install flags.
+    dest=
+    files=
+    opts=
+    prev=
+    install_type=
+    isdir=no
+    stripme=
+    for arg
+    do
+      if test -n "$dest"; then
+	files="$files $dest"
+	dest=$arg
+	continue
+      fi
+
+      case $arg in
+      -d) isdir=yes ;;
+      -f)
+	case " $install_prog " in
+	*[\\\ /]cp\ *) ;;
+	*) prev=$arg ;;
+	esac
+	;;
+      -g | -m | -o)
+	prev=$arg
+	;;
+      -s)
+	stripme=" -s"
+	continue
+	;;
+      -*)
+	;;
+      *)
+	# If the previous option needed an argument, then skip it.
+	if test -n "$prev"; then
 	  prev=
 	else
-	  deplibs="$deplibs $arg"
+	  dest=$arg
+	  continue
 	fi
-	continue
 	;;
+      esac
 
-      # Some other compiler argument.
-      *)
-	# Unknown arguments in both finalize_command and compile_command need
-	# to be aesthetically quoted because they are evaled later.
-	arg=`$echo "X$arg" | $Xsed -e "$sed_quote_subst"`
-	case $arg in
-	*[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*|"")
-	  arg="\"$arg\""
-	  ;;
-	esac
-	;;
-      esac # arg
+      # Aesthetically quote the argument.
+      func_quote_for_eval "$arg"
+      install_prog="$install_prog $func_quote_for_eval_result"
+    done
 
-      # Now actually substitute the argument into the commands.
-      if test -n "$arg"; then
-	compile_command="$compile_command $arg"
-	finalize_command="$finalize_command $arg"
-      fi
-    done # argument parsing loop
+    test -z "$install_prog" && \
+      func_fatal_help "you must specify an install program"
 
-    if test -n "$prev"; then
-      $echo "$modename: the \`$prevarg' option requires an argument" 1>&2
-      $echo "$help" 1>&2
-      exit $EXIT_FAILURE
-    fi
+    test -n "$prev" && \
+      func_fatal_help "the \`$prev' option requires an argument"
 
-    if test "$export_dynamic" = yes && test -n "$export_dynamic_flag_spec"; then
-      eval arg=\"$export_dynamic_flag_spec\"
-      compile_command="$compile_command $arg"
-      finalize_command="$finalize_command $arg"
+    if test -z "$files"; then
+      if test -z "$dest"; then
+	func_fatal_help "no file or destination specified"
+      else
+	func_fatal_help "you must specify a destination"
+      fi
     fi
 
-    oldlibs=
-    # calculate the name of the file, without its directory
-    outputname=`$echo "X$output" | $Xsed -e 's%^.*/%%'`
-    libobjs_save="$libobjs"
+    # Strip any trailing slash from the destination.
+    func_stripname '' '/' "$dest"
+    dest=$func_stripname_result
 
-    if test -n "$shlibpath_var"; then
-      # get the directories listed in $shlibpath_var
-      eval shlib_search_path=\`\$echo \"X\${$shlibpath_var}\" \| \$Xsed -e \'s/:/ /g\'\`
+    # Check to see that the destination is a directory.
+    test -d "$dest" && isdir=yes
+    if test "$isdir" = yes; then
+      destdir="$dest"
+      destname=
     else
-      shlib_search_path=
-    fi
-    eval sys_lib_search_path=\"$sys_lib_search_path_spec\"
-    eval sys_lib_dlsearch_path=\"$sys_lib_dlsearch_path_spec\"
+      func_dirname_and_basename "$dest" "" "."
+      destdir="$func_dirname_result"
+      destname="$func_basename_result"
 
-    output_objdir=`$echo "X$output" | $Xsed -e 's%/[^/]*$%%'`
-    if test "X$output_objdir" = "X$output"; then
-      output_objdir="$objdir"
-    else
-      output_objdir="$output_objdir/$objdir"
-    fi
-    # Create the object directory.
-    if test ! -d "$output_objdir"; then
-      $show "$mkdir $output_objdir"
-      $run $mkdir $output_objdir
-      exit_status=$?
-      if test "$exit_status" -ne 0 && test ! -d "$output_objdir"; then
-	exit $exit_status
-      fi
+      # Not a directory, so check to see that there is only one file specified.
+      set dummy $files; shift
+      test "$#" -gt 1 && \
+	func_fatal_help "\`$dest' is not a directory"
     fi
-
-    # Determine the type of output
-    case $output in
-    "")
-      $echo "$modename: you must specify an output file" 1>&2
-      $echo "$help" 1>&2
-      exit $EXIT_FAILURE
-      ;;
-    *.$libext) linkmode=oldlib ;;
-    *.lo | *.$objext) linkmode=obj ;;
-    *.la) linkmode=lib ;;
-    *) linkmode=prog ;; # Anything else should be a program.
-    esac
-
-    case $host in
-    *cygwin* | *mingw* | *pw32*)
-      # don't eliminate duplications in $postdeps and $predeps
-      duplicate_compiler_generated_deps=yes
-      ;;
+    case $destdir in
+    [\\/]* | [A-Za-z]:[\\/]*) ;;
     *)
-      duplicate_compiler_generated_deps=$duplicate_deps
+      for file in $files; do
+	case $file in
+	*.lo) ;;
+	*)
+	  func_fatal_help "\`$destdir' must be an absolute directory name"
+	  ;;
+	esac
+      done
       ;;
     esac
-    specialdeplibs=
 
-    libs=
-    # Find all interdependent deplibs by searching for libraries
-    # that are linked more than once (e.g. -la -lb -la)
-    for deplib in $deplibs; do
-      if test "X$duplicate_deps" = "Xyes" ; then
-	case "$libs " in
-	*" $deplib "*) specialdeplibs="$specialdeplibs $deplib" ;;
-	esac
-      fi
-      libs="$libs $deplib"
-    done
+    # This variable tells wrapper scripts just to set variables rather
+    # than running their programs.
+    libtool_install_magic="$magic"
 
-    if test "$linkmode" = lib; then
-      libs="$predeps $libs $compiler_lib_search_path $postdeps"
+    staticlibs=
+    future_libdirs=
+    current_libdirs=
+    for file in $files; do
 
-      # Compute libraries that are listed more than once in $predeps
-      # $postdeps and mark them as special (i.e., whose duplicates are
-      # not to be eliminated).
-      pre_post_deps=
-      if test "X$duplicate_compiler_generated_deps" = "Xyes" ; then
-	for pre_post_dep in $predeps $postdeps; do
-	  case "$pre_post_deps " in
-	  *" $pre_post_dep "*) specialdeplibs="$specialdeplibs $pre_post_deps" ;;
+      # Do each installation.
+      case $file in
+      *.$libext)
+	# Do the static libraries later.
+	staticlibs="$staticlibs $file"
+	;;
+
+      *.la)
+	# Check to see that this really is a libtool archive.
+	func_lalib_unsafe_p "$file" \
+	  || func_fatal_help "\`$file' is not a valid libtool archive"
+
+	library_names=
+	old_library=
+	relink_command=
+	func_source "$file"
+
+	# Add the libdir to current_libdirs if it is the destination.
+	if test "X$destdir" = "X$libdir"; then
+	  case "$current_libdirs " in
+	  *" $libdir "*) ;;
+	  *) current_libdirs="$current_libdirs $libdir" ;;
 	  esac
-	  pre_post_deps="$pre_post_deps $pre_post_dep"
-	done
-      fi
-      pre_post_deps=
-    fi
+	else
+	  # Note the libdir as a future libdir.
+	  case "$future_libdirs " in
+	  *" $libdir "*) ;;
+	  *) future_libdirs="$future_libdirs $libdir" ;;
+	  esac
+	fi
 
-    deplibs=
-    newdependency_libs=
-    newlib_search_path=
-    need_relink=no # whether we're linking any uninstalled libtool libraries
-    notinst_deplibs= # not-installed libtool libraries
-    case $linkmode in
-    lib)
-	passes="conv link"
-	for file in $dlfiles $dlprefiles; do
-	  case $file in
-	  *.la) ;;
-	  *)
-	    $echo "$modename: libraries can \`-dlopen' only libtool libraries: $file" 1>&2
-	    exit $EXIT_FAILURE
+	func_dirname "$file" "/" ""
+	dir="$func_dirname_result"
+	dir="$dir$objdir"
+
+	if test -n "$relink_command"; then
+	  # Determine the prefix the user has applied to our future dir.
+	  inst_prefix_dir=`$ECHO "X$destdir" | $Xsed -e "s%$libdir\$%%"`
+
+	  # Don't allow the user to place us outside of our expected
+	  # location b/c this prevents finding dependent libraries that
+	  # are installed to the same prefix.
+	  # At present, this check doesn't affect windows .dll's that
+	  # are installed into $libdir/../bin (currently, that works fine)
+	  # but it's something to keep an eye on.
+	  test "$inst_prefix_dir" = "$destdir" && \
+	    func_fatal_error "error: cannot install \`$file' to a directory not ending in $libdir"
+
+	  if test -n "$inst_prefix_dir"; then
+	    # Stick the inst_prefix_dir data into the link command.
+	    relink_command=`$ECHO "X$relink_command" | $Xsed -e "s%@inst_prefix_dir@%-inst-prefix-dir $inst_prefix_dir%"`
+	  else
+	    relink_command=`$ECHO "X$relink_command" | $Xsed -e "s%@inst_prefix_dir@%%"`
+	  fi
+
+	  func_warning "relinking \`$file'"
+	  func_show_eval "$relink_command" \
+	    'func_fatal_error "error: relink \`$file'\'' with the above command before installing it"'
+	fi
+
+	# See the names of the shared library.
+	set dummy $library_names; shift
+	if test -n "$1"; then
+	  realname="$1"
+	  shift
+
+	  srcname="$realname"
+	  test -n "$relink_command" && srcname="$realname"T
+
+	  # Install the shared library and build the symlinks.
+	  func_show_eval "$install_prog $dir/$srcname $destdir/$realname" \
+	      'exit $?'
+	  tstripme="$stripme"
+	  case $host_os in
+	  cygwin* | mingw* | pw32*)
+	    case $realname in
+	    *.dll.a)
+	      tstripme=""
+	      ;;
+	    esac
 	    ;;
 	  esac
-	done
-	;;
-    prog)
-	compile_deplibs=
-	finalize_deplibs=
-	alldeplibs=no
-	newdlfiles=
-	newdlprefiles=
-	passes="conv scan dlopen dlpreopen link"
-	;;
-    *)  passes="conv"
-	;;
-    esac
-    for pass in $passes; do
-      if test "$linkmode,$pass" = "lib,link" ||
-	 test "$linkmode,$pass" = "prog,scan"; then
-	libs="$deplibs"
-	deplibs=
-      fi
-      if test "$linkmode" = prog; then
-	case $pass in
-	dlopen) libs="$dlfiles" ;;
-	dlpreopen) libs="$dlprefiles" ;;
-	link)
-	  libs="$deplibs %DEPLIBS%"
-	  test "X$link_all_deplibs" != Xno && libs="$libs $dependency_libs"
-	  ;;
-	esac
-      fi
-      if test "$pass" = dlopen; then
-	# Collect dlpreopened libraries
-	save_deplibs="$deplibs"
-	deplibs=
-      fi
-      for deplib in $libs; do
-	lib=
-	found=no
-	case $deplib in
-	-mt|-mthreads|-kthread|-Kthread|-pthread|-pthreads|--thread-safe|-threads)
-	  if test "$linkmode,$pass" = "prog,link"; then
-	    compile_deplibs="$deplib $compile_deplibs"
-	    finalize_deplibs="$deplib $finalize_deplibs"
-	  else
-	    compiler_flags="$compiler_flags $deplib"
-	  fi
-	  continue
-	  ;;
-	-l*)
-	  if test "$linkmode" != lib && test "$linkmode" != prog; then
-	    $echo "$modename: warning: \`-l' is ignored for archives/objects" 1>&2
-	    continue
-	  fi
-	  name=`$echo "X$deplib" | $Xsed -e 's/^-l//'`
-	  if test "$linkmode" = lib; then
-	    searchdirs="$newlib_search_path $lib_search_path $compiler_lib_search_dirs $sys_lib_search_path $shlib_search_path"
-	  else
-	    searchdirs="$newlib_search_path $lib_search_path $sys_lib_search_path $shlib_search_path"
+	  if test -n "$tstripme" && test -n "$striplib"; then
+	    func_show_eval "$striplib $destdir/$realname" 'exit $?'
 	  fi
-	  for searchdir in $searchdirs; do
-	    for search_ext in .la $std_shrext .so .a; do
-	      # Search the libtool library
-	      lib="$searchdir/lib${name}${search_ext}"
-	      if test -f "$lib"; then
-		if test "$search_ext" = ".la"; then
-		  found=yes
-		else
-		  found=no
-		fi
-		break 2
-	      fi
+
+	  if test "$#" -gt 0; then
+	    # Delete the old symlinks, and create new ones.
+	    # Try `ln -sf' first, because the `ln' binary might depend on
+	    # the symlink we replace!  Solaris /bin/ln does not understand -f,
+	    # so we also need to try rm && ln -s.
+	    for linkname
+	    do
+	      test "$linkname" != "$realname" \
+		&& func_show_eval "(cd $destdir && { $LN_S -f $realname $linkname || { $RM $linkname && $LN_S $realname $linkname; }; })"
 	    done
-	  done
-	  if test "$found" != yes; then
-	    # deplib doesn't seem to be a libtool library
-	    if test "$linkmode,$pass" = "prog,link"; then
-	      compile_deplibs="$deplib $compile_deplibs"
-	      finalize_deplibs="$deplib $finalize_deplibs"
-	    else
-	      deplibs="$deplib $deplibs"
-	      test "$linkmode" = lib && newdependency_libs="$deplib $newdependency_libs"
-	    fi
-	    continue
-	  else # deplib is a libtool library
-	    # If $allow_libtool_libs_with_static_runtimes && $deplib is a stdlib,
-	    # We need to do some special things here, and not later.
-	    if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then
-	      case " $predeps $postdeps " in
-	      *" $deplib "*)
-		if (${SED} -e '2q' $lib |
-                    grep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then
-		  library_names=
-		  old_library=
-		  case $lib in
-		  */* | *\\*) . $lib ;;
-		  *) . ./$lib ;;
-		  esac
-		  for l in $old_library $library_names; do
-		    ll="$l"
-		  done
-		  if test "X$ll" = "X$old_library" ; then # only static version available
-		    found=no
-		    ladir=`$echo "X$lib" | $Xsed -e 's%/[^/]*$%%'`
-		    test "X$ladir" = "X$lib" && ladir="."
-		    lib=$ladir/$old_library
-		    if test "$linkmode,$pass" = "prog,link"; then
-		      compile_deplibs="$deplib $compile_deplibs"
-		      finalize_deplibs="$deplib $finalize_deplibs"
-		    else
-		      deplibs="$deplib $deplibs"
-		      test "$linkmode" = lib && newdependency_libs="$deplib $newdependency_libs"
-		    fi
-		    continue
-		  fi
-		fi
-	        ;;
-	      *) ;;
-	      esac
-	    fi
-	  fi
-	  ;; # -l
-	-L*)
-	  case $linkmode in
-	  lib)
-	    deplibs="$deplib $deplibs"
-	    test "$pass" = conv && continue
-	    newdependency_libs="$deplib $newdependency_libs"
-	    newlib_search_path="$newlib_search_path "`$echo "X$deplib" | $Xsed -e 's/^-L//'`
-	    ;;
-	  prog)
-	    if test "$pass" = conv; then
-	      deplibs="$deplib $deplibs"
-	      continue
-	    fi
-	    if test "$pass" = scan; then
-	      deplibs="$deplib $deplibs"
-	    else
-	      compile_deplibs="$deplib $compile_deplibs"
-	      finalize_deplibs="$deplib $finalize_deplibs"
-	    fi
-	    newlib_search_path="$newlib_search_path "`$echo "X$deplib" | $Xsed -e 's/^-L//'`
-	    ;;
-	  *)
-	    $echo "$modename: warning: \`-L' is ignored for archives/objects" 1>&2
-	    ;;
-	  esac # linkmode
-	  continue
-	  ;; # -L
-	-R*)
-	  if test "$pass" = link; then
-	    dir=`$echo "X$deplib" | $Xsed -e 's/^-R//'`
-	    # Make sure the xrpath contains only unique directories.
-	    case "$xrpath " in
-	    *" $dir "*) ;;
-	    *) xrpath="$xrpath $dir" ;;
-	    esac
-	  fi
-	  deplibs="$deplib $deplibs"
-	  continue
-	  ;;
-	*.la) lib="$deplib" ;;
-	*.$libext)
-	  if test "$pass" = conv; then
-	    deplibs="$deplib $deplibs"
-	    continue
-	  fi
-	  case $linkmode in
-	  lib)
-	    valid_a_lib=no
-	    case $deplibs_check_method in
-	      match_pattern*)
-		set dummy $deplibs_check_method
-	        match_pattern_regex=`expr "$deplibs_check_method" : "$2 \(.*\)"`
-		if eval $echo \"$deplib\" 2>/dev/null \
-		    | $SED 10q \
-		    | $EGREP "$match_pattern_regex" > /dev/null; then
-		  valid_a_lib=yes
-		fi
-		;;
-	      pass_all)
-		valid_a_lib=yes
-		;;
-            esac
-	    if test "$valid_a_lib" != yes; then
-	      $echo
-	      $echo "*** Warning: Trying to link with static lib archive $deplib."
-	      $echo "*** I have the capability to make that library automatically link in when"
-	      $echo "*** you link to this library.  But I can only do this if you have a"
-	      $echo "*** shared version of the library, which you do not appear to have"
-	      $echo "*** because the file extensions .$libext of this argument makes me believe"
-	      $echo "*** that it is just a static archive that I should not used here."
-	    else
-	      $echo
-	      $echo "*** Warning: Linking the shared library $output against the"
-	      $echo "*** static library $deplib is not portable!"
-	      deplibs="$deplib $deplibs"
-	    fi
-	    continue
-	    ;;
-	  prog)
-	    if test "$pass" != link; then
-	      deplibs="$deplib $deplibs"
-	    else
-	      compile_deplibs="$deplib $compile_deplibs"
-	      finalize_deplibs="$deplib $finalize_deplibs"
-	    fi
-	    continue
-	    ;;
-	  esac # linkmode
-	  ;; # *.$libext
-	*.lo | *.$objext)
-	  if test "$pass" = conv; then
-	    deplibs="$deplib $deplibs"
-	  elif test "$linkmode" = prog; then
-	    if test "$pass" = dlpreopen || test "$dlopen_support" != yes || test "$build_libtool_libs" = no; then
-	      # If there is no dlopen support or we're linking statically,
-	      # we need to preload.
-	      newdlprefiles="$newdlprefiles $deplib"
-	      compile_deplibs="$deplib $compile_deplibs"
-	      finalize_deplibs="$deplib $finalize_deplibs"
-	    else
-	      newdlfiles="$newdlfiles $deplib"
-	    fi
 	  fi
-	  continue
-	  ;;
-	%DEPLIBS%)
-	  alldeplibs=yes
-	  continue
-	  ;;
-	esac # case $deplib
-	if test "$found" = yes || test -f "$lib"; then :
-	else
-	  $echo "$modename: cannot find the library \`$lib' or unhandled argument \`$deplib'" 1>&2
-	  exit $EXIT_FAILURE
-	fi
 
-	# Check to see that this really is a libtool archive.
-	if (${SED} -e '2q' $lib | grep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then :
-	else
-	  $echo "$modename: \`$lib' is not a valid libtool archive" 1>&2
-	  exit $EXIT_FAILURE
+	  # Do each command in the postinstall commands.
+	  lib="$destdir/$realname"
+	  func_execute_cmds "$postinstall_cmds" 'exit $?'
 	fi
 
-	ladir=`$echo "X$lib" | $Xsed -e 's%/[^/]*$%%'`
-	test "X$ladir" = "X$lib" && ladir="."
+	# Install the pseudo-library for information purposes.
+	func_basename "$file"
+	name="$func_basename_result"
+	instname="$dir/$name"i
+	func_show_eval "$install_prog $instname $destdir/$name" 'exit $?'
 
-	dlname=
-	dlopen=
-	dlpreopen=
-	libdir=
-	library_names=
-	old_library=
-	# If the library was installed with an old release of libtool,
-	# it will not redefine variables installed, or shouldnotlink
-	installed=yes
-	shouldnotlink=no
-	avoidtemprpath=
+	# Maybe install the static library, too.
+	test -n "$old_library" && staticlibs="$staticlibs $dir/$old_library"
+	;;
 
+      *.lo)
+	# Install (i.e. copy) a libtool object.
 
-	# Read the .la file
-	case $lib in
-	*/* | *\\*) . $lib ;;
-	*) . ./$lib ;;
+	# Figure out destination file name, if it wasn't already specified.
+	if test -n "$destname"; then
+	  destfile="$destdir/$destname"
+	else
+	  func_basename "$file"
+	  destfile="$func_basename_result"
+	  destfile="$destdir/$destfile"
+	fi
+
+	# Deduce the name of the destination old-style object file.
+	case $destfile in
+	*.lo)
+	  func_lo2o "$destfile"
+	  staticdest=$func_lo2o_result
+	  ;;
+	*.$objext)
+	  staticdest="$destfile"
+	  destfile=
+	  ;;
+	*)
+	  func_fatal_help "cannot copy a libtool object to \`$destfile'"
+	  ;;
 	esac
 
-	if test "$linkmode,$pass" = "lib,link" ||
-	   test "$linkmode,$pass" = "prog,scan" ||
-	   { test "$linkmode" != prog && test "$linkmode" != lib; }; then
-	  test -n "$dlopen" && dlfiles="$dlfiles $dlopen"
-	  test -n "$dlpreopen" && dlprefiles="$dlprefiles $dlpreopen"
+	# Install the libtool object if requested.
+	test -n "$destfile" && \
+	  func_show_eval "$install_prog $file $destfile" 'exit $?'
+
+	# Install the old object if enabled.
+	if test "$build_old_libs" = yes; then
+	  # Deduce the name of the old-style object file.
+	  func_lo2o "$file"
+	  staticobj=$func_lo2o_result
+	  func_show_eval "$install_prog \$staticobj \$staticdest" 'exit $?'
 	fi
+	exit $EXIT_SUCCESS
+	;;
 
-	if test "$pass" = conv; then
-	  # Only check for convenience libraries
-	  deplibs="$lib $deplibs"
-	  if test -z "$libdir"; then
-	    if test -z "$old_library"; then
-	      $echo "$modename: cannot find name of link library for \`$lib'" 1>&2
-	      exit $EXIT_FAILURE
-	    fi
-	    # It is a libtool convenience library, so add in its objects.
-	    convenience="$convenience $ladir/$objdir/$old_library"
-	    old_convenience="$old_convenience $ladir/$objdir/$old_library"
-	    tmp_libs=
-	    for deplib in $dependency_libs; do
-	      deplibs="$deplib $deplibs"
-              if test "X$duplicate_deps" = "Xyes" ; then
-	        case "$tmp_libs " in
-	        *" $deplib "*) specialdeplibs="$specialdeplibs $deplib" ;;
-	        esac
-              fi
-	      tmp_libs="$tmp_libs $deplib"
-	    done
-	  elif test "$linkmode" != prog && test "$linkmode" != lib; then
-	    $echo "$modename: \`$lib' is not a convenience library" 1>&2
-	    exit $EXIT_FAILURE
-	  fi
-	  continue
-	fi # $pass = conv
+      *)
+	# Figure out destination file name, if it wasn't already specified.
+	if test -n "$destname"; then
+	  destfile="$destdir/$destname"
+	else
+	  func_basename "$file"
+	  destfile="$func_basename_result"
+	  destfile="$destdir/$destfile"
+	fi
 
+	# If the file is missing, and there is a .exe on the end, strip it
+	# because it is most likely a libtool script we actually want to
+	# install
+	stripped_ext=""
+	case $file in
+	  *.exe)
+	    if test ! -f "$file"; then
+	      func_stripname '' '.exe' "$file"
+	      file=$func_stripname_result
+	      stripped_ext=".exe"
+	    fi
+	    ;;
+	esac
 
-	# Get the name of the library we link against.
-	linklib=
-	for l in $old_library $library_names; do
-	  linklib="$l"
-	done
-	if test -z "$linklib"; then
-	  $echo "$modename: cannot find name of link library for \`$lib'" 1>&2
-	  exit $EXIT_FAILURE
-	fi
+	# Do a test to see if this is really a libtool program.
+	case $host in
+	*cygwin*|*mingw*)
+	    if func_ltwrapper_executable_p "$file"; then
+	      func_ltwrapper_scriptname "$file"
+	      wrapper=$func_ltwrapper_scriptname_result
+	    else
+	      func_stripname '' '.exe' "$file"
+	      wrapper=$func_stripname_result
+	    fi
+	    ;;
+	*)
+	    wrapper=$file
+	    ;;
+	esac
+	if func_ltwrapper_script_p "$wrapper"; then
+	  notinst_deplibs=
+	  relink_command=
 
-	# This library was specified with -dlopen.
-	if test "$pass" = dlopen; then
-	  if test -z "$libdir"; then
-	    $echo "$modename: cannot -dlopen a convenience library: \`$lib'" 1>&2
-	    exit $EXIT_FAILURE
-	  fi
-	  if test -z "$dlname" ||
-	     test "$dlopen_support" != yes ||
-	     test "$build_libtool_libs" = no; then
-	    # If there is no dlname, no dlopen support or we're linking
-	    # statically, we need to preload.  We also need to preload any
-	    # dependent libraries so libltdl's deplib preloader doesn't
-	    # bomb out in the load deplibs phase.
-	    dlprefiles="$dlprefiles $lib $dependency_libs"
+	  func_source "$wrapper"
+
+	  # Check the variables that should have been set.
+	  test -z "$generated_by_libtool_version" && \
+	    func_fatal_error "invalid libtool wrapper script \`$wrapper'"
+
+	  finalize=yes
+	  for lib in $notinst_deplibs; do
+	    # Check to see that each library is installed.
+	    libdir=
+	    if test -f "$lib"; then
+	      func_source "$lib"
+	    fi
+	    libfile="$libdir/"`$ECHO "X$lib" | $Xsed -e 's%^.*/%%g'` ### testsuite: skip nested quoting test
+	    if test -n "$libdir" && test ! -f "$libfile"; then
+	      func_warning "\`$lib' has not been installed in \`$libdir'"
+	      finalize=no
+	    fi
+	  done
+
+	  relink_command=
+	  func_source "$wrapper"
+
+	  outputname=
+	  if test "$fast_install" = no && test -n "$relink_command"; then
+	    $opt_dry_run || {
+	      if test "$finalize" = yes; then
+	        tmpdir=`func_mktempdir`
+		func_basename "$file$stripped_ext"
+		file="$func_basename_result"
+	        outputname="$tmpdir/$file"
+	        # Replace the output file specification.
+	        relink_command=`$ECHO "X$relink_command" | $Xsed -e 's%@OUTPUT@%'"$outputname"'%g'`
+
+	        $opt_silent || {
+	          func_quote_for_expand "$relink_command"
+		  eval "func_echo $func_quote_for_expand_result"
+	        }
+	        if eval "$relink_command"; then :
+	          else
+		  func_error "error: relink \`$file' with the above command before installing it"
+		  $opt_dry_run || ${RM}r "$tmpdir"
+		  continue
+	        fi
+	        file="$outputname"
+	      else
+	        func_warning "cannot relink \`$file'"
+	      fi
+	    }
 	  else
-	    newdlfiles="$newdlfiles $lib"
+	    # Install the binary that we compiled earlier.
+	    file=`$ECHO "X$file$stripped_ext" | $Xsed -e "s%\([^/]*\)$%$objdir/\1%"`
 	  fi
-	  continue
-	fi # $pass = dlopen
+	fi
 
-	# We need an absolute path.
-	case $ladir in
-	[\\/]* | [A-Za-z]:[\\/]*) abs_ladir="$ladir" ;;
-	*)
-	  abs_ladir=`cd "$ladir" && pwd`
-	  if test -z "$abs_ladir"; then
-	    $echo "$modename: warning: cannot determine absolute directory name of \`$ladir'" 1>&2
-	    $echo "$modename: passing it literally to the linker, although it might fail" 1>&2
-	    abs_ladir="$ladir"
-	  fi
+	# remove .exe since cygwin /usr/bin/install will append another
+	# one anyway
+	case $install_prog,$host in
+	*/usr/bin/install*,*cygwin*)
+	  case $file:$destfile in
+	  *.exe:*.exe)
+	    # this is ok
+	    ;;
+	  *.exe:*)
+	    destfile=$destfile.exe
+	    ;;
+	  *:*.exe)
+	    func_stripname '' '.exe' "$destfile"
+	    destfile=$func_stripname_result
+	    ;;
+	  esac
 	  ;;
 	esac
-	laname=`$echo "X$lib" | $Xsed -e 's%^.*/%%'`
+	func_show_eval "$install_prog\$stripme \$file \$destfile" 'exit $?'
+	$opt_dry_run || if test -n "$outputname"; then
+	  ${RM}r "$tmpdir"
+	fi
+	;;
+      esac
+    done
 
-	# Find the relevant object directory and library name.
-	if test "X$installed" = Xyes; then
-	  if test ! -f "$libdir/$linklib" && test -f "$abs_ladir/$linklib"; then
-	    $echo "$modename: warning: library \`$lib' was moved." 1>&2
-	    dir="$ladir"
-	    absdir="$abs_ladir"
-	    libdir="$abs_ladir"
-	  else
-	    dir="$libdir"
-	    absdir="$libdir"
+    for file in $staticlibs; do
+      func_basename "$file"
+      name="$func_basename_result"
+
+      # Set up the ranlib parameters.
+      oldlib="$destdir/$name"
+
+      func_show_eval "$install_prog \$file \$oldlib" 'exit $?'
+
+      if test -n "$stripme" && test -n "$old_striplib"; then
+	func_show_eval "$old_striplib $oldlib" 'exit $?'
+      fi
+
+      # Do each command in the postinstall commands.
+      func_execute_cmds "$old_postinstall_cmds" 'exit $?'
+    done
+
+    test -n "$future_libdirs" && \
+      func_warning "remember to run \`$progname --finish$future_libdirs'"
+
+    if test -n "$current_libdirs"; then
+      # Maybe just do a dry run.
+      $opt_dry_run && current_libdirs=" -n$current_libdirs"
+      exec_cmd='$SHELL $progpath $preserve_args --finish$current_libdirs'
+    else
+      exit $EXIT_SUCCESS
+    fi
+}
+
+test "$mode" = install && func_mode_install ${1+"$@"}
+
+
+# func_generate_dlsyms outputname originator pic_p
+# Extract symbols from dlprefiles and create ${outputname}S.o with
+# a dlpreopen symbol table.
+func_generate_dlsyms ()
+{
+    $opt_debug
+    my_outputname="$1"
+    my_originator="$2"
+    my_pic_p="${3-no}"
+    my_prefix=`$ECHO "$my_originator" | sed 's%[^a-zA-Z0-9]%_%g'`
+    my_dlsyms=
+
+    if test -n "$dlfiles$dlprefiles" || test "$dlself" != no; then
+      if test -n "$NM" && test -n "$global_symbol_pipe"; then
+	my_dlsyms="${my_outputname}S.c"
+      else
+	func_error "not configured to extract global symbols from dlpreopened files"
+      fi
+    fi
+
+    if test -n "$my_dlsyms"; then
+      case $my_dlsyms in
+      "") ;;
+      *.c)
+	# Discover the nlist of each of the dlfiles.
+	nlist="$output_objdir/${my_outputname}.nm"
+
+	func_show_eval "$RM $nlist ${nlist}S ${nlist}T"
+
+	# Parse the name list into a source file.
+	func_verbose "creating $output_objdir/$my_dlsyms"
+
+	$opt_dry_run || $ECHO > "$output_objdir/$my_dlsyms" "\
+/* $my_dlsyms - symbol resolution table for \`$my_outputname' dlsym emulation. */
+/* Generated by $PROGRAM (GNU $PACKAGE$TIMESTAMP) $VERSION */
+
+#ifdef __cplusplus
+extern \"C\" {
+#endif
+
+/* External symbol declarations for the compiler. */\
+"
+
+	if test "$dlself" = yes; then
+	  func_verbose "generating symbol list for \`$output'"
+
+	  $opt_dry_run || echo ': @PROGRAM@ ' > "$nlist"
+
+	  # Add our own program objects to the symbol list.
+	  progfiles=`$ECHO "X$objs$old_deplibs" | $SP2NL | $Xsed -e "$lo2o" | $NL2SP`
+	  for progfile in $progfiles; do
+	    func_verbose "extracting global C symbols from \`$progfile'"
+	    $opt_dry_run || eval "$NM $progfile | $global_symbol_pipe >> '$nlist'"
+	  done
+
+	  if test -n "$exclude_expsyms"; then
+	    $opt_dry_run || {
+	      eval '$EGREP -v " ($exclude_expsyms)$" "$nlist" > "$nlist"T'
+	      eval '$MV "$nlist"T "$nlist"'
+	    }
 	  fi
-	  test "X$hardcode_automatic" = Xyes && avoidtemprpath=yes
-	else
-	  if test ! -f "$ladir/$objdir/$linklib" && test -f "$abs_ladir/$linklib"; then
-	    dir="$ladir"
-	    absdir="$abs_ladir"
-	    # Remove this search path later
-	    notinst_path="$notinst_path $abs_ladir"
+
+	  if test -n "$export_symbols_regex"; then
+	    $opt_dry_run || {
+	      eval '$EGREP -e "$export_symbols_regex" "$nlist" > "$nlist"T'
+	      eval '$MV "$nlist"T "$nlist"'
+	    }
+	  fi
+
+	  # Prepare the list of exported symbols
+	  if test -z "$export_symbols"; then
+	    export_symbols="$output_objdir/$outputname.exp"
+	    $opt_dry_run || {
+	      $RM $export_symbols
+	      eval "${SED} -n -e '/^: @PROGRAM@ $/d' -e 's/^.* \(.*\)$/\1/p' "'< "$nlist" > "$export_symbols"'
+	      case $host in
+	      *cygwin* | *mingw* )
+                eval "echo EXPORTS "'> "$output_objdir/$outputname.def"'
+                eval 'cat "$export_symbols" >> "$output_objdir/$outputname.def"'
+	        ;;
+	      esac
+	    }
 	  else
-	    dir="$ladir/$objdir"
-	    absdir="$abs_ladir/$objdir"
-	    # Remove this search path later
-	    notinst_path="$notinst_path $abs_ladir"
+	    $opt_dry_run || {
+	      eval "${SED} -e 's/\([].[*^$]\)/\\\\\1/g' -e 's/^/ /' -e 's/$/$/'"' < "$export_symbols" > "$output_objdir/$outputname.exp"'
+	      eval '$GREP -f "$output_objdir/$outputname.exp" < "$nlist" > "$nlist"T'
+	      eval '$MV "$nlist"T "$nlist"'
+	      case $host in
+	        *cygwin | *mingw* )
+	          eval "echo EXPORTS "'> "$output_objdir/$outputname.def"'
+	          eval 'cat "$nlist" >> "$output_objdir/$outputname.def"'
+	          ;;
+	      esac
+	    }
 	  fi
-	fi # $installed = yes
-	name=`$echo "X$laname" | $Xsed -e 's/\.la$//' -e 's/^lib//'`
+	fi
 
-	# This library was specified with -dlpreopen.
-	if test "$pass" = dlpreopen; then
-	  if test -z "$libdir"; then
-	    $echo "$modename: cannot -dlpreopen a convenience library: \`$lib'" 1>&2
-	    exit $EXIT_FAILURE
+	for dlprefile in $dlprefiles; do
+	  func_verbose "extracting global C symbols from \`$dlprefile'"
+	  func_basename "$dlprefile"
+	  name="$func_basename_result"
+	  $opt_dry_run || {
+	    eval '$ECHO ": $name " >> "$nlist"'
+	    eval "$NM $dlprefile 2>/dev/null | $global_symbol_pipe >> '$nlist'"
+	  }
+	done
+
+	$opt_dry_run || {
+	  # Make sure we have at least an empty file.
+	  test -f "$nlist" || : > "$nlist"
+
+	  if test -n "$exclude_expsyms"; then
+	    $EGREP -v " ($exclude_expsyms)$" "$nlist" > "$nlist"T
+	    $MV "$nlist"T "$nlist"
 	  fi
-	  # Prefer using a static library (so that no silly _DYNAMIC symbols
-	  # are required to link).
-	  if test -n "$old_library"; then
-	    newdlprefiles="$newdlprefiles $dir/$old_library"
-	  # Otherwise, use the dlname, so that lt_dlopen finds it.
-	  elif test -n "$dlname"; then
-	    newdlprefiles="$newdlprefiles $dir/$dlname"
+
+	  # Try sorting and uniquifying the output.
+	  if $GREP -v "^: " < "$nlist" |
+	      if sort -k 3 </dev/null >/dev/null 2>&1; then
+		sort -k 3
+	      else
+		sort +2
+	      fi |
+	      uniq > "$nlist"S; then
+	    :
 	  else
-	    newdlprefiles="$newdlprefiles $dir/$linklib"
+	    $GREP -v "^: " < "$nlist" > "$nlist"S
 	  fi
-	fi # $pass = dlpreopen
 
-	if test -z "$libdir"; then
-	  # Link the convenience library
-	  if test "$linkmode" = lib; then
-	    deplibs="$dir/$old_library $deplibs"
-	  elif test "$linkmode,$pass" = "prog,link"; then
-	    compile_deplibs="$dir/$old_library $compile_deplibs"
-	    finalize_deplibs="$dir/$old_library $finalize_deplibs"
+	  if test -f "$nlist"S; then
+	    eval "$global_symbol_to_cdecl"' < "$nlist"S >> "$output_objdir/$my_dlsyms"'
 	  else
-	    deplibs="$lib $deplibs" # used for prog,scan pass
+	    $ECHO '/* NONE */' >> "$output_objdir/$my_dlsyms"
 	  fi
-	  continue
-	fi
 
+	  $ECHO >> "$output_objdir/$my_dlsyms" "\
 
-	if test "$linkmode" = prog && test "$pass" != link; then
-	  newlib_search_path="$newlib_search_path $ladir"
-	  deplibs="$lib $deplibs"
+/* The mapping between symbol names and symbols.  */
+typedef struct {
+  const char *name;
+  void *address;
+} lt_dlsymlist;
+"
+	  case $host in
+	  *cygwin* | *mingw* )
+	    $ECHO >> "$output_objdir/$my_dlsyms" "\
+/* DATA imports from DLLs on WIN32 con't be const, because
+   runtime relocations are performed -- see ld's documentation
+   on pseudo-relocs.  */"
+	    lt_dlsym_const= ;;
+	  *osf5*)
+	    echo >> "$output_objdir/$my_dlsyms" "\
+/* This system does not cope well with relocations in const data */"
+	    lt_dlsym_const= ;;
+	  *)
+	    lt_dlsym_const=const ;;
+	  esac
 
-	  linkalldeplibs=no
-	  if test "$link_all_deplibs" != no || test -z "$library_names" ||
-	     test "$build_libtool_libs" = no; then
-	    linkalldeplibs=yes
-	  fi
+	  $ECHO >> "$output_objdir/$my_dlsyms" "\
+extern $lt_dlsym_const lt_dlsymlist
+lt_${my_prefix}_LTX_preloaded_symbols[];
+$lt_dlsym_const lt_dlsymlist
+lt_${my_prefix}_LTX_preloaded_symbols[] =
+{\
+  { \"$my_originator\", (void *) 0 },"
 
-	  tmp_libs=
-	  for deplib in $dependency_libs; do
-	    case $deplib in
-	    -L*) newlib_search_path="$newlib_search_path "`$echo "X$deplib" | $Xsed -e 's/^-L//'`;; ### testsuite: skip nested quoting test
-	    esac
-	    # Need to link against all dependency_libs?
-	    if test "$linkalldeplibs" = yes; then
-	      deplibs="$deplib $deplibs"
-	    else
-	      # Need to hardcode shared library paths
-	      # or/and link against static libraries
-	      newdependency_libs="$deplib $newdependency_libs"
-	    fi
-	    if test "X$duplicate_deps" = "Xyes" ; then
-	      case "$tmp_libs " in
-	      *" $deplib "*) specialdeplibs="$specialdeplibs $deplib" ;;
-	      esac
-	    fi
-	    tmp_libs="$tmp_libs $deplib"
-	  done # for deplib
-	  continue
-	fi # $linkmode = prog...
+	  case $need_lib_prefix in
+	  no)
+	    eval "$global_symbol_to_c_name_address" < "$nlist" >> "$output_objdir/$my_dlsyms"
+	    ;;
+	  *)
+	    eval "$global_symbol_to_c_name_address_lib_prefix" < "$nlist" >> "$output_objdir/$my_dlsyms"
+	    ;;
+	  esac
+	  $ECHO >> "$output_objdir/$my_dlsyms" "\
+  {0, (void *) 0}
+};
 
-	if test "$linkmode,$pass" = "prog,link"; then
-	  if test -n "$library_names" &&
-	     { { test "$prefer_static_libs" = no ||
-		 test "$prefer_static_libs,$installed" = "built,yes"; } ||
-	       test -z "$old_library"; }; then
-	    # We need to hardcode the library path
-	    if test -n "$shlibpath_var" && test -z "$avoidtemprpath" ; then
-	      # Make sure the rpath contains only unique directories.
-	      case "$temp_rpath " in
-	      *" $dir "*) ;;
-	      *" $absdir "*) ;;
-	      *) temp_rpath="$temp_rpath $absdir" ;;
-	      esac
-	    fi
+/* This works around a problem in FreeBSD linker */
+#ifdef FREEBSD_WORKAROUND
+static const void *lt_preloaded_setup() {
+  return lt_${my_prefix}_LTX_preloaded_symbols;
+}
+#endif
 
-	    # Hardcode the library path.
-	    # Skip directories that are in the system default run-time
-	    # search path.
-	    case " $sys_lib_dlsearch_path " in
-	    *" $absdir "*) ;;
-	    *)
-	      case "$compile_rpath " in
-	      *" $absdir "*) ;;
-	      *) compile_rpath="$compile_rpath $absdir"
-	      esac
-	      ;;
-	    esac
-	    case " $sys_lib_dlsearch_path " in
-	    *" $libdir "*) ;;
-	    *)
-	      case "$finalize_rpath " in
-	      *" $libdir "*) ;;
-	      *) finalize_rpath="$finalize_rpath $libdir"
-	      esac
-	      ;;
-	    esac
-	  fi # $linkmode,$pass = prog,link...
+#ifdef __cplusplus
+}
+#endif\
+"
+	} # !$opt_dry_run
 
-	  if test "$alldeplibs" = yes &&
-	     { test "$deplibs_check_method" = pass_all ||
-	       { test "$build_libtool_libs" = yes &&
-		 test -n "$library_names"; }; }; then
-	    # We only need to search for static libraries
-	    continue
-	  fi
-	fi
+	pic_flag_for_symtable=
+	case "$compile_command " in
+	*" -static "*) ;;
+	*)
+	  case $host in
+	  # compiling the symbol table file with pic_flag works around
+	  # a FreeBSD bug that causes programs to crash when -lm is
+	  # linked before any other PIC object.  But we must not use
+	  # pic_flag when linking with -static.  The problem exists in
+	  # FreeBSD 2.2.6 and is fixed in FreeBSD 3.1.
+	  *-*-freebsd2*|*-*-freebsd3.0*|*-*-freebsdelf3.0*)
+	    pic_flag_for_symtable=" $pic_flag -DFREEBSD_WORKAROUND" ;;
+	  *-*-hpux*)
+	    pic_flag_for_symtable=" $pic_flag"  ;;
+	  *)
+	    if test "X$my_pic_p" != Xno; then
+	      pic_flag_for_symtable=" $pic_flag"
+	    fi
+	    ;;
+	  esac
+	  ;;
+	esac
+	symtab_cflags=
+	for arg in $LTCFLAGS; do
+	  case $arg in
+	  -pie | -fpie | -fPIE) ;;
+	  *) symtab_cflags="$symtab_cflags $arg" ;;
+	  esac
+	done
 
-	link_static=no # Whether the deplib will be linked statically
-	use_static_libs=$prefer_static_libs
-	if test "$use_static_libs" = built && test "$installed" = yes ; then
-	  use_static_libs=no
-	fi
-	if test -n "$library_names" &&
-	   { test "$use_static_libs" = no || test -z "$old_library"; }; then
-	  if test "$installed" = no; then
-	    notinst_deplibs="$notinst_deplibs $lib"
-	    need_relink=yes
-	  fi
-	  # This is a shared library
+	# Now compile the dynamic symbol file.
+	func_show_eval '(cd $output_objdir && $LTCC$symtab_cflags -c$no_builtin_flag$pic_flag_for_symtable "$my_dlsyms")' 'exit $?'
 
-	  # Warn about portability, can't link against -module's on
-	  # some systems (darwin)
-	  if test "$shouldnotlink" = yes && test "$pass" = link ; then
-	    $echo
-	    if test "$linkmode" = prog; then
-	      $echo "*** Warning: Linking the executable $output against the loadable module"
-	    else
-	      $echo "*** Warning: Linking the shared library $output against the loadable module"
-	    fi
-	    $echo "*** $linklib is not portable!"
-	  fi
-	  if test "$linkmode" = lib &&
-	     test "$hardcode_into_libs" = yes; then
-	    # Hardcode the library path.
-	    # Skip directories that are in the system default run-time
-	    # search path.
-	    case " $sys_lib_dlsearch_path " in
-	    *" $absdir "*) ;;
-	    *)
-	      case "$compile_rpath " in
-	      *" $absdir "*) ;;
-	      *) compile_rpath="$compile_rpath $absdir"
-	      esac
-	      ;;
-	    esac
-	    case " $sys_lib_dlsearch_path " in
-	    *" $libdir "*) ;;
-	    *)
-	      case "$finalize_rpath " in
-	      *" $libdir "*) ;;
-	      *) finalize_rpath="$finalize_rpath $libdir"
-	      esac
-	      ;;
-	    esac
+	# Clean up the generated files.
+	func_show_eval '$RM "$output_objdir/$my_dlsyms" "$nlist" "${nlist}S" "${nlist}T"'
+
+	# Transform the symbol file into the correct name.
+	symfileobj="$output_objdir/${my_outputname}S.$objext"
+	case $host in
+	*cygwin* | *mingw* )
+	  if test -f "$output_objdir/$my_outputname.def"; then
+	    compile_command=`$ECHO "X$compile_command" | $Xsed -e "s%@SYMFILE@%$output_objdir/$my_outputname.def $symfileobj%"`
+	    finalize_command=`$ECHO "X$finalize_command" | $Xsed -e "s%@SYMFILE@%$output_objdir/$my_outputname.def $symfileobj%"`
+	  else
+	    compile_command=`$ECHO "X$compile_command" | $Xsed -e "s%@SYMFILE@%$symfileobj%"`
+	    finalize_command=`$ECHO "X$finalize_command" | $Xsed -e "s%@SYMFILE@%$symfileobj%"`
 	  fi
+	  ;;
+	*)
+	  compile_command=`$ECHO "X$compile_command" | $Xsed -e "s%@SYMFILE@%$symfileobj%"`
+	  finalize_command=`$ECHO "X$finalize_command" | $Xsed -e "s%@SYMFILE@%$symfileobj%"`
+	  ;;
+	esac
+	;;
+      *)
+	func_fatal_error "unknown suffix for \`$my_dlsyms'"
+	;;
+      esac
+    else
+      # We keep going just in case the user didn't refer to
+      # lt_preloaded_symbols.  The linker will fail if global_symbol_pipe
+      # really was required.
 
-	  if test -n "$old_archive_from_expsyms_cmds"; then
-	    # figure out the soname
-	    set dummy $library_names
-	    realname="$2"
-	    shift; shift
-	    libname=`eval \\$echo \"$libname_spec\"`
-	    # use dlname if we got it. it's perfectly good, no?
-	    if test -n "$dlname"; then
-	      soname="$dlname"
-	    elif test -n "$soname_spec"; then
-	      # bleh windows
-	      case $host in
-	      *cygwin* | mingw*)
-		major=`expr $current - $age`
-		versuffix="-$major"
-		;;
-	      esac
-	      eval soname=\"$soname_spec\"
-	    else
-	      soname="$realname"
-	    fi
+      # Nullify the symbol file.
+      compile_command=`$ECHO "X$compile_command" | $Xsed -e "s% @SYMFILE@%%"`
+      finalize_command=`$ECHO "X$finalize_command" | $Xsed -e "s% @SYMFILE@%%"`
+    fi
+}
 
-	    # Make a new name for the extract_expsyms_cmds to use
-	    soroot="$soname"
-	    soname=`$echo $soroot | ${SED} -e 's/^.*\///'`
-	    newlib="libimp-`$echo $soname | ${SED} 's/^lib//;s/\.dll$//'`.a"
+# func_win32_libid arg
+# return the library type of file 'arg'
+#
+# Need a lot of goo to handle *both* DLLs and import libs
+# Has to be a shell function in order to 'eat' the argument
+# that is supplied when $file_magic_command is called.
+func_win32_libid ()
+{
+  $opt_debug
+  win32_libid_type="unknown"
+  win32_fileres=`file -L $1 2>/dev/null`
+  case $win32_fileres in
+  *ar\ archive\ import\ library*) # definitely import
+    win32_libid_type="x86 archive import"
+    ;;
+  *ar\ archive*) # could be an import, or static
+    if eval $OBJDUMP -f $1 | $SED -e '10q' 2>/dev/null |
+       $EGREP 'file format pe-i386(.*architecture: i386)?' >/dev/null ; then
+      win32_nmres=`eval $NM -f posix -A $1 |
+	$SED -n -e '
+	    1,100{
+		/ I /{
+		    s,.*,import,
+		    p
+		    q
+		}
+	    }'`
+      case $win32_nmres in
+      import*)  win32_libid_type="x86 archive import";;
+      *)        win32_libid_type="x86 archive static";;
+      esac
+    fi
+    ;;
+  *DLL*)
+    win32_libid_type="x86 DLL"
+    ;;
+  *executable*) # but shell scripts are "executable" too...
+    case $win32_fileres in
+    *MS\ Windows\ PE\ Intel*)
+      win32_libid_type="x86 DLL"
+      ;;
+    esac
+    ;;
+  esac
+  $ECHO "$win32_libid_type"
+}
 
-	    # If the library has no export list, then create one now
-	    if test -f "$output_objdir/$soname-def"; then :
-	    else
-	      $show "extracting exported symbol list from \`$soname'"
-	      save_ifs="$IFS"; IFS='~'
-	      cmds=$extract_expsyms_cmds
-	      for cmd in $cmds; do
-		IFS="$save_ifs"
-		eval cmd=\"$cmd\"
-		$show "$cmd"
-		$run eval "$cmd" || exit $?
-	      done
-	      IFS="$save_ifs"
-	    fi
 
-	    # Create $newlib
-	    if test -f "$output_objdir/$newlib"; then :; else
-	      $show "generating import library for \`$soname'"
-	      save_ifs="$IFS"; IFS='~'
-	      cmds=$old_archive_from_expsyms_cmds
-	      for cmd in $cmds; do
-		IFS="$save_ifs"
-		eval cmd=\"$cmd\"
-		$show "$cmd"
-		$run eval "$cmd" || exit $?
-	      done
-	      IFS="$save_ifs"
-	    fi
-	    # make sure the library variables are pointing to the new library
-	    dir=$output_objdir
-	    linklib=$newlib
-	  fi # test -n "$old_archive_from_expsyms_cmds"
 
-	  if test "$linkmode" = prog || test "$mode" != relink; then
-	    add_shlibpath=
-	    add_dir=
-	    add=
-	    lib_linked=yes
-	    case $hardcode_action in
-	    immediate | unsupported)
-	      if test "$hardcode_direct" = no; then
-		add="$dir/$linklib"
-		case $host in
-		  *-*-sco3.2v5.0.[024]*) add_dir="-L$dir" ;;
-		  *-*-sysv4*uw2*) add_dir="-L$dir" ;;
-		  *-*-sysv5OpenUNIX* | *-*-sysv5UnixWare7.[01].[10]* | \
-		    *-*-unixware7*) add_dir="-L$dir" ;;
-		  *-*-darwin* )
-		    # if the lib is a module then we can not link against
-		    # it, someone is ignoring the new warnings I added
-		    if /usr/bin/file -L $add 2> /dev/null |
-                      $EGREP ": [^:]* bundle" >/dev/null ; then
-		      $echo "** Warning, lib $linklib is a module, not a shared library"
-		      if test -z "$old_library" ; then
-		        $echo
-		        $echo "** And there doesn't seem to be a static archive available"
-		        $echo "** The link will probably fail, sorry"
-		      else
-		        add="$dir/$old_library"
-		      fi
-		    fi
-		esac
-	      elif test "$hardcode_minus_L" = no; then
-		case $host in
-		*-*-sunos*) add_shlibpath="$dir" ;;
-		esac
-		add_dir="-L$dir"
-		add="-l$name"
-	      elif test "$hardcode_shlibpath_var" = no; then
-		add_shlibpath="$dir"
-		add="-l$name"
-	      else
-		lib_linked=no
-	      fi
-	      ;;
-	    relink)
-	      if test "$hardcode_direct" = yes; then
-		add="$dir/$linklib"
-	      elif test "$hardcode_minus_L" = yes; then
-		add_dir="-L$dir"
-		# Try looking first in the location we're being installed to.
-		if test -n "$inst_prefix_dir"; then
-		  case $libdir in
-		    [\\/]*)
-		      add_dir="$add_dir -L$inst_prefix_dir$libdir"
-		      ;;
-		  esac
-		fi
-		add="-l$name"
-	      elif test "$hardcode_shlibpath_var" = yes; then
-		add_shlibpath="$dir"
-		add="-l$name"
-	      else
-		lib_linked=no
-	      fi
-	      ;;
-	    *) lib_linked=no ;;
-	    esac
+# func_extract_an_archive dir oldlib
+func_extract_an_archive ()
+{
+    $opt_debug
+    f_ex_an_ar_dir="$1"; shift
+    f_ex_an_ar_oldlib="$1"
+    func_show_eval "(cd \$f_ex_an_ar_dir && $AR x \"\$f_ex_an_ar_oldlib\")" 'exit $?'
+    if ($AR t "$f_ex_an_ar_oldlib" | sort | sort -uc >/dev/null 2>&1); then
+     :
+    else
+      func_fatal_error "object name conflicts in archive: $f_ex_an_ar_dir/$f_ex_an_ar_oldlib"
+    fi
+}
 
-	    if test "$lib_linked" != yes; then
-	      $echo "$modename: configuration error: unsupported hardcode properties"
-	      exit $EXIT_FAILURE
-	    fi
 
-	    if test -n "$add_shlibpath"; then
-	      case :$compile_shlibpath: in
-	      *":$add_shlibpath:"*) ;;
-	      *) compile_shlibpath="$compile_shlibpath$add_shlibpath:" ;;
-	      esac
-	    fi
-	    if test "$linkmode" = prog; then
-	      test -n "$add_dir" && compile_deplibs="$add_dir $compile_deplibs"
-	      test -n "$add" && compile_deplibs="$add $compile_deplibs"
-	    else
-	      test -n "$add_dir" && deplibs="$add_dir $deplibs"
-	      test -n "$add" && deplibs="$add $deplibs"
-	      if test "$hardcode_direct" != yes && \
-		 test "$hardcode_minus_L" != yes && \
-		 test "$hardcode_shlibpath_var" = yes; then
-		case :$finalize_shlibpath: in
-		*":$libdir:"*) ;;
-		*) finalize_shlibpath="$finalize_shlibpath$libdir:" ;;
-		esac
-	      fi
-	    fi
-	  fi
+# func_extract_archives gentop oldlib ...
+func_extract_archives ()
+{
+    $opt_debug
+    my_gentop="$1"; shift
+    my_oldlibs=${1+"$@"}
+    my_oldobjs=""
+    my_xlib=""
+    my_xabs=""
+    my_xdir=""
 
-	  if test "$linkmode" = prog || test "$mode" = relink; then
-	    add_shlibpath=
-	    add_dir=
-	    add=
-	    # Finalize command for both is simple: just hardcode it.
-	    if test "$hardcode_direct" = yes; then
-	      add="$libdir/$linklib"
-	    elif test "$hardcode_minus_L" = yes; then
-	      add_dir="-L$libdir"
-	      add="-l$name"
-	    elif test "$hardcode_shlibpath_var" = yes; then
-	      case :$finalize_shlibpath: in
-	      *":$libdir:"*) ;;
-	      *) finalize_shlibpath="$finalize_shlibpath$libdir:" ;;
-	      esac
-	      add="-l$name"
-	    elif test "$hardcode_automatic" = yes; then
-	      if test -n "$inst_prefix_dir" &&
-		 test -f "$inst_prefix_dir$libdir/$linklib" ; then
-	        add="$inst_prefix_dir$libdir/$linklib"
-	      else
-	        add="$libdir/$linklib"
-	      fi
-	    else
-	      # We cannot seem to hardcode it, guess we'll fake it.
-	      add_dir="-L$libdir"
-	      # Try looking first in the location we're being installed to.
-	      if test -n "$inst_prefix_dir"; then
-		case $libdir in
-		  [\\/]*)
-		    add_dir="$add_dir -L$inst_prefix_dir$libdir"
-		    ;;
-		esac
-	      fi
-	      add="-l$name"
-	    fi
+    for my_xlib in $my_oldlibs; do
+      # Extract the objects.
+      case $my_xlib in
+	[\\/]* | [A-Za-z]:[\\/]*) my_xabs="$my_xlib" ;;
+	*) my_xabs=`pwd`"/$my_xlib" ;;
+      esac
+      func_basename "$my_xlib"
+      my_xlib="$func_basename_result"
+      my_xlib_u=$my_xlib
+      while :; do
+        case " $extracted_archives " in
+	*" $my_xlib_u "*)
+	  func_arith $extracted_serial + 1
+	  extracted_serial=$func_arith_result
+	  my_xlib_u=lt$extracted_serial-$my_xlib ;;
+	*) break ;;
+	esac
+      done
+      extracted_archives="$extracted_archives $my_xlib_u"
+      my_xdir="$my_gentop/$my_xlib_u"
 
-	    if test "$linkmode" = prog; then
-	      test -n "$add_dir" && finalize_deplibs="$add_dir $finalize_deplibs"
-	      test -n "$add" && finalize_deplibs="$add $finalize_deplibs"
-	    else
-	      test -n "$add_dir" && deplibs="$add_dir $deplibs"
-	      test -n "$add" && deplibs="$add $deplibs"
-	    fi
-	  fi
-	elif test "$linkmode" = prog; then
-	  # Here we assume that one of hardcode_direct or hardcode_minus_L
-	  # is not unsupported.  This is valid on all known static and
-	  # shared platforms.
-	  if test "$hardcode_direct" != unsupported; then
-	    test -n "$old_library" && linklib="$old_library"
-	    compile_deplibs="$dir/$linklib $compile_deplibs"
-	    finalize_deplibs="$dir/$linklib $finalize_deplibs"
-	  else
-	    compile_deplibs="-l$name -L$dir $compile_deplibs"
-	    finalize_deplibs="-l$name -L$dir $finalize_deplibs"
-	  fi
-	elif test "$build_libtool_libs" = yes; then
-	  # Not a shared library
-	  if test "$deplibs_check_method" != pass_all; then
-	    # We're trying link a shared library against a static one
-	    # but the system doesn't support it.
+      func_mkdir_p "$my_xdir"
 
-	    # Just print a warning and add the library to dependency_libs so
-	    # that the program can be linked against the static library.
-	    $echo
-	    $echo "*** Warning: This system can not link to static lib archive $lib."
-	    $echo "*** I have the capability to make that library automatically link in when"
-	    $echo "*** you link to this library.  But I can only do this if you have a"
-	    $echo "*** shared version of the library, which you do not appear to have."
-	    if test "$module" = yes; then
-	      $echo "*** But as you try to build a module library, libtool will still create "
-	      $echo "*** a static module, that should work as long as the dlopening application"
-	      $echo "*** is linked with the -dlopen flag to resolve symbols at runtime."
-	      if test -z "$global_symbol_pipe"; then
-		$echo
-		$echo "*** However, this would only work if libtool was able to extract symbol"
-		$echo "*** lists from a program, using \`nm' or equivalent, but libtool could"
-		$echo "*** not find such a program.  So, this module is probably useless."
-		$echo "*** \`nm' from GNU binutils and a full rebuild may help."
-	      fi
-	      if test "$build_old_libs" = no; then
-		build_libtool_libs=module
-		build_old_libs=yes
-	      else
-		build_libtool_libs=no
-	      fi
-	    fi
+      case $host in
+      *-darwin*)
+	func_verbose "Extracting $my_xabs"
+	# Do not bother doing anything if just a dry run
+	$opt_dry_run || {
+	  darwin_orig_dir=`pwd`
+	  cd $my_xdir || exit $?
+	  darwin_archive=$my_xabs
+	  darwin_curdir=`pwd`
+	  darwin_base_archive=`basename "$darwin_archive"`
+	  darwin_arches=`$LIPO -info "$darwin_archive" 2>/dev/null | $GREP Architectures 2>/dev/null || true`
+	  if test -n "$darwin_arches"; then
+	    darwin_arches=`$ECHO "$darwin_arches" | $SED -e 's/.*are://'`
+	    darwin_arch=
+	    func_verbose "$darwin_base_archive has multiple architectures $darwin_arches"
+	    for darwin_arch in  $darwin_arches ; do
+	      func_mkdir_p "unfat-$$/${darwin_base_archive}-${darwin_arch}"
+	      $LIPO -thin $darwin_arch -output "unfat-$$/${darwin_base_archive}-${darwin_arch}/${darwin_base_archive}" "${darwin_archive}"
+	      cd "unfat-$$/${darwin_base_archive}-${darwin_arch}"
+	      func_extract_an_archive "`pwd`" "${darwin_base_archive}"
+	      cd "$darwin_curdir"
+	      $RM "unfat-$$/${darwin_base_archive}-${darwin_arch}/${darwin_base_archive}"
+	    done # $darwin_arches
+            ## Okay now we've a bunch of thin objects, gotta fatten them up :)
+	    darwin_filelist=`find unfat-$$ -type f -name \*.o -print -o -name \*.lo -print | $SED -e "$basename" | sort -u`
+	    darwin_file=
+	    darwin_files=
+	    for darwin_file in $darwin_filelist; do
+	      darwin_files=`find unfat-$$ -name $darwin_file -print | $NL2SP`
+	      $LIPO -create -output "$darwin_file" $darwin_files
+	    done # $darwin_filelist
+	    $RM -rf unfat-$$
+	    cd "$darwin_orig_dir"
 	  else
-	    deplibs="$dir/$old_library $deplibs"
-	    link_static=yes
-	  fi
-	fi # link shared/static library?
+	    cd $darwin_orig_dir
+	    func_extract_an_archive "$my_xdir" "$my_xabs"
+	  fi # $darwin_arches
+	} # !$opt_dry_run
+	;;
+      *)
+        func_extract_an_archive "$my_xdir" "$my_xabs"
+	;;
+      esac
+      my_oldobjs="$my_oldobjs "`find $my_xdir -name \*.$objext -print -o -name \*.lo -print | $NL2SP`
+    done
 
-	if test "$linkmode" = lib; then
-	  if test -n "$dependency_libs" &&
-	     { test "$hardcode_into_libs" != yes ||
-	       test "$build_old_libs" = yes ||
-	       test "$link_static" = yes; }; then
-	    # Extract -R from dependency_libs
-	    temp_deplibs=
-	    for libdir in $dependency_libs; do
-	      case $libdir in
-	      -R*) temp_xrpath=`$echo "X$libdir" | $Xsed -e 's/^-R//'`
-		   case " $xrpath " in
-		   *" $temp_xrpath "*) ;;
-		   *) xrpath="$xrpath $temp_xrpath";;
-		   esac;;
-	      *) temp_deplibs="$temp_deplibs $libdir";;
-	      esac
-	    done
-	    dependency_libs="$temp_deplibs"
-	  fi
+    func_extract_archives_result="$my_oldobjs"
+}
 
-	  newlib_search_path="$newlib_search_path $absdir"
-	  # Link against this library
-	  test "$link_static" = no && newdependency_libs="$abs_ladir/$laname $newdependency_libs"
-	  # ... and its dependency_libs
-	  tmp_libs=
-	  for deplib in $dependency_libs; do
-	    newdependency_libs="$deplib $newdependency_libs"
-	    if test "X$duplicate_deps" = "Xyes" ; then
-	      case "$tmp_libs " in
-	      *" $deplib "*) specialdeplibs="$specialdeplibs $deplib" ;;
-	      esac
-	    fi
-	    tmp_libs="$tmp_libs $deplib"
-	  done
 
-	  if test "$link_all_deplibs" != no; then
-	    # Add the search paths of all dependency libraries
-	    for deplib in $dependency_libs; do
-	      case $deplib in
-	      -L*) path="$deplib" ;;
-	      *.la)
-		dir=`$echo "X$deplib" | $Xsed -e 's%/[^/]*$%%'`
-		test "X$dir" = "X$deplib" && dir="."
-		# We need an absolute path.
-		case $dir in
-		[\\/]* | [A-Za-z]:[\\/]*) absdir="$dir" ;;
-		*)
-		  absdir=`cd "$dir" && pwd`
-		  if test -z "$absdir"; then
-		    $echo "$modename: warning: cannot determine absolute directory name of \`$dir'" 1>&2
-		    absdir="$dir"
-		  fi
-		  ;;
-		esac
-		if grep "^installed=no" $deplib > /dev/null; then
-		  path="$absdir/$objdir"
-		else
-		  eval libdir=`${SED} -n -e 's/^libdir=\(.*\)$/\1/p' $deplib`
-		  if test -z "$libdir"; then
-		    $echo "$modename: \`$deplib' is not a valid libtool archive" 1>&2
-		    exit $EXIT_FAILURE
-		  fi
-		  if test "$absdir" != "$libdir"; then
-		    $echo "$modename: warning: \`$deplib' seems to be moved" 1>&2
-		  fi
-		  path="$absdir"
-		fi
-		depdepl=
-		case $host in
-		*-*-darwin*)
-		  # we do not want to link against static libs,
-		  # but need to link against shared
-		  eval deplibrary_names=`${SED} -n -e 's/^library_names=\(.*\)$/\1/p' $deplib`
-		  eval deplibdir=`${SED} -n -e 's/^libdir=\(.*\)$/\1/p' $deplib`
-		  if test -n "$deplibrary_names" ; then
-		    for tmp in $deplibrary_names ; do
-		      depdepl=$tmp
-		    done
-		    if test -f "$deplibdir/$depdepl" ; then
-		      depdepl="$deplibdir/$depdepl"
-	      	    elif test -f "$path/$depdepl" ; then
-		      depdepl="$path/$depdepl"
-		    else
-		      # Can't find it, oh well...
-		      depdepl=
-		    fi
-		    # do not add paths which are already there
-		    case " $newlib_search_path " in
-		    *" $path "*) ;;
-		    *) newlib_search_path="$newlib_search_path $path";;
-		    esac
-		  fi
-		  path=""
-		  ;;
-		*)
-		  path="-L$path"
-		  ;;
-		esac
-		;;
-	      -l*)
-		case $host in
-		*-*-darwin*)
-		  # Again, we only want to link against shared libraries
-		  eval tmp_libs=`$echo "X$deplib" | $Xsed -e "s,^\-l,,"`
-		  for tmp in $newlib_search_path ; do
-		    if test -f "$tmp/lib$tmp_libs.dylib" ; then
-		      eval depdepl="$tmp/lib$tmp_libs.dylib"
-		      break
-		    fi
-		  done
-		  path=""
-		  ;;
-		*) continue ;;
-		esac
-		;;
-	      *) continue ;;
-	      esac
-	      case " $deplibs " in
-	      *" $path "*) ;;
-	      *) deplibs="$path $deplibs" ;;
-	      esac
-	      case " $deplibs " in
-	      *" $depdepl "*) ;;
-	      *) deplibs="$depdepl $deplibs" ;;
-	      esac
-	    done
-	  fi # link_all_deplibs != no
-	fi # linkmode = lib
-      done # for deplib in $libs
-      dependency_libs="$newdependency_libs"
-      if test "$pass" = dlpreopen; then
-	# Link the dlpreopened libraries before other libraries
-	for deplib in $save_deplibs; do
-	  deplibs="$deplib $deplibs"
-	done
-      fi
-      if test "$pass" != dlopen; then
-	if test "$pass" != conv; then
-	  # Make sure lib_search_path contains only unique directories.
-	  lib_search_path=
-	  for dir in $newlib_search_path; do
-	    case "$lib_search_path " in
-	    *" $dir "*) ;;
-	    *) lib_search_path="$lib_search_path $dir" ;;
-	    esac
-	  done
-	  newlib_search_path=
-	fi
 
-	if test "$linkmode,$pass" != "prog,link"; then
-	  vars="deplibs"
-	else
-	  vars="compile_deplibs finalize_deplibs"
+# func_emit_wrapper arg
+#
+# emit a libtool wrapper script on stdout
+# don't directly open a file because we may want to
+# incorporate the script contents within a cygwin/mingw
+# wrapper executable.  Must ONLY be called from within
+# func_mode_link because it depends on a number of variable
+# set therein.
+#
+# arg is the value that the WRAPPER_SCRIPT_BELONGS_IN_OBJDIR
+# variable will take.  If 'yes', then the emitted script
+# will assume that the directory in which it is stored is
+# the '.lib' directory.  This is a cygwin/mingw-specific
+# behavior.
+func_emit_wrapper ()
+{
+	func_emit_wrapper_arg1=no
+	if test -n "$1" ; then
+	  func_emit_wrapper_arg1=$1
 	fi
-	for var in $vars dependency_libs; do
-	  # Add libraries to $var in reverse order
-	  eval tmp_libs=\"\$$var\"
-	  new_libs=
-	  for deplib in $tmp_libs; do
-	    # FIXME: Pedantically, this is the right thing to do, so
-	    #        that some nasty dependency loop isn't accidentally
-	    #        broken:
-	    #new_libs="$deplib $new_libs"
-	    # Pragmatically, this seems to cause very few problems in
-	    # practice:
-	    case $deplib in
-	    -L*) new_libs="$deplib $new_libs" ;;
-	    -R*) ;;
-	    *)
-	      # And here is the reason: when a library appears more
-	      # than once as an explicit dependence of a library, or
-	      # is implicitly linked in more than once by the
-	      # compiler, it is considered special, and multiple
-	      # occurrences thereof are not removed.  Compare this
-	      # with having the same library being listed as a
-	      # dependency of multiple other libraries: in this case,
-	      # we know (pedantically, we assume) the library does not
-	      # need to be listed more than once, so we keep only the
-	      # last copy.  This is not always right, but it is rare
-	      # enough that we require users that really mean to play
-	      # such unportable linking tricks to link the library
-	      # using -Wl,-lname, so that libtool does not consider it
-	      # for duplicate removal.
-	      case " $specialdeplibs " in
-	      *" $deplib "*) new_libs="$deplib $new_libs" ;;
-	      *)
-		case " $new_libs " in
-		*" $deplib "*) ;;
-		*) new_libs="$deplib $new_libs" ;;
-		esac
-		;;
-	      esac
-	      ;;
-	    esac
-	  done
-	  tmp_libs=
-	  for deplib in $new_libs; do
-	    case $deplib in
-	    -L*)
-	      case " $tmp_libs " in
-	      *" $deplib "*) ;;
-	      *) tmp_libs="$tmp_libs $deplib" ;;
-	      esac
-	      ;;
-	    *) tmp_libs="$tmp_libs $deplib" ;;
-	    esac
-	  done
-	  eval $var=\"$tmp_libs\"
-	done # for var
-      fi
-      # Last step: remove runtime libs from dependency_libs
-      # (they stay in deplibs)
-      tmp_libs=
-      for i in $dependency_libs ; do
-	case " $predeps $postdeps $compiler_lib_search_path " in
-	*" $i "*)
-	  i=""
-	  ;;
-	esac
-	if test -n "$i" ; then
-	  tmp_libs="$tmp_libs $i"
-	fi
-      done
-      dependency_libs=$tmp_libs
-    done # for pass
-    if test "$linkmode" = prog; then
-      dlfiles="$newdlfiles"
-      dlprefiles="$newdlprefiles"
+
+	$ECHO "\
+#! $SHELL
+
+# $output - temporary wrapper script for $objdir/$outputname
+# Generated by $PROGRAM (GNU $PACKAGE$TIMESTAMP) $VERSION
+#
+# The $output program cannot be directly executed until all the libtool
+# libraries that it depends on are installed.
+#
+# This wrapper script should never be moved out of the build directory.
+# If it is, it will not operate correctly.
+
+# Sed substitution that helps us do robust quoting.  It backslashifies
+# metacharacters that are still active within double-quoted strings.
+Xsed='${SED} -e 1s/^X//'
+sed_quote_subst='$sed_quote_subst'
+
+# Be Bourne compatible
+if test -n \"\${ZSH_VERSION+set}\" && (emulate sh) >/dev/null 2>&1; then
+  emulate sh
+  NULLCMD=:
+  # Zsh 3.x and 4.x performs word splitting on \${1+\"\$@\"}, which
+  # is contrary to our usage.  Disable this feature.
+  alias -g '\${1+\"\$@\"}'='\"\$@\"'
+  setopt NO_GLOB_SUBST
+else
+  case \`(set -o) 2>/dev/null\` in *posix*) set -o posix;; esac
+fi
+BIN_SH=xpg4; export BIN_SH # for Tru64
+DUALCASE=1; export DUALCASE # for MKS sh
+
+# The HP-UX ksh and POSIX shell print the target directory to stdout
+# if CDPATH is set.
+(unset CDPATH) >/dev/null 2>&1 && unset CDPATH
+
+relink_command=\"$relink_command\"
+
+# This environment variable determines our operation mode.
+if test \"\$libtool_install_magic\" = \"$magic\"; then
+  # install mode needs the following variables:
+  generated_by_libtool_version='$macro_version'
+  notinst_deplibs='$notinst_deplibs'
+else
+  # When we are sourced in execute mode, \$file and \$ECHO are already set.
+  if test \"\$libtool_execute_magic\" != \"$magic\"; then
+    ECHO=\"$qecho\"
+    file=\"\$0\"
+    # Make sure echo works.
+    if test \"X\$1\" = X--no-reexec; then
+      # Discard the --no-reexec flag, and continue.
+      shift
+    elif test \"X\`{ \$ECHO '\t'; } 2>/dev/null\`\" = 'X\t'; then
+      # Yippee, \$ECHO works!
+      :
+    else
+      # Restart under the correct shell, and then maybe \$ECHO will work.
+      exec $SHELL \"\$0\" --no-reexec \${1+\"\$@\"}
     fi
+  fi\
+"
+	$ECHO "\
 
-    case $linkmode in
-    oldlib)
-      case " $deplibs" in
-      *\ -l* | *\ -L*)
-	$echo "$modename: warning: \`-l' and \`-L' are ignored for archives" 1>&2 ;;
+  # Find the directory that this script lives in.
+  thisdir=\`\$ECHO \"X\$file\" | \$Xsed -e 's%/[^/]*$%%'\`
+  test \"x\$thisdir\" = \"x\$file\" && thisdir=.
+
+  # Follow symbolic links until we get to the real thisdir.
+  file=\`ls -ld \"\$file\" | ${SED} -n 's/.*-> //p'\`
+  while test -n \"\$file\"; do
+    destdir=\`\$ECHO \"X\$file\" | \$Xsed -e 's%/[^/]*\$%%'\`
+
+    # If there was a directory component, then change thisdir.
+    if test \"x\$destdir\" != \"x\$file\"; then
+      case \"\$destdir\" in
+      [\\\\/]* | [A-Za-z]:[\\\\/]*) thisdir=\"\$destdir\" ;;
+      *) thisdir=\"\$thisdir/\$destdir\" ;;
       esac
+    fi
 
-      if test -n "$dlfiles$dlprefiles" || test "$dlself" != no; then
-	$echo "$modename: warning: \`-dlopen' is ignored for archives" 1>&2
-      fi
+    file=\`\$ECHO \"X\$file\" | \$Xsed -e 's%^.*/%%'\`
+    file=\`ls -ld \"\$thisdir/\$file\" | ${SED} -n 's/.*-> //p'\`
+  done
 
-      if test -n "$rpath"; then
-	$echo "$modename: warning: \`-rpath' is ignored for archives" 1>&2
-      fi
+  # Usually 'no', except on cygwin/mingw when embedded into
+  # the cwrapper.
+  WRAPPER_SCRIPT_BELONGS_IN_OBJDIR=$func_emit_wrapper_arg1
+  if test \"\$WRAPPER_SCRIPT_BELONGS_IN_OBJDIR\" = \"yes\"; then
+    # special case for '.'
+    if test \"\$thisdir\" = \".\"; then
+      thisdir=\`pwd\`
+    fi
+    # remove .libs from thisdir
+    case \"\$thisdir\" in
+    *[\\\\/]$objdir ) thisdir=\`\$ECHO \"X\$thisdir\" | \$Xsed -e 's%[\\\\/][^\\\\/]*$%%'\` ;;
+    $objdir )   thisdir=. ;;
+    esac
+  fi
 
-      if test -n "$xrpath"; then
-	$echo "$modename: warning: \`-R' is ignored for archives" 1>&2
-      fi
+  # Try to get the absolute directory name.
+  absdir=\`cd \"\$thisdir\" && pwd\`
+  test -n \"\$absdir\" && thisdir=\"\$absdir\"
+"
 
-      if test -n "$vinfo"; then
-	$echo "$modename: warning: \`-version-info/-version-number' is ignored for archives" 1>&2
-      fi
+	if test "$fast_install" = yes; then
+	  $ECHO "\
+  program=lt-'$outputname'$exeext
+  progdir=\"\$thisdir/$objdir\"
 
-      if test -n "$release"; then
-	$echo "$modename: warning: \`-release' is ignored for archives" 1>&2
-      fi
+  if test ! -f \"\$progdir/\$program\" ||
+     { file=\`ls -1dt \"\$progdir/\$program\" \"\$progdir/../\$program\" 2>/dev/null | ${SED} 1q\`; \\
+       test \"X\$file\" != \"X\$progdir/\$program\"; }; then
 
-      if test -n "$export_symbols" || test -n "$export_symbols_regex"; then
-	$echo "$modename: warning: \`-export-symbols' is ignored for archives" 1>&2
-      fi
+    file=\"\$\$-\$program\"
 
-      # Now set the variables for building old libraries.
-      build_libtool_libs=no
-      oldlibs="$output"
-      objs="$objs$old_deplibs"
-      ;;
+    if test ! -d \"\$progdir\"; then
+      $MKDIR \"\$progdir\"
+    else
+      $RM \"\$progdir/\$file\"
+    fi"
 
-    lib)
-      # Make sure we only generate libraries of the form `libNAME.la'.
-      case $outputname in
-      lib*)
-	name=`$echo "X$outputname" | $Xsed -e 's/\.la$//' -e 's/^lib//'`
-	eval shared_ext=\"$shrext_cmds\"
-	eval libname=\"$libname_spec\"
-	;;
-      *)
-	if test "$module" = no; then
-	  $echo "$modename: libtool library \`$output' must begin with \`lib'" 1>&2
-	  $echo "$help" 1>&2
-	  exit $EXIT_FAILURE
-	fi
-	if test "$need_lib_prefix" != no; then
-	  # Add the "lib" prefix for modules if required
-	  name=`$echo "X$outputname" | $Xsed -e 's/\.la$//'`
-	  eval shared_ext=\"$shrext_cmds\"
-	  eval libname=\"$libname_spec\"
-	else
-	  libname=`$echo "X$outputname" | $Xsed -e 's/\.la$//'`
-	fi
-	;;
-      esac
+	  $ECHO "\
 
-      if test -n "$objs"; then
-	if test "$deplibs_check_method" != pass_all; then
-	  $echo "$modename: cannot build libtool library \`$output' from non-libtool objects on this host:$objs" 2>&1
-	  exit $EXIT_FAILURE
+    # relink executable if necessary
+    if test -n \"\$relink_command\"; then
+      if relink_command_output=\`eval \$relink_command 2>&1\`; then :
+      else
+	$ECHO \"\$relink_command_output\" >&2
+	$RM \"\$progdir/\$file\"
+	exit 1
+      fi
+    fi
+
+    $MV \"\$progdir/\$file\" \"\$progdir/\$program\" 2>/dev/null ||
+    { $RM \"\$progdir/\$program\";
+      $MV \"\$progdir/\$file\" \"\$progdir/\$program\"; }
+    $RM \"\$progdir/\$file\"
+  fi"
 	else
-	  $echo
-	  $echo "*** Warning: Linking the shared library $output against the non-libtool"
-	  $echo "*** objects $objs is not portable!"
-	  libobjs="$libobjs $objs"
+	  $ECHO "\
+  program='$outputname'
+  progdir=\"\$thisdir/$objdir\"
+"
 	fi
-      fi
 
-      if test "$dlself" != no; then
-	$echo "$modename: warning: \`-dlopen self' is ignored for libtool libraries" 1>&2
-      fi
+	$ECHO "\
 
-      set dummy $rpath
-      if test "$#" -gt 2; then
-	$echo "$modename: warning: ignoring multiple \`-rpath's for a libtool library" 1>&2
-      fi
-      install_libdir="$2"
+  if test -f \"\$progdir/\$program\"; then"
 
-      oldlibs=
-      if test -z "$rpath"; then
-	if test "$build_libtool_libs" = yes; then
-	  # Building a libtool convenience library.
-	  # Some compilers have problems with a `.al' extension so
-	  # convenience libraries should have the same extension an
-	  # archive normally would.
-	  oldlibs="$output_objdir/$libname.$libext $oldlibs"
-	  build_libtool_libs=convenience
-	  build_old_libs=yes
-	fi
+	# Export our shlibpath_var if we have one.
+	if test "$shlibpath_overrides_runpath" = yes && test -n "$shlibpath_var" && test -n "$temp_rpath"; then
+	  $ECHO "\
+    # Add our own library path to $shlibpath_var
+    $shlibpath_var=\"$temp_rpath\$$shlibpath_var\"
 
-	if test -n "$vinfo"; then
-	  $echo "$modename: warning: \`-version-info/-version-number' is ignored for convenience libraries" 1>&2
-	fi
+    # Some systems cannot cope with colon-terminated $shlibpath_var
+    # The second colon is a workaround for a bug in BeOS R4 sed
+    $shlibpath_var=\`\$ECHO \"X\$$shlibpath_var\" | \$Xsed -e 's/::*\$//'\`
 
-	if test -n "$release"; then
-	  $echo "$modename: warning: \`-release' is ignored for convenience libraries" 1>&2
+    export $shlibpath_var
+"
 	fi
-      else
-
-	# Parse the version information argument.
-	save_ifs="$IFS"; IFS=':'
-	set dummy $vinfo 0 0 0
-	IFS="$save_ifs"
 
-	if test -n "$8"; then
-	  $echo "$modename: too many parameters to \`-version-info'" 1>&2
-	  $echo "$help" 1>&2
-	  exit $EXIT_FAILURE
+	# fixup the dll searchpath if we need to.
+	if test -n "$dllsearchpath"; then
+	  $ECHO "\
+    # Add the dll search path components to the executable PATH
+    PATH=$dllsearchpath:\$PATH
+"
 	fi
 
-	# convert absolute version numbers to libtool ages
-	# this retains compatibility with .la files and attempts
-	# to make the code below a bit more comprehensible
+	$ECHO "\
+    if test \"\$libtool_execute_magic\" != \"$magic\"; then
+      # Run the actual program with our arguments.
+"
+	case $host in
+	# Backslashes separate directories on plain windows
+	*-*-mingw | *-*-os2*)
+	  $ECHO "\
+      exec \"\$progdir\\\\\$program\" \${1+\"\$@\"}
+"
+	  ;;
 
-	case $vinfo_number in
-	yes)
-	  number_major="$2"
-	  number_minor="$3"
-	  number_revision="$4"
-	  #
-	  # There are really only two kinds -- those that
-	  # use the current revision as the major version
-	  # and those that subtract age and use age as
-	  # a minor version.  But, then there is irix
-	  # which has an extra 1 added just for fun
-	  #
-	  case $version_type in
-	  darwin|linux|osf|windows|none)
-	    current=`expr $number_major + $number_minor`
-	    age="$number_minor"
-	    revision="$number_revision"
-	    ;;
-	  freebsd-aout|freebsd-elf|sunos)
-	    current="$number_major"
-	    revision="$number_minor"
-	    age="0"
-	    ;;
-	  irix|nonstopux)
-	    current=`expr $number_major + $number_minor`
-	    age="$number_minor"
-	    revision="$number_minor"
-	    lt_irix_increment=no
-	    ;;
-	  *)
-	    $echo "$modename: unknown library version type \`$version_type'" 1>&2
-	    $echo "Fatal configuration error.  See the $PACKAGE docs for more information." 1>&2
-	    exit $EXIT_FAILURE
-	    ;;
-	  esac
-	  ;;
-	no)
-	  current="$2"
-	  revision="$3"
-	  age="$4"
-	  ;;
-	esac
-
-	# Check that each of the things are valid numbers.
-	case $current in
-	0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-9][0-9][0-9][0-9]|[1-9][0-9][0-9][0-9][0-9]) ;;
 	*)
-	  $echo "$modename: CURRENT \`$current' must be a nonnegative integer" 1>&2
-	  $echo "$modename: \`$vinfo' is not valid version information" 1>&2
-	  exit $EXIT_FAILURE
+	  $ECHO "\
+      exec \"\$progdir/\$program\" \${1+\"\$@\"}
+"
 	  ;;
 	esac
+	$ECHO "\
+      \$ECHO \"\$0: cannot exec \$program \$*\" 1>&2
+      exit 1
+    fi
+  else
+    # The program doesn't exist.
+    \$ECHO \"\$0: error: \\\`\$progdir/\$program' does not exist\" 1>&2
+    \$ECHO \"This script is just a wrapper for \$program.\" 1>&2
+    $ECHO \"See the $PACKAGE documentation for more information.\" 1>&2
+    exit 1
+  fi
+fi\
+"
+}
+# end: func_emit_wrapper
 
-	case $revision in
-	0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-9][0-9][0-9][0-9]|[1-9][0-9][0-9][0-9][0-9]) ;;
-	*)
-	  $echo "$modename: REVISION \`$revision' must be a nonnegative integer" 1>&2
-	  $echo "$modename: \`$vinfo' is not valid version information" 1>&2
-	  exit $EXIT_FAILURE
-	  ;;
-	esac
+# func_emit_cwrapperexe_src
+# emit the source code for a wrapper executable on stdout
+# Must ONLY be called from within func_mode_link because
+# it depends on a number of variable set therein.
+func_emit_cwrapperexe_src ()
+{
+	cat <<EOF
 
-	case $age in
-	0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-9][0-9][0-9][0-9]|[1-9][0-9][0-9][0-9][0-9]) ;;
-	*)
-	  $echo "$modename: AGE \`$age' must be a nonnegative integer" 1>&2
-	  $echo "$modename: \`$vinfo' is not valid version information" 1>&2
-	  exit $EXIT_FAILURE
-	  ;;
-	esac
+/* $cwrappersource - temporary wrapper executable for $objdir/$outputname
+   Generated by $PROGRAM (GNU $PACKAGE$TIMESTAMP) $VERSION
 
-	if test "$age" -gt "$current"; then
-	  $echo "$modename: AGE \`$age' is greater than the current interface number \`$current'" 1>&2
-	  $echo "$modename: \`$vinfo' is not valid version information" 1>&2
-	  exit $EXIT_FAILURE
-	fi
+   The $output program cannot be directly executed until all the libtool
+   libraries that it depends on are installed.
 
-	# Calculate the version variables.
-	major=
-	versuffix=
-	verstring=
-	case $version_type in
-	none) ;;
+   This wrapper executable should never be moved out of the build directory.
+   If it is, it will not operate correctly.
 
-	darwin)
-	  # Like Linux, but with the current version available in
-	  # verstring for coding it into the library header
-	  major=.`expr $current - $age`
-	  versuffix="$major.$age.$revision"
-	  # Darwin ld doesn't like 0 for these options...
-	  minor_current=`expr $current + 1`
-	  xlcverstring="${wl}-compatibility_version ${wl}$minor_current ${wl}-current_version ${wl}$minor_current.$revision"
-	  verstring="-compatibility_version $minor_current -current_version $minor_current.$revision"
-	  ;;
+   Currently, it simply execs the wrapper *script* "$SHELL $output",
+   but could eventually absorb all of the scripts functionality and
+   exec $objdir/$outputname directly.
+*/
+EOF
+	    cat <<"EOF"
+#include <stdio.h>
+#include <stdlib.h>
+#ifdef _MSC_VER
+# include <direct.h>
+# include <process.h>
+# include <io.h>
+# define setmode _setmode
+#else
+# include <unistd.h>
+# include <stdint.h>
+# ifdef __CYGWIN__
+#  include <io.h>
+# endif
+#endif
+#include <malloc.h>
+#include <stdarg.h>
+#include <assert.h>
+#include <string.h>
+#include <ctype.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <sys/stat.h>
 
-	freebsd-aout)
-	  major=".$current"
-	  versuffix=".$current.$revision";
-	  ;;
+#if defined(PATH_MAX)
+# define LT_PATHMAX PATH_MAX
+#elif defined(MAXPATHLEN)
+# define LT_PATHMAX MAXPATHLEN
+#else
+# define LT_PATHMAX 1024
+#endif
 
-	freebsd-elf)
-	  major=".$current"
-	  versuffix=".$current";
-	  ;;
+#ifndef S_IXOTH
+# define S_IXOTH 0
+#endif
+#ifndef S_IXGRP
+# define S_IXGRP 0
+#endif
 
-	irix | nonstopux)
-	  if test "X$lt_irix_increment" = "Xno"; then
-	    major=`expr $current - $age`
-	  else
-	    major=`expr $current - $age + 1`
-	  fi
-	  case $version_type in
-	    nonstopux) verstring_prefix=nonstopux ;;
-	    *)         verstring_prefix=sgi ;;
-	  esac
-	  verstring="$verstring_prefix$major.$revision"
+#ifdef _MSC_VER
+# define S_IXUSR _S_IEXEC
+# define stat _stat
+# ifndef _INTPTR_T_DEFINED
+#  define intptr_t int
+# endif
+#endif
 
-	  # Add in all the interfaces that we are compatible with.
-	  loop=$revision
-	  while test "$loop" -ne 0; do
-	    iface=`expr $revision - $loop`
-	    loop=`expr $loop - 1`
-	    verstring="$verstring_prefix$major.$iface:$verstring"
-	  done
+#ifndef DIR_SEPARATOR
+# define DIR_SEPARATOR '/'
+# define PATH_SEPARATOR ':'
+#endif
 
-	  # Before this point, $major must not contain `.'.
-	  major=.$major
-	  versuffix="$major.$revision"
-	  ;;
+#if defined (_WIN32) || defined (__MSDOS__) || defined (__DJGPP__) || \
+  defined (__OS2__)
+# define HAVE_DOS_BASED_FILE_SYSTEM
+# define FOPEN_WB "wb"
+# ifndef DIR_SEPARATOR_2
+#  define DIR_SEPARATOR_2 '\\'
+# endif
+# ifndef PATH_SEPARATOR_2
+#  define PATH_SEPARATOR_2 ';'
+# endif
+#endif
 
-	linux)
-	  major=.`expr $current - $age`
-	  versuffix="$major.$age.$revision"
-	  ;;
+#ifndef DIR_SEPARATOR_2
+# define IS_DIR_SEPARATOR(ch) ((ch) == DIR_SEPARATOR)
+#else /* DIR_SEPARATOR_2 */
+# define IS_DIR_SEPARATOR(ch) \
+	(((ch) == DIR_SEPARATOR) || ((ch) == DIR_SEPARATOR_2))
+#endif /* DIR_SEPARATOR_2 */
 
-	osf)
-	  major=.`expr $current - $age`
-	  versuffix=".$current.$age.$revision"
-	  verstring="$current.$age.$revision"
+#ifndef PATH_SEPARATOR_2
+# define IS_PATH_SEPARATOR(ch) ((ch) == PATH_SEPARATOR)
+#else /* PATH_SEPARATOR_2 */
+# define IS_PATH_SEPARATOR(ch) ((ch) == PATH_SEPARATOR_2)
+#endif /* PATH_SEPARATOR_2 */
 
-	  # Add in all the interfaces that we are compatible with.
-	  loop=$age
-	  while test "$loop" -ne 0; do
-	    iface=`expr $current - $loop`
-	    loop=`expr $loop - 1`
-	    verstring="$verstring:${iface}.0"
-	  done
+#ifdef __CYGWIN__
+# define FOPEN_WB "wb"
+#endif
 
-	  # Make executables depend on our current version.
-	  verstring="$verstring:${current}.0"
-	  ;;
+#ifndef FOPEN_WB
+# define FOPEN_WB "w"
+#endif
+#ifndef _O_BINARY
+# define _O_BINARY 0
+#endif
 
-	sunos)
-	  major=".$current"
-	  versuffix=".$current.$revision"
-	  ;;
+#define XMALLOC(type, num)      ((type *) xmalloc ((num) * sizeof(type)))
+#define XFREE(stale) do { \
+  if (stale) { free ((void *) stale); stale = 0; } \
+} while (0)
 
-	windows)
-	  # Use '-' rather than '.', since we only want one
-	  # extension on DOS 8.3 filesystems.
-	  major=`expr $current - $age`
-	  versuffix="-$major"
-	  ;;
+#undef LTWRAPPER_DEBUGPRINTF
+#if defined DEBUGWRAPPER
+# define LTWRAPPER_DEBUGPRINTF(args) ltwrapper_debugprintf args
+static void
+ltwrapper_debugprintf (const char *fmt, ...)
+{
+    va_list args;
+    va_start (args, fmt);
+    (void) vfprintf (stderr, fmt, args);
+    va_end (args);
+}
+#else
+# define LTWRAPPER_DEBUGPRINTF(args)
+#endif
 
-	*)
-	  $echo "$modename: unknown library version type \`$version_type'" 1>&2
-	  $echo "Fatal configuration error.  See the $PACKAGE docs for more information." 1>&2
-	  exit $EXIT_FAILURE
-	  ;;
-	esac
+const char *program_name = NULL;
 
-	# Clear the version info if we defaulted, and they specified a release.
-	if test -z "$vinfo" && test -n "$release"; then
-	  major=
-	  case $version_type in
-	  darwin)
-	    # we can't check for "0.0" in archive_cmds due to quoting
-	    # problems, so we reset it completely
-	    verstring=
-	    ;;
-	  *)
-	    verstring="0.0"
-	    ;;
-	  esac
-	  if test "$need_version" = no; then
-	    versuffix=
-	  else
-	    versuffix=".0.0"
-	  fi
-	fi
+void *xmalloc (size_t num);
+char *xstrdup (const char *string);
+const char *base_name (const char *name);
+char *find_executable (const char *wrapper);
+char *chase_symlinks (const char *pathspec);
+int make_executable (const char *path);
+int check_executable (const char *path);
+char *strendzap (char *str, const char *pat);
+void lt_fatal (const char *message, ...);
 
-	# Remove version info from name if versioning should be avoided
-	if test "$avoid_version" = yes && test "$need_version" = no; then
-	  major=
-	  versuffix=
-	  verstring=""
-	fi
+static const char *script_text =
+EOF
 
-	# Check to see if the archive will have undefined symbols.
-	if test "$allow_undefined" = yes; then
-	  if test "$allow_undefined_flag" = unsupported; then
-	    $echo "$modename: warning: undefined symbols not allowed in $host shared libraries" 1>&2
-	    build_libtool_libs=no
-	    build_old_libs=yes
-	  fi
-	else
-	  # Don't allow undefined symbols.
-	  allow_undefined_flag="$no_undefined_flag"
-	fi
-      fi
+	    func_emit_wrapper yes |
+	        $SED -e 's/\([\\"]\)/\\\1/g' \
+	             -e 's/^/  "/' -e 's/$/\\n"/'
+	    echo ";"
 
-      if test "$mode" != relink; then
-	# Remove our outputs, but don't remove object files since they
-	# may have been created when compiling PIC objects.
-	removelist=
-	tempremovelist=`$echo "$output_objdir/*"`
-	for p in $tempremovelist; do
-	  case $p in
-	    *.$objext)
-	       ;;
-	    $output_objdir/$outputname | $output_objdir/$libname.* | $output_objdir/${libname}${release}.*)
-	       if test "X$precious_files_regex" != "X"; then
-	         if echo $p | $EGREP -e "$precious_files_regex" >/dev/null 2>&1
-	         then
-		   continue
-		 fi
-	       fi
-	       removelist="$removelist $p"
-	       ;;
-	    *) ;;
-	  esac
-	done
-	if test -n "$removelist"; then
-	  $show "${rm}r $removelist"
-	  $run ${rm}r $removelist
-	fi
-      fi
+	    cat <<EOF
+const char * MAGIC_EXE = "$magic_exe";
 
-      # Now set the variables for building old libraries.
-      if test "$build_old_libs" = yes && test "$build_libtool_libs" != convenience ; then
-	oldlibs="$oldlibs $output_objdir/$libname.$libext"
+int
+main (int argc, char *argv[])
+{
+  char **newargz;
+  char *tmp_pathspec;
+  char *actual_cwrapper_path;
+  char *shwrapper_name;
+  intptr_t rval = 127;
+  FILE *shwrapper;
 
-	# Transform .lo files to .o files.
-	oldobjs="$objs "`$echo "X$libobjs" | $SP2NL | $Xsed -e '/\.'${libext}'$/d' -e "$lo2o" | $NL2SP`
-      fi
+  const char *dumpscript_opt = "--lt-dump-script";
+  int i;
 
-      # Eliminate all temporary directories.
-      #for path in $notinst_path; do
-      #	lib_search_path=`$echo "$lib_search_path " | ${SED} -e "s% $path % %g"`
-      #	deplibs=`$echo "$deplibs " | ${SED} -e "s% -L$path % %g"`
-      #	dependency_libs=`$echo "$dependency_libs " | ${SED} -e "s% -L$path % %g"`
-      #done
+  program_name = (char *) xstrdup (base_name (argv[0]));
+  LTWRAPPER_DEBUGPRINTF (("(main) argv[0]      : %s\n", argv[0]));
+  LTWRAPPER_DEBUGPRINTF (("(main) program_name : %s\n", program_name));
 
-      if test -n "$xrpath"; then
-	# If the user specified any rpath flags, then add them.
-	temp_xrpath=
-	for libdir in $xrpath; do
-	  temp_xrpath="$temp_xrpath -R$libdir"
-	  case "$finalize_rpath " in
-	  *" $libdir "*) ;;
-	  *) finalize_rpath="$finalize_rpath $libdir" ;;
-	  esac
-	done
-	if test "$hardcode_into_libs" != yes || test "$build_old_libs" = yes; then
-	  dependency_libs="$temp_xrpath $dependency_libs"
-	fi
-      fi
+  /* very simple arg parsing; don't want to rely on getopt */
+  for (i = 1; i < argc; i++)
+    {
+      if (strcmp (argv[i], dumpscript_opt) == 0)
+	{
+EOF
+	    case "$host" in
+	      *mingw* | *cygwin* )
+		# make stdout use "unix" line endings
+		echo "          setmode(1,_O_BINARY);"
+		;;
+	      esac
 
-      # Make sure dlfiles contains only unique files that won't be dlpreopened
-      old_dlfiles="$dlfiles"
-      dlfiles=
-      for lib in $old_dlfiles; do
-	case " $dlprefiles $dlfiles " in
-	*" $lib "*) ;;
-	*) dlfiles="$dlfiles $lib" ;;
-	esac
-      done
+	    cat <<EOF
+	  printf ("%s", script_text);
+	  return 0;
+	}
+    }
 
-      # Make sure dlprefiles contains only unique files
-      old_dlprefiles="$dlprefiles"
-      dlprefiles=
-      for lib in $old_dlprefiles; do
-	case "$dlprefiles " in
-	*" $lib "*) ;;
-	*) dlprefiles="$dlprefiles $lib" ;;
-	esac
-      done
+  newargz = XMALLOC (char *, argc + 2);
+EOF
 
-      if test "$build_libtool_libs" = yes; then
-	if test -n "$rpath"; then
-	  case $host in
-	  *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2* | *-*-beos*)
-	    # these systems don't actually have a c library (as such)!
-	    ;;
-	  *-*-rhapsody* | *-*-darwin1.[012])
-	    # Rhapsody C library is in the System framework
-	    deplibs="$deplibs -framework System"
-	    ;;
-	  *-*-netbsd*)
-	    # Don't link with libc until the a.out ld.so is fixed.
-	    ;;
-	  *-*-openbsd* | *-*-freebsd* | *-*-dragonfly*)
-	    # Do not include libc due to us having libc/libc_r.
-	    ;;
-	  *-*-sco3.2v5* | *-*-sco5v6*)
-	    # Causes problems with __ctype
-	    ;;
-	  *-*-sysv4.2uw2* | *-*-sysv5* | *-*-unixware* | *-*-OpenUNIX*)
-	    # Compiler inserts libc in the correct place for threads to work
-	    ;;
- 	  *)
-	    # Add libc to deplibs on all other systems if necessary.
-	    if test "$build_libtool_need_lc" = "yes"; then
-	      deplibs="$deplibs -lc"
+	    if test -n "$TARGETSHELL" ; then
+	      # no path translation at all
+	      lt_newargv0=$TARGETSHELL
+	    else
+	      case "$host" in
+		*mingw* )
+		  # awkward: cmd appends spaces to result
+		  lt_sed_strip_trailing_spaces="s/[ ]*\$//"
+		  lt_newargv0=`( cmd //c echo $SHELL | $SED -e "$lt_sed_strip_trailing_spaces" ) 2>/dev/null || echo $SHELL`
+		  case $lt_newargv0 in
+		    *.exe | *.EXE) ;;
+		    *) lt_newargv0=$lt_newargv0.exe ;;
+		  esac
+		  ;;
+		* ) lt_newargv0=$SHELL ;;
+	      esac
 	    fi
+
+		cat <<EOF
+  newargz[0] = (char *) xstrdup ("$lt_newargv0");
+EOF
+
+	    cat <<"EOF"
+  tmp_pathspec = find_executable (argv[0]);
+  if (tmp_pathspec == NULL)
+    lt_fatal ("Couldn't find %s", argv[0]);
+  LTWRAPPER_DEBUGPRINTF (("(main) found exe (before symlink chase) at : %s\n",
+			  tmp_pathspec));
+
+  actual_cwrapper_path = chase_symlinks (tmp_pathspec);
+  LTWRAPPER_DEBUGPRINTF (("(main) found exe (after symlink chase) at : %s\n",
+			  actual_cwrapper_path));
+  XFREE (tmp_pathspec);
+
+  shwrapper_name = (char *) xstrdup (base_name (actual_cwrapper_path));
+  strendzap (actual_cwrapper_path, shwrapper_name);
+
+  /* shwrapper_name transforms */
+  strendzap (shwrapper_name, ".exe");
+  tmp_pathspec = XMALLOC (char, (strlen (shwrapper_name) +
+				 strlen ("_ltshwrapperTMP") + 1));
+  strcpy (tmp_pathspec, shwrapper_name);
+  strcat (tmp_pathspec, "_ltshwrapperTMP");
+  XFREE (shwrapper_name);
+  shwrapper_name = tmp_pathspec;
+  tmp_pathspec = 0;
+  LTWRAPPER_DEBUGPRINTF (("(main) libtool shell wrapper name: %s\n",
+			  shwrapper_name));
+EOF
+
+	    cat <<EOF
+  newargz[1] =
+    XMALLOC (char, (strlen (actual_cwrapper_path) +
+		    strlen ("$objdir") + 1 + strlen (shwrapper_name) + 1));
+  strcpy (newargz[1], actual_cwrapper_path);
+  strcat (newargz[1], "$objdir");
+  strcat (newargz[1], "/");
+  strcat (newargz[1], shwrapper_name);
+EOF
+
+
+	    case $host_os in
+	      mingw*)
+	    cat <<"EOF"
+  {
+    char* p;
+    while ((p = strchr (newargz[1], '\\')) != NULL)
+      {
+	*p = '/';
+      }
+  }
+EOF
 	    ;;
-	  esac
-	fi
+	    esac
+
+	    cat <<"EOF"
+  XFREE (shwrapper_name);
+  XFREE (actual_cwrapper_path);
+
+  /* always write in binary mode */
+  if ((shwrapper = fopen (newargz[1], FOPEN_WB)) == 0)
+    {
+      lt_fatal ("Could not open %s for writing", newargz[1]);
+    }
+  fprintf (shwrapper, "%s", script_text);
+  fclose (shwrapper);
+
+  make_executable (newargz[1]);
+
+  for (i = 1; i < argc; i++)
+    newargz[i + 1] = xstrdup (argv[i]);
+  newargz[argc + 1] = NULL;
+
+  for (i = 0; i < argc + 1; i++)
+    {
+      LTWRAPPER_DEBUGPRINTF (("(main) newargz[%d]   : %s\n", i, newargz[i]));
+    }
 
-	# Transform deplibs into only deplibs that can be linked in shared.
-	name_save=$name
-	libname_save=$libname
-	release_save=$release
-	versuffix_save=$versuffix
-	major_save=$major
-	# I'm not sure if I'm treating the release correctly.  I think
-	# release should show up in the -l (ie -lgmp5) so we don't want to
-	# add it in twice.  Is that correct?
-	release=""
-	versuffix=""
-	major=""
-	newdeplibs=
-	droppeddeps=no
-	case $deplibs_check_method in
-	pass_all)
-	  # Don't check for shared/static.  Everything works.
-	  # This might be a little naive.  We might want to check
-	  # whether the library exists or not.  But this is on
-	  # osf3 & osf4 and I'm not really sure... Just
-	  # implementing what was already the behavior.
-	  newdeplibs=$deplibs
-	  ;;
-	test_compile)
-	  # This code stresses the "libraries are programs" paradigm to its
-	  # limits. Maybe even breaks it.  We compile a program, linking it
-	  # against the deplibs as a proxy for the library.  Then we can check
-	  # whether they linked in statically or dynamically with ldd.
-	  $rm conftest.c
-	  cat > conftest.c <<EOF
-	  int main() { return 0; }
 EOF
-	  $rm conftest
-	  if $LTCC $LTCFLAGS -o conftest conftest.c $deplibs; then
-	    ldd_output=`ldd conftest`
-	    for i in $deplibs; do
-	      name=`expr $i : '-l\(.*\)'`
-	      # If $name is empty we are operating on a -L argument.
-              if test "$name" != "" && test "$name" != "0"; then
-		if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then
-		  case " $predeps $postdeps " in
-		  *" $i "*)
-		    newdeplibs="$newdeplibs $i"
-		    i=""
-		    ;;
-		  esac
-	        fi
-		if test -n "$i" ; then
-		  libname=`eval \\$echo \"$libname_spec\"`
-		  deplib_matches=`eval \\$echo \"$library_names_spec\"`
-		  set dummy $deplib_matches
-		  deplib_match=$2
-		  if test `expr "$ldd_output" : ".*$deplib_match"` -ne 0 ; then
-		    newdeplibs="$newdeplibs $i"
-		  else
-		    droppeddeps=yes
-		    $echo
-		    $echo "*** Warning: dynamic linker does not accept needed library $i."
-		    $echo "*** I have the capability to make that library automatically link in when"
-		    $echo "*** you link to this library.  But I can only do this if you have a"
-		    $echo "*** shared version of the library, which I believe you do not have"
-		    $echo "*** because a test_compile did reveal that the linker did not use it for"
-		    $echo "*** its dynamic dependency list that programs get resolved with at runtime."
-		  fi
-		fi
+
+	    case $host_os in
+	      mingw*)
+		cat <<EOF
+  /* execv doesn't actually work on mingw as expected on unix */
+  rval = _spawnv (_P_WAIT, "$lt_newargv0", (const char * const *) newargz);
+  if (rval == -1)
+    {
+      /* failed to start process */
+      LTWRAPPER_DEBUGPRINTF (("(main) failed to launch target \"$lt_newargv0\": errno = %d\n", errno));
+      return 127;
+    }
+  return rval;
+}
+EOF
+		;;
+	      *)
+		cat <<EOF
+  execv ("$lt_newargv0", newargz);
+  return rval; /* =127, but avoids unused variable warning */
+}
+EOF
+		;;
+	    esac
+
+	    cat <<"EOF"
+
+void *
+xmalloc (size_t num)
+{
+  void *p = (void *) malloc (num);
+  if (!p)
+    lt_fatal ("Memory exhausted");
+
+  return p;
+}
+
+char *
+xstrdup (const char *string)
+{
+  return string ? strcpy ((char *) xmalloc (strlen (string) + 1),
+			  string) : NULL;
+}
+
+const char *
+base_name (const char *name)
+{
+  const char *base;
+
+#if defined (HAVE_DOS_BASED_FILE_SYSTEM)
+  /* Skip over the disk name in MSDOS pathnames. */
+  if (isalpha ((unsigned char) name[0]) && name[1] == ':')
+    name += 2;
+#endif
+
+  for (base = name; *name; name++)
+    if (IS_DIR_SEPARATOR (*name))
+      base = name + 1;
+  return base;
+}
+
+int
+check_executable (const char *path)
+{
+  struct stat st;
+
+  LTWRAPPER_DEBUGPRINTF (("(check_executable)  : %s\n",
+			  path ? (*path ? path : "EMPTY!") : "NULL!"));
+  if ((!path) || (!*path))
+    return 0;
+
+  if ((stat (path, &st) >= 0)
+      && (st.st_mode & (S_IXUSR | S_IXGRP | S_IXOTH)))
+    return 1;
+  else
+    return 0;
+}
+
+int
+make_executable (const char *path)
+{
+  int rval = 0;
+  struct stat st;
+
+  LTWRAPPER_DEBUGPRINTF (("(make_executable)   : %s\n",
+			  path ? (*path ? path : "EMPTY!") : "NULL!"));
+  if ((!path) || (!*path))
+    return 0;
+
+  if (stat (path, &st) >= 0)
+    {
+      rval = chmod (path, st.st_mode | S_IXOTH | S_IXGRP | S_IXUSR);
+    }
+  return rval;
+}
+
+/* Searches for the full path of the wrapper.  Returns
+   newly allocated full path name if found, NULL otherwise
+   Does not chase symlinks, even on platforms that support them.
+*/
+char *
+find_executable (const char *wrapper)
+{
+  int has_slash = 0;
+  const char *p;
+  const char *p_next;
+  /* static buffer for getcwd */
+  char tmp[LT_PATHMAX + 1];
+  int tmp_len;
+  char *concat_name;
+
+  LTWRAPPER_DEBUGPRINTF (("(find_executable)   : %s\n",
+			  wrapper ? (*wrapper ? wrapper : "EMPTY!") : "NULL!"));
+
+  if ((wrapper == NULL) || (*wrapper == '\0'))
+    return NULL;
+
+  /* Absolute path? */
+#if defined (HAVE_DOS_BASED_FILE_SYSTEM)
+  if (isalpha ((unsigned char) wrapper[0]) && wrapper[1] == ':')
+    {
+      concat_name = xstrdup (wrapper);
+      if (check_executable (concat_name))
+	return concat_name;
+      XFREE (concat_name);
+    }
+  else
+    {
+#endif
+      if (IS_DIR_SEPARATOR (wrapper[0]))
+	{
+	  concat_name = xstrdup (wrapper);
+	  if (check_executable (concat_name))
+	    return concat_name;
+	  XFREE (concat_name);
+	}
+#if defined (HAVE_DOS_BASED_FILE_SYSTEM)
+    }
+#endif
+
+  for (p = wrapper; *p; p++)
+    if (*p == '/')
+      {
+	has_slash = 1;
+	break;
+      }
+  if (!has_slash)
+    {
+      /* no slashes; search PATH */
+      const char *path = getenv ("PATH");
+      if (path != NULL)
+	{
+	  for (p = path; *p; p = p_next)
+	    {
+	      const char *q;
+	      size_t p_len;
+	      for (q = p; *q; q++)
+		if (IS_PATH_SEPARATOR (*q))
+		  break;
+	      p_len = q - p;
+	      p_next = (*q == '\0' ? q : q + 1);
+	      if (p_len == 0)
+		{
+		  /* empty path: current directory */
+		  if (getcwd (tmp, LT_PATHMAX) == NULL)
+		    lt_fatal ("getcwd failed");
+		  tmp_len = strlen (tmp);
+		  concat_name =
+		    XMALLOC (char, tmp_len + 1 + strlen (wrapper) + 1);
+		  memcpy (concat_name, tmp, tmp_len);
+		  concat_name[tmp_len] = '/';
+		  strcpy (concat_name + tmp_len + 1, wrapper);
+		}
 	      else
-		newdeplibs="$newdeplibs $i"
-	      fi
-	    done
-	  else
-	    # Error occurred in the first compile.  Let's try to salvage
-	    # the situation: Compile a separate program for each library.
-	    for i in $deplibs; do
-	      name=`expr $i : '-l\(.*\)'`
-	      # If $name is empty we are operating on a -L argument.
-              if test "$name" != "" && test "$name" != "0"; then
-		$rm conftest
-		if $LTCC $LTCFLAGS -o conftest conftest.c $i; then
-		  ldd_output=`ldd conftest`
-		  if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then
-		    case " $predeps $postdeps " in
-		    *" $i "*)
-		      newdeplibs="$newdeplibs $i"
-		      i=""
-		      ;;
-		    esac
-		  fi
-		  if test -n "$i" ; then
-		    libname=`eval \\$echo \"$libname_spec\"`
-		    deplib_matches=`eval \\$echo \"$library_names_spec\"`
-		    set dummy $deplib_matches
-		    deplib_match=$2
-		    if test `expr "$ldd_output" : ".*$deplib_match"` -ne 0 ; then
-		      newdeplibs="$newdeplibs $i"
-		    else
-		      droppeddeps=yes
-		      $echo
-		      $echo "*** Warning: dynamic linker does not accept needed library $i."
-		      $echo "*** I have the capability to make that library automatically link in when"
-		      $echo "*** you link to this library.  But I can only do this if you have a"
-		      $echo "*** shared version of the library, which you do not appear to have"
-		      $echo "*** because a test_compile did reveal that the linker did not use this one"
-		      $echo "*** as a dynamic dependency that programs can get resolved with at runtime."
-		    fi
-		  fi
-		else
-		  droppeddeps=yes
-		  $echo
-		  $echo "*** Warning!  Library $i is needed by this library but I was not able to"
-		  $echo "*** make it link in!  You will probably need to install it or some"
-		  $echo "*** library that it depends on before this library will be fully"
-		  $echo "*** functional.  Installing it before continuing would be even better."
-		fi
-	      else
-		newdeplibs="$newdeplibs $i"
-	      fi
-	    done
-	  fi
-	  ;;
-	file_magic*)
-	  set dummy $deplibs_check_method
-	  file_magic_regex=`expr "$deplibs_check_method" : "$2 \(.*\)"`
-	  for a_deplib in $deplibs; do
-	    name=`expr $a_deplib : '-l\(.*\)'`
-	    # If $name is empty we are operating on a -L argument.
-            if test "$name" != "" && test  "$name" != "0"; then
-	      if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then
-		case " $predeps $postdeps " in
-		*" $a_deplib "*)
-		  newdeplibs="$newdeplibs $a_deplib"
-		  a_deplib=""
-		  ;;
-		esac
-	      fi
-	      if test -n "$a_deplib" ; then
-		libname=`eval \\$echo \"$libname_spec\"`
-		for i in $lib_search_path $sys_lib_search_path $shlib_search_path; do
-		  potential_libs=`ls $i/$libname[.-]* 2>/dev/null`
-		  for potent_lib in $potential_libs; do
-		      # Follow soft links.
-		      if ls -lLd "$potent_lib" 2>/dev/null \
-			 | grep " -> " >/dev/null; then
-			continue
-		      fi
-		      # The statement above tries to avoid entering an
-		      # endless loop below, in case of cyclic links.
-		      # We might still enter an endless loop, since a link
-		      # loop can be closed while we follow links,
-		      # but so what?
-		      potlib="$potent_lib"
-		      while test -h "$potlib" 2>/dev/null; do
-			potliblink=`ls -ld $potlib | ${SED} 's/.* -> //'`
-			case $potliblink in
-			[\\/]* | [A-Za-z]:[\\/]*) potlib="$potliblink";;
-			*) potlib=`$echo "X$potlib" | $Xsed -e 's,[^/]*$,,'`"$potliblink";;
-			esac
-		      done
-		      if eval $file_magic_cmd \"\$potlib\" 2>/dev/null \
-			 | ${SED} 10q \
-			 | $EGREP "$file_magic_regex" > /dev/null; then
-			newdeplibs="$newdeplibs $a_deplib"
-			a_deplib=""
-			break 2
-		      fi
-		  done
-		done
-	      fi
-	      if test -n "$a_deplib" ; then
-		droppeddeps=yes
-		$echo
-		$echo "*** Warning: linker path does not have real file for library $a_deplib."
-		$echo "*** I have the capability to make that library automatically link in when"
-		$echo "*** you link to this library.  But I can only do this if you have a"
-		$echo "*** shared version of the library, which you do not appear to have"
-		$echo "*** because I did check the linker path looking for a file starting"
-		if test -z "$potlib" ; then
-		  $echo "*** with $libname but no candidates were found. (...for file magic test)"
-		else
-		  $echo "*** with $libname and none of the candidates passed a file format test"
-		  $echo "*** using a file magic. Last file checked: $potlib"
-		fi
-	      fi
-	    else
-	      # Add a -L argument.
-	      newdeplibs="$newdeplibs $a_deplib"
-	    fi
-	  done # Gone through all deplibs.
-	  ;;
-	match_pattern*)
-	  set dummy $deplibs_check_method
-	  match_pattern_regex=`expr "$deplibs_check_method" : "$2 \(.*\)"`
-	  for a_deplib in $deplibs; do
-	    name=`expr $a_deplib : '-l\(.*\)'`
-	    # If $name is empty we are operating on a -L argument.
-	    if test -n "$name" && test "$name" != "0"; then
-	      if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then
-		case " $predeps $postdeps " in
-		*" $a_deplib "*)
-		  newdeplibs="$newdeplibs $a_deplib"
-		  a_deplib=""
-		  ;;
-		esac
-	      fi
-	      if test -n "$a_deplib" ; then
-		libname=`eval \\$echo \"$libname_spec\"`
-		for i in $lib_search_path $sys_lib_search_path $shlib_search_path; do
-		  potential_libs=`ls $i/$libname[.-]* 2>/dev/null`
-		  for potent_lib in $potential_libs; do
-		    potlib="$potent_lib" # see symlink-check above in file_magic test
-		    if eval $echo \"$potent_lib\" 2>/dev/null \
-		        | ${SED} 10q \
-		        | $EGREP "$match_pattern_regex" > /dev/null; then
-		      newdeplibs="$newdeplibs $a_deplib"
-		      a_deplib=""
-		      break 2
-		    fi
-		  done
-		done
-	      fi
-	      if test -n "$a_deplib" ; then
-		droppeddeps=yes
-		$echo
-		$echo "*** Warning: linker path does not have real file for library $a_deplib."
-		$echo "*** I have the capability to make that library automatically link in when"
-		$echo "*** you link to this library.  But I can only do this if you have a"
-		$echo "*** shared version of the library, which you do not appear to have"
-		$echo "*** because I did check the linker path looking for a file starting"
-		if test -z "$potlib" ; then
-		  $echo "*** with $libname but no candidates were found. (...for regex pattern test)"
-		else
-		  $echo "*** with $libname and none of the candidates passed a file format test"
-		  $echo "*** using a regex pattern. Last file checked: $potlib"
-		fi
-	      fi
-	    else
-	      # Add a -L argument.
-	      newdeplibs="$newdeplibs $a_deplib"
-	    fi
-	  done # Gone through all deplibs.
-	  ;;
-	none | unknown | *)
-	  newdeplibs=""
-	  tmp_deplibs=`$echo "X $deplibs" | $Xsed -e 's/ -lc$//' \
-	    -e 's/ -[LR][^ ]*//g'`
-	  if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then
-	    for i in $predeps $postdeps ; do
-	      # can't use Xsed below, because $i might contain '/'
-	      tmp_deplibs=`$echo "X $tmp_deplibs" | ${SED} -e "1s,^X,," -e "s,$i,,"`
-	    done
-	  fi
-	  if $echo "X $tmp_deplibs" | $Xsed -e 's/[ 	]//g' \
-	    | grep . >/dev/null; then
-	    $echo
-	    if test "X$deplibs_check_method" = "Xnone"; then
-	      $echo "*** Warning: inter-library dependencies are not supported in this platform."
-	    else
-	      $echo "*** Warning: inter-library dependencies are not known to be supported."
-	    fi
-	    $echo "*** All declared inter-library dependencies are being dropped."
-	    droppeddeps=yes
-	  fi
-	  ;;
-	esac
-	versuffix=$versuffix_save
-	major=$major_save
-	release=$release_save
-	libname=$libname_save
-	name=$name_save
+		{
+		  concat_name =
+		    XMALLOC (char, p_len + 1 + strlen (wrapper) + 1);
+		  memcpy (concat_name, p, p_len);
+		  concat_name[p_len] = '/';
+		  strcpy (concat_name + p_len + 1, wrapper);
+		}
+	      if (check_executable (concat_name))
+		return concat_name;
+	      XFREE (concat_name);
+	    }
+	}
+      /* not found in PATH; assume curdir */
+    }
+  /* Relative path | not found in path: prepend cwd */
+  if (getcwd (tmp, LT_PATHMAX) == NULL)
+    lt_fatal ("getcwd failed");
+  tmp_len = strlen (tmp);
+  concat_name = XMALLOC (char, tmp_len + 1 + strlen (wrapper) + 1);
+  memcpy (concat_name, tmp, tmp_len);
+  concat_name[tmp_len] = '/';
+  strcpy (concat_name + tmp_len + 1, wrapper);
 
-	case $host in
-	*-*-rhapsody* | *-*-darwin1.[012])
-	  # On Rhapsody replace the C library is the System framework
-	  newdeplibs=`$echo "X $newdeplibs" | $Xsed -e 's/ -lc / -framework System /'`
-	  ;;
-	esac
+  if (check_executable (concat_name))
+    return concat_name;
+  XFREE (concat_name);
+  return NULL;
+}
 
-	if test "$droppeddeps" = yes; then
-	  if test "$module" = yes; then
-	    $echo
-	    $echo "*** Warning: libtool could not satisfy all declared inter-library"
-	    $echo "*** dependencies of module $libname.  Therefore, libtool will create"
-	    $echo "*** a static module, that should work as long as the dlopening"
-	    $echo "*** application is linked with the -dlopen flag."
-	    if test -z "$global_symbol_pipe"; then
-	      $echo
-	      $echo "*** However, this would only work if libtool was able to extract symbol"
-	      $echo "*** lists from a program, using \`nm' or equivalent, but libtool could"
-	      $echo "*** not find such a program.  So, this module is probably useless."
-	      $echo "*** \`nm' from GNU binutils and a full rebuild may help."
-	    fi
-	    if test "$build_old_libs" = no; then
-	      oldlibs="$output_objdir/$libname.$libext"
-	      build_libtool_libs=module
-	      build_old_libs=yes
-	    else
-	      build_libtool_libs=no
-	    fi
-	  else
-	    $echo "*** The inter-library dependencies that have been dropped here will be"
-	    $echo "*** automatically added whenever a program is linked with this library"
-	    $echo "*** or is declared to -dlopen it."
+char *
+chase_symlinks (const char *pathspec)
+{
+#ifndef S_ISLNK
+  return xstrdup (pathspec);
+#else
+  char buf[LT_PATHMAX];
+  struct stat s;
+  char *tmp_pathspec = xstrdup (pathspec);
+  char *p;
+  int has_symlinks = 0;
+  while (strlen (tmp_pathspec) && !has_symlinks)
+    {
+      LTWRAPPER_DEBUGPRINTF (("checking path component for symlinks: %s\n",
+			      tmp_pathspec));
+      if (lstat (tmp_pathspec, &s) == 0)
+	{
+	  if (S_ISLNK (s.st_mode) != 0)
+	    {
+	      has_symlinks = 1;
+	      break;
+	    }
 
-	    if test "$allow_undefined" = no; then
-	      $echo
-	      $echo "*** Since this library must not contain undefined symbols,"
-	      $echo "*** because either the platform does not support them or"
-	      $echo "*** it was explicitly requested with -no-undefined,"
-	      $echo "*** libtool will only create a static version of it."
-	      if test "$build_old_libs" = no; then
-		oldlibs="$output_objdir/$libname.$libext"
-		build_libtool_libs=module
-		build_old_libs=yes
-	      else
-		build_libtool_libs=no
-	      fi
-	    fi
-	  fi
-	fi
-	# Done checking deplibs!
-	deplibs=$newdeplibs
-      fi
+	  /* search backwards for last DIR_SEPARATOR */
+	  p = tmp_pathspec + strlen (tmp_pathspec) - 1;
+	  while ((p > tmp_pathspec) && (!IS_DIR_SEPARATOR (*p)))
+	    p--;
+	  if ((p == tmp_pathspec) && (!IS_DIR_SEPARATOR (*p)))
+	    {
+	      /* no more DIR_SEPARATORS left */
+	      break;
+	    }
+	  *p = '\0';
+	}
+      else
+	{
+	  char *errstr = strerror (errno);
+	  lt_fatal ("Error accessing file %s (%s)", tmp_pathspec, errstr);
+	}
+    }
+  XFREE (tmp_pathspec);
 
+  if (!has_symlinks)
+    {
+      return xstrdup (pathspec);
+    }
 
-      # move library search paths that coincide with paths to not yet
-      # installed libraries to the beginning of the library search list
-      new_libs=
-      for path in $notinst_path; do
-	case " $new_libs " in
-	*" -L$path/$objdir "*) ;;
-	*)
-	  case " $deplibs " in
-	  *" -L$path/$objdir "*)
-	    new_libs="$new_libs -L$path/$objdir" ;;
-	  esac
-	  ;;
-	esac
-      done
-      for deplib in $deplibs; do
-	case $deplib in
-	-L*)
-	  case " $new_libs " in
-	  *" $deplib "*) ;;
-	  *) new_libs="$new_libs $deplib" ;;
-	  esac
-	  ;;
-	*) new_libs="$new_libs $deplib" ;;
-	esac
-      done
-      deplibs="$new_libs"
+  tmp_pathspec = realpath (pathspec, buf);
+  if (tmp_pathspec == 0)
+    {
+      lt_fatal ("Could not follow symlinks for %s", pathspec);
+    }
+  return xstrdup (tmp_pathspec);
+#endif
+}
 
+char *
+strendzap (char *str, const char *pat)
+{
+  size_t len, patlen;
 
-      # All the library-specific variables (install_libdir is set above).
-      library_names=
-      old_library=
-      dlname=
+  assert (str != NULL);
+  assert (pat != NULL);
 
-      # Test again, we may have decided not to build it any more
-      if test "$build_libtool_libs" = yes; then
-	if test "$hardcode_into_libs" = yes; then
-	  # Hardcode the library paths
-	  hardcode_libdirs=
-	  dep_rpath=
-	  rpath="$finalize_rpath"
-	  test "$mode" != relink && rpath="$compile_rpath$rpath"
-	  for libdir in $rpath; do
-	    if test -n "$hardcode_libdir_flag_spec"; then
-	      if test -n "$hardcode_libdir_separator"; then
-		if test -z "$hardcode_libdirs"; then
-		  hardcode_libdirs="$libdir"
-		else
-		  # Just accumulate the unique libdirs.
-		  case $hardcode_libdir_separator$hardcode_libdirs$hardcode_libdir_separator in
-		  *"$hardcode_libdir_separator$libdir$hardcode_libdir_separator"*)
-		    ;;
-		  *)
-		    hardcode_libdirs="$hardcode_libdirs$hardcode_libdir_separator$libdir"
-		    ;;
-		  esac
-		fi
-	      else
-		eval flag=\"$hardcode_libdir_flag_spec\"
-		dep_rpath="$dep_rpath $flag"
-	      fi
-	    elif test -n "$runpath_var"; then
-	      case "$perm_rpath " in
-	      *" $libdir "*) ;;
-	      *) perm_rpath="$perm_rpath $libdir" ;;
-	      esac
-	    fi
-	  done
-	  # Substitute the hardcoded libdirs into the rpath.
-	  if test -n "$hardcode_libdir_separator" &&
-	     test -n "$hardcode_libdirs"; then
-	    libdir="$hardcode_libdirs"
-	    if test -n "$hardcode_libdir_flag_spec_ld"; then
-	      case $archive_cmds in
-	      *\$LD*) eval dep_rpath=\"$hardcode_libdir_flag_spec_ld\" ;;
-	      *)      eval dep_rpath=\"$hardcode_libdir_flag_spec\" ;;
-	      esac
-	    else
-	      eval dep_rpath=\"$hardcode_libdir_flag_spec\"
-	    fi
-	  fi
-	  if test -n "$runpath_var" && test -n "$perm_rpath"; then
-	    # We should set the runpath_var.
-	    rpath=
-	    for dir in $perm_rpath; do
-	      rpath="$rpath$dir:"
-	    done
-	    eval "$runpath_var='$rpath\$$runpath_var'; export $runpath_var"
-	  fi
-	  test -n "$dep_rpath" && deplibs="$dep_rpath $deplibs"
-	fi
-
-	shlibpath="$finalize_shlibpath"
-	test "$mode" != relink && shlibpath="$compile_shlibpath$shlibpath"
-	if test -n "$shlibpath"; then
-	  eval "$shlibpath_var='$shlibpath\$$shlibpath_var'; export $shlibpath_var"
-	fi
+  len = strlen (str);
+  patlen = strlen (pat);
 
-	# Get the real and link names of the library.
-	eval shared_ext=\"$shrext_cmds\"
-	eval library_names=\"$library_names_spec\"
-	set dummy $library_names
-	realname="$2"
-	shift; shift
+  if (patlen <= len)
+    {
+      str += len - patlen;
+      if (strcmp (str, pat) == 0)
+	*str = '\0';
+    }
+  return str;
+}
 
-	if test -n "$soname_spec"; then
-	  eval soname=\"$soname_spec\"
-	else
-	  soname="$realname"
-	fi
-	if test -z "$dlname"; then
-	  dlname=$soname
-	fi
+static void
+lt_error_core (int exit_status, const char *mode,
+	       const char *message, va_list ap)
+{
+  fprintf (stderr, "%s: %s: ", program_name, mode);
+  vfprintf (stderr, message, ap);
+  fprintf (stderr, ".\n");
 
-	lib="$output_objdir/$realname"
-	linknames=
-	for link
-	do
-	  linknames="$linknames $link"
-	done
+  if (exit_status >= 0)
+    exit (exit_status);
+}
 
-	# Use standard objects if they are pic
-	test -z "$pic_flag" && libobjs=`$echo "X$libobjs" | $SP2NL | $Xsed -e "$lo2o" | $NL2SP`
+void
+lt_fatal (const char *message, ...)
+{
+  va_list ap;
+  va_start (ap, message);
+  lt_error_core (EXIT_FAILURE, "FATAL", message, ap);
+  va_end (ap);
+}
+EOF
+}
+# end: func_emit_cwrapperexe_src
 
-	# Prepare the list of exported symbols
-	if test -z "$export_symbols"; then
-	  if test "$always_export_symbols" = yes || test -n "$export_symbols_regex"; then
-	    $show "generating symbol list for \`$libname.la'"
-	    export_symbols="$output_objdir/$libname.exp"
-	    $run $rm $export_symbols
-	    cmds=$export_symbols_cmds
-	    save_ifs="$IFS"; IFS='~'
-	    for cmd in $cmds; do
-	      IFS="$save_ifs"
-	      eval cmd=\"$cmd\"
-	      if len=`expr "X$cmd" : ".*"` &&
-	       test "$len" -le "$max_cmd_len" || test "$max_cmd_len" -le -1; then
-	        $show "$cmd"
-	        $run eval "$cmd" || exit $?
-	        skipped_export=false
-	      else
-	        # The command line is too long to execute in one step.
-	        $show "using reloadable object file for export list..."
-	        skipped_export=:
-		# Break out early, otherwise skipped_export may be
-		# set to false by a later but shorter cmd.
-		break
-	      fi
-	    done
-	    IFS="$save_ifs"
-	    if test -n "$export_symbols_regex"; then
-	      $show "$EGREP -e \"$export_symbols_regex\" \"$export_symbols\" > \"${export_symbols}T\""
-	      $run eval '$EGREP -e "$export_symbols_regex" "$export_symbols" > "${export_symbols}T"'
-	      $show "$mv \"${export_symbols}T\" \"$export_symbols\""
-	      $run eval '$mv "${export_symbols}T" "$export_symbols"'
-	    fi
-	  fi
-	fi
+# func_mode_link arg...
+func_mode_link ()
+{
+    $opt_debug
+    case $host in
+    *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2*)
+      # It is impossible to link a dll without this setting, and
+      # we shouldn't force the makefile maintainer to figure out
+      # which system we are compiling for in order to pass an extra
+      # flag for every libtool invocation.
+      # allow_undefined=no
 
-	if test -n "$export_symbols" && test -n "$include_expsyms"; then
-	  $run eval '$echo "X$include_expsyms" | $SP2NL >> "$export_symbols"'
-	fi
+      # FIXME: Unfortunately, there are problems with the above when trying
+      # to make a dll which has undefined symbols, in which case not
+      # even a static library is built.  For now, we need to specify
+      # -no-undefined on the libtool link line when we can be certain
+      # that all symbols are satisfied, otherwise we get a static library.
+      allow_undefined=yes
+      ;;
+    *)
+      allow_undefined=yes
+      ;;
+    esac
+    libtool_args=$nonopt
+    base_compile="$nonopt $@"
+    compile_command=$nonopt
+    finalize_command=$nonopt
 
-	tmp_deplibs=
-	for test_deplib in $deplibs; do
-		case " $convenience " in
-		*" $test_deplib "*) ;;
-		*)
-			tmp_deplibs="$tmp_deplibs $test_deplib"
-			;;
-		esac
-	done
-	deplibs="$tmp_deplibs"
+    compile_rpath=
+    finalize_rpath=
+    compile_shlibpath=
+    finalize_shlibpath=
+    convenience=
+    old_convenience=
+    deplibs=
+    old_deplibs=
+    compiler_flags=
+    linker_flags=
+    dllsearchpath=
+    lib_search_path=`pwd`
+    inst_prefix_dir=
+    new_inherited_linker_flags=
 
-	if test -n "$convenience"; then
-	  if test -n "$whole_archive_flag_spec"; then
-	    save_libobjs=$libobjs
-	    eval libobjs=\"\$libobjs $whole_archive_flag_spec\"
-	  else
-	    gentop="$output_objdir/${outputname}x"
-	    generated="$generated $gentop"
+    avoid_version=no
+    dlfiles=
+    dlprefiles=
+    dlself=no
+    export_dynamic=no
+    export_symbols=
+    export_symbols_regex=
+    generated=
+    libobjs=
+    ltlibs=
+    module=no
+    no_install=no
+    objs=
+    non_pic_objects=
+    precious_files_regex=
+    prefer_static_libs=no
+    preload=no
+    prev=
+    prevarg=
+    release=
+    rpath=
+    xrpath=
+    perm_rpath=
+    temp_rpath=
+    thread_safe=no
+    vinfo=
+    vinfo_number=no
+    weak_libs=
+    single_module="${wl}-single_module"
+    func_infer_tag $base_compile
 
-	    func_extract_archives $gentop $convenience
-	    libobjs="$libobjs $func_extract_archives_result"
+    # We need to know -static, to get the right output filenames.
+    for arg
+    do
+      case $arg in
+      -shared)
+	test "$build_libtool_libs" != yes && \
+	  func_fatal_configuration "can not build a shared library"
+	build_old_libs=no
+	break
+	;;
+      -all-static | -static | -static-libtool-libs)
+	case $arg in
+	-all-static)
+	  if test "$build_libtool_libs" = yes && test -z "$link_static_flag"; then
+	    func_warning "complete static linking is impossible in this configuration"
 	  fi
-	fi
-	
-	if test "$thread_safe" = yes && test -n "$thread_safe_flag_spec"; then
-	  eval flag=\"$thread_safe_flag_spec\"
-	  linker_flags="$linker_flags $flag"
-	fi
-
-	# Make a backup of the uninstalled library when relinking
-	if test "$mode" = relink; then
-	  $run eval '(cd $output_objdir && $rm ${realname}U && $mv $realname ${realname}U)' || exit $?
-	fi
-
-	# Do each of the archive commands.
-	if test "$module" = yes && test -n "$module_cmds" ; then
-	  if test -n "$export_symbols" && test -n "$module_expsym_cmds"; then
-	    eval test_cmds=\"$module_expsym_cmds\"
-	    cmds=$module_expsym_cmds
-	  else
-	    eval test_cmds=\"$module_cmds\"
-	    cmds=$module_cmds
+	  if test -n "$link_static_flag"; then
+	    dlopen_self=$dlopen_self_static
 	  fi
-	else
-	if test -n "$export_symbols" && test -n "$archive_expsym_cmds"; then
-	  eval test_cmds=\"$archive_expsym_cmds\"
-	  cmds=$archive_expsym_cmds
-	else
-	  eval test_cmds=\"$archive_cmds\"
-	  cmds=$archive_cmds
+	  prefer_static_libs=yes
+	  ;;
+	-static)
+	  if test -z "$pic_flag" && test -n "$link_static_flag"; then
+	    dlopen_self=$dlopen_self_static
 	  fi
-	fi
-
-	if test "X$skipped_export" != "X:" &&
-	   len=`expr "X$test_cmds" : ".*" 2>/dev/null` &&
-	   test "$len" -le "$max_cmd_len" || test "$max_cmd_len" -le -1; then
-	  :
-	else
-	  # The command line is too long to link in one step, link piecewise.
-	  $echo "creating reloadable object files..."
-
-	  # Save the value of $output and $libobjs because we want to
-	  # use them later.  If we have whole_archive_flag_spec, we
-	  # want to use save_libobjs as it was before
-	  # whole_archive_flag_spec was expanded, because we can't
-	  # assume the linker understands whole_archive_flag_spec.
-	  # This may have to be revisited, in case too many
-	  # convenience libraries get linked in and end up exceeding
-	  # the spec.
-	  if test -z "$convenience" || test -z "$whole_archive_flag_spec"; then
-	    save_libobjs=$libobjs
+	  prefer_static_libs=built
+	  ;;
+	-static-libtool-libs)
+	  if test -z "$pic_flag" && test -n "$link_static_flag"; then
+	    dlopen_self=$dlopen_self_static
 	  fi
-	  save_output=$output
-	  output_la=`$echo "X$output" | $Xsed -e "$basename"`
-
-	  # Clear the reloadable object creation command queue and
-	  # initialize k to one.
-	  test_cmds=
-	  concat_cmds=
-	  objlist=
-	  delfiles=
-	  last_robj=
-	  k=1
-	  output=$output_objdir/$output_la-${k}.$objext
-	  # Loop over the list of objects to be linked.
-	  for obj in $save_libobjs
-	  do
-	    eval test_cmds=\"$reload_cmds $objlist $last_robj\"
-	    if test "X$objlist" = X ||
-	       { len=`expr "X$test_cmds" : ".*" 2>/dev/null` &&
-		 test "$len" -le "$max_cmd_len"; }; then
-	      objlist="$objlist $obj"
-	    else
-	      # The command $test_cmds is almost too long, add a
-	      # command to the queue.
-	      if test "$k" -eq 1 ; then
-		# The first file doesn't have a previous command to add.
-		eval concat_cmds=\"$reload_cmds $objlist $last_robj\"
-	      else
-		# All subsequent reloadable object files will link in
-		# the last one created.
-		eval concat_cmds=\"\$concat_cmds~$reload_cmds $objlist $last_robj\"
-	      fi
-	      last_robj=$output_objdir/$output_la-${k}.$objext
-	      k=`expr $k + 1`
-	      output=$output_objdir/$output_la-${k}.$objext
-	      objlist=$obj
-	      len=1
-	    fi
-	  done
-	  # Handle the remaining objects by creating one last
-	  # reloadable object file.  All subsequent reloadable object
-	  # files will link in the last one created.
-	  test -z "$concat_cmds" || concat_cmds=$concat_cmds~
-	  eval concat_cmds=\"\${concat_cmds}$reload_cmds $objlist $last_robj\"
-
-	  if ${skipped_export-false}; then
-	    $show "generating symbol list for \`$libname.la'"
-	    export_symbols="$output_objdir/$libname.exp"
-	    $run $rm $export_symbols
-	    libobjs=$output
-	    # Append the command to create the export file.
-	    eval concat_cmds=\"\$concat_cmds~$export_symbols_cmds\"
-          fi
-
-	  # Set up a command to remove the reloadable object files
-	  # after they are used.
-	  i=0
-	  while test "$i" -lt "$k"
-	  do
-	    i=`expr $i + 1`
-	    delfiles="$delfiles $output_objdir/$output_la-${i}.$objext"
-	  done
+	  prefer_static_libs=yes
+	  ;;
+	esac
+	build_libtool_libs=no
+	build_old_libs=yes
+	break
+	;;
+      esac
+    done
 
-	  $echo "creating a temporary reloadable object file: $output"
+    # See if our shared archives depend on static archives.
+    test -n "$old_archive_from_new_cmds" && build_old_libs=yes
 
-	  # Loop through the commands generated above and execute them.
-	  save_ifs="$IFS"; IFS='~'
-	  for cmd in $concat_cmds; do
-	    IFS="$save_ifs"
-	    $show "$cmd"
-	    $run eval "$cmd" || exit $?
-	  done
-	  IFS="$save_ifs"
+    # Go through the arguments, transforming them on the way.
+    while test "$#" -gt 0; do
+      arg="$1"
+      shift
+      func_quote_for_eval "$arg"
+      qarg=$func_quote_for_eval_unquoted_result
+      func_append libtool_args " $func_quote_for_eval_result"
 
-	  libobjs=$output
-	  # Restore the value of output.
-	  output=$save_output
+      # If the previous option needs an argument, assign it.
+      if test -n "$prev"; then
+	case $prev in
+	output)
+	  func_append compile_command " @OUTPUT@"
+	  func_append finalize_command " @OUTPUT@"
+	  ;;
+	esac
 
-	  if test -n "$convenience" && test -n "$whole_archive_flag_spec"; then
-	    eval libobjs=\"\$libobjs $whole_archive_flag_spec\"
+	case $prev in
+	dlfiles|dlprefiles)
+	  if test "$preload" = no; then
+	    # Add the symbol object into the linking commands.
+	    func_append compile_command " @SYMFILE@"
+	    func_append finalize_command " @SYMFILE@"
+	    preload=yes
 	  fi
-	  # Expand the library linking commands again to reset the
-	  # value of $libobjs for piecewise linking.
-
-	  # Do each of the archive commands.
-	  if test "$module" = yes && test -n "$module_cmds" ; then
-	    if test -n "$export_symbols" && test -n "$module_expsym_cmds"; then
-	      cmds=$module_expsym_cmds
-	    else
-	      cmds=$module_cmds
+	  case $arg in
+	  *.la | *.lo) ;;  # We handle these cases below.
+	  force)
+	    if test "$dlself" = no; then
+	      dlself=needless
+	      export_dynamic=yes
 	    fi
-	  else
-	  if test -n "$export_symbols" && test -n "$archive_expsym_cmds"; then
-	    cmds=$archive_expsym_cmds
-	  else
-	    cmds=$archive_cmds
+	    prev=
+	    continue
+	    ;;
+	  self)
+	    if test "$prev" = dlprefiles; then
+	      dlself=yes
+	    elif test "$prev" = dlfiles && test "$dlopen_self" != yes; then
+	      dlself=yes
+	    else
+	      dlself=needless
+	      export_dynamic=yes
 	    fi
-	  fi
-
-	  # Append the command to remove the reloadable object files
-	  # to the just-reset $cmds.
-	  eval cmds=\"\$cmds~\$rm $delfiles\"
-	fi
-	save_ifs="$IFS"; IFS='~'
-	for cmd in $cmds; do
-	  IFS="$save_ifs"
-	  eval cmd=\"$cmd\"
-	  $show "$cmd"
-	  $run eval "$cmd" || {
-	    lt_exit=$?
-
-	    # Restore the uninstalled library and exit
-	    if test "$mode" = relink; then
-	      $run eval '(cd $output_objdir && $rm ${realname}T && $mv ${realname}U $realname)'
+	    prev=
+	    continue
+	    ;;
+	  *)
+	    if test "$prev" = dlfiles; then
+	      dlfiles="$dlfiles $arg"
+	    else
+	      dlprefiles="$dlprefiles $arg"
 	    fi
+	    prev=
+	    continue
+	    ;;
+	  esac
+	  ;;
+	expsyms)
+	  export_symbols="$arg"
+	  test -f "$arg" \
+	    || func_fatal_error "symbol file \`$arg' does not exist"
+	  prev=
+	  continue
+	  ;;
+	expsyms_regex)
+	  export_symbols_regex="$arg"
+	  prev=
+	  continue
+	  ;;
+	framework)
+	  case $host in
+	    *-*-darwin*)
+	      case "$deplibs " in
+		*" $qarg.ltframework "*) ;;
+		*) deplibs="$deplibs $qarg.ltframework" # this is fixed later
+		   ;;
+	      esac
+	      ;;
+	  esac
+	  prev=
+	  continue
+	  ;;
+	inst_prefix)
+	  inst_prefix_dir="$arg"
+	  prev=
+	  continue
+	  ;;
+	objectlist)
+	  if test -f "$arg"; then
+	    save_arg=$arg
+	    moreargs=
+	    for fil in `cat "$save_arg"`
+	    do
+#	      moreargs="$moreargs $fil"
+	      arg=$fil
+	      # A libtool-controlled object.
 
-	    exit $lt_exit
-	  }
-	done
-	IFS="$save_ifs"
-
-	# Restore the uninstalled library and exit
-	if test "$mode" = relink; then
-	  $run eval '(cd $output_objdir && $rm ${realname}T && $mv $realname ${realname}T && $mv "$realname"U $realname)' || exit $?
+	      # Check to see that this really is a libtool object.
+	      if func_lalib_unsafe_p "$arg"; then
+		pic_object=
+		non_pic_object=
 
-	  if test -n "$convenience"; then
-	    if test -z "$whole_archive_flag_spec"; then
-	      $show "${rm}r $gentop"
-	      $run ${rm}r "$gentop"
-	    fi
-	  fi
+		# Read the .lo file
+		func_source "$arg"
 
-	  exit $EXIT_SUCCESS
-	fi
+		if test -z "$pic_object" ||
+		   test -z "$non_pic_object" ||
+		   test "$pic_object" = none &&
+		   test "$non_pic_object" = none; then
+		  func_fatal_error "cannot find name of object for \`$arg'"
+		fi
 
-	# Create links to the real library.
-	for linkname in $linknames; do
-	  if test "$realname" != "$linkname"; then
-	    $show "(cd $output_objdir && $rm $linkname && $LN_S $realname $linkname)"
-	    $run eval '(cd $output_objdir && $rm $linkname && $LN_S $realname $linkname)' || exit $?
-	  fi
-	done
+		# Extract subdirectory from the argument.
+		func_dirname "$arg" "/" ""
+		xdir="$func_dirname_result"
 
-	# If -module or -export-dynamic was specified, set the dlname.
-	if test "$module" = yes || test "$export_dynamic" = yes; then
-	  # On all known operating systems, these are identical.
-	  dlname="$soname"
-	fi
-      fi
-      ;;
+		if test "$pic_object" != none; then
+		  # Prepend the subdirectory the object is found in.
+		  pic_object="$xdir$pic_object"
 
-    obj)
-      case " $deplibs" in
-      *\ -l* | *\ -L*)
-	$echo "$modename: warning: \`-l' and \`-L' are ignored for objects" 1>&2 ;;
-      esac
+		  if test "$prev" = dlfiles; then
+		    if test "$build_libtool_libs" = yes && test "$dlopen_support" = yes; then
+		      dlfiles="$dlfiles $pic_object"
+		      prev=
+		      continue
+		    else
+		      # If libtool objects are unsupported, then we need to preload.
+		      prev=dlprefiles
+		    fi
+		  fi
 
-      if test -n "$dlfiles$dlprefiles" || test "$dlself" != no; then
-	$echo "$modename: warning: \`-dlopen' is ignored for objects" 1>&2
-      fi
+		  # CHECK ME:  I think I busted this.  -Ossama
+		  if test "$prev" = dlprefiles; then
+		    # Preload the old-style object.
+		    dlprefiles="$dlprefiles $pic_object"
+		    prev=
+		  fi
 
-      if test -n "$rpath"; then
-	$echo "$modename: warning: \`-rpath' is ignored for objects" 1>&2
-      fi
+		  # A PIC object.
+		  func_append libobjs " $pic_object"
+		  arg="$pic_object"
+		fi
 
-      if test -n "$xrpath"; then
-	$echo "$modename: warning: \`-R' is ignored for objects" 1>&2
-      fi
+		# Non-PIC object.
+		if test "$non_pic_object" != none; then
+		  # Prepend the subdirectory the object is found in.
+		  non_pic_object="$xdir$non_pic_object"
 
-      if test -n "$vinfo"; then
-	$echo "$modename: warning: \`-version-info' is ignored for objects" 1>&2
-      fi
+		  # A standard non-PIC object
+		  func_append non_pic_objects " $non_pic_object"
+		  if test -z "$pic_object" || test "$pic_object" = none ; then
+		    arg="$non_pic_object"
+		  fi
+		else
+		  # If the PIC object exists, use it instead.
+		  # $xdir was prepended to $pic_object above.
+		  non_pic_object="$pic_object"
+		  func_append non_pic_objects " $non_pic_object"
+		fi
+	      else
+		# Only an error if not doing a dry-run.
+		if $opt_dry_run; then
+		  # Extract subdirectory from the argument.
+		  func_dirname "$arg" "/" ""
+		  xdir="$func_dirname_result"
+
+		  func_lo2o "$arg"
+		  pic_object=$xdir$objdir/$func_lo2o_result
+		  non_pic_object=$xdir$func_lo2o_result
+		  func_append libobjs " $pic_object"
+		  func_append non_pic_objects " $non_pic_object"
+	        else
+		  func_fatal_error "\`$arg' is not a valid libtool object"
+		fi
+	      fi
+	    done
+	  else
+	    func_fatal_error "link input file \`$arg' does not exist"
+	  fi
+	  arg=$save_arg
+	  prev=
+	  continue
+	  ;;
+	precious_regex)
+	  precious_files_regex="$arg"
+	  prev=
+	  continue
+	  ;;
+	release)
+	  release="-$arg"
+	  prev=
+	  continue
+	  ;;
+	rpath | xrpath)
+	  # We need an absolute path.
+	  case $arg in
+	  [\\/]* | [A-Za-z]:[\\/]*) ;;
+	  *)
+	    func_fatal_error "only absolute run-paths are allowed"
+	    ;;
+	  esac
+	  if test "$prev" = rpath; then
+	    case "$rpath " in
+	    *" $arg "*) ;;
+	    *) rpath="$rpath $arg" ;;
+	    esac
+	  else
+	    case "$xrpath " in
+	    *" $arg "*) ;;
+	    *) xrpath="$xrpath $arg" ;;
+	    esac
+	  fi
+	  prev=
+	  continue
+	  ;;
+	shrext)
+	  shrext_cmds="$arg"
+	  prev=
+	  continue
+	  ;;
+	weak)
+	  weak_libs="$weak_libs $arg"
+	  prev=
+	  continue
+	  ;;
+	xcclinker)
+	  linker_flags="$linker_flags $qarg"
+	  compiler_flags="$compiler_flags $qarg"
+	  prev=
+	  func_append compile_command " $qarg"
+	  func_append finalize_command " $qarg"
+	  continue
+	  ;;
+	xcompiler)
+	  compiler_flags="$compiler_flags $qarg"
+	  prev=
+	  func_append compile_command " $qarg"
+	  func_append finalize_command " $qarg"
+	  continue
+	  ;;
+	xlinker)
+	  linker_flags="$linker_flags $qarg"
+	  compiler_flags="$compiler_flags $wl$qarg"
+	  prev=
+	  func_append compile_command " $wl$qarg"
+	  func_append finalize_command " $wl$qarg"
+	  continue
+	  ;;
+	*)
+	  eval "$prev=\"\$arg\""
+	  prev=
+	  continue
+	  ;;
+	esac
+      fi # test -n "$prev"
 
-      if test -n "$release"; then
-	$echo "$modename: warning: \`-release' is ignored for objects" 1>&2
-      fi
+      prevarg="$arg"
 
-      case $output in
-      *.lo)
-	if test -n "$objs$old_deplibs"; then
-	  $echo "$modename: cannot build library object \`$output' from non-libtool objects" 1>&2
-	  exit $EXIT_FAILURE
+      case $arg in
+      -all-static)
+	if test -n "$link_static_flag"; then
+	  # See comment for -static flag below, for more details.
+	  func_append compile_command " $link_static_flag"
+	  func_append finalize_command " $link_static_flag"
 	fi
-	libobj="$output"
-	obj=`$echo "X$output" | $Xsed -e "$lo2o"`
-	;;
-      *)
-	libobj=
-	obj="$output"
+	continue
 	;;
-      esac
 
-      # Delete the old objects.
-      $run $rm $obj $libobj
-
-      # Objects from convenience libraries.  This assumes
-      # single-version convenience libraries.  Whenever we create
-      # different ones for PIC/non-PIC, this we'll have to duplicate
-      # the extraction.
-      reload_conv_objs=
-      gentop=
-      # reload_cmds runs $LD directly, so let us get rid of
-      # -Wl from whole_archive_flag_spec and hope we can get by with
-      # turning comma into space..
-      wl=
-
-      if test -n "$convenience"; then
-	if test -n "$whole_archive_flag_spec"; then
-	  eval tmp_whole_archive_flags=\"$whole_archive_flag_spec\"
-	  reload_conv_objs=$reload_objs\ `$echo "X$tmp_whole_archive_flags" | $Xsed -e 's|,| |g'`
-	else
-	  gentop="$output_objdir/${obj}x"
-	  generated="$generated $gentop"
-
-	  func_extract_archives $gentop $convenience
-	  reload_conv_objs="$reload_objs $func_extract_archives_result"
-	fi
-      fi
+      -allow-undefined)
+	# FIXME: remove this flag sometime in the future.
+	func_fatal_error "\`-allow-undefined' must not be used because it is the default"
+	;;
 
-      # Create the old-style object.
-      reload_objs="$objs$old_deplibs "`$echo "X$libobjs" | $SP2NL | $Xsed -e '/\.'${libext}$'/d' -e '/\.lib$/d' -e "$lo2o" | $NL2SP`" $reload_conv_objs" ### testsuite: skip nested quoting test
+      -avoid-version)
+	avoid_version=yes
+	continue
+	;;
 
-      output="$obj"
-      cmds=$reload_cmds
-      save_ifs="$IFS"; IFS='~'
-      for cmd in $cmds; do
-	IFS="$save_ifs"
-	eval cmd=\"$cmd\"
-	$show "$cmd"
-	$run eval "$cmd" || exit $?
-      done
-      IFS="$save_ifs"
+      -dlopen)
+	prev=dlfiles
+	continue
+	;;
 
-      # Exit if we aren't doing a library object file.
-      if test -z "$libobj"; then
-	if test -n "$gentop"; then
-	  $show "${rm}r $gentop"
-	  $run ${rm}r $gentop
-	fi
+      -dlpreopen)
+	prev=dlprefiles
+	continue
+	;;
 
-	exit $EXIT_SUCCESS
-      fi
+      -export-dynamic)
+	export_dynamic=yes
+	continue
+	;;
 
-      if test "$build_libtool_libs" != yes; then
-	if test -n "$gentop"; then
-	  $show "${rm}r $gentop"
-	  $run ${rm}r $gentop
+      -export-symbols | -export-symbols-regex)
+	if test -n "$export_symbols" || test -n "$export_symbols_regex"; then
+	  func_fatal_error "more than one -exported-symbols argument is not allowed"
 	fi
-
-	# Create an invalid libtool object if no PIC, so that we don't
-	# accidentally link it into a program.
-	# $show "echo timestamp > $libobj"
-	# $run eval "echo timestamp > $libobj" || exit $?
-	exit $EXIT_SUCCESS
-      fi
-
-      if test -n "$pic_flag" || test "$pic_mode" != default; then
-	# Only do commands if we really have different PIC objects.
-	reload_objs="$libobjs $reload_conv_objs"
-	output="$libobj"
-	cmds=$reload_cmds
-	save_ifs="$IFS"; IFS='~'
-	for cmd in $cmds; do
-	  IFS="$save_ifs"
-	  eval cmd=\"$cmd\"
-	  $show "$cmd"
-	  $run eval "$cmd" || exit $?
-	done
-	IFS="$save_ifs"
-      fi
-
-      if test -n "$gentop"; then
-	$show "${rm}r $gentop"
-	$run ${rm}r $gentop
-      fi
-
-      exit $EXIT_SUCCESS
-      ;;
-
-    prog)
-      case $host in
-	*cygwin*) output=`$echo $output | ${SED} -e 's,.exe$,,;s,$,.exe,'` ;;
-      esac
-      if test -n "$vinfo"; then
-	$echo "$modename: warning: \`-version-info' is ignored for programs" 1>&2
-      fi
-
-      if test -n "$release"; then
-	$echo "$modename: warning: \`-release' is ignored for programs" 1>&2
-      fi
-
-      if test "$preload" = yes; then
-	if test "$dlopen_support" = unknown && test "$dlopen_self" = unknown &&
-	   test "$dlopen_self_static" = unknown; then
-	  $echo "$modename: warning: \`AC_LIBTOOL_DLOPEN' not used. Assuming no dlopen support."
+	if test "X$arg" = "X-export-symbols"; then
+	  prev=expsyms
+	else
+	  prev=expsyms_regex
 	fi
-      fi
+	continue
+	;;
 
-      case $host in
-      *-*-rhapsody* | *-*-darwin1.[012])
-	# On Rhapsody replace the C library is the System framework
-	compile_deplibs=`$echo "X $compile_deplibs" | $Xsed -e 's/ -lc / -framework System /'`
-	finalize_deplibs=`$echo "X $finalize_deplibs" | $Xsed -e 's/ -lc / -framework System /'`
+      -framework)
+	prev=framework
+	continue
 	;;
-      esac
 
-      case $host in
-      *darwin*)
-        # Don't allow lazy linking, it breaks C++ global constructors
-        if test "$tagname" = CXX ; then
-        compile_command="$compile_command ${wl}-bind_at_load"
-        finalize_command="$finalize_command ${wl}-bind_at_load"
-        fi
-        ;;
-      esac
+      -inst-prefix-dir)
+	prev=inst_prefix
+	continue
+	;;
 
+      # The native IRIX linker understands -LANG:*, -LIST:* and -LNO:*
+      # so, if we see these flags be careful not to treat them like -L
+      -L[A-Z][A-Z]*:*)
+	case $with_gcc/$host in
+	no/*-*-irix* | /*-*-irix*)
+	  func_append compile_command " $arg"
+	  func_append finalize_command " $arg"
+	  ;;
+	esac
+	continue
+	;;
 
-      # move library search paths that coincide with paths to not yet
-      # installed libraries to the beginning of the library search list
-      new_libs=
-      for path in $notinst_path; do
-	case " $new_libs " in
-	*" -L$path/$objdir "*) ;;
+      -L*)
+	func_stripname '-L' '' "$arg"
+	dir=$func_stripname_result
+	# We need an absolute path.
+	case $dir in
+	[\\/]* | [A-Za-z]:[\\/]*) ;;
 	*)
-	  case " $compile_deplibs " in
-	  *" -L$path/$objdir "*)
-	    new_libs="$new_libs -L$path/$objdir" ;;
-	  esac
+	  absdir=`cd "$dir" && pwd`
+	  test -z "$absdir" && \
+	    func_fatal_error "cannot determine absolute directory name of \`$dir'"
+	  dir="$absdir"
 	  ;;
 	esac
-      done
-      for deplib in $compile_deplibs; do
-	case $deplib in
-	-L*)
-	  case " $new_libs " in
-	  *" $deplib "*) ;;
-	  *) new_libs="$new_libs $deplib" ;;
-	  esac
+	case "$deplibs " in
+	*" -L$dir "*) ;;
+	*)
+	  deplibs="$deplibs -L$dir"
+	  lib_search_path="$lib_search_path $dir"
 	  ;;
-	*) new_libs="$new_libs $deplib" ;;
 	esac
-      done
-      compile_deplibs="$new_libs"
-
-
-      compile_command="$compile_command $compile_deplibs"
-      finalize_command="$finalize_command $finalize_deplibs"
-
-      if test -n "$rpath$xrpath"; then
-	# If the user specified any rpath flags, then add them.
-	for libdir in $rpath $xrpath; do
-	  # This is the magic to use -rpath.
-	  case "$finalize_rpath " in
-	  *" $libdir "*) ;;
-	  *) finalize_rpath="$finalize_rpath $libdir" ;;
-	  esac
-	done
-      fi
-
-      # Now hardcode the library paths
-      rpath=
-      hardcode_libdirs=
-      for libdir in $compile_rpath $finalize_rpath; do
-	if test -n "$hardcode_libdir_flag_spec"; then
-	  if test -n "$hardcode_libdir_separator"; then
-	    if test -z "$hardcode_libdirs"; then
-	      hardcode_libdirs="$libdir"
-	    else
-	      # Just accumulate the unique libdirs.
-	      case $hardcode_libdir_separator$hardcode_libdirs$hardcode_libdir_separator in
-	      *"$hardcode_libdir_separator$libdir$hardcode_libdir_separator"*)
-		;;
-	      *)
-		hardcode_libdirs="$hardcode_libdirs$hardcode_libdir_separator$libdir"
-		;;
-	      esac
-	    fi
-	  else
-	    eval flag=\"$hardcode_libdir_flag_spec\"
-	    rpath="$rpath $flag"
-	  fi
-	elif test -n "$runpath_var"; then
-	  case "$perm_rpath " in
-	  *" $libdir "*) ;;
-	  *) perm_rpath="$perm_rpath $libdir" ;;
-	  esac
-	fi
 	case $host in
 	*-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2*)
-	  testbindir=`$echo "X$libdir" | $Xsed -e 's*/lib$*/bin*'`
+	  testbindir=`$ECHO "X$dir" | $Xsed -e 's*/lib$*/bin*'`
 	  case :$dllsearchpath: in
-	  *":$libdir:"*) ;;
-	  *) dllsearchpath="$dllsearchpath:$libdir";;
+	  *":$dir:"*) ;;
+	  *) dllsearchpath="$dllsearchpath:$dir";;
 	  esac
 	  case :$dllsearchpath: in
 	  *":$testbindir:"*) ;;
@@ -4518,2024 +3989,3682 @@ EOF
 	  esac
 	  ;;
 	esac
-      done
-      # Substitute the hardcoded libdirs into the rpath.
-      if test -n "$hardcode_libdir_separator" &&
-	 test -n "$hardcode_libdirs"; then
-	libdir="$hardcode_libdirs"
-	eval rpath=\" $hardcode_libdir_flag_spec\"
-      fi
-      compile_rpath="$rpath"
-
-      rpath=
-      hardcode_libdirs=
-      for libdir in $finalize_rpath; do
-	if test -n "$hardcode_libdir_flag_spec"; then
-	  if test -n "$hardcode_libdir_separator"; then
-	    if test -z "$hardcode_libdirs"; then
-	      hardcode_libdirs="$libdir"
-	    else
-	      # Just accumulate the unique libdirs.
-	      case $hardcode_libdir_separator$hardcode_libdirs$hardcode_libdir_separator in
-	      *"$hardcode_libdir_separator$libdir$hardcode_libdir_separator"*)
-		;;
-	      *)
-		hardcode_libdirs="$hardcode_libdirs$hardcode_libdir_separator$libdir"
-		;;
-	      esac
-	    fi
-	  else
-	    eval flag=\"$hardcode_libdir_flag_spec\"
-	    rpath="$rpath $flag"
-	  fi
-	elif test -n "$runpath_var"; then
-	  case "$finalize_perm_rpath " in
-	  *" $libdir "*) ;;
-	  *) finalize_perm_rpath="$finalize_perm_rpath $libdir" ;;
-	  esac
-	fi
-      done
-      # Substitute the hardcoded libdirs into the rpath.
-      if test -n "$hardcode_libdir_separator" &&
-	 test -n "$hardcode_libdirs"; then
-	libdir="$hardcode_libdirs"
-	eval rpath=\" $hardcode_libdir_flag_spec\"
-      fi
-      finalize_rpath="$rpath"
-
-      if test -n "$libobjs" && test "$build_old_libs" = yes; then
-	# Transform all the library objects into standard objects.
-	compile_command=`$echo "X$compile_command" | $SP2NL | $Xsed -e "$lo2o" | $NL2SP`
-	finalize_command=`$echo "X$finalize_command" | $SP2NL | $Xsed -e "$lo2o" | $NL2SP`
-      fi
-
-      dlsyms=
-      if test -n "$dlfiles$dlprefiles" || test "$dlself" != no; then
-	if test -n "$NM" && test -n "$global_symbol_pipe"; then
-	  dlsyms="${outputname}S.c"
-	else
-	  $echo "$modename: not configured to extract global symbols from dlpreopened files" 1>&2
-	fi
-      fi
-
-      if test -n "$dlsyms"; then
-	case $dlsyms in
-	"") ;;
-	*.c)
-	  # Discover the nlist of each of the dlfiles.
-	  nlist="$output_objdir/${outputname}.nm"
-
-	  $show "$rm $nlist ${nlist}S ${nlist}T"
-	  $run $rm "$nlist" "${nlist}S" "${nlist}T"
-
-	  # Parse the name list into a source file.
-	  $show "creating $output_objdir/$dlsyms"
-
-	  test -z "$run" && $echo > "$output_objdir/$dlsyms" "\
-/* $dlsyms - symbol resolution table for \`$outputname' dlsym emulation. */
-/* Generated by $PROGRAM - GNU $PACKAGE $VERSION$TIMESTAMP */
+	continue
+	;;
 
-#ifdef __cplusplus
-extern \"C\" {
-#endif
+      -l*)
+	if test "X$arg" = "X-lc" || test "X$arg" = "X-lm"; then
+	  case $host in
+	  *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-beos*)
+	    # These systems don't actually have a C or math library (as such)
+	    continue
+	    ;;
+	  *-*-os2*)
+	    # These systems don't actually have a C library (as such)
+	    test "X$arg" = "X-lc" && continue
+	    ;;
+	  *-*-openbsd* | *-*-freebsd* | *-*-dragonfly*)
+	    # Do not include libc due to us having libc/libc_r.
+	    test "X$arg" = "X-lc" && continue
+	    ;;
+	  *-*-rhapsody* | *-*-darwin1.[012])
+	    # Rhapsody C and math libraries are in the System framework
+	    deplibs="$deplibs System.ltframework"
+	    continue
+	    ;;
+	  *-*-sco3.2v5* | *-*-sco5v6*)
+	    # Causes problems with __ctype
+	    test "X$arg" = "X-lc" && continue
+	    ;;
+	  *-*-sysv4.2uw2* | *-*-sysv5* | *-*-unixware* | *-*-OpenUNIX*)
+	    # Compiler inserts libc in the correct place for threads to work
+	    test "X$arg" = "X-lc" && continue
+	    ;;
+	  esac
+	elif test "X$arg" = "X-lc_r"; then
+	 case $host in
+	 *-*-openbsd* | *-*-freebsd* | *-*-dragonfly*)
+	   # Do not include libc_r directly, use -pthread flag.
+	   continue
+	   ;;
+	 esac
+	fi
+	deplibs="$deplibs $arg"
+	continue
+	;;
 
-/* Prevent the only kind of declaration conflicts we can make. */
-#define lt_preloaded_symbols some_other_symbol
+      -module)
+	module=yes
+	continue
+	;;
 
-/* External symbol declarations for the compiler. */\
-"
+      # Tru64 UNIX uses -model [arg] to determine the layout of C++
+      # classes, name mangling, and exception handling.
+      # Darwin uses the -arch flag to determine output architecture.
+      -model|-arch|-isysroot)
+	compiler_flags="$compiler_flags $arg"
+	func_append compile_command " $arg"
+	func_append finalize_command " $arg"
+	prev=xcompiler
+	continue
+	;;
 
-	  if test "$dlself" = yes; then
-	    $show "generating symbol list for \`$output'"
+      -mt|-mthreads|-kthread|-Kthread|-pthread|-pthreads|--thread-safe|-threads)
+	compiler_flags="$compiler_flags $arg"
+	func_append compile_command " $arg"
+	func_append finalize_command " $arg"
+	case "$new_inherited_linker_flags " in
+	    *" $arg "*) ;;
+	    * ) new_inherited_linker_flags="$new_inherited_linker_flags $arg" ;;
+	esac
+	continue
+	;;
 
-	    test -z "$run" && $echo ': @PROGRAM@ ' > "$nlist"
+      -multi_module)
+	single_module="${wl}-multi_module"
+	continue
+	;;
 
-	    # Add our own program objects to the symbol list.
-	    progfiles=`$echo "X$objs$old_deplibs" | $SP2NL | $Xsed -e "$lo2o" | $NL2SP`
-	    for arg in $progfiles; do
-	      $show "extracting global C symbols from \`$arg'"
-	      $run eval "$NM $arg | $global_symbol_pipe >> '$nlist'"
-	    done
+      -no-fast-install)
+	fast_install=no
+	continue
+	;;
 
-	    if test -n "$exclude_expsyms"; then
-	      $run eval '$EGREP -v " ($exclude_expsyms)$" "$nlist" > "$nlist"T'
-	      $run eval '$mv "$nlist"T "$nlist"'
-	    fi
+      -no-install)
+	case $host in
+	*-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2* | *-*-darwin*)
+	  # The PATH hackery in wrapper scripts is required on Windows
+	  # and Darwin in order for the loader to find any dlls it needs.
+	  func_warning "\`-no-install' is ignored for $host"
+	  func_warning "assuming \`-no-fast-install' instead"
+	  fast_install=no
+	  ;;
+	*) no_install=yes ;;
+	esac
+	continue
+	;;
 
-	    if test -n "$export_symbols_regex"; then
-	      $run eval '$EGREP -e "$export_symbols_regex" "$nlist" > "$nlist"T'
-	      $run eval '$mv "$nlist"T "$nlist"'
-	    fi
+      -no-undefined)
+	allow_undefined=no
+	continue
+	;;
 
-	    # Prepare the list of exported symbols
-	    if test -z "$export_symbols"; then
-	      export_symbols="$output_objdir/$outputname.exp"
-	      $run $rm $export_symbols
-	      $run eval "${SED} -n -e '/^: @PROGRAM@ $/d' -e 's/^.* \(.*\)$/\1/p' "'< "$nlist" > "$export_symbols"'
-              case $host in
-              *cygwin* | *mingw* )
-	        $run eval "echo EXPORTS "'> "$output_objdir/$outputname.def"'
-		$run eval 'cat "$export_symbols" >> "$output_objdir/$outputname.def"'
-                ;;
-              esac
-	    else
-	      $run eval "${SED} -e 's/\([].[*^$]\)/\\\\\1/g' -e 's/^/ /' -e 's/$/$/'"' < "$export_symbols" > "$output_objdir/$outputname.exp"'
-	      $run eval 'grep -f "$output_objdir/$outputname.exp" < "$nlist" > "$nlist"T'
-	      $run eval 'mv "$nlist"T "$nlist"'
-              case $host in
-              *cygwin* | *mingw* )
-	        $run eval "echo EXPORTS "'> "$output_objdir/$outputname.def"'
-		$run eval 'cat "$nlist" >> "$output_objdir/$outputname.def"'
-                ;;
-              esac
-	    fi
-	  fi
+      -objectlist)
+	prev=objectlist
+	continue
+	;;
 
-	  for arg in $dlprefiles; do
-	    $show "extracting global C symbols from \`$arg'"
-	    name=`$echo "$arg" | ${SED} -e 's%^.*/%%'`
-	    $run eval '$echo ": $name " >> "$nlist"'
-	    $run eval "$NM $arg | $global_symbol_pipe >> '$nlist'"
-	  done
+      -o) prev=output ;;
 
-	  if test -z "$run"; then
-	    # Make sure we have at least an empty file.
-	    test -f "$nlist" || : > "$nlist"
+      -precious-files-regex)
+	prev=precious_regex
+	continue
+	;;
 
-	    if test -n "$exclude_expsyms"; then
-	      $EGREP -v " ($exclude_expsyms)$" "$nlist" > "$nlist"T
-	      $mv "$nlist"T "$nlist"
-	    fi
+      -release)
+	prev=release
+	continue
+	;;
 
-	    # Try sorting and uniquifying the output.
-	    if grep -v "^: " < "$nlist" |
-		if sort -k 3 </dev/null >/dev/null 2>&1; then
-		  sort -k 3
-		else
-		  sort +2
-		fi |
-		uniq > "$nlist"S; then
-	      :
-	    else
-	      grep -v "^: " < "$nlist" > "$nlist"S
-	    fi
+      -rpath)
+	prev=rpath
+	continue
+	;;
 
-	    if test -f "$nlist"S; then
-	      eval "$global_symbol_to_cdecl"' < "$nlist"S >> "$output_objdir/$dlsyms"'
-	    else
-	      $echo '/* NONE */' >> "$output_objdir/$dlsyms"
-	    fi
+      -R)
+	prev=xrpath
+	continue
+	;;
 
-	    $echo >> "$output_objdir/$dlsyms" "\
+      -R*)
+	func_stripname '-R' '' "$arg"
+	dir=$func_stripname_result
+	# We need an absolute path.
+	case $dir in
+	[\\/]* | [A-Za-z]:[\\/]*) ;;
+	*)
+	  func_fatal_error "only absolute run-paths are allowed"
+	  ;;
+	esac
+	case "$xrpath " in
+	*" $dir "*) ;;
+	*) xrpath="$xrpath $dir" ;;
+	esac
+	continue
+	;;
 
-#undef lt_preloaded_symbols
+      -shared)
+	# The effects of -shared are defined in a previous loop.
+	continue
+	;;
 
-#if defined (__STDC__) && __STDC__
-# define lt_ptr void *
-#else
-# define lt_ptr char *
-# define const
-#endif
+      -shrext)
+	prev=shrext
+	continue
+	;;
 
-/* The mapping between symbol names and symbols. */
-"
+      -static | -static-libtool-libs)
+	# The effects of -static are defined in a previous loop.
+	# We used to do the same as -all-static on platforms that
+	# didn't have a PIC flag, but the assumption that the effects
+	# would be equivalent was wrong.  It would break on at least
+	# Digital Unix and AIX.
+	continue
+	;;
 
-	    case $host in
-	    *cygwin* | *mingw* )
-	  $echo >> "$output_objdir/$dlsyms" "\
-/* DATA imports from DLLs on WIN32 can't be const, because
-   runtime relocations are performed -- see ld's documentation
-   on pseudo-relocs */
-struct {
-"
-	      ;;
-	    * )
-	  $echo >> "$output_objdir/$dlsyms" "\
-const struct {
-"
-	      ;;
-	    esac
+      -thread-safe)
+	thread_safe=yes
+	continue
+	;;
 
+      -version-info)
+	prev=vinfo
+	continue
+	;;
 
-	  $echo >> "$output_objdir/$dlsyms" "\
-  const char *name;
-  lt_ptr address;
-}
-lt_preloaded_symbols[] =
-{\
-"
+      -version-number)
+	prev=vinfo
+	vinfo_number=yes
+	continue
+	;;
 
-	    eval "$global_symbol_to_c_name_address" < "$nlist" >> "$output_objdir/$dlsyms"
+      -weak)
+        prev=weak
+	continue
+	;;
 
-	    $echo >> "$output_objdir/$dlsyms" "\
-  {0, (lt_ptr) 0}
-};
+      -Wc,*)
+	func_stripname '-Wc,' '' "$arg"
+	args=$func_stripname_result
+	arg=
+	save_ifs="$IFS"; IFS=','
+	for flag in $args; do
+	  IFS="$save_ifs"
+          func_quote_for_eval "$flag"
+	  arg="$arg $wl$func_quote_for_eval_result"
+	  compiler_flags="$compiler_flags $func_quote_for_eval_result"
+	done
+	IFS="$save_ifs"
+	func_stripname ' ' '' "$arg"
+	arg=$func_stripname_result
+	;;
 
-/* This works around a problem in FreeBSD linker */
-#ifdef FREEBSD_WORKAROUND
-static const void *lt_preloaded_setup() {
-  return lt_preloaded_symbols;
-}
-#endif
+      -Wl,*)
+	func_stripname '-Wl,' '' "$arg"
+	args=$func_stripname_result
+	arg=
+	save_ifs="$IFS"; IFS=','
+	for flag in $args; do
+	  IFS="$save_ifs"
+          func_quote_for_eval "$flag"
+	  arg="$arg $wl$func_quote_for_eval_result"
+	  compiler_flags="$compiler_flags $wl$func_quote_for_eval_result"
+	  linker_flags="$linker_flags $func_quote_for_eval_result"
+	done
+	IFS="$save_ifs"
+	func_stripname ' ' '' "$arg"
+	arg=$func_stripname_result
+	;;
 
-#ifdef __cplusplus
-}
-#endif\
-"
-	  fi
+      -Xcompiler)
+	prev=xcompiler
+	continue
+	;;
 
-	  pic_flag_for_symtable=
-	  case $host in
-	  # compiling the symbol table file with pic_flag works around
-	  # a FreeBSD bug that causes programs to crash when -lm is
-	  # linked before any other PIC object.  But we must not use
-	  # pic_flag when linking with -static.  The problem exists in
-	  # FreeBSD 2.2.6 and is fixed in FreeBSD 3.1.
-	  *-*-freebsd2*|*-*-freebsd3.0*|*-*-freebsdelf3.0*)
-	    case "$compile_command " in
-	    *" -static "*) ;;
-	    *) pic_flag_for_symtable=" $pic_flag -DFREEBSD_WORKAROUND";;
-	    esac;;
-	  *-*-hpux*)
-	    case "$compile_command " in
-	    *" -static "*) ;;
-	    *) pic_flag_for_symtable=" $pic_flag";;
-	    esac
-	  esac
+      -Xlinker)
+	prev=xlinker
+	continue
+	;;
 
-	  # Now compile the dynamic symbol file.
-	  $show "(cd $output_objdir && $LTCC  $LTCFLAGS -c$no_builtin_flag$pic_flag_for_symtable \"$dlsyms\")"
-	  $run eval '(cd $output_objdir && $LTCC  $LTCFLAGS -c$no_builtin_flag$pic_flag_for_symtable "$dlsyms")' || exit $?
-
-	  # Clean up the generated files.
-	  $show "$rm $output_objdir/$dlsyms $nlist ${nlist}S ${nlist}T"
-	  $run $rm "$output_objdir/$dlsyms" "$nlist" "${nlist}S" "${nlist}T"
-
-	  # Transform the symbol file into the correct name.
-          case $host in
-          *cygwin* | *mingw* )
-            if test -f "$output_objdir/${outputname}.def" ; then
-              compile_command=`$echo "X$compile_command" | $SP2NL | $Xsed -e "s%@SYMFILE@%$output_objdir/${outputname}.def $output_objdir/${outputname}S.${objext}%" | $NL2SP`
-              finalize_command=`$echo "X$finalize_command" | $SP2NL | $Xsed -e "s%@SYMFILE@%$output_objdir/${outputname}.def $output_objdir/${outputname}S.${objext}%" | $NL2SP`
-            else
-              compile_command=`$echo "X$compile_command" | $SP2NL | $Xsed -e "s%@SYMFILE@%$output_objdir/${outputname}S.${objext}%" | $NL2SP`
-              finalize_command=`$echo "X$finalize_command" | $SP2NL | $Xsed -e "s%@SYMFILE@%$output_objdir/${outputname}S.${objext}%" | $NL2SP`
-             fi
-            ;;
-          * )
-            compile_command=`$echo "X$compile_command" | $SP2NL | $Xsed -e "s%@SYMFILE@%$output_objdir/${outputname}S.${objext}%" | $NL2SP`
-            finalize_command=`$echo "X$finalize_command" | $SP2NL | $Xsed -e "s%@SYMFILE@%$output_objdir/${outputname}S.${objext}%" | $NL2SP`
-            ;;
-          esac
-	  ;;
-	*)
-	  $echo "$modename: unknown suffix for \`$dlsyms'" 1>&2
-	  exit $EXIT_FAILURE
-	  ;;
-	esac
-      else
-	# We keep going just in case the user didn't refer to
-	# lt_preloaded_symbols.  The linker will fail if global_symbol_pipe
-	# really was required.
+      -XCClinker)
+	prev=xcclinker
+	continue
+	;;
 
-	# Nullify the symbol file.
-	compile_command=`$echo "X$compile_command" | $SP2NL | $Xsed -e "s% @SYMFILE@%%" | $NL2SP`
-	finalize_command=`$echo "X$finalize_command" | $SP2NL | $Xsed -e "s% @SYMFILE@%%" | $NL2SP`
-      fi
+      # -msg_* for osf cc
+      -msg_*)
+	func_quote_for_eval "$arg"
+	arg="$func_quote_for_eval_result"
+	;;
 
-      if test "$need_relink" = no || test "$build_libtool_libs" != yes; then
-	# Replace the output file specification.
-	compile_command=`$echo "X$compile_command" | $SP2NL | $Xsed -e 's%@OUTPUT@%'"$output"'%g' | $NL2SP`
-	link_command="$compile_command$compile_rpath"
+      # -64, -mips[0-9] enable 64-bit mode on the SGI compiler
+      # -r[0-9][0-9]* specifies the processor on the SGI compiler
+      # -xarch=*, -xtarget=* enable 64-bit mode on the Sun compiler
+      # +DA*, +DD* enable 64-bit mode on the HP compiler
+      # -q* pass through compiler args for the IBM compiler
+      # -m*, -t[45]*, -txscale* pass through architecture-specific
+      # compiler args for GCC
+      # -F/path gives path to uninstalled frameworks, gcc on darwin
+      # -p, -pg, --coverage, -fprofile-* pass through profiling flag for GCC
+      # @file GCC response files
+      -64|-mips[0-9]|-r[0-9][0-9]*|-xarch=*|-xtarget=*|+DA*|+DD*|-q*|-m*| \
+      -t[45]*|-txscale*|-p|-pg|--coverage|-fprofile-*|-F*|@*)
+        func_quote_for_eval "$arg"
+	arg="$func_quote_for_eval_result"
+        func_append compile_command " $arg"
+        func_append finalize_command " $arg"
+        compiler_flags="$compiler_flags $arg"
+        continue
+        ;;
 
-	# We have no uninstalled library dependencies, so finalize right now.
-	$show "$link_command"
-	$run eval "$link_command"
-	exit_status=$?
+      # Some other compiler flag.
+      -* | +*)
+        func_quote_for_eval "$arg"
+	arg="$func_quote_for_eval_result"
+	;;
 
-	# Delete the generated files.
-	if test -n "$dlsyms"; then
-	  $show "$rm $output_objdir/${outputname}S.${objext}"
-	  $run $rm "$output_objdir/${outputname}S.${objext}"
-	fi
+      *.$objext)
+	# A standard object.
+	objs="$objs $arg"
+	;;
 
-	exit $exit_status
-      fi
+      *.lo)
+	# A libtool-controlled object.
 
-      if test -n "$shlibpath_var"; then
-	# We should set the shlibpath_var
-	rpath=
-	for dir in $temp_rpath; do
-	  case $dir in
-	  [\\/]* | [A-Za-z]:[\\/]*)
-	    # Absolute path.
-	    rpath="$rpath$dir:"
-	    ;;
-	  *)
-	    # Relative path: add a thisdir entry.
-	    rpath="$rpath\$thisdir/$dir:"
-	    ;;
-	  esac
-	done
-	temp_rpath="$rpath"
-      fi
+	# Check to see that this really is a libtool object.
+	if func_lalib_unsafe_p "$arg"; then
+	  pic_object=
+	  non_pic_object=
 
-      if test -n "$compile_shlibpath$finalize_shlibpath"; then
-	compile_command="$shlibpath_var=\"$compile_shlibpath$finalize_shlibpath\$$shlibpath_var\" $compile_command"
-      fi
-      if test -n "$finalize_shlibpath"; then
-	finalize_command="$shlibpath_var=\"$finalize_shlibpath\$$shlibpath_var\" $finalize_command"
-      fi
+	  # Read the .lo file
+	  func_source "$arg"
 
-      compile_var=
-      finalize_var=
-      if test -n "$runpath_var"; then
-	if test -n "$perm_rpath"; then
-	  # We should set the runpath_var.
-	  rpath=
-	  for dir in $perm_rpath; do
-	    rpath="$rpath$dir:"
-	  done
-	  compile_var="$runpath_var=\"$rpath\$$runpath_var\" "
-	fi
-	if test -n "$finalize_perm_rpath"; then
-	  # We should set the runpath_var.
-	  rpath=
-	  for dir in $finalize_perm_rpath; do
-	    rpath="$rpath$dir:"
-	  done
-	  finalize_var="$runpath_var=\"$rpath\$$runpath_var\" "
-	fi
-      fi
+	  if test -z "$pic_object" ||
+	     test -z "$non_pic_object" ||
+	     test "$pic_object" = none &&
+	     test "$non_pic_object" = none; then
+	    func_fatal_error "cannot find name of object for \`$arg'"
+	  fi
 
-      if test "$no_install" = yes; then
-	# We don't need to create a wrapper script.
-	link_command="$compile_var$compile_command$compile_rpath"
-	# Replace the output file specification.
-	link_command=`$echo "X$link_command" | $Xsed -e 's%@OUTPUT@%'"$output"'%g'`
-	# Delete the old output file.
-	$run $rm $output
-	# Link the executable and exit
-	$show "$link_command"
-	$run eval "$link_command" || exit $?
-	exit $EXIT_SUCCESS
-      fi
+	  # Extract subdirectory from the argument.
+	  func_dirname "$arg" "/" ""
+	  xdir="$func_dirname_result"
 
-      if test "$hardcode_action" = relink; then
-	# Fast installation is not supported
-	link_command="$compile_var$compile_command$compile_rpath"
-	relink_command="$finalize_var$finalize_command$finalize_rpath"
+	  if test "$pic_object" != none; then
+	    # Prepend the subdirectory the object is found in.
+	    pic_object="$xdir$pic_object"
 
-	$echo "$modename: warning: this platform does not like uninstalled shared libraries" 1>&2
-	$echo "$modename: \`$output' will be relinked during installation" 1>&2
-      else
-	if test "$fast_install" != no; then
-	  link_command="$finalize_var$compile_command$finalize_rpath"
-	  if test "$fast_install" = yes; then
-	    relink_command=`$echo "X$compile_var$compile_command$compile_rpath" | $SP2NL | $Xsed -e 's%@OUTPUT@%\$progdir/\$file%g' | $NL2SP`
+	    if test "$prev" = dlfiles; then
+	      if test "$build_libtool_libs" = yes && test "$dlopen_support" = yes; then
+		dlfiles="$dlfiles $pic_object"
+		prev=
+		continue
+	      else
+		# If libtool objects are unsupported, then we need to preload.
+		prev=dlprefiles
+	      fi
+	    fi
+
+	    # CHECK ME:  I think I busted this.  -Ossama
+	    if test "$prev" = dlprefiles; then
+	      # Preload the old-style object.
+	      dlprefiles="$dlprefiles $pic_object"
+	      prev=
+	    fi
+
+	    # A PIC object.
+	    func_append libobjs " $pic_object"
+	    arg="$pic_object"
+	  fi
+
+	  # Non-PIC object.
+	  if test "$non_pic_object" != none; then
+	    # Prepend the subdirectory the object is found in.
+	    non_pic_object="$xdir$non_pic_object"
+
+	    # A standard non-PIC object
+	    func_append non_pic_objects " $non_pic_object"
+	    if test -z "$pic_object" || test "$pic_object" = none ; then
+	      arg="$non_pic_object"
+	    fi
 	  else
-	    # fast_install is set to needless
-	    relink_command=
+	    # If the PIC object exists, use it instead.
+	    # $xdir was prepended to $pic_object above.
+	    non_pic_object="$pic_object"
+	    func_append non_pic_objects " $non_pic_object"
 	  fi
 	else
-	  link_command="$compile_var$compile_command$compile_rpath"
-	  relink_command="$finalize_var$finalize_command$finalize_rpath"
+	  # Only an error if not doing a dry-run.
+	  if $opt_dry_run; then
+	    # Extract subdirectory from the argument.
+	    func_dirname "$arg" "/" ""
+	    xdir="$func_dirname_result"
+
+	    func_lo2o "$arg"
+	    pic_object=$xdir$objdir/$func_lo2o_result
+	    non_pic_object=$xdir$func_lo2o_result
+	    func_append libobjs " $pic_object"
+	    func_append non_pic_objects " $non_pic_object"
+	  else
+	    func_fatal_error "\`$arg' is not a valid libtool object"
+	  fi
 	fi
-      fi
-
-      # Replace the output file specification.
-      link_command=`$echo "X$link_command" | $Xsed -e 's%@OUTPUT@%'"$output_objdir/$outputname"'%g'`
+	;;
 
-      # Delete the old output files.
-      $run $rm $output $output_objdir/$outputname $output_objdir/lt-$outputname
+      *.$libext)
+	# An archive.
+	deplibs="$deplibs $arg"
+	old_deplibs="$old_deplibs $arg"
+	continue
+	;;
 
-      $show "$link_command"
-      $run eval "$link_command" || exit $?
+      *.la)
+	# A libtool-controlled library.
 
-      # Now create the wrapper script.
-      $show "creating $output"
+	if test "$prev" = dlfiles; then
+	  # This library was specified with -dlopen.
+	  dlfiles="$dlfiles $arg"
+	  prev=
+	elif test "$prev" = dlprefiles; then
+	  # The library was specified with -dlpreopen.
+	  dlprefiles="$dlprefiles $arg"
+	  prev=
+	else
+	  deplibs="$deplibs $arg"
+	fi
+	continue
+	;;
 
-      # Quote the relink command for shipping.
-      if test -n "$relink_command"; then
-	# Preserve any variables that may affect compiler behavior
-	for var in $variables_saved_for_relink; do
-	  if eval test -z \"\${$var+set}\"; then
-	    relink_command="{ test -z \"\${$var+set}\" || unset $var || { $var=; export $var; }; }; $relink_command"
-	  elif eval var_value=\$$var; test -z "$var_value"; then
-	    relink_command="$var=; export $var; $relink_command"
-	  else
-	    var_value=`$echo "X$var_value" | $Xsed -e "$sed_quote_subst"`
-	    relink_command="$var=\"$var_value\"; export $var; $relink_command"
-	  fi
-	done
-	relink_command="(cd `pwd`; $relink_command)"
-	relink_command=`$echo "X$relink_command" | $SP2NL | $Xsed -e "$sed_quote_subst" | $NL2SP`
-      fi
+      # Some other compiler argument.
+      *)
+	# Unknown arguments in both finalize_command and compile_command need
+	# to be aesthetically quoted because they are evaled later.
+	func_quote_for_eval "$arg"
+	arg="$func_quote_for_eval_result"
+	;;
+      esac # arg
 
-      # Quote $echo for shipping.
-      if test "X$echo" = "X$SHELL $progpath --fallback-echo"; then
-	case $progpath in
-	[\\/]* | [A-Za-z]:[\\/]*) qecho="$SHELL $progpath --fallback-echo";;
-	*) qecho="$SHELL `pwd`/$progpath --fallback-echo";;
-	esac
-	qecho=`$echo "X$qecho" | $Xsed -e "$sed_quote_subst"`
-      else
-	qecho=`$echo "X$echo" | $Xsed -e "$sed_quote_subst"`
+      # Now actually substitute the argument into the commands.
+      if test -n "$arg"; then
+	func_append compile_command " $arg"
+	func_append finalize_command " $arg"
       fi
+    done # argument parsing loop
 
-      # Only actually do things if our run command is non-null.
-      if test -z "$run"; then
-	# win32 will think the script is a binary if it has
-	# a .exe suffix, so we strip it off here.
-	case $output in
-	  *.exe) output=`$echo $output|${SED} 's,.exe$,,'` ;;
-	esac
-	# test for cygwin because mv fails w/o .exe extensions
-	case $host in
-	  *cygwin*)
-	    exeext=.exe
-	    outputname=`$echo $outputname|${SED} 's,.exe$,,'` ;;
-	  *) exeext= ;;
-	esac
-	case $host in
-	  *cygwin* | *mingw* )
-            output_name=`basename $output`
-            output_path=`dirname $output`
-            cwrappersource="$output_path/$objdir/lt-$output_name.c"
-            cwrapper="$output_path/$output_name.exe"
-            $rm $cwrappersource $cwrapper
-            trap "$rm $cwrappersource $cwrapper; exit $EXIT_FAILURE" 1 2 15
-
-	    cat > $cwrappersource <<EOF
+    test -n "$prev" && \
+      func_fatal_help "the \`$prevarg' option requires an argument"
 
-/* $cwrappersource - temporary wrapper executable for $objdir/$outputname
-   Generated by $PROGRAM - GNU $PACKAGE $VERSION$TIMESTAMP
+    if test "$export_dynamic" = yes && test -n "$export_dynamic_flag_spec"; then
+      eval arg=\"$export_dynamic_flag_spec\"
+      func_append compile_command " $arg"
+      func_append finalize_command " $arg"
+    fi
 
-   The $output program cannot be directly executed until all the libtool
-   libraries that it depends on are installed.
+    oldlibs=
+    # calculate the name of the file, without its directory
+    func_basename "$output"
+    outputname="$func_basename_result"
+    libobjs_save="$libobjs"
 
-   This wrapper executable should never be moved out of the build directory.
-   If it is, it will not operate correctly.
+    if test -n "$shlibpath_var"; then
+      # get the directories listed in $shlibpath_var
+      eval shlib_search_path=\`\$ECHO \"X\${$shlibpath_var}\" \| \$Xsed -e \'s/:/ /g\'\`
+    else
+      shlib_search_path=
+    fi
+    eval sys_lib_search_path=\"$sys_lib_search_path_spec\"
+    eval sys_lib_dlsearch_path=\"$sys_lib_dlsearch_path_spec\"
 
-   Currently, it simply execs the wrapper *script* "/bin/sh $output",
-   but could eventually absorb all of the scripts functionality and
-   exec $objdir/$outputname directly.
-*/
-EOF
-	    cat >> $cwrappersource<<"EOF"
-#include <stdio.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <malloc.h>
-#include <stdarg.h>
-#include <assert.h>
-#include <string.h>
-#include <ctype.h>
-#include <sys/stat.h>
+    func_dirname "$output" "/" ""
+    output_objdir="$func_dirname_result$objdir"
+    # Create the object directory.
+    func_mkdir_p "$output_objdir"
 
-#if defined(PATH_MAX)
-# define LT_PATHMAX PATH_MAX
-#elif defined(MAXPATHLEN)
-# define LT_PATHMAX MAXPATHLEN
-#else
-# define LT_PATHMAX 1024
-#endif
+    # Determine the type of output
+    case $output in
+    "")
+      func_fatal_help "you must specify an output file"
+      ;;
+    *.$libext) linkmode=oldlib ;;
+    *.lo | *.$objext) linkmode=obj ;;
+    *.la) linkmode=lib ;;
+    *) linkmode=prog ;; # Anything else should be a program.
+    esac
 
-#ifndef DIR_SEPARATOR
-# define DIR_SEPARATOR '/'
-# define PATH_SEPARATOR ':'
-#endif
+    specialdeplibs=
 
-#if defined (_WIN32) || defined (__MSDOS__) || defined (__DJGPP__) || \
-  defined (__OS2__)
-# define HAVE_DOS_BASED_FILE_SYSTEM
-# ifndef DIR_SEPARATOR_2
-#  define DIR_SEPARATOR_2 '\\'
-# endif
-# ifndef PATH_SEPARATOR_2
-#  define PATH_SEPARATOR_2 ';'
-# endif
-#endif
+    libs=
+    # Find all interdependent deplibs by searching for libraries
+    # that are linked more than once (e.g. -la -lb -la)
+    for deplib in $deplibs; do
+      if $opt_duplicate_deps ; then
+	case "$libs " in
+	*" $deplib "*) specialdeplibs="$specialdeplibs $deplib" ;;
+	esac
+      fi
+      libs="$libs $deplib"
+    done
 
-#ifndef DIR_SEPARATOR_2
-# define IS_DIR_SEPARATOR(ch) ((ch) == DIR_SEPARATOR)
-#else /* DIR_SEPARATOR_2 */
-# define IS_DIR_SEPARATOR(ch) \
-        (((ch) == DIR_SEPARATOR) || ((ch) == DIR_SEPARATOR_2))
-#endif /* DIR_SEPARATOR_2 */
+    if test "$linkmode" = lib; then
+      libs="$predeps $libs $compiler_lib_search_path $postdeps"
 
-#ifndef PATH_SEPARATOR_2
-# define IS_PATH_SEPARATOR(ch) ((ch) == PATH_SEPARATOR)
-#else /* PATH_SEPARATOR_2 */
-# define IS_PATH_SEPARATOR(ch) ((ch) == PATH_SEPARATOR_2)
-#endif /* PATH_SEPARATOR_2 */
+      # Compute libraries that are listed more than once in $predeps
+      # $postdeps and mark them as special (i.e., whose duplicates are
+      # not to be eliminated).
+      pre_post_deps=
+      if $opt_duplicate_compiler_generated_deps; then
+	for pre_post_dep in $predeps $postdeps; do
+	  case "$pre_post_deps " in
+	  *" $pre_post_dep "*) specialdeplibs="$specialdeplibs $pre_post_deps" ;;
+	  esac
+	  pre_post_deps="$pre_post_deps $pre_post_dep"
+	done
+      fi
+      pre_post_deps=
+    fi
+
+    deplibs=
+    newdependency_libs=
+    newlib_search_path=
+    need_relink=no # whether we're linking any uninstalled libtool libraries
+    notinst_deplibs= # not-installed libtool libraries
+    notinst_path= # paths that contain not-installed libtool libraries
+
+    case $linkmode in
+    lib)
+	passes="conv dlpreopen link"
+	for file in $dlfiles $dlprefiles; do
+	  case $file in
+	  *.la) ;;
+	  *)
+	    func_fatal_help "libraries can \`-dlopen' only libtool libraries: $file"
+	    ;;
+	  esac
+	done
+	;;
+    prog)
+	compile_deplibs=
+	finalize_deplibs=
+	alldeplibs=no
+	newdlfiles=
+	newdlprefiles=
+	passes="conv scan dlopen dlpreopen link"
+	;;
+    *)  passes="conv"
+	;;
+    esac
+
+    for pass in $passes; do
+      # The preopen pass in lib mode reverses $deplibs; put it back here
+      # so that -L comes before libs that need it for instance...
+      if test "$linkmode,$pass" = "lib,link"; then
+	## FIXME: Find the place where the list is rebuilt in the wrong
+	##        order, and fix it there properly
+        tmp_deplibs=
+	for deplib in $deplibs; do
+	  tmp_deplibs="$deplib $tmp_deplibs"
+	done
+	deplibs="$tmp_deplibs"
+      fi
+
+      if test "$linkmode,$pass" = "lib,link" ||
+	 test "$linkmode,$pass" = "prog,scan"; then
+	libs="$deplibs"
+	deplibs=
+      fi
+      if test "$linkmode" = prog; then
+	case $pass in
+	dlopen) libs="$dlfiles" ;;
+	dlpreopen) libs="$dlprefiles" ;;
+	link)
+	  libs="$deplibs %DEPLIBS%"
+	  test "X$link_all_deplibs" != Xno && libs="$libs $dependency_libs"
+	  ;;
+	esac
+      fi
+      if test "$linkmode,$pass" = "lib,dlpreopen"; then
+	# Collect and forward deplibs of preopened libtool libs
+	for lib in $dlprefiles; do
+	  # Ignore non-libtool-libs
+	  dependency_libs=
+	  case $lib in
+	  *.la)	func_source "$lib" ;;
+	  esac
+
+	  # Collect preopened libtool deplibs, except any this library
+	  # has declared as weak libs
+	  for deplib in $dependency_libs; do
+            deplib_base=`$ECHO "X$deplib" | $Xsed -e "$basename"`
+	    case " $weak_libs " in
+	    *" $deplib_base "*) ;;
+	    *) deplibs="$deplibs $deplib" ;;
+	    esac
+	  done
+	done
+	libs="$dlprefiles"
+      fi
+      if test "$pass" = dlopen; then
+	# Collect dlpreopened libraries
+	save_deplibs="$deplibs"
+	deplibs=
+      fi
+
+      for deplib in $libs; do
+	lib=
+	found=no
+	case $deplib in
+	-mt|-mthreads|-kthread|-Kthread|-pthread|-pthreads|--thread-safe|-threads)
+	  if test "$linkmode,$pass" = "prog,link"; then
+	    compile_deplibs="$deplib $compile_deplibs"
+	    finalize_deplibs="$deplib $finalize_deplibs"
+	  else
+	    compiler_flags="$compiler_flags $deplib"
+	    if test "$linkmode" = lib ; then
+		case "$new_inherited_linker_flags " in
+		    *" $deplib "*) ;;
+		    * ) new_inherited_linker_flags="$new_inherited_linker_flags $deplib" ;;
+		esac
+	    fi
+	  fi
+	  continue
+	  ;;
+	-l*)
+	  if test "$linkmode" != lib && test "$linkmode" != prog; then
+	    func_warning "\`-l' is ignored for archives/objects"
+	    continue
+	  fi
+	  func_stripname '-l' '' "$deplib"
+	  name=$func_stripname_result
+	  if test "$linkmode" = lib; then
+	    searchdirs="$newlib_search_path $lib_search_path $compiler_lib_search_dirs $sys_lib_search_path $shlib_search_path"
+	  else
+	    searchdirs="$newlib_search_path $lib_search_path $sys_lib_search_path $shlib_search_path"
+	  fi
+	  for searchdir in $searchdirs; do
+	    for search_ext in .la $std_shrext .so .a; do
+	      # Search the libtool library
+	      lib="$searchdir/lib${name}${search_ext}"
+	      if test -f "$lib"; then
+		if test "$search_ext" = ".la"; then
+		  found=yes
+		else
+		  found=no
+		fi
+		break 2
+	      fi
+	    done
+	  done
+	  if test "$found" != yes; then
+	    # deplib doesn't seem to be a libtool library
+	    if test "$linkmode,$pass" = "prog,link"; then
+	      compile_deplibs="$deplib $compile_deplibs"
+	      finalize_deplibs="$deplib $finalize_deplibs"
+	    else
+	      deplibs="$deplib $deplibs"
+	      test "$linkmode" = lib && newdependency_libs="$deplib $newdependency_libs"
+	    fi
+	    continue
+	  else # deplib is a libtool library
+	    # If $allow_libtool_libs_with_static_runtimes && $deplib is a stdlib,
+	    # We need to do some special things here, and not later.
+	    if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then
+	      case " $predeps $postdeps " in
+	      *" $deplib "*)
+		if func_lalib_p "$lib"; then
+		  library_names=
+		  old_library=
+		  func_source "$lib"
+		  for l in $old_library $library_names; do
+		    ll="$l"
+		  done
+		  if test "X$ll" = "X$old_library" ; then # only static version available
+		    found=no
+		    func_dirname "$lib" "" "."
+		    ladir="$func_dirname_result"
+		    lib=$ladir/$old_library
+		    if test "$linkmode,$pass" = "prog,link"; then
+		      compile_deplibs="$deplib $compile_deplibs"
+		      finalize_deplibs="$deplib $finalize_deplibs"
+		    else
+		      deplibs="$deplib $deplibs"
+		      test "$linkmode" = lib && newdependency_libs="$deplib $newdependency_libs"
+		    fi
+		    continue
+		  fi
+		fi
+		;;
+	      *) ;;
+	      esac
+	    fi
+	  fi
+	  ;; # -l
+	*.ltframework)
+	  if test "$linkmode,$pass" = "prog,link"; then
+	    compile_deplibs="$deplib $compile_deplibs"
+	    finalize_deplibs="$deplib $finalize_deplibs"
+	  else
+	    deplibs="$deplib $deplibs"
+	    if test "$linkmode" = lib ; then
+		case "$new_inherited_linker_flags " in
+		    *" $deplib "*) ;;
+		    * ) new_inherited_linker_flags="$new_inherited_linker_flags $deplib" ;;
+		esac
+	    fi
+	  fi
+	  continue
+	  ;;
+	-L*)
+	  case $linkmode in
+	  lib)
+	    deplibs="$deplib $deplibs"
+	    test "$pass" = conv && continue
+	    newdependency_libs="$deplib $newdependency_libs"
+	    func_stripname '-L' '' "$deplib"
+	    newlib_search_path="$newlib_search_path $func_stripname_result"
+	    ;;
+	  prog)
+	    if test "$pass" = conv; then
+	      deplibs="$deplib $deplibs"
+	      continue
+	    fi
+	    if test "$pass" = scan; then
+	      deplibs="$deplib $deplibs"
+	    else
+	      compile_deplibs="$deplib $compile_deplibs"
+	      finalize_deplibs="$deplib $finalize_deplibs"
+	    fi
+	    func_stripname '-L' '' "$deplib"
+	    newlib_search_path="$newlib_search_path $func_stripname_result"
+	    ;;
+	  *)
+	    func_warning "\`-L' is ignored for archives/objects"
+	    ;;
+	  esac # linkmode
+	  continue
+	  ;; # -L
+	-R*)
+	  if test "$pass" = link; then
+	    func_stripname '-R' '' "$deplib"
+	    dir=$func_stripname_result
+	    # Make sure the xrpath contains only unique directories.
+	    case "$xrpath " in
+	    *" $dir "*) ;;
+	    *) xrpath="$xrpath $dir" ;;
+	    esac
+	  fi
+	  deplibs="$deplib $deplibs"
+	  continue
+	  ;;
+	*.la) lib="$deplib" ;;
+	*.$libext)
+	  if test "$pass" = conv; then
+	    deplibs="$deplib $deplibs"
+	    continue
+	  fi
+	  case $linkmode in
+	  lib)
+	    # Linking convenience modules into shared libraries is allowed,
+	    # but linking other static libraries is non-portable.
+	    case " $dlpreconveniencelibs " in
+	    *" $deplib "*) ;;
+	    *)
+	      valid_a_lib=no
+	      case $deplibs_check_method in
+		match_pattern*)
+		  set dummy $deplibs_check_method; shift
+		  match_pattern_regex=`expr "$deplibs_check_method" : "$1 \(.*\)"`
+		  if eval "\$ECHO \"X$deplib\"" 2>/dev/null | $Xsed -e 10q \
+		    | $EGREP "$match_pattern_regex" > /dev/null; then
+		    valid_a_lib=yes
+		  fi
+		;;
+		pass_all)
+		  valid_a_lib=yes
+		;;
+	      esac
+	      if test "$valid_a_lib" != yes; then
+		$ECHO
+		$ECHO "*** Warning: Trying to link with static lib archive $deplib."
+		$ECHO "*** I have the capability to make that library automatically link in when"
+		$ECHO "*** you link to this library.  But I can only do this if you have a"
+		$ECHO "*** shared version of the library, which you do not appear to have"
+		$ECHO "*** because the file extensions .$libext of this argument makes me believe"
+		$ECHO "*** that it is just a static archive that I should not use here."
+	      else
+		$ECHO
+		$ECHO "*** Warning: Linking the shared library $output against the"
+		$ECHO "*** static library $deplib is not portable!"
+		deplibs="$deplib $deplibs"
+	      fi
+	      ;;
+	    esac
+	    continue
+	    ;;
+	  prog)
+	    if test "$pass" != link; then
+	      deplibs="$deplib $deplibs"
+	    else
+	      compile_deplibs="$deplib $compile_deplibs"
+	      finalize_deplibs="$deplib $finalize_deplibs"
+	    fi
+	    continue
+	    ;;
+	  esac # linkmode
+	  ;; # *.$libext
+	*.lo | *.$objext)
+	  if test "$pass" = conv; then
+	    deplibs="$deplib $deplibs"
+	  elif test "$linkmode" = prog; then
+	    if test "$pass" = dlpreopen || test "$dlopen_support" != yes || test "$build_libtool_libs" = no; then
+	      # If there is no dlopen support or we're linking statically,
+	      # we need to preload.
+	      newdlprefiles="$newdlprefiles $deplib"
+	      compile_deplibs="$deplib $compile_deplibs"
+	      finalize_deplibs="$deplib $finalize_deplibs"
+	    else
+	      newdlfiles="$newdlfiles $deplib"
+	    fi
+	  fi
+	  continue
+	  ;;
+	%DEPLIBS%)
+	  alldeplibs=yes
+	  continue
+	  ;;
+	esac # case $deplib
+
+	if test "$found" = yes || test -f "$lib"; then :
+	else
+	  func_fatal_error "cannot find the library \`$lib' or unhandled argument \`$deplib'"
+	fi
+
+	# Check to see that this really is a libtool archive.
+	func_lalib_unsafe_p "$lib" \
+	  || func_fatal_error "\`$lib' is not a valid libtool archive"
+
+	func_dirname "$lib" "" "."
+	ladir="$func_dirname_result"
+
+	dlname=
+	dlopen=
+	dlpreopen=
+	libdir=
+	library_names=
+	old_library=
+	inherited_linker_flags=
+	# If the library was installed with an old release of libtool,
+	# it will not redefine variables installed, or shouldnotlink
+	installed=yes
+	shouldnotlink=no
+	avoidtemprpath=
+
+
+	# Read the .la file
+	func_source "$lib"
+
+	# Convert "-framework foo" to "foo.ltframework"
+	if test -n "$inherited_linker_flags"; then
+	  tmp_inherited_linker_flags=`$ECHO "X$inherited_linker_flags" | $Xsed -e 's/-framework \([^ $]*\)/\1.ltframework/g'`
+	  for tmp_inherited_linker_flag in $tmp_inherited_linker_flags; do
+	    case " $new_inherited_linker_flags " in
+	      *" $tmp_inherited_linker_flag "*) ;;
+	      *) new_inherited_linker_flags="$new_inherited_linker_flags $tmp_inherited_linker_flag";;
+	    esac
+	  done
+	fi
+	dependency_libs=`$ECHO "X $dependency_libs" | $Xsed -e 's% \([^ $]*\).ltframework% -framework \1%g'`
+	if test "$linkmode,$pass" = "lib,link" ||
+	   test "$linkmode,$pass" = "prog,scan" ||
+	   { test "$linkmode" != prog && test "$linkmode" != lib; }; then
+	  test -n "$dlopen" && dlfiles="$dlfiles $dlopen"
+	  test -n "$dlpreopen" && dlprefiles="$dlprefiles $dlpreopen"
+	fi
+
+	if test "$pass" = conv; then
+	  # Only check for convenience libraries
+	  deplibs="$lib $deplibs"
+	  if test -z "$libdir"; then
+	    if test -z "$old_library"; then
+	      func_fatal_error "cannot find name of link library for \`$lib'"
+	    fi
+	    # It is a libtool convenience library, so add in its objects.
+	    convenience="$convenience $ladir/$objdir/$old_library"
+	    old_convenience="$old_convenience $ladir/$objdir/$old_library"
+	  elif test "$linkmode" != prog && test "$linkmode" != lib; then
+	    func_fatal_error "\`$lib' is not a convenience library"
+	  fi
+	  tmp_libs=
+	  for deplib in $dependency_libs; do
+	    deplibs="$deplib $deplibs"
+	    if $opt_duplicate_deps ; then
+	      case "$tmp_libs " in
+	      *" $deplib "*) specialdeplibs="$specialdeplibs $deplib" ;;
+	      esac
+	    fi
+	    tmp_libs="$tmp_libs $deplib"
+	  done
+	  continue
+	fi # $pass = conv
+
+
+	# Get the name of the library we link against.
+	linklib=
+	for l in $old_library $library_names; do
+	  linklib="$l"
+	done
+	if test -z "$linklib"; then
+	  func_fatal_error "cannot find name of link library for \`$lib'"
+	fi
+
+	# This library was specified with -dlopen.
+	if test "$pass" = dlopen; then
+	  if test -z "$libdir"; then
+	    func_fatal_error "cannot -dlopen a convenience library: \`$lib'"
+	  fi
+	  if test -z "$dlname" ||
+	     test "$dlopen_support" != yes ||
+	     test "$build_libtool_libs" = no; then
+	    # If there is no dlname, no dlopen support or we're linking
+	    # statically, we need to preload.  We also need to preload any
+	    # dependent libraries so libltdl's deplib preloader doesn't
+	    # bomb out in the load deplibs phase.
+	    dlprefiles="$dlprefiles $lib $dependency_libs"
+	  else
+	    newdlfiles="$newdlfiles $lib"
+	  fi
+	  continue
+	fi # $pass = dlopen
+
+	# We need an absolute path.
+	case $ladir in
+	[\\/]* | [A-Za-z]:[\\/]*) abs_ladir="$ladir" ;;
+	*)
+	  abs_ladir=`cd "$ladir" && pwd`
+	  if test -z "$abs_ladir"; then
+	    func_warning "cannot determine absolute directory name of \`$ladir'"
+	    func_warning "passing it literally to the linker, although it might fail"
+	    abs_ladir="$ladir"
+	  fi
+	  ;;
+	esac
+	func_basename "$lib"
+	laname="$func_basename_result"
+
+	# Find the relevant object directory and library name.
+	if test "X$installed" = Xyes; then
+	  if test ! -f "$libdir/$linklib" && test -f "$abs_ladir/$linklib"; then
+	    func_warning "library \`$lib' was moved."
+	    dir="$ladir"
+	    absdir="$abs_ladir"
+	    libdir="$abs_ladir"
+	  else
+	    dir="$libdir"
+	    absdir="$libdir"
+	  fi
+	  test "X$hardcode_automatic" = Xyes && avoidtemprpath=yes
+	else
+	  if test ! -f "$ladir/$objdir/$linklib" && test -f "$abs_ladir/$linklib"; then
+	    dir="$ladir"
+	    absdir="$abs_ladir"
+	    # Remove this search path later
+	    notinst_path="$notinst_path $abs_ladir"
+	  else
+	    dir="$ladir/$objdir"
+	    absdir="$abs_ladir/$objdir"
+	    # Remove this search path later
+	    notinst_path="$notinst_path $abs_ladir"
+	  fi
+	fi # $installed = yes
+	func_stripname 'lib' '.la' "$laname"
+	name=$func_stripname_result
+
+	# This library was specified with -dlpreopen.
+	if test "$pass" = dlpreopen; then
+	  if test -z "$libdir" && test "$linkmode" = prog; then
+	    func_fatal_error "only libraries may -dlpreopen a convenience library: \`$lib'"
+	  fi
+	  # Prefer using a static library (so that no silly _DYNAMIC symbols
+	  # are required to link).
+	  if test -n "$old_library"; then
+	    newdlprefiles="$newdlprefiles $dir/$old_library"
+	    # Keep a list of preopened convenience libraries to check
+	    # that they are being used correctly in the link pass.
+	    test -z "$libdir" && \
+		dlpreconveniencelibs="$dlpreconveniencelibs $dir/$old_library"
+	  # Otherwise, use the dlname, so that lt_dlopen finds it.
+	  elif test -n "$dlname"; then
+	    newdlprefiles="$newdlprefiles $dir/$dlname"
+	  else
+	    newdlprefiles="$newdlprefiles $dir/$linklib"
+	  fi
+	fi # $pass = dlpreopen
+
+	if test -z "$libdir"; then
+	  # Link the convenience library
+	  if test "$linkmode" = lib; then
+	    deplibs="$dir/$old_library $deplibs"
+	  elif test "$linkmode,$pass" = "prog,link"; then
+	    compile_deplibs="$dir/$old_library $compile_deplibs"
+	    finalize_deplibs="$dir/$old_library $finalize_deplibs"
+	  else
+	    deplibs="$lib $deplibs" # used for prog,scan pass
+	  fi
+	  continue
+	fi
+
+
+	if test "$linkmode" = prog && test "$pass" != link; then
+	  newlib_search_path="$newlib_search_path $ladir"
+	  deplibs="$lib $deplibs"
+
+	  linkalldeplibs=no
+	  if test "$link_all_deplibs" != no || test -z "$library_names" ||
+	     test "$build_libtool_libs" = no; then
+	    linkalldeplibs=yes
+	  fi
+
+	  tmp_libs=
+	  for deplib in $dependency_libs; do
+	    case $deplib in
+	    -L*) func_stripname '-L' '' "$deplib"
+	         newlib_search_path="$newlib_search_path $func_stripname_result"
+		 ;;
+	    esac
+	    # Need to link against all dependency_libs?
+	    if test "$linkalldeplibs" = yes; then
+	      deplibs="$deplib $deplibs"
+	    else
+	      # Need to hardcode shared library paths
+	      # or/and link against static libraries
+	      newdependency_libs="$deplib $newdependency_libs"
+	    fi
+	    if $opt_duplicate_deps ; then
+	      case "$tmp_libs " in
+	      *" $deplib "*) specialdeplibs="$specialdeplibs $deplib" ;;
+	      esac
+	    fi
+	    tmp_libs="$tmp_libs $deplib"
+	  done # for deplib
+	  continue
+	fi # $linkmode = prog...
+
+	if test "$linkmode,$pass" = "prog,link"; then
+	  if test -n "$library_names" &&
+	     { { test "$prefer_static_libs" = no ||
+	         test "$prefer_static_libs,$installed" = "built,yes"; } ||
+	       test -z "$old_library"; }; then
+	    # We need to hardcode the library path
+	    if test -n "$shlibpath_var" && test -z "$avoidtemprpath" ; then
+	      # Make sure the rpath contains only unique directories.
+	      case "$temp_rpath:" in
+	      *"$absdir:"*) ;;
+	      *) temp_rpath="$temp_rpath$absdir:" ;;
+	      esac
+	    fi
+
+	    # Hardcode the library path.
+	    # Skip directories that are in the system default run-time
+	    # search path.
+	    case " $sys_lib_dlsearch_path " in
+	    *" $absdir "*) ;;
+	    *)
+	      case "$compile_rpath " in
+	      *" $absdir "*) ;;
+	      *) compile_rpath="$compile_rpath $absdir"
+	      esac
+	      ;;
+	    esac
+	    case " $sys_lib_dlsearch_path " in
+	    *" $libdir "*) ;;
+	    *)
+	      case "$finalize_rpath " in
+	      *" $libdir "*) ;;
+	      *) finalize_rpath="$finalize_rpath $libdir"
+	      esac
+	      ;;
+	    esac
+	  fi # $linkmode,$pass = prog,link...
+
+	  if test "$alldeplibs" = yes &&
+	     { test "$deplibs_check_method" = pass_all ||
+	       { test "$build_libtool_libs" = yes &&
+		 test -n "$library_names"; }; }; then
+	    # We only need to search for static libraries
+	    continue
+	  fi
+	fi
+
+	link_static=no # Whether the deplib will be linked statically
+	use_static_libs=$prefer_static_libs
+	if test "$use_static_libs" = built && test "$installed" = yes; then
+	  use_static_libs=no
+	fi
+	if test -n "$library_names" &&
+	   { test "$use_static_libs" = no || test -z "$old_library"; }; then
+	  case $host in
+	  *cygwin* | *mingw*)
+	      # No point in relinking DLLs because paths are not encoded
+	      notinst_deplibs="$notinst_deplibs $lib"
+	      need_relink=no
+	    ;;
+	  *)
+	    if test "$installed" = no; then
+	      notinst_deplibs="$notinst_deplibs $lib"
+	      need_relink=yes
+	    fi
+	    ;;
+	  esac
+	  # This is a shared library
+
+	  # Warn about portability, can't link against -module's on some
+	  # systems (darwin).  Don't bleat about dlopened modules though!
+	  dlopenmodule=""
+	  for dlpremoduletest in $dlprefiles; do
+	    if test "X$dlpremoduletest" = "X$lib"; then
+	      dlopenmodule="$dlpremoduletest"
+	      break
+	    fi
+	  done
+	  if test -z "$dlopenmodule" && test "$shouldnotlink" = yes && test "$pass" = link; then
+	    $ECHO
+	    if test "$linkmode" = prog; then
+	      $ECHO "*** Warning: Linking the executable $output against the loadable module"
+	    else
+	      $ECHO "*** Warning: Linking the shared library $output against the loadable module"
+	    fi
+	    $ECHO "*** $linklib is not portable!"
+	  fi
+	  if test "$linkmode" = lib &&
+	     test "$hardcode_into_libs" = yes; then
+	    # Hardcode the library path.
+	    # Skip directories that are in the system default run-time
+	    # search path.
+	    case " $sys_lib_dlsearch_path " in
+	    *" $absdir "*) ;;
+	    *)
+	      case "$compile_rpath " in
+	      *" $absdir "*) ;;
+	      *) compile_rpath="$compile_rpath $absdir"
+	      esac
+	      ;;
+	    esac
+	    case " $sys_lib_dlsearch_path " in
+	    *" $libdir "*) ;;
+	    *)
+	      case "$finalize_rpath " in
+	      *" $libdir "*) ;;
+	      *) finalize_rpath="$finalize_rpath $libdir"
+	      esac
+	      ;;
+	    esac
+	  fi
+
+	  if test -n "$old_archive_from_expsyms_cmds"; then
+	    # figure out the soname
+	    set dummy $library_names
+	    shift
+	    realname="$1"
+	    shift
+	    libname=`eval "\\$ECHO \"$libname_spec\""`
+	    # use dlname if we got it. it's perfectly good, no?
+	    if test -n "$dlname"; then
+	      soname="$dlname"
+	    elif test -n "$soname_spec"; then
+	      # bleh windows
+	      case $host in
+	      *cygwin* | mingw*)
+	        func_arith $current - $age
+		major=$func_arith_result
+		versuffix="-$major"
+		;;
+	      esac
+	      eval soname=\"$soname_spec\"
+	    else
+	      soname="$realname"
+	    fi
+
+	    # Make a new name for the extract_expsyms_cmds to use
+	    soroot="$soname"
+	    func_basename "$soroot"
+	    soname="$func_basename_result"
+	    func_stripname 'lib' '.dll' "$soname"
+	    newlib=libimp-$func_stripname_result.a
+
+	    # If the library has no export list, then create one now
+	    if test -f "$output_objdir/$soname-def"; then :
+	    else
+	      func_verbose "extracting exported symbol list from \`$soname'"
+	      func_execute_cmds "$extract_expsyms_cmds" 'exit $?'
+	    fi
+
+	    # Create $newlib
+	    if test -f "$output_objdir/$newlib"; then :; else
+	      func_verbose "generating import library for \`$soname'"
+	      func_execute_cmds "$old_archive_from_expsyms_cmds" 'exit $?'
+	    fi
+	    # make sure the library variables are pointing to the new library
+	    dir=$output_objdir
+	    linklib=$newlib
+	  fi # test -n "$old_archive_from_expsyms_cmds"
+
+	  if test "$linkmode" = prog || test "$mode" != relink; then
+	    add_shlibpath=
+	    add_dir=
+	    add=
+	    lib_linked=yes
+	    case $hardcode_action in
+	    immediate | unsupported)
+	      if test "$hardcode_direct" = no; then
+		add="$dir/$linklib"
+		case $host in
+		  *-*-sco3.2v5.0.[024]*) add_dir="-L$dir" ;;
+		  *-*-sysv4*uw2*) add_dir="-L$dir" ;;
+		  *-*-sysv5OpenUNIX* | *-*-sysv5UnixWare7.[01].[10]* | \
+		    *-*-unixware7*) add_dir="-L$dir" ;;
+		  *-*-darwin* )
+		    # if the lib is a (non-dlopened) module then we can not
+		    # link against it, someone is ignoring the earlier warnings
+		    if /usr/bin/file -L $add 2> /dev/null |
+			 $GREP ": [^:]* bundle" >/dev/null ; then
+		      if test "X$dlopenmodule" != "X$lib"; then
+			$ECHO "*** Warning: lib $linklib is a module, not a shared library"
+			if test -z "$old_library" ; then
+			  $ECHO
+			  $ECHO "*** And there doesn't seem to be a static archive available"
+			  $ECHO "*** The link will probably fail, sorry"
+			else
+			  add="$dir/$old_library"
+			fi
+		      elif test -n "$old_library"; then
+			add="$dir/$old_library"
+		      fi
+		    fi
+		esac
+	      elif test "$hardcode_minus_L" = no; then
+		case $host in
+		*-*-sunos*) add_shlibpath="$dir" ;;
+		esac
+		add_dir="-L$dir"
+		add="-l$name"
+	      elif test "$hardcode_shlibpath_var" = no; then
+		add_shlibpath="$dir"
+		add="-l$name"
+	      else
+		lib_linked=no
+	      fi
+	      ;;
+	    relink)
+	      if test "$hardcode_direct" = yes &&
+	         test "$hardcode_direct_absolute" = no; then
+		add="$dir/$linklib"
+	      elif test "$hardcode_minus_L" = yes; then
+		add_dir="-L$dir"
+		# Try looking first in the location we're being installed to.
+		if test -n "$inst_prefix_dir"; then
+		  case $libdir in
+		    [\\/]*)
+		      add_dir="$add_dir -L$inst_prefix_dir$libdir"
+		      ;;
+		  esac
+		fi
+		add="-l$name"
+	      elif test "$hardcode_shlibpath_var" = yes; then
+		add_shlibpath="$dir"
+		add="-l$name"
+	      else
+		lib_linked=no
+	      fi
+	      ;;
+	    *) lib_linked=no ;;
+	    esac
+
+	    if test "$lib_linked" != yes; then
+	      func_fatal_configuration "unsupported hardcode properties"
+	    fi
+
+	    if test -n "$add_shlibpath"; then
+	      case :$compile_shlibpath: in
+	      *":$add_shlibpath:"*) ;;
+	      *) compile_shlibpath="$compile_shlibpath$add_shlibpath:" ;;
+	      esac
+	    fi
+	    if test "$linkmode" = prog; then
+	      test -n "$add_dir" && compile_deplibs="$add_dir $compile_deplibs"
+	      test -n "$add" && compile_deplibs="$add $compile_deplibs"
+	    else
+	      test -n "$add_dir" && deplibs="$add_dir $deplibs"
+	      test -n "$add" && deplibs="$add $deplibs"
+	      if test "$hardcode_direct" != yes &&
+		 test "$hardcode_minus_L" != yes &&
+		 test "$hardcode_shlibpath_var" = yes; then
+		case :$finalize_shlibpath: in
+		*":$libdir:"*) ;;
+		*) finalize_shlibpath="$finalize_shlibpath$libdir:" ;;
+		esac
+	      fi
+	    fi
+	  fi
+
+	  if test "$linkmode" = prog || test "$mode" = relink; then
+	    add_shlibpath=
+	    add_dir=
+	    add=
+	    # Finalize command for both is simple: just hardcode it.
+	    if test "$hardcode_direct" = yes &&
+	       test "$hardcode_direct_absolute" = no; then
+	      add="$libdir/$linklib"
+	    elif test "$hardcode_minus_L" = yes; then
+	      add_dir="-L$libdir"
+	      add="-l$name"
+	    elif test "$hardcode_shlibpath_var" = yes; then
+	      case :$finalize_shlibpath: in
+	      *":$libdir:"*) ;;
+	      *) finalize_shlibpath="$finalize_shlibpath$libdir:" ;;
+	      esac
+	      add="-l$name"
+	    elif test "$hardcode_automatic" = yes; then
+	      if test -n "$inst_prefix_dir" &&
+		 test -f "$inst_prefix_dir$libdir/$linklib" ; then
+		add="$inst_prefix_dir$libdir/$linklib"
+	      else
+		add="$libdir/$linklib"
+	      fi
+	    else
+	      # We cannot seem to hardcode it, guess we'll fake it.
+	      add_dir="-L$libdir"
+	      # Try looking first in the location we're being installed to.
+	      if test -n "$inst_prefix_dir"; then
+		case $libdir in
+		  [\\/]*)
+		    add_dir="$add_dir -L$inst_prefix_dir$libdir"
+		    ;;
+		esac
+	      fi
+	      add="-l$name"
+	    fi
+
+	    if test "$linkmode" = prog; then
+	      test -n "$add_dir" && finalize_deplibs="$add_dir $finalize_deplibs"
+	      test -n "$add" && finalize_deplibs="$add $finalize_deplibs"
+	    else
+	      test -n "$add_dir" && deplibs="$add_dir $deplibs"
+	      test -n "$add" && deplibs="$add $deplibs"
+	    fi
+	  fi
+	elif test "$linkmode" = prog; then
+	  # Here we assume that one of hardcode_direct or hardcode_minus_L
+	  # is not unsupported.  This is valid on all known static and
+	  # shared platforms.
+	  if test "$hardcode_direct" != unsupported; then
+	    test -n "$old_library" && linklib="$old_library"
+	    compile_deplibs="$dir/$linklib $compile_deplibs"
+	    finalize_deplibs="$dir/$linklib $finalize_deplibs"
+	  else
+	    compile_deplibs="-l$name -L$dir $compile_deplibs"
+	    finalize_deplibs="-l$name -L$dir $finalize_deplibs"
+	  fi
+	elif test "$build_libtool_libs" = yes; then
+	  # Not a shared library
+	  if test "$deplibs_check_method" != pass_all; then
+	    # We're trying link a shared library against a static one
+	    # but the system doesn't support it.
+
+	    # Just print a warning and add the library to dependency_libs so
+	    # that the program can be linked against the static library.
+	    $ECHO
+	    $ECHO "*** Warning: This system can not link to static lib archive $lib."
+	    $ECHO "*** I have the capability to make that library automatically link in when"
+	    $ECHO "*** you link to this library.  But I can only do this if you have a"
+	    $ECHO "*** shared version of the library, which you do not appear to have."
+	    if test "$module" = yes; then
+	      $ECHO "*** But as you try to build a module library, libtool will still create "
+	      $ECHO "*** a static module, that should work as long as the dlopening application"
+	      $ECHO "*** is linked with the -dlopen flag to resolve symbols at runtime."
+	      if test -z "$global_symbol_pipe"; then
+		$ECHO
+		$ECHO "*** However, this would only work if libtool was able to extract symbol"
+		$ECHO "*** lists from a program, using \`nm' or equivalent, but libtool could"
+		$ECHO "*** not find such a program.  So, this module is probably useless."
+		$ECHO "*** \`nm' from GNU binutils and a full rebuild may help."
+	      fi
+	      if test "$build_old_libs" = no; then
+		build_libtool_libs=module
+		build_old_libs=yes
+	      else
+		build_libtool_libs=no
+	      fi
+	    fi
+	  else
+	    deplibs="$dir/$old_library $deplibs"
+	    link_static=yes
+	  fi
+	fi # link shared/static library?
+
+	if test "$linkmode" = lib; then
+	  if test -n "$dependency_libs" &&
+	     { test "$hardcode_into_libs" != yes ||
+	       test "$build_old_libs" = yes ||
+	       test "$link_static" = yes; }; then
+	    # Extract -R from dependency_libs
+	    temp_deplibs=
+	    for libdir in $dependency_libs; do
+	      case $libdir in
+	      -R*) func_stripname '-R' '' "$libdir"
+	           temp_xrpath=$func_stripname_result
+		   case " $xrpath " in
+		   *" $temp_xrpath "*) ;;
+		   *) xrpath="$xrpath $temp_xrpath";;
+		   esac;;
+	      *) temp_deplibs="$temp_deplibs $libdir";;
+	      esac
+	    done
+	    dependency_libs="$temp_deplibs"
+	  fi
+
+	  newlib_search_path="$newlib_search_path $absdir"
+	  # Link against this library
+	  test "$link_static" = no && newdependency_libs="$abs_ladir/$laname $newdependency_libs"
+	  # ... and its dependency_libs
+	  tmp_libs=
+	  for deplib in $dependency_libs; do
+	    newdependency_libs="$deplib $newdependency_libs"
+	    if $opt_duplicate_deps ; then
+	      case "$tmp_libs " in
+	      *" $deplib "*) specialdeplibs="$specialdeplibs $deplib" ;;
+	      esac
+	    fi
+	    tmp_libs="$tmp_libs $deplib"
+	  done
+
+	  if test "$link_all_deplibs" != no; then
+	    # Add the search paths of all dependency libraries
+	    for deplib in $dependency_libs; do
+	      case $deplib in
+	      -L*) path="$deplib" ;;
+	      *.la)
+	        func_dirname "$deplib" "" "."
+		dir="$func_dirname_result"
+		# We need an absolute path.
+		case $dir in
+		[\\/]* | [A-Za-z]:[\\/]*) absdir="$dir" ;;
+		*)
+		  absdir=`cd "$dir" && pwd`
+		  if test -z "$absdir"; then
+		    func_warning "cannot determine absolute directory name of \`$dir'"
+		    absdir="$dir"
+		  fi
+		  ;;
+		esac
+		if $GREP "^installed=no" $deplib > /dev/null; then
+		case $host in
+		*-*-darwin*)
+		  depdepl=
+		  eval deplibrary_names=`${SED} -n -e 's/^library_names=\(.*\)$/\1/p' $deplib`
+		  if test -n "$deplibrary_names" ; then
+		    for tmp in $deplibrary_names ; do
+		      depdepl=$tmp
+		    done
+		    if test -f "$absdir/$objdir/$depdepl" ; then
+		      depdepl="$absdir/$objdir/$depdepl"
+		      darwin_install_name=`${OTOOL} -L $depdepl | awk '{if (NR == 2) {print $1;exit}}'`
+                      if test -z "$darwin_install_name"; then
+                          darwin_install_name=`${OTOOL64} -L $depdepl  | awk '{if (NR == 2) {print $1;exit}}'`
+                      fi
+		      compiler_flags="$compiler_flags ${wl}-dylib_file ${wl}${darwin_install_name}:${depdepl}"
+		      linker_flags="$linker_flags -dylib_file ${darwin_install_name}:${depdepl}"
+		      path=
+		    fi
+		  fi
+		  ;;
+		*)
+		  path="-L$absdir/$objdir"
+		  ;;
+		esac
+		else
+		  eval libdir=`${SED} -n -e 's/^libdir=\(.*\)$/\1/p' $deplib`
+		  test -z "$libdir" && \
+		    func_fatal_error "\`$deplib' is not a valid libtool archive"
+		  test "$absdir" != "$libdir" && \
+		    func_warning "\`$deplib' seems to be moved"
+
+		  path="-L$absdir"
+		fi
+		;;
+	      esac
+	      case " $deplibs " in
+	      *" $path "*) ;;
+	      *) deplibs="$path $deplibs" ;;
+	      esac
+	    done
+	  fi # link_all_deplibs != no
+	fi # linkmode = lib
+      done # for deplib in $libs
+      if test "$pass" = link; then
+	if test "$linkmode" = "prog"; then
+	  compile_deplibs="$new_inherited_linker_flags $compile_deplibs"
+	  finalize_deplibs="$new_inherited_linker_flags $finalize_deplibs"
+	else
+	  compiler_flags="$compiler_flags "`$ECHO "X $new_inherited_linker_flags" | $Xsed -e 's% \([^ $]*\).ltframework% -framework \1%g'`
+	fi
+      fi
+      dependency_libs="$newdependency_libs"
+      if test "$pass" = dlpreopen; then
+	# Link the dlpreopened libraries before other libraries
+	for deplib in $save_deplibs; do
+	  deplibs="$deplib $deplibs"
+	done
+      fi
+      if test "$pass" != dlopen; then
+	if test "$pass" != conv; then
+	  # Make sure lib_search_path contains only unique directories.
+	  lib_search_path=
+	  for dir in $newlib_search_path; do
+	    case "$lib_search_path " in
+	    *" $dir "*) ;;
+	    *) lib_search_path="$lib_search_path $dir" ;;
+	    esac
+	  done
+	  newlib_search_path=
+	fi
+
+	if test "$linkmode,$pass" != "prog,link"; then
+	  vars="deplibs"
+	else
+	  vars="compile_deplibs finalize_deplibs"
+	fi
+	for var in $vars dependency_libs; do
+	  # Add libraries to $var in reverse order
+	  eval tmp_libs=\"\$$var\"
+	  new_libs=
+	  for deplib in $tmp_libs; do
+	    # FIXME: Pedantically, this is the right thing to do, so
+	    #        that some nasty dependency loop isn't accidentally
+	    #        broken:
+	    #new_libs="$deplib $new_libs"
+	    # Pragmatically, this seems to cause very few problems in
+	    # practice:
+	    case $deplib in
+	    -L*) new_libs="$deplib $new_libs" ;;
+	    -R*) ;;
+	    *)
+	      # And here is the reason: when a library appears more
+	      # than once as an explicit dependence of a library, or
+	      # is implicitly linked in more than once by the
+	      # compiler, it is considered special, and multiple
+	      # occurrences thereof are not removed.  Compare this
+	      # with having the same library being listed as a
+	      # dependency of multiple other libraries: in this case,
+	      # we know (pedantically, we assume) the library does not
+	      # need to be listed more than once, so we keep only the
+	      # last copy.  This is not always right, but it is rare
+	      # enough that we require users that really mean to play
+	      # such unportable linking tricks to link the library
+	      # using -Wl,-lname, so that libtool does not consider it
+	      # for duplicate removal.
+	      case " $specialdeplibs " in
+	      *" $deplib "*) new_libs="$deplib $new_libs" ;;
+	      *)
+		case " $new_libs " in
+		*" $deplib "*) ;;
+		*) new_libs="$deplib $new_libs" ;;
+		esac
+		;;
+	      esac
+	      ;;
+	    esac
+	  done
+	  tmp_libs=
+	  for deplib in $new_libs; do
+	    case $deplib in
+	    -L*)
+	      case " $tmp_libs " in
+	      *" $deplib "*) ;;
+	      *) tmp_libs="$tmp_libs $deplib" ;;
+	      esac
+	      ;;
+	    *) tmp_libs="$tmp_libs $deplib" ;;
+	    esac
+	  done
+	  eval $var=\"$tmp_libs\"
+	done # for var
+      fi
+      # Last step: remove runtime libs from dependency_libs
+      # (they stay in deplibs)
+      tmp_libs=
+      for i in $dependency_libs ; do
+	case " $predeps $postdeps $compiler_lib_search_path " in
+	*" $i "*)
+	  i=""
+	  ;;
+	esac
+	if test -n "$i" ; then
+	  tmp_libs="$tmp_libs $i"
+	fi
+      done
+      dependency_libs=$tmp_libs
+    done # for pass
+    if test "$linkmode" = prog; then
+      dlfiles="$newdlfiles"
+    fi
+    if test "$linkmode" = prog || test "$linkmode" = lib; then
+      dlprefiles="$newdlprefiles"
+    fi
 
-#define XMALLOC(type, num)      ((type *) xmalloc ((num) * sizeof(type)))
-#define XFREE(stale) do { \
-  if (stale) { free ((void *) stale); stale = 0; } \
-} while (0)
+    case $linkmode in
+    oldlib)
+      if test -n "$dlfiles$dlprefiles" || test "$dlself" != no; then
+	func_warning "\`-dlopen' is ignored for archives"
+      fi
 
-/* -DDEBUG is fairly common in CFLAGS.  */
-#undef DEBUG
-#if defined DEBUGWRAPPER
-# define DEBUG(format, ...) fprintf(stderr, format, __VA_ARGS__)
-#else
-# define DEBUG(format, ...)
-#endif
+      case " $deplibs" in
+      *\ -l* | *\ -L*)
+	func_warning "\`-l' and \`-L' are ignored for archives" ;;
+      esac
 
-const char *program_name = NULL;
+      test -n "$rpath" && \
+	func_warning "\`-rpath' is ignored for archives"
 
-void * xmalloc (size_t num);
-char * xstrdup (const char *string);
-const char * base_name (const char *name);
-char * find_executable(const char *wrapper);
-int    check_executable(const char *path);
-char * strendzap(char *str, const char *pat);
-void lt_fatal (const char *message, ...);
+      test -n "$xrpath" && \
+	func_warning "\`-R' is ignored for archives"
 
-int
-main (int argc, char *argv[])
-{
-  char **newargz;
-  int i;
+      test -n "$vinfo" && \
+	func_warning "\`-version-info/-version-number' is ignored for archives"
 
-  program_name = (char *) xstrdup (base_name (argv[0]));
-  DEBUG("(main) argv[0]      : %s\n",argv[0]);
-  DEBUG("(main) program_name : %s\n",program_name);
-  newargz = XMALLOC(char *, argc+2);
-EOF
+      test -n "$release" && \
+	func_warning "\`-release' is ignored for archives"
 
-            cat >> $cwrappersource <<EOF
-  newargz[0] = (char *) xstrdup("$SHELL");
-EOF
+      test -n "$export_symbols$export_symbols_regex" && \
+	func_warning "\`-export-symbols' is ignored for archives"
 
-            cat >> $cwrappersource <<"EOF"
-  newargz[1] = find_executable(argv[0]);
-  if (newargz[1] == NULL)
-    lt_fatal("Couldn't find %s", argv[0]);
-  DEBUG("(main) found exe at : %s\n",newargz[1]);
-  /* we know the script has the same name, without the .exe */
-  /* so make sure newargz[1] doesn't end in .exe */
-  strendzap(newargz[1],".exe");
-  for (i = 1; i < argc; i++)
-    newargz[i+1] = xstrdup(argv[i]);
-  newargz[argc+1] = NULL;
+      # Now set the variables for building old libraries.
+      build_libtool_libs=no
+      oldlibs="$output"
+      objs="$objs$old_deplibs"
+      ;;
 
-  for (i=0; i<argc+1; i++)
-  {
-    DEBUG("(main) newargz[%d]   : %s\n",i,newargz[i]);
-    ;
-  }
+    lib)
+      # Make sure we only generate libraries of the form `libNAME.la'.
+      case $outputname in
+      lib*)
+	func_stripname 'lib' '.la' "$outputname"
+	name=$func_stripname_result
+	eval shared_ext=\"$shrext_cmds\"
+	eval libname=\"$libname_spec\"
+	;;
+      *)
+	test "$module" = no && \
+	  func_fatal_help "libtool library \`$output' must begin with \`lib'"
 
-EOF
+	if test "$need_lib_prefix" != no; then
+	  # Add the "lib" prefix for modules if required
+	  func_stripname '' '.la' "$outputname"
+	  name=$func_stripname_result
+	  eval shared_ext=\"$shrext_cmds\"
+	  eval libname=\"$libname_spec\"
+	else
+	  func_stripname '' '.la' "$outputname"
+	  libname=$func_stripname_result
+	fi
+	;;
+      esac
 
-            case $host_os in
-              mingw*)
-                cat >> $cwrappersource <<EOF
-  execv("$SHELL",(char const **)newargz);
-EOF
-              ;;
-              *)
-                cat >> $cwrappersource <<EOF
-  execv("$SHELL",newargz);
-EOF
-              ;;
-            esac
+      if test -n "$objs"; then
+	if test "$deplibs_check_method" != pass_all; then
+	  func_fatal_error "cannot build libtool library \`$output' from non-libtool objects on this host:$objs"
+	else
+	  $ECHO
+	  $ECHO "*** Warning: Linking the shared library $output against the non-libtool"
+	  $ECHO "*** objects $objs is not portable!"
+	  libobjs="$libobjs $objs"
+	fi
+      fi
 
-            cat >> $cwrappersource <<"EOF"
-  return 127;
-}
+      test "$dlself" != no && \
+	func_warning "\`-dlopen self' is ignored for libtool libraries"
 
-void *
-xmalloc (size_t num)
-{
-  void * p = (void *) malloc (num);
-  if (!p)
-    lt_fatal ("Memory exhausted");
+      set dummy $rpath
+      shift
+      test "$#" -gt 1 && \
+	func_warning "ignoring multiple \`-rpath's for a libtool library"
 
-  return p;
-}
+      install_libdir="$1"
 
-char *
-xstrdup (const char *string)
-{
-  return string ? strcpy ((char *) xmalloc (strlen (string) + 1), string) : NULL
-;
-}
+      oldlibs=
+      if test -z "$rpath"; then
+	if test "$build_libtool_libs" = yes; then
+	  # Building a libtool convenience library.
+	  # Some compilers have problems with a `.al' extension so
+	  # convenience libraries should have the same extension an
+	  # archive normally would.
+	  oldlibs="$output_objdir/$libname.$libext $oldlibs"
+	  build_libtool_libs=convenience
+	  build_old_libs=yes
+	fi
 
-const char *
-base_name (const char *name)
-{
-  const char *base;
+	test -n "$vinfo" && \
+	  func_warning "\`-version-info/-version-number' is ignored for convenience libraries"
 
-#if defined (HAVE_DOS_BASED_FILE_SYSTEM)
-  /* Skip over the disk name in MSDOS pathnames. */
-  if (isalpha ((unsigned char)name[0]) && name[1] == ':')
-    name += 2;
-#endif
+	test -n "$release" && \
+	  func_warning "\`-release' is ignored for convenience libraries"
+      else
 
-  for (base = name; *name; name++)
-    if (IS_DIR_SEPARATOR (*name))
-      base = name + 1;
-  return base;
-}
+	# Parse the version information argument.
+	save_ifs="$IFS"; IFS=':'
+	set dummy $vinfo 0 0 0
+	shift
+	IFS="$save_ifs"
 
-int
-check_executable(const char * path)
-{
-  struct stat st;
+	test -n "$7" && \
+	  func_fatal_help "too many parameters to \`-version-info'"
 
-  DEBUG("(check_executable)  : %s\n", path ? (*path ? path : "EMPTY!") : "NULL!");
-  if ((!path) || (!*path))
-    return 0;
+	# convert absolute version numbers to libtool ages
+	# this retains compatibility with .la files and attempts
+	# to make the code below a bit more comprehensible
 
-  if ((stat (path, &st) >= 0) &&
-      (
-        /* MinGW & native WIN32 do not support S_IXOTH or S_IXGRP */
-#if defined (S_IXOTH)
-       ((st.st_mode & S_IXOTH) == S_IXOTH) ||
-#endif
-#if defined (S_IXGRP)
-       ((st.st_mode & S_IXGRP) == S_IXGRP) ||
-#endif
-       ((st.st_mode & S_IXUSR) == S_IXUSR))
-      )
-    return 1;
-  else
-    return 0;
-}
+	case $vinfo_number in
+	yes)
+	  number_major="$1"
+	  number_minor="$2"
+	  number_revision="$3"
+	  #
+	  # There are really only two kinds -- those that
+	  # use the current revision as the major version
+	  # and those that subtract age and use age as
+	  # a minor version.  But, then there is irix
+	  # which has an extra 1 added just for fun
+	  #
+	  case $version_type in
+	  darwin|linux|osf|windows|none)
+	    func_arith $number_major + $number_minor
+	    current=$func_arith_result
+	    age="$number_minor"
+	    revision="$number_revision"
+	    ;;
+	  freebsd-aout|freebsd-elf|sunos)
+	    current="$number_major"
+	    revision="$number_minor"
+	    age="0"
+	    ;;
+	  irix|nonstopux)
+	    func_arith $number_major + $number_minor
+	    current=$func_arith_result
+	    age="$number_minor"
+	    revision="$number_minor"
+	    lt_irix_increment=no
+	    ;;
+	  *)
+	    func_fatal_configuration "$modename: unknown library version type \`$version_type'"
+	    ;;
+	  esac
+	  ;;
+	no)
+	  current="$1"
+	  revision="$2"
+	  age="$3"
+	  ;;
+	esac
 
-/* Searches for the full path of the wrapper.  Returns
-   newly allocated full path name if found, NULL otherwise */
-char *
-find_executable (const char* wrapper)
-{
-  int has_slash = 0;
-  const char* p;
-  const char* p_next;
-  /* static buffer for getcwd */
-  char tmp[LT_PATHMAX + 1];
-  int tmp_len;
-  char* concat_name;
+	# Check that each of the things are valid numbers.
+	case $current in
+	0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-9][0-9][0-9][0-9]|[1-9][0-9][0-9][0-9][0-9]) ;;
+	*)
+	  func_error "CURRENT \`$current' must be a nonnegative integer"
+	  func_fatal_error "\`$vinfo' is not valid version information"
+	  ;;
+	esac
+
+	case $revision in
+	0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-9][0-9][0-9][0-9]|[1-9][0-9][0-9][0-9][0-9]) ;;
+	*)
+	  func_error "REVISION \`$revision' must be a nonnegative integer"
+	  func_fatal_error "\`$vinfo' is not valid version information"
+	  ;;
+	esac
+
+	case $age in
+	0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-9][0-9][0-9][0-9]|[1-9][0-9][0-9][0-9][0-9]) ;;
+	*)
+	  func_error "AGE \`$age' must be a nonnegative integer"
+	  func_fatal_error "\`$vinfo' is not valid version information"
+	  ;;
+	esac
 
-  DEBUG("(find_executable)  : %s\n", wrapper ? (*wrapper ? wrapper : "EMPTY!") : "NULL!");
+	if test "$age" -gt "$current"; then
+	  func_error "AGE \`$age' is greater than the current interface number \`$current'"
+	  func_fatal_error "\`$vinfo' is not valid version information"
+	fi
 
-  if ((wrapper == NULL) || (*wrapper == '\0'))
-    return NULL;
+	# Calculate the version variables.
+	major=
+	versuffix=
+	verstring=
+	case $version_type in
+	none) ;;
+
+	darwin)
+	  # Like Linux, but with the current version available in
+	  # verstring for coding it into the library header
+	  func_arith $current - $age
+	  major=.$func_arith_result
+	  versuffix="$major.$age.$revision"
+	  # Darwin ld doesn't like 0 for these options...
+	  func_arith $current + 1
+	  minor_current=$func_arith_result
+	  xlcverstring="${wl}-compatibility_version ${wl}$minor_current ${wl}-current_version ${wl}$minor_current.$revision"
+	  verstring="-compatibility_version $minor_current -current_version $minor_current.$revision"
+	  ;;
+
+	freebsd-aout)
+	  major=".$current"
+	  versuffix=".$current.$revision";
+	  ;;
+
+	freebsd-elf)
+	  major=".$current"
+	  versuffix=".$current"
+	  ;;
+
+	irix | nonstopux)
+	  if test "X$lt_irix_increment" = "Xno"; then
+	    func_arith $current - $age
+	  else
+	    func_arith $current - $age + 1
+	  fi
+	  major=$func_arith_result
+
+	  case $version_type in
+	    nonstopux) verstring_prefix=nonstopux ;;
+	    *)         verstring_prefix=sgi ;;
+	  esac
+	  verstring="$verstring_prefix$major.$revision"
+
+	  # Add in all the interfaces that we are compatible with.
+	  loop=$revision
+	  while test "$loop" -ne 0; do
+	    func_arith $revision - $loop
+	    iface=$func_arith_result
+	    func_arith $loop - 1
+	    loop=$func_arith_result
+	    verstring="$verstring_prefix$major.$iface:$verstring"
+	  done
+
+	  # Before this point, $major must not contain `.'.
+	  major=.$major
+	  versuffix="$major.$revision"
+	  ;;
+
+	linux)
+	  func_arith $current - $age
+	  major=.$func_arith_result
+	  versuffix="$major.$age.$revision"
+	  ;;
+
+	osf)
+	  func_arith $current - $age
+	  major=.$func_arith_result
+	  versuffix=".$current.$age.$revision"
+	  verstring="$current.$age.$revision"
+
+	  # Add in all the interfaces that we are compatible with.
+	  loop=$age
+	  while test "$loop" -ne 0; do
+	    func_arith $current - $loop
+	    iface=$func_arith_result
+	    func_arith $loop - 1
+	    loop=$func_arith_result
+	    verstring="$verstring:${iface}.0"
+	  done
+
+	  # Make executables depend on our current version.
+	  verstring="$verstring:${current}.0"
+	  ;;
+
+	qnx)
+	  major=".$current"
+	  versuffix=".$current"
+	  ;;
+
+	sunos)
+	  major=".$current"
+	  versuffix=".$current.$revision"
+	  ;;
+
+	windows)
+	  # Use '-' rather than '.', since we only want one
+	  # extension on DOS 8.3 filesystems.
+	  func_arith $current - $age
+	  major=$func_arith_result
+	  versuffix="-$major"
+	  ;;
+
+	*)
+	  func_fatal_configuration "unknown library version type \`$version_type'"
+	  ;;
+	esac
 
-  /* Absolute path? */
-#if defined (HAVE_DOS_BASED_FILE_SYSTEM)
-  if (isalpha ((unsigned char)wrapper[0]) && wrapper[1] == ':')
-  {
-    concat_name = xstrdup (wrapper);
-    if (check_executable(concat_name))
-      return concat_name;
-    XFREE(concat_name);
-  }
-  else
-  {
-#endif
-    if (IS_DIR_SEPARATOR (wrapper[0]))
-    {
-      concat_name = xstrdup (wrapper);
-      if (check_executable(concat_name))
-        return concat_name;
-      XFREE(concat_name);
-    }
-#if defined (HAVE_DOS_BASED_FILE_SYSTEM)
-  }
-#endif
+	# Clear the version info if we defaulted, and they specified a release.
+	if test -z "$vinfo" && test -n "$release"; then
+	  major=
+	  case $version_type in
+	  darwin)
+	    # we can't check for "0.0" in archive_cmds due to quoting
+	    # problems, so we reset it completely
+	    verstring=
+	    ;;
+	  *)
+	    verstring="0.0"
+	    ;;
+	  esac
+	  if test "$need_version" = no; then
+	    versuffix=
+	  else
+	    versuffix=".0.0"
+	  fi
+	fi
 
-  for (p = wrapper; *p; p++)
-    if (*p == '/')
-    {
-      has_slash = 1;
-      break;
-    }
-  if (!has_slash)
-  {
-    /* no slashes; search PATH */
-    const char* path = getenv ("PATH");
-    if (path != NULL)
-    {
-      for (p = path; *p; p = p_next)
-      {
-        const char* q;
-        size_t p_len;
-        for (q = p; *q; q++)
-          if (IS_PATH_SEPARATOR(*q))
-            break;
-        p_len = q - p;
-        p_next = (*q == '\0' ? q : q + 1);
-        if (p_len == 0)
-        {
-          /* empty path: current directory */
-          if (getcwd (tmp, LT_PATHMAX) == NULL)
-            lt_fatal ("getcwd failed");
-          tmp_len = strlen(tmp);
-          concat_name = XMALLOC(char, tmp_len + 1 + strlen(wrapper) + 1);
-          memcpy (concat_name, tmp, tmp_len);
-          concat_name[tmp_len] = '/';
-          strcpy (concat_name + tmp_len + 1, wrapper);
-        }
-        else
-        {
-          concat_name = XMALLOC(char, p_len + 1 + strlen(wrapper) + 1);
-          memcpy (concat_name, p, p_len);
-          concat_name[p_len] = '/';
-          strcpy (concat_name + p_len + 1, wrapper);
-        }
-        if (check_executable(concat_name))
-          return concat_name;
-        XFREE(concat_name);
-      }
-    }
-    /* not found in PATH; assume curdir */
-  }
-  /* Relative path | not found in path: prepend cwd */
-  if (getcwd (tmp, LT_PATHMAX) == NULL)
-    lt_fatal ("getcwd failed");
-  tmp_len = strlen(tmp);
-  concat_name = XMALLOC(char, tmp_len + 1 + strlen(wrapper) + 1);
-  memcpy (concat_name, tmp, tmp_len);
-  concat_name[tmp_len] = '/';
-  strcpy (concat_name + tmp_len + 1, wrapper);
+	# Remove version info from name if versioning should be avoided
+	if test "$avoid_version" = yes && test "$need_version" = no; then
+	  major=
+	  versuffix=
+	  verstring=""
+	fi
 
-  if (check_executable(concat_name))
-    return concat_name;
-  XFREE(concat_name);
-  return NULL;
-}
+	# Check to see if the archive will have undefined symbols.
+	if test "$allow_undefined" = yes; then
+	  if test "$allow_undefined_flag" = unsupported; then
+	    func_warning "undefined symbols not allowed in $host shared libraries"
+	    build_libtool_libs=no
+	    build_old_libs=yes
+	  fi
+	else
+	  # Don't allow undefined symbols.
+	  allow_undefined_flag="$no_undefined_flag"
+	fi
 
-char *
-strendzap(char *str, const char *pat)
-{
-  size_t len, patlen;
+      fi
 
-  assert(str != NULL);
-  assert(pat != NULL);
+      func_generate_dlsyms "$libname" "$libname" "yes"
+      libobjs="$libobjs $symfileobj"
+      test "X$libobjs" = "X " && libobjs=
 
-  len = strlen(str);
-  patlen = strlen(pat);
+      if test "$mode" != relink; then
+	# Remove our outputs, but don't remove object files since they
+	# may have been created when compiling PIC objects.
+	removelist=
+	tempremovelist=`$ECHO "$output_objdir/*"`
+	for p in $tempremovelist; do
+	  case $p in
+	    *.$objext)
+	       ;;
+	    $output_objdir/$outputname | $output_objdir/$libname.* | $output_objdir/${libname}${release}.*)
+	       if test "X$precious_files_regex" != "X"; then
+		 if $ECHO "$p" | $EGREP -e "$precious_files_regex" >/dev/null 2>&1
+		 then
+		   continue
+		 fi
+	       fi
+	       removelist="$removelist $p"
+	       ;;
+	    *) ;;
+	  esac
+	done
+	test -n "$removelist" && \
+	  func_show_eval "${RM}r \$removelist"
+      fi
 
-  if (patlen <= len)
-  {
-    str += len - patlen;
-    if (strcmp(str, pat) == 0)
-      *str = '\0';
-  }
-  return str;
-}
+      # Now set the variables for building old libraries.
+      if test "$build_old_libs" = yes && test "$build_libtool_libs" != convenience ; then
+	oldlibs="$oldlibs $output_objdir/$libname.$libext"
 
-static void
-lt_error_core (int exit_status, const char * mode,
-          const char * message, va_list ap)
-{
-  fprintf (stderr, "%s: %s: ", program_name, mode);
-  vfprintf (stderr, message, ap);
-  fprintf (stderr, ".\n");
+	# Transform .lo files to .o files.
+	oldobjs="$objs "`$ECHO "X$libobjs" | $SP2NL | $Xsed -e '/\.'${libext}'$/d' -e "$lo2o" | $NL2SP`
+      fi
 
-  if (exit_status >= 0)
-    exit (exit_status);
-}
+      # Eliminate all temporary directories.
+      #for path in $notinst_path; do
+      #	lib_search_path=`$ECHO "X$lib_search_path " | $Xsed -e "s% $path % %g"`
+      #	deplibs=`$ECHO "X$deplibs " | $Xsed -e "s% -L$path % %g"`
+      #	dependency_libs=`$ECHO "X$dependency_libs " | $Xsed -e "s% -L$path % %g"`
+      #done
 
-void
-lt_fatal (const char *message, ...)
-{
-  va_list ap;
-  va_start (ap, message);
-  lt_error_core (EXIT_FAILURE, "FATAL", message, ap);
-  va_end (ap);
-}
-EOF
-          # we should really use a build-platform specific compiler
-          # here, but OTOH, the wrappers (shell script and this C one)
-          # are only useful if you want to execute the "real" binary.
-          # Since the "real" binary is built for $host, then this
-          # wrapper might as well be built for $host, too.
-          $run $LTCC $LTCFLAGS -s -o $cwrapper $cwrappersource
-          ;;
-        esac
-        $rm $output
-        trap "$rm $output; exit $EXIT_FAILURE" 1 2 15
-
-	$echo > $output "\
-#! $SHELL
+      if test -n "$xrpath"; then
+	# If the user specified any rpath flags, then add them.
+	temp_xrpath=
+	for libdir in $xrpath; do
+	  temp_xrpath="$temp_xrpath -R$libdir"
+	  case "$finalize_rpath " in
+	  *" $libdir "*) ;;
+	  *) finalize_rpath="$finalize_rpath $libdir" ;;
+	  esac
+	done
+	if test "$hardcode_into_libs" != yes || test "$build_old_libs" = yes; then
+	  dependency_libs="$temp_xrpath $dependency_libs"
+	fi
+      fi
 
-# $output - temporary wrapper script for $objdir/$outputname
-# Generated by $PROGRAM - GNU $PACKAGE $VERSION$TIMESTAMP
-#
-# The $output program cannot be directly executed until all the libtool
-# libraries that it depends on are installed.
-#
-# This wrapper script should never be moved out of the build directory.
-# If it is, it will not operate correctly.
+      # Make sure dlfiles contains only unique files that won't be dlpreopened
+      old_dlfiles="$dlfiles"
+      dlfiles=
+      for lib in $old_dlfiles; do
+	case " $dlprefiles $dlfiles " in
+	*" $lib "*) ;;
+	*) dlfiles="$dlfiles $lib" ;;
+	esac
+      done
 
-# Sed substitution that helps us do robust quoting.  It backslashifies
-# metacharacters that are still active within double-quoted strings.
-Xsed='${SED} -e 1s/^X//'
-sed_quote_subst='$sed_quote_subst'
+      # Make sure dlprefiles contains only unique files
+      old_dlprefiles="$dlprefiles"
+      dlprefiles=
+      for lib in $old_dlprefiles; do
+	case "$dlprefiles " in
+	*" $lib "*) ;;
+	*) dlprefiles="$dlprefiles $lib" ;;
+	esac
+      done
 
-# Be Bourne compatible (taken from Autoconf:_AS_BOURNE_COMPATIBLE).
-if test -n \"\${ZSH_VERSION+set}\" && (emulate sh) >/dev/null 2>&1; then
-  emulate sh
-  NULLCMD=:
-  # Zsh 3.x and 4.x performs word splitting on \${1+\"\$@\"}, which
-  # is contrary to our usage.  Disable this feature.
-  alias -g '\${1+\"\$@\"}'='\"\$@\"'
-  setopt NO_GLOB_SUBST
-else
-  case \`(set -o) 2>/dev/null\` in *posix*) set -o posix;; esac
-fi
-BIN_SH=xpg4; export BIN_SH # for Tru64
-DUALCASE=1; export DUALCASE # for MKS sh
+      if test "$build_libtool_libs" = yes; then
+	if test -n "$rpath"; then
+	  case $host in
+	  *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2* | *-*-beos*)
+	    # these systems don't actually have a c library (as such)!
+	    ;;
+	  *-*-rhapsody* | *-*-darwin1.[012])
+	    # Rhapsody C library is in the System framework
+	    deplibs="$deplibs System.ltframework"
+	    ;;
+	  *-*-netbsd*)
+	    # Don't link with libc until the a.out ld.so is fixed.
+	    ;;
+	  *-*-openbsd* | *-*-freebsd* | *-*-dragonfly*)
+	    # Do not include libc due to us having libc/libc_r.
+	    ;;
+	  *-*-sco3.2v5* | *-*-sco5v6*)
+	    # Causes problems with __ctype
+	    ;;
+	  *-*-sysv4.2uw2* | *-*-sysv5* | *-*-unixware* | *-*-OpenUNIX*)
+	    # Compiler inserts libc in the correct place for threads to work
+	    ;;
+	  *)
+	    # Add libc to deplibs on all other systems if necessary.
+	    if test "$build_libtool_need_lc" = "yes"; then
+	      deplibs="$deplibs -lc"
+	    fi
+	    ;;
+	  esac
+	fi
 
-# The HP-UX ksh and POSIX shell print the target directory to stdout
-# if CDPATH is set.
-(unset CDPATH) >/dev/null 2>&1 && unset CDPATH
+	# Transform deplibs into only deplibs that can be linked in shared.
+	name_save=$name
+	libname_save=$libname
+	release_save=$release
+	versuffix_save=$versuffix
+	major_save=$major
+	# I'm not sure if I'm treating the release correctly.  I think
+	# release should show up in the -l (ie -lgmp5) so we don't want to
+	# add it in twice.  Is that correct?
+	release=""
+	versuffix=""
+	major=""
+	newdeplibs=
+	droppeddeps=no
+	case $deplibs_check_method in
+	pass_all)
+	  # Don't check for shared/static.  Everything works.
+	  # This might be a little naive.  We might want to check
+	  # whether the library exists or not.  But this is on
+	  # osf3 & osf4 and I'm not really sure... Just
+	  # implementing what was already the behavior.
+	  newdeplibs=$deplibs
+	  ;;
+	test_compile)
+	  # This code stresses the "libraries are programs" paradigm to its
+	  # limits. Maybe even breaks it.  We compile a program, linking it
+	  # against the deplibs as a proxy for the library.  Then we can check
+	  # whether they linked in statically or dynamically with ldd.
+	  $opt_dry_run || $RM conftest.c
+	  cat > conftest.c <<EOF
+	  int main() { return 0; }
+EOF
+	  $opt_dry_run || $RM conftest
+	  if $LTCC $LTCFLAGS -o conftest conftest.c $deplibs; then
+	    ldd_output=`ldd conftest`
+	    for i in $deplibs; do
+	      case $i in
+	      -l*)
+		func_stripname -l '' "$i"
+		name=$func_stripname_result
+		if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then
+		  case " $predeps $postdeps " in
+		  *" $i "*)
+		    newdeplibs="$newdeplibs $i"
+		    i=""
+		    ;;
+		  esac
+		fi
+		if test -n "$i" ; then
+		  libname=`eval "\\$ECHO \"$libname_spec\""`
+		  deplib_matches=`eval "\\$ECHO \"$library_names_spec\""`
+		  set dummy $deplib_matches; shift
+		  deplib_match=$1
+		  if test `expr "$ldd_output" : ".*$deplib_match"` -ne 0 ; then
+		    newdeplibs="$newdeplibs $i"
+		  else
+		    droppeddeps=yes
+		    $ECHO
+		    $ECHO "*** Warning: dynamic linker does not accept needed library $i."
+		    $ECHO "*** I have the capability to make that library automatically link in when"
+		    $ECHO "*** you link to this library.  But I can only do this if you have a"
+		    $ECHO "*** shared version of the library, which I believe you do not have"
+		    $ECHO "*** because a test_compile did reveal that the linker did not use it for"
+		    $ECHO "*** its dynamic dependency list that programs get resolved with at runtime."
+		  fi
+		fi
+		;;
+	      *)
+		newdeplibs="$newdeplibs $i"
+		;;
+	      esac
+	    done
+	  else
+	    # Error occurred in the first compile.  Let's try to salvage
+	    # the situation: Compile a separate program for each library.
+	    for i in $deplibs; do
+	      case $i in
+	      -l*)
+		func_stripname -l '' "$i"
+		name=$func_stripname_result
+		$opt_dry_run || $RM conftest
+		if $LTCC $LTCFLAGS -o conftest conftest.c $i; then
+		  ldd_output=`ldd conftest`
+		  if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then
+		    case " $predeps $postdeps " in
+		    *" $i "*)
+		      newdeplibs="$newdeplibs $i"
+		      i=""
+		      ;;
+		    esac
+		  fi
+		  if test -n "$i" ; then
+		    libname=`eval "\\$ECHO \"$libname_spec\""`
+		    deplib_matches=`eval "\\$ECHO \"$library_names_spec\""`
+		    set dummy $deplib_matches; shift
+		    deplib_match=$1
+		    if test `expr "$ldd_output" : ".*$deplib_match"` -ne 0 ; then
+		      newdeplibs="$newdeplibs $i"
+		    else
+		      droppeddeps=yes
+		      $ECHO
+		      $ECHO "*** Warning: dynamic linker does not accept needed library $i."
+		      $ECHO "*** I have the capability to make that library automatically link in when"
+		      $ECHO "*** you link to this library.  But I can only do this if you have a"
+		      $ECHO "*** shared version of the library, which you do not appear to have"
+		      $ECHO "*** because a test_compile did reveal that the linker did not use this one"
+		      $ECHO "*** as a dynamic dependency that programs can get resolved with at runtime."
+		    fi
+		  fi
+		else
+		  droppeddeps=yes
+		  $ECHO
+		  $ECHO "*** Warning!  Library $i is needed by this library but I was not able to"
+		  $ECHO "*** make it link in!  You will probably need to install it or some"
+		  $ECHO "*** library that it depends on before this library will be fully"
+		  $ECHO "*** functional.  Installing it before continuing would be even better."
+		fi
+		;;
+	      *)
+		newdeplibs="$newdeplibs $i"
+		;;
+	      esac
+	    done
+	  fi
+	  ;;
+	file_magic*)
+	  set dummy $deplibs_check_method; shift
+	  file_magic_regex=`expr "$deplibs_check_method" : "$1 \(.*\)"`
+	  for a_deplib in $deplibs; do
+	    case $a_deplib in
+	    -l*)
+	      func_stripname -l '' "$a_deplib"
+	      name=$func_stripname_result
+	      if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then
+		case " $predeps $postdeps " in
+		*" $a_deplib "*)
+		  newdeplibs="$newdeplibs $a_deplib"
+		  a_deplib=""
+		  ;;
+		esac
+	      fi
+	      if test -n "$a_deplib" ; then
+		libname=`eval "\\$ECHO \"$libname_spec\""`
+		for i in $lib_search_path $sys_lib_search_path $shlib_search_path; do
+		  potential_libs=`ls $i/$libname[.-]* 2>/dev/null`
+		  for potent_lib in $potential_libs; do
+		      # Follow soft links.
+		      if ls -lLd "$potent_lib" 2>/dev/null |
+			 $GREP " -> " >/dev/null; then
+			continue
+		      fi
+		      # The statement above tries to avoid entering an
+		      # endless loop below, in case of cyclic links.
+		      # We might still enter an endless loop, since a link
+		      # loop can be closed while we follow links,
+		      # but so what?
+		      potlib="$potent_lib"
+		      while test -h "$potlib" 2>/dev/null; do
+			potliblink=`ls -ld $potlib | ${SED} 's/.* -> //'`
+			case $potliblink in
+			[\\/]* | [A-Za-z]:[\\/]*) potlib="$potliblink";;
+			*) potlib=`$ECHO "X$potlib" | $Xsed -e 's,[^/]*$,,'`"$potliblink";;
+			esac
+		      done
+		      if eval $file_magic_cmd \"\$potlib\" 2>/dev/null |
+			 $SED -e 10q |
+			 $EGREP "$file_magic_regex" > /dev/null; then
+			newdeplibs="$newdeplibs $a_deplib"
+			a_deplib=""
+			break 2
+		      fi
+		  done
+		done
+	      fi
+	      if test -n "$a_deplib" ; then
+		droppeddeps=yes
+		$ECHO
+		$ECHO "*** Warning: linker path does not have real file for library $a_deplib."
+		$ECHO "*** I have the capability to make that library automatically link in when"
+		$ECHO "*** you link to this library.  But I can only do this if you have a"
+		$ECHO "*** shared version of the library, which you do not appear to have"
+		$ECHO "*** because I did check the linker path looking for a file starting"
+		if test -z "$potlib" ; then
+		  $ECHO "*** with $libname but no candidates were found. (...for file magic test)"
+		else
+		  $ECHO "*** with $libname and none of the candidates passed a file format test"
+		  $ECHO "*** using a file magic. Last file checked: $potlib"
+		fi
+	      fi
+	      ;;
+	    *)
+	      # Add a -L argument.
+	      newdeplibs="$newdeplibs $a_deplib"
+	      ;;
+	    esac
+	  done # Gone through all deplibs.
+	  ;;
+	match_pattern*)
+	  set dummy $deplibs_check_method; shift
+	  match_pattern_regex=`expr "$deplibs_check_method" : "$1 \(.*\)"`
+	  for a_deplib in $deplibs; do
+	    case $a_deplib in
+	    -l*)
+	      func_stripname -l '' "$a_deplib"
+	      name=$func_stripname_result
+	      if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then
+		case " $predeps $postdeps " in
+		*" $a_deplib "*)
+		  newdeplibs="$newdeplibs $a_deplib"
+		  a_deplib=""
+		  ;;
+		esac
+	      fi
+	      if test -n "$a_deplib" ; then
+		libname=`eval "\\$ECHO \"$libname_spec\""`
+		for i in $lib_search_path $sys_lib_search_path $shlib_search_path; do
+		  potential_libs=`ls $i/$libname[.-]* 2>/dev/null`
+		  for potent_lib in $potential_libs; do
+		    potlib="$potent_lib" # see symlink-check above in file_magic test
+		    if eval "\$ECHO \"X$potent_lib\"" 2>/dev/null | $Xsed -e 10q | \
+		       $EGREP "$match_pattern_regex" > /dev/null; then
+		      newdeplibs="$newdeplibs $a_deplib"
+		      a_deplib=""
+		      break 2
+		    fi
+		  done
+		done
+	      fi
+	      if test -n "$a_deplib" ; then
+		droppeddeps=yes
+		$ECHO
+		$ECHO "*** Warning: linker path does not have real file for library $a_deplib."
+		$ECHO "*** I have the capability to make that library automatically link in when"
+		$ECHO "*** you link to this library.  But I can only do this if you have a"
+		$ECHO "*** shared version of the library, which you do not appear to have"
+		$ECHO "*** because I did check the linker path looking for a file starting"
+		if test -z "$potlib" ; then
+		  $ECHO "*** with $libname but no candidates were found. (...for regex pattern test)"
+		else
+		  $ECHO "*** with $libname and none of the candidates passed a file format test"
+		  $ECHO "*** using a regex pattern. Last file checked: $potlib"
+		fi
+	      fi
+	      ;;
+	    *)
+	      # Add a -L argument.
+	      newdeplibs="$newdeplibs $a_deplib"
+	      ;;
+	    esac
+	  done # Gone through all deplibs.
+	  ;;
+	none | unknown | *)
+	  newdeplibs=""
+	  tmp_deplibs=`$ECHO "X $deplibs" | $Xsed \
+	      -e 's/ -lc$//' -e 's/ -[LR][^ ]*//g'`
+	  if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then
+	    for i in $predeps $postdeps ; do
+	      # can't use Xsed below, because $i might contain '/'
+	      tmp_deplibs=`$ECHO "X $tmp_deplibs" | $Xsed -e "s,$i,,"`
+	    done
+	  fi
+	  if $ECHO "X $tmp_deplibs" | $Xsed -e 's/[	 ]//g' |
+	     $GREP . >/dev/null; then
+	    $ECHO
+	    if test "X$deplibs_check_method" = "Xnone"; then
+	      $ECHO "*** Warning: inter-library dependencies are not supported in this platform."
+	    else
+	      $ECHO "*** Warning: inter-library dependencies are not known to be supported."
+	    fi
+	    $ECHO "*** All declared inter-library dependencies are being dropped."
+	    droppeddeps=yes
+	  fi
+	  ;;
+	esac
+	versuffix=$versuffix_save
+	major=$major_save
+	release=$release_save
+	libname=$libname_save
+	name=$name_save
 
-relink_command=\"$relink_command\"
+	case $host in
+	*-*-rhapsody* | *-*-darwin1.[012])
+	  # On Rhapsody replace the C library with the System framework
+	  newdeplibs=`$ECHO "X $newdeplibs" | $Xsed -e 's/ -lc / System.ltframework /'`
+	  ;;
+	esac
 
-# This environment variable determines our operation mode.
-if test \"\$libtool_install_magic\" = \"$magic\"; then
-  # install mode needs the following variable:
-  notinst_deplibs='$notinst_deplibs'
-else
-  # When we are sourced in execute mode, \$file and \$echo are already set.
-  if test \"\$libtool_execute_magic\" != \"$magic\"; then
-    echo=\"$qecho\"
-    file=\"\$0\"
-    # Make sure echo works.
-    if test \"X\$1\" = X--no-reexec; then
-      # Discard the --no-reexec flag, and continue.
-      shift
-    elif test \"X\`(\$echo '\t') 2>/dev/null\`\" = 'X\t'; then
-      # Yippee, \$echo works!
-      :
-    else
-      # Restart under the correct shell, and then maybe \$echo will work.
-      exec $SHELL \"\$0\" --no-reexec \${1+\"\$@\"}
-    fi
-  fi\
-"
-	$echo >> $output "\
+	if test "$droppeddeps" = yes; then
+	  if test "$module" = yes; then
+	    $ECHO
+	    $ECHO "*** Warning: libtool could not satisfy all declared inter-library"
+	    $ECHO "*** dependencies of module $libname.  Therefore, libtool will create"
+	    $ECHO "*** a static module, that should work as long as the dlopening"
+	    $ECHO "*** application is linked with the -dlopen flag."
+	    if test -z "$global_symbol_pipe"; then
+	      $ECHO
+	      $ECHO "*** However, this would only work if libtool was able to extract symbol"
+	      $ECHO "*** lists from a program, using \`nm' or equivalent, but libtool could"
+	      $ECHO "*** not find such a program.  So, this module is probably useless."
+	      $ECHO "*** \`nm' from GNU binutils and a full rebuild may help."
+	    fi
+	    if test "$build_old_libs" = no; then
+	      oldlibs="$output_objdir/$libname.$libext"
+	      build_libtool_libs=module
+	      build_old_libs=yes
+	    else
+	      build_libtool_libs=no
+	    fi
+	  else
+	    $ECHO "*** The inter-library dependencies that have been dropped here will be"
+	    $ECHO "*** automatically added whenever a program is linked with this library"
+	    $ECHO "*** or is declared to -dlopen it."
 
-  # Find the directory that this script lives in.
-  thisdir=\`\$echo \"X\$file\" | \$Xsed -e 's%/[^/]*$%%'\`
-  test \"x\$thisdir\" = \"x\$file\" && thisdir=.
+	    if test "$allow_undefined" = no; then
+	      $ECHO
+	      $ECHO "*** Since this library must not contain undefined symbols,"
+	      $ECHO "*** because either the platform does not support them or"
+	      $ECHO "*** it was explicitly requested with -no-undefined,"
+	      $ECHO "*** libtool will only create a static version of it."
+	      if test "$build_old_libs" = no; then
+		oldlibs="$output_objdir/$libname.$libext"
+		build_libtool_libs=module
+		build_old_libs=yes
+	      else
+		build_libtool_libs=no
+	      fi
+	    fi
+	  fi
+	fi
+	# Done checking deplibs!
+	deplibs=$newdeplibs
+      fi
+      # Time to change all our "foo.ltframework" stuff back to "-framework foo"
+      case $host in
+	*-*-darwin*)
+	  newdeplibs=`$ECHO "X $newdeplibs" | $Xsed -e 's% \([^ $]*\).ltframework% -framework \1%g'`
+	  new_inherited_linker_flags=`$ECHO "X $new_inherited_linker_flags" | $Xsed -e 's% \([^ $]*\).ltframework% -framework \1%g'`
+	  deplibs=`$ECHO "X $deplibs" | $Xsed -e 's% \([^ $]*\).ltframework% -framework \1%g'`
+	  ;;
+      esac
 
-  # Follow symbolic links until we get to the real thisdir.
-  file=\`ls -ld \"\$file\" | ${SED} -n 's/.*-> //p'\`
-  while test -n \"\$file\"; do
-    destdir=\`\$echo \"X\$file\" | \$Xsed -e 's%/[^/]*\$%%'\`
+      # move library search paths that coincide with paths to not yet
+      # installed libraries to the beginning of the library search list
+      new_libs=
+      for path in $notinst_path; do
+	case " $new_libs " in
+	*" -L$path/$objdir "*) ;;
+	*)
+	  case " $deplibs " in
+	  *" -L$path/$objdir "*)
+	    new_libs="$new_libs -L$path/$objdir" ;;
+	  esac
+	  ;;
+	esac
+      done
+      for deplib in $deplibs; do
+	case $deplib in
+	-L*)
+	  case " $new_libs " in
+	  *" $deplib "*) ;;
+	  *) new_libs="$new_libs $deplib" ;;
+	  esac
+	  ;;
+	*) new_libs="$new_libs $deplib" ;;
+	esac
+      done
+      deplibs="$new_libs"
 
-    # If there was a directory component, then change thisdir.
-    if test \"x\$destdir\" != \"x\$file\"; then
-      case \"\$destdir\" in
-      [\\\\/]* | [A-Za-z]:[\\\\/]*) thisdir=\"\$destdir\" ;;
-      *) thisdir=\"\$thisdir/\$destdir\" ;;
-      esac
-    fi
+      # All the library-specific variables (install_libdir is set above).
+      library_names=
+      old_library=
+      dlname=
 
-    file=\`\$echo \"X\$file\" | \$Xsed -e 's%^.*/%%'\`
-    file=\`ls -ld \"\$thisdir/\$file\" | ${SED} -n 's/.*-> //p'\`
-  done
+      # Test again, we may have decided not to build it any more
+      if test "$build_libtool_libs" = yes; then
+	if test "$hardcode_into_libs" = yes; then
+	  # Hardcode the library paths
+	  hardcode_libdirs=
+	  dep_rpath=
+	  rpath="$finalize_rpath"
+	  test "$mode" != relink && rpath="$compile_rpath$rpath"
+	  for libdir in $rpath; do
+	    if test -n "$hardcode_libdir_flag_spec"; then
+	      if test -n "$hardcode_libdir_separator"; then
+		if test -z "$hardcode_libdirs"; then
+		  hardcode_libdirs="$libdir"
+		else
+		  # Just accumulate the unique libdirs.
+		  case $hardcode_libdir_separator$hardcode_libdirs$hardcode_libdir_separator in
+		  *"$hardcode_libdir_separator$libdir$hardcode_libdir_separator"*)
+		    ;;
+		  *)
+		    hardcode_libdirs="$hardcode_libdirs$hardcode_libdir_separator$libdir"
+		    ;;
+		  esac
+		fi
+	      else
+		eval flag=\"$hardcode_libdir_flag_spec\"
+		dep_rpath="$dep_rpath $flag"
+	      fi
+	    elif test -n "$runpath_var"; then
+	      case "$perm_rpath " in
+	      *" $libdir "*) ;;
+	      *) perm_rpath="$perm_rpath $libdir" ;;
+	      esac
+	    fi
+	  done
+	  # Substitute the hardcoded libdirs into the rpath.
+	  if test -n "$hardcode_libdir_separator" &&
+	     test -n "$hardcode_libdirs"; then
+	    libdir="$hardcode_libdirs"
+	    if test -n "$hardcode_libdir_flag_spec_ld"; then
+	      eval dep_rpath=\"$hardcode_libdir_flag_spec_ld\"
+	    else
+	      eval dep_rpath=\"$hardcode_libdir_flag_spec\"
+	    fi
+	  fi
+	  if test -n "$runpath_var" && test -n "$perm_rpath"; then
+	    # We should set the runpath_var.
+	    rpath=
+	    for dir in $perm_rpath; do
+	      rpath="$rpath$dir:"
+	    done
+	    eval "$runpath_var='$rpath\$$runpath_var'; export $runpath_var"
+	  fi
+	  test -n "$dep_rpath" && deplibs="$dep_rpath $deplibs"
+	fi
 
-  # Try to get the absolute directory name.
-  absdir=\`cd \"\$thisdir\" && pwd\`
-  test -n \"\$absdir\" && thisdir=\"\$absdir\"
-"
+	shlibpath="$finalize_shlibpath"
+	test "$mode" != relink && shlibpath="$compile_shlibpath$shlibpath"
+	if test -n "$shlibpath"; then
+	  eval "$shlibpath_var='$shlibpath\$$shlibpath_var'; export $shlibpath_var"
+	fi
 
-	if test "$fast_install" = yes; then
-	  $echo >> $output "\
-  program=lt-'$outputname'$exeext
-  progdir=\"\$thisdir/$objdir\"
+	# Get the real and link names of the library.
+	eval shared_ext=\"$shrext_cmds\"
+	eval library_names=\"$library_names_spec\"
+	set dummy $library_names
+	shift
+	realname="$1"
+	shift
 
-  if test ! -f \"\$progdir/\$program\" || \\
-     { file=\`ls -1dt \"\$progdir/\$program\" \"\$progdir/../\$program\" 2>/dev/null | ${SED} 1q\`; \\
-       test \"X\$file\" != \"X\$progdir/\$program\"; }; then
+	if test -n "$soname_spec"; then
+	  eval soname=\"$soname_spec\"
+	else
+	  soname="$realname"
+	fi
+	if test -z "$dlname"; then
+	  dlname=$soname
+	fi
 
-    file=\"\$\$-\$program\"
+	lib="$output_objdir/$realname"
+	linknames=
+	for link
+	do
+	  linknames="$linknames $link"
+	done
 
-    if test ! -d \"\$progdir\"; then
-      $mkdir \"\$progdir\"
-    else
-      $rm \"\$progdir/\$file\"
-    fi"
+	# Use standard objects if they are pic
+	test -z "$pic_flag" && libobjs=`$ECHO "X$libobjs" | $SP2NL | $Xsed -e "$lo2o" | $NL2SP`
+	test "X$libobjs" = "X " && libobjs=
 
-	  $echo >> $output "\
+	delfiles=
+	if test -n "$export_symbols" && test -n "$include_expsyms"; then
+	  $opt_dry_run || cp "$export_symbols" "$output_objdir/$libname.uexp"
+	  export_symbols="$output_objdir/$libname.uexp"
+	  delfiles="$delfiles $export_symbols"
+	fi
 
-    # relink executable if necessary
-    if test -n \"\$relink_command\"; then
-      if relink_command_output=\`eval \$relink_command 2>&1\`; then :
-      else
-	$echo \"\$relink_command_output\" >&2
-	$rm \"\$progdir/\$file\"
-	exit $EXIT_FAILURE
-      fi
-    fi
+	orig_export_symbols=
+	case $host_os in
+	cygwin* | mingw*)
+	  if test -n "$export_symbols" && test -z "$export_symbols_regex"; then
+	    # exporting using user supplied symfile
+	    if test "x`$SED 1q $export_symbols`" != xEXPORTS; then
+	      # and it's NOT already a .def file. Must figure out
+	      # which of the given symbols are data symbols and tag
+	      # them as such. So, trigger use of export_symbols_cmds.
+	      # export_symbols gets reassigned inside the "prepare
+	      # the list of exported symbols" if statement, so the
+	      # include_expsyms logic still works.
+	      orig_export_symbols="$export_symbols"
+	      export_symbols=
+	      always_export_symbols=yes
+	    fi
+	  fi
+	  ;;
+	esac
 
-    $mv \"\$progdir/\$file\" \"\$progdir/\$program\" 2>/dev/null ||
-    { $rm \"\$progdir/\$program\";
-      $mv \"\$progdir/\$file\" \"\$progdir/\$program\"; }
-    $rm \"\$progdir/\$file\"
-  fi"
-	else
-	  $echo >> $output "\
-  program='$outputname'
-  progdir=\"\$thisdir/$objdir\"
-"
+	# Prepare the list of exported symbols
+	if test -z "$export_symbols"; then
+	  if test "$always_export_symbols" = yes || test -n "$export_symbols_regex"; then
+	    func_verbose "generating symbol list for \`$libname.la'"
+	    export_symbols="$output_objdir/$libname.exp"
+	    $opt_dry_run || $RM $export_symbols
+	    cmds=$export_symbols_cmds
+	    save_ifs="$IFS"; IFS='~'
+	    for cmd in $cmds; do
+	      IFS="$save_ifs"
+	      eval cmd=\"$cmd\"
+	      func_len " $cmd"
+	      len=$func_len_result
+	      if test "$len" -lt "$max_cmd_len" || test "$max_cmd_len" -le -1; then
+		func_show_eval "$cmd" 'exit $?'
+		skipped_export=false
+	      else
+		# The command line is too long to execute in one step.
+		func_verbose "using reloadable object file for export list..."
+		skipped_export=:
+		# Break out early, otherwise skipped_export may be
+		# set to false by a later but shorter cmd.
+		break
+	      fi
+	    done
+	    IFS="$save_ifs"
+	    if test -n "$export_symbols_regex" && test "X$skipped_export" != "X:"; then
+	      func_show_eval '$EGREP -e "$export_symbols_regex" "$export_symbols" > "${export_symbols}T"'
+	      func_show_eval '$MV "${export_symbols}T" "$export_symbols"'
+	    fi
+	  fi
 	fi
 
-	$echo >> $output "\
+	if test -n "$export_symbols" && test -n "$include_expsyms"; then
+	  tmp_export_symbols="$export_symbols"
+	  test -n "$orig_export_symbols" && tmp_export_symbols="$orig_export_symbols"
+	  $opt_dry_run || eval '$ECHO "X$include_expsyms" | $Xsed | $SP2NL >> "$tmp_export_symbols"'
+	fi
 
-  if test -f \"\$progdir/\$program\"; then"
+	if test "X$skipped_export" != "X:" && test -n "$orig_export_symbols"; then
+	  # The given exports_symbols file has to be filtered, so filter it.
+	  func_verbose "filter symbol list for \`$libname.la' to tag DATA exports"
+	  # FIXME: $output_objdir/$libname.filter potentially contains lots of
+	  # 's' commands which not all seds can handle. GNU sed should be fine
+	  # though. Also, the filter scales superlinearly with the number of
+	  # global variables. join(1) would be nice here, but unfortunately
+	  # isn't a blessed tool.
+	  $opt_dry_run || $SED -e '/[ ,]DATA/!d;s,\(.*\)\([ \,].*\),s|^\1$|\1\2|,' < $export_symbols > $output_objdir/$libname.filter
+	  delfiles="$delfiles $export_symbols $output_objdir/$libname.filter"
+	  export_symbols=$output_objdir/$libname.def
+	  $opt_dry_run || $SED -f $output_objdir/$libname.filter < $orig_export_symbols > $export_symbols
+	fi
 
-	# Export our shlibpath_var if we have one.
-	if test "$shlibpath_overrides_runpath" = yes && test -n "$shlibpath_var" && test -n "$temp_rpath"; then
-	  $echo >> $output "\
-    # Add our own library path to $shlibpath_var
-    $shlibpath_var=\"$temp_rpath\$$shlibpath_var\"
+	tmp_deplibs=
+	for test_deplib in $deplibs; do
+	  case " $convenience " in
+	  *" $test_deplib "*) ;;
+	  *)
+	    tmp_deplibs="$tmp_deplibs $test_deplib"
+	    ;;
+	  esac
+	done
+	deplibs="$tmp_deplibs"
 
-    # Some systems cannot cope with colon-terminated $shlibpath_var
-    # The second colon is a workaround for a bug in BeOS R4 sed
-    $shlibpath_var=\`\$echo \"X\$$shlibpath_var\" | \$Xsed -e 's/::*\$//'\`
+	if test -n "$convenience"; then
+	  if test -n "$whole_archive_flag_spec" &&
+	    test "$compiler_needs_object" = yes &&
+	    test -z "$libobjs"; then
+	    # extract the archives, so we have objects to list.
+	    # TODO: could optimize this to just extract one archive.
+	    whole_archive_flag_spec=
+	  fi
+	  if test -n "$whole_archive_flag_spec"; then
+	    save_libobjs=$libobjs
+	    eval libobjs=\"\$libobjs $whole_archive_flag_spec\"
+	    test "X$libobjs" = "X " && libobjs=
+	  else
+	    gentop="$output_objdir/${outputname}x"
+	    generated="$generated $gentop"
 
-    export $shlibpath_var
-"
+	    func_extract_archives $gentop $convenience
+	    libobjs="$libobjs $func_extract_archives_result"
+	    test "X$libobjs" = "X " && libobjs=
+	  fi
 	fi
 
-	# fixup the dll searchpath if we need to.
-	if test -n "$dllsearchpath"; then
-	  $echo >> $output "\
-    # Add the dll search path components to the executable PATH
-    PATH=$dllsearchpath:\$PATH
-"
+	if test "$thread_safe" = yes && test -n "$thread_safe_flag_spec"; then
+	  eval flag=\"$thread_safe_flag_spec\"
+	  linker_flags="$linker_flags $flag"
 	fi
 
-	$echo >> $output "\
-    if test \"\$libtool_execute_magic\" != \"$magic\"; then
-      # Run the actual program with our arguments.
-"
-	case $host in
-	# Backslashes separate directories on plain windows
-	*-*-mingw | *-*-os2*)
-	  $echo >> $output "\
-      exec \"\$progdir\\\\\$program\" \${1+\"\$@\"}
-"
-	  ;;
-
-	*)
-	  $echo >> $output "\
-      exec \"\$progdir/\$program\" \${1+\"\$@\"}
-"
-	  ;;
-	esac
-	$echo >> $output "\
-      \$echo \"\$0: cannot exec \$program \$*\"
-      exit $EXIT_FAILURE
-    fi
-  else
-    # The program doesn't exist.
-    \$echo \"\$0: error: \\\`\$progdir/\$program' does not exist\" 1>&2
-    \$echo \"This script is just a wrapper for \$program.\" 1>&2
-    $echo \"See the $PACKAGE documentation for more information.\" 1>&2
-    exit $EXIT_FAILURE
-  fi
-fi\
-"
-	chmod +x $output
-      fi
-      exit $EXIT_SUCCESS
-      ;;
-    esac
-
-    # See if we need to build an old-fashioned archive.
-    for oldlib in $oldlibs; do
+	# Make a backup of the uninstalled library when relinking
+	if test "$mode" = relink; then
+	  $opt_dry_run || eval '(cd $output_objdir && $RM ${realname}U && $MV $realname ${realname}U)' || exit $?
+	fi
 
-      if test "$build_libtool_libs" = convenience; then
-	oldobjs="$libobjs_save"
-	addlibs="$convenience"
-	build_libtool_libs=no
-      else
-	if test "$build_libtool_libs" = module; then
-	  oldobjs="$libobjs_save"
-	  build_libtool_libs=no
+	# Do each of the archive commands.
+	if test "$module" = yes && test -n "$module_cmds" ; then
+	  if test -n "$export_symbols" && test -n "$module_expsym_cmds"; then
+	    eval test_cmds=\"$module_expsym_cmds\"
+	    cmds=$module_expsym_cmds
+	  else
+	    eval test_cmds=\"$module_cmds\"
+	    cmds=$module_cmds
+	  fi
 	else
-	  oldobjs="$old_deplibs $non_pic_objects"
+	  if test -n "$export_symbols" && test -n "$archive_expsym_cmds"; then
+	    eval test_cmds=\"$archive_expsym_cmds\"
+	    cmds=$archive_expsym_cmds
+	  else
+	    eval test_cmds=\"$archive_cmds\"
+	    cmds=$archive_cmds
+	  fi
 	fi
-	addlibs="$old_convenience"
-      fi
 
-      if test -n "$addlibs"; then
-	gentop="$output_objdir/${outputname}x"
-	generated="$generated $gentop"
+	if test "X$skipped_export" != "X:" &&
+	   func_len " $test_cmds" &&
+	   len=$func_len_result &&
+	   test "$len" -lt "$max_cmd_len" || test "$max_cmd_len" -le -1; then
+	  :
+	else
+	  # The command line is too long to link in one step, link piecewise
+	  # or, if using GNU ld and skipped_export is not :, use a linker
+	  # script.
 
-	func_extract_archives $gentop $addlibs
-	oldobjs="$oldobjs $func_extract_archives_result"
-      fi
+	  # Save the value of $output and $libobjs because we want to
+	  # use them later.  If we have whole_archive_flag_spec, we
+	  # want to use save_libobjs as it was before
+	  # whole_archive_flag_spec was expanded, because we can't
+	  # assume the linker understands whole_archive_flag_spec.
+	  # This may have to be revisited, in case too many
+	  # convenience libraries get linked in and end up exceeding
+	  # the spec.
+	  if test -z "$convenience" || test -z "$whole_archive_flag_spec"; then
+	    save_libobjs=$libobjs
+	  fi
+	  save_output=$output
+	  output_la=`$ECHO "X$output" | $Xsed -e "$basename"`
 
-      # Do each command in the archive commands.
-      if test -n "$old_archive_from_new_cmds" && test "$build_libtool_libs" = yes; then
-       cmds=$old_archive_from_new_cmds
-      else
-	# POSIX demands no paths to be encoded in archives.  We have
-	# to avoid creating archives with duplicate basenames if we
-	# might have to extract them afterwards, e.g., when creating a
-	# static archive out of a convenience library, or when linking
-	# the entirety of a libtool archive into another (currently
-	# not supported by libtool).
-	if (for obj in $oldobjs
+	  # Clear the reloadable object creation command queue and
+	  # initialize k to one.
+	  test_cmds=
+	  concat_cmds=
+	  objlist=
+	  last_robj=
+	  k=1
+
+	  if test -n "$save_libobjs" && test "X$skipped_export" != "X:" && test "$with_gnu_ld" = yes; then
+	    output=${output_objdir}/${output_la}.lnkscript
+	    func_verbose "creating GNU ld script: $output"
+	    $ECHO 'INPUT (' > $output
+	    for obj in $save_libobjs
 	    do
-	      $echo "X$obj" | $Xsed -e 's%^.*/%%'
-	    done | sort | sort -uc >/dev/null 2>&1); then
-	  :
-	else
-	  $echo "copying selected object files to avoid basename conflicts..."
+	      $ECHO "$obj" >> $output
+	    done
+	    $ECHO ')' >> $output
+	    delfiles="$delfiles $output"
+	  elif test -n "$save_libobjs" && test "X$skipped_export" != "X:" && test "X$file_list_spec" != X; then
+	    output=${output_objdir}/${output_la}.lnk
+	    func_verbose "creating linker input file list: $output"
+	    : > $output
+	    set x $save_libobjs
+	    shift
+	    firstobj=
+	    if test "$compiler_needs_object" = yes; then
+	      firstobj="$1 "
+	      shift
+	    fi
+	    for obj
+	    do
+	      $ECHO "$obj" >> $output
+	    done
+	    delfiles="$delfiles $output"
+	    output=$firstobj\"$file_list_spec$output\"
+	  else
+	    if test -n "$save_libobjs"; then
+	      func_verbose "creating reloadable object files..."
+	      output=$output_objdir/$output_la-${k}.$objext
+	      eval test_cmds=\"$reload_cmds\"
+	      func_len " $test_cmds"
+	      len0=$func_len_result
+	      len=$len0
+
+	      # Loop over the list of objects to be linked.
+	      for obj in $save_libobjs
+	      do
+		func_len " $obj"
+		func_arith $len + $func_len_result
+		len=$func_arith_result
+		if test "X$objlist" = X ||
+		   test "$len" -lt "$max_cmd_len"; then
+		  func_append objlist " $obj"
+		else
+		  # The command $test_cmds is almost too long, add a
+		  # command to the queue.
+		  if test "$k" -eq 1 ; then
+		    # The first file doesn't have a previous command to add.
+		    eval concat_cmds=\"$reload_cmds $objlist $last_robj\"
+		  else
+		    # All subsequent reloadable object files will link in
+		    # the last one created.
+		    eval concat_cmds=\"\$concat_cmds~$reload_cmds $objlist $last_robj~\$RM $last_robj\"
+		  fi
+		  last_robj=$output_objdir/$output_la-${k}.$objext
+		  func_arith $k + 1
+		  k=$func_arith_result
+		  output=$output_objdir/$output_la-${k}.$objext
+		  objlist=$obj
+		  func_len " $last_robj"
+		  func_arith $len0 + $func_len_result
+		  len=$func_arith_result
+		fi
+	      done
+	      # Handle the remaining objects by creating one last
+	      # reloadable object file.  All subsequent reloadable object
+	      # files will link in the last one created.
+	      test -z "$concat_cmds" || concat_cmds=$concat_cmds~
+	      eval concat_cmds=\"\${concat_cmds}$reload_cmds $objlist $last_robj\"
+	      if test -n "$last_robj"; then
+	        eval concat_cmds=\"\${concat_cmds}~\$RM $last_robj\"
+	      fi
+	      delfiles="$delfiles $output"
 
-	  if test -z "$gentop"; then
-	    gentop="$output_objdir/${outputname}x"
-	    generated="$generated $gentop"
+	    else
+	      output=
+	    fi
 
-	    $show "${rm}r $gentop"
-	    $run ${rm}r "$gentop"
-	    $show "$mkdir $gentop"
-	    $run $mkdir "$gentop"
-	    exit_status=$?
-	    if test "$exit_status" -ne 0 && test ! -d "$gentop"; then
-	      exit $exit_status
+	    if ${skipped_export-false}; then
+	      func_verbose "generating symbol list for \`$libname.la'"
+	      export_symbols="$output_objdir/$libname.exp"
+	      $opt_dry_run || $RM $export_symbols
+	      libobjs=$output
+	      # Append the command to create the export file.
+	      test -z "$concat_cmds" || concat_cmds=$concat_cmds~
+	      eval concat_cmds=\"\$concat_cmds$export_symbols_cmds\"
+	      if test -n "$last_robj"; then
+		eval concat_cmds=\"\$concat_cmds~\$RM $last_robj\"
+	      fi
 	    fi
-	  fi
 
-	  save_oldobjs=$oldobjs
-	  oldobjs=
-	  counter=1
-	  for obj in $save_oldobjs
-	  do
-	    objbase=`$echo "X$obj" | $Xsed -e 's%^.*/%%'`
-	    case " $oldobjs " in
-	    " ") oldobjs=$obj ;;
-	    *[\ /]"$objbase "*)
-	      while :; do
-		# Make sure we don't pick an alternate name that also
-		# overlaps.
-		newobj=lt$counter-$objbase
-		counter=`expr $counter + 1`
-		case " $oldobjs " in
-		*[\ /]"$newobj "*) ;;
-		*) if test ! -f "$gentop/$newobj"; then break; fi ;;
-		esac
-	      done
-	      $show "ln $obj $gentop/$newobj || cp $obj $gentop/$newobj"
-	      $run ln "$obj" "$gentop/$newobj" ||
-	      $run cp "$obj" "$gentop/$newobj"
-	      oldobjs="$oldobjs $gentop/$newobj"
-	      ;;
-	    *) oldobjs="$oldobjs $obj" ;;
-	    esac
-	  done
-	fi
+	    test -n "$save_libobjs" &&
+	      func_verbose "creating a temporary reloadable object file: $output"
 
-	eval cmds=\"$old_archive_cmds\"
+	    # Loop through the commands generated above and execute them.
+	    save_ifs="$IFS"; IFS='~'
+	    for cmd in $concat_cmds; do
+	      IFS="$save_ifs"
+	      $opt_silent || {
+		  func_quote_for_expand "$cmd"
+		  eval "func_echo $func_quote_for_expand_result"
+	      }
+	      $opt_dry_run || eval "$cmd" || {
+		lt_exit=$?
+
+		# Restore the uninstalled library and exit
+		if test "$mode" = relink; then
+		  ( cd "$output_objdir" && \
+		    $RM "${realname}T" && \
+		    $MV "${realname}U" "$realname" )
+		fi
 
-	if len=`expr "X$cmds" : ".*"` &&
-	     test "$len" -le "$max_cmd_len" || test "$max_cmd_len" -le -1; then
-	  cmds=$old_archive_cmds
-	else
-	  # the command line is too long to link in one step, link in parts
-	  $echo "using piecewise archive linking..."
-	  save_RANLIB=$RANLIB
-	  RANLIB=:
-	  objlist=
-	  concat_cmds=
-	  save_oldobjs=$oldobjs
+		exit $lt_exit
+	      }
+	    done
+	    IFS="$save_ifs"
 
-	  # Is there a better way of finding the last object in the list?
-	  for obj in $save_oldobjs
-	  do
-	    last_oldobj=$obj
-	  done
-	  for obj in $save_oldobjs
-	  do
-	    oldobjs="$objlist $obj"
-	    objlist="$objlist $obj"
-	    eval test_cmds=\"$old_archive_cmds\"
-	    if len=`expr "X$test_cmds" : ".*" 2>/dev/null` &&
-	       test "$len" -le "$max_cmd_len"; then
-	      :
-	    else
-	      # the above command should be used before it gets too long
-	      oldobjs=$objlist
-	      if test "$obj" = "$last_oldobj" ; then
-	        RANLIB=$save_RANLIB
-	      fi
-	      test -z "$concat_cmds" || concat_cmds=$concat_cmds~
-	      eval concat_cmds=\"\${concat_cmds}$old_archive_cmds\"
-	      objlist=
+	    if test -n "$export_symbols_regex" && ${skipped_export-false}; then
+	      func_show_eval '$EGREP -e "$export_symbols_regex" "$export_symbols" > "${export_symbols}T"'
+	      func_show_eval '$MV "${export_symbols}T" "$export_symbols"'
 	    fi
-	  done
-	  RANLIB=$save_RANLIB
-	  oldobjs=$objlist
-	  if test "X$oldobjs" = "X" ; then
-	    eval cmds=\"\$concat_cmds\"
-	  else
-	    eval cmds=\"\$concat_cmds~\$old_archive_cmds\"
 	  fi
-	fi
-      fi
-      save_ifs="$IFS"; IFS='~'
-      for cmd in $cmds; do
-        eval cmd=\"$cmd\"
-	IFS="$save_ifs"
-	$show "$cmd"
-	$run eval "$cmd" || exit $?
-      done
-      IFS="$save_ifs"
-    done
 
-    if test -n "$generated"; then
-      $show "${rm}r$generated"
-      $run ${rm}r$generated
-    fi
+          if ${skipped_export-false}; then
+	    if test -n "$export_symbols" && test -n "$include_expsyms"; then
+	      tmp_export_symbols="$export_symbols"
+	      test -n "$orig_export_symbols" && tmp_export_symbols="$orig_export_symbols"
+	      $opt_dry_run || eval '$ECHO "X$include_expsyms" | $Xsed | $SP2NL >> "$tmp_export_symbols"'
+	    fi
 
-    # Now create the libtool archive.
-    case $output in
-    *.la)
-      old_library=
-      test "$build_old_libs" = yes && old_library="$libname.$libext"
-      $show "creating $output"
+	    if test -n "$orig_export_symbols"; then
+	      # The given exports_symbols file has to be filtered, so filter it.
+	      func_verbose "filter symbol list for \`$libname.la' to tag DATA exports"
+	      # FIXME: $output_objdir/$libname.filter potentially contains lots of
+	      # 's' commands which not all seds can handle. GNU sed should be fine
+	      # though. Also, the filter scales superlinearly with the number of
+	      # global variables. join(1) would be nice here, but unfortunately
+	      # isn't a blessed tool.
+	      $opt_dry_run || $SED -e '/[ ,]DATA/!d;s,\(.*\)\([ \,].*\),s|^\1$|\1\2|,' < $export_symbols > $output_objdir/$libname.filter
+	      delfiles="$delfiles $export_symbols $output_objdir/$libname.filter"
+	      export_symbols=$output_objdir/$libname.def
+	      $opt_dry_run || $SED -f $output_objdir/$libname.filter < $orig_export_symbols > $export_symbols
+	    fi
+	  fi
 
-      # Preserve any variables that may affect compiler behavior
-      for var in $variables_saved_for_relink; do
-	if eval test -z \"\${$var+set}\"; then
-	  relink_command="{ test -z \"\${$var+set}\" || unset $var || { $var=; export $var; }; }; $relink_command"
-	elif eval var_value=\$$var; test -z "$var_value"; then
-	  relink_command="$var=; export $var; $relink_command"
-	else
-	  var_value=`$echo "X$var_value" | $Xsed -e "$sed_quote_subst"`
-	  relink_command="$var=\"$var_value\"; export $var; $relink_command"
-	fi
-      done
-      # Quote the link command for shipping.
-      relink_command="(cd `pwd`; $SHELL $progpath $preserve_args --mode=relink $libtool_args @inst_prefix_dir@)"
-      relink_command=`$echo "X$relink_command" | $SP2NL | $Xsed -e "$sed_quote_subst" | $NL2SP`
-      if test "$hardcode_automatic" = yes ; then
-	relink_command=
-      fi
+	  libobjs=$output
+	  # Restore the value of output.
+	  output=$save_output
 
+	  if test -n "$convenience" && test -n "$whole_archive_flag_spec"; then
+	    eval libobjs=\"\$libobjs $whole_archive_flag_spec\"
+	    test "X$libobjs" = "X " && libobjs=
+	  fi
+	  # Expand the library linking commands again to reset the
+	  # value of $libobjs for piecewise linking.
 
-      # Only create the output if not a dry run.
-      if test -z "$run"; then
-	for installed in no yes; do
-	  if test "$installed" = yes; then
-	    if test -z "$install_libdir"; then
-	      break
+	  # Do each of the archive commands.
+	  if test "$module" = yes && test -n "$module_cmds" ; then
+	    if test -n "$export_symbols" && test -n "$module_expsym_cmds"; then
+	      cmds=$module_expsym_cmds
+	    else
+	      cmds=$module_cmds
 	    fi
-	    output="$output_objdir/$outputname"i
-	    # Replace all uninstalled libtool libraries with the installed ones
-	    newdependency_libs=
-	    for deplib in $dependency_libs; do
-	      case $deplib in
-	      *.la)
-		name=`$echo "X$deplib" | $Xsed -e 's%^.*/%%'`
-		eval libdir=`${SED} -n -e 's/^libdir=\(.*\)$/\1/p' $deplib`
-		if test -z "$libdir"; then
-		  $echo "$modename: \`$deplib' is not a valid libtool archive" 1>&2
-		  exit $EXIT_FAILURE
-		fi
-		newdependency_libs="$newdependency_libs $libdir/$name"
-		;;
-	      *) newdependency_libs="$newdependency_libs $deplib" ;;
-	      esac
-	    done
-	    dependency_libs="$newdependency_libs"
-	    newdlfiles=
-	    for lib in $dlfiles; do
-	      name=`$echo "X$lib" | $Xsed -e 's%^.*/%%'`
-	      eval libdir=`${SED} -n -e 's/^libdir=\(.*\)$/\1/p' $lib`
-	      if test -z "$libdir"; then
-		$echo "$modename: \`$lib' is not a valid libtool archive" 1>&2
-		exit $EXIT_FAILURE
-	      fi
-	      newdlfiles="$newdlfiles $libdir/$name"
-	    done
-	    dlfiles="$newdlfiles"
-	    newdlprefiles=
-	    for lib in $dlprefiles; do
-	      name=`$echo "X$lib" | $Xsed -e 's%^.*/%%'`
-	      eval libdir=`${SED} -n -e 's/^libdir=\(.*\)$/\1/p' $lib`
-	      if test -z "$libdir"; then
-		$echo "$modename: \`$lib' is not a valid libtool archive" 1>&2
-		exit $EXIT_FAILURE
-	      fi
-	      newdlprefiles="$newdlprefiles $libdir/$name"
-	    done
-	    dlprefiles="$newdlprefiles"
 	  else
-	    newdlfiles=
-	    for lib in $dlfiles; do
-	      case $lib in
-		[\\/]* | [A-Za-z]:[\\/]*) abs="$lib" ;;
-		*) abs=`pwd`"/$lib" ;;
-	      esac
-	      newdlfiles="$newdlfiles $abs"
-	    done
-	    dlfiles="$newdlfiles"
-	    newdlprefiles=
-	    for lib in $dlprefiles; do
-	      case $lib in
-		[\\/]* | [A-Za-z]:[\\/]*) abs="$lib" ;;
-		*) abs=`pwd`"/$lib" ;;
-	      esac
-	      newdlprefiles="$newdlprefiles $abs"
-	    done
-	    dlprefiles="$newdlprefiles"
+	    if test -n "$export_symbols" && test -n "$archive_expsym_cmds"; then
+	      cmds=$archive_expsym_cmds
+	    else
+	      cmds=$archive_cmds
+	    fi
 	  fi
-	  $rm $output
-	  # place dlname in correct position for cygwin
-	  tdlname=$dlname
-	  case $host,$output,$installed,$module,$dlname in
-	    *cygwin*,*lai,yes,no,*.dll | *mingw*,*lai,yes,no,*.dll) tdlname=../bin/$dlname ;;
-	  esac
-	  $echo > $output "\
-# $outputname - a libtool library file
-# Generated by $PROGRAM - GNU $PACKAGE $VERSION$TIMESTAMP
-#
-# Please DO NOT delete this file!
-# It is necessary for linking the library.
+	fi
 
-# The name that we can dlopen(3).
-dlname='$tdlname'
+	if test -n "$delfiles"; then
+	  # Append the command to remove temporary files to $cmds.
+	  eval cmds=\"\$cmds~\$RM $delfiles\"
+	fi
 
-# Names of this library.
-library_names='$library_names'
+	# Add any objects from preloaded convenience libraries
+	if test -n "$dlprefiles"; then
+	  gentop="$output_objdir/${outputname}x"
+	  generated="$generated $gentop"
 
-# The name of the static archive.
-old_library='$old_library'
+	  func_extract_archives $gentop $dlprefiles
+	  libobjs="$libobjs $func_extract_archives_result"
+	  test "X$libobjs" = "X " && libobjs=
+	fi
 
-# Libraries that this one depends upon.
-dependency_libs='$dependency_libs'
+	save_ifs="$IFS"; IFS='~'
+	for cmd in $cmds; do
+	  IFS="$save_ifs"
+	  eval cmd=\"$cmd\"
+	  $opt_silent || {
+	    func_quote_for_expand "$cmd"
+	    eval "func_echo $func_quote_for_expand_result"
+	  }
+	  $opt_dry_run || eval "$cmd" || {
+	    lt_exit=$?
 
-# Version information for $libname.
-current=$current
-age=$age
-revision=$revision
+	    # Restore the uninstalled library and exit
+	    if test "$mode" = relink; then
+	      ( cd "$output_objdir" && \
+	        $RM "${realname}T" && \
+		$MV "${realname}U" "$realname" )
+	    fi
 
-# Is this an already installed library?
-installed=$installed
+	    exit $lt_exit
+	  }
+	done
+	IFS="$save_ifs"
 
-# Should we warn about portability when linking against -modules?
-shouldnotlink=$module
+	# Restore the uninstalled library and exit
+	if test "$mode" = relink; then
+	  $opt_dry_run || eval '(cd $output_objdir && $RM ${realname}T && $MV $realname ${realname}T && $MV ${realname}U $realname)' || exit $?
 
-# Files to dlopen/dlpreopen
-dlopen='$dlfiles'
-dlpreopen='$dlprefiles'
+	  if test -n "$convenience"; then
+	    if test -z "$whole_archive_flag_spec"; then
+	      func_show_eval '${RM}r "$gentop"'
+	    fi
+	  fi
 
-# Directory that this library needs to be installed in:
-libdir='$install_libdir'"
-	  if test "$installed" = no && test "$need_relink" = yes; then
-	    $echo >> $output "\
-relink_command=\"$relink_command\""
+	  exit $EXIT_SUCCESS
+	fi
+
+	# Create links to the real library.
+	for linkname in $linknames; do
+	  if test "$realname" != "$linkname"; then
+	    func_show_eval '(cd "$output_objdir" && $RM "$linkname" && $LN_S "$realname" "$linkname")' 'exit $?'
 	  fi
 	done
-      fi
 
-      # Do a symbolic link so that the libtool archive can be found in
-      # LD_LIBRARY_PATH before the program is installed.
-      $show "(cd $output_objdir && $rm $outputname && $LN_S ../$outputname $outputname)"
-      $run eval '(cd $output_objdir && $rm $outputname && $LN_S ../$outputname $outputname)' || exit $?
+	# If -module or -export-dynamic was specified, set the dlname.
+	if test "$module" = yes || test "$export_dynamic" = yes; then
+	  # On all known operating systems, these are identical.
+	  dlname="$soname"
+	fi
+      fi
       ;;
-    esac
-    exit $EXIT_SUCCESS
-    ;;
 
-  # libtool install mode
-  install)
-    modename="$modename: install"
+    obj)
+      if test -n "$dlfiles$dlprefiles" || test "$dlself" != no; then
+	func_warning "\`-dlopen' is ignored for objects"
+      fi
 
-    # There may be an optional sh(1) argument at the beginning of
-    # install_prog (especially on Windows NT).
-    if test "$nonopt" = "$SHELL" || test "$nonopt" = /bin/sh ||
-       # Allow the use of GNU shtool's install command.
-       $echo "X$nonopt" | grep shtool > /dev/null; then
-      # Aesthetically quote it.
-      arg=`$echo "X$nonopt" | $Xsed -e "$sed_quote_subst"`
-      case $arg in
-      *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*|"")
-	arg="\"$arg\""
-	;;
+      case " $deplibs" in
+      *\ -l* | *\ -L*)
+	func_warning "\`-l' and \`-L' are ignored for objects" ;;
       esac
-      install_prog="$arg "
-      arg="$1"
-      shift
-    else
-      install_prog=
-      arg=$nonopt
-    fi
 
-    # The real first argument should be the name of the installation program.
-    # Aesthetically quote it.
-    arg=`$echo "X$arg" | $Xsed -e "$sed_quote_subst"`
-    case $arg in
-    *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*|"")
-      arg="\"$arg\""
-      ;;
-    esac
-    install_prog="$install_prog$arg"
+      test -n "$rpath" && \
+	func_warning "\`-rpath' is ignored for objects"
+
+      test -n "$xrpath" && \
+	func_warning "\`-R' is ignored for objects"
+
+      test -n "$vinfo" && \
+	func_warning "\`-version-info' is ignored for objects"
+
+      test -n "$release" && \
+	func_warning "\`-release' is ignored for objects"
 
-    # We need to accept at least all the BSD install flags.
-    dest=
-    files=
-    opts=
-    prev=
-    install_type=
-    isdir=no
-    stripme=
-    for arg
-    do
-      if test -n "$dest"; then
-	files="$files $dest"
-	dest=$arg
-	continue
-      fi
+      case $output in
+      *.lo)
+	test -n "$objs$old_deplibs" && \
+	  func_fatal_error "cannot build library object \`$output' from non-libtool objects"
 
-      case $arg in
-      -d) isdir=yes ;;
-      -f) 
-      	case " $install_prog " in
-	*[\\\ /]cp\ *) ;;
-	*) prev=$arg ;;
-	esac
-	;;
-      -g | -m | -o) prev=$arg ;;
-      -s)
-	stripme=" -s"
-	continue
-	;;
-      -*)
+	libobj=$output
+	func_lo2o "$libobj"
+	obj=$func_lo2o_result
 	;;
       *)
-	# If the previous option needed an argument, then skip it.
-	if test -n "$prev"; then
-	  prev=
-	else
-	  dest=$arg
-	  continue
-	fi
+	libobj=
+	obj="$output"
 	;;
       esac
 
-      # Aesthetically quote the argument.
-      arg=`$echo "X$arg" | $Xsed -e "$sed_quote_subst"`
-      case $arg in
-      *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*|"")
-	arg="\"$arg\""
-	;;
-      esac
-      install_prog="$install_prog $arg"
-    done
+      # Delete the old objects.
+      $opt_dry_run || $RM $obj $libobj
 
-    if test -z "$install_prog"; then
-      $echo "$modename: you must specify an install program" 1>&2
-      $echo "$help" 1>&2
-      exit $EXIT_FAILURE
-    fi
+      # Objects from convenience libraries.  This assumes
+      # single-version convenience libraries.  Whenever we create
+      # different ones for PIC/non-PIC, this we'll have to duplicate
+      # the extraction.
+      reload_conv_objs=
+      gentop=
+      # reload_cmds runs $LD directly, so let us get rid of
+      # -Wl from whole_archive_flag_spec and hope we can get by with
+      # turning comma into space..
+      wl=
 
-    if test -n "$prev"; then
-      $echo "$modename: the \`$prev' option requires an argument" 1>&2
-      $echo "$help" 1>&2
-      exit $EXIT_FAILURE
-    fi
+      if test -n "$convenience"; then
+	if test -n "$whole_archive_flag_spec"; then
+	  eval tmp_whole_archive_flags=\"$whole_archive_flag_spec\"
+	  reload_conv_objs=$reload_objs\ `$ECHO "X$tmp_whole_archive_flags" | $Xsed -e 's|,| |g'`
+	else
+	  gentop="$output_objdir/${obj}x"
+	  generated="$generated $gentop"
 
-    if test -z "$files"; then
-      if test -z "$dest"; then
-	$echo "$modename: no file or destination specified" 1>&2
-      else
-	$echo "$modename: you must specify a destination" 1>&2
+	  func_extract_archives $gentop $convenience
+	  reload_conv_objs="$reload_objs $func_extract_archives_result"
+	fi
       fi
-      $echo "$help" 1>&2
-      exit $EXIT_FAILURE
-    fi
 
-    # Strip any trailing slash from the destination.
-    dest=`$echo "X$dest" | $Xsed -e 's%/$%%'`
+      # Create the old-style object.
+      reload_objs="$objs$old_deplibs "`$ECHO "X$libobjs" | $SP2NL | $Xsed -e '/\.'${libext}$'/d' -e '/\.lib$/d' -e "$lo2o" | $NL2SP`" $reload_conv_objs" ### testsuite: skip nested quoting test
 
-    # Check to see that the destination is a directory.
-    test -d "$dest" && isdir=yes
-    if test "$isdir" = yes; then
-      destdir="$dest"
-      destname=
-    else
-      destdir=`$echo "X$dest" | $Xsed -e 's%/[^/]*$%%'`
-      test "X$destdir" = "X$dest" && destdir=.
-      destname=`$echo "X$dest" | $Xsed -e 's%^.*/%%'`
+      output="$obj"
+      func_execute_cmds "$reload_cmds" 'exit $?'
 
-      # Not a directory, so check to see that there is only one file specified.
-      set dummy $files
-      if test "$#" -gt 2; then
-	$echo "$modename: \`$dest' is not a directory" 1>&2
-	$echo "$help" 1>&2
-	exit $EXIT_FAILURE
+      # Exit if we aren't doing a library object file.
+      if test -z "$libobj"; then
+	if test -n "$gentop"; then
+	  func_show_eval '${RM}r "$gentop"'
+	fi
+
+	exit $EXIT_SUCCESS
       fi
-    fi
-    case $destdir in
-    [\\/]* | [A-Za-z]:[\\/]*) ;;
-    *)
-      for file in $files; do
-	case $file in
-	*.lo) ;;
-	*)
-	  $echo "$modename: \`$destdir' must be an absolute directory name" 1>&2
-	  $echo "$help" 1>&2
-	  exit $EXIT_FAILURE
-	  ;;
-	esac
-      done
+
+      if test "$build_libtool_libs" != yes; then
+	if test -n "$gentop"; then
+	  func_show_eval '${RM}r "$gentop"'
+	fi
+
+	# Create an invalid libtool object if no PIC, so that we don't
+	# accidentally link it into a program.
+	# $show "echo timestamp > $libobj"
+	# $opt_dry_run || eval "echo timestamp > $libobj" || exit $?
+	exit $EXIT_SUCCESS
+      fi
+
+      if test -n "$pic_flag" || test "$pic_mode" != default; then
+	# Only do commands if we really have different PIC objects.
+	reload_objs="$libobjs $reload_conv_objs"
+	output="$libobj"
+	func_execute_cmds "$reload_cmds" 'exit $?'
+      fi
+
+      if test -n "$gentop"; then
+	func_show_eval '${RM}r "$gentop"'
+      fi
+
+      exit $EXIT_SUCCESS
       ;;
-    esac
 
-    # This variable tells wrapper scripts just to set variables rather
-    # than running their programs.
-    libtool_install_magic="$magic"
+    prog)
+      case $host in
+	*cygwin*) func_stripname '' '.exe' "$output"
+	          output=$func_stripname_result.exe;;
+      esac
+      test -n "$vinfo" && \
+	func_warning "\`-version-info' is ignored for programs"
 
-    staticlibs=
-    future_libdirs=
-    current_libdirs=
-    for file in $files; do
+      test -n "$release" && \
+	func_warning "\`-release' is ignored for programs"
 
-      # Do each installation.
-      case $file in
-      *.$libext)
-	# Do the static libraries later.
-	staticlibs="$staticlibs $file"
+      test "$preload" = yes \
+        && test "$dlopen_support" = unknown \
+	&& test "$dlopen_self" = unknown \
+	&& test "$dlopen_self_static" = unknown && \
+	  func_warning "\`LT_INIT([dlopen])' not used. Assuming no dlopen support."
+
+      case $host in
+      *-*-rhapsody* | *-*-darwin1.[012])
+	# On Rhapsody replace the C library is the System framework
+	compile_deplibs=`$ECHO "X $compile_deplibs" | $Xsed -e 's/ -lc / System.ltframework /'`
+	finalize_deplibs=`$ECHO "X $finalize_deplibs" | $Xsed -e 's/ -lc / System.ltframework /'`
 	;;
+      esac
 
-      *.la)
-	# Check to see that this really is a libtool archive.
-	if (${SED} -e '2q' $file | grep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then :
-	else
-	  $echo "$modename: \`$file' is not a valid libtool archive" 1>&2
-	  $echo "$help" 1>&2
-	  exit $EXIT_FAILURE
+      case $host in
+      *-*-darwin*)
+	# Don't allow lazy linking, it breaks C++ global constructors
+	# But is supposedly fixed on 10.4 or later (yay!).
+	if test "$tagname" = CXX ; then
+	  case ${MACOSX_DEPLOYMENT_TARGET-10.0} in
+	    10.[0123])
+	      compile_command="$compile_command ${wl}-bind_at_load"
+	      finalize_command="$finalize_command ${wl}-bind_at_load"
+	    ;;
+	  esac
 	fi
+	# Time to change all our "foo.ltframework" stuff back to "-framework foo"
+	compile_deplibs=`$ECHO "X $compile_deplibs" | $Xsed -e 's% \([^ $]*\).ltframework% -framework \1%g'`
+	finalize_deplibs=`$ECHO "X $finalize_deplibs" | $Xsed -e 's% \([^ $]*\).ltframework% -framework \1%g'`
+	;;
+      esac
 
-	library_names=
-	old_library=
-	relink_command=
-	# If there is no directory component, then add one.
-	case $file in
-	*/* | *\\*) . $file ;;
-	*) . ./$file ;;
-	esac
 
-	# Add the libdir to current_libdirs if it is the destination.
-	if test "X$destdir" = "X$libdir"; then
-	  case "$current_libdirs " in
-	  *" $libdir "*) ;;
-	  *) current_libdirs="$current_libdirs $libdir" ;;
+      # move library search paths that coincide with paths to not yet
+      # installed libraries to the beginning of the library search list
+      new_libs=
+      for path in $notinst_path; do
+	case " $new_libs " in
+	*" -L$path/$objdir "*) ;;
+	*)
+	  case " $compile_deplibs " in
+	  *" -L$path/$objdir "*)
+	    new_libs="$new_libs -L$path/$objdir" ;;
 	  esac
-	else
-	  # Note the libdir as a future libdir.
-	  case "$future_libdirs " in
-	  *" $libdir "*) ;;
-	  *) future_libdirs="$future_libdirs $libdir" ;;
+	  ;;
+	esac
+      done
+      for deplib in $compile_deplibs; do
+	case $deplib in
+	-L*)
+	  case " $new_libs " in
+	  *" $deplib "*) ;;
+	  *) new_libs="$new_libs $deplib" ;;
 	  esac
-	fi
+	  ;;
+	*) new_libs="$new_libs $deplib" ;;
+	esac
+      done
+      compile_deplibs="$new_libs"
 
-	dir=`$echo "X$file" | $Xsed -e 's%/[^/]*$%%'`/
-	test "X$dir" = "X$file/" && dir=
-	dir="$dir$objdir"
 
-	if test -n "$relink_command"; then
-	  # Determine the prefix the user has applied to our future dir.
-	  inst_prefix_dir=`$echo "$destdir" | $SED "s%$libdir\$%%"`
+      compile_command="$compile_command $compile_deplibs"
+      finalize_command="$finalize_command $finalize_deplibs"
 
-	  # Don't allow the user to place us outside of our expected
-	  # location b/c this prevents finding dependent libraries that
-	  # are installed to the same prefix.
-	  # At present, this check doesn't affect windows .dll's that
-	  # are installed into $libdir/../bin (currently, that works fine)
-	  # but it's something to keep an eye on.
-	  if test "$inst_prefix_dir" = "$destdir"; then
-	    $echo "$modename: error: cannot install \`$file' to a directory not ending in $libdir" 1>&2
-	    exit $EXIT_FAILURE
-	  fi
+      if test -n "$rpath$xrpath"; then
+	# If the user specified any rpath flags, then add them.
+	for libdir in $rpath $xrpath; do
+	  # This is the magic to use -rpath.
+	  case "$finalize_rpath " in
+	  *" $libdir "*) ;;
+	  *) finalize_rpath="$finalize_rpath $libdir" ;;
+	  esac
+	done
+      fi
 
-	  if test -n "$inst_prefix_dir"; then
-	    # Stick the inst_prefix_dir data into the link command.
-	    relink_command=`$echo "$relink_command" | $SP2NL | $SED "s%@inst_prefix_dir@%-inst-prefix-dir $inst_prefix_dir%" | $NL2SP`
+      # Now hardcode the library paths
+      rpath=
+      hardcode_libdirs=
+      for libdir in $compile_rpath $finalize_rpath; do
+	if test -n "$hardcode_libdir_flag_spec"; then
+	  if test -n "$hardcode_libdir_separator"; then
+	    if test -z "$hardcode_libdirs"; then
+	      hardcode_libdirs="$libdir"
+	    else
+	      # Just accumulate the unique libdirs.
+	      case $hardcode_libdir_separator$hardcode_libdirs$hardcode_libdir_separator in
+	      *"$hardcode_libdir_separator$libdir$hardcode_libdir_separator"*)
+		;;
+	      *)
+		hardcode_libdirs="$hardcode_libdirs$hardcode_libdir_separator$libdir"
+		;;
+	      esac
+	    fi
 	  else
-	    relink_command=`$echo "$relink_command" | $SP2NL | $SED "s%@inst_prefix_dir@%%" | $NL2SP`
+	    eval flag=\"$hardcode_libdir_flag_spec\"
+	    rpath="$rpath $flag"
 	  fi
+	elif test -n "$runpath_var"; then
+	  case "$perm_rpath " in
+	  *" $libdir "*) ;;
+	  *) perm_rpath="$perm_rpath $libdir" ;;
+	  esac
+	fi
+	case $host in
+	*-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2*)
+	  testbindir=`${ECHO} "$libdir" | ${SED} -e 's*/lib$*/bin*'`
+	  case :$dllsearchpath: in
+	  *":$libdir:"*) ;;
+	  *) dllsearchpath="$dllsearchpath:$libdir";;
+	  esac
+	  case :$dllsearchpath: in
+	  *":$testbindir:"*) ;;
+	  *) dllsearchpath="$dllsearchpath:$testbindir";;
+	  esac
+	  ;;
+	esac
+      done
+      # Substitute the hardcoded libdirs into the rpath.
+      if test -n "$hardcode_libdir_separator" &&
+	 test -n "$hardcode_libdirs"; then
+	libdir="$hardcode_libdirs"
+	eval rpath=\" $hardcode_libdir_flag_spec\"
+      fi
+      compile_rpath="$rpath"
 
-	  $echo "$modename: warning: relinking \`$file'" 1>&2
-	  $show "$relink_command"
-	  if $run eval "$relink_command"; then :
+      rpath=
+      hardcode_libdirs=
+      for libdir in $finalize_rpath; do
+	if test -n "$hardcode_libdir_flag_spec"; then
+	  if test -n "$hardcode_libdir_separator"; then
+	    if test -z "$hardcode_libdirs"; then
+	      hardcode_libdirs="$libdir"
+	    else
+	      # Just accumulate the unique libdirs.
+	      case $hardcode_libdir_separator$hardcode_libdirs$hardcode_libdir_separator in
+	      *"$hardcode_libdir_separator$libdir$hardcode_libdir_separator"*)
+		;;
+	      *)
+		hardcode_libdirs="$hardcode_libdirs$hardcode_libdir_separator$libdir"
+		;;
+	      esac
+	    fi
 	  else
-	    $echo "$modename: error: relink \`$file' with the above command before installing it" 1>&2
-	    exit $EXIT_FAILURE
+	    eval flag=\"$hardcode_libdir_flag_spec\"
+	    rpath="$rpath $flag"
 	  fi
+	elif test -n "$runpath_var"; then
+	  case "$finalize_perm_rpath " in
+	  *" $libdir "*) ;;
+	  *) finalize_perm_rpath="$finalize_perm_rpath $libdir" ;;
+	  esac
 	fi
+      done
+      # Substitute the hardcoded libdirs into the rpath.
+      if test -n "$hardcode_libdir_separator" &&
+	 test -n "$hardcode_libdirs"; then
+	libdir="$hardcode_libdirs"
+	eval rpath=\" $hardcode_libdir_flag_spec\"
+      fi
+      finalize_rpath="$rpath"
 
-	# See the names of the shared library.
-	set dummy $library_names
-	if test -n "$2"; then
-	  realname="$2"
-	  shift
-	  shift
+      if test -n "$libobjs" && test "$build_old_libs" = yes; then
+	# Transform all the library objects into standard objects.
+	compile_command=`$ECHO "X$compile_command" | $SP2NL | $Xsed -e "$lo2o" | $NL2SP`
+	finalize_command=`$ECHO "X$finalize_command" | $SP2NL | $Xsed -e "$lo2o" | $NL2SP`
+      fi
 
-	  srcname="$realname"
-	  test -n "$relink_command" && srcname="$realname"T
+      func_generate_dlsyms "$outputname" "@PROGRAM@" "no"
 
-	  # Install the shared library and build the symlinks.
-	  $show "$install_prog $dir/$srcname $destdir/$realname"
-	  $run eval "$install_prog $dir/$srcname $destdir/$realname" || exit $?
-	  if test -n "$stripme" && test -n "$striplib"; then
-	    $show "$striplib $destdir/$realname"
-	    $run eval "$striplib $destdir/$realname" || exit $?
-	  fi
+      # template prelinking step
+      if test -n "$prelink_cmds"; then
+	func_execute_cmds "$prelink_cmds" 'exit $?'
+      fi
 
-	  if test "$#" -gt 0; then
-	    # Delete the old symlinks, and create new ones.
-	    # Try `ln -sf' first, because the `ln' binary might depend on
-	    # the symlink we replace!  Solaris /bin/ln does not understand -f,
-	    # so we also need to try rm && ln -s.
-	    for linkname
-	    do
-	      if test "$linkname" != "$realname"; then
-                $show "(cd $destdir && { $LN_S -f $realname $linkname || { $rm $linkname && $LN_S $realname $linkname; }; })"
-                $run eval "(cd $destdir && { $LN_S -f $realname $linkname || { $rm $linkname && $LN_S $realname $linkname; }; })"
-	      fi
-	    done
-	  fi
+      wrappers_required=yes
+      case $host in
+      *cygwin* | *mingw* )
+        if test "$build_libtool_libs" != yes; then
+          wrappers_required=no
+        fi
+        ;;
+      *)
+        if test "$need_relink" = no || test "$build_libtool_libs" != yes; then
+          wrappers_required=no
+        fi
+        ;;
+      esac
+      if test "$wrappers_required" = no; then
+	# Replace the output file specification.
+	compile_command=`$ECHO "X$compile_command" | $Xsed -e 's%@OUTPUT@%'"$output"'%g'`
+	link_command="$compile_command$compile_rpath"
 
-	  # Do each command in the postinstall commands.
-	  lib="$destdir/$realname"
-	  cmds=$postinstall_cmds
-	  save_ifs="$IFS"; IFS='~'
-	  for cmd in $cmds; do
-	    IFS="$save_ifs"
-	    eval cmd=\"$cmd\"
-	    $show "$cmd"
-	    $run eval "$cmd" || {
-	      lt_exit=$?
-
-	      # Restore the uninstalled library and exit
-	      if test "$mode" = relink; then
-		$run eval '(cd $output_objdir && $rm ${realname}T && $mv ${realname}U $realname)'
-	      fi
+	# We have no uninstalled library dependencies, so finalize right now.
+	exit_status=0
+	func_show_eval "$link_command" 'exit_status=$?'
 
-	      exit $lt_exit
-	    }
-	  done
-	  IFS="$save_ifs"
+	# Delete the generated files.
+	if test -f "$output_objdir/${outputname}S.${objext}"; then
+	  func_show_eval '$RM "$output_objdir/${outputname}S.${objext}"'
 	fi
 
-	# Install the pseudo-library for information purposes.
-	name=`$echo "X$file" | $Xsed -e 's%^.*/%%'`
-	instname="$dir/$name"i
-	$show "$install_prog $instname $destdir/$name"
-	$run eval "$install_prog $instname $destdir/$name" || exit $?
-
-	# Maybe install the static library, too.
-	test -n "$old_library" && staticlibs="$staticlibs $dir/$old_library"
-	;;
+	exit $exit_status
+      fi
 
-      *.lo)
-	# Install (i.e. copy) a libtool object.
+      if test -n "$compile_shlibpath$finalize_shlibpath"; then
+	compile_command="$shlibpath_var=\"$compile_shlibpath$finalize_shlibpath\$$shlibpath_var\" $compile_command"
+      fi
+      if test -n "$finalize_shlibpath"; then
+	finalize_command="$shlibpath_var=\"$finalize_shlibpath\$$shlibpath_var\" $finalize_command"
+      fi
 
-	# Figure out destination file name, if it wasn't already specified.
-	if test -n "$destname"; then
-	  destfile="$destdir/$destname"
-	else
-	  destfile=`$echo "X$file" | $Xsed -e 's%^.*/%%'`
-	  destfile="$destdir/$destfile"
+      compile_var=
+      finalize_var=
+      if test -n "$runpath_var"; then
+	if test -n "$perm_rpath"; then
+	  # We should set the runpath_var.
+	  rpath=
+	  for dir in $perm_rpath; do
+	    rpath="$rpath$dir:"
+	  done
+	  compile_var="$runpath_var=\"$rpath\$$runpath_var\" "
 	fi
-
-	# Deduce the name of the destination old-style object file.
-	case $destfile in
-	*.lo)
-	  staticdest=`$echo "X$destfile" | $Xsed -e "$lo2o"`
-	  ;;
-	*.$objext)
-	  staticdest="$destfile"
-	  destfile=
-	  ;;
-	*)
-	  $echo "$modename: cannot copy a libtool object to \`$destfile'" 1>&2
-	  $echo "$help" 1>&2
-	  exit $EXIT_FAILURE
-	  ;;
-	esac
-
-	# Install the libtool object if requested.
-	if test -n "$destfile"; then
-	  $show "$install_prog $file $destfile"
-	  $run eval "$install_prog $file $destfile" || exit $?
+	if test -n "$finalize_perm_rpath"; then
+	  # We should set the runpath_var.
+	  rpath=
+	  for dir in $finalize_perm_rpath; do
+	    rpath="$rpath$dir:"
+	  done
+	  finalize_var="$runpath_var=\"$rpath\$$runpath_var\" "
 	fi
+      fi
 
-	# Install the old object if enabled.
-	if test "$build_old_libs" = yes; then
-	  # Deduce the name of the old-style object file.
-	  staticobj=`$echo "X$file" | $Xsed -e "$lo2o"`
-
-	  $show "$install_prog $staticobj $staticdest"
-	  $run eval "$install_prog \$staticobj \$staticdest" || exit $?
-	fi
+      if test "$no_install" = yes; then
+	# We don't need to create a wrapper script.
+	link_command="$compile_var$compile_command$compile_rpath"
+	# Replace the output file specification.
+	link_command=`$ECHO "X$link_command" | $Xsed -e 's%@OUTPUT@%'"$output"'%g'`
+	# Delete the old output file.
+	$opt_dry_run || $RM $output
+	# Link the executable and exit
+	func_show_eval "$link_command" 'exit $?'
 	exit $EXIT_SUCCESS
-	;;
+      fi
 
-      *)
-	# Figure out destination file name, if it wasn't already specified.
-	if test -n "$destname"; then
-	  destfile="$destdir/$destname"
+      if test "$hardcode_action" = relink; then
+	# Fast installation is not supported
+	link_command="$compile_var$compile_command$compile_rpath"
+	relink_command="$finalize_var$finalize_command$finalize_rpath"
+
+	func_warning "this platform does not like uninstalled shared libraries"
+	func_warning "\`$output' will be relinked during installation"
+      else
+	if test "$fast_install" != no; then
+	  link_command="$finalize_var$compile_command$finalize_rpath"
+	  if test "$fast_install" = yes; then
+	    relink_command=`$ECHO "X$compile_var$compile_command$compile_rpath" | $Xsed -e 's%@OUTPUT@%\$progdir/\$file%g'`
+	  else
+	    # fast_install is set to needless
+	    relink_command=
+	  fi
 	else
-	  destfile=`$echo "X$file" | $Xsed -e 's%^.*/%%'`
-	  destfile="$destdir/$destfile"
+	  link_command="$compile_var$compile_command$compile_rpath"
+	  relink_command="$finalize_var$finalize_command$finalize_rpath"
 	fi
+      fi
 
-	# If the file is missing, and there is a .exe on the end, strip it
-	# because it is most likely a libtool script we actually want to
-	# install
-	stripped_ext=""
-	case $file in
-	  *.exe)
-	    if test ! -f "$file"; then
-	      file=`$echo $file|${SED} 's,.exe$,,'`
-	      stripped_ext=".exe"
-	    fi
-	    ;;
-	esac
-
-	# Do a test to see if this is really a libtool program.
-	case $host in
-	*cygwin*|*mingw*)
-	    wrapper=`$echo $file | ${SED} -e 's,.exe$,,'`
-	    ;;
-	*)
-	    wrapper=$file
-	    ;;
-	esac
-	if (${SED} -e '4q' $wrapper | grep "^# Generated by .*$PACKAGE")>/dev/null 2>&1; then
-	  notinst_deplibs=
-	  relink_command=
-
-	  # Note that it is not necessary on cygwin/mingw to append a dot to
-	  # foo even if both foo and FILE.exe exist: automatic-append-.exe
-	  # behavior happens only for exec(3), not for open(2)!  Also, sourcing
-	  # `FILE.' does not work on cygwin managed mounts.
-	  #
-	  # If there is no directory component, then add one.
-	  case $wrapper in
-	  */* | *\\*) . ${wrapper} ;;
-	  *) . ./${wrapper} ;;
-	  esac
+      # Replace the output file specification.
+      link_command=`$ECHO "X$link_command" | $Xsed -e 's%@OUTPUT@%'"$output_objdir/$outputname"'%g'`
 
-	  # Check the variables that should have been set.
-	  if test -z "$notinst_deplibs"; then
-	    $echo "$modename: invalid libtool wrapper script \`$wrapper'" 1>&2
-	    exit $EXIT_FAILURE
-	  fi
+      # Delete the old output files.
+      $opt_dry_run || $RM $output $output_objdir/$outputname $output_objdir/lt-$outputname
 
-	  finalize=yes
-	  for lib in $notinst_deplibs; do
-	    # Check to see that each library is installed.
-	    libdir=
-	    if test -f "$lib"; then
-	      # If there is no directory component, then add one.
-	      case $lib in
-	      */* | *\\*) . $lib ;;
-	      *) . ./$lib ;;
-	      esac
-	    fi
-	    libfile="$libdir/"`$echo "X$lib" | $Xsed -e 's%^.*/%%g'` ### testsuite: skip nested quoting test
-	    if test -n "$libdir" && test ! -f "$libfile"; then
-	      $echo "$modename: warning: \`$lib' has not been installed in \`$libdir'" 1>&2
-	      finalize=no
-	    fi
-	  done
+      func_show_eval "$link_command" 'exit $?'
 
-	  relink_command=
-	  # Note that it is not necessary on cygwin/mingw to append a dot to
-	  # foo even if both foo and FILE.exe exist: automatic-append-.exe
-	  # behavior happens only for exec(3), not for open(2)!  Also, sourcing
-	  # `FILE.' does not work on cygwin managed mounts.
-	  #
-	  # If there is no directory component, then add one.
-	  case $wrapper in
-	  */* | *\\*) . ${wrapper} ;;
-	  *) . ./${wrapper} ;;
-	  esac
+      # Now create the wrapper script.
+      func_verbose "creating $output"
 
-	  outputname=
-	  if test "$fast_install" = no && test -n "$relink_command"; then
-	    if test "$finalize" = yes && test -z "$run"; then
-	      tmpdir=`func_mktempdir`
-	      file=`$echo "X$file$stripped_ext" | $Xsed -e 's%^.*/%%'`
-	      outputname="$tmpdir/$file"
-	      # Replace the output file specification.
-	      relink_command=`$echo "X$relink_command" | $SP2NL | $Xsed -e 's%@OUTPUT@%'"$outputname"'%g' | $NL2SP`
-
-	      $show "$relink_command"
-	      if $run eval "$relink_command"; then :
-	      else
-		$echo "$modename: error: relink \`$file' with the above command before installing it" 1>&2
-		${rm}r "$tmpdir"
-		continue
-	      fi
-	      file="$outputname"
-	    else
-	      $echo "$modename: warning: cannot relink \`$file'" 1>&2
-	    fi
+      # Quote the relink command for shipping.
+      if test -n "$relink_command"; then
+	# Preserve any variables that may affect compiler behavior
+	for var in $variables_saved_for_relink; do
+	  if eval test -z \"\${$var+set}\"; then
+	    relink_command="{ test -z \"\${$var+set}\" || $lt_unset $var || { $var=; export $var; }; }; $relink_command"
+	  elif eval var_value=\$$var; test -z "$var_value"; then
+	    relink_command="$var=; export $var; $relink_command"
 	  else
-	    # Install the binary that we compiled earlier.
-	    file=`$echo "X$file$stripped_ext" | $Xsed -e "s%\([^/]*\)$%$objdir/\1%"`
+	    func_quote_for_eval "$var_value"
+	    relink_command="$var=$func_quote_for_eval_result; export $var; $relink_command"
 	  fi
-	fi
+	done
+	relink_command="(cd `pwd`; $relink_command)"
+	relink_command=`$ECHO "X$relink_command" | $Xsed -e "$sed_quote_subst"`
+      fi
 
-	# remove .exe since cygwin /usr/bin/install will append another
-	# one anyway 
-	case $install_prog,$host in
-	*/usr/bin/install*,*cygwin*)
-	  case $file:$destfile in
-	  *.exe:*.exe)
-	    # this is ok
-	    ;;
-	  *.exe:*)
-	    destfile=$destfile.exe
-	    ;;
-	  *:*.exe)
-	    destfile=`$echo $destfile | ${SED} -e 's,.exe$,,'`
-	    ;;
-	  esac
-	  ;;
+      # Quote $ECHO for shipping.
+      if test "X$ECHO" = "X$SHELL $progpath --fallback-echo"; then
+	case $progpath in
+	[\\/]* | [A-Za-z]:[\\/]*) qecho="$SHELL $progpath --fallback-echo";;
+	*) qecho="$SHELL `pwd`/$progpath --fallback-echo";;
+	esac
+	qecho=`$ECHO "X$qecho" | $Xsed -e "$sed_quote_subst"`
+      else
+	qecho=`$ECHO "X$ECHO" | $Xsed -e "$sed_quote_subst"`
+      fi
+
+      # Only actually do things if not in dry run mode.
+      $opt_dry_run || {
+	# win32 will think the script is a binary if it has
+	# a .exe suffix, so we strip it off here.
+	case $output in
+	  *.exe) func_stripname '' '.exe' "$output"
+	         output=$func_stripname_result ;;
+	esac
+	# test for cygwin because mv fails w/o .exe extensions
+	case $host in
+	  *cygwin*)
+	    exeext=.exe
+	    func_stripname '' '.exe' "$outputname"
+	    outputname=$func_stripname_result ;;
+	  *) exeext= ;;
 	esac
-	$show "$install_prog$stripme $file $destfile"
-	$run eval "$install_prog\$stripme \$file \$destfile" || exit $?
-	test -n "$outputname" && ${rm}r "$tmpdir"
-	;;
-      esac
-    done
+	case $host in
+	  *cygwin* | *mingw* )
+	    func_dirname_and_basename "$output" "" "."
+	    output_name=$func_basename_result
+	    output_path=$func_dirname_result
+	    cwrappersource="$output_path/$objdir/lt-$output_name.c"
+	    cwrapper="$output_path/$output_name.exe"
+	    $RM $cwrappersource $cwrapper
+	    trap "$RM $cwrappersource $cwrapper; exit $EXIT_FAILURE" 1 2 15
+
+	    func_emit_cwrapperexe_src > $cwrappersource
+
+	    # we should really use a build-platform specific compiler
+	    # here, but OTOH, the wrappers (shell script and this C one)
+	    # are only useful if you want to execute the "real" binary.
+	    # Since the "real" binary is built for $host, then this
+	    # wrapper might as well be built for $host, too.
+	    $opt_dry_run || {
+	      $LTCC $LTCFLAGS -o $cwrapper $cwrappersource
+	      $STRIP $cwrapper
+	    }
 
-    for file in $staticlibs; do
-      name=`$echo "X$file" | $Xsed -e 's%^.*/%%'`
+	    # Now, create the wrapper script for func_source use:
+	    func_ltwrapper_scriptname $cwrapper
+	    $RM $func_ltwrapper_scriptname_result
+	    trap "$RM $func_ltwrapper_scriptname_result; exit $EXIT_FAILURE" 1 2 15
+	    $opt_dry_run || {
+	      # note: this script will not be executed, so do not chmod.
+	      if test "x$build" = "x$host" ; then
+		$cwrapper --lt-dump-script > $func_ltwrapper_scriptname_result
+	      else
+		func_emit_wrapper no > $func_ltwrapper_scriptname_result
+	      fi
+	    }
+	  ;;
+	  * )
+	    $RM $output
+	    trap "$RM $output; exit $EXIT_FAILURE" 1 2 15
 
-      # Set up the ranlib parameters.
-      oldlib="$destdir/$name"
+	    func_emit_wrapper no > $output
+	    chmod +x $output
+	  ;;
+	esac
+      }
+      exit $EXIT_SUCCESS
+      ;;
+    esac
 
-      $show "$install_prog $file $oldlib"
-      $run eval "$install_prog \$file \$oldlib" || exit $?
+    # See if we need to build an old-fashioned archive.
+    for oldlib in $oldlibs; do
 
-      if test -n "$stripme" && test -n "$old_striplib"; then
-	$show "$old_striplib $oldlib"
-	$run eval "$old_striplib $oldlib" || exit $?
+      if test "$build_libtool_libs" = convenience; then
+	oldobjs="$libobjs_save $symfileobj"
+	addlibs="$convenience"
+	build_libtool_libs=no
+      else
+	if test "$build_libtool_libs" = module; then
+	  oldobjs="$libobjs_save"
+	  build_libtool_libs=no
+	else
+	  oldobjs="$old_deplibs $non_pic_objects"
+	  if test "$preload" = yes && test -f "$symfileobj"; then
+	    oldobjs="$oldobjs $symfileobj"
+	  fi
+	fi
+	addlibs="$old_convenience"
       fi
 
-      # Do each command in the postinstall commands.
-      cmds=$old_postinstall_cmds
-      save_ifs="$IFS"; IFS='~'
-      for cmd in $cmds; do
-	IFS="$save_ifs"
-	eval cmd=\"$cmd\"
-	$show "$cmd"
-	$run eval "$cmd" || exit $?
-      done
-      IFS="$save_ifs"
-    done
+      if test -n "$addlibs"; then
+	gentop="$output_objdir/${outputname}x"
+	generated="$generated $gentop"
 
-    if test -n "$future_libdirs"; then
-      $echo "$modename: warning: remember to run \`$progname --finish$future_libdirs'" 1>&2
-    fi
+	func_extract_archives $gentop $addlibs
+	oldobjs="$oldobjs $func_extract_archives_result"
+      fi
 
-    if test -n "$current_libdirs"; then
-      # Maybe just do a dry run.
-      test -n "$run" && current_libdirs=" -n$current_libdirs"
-      exec_cmd='$SHELL $progpath $preserve_args --finish$current_libdirs'
-    else
-      exit $EXIT_SUCCESS
-    fi
-    ;;
+      # Do each command in the archive commands.
+      if test -n "$old_archive_from_new_cmds" && test "$build_libtool_libs" = yes; then
+	cmds=$old_archive_from_new_cmds
+      else
 
-  # libtool finish mode
-  finish)
-    modename="$modename: finish"
-    libdirs="$nonopt"
-    admincmds=
+	# Add any objects from preloaded convenience libraries
+	if test -n "$dlprefiles"; then
+	  gentop="$output_objdir/${outputname}x"
+	  generated="$generated $gentop"
 
-    if test -n "$finish_cmds$finish_eval" && test -n "$libdirs"; then
-      for dir
-      do
-	libdirs="$libdirs $dir"
-      done
+	  func_extract_archives $gentop $dlprefiles
+	  oldobjs="$oldobjs $func_extract_archives_result"
+	fi
 
-      for libdir in $libdirs; do
-	if test -n "$finish_cmds"; then
-	  # Do each command in the finish commands.
-	  cmds=$finish_cmds
-	  save_ifs="$IFS"; IFS='~'
-	  for cmd in $cmds; do
-	    IFS="$save_ifs"
-	    eval cmd=\"$cmd\"
-	    $show "$cmd"
-	    $run eval "$cmd" || admincmds="$admincmds
-       $cmd"
+	# POSIX demands no paths to be encoded in archives.  We have
+	# to avoid creating archives with duplicate basenames if we
+	# might have to extract them afterwards, e.g., when creating a
+	# static archive out of a convenience library, or when linking
+	# the entirety of a libtool archive into another (currently
+	# not supported by libtool).
+	if (for obj in $oldobjs
+	    do
+	      func_basename "$obj"
+	      $ECHO "$func_basename_result"
+	    done | sort | sort -uc >/dev/null 2>&1); then
+	  :
+	else
+	  $ECHO "copying selected object files to avoid basename conflicts..."
+	  gentop="$output_objdir/${outputname}x"
+	  generated="$generated $gentop"
+	  func_mkdir_p "$gentop"
+	  save_oldobjs=$oldobjs
+	  oldobjs=
+	  counter=1
+	  for obj in $save_oldobjs
+	  do
+	    func_basename "$obj"
+	    objbase="$func_basename_result"
+	    case " $oldobjs " in
+	    " ") oldobjs=$obj ;;
+	    *[\ /]"$objbase "*)
+	      while :; do
+		# Make sure we don't pick an alternate name that also
+		# overlaps.
+		newobj=lt$counter-$objbase
+		func_arith $counter + 1
+		counter=$func_arith_result
+		case " $oldobjs " in
+		*[\ /]"$newobj "*) ;;
+		*) if test ! -f "$gentop/$newobj"; then break; fi ;;
+		esac
+	      done
+	      func_show_eval "ln $obj $gentop/$newobj || cp $obj $gentop/$newobj"
+	      oldobjs="$oldobjs $gentop/$newobj"
+	      ;;
+	    *) oldobjs="$oldobjs $obj" ;;
+	    esac
 	  done
-	  IFS="$save_ifs"
 	fi
-	if test -n "$finish_eval"; then
-	  # Do the single finish_eval.
-	  eval cmds=\"$finish_eval\"
-	  $run eval "$cmds" || admincmds="$admincmds
-       $cmds"
-	fi
-      done
-    fi
-
-    # Exit here if they wanted silent mode.
-    test "$show" = : && exit $EXIT_SUCCESS
+	eval cmds=\"$old_archive_cmds\"
 
-    $echo "X----------------------------------------------------------------------" | $Xsed
-    $echo "Libraries have been installed in:"
-    for libdir in $libdirs; do
-      $echo "   $libdir"
+	func_len " $cmds"
+	len=$func_len_result
+	if test "$len" -lt "$max_cmd_len" || test "$max_cmd_len" -le -1; then
+	  cmds=$old_archive_cmds
+	else
+	  # the command line is too long to link in one step, link in parts
+	  func_verbose "using piecewise archive linking..."
+	  save_RANLIB=$RANLIB
+	  RANLIB=:
+	  objlist=
+	  concat_cmds=
+	  save_oldobjs=$oldobjs
+	  oldobjs=
+	  # Is there a better way of finding the last object in the list?
+	  for obj in $save_oldobjs
+	  do
+	    last_oldobj=$obj
+	  done
+	  eval test_cmds=\"$old_archive_cmds\"
+	  func_len " $test_cmds"
+	  len0=$func_len_result
+	  len=$len0
+	  for obj in $save_oldobjs
+	  do
+	    func_len " $obj"
+	    func_arith $len + $func_len_result
+	    len=$func_arith_result
+	    func_append objlist " $obj"
+	    if test "$len" -lt "$max_cmd_len"; then
+	      :
+	    else
+	      # the above command should be used before it gets too long
+	      oldobjs=$objlist
+	      if test "$obj" = "$last_oldobj" ; then
+		RANLIB=$save_RANLIB
+	      fi
+	      test -z "$concat_cmds" || concat_cmds=$concat_cmds~
+	      eval concat_cmds=\"\${concat_cmds}$old_archive_cmds\"
+	      objlist=
+	      len=$len0
+	    fi
+	  done
+	  RANLIB=$save_RANLIB
+	  oldobjs=$objlist
+	  if test "X$oldobjs" = "X" ; then
+	    eval cmds=\"\$concat_cmds\"
+	  else
+	    eval cmds=\"\$concat_cmds~\$old_archive_cmds\"
+	  fi
+	fi
+      fi
+      func_execute_cmds "$cmds" 'exit $?'
     done
-    $echo
-    $echo "If you ever happen to want to link against installed libraries"
-    $echo "in a given directory, LIBDIR, you must either use libtool, and"
-    $echo "specify the full pathname of the library, or use the \`-LLIBDIR'"
-    $echo "flag during linking and do at least one of the following:"
-    if test -n "$shlibpath_var"; then
-      $echo "   - add LIBDIR to the \`$shlibpath_var' environment variable"
-      $echo "     during execution"
-    fi
-    if test -n "$runpath_var"; then
-      $echo "   - add LIBDIR to the \`$runpath_var' environment variable"
-      $echo "     during linking"
-    fi
-    if test -n "$hardcode_libdir_flag_spec"; then
-      libdir=LIBDIR
-      eval flag=\"$hardcode_libdir_flag_spec\"
-
-      $echo "   - use the \`$flag' linker flag"
-    fi
-    if test -n "$admincmds"; then
-      $echo "   - have your system administrator run these commands:$admincmds"
-    fi
-    if test -f /etc/ld.so.conf; then
-      $echo "   - have your system administrator add LIBDIR to \`/etc/ld.so.conf'"
-    fi
-    $echo
-    $echo "See any operating system documentation about shared libraries for"
-    $echo "more information, such as the ld(1) and ld.so(8) manual pages."
-    $echo "X----------------------------------------------------------------------" | $Xsed
-    exit $EXIT_SUCCESS
-    ;;
 
-  # libtool execute mode
-  execute)
-    modename="$modename: execute"
-
-    # The first argument is the command name.
-    cmd="$nonopt"
-    if test -z "$cmd"; then
-      $echo "$modename: you must specify a COMMAND" 1>&2
-      $echo "$help"
-      exit $EXIT_FAILURE
-    fi
+    test -n "$generated" && \
+      func_show_eval "${RM}r$generated"
 
-    # Handle -dlopen flags immediately.
-    for file in $execute_dlfiles; do
-      if test ! -f "$file"; then
-	$echo "$modename: \`$file' is not a file" 1>&2
-	$echo "$help" 1>&2
-	exit $EXIT_FAILURE
-      fi
+    # Now create the libtool archive.
+    case $output in
+    *.la)
+      old_library=
+      test "$build_old_libs" = yes && old_library="$libname.$libext"
+      func_verbose "creating $output"
 
-      dir=
-      case $file in
-      *.la)
-	# Check to see that this really is a libtool archive.
-	if (${SED} -e '2q' $file | grep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then :
+      # Preserve any variables that may affect compiler behavior
+      for var in $variables_saved_for_relink; do
+	if eval test -z \"\${$var+set}\"; then
+	  relink_command="{ test -z \"\${$var+set}\" || $lt_unset $var || { $var=; export $var; }; }; $relink_command"
+	elif eval var_value=\$$var; test -z "$var_value"; then
+	  relink_command="$var=; export $var; $relink_command"
 	else
-	  $echo "$modename: \`$lib' is not a valid libtool archive" 1>&2
-	  $echo "$help" 1>&2
-	  exit $EXIT_FAILURE
+	  func_quote_for_eval "$var_value"
+	  relink_command="$var=$func_quote_for_eval_result; export $var; $relink_command"
 	fi
+      done
+      # Quote the link command for shipping.
+      relink_command="(cd `pwd`; $SHELL $progpath $preserve_args --mode=relink $libtool_args @inst_prefix_dir@)"
+      relink_command=`$ECHO "X$relink_command" | $Xsed -e "$sed_quote_subst"`
+      if test "$hardcode_automatic" = yes ; then
+	relink_command=
+      fi
 
-	# Read the libtool library.
-	dlname=
-	library_names=
+      # Only create the output if not a dry run.
+      $opt_dry_run || {
+	for installed in no yes; do
+	  if test "$installed" = yes; then
+	    if test -z "$install_libdir"; then
+	      break
+	    fi
+	    output="$output_objdir/$outputname"i
+	    # Replace all uninstalled libtool libraries with the installed ones
+	    newdependency_libs=
+	    for deplib in $dependency_libs; do
+	      case $deplib in
+	      *.la)
+		func_basename "$deplib"
+		name="$func_basename_result"
+		eval libdir=`${SED} -n -e 's/^libdir=\(.*\)$/\1/p' $deplib`
+		test -z "$libdir" && \
+		  func_fatal_error "\`$deplib' is not a valid libtool archive"
+		newdependency_libs="$newdependency_libs $libdir/$name"
+		;;
+	      *) newdependency_libs="$newdependency_libs $deplib" ;;
+	      esac
+	    done
+	    dependency_libs="$newdependency_libs"
+	    newdlfiles=
+
+	    for lib in $dlfiles; do
+	      case $lib in
+	      *.la)
+	        func_basename "$lib"
+		name="$func_basename_result"
+		eval libdir=`${SED} -n -e 's/^libdir=\(.*\)$/\1/p' $lib`
+		test -z "$libdir" && \
+		  func_fatal_error "\`$lib' is not a valid libtool archive"
+		newdlfiles="$newdlfiles $libdir/$name"
+		;;
+	      *) newdlfiles="$newdlfiles $lib" ;;
+	      esac
+	    done
+	    dlfiles="$newdlfiles"
+	    newdlprefiles=
+	    for lib in $dlprefiles; do
+	      case $lib in
+	      *.la)
+		# Only pass preopened files to the pseudo-archive (for
+		# eventual linking with the app. that links it) if we
+		# didn't already link the preopened objects directly into
+		# the library:
+		func_basename "$lib"
+		name="$func_basename_result"
+		eval libdir=`${SED} -n -e 's/^libdir=\(.*\)$/\1/p' $lib`
+		test -z "$libdir" && \
+		  func_fatal_error "\`$lib' is not a valid libtool archive"
+		newdlprefiles="$newdlprefiles $libdir/$name"
+		;;
+	      esac
+	    done
+	    dlprefiles="$newdlprefiles"
+	  else
+	    newdlfiles=
+	    for lib in $dlfiles; do
+	      case $lib in
+		[\\/]* | [A-Za-z]:[\\/]*) abs="$lib" ;;
+		*) abs=`pwd`"/$lib" ;;
+	      esac
+	      newdlfiles="$newdlfiles $abs"
+	    done
+	    dlfiles="$newdlfiles"
+	    newdlprefiles=
+	    for lib in $dlprefiles; do
+	      case $lib in
+		[\\/]* | [A-Za-z]:[\\/]*) abs="$lib" ;;
+		*) abs=`pwd`"/$lib" ;;
+	      esac
+	      newdlprefiles="$newdlprefiles $abs"
+	    done
+	    dlprefiles="$newdlprefiles"
+	  fi
+	  $RM $output
+	  # place dlname in correct position for cygwin
+	  tdlname=$dlname
+	  case $host,$output,$installed,$module,$dlname in
+	    *cygwin*,*lai,yes,no,*.dll | *mingw*,*lai,yes,no,*.dll) tdlname=../bin/$dlname ;;
+	  esac
+	  $ECHO > $output "\
+# $outputname - a libtool library file
+# Generated by $PROGRAM (GNU $PACKAGE$TIMESTAMP) $VERSION
+#
+# Please DO NOT delete this file!
+# It is necessary for linking the library.
 
-	# If there is no directory component, then add one.
-	case $file in
-	*/* | *\\*) . $file ;;
-	*) . ./$file ;;
-	esac
+# The name that we can dlopen(3).
+dlname='$tdlname'
 
-	# Skip this library if it cannot be dlopened.
-	if test -z "$dlname"; then
-	  # Warn if it was a shared library.
-	  test -n "$library_names" && $echo "$modename: warning: \`$file' was not linked with \`-export-dynamic'"
-	  continue
-	fi
+# Names of this library.
+library_names='$library_names'
 
-	dir=`$echo "X$file" | $Xsed -e 's%/[^/]*$%%'`
-	test "X$dir" = "X$file" && dir=.
+# The name of the static archive.
+old_library='$old_library'
 
-	if test -f "$dir/$objdir/$dlname"; then
-	  dir="$dir/$objdir"
-	else
-	  if test ! -f "$dir/$dlname"; then
-	    $echo "$modename: cannot find \`$dlname' in \`$dir' or \`$dir/$objdir'" 1>&2
-	    exit $EXIT_FAILURE
-	  fi
-	fi
-	;;
+# Linker flags that can not go in dependency_libs.
+inherited_linker_flags='$new_inherited_linker_flags'
 
-      *.lo)
-	# Just add the directory containing the .lo file.
-	dir=`$echo "X$file" | $Xsed -e 's%/[^/]*$%%'`
-	test "X$dir" = "X$file" && dir=.
-	;;
+# Libraries that this one depends upon.
+dependency_libs='$dependency_libs'
 
-      *)
-	$echo "$modename: warning \`-dlopen' is ignored for non-libtool libraries and objects" 1>&2
-	continue
-	;;
-      esac
+# Names of additional weak libraries provided by this library
+weak_library_names='$weak_libs'
 
-      # Get the absolute pathname.
-      absdir=`cd "$dir" && pwd`
-      test -n "$absdir" && dir="$absdir"
+# Version information for $libname.
+current=$current
+age=$age
+revision=$revision
 
-      # Now add the directory to shlibpath_var.
-      if eval "test -z \"\$$shlibpath_var\""; then
-	eval "$shlibpath_var=\"\$dir\""
-      else
-	eval "$shlibpath_var=\"\$dir:\$$shlibpath_var\""
-      fi
-    done
+# Is this an already installed library?
+installed=$installed
 
-    # This variable tells wrapper scripts just to set shlibpath_var
-    # rather than running their programs.
-    libtool_execute_magic="$magic"
+# Should we warn about portability when linking against -modules?
+shouldnotlink=$module
 
-    # Check if any of the arguments is a wrapper script.
-    args=
-    for file
-    do
-      case $file in
-      -*) ;;
-      *)
-	# Do a test to see if this is really a libtool program.
-	if (${SED} -e '4q' $file | grep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then
-	  # If there is no directory component, then add one.
-	  case $file in
-	  */* | *\\*) . $file ;;
-	  *) . ./$file ;;
-	  esac
+# Files to dlopen/dlpreopen
+dlopen='$dlfiles'
+dlpreopen='$dlprefiles'
 
-	  # Transform arg to wrapped name.
-	  file="$progdir/$program"
-	fi
-	;;
-      esac
-      # Quote arguments (to preserve shell metacharacters).
-      file=`$echo "X$file" | $Xsed -e "$sed_quote_subst"`
-      args="$args \"$file\""
-    done
+# Directory that this library needs to be installed in:
+libdir='$install_libdir'"
+	  if test "$installed" = no && test "$need_relink" = yes; then
+	    $ECHO >> $output "\
+relink_command=\"$relink_command\""
+	  fi
+	done
+      }
 
-    if test -z "$run"; then
-      if test -n "$shlibpath_var"; then
-	# Export the shlibpath_var.
-	eval "export $shlibpath_var"
-      fi
+      # Do a symbolic link so that the libtool archive can be found in
+      # LD_LIBRARY_PATH before the program is installed.
+      func_show_eval '( cd "$output_objdir" && $RM "$outputname" && $LN_S "../$outputname" "$outputname" )' 'exit $?'
+      ;;
+    esac
+    exit $EXIT_SUCCESS
+}
 
-      # Restore saved environment variables
-      for lt_var in LANG LANGUAGE LC_ALL LC_CTYPE LC_COLLATE LC_MESSAGES
-      do
-	eval "if test \"\${save_$lt_var+set}\" = set; then
-		$lt_var=\$save_$lt_var; export $lt_var
-	      fi"
-      done
+{ test "$mode" = link || test "$mode" = relink; } &&
+    func_mode_link ${1+"$@"}
 
-      # Now prepare to actually exec the command.
-      exec_cmd="\$cmd$args"
-    else
-      # Display what would be done.
-      if test -n "$shlibpath_var"; then
-	eval "\$echo \"\$shlibpath_var=\$$shlibpath_var\""
-	$echo "export $shlibpath_var"
-      fi
-      $echo "$cmd$args"
-      exit $EXIT_SUCCESS
-    fi
-    ;;
 
-  # libtool clean and uninstall mode
-  clean | uninstall)
-    modename="$modename: $mode"
-    rm="$nonopt"
+# func_mode_uninstall arg...
+func_mode_uninstall ()
+{
+    $opt_debug
+    RM="$nonopt"
     files=
     rmforce=
     exit_status=0
@@ -6547,30 +7676,28 @@ relink_command=\"$relink_command\""
     for arg
     do
       case $arg in
-      -f) rm="$rm $arg"; rmforce=yes ;;
-      -*) rm="$rm $arg" ;;
+      -f) RM="$RM $arg"; rmforce=yes ;;
+      -*) RM="$RM $arg" ;;
       *) files="$files $arg" ;;
       esac
     done
 
-    if test -z "$rm"; then
-      $echo "$modename: you must specify an RM program" 1>&2
-      $echo "$help" 1>&2
-      exit $EXIT_FAILURE
-    fi
+    test -z "$RM" && \
+      func_fatal_help "you must specify an RM program"
 
     rmdirs=
 
     origobjdir="$objdir"
     for file in $files; do
-      dir=`$echo "X$file" | $Xsed -e 's%/[^/]*$%%'`
-      if test "X$dir" = "X$file"; then
-	dir=.
+      func_dirname "$file" "" "."
+      dir="$func_dirname_result"
+      if test "X$dir" = X.; then
 	objdir="$origobjdir"
       else
 	objdir="$dir/$origobjdir"
       fi
-      name=`$echo "X$file" | $Xsed -e 's%^.*/%%'`
+      func_basename "$file"
+      name="$func_basename_result"
       test "$mode" = uninstall && objdir="$dir"
 
       # Remember objdir for removal later, being careful to avoid duplicates
@@ -6582,9 +7709,9 @@ relink_command=\"$relink_command\""
       fi
 
       # Don't error if the file doesn't exist and rm -f was used.
-      if (test -L "$file") >/dev/null 2>&1 \
-	|| (test -h "$file") >/dev/null 2>&1 \
-	|| test -f "$file"; then
+      if { test -L "$file"; } >/dev/null 2>&1 ||
+	 { test -h "$file"; } >/dev/null 2>&1 ||
+	 test -f "$file"; then
 	:
       elif test -d "$file"; then
 	exit_status=1
@@ -6598,8 +7725,8 @@ relink_command=\"$relink_command\""
       case $name in
       *.la)
 	# Possibly a libtool archive, so verify it.
-	if (${SED} -e '2q' $file | grep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then
-	  . $dir/$name
+	if func_lalib_p "$file"; then
+	  func_source $dir/$name
 
 	  # Delete the libtool libraries and symlinks.
 	  for n in $library_names; do
@@ -6614,39 +7741,17 @@ relink_command=\"$relink_command\""
 	    *" $dlname "*) ;;
 	    *) rmfiles="$rmfiles $objdir/$dlname" ;;
 	    esac
-	     test -n "$libdir" && rmfiles="$rmfiles $objdir/$name $objdir/${name}i"
+	    test -n "$libdir" && rmfiles="$rmfiles $objdir/$name $objdir/${name}i"
 	    ;;
 	  uninstall)
 	    if test -n "$library_names"; then
 	      # Do each command in the postuninstall commands.
-	      cmds=$postuninstall_cmds
-	      save_ifs="$IFS"; IFS='~'
-	      for cmd in $cmds; do
-		IFS="$save_ifs"
-		eval cmd=\"$cmd\"
-		$show "$cmd"
-		$run eval "$cmd"
-		if test "$?" -ne 0 && test "$rmforce" != yes; then
-		  exit_status=1
-		fi
-	      done
-	      IFS="$save_ifs"
+	      func_execute_cmds "$postuninstall_cmds" 'test "$rmforce" = yes || exit_status=1'
 	    fi
 
 	    if test -n "$old_library"; then
 	      # Do each command in the old_postuninstall commands.
-	      cmds=$old_postuninstall_cmds
-	      save_ifs="$IFS"; IFS='~'
-	      for cmd in $cmds; do
-		IFS="$save_ifs"
-		eval cmd=\"$cmd\"
-		$show "$cmd"
-		$run eval "$cmd"
-		if test "$?" -ne 0 && test "$rmforce" != yes; then
-		  exit_status=1
-		fi
-	      done
-	      IFS="$save_ifs"
+	      func_execute_cmds "$old_postuninstall_cmds" 'test "$rmforce" = yes || exit_status=1'
 	    fi
 	    # FIXME: should reinstall the best remaining shared library.
 	    ;;
@@ -6656,20 +7761,20 @@ relink_command=\"$relink_command\""
 
       *.lo)
 	# Possibly a libtool object, so verify it.
-	if (${SED} -e '2q' $file | grep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then
+	if func_lalib_p "$file"; then
 
 	  # Read the .lo file
-	  . $dir/$name
+	  func_source $dir/$name
 
 	  # Add PIC object to the list of files to remove.
-	  if test -n "$pic_object" \
-	     && test "$pic_object" != none; then
+	  if test -n "$pic_object" &&
+	     test "$pic_object" != none; then
 	    rmfiles="$rmfiles $dir/$pic_object"
 	  fi
 
 	  # Add non-PIC object to the list of files to remove.
-	  if test -n "$non_pic_object" \
-	     && test "$non_pic_object" != none; then
+	  if test -n "$non_pic_object" &&
+	     test "$non_pic_object" != none; then
 	    rmfiles="$rmfiles $dir/$non_pic_object"
 	  fi
 	fi
@@ -6680,17 +7785,26 @@ relink_command=\"$relink_command\""
 	  noexename=$name
 	  case $file in
 	  *.exe)
-	    file=`$echo $file|${SED} 's,.exe$,,'`
-	    noexename=`$echo $name|${SED} 's,.exe$,,'`
+	    func_stripname '' '.exe' "$file"
+	    file=$func_stripname_result
+	    func_stripname '' '.exe' "$name"
+	    noexename=$func_stripname_result
 	    # $file with .exe has already been added to rmfiles,
 	    # add $file without .exe
 	    rmfiles="$rmfiles $file"
 	    ;;
 	  esac
 	  # Do a test to see if this is a libtool program.
-	  if (${SED} -e '4q' $file | grep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then
-	    relink_command=
-	    . $dir/$noexename
+	  if func_ltwrapper_p "$file"; then
+	    if func_ltwrapper_executable_p "$file"; then
+	      func_ltwrapper_scriptname "$file"
+	      relink_command=
+	      func_source $func_ltwrapper_scriptname_result
+	      rmfiles="$rmfiles $func_ltwrapper_scriptname_result"
+	    else
+	      relink_command=
+	      func_source $dir/$noexename
+	    fi
 
 	    # note $name still contains .exe if it was in $file originally
 	    # as does the version of $file that was added into $rmfiles
@@ -6705,239 +7819,38 @@ relink_command=\"$relink_command\""
 	fi
 	;;
       esac
-      $show "$rm $rmfiles"
-      $run $rm $rmfiles || exit_status=1
+      func_show_eval "$RM $rmfiles" 'exit_status=1'
     done
     objdir="$origobjdir"
 
     # Try to remove the ${objdir}s in the directories where we deleted files
     for dir in $rmdirs; do
       if test -d "$dir"; then
-	$show "rmdir $dir"
-	$run rmdir $dir >/dev/null 2>&1
+	func_show_eval "rmdir $dir >/dev/null 2>&1"
       fi
     done
 
     exit $exit_status
-    ;;
+}
 
-  "")
-    $echo "$modename: you must specify a MODE" 1>&2
-    $echo "$generic_help" 1>&2
-    exit $EXIT_FAILURE
-    ;;
-  esac
+{ test "$mode" = uninstall || test "$mode" = clean; } &&
+    func_mode_uninstall ${1+"$@"}
 
-  if test -z "$exec_cmd"; then
-    $echo "$modename: invalid operation mode \`$mode'" 1>&2
-    $echo "$generic_help" 1>&2
-    exit $EXIT_FAILURE
-  fi
-fi # test -z "$show_help"
+test -z "$mode" && {
+  help="$generic_help"
+  func_fatal_help "you must specify a MODE"
+}
+
+test -z "$exec_cmd" && \
+  func_fatal_help "invalid operation mode \`$mode'"
 
 if test -n "$exec_cmd"; then
-  eval exec $exec_cmd
+  eval exec "$exec_cmd"
   exit $EXIT_FAILURE
 fi
 
-# We need to display help for each of the modes.
-case $mode in
-"") $echo \
-"Usage: $modename [OPTION]... [MODE-ARG]...
-
-Provide generalized library-building support services.
-
-    --config          show all configuration variables
-    --debug           enable verbose shell tracing
--n, --dry-run         display commands without modifying any files
-    --features        display basic configuration information and exit
-    --finish          same as \`--mode=finish'
-    --help            display this help message and exit
-    --mode=MODE       use operation mode MODE [default=inferred from MODE-ARGS]
-    --quiet           same as \`--silent'
-    --silent          don't print informational messages
-    --tag=TAG         use configuration variables from tag TAG
-    --version         print version information
-
-MODE must be one of the following:
-
-      clean           remove files from the build directory
-      compile         compile a source file into a libtool object
-      execute         automatically set library path, then run a program
-      finish          complete the installation of libtool libraries
-      install         install libraries or executables
-      link            create a library or an executable
-      uninstall       remove libraries from an installed directory
-
-MODE-ARGS vary depending on the MODE.  Try \`$modename --help --mode=MODE' for
-a more detailed description of MODE.
-
-Report bugs to <bug-libtool@gnu.org>."
-  exit $EXIT_SUCCESS
-  ;;
-
-clean)
-  $echo \
-"Usage: $modename [OPTION]... --mode=clean RM [RM-OPTION]... FILE...
-
-Remove files from the build directory.
-
-RM is the name of the program to use to delete files associated with each FILE
-(typically \`/bin/rm').  RM-OPTIONS are options (such as \`-f') to be passed
-to RM.
-
-If FILE is a libtool library, object or program, all the files associated
-with it are deleted. Otherwise, only FILE itself is deleted using RM."
-  ;;
-
-compile)
-  $echo \
-"Usage: $modename [OPTION]... --mode=compile COMPILE-COMMAND... SOURCEFILE
-
-Compile a source file into a libtool library object.
-
-This mode accepts the following additional options:
-
-  -o OUTPUT-FILE    set the output file name to OUTPUT-FILE
-  -prefer-pic       try to building PIC objects only
-  -prefer-non-pic   try to building non-PIC objects only
-  -static           always build a \`.o' file suitable for static linking
-
-COMPILE-COMMAND is a command to be used in creating a \`standard' object file
-from the given SOURCEFILE.
-
-The output file name is determined by removing the directory component from
-SOURCEFILE, then substituting the C source code suffix \`.c' with the
-library object suffix, \`.lo'."
-  ;;
-
-execute)
-  $echo \
-"Usage: $modename [OPTION]... --mode=execute COMMAND [ARGS]...
-
-Automatically set library path, then run a program.
-
-This mode accepts the following additional options:
-
-  -dlopen FILE      add the directory containing FILE to the library path
-
-This mode sets the library path environment variable according to \`-dlopen'
-flags.
-
-If any of the ARGS are libtool executable wrappers, then they are translated
-into their corresponding uninstalled binary, and any of their required library
-directories are added to the library path.
-
-Then, COMMAND is executed, with ARGS as arguments."
-  ;;
-
-finish)
-  $echo \
-"Usage: $modename [OPTION]... --mode=finish [LIBDIR]...
-
-Complete the installation of libtool libraries.
-
-Each LIBDIR is a directory that contains libtool libraries.
-
-The commands that this mode executes may require superuser privileges.  Use
-the \`--dry-run' option if you just want to see what would be executed."
-  ;;
-
-install)
-  $echo \
-"Usage: $modename [OPTION]... --mode=install INSTALL-COMMAND...
-
-Install executables or libraries.
-
-INSTALL-COMMAND is the installation command.  The first component should be
-either the \`install' or \`cp' program.
-
-The rest of the components are interpreted as arguments to that command (only
-BSD-compatible install options are recognized)."
-  ;;
-
-link)
-  $echo \
-"Usage: $modename [OPTION]... --mode=link LINK-COMMAND...
-
-Link object files or libraries together to form another library, or to
-create an executable program.
+exit $exit_status
 
-LINK-COMMAND is a command using the C compiler that you would use to create
-a program from several object files.
-
-The following components of LINK-COMMAND are treated specially:
-
-  -all-static       do not do any dynamic linking at all
-  -avoid-version    do not add a version suffix if possible
-  -dlopen FILE      \`-dlpreopen' FILE if it cannot be dlopened at runtime
-  -dlpreopen FILE   link in FILE and add its symbols to lt_preloaded_symbols
-  -export-dynamic   allow symbols from OUTPUT-FILE to be resolved with dlsym(3)
-  -export-symbols SYMFILE
-                    try to export only the symbols listed in SYMFILE
-  -export-symbols-regex REGEX
-                    try to export only the symbols matching REGEX
-  -LLIBDIR          search LIBDIR for required installed libraries
-  -lNAME            OUTPUT-FILE requires the installed library libNAME
-  -module           build a library that can dlopened
-  -no-fast-install  disable the fast-install mode
-  -no-install       link a not-installable executable
-  -no-undefined     declare that a library does not refer to external symbols
-  -o OUTPUT-FILE    create OUTPUT-FILE from the specified objects
-  -objectlist FILE  Use a list of object files found in FILE to specify objects
-  -precious-files-regex REGEX
-                    don't remove output files matching REGEX
-  -release RELEASE  specify package release information
-  -rpath LIBDIR     the created library will eventually be installed in LIBDIR
-  -R[ ]LIBDIR       add LIBDIR to the runtime path of programs and libraries
-  -static           do not do any dynamic linking of uninstalled libtool libraries
-  -static-libtool-libs
-                    do not do any dynamic linking of libtool libraries
-  -version-info CURRENT[:REVISION[:AGE]]
-                    specify library version info [each variable defaults to 0]
-
-All other options (arguments beginning with \`-') are ignored.
-
-Every other argument is treated as a filename.  Files ending in \`.la' are
-treated as uninstalled libtool libraries, other files are standard or library
-object files.
-
-If the OUTPUT-FILE ends in \`.la', then a libtool library is created,
-only library objects (\`.lo' files) may be specified, and \`-rpath' is
-required, except when creating a convenience library.
-
-If OUTPUT-FILE ends in \`.a' or \`.lib', then a standard library is created
-using \`ar' and \`ranlib', or on Windows using \`lib'.
-
-If OUTPUT-FILE ends in \`.lo' or \`.${objext}', then a reloadable object file
-is created, otherwise an executable program is created."
-  ;;
-
-uninstall)
-  $echo \
-"Usage: $modename [OPTION]... --mode=uninstall RM [RM-OPTION]... FILE...
-
-Remove libraries from an installation directory.
-
-RM is the name of the program to use to delete files associated with each FILE
-(typically \`/bin/rm').  RM-OPTIONS are options (such as \`-f') to be passed
-to RM.
-
-If FILE is a libtool library, all the files associated with it are deleted.
-Otherwise, only FILE itself is deleted using RM."
-  ;;
-
-*)
-  $echo "$modename: invalid operation mode \`$mode'" 1>&2
-  $echo "$help" 1>&2
-  exit $EXIT_FAILURE
-  ;;
-esac
-
-$echo
-$echo "Try \`$modename --help' for more information about other modes."
-
-exit $?
 
 # The TAGs below are defined such that we never get into a situation
 # in which we disable both kinds of libraries.  Given conflicting
@@ -6951,14 +7864,17 @@ exit $?
 # configuration.  But we'll never go from static-only to shared-only.
 
 # ### BEGIN LIBTOOL TAG CONFIG: disable-shared
-disable_libs=shared
+build_libtool_libs=no
+build_old_libs=yes
 # ### END LIBTOOL TAG CONFIG: disable-shared
 
 # ### BEGIN LIBTOOL TAG CONFIG: disable-static
-disable_libs=static
+build_old_libs=`case $build_libtool_libs in yes) echo no;; *) echo yes;; esac`
 # ### END LIBTOOL TAG CONFIG: disable-static
 
 # Local Variables:
 # mode:shell-script
 # sh-indentation:2
 # End:
+# vi:sw=2
+
diff --git a/scripts/Makefile.in b/scripts/Makefile.in
index 36c547b21..8a237e48c 100644
--- a/scripts/Makefile.in
+++ b/scripts/Makefile.in
@@ -97,22 +97,17 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
-CXX = @CXX@
-CXXCPP = @CXXCPP@
-CXXDEPMODE = @CXXDEPMODE@
-CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DSYMUTIL = @DSYMUTIL@
-ECHO = @ECHO@
+DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-F77 = @F77@
-FFLAGS = @FFLAGS@
+FGREP = @FGREP@
 GPERF = @GPERF@
 GREP = @GREP@
 INSTALL = @INSTALL@
@@ -122,6 +117,7 @@ INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
 IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
 IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
@@ -130,12 +126,16 @@ LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
 LINUX_HEADERS = @LINUX_HEADERS@
+LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+NM = @NM@
 NMEDIT = @NMEDIT@
 OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -158,8 +158,7 @@ abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
-ac_ct_CXX = @ac_ct_CXX@
-ac_ct_F77 = @ac_ct_F77@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -198,6 +197,7 @@ libstrongswan_plugins = @libstrongswan_plugins@
 linuxdir = @linuxdir@
 localedir = @localedir@
 localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
diff --git a/scripts/thread_analysis.c b/scripts/thread_analysis.c
index b0e6c539b..53cd04359 100644
--- a/scripts/thread_analysis.c
+++ b/scripts/thread_analysis.c
@@ -102,7 +102,7 @@ int main(int argc, char *argv[])
 	fd = fopen(LOGFILE, "r");
 	if (!fd)
 	{
-		printf("could not open log file '%s'\n");
+		printf("could not open log file '%s'\n", LOGFILE);
 		return 1;
 	}
 
diff --git a/src/Makefile.in b/src/Makefile.in
index 98c4daa06..7dab32d21 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -79,22 +79,17 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
-CXX = @CXX@
-CXXCPP = @CXXCPP@
-CXXDEPMODE = @CXXDEPMODE@
-CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DSYMUTIL = @DSYMUTIL@
-ECHO = @ECHO@
+DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-F77 = @F77@
-FFLAGS = @FFLAGS@
+FGREP = @FGREP@
 GPERF = @GPERF@
 GREP = @GREP@
 INSTALL = @INSTALL@
@@ -104,6 +99,7 @@ INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
 IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
 IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
@@ -112,12 +108,16 @@ LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
 LINUX_HEADERS = @LINUX_HEADERS@
+LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+NM = @NM@
 NMEDIT = @NMEDIT@
 OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -140,8 +140,7 @@ abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
-ac_ct_CXX = @ac_ct_CXX@
-ac_ct_F77 = @ac_ct_F77@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -180,6 +179,7 @@ libstrongswan_plugins = @libstrongswan_plugins@
 linuxdir = @linuxdir@
 localedir = @localedir@
 localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
diff --git a/src/_copyright/Makefile.in b/src/_copyright/Makefile.in
index 031b0846d..c86e56bce 100644
--- a/src/_copyright/Makefile.in
+++ b/src/_copyright/Makefile.in
@@ -81,22 +81,17 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
-CXX = @CXX@
-CXXCPP = @CXXCPP@
-CXXDEPMODE = @CXXDEPMODE@
-CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DSYMUTIL = @DSYMUTIL@
-ECHO = @ECHO@
+DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-F77 = @F77@
-FFLAGS = @FFLAGS@
+FGREP = @FGREP@
 GPERF = @GPERF@
 GREP = @GREP@
 INSTALL = @INSTALL@
@@ -106,6 +101,7 @@ INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
 IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
 IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
@@ -114,12 +110,16 @@ LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
 LINUX_HEADERS = @LINUX_HEADERS@
+LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+NM = @NM@
 NMEDIT = @NMEDIT@
 OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -142,8 +142,7 @@ abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
-ac_ct_CXX = @ac_ct_CXX@
-ac_ct_F77 = @ac_ct_F77@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -182,6 +181,7 @@ libstrongswan_plugins = @libstrongswan_plugins@
 linuxdir = @linuxdir@
 localedir = @localedir@
 localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
diff --git a/src/_updown/Makefile.in b/src/_updown/Makefile.in
index 6de07b931..059c56383 100644
--- a/src/_updown/Makefile.in
+++ b/src/_updown/Makefile.in
@@ -62,22 +62,17 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
-CXX = @CXX@
-CXXCPP = @CXXCPP@
-CXXDEPMODE = @CXXDEPMODE@
-CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DSYMUTIL = @DSYMUTIL@
-ECHO = @ECHO@
+DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-F77 = @F77@
-FFLAGS = @FFLAGS@
+FGREP = @FGREP@
 GPERF = @GPERF@
 GREP = @GREP@
 INSTALL = @INSTALL@
@@ -87,6 +82,7 @@ INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
 IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
 IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
@@ -95,12 +91,16 @@ LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
 LINUX_HEADERS = @LINUX_HEADERS@
+LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+NM = @NM@
 NMEDIT = @NMEDIT@
 OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -123,8 +123,7 @@ abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
-ac_ct_CXX = @ac_ct_CXX@
-ac_ct_F77 = @ac_ct_F77@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -163,6 +162,7 @@ libstrongswan_plugins = @libstrongswan_plugins@
 linuxdir = @linuxdir@
 localedir = @localedir@
 localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
diff --git a/src/_updown_espmark/Makefile.in b/src/_updown_espmark/Makefile.in
index 99dddf247..7838e94ac 100644
--- a/src/_updown_espmark/Makefile.in
+++ b/src/_updown_espmark/Makefile.in
@@ -62,22 +62,17 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
-CXX = @CXX@
-CXXCPP = @CXXCPP@
-CXXDEPMODE = @CXXDEPMODE@
-CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DSYMUTIL = @DSYMUTIL@
-ECHO = @ECHO@
+DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-F77 = @F77@
-FFLAGS = @FFLAGS@
+FGREP = @FGREP@
 GPERF = @GPERF@
 GREP = @GREP@
 INSTALL = @INSTALL@
@@ -87,6 +82,7 @@ INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
 IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
 IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
@@ -95,12 +91,16 @@ LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
 LINUX_HEADERS = @LINUX_HEADERS@
+LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+NM = @NM@
 NMEDIT = @NMEDIT@
 OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -123,8 +123,7 @@ abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
-ac_ct_CXX = @ac_ct_CXX@
-ac_ct_F77 = @ac_ct_F77@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -163,6 +162,7 @@ libstrongswan_plugins = @libstrongswan_plugins@
 linuxdir = @linuxdir@
 localedir = @localedir@
 localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
diff --git a/src/charon/Makefile.am b/src/charon/Makefile.am
index e3d3e8e14..3393b4516 100644
--- a/src/charon/Makefile.am
+++ b/src/charon/Makefile.am
@@ -216,6 +216,11 @@ if USE_EAP_AKA
   PLUGINS += eapaka
 endif
 
+if USE_EAP_MSCHAPV2
+  SUBDIRS += plugins/eap_mschapv2
+  PLUGINS += eapmschapv2
+endif
+
 if USE_MEDSRV
   SUBDIRS += plugins/medsrv
   PLUGINS += medsrv
diff --git a/src/charon/Makefile.in b/src/charon/Makefile.in
index c8a817f45..33098d4a7 100644
--- a/src/charon/Makefile.in
+++ b/src/charon/Makefile.in
@@ -78,16 +78,18 @@ ipsec_PROGRAMS = charon$(EXEEXT)
 @USE_EAP_GTC_TRUE@am__append_32 = eapgtc
 @USE_EAP_AKA_TRUE@am__append_33 = plugins/eap_aka
 @USE_EAP_AKA_TRUE@am__append_34 = eapaka
-@USE_MEDSRV_TRUE@am__append_35 = plugins/medsrv
-@USE_MEDSRV_TRUE@am__append_36 = medsrv
-@USE_MEDCLI_TRUE@am__append_37 = plugins/medcli
-@USE_MEDCLI_TRUE@am__append_38 = medcli
-@USE_NM_TRUE@am__append_39 = plugins/nm
-@USE_NM_TRUE@am__append_40 = nm
-@USE_UCI_TRUE@am__append_41 = plugins/uci
-@USE_UCI_TRUE@am__append_42 = uci
-@USE_UNIT_TESTS_TRUE@am__append_43 = plugins/unit_tester
-@USE_UNIT_TESTS_TRUE@am__append_44 = unit-tester
+@USE_EAP_MSCHAPV2_TRUE@am__append_35 = plugins/eap_mschapv2
+@USE_EAP_MSCHAPV2_TRUE@am__append_36 = eapmschapv2
+@USE_MEDSRV_TRUE@am__append_37 = plugins/medsrv
+@USE_MEDSRV_TRUE@am__append_38 = medsrv
+@USE_MEDCLI_TRUE@am__append_39 = plugins/medcli
+@USE_MEDCLI_TRUE@am__append_40 = medcli
+@USE_NM_TRUE@am__append_41 = plugins/nm
+@USE_NM_TRUE@am__append_42 = nm
+@USE_UCI_TRUE@am__append_43 = plugins/uci
+@USE_UCI_TRUE@am__append_44 = uci
+@USE_UNIT_TESTS_TRUE@am__append_45 = plugins/unit_tester
+@USE_UNIT_TESTS_TRUE@am__append_46 = unit-tester
 subdir = src/charon
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
@@ -308,8 +310,9 @@ DIST_SUBDIRS = . plugins/load_tester plugins/kernel_pfkey \
 	plugins/kernel_klips plugins/kernel_netlink plugins/stroke \
 	plugins/smp plugins/sql plugins/updown plugins/eap_identity \
 	plugins/eap_sim plugins/eap_sim_file plugins/eap_md5 \
-	plugins/eap_gtc plugins/eap_aka plugins/medsrv plugins/medcli \
-	plugins/nm plugins/uci plugins/unit_tester
+	plugins/eap_gtc plugins/eap_aka plugins/eap_mschapv2 \
+	plugins/medsrv plugins/medcli plugins/nm plugins/uci \
+	plugins/unit_tester
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 AMTAR = @AMTAR@
@@ -323,22 +326,17 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
-CXX = @CXX@
-CXXCPP = @CXXCPP@
-CXXDEPMODE = @CXXDEPMODE@
-CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DSYMUTIL = @DSYMUTIL@
-ECHO = @ECHO@
+DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-F77 = @F77@
-FFLAGS = @FFLAGS@
+FGREP = @FGREP@
 GPERF = @GPERF@
 GREP = @GREP@
 INSTALL = @INSTALL@
@@ -348,6 +346,7 @@ INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
 IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
 IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
@@ -356,12 +355,16 @@ LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
 LINUX_HEADERS = @LINUX_HEADERS@
+LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+NM = @NM@
 NMEDIT = @NMEDIT@
 OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -384,8 +387,7 @@ abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
-ac_ct_CXX = @ac_ct_CXX@
-ac_ct_F77 = @ac_ct_F77@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -424,6 +426,7 @@ libstrongswan_plugins = @libstrongswan_plugins@
 linuxdir = @linuxdir@
 localedir = @localedir@
 localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
@@ -584,14 +587,14 @@ SUBDIRS = . $(am__append_7) $(am__append_9) $(am__append_11) \
 	$(am__append_25) $(am__append_27) $(am__append_29) \
 	$(am__append_31) $(am__append_33) $(am__append_35) \
 	$(am__append_37) $(am__append_39) $(am__append_41) \
-	$(am__append_43)
+	$(am__append_43) $(am__append_45)
 PLUGINS = ${libstrongswan_plugins} $(am__append_8) $(am__append_10) \
 	$(am__append_12) $(am__append_14) $(am__append_16) \
 	$(am__append_18) $(am__append_20) $(am__append_22) \
 	$(am__append_24) $(am__append_26) $(am__append_28) \
 	$(am__append_30) $(am__append_32) $(am__append_34) \
 	$(am__append_36) $(am__append_38) $(am__append_40) \
-	$(am__append_42) $(am__append_44)
+	$(am__append_42) $(am__append_44) $(am__append_46)
 all: all-recursive
 
 .SUFFIXES:
diff --git a/src/charon/config/attributes/attribute_manager.c b/src/charon/config/attributes/attribute_manager.c
index 0ec84c7be..b919c4261 100644
--- a/src/charon/config/attributes/attribute_manager.c
+++ b/src/charon/config/attributes/attribute_manager.c
@@ -38,9 +38,9 @@ struct private_attribute_manager_t {
 	linked_list_t *providers;
 	
 	/**
-	 * mutex to lock provider list
+	 * rwlock provider list
 	 */
-	mutex_t *mutex;
+	rwlock_t *lock;
 };
 
 /**
@@ -54,7 +54,7 @@ static host_t* acquire_address(private_attribute_manager_t *this,
 	attribute_provider_t *current;
 	host_t *host = NULL;
 
-	this->mutex->lock(this->mutex);
+	this->lock->read_lock(this->lock);
 	enumerator = this->providers->create_enumerator(this->providers);
 	while (enumerator->enumerate(enumerator, &current))
 	{
@@ -65,7 +65,7 @@ static host_t* acquire_address(private_attribute_manager_t *this,
 		}
 	}
 	enumerator->destroy(enumerator);
-	this->mutex->unlock(this->mutex);
+	this->lock->unlock(this->lock);
 	
 	return host;
 }
@@ -74,22 +74,22 @@ static host_t* acquire_address(private_attribute_manager_t *this,
  * Implementation of attribute_manager_t.release_address.
  */
 static void release_address(private_attribute_manager_t *this,
-							char *pool, host_t *address)
+							char *pool, host_t *address, identification_t *id)
 {
 	enumerator_t *enumerator;
 	attribute_provider_t *current;
 
-	this->mutex->lock(this->mutex);
+	this->lock->read_lock(this->lock);
 	enumerator = this->providers->create_enumerator(this->providers);
 	while (enumerator->enumerate(enumerator, &current))
 	{
-		if (current->release_address(current, pool, address))
+		if (current->release_address(current, pool, address, id))
 		{
 			break;
 		}
 	}
 	enumerator->destroy(enumerator);
-	this->mutex->unlock(this->mutex);
+	this->lock->unlock(this->lock);
 }
 
 /**
@@ -98,9 +98,9 @@ static void release_address(private_attribute_manager_t *this,
 static void add_provider(private_attribute_manager_t *this,
 						 attribute_provider_t *provider)
 {
-	this->mutex->lock(this->mutex);
+	this->lock->write_lock(this->lock);
 	this->providers->insert_last(this->providers, provider);
-	this->mutex->unlock(this->mutex);
+	this->lock->unlock(this->lock);
 }
 
 /**
@@ -109,9 +109,9 @@ static void add_provider(private_attribute_manager_t *this,
 static void remove_provider(private_attribute_manager_t *this,
 							attribute_provider_t *provider)
 {
-	this->mutex->lock(this->mutex);
+	this->lock->write_lock(this->lock);
 	this->providers->remove(this->providers, provider, NULL);
-	this->mutex->unlock(this->mutex);
+	this->lock->unlock(this->lock);
 }
 
 /**
@@ -120,7 +120,7 @@ static void remove_provider(private_attribute_manager_t *this,
 static void destroy(private_attribute_manager_t *this)
 {
 	this->providers->destroy(this->providers);
-	this->mutex->destroy(this->mutex);
+	this->lock->destroy(this->lock);
 	free(this);
 }
 
@@ -132,13 +132,13 @@ attribute_manager_t *attribute_manager_create()
 	private_attribute_manager_t *this = malloc_thing(private_attribute_manager_t);
 	
 	this->public.acquire_address = (host_t*(*)(attribute_manager_t*, char*, identification_t*,auth_info_t*,host_t*))acquire_address;
-	this->public.release_address = (void(*)(attribute_manager_t*, char *, host_t*))release_address;
+	this->public.release_address = (void(*)(attribute_manager_t*, char *, host_t*, identification_t*))release_address;
 	this->public.add_provider = (void(*)(attribute_manager_t*, attribute_provider_t *provider))add_provider;
 	this->public.remove_provider = (void(*)(attribute_manager_t*, attribute_provider_t *provider))remove_provider;
 	this->public.destroy = (void(*)(attribute_manager_t*))destroy;
 	
 	this->providers = linked_list_create();
-	this->mutex = mutex_create(MUTEX_DEFAULT);
+	this->lock = rwlock_create(RWLOCK_DEFAULT);
 	
 	return &this->public;
 }
diff --git a/src/charon/config/attributes/attribute_manager.h b/src/charon/config/attributes/attribute_manager.h
index 540e054fd..d2b69e02d 100644
--- a/src/charon/config/attributes/attribute_manager.h
+++ b/src/charon/config/attributes/attribute_manager.h
@@ -50,9 +50,10 @@ struct attribute_manager_t {
 	 *
 	 * @param pool			pool name from which the address was acquired
 	 * @param address		address to release
+	 * @param id			peer identity to get address for
 	 */
 	void (*release_address)(attribute_manager_t *this,
-							char *pool, host_t *address);
+							char *pool, host_t *address, identification_t *id);
 	
 	/**
 	 * Register an attribute provider to the manager.
diff --git a/src/charon/config/attributes/attribute_provider.h b/src/charon/config/attributes/attribute_provider.h
index 1712bd188..9810c0354 100644
--- a/src/charon/config/attributes/attribute_provider.h
+++ b/src/charon/config/attributes/attribute_provider.h
@@ -51,10 +51,11 @@ struct attribute_provider_t {
 	 *
 	 * @param pool			name of the pool this address was acquired from
 	 * @param address		address to release
+	 * @param id			peer ID
 	 * @return				TRUE if the address has been released by the provider
 	 */
 	bool (*release_address)(attribute_provider_t *this,
-							char *pool, host_t *address);
+							char *pool, host_t *address, identification_t *id);
 };
 
 #endif /* ATTRIBUTE_PROVIDER_H_ @}*/
diff --git a/src/charon/config/backend_manager.c b/src/charon/config/backend_manager.c
index 3f92ee96a..a9fe974af 100644
--- a/src/charon/config/backend_manager.c
+++ b/src/charon/config/backend_manager.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: backend_manager.c 4610 2008-11-11 06:19:37Z andreas $
+ * $Id: backend_manager.c 4758 2008-12-04 23:16:10Z andreas $
  */
 
 #include "backend_manager.h"
@@ -43,9 +43,9 @@ struct private_backend_manager_t {
 	linked_list_t *backends;
 	
 	/**
-	 * locking mutex
+	 * rwlock for backends
 	 */
-	mutex_t *mutex;
+	rwlock_t *lock;
 };
 
 /**
@@ -76,24 +76,6 @@ typedef struct {
 	identification_t *other;
 } peer_data_t;
 
-/**
- * destroy IKE enumerator data and unlock list
- */
-static void ike_enum_destroy(ike_data_t *data)
-{
-	data->this->mutex->unlock(data->this->mutex);
-	free(data);
-}
-
-/**
- * destroy PEER enumerator data and unlock list
- */
-static void peer_enum_destroy(peer_data_t *data)
-{
-	data->this->mutex->unlock(data->this->mutex);
-	free(data);
-}
-
 /**
  * inner enumerator constructor for IKE cfgs
  */
@@ -177,14 +159,14 @@ static ike_cfg_t *get_ike_cfg(private_backend_manager_t *this,
 	
 	DBG2(DBG_CFG, "looking for an ike config for %H...%H", me, other);
 	
-	this->mutex->lock(this->mutex);
+	this->lock->read_lock(this->lock);
 	enumerator = enumerator_create_nested(
 						this->backends->create_enumerator(this->backends),
-						(void*)ike_enum_create, data, (void*)ike_enum_destroy);
+						(void*)ike_enum_create, data, (void*)free);
 	while (enumerator->enumerate(enumerator, (void**)&current))
 	{
 		match = get_match(current, me, other);
-
+		
 		if (match)
 		{
 			DBG2(DBG_CFG, "  candidate: %s...%s, prio %d", 
@@ -200,7 +182,7 @@ static ike_cfg_t *get_ike_cfg(private_backend_manager_t *this,
 		}
 	}
 	enumerator->destroy(enumerator);
-	this->mutex->unlock(this->mutex);
+	this->lock->unlock(this->lock);
 	if (found)
 	{
 		DBG2(DBG_CFG, "found matching ike config: %s...%s with prio %d", 
@@ -212,11 +194,11 @@ static ike_cfg_t *get_ike_cfg(private_backend_manager_t *this,
 
 static enumerator_t *create_peer_cfg_enumerator(private_backend_manager_t *this)
 {
-	this->mutex->lock(this->mutex);
+	this->lock->read_lock(this->lock);
 	return enumerator_create_nested(
 							this->backends->create_enumerator(this->backends),
-							(void*)peer_enum_create_all, this->mutex,
-							(void*)this->mutex->unlock);
+							(void*)peer_enum_create_all, this->lock,
+							(void*)this->lock->unlock);
 }
 
 /**
@@ -240,16 +222,16 @@ static peer_cfg_t *get_peer_cfg(private_backend_manager_t *this, host_t *me,
 	data->me = my_id;
 	data->other = other_id;
 	
-	this->mutex->lock(this->mutex);
+	this->lock->read_lock(this->lock);
 	enumerator = enumerator_create_nested(
 						this->backends->create_enumerator(this->backends),
-						(void*)peer_enum_create, data, (void*)peer_enum_destroy);
+						(void*)peer_enum_create, data, (void*)free);
 	while (enumerator->enumerate(enumerator, &current))
 	{
 		identification_t *my_cand, *other_cand;
 		id_match_t m1, m2, match_peer;
 		ike_cfg_match_t match_ike;
-
+		
 		my_cand = current->get_my_id(current);
 		other_cand = current->get_other_id(current);
 		
@@ -270,7 +252,8 @@ static peer_cfg_t *get_peer_cfg(private_backend_manager_t *this, host_t *me,
 			DBG2(DBG_CFG, "  candidate \"%s\": %D...%D with prio %d.%d",
 			 	 current->get_name(current), my_cand, other_cand,
 			 	 match_peer, match_ike);
-			if (match_peer >= best_peer && match_ike > best_ike)
+			if ((match_peer > best_peer && match_ike >= best_ike) ||
+				(match_peer >= best_peer && match_ike > best_ike))
 			{
 				DESTROY_IF(found);
 				found = current;
@@ -287,7 +270,7 @@ static peer_cfg_t *get_peer_cfg(private_backend_manager_t *this, host_t *me,
 			 found->get_other_id(found), best_peer, best_ike);
 	}
 	enumerator->destroy(enumerator);
-	this->mutex->unlock(this->mutex);
+	this->lock->unlock(this->lock);
 	return found;
 }
 
@@ -300,14 +283,14 @@ static peer_cfg_t *get_peer_cfg_by_name(private_backend_manager_t *this, char *n
 	peer_cfg_t *config = NULL;
 	enumerator_t *enumerator;
 	
-	this->mutex->lock(this->mutex);
+	this->lock->read_lock(this->lock);
 	enumerator = this->backends->create_enumerator(this->backends);
 	while (config == NULL && enumerator->enumerate(enumerator, (void**)&backend))
 	{
 		config = backend->get_peer_cfg_by_name(backend, name);
 	}
 	enumerator->destroy(enumerator);
-	this->mutex->unlock(this->mutex);
+	this->lock->unlock(this->lock);
 	return config;
 }
 
@@ -316,9 +299,9 @@ static peer_cfg_t *get_peer_cfg_by_name(private_backend_manager_t *this, char *n
  */
 static void remove_backend(private_backend_manager_t *this, backend_t *backend)
 {
-	this->mutex->lock(this->mutex);
+	this->lock->write_lock(this->lock);
 	this->backends->remove(this->backends, backend, NULL);
-	this->mutex->unlock(this->mutex);
+	this->lock->unlock(this->lock);
 }
 
 /**
@@ -326,9 +309,9 @@ static void remove_backend(private_backend_manager_t *this, backend_t *backend)
  */
 static void add_backend(private_backend_manager_t *this, backend_t *backend)
 {
-	this->mutex->lock(this->mutex);
+	this->lock->write_lock(this->lock);
 	this->backends->insert_last(this->backends, backend);
-	this->mutex->unlock(this->mutex);
+	this->lock->unlock(this->lock);
 }
 
 /**
@@ -337,7 +320,7 @@ static void add_backend(private_backend_manager_t *this, backend_t *backend)
 static void destroy(private_backend_manager_t *this)
 {
 	this->backends->destroy(this->backends);
-	this->mutex->destroy(this->mutex);
+	this->lock->destroy(this->lock);
 	free(this);
 }
 
@@ -357,7 +340,7 @@ backend_manager_t *backend_manager_create()
 	this->public.destroy = (void (*)(backend_manager_t*))destroy;
 	
 	this->backends = linked_list_create();
-	this->mutex = mutex_create(MUTEX_RECURSIVE);
+	this->lock = rwlock_create(RWLOCK_DEFAULT);
 	
 	return &this->public;
 }
diff --git a/src/charon/config/child_cfg.c b/src/charon/config/child_cfg.c
index ab083b212..737a38e89 100644
--- a/src/charon/config/child_cfg.c
+++ b/src/charon/config/child_cfg.c
@@ -14,7 +14,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: child_cfg.c 4611 2008-11-11 06:29:25Z andreas $
+ * $Id: child_cfg.c 4862 2009-02-11 16:41:37Z andreas $
  */
 
 #include "child_cfg.h"
@@ -301,7 +301,7 @@ static linked_list_t* get_traffic_selectors(private_child_cfg_t *this, bool loca
 				else
 				{
 					DBG2(DBG_CFG, " config: %R, received: %R => no match",
-						 ts1, ts2, selected);
+						 ts1, ts2);
 				}
 			}
 			e2->destroy(e2);
diff --git a/src/charon/config/proposal.c b/src/charon/config/proposal.c
index 202dc913a..8fcbdc960 100644
--- a/src/charon/config/proposal.c
+++ b/src/charon/config/proposal.c
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: proposal.c 4635 2008-11-12 08:27:48Z martin $
+ * $Id: proposal.c 4685 2008-11-22 16:14:55Z martin $
  */
 
 #include <string.h>
@@ -739,6 +739,10 @@ static status_t add_string_algo(private_proposal_t *this, chunk_t alg)
 			add_algorithm(this, PSEUDO_RANDOM_FUNCTION, PRF_AES128_XCBC, 0);
 		}
 	}
+	else if (strncmp(alg.ptr, "modpnull", alg.len) == 0)
+	{
+		add_algorithm(this, DIFFIE_HELLMAN_GROUP, MODP_NULL, 0);
+	}
 	else if (strncmp(alg.ptr, "modp768", alg.len) == 0)
 	{
 		add_algorithm(this, DIFFIE_HELLMAN_GROUP, MODP_768_BIT, 0);
@@ -1030,6 +1034,9 @@ static void proposal_add_supported_ike(private_proposal_t *this)
 	{
 		switch (group)
 		{
+			case MODP_NULL:
+				/* only for testing purposes */
+				break;
 			case MODP_768_BIT:
 				/* weak */
 				break;
diff --git a/src/charon/config/traffic_selector.c b/src/charon/config/traffic_selector.c
index d4235c32a..7442fc7ef 100644
--- a/src/charon/config/traffic_selector.c
+++ b/src/charon/config/traffic_selector.c
@@ -14,7 +14,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: traffic_selector.c 4639 2008-11-12 15:09:24Z martin $
+ * $Id: traffic_selector.c 4860 2009-02-11 13:09:52Z martin $
  */
 
 #include <arpa/inet.h>
@@ -196,8 +196,7 @@ static int print(FILE *stream, const struct printf_info *info,
 		memeq(this->from, from, this->type == TS_IPV4_ADDR_RANGE ? 4 : 16) && 
 		memeq(this->to, to, this->type == TS_IPV4_ADDR_RANGE ? 4 : 16))
 	{
-		written += fprintf(stream, "dynamic/%d",
-						   this->type == TS_IPV4_ADDR_RANGE ? 32 : 128);
+		written += fprintf(stream, "dynamic");
 	}
 	else
 	{
@@ -521,9 +520,17 @@ static void set_address(private_traffic_selector_t *this, host_t *host)
 		this->type = host->get_family(host) == AF_INET ?
 				TS_IPV4_ADDR_RANGE : TS_IPV6_ADDR_RANGE;
 		
-		chunk_t from = host->get_address(host);
-		memcpy(this->from, from.ptr, from.len);
-		memcpy(this->to, from.ptr, from.len);
+		if (host->is_anyaddr(host))
+		{
+			memset(this->from6, 0x00, sizeof(this->from6));
+			memset(this->to6, 0xFF, sizeof(this->to6));
+		}
+		else
+		{
+			chunk_t from = host->get_address(host);
+			memcpy(this->from, from.ptr, from.len);
+			memcpy(this->to, from.ptr, from.len);
+		}
 	}
 }
 
diff --git a/src/charon/config/traffic_selector.h b/src/charon/config/traffic_selector.h
index d97ffdea0..69c04c605 100644
--- a/src/charon/config/traffic_selector.h
+++ b/src/charon/config/traffic_selector.h
@@ -14,7 +14,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: traffic_selector.h 4643 2008-11-12 22:57:46Z andreas $
+ * $Id: traffic_selector.h 4860 2009-02-11 13:09:52Z martin $
  */
 
 /**
diff --git a/src/charon/control/controller.c b/src/charon/control/controller.c
index ed52cb0d6..989167a53 100644
--- a/src/charon/control/controller.c
+++ b/src/charon/control/controller.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: controller.c 4434 2008-10-14 08:52:13Z martin $
+ * $Id: controller.c 4704 2008-11-26 14:32:55Z martin $
  */
 
 #include "controller.h"
@@ -235,12 +235,13 @@ static status_t initiate_execute(interface_job_t *job)
 	}
 	peer_cfg->destroy(peer_cfg);
 	
-	if (ike_sa->initiate(ike_sa, listener->child_cfg) != SUCCESS)
+	if (ike_sa->initiate(ike_sa, listener->child_cfg) == SUCCESS)
 	{
-		return charon->ike_sa_manager->checkin_and_destroy(
-												charon->ike_sa_manager, ike_sa);
+		charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+		return SUCCESS;
 	}
-	return charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+	charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, ike_sa);
+	return FAILED;
 }
 
 /**
@@ -285,12 +286,15 @@ static status_t terminate_ike_execute(interface_job_t *job)
 	ike_sa_t *ike_sa = listener->ike_sa;
 	
 	charon->bus->set_sa(charon->bus, ike_sa);
-	if (ike_sa->delete(ike_sa) == DESTROY_ME)
+	
+	if (ike_sa->delete(ike_sa) != DESTROY_ME)
 	{
-		return charon->ike_sa_manager->checkin_and_destroy(
-												charon->ike_sa_manager, ike_sa);
+		charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+		/* delete failed */
+		return FAILED;
 	}
-	return charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+	charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, ike_sa);
+	return SUCCESS;
 }
 
 /**
@@ -346,12 +350,13 @@ static status_t terminate_child_execute(interface_job_t *job)
 	
 	charon->bus->set_sa(charon->bus, ike_sa);
 	if (ike_sa->delete_child_sa(ike_sa, child_sa->get_protocol(child_sa),
-								child_sa->get_spi(child_sa, TRUE)) == DESTROY_ME)
+								child_sa->get_spi(child_sa, TRUE)) != DESTROY_ME)
 	{
-		return charon->ike_sa_manager->checkin_and_destroy(
-												charon->ike_sa_manager, ike_sa);
+		charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+		return SUCCESS;
 	}
-	return charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+	charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, ike_sa);
+	return FAILED;
 }
 
 /**
@@ -429,12 +434,13 @@ static status_t route_execute(interface_job_t *job)
 	ike_sa_t *ike_sa = listener->ike_sa;
 	
 	charon->bus->set_sa(charon->bus, ike_sa);
-	if (ike_sa->route(ike_sa, listener->child_cfg) == DESTROY_ME)
+	if (ike_sa->route(ike_sa, listener->child_cfg) != DESTROY_ME)
 	{
-		return charon->ike_sa_manager->checkin_and_destroy(
-												charon->ike_sa_manager, ike_sa);
+		charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+		return SUCCESS;
 	}
-	return charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+	charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, ike_sa);
+	return FAILED;
 }
 
 /**
@@ -487,12 +493,13 @@ static status_t unroute_execute(interface_job_t *job)
 	interface_listener_t *listener = &job->listener;
 	ike_sa_t *ike_sa = listener->ike_sa;
 	
-	if (ike_sa->unroute(ike_sa, listener->id) == DESTROY_ME)
+	if (ike_sa->unroute(ike_sa, listener->id) != DESTROY_ME)
 	{
-		return charon->ike_sa_manager->checkin_and_destroy(
-												charon->ike_sa_manager, ike_sa);
+		charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+		return SUCCESS;
 	}
-	return charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+	charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, ike_sa);
+	return SUCCESS;
 }
 
 /**
diff --git a/src/charon/credentials/auth_info.c b/src/charon/credentials/auth_info.c
index 028ca35c9..ed725b889 100644
--- a/src/charon/credentials/auth_info.c
+++ b/src/charon/credentials/auth_info.c
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: auth_info.c 4276 2008-08-22 10:44:51Z martin $
+ * $Id: auth_info.c 4774 2008-12-09 14:34:15Z martin $
  */
 
 
@@ -560,9 +560,9 @@ static void destroy_item_value(item_t *item)
 }
 
 /**
- * Implementation of auth_info_t.destroy
+ * Implementation of auth_info_t.purge
  */
-static void destroy(private_auth_info_t *this)
+static void purge(private_auth_info_t *this)
 {
 	item_t *item;
 	
@@ -571,6 +571,14 @@ static void destroy(private_auth_info_t *this)
 		destroy_item_value(item);
 		free(item);
 	}
+}
+
+/**
+ * Implementation of auth_info_t.destroy
+ */
+static void destroy(private_auth_info_t *this)
+{
+	purge(this);
 	this->items->destroy(this->items);
 	free(this);
 }
@@ -588,6 +596,7 @@ auth_info_t *auth_info_create()
 	this->public.create_item_enumerator = (enumerator_t*(*)(auth_info_t*))create_item_enumerator;
 	this->public.complies = (bool(*)(auth_info_t*, auth_info_t *))complies;
 	this->public.merge = (void(*)(auth_info_t*, auth_info_t *other))merge;
+	this->public.purge = (void(*)(auth_info_t*))purge;
 	this->public.equals = (bool(*)(auth_info_t*, auth_info_t *other))equals;
 	this->public.destroy = (void(*)(auth_info_t*))destroy;
 	
diff --git a/src/charon/credentials/auth_info.h b/src/charon/credentials/auth_info.h
index 52433433a..161698a65 100644
--- a/src/charon/credentials/auth_info.h
+++ b/src/charon/credentials/auth_info.h
@@ -171,6 +171,11 @@ struct auth_info_t {
 	 */
 	void (*merge)(auth_info_t *this, auth_info_t *other);
 	
+	/**
+	 * Purge all items in auth_info.
+	 */
+	void (*purge)(auth_info_t *this);
+	
 	/**
 	 * Check two auth_infos for equality.
 	 *
diff --git a/src/charon/credentials/sets/cert_cache.c b/src/charon/credentials/sets/cert_cache.c
index 79b5f0203..83ba8263d 100644
--- a/src/charon/credentials/sets/cert_cache.c
+++ b/src/charon/credentials/sets/cert_cache.c
@@ -18,99 +18,119 @@
 #include "cert_cache.h"
 
 #include <time.h>
+#include <sched.h>
 
 #include <daemon.h>
 #include <utils/mutex.h>
 #include <utils/linked_list.h>
 
-#define CACHE_SIZE 30
+/** cache size, a power of 2 for fast modulo */
+#define CACHE_SIZE 32
+
+/** attempts to acquire a cache lock */
+#define REPLACE_TRIES 5
 
 typedef struct private_cert_cache_t private_cert_cache_t;
 typedef struct relation_t relation_t;
 
 /**
- * private data of cert_cache
+ * A trusted relation between subject and issuer
  */
-struct private_cert_cache_t {
-
-	/**
-	 * public functions
-	 */
-	cert_cache_t public;
+struct relation_t {
 	
 	/**
-	 * list of trusted subject-issuer relations, as relation_t
+	 * subject of this relation
 	 */
-	linked_list_t *relations;
+	certificate_t *subject;
 	
 	/**
-	 * do we have an active enumerator
+	 * issuer of this relation
 	 */
-	refcount_t enumerating;
+	certificate_t *issuer;
 	
 	/**
-	 * have we increased the cache without a check_cache?
+	 * Cache hits
 	 */
-	bool check_required;
+	u_int hits;
 	
 	/**
-	 * read-write lock to sets list
+	 * Lock for this relation
 	 */
 	rwlock_t *lock;
 };
 
 /**
- * A trusted relation between subject and issuer
+ * private data of cert_cache
  */
-struct relation_t {
-	/** subject of this relation */
-	certificate_t *subject;
-	/** issuer of this relation */
-	certificate_t *issuer;
-	/** time of last use */
-	time_t last_use;
+struct private_cert_cache_t {
+	
+	/**
+	 * public functions
+	 */
+	cert_cache_t public;
+	
+	/**
+	 * array of trusted subject-issuer relations
+	 */
+	relation_t relations[CACHE_SIZE];
 };
 
 /**
- * destroy a relation_t structure
- */
-static void relation_destroy(relation_t *this)
-{
-	this->subject->destroy(this->subject);
-	this->issuer->destroy(this->issuer);
-	free(this);
-}
-
-/**
- * check the cache for oversize
+ * Cache relation in a free slot/replace an other
  */
-static void check_cache(private_cert_cache_t *this)
+static void cache(private_cert_cache_t *this,
+				  certificate_t *subject, certificate_t *issuer)
 {
-	if (this->enumerating)
+	relation_t *rel;
+	int i, offset, try;
+	u_int total_hits = 0;
+	
+	/* check for a unused relation slot first */
+	for (i = 0; i < CACHE_SIZE; i++)
 	{
-		this->check_required = TRUE;
+		rel = &this->relations[i];
+		
+		if (!rel->subject && rel->lock->try_write_lock(rel->lock))
+		{
+			/* double-check having lock */
+			if (!rel->subject)
+			{
+				rel->subject = subject->get_ref(subject);
+				rel->issuer = issuer->get_ref(issuer);
+				return rel->lock->unlock(rel->lock);
+			}
+			rel->lock->unlock(rel->lock);
+		}
+		total_hits += rel->hits;
 	}
-	else if (this->lock->try_write_lock(this->lock))
-	{	/* never blocks, only done if lock is available */
-		while (this->relations->get_count(this->relations) > CACHE_SIZE)
+	/* run several attempts to replace a random slot, never block. */
+	for (try = 0; try < REPLACE_TRIES; try++)
+	{
+		/* replace a random relation */
+		offset = random();
+		for (i = 0; i < CACHE_SIZE; i++)
 		{
-			relation_t *oldest = NULL, *current;
-			enumerator_t *enumerator;
+			rel = &this->relations[(i + offset) % CACHE_SIZE];
 			
-			enumerator = this->relations->create_enumerator(this->relations);
-			while (enumerator->enumerate(enumerator, &current))
+			if (rel->hits > total_hits / CACHE_SIZE)
+			{	/* skip often used slots */
+				continue;
+			}
+			if (rel->lock->try_write_lock(rel->lock))
 			{
-				if (oldest == NULL || oldest->last_use <= current->last_use)
+				if (rel->subject)
 				{
-					oldest = current;
+					rel->subject->destroy(rel->subject);
+					rel->issuer->destroy(rel->issuer);
 				}
+				rel->subject = subject->get_ref(subject);
+				rel->issuer = issuer->get_ref(issuer);
+				rel->hits = 0;
+				return rel->lock->unlock(rel->lock);
 			}
-			enumerator->destroy(enumerator);
-			this->relations->remove(this->relations, oldest, NULL);
-			relation_destroy(oldest);
 		}
-		this->check_required = FALSE;
-		this->lock->unlock(this->lock);
+		/* give other threads a chance to release locks */
+		sched_yield();
 	}
 }
 
@@ -121,108 +141,118 @@ static bool issued_by(private_cert_cache_t *this,
 					  certificate_t *subject, certificate_t *issuer)
 {
 	relation_t *found = NULL, *current;
-	enumerator_t *enumerator;
+	int i;
 	
-	/* lookup cache */
-	this->lock->read_lock(this->lock);
-	enumerator = this->relations->create_enumerator(this->relations);
-	while (enumerator->enumerate(enumerator, &current))
+	for (i = 0; i < CACHE_SIZE; i++)
 	{
-		bool match = FALSE;
-	
-		/* check for equal certificates */
-		if (subject->equals(subject, current->subject))
-		{
-			match = TRUE;
-			subject = current->subject;
-		}
-		if (issuer->equals(issuer, current->issuer))
+		current = &this->relations[i];
+		
+		current->lock->read_lock(current->lock);
+		if (current->subject)
 		{
-			issuer = current->issuer;
-			/* if both certs match, we already have a relation */
-			if (match)
+			/* check for equal issuer */
+			if (issuer->equals(issuer, current->issuer))
 			{
-				current->last_use = time(NULL);
-				found = current;
-				break;
+				/* reuse issuer instance in cache() */
+				issuer = current->issuer;
+				if (subject->equals(subject, current->subject))
+				{
+					/* write hit counter is not locked, but not critical */
+					current->hits++;
+					found = current;
+				}
 			}
 		}
+		current->lock->unlock(current->lock);
+		if (found)
+		{
+			return TRUE;
+		}
 	}
-	enumerator->destroy(enumerator);
-	this->lock->unlock(this->lock);
-	if (found)
+	/* no cache hit, check and cache signature */
+	if (subject->issued_by(subject, issuer))
 	{
+		cache(this, subject, issuer);
 		return TRUE;
 	}
-	/* no cache hit, check signature */
-	if (!subject->issued_by(subject, issuer))
-	{
-		return FALSE;
-	}
-	/* cache if good, respect cache limit */
-	found = malloc_thing(relation_t);
-	found->subject = subject->get_ref(subject);
-	found->issuer = issuer->get_ref(issuer);
-	found->last_use = time(NULL);
-	/* insert should be ok without lock */
-	this->relations->insert_last(this->relations, found);
-	check_cache(this);
-	return TRUE;
+	return FALSE;
 }
 
 /**
- * data associated to a cert enumeration 
+ * certificate enumerator implemenation
  */
 typedef struct {
+	/** implements enumerator_t interface */
+	enumerator_t public;
 	/** type of requested certificate */
 	certificate_type_t cert;
 	/** type of requested key */
 	key_type_t key;
-	/** ID to get a cert from */
+	/** ID to get a cert for */
 	identification_t *id;
-	/** reverse pointer to cache */
-	private_cert_cache_t *this;
-} cert_data_t;
+	/** cache */
+	relation_t *relations;
+	/** current position in array cache */
+	int index;
+	/** currently locked relation */
+	int locked;
+} cert_enumerator_t;
 
 /**
  * filter function for certs enumerator
  */
-static bool certs_filter(cert_data_t *data, relation_t **in, certificate_t **out)
+static bool cert_enumerate(cert_enumerator_t *this, certificate_t **out)
 {
 	public_key_t *public;
-	certificate_t *cert;
+	relation_t *rel;
 	
-	cert = (*in)->subject;
-	if (data->key == KEY_ANY && data->id && 
-		(data->cert == CERT_ANY || data->cert == CERT_X509_CRL) &&
-		cert->get_type(cert) == CERT_X509_CRL)
-	{	/* CRL lookup is done using issuer/authkeyidentifier */
-		if (cert->has_issuer(cert, data->id))
-		{
-			*out = cert;
-			return TRUE;
-		}
+	if (this->locked >= 0)
+	{
+		rel = &this->relations[this->locked];
+		rel->lock->unlock(rel->lock);
+		this->locked = -1;
 	}
 	
-	if ((data->cert == CERT_ANY || cert->get_type(cert) == data->cert) &&
-		(!data->id || cert->has_subject(cert, data->id)))
+	while (++this->index < CACHE_SIZE)
 	{
-		if (data->key == KEY_ANY)
-		{
-			*out = cert;
-			return TRUE;
-		}
-		public = cert->get_public_key(cert);
-		if (public)
+		rel = &this->relations[this->index];
+		rel->lock->read_lock(rel->lock);
+		this->locked = this->index;
+		if (rel->subject)
 		{
-			if (public->get_type(public) == data->key)
+			/* CRL lookup is done using issuer/authkeyidentifier */
+			if (this->key == KEY_ANY && this->id && 
+				(this->cert == CERT_ANY || this->cert == CERT_X509_CRL) &&
+				rel->subject->get_type(rel->subject) == CERT_X509_CRL &&
+				rel->subject->has_issuer(rel->subject, this->id))
 			{
-				public->destroy(public);
-				*out = cert;
+				*out = rel->subject;
 				return TRUE;
 			}
-			public->destroy(public);
+			if ((this->cert == CERT_ANY ||
+				 rel->subject->get_type(rel->subject) == this->cert) &&
+				(!this->id || rel->subject->has_subject(rel->subject, this->id)))
+			{
+				if (this->key == KEY_ANY)
+				{
+					*out = rel->subject;
+					return TRUE;
+				}
+				public = rel->subject->get_public_key(rel->subject);
+				if (public)
+				{
+					if (public->get_type(public) == this->key)
+					{
+						public->destroy(public);
+						*out = rel->subject;
+						return TRUE;
+					}
+					public->destroy(public);
+				}
+			}
 		}
+		this->locked = -1;
+		rel->lock->unlock(rel->lock);
 	}
 	return FALSE;
 }
@@ -230,15 +260,16 @@ static bool certs_filter(cert_data_t *data, relation_t **in, certificate_t **out
 /**
  * clean up enumeration data
  */
-static void certs_destroy(cert_data_t *data)
+static void cert_enumerator_destroy(cert_enumerator_t *this)
 {
-	ref_put(&data->this->enumerating);
-	data->this->lock->unlock(data->this->lock);
-	if (data->this->check_required)
+	relation_t *rel;
+	
+	if (this->locked >= 0)
 	{
-		check_cache(data->this);
+		rel = &this->relations[this->locked];
+		rel->lock->unlock(rel->lock);
 	}
-	free(data);
+	free(this);
 }
 
 /**
@@ -248,23 +279,23 @@ static enumerator_t *create_enumerator(private_cert_cache_t *this,
 									   certificate_type_t cert, key_type_t key, 
 									   identification_t *id, bool trusted)
 {
-	cert_data_t *data;
+	cert_enumerator_t *enumerator;
 	
 	if (trusted)
 	{
 		return NULL;
 	}
-	data = malloc_thing(cert_data_t);
-	data->cert = cert;
-	data->key = key;
-	data->id = id;
-	data->this = this;
+	enumerator = malloc_thing(cert_enumerator_t);
+	enumerator->public.enumerate = (void*)cert_enumerate;
+	enumerator->public.destroy = (void*)cert_enumerator_destroy;
+	enumerator->cert = cert;
+	enumerator->key = key;
+	enumerator->id = id;
+	enumerator->relations = this->relations;
+	enumerator->index = -1;
+	enumerator->locked = -1;
 	
-	this->lock->read_lock(this->lock);
-	ref_get(&this->enumerating);
-	return enumerator_create_filter(
-							this->relations->create_enumerator(this->relations),
-							(void*)certs_filter, data, (void*)certs_destroy);
+	return &enumerator->public;
 }
 
 /**
@@ -272,22 +303,42 @@ static enumerator_t *create_enumerator(private_cert_cache_t *this,
  */
 static void flush(private_cert_cache_t *this, certificate_type_t type)
 {
-	enumerator_t *enumerator;
-	relation_t *relation;
+	relation_t *rel;
+	int i;
 	
-	this->lock->write_lock(this->lock);
-	enumerator = this->relations->create_enumerator(this->relations);
-	while (enumerator->enumerate(enumerator, &relation))
+	for (i = 0; i < CACHE_SIZE; i++)
 	{
-		if (type == CERT_ANY ||
-			type == relation->subject->get_type(relation->subject))
+		rel = &this->relations[i];
+		if (!rel->subject)
+		{
+			continue;
+		}
+		/* check with cheap read lock first */
+		if (type != CERT_ANY)
 		{
-			this->relations->remove_at(this->relations, enumerator);
-			relation_destroy(relation);
+			rel->lock->read_lock(rel->lock);
+			if (!rel->subject || type != rel->subject->get_type(rel->subject))
+			{
+				rel->lock->unlock(rel->lock);
+				continue;
+			}
+			rel->lock->unlock(rel->lock);
+		}
+		/* double check in write lock */
+		rel->lock->write_lock(rel->lock);
+		if (rel->subject)
+		{
+			if (type == CERT_ANY || type == rel->subject->get_type(rel->subject))
+			{
+				rel->subject->destroy(rel->subject);
+				rel->issuer->destroy(rel->issuer);
+				rel->subject = NULL;
+				rel->issuer = NULL;
+				rel->hits = 0;
+			}
 		}
+		rel->lock->unlock(rel->lock);
 	}
-	enumerator->destroy(enumerator);
-	this->lock->unlock(this->lock);
 }
 
 /**
@@ -295,8 +346,19 @@ static void flush(private_cert_cache_t *this, certificate_type_t type)
  */
 static void destroy(private_cert_cache_t *this)
 {
-	this->relations->destroy_function(this->relations, (void*)relation_destroy);
-	this->lock->destroy(this->lock);
+	relation_t *rel;
+	int i;
+	
+	for (i = 0; i < CACHE_SIZE; i++)
+	{
+		rel = &this->relations[i];
+		if (rel->subject)
+		{
+			rel->subject->destroy(rel->subject);
+			rel->issuer->destroy(rel->issuer);
+		}
+		rel->lock->destroy(rel->lock);
+	}
 	free(this);
 }
 
@@ -305,8 +367,10 @@ static void destroy(private_cert_cache_t *this)
  */
 cert_cache_t *cert_cache_create()
 {
-	private_cert_cache_t *this = malloc_thing(private_cert_cache_t);
+	private_cert_cache_t *this;
+	int i;
 	
+	this = malloc_thing(private_cert_cache_t);
 	this->public.set.create_private_enumerator = (void*)return_null;
 	this->public.set.create_cert_enumerator = (void*)create_enumerator;
 	this->public.set.create_shared_enumerator = (void*)return_null;
@@ -316,11 +380,13 @@ cert_cache_t *cert_cache_create()
 	this->public.flush = (void(*)(cert_cache_t*, certificate_type_t type))flush;
 	this->public.destroy = (void(*)(cert_cache_t*))destroy;
 	
-	this->relations = linked_list_create();
-	this->enumerating = 0;
-	this->check_required = FALSE;
-	this->lock = rwlock_create(RWLOCK_DEFAULT);
-	
+	for (i = 0; i < CACHE_SIZE; i++)
+	{
+		this->relations[i].subject = NULL;
+		this->relations[i].issuer = NULL;
+		this->relations[i].hits = 0;
+		this->relations[i].lock = rwlock_create(RWLOCK_DEFAULT);
+	}
 	return &this->public;
 }
 
diff --git a/src/charon/daemon.c b/src/charon/daemon.c
index b9f173901..78cbeec83 100644
--- a/src/charon/daemon.c
+++ b/src/charon/daemon.c
@@ -60,11 +60,6 @@ struct private_daemon_t {
 	 * Signal set used for signal handling.
 	 */
 	sigset_t signal_set;
-	
-	/** 
-	 * The thread_id of main-thread.
-	 */
-	pthread_t main_thread_id;
 
 #ifdef CAPABILITIES
 	/**
@@ -226,7 +221,7 @@ static void kill_daemon(private_daemon_t *this, char *reason)
 	{
 		fprintf(stderr, "killing daemon: %s\n", reason);
 	}
-	if (this->main_thread_id == pthread_self())
+	if (this->public.main_thread_id == pthread_self())
 	{
 		/* initialization failed, terminate daemon */
 		unlink(PID_FILE);
@@ -235,7 +230,7 @@ static void kill_daemon(private_daemon_t *this, char *reason)
 	else
 	{
 		DBG1(DBG_DMN, "sending SIGTERM to ourself");
-		raise(SIGTERM);
+		pthread_kill(this->public.main_thread_id, SIGTERM);
 		/* thread must die, since he produced a ciritcal failure and can't continue */
 		pthread_exit(NULL);
 	}
@@ -303,7 +298,7 @@ static void lookup_uid_gid(private_daemon_t *this)
 		if (getgrnam_r(IPSEC_GROUP, &group, buf, sizeof(buf), &grp) != 0 ||
 			grp == NULL)
 		{
-			kill_daemon(this, "reslvoing group '"IPSEC_GROUP"' failed");
+			kill_daemon(this, "resolving group '"IPSEC_GROUP"' failed");
 		}
 		charon->gid = grp->gr_gid;
 	}
@@ -420,15 +415,17 @@ static void initialize_loggers(private_daemon_t *this, bool use_stderr,
 	}
 	enumerator->destroy(enumerator);
 	
-	/* setup legacy style default loggers provided via command-line */
+	/* set up legacy style default loggers provided via command-line */
 	if (!loggers_defined)
 	{
+		/* set up default stdout file_logger */
 		file_logger = file_logger_create(stdout);
-		sys_logger = sys_logger_create(LOG_DAEMON);
 		this->public.bus->add_listener(this->public.bus, &file_logger->listener);
-		this->public.bus->add_listener(this->public.bus, &sys_logger->listener);
 		this->public.file_loggers->insert_last(this->public.file_loggers,
 											   file_logger);
+		/* set up default daemon sys_logger */
+		sys_logger = sys_logger_create(LOG_DAEMON);
+		this->public.bus->add_listener(this->public.bus, &sys_logger->listener);
 		this->public.sys_loggers->insert_last(this->public.sys_loggers,
 											  sys_logger);
 		for (group = 0; group < DBG_MAX; group++)
@@ -439,6 +436,13 @@ static void initialize_loggers(private_daemon_t *this, bool use_stderr,
 				file_logger->set_level(file_logger, group, levels[group]);
 			}
 		}
+		
+		/* set up default auth sys_logger */
+		sys_logger = sys_logger_create(LOG_AUTHPRIV);
+		this->public.bus->add_listener(this->public.bus, &sys_logger->listener);
+		this->public.sys_loggers->insert_last(this->public.sys_loggers,
+											  sys_logger);
+		sys_logger->set_level(sys_logger, DBG_ANY, LEVEL_AUDIT);
 	}
 }
 
@@ -569,7 +573,7 @@ private_daemon_t *daemon_create(void)
 	this->public.uid = 0;
 	this->public.gid = 0;
 	
-	this->main_thread_id = pthread_self();
+	this->public.main_thread_id = pthread_self();
 #ifdef CAPABILITIES
 	this->caps = cap_init();
 	keep_cap(this, CAP_NET_ADMIN);
diff --git a/src/charon/daemon.h b/src/charon/daemon.h
index 89e03eb93..1b9392f8e 100644
--- a/src/charon/daemon.h
+++ b/src/charon/daemon.h
@@ -15,7 +15,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: daemon.h 4622 2008-11-11 10:52:37Z martin $
+ * $Id: daemon.h 4797 2008-12-12 09:13:06Z martin $
  */
 
 /**
@@ -303,6 +303,11 @@ struct daemon_t {
 	 */
 	gid_t gid;
 	
+	/** 
+	 * The thread_id of main-thread.
+	 */
+	pthread_t main_thread_id;
+	
 	/**
 	 * Do not drop a given capability after initialization.
 	 *
diff --git a/src/charon/encoding/generator.c b/src/charon/encoding/generator.c
index 3b68af84e..dea4f0e21 100644
--- a/src/charon/encoding/generator.c
+++ b/src/charon/encoding/generator.c
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: generator.c 3589 2008-03-13 14:14:44Z martin $
+ * $Id: generator.c 4702 2008-11-26 10:42:54Z martin $
  */
 
 #include <stdlib.h>
@@ -56,125 +56,6 @@ struct private_generator_t {
 	 * Public part of a generator_t object.
 	 */
 	 generator_t public;
-	 
-	/**
-	 * Generates a U_INT-Field type and writes it to buffer.
-	 *
-	 * @param this 					private_generator_t object
-	 * @param int_type 				type of U_INT field (U_INT_4, U_INT_8, etc.)
-	 * 								ATTRIBUTE_TYPE is also generated in this function
-	 * @param offset 				offset of value in data struct
-	 * @param generator_contexts	generator_contexts_t object where the context is written or read from
-	 * @return
-	 *  							- SUCCESS
-	 * 								- FAILED if allignment is wrong
-	 */
-	void (*generate_u_int_type) (private_generator_t *this,encoding_type_t int_type,u_int32_t offset);
-
-	/**
-	 * Get size of current buffer in bytes.
-	 *
-	 * @param this 					private_generator_t object
-	 * @return 						Size of buffer in bytes
-	 */
-	size_t (*get_current_buffer_size) (private_generator_t *this);
-	
-	/**
-	 * Get free space of current buffer in bytes.
-	 *
-	 * @param this 					private_generator_t object
-	 * @return 						space in buffer in bytes
-	 */
-	size_t (*get_current_buffer_space) (private_generator_t *this);
-
-	/**
-	 * Get length of data in buffer (in bytes).
-	 *
-	 * @param this 					private_generator_t object
-	 * @return 						length of data in bytes
-	 */	
-	size_t (*get_current_data_length) (private_generator_t *this);
-
-	/**
-	 * Get current offset in buffer (in bytes).
-	 *
-	 * @param this 					private_generator_t object
-	 * @return 						offset in bytes
-	 */	
-	u_int32_t (*get_current_buffer_offset) (private_generator_t *this);
-	
-	/**
-	 * Generates a RESERVED BIT field or a RESERVED BYTE field and writes 
-	 * it to the buffer.
-	 *
-	 * @param this 					private_generator_t object
-	 * @param generator_contexts	generator_contexts_t object where the context is written or read from
-	 * @param bits 					number of bits to generate
-	 */
-	void (*generate_reserved_field) (private_generator_t *this,int bits);
-	
-	/**
-	 * Generates a FLAG field.
-	 *
-	 * @param this 					private_generator_t object
-	 * @param generator_contexts	generator_contexts_t object where the context is written or read from
-	 * @param offset				offset of flag value in data struct
-	 */
-	void (*generate_flag) (private_generator_t *this,u_int32_t offset);
-	
-	/**
-	 * Writes the current buffer content into a chunk_t.
-	 * 
-	 * Memory of specific chunk_t gets allocated.
-	 *
- 	 * @param this				calling private_generator_t object
-	 * @param data				pointer of chunk_t to write to
-	 */
-	void (*write_chunk) (private_generator_t *this,chunk_t *data);
-	
-	/**
-	 * Generates a bytestream from a chunk_t.
-	 *
-	 * @param this 				private_generator_t object
-	 * @param offset			offset of chunk_t value in data struct
-	 */
-	void (*generate_from_chunk) (private_generator_t *this,u_int32_t offset);	
-
-	/**
-	 * Makes sure enough space is available in buffer to store amount of bits.
-     *
-	 * If buffer is to small to hold the specific amount of bits it 
-	 * is increased using reallocation function of allocator.
-	 *
- 	 * @param this 				calling private_generator_t object
-	 * @param bits 				number of bits to make available in buffer
-	 */
-	void (*make_space_available) (private_generator_t *this,size_t bits);
-
-	/**
-	 * Writes a specific amount of byte into the buffer.
-	 * 
-	 * If buffer is to small to hold the specific amount of bytes it 
-	 * is increased.
-	 *
- 	 * @param this				calling private_generator_t object
-	 * @param bytes 			pointer to bytes to write
-	 * @param number_of_bytes	number of bytes to write into buffer
-	 */
-	void (*write_bytes_to_buffer) (private_generator_t *this,void * bytes,size_t number_of_bytes);
-	
-	
-	/**
-	 * Writes a specific amount of byte into the buffer at a specific offset.
-	 * 
-	 * @warning buffer size is not check to hold the data if offset is to large.
-	 *
- 	 * @param this				calling private_generator_t object
-	 * @param bytes 			pointer to bytes to write
-	 * @param number_of_bytes	number of bytes to write into buffer
-	 * @param offset			offset to write the data into
-	 */
-	void (*write_bytes_to_buffer_at_offset) (private_generator_t *this,void * bytes,size_t number_of_bytes,u_int32_t offset);
 	
 	/**
 	 * Buffer used to generate the data into.
@@ -232,43 +113,116 @@ struct private_generator_t {
 };
 
 /**
- * Implementation of private_generator_t.get_current_buffer_size.
+ * Get size of current buffer in bytes.
  */
-static size_t get_current_buffer_size (private_generator_t *this)
+static size_t get_current_buffer_size(private_generator_t *this)
 {
-	return ((this->roof_position) - (this->buffer));
+	return this->roof_position - this->buffer;
 }
 
 /**
- * Implementation of private_generator_t.get_current_buffer_space.
+ * Get free space of current buffer in bytes.
  */
-static size_t get_current_buffer_space (private_generator_t *this)
+static size_t get_current_buffer_space(private_generator_t *this)
 {
-	/* we know, one byte more */
-	size_t space = (this->roof_position) - (this->out_position);
-	return (space);
+	return this->roof_position - this->out_position;
 }
 
 /**
- * Implementation of private_generator_t.get_current_data_length.
+ * Get length of data in buffer (in bytes).
  */
-static size_t get_current_data_length (private_generator_t *this)
+static size_t get_current_data_length(private_generator_t *this)
 {
-	return (this->out_position - this->buffer);
+	return this->out_position - this->buffer;
 }
 
 /**
- * Implementation of private_generator_t.get_current_buffer_offset.
+ * Get current offset in buffer (in bytes).
  */
-static u_int32_t get_current_buffer_offset (private_generator_t *this)
+static u_int32_t get_current_buffer_offset(private_generator_t *this)
 {
-	return (this->out_position - this->buffer);
+	return this->out_position - this->buffer;
 }
 
 /**
- * Implementation of private_generator_t.generate_u_int_type.
+ * Makes sure enough space is available in buffer to store amount of bits.
  */
-static void generate_u_int_type (private_generator_t *this,encoding_type_t int_type,u_int32_t offset)
+static void make_space_available (private_generator_t *this, size_t bits)
+{
+	while ((get_current_buffer_space(this) * 8 - this->current_bit) < bits)
+	{
+		/* must increase buffer */
+		size_t old_buffer_size = get_current_buffer_size(this);
+		size_t new_buffer_size = old_buffer_size + GENERATOR_DATA_BUFFER_INCREASE_VALUE;
+		size_t out_position_offset = ((this->out_position) - (this->buffer));
+
+		DBG2(DBG_ENC, "increased gen buffer from %d to %d byte", 
+			 old_buffer_size, new_buffer_size);
+		
+		/* Reallocate space for new buffer */
+		this->buffer = realloc(this->buffer,new_buffer_size);
+
+		this->out_position = (this->buffer + out_position_offset);
+		this->roof_position = (this->buffer + new_buffer_size);
+	}
+}
+
+/**
+ * Writes a specific amount of byte into the buffer.
+ */
+static void write_bytes_to_buffer(private_generator_t *this, void * bytes,
+								  size_t number_of_bytes)
+{
+	int i;
+	u_int8_t *read_position = (u_int8_t *) bytes;
+	
+	make_space_available(this, number_of_bytes * 8);
+	
+	for (i = 0; i < number_of_bytes; i++)
+	{
+		*(this->out_position) = *(read_position);
+		read_position++;
+		this->out_position++;
+	}
+}
+
+/**
+ * Writes a specific amount of byte into the buffer at a specific offset.
+ */
+static void write_bytes_to_buffer_at_offset (private_generator_t *this,
+						void *bytes, size_t number_of_bytes, u_int32_t offset)
+{
+	int i;
+	u_int8_t *read_position = (u_int8_t *) bytes;
+	u_int8_t *write_position;
+	u_int32_t free_space_after_offset = get_current_buffer_size(this) - offset;
+
+	/* check first if enough space for new data is available */	
+	if (number_of_bytes > free_space_after_offset)
+	{
+		make_space_available(this, (number_of_bytes - free_space_after_offset) * 8);
+	}
+	
+	write_position = this->buffer + offset;
+	for (i = 0; i < number_of_bytes; i++)
+	{
+		*write_position = *read_position;
+		read_position++;
+		write_position++;
+	}
+}
+
+/**
+ * Generates a U_INT-Field type and writes it to buffer.
+ *
+ * @param this 					private_generator_t object
+ * @param int_type 				type of U_INT field (U_INT_4, U_INT_8, etc.)
+ * 								ATTRIBUTE_TYPE is also generated in this function
+ * @param offset 				offset of value in data struct
+ * @param generator_contexts	generator_contexts_t object where the context is written or read from
+ */
+static void generate_u_int_type(private_generator_t *this,
+								encoding_type_t int_type,u_int32_t offset)
 {
 	size_t number_of_bits = 0;
 
@@ -316,7 +270,7 @@ static void generate_u_int_type (private_generator_t *this,encoding_type_t int_t
 	}
 	
 	/* make sure enough space is available in buffer */
-	this->make_space_available(this,number_of_bits);
+	make_space_available(this, number_of_bits);
 	/* now handle each u int type differently */
 	switch (int_type)
 	{
@@ -386,7 +340,7 @@ static void generate_u_int_type (private_generator_t *this,encoding_type_t int_t
 			int16_val = htons(int16_val);
 			DBG3(DBG_ENC, "   => %d", int16_val);
 			/* write bytes to buffer (set bit is overwritten)*/				
-			this->write_bytes_to_buffer(this,&int16_val,sizeof(u_int16_t));
+			write_bytes_to_buffer(this, &int16_val, sizeof(u_int16_t));
 			this->current_bit = 0;
 			break;
 			
@@ -396,14 +350,14 @@ static void generate_u_int_type (private_generator_t *this,encoding_type_t int_t
 		{
 			u_int16_t int16_val = htons(*((u_int16_t*)(this->data_struct + offset)));
 			DBG3(DBG_ENC, "   => %b", (void*)&int16_val, sizeof(int16_val));
-			this->write_bytes_to_buffer(this,&int16_val,sizeof(u_int16_t));
+			write_bytes_to_buffer(this, &int16_val, sizeof(u_int16_t));
 			break;
 		}
 		case U_INT_32:
 		{
 			u_int32_t int32_val = htonl(*((u_int32_t*)(this->data_struct + offset)));
 			DBG3(DBG_ENC, "   => %b", (void*)&int32_val, sizeof(int32_val));
-			this->write_bytes_to_buffer(this,&int32_val,sizeof(u_int32_t));
+			write_bytes_to_buffer(this, &int32_val, sizeof(u_int32_t));
 			break;
 		}
 		case U_INT_64:
@@ -415,15 +369,15 @@ static void generate_u_int_type (private_generator_t *this,encoding_type_t int_t
 				 (void*)&int32_val_low, sizeof(int32_val_low),
 				 (void*)&int32_val_high, sizeof(int32_val_high));
 			/* TODO add support for big endian machines */
-			this->write_bytes_to_buffer(this,&int32_val_high,sizeof(u_int32_t));
-			this->write_bytes_to_buffer(this,&int32_val_low,sizeof(u_int32_t));
+			write_bytes_to_buffer(this, &int32_val_high, sizeof(u_int32_t));
+			write_bytes_to_buffer(this, &int32_val_low, sizeof(u_int32_t));
 			break;
 		}
 		
 		case IKE_SPI:
 		{
 			/* 64 bit are written as they come :-) */
-			this->write_bytes_to_buffer(this,(this->data_struct + offset),sizeof(u_int64_t));
+			write_bytes_to_buffer(this, this->data_struct + offset, sizeof(u_int64_t));
 			DBG3(DBG_ENC, "   => %b", (void*)(this->data_struct + offset), sizeof(u_int64_t));
 			break;
 		}
@@ -437,9 +391,9 @@ static void generate_u_int_type (private_generator_t *this,encoding_type_t int_t
 }
 
 /**
- * Implementation of private_generator_t.generate_reserved_field.
+ * Generate a reserved bit or byte
  */
-static void generate_reserved_field(private_generator_t *this,int bits)
+static void generate_reserved_field(private_generator_t *this, int bits)
 {
 	/* only one bit or 8 bit fields are supported */
 	if ((bits != 1) && (bits != 8))
@@ -448,7 +402,7 @@ static void generate_reserved_field(private_generator_t *this,int bits)
 		return ;
 	}
 	/* make sure enough space is available in buffer */
-	this->make_space_available(this,bits);
+	make_space_available(this, bits);
 	
 	if (bits == 1)
 	{	
@@ -460,8 +414,6 @@ static void generate_reserved_field(private_generator_t *this,int bits)
 			/* memory must be zero */
 			*(this->out_position) = 0x00;
 		}
-
-
 		this->current_bit++;
 		if (this->current_bit >= 8)
 		{
@@ -484,9 +436,9 @@ static void generate_reserved_field(private_generator_t *this,int bits)
 }
 
 /**
- * Implementation of private_generator_t.generate_flag.
+ * Generate a FLAG filed
  */
-static void generate_flag (private_generator_t *this,u_int32_t offset)
+static void generate_flag(private_generator_t *this, u_int32_t offset)
 {
 	/* value of current flag */
 	u_int8_t flag_value;
@@ -499,7 +451,7 @@ static void generate_flag (private_generator_t *this,u_int32_t offset)
 	flag = (flag_value << (7 - this->current_bit));
 	
 	/* make sure one bit is available in buffer */
-	this->make_space_available(this,1);
+	make_space_available(this, 1);
 	if (this->current_bit == 0)
 	{
 		/* memory must be zero */
@@ -520,9 +472,9 @@ static void generate_flag (private_generator_t *this,u_int32_t offset)
 }
 
 /**
- * Implementation of private_generator_t.generate_from_chunk.
+ * Generates a bytestream from a chunk_t.
  */
-static void generate_from_chunk (private_generator_t *this,u_int32_t offset)
+static void generate_from_chunk(private_generator_t *this, u_int32_t offset)
 {
 	if (this->current_bit != 0)
 	{
@@ -536,73 +488,7 @@ static void generate_from_chunk (private_generator_t *this,u_int32_t offset)
 	DBG3(DBG_ENC, "   => %B", attribute_value);
 	
 	/* use write_bytes_to_buffer function to do the job */
-	this->write_bytes_to_buffer(this,attribute_value->ptr,attribute_value->len);
-}
-
-/**
- * Implementation of private_generator_t.make_space_available.
- */
-static void make_space_available (private_generator_t *this, size_t bits)
-{
-	while (((this->get_current_buffer_space(this) * 8) - this->current_bit) < bits)
-	{
-		/* must increase buffer */
-		size_t old_buffer_size = this->get_current_buffer_size(this);
-		size_t new_buffer_size = old_buffer_size + GENERATOR_DATA_BUFFER_INCREASE_VALUE;
-		size_t out_position_offset = ((this->out_position) - (this->buffer));
-
-		DBG2(DBG_ENC, "increased gen buffer from %d to %d byte", 
-			 old_buffer_size, new_buffer_size);
-		
-		/* Reallocate space for new buffer */
-		this->buffer = realloc(this->buffer,new_buffer_size);
-
-		this->out_position = (this->buffer + out_position_offset);
-		this->roof_position = (this->buffer + new_buffer_size);
-	}
-}
-
-/**
- * Implementation of private_generator_t.write_bytes_to_buffer.
- */
-static void write_bytes_to_buffer (private_generator_t *this,void * bytes, size_t number_of_bytes)
-{
-	int i;
-	u_int8_t *read_position = (u_int8_t *) bytes;
-	
-	this->make_space_available(this,number_of_bytes * 8);
-
-	for (i = 0; i < number_of_bytes; i++)
-	{
-		*(this->out_position) = *(read_position);
-		read_position++;
-		this->out_position++;
-	}
-}
-
-/**
- * Implementation of private_generator_t.write_bytes_to_buffer_at_offset.
- */
-static void write_bytes_to_buffer_at_offset (private_generator_t *this,void * bytes,size_t number_of_bytes,u_int32_t offset)
-{
-	int i;
-	u_int8_t *read_position = (u_int8_t *) bytes;
-	u_int8_t *write_position;
-	u_int32_t free_space_after_offset = (this->get_current_buffer_size(this) - offset);
-
-	/* check first if enough space for new data is available */	
-	if (number_of_bytes > free_space_after_offset)
-	{
-		this->make_space_available(this,(number_of_bytes - free_space_after_offset) * 8);
-	}
-	
-	write_position = this->buffer + offset;
-	for (i = 0; i < number_of_bytes; i++)
-	{
-		*(write_position) = *(read_position);
-		read_position++;
-		write_position++;
-	}
+	write_bytes_to_buffer(this, attribute_value->ptr, attribute_value->len);
 }
 
 /**
@@ -610,14 +496,15 @@ static void write_bytes_to_buffer_at_offset (private_generator_t *this,void * by
  */
 static void write_to_chunk (private_generator_t *this,chunk_t *data)
 {
-	size_t data_length = this->get_current_data_length(this);
+	size_t data_length = get_current_data_length(this);
 	u_int32_t header_length_field = data_length;
 	
 	/* write length into header length field */
 	if (this->header_length_position_offset > 0)
 	{
 		u_int32_t int32_val = htonl(header_length_field);
-		this->write_bytes_to_buffer_at_offset(this,&int32_val,sizeof(u_int32_t),this->header_length_position_offset);
+		write_bytes_to_buffer_at_offset(this, &int32_val, sizeof(u_int32_t),
+										this->header_length_position_offset);
 	}
 
 	if (this->current_bit > 0)
@@ -660,7 +547,6 @@ static void generate_payload (private_generator_t *this,payload_t *payload)
 			 i, encoding_type_names, rules[i].type);
 		switch (rules[i].type)
 		{
-			/* all u int values, IKE_SPI,TS_TYPE and ATTRIBUTE_TYPE are generated in generate_u_int_type */
 			case U_INT_4:
 			case U_INT_8:
 			case U_INT_16:
@@ -671,56 +557,56 @@ static void generate_payload (private_generator_t *this,payload_t *payload)
 			case ATTRIBUTE_TYPE:
 			case CONFIGURATION_ATTRIBUTE_LENGTH:
 			{
-				this->generate_u_int_type(this,rules[i].type,rules[i].offset);
+				generate_u_int_type(this, rules[i].type,rules[i].offset);
 				break;
 			}
 			case RESERVED_BIT:
 			{
-				this->generate_reserved_field(this,1);
+				generate_reserved_field(this, 1);
 				break;
 			}
 			case RESERVED_BYTE:
 			{
-				this->generate_reserved_field(this,8);
+				generate_reserved_field(this, 8);
 				break;
 			} 
 			case FLAG:
 			{
-				this->generate_flag(this,rules[i].offset);
+				generate_flag(this, rules[i].offset);
 				break;
 			}
 			case PAYLOAD_LENGTH:
 			{
 				/* position of payload lenght field is temporary stored */
-				this->last_payload_length_position_offset = this->get_current_buffer_offset(this);
+				this->last_payload_length_position_offset = get_current_buffer_offset(this);
 				/* payload length is generated like an U_INT_16 */
-				this->generate_u_int_type(this,U_INT_16,rules[i].offset);
+				generate_u_int_type(this, U_INT_16,rules[i].offset);
 				break;
 			}
 			case HEADER_LENGTH:
 			{
 				/* position of header length field is temporary stored */			
-				this->header_length_position_offset = this->get_current_buffer_offset(this);	
+				this->header_length_position_offset = get_current_buffer_offset(this);	
 				/* header length is generated like an U_INT_32 */
-				this->generate_u_int_type(this,U_INT_32,rules[i].offset);
+				generate_u_int_type(this ,U_INT_32, rules[i].offset);
 				break;
 			}
 			case SPI_SIZE:
 				/* spi size is handled as 8 bit unsigned integer */
-				this->generate_u_int_type(this,U_INT_8,rules[i].offset);
+				generate_u_int_type(this, U_INT_8, rules[i].offset);
 				/* last spi size is temporary stored */
 				this->last_spi_size = *((u_int8_t *)(this->data_struct + rules[i].offset));
 				break;
 			case ADDRESS:
 			{
 				/* the Address value is generated from chunk */
-				this->generate_from_chunk(this,rules[i].offset);
+				generate_from_chunk(this, rules[i].offset);
 				break;
 			}
 			case SPI:
 			{
 				/* the SPI value is generated from chunk */
-				this->generate_from_chunk(this,rules[i].offset);
+				generate_from_chunk(this, rules[i].offset);
 				break;
 			}
 			case KEY_EXCHANGE_DATA:
@@ -780,16 +666,17 @@ static void generate_payload (private_generator_t *this,payload_t *payload)
 				}
 				
 				/* the data value is generated from chunk */
-				this->generate_from_chunk(this,rules[i].offset);
-
+				generate_from_chunk(this, rules[i].offset);
+				
 				payload_length_position_offset = this->last_payload_length_position_offset;
 				
 				
 				/* Length of payload is calculated */
 				length_of_payload = header_length + ((chunk_t *)(this->data_struct + rules[i].offset))->len;
-
+				
 				length_in_network_order = htons(length_of_payload);			
-				this->write_bytes_to_buffer_at_offset(this,&length_in_network_order,sizeof(u_int16_t),payload_length_position_offset);
+				write_bytes_to_buffer_at_offset(this, &length_in_network_order,
+							sizeof(u_int16_t),payload_length_position_offset);
 				break;
 			}
 			case PROPOSALS:
@@ -812,9 +699,9 @@ static void generate_payload (private_generator_t *this,payload_t *payload)
 					u_int32_t before_generate_position_offset;
 					u_int32_t after_generate_position_offset;
 					
-					before_generate_position_offset = this->get_current_buffer_offset(this);
+					before_generate_position_offset = get_current_buffer_offset(this);
 					this->public.generate_payload(&(this->public),current_proposal);
-					after_generate_position_offset = this->get_current_buffer_offset(this);
+					after_generate_position_offset = get_current_buffer_offset(this);
 					
 					/* increase size of transform */
 					length_of_sa_payload += (after_generate_position_offset - before_generate_position_offset);
@@ -822,7 +709,8 @@ static void generate_payload (private_generator_t *this,payload_t *payload)
 				iterator->destroy(iterator);
 				
 				int16_val = htons(length_of_sa_payload);
-				this->write_bytes_to_buffer_at_offset(this,&int16_val,sizeof(u_int16_t),payload_length_position_offset);
+				write_bytes_to_buffer_at_offset(this, &int16_val,
+							sizeof(u_int16_t),payload_length_position_offset);
 				break;
 			}
 			case TRANSFORMS:
@@ -842,9 +730,9 @@ static void generate_payload (private_generator_t *this,payload_t *payload)
 					u_int32_t before_generate_position_offset;
 					u_int32_t after_generate_position_offset;
 					
-					before_generate_position_offset = this->get_current_buffer_offset(this);
+					before_generate_position_offset = get_current_buffer_offset(this);
 					this->public.generate_payload(&(this->public),current_transform);
-					after_generate_position_offset = this->get_current_buffer_offset(this);
+					after_generate_position_offset = get_current_buffer_offset(this);
 					
 					/* increase size of transform */
 					length_of_proposal += (after_generate_position_offset - before_generate_position_offset);
@@ -853,7 +741,8 @@ static void generate_payload (private_generator_t *this,payload_t *payload)
 				iterator->destroy(iterator);
 				
 				int16_val = htons(length_of_proposal);
-				this->write_bytes_to_buffer_at_offset(this,&int16_val,sizeof(u_int16_t),payload_length_position_offset);
+				write_bytes_to_buffer_at_offset(this, &int16_val,
+							sizeof(u_int16_t), payload_length_position_offset);
 				
 				break;
 			}	
@@ -874,9 +763,9 @@ static void generate_payload (private_generator_t *this,payload_t *payload)
 					u_int32_t before_generate_position_offset;
 					u_int32_t after_generate_position_offset;
 					
-					before_generate_position_offset = this->get_current_buffer_offset(this);
+					before_generate_position_offset = get_current_buffer_offset(this);
 					this->public.generate_payload(&(this->public),current_attribute);
-					after_generate_position_offset = this->get_current_buffer_offset(this);
+					after_generate_position_offset = get_current_buffer_offset(this);
 					
 					/* increase size of transform */
 					length_of_transform += (after_generate_position_offset - before_generate_position_offset);
@@ -885,7 +774,8 @@ static void generate_payload (private_generator_t *this,payload_t *payload)
 				iterator->destroy(iterator);
 				
 				int16_val = htons(length_of_transform);
-				this->write_bytes_to_buffer_at_offset(this,&int16_val,sizeof(u_int16_t),transform_length_position_offset);
+				write_bytes_to_buffer_at_offset(this, &int16_val, 
+							sizeof(u_int16_t),transform_length_position_offset);
 				
 				break;
 			}
@@ -906,9 +796,9 @@ static void generate_payload (private_generator_t *this,payload_t *payload)
 					u_int32_t before_generate_position_offset;
 					u_int32_t after_generate_position_offset;
 					
-					before_generate_position_offset = this->get_current_buffer_offset(this);
+					before_generate_position_offset = get_current_buffer_offset(this);
 					this->public.generate_payload(&(this->public),current_attribute);
-					after_generate_position_offset = this->get_current_buffer_offset(this);
+					after_generate_position_offset = get_current_buffer_offset(this);
 					
 					/* increase size of transform */
 					length_of_configurations += (after_generate_position_offset - before_generate_position_offset);
@@ -917,13 +807,14 @@ static void generate_payload (private_generator_t *this,payload_t *payload)
 				iterator->destroy(iterator);
 				
 				int16_val = htons(length_of_configurations);
-				this->write_bytes_to_buffer_at_offset(this,&int16_val,sizeof(u_int16_t),configurations_length_position_offset);
+				write_bytes_to_buffer_at_offset(this, &int16_val, 
+					 sizeof(u_int16_t),configurations_length_position_offset);
 				
 				break;
 			}	
 			case ATTRIBUTE_FORMAT:
 			{
-				this->generate_flag(this,rules[i].offset);
+				generate_flag(this, rules[i].offset);
 				/* Attribute format is a flag which is stored in context*/
 				this->attribute_format = *((bool *) (this->data_struct + rules[i].offset));
 				break;
@@ -933,13 +824,13 @@ static void generate_payload (private_generator_t *this,payload_t *payload)
 			{
 				if (this->attribute_format == FALSE)
 				{
-					this->generate_u_int_type(this,U_INT_16,rules[i].offset);
+					generate_u_int_type(this, U_INT_16, rules[i].offset);
 					/* this field hold the length of the attribute */
 					this->attribute_length = *((u_int16_t *)(this->data_struct + rules[i].offset));
 				}
 				else
 				{
-					this->generate_u_int_type(this,U_INT_16,rules[i].offset);
+					generate_u_int_type(this, U_INT_16, rules[i].offset);
 				}
 				break;
 			}
@@ -949,7 +840,7 @@ static void generate_payload (private_generator_t *this,payload_t *payload)
 				{
 					DBG2(DBG_ENC, "attribute value has not fixed size");
 					/* the attribute value is generated */
-					this->generate_from_chunk(this,rules[i].offset);
+					generate_from_chunk(this, rules[i].offset);
 				}
 				break;
 			}
@@ -973,9 +864,9 @@ static void generate_payload (private_generator_t *this,payload_t *payload)
 					u_int32_t before_generate_position_offset;
 					u_int32_t after_generate_position_offset;
 
-					before_generate_position_offset = this->get_current_buffer_offset(this);
+					before_generate_position_offset = get_current_buffer_offset(this);
 					this->public.generate_payload(&(this->public),current_traffic_selector_substructure);
-					after_generate_position_offset = this->get_current_buffer_offset(this);
+					after_generate_position_offset = get_current_buffer_offset(this);
 					
 					/* increase size of transform */
 					length_of_ts_payload += (after_generate_position_offset - before_generate_position_offset);
@@ -983,13 +874,14 @@ static void generate_payload (private_generator_t *this,payload_t *payload)
 				iterator->destroy(iterator);
 				
 				int16_val = htons(length_of_ts_payload);
-				this->write_bytes_to_buffer_at_offset(this,&int16_val,sizeof(u_int16_t),payload_length_position_offset);
+				write_bytes_to_buffer_at_offset(this, &int16_val,
+							sizeof(u_int16_t),payload_length_position_offset);
 				break;
 			}	
 			
 			case ENCRYPTED_DATA:
 			{
-				this->generate_from_chunk(this, rules[i].offset);
+				generate_from_chunk(this, rules[i].offset);
 				break;
 			}
 			default:
@@ -1028,24 +920,9 @@ generator_t *generator_create()
 	this->public.destroy = (void(*)(generator_t*)) destroy;
 	this->public.write_to_chunk = (void (*) (generator_t *,chunk_t *)) write_to_chunk;
 	
-	
-	/* initiate private functions */
-	this->get_current_buffer_size = get_current_buffer_size;
-	this->get_current_buffer_space = get_current_buffer_space;
-	this->get_current_data_length = get_current_data_length;
-	this->get_current_buffer_offset = get_current_buffer_offset;
-	this->generate_u_int_type = generate_u_int_type;
-	this->generate_reserved_field = generate_reserved_field;
-	this->generate_flag = generate_flag;
-	this->generate_from_chunk = generate_from_chunk;
-	this->make_space_available = make_space_available;
-	this->write_bytes_to_buffer = write_bytes_to_buffer;
-	this->write_bytes_to_buffer_at_offset = write_bytes_to_buffer_at_offset;
-
-
 	/* allocate memory for buffer */
 	this->buffer = malloc(GENERATOR_DATA_BUFFER_SIZE);
-
+	
 	/* initiate private variables */
 	this->out_position = this->buffer;
 	this->roof_position = this->buffer + GENERATOR_DATA_BUFFER_SIZE;
@@ -1053,6 +930,7 @@ generator_t *generator_create()
 	this->current_bit = 0;
 	this->last_payload_length_position_offset = 0;
 	this->header_length_position_offset = 0;
-
+	
 	return &(this->public);
 }
+
diff --git a/src/charon/encoding/generator.h b/src/charon/encoding/generator.h
index b6f2af2cb..d1d3522d0 100644
--- a/src/charon/encoding/generator.h
+++ b/src/charon/encoding/generator.h
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: generator.h 3589 2008-03-13 14:14:44Z martin $
+ * $Id: generator.h 4702 2008-11-26 10:42:54Z martin $
  */
 
 /**
@@ -32,12 +32,12 @@ typedef struct generator_t generator_t;
 
 /**
  * Generating is done in a data buffer.
- * This is thehe start size of this buffer in bytes.
+ * This is the start size of this buffer in bytes.
  */
 #define GENERATOR_DATA_BUFFER_SIZE 500
 
 /**
- * Number of bytes to increase the buffer, if it is to small.
+ * Number of bytes to increase the buffer, if it is too small.
  */
 #define GENERATOR_DATA_BUFFER_INCREASE_VALUE 500
 
diff --git a/src/charon/encoding/parser.c b/src/charon/encoding/parser.c
index 1b03aacb2..396054810 100644
--- a/src/charon/encoding/parser.c
+++ b/src/charon/encoding/parser.c
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: parser.c 4010 2008-05-23 18:23:17Z martin $
+ * $Id: parser.c 4703 2008-11-26 10:54:08Z martin $
  */
 
 #include <stdlib.h>
@@ -61,147 +61,6 @@ struct private_parser_t {
 	 */
 	parser_t public;
 	
-	/**
-	 * Parse a 4-Bit unsigned integer from the current parsing position.
-	 * 
-	 * @param this				parser_t object
-	 * @param rule_number		number of current rule
-	 * @param[out] output_pos	pointer where to write the parsed result
-	 * @return 					
-	 * 							- SUCCESS or
-	 * 							- PARSE_ERROR when not successful
-	 */
-	status_t (*parse_uint4)  (private_parser_t *this, int rule_number, u_int8_t *output_pos);
-	
-	/**
-	 * Parse a 8-Bit unsigned integer from the current parsing position.
-	 * 
-	 * @param this				parser_t object
-	 * @param rule_number		number of current rule
-	 * @param[out] output_pos	pointer where to write the parsed result
-	 * @return 					
-	 * 							- SUCCESS or
-	 * 							- PARSE_ERROR when not successful
-	 */
-	status_t (*parse_uint8)  (private_parser_t *this, int rule_number, u_int8_t *output_pos);
-	
-	/**
-	 * Parse a 15-Bit unsigned integer from the current parsing position.
-	 * 
-	 * This is a special case used for ATTRIBUTE_TYPE.
-	 * Big-/Little-endian conversion is done here.
-	 * 
-	 * @param this				parser_t object
-	 * @param rule_number		number of current rule
-	 * @param[out] output_pos	pointer where to write the parsed result
-	 * @return 					
-	 * 							- SUCCESS or
-	 * 							- PARSE_ERROR when not successful
-	 */
-	status_t (*parse_uint15) (private_parser_t *this, int rule_number, u_int16_t *output_pos);
-	
-	/**
-	 * Parse a 16-Bit unsigned integer from the current parsing position.
-	 * 
-	 * Big-/Little-endian conversion is done here.
-	 * 
-	 * @param this				parser_t object
-	 * @param rule_number		number of current rule
-	 * @param[out] output_pos	pointer where to write the parsed result
-	 * @return 					
-	 * 							- SUCCESS or
-	 * 							- PARSE_ERROR when not successful
-	 */
-	status_t (*parse_uint16) (private_parser_t *this, int rule_number, u_int16_t *output_pos);
-	
-	/**
-	 * Parse a 32-Bit unsigned integer from the current parsing position.
-	 * 
-	 * Big-/Little-endian conversion is done here.
-	 * 
-	 * @param this				parser_t object
-	 * @param rule_number		number of current rule
-	 * @param[out] output_pos	pointer where to write the parsed result
-	 * @return 					
-	 * 							- SUCCESS or
-	 * 							- PARSE_ERROR when not successful
-	 */
-	status_t (*parse_uint32) (private_parser_t *this, int rule_number, u_int32_t *output_pos);
-	
-	/**
-	 * Parse a 64-Bit unsigned integer from the current parsing position.
-	 * 
-	 * @todo add support for big-endian machines.
-	 * 
-	 * @param this				parser_t object
-	 * @param rule_number		number of current rule
-	 * @param[out] output_pos	pointer where to write the parsed result
-	 * @return 					
-	 * 							- SUCCESS or
-	 * 							- PARSE_ERROR when not successful
-	 */
-	status_t (*parse_uint64) (private_parser_t *this, int rule_number, u_int64_t *output_pos);
-	
-	/**
-	 * Parse a given amount of bytes and writes them to a specific location
-	 * 
-	 * @param this				parser_t object
-	 * @param rule_number		number of current rule
-	 * @param[out] output_pos	pointer where to write the parsed result
-	 * @param bytes				number of bytes to parse
-	 * @return 					
-	 * 							- SUCCESS or
-	 * 							- PARSE_ERROR when not successful
-	 */
-	status_t (*parse_bytes) (private_parser_t *this, int rule_number, u_int8_t *output_pos,size_t bytes);
-	
-	/**
-	 * Parse a single Bit from the current parsing position
-	 * 
-	 * @param this				parser_t object
-	 * @param rule_number		number of current rule
-	 * @param[out] output_pos	pointer where to write the parsed result
-	 * @return 					
-	 * 							- SUCCESS or
-	 * 							- PARSE_ERROR when not successful
-	 */
-	status_t (*parse_bit)    (private_parser_t *this, int rule_number, bool *output_pos);
-	
-	/**
-	 * Parse substructures in a list
-	 * 
-	 * This function calls the parser recursively to parse contained substructures
-	 * in a linked_list_t. The list must already be created. Payload defines
-	 * the type of the substructures. parsing is continued until the specified length
-	 * is completely parsed.
-	 * 
-	 * @param this				parser_t object
-	 * @param rule_number		number of current rule
-	 * @param[out] output_pos	pointer of a linked_list where substructures are added
-	 * @param payload_type		type of the contained substructures to parse
-	 * @param length			number of bytes to parse in this list
-	 * @return 					
-	 * 							- SUCCESS or
-	 * 							- PARSE_ERROR when not successful
-	 */
-	status_t (*parse_list)   (private_parser_t *this, int rule_number, linked_list_t **output_pos, payload_type_t payload_ype, size_t length);
-	
-	/**
-	 * Parse data from current parsing position in a chunk.
-	 * 
-	 * This function clones length number of bytes to output_pos, without 
-	 * modifiyng them. Space will be allocated and must be freed by caller.
-	 * 
-	 * @param this				parser_t object
-	 * @param rule_number		number of current rule
-	 * @param[out] output_pos	pointer of a chunk which will point to the allocated data
-	 * @param length			number of bytes to clone
-	 * @return 					
-	 * 							- SUCCESS or
-	 * 							- PARSE_ERROR when not successful
-	 */
-	status_t (*parse_chunk)  (private_parser_t *this, int rule_number, chunk_t *output_pos, size_t length);
-
 	/**
 	 * Current bit for reading in input data.
 	 */
@@ -229,7 +88,7 @@ struct private_parser_t {
 };
 
 /**
- * Implementation of private_parser_t.parse_uint4.
+ * Parse a 4-Bit unsigned integer from the current parsing position.
  */
 static status_t parse_uint4(private_parser_t *this, int rule_number, u_int8_t *output_pos)
 {
@@ -274,7 +133,7 @@ static status_t parse_uint4(private_parser_t *this, int rule_number, u_int8_t *o
 }
 
 /**
- * Implementation of private_parser_t.parse_uint8.
+ * Parse a 8-Bit unsigned integer from the current parsing position.
  */
 static status_t parse_uint8(private_parser_t *this, int rule_number, u_int8_t *output_pos)
 {
@@ -304,7 +163,7 @@ static status_t parse_uint8(private_parser_t *this, int rule_number, u_int8_t *o
 }
 
 /**
- * Implementation of private_parser_t.parse_uint15.
+ * Parse a 15-Bit unsigned integer from the current parsing position.
  */
 static status_t parse_uint15(private_parser_t *this, int rule_number, u_int16_t *output_pos)
 {
@@ -333,7 +192,7 @@ static status_t parse_uint15(private_parser_t *this, int rule_number, u_int16_t
 }
 
 /**
- * Implementation of private_parser_t.parse_uint16.
+ * Parse a 16-Bit unsigned integer from the current parsing position.
  */
 static status_t parse_uint16(private_parser_t *this, int rule_number, u_int16_t *output_pos)
 {
@@ -361,7 +220,7 @@ static status_t parse_uint16(private_parser_t *this, int rule_number, u_int16_t
 	return SUCCESS;
 }
 /**
- * Implementation of private_parser_t.parse_uint32.
+ * Parse a 32-Bit unsigned integer from the current parsing position.
  */
 static status_t parse_uint32(private_parser_t *this, int rule_number, u_int32_t *output_pos)
 {
@@ -390,7 +249,7 @@ static status_t parse_uint32(private_parser_t *this, int rule_number, u_int32_t
 }
 
 /**
- * Implementation of private_parser_t.parse_uint64.
+ * Parse a 64-Bit unsigned integer from the current parsing position.
  */
 static status_t parse_uint64(private_parser_t *this, int rule_number, u_int64_t *output_pos)
 {
@@ -421,7 +280,7 @@ static status_t parse_uint64(private_parser_t *this, int rule_number, u_int64_t
 }
 
 /**
- * Implementation of private_parser_t.parse_bytes.
+ * Parse a given amount of bytes and writes them to a specific location
  */
 static status_t parse_bytes (private_parser_t *this, int rule_number, u_int8_t *output_pos,size_t bytes)
 {
@@ -451,7 +310,7 @@ static status_t parse_bytes (private_parser_t *this, int rule_number, u_int8_t *
 }
 
 /**
- * Implementation of private_parser_t.parse_bit.
+ * Parse a single Bit from the current parsing position
  */
 static status_t parse_bit(private_parser_t *this, int rule_number, bool *output_pos)
 {
@@ -486,7 +345,7 @@ static status_t parse_bit(private_parser_t *this, int rule_number, bool *output_
 }
 
 /**
- * Implementation of private_parser_t.parse_list.
+ * Parse substructures in a list.
  */
 static status_t parse_list(private_parser_t *this, int rule_number, linked_list_t **output_pos, payload_type_t payload_type, size_t length)
 {
@@ -528,7 +387,7 @@ static status_t parse_list(private_parser_t *this, int rule_number, linked_list_
 }
 
 /**
- * Implementation of private_parser_t.parse_chunk.
+ * Parse data from current parsing position in a chunk.
  */
 static status_t parse_chunk(private_parser_t *this, int rule_number, chunk_t *output_pos, size_t length)
 {
@@ -598,7 +457,7 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
 		{
 			case U_INT_4:
 			{
-				if (this->parse_uint4(this, rule_number, output + rule->offset) != SUCCESS) 
+				if (parse_uint4(this, rule_number, output + rule->offset) != SUCCESS) 
 				{
 					pld->destroy(pld);
 					return PARSE_ERROR;
@@ -607,7 +466,7 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
 			}
 			case U_INT_8:
 			{
-				if (this->parse_uint8(this, rule_number, output + rule->offset) != SUCCESS) 
+				if (parse_uint8(this, rule_number, output + rule->offset) != SUCCESS) 
 				{
 					pld->destroy(pld);
 					return PARSE_ERROR;
@@ -616,7 +475,7 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
 			}
 			case U_INT_16:
 			{
-				if (this->parse_uint16(this, rule_number, output + rule->offset) != SUCCESS) 
+				if (parse_uint16(this, rule_number, output + rule->offset) != SUCCESS) 
 				{
 					pld->destroy(pld);
 					return PARSE_ERROR;
@@ -625,7 +484,7 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
 			}
 			case U_INT_32:
 			{
-				if (this->parse_uint32(this, rule_number, output + rule->offset) != SUCCESS) 
+				if (parse_uint32(this, rule_number, output + rule->offset) != SUCCESS) 
 				{
 					pld->destroy(pld);
 					return PARSE_ERROR;
@@ -634,7 +493,7 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
 			}
 			case U_INT_64:
 			{
-				if (this->parse_uint64(this, rule_number, output + rule->offset) != SUCCESS) 
+				if (parse_uint64(this, rule_number, output + rule->offset) != SUCCESS) 
 				{
 					pld->destroy(pld);
 					return PARSE_ERROR;
@@ -643,7 +502,7 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
 			}
 			case IKE_SPI:
 			{
-				if (this->parse_bytes(this, rule_number, output + rule->offset,8) != SUCCESS) 
+				if (parse_bytes(this, rule_number, output + rule->offset,8) != SUCCESS) 
 				{
 					pld->destroy(pld);
 					return PARSE_ERROR;
@@ -652,7 +511,7 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
 			}
 			case RESERVED_BIT:
 			{
-				if (this->parse_bit(this, rule_number, NULL) != SUCCESS) 
+				if (parse_bit(this, rule_number, NULL) != SUCCESS) 
 				{
 					pld->destroy(pld);
 					return PARSE_ERROR;
@@ -661,7 +520,7 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
 			}
 			case RESERVED_BYTE:
 			{
-				if (this->parse_uint8(this, rule_number, NULL) != SUCCESS) 
+				if (parse_uint8(this, rule_number, NULL) != SUCCESS) 
 				{
 					pld->destroy(pld);
 					return PARSE_ERROR;
@@ -670,7 +529,7 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
 			}
 			case FLAG:
 			{
-				if (this->parse_bit(this, rule_number, output + rule->offset) != SUCCESS) 
+				if (parse_bit(this, rule_number, output + rule->offset) != SUCCESS) 
 				{
 					pld->destroy(pld);
 					return PARSE_ERROR;
@@ -679,7 +538,7 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
 			}
 			case PAYLOAD_LENGTH:
 			{
-				if (this->parse_uint16(this, rule_number, output + rule->offset) != SUCCESS) 
+				if (parse_uint16(this, rule_number, output + rule->offset) != SUCCESS) 
 				{
 					pld->destroy(pld);
 					return PARSE_ERROR;
@@ -694,7 +553,7 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
 			}
 			case HEADER_LENGTH:
 			{
-				if (this->parse_uint32(this, rule_number, output + rule->offset) != SUCCESS) 
+				if (parse_uint32(this, rule_number, output + rule->offset) != SUCCESS) 
 				{
 					pld->destroy(pld);
 					return PARSE_ERROR;
@@ -703,7 +562,7 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
 			}
 			case SPI_SIZE:
 			{
-				if (this->parse_uint8(this, rule_number, output + rule->offset) != SUCCESS) 
+				if (parse_uint8(this, rule_number, output + rule->offset) != SUCCESS) 
 				{
 					pld->destroy(pld);
 					return PARSE_ERROR;
@@ -713,7 +572,7 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
 			}
 			case SPI:
 			{
-				if (this->parse_chunk(this, rule_number, output + rule->offset, spi_size) != SUCCESS) 
+				if (parse_chunk(this, rule_number, output + rule->offset, spi_size) != SUCCESS) 
 				{
 					pld->destroy(pld);
 					return PARSE_ERROR;
@@ -723,7 +582,7 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
 			case PROPOSALS:
 			{
 				if (payload_length < SA_PAYLOAD_HEADER_LENGTH ||
-					this->parse_list(this, rule_number, output + rule->offset, PROPOSAL_SUBSTRUCTURE,
+					parse_list(this, rule_number, output + rule->offset, PROPOSAL_SUBSTRUCTURE,
 						payload_length - SA_PAYLOAD_HEADER_LENGTH) != SUCCESS)
 				{
 					pld->destroy(pld);
@@ -734,7 +593,7 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
 			case TRANSFORMS:
 			{
 				if (payload_length < spi_size + PROPOSAL_SUBSTRUCTURE_HEADER_LENGTH ||
-					this->parse_list(this, rule_number, output + rule->offset, TRANSFORM_SUBSTRUCTURE,
+					parse_list(this, rule_number, output + rule->offset, TRANSFORM_SUBSTRUCTURE,
 						payload_length - spi_size - PROPOSAL_SUBSTRUCTURE_HEADER_LENGTH) != SUCCESS)
 				{
 					pld->destroy(pld);
@@ -745,7 +604,7 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
 			case TRANSFORM_ATTRIBUTES:
 			{
 				if (payload_length < TRANSFORM_SUBSTRUCTURE_HEADER_LENGTH ||
-					this->parse_list(this, rule_number, output + rule->offset, TRANSFORM_ATTRIBUTE,
+					parse_list(this, rule_number, output + rule->offset, TRANSFORM_ATTRIBUTE,
 						payload_length - TRANSFORM_SUBSTRUCTURE_HEADER_LENGTH) != SUCCESS)
 				{
 					pld->destroy(pld);
@@ -756,7 +615,7 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
 			case CONFIGURATION_ATTRIBUTES:
 			{
 				if (payload_length < CP_PAYLOAD_HEADER_LENGTH ||
-					this->parse_list(this, rule_number, output + rule->offset, CONFIGURATION_ATTRIBUTE,
+					parse_list(this, rule_number, output + rule->offset, CONFIGURATION_ATTRIBUTE,
 						payload_length - CP_PAYLOAD_HEADER_LENGTH) != SUCCESS)
 				{
 					pld->destroy(pld);
@@ -766,7 +625,7 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
 			}
 			case ATTRIBUTE_FORMAT:
 			{
-				if (this->parse_bit(this, rule_number, output + rule->offset) != SUCCESS) 
+				if (parse_bit(this, rule_number, output + rule->offset) != SUCCESS) 
 				{
 					pld->destroy(pld);
 					return PARSE_ERROR;
@@ -776,7 +635,7 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
 			}
 			case ATTRIBUTE_TYPE:
 			{
-				if (this->parse_uint15(this, rule_number, output + rule->offset) != SUCCESS) 
+				if (parse_uint15(this, rule_number, output + rule->offset) != SUCCESS) 
 				{
 					pld->destroy(pld);
 					return PARSE_ERROR;
@@ -786,7 +645,7 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
 			}
 			case CONFIGURATION_ATTRIBUTE_LENGTH:
 			{
-				if (this->parse_uint16(this, rule_number, output + rule->offset) != SUCCESS) 
+				if (parse_uint16(this, rule_number, output + rule->offset) != SUCCESS) 
 				{
 					pld->destroy(pld);
 					return PARSE_ERROR;
@@ -796,7 +655,7 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
 			}
 			case ATTRIBUTE_LENGTH_OR_VALUE:
 			{	
-				if (this->parse_uint16(this, rule_number, output + rule->offset) != SUCCESS) 
+				if (parse_uint16(this, rule_number, output + rule->offset) != SUCCESS) 
 				{
 					pld->destroy(pld);
 					return PARSE_ERROR;
@@ -808,7 +667,7 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
 			{
 				if (attribute_format == FALSE)
 				{
-					if (this->parse_chunk(this, rule_number, output + rule->offset, attribute_length) != SUCCESS) 
+					if (parse_chunk(this, rule_number, output + rule->offset, attribute_length) != SUCCESS) 
 					{
 						pld->destroy(pld);
 						return PARSE_ERROR;
@@ -819,7 +678,7 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
 			case NONCE_DATA:
 			{
 				if (payload_length < NONCE_PAYLOAD_HEADER_LENGTH ||
-					this->parse_chunk(this, rule_number, output + rule->offset, 
+					parse_chunk(this, rule_number, output + rule->offset, 
 						payload_length - NONCE_PAYLOAD_HEADER_LENGTH) != SUCCESS)
 				{
 					pld->destroy(pld);
@@ -830,7 +689,7 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
 			case ID_DATA:
 			{
 				if (payload_length < ID_PAYLOAD_HEADER_LENGTH ||
-					this->parse_chunk(this, rule_number, output + rule->offset,
+					parse_chunk(this, rule_number, output + rule->offset,
 						payload_length - ID_PAYLOAD_HEADER_LENGTH) != SUCCESS)
 				{
 					pld->destroy(pld);
@@ -841,7 +700,7 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
 			case AUTH_DATA:
 			{
 				if (payload_length < AUTH_PAYLOAD_HEADER_LENGTH ||
-					this->parse_chunk(this, rule_number, output + rule->offset,
+					parse_chunk(this, rule_number, output + rule->offset,
 						payload_length - AUTH_PAYLOAD_HEADER_LENGTH) != SUCCESS) 
 				{
 					pld->destroy(pld);
@@ -852,7 +711,7 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
 			case CERT_DATA:
 			{
 				if (payload_length < CERT_PAYLOAD_HEADER_LENGTH ||
-					this->parse_chunk(this, rule_number, output + rule->offset, 
+					parse_chunk(this, rule_number, output + rule->offset, 
 						payload_length - CERT_PAYLOAD_HEADER_LENGTH) != SUCCESS) 
 				{
 					pld->destroy(pld);
@@ -863,7 +722,7 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
 			case CERTREQ_DATA:
 			{
 				if (payload_length < CERTREQ_PAYLOAD_HEADER_LENGTH ||
-					this->parse_chunk(this, rule_number, output + rule->offset, 
+					parse_chunk(this, rule_number, output + rule->offset, 
 						payload_length - CERTREQ_PAYLOAD_HEADER_LENGTH) != SUCCESS) 
 				{
 					pld->destroy(pld);
@@ -874,7 +733,7 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
 			case EAP_DATA:
 			{
 				if (payload_length < EAP_PAYLOAD_HEADER_LENGTH ||
-					this->parse_chunk(this, rule_number, output + rule->offset, 
+					parse_chunk(this, rule_number, output + rule->offset, 
 						payload_length - EAP_PAYLOAD_HEADER_LENGTH) != SUCCESS) 
 				{
 					pld->destroy(pld);
@@ -885,7 +744,7 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
 			case SPIS:
 			{
 				if (payload_length < DELETE_PAYLOAD_HEADER_LENGTH ||
-					this->parse_chunk(this, rule_number, output + rule->offset,
+					parse_chunk(this, rule_number, output + rule->offset,
 						payload_length - DELETE_PAYLOAD_HEADER_LENGTH) != SUCCESS) 
 				{
 					pld->destroy(pld);
@@ -896,7 +755,7 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
 			case VID_DATA:
 			{
 				if (payload_length < VENDOR_ID_PAYLOAD_HEADER_LENGTH ||
-					this->parse_chunk(this, rule_number, output + rule->offset,
+					parse_chunk(this, rule_number, output + rule->offset,
 						payload_length - VENDOR_ID_PAYLOAD_HEADER_LENGTH) != SUCCESS) 
 				{
 					pld->destroy(pld);
@@ -907,7 +766,7 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
 			case CONFIGURATION_ATTRIBUTE_VALUE:
 			{
 				size_t data_length = attribute_length;
-				if (this->parse_chunk(this, rule_number, output + rule->offset, data_length) != SUCCESS) 
+				if (parse_chunk(this, rule_number, output + rule->offset, data_length) != SUCCESS) 
 				{
 					pld->destroy(pld);
 					return PARSE_ERROR;
@@ -917,7 +776,7 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
 			case KEY_EXCHANGE_DATA:
 			{
 				if (payload_length < KE_PAYLOAD_HEADER_LENGTH ||
-					this->parse_chunk(this, rule_number, output + rule->offset,
+					parse_chunk(this, rule_number, output + rule->offset,
 						payload_length - KE_PAYLOAD_HEADER_LENGTH) != SUCCESS) 
 				{
 					pld->destroy(pld);
@@ -928,7 +787,7 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
 			case NOTIFICATION_DATA:
 			{
 				if (payload_length < NOTIFY_PAYLOAD_HEADER_LENGTH + spi_size ||
-					this->parse_chunk(this, rule_number, output + rule->offset, 
+					parse_chunk(this, rule_number, output + rule->offset, 
 						payload_length - NOTIFY_PAYLOAD_HEADER_LENGTH - spi_size) != SUCCESS) 
 				{
 					pld->destroy(pld);
@@ -939,7 +798,7 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
 			case ENCRYPTED_DATA:
 			{				
 				if (payload_length < ENCRYPTION_PAYLOAD_HEADER_LENGTH ||
-					this->parse_chunk(this, rule_number, output + rule->offset,
+					parse_chunk(this, rule_number, output + rule->offset,
 						payload_length - ENCRYPTION_PAYLOAD_HEADER_LENGTH) != SUCCESS) 
 				{
 					pld->destroy(pld);
@@ -949,7 +808,7 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
 			}
 			case TS_TYPE:
 			{
-				if (this->parse_uint8(this, rule_number, output + rule->offset) != SUCCESS) 
+				if (parse_uint8(this, rule_number, output + rule->offset) != SUCCESS) 
 				{
 					pld->destroy(pld);
 					return PARSE_ERROR;
@@ -960,7 +819,7 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
 			case ADDRESS:
 			{
 				size_t address_length = (ts_type == TS_IPV4_ADDR_RANGE) ? 4 : 16;
-				if (this->parse_chunk(this, rule_number, output + rule->offset,address_length) != SUCCESS) 
+				if (parse_chunk(this, rule_number, output + rule->offset,address_length) != SUCCESS) 
 				{
 					pld->destroy(pld);
 					return PARSE_ERROR;
@@ -970,7 +829,7 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
 			case TRAFFIC_SELECTORS:
 			{
 				if (payload_length < TS_PAYLOAD_HEADER_LENGTH ||
-					this->parse_list(this, rule_number, output + rule->offset, TRAFFIC_SELECTOR_SUBSTRUCTURE,
+					parse_list(this, rule_number, output + rule->offset, TRAFFIC_SELECTOR_SUBSTRUCTURE,
 						payload_length - TS_PAYLOAD_HEADER_LENGTH) != SUCCESS)
 				{
 					pld->destroy(pld);
@@ -981,7 +840,7 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
 			case UNKNOWN_DATA:
 			{
 				if (payload_length < UNKNOWN_PAYLOAD_HEADER_LENGTH ||
-					this->parse_chunk(this, rule_number, output + rule->offset,
+					parse_chunk(this, rule_number, output + rule->offset,
 						payload_length - UNKNOWN_PAYLOAD_HEADER_LENGTH) != SUCCESS)
 				{
 					pld->destroy(pld);
@@ -1045,17 +904,6 @@ parser_t *parser_create(chunk_t data)
 	this->public.get_remaining_byte_count = (int (*) (parser_t *))get_remaining_byte_count;
 	this->public.destroy = (void(*)(parser_t*)) destroy;
 	
-	this->parse_uint4 = parse_uint4;
-	this->parse_uint8 = parse_uint8;
-	this->parse_uint15 = parse_uint15;
-	this->parse_uint16 = parse_uint16;
-	this->parse_uint32 = parse_uint32;
-	this->parse_uint64 = parse_uint64;
-	this->parse_bytes = parse_bytes;
-	this->parse_bit = parse_bit;
-	this->parse_list = parse_list;
-	this->parse_chunk = parse_chunk;
-	
 	this->input = data.ptr;
 	this->byte_pos = data.ptr;
 	this->bit_pos = 0;
diff --git a/src/charon/encoding/payloads/configuration_attribute.c b/src/charon/encoding/payloads/configuration_attribute.c
index 6b1cbffb4..ad8177e1f 100644
--- a/src/charon/encoding/payloads/configuration_attribute.c
+++ b/src/charon/encoding/payloads/configuration_attribute.c
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: configuration_attribute.c 3589 2008-03-13 14:14:44Z martin $
+ * $Id: configuration_attribute.c 4844 2009-01-20 22:55:13Z andreas $
  */
 
 #include <stddef.h>
@@ -69,7 +69,10 @@ ENUM_NEXT(configuration_attribute_type_names, INTERNAL_IP6_DNS, INTERNAL_IP6_SUB
 	"INTERNAL_IP4_SUBNET",
 	"SUPPORTED_ATTRIBUTES",
 	"INTERNAL_IP6_SUBNET");
-ENUM_END(configuration_attribute_type_names, INTERNAL_IP6_SUBNET);
+ENUM_NEXT(configuration_attribute_type_names, INTERNAL_IP4_SERVER, INTERNAL_IP6_SERVER, INTERNAL_IP6_SUBNET,
+	"INTERNAL_IP4_SERVER",
+	"INTERNAL_IP6_SERVER");
+ENUM_END(configuration_attribute_type_names, INTERNAL_IP6_SERVER);
 
 /**
  * Encoding rules to parse or generate a configuration attribute.
diff --git a/src/charon/encoding/payloads/configuration_attribute.h b/src/charon/encoding/payloads/configuration_attribute.h
index ade837107..4c8673a26 100644
--- a/src/charon/encoding/payloads/configuration_attribute.h
+++ b/src/charon/encoding/payloads/configuration_attribute.h
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: configuration_attribute.h 3589 2008-03-13 14:14:44Z martin $
+ * $Id: configuration_attribute.h 4844 2009-01-20 22:55:13Z andreas $
  */
 
 /**
@@ -53,7 +53,10 @@ enum configuration_attribute_type_t {
 	INTERNAL_IP6_DHCP = 12,
 	INTERNAL_IP4_SUBNET = 13,
 	SUPPORTED_ATTRIBUTES = 14,
-	INTERNAL_IP6_SUBNET = 15
+	INTERNAL_IP6_SUBNET = 15,
+	/* proprietary Microsoft attributes */
+	INTERNAL_IP4_SERVER = 23456,
+	INTERNAL_IP6_SERVER = 23457
 };
 
 /** 
diff --git a/src/charon/encoding/payloads/nonce_payload.h b/src/charon/encoding/payloads/nonce_payload.h
index f1679834e..f1e49491d 100644
--- a/src/charon/encoding/payloads/nonce_payload.h
+++ b/src/charon/encoding/payloads/nonce_payload.h
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: nonce_payload.h 3589 2008-03-13 14:14:44Z martin $
+ * $Id: nonce_payload.h 4819 2008-12-31 08:58:49Z martin $
  */
 
 /**
@@ -32,7 +32,7 @@ typedef struct nonce_payload_t nonce_payload_t;
 /**
  * Nonce size in bytes for nonces sending to other peer.
  */
-#define NONCE_SIZE 16
+#define NONCE_SIZE 32
 
 /**
  * Length of a nonce payload without a nonce in bytes.
diff --git a/src/charon/encoding/payloads/notify_payload.c b/src/charon/encoding/payloads/notify_payload.c
index defb0b98a..a4377c275 100644
--- a/src/charon/encoding/payloads/notify_payload.c
+++ b/src/charon/encoding/payloads/notify_payload.c
@@ -15,7 +15,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: notify_payload.c 3920 2008-05-08 16:19:11Z tobias $
+ * $Id: notify_payload.c 4842 2009-01-19 12:32:42Z andreas $
  */
 
 #include <stddef.h>
@@ -54,7 +54,7 @@ ENUM_NEXT(notify_type_names, SINGLE_PAIR_REQUIRED, UNEXPECTED_NAT_DETECTED, AUTH
 	"UNEXPECTED_NAT_DETECTED");
 ENUM_NEXT(notify_type_names, ME_CONNECT_FAILED, ME_CONNECT_FAILED, UNEXPECTED_NAT_DETECTED,
 	"ME_CONNECT_FAILED");
-ENUM_NEXT(notify_type_names, INITIAL_CONTACT, AUTH_LIFETIME, ME_CONNECT_FAILED,
+ENUM_NEXT(notify_type_names, INITIAL_CONTACT, ANOTHER_AUTH_FOLLOWS, ME_CONNECT_FAILED,
 	"INITIAL_CONTACT",
 	"SET_WINDOW_SIZE",
 	"ADDITIONAL_TS_POSSIBLE",
@@ -74,8 +74,10 @@ ENUM_NEXT(notify_type_names, INITIAL_CONTACT, AUTH_LIFETIME, ME_CONNECT_FAILED,
 	"UPDATE_SA_ADDRESSES",
 	"COOKIE2",
 	"NO_NATS_ALLOWED",
-	"AUTH_LIFETIME");
-ENUM_NEXT(notify_type_names, EAP_ONLY_AUTHENTICATION, EAP_ONLY_AUTHENTICATION, AUTH_LIFETIME,
+	"AUTH_LIFETIME",
+	"MULTIPLE_AUTH_SUPPORTED",
+	"ANOTHER_AUTH_FOLLOWS");
+ENUM_NEXT(notify_type_names, EAP_ONLY_AUTHENTICATION, EAP_ONLY_AUTHENTICATION, ANOTHER_AUTH_FOLLOWS,
 	"EAP_ONLY_AUTHENTICATION");
 ENUM_NEXT(notify_type_names, USE_BEET_MODE, USE_BEET_MODE, EAP_ONLY_AUTHENTICATION,
 	"USE_BEET_MODE");
@@ -118,7 +120,7 @@ ENUM_NEXT(notify_type_short_names, SINGLE_PAIR_REQUIRED, UNEXPECTED_NAT_DETECTED
 	"UNEXPECT_NAT");
 ENUM_NEXT(notify_type_short_names, ME_CONNECT_FAILED, ME_CONNECT_FAILED, UNEXPECTED_NAT_DETECTED,
 	"ME_CONN_FAIL");
-ENUM_NEXT(notify_type_short_names, INITIAL_CONTACT, AUTH_LIFETIME, ME_CONNECT_FAILED,
+ENUM_NEXT(notify_type_short_names, INITIAL_CONTACT, ANOTHER_AUTH_FOLLOWS, ME_CONNECT_FAILED,
 	"INIT_CONTACT",
 	"SET_WINSIZE",
 	"ADD_TS_POSS",
@@ -138,8 +140,10 @@ ENUM_NEXT(notify_type_short_names, INITIAL_CONTACT, AUTH_LIFETIME, ME_CONNECT_FA
 	"UPD_SA_ADDR",
 	"COOKIE2",
 	"NO_NATS",
-	"AUTH_LFT");
-ENUM_NEXT(notify_type_short_names, EAP_ONLY_AUTHENTICATION, EAP_ONLY_AUTHENTICATION, AUTH_LIFETIME,
+	"AUTH_LFT",
+	"MULT_AUTH",
+	"AUTH_FOLLOWS");
+ENUM_NEXT(notify_type_short_names, EAP_ONLY_AUTHENTICATION, EAP_ONLY_AUTHENTICATION, ANOTHER_AUTH_FOLLOWS,
 	"EAP_ONLY");
 ENUM_NEXT(notify_type_short_names, USE_BEET_MODE, USE_BEET_MODE, EAP_ONLY_AUTHENTICATION,
 	"BEET_MODE");
diff --git a/src/charon/encoding/payloads/notify_payload.h b/src/charon/encoding/payloads/notify_payload.h
index f4a3bf27c..6ee137543 100644
--- a/src/charon/encoding/payloads/notify_payload.h
+++ b/src/charon/encoding/payloads/notify_payload.h
@@ -15,7 +15,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: notify_payload.h 3670 2008-03-27 09:54:09Z tobias $
+ * $Id: notify_payload.h 4842 2009-01-19 12:32:42Z andreas $
  */
 
 /**
@@ -89,6 +89,9 @@ enum notify_type_t {
 	NO_NATS_ALLOWED = 16402,
 	/* repeated authentication extension, RFC4478 */
 	AUTH_LIFETIME = 16403,
+    /* multiple authentication exchanges, RFC 4739 */
+	MULTIPLE_AUTH_SUPPORTED = 16404,
+	ANOTHER_AUTH_FOLLOWS = 16405,
 	/* draft-eronen-ipsec-ikev2-eap-auth, not assigned by IANA yet */
 	EAP_ONLY_AUTHENTICATION = 40960,
 	/* BEET mode, not even a draft yet. private use */
diff --git a/src/charon/encoding/payloads/payload.h b/src/charon/encoding/payloads/payload.h
index abc79259a..7a19cc76c 100644
--- a/src/charon/encoding/payloads/payload.h
+++ b/src/charon/encoding/payloads/payload.h
@@ -14,7 +14,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: payload.h 3666 2008-03-26 18:40:19Z tobias $
+ * $Id: payload.h 4875 2009-02-17 17:14:15Z tobias $
  */
 
 /**
@@ -86,7 +86,7 @@ enum payload_type_t{
 	NONCE = 40,
 
 	/**
-	 * Notif paylaod (N).
+	 * Notify paylaod (N).
 	 */
 	NOTIFY = 41,
 
diff --git a/src/charon/network/receiver.c b/src/charon/network/receiver.c
index 73317ccbc..7f55df4d2 100644
--- a/src/charon/network/receiver.c
+++ b/src/charon/network/receiver.c
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2008 Tobias Brunner
  * Copyright (C) 2005-2006 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
@@ -13,7 +14,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: receiver.c 4228 2008-07-30 08:27:08Z martin $
+ * $Id: receiver.c 4699 2008-11-26 09:22:19Z tobias $
  */
 
 #include <stdlib.h>
@@ -34,10 +35,10 @@
 #define COOKIE_LIFETIME 10
 /** how many times to reuse the secret */
 #define COOKIE_REUSE 10000
-/** require cookies after half open IKE_SAs */
-#define COOKIE_TRESHOLD 10
-/** how many half open IKE_SAs per peer before blocking */
-#define BLOCK_TRESHOLD 5
+/** default value for private_receiver_t.cookie_threshold */
+#define COOKIE_THRESHOLD_DEFAULT 10
+/** default value for private_receiver_t.block_threshold */
+#define BLOCK_THRESHOLD_DEFAULT 5
 /** length of the secret to use for cookie calculation */
 #define SECRET_LENGTH 16
 
@@ -98,9 +99,14 @@ struct private_receiver_t {
  	hasher_t *hasher;
  	
  	/**
- 	 * use denial of service protection mechanisms (cookies)
+ 	 * require cookies after this many half open IKE_SAs
  	 */
- 	bool dos_protection;
+ 	u_int32_t cookie_threshold;
+ 	
+ 	/**
+ 	 * how many half open IKE_SAs per peer before blocking
+ 	 */
+ 	u_int32_t block_threshold;
 };
 
 /**
@@ -204,12 +210,12 @@ static bool cookie_required(private_receiver_t *this, message_t *message)
 	bool failed = FALSE;
 		
 	if (charon->ike_sa_manager->get_half_open_count(charon->ike_sa_manager,
-													NULL) >= COOKIE_TRESHOLD)
+												NULL) >= this->cookie_threshold)
 	{
 		/* check for a cookie. We don't use our parser here and do it
 		 * quick and dirty for performance reasons. 
-		 * we assume to cookie is the first payload (which is a MUST), and 
-		 * the cookies SPI length is zero. */
+		 * we assume the cookie is the first payload (which is a MUST), and 
+		 * the cookie's SPI length is zero. */
 		packet_t *packet = message->get_packet(message);
 		chunk_t data = packet->get_data(packet);
 		if (data.len < 
@@ -242,7 +248,7 @@ static bool cookie_required(private_receiver_t *this, message_t *message)
 static bool peer_to_aggressive(private_receiver_t *this, message_t *message)
 {
 	if (charon->ike_sa_manager->get_half_open_count(charon->ike_sa_manager,
-								message->get_source(message)) >= BLOCK_TRESHOLD)
+						message->get_source(message)) >= this->block_threshold)
 	{
 		return TRUE;
 	}
@@ -287,11 +293,10 @@ static job_requeue_t receive_packets(private_receiver_t *this)
 	}
 	
 	if (message->get_request(message) &&
-		message->get_exchange_type(message) == IKE_SA_INIT &&
-		this->dos_protection)
+		message->get_exchange_type(message) == IKE_SA_INIT)
 	{
 		/* check for cookies */
-		if (cookie_required(this, message))
+		if (this->cookie_threshold && cookie_required(this, message))
 		{
 			u_int32_t now = time(NULL);
 			chunk_t cookie = cookie_build(this, message, now - this->secret_offset,
@@ -319,7 +324,7 @@ static job_requeue_t receive_packets(private_receiver_t *this)
 		}
 		
 		/* check if peer has not too many IKE_SAs half open */
-		if (peer_to_aggressive(this, message))
+		if (this->block_threshold && peer_to_aggressive(this, message))
 		{
 			DBG1(DBG_NET, "ignoring IKE_SA setup from %H, "
 				 "peer too aggressive", message->get_source(message));
@@ -373,8 +378,15 @@ receiver_t *receiver_create()
 	this->secret_used = 0;
 	this->rng->get_bytes(this->rng, SECRET_LENGTH, this->secret);
 	memcpy(this->secret_old, this->secret, SECRET_LENGTH);
-	this->dos_protection = lib->settings->get_bool(lib->settings,
-												"charon.dos_protection", TRUE);
+	this->cookie_threshold = lib->settings->get_int(lib->settings,
+									"charon.cookie_threshold", COOKIE_THRESHOLD_DEFAULT);
+	this->block_threshold = lib->settings->get_int(lib->settings,
+									"charon.block_threshold", BLOCK_THRESHOLD_DEFAULT);
+	if (!lib->settings->get_bool(lib->settings, "charon.dos_protection", TRUE))
+	{
+		this->cookie_threshold = 0;
+		this->block_threshold = 0;
+	}
 
 	this->job = callback_job_create((callback_job_cb_t)receive_packets,
 									this, NULL, NULL);
diff --git a/src/charon/network/socket.c b/src/charon/network/socket.c
index 6be59ef62..8c516a9da 100644
--- a/src/charon/network/socket.c
+++ b/src/charon/network/socket.c
@@ -15,7 +15,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: socket.c 4646 2008-11-13 07:15:45Z martin $
+ * $Id: socket.c 4688 2008-11-24 08:22:05Z martin $
  */
 
 /* for struct in6_pktinfo */
@@ -59,11 +59,6 @@
 #define IPV6_2292PKTINFO 2
 #endif /*IPV6_2292PKTINFO*/
 
-/* missing on uclibc */
-#ifndef IPV6_IPSEC_POLICY
-#define IPV6_IPSEC_POLICY 34
-#endif /*IPV6_IPSEC_POLICY*/
-
 typedef struct private_socket_t private_socket_t;
 
 /**
diff --git a/src/charon/plugins/eap_aka/Makefile.in b/src/charon/plugins/eap_aka/Makefile.in
index 51be8754f..47eece7ab 100644
--- a/src/charon/plugins/eap_aka/Makefile.in
+++ b/src/charon/plugins/eap_aka/Makefile.in
@@ -85,22 +85,17 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
-CXX = @CXX@
-CXXCPP = @CXXCPP@
-CXXDEPMODE = @CXXDEPMODE@
-CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DSYMUTIL = @DSYMUTIL@
-ECHO = @ECHO@
+DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-F77 = @F77@
-FFLAGS = @FFLAGS@
+FGREP = @FGREP@
 GPERF = @GPERF@
 GREP = @GREP@
 INSTALL = @INSTALL@
@@ -110,6 +105,7 @@ INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
 IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
 IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
@@ -118,12 +114,16 @@ LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
 LINUX_HEADERS = @LINUX_HEADERS@
+LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+NM = @NM@
 NMEDIT = @NMEDIT@
 OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -146,8 +146,7 @@ abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
-ac_ct_CXX = @ac_ct_CXX@
-ac_ct_F77 = @ac_ct_F77@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -186,6 +185,7 @@ libstrongswan_plugins = @libstrongswan_plugins@
 linuxdir = @linuxdir@
 localedir = @localedir@
 localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
diff --git a/src/charon/plugins/eap_gtc/Makefile.in b/src/charon/plugins/eap_gtc/Makefile.in
index 661818254..0e8245804 100644
--- a/src/charon/plugins/eap_gtc/Makefile.in
+++ b/src/charon/plugins/eap_gtc/Makefile.in
@@ -85,22 +85,17 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
-CXX = @CXX@
-CXXCPP = @CXXCPP@
-CXXDEPMODE = @CXXDEPMODE@
-CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DSYMUTIL = @DSYMUTIL@
-ECHO = @ECHO@
+DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-F77 = @F77@
-FFLAGS = @FFLAGS@
+FGREP = @FGREP@
 GPERF = @GPERF@
 GREP = @GREP@
 INSTALL = @INSTALL@
@@ -110,6 +105,7 @@ INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
 IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
 IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
@@ -118,12 +114,16 @@ LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
 LINUX_HEADERS = @LINUX_HEADERS@
+LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+NM = @NM@
 NMEDIT = @NMEDIT@
 OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -146,8 +146,7 @@ abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
-ac_ct_CXX = @ac_ct_CXX@
-ac_ct_F77 = @ac_ct_F77@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -186,6 +185,7 @@ libstrongswan_plugins = @libstrongswan_plugins@
 linuxdir = @linuxdir@
 localedir = @localedir@
 localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
diff --git a/src/charon/plugins/eap_identity/Makefile.in b/src/charon/plugins/eap_identity/Makefile.in
index e71c13a35..212df3a94 100644
--- a/src/charon/plugins/eap_identity/Makefile.in
+++ b/src/charon/plugins/eap_identity/Makefile.in
@@ -87,22 +87,17 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
-CXX = @CXX@
-CXXCPP = @CXXCPP@
-CXXDEPMODE = @CXXDEPMODE@
-CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DSYMUTIL = @DSYMUTIL@
-ECHO = @ECHO@
+DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-F77 = @F77@
-FFLAGS = @FFLAGS@
+FGREP = @FGREP@
 GPERF = @GPERF@
 GREP = @GREP@
 INSTALL = @INSTALL@
@@ -112,6 +107,7 @@ INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
 IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
 IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
@@ -120,12 +116,16 @@ LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
 LINUX_HEADERS = @LINUX_HEADERS@
+LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+NM = @NM@
 NMEDIT = @NMEDIT@
 OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -148,8 +148,7 @@ abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
-ac_ct_CXX = @ac_ct_CXX@
-ac_ct_F77 = @ac_ct_F77@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -188,6 +187,7 @@ libstrongswan_plugins = @libstrongswan_plugins@
 linuxdir = @linuxdir@
 localedir = @localedir@
 localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
diff --git a/src/charon/plugins/eap_md5/Makefile.in b/src/charon/plugins/eap_md5/Makefile.in
index 8e0ca0706..7009f6488 100644
--- a/src/charon/plugins/eap_md5/Makefile.in
+++ b/src/charon/plugins/eap_md5/Makefile.in
@@ -85,22 +85,17 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
-CXX = @CXX@
-CXXCPP = @CXXCPP@
-CXXDEPMODE = @CXXDEPMODE@
-CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DSYMUTIL = @DSYMUTIL@
-ECHO = @ECHO@
+DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-F77 = @F77@
-FFLAGS = @FFLAGS@
+FGREP = @FGREP@
 GPERF = @GPERF@
 GREP = @GREP@
 INSTALL = @INSTALL@
@@ -110,6 +105,7 @@ INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
 IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
 IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
@@ -118,12 +114,16 @@ LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
 LINUX_HEADERS = @LINUX_HEADERS@
+LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+NM = @NM@
 NMEDIT = @NMEDIT@
 OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -146,8 +146,7 @@ abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
-ac_ct_CXX = @ac_ct_CXX@
-ac_ct_F77 = @ac_ct_F77@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -186,6 +185,7 @@ libstrongswan_plugins = @libstrongswan_plugins@
 linuxdir = @linuxdir@
 localedir = @localedir@
 localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
diff --git a/src/charon/plugins/eap_mschapv2/Makefile.am b/src/charon/plugins/eap_mschapv2/Makefile.am
new file mode 100644
index 000000000..6ab931905
--- /dev/null
+++ b/src/charon/plugins/eap_mschapv2/Makefile.am
@@ -0,0 +1,12 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
+
+AM_CFLAGS = -rdynamic
+
+plugin_LTLIBRARIES = libstrongswan-eapmschapv2.la
+
+libstrongswan_eapmschapv2_la_SOURCES = \
+	eap_mschapv2_plugin.h eap_mschapv2_plugin.c \
+	eap_mschapv2.h eap_mschapv2.c
+libstrongswan_eapmschapv2_la_LDFLAGS = -module
+
diff --git a/src/charon/plugins/eap_mschapv2/Makefile.in b/src/charon/plugins/eap_mschapv2/Makefile.in
new file mode 100644
index 000000000..e9dcae03e
--- /dev/null
+++ b/src/charon/plugins/eap_mschapv2/Makefile.in
@@ -0,0 +1,502 @@
+# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/charon/plugins/eap_mschapv2
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__installdirs = "$(DESTDIR)$(plugindir)"
+pluginLTLIBRARIES_INSTALL = $(INSTALL)
+LTLIBRARIES = $(plugin_LTLIBRARIES)
+libstrongswan_eapmschapv2_la_LIBADD =
+am_libstrongswan_eapmschapv2_la_OBJECTS = eap_mschapv2_plugin.lo \
+	eap_mschapv2.lo
+libstrongswan_eapmschapv2_la_OBJECTS =  \
+	$(am_libstrongswan_eapmschapv2_la_OBJECTS)
+libstrongswan_eapmschapv2_la_LINK = $(LIBTOOL) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_eapmschapv2_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_eapmschapv2_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_eapmschapv2_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
+IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LINUX_HEADERS = @LINUX_HEADERS@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+RANLIB = @RANLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+confdir = @confdir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libstrongswan_plugins = @libstrongswan_plugins@
+linuxdir = @linuxdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+resolv_conf = @resolv_conf@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+simreader = @simreader@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
+AM_CFLAGS = -rdynamic
+plugin_LTLIBRARIES = libstrongswan-eapmschapv2.la
+libstrongswan_eapmschapv2_la_SOURCES = \
+	eap_mschapv2_plugin.h eap_mschapv2_plugin.c \
+	eap_mschapv2.h eap_mschapv2.c
+
+libstrongswan_eapmschapv2_la_LDFLAGS = -module
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
+		&& exit 0; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/charon/plugins/eap_mschapv2/Makefile'; \
+	cd $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu  src/charon/plugins/eap_mschapv2/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    f=$(am__strip_dir) \
+	    echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(plugindir)/$$f'"; \
+	    $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(plugindir)/$$f"; \
+	  else :; fi; \
+	done
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  p=$(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$p'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$p"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-eapmschapv2.la: $(libstrongswan_eapmschapv2_la_OBJECTS) $(libstrongswan_eapmschapv2_la_DEPENDENCIES) 
+	$(libstrongswan_eapmschapv2_la_LINK) -rpath $(plugindir) $(libstrongswan_eapmschapv2_la_OBJECTS) $(libstrongswan_eapmschapv2_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_mschapv2.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_mschapv2_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	    $$tags $$unique; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$tags $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) $$here
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	    fi; \
+	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
+	mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-info: install-info-am
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
+	distclean-compile distclean-generic distclean-libtool \
+	distclean-tags distdir dvi dvi-am html html-am info info-am \
+	install install-am install-data install-data-am install-dvi \
+	install-dvi-am install-exec install-exec-am install-html \
+	install-html-am install-info install-info-am install-man \
+	install-pdf install-pdf-am install-pluginLTLIBRARIES \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/charon/plugins/eap_mschapv2/eap_mschapv2.c b/src/charon/plugins/eap_mschapv2/eap_mschapv2.c
new file mode 100644
index 000000000..47dac47d4
--- /dev/null
+++ b/src/charon/plugins/eap_mschapv2/eap_mschapv2.c
@@ -0,0 +1,1208 @@
+/*
+ * Copyright (C) 2009 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id: eap_mschapv2.c 4888 2009-02-19 14:32:13Z tobias $
+ */
+
+#include "eap_mschapv2.h"
+
+#include <daemon.h>
+#include <library.h>
+#include <utils/enumerator.h>
+#include <crypto/crypters/crypter.h>
+#include <crypto/hashers/hasher.h>
+
+typedef struct private_eap_mschapv2_t private_eap_mschapv2_t;
+
+/**
+ * Private data of an eap_mschapv2_t object.
+ */
+struct private_eap_mschapv2_t
+{
+	/**
+	 * Public authenticator_t interface.
+	 */
+	eap_mschapv2_t public;
+	
+	/**
+	 * ID of the server
+	 */
+	identification_t *server;
+	
+	/**
+	 * ID of the peer
+	 */
+	identification_t *peer;
+	
+	/**
+	 * challenge sent by the server
+	 */
+	chunk_t challenge;
+	
+	/**
+	 * generated NT-Response
+	 */
+	chunk_t nt_response;
+	
+	/**
+	 * generated Authenticator Response
+	 */
+	chunk_t auth_response;
+	
+	/**
+	 * generated MSK
+	 */
+	chunk_t msk;
+	
+	/**
+	 * EAP message identifier
+	 */
+	u_int8_t identifier;
+	
+	/**
+	 * MS-CHAPv2-ID (session ID, increases with each retry)
+	 */
+	u_int8_t mschapv2id;
+	
+	/**
+	 * Number of retries
+	 */
+	int retries;
+};
+
+/**
+ * OpCodes
+ */
+enum mschapv2_opcode_t
+{
+	MSCHAPV2_CHALLENGE = 1,
+	MSCHAPV2_RESPONSE = 2,
+	MSCHAPV2_SUCCESS = 3,
+	MSCHAPV2_FAILURE = 4,
+	MSCHAPV2_CHANGE_PASSWORD = 7,
+};
+
+/**
+ * Names for OpCodes
+ */
+ENUM_BEGIN(mschapv2_opcode_names, MSCHAPV2_CHALLENGE, MSCHAPV2_FAILURE,
+		"CHALLENGE",
+		"RESPONSE",
+		"SUCCESS",
+		"FAILURE");
+ENUM_NEXT(mschapv2_opcode_names, MSCHAPV2_CHANGE_PASSWORD, MSCHAPV2_CHANGE_PASSWORD, MSCHAPV2_FAILURE,
+		"CHANGE_PASSWORD");
+ENUM_END(mschapv2_opcode_names, MSCHAPV2_CHANGE_PASSWORD);
+
+/**
+ * Error codes
+ */
+enum mschapv2_error_t
+{
+	ERROR_RESTRICTED_LOGON_HOURS	= 646,
+	ERROR_ACCT_DISABLED				= 647,
+	ERROR_PASSWD_EXPIRED			= 648,
+	ERROR_NO_DIALIN_PERMISSION		= 649,
+	ERROR_AUTHENTICATION_FAILURE	= 691,
+	ERROR_CHANGING_PASSWORD			= 709,
+};
+
+/**
+ * Names for error codes
+ */
+ENUM_BEGIN(mschapv2_error_names, ERROR_RESTRICTED_LOGON_HOURS, ERROR_NO_DIALIN_PERMISSION,
+		"ERROR_RESTRICTED_LOGON_HOURS",
+		"ERROR_ACCT_DISABLED",
+		"ERROR_PASSWD_EXPIRED",
+		"ERROR_NO_DIALIN_PERMISSION");
+ENUM_NEXT(mschapv2_error_names, ERROR_AUTHENTICATION_FAILURE, ERROR_AUTHENTICATION_FAILURE, ERROR_NO_DIALIN_PERMISSION,
+		"ERROR_AUTHENTICATION_FAILURE");
+ENUM_NEXT(mschapv2_error_names, ERROR_CHANGING_PASSWORD, ERROR_CHANGING_PASSWORD, ERROR_AUTHENTICATION_FAILURE,
+		"ERROR_CHANGING_PASSWORD");
+ENUM_END(mschapv2_error_names, ERROR_CHANGING_PASSWORD);
+
+/* Length of the challenge */
+#define CHALLENGE_LEN 16
+/* Length of the response (see eap_mschapv2_response_t) */
+#define RESPONSE_LEN 49
+/* Length of the authenticator response string ("S=<...>") */
+#define AUTH_RESPONSE_LEN 42
+/* Name we send as authenticator */
+#define MSCHAPV2_HOST_NAME "strongSwan"
+/* Message sent on success */
+#define SUCCESS_MESSAGE " M=Welcome to strongSwan"
+/* Message sent on failure */
+#define FAILURE_MESSAGE "E=691 R=1 C="
+/* Length of the complete failure message */
+#define FAILURE_MESSAGE_LEN (sizeof(FAILURE_MESSAGE) + CHALLENGE_LEN * 2)
+
+/* Number of seconds to delay retries */
+#define RETRY_DELAY 2
+/* Maximum number of retries */
+#define MAX_RETRIES 2
+
+typedef struct eap_mschapv2_header_t eap_mschapv2_header_t;
+typedef struct eap_mschapv2_challenge_t eap_mschapv2_challenge_t;
+typedef struct eap_mschapv2_response_t eap_mschapv2_response_t;
+
+/**
+ * packed EAP-MS-CHAPv2 header struct
+ */
+struct eap_mschapv2_header_t
+{
+	/** EAP code (REQUEST/RESPONSE) */
+	u_int8_t code;
+	/** unique message identifier */
+	u_int8_t identifier;
+	/** length of whole message */
+	u_int16_t length;
+	/** EAP type */
+	u_int8_t type;
+	/** MS-CHAPv2 OpCode */
+	u_int8_t opcode;
+	/** MS-CHAPv2-ID (equals identifier) */
+	u_int8_t ms_chapv2_id;
+	/** MS-Length (defined as length - 5) */
+	u_int16_t ms_length;
+	/** packet data (determined by OpCode) */
+	u_int8_t data[];
+}__attribute__((__packed__));
+
+/**
+ * packed data for a MS-CHAPv2 Challenge packet
+ */
+struct eap_mschapv2_challenge_t
+{
+	/** Value-Size */
+	u_int8_t value_size;
+	/** Challenge */
+	u_int8_t challenge[CHALLENGE_LEN];
+	/** Name */
+	u_int8_t name[];
+}__attribute__((__packed__));
+
+/**
+ * packed data for a MS-CHAPv2 Response packet
+ */
+struct eap_mschapv2_response_t
+{
+	/** Value-Size */
+	u_int8_t value_size;
+	/** Response */
+	struct
+	{
+		/* Peer-Challenge*/
+		u_int8_t peer_challenge[CHALLENGE_LEN];
+		/* Reserved (=zero) */
+		u_int8_t peer_reserved[8];
+		/* NT-Response */
+		u_int8_t nt_response[24];
+		/* Flags (=zero) */
+		u_int8_t flags;
+	} response;
+	/** Name */
+	u_int8_t name[];
+}__attribute__((__packed__));
+
+/**
+ * Length of the MS-CHAPv2 header
+ */
+#define HEADER_LEN (sizeof(eap_mschapv2_header_t))
+
+/**
+ * Length of the header for MS-CHAPv2 success/failure packets (does not include
+ * MS-CHAPv2-ID and MS-Length, i.e. 3 octets)
+ */
+#define SHORT_HEADER_LEN (HEADER_LEN - 3)
+
+/**
+ * The minimum length of an MS-CHAPv2 Challenge packet (the name MUST be
+ * at least one octet)
+ */
+#define CHALLENGE_PAYLOAD_LEN (HEADER_LEN + sizeof(eap_mschapv2_challenge_t))
+
+/**
+ * The minimum length of an MS-CHAPv2 Response packet
+ */
+#define RESPONSE_PAYLOAD_LEN (HEADER_LEN + sizeof(eap_mschapv2_response_t))
+
+
+/**
+ * Expand a 56-bit key to a 64-bit DES key by adding parity bits (odd parity)
+ */
+static chunk_t ExpandDESKey(chunk_t key)
+{
+	static const u_char bitmask[] =	{ 0xfe, 0xfc, 0xf8, 0xf0, 0xe0, 0xc0, 0x80 };
+	int i;
+	u_char carry = 0;
+	chunk_t expanded;
+	
+	/* expand the 7 octets to 8 octets */
+	expanded = chunk_alloc(8);
+	for (i = 0; i < 7; i++)
+	{
+		expanded.ptr[i] = ((key.ptr[i] & bitmask[i]) >> i) | (carry << (8 - i));
+		carry = key.ptr[i] & ~bitmask[i];
+	}
+	expanded.ptr[7] = carry << 1;
+	
+	/* add parity bits to each octet */
+	for (i = 0; i < 8; i++)
+	{
+		u_char val = expanded.ptr[i];
+		val = (val ^ (val >> 4)) & 0x0f;
+		expanded.ptr[i] |= (0x9669 >> val) & 1;
+	}
+	return expanded;
+}
+
+/**
+ * Calculate the NT password hash (i.e. hash the (unicode) password with MD4) 
+ */
+static status_t NtPasswordHash(chunk_t password, chunk_t *password_hash)
+{
+	hasher_t *hasher;
+	hasher = lib->crypto->create_hasher(lib->crypto, HASH_MD4);
+	if (hasher == NULL)
+	{
+		DBG1(DBG_IKE, "EAP-MS-CHAPv2 failed, MD4 not supported");
+		return FAILED;
+	}
+	hasher->allocate_hash(hasher, password, password_hash);
+	hasher->destroy(hasher);
+	return SUCCESS;
+}
+
+/**
+ * Calculate the challenge hash (i.e. hash [peer_challenge | server_challenge |
+ * username (without domain part)] with SHA1) 
+ */
+static status_t ChallengeHash(chunk_t peer_challenge, chunk_t server_challenge,
+							  chunk_t username, chunk_t *challenge_hash)
+{
+	chunk_t concat;
+	hasher_t *hasher;
+	hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
+	if (hasher == NULL)
+	{
+		DBG1(DBG_IKE, "EAP-MS-CHAPv2 failed, SHA1 not supported");
+		return FAILED;
+	}
+	concat = chunk_cata("ccc", peer_challenge, server_challenge, username);
+	hasher->allocate_hash(hasher, concat, challenge_hash);
+	hasher->destroy(hasher);
+	/* we need only the first 8 octets */
+	challenge_hash->len = 8;
+	return SUCCESS;
+}
+
+/**
+ * Calculate the challenge response (i.e. expand password_hash to three DES keys
+ * and then encrypt the 8-octet challenge_hash with these keys and concatenate
+ * the results).
+ */
+static status_t ChallengeResponse(chunk_t challenge_hash, chunk_t password_hash,
+								  chunk_t *response)
+{
+	int i;
+	crypter_t *crypter;
+	chunk_t keys[3], z_password_hash;
+	crypter = lib->crypto->create_crypter(lib->crypto, ENCR_DES_ECB, 8);
+	if (crypter == NULL)
+	{
+		DBG1(DBG_IKE, "EAP-MS-CHAPv2 failed, DES-ECB not supported");
+		return FAILED;
+	}
+	/* prepare keys: first pad password_hash to 21 octets, these get then split
+	 * into 7-octet chunks, which then get expanded into 8-octet DES keys */
+	z_password_hash = chunk_alloca(21);
+	memset(z_password_hash.ptr, 0, z_password_hash.len);
+	memcpy(z_password_hash.ptr, password_hash.ptr, password_hash.len);
+	chunk_split(z_password_hash, "mmm", 7, &keys[0], 7, &keys[1], 7, &keys[2]);
+	
+	*response = chunk_alloc(24);
+	for (i = 0; i < 3; i++)
+	{
+		chunk_t expanded, encrypted;
+		expanded = ExpandDESKey(keys[i]);
+		crypter->set_key(crypter, expanded);
+		crypter->encrypt(crypter, challenge_hash, chunk_empty, &encrypted);
+		memcpy(&response->ptr[i * 8], encrypted.ptr, encrypted.len);
+		chunk_clear(&encrypted);
+		chunk_clear(&expanded);
+	}
+	crypter->destroy(crypter);
+	return SUCCESS;
+}
+
+/**
+ * Computes the authenticator response
+ */
+static status_t AuthenticatorResponse(chunk_t password_hash_hash,
+		chunk_t challenge_hash, chunk_t nt_response, chunk_t *response)
+{
+	static u_int8_t magic1_data[] =
+				{ 0x4D, 0x61, 0x67, 0x69, 0x63, 0x20, 0x73, 0x65, 0x72, 0x76,
+				  0x65, 0x72, 0x20, 0x74, 0x6F, 0x20, 0x63, 0x6C, 0x69, 0x65,
+				  0x6E, 0x74, 0x20, 0x73, 0x69, 0x67, 0x6E, 0x69, 0x6E, 0x67,
+				  0x20, 0x63, 0x6F, 0x6E, 0x73, 0x74, 0x61, 0x6E, 0x74 };
+	static u_int8_t magic2_data[] =
+				{ 0x50, 0x61, 0x64, 0x20, 0x74, 0x6F, 0x20, 0x6D, 0x61, 0x6B,
+				  0x65, 0x20, 0x69, 0x74, 0x20, 0x64, 0x6F, 0x20, 0x6D, 0x6F,
+				  0x72, 0x65, 0x20, 0x74, 0x68, 0x61, 0x6E, 0x20, 0x6F, 0x6E,
+				  0x65, 0x20, 0x69, 0x74, 0x65, 0x72, 0x61, 0x74, 0x69, 0x6F,
+				  0x6E };
+	static const chunk_t magic1 = chunk_from_buf(magic1_data);
+	static const chunk_t magic2 = chunk_from_buf(magic2_data);
+	
+	status_t status = FAILED;
+	chunk_t digest = chunk_empty, concat;
+	hasher_t *hasher;
+	
+	hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
+	if (hasher == NULL)
+	{
+		DBG1(DBG_IKE, "EAP-MS-CHAPv2 failed, SHA1 not supported");
+		return FAILED;
+	}
+	
+	concat = chunk_cata("ccc", password_hash_hash, nt_response, magic1);
+	hasher->allocate_hash(hasher, concat, &digest);
+	concat = chunk_cata("ccc", digest, challenge_hash, magic2);
+	hasher->allocate_hash(hasher, concat, response);
+	
+	hasher->destroy(hasher);
+	chunk_free(&digest);
+	return SUCCESS;
+}
+
+/**
+ * Generate the master session key according to RFC3079
+ */
+static status_t GenerateMSK(chunk_t password_hash_hash,
+							chunk_t nt_response, chunk_t *msk)
+{
+	static u_int8_t magic1_data[] =
+		{ 0x54, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20, 0x74,
+		  0x68, 0x65, 0x20, 0x4d, 0x50, 0x50, 0x45, 0x20, 0x4d,
+		  0x61, 0x73, 0x74, 0x65, 0x72, 0x20, 0x4b, 0x65, 0x79 };
+	static u_int8_t magic2_data[] =
+		{ 0x4f, 0x6e, 0x20, 0x74, 0x68, 0x65, 0x20, 0x63, 0x6c, 0x69,
+		  0x65, 0x6e, 0x74, 0x20, 0x73, 0x69, 0x64, 0x65, 0x2c, 0x20,
+		  0x74, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20, 0x74, 0x68,
+		  0x65, 0x20, 0x73, 0x65, 0x6e, 0x64, 0x20, 0x6b, 0x65, 0x79,
+		  0x3b, 0x20, 0x6f, 0x6e, 0x20, 0x74, 0x68, 0x65, 0x20, 0x73,
+		  0x65, 0x72, 0x76, 0x65, 0x72, 0x20, 0x73, 0x69, 0x64, 0x65,
+		  0x2c, 0x20, 0x69, 0x74, 0x20, 0x69, 0x73, 0x20, 0x74, 0x68,
+		  0x65, 0x20, 0x72, 0x65, 0x63, 0x65, 0x69, 0x76, 0x65, 0x20,
+		  0x6b, 0x65, 0x79, 0x2e };
+	static u_int8_t magic3_data[] =
+		{ 0x4f, 0x6e, 0x20, 0x74, 0x68, 0x65, 0x20, 0x63, 0x6c, 0x69,
+		  0x65, 0x6e, 0x74, 0x20, 0x73, 0x69, 0x64, 0x65, 0x2c, 0x20,
+		  0x74, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20, 0x74, 0x68,
+		  0x65, 0x20, 0x72, 0x65, 0x63, 0x65, 0x69, 0x76, 0x65, 0x20,
+		  0x6b, 0x65, 0x79, 0x3b, 0x20, 0x6f, 0x6e, 0x20, 0x74, 0x68,
+		  0x65, 0x20, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x20, 0x73,
+		  0x69, 0x64, 0x65, 0x2c, 0x20, 0x69, 0x74, 0x20, 0x69, 0x73,
+		  0x20, 0x74, 0x68, 0x65, 0x20, 0x73, 0x65, 0x6e, 0x64, 0x20,
+		  0x6b, 0x65, 0x79, 0x2e };
+	static u_int8_t shapad1_data[] =
+		{ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+		  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+		  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+		  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
+	static u_int8_t shapad2_data[] =
+		{ 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2,
+		  0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2,
+		  0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2,
+		  0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2 };
+	static const chunk_t magic1 = chunk_from_buf(magic1_data);
+	static const chunk_t magic2 = chunk_from_buf(magic2_data);
+	static const chunk_t magic3 = chunk_from_buf(magic3_data);
+	static const chunk_t shapad1 = chunk_from_buf(shapad1_data);
+	static const chunk_t shapad2 = chunk_from_buf(shapad2_data);
+	static const chunk_t keypad = { shapad1_data, 16 };
+	
+	chunk_t concat, master_key, master_receive_key, master_send_key;
+	hasher_t *hasher;
+	
+	hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
+	if (hasher == NULL)
+	{
+		DBG1(DBG_IKE, "EAP-MS-CHAPv2 failed, SHA1 not supported");
+		return FAILED;
+	}
+	
+	concat = chunk_cata("ccc", password_hash_hash, nt_response, magic1);
+	hasher->allocate_hash(hasher, concat, &master_key);
+	master_key.len = 16;
+	
+	concat = chunk_cata("cccc", master_key, shapad1, magic2, shapad2);
+	hasher->allocate_hash(hasher, concat, &master_receive_key);
+	master_receive_key.len = 16;
+	
+	concat = chunk_cata("cccc", master_key, shapad1, magic3, shapad2);
+	hasher->allocate_hash(hasher, concat, &master_send_key);
+	master_send_key.len = 16;
+	
+	*msk = chunk_cat("cccc", master_receive_key, keypad, master_send_key, keypad);
+	
+	hasher->destroy(hasher);
+	chunk_free(&master_key);
+	chunk_free(&master_receive_key);
+	chunk_free(&master_send_key);
+	return SUCCESS;
+}
+
+static status_t GenerateStuff(private_eap_mschapv2_t *this,
+							  chunk_t server_challenge, chunk_t peer_challenge,
+							  chunk_t username, chunk_t password)
+{
+	status_t status = FAILED;
+	chunk_t password_hash = chunk_empty, password_hash_hash = chunk_empty,
+			challenge_hash = chunk_empty;
+	
+	if (NtPasswordHash(password, &password_hash) != SUCCESS)
+	{
+		goto error;
+	}
+	if (NtPasswordHash(password_hash, &password_hash_hash) != SUCCESS)
+	{
+		goto error;
+	}
+	if (ChallengeHash(peer_challenge, server_challenge, username,
+					  &challenge_hash) != SUCCESS)
+	{
+		goto error;
+	}
+	
+	if (ChallengeResponse(challenge_hash, password_hash,
+						  &this->nt_response) != SUCCESS)
+	{
+		goto error;
+	}
+	if (AuthenticatorResponse(password_hash_hash, challenge_hash,
+							  this->nt_response, &this->auth_response) != SUCCESS)
+	{
+		goto error;
+	}
+	if (GenerateMSK(password_hash_hash, this->nt_response, &this->msk) != SUCCESS)
+	{
+		goto error;
+	}
+	
+	status = SUCCESS;
+	
+error:
+	chunk_free(&password_hash);
+	chunk_free(&password_hash_hash);
+	chunk_free(&challenge_hash);
+	return status;
+}
+
+/**
+ * Converts an ASCII string into a UTF-16 (little-endian) string
+ */
+static chunk_t ascii_to_unicode(chunk_t ascii)
+{
+	int i;
+	chunk_t unicode = chunk_alloc(ascii.len * 2);
+	for (i = 0; i < ascii.len; i++)
+	{
+		unicode.ptr[i * 2] = ascii.ptr[i];
+		unicode.ptr[i * 2 + 1] = 0;
+	}
+	return unicode;
+}
+
+/**
+ * Returns a chunk of just the username part of the given user identity.
+ * Note: the chunk points to internal data of the identification.
+ */
+static chunk_t extract_username(identification_t* identification)
+{
+	char *has_domain;
+	chunk_t id;
+	id = identification->get_encoding(identification);
+	has_domain = (char*)memrchr(id.ptr, '\\', id.len);
+	if (has_domain)
+	{
+		int len;
+		has_domain++; /* skip the backslash */
+		len = id.len - ((u_char*)has_domain - id.ptr);
+		return len > 0 ? chunk_create(has_domain, len) : chunk_empty;
+	}
+	return id;
+}
+
+
+/**
+ * Implementation of eap_method_t.initiate for the peer
+ */
+static status_t initiate_peer(private_eap_mschapv2_t *this, eap_payload_t **out)
+{
+	/* peer never initiates */
+	return FAILED;
+}
+
+/**
+ * Implementation of eap_method_t.initiate for the server
+ */
+static status_t initiate_server(private_eap_mschapv2_t *this, eap_payload_t **out)
+{
+	rng_t *rng;
+	eap_mschapv2_header_t *eap;
+	eap_mschapv2_challenge_t *cha;
+	const char *name = MSCHAPV2_HOST_NAME;
+	u_int16_t len = CHALLENGE_PAYLOAD_LEN + sizeof(MSCHAPV2_HOST_NAME) - 1;
+	
+	DBG1(DBG_IKE, "initiating EAP-MS-CHAPv2");
+	
+	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
+	if (!rng)
+	{
+		DBG1(DBG_IKE, "EAP-MS-CHAPv2 failed, no RNG");
+		return FAILED;
+	}
+	rng->allocate_bytes(rng, CHALLENGE_LEN, &this->challenge);
+	rng->destroy(rng);
+	
+	eap = alloca(len);
+	eap->code = EAP_REQUEST;
+	eap->identifier = this->identifier;
+	eap->length = htons(len);
+	eap->type = EAP_MSCHAPV2;
+	eap->opcode = MSCHAPV2_CHALLENGE;
+	eap->ms_chapv2_id = this->mschapv2id;
+	eap->ms_length = htons(len - 5);
+	
+	cha = (eap_mschapv2_challenge_t*)eap->data;
+	cha->value_size = CHALLENGE_LEN;
+	memcpy(cha->challenge, this->challenge.ptr, this->challenge.len);
+	memcpy(cha->name, name, sizeof(MSCHAPV2_HOST_NAME) - 1);
+	
+	*out = eap_payload_create_data(chunk_create((void*) eap, len));
+	return NEED_MORE;
+}
+
+
+/**
+ * Process MS-CHAPv2 Challenge Requests
+ */
+static status_t process_peer_challenge(private_eap_mschapv2_t *this,
+									   eap_payload_t *in, eap_payload_t **out)
+{
+	rng_t *rng;
+	eap_mschapv2_header_t *eap;
+	eap_mschapv2_challenge_t *cha;
+	eap_mschapv2_response_t *res;
+	shared_key_t *shared;
+	chunk_t data, peer_challenge, username, password;
+	u_int16_t len = RESPONSE_PAYLOAD_LEN;
+	
+	data = in->get_data(in);
+	eap = (eap_mschapv2_header_t*)data.ptr;
+	
+	/* the name MUST be at least one octet long */
+	if (data.len < CHALLENGE_PAYLOAD_LEN + 1)
+	{
+		DBG1(DBG_IKE, "received invalid EAP-MS-CHAPv2 message: too short");
+		return FAILED;
+	}
+	
+	cha = (eap_mschapv2_challenge_t*)eap->data;
+			
+	if (cha->value_size != CHALLENGE_LEN)
+	{
+		DBG1(DBG_IKE, "received invalid EAP-MS-CHAPv2 message: invalid challenge size");
+		return FAILED;
+	}
+			
+	this->mschapv2id = eap->ms_chapv2_id;
+	this->challenge = chunk_clone(chunk_create(cha->challenge, CHALLENGE_LEN));
+			
+	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
+	if (!rng)
+	{
+		DBG1(DBG_IKE, "EAP-MS-CHAPv2 failed, no RNG");
+		return FAILED;
+	}
+	peer_challenge = chunk_alloca(CHALLENGE_LEN);
+	rng->get_bytes(rng, CHALLENGE_LEN, peer_challenge.ptr);
+	rng->destroy(rng);
+			
+	shared = charon->credentials->get_shared(charon->credentials,
+											 SHARED_EAP, this->server, this->peer);
+	if (shared == NULL)
+	{
+		DBG1(DBG_IKE, "no EAP key found for hosts '%D' - '%D'",
+				this->server, this->peer);
+		return NOT_FOUND;
+	}
+	
+	password = ascii_to_unicode(shared->get_key(shared));
+	shared->destroy(shared);
+	
+	username = extract_username(this->peer);
+	len += username.len;
+			
+	if (GenerateStuff(this, this->challenge, peer_challenge, username, password) != SUCCESS)
+	{
+		DBG1(DBG_IKE, "EAP-MS-CHAPv2 generating NT-Response failed");
+		chunk_clear(&password);
+		return FAILED;
+	}
+	chunk_clear(&password);
+			
+	eap = alloca(len);
+	eap->code = EAP_RESPONSE;
+	eap->identifier = this->identifier;
+	eap->length = htons(len);
+	eap->type = EAP_MSCHAPV2;
+	eap->opcode = MSCHAPV2_RESPONSE;
+	eap->ms_chapv2_id = this->mschapv2id;
+	eap->ms_length = htons(len - 5);
+	
+	res = (eap_mschapv2_response_t*)eap->data;
+	res->value_size = RESPONSE_LEN;
+	memset(&res->response, 0, RESPONSE_LEN);
+	memcpy(res->response.peer_challenge, peer_challenge.ptr, peer_challenge.len);
+	memcpy(res->response.nt_response, this->nt_response.ptr, this->nt_response.len);
+	
+	username = this->peer->get_encoding(this->peer);
+	memcpy(res->name, username.ptr, username.len);
+	
+	*out = eap_payload_create_data(chunk_create((void*) eap, len));
+	return NEED_MORE;
+}
+
+/**
+ * Process MS-CHAPv2 Success Requests
+ */
+static status_t process_peer_success(private_eap_mschapv2_t *this,
+									  eap_payload_t *in, eap_payload_t **out)
+{
+	status_t status = FAILED;
+	enumerator_t *enumerator;
+	eap_mschapv2_header_t *eap;
+	chunk_t data, auth_string = chunk_empty;
+	char *message, *token, *msg = NULL;
+	int message_len;
+	u_int16_t len = SHORT_HEADER_LEN;
+	
+	data = in->get_data(in);
+	eap = (eap_mschapv2_header_t*)data.ptr;
+	
+	if (data.len < AUTH_RESPONSE_LEN)
+	{
+		DBG1(DBG_IKE, "received invalid EAP-MS-CHAPv2 message: too short");
+		return FAILED;
+	}
+	
+	message_len = data.len - HEADER_LEN;
+	message = malloc(message_len + 1);
+	memcpy(message, eap->data, message_len);
+	message[message_len] = '\0';
+	
+	/* S=<auth_string> M=<msg> */
+	enumerator = enumerator_create_token(message, " ", " ");
+	while (enumerator->enumerate(enumerator, &token))
+	{
+		if (strneq(token, "S=", 2))
+		{
+			chunk_t hex;
+			token += 2;
+			if (strlen(token) != AUTH_RESPONSE_LEN - 2)
+			{
+				DBG1(DBG_IKE, "received invalid EAP-MS-CHAPv2 message: invalid auth string");
+				goto error;
+			}
+			hex = chunk_create(token, AUTH_RESPONSE_LEN - 2);
+			auth_string = chunk_from_hex(hex, NULL);
+		}
+		else if (strneq(token, "M=", 2))
+		{
+			token += 2;
+			msg = strdup(token);
+		}
+	}
+	enumerator->destroy(enumerator);
+			
+	if (auth_string.ptr == NULL)	
+	{
+		DBG1(DBG_IKE, "received invalid EAP-MS-CHAPv2 message: auth string missing");
+		goto error;
+	}
+	
+	if (!chunk_equals(this->auth_response, auth_string))
+	{
+		DBG1(DBG_IKE, "EAP-MS-CHAPv2 verification failed");
+		goto error;
+	}
+	
+	DBG1(DBG_IKE, "EAP-MS-CHAPv2 succeeded: '%s'", msg);
+	
+	eap = alloca(len);
+	eap->code = EAP_RESPONSE;
+	eap->identifier = this->identifier;
+	eap->length = htons(len);
+	eap->type = EAP_MSCHAPV2;
+	eap->opcode = MSCHAPV2_SUCCESS;
+	
+	*out = eap_payload_create_data(chunk_create((void*) eap, len));
+	status = NEED_MORE;
+	
+error:
+	chunk_free(&auth_string);
+	free(message);
+	free(msg);
+	return status;
+}
+
+static status_t process_peer_failure(private_eap_mschapv2_t *this,
+									 eap_payload_t *in, eap_payload_t **out)
+{
+	status_t status = FAILED;
+	enumerator_t *enumerator;
+	eap_mschapv2_header_t *eap;
+	chunk_t data;
+	char *message, *token, *msg = NULL;
+	int message_len, error, retryable;
+	chunk_t challenge = chunk_empty;
+	u_int16_t len = SHORT_HEADER_LEN;
+	
+	data = in->get_data(in);
+	eap = (eap_mschapv2_header_t*)data.ptr;
+	
+	if (data.len < 3) /* we want at least an error code: E=e */
+	{
+		DBG1(DBG_IKE, "received invalid EAP-MS-CHAPv2 message: too short");
+		return FAILED;
+	}
+	
+	message_len = data.len - HEADER_LEN;
+	message = malloc(message_len + 1);
+	memcpy(message, eap->data, message_len);
+	message[message_len] = '\0';
+			
+	/* E=eeeeeeeeee R=r C=cccccccccccccccccccccccccccccccc V=vvvvvvvvvv M=<msg> */
+	enumerator = enumerator_create_token(message, " ", " ");
+	while (enumerator->enumerate(enumerator, &token))
+	{
+		if (strneq(token, "E=", 2))
+		{
+			token += 2;
+			error = atoi(token);
+		}
+		else if (strneq(token, "R=", 2))
+		{
+			token += 2;
+			retryable = atoi(token);
+		}
+		else if (strneq(token, "C=", 2))
+		{
+			chunk_t hex;
+			token += 2;
+			if (strlen(token) != 2 * CHALLENGE_LEN)
+			{
+				DBG1(DBG_IKE, "received invalid EAP-MS-CHAPv2 message: invalid challenge");
+				goto error;
+			}
+			hex = chunk_create(token, 2 * CHALLENGE_LEN);
+			challenge = chunk_from_hex(hex, NULL);
+		}
+		else if (strneq(token, "V=", 2))
+		{
+			int version;
+			token += 2;
+			version = atoi(token);
+		}
+		else if (strneq(token, "M=", 2))
+		{
+			token += 2;
+			msg = strdup(token);
+		}
+	}
+	enumerator->destroy(enumerator);
+			
+	DBG1(DBG_IKE, "EAP-MS-CHAPv2 failed with error %N: '%s'", mschapv2_error_names, error, msg);
+			
+	/**
+	 * at this point, if the error is retryable, we MAY retry the authentication
+	 * or MAY send a Change Password packet.
+	 * 
+	 * if the error is not retryable (or if we do neither of the above), we
+	 * SHOULD send a Failure Response packet.
+	 * windows clients don't do that, and since windows server 2008 r2 behaves
+	 * pretty odd if we do send a Failure Response, we just don't send one
+	 * either. windows 7 actually sends a delete notify (which, according to the
+	 * logs, results in an error on windows server 2008 r2). 
+	 * 
+	 * btw, windows server 2008 r2 does not send non-retryable errors for e.g.
+	 * a disabled account but returns the windows error code in a notify payload
+	 * of type 12345.
+	 */
+	
+	status = FAILED;
+	
+error:
+	chunk_free(&challenge);
+	free(message);
+	free(msg);
+	return status;
+}
+
+/**
+ * Implementation of eap_method_t.process for the peer
+ */
+static status_t process_peer(private_eap_mschapv2_t *this, eap_payload_t *in,
+		eap_payload_t **out)
+{
+	chunk_t data;
+	eap_mschapv2_header_t *eap;
+	
+	this->identifier = in->get_identifier(in);
+	data = in->get_data(in);
+	if (data.len < SHORT_HEADER_LEN)
+	{
+		DBG1(DBG_IKE, "received invalid EAP-MS-CHAPv2 message");
+		return FAILED;
+	}
+	
+	eap = (eap_mschapv2_header_t*)data.ptr;
+		
+	switch (eap->opcode)
+	{
+		case MSCHAPV2_CHALLENGE:
+		{
+			return process_peer_challenge(this, in, out);
+		}
+		case MSCHAPV2_SUCCESS:
+		{
+			return process_peer_success(this, in, out);
+		}
+		case MSCHAPV2_FAILURE:
+		{
+			return process_peer_failure(this, in, out);
+		}
+		default:
+		{
+			DBG1(DBG_IKE, "EAP-MS-CHAPv2 received packet with unsupported OpCode (%N)!",
+					mschapv2_opcode_names, eap->opcode);
+			break;
+		}
+	}
+	return FAILED;
+}
+
+/**
+ * Handles retries on the server
+ */
+static status_t process_server_retry(private_eap_mschapv2_t *this,
+									 eap_payload_t **out)
+{
+	eap_mschapv2_header_t *eap;
+	rng_t *rng;
+	chunk_t hex;
+	char msg[FAILURE_MESSAGE_LEN];
+	u_int16_t len = HEADER_LEN + FAILURE_MESSAGE_LEN - 1; /* no null byte */
+	
+	if (++this->retries > MAX_RETRIES)
+	{
+		/* we MAY send a Failure Request with R=0, but windows 7 does not
+		 * really like that and does not respond with a Failure Response.
+		 * so, to clean up our state we just fail with an EAP-Failure.
+		 * this gives an unknown error on the windows side, but is also fine
+		 * with the standard. */
+		DBG1(DBG_IKE, "EAP-MS-CHAPv2 verification failed: maximum number of retries reached");
+		return FAILED;
+	}
+	
+	DBG1(DBG_IKE, "EAP-MS-CHAPv2 verification failed, retry (%d)", this->retries);
+	
+	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
+	if (!rng)
+	{
+		DBG1(DBG_IKE, "EAP-MS-CHAPv2 failed, no RNG");
+		return FAILED;
+	}
+	rng->get_bytes(rng, CHALLENGE_LEN, this->challenge.ptr);
+	rng->destroy(rng);
+	
+	chunk_free(&this->nt_response);
+	chunk_free(&this->auth_response);
+	chunk_free(&this->msk);
+	
+	eap = alloca(len);
+	eap->code = EAP_REQUEST;
+	eap->identifier = ++this->identifier;
+	eap->length = htons(len);
+	eap->type = EAP_MSCHAPV2;
+	eap->opcode = MSCHAPV2_FAILURE;
+	eap->ms_chapv2_id = this->mschapv2id++; /* increase for each retry */
+	eap->ms_length = htons(len - 5);
+	
+	hex = chunk_to_hex(this->challenge, NULL, TRUE);
+	snprintf(msg, FAILURE_MESSAGE_LEN, "%s%s", FAILURE_MESSAGE, hex.ptr);
+	chunk_free(&hex);
+	memcpy(eap->data, msg, FAILURE_MESSAGE_LEN - 1); /* no null byte */
+	*out = eap_payload_create_data(chunk_create((void*) eap, len));
+	
+	/* delay the response for some time to make brute-force attacks harder */
+	sleep(RETRY_DELAY);
+	
+	return NEED_MORE;
+}
+
+/**
+ * Process MS-CHAPv2 Response response packets
+ */
+static status_t process_server_response(private_eap_mschapv2_t *this,
+										eap_payload_t *in, eap_payload_t **out)
+{
+	eap_mschapv2_header_t *eap;
+	eap_mschapv2_response_t *res;
+	chunk_t data, peer_challenge, username, password;
+	identification_t *userid;
+	shared_key_t *shared;
+	int name_len;
+	
+	data = in->get_data(in);
+	eap = (eap_mschapv2_header_t*)data.ptr;
+	
+	if (data.len < RESPONSE_PAYLOAD_LEN)
+	{
+		DBG1(DBG_IKE, "received invalid EAP-MS-CHAPv2 message: too short");
+		return FAILED;
+	}
+	
+	res = (eap_mschapv2_response_t*)eap->data;
+	peer_challenge = chunk_create(res->response.peer_challenge, CHALLENGE_LEN);
+	
+	name_len = min(data.len - RESPONSE_PAYLOAD_LEN, 255);
+	userid = identification_create_from_encoding(ID_EAP,
+												 chunk_create(res->name, name_len));
+	username = extract_username(userid);
+	DBG2(DBG_IKE, "EAP-MS-CHAPv2 username: '%.*s'", name_len, res->name);
+	
+	shared = charon->credentials->get_shared(charon->credentials,
+											 SHARED_EAP, this->server, userid);
+	if (shared == NULL)
+	{
+		DBG1(DBG_IKE, "no EAP key found for hosts '%D' - '%D'",
+					  this->server, userid);
+		/* FIXME: windows 7 always sends the username that is first entered in
+		 * the username box, even, if the user changes it during retries (probably
+		 * to keep consistent with the EAP-Identity).
+	 	 * thus, we could actually fail here, because retries do not make much
+	 	 * sense. on the other hand, an attacker could guess usernames, if the
+	 	 * error messages were different. */
+		userid->destroy(userid);
+		return process_server_retry(this, out);
+	}
+	
+	password = ascii_to_unicode(shared->get_key(shared));
+	shared->destroy(shared);
+	
+	if (GenerateStuff(this, this->challenge, peer_challenge, username, password) != SUCCESS)
+	{
+		DBG1(DBG_IKE, "EAP-MS-CHAPv2 verification failed");	
+		userid->destroy(userid);
+		chunk_clear(&password);
+		return FAILED;
+	}
+	userid->destroy(userid);
+	chunk_clear(&password);
+	
+	if (memeq(res->response.nt_response, this->nt_response.ptr, this->nt_response.len))
+	{
+		chunk_t hex;
+		char msg[AUTH_RESPONSE_LEN + sizeof(SUCCESS_MESSAGE)];
+		u_int16_t len = HEADER_LEN + AUTH_RESPONSE_LEN + sizeof(SUCCESS_MESSAGE);
+		
+		eap = alloca(len);
+		eap->code = EAP_REQUEST;
+		eap->identifier = ++this->identifier;
+		eap->length = htons(len);
+		eap->type = EAP_MSCHAPV2;
+		eap->opcode = MSCHAPV2_SUCCESS;
+		eap->ms_chapv2_id = this->mschapv2id;
+		eap->ms_length = htons(len - 5);
+		
+		hex = chunk_to_hex(this->auth_response, NULL, TRUE);
+		snprintf(msg, AUTH_RESPONSE_LEN + sizeof(SUCCESS_MESSAGE),
+					  "S=%s%s", hex.ptr, SUCCESS_MESSAGE);
+		chunk_free(&hex);
+		memcpy(eap->data, msg, AUTH_RESPONSE_LEN + sizeof(SUCCESS_MESSAGE));
+		*out = eap_payload_create_data(chunk_create((void*) eap, len));
+		return NEED_MORE;
+	}
+
+	return process_server_retry(this, out);
+}
+
+/**
+ * Implementation of eap_method_t.process for the server
+ */
+static status_t process_server(private_eap_mschapv2_t *this, eap_payload_t *in,
+		eap_payload_t **out)
+{
+	eap_mschapv2_header_t *eap;
+	chunk_t data;
+	
+	if (this->identifier != in->get_identifier(in))
+	{
+		DBG1(DBG_IKE, "received invalid EAP-MS-CHAPv2 message: unexpected identifier");
+		return FAILED;
+	}
+	
+	data = in->get_data(in);
+	if (data.len < SHORT_HEADER_LEN)
+	{
+		DBG1(DBG_IKE, "received invalid EAP-MS-CHAPv2 message: too short");
+		return FAILED;
+	}
+	
+	eap = (eap_mschapv2_header_t*)data.ptr;
+	
+	switch (eap->opcode)
+	{
+		case MSCHAPV2_RESPONSE:
+		{
+			return process_server_response(this, in, out);
+		}
+		case MSCHAPV2_SUCCESS:
+		{
+			return SUCCESS;
+		}
+		case MSCHAPV2_FAILURE:
+		{
+			return FAILED;
+		}
+		default:
+		{
+			DBG1(DBG_IKE, "EAP-MS-CHAPv2 received packet with unsupported OpCode (%N)!",
+					mschapv2_opcode_names, eap->opcode);
+			break;
+		}
+	}
+	return FAILED;
+}
+
+/**
+ * Implementation of eap_method_t.get_type.
+ */
+static eap_type_t get_type(private_eap_mschapv2_t *this, u_int32_t *vendor)
+{
+	*vendor = 0;
+	return EAP_MSCHAPV2;
+}
+
+/**
+ * Implementation of eap_method_t.get_msk.
+ */
+static status_t get_msk(private_eap_mschapv2_t *this, chunk_t *msk)
+{
+	if (this->msk.ptr)
+	{
+		*msk = this->msk;
+		return SUCCESS;
+	}
+	return FAILED;
+}
+
+/**
+ * Implementation of eap_method_t.is_mutual.
+ */
+static bool is_mutual(private_eap_mschapv2_t *this)
+{
+	return TRUE;
+}
+
+/**
+ * Implementation of eap_method_t.destroy.
+ */
+static void destroy(private_eap_mschapv2_t *this)
+{
+	this->peer->destroy(this->peer);
+	this->server->destroy(this->server);
+	chunk_free(&this->challenge);
+	chunk_free(&this->nt_response);
+	chunk_free(&this->auth_response);
+	chunk_free(&this->msk);
+	free(this);
+}
+
+/**
+ * Generic constructor
+ */
+static private_eap_mschapv2_t *eap_mschapv2_create_generic(identification_t *server, identification_t *peer)
+{
+	private_eap_mschapv2_t *this = malloc_thing(private_eap_mschapv2_t);
+	
+	this->public.eap_method_interface.initiate = NULL;
+	this->public.eap_method_interface.process = NULL;
+	this->public.eap_method_interface.get_type = (eap_type_t(*)(eap_method_t*,u_int32_t*))get_type;
+	this->public.eap_method_interface.is_mutual = (bool(*)(eap_method_t*))is_mutual;
+	this->public.eap_method_interface.get_msk = (status_t(*)(eap_method_t*,chunk_t*))get_msk;
+	this->public.eap_method_interface.destroy = (void(*)(eap_method_t*))destroy;
+	
+	/* private data */
+	this->peer = peer->clone(peer);
+	this->server = server->clone(server);
+	this->challenge = chunk_empty;
+	this->nt_response = chunk_empty;
+	this->auth_response = chunk_empty;
+	this->msk = chunk_empty;
+	this->identifier = 0;
+	this->mschapv2id = 0;
+	this->retries = 0;
+	
+	return this;
+}
+
+/*
+ * see header
+ */
+eap_mschapv2_t *eap_mschapv2_create_server(identification_t *server, identification_t *peer)
+{
+	private_eap_mschapv2_t *this = eap_mschapv2_create_generic(server, peer);
+	
+	this->public.eap_method_interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate_server;
+	this->public.eap_method_interface.process = (status_t(*)(eap_method_t*,eap_payload_t*, eap_payload_t**))process_server;
+
+	/* generate a non-zero identifier */
+	do
+	{
+		this->identifier = random();
+	} while (!this->identifier);
+	
+	this->mschapv2id = this->identifier;
+	
+	return &this->public;
+}
+
+/*
+ * see header
+ */
+eap_mschapv2_t *eap_mschapv2_create_peer(identification_t *server, identification_t *peer)
+{
+	private_eap_mschapv2_t *this = eap_mschapv2_create_generic(server, peer);
+	
+	this->public.eap_method_interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate_peer;
+	this->public.eap_method_interface.process = (status_t(*)(eap_method_t*,eap_payload_t*, eap_payload_t**))process_peer;
+	
+	return &this->public;
+}
+
diff --git a/src/charon/plugins/eap_mschapv2/eap_mschapv2.h b/src/charon/plugins/eap_mschapv2/eap_mschapv2.h
new file mode 100644
index 000000000..4b6e4531a
--- /dev/null
+++ b/src/charon/plugins/eap_mschapv2/eap_mschapv2.h
@@ -0,0 +1,59 @@
+/*
+ * Copyright (C) 2009 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id: eap_mschapv2.h 4882 2009-02-18 19:57:15Z tobias $
+ */
+
+/**
+ * @defgroup eap_mschapv2_i eap_mschapv2
+ * @{ @ingroup eap_mschapv2
+ */
+
+#ifndef EAP_MSCHAPV2_H_
+#define EAP_MSCHAPV2_H_
+
+typedef struct eap_mschapv2_t eap_mschapv2_t;
+
+#include <sa/authenticators/eap/eap_method.h>
+
+/**
+ * Implementation of the eap_method_t interface using EAP-MS-CHAPv2.
+ */
+struct eap_mschapv2_t {
+
+	/**
+	 * Implemented eap_method_t interface.
+	 */
+	eap_method_t eap_method_interface;
+};
+
+/**
+ * Creates the EAP method EAP-MS-CHAPv2 acting as server.
+ *
+ * @param server	ID of the EAP server
+ * @param peer		ID of the EAP client
+ * @return			eap_mschapv2_t object
+ */
+eap_mschapv2_t *eap_mschapv2_create_server(identification_t *server, identification_t *peer);
+
+/**
+ * Creates the EAP method EAP-MS-CHAPv2 acting as peer.
+ *
+ * @param server	ID of the EAP server
+ * @param peer		ID of the EAP client
+ * @return			eap_mschapv2_t object
+ */
+eap_mschapv2_t *eap_mschapv2_create_peer(identification_t *server, identification_t *peer);
+
+#endif /* EAP_MSCHAPV2_H_ @}*/
diff --git a/src/charon/plugins/eap_mschapv2/eap_mschapv2_plugin.c b/src/charon/plugins/eap_mschapv2/eap_mschapv2_plugin.c
new file mode 100644
index 000000000..4303a3a7a
--- /dev/null
+++ b/src/charon/plugins/eap_mschapv2/eap_mschapv2_plugin.c
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) 2009 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id: eap_mschapv2_plugin.c 4882 2009-02-18 19:57:15Z tobias $
+ */
+
+#include "eap_mschapv2_plugin.h"
+
+#include "eap_mschapv2.h"
+
+#include <daemon.h>
+
+/**
+ * Implementation of plugin_t.destroy
+ */
+static void destroy(eap_mschapv2_plugin_t *this)
+{
+	charon->eap->remove_method(charon->eap,
+							   (eap_constructor_t)eap_mschapv2_create_server);
+	charon->eap->remove_method(charon->eap,
+							   (eap_constructor_t)eap_mschapv2_create_peer);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *plugin_create()
+{
+	eap_mschapv2_plugin_t *this = malloc_thing(eap_mschapv2_plugin_t);
+	
+	this->plugin.destroy = (void(*)(plugin_t*))destroy;
+	
+	charon->eap->add_method(charon->eap, EAP_MSCHAPV2, 0, EAP_SERVER,
+							(eap_constructor_t)eap_mschapv2_create_server);
+	charon->eap->add_method(charon->eap, EAP_MSCHAPV2, 0, EAP_PEER,
+							(eap_constructor_t)eap_mschapv2_create_peer);
+	
+	return &this->plugin;
+}
+
diff --git a/src/charon/plugins/eap_mschapv2/eap_mschapv2_plugin.h b/src/charon/plugins/eap_mschapv2/eap_mschapv2_plugin.h
new file mode 100644
index 000000000..97177947b
--- /dev/null
+++ b/src/charon/plugins/eap_mschapv2/eap_mschapv2_plugin.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2009 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id: eap_mschapv2_plugin.h 4882 2009-02-18 19:57:15Z tobias $
+ */
+
+/**
+ * @defgroup eap_mschapv2 eap_mschapv2
+ * @ingroup cplugins
+ *
+ * @defgroup eap_mschapv2_plugin eap_mschapv2_plugin
+ * @{ @ingroup eap_mschapv2
+ */
+
+#ifndef EAP_MSCHAPV2_PLUGIN_H_
+#define EAP_MSCHAPV2_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct eap_mschapv2_plugin_t eap_mschapv2_plugin_t;
+
+/**
+ * EAP-MS-CHAPv2 plugin
+ */
+struct eap_mschapv2_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+/**
+ * Create a eap_mschapv2_plugin instance.
+ */
+plugin_t *plugin_create();
+
+#endif /* EAP_MSCHAPV2_PLUGIN_H_ @}*/
diff --git a/src/charon/plugins/eap_sim/Makefile.in b/src/charon/plugins/eap_sim/Makefile.in
index cc5409952..be84728a4 100644
--- a/src/charon/plugins/eap_sim/Makefile.in
+++ b/src/charon/plugins/eap_sim/Makefile.in
@@ -85,22 +85,17 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
-CXX = @CXX@
-CXXCPP = @CXXCPP@
-CXXDEPMODE = @CXXDEPMODE@
-CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DSYMUTIL = @DSYMUTIL@
-ECHO = @ECHO@
+DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-F77 = @F77@
-FFLAGS = @FFLAGS@
+FGREP = @FGREP@
 GPERF = @GPERF@
 GREP = @GREP@
 INSTALL = @INSTALL@
@@ -110,6 +105,7 @@ INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
 IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
 IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
@@ -118,12 +114,16 @@ LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
 LINUX_HEADERS = @LINUX_HEADERS@
+LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+NM = @NM@
 NMEDIT = @NMEDIT@
 OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -146,8 +146,7 @@ abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
-ac_ct_CXX = @ac_ct_CXX@
-ac_ct_F77 = @ac_ct_F77@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -186,6 +185,7 @@ libstrongswan_plugins = @libstrongswan_plugins@
 linuxdir = @linuxdir@
 localedir = @localedir@
 localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
diff --git a/src/charon/plugins/eap_sim/eap_sim.c b/src/charon/plugins/eap_sim/eap_sim.c
index 8b9434716..6110e823c 100644
--- a/src/charon/plugins/eap_sim/eap_sim.c
+++ b/src/charon/plugins/eap_sim/eap_sim.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: eap_sim.c 4406 2008-10-10 08:36:01Z martin $
+ * $Id: eap_sim.c 4755 2008-12-04 10:10:37Z martin $
  */
 
 #include "eap_sim.h"
@@ -1050,7 +1050,6 @@ static bool is_mutual(private_eap_sim_t *this)
  */
 static void destroy(private_eap_sim_t *this)
 {
-	this->peer->destroy(this->peer);
 	this->peer->destroy(this->peer);
 	DESTROY_IF(this->hasher);
 	DESTROY_IF(this->prf);
diff --git a/src/charon/plugins/eap_sim_file/Makefile.in b/src/charon/plugins/eap_sim_file/Makefile.in
index c4da4ec54..9396b98cf 100644
--- a/src/charon/plugins/eap_sim_file/Makefile.in
+++ b/src/charon/plugins/eap_sim_file/Makefile.in
@@ -88,22 +88,17 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
-CXX = @CXX@
-CXXCPP = @CXXCPP@
-CXXDEPMODE = @CXXDEPMODE@
-CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DSYMUTIL = @DSYMUTIL@
-ECHO = @ECHO@
+DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-F77 = @F77@
-FFLAGS = @FFLAGS@
+FGREP = @FGREP@
 GPERF = @GPERF@
 GREP = @GREP@
 INSTALL = @INSTALL@
@@ -113,6 +108,7 @@ INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
 IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
 IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
@@ -121,12 +117,16 @@ LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
 LINUX_HEADERS = @LINUX_HEADERS@
+LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+NM = @NM@
 NMEDIT = @NMEDIT@
 OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -149,8 +149,7 @@ abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
-ac_ct_CXX = @ac_ct_CXX@
-ac_ct_F77 = @ac_ct_F77@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -189,6 +188,7 @@ libstrongswan_plugins = @libstrongswan_plugins@
 linuxdir = @linuxdir@
 localedir = @localedir@
 localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
diff --git a/src/charon/plugins/kernel_klips/Makefile.in b/src/charon/plugins/kernel_klips/Makefile.in
index 702b38394..4e3312f2b 100644
--- a/src/charon/plugins/kernel_klips/Makefile.in
+++ b/src/charon/plugins/kernel_klips/Makefile.in
@@ -87,22 +87,17 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
-CXX = @CXX@
-CXXCPP = @CXXCPP@
-CXXDEPMODE = @CXXDEPMODE@
-CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DSYMUTIL = @DSYMUTIL@
-ECHO = @ECHO@
+DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-F77 = @F77@
-FFLAGS = @FFLAGS@
+FGREP = @FGREP@
 GPERF = @GPERF@
 GREP = @GREP@
 INSTALL = @INSTALL@
@@ -112,6 +107,7 @@ INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
 IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
 IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
@@ -120,12 +116,16 @@ LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
 LINUX_HEADERS = @LINUX_HEADERS@
+LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+NM = @NM@
 NMEDIT = @NMEDIT@
 OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -148,8 +148,7 @@ abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
-ac_ct_CXX = @ac_ct_CXX@
-ac_ct_F77 = @ac_ct_F77@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -188,6 +187,7 @@ libstrongswan_plugins = @libstrongswan_plugins@
 linuxdir = @linuxdir@
 localedir = @localedir@
 localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
diff --git a/src/charon/plugins/kernel_klips/kernel_klips_ipsec.c b/src/charon/plugins/kernel_klips/kernel_klips_ipsec.c
index 91bef0a54..b2811aa9d 100644
--- a/src/charon/plugins/kernel_klips/kernel_klips_ipsec.c
+++ b/src/charon/plugins/kernel_klips/kernel_klips_ipsec.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: kernel_klips_ipsec.c 4631 2008-11-11 18:35:10Z martin $
+ * $Id: kernel_klips_ipsec.c 4793 2008-12-11 13:39:30Z tobias $
  */
 
 #include <sys/types.h>
@@ -853,7 +853,7 @@ static void host2ext(host_t *host, struct sadb_address *ext)
 }
 
 /**
- * add a host behind a sadb_address extension
+ * add a host to the given sadb_msg
  */
 static void add_addr_ext(struct sadb_msg *msg, host_t *host, u_int16_t type)
 {
diff --git a/src/charon/plugins/kernel_netlink/Makefile.in b/src/charon/plugins/kernel_netlink/Makefile.in
index 658e0feea..b3b161315 100644
--- a/src/charon/plugins/kernel_netlink/Makefile.in
+++ b/src/charon/plugins/kernel_netlink/Makefile.in
@@ -88,22 +88,17 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
-CXX = @CXX@
-CXXCPP = @CXXCPP@
-CXXDEPMODE = @CXXDEPMODE@
-CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DSYMUTIL = @DSYMUTIL@
-ECHO = @ECHO@
+DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-F77 = @F77@
-FFLAGS = @FFLAGS@
+FGREP = @FGREP@
 GPERF = @GPERF@
 GREP = @GREP@
 INSTALL = @INSTALL@
@@ -113,6 +108,7 @@ INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
 IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
 IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
@@ -121,12 +117,16 @@ LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
 LINUX_HEADERS = @LINUX_HEADERS@
+LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+NM = @NM@
 NMEDIT = @NMEDIT@
 OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -149,8 +149,7 @@ abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
-ac_ct_CXX = @ac_ct_CXX@
-ac_ct_F77 = @ac_ct_F77@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -189,6 +188,7 @@ libstrongswan_plugins = @libstrongswan_plugins@
 linuxdir = @linuxdir@
 localedir = @localedir@
 localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c
index 70a0b3e7c..8a13ed489 100644
--- a/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -17,7 +17,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: kernel_netlink_ipsec.c 4662 2008-11-16 21:19:58Z andreas $
+ * $Id: kernel_netlink_ipsec.c 4831 2009-01-09 09:37:13Z andreas $
  */
 
 #include <sys/types.h>
@@ -39,7 +39,7 @@
 
 #include <daemon.h>
 #include <utils/mutex.h>
-#include <utils/linked_list.h>
+#include <utils/hashtable.h>
 #include <processing/jobs/callback_job.h>
 #include <processing/jobs/acquire_job.h>
 #include <processing/jobs/migrate_job.h>
@@ -57,6 +57,11 @@
 #define IP_IPSEC_POLICY 16
 #endif
 
+/* missing on uclibc */
+#ifndef IPV6_IPSEC_POLICY
+#define IPV6_IPSEC_POLICY 34
+#endif /*IPV6_IPSEC_POLICY*/
+
 /** default priority of installed policies */
 #define PRIO_LOW 3000
 #define PRIO_HIGH 2000
@@ -92,13 +97,39 @@ struct kernel_algorithm_t {
 	 * Identifier specified in IKEv2
 	 */
 	int ikev2;
-	
+		
 	/**
 	 * Name of the algorithm in linux crypto API
 	 */
 	char *name;
 };
 
+ENUM(xfrm_msg_names, XFRM_MSG_NEWSA, XFRM_MSG_MAPPING,
+	"XFRM_MSG_NEWSA",
+	"XFRM_MSG_DELSA",
+	"XFRM_MSG_GETSA",
+	"XFRM_MSG_NEWPOLICY",
+	"XFRM_MSG_DELPOLICY",
+	"XFRM_MSG_GETPOLICY",
+	"XFRM_MSG_ALLOCSPI",
+	"XFRM_MSG_ACQUIRE",
+	"XFRM_MSG_EXPIRE",
+	"XFRM_MSG_UPDPOLICY",
+	"XFRM_MSG_UPDSA",
+	"XFRM_MSG_POLEXPIRE",
+	"XFRM_MSG_FLUSHSA",
+	"XFRM_MSG_FLUSHPOLICY",
+	"XFRM_MSG_NEWAE",
+	"XFRM_MSG_GETAE",
+	"XFRM_MSG_REPORT",
+	"XFRM_MSG_MIGRATE",
+	"XFRM_MSG_NEWSADINFO",
+	"XFRM_MSG_GETSADINFO",
+	"XFRM_MSG_NEWSPDINFO",
+	"XFRM_MSG_GETSPDINFO",
+	"XFRM_MSG_MAPPING"
+);
+
 ENUM(xfrm_attr_type_names, XFRMA_UNSPEC, XFRMA_KMADDRESS,
 	"XFRMA_UNSPEC",
 	"XFRMA_ALG_AUTH",
@@ -245,6 +276,24 @@ struct policy_entry_t {
 	u_int refcount;
 };
 
+/**
+ * Hash function for policy_entry_t objects
+ */
+static u_int policy_hash(policy_entry_t *key)
+{
+	chunk_t chunk = chunk_create((void*)&key->sel, sizeof(struct xfrm_selector));
+	return chunk_hash(chunk);
+}
+
+/**
+ * Equality function for policy_entry_t objects
+ */
+static bool policy_equals(policy_entry_t *key, policy_entry_t *other_key)
+{
+	return memeq(&key->sel, &other_key->sel, sizeof(struct xfrm_selector)) &&
+		   key->direction == other_key->direction;
+}
+
 typedef struct private_kernel_netlink_ipsec_t private_kernel_netlink_ipsec_t;
 
 /**
@@ -262,9 +311,9 @@ struct private_kernel_netlink_ipsec_t {
 	mutex_t *mutex;
 	
 	/**
-	 * List of installed policies (policy_entry_t)
+	 * Hash table of installed policies (policy_entry_t)
 	 */
-	linked_list_t *policies;
+	hashtable_t *policies;
 		 
 	/**
 	 * job receiving netlink events
@@ -418,51 +467,48 @@ static struct xfrm_selector ts2selector(traffic_selector_t *src,
  */
 static traffic_selector_t* selector2ts(struct xfrm_selector *sel, bool src)
 {
-	int family;
-	chunk_t addr;
+	u_char *addr;
 	u_int8_t prefixlen;
-	u_int16_t port, port_mask;
-	host_t *host;
-	traffic_selector_t *ts;
-
+	u_int16_t port = 0;
+	host_t *host = NULL;
+	
 	if (src)
 	{
-		addr.ptr = (u_char*)&sel->saddr;
+		addr = (u_char*)&sel->saddr;
 		prefixlen = sel->prefixlen_s;
-		port = sel->sport;
-		port_mask = sel->sport_mask;
+		if (sel->sport_mask)
+		{
+			port = htons(sel->sport);
+		}
 	}
-    else
+	else
 	{
-		addr.ptr = (u_char*)&sel->daddr;
+		addr = (u_char*)&sel->daddr;
 		prefixlen = sel->prefixlen_d;
-		port = sel->dport;
-		port_mask = sel->dport_mask;
+		if (sel->dport_mask)
+		{
+			port = htons(sel->dport);
+		}
 	}
-
+	
 	/* The Linux 2.6 kernel does not set the selector's family field,
-     * so as a kludge we additionally test the prefix length. 
+	 * so as a kludge we additionally test the prefix length. 
 	 */
 	if (sel->family == AF_INET || sel->prefixlen_s == 32)
 	{
-		family = AF_INET;
-		addr.len = 4;
+		host = host_create_from_chunk(AF_INET, chunk_create(addr, 4), 0);
 	}
 	else if (sel->family == AF_INET6 || sel->prefixlen_s == 128)
 	{
-		family = AF_INET6;
-		addr.len = 16;
+		host = host_create_from_chunk(AF_INET6, chunk_create(addr, 16), 0);
 	}
-	else
+	
+	if (host)
 	{
-		return NULL;
+		return traffic_selector_create_from_subnet(host, prefixlen,
+												   sel->proto, port);
 	}
-	host = host_create_from_chunk(family, addr, 0);
-	port = (port_mask == 0) ? 0 : ntohs(port); 
-
-	ts = traffic_selector_create_from_subnet(host, prefixlen, sel->proto, port);
-	host->destroy(host); 		
-	return ts;
+	return NULL;
 }
 
 /**
@@ -1064,7 +1110,7 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this,
 		 * the IPsec checks it marks them "checksum ok" so OA isn't needed. */
 		rthdr = XFRM_RTA_NEXT(rthdr);
 	}
-	
+
 	if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
 	{
 		DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x", ntohl(spi));
@@ -1370,7 +1416,7 @@ static status_t update_sa(private_kernel_netlink_ipsec_t *this,
 		
 		rta = XFRM_RTA_NEXT(rta);
 	}
-	
+
 	if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
 	{
 		DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi));
@@ -1394,7 +1440,6 @@ static status_t add_policy(private_kernel_netlink_ipsec_t *this,
 						   ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
 						   bool routed)
 {
-	iterator_t *iterator;
 	policy_entry_t *current, *policy;
 	bool found = FALSE;
 	netlink_buf_t request;
@@ -1409,27 +1454,21 @@ static status_t add_policy(private_kernel_netlink_ipsec_t *this,
 	
 	/* find the policy, which matches EXACTLY */
 	this->mutex->lock(this->mutex);
-	iterator = this->policies->create_iterator(this->policies, TRUE);
-	while (iterator->iterate(iterator, (void**)&current))
+	current = this->policies->get(this->policies, policy);
+	if (current)
 	{
-		if (memeq(&current->sel, &policy->sel, sizeof(struct xfrm_selector)) &&
-			policy->direction == current->direction)
-		{
-			/* use existing policy */
-			current->refcount++;
-			DBG2(DBG_KNL, "policy %R === %R %N already exists, increasing "
-						  "refcount", src_ts, dst_ts,
-						   policy_dir_names, direction);
-			free(policy);
-			policy = current;
-			found = TRUE;
-			break;
-		}
+		/* use existing policy */
+		current->refcount++;
+		DBG2(DBG_KNL, "policy %R === %R %N already exists, increasing "
+					  "refcount", src_ts, dst_ts,
+					   policy_dir_names, direction);
+		free(policy);
+		policy = current;
+		found = TRUE;
 	}
-	iterator->destroy(iterator);
-	if (!found)
+	else
 	{	/* apply the new one, if we have no such policy */
-		this->policies->insert_last(this->policies, policy);
+		this->policies->put(this->policies, policy, policy);
 		policy->refcount = 1;
 	}
 	
@@ -1657,7 +1696,6 @@ static status_t del_policy(private_kernel_netlink_ipsec_t *this,
 	netlink_buf_t request;
 	struct nlmsghdr *hdr;
 	struct xfrm_userpolicy_id *policy_id;
-	enumerator_t *enumerator;
 	
 	DBG2(DBG_KNL, "deleting policy %R === %R %N", src_ts, dst_ts,
 				   policy_dir_names, direction);
@@ -1669,28 +1707,21 @@ static status_t del_policy(private_kernel_netlink_ipsec_t *this,
 	
 	/* find the policy */
 	this->mutex->lock(this->mutex);
-	enumerator = this->policies->create_enumerator(this->policies);
-	while (enumerator->enumerate(enumerator, &current))
+	current = this->policies->get(this->policies, &policy);
+	if (current)
 	{
-		if (memeq(&current->sel, &policy.sel, sizeof(struct xfrm_selector)) &&
-			policy.direction == current->direction)
+		to_delete = current;
+		if (--to_delete->refcount > 0)
 		{
-			to_delete = current;
-			if (--to_delete->refcount > 0)
-			{
-				/* is used by more SAs, keep in kernel */
-				DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed");
-				this->mutex->unlock(this->mutex);
-				enumerator->destroy(enumerator);
-				return SUCCESS;
-			}
-			/* remove if last reference */
-			this->policies->remove_at(this->policies, enumerator);
-			break;
+			/* is used by more SAs, keep in kernel */
+			DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed");
+			this->mutex->unlock(this->mutex);
+			return SUCCESS;
 		}
+		/* remove if last reference */
+		this->policies->remove(this->policies, to_delete);
 	}
 	this->mutex->unlock(this->mutex);
-	enumerator->destroy(enumerator);
 	if (!to_delete)
 	{
 		DBG1(DBG_KNL, "deleting policy %R === %R %N failed, not found", src_ts,
@@ -1739,9 +1770,18 @@ static status_t del_policy(private_kernel_netlink_ipsec_t *this,
  */
 static void destroy(private_kernel_netlink_ipsec_t *this)
 {
+	enumerator_t *enumerator;
+	policy_entry_t *policy;
+	
 	this->job->cancel(this->job);
 	close(this->socket_xfrm_events);
 	this->socket_xfrm->destroy(this->socket_xfrm);
+	enumerator = this->policies->create_enumerator(this->policies);
+	while (enumerator->enumerate(enumerator, &policy, &policy))
+	{
+		free(policy);
+	}
+	enumerator->destroy(enumerator);
 	this->policies->destroy(this->policies);
 	this->mutex->destroy(this->mutex);
 	free(this);
@@ -1832,7 +1872,8 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create()
 	this->public.interface.destroy = (void(*)(kernel_ipsec_t*)) destroy;
 
 	/* private members */
-	this->policies = linked_list_create();
+	this->policies = hashtable_create((hashtable_hash_t)policy_hash,
+									  (hashtable_equals_t)policy_equals, 32);
 	this->mutex = mutex_create(MUTEX_DEFAULT);
 	this->install_routes = lib->settings->get_bool(lib->settings,
 					"charon.install_routes", TRUE);
diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_net.c b/src/charon/plugins/kernel_netlink/kernel_netlink_net.c
index 69a781c14..6e4ddffe5 100644
--- a/src/charon/plugins/kernel_netlink/kernel_netlink_net.c
+++ b/src/charon/plugins/kernel_netlink/kernel_netlink_net.c
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: kernel_netlink_net.c 4660 2008-11-14 14:23:11Z martin $
+ * $Id: kernel_netlink_net.c 4671 2008-11-18 09:52:28Z martin $
  */
 
 #include <sys/socket.h>
@@ -707,7 +707,8 @@ static bool is_interface_up(private_kernel_netlink_net_t *this, int index)
 {
 	enumerator_t *ifaces;
 	iface_entry_t *iface;
-	bool up = FALSE;
+	/* default to TRUE for interface we do not monitor (e.g. lo) */
+	bool up = TRUE;
 	
 	ifaces = this->ifaces->create_enumerator(this->ifaces);
 	while (ifaces->enumerate(ifaces, &iface))
diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_shared.c b/src/charon/plugins/kernel_netlink/kernel_netlink_shared.c
index 3de56bf48..05bd4e397 100644
--- a/src/charon/plugins/kernel_netlink/kernel_netlink_shared.c
+++ b/src/charon/plugins/kernel_netlink/kernel_netlink_shared.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: kernel_netlink_shared.c 4579 2008-11-05 11:29:56Z martin $
+ * $Id: kernel_netlink_shared.c 4831 2009-01-09 09:37:13Z andreas $
  */
 
 #include <sys/socket.h>
@@ -46,13 +46,23 @@ struct private_netlink_socket_t {
 	 * current sequence number for netlink request
 	 */
 	int seq;
-	
+
+	/**
+	 * netlink socket protocol 
+	 */
+	int protocol;
+
 	/**
 	 * netlink socket 
 	 */
 	int socket;
 };
 
+/**
+ * Imported from kernel_netlink_ipsec.c
+ */
+extern enum_name_t *xfrm_msg_names;
+
 /**
  * Implementation of netlink_socket_t.send
  */
@@ -74,6 +84,13 @@ static status_t netlink_send(private_netlink_socket_t *this, struct nlmsghdr *in
 	addr.nl_pid = 0;
 	addr.nl_groups = 0;
 
+	if (this->protocol == NETLINK_XFRM)
+	{
+		chunk_t in_chunk = { (u_char*)in, in->nlmsg_len };
+
+		DBG3(DBG_KNL, "sending %N: %B", xfrm_msg_names, in->nlmsg_type, &in_chunk);
+	}
+
 	while (TRUE)
 	{
 		len = sendto(this->socket, in, in->nlmsg_len, 0, 
@@ -245,6 +262,7 @@ netlink_socket_t *netlink_socket_create(int protocol) {
 	memset(&addr, 0, sizeof(addr));
 	addr.nl_family = AF_NETLINK;
 	
+	this->protocol = protocol;
 	this->socket = socket(AF_NETLINK, SOCK_RAW, protocol);
 	if (this->socket <= 0)
 	{
diff --git a/src/charon/plugins/kernel_pfkey/Makefile.in b/src/charon/plugins/kernel_pfkey/Makefile.in
index 41bad9715..d606f4a23 100644
--- a/src/charon/plugins/kernel_pfkey/Makefile.in
+++ b/src/charon/plugins/kernel_pfkey/Makefile.in
@@ -87,22 +87,17 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
-CXX = @CXX@
-CXXCPP = @CXXCPP@
-CXXDEPMODE = @CXXDEPMODE@
-CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DSYMUTIL = @DSYMUTIL@
-ECHO = @ECHO@
+DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-F77 = @F77@
-FFLAGS = @FFLAGS@
+FGREP = @FGREP@
 GPERF = @GPERF@
 GREP = @GREP@
 INSTALL = @INSTALL@
@@ -112,6 +107,7 @@ INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
 IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
 IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
@@ -120,12 +116,16 @@ LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
 LINUX_HEADERS = @LINUX_HEADERS@
+LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+NM = @NM@
 NMEDIT = @NMEDIT@
 OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -148,8 +148,7 @@ abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
-ac_ct_CXX = @ac_ct_CXX@
-ac_ct_F77 = @ac_ct_F77@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -188,6 +187,7 @@ libstrongswan_plugins = @libstrongswan_plugins@
 linuxdir = @linuxdir@
 localedir = @localedir@
 localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
diff --git a/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
index 77f3cbed8..656c83083 100644
--- a/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
+++ b/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: kernel_pfkey_ipsec.c 4662 2008-11-16 21:19:58Z andreas $
+ * $Id: kernel_pfkey_ipsec.c 4793 2008-12-11 13:39:30Z tobias $
  */
 
 #include <sys/types.h>
@@ -43,6 +43,11 @@
 #define IP_IPSEC_POLICY 16
 #endif
 
+/* missing on uclibc */
+#ifndef IPV6_IPSEC_POLICY
+#define IPV6_IPSEC_POLICY 34
+#endif /*IPV6_IPSEC_POLICY*/
+
 /** default priority of installed policies */
 #define PRIO_LOW 3000
 #define PRIO_HIGH 2000
@@ -532,6 +537,35 @@ static void host2ext(host_t *host, struct sadb_address *ext)
  	ext->sadb_address_len = PFKEY_LEN(sizeof(*ext) + *len);
 }
 
+/**
+ * add a host to the given sadb_msg
+ */
+static void add_addr_ext(struct sadb_msg *msg, host_t *host, u_int16_t type,
+						 u_int8_t proto, u_int8_t prefixlen)
+{
+	struct sadb_address *addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
+	addr->sadb_address_exttype = type;
+	addr->sadb_address_proto = proto;
+	addr->sadb_address_prefixlen = prefixlen;
+	host2ext(host, addr);
+	PFKEY_EXT_ADD(msg, addr);
+}
+
+/**
+ * adds an empty address extension to the given sadb_msg
+ */
+static void add_anyaddr_ext(struct sadb_msg *msg, int family, u_int8_t type)
+{
+	socklen_t len = (family == AF_INET) ? sizeof(struct sockaddr_in) :
+										  sizeof(struct sockaddr_in6);
+	struct sadb_address *addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
+	addr->sadb_address_exttype = type;
+	sockaddr_t *saddr = (sockaddr_t*)(addr + 1);
+	saddr->sa_family = family;
+ 	addr->sadb_address_len = PFKEY_LEN(sizeof(*addr) + len);
+	PFKEY_EXT_ADD(msg, addr);
+}
+
 /**
  * add udp encap extensions to a sadb_msg
  */
@@ -573,7 +607,6 @@ static traffic_selector_t* sadb_address2ts(struct sadb_address *address)
 	host = host_create_from_sockaddr((sockaddr_t*)&address[1])	;
 	ts = traffic_selector_create_from_subnet(host, address->sadb_address_prefixlen,
  				address->sadb_address_proto, host->get_port(host));
-	host->destroy(host);
 	return ts;
 }
 
@@ -1026,7 +1059,6 @@ static status_t get_spi(private_kernel_pfkey_ipsec_t *this,
 	unsigned char request[PFKEY_BUFFER_SIZE];
 	struct sadb_msg *msg, *out;
 	struct sadb_x_sa2 *sa2;
-	struct sadb_address *addr;
 	struct sadb_spirange *range;
 	pfkey_msg_t response;
 	u_int32_t received_spi = 0;
@@ -1046,15 +1078,8 @@ static status_t get_spi(private_kernel_pfkey_ipsec_t *this,
 	sa2->sadb_x_sa2_reqid = reqid;
 	PFKEY_EXT_ADD(msg, sa2);
 	
-	addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
-	addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
-	host2ext(src, addr);
-	PFKEY_EXT_ADD(msg, addr);
-	
-	addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
-	addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
-	host2ext(dst, addr);
-	PFKEY_EXT_ADD(msg, addr);
+	add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0);
+	add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
 	
 	range = (struct sadb_spirange*)PFKEY_EXT_ADD_NEXT(msg);
 	range->sadb_spirange_exttype = SADB_EXT_SPIRANGE;
@@ -1112,7 +1137,6 @@ static status_t add_sa(private_kernel_pfkey_ipsec_t *this,
 	struct sadb_msg *msg, *out;
 	struct sadb_sa *sa;
 	struct sadb_x_sa2 *sa2;
-	struct sadb_address *addr;
 	struct sadb_lifetime *lft;
 	struct sadb_key *key;
 	size_t len;
@@ -1143,15 +1167,8 @@ static status_t add_sa(private_kernel_pfkey_ipsec_t *this,
 	sa2->sadb_x_sa2_reqid = reqid;
 	PFKEY_EXT_ADD(msg, sa2);
 	
-	addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
-	addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
-	host2ext(src, addr);
-	PFKEY_EXT_ADD(msg, addr);
-	
-	addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
-	addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
-	host2ext(dst, addr);
-	PFKEY_EXT_ADD(msg, addr);
+	add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0);
+	add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
 	
 	lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
 	lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT;
@@ -1244,7 +1261,6 @@ static status_t update_sa(private_kernel_pfkey_ipsec_t *this,
 	unsigned char request[PFKEY_BUFFER_SIZE];
 	struct sadb_msg *msg, *out;
 	struct sadb_sa *sa;
-	struct sadb_address *addr;
 	pfkey_msg_t response;
 	size_t len;
 	
@@ -1276,16 +1292,9 @@ static status_t update_sa(private_kernel_pfkey_ipsec_t *this,
 	PFKEY_EXT_ADD(msg, sa);
 	
 	/* the kernel wants a SADB_EXT_ADDRESS_SRC to be present even though
-	 * it is not used for anything, so we just send dst twice */
-	addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
-	addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
-	host2ext(dst, addr);
-	PFKEY_EXT_ADD(msg, addr);
-	
-	addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
-	addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
-	host2ext(dst, addr);
-	PFKEY_EXT_ADD(msg, addr);
+	 * it is not used for anything. */
+	add_anyaddr_ext(msg, dst->get_family(dst), SADB_EXT_ADDRESS_SRC);
+	add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
 	
 	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
 	{
@@ -1371,7 +1380,6 @@ static status_t del_sa(private_kernel_pfkey_ipsec_t *this, host_t *dst,
 	unsigned char request[PFKEY_BUFFER_SIZE];
 	struct sadb_msg *msg, *out;
 	struct sadb_sa *sa;
-	struct sadb_address *addr;
 	size_t len;
 	
 	memset(&request, 0, sizeof(request));
@@ -1391,16 +1399,9 @@ static status_t del_sa(private_kernel_pfkey_ipsec_t *this, host_t *dst,
 	PFKEY_EXT_ADD(msg, sa);
 	
 	/* the kernel wants a SADB_EXT_ADDRESS_SRC to be present even though
-	 * it is not used for anything, so we just send dst twice */
-	addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
-	addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
-	host2ext(dst, addr);
-	PFKEY_EXT_ADD(msg, addr);
-	
-	addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
-	addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
-	host2ext(dst, addr);
-	PFKEY_EXT_ADD(msg, addr);
+	 * it is not used for anything. */
+	add_anyaddr_ext(msg, dst->get_family(dst), SADB_EXT_ADDRESS_SRC);
+	add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
 	
 	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
 	{
@@ -1435,7 +1436,6 @@ static status_t add_policy(private_kernel_pfkey_ipsec_t *this,
 	unsigned char request[PFKEY_BUFFER_SIZE];
 	struct sadb_msg *msg, *out;
 	struct sadb_x_policy *pol;
-	struct sadb_address *addr;
 	struct sadb_x_ipsecrequest *req;
 	policy_entry_t *policy, *found = NULL;
 	pfkey_msg_t response;
@@ -1510,19 +1510,10 @@ static status_t add_policy(private_kernel_pfkey_ipsec_t *this,
 	pol->sadb_x_policy_len += PFKEY_LEN(req->sadb_x_ipsecrequest_len);
 	PFKEY_EXT_ADD(msg, pol);
 	
-	addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
-	addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
-	addr->sadb_address_proto = policy->src.proto;
-	addr->sadb_address_prefixlen = policy->src.mask;
-	host2ext(policy->src.net, addr);
-	PFKEY_EXT_ADD(msg, addr);
-	
-	addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
-	addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
-	addr->sadb_address_proto = policy->dst.proto;
-	addr->sadb_address_prefixlen = policy->dst.mask;
-	host2ext(policy->dst.net, addr);
-	PFKEY_EXT_ADD(msg, addr);
+	add_addr_ext(msg, policy->src.net, SADB_EXT_ADDRESS_SRC, policy->src.proto,
+				 policy->src.mask);
+	add_addr_ext(msg, policy->dst.net, SADB_EXT_ADDRESS_DST, policy->dst.proto,
+				 policy->dst.mask);
 	
 	this->mutex->unlock(this->mutex);
 	
@@ -1626,7 +1617,6 @@ static status_t query_policy(private_kernel_pfkey_ipsec_t *this,
 	unsigned char request[PFKEY_BUFFER_SIZE];
 	struct sadb_msg *msg, *out;
 	struct sadb_x_policy *pol;
-	struct sadb_address *addr;
 	policy_entry_t *policy, *found = NULL;
 	pfkey_msg_t response;
 	size_t len;
@@ -1667,19 +1657,10 @@ static status_t query_policy(private_kernel_pfkey_ipsec_t *this,
 	pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
 	PFKEY_EXT_ADD(msg, pol);
 	
-	addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
-	addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
-	addr->sadb_address_proto = policy->src.proto;
-	addr->sadb_address_prefixlen = policy->src.mask;
-	host2ext(policy->src.net, addr);
-	PFKEY_EXT_ADD(msg, addr);
-	
-	addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
-	addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
-	addr->sadb_address_proto = policy->dst.proto;
-	addr->sadb_address_prefixlen = policy->dst.mask;
-	host2ext(policy->dst.net, addr);
-	PFKEY_EXT_ADD(msg, addr);
+	add_addr_ext(msg, policy->src.net, SADB_EXT_ADDRESS_SRC, policy->src.proto,
+				 policy->src.mask);
+	add_addr_ext(msg, policy->dst.net, SADB_EXT_ADDRESS_DST, policy->dst.proto,
+				 policy->dst.mask);
 	
 	this->mutex->unlock(this->mutex);
 	
@@ -1723,7 +1704,6 @@ static status_t del_policy(private_kernel_pfkey_ipsec_t *this,
 	unsigned char request[PFKEY_BUFFER_SIZE];
 	struct sadb_msg *msg, *out;
 	struct sadb_x_policy *pol;
-	struct sadb_address *addr;
 	policy_entry_t *policy, *found = NULL;
 	route_entry_t *route;
 	size_t len;
@@ -1777,19 +1757,10 @@ static status_t del_policy(private_kernel_pfkey_ipsec_t *this,
 	pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
 	PFKEY_EXT_ADD(msg, pol);
 	
-	addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
-	addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
-	addr->sadb_address_proto = policy->src.proto;
-	addr->sadb_address_prefixlen = policy->src.mask;
-	host2ext(policy->src.net, addr);
-	PFKEY_EXT_ADD(msg, addr);
-	
-	addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
-	addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
-	addr->sadb_address_proto = policy->dst.proto;
-	addr->sadb_address_prefixlen = policy->dst.mask;
-	host2ext(policy->dst.net, addr);
-	PFKEY_EXT_ADD(msg, addr);
+	add_addr_ext(msg, policy->src.net, SADB_EXT_ADDRESS_SRC, policy->src.proto,
+				 policy->src.mask);
+	add_addr_ext(msg, policy->dst.net, SADB_EXT_ADDRESS_DST, policy->dst.proto,
+				 policy->dst.mask);
 	
 	route = policy->route;
 	policy->route = NULL;
diff --git a/src/charon/plugins/load_tester/Makefile.am b/src/charon/plugins/load_tester/Makefile.am
index 88a6b688c..121f0b080 100644
--- a/src/charon/plugins/load_tester/Makefile.am
+++ b/src/charon/plugins/load_tester/Makefile.am
@@ -10,7 +10,8 @@ libstrongswan_load_tester_la_SOURCES = \
   load_tester_config.c load_tester_config.h \
   load_tester_creds.c load_tester_creds.h \
   load_tester_ipsec.c load_tester_ipsec.h \
-  load_tester_listener.c load_tester_listener.h
+  load_tester_listener.c load_tester_listener.h \
+  load_tester_diffie_hellman.c load_tester_diffie_hellman.h
 
 libstrongswan_load_tester_la_LDFLAGS = -module
 
diff --git a/src/charon/plugins/load_tester/Makefile.in b/src/charon/plugins/load_tester/Makefile.in
index a0a749b87..5a24e83e9 100644
--- a/src/charon/plugins/load_tester/Makefile.in
+++ b/src/charon/plugins/load_tester/Makefile.in
@@ -52,7 +52,8 @@ LTLIBRARIES = $(plugin_LTLIBRARIES)
 libstrongswan_load_tester_la_LIBADD =
 am_libstrongswan_load_tester_la_OBJECTS = load_tester_plugin.lo \
 	load_tester_config.lo load_tester_creds.lo \
-	load_tester_ipsec.lo load_tester_listener.lo
+	load_tester_ipsec.lo load_tester_listener.lo \
+	load_tester_diffie_hellman.lo
 libstrongswan_load_tester_la_OBJECTS =  \
 	$(am_libstrongswan_load_tester_la_OBJECTS)
 libstrongswan_load_tester_la_LINK = $(LIBTOOL) --tag=CC \
@@ -88,22 +89,17 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
-CXX = @CXX@
-CXXCPP = @CXXCPP@
-CXXDEPMODE = @CXXDEPMODE@
-CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DSYMUTIL = @DSYMUTIL@
-ECHO = @ECHO@
+DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-F77 = @F77@
-FFLAGS = @FFLAGS@
+FGREP = @FGREP@
 GPERF = @GPERF@
 GREP = @GREP@
 INSTALL = @INSTALL@
@@ -113,6 +109,7 @@ INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
 IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
 IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
@@ -121,12 +118,16 @@ LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
 LINUX_HEADERS = @LINUX_HEADERS@
+LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+NM = @NM@
 NMEDIT = @NMEDIT@
 OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -149,8 +150,7 @@ abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
-ac_ct_CXX = @ac_ct_CXX@
-ac_ct_F77 = @ac_ct_F77@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -189,6 +189,7 @@ libstrongswan_plugins = @libstrongswan_plugins@
 linuxdir = @linuxdir@
 localedir = @localedir@
 localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
@@ -220,7 +221,8 @@ libstrongswan_load_tester_la_SOURCES = \
   load_tester_config.c load_tester_config.h \
   load_tester_creds.c load_tester_creds.h \
   load_tester_ipsec.c load_tester_ipsec.h \
-  load_tester_listener.c load_tester_listener.h
+  load_tester_listener.c load_tester_listener.h \
+  load_tester_diffie_hellman.c load_tester_diffie_hellman.h
 
 libstrongswan_load_tester_la_LDFLAGS = -module
 all: all-am
@@ -294,6 +296,7 @@ distclean-compile:
 
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/load_tester_config.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/load_tester_creds.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/load_tester_diffie_hellman.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/load_tester_ipsec.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/load_tester_listener.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/load_tester_plugin.Plo@am__quote@
diff --git a/src/charon/plugins/load_tester/load_tester_config.c b/src/charon/plugins/load_tester/load_tester_config.c
index 8e93d24bb..f3cd33b61 100644
--- a/src/charon/plugins/load_tester/load_tester_config.c
+++ b/src/charon/plugins/load_tester/load_tester_config.c
@@ -35,8 +35,88 @@ struct private_load_tester_config_t {
 	 * peer config
 	 */
 	peer_cfg_t *peer_cfg;
+	
+	/**
+	 * virtual IP, if any
+	 */
+	host_t *vip;
+	
+	/**
+	 * Remote address
+	 */
+	char *remote;
+	
+	/**
+	 * IP address pool
+	 */
+	char *pool;
+	
+	/**
+ 	 * IKE proposal
+ 	 */
+	proposal_t *proposal;
+	
+	/**
+	 * Authentication method to use
+	 */
+	auth_class_t class;
+	
+	/**
+	 * incremental numbering of generated configs
+	 */
+	u_int num;
 };
 
+/**
+ * Generate a new initiator config, num = 0 for responder config
+ */
+static peer_cfg_t* generate_config(private_load_tester_config_t *this, uint num)
+{
+	ike_cfg_t *ike_cfg;
+	child_cfg_t *child_cfg;
+	peer_cfg_t *peer_cfg;
+	traffic_selector_t *ts;
+	auth_info_t *auth;
+	identification_t *local, *remote;
+	proposal_t *proposal;
+	char buf[128];
+	
+	if (num)
+	{	/* initiator */
+		snprintf(buf, sizeof(buf), "CN=cli-%d, OU=load-test, O=strongSwan", num);
+		local = identification_create_from_string(buf);
+		snprintf(buf, sizeof(buf), "CN=srv, OU=load-test, O=strongSwan", num);
+		remote = identification_create_from_string(buf);
+	}
+	else
+	{	/* responder */
+		local = identification_create_from_string(
+										"CN=srv, OU=load-test, O=strongSwan");
+		remote = identification_create_from_string(
+										"CN=*, OU=load-test, O=strongSwan");
+	}
+	
+	ike_cfg = ike_cfg_create(FALSE, FALSE, "0.0.0.0", this->remote);
+	ike_cfg->add_proposal(ike_cfg, this->proposal->clone(this->proposal));
+	peer_cfg = peer_cfg_create("load-test", 2, ike_cfg, local, remote,
+			CERT_SEND_IF_ASKED, UNIQUE_NO, 1, 0, 0, /* keytries, rekey, reauth */
+			0, 0, FALSE, 0,	/* jitter, overtime, mobike, dpddelay */
+			this->vip ? this->vip->clone(this->vip) : NULL,
+			this->pool, FALSE, NULL, NULL);
+	auth = peer_cfg->get_auth(peer_cfg);
+	auth->add_item(auth, AUTHN_AUTH_CLASS, &this->class);
+	child_cfg = child_cfg_create("load-test", 600, 400, 100, NULL, TRUE,
+								 MODE_TUNNEL, ACTION_NONE, ACTION_NONE, FALSE);
+	proposal = proposal_create_from_string(PROTO_ESP, "aes128-sha1");
+	child_cfg->add_proposal(child_cfg, proposal);
+	ts = traffic_selector_create_dynamic(0, 0, 65535);
+	child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
+	ts = traffic_selector_create_dynamic(0, 0, 65535);
+	child_cfg->add_traffic_selector(child_cfg, FALSE, ts);
+	peer_cfg->add_child_cfg(peer_cfg, child_cfg);
+	return peer_cfg;
+}
+
 /**
  * Implementation of backend_t.create_peer_cfg_enumerator.
  */
@@ -67,7 +147,7 @@ static peer_cfg_t *get_peer_cfg_by_name(private_load_tester_config_t *this,
 {
 	if (streq(name, "load-test"))
 	{
-		return this->peer_cfg->get_ref(this->peer_cfg);;
+		return generate_config(this, this->num++);
 	}
 	return NULL;
 }
@@ -78,6 +158,8 @@ static peer_cfg_t *get_peer_cfg_by_name(private_load_tester_config_t *this,
 static void destroy(private_load_tester_config_t *this)
 {
 	this->peer_cfg->destroy(this->peer_cfg);
+	DESTROY_IF(this->proposal);
+	DESTROY_IF(this->vip);
 	free(this);
 }
 
@@ -87,56 +169,45 @@ static void destroy(private_load_tester_config_t *this)
 load_tester_config_t *load_tester_config_create()
 {
 	private_load_tester_config_t *this = malloc_thing(private_load_tester_config_t);
-	ike_cfg_t *ike_cfg;
-	child_cfg_t *child_cfg;
-	proposal_t *proposal;
-	traffic_selector_t *ts;
-	auth_info_t *auth;
-	auth_class_t class;
-	char *remote, *pool;
-	host_t *vip = NULL;
+	char *authstr;
 	
 	this->public.backend.create_peer_cfg_enumerator = (enumerator_t*(*)(backend_t*, identification_t *me, identification_t *other))create_peer_cfg_enumerator;
 	this->public.backend.create_ike_cfg_enumerator = (enumerator_t*(*)(backend_t*, host_t *me, host_t *other))create_ike_cfg_enumerator;
 	this->public.backend.get_peer_cfg_by_name = (peer_cfg_t* (*)(backend_t*,char*))get_peer_cfg_by_name;
 	this->public.destroy = (void(*)(load_tester_config_t*))destroy;
 	
+	this->vip = NULL;
 	if (lib->settings->get_bool(lib->settings,
 				"charon.plugins.load_tester.request_virtual_ip", FALSE))
 	{
-		vip = host_create_from_string("0.0.0.0", 0);
+		this->vip = host_create_from_string("0.0.0.0", 0);
 	}
-	pool = lib->settings->get_str(lib->settings,
+	this->pool = lib->settings->get_str(lib->settings,
 				"charon.plugins.load_tester.pool", NULL);
-	remote = lib->settings->get_str(lib->settings, 
+	this->remote = lib->settings->get_str(lib->settings, 
 				"charon.plugins.load_tester.remote", "127.0.0.1");
-	ike_cfg = ike_cfg_create(TRUE, FALSE, "0.0.0.0", remote);
-	proposal = proposal_create_from_string(PROTO_IKE,
+				
+	this->proposal = proposal_create_from_string(PROTO_IKE,
 			lib->settings->get_str(lib->settings,
 				"charon.plugins.load_tester.proposal", "aes128-sha1-modp768"));
-	if (!proposal)
+	if (!this->proposal)
 	{	/* fallback */
-		proposal = proposal_create_from_string(PROTO_IKE, "aes128-sha1-modp768");
+		this->proposal = proposal_create_from_string(PROTO_IKE,
+													 "aes128-sha1-modp768");
 	}
-	ike_cfg->add_proposal(ike_cfg, proposal);
-	this->peer_cfg = peer_cfg_create("load-test", 2, ike_cfg,
-			identification_create_from_string("load-test@strongswan.org"),
-			identification_create_from_string("load-test@strongswan.org"),
-			CERT_SEND_IF_ASKED, UNIQUE_NO, 1, 0, 0, /* keytries, rekey, reauth */
-			0, 0, TRUE, 60,	/* jitter, overtime, mobike, dpddelay */
-			vip, pool, FALSE, NULL, NULL);
-	auth = this->peer_cfg->get_auth(this->peer_cfg);
-	class = AUTH_CLASS_PUBKEY;
-	auth->add_item(auth, AUTHN_AUTH_CLASS, &class);
-	child_cfg = child_cfg_create("load-test", 600, 400, 100, NULL, TRUE,
-								 MODE_TUNNEL, ACTION_NONE, ACTION_NONE, FALSE);
-	proposal = proposal_create_from_string(PROTO_ESP, "aes128-sha1");
-	child_cfg->add_proposal(child_cfg, proposal);
-	ts = traffic_selector_create_dynamic(0, 0, 65535);
-	child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
-	ts = traffic_selector_create_dynamic(0, 0, 65535);
-	child_cfg->add_traffic_selector(child_cfg, FALSE, ts);
-	this->peer_cfg->add_child_cfg(this->peer_cfg, child_cfg);
+	authstr = lib->settings->get_str(lib->settings,
+								"charon.plugins.load_tester.auth", "pubkey");
+	if (streq(authstr, "psk"))
+	{
+		this->class = AUTH_CLASS_PSK;
+	}
+	else
+	{
+		this->class = AUTH_CLASS_PUBKEY;
+	}
+	
+	this->num = 1;
+	this->peer_cfg = generate_config(this, 0);
 	
 	return &this->public;
 }
diff --git a/src/charon/plugins/load_tester/load_tester_creds.c b/src/charon/plugins/load_tester/load_tester_creds.c
index ec69a1ac9..476a90b9f 100644
--- a/src/charon/plugins/load_tester/load_tester_creds.c
+++ b/src/charon/plugins/load_tester/load_tester_creds.c
@@ -17,8 +17,11 @@
 
 #include "load_tester_creds.h"
 
+#include <time.h>
+
 #include <daemon.h>
 #include <credentials/keys/shared_key.h>
+#include <credentials/certificates/x509.h>
 #include <utils/identification.h>
 
 typedef struct private_load_tester_creds_t private_load_tester_creds_t;
@@ -38,9 +41,24 @@ struct private_load_tester_creds_t {
 	private_key_t *private;
 	
 	/**
-	 * Trusted certificate to verify signatures
+	 * CA certificate, to issue/verify peer certificates
+	 */
+	certificate_t *ca;
+	
+	/**
+	 * serial number to issue certificates
+	 */
+	u_int32_t serial;
+	
+	/**
+	 * Preshared key
+	 */
+	shared_key_t *shared;
+	
+	/**
+	 * Identification for shared key
 	 */
-	certificate_t *cert;
+	identification_t *id;
 };
 
 /**
@@ -106,28 +124,33 @@ static char private[] = {
 /**
  * And an associated self-signed certificate
 -----BEGIN CERTIFICATE-----
-MIIB2zCCAUSgAwIBAgIRAKmSLQc+3QV4WswVkpxqY5kwDQYJKoZIhvcNAQEFBQAw
-FzEVMBMGA1UEAxMMbG9hZC10ZXN0aW5nMB4XDTA4MTAyMTEyNDk0MFoXDTEzMTAy
-MDEyNDk0MFowFzEVMBMGA1UEAxMMbG9hZC10ZXN0aW5nMIGfMA0GCSqGSIb3DQEB
+MIIB9DCCAV2gAwIBAgIBADANBgkqhkiG9w0BAQUFADA3MQwwCgYDVQQDEwNzcnYx
+EjAQBgNVBAsTCWxvYWQtdGVzdDETMBEGA1UEChMKc3Ryb25nU3dhbjAeFw0wODEy
+MDgxODU4NDhaFw0xODEyMDYxODU4NDhaMDcxDDAKBgNVBAMTA3NydjESMBAGA1UE
+CxMJbG9hZC10ZXN0MRMwEQYDVQQKEwpzdHJvbmdTd2FuMIGfMA0GCSqGSIb3DQEB
 AQUAA4GNADCBiQKBgQDQXr7poAPYZLxmTCqR51STGRuk9Hc5SWtTcs6b2RzpnP8E
 VRLxJEVxOKE9Mw6n7mD1pNrupCpnpGRdLAV5VznTPhSQ6k7ppJJrxosRYg0pHTZq
 BUEC7nQFwAe10g8q0UnM1wa4lJzGxDH78d21cVweJgbkxAeyriS0jhNs7gO5nQID
-AQABoycwJTAjBgNVHREEHDAagRhsb2FkLXRlc3RAc3Ryb25nc3dhbi5vcmcwDQYJ
-KoZIhvcNAQEFBQADgYEATyQ3KLVU13Q3U3uZZtQL56rm680wMLu0+2z164PnxcTu
-Donp19AwPfvl4y0kjCdQYqUA6NXczub40ZrCMfmZEbVarW9oAys9lWef8sqfW0pv
-asNWsTOOwgg4gcASh1VCYsMX73C8R1pegWM/btyX2SEa7+R1rBEZwHVtIxgFcnM=
+AQABoxAwDjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAF39Xedyk2wj
+qOcaaZ7ypb8RDlLvS0uaJMVtLtIhtb2weMMlgdmOnKXEYrJL2/mbp14Fhe+XYME9
+nZLAnmUnX8bQWCsQlajb7YGE8w6QDMwXUVgSXTMhRl+PRX2CMIUzU21h1EIx65Po
+CwMLbJ7vQqwPHXRitDmNkEOK9H+vRnDf
 -----END CERTIFICATE-----
+
  */
-static char cert[] = {
-  0x30,0x82,0x01,0xdb,0x30,0x82,0x01,0x44,0xa0,0x03,0x02,0x01,0x02,0x02,0x11,0x00,
-  0xa9,0x92,0x2d,0x07,0x3e,0xdd,0x05,0x78,0x5a,0xcc,0x15,0x92,0x9c,0x6a,0x63,0x99,
+char cert[] = {
+  0x30,0x82,0x01,0xf4,0x30,0x82,0x01,0x5d,0xa0,0x03,0x02,0x01,0x02,0x02,0x01,0x00,
   0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x05,0x05,0x00,0x30,
-  0x17,0x31,0x15,0x30,0x13,0x06,0x03,0x55,0x04,0x03,0x13,0x0c,0x6c,0x6f,0x61,0x64,
-  0x2d,0x74,0x65,0x73,0x74,0x69,0x6e,0x67,0x30,0x1e,0x17,0x0d,0x30,0x38,0x31,0x30,
-  0x32,0x31,0x31,0x32,0x34,0x39,0x34,0x30,0x5a,0x17,0x0d,0x31,0x33,0x31,0x30,0x32,
-  0x30,0x31,0x32,0x34,0x39,0x34,0x30,0x5a,0x30,0x17,0x31,0x15,0x30,0x13,0x06,0x03,
-  0x55,0x04,0x03,0x13,0x0c,0x6c,0x6f,0x61,0x64,0x2d,0x74,0x65,0x73,0x74,0x69,0x6e,
-  0x67,0x30,0x81,0x9f,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,
+  0x37,0x31,0x0c,0x30,0x0a,0x06,0x03,0x55,0x04,0x03,0x13,0x03,0x73,0x72,0x76,0x31,
+  0x12,0x30,0x10,0x06,0x03,0x55,0x04,0x0b,0x13,0x09,0x6c,0x6f,0x61,0x64,0x2d,0x74,
+  0x65,0x73,0x74,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0a,0x13,0x0a,0x73,0x74,
+  0x72,0x6f,0x6e,0x67,0x53,0x77,0x61,0x6e,0x30,0x1e,0x17,0x0d,0x30,0x38,0x31,0x32,
+  0x30,0x38,0x31,0x38,0x35,0x38,0x34,0x38,0x5a,0x17,0x0d,0x31,0x38,0x31,0x32,0x30,
+  0x36,0x31,0x38,0x35,0x38,0x34,0x38,0x5a,0x30,0x37,0x31,0x0c,0x30,0x0a,0x06,0x03,
+  0x55,0x04,0x03,0x13,0x03,0x73,0x72,0x76,0x31,0x12,0x30,0x10,0x06,0x03,0x55,0x04,
+  0x0b,0x13,0x09,0x6c,0x6f,0x61,0x64,0x2d,0x74,0x65,0x73,0x74,0x31,0x13,0x30,0x11,
+  0x06,0x03,0x55,0x04,0x0a,0x13,0x0a,0x73,0x74,0x72,0x6f,0x6e,0x67,0x53,0x77,0x61,
+  0x6e,0x30,0x81,0x9f,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,
   0x01,0x05,0x00,0x03,0x81,0x8d,0x00,0x30,0x81,0x89,0x02,0x81,0x81,0x00,0xd0,0x5e,
   0xbe,0xe9,0xa0,0x03,0xd8,0x64,0xbc,0x66,0x4c,0x2a,0x91,0xe7,0x54,0x93,0x19,0x1b,
   0xa4,0xf4,0x77,0x39,0x49,0x6b,0x53,0x72,0xce,0x9b,0xd9,0x1c,0xe9,0x9c,0xff,0x04,
@@ -137,18 +160,25 @@ static char cert[] = {
   0x05,0x41,0x02,0xee,0x74,0x05,0xc0,0x07,0xb5,0xd2,0x0f,0x2a,0xd1,0x49,0xcc,0xd7,
   0x06,0xb8,0x94,0x9c,0xc6,0xc4,0x31,0xfb,0xf1,0xdd,0xb5,0x71,0x5c,0x1e,0x26,0x06,
   0xe4,0xc4,0x07,0xb2,0xae,0x24,0xb4,0x8e,0x13,0x6c,0xee,0x03,0xb9,0x9d,0x02,0x03,
-  0x01,0x00,0x01,0xa3,0x27,0x30,0x25,0x30,0x23,0x06,0x03,0x55,0x1d,0x11,0x04,0x1c,
-  0x30,0x1a,0x81,0x18,0x6c,0x6f,0x61,0x64,0x2d,0x74,0x65,0x73,0x74,0x40,0x73,0x74,
-  0x72,0x6f,0x6e,0x67,0x73,0x77,0x61,0x6e,0x2e,0x6f,0x72,0x67,0x30,0x0d,0x06,0x09,
-  0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x05,0x05,0x00,0x03,0x81,0x81,0x00,0x4f,
-  0x24,0x37,0x28,0xb5,0x54,0xd7,0x74,0x37,0x53,0x7b,0x99,0x66,0xd4,0x0b,0xe7,0xaa,
-  0xe6,0xeb,0xcd,0x30,0x30,0xbb,0xb4,0xfb,0x6c,0xf5,0xeb,0x83,0xe7,0xc5,0xc4,0xee,
-  0x0e,0x89,0xe9,0xd7,0xd0,0x30,0x3d,0xfb,0xe5,0xe3,0x2d,0x24,0x8c,0x27,0x50,0x62,
-  0xa5,0x00,0xe8,0xd5,0xdc,0xce,0xe6,0xf8,0xd1,0x9a,0xc2,0x31,0xf9,0x99,0x11,0xb5,
-  0x5a,0xad,0x6f,0x68,0x03,0x2b,0x3d,0x95,0x67,0x9f,0xf2,0xca,0x9f,0x5b,0x4a,0x6f,
-  0x6a,0xc3,0x56,0xb1,0x33,0x8e,0xc2,0x08,0x38,0x81,0xc0,0x12,0x87,0x55,0x42,0x62,
-  0xc3,0x17,0xef,0x70,0xbc,0x47,0x5a,0x5e,0x81,0x63,0x3f,0x6e,0xdc,0x97,0xd9,0x21,
-  0x1a,0xef,0xe4,0x75,0xac,0x11,0x19,0xc0,0x75,0x6d,0x23,0x18,0x05,0x72,0x73,
+  0x01,0x00,0x01,0xa3,0x10,0x30,0x0e,0x30,0x0c,0x06,0x03,0x55,0x1d,0x13,0x04,0x05,
+  0x30,0x03,0x01,0x01,0xff,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,
+  0x01,0x05,0x05,0x00,0x03,0x81,0x81,0x00,0x5d,0xfd,0x5d,0xe7,0x72,0x93,0x6c,0x23,
+  0xa8,0xe7,0x1a,0x69,0x9e,0xf2,0xa5,0xbf,0x11,0x0e,0x52,0xef,0x4b,0x4b,0x9a,0x24,
+  0xc5,0x6d,0x2e,0xd2,0x21,0xb5,0xbd,0xb0,0x78,0xc3,0x25,0x81,0xd9,0x8e,0x9c,0xa5,
+  0xc4,0x62,0xb2,0x4b,0xdb,0xf9,0x9b,0xa7,0x5e,0x05,0x85,0xef,0x97,0x60,0xc1,0x3d,
+  0x9d,0x92,0xc0,0x9e,0x65,0x27,0x5f,0xc6,0xd0,0x58,0x2b,0x10,0x95,0xa8,0xdb,0xed,
+  0x81,0x84,0xf3,0x0e,0x90,0x0c,0xcc,0x17,0x51,0x58,0x12,0x5d,0x33,0x21,0x46,0x5f,
+  0x8f,0x45,0x7d,0x82,0x30,0x85,0x33,0x53,0x6d,0x61,0xd4,0x42,0x31,0xeb,0x93,0xe8,
+  0x0b,0x03,0x0b,0x6c,0x9e,0xef,0x42,0xac,0x0f,0x1d,0x74,0x62,0xb4,0x39,0x8d,0x90,
+  0x43,0x8a,0xf4,0x7f,0xaf,0x46,0x70,0xdf,
+};
+
+
+/**
+ * A preshared key
+ */
+static char psk[] = {
+  0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08
 };
 
 /**
@@ -185,7 +215,13 @@ static enumerator_t* create_cert_enumerator(private_load_tester_creds_t *this,
 							certificate_type_t cert, key_type_t key,
 							identification_t *id, bool trusted)
 {
-	if (this->cert == NULL)
+	certificate_t *peer_cert;
+	public_key_t *peer_key, *ca_key;
+	u_int32_t serial;
+	time_t now;
+	identification_t *keyid = NULL;
+	
+	if (this->ca == NULL)
 	{
 		return NULL;
 	}
@@ -197,11 +233,62 @@ static enumerator_t* create_cert_enumerator(private_load_tester_creds_t *this,
 	{
 		return NULL;
 	}
-	if (id && !this->cert->has_subject(this->cert, id))
+	ca_key = this->ca->get_public_key(this->ca);
+	if (ca_key && id)
+	{
+		keyid = ca_key->get_id(ca_key, id->get_type(id));
+	}
+	if (!id || this->ca->has_subject(this->ca, id) ||
+		(keyid && id->equals(id, keyid)))
+	{	/* ca certificate */
+		DESTROY_IF(ca_key);
+		return enumerator_create_single(this->ca, NULL);
+	}
+	DESTROY_IF(ca_key);
+	if (!trusted)
+	{
+		/* peer certificate, generate on demand */
+		serial = htonl(++this->serial);
+		now = time(NULL);
+		peer_key = this->private->get_public_key(this->private);
+		peer_cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+									BUILD_SIGNING_KEY, this->private,
+									BUILD_SIGNING_CERT, this->ca,
+									BUILD_PUBLIC_KEY, peer_key,
+									BUILD_SUBJECT, id,
+									BUILD_NOT_BEFORE_TIME, now - 60 * 60 * 24,
+									BUILD_NOT_AFTER_TIME, now + 60 * 60 * 24,
+									BUILD_SERIAL, chunk_from_thing(serial),
+									BUILD_END);
+		peer_key->destroy(peer_key);
+		if (peer_cert)
+		{
+			return enumerator_create_single(peer_cert, (void*)peer_cert->destroy);
+		}
+	}
+	return NULL;
+}
+
+/**
+ * Implements credential_set_t.create_shared_enumerator
+ */
+static enumerator_t* create_shared_enumerator(private_load_tester_creds_t *this, 
+							shared_key_type_t type,	identification_t *me,
+							identification_t *other)
+{
+	if (type != SHARED_ANY && type != SHARED_IKE)
+	{
+		return NULL;
+	}
+	if (me && !me->matches(me, this->id))
+	{
+		return NULL;
+	}
+	if (other && !other->matches(other, this->id))
 	{
 		return NULL;
 	}
-	return enumerator_create_single(this->cert, NULL);
+	return enumerator_create_single(this->shared, NULL);
 }
 
 /**
@@ -210,7 +297,9 @@ static enumerator_t* create_cert_enumerator(private_load_tester_creds_t *this,
 static void destroy(private_load_tester_creds_t *this)
 {
 	DESTROY_IF(this->private);
-	DESTROY_IF(this->cert);
+	DESTROY_IF(this->ca);
+	this->shared->destroy(this->shared);
+	this->id->destroy(this->id);
 	free(this);
 }
 
@@ -218,7 +307,7 @@ load_tester_creds_t *load_tester_creds_create()
 {
 	private_load_tester_creds_t *this = malloc_thing(private_load_tester_creds_t);
 
-	this->public.credential_set.create_shared_enumerator = (enumerator_t*(*)(credential_set_t*, shared_key_type_t, identification_t*, identification_t*))return_null;
+	this->public.credential_set.create_shared_enumerator = (enumerator_t*(*)(credential_set_t*, shared_key_type_t, identification_t*, identification_t*))create_shared_enumerator;
 	this->public.credential_set.create_private_enumerator = (enumerator_t*(*) (credential_set_t*, key_type_t, identification_t*))create_private_enumerator;
 	this->public.credential_set.create_cert_enumerator = (enumerator_t*(*) (credential_set_t*,	certificate_type_t, key_type_t,identification_t *, bool))create_cert_enumerator;
 	this->public.credential_set.create_cdp_enumerator  = (enumerator_t*(*) (credential_set_t *,certificate_type_t, identification_t *))return_null;
@@ -226,11 +315,18 @@ load_tester_creds_t *load_tester_creds_create()
 	this->public.destroy = (void(*) (load_tester_creds_t*))destroy;
 	
 	this->private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
-		BUILD_BLOB_ASN1_DER, chunk_create(private, sizeof(private)), BUILD_END);	
+				BUILD_BLOB_ASN1_DER, chunk_create(private, sizeof(private)),
+				BUILD_END);
 	
-	this->cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
-		BUILD_BLOB_ASN1_DER, chunk_create(cert, sizeof(cert)), BUILD_END);			   
+	this->ca = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+				BUILD_BLOB_ASN1_DER, chunk_create(cert, sizeof(cert)),
+				BUILD_X509_FLAG, X509_CA,
+				BUILD_END);
 	
+	this->shared = shared_key_create(SHARED_IKE, 
+									 chunk_clone(chunk_create(psk, sizeof(psk))));
+	this->id = identification_create_from_string("CN=*, OU=load-test, O=strongSwan");
+	this->serial = 0;
 	return &this->public;
 }
 
diff --git a/src/charon/plugins/load_tester/load_tester_diffie_hellman.c b/src/charon/plugins/load_tester/load_tester_diffie_hellman.c
new file mode 100644
index 000000000..4cc9dbc48
--- /dev/null
+++ b/src/charon/plugins/load_tester/load_tester_diffie_hellman.c
@@ -0,0 +1,69 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+#include "load_tester_diffie_hellman.h"
+
+/**
+ * Implementation of gmp_diffie_hellman_t.get_my_public_value.
+ */
+static void get_my_public_value(load_tester_diffie_hellman_t *this,
+								chunk_t *value)
+{
+	*value = chunk_empty;
+}
+
+/**
+ * Implementation of gmp_diffie_hellman_t.get_shared_secret.
+ */
+static status_t get_shared_secret(load_tester_diffie_hellman_t *this,
+								  chunk_t *secret)
+{
+	*secret = chunk_empty;
+	return SUCCESS;
+}
+
+/**
+ * Implementation of gmp_diffie_hellman_t.get_dh_group.
+ */
+static diffie_hellman_group_t get_dh_group(load_tester_diffie_hellman_t *this)
+{
+	return MODP_NULL;
+}
+
+/**
+ * See header
+ */
+load_tester_diffie_hellman_t *load_tester_diffie_hellman_create(
+												diffie_hellman_group_t group)
+{
+	load_tester_diffie_hellman_t *this;
+	
+	if (group != MODP_NULL)
+	{
+		return NULL;
+	}
+	
+	this = malloc_thing(load_tester_diffie_hellman_t);
+	
+	this->dh.get_shared_secret = (status_t (*)(diffie_hellman_t *, chunk_t *))get_shared_secret;
+	this->dh.set_other_public_value = (void (*)(diffie_hellman_t *, chunk_t ))nop;
+	this->dh.get_my_public_value = (void (*)(diffie_hellman_t *, chunk_t *))get_my_public_value;
+	this->dh.get_dh_group = (diffie_hellman_group_t (*)(diffie_hellman_t *))get_dh_group;
+	this->dh.destroy = (void (*)(diffie_hellman_t *))free;
+	
+	return this;
+}
diff --git a/src/charon/plugins/load_tester/load_tester_diffie_hellman.h b/src/charon/plugins/load_tester/load_tester_diffie_hellman.h
new file mode 100644
index 000000000..1f66e7f2b
--- /dev/null
+++ b/src/charon/plugins/load_tester/load_tester_diffie_hellman.h
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+/**
+ * @defgroup load_tester_diffie_hellman load_tester_diffie_hellman
+ * @{ @ingroup load_tester
+ */
+
+#ifndef LOAD_TESTER_DIFFIE_HELLMAN_H_
+#define LOAD_TESTER_DIFFIE_HELLMAN_H_
+
+#include <crypto/diffie_hellman.h>
+
+typedef struct load_tester_diffie_hellman_t load_tester_diffie_hellman_t;
+
+/**
+ * A NULL Diffie Hellman implementation to avoid calculation overhead in tests.
+ */
+struct load_tester_diffie_hellman_t {
+	
+	/**
+	 * Implements diffie_hellman_t interface.
+	 */
+	diffie_hellman_t dh;
+};
+
+/**
+ * Creates a new gmp_diffie_hellman_t object.
+ * 
+ * @param group			Diffie Hellman group, supports MODP_NULL only
+ * @return				gmp_diffie_hellman_t object
+ */
+load_tester_diffie_hellman_t *load_tester_diffie_hellman_create(
+												diffie_hellman_group_t group);
+
+#endif /* LOAD_TESTER_DIFFIE_HELLMAN_ @}*/
diff --git a/src/charon/plugins/load_tester/load_tester_listener.c b/src/charon/plugins/load_tester/load_tester_listener.c
index 991408a44..fe9e16fe7 100644
--- a/src/charon/plugins/load_tester/load_tester_listener.c
+++ b/src/charon/plugins/load_tester/load_tester_listener.c
@@ -17,6 +17,8 @@
 
 #include "load_tester_listener.h"
 
+#include <signal.h>
+
 #include <daemon.h>
 #include <processing/jobs/delete_ike_sa_job.h>
 
@@ -35,6 +37,16 @@ struct private_load_tester_listener_t {
 	 * Delete IKE_SA after it has been established
 	 */
 	bool delete_after_established;
+
+	/**
+	 * Number of established SAs
+	 */
+	u_int established;
+	
+	/**
+	 * Shutdown the daemon if we have established this SA count
+	 */
+	u_int shutdown_on;
 };
 
 /**
@@ -43,10 +55,24 @@ struct private_load_tester_listener_t {
 static bool ike_state_change(private_load_tester_listener_t *this,
 							 ike_sa_t *ike_sa, ike_sa_state_t state)
 {
-	if (this->delete_after_established && state == IKE_ESTABLISHED)
+	if (state == IKE_ESTABLISHED)
 	{
-		charon->processor->queue_job(charon->processor,
-				(job_t*)delete_ike_sa_job_create(ike_sa->get_id(ike_sa), TRUE));
+		ike_sa_id_t *id = ike_sa->get_id(ike_sa);
+	
+		if (this->delete_after_established)
+		{
+			charon->processor->queue_job(charon->processor,
+									(job_t*)delete_ike_sa_job_create(id, TRUE));
+		}
+		
+		if (id->is_initiator(id))
+		{
+			if (this->shutdown_on == ++this->established)
+			{
+				DBG1(DBG_CFG, "load-test complete, raising SIGTERM");
+				pthread_kill(charon->main_thread_id, SIGTERM);
+			}
+		}
 	}
 	return TRUE;
 }
@@ -59,7 +85,7 @@ static void destroy(private_load_tester_listener_t *this)
 	free(this);
 }
 
-load_tester_listener_t *load_tester_listener_create()
+load_tester_listener_t *load_tester_listener_create(u_int shutdown_on)
 {
 	private_load_tester_listener_t *this = malloc_thing(private_load_tester_listener_t);
 	
@@ -70,6 +96,9 @@ load_tester_listener_t *load_tester_listener_create()
 	this->delete_after_established = lib->settings->get_bool(lib->settings,
 				"charon.plugins.load_tester.delete_after_established", FALSE);
 	
+	this->shutdown_on = shutdown_on;
+	this->established = 0;
+	
 	return &this->public;
 }
 
diff --git a/src/charon/plugins/load_tester/load_tester_listener.h b/src/charon/plugins/load_tester/load_tester_listener.h
index 28bb57d05..6ef749b96 100644
--- a/src/charon/plugins/load_tester/load_tester_listener.h
+++ b/src/charon/plugins/load_tester/load_tester_listener.h
@@ -46,8 +46,9 @@ struct load_tester_listener_t {
 /**
  * Create a listener to handle special events during load test
  *
- * @return			listener
+ * @param shutdown_on	shut down the daemon after this many SAs are established
+ * @return				listener
  */
-load_tester_listener_t *load_tester_listener_create();
+load_tester_listener_t *load_tester_listener_create(u_int shutdown_on);
 
 #endif /* LOAD_TESTER_LISTENER_H_ @}*/
diff --git a/src/charon/plugins/load_tester/load_tester_plugin.c b/src/charon/plugins/load_tester/load_tester_plugin.c
index aff83a9a7..444a92e2b 100644
--- a/src/charon/plugins/load_tester/load_tester_plugin.c
+++ b/src/charon/plugins/load_tester/load_tester_plugin.c
@@ -20,11 +20,13 @@
 #include "load_tester_creds.h"
 #include "load_tester_ipsec.h"
 #include "load_tester_listener.h"
+#include "load_tester_diffie_hellman.h"
 
 #include <unistd.h>
 
 #include <daemon.h>
 #include <processing/jobs/callback_job.h>
+#include <utils/mutex.h>
 
 typedef struct private_load_tester_plugin_t private_load_tester_plugin_t;
 
@@ -59,14 +61,29 @@ struct private_load_tester_plugin_t {
 	int iterations;
 	
 	/**
-	 * number of threads
+	 * number desired initiator threads
 	 */
 	int initiators;
 	
+	/**
+	 * currenly running initiators
+	 */
+	int running;
+	
 	/**
 	 * delay between initiations, in ms
 	 */
 	int delay;
+	
+	/**
+	 * mutex to lock running field
+	 */
+	mutex_t *mutex;
+	
+	/**
+	 * condvar to wait for initiators
+	 */
+	condvar_t *condvar;
 };
 
 /**
@@ -74,48 +91,56 @@ struct private_load_tester_plugin_t {
  */
 static job_requeue_t do_load_test(private_load_tester_plugin_t *this)
 {
-	peer_cfg_t *peer_cfg;
-	child_cfg_t *child_cfg = NULL;;
-	enumerator_t *enumerator;
 	int i, s = 0, ms = 0;
 	
+	this->mutex->lock(this->mutex);
+	if (!this->running)
+	{
+		this->running = this->initiators;
+	}
+	this->mutex->unlock(this->mutex);
 	if (this->delay)
 	{
 		s = this->delay / 1000;
 		ms = this->delay % 1000;
 	}
-	peer_cfg = charon->backends->get_peer_cfg_by_name(charon->backends,
-													  "load-test");
-	if (peer_cfg)
+	
+	for (i = 0; this->iterations == 0 || i < this->iterations; i++)
 	{
+		peer_cfg_t *peer_cfg;
+		child_cfg_t *child_cfg = NULL;
+		enumerator_t *enumerator;
+	
+		peer_cfg = charon->backends->get_peer_cfg_by_name(charon->backends,
+														  "load-test");
+		if (!peer_cfg)
+		{
+			break;
+		}
 		enumerator = peer_cfg->create_child_cfg_enumerator(peer_cfg);
-		if (enumerator->enumerate(enumerator, &child_cfg))
+		if (!enumerator->enumerate(enumerator, &child_cfg))
 		{
-			child_cfg->get_ref(child_cfg);
+			enumerator->destroy(enumerator);
+			break;
 		}
 		enumerator->destroy(enumerator);
 		
-		if (child_cfg)
-		{
-			for (i = 0; this->iterations == 0 || i < this->iterations; i++)
-			{
-				charon->controller->initiate(charon->controller,
-					peer_cfg->get_ref(peer_cfg), child_cfg->get_ref(child_cfg),
+		charon->controller->initiate(charon->controller,
+					peer_cfg, child_cfg->get_ref(child_cfg),
 					NULL, NULL);
-				
-				if (s)
-				{
-					sleep(s);
-				}
-				if (ms)
-				{
-					usleep(ms * 1000);
-				}
-			}
-			child_cfg->destroy(child_cfg);
+		if (s)
+		{
+			sleep(s);
+		}
+		if (ms)
+		{
+			usleep(ms * 1000);
 		}
-		peer_cfg->destroy(peer_cfg);
 	}
+	this->mutex->lock(this->mutex);
+	this->running--;
+	this->mutex->unlock(this->mutex);
+	this->condvar->signal(this->condvar);
 	return JOB_REQUEUE_NONE;
 }
 
@@ -124,6 +149,13 @@ static job_requeue_t do_load_test(private_load_tester_plugin_t *this)
  */
 static void destroy(private_load_tester_plugin_t *this)
 {
+	this->iterations = -1;
+	this->mutex->lock(this->mutex);
+	while (this->running)
+	{
+		this->condvar->wait(this->condvar, this->mutex);
+	}
+	this->mutex->unlock(this->mutex);
 	charon->kernel_interface->remove_ipsec_interface(charon->kernel_interface,
 						(kernel_ipsec_constructor_t)load_tester_ipsec_create);
 	charon->backends->remove_backend(charon->backends, &this->config->backend);
@@ -132,6 +164,10 @@ static void destroy(private_load_tester_plugin_t *this)
 	this->config->destroy(this->config);
 	this->creds->destroy(this->creds);
 	this->listener->destroy(this->listener);
+	lib->crypto->remove_dh(lib->crypto,
+						(dh_constructor_t)load_tester_diffie_hellman_create);
+	this->mutex->destroy(this->mutex);
+	this->condvar->destroy(this->condvar);
 	free(this);
 }
 
@@ -140,30 +176,50 @@ static void destroy(private_load_tester_plugin_t *this)
  */
 plugin_t *plugin_create()
 {
-	private_load_tester_plugin_t *this = malloc_thing(private_load_tester_plugin_t);
-	int i;
+	private_load_tester_plugin_t *this;
+	u_int i, shutdown_on = 0;
 	
+	if (!lib->settings->get_bool(lib->settings,
+								 "charon.plugins.load_tester.enable", FALSE))
+	{
+		DBG1(DBG_CFG, "disabling load-tester plugin, not configured");
+		return NULL;
+	}
+	
+	this = malloc_thing(private_load_tester_plugin_t);
 	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
 	
+	lib->crypto->add_dh(lib->crypto, MODP_NULL, 
+						(dh_constructor_t)load_tester_diffie_hellman_create);
+	
+	this->delay = lib->settings->get_int(lib->settings,
+					"charon.plugins.load_tester.delay", 0);
+	this->iterations = lib->settings->get_int(lib->settings,
+					"charon.plugins.load_tester.iterations", 1);
+	this->initiators = lib->settings->get_int(lib->settings,
+					"charon.plugins.load_tester.initiators", 0);
+	if (lib->settings->get_bool(lib->settings,
+					"charon.plugins.load_tester.shutdown_when_complete", 0))
+	{
+		shutdown_on = this->iterations * this->initiators;
+	}
+	
+	this->mutex = mutex_create(MUTEX_DEFAULT);
+	this->condvar = condvar_create(CONDVAR_DEFAULT);
 	this->config = load_tester_config_create();
 	this->creds = load_tester_creds_create();
-	this->listener = load_tester_listener_create();
+	this->listener = load_tester_listener_create(shutdown_on);
 	charon->backends->add_backend(charon->backends, &this->config->backend);
 	charon->credentials->add_set(charon->credentials, &this->creds->credential_set);
 	charon->bus->add_listener(charon->bus, &this->listener->listener);
 	
 	if (lib->settings->get_bool(lib->settings,
-								"charon.plugins.load_tester.fake_kernel", FALSE))
+					"charon.plugins.load_tester.fake_kernel", FALSE))
 	{
 		charon->kernel_interface->add_ipsec_interface(charon->kernel_interface, 
 						(kernel_ipsec_constructor_t)load_tester_ipsec_create);
 	}
-	this->delay = lib->settings->get_int(lib->settings,
-								"charon.plugins.load_tester.delay", 0);
-	this->iterations = lib->settings->get_int(lib->settings,
-								"charon.plugins.load_tester.iterations", 1);
-	this->initiators = lib->settings->get_int(lib->settings,
-								"charon.plugins.load_tester.initiators", 0);
+	this->running = 0;
 	for (i = 0; i < this->initiators; i++)
 	{
 		charon->processor->queue_job(charon->processor, 
diff --git a/src/charon/plugins/medcli/Makefile.in b/src/charon/plugins/medcli/Makefile.in
index 605ee1399..33c08eea8 100644
--- a/src/charon/plugins/medcli/Makefile.in
+++ b/src/charon/plugins/medcli/Makefile.in
@@ -86,22 +86,17 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
-CXX = @CXX@
-CXXCPP = @CXXCPP@
-CXXDEPMODE = @CXXDEPMODE@
-CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DSYMUTIL = @DSYMUTIL@
-ECHO = @ECHO@
+DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-F77 = @F77@
-FFLAGS = @FFLAGS@
+FGREP = @FGREP@
 GPERF = @GPERF@
 GREP = @GREP@
 INSTALL = @INSTALL@
@@ -111,6 +106,7 @@ INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
 IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
 IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
@@ -119,12 +115,16 @@ LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
 LINUX_HEADERS = @LINUX_HEADERS@
+LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+NM = @NM@
 NMEDIT = @NMEDIT@
 OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -147,8 +147,7 @@ abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
-ac_ct_CXX = @ac_ct_CXX@
-ac_ct_F77 = @ac_ct_F77@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -187,6 +186,7 @@ libstrongswan_plugins = @libstrongswan_plugins@
 linuxdir = @linuxdir@
 localedir = @localedir@
 localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
diff --git a/src/charon/plugins/medsrv/Makefile.in b/src/charon/plugins/medsrv/Makefile.in
index 2162afa77..2e97ca503 100644
--- a/src/charon/plugins/medsrv/Makefile.in
+++ b/src/charon/plugins/medsrv/Makefile.in
@@ -86,22 +86,17 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
-CXX = @CXX@
-CXXCPP = @CXXCPP@
-CXXDEPMODE = @CXXDEPMODE@
-CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DSYMUTIL = @DSYMUTIL@
-ECHO = @ECHO@
+DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-F77 = @F77@
-FFLAGS = @FFLAGS@
+FGREP = @FGREP@
 GPERF = @GPERF@
 GREP = @GREP@
 INSTALL = @INSTALL@
@@ -111,6 +106,7 @@ INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
 IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
 IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
@@ -119,12 +115,16 @@ LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
 LINUX_HEADERS = @LINUX_HEADERS@
+LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+NM = @NM@
 NMEDIT = @NMEDIT@
 OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -147,8 +147,7 @@ abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
-ac_ct_CXX = @ac_ct_CXX@
-ac_ct_F77 = @ac_ct_F77@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -187,6 +186,7 @@ libstrongswan_plugins = @libstrongswan_plugins@
 linuxdir = @linuxdir@
 localedir = @localedir@
 localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
diff --git a/src/charon/plugins/nm/Makefile.am b/src/charon/plugins/nm/Makefile.am
index bb5436443..9c8c64fe1 100644
--- a/src/charon/plugins/nm/Makefile.am
+++ b/src/charon/plugins/nm/Makefile.am
@@ -8,21 +8,3 @@ libstrongswan_nm_la_SOURCES = \
   nm_plugin.h nm_plugin.c nm_service.h nm_service.c nm_creds.h nm_creds.c
 libstrongswan_nm_la_LDFLAGS = -module
 libstrongswan_nm_la_LIBADD = ${nm_LIBS}
-
-
-# build gnome/configure and friends for distribution
-
-EXTRA_DIST = gnome/configure gnome/po/LINGUAS gnome/po/POTFILES.in gnome/po/Makefile.in.in \
-	gnome/ltmain.sh gnome/config.h.in gnome/depcomp gnome/Makefile.in \
-	gnome/compile gnome/intltool-merge.in gnome/configure.in gnome/install-sh \
-	gnome/aclocal.m4 gnome/Makefile.am gnome/autogen.sh \
-	gnome/properties/Makefile.in gnome/properties/nm-strongswan-dialog.glade \
-	gnome/properties/Makefile.am gnome/properties/nm-strongswan.c \
-	gnome/properties/nm-strongswan.h gnome/intltool-update.in gnome/config.guess \
-	gnome/nm-strongswan-service.name.in gnome/nm-strongswan-service.conf \
-	gnome/mkinstalldirs gnome/auth-dialog gnome/auth-dialog/Makefile.in \
-	gnome/auth-dialog/Makefile.am gnome/auth-dialog/main.c gnome/intltool-extract.in \
-	gnome/config.sub gnome/missing
-
-gnome/configure :	gnome/configure.in
-					(cd `dirname $<` && ./autogen.sh)
diff --git a/src/charon/plugins/nm/Makefile.in b/src/charon/plugins/nm/Makefile.in
index 4f75da14f..b3990fab1 100644
--- a/src/charon/plugins/nm/Makefile.in
+++ b/src/charon/plugins/nm/Makefile.in
@@ -86,22 +86,17 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
-CXX = @CXX@
-CXXCPP = @CXXCPP@
-CXXDEPMODE = @CXXDEPMODE@
-CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DSYMUTIL = @DSYMUTIL@
-ECHO = @ECHO@
+DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-F77 = @F77@
-FFLAGS = @FFLAGS@
+FGREP = @FGREP@
 GPERF = @GPERF@
 GREP = @GREP@
 INSTALL = @INSTALL@
@@ -111,6 +106,7 @@ INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
 IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
 IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
@@ -119,12 +115,16 @@ LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
 LINUX_HEADERS = @LINUX_HEADERS@
+LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+NM = @NM@
 NMEDIT = @NMEDIT@
 OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -147,8 +147,7 @@ abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
-ac_ct_CXX = @ac_ct_CXX@
-ac_ct_F77 = @ac_ct_F77@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -187,6 +186,7 @@ libstrongswan_plugins = @libstrongswan_plugins@
 linuxdir = @linuxdir@
 localedir = @localedir@
 localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
@@ -218,20 +218,6 @@ libstrongswan_nm_la_SOURCES = \
 
 libstrongswan_nm_la_LDFLAGS = -module
 libstrongswan_nm_la_LIBADD = ${nm_LIBS}
-
-# build gnome/configure and friends for distribution
-EXTRA_DIST = gnome/configure gnome/po/LINGUAS gnome/po/POTFILES.in gnome/po/Makefile.in.in \
-	gnome/ltmain.sh gnome/config.h.in gnome/depcomp gnome/Makefile.in \
-	gnome/compile gnome/intltool-merge.in gnome/configure.in gnome/install-sh \
-	gnome/aclocal.m4 gnome/Makefile.am gnome/autogen.sh \
-	gnome/properties/Makefile.in gnome/properties/nm-strongswan-dialog.glade \
-	gnome/properties/Makefile.am gnome/properties/nm-strongswan.c \
-	gnome/properties/nm-strongswan.h gnome/intltool-update.in gnome/config.guess \
-	gnome/nm-strongswan-service.name.in gnome/nm-strongswan-service.conf \
-	gnome/mkinstalldirs gnome/auth-dialog gnome/auth-dialog/Makefile.in \
-	gnome/auth-dialog/Makefile.am gnome/auth-dialog/main.c gnome/intltool-extract.in \
-	gnome/config.sub gnome/missing
-
 all: all-am
 
 .SUFFIXES:
@@ -511,9 +497,6 @@ uninstall-am: uninstall-pluginLTLIBRARIES
 	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
 	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
 
-
-gnome/configure :	gnome/configure.in
-					(cd `dirname $<` && ./autogen.sh)
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/src/charon/plugins/nm/gnome/Makefile.am b/src/charon/plugins/nm/gnome/Makefile.am
deleted file mode 100644
index 62d28e438..000000000
--- a/src/charon/plugins/nm/gnome/Makefile.am
+++ /dev/null
@@ -1,24 +0,0 @@
-AUTOMAKE_OPTIONS = foreign
-
-SUBDIRS = properties auth-dialog po
-
-dbusservicedir = $(sysconfdir)/dbus-1/system.d
-dbusservice_DATA = nm-strongswan-service.conf
-
-nmvpnservicedir = $(sysconfdir)/NetworkManager/VPN
-nmvpnservice_DATA = nm-strongswan-service.name
-
-@INTLTOOL_DESKTOP_RULE@
-
-nm-strongswan-service.name: $(srcdir)/nm-strongswan-service.name.in
-	sed -e 's|[@]LIBEXECDIR[@]|$(libexecdir)|' \
-		-e 's|[@]CHARON[@]|$(charon)|' $< >$@
-
-EXTRA_DIST = nm-strongswan-service.name.in \
-             $(dbusservice_DATA)  \
-             intltool-extract.in  \
-             intltool-merge.in    \
-             intltool-update.in
-
-CLEANFILES = $(nmvpnservice_DATA) *~
-DISTCLEANFILES = intltool-extract intltool-merge intltool-update
diff --git a/src/charon/plugins/nm/gnome/Makefile.in b/src/charon/plugins/nm/gnome/Makefile.in
deleted file mode 100644
index 41745247f..000000000
--- a/src/charon/plugins/nm/gnome/Makefile.in
+++ /dev/null
@@ -1,767 +0,0 @@
-# Makefile.in generated by automake 1.10.1 from Makefile.am.
-# @configure_input@
-
-# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
-# This Makefile.in is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
-# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
-# PARTICULAR PURPOSE.
-
-@SET_MAKE@
-
-VPATH = @srcdir@
-pkgdatadir = $(datadir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
-pkgincludedir = $(includedir)/@PACKAGE@
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-install_sh_DATA = $(install_sh) -c -m 644
-install_sh_PROGRAM = $(install_sh) -c
-install_sh_SCRIPT = $(install_sh) -c
-INSTALL_HEADER = $(INSTALL_DATA)
-transform = $(program_transform_name)
-NORMAL_INSTALL = :
-PRE_INSTALL = :
-POST_INSTALL = :
-NORMAL_UNINSTALL = :
-PRE_UNINSTALL = :
-POST_UNINSTALL = :
-build_triplet = @build@
-host_triplet = @host@
-subdir = .
-DIST_COMMON = $(am__configure_deps) $(srcdir)/Makefile.am \
-	$(srcdir)/Makefile.in $(srcdir)/config.h.in \
-	$(top_srcdir)/configure compile config.guess config.sub \
-	depcomp install-sh ltmain.sh missing mkinstalldirs
-ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/configure.in
-am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
-	$(ACLOCAL_M4)
-am__CONFIG_DISTCLEAN_FILES = config.status config.cache config.log \
- configure.lineno config.status.lineno
-mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
-CONFIG_HEADER = config.h
-CONFIG_CLEAN_FILES =
-SOURCES =
-DIST_SOURCES =
-RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \
-	html-recursive info-recursive install-data-recursive \
-	install-dvi-recursive install-exec-recursive \
-	install-html-recursive install-info-recursive \
-	install-pdf-recursive install-ps-recursive install-recursive \
-	installcheck-recursive installdirs-recursive pdf-recursive \
-	ps-recursive uninstall-recursive
-am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
-am__vpath_adj = case $$p in \
-    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
-    *) f=$$p;; \
-  esac;
-am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
-am__installdirs = "$(DESTDIR)$(dbusservicedir)" \
-	"$(DESTDIR)$(nmvpnservicedir)"
-dbusserviceDATA_INSTALL = $(INSTALL_DATA)
-nmvpnserviceDATA_INSTALL = $(INSTALL_DATA)
-DATA = $(dbusservice_DATA) $(nmvpnservice_DATA)
-RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive	\
-  distclean-recursive maintainer-clean-recursive
-ETAGS = etags
-CTAGS = ctags
-DIST_SUBDIRS = $(SUBDIRS)
-DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
-distdir = $(PACKAGE)-$(VERSION)
-top_distdir = $(distdir)
-am__remove_distdir = \
-  { test ! -d $(distdir) \
-    || { find $(distdir) -type d ! -perm -200 -exec chmod u+w {} ';' \
-         && rm -fr $(distdir); }; }
-DIST_ARCHIVES = $(distdir).tar.gz
-GZIP_ENV = --best
-distuninstallcheck_listfiles = find . -type f -print
-distcleancheck_listfiles = find . -type f -print
-ACLOCAL = @ACLOCAL@
-ALL_LINGUAS = @ALL_LINGUAS@
-AMTAR = @AMTAR@
-AR = @AR@
-AUTOCONF = @AUTOCONF@
-AUTOHEADER = @AUTOHEADER@
-AUTOMAKE = @AUTOMAKE@
-AWK = @AWK@
-CATALOGS = @CATALOGS@
-CATOBJEXT = @CATOBJEXT@
-CC = @CC@
-CCDEPMODE = @CCDEPMODE@
-CFLAGS = @CFLAGS@
-CPP = @CPP@
-CPPFLAGS = @CPPFLAGS@
-CXX = @CXX@
-CXXCPP = @CXXCPP@
-CXXDEPMODE = @CXXDEPMODE@
-CXXFLAGS = @CXXFLAGS@
-CYGPATH_W = @CYGPATH_W@
-DATADIRNAME = @DATADIRNAME@
-DBUS_CFLAGS = @DBUS_CFLAGS@
-DBUS_LIBS = @DBUS_LIBS@
-DEFS = @DEFS@
-DEPDIR = @DEPDIR@
-DSYMUTIL = @DSYMUTIL@
-ECHO = @ECHO@
-ECHO_C = @ECHO_C@
-ECHO_N = @ECHO_N@
-ECHO_T = @ECHO_T@
-EGREP = @EGREP@
-EXEEXT = @EXEEXT@
-F77 = @F77@
-FFLAGS = @FFLAGS@
-GCONF_CFLAGS = @GCONF_CFLAGS@
-GCONF_LIBS = @GCONF_LIBS@
-GDK_PIXBUF_CFLAGS = @GDK_PIXBUF_CFLAGS@
-GDK_PIXBUF_LIBS = @GDK_PIXBUF_LIBS@
-GETTEXT_PACKAGE = @GETTEXT_PACKAGE@
-GLADE_CFLAGS = @GLADE_CFLAGS@
-GLADE_LIBS = @GLADE_LIBS@
-GMOFILES = @GMOFILES@
-GMSGFMT = @GMSGFMT@
-GNOMEKEYRING_CFLAGS = @GNOMEKEYRING_CFLAGS@
-GNOMEKEYRING_LIBS = @GNOMEKEYRING_LIBS@
-GREP = @GREP@
-GTHREAD_CFLAGS = @GTHREAD_CFLAGS@
-GTHREAD_LIBS = @GTHREAD_LIBS@
-GTK_CFLAGS = @GTK_CFLAGS@
-GTK_LIBS = @GTK_LIBS@
-INSTALL = @INSTALL@
-INSTALL_DATA = @INSTALL_DATA@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@
-INSTALL_SCRIPT = @INSTALL_SCRIPT@
-INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-INSTOBJEXT = @INSTOBJEXT@
-INTLLIBS = @INTLLIBS@
-INTLTOOL_CAVES_RULE = @INTLTOOL_CAVES_RULE@
-INTLTOOL_DESKTOP_RULE = @INTLTOOL_DESKTOP_RULE@
-INTLTOOL_DIRECTORY_RULE = @INTLTOOL_DIRECTORY_RULE@
-INTLTOOL_EXTRACT = @INTLTOOL_EXTRACT@
-INTLTOOL_KBD_RULE = @INTLTOOL_KBD_RULE@
-INTLTOOL_KEYS_RULE = @INTLTOOL_KEYS_RULE@
-INTLTOOL_MERGE = @INTLTOOL_MERGE@
-INTLTOOL_OAF_RULE = @INTLTOOL_OAF_RULE@
-INTLTOOL_PERL = @INTLTOOL_PERL@
-INTLTOOL_POLICY_RULE = @INTLTOOL_POLICY_RULE@
-INTLTOOL_PONG_RULE = @INTLTOOL_PONG_RULE@
-INTLTOOL_PROP_RULE = @INTLTOOL_PROP_RULE@
-INTLTOOL_SCHEMAS_RULE = @INTLTOOL_SCHEMAS_RULE@
-INTLTOOL_SERVER_RULE = @INTLTOOL_SERVER_RULE@
-INTLTOOL_SERVICE_RULE = @INTLTOOL_SERVICE_RULE@
-INTLTOOL_SHEET_RULE = @INTLTOOL_SHEET_RULE@
-INTLTOOL_SOUNDLIST_RULE = @INTLTOOL_SOUNDLIST_RULE@
-INTLTOOL_THEME_RULE = @INTLTOOL_THEME_RULE@
-INTLTOOL_UI_RULE = @INTLTOOL_UI_RULE@
-INTLTOOL_UPDATE = @INTLTOOL_UPDATE@
-INTLTOOL_XAM_RULE = @INTLTOOL_XAM_RULE@
-INTLTOOL_XML_NOMERGE_RULE = @INTLTOOL_XML_NOMERGE_RULE@
-INTLTOOL_XML_RULE = @INTLTOOL_XML_RULE@
-LDFLAGS = @LDFLAGS@
-LIBGNOMEUI_CFLAGS = @LIBGNOMEUI_CFLAGS@
-LIBGNOMEUI_LIBS = @LIBGNOMEUI_LIBS@
-LIBOBJS = @LIBOBJS@
-LIBS = @LIBS@
-LIBTOOL = @LIBTOOL@
-LN_S = @LN_S@
-LTLIBOBJS = @LTLIBOBJS@
-MAINT = @MAINT@
-MAKEINFO = @MAKEINFO@
-MKDIR_P = @MKDIR_P@
-MKINSTALLDIRS = @MKINSTALLDIRS@
-MSGFMT = @MSGFMT@
-MSGFMT_OPTS = @MSGFMT_OPTS@
-MSGMERGE = @MSGMERGE@
-NMEDIT = @NMEDIT@
-NM_UTILS_CFLAGS = @NM_UTILS_CFLAGS@
-NM_UTILS_LIBS = @NM_UTILS_LIBS@
-OBJEXT = @OBJEXT@
-PACKAGE = @PACKAGE@
-PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
-PACKAGE_NAME = @PACKAGE_NAME@
-PACKAGE_STRING = @PACKAGE_STRING@
-PACKAGE_TARNAME = @PACKAGE_TARNAME@
-PACKAGE_VERSION = @PACKAGE_VERSION@
-PATH_SEPARATOR = @PATH_SEPARATOR@
-PKG_CONFIG = @PKG_CONFIG@
-POFILES = @POFILES@
-POSUB = @POSUB@
-PO_IN_DATADIR_FALSE = @PO_IN_DATADIR_FALSE@
-PO_IN_DATADIR_TRUE = @PO_IN_DATADIR_TRUE@
-RANLIB = @RANLIB@
-SED = @SED@
-SET_MAKE = @SET_MAKE@
-SHELL = @SHELL@
-STRIP = @STRIP@
-USE_NLS = @USE_NLS@
-VERSION = @VERSION@
-XGETTEXT = @XGETTEXT@
-abs_builddir = @abs_builddir@
-abs_srcdir = @abs_srcdir@
-abs_top_builddir = @abs_top_builddir@
-abs_top_srcdir = @abs_top_srcdir@
-ac_ct_CC = @ac_ct_CC@
-ac_ct_CXX = @ac_ct_CXX@
-ac_ct_F77 = @ac_ct_F77@
-am__include = @am__include@
-am__leading_dot = @am__leading_dot@
-am__quote = @am__quote@
-am__tar = @am__tar@
-am__untar = @am__untar@
-bindir = @bindir@
-build = @build@
-build_alias = @build_alias@
-build_cpu = @build_cpu@
-build_os = @build_os@
-build_vendor = @build_vendor@
-builddir = @builddir@
-charon = @charon@
-datadir = @datadir@
-datarootdir = @datarootdir@
-docdir = @docdir@
-dvidir = @dvidir@
-exec_prefix = @exec_prefix@
-host = @host@
-host_alias = @host_alias@
-host_cpu = @host_cpu@
-host_os = @host_os@
-host_vendor = @host_vendor@
-htmldir = @htmldir@
-includedir = @includedir@
-infodir = @infodir@
-install_sh = @install_sh@
-libdir = @libdir@
-libexecdir = @libexecdir@
-localedir = @localedir@
-localstatedir = @localstatedir@
-mandir = @mandir@
-mkdir_p = @mkdir_p@
-oldincludedir = @oldincludedir@
-pdfdir = @pdfdir@
-prefix = @prefix@
-program_transform_name = @program_transform_name@
-psdir = @psdir@
-sbindir = @sbindir@
-sharedstatedir = @sharedstatedir@
-srcdir = @srcdir@
-sysconfdir = @sysconfdir@
-target_alias = @target_alias@
-top_builddir = @top_builddir@
-top_srcdir = @top_srcdir@
-AUTOMAKE_OPTIONS = foreign
-SUBDIRS = properties auth-dialog po
-dbusservicedir = $(sysconfdir)/dbus-1/system.d
-dbusservice_DATA = nm-strongswan-service.conf
-nmvpnservicedir = $(sysconfdir)/NetworkManager/VPN
-nmvpnservice_DATA = nm-strongswan-service.name
-EXTRA_DIST = nm-strongswan-service.name.in \
-             $(dbusservice_DATA)  \
-             intltool-extract.in  \
-             intltool-merge.in    \
-             intltool-update.in
-
-CLEANFILES = $(nmvpnservice_DATA) *~
-DISTCLEANFILES = intltool-extract intltool-merge intltool-update
-all: config.h
-	$(MAKE) $(AM_MAKEFLAGS) all-recursive
-
-.SUFFIXES:
-am--refresh:
-	@:
-$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am  $(am__configure_deps)
-	@for dep in $?; do \
-	  case '$(am__configure_deps)' in \
-	    *$$dep*) \
-	      echo ' cd $(srcdir) && $(AUTOMAKE) --foreign '; \
-	      cd $(srcdir) && $(AUTOMAKE) --foreign  \
-		&& exit 0; \
-	      exit 1;; \
-	  esac; \
-	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign  Makefile'; \
-	cd $(top_srcdir) && \
-	  $(AUTOMAKE) --foreign  Makefile
-.PRECIOUS: Makefile
-Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
-	@case '$?' in \
-	  *config.status*) \
-	    echo ' $(SHELL) ./config.status'; \
-	    $(SHELL) ./config.status;; \
-	  *) \
-	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $@ $(am__depfiles_maybe)'; \
-	    cd $(top_builddir) && $(SHELL) ./config.status $@ $(am__depfiles_maybe);; \
-	esac;
-
-$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
-	$(SHELL) ./config.status --recheck
-
-$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps)
-	cd $(srcdir) && $(AUTOCONF)
-$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps)
-	cd $(srcdir) && $(ACLOCAL) $(ACLOCAL_AMFLAGS)
-
-config.h: stamp-h1
-	@if test ! -f $@; then \
-	  rm -f stamp-h1; \
-	  $(MAKE) $(AM_MAKEFLAGS) stamp-h1; \
-	else :; fi
-
-stamp-h1: $(srcdir)/config.h.in $(top_builddir)/config.status
-	@rm -f stamp-h1
-	cd $(top_builddir) && $(SHELL) ./config.status config.h
-$(srcdir)/config.h.in: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) 
-	cd $(top_srcdir) && $(AUTOHEADER)
-	rm -f stamp-h1
-	touch $@
-
-distclean-hdr:
-	-rm -f config.h stamp-h1
-
-mostlyclean-libtool:
-	-rm -f *.lo
-
-clean-libtool:
-	-rm -rf .libs _libs
-
-distclean-libtool:
-	-rm -f libtool
-install-dbusserviceDATA: $(dbusservice_DATA)
-	@$(NORMAL_INSTALL)
-	test -z "$(dbusservicedir)" || $(MKDIR_P) "$(DESTDIR)$(dbusservicedir)"
-	@list='$(dbusservice_DATA)'; for p in $$list; do \
-	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
-	  f=$(am__strip_dir) \
-	  echo " $(dbusserviceDATA_INSTALL) '$$d$$p' '$(DESTDIR)$(dbusservicedir)/$$f'"; \
-	  $(dbusserviceDATA_INSTALL) "$$d$$p" "$(DESTDIR)$(dbusservicedir)/$$f"; \
-	done
-
-uninstall-dbusserviceDATA:
-	@$(NORMAL_UNINSTALL)
-	@list='$(dbusservice_DATA)'; for p in $$list; do \
-	  f=$(am__strip_dir) \
-	  echo " rm -f '$(DESTDIR)$(dbusservicedir)/$$f'"; \
-	  rm -f "$(DESTDIR)$(dbusservicedir)/$$f"; \
-	done
-install-nmvpnserviceDATA: $(nmvpnservice_DATA)
-	@$(NORMAL_INSTALL)
-	test -z "$(nmvpnservicedir)" || $(MKDIR_P) "$(DESTDIR)$(nmvpnservicedir)"
-	@list='$(nmvpnservice_DATA)'; for p in $$list; do \
-	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
-	  f=$(am__strip_dir) \
-	  echo " $(nmvpnserviceDATA_INSTALL) '$$d$$p' '$(DESTDIR)$(nmvpnservicedir)/$$f'"; \
-	  $(nmvpnserviceDATA_INSTALL) "$$d$$p" "$(DESTDIR)$(nmvpnservicedir)/$$f"; \
-	done
-
-uninstall-nmvpnserviceDATA:
-	@$(NORMAL_UNINSTALL)
-	@list='$(nmvpnservice_DATA)'; for p in $$list; do \
-	  f=$(am__strip_dir) \
-	  echo " rm -f '$(DESTDIR)$(nmvpnservicedir)/$$f'"; \
-	  rm -f "$(DESTDIR)$(nmvpnservicedir)/$$f"; \
-	done
-
-# This directory's subdirectories are mostly independent; you can cd
-# into them and run `make' without going through this Makefile.
-# To change the values of `make' variables: instead of editing Makefiles,
-# (1) if the variable is set in `config.status', edit `config.status'
-#     (which will cause the Makefiles to be regenerated when you run `make');
-# (2) otherwise, pass the desired values on the `make' command line.
-$(RECURSIVE_TARGETS):
-	@failcom='exit 1'; \
-	for f in x $$MAKEFLAGS; do \
-	  case $$f in \
-	    *=* | --[!k]*);; \
-	    *k*) failcom='fail=yes';; \
-	  esac; \
-	done; \
-	dot_seen=no; \
-	target=`echo $@ | sed s/-recursive//`; \
-	list='$(SUBDIRS)'; for subdir in $$list; do \
-	  echo "Making $$target in $$subdir"; \
-	  if test "$$subdir" = "."; then \
-	    dot_seen=yes; \
-	    local_target="$$target-am"; \
-	  else \
-	    local_target="$$target"; \
-	  fi; \
-	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
-	  || eval $$failcom; \
-	done; \
-	if test "$$dot_seen" = "no"; then \
-	  $(MAKE) $(AM_MAKEFLAGS) "$$target-am" || exit 1; \
-	fi; test -z "$$fail"
-
-$(RECURSIVE_CLEAN_TARGETS):
-	@failcom='exit 1'; \
-	for f in x $$MAKEFLAGS; do \
-	  case $$f in \
-	    *=* | --[!k]*);; \
-	    *k*) failcom='fail=yes';; \
-	  esac; \
-	done; \
-	dot_seen=no; \
-	case "$@" in \
-	  distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \
-	  *) list='$(SUBDIRS)' ;; \
-	esac; \
-	rev=''; for subdir in $$list; do \
-	  if test "$$subdir" = "."; then :; else \
-	    rev="$$subdir $$rev"; \
-	  fi; \
-	done; \
-	rev="$$rev ."; \
-	target=`echo $@ | sed s/-recursive//`; \
-	for subdir in $$rev; do \
-	  echo "Making $$target in $$subdir"; \
-	  if test "$$subdir" = "."; then \
-	    local_target="$$target-am"; \
-	  else \
-	    local_target="$$target"; \
-	  fi; \
-	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
-	  || eval $$failcom; \
-	done && test -z "$$fail"
-tags-recursive:
-	list='$(SUBDIRS)'; for subdir in $$list; do \
-	  test "$$subdir" = . || (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) tags); \
-	done
-ctags-recursive:
-	list='$(SUBDIRS)'; for subdir in $$list; do \
-	  test "$$subdir" = . || (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) ctags); \
-	done
-
-ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
-	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	mkid -fID $$unique
-tags: TAGS
-
-TAGS: tags-recursive $(HEADERS) $(SOURCES) config.h.in $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	tags=; \
-	here=`pwd`; \
-	if ($(ETAGS) --etags-include --version) >/dev/null 2>&1; then \
-	  include_option=--etags-include; \
-	  empty_fix=.; \
-	else \
-	  include_option=--include; \
-	  empty_fix=; \
-	fi; \
-	list='$(SUBDIRS)'; for subdir in $$list; do \
-	  if test "$$subdir" = .; then :; else \
-	    test ! -f $$subdir/TAGS || \
-	      tags="$$tags $$include_option=$$here/$$subdir/TAGS"; \
-	  fi; \
-	done; \
-	list='$(SOURCES) $(HEADERS) config.h.in $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
-	  test -n "$$unique" || unique=$$empty_fix; \
-	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	    $$tags $$unique; \
-	fi
-ctags: CTAGS
-CTAGS: ctags-recursive $(HEADERS) $(SOURCES) config.h.in $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	tags=; \
-	list='$(SOURCES) $(HEADERS) config.h.in $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$tags$$unique" \
-	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$tags $$unique
-
-GTAGS:
-	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && cd $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) $$here
-
-distclean-tags:
-	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
-
-distdir: $(DISTFILES)
-	$(am__remove_distdir)
-	test -d $(distdir) || mkdir $(distdir)
-	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	list='$(DISTFILES)'; \
-	  dist_files=`for file in $$list; do echo $$file; done | \
-	  sed -e "s|^$$srcdirstrip/||;t" \
-	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
-	case $$dist_files in \
-	  */*) $(MKDIR_P) `echo "$$dist_files" | \
-			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
-			   sort -u` ;; \
-	esac; \
-	for file in $$dist_files; do \
-	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  if test -d $$d/$$file; then \
-	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
-	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
-	    fi; \
-	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
-	  else \
-	    test -f $(distdir)/$$file \
-	    || cp -p $$d/$$file $(distdir)/$$file \
-	    || exit 1; \
-	  fi; \
-	done
-	list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
-	  if test "$$subdir" = .; then :; else \
-	    test -d "$(distdir)/$$subdir" \
-	    || $(MKDIR_P) "$(distdir)/$$subdir" \
-	    || exit 1; \
-	    distdir=`$(am__cd) $(distdir) && pwd`; \
-	    top_distdir=`$(am__cd) $(top_distdir) && pwd`; \
-	    (cd $$subdir && \
-	      $(MAKE) $(AM_MAKEFLAGS) \
-	        top_distdir="$$top_distdir" \
-	        distdir="$$distdir/$$subdir" \
-		am__remove_distdir=: \
-		am__skip_length_check=: \
-	        distdir) \
-	      || exit 1; \
-	  fi; \
-	done
-	-find $(distdir) -type d ! -perm -777 -exec chmod a+rwx {} \; -o \
-	  ! -type d ! -perm -444 -links 1 -exec chmod a+r {} \; -o \
-	  ! -type d ! -perm -400 -exec chmod a+r {} \; -o \
-	  ! -type d ! -perm -444 -exec $(install_sh) -c -m a+r {} {} \; \
-	|| chmod -R a+r $(distdir)
-dist-gzip: distdir
-	tardir=$(distdir) && $(am__tar) | GZIP=$(GZIP_ENV) gzip -c >$(distdir).tar.gz
-	$(am__remove_distdir)
-
-dist-bzip2: distdir
-	tardir=$(distdir) && $(am__tar) | bzip2 -9 -c >$(distdir).tar.bz2
-	$(am__remove_distdir)
-
-dist-lzma: distdir
-	tardir=$(distdir) && $(am__tar) | lzma -9 -c >$(distdir).tar.lzma
-	$(am__remove_distdir)
-
-dist-tarZ: distdir
-	tardir=$(distdir) && $(am__tar) | compress -c >$(distdir).tar.Z
-	$(am__remove_distdir)
-
-dist-shar: distdir
-	shar $(distdir) | GZIP=$(GZIP_ENV) gzip -c >$(distdir).shar.gz
-	$(am__remove_distdir)
-
-dist-zip: distdir
-	-rm -f $(distdir).zip
-	zip -rq $(distdir).zip $(distdir)
-	$(am__remove_distdir)
-
-dist dist-all: distdir
-	tardir=$(distdir) && $(am__tar) | GZIP=$(GZIP_ENV) gzip -c >$(distdir).tar.gz
-	$(am__remove_distdir)
-
-# This target untars the dist file and tries a VPATH configuration.  Then
-# it guarantees that the distribution is self-contained by making another
-# tarfile.
-distcheck: dist
-	case '$(DIST_ARCHIVES)' in \
-	*.tar.gz*) \
-	  GZIP=$(GZIP_ENV) gunzip -c $(distdir).tar.gz | $(am__untar) ;;\
-	*.tar.bz2*) \
-	  bunzip2 -c $(distdir).tar.bz2 | $(am__untar) ;;\
-	*.tar.lzma*) \
-	  unlzma -c $(distdir).tar.lzma | $(am__untar) ;;\
-	*.tar.Z*) \
-	  uncompress -c $(distdir).tar.Z | $(am__untar) ;;\
-	*.shar.gz*) \
-	  GZIP=$(GZIP_ENV) gunzip -c $(distdir).shar.gz | unshar ;;\
-	*.zip*) \
-	  unzip $(distdir).zip ;;\
-	esac
-	chmod -R a-w $(distdir); chmod a+w $(distdir)
-	mkdir $(distdir)/_build
-	mkdir $(distdir)/_inst
-	chmod a-w $(distdir)
-	dc_install_base=`$(am__cd) $(distdir)/_inst && pwd | sed -e 's,^[^:\\/]:[\\/],/,'` \
-	  && dc_destdir="$${TMPDIR-/tmp}/am-dc-$$$$/" \
-	  && cd $(distdir)/_build \
-	  && ../configure --srcdir=.. --prefix="$$dc_install_base" \
-	    $(DISTCHECK_CONFIGURE_FLAGS) \
-	  && $(MAKE) $(AM_MAKEFLAGS) \
-	  && $(MAKE) $(AM_MAKEFLAGS) dvi \
-	  && $(MAKE) $(AM_MAKEFLAGS) check \
-	  && $(MAKE) $(AM_MAKEFLAGS) install \
-	  && $(MAKE) $(AM_MAKEFLAGS) installcheck \
-	  && $(MAKE) $(AM_MAKEFLAGS) uninstall \
-	  && $(MAKE) $(AM_MAKEFLAGS) distuninstallcheck_dir="$$dc_install_base" \
-	        distuninstallcheck \
-	  && chmod -R a-w "$$dc_install_base" \
-	  && ({ \
-	       (cd ../.. && umask 077 && mkdir "$$dc_destdir") \
-	       && $(MAKE) $(AM_MAKEFLAGS) DESTDIR="$$dc_destdir" install \
-	       && $(MAKE) $(AM_MAKEFLAGS) DESTDIR="$$dc_destdir" uninstall \
-	       && $(MAKE) $(AM_MAKEFLAGS) DESTDIR="$$dc_destdir" \
-	            distuninstallcheck_dir="$$dc_destdir" distuninstallcheck; \
-	      } || { rm -rf "$$dc_destdir"; exit 1; }) \
-	  && rm -rf "$$dc_destdir" \
-	  && $(MAKE) $(AM_MAKEFLAGS) dist \
-	  && rm -rf $(DIST_ARCHIVES) \
-	  && $(MAKE) $(AM_MAKEFLAGS) distcleancheck
-	$(am__remove_distdir)
-	@(echo "$(distdir) archives ready for distribution: "; \
-	  list='$(DIST_ARCHIVES)'; for i in $$list; do echo $$i; done) | \
-	  sed -e 1h -e 1s/./=/g -e 1p -e 1x -e '$$p' -e '$$x'
-distuninstallcheck:
-	@cd $(distuninstallcheck_dir) \
-	&& test `$(distuninstallcheck_listfiles) | wc -l` -le 1 \
-	   || { echo "ERROR: files left after uninstall:" ; \
-	        if test -n "$(DESTDIR)"; then \
-	          echo "  (check DESTDIR support)"; \
-	        fi ; \
-	        $(distuninstallcheck_listfiles) ; \
-	        exit 1; } >&2
-distcleancheck: distclean
-	@if test '$(srcdir)' = . ; then \
-	  echo "ERROR: distcleancheck can only run from a VPATH build" ; \
-	  exit 1 ; \
-	fi
-	@test `$(distcleancheck_listfiles) | wc -l` -eq 0 \
-	  || { echo "ERROR: files left in build directory after distclean:" ; \
-	       $(distcleancheck_listfiles) ; \
-	       exit 1; } >&2
-check-am: all-am
-check: check-recursive
-all-am: Makefile $(DATA) config.h
-installdirs: installdirs-recursive
-installdirs-am:
-	for dir in "$(DESTDIR)$(dbusservicedir)" "$(DESTDIR)$(nmvpnservicedir)"; do \
-	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
-	done
-install: install-recursive
-install-exec: install-exec-recursive
-install-data: install-data-recursive
-uninstall: uninstall-recursive
-
-install-am: all-am
-	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
-
-installcheck: installcheck-recursive
-install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
-mostlyclean-generic:
-
-clean-generic:
-	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
-
-distclean-generic:
-	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-	-test -z "$(DISTCLEANFILES)" || rm -f $(DISTCLEANFILES)
-
-maintainer-clean-generic:
-	@echo "This command is intended for maintainers to use"
-	@echo "it deletes files that may require special tools to rebuild."
-clean: clean-recursive
-
-clean-am: clean-generic clean-libtool mostlyclean-am
-
-distclean: distclean-recursive
-	-rm -f $(am__CONFIG_DISTCLEAN_FILES)
-	-rm -f Makefile
-distclean-am: clean-am distclean-generic distclean-hdr \
-	distclean-libtool distclean-tags
-
-dvi: dvi-recursive
-
-dvi-am:
-
-html: html-recursive
-
-info: info-recursive
-
-info-am:
-
-install-data-am: install-dbusserviceDATA install-nmvpnserviceDATA
-
-install-dvi: install-dvi-recursive
-
-install-exec-am:
-
-install-html: install-html-recursive
-
-install-info: install-info-recursive
-
-install-man:
-
-install-pdf: install-pdf-recursive
-
-install-ps: install-ps-recursive
-
-installcheck-am:
-
-maintainer-clean: maintainer-clean-recursive
-	-rm -f $(am__CONFIG_DISTCLEAN_FILES)
-	-rm -rf $(top_srcdir)/autom4te.cache
-	-rm -f Makefile
-maintainer-clean-am: distclean-am maintainer-clean-generic
-
-mostlyclean: mostlyclean-recursive
-
-mostlyclean-am: mostlyclean-generic mostlyclean-libtool
-
-pdf: pdf-recursive
-
-pdf-am:
-
-ps: ps-recursive
-
-ps-am:
-
-uninstall-am: uninstall-dbusserviceDATA uninstall-nmvpnserviceDATA
-
-.MAKE: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) install-am \
-	install-strip
-
-.PHONY: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) CTAGS GTAGS \
-	all all-am am--refresh check check-am clean clean-generic \
-	clean-libtool ctags ctags-recursive dist dist-all dist-bzip2 \
-	dist-gzip dist-lzma dist-shar dist-tarZ dist-zip distcheck \
-	distclean distclean-generic distclean-hdr distclean-libtool \
-	distclean-tags distcleancheck distdir distuninstallcheck dvi \
-	dvi-am html html-am info info-am install install-am \
-	install-data install-data-am install-dbusserviceDATA \
-	install-dvi install-dvi-am install-exec install-exec-am \
-	install-html install-html-am install-info install-info-am \
-	install-man install-nmvpnserviceDATA install-pdf \
-	install-pdf-am install-ps install-ps-am install-strip \
-	installcheck installcheck-am installdirs installdirs-am \
-	maintainer-clean maintainer-clean-generic mostlyclean \
-	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	tags tags-recursive uninstall uninstall-am \
-	uninstall-dbusserviceDATA uninstall-nmvpnserviceDATA
-
-
-@INTLTOOL_DESKTOP_RULE@
-
-nm-strongswan-service.name: $(srcdir)/nm-strongswan-service.name.in
-	sed -e 's|[@]LIBEXECDIR[@]|$(libexecdir)|' \
-		-e 's|[@]CHARON[@]|$(charon)|' $< >$@
-# Tell versions [3.59,3.63) of GNU make to not export all variables.
-# Otherwise a system limit (for SysV at least) may be exceeded.
-.NOEXPORT:
diff --git a/src/charon/plugins/nm/gnome/aclocal.m4 b/src/charon/plugins/nm/gnome/aclocal.m4
deleted file mode 100644
index f7e0859bf..000000000
--- a/src/charon/plugins/nm/gnome/aclocal.m4
+++ /dev/null
@@ -1,8398 +0,0 @@
-# generated automatically by aclocal 1.10.1 -*- Autoconf -*-
-
-# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004,
-# 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
-# This file is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
-# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
-# PARTICULAR PURPOSE.
-
-m4_ifndef([AC_AUTOCONF_VERSION],
-  [m4_copy([m4_PACKAGE_VERSION], [AC_AUTOCONF_VERSION])])dnl
-m4_if(AC_AUTOCONF_VERSION, [2.61],,
-[m4_warning([this file was generated for autoconf 2.61.
-You have another version of autoconf.  It may work, but is not guaranteed to.
-If you have problems, you may need to regenerate the build system entirely.
-To do so, use the procedure documented by the package, typically `autoreconf'.])])
-
-# Copyright (C) 1995-2002 Free Software Foundation, Inc.
-# Copyright (C) 2001-2003,2004 Red Hat, Inc.
-#
-# This file is free software, distributed under the terms of the GNU
-# General Public License.  As a special exception to the GNU General
-# Public License, this file may be distributed as part of a program
-# that contains a configuration script generated by Autoconf, under
-# the same distribution terms as the rest of that program.
-#
-# This file can be copied and used freely without restrictions.  It can
-# be used in projects which are not available under the GNU Public License
-# but which still want to provide support for the GNU gettext functionality.
-#
-# Macro to add for using GNU gettext.
-# Ulrich Drepper <drepper@cygnus.com>, 1995, 1996
-#
-# Modified to never use included libintl. 
-# Owen Taylor <otaylor@redhat.com>, 12/15/1998
-#
-# Major rework to remove unused code
-# Owen Taylor <otaylor@redhat.com>, 12/11/2002
-#
-# Added better handling of ALL_LINGUAS from GNU gettext version 
-# written by Bruno Haible, Owen Taylor <otaylor.redhat.com> 5/30/3002
-#
-# Modified to require ngettext
-# Matthias Clasen <mclasen@redhat.com> 08/06/2004
-#
-# We need this here as well, since someone might use autoconf-2.5x
-# to configure GLib then an older version to configure a package
-# using AM_GLIB_GNU_GETTEXT
-AC_PREREQ(2.53)
-
-dnl
-dnl We go to great lengths to make sure that aclocal won't 
-dnl try to pull in the installed version of these macros
-dnl when running aclocal in the glib directory.
-dnl
-m4_copy([AC_DEFUN],[glib_DEFUN])
-m4_copy([AC_REQUIRE],[glib_REQUIRE])
-dnl
-dnl At the end, if we're not within glib, we'll define the public
-dnl definitions in terms of our private definitions.
-dnl
-
-# GLIB_LC_MESSAGES
-#--------------------
-glib_DEFUN([GLIB_LC_MESSAGES],
-  [AC_CHECK_HEADERS([locale.h])
-    if test $ac_cv_header_locale_h = yes; then
-    AC_CACHE_CHECK([for LC_MESSAGES], am_cv_val_LC_MESSAGES,
-      [AC_TRY_LINK([#include <locale.h>], [return LC_MESSAGES],
-       am_cv_val_LC_MESSAGES=yes, am_cv_val_LC_MESSAGES=no)])
-    if test $am_cv_val_LC_MESSAGES = yes; then
-      AC_DEFINE(HAVE_LC_MESSAGES, 1,
-        [Define if your <locale.h> file defines LC_MESSAGES.])
-    fi
-  fi])
-
-# GLIB_PATH_PROG_WITH_TEST
-#----------------------------
-dnl GLIB_PATH_PROG_WITH_TEST(VARIABLE, PROG-TO-CHECK-FOR,
-dnl   TEST-PERFORMED-ON-FOUND_PROGRAM [, VALUE-IF-NOT-FOUND [, PATH]])
-glib_DEFUN([GLIB_PATH_PROG_WITH_TEST],
-[# Extract the first word of "$2", so it can be a program name with args.
-set dummy $2; ac_word=[$]2
-AC_MSG_CHECKING([for $ac_word])
-AC_CACHE_VAL(ac_cv_path_$1,
-[case "[$]$1" in
-  /*)
-  ac_cv_path_$1="[$]$1" # Let the user override the test with a path.
-  ;;
-  *)
-  IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS="${IFS}:"
-  for ac_dir in ifelse([$5], , $PATH, [$5]); do
-    test -z "$ac_dir" && ac_dir=.
-    if test -f $ac_dir/$ac_word; then
-      if [$3]; then
-	ac_cv_path_$1="$ac_dir/$ac_word"
-	break
-      fi
-    fi
-  done
-  IFS="$ac_save_ifs"
-dnl If no 4th arg is given, leave the cache variable unset,
-dnl so AC_PATH_PROGS will keep looking.
-ifelse([$4], , , [  test -z "[$]ac_cv_path_$1" && ac_cv_path_$1="$4"
-])dnl
-  ;;
-esac])dnl
-$1="$ac_cv_path_$1"
-if test ifelse([$4], , [-n "[$]$1"], ["[$]$1" != "$4"]); then
-  AC_MSG_RESULT([$]$1)
-else
-  AC_MSG_RESULT(no)
-fi
-AC_SUBST($1)dnl
-])
-
-# GLIB_WITH_NLS
-#-----------------
-glib_DEFUN([GLIB_WITH_NLS],
-  dnl NLS is obligatory
-  [USE_NLS=yes
-    AC_SUBST(USE_NLS)
-
-    gt_cv_have_gettext=no
-
-    CATOBJEXT=NONE
-    XGETTEXT=:
-    INTLLIBS=
-
-    AC_CHECK_HEADER(libintl.h,
-     [gt_cv_func_dgettext_libintl="no"
-      libintl_extra_libs=""
-
-      #
-      # First check in libc
-      #
-      AC_CACHE_CHECK([for ngettext in libc], gt_cv_func_ngettext_libc,
-        [AC_TRY_LINK([
-#include <libintl.h>
-],
-         [return !ngettext ("","", 1)],
-	  gt_cv_func_ngettext_libc=yes,
-          gt_cv_func_ngettext_libc=no)
-        ])
-  
-      if test "$gt_cv_func_ngettext_libc" = "yes" ; then
-	      AC_CACHE_CHECK([for dgettext in libc], gt_cv_func_dgettext_libc,
-        	[AC_TRY_LINK([
-#include <libintl.h>
-],
-	          [return !dgettext ("","")],
-		  gt_cv_func_dgettext_libc=yes,
-	          gt_cv_func_dgettext_libc=no)
-        	])
-      fi
-  
-      if test "$gt_cv_func_ngettext_libc" = "yes" ; then
-        AC_CHECK_FUNCS(bind_textdomain_codeset)
-      fi
-
-      #
-      # If we don't have everything we want, check in libintl
-      #
-      if test "$gt_cv_func_dgettext_libc" != "yes" \
-	 || test "$gt_cv_func_ngettext_libc" != "yes" \
-         || test "$ac_cv_func_bind_textdomain_codeset" != "yes" ; then
-        
-        AC_CHECK_LIB(intl, bindtextdomain,
-	    [AC_CHECK_LIB(intl, ngettext,
-		    [AC_CHECK_LIB(intl, dgettext,
-			          gt_cv_func_dgettext_libintl=yes)])])
-
-	if test "$gt_cv_func_dgettext_libintl" != "yes" ; then
-	  AC_MSG_CHECKING([if -liconv is needed to use gettext])
-	  AC_MSG_RESULT([])
-  	  AC_CHECK_LIB(intl, ngettext,
-          	[AC_CHECK_LIB(intl, dcgettext,
-		       [gt_cv_func_dgettext_libintl=yes
-			libintl_extra_libs=-liconv],
-			:,-liconv)],
-		:,-liconv)
-        fi
-
-        #
-        # If we found libintl, then check in it for bind_textdomain_codeset();
-        # we'll prefer libc if neither have bind_textdomain_codeset(),
-        # and both have dgettext and ngettext
-        #
-        if test "$gt_cv_func_dgettext_libintl" = "yes" ; then
-          glib_save_LIBS="$LIBS"
-          LIBS="$LIBS -lintl $libintl_extra_libs"
-          unset ac_cv_func_bind_textdomain_codeset
-          AC_CHECK_FUNCS(bind_textdomain_codeset)
-          LIBS="$glib_save_LIBS"
-
-          if test "$ac_cv_func_bind_textdomain_codeset" = "yes" ; then
-            gt_cv_func_dgettext_libc=no
-          else
-            if test "$gt_cv_func_dgettext_libc" = "yes" \
-		&& test "$gt_cv_func_ngettext_libc" = "yes"; then
-              gt_cv_func_dgettext_libintl=no
-            fi
-          fi
-        fi
-      fi
-
-      if test "$gt_cv_func_dgettext_libc" = "yes" \
-	|| test "$gt_cv_func_dgettext_libintl" = "yes"; then
-        gt_cv_have_gettext=yes
-      fi
-  
-      if test "$gt_cv_func_dgettext_libintl" = "yes"; then
-        INTLLIBS="-lintl $libintl_extra_libs"
-      fi
-  
-      if test "$gt_cv_have_gettext" = "yes"; then
-	AC_DEFINE(HAVE_GETTEXT,1,
-	  [Define if the GNU gettext() function is already present or preinstalled.])
-	GLIB_PATH_PROG_WITH_TEST(MSGFMT, msgfmt,
-	  [test -z "`$ac_dir/$ac_word -h 2>&1 | grep 'dv '`"], no)dnl
-	if test "$MSGFMT" != "no"; then
-          glib_save_LIBS="$LIBS"
-          LIBS="$LIBS $INTLLIBS"
-	  AC_CHECK_FUNCS(dcgettext)
-	  MSGFMT_OPTS=
-	  AC_MSG_CHECKING([if msgfmt accepts -c])
-	  GLIB_RUN_PROG([$MSGFMT -c -o /dev/null],[
-msgid ""
-msgstr ""
-"Content-Type: text/plain; charset=UTF-8\n"
-"Project-Id-Version: test 1.0\n"
-"PO-Revision-Date: 2007-02-15 12:01+0100\n"
-"Last-Translator: test <foo@bar.xx>\n"
-"Language-Team: C <LL@li.org>\n"
-"MIME-Version: 1.0\n"
-"Content-Transfer-Encoding: 8bit\n"
-], [MSGFMT_OPTS=-c; AC_MSG_RESULT([yes])], [AC_MSG_RESULT([no])])
-	  AC_SUBST(MSGFMT_OPTS)
-	  AC_PATH_PROG(GMSGFMT, gmsgfmt, $MSGFMT)
-	  GLIB_PATH_PROG_WITH_TEST(XGETTEXT, xgettext,
-	    [test -z "`$ac_dir/$ac_word -h 2>&1 | grep '(HELP)'`"], :)
-	  AC_TRY_LINK(, [extern int _nl_msg_cat_cntr;
-			 return _nl_msg_cat_cntr],
-	    [CATOBJEXT=.gmo 
-             DATADIRNAME=share],
-	    [case $host in
-	    *-*-solaris*)
-	    dnl On Solaris, if bind_textdomain_codeset is in libc,
-	    dnl GNU format message catalog is always supported,
-            dnl since both are added to the libc all together.
-	    dnl Hence, we'd like to go with DATADIRNAME=share and
-	    dnl and CATOBJEXT=.gmo in this case.
-            AC_CHECK_FUNC(bind_textdomain_codeset,
-	      [CATOBJEXT=.gmo 
-               DATADIRNAME=share],
-	      [CATOBJEXT=.mo
-               DATADIRNAME=lib])
-	    ;;
-	    *)
-	    CATOBJEXT=.mo
-            DATADIRNAME=lib
-	    ;;
-	    esac])
-          LIBS="$glib_save_LIBS"
-	  INSTOBJEXT=.mo
-	else
-	  gt_cv_have_gettext=no
-	fi
-      fi
-    ])
-
-    if test "$gt_cv_have_gettext" = "yes" ; then
-      AC_DEFINE(ENABLE_NLS, 1,
-        [always defined to indicate that i18n is enabled])
-    fi
-
-    dnl Test whether we really found GNU xgettext.
-    if test "$XGETTEXT" != ":"; then
-      dnl If it is not GNU xgettext we define it as : so that the
-      dnl Makefiles still can work.
-      if $XGETTEXT --omit-header /dev/null 2> /dev/null; then
-        : ;
-      else
-        AC_MSG_RESULT(
-	  [found xgettext program is not GNU xgettext; ignore it])
-        XGETTEXT=":"
-      fi
-    fi
-
-    # We need to process the po/ directory.
-    POSUB=po
-
-    AC_OUTPUT_COMMANDS(
-      [case "$CONFIG_FILES" in *po/Makefile.in*)
-        sed -e "/POTFILES =/r po/POTFILES" po/Makefile.in > po/Makefile
-      esac])
-
-    dnl These rules are solely for the distribution goal.  While doing this
-    dnl we only have to keep exactly one list of the available catalogs
-    dnl in configure.in.
-    for lang in $ALL_LINGUAS; do
-      GMOFILES="$GMOFILES $lang.gmo"
-      POFILES="$POFILES $lang.po"
-    done
-
-    dnl Make all variables we use known to autoconf.
-    AC_SUBST(CATALOGS)
-    AC_SUBST(CATOBJEXT)
-    AC_SUBST(DATADIRNAME)
-    AC_SUBST(GMOFILES)
-    AC_SUBST(INSTOBJEXT)
-    AC_SUBST(INTLLIBS)
-    AC_SUBST(PO_IN_DATADIR_TRUE)
-    AC_SUBST(PO_IN_DATADIR_FALSE)
-    AC_SUBST(POFILES)
-    AC_SUBST(POSUB)
-  ])
-
-# AM_GLIB_GNU_GETTEXT
-# -------------------
-# Do checks necessary for use of gettext. If a suitable implementation 
-# of gettext is found in either in libintl or in the C library,
-# it will set INTLLIBS to the libraries needed for use of gettext
-# and AC_DEFINE() HAVE_GETTEXT and ENABLE_NLS. (The shell variable
-# gt_cv_have_gettext will be set to "yes".) It will also call AC_SUBST()
-# on various variables needed by the Makefile.in.in installed by 
-# glib-gettextize.
-dnl
-glib_DEFUN([GLIB_GNU_GETTEXT],
-  [AC_REQUIRE([AC_PROG_CC])dnl
-   AC_REQUIRE([AC_HEADER_STDC])dnl
-   
-   GLIB_LC_MESSAGES
-   GLIB_WITH_NLS
-
-   if test "$gt_cv_have_gettext" = "yes"; then
-     if test "x$ALL_LINGUAS" = "x"; then
-       LINGUAS=
-     else
-       AC_MSG_CHECKING(for catalogs to be installed)
-       NEW_LINGUAS=
-       for presentlang in $ALL_LINGUAS; do
-         useit=no
-         if test "%UNSET%" != "${LINGUAS-%UNSET%}"; then
-           desiredlanguages="$LINGUAS"
-         else
-           desiredlanguages="$ALL_LINGUAS"
-         fi
-         for desiredlang in $desiredlanguages; do
- 	   # Use the presentlang catalog if desiredlang is
-           #   a. equal to presentlang, or
-           #   b. a variant of presentlang (because in this case,
-           #      presentlang can be used as a fallback for messages
-           #      which are not translated in the desiredlang catalog).
-           case "$desiredlang" in
-             "$presentlang"*) useit=yes;;
-           esac
-         done
-         if test $useit = yes; then
-           NEW_LINGUAS="$NEW_LINGUAS $presentlang"
-         fi
-       done
-       LINGUAS=$NEW_LINGUAS
-       AC_MSG_RESULT($LINGUAS)
-     fi
-
-     dnl Construct list of names of catalog files to be constructed.
-     if test -n "$LINGUAS"; then
-       for lang in $LINGUAS; do CATALOGS="$CATALOGS $lang$CATOBJEXT"; done
-     fi
-   fi
-
-   dnl If the AC_CONFIG_AUX_DIR macro for autoconf is used we possibly
-   dnl find the mkinstalldirs script in another subdir but ($top_srcdir).
-   dnl Try to locate is.
-   MKINSTALLDIRS=
-   if test -n "$ac_aux_dir"; then
-     MKINSTALLDIRS="$ac_aux_dir/mkinstalldirs"
-   fi
-   if test -z "$MKINSTALLDIRS"; then
-     MKINSTALLDIRS="\$(top_srcdir)/mkinstalldirs"
-   fi
-   AC_SUBST(MKINSTALLDIRS)
-
-   dnl Generate list of files to be processed by xgettext which will
-   dnl be included in po/Makefile.
-   test -d po || mkdir po
-   if test "x$srcdir" != "x."; then
-     if test "x`echo $srcdir | sed 's@/.*@@'`" = "x"; then
-       posrcprefix="$srcdir/"
-     else
-       posrcprefix="../$srcdir/"
-     fi
-   else
-     posrcprefix="../"
-   fi
-   rm -f po/POTFILES
-   sed -e "/^#/d" -e "/^\$/d" -e "s,.*,	$posrcprefix& \\\\," -e "\$s/\(.*\) \\\\/\1/" \
-	< $srcdir/po/POTFILES.in > po/POTFILES
-  ])
-
-# AM_GLIB_DEFINE_LOCALEDIR(VARIABLE)
-# -------------------------------
-# Define VARIABLE to the location where catalog files will
-# be installed by po/Makefile.
-glib_DEFUN([GLIB_DEFINE_LOCALEDIR],
-[glib_REQUIRE([GLIB_GNU_GETTEXT])dnl
-glib_save_prefix="$prefix"
-glib_save_exec_prefix="$exec_prefix"
-glib_save_datarootdir="$datarootdir"
-test "x$prefix" = xNONE && prefix=$ac_default_prefix
-test "x$exec_prefix" = xNONE && exec_prefix=$prefix
-datarootdir=`eval echo "${datarootdir}"`
-if test "x$CATOBJEXT" = "x.mo" ; then
-  localedir=`eval echo "${libdir}/locale"`
-else
-  localedir=`eval echo "${datadir}/locale"`
-fi
-prefix="$glib_save_prefix"
-exec_prefix="$glib_save_exec_prefix"
-datarootdir="$glib_save_datarootdir"
-AC_DEFINE_UNQUOTED($1, "$localedir",
-  [Define the location where the catalogs will be installed])
-])
-
-dnl
-dnl Now the definitions that aclocal will find
-dnl
-ifdef(glib_configure_in,[],[
-AC_DEFUN([AM_GLIB_GNU_GETTEXT],[GLIB_GNU_GETTEXT($@)])
-AC_DEFUN([AM_GLIB_DEFINE_LOCALEDIR],[GLIB_DEFINE_LOCALEDIR($@)])
-])dnl
-
-# GLIB_RUN_PROG(PROGRAM, TEST-FILE, [ACTION-IF-PASS], [ACTION-IF-FAIL])
-# 
-# Create a temporary file with TEST-FILE as its contents and pass the
-# file name to PROGRAM.  Perform ACTION-IF-PASS if PROGRAM exits with
-# 0 and perform ACTION-IF-FAIL for any other exit status.
-AC_DEFUN([GLIB_RUN_PROG],
-[cat >conftest.foo <<_ACEOF
-$2
-_ACEOF
-if AC_RUN_LOG([$1 conftest.foo]); then
-  m4_ifval([$3], [$3], [:])
-m4_ifvaln([$4], [else $4])dnl
-echo "$as_me: failed input was:" >&AS_MESSAGE_LOG_FD
-sed 's/^/| /' conftest.foo >&AS_MESSAGE_LOG_FD
-fi])
-
-
-
-dnl IT_PROG_INTLTOOL([MINIMUM-VERSION], [no-xml])
-# serial 36 IT_PROG_INTLTOOL
-AC_DEFUN([IT_PROG_INTLTOOL],
-[AC_PREREQ([2.50])dnl
-
-case "$am__api_version" in
-    1.[01234])
-	AC_MSG_ERROR([Automake 1.5 or newer is required to use intltool])
-    ;;
-    *)
-    ;;
-esac
-
-if test -n "$1"; then
-    AC_MSG_CHECKING([for intltool >= $1])
-
-    INTLTOOL_REQUIRED_VERSION_AS_INT=`echo $1 | awk -F. '{ print $ 1 * 1000 + $ 2 * 100 + $ 3; }'`
-    INTLTOOL_APPLIED_VERSION=`awk -F\" '/\\$VERSION / { print $ 2; }' ${ac_aux_dir}/intltool-update.in`
-    [INTLTOOL_APPLIED_VERSION_AS_INT=`awk -F\" '/\\$VERSION / { split($ 2, VERSION, "."); print VERSION[1] * 1000 + VERSION[2] * 100 + VERSION[3];}' ${ac_aux_dir}/intltool-update.in`
-    ]
-    AC_MSG_RESULT([$INTLTOOL_APPLIED_VERSION found])
-    test "$INTLTOOL_APPLIED_VERSION_AS_INT" -ge "$INTLTOOL_REQUIRED_VERSION_AS_INT" ||
-	AC_MSG_ERROR([Your intltool is too old.  You need intltool $1 or later.])
-fi
-
-  INTLTOOL_DESKTOP_RULE='%.desktop:   %.desktop.in   $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -d -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< [$]@' 
-INTLTOOL_DIRECTORY_RULE='%.directory: %.directory.in $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -d -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< [$]@' 
-     INTLTOOL_KEYS_RULE='%.keys:      %.keys.in      $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -k -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< [$]@' 
-     INTLTOOL_PROP_RULE='%.prop:      %.prop.in      $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -d -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< [$]@' 
-      INTLTOOL_OAF_RULE='%.oaf:       %.oaf.in       $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -o -p $(top_srcdir)/po $< [$]@'
-     INTLTOOL_PONG_RULE='%.pong:      %.pong.in      $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -x -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< [$]@' 
-   INTLTOOL_SERVER_RULE='%.server:    %.server.in    $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -o -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< [$]@' 
-    INTLTOOL_SHEET_RULE='%.sheet:     %.sheet.in     $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -x -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< [$]@' 
-INTLTOOL_SOUNDLIST_RULE='%.soundlist: %.soundlist.in $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -d -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< [$]@' 
-       INTLTOOL_UI_RULE='%.ui:        %.ui.in        $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -x -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< [$]@' 
-      INTLTOOL_XML_RULE='%.xml:       %.xml.in       $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -x -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< [$]@' 
-      INTLTOOL_XML_NOMERGE_RULE='%.xml:       %.xml.in       $(INTLTOOL_MERGE) ; LC_ALL=C $(INTLTOOL_MERGE) -x -u /tmp $< [$]@' 
-      INTLTOOL_XAM_RULE='%.xam:       %.xml.in       $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -x -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< [$]@' 
-      INTLTOOL_KBD_RULE='%.kbd:       %.kbd.in       $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -x -u -m -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< [$]@' 
-    INTLTOOL_CAVES_RULE='%.caves:     %.caves.in     $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -d -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< [$]@' 
-  INTLTOOL_SCHEMAS_RULE='%.schemas:   %.schemas.in   $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -s -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< [$]@' 
-    INTLTOOL_THEME_RULE='%.theme:     %.theme.in     $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -d -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< [$]@' 
-    INTLTOOL_SERVICE_RULE='%.service: %.service.in   $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -d -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< [$]@'
-   INTLTOOL_POLICY_RULE='%.policy:    %.policy.in    $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -x -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< [$]@'
-
-AC_SUBST(INTLTOOL_DESKTOP_RULE)
-AC_SUBST(INTLTOOL_DIRECTORY_RULE)
-AC_SUBST(INTLTOOL_KEYS_RULE)
-AC_SUBST(INTLTOOL_PROP_RULE)
-AC_SUBST(INTLTOOL_OAF_RULE)
-AC_SUBST(INTLTOOL_PONG_RULE)
-AC_SUBST(INTLTOOL_SERVER_RULE)
-AC_SUBST(INTLTOOL_SHEET_RULE)
-AC_SUBST(INTLTOOL_SOUNDLIST_RULE)
-AC_SUBST(INTLTOOL_UI_RULE)
-AC_SUBST(INTLTOOL_XAM_RULE)
-AC_SUBST(INTLTOOL_KBD_RULE)
-AC_SUBST(INTLTOOL_XML_RULE)
-AC_SUBST(INTLTOOL_XML_NOMERGE_RULE)
-AC_SUBST(INTLTOOL_CAVES_RULE)
-AC_SUBST(INTLTOOL_SCHEMAS_RULE)
-AC_SUBST(INTLTOOL_THEME_RULE)
-AC_SUBST(INTLTOOL_SERVICE_RULE)
-AC_SUBST(INTLTOOL_POLICY_RULE)
-
-# Check the gettext tools to make sure they are GNU
-AC_PATH_PROG(XGETTEXT, xgettext)
-AC_PATH_PROG(MSGMERGE, msgmerge)
-AC_PATH_PROG(MSGFMT, msgfmt)
-if test -z "$XGETTEXT" -o -z "$MSGMERGE" -o -z "$MSGFMT"; then
-    AC_MSG_ERROR([GNU gettext tools not found; required for intltool])
-fi
-xgversion="`$XGETTEXT --version|grep '(GNU ' 2> /dev/null`"
-mmversion="`$MSGMERGE --version|grep '(GNU ' 2> /dev/null`"
-mfversion="`$MSGFMT --version|grep '(GNU ' 2> /dev/null`"
-if test -z "$xgversion" -o -z "$mmversion" -o -z "$mfversion"; then
-    AC_MSG_ERROR([GNU gettext tools not found; required for intltool])
-fi
-
-# Use the tools built into the package, not the ones that are installed.
-AC_SUBST(INTLTOOL_EXTRACT, '$(top_builddir)/intltool-extract')
-AC_SUBST(INTLTOOL_MERGE, '$(top_builddir)/intltool-merge')
-AC_SUBST(INTLTOOL_UPDATE, '$(top_builddir)/intltool-update')
-
-AC_PATH_PROG(INTLTOOL_PERL, perl)
-if test -z "$INTLTOOL_PERL"; then
-   AC_MSG_ERROR([perl not found; required for intltool])
-fi
-if test -z "`$INTLTOOL_PERL -v | fgrep '5.' 2> /dev/null`"; then
-   AC_MSG_ERROR([perl 5.x required for intltool])
-fi
-if test "x$2" != "xno-xml"; then
-   AC_MSG_CHECKING([for XML::Parser])
-   if `$INTLTOOL_PERL -e "require XML::Parser" 2>/dev/null`; then
-       AC_MSG_RESULT([ok])
-   else
-       AC_MSG_ERROR([XML::Parser perl module is required for intltool])
-   fi
-fi
-
-# Substitute ALL_LINGUAS so we can use it in po/Makefile
-AC_SUBST(ALL_LINGUAS)
-
-# Set DATADIRNAME correctly if it is not set yet
-# (copied from glib-gettext.m4)
-if test -z "$DATADIRNAME"; then
-  AC_LINK_IFELSE(
-    [AC_LANG_PROGRAM([[]],
-                     [[extern int _nl_msg_cat_cntr;
-                       return _nl_msg_cat_cntr]])],
-    [DATADIRNAME=share],
-    [case $host in
-    *-*-solaris*)
-    dnl On Solaris, if bind_textdomain_codeset is in libc,
-    dnl GNU format message catalog is always supported,
-    dnl since both are added to the libc all together.
-    dnl Hence, we'd like to go with DATADIRNAME=share
-    dnl in this case.
-    AC_CHECK_FUNC(bind_textdomain_codeset,
-      [DATADIRNAME=share], [DATADIRNAME=lib])
-    ;;
-    *)
-    [DATADIRNAME=lib]
-    ;;
-    esac])
-fi
-AC_SUBST(DATADIRNAME)
-
-IT_PO_SUBDIR([po])
-
-dnl The following is very similar to
-dnl
-dnl	AC_CONFIG_FILES([intltool-extract intltool-merge intltool-update])
-dnl
-dnl with the following slight differences:
-dnl  - the *.in files are in ac_aux_dir,
-dnl  - if the file haven't changed upon reconfigure, it's not touched,
-dnl  - the evaluation of the third parameter enables a hack which computes
-dnl    the actual value of $libdir,
-dnl  - the user sees "executing intltool commands", instead of
-dnl    "creating intltool-extract" and such.
-dnl
-dnl Nothing crucial here, and we could use AC_CONFIG_FILES, if there were
-dnl a reason for it.
-
-AC_CONFIG_COMMANDS([intltool], [
-
-for file in intltool-extract intltool-merge intltool-update; do
-  sed -e "s|@INTLTOOL_EXTRACT@|`pwd`/intltool-extract|g" \
-      -e "s|@INTLTOOL_LIBDIR@|${INTLTOOL_LIBDIR}|g" \
-      -e "s|@INTLTOOL_PERL@|${INTLTOOL_PERL}|g" \
-	< ${ac_aux_dir}/${file}.in > ${file}.out
-  if cmp -s ${file} ${file}.out 2>/dev/null; then
-    rm -f ${file}.out
-  else
-    mv -f ${file}.out ${file}
-  fi
-  chmod ugo+x ${file}
-  chmod u+w ${file}
-done
-
-],
-[INTLTOOL_PERL='${INTLTOOL_PERL}' ac_aux_dir='${ac_aux_dir}'
-prefix="$prefix" exec_prefix="$exec_prefix" INTLTOOL_LIBDIR="$libdir" 
-INTLTOOL_EXTRACT='${INTLTOOL_EXTRACT}'])
-
-])
-
-
-# IT_PO_SUBDIR(DIRNAME)
-# ---------------------
-# All po subdirs have to be declared with this macro; the subdir "po" is
-# declared by IT_PROG_INTLTOOL.
-#
-AC_DEFUN([IT_PO_SUBDIR],
-[AC_PREREQ([2.53])dnl We use ac_top_srcdir inside AC_CONFIG_COMMANDS.
-dnl
-dnl The following CONFIG_COMMANDS should be exetuted at the very end
-dnl of config.status.
-AC_CONFIG_COMMANDS_PRE([
-  AC_CONFIG_COMMANDS([$1/stamp-it], [
-    rm -f "$1/stamp-it" "$1/stamp-it.tmp" "$1/POTFILES" "$1/Makefile.tmp"
-    >"$1/stamp-it.tmp"
-    [sed '/^#/d
-	 s/^[[].*] *//
-	 /^[ 	]*$/d
-	'"s|^|	$ac_top_srcdir/|" \
-      "$srcdir/$1/POTFILES.in" | sed '$!s/$/ \\/' >"$1/POTFILES"
-    ]
-    if test ! -f "$1/Makefile"; then
-      AC_MSG_ERROR([$1/Makefile is not ready.])
-    fi
-    mv "$1/Makefile" "$1/Makefile.tmp"
-    [sed '/^POTFILES =/,/[^\\]$/ {
-		/^POTFILES =/!d
-		r $1/POTFILES
-	  }
-	 ' "$1/Makefile.tmp" >"$1/Makefile"]
-    rm -f "$1/Makefile.tmp"
-    mv "$1/stamp-it.tmp" "$1/stamp-it"
-  ])
-])dnl
-])
-
-
-# deprecated macros
-AU_ALIAS([AC_PROG_INTLTOOL], [IT_PROG_INTLTOOL])
-# A hint is needed for aclocal from Automake <= 1.9.4:
-# AC_DEFUN([AC_PROG_INTLTOOL], ...)
-
-
-# libtool.m4 - Configure libtool for the host system. -*-Autoconf-*-
-
-# serial 52 Debian 1.5.26-1ubuntu1 AC_PROG_LIBTOOL
-
-
-# AC_PROVIDE_IFELSE(MACRO-NAME, IF-PROVIDED, IF-NOT-PROVIDED)
-# -----------------------------------------------------------
-# If this macro is not defined by Autoconf, define it here.
-m4_ifdef([AC_PROVIDE_IFELSE],
-         [],
-         [m4_define([AC_PROVIDE_IFELSE],
-	         [m4_ifdef([AC_PROVIDE_$1],
-		           [$2], [$3])])])
-
-
-# AC_PROG_LIBTOOL
-# ---------------
-AC_DEFUN([AC_PROG_LIBTOOL],
-[AC_REQUIRE([_AC_PROG_LIBTOOL])dnl
-dnl If AC_PROG_CXX has already been expanded, run AC_LIBTOOL_CXX
-dnl immediately, otherwise, hook it in at the end of AC_PROG_CXX.
-  AC_PROVIDE_IFELSE([AC_PROG_CXX],
-    [AC_LIBTOOL_CXX],
-    [define([AC_PROG_CXX], defn([AC_PROG_CXX])[AC_LIBTOOL_CXX
-  ])])
-dnl And a similar setup for Fortran 77 support
-  AC_PROVIDE_IFELSE([AC_PROG_F77],
-    [AC_LIBTOOL_F77],
-    [define([AC_PROG_F77], defn([AC_PROG_F77])[AC_LIBTOOL_F77
-])])
-
-dnl Quote A][M_PROG_GCJ so that aclocal doesn't bring it in needlessly.
-dnl If either AC_PROG_GCJ or A][M_PROG_GCJ have already been expanded, run
-dnl AC_LIBTOOL_GCJ immediately, otherwise, hook it in at the end of both.
-  AC_PROVIDE_IFELSE([AC_PROG_GCJ],
-    [AC_LIBTOOL_GCJ],
-    [AC_PROVIDE_IFELSE([A][M_PROG_GCJ],
-      [AC_LIBTOOL_GCJ],
-      [AC_PROVIDE_IFELSE([LT_AC_PROG_GCJ],
-	[AC_LIBTOOL_GCJ],
-      [ifdef([AC_PROG_GCJ],
-	     [define([AC_PROG_GCJ], defn([AC_PROG_GCJ])[AC_LIBTOOL_GCJ])])
-       ifdef([A][M_PROG_GCJ],
-	     [define([A][M_PROG_GCJ], defn([A][M_PROG_GCJ])[AC_LIBTOOL_GCJ])])
-       ifdef([LT_AC_PROG_GCJ],
-	     [define([LT_AC_PROG_GCJ],
-		defn([LT_AC_PROG_GCJ])[AC_LIBTOOL_GCJ])])])])
-])])# AC_PROG_LIBTOOL
-
-
-# _AC_PROG_LIBTOOL
-# ----------------
-AC_DEFUN([_AC_PROG_LIBTOOL],
-[AC_REQUIRE([AC_LIBTOOL_SETUP])dnl
-AC_BEFORE([$0],[AC_LIBTOOL_CXX])dnl
-AC_BEFORE([$0],[AC_LIBTOOL_F77])dnl
-AC_BEFORE([$0],[AC_LIBTOOL_GCJ])dnl
-
-# This can be used to rebuild libtool when needed
-LIBTOOL_DEPS="$ac_aux_dir/ltmain.sh"
-
-# Always use our own libtool.
-LIBTOOL='$(SHELL) $(top_builddir)/libtool'
-AC_SUBST(LIBTOOL)dnl
-
-# Prevent multiple expansion
-define([AC_PROG_LIBTOOL], [])
-])# _AC_PROG_LIBTOOL
-
-
-# AC_LIBTOOL_SETUP
-# ----------------
-AC_DEFUN([AC_LIBTOOL_SETUP],
-[AC_PREREQ(2.50)dnl
-AC_REQUIRE([AC_ENABLE_SHARED])dnl
-AC_REQUIRE([AC_ENABLE_STATIC])dnl
-AC_REQUIRE([AC_ENABLE_FAST_INSTALL])dnl
-AC_REQUIRE([AC_CANONICAL_HOST])dnl
-AC_REQUIRE([AC_CANONICAL_BUILD])dnl
-AC_REQUIRE([AC_PROG_CC])dnl
-AC_REQUIRE([AC_PROG_LD])dnl
-AC_REQUIRE([AC_PROG_LD_RELOAD_FLAG])dnl
-AC_REQUIRE([AC_PROG_NM])dnl
-
-AC_REQUIRE([AC_PROG_LN_S])dnl
-AC_REQUIRE([AC_DEPLIBS_CHECK_METHOD])dnl
-# Autoconf 2.13's AC_OBJEXT and AC_EXEEXT macros only works for C compilers!
-AC_REQUIRE([AC_OBJEXT])dnl
-AC_REQUIRE([AC_EXEEXT])dnl
-dnl
-AC_LIBTOOL_SYS_MAX_CMD_LEN
-AC_LIBTOOL_SYS_GLOBAL_SYMBOL_PIPE
-AC_LIBTOOL_OBJDIR
-
-AC_REQUIRE([_LT_AC_SYS_COMPILER])dnl
-_LT_AC_PROG_ECHO_BACKSLASH
-
-case $host_os in
-aix3*)
-  # AIX sometimes has problems with the GCC collect2 program.  For some
-  # reason, if we set the COLLECT_NAMES environment variable, the problems
-  # vanish in a puff of smoke.
-  if test "X${COLLECT_NAMES+set}" != Xset; then
-    COLLECT_NAMES=
-    export COLLECT_NAMES
-  fi
-  ;;
-esac
-
-# Sed substitution that helps us do robust quoting.  It backslashifies
-# metacharacters that are still active within double-quoted strings.
-Xsed='sed -e 1s/^X//'
-[sed_quote_subst='s/\([\\"\\`$\\\\]\)/\\\1/g']
-
-# Same as above, but do not quote variable references.
-[double_quote_subst='s/\([\\"\\`\\\\]\)/\\\1/g']
-
-# Sed substitution to delay expansion of an escaped shell variable in a
-# double_quote_subst'ed string.
-delay_variable_subst='s/\\\\\\\\\\\$/\\\\\\$/g'
-
-# Sed substitution to avoid accidental globbing in evaled expressions
-no_glob_subst='s/\*/\\\*/g'
-
-# Constants:
-rm="rm -f"
-
-# Global variables:
-default_ofile=libtool
-can_build_shared=yes
-
-# All known linkers require a `.a' archive for static linking (except MSVC,
-# which needs '.lib').
-libext=a
-ltmain="$ac_aux_dir/ltmain.sh"
-ofile="$default_ofile"
-with_gnu_ld="$lt_cv_prog_gnu_ld"
-
-AC_CHECK_TOOL(AR, ar, false)
-AC_CHECK_TOOL(RANLIB, ranlib, :)
-AC_CHECK_TOOL(STRIP, strip, :)
-
-old_CC="$CC"
-old_CFLAGS="$CFLAGS"
-
-# Set sane defaults for various variables
-test -z "$AR" && AR=ar
-test -z "$AR_FLAGS" && AR_FLAGS=cru
-test -z "$AS" && AS=as
-test -z "$CC" && CC=cc
-test -z "$LTCC" && LTCC=$CC
-test -z "$LTCFLAGS" && LTCFLAGS=$CFLAGS
-test -z "$DLLTOOL" && DLLTOOL=dlltool
-test -z "$LD" && LD=ld
-test -z "$LN_S" && LN_S="ln -s"
-test -z "$MAGIC_CMD" && MAGIC_CMD=file
-test -z "$NM" && NM=nm
-test -z "$SED" && SED=sed
-test -z "$OBJDUMP" && OBJDUMP=objdump
-test -z "$RANLIB" && RANLIB=:
-test -z "$STRIP" && STRIP=:
-test -z "$ac_objext" && ac_objext=o
-
-# Determine commands to create old-style static archives.
-old_archive_cmds='$AR $AR_FLAGS $oldlib$oldobjs'
-old_postinstall_cmds='chmod 644 $oldlib'
-old_postuninstall_cmds=
-
-if test -n "$RANLIB"; then
-  case $host_os in
-  openbsd*)
-    old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB -t \$oldlib"
-    ;;
-  *)
-    old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB \$oldlib"
-    ;;
-  esac
-  old_archive_cmds="$old_archive_cmds~\$RANLIB \$oldlib"
-fi
-
-_LT_CC_BASENAME([$compiler])
-
-# Only perform the check for file, if the check method requires it
-case $deplibs_check_method in
-file_magic*)
-  if test "$file_magic_cmd" = '$MAGIC_CMD'; then
-    AC_PATH_MAGIC
-  fi
-  ;;
-esac
-
-_LT_REQUIRED_DARWIN_CHECKS
-
-AC_PROVIDE_IFELSE([AC_LIBTOOL_DLOPEN], enable_dlopen=yes, enable_dlopen=no)
-AC_PROVIDE_IFELSE([AC_LIBTOOL_WIN32_DLL],
-enable_win32_dll=yes, enable_win32_dll=no)
-
-AC_ARG_ENABLE([libtool-lock],
-    [AC_HELP_STRING([--disable-libtool-lock],
-	[avoid locking (might break parallel builds)])])
-test "x$enable_libtool_lock" != xno && enable_libtool_lock=yes
-
-AC_ARG_WITH([pic],
-    [AC_HELP_STRING([--with-pic],
-	[try to use only PIC/non-PIC objects @<:@default=use both@:>@])],
-    [pic_mode="$withval"],
-    [pic_mode=default])
-test -z "$pic_mode" && pic_mode=default
-
-# Use C for the default configuration in the libtool script
-tagname=
-AC_LIBTOOL_LANG_C_CONFIG
-_LT_AC_TAGCONFIG
-])# AC_LIBTOOL_SETUP
-
-
-# _LT_AC_SYS_COMPILER
-# -------------------
-AC_DEFUN([_LT_AC_SYS_COMPILER],
-[AC_REQUIRE([AC_PROG_CC])dnl
-
-# If no C compiler was specified, use CC.
-LTCC=${LTCC-"$CC"}
-
-# If no C compiler flags were specified, use CFLAGS.
-LTCFLAGS=${LTCFLAGS-"$CFLAGS"}
-
-# Allow CC to be a program name with arguments.
-compiler=$CC
-])# _LT_AC_SYS_COMPILER
-
-
-# _LT_CC_BASENAME(CC)
-# -------------------
-# Calculate cc_basename.  Skip known compiler wrappers and cross-prefix.
-AC_DEFUN([_LT_CC_BASENAME],
-[for cc_temp in $1""; do
-  case $cc_temp in
-    compile | *[[\\/]]compile | ccache | *[[\\/]]ccache ) ;;
-    distcc | *[[\\/]]distcc | purify | *[[\\/]]purify ) ;;
-    \-*) ;;
-    *) break;;
-  esac
-done
-cc_basename=`$echo "X$cc_temp" | $Xsed -e 's%.*/%%' -e "s%^$host_alias-%%"`
-])
-
-
-# _LT_COMPILER_BOILERPLATE
-# ------------------------
-# Check for compiler boilerplate output or warnings with
-# the simple compiler test code.
-AC_DEFUN([_LT_COMPILER_BOILERPLATE],
-[AC_REQUIRE([LT_AC_PROG_SED])dnl
-ac_outfile=conftest.$ac_objext
-echo "$lt_simple_compile_test_code" >conftest.$ac_ext
-eval "$ac_compile" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err
-_lt_compiler_boilerplate=`cat conftest.err`
-$rm conftest*
-])# _LT_COMPILER_BOILERPLATE
-
-
-# _LT_LINKER_BOILERPLATE
-# ----------------------
-# Check for linker boilerplate output or warnings with
-# the simple link test code.
-AC_DEFUN([_LT_LINKER_BOILERPLATE],
-[AC_REQUIRE([LT_AC_PROG_SED])dnl
-ac_outfile=conftest.$ac_objext
-echo "$lt_simple_link_test_code" >conftest.$ac_ext
-eval "$ac_link" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err
-_lt_linker_boilerplate=`cat conftest.err`
-$rm -r conftest*
-])# _LT_LINKER_BOILERPLATE
-
-# _LT_REQUIRED_DARWIN_CHECKS
-# --------------------------
-# Check for some things on darwin
-AC_DEFUN([_LT_REQUIRED_DARWIN_CHECKS],[
-  case $host_os in
-    rhapsody* | darwin*)
-    AC_CHECK_TOOL([DSYMUTIL], [dsymutil], [:])
-    AC_CHECK_TOOL([NMEDIT], [nmedit], [:])
-
-    AC_CACHE_CHECK([for -single_module linker flag],[lt_cv_apple_cc_single_mod],
-      [lt_cv_apple_cc_single_mod=no
-      if test -z "${LT_MULTI_MODULE}"; then
-   # By default we will add the -single_module flag. You can override
-   # by either setting the environment variable LT_MULTI_MODULE
-   # non-empty at configure time, or by adding -multi_module to the
-   # link flags.
-   echo "int foo(void){return 1;}" > conftest.c
-   $LTCC $LTCFLAGS $LDFLAGS -o libconftest.dylib \
-     -dynamiclib ${wl}-single_module conftest.c
-   if test -f libconftest.dylib; then
-     lt_cv_apple_cc_single_mod=yes
-     rm -rf libconftest.dylib*
-   fi
-   rm conftest.c
-      fi])
-    AC_CACHE_CHECK([for -exported_symbols_list linker flag],
-      [lt_cv_ld_exported_symbols_list],
-      [lt_cv_ld_exported_symbols_list=no
-      save_LDFLAGS=$LDFLAGS
-      echo "_main" > conftest.sym
-      LDFLAGS="$LDFLAGS -Wl,-exported_symbols_list,conftest.sym"
-      AC_LINK_IFELSE([AC_LANG_PROGRAM([],[])],
-   [lt_cv_ld_exported_symbols_list=yes],
-   [lt_cv_ld_exported_symbols_list=no])
-   LDFLAGS="$save_LDFLAGS"
-    ])
-    case $host_os in
-    rhapsody* | darwin1.[[0123]])
-      _lt_dar_allow_undefined='${wl}-undefined ${wl}suppress' ;;
-    darwin1.*)
-     _lt_dar_allow_undefined='${wl}-flat_namespace ${wl}-undefined ${wl}suppress' ;;
-    darwin*)
-      # if running on 10.5 or later, the deployment target defaults
-      # to the OS version, if on x86, and 10.4, the deployment
-      # target defaults to 10.4. Don't you love it?
-      case ${MACOSX_DEPLOYMENT_TARGET-10.0},$host in
-   10.0,*86*-darwin8*|10.0,*-darwin[[91]]*)
-     _lt_dar_allow_undefined='${wl}-undefined ${wl}dynamic_lookup' ;;
-   10.[[012]]*)
-     _lt_dar_allow_undefined='${wl}-flat_namespace ${wl}-undefined ${wl}suppress' ;;
-   10.*)
-     _lt_dar_allow_undefined='${wl}-undefined ${wl}dynamic_lookup' ;;
-      esac
-    ;;
-  esac
-    if test "$lt_cv_apple_cc_single_mod" = "yes"; then
-      _lt_dar_single_mod='$single_module'
-    fi
-    if test "$lt_cv_ld_exported_symbols_list" = "yes"; then
-      _lt_dar_export_syms=' ${wl}-exported_symbols_list,$output_objdir/${libname}-symbols.expsym'
-    else
-      _lt_dar_export_syms="~$NMEDIT -s \$output_objdir/\${libname}-symbols.expsym \${lib}"
-    fi
-    if test "$DSYMUTIL" != ":"; then
-      _lt_dsymutil="~$DSYMUTIL \$lib || :"
-    else
-      _lt_dsymutil=
-    fi
-    ;;
-  esac
-])
-
-# _LT_AC_SYS_LIBPATH_AIX
-# ----------------------
-# Links a minimal program and checks the executable
-# for the system default hardcoded library path. In most cases,
-# this is /usr/lib:/lib, but when the MPI compilers are used
-# the location of the communication and MPI libs are included too.
-# If we don't find anything, use the default library path according
-# to the aix ld manual.
-AC_DEFUN([_LT_AC_SYS_LIBPATH_AIX],
-[AC_REQUIRE([LT_AC_PROG_SED])dnl
-AC_LINK_IFELSE(AC_LANG_PROGRAM,[
-lt_aix_libpath_sed='
-    /Import File Strings/,/^$/ {
-	/^0/ {
-	    s/^0  *\(.*\)$/\1/
-	    p
-	}
-    }'
-aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
-# Check for a 64-bit object if we didn't find anything.
-if test -z "$aix_libpath"; then
-  aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
-fi],[])
-if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
-])# _LT_AC_SYS_LIBPATH_AIX
-
-
-# _LT_AC_SHELL_INIT(ARG)
-# ----------------------
-AC_DEFUN([_LT_AC_SHELL_INIT],
-[ifdef([AC_DIVERSION_NOTICE],
-	     [AC_DIVERT_PUSH(AC_DIVERSION_NOTICE)],
-	 [AC_DIVERT_PUSH(NOTICE)])
-$1
-AC_DIVERT_POP
-])# _LT_AC_SHELL_INIT
-
-
-# _LT_AC_PROG_ECHO_BACKSLASH
-# --------------------------
-# Add some code to the start of the generated configure script which
-# will find an echo command which doesn't interpret backslashes.
-AC_DEFUN([_LT_AC_PROG_ECHO_BACKSLASH],
-[_LT_AC_SHELL_INIT([
-# Check that we are running under the correct shell.
-SHELL=${CONFIG_SHELL-/bin/sh}
-
-case X$ECHO in
-X*--fallback-echo)
-  # Remove one level of quotation (which was required for Make).
-  ECHO=`echo "$ECHO" | sed 's,\\\\\[$]\\[$]0,'[$]0','`
-  ;;
-esac
-
-echo=${ECHO-echo}
-if test "X[$]1" = X--no-reexec; then
-  # Discard the --no-reexec flag, and continue.
-  shift
-elif test "X[$]1" = X--fallback-echo; then
-  # Avoid inline document here, it may be left over
-  :
-elif test "X`($echo '\t') 2>/dev/null`" = 'X\t' ; then
-  # Yippee, $echo works!
-  :
-else
-  # Restart under the correct shell.
-  exec $SHELL "[$]0" --no-reexec ${1+"[$]@"}
-fi
-
-if test "X[$]1" = X--fallback-echo; then
-  # used as fallback echo
-  shift
-  cat <<EOF
-[$]*
-EOF
-  exit 0
-fi
-
-# The HP-UX ksh and POSIX shell print the target directory to stdout
-# if CDPATH is set.
-(unset CDPATH) >/dev/null 2>&1 && unset CDPATH
-
-if test -z "$ECHO"; then
-if test "X${echo_test_string+set}" != Xset; then
-# find a string as large as possible, as long as the shell can cope with it
-  for cmd in 'sed 50q "[$]0"' 'sed 20q "[$]0"' 'sed 10q "[$]0"' 'sed 2q "[$]0"' 'echo test'; do
-    # expected sizes: less than 2Kb, 1Kb, 512 bytes, 16 bytes, ...
-    if (echo_test_string=`eval $cmd`) 2>/dev/null &&
-       echo_test_string=`eval $cmd` &&
-       (test "X$echo_test_string" = "X$echo_test_string") 2>/dev/null
-    then
-      break
-    fi
-  done
-fi
-
-if test "X`($echo '\t') 2>/dev/null`" = 'X\t' &&
-   echo_testing_string=`($echo "$echo_test_string") 2>/dev/null` &&
-   test "X$echo_testing_string" = "X$echo_test_string"; then
-  :
-else
-  # The Solaris, AIX, and Digital Unix default echo programs unquote
-  # backslashes.  This makes it impossible to quote backslashes using
-  #   echo "$something" | sed 's/\\/\\\\/g'
-  #
-  # So, first we look for a working echo in the user's PATH.
-
-  lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR
-  for dir in $PATH /usr/ucb; do
-    IFS="$lt_save_ifs"
-    if (test -f $dir/echo || test -f $dir/echo$ac_exeext) &&
-       test "X`($dir/echo '\t') 2>/dev/null`" = 'X\t' &&
-       echo_testing_string=`($dir/echo "$echo_test_string") 2>/dev/null` &&
-       test "X$echo_testing_string" = "X$echo_test_string"; then
-      echo="$dir/echo"
-      break
-    fi
-  done
-  IFS="$lt_save_ifs"
-
-  if test "X$echo" = Xecho; then
-    # We didn't find a better echo, so look for alternatives.
-    if test "X`(print -r '\t') 2>/dev/null`" = 'X\t' &&
-       echo_testing_string=`(print -r "$echo_test_string") 2>/dev/null` &&
-       test "X$echo_testing_string" = "X$echo_test_string"; then
-      # This shell has a builtin print -r that does the trick.
-      echo='print -r'
-    elif (test -f /bin/ksh || test -f /bin/ksh$ac_exeext) &&
-	 test "X$CONFIG_SHELL" != X/bin/ksh; then
-      # If we have ksh, try running configure again with it.
-      ORIGINAL_CONFIG_SHELL=${CONFIG_SHELL-/bin/sh}
-      export ORIGINAL_CONFIG_SHELL
-      CONFIG_SHELL=/bin/ksh
-      export CONFIG_SHELL
-      exec $CONFIG_SHELL "[$]0" --no-reexec ${1+"[$]@"}
-    else
-      # Try using printf.
-      echo='printf %s\n'
-      if test "X`($echo '\t') 2>/dev/null`" = 'X\t' &&
-	 echo_testing_string=`($echo "$echo_test_string") 2>/dev/null` &&
-	 test "X$echo_testing_string" = "X$echo_test_string"; then
-	# Cool, printf works
-	:
-      elif echo_testing_string=`($ORIGINAL_CONFIG_SHELL "[$]0" --fallback-echo '\t') 2>/dev/null` &&
-	   test "X$echo_testing_string" = 'X\t' &&
-	   echo_testing_string=`($ORIGINAL_CONFIG_SHELL "[$]0" --fallback-echo "$echo_test_string") 2>/dev/null` &&
-	   test "X$echo_testing_string" = "X$echo_test_string"; then
-	CONFIG_SHELL=$ORIGINAL_CONFIG_SHELL
-	export CONFIG_SHELL
-	SHELL="$CONFIG_SHELL"
-	export SHELL
-	echo="$CONFIG_SHELL [$]0 --fallback-echo"
-      elif echo_testing_string=`($CONFIG_SHELL "[$]0" --fallback-echo '\t') 2>/dev/null` &&
-	   test "X$echo_testing_string" = 'X\t' &&
-	   echo_testing_string=`($CONFIG_SHELL "[$]0" --fallback-echo "$echo_test_string") 2>/dev/null` &&
-	   test "X$echo_testing_string" = "X$echo_test_string"; then
-	echo="$CONFIG_SHELL [$]0 --fallback-echo"
-      else
-	# maybe with a smaller string...
-	prev=:
-
-	for cmd in 'echo test' 'sed 2q "[$]0"' 'sed 10q "[$]0"' 'sed 20q "[$]0"' 'sed 50q "[$]0"'; do
-	  if (test "X$echo_test_string" = "X`eval $cmd`") 2>/dev/null
-	  then
-	    break
-	  fi
-	  prev="$cmd"
-	done
-
-	if test "$prev" != 'sed 50q "[$]0"'; then
-	  echo_test_string=`eval $prev`
-	  export echo_test_string
-	  exec ${ORIGINAL_CONFIG_SHELL-${CONFIG_SHELL-/bin/sh}} "[$]0" ${1+"[$]@"}
-	else
-	  # Oops.  We lost completely, so just stick with echo.
-	  echo=echo
-	fi
-      fi
-    fi
-  fi
-fi
-fi
-
-# Copy echo and quote the copy suitably for passing to libtool from
-# the Makefile, instead of quoting the original, which is used later.
-ECHO=$echo
-if test "X$ECHO" = "X$CONFIG_SHELL [$]0 --fallback-echo"; then
-   ECHO="$CONFIG_SHELL \\\$\[$]0 --fallback-echo"
-fi
-
-AC_SUBST(ECHO)
-])])# _LT_AC_PROG_ECHO_BACKSLASH
-
-
-# _LT_AC_LOCK
-# -----------
-AC_DEFUN([_LT_AC_LOCK],
-[AC_ARG_ENABLE([libtool-lock],
-    [AC_HELP_STRING([--disable-libtool-lock],
-	[avoid locking (might break parallel builds)])])
-test "x$enable_libtool_lock" != xno && enable_libtool_lock=yes
-
-# Some flags need to be propagated to the compiler or linker for good
-# libtool support.
-case $host in
-ia64-*-hpux*)
-  # Find out which ABI we are using.
-  echo 'int i;' > conftest.$ac_ext
-  if AC_TRY_EVAL(ac_compile); then
-    case `/usr/bin/file conftest.$ac_objext` in
-    *ELF-32*)
-      HPUX_IA64_MODE="32"
-      ;;
-    *ELF-64*)
-      HPUX_IA64_MODE="64"
-      ;;
-    esac
-  fi
-  rm -rf conftest*
-  ;;
-*-*-irix6*)
-  # Find out which ABI we are using.
-  echo '[#]line __oline__ "configure"' > conftest.$ac_ext
-  if AC_TRY_EVAL(ac_compile); then
-   if test "$lt_cv_prog_gnu_ld" = yes; then
-    case `/usr/bin/file conftest.$ac_objext` in
-    *32-bit*)
-      LD="${LD-ld} -melf32bsmip"
-      ;;
-    *N32*)
-      LD="${LD-ld} -melf32bmipn32"
-      ;;
-    *64-bit*)
-      LD="${LD-ld} -melf64bmip"
-      ;;
-    esac
-   else
-    case `/usr/bin/file conftest.$ac_objext` in
-    *32-bit*)
-      LD="${LD-ld} -32"
-      ;;
-    *N32*)
-      LD="${LD-ld} -n32"
-      ;;
-    *64-bit*)
-      LD="${LD-ld} -64"
-      ;;
-    esac
-   fi
-  fi
-  rm -rf conftest*
-  ;;
-
-x86_64-*kfreebsd*-gnu|x86_64-*linux*|ppc*-*linux*|powerpc*-*linux*| \
-s390*-*linux*|sparc*-*linux*)
-  # Find out which ABI we are using.
-  echo 'int i;' > conftest.$ac_ext
-  if AC_TRY_EVAL(ac_compile); then
-    case `/usr/bin/file conftest.o` in
-    *32-bit*)
-      case $host in
-        x86_64-*kfreebsd*-gnu)
-          LD="${LD-ld} -m elf_i386_fbsd"
-          ;;
-        x86_64-*linux*)
-          LD="${LD-ld} -m elf_i386"
-          ;;
-        ppc64-*linux*|powerpc64-*linux*)
-          LD="${LD-ld} -m elf32ppclinux"
-          ;;
-        s390x-*linux*)
-          LD="${LD-ld} -m elf_s390"
-          ;;
-        sparc64-*linux*)
-          LD="${LD-ld} -m elf32_sparc"
-          ;;
-      esac
-      ;;
-    *64-bit*)
-      case $host in
-        x86_64-*kfreebsd*-gnu)
-          LD="${LD-ld} -m elf_x86_64_fbsd"
-          ;;
-        x86_64-*linux*)
-          LD="${LD-ld} -m elf_x86_64"
-          ;;
-        ppc*-*linux*|powerpc*-*linux*)
-          LD="${LD-ld} -m elf64ppc"
-          ;;
-        s390*-*linux*)
-          LD="${LD-ld} -m elf64_s390"
-          ;;
-        sparc*-*linux*)
-          LD="${LD-ld} -m elf64_sparc"
-          ;;
-      esac
-      ;;
-    esac
-  fi
-  rm -rf conftest*
-  ;;
-
-*-*-sco3.2v5*)
-  # On SCO OpenServer 5, we need -belf to get full-featured binaries.
-  SAVE_CFLAGS="$CFLAGS"
-  CFLAGS="$CFLAGS -belf"
-  AC_CACHE_CHECK([whether the C compiler needs -belf], lt_cv_cc_needs_belf,
-    [AC_LANG_PUSH(C)
-     AC_TRY_LINK([],[],[lt_cv_cc_needs_belf=yes],[lt_cv_cc_needs_belf=no])
-     AC_LANG_POP])
-  if test x"$lt_cv_cc_needs_belf" != x"yes"; then
-    # this is probably gcc 2.8.0, egcs 1.0 or newer; no need for -belf
-    CFLAGS="$SAVE_CFLAGS"
-  fi
-  ;;
-sparc*-*solaris*)
-  # Find out which ABI we are using.
-  echo 'int i;' > conftest.$ac_ext
-  if AC_TRY_EVAL(ac_compile); then
-    case `/usr/bin/file conftest.o` in
-    *64-bit*)
-      case $lt_cv_prog_gnu_ld in
-      yes*) LD="${LD-ld} -m elf64_sparc" ;;
-      *)
-        if ${LD-ld} -64 -r -o conftest2.o conftest.o >/dev/null 2>&1; then
-	  LD="${LD-ld} -64"
-	fi
-	;;
-      esac
-      ;;
-    esac
-  fi
-  rm -rf conftest*
-  ;;
-
-AC_PROVIDE_IFELSE([AC_LIBTOOL_WIN32_DLL],
-[*-*-cygwin* | *-*-mingw* | *-*-pw32*)
-  AC_CHECK_TOOL(DLLTOOL, dlltool, false)
-  AC_CHECK_TOOL(AS, as, false)
-  AC_CHECK_TOOL(OBJDUMP, objdump, false)
-  ;;
-  ])
-esac
-
-need_locks="$enable_libtool_lock"
-
-])# _LT_AC_LOCK
-
-
-# AC_LIBTOOL_COMPILER_OPTION(MESSAGE, VARIABLE-NAME, FLAGS,
-#		[OUTPUT-FILE], [ACTION-SUCCESS], [ACTION-FAILURE])
-# ----------------------------------------------------------------
-# Check whether the given compiler option works
-AC_DEFUN([AC_LIBTOOL_COMPILER_OPTION],
-[AC_REQUIRE([LT_AC_PROG_SED])
-AC_CACHE_CHECK([$1], [$2],
-  [$2=no
-  ifelse([$4], , [ac_outfile=conftest.$ac_objext], [ac_outfile=$4])
-   echo "$lt_simple_compile_test_code" > conftest.$ac_ext
-   lt_compiler_flag="$3"
-   # Insert the option either (1) after the last *FLAGS variable, or
-   # (2) before a word containing "conftest.", or (3) at the end.
-   # Note that $ac_compile itself does not contain backslashes and begins
-   # with a dollar sign (not a hyphen), so the echo should work correctly.
-   # The option is referenced via a variable to avoid confusing sed.
-   lt_compile=`echo "$ac_compile" | $SED \
-   -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-   -e 's: [[^ ]]*conftest\.: $lt_compiler_flag&:; t' \
-   -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:__oline__: $lt_compile\"" >&AS_MESSAGE_LOG_FD)
-   (eval "$lt_compile" 2>conftest.err)
-   ac_status=$?
-   cat conftest.err >&AS_MESSAGE_LOG_FD
-   echo "$as_me:__oline__: \$? = $ac_status" >&AS_MESSAGE_LOG_FD
-   if (exit $ac_status) && test -s "$ac_outfile"; then
-     # The compiler can only warn and ignore the option if not recognized
-     # So say no if there are warnings other than the usual output.
-     $echo "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' >conftest.exp
-     $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2
-     if test ! -s conftest.er2 || diff conftest.exp conftest.er2 >/dev/null; then
-       $2=yes
-     fi
-   fi
-   $rm conftest*
-])
-
-if test x"[$]$2" = xyes; then
-    ifelse([$5], , :, [$5])
-else
-    ifelse([$6], , :, [$6])
-fi
-])# AC_LIBTOOL_COMPILER_OPTION
-
-
-# AC_LIBTOOL_LINKER_OPTION(MESSAGE, VARIABLE-NAME, FLAGS,
-#                          [ACTION-SUCCESS], [ACTION-FAILURE])
-# ------------------------------------------------------------
-# Check whether the given compiler option works
-AC_DEFUN([AC_LIBTOOL_LINKER_OPTION],
-[AC_REQUIRE([LT_AC_PROG_SED])dnl
-AC_CACHE_CHECK([$1], [$2],
-  [$2=no
-   save_LDFLAGS="$LDFLAGS"
-   LDFLAGS="$LDFLAGS $3"
-   echo "$lt_simple_link_test_code" > conftest.$ac_ext
-   if (eval $ac_link 2>conftest.err) && test -s conftest$ac_exeext; then
-     # The linker can only warn and ignore the option if not recognized
-     # So say no if there are warnings
-     if test -s conftest.err; then
-       # Append any errors to the config.log.
-       cat conftest.err 1>&AS_MESSAGE_LOG_FD
-       $echo "X$_lt_linker_boilerplate" | $Xsed -e '/^$/d' > conftest.exp
-       $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2
-       if diff conftest.exp conftest.er2 >/dev/null; then
-         $2=yes
-       fi
-     else
-       $2=yes
-     fi
-   fi
-   $rm -r conftest*
-   LDFLAGS="$save_LDFLAGS"
-])
-
-if test x"[$]$2" = xyes; then
-    ifelse([$4], , :, [$4])
-else
-    ifelse([$5], , :, [$5])
-fi
-])# AC_LIBTOOL_LINKER_OPTION
-
-
-# AC_LIBTOOL_SYS_MAX_CMD_LEN
-# --------------------------
-AC_DEFUN([AC_LIBTOOL_SYS_MAX_CMD_LEN],
-[# find the maximum length of command line arguments
-AC_MSG_CHECKING([the maximum length of command line arguments])
-AC_CACHE_VAL([lt_cv_sys_max_cmd_len], [dnl
-  i=0
-  teststring="ABCD"
-
-  case $build_os in
-  msdosdjgpp*)
-    # On DJGPP, this test can blow up pretty badly due to problems in libc
-    # (any single argument exceeding 2000 bytes causes a buffer overrun
-    # during glob expansion).  Even if it were fixed, the result of this
-    # check would be larger than it should be.
-    lt_cv_sys_max_cmd_len=12288;    # 12K is about right
-    ;;
-
-  gnu*)
-    # Under GNU Hurd, this test is not required because there is
-    # no limit to the length of command line arguments.
-    # Libtool will interpret -1 as no limit whatsoever
-    lt_cv_sys_max_cmd_len=-1;
-    ;;
-
-  cygwin* | mingw*)
-    # On Win9x/ME, this test blows up -- it succeeds, but takes
-    # about 5 minutes as the teststring grows exponentially.
-    # Worse, since 9x/ME are not pre-emptively multitasking,
-    # you end up with a "frozen" computer, even though with patience
-    # the test eventually succeeds (with a max line length of 256k).
-    # Instead, let's just punt: use the minimum linelength reported by
-    # all of the supported platforms: 8192 (on NT/2K/XP).
-    lt_cv_sys_max_cmd_len=8192;
-    ;;
-
-  amigaos*)
-    # On AmigaOS with pdksh, this test takes hours, literally.
-    # So we just punt and use a minimum line length of 8192.
-    lt_cv_sys_max_cmd_len=8192;
-    ;;
-
-  netbsd* | freebsd* | openbsd* | darwin* | dragonfly*)
-    # This has been around since 386BSD, at least.  Likely further.
-    if test -x /sbin/sysctl; then
-      lt_cv_sys_max_cmd_len=`/sbin/sysctl -n kern.argmax`
-    elif test -x /usr/sbin/sysctl; then
-      lt_cv_sys_max_cmd_len=`/usr/sbin/sysctl -n kern.argmax`
-    else
-      lt_cv_sys_max_cmd_len=65536	# usable default for all BSDs
-    fi
-    # And add a safety zone
-    lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 4`
-    lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \* 3`
-    ;;
-
-  interix*)
-    # We know the value 262144 and hardcode it with a safety zone (like BSD)
-    lt_cv_sys_max_cmd_len=196608
-    ;;
-
-  osf*)
-    # Dr. Hans Ekkehard Plesser reports seeing a kernel panic running configure
-    # due to this test when exec_disable_arg_limit is 1 on Tru64. It is not
-    # nice to cause kernel panics so lets avoid the loop below.
-    # First set a reasonable default.
-    lt_cv_sys_max_cmd_len=16384
-    #
-    if test -x /sbin/sysconfig; then
-      case `/sbin/sysconfig -q proc exec_disable_arg_limit` in
-        *1*) lt_cv_sys_max_cmd_len=-1 ;;
-      esac
-    fi
-    ;;
-  sco3.2v5*)
-    lt_cv_sys_max_cmd_len=102400
-    ;;
-  sysv5* | sco5v6* | sysv4.2uw2*)
-    kargmax=`grep ARG_MAX /etc/conf/cf.d/stune 2>/dev/null`
-    if test -n "$kargmax"; then
-      lt_cv_sys_max_cmd_len=`echo $kargmax | sed 's/.*[[ 	]]//'`
-    else
-      lt_cv_sys_max_cmd_len=32768
-    fi
-    ;;
-  *)
-    lt_cv_sys_max_cmd_len=`(getconf ARG_MAX) 2> /dev/null`
-    if test -n "$lt_cv_sys_max_cmd_len"; then
-      lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 4`
-      lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \* 3`
-    else
-      SHELL=${SHELL-${CONFIG_SHELL-/bin/sh}}
-      while (test "X"`$SHELL [$]0 --fallback-echo "X$teststring" 2>/dev/null` \
-	       = "XX$teststring") >/dev/null 2>&1 &&
-	      new_result=`expr "X$teststring" : ".*" 2>&1` &&
-	      lt_cv_sys_max_cmd_len=$new_result &&
-	      test $i != 17 # 1/2 MB should be enough
-      do
-        i=`expr $i + 1`
-        teststring=$teststring$teststring
-      done
-      teststring=
-      # Add a significant safety factor because C++ compilers can tack on massive
-      # amounts of additional arguments before passing them to the linker.
-      # It appears as though 1/2 is a usable value.
-      lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 2`
-    fi
-    ;;
-  esac
-])
-if test -n $lt_cv_sys_max_cmd_len ; then
-  AC_MSG_RESULT($lt_cv_sys_max_cmd_len)
-else
-  AC_MSG_RESULT(none)
-fi
-])# AC_LIBTOOL_SYS_MAX_CMD_LEN
-
-
-# _LT_AC_CHECK_DLFCN
-# ------------------
-AC_DEFUN([_LT_AC_CHECK_DLFCN],
-[AC_CHECK_HEADERS(dlfcn.h)dnl
-])# _LT_AC_CHECK_DLFCN
-
-
-# _LT_AC_TRY_DLOPEN_SELF (ACTION-IF-TRUE, ACTION-IF-TRUE-W-USCORE,
-#                           ACTION-IF-FALSE, ACTION-IF-CROSS-COMPILING)
-# ---------------------------------------------------------------------
-AC_DEFUN([_LT_AC_TRY_DLOPEN_SELF],
-[AC_REQUIRE([_LT_AC_CHECK_DLFCN])dnl
-if test "$cross_compiling" = yes; then :
-  [$4]
-else
-  lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
-  lt_status=$lt_dlunknown
-  cat > conftest.$ac_ext <<EOF
-[#line __oline__ "configure"
-#include "confdefs.h"
-
-#if HAVE_DLFCN_H
-#include <dlfcn.h>
-#endif
-
-#include <stdio.h>
-
-#ifdef RTLD_GLOBAL
-#  define LT_DLGLOBAL		RTLD_GLOBAL
-#else
-#  ifdef DL_GLOBAL
-#    define LT_DLGLOBAL		DL_GLOBAL
-#  else
-#    define LT_DLGLOBAL		0
-#  endif
-#endif
-
-/* We may have to define LT_DLLAZY_OR_NOW in the command line if we
-   find out it does not work in some platform. */
-#ifndef LT_DLLAZY_OR_NOW
-#  ifdef RTLD_LAZY
-#    define LT_DLLAZY_OR_NOW		RTLD_LAZY
-#  else
-#    ifdef DL_LAZY
-#      define LT_DLLAZY_OR_NOW		DL_LAZY
-#    else
-#      ifdef RTLD_NOW
-#        define LT_DLLAZY_OR_NOW	RTLD_NOW
-#      else
-#        ifdef DL_NOW
-#          define LT_DLLAZY_OR_NOW	DL_NOW
-#        else
-#          define LT_DLLAZY_OR_NOW	0
-#        endif
-#      endif
-#    endif
-#  endif
-#endif
-
-#ifdef __cplusplus
-extern "C" void exit (int);
-#endif
-
-void fnord() { int i=42;}
-int main ()
-{
-  void *self = dlopen (0, LT_DLGLOBAL|LT_DLLAZY_OR_NOW);
-  int status = $lt_dlunknown;
-
-  if (self)
-    {
-      if (dlsym (self,"fnord"))       status = $lt_dlno_uscore;
-      else if (dlsym( self,"_fnord")) status = $lt_dlneed_uscore;
-      /* dlclose (self); */
-    }
-  else
-    puts (dlerror ());
-
-    exit (status);
-}]
-EOF
-  if AC_TRY_EVAL(ac_link) && test -s conftest${ac_exeext} 2>/dev/null; then
-    (./conftest; exit; ) >&AS_MESSAGE_LOG_FD 2>/dev/null
-    lt_status=$?
-    case x$lt_status in
-      x$lt_dlno_uscore) $1 ;;
-      x$lt_dlneed_uscore) $2 ;;
-      x$lt_dlunknown|x*) $3 ;;
-    esac
-  else :
-    # compilation failed
-    $3
-  fi
-fi
-rm -fr conftest*
-])# _LT_AC_TRY_DLOPEN_SELF
-
-
-# AC_LIBTOOL_DLOPEN_SELF
-# ----------------------
-AC_DEFUN([AC_LIBTOOL_DLOPEN_SELF],
-[AC_REQUIRE([_LT_AC_CHECK_DLFCN])dnl
-if test "x$enable_dlopen" != xyes; then
-  enable_dlopen=unknown
-  enable_dlopen_self=unknown
-  enable_dlopen_self_static=unknown
-else
-  lt_cv_dlopen=no
-  lt_cv_dlopen_libs=
-
-  case $host_os in
-  beos*)
-    lt_cv_dlopen="load_add_on"
-    lt_cv_dlopen_libs=
-    lt_cv_dlopen_self=yes
-    ;;
-
-  mingw* | pw32*)
-    lt_cv_dlopen="LoadLibrary"
-    lt_cv_dlopen_libs=
-   ;;
-
-  cygwin*)
-    lt_cv_dlopen="dlopen"
-    lt_cv_dlopen_libs=
-   ;;
-
-  darwin*)
-  # if libdl is installed we need to link against it
-    AC_CHECK_LIB([dl], [dlopen],
-		[lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-ldl"],[
-    lt_cv_dlopen="dyld"
-    lt_cv_dlopen_libs=
-    lt_cv_dlopen_self=yes
-    ])
-   ;;
-
-  *)
-    AC_CHECK_FUNC([shl_load],
-	  [lt_cv_dlopen="shl_load"],
-      [AC_CHECK_LIB([dld], [shl_load],
-	    [lt_cv_dlopen="shl_load" lt_cv_dlopen_libs="-ldld"],
-	[AC_CHECK_FUNC([dlopen],
-	      [lt_cv_dlopen="dlopen"],
-	  [AC_CHECK_LIB([dl], [dlopen],
-		[lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-ldl"],
-	    [AC_CHECK_LIB([svld], [dlopen],
-		  [lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-lsvld"],
-	      [AC_CHECK_LIB([dld], [dld_link],
-		    [lt_cv_dlopen="dld_link" lt_cv_dlopen_libs="-ldld"])
-	      ])
-	    ])
-	  ])
-	])
-      ])
-    ;;
-  esac
-
-  if test "x$lt_cv_dlopen" != xno; then
-    enable_dlopen=yes
-  else
-    enable_dlopen=no
-  fi
-
-  case $lt_cv_dlopen in
-  dlopen)
-    save_CPPFLAGS="$CPPFLAGS"
-    test "x$ac_cv_header_dlfcn_h" = xyes && CPPFLAGS="$CPPFLAGS -DHAVE_DLFCN_H"
-
-    save_LDFLAGS="$LDFLAGS"
-    wl=$lt_prog_compiler_wl eval LDFLAGS=\"\$LDFLAGS $export_dynamic_flag_spec\"
-
-    save_LIBS="$LIBS"
-    LIBS="$lt_cv_dlopen_libs $LIBS"
-
-    AC_CACHE_CHECK([whether a program can dlopen itself],
-	  lt_cv_dlopen_self, [dnl
-	  _LT_AC_TRY_DLOPEN_SELF(
-	    lt_cv_dlopen_self=yes, lt_cv_dlopen_self=yes,
-	    lt_cv_dlopen_self=no, lt_cv_dlopen_self=cross)
-    ])
-
-    if test "x$lt_cv_dlopen_self" = xyes; then
-      wl=$lt_prog_compiler_wl eval LDFLAGS=\"\$LDFLAGS $lt_prog_compiler_static\"
-      AC_CACHE_CHECK([whether a statically linked program can dlopen itself],
-    	  lt_cv_dlopen_self_static, [dnl
-	  _LT_AC_TRY_DLOPEN_SELF(
-	    lt_cv_dlopen_self_static=yes, lt_cv_dlopen_self_static=yes,
-	    lt_cv_dlopen_self_static=no,  lt_cv_dlopen_self_static=cross)
-      ])
-    fi
-
-    CPPFLAGS="$save_CPPFLAGS"
-    LDFLAGS="$save_LDFLAGS"
-    LIBS="$save_LIBS"
-    ;;
-  esac
-
-  case $lt_cv_dlopen_self in
-  yes|no) enable_dlopen_self=$lt_cv_dlopen_self ;;
-  *) enable_dlopen_self=unknown ;;
-  esac
-
-  case $lt_cv_dlopen_self_static in
-  yes|no) enable_dlopen_self_static=$lt_cv_dlopen_self_static ;;
-  *) enable_dlopen_self_static=unknown ;;
-  esac
-fi
-])# AC_LIBTOOL_DLOPEN_SELF
-
-
-# AC_LIBTOOL_PROG_CC_C_O([TAGNAME])
-# ---------------------------------
-# Check to see if options -c and -o are simultaneously supported by compiler
-AC_DEFUN([AC_LIBTOOL_PROG_CC_C_O],
-[AC_REQUIRE([LT_AC_PROG_SED])dnl
-AC_REQUIRE([_LT_AC_SYS_COMPILER])dnl
-AC_CACHE_CHECK([if $compiler supports -c -o file.$ac_objext],
-  [_LT_AC_TAGVAR(lt_cv_prog_compiler_c_o, $1)],
-  [_LT_AC_TAGVAR(lt_cv_prog_compiler_c_o, $1)=no
-   $rm -r conftest 2>/dev/null
-   mkdir conftest
-   cd conftest
-   mkdir out
-   echo "$lt_simple_compile_test_code" > conftest.$ac_ext
-
-   lt_compiler_flag="-o out/conftest2.$ac_objext"
-   # Insert the option either (1) after the last *FLAGS variable, or
-   # (2) before a word containing "conftest.", or (3) at the end.
-   # Note that $ac_compile itself does not contain backslashes and begins
-   # with a dollar sign (not a hyphen), so the echo should work correctly.
-   lt_compile=`echo "$ac_compile" | $SED \
-   -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-   -e 's: [[^ ]]*conftest\.: $lt_compiler_flag&:; t' \
-   -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:__oline__: $lt_compile\"" >&AS_MESSAGE_LOG_FD)
-   (eval "$lt_compile" 2>out/conftest.err)
-   ac_status=$?
-   cat out/conftest.err >&AS_MESSAGE_LOG_FD
-   echo "$as_me:__oline__: \$? = $ac_status" >&AS_MESSAGE_LOG_FD
-   if (exit $ac_status) && test -s out/conftest2.$ac_objext
-   then
-     # The compiler can only warn and ignore the option if not recognized
-     # So say no if there are warnings
-     $echo "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' > out/conftest.exp
-     $SED '/^$/d; /^ *+/d' out/conftest.err >out/conftest.er2
-     if test ! -s out/conftest.er2 || diff out/conftest.exp out/conftest.er2 >/dev/null; then
-       _LT_AC_TAGVAR(lt_cv_prog_compiler_c_o, $1)=yes
-     fi
-   fi
-   chmod u+w . 2>&AS_MESSAGE_LOG_FD
-   $rm conftest*
-   # SGI C++ compiler will create directory out/ii_files/ for
-   # template instantiation
-   test -d out/ii_files && $rm out/ii_files/* && rmdir out/ii_files
-   $rm out/* && rmdir out
-   cd ..
-   rmdir conftest
-   $rm conftest*
-])
-])# AC_LIBTOOL_PROG_CC_C_O
-
-
-# AC_LIBTOOL_SYS_HARD_LINK_LOCKS([TAGNAME])
-# -----------------------------------------
-# Check to see if we can do hard links to lock some files if needed
-AC_DEFUN([AC_LIBTOOL_SYS_HARD_LINK_LOCKS],
-[AC_REQUIRE([_LT_AC_LOCK])dnl
-
-hard_links="nottested"
-if test "$_LT_AC_TAGVAR(lt_cv_prog_compiler_c_o, $1)" = no && test "$need_locks" != no; then
-  # do not overwrite the value of need_locks provided by the user
-  AC_MSG_CHECKING([if we can lock with hard links])
-  hard_links=yes
-  $rm conftest*
-  ln conftest.a conftest.b 2>/dev/null && hard_links=no
-  touch conftest.a
-  ln conftest.a conftest.b 2>&5 || hard_links=no
-  ln conftest.a conftest.b 2>/dev/null && hard_links=no
-  AC_MSG_RESULT([$hard_links])
-  if test "$hard_links" = no; then
-    AC_MSG_WARN([`$CC' does not support `-c -o', so `make -j' may be unsafe])
-    need_locks=warn
-  fi
-else
-  need_locks=no
-fi
-])# AC_LIBTOOL_SYS_HARD_LINK_LOCKS
-
-
-# AC_LIBTOOL_OBJDIR
-# -----------------
-AC_DEFUN([AC_LIBTOOL_OBJDIR],
-[AC_CACHE_CHECK([for objdir], [lt_cv_objdir],
-[rm -f .libs 2>/dev/null
-mkdir .libs 2>/dev/null
-if test -d .libs; then
-  lt_cv_objdir=.libs
-else
-  # MS-DOS does not allow filenames that begin with a dot.
-  lt_cv_objdir=_libs
-fi
-rmdir .libs 2>/dev/null])
-objdir=$lt_cv_objdir
-])# AC_LIBTOOL_OBJDIR
-
-
-# AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH([TAGNAME])
-# ----------------------------------------------
-# Check hardcoding attributes.
-AC_DEFUN([AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH],
-[AC_MSG_CHECKING([how to hardcode library paths into programs])
-_LT_AC_TAGVAR(hardcode_action, $1)=
-if test -n "$_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)" || \
-   test -n "$_LT_AC_TAGVAR(runpath_var, $1)" || \
-   test "X$_LT_AC_TAGVAR(hardcode_automatic, $1)" = "Xyes" ; then
-
-  # We can hardcode non-existant directories.
-  if test "$_LT_AC_TAGVAR(hardcode_direct, $1)" != no &&
-     # If the only mechanism to avoid hardcoding is shlibpath_var, we
-     # have to relink, otherwise we might link with an installed library
-     # when we should be linking with a yet-to-be-installed one
-     ## test "$_LT_AC_TAGVAR(hardcode_shlibpath_var, $1)" != no &&
-     test "$_LT_AC_TAGVAR(hardcode_minus_L, $1)" != no; then
-    # Linking always hardcodes the temporary library directory.
-    _LT_AC_TAGVAR(hardcode_action, $1)=relink
-  else
-    # We can link without hardcoding, and we can hardcode nonexisting dirs.
-    _LT_AC_TAGVAR(hardcode_action, $1)=immediate
-  fi
-else
-  # We cannot hardcode anything, or else we can only hardcode existing
-  # directories.
-  _LT_AC_TAGVAR(hardcode_action, $1)=unsupported
-fi
-AC_MSG_RESULT([$_LT_AC_TAGVAR(hardcode_action, $1)])
-
-if test "$_LT_AC_TAGVAR(hardcode_action, $1)" = relink; then
-  # Fast installation is not supported
-  enable_fast_install=no
-elif test "$shlibpath_overrides_runpath" = yes ||
-     test "$enable_shared" = no; then
-  # Fast installation is not necessary
-  enable_fast_install=needless
-fi
-])# AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH
-
-
-# AC_LIBTOOL_SYS_LIB_STRIP
-# ------------------------
-AC_DEFUN([AC_LIBTOOL_SYS_LIB_STRIP],
-[striplib=
-old_striplib=
-AC_MSG_CHECKING([whether stripping libraries is possible])
-if test -n "$STRIP" && $STRIP -V 2>&1 | grep "GNU strip" >/dev/null; then
-  test -z "$old_striplib" && old_striplib="$STRIP --strip-debug"
-  test -z "$striplib" && striplib="$STRIP --strip-unneeded"
-  AC_MSG_RESULT([yes])
-else
-# FIXME - insert some real tests, host_os isn't really good enough
-  case $host_os in
-   darwin*)
-       if test -n "$STRIP" ; then
-         striplib="$STRIP -x"
-         old_striplib="$STRIP -S"
-         AC_MSG_RESULT([yes])
-       else
-  AC_MSG_RESULT([no])
-fi
-       ;;
-   *)
-  AC_MSG_RESULT([no])
-    ;;
-  esac
-fi
-])# AC_LIBTOOL_SYS_LIB_STRIP
-
-
-# AC_LIBTOOL_SYS_DYNAMIC_LINKER
-# -----------------------------
-# PORTME Fill in your ld.so characteristics
-AC_DEFUN([AC_LIBTOOL_SYS_DYNAMIC_LINKER],
-[AC_REQUIRE([LT_AC_PROG_SED])dnl
-AC_MSG_CHECKING([dynamic linker characteristics])
-library_names_spec=
-libname_spec='lib$name'
-soname_spec=
-shrext_cmds=".so"
-postinstall_cmds=
-postuninstall_cmds=
-finish_cmds=
-finish_eval=
-shlibpath_var=
-shlibpath_overrides_runpath=unknown
-version_type=none
-dynamic_linker="$host_os ld.so"
-sys_lib_dlsearch_path_spec="/lib /usr/lib"
-m4_if($1,[],[
-if test "$GCC" = yes; then
-  case $host_os in
-    darwin*) lt_awk_arg="/^libraries:/,/LR/" ;;
-    *) lt_awk_arg="/^libraries:/" ;;
-  esac
-  lt_search_path_spec=`$CC -print-search-dirs | awk $lt_awk_arg | $SED -e "s/^libraries://" -e "s,=/,/,g"`
-  if echo "$lt_search_path_spec" | grep ';' >/dev/null ; then
-    # if the path contains ";" then we assume it to be the separator
-    # otherwise default to the standard path separator (i.e. ":") - it is
-    # assumed that no part of a normal pathname contains ";" but that should
-    # okay in the real world where ";" in dirpaths is itself problematic.
-    lt_search_path_spec=`echo "$lt_search_path_spec" | $SED -e 's/;/ /g'`
-  else
-    lt_search_path_spec=`echo "$lt_search_path_spec" | $SED  -e "s/$PATH_SEPARATOR/ /g"`
-  fi
-  # Ok, now we have the path, separated by spaces, we can step through it
-  # and add multilib dir if necessary.
-  lt_tmp_lt_search_path_spec=
-  lt_multi_os_dir=`$CC $CPPFLAGS $CFLAGS $LDFLAGS -print-multi-os-directory 2>/dev/null`
-  for lt_sys_path in $lt_search_path_spec; do
-    if test -d "$lt_sys_path/$lt_multi_os_dir"; then
-      lt_tmp_lt_search_path_spec="$lt_tmp_lt_search_path_spec $lt_sys_path/$lt_multi_os_dir"
-    else
-      test -d "$lt_sys_path" && \
-	lt_tmp_lt_search_path_spec="$lt_tmp_lt_search_path_spec $lt_sys_path"
-    fi
-  done
-  lt_search_path_spec=`echo $lt_tmp_lt_search_path_spec | awk '
-BEGIN {RS=" "; FS="/|\n";} {
-  lt_foo="";
-  lt_count=0;
-  for (lt_i = NF; lt_i > 0; lt_i--) {
-    if ($lt_i != "" && $lt_i != ".") {
-      if ($lt_i == "..") {
-        lt_count++;
-      } else {
-        if (lt_count == 0) {
-          lt_foo="/" $lt_i lt_foo;
-        } else {
-          lt_count--;
-        }
-      }
-    }
-  }
-  if (lt_foo != "") { lt_freq[[lt_foo]]++; }
-  if (lt_freq[[lt_foo]] == 1) { print lt_foo; }
-}'`
-  sys_lib_search_path_spec=`echo $lt_search_path_spec`
-else
-  sys_lib_search_path_spec="/lib /usr/lib /usr/local/lib"
-fi])
-need_lib_prefix=unknown
-hardcode_into_libs=no
-
-# when you set need_version to no, make sure it does not cause -set_version
-# flags to be left without arguments
-need_version=unknown
-
-case $host_os in
-aix3*)
-  version_type=linux
-  library_names_spec='${libname}${release}${shared_ext}$versuffix $libname.a'
-  shlibpath_var=LIBPATH
-
-  # AIX 3 has no versioning support, so we append a major version to the name.
-  soname_spec='${libname}${release}${shared_ext}$major'
-  ;;
-
-aix[[4-9]]*)
-  version_type=linux
-  need_lib_prefix=no
-  need_version=no
-  hardcode_into_libs=yes
-  if test "$host_cpu" = ia64; then
-    # AIX 5 supports IA64
-    library_names_spec='${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext}$versuffix $libname${shared_ext}'
-    shlibpath_var=LD_LIBRARY_PATH
-  else
-    # With GCC up to 2.95.x, collect2 would create an import file
-    # for dependence libraries.  The import file would start with
-    # the line `#! .'.  This would cause the generated library to
-    # depend on `.', always an invalid library.  This was fixed in
-    # development snapshots of GCC prior to 3.0.
-    case $host_os in
-      aix4 | aix4.[[01]] | aix4.[[01]].*)
-      if { echo '#if __GNUC__ > 2 || (__GNUC__ == 2 && __GNUC_MINOR__ >= 97)'
-	   echo ' yes '
-	   echo '#endif'; } | ${CC} -E - | grep yes > /dev/null; then
-	:
-      else
-	can_build_shared=no
-      fi
-      ;;
-    esac
-    # AIX (on Power*) has no versioning support, so currently we can not hardcode correct
-    # soname into executable. Probably we can add versioning support to
-    # collect2, so additional links can be useful in future.
-    if test "$aix_use_runtimelinking" = yes; then
-      # If using run time linking (on AIX 4.2 or later) use lib<name>.so
-      # instead of lib<name>.a to let people know that these are not
-      # typical AIX shared libraries.
-      library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-    else
-      # We preserve .a as extension for shared libraries through AIX4.2
-      # and later when we are not doing run time linking.
-      library_names_spec='${libname}${release}.a $libname.a'
-      soname_spec='${libname}${release}${shared_ext}$major'
-    fi
-    shlibpath_var=LIBPATH
-  fi
-  ;;
-
-amigaos*)
-  library_names_spec='$libname.ixlibrary $libname.a'
-  # Create ${libname}_ixlibrary.a entries in /sys/libs.
-  finish_eval='for lib in `ls $libdir/*.ixlibrary 2>/dev/null`; do libname=`$echo "X$lib" | $Xsed -e '\''s%^.*/\([[^/]]*\)\.ixlibrary$%\1%'\''`; test $rm /sys/libs/${libname}_ixlibrary.a; $show "cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a"; cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a || exit 1; done'
-  ;;
-
-beos*)
-  library_names_spec='${libname}${shared_ext}'
-  dynamic_linker="$host_os ld.so"
-  shlibpath_var=LIBRARY_PATH
-  ;;
-
-bsdi[[45]]*)
-  version_type=linux
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  finish_cmds='PATH="\$PATH:/sbin" ldconfig $libdir'
-  shlibpath_var=LD_LIBRARY_PATH
-  sys_lib_search_path_spec="/shlib /usr/lib /usr/X11/lib /usr/contrib/lib /lib /usr/local/lib"
-  sys_lib_dlsearch_path_spec="/shlib /usr/lib /usr/local/lib"
-  # the default ld.so.conf also contains /usr/contrib/lib and
-  # /usr/X11R6/lib (/usr/X11 is a link to /usr/X11R6), but let us allow
-  # libtool to hard-code these into programs
-  ;;
-
-cygwin* | mingw* | pw32*)
-  version_type=windows
-  shrext_cmds=".dll"
-  need_version=no
-  need_lib_prefix=no
-
-  case $GCC,$host_os in
-  yes,cygwin* | yes,mingw* | yes,pw32*)
-    library_names_spec='$libname.dll.a'
-    # DLL is installed to $(libdir)/../bin by postinstall_cmds
-    postinstall_cmds='base_file=`basename \${file}`~
-      dlpath=`$SHELL 2>&1 -c '\''. $dir/'\''\${base_file}'\''i;echo \$dlname'\''`~
-      dldir=$destdir/`dirname \$dlpath`~
-      test -d \$dldir || mkdir -p \$dldir~
-      $install_prog $dir/$dlname \$dldir/$dlname~
-      chmod a+x \$dldir/$dlname'
-    postuninstall_cmds='dldll=`$SHELL 2>&1 -c '\''. $file; echo \$dlname'\''`~
-      dlpath=$dir/\$dldll~
-       $rm \$dlpath'
-    shlibpath_overrides_runpath=yes
-
-    case $host_os in
-    cygwin*)
-      # Cygwin DLLs use 'cyg' prefix rather than 'lib'
-      soname_spec='`echo ${libname} | sed -e 's/^lib/cyg/'``echo ${release} | $SED -e 's/[[.]]/-/g'`${versuffix}${shared_ext}'
-      sys_lib_search_path_spec="/usr/lib /lib/w32api /lib /usr/local/lib"
-      ;;
-    mingw*)
-      # MinGW DLLs use traditional 'lib' prefix
-      soname_spec='${libname}`echo ${release} | $SED -e 's/[[.]]/-/g'`${versuffix}${shared_ext}'
-      sys_lib_search_path_spec=`$CC -print-search-dirs | grep "^libraries:" | $SED -e "s/^libraries://" -e "s,=/,/,g"`
-      if echo "$sys_lib_search_path_spec" | [grep ';[c-zC-Z]:/' >/dev/null]; then
-        # It is most probably a Windows format PATH printed by
-        # mingw gcc, but we are running on Cygwin. Gcc prints its search
-        # path with ; separators, and with drive letters. We can handle the
-        # drive letters (cygwin fileutils understands them), so leave them,
-        # especially as we might pass files found there to a mingw objdump,
-        # which wouldn't understand a cygwinified path. Ahh.
-        sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'`
-      else
-        sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED  -e "s/$PATH_SEPARATOR/ /g"`
-      fi
-      ;;
-    pw32*)
-      # pw32 DLLs use 'pw' prefix rather than 'lib'
-      library_names_spec='`echo ${libname} | sed -e 's/^lib/pw/'``echo ${release} | $SED -e 's/[[.]]/-/g'`${versuffix}${shared_ext}'
-      ;;
-    esac
-    ;;
-
-  *)
-    library_names_spec='${libname}`echo ${release} | $SED -e 's/[[.]]/-/g'`${versuffix}${shared_ext} $libname.lib'
-    ;;
-  esac
-  dynamic_linker='Win32 ld.exe'
-  # FIXME: first we should search . and the directory the executable is in
-  shlibpath_var=PATH
-  ;;
-
-darwin* | rhapsody*)
-  dynamic_linker="$host_os dyld"
-  version_type=darwin
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${versuffix}$shared_ext ${libname}${release}${major}$shared_ext ${libname}$shared_ext'
-  soname_spec='${libname}${release}${major}$shared_ext'
-  shlibpath_overrides_runpath=yes
-  shlibpath_var=DYLD_LIBRARY_PATH
-  shrext_cmds='`test .$module = .yes && echo .so || echo .dylib`'
-  m4_if([$1], [],[
-  sys_lib_search_path_spec="$sys_lib_search_path_spec /usr/local/lib"]) 
-  sys_lib_dlsearch_path_spec='/usr/local/lib /lib /usr/lib'
-  ;;
-
-dgux*)
-  version_type=linux
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname$shared_ext'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  ;;
-
-freebsd1*)
-  dynamic_linker=no
-  ;;
-
-freebsd* | dragonfly*)
-  # DragonFly does not have aout.  When/if they implement a new
-  # versioning mechanism, adjust this.
-  if test -x /usr/bin/objformat; then
-    objformat=`/usr/bin/objformat`
-  else
-    case $host_os in
-    freebsd[[123]]*) objformat=aout ;;
-    *) objformat=elf ;;
-    esac
-  fi
-  version_type=freebsd-$objformat
-  case $version_type in
-    freebsd-elf*)
-      library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext} $libname${shared_ext}'
-      need_version=no
-      need_lib_prefix=no
-      ;;
-    freebsd-*)
-      library_names_spec='${libname}${release}${shared_ext}$versuffix $libname${shared_ext}$versuffix'
-      need_version=yes
-      ;;
-  esac
-  shlibpath_var=LD_LIBRARY_PATH
-  case $host_os in
-  freebsd2*)
-    shlibpath_overrides_runpath=yes
-    ;;
-  freebsd3.[[01]]* | freebsdelf3.[[01]]*)
-    shlibpath_overrides_runpath=yes
-    hardcode_into_libs=yes
-    ;;
-  freebsd3.[[2-9]]* | freebsdelf3.[[2-9]]* | \
-  freebsd4.[[0-5]] | freebsdelf4.[[0-5]] | freebsd4.1.1 | freebsdelf4.1.1)
-    shlibpath_overrides_runpath=no
-    hardcode_into_libs=yes
-    ;;
-  *) # from 4.6 on, and DragonFly
-    shlibpath_overrides_runpath=yes
-    hardcode_into_libs=yes
-    ;;
-  esac
-  ;;
-
-gnu*)
-  version_type=linux
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}${major} ${libname}${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  hardcode_into_libs=yes
-  ;;
-
-hpux9* | hpux10* | hpux11*)
-  # Give a soname corresponding to the major version so that dld.sl refuses to
-  # link against other versions.
-  version_type=sunos
-  need_lib_prefix=no
-  need_version=no
-  case $host_cpu in
-  ia64*)
-    shrext_cmds='.so'
-    hardcode_into_libs=yes
-    dynamic_linker="$host_os dld.so"
-    shlibpath_var=LD_LIBRARY_PATH
-    shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
-    library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-    soname_spec='${libname}${release}${shared_ext}$major'
-    if test "X$HPUX_IA64_MODE" = X32; then
-      sys_lib_search_path_spec="/usr/lib/hpux32 /usr/local/lib/hpux32 /usr/local/lib"
-    else
-      sys_lib_search_path_spec="/usr/lib/hpux64 /usr/local/lib/hpux64"
-    fi
-    sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
-    ;;
-   hppa*64*)
-     shrext_cmds='.sl'
-     hardcode_into_libs=yes
-     dynamic_linker="$host_os dld.sl"
-     shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH
-     shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
-     library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-     soname_spec='${libname}${release}${shared_ext}$major'
-     sys_lib_search_path_spec="/usr/lib/pa20_64 /usr/ccs/lib/pa20_64"
-     sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
-     ;;
-   *)
-    shrext_cmds='.sl'
-    dynamic_linker="$host_os dld.sl"
-    shlibpath_var=SHLIB_PATH
-    shlibpath_overrides_runpath=no # +s is required to enable SHLIB_PATH
-    library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-    soname_spec='${libname}${release}${shared_ext}$major'
-    ;;
-  esac
-  # HP-UX runs *really* slowly unless shared libraries are mode 555.
-  postinstall_cmds='chmod 555 $lib'
-  ;;
-
-interix[[3-9]]*)
-  version_type=linux
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  dynamic_linker='Interix 3.x ld.so.1 (PE, like ELF)'
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=no
-  hardcode_into_libs=yes
-  ;;
-
-irix5* | irix6* | nonstopux*)
-  case $host_os in
-    nonstopux*) version_type=nonstopux ;;
-    *)
-	if test "$lt_cv_prog_gnu_ld" = yes; then
-		version_type=linux
-	else
-		version_type=irix
-	fi ;;
-  esac
-  need_lib_prefix=no
-  need_version=no
-  soname_spec='${libname}${release}${shared_ext}$major'
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext} $libname${shared_ext}'
-  case $host_os in
-  irix5* | nonstopux*)
-    libsuff= shlibsuff=
-    ;;
-  *)
-    case $LD in # libtool.m4 will add one of these switches to LD
-    *-32|*"-32 "|*-melf32bsmip|*"-melf32bsmip ")
-      libsuff= shlibsuff= libmagic=32-bit;;
-    *-n32|*"-n32 "|*-melf32bmipn32|*"-melf32bmipn32 ")
-      libsuff=32 shlibsuff=N32 libmagic=N32;;
-    *-64|*"-64 "|*-melf64bmip|*"-melf64bmip ")
-      libsuff=64 shlibsuff=64 libmagic=64-bit;;
-    *) libsuff= shlibsuff= libmagic=never-match;;
-    esac
-    ;;
-  esac
-  shlibpath_var=LD_LIBRARY${shlibsuff}_PATH
-  shlibpath_overrides_runpath=no
-  sys_lib_search_path_spec="/usr/lib${libsuff} /lib${libsuff} /usr/local/lib${libsuff}"
-  sys_lib_dlsearch_path_spec="/usr/lib${libsuff} /lib${libsuff}"
-  hardcode_into_libs=yes
-  ;;
-
-# No shared lib support for Linux oldld, aout, or coff.
-linux*oldld* | linux*aout* | linux*coff*)
-  dynamic_linker=no
-  ;;
-
-# This must be Linux ELF.
-linux* | k*bsd*-gnu)
-  version_type=linux
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  finish_cmds='PATH="\$PATH:/sbin" ldconfig -n $libdir'
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=no
-  # This implies no fast_install, which is unacceptable.
-  # Some rework will be needed to allow for fast_install
-  # before this can be enabled.
-  hardcode_into_libs=yes
-
-  # Append ld.so.conf contents to the search path
-  if test -f /etc/ld.so.conf; then
-    lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \[$]2)); skip = 1; } { if (!skip) print \[$]0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ 	]*hwcap[ 	]/d;s/[:,	]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;/^$/d' | tr '\n' ' '`
-    sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
-  fi
-
-  # We used to test for /lib/ld.so.1 and disable shared libraries on
-  # powerpc, because MkLinux only supported shared libraries with the
-  # GNU dynamic linker.  Since this was broken with cross compilers,
-  # most powerpc-linux boxes support dynamic linking these days and
-  # people can always --disable-shared, the test was removed, and we
-  # assume the GNU/Linux dynamic linker is in use.
-  dynamic_linker='GNU/Linux ld.so'
-  ;;
-
-netbsdelf*-gnu)
-  version_type=linux
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=no
-  hardcode_into_libs=yes
-  dynamic_linker='NetBSD ld.elf_so'
-  ;;
-
-netbsd*)
-  version_type=sunos
-  need_lib_prefix=no
-  need_version=no
-  if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
-    library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
-    finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
-    dynamic_linker='NetBSD (a.out) ld.so'
-  else
-    library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
-    soname_spec='${libname}${release}${shared_ext}$major'
-    dynamic_linker='NetBSD ld.elf_so'
-  fi
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=yes
-  hardcode_into_libs=yes
-  ;;
-
-newsos6)
-  version_type=linux
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=yes
-  ;;
-
-nto-qnx*)
-  version_type=linux
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=yes
-  ;;
-
-openbsd*)
-  version_type=sunos
-  sys_lib_dlsearch_path_spec="/usr/lib"
-  need_lib_prefix=no
-  # Some older versions of OpenBSD (3.3 at least) *do* need versioned libs.
-  case $host_os in
-    openbsd3.3 | openbsd3.3.*) need_version=yes ;;
-    *)                         need_version=no  ;;
-  esac
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
-  finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
-  shlibpath_var=LD_LIBRARY_PATH
-  if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
-    case $host_os in
-      openbsd2.[[89]] | openbsd2.[[89]].*)
-	shlibpath_overrides_runpath=no
-	;;
-      *)
-	shlibpath_overrides_runpath=yes
-	;;
-      esac
-  else
-    shlibpath_overrides_runpath=yes
-  fi
-  ;;
-
-os2*)
-  libname_spec='$name'
-  shrext_cmds=".dll"
-  need_lib_prefix=no
-  library_names_spec='$libname${shared_ext} $libname.a'
-  dynamic_linker='OS/2 ld.exe'
-  shlibpath_var=LIBPATH
-  ;;
-
-osf3* | osf4* | osf5*)
-  version_type=osf
-  need_lib_prefix=no
-  need_version=no
-  soname_spec='${libname}${release}${shared_ext}$major'
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-  shlibpath_var=LD_LIBRARY_PATH
-  sys_lib_search_path_spec="/usr/shlib /usr/ccs/lib /usr/lib/cmplrs/cc /usr/lib /usr/local/lib /var/shlib"
-  sys_lib_dlsearch_path_spec="$sys_lib_search_path_spec"
-  ;;
-
-rdos*)
-  dynamic_linker=no
-  ;;
-
-solaris*)
-  version_type=linux
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=yes
-  hardcode_into_libs=yes
-  # ldd complains unless libraries are executable
-  postinstall_cmds='chmod +x $lib'
-  ;;
-
-sunos4*)
-  version_type=sunos
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
-  finish_cmds='PATH="\$PATH:/usr/etc" ldconfig $libdir'
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=yes
-  if test "$with_gnu_ld" = yes; then
-    need_lib_prefix=no
-  fi
-  need_version=yes
-  ;;
-
-sysv4 | sysv4.3*)
-  version_type=linux
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  case $host_vendor in
-    sni)
-      shlibpath_overrides_runpath=no
-      need_lib_prefix=no
-      export_dynamic_flag_spec='${wl}-Blargedynsym'
-      runpath_var=LD_RUN_PATH
-      ;;
-    siemens)
-      need_lib_prefix=no
-      ;;
-    motorola)
-      need_lib_prefix=no
-      need_version=no
-      shlibpath_overrides_runpath=no
-      sys_lib_search_path_spec='/lib /usr/lib /usr/ccs/lib'
-      ;;
-  esac
-  ;;
-
-sysv4*MP*)
-  if test -d /usr/nec ;then
-    version_type=linux
-    library_names_spec='$libname${shared_ext}.$versuffix $libname${shared_ext}.$major $libname${shared_ext}'
-    soname_spec='$libname${shared_ext}.$major'
-    shlibpath_var=LD_LIBRARY_PATH
-  fi
-  ;;
-
-sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX* | sysv4*uw2*)
-  version_type=freebsd-elf
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext} $libname${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  hardcode_into_libs=yes
-  if test "$with_gnu_ld" = yes; then
-    sys_lib_search_path_spec='/usr/local/lib /usr/gnu/lib /usr/ccs/lib /usr/lib /lib'
-    shlibpath_overrides_runpath=no
-  else
-    sys_lib_search_path_spec='/usr/ccs/lib /usr/lib'
-    shlibpath_overrides_runpath=yes
-    case $host_os in
-      sco3.2v5*)
-        sys_lib_search_path_spec="$sys_lib_search_path_spec /lib"
-	;;
-    esac
-  fi
-  sys_lib_dlsearch_path_spec='/usr/lib'
-  ;;
-
-uts4*)
-  version_type=linux
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  ;;
-
-*)
-  dynamic_linker=no
-  ;;
-esac
-AC_MSG_RESULT([$dynamic_linker])
-test "$dynamic_linker" = no && can_build_shared=no
-
-AC_CACHE_VAL([lt_cv_sys_lib_search_path_spec],
-[lt_cv_sys_lib_search_path_spec="$sys_lib_search_path_spec"])
-sys_lib_search_path_spec="$lt_cv_sys_lib_search_path_spec"
-AC_CACHE_VAL([lt_cv_sys_lib_dlsearch_path_spec],
-[lt_cv_sys_lib_dlsearch_path_spec="$sys_lib_dlsearch_path_spec"])
-sys_lib_dlsearch_path_spec="$lt_cv_sys_lib_dlsearch_path_spec"
-
-variables_saved_for_relink="PATH $shlibpath_var $runpath_var"
-if test "$GCC" = yes; then
-  variables_saved_for_relink="$variables_saved_for_relink GCC_EXEC_PREFIX COMPILER_PATH LIBRARY_PATH"
-fi
-])# AC_LIBTOOL_SYS_DYNAMIC_LINKER
-
-
-# _LT_AC_TAGCONFIG
-# ----------------
-AC_DEFUN([_LT_AC_TAGCONFIG],
-[AC_REQUIRE([LT_AC_PROG_SED])dnl
-AC_ARG_WITH([tags],
-    [AC_HELP_STRING([--with-tags@<:@=TAGS@:>@],
-        [include additional configurations @<:@automatic@:>@])],
-    [tagnames="$withval"])
-
-if test -f "$ltmain" && test -n "$tagnames"; then
-  if test ! -f "${ofile}"; then
-    AC_MSG_WARN([output file `$ofile' does not exist])
-  fi
-
-  if test -z "$LTCC"; then
-    eval "`$SHELL ${ofile} --config | grep '^LTCC='`"
-    if test -z "$LTCC"; then
-      AC_MSG_WARN([output file `$ofile' does not look like a libtool script])
-    else
-      AC_MSG_WARN([using `LTCC=$LTCC', extracted from `$ofile'])
-    fi
-  fi
-  if test -z "$LTCFLAGS"; then
-    eval "`$SHELL ${ofile} --config | grep '^LTCFLAGS='`"
-  fi
-
-  # Extract list of available tagged configurations in $ofile.
-  # Note that this assumes the entire list is on one line.
-  available_tags=`grep "^available_tags=" "${ofile}" | $SED -e 's/available_tags=\(.*$\)/\1/' -e 's/\"//g'`
-
-  lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR,"
-  for tagname in $tagnames; do
-    IFS="$lt_save_ifs"
-    # Check whether tagname contains only valid characters
-    case `$echo "X$tagname" | $Xsed -e 's:[[-_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890,/]]::g'` in
-    "") ;;
-    *)  AC_MSG_ERROR([invalid tag name: $tagname])
-	;;
-    esac
-
-    if grep "^# ### BEGIN LIBTOOL TAG CONFIG: $tagname$" < "${ofile}" > /dev/null
-    then
-      AC_MSG_ERROR([tag name \"$tagname\" already exists])
-    fi
-
-    # Update the list of available tags.
-    if test -n "$tagname"; then
-      echo appending configuration tag \"$tagname\" to $ofile
-
-      case $tagname in
-      CXX)
-	if test -n "$CXX" && ( test "X$CXX" != "Xno" &&
-	    ( (test "X$CXX" = "Xg++" && `g++ -v >/dev/null 2>&1` ) ||
-	    (test "X$CXX" != "Xg++"))) ; then
-	  AC_LIBTOOL_LANG_CXX_CONFIG
-	else
-	  tagname=""
-	fi
-	;;
-
-      F77)
-	if test -n "$F77" && test "X$F77" != "Xno"; then
-	  AC_LIBTOOL_LANG_F77_CONFIG
-	else
-	  tagname=""
-	fi
-	;;
-
-      GCJ)
-	if test -n "$GCJ" && test "X$GCJ" != "Xno"; then
-	  AC_LIBTOOL_LANG_GCJ_CONFIG
-	else
-	  tagname=""
-	fi
-	;;
-
-      RC)
-	AC_LIBTOOL_LANG_RC_CONFIG
-	;;
-
-      *)
-	AC_MSG_ERROR([Unsupported tag name: $tagname])
-	;;
-      esac
-
-      # Append the new tag name to the list of available tags.
-      if test -n "$tagname" ; then
-      available_tags="$available_tags $tagname"
-    fi
-    fi
-  done
-  IFS="$lt_save_ifs"
-
-  # Now substitute the updated list of available tags.
-  if eval "sed -e 's/^available_tags=.*\$/available_tags=\"$available_tags\"/' \"$ofile\" > \"${ofile}T\""; then
-    mv "${ofile}T" "$ofile"
-    chmod +x "$ofile"
-  else
-    rm -f "${ofile}T"
-    AC_MSG_ERROR([unable to update list of available tagged configurations.])
-  fi
-fi
-])# _LT_AC_TAGCONFIG
-
-
-# AC_LIBTOOL_DLOPEN
-# -----------------
-# enable checks for dlopen support
-AC_DEFUN([AC_LIBTOOL_DLOPEN],
- [AC_BEFORE([$0],[AC_LIBTOOL_SETUP])
-])# AC_LIBTOOL_DLOPEN
-
-
-# AC_LIBTOOL_WIN32_DLL
-# --------------------
-# declare package support for building win32 DLLs
-AC_DEFUN([AC_LIBTOOL_WIN32_DLL],
-[AC_BEFORE([$0], [AC_LIBTOOL_SETUP])
-])# AC_LIBTOOL_WIN32_DLL
-
-
-# AC_ENABLE_SHARED([DEFAULT])
-# ---------------------------
-# implement the --enable-shared flag
-# DEFAULT is either `yes' or `no'.  If omitted, it defaults to `yes'.
-AC_DEFUN([AC_ENABLE_SHARED],
-[define([AC_ENABLE_SHARED_DEFAULT], ifelse($1, no, no, yes))dnl
-AC_ARG_ENABLE([shared],
-    [AC_HELP_STRING([--enable-shared@<:@=PKGS@:>@],
-	[build shared libraries @<:@default=]AC_ENABLE_SHARED_DEFAULT[@:>@])],
-    [p=${PACKAGE-default}
-    case $enableval in
-    yes) enable_shared=yes ;;
-    no) enable_shared=no ;;
-    *)
-      enable_shared=no
-      # Look at the argument we got.  We use all the common list separators.
-      lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR,"
-      for pkg in $enableval; do
-	IFS="$lt_save_ifs"
-	if test "X$pkg" = "X$p"; then
-	  enable_shared=yes
-	fi
-      done
-      IFS="$lt_save_ifs"
-      ;;
-    esac],
-    [enable_shared=]AC_ENABLE_SHARED_DEFAULT)
-])# AC_ENABLE_SHARED
-
-
-# AC_DISABLE_SHARED
-# -----------------
-# set the default shared flag to --disable-shared
-AC_DEFUN([AC_DISABLE_SHARED],
-[AC_BEFORE([$0],[AC_LIBTOOL_SETUP])dnl
-AC_ENABLE_SHARED(no)
-])# AC_DISABLE_SHARED
-
-
-# AC_ENABLE_STATIC([DEFAULT])
-# ---------------------------
-# implement the --enable-static flag
-# DEFAULT is either `yes' or `no'.  If omitted, it defaults to `yes'.
-AC_DEFUN([AC_ENABLE_STATIC],
-[define([AC_ENABLE_STATIC_DEFAULT], ifelse($1, no, no, yes))dnl
-AC_ARG_ENABLE([static],
-    [AC_HELP_STRING([--enable-static@<:@=PKGS@:>@],
-	[build static libraries @<:@default=]AC_ENABLE_STATIC_DEFAULT[@:>@])],
-    [p=${PACKAGE-default}
-    case $enableval in
-    yes) enable_static=yes ;;
-    no) enable_static=no ;;
-    *)
-     enable_static=no
-      # Look at the argument we got.  We use all the common list separators.
-      lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR,"
-      for pkg in $enableval; do
-	IFS="$lt_save_ifs"
-	if test "X$pkg" = "X$p"; then
-	  enable_static=yes
-	fi
-      done
-      IFS="$lt_save_ifs"
-      ;;
-    esac],
-    [enable_static=]AC_ENABLE_STATIC_DEFAULT)
-])# AC_ENABLE_STATIC
-
-
-# AC_DISABLE_STATIC
-# -----------------
-# set the default static flag to --disable-static
-AC_DEFUN([AC_DISABLE_STATIC],
-[AC_BEFORE([$0],[AC_LIBTOOL_SETUP])dnl
-AC_ENABLE_STATIC(no)
-])# AC_DISABLE_STATIC
-
-
-# AC_ENABLE_FAST_INSTALL([DEFAULT])
-# ---------------------------------
-# implement the --enable-fast-install flag
-# DEFAULT is either `yes' or `no'.  If omitted, it defaults to `yes'.
-AC_DEFUN([AC_ENABLE_FAST_INSTALL],
-[define([AC_ENABLE_FAST_INSTALL_DEFAULT], ifelse($1, no, no, yes))dnl
-AC_ARG_ENABLE([fast-install],
-    [AC_HELP_STRING([--enable-fast-install@<:@=PKGS@:>@],
-    [optimize for fast installation @<:@default=]AC_ENABLE_FAST_INSTALL_DEFAULT[@:>@])],
-    [p=${PACKAGE-default}
-    case $enableval in
-    yes) enable_fast_install=yes ;;
-    no) enable_fast_install=no ;;
-    *)
-      enable_fast_install=no
-      # Look at the argument we got.  We use all the common list separators.
-      lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR,"
-      for pkg in $enableval; do
-	IFS="$lt_save_ifs"
-	if test "X$pkg" = "X$p"; then
-	  enable_fast_install=yes
-	fi
-      done
-      IFS="$lt_save_ifs"
-      ;;
-    esac],
-    [enable_fast_install=]AC_ENABLE_FAST_INSTALL_DEFAULT)
-])# AC_ENABLE_FAST_INSTALL
-
-
-# AC_DISABLE_FAST_INSTALL
-# -----------------------
-# set the default to --disable-fast-install
-AC_DEFUN([AC_DISABLE_FAST_INSTALL],
-[AC_BEFORE([$0],[AC_LIBTOOL_SETUP])dnl
-AC_ENABLE_FAST_INSTALL(no)
-])# AC_DISABLE_FAST_INSTALL
-
-
-# AC_LIBTOOL_PICMODE([MODE])
-# --------------------------
-# implement the --with-pic flag
-# MODE is either `yes' or `no'.  If omitted, it defaults to `both'.
-AC_DEFUN([AC_LIBTOOL_PICMODE],
-[AC_BEFORE([$0],[AC_LIBTOOL_SETUP])dnl
-pic_mode=ifelse($#,1,$1,default)
-])# AC_LIBTOOL_PICMODE
-
-
-# AC_PROG_EGREP
-# -------------
-# This is predefined starting with Autoconf 2.54, so this conditional
-# definition can be removed once we require Autoconf 2.54 or later.
-m4_ifndef([AC_PROG_EGREP], [AC_DEFUN([AC_PROG_EGREP],
-[AC_CACHE_CHECK([for egrep], [ac_cv_prog_egrep],
-   [if echo a | (grep -E '(a|b)') >/dev/null 2>&1
-    then ac_cv_prog_egrep='grep -E'
-    else ac_cv_prog_egrep='egrep'
-    fi])
- EGREP=$ac_cv_prog_egrep
- AC_SUBST([EGREP])
-])])
-
-
-# AC_PATH_TOOL_PREFIX
-# -------------------
-# find a file program which can recognize shared library
-AC_DEFUN([AC_PATH_TOOL_PREFIX],
-[AC_REQUIRE([AC_PROG_EGREP])dnl
-AC_MSG_CHECKING([for $1])
-AC_CACHE_VAL(lt_cv_path_MAGIC_CMD,
-[case $MAGIC_CMD in
-[[\\/*] |  ?:[\\/]*])
-  lt_cv_path_MAGIC_CMD="$MAGIC_CMD" # Let the user override the test with a path.
-  ;;
-*)
-  lt_save_MAGIC_CMD="$MAGIC_CMD"
-  lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR
-dnl $ac_dummy forces splitting on constant user-supplied paths.
-dnl POSIX.2 word splitting is done only on the output of word expansions,
-dnl not every word.  This closes a longstanding sh security hole.
-  ac_dummy="ifelse([$2], , $PATH, [$2])"
-  for ac_dir in $ac_dummy; do
-    IFS="$lt_save_ifs"
-    test -z "$ac_dir" && ac_dir=.
-    if test -f $ac_dir/$1; then
-      lt_cv_path_MAGIC_CMD="$ac_dir/$1"
-      if test -n "$file_magic_test_file"; then
-	case $deplibs_check_method in
-	"file_magic "*)
-	  file_magic_regex=`expr "$deplibs_check_method" : "file_magic \(.*\)"`
-	  MAGIC_CMD="$lt_cv_path_MAGIC_CMD"
-	  if eval $file_magic_cmd \$file_magic_test_file 2> /dev/null |
-	    $EGREP "$file_magic_regex" > /dev/null; then
-	    :
-	  else
-	    cat <<EOF 1>&2
-
-*** Warning: the command libtool uses to detect shared libraries,
-*** $file_magic_cmd, produces output that libtool cannot recognize.
-*** The result is that libtool may fail to recognize shared libraries
-*** as such.  This will affect the creation of libtool libraries that
-*** depend on shared libraries, but programs linked with such libtool
-*** libraries will work regardless of this problem.  Nevertheless, you
-*** may want to report the problem to your system manager and/or to
-*** bug-libtool@gnu.org
-
-EOF
-	  fi ;;
-	esac
-      fi
-      break
-    fi
-  done
-  IFS="$lt_save_ifs"
-  MAGIC_CMD="$lt_save_MAGIC_CMD"
-  ;;
-esac])
-MAGIC_CMD="$lt_cv_path_MAGIC_CMD"
-if test -n "$MAGIC_CMD"; then
-  AC_MSG_RESULT($MAGIC_CMD)
-else
-  AC_MSG_RESULT(no)
-fi
-])# AC_PATH_TOOL_PREFIX
-
-
-# AC_PATH_MAGIC
-# -------------
-# find a file program which can recognize a shared library
-AC_DEFUN([AC_PATH_MAGIC],
-[AC_PATH_TOOL_PREFIX(${ac_tool_prefix}file, /usr/bin$PATH_SEPARATOR$PATH)
-if test -z "$lt_cv_path_MAGIC_CMD"; then
-  if test -n "$ac_tool_prefix"; then
-    AC_PATH_TOOL_PREFIX(file, /usr/bin$PATH_SEPARATOR$PATH)
-  else
-    MAGIC_CMD=:
-  fi
-fi
-])# AC_PATH_MAGIC
-
-
-# AC_PROG_LD
-# ----------
-# find the pathname to the GNU or non-GNU linker
-AC_DEFUN([AC_PROG_LD],
-[AC_ARG_WITH([gnu-ld],
-    [AC_HELP_STRING([--with-gnu-ld],
-	[assume the C compiler uses GNU ld @<:@default=no@:>@])],
-    [test "$withval" = no || with_gnu_ld=yes],
-    [with_gnu_ld=no])
-AC_REQUIRE([LT_AC_PROG_SED])dnl
-AC_REQUIRE([AC_PROG_CC])dnl
-AC_REQUIRE([AC_CANONICAL_HOST])dnl
-AC_REQUIRE([AC_CANONICAL_BUILD])dnl
-ac_prog=ld
-if test "$GCC" = yes; then
-  # Check if gcc -print-prog-name=ld gives a path.
-  AC_MSG_CHECKING([for ld used by $CC])
-  case $host in
-  *-*-mingw*)
-    # gcc leaves a trailing carriage return which upsets mingw
-    ac_prog=`($CC -print-prog-name=ld) 2>&5 | tr -d '\015'` ;;
-  *)
-    ac_prog=`($CC -print-prog-name=ld) 2>&5` ;;
-  esac
-  case $ac_prog in
-    # Accept absolute paths.
-    [[\\/]]* | ?:[[\\/]]*)
-      re_direlt='/[[^/]][[^/]]*/\.\./'
-      # Canonicalize the pathname of ld
-      ac_prog=`echo $ac_prog| $SED 's%\\\\%/%g'`
-      while echo $ac_prog | grep "$re_direlt" > /dev/null 2>&1; do
-	ac_prog=`echo $ac_prog| $SED "s%$re_direlt%/%"`
-      done
-      test -z "$LD" && LD="$ac_prog"
-      ;;
-  "")
-    # If it fails, then pretend we aren't using GCC.
-    ac_prog=ld
-    ;;
-  *)
-    # If it is relative, then search for the first ld in PATH.
-    with_gnu_ld=unknown
-    ;;
-  esac
-elif test "$with_gnu_ld" = yes; then
-  AC_MSG_CHECKING([for GNU ld])
-else
-  AC_MSG_CHECKING([for non-GNU ld])
-fi
-AC_CACHE_VAL(lt_cv_path_LD,
-[if test -z "$LD"; then
-  lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR
-  for ac_dir in $PATH; do
-    IFS="$lt_save_ifs"
-    test -z "$ac_dir" && ac_dir=.
-    if test -f "$ac_dir/$ac_prog" || test -f "$ac_dir/$ac_prog$ac_exeext"; then
-      lt_cv_path_LD="$ac_dir/$ac_prog"
-      # Check to see if the program is GNU ld.  I'd rather use --version,
-      # but apparently some variants of GNU ld only accept -v.
-      # Break only if it was the GNU/non-GNU ld that we prefer.
-      case `"$lt_cv_path_LD" -v 2>&1 </dev/null` in
-      *GNU* | *'with BFD'*)
-	test "$with_gnu_ld" != no && break
-	;;
-      *)
-	test "$with_gnu_ld" != yes && break
-	;;
-      esac
-    fi
-  done
-  IFS="$lt_save_ifs"
-else
-  lt_cv_path_LD="$LD" # Let the user override the test with a path.
-fi])
-LD="$lt_cv_path_LD"
-if test -n "$LD"; then
-  AC_MSG_RESULT($LD)
-else
-  AC_MSG_RESULT(no)
-fi
-test -z "$LD" && AC_MSG_ERROR([no acceptable ld found in \$PATH])
-AC_PROG_LD_GNU
-])# AC_PROG_LD
-
-
-# AC_PROG_LD_GNU
-# --------------
-AC_DEFUN([AC_PROG_LD_GNU],
-[AC_REQUIRE([AC_PROG_EGREP])dnl
-AC_CACHE_CHECK([if the linker ($LD) is GNU ld], lt_cv_prog_gnu_ld,
-[# I'd rather use --version here, but apparently some GNU lds only accept -v.
-case `$LD -v 2>&1 </dev/null` in
-*GNU* | *'with BFD'*)
-  lt_cv_prog_gnu_ld=yes
-  ;;
-*)
-  lt_cv_prog_gnu_ld=no
-  ;;
-esac])
-with_gnu_ld=$lt_cv_prog_gnu_ld
-])# AC_PROG_LD_GNU
-
-
-# AC_PROG_LD_RELOAD_FLAG
-# ----------------------
-# find reload flag for linker
-#   -- PORTME Some linkers may need a different reload flag.
-AC_DEFUN([AC_PROG_LD_RELOAD_FLAG],
-[AC_CACHE_CHECK([for $LD option to reload object files],
-  lt_cv_ld_reload_flag,
-  [lt_cv_ld_reload_flag='-r'])
-reload_flag=$lt_cv_ld_reload_flag
-case $reload_flag in
-"" | " "*) ;;
-*) reload_flag=" $reload_flag" ;;
-esac
-reload_cmds='$LD$reload_flag -o $output$reload_objs'
-case $host_os in
-  darwin*)
-    if test "$GCC" = yes; then
-      reload_cmds='$LTCC $LTCFLAGS -nostdlib ${wl}-r -o $output$reload_objs'
-    else
-      reload_cmds='$LD$reload_flag -o $output$reload_objs'
-    fi
-    ;;
-esac
-])# AC_PROG_LD_RELOAD_FLAG
-
-
-# AC_DEPLIBS_CHECK_METHOD
-# -----------------------
-# how to check for library dependencies
-#  -- PORTME fill in with the dynamic library characteristics
-AC_DEFUN([AC_DEPLIBS_CHECK_METHOD],
-[AC_CACHE_CHECK([how to recognize dependent libraries],
-lt_cv_deplibs_check_method,
-[lt_cv_file_magic_cmd='$MAGIC_CMD'
-lt_cv_file_magic_test_file=
-lt_cv_deplibs_check_method='unknown'
-# Need to set the preceding variable on all platforms that support
-# interlibrary dependencies.
-# 'none' -- dependencies not supported.
-# `unknown' -- same as none, but documents that we really don't know.
-# 'pass_all' -- all dependencies passed with no checks.
-# 'test_compile' -- check by making test program.
-# 'file_magic [[regex]]' -- check by looking for files in library path
-# which responds to the $file_magic_cmd with a given extended regex.
-# If you have `file' or equivalent on your system and you're not sure
-# whether `pass_all' will *always* work, you probably want this one.
-
-case $host_os in
-aix[[4-9]]*)
-  lt_cv_deplibs_check_method=pass_all
-  ;;
-
-beos*)
-  lt_cv_deplibs_check_method=pass_all
-  ;;
-
-bsdi[[45]]*)
-  lt_cv_deplibs_check_method='file_magic ELF [[0-9]][[0-9]]*-bit [[ML]]SB (shared object|dynamic lib)'
-  lt_cv_file_magic_cmd='/usr/bin/file -L'
-  lt_cv_file_magic_test_file=/shlib/libc.so
-  ;;
-
-cygwin*)
-  # func_win32_libid is a shell function defined in ltmain.sh
-  lt_cv_deplibs_check_method='file_magic ^x86 archive import|^x86 DLL'
-  lt_cv_file_magic_cmd='func_win32_libid'
-  ;;
-
-mingw* | pw32*)
-  # Base MSYS/MinGW do not provide the 'file' command needed by
-  # func_win32_libid shell function, so use a weaker test based on 'objdump',
-  # unless we find 'file', for example because we are cross-compiling.
-  if ( file / ) >/dev/null 2>&1; then
-    lt_cv_deplibs_check_method='file_magic ^x86 archive import|^x86 DLL'
-    lt_cv_file_magic_cmd='func_win32_libid'
-  else
-    lt_cv_deplibs_check_method='file_magic file format pei*-i386(.*architecture: i386)?'
-    lt_cv_file_magic_cmd='$OBJDUMP -f'
-  fi
-  ;;
-
-darwin* | rhapsody*)
-  lt_cv_deplibs_check_method=pass_all
-  ;;
-
-freebsd* | dragonfly*)
-  if echo __ELF__ | $CC -E - | grep __ELF__ > /dev/null; then
-    case $host_cpu in
-    i*86 )
-      # Not sure whether the presence of OpenBSD here was a mistake.
-      # Let's accept both of them until this is cleared up.
-      lt_cv_deplibs_check_method='file_magic (FreeBSD|OpenBSD|DragonFly)/i[[3-9]]86 (compact )?demand paged shared library'
-      lt_cv_file_magic_cmd=/usr/bin/file
-      lt_cv_file_magic_test_file=`echo /usr/lib/libc.so.*`
-      ;;
-    esac
-  else
-    lt_cv_deplibs_check_method=pass_all
-  fi
-  ;;
-
-gnu*)
-  lt_cv_deplibs_check_method=pass_all
-  ;;
-
-hpux10.20* | hpux11*)
-  lt_cv_file_magic_cmd=/usr/bin/file
-  case $host_cpu in
-  ia64*)
-    lt_cv_deplibs_check_method='file_magic (s[[0-9]][[0-9]][[0-9]]|ELF-[[0-9]][[0-9]]) shared object file - IA64'
-    lt_cv_file_magic_test_file=/usr/lib/hpux32/libc.so
-    ;;
-  hppa*64*)
-    [lt_cv_deplibs_check_method='file_magic (s[0-9][0-9][0-9]|ELF-[0-9][0-9]) shared object file - PA-RISC [0-9].[0-9]']
-    lt_cv_file_magic_test_file=/usr/lib/pa20_64/libc.sl
-    ;;
-  *)
-    lt_cv_deplibs_check_method='file_magic (s[[0-9]][[0-9]][[0-9]]|PA-RISC[[0-9]].[[0-9]]) shared library'
-    lt_cv_file_magic_test_file=/usr/lib/libc.sl
-    ;;
-  esac
-  ;;
-
-interix[[3-9]]*)
-  # PIC code is broken on Interix 3.x, that's why |\.a not |_pic\.a here
-  lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so|\.a)$'
-  ;;
-
-irix5* | irix6* | nonstopux*)
-  case $LD in
-  *-32|*"-32 ") libmagic=32-bit;;
-  *-n32|*"-n32 ") libmagic=N32;;
-  *-64|*"-64 ") libmagic=64-bit;;
-  *) libmagic=never-match;;
-  esac
-  lt_cv_deplibs_check_method=pass_all
-  ;;
-
-# This must be Linux ELF.
-linux* | k*bsd*-gnu)
-  lt_cv_deplibs_check_method=pass_all
-  ;;
-
-netbsd* | netbsdelf*-gnu)
-  if echo __ELF__ | $CC -E - | grep __ELF__ > /dev/null; then
-    lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so\.[[0-9]]+\.[[0-9]]+|_pic\.a)$'
-  else
-    lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so|_pic\.a)$'
-  fi
-  ;;
-
-newos6*)
-  lt_cv_deplibs_check_method='file_magic ELF [[0-9]][[0-9]]*-bit [[ML]]SB (executable|dynamic lib)'
-  lt_cv_file_magic_cmd=/usr/bin/file
-  lt_cv_file_magic_test_file=/usr/lib/libnls.so
-  ;;
-
-nto-qnx*)
-  lt_cv_deplibs_check_method=unknown
-  ;;
-
-openbsd*)
-  if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
-    lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so\.[[0-9]]+\.[[0-9]]+|\.so|_pic\.a)$'
-  else
-    lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so\.[[0-9]]+\.[[0-9]]+|_pic\.a)$'
-  fi
-  ;;
-
-osf3* | osf4* | osf5*)
-  lt_cv_deplibs_check_method=pass_all
-  ;;
-
-rdos*)
-  lt_cv_deplibs_check_method=pass_all
-  ;;
-
-solaris*)
-  lt_cv_deplibs_check_method=pass_all
-  ;;
-
-sysv4 | sysv4.3*)
-  case $host_vendor in
-  motorola)
-    lt_cv_deplibs_check_method='file_magic ELF [[0-9]][[0-9]]*-bit [[ML]]SB (shared object|dynamic lib) M[[0-9]][[0-9]]* Version [[0-9]]'
-    lt_cv_file_magic_test_file=`echo /usr/lib/libc.so*`
-    ;;
-  ncr)
-    lt_cv_deplibs_check_method=pass_all
-    ;;
-  sequent)
-    lt_cv_file_magic_cmd='/bin/file'
-    lt_cv_deplibs_check_method='file_magic ELF [[0-9]][[0-9]]*-bit [[LM]]SB (shared object|dynamic lib )'
-    ;;
-  sni)
-    lt_cv_file_magic_cmd='/bin/file'
-    lt_cv_deplibs_check_method="file_magic ELF [[0-9]][[0-9]]*-bit [[LM]]SB dynamic lib"
-    lt_cv_file_magic_test_file=/lib/libc.so
-    ;;
-  siemens)
-    lt_cv_deplibs_check_method=pass_all
-    ;;
-  pc)
-    lt_cv_deplibs_check_method=pass_all
-    ;;
-  esac
-  ;;
-
-sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX* | sysv4*uw2*)
-  lt_cv_deplibs_check_method=pass_all
-  ;;
-esac
-])
-file_magic_cmd=$lt_cv_file_magic_cmd
-deplibs_check_method=$lt_cv_deplibs_check_method
-test -z "$deplibs_check_method" && deplibs_check_method=unknown
-])# AC_DEPLIBS_CHECK_METHOD
-
-
-# AC_PROG_NM
-# ----------
-# find the pathname to a BSD-compatible name lister
-AC_DEFUN([AC_PROG_NM],
-[AC_CACHE_CHECK([for BSD-compatible nm], lt_cv_path_NM,
-[if test -n "$NM"; then
-  # Let the user override the test.
-  lt_cv_path_NM="$NM"
-else
-  lt_nm_to_check="${ac_tool_prefix}nm"
-  if test -n "$ac_tool_prefix" && test "$build" = "$host"; then
-    lt_nm_to_check="$lt_nm_to_check nm"
-  fi
-  for lt_tmp_nm in $lt_nm_to_check; do
-    lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR
-    for ac_dir in $PATH /usr/ccs/bin/elf /usr/ccs/bin /usr/ucb /bin; do
-      IFS="$lt_save_ifs"
-      test -z "$ac_dir" && ac_dir=.
-      tmp_nm="$ac_dir/$lt_tmp_nm"
-      if test -f "$tmp_nm" || test -f "$tmp_nm$ac_exeext" ; then
-	# Check to see if the nm accepts a BSD-compat flag.
-	# Adding the `sed 1q' prevents false positives on HP-UX, which says:
-	#   nm: unknown option "B" ignored
-	# Tru64's nm complains that /dev/null is an invalid object file
-	case `"$tmp_nm" -B /dev/null 2>&1 | sed '1q'` in
-	*/dev/null* | *'Invalid file or object type'*)
-	  lt_cv_path_NM="$tmp_nm -B"
-	  break
-	  ;;
-	*)
-	  case `"$tmp_nm" -p /dev/null 2>&1 | sed '1q'` in
-	  */dev/null*)
-	    lt_cv_path_NM="$tmp_nm -p"
-	    break
-	    ;;
-	  *)
-	    lt_cv_path_NM=${lt_cv_path_NM="$tmp_nm"} # keep the first match, but
-	    continue # so that we can try to find one that supports BSD flags
-	    ;;
-	  esac
-	  ;;
-	esac
-      fi
-    done
-    IFS="$lt_save_ifs"
-  done
-  test -z "$lt_cv_path_NM" && lt_cv_path_NM=nm
-fi])
-NM="$lt_cv_path_NM"
-])# AC_PROG_NM
-
-
-# AC_CHECK_LIBM
-# -------------
-# check for math library
-AC_DEFUN([AC_CHECK_LIBM],
-[AC_REQUIRE([AC_CANONICAL_HOST])dnl
-LIBM=
-case $host in
-*-*-beos* | *-*-cygwin* | *-*-pw32* | *-*-darwin*)
-  # These system don't have libm, or don't need it
-  ;;
-*-ncr-sysv4.3*)
-  AC_CHECK_LIB(mw, _mwvalidcheckl, LIBM="-lmw")
-  AC_CHECK_LIB(m, cos, LIBM="$LIBM -lm")
-  ;;
-*)
-  AC_CHECK_LIB(m, cos, LIBM="-lm")
-  ;;
-esac
-])# AC_CHECK_LIBM
-
-
-# AC_LIBLTDL_CONVENIENCE([DIRECTORY])
-# -----------------------------------
-# sets LIBLTDL to the link flags for the libltdl convenience library and
-# LTDLINCL to the include flags for the libltdl header and adds
-# --enable-ltdl-convenience to the configure arguments.  Note that
-# AC_CONFIG_SUBDIRS is not called here.  If DIRECTORY is not provided,
-# it is assumed to be `libltdl'.  LIBLTDL will be prefixed with
-# '${top_builddir}/' and LTDLINCL will be prefixed with '${top_srcdir}/'
-# (note the single quotes!).  If your package is not flat and you're not
-# using automake, define top_builddir and top_srcdir appropriately in
-# the Makefiles.
-AC_DEFUN([AC_LIBLTDL_CONVENIENCE],
-[AC_BEFORE([$0],[AC_LIBTOOL_SETUP])dnl
-  case $enable_ltdl_convenience in
-  no) AC_MSG_ERROR([this package needs a convenience libltdl]) ;;
-  "") enable_ltdl_convenience=yes
-      ac_configure_args="$ac_configure_args --enable-ltdl-convenience" ;;
-  esac
-  LIBLTDL='${top_builddir}/'ifelse($#,1,[$1],['libltdl'])/libltdlc.la
-  LTDLINCL='-I${top_srcdir}/'ifelse($#,1,[$1],['libltdl'])
-  # For backwards non-gettext consistent compatibility...
-  INCLTDL="$LTDLINCL"
-])# AC_LIBLTDL_CONVENIENCE
-
-
-# AC_LIBLTDL_INSTALLABLE([DIRECTORY])
-# -----------------------------------
-# sets LIBLTDL to the link flags for the libltdl installable library and
-# LTDLINCL to the include flags for the libltdl header and adds
-# --enable-ltdl-install to the configure arguments.  Note that
-# AC_CONFIG_SUBDIRS is not called here.  If DIRECTORY is not provided,
-# and an installed libltdl is not found, it is assumed to be `libltdl'.
-# LIBLTDL will be prefixed with '${top_builddir}/'# and LTDLINCL with
-# '${top_srcdir}/' (note the single quotes!).  If your package is not
-# flat and you're not using automake, define top_builddir and top_srcdir
-# appropriately in the Makefiles.
-# In the future, this macro may have to be called after AC_PROG_LIBTOOL.
-AC_DEFUN([AC_LIBLTDL_INSTALLABLE],
-[AC_BEFORE([$0],[AC_LIBTOOL_SETUP])dnl
-  AC_CHECK_LIB(ltdl, lt_dlinit,
-  [test x"$enable_ltdl_install" != xyes && enable_ltdl_install=no],
-  [if test x"$enable_ltdl_install" = xno; then
-     AC_MSG_WARN([libltdl not installed, but installation disabled])
-   else
-     enable_ltdl_install=yes
-   fi
-  ])
-  if test x"$enable_ltdl_install" = x"yes"; then
-    ac_configure_args="$ac_configure_args --enable-ltdl-install"
-    LIBLTDL='${top_builddir}/'ifelse($#,1,[$1],['libltdl'])/libltdl.la
-    LTDLINCL='-I${top_srcdir}/'ifelse($#,1,[$1],['libltdl'])
-  else
-    ac_configure_args="$ac_configure_args --enable-ltdl-install=no"
-    LIBLTDL="-lltdl"
-    LTDLINCL=
-  fi
-  # For backwards non-gettext consistent compatibility...
-  INCLTDL="$LTDLINCL"
-])# AC_LIBLTDL_INSTALLABLE
-
-
-# AC_LIBTOOL_CXX
-# --------------
-# enable support for C++ libraries
-AC_DEFUN([AC_LIBTOOL_CXX],
-[AC_REQUIRE([_LT_AC_LANG_CXX])
-])# AC_LIBTOOL_CXX
-
-
-# _LT_AC_LANG_CXX
-# ---------------
-AC_DEFUN([_LT_AC_LANG_CXX],
-[AC_REQUIRE([AC_PROG_CXX])
-AC_REQUIRE([_LT_AC_PROG_CXXCPP])
-_LT_AC_SHELL_INIT([tagnames=${tagnames+${tagnames},}CXX])
-])# _LT_AC_LANG_CXX
-
-# _LT_AC_PROG_CXXCPP
-# ------------------
-AC_DEFUN([_LT_AC_PROG_CXXCPP],
-[
-AC_REQUIRE([AC_PROG_CXX])
-if test -n "$CXX" && ( test "X$CXX" != "Xno" &&
-    ( (test "X$CXX" = "Xg++" && `g++ -v >/dev/null 2>&1` ) ||
-    (test "X$CXX" != "Xg++"))) ; then
-  AC_PROG_CXXCPP
-fi
-])# _LT_AC_PROG_CXXCPP
-
-# AC_LIBTOOL_F77
-# --------------
-# enable support for Fortran 77 libraries
-AC_DEFUN([AC_LIBTOOL_F77],
-[AC_REQUIRE([_LT_AC_LANG_F77])
-])# AC_LIBTOOL_F77
-
-
-# _LT_AC_LANG_F77
-# ---------------
-AC_DEFUN([_LT_AC_LANG_F77],
-[AC_REQUIRE([AC_PROG_F77])
-_LT_AC_SHELL_INIT([tagnames=${tagnames+${tagnames},}F77])
-])# _LT_AC_LANG_F77
-
-
-# AC_LIBTOOL_GCJ
-# --------------
-# enable support for GCJ libraries
-AC_DEFUN([AC_LIBTOOL_GCJ],
-[AC_REQUIRE([_LT_AC_LANG_GCJ])
-])# AC_LIBTOOL_GCJ
-
-
-# _LT_AC_LANG_GCJ
-# ---------------
-AC_DEFUN([_LT_AC_LANG_GCJ],
-[AC_PROVIDE_IFELSE([AC_PROG_GCJ],[],
-  [AC_PROVIDE_IFELSE([A][M_PROG_GCJ],[],
-    [AC_PROVIDE_IFELSE([LT_AC_PROG_GCJ],[],
-      [ifdef([AC_PROG_GCJ],[AC_REQUIRE([AC_PROG_GCJ])],
-	 [ifdef([A][M_PROG_GCJ],[AC_REQUIRE([A][M_PROG_GCJ])],
-	   [AC_REQUIRE([A][C_PROG_GCJ_OR_A][M_PROG_GCJ])])])])])])
-_LT_AC_SHELL_INIT([tagnames=${tagnames+${tagnames},}GCJ])
-])# _LT_AC_LANG_GCJ
-
-
-# AC_LIBTOOL_RC
-# -------------
-# enable support for Windows resource files
-AC_DEFUN([AC_LIBTOOL_RC],
-[AC_REQUIRE([LT_AC_PROG_RC])
-_LT_AC_SHELL_INIT([tagnames=${tagnames+${tagnames},}RC])
-])# AC_LIBTOOL_RC
-
-
-# AC_LIBTOOL_LANG_C_CONFIG
-# ------------------------
-# Ensure that the configuration vars for the C compiler are
-# suitably defined.  Those variables are subsequently used by
-# AC_LIBTOOL_CONFIG to write the compiler configuration to `libtool'.
-AC_DEFUN([AC_LIBTOOL_LANG_C_CONFIG], [_LT_AC_LANG_C_CONFIG])
-AC_DEFUN([_LT_AC_LANG_C_CONFIG],
-[lt_save_CC="$CC"
-AC_LANG_PUSH(C)
-
-# Source file extension for C test sources.
-ac_ext=c
-
-# Object file extension for compiled C test sources.
-objext=o
-_LT_AC_TAGVAR(objext, $1)=$objext
-
-# Code to be used in simple compile tests
-lt_simple_compile_test_code="int some_variable = 0;"
-
-# Code to be used in simple link tests
-lt_simple_link_test_code='int main(){return(0);}'
-
-_LT_AC_SYS_COMPILER
-
-# save warnings/boilerplate of simple test code
-_LT_COMPILER_BOILERPLATE
-_LT_LINKER_BOILERPLATE
-
-AC_LIBTOOL_PROG_COMPILER_NO_RTTI($1)
-AC_LIBTOOL_PROG_COMPILER_PIC($1)
-AC_LIBTOOL_PROG_CC_C_O($1)
-AC_LIBTOOL_SYS_HARD_LINK_LOCKS($1)
-AC_LIBTOOL_PROG_LD_SHLIBS($1)
-AC_LIBTOOL_SYS_DYNAMIC_LINKER($1)
-AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH($1)
-AC_LIBTOOL_SYS_LIB_STRIP
-AC_LIBTOOL_DLOPEN_SELF
-
-# Report which library types will actually be built
-AC_MSG_CHECKING([if libtool supports shared libraries])
-AC_MSG_RESULT([$can_build_shared])
-
-AC_MSG_CHECKING([whether to build shared libraries])
-test "$can_build_shared" = "no" && enable_shared=no
-
-# On AIX, shared libraries and static libraries use the same namespace, and
-# are all built from PIC.
-case $host_os in
-aix3*)
-  test "$enable_shared" = yes && enable_static=no
-  if test -n "$RANLIB"; then
-    archive_cmds="$archive_cmds~\$RANLIB \$lib"
-    postinstall_cmds='$RANLIB $lib'
-  fi
-  ;;
-
-aix[[4-9]]*)
-  if test "$host_cpu" != ia64 && test "$aix_use_runtimelinking" = no ; then
-    test "$enable_shared" = yes && enable_static=no
-  fi
-    ;;
-esac
-AC_MSG_RESULT([$enable_shared])
-
-AC_MSG_CHECKING([whether to build static libraries])
-# Make sure either enable_shared or enable_static is yes.
-test "$enable_shared" = yes || enable_static=yes
-AC_MSG_RESULT([$enable_static])
-
-AC_LIBTOOL_CONFIG($1)
-
-AC_LANG_POP
-CC="$lt_save_CC"
-])# AC_LIBTOOL_LANG_C_CONFIG
-
-
-# AC_LIBTOOL_LANG_CXX_CONFIG
-# --------------------------
-# Ensure that the configuration vars for the C compiler are
-# suitably defined.  Those variables are subsequently used by
-# AC_LIBTOOL_CONFIG to write the compiler configuration to `libtool'.
-AC_DEFUN([AC_LIBTOOL_LANG_CXX_CONFIG], [_LT_AC_LANG_CXX_CONFIG(CXX)])
-AC_DEFUN([_LT_AC_LANG_CXX_CONFIG],
-[AC_LANG_PUSH(C++)
-AC_REQUIRE([AC_PROG_CXX])
-AC_REQUIRE([_LT_AC_PROG_CXXCPP])
-
-_LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
-_LT_AC_TAGVAR(allow_undefined_flag, $1)=
-_LT_AC_TAGVAR(always_export_symbols, $1)=no
-_LT_AC_TAGVAR(archive_expsym_cmds, $1)=
-_LT_AC_TAGVAR(export_dynamic_flag_spec, $1)=
-_LT_AC_TAGVAR(hardcode_direct, $1)=no
-_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)=
-_LT_AC_TAGVAR(hardcode_libdir_flag_spec_ld, $1)=
-_LT_AC_TAGVAR(hardcode_libdir_separator, $1)=
-_LT_AC_TAGVAR(hardcode_minus_L, $1)=no
-_LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=unsupported
-_LT_AC_TAGVAR(hardcode_automatic, $1)=no
-_LT_AC_TAGVAR(module_cmds, $1)=
-_LT_AC_TAGVAR(module_expsym_cmds, $1)=
-_LT_AC_TAGVAR(link_all_deplibs, $1)=unknown
-_LT_AC_TAGVAR(old_archive_cmds, $1)=$old_archive_cmds
-_LT_AC_TAGVAR(no_undefined_flag, $1)=
-_LT_AC_TAGVAR(whole_archive_flag_spec, $1)=
-_LT_AC_TAGVAR(enable_shared_with_static_runtimes, $1)=no
-
-# Dependencies to place before and after the object being linked:
-_LT_AC_TAGVAR(predep_objects, $1)=
-_LT_AC_TAGVAR(postdep_objects, $1)=
-_LT_AC_TAGVAR(predeps, $1)=
-_LT_AC_TAGVAR(postdeps, $1)=
-_LT_AC_TAGVAR(compiler_lib_search_path, $1)=
-_LT_AC_TAGVAR(compiler_lib_search_dirs, $1)=
-
-# Source file extension for C++ test sources.
-ac_ext=cpp
-
-# Object file extension for compiled C++ test sources.
-objext=o
-_LT_AC_TAGVAR(objext, $1)=$objext
-
-# Code to be used in simple compile tests
-lt_simple_compile_test_code="int some_variable = 0;"
-
-# Code to be used in simple link tests
-lt_simple_link_test_code='int main(int, char *[[]]) { return(0); }'
-
-# ltmain only uses $CC for tagged configurations so make sure $CC is set.
-_LT_AC_SYS_COMPILER
-
-# save warnings/boilerplate of simple test code
-_LT_COMPILER_BOILERPLATE
-_LT_LINKER_BOILERPLATE
-
-# Allow CC to be a program name with arguments.
-lt_save_CC=$CC
-lt_save_LD=$LD
-lt_save_GCC=$GCC
-GCC=$GXX
-lt_save_with_gnu_ld=$with_gnu_ld
-lt_save_path_LD=$lt_cv_path_LD
-if test -n "${lt_cv_prog_gnu_ldcxx+set}"; then
-  lt_cv_prog_gnu_ld=$lt_cv_prog_gnu_ldcxx
-else
-  $as_unset lt_cv_prog_gnu_ld
-fi
-if test -n "${lt_cv_path_LDCXX+set}"; then
-  lt_cv_path_LD=$lt_cv_path_LDCXX
-else
-  $as_unset lt_cv_path_LD
-fi
-test -z "${LDCXX+set}" || LD=$LDCXX
-CC=${CXX-"c++"}
-compiler=$CC
-_LT_AC_TAGVAR(compiler, $1)=$CC
-_LT_CC_BASENAME([$compiler])
-
-# We don't want -fno-exception wen compiling C++ code, so set the
-# no_builtin_flag separately
-if test "$GXX" = yes; then
-  _LT_AC_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)=' -fno-builtin'
-else
-  _LT_AC_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)=
-fi
-
-if test "$GXX" = yes; then
-  # Set up default GNU C++ configuration
-
-  AC_PROG_LD
-
-  # Check if GNU C++ uses GNU ld as the underlying linker, since the
-  # archiving commands below assume that GNU ld is being used.
-  if test "$with_gnu_ld" = yes; then
-    _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib'
-    _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
-
-    _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}--rpath ${wl}$libdir'
-    _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic'
-
-    # If archive_cmds runs LD, not CC, wlarc should be empty
-    # XXX I think wlarc can be eliminated in ltcf-cxx, but I need to
-    #     investigate it a little bit more. (MM)
-    wlarc='${wl}'
-
-    # ancient GNU ld didn't support --whole-archive et. al.
-    if eval "`$CC -print-prog-name=ld` --help 2>&1" | \
-	grep 'no-whole-archive' > /dev/null; then
-      _LT_AC_TAGVAR(whole_archive_flag_spec, $1)="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive'
-    else
-      _LT_AC_TAGVAR(whole_archive_flag_spec, $1)=
-    fi
-  else
-    with_gnu_ld=no
-    wlarc=
-
-    # A generic and very simple default shared library creation
-    # command for GNU C++ for the case where it uses the native
-    # linker, instead of GNU ld.  If possible, this setting should
-    # overridden to take advantage of the native linker features on
-    # the platform it is being used on.
-    _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $lib'
-  fi
-
-  # Commands to make compiler produce verbose output that lists
-  # what "hidden" libraries, object files and flags are used when
-  # linking a shared library.
-  output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "\-L"'
-
-else
-  GXX=no
-  with_gnu_ld=no
-  wlarc=
-fi
-
-# PORTME: fill in a description of your system's C++ link characteristics
-AC_MSG_CHECKING([whether the $compiler linker ($LD) supports shared libraries])
-_LT_AC_TAGVAR(ld_shlibs, $1)=yes
-case $host_os in
-  aix3*)
-    # FIXME: insert proper C++ library support
-    _LT_AC_TAGVAR(ld_shlibs, $1)=no
-    ;;
-  aix[[4-9]]*)
-    if test "$host_cpu" = ia64; then
-      # On IA64, the linker does run time linking by default, so we don't
-      # have to do anything special.
-      aix_use_runtimelinking=no
-      exp_sym_flag='-Bexport'
-      no_entry_flag=""
-    else
-      aix_use_runtimelinking=no
-
-      # Test if we are trying to use run time linking or normal
-      # AIX style linking. If -brtl is somewhere in LDFLAGS, we
-      # need to do runtime linking.
-      case $host_os in aix4.[[23]]|aix4.[[23]].*|aix[[5-9]]*)
-	for ld_flag in $LDFLAGS; do
-	  case $ld_flag in
-	  *-brtl*)
-	    aix_use_runtimelinking=yes
-	    break
-	    ;;
-	  esac
-	done
-	;;
-      esac
-
-      exp_sym_flag='-bexport'
-      no_entry_flag='-bnoentry'
-    fi
-
-    # When large executables or shared objects are built, AIX ld can
-    # have problems creating the table of contents.  If linking a library
-    # or program results in "error TOC overflow" add -mminimal-toc to
-    # CXXFLAGS/CFLAGS for g++/gcc.  In the cases where that is not
-    # enough to fix the problem, add -Wl,-bbigtoc to LDFLAGS.
-
-    _LT_AC_TAGVAR(archive_cmds, $1)=''
-    _LT_AC_TAGVAR(hardcode_direct, $1)=yes
-    _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=':'
-    _LT_AC_TAGVAR(link_all_deplibs, $1)=yes
-
-    if test "$GXX" = yes; then
-      case $host_os in aix4.[[012]]|aix4.[[012]].*)
-      # We only want to do this on AIX 4.2 and lower, the check
-      # below for broken collect2 doesn't work under 4.3+
-	collect2name=`${CC} -print-prog-name=collect2`
-	if test -f "$collect2name" && \
-	   strings "$collect2name" | grep resolve_lib_name >/dev/null
-	then
-	  # We have reworked collect2
-	  :
-	else
-	  # We have old collect2
-	  _LT_AC_TAGVAR(hardcode_direct, $1)=unsupported
-	  # It fails to find uninstalled libraries when the uninstalled
-	  # path is not listed in the libpath.  Setting hardcode_minus_L
-	  # to unsupported forces relinking
-	  _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes
-	  _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
-	  _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=
-	fi
-	;;
-      esac
-      shared_flag='-shared'
-      if test "$aix_use_runtimelinking" = yes; then
-	shared_flag="$shared_flag "'${wl}-G'
-      fi
-    else
-      # not using gcc
-      if test "$host_cpu" = ia64; then
-	# VisualAge C++, Version 5.5 for AIX 5L for IA-64, Beta 3 Release
-	# chokes on -Wl,-G. The following line is correct:
-	shared_flag='-G'
-      else
-	if test "$aix_use_runtimelinking" = yes; then
-	  shared_flag='${wl}-G'
-	else
-	  shared_flag='${wl}-bM:SRE'
-	fi
-      fi
-    fi
-
-    # It seems that -bexpall does not export symbols beginning with
-    # underscore (_), so it is better to generate a list of symbols to export.
-    _LT_AC_TAGVAR(always_export_symbols, $1)=yes
-    if test "$aix_use_runtimelinking" = yes; then
-      # Warning - without using the other runtime loading flags (-brtl),
-      # -berok will link without error, but may produce a broken library.
-      _LT_AC_TAGVAR(allow_undefined_flag, $1)='-berok'
-      # Determine the default libpath from the value encoded in an empty executable.
-      _LT_AC_SYS_LIBPATH_AIX
-      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-blibpath:$libdir:'"$aix_libpath"
-
-      _LT_AC_TAGVAR(archive_expsym_cmds, $1)="\$CC"' -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then echo "${wl}${allow_undefined_flag}"; else :; fi` '"\${wl}$exp_sym_flag:\$export_symbols $shared_flag"
-     else
-      if test "$host_cpu" = ia64; then
-	_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-R $libdir:/usr/lib:/lib'
-	_LT_AC_TAGVAR(allow_undefined_flag, $1)="-z nodefs"
-	_LT_AC_TAGVAR(archive_expsym_cmds, $1)="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags ${wl}${allow_undefined_flag} '"\${wl}$exp_sym_flag:\$export_symbols"
-      else
-	# Determine the default libpath from the value encoded in an empty executable.
-	_LT_AC_SYS_LIBPATH_AIX
-	_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-blibpath:$libdir:'"$aix_libpath"
-	# Warning - without using the other run time loading flags,
-	# -berok will link without error, but may produce a broken library.
-	_LT_AC_TAGVAR(no_undefined_flag, $1)=' ${wl}-bernotok'
-	_LT_AC_TAGVAR(allow_undefined_flag, $1)=' ${wl}-berok'
-	# Exported symbols can be pulled into shared objects from archives
-	_LT_AC_TAGVAR(whole_archive_flag_spec, $1)='$convenience'
-	_LT_AC_TAGVAR(archive_cmds_need_lc, $1)=yes
-	# This is similar to how AIX traditionally builds its shared libraries.
-	_LT_AC_TAGVAR(archive_expsym_cmds, $1)="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs ${wl}-bnoentry $compiler_flags ${wl}-bE:$export_symbols${allow_undefined_flag}~$AR $AR_FLAGS $output_objdir/$libname$release.a $output_objdir/$soname'
-      fi
-    fi
-    ;;
-
-  beos*)
-    if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
-      _LT_AC_TAGVAR(allow_undefined_flag, $1)=unsupported
-      # Joseph Beckenbach <jrb3@best.com> says some releases of gcc
-      # support --undefined.  This deserves some investigation.  FIXME
-      _LT_AC_TAGVAR(archive_cmds, $1)='$CC -nostart $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
-    else
-      _LT_AC_TAGVAR(ld_shlibs, $1)=no
-    fi
-    ;;
-
-  chorus*)
-    case $cc_basename in
-      *)
-	# FIXME: insert proper C++ library support
-	_LT_AC_TAGVAR(ld_shlibs, $1)=no
-	;;
-    esac
-    ;;
-
-  cygwin* | mingw* | pw32*)
-    # _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1) is actually meaningless,
-    # as there is no search path for DLLs.
-    _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
-    _LT_AC_TAGVAR(allow_undefined_flag, $1)=unsupported
-    _LT_AC_TAGVAR(always_export_symbols, $1)=no
-    _LT_AC_TAGVAR(enable_shared_with_static_runtimes, $1)=yes
-
-    if $LD --help 2>&1 | grep 'auto-import' > /dev/null; then
-      _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
-      # If the export-symbols file already is a .def file (1st line
-      # is EXPORTS), use it as is; otherwise, prepend...
-      _LT_AC_TAGVAR(archive_expsym_cmds, $1)='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then
-	cp $export_symbols $output_objdir/$soname.def;
-      else
-	echo EXPORTS > $output_objdir/$soname.def;
-	cat $export_symbols >> $output_objdir/$soname.def;
-      fi~
-      $CC -shared -nostdlib $output_objdir/$soname.def $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
-    else
-      _LT_AC_TAGVAR(ld_shlibs, $1)=no
-    fi
-  ;;
-      darwin* | rhapsody*)
-      _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
-      _LT_AC_TAGVAR(hardcode_direct, $1)=no
-      _LT_AC_TAGVAR(hardcode_automatic, $1)=yes
-      _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=unsupported
-      _LT_AC_TAGVAR(whole_archive_flag_spec, $1)=''
-      _LT_AC_TAGVAR(link_all_deplibs, $1)=yes
-      _LT_AC_TAGVAR(allow_undefined_flag, $1)="$_lt_dar_allow_undefined"
-      if test "$GXX" = yes ; then
-      output_verbose_link_cmd='echo'
-      _LT_AC_TAGVAR(archive_cmds, $1)="\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$libobjs \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring $_lt_dar_single_mod${_lt_dsymutil}"
-      _LT_AC_TAGVAR(module_cmds, $1)="\$CC \$allow_undefined_flag -o \$lib -bundle \$libobjs \$deplibs \$compiler_flags${_lt_dsymutil}"
-      _LT_AC_TAGVAR(archive_expsym_cmds, $1)="sed 's,^,_,' < \$export_symbols > \$output_objdir/\${libname}-symbols.expsym~\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$libobjs \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring ${_lt_dar_single_mod}${_lt_dar_export_syms}${_lt_dsymutil}"
-      _LT_AC_TAGVAR(module_expsym_cmds, $1)="sed -e 's,^,_,' < \$export_symbols > \$output_objdir/\${libname}-symbols.expsym~\$CC \$allow_undefined_flag -o \$lib -bundle \$libobjs \$deplibs \$compiler_flags${_lt_dar_export_syms}${_lt_dsymutil}"
-      if test "$lt_cv_apple_cc_single_mod" != "yes"; then
-        _LT_AC_TAGVAR(archive_cmds, $1)="\$CC -r -keep_private_externs -nostdlib -o \${lib}-master.o \$libobjs~\$CC -dynamiclib \$allow_undefined_flag -o \$lib \${lib}-master.o \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring${_lt_dsymutil}"
-        _LT_AC_TAGVAR(archive_expsym_cmds, $1)="sed 's,^,_,' < \$export_symbols > \$output_objdir/\${libname}-symbols.expsym~\$CC -r -keep_private_externs -nostdlib -o \${lib}-master.o \$libobjs~\$CC -dynamiclib \$allow_undefined_flag -o \$lib \${lib}-master.o \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring${_lt_dar_export_syms}${_lt_dsymutil}"
-      fi
-      else
-      case $cc_basename in
-        xlc*)
-         output_verbose_link_cmd='echo'
-          _LT_AC_TAGVAR(archive_cmds, $1)='$CC -qmkshrobj ${wl}-single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}`echo $rpath/$soname` $xlcverstring'
-          _LT_AC_TAGVAR(module_cmds, $1)='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
-          # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin lds
-          _LT_AC_TAGVAR(archive_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -qmkshrobj ${wl}-single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}$rpath/$soname $xlcverstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
-          _LT_AC_TAGVAR(module_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag  -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
-          ;;
-       *)
-         _LT_AC_TAGVAR(ld_shlibs, $1)=no
-          ;;
-      esac
-      fi
-        ;;
-
-  dgux*)
-    case $cc_basename in
-      ec++*)
-	# FIXME: insert proper C++ library support
-	_LT_AC_TAGVAR(ld_shlibs, $1)=no
-	;;
-      ghcx*)
-	# Green Hills C++ Compiler
-	# FIXME: insert proper C++ library support
-	_LT_AC_TAGVAR(ld_shlibs, $1)=no
-	;;
-      *)
-	# FIXME: insert proper C++ library support
-	_LT_AC_TAGVAR(ld_shlibs, $1)=no
-	;;
-    esac
-    ;;
-  freebsd[[12]]*)
-    # C++ shared libraries reported to be fairly broken before switch to ELF
-    _LT_AC_TAGVAR(ld_shlibs, $1)=no
-    ;;
-  freebsd-elf*)
-    _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
-    ;;
-  freebsd* | dragonfly*)
-    # FreeBSD 3 and later use GNU C++ and GNU ld with standard ELF
-    # conventions
-    _LT_AC_TAGVAR(ld_shlibs, $1)=yes
-    ;;
-  gnu*)
-    ;;
-  hpux9*)
-    _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir'
-    _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
-    _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
-    _LT_AC_TAGVAR(hardcode_direct, $1)=yes
-    _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes # Not in the search PATH,
-				# but as the default
-				# location of the library.
-
-    case $cc_basename in
-    CC*)
-      # FIXME: insert proper C++ library support
-      _LT_AC_TAGVAR(ld_shlibs, $1)=no
-      ;;
-    aCC*)
-      _LT_AC_TAGVAR(archive_cmds, $1)='$rm $output_objdir/$soname~$CC -b ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
-      # Commands to make compiler produce verbose output that lists
-      # what "hidden" libraries, object files and flags are used when
-      # linking a shared library.
-      #
-      # There doesn't appear to be a way to prevent this compiler from
-      # explicitly linking system object files so we need to strip them
-      # from the output so that they don't get included in the library
-      # dependencies.
-      output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | grep "[[-]]L"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
-      ;;
-    *)
-      if test "$GXX" = yes; then
-        _LT_AC_TAGVAR(archive_cmds, $1)='$rm $output_objdir/$soname~$CC -shared -nostdlib -fPIC ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
-      else
-        # FIXME: insert proper C++ library support
-        _LT_AC_TAGVAR(ld_shlibs, $1)=no
-      fi
-      ;;
-    esac
-    ;;
-  hpux10*|hpux11*)
-    if test $with_gnu_ld = no; then
-      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir'
-      _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
-
-      case $host_cpu in
-      hppa*64*|ia64*) ;;
-      *)
-	_LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
-        ;;
-      esac
-    fi
-    case $host_cpu in
-    hppa*64*|ia64*)
-      _LT_AC_TAGVAR(hardcode_direct, $1)=no
-      _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
-      ;;
-    *)
-      _LT_AC_TAGVAR(hardcode_direct, $1)=yes
-      _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes # Not in the search PATH,
-					      # but as the default
-					      # location of the library.
-      ;;
-    esac
-
-    case $cc_basename in
-      CC*)
-	# FIXME: insert proper C++ library support
-	_LT_AC_TAGVAR(ld_shlibs, $1)=no
-	;;
-      aCC*)
-	case $host_cpu in
-	hppa*64*)
-	  _LT_AC_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
-	  ;;
-	ia64*)
-	  _LT_AC_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
-	  ;;
-	*)
-	  _LT_AC_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
-	  ;;
-	esac
-	# Commands to make compiler produce verbose output that lists
-	# what "hidden" libraries, object files and flags are used when
-	# linking a shared library.
-	#
-	# There doesn't appear to be a way to prevent this compiler from
-	# explicitly linking system object files so we need to strip them
-	# from the output so that they don't get included in the library
-	# dependencies.
-	output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | grep "\-L"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
-	;;
-      *)
-	if test "$GXX" = yes; then
-	  if test $with_gnu_ld = no; then
-	    case $host_cpu in
-	    hppa*64*)
-	      _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib -fPIC ${wl}+h ${wl}$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
-	      ;;
-	    ia64*)
-	      _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib -fPIC ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
-	      ;;
-	    *)
-	      _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
-	      ;;
-	    esac
-	  fi
-	else
-	  # FIXME: insert proper C++ library support
-	  _LT_AC_TAGVAR(ld_shlibs, $1)=no
-	fi
-	;;
-    esac
-    ;;
-  interix[[3-9]]*)
-    _LT_AC_TAGVAR(hardcode_direct, $1)=no
-    _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
-    _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
-    _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
-    # Hack: On Interix 3.x, we cannot compile PIC because of a broken gcc.
-    # Instead, shared libraries are loaded at an image base (0x10000000 by
-    # default) and relocated if they conflict, which is a slow very memory
-    # consuming and fragmenting process.  To avoid this, we pick a random,
-    # 256 KiB-aligned image base between 0x50000000 and 0x6FFC0000 at link
-    # time.  Moving up from 0x10000000 also allows more sbrk(2) space.
-    _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
-    _LT_AC_TAGVAR(archive_expsym_cmds, $1)='sed "s,^,_," $export_symbols >$output_objdir/$soname.expsym~$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--retain-symbols-file,$output_objdir/$soname.expsym ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
-    ;;
-  irix5* | irix6*)
-    case $cc_basename in
-      CC*)
-	# SGI C++
-	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -all -multigot $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
-
-	# Archives containing C++ object files must be created using
-	# "CC -ar", where "CC" is the IRIX C++ compiler.  This is
-	# necessary to make sure instantiated templates are included
-	# in the archive.
-	_LT_AC_TAGVAR(old_archive_cmds, $1)='$CC -ar -WR,-u -o $oldlib $oldobjs'
-	;;
-      *)
-	if test "$GXX" = yes; then
-	  if test "$with_gnu_ld" = no; then
-	    _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
-	  else
-	    _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` -o $lib'
-	  fi
-	fi
-	_LT_AC_TAGVAR(link_all_deplibs, $1)=yes
-	;;
-    esac
-    _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
-    _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
-    ;;
-  linux* | k*bsd*-gnu)
-    case $cc_basename in
-      KCC*)
-	# Kuck and Associates, Inc. (KAI) C++ Compiler
-
-	# KCC will only create a shared library if the output file
-	# ends with ".so" (or ".sl" for HP-UX), so rename the library
-	# to its proper name (with version) after linking.
-	_LT_AC_TAGVAR(archive_cmds, $1)='tempext=`echo $shared_ext | $SED -e '\''s/\([[^()0-9A-Za-z{}]]\)/\\\\\1/g'\''`; templib=`echo $lib | $SED -e "s/\${tempext}\..*/.so/"`; $CC $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags --soname $soname -o \$templib; mv \$templib $lib'
-	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='tempext=`echo $shared_ext | $SED -e '\''s/\([[^()0-9A-Za-z{}]]\)/\\\\\1/g'\''`; templib=`echo $lib | $SED -e "s/\${tempext}\..*/.so/"`; $CC $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags --soname $soname -o \$templib ${wl}-retain-symbols-file,$export_symbols; mv \$templib $lib'
-	# Commands to make compiler produce verbose output that lists
-	# what "hidden" libraries, object files and flags are used when
-	# linking a shared library.
-	#
-	# There doesn't appear to be a way to prevent this compiler from
-	# explicitly linking system object files so we need to strip them
-	# from the output so that they don't get included in the library
-	# dependencies.
-	output_verbose_link_cmd='templist=`$CC $CFLAGS -v conftest.$objext -o libconftest$shared_ext 2>&1 | grep "ld"`; rm -f libconftest$shared_ext; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
-
-	_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}--rpath,$libdir'
-	_LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic'
-
-	# Archives containing C++ object files must be created using
-	# "CC -Bstatic", where "CC" is the KAI C++ compiler.
-	_LT_AC_TAGVAR(old_archive_cmds, $1)='$CC -Bstatic -o $oldlib $oldobjs'
-	;;
-      icpc*)
-	# Intel C++
-	with_gnu_ld=yes
-	# version 8.0 and above of icpc choke on multiply defined symbols
-	# if we add $predep_objects and $postdep_objects, however 7.1 and
-	# earlier do not add the objects themselves.
-	case `$CC -V 2>&1` in
-	*"Version 7."*)
-  	  _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib'
-  	  _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
-	  ;;
-	*)  # Version 8.0 or newer
-	  tmp_idyn=
-	  case $host_cpu in
-	    ia64*) tmp_idyn=' -i_dynamic';;
-	  esac
-  	  _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared'"$tmp_idyn"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
-	  _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared'"$tmp_idyn"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
-	  ;;
-	esac
-	_LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
-	_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
-	_LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic'
-	_LT_AC_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive$convenience ${wl}--no-whole-archive'
-	;;
-      pgCC* | pgcpp*)
-        # Portland Group C++ compiler
-	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
-  	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname ${wl}-retain-symbols-file ${wl}$export_symbols -o $lib'
-
-	_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}--rpath ${wl}$libdir'
-	_LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic'
-	_LT_AC_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}--no-whole-archive'
-        ;;
-      cxx*)
-	# Compaq C++
-	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib'
-	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname  -o $lib ${wl}-retain-symbols-file $wl$export_symbols'
-
-	runpath_var=LD_RUN_PATH
-	_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-rpath $libdir'
-	_LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
-
-	# Commands to make compiler produce verbose output that lists
-	# what "hidden" libraries, object files and flags are used when
-	# linking a shared library.
-	#
-	# There doesn't appear to be a way to prevent this compiler from
-	# explicitly linking system object files so we need to strip them
-	# from the output so that they don't get included in the library
-	# dependencies.
-	output_verbose_link_cmd='templist=`$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "ld"`; templist=`echo $templist | $SED "s/\(^.*ld.*\)\( .*ld .*$\)/\1/"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
-	;;
-      *)
-	case `$CC -V 2>&1 | sed 5q` in
-	*Sun\ C*)
-	  # Sun C++ 5.9
-	  _LT_AC_TAGVAR(no_undefined_flag, $1)=' -zdefs'
-	  _LT_AC_TAGVAR(archive_cmds, $1)='$CC -G${allow_undefined_flag} -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
-	  _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -G${allow_undefined_flag} -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-retain-symbols-file ${wl}$export_symbols'
-	  _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
-	  _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`new_convenience=; for conv in $convenience\"\"; do test -z \"$conv\" || new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}--no-whole-archive'
-
-	  # Not sure whether something based on
-	  # $CC $CFLAGS -v conftest.$objext -o libconftest$shared_ext 2>&1
-	  # would be better.
-	  output_verbose_link_cmd='echo'
-
-	  # Archives containing C++ object files must be created using
-	  # "CC -xar", where "CC" is the Sun C++ compiler.  This is
-	  # necessary to make sure instantiated templates are included
-	  # in the archive.
-	  _LT_AC_TAGVAR(old_archive_cmds, $1)='$CC -xar -o $oldlib $oldobjs'
-	  ;;
-	esac
-	;;
-    esac
-    ;;
-  lynxos*)
-    # FIXME: insert proper C++ library support
-    _LT_AC_TAGVAR(ld_shlibs, $1)=no
-    ;;
-  m88k*)
-    # FIXME: insert proper C++ library support
-    _LT_AC_TAGVAR(ld_shlibs, $1)=no
-    ;;
-  mvs*)
-    case $cc_basename in
-      cxx*)
-	# FIXME: insert proper C++ library support
-	_LT_AC_TAGVAR(ld_shlibs, $1)=no
-	;;
-      *)
-	# FIXME: insert proper C++ library support
-	_LT_AC_TAGVAR(ld_shlibs, $1)=no
-	;;
-    esac
-    ;;
-  netbsd* | netbsdelf*-gnu)
-    if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
-      _LT_AC_TAGVAR(archive_cmds, $1)='$LD -Bshareable  -o $lib $predep_objects $libobjs $deplibs $postdep_objects $linker_flags'
-      wlarc=
-      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
-      _LT_AC_TAGVAR(hardcode_direct, $1)=yes
-      _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
-    fi
-    # Workaround some broken pre-1.5 toolchains
-    output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep conftest.$objext | $SED -e "s:-lgcc -lc -lgcc::"'
-    ;;
-  openbsd2*)
-    # C++ shared libraries are fairly broken
-    _LT_AC_TAGVAR(ld_shlibs, $1)=no
-    ;;
-  openbsd*)
-    if test -f /usr/libexec/ld.so; then
-      _LT_AC_TAGVAR(hardcode_direct, $1)=yes
-      _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
-      _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $lib'
-      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
-      if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
-	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-retain-symbols-file,$export_symbols -o $lib'
-	_LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
-	_LT_AC_TAGVAR(whole_archive_flag_spec, $1)="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive'
-      fi
-      output_verbose_link_cmd='echo'
-    else
-      _LT_AC_TAGVAR(ld_shlibs, $1)=no
-    fi
-    ;;
-  osf3*)
-    case $cc_basename in
-      KCC*)
-	# Kuck and Associates, Inc. (KAI) C++ Compiler
-
-	# KCC will only create a shared library if the output file
-	# ends with ".so" (or ".sl" for HP-UX), so rename the library
-	# to its proper name (with version) after linking.
-	_LT_AC_TAGVAR(archive_cmds, $1)='tempext=`echo $shared_ext | $SED -e '\''s/\([[^()0-9A-Za-z{}]]\)/\\\\\1/g'\''`; templib=`echo $lib | $SED -e "s/\${tempext}\..*/.so/"`; $CC $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags --soname $soname -o \$templib; mv \$templib $lib'
-
-	_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
-	_LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
-
-	# Archives containing C++ object files must be created using
-	# "CC -Bstatic", where "CC" is the KAI C++ compiler.
-	_LT_AC_TAGVAR(old_archive_cmds, $1)='$CC -Bstatic -o $oldlib $oldobjs'
-
-	;;
-      RCC*)
-	# Rational C++ 2.4.1
-	# FIXME: insert proper C++ library support
-	_LT_AC_TAGVAR(ld_shlibs, $1)=no
-	;;
-      cxx*)
-	_LT_AC_TAGVAR(allow_undefined_flag, $1)=' ${wl}-expect_unresolved ${wl}\*'
-	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $soname `test -n "$verstring" && echo ${wl}-set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
-
-	_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
-	_LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
-
-	# Commands to make compiler produce verbose output that lists
-	# what "hidden" libraries, object files and flags are used when
-	# linking a shared library.
-	#
-	# There doesn't appear to be a way to prevent this compiler from
-	# explicitly linking system object files so we need to strip them
-	# from the output so that they don't get included in the library
-	# dependencies.
-	output_verbose_link_cmd='templist=`$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "ld" | grep -v "ld:"`; templist=`echo $templist | $SED "s/\(^.*ld.*\)\( .*ld.*$\)/\1/"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
-	;;
-      *)
-	if test "$GXX" = yes && test "$with_gnu_ld" = no; then
-	  _LT_AC_TAGVAR(allow_undefined_flag, $1)=' ${wl}-expect_unresolved ${wl}\*'
-	  _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib ${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
-
-	  _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
-	  _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
-
-	  # Commands to make compiler produce verbose output that lists
-	  # what "hidden" libraries, object files and flags are used when
-	  # linking a shared library.
-	  output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "\-L"'
-
-	else
-	  # FIXME: insert proper C++ library support
-	  _LT_AC_TAGVAR(ld_shlibs, $1)=no
-	fi
-	;;
-    esac
-    ;;
-  osf4* | osf5*)
-    case $cc_basename in
-      KCC*)
-	# Kuck and Associates, Inc. (KAI) C++ Compiler
-
-	# KCC will only create a shared library if the output file
-	# ends with ".so" (or ".sl" for HP-UX), so rename the library
-	# to its proper name (with version) after linking.
-	_LT_AC_TAGVAR(archive_cmds, $1)='tempext=`echo $shared_ext | $SED -e '\''s/\([[^()0-9A-Za-z{}]]\)/\\\\\1/g'\''`; templib=`echo $lib | $SED -e "s/\${tempext}\..*/.so/"`; $CC $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags --soname $soname -o \$templib; mv \$templib $lib'
-
-	_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
-	_LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
-
-	# Archives containing C++ object files must be created using
-	# the KAI C++ compiler.
-	_LT_AC_TAGVAR(old_archive_cmds, $1)='$CC -o $oldlib $oldobjs'
-	;;
-      RCC*)
-	# Rational C++ 2.4.1
-	# FIXME: insert proper C++ library support
-	_LT_AC_TAGVAR(ld_shlibs, $1)=no
-	;;
-      cxx*)
-	_LT_AC_TAGVAR(allow_undefined_flag, $1)=' -expect_unresolved \*'
-	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -msym -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
-	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='for i in `cat $export_symbols`; do printf "%s %s\\n" -exported_symbol "\$i" >> $lib.exp; done~
-	  echo "-hidden">> $lib.exp~
-	  $CC -shared$allow_undefined_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -msym -soname $soname -Wl,-input -Wl,$lib.exp  `test -n "$verstring" && echo -set_version	$verstring` -update_registry ${output_objdir}/so_locations -o $lib~
-	  $rm $lib.exp'
-
-	_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-rpath $libdir'
-	_LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
-
-	# Commands to make compiler produce verbose output that lists
-	# what "hidden" libraries, object files and flags are used when
-	# linking a shared library.
-	#
-	# There doesn't appear to be a way to prevent this compiler from
-	# explicitly linking system object files so we need to strip them
-	# from the output so that they don't get included in the library
-	# dependencies.
-	output_verbose_link_cmd='templist=`$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "ld" | grep -v "ld:"`; templist=`echo $templist | $SED "s/\(^.*ld.*\)\( .*ld.*$\)/\1/"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
-	;;
-      *)
-	if test "$GXX" = yes && test "$with_gnu_ld" = no; then
-	  _LT_AC_TAGVAR(allow_undefined_flag, $1)=' ${wl}-expect_unresolved ${wl}\*'
-	 _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib ${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-msym ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
-
-	  _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
-	  _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
-
-	  # Commands to make compiler produce verbose output that lists
-	  # what "hidden" libraries, object files and flags are used when
-	  # linking a shared library.
-	  output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "\-L"'
-
-	else
-	  # FIXME: insert proper C++ library support
-	  _LT_AC_TAGVAR(ld_shlibs, $1)=no
-	fi
-	;;
-    esac
-    ;;
-  psos*)
-    # FIXME: insert proper C++ library support
-    _LT_AC_TAGVAR(ld_shlibs, $1)=no
-    ;;
-  sunos4*)
-    case $cc_basename in
-      CC*)
-	# Sun C++ 4.x
-	# FIXME: insert proper C++ library support
-	_LT_AC_TAGVAR(ld_shlibs, $1)=no
-	;;
-      lcc*)
-	# Lucid
-	# FIXME: insert proper C++ library support
-	_LT_AC_TAGVAR(ld_shlibs, $1)=no
-	;;
-      *)
-	# FIXME: insert proper C++ library support
-	_LT_AC_TAGVAR(ld_shlibs, $1)=no
-	;;
-    esac
-    ;;
-  solaris*)
-    case $cc_basename in
-      CC*)
-	# Sun C++ 4.2, 5.x and Centerline C++
-        _LT_AC_TAGVAR(archive_cmds_need_lc,$1)=yes
-	_LT_AC_TAGVAR(no_undefined_flag, $1)=' -zdefs'
-	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -G${allow_undefined_flag}  -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
-	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
-	$CC -G${allow_undefined_flag}  ${wl}-M ${wl}$lib.exp -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~$rm $lib.exp'
-
-	_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
-	_LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
-	case $host_os in
-	  solaris2.[[0-5]] | solaris2.[[0-5]].*) ;;
-	  *)
-	    # The compiler driver will combine and reorder linker options,
-	    # but understands `-z linker_flag'.
-	    # Supported since Solaris 2.6 (maybe 2.5.1?)
-	    _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='-z allextract$convenience -z defaultextract'
-	    ;;
-	esac
-	_LT_AC_TAGVAR(link_all_deplibs, $1)=yes
-
-	output_verbose_link_cmd='echo'
-
-	# Archives containing C++ object files must be created using
-	# "CC -xar", where "CC" is the Sun C++ compiler.  This is
-	# necessary to make sure instantiated templates are included
-	# in the archive.
-	_LT_AC_TAGVAR(old_archive_cmds, $1)='$CC -xar -o $oldlib $oldobjs'
-	;;
-      gcx*)
-	# Green Hills C++ Compiler
-	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-h $wl$soname -o $lib'
-
-	# The C++ compiler must be used to create the archive.
-	_LT_AC_TAGVAR(old_archive_cmds, $1)='$CC $LDFLAGS -archive -o $oldlib $oldobjs'
-	;;
-      *)
-	# GNU C++ compiler with Solaris linker
-	if test "$GXX" = yes && test "$with_gnu_ld" = no; then
-	  _LT_AC_TAGVAR(no_undefined_flag, $1)=' ${wl}-z ${wl}defs'
-	  if $CC --version | grep -v '^2\.7' > /dev/null; then
-	    _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $LDFLAGS $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-h $wl$soname -o $lib'
-	    _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
-		$CC -shared -nostdlib ${wl}-M $wl$lib.exp -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~$rm $lib.exp'
-
-	    # Commands to make compiler produce verbose output that lists
-	    # what "hidden" libraries, object files and flags are used when
-	    # linking a shared library.
-	    output_verbose_link_cmd="$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep \"\-L\""
-	  else
-	    # g++ 2.7 appears to require `-G' NOT `-shared' on this
-	    # platform.
-	    _LT_AC_TAGVAR(archive_cmds, $1)='$CC -G -nostdlib $LDFLAGS $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-h $wl$soname -o $lib'
-	    _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
-		$CC -G -nostdlib ${wl}-M $wl$lib.exp -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~$rm $lib.exp'
-
-	    # Commands to make compiler produce verbose output that lists
-	    # what "hidden" libraries, object files and flags are used when
-	    # linking a shared library.
-	    output_verbose_link_cmd="$CC -G $CFLAGS -v conftest.$objext 2>&1 | grep \"\-L\""
-	  fi
-
-	  _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-R $wl$libdir'
-	  case $host_os in
-	  solaris2.[[0-5]] | solaris2.[[0-5]].*) ;;
-	  *)
-	    _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='${wl}-z ${wl}allextract$convenience ${wl}-z ${wl}defaultextract'
-	    ;;
-	  esac
-	fi
-	;;
-    esac
-    ;;
-  sysv4*uw2* | sysv5OpenUNIX* | sysv5UnixWare7.[[01]].[[10]]* | unixware7* | sco3.2v5.0.[[024]]*)
-    _LT_AC_TAGVAR(no_undefined_flag, $1)='${wl}-z,text'
-    _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
-    _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
-    runpath_var='LD_RUN_PATH'
-
-    case $cc_basename in
-      CC*)
-	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -G ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
-	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
-	;;
-      *)
-	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
-	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
-	;;
-    esac
-    ;;
-  sysv5* | sco3.2v5* | sco5v6*)
-    # Note: We can NOT use -z defs as we might desire, because we do not
-    # link with -lc, and that would cause any symbols used from libc to
-    # always be unresolved, which means just about no library would
-    # ever link correctly.  If we're not using GNU ld we use -z text
-    # though, which does catch some bad symbols but isn't as heavy-handed
-    # as -z defs.
-    # For security reasons, it is highly recommended that you always
-    # use absolute paths for naming shared libraries, and exclude the
-    # DT_RUNPATH tag from executables and libraries.  But doing so
-    # requires that you compile everything twice, which is a pain.
-    # So that behaviour is only enabled if SCOABSPATH is set to a
-    # non-empty value in the environment.  Most likely only useful for
-    # creating official distributions of packages.
-    # This is a hack until libtool officially supports absolute path
-    # names for shared libraries.
-    _LT_AC_TAGVAR(no_undefined_flag, $1)='${wl}-z,text'
-    _LT_AC_TAGVAR(allow_undefined_flag, $1)='${wl}-z,nodefs'
-    _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
-    _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
-    _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='`test -z "$SCOABSPATH" && echo ${wl}-R,$libdir`'
-    _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=':'
-    _LT_AC_TAGVAR(link_all_deplibs, $1)=yes
-    _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-Bexport'
-    runpath_var='LD_RUN_PATH'
-
-    case $cc_basename in
-      CC*)
-	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -G ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
-	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
-	;;
-      *)
-	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
-	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
-	;;
-    esac
-    ;;
-  tandem*)
-    case $cc_basename in
-      NCC*)
-	# NonStop-UX NCC 3.20
-	# FIXME: insert proper C++ library support
-	_LT_AC_TAGVAR(ld_shlibs, $1)=no
-	;;
-      *)
-	# FIXME: insert proper C++ library support
-	_LT_AC_TAGVAR(ld_shlibs, $1)=no
-	;;
-    esac
-    ;;
-  vxworks*)
-    # FIXME: insert proper C++ library support
-    _LT_AC_TAGVAR(ld_shlibs, $1)=no
-    ;;
-  *)
-    # FIXME: insert proper C++ library support
-    _LT_AC_TAGVAR(ld_shlibs, $1)=no
-    ;;
-esac
-AC_MSG_RESULT([$_LT_AC_TAGVAR(ld_shlibs, $1)])
-test "$_LT_AC_TAGVAR(ld_shlibs, $1)" = no && can_build_shared=no
-
-_LT_AC_TAGVAR(GCC, $1)="$GXX"
-_LT_AC_TAGVAR(LD, $1)="$LD"
-
-AC_LIBTOOL_POSTDEP_PREDEP($1)
-AC_LIBTOOL_PROG_COMPILER_PIC($1)
-AC_LIBTOOL_PROG_CC_C_O($1)
-AC_LIBTOOL_SYS_HARD_LINK_LOCKS($1)
-AC_LIBTOOL_PROG_LD_SHLIBS($1)
-AC_LIBTOOL_SYS_DYNAMIC_LINKER($1)
-AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH($1)
-
-AC_LIBTOOL_CONFIG($1)
-
-AC_LANG_POP
-CC=$lt_save_CC
-LDCXX=$LD
-LD=$lt_save_LD
-GCC=$lt_save_GCC
-with_gnu_ldcxx=$with_gnu_ld
-with_gnu_ld=$lt_save_with_gnu_ld
-lt_cv_path_LDCXX=$lt_cv_path_LD
-lt_cv_path_LD=$lt_save_path_LD
-lt_cv_prog_gnu_ldcxx=$lt_cv_prog_gnu_ld
-lt_cv_prog_gnu_ld=$lt_save_with_gnu_ld
-])# AC_LIBTOOL_LANG_CXX_CONFIG
-
-# AC_LIBTOOL_POSTDEP_PREDEP([TAGNAME])
-# ------------------------------------
-# Figure out "hidden" library dependencies from verbose
-# compiler output when linking a shared library.
-# Parse the compiler output and extract the necessary
-# objects, libraries and library flags.
-AC_DEFUN([AC_LIBTOOL_POSTDEP_PREDEP],
-[AC_REQUIRE([LT_AC_PROG_SED])dnl
-dnl we can't use the lt_simple_compile_test_code here,
-dnl because it contains code intended for an executable,
-dnl not a library.  It's possible we should let each
-dnl tag define a new lt_????_link_test_code variable,
-dnl but it's only used here...
-ifelse([$1],[],[cat > conftest.$ac_ext <<EOF
-int a;
-void foo (void) { a = 0; }
-EOF
-],[$1],[CXX],[cat > conftest.$ac_ext <<EOF
-class Foo
-{
-public:
-  Foo (void) { a = 0; }
-private:
-  int a;
-};
-EOF
-],[$1],[F77],[cat > conftest.$ac_ext <<EOF
-      subroutine foo
-      implicit none
-      integer*4 a
-      a=0
-      return
-      end
-EOF
-],[$1],[GCJ],[cat > conftest.$ac_ext <<EOF
-public class foo {
-  private int a;
-  public void bar (void) {
-    a = 0;
-  }
-};
-EOF
-])
-dnl Parse the compiler output and extract the necessary
-dnl objects, libraries and library flags.
-if AC_TRY_EVAL(ac_compile); then
-  # Parse the compiler output and extract the necessary
-  # objects, libraries and library flags.
-
-  # Sentinel used to keep track of whether or not we are before
-  # the conftest object file.
-  pre_test_object_deps_done=no
-
-  # The `*' in the case matches for architectures that use `case' in
-  # $output_verbose_cmd can trigger glob expansion during the loop
-  # eval without this substitution.
-  output_verbose_link_cmd=`$echo "X$output_verbose_link_cmd" | $Xsed -e "$no_glob_subst"`
-
-  for p in `eval $output_verbose_link_cmd`; do
-    case $p in
-
-    -L* | -R* | -l*)
-       # Some compilers place space between "-{L,R}" and the path.
-       # Remove the space.
-       if test $p = "-L" \
-	  || test $p = "-R"; then
-	 prev=$p
-	 continue
-       else
-	 prev=
-       fi
-
-       if test "$pre_test_object_deps_done" = no; then
-	 case $p in
-	 -L* | -R*)
-	   # Internal compiler library paths should come after those
-	   # provided the user.  The postdeps already come after the
-	   # user supplied libs so there is no need to process them.
-	   if test -z "$_LT_AC_TAGVAR(compiler_lib_search_path, $1)"; then
-	     _LT_AC_TAGVAR(compiler_lib_search_path, $1)="${prev}${p}"
-	   else
-	     _LT_AC_TAGVAR(compiler_lib_search_path, $1)="${_LT_AC_TAGVAR(compiler_lib_search_path, $1)} ${prev}${p}"
-	   fi
-	   ;;
-	 # The "-l" case would never come before the object being
-	 # linked, so don't bother handling this case.
-	 esac
-       else
-	 if test -z "$_LT_AC_TAGVAR(postdeps, $1)"; then
-	   _LT_AC_TAGVAR(postdeps, $1)="${prev}${p}"
-	 else
-	   _LT_AC_TAGVAR(postdeps, $1)="${_LT_AC_TAGVAR(postdeps, $1)} ${prev}${p}"
-	 fi
-       fi
-       ;;
-
-    *.$objext)
-       # This assumes that the test object file only shows up
-       # once in the compiler output.
-       if test "$p" = "conftest.$objext"; then
-	 pre_test_object_deps_done=yes
-	 continue
-       fi
-
-       if test "$pre_test_object_deps_done" = no; then
-	 if test -z "$_LT_AC_TAGVAR(predep_objects, $1)"; then
-	   _LT_AC_TAGVAR(predep_objects, $1)="$p"
-	 else
-	   _LT_AC_TAGVAR(predep_objects, $1)="$_LT_AC_TAGVAR(predep_objects, $1) $p"
-	 fi
-       else
-	 if test -z "$_LT_AC_TAGVAR(postdep_objects, $1)"; then
-	   _LT_AC_TAGVAR(postdep_objects, $1)="$p"
-	 else
-	   _LT_AC_TAGVAR(postdep_objects, $1)="$_LT_AC_TAGVAR(postdep_objects, $1) $p"
-	 fi
-       fi
-       ;;
-
-    *) ;; # Ignore the rest.
-
-    esac
-  done
-
-  # Clean up.
-  rm -f a.out a.exe
-else
-  echo "libtool.m4: error: problem compiling $1 test program"
-fi
-
-$rm -f confest.$objext
-
-_LT_AC_TAGVAR(compiler_lib_search_dirs, $1)=
-if test -n "$_LT_AC_TAGVAR(compiler_lib_search_path, $1)"; then
-  _LT_AC_TAGVAR(compiler_lib_search_dirs, $1)=`echo " ${_LT_AC_TAGVAR(compiler_lib_search_path, $1)}" | ${SED} -e 's! -L! !g' -e 's!^ !!'`
-fi
-
-# PORTME: override above test on systems where it is broken
-ifelse([$1],[CXX],
-[case $host_os in
-interix[[3-9]]*)
-  # Interix 3.5 installs completely hosed .la files for C++, so rather than
-  # hack all around it, let's just trust "g++" to DTRT.
-  _LT_AC_TAGVAR(predep_objects,$1)=
-  _LT_AC_TAGVAR(postdep_objects,$1)=
-  _LT_AC_TAGVAR(postdeps,$1)=
-  ;;
-
-linux*)
-  case `$CC -V 2>&1 | sed 5q` in
-  *Sun\ C*)
-    # Sun C++ 5.9
-    #
-    # The more standards-conforming stlport4 library is
-    # incompatible with the Cstd library. Avoid specifying
-    # it if it's in CXXFLAGS. Ignore libCrun as
-    # -library=stlport4 depends on it.
-    case " $CXX $CXXFLAGS " in
-    *" -library=stlport4 "*)
-      solaris_use_stlport4=yes
-      ;;
-    esac
-    if test "$solaris_use_stlport4" != yes; then
-      _LT_AC_TAGVAR(postdeps,$1)='-library=Cstd -library=Crun'
-    fi
-    ;;
-  esac
-  ;;
-
-solaris*)
-  case $cc_basename in
-  CC*)
-    # The more standards-conforming stlport4 library is
-    # incompatible with the Cstd library. Avoid specifying
-    # it if it's in CXXFLAGS. Ignore libCrun as
-    # -library=stlport4 depends on it.
-    case " $CXX $CXXFLAGS " in
-    *" -library=stlport4 "*)
-      solaris_use_stlport4=yes
-      ;;
-    esac
-
-    # Adding this requires a known-good setup of shared libraries for
-    # Sun compiler versions before 5.6, else PIC objects from an old
-    # archive will be linked into the output, leading to subtle bugs.
-    if test "$solaris_use_stlport4" != yes; then
-      _LT_AC_TAGVAR(postdeps,$1)='-library=Cstd -library=Crun'
-    fi
-    ;;
-  esac
-  ;;
-esac
-])
-case " $_LT_AC_TAGVAR(postdeps, $1) " in
-*" -lc "*) _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no ;;
-esac
-])# AC_LIBTOOL_POSTDEP_PREDEP
-
-# AC_LIBTOOL_LANG_F77_CONFIG
-# --------------------------
-# Ensure that the configuration vars for the C compiler are
-# suitably defined.  Those variables are subsequently used by
-# AC_LIBTOOL_CONFIG to write the compiler configuration to `libtool'.
-AC_DEFUN([AC_LIBTOOL_LANG_F77_CONFIG], [_LT_AC_LANG_F77_CONFIG(F77)])
-AC_DEFUN([_LT_AC_LANG_F77_CONFIG],
-[AC_REQUIRE([AC_PROG_F77])
-AC_LANG_PUSH(Fortran 77)
-
-_LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
-_LT_AC_TAGVAR(allow_undefined_flag, $1)=
-_LT_AC_TAGVAR(always_export_symbols, $1)=no
-_LT_AC_TAGVAR(archive_expsym_cmds, $1)=
-_LT_AC_TAGVAR(export_dynamic_flag_spec, $1)=
-_LT_AC_TAGVAR(hardcode_direct, $1)=no
-_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)=
-_LT_AC_TAGVAR(hardcode_libdir_flag_spec_ld, $1)=
-_LT_AC_TAGVAR(hardcode_libdir_separator, $1)=
-_LT_AC_TAGVAR(hardcode_minus_L, $1)=no
-_LT_AC_TAGVAR(hardcode_automatic, $1)=no
-_LT_AC_TAGVAR(module_cmds, $1)=
-_LT_AC_TAGVAR(module_expsym_cmds, $1)=
-_LT_AC_TAGVAR(link_all_deplibs, $1)=unknown
-_LT_AC_TAGVAR(old_archive_cmds, $1)=$old_archive_cmds
-_LT_AC_TAGVAR(no_undefined_flag, $1)=
-_LT_AC_TAGVAR(whole_archive_flag_spec, $1)=
-_LT_AC_TAGVAR(enable_shared_with_static_runtimes, $1)=no
-
-# Source file extension for f77 test sources.
-ac_ext=f
-
-# Object file extension for compiled f77 test sources.
-objext=o
-_LT_AC_TAGVAR(objext, $1)=$objext
-
-# Code to be used in simple compile tests
-lt_simple_compile_test_code="\
-      subroutine t
-      return
-      end
-"
-
-# Code to be used in simple link tests
-lt_simple_link_test_code="\
-      program t
-      end
-"
-
-# ltmain only uses $CC for tagged configurations so make sure $CC is set.
-_LT_AC_SYS_COMPILER
-
-# save warnings/boilerplate of simple test code
-_LT_COMPILER_BOILERPLATE
-_LT_LINKER_BOILERPLATE
-
-# Allow CC to be a program name with arguments.
-lt_save_CC="$CC"
-CC=${F77-"f77"}
-compiler=$CC
-_LT_AC_TAGVAR(compiler, $1)=$CC
-_LT_CC_BASENAME([$compiler])
-
-AC_MSG_CHECKING([if libtool supports shared libraries])
-AC_MSG_RESULT([$can_build_shared])
-
-AC_MSG_CHECKING([whether to build shared libraries])
-test "$can_build_shared" = "no" && enable_shared=no
-
-# On AIX, shared libraries and static libraries use the same namespace, and
-# are all built from PIC.
-case $host_os in
-aix3*)
-  test "$enable_shared" = yes && enable_static=no
-  if test -n "$RANLIB"; then
-    archive_cmds="$archive_cmds~\$RANLIB \$lib"
-    postinstall_cmds='$RANLIB $lib'
-  fi
-  ;;
-aix[[4-9]]*)
-  if test "$host_cpu" != ia64 && test "$aix_use_runtimelinking" = no ; then
-    test "$enable_shared" = yes && enable_static=no
-  fi
-  ;;
-esac
-AC_MSG_RESULT([$enable_shared])
-
-AC_MSG_CHECKING([whether to build static libraries])
-# Make sure either enable_shared or enable_static is yes.
-test "$enable_shared" = yes || enable_static=yes
-AC_MSG_RESULT([$enable_static])
-
-_LT_AC_TAGVAR(GCC, $1)="$G77"
-_LT_AC_TAGVAR(LD, $1)="$LD"
-
-AC_LIBTOOL_PROG_COMPILER_PIC($1)
-AC_LIBTOOL_PROG_CC_C_O($1)
-AC_LIBTOOL_SYS_HARD_LINK_LOCKS($1)
-AC_LIBTOOL_PROG_LD_SHLIBS($1)
-AC_LIBTOOL_SYS_DYNAMIC_LINKER($1)
-AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH($1)
-
-AC_LIBTOOL_CONFIG($1)
-
-AC_LANG_POP
-CC="$lt_save_CC"
-])# AC_LIBTOOL_LANG_F77_CONFIG
-
-
-# AC_LIBTOOL_LANG_GCJ_CONFIG
-# --------------------------
-# Ensure that the configuration vars for the C compiler are
-# suitably defined.  Those variables are subsequently used by
-# AC_LIBTOOL_CONFIG to write the compiler configuration to `libtool'.
-AC_DEFUN([AC_LIBTOOL_LANG_GCJ_CONFIG], [_LT_AC_LANG_GCJ_CONFIG(GCJ)])
-AC_DEFUN([_LT_AC_LANG_GCJ_CONFIG],
-[AC_LANG_SAVE
-
-# Source file extension for Java test sources.
-ac_ext=java
-
-# Object file extension for compiled Java test sources.
-objext=o
-_LT_AC_TAGVAR(objext, $1)=$objext
-
-# Code to be used in simple compile tests
-lt_simple_compile_test_code="class foo {}"
-
-# Code to be used in simple link tests
-lt_simple_link_test_code='public class conftest { public static void main(String[[]] argv) {}; }'
-
-# ltmain only uses $CC for tagged configurations so make sure $CC is set.
-_LT_AC_SYS_COMPILER
-
-# save warnings/boilerplate of simple test code
-_LT_COMPILER_BOILERPLATE
-_LT_LINKER_BOILERPLATE
-
-# Allow CC to be a program name with arguments.
-lt_save_CC="$CC"
-CC=${GCJ-"gcj"}
-compiler=$CC
-_LT_AC_TAGVAR(compiler, $1)=$CC
-_LT_CC_BASENAME([$compiler])
-
-# GCJ did not exist at the time GCC didn't implicitly link libc in.
-_LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
-
-_LT_AC_TAGVAR(old_archive_cmds, $1)=$old_archive_cmds
-
-AC_LIBTOOL_PROG_COMPILER_NO_RTTI($1)
-AC_LIBTOOL_PROG_COMPILER_PIC($1)
-AC_LIBTOOL_PROG_CC_C_O($1)
-AC_LIBTOOL_SYS_HARD_LINK_LOCKS($1)
-AC_LIBTOOL_PROG_LD_SHLIBS($1)
-AC_LIBTOOL_SYS_DYNAMIC_LINKER($1)
-AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH($1)
-
-AC_LIBTOOL_CONFIG($1)
-
-AC_LANG_RESTORE
-CC="$lt_save_CC"
-])# AC_LIBTOOL_LANG_GCJ_CONFIG
-
-
-# AC_LIBTOOL_LANG_RC_CONFIG
-# -------------------------
-# Ensure that the configuration vars for the Windows resource compiler are
-# suitably defined.  Those variables are subsequently used by
-# AC_LIBTOOL_CONFIG to write the compiler configuration to `libtool'.
-AC_DEFUN([AC_LIBTOOL_LANG_RC_CONFIG], [_LT_AC_LANG_RC_CONFIG(RC)])
-AC_DEFUN([_LT_AC_LANG_RC_CONFIG],
-[AC_LANG_SAVE
-
-# Source file extension for RC test sources.
-ac_ext=rc
-
-# Object file extension for compiled RC test sources.
-objext=o
-_LT_AC_TAGVAR(objext, $1)=$objext
-
-# Code to be used in simple compile tests
-lt_simple_compile_test_code='sample MENU { MENUITEM "&Soup", 100, CHECKED }'
-
-# Code to be used in simple link tests
-lt_simple_link_test_code="$lt_simple_compile_test_code"
-
-# ltmain only uses $CC for tagged configurations so make sure $CC is set.
-_LT_AC_SYS_COMPILER
-
-# save warnings/boilerplate of simple test code
-_LT_COMPILER_BOILERPLATE
-_LT_LINKER_BOILERPLATE
-
-# Allow CC to be a program name with arguments.
-lt_save_CC="$CC"
-CC=${RC-"windres"}
-compiler=$CC
-_LT_AC_TAGVAR(compiler, $1)=$CC
-_LT_CC_BASENAME([$compiler])
-_LT_AC_TAGVAR(lt_cv_prog_compiler_c_o, $1)=yes
-
-AC_LIBTOOL_CONFIG($1)
-
-AC_LANG_RESTORE
-CC="$lt_save_CC"
-])# AC_LIBTOOL_LANG_RC_CONFIG
-
-
-# AC_LIBTOOL_CONFIG([TAGNAME])
-# ----------------------------
-# If TAGNAME is not passed, then create an initial libtool script
-# with a default configuration from the untagged config vars.  Otherwise
-# add code to config.status for appending the configuration named by
-# TAGNAME from the matching tagged config vars.
-AC_DEFUN([AC_LIBTOOL_CONFIG],
-[# The else clause should only fire when bootstrapping the
-# libtool distribution, otherwise you forgot to ship ltmain.sh
-# with your package, and you will get complaints that there are
-# no rules to generate ltmain.sh.
-if test -f "$ltmain"; then
-  # See if we are running on zsh, and set the options which allow our commands through
-  # without removal of \ escapes.
-  if test -n "${ZSH_VERSION+set}" ; then
-    setopt NO_GLOB_SUBST
-  fi
-  # Now quote all the things that may contain metacharacters while being
-  # careful not to overquote the AC_SUBSTed values.  We take copies of the
-  # variables and quote the copies for generation of the libtool script.
-  for var in echo old_CC old_CFLAGS AR AR_FLAGS EGREP RANLIB LN_S LTCC LTCFLAGS NM \
-    SED SHELL STRIP \
-    libname_spec library_names_spec soname_spec extract_expsyms_cmds \
-    old_striplib striplib file_magic_cmd finish_cmds finish_eval \
-    deplibs_check_method reload_flag reload_cmds need_locks \
-    lt_cv_sys_global_symbol_pipe lt_cv_sys_global_symbol_to_cdecl \
-    lt_cv_sys_global_symbol_to_c_name_address \
-    sys_lib_search_path_spec sys_lib_dlsearch_path_spec \
-    old_postinstall_cmds old_postuninstall_cmds \
-    _LT_AC_TAGVAR(compiler, $1) \
-    _LT_AC_TAGVAR(CC, $1) \
-    _LT_AC_TAGVAR(LD, $1) \
-    _LT_AC_TAGVAR(lt_prog_compiler_wl, $1) \
-    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1) \
-    _LT_AC_TAGVAR(lt_prog_compiler_static, $1) \
-    _LT_AC_TAGVAR(lt_prog_compiler_no_builtin_flag, $1) \
-    _LT_AC_TAGVAR(export_dynamic_flag_spec, $1) \
-    _LT_AC_TAGVAR(thread_safe_flag_spec, $1) \
-    _LT_AC_TAGVAR(whole_archive_flag_spec, $1) \
-    _LT_AC_TAGVAR(enable_shared_with_static_runtimes, $1) \
-    _LT_AC_TAGVAR(old_archive_cmds, $1) \
-    _LT_AC_TAGVAR(old_archive_from_new_cmds, $1) \
-    _LT_AC_TAGVAR(predep_objects, $1) \
-    _LT_AC_TAGVAR(postdep_objects, $1) \
-    _LT_AC_TAGVAR(predeps, $1) \
-    _LT_AC_TAGVAR(postdeps, $1) \
-    _LT_AC_TAGVAR(compiler_lib_search_path, $1) \
-    _LT_AC_TAGVAR(compiler_lib_search_dirs, $1) \
-    _LT_AC_TAGVAR(archive_cmds, $1) \
-    _LT_AC_TAGVAR(archive_expsym_cmds, $1) \
-    _LT_AC_TAGVAR(postinstall_cmds, $1) \
-    _LT_AC_TAGVAR(postuninstall_cmds, $1) \
-    _LT_AC_TAGVAR(old_archive_from_expsyms_cmds, $1) \
-    _LT_AC_TAGVAR(allow_undefined_flag, $1) \
-    _LT_AC_TAGVAR(no_undefined_flag, $1) \
-    _LT_AC_TAGVAR(export_symbols_cmds, $1) \
-    _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1) \
-    _LT_AC_TAGVAR(hardcode_libdir_flag_spec_ld, $1) \
-    _LT_AC_TAGVAR(hardcode_libdir_separator, $1) \
-    _LT_AC_TAGVAR(hardcode_automatic, $1) \
-    _LT_AC_TAGVAR(module_cmds, $1) \
-    _LT_AC_TAGVAR(module_expsym_cmds, $1) \
-    _LT_AC_TAGVAR(lt_cv_prog_compiler_c_o, $1) \
-    _LT_AC_TAGVAR(fix_srcfile_path, $1) \
-    _LT_AC_TAGVAR(exclude_expsyms, $1) \
-    _LT_AC_TAGVAR(include_expsyms, $1); do
-
-    case $var in
-    _LT_AC_TAGVAR(old_archive_cmds, $1) | \
-    _LT_AC_TAGVAR(old_archive_from_new_cmds, $1) | \
-    _LT_AC_TAGVAR(archive_cmds, $1) | \
-    _LT_AC_TAGVAR(archive_expsym_cmds, $1) | \
-    _LT_AC_TAGVAR(module_cmds, $1) | \
-    _LT_AC_TAGVAR(module_expsym_cmds, $1) | \
-    _LT_AC_TAGVAR(old_archive_from_expsyms_cmds, $1) | \
-    _LT_AC_TAGVAR(export_symbols_cmds, $1) | \
-    extract_expsyms_cmds | reload_cmds | finish_cmds | \
-    postinstall_cmds | postuninstall_cmds | \
-    old_postinstall_cmds | old_postuninstall_cmds | \
-    sys_lib_search_path_spec | sys_lib_dlsearch_path_spec)
-      # Double-quote double-evaled strings.
-      eval "lt_$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$double_quote_subst\" -e \"\$sed_quote_subst\" -e \"\$delay_variable_subst\"\`\\\""
-      ;;
-    *)
-      eval "lt_$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$sed_quote_subst\"\`\\\""
-      ;;
-    esac
-  done
-
-  case $lt_echo in
-  *'\[$]0 --fallback-echo"')
-    lt_echo=`$echo "X$lt_echo" | $Xsed -e 's/\\\\\\\[$]0 --fallback-echo"[$]/[$]0 --fallback-echo"/'`
-    ;;
-  esac
-
-ifelse([$1], [],
-  [cfgfile="${ofile}T"
-  trap "$rm \"$cfgfile\"; exit 1" 1 2 15
-  $rm -f "$cfgfile"
-  AC_MSG_NOTICE([creating $ofile])],
-  [cfgfile="$ofile"])
-
-  cat <<__EOF__ >> "$cfgfile"
-ifelse([$1], [],
-[#! $SHELL
-
-# `$echo "$cfgfile" | sed 's%^.*/%%'` - Provide generalized library-building support services.
-# Generated automatically by $PROGRAM (GNU $PACKAGE $VERSION$TIMESTAMP)
-# NOTE: Changes made to this file will be lost: look at ltmain.sh.
-#
-# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008
-# Free Software Foundation, Inc.
-#
-# This file is part of GNU Libtool:
-# Originally by Gordon Matzigkeit <gord@gnu.ai.mit.edu>, 1996
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-# General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-#
-# As a special exception to the GNU General Public License, if you
-# distribute this file as part of a program that contains a
-# configuration script generated by Autoconf, you may include it under
-# the same distribution terms that you use for the rest of that program.
-
-# A sed program that does not truncate output.
-SED=$lt_SED
-
-# Sed that helps us avoid accidentally triggering echo(1) options like -n.
-Xsed="$SED -e 1s/^X//"
-
-# The HP-UX ksh and POSIX shell print the target directory to stdout
-# if CDPATH is set.
-(unset CDPATH) >/dev/null 2>&1 && unset CDPATH
-
-# The names of the tagged configurations supported by this script.
-available_tags=
-
-# ### BEGIN LIBTOOL CONFIG],
-[# ### BEGIN LIBTOOL TAG CONFIG: $tagname])
-
-# Libtool was configured on host `(hostname || uname -n) 2>/dev/null | sed 1q`:
-
-# Shell to use when invoking shell scripts.
-SHELL=$lt_SHELL
-
-# Whether or not to build shared libraries.
-build_libtool_libs=$enable_shared
-
-# Whether or not to build static libraries.
-build_old_libs=$enable_static
-
-# Whether or not to add -lc for building shared libraries.
-build_libtool_need_lc=$_LT_AC_TAGVAR(archive_cmds_need_lc, $1)
-
-# Whether or not to disallow shared libs when runtime libs are static
-allow_libtool_libs_with_static_runtimes=$_LT_AC_TAGVAR(enable_shared_with_static_runtimes, $1)
-
-# Whether or not to optimize for fast installation.
-fast_install=$enable_fast_install
-
-# The host system.
-host_alias=$host_alias
-host=$host
-host_os=$host_os
-
-# The build system.
-build_alias=$build_alias
-build=$build
-build_os=$build_os
-
-# An echo program that does not interpret backslashes.
-echo=$lt_echo
-
-# The archiver.
-AR=$lt_AR
-AR_FLAGS=$lt_AR_FLAGS
-
-# A C compiler.
-LTCC=$lt_LTCC
-
-# LTCC compiler flags.
-LTCFLAGS=$lt_LTCFLAGS
-
-# A language-specific compiler.
-CC=$lt_[]_LT_AC_TAGVAR(compiler, $1)
-
-# Is the compiler the GNU C compiler?
-with_gcc=$_LT_AC_TAGVAR(GCC, $1)
-
-# An ERE matcher.
-EGREP=$lt_EGREP
-
-# The linker used to build libraries.
-LD=$lt_[]_LT_AC_TAGVAR(LD, $1)
-
-# Whether we need hard or soft links.
-LN_S=$lt_LN_S
-
-# A BSD-compatible nm program.
-NM=$lt_NM
-
-# A symbol stripping program
-STRIP=$lt_STRIP
-
-# Used to examine libraries when file_magic_cmd begins "file"
-MAGIC_CMD=$MAGIC_CMD
-
-# Used on cygwin: DLL creation program.
-DLLTOOL="$DLLTOOL"
-
-# Used on cygwin: object dumper.
-OBJDUMP="$OBJDUMP"
-
-# Used on cygwin: assembler.
-AS="$AS"
-
-# The name of the directory that contains temporary libtool files.
-objdir=$objdir
-
-# How to create reloadable object files.
-reload_flag=$lt_reload_flag
-reload_cmds=$lt_reload_cmds
-
-# How to pass a linker flag through the compiler.
-wl=$lt_[]_LT_AC_TAGVAR(lt_prog_compiler_wl, $1)
-
-# Object file suffix (normally "o").
-objext="$ac_objext"
-
-# Old archive suffix (normally "a").
-libext="$libext"
-
-# Shared library suffix (normally ".so").
-shrext_cmds='$shrext_cmds'
-
-# Executable file suffix (normally "").
-exeext="$exeext"
-
-# Additional compiler flags for building library objects.
-pic_flag=$lt_[]_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)
-pic_mode=$pic_mode
-
-# What is the maximum length of a command?
-max_cmd_len=$lt_cv_sys_max_cmd_len
-
-# Does compiler simultaneously support -c and -o options?
-compiler_c_o=$lt_[]_LT_AC_TAGVAR(lt_cv_prog_compiler_c_o, $1)
-
-# Must we lock files when doing compilation?
-need_locks=$lt_need_locks
-
-# Do we need the lib prefix for modules?
-need_lib_prefix=$need_lib_prefix
-
-# Do we need a version for libraries?
-need_version=$need_version
-
-# Whether dlopen is supported.
-dlopen_support=$enable_dlopen
-
-# Whether dlopen of programs is supported.
-dlopen_self=$enable_dlopen_self
-
-# Whether dlopen of statically linked programs is supported.
-dlopen_self_static=$enable_dlopen_self_static
-
-# Compiler flag to prevent dynamic linking.
-link_static_flag=$lt_[]_LT_AC_TAGVAR(lt_prog_compiler_static, $1)
-
-# Compiler flag to turn off builtin functions.
-no_builtin_flag=$lt_[]_LT_AC_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)
-
-# Compiler flag to allow reflexive dlopens.
-export_dynamic_flag_spec=$lt_[]_LT_AC_TAGVAR(export_dynamic_flag_spec, $1)
-
-# Compiler flag to generate shared objects directly from archives.
-whole_archive_flag_spec=$lt_[]_LT_AC_TAGVAR(whole_archive_flag_spec, $1)
-
-# Compiler flag to generate thread-safe objects.
-thread_safe_flag_spec=$lt_[]_LT_AC_TAGVAR(thread_safe_flag_spec, $1)
-
-# Library versioning type.
-version_type=$version_type
-
-# Format of library name prefix.
-libname_spec=$lt_libname_spec
-
-# List of archive names.  First name is the real one, the rest are links.
-# The last name is the one that the linker finds with -lNAME.
-library_names_spec=$lt_library_names_spec
-
-# The coded name of the library, if different from the real name.
-soname_spec=$lt_soname_spec
-
-# Commands used to build and install an old-style archive.
-RANLIB=$lt_RANLIB
-old_archive_cmds=$lt_[]_LT_AC_TAGVAR(old_archive_cmds, $1)
-old_postinstall_cmds=$lt_old_postinstall_cmds
-old_postuninstall_cmds=$lt_old_postuninstall_cmds
-
-# Create an old-style archive from a shared archive.
-old_archive_from_new_cmds=$lt_[]_LT_AC_TAGVAR(old_archive_from_new_cmds, $1)
-
-# Create a temporary old-style archive to link instead of a shared archive.
-old_archive_from_expsyms_cmds=$lt_[]_LT_AC_TAGVAR(old_archive_from_expsyms_cmds, $1)
-
-# Commands used to build and install a shared archive.
-archive_cmds=$lt_[]_LT_AC_TAGVAR(archive_cmds, $1)
-archive_expsym_cmds=$lt_[]_LT_AC_TAGVAR(archive_expsym_cmds, $1)
-postinstall_cmds=$lt_postinstall_cmds
-postuninstall_cmds=$lt_postuninstall_cmds
-
-# Commands used to build a loadable module (assumed same as above if empty)
-module_cmds=$lt_[]_LT_AC_TAGVAR(module_cmds, $1)
-module_expsym_cmds=$lt_[]_LT_AC_TAGVAR(module_expsym_cmds, $1)
-
-# Commands to strip libraries.
-old_striplib=$lt_old_striplib
-striplib=$lt_striplib
-
-# Dependencies to place before the objects being linked to create a
-# shared library.
-predep_objects=$lt_[]_LT_AC_TAGVAR(predep_objects, $1)
-
-# Dependencies to place after the objects being linked to create a
-# shared library.
-postdep_objects=$lt_[]_LT_AC_TAGVAR(postdep_objects, $1)
-
-# Dependencies to place before the objects being linked to create a
-# shared library.
-predeps=$lt_[]_LT_AC_TAGVAR(predeps, $1)
-
-# Dependencies to place after the objects being linked to create a
-# shared library.
-postdeps=$lt_[]_LT_AC_TAGVAR(postdeps, $1)
-
-# The directories searched by this compiler when creating a shared
-# library
-compiler_lib_search_dirs=$lt_[]_LT_AC_TAGVAR(compiler_lib_search_dirs, $1)
-
-# The library search path used internally by the compiler when linking
-# a shared library.
-compiler_lib_search_path=$lt_[]_LT_AC_TAGVAR(compiler_lib_search_path, $1)
-
-# Method to check whether dependent libraries are shared objects.
-deplibs_check_method=$lt_deplibs_check_method
-
-# Command to use when deplibs_check_method == file_magic.
-file_magic_cmd=$lt_file_magic_cmd
-
-# Flag that allows shared libraries with undefined symbols to be built.
-allow_undefined_flag=$lt_[]_LT_AC_TAGVAR(allow_undefined_flag, $1)
-
-# Flag that forces no undefined symbols.
-no_undefined_flag=$lt_[]_LT_AC_TAGVAR(no_undefined_flag, $1)
-
-# Commands used to finish a libtool library installation in a directory.
-finish_cmds=$lt_finish_cmds
-
-# Same as above, but a single script fragment to be evaled but not shown.
-finish_eval=$lt_finish_eval
-
-# Take the output of nm and produce a listing of raw symbols and C names.
-global_symbol_pipe=$lt_lt_cv_sys_global_symbol_pipe
-
-# Transform the output of nm in a proper C declaration
-global_symbol_to_cdecl=$lt_lt_cv_sys_global_symbol_to_cdecl
-
-# Transform the output of nm in a C name address pair
-global_symbol_to_c_name_address=$lt_lt_cv_sys_global_symbol_to_c_name_address
-
-# This is the shared library runtime path variable.
-runpath_var=$runpath_var
-
-# This is the shared library path variable.
-shlibpath_var=$shlibpath_var
-
-# Is shlibpath searched before the hard-coded library search path?
-shlibpath_overrides_runpath=$shlibpath_overrides_runpath
-
-# How to hardcode a shared library path into an executable.
-hardcode_action=$_LT_AC_TAGVAR(hardcode_action, $1)
-
-# Whether we should hardcode library paths into libraries.
-hardcode_into_libs=$hardcode_into_libs
-
-# Flag to hardcode \$libdir into a binary during linking.
-# This must work even if \$libdir does not exist.
-hardcode_libdir_flag_spec=$lt_[]_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)
-
-# If ld is used when linking, flag to hardcode \$libdir into
-# a binary during linking. This must work even if \$libdir does
-# not exist.
-hardcode_libdir_flag_spec_ld=$lt_[]_LT_AC_TAGVAR(hardcode_libdir_flag_spec_ld, $1)
-
-# Whether we need a single -rpath flag with a separated argument.
-hardcode_libdir_separator=$lt_[]_LT_AC_TAGVAR(hardcode_libdir_separator, $1)
-
-# Set to yes if using DIR/libNAME${shared_ext} during linking hardcodes DIR into the
-# resulting binary.
-hardcode_direct=$_LT_AC_TAGVAR(hardcode_direct, $1)
-
-# Set to yes if using the -LDIR flag during linking hardcodes DIR into the
-# resulting binary.
-hardcode_minus_L=$_LT_AC_TAGVAR(hardcode_minus_L, $1)
-
-# Set to yes if using SHLIBPATH_VAR=DIR during linking hardcodes DIR into
-# the resulting binary.
-hardcode_shlibpath_var=$_LT_AC_TAGVAR(hardcode_shlibpath_var, $1)
-
-# Set to yes if building a shared library automatically hardcodes DIR into the library
-# and all subsequent libraries and executables linked against it.
-hardcode_automatic=$_LT_AC_TAGVAR(hardcode_automatic, $1)
-
-# Variables whose values should be saved in libtool wrapper scripts and
-# restored at relink time.
-variables_saved_for_relink="$variables_saved_for_relink"
-
-# Whether libtool must link a program against all its dependency libraries.
-link_all_deplibs=$_LT_AC_TAGVAR(link_all_deplibs, $1)
-
-# Compile-time system search path for libraries
-sys_lib_search_path_spec=$lt_sys_lib_search_path_spec
-
-# Run-time system search path for libraries
-sys_lib_dlsearch_path_spec=$lt_sys_lib_dlsearch_path_spec
-
-# Fix the shell variable \$srcfile for the compiler.
-fix_srcfile_path=$lt_fix_srcfile_path
-
-# Set to yes if exported symbols are required.
-always_export_symbols=$_LT_AC_TAGVAR(always_export_symbols, $1)
-
-# The commands to list exported symbols.
-export_symbols_cmds=$lt_[]_LT_AC_TAGVAR(export_symbols_cmds, $1)
-
-# The commands to extract the exported symbol list from a shared archive.
-extract_expsyms_cmds=$lt_extract_expsyms_cmds
-
-# Symbols that should not be listed in the preloaded symbols.
-exclude_expsyms=$lt_[]_LT_AC_TAGVAR(exclude_expsyms, $1)
-
-# Symbols that must always be exported.
-include_expsyms=$lt_[]_LT_AC_TAGVAR(include_expsyms, $1)
-
-ifelse([$1],[],
-[# ### END LIBTOOL CONFIG],
-[# ### END LIBTOOL TAG CONFIG: $tagname])
-
-__EOF__
-
-ifelse([$1],[], [
-  case $host_os in
-  aix3*)
-    cat <<\EOF >> "$cfgfile"
-
-# AIX sometimes has problems with the GCC collect2 program.  For some
-# reason, if we set the COLLECT_NAMES environment variable, the problems
-# vanish in a puff of smoke.
-if test "X${COLLECT_NAMES+set}" != Xset; then
-  COLLECT_NAMES=
-  export COLLECT_NAMES
-fi
-EOF
-    ;;
-  esac
-
-  # We use sed instead of cat because bash on DJGPP gets confused if
-  # if finds mixed CR/LF and LF-only lines.  Since sed operates in
-  # text mode, it properly converts lines to CR/LF.  This bash problem
-  # is reportedly fixed, but why not run on old versions too?
-  sed '$q' "$ltmain" >> "$cfgfile" || (rm -f "$cfgfile"; exit 1)
-
-  mv -f "$cfgfile" "$ofile" || \
-    (rm -f "$ofile" && cp "$cfgfile" "$ofile" && rm -f "$cfgfile")
-  chmod +x "$ofile"
-])
-else
-  # If there is no Makefile yet, we rely on a make rule to execute
-  # `config.status --recheck' to rerun these tests and create the
-  # libtool script then.
-  ltmain_in=`echo $ltmain | sed -e 's/\.sh$/.in/'`
-  if test -f "$ltmain_in"; then
-    test -f Makefile && make "$ltmain"
-  fi
-fi
-])# AC_LIBTOOL_CONFIG
-
-
-# AC_LIBTOOL_PROG_COMPILER_NO_RTTI([TAGNAME])
-# -------------------------------------------
-AC_DEFUN([AC_LIBTOOL_PROG_COMPILER_NO_RTTI],
-[AC_REQUIRE([_LT_AC_SYS_COMPILER])dnl
-
-_LT_AC_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)=
-
-if test "$GCC" = yes; then
-  _LT_AC_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)=' -fno-builtin'
-
-  AC_LIBTOOL_COMPILER_OPTION([if $compiler supports -fno-rtti -fno-exceptions],
-    lt_cv_prog_compiler_rtti_exceptions,
-    [-fno-rtti -fno-exceptions], [],
-    [_LT_AC_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)="$_LT_AC_TAGVAR(lt_prog_compiler_no_builtin_flag, $1) -fno-rtti -fno-exceptions"])
-fi
-])# AC_LIBTOOL_PROG_COMPILER_NO_RTTI
-
-
-# AC_LIBTOOL_SYS_GLOBAL_SYMBOL_PIPE
-# ---------------------------------
-AC_DEFUN([AC_LIBTOOL_SYS_GLOBAL_SYMBOL_PIPE],
-[AC_REQUIRE([AC_CANONICAL_HOST])
-AC_REQUIRE([LT_AC_PROG_SED])
-AC_REQUIRE([AC_PROG_NM])
-AC_REQUIRE([AC_OBJEXT])
-# Check for command to grab the raw symbol name followed by C symbol from nm.
-AC_MSG_CHECKING([command to parse $NM output from $compiler object])
-AC_CACHE_VAL([lt_cv_sys_global_symbol_pipe],
-[
-# These are sane defaults that work on at least a few old systems.
-# [They come from Ultrix.  What could be older than Ultrix?!! ;)]
-
-# Character class describing NM global symbol codes.
-symcode='[[BCDEGRST]]'
-
-# Regexp to match symbols that can be accessed directly from C.
-sympat='\([[_A-Za-z]][[_A-Za-z0-9]]*\)'
-
-# Transform an extracted symbol line into a proper C declaration
-lt_cv_sys_global_symbol_to_cdecl="sed -n -e 's/^. .* \(.*\)$/extern int \1;/p'"
-
-# Transform an extracted symbol line into symbol name and symbol address
-lt_cv_sys_global_symbol_to_c_name_address="sed -n -e 's/^: \([[^ ]]*\) $/  {\\\"\1\\\", (lt_ptr) 0},/p' -e 's/^$symcode \([[^ ]]*\) \([[^ ]]*\)$/  {\"\2\", (lt_ptr) \&\2},/p'"
-
-# Define system-specific variables.
-case $host_os in
-aix*)
-  symcode='[[BCDT]]'
-  ;;
-cygwin* | mingw* | pw32*)
-  symcode='[[ABCDGISTW]]'
-  ;;
-hpux*) # Its linker distinguishes data from code symbols
-  if test "$host_cpu" = ia64; then
-    symcode='[[ABCDEGRST]]'
-  fi
-  lt_cv_sys_global_symbol_to_cdecl="sed -n -e 's/^T .* \(.*\)$/extern int \1();/p' -e 's/^$symcode* .* \(.*\)$/extern char \1;/p'"
-  lt_cv_sys_global_symbol_to_c_name_address="sed -n -e 's/^: \([[^ ]]*\) $/  {\\\"\1\\\", (lt_ptr) 0},/p' -e 's/^$symcode* \([[^ ]]*\) \([[^ ]]*\)$/  {\"\2\", (lt_ptr) \&\2},/p'"
-  ;;
-linux* | k*bsd*-gnu)
-  if test "$host_cpu" = ia64; then
-    symcode='[[ABCDGIRSTW]]'
-    lt_cv_sys_global_symbol_to_cdecl="sed -n -e 's/^T .* \(.*\)$/extern int \1();/p' -e 's/^$symcode* .* \(.*\)$/extern char \1;/p'"
-    lt_cv_sys_global_symbol_to_c_name_address="sed -n -e 's/^: \([[^ ]]*\) $/  {\\\"\1\\\", (lt_ptr) 0},/p' -e 's/^$symcode* \([[^ ]]*\) \([[^ ]]*\)$/  {\"\2\", (lt_ptr) \&\2},/p'"
-  fi
-  ;;
-irix* | nonstopux*)
-  symcode='[[BCDEGRST]]'
-  ;;
-osf*)
-  symcode='[[BCDEGQRST]]'
-  ;;
-solaris*)
-  symcode='[[BDRT]]'
-  ;;
-sco3.2v5*)
-  symcode='[[DT]]'
-  ;;
-sysv4.2uw2*)
-  symcode='[[DT]]'
-  ;;
-sysv5* | sco5v6* | unixware* | OpenUNIX*)
-  symcode='[[ABDT]]'
-  ;;
-sysv4)
-  symcode='[[DFNSTU]]'
-  ;;
-esac
-
-# Handle CRLF in mingw tool chain
-opt_cr=
-case $build_os in
-mingw*)
-  opt_cr=`echo 'x\{0,1\}' | tr x '\015'` # option cr in regexp
-  ;;
-esac
-
-# If we're using GNU nm, then use its standard symbol codes.
-case `$NM -V 2>&1` in
-*GNU* | *'with BFD'*)
-  symcode='[[ABCDGIRSTW]]' ;;
-esac
-
-# Try without a prefix undercore, then with it.
-for ac_symprfx in "" "_"; do
-
-  # Transform symcode, sympat, and symprfx into a raw symbol and a C symbol.
-  symxfrm="\\1 $ac_symprfx\\2 \\2"
-
-  # Write the raw and C identifiers.
-  lt_cv_sys_global_symbol_pipe="sed -n -e 's/^.*[[ 	]]\($symcode$symcode*\)[[ 	]][[ 	]]*$ac_symprfx$sympat$opt_cr$/$symxfrm/p'"
-
-  # Check to see that the pipe works correctly.
-  pipe_works=no
-
-  rm -f conftest*
-  cat > conftest.$ac_ext <<EOF
-#ifdef __cplusplus
-extern "C" {
-#endif
-char nm_test_var;
-void nm_test_func(){}
-#ifdef __cplusplus
-}
-#endif
-int main(){nm_test_var='a';nm_test_func();return(0);}
-EOF
-
-  if AC_TRY_EVAL(ac_compile); then
-    # Now try to grab the symbols.
-    nlist=conftest.nm
-    if AC_TRY_EVAL(NM conftest.$ac_objext \| $lt_cv_sys_global_symbol_pipe \> $nlist) && test -s "$nlist"; then
-      # Try sorting and uniquifying the output.
-      if sort "$nlist" | uniq > "$nlist"T; then
-	mv -f "$nlist"T "$nlist"
-      else
-	rm -f "$nlist"T
-      fi
-
-      # Make sure that we snagged all the symbols we need.
-      if grep ' nm_test_var$' "$nlist" >/dev/null; then
-	if grep ' nm_test_func$' "$nlist" >/dev/null; then
-	  cat <<EOF > conftest.$ac_ext
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-EOF
-	  # Now generate the symbol file.
-	  eval "$lt_cv_sys_global_symbol_to_cdecl"' < "$nlist" | grep -v main >> conftest.$ac_ext'
-
-	  cat <<EOF >> conftest.$ac_ext
-#if defined (__STDC__) && __STDC__
-# define lt_ptr_t void *
-#else
-# define lt_ptr_t char *
-# define const
-#endif
-
-/* The mapping between symbol names and symbols. */
-const struct {
-  const char *name;
-  lt_ptr_t address;
-}
-lt_preloaded_symbols[[]] =
-{
-EOF
-	  $SED "s/^$symcode$symcode* \(.*\) \(.*\)$/  {\"\2\", (lt_ptr_t) \&\2},/" < "$nlist" | grep -v main >> conftest.$ac_ext
-	  cat <<\EOF >> conftest.$ac_ext
-  {0, (lt_ptr_t) 0}
-};
-
-#ifdef __cplusplus
-}
-#endif
-EOF
-	  # Now try linking the two files.
-	  mv conftest.$ac_objext conftstm.$ac_objext
-	  lt_save_LIBS="$LIBS"
-	  lt_save_CFLAGS="$CFLAGS"
-	  LIBS="conftstm.$ac_objext"
-	  CFLAGS="$CFLAGS$_LT_AC_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)"
-	  if AC_TRY_EVAL(ac_link) && test -s conftest${ac_exeext}; then
-	    pipe_works=yes
-	  fi
-	  LIBS="$lt_save_LIBS"
-	  CFLAGS="$lt_save_CFLAGS"
-	else
-	  echo "cannot find nm_test_func in $nlist" >&AS_MESSAGE_LOG_FD
-	fi
-      else
-	echo "cannot find nm_test_var in $nlist" >&AS_MESSAGE_LOG_FD
-      fi
-    else
-      echo "cannot run $lt_cv_sys_global_symbol_pipe" >&AS_MESSAGE_LOG_FD
-    fi
-  else
-    echo "$progname: failed program was:" >&AS_MESSAGE_LOG_FD
-    cat conftest.$ac_ext >&5
-  fi
-  rm -rf conftest* conftst*
-
-  # Do not use the global_symbol_pipe unless it works.
-  if test "$pipe_works" = yes; then
-    break
-  else
-    lt_cv_sys_global_symbol_pipe=
-  fi
-done
-])
-if test -z "$lt_cv_sys_global_symbol_pipe"; then
-  lt_cv_sys_global_symbol_to_cdecl=
-fi
-if test -z "$lt_cv_sys_global_symbol_pipe$lt_cv_sys_global_symbol_to_cdecl"; then
-  AC_MSG_RESULT(failed)
-else
-  AC_MSG_RESULT(ok)
-fi
-]) # AC_LIBTOOL_SYS_GLOBAL_SYMBOL_PIPE
-
-
-# AC_LIBTOOL_PROG_COMPILER_PIC([TAGNAME])
-# ---------------------------------------
-AC_DEFUN([AC_LIBTOOL_PROG_COMPILER_PIC],
-[_LT_AC_TAGVAR(lt_prog_compiler_wl, $1)=
-_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)=
-_LT_AC_TAGVAR(lt_prog_compiler_static, $1)=
-
-AC_MSG_CHECKING([for $compiler option to produce PIC])
- ifelse([$1],[CXX],[
-  # C++ specific cases for pic, static, wl, etc.
-  if test "$GXX" = yes; then
-    _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-    _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-static'
-
-    case $host_os in
-    aix*)
-      # All AIX code is PIC.
-      if test "$host_cpu" = ia64; then
-	# AIX 5 now supports IA64 processor
-	_LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
-      fi
-      ;;
-    amigaos*)
-      # FIXME: we need at least 68020 code to build shared libraries, but
-      # adding the `-m68020' flag to GCC prevents building anything better,
-      # like `-m68040'.
-      _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-m68020 -resident32 -malways-restore-a4'
-      ;;
-    beos* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*)
-      # PIC is the default for these OSes.
-      ;;
-    mingw* | cygwin* | os2* | pw32*)
-      # This hack is so that the source file can tell whether it is being
-      # built for inclusion in a dll (and should export symbols for example).
-      # Although the cygwin gcc ignores -fPIC, still need this for old-style
-      # (--disable-auto-import) libraries
-      m4_if([$1], [GCJ], [],
-	[_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-DDLL_EXPORT'])
-      ;;
-    darwin* | rhapsody*)
-      # PIC is the default on this platform
-      # Common symbols not allowed in MH_DYLIB files
-      _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-fno-common'
-      ;;
-    *djgpp*)
-      # DJGPP does not support shared libraries at all
-      _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)=
-      ;;
-    interix[[3-9]]*)
-      # Interix 3.x gcc -fpic/-fPIC options generate broken code.
-      # Instead, we relocate shared libraries at runtime.
-      ;;
-    sysv4*MP*)
-      if test -d /usr/nec; then
-	_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)=-Kconform_pic
-      fi
-      ;;
-    hpux*)
-      # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but
-      # not for PA HP-UX.
-      case $host_cpu in
-      hppa*64*|ia64*)
-	;;
-      *)
-	_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
-	;;
-      esac
-      ;;
-    *)
-      _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
-      ;;
-    esac
-  else
-    case $host_os in
-      aix[[4-9]]*)
-	# All AIX code is PIC.
-	if test "$host_cpu" = ia64; then
-	  # AIX 5 now supports IA64 processor
-	  _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
-	else
-	  _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-bnso -bI:/lib/syscalls.exp'
-	fi
-	;;
-      chorus*)
-	case $cc_basename in
-	cxch68*)
-	  # Green Hills C++ Compiler
-	  # _LT_AC_TAGVAR(lt_prog_compiler_static, $1)="--no_auto_instantiation -u __main -u __premain -u _abort -r $COOL_DIR/lib/libOrb.a $MVME_DIR/lib/CC/libC.a $MVME_DIR/lib/classix/libcx.s.a"
-	  ;;
-	esac
-	;;
-       darwin*)
-         # PIC is the default on this platform
-         # Common symbols not allowed in MH_DYLIB files
-         case $cc_basename in
-           xlc*)
-           _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-qnocommon'
-           _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-           ;;
-         esac
-       ;;
-      dgux*)
-	case $cc_basename in
-	  ec++*)
-	    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
-	    ;;
-	  ghcx*)
-	    # Green Hills C++ Compiler
-	    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-pic'
-	    ;;
-	  *)
-	    ;;
-	esac
-	;;
-      freebsd* | dragonfly*)
-	# FreeBSD uses GNU C++
-	;;
-      hpux9* | hpux10* | hpux11*)
-	case $cc_basename in
-	  CC*)
-	    _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-	    _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='${wl}-a ${wl}archive'
-	    if test "$host_cpu" != ia64; then
-	      _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='+Z'
-	    fi
-	    ;;
-	  aCC*)
-	    _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-	    _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='${wl}-a ${wl}archive'
-	    case $host_cpu in
-	    hppa*64*|ia64*)
-	      # +Z the default
-	      ;;
-	    *)
-	      _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='+Z'
-	      ;;
-	    esac
-	    ;;
-	  *)
-	    ;;
-	esac
-	;;
-      interix*)
-	# This is c89, which is MS Visual C++ (no shared libs)
-	# Anyone wants to do a port?
-	;;
-      irix5* | irix6* | nonstopux*)
-	case $cc_basename in
-	  CC*)
-	    _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-	    _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
-	    # CC pic flag -KPIC is the default.
-	    ;;
-	  *)
-	    ;;
-	esac
-	;;
-      linux* | k*bsd*-gnu)
-	case $cc_basename in
-	  KCC*)
-	    # KAI C++ Compiler
-	    _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='--backend -Wl,'
-	    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
-	    ;;
-	  icpc* | ecpc*)
-	    # Intel C++
-	    _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-	    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
-	    _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-static'
-	    ;;
-	  pgCC* | pgcpp*)
-	    # Portland Group C++ compiler.
-	    _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-	    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-fpic'
-	    _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
-	    ;;
-	  cxx*)
-	    # Compaq C++
-	    # Make sure the PIC flag is empty.  It appears that all Alpha
-	    # Linux and Compaq Tru64 Unix objects are PIC.
-	    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)=
-	    _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
-	    ;;
-	  *)
-	    case `$CC -V 2>&1 | sed 5q` in
-	    *Sun\ C*)
-	      # Sun C++ 5.9
-	      _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
-	      _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
-	      _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Qoption ld '
-	      ;;
-	    esac
-	    ;;
-	esac
-	;;
-      lynxos*)
-	;;
-      m88k*)
-	;;
-      mvs*)
-	case $cc_basename in
-	  cxx*)
-	    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-W c,exportall'
-	    ;;
-	  *)
-	    ;;
-	esac
-	;;
-      netbsd* | netbsdelf*-gnu)
-	;;
-      osf3* | osf4* | osf5*)
-	case $cc_basename in
-	  KCC*)
-	    _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='--backend -Wl,'
-	    ;;
-	  RCC*)
-	    # Rational C++ 2.4.1
-	    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-pic'
-	    ;;
-	  cxx*)
-	    # Digital/Compaq C++
-	    _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-	    # Make sure the PIC flag is empty.  It appears that all Alpha
-	    # Linux and Compaq Tru64 Unix objects are PIC.
-	    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)=
-	    _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
-	    ;;
-	  *)
-	    ;;
-	esac
-	;;
-      psos*)
-	;;
-      solaris*)
-	case $cc_basename in
-	  CC*)
-	    # Sun C++ 4.2, 5.x and Centerline C++
-	    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
-	    _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
-	    _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Qoption ld '
-	    ;;
-	  gcx*)
-	    # Green Hills C++ Compiler
-	    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-PIC'
-	    ;;
-	  *)
-	    ;;
-	esac
-	;;
-      sunos4*)
-	case $cc_basename in
-	  CC*)
-	    # Sun C++ 4.x
-	    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-pic'
-	    _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
-	    ;;
-	  lcc*)
-	    # Lucid
-	    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-pic'
-	    ;;
-	  *)
-	    ;;
-	esac
-	;;
-      tandem*)
-	case $cc_basename in
-	  NCC*)
-	    # NonStop-UX NCC 3.20
-	    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
-	    ;;
-	  *)
-	    ;;
-	esac
-	;;
-      sysv5* | unixware* | sco3.2v5* | sco5v6* | OpenUNIX*)
-	case $cc_basename in
-	  CC*)
-	    _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-	    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
-	    _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
-	    ;;
-	esac
-	;;
-      vxworks*)
-	;;
-      *)
-	_LT_AC_TAGVAR(lt_prog_compiler_can_build_shared, $1)=no
-	;;
-    esac
-  fi
-],
-[
-  if test "$GCC" = yes; then
-    _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-    _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-static'
-
-    case $host_os in
-      aix*)
-      # All AIX code is PIC.
-      if test "$host_cpu" = ia64; then
-	# AIX 5 now supports IA64 processor
-	_LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
-      fi
-      ;;
-
-    amigaos*)
-      # FIXME: we need at least 68020 code to build shared libraries, but
-      # adding the `-m68020' flag to GCC prevents building anything better,
-      # like `-m68040'.
-      _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-m68020 -resident32 -malways-restore-a4'
-      ;;
-
-    beos* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*)
-      # PIC is the default for these OSes.
-      ;;
-
-    mingw* | cygwin* | pw32* | os2*)
-      # This hack is so that the source file can tell whether it is being
-      # built for inclusion in a dll (and should export symbols for example).
-      # Although the cygwin gcc ignores -fPIC, still need this for old-style
-      # (--disable-auto-import) libraries
-      m4_if([$1], [GCJ], [],
-	[_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-DDLL_EXPORT'])
-      ;;
-
-    darwin* | rhapsody*)
-      # PIC is the default on this platform
-      # Common symbols not allowed in MH_DYLIB files
-      _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-fno-common'
-      ;;
-
-    interix[[3-9]]*)
-      # Interix 3.x gcc -fpic/-fPIC options generate broken code.
-      # Instead, we relocate shared libraries at runtime.
-      ;;
-
-    msdosdjgpp*)
-      # Just because we use GCC doesn't mean we suddenly get shared libraries
-      # on systems that don't support them.
-      _LT_AC_TAGVAR(lt_prog_compiler_can_build_shared, $1)=no
-      enable_shared=no
-      ;;
-
-    sysv4*MP*)
-      if test -d /usr/nec; then
-	_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)=-Kconform_pic
-      fi
-      ;;
-
-    hpux*)
-      # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but
-      # not for PA HP-UX.
-      case $host_cpu in
-      hppa*64*|ia64*)
-	# +Z the default
-	;;
-      *)
-	_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
-	;;
-      esac
-      ;;
-
-    *)
-      _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
-      ;;
-    esac
-  else
-    # PORTME Check for flag to pass linker flags through the system compiler.
-    case $host_os in
-    aix*)
-      _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-      if test "$host_cpu" = ia64; then
-	# AIX 5 now supports IA64 processor
-	_LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
-      else
-	_LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-bnso -bI:/lib/syscalls.exp'
-      fi
-      ;;
-      darwin*)
-        # PIC is the default on this platform
-        # Common symbols not allowed in MH_DYLIB files
-       case $cc_basename in
-         xlc*)
-         _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-qnocommon'
-         _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-         ;;
-       esac
-       ;;
-
-    mingw* | cygwin* | pw32* | os2*)
-      # This hack is so that the source file can tell whether it is being
-      # built for inclusion in a dll (and should export symbols for example).
-      m4_if([$1], [GCJ], [],
-	[_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-DDLL_EXPORT'])
-      ;;
-
-    hpux9* | hpux10* | hpux11*)
-      _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-      # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but
-      # not for PA HP-UX.
-      case $host_cpu in
-      hppa*64*|ia64*)
-	# +Z the default
-	;;
-      *)
-	_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='+Z'
-	;;
-      esac
-      # Is there a better lt_prog_compiler_static that works with the bundled CC?
-      _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='${wl}-a ${wl}archive'
-      ;;
-
-    irix5* | irix6* | nonstopux*)
-      _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-      # PIC (with -KPIC) is the default.
-      _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
-      ;;
-
-    newsos6)
-      _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
-      _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
-      ;;
-
-    linux* | k*bsd*-gnu)
-      case $cc_basename in
-      icc* | ecc*)
-	_LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-	_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
-	_LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-static'
-        ;;
-      pgcc* | pgf77* | pgf90* | pgf95*)
-        # Portland Group compilers (*not* the Pentium gcc compiler,
-	# which looks to be a dead project)
-	_LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-	_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-fpic'
-	_LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
-        ;;
-      ccc*)
-        _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-        # All Alpha code is PIC.
-        _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
-        ;;
-      *)
-        case `$CC -V 2>&1 | sed 5q` in
-	*Sun\ C*)
-	  # Sun C 5.9
-	  _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
-	  _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
-	  _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-	  ;;
-	*Sun\ F*)
-	  # Sun Fortran 8.3 passes all unrecognized flags to the linker
-	  _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
-	  _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
-	  _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)=''
-	  ;;
-	esac
-	;;
-      esac
-      ;;
-
-    osf3* | osf4* | osf5*)
-      _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-      # All OSF/1 code is PIC.
-      _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
-      ;;
-
-    rdos*)
-      _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
-      ;;
-
-    solaris*)
-      _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
-      _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
-      case $cc_basename in
-      f77* | f90* | f95*)
-	_LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Qoption ld ';;
-      *)
-	_LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,';;
-      esac
-      ;;
-
-    sunos4*)
-      _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Qoption ld '
-      _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-PIC'
-      _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
-      ;;
-
-    sysv4 | sysv4.2uw2* | sysv4.3*)
-      _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-      _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
-      _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
-      ;;
-
-    sysv4*MP*)
-      if test -d /usr/nec ;then
-	_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-Kconform_pic'
-	_LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
-      fi
-      ;;
-
-    sysv5* | unixware* | sco3.2v5* | sco5v6* | OpenUNIX*)
-      _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-      _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
-      _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
-      ;;
-
-    unicos*)
-      _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-      _LT_AC_TAGVAR(lt_prog_compiler_can_build_shared, $1)=no
-      ;;
-
-    uts4*)
-      _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-pic'
-      _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
-      ;;
-
-    *)
-      _LT_AC_TAGVAR(lt_prog_compiler_can_build_shared, $1)=no
-      ;;
-    esac
-  fi
-])
-AC_MSG_RESULT([$_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)])
-
-#
-# Check to make sure the PIC flag actually works.
-#
-if test -n "$_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)"; then
-  AC_LIBTOOL_COMPILER_OPTION([if $compiler PIC flag $_LT_AC_TAGVAR(lt_prog_compiler_pic, $1) works],
-    _LT_AC_TAGVAR(lt_cv_prog_compiler_pic_works, $1),
-    [$_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)ifelse([$1],[],[ -DPIC],[ifelse([$1],[CXX],[ -DPIC],[])])], [],
-    [case $_LT_AC_TAGVAR(lt_prog_compiler_pic, $1) in
-     "" | " "*) ;;
-     *) _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)=" $_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)" ;;
-     esac],
-    [_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)=
-     _LT_AC_TAGVAR(lt_prog_compiler_can_build_shared, $1)=no])
-fi
-case $host_os in
-  # For platforms which do not support PIC, -DPIC is meaningless:
-  *djgpp*)
-    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)=
-    ;;
-  *)
-    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)="$_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)ifelse([$1],[],[ -DPIC],[ifelse([$1],[CXX],[ -DPIC],[])])"
-    ;;
-esac
-
-#
-# Check to make sure the static flag actually works.
-#
-wl=$_LT_AC_TAGVAR(lt_prog_compiler_wl, $1) eval lt_tmp_static_flag=\"$_LT_AC_TAGVAR(lt_prog_compiler_static, $1)\"
-AC_LIBTOOL_LINKER_OPTION([if $compiler static flag $lt_tmp_static_flag works],
-  _LT_AC_TAGVAR(lt_cv_prog_compiler_static_works, $1),
-  $lt_tmp_static_flag,
-  [],
-  [_LT_AC_TAGVAR(lt_prog_compiler_static, $1)=])
-])
-
-
-# AC_LIBTOOL_PROG_LD_SHLIBS([TAGNAME])
-# ------------------------------------
-# See if the linker supports building shared libraries.
-AC_DEFUN([AC_LIBTOOL_PROG_LD_SHLIBS],
-[AC_REQUIRE([LT_AC_PROG_SED])dnl
-AC_MSG_CHECKING([whether the $compiler linker ($LD) supports shared libraries])
-ifelse([$1],[CXX],[
-  _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols'
-  case $host_os in
-  aix[[4-9]]*)
-    # If we're using GNU nm, then we don't want the "-C" option.
-    # -C means demangle to AIX nm, but means don't demangle with GNU nm
-    if $NM -V 2>&1 | grep 'GNU' > /dev/null; then
-      _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM -Bpg $libobjs $convenience | awk '\''{ if (((\[$]2 == "T") || (\[$]2 == "D") || (\[$]2 == "B")) && ([substr](\[$]3,1,1) != ".")) { print \[$]3 } }'\'' | sort -u > $export_symbols'
-    else
-      _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM -BCpg $libobjs $convenience | awk '\''{ if (((\[$]2 == "T") || (\[$]2 == "D") || (\[$]2 == "B")) && ([substr](\[$]3,1,1) != ".")) { print \[$]3 } }'\'' | sort -u > $export_symbols'
-    fi
-    ;;
-  pw32*)
-    _LT_AC_TAGVAR(export_symbols_cmds, $1)="$ltdll_cmds"
-  ;;
-  cygwin* | mingw*)
-    _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[[BCDGRS]][[ ]]/s/.*[[ ]]\([[^ ]]*\)/\1 DATA/;/^.*[[ ]]__nm__/s/^.*[[ ]]__nm__\([[^ ]]*\)[[ ]][[^ ]]*/\1 DATA/;/^I[[ ]]/d;/^[[AITW]][[ ]]/s/.*[[ ]]//'\'' | sort | uniq > $export_symbols'
-  ;;
-  linux* | k*bsd*-gnu)
-    _LT_AC_TAGVAR(link_all_deplibs, $1)=no
-  ;;
-  *)
-    _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols'
-  ;;
-  esac
-  _LT_AC_TAGVAR(exclude_expsyms, $1)=['_GLOBAL_OFFSET_TABLE_|_GLOBAL__F[ID]_.*']
-],[
-  runpath_var=
-  _LT_AC_TAGVAR(allow_undefined_flag, $1)=
-  _LT_AC_TAGVAR(enable_shared_with_static_runtimes, $1)=no
-  _LT_AC_TAGVAR(archive_cmds, $1)=
-  _LT_AC_TAGVAR(archive_expsym_cmds, $1)=
-  _LT_AC_TAGVAR(old_archive_From_new_cmds, $1)=
-  _LT_AC_TAGVAR(old_archive_from_expsyms_cmds, $1)=
-  _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)=
-  _LT_AC_TAGVAR(whole_archive_flag_spec, $1)=
-  _LT_AC_TAGVAR(thread_safe_flag_spec, $1)=
-  _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)=
-  _LT_AC_TAGVAR(hardcode_libdir_flag_spec_ld, $1)=
-  _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=
-  _LT_AC_TAGVAR(hardcode_direct, $1)=no
-  _LT_AC_TAGVAR(hardcode_minus_L, $1)=no
-  _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=unsupported
-  _LT_AC_TAGVAR(link_all_deplibs, $1)=unknown
-  _LT_AC_TAGVAR(hardcode_automatic, $1)=no
-  _LT_AC_TAGVAR(module_cmds, $1)=
-  _LT_AC_TAGVAR(module_expsym_cmds, $1)=
-  _LT_AC_TAGVAR(always_export_symbols, $1)=no
-  _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols'
-  # include_expsyms should be a list of space-separated symbols to be *always*
-  # included in the symbol list
-  _LT_AC_TAGVAR(include_expsyms, $1)=
-  # exclude_expsyms can be an extended regexp of symbols to exclude
-  # it will be wrapped by ` (' and `)$', so one must not match beginning or
-  # end of line.  Example: `a|bc|.*d.*' will exclude the symbols `a' and `bc',
-  # as well as any symbol that contains `d'.
-  _LT_AC_TAGVAR(exclude_expsyms, $1)=['_GLOBAL_OFFSET_TABLE_|_GLOBAL__F[ID]_.*']
-  # Although _GLOBAL_OFFSET_TABLE_ is a valid symbol C name, most a.out
-  # platforms (ab)use it in PIC code, but their linkers get confused if
-  # the symbol is explicitly referenced.  Since portable code cannot
-  # rely on this symbol name, it's probably fine to never include it in
-  # preloaded symbol tables.
-  # Exclude shared library initialization/finalization symbols.
-dnl Note also adjust exclude_expsyms for C++ above.
-  extract_expsyms_cmds=
-  # Just being paranoid about ensuring that cc_basename is set.
-  _LT_CC_BASENAME([$compiler])
-  case $host_os in
-  cygwin* | mingw* | pw32*)
-    # FIXME: the MSVC++ port hasn't been tested in a loooong time
-    # When not using gcc, we currently assume that we are using
-    # Microsoft Visual C++.
-    if test "$GCC" != yes; then
-      with_gnu_ld=no
-    fi
-    ;;
-  interix*)
-    # we just hope/assume this is gcc and not c89 (= MSVC++)
-    with_gnu_ld=yes
-    ;;
-  openbsd*)
-    with_gnu_ld=no
-    ;;
-  esac
-
-  _LT_AC_TAGVAR(ld_shlibs, $1)=yes
-  if test "$with_gnu_ld" = yes; then
-    # If archive_cmds runs LD, not CC, wlarc should be empty
-    wlarc='${wl}'
-
-    # Set some defaults for GNU ld with shared library support. These
-    # are reset later if shared libraries are not supported. Putting them
-    # here allows them to be overridden if necessary.
-    runpath_var=LD_RUN_PATH
-    _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}--rpath ${wl}$libdir'
-    _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic'
-    # ancient GNU ld didn't support --whole-archive et. al.
-    if $LD --help 2>&1 | grep 'no-whole-archive' > /dev/null; then
-	_LT_AC_TAGVAR(whole_archive_flag_spec, $1)="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive'
-      else
-  	_LT_AC_TAGVAR(whole_archive_flag_spec, $1)=
-    fi
-    supports_anon_versioning=no
-    case `$LD -v 2>/dev/null` in
-      *\ [[01]].* | *\ 2.[[0-9]].* | *\ 2.10.*) ;; # catch versions < 2.11
-      *\ 2.11.93.0.2\ *) supports_anon_versioning=yes ;; # RH7.3 ...
-      *\ 2.11.92.0.12\ *) supports_anon_versioning=yes ;; # Mandrake 8.2 ...
-      *\ 2.11.*) ;; # other 2.11 versions
-      *) supports_anon_versioning=yes ;;
-    esac
-
-    # See if GNU ld supports shared libraries.
-    case $host_os in
-    aix[[3-9]]*)
-      # On AIX/PPC, the GNU linker is very broken
-      if test "$host_cpu" != ia64; then
-	_LT_AC_TAGVAR(ld_shlibs, $1)=no
-	cat <<EOF 1>&2
-
-*** Warning: the GNU linker, at least up to release 2.9.1, is reported
-*** to be unable to reliably create shared libraries on AIX.
-*** Therefore, libtool is disabling shared libraries support.  If you
-*** really care for shared libraries, you may want to modify your PATH
-*** so that a non-GNU linker is found, and then restart.
-
-EOF
-      fi
-      ;;
-
-    amigaos*)
-      _LT_AC_TAGVAR(archive_cmds, $1)='$rm $output_objdir/a2ixlibrary.data~$echo "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$echo "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$echo "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$echo "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)'
-      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
-      _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes
-
-      # Samuel A. Falvo II <kc5tja@dolphin.openprojects.net> reports
-      # that the semantics of dynamic libraries on AmigaOS, at least up
-      # to version 4, is to share data among multiple programs linked
-      # with the same dynamic library.  Since this doesn't match the
-      # behavior of shared libraries on other platforms, we can't use
-      # them.
-      _LT_AC_TAGVAR(ld_shlibs, $1)=no
-      ;;
-
-    beos*)
-      if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
-	_LT_AC_TAGVAR(allow_undefined_flag, $1)=unsupported
-	# Joseph Beckenbach <jrb3@best.com> says some releases of gcc
-	# support --undefined.  This deserves some investigation.  FIXME
-	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -nostart $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
-      else
-	_LT_AC_TAGVAR(ld_shlibs, $1)=no
-      fi
-      ;;
-
-    cygwin* | mingw* | pw32*)
-      # _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1) is actually meaningless,
-      # as there is no search path for DLLs.
-      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
-      _LT_AC_TAGVAR(allow_undefined_flag, $1)=unsupported
-      _LT_AC_TAGVAR(always_export_symbols, $1)=no
-      _LT_AC_TAGVAR(enable_shared_with_static_runtimes, $1)=yes
-      _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[[BCDGRS]][[ ]]/s/.*[[ ]]\([[^ ]]*\)/\1 DATA/'\'' -e '\''/^[[AITW]][[ ]]/s/.*[[ ]]//'\'' | sort | uniq > $export_symbols'
-
-      if $LD --help 2>&1 | grep 'auto-import' > /dev/null; then
-        _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
-	# If the export-symbols file already is a .def file (1st line
-	# is EXPORTS), use it as is; otherwise, prepend...
-	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then
-	  cp $export_symbols $output_objdir/$soname.def;
-	else
-	  echo EXPORTS > $output_objdir/$soname.def;
-	  cat $export_symbols >> $output_objdir/$soname.def;
-	fi~
-	$CC -shared $output_objdir/$soname.def $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
-      else
-	_LT_AC_TAGVAR(ld_shlibs, $1)=no
-      fi
-      ;;
-
-    interix[[3-9]]*)
-      _LT_AC_TAGVAR(hardcode_direct, $1)=no
-      _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
-      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
-      _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
-      # Hack: On Interix 3.x, we cannot compile PIC because of a broken gcc.
-      # Instead, shared libraries are loaded at an image base (0x10000000 by
-      # default) and relocated if they conflict, which is a slow very memory
-      # consuming and fragmenting process.  To avoid this, we pick a random,
-      # 256 KiB-aligned image base between 0x50000000 and 0x6FFC0000 at link
-      # time.  Moving up from 0x10000000 also allows more sbrk(2) space.
-      _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
-      _LT_AC_TAGVAR(archive_expsym_cmds, $1)='sed "s,^,_," $export_symbols >$output_objdir/$soname.expsym~$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--retain-symbols-file,$output_objdir/$soname.expsym ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
-      ;;
-
-    gnu* | linux* | k*bsd*-gnu)
-      if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
-	tmp_addflag=
-	case $cc_basename,$host_cpu in
-	pgcc*)				# Portland Group C compiler
-	  _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}--no-whole-archive'
-	  tmp_addflag=' $pic_flag'
-	  ;;
-	pgf77* | pgf90* | pgf95*)	# Portland Group f77 and f90 compilers
-	  _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}--no-whole-archive'
-	  tmp_addflag=' $pic_flag -Mnomain' ;;
-	ecc*,ia64* | icc*,ia64*)		# Intel C compiler on ia64
-	  tmp_addflag=' -i_dynamic' ;;
-	efc*,ia64* | ifort*,ia64*)	# Intel Fortran compiler on ia64
-	  tmp_addflag=' -i_dynamic -nofor_main' ;;
-	ifc* | ifort*)			# Intel Fortran compiler
-	  tmp_addflag=' -nofor_main' ;;
-	esac
-	case `$CC -V 2>&1 | sed 5q` in
-	*Sun\ C*)			# Sun C 5.9
-	  _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`new_convenience=; for conv in $convenience\"\"; do test -z \"$conv\" || new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}--no-whole-archive'
-	  tmp_sharedflag='-G' ;;
-	*Sun\ F*)			# Sun Fortran 8.3
-	  tmp_sharedflag='-G' ;;
-	*)
-	  tmp_sharedflag='-shared' ;;
-	esac
-	_LT_AC_TAGVAR(archive_cmds, $1)='$CC '"$tmp_sharedflag""$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
-
-	if test $supports_anon_versioning = yes; then
-	  _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$echo "{ global:" > $output_objdir/$libname.ver~
-  cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~
-  $echo "local: *; };" >> $output_objdir/$libname.ver~
-	  $CC '"$tmp_sharedflag""$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-version-script ${wl}$output_objdir/$libname.ver -o $lib'
-	fi
-	_LT_AC_TAGVAR(link_all_deplibs, $1)=no
-      else
-	_LT_AC_TAGVAR(ld_shlibs, $1)=no
-      fi
-      ;;
-
-    netbsd* | netbsdelf*-gnu)
-      if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
-	_LT_AC_TAGVAR(archive_cmds, $1)='$LD -Bshareable $libobjs $deplibs $linker_flags -o $lib'
-	wlarc=
-      else
-	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
-	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
-      fi
-      ;;
-
-    solaris*)
-      if $LD -v 2>&1 | grep 'BFD 2\.8' > /dev/null; then
-	_LT_AC_TAGVAR(ld_shlibs, $1)=no
-	cat <<EOF 1>&2
-
-*** Warning: The releases 2.8.* of the GNU linker cannot reliably
-*** create shared libraries on Solaris systems.  Therefore, libtool
-*** is disabling shared libraries support.  We urge you to upgrade GNU
-*** binutils to release 2.9.1 or newer.  Another option is to modify
-*** your PATH or compiler configuration so that the native linker is
-*** used, and then restart.
-
-EOF
-      elif $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
-	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
-	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
-      else
-	_LT_AC_TAGVAR(ld_shlibs, $1)=no
-      fi
-      ;;
-
-    sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX*)
-      case `$LD -v 2>&1` in
-        *\ [[01]].* | *\ 2.[[0-9]].* | *\ 2.1[[0-5]].*)
-	_LT_AC_TAGVAR(ld_shlibs, $1)=no
-	cat <<_LT_EOF 1>&2
-
-*** Warning: Releases of the GNU linker prior to 2.16.91.0.3 can not
-*** reliably create shared libraries on SCO systems.  Therefore, libtool
-*** is disabling shared libraries support.  We urge you to upgrade GNU
-*** binutils to release 2.16.91.0.3 or newer.  Another option is to modify
-*** your PATH or compiler configuration so that the native linker is
-*** used, and then restart.
-
-_LT_EOF
-	;;
-	*)
-	  if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
-	    _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='`test -z "$SCOABSPATH" && echo ${wl}-rpath,$libdir`'
-	    _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib'
-	    _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname,\${SCOABSPATH:+${install_libdir}/}$soname,-retain-symbols-file,$export_symbols -o $lib'
-	  else
-	    _LT_AC_TAGVAR(ld_shlibs, $1)=no
-	  fi
-	;;
-      esac
-      ;;
-
-    sunos4*)
-      _LT_AC_TAGVAR(archive_cmds, $1)='$LD -assert pure-text -Bshareable -o $lib $libobjs $deplibs $linker_flags'
-      wlarc=
-      _LT_AC_TAGVAR(hardcode_direct, $1)=yes
-      _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
-      ;;
-
-    *)
-      if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
-	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
-	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
-      else
-	_LT_AC_TAGVAR(ld_shlibs, $1)=no
-      fi
-      ;;
-    esac
-
-    if test "$_LT_AC_TAGVAR(ld_shlibs, $1)" = no; then
-      runpath_var=
-      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)=
-      _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)=
-      _LT_AC_TAGVAR(whole_archive_flag_spec, $1)=
-    fi
-  else
-    # PORTME fill in a description of your system's linker (not GNU ld)
-    case $host_os in
-    aix3*)
-      _LT_AC_TAGVAR(allow_undefined_flag, $1)=unsupported
-      _LT_AC_TAGVAR(always_export_symbols, $1)=yes
-      _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$LD -o $output_objdir/$soname $libobjs $deplibs $linker_flags -bE:$export_symbols -T512 -H512 -bM:SRE~$AR $AR_FLAGS $lib $output_objdir/$soname'
-      # Note: this linker hardcodes the directories in LIBPATH if there
-      # are no directories specified by -L.
-      _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes
-      if test "$GCC" = yes && test -z "$lt_prog_compiler_static"; then
-	# Neither direct hardcoding nor static linking is supported with a
-	# broken collect2.
-	_LT_AC_TAGVAR(hardcode_direct, $1)=unsupported
-      fi
-      ;;
-
-    aix[[4-9]]*)
-      if test "$host_cpu" = ia64; then
-	# On IA64, the linker does run time linking by default, so we don't
-	# have to do anything special.
-	aix_use_runtimelinking=no
-	exp_sym_flag='-Bexport'
-	no_entry_flag=""
-      else
-	# If we're using GNU nm, then we don't want the "-C" option.
-	# -C means demangle to AIX nm, but means don't demangle with GNU nm
-	if $NM -V 2>&1 | grep 'GNU' > /dev/null; then
-	  _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM -Bpg $libobjs $convenience | awk '\''{ if (((\[$]2 == "T") || (\[$]2 == "D") || (\[$]2 == "B")) && ([substr](\[$]3,1,1) != ".")) { print \[$]3 } }'\'' | sort -u > $export_symbols'
-	else
-	  _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM -BCpg $libobjs $convenience | awk '\''{ if (((\[$]2 == "T") || (\[$]2 == "D") || (\[$]2 == "B")) && ([substr](\[$]3,1,1) != ".")) { print \[$]3 } }'\'' | sort -u > $export_symbols'
-	fi
-	aix_use_runtimelinking=no
-
-	# Test if we are trying to use run time linking or normal
-	# AIX style linking. If -brtl is somewhere in LDFLAGS, we
-	# need to do runtime linking.
-	case $host_os in aix4.[[23]]|aix4.[[23]].*|aix[[5-9]]*)
-	  for ld_flag in $LDFLAGS; do
-  	  if (test $ld_flag = "-brtl" || test $ld_flag = "-Wl,-brtl"); then
-  	    aix_use_runtimelinking=yes
-  	    break
-  	  fi
-	  done
-	  ;;
-	esac
-
-	exp_sym_flag='-bexport'
-	no_entry_flag='-bnoentry'
-      fi
-
-      # When large executables or shared objects are built, AIX ld can
-      # have problems creating the table of contents.  If linking a library
-      # or program results in "error TOC overflow" add -mminimal-toc to
-      # CXXFLAGS/CFLAGS for g++/gcc.  In the cases where that is not
-      # enough to fix the problem, add -Wl,-bbigtoc to LDFLAGS.
-
-      _LT_AC_TAGVAR(archive_cmds, $1)=''
-      _LT_AC_TAGVAR(hardcode_direct, $1)=yes
-      _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=':'
-      _LT_AC_TAGVAR(link_all_deplibs, $1)=yes
-
-      if test "$GCC" = yes; then
-	case $host_os in aix4.[[012]]|aix4.[[012]].*)
-	# We only want to do this on AIX 4.2 and lower, the check
-	# below for broken collect2 doesn't work under 4.3+
-	  collect2name=`${CC} -print-prog-name=collect2`
-	  if test -f "$collect2name" && \
-  	   strings "$collect2name" | grep resolve_lib_name >/dev/null
-	  then
-  	  # We have reworked collect2
-  	  :
-	  else
-  	  # We have old collect2
-  	  _LT_AC_TAGVAR(hardcode_direct, $1)=unsupported
-  	  # It fails to find uninstalled libraries when the uninstalled
-  	  # path is not listed in the libpath.  Setting hardcode_minus_L
-  	  # to unsupported forces relinking
-  	  _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes
-  	  _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
-  	  _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=
-	  fi
-	  ;;
-	esac
-	shared_flag='-shared'
-	if test "$aix_use_runtimelinking" = yes; then
-	  shared_flag="$shared_flag "'${wl}-G'
-	fi
-      else
-	# not using gcc
-	if test "$host_cpu" = ia64; then
-  	# VisualAge C++, Version 5.5 for AIX 5L for IA-64, Beta 3 Release
-  	# chokes on -Wl,-G. The following line is correct:
-	  shared_flag='-G'
-	else
-	  if test "$aix_use_runtimelinking" = yes; then
-	    shared_flag='${wl}-G'
-	  else
-	    shared_flag='${wl}-bM:SRE'
-	  fi
-	fi
-      fi
-
-      # It seems that -bexpall does not export symbols beginning with
-      # underscore (_), so it is better to generate a list of symbols to export.
-      _LT_AC_TAGVAR(always_export_symbols, $1)=yes
-      if test "$aix_use_runtimelinking" = yes; then
-	# Warning - without using the other runtime loading flags (-brtl),
-	# -berok will link without error, but may produce a broken library.
-	_LT_AC_TAGVAR(allow_undefined_flag, $1)='-berok'
-       # Determine the default libpath from the value encoded in an empty executable.
-       _LT_AC_SYS_LIBPATH_AIX
-       _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-blibpath:$libdir:'"$aix_libpath"
-	_LT_AC_TAGVAR(archive_expsym_cmds, $1)="\$CC"' -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then echo "${wl}${allow_undefined_flag}"; else :; fi` '"\${wl}$exp_sym_flag:\$export_symbols $shared_flag"
-       else
-	if test "$host_cpu" = ia64; then
-	  _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-R $libdir:/usr/lib:/lib'
-	  _LT_AC_TAGVAR(allow_undefined_flag, $1)="-z nodefs"
-	  _LT_AC_TAGVAR(archive_expsym_cmds, $1)="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags ${wl}${allow_undefined_flag} '"\${wl}$exp_sym_flag:\$export_symbols"
-	else
-	 # Determine the default libpath from the value encoded in an empty executable.
-	 _LT_AC_SYS_LIBPATH_AIX
-	 _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-blibpath:$libdir:'"$aix_libpath"
-	  # Warning - without using the other run time loading flags,
-	  # -berok will link without error, but may produce a broken library.
-	  _LT_AC_TAGVAR(no_undefined_flag, $1)=' ${wl}-bernotok'
-	  _LT_AC_TAGVAR(allow_undefined_flag, $1)=' ${wl}-berok'
-	  # Exported symbols can be pulled into shared objects from archives
-	  _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='$convenience'
-	  _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=yes
-	  # This is similar to how AIX traditionally builds its shared libraries.
-	  _LT_AC_TAGVAR(archive_expsym_cmds, $1)="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs ${wl}-bnoentry $compiler_flags ${wl}-bE:$export_symbols${allow_undefined_flag}~$AR $AR_FLAGS $output_objdir/$libname$release.a $output_objdir/$soname'
-	fi
-      fi
-      ;;
-
-    amigaos*)
-      _LT_AC_TAGVAR(archive_cmds, $1)='$rm $output_objdir/a2ixlibrary.data~$echo "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$echo "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$echo "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$echo "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)'
-      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
-      _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes
-      # see comment about different semantics on the GNU ld section
-      _LT_AC_TAGVAR(ld_shlibs, $1)=no
-      ;;
-
-    bsdi[[45]]*)
-      _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)=-rdynamic
-      ;;
-
-    cygwin* | mingw* | pw32*)
-      # When not using gcc, we currently assume that we are using
-      # Microsoft Visual C++.
-      # hardcode_libdir_flag_spec is actually meaningless, as there is
-      # no search path for DLLs.
-      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)=' '
-      _LT_AC_TAGVAR(allow_undefined_flag, $1)=unsupported
-      # Tell ltmain to make .lib files, not .a files.
-      libext=lib
-      # Tell ltmain to make .dll files, not .so files.
-      shrext_cmds=".dll"
-      # FIXME: Setting linknames here is a bad hack.
-      _LT_AC_TAGVAR(archive_cmds, $1)='$CC -o $lib $libobjs $compiler_flags `echo "$deplibs" | $SED -e '\''s/ -lc$//'\''` -link -dll~linknames='
-      # The linker will automatically build a .lib file if we build a DLL.
-      _LT_AC_TAGVAR(old_archive_From_new_cmds, $1)='true'
-      # FIXME: Should let the user specify the lib program.
-      _LT_AC_TAGVAR(old_archive_cmds, $1)='lib -OUT:$oldlib$oldobjs$old_deplibs'
-      _LT_AC_TAGVAR(fix_srcfile_path, $1)='`cygpath -w "$srcfile"`'
-      _LT_AC_TAGVAR(enable_shared_with_static_runtimes, $1)=yes
-      ;;
-
-    darwin* | rhapsody*)
-      case $host_os in
-        rhapsody* | darwin1.[[012]])
-         _LT_AC_TAGVAR(allow_undefined_flag, $1)='${wl}-undefined ${wl}suppress'
-         ;;
-       *) # Darwin 1.3 on
-         if test -z ${MACOSX_DEPLOYMENT_TARGET} ; then
-           _LT_AC_TAGVAR(allow_undefined_flag, $1)='${wl}-flat_namespace ${wl}-undefined ${wl}suppress'
-         else
-           case ${MACOSX_DEPLOYMENT_TARGET} in
-             10.[[012]])
-               _LT_AC_TAGVAR(allow_undefined_flag, $1)='${wl}-flat_namespace ${wl}-undefined ${wl}suppress'
-               ;;
-             10.*)
-               _LT_AC_TAGVAR(allow_undefined_flag, $1)='${wl}-undefined ${wl}dynamic_lookup'
-               ;;
-           esac
-         fi
-         ;;
-      esac
-      _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
-      _LT_AC_TAGVAR(hardcode_direct, $1)=no
-      _LT_AC_TAGVAR(hardcode_automatic, $1)=yes
-      _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=unsupported
-      _LT_AC_TAGVAR(whole_archive_flag_spec, $1)=''
-      _LT_AC_TAGVAR(link_all_deplibs, $1)=yes
-    if test "$GCC" = yes ; then
-    	output_verbose_link_cmd='echo'
-        _LT_AC_TAGVAR(archive_cmds, $1)="\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$libobjs \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring $_lt_dar_single_mod${_lt_dsymutil}"
-        _LT_AC_TAGVAR(module_cmds, $1)="\$CC \$allow_undefined_flag -o \$lib -bundle \$libobjs \$deplibs \$compiler_flags${_lt_dsymutil}"
-        _LT_AC_TAGVAR(archive_expsym_cmds, $1)="sed 's,^,_,' < \$export_symbols > \$output_objdir/\${libname}-symbols.expsym~\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$libobjs \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring ${_lt_dar_single_mod}${_lt_dar_export_syms}${_lt_dsymutil}"
-        _LT_AC_TAGVAR(module_expsym_cmds, $1)="sed -e 's,^,_,' < \$export_symbols > \$output_objdir/\${libname}-symbols.expsym~\$CC \$allow_undefined_flag -o \$lib -bundle \$libobjs \$deplibs \$compiler_flags${_lt_dar_export_syms}${_lt_dsymutil}"
-    else
-      case $cc_basename in
-        xlc*)
-         output_verbose_link_cmd='echo'
-         _LT_AC_TAGVAR(archive_cmds, $1)='$CC -qmkshrobj $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}`echo $rpath/$soname` $xlcverstring'
-         _LT_AC_TAGVAR(module_cmds, $1)='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
-          # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin lds
-         _LT_AC_TAGVAR(archive_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -qmkshrobj $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}$rpath/$soname $xlcverstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
-          _LT_AC_TAGVAR(module_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag  -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
-          ;;
-       *)
-         _LT_AC_TAGVAR(ld_shlibs, $1)=no
-          ;;
-      esac
-    fi
-      ;;
-
-    dgux*)
-      _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
-      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
-      _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
-      ;;
-
-    freebsd1*)
-      _LT_AC_TAGVAR(ld_shlibs, $1)=no
-      ;;
-
-    # FreeBSD 2.2.[012] allows us to include c++rt0.o to get C++ constructor
-    # support.  Future versions do this automatically, but an explicit c++rt0.o
-    # does not break anything, and helps significantly (at the cost of a little
-    # extra space).
-    freebsd2.2*)
-      _LT_AC_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags /usr/lib/c++rt0.o'
-      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
-      _LT_AC_TAGVAR(hardcode_direct, $1)=yes
-      _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
-      ;;
-
-    # Unfortunately, older versions of FreeBSD 2 do not have this feature.
-    freebsd2*)
-      _LT_AC_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'
-      _LT_AC_TAGVAR(hardcode_direct, $1)=yes
-      _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes
-      _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
-      ;;
-
-    # FreeBSD 3 and greater uses gcc -shared to do shared libraries.
-    freebsd* | dragonfly*)
-      _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -o $lib $libobjs $deplibs $compiler_flags'
-      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
-      _LT_AC_TAGVAR(hardcode_direct, $1)=yes
-      _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
-      ;;
-
-    hpux9*)
-      if test "$GCC" = yes; then
-	_LT_AC_TAGVAR(archive_cmds, $1)='$rm $output_objdir/$soname~$CC -shared -fPIC ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $libobjs $deplibs $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
-      else
-	_LT_AC_TAGVAR(archive_cmds, $1)='$rm $output_objdir/$soname~$LD -b +b $install_libdir -o $output_objdir/$soname $libobjs $deplibs $linker_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
-      fi
-      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir'
-      _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
-      _LT_AC_TAGVAR(hardcode_direct, $1)=yes
-
-      # hardcode_minus_L: Not really in the search PATH,
-      # but as the default location of the library.
-      _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes
-      _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
-      ;;
-
-    hpux10*)
-      if test "$GCC" = yes -a "$with_gnu_ld" = no; then
-	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
-      else
-	_LT_AC_TAGVAR(archive_cmds, $1)='$LD -b +h $soname +b $install_libdir -o $lib $libobjs $deplibs $linker_flags'
-      fi
-      if test "$with_gnu_ld" = no; then
-	_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir'
-	_LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
-
-	_LT_AC_TAGVAR(hardcode_direct, $1)=yes
-	_LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
-
-	# hardcode_minus_L: Not really in the search PATH,
-	# but as the default location of the library.
-	_LT_AC_TAGVAR(hardcode_minus_L, $1)=yes
-      fi
-      ;;
-
-    hpux11*)
-      if test "$GCC" = yes -a "$with_gnu_ld" = no; then
-	case $host_cpu in
-	hppa*64*)
-	  _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}+h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
-	  ;;
-	ia64*)
-	  _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags'
-	  ;;
-	*)
-	  _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
-	  ;;
-	esac
-      else
-	case $host_cpu in
-	hppa*64*)
-	  _LT_AC_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
-	  ;;
-	ia64*)
-	  _LT_AC_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags'
-	  ;;
-	*)
-	  _LT_AC_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
-	  ;;
-	esac
-      fi
-      if test "$with_gnu_ld" = no; then
-	_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir'
-	_LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
-
-	case $host_cpu in
-	hppa*64*|ia64*)
-	  _LT_AC_TAGVAR(hardcode_libdir_flag_spec_ld, $1)='+b $libdir'
-	  _LT_AC_TAGVAR(hardcode_direct, $1)=no
-	  _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
-	  ;;
-	*)
-	  _LT_AC_TAGVAR(hardcode_direct, $1)=yes
-	  _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
-
-	  # hardcode_minus_L: Not really in the search PATH,
-	  # but as the default location of the library.
-	  _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes
-	  ;;
-	esac
-      fi
-      ;;
-
-    irix5* | irix6* | nonstopux*)
-      if test "$GCC" = yes; then
-	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
-      else
-	_LT_AC_TAGVAR(archive_cmds, $1)='$LD -shared $libobjs $deplibs $linker_flags -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
-	_LT_AC_TAGVAR(hardcode_libdir_flag_spec_ld, $1)='-rpath $libdir'
-      fi
-      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
-      _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
-      _LT_AC_TAGVAR(link_all_deplibs, $1)=yes
-      ;;
-
-    netbsd* | netbsdelf*-gnu)
-      if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
-	_LT_AC_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'  # a.out
-      else
-	_LT_AC_TAGVAR(archive_cmds, $1)='$LD -shared -o $lib $libobjs $deplibs $linker_flags'      # ELF
-      fi
-      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
-      _LT_AC_TAGVAR(hardcode_direct, $1)=yes
-      _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
-      ;;
-
-    newsos6)
-      _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
-      _LT_AC_TAGVAR(hardcode_direct, $1)=yes
-      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
-      _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
-      _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
-      ;;
-
-    openbsd*)
-      if test -f /usr/libexec/ld.so; then
-	_LT_AC_TAGVAR(hardcode_direct, $1)=yes
-	_LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
-	if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
-	  _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
-	  _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-retain-symbols-file,$export_symbols'
-	  _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
-	  _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
-	else
-	  case $host_os in
-	   openbsd[[01]].* | openbsd2.[[0-7]] | openbsd2.[[0-7]].*)
-	     _LT_AC_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'
-	     _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
-	     ;;
-	   *)
-	     _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
-	     _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
-	     ;;
-	  esac
-        fi
-      else
-	_LT_AC_TAGVAR(ld_shlibs, $1)=no
-      fi
-      ;;
-
-    os2*)
-      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
-      _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes
-      _LT_AC_TAGVAR(allow_undefined_flag, $1)=unsupported
-      _LT_AC_TAGVAR(archive_cmds, $1)='$echo "LIBRARY $libname INITINSTANCE" > $output_objdir/$libname.def~$echo "DESCRIPTION \"$libname\"" >> $output_objdir/$libname.def~$echo DATA >> $output_objdir/$libname.def~$echo " SINGLE NONSHARED" >> $output_objdir/$libname.def~$echo EXPORTS >> $output_objdir/$libname.def~emxexp $libobjs >> $output_objdir/$libname.def~$CC -Zdll -Zcrtdll -o $lib $libobjs $deplibs $compiler_flags $output_objdir/$libname.def'
-      _LT_AC_TAGVAR(old_archive_From_new_cmds, $1)='emximp -o $output_objdir/$libname.a $output_objdir/$libname.def'
-      ;;
-
-    osf3*)
-      if test "$GCC" = yes; then
-	_LT_AC_TAGVAR(allow_undefined_flag, $1)=' ${wl}-expect_unresolved ${wl}\*'
-	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
-      else
-	_LT_AC_TAGVAR(allow_undefined_flag, $1)=' -expect_unresolved \*'
-	_LT_AC_TAGVAR(archive_cmds, $1)='$LD -shared${allow_undefined_flag} $libobjs $deplibs $linker_flags -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
-      fi
-      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
-      _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
-      ;;
-
-    osf4* | osf5*)	# as osf3* with the addition of -msym flag
-      if test "$GCC" = yes; then
-	_LT_AC_TAGVAR(allow_undefined_flag, $1)=' ${wl}-expect_unresolved ${wl}\*'
-	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-msym ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
-	_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
-      else
-	_LT_AC_TAGVAR(allow_undefined_flag, $1)=' -expect_unresolved \*'
-	_LT_AC_TAGVAR(archive_cmds, $1)='$LD -shared${allow_undefined_flag} $libobjs $deplibs $linker_flags -msym -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
-	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='for i in `cat $export_symbols`; do printf "%s %s\\n" -exported_symbol "\$i" >> $lib.exp; done; echo "-hidden">> $lib.exp~
-	$LD -shared${allow_undefined_flag} -input $lib.exp $linker_flags $libobjs $deplibs -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib~$rm $lib.exp'
-
-	# Both c and cxx compiler support -rpath directly
-	_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-rpath $libdir'
-      fi
-      _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
-      ;;
-
-    solaris*)
-      _LT_AC_TAGVAR(no_undefined_flag, $1)=' -z text'
-      if test "$GCC" = yes; then
-	wlarc='${wl}'
-	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
-	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
-	  $CC -shared ${wl}-M ${wl}$lib.exp ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags~$rm $lib.exp'
-      else
-	wlarc=''
-	_LT_AC_TAGVAR(archive_cmds, $1)='$LD -G${allow_undefined_flag} -h $soname -o $lib $libobjs $deplibs $linker_flags'
-	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
-  	$LD -G${allow_undefined_flag} -M $lib.exp -h $soname -o $lib $libobjs $deplibs $linker_flags~$rm $lib.exp'
-      fi
-      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
-      _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
-      case $host_os in
-      solaris2.[[0-5]] | solaris2.[[0-5]].*) ;;
-      *)
-	# The compiler driver will combine and reorder linker options,
-	# but understands `-z linker_flag'.  GCC discards it without `$wl',
-	# but is careful enough not to reorder.
- 	# Supported since Solaris 2.6 (maybe 2.5.1?)
-	if test "$GCC" = yes; then
-	  _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='${wl}-z ${wl}allextract$convenience ${wl}-z ${wl}defaultextract'
-	else
-	  _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='-z allextract$convenience -z defaultextract'
-	fi
-	;;
-      esac
-      _LT_AC_TAGVAR(link_all_deplibs, $1)=yes
-      ;;
-
-    sunos4*)
-      if test "x$host_vendor" = xsequent; then
-	# Use $CC to link under sequent, because it throws in some extra .o
-	# files that make .init and .fini sections work.
-	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -G ${wl}-h $soname -o $lib $libobjs $deplibs $compiler_flags'
-      else
-	_LT_AC_TAGVAR(archive_cmds, $1)='$LD -assert pure-text -Bstatic -o $lib $libobjs $deplibs $linker_flags'
-      fi
-      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
-      _LT_AC_TAGVAR(hardcode_direct, $1)=yes
-      _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes
-      _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
-      ;;
-
-    sysv4)
-      case $host_vendor in
-	sni)
-	  _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
-	  _LT_AC_TAGVAR(hardcode_direct, $1)=yes # is this really true???
-	;;
-	siemens)
-	  ## LD is ld it makes a PLAMLIB
-	  ## CC just makes a GrossModule.
-	  _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G -o $lib $libobjs $deplibs $linker_flags'
-	  _LT_AC_TAGVAR(reload_cmds, $1)='$CC -r -o $output$reload_objs'
-	  _LT_AC_TAGVAR(hardcode_direct, $1)=no
-        ;;
-	motorola)
-	  _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
-	  _LT_AC_TAGVAR(hardcode_direct, $1)=no #Motorola manual says yes, but my tests say they lie
-	;;
-      esac
-      runpath_var='LD_RUN_PATH'
-      _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
-      ;;
-
-    sysv4.3*)
-      _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
-      _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
-      _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='-Bexport'
-      ;;
-
-    sysv4*MP*)
-      if test -d /usr/nec; then
-	_LT_AC_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
-	_LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
-	runpath_var=LD_RUN_PATH
-	hardcode_runpath_var=yes
-	_LT_AC_TAGVAR(ld_shlibs, $1)=yes
-      fi
-      ;;
-
-    sysv4*uw2* | sysv5OpenUNIX* | sysv5UnixWare7.[[01]].[[10]]* | unixware7* | sco3.2v5.0.[[024]]*)
-      _LT_AC_TAGVAR(no_undefined_flag, $1)='${wl}-z,text'
-      _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
-      _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
-      runpath_var='LD_RUN_PATH'
-
-      if test "$GCC" = yes; then
-	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
-	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
-      else
-	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -G ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
-	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
-      fi
-      ;;
-
-    sysv5* | sco3.2v5* | sco5v6*)
-      # Note: We can NOT use -z defs as we might desire, because we do not
-      # link with -lc, and that would cause any symbols used from libc to
-      # always be unresolved, which means just about no library would
-      # ever link correctly.  If we're not using GNU ld we use -z text
-      # though, which does catch some bad symbols but isn't as heavy-handed
-      # as -z defs.
-      _LT_AC_TAGVAR(no_undefined_flag, $1)='${wl}-z,text'
-      _LT_AC_TAGVAR(allow_undefined_flag, $1)='${wl}-z,nodefs'
-      _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
-      _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
-      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='`test -z "$SCOABSPATH" && echo ${wl}-R,$libdir`'
-      _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=':'
-      _LT_AC_TAGVAR(link_all_deplibs, $1)=yes
-      _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-Bexport'
-      runpath_var='LD_RUN_PATH'
-
-      if test "$GCC" = yes; then
-	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
-	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
-      else
-	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -G ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
-	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
-      fi
-      ;;
-
-    uts4*)
-      _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
-      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
-      _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
-      ;;
-
-    *)
-      _LT_AC_TAGVAR(ld_shlibs, $1)=no
-      ;;
-    esac
-  fi
-])
-AC_MSG_RESULT([$_LT_AC_TAGVAR(ld_shlibs, $1)])
-test "$_LT_AC_TAGVAR(ld_shlibs, $1)" = no && can_build_shared=no
-
-#
-# Do we need to explicitly link libc?
-#
-case "x$_LT_AC_TAGVAR(archive_cmds_need_lc, $1)" in
-x|xyes)
-  # Assume -lc should be added
-  _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=yes
-
-  if test "$enable_shared" = yes && test "$GCC" = yes; then
-    case $_LT_AC_TAGVAR(archive_cmds, $1) in
-    *'~'*)
-      # FIXME: we may have to deal with multi-command sequences.
-      ;;
-    '$CC '*)
-      # Test whether the compiler implicitly links with -lc since on some
-      # systems, -lgcc has to come before -lc. If gcc already passes -lc
-      # to ld, don't add -lc before -lgcc.
-      AC_MSG_CHECKING([whether -lc should be explicitly linked in])
-      $rm conftest*
-      echo "$lt_simple_compile_test_code" > conftest.$ac_ext
-
-      if AC_TRY_EVAL(ac_compile) 2>conftest.err; then
-        soname=conftest
-        lib=conftest
-        libobjs=conftest.$ac_objext
-        deplibs=
-        wl=$_LT_AC_TAGVAR(lt_prog_compiler_wl, $1)
-	pic_flag=$_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)
-        compiler_flags=-v
-        linker_flags=-v
-        verstring=
-        output_objdir=.
-        libname=conftest
-        lt_save_allow_undefined_flag=$_LT_AC_TAGVAR(allow_undefined_flag, $1)
-        _LT_AC_TAGVAR(allow_undefined_flag, $1)=
-        if AC_TRY_EVAL(_LT_AC_TAGVAR(archive_cmds, $1) 2\>\&1 \| grep \" -lc \" \>/dev/null 2\>\&1)
-        then
-	  _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
-        else
-	  _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=yes
-        fi
-        _LT_AC_TAGVAR(allow_undefined_flag, $1)=$lt_save_allow_undefined_flag
-      else
-        cat conftest.err 1>&5
-      fi
-      $rm conftest*
-      AC_MSG_RESULT([$_LT_AC_TAGVAR(archive_cmds_need_lc, $1)])
-      ;;
-    esac
-  fi
-  ;;
-esac
-])# AC_LIBTOOL_PROG_LD_SHLIBS
-
-
-# _LT_AC_FILE_LTDLL_C
-# -------------------
-# Be careful that the start marker always follows a newline.
-AC_DEFUN([_LT_AC_FILE_LTDLL_C], [
-# /* ltdll.c starts here */
-# #define WIN32_LEAN_AND_MEAN
-# #include <windows.h>
-# #undef WIN32_LEAN_AND_MEAN
-# #include <stdio.h>
-#
-# #ifndef __CYGWIN__
-# #  ifdef __CYGWIN32__
-# #    define __CYGWIN__ __CYGWIN32__
-# #  endif
-# #endif
-#
-# #ifdef __cplusplus
-# extern "C" {
-# #endif
-# BOOL APIENTRY DllMain (HINSTANCE hInst, DWORD reason, LPVOID reserved);
-# #ifdef __cplusplus
-# }
-# #endif
-#
-# #ifdef __CYGWIN__
-# #include <cygwin/cygwin_dll.h>
-# DECLARE_CYGWIN_DLL( DllMain );
-# #endif
-# HINSTANCE __hDllInstance_base;
-#
-# BOOL APIENTRY
-# DllMain (HINSTANCE hInst, DWORD reason, LPVOID reserved)
-# {
-#   __hDllInstance_base = hInst;
-#   return TRUE;
-# }
-# /* ltdll.c ends here */
-])# _LT_AC_FILE_LTDLL_C
-
-
-# _LT_AC_TAGVAR(VARNAME, [TAGNAME])
-# ---------------------------------
-AC_DEFUN([_LT_AC_TAGVAR], [ifelse([$2], [], [$1], [$1_$2])])
-
-
-# old names
-AC_DEFUN([AM_PROG_LIBTOOL],   [AC_PROG_LIBTOOL])
-AC_DEFUN([AM_ENABLE_SHARED],  [AC_ENABLE_SHARED($@)])
-AC_DEFUN([AM_ENABLE_STATIC],  [AC_ENABLE_STATIC($@)])
-AC_DEFUN([AM_DISABLE_SHARED], [AC_DISABLE_SHARED($@)])
-AC_DEFUN([AM_DISABLE_STATIC], [AC_DISABLE_STATIC($@)])
-AC_DEFUN([AM_PROG_LD],        [AC_PROG_LD])
-AC_DEFUN([AM_PROG_NM],        [AC_PROG_NM])
-
-# This is just to silence aclocal about the macro not being used
-ifelse([AC_DISABLE_FAST_INSTALL])
-
-AC_DEFUN([LT_AC_PROG_GCJ],
-[AC_CHECK_TOOL(GCJ, gcj, no)
-  test "x${GCJFLAGS+set}" = xset || GCJFLAGS="-g -O2"
-  AC_SUBST(GCJFLAGS)
-])
-
-AC_DEFUN([LT_AC_PROG_RC],
-[AC_CHECK_TOOL(RC, windres, no)
-])
-
-
-# Cheap backport of AS_EXECUTABLE_P and required macros
-# from Autoconf 2.59; we should not use $as_executable_p directly.
-
-# _AS_TEST_PREPARE
-# ----------------
-m4_ifndef([_AS_TEST_PREPARE],
-[m4_defun([_AS_TEST_PREPARE],
-[if test -x / >/dev/null 2>&1; then
-  as_executable_p='test -x'
-else
-  as_executable_p='test -f'
-fi
-])])# _AS_TEST_PREPARE
-
-# AS_EXECUTABLE_P
-# ---------------
-# Check whether a file is executable.
-m4_ifndef([AS_EXECUTABLE_P],
-[m4_defun([AS_EXECUTABLE_P],
-[AS_REQUIRE([_AS_TEST_PREPARE])dnl
-$as_executable_p $1[]dnl
-])])# AS_EXECUTABLE_P
-
-# NOTE: This macro has been submitted for inclusion into   #
-#  GNU Autoconf as AC_PROG_SED.  When it is available in   #
-#  a released version of Autoconf we should remove this    #
-#  macro and use it instead.                               #
-# LT_AC_PROG_SED
-# --------------
-# Check for a fully-functional sed program, that truncates
-# as few characters as possible.  Prefer GNU sed if found.
-AC_DEFUN([LT_AC_PROG_SED],
-[AC_MSG_CHECKING([for a sed that does not truncate output])
-AC_CACHE_VAL(lt_cv_path_SED,
-[# Loop through the user's path and test for sed and gsed.
-# Then use that list of sed's as ones to test for truncation.
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  for lt_ac_prog in sed gsed; do
-    for ac_exec_ext in '' $ac_executable_extensions; do
-      if AS_EXECUTABLE_P(["$as_dir/$lt_ac_prog$ac_exec_ext"]); then
-        lt_ac_sed_list="$lt_ac_sed_list $as_dir/$lt_ac_prog$ac_exec_ext"
-      fi
-    done
-  done
-done
-IFS=$as_save_IFS
-lt_ac_max=0
-lt_ac_count=0
-# Add /usr/xpg4/bin/sed as it is typically found on Solaris
-# along with /bin/sed that truncates output.
-for lt_ac_sed in $lt_ac_sed_list /usr/xpg4/bin/sed; do
-  test ! -f $lt_ac_sed && continue
-  cat /dev/null > conftest.in
-  lt_ac_count=0
-  echo $ECHO_N "0123456789$ECHO_C" >conftest.in
-  # Check for GNU sed and select it if it is found.
-  if "$lt_ac_sed" --version 2>&1 < /dev/null | grep 'GNU' > /dev/null; then
-    lt_cv_path_SED=$lt_ac_sed
-    break
-  fi
-  while true; do
-    cat conftest.in conftest.in >conftest.tmp
-    mv conftest.tmp conftest.in
-    cp conftest.in conftest.nl
-    echo >>conftest.nl
-    $lt_ac_sed -e 's/a$//' < conftest.nl >conftest.out || break
-    cmp -s conftest.out conftest.nl || break
-    # 10000 chars as input seems more than enough
-    test $lt_ac_count -gt 10 && break
-    lt_ac_count=`expr $lt_ac_count + 1`
-    if test $lt_ac_count -gt $lt_ac_max; then
-      lt_ac_max=$lt_ac_count
-      lt_cv_path_SED=$lt_ac_sed
-    fi
-  done
-done
-])
-SED=$lt_cv_path_SED
-AC_SUBST([SED])
-AC_MSG_RESULT([$SED])
-])
-
-# pkg.m4 - Macros to locate and utilise pkg-config.            -*- Autoconf -*-
-# 
-# Copyright © 2004 Scott James Remnant <scott@netsplit.com>.
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-# General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
-#
-# As a special exception to the GNU General Public License, if you
-# distribute this file as part of a program that contains a
-# configuration script generated by Autoconf, you may include it under
-# the same distribution terms that you use for the rest of that program.
-
-# PKG_PROG_PKG_CONFIG([MIN-VERSION])
-# ----------------------------------
-AC_DEFUN([PKG_PROG_PKG_CONFIG],
-[m4_pattern_forbid([^_?PKG_[A-Z_]+$])
-m4_pattern_allow([^PKG_CONFIG(_PATH)?$])
-AC_ARG_VAR([PKG_CONFIG], [path to pkg-config utility])dnl
-if test "x$ac_cv_env_PKG_CONFIG_set" != "xset"; then
-	AC_PATH_TOOL([PKG_CONFIG], [pkg-config])
-fi
-if test -n "$PKG_CONFIG"; then
-	_pkg_min_version=m4_default([$1], [0.9.0])
-	AC_MSG_CHECKING([pkg-config is at least version $_pkg_min_version])
-	if $PKG_CONFIG --atleast-pkgconfig-version $_pkg_min_version; then
-		AC_MSG_RESULT([yes])
-	else
-		AC_MSG_RESULT([no])
-		PKG_CONFIG=""
-	fi
-		
-fi[]dnl
-])# PKG_PROG_PKG_CONFIG
-
-# PKG_CHECK_EXISTS(MODULES, [ACTION-IF-FOUND], [ACTION-IF-NOT-FOUND])
-#
-# Check to see whether a particular set of modules exists.  Similar
-# to PKG_CHECK_MODULES(), but does not set variables or print errors.
-#
-#
-# Similar to PKG_CHECK_MODULES, make sure that the first instance of
-# this or PKG_CHECK_MODULES is called, or make sure to call
-# PKG_CHECK_EXISTS manually
-# --------------------------------------------------------------
-AC_DEFUN([PKG_CHECK_EXISTS],
-[AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl
-if test -n "$PKG_CONFIG" && \
-    AC_RUN_LOG([$PKG_CONFIG --exists --print-errors "$1"]); then
-  m4_ifval([$2], [$2], [:])
-m4_ifvaln([$3], [else
-  $3])dnl
-fi])
-
-
-# _PKG_CONFIG([VARIABLE], [COMMAND], [MODULES])
-# ---------------------------------------------
-m4_define([_PKG_CONFIG],
-[if test -n "$PKG_CONFIG"; then
-    if test -n "$$1"; then
-        pkg_cv_[]$1="$$1"
-    else
-        PKG_CHECK_EXISTS([$3],
-                         [pkg_cv_[]$1=`$PKG_CONFIG --[]$2 "$3" 2>/dev/null`],
-			 [pkg_failed=yes])
-    fi
-else
-	pkg_failed=untried
-fi[]dnl
-])# _PKG_CONFIG
-
-# _PKG_SHORT_ERRORS_SUPPORTED
-# -----------------------------
-AC_DEFUN([_PKG_SHORT_ERRORS_SUPPORTED],
-[AC_REQUIRE([PKG_PROG_PKG_CONFIG])
-if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
-        _pkg_short_errors_supported=yes
-else
-        _pkg_short_errors_supported=no
-fi[]dnl
-])# _PKG_SHORT_ERRORS_SUPPORTED
-
-
-# PKG_CHECK_MODULES(VARIABLE-PREFIX, MODULES, [ACTION-IF-FOUND],
-# [ACTION-IF-NOT-FOUND])
-#
-#
-# Note that if there is a possibility the first call to
-# PKG_CHECK_MODULES might not happen, you should be sure to include an
-# explicit call to PKG_PROG_PKG_CONFIG in your configure.ac
-#
-#
-# --------------------------------------------------------------
-AC_DEFUN([PKG_CHECK_MODULES],
-[AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl
-AC_ARG_VAR([$1][_CFLAGS], [C compiler flags for $1, overriding pkg-config])dnl
-AC_ARG_VAR([$1][_LIBS], [linker flags for $1, overriding pkg-config])dnl
-
-pkg_failed=no
-AC_MSG_CHECKING([for $1])
-
-_PKG_CONFIG([$1][_CFLAGS], [cflags], [$2])
-_PKG_CONFIG([$1][_LIBS], [libs], [$2])
-
-m4_define([_PKG_TEXT], [Alternatively, you may set the environment variables $1[]_CFLAGS
-and $1[]_LIBS to avoid the need to call pkg-config.
-See the pkg-config man page for more details.])
-
-if test $pkg_failed = yes; then
-        _PKG_SHORT_ERRORS_SUPPORTED
-        if test $_pkg_short_errors_supported = yes; then
-	        $1[]_PKG_ERRORS=`$PKG_CONFIG --short-errors --errors-to-stdout --print-errors "$2"`
-        else 
-	        $1[]_PKG_ERRORS=`$PKG_CONFIG --errors-to-stdout --print-errors "$2"`
-        fi
-	# Put the nasty error message in config.log where it belongs
-	echo "$$1[]_PKG_ERRORS" >&AS_MESSAGE_LOG_FD
-
-	ifelse([$4], , [AC_MSG_ERROR(dnl
-[Package requirements ($2) were not met:
-
-$$1_PKG_ERRORS
-
-Consider adjusting the PKG_CONFIG_PATH environment variable if you
-installed software in a non-standard prefix.
-
-_PKG_TEXT
-])],
-		[AC_MSG_RESULT([no])
-                $4])
-elif test $pkg_failed = untried; then
-	ifelse([$4], , [AC_MSG_FAILURE(dnl
-[The pkg-config script could not be found or is too old.  Make sure it
-is in your PATH or set the PKG_CONFIG environment variable to the full
-path to pkg-config.
-
-_PKG_TEXT
-
-To get pkg-config, see <http://pkg-config.freedesktop.org/>.])],
-		[$4])
-else
-	$1[]_CFLAGS=$pkg_cv_[]$1[]_CFLAGS
-	$1[]_LIBS=$pkg_cv_[]$1[]_LIBS
-        AC_MSG_RESULT([yes])
-	ifelse([$3], , :, [$3])
-fi[]dnl
-])# PKG_CHECK_MODULES
-
-# Copyright (C) 2002, 2003, 2005, 2006, 2007  Free Software Foundation, Inc.
-#
-# This file is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-# AM_AUTOMAKE_VERSION(VERSION)
-# ----------------------------
-# Automake X.Y traces this macro to ensure aclocal.m4 has been
-# generated from the m4 files accompanying Automake X.Y.
-# (This private macro should not be called outside this file.)
-AC_DEFUN([AM_AUTOMAKE_VERSION],
-[am__api_version='1.10'
-dnl Some users find AM_AUTOMAKE_VERSION and mistake it for a way to
-dnl require some minimum version.  Point them to the right macro.
-m4_if([$1], [1.10.1], [],
-      [AC_FATAL([Do not call $0, use AM_INIT_AUTOMAKE([$1]).])])dnl
-])
-
-# _AM_AUTOCONF_VERSION(VERSION)
-# -----------------------------
-# aclocal traces this macro to find the Autoconf version.
-# This is a private macro too.  Using m4_define simplifies
-# the logic in aclocal, which can simply ignore this definition.
-m4_define([_AM_AUTOCONF_VERSION], [])
-
-# AM_SET_CURRENT_AUTOMAKE_VERSION
-# -------------------------------
-# Call AM_AUTOMAKE_VERSION and AM_AUTOMAKE_VERSION so they can be traced.
-# This function is AC_REQUIREd by AC_INIT_AUTOMAKE.
-AC_DEFUN([AM_SET_CURRENT_AUTOMAKE_VERSION],
-[AM_AUTOMAKE_VERSION([1.10.1])dnl
-m4_ifndef([AC_AUTOCONF_VERSION],
-  [m4_copy([m4_PACKAGE_VERSION], [AC_AUTOCONF_VERSION])])dnl
-_AM_AUTOCONF_VERSION(AC_AUTOCONF_VERSION)])
-
-# AM_AUX_DIR_EXPAND                                         -*- Autoconf -*-
-
-# Copyright (C) 2001, 2003, 2005  Free Software Foundation, Inc.
-#
-# This file is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-# For projects using AC_CONFIG_AUX_DIR([foo]), Autoconf sets
-# $ac_aux_dir to `$srcdir/foo'.  In other projects, it is set to
-# `$srcdir', `$srcdir/..', or `$srcdir/../..'.
-#
-# Of course, Automake must honor this variable whenever it calls a
-# tool from the auxiliary directory.  The problem is that $srcdir (and
-# therefore $ac_aux_dir as well) can be either absolute or relative,
-# depending on how configure is run.  This is pretty annoying, since
-# it makes $ac_aux_dir quite unusable in subdirectories: in the top
-# source directory, any form will work fine, but in subdirectories a
-# relative path needs to be adjusted first.
-#
-# $ac_aux_dir/missing
-#    fails when called from a subdirectory if $ac_aux_dir is relative
-# $top_srcdir/$ac_aux_dir/missing
-#    fails if $ac_aux_dir is absolute,
-#    fails when called from a subdirectory in a VPATH build with
-#          a relative $ac_aux_dir
-#
-# The reason of the latter failure is that $top_srcdir and $ac_aux_dir
-# are both prefixed by $srcdir.  In an in-source build this is usually
-# harmless because $srcdir is `.', but things will broke when you
-# start a VPATH build or use an absolute $srcdir.
-#
-# So we could use something similar to $top_srcdir/$ac_aux_dir/missing,
-# iff we strip the leading $srcdir from $ac_aux_dir.  That would be:
-#   am_aux_dir='\$(top_srcdir)/'`expr "$ac_aux_dir" : "$srcdir//*\(.*\)"`
-# and then we would define $MISSING as
-#   MISSING="\${SHELL} $am_aux_dir/missing"
-# This will work as long as MISSING is not called from configure, because
-# unfortunately $(top_srcdir) has no meaning in configure.
-# However there are other variables, like CC, which are often used in
-# configure, and could therefore not use this "fixed" $ac_aux_dir.
-#
-# Another solution, used here, is to always expand $ac_aux_dir to an
-# absolute PATH.  The drawback is that using absolute paths prevent a
-# configured tree to be moved without reconfiguration.
-
-AC_DEFUN([AM_AUX_DIR_EXPAND],
-[dnl Rely on autoconf to set up CDPATH properly.
-AC_PREREQ([2.50])dnl
-# expand $ac_aux_dir to an absolute path
-am_aux_dir=`cd $ac_aux_dir && pwd`
-])
-
-# AM_CONDITIONAL                                            -*- Autoconf -*-
-
-# Copyright (C) 1997, 2000, 2001, 2003, 2004, 2005, 2006
-# Free Software Foundation, Inc.
-#
-# This file is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-# serial 8
-
-# AM_CONDITIONAL(NAME, SHELL-CONDITION)
-# -------------------------------------
-# Define a conditional.
-AC_DEFUN([AM_CONDITIONAL],
-[AC_PREREQ(2.52)dnl
- ifelse([$1], [TRUE],  [AC_FATAL([$0: invalid condition: $1])],
-	[$1], [FALSE], [AC_FATAL([$0: invalid condition: $1])])dnl
-AC_SUBST([$1_TRUE])dnl
-AC_SUBST([$1_FALSE])dnl
-_AM_SUBST_NOTMAKE([$1_TRUE])dnl
-_AM_SUBST_NOTMAKE([$1_FALSE])dnl
-if $2; then
-  $1_TRUE=
-  $1_FALSE='#'
-else
-  $1_TRUE='#'
-  $1_FALSE=
-fi
-AC_CONFIG_COMMANDS_PRE(
-[if test -z "${$1_TRUE}" && test -z "${$1_FALSE}"; then
-  AC_MSG_ERROR([[conditional "$1" was never defined.
-Usually this means the macro was only invoked conditionally.]])
-fi])])
-
-# Copyright (C) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006
-# Free Software Foundation, Inc.
-#
-# This file is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-# serial 9
-
-# There are a few dirty hacks below to avoid letting `AC_PROG_CC' be
-# written in clear, in which case automake, when reading aclocal.m4,
-# will think it sees a *use*, and therefore will trigger all it's
-# C support machinery.  Also note that it means that autoscan, seeing
-# CC etc. in the Makefile, will ask for an AC_PROG_CC use...
-
-
-# _AM_DEPENDENCIES(NAME)
-# ----------------------
-# See how the compiler implements dependency checking.
-# NAME is "CC", "CXX", "GCJ", or "OBJC".
-# We try a few techniques and use that to set a single cache variable.
-#
-# We don't AC_REQUIRE the corresponding AC_PROG_CC since the latter was
-# modified to invoke _AM_DEPENDENCIES(CC); we would have a circular
-# dependency, and given that the user is not expected to run this macro,
-# just rely on AC_PROG_CC.
-AC_DEFUN([_AM_DEPENDENCIES],
-[AC_REQUIRE([AM_SET_DEPDIR])dnl
-AC_REQUIRE([AM_OUTPUT_DEPENDENCY_COMMANDS])dnl
-AC_REQUIRE([AM_MAKE_INCLUDE])dnl
-AC_REQUIRE([AM_DEP_TRACK])dnl
-
-ifelse([$1], CC,   [depcc="$CC"   am_compiler_list=],
-       [$1], CXX,  [depcc="$CXX"  am_compiler_list=],
-       [$1], OBJC, [depcc="$OBJC" am_compiler_list='gcc3 gcc'],
-       [$1], UPC,  [depcc="$UPC"  am_compiler_list=],
-       [$1], GCJ,  [depcc="$GCJ"  am_compiler_list='gcc3 gcc'],
-                   [depcc="$$1"   am_compiler_list=])
-
-AC_CACHE_CHECK([dependency style of $depcc],
-               [am_cv_$1_dependencies_compiler_type],
-[if test -z "$AMDEP_TRUE" && test -f "$am_depcomp"; then
-  # We make a subdir and do the tests there.  Otherwise we can end up
-  # making bogus files that we don't know about and never remove.  For
-  # instance it was reported that on HP-UX the gcc test will end up
-  # making a dummy file named `D' -- because `-MD' means `put the output
-  # in D'.
-  mkdir conftest.dir
-  # Copy depcomp to subdir because otherwise we won't find it if we're
-  # using a relative directory.
-  cp "$am_depcomp" conftest.dir
-  cd conftest.dir
-  # We will build objects and dependencies in a subdirectory because
-  # it helps to detect inapplicable dependency modes.  For instance
-  # both Tru64's cc and ICC support -MD to output dependencies as a
-  # side effect of compilation, but ICC will put the dependencies in
-  # the current directory while Tru64 will put them in the object
-  # directory.
-  mkdir sub
-
-  am_cv_$1_dependencies_compiler_type=none
-  if test "$am_compiler_list" = ""; then
-     am_compiler_list=`sed -n ['s/^#*\([a-zA-Z0-9]*\))$/\1/p'] < ./depcomp`
-  fi
-  for depmode in $am_compiler_list; do
-    # Setup a source with many dependencies, because some compilers
-    # like to wrap large dependency lists on column 80 (with \), and
-    # we should not choose a depcomp mode which is confused by this.
-    #
-    # We need to recreate these files for each test, as the compiler may
-    # overwrite some of them when testing with obscure command lines.
-    # This happens at least with the AIX C compiler.
-    : > sub/conftest.c
-    for i in 1 2 3 4 5 6; do
-      echo '#include "conftst'$i'.h"' >> sub/conftest.c
-      # Using `: > sub/conftst$i.h' creates only sub/conftst1.h with
-      # Solaris 8's {/usr,}/bin/sh.
-      touch sub/conftst$i.h
-    done
-    echo "${am__include} ${am__quote}sub/conftest.Po${am__quote}" > confmf
-
-    case $depmode in
-    nosideeffect)
-      # after this tag, mechanisms are not by side-effect, so they'll
-      # only be used when explicitly requested
-      if test "x$enable_dependency_tracking" = xyes; then
-	continue
-      else
-	break
-      fi
-      ;;
-    none) break ;;
-    esac
-    # We check with `-c' and `-o' for the sake of the "dashmstdout"
-    # mode.  It turns out that the SunPro C++ compiler does not properly
-    # handle `-M -o', and we need to detect this.
-    if depmode=$depmode \
-       source=sub/conftest.c object=sub/conftest.${OBJEXT-o} \
-       depfile=sub/conftest.Po tmpdepfile=sub/conftest.TPo \
-       $SHELL ./depcomp $depcc -c -o sub/conftest.${OBJEXT-o} sub/conftest.c \
-         >/dev/null 2>conftest.err &&
-       grep sub/conftst1.h sub/conftest.Po > /dev/null 2>&1 &&
-       grep sub/conftst6.h sub/conftest.Po > /dev/null 2>&1 &&
-       grep sub/conftest.${OBJEXT-o} sub/conftest.Po > /dev/null 2>&1 &&
-       ${MAKE-make} -s -f confmf > /dev/null 2>&1; then
-      # icc doesn't choke on unknown options, it will just issue warnings
-      # or remarks (even with -Werror).  So we grep stderr for any message
-      # that says an option was ignored or not supported.
-      # When given -MP, icc 7.0 and 7.1 complain thusly:
-      #   icc: Command line warning: ignoring option '-M'; no argument required
-      # The diagnosis changed in icc 8.0:
-      #   icc: Command line remark: option '-MP' not supported
-      if (grep 'ignoring option' conftest.err ||
-          grep 'not supported' conftest.err) >/dev/null 2>&1; then :; else
-        am_cv_$1_dependencies_compiler_type=$depmode
-        break
-      fi
-    fi
-  done
-
-  cd ..
-  rm -rf conftest.dir
-else
-  am_cv_$1_dependencies_compiler_type=none
-fi
-])
-AC_SUBST([$1DEPMODE], [depmode=$am_cv_$1_dependencies_compiler_type])
-AM_CONDITIONAL([am__fastdep$1], [
-  test "x$enable_dependency_tracking" != xno \
-  && test "$am_cv_$1_dependencies_compiler_type" = gcc3])
-])
-
-
-# AM_SET_DEPDIR
-# -------------
-# Choose a directory name for dependency files.
-# This macro is AC_REQUIREd in _AM_DEPENDENCIES
-AC_DEFUN([AM_SET_DEPDIR],
-[AC_REQUIRE([AM_SET_LEADING_DOT])dnl
-AC_SUBST([DEPDIR], ["${am__leading_dot}deps"])dnl
-])
-
-
-# AM_DEP_TRACK
-# ------------
-AC_DEFUN([AM_DEP_TRACK],
-[AC_ARG_ENABLE(dependency-tracking,
-[  --disable-dependency-tracking  speeds up one-time build
-  --enable-dependency-tracking   do not reject slow dependency extractors])
-if test "x$enable_dependency_tracking" != xno; then
-  am_depcomp="$ac_aux_dir/depcomp"
-  AMDEPBACKSLASH='\'
-fi
-AM_CONDITIONAL([AMDEP], [test "x$enable_dependency_tracking" != xno])
-AC_SUBST([AMDEPBACKSLASH])dnl
-_AM_SUBST_NOTMAKE([AMDEPBACKSLASH])dnl
-])
-
-# Generate code to set up dependency tracking.              -*- Autoconf -*-
-
-# Copyright (C) 1999, 2000, 2001, 2002, 2003, 2004, 2005
-# Free Software Foundation, Inc.
-#
-# This file is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-#serial 3
-
-# _AM_OUTPUT_DEPENDENCY_COMMANDS
-# ------------------------------
-AC_DEFUN([_AM_OUTPUT_DEPENDENCY_COMMANDS],
-[for mf in $CONFIG_FILES; do
-  # Strip MF so we end up with the name of the file.
-  mf=`echo "$mf" | sed -e 's/:.*$//'`
-  # Check whether this is an Automake generated Makefile or not.
-  # We used to match only the files named `Makefile.in', but
-  # some people rename them; so instead we look at the file content.
-  # Grep'ing the first line is not enough: some people post-process
-  # each Makefile.in and add a new line on top of each file to say so.
-  # Grep'ing the whole file is not good either: AIX grep has a line
-  # limit of 2048, but all sed's we know have understand at least 4000.
-  if sed -n 's,^#.*generated by automake.*,X,p' "$mf" | grep X >/dev/null 2>&1; then
-    dirpart=`AS_DIRNAME("$mf")`
-  else
-    continue
-  fi
-  # Extract the definition of DEPDIR, am__include, and am__quote
-  # from the Makefile without running `make'.
-  DEPDIR=`sed -n 's/^DEPDIR = //p' < "$mf"`
-  test -z "$DEPDIR" && continue
-  am__include=`sed -n 's/^am__include = //p' < "$mf"`
-  test -z "am__include" && continue
-  am__quote=`sed -n 's/^am__quote = //p' < "$mf"`
-  # When using ansi2knr, U may be empty or an underscore; expand it
-  U=`sed -n 's/^U = //p' < "$mf"`
-  # Find all dependency output files, they are included files with
-  # $(DEPDIR) in their names.  We invoke sed twice because it is the
-  # simplest approach to changing $(DEPDIR) to its actual value in the
-  # expansion.
-  for file in `sed -n "
-    s/^$am__include $am__quote\(.*(DEPDIR).*\)$am__quote"'$/\1/p' <"$mf" | \
-       sed -e 's/\$(DEPDIR)/'"$DEPDIR"'/g' -e 's/\$U/'"$U"'/g'`; do
-    # Make sure the directory exists.
-    test -f "$dirpart/$file" && continue
-    fdir=`AS_DIRNAME(["$file"])`
-    AS_MKDIR_P([$dirpart/$fdir])
-    # echo "creating $dirpart/$file"
-    echo '# dummy' > "$dirpart/$file"
-  done
-done
-])# _AM_OUTPUT_DEPENDENCY_COMMANDS
-
-
-# AM_OUTPUT_DEPENDENCY_COMMANDS
-# -----------------------------
-# This macro should only be invoked once -- use via AC_REQUIRE.
-#
-# This code is only required when automatic dependency tracking
-# is enabled.  FIXME.  This creates each `.P' file that we will
-# need in order to bootstrap the dependency handling code.
-AC_DEFUN([AM_OUTPUT_DEPENDENCY_COMMANDS],
-[AC_CONFIG_COMMANDS([depfiles],
-     [test x"$AMDEP_TRUE" != x"" || _AM_OUTPUT_DEPENDENCY_COMMANDS],
-     [AMDEP_TRUE="$AMDEP_TRUE" ac_aux_dir="$ac_aux_dir"])
-])
-
-# Copyright (C) 1996, 1997, 2000, 2001, 2003, 2005
-# Free Software Foundation, Inc.
-#
-# This file is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-# serial 8
-
-# AM_CONFIG_HEADER is obsolete.  It has been replaced by AC_CONFIG_HEADERS.
-AU_DEFUN([AM_CONFIG_HEADER], [AC_CONFIG_HEADERS($@)])
-
-# Do all the work for Automake.                             -*- Autoconf -*-
-
-# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004,
-# 2005, 2006, 2008 Free Software Foundation, Inc.
-#
-# This file is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-# serial 13
-
-# This macro actually does too much.  Some checks are only needed if
-# your package does certain things.  But this isn't really a big deal.
-
-# AM_INIT_AUTOMAKE(PACKAGE, VERSION, [NO-DEFINE])
-# AM_INIT_AUTOMAKE([OPTIONS])
-# -----------------------------------------------
-# The call with PACKAGE and VERSION arguments is the old style
-# call (pre autoconf-2.50), which is being phased out.  PACKAGE
-# and VERSION should now be passed to AC_INIT and removed from
-# the call to AM_INIT_AUTOMAKE.
-# We support both call styles for the transition.  After
-# the next Automake release, Autoconf can make the AC_INIT
-# arguments mandatory, and then we can depend on a new Autoconf
-# release and drop the old call support.
-AC_DEFUN([AM_INIT_AUTOMAKE],
-[AC_PREREQ([2.60])dnl
-dnl Autoconf wants to disallow AM_ names.  We explicitly allow
-dnl the ones we care about.
-m4_pattern_allow([^AM_[A-Z]+FLAGS$])dnl
-AC_REQUIRE([AM_SET_CURRENT_AUTOMAKE_VERSION])dnl
-AC_REQUIRE([AC_PROG_INSTALL])dnl
-if test "`cd $srcdir && pwd`" != "`pwd`"; then
-  # Use -I$(srcdir) only when $(srcdir) != ., so that make's output
-  # is not polluted with repeated "-I."
-  AC_SUBST([am__isrc], [' -I$(srcdir)'])_AM_SUBST_NOTMAKE([am__isrc])dnl
-  # test to see if srcdir already configured
-  if test -f $srcdir/config.status; then
-    AC_MSG_ERROR([source directory already configured; run "make distclean" there first])
-  fi
-fi
-
-# test whether we have cygpath
-if test -z "$CYGPATH_W"; then
-  if (cygpath --version) >/dev/null 2>/dev/null; then
-    CYGPATH_W='cygpath -w'
-  else
-    CYGPATH_W=echo
-  fi
-fi
-AC_SUBST([CYGPATH_W])
-
-# Define the identity of the package.
-dnl Distinguish between old-style and new-style calls.
-m4_ifval([$2],
-[m4_ifval([$3], [_AM_SET_OPTION([no-define])])dnl
- AC_SUBST([PACKAGE], [$1])dnl
- AC_SUBST([VERSION], [$2])],
-[_AM_SET_OPTIONS([$1])dnl
-dnl Diagnose old-style AC_INIT with new-style AM_AUTOMAKE_INIT.
-m4_if(m4_ifdef([AC_PACKAGE_NAME], 1)m4_ifdef([AC_PACKAGE_VERSION], 1), 11,,
-  [m4_fatal([AC_INIT should be called with package and version arguments])])dnl
- AC_SUBST([PACKAGE], ['AC_PACKAGE_TARNAME'])dnl
- AC_SUBST([VERSION], ['AC_PACKAGE_VERSION'])])dnl
-
-_AM_IF_OPTION([no-define],,
-[AC_DEFINE_UNQUOTED(PACKAGE, "$PACKAGE", [Name of package])
- AC_DEFINE_UNQUOTED(VERSION, "$VERSION", [Version number of package])])dnl
-
-# Some tools Automake needs.
-AC_REQUIRE([AM_SANITY_CHECK])dnl
-AC_REQUIRE([AC_ARG_PROGRAM])dnl
-AM_MISSING_PROG(ACLOCAL, aclocal-${am__api_version})
-AM_MISSING_PROG(AUTOCONF, autoconf)
-AM_MISSING_PROG(AUTOMAKE, automake-${am__api_version})
-AM_MISSING_PROG(AUTOHEADER, autoheader)
-AM_MISSING_PROG(MAKEINFO, makeinfo)
-AM_PROG_INSTALL_SH
-AM_PROG_INSTALL_STRIP
-AC_REQUIRE([AM_PROG_MKDIR_P])dnl
-# We need awk for the "check" target.  The system "awk" is bad on
-# some platforms.
-AC_REQUIRE([AC_PROG_AWK])dnl
-AC_REQUIRE([AC_PROG_MAKE_SET])dnl
-AC_REQUIRE([AM_SET_LEADING_DOT])dnl
-_AM_IF_OPTION([tar-ustar], [_AM_PROG_TAR([ustar])],
-              [_AM_IF_OPTION([tar-pax], [_AM_PROG_TAR([pax])],
-	      		     [_AM_PROG_TAR([v7])])])
-_AM_IF_OPTION([no-dependencies],,
-[AC_PROVIDE_IFELSE([AC_PROG_CC],
-                  [_AM_DEPENDENCIES(CC)],
-                  [define([AC_PROG_CC],
-                          defn([AC_PROG_CC])[_AM_DEPENDENCIES(CC)])])dnl
-AC_PROVIDE_IFELSE([AC_PROG_CXX],
-                  [_AM_DEPENDENCIES(CXX)],
-                  [define([AC_PROG_CXX],
-                          defn([AC_PROG_CXX])[_AM_DEPENDENCIES(CXX)])])dnl
-AC_PROVIDE_IFELSE([AC_PROG_OBJC],
-                  [_AM_DEPENDENCIES(OBJC)],
-                  [define([AC_PROG_OBJC],
-                          defn([AC_PROG_OBJC])[_AM_DEPENDENCIES(OBJC)])])dnl
-])
-])
-
-
-# When config.status generates a header, we must update the stamp-h file.
-# This file resides in the same directory as the config header
-# that is generated.  The stamp files are numbered to have different names.
-
-# Autoconf calls _AC_AM_CONFIG_HEADER_HOOK (when defined) in the
-# loop where config.status creates the headers, so we can generate
-# our stamp files there.
-AC_DEFUN([_AC_AM_CONFIG_HEADER_HOOK],
-[# Compute $1's index in $config_headers.
-_am_arg=$1
-_am_stamp_count=1
-for _am_header in $config_headers :; do
-  case $_am_header in
-    $_am_arg | $_am_arg:* )
-      break ;;
-    * )
-      _am_stamp_count=`expr $_am_stamp_count + 1` ;;
-  esac
-done
-echo "timestamp for $_am_arg" >`AS_DIRNAME(["$_am_arg"])`/stamp-h[]$_am_stamp_count])
-
-# Copyright (C) 2001, 2003, 2005  Free Software Foundation, Inc.
-#
-# This file is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-# AM_PROG_INSTALL_SH
-# ------------------
-# Define $install_sh.
-AC_DEFUN([AM_PROG_INSTALL_SH],
-[AC_REQUIRE([AM_AUX_DIR_EXPAND])dnl
-install_sh=${install_sh-"\$(SHELL) $am_aux_dir/install-sh"}
-AC_SUBST(install_sh)])
-
-# Copyright (C) 2003, 2005  Free Software Foundation, Inc.
-#
-# This file is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-# serial 2
-
-# Check whether the underlying file-system supports filenames
-# with a leading dot.  For instance MS-DOS doesn't.
-AC_DEFUN([AM_SET_LEADING_DOT],
-[rm -rf .tst 2>/dev/null
-mkdir .tst 2>/dev/null
-if test -d .tst; then
-  am__leading_dot=.
-else
-  am__leading_dot=_
-fi
-rmdir .tst 2>/dev/null
-AC_SUBST([am__leading_dot])])
-
-# Add --enable-maintainer-mode option to configure.         -*- Autoconf -*-
-# From Jim Meyering
-
-# Copyright (C) 1996, 1998, 2000, 2001, 2002, 2003, 2004, 2005
-# Free Software Foundation, Inc.
-#
-# This file is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-# serial 4
-
-AC_DEFUN([AM_MAINTAINER_MODE],
-[AC_MSG_CHECKING([whether to enable maintainer-specific portions of Makefiles])
-  dnl maintainer-mode is disabled by default
-  AC_ARG_ENABLE(maintainer-mode,
-[  --enable-maintainer-mode  enable make rules and dependencies not useful
-			  (and sometimes confusing) to the casual installer],
-      USE_MAINTAINER_MODE=$enableval,
-      USE_MAINTAINER_MODE=no)
-  AC_MSG_RESULT([$USE_MAINTAINER_MODE])
-  AM_CONDITIONAL(MAINTAINER_MODE, [test $USE_MAINTAINER_MODE = yes])
-  MAINT=$MAINTAINER_MODE_TRUE
-  AC_SUBST(MAINT)dnl
-]
-)
-
-AU_DEFUN([jm_MAINTAINER_MODE], [AM_MAINTAINER_MODE])
-
-# Check to see how 'make' treats includes.	            -*- Autoconf -*-
-
-# Copyright (C) 2001, 2002, 2003, 2005  Free Software Foundation, Inc.
-#
-# This file is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-# serial 3
-
-# AM_MAKE_INCLUDE()
-# -----------------
-# Check to see how make treats includes.
-AC_DEFUN([AM_MAKE_INCLUDE],
-[am_make=${MAKE-make}
-cat > confinc << 'END'
-am__doit:
-	@echo done
-.PHONY: am__doit
-END
-# If we don't find an include directive, just comment out the code.
-AC_MSG_CHECKING([for style of include used by $am_make])
-am__include="#"
-am__quote=
-_am_result=none
-# First try GNU make style include.
-echo "include confinc" > confmf
-# We grep out `Entering directory' and `Leaving directory'
-# messages which can occur if `w' ends up in MAKEFLAGS.
-# In particular we don't look at `^make:' because GNU make might
-# be invoked under some other name (usually "gmake"), in which
-# case it prints its new name instead of `make'.
-if test "`$am_make -s -f confmf 2> /dev/null | grep -v 'ing directory'`" = "done"; then
-   am__include=include
-   am__quote=
-   _am_result=GNU
-fi
-# Now try BSD make style include.
-if test "$am__include" = "#"; then
-   echo '.include "confinc"' > confmf
-   if test "`$am_make -s -f confmf 2> /dev/null`" = "done"; then
-      am__include=.include
-      am__quote="\""
-      _am_result=BSD
-   fi
-fi
-AC_SUBST([am__include])
-AC_SUBST([am__quote])
-AC_MSG_RESULT([$_am_result])
-rm -f confinc confmf
-])
-
-# Copyright (C) 1999, 2000, 2001, 2003, 2004, 2005
-# Free Software Foundation, Inc.
-#
-# This file is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-# serial 5
-
-# AM_PROG_CC_C_O
-# --------------
-# Like AC_PROG_CC_C_O, but changed for automake.
-AC_DEFUN([AM_PROG_CC_C_O],
-[AC_REQUIRE([AC_PROG_CC_C_O])dnl
-AC_REQUIRE([AM_AUX_DIR_EXPAND])dnl
-AC_REQUIRE_AUX_FILE([compile])dnl
-# FIXME: we rely on the cache variable name because
-# there is no other way.
-set dummy $CC
-ac_cc=`echo $[2] | sed ['s/[^a-zA-Z0-9_]/_/g;s/^[0-9]/_/']`
-if eval "test \"`echo '$ac_cv_prog_cc_'${ac_cc}_c_o`\" != yes"; then
-   # Losing compiler, so override with the script.
-   # FIXME: It is wrong to rewrite CC.
-   # But if we don't then we get into trouble of one sort or another.
-   # A longer-term fix would be to have automake use am__CC in this case,
-   # and then we could set am__CC="\$(top_srcdir)/compile \$(CC)"
-   CC="$am_aux_dir/compile $CC"
-fi
-dnl Make sure AC_PROG_CC is never called again, or it will override our
-dnl setting of CC.
-m4_define([AC_PROG_CC],
-          [m4_fatal([AC_PROG_CC cannot be called after AM_PROG_CC_C_O])])
-])
-
-# Fake the existence of programs that GNU maintainers use.  -*- Autoconf -*-
-
-# Copyright (C) 1997, 1999, 2000, 2001, 2003, 2004, 2005
-# Free Software Foundation, Inc.
-#
-# This file is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-# serial 5
-
-# AM_MISSING_PROG(NAME, PROGRAM)
-# ------------------------------
-AC_DEFUN([AM_MISSING_PROG],
-[AC_REQUIRE([AM_MISSING_HAS_RUN])
-$1=${$1-"${am_missing_run}$2"}
-AC_SUBST($1)])
-
-
-# AM_MISSING_HAS_RUN
-# ------------------
-# Define MISSING if not defined so far and test if it supports --run.
-# If it does, set am_missing_run to use it, otherwise, to nothing.
-AC_DEFUN([AM_MISSING_HAS_RUN],
-[AC_REQUIRE([AM_AUX_DIR_EXPAND])dnl
-AC_REQUIRE_AUX_FILE([missing])dnl
-test x"${MISSING+set}" = xset || MISSING="\${SHELL} $am_aux_dir/missing"
-# Use eval to expand $SHELL
-if eval "$MISSING --run true"; then
-  am_missing_run="$MISSING --run "
-else
-  am_missing_run=
-  AC_MSG_WARN([`missing' script is too old or missing])
-fi
-])
-
-# Copyright (C) 2003, 2004, 2005, 2006  Free Software Foundation, Inc.
-#
-# This file is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-# AM_PROG_MKDIR_P
-# ---------------
-# Check for `mkdir -p'.
-AC_DEFUN([AM_PROG_MKDIR_P],
-[AC_PREREQ([2.60])dnl
-AC_REQUIRE([AC_PROG_MKDIR_P])dnl
-dnl Automake 1.8 to 1.9.6 used to define mkdir_p.  We now use MKDIR_P,
-dnl while keeping a definition of mkdir_p for backward compatibility.
-dnl @MKDIR_P@ is magic: AC_OUTPUT adjusts its value for each Makefile.
-dnl However we cannot define mkdir_p as $(MKDIR_P) for the sake of
-dnl Makefile.ins that do not define MKDIR_P, so we do our own
-dnl adjustment using top_builddir (which is defined more often than
-dnl MKDIR_P).
-AC_SUBST([mkdir_p], ["$MKDIR_P"])dnl
-case $mkdir_p in
-  [[\\/$]]* | ?:[[\\/]]*) ;;
-  */*) mkdir_p="\$(top_builddir)/$mkdir_p" ;;
-esac
-])
-
-# Helper functions for option handling.                     -*- Autoconf -*-
-
-# Copyright (C) 2001, 2002, 2003, 2005  Free Software Foundation, Inc.
-#
-# This file is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-# serial 3
-
-# _AM_MANGLE_OPTION(NAME)
-# -----------------------
-AC_DEFUN([_AM_MANGLE_OPTION],
-[[_AM_OPTION_]m4_bpatsubst($1, [[^a-zA-Z0-9_]], [_])])
-
-# _AM_SET_OPTION(NAME)
-# ------------------------------
-# Set option NAME.  Presently that only means defining a flag for this option.
-AC_DEFUN([_AM_SET_OPTION],
-[m4_define(_AM_MANGLE_OPTION([$1]), 1)])
-
-# _AM_SET_OPTIONS(OPTIONS)
-# ----------------------------------
-# OPTIONS is a space-separated list of Automake options.
-AC_DEFUN([_AM_SET_OPTIONS],
-[AC_FOREACH([_AM_Option], [$1], [_AM_SET_OPTION(_AM_Option)])])
-
-# _AM_IF_OPTION(OPTION, IF-SET, [IF-NOT-SET])
-# -------------------------------------------
-# Execute IF-SET if OPTION is set, IF-NOT-SET otherwise.
-AC_DEFUN([_AM_IF_OPTION],
-[m4_ifset(_AM_MANGLE_OPTION([$1]), [$2], [$3])])
-
-# Check to make sure that the build environment is sane.    -*- Autoconf -*-
-
-# Copyright (C) 1996, 1997, 2000, 2001, 2003, 2005
-# Free Software Foundation, Inc.
-#
-# This file is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-# serial 4
-
-# AM_SANITY_CHECK
-# ---------------
-AC_DEFUN([AM_SANITY_CHECK],
-[AC_MSG_CHECKING([whether build environment is sane])
-# Just in case
-sleep 1
-echo timestamp > conftest.file
-# Do `set' in a subshell so we don't clobber the current shell's
-# arguments.  Must try -L first in case configure is actually a
-# symlink; some systems play weird games with the mod time of symlinks
-# (eg FreeBSD returns the mod time of the symlink's containing
-# directory).
-if (
-   set X `ls -Lt $srcdir/configure conftest.file 2> /dev/null`
-   if test "$[*]" = "X"; then
-      # -L didn't work.
-      set X `ls -t $srcdir/configure conftest.file`
-   fi
-   rm -f conftest.file
-   if test "$[*]" != "X $srcdir/configure conftest.file" \
-      && test "$[*]" != "X conftest.file $srcdir/configure"; then
-
-      # If neither matched, then we have a broken ls.  This can happen
-      # if, for instance, CONFIG_SHELL is bash and it inherits a
-      # broken ls alias from the environment.  This has actually
-      # happened.  Such a system could not be considered "sane".
-      AC_MSG_ERROR([ls -t appears to fail.  Make sure there is not a broken
-alias in your environment])
-   fi
-
-   test "$[2]" = conftest.file
-   )
-then
-   # Ok.
-   :
-else
-   AC_MSG_ERROR([newly created file is older than distributed files!
-Check your system clock])
-fi
-AC_MSG_RESULT(yes)])
-
-# Copyright (C) 2001, 2003, 2005  Free Software Foundation, Inc.
-#
-# This file is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-# AM_PROG_INSTALL_STRIP
-# ---------------------
-# One issue with vendor `install' (even GNU) is that you can't
-# specify the program used to strip binaries.  This is especially
-# annoying in cross-compiling environments, where the build's strip
-# is unlikely to handle the host's binaries.
-# Fortunately install-sh will honor a STRIPPROG variable, so we
-# always use install-sh in `make install-strip', and initialize
-# STRIPPROG with the value of the STRIP variable (set by the user).
-AC_DEFUN([AM_PROG_INSTALL_STRIP],
-[AC_REQUIRE([AM_PROG_INSTALL_SH])dnl
-# Installed binaries are usually stripped using `strip' when the user
-# run `make install-strip'.  However `strip' might not be the right
-# tool to use in cross-compilation environments, therefore Automake
-# will honor the `STRIP' environment variable to overrule this program.
-dnl Don't test for $cross_compiling = yes, because it might be `maybe'.
-if test "$cross_compiling" != no; then
-  AC_CHECK_TOOL([STRIP], [strip], :)
-fi
-INSTALL_STRIP_PROGRAM="\$(install_sh) -c -s"
-AC_SUBST([INSTALL_STRIP_PROGRAM])])
-
-# Copyright (C) 2006  Free Software Foundation, Inc.
-#
-# This file is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-# _AM_SUBST_NOTMAKE(VARIABLE)
-# ---------------------------
-# Prevent Automake from outputting VARIABLE = @VARIABLE@ in Makefile.in.
-# This macro is traced by Automake.
-AC_DEFUN([_AM_SUBST_NOTMAKE])
-
-# Check how to create a tarball.                            -*- Autoconf -*-
-
-# Copyright (C) 2004, 2005  Free Software Foundation, Inc.
-#
-# This file is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-# serial 2
-
-# _AM_PROG_TAR(FORMAT)
-# --------------------
-# Check how to create a tarball in format FORMAT.
-# FORMAT should be one of `v7', `ustar', or `pax'.
-#
-# Substitute a variable $(am__tar) that is a command
-# writing to stdout a FORMAT-tarball containing the directory
-# $tardir.
-#     tardir=directory && $(am__tar) > result.tar
-#
-# Substitute a variable $(am__untar) that extract such
-# a tarball read from stdin.
-#     $(am__untar) < result.tar
-AC_DEFUN([_AM_PROG_TAR],
-[# Always define AMTAR for backward compatibility.
-AM_MISSING_PROG([AMTAR], [tar])
-m4_if([$1], [v7],
-     [am__tar='${AMTAR} chof - "$$tardir"'; am__untar='${AMTAR} xf -'],
-     [m4_case([$1], [ustar],, [pax],,
-              [m4_fatal([Unknown tar format])])
-AC_MSG_CHECKING([how to create a $1 tar archive])
-# Loop over all known methods to create a tar archive until one works.
-_am_tools='gnutar m4_if([$1], [ustar], [plaintar]) pax cpio none'
-_am_tools=${am_cv_prog_tar_$1-$_am_tools}
-# Do not fold the above two line into one, because Tru64 sh and
-# Solaris sh will not grok spaces in the rhs of `-'.
-for _am_tool in $_am_tools
-do
-  case $_am_tool in
-  gnutar)
-    for _am_tar in tar gnutar gtar;
-    do
-      AM_RUN_LOG([$_am_tar --version]) && break
-    done
-    am__tar="$_am_tar --format=m4_if([$1], [pax], [posix], [$1]) -chf - "'"$$tardir"'
-    am__tar_="$_am_tar --format=m4_if([$1], [pax], [posix], [$1]) -chf - "'"$tardir"'
-    am__untar="$_am_tar -xf -"
-    ;;
-  plaintar)
-    # Must skip GNU tar: if it does not support --format= it doesn't create
-    # ustar tarball either.
-    (tar --version) >/dev/null 2>&1 && continue
-    am__tar='tar chf - "$$tardir"'
-    am__tar_='tar chf - "$tardir"'
-    am__untar='tar xf -'
-    ;;
-  pax)
-    am__tar='pax -L -x $1 -w "$$tardir"'
-    am__tar_='pax -L -x $1 -w "$tardir"'
-    am__untar='pax -r'
-    ;;
-  cpio)
-    am__tar='find "$$tardir" -print | cpio -o -H $1 -L'
-    am__tar_='find "$tardir" -print | cpio -o -H $1 -L'
-    am__untar='cpio -i -H $1 -d'
-    ;;
-  none)
-    am__tar=false
-    am__tar_=false
-    am__untar=false
-    ;;
-  esac
-
-  # If the value was cached, stop now.  We just wanted to have am__tar
-  # and am__untar set.
-  test -n "${am_cv_prog_tar_$1}" && break
-
-  # tar/untar a dummy directory, and stop if the command works
-  rm -rf conftest.dir
-  mkdir conftest.dir
-  echo GrepMe > conftest.dir/file
-  AM_RUN_LOG([tardir=conftest.dir && eval $am__tar_ >conftest.tar])
-  rm -rf conftest.dir
-  if test -s conftest.tar; then
-    AM_RUN_LOG([$am__untar <conftest.tar])
-    grep GrepMe conftest.dir/file >/dev/null 2>&1 && break
-  fi
-done
-rm -rf conftest.dir
-
-AC_CACHE_VAL([am_cv_prog_tar_$1], [am_cv_prog_tar_$1=$_am_tool])
-AC_MSG_RESULT([$am_cv_prog_tar_$1])])
-AC_SUBST([am__tar])
-AC_SUBST([am__untar])
-]) # _AM_PROG_TAR
-
diff --git a/src/charon/plugins/nm/gnome/auth-dialog/.deps/nm_strongswan_auth_dialog-main.Po b/src/charon/plugins/nm/gnome/auth-dialog/.deps/nm_strongswan_auth_dialog-main.Po
deleted file mode 100644
index 9ce06a81e..000000000
--- a/src/charon/plugins/nm/gnome/auth-dialog/.deps/nm_strongswan_auth_dialog-main.Po
+++ /dev/null
@@ -1 +0,0 @@
-# dummy
diff --git a/src/charon/plugins/nm/gnome/auth-dialog/Makefile b/src/charon/plugins/nm/gnome/auth-dialog/Makefile
deleted file mode 100644
index 7519b1e2f..000000000
--- a/src/charon/plugins/nm/gnome/auth-dialog/Makefile
+++ /dev/null
@@ -1,566 +0,0 @@
-# Makefile.in generated by automake 1.10.1 from Makefile.am.
-# auth-dialog/Makefile.  Generated from Makefile.in by configure.
-
-# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
-# This Makefile.in is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
-# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
-# PARTICULAR PURPOSE.
-
-
-
-
-pkgdatadir = $(datadir)/NetworkManager-strongswan
-pkglibdir = $(libdir)/NetworkManager-strongswan
-pkgincludedir = $(includedir)/NetworkManager-strongswan
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-install_sh_DATA = $(install_sh) -c -m 644
-install_sh_PROGRAM = $(install_sh) -c
-install_sh_SCRIPT = $(install_sh) -c
-INSTALL_HEADER = $(INSTALL_DATA)
-transform = $(program_transform_name)
-NORMAL_INSTALL = :
-PRE_INSTALL = :
-POST_INSTALL = :
-NORMAL_UNINSTALL = :
-PRE_UNINSTALL = :
-POST_UNINSTALL = :
-build_triplet = i686-pc-linux-gnu
-host_triplet = i686-pc-linux-gnu
-libexec_PROGRAMS = nm-strongswan-auth-dialog$(EXEEXT)
-subdir = auth-dialog
-DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
-ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/configure.in
-am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
-	$(ACLOCAL_M4)
-mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
-CONFIG_HEADER = $(top_builddir)/config.h
-CONFIG_CLEAN_FILES =
-am__installdirs = "$(DESTDIR)$(libexecdir)"
-libexecPROGRAMS_INSTALL = $(INSTALL_PROGRAM)
-PROGRAMS = $(libexec_PROGRAMS)
-am_nm_strongswan_auth_dialog_OBJECTS =  \
-	nm_strongswan_auth_dialog-main.$(OBJEXT)
-nm_strongswan_auth_dialog_OBJECTS =  \
-	$(am_nm_strongswan_auth_dialog_OBJECTS)
-am__DEPENDENCIES_1 =
-nm_strongswan_auth_dialog_DEPENDENCIES = $(am__DEPENDENCIES_1) \
-	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1)
-DEFAULT_INCLUDES = -I. -I$(top_builddir)
-depcomp = $(SHELL) $(top_srcdir)/depcomp
-am__depfiles_maybe = depfiles
-COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
-	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
-SOURCES = $(nm_strongswan_auth_dialog_SOURCES)
-DIST_SOURCES = $(nm_strongswan_auth_dialog_SOURCES)
-ETAGS = etags
-CTAGS = ctags
-DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
-ACLOCAL = ${SHELL} /home/andi/trunk/src/charon/plugins/nm/gnome/missing --run aclocal-1.10
-ALL_LINGUAS = 
-AMTAR = ${SHELL} /home/andi/trunk/src/charon/plugins/nm/gnome/missing --run tar
-AR = ar
-AUTOCONF = ${SHELL} /home/andi/trunk/src/charon/plugins/nm/gnome/missing --run autoconf
-AUTOHEADER = ${SHELL} /home/andi/trunk/src/charon/plugins/nm/gnome/missing --run autoheader
-AUTOMAKE = ${SHELL} /home/andi/trunk/src/charon/plugins/nm/gnome/missing --run automake-1.10
-AWK = gawk
-CATALOGS = 
-CATOBJEXT = .gmo
-CC = gcc
-CCDEPMODE = depmode=gcc3
-CFLAGS = -g -O2
-CPP = gcc -E
-CPPFLAGS = 
-CXX = g++
-CXXCPP = g++ -E
-CXXDEPMODE = depmode=gcc3
-CXXFLAGS = -g -O2
-CYGPATH_W = echo
-DATADIRNAME = share
-DBUS_CFLAGS = -I/usr/include/dbus-1.0 -I/usr/lib/dbus-1.0/include -I/usr/include/glib-2.0 -I/usr/lib/glib-2.0/include  
-DBUS_LIBS = -ldbus-glib-1 -ldbus-1 -lgobject-2.0 -lglib-2.0  
-DEFS = -DHAVE_CONFIG_H
-DEPDIR = .deps
-DSYMUTIL = 
-ECHO = echo
-ECHO_C = 
-ECHO_N = -n
-ECHO_T = 
-EGREP = /bin/grep -E
-EXEEXT = 
-F77 = 
-FFLAGS = 
-GCONF_CFLAGS = -DORBIT2=1 -pthread -I/usr/include/gconf/2 -I/usr/include/orbit-2.0 -I/usr/include/glib-2.0 -I/usr/lib/glib-2.0/include  
-GCONF_LIBS = -lgconf-2 -lglib-2.0  
-GDK_PIXBUF_CFLAGS = -I/usr/include/gtk-2.0 -I/usr/include/glib-2.0 -I/usr/lib/glib-2.0/include  
-GDK_PIXBUF_LIBS = -lgdk_pixbuf-2.0 -lm -lgobject-2.0 -lgmodule-2.0 -ldl -lglib-2.0  
-GETTEXT_PACKAGE = NetworkManager-strongswan
-GLADE_CFLAGS = -I/usr/include/libglade-2.0 -I/usr/include/gtk-2.0 -I/usr/include/libxml2 -I/usr/lib/gtk-2.0/include -I/usr/include/atk-1.0 -I/usr/include/cairo -I/usr/include/pango-1.0 -I/usr/include/glib-2.0 -I/usr/lib/glib-2.0/include -I/usr/include/freetype2 -I/usr/include/libpng12 -I/usr/include/pixman-1  
-GLADE_LIBS = -lglade-2.0 -lgtk-x11-2.0 -lxml2 -lgdk-x11-2.0 -latk-1.0 -lgdk_pixbuf-2.0 -lm -lpangocairo-1.0 -lpango-1.0 -lcairo -lgobject-2.0 -lgmodule-2.0 -ldl -lglib-2.0  
-GMOFILES = 
-GMSGFMT = /usr/bin/msgfmt
-GNOMEKEYRING_CFLAGS = -I/usr/include/gnome-keyring-1 -I/usr/include/glib-2.0 -I/usr/lib/glib-2.0/include  
-GNOMEKEYRING_LIBS = -lgnome-keyring -lglib-2.0  
-GREP = /bin/grep
-GTHREAD_CFLAGS = -pthread -I/usr/include/glib-2.0 -I/usr/lib/glib-2.0/include  
-GTHREAD_LIBS = -pthread -lgthread-2.0 -lrt -lglib-2.0  
-GTK_CFLAGS = -I/usr/include/gtk-2.0 -I/usr/lib/gtk-2.0/include -I/usr/include/atk-1.0 -I/usr/include/cairo -I/usr/include/pango-1.0 -I/usr/include/glib-2.0 -I/usr/lib/glib-2.0/include -I/usr/include/freetype2 -I/usr/include/libpng12 -I/usr/include/pixman-1  
-GTK_LIBS = -lgtk-x11-2.0 -lgdk-x11-2.0 -latk-1.0 -lgdk_pixbuf-2.0 -lm -lpangocairo-1.0 -lpango-1.0 -lcairo -lgobject-2.0 -lgmodule-2.0 -ldl -lglib-2.0  
-INSTALL = /usr/bin/install -c
-INSTALL_DATA = ${INSTALL} -m 644
-INSTALL_PROGRAM = ${INSTALL}
-INSTALL_SCRIPT = ${INSTALL}
-INSTALL_STRIP_PROGRAM = $(install_sh) -c -s
-INSTOBJEXT = .mo
-INTLLIBS = 
-INTLTOOL_CAVES_RULE = %.caves:     %.caves.in     $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -d -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< $@
-INTLTOOL_DESKTOP_RULE = %.desktop:   %.desktop.in   $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -d -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< $@
-INTLTOOL_DIRECTORY_RULE = %.directory: %.directory.in $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -d -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< $@
-INTLTOOL_EXTRACT = $(top_builddir)/intltool-extract
-INTLTOOL_KBD_RULE = %.kbd:       %.kbd.in       $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -x -u -m -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< $@
-INTLTOOL_KEYS_RULE = %.keys:      %.keys.in      $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -k -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< $@
-INTLTOOL_MERGE = $(top_builddir)/intltool-merge
-INTLTOOL_OAF_RULE = %.oaf:       %.oaf.in       $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -o -p $(top_srcdir)/po $< $@
-INTLTOOL_PERL = /usr/bin/perl
-INTLTOOL_POLICY_RULE = %.policy:    %.policy.in    $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -x -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< $@
-INTLTOOL_PONG_RULE = %.pong:      %.pong.in      $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -x -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< $@
-INTLTOOL_PROP_RULE = %.prop:      %.prop.in      $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -d -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< $@
-INTLTOOL_SCHEMAS_RULE = %.schemas:   %.schemas.in   $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -s -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< $@
-INTLTOOL_SERVER_RULE = %.server:    %.server.in    $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -o -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< $@
-INTLTOOL_SERVICE_RULE = %.service: %.service.in   $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -d -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< $@
-INTLTOOL_SHEET_RULE = %.sheet:     %.sheet.in     $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -x -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< $@
-INTLTOOL_SOUNDLIST_RULE = %.soundlist: %.soundlist.in $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -d -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< $@
-INTLTOOL_THEME_RULE = %.theme:     %.theme.in     $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -d -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< $@
-INTLTOOL_UI_RULE = %.ui:        %.ui.in        $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -x -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< $@
-INTLTOOL_UPDATE = $(top_builddir)/intltool-update
-INTLTOOL_XAM_RULE = %.xam:       %.xml.in       $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -x -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< $@
-INTLTOOL_XML_NOMERGE_RULE = %.xml:       %.xml.in       $(INTLTOOL_MERGE) ; LC_ALL=C $(INTLTOOL_MERGE) -x -u /tmp $< $@
-INTLTOOL_XML_RULE = %.xml:       %.xml.in       $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -x -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< $@
-LDFLAGS = 
-LIBGNOMEUI_CFLAGS = -DORBIT2=1 -pthread -I/usr/include/libgnomeui-2.0 -I/usr/include/libart-2.0 -I/usr/include/gconf/2 -I/usr/include/gnome-keyring-1 -I/usr/include/libgnome-2.0 -I/usr/include/libbonoboui-2.0 -I/usr/include/libgnomecanvas-2.0 -I/usr/include/gtk-2.0 -I/usr/include/gnome-vfs-2.0 -I/usr/lib/gnome-vfs-2.0/include -I/usr/include/orbit-2.0 -I/usr/include/glib-2.0 -I/usr/lib/glib-2.0/include -I/usr/include/libbonobo-2.0 -I/usr/include/bonobo-activation-2.0 -I/usr/include/libxml2 -I/usr/include/pango-1.0 -I/usr/include/gail-1.0 -I/usr/include/freetype2 -I/usr/include/atk-1.0 -I/usr/lib/gtk-2.0/include -I/usr/include/cairo -I/usr/include/libpng12 -I/usr/include/pixman-1  
-LIBGNOMEUI_LIBS = -pthread -lgnomeui-2 -lSM -lICE -lbonoboui-2 -lgnomevfs-2 -lgnomecanvas-2 -lgnome-2 -lpopt -lbonobo-2 -lbonobo-activation -lORBit-2 -lart_lgpl_2 -lgtk-x11-2.0 -lgdk-x11-2.0 -latk-1.0 -lgdk_pixbuf-2.0 -lm -lpangocairo-1.0 -lpango-1.0 -lcairo -lgconf-2 -lgthread-2.0 -lrt -lgmodule-2.0 -ldl -lgobject-2.0 -lglib-2.0  
-LIBOBJS = 
-LIBS = 
-LIBTOOL = $(SHELL) $(top_builddir)/libtool
-LN_S = ln -s
-LTLIBOBJS = 
-MAINT = 
-MAKEINFO = ${SHELL} /home/andi/trunk/src/charon/plugins/nm/gnome/missing --run makeinfo
-MKDIR_P = /bin/mkdir -p
-MKINSTALLDIRS = ./mkinstalldirs
-MSGFMT = /usr/bin/msgfmt
-MSGFMT_OPTS = -c
-MSGMERGE = /usr/bin/msgmerge
-NMEDIT = 
-NM_UTILS_CFLAGS = -I/usr/include/NetworkManager -I/usr/include/glib-2.0 -I/usr/lib/glib-2.0/include -I/usr/include/libnm-glib -I/usr/include/dbus-1.0 -I/usr/lib/dbus-1.0/include  
-NM_UTILS_LIBS = -lnm-util -lnm_glib -lnm_glib_vpn -ldbus-glib-1 -ldbus-1 -lgobject-2.0 -lglib-2.0  
-OBJEXT = o
-PACKAGE = NetworkManager-strongswan
-PACKAGE_BUGREPORT = martin@strongswan.org
-PACKAGE_NAME = NetworkManager-strongswan
-PACKAGE_STRING = NetworkManager-strongswan 4.2.6
-PACKAGE_TARNAME = NetworkManager-strongswan
-PACKAGE_VERSION = 4.2.6
-PATH_SEPARATOR = :
-PKG_CONFIG = /usr/bin/pkg-config
-POFILES = 
-POSUB = po
-PO_IN_DATADIR_FALSE = 
-PO_IN_DATADIR_TRUE = 
-RANLIB = ranlib
-SED = /bin/sed
-SET_MAKE = 
-SHELL = /bin/bash
-STRIP = strip
-USE_NLS = yes
-VERSION = 4.2.6
-XGETTEXT = /usr/bin/xgettext
-abs_builddir = /home/andi/trunk/src/charon/plugins/nm/gnome/auth-dialog
-abs_srcdir = /home/andi/trunk/src/charon/plugins/nm/gnome/auth-dialog
-abs_top_builddir = /home/andi/trunk/src/charon/plugins/nm/gnome
-abs_top_srcdir = /home/andi/trunk/src/charon/plugins/nm/gnome
-ac_ct_CC = gcc
-ac_ct_CXX = g++
-ac_ct_F77 = 
-am__include = include
-am__leading_dot = .
-am__quote = 
-am__tar = ${AMTAR} chof - "$$tardir"
-am__untar = ${AMTAR} xf -
-bindir = ${exec_prefix}/bin
-build = i686-pc-linux-gnu
-build_alias = 
-build_cpu = i686
-build_os = linux-gnu
-build_vendor = pc
-builddir = .
-charon = ${exec_prefix}/libexec/ipsec/charon
-datadir = ${datarootdir}
-datarootdir = ${prefix}/share
-docdir = ${datarootdir}/doc/${PACKAGE_TARNAME}
-dvidir = ${docdir}
-exec_prefix = ${prefix}
-host = i686-pc-linux-gnu
-host_alias = 
-host_cpu = i686
-host_os = linux-gnu
-host_vendor = pc
-htmldir = ${docdir}
-includedir = ${prefix}/include
-infodir = ${datarootdir}/info
-install_sh = $(SHELL) /home/andi/trunk/src/charon/plugins/nm/gnome/install-sh
-libdir = ${exec_prefix}/lib
-libexecdir = ${exec_prefix}/libexec
-localedir = ${datarootdir}/locale
-localstatedir = ${prefix}/var
-mandir = ${datarootdir}/man
-mkdir_p = /bin/mkdir -p
-oldincludedir = /usr/include
-pdfdir = ${docdir}
-prefix = /usr/local
-program_transform_name = s,x,x,
-psdir = ${docdir}
-sbindir = ${exec_prefix}/sbin
-sharedstatedir = ${prefix}/com
-srcdir = .
-sysconfdir = ${prefix}/etc
-target_alias = 
-top_builddir = ..
-top_srcdir = ..
-nm_strongswan_auth_dialog_CPPFLAGS = \
-	$(GTHREAD_CFLAGS) \
-	$(GTK_CFLAGS) \
-	$(LIBGNOMEUI_CFLAGS) \
-	$(GNOMEKEYRING_CFLAGS) \
-	$(NETWORK_MANAGER_CFLAGS) \
-	$(NM_UTILS_CFLAGS) \
-	-DICONDIR=\""$(datadir)/pixmaps"\" \
-	-DGLADEDIR=\""$(gladedir)"\" \
-	-DBINDIR=\""$(bindir)"\" \
-	-DDBUS_API_SUBJECT_TO_CHANGE \
-	-DG_DISABLE_DEPRECATED \
-	-DGDK_DISABLE_DEPRECATED \
-	-DGNOME_DISABLE_DEPRECATED \
-	-DGNOMELOCALEDIR=\"$(datadir)/locale\" \
-	-DVERSION=\"$(VERSION)\"
-
-nm_strongswan_auth_dialog_SOURCES = \
-	main.c
-
-nm_strongswan_auth_dialog_LDADD = \
-	$(GTK_LIBS) \
-	$(LIBGNOMEUI_LIBS) \
-	$(GNOMEKEYRING_LIBS)
-
-all: all-am
-
-.SUFFIXES:
-.SUFFIXES: .c .lo .o .obj
-$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
-	@for dep in $?; do \
-	  case '$(am__configure_deps)' in \
-	    *$$dep*) \
-	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
-		&& exit 0; \
-	      exit 1;; \
-	  esac; \
-	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  auth-dialog/Makefile'; \
-	cd $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu  auth-dialog/Makefile
-.PRECIOUS: Makefile
-Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
-	@case '$?' in \
-	  *config.status*) \
-	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
-	  *) \
-	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
-	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
-	esac;
-
-$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-
-$(top_srcdir)/configure:  $(am__configure_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-install-libexecPROGRAMS: $(libexec_PROGRAMS)
-	@$(NORMAL_INSTALL)
-	test -z "$(libexecdir)" || $(MKDIR_P) "$(DESTDIR)$(libexecdir)"
-	@list='$(libexec_PROGRAMS)'; for p in $$list; do \
-	  p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
-	  if test -f $$p \
-	     || test -f $$p1 \
-	  ; then \
-	    f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \
-	   echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(libexecPROGRAMS_INSTALL) '$$p' '$(DESTDIR)$(libexecdir)/$$f'"; \
-	   $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(libexecPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(libexecdir)/$$f" || exit 1; \
-	  else :; fi; \
-	done
-
-uninstall-libexecPROGRAMS:
-	@$(NORMAL_UNINSTALL)
-	@list='$(libexec_PROGRAMS)'; for p in $$list; do \
-	  f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \
-	  echo " rm -f '$(DESTDIR)$(libexecdir)/$$f'"; \
-	  rm -f "$(DESTDIR)$(libexecdir)/$$f"; \
-	done
-
-clean-libexecPROGRAMS:
-	@list='$(libexec_PROGRAMS)'; for p in $$list; do \
-	  f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
-	  echo " rm -f $$p $$f"; \
-	  rm -f $$p $$f ; \
-	done
-nm-strongswan-auth-dialog$(EXEEXT): $(nm_strongswan_auth_dialog_OBJECTS) $(nm_strongswan_auth_dialog_DEPENDENCIES) 
-	@rm -f nm-strongswan-auth-dialog$(EXEEXT)
-	$(LINK) $(nm_strongswan_auth_dialog_OBJECTS) $(nm_strongswan_auth_dialog_LDADD) $(LIBS)
-
-mostlyclean-compile:
-	-rm -f *.$(OBJEXT)
-
-distclean-compile:
-	-rm -f *.tab.c
-
-include ./$(DEPDIR)/nm_strongswan_auth_dialog-main.Po
-
-.c.o:
-	depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\
-	$(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
-	mv -f $$depbase.Tpo $$depbase.Po
-#	source='$<' object='$@' libtool=no \
-#	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) \
-#	$(COMPILE) -c -o $@ $<
-
-.c.obj:
-	depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\
-	$(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\
-	mv -f $$depbase.Tpo $$depbase.Po
-#	source='$<' object='$@' libtool=no \
-#	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) \
-#	$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'`
-
-.c.lo:
-	depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\
-	$(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
-	mv -f $$depbase.Tpo $$depbase.Plo
-#	source='$<' object='$@' libtool=yes \
-#	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) \
-#	$(LTCOMPILE) -c -o $@ $<
-
-nm_strongswan_auth_dialog-main.o: main.c
-	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(nm_strongswan_auth_dialog_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT nm_strongswan_auth_dialog-main.o -MD -MP -MF $(DEPDIR)/nm_strongswan_auth_dialog-main.Tpo -c -o nm_strongswan_auth_dialog-main.o `test -f 'main.c' || echo '$(srcdir)/'`main.c
-	mv -f $(DEPDIR)/nm_strongswan_auth_dialog-main.Tpo $(DEPDIR)/nm_strongswan_auth_dialog-main.Po
-#	source='main.c' object='nm_strongswan_auth_dialog-main.o' libtool=no \
-#	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) \
-#	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(nm_strongswan_auth_dialog_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o nm_strongswan_auth_dialog-main.o `test -f 'main.c' || echo '$(srcdir)/'`main.c
-
-nm_strongswan_auth_dialog-main.obj: main.c
-	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(nm_strongswan_auth_dialog_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT nm_strongswan_auth_dialog-main.obj -MD -MP -MF $(DEPDIR)/nm_strongswan_auth_dialog-main.Tpo -c -o nm_strongswan_auth_dialog-main.obj `if test -f 'main.c'; then $(CYGPATH_W) 'main.c'; else $(CYGPATH_W) '$(srcdir)/main.c'; fi`
-	mv -f $(DEPDIR)/nm_strongswan_auth_dialog-main.Tpo $(DEPDIR)/nm_strongswan_auth_dialog-main.Po
-#	source='main.c' object='nm_strongswan_auth_dialog-main.obj' libtool=no \
-#	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) \
-#	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(nm_strongswan_auth_dialog_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o nm_strongswan_auth_dialog-main.obj `if test -f 'main.c'; then $(CYGPATH_W) 'main.c'; else $(CYGPATH_W) '$(srcdir)/main.c'; fi`
-
-mostlyclean-libtool:
-	-rm -f *.lo
-
-clean-libtool:
-	-rm -rf .libs _libs
-
-ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
-	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	mkid -fID $$unique
-tags: TAGS
-
-TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	tags=; \
-	here=`pwd`; \
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
-	  test -n "$$unique" || unique=$$empty_fix; \
-	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	    $$tags $$unique; \
-	fi
-ctags: CTAGS
-CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	tags=; \
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$tags$$unique" \
-	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$tags $$unique
-
-GTAGS:
-	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && cd $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) $$here
-
-distclean-tags:
-	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
-
-distdir: $(DISTFILES)
-	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	list='$(DISTFILES)'; \
-	  dist_files=`for file in $$list; do echo $$file; done | \
-	  sed -e "s|^$$srcdirstrip/||;t" \
-	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
-	case $$dist_files in \
-	  */*) $(MKDIR_P) `echo "$$dist_files" | \
-			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
-			   sort -u` ;; \
-	esac; \
-	for file in $$dist_files; do \
-	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  if test -d $$d/$$file; then \
-	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
-	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
-	    fi; \
-	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
-	  else \
-	    test -f $(distdir)/$$file \
-	    || cp -p $$d/$$file $(distdir)/$$file \
-	    || exit 1; \
-	  fi; \
-	done
-check-am: all-am
-check: check-am
-all-am: Makefile $(PROGRAMS)
-installdirs:
-	for dir in "$(DESTDIR)$(libexecdir)"; do \
-	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
-	done
-install: install-am
-install-exec: install-exec-am
-install-data: install-data-am
-uninstall: uninstall-am
-
-install-am: all-am
-	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
-
-installcheck: installcheck-am
-install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
-mostlyclean-generic:
-
-clean-generic:
-
-distclean-generic:
-	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-
-maintainer-clean-generic:
-	@echo "This command is intended for maintainers to use"
-	@echo "it deletes files that may require special tools to rebuild."
-clean: clean-am
-
-clean-am: clean-generic clean-libexecPROGRAMS clean-libtool \
-	mostlyclean-am
-
-distclean: distclean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-distclean-am: clean-am distclean-compile distclean-generic \
-	distclean-tags
-
-dvi: dvi-am
-
-dvi-am:
-
-html: html-am
-
-info: info-am
-
-info-am:
-
-install-data-am:
-
-install-dvi: install-dvi-am
-
-install-exec-am: install-libexecPROGRAMS
-
-install-html: install-html-am
-
-install-info: install-info-am
-
-install-man:
-
-install-pdf: install-pdf-am
-
-install-ps: install-ps-am
-
-installcheck-am:
-
-maintainer-clean: maintainer-clean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-maintainer-clean-am: distclean-am maintainer-clean-generic
-
-mostlyclean: mostlyclean-am
-
-mostlyclean-am: mostlyclean-compile mostlyclean-generic \
-	mostlyclean-libtool
-
-pdf: pdf-am
-
-pdf-am:
-
-ps: ps-am
-
-ps-am:
-
-uninstall-am: uninstall-libexecPROGRAMS
-
-.MAKE: install-am install-strip
-
-.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
-	clean-libexecPROGRAMS clean-libtool ctags distclean \
-	distclean-compile distclean-generic distclean-libtool \
-	distclean-tags distdir dvi dvi-am html html-am info info-am \
-	install install-am install-data install-data-am install-dvi \
-	install-dvi-am install-exec install-exec-am install-html \
-	install-html-am install-info install-info-am \
-	install-libexecPROGRAMS install-man install-pdf install-pdf-am \
-	install-ps install-ps-am install-strip installcheck \
-	installcheck-am installdirs maintainer-clean \
-	maintainer-clean-generic mostlyclean mostlyclean-compile \
-	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	tags uninstall uninstall-am uninstall-libexecPROGRAMS
-
-# Tell versions [3.59,3.63) of GNU make to not export all variables.
-# Otherwise a system limit (for SysV at least) may be exceeded.
-.NOEXPORT:
diff --git a/src/charon/plugins/nm/gnome/auth-dialog/Makefile.am b/src/charon/plugins/nm/gnome/auth-dialog/Makefile.am
deleted file mode 100644
index c95164785..000000000
--- a/src/charon/plugins/nm/gnome/auth-dialog/Makefile.am
+++ /dev/null
@@ -1,27 +0,0 @@
-libexec_PROGRAMS = nm-strongswan-auth-dialog
-
-nm_strongswan_auth_dialog_CPPFLAGS = \
-	$(GTHREAD_CFLAGS) \
-	$(GTK_CFLAGS) \
-	$(LIBGNOMEUI_CFLAGS) \
-	$(GNOMEKEYRING_CFLAGS) \
-	$(NETWORK_MANAGER_CFLAGS) \
-	$(NM_UTILS_CFLAGS) \
-	-DICONDIR=\""$(datadir)/pixmaps"\" \
-	-DGLADEDIR=\""$(gladedir)"\" \
-	-DBINDIR=\""$(bindir)"\" \
-	-DDBUS_API_SUBJECT_TO_CHANGE \
-	-DG_DISABLE_DEPRECATED \
-	-DGDK_DISABLE_DEPRECATED \
-	-DGNOME_DISABLE_DEPRECATED \
-	-DGNOMELOCALEDIR=\"$(datadir)/locale\" \
-	-DVERSION=\"$(VERSION)\"
-
-nm_strongswan_auth_dialog_SOURCES =	\
-	main.c
-
-nm_strongswan_auth_dialog_LDADD = \
-	$(GTK_LIBS) \
-	$(LIBGNOMEUI_LIBS) \
-	$(GNOMEKEYRING_LIBS)
-
diff --git a/src/charon/plugins/nm/gnome/auth-dialog/Makefile.in b/src/charon/plugins/nm/gnome/auth-dialog/Makefile.in
deleted file mode 100644
index fa953505f..000000000
--- a/src/charon/plugins/nm/gnome/auth-dialog/Makefile.in
+++ /dev/null
@@ -1,566 +0,0 @@
-# Makefile.in generated by automake 1.10.1 from Makefile.am.
-# @configure_input@
-
-# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
-# This Makefile.in is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
-# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
-# PARTICULAR PURPOSE.
-
-@SET_MAKE@
-
-VPATH = @srcdir@
-pkgdatadir = $(datadir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
-pkgincludedir = $(includedir)/@PACKAGE@
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-install_sh_DATA = $(install_sh) -c -m 644
-install_sh_PROGRAM = $(install_sh) -c
-install_sh_SCRIPT = $(install_sh) -c
-INSTALL_HEADER = $(INSTALL_DATA)
-transform = $(program_transform_name)
-NORMAL_INSTALL = :
-PRE_INSTALL = :
-POST_INSTALL = :
-NORMAL_UNINSTALL = :
-PRE_UNINSTALL = :
-POST_UNINSTALL = :
-build_triplet = @build@
-host_triplet = @host@
-libexec_PROGRAMS = nm-strongswan-auth-dialog$(EXEEXT)
-subdir = auth-dialog
-DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
-ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/configure.in
-am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
-	$(ACLOCAL_M4)
-mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
-CONFIG_HEADER = $(top_builddir)/config.h
-CONFIG_CLEAN_FILES =
-am__installdirs = "$(DESTDIR)$(libexecdir)"
-libexecPROGRAMS_INSTALL = $(INSTALL_PROGRAM)
-PROGRAMS = $(libexec_PROGRAMS)
-am_nm_strongswan_auth_dialog_OBJECTS =  \
-	nm_strongswan_auth_dialog-main.$(OBJEXT)
-nm_strongswan_auth_dialog_OBJECTS =  \
-	$(am_nm_strongswan_auth_dialog_OBJECTS)
-am__DEPENDENCIES_1 =
-nm_strongswan_auth_dialog_DEPENDENCIES = $(am__DEPENDENCIES_1) \
-	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1)
-DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
-depcomp = $(SHELL) $(top_srcdir)/depcomp
-am__depfiles_maybe = depfiles
-COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
-	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
-SOURCES = $(nm_strongswan_auth_dialog_SOURCES)
-DIST_SOURCES = $(nm_strongswan_auth_dialog_SOURCES)
-ETAGS = etags
-CTAGS = ctags
-DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
-ACLOCAL = @ACLOCAL@
-ALL_LINGUAS = @ALL_LINGUAS@
-AMTAR = @AMTAR@
-AR = @AR@
-AUTOCONF = @AUTOCONF@
-AUTOHEADER = @AUTOHEADER@
-AUTOMAKE = @AUTOMAKE@
-AWK = @AWK@
-CATALOGS = @CATALOGS@
-CATOBJEXT = @CATOBJEXT@
-CC = @CC@
-CCDEPMODE = @CCDEPMODE@
-CFLAGS = @CFLAGS@
-CPP = @CPP@
-CPPFLAGS = @CPPFLAGS@
-CXX = @CXX@
-CXXCPP = @CXXCPP@
-CXXDEPMODE = @CXXDEPMODE@
-CXXFLAGS = @CXXFLAGS@
-CYGPATH_W = @CYGPATH_W@
-DATADIRNAME = @DATADIRNAME@
-DBUS_CFLAGS = @DBUS_CFLAGS@
-DBUS_LIBS = @DBUS_LIBS@
-DEFS = @DEFS@
-DEPDIR = @DEPDIR@
-DSYMUTIL = @DSYMUTIL@
-ECHO = @ECHO@
-ECHO_C = @ECHO_C@
-ECHO_N = @ECHO_N@
-ECHO_T = @ECHO_T@
-EGREP = @EGREP@
-EXEEXT = @EXEEXT@
-F77 = @F77@
-FFLAGS = @FFLAGS@
-GCONF_CFLAGS = @GCONF_CFLAGS@
-GCONF_LIBS = @GCONF_LIBS@
-GDK_PIXBUF_CFLAGS = @GDK_PIXBUF_CFLAGS@
-GDK_PIXBUF_LIBS = @GDK_PIXBUF_LIBS@
-GETTEXT_PACKAGE = @GETTEXT_PACKAGE@
-GLADE_CFLAGS = @GLADE_CFLAGS@
-GLADE_LIBS = @GLADE_LIBS@
-GMOFILES = @GMOFILES@
-GMSGFMT = @GMSGFMT@
-GNOMEKEYRING_CFLAGS = @GNOMEKEYRING_CFLAGS@
-GNOMEKEYRING_LIBS = @GNOMEKEYRING_LIBS@
-GREP = @GREP@
-GTHREAD_CFLAGS = @GTHREAD_CFLAGS@
-GTHREAD_LIBS = @GTHREAD_LIBS@
-GTK_CFLAGS = @GTK_CFLAGS@
-GTK_LIBS = @GTK_LIBS@
-INSTALL = @INSTALL@
-INSTALL_DATA = @INSTALL_DATA@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@
-INSTALL_SCRIPT = @INSTALL_SCRIPT@
-INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-INSTOBJEXT = @INSTOBJEXT@
-INTLLIBS = @INTLLIBS@
-INTLTOOL_CAVES_RULE = @INTLTOOL_CAVES_RULE@
-INTLTOOL_DESKTOP_RULE = @INTLTOOL_DESKTOP_RULE@
-INTLTOOL_DIRECTORY_RULE = @INTLTOOL_DIRECTORY_RULE@
-INTLTOOL_EXTRACT = @INTLTOOL_EXTRACT@
-INTLTOOL_KBD_RULE = @INTLTOOL_KBD_RULE@
-INTLTOOL_KEYS_RULE = @INTLTOOL_KEYS_RULE@
-INTLTOOL_MERGE = @INTLTOOL_MERGE@
-INTLTOOL_OAF_RULE = @INTLTOOL_OAF_RULE@
-INTLTOOL_PERL = @INTLTOOL_PERL@
-INTLTOOL_POLICY_RULE = @INTLTOOL_POLICY_RULE@
-INTLTOOL_PONG_RULE = @INTLTOOL_PONG_RULE@
-INTLTOOL_PROP_RULE = @INTLTOOL_PROP_RULE@
-INTLTOOL_SCHEMAS_RULE = @INTLTOOL_SCHEMAS_RULE@
-INTLTOOL_SERVER_RULE = @INTLTOOL_SERVER_RULE@
-INTLTOOL_SERVICE_RULE = @INTLTOOL_SERVICE_RULE@
-INTLTOOL_SHEET_RULE = @INTLTOOL_SHEET_RULE@
-INTLTOOL_SOUNDLIST_RULE = @INTLTOOL_SOUNDLIST_RULE@
-INTLTOOL_THEME_RULE = @INTLTOOL_THEME_RULE@
-INTLTOOL_UI_RULE = @INTLTOOL_UI_RULE@
-INTLTOOL_UPDATE = @INTLTOOL_UPDATE@
-INTLTOOL_XAM_RULE = @INTLTOOL_XAM_RULE@
-INTLTOOL_XML_NOMERGE_RULE = @INTLTOOL_XML_NOMERGE_RULE@
-INTLTOOL_XML_RULE = @INTLTOOL_XML_RULE@
-LDFLAGS = @LDFLAGS@
-LIBGNOMEUI_CFLAGS = @LIBGNOMEUI_CFLAGS@
-LIBGNOMEUI_LIBS = @LIBGNOMEUI_LIBS@
-LIBOBJS = @LIBOBJS@
-LIBS = @LIBS@
-LIBTOOL = @LIBTOOL@
-LN_S = @LN_S@
-LTLIBOBJS = @LTLIBOBJS@
-MAINT = @MAINT@
-MAKEINFO = @MAKEINFO@
-MKDIR_P = @MKDIR_P@
-MKINSTALLDIRS = @MKINSTALLDIRS@
-MSGFMT = @MSGFMT@
-MSGFMT_OPTS = @MSGFMT_OPTS@
-MSGMERGE = @MSGMERGE@
-NMEDIT = @NMEDIT@
-NM_UTILS_CFLAGS = @NM_UTILS_CFLAGS@
-NM_UTILS_LIBS = @NM_UTILS_LIBS@
-OBJEXT = @OBJEXT@
-PACKAGE = @PACKAGE@
-PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
-PACKAGE_NAME = @PACKAGE_NAME@
-PACKAGE_STRING = @PACKAGE_STRING@
-PACKAGE_TARNAME = @PACKAGE_TARNAME@
-PACKAGE_VERSION = @PACKAGE_VERSION@
-PATH_SEPARATOR = @PATH_SEPARATOR@
-PKG_CONFIG = @PKG_CONFIG@
-POFILES = @POFILES@
-POSUB = @POSUB@
-PO_IN_DATADIR_FALSE = @PO_IN_DATADIR_FALSE@
-PO_IN_DATADIR_TRUE = @PO_IN_DATADIR_TRUE@
-RANLIB = @RANLIB@
-SED = @SED@
-SET_MAKE = @SET_MAKE@
-SHELL = @SHELL@
-STRIP = @STRIP@
-USE_NLS = @USE_NLS@
-VERSION = @VERSION@
-XGETTEXT = @XGETTEXT@
-abs_builddir = @abs_builddir@
-abs_srcdir = @abs_srcdir@
-abs_top_builddir = @abs_top_builddir@
-abs_top_srcdir = @abs_top_srcdir@
-ac_ct_CC = @ac_ct_CC@
-ac_ct_CXX = @ac_ct_CXX@
-ac_ct_F77 = @ac_ct_F77@
-am__include = @am__include@
-am__leading_dot = @am__leading_dot@
-am__quote = @am__quote@
-am__tar = @am__tar@
-am__untar = @am__untar@
-bindir = @bindir@
-build = @build@
-build_alias = @build_alias@
-build_cpu = @build_cpu@
-build_os = @build_os@
-build_vendor = @build_vendor@
-builddir = @builddir@
-charon = @charon@
-datadir = @datadir@
-datarootdir = @datarootdir@
-docdir = @docdir@
-dvidir = @dvidir@
-exec_prefix = @exec_prefix@
-host = @host@
-host_alias = @host_alias@
-host_cpu = @host_cpu@
-host_os = @host_os@
-host_vendor = @host_vendor@
-htmldir = @htmldir@
-includedir = @includedir@
-infodir = @infodir@
-install_sh = @install_sh@
-libdir = @libdir@
-libexecdir = @libexecdir@
-localedir = @localedir@
-localstatedir = @localstatedir@
-mandir = @mandir@
-mkdir_p = @mkdir_p@
-oldincludedir = @oldincludedir@
-pdfdir = @pdfdir@
-prefix = @prefix@
-program_transform_name = @program_transform_name@
-psdir = @psdir@
-sbindir = @sbindir@
-sharedstatedir = @sharedstatedir@
-srcdir = @srcdir@
-sysconfdir = @sysconfdir@
-target_alias = @target_alias@
-top_builddir = @top_builddir@
-top_srcdir = @top_srcdir@
-nm_strongswan_auth_dialog_CPPFLAGS = \
-	$(GTHREAD_CFLAGS) \
-	$(GTK_CFLAGS) \
-	$(LIBGNOMEUI_CFLAGS) \
-	$(GNOMEKEYRING_CFLAGS) \
-	$(NETWORK_MANAGER_CFLAGS) \
-	$(NM_UTILS_CFLAGS) \
-	-DICONDIR=\""$(datadir)/pixmaps"\" \
-	-DGLADEDIR=\""$(gladedir)"\" \
-	-DBINDIR=\""$(bindir)"\" \
-	-DDBUS_API_SUBJECT_TO_CHANGE \
-	-DG_DISABLE_DEPRECATED \
-	-DGDK_DISABLE_DEPRECATED \
-	-DGNOME_DISABLE_DEPRECATED \
-	-DGNOMELOCALEDIR=\"$(datadir)/locale\" \
-	-DVERSION=\"$(VERSION)\"
-
-nm_strongswan_auth_dialog_SOURCES = \
-	main.c
-
-nm_strongswan_auth_dialog_LDADD = \
-	$(GTK_LIBS) \
-	$(LIBGNOMEUI_LIBS) \
-	$(GNOMEKEYRING_LIBS)
-
-all: all-am
-
-.SUFFIXES:
-.SUFFIXES: .c .lo .o .obj
-$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am  $(am__configure_deps)
-	@for dep in $?; do \
-	  case '$(am__configure_deps)' in \
-	    *$$dep*) \
-	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
-		&& exit 0; \
-	      exit 1;; \
-	  esac; \
-	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  auth-dialog/Makefile'; \
-	cd $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu  auth-dialog/Makefile
-.PRECIOUS: Makefile
-Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
-	@case '$?' in \
-	  *config.status*) \
-	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
-	  *) \
-	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
-	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
-	esac;
-
-$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-
-$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-install-libexecPROGRAMS: $(libexec_PROGRAMS)
-	@$(NORMAL_INSTALL)
-	test -z "$(libexecdir)" || $(MKDIR_P) "$(DESTDIR)$(libexecdir)"
-	@list='$(libexec_PROGRAMS)'; for p in $$list; do \
-	  p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
-	  if test -f $$p \
-	     || test -f $$p1 \
-	  ; then \
-	    f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \
-	   echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(libexecPROGRAMS_INSTALL) '$$p' '$(DESTDIR)$(libexecdir)/$$f'"; \
-	   $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(libexecPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(libexecdir)/$$f" || exit 1; \
-	  else :; fi; \
-	done
-
-uninstall-libexecPROGRAMS:
-	@$(NORMAL_UNINSTALL)
-	@list='$(libexec_PROGRAMS)'; for p in $$list; do \
-	  f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \
-	  echo " rm -f '$(DESTDIR)$(libexecdir)/$$f'"; \
-	  rm -f "$(DESTDIR)$(libexecdir)/$$f"; \
-	done
-
-clean-libexecPROGRAMS:
-	@list='$(libexec_PROGRAMS)'; for p in $$list; do \
-	  f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
-	  echo " rm -f $$p $$f"; \
-	  rm -f $$p $$f ; \
-	done
-nm-strongswan-auth-dialog$(EXEEXT): $(nm_strongswan_auth_dialog_OBJECTS) $(nm_strongswan_auth_dialog_DEPENDENCIES) 
-	@rm -f nm-strongswan-auth-dialog$(EXEEXT)
-	$(LINK) $(nm_strongswan_auth_dialog_OBJECTS) $(nm_strongswan_auth_dialog_LDADD) $(LIBS)
-
-mostlyclean-compile:
-	-rm -f *.$(OBJEXT)
-
-distclean-compile:
-	-rm -f *.tab.c
-
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/nm_strongswan_auth_dialog-main.Po@am__quote@
-
-.c.o:
-@am__fastdepCC_TRUE@	depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
-@am__fastdepCC_TRUE@	mv -f $$depbase.Tpo $$depbase.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c -o $@ $<
-
-.c.obj:
-@am__fastdepCC_TRUE@	depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\
-@am__fastdepCC_TRUE@	mv -f $$depbase.Tpo $$depbase.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'`
-
-.c.lo:
-@am__fastdepCC_TRUE@	depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
-@am__fastdepCC_TRUE@	mv -f $$depbase.Tpo $$depbase.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
-
-nm_strongswan_auth_dialog-main.o: main.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(nm_strongswan_auth_dialog_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT nm_strongswan_auth_dialog-main.o -MD -MP -MF $(DEPDIR)/nm_strongswan_auth_dialog-main.Tpo -c -o nm_strongswan_auth_dialog-main.o `test -f 'main.c' || echo '$(srcdir)/'`main.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/nm_strongswan_auth_dialog-main.Tpo $(DEPDIR)/nm_strongswan_auth_dialog-main.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='main.c' object='nm_strongswan_auth_dialog-main.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(nm_strongswan_auth_dialog_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o nm_strongswan_auth_dialog-main.o `test -f 'main.c' || echo '$(srcdir)/'`main.c
-
-nm_strongswan_auth_dialog-main.obj: main.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(nm_strongswan_auth_dialog_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT nm_strongswan_auth_dialog-main.obj -MD -MP -MF $(DEPDIR)/nm_strongswan_auth_dialog-main.Tpo -c -o nm_strongswan_auth_dialog-main.obj `if test -f 'main.c'; then $(CYGPATH_W) 'main.c'; else $(CYGPATH_W) '$(srcdir)/main.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/nm_strongswan_auth_dialog-main.Tpo $(DEPDIR)/nm_strongswan_auth_dialog-main.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='main.c' object='nm_strongswan_auth_dialog-main.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(nm_strongswan_auth_dialog_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o nm_strongswan_auth_dialog-main.obj `if test -f 'main.c'; then $(CYGPATH_W) 'main.c'; else $(CYGPATH_W) '$(srcdir)/main.c'; fi`
-
-mostlyclean-libtool:
-	-rm -f *.lo
-
-clean-libtool:
-	-rm -rf .libs _libs
-
-ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
-	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	mkid -fID $$unique
-tags: TAGS
-
-TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	tags=; \
-	here=`pwd`; \
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
-	  test -n "$$unique" || unique=$$empty_fix; \
-	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	    $$tags $$unique; \
-	fi
-ctags: CTAGS
-CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	tags=; \
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$tags$$unique" \
-	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$tags $$unique
-
-GTAGS:
-	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && cd $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) $$here
-
-distclean-tags:
-	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
-
-distdir: $(DISTFILES)
-	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	list='$(DISTFILES)'; \
-	  dist_files=`for file in $$list; do echo $$file; done | \
-	  sed -e "s|^$$srcdirstrip/||;t" \
-	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
-	case $$dist_files in \
-	  */*) $(MKDIR_P) `echo "$$dist_files" | \
-			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
-			   sort -u` ;; \
-	esac; \
-	for file in $$dist_files; do \
-	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  if test -d $$d/$$file; then \
-	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
-	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
-	    fi; \
-	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
-	  else \
-	    test -f $(distdir)/$$file \
-	    || cp -p $$d/$$file $(distdir)/$$file \
-	    || exit 1; \
-	  fi; \
-	done
-check-am: all-am
-check: check-am
-all-am: Makefile $(PROGRAMS)
-installdirs:
-	for dir in "$(DESTDIR)$(libexecdir)"; do \
-	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
-	done
-install: install-am
-install-exec: install-exec-am
-install-data: install-data-am
-uninstall: uninstall-am
-
-install-am: all-am
-	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
-
-installcheck: installcheck-am
-install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
-mostlyclean-generic:
-
-clean-generic:
-
-distclean-generic:
-	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-
-maintainer-clean-generic:
-	@echo "This command is intended for maintainers to use"
-	@echo "it deletes files that may require special tools to rebuild."
-clean: clean-am
-
-clean-am: clean-generic clean-libexecPROGRAMS clean-libtool \
-	mostlyclean-am
-
-distclean: distclean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-distclean-am: clean-am distclean-compile distclean-generic \
-	distclean-tags
-
-dvi: dvi-am
-
-dvi-am:
-
-html: html-am
-
-info: info-am
-
-info-am:
-
-install-data-am:
-
-install-dvi: install-dvi-am
-
-install-exec-am: install-libexecPROGRAMS
-
-install-html: install-html-am
-
-install-info: install-info-am
-
-install-man:
-
-install-pdf: install-pdf-am
-
-install-ps: install-ps-am
-
-installcheck-am:
-
-maintainer-clean: maintainer-clean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-maintainer-clean-am: distclean-am maintainer-clean-generic
-
-mostlyclean: mostlyclean-am
-
-mostlyclean-am: mostlyclean-compile mostlyclean-generic \
-	mostlyclean-libtool
-
-pdf: pdf-am
-
-pdf-am:
-
-ps: ps-am
-
-ps-am:
-
-uninstall-am: uninstall-libexecPROGRAMS
-
-.MAKE: install-am install-strip
-
-.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
-	clean-libexecPROGRAMS clean-libtool ctags distclean \
-	distclean-compile distclean-generic distclean-libtool \
-	distclean-tags distdir dvi dvi-am html html-am info info-am \
-	install install-am install-data install-data-am install-dvi \
-	install-dvi-am install-exec install-exec-am install-html \
-	install-html-am install-info install-info-am \
-	install-libexecPROGRAMS install-man install-pdf install-pdf-am \
-	install-ps install-ps-am install-strip installcheck \
-	installcheck-am installdirs maintainer-clean \
-	maintainer-clean-generic mostlyclean mostlyclean-compile \
-	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	tags uninstall uninstall-am uninstall-libexecPROGRAMS
-
-# Tell versions [3.59,3.63) of GNU make to not export all variables.
-# Otherwise a system limit (for SysV at least) may be exceeded.
-.NOEXPORT:
diff --git a/src/charon/plugins/nm/gnome/auth-dialog/main.c b/src/charon/plugins/nm/gnome/auth-dialog/main.c
deleted file mode 100644
index 6f2095527..000000000
--- a/src/charon/plugins/nm/gnome/auth-dialog/main.c
+++ /dev/null
@@ -1,244 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- * Copyright (C) 2004 Dan Williams 
- * Red Hat, Inc.
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- *
- * $Id$
- */
-
-#ifdef HAVE_CONFIG_H
-#include <config.h>
-#endif
-
-#include <string.h>
-#include <glib/gi18n.h>
-#include <gtk/gtk.h>
-#include <gnome-keyring.h>
-#include <libgnomeui/libgnomeui.h>
-#include <gconf/gconf-client.h>
-#include <nm-vpn-plugin.h>
-#include <nm-setting-vpn.h>
-#include <nm-setting-connection.h>
-
-#define NM_DBUS_SERVICE_STRONGSWAN	"org.freedesktop.NetworkManager.strongswan"
-
-/**
- * lookup a password in the keyring
- */
-static char *lookup_password(char *name, char *service)
-{
-	GList *list;
-	GList *iter;
-	char *pass = NULL;
-
-	if (gnome_keyring_find_network_password_sync(g_get_user_name(), NULL, name,
-			NULL, service, NULL, 0, &list) != GNOME_KEYRING_RESULT_OK)
-	{
-		return NULL;
-	}
-
-	for (iter = list; iter; iter = iter->next)
-	{
-		GnomeKeyringNetworkPasswordData *data = iter->data;
-		
-		if (strcmp(data->object, "password") == 0 && data->password)
-		{
-			pass = g_strdup(data->password);
-			break;
-		}
-	}
-	gnome_keyring_network_password_list_free(list);
-	return pass;
-}
-
-/**
- * get the connection type
- */
-static char* get_connection_type(char *uuid)
-{
-	GConfClient *client = NULL;
-	GSList *list;
-	GSList *iter;
-	char *key, *str, *path, *found = NULL, *method = NULL;
-
-	client = gconf_client_get_default();
-
-	list = gconf_client_all_dirs(client, "/system/networking/connections", NULL);
-	g_return_val_if_fail(list, NULL);
-
-	for (iter = list; iter; iter = iter->next)
-	{
-		path = (char *) iter->data;
-
-		key = g_strdup_printf("%s/%s/%s", path,
-							  NM_SETTING_CONNECTION_SETTING_NAME,
-							  NM_SETTING_CONNECTION_UUID);
-		str = gconf_client_get_string(client, key, NULL);
-		g_free (key);
-
-		if (str && !strcmp(str, uuid))
-		{
-			found = g_strdup(path);
-		}
-		g_free (str);
-		if (found)
-		{
-			break;
-		}
-	}
-	g_slist_foreach(list, (GFunc)g_free, NULL);
-	g_slist_free(list);
-	
-	if (found)
-	{
-		key = g_strdup_printf ("%s/%s/%s", found,
-			                   NM_SETTING_VPN_SETTING_NAME, "method");
-		method = gconf_client_get_string(client, key, NULL);
-		g_free(found);
-		g_free(key);
-	}
-	g_object_unref(client);
-	return method;
-}
-
-int main (int argc, char *argv[])
-{
-	gboolean retry = FALSE;
-	gchar *name = NULL, *uuid = NULL, *service = NULL, *keyring = NULL, *pass;
-	GOptionContext *context;
-	GnomeProgram *program = NULL;
-	int exit_status = 1;
-	char buf, *agent, *type;
-	guint32 itemid;
-	GtkWidget *dialog;
-	GOptionEntry entries[] = {
-		{ "reprompt", 'r', 0, G_OPTION_ARG_NONE, &retry, "Reprompt for passwords", NULL},
-		{ "uuid", 'u', 0, G_OPTION_ARG_STRING, &uuid, "UUID of VPN connection", NULL},
-		{ "name", 'n', 0, G_OPTION_ARG_STRING, &name, "Name of VPN connection", NULL},
-		{ "service", 's', 0, G_OPTION_ARG_STRING, &service, "VPN service type", NULL},
-		{ NULL }
-	};
-
-	bindtextdomain(GETTEXT_PACKAGE, NULL);
-	bind_textdomain_codeset(GETTEXT_PACKAGE, "UTF-8");
-	textdomain(GETTEXT_PACKAGE);
-
-	context = g_option_context_new ("- strongswan auth dialog");
-	g_option_context_add_main_entries (context, entries, GETTEXT_PACKAGE);
-
-	program = gnome_program_init ("nm-strongswan-auth-dialog", VERSION,
-								LIBGNOMEUI_MODULE,
-								argc, argv,
-								GNOME_PARAM_GOPTION_CONTEXT, context,
-								GNOME_PARAM_NONE);
-	
-	if (uuid == NULL || name == NULL || service == NULL)
-	{
-		fprintf (stderr, "Have to supply UUID, name, and service\n");
-		g_object_unref (program);
-		return 1;
-	}
-	
-	if (strcmp(service, NM_DBUS_SERVICE_STRONGSWAN) != 0)
-	{
-		fprintf(stderr, "This dialog only works with the '%s' service\n",
-				NM_DBUS_SERVICE_STRONGSWAN);
-		g_object_unref (program);
-		return 1;
-	}
-	
-	type = get_connection_type(uuid);
-	if (!type)
-	{
-		fprintf(stderr, "Connection lookup failed\n");
-		g_object_unref (program);
-		return 1;
-	}
-	if (!strcmp(type, "eap") || !strcmp(type, "key"))
-	{
-		pass = lookup_password(name, service);
-		if (!pass || retry)
-		{
-			if (!strcmp(type, "eap"))
-			{
-				dialog = gnome_password_dialog_new(_("VPN password required"),
-							_("EAP password required to establish VPN connection:"),
-							NULL, NULL, TRUE);
-			}
-			else
-			{
-				dialog = gnome_password_dialog_new(_("VPN password required"),
-							_("Private key decryption password required to establish VPN connection:"),
-							NULL, NULL, TRUE);
-			}
-			gnome_password_dialog_set_show_remember(GNOME_PASSWORD_DIALOG(dialog), TRUE);
-			gnome_password_dialog_set_show_username(GNOME_PASSWORD_DIALOG(dialog), FALSE);
-			if (pass)
-			{
-				gnome_password_dialog_set_password(GNOME_PASSWORD_DIALOG(dialog), pass);
-			}
-			if (!gnome_password_dialog_run_and_block(GNOME_PASSWORD_DIALOG(dialog)))
-			{
-				g_object_unref (program);
-				return 1;
-			}
-
-			pass = gnome_password_dialog_get_password(GNOME_PASSWORD_DIALOG(dialog));
-			switch (gnome_password_dialog_get_remember(GNOME_PASSWORD_DIALOG(dialog)))
-			{
-				case GNOME_PASSWORD_DIALOG_REMEMBER_NOTHING:
-					break;
-				case GNOME_PASSWORD_DIALOG_REMEMBER_SESSION:
-					keyring = "session";
-					/* FALL */
-				case GNOME_PASSWORD_DIALOG_REMEMBER_FOREVER:
-					if (gnome_keyring_set_network_password_sync(keyring,
-							g_get_user_name(), NULL, name, "password", service, NULL, 0,
-							pass, &itemid) != GNOME_KEYRING_RESULT_OK)
-					{
-						g_warning ("storing password in keyring failed");
-					}
-					break;
-			}
-		}
-		printf("password\n%s\n", pass);
-	}
-	else
-	{
-		agent = getenv("SSH_AUTH_SOCK");
-		if (agent)
-		{
-			printf("agent\n%s\n", agent);
-		}
-		else
-		{
-			GtkWidget *dialog;
-			
-			dialog = gtk_message_dialog_new(NULL, 0, GTK_MESSAGE_ERROR,
-						  GTK_BUTTONS_OK, 
-						  _("Configuration uses ssh-agent for authentication, "
-						  "but ssh-agent is not running!"));
-			gtk_dialog_run (GTK_DIALOG (dialog));
-			gtk_widget_destroy (dialog);
-			return 1;
-		}
-	}
-	printf("\n\n");
-	/* flush output, wait for input */
-	fflush(stdout);
-	fread(&buf, 1, sizeof(buf), stdin);
-	g_object_unref(program);
-	return 0;
-}
-
diff --git a/src/charon/plugins/nm/gnome/autogen.sh b/src/charon/plugins/nm/gnome/autogen.sh
deleted file mode 100755
index 25847e7c3..000000000
--- a/src/charon/plugins/nm/gnome/autogen.sh
+++ /dev/null
@@ -1,15 +0,0 @@
-#!/bin/sh
-# Run this to generate all the initial makefiles, etc.
-
-srcdir=`dirname $0`
-test -z "$srcdir" && srcdir=.
-REQUIRED_AUTOMAKE_VERSION=1.7
-PKG_NAME=NetworkManager-strongswan
-
-which gnome-autogen.sh || {
-    echo "You need to install gnome-common from the GNOME CVS"
-    exit 1
-}
-USE_GNOME2_MACROS=1 . gnome-autogen.sh
-
-
diff --git a/src/charon/plugins/nm/gnome/compile b/src/charon/plugins/nm/gnome/compile
deleted file mode 100755
index 1b1d23216..000000000
--- a/src/charon/plugins/nm/gnome/compile
+++ /dev/null
@@ -1,142 +0,0 @@
-#! /bin/sh
-# Wrapper for compilers which do not understand `-c -o'.
-
-scriptversion=2005-05-14.22
-
-# Copyright (C) 1999, 2000, 2003, 2004, 2005 Free Software Foundation, Inc.
-# Written by Tom Tromey <tromey@cygnus.com>.
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2, or (at your option)
-# any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-
-# As a special exception to the GNU General Public License, if you
-# distribute this file as part of a program that contains a
-# configuration script generated by Autoconf, you may include it under
-# the same distribution terms that you use for the rest of that program.
-
-# This file is maintained in Automake, please report
-# bugs to <bug-automake@gnu.org> or send patches to
-# <automake-patches@gnu.org>.
-
-case $1 in
-  '')
-     echo "$0: No command.  Try \`$0 --help' for more information." 1>&2
-     exit 1;
-     ;;
-  -h | --h*)
-    cat <<\EOF
-Usage: compile [--help] [--version] PROGRAM [ARGS]
-
-Wrapper for compilers which do not understand `-c -o'.
-Remove `-o dest.o' from ARGS, run PROGRAM with the remaining
-arguments, and rename the output as expected.
-
-If you are trying to build a whole package this is not the
-right script to run: please start by reading the file `INSTALL'.
-
-Report bugs to <bug-automake@gnu.org>.
-EOF
-    exit $?
-    ;;
-  -v | --v*)
-    echo "compile $scriptversion"
-    exit $?
-    ;;
-esac
-
-ofile=
-cfile=
-eat=
-
-for arg
-do
-  if test -n "$eat"; then
-    eat=
-  else
-    case $1 in
-      -o)
-	# configure might choose to run compile as `compile cc -o foo foo.c'.
-	# So we strip `-o arg' only if arg is an object.
-	eat=1
-	case $2 in
-	  *.o | *.obj)
-	    ofile=$2
-	    ;;
-	  *)
-	    set x "$@" -o "$2"
-	    shift
-	    ;;
-	esac
-	;;
-      *.c)
-	cfile=$1
-	set x "$@" "$1"
-	shift
-	;;
-      *)
-	set x "$@" "$1"
-	shift
-	;;
-    esac
-  fi
-  shift
-done
-
-if test -z "$ofile" || test -z "$cfile"; then
-  # If no `-o' option was seen then we might have been invoked from a
-  # pattern rule where we don't need one.  That is ok -- this is a
-  # normal compilation that the losing compiler can handle.  If no
-  # `.c' file was seen then we are probably linking.  That is also
-  # ok.
-  exec "$@"
-fi
-
-# Name of file we expect compiler to create.
-cofile=`echo "$cfile" | sed -e 's|^.*/||' -e 's/\.c$/.o/'`
-
-# Create the lock directory.
-# Note: use `[/.-]' here to ensure that we don't use the same name
-# that we are using for the .o file.  Also, base the name on the expected
-# object file name, since that is what matters with a parallel build.
-lockdir=`echo "$cofile" | sed -e 's|[/.-]|_|g'`.d
-while true; do
-  if mkdir "$lockdir" >/dev/null 2>&1; then
-    break
-  fi
-  sleep 1
-done
-# FIXME: race condition here if user kills between mkdir and trap.
-trap "rmdir '$lockdir'; exit 1" 1 2 15
-
-# Run the compile.
-"$@"
-ret=$?
-
-if test -f "$cofile"; then
-  mv "$cofile" "$ofile"
-elif test -f "${cofile}bj"; then
-  mv "${cofile}bj" "$ofile"
-fi
-
-rmdir "$lockdir"
-exit $ret
-
-# Local Variables:
-# mode: shell-script
-# sh-indentation: 2
-# eval: (add-hook 'write-file-hooks 'time-stamp)
-# time-stamp-start: "scriptversion="
-# time-stamp-format: "%:y-%02m-%02d.%02H"
-# time-stamp-end: "$"
-# End:
diff --git a/src/charon/plugins/nm/gnome/config.guess b/src/charon/plugins/nm/gnome/config.guess
deleted file mode 100755
index 278f9e9e0..000000000
--- a/src/charon/plugins/nm/gnome/config.guess
+++ /dev/null
@@ -1,1516 +0,0 @@
-#! /bin/sh
-# Attempt to guess a canonical system name.
-#   Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
-#   2000, 2001, 2002, 2003, 2004, 2005, 2006 Free Software Foundation,
-#   Inc.
-
-timestamp='2007-07-22'
-
-# This file is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-# General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA
-# 02110-1301, USA.
-#
-# As a special exception to the GNU General Public License, if you
-# distribute this file as part of a program that contains a
-# configuration script generated by Autoconf, you may include it under
-# the same distribution terms that you use for the rest of that program.
-
-
-# Originally written by Per Bothner <per@bothner.com>.
-# Please send patches to <config-patches@gnu.org>.  Submit a context
-# diff and a properly formatted ChangeLog entry.
-#
-# This script attempts to guess a canonical system name similar to
-# config.sub.  If it succeeds, it prints the system name on stdout, and
-# exits with 0.  Otherwise, it exits with 1.
-#
-# The plan is that this can be called by configure scripts if you
-# don't specify an explicit build system type.
-
-me=`echo "$0" | sed -e 's,.*/,,'`
-
-usage="\
-Usage: $0 [OPTION]
-
-Output the configuration name of the system \`$me' is run on.
-
-Operation modes:
-  -h, --help         print this help, then exit
-  -t, --time-stamp   print date of last modification, then exit
-  -v, --version      print version number, then exit
-
-Report bugs and patches to <config-patches@gnu.org>."
-
-version="\
-GNU config.guess ($timestamp)
-
-Originally written by Per Bothner.
-Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005
-Free Software Foundation, Inc.
-
-This is free software; see the source for copying conditions.  There is NO
-warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
-
-help="
-Try \`$me --help' for more information."
-
-# Parse command line
-while test $# -gt 0 ; do
-  case $1 in
-    --time-stamp | --time* | -t )
-       echo "$timestamp" ; exit ;;
-    --version | -v )
-       echo "$version" ; exit ;;
-    --help | --h* | -h )
-       echo "$usage"; exit ;;
-    -- )     # Stop option processing
-       shift; break ;;
-    - )	# Use stdin as input.
-       break ;;
-    -* )
-       echo "$me: invalid option $1$help" >&2
-       exit 1 ;;
-    * )
-       break ;;
-  esac
-done
-
-if test $# != 0; then
-  echo "$me: too many arguments$help" >&2
-  exit 1
-fi
-
-trap 'exit 1' 1 2 15
-
-# CC_FOR_BUILD -- compiler used by this script. Note that the use of a
-# compiler to aid in system detection is discouraged as it requires
-# temporary files to be created and, as you can see below, it is a
-# headache to deal with in a portable fashion.
-
-# Historically, `CC_FOR_BUILD' used to be named `HOST_CC'. We still
-# use `HOST_CC' if defined, but it is deprecated.
-
-# Portable tmp directory creation inspired by the Autoconf team.
-
-set_cc_for_build='
-trap "exitcode=\$?; (rm -f \$tmpfiles 2>/dev/null; rmdir \$tmp 2>/dev/null) && exit \$exitcode" 0 ;
-trap "rm -f \$tmpfiles 2>/dev/null; rmdir \$tmp 2>/dev/null; exit 1" 1 2 13 15 ;
-: ${TMPDIR=/tmp} ;
- { tmp=`(umask 077 && mktemp -d "$TMPDIR/cgXXXXXX") 2>/dev/null` && test -n "$tmp" && test -d "$tmp" ; } ||
- { test -n "$RANDOM" && tmp=$TMPDIR/cg$$-$RANDOM && (umask 077 && mkdir $tmp) ; } ||
- { tmp=$TMPDIR/cg-$$ && (umask 077 && mkdir $tmp) && echo "Warning: creating insecure temp directory" >&2 ; } ||
- { echo "$me: cannot create a temporary directory in $TMPDIR" >&2 ; exit 1 ; } ;
-dummy=$tmp/dummy ;
-tmpfiles="$dummy.c $dummy.o $dummy.rel $dummy" ;
-case $CC_FOR_BUILD,$HOST_CC,$CC in
- ,,)    echo "int x;" > $dummy.c ;
-	for c in cc gcc c89 c99 ; do
-	  if ($c -c -o $dummy.o $dummy.c) >/dev/null 2>&1 ; then
-	     CC_FOR_BUILD="$c"; break ;
-	  fi ;
-	done ;
-	if test x"$CC_FOR_BUILD" = x ; then
-	  CC_FOR_BUILD=no_compiler_found ;
-	fi
-	;;
- ,,*)   CC_FOR_BUILD=$CC ;;
- ,*,*)  CC_FOR_BUILD=$HOST_CC ;;
-esac ; set_cc_for_build= ;'
-
-# This is needed to find uname on a Pyramid OSx when run in the BSD universe.
-# (ghazi@noc.rutgers.edu 1994-08-24)
-if (test -f /.attbin/uname) >/dev/null 2>&1 ; then
-	PATH=$PATH:/.attbin ; export PATH
-fi
-
-UNAME_MACHINE=`(uname -m) 2>/dev/null` || UNAME_MACHINE=unknown
-UNAME_RELEASE=`(uname -r) 2>/dev/null` || UNAME_RELEASE=unknown
-UNAME_SYSTEM=`(uname -s) 2>/dev/null`  || UNAME_SYSTEM=unknown
-UNAME_VERSION=`(uname -v) 2>/dev/null` || UNAME_VERSION=unknown
-
-# Note: order is significant - the case branches are not exclusive.
-
-case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
-    *:NetBSD:*:*)
-	# NetBSD (nbsd) targets should (where applicable) match one or
-	# more of the tupples: *-*-netbsdelf*, *-*-netbsdaout*,
-	# *-*-netbsdecoff* and *-*-netbsd*.  For targets that recently
-	# switched to ELF, *-*-netbsd* would select the old
-	# object file format.  This provides both forward
-	# compatibility and a consistent mechanism for selecting the
-	# object file format.
-	#
-	# Note: NetBSD doesn't particularly care about the vendor
-	# portion of the name.  We always set it to "unknown".
-	sysctl="sysctl -n hw.machine_arch"
-	UNAME_MACHINE_ARCH=`(/sbin/$sysctl 2>/dev/null || \
-	    /usr/sbin/$sysctl 2>/dev/null || echo unknown)`
-	case "${UNAME_MACHINE_ARCH}" in
-	    armeb) machine=armeb-unknown ;;
-	    arm*) machine=arm-unknown ;;
-	    sh3el) machine=shl-unknown ;;
-	    sh3eb) machine=sh-unknown ;;
-	    sh5el) machine=sh5le-unknown ;;
-	    *) machine=${UNAME_MACHINE_ARCH}-unknown ;;
-	esac
-	# The Operating System including object format, if it has switched
-	# to ELF recently, or will in the future.
-	case "${UNAME_MACHINE_ARCH}" in
-	    arm*|i386|m68k|ns32k|sh3*|sparc|vax)
-		eval $set_cc_for_build
-		if echo __ELF__ | $CC_FOR_BUILD -E - 2>/dev/null \
-			| grep __ELF__ >/dev/null
-		then
-		    # Once all utilities can be ECOFF (netbsdecoff) or a.out (netbsdaout).
-		    # Return netbsd for either.  FIX?
-		    os=netbsd
-		else
-		    os=netbsdelf
-		fi
-		;;
-	    *)
-	        os=netbsd
-		;;
-	esac
-	# The OS release
-	# Debian GNU/NetBSD machines have a different userland, and
-	# thus, need a distinct triplet. However, they do not need
-	# kernel version information, so it can be replaced with a
-	# suitable tag, in the style of linux-gnu.
-	case "${UNAME_VERSION}" in
-	    Debian*)
-		release='-gnu'
-		;;
-	    *)
-		release=`echo ${UNAME_RELEASE}|sed -e 's/[-_].*/\./'`
-		;;
-	esac
-	# Since CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM:
-	# contains redundant information, the shorter form:
-	# CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM is used.
-	echo "${machine}-${os}${release}"
-	exit ;;
-    *:OpenBSD:*:*)
-	UNAME_MACHINE_ARCH=`arch | sed 's/OpenBSD.//'`
-	echo ${UNAME_MACHINE_ARCH}-unknown-openbsd${UNAME_RELEASE}
-	exit ;;
-    *:ekkoBSD:*:*)
-	echo ${UNAME_MACHINE}-unknown-ekkobsd${UNAME_RELEASE}
-	exit ;;
-    *:SolidBSD:*:*)
-	echo ${UNAME_MACHINE}-unknown-solidbsd${UNAME_RELEASE}
-	exit ;;
-    macppc:MirBSD:*:*)
-	echo powerpc-unknown-mirbsd${UNAME_RELEASE}
-	exit ;;
-    *:MirBSD:*:*)
-	echo ${UNAME_MACHINE}-unknown-mirbsd${UNAME_RELEASE}
-	exit ;;
-    alpha:OSF1:*:*)
-	case $UNAME_RELEASE in
-	*4.0)
-		UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $3}'`
-		;;
-	*5.*)
-	        UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $4}'`
-		;;
-	esac
-	# According to Compaq, /usr/sbin/psrinfo has been available on
-	# OSF/1 and Tru64 systems produced since 1995.  I hope that
-	# covers most systems running today.  This code pipes the CPU
-	# types through head -n 1, so we only detect the type of CPU 0.
-	ALPHA_CPU_TYPE=`/usr/sbin/psrinfo -v | sed -n -e 's/^  The alpha \(.*\) processor.*$/\1/p' | head -n 1`
-	case "$ALPHA_CPU_TYPE" in
-	    "EV4 (21064)")
-		UNAME_MACHINE="alpha" ;;
-	    "EV4.5 (21064)")
-		UNAME_MACHINE="alpha" ;;
-	    "LCA4 (21066/21068)")
-		UNAME_MACHINE="alpha" ;;
-	    "EV5 (21164)")
-		UNAME_MACHINE="alphaev5" ;;
-	    "EV5.6 (21164A)")
-		UNAME_MACHINE="alphaev56" ;;
-	    "EV5.6 (21164PC)")
-		UNAME_MACHINE="alphapca56" ;;
-	    "EV5.7 (21164PC)")
-		UNAME_MACHINE="alphapca57" ;;
-	    "EV6 (21264)")
-		UNAME_MACHINE="alphaev6" ;;
-	    "EV6.7 (21264A)")
-		UNAME_MACHINE="alphaev67" ;;
-	    "EV6.8CB (21264C)")
-		UNAME_MACHINE="alphaev68" ;;
-	    "EV6.8AL (21264B)")
-		UNAME_MACHINE="alphaev68" ;;
-	    "EV6.8CX (21264D)")
-		UNAME_MACHINE="alphaev68" ;;
-	    "EV6.9A (21264/EV69A)")
-		UNAME_MACHINE="alphaev69" ;;
-	    "EV7 (21364)")
-		UNAME_MACHINE="alphaev7" ;;
-	    "EV7.9 (21364A)")
-		UNAME_MACHINE="alphaev79" ;;
-	esac
-	# A Pn.n version is a patched version.
-	# A Vn.n version is a released version.
-	# A Tn.n version is a released field test version.
-	# A Xn.n version is an unreleased experimental baselevel.
-	# 1.2 uses "1.2" for uname -r.
-	echo ${UNAME_MACHINE}-dec-osf`echo ${UNAME_RELEASE} | sed -e 's/^[PVTX]//' | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'`
-	exit ;;
-    Alpha\ *:Windows_NT*:*)
-	# How do we know it's Interix rather than the generic POSIX subsystem?
-	# Should we change UNAME_MACHINE based on the output of uname instead
-	# of the specific Alpha model?
-	echo alpha-pc-interix
-	exit ;;
-    21064:Windows_NT:50:3)
-	echo alpha-dec-winnt3.5
-	exit ;;
-    Amiga*:UNIX_System_V:4.0:*)
-	echo m68k-unknown-sysv4
-	exit ;;
-    *:[Aa]miga[Oo][Ss]:*:*)
-	echo ${UNAME_MACHINE}-unknown-amigaos
-	exit ;;
-    *:[Mm]orph[Oo][Ss]:*:*)
-	echo ${UNAME_MACHINE}-unknown-morphos
-	exit ;;
-    *:OS/390:*:*)
-	echo i370-ibm-openedition
-	exit ;;
-    *:z/VM:*:*)
-	echo s390-ibm-zvmoe
-	exit ;;
-    *:OS400:*:*)
-        echo powerpc-ibm-os400
-	exit ;;
-    arm:RISC*:1.[012]*:*|arm:riscix:1.[012]*:*)
-	echo arm-acorn-riscix${UNAME_RELEASE}
-	exit ;;
-    arm:riscos:*:*|arm:RISCOS:*:*)
-	echo arm-unknown-riscos
-	exit ;;
-    SR2?01:HI-UX/MPP:*:* | SR8000:HI-UX/MPP:*:*)
-	echo hppa1.1-hitachi-hiuxmpp
-	exit ;;
-    Pyramid*:OSx*:*:* | MIS*:OSx*:*:* | MIS*:SMP_DC-OSx*:*:*)
-	# akee@wpdis03.wpafb.af.mil (Earle F. Ake) contributed MIS and NILE.
-	if test "`(/bin/universe) 2>/dev/null`" = att ; then
-		echo pyramid-pyramid-sysv3
-	else
-		echo pyramid-pyramid-bsd
-	fi
-	exit ;;
-    NILE*:*:*:dcosx)
-	echo pyramid-pyramid-svr4
-	exit ;;
-    DRS?6000:unix:4.0:6*)
-	echo sparc-icl-nx6
-	exit ;;
-    DRS?6000:UNIX_SV:4.2*:7* | DRS?6000:isis:4.2*:7*)
-	case `/usr/bin/uname -p` in
-	    sparc) echo sparc-icl-nx7; exit ;;
-	esac ;;
-    sun4H:SunOS:5.*:*)
-	echo sparc-hal-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
-	exit ;;
-    sun4*:SunOS:5.*:* | tadpole*:SunOS:5.*:*)
-	echo sparc-sun-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
-	exit ;;
-    i86pc:SunOS:5.*:* | i86xen:SunOS:5.*:*)
-	echo i386-pc-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
-	exit ;;
-    sun4*:SunOS:6*:*)
-	# According to config.sub, this is the proper way to canonicalize
-	# SunOS6.  Hard to guess exactly what SunOS6 will be like, but
-	# it's likely to be more like Solaris than SunOS4.
-	echo sparc-sun-solaris3`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
-	exit ;;
-    sun4*:SunOS:*:*)
-	case "`/usr/bin/arch -k`" in
-	    Series*|S4*)
-		UNAME_RELEASE=`uname -v`
-		;;
-	esac
-	# Japanese Language versions have a version number like `4.1.3-JL'.
-	echo sparc-sun-sunos`echo ${UNAME_RELEASE}|sed -e 's/-/_/'`
-	exit ;;
-    sun3*:SunOS:*:*)
-	echo m68k-sun-sunos${UNAME_RELEASE}
-	exit ;;
-    sun*:*:4.2BSD:*)
-	UNAME_RELEASE=`(sed 1q /etc/motd | awk '{print substr($5,1,3)}') 2>/dev/null`
-	test "x${UNAME_RELEASE}" = "x" && UNAME_RELEASE=3
-	case "`/bin/arch`" in
-	    sun3)
-		echo m68k-sun-sunos${UNAME_RELEASE}
-		;;
-	    sun4)
-		echo sparc-sun-sunos${UNAME_RELEASE}
-		;;
-	esac
-	exit ;;
-    aushp:SunOS:*:*)
-	echo sparc-auspex-sunos${UNAME_RELEASE}
-	exit ;;
-    # The situation for MiNT is a little confusing.  The machine name
-    # can be virtually everything (everything which is not
-    # "atarist" or "atariste" at least should have a processor
-    # > m68000).  The system name ranges from "MiNT" over "FreeMiNT"
-    # to the lowercase version "mint" (or "freemint").  Finally
-    # the system name "TOS" denotes a system which is actually not
-    # MiNT.  But MiNT is downward compatible to TOS, so this should
-    # be no problem.
-    atarist[e]:*MiNT:*:* | atarist[e]:*mint:*:* | atarist[e]:*TOS:*:*)
-        echo m68k-atari-mint${UNAME_RELEASE}
-	exit ;;
-    atari*:*MiNT:*:* | atari*:*mint:*:* | atarist[e]:*TOS:*:*)
-	echo m68k-atari-mint${UNAME_RELEASE}
-        exit ;;
-    *falcon*:*MiNT:*:* | *falcon*:*mint:*:* | *falcon*:*TOS:*:*)
-        echo m68k-atari-mint${UNAME_RELEASE}
-	exit ;;
-    milan*:*MiNT:*:* | milan*:*mint:*:* | *milan*:*TOS:*:*)
-        echo m68k-milan-mint${UNAME_RELEASE}
-        exit ;;
-    hades*:*MiNT:*:* | hades*:*mint:*:* | *hades*:*TOS:*:*)
-        echo m68k-hades-mint${UNAME_RELEASE}
-        exit ;;
-    *:*MiNT:*:* | *:*mint:*:* | *:*TOS:*:*)
-        echo m68k-unknown-mint${UNAME_RELEASE}
-        exit ;;
-    m68k:machten:*:*)
-	echo m68k-apple-machten${UNAME_RELEASE}
-	exit ;;
-    powerpc:machten:*:*)
-	echo powerpc-apple-machten${UNAME_RELEASE}
-	exit ;;
-    RISC*:Mach:*:*)
-	echo mips-dec-mach_bsd4.3
-	exit ;;
-    RISC*:ULTRIX:*:*)
-	echo mips-dec-ultrix${UNAME_RELEASE}
-	exit ;;
-    VAX*:ULTRIX*:*:*)
-	echo vax-dec-ultrix${UNAME_RELEASE}
-	exit ;;
-    2020:CLIX:*:* | 2430:CLIX:*:*)
-	echo clipper-intergraph-clix${UNAME_RELEASE}
-	exit ;;
-    mips:*:*:UMIPS | mips:*:*:RISCos)
-	eval $set_cc_for_build
-	sed 's/^	//' << EOF >$dummy.c
-#ifdef __cplusplus
-#include <stdio.h>  /* for printf() prototype */
-	int main (int argc, char *argv[]) {
-#else
-	int main (argc, argv) int argc; char *argv[]; {
-#endif
-	#if defined (host_mips) && defined (MIPSEB)
-	#if defined (SYSTYPE_SYSV)
-	  printf ("mips-mips-riscos%ssysv\n", argv[1]); exit (0);
-	#endif
-	#if defined (SYSTYPE_SVR4)
-	  printf ("mips-mips-riscos%ssvr4\n", argv[1]); exit (0);
-	#endif
-	#if defined (SYSTYPE_BSD43) || defined(SYSTYPE_BSD)
-	  printf ("mips-mips-riscos%sbsd\n", argv[1]); exit (0);
-	#endif
-	#endif
-	  exit (-1);
-	}
-EOF
-	$CC_FOR_BUILD -o $dummy $dummy.c &&
-	  dummyarg=`echo "${UNAME_RELEASE}" | sed -n 's/\([0-9]*\).*/\1/p'` &&
-	  SYSTEM_NAME=`$dummy $dummyarg` &&
-	    { echo "$SYSTEM_NAME"; exit; }
-	echo mips-mips-riscos${UNAME_RELEASE}
-	exit ;;
-    Motorola:PowerMAX_OS:*:*)
-	echo powerpc-motorola-powermax
-	exit ;;
-    Motorola:*:4.3:PL8-*)
-	echo powerpc-harris-powermax
-	exit ;;
-    Night_Hawk:*:*:PowerMAX_OS | Synergy:PowerMAX_OS:*:*)
-	echo powerpc-harris-powermax
-	exit ;;
-    Night_Hawk:Power_UNIX:*:*)
-	echo powerpc-harris-powerunix
-	exit ;;
-    m88k:CX/UX:7*:*)
-	echo m88k-harris-cxux7
-	exit ;;
-    m88k:*:4*:R4*)
-	echo m88k-motorola-sysv4
-	exit ;;
-    m88k:*:3*:R3*)
-	echo m88k-motorola-sysv3
-	exit ;;
-    AViiON:dgux:*:*)
-        # DG/UX returns AViiON for all architectures
-        UNAME_PROCESSOR=`/usr/bin/uname -p`
-	if [ $UNAME_PROCESSOR = mc88100 ] || [ $UNAME_PROCESSOR = mc88110 ]
-	then
-	    if [ ${TARGET_BINARY_INTERFACE}x = m88kdguxelfx ] || \
-	       [ ${TARGET_BINARY_INTERFACE}x = x ]
-	    then
-		echo m88k-dg-dgux${UNAME_RELEASE}
-	    else
-		echo m88k-dg-dguxbcs${UNAME_RELEASE}
-	    fi
-	else
-	    echo i586-dg-dgux${UNAME_RELEASE}
-	fi
- 	exit ;;
-    M88*:DolphinOS:*:*)	# DolphinOS (SVR3)
-	echo m88k-dolphin-sysv3
-	exit ;;
-    M88*:*:R3*:*)
-	# Delta 88k system running SVR3
-	echo m88k-motorola-sysv3
-	exit ;;
-    XD88*:*:*:*) # Tektronix XD88 system running UTekV (SVR3)
-	echo m88k-tektronix-sysv3
-	exit ;;
-    Tek43[0-9][0-9]:UTek:*:*) # Tektronix 4300 system running UTek (BSD)
-	echo m68k-tektronix-bsd
-	exit ;;
-    *:IRIX*:*:*)
-	echo mips-sgi-irix`echo ${UNAME_RELEASE}|sed -e 's/-/_/g'`
-	exit ;;
-    ????????:AIX?:[12].1:2)   # AIX 2.2.1 or AIX 2.1.1 is RT/PC AIX.
-	echo romp-ibm-aix     # uname -m gives an 8 hex-code CPU id
-	exit ;;               # Note that: echo "'`uname -s`'" gives 'AIX '
-    i*86:AIX:*:*)
-	echo i386-ibm-aix
-	exit ;;
-    ia64:AIX:*:*)
-	if [ -x /usr/bin/oslevel ] ; then
-		IBM_REV=`/usr/bin/oslevel`
-	else
-		IBM_REV=${UNAME_VERSION}.${UNAME_RELEASE}
-	fi
-	echo ${UNAME_MACHINE}-ibm-aix${IBM_REV}
-	exit ;;
-    *:AIX:2:3)
-	if grep bos325 /usr/include/stdio.h >/dev/null 2>&1; then
-		eval $set_cc_for_build
-		sed 's/^		//' << EOF >$dummy.c
-		#include <sys/systemcfg.h>
-
-		main()
-			{
-			if (!__power_pc())
-				exit(1);
-			puts("powerpc-ibm-aix3.2.5");
-			exit(0);
-			}
-EOF
-		if $CC_FOR_BUILD -o $dummy $dummy.c && SYSTEM_NAME=`$dummy`
-		then
-			echo "$SYSTEM_NAME"
-		else
-			echo rs6000-ibm-aix3.2.5
-		fi
-	elif grep bos324 /usr/include/stdio.h >/dev/null 2>&1; then
-		echo rs6000-ibm-aix3.2.4
-	else
-		echo rs6000-ibm-aix3.2
-	fi
-	exit ;;
-    *:AIX:*:[45])
-	IBM_CPU_ID=`/usr/sbin/lsdev -C -c processor -S available | sed 1q | awk '{ print $1 }'`
-	if /usr/sbin/lsattr -El ${IBM_CPU_ID} | grep ' POWER' >/dev/null 2>&1; then
-		IBM_ARCH=rs6000
-	else
-		IBM_ARCH=powerpc
-	fi
-	if [ -x /usr/bin/oslevel ] ; then
-		IBM_REV=`/usr/bin/oslevel`
-	else
-		IBM_REV=${UNAME_VERSION}.${UNAME_RELEASE}
-	fi
-	echo ${IBM_ARCH}-ibm-aix${IBM_REV}
-	exit ;;
-    *:AIX:*:*)
-	echo rs6000-ibm-aix
-	exit ;;
-    ibmrt:4.4BSD:*|romp-ibm:BSD:*)
-	echo romp-ibm-bsd4.4
-	exit ;;
-    ibmrt:*BSD:*|romp-ibm:BSD:*)            # covers RT/PC BSD and
-	echo romp-ibm-bsd${UNAME_RELEASE}   # 4.3 with uname added to
-	exit ;;                             # report: romp-ibm BSD 4.3
-    *:BOSX:*:*)
-	echo rs6000-bull-bosx
-	exit ;;
-    DPX/2?00:B.O.S.:*:*)
-	echo m68k-bull-sysv3
-	exit ;;
-    9000/[34]??:4.3bsd:1.*:*)
-	echo m68k-hp-bsd
-	exit ;;
-    hp300:4.4BSD:*:* | 9000/[34]??:4.3bsd:2.*:*)
-	echo m68k-hp-bsd4.4
-	exit ;;
-    9000/[34678]??:HP-UX:*:*)
-	HPUX_REV=`echo ${UNAME_RELEASE}|sed -e 's/[^.]*.[0B]*//'`
-	case "${UNAME_MACHINE}" in
-	    9000/31? )            HP_ARCH=m68000 ;;
-	    9000/[34]?? )         HP_ARCH=m68k ;;
-	    9000/[678][0-9][0-9])
-		if [ -x /usr/bin/getconf ]; then
-		    sc_cpu_version=`/usr/bin/getconf SC_CPU_VERSION 2>/dev/null`
-                    sc_kernel_bits=`/usr/bin/getconf SC_KERNEL_BITS 2>/dev/null`
-                    case "${sc_cpu_version}" in
-                      523) HP_ARCH="hppa1.0" ;; # CPU_PA_RISC1_0
-                      528) HP_ARCH="hppa1.1" ;; # CPU_PA_RISC1_1
-                      532)                      # CPU_PA_RISC2_0
-                        case "${sc_kernel_bits}" in
-                          32) HP_ARCH="hppa2.0n" ;;
-                          64) HP_ARCH="hppa2.0w" ;;
-			  '') HP_ARCH="hppa2.0" ;;   # HP-UX 10.20
-                        esac ;;
-                    esac
-		fi
-		if [ "${HP_ARCH}" = "" ]; then
-		    eval $set_cc_for_build
-		    sed 's/^              //' << EOF >$dummy.c
-
-              #define _HPUX_SOURCE
-              #include <stdlib.h>
-              #include <unistd.h>
-
-              int main ()
-              {
-              #if defined(_SC_KERNEL_BITS)
-                  long bits = sysconf(_SC_KERNEL_BITS);
-              #endif
-                  long cpu  = sysconf (_SC_CPU_VERSION);
-
-                  switch (cpu)
-              	{
-              	case CPU_PA_RISC1_0: puts ("hppa1.0"); break;
-              	case CPU_PA_RISC1_1: puts ("hppa1.1"); break;
-              	case CPU_PA_RISC2_0:
-              #if defined(_SC_KERNEL_BITS)
-              	    switch (bits)
-              		{
-              		case 64: puts ("hppa2.0w"); break;
-              		case 32: puts ("hppa2.0n"); break;
-              		default: puts ("hppa2.0"); break;
-              		} break;
-              #else  /* !defined(_SC_KERNEL_BITS) */
-              	    puts ("hppa2.0"); break;
-              #endif
-              	default: puts ("hppa1.0"); break;
-              	}
-                  exit (0);
-              }
-EOF
-		    (CCOPTS= $CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null) && HP_ARCH=`$dummy`
-		    test -z "$HP_ARCH" && HP_ARCH=hppa
-		fi ;;
-	esac
-	if [ ${HP_ARCH} = "hppa2.0w" ]
-	then
-	    eval $set_cc_for_build
-
-	    # hppa2.0w-hp-hpux* has a 64-bit kernel and a compiler generating
-	    # 32-bit code.  hppa64-hp-hpux* has the same kernel and a compiler
-	    # generating 64-bit code.  GNU and HP use different nomenclature:
-	    #
-	    # $ CC_FOR_BUILD=cc ./config.guess
-	    # => hppa2.0w-hp-hpux11.23
-	    # $ CC_FOR_BUILD="cc +DA2.0w" ./config.guess
-	    # => hppa64-hp-hpux11.23
-
-	    if echo __LP64__ | (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) |
-		grep __LP64__ >/dev/null
-	    then
-		HP_ARCH="hppa2.0w"
-	    else
-		HP_ARCH="hppa64"
-	    fi
-	fi
-	echo ${HP_ARCH}-hp-hpux${HPUX_REV}
-	exit ;;
-    ia64:HP-UX:*:*)
-	HPUX_REV=`echo ${UNAME_RELEASE}|sed -e 's/[^.]*.[0B]*//'`
-	echo ia64-hp-hpux${HPUX_REV}
-	exit ;;
-    3050*:HI-UX:*:*)
-	eval $set_cc_for_build
-	sed 's/^	//' << EOF >$dummy.c
-	#include <unistd.h>
-	int
-	main ()
-	{
-	  long cpu = sysconf (_SC_CPU_VERSION);
-	  /* The order matters, because CPU_IS_HP_MC68K erroneously returns
-	     true for CPU_PA_RISC1_0.  CPU_IS_PA_RISC returns correct
-	     results, however.  */
-	  if (CPU_IS_PA_RISC (cpu))
-	    {
-	      switch (cpu)
-		{
-		  case CPU_PA_RISC1_0: puts ("hppa1.0-hitachi-hiuxwe2"); break;
-		  case CPU_PA_RISC1_1: puts ("hppa1.1-hitachi-hiuxwe2"); break;
-		  case CPU_PA_RISC2_0: puts ("hppa2.0-hitachi-hiuxwe2"); break;
-		  default: puts ("hppa-hitachi-hiuxwe2"); break;
-		}
-	    }
-	  else if (CPU_IS_HP_MC68K (cpu))
-	    puts ("m68k-hitachi-hiuxwe2");
-	  else puts ("unknown-hitachi-hiuxwe2");
-	  exit (0);
-	}
-EOF
-	$CC_FOR_BUILD -o $dummy $dummy.c && SYSTEM_NAME=`$dummy` &&
-		{ echo "$SYSTEM_NAME"; exit; }
-	echo unknown-hitachi-hiuxwe2
-	exit ;;
-    9000/7??:4.3bsd:*:* | 9000/8?[79]:4.3bsd:*:* )
-	echo hppa1.1-hp-bsd
-	exit ;;
-    9000/8??:4.3bsd:*:*)
-	echo hppa1.0-hp-bsd
-	exit ;;
-    *9??*:MPE/iX:*:* | *3000*:MPE/iX:*:*)
-	echo hppa1.0-hp-mpeix
-	exit ;;
-    hp7??:OSF1:*:* | hp8?[79]:OSF1:*:* )
-	echo hppa1.1-hp-osf
-	exit ;;
-    hp8??:OSF1:*:*)
-	echo hppa1.0-hp-osf
-	exit ;;
-    i*86:OSF1:*:*)
-	if [ -x /usr/sbin/sysversion ] ; then
-	    echo ${UNAME_MACHINE}-unknown-osf1mk
-	else
-	    echo ${UNAME_MACHINE}-unknown-osf1
-	fi
-	exit ;;
-    parisc*:Lites*:*:*)
-	echo hppa1.1-hp-lites
-	exit ;;
-    C1*:ConvexOS:*:* | convex:ConvexOS:C1*:*)
-	echo c1-convex-bsd
-        exit ;;
-    C2*:ConvexOS:*:* | convex:ConvexOS:C2*:*)
-	if getsysinfo -f scalar_acc
-	then echo c32-convex-bsd
-	else echo c2-convex-bsd
-	fi
-        exit ;;
-    C34*:ConvexOS:*:* | convex:ConvexOS:C34*:*)
-	echo c34-convex-bsd
-        exit ;;
-    C38*:ConvexOS:*:* | convex:ConvexOS:C38*:*)
-	echo c38-convex-bsd
-        exit ;;
-    C4*:ConvexOS:*:* | convex:ConvexOS:C4*:*)
-	echo c4-convex-bsd
-        exit ;;
-    CRAY*Y-MP:*:*:*)
-	echo ymp-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
-	exit ;;
-    CRAY*[A-Z]90:*:*:*)
-	echo ${UNAME_MACHINE}-cray-unicos${UNAME_RELEASE} \
-	| sed -e 's/CRAY.*\([A-Z]90\)/\1/' \
-	      -e y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/abcdefghijklmnopqrstuvwxyz/ \
-	      -e 's/\.[^.]*$/.X/'
-	exit ;;
-    CRAY*TS:*:*:*)
-	echo t90-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
-	exit ;;
-    CRAY*T3E:*:*:*)
-	echo alphaev5-cray-unicosmk${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
-	exit ;;
-    CRAY*SV1:*:*:*)
-	echo sv1-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
-	exit ;;
-    *:UNICOS/mp:*:*)
-	echo craynv-cray-unicosmp${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
-	exit ;;
-    F30[01]:UNIX_System_V:*:* | F700:UNIX_System_V:*:*)
-	FUJITSU_PROC=`uname -m | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'`
-        FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'`
-        FUJITSU_REL=`echo ${UNAME_RELEASE} | sed -e 's/ /_/'`
-        echo "${FUJITSU_PROC}-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}"
-        exit ;;
-    5000:UNIX_System_V:4.*:*)
-        FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'`
-        FUJITSU_REL=`echo ${UNAME_RELEASE} | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/ /_/'`
-        echo "sparc-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}"
-	exit ;;
-    i*86:BSD/386:*:* | i*86:BSD/OS:*:* | *:Ascend\ Embedded/OS:*:*)
-	echo ${UNAME_MACHINE}-pc-bsdi${UNAME_RELEASE}
-	exit ;;
-    sparc*:BSD/OS:*:*)
-	echo sparc-unknown-bsdi${UNAME_RELEASE}
-	exit ;;
-    *:BSD/OS:*:*)
-	echo ${UNAME_MACHINE}-unknown-bsdi${UNAME_RELEASE}
-	exit ;;
-    *:FreeBSD:*:*)
-	case ${UNAME_MACHINE} in
-	    pc98)
-		echo i386-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;;
-	    amd64)
-		echo x86_64-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;;
-	    *)
-		echo ${UNAME_MACHINE}-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;;
-	esac
-	exit ;;
-    i*:CYGWIN*:*)
-	echo ${UNAME_MACHINE}-pc-cygwin
-	exit ;;
-    *:MINGW*:*)
-	echo ${UNAME_MACHINE}-pc-mingw32
-	exit ;;
-    i*:windows32*:*)
-    	# uname -m includes "-pc" on this system.
-    	echo ${UNAME_MACHINE}-mingw32
-	exit ;;
-    i*:PW*:*)
-	echo ${UNAME_MACHINE}-pc-pw32
-	exit ;;
-    *:Interix*:[3456]*)
-    	case ${UNAME_MACHINE} in
-	    x86)
-		echo i586-pc-interix${UNAME_RELEASE}
-		exit ;;
-	    EM64T | authenticamd)
-		echo x86_64-unknown-interix${UNAME_RELEASE}
-		exit ;;
-	esac ;;
-    [345]86:Windows_95:* | [345]86:Windows_98:* | [345]86:Windows_NT:*)
-	echo i${UNAME_MACHINE}-pc-mks
-	exit ;;
-    i*:Windows_NT*:* | Pentium*:Windows_NT*:*)
-	# How do we know it's Interix rather than the generic POSIX subsystem?
-	# It also conflicts with pre-2.0 versions of AT&T UWIN. Should we
-	# UNAME_MACHINE based on the output of uname instead of i386?
-	echo i586-pc-interix
-	exit ;;
-    i*:UWIN*:*)
-	echo ${UNAME_MACHINE}-pc-uwin
-	exit ;;
-    amd64:CYGWIN*:*:* | x86_64:CYGWIN*:*:*)
-	echo x86_64-unknown-cygwin
-	exit ;;
-    p*:CYGWIN*:*)
-	echo powerpcle-unknown-cygwin
-	exit ;;
-    prep*:SunOS:5.*:*)
-	echo powerpcle-unknown-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
-	exit ;;
-    *:GNU:*:*)
-	# the GNU system
-	echo `echo ${UNAME_MACHINE}|sed -e 's,[-/].*$,,'`-unknown-gnu`echo ${UNAME_RELEASE}|sed -e 's,/.*$,,'`
-	exit ;;
-    *:GNU/*:*:*)
-	# other systems with GNU libc and userland
-	echo ${UNAME_MACHINE}-unknown-`echo ${UNAME_SYSTEM} | sed 's,^[^/]*/,,' | tr '[A-Z]' '[a-z]'``echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`-gnu
-	exit ;;
-    i*86:Minix:*:*)
-	echo ${UNAME_MACHINE}-pc-minix
-	exit ;;
-    arm*:Linux:*:*)
-	echo ${UNAME_MACHINE}-unknown-linux-gnu
-	exit ;;
-    avr32*:Linux:*:*)
-	echo ${UNAME_MACHINE}-unknown-linux-gnu
-	exit ;;
-    cris:Linux:*:*)
-	echo cris-axis-linux-gnu
-	exit ;;
-    crisv32:Linux:*:*)
-	echo crisv32-axis-linux-gnu
-	exit ;;
-    frv:Linux:*:*)
-    	echo frv-unknown-linux-gnu
-	exit ;;
-    ia64:Linux:*:*)
-	echo ${UNAME_MACHINE}-unknown-linux-gnu
-	exit ;;
-    m32r*:Linux:*:*)
-	echo ${UNAME_MACHINE}-unknown-linux-gnu
-	exit ;;
-    m68*:Linux:*:*)
-	echo ${UNAME_MACHINE}-unknown-linux-gnu
-	exit ;;
-    mips:Linux:*:*)
-	eval $set_cc_for_build
-	sed 's/^	//' << EOF >$dummy.c
-	#undef CPU
-	#undef mips
-	#undef mipsel
-	#if defined(__MIPSEL__) || defined(__MIPSEL) || defined(_MIPSEL) || defined(MIPSEL)
-	CPU=mipsel
-	#else
-	#if defined(__MIPSEB__) || defined(__MIPSEB) || defined(_MIPSEB) || defined(MIPSEB)
-	CPU=mips
-	#else
-	CPU=
-	#endif
-	#endif
-EOF
-	eval "`$CC_FOR_BUILD -E $dummy.c 2>/dev/null | sed -n '
-	    /^CPU/{
-		s: ::g
-		p
-	    }'`"
-	test x"${CPU}" != x && { echo "${CPU}-unknown-linux-gnu"; exit; }
-	;;
-    mips64:Linux:*:*)
-	eval $set_cc_for_build
-	sed 's/^	//' << EOF >$dummy.c
-	#undef CPU
-	#undef mips64
-	#undef mips64el
-	#if defined(__MIPSEL__) || defined(__MIPSEL) || defined(_MIPSEL) || defined(MIPSEL)
-	CPU=mips64el
-	#else
-	#if defined(__MIPSEB__) || defined(__MIPSEB) || defined(_MIPSEB) || defined(MIPSEB)
-	CPU=mips64
-	#else
-	CPU=
-	#endif
-	#endif
-EOF
-	eval "`$CC_FOR_BUILD -E $dummy.c 2>/dev/null | sed -n '
-	    /^CPU/{
-		s: ::g
-		p
-	    }'`"
-	test x"${CPU}" != x && { echo "${CPU}-unknown-linux-gnu"; exit; }
-	;;
-    or32:Linux:*:*)
-	echo or32-unknown-linux-gnu
-	exit ;;
-    ppc:Linux:*:*)
-	echo powerpc-unknown-linux-gnu
-	exit ;;
-    ppc64:Linux:*:*)
-	echo powerpc64-unknown-linux-gnu
-	exit ;;
-    alpha:Linux:*:*)
-	case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' < /proc/cpuinfo` in
-	  EV5)   UNAME_MACHINE=alphaev5 ;;
-	  EV56)  UNAME_MACHINE=alphaev56 ;;
-	  PCA56) UNAME_MACHINE=alphapca56 ;;
-	  PCA57) UNAME_MACHINE=alphapca56 ;;
-	  EV6)   UNAME_MACHINE=alphaev6 ;;
-	  EV67)  UNAME_MACHINE=alphaev67 ;;
-	  EV68*) UNAME_MACHINE=alphaev68 ;;
-        esac
-	objdump --private-headers /bin/sh | grep ld.so.1 >/dev/null
-	if test "$?" = 0 ; then LIBC="libc1" ; else LIBC="" ; fi
-	echo ${UNAME_MACHINE}-unknown-linux-gnu${LIBC}
-	exit ;;
-    parisc:Linux:*:* | hppa:Linux:*:*)
-	# Look for CPU level
-	case `grep '^cpu[^a-z]*:' /proc/cpuinfo 2>/dev/null | cut -d' ' -f2` in
-	  PA7*) echo hppa1.1-unknown-linux-gnu ;;
-	  PA8*) echo hppa2.0-unknown-linux-gnu ;;
-	  *)    echo hppa-unknown-linux-gnu ;;
-	esac
-	exit ;;
-    parisc64:Linux:*:* | hppa64:Linux:*:*)
-	echo hppa64-unknown-linux-gnu
-	exit ;;
-    s390:Linux:*:* | s390x:Linux:*:*)
-	echo ${UNAME_MACHINE}-ibm-linux
-	exit ;;
-    sh64*:Linux:*:*)
-    	echo ${UNAME_MACHINE}-unknown-linux-gnu
-	exit ;;
-    sh*:Linux:*:*)
-	echo ${UNAME_MACHINE}-unknown-linux-gnu
-	exit ;;
-    sparc:Linux:*:* | sparc64:Linux:*:*)
-	echo ${UNAME_MACHINE}-unknown-linux-gnu
-	exit ;;
-    vax:Linux:*:*)
-	echo ${UNAME_MACHINE}-dec-linux-gnu
-	exit ;;
-    x86_64:Linux:*:*)
-	echo x86_64-unknown-linux-gnu
-	exit ;;
-    xtensa:Linux:*:*)
-    	echo xtensa-unknown-linux-gnu
-	exit ;;
-    i*86:Linux:*:*)
-	# The BFD linker knows what the default object file format is, so
-	# first see if it will tell us. cd to the root directory to prevent
-	# problems with other programs or directories called `ld' in the path.
-	# Set LC_ALL=C to ensure ld outputs messages in English.
-	ld_supported_targets=`cd /; LC_ALL=C ld --help 2>&1 \
-			 | sed -ne '/supported targets:/!d
-				    s/[ 	][ 	]*/ /g
-				    s/.*supported targets: *//
-				    s/ .*//
-				    p'`
-        case "$ld_supported_targets" in
-	  elf32-i386)
-		TENTATIVE="${UNAME_MACHINE}-pc-linux-gnu"
-		;;
-	  a.out-i386-linux)
-		echo "${UNAME_MACHINE}-pc-linux-gnuaout"
-		exit ;;
-	  coff-i386)
-		echo "${UNAME_MACHINE}-pc-linux-gnucoff"
-		exit ;;
-	  "")
-		# Either a pre-BFD a.out linker (linux-gnuoldld) or
-		# one that does not give us useful --help.
-		echo "${UNAME_MACHINE}-pc-linux-gnuoldld"
-		exit ;;
-	esac
-	# Determine whether the default compiler is a.out or elf
-	eval $set_cc_for_build
-	sed 's/^	//' << EOF >$dummy.c
-	#include <features.h>
-	#ifdef __ELF__
-	# ifdef __GLIBC__
-	#  if __GLIBC__ >= 2
-	LIBC=gnu
-	#  else
-	LIBC=gnulibc1
-	#  endif
-	# else
-	LIBC=gnulibc1
-	# endif
-	#else
-	#if defined(__INTEL_COMPILER) || defined(__PGI) || defined(__SUNPRO_C) || defined(__SUNPRO_CC)
-	LIBC=gnu
-	#else
-	LIBC=gnuaout
-	#endif
-	#endif
-	#ifdef __dietlibc__
-	LIBC=dietlibc
-	#endif
-EOF
-	eval "`$CC_FOR_BUILD -E $dummy.c 2>/dev/null | sed -n '
-	    /^LIBC/{
-		s: ::g
-		p
-	    }'`"
-	test x"${LIBC}" != x && {
-		echo "${UNAME_MACHINE}-pc-linux-${LIBC}"
-		exit
-	}
-	test x"${TENTATIVE}" != x && { echo "${TENTATIVE}"; exit; }
-	;;
-    i*86:DYNIX/ptx:4*:*)
-	# ptx 4.0 does uname -s correctly, with DYNIX/ptx in there.
-	# earlier versions are messed up and put the nodename in both
-	# sysname and nodename.
-	echo i386-sequent-sysv4
-	exit ;;
-    i*86:UNIX_SV:4.2MP:2.*)
-        # Unixware is an offshoot of SVR4, but it has its own version
-        # number series starting with 2...
-        # I am not positive that other SVR4 systems won't match this,
-	# I just have to hope.  -- rms.
-        # Use sysv4.2uw... so that sysv4* matches it.
-	echo ${UNAME_MACHINE}-pc-sysv4.2uw${UNAME_VERSION}
-	exit ;;
-    i*86:OS/2:*:*)
-	# If we were able to find `uname', then EMX Unix compatibility
-	# is probably installed.
-	echo ${UNAME_MACHINE}-pc-os2-emx
-	exit ;;
-    i*86:XTS-300:*:STOP)
-	echo ${UNAME_MACHINE}-unknown-stop
-	exit ;;
-    i*86:atheos:*:*)
-	echo ${UNAME_MACHINE}-unknown-atheos
-	exit ;;
-    i*86:syllable:*:*)
-	echo ${UNAME_MACHINE}-pc-syllable
-	exit ;;
-    i*86:LynxOS:2.*:* | i*86:LynxOS:3.[01]*:* | i*86:LynxOS:4.0*:*)
-	echo i386-unknown-lynxos${UNAME_RELEASE}
-	exit ;;
-    i*86:*DOS:*:*)
-	echo ${UNAME_MACHINE}-pc-msdosdjgpp
-	exit ;;
-    i*86:*:4.*:* | i*86:SYSTEM_V:4.*:*)
-	UNAME_REL=`echo ${UNAME_RELEASE} | sed 's/\/MP$//'`
-	if grep Novell /usr/include/link.h >/dev/null 2>/dev/null; then
-		echo ${UNAME_MACHINE}-univel-sysv${UNAME_REL}
-	else
-		echo ${UNAME_MACHINE}-pc-sysv${UNAME_REL}
-	fi
-	exit ;;
-    i*86:*:5:[678]*)
-    	# UnixWare 7.x, OpenUNIX and OpenServer 6.
-	case `/bin/uname -X | grep "^Machine"` in
-	    *486*)	     UNAME_MACHINE=i486 ;;
-	    *Pentium)	     UNAME_MACHINE=i586 ;;
-	    *Pent*|*Celeron) UNAME_MACHINE=i686 ;;
-	esac
-	echo ${UNAME_MACHINE}-unknown-sysv${UNAME_RELEASE}${UNAME_SYSTEM}${UNAME_VERSION}
-	exit ;;
-    i*86:*:3.2:*)
-	if test -f /usr/options/cb.name; then
-		UNAME_REL=`sed -n 's/.*Version //p' </usr/options/cb.name`
-		echo ${UNAME_MACHINE}-pc-isc$UNAME_REL
-	elif /bin/uname -X 2>/dev/null >/dev/null ; then
-		UNAME_REL=`(/bin/uname -X|grep Release|sed -e 's/.*= //')`
-		(/bin/uname -X|grep i80486 >/dev/null) && UNAME_MACHINE=i486
-		(/bin/uname -X|grep '^Machine.*Pentium' >/dev/null) \
-			&& UNAME_MACHINE=i586
-		(/bin/uname -X|grep '^Machine.*Pent *II' >/dev/null) \
-			&& UNAME_MACHINE=i686
-		(/bin/uname -X|grep '^Machine.*Pentium Pro' >/dev/null) \
-			&& UNAME_MACHINE=i686
-		echo ${UNAME_MACHINE}-pc-sco$UNAME_REL
-	else
-		echo ${UNAME_MACHINE}-pc-sysv32
-	fi
-	exit ;;
-    pc:*:*:*)
-	# Left here for compatibility:
-        # uname -m prints for DJGPP always 'pc', but it prints nothing about
-        # the processor, so we play safe by assuming i386.
-	echo i386-pc-msdosdjgpp
-        exit ;;
-    Intel:Mach:3*:*)
-	echo i386-pc-mach3
-	exit ;;
-    paragon:*:*:*)
-	echo i860-intel-osf1
-	exit ;;
-    i860:*:4.*:*) # i860-SVR4
-	if grep Stardent /usr/include/sys/uadmin.h >/dev/null 2>&1 ; then
-	  echo i860-stardent-sysv${UNAME_RELEASE} # Stardent Vistra i860-SVR4
-	else # Add other i860-SVR4 vendors below as they are discovered.
-	  echo i860-unknown-sysv${UNAME_RELEASE}  # Unknown i860-SVR4
-	fi
-	exit ;;
-    mini*:CTIX:SYS*5:*)
-	# "miniframe"
-	echo m68010-convergent-sysv
-	exit ;;
-    mc68k:UNIX:SYSTEM5:3.51m)
-	echo m68k-convergent-sysv
-	exit ;;
-    M680?0:D-NIX:5.3:*)
-	echo m68k-diab-dnix
-	exit ;;
-    M68*:*:R3V[5678]*:*)
-	test -r /sysV68 && { echo 'm68k-motorola-sysv'; exit; } ;;
-    3[345]??:*:4.0:3.0 | 3[34]??A:*:4.0:3.0 | 3[34]??,*:*:4.0:3.0 | 3[34]??/*:*:4.0:3.0 | 4400:*:4.0:3.0 | 4850:*:4.0:3.0 | SKA40:*:4.0:3.0 | SDS2:*:4.0:3.0 | SHG2:*:4.0:3.0 | S7501*:*:4.0:3.0)
-	OS_REL=''
-	test -r /etc/.relid \
-	&& OS_REL=.`sed -n 's/[^ ]* [^ ]* \([0-9][0-9]\).*/\1/p' < /etc/.relid`
-	/bin/uname -p 2>/dev/null | grep 86 >/dev/null \
-	  && { echo i486-ncr-sysv4.3${OS_REL}; exit; }
-	/bin/uname -p 2>/dev/null | /bin/grep entium >/dev/null \
-	  && { echo i586-ncr-sysv4.3${OS_REL}; exit; } ;;
-    3[34]??:*:4.0:* | 3[34]??,*:*:4.0:*)
-        /bin/uname -p 2>/dev/null | grep 86 >/dev/null \
-          && { echo i486-ncr-sysv4; exit; } ;;
-    m68*:LynxOS:2.*:* | m68*:LynxOS:3.0*:*)
-	echo m68k-unknown-lynxos${UNAME_RELEASE}
-	exit ;;
-    mc68030:UNIX_System_V:4.*:*)
-	echo m68k-atari-sysv4
-	exit ;;
-    TSUNAMI:LynxOS:2.*:*)
-	echo sparc-unknown-lynxos${UNAME_RELEASE}
-	exit ;;
-    rs6000:LynxOS:2.*:*)
-	echo rs6000-unknown-lynxos${UNAME_RELEASE}
-	exit ;;
-    PowerPC:LynxOS:2.*:* | PowerPC:LynxOS:3.[01]*:* | PowerPC:LynxOS:4.0*:*)
-	echo powerpc-unknown-lynxos${UNAME_RELEASE}
-	exit ;;
-    SM[BE]S:UNIX_SV:*:*)
-	echo mips-dde-sysv${UNAME_RELEASE}
-	exit ;;
-    RM*:ReliantUNIX-*:*:*)
-	echo mips-sni-sysv4
-	exit ;;
-    RM*:SINIX-*:*:*)
-	echo mips-sni-sysv4
-	exit ;;
-    *:SINIX-*:*:*)
-	if uname -p 2>/dev/null >/dev/null ; then
-		UNAME_MACHINE=`(uname -p) 2>/dev/null`
-		echo ${UNAME_MACHINE}-sni-sysv4
-	else
-		echo ns32k-sni-sysv
-	fi
-	exit ;;
-    PENTIUM:*:4.0*:*) # Unisys `ClearPath HMP IX 4000' SVR4/MP effort
-                      # says <Richard.M.Bartel@ccMail.Census.GOV>
-        echo i586-unisys-sysv4
-        exit ;;
-    *:UNIX_System_V:4*:FTX*)
-	# From Gerald Hewes <hewes@openmarket.com>.
-	# How about differentiating between stratus architectures? -djm
-	echo hppa1.1-stratus-sysv4
-	exit ;;
-    *:*:*:FTX*)
-	# From seanf@swdc.stratus.com.
-	echo i860-stratus-sysv4
-	exit ;;
-    i*86:VOS:*:*)
-	# From Paul.Green@stratus.com.
-	echo ${UNAME_MACHINE}-stratus-vos
-	exit ;;
-    *:VOS:*:*)
-	# From Paul.Green@stratus.com.
-	echo hppa1.1-stratus-vos
-	exit ;;
-    mc68*:A/UX:*:*)
-	echo m68k-apple-aux${UNAME_RELEASE}
-	exit ;;
-    news*:NEWS-OS:6*:*)
-	echo mips-sony-newsos6
-	exit ;;
-    R[34]000:*System_V*:*:* | R4000:UNIX_SYSV:*:* | R*000:UNIX_SV:*:*)
-	if [ -d /usr/nec ]; then
-	        echo mips-nec-sysv${UNAME_RELEASE}
-	else
-	        echo mips-unknown-sysv${UNAME_RELEASE}
-	fi
-        exit ;;
-    BeBox:BeOS:*:*)	# BeOS running on hardware made by Be, PPC only.
-	echo powerpc-be-beos
-	exit ;;
-    BeMac:BeOS:*:*)	# BeOS running on Mac or Mac clone, PPC only.
-	echo powerpc-apple-beos
-	exit ;;
-    BePC:BeOS:*:*)	# BeOS running on Intel PC compatible.
-	echo i586-pc-beos
-	exit ;;
-    SX-4:SUPER-UX:*:*)
-	echo sx4-nec-superux${UNAME_RELEASE}
-	exit ;;
-    SX-5:SUPER-UX:*:*)
-	echo sx5-nec-superux${UNAME_RELEASE}
-	exit ;;
-    SX-6:SUPER-UX:*:*)
-	echo sx6-nec-superux${UNAME_RELEASE}
-	exit ;;
-    SX-7:SUPER-UX:*:*)
-	echo sx7-nec-superux${UNAME_RELEASE}
-	exit ;;
-    SX-8:SUPER-UX:*:*)
-	echo sx8-nec-superux${UNAME_RELEASE}
-	exit ;;
-    SX-8R:SUPER-UX:*:*)
-	echo sx8r-nec-superux${UNAME_RELEASE}
-	exit ;;
-    Power*:Rhapsody:*:*)
-	echo powerpc-apple-rhapsody${UNAME_RELEASE}
-	exit ;;
-    *:Rhapsody:*:*)
-	echo ${UNAME_MACHINE}-apple-rhapsody${UNAME_RELEASE}
-	exit ;;
-    *:Darwin:*:*)
-	UNAME_PROCESSOR=`uname -p` || UNAME_PROCESSOR=unknown
-	case $UNAME_PROCESSOR in
-	    unknown) UNAME_PROCESSOR=powerpc ;;
-	esac
-	echo ${UNAME_PROCESSOR}-apple-darwin${UNAME_RELEASE}
-	exit ;;
-    *:procnto*:*:* | *:QNX:[0123456789]*:*)
-	UNAME_PROCESSOR=`uname -p`
-	if test "$UNAME_PROCESSOR" = "x86"; then
-		UNAME_PROCESSOR=i386
-		UNAME_MACHINE=pc
-	fi
-	echo ${UNAME_PROCESSOR}-${UNAME_MACHINE}-nto-qnx${UNAME_RELEASE}
-	exit ;;
-    *:QNX:*:4*)
-	echo i386-pc-qnx
-	exit ;;
-    NSE-?:NONSTOP_KERNEL:*:*)
-	echo nse-tandem-nsk${UNAME_RELEASE}
-	exit ;;
-    NSR-?:NONSTOP_KERNEL:*:*)
-	echo nsr-tandem-nsk${UNAME_RELEASE}
-	exit ;;
-    *:NonStop-UX:*:*)
-	echo mips-compaq-nonstopux
-	exit ;;
-    BS2000:POSIX*:*:*)
-	echo bs2000-siemens-sysv
-	exit ;;
-    DS/*:UNIX_System_V:*:*)
-	echo ${UNAME_MACHINE}-${UNAME_SYSTEM}-${UNAME_RELEASE}
-	exit ;;
-    *:Plan9:*:*)
-	# "uname -m" is not consistent, so use $cputype instead. 386
-	# is converted to i386 for consistency with other x86
-	# operating systems.
-	if test "$cputype" = "386"; then
-	    UNAME_MACHINE=i386
-	else
-	    UNAME_MACHINE="$cputype"
-	fi
-	echo ${UNAME_MACHINE}-unknown-plan9
-	exit ;;
-    *:TOPS-10:*:*)
-	echo pdp10-unknown-tops10
-	exit ;;
-    *:TENEX:*:*)
-	echo pdp10-unknown-tenex
-	exit ;;
-    KS10:TOPS-20:*:* | KL10:TOPS-20:*:* | TYPE4:TOPS-20:*:*)
-	echo pdp10-dec-tops20
-	exit ;;
-    XKL-1:TOPS-20:*:* | TYPE5:TOPS-20:*:*)
-	echo pdp10-xkl-tops20
-	exit ;;
-    *:TOPS-20:*:*)
-	echo pdp10-unknown-tops20
-	exit ;;
-    *:ITS:*:*)
-	echo pdp10-unknown-its
-	exit ;;
-    SEI:*:*:SEIUX)
-        echo mips-sei-seiux${UNAME_RELEASE}
-	exit ;;
-    *:DragonFly:*:*)
-	echo ${UNAME_MACHINE}-unknown-dragonfly`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`
-	exit ;;
-    *:*VMS:*:*)
-    	UNAME_MACHINE=`(uname -p) 2>/dev/null`
-	case "${UNAME_MACHINE}" in
-	    A*) echo alpha-dec-vms ; exit ;;
-	    I*) echo ia64-dec-vms ; exit ;;
-	    V*) echo vax-dec-vms ; exit ;;
-	esac ;;
-    *:XENIX:*:SysV)
-	echo i386-pc-xenix
-	exit ;;
-    i*86:skyos:*:*)
-	echo ${UNAME_MACHINE}-pc-skyos`echo ${UNAME_RELEASE}` | sed -e 's/ .*$//'
-	exit ;;
-    i*86:rdos:*:*)
-	echo ${UNAME_MACHINE}-pc-rdos
-	exit ;;
-esac
-
-#echo '(No uname command or uname output not recognized.)' 1>&2
-#echo "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" 1>&2
-
-eval $set_cc_for_build
-cat >$dummy.c <<EOF
-#ifdef _SEQUENT_
-# include <sys/types.h>
-# include <sys/utsname.h>
-#endif
-main ()
-{
-#if defined (sony)
-#if defined (MIPSEB)
-  /* BFD wants "bsd" instead of "newsos".  Perhaps BFD should be changed,
-     I don't know....  */
-  printf ("mips-sony-bsd\n"); exit (0);
-#else
-#include <sys/param.h>
-  printf ("m68k-sony-newsos%s\n",
-#ifdef NEWSOS4
-          "4"
-#else
-	  ""
-#endif
-         ); exit (0);
-#endif
-#endif
-
-#if defined (__arm) && defined (__acorn) && defined (__unix)
-  printf ("arm-acorn-riscix\n"); exit (0);
-#endif
-
-#if defined (hp300) && !defined (hpux)
-  printf ("m68k-hp-bsd\n"); exit (0);
-#endif
-
-#if defined (NeXT)
-#if !defined (__ARCHITECTURE__)
-#define __ARCHITECTURE__ "m68k"
-#endif
-  int version;
-  version=`(hostinfo | sed -n 's/.*NeXT Mach \([0-9]*\).*/\1/p') 2>/dev/null`;
-  if (version < 4)
-    printf ("%s-next-nextstep%d\n", __ARCHITECTURE__, version);
-  else
-    printf ("%s-next-openstep%d\n", __ARCHITECTURE__, version);
-  exit (0);
-#endif
-
-#if defined (MULTIMAX) || defined (n16)
-#if defined (UMAXV)
-  printf ("ns32k-encore-sysv\n"); exit (0);
-#else
-#if defined (CMU)
-  printf ("ns32k-encore-mach\n"); exit (0);
-#else
-  printf ("ns32k-encore-bsd\n"); exit (0);
-#endif
-#endif
-#endif
-
-#if defined (__386BSD__)
-  printf ("i386-pc-bsd\n"); exit (0);
-#endif
-
-#if defined (sequent)
-#if defined (i386)
-  printf ("i386-sequent-dynix\n"); exit (0);
-#endif
-#if defined (ns32000)
-  printf ("ns32k-sequent-dynix\n"); exit (0);
-#endif
-#endif
-
-#if defined (_SEQUENT_)
-    struct utsname un;
-
-    uname(&un);
-
-    if (strncmp(un.version, "V2", 2) == 0) {
-	printf ("i386-sequent-ptx2\n"); exit (0);
-    }
-    if (strncmp(un.version, "V1", 2) == 0) { /* XXX is V1 correct? */
-	printf ("i386-sequent-ptx1\n"); exit (0);
-    }
-    printf ("i386-sequent-ptx\n"); exit (0);
-
-#endif
-
-#if defined (vax)
-# if !defined (ultrix)
-#  include <sys/param.h>
-#  if defined (BSD)
-#   if BSD == 43
-      printf ("vax-dec-bsd4.3\n"); exit (0);
-#   else
-#    if BSD == 199006
-      printf ("vax-dec-bsd4.3reno\n"); exit (0);
-#    else
-      printf ("vax-dec-bsd\n"); exit (0);
-#    endif
-#   endif
-#  else
-    printf ("vax-dec-bsd\n"); exit (0);
-#  endif
-# else
-    printf ("vax-dec-ultrix\n"); exit (0);
-# endif
-#endif
-
-#if defined (alliant) && defined (i860)
-  printf ("i860-alliant-bsd\n"); exit (0);
-#endif
-
-  exit (1);
-}
-EOF
-
-$CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null && SYSTEM_NAME=`$dummy` &&
-	{ echo "$SYSTEM_NAME"; exit; }
-
-# Apollos put the system type in the environment.
-
-test -d /usr/apollo && { echo ${ISP}-apollo-${SYSTYPE}; exit; }
-
-# Convex versions that predate uname can use getsysinfo(1)
-
-if [ -x /usr/convex/getsysinfo ]
-then
-    case `getsysinfo -f cpu_type` in
-    c1*)
-	echo c1-convex-bsd
-	exit ;;
-    c2*)
-	if getsysinfo -f scalar_acc
-	then echo c32-convex-bsd
-	else echo c2-convex-bsd
-	fi
-	exit ;;
-    c34*)
-	echo c34-convex-bsd
-	exit ;;
-    c38*)
-	echo c38-convex-bsd
-	exit ;;
-    c4*)
-	echo c4-convex-bsd
-	exit ;;
-    esac
-fi
-
-cat >&2 <<EOF
-$0: unable to guess system type
-
-This script, last modified $timestamp, has failed to recognize
-the operating system you are using. It is advised that you
-download the most up to date version of the config scripts from
-
-  http://savannah.gnu.org/cgi-bin/viewcvs/*checkout*/config/config/config.guess
-and
-  http://savannah.gnu.org/cgi-bin/viewcvs/*checkout*/config/config/config.sub
-
-If the version you run ($0) is already up to date, please
-send the following data and any information you think might be
-pertinent to <config-patches@gnu.org> in order to provide the needed
-information to handle your system.
-
-config.guess timestamp = $timestamp
-
-uname -m = `(uname -m) 2>/dev/null || echo unknown`
-uname -r = `(uname -r) 2>/dev/null || echo unknown`
-uname -s = `(uname -s) 2>/dev/null || echo unknown`
-uname -v = `(uname -v) 2>/dev/null || echo unknown`
-
-/usr/bin/uname -p = `(/usr/bin/uname -p) 2>/dev/null`
-/bin/uname -X     = `(/bin/uname -X) 2>/dev/null`
-
-hostinfo               = `(hostinfo) 2>/dev/null`
-/bin/universe          = `(/bin/universe) 2>/dev/null`
-/usr/bin/arch -k       = `(/usr/bin/arch -k) 2>/dev/null`
-/bin/arch              = `(/bin/arch) 2>/dev/null`
-/usr/bin/oslevel       = `(/usr/bin/oslevel) 2>/dev/null`
-/usr/convex/getsysinfo = `(/usr/convex/getsysinfo) 2>/dev/null`
-
-UNAME_MACHINE = ${UNAME_MACHINE}
-UNAME_RELEASE = ${UNAME_RELEASE}
-UNAME_SYSTEM  = ${UNAME_SYSTEM}
-UNAME_VERSION = ${UNAME_VERSION}
-EOF
-
-exit 1
-
-# Local variables:
-# eval: (add-hook 'write-file-hooks 'time-stamp)
-# time-stamp-start: "timestamp='"
-# time-stamp-format: "%:y-%02m-%02d"
-# time-stamp-end: "'"
-# End:
diff --git a/src/charon/plugins/nm/gnome/config.h.in b/src/charon/plugins/nm/gnome/config.h.in
deleted file mode 100644
index 2b64591de..000000000
--- a/src/charon/plugins/nm/gnome/config.h.in
+++ /dev/null
@@ -1,112 +0,0 @@
-/* config.h.in.  Generated from configure.in by autoheader.  */
-
-/* always defined to indicate that i18n is enabled */
-#undef ENABLE_NLS
-
-/* Gettext package */
-#undef GETTEXT_PACKAGE
-
-/* Define to 1 if you have the `bind_textdomain_codeset' function. */
-#undef HAVE_BIND_TEXTDOMAIN_CODESET
-
-/* Define to 1 if you have the `dcgettext' function. */
-#undef HAVE_DCGETTEXT
-
-/* Define to 1 if you have the <dlfcn.h> header file. */
-#undef HAVE_DLFCN_H
-
-/* Define to 1 if you have the <fcntl.h> header file. */
-#undef HAVE_FCNTL_H
-
-/* Define if the GNU gettext() function is already present or preinstalled. */
-#undef HAVE_GETTEXT
-
-/* Define to 1 if you have the <inttypes.h> header file. */
-#undef HAVE_INTTYPES_H
-
-/* Define if your <locale.h> file defines LC_MESSAGES. */
-#undef HAVE_LC_MESSAGES
-
-/* Define to 1 if you have the <locale.h> header file. */
-#undef HAVE_LOCALE_H
-
-/* Define to 1 if you have the <memory.h> header file. */
-#undef HAVE_MEMORY_H
-
-/* Define to 1 if you have the <paths.h> header file. */
-#undef HAVE_PATHS_H
-
-/* Define to 1 if you have the `select' function. */
-#undef HAVE_SELECT
-
-/* Define to 1 if you have the `socket' function. */
-#undef HAVE_SOCKET
-
-/* Define to 1 if you have the <stdint.h> header file. */
-#undef HAVE_STDINT_H
-
-/* Define to 1 if you have the <stdlib.h> header file. */
-#undef HAVE_STDLIB_H
-
-/* Define to 1 if you have the <strings.h> header file. */
-#undef HAVE_STRINGS_H
-
-/* Define to 1 if you have the <string.h> header file. */
-#undef HAVE_STRING_H
-
-/* Define to 1 if you have the <syslog.h> header file. */
-#undef HAVE_SYSLOG_H
-
-/* Define to 1 if you have the <sys/ioctl.h> header file. */
-#undef HAVE_SYS_IOCTL_H
-
-/* Define to 1 if you have the <sys/stat.h> header file. */
-#undef HAVE_SYS_STAT_H
-
-/* Define to 1 if you have the <sys/time.h> header file. */
-#undef HAVE_SYS_TIME_H
-
-/* Define to 1 if you have the <sys/types.h> header file. */
-#undef HAVE_SYS_TYPES_H
-
-/* Define to 1 if you have the `uname' function. */
-#undef HAVE_UNAME
-
-/* Define to 1 if you have the <unistd.h> header file. */
-#undef HAVE_UNISTD_H
-
-/* Define to 1 if your C compiler doesn't accept -c and -o together. */
-#undef NO_MINUS_C_MINUS_O
-
-/* Name of package */
-#undef PACKAGE
-
-/* Define to the address where bug reports for this package should be sent. */
-#undef PACKAGE_BUGREPORT
-
-/* Define to the full name of this package. */
-#undef PACKAGE_NAME
-
-/* Define to the full name and version of this package. */
-#undef PACKAGE_STRING
-
-/* Define to the one symbol short name of this package. */
-#undef PACKAGE_TARNAME
-
-/* Define to the version of this package. */
-#undef PACKAGE_VERSION
-
-/* Define to 1 if you have the ANSI C header files. */
-#undef STDC_HEADERS
-
-/* Define to 1 if you can safely include both <sys/time.h> and <time.h>. */
-#undef TIME_WITH_SYS_TIME
-
-/* Version number of package */
-#undef VERSION
-
-/* Define to `int' if <sys/types.h> does not define. */
-#undef mode_t
-
-/* Define to `int' if <sys/types.h> does not define. */
-#undef pid_t
diff --git a/src/charon/plugins/nm/gnome/config.sub b/src/charon/plugins/nm/gnome/config.sub
deleted file mode 100755
index 1761d8bdf..000000000
--- a/src/charon/plugins/nm/gnome/config.sub
+++ /dev/null
@@ -1,1626 +0,0 @@
-#! /bin/sh
-# Configuration validation subroutine script.
-#   Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
-#   2000, 2001, 2002, 2003, 2004, 2005, 2006 Free Software Foundation,
-#   Inc.
-
-timestamp='2007-06-28'
-
-# This file is (in principle) common to ALL GNU software.
-# The presence of a machine in this file suggests that SOME GNU software
-# can handle that machine.  It does not imply ALL GNU software can.
-#
-# This file is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA
-# 02110-1301, USA.
-#
-# As a special exception to the GNU General Public License, if you
-# distribute this file as part of a program that contains a
-# configuration script generated by Autoconf, you may include it under
-# the same distribution terms that you use for the rest of that program.
-
-
-# Please send patches to <config-patches@gnu.org>.  Submit a context
-# diff and a properly formatted ChangeLog entry.
-#
-# Configuration subroutine to validate and canonicalize a configuration type.
-# Supply the specified configuration type as an argument.
-# If it is invalid, we print an error message on stderr and exit with code 1.
-# Otherwise, we print the canonical config type on stdout and succeed.
-
-# This file is supposed to be the same for all GNU packages
-# and recognize all the CPU types, system types and aliases
-# that are meaningful with *any* GNU software.
-# Each package is responsible for reporting which valid configurations
-# it does not support.  The user should be able to distinguish
-# a failure to support a valid configuration from a meaningless
-# configuration.
-
-# The goal of this file is to map all the various variations of a given
-# machine specification into a single specification in the form:
-#	CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM
-# or in some cases, the newer four-part form:
-#	CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM
-# It is wrong to echo any other type of specification.
-
-me=`echo "$0" | sed -e 's,.*/,,'`
-
-usage="\
-Usage: $0 [OPTION] CPU-MFR-OPSYS
-       $0 [OPTION] ALIAS
-
-Canonicalize a configuration name.
-
-Operation modes:
-  -h, --help         print this help, then exit
-  -t, --time-stamp   print date of last modification, then exit
-  -v, --version      print version number, then exit
-
-Report bugs and patches to <config-patches@gnu.org>."
-
-version="\
-GNU config.sub ($timestamp)
-
-Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005
-Free Software Foundation, Inc.
-
-This is free software; see the source for copying conditions.  There is NO
-warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
-
-help="
-Try \`$me --help' for more information."
-
-# Parse command line
-while test $# -gt 0 ; do
-  case $1 in
-    --time-stamp | --time* | -t )
-       echo "$timestamp" ; exit ;;
-    --version | -v )
-       echo "$version" ; exit ;;
-    --help | --h* | -h )
-       echo "$usage"; exit ;;
-    -- )     # Stop option processing
-       shift; break ;;
-    - )	# Use stdin as input.
-       break ;;
-    -* )
-       echo "$me: invalid option $1$help"
-       exit 1 ;;
-
-    *local*)
-       # First pass through any local machine types.
-       echo $1
-       exit ;;
-
-    * )
-       break ;;
-  esac
-done
-
-case $# in
- 0) echo "$me: missing argument$help" >&2
-    exit 1;;
- 1) ;;
- *) echo "$me: too many arguments$help" >&2
-    exit 1;;
-esac
-
-# Separate what the user gave into CPU-COMPANY and OS or KERNEL-OS (if any).
-# Here we must recognize all the valid KERNEL-OS combinations.
-maybe_os=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\2/'`
-case $maybe_os in
-  nto-qnx* | linux-gnu* | linux-dietlibc | linux-newlib* | linux-uclibc* | \
-  uclinux-uclibc* | uclinux-gnu* | kfreebsd*-gnu* | knetbsd*-gnu* | netbsd*-gnu* | \
-  storm-chaos* | os2-emx* | rtmk-nova*)
-    os=-$maybe_os
-    basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`
-    ;;
-  *)
-    basic_machine=`echo $1 | sed 's/-[^-]*$//'`
-    if [ $basic_machine != $1 ]
-    then os=`echo $1 | sed 's/.*-/-/'`
-    else os=; fi
-    ;;
-esac
-
-### Let's recognize common machines as not being operating systems so
-### that things like config.sub decstation-3100 work.  We also
-### recognize some manufacturers as not being operating systems, so we
-### can provide default operating systems below.
-case $os in
-	-sun*os*)
-		# Prevent following clause from handling this invalid input.
-		;;
-	-dec* | -mips* | -sequent* | -encore* | -pc532* | -sgi* | -sony* | \
-	-att* | -7300* | -3300* | -delta* | -motorola* | -sun[234]* | \
-	-unicom* | -ibm* | -next | -hp | -isi* | -apollo | -altos* | \
-	-convergent* | -ncr* | -news | -32* | -3600* | -3100* | -hitachi* |\
-	-c[123]* | -convex* | -sun | -crds | -omron* | -dg | -ultra | -tti* | \
-	-harris | -dolphin | -highlevel | -gould | -cbm | -ns | -masscomp | \
-	-apple | -axis | -knuth | -cray)
-		os=
-		basic_machine=$1
-		;;
-	-sim | -cisco | -oki | -wec | -winbond)
-		os=
-		basic_machine=$1
-		;;
-	-scout)
-		;;
-	-wrs)
-		os=-vxworks
-		basic_machine=$1
-		;;
-	-chorusos*)
-		os=-chorusos
-		basic_machine=$1
-		;;
- 	-chorusrdb)
- 		os=-chorusrdb
-		basic_machine=$1
- 		;;
-	-hiux*)
-		os=-hiuxwe2
-		;;
-	-sco6)
-		os=-sco5v6
-		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
-		;;
-	-sco5)
-		os=-sco3.2v5
-		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
-		;;
-	-sco4)
-		os=-sco3.2v4
-		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
-		;;
-	-sco3.2.[4-9]*)
-		os=`echo $os | sed -e 's/sco3.2./sco3.2v/'`
-		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
-		;;
-	-sco3.2v[4-9]*)
-		# Don't forget version if it is 3.2v4 or newer.
-		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
-		;;
-	-sco5v6*)
-		# Don't forget version if it is 3.2v4 or newer.
-		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
-		;;
-	-sco*)
-		os=-sco3.2v2
-		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
-		;;
-	-udk*)
-		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
-		;;
-	-isc)
-		os=-isc2.2
-		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
-		;;
-	-clix*)
-		basic_machine=clipper-intergraph
-		;;
-	-isc*)
-		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
-		;;
-	-lynx*)
-		os=-lynxos
-		;;
-	-ptx*)
-		basic_machine=`echo $1 | sed -e 's/86-.*/86-sequent/'`
-		;;
-	-windowsnt*)
-		os=`echo $os | sed -e 's/windowsnt/winnt/'`
-		;;
-	-psos*)
-		os=-psos
-		;;
-	-mint | -mint[0-9]*)
-		basic_machine=m68k-atari
-		os=-mint
-		;;
-esac
-
-# Decode aliases for certain CPU-COMPANY combinations.
-case $basic_machine in
-	# Recognize the basic CPU types without company name.
-	# Some are omitted here because they have special meanings below.
-	1750a | 580 \
-	| a29k \
-	| alpha | alphaev[4-8] | alphaev56 | alphaev6[78] | alphapca5[67] \
-	| alpha64 | alpha64ev[4-8] | alpha64ev56 | alpha64ev6[78] | alpha64pca5[67] \
-	| am33_2.0 \
-	| arc | arm | arm[bl]e | arme[lb] | armv[2345] | armv[345][lb] | avr | avr32 \
-	| bfin \
-	| c4x | clipper \
-	| d10v | d30v | dlx | dsp16xx \
-	| fido | fr30 | frv \
-	| h8300 | h8500 | hppa | hppa1.[01] | hppa2.0 | hppa2.0[nw] | hppa64 \
-	| i370 | i860 | i960 | ia64 \
-	| ip2k | iq2000 \
-	| m32c | m32r | m32rle | m68000 | m68k | m88k \
-	| maxq | mb | microblaze | mcore | mep \
-	| mips | mipsbe | mipseb | mipsel | mipsle \
-	| mips16 \
-	| mips64 | mips64el \
-	| mips64vr | mips64vrel \
-	| mips64orion | mips64orionel \
-	| mips64vr4100 | mips64vr4100el \
-	| mips64vr4300 | mips64vr4300el \
-	| mips64vr5000 | mips64vr5000el \
-	| mips64vr5900 | mips64vr5900el \
-	| mipsisa32 | mipsisa32el \
-	| mipsisa32r2 | mipsisa32r2el \
-	| mipsisa64 | mipsisa64el \
-	| mipsisa64r2 | mipsisa64r2el \
-	| mipsisa64sb1 | mipsisa64sb1el \
-	| mipsisa64sr71k | mipsisa64sr71kel \
-	| mipstx39 | mipstx39el \
-	| mn10200 | mn10300 \
-	| mt \
-	| msp430 \
-	| nios | nios2 \
-	| ns16k | ns32k \
-	| or32 \
-	| pdp10 | pdp11 | pj | pjl \
-	| powerpc | powerpc64 | powerpc64le | powerpcle | ppcbe \
-	| pyramid \
-	| score \
-	| sh | sh[1234] | sh[24]a | sh[23]e | sh[34]eb | sheb | shbe | shle | sh[1234]le | sh3ele \
-	| sh64 | sh64le \
-	| sparc | sparc64 | sparc64b | sparc64v | sparc86x | sparclet | sparclite \
-	| sparcv8 | sparcv9 | sparcv9b | sparcv9v \
-	| spu | strongarm \
-	| tahoe | thumb | tic4x | tic80 | tron \
-	| v850 | v850e \
-	| we32k \
-	| x86 | xc16x | xscale | xscalee[bl] | xstormy16 | xtensa \
-	| z8k)
-		basic_machine=$basic_machine-unknown
-		;;
-	m6811 | m68hc11 | m6812 | m68hc12)
-		# Motorola 68HC11/12.
-		basic_machine=$basic_machine-unknown
-		os=-none
-		;;
-	m88110 | m680[12346]0 | m683?2 | m68360 | m5200 | v70 | w65 | z8k)
-		;;
-	ms1)
-		basic_machine=mt-unknown
-		;;
-
-	# We use `pc' rather than `unknown'
-	# because (1) that's what they normally are, and
-	# (2) the word "unknown" tends to confuse beginning users.
-	i*86 | x86_64)
-	  basic_machine=$basic_machine-pc
-	  ;;
-	# Object if more than one company name word.
-	*-*-*)
-		echo Invalid configuration \`$1\': machine \`$basic_machine\' not recognized 1>&2
-		exit 1
-		;;
-	# Recognize the basic CPU types with company name.
-	580-* \
-	| a29k-* \
-	| alpha-* | alphaev[4-8]-* | alphaev56-* | alphaev6[78]-* \
-	| alpha64-* | alpha64ev[4-8]-* | alpha64ev56-* | alpha64ev6[78]-* \
-	| alphapca5[67]-* | alpha64pca5[67]-* | arc-* \
-	| arm-*  | armbe-* | armle-* | armeb-* | armv*-* \
-	| avr-* | avr32-* \
-	| bfin-* | bs2000-* \
-	| c[123]* | c30-* | [cjt]90-* | c4x-* | c54x-* | c55x-* | c6x-* \
-	| clipper-* | craynv-* | cydra-* \
-	| d10v-* | d30v-* | dlx-* \
-	| elxsi-* \
-	| f30[01]-* | f700-* | fido-* | fr30-* | frv-* | fx80-* \
-	| h8300-* | h8500-* \
-	| hppa-* | hppa1.[01]-* | hppa2.0-* | hppa2.0[nw]-* | hppa64-* \
-	| i*86-* | i860-* | i960-* | ia64-* \
-	| ip2k-* | iq2000-* \
-	| m32c-* | m32r-* | m32rle-* \
-	| m68000-* | m680[012346]0-* | m68360-* | m683?2-* | m68k-* \
-	| m88110-* | m88k-* | maxq-* | mcore-* \
-	| mips-* | mipsbe-* | mipseb-* | mipsel-* | mipsle-* \
-	| mips16-* \
-	| mips64-* | mips64el-* \
-	| mips64vr-* | mips64vrel-* \
-	| mips64orion-* | mips64orionel-* \
-	| mips64vr4100-* | mips64vr4100el-* \
-	| mips64vr4300-* | mips64vr4300el-* \
-	| mips64vr5000-* | mips64vr5000el-* \
-	| mips64vr5900-* | mips64vr5900el-* \
-	| mipsisa32-* | mipsisa32el-* \
-	| mipsisa32r2-* | mipsisa32r2el-* \
-	| mipsisa64-* | mipsisa64el-* \
-	| mipsisa64r2-* | mipsisa64r2el-* \
-	| mipsisa64sb1-* | mipsisa64sb1el-* \
-	| mipsisa64sr71k-* | mipsisa64sr71kel-* \
-	| mipstx39-* | mipstx39el-* \
-	| mmix-* \
-	| mt-* \
-	| msp430-* \
-	| nios-* | nios2-* \
-	| none-* | np1-* | ns16k-* | ns32k-* \
-	| orion-* \
-	| pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \
-	| powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* | ppcbe-* \
-	| pyramid-* \
-	| romp-* | rs6000-* \
-	| sh-* | sh[1234]-* | sh[24]a-* | sh[23]e-* | sh[34]eb-* | sheb-* | shbe-* \
-	| shle-* | sh[1234]le-* | sh3ele-* | sh64-* | sh64le-* \
-	| sparc-* | sparc64-* | sparc64b-* | sparc64v-* | sparc86x-* | sparclet-* \
-	| sparclite-* \
-	| sparcv8-* | sparcv9-* | sparcv9b-* | sparcv9v-* | strongarm-* | sv1-* | sx?-* \
-	| tahoe-* | thumb-* \
-	| tic30-* | tic4x-* | tic54x-* | tic55x-* | tic6x-* | tic80-* \
-	| tron-* \
-	| v850-* | v850e-* | vax-* \
-	| we32k-* \
-	| x86-* | x86_64-* | xc16x-* | xps100-* | xscale-* | xscalee[bl]-* \
-	| xstormy16-* | xtensa-* \
-	| ymp-* \
-	| z8k-*)
-		;;
-	# Recognize the various machine names and aliases which stand
-	# for a CPU type and a company and sometimes even an OS.
-	386bsd)
-		basic_machine=i386-unknown
-		os=-bsd
-		;;
-	3b1 | 7300 | 7300-att | att-7300 | pc7300 | safari | unixpc)
-		basic_machine=m68000-att
-		;;
-	3b*)
-		basic_machine=we32k-att
-		;;
-	a29khif)
-		basic_machine=a29k-amd
-		os=-udi
-		;;
-    	abacus)
-		basic_machine=abacus-unknown
-		;;
-	adobe68k)
-		basic_machine=m68010-adobe
-		os=-scout
-		;;
-	alliant | fx80)
-		basic_machine=fx80-alliant
-		;;
-	altos | altos3068)
-		basic_machine=m68k-altos
-		;;
-	am29k)
-		basic_machine=a29k-none
-		os=-bsd
-		;;
-	amd64)
-		basic_machine=x86_64-pc
-		;;
-	amd64-*)
-		basic_machine=x86_64-`echo $basic_machine | sed 's/^[^-]*-//'`
-		;;
-	amdahl)
-		basic_machine=580-amdahl
-		os=-sysv
-		;;
-	amiga | amiga-*)
-		basic_machine=m68k-unknown
-		;;
-	amigaos | amigados)
-		basic_machine=m68k-unknown
-		os=-amigaos
-		;;
-	amigaunix | amix)
-		basic_machine=m68k-unknown
-		os=-sysv4
-		;;
-	apollo68)
-		basic_machine=m68k-apollo
-		os=-sysv
-		;;
-	apollo68bsd)
-		basic_machine=m68k-apollo
-		os=-bsd
-		;;
-	aux)
-		basic_machine=m68k-apple
-		os=-aux
-		;;
-	balance)
-		basic_machine=ns32k-sequent
-		os=-dynix
-		;;
-	c90)
-		basic_machine=c90-cray
-		os=-unicos
-		;;
-	convex-c1)
-		basic_machine=c1-convex
-		os=-bsd
-		;;
-	convex-c2)
-		basic_machine=c2-convex
-		os=-bsd
-		;;
-	convex-c32)
-		basic_machine=c32-convex
-		os=-bsd
-		;;
-	convex-c34)
-		basic_machine=c34-convex
-		os=-bsd
-		;;
-	convex-c38)
-		basic_machine=c38-convex
-		os=-bsd
-		;;
-	cray | j90)
-		basic_machine=j90-cray
-		os=-unicos
-		;;
-	craynv)
-		basic_machine=craynv-cray
-		os=-unicosmp
-		;;
-	cr16)
-		basic_machine=cr16-unknown
-		os=-elf
-		;;
-	crds | unos)
-		basic_machine=m68k-crds
-		;;
-	crisv32 | crisv32-* | etraxfs*)
-		basic_machine=crisv32-axis
-		;;
-	cris | cris-* | etrax*)
-		basic_machine=cris-axis
-		;;
-	crx)
-		basic_machine=crx-unknown
-		os=-elf
-		;;
-	da30 | da30-*)
-		basic_machine=m68k-da30
-		;;
-	decstation | decstation-3100 | pmax | pmax-* | pmin | dec3100 | decstatn)
-		basic_machine=mips-dec
-		;;
-	decsystem10* | dec10*)
-		basic_machine=pdp10-dec
-		os=-tops10
-		;;
-	decsystem20* | dec20*)
-		basic_machine=pdp10-dec
-		os=-tops20
-		;;
-	delta | 3300 | motorola-3300 | motorola-delta \
-	      | 3300-motorola | delta-motorola)
-		basic_machine=m68k-motorola
-		;;
-	delta88)
-		basic_machine=m88k-motorola
-		os=-sysv3
-		;;
-	djgpp)
-		basic_machine=i586-pc
-		os=-msdosdjgpp
-		;;
-	dpx20 | dpx20-*)
-		basic_machine=rs6000-bull
-		os=-bosx
-		;;
-	dpx2* | dpx2*-bull)
-		basic_machine=m68k-bull
-		os=-sysv3
-		;;
-	ebmon29k)
-		basic_machine=a29k-amd
-		os=-ebmon
-		;;
-	elxsi)
-		basic_machine=elxsi-elxsi
-		os=-bsd
-		;;
-	encore | umax | mmax)
-		basic_machine=ns32k-encore
-		;;
-	es1800 | OSE68k | ose68k | ose | OSE)
-		basic_machine=m68k-ericsson
-		os=-ose
-		;;
-	fx2800)
-		basic_machine=i860-alliant
-		;;
-	genix)
-		basic_machine=ns32k-ns
-		;;
-	gmicro)
-		basic_machine=tron-gmicro
-		os=-sysv
-		;;
-	go32)
-		basic_machine=i386-pc
-		os=-go32
-		;;
-	h3050r* | hiux*)
-		basic_machine=hppa1.1-hitachi
-		os=-hiuxwe2
-		;;
-	h8300hms)
-		basic_machine=h8300-hitachi
-		os=-hms
-		;;
-	h8300xray)
-		basic_machine=h8300-hitachi
-		os=-xray
-		;;
-	h8500hms)
-		basic_machine=h8500-hitachi
-		os=-hms
-		;;
-	harris)
-		basic_machine=m88k-harris
-		os=-sysv3
-		;;
-	hp300-*)
-		basic_machine=m68k-hp
-		;;
-	hp300bsd)
-		basic_machine=m68k-hp
-		os=-bsd
-		;;
-	hp300hpux)
-		basic_machine=m68k-hp
-		os=-hpux
-		;;
-	hp3k9[0-9][0-9] | hp9[0-9][0-9])
-		basic_machine=hppa1.0-hp
-		;;
-	hp9k2[0-9][0-9] | hp9k31[0-9])
-		basic_machine=m68000-hp
-		;;
-	hp9k3[2-9][0-9])
-		basic_machine=m68k-hp
-		;;
-	hp9k6[0-9][0-9] | hp6[0-9][0-9])
-		basic_machine=hppa1.0-hp
-		;;
-	hp9k7[0-79][0-9] | hp7[0-79][0-9])
-		basic_machine=hppa1.1-hp
-		;;
-	hp9k78[0-9] | hp78[0-9])
-		# FIXME: really hppa2.0-hp
-		basic_machine=hppa1.1-hp
-		;;
-	hp9k8[67]1 | hp8[67]1 | hp9k80[24] | hp80[24] | hp9k8[78]9 | hp8[78]9 | hp9k893 | hp893)
-		# FIXME: really hppa2.0-hp
-		basic_machine=hppa1.1-hp
-		;;
-	hp9k8[0-9][13679] | hp8[0-9][13679])
-		basic_machine=hppa1.1-hp
-		;;
-	hp9k8[0-9][0-9] | hp8[0-9][0-9])
-		basic_machine=hppa1.0-hp
-		;;
-	hppa-next)
-		os=-nextstep3
-		;;
-	hppaosf)
-		basic_machine=hppa1.1-hp
-		os=-osf
-		;;
-	hppro)
-		basic_machine=hppa1.1-hp
-		os=-proelf
-		;;
-	i370-ibm* | ibm*)
-		basic_machine=i370-ibm
-		;;
-# I'm not sure what "Sysv32" means.  Should this be sysv3.2?
-	i*86v32)
-		basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
-		os=-sysv32
-		;;
-	i*86v4*)
-		basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
-		os=-sysv4
-		;;
-	i*86v)
-		basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
-		os=-sysv
-		;;
-	i*86sol2)
-		basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
-		os=-solaris2
-		;;
-	i386mach)
-		basic_machine=i386-mach
-		os=-mach
-		;;
-	i386-vsta | vsta)
-		basic_machine=i386-unknown
-		os=-vsta
-		;;
-	iris | iris4d)
-		basic_machine=mips-sgi
-		case $os in
-		    -irix*)
-			;;
-		    *)
-			os=-irix4
-			;;
-		esac
-		;;
-	isi68 | isi)
-		basic_machine=m68k-isi
-		os=-sysv
-		;;
-	m88k-omron*)
-		basic_machine=m88k-omron
-		;;
-	magnum | m3230)
-		basic_machine=mips-mips
-		os=-sysv
-		;;
-	merlin)
-		basic_machine=ns32k-utek
-		os=-sysv
-		;;
-	mingw32)
-		basic_machine=i386-pc
-		os=-mingw32
-		;;
-	mingw32ce)
-		basic_machine=arm-unknown
-		os=-mingw32ce
-		;;
-	miniframe)
-		basic_machine=m68000-convergent
-		;;
-	*mint | -mint[0-9]* | *MiNT | *MiNT[0-9]*)
-		basic_machine=m68k-atari
-		os=-mint
-		;;
-	mips3*-*)
-		basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'`
-		;;
-	mips3*)
-		basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'`-unknown
-		;;
-	monitor)
-		basic_machine=m68k-rom68k
-		os=-coff
-		;;
-	morphos)
-		basic_machine=powerpc-unknown
-		os=-morphos
-		;;
-	msdos)
-		basic_machine=i386-pc
-		os=-msdos
-		;;
-	ms1-*)
-		basic_machine=`echo $basic_machine | sed -e 's/ms1-/mt-/'`
-		;;
-	mvs)
-		basic_machine=i370-ibm
-		os=-mvs
-		;;
-	ncr3000)
-		basic_machine=i486-ncr
-		os=-sysv4
-		;;
-	netbsd386)
-		basic_machine=i386-unknown
-		os=-netbsd
-		;;
-	netwinder)
-		basic_machine=armv4l-rebel
-		os=-linux
-		;;
-	news | news700 | news800 | news900)
-		basic_machine=m68k-sony
-		os=-newsos
-		;;
-	news1000)
-		basic_machine=m68030-sony
-		os=-newsos
-		;;
-	news-3600 | risc-news)
-		basic_machine=mips-sony
-		os=-newsos
-		;;
-	necv70)
-		basic_machine=v70-nec
-		os=-sysv
-		;;
-	next | m*-next )
-		basic_machine=m68k-next
-		case $os in
-		    -nextstep* )
-			;;
-		    -ns2*)
-		      os=-nextstep2
-			;;
-		    *)
-		      os=-nextstep3
-			;;
-		esac
-		;;
-	nh3000)
-		basic_machine=m68k-harris
-		os=-cxux
-		;;
-	nh[45]000)
-		basic_machine=m88k-harris
-		os=-cxux
-		;;
-	nindy960)
-		basic_machine=i960-intel
-		os=-nindy
-		;;
-	mon960)
-		basic_machine=i960-intel
-		os=-mon960
-		;;
-	nonstopux)
-		basic_machine=mips-compaq
-		os=-nonstopux
-		;;
-	np1)
-		basic_machine=np1-gould
-		;;
-	nsr-tandem)
-		basic_machine=nsr-tandem
-		;;
-	op50n-* | op60c-*)
-		basic_machine=hppa1.1-oki
-		os=-proelf
-		;;
-	openrisc | openrisc-*)
-		basic_machine=or32-unknown
-		;;
-	os400)
-		basic_machine=powerpc-ibm
-		os=-os400
-		;;
-	OSE68000 | ose68000)
-		basic_machine=m68000-ericsson
-		os=-ose
-		;;
-	os68k)
-		basic_machine=m68k-none
-		os=-os68k
-		;;
-	pa-hitachi)
-		basic_machine=hppa1.1-hitachi
-		os=-hiuxwe2
-		;;
-	paragon)
-		basic_machine=i860-intel
-		os=-osf
-		;;
-	pbd)
-		basic_machine=sparc-tti
-		;;
-	pbb)
-		basic_machine=m68k-tti
-		;;
-	pc532 | pc532-*)
-		basic_machine=ns32k-pc532
-		;;
-	pc98)
-		basic_machine=i386-pc
-		;;
-	pc98-*)
-		basic_machine=i386-`echo $basic_machine | sed 's/^[^-]*-//'`
-		;;
-	pentium | p5 | k5 | k6 | nexgen | viac3)
-		basic_machine=i586-pc
-		;;
-	pentiumpro | p6 | 6x86 | athlon | athlon_*)
-		basic_machine=i686-pc
-		;;
-	pentiumii | pentium2 | pentiumiii | pentium3)
-		basic_machine=i686-pc
-		;;
-	pentium4)
-		basic_machine=i786-pc
-		;;
-	pentium-* | p5-* | k5-* | k6-* | nexgen-* | viac3-*)
-		basic_machine=i586-`echo $basic_machine | sed 's/^[^-]*-//'`
-		;;
-	pentiumpro-* | p6-* | 6x86-* | athlon-*)
-		basic_machine=i686-`echo $basic_machine | sed 's/^[^-]*-//'`
-		;;
-	pentiumii-* | pentium2-* | pentiumiii-* | pentium3-*)
-		basic_machine=i686-`echo $basic_machine | sed 's/^[^-]*-//'`
-		;;
-	pentium4-*)
-		basic_machine=i786-`echo $basic_machine | sed 's/^[^-]*-//'`
-		;;
-	pn)
-		basic_machine=pn-gould
-		;;
-	power)	basic_machine=power-ibm
-		;;
-	ppc)	basic_machine=powerpc-unknown
-		;;
-	ppc-*)	basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'`
-		;;
-	ppcle | powerpclittle | ppc-le | powerpc-little)
-		basic_machine=powerpcle-unknown
-		;;
-	ppcle-* | powerpclittle-*)
-		basic_machine=powerpcle-`echo $basic_machine | sed 's/^[^-]*-//'`
-		;;
-	ppc64)	basic_machine=powerpc64-unknown
-		;;
-	ppc64-*) basic_machine=powerpc64-`echo $basic_machine | sed 's/^[^-]*-//'`
-		;;
-	ppc64le | powerpc64little | ppc64-le | powerpc64-little)
-		basic_machine=powerpc64le-unknown
-		;;
-	ppc64le-* | powerpc64little-*)
-		basic_machine=powerpc64le-`echo $basic_machine | sed 's/^[^-]*-//'`
-		;;
-	ps2)
-		basic_machine=i386-ibm
-		;;
-	pw32)
-		basic_machine=i586-unknown
-		os=-pw32
-		;;
-	rdos)
-		basic_machine=i386-pc
-		os=-rdos
-		;;
-	rom68k)
-		basic_machine=m68k-rom68k
-		os=-coff
-		;;
-	rm[46]00)
-		basic_machine=mips-siemens
-		;;
-	rtpc | rtpc-*)
-		basic_machine=romp-ibm
-		;;
-	s390 | s390-*)
-		basic_machine=s390-ibm
-		;;
-	s390x | s390x-*)
-		basic_machine=s390x-ibm
-		;;
-	sa29200)
-		basic_machine=a29k-amd
-		os=-udi
-		;;
-	sb1)
-		basic_machine=mipsisa64sb1-unknown
-		;;
-	sb1el)
-		basic_machine=mipsisa64sb1el-unknown
-		;;
-	sde)
-		basic_machine=mipsisa32-sde
-		os=-elf
-		;;
-	sei)
-		basic_machine=mips-sei
-		os=-seiux
-		;;
-	sequent)
-		basic_machine=i386-sequent
-		;;
-	sh)
-		basic_machine=sh-hitachi
-		os=-hms
-		;;
-	sh5el)
-		basic_machine=sh5le-unknown
-		;;
-	sh64)
-		basic_machine=sh64-unknown
-		;;
-	sparclite-wrs | simso-wrs)
-		basic_machine=sparclite-wrs
-		os=-vxworks
-		;;
-	sps7)
-		basic_machine=m68k-bull
-		os=-sysv2
-		;;
-	spur)
-		basic_machine=spur-unknown
-		;;
-	st2000)
-		basic_machine=m68k-tandem
-		;;
-	stratus)
-		basic_machine=i860-stratus
-		os=-sysv4
-		;;
-	sun2)
-		basic_machine=m68000-sun
-		;;
-	sun2os3)
-		basic_machine=m68000-sun
-		os=-sunos3
-		;;
-	sun2os4)
-		basic_machine=m68000-sun
-		os=-sunos4
-		;;
-	sun3os3)
-		basic_machine=m68k-sun
-		os=-sunos3
-		;;
-	sun3os4)
-		basic_machine=m68k-sun
-		os=-sunos4
-		;;
-	sun4os3)
-		basic_machine=sparc-sun
-		os=-sunos3
-		;;
-	sun4os4)
-		basic_machine=sparc-sun
-		os=-sunos4
-		;;
-	sun4sol2)
-		basic_machine=sparc-sun
-		os=-solaris2
-		;;
-	sun3 | sun3-*)
-		basic_machine=m68k-sun
-		;;
-	sun4)
-		basic_machine=sparc-sun
-		;;
-	sun386 | sun386i | roadrunner)
-		basic_machine=i386-sun
-		;;
-	sv1)
-		basic_machine=sv1-cray
-		os=-unicos
-		;;
-	symmetry)
-		basic_machine=i386-sequent
-		os=-dynix
-		;;
-	t3e)
-		basic_machine=alphaev5-cray
-		os=-unicos
-		;;
-	t90)
-		basic_machine=t90-cray
-		os=-unicos
-		;;
-	tic54x | c54x*)
-		basic_machine=tic54x-unknown
-		os=-coff
-		;;
-	tic55x | c55x*)
-		basic_machine=tic55x-unknown
-		os=-coff
-		;;
-	tic6x | c6x*)
-		basic_machine=tic6x-unknown
-		os=-coff
-		;;
-	tx39)
-		basic_machine=mipstx39-unknown
-		;;
-	tx39el)
-		basic_machine=mipstx39el-unknown
-		;;
-	toad1)
-		basic_machine=pdp10-xkl
-		os=-tops20
-		;;
-	tower | tower-32)
-		basic_machine=m68k-ncr
-		;;
-	tpf)
-		basic_machine=s390x-ibm
-		os=-tpf
-		;;
-	udi29k)
-		basic_machine=a29k-amd
-		os=-udi
-		;;
-	ultra3)
-		basic_machine=a29k-nyu
-		os=-sym1
-		;;
-	v810 | necv810)
-		basic_machine=v810-nec
-		os=-none
-		;;
-	vaxv)
-		basic_machine=vax-dec
-		os=-sysv
-		;;
-	vms)
-		basic_machine=vax-dec
-		os=-vms
-		;;
-	vpp*|vx|vx-*)
-		basic_machine=f301-fujitsu
-		;;
-	vxworks960)
-		basic_machine=i960-wrs
-		os=-vxworks
-		;;
-	vxworks68)
-		basic_machine=m68k-wrs
-		os=-vxworks
-		;;
-	vxworks29k)
-		basic_machine=a29k-wrs
-		os=-vxworks
-		;;
-	w65*)
-		basic_machine=w65-wdc
-		os=-none
-		;;
-	w89k-*)
-		basic_machine=hppa1.1-winbond
-		os=-proelf
-		;;
-	xbox)
-		basic_machine=i686-pc
-		os=-mingw32
-		;;
-	xps | xps100)
-		basic_machine=xps100-honeywell
-		;;
-	ymp)
-		basic_machine=ymp-cray
-		os=-unicos
-		;;
-	z8k-*-coff)
-		basic_machine=z8k-unknown
-		os=-sim
-		;;
-	none)
-		basic_machine=none-none
-		os=-none
-		;;
-
-# Here we handle the default manufacturer of certain CPU types.  It is in
-# some cases the only manufacturer, in others, it is the most popular.
-	w89k)
-		basic_machine=hppa1.1-winbond
-		;;
-	op50n)
-		basic_machine=hppa1.1-oki
-		;;
-	op60c)
-		basic_machine=hppa1.1-oki
-		;;
-	romp)
-		basic_machine=romp-ibm
-		;;
-	mmix)
-		basic_machine=mmix-knuth
-		;;
-	rs6000)
-		basic_machine=rs6000-ibm
-		;;
-	vax)
-		basic_machine=vax-dec
-		;;
-	pdp10)
-		# there are many clones, so DEC is not a safe bet
-		basic_machine=pdp10-unknown
-		;;
-	pdp11)
-		basic_machine=pdp11-dec
-		;;
-	we32k)
-		basic_machine=we32k-att
-		;;
-	sh[1234] | sh[24]a | sh[34]eb | sh[1234]le | sh[23]ele)
-		basic_machine=sh-unknown
-		;;
-	sparc | sparcv8 | sparcv9 | sparcv9b | sparcv9v)
-		basic_machine=sparc-sun
-		;;
-	cydra)
-		basic_machine=cydra-cydrome
-		;;
-	orion)
-		basic_machine=orion-highlevel
-		;;
-	orion105)
-		basic_machine=clipper-highlevel
-		;;
-	mac | mpw | mac-mpw)
-		basic_machine=m68k-apple
-		;;
-	pmac | pmac-mpw)
-		basic_machine=powerpc-apple
-		;;
-	*-unknown)
-		# Make sure to match an already-canonicalized machine name.
-		;;
-	*)
-		echo Invalid configuration \`$1\': machine \`$basic_machine\' not recognized 1>&2
-		exit 1
-		;;
-esac
-
-# Here we canonicalize certain aliases for manufacturers.
-case $basic_machine in
-	*-digital*)
-		basic_machine=`echo $basic_machine | sed 's/digital.*/dec/'`
-		;;
-	*-commodore*)
-		basic_machine=`echo $basic_machine | sed 's/commodore.*/cbm/'`
-		;;
-	*)
-		;;
-esac
-
-# Decode manufacturer-specific aliases for certain operating systems.
-
-if [ x"$os" != x"" ]
-then
-case $os in
-        # First match some system type aliases
-        # that might get confused with valid system types.
-	# -solaris* is a basic system type, with this one exception.
-	-solaris1 | -solaris1.*)
-		os=`echo $os | sed -e 's|solaris1|sunos4|'`
-		;;
-	-solaris)
-		os=-solaris2
-		;;
-	-svr4*)
-		os=-sysv4
-		;;
-	-unixware*)
-		os=-sysv4.2uw
-		;;
-	-gnu/linux*)
-		os=`echo $os | sed -e 's|gnu/linux|linux-gnu|'`
-		;;
-	# First accept the basic system types.
-	# The portable systems comes first.
-	# Each alternative MUST END IN A *, to match a version number.
-	# -sysv* is not here because it comes later, after sysvr4.
-	-gnu* | -bsd* | -mach* | -minix* | -genix* | -ultrix* | -irix* \
-	      | -*vms* | -sco* | -esix* | -isc* | -aix* | -sunos | -sunos[34]*\
-	      | -hpux* | -unos* | -osf* | -luna* | -dgux* | -solaris* | -sym* \
-	      | -amigaos* | -amigados* | -msdos* | -newsos* | -unicos* | -aof* \
-	      | -aos* \
-	      | -nindy* | -vxsim* | -vxworks* | -ebmon* | -hms* | -mvs* \
-	      | -clix* | -riscos* | -uniplus* | -iris* | -rtu* | -xenix* \
-	      | -hiux* | -386bsd* | -knetbsd* | -mirbsd* | -netbsd* \
-	      | -openbsd* | -solidbsd* \
-	      | -ekkobsd* | -kfreebsd* | -freebsd* | -riscix* | -lynxos* \
-	      | -bosx* | -nextstep* | -cxux* | -aout* | -elf* | -oabi* \
-	      | -ptx* | -coff* | -ecoff* | -winnt* | -domain* | -vsta* \
-	      | -udi* | -eabi* | -lites* | -ieee* | -go32* | -aux* \
-	      | -chorusos* | -chorusrdb* \
-	      | -cygwin* | -pe* | -psos* | -moss* | -proelf* | -rtems* \
-	      | -mingw32* | -linux-gnu* | -linux-newlib* | -linux-uclibc* \
-	      | -uxpv* | -beos* | -mpeix* | -udk* \
-	      | -interix* | -uwin* | -mks* | -rhapsody* | -darwin* | -opened* \
-	      | -openstep* | -oskit* | -conix* | -pw32* | -nonstopux* \
-	      | -storm-chaos* | -tops10* | -tenex* | -tops20* | -its* \
-	      | -os2* | -vos* | -palmos* | -uclinux* | -nucleus* \
-	      | -morphos* | -superux* | -rtmk* | -rtmk-nova* | -windiss* \
-	      | -powermax* | -dnix* | -nx6 | -nx7 | -sei* | -dragonfly* \
-	      | -skyos* | -haiku* | -rdos* | -toppers* | -drops*)
-	# Remember, each alternative MUST END IN *, to match a version number.
-		;;
-	-qnx*)
-		case $basic_machine in
-		    x86-* | i*86-*)
-			;;
-		    *)
-			os=-nto$os
-			;;
-		esac
-		;;
-	-nto-qnx*)
-		;;
-	-nto*)
-		os=`echo $os | sed -e 's|nto|nto-qnx|'`
-		;;
-	-sim | -es1800* | -hms* | -xray | -os68k* | -none* | -v88r* \
-	      | -windows* | -osx | -abug | -netware* | -os9* | -beos* | -haiku* \
-	      | -macos* | -mpw* | -magic* | -mmixware* | -mon960* | -lnews*)
-		;;
-	-mac*)
-		os=`echo $os | sed -e 's|mac|macos|'`
-		;;
-	-linux-dietlibc)
-		os=-linux-dietlibc
-		;;
-	-linux*)
-		os=`echo $os | sed -e 's|linux|linux-gnu|'`
-		;;
-	-sunos5*)
-		os=`echo $os | sed -e 's|sunos5|solaris2|'`
-		;;
-	-sunos6*)
-		os=`echo $os | sed -e 's|sunos6|solaris3|'`
-		;;
-	-opened*)
-		os=-openedition
-		;;
-        -os400*)
-		os=-os400
-		;;
-	-wince*)
-		os=-wince
-		;;
-	-osfrose*)
-		os=-osfrose
-		;;
-	-osf*)
-		os=-osf
-		;;
-	-utek*)
-		os=-bsd
-		;;
-	-dynix*)
-		os=-bsd
-		;;
-	-acis*)
-		os=-aos
-		;;
-	-atheos*)
-		os=-atheos
-		;;
-	-syllable*)
-		os=-syllable
-		;;
-	-386bsd)
-		os=-bsd
-		;;
-	-ctix* | -uts*)
-		os=-sysv
-		;;
-	-nova*)
-		os=-rtmk-nova
-		;;
-	-ns2 )
-		os=-nextstep2
-		;;
-	-nsk*)
-		os=-nsk
-		;;
-	# Preserve the version number of sinix5.
-	-sinix5.*)
-		os=`echo $os | sed -e 's|sinix|sysv|'`
-		;;
-	-sinix*)
-		os=-sysv4
-		;;
-        -tpf*)
-		os=-tpf
-		;;
-	-triton*)
-		os=-sysv3
-		;;
-	-oss*)
-		os=-sysv3
-		;;
-	-svr4)
-		os=-sysv4
-		;;
-	-svr3)
-		os=-sysv3
-		;;
-	-sysvr4)
-		os=-sysv4
-		;;
-	# This must come after -sysvr4.
-	-sysv*)
-		;;
-	-ose*)
-		os=-ose
-		;;
-	-es1800*)
-		os=-ose
-		;;
-	-xenix)
-		os=-xenix
-		;;
-	-*mint | -mint[0-9]* | -*MiNT | -MiNT[0-9]*)
-		os=-mint
-		;;
-	-aros*)
-		os=-aros
-		;;
-	-kaos*)
-		os=-kaos
-		;;
-	-zvmoe)
-		os=-zvmoe
-		;;
-	-none)
-		;;
-	*)
-		# Get rid of the `-' at the beginning of $os.
-		os=`echo $os | sed 's/[^-]*-//'`
-		echo Invalid configuration \`$1\': system \`$os\' not recognized 1>&2
-		exit 1
-		;;
-esac
-else
-
-# Here we handle the default operating systems that come with various machines.
-# The value should be what the vendor currently ships out the door with their
-# machine or put another way, the most popular os provided with the machine.
-
-# Note that if you're going to try to match "-MANUFACTURER" here (say,
-# "-sun"), then you have to tell the case statement up towards the top
-# that MANUFACTURER isn't an operating system.  Otherwise, code above
-# will signal an error saying that MANUFACTURER isn't an operating
-# system, and we'll never get to this point.
-
-case $basic_machine in
-        score-*)
-		os=-elf
-		;;
-        spu-*)
-		os=-elf
-		;;
-	*-acorn)
-		os=-riscix1.2
-		;;
-	arm*-rebel)
-		os=-linux
-		;;
-	arm*-semi)
-		os=-aout
-		;;
-        c4x-* | tic4x-*)
-        	os=-coff
-		;;
-	# This must come before the *-dec entry.
-	pdp10-*)
-		os=-tops20
-		;;
-	pdp11-*)
-		os=-none
-		;;
-	*-dec | vax-*)
-		os=-ultrix4.2
-		;;
-	m68*-apollo)
-		os=-domain
-		;;
-	i386-sun)
-		os=-sunos4.0.2
-		;;
-	m68000-sun)
-		os=-sunos3
-		# This also exists in the configure program, but was not the
-		# default.
-		# os=-sunos4
-		;;
-	m68*-cisco)
-		os=-aout
-		;;
-        mep-*)
-		os=-elf
-		;;
-	mips*-cisco)
-		os=-elf
-		;;
-	mips*-*)
-		os=-elf
-		;;
-	or32-*)
-		os=-coff
-		;;
-	*-tti)	# must be before sparc entry or we get the wrong os.
-		os=-sysv3
-		;;
-	sparc-* | *-sun)
-		os=-sunos4.1.1
-		;;
-	*-be)
-		os=-beos
-		;;
-	*-haiku)
-		os=-haiku
-		;;
-	*-ibm)
-		os=-aix
-		;;
-    	*-knuth)
-		os=-mmixware
-		;;
-	*-wec)
-		os=-proelf
-		;;
-	*-winbond)
-		os=-proelf
-		;;
-	*-oki)
-		os=-proelf
-		;;
-	*-hp)
-		os=-hpux
-		;;
-	*-hitachi)
-		os=-hiux
-		;;
-	i860-* | *-att | *-ncr | *-altos | *-motorola | *-convergent)
-		os=-sysv
-		;;
-	*-cbm)
-		os=-amigaos
-		;;
-	*-dg)
-		os=-dgux
-		;;
-	*-dolphin)
-		os=-sysv3
-		;;
-	m68k-ccur)
-		os=-rtu
-		;;
-	m88k-omron*)
-		os=-luna
-		;;
-	*-next )
-		os=-nextstep
-		;;
-	*-sequent)
-		os=-ptx
-		;;
-	*-crds)
-		os=-unos
-		;;
-	*-ns)
-		os=-genix
-		;;
-	i370-*)
-		os=-mvs
-		;;
-	*-next)
-		os=-nextstep3
-		;;
-	*-gould)
-		os=-sysv
-		;;
-	*-highlevel)
-		os=-bsd
-		;;
-	*-encore)
-		os=-bsd
-		;;
-	*-sgi)
-		os=-irix
-		;;
-	*-siemens)
-		os=-sysv4
-		;;
-	*-masscomp)
-		os=-rtu
-		;;
-	f30[01]-fujitsu | f700-fujitsu)
-		os=-uxpv
-		;;
-	*-rom68k)
-		os=-coff
-		;;
-	*-*bug)
-		os=-coff
-		;;
-	*-apple)
-		os=-macos
-		;;
-	*-atari*)
-		os=-mint
-		;;
-	*)
-		os=-none
-		;;
-esac
-fi
-
-# Here we handle the case where we know the os, and the CPU type, but not the
-# manufacturer.  We pick the logical manufacturer.
-vendor=unknown
-case $basic_machine in
-	*-unknown)
-		case $os in
-			-riscix*)
-				vendor=acorn
-				;;
-			-sunos*)
-				vendor=sun
-				;;
-			-aix*)
-				vendor=ibm
-				;;
-			-beos*)
-				vendor=be
-				;;
-			-hpux*)
-				vendor=hp
-				;;
-			-mpeix*)
-				vendor=hp
-				;;
-			-hiux*)
-				vendor=hitachi
-				;;
-			-unos*)
-				vendor=crds
-				;;
-			-dgux*)
-				vendor=dg
-				;;
-			-luna*)
-				vendor=omron
-				;;
-			-genix*)
-				vendor=ns
-				;;
-			-mvs* | -opened*)
-				vendor=ibm
-				;;
-			-os400*)
-				vendor=ibm
-				;;
-			-ptx*)
-				vendor=sequent
-				;;
-			-tpf*)
-				vendor=ibm
-				;;
-			-vxsim* | -vxworks* | -windiss*)
-				vendor=wrs
-				;;
-			-aux*)
-				vendor=apple
-				;;
-			-hms*)
-				vendor=hitachi
-				;;
-			-mpw* | -macos*)
-				vendor=apple
-				;;
-			-*mint | -mint[0-9]* | -*MiNT | -MiNT[0-9]*)
-				vendor=atari
-				;;
-			-vos*)
-				vendor=stratus
-				;;
-		esac
-		basic_machine=`echo $basic_machine | sed "s/unknown/$vendor/"`
-		;;
-esac
-
-echo $basic_machine$os
-exit
-
-# Local variables:
-# eval: (add-hook 'write-file-hooks 'time-stamp)
-# time-stamp-start: "timestamp='"
-# time-stamp-format: "%:y-%02m-%02d"
-# time-stamp-end: "'"
-# End:
diff --git a/src/charon/plugins/nm/gnome/configure b/src/charon/plugins/nm/gnome/configure
deleted file mode 100755
index 45ab8dec1..000000000
--- a/src/charon/plugins/nm/gnome/configure
+++ /dev/null
@@ -1,25583 +0,0 @@
-#! /bin/sh
-# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.61 for NetworkManager-strongswan 4.2.6.
-#
-# Report bugs to <martin@strongswan.org>.
-#
-# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
-# 2002, 2003, 2004, 2005, 2006 Free Software Foundation, Inc.
-# This configure script is free software; the Free Software Foundation
-# gives unlimited permission to copy, distribute and modify it.
-## --------------------- ##
-## M4sh Initialization.  ##
-## --------------------- ##
-
-# Be more Bourne compatible
-DUALCASE=1; export DUALCASE # for MKS sh
-if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
-  emulate sh
-  NULLCMD=:
-  # Zsh 3.x and 4.x performs word splitting on ${1+"$@"}, which
-  # is contrary to our usage.  Disable this feature.
-  alias -g '${1+"$@"}'='"$@"'
-  setopt NO_GLOB_SUBST
-else
-  case `(set -o) 2>/dev/null` in
-  *posix*) set -o posix ;;
-esac
-
-fi
-
-
-
-
-# PATH needs CR
-# Avoid depending upon Character Ranges.
-as_cr_letters='abcdefghijklmnopqrstuvwxyz'
-as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ'
-as_cr_Letters=$as_cr_letters$as_cr_LETTERS
-as_cr_digits='0123456789'
-as_cr_alnum=$as_cr_Letters$as_cr_digits
-
-# The user is always right.
-if test "${PATH_SEPARATOR+set}" != set; then
-  echo "#! /bin/sh" >conf$$.sh
-  echo  "exit 0"   >>conf$$.sh
-  chmod +x conf$$.sh
-  if (PATH="/nonexistent;."; conf$$.sh) >/dev/null 2>&1; then
-    PATH_SEPARATOR=';'
-  else
-    PATH_SEPARATOR=:
-  fi
-  rm -f conf$$.sh
-fi
-
-# Support unset when possible.
-if ( (MAIL=60; unset MAIL) || exit) >/dev/null 2>&1; then
-  as_unset=unset
-else
-  as_unset=false
-fi
-
-
-# IFS
-# We need space, tab and new line, in precisely that order.  Quoting is
-# there to prevent editors from complaining about space-tab.
-# (If _AS_PATH_WALK were called with IFS unset, it would disable word
-# splitting by setting IFS to empty value.)
-as_nl='
-'
-IFS=" ""	$as_nl"
-
-# Find who we are.  Look in the path if we contain no directory separator.
-case $0 in
-  *[\\/]* ) as_myself=$0 ;;
-  *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break
-done
-IFS=$as_save_IFS
-
-     ;;
-esac
-# We did not find ourselves, most probably we were run as `sh COMMAND'
-# in which case we are not to be found in the path.
-if test "x$as_myself" = x; then
-  as_myself=$0
-fi
-if test ! -f "$as_myself"; then
-  echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2
-  { (exit 1); exit 1; }
-fi
-
-# Work around bugs in pre-3.0 UWIN ksh.
-for as_var in ENV MAIL MAILPATH
-do ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var
-done
-PS1='$ '
-PS2='> '
-PS4='+ '
-
-# NLS nuisances.
-for as_var in \
-  LANG LANGUAGE LC_ADDRESS LC_ALL LC_COLLATE LC_CTYPE LC_IDENTIFICATION \
-  LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER \
-  LC_TELEPHONE LC_TIME
-do
-  if (set +x; test -z "`(eval $as_var=C; export $as_var) 2>&1`"); then
-    eval $as_var=C; export $as_var
-  else
-    ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var
-  fi
-done
-
-# Required to use basename.
-if expr a : '\(a\)' >/dev/null 2>&1 &&
-   test "X`expr 00001 : '.*\(...\)'`" = X001; then
-  as_expr=expr
-else
-  as_expr=false
-fi
-
-if (basename -- /) >/dev/null 2>&1 && test "X`basename -- / 2>&1`" = "X/"; then
-  as_basename=basename
-else
-  as_basename=false
-fi
-
-
-# Name of the executable.
-as_me=`$as_basename -- "$0" ||
-$as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \
-	 X"$0" : 'X\(//\)$' \| \
-	 X"$0" : 'X\(/\)' \| . 2>/dev/null ||
-echo X/"$0" |
-    sed '/^.*\/\([^/][^/]*\)\/*$/{
-	    s//\1/
-	    q
-	  }
-	  /^X\/\(\/\/\)$/{
-	    s//\1/
-	    q
-	  }
-	  /^X\/\(\/\).*/{
-	    s//\1/
-	    q
-	  }
-	  s/.*/./; q'`
-
-# CDPATH.
-$as_unset CDPATH
-
-
-if test "x$CONFIG_SHELL" = x; then
-  if (eval ":") 2>/dev/null; then
-  as_have_required=yes
-else
-  as_have_required=no
-fi
-
-  if test $as_have_required = yes && 	 (eval ":
-(as_func_return () {
-  (exit \$1)
-}
-as_func_success () {
-  as_func_return 0
-}
-as_func_failure () {
-  as_func_return 1
-}
-as_func_ret_success () {
-  return 0
-}
-as_func_ret_failure () {
-  return 1
-}
-
-exitcode=0
-if as_func_success; then
-  :
-else
-  exitcode=1
-  echo as_func_success failed.
-fi
-
-if as_func_failure; then
-  exitcode=1
-  echo as_func_failure succeeded.
-fi
-
-if as_func_ret_success; then
-  :
-else
-  exitcode=1
-  echo as_func_ret_success failed.
-fi
-
-if as_func_ret_failure; then
-  exitcode=1
-  echo as_func_ret_failure succeeded.
-fi
-
-if ( set x; as_func_ret_success y && test x = \"\$1\" ); then
-  :
-else
-  exitcode=1
-  echo positional parameters were not saved.
-fi
-
-test \$exitcode = 0) || { (exit 1); exit 1; }
-
-(
-  as_lineno_1=\$LINENO
-  as_lineno_2=\$LINENO
-  test \"x\$as_lineno_1\" != \"x\$as_lineno_2\" &&
-  test \"x\`expr \$as_lineno_1 + 1\`\" = \"x\$as_lineno_2\") || { (exit 1); exit 1; }
-") 2> /dev/null; then
-  :
-else
-  as_candidate_shells=
-    as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in /bin$PATH_SEPARATOR/usr/bin$PATH_SEPARATOR$PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  case $as_dir in
-	 /*)
-	   for as_base in sh bash ksh sh5; do
-	     as_candidate_shells="$as_candidate_shells $as_dir/$as_base"
-	   done;;
-       esac
-done
-IFS=$as_save_IFS
-
-
-      for as_shell in $as_candidate_shells $SHELL; do
-	 # Try only shells that exist, to save several forks.
-	 if { test -f "$as_shell" || test -f "$as_shell.exe"; } &&
-		{ ("$as_shell") 2> /dev/null <<\_ASEOF
-if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
-  emulate sh
-  NULLCMD=:
-  # Zsh 3.x and 4.x performs word splitting on ${1+"$@"}, which
-  # is contrary to our usage.  Disable this feature.
-  alias -g '${1+"$@"}'='"$@"'
-  setopt NO_GLOB_SUBST
-else
-  case `(set -o) 2>/dev/null` in
-  *posix*) set -o posix ;;
-esac
-
-fi
-
-
-:
-_ASEOF
-}; then
-  CONFIG_SHELL=$as_shell
-	       as_have_required=yes
-	       if { "$as_shell" 2> /dev/null <<\_ASEOF
-if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
-  emulate sh
-  NULLCMD=:
-  # Zsh 3.x and 4.x performs word splitting on ${1+"$@"}, which
-  # is contrary to our usage.  Disable this feature.
-  alias -g '${1+"$@"}'='"$@"'
-  setopt NO_GLOB_SUBST
-else
-  case `(set -o) 2>/dev/null` in
-  *posix*) set -o posix ;;
-esac
-
-fi
-
-
-:
-(as_func_return () {
-  (exit $1)
-}
-as_func_success () {
-  as_func_return 0
-}
-as_func_failure () {
-  as_func_return 1
-}
-as_func_ret_success () {
-  return 0
-}
-as_func_ret_failure () {
-  return 1
-}
-
-exitcode=0
-if as_func_success; then
-  :
-else
-  exitcode=1
-  echo as_func_success failed.
-fi
-
-if as_func_failure; then
-  exitcode=1
-  echo as_func_failure succeeded.
-fi
-
-if as_func_ret_success; then
-  :
-else
-  exitcode=1
-  echo as_func_ret_success failed.
-fi
-
-if as_func_ret_failure; then
-  exitcode=1
-  echo as_func_ret_failure succeeded.
-fi
-
-if ( set x; as_func_ret_success y && test x = "$1" ); then
-  :
-else
-  exitcode=1
-  echo positional parameters were not saved.
-fi
-
-test $exitcode = 0) || { (exit 1); exit 1; }
-
-(
-  as_lineno_1=$LINENO
-  as_lineno_2=$LINENO
-  test "x$as_lineno_1" != "x$as_lineno_2" &&
-  test "x`expr $as_lineno_1 + 1`" = "x$as_lineno_2") || { (exit 1); exit 1; }
-
-_ASEOF
-}; then
-  break
-fi
-
-fi
-
-      done
-
-      if test "x$CONFIG_SHELL" != x; then
-  for as_var in BASH_ENV ENV
-        do ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var
-        done
-        export CONFIG_SHELL
-        exec "$CONFIG_SHELL" "$as_myself" ${1+"$@"}
-fi
-
-
-    if test $as_have_required = no; then
-  echo This script requires a shell more modern than all the
-      echo shells that I found on your system.  Please install a
-      echo modern shell, or manually run the script under such a
-      echo shell if you do have one.
-      { (exit 1); exit 1; }
-fi
-
-
-fi
-
-fi
-
-
-
-(eval "as_func_return () {
-  (exit \$1)
-}
-as_func_success () {
-  as_func_return 0
-}
-as_func_failure () {
-  as_func_return 1
-}
-as_func_ret_success () {
-  return 0
-}
-as_func_ret_failure () {
-  return 1
-}
-
-exitcode=0
-if as_func_success; then
-  :
-else
-  exitcode=1
-  echo as_func_success failed.
-fi
-
-if as_func_failure; then
-  exitcode=1
-  echo as_func_failure succeeded.
-fi
-
-if as_func_ret_success; then
-  :
-else
-  exitcode=1
-  echo as_func_ret_success failed.
-fi
-
-if as_func_ret_failure; then
-  exitcode=1
-  echo as_func_ret_failure succeeded.
-fi
-
-if ( set x; as_func_ret_success y && test x = \"\$1\" ); then
-  :
-else
-  exitcode=1
-  echo positional parameters were not saved.
-fi
-
-test \$exitcode = 0") || {
-  echo No shell found that supports shell functions.
-  echo Please tell autoconf@gnu.org about your system,
-  echo including any error possibly output before this
-  echo message
-}
-
-
-
-  as_lineno_1=$LINENO
-  as_lineno_2=$LINENO
-  test "x$as_lineno_1" != "x$as_lineno_2" &&
-  test "x`expr $as_lineno_1 + 1`" = "x$as_lineno_2" || {
-
-  # Create $as_me.lineno as a copy of $as_myself, but with $LINENO
-  # uniformly replaced by the line number.  The first 'sed' inserts a
-  # line-number line after each line using $LINENO; the second 'sed'
-  # does the real work.  The second script uses 'N' to pair each
-  # line-number line with the line containing $LINENO, and appends
-  # trailing '-' during substitution so that $LINENO is not a special
-  # case at line end.
-  # (Raja R Harinath suggested sed '=', and Paul Eggert wrote the
-  # scripts with optimization help from Paolo Bonzini.  Blame Lee
-  # E. McMahon (1931-1989) for sed's syntax.  :-)
-  sed -n '
-    p
-    /[$]LINENO/=
-  ' <$as_myself |
-    sed '
-      s/[$]LINENO.*/&-/
-      t lineno
-      b
-      :lineno
-      N
-      :loop
-      s/[$]LINENO\([^'$as_cr_alnum'_].*\n\)\(.*\)/\2\1\2/
-      t loop
-      s/-\n.*//
-    ' >$as_me.lineno &&
-  chmod +x "$as_me.lineno" ||
-    { echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2
-   { (exit 1); exit 1; }; }
-
-  # Don't try to exec as it changes $[0], causing all sort of problems
-  # (the dirname of $[0] is not the place where we might find the
-  # original and so on.  Autoconf is especially sensitive to this).
-  . "./$as_me.lineno"
-  # Exit status is that of the last command.
-  exit
-}
-
-
-if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then
-  as_dirname=dirname
-else
-  as_dirname=false
-fi
-
-ECHO_C= ECHO_N= ECHO_T=
-case `echo -n x` in
--n*)
-  case `echo 'x\c'` in
-  *c*) ECHO_T='	';;	# ECHO_T is single tab character.
-  *)   ECHO_C='\c';;
-  esac;;
-*)
-  ECHO_N='-n';;
-esac
-
-if expr a : '\(a\)' >/dev/null 2>&1 &&
-   test "X`expr 00001 : '.*\(...\)'`" = X001; then
-  as_expr=expr
-else
-  as_expr=false
-fi
-
-rm -f conf$$ conf$$.exe conf$$.file
-if test -d conf$$.dir; then
-  rm -f conf$$.dir/conf$$.file
-else
-  rm -f conf$$.dir
-  mkdir conf$$.dir
-fi
-echo >conf$$.file
-if ln -s conf$$.file conf$$ 2>/dev/null; then
-  as_ln_s='ln -s'
-  # ... but there are two gotchas:
-  # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail.
-  # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable.
-  # In both cases, we have to default to `cp -p'.
-  ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe ||
-    as_ln_s='cp -p'
-elif ln conf$$.file conf$$ 2>/dev/null; then
-  as_ln_s=ln
-else
-  as_ln_s='cp -p'
-fi
-rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file
-rmdir conf$$.dir 2>/dev/null
-
-if mkdir -p . 2>/dev/null; then
-  as_mkdir_p=:
-else
-  test -d ./-p && rmdir ./-p
-  as_mkdir_p=false
-fi
-
-if test -x / >/dev/null 2>&1; then
-  as_test_x='test -x'
-else
-  if ls -dL / >/dev/null 2>&1; then
-    as_ls_L_option=L
-  else
-    as_ls_L_option=
-  fi
-  as_test_x='
-    eval sh -c '\''
-      if test -d "$1"; then
-        test -d "$1/.";
-      else
-	case $1 in
-        -*)set "./$1";;
-	esac;
-	case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in
-	???[sx]*):;;*)false;;esac;fi
-    '\'' sh
-  '
-fi
-as_executable_p=$as_test_x
-
-# Sed expression to map a string onto a valid CPP name.
-as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'"
-
-# Sed expression to map a string onto a valid variable name.
-as_tr_sh="eval sed 'y%*+%pp%;s%[^_$as_cr_alnum]%_%g'"
-
-
-
-
-# Check that we are running under the correct shell.
-SHELL=${CONFIG_SHELL-/bin/sh}
-
-case X$ECHO in
-X*--fallback-echo)
-  # Remove one level of quotation (which was required for Make).
-  ECHO=`echo "$ECHO" | sed 's,\\\\\$\\$0,'$0','`
-  ;;
-esac
-
-echo=${ECHO-echo}
-if test "X$1" = X--no-reexec; then
-  # Discard the --no-reexec flag, and continue.
-  shift
-elif test "X$1" = X--fallback-echo; then
-  # Avoid inline document here, it may be left over
-  :
-elif test "X`($echo '\t') 2>/dev/null`" = 'X\t' ; then
-  # Yippee, $echo works!
-  :
-else
-  # Restart under the correct shell.
-  exec $SHELL "$0" --no-reexec ${1+"$@"}
-fi
-
-if test "X$1" = X--fallback-echo; then
-  # used as fallback echo
-  shift
-  cat <<EOF
-$*
-EOF
-  exit 0
-fi
-
-# The HP-UX ksh and POSIX shell print the target directory to stdout
-# if CDPATH is set.
-(unset CDPATH) >/dev/null 2>&1 && unset CDPATH
-
-if test -z "$ECHO"; then
-if test "X${echo_test_string+set}" != Xset; then
-# find a string as large as possible, as long as the shell can cope with it
-  for cmd in 'sed 50q "$0"' 'sed 20q "$0"' 'sed 10q "$0"' 'sed 2q "$0"' 'echo test'; do
-    # expected sizes: less than 2Kb, 1Kb, 512 bytes, 16 bytes, ...
-    if (echo_test_string=`eval $cmd`) 2>/dev/null &&
-       echo_test_string=`eval $cmd` &&
-       (test "X$echo_test_string" = "X$echo_test_string") 2>/dev/null
-    then
-      break
-    fi
-  done
-fi
-
-if test "X`($echo '\t') 2>/dev/null`" = 'X\t' &&
-   echo_testing_string=`($echo "$echo_test_string") 2>/dev/null` &&
-   test "X$echo_testing_string" = "X$echo_test_string"; then
-  :
-else
-  # The Solaris, AIX, and Digital Unix default echo programs unquote
-  # backslashes.  This makes it impossible to quote backslashes using
-  #   echo "$something" | sed 's/\\/\\\\/g'
-  #
-  # So, first we look for a working echo in the user's PATH.
-
-  lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR
-  for dir in $PATH /usr/ucb; do
-    IFS="$lt_save_ifs"
-    if (test -f $dir/echo || test -f $dir/echo$ac_exeext) &&
-       test "X`($dir/echo '\t') 2>/dev/null`" = 'X\t' &&
-       echo_testing_string=`($dir/echo "$echo_test_string") 2>/dev/null` &&
-       test "X$echo_testing_string" = "X$echo_test_string"; then
-      echo="$dir/echo"
-      break
-    fi
-  done
-  IFS="$lt_save_ifs"
-
-  if test "X$echo" = Xecho; then
-    # We didn't find a better echo, so look for alternatives.
-    if test "X`(print -r '\t') 2>/dev/null`" = 'X\t' &&
-       echo_testing_string=`(print -r "$echo_test_string") 2>/dev/null` &&
-       test "X$echo_testing_string" = "X$echo_test_string"; then
-      # This shell has a builtin print -r that does the trick.
-      echo='print -r'
-    elif (test -f /bin/ksh || test -f /bin/ksh$ac_exeext) &&
-	 test "X$CONFIG_SHELL" != X/bin/ksh; then
-      # If we have ksh, try running configure again with it.
-      ORIGINAL_CONFIG_SHELL=${CONFIG_SHELL-/bin/sh}
-      export ORIGINAL_CONFIG_SHELL
-      CONFIG_SHELL=/bin/ksh
-      export CONFIG_SHELL
-      exec $CONFIG_SHELL "$0" --no-reexec ${1+"$@"}
-    else
-      # Try using printf.
-      echo='printf %s\n'
-      if test "X`($echo '\t') 2>/dev/null`" = 'X\t' &&
-	 echo_testing_string=`($echo "$echo_test_string") 2>/dev/null` &&
-	 test "X$echo_testing_string" = "X$echo_test_string"; then
-	# Cool, printf works
-	:
-      elif echo_testing_string=`($ORIGINAL_CONFIG_SHELL "$0" --fallback-echo '\t') 2>/dev/null` &&
-	   test "X$echo_testing_string" = 'X\t' &&
-	   echo_testing_string=`($ORIGINAL_CONFIG_SHELL "$0" --fallback-echo "$echo_test_string") 2>/dev/null` &&
-	   test "X$echo_testing_string" = "X$echo_test_string"; then
-	CONFIG_SHELL=$ORIGINAL_CONFIG_SHELL
-	export CONFIG_SHELL
-	SHELL="$CONFIG_SHELL"
-	export SHELL
-	echo="$CONFIG_SHELL $0 --fallback-echo"
-      elif echo_testing_string=`($CONFIG_SHELL "$0" --fallback-echo '\t') 2>/dev/null` &&
-	   test "X$echo_testing_string" = 'X\t' &&
-	   echo_testing_string=`($CONFIG_SHELL "$0" --fallback-echo "$echo_test_string") 2>/dev/null` &&
-	   test "X$echo_testing_string" = "X$echo_test_string"; then
-	echo="$CONFIG_SHELL $0 --fallback-echo"
-      else
-	# maybe with a smaller string...
-	prev=:
-
-	for cmd in 'echo test' 'sed 2q "$0"' 'sed 10q "$0"' 'sed 20q "$0"' 'sed 50q "$0"'; do
-	  if (test "X$echo_test_string" = "X`eval $cmd`") 2>/dev/null
-	  then
-	    break
-	  fi
-	  prev="$cmd"
-	done
-
-	if test "$prev" != 'sed 50q "$0"'; then
-	  echo_test_string=`eval $prev`
-	  export echo_test_string
-	  exec ${ORIGINAL_CONFIG_SHELL-${CONFIG_SHELL-/bin/sh}} "$0" ${1+"$@"}
-	else
-	  # Oops.  We lost completely, so just stick with echo.
-	  echo=echo
-	fi
-      fi
-    fi
-  fi
-fi
-fi
-
-# Copy echo and quote the copy suitably for passing to libtool from
-# the Makefile, instead of quoting the original, which is used later.
-ECHO=$echo
-if test "X$ECHO" = "X$CONFIG_SHELL $0 --fallback-echo"; then
-   ECHO="$CONFIG_SHELL \\\$\$0 --fallback-echo"
-fi
-
-
-
-
-tagnames=${tagnames+${tagnames},}CXX
-
-tagnames=${tagnames+${tagnames},}F77
-
-exec 7<&0 </dev/null 6>&1
-
-# Name of the host.
-# hostname on some systems (SVR3.2, Linux) returns a bogus exit status,
-# so uname gets run too.
-ac_hostname=`(hostname || uname -n) 2>/dev/null | sed 1q`
-
-#
-# Initializations.
-#
-ac_default_prefix=/usr/local
-ac_clean_files=
-ac_config_libobj_dir=.
-LIBOBJS=
-cross_compiling=no
-subdirs=
-MFLAGS=
-MAKEFLAGS=
-SHELL=${CONFIG_SHELL-/bin/sh}
-
-# Identity of this package.
-PACKAGE_NAME='NetworkManager-strongswan'
-PACKAGE_TARNAME='NetworkManager-strongswan'
-PACKAGE_VERSION='4.2.6'
-PACKAGE_STRING='NetworkManager-strongswan 4.2.6'
-PACKAGE_BUGREPORT='martin@strongswan.org'
-
-# Factoring default headers for most tests.
-ac_includes_default="\
-#include <stdio.h>
-#ifdef HAVE_SYS_TYPES_H
-# include <sys/types.h>
-#endif
-#ifdef HAVE_SYS_STAT_H
-# include <sys/stat.h>
-#endif
-#ifdef STDC_HEADERS
-# include <stdlib.h>
-# include <stddef.h>
-#else
-# ifdef HAVE_STDLIB_H
-#  include <stdlib.h>
-# endif
-#endif
-#ifdef HAVE_STRING_H
-# if !defined STDC_HEADERS && defined HAVE_MEMORY_H
-#  include <memory.h>
-# endif
-# include <string.h>
-#endif
-#ifdef HAVE_STRINGS_H
-# include <strings.h>
-#endif
-#ifdef HAVE_INTTYPES_H
-# include <inttypes.h>
-#endif
-#ifdef HAVE_STDINT_H
-# include <stdint.h>
-#endif
-#ifdef HAVE_UNISTD_H
-# include <unistd.h>
-#endif"
-
-ac_subst_vars='SHELL
-PATH_SEPARATOR
-PACKAGE_NAME
-PACKAGE_TARNAME
-PACKAGE_VERSION
-PACKAGE_STRING
-PACKAGE_BUGREPORT
-exec_prefix
-prefix
-program_transform_name
-bindir
-sbindir
-libexecdir
-datarootdir
-datadir
-sysconfdir
-sharedstatedir
-localstatedir
-includedir
-oldincludedir
-docdir
-infodir
-htmldir
-dvidir
-pdfdir
-psdir
-libdir
-localedir
-mandir
-DEFS
-ECHO_C
-ECHO_N
-ECHO_T
-LIBS
-build_alias
-host_alias
-target_alias
-INSTALL_PROGRAM
-INSTALL_SCRIPT
-INSTALL_DATA
-am__isrc
-CYGPATH_W
-PACKAGE
-VERSION
-ACLOCAL
-AUTOCONF
-AUTOMAKE
-AUTOHEADER
-MAKEINFO
-install_sh
-STRIP
-INSTALL_STRIP_PROGRAM
-mkdir_p
-AWK
-SET_MAKE
-am__leading_dot
-AMTAR
-am__tar
-am__untar
-MAINTAINER_MODE_TRUE
-MAINTAINER_MODE_FALSE
-MAINT
-CC
-CFLAGS
-LDFLAGS
-CPPFLAGS
-ac_ct_CC
-EXEEXT
-OBJEXT
-DEPDIR
-am__include
-am__quote
-AMDEP_TRUE
-AMDEP_FALSE
-AMDEPBACKSLASH
-CCDEPMODE
-am__fastdepCC_TRUE
-am__fastdepCC_FALSE
-build
-build_cpu
-build_vendor
-build_os
-host
-host_cpu
-host_vendor
-host_os
-SED
-GREP
-EGREP
-LN_S
-ECHO
-AR
-RANLIB
-DSYMUTIL
-NMEDIT
-CPP
-CXX
-CXXFLAGS
-ac_ct_CXX
-CXXDEPMODE
-am__fastdepCXX_TRUE
-am__fastdepCXX_FALSE
-CXXCPP
-F77
-FFLAGS
-ac_ct_F77
-LIBTOOL
-LIBOBJS
-GETTEXT_PACKAGE
-INTLTOOL_DESKTOP_RULE
-INTLTOOL_DIRECTORY_RULE
-INTLTOOL_KEYS_RULE
-INTLTOOL_PROP_RULE
-INTLTOOL_OAF_RULE
-INTLTOOL_PONG_RULE
-INTLTOOL_SERVER_RULE
-INTLTOOL_SHEET_RULE
-INTLTOOL_SOUNDLIST_RULE
-INTLTOOL_UI_RULE
-INTLTOOL_XAM_RULE
-INTLTOOL_KBD_RULE
-INTLTOOL_XML_RULE
-INTLTOOL_XML_NOMERGE_RULE
-INTLTOOL_CAVES_RULE
-INTLTOOL_SCHEMAS_RULE
-INTLTOOL_THEME_RULE
-INTLTOOL_SERVICE_RULE
-INTLTOOL_POLICY_RULE
-XGETTEXT
-MSGMERGE
-MSGFMT
-INTLTOOL_EXTRACT
-INTLTOOL_MERGE
-INTLTOOL_UPDATE
-INTLTOOL_PERL
-ALL_LINGUAS
-DATADIRNAME
-USE_NLS
-MSGFMT_OPTS
-GMSGFMT
-CATALOGS
-CATOBJEXT
-GMOFILES
-INSTOBJEXT
-INTLLIBS
-PO_IN_DATADIR_TRUE
-PO_IN_DATADIR_FALSE
-POFILES
-POSUB
-MKINSTALLDIRS
-PKG_CONFIG
-GTHREAD_CFLAGS
-GTHREAD_LIBS
-DBUS_CFLAGS
-DBUS_LIBS
-GTK_CFLAGS
-GTK_LIBS
-GDK_PIXBUF_CFLAGS
-GDK_PIXBUF_LIBS
-GLADE_CFLAGS
-GLADE_LIBS
-LIBGNOMEUI_CFLAGS
-LIBGNOMEUI_LIBS
-GCONF_CFLAGS
-GCONF_LIBS
-GNOMEKEYRING_CFLAGS
-GNOMEKEYRING_LIBS
-NM_UTILS_CFLAGS
-NM_UTILS_LIBS
-charon
-LTLIBOBJS'
-ac_subst_files=''
-      ac_precious_vars='build_alias
-host_alias
-target_alias
-CC
-CFLAGS
-LDFLAGS
-LIBS
-CPPFLAGS
-CPP
-CXX
-CXXFLAGS
-CCC
-CXXCPP
-F77
-FFLAGS
-PKG_CONFIG
-GTHREAD_CFLAGS
-GTHREAD_LIBS
-DBUS_CFLAGS
-DBUS_LIBS
-GTK_CFLAGS
-GTK_LIBS
-GDK_PIXBUF_CFLAGS
-GDK_PIXBUF_LIBS
-GLADE_CFLAGS
-GLADE_LIBS
-LIBGNOMEUI_CFLAGS
-LIBGNOMEUI_LIBS
-GCONF_CFLAGS
-GCONF_LIBS
-GNOMEKEYRING_CFLAGS
-GNOMEKEYRING_LIBS
-NM_UTILS_CFLAGS
-NM_UTILS_LIBS'
-
-
-# Initialize some variables set by options.
-ac_init_help=
-ac_init_version=false
-# The variables have the same names as the options, with
-# dashes changed to underlines.
-cache_file=/dev/null
-exec_prefix=NONE
-no_create=
-no_recursion=
-prefix=NONE
-program_prefix=NONE
-program_suffix=NONE
-program_transform_name=s,x,x,
-silent=
-site=
-srcdir=
-verbose=
-x_includes=NONE
-x_libraries=NONE
-
-# Installation directory options.
-# These are left unexpanded so users can "make install exec_prefix=/foo"
-# and all the variables that are supposed to be based on exec_prefix
-# by default will actually change.
-# Use braces instead of parens because sh, perl, etc. also accept them.
-# (The list follows the same order as the GNU Coding Standards.)
-bindir='${exec_prefix}/bin'
-sbindir='${exec_prefix}/sbin'
-libexecdir='${exec_prefix}/libexec'
-datarootdir='${prefix}/share'
-datadir='${datarootdir}'
-sysconfdir='${prefix}/etc'
-sharedstatedir='${prefix}/com'
-localstatedir='${prefix}/var'
-includedir='${prefix}/include'
-oldincludedir='/usr/include'
-docdir='${datarootdir}/doc/${PACKAGE_TARNAME}'
-infodir='${datarootdir}/info'
-htmldir='${docdir}'
-dvidir='${docdir}'
-pdfdir='${docdir}'
-psdir='${docdir}'
-libdir='${exec_prefix}/lib'
-localedir='${datarootdir}/locale'
-mandir='${datarootdir}/man'
-
-ac_prev=
-ac_dashdash=
-for ac_option
-do
-  # If the previous option needs an argument, assign it.
-  if test -n "$ac_prev"; then
-    eval $ac_prev=\$ac_option
-    ac_prev=
-    continue
-  fi
-
-  case $ac_option in
-  *=*)	ac_optarg=`expr "X$ac_option" : '[^=]*=\(.*\)'` ;;
-  *)	ac_optarg=yes ;;
-  esac
-
-  # Accept the important Cygnus configure options, so we can diagnose typos.
-
-  case $ac_dashdash$ac_option in
-  --)
-    ac_dashdash=yes ;;
-
-  -bindir | --bindir | --bindi | --bind | --bin | --bi)
-    ac_prev=bindir ;;
-  -bindir=* | --bindir=* | --bindi=* | --bind=* | --bin=* | --bi=*)
-    bindir=$ac_optarg ;;
-
-  -build | --build | --buil | --bui | --bu)
-    ac_prev=build_alias ;;
-  -build=* | --build=* | --buil=* | --bui=* | --bu=*)
-    build_alias=$ac_optarg ;;
-
-  -cache-file | --cache-file | --cache-fil | --cache-fi \
-  | --cache-f | --cache- | --cache | --cach | --cac | --ca | --c)
-    ac_prev=cache_file ;;
-  -cache-file=* | --cache-file=* | --cache-fil=* | --cache-fi=* \
-  | --cache-f=* | --cache-=* | --cache=* | --cach=* | --cac=* | --ca=* | --c=*)
-    cache_file=$ac_optarg ;;
-
-  --config-cache | -C)
-    cache_file=config.cache ;;
-
-  -datadir | --datadir | --datadi | --datad)
-    ac_prev=datadir ;;
-  -datadir=* | --datadir=* | --datadi=* | --datad=*)
-    datadir=$ac_optarg ;;
-
-  -datarootdir | --datarootdir | --datarootdi | --datarootd | --dataroot \
-  | --dataroo | --dataro | --datar)
-    ac_prev=datarootdir ;;
-  -datarootdir=* | --datarootdir=* | --datarootdi=* | --datarootd=* \
-  | --dataroot=* | --dataroo=* | --dataro=* | --datar=*)
-    datarootdir=$ac_optarg ;;
-
-  -disable-* | --disable-*)
-    ac_feature=`expr "x$ac_option" : 'x-*disable-\(.*\)'`
-    # Reject names that are not valid shell variable names.
-    expr "x$ac_feature" : ".*[^-._$as_cr_alnum]" >/dev/null &&
-      { echo "$as_me: error: invalid feature name: $ac_feature" >&2
-   { (exit 1); exit 1; }; }
-    ac_feature=`echo $ac_feature | sed 's/[-.]/_/g'`
-    eval enable_$ac_feature=no ;;
-
-  -docdir | --docdir | --docdi | --doc | --do)
-    ac_prev=docdir ;;
-  -docdir=* | --docdir=* | --docdi=* | --doc=* | --do=*)
-    docdir=$ac_optarg ;;
-
-  -dvidir | --dvidir | --dvidi | --dvid | --dvi | --dv)
-    ac_prev=dvidir ;;
-  -dvidir=* | --dvidir=* | --dvidi=* | --dvid=* | --dvi=* | --dv=*)
-    dvidir=$ac_optarg ;;
-
-  -enable-* | --enable-*)
-    ac_feature=`expr "x$ac_option" : 'x-*enable-\([^=]*\)'`
-    # Reject names that are not valid shell variable names.
-    expr "x$ac_feature" : ".*[^-._$as_cr_alnum]" >/dev/null &&
-      { echo "$as_me: error: invalid feature name: $ac_feature" >&2
-   { (exit 1); exit 1; }; }
-    ac_feature=`echo $ac_feature | sed 's/[-.]/_/g'`
-    eval enable_$ac_feature=\$ac_optarg ;;
-
-  -exec-prefix | --exec_prefix | --exec-prefix | --exec-prefi \
-  | --exec-pref | --exec-pre | --exec-pr | --exec-p | --exec- \
-  | --exec | --exe | --ex)
-    ac_prev=exec_prefix ;;
-  -exec-prefix=* | --exec_prefix=* | --exec-prefix=* | --exec-prefi=* \
-  | --exec-pref=* | --exec-pre=* | --exec-pr=* | --exec-p=* | --exec-=* \
-  | --exec=* | --exe=* | --ex=*)
-    exec_prefix=$ac_optarg ;;
-
-  -gas | --gas | --ga | --g)
-    # Obsolete; use --with-gas.
-    with_gas=yes ;;
-
-  -help | --help | --hel | --he | -h)
-    ac_init_help=long ;;
-  -help=r* | --help=r* | --hel=r* | --he=r* | -hr*)
-    ac_init_help=recursive ;;
-  -help=s* | --help=s* | --hel=s* | --he=s* | -hs*)
-    ac_init_help=short ;;
-
-  -host | --host | --hos | --ho)
-    ac_prev=host_alias ;;
-  -host=* | --host=* | --hos=* | --ho=*)
-    host_alias=$ac_optarg ;;
-
-  -htmldir | --htmldir | --htmldi | --htmld | --html | --htm | --ht)
-    ac_prev=htmldir ;;
-  -htmldir=* | --htmldir=* | --htmldi=* | --htmld=* | --html=* | --htm=* \
-  | --ht=*)
-    htmldir=$ac_optarg ;;
-
-  -includedir | --includedir | --includedi | --included | --include \
-  | --includ | --inclu | --incl | --inc)
-    ac_prev=includedir ;;
-  -includedir=* | --includedir=* | --includedi=* | --included=* | --include=* \
-  | --includ=* | --inclu=* | --incl=* | --inc=*)
-    includedir=$ac_optarg ;;
-
-  -infodir | --infodir | --infodi | --infod | --info | --inf)
-    ac_prev=infodir ;;
-  -infodir=* | --infodir=* | --infodi=* | --infod=* | --info=* | --inf=*)
-    infodir=$ac_optarg ;;
-
-  -libdir | --libdir | --libdi | --libd)
-    ac_prev=libdir ;;
-  -libdir=* | --libdir=* | --libdi=* | --libd=*)
-    libdir=$ac_optarg ;;
-
-  -libexecdir | --libexecdir | --libexecdi | --libexecd | --libexec \
-  | --libexe | --libex | --libe)
-    ac_prev=libexecdir ;;
-  -libexecdir=* | --libexecdir=* | --libexecdi=* | --libexecd=* | --libexec=* \
-  | --libexe=* | --libex=* | --libe=*)
-    libexecdir=$ac_optarg ;;
-
-  -localedir | --localedir | --localedi | --localed | --locale)
-    ac_prev=localedir ;;
-  -localedir=* | --localedir=* | --localedi=* | --localed=* | --locale=*)
-    localedir=$ac_optarg ;;
-
-  -localstatedir | --localstatedir | --localstatedi | --localstated \
-  | --localstate | --localstat | --localsta | --localst | --locals)
-    ac_prev=localstatedir ;;
-  -localstatedir=* | --localstatedir=* | --localstatedi=* | --localstated=* \
-  | --localstate=* | --localstat=* | --localsta=* | --localst=* | --locals=*)
-    localstatedir=$ac_optarg ;;
-
-  -mandir | --mandir | --mandi | --mand | --man | --ma | --m)
-    ac_prev=mandir ;;
-  -mandir=* | --mandir=* | --mandi=* | --mand=* | --man=* | --ma=* | --m=*)
-    mandir=$ac_optarg ;;
-
-  -nfp | --nfp | --nf)
-    # Obsolete; use --without-fp.
-    with_fp=no ;;
-
-  -no-create | --no-create | --no-creat | --no-crea | --no-cre \
-  | --no-cr | --no-c | -n)
-    no_create=yes ;;
-
-  -no-recursion | --no-recursion | --no-recursio | --no-recursi \
-  | --no-recurs | --no-recur | --no-recu | --no-rec | --no-re | --no-r)
-    no_recursion=yes ;;
-
-  -oldincludedir | --oldincludedir | --oldincludedi | --oldincluded \
-  | --oldinclude | --oldinclud | --oldinclu | --oldincl | --oldinc \
-  | --oldin | --oldi | --old | --ol | --o)
-    ac_prev=oldincludedir ;;
-  -oldincludedir=* | --oldincludedir=* | --oldincludedi=* | --oldincluded=* \
-  | --oldinclude=* | --oldinclud=* | --oldinclu=* | --oldincl=* | --oldinc=* \
-  | --oldin=* | --oldi=* | --old=* | --ol=* | --o=*)
-    oldincludedir=$ac_optarg ;;
-
-  -prefix | --prefix | --prefi | --pref | --pre | --pr | --p)
-    ac_prev=prefix ;;
-  -prefix=* | --prefix=* | --prefi=* | --pref=* | --pre=* | --pr=* | --p=*)
-    prefix=$ac_optarg ;;
-
-  -program-prefix | --program-prefix | --program-prefi | --program-pref \
-  | --program-pre | --program-pr | --program-p)
-    ac_prev=program_prefix ;;
-  -program-prefix=* | --program-prefix=* | --program-prefi=* \
-  | --program-pref=* | --program-pre=* | --program-pr=* | --program-p=*)
-    program_prefix=$ac_optarg ;;
-
-  -program-suffix | --program-suffix | --program-suffi | --program-suff \
-  | --program-suf | --program-su | --program-s)
-    ac_prev=program_suffix ;;
-  -program-suffix=* | --program-suffix=* | --program-suffi=* \
-  | --program-suff=* | --program-suf=* | --program-su=* | --program-s=*)
-    program_suffix=$ac_optarg ;;
-
-  -program-transform-name | --program-transform-name \
-  | --program-transform-nam | --program-transform-na \
-  | --program-transform-n | --program-transform- \
-  | --program-transform | --program-transfor \
-  | --program-transfo | --program-transf \
-  | --program-trans | --program-tran \
-  | --progr-tra | --program-tr | --program-t)
-    ac_prev=program_transform_name ;;
-  -program-transform-name=* | --program-transform-name=* \
-  | --program-transform-nam=* | --program-transform-na=* \
-  | --program-transform-n=* | --program-transform-=* \
-  | --program-transform=* | --program-transfor=* \
-  | --program-transfo=* | --program-transf=* \
-  | --program-trans=* | --program-tran=* \
-  | --progr-tra=* | --program-tr=* | --program-t=*)
-    program_transform_name=$ac_optarg ;;
-
-  -pdfdir | --pdfdir | --pdfdi | --pdfd | --pdf | --pd)
-    ac_prev=pdfdir ;;
-  -pdfdir=* | --pdfdir=* | --pdfdi=* | --pdfd=* | --pdf=* | --pd=*)
-    pdfdir=$ac_optarg ;;
-
-  -psdir | --psdir | --psdi | --psd | --ps)
-    ac_prev=psdir ;;
-  -psdir=* | --psdir=* | --psdi=* | --psd=* | --ps=*)
-    psdir=$ac_optarg ;;
-
-  -q | -quiet | --quiet | --quie | --qui | --qu | --q \
-  | -silent | --silent | --silen | --sile | --sil)
-    silent=yes ;;
-
-  -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb)
-    ac_prev=sbindir ;;
-  -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \
-  | --sbi=* | --sb=*)
-    sbindir=$ac_optarg ;;
-
-  -sharedstatedir | --sharedstatedir | --sharedstatedi \
-  | --sharedstated | --sharedstate | --sharedstat | --sharedsta \
-  | --sharedst | --shareds | --shared | --share | --shar \
-  | --sha | --sh)
-    ac_prev=sharedstatedir ;;
-  -sharedstatedir=* | --sharedstatedir=* | --sharedstatedi=* \
-  | --sharedstated=* | --sharedstate=* | --sharedstat=* | --sharedsta=* \
-  | --sharedst=* | --shareds=* | --shared=* | --share=* | --shar=* \
-  | --sha=* | --sh=*)
-    sharedstatedir=$ac_optarg ;;
-
-  -site | --site | --sit)
-    ac_prev=site ;;
-  -site=* | --site=* | --sit=*)
-    site=$ac_optarg ;;
-
-  -srcdir | --srcdir | --srcdi | --srcd | --src | --sr)
-    ac_prev=srcdir ;;
-  -srcdir=* | --srcdir=* | --srcdi=* | --srcd=* | --src=* | --sr=*)
-    srcdir=$ac_optarg ;;
-
-  -sysconfdir | --sysconfdir | --sysconfdi | --sysconfd | --sysconf \
-  | --syscon | --sysco | --sysc | --sys | --sy)
-    ac_prev=sysconfdir ;;
-  -sysconfdir=* | --sysconfdir=* | --sysconfdi=* | --sysconfd=* | --sysconf=* \
-  | --syscon=* | --sysco=* | --sysc=* | --sys=* | --sy=*)
-    sysconfdir=$ac_optarg ;;
-
-  -target | --target | --targe | --targ | --tar | --ta | --t)
-    ac_prev=target_alias ;;
-  -target=* | --target=* | --targe=* | --targ=* | --tar=* | --ta=* | --t=*)
-    target_alias=$ac_optarg ;;
-
-  -v | -verbose | --verbose | --verbos | --verbo | --verb)
-    verbose=yes ;;
-
-  -version | --version | --versio | --versi | --vers | -V)
-    ac_init_version=: ;;
-
-  -with-* | --with-*)
-    ac_package=`expr "x$ac_option" : 'x-*with-\([^=]*\)'`
-    # Reject names that are not valid shell variable names.
-    expr "x$ac_package" : ".*[^-._$as_cr_alnum]" >/dev/null &&
-      { echo "$as_me: error: invalid package name: $ac_package" >&2
-   { (exit 1); exit 1; }; }
-    ac_package=`echo $ac_package | sed 's/[-.]/_/g'`
-    eval with_$ac_package=\$ac_optarg ;;
-
-  -without-* | --without-*)
-    ac_package=`expr "x$ac_option" : 'x-*without-\(.*\)'`
-    # Reject names that are not valid shell variable names.
-    expr "x$ac_package" : ".*[^-._$as_cr_alnum]" >/dev/null &&
-      { echo "$as_me: error: invalid package name: $ac_package" >&2
-   { (exit 1); exit 1; }; }
-    ac_package=`echo $ac_package | sed 's/[-.]/_/g'`
-    eval with_$ac_package=no ;;
-
-  --x)
-    # Obsolete; use --with-x.
-    with_x=yes ;;
-
-  -x-includes | --x-includes | --x-include | --x-includ | --x-inclu \
-  | --x-incl | --x-inc | --x-in | --x-i)
-    ac_prev=x_includes ;;
-  -x-includes=* | --x-includes=* | --x-include=* | --x-includ=* | --x-inclu=* \
-  | --x-incl=* | --x-inc=* | --x-in=* | --x-i=*)
-    x_includes=$ac_optarg ;;
-
-  -x-libraries | --x-libraries | --x-librarie | --x-librari \
-  | --x-librar | --x-libra | --x-libr | --x-lib | --x-li | --x-l)
-    ac_prev=x_libraries ;;
-  -x-libraries=* | --x-libraries=* | --x-librarie=* | --x-librari=* \
-  | --x-librar=* | --x-libra=* | --x-libr=* | --x-lib=* | --x-li=* | --x-l=*)
-    x_libraries=$ac_optarg ;;
-
-  -*) { echo "$as_me: error: unrecognized option: $ac_option
-Try \`$0 --help' for more information." >&2
-   { (exit 1); exit 1; }; }
-    ;;
-
-  *=*)
-    ac_envvar=`expr "x$ac_option" : 'x\([^=]*\)='`
-    # Reject names that are not valid shell variable names.
-    expr "x$ac_envvar" : ".*[^_$as_cr_alnum]" >/dev/null &&
-      { echo "$as_me: error: invalid variable name: $ac_envvar" >&2
-   { (exit 1); exit 1; }; }
-    eval $ac_envvar=\$ac_optarg
-    export $ac_envvar ;;
-
-  *)
-    # FIXME: should be removed in autoconf 3.0.
-    echo "$as_me: WARNING: you should use --build, --host, --target" >&2
-    expr "x$ac_option" : ".*[^-._$as_cr_alnum]" >/dev/null &&
-      echo "$as_me: WARNING: invalid host type: $ac_option" >&2
-    : ${build_alias=$ac_option} ${host_alias=$ac_option} ${target_alias=$ac_option}
-    ;;
-
-  esac
-done
-
-if test -n "$ac_prev"; then
-  ac_option=--`echo $ac_prev | sed 's/_/-/g'`
-  { echo "$as_me: error: missing argument to $ac_option" >&2
-   { (exit 1); exit 1; }; }
-fi
-
-# Be sure to have absolute directory names.
-for ac_var in	exec_prefix prefix bindir sbindir libexecdir datarootdir \
-		datadir sysconfdir sharedstatedir localstatedir includedir \
-		oldincludedir docdir infodir htmldir dvidir pdfdir psdir \
-		libdir localedir mandir
-do
-  eval ac_val=\$$ac_var
-  case $ac_val in
-    [\\/$]* | ?:[\\/]* )  continue;;
-    NONE | '' ) case $ac_var in *prefix ) continue;; esac;;
-  esac
-  { echo "$as_me: error: expected an absolute directory name for --$ac_var: $ac_val" >&2
-   { (exit 1); exit 1; }; }
-done
-
-# There might be people who depend on the old broken behavior: `$host'
-# used to hold the argument of --host etc.
-# FIXME: To remove some day.
-build=$build_alias
-host=$host_alias
-target=$target_alias
-
-# FIXME: To remove some day.
-if test "x$host_alias" != x; then
-  if test "x$build_alias" = x; then
-    cross_compiling=maybe
-    echo "$as_me: WARNING: If you wanted to set the --build type, don't use --host.
-    If a cross compiler is detected then cross compile mode will be used." >&2
-  elif test "x$build_alias" != "x$host_alias"; then
-    cross_compiling=yes
-  fi
-fi
-
-ac_tool_prefix=
-test -n "$host_alias" && ac_tool_prefix=$host_alias-
-
-test "$silent" = yes && exec 6>/dev/null
-
-
-ac_pwd=`pwd` && test -n "$ac_pwd" &&
-ac_ls_di=`ls -di .` &&
-ac_pwd_ls_di=`cd "$ac_pwd" && ls -di .` ||
-  { echo "$as_me: error: Working directory cannot be determined" >&2
-   { (exit 1); exit 1; }; }
-test "X$ac_ls_di" = "X$ac_pwd_ls_di" ||
-  { echo "$as_me: error: pwd does not report name of working directory" >&2
-   { (exit 1); exit 1; }; }
-
-
-# Find the source files, if location was not specified.
-if test -z "$srcdir"; then
-  ac_srcdir_defaulted=yes
-  # Try the directory containing this script, then the parent directory.
-  ac_confdir=`$as_dirname -- "$0" ||
-$as_expr X"$0" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
-	 X"$0" : 'X\(//\)[^/]' \| \
-	 X"$0" : 'X\(//\)$' \| \
-	 X"$0" : 'X\(/\)' \| . 2>/dev/null ||
-echo X"$0" |
-    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
-	    s//\1/
-	    q
-	  }
-	  /^X\(\/\/\)[^/].*/{
-	    s//\1/
-	    q
-	  }
-	  /^X\(\/\/\)$/{
-	    s//\1/
-	    q
-	  }
-	  /^X\(\/\).*/{
-	    s//\1/
-	    q
-	  }
-	  s/.*/./; q'`
-  srcdir=$ac_confdir
-  if test ! -r "$srcdir/$ac_unique_file"; then
-    srcdir=..
-  fi
-else
-  ac_srcdir_defaulted=no
-fi
-if test ! -r "$srcdir/$ac_unique_file"; then
-  test "$ac_srcdir_defaulted" = yes && srcdir="$ac_confdir or .."
-  { echo "$as_me: error: cannot find sources ($ac_unique_file) in $srcdir" >&2
-   { (exit 1); exit 1; }; }
-fi
-ac_msg="sources are in $srcdir, but \`cd $srcdir' does not work"
-ac_abs_confdir=`(
-	cd "$srcdir" && test -r "./$ac_unique_file" || { echo "$as_me: error: $ac_msg" >&2
-   { (exit 1); exit 1; }; }
-	pwd)`
-# When building in place, set srcdir=.
-if test "$ac_abs_confdir" = "$ac_pwd"; then
-  srcdir=.
-fi
-# Remove unnecessary trailing slashes from srcdir.
-# Double slashes in file names in object file debugging info
-# mess up M-x gdb in Emacs.
-case $srcdir in
-*/) srcdir=`expr "X$srcdir" : 'X\(.*[^/]\)' \| "X$srcdir" : 'X\(.*\)'`;;
-esac
-for ac_var in $ac_precious_vars; do
-  eval ac_env_${ac_var}_set=\${${ac_var}+set}
-  eval ac_env_${ac_var}_value=\$${ac_var}
-  eval ac_cv_env_${ac_var}_set=\${${ac_var}+set}
-  eval ac_cv_env_${ac_var}_value=\$${ac_var}
-done
-
-#
-# Report the --help message.
-#
-if test "$ac_init_help" = "long"; then
-  # Omit some internal or obsolete options to make the list less imposing.
-  # This message is too long to be a string in the A/UX 3.1 sh.
-  cat <<_ACEOF
-\`configure' configures NetworkManager-strongswan 4.2.6 to adapt to many kinds of systems.
-
-Usage: $0 [OPTION]... [VAR=VALUE]...
-
-To assign environment variables (e.g., CC, CFLAGS...), specify them as
-VAR=VALUE.  See below for descriptions of some of the useful variables.
-
-Defaults for the options are specified in brackets.
-
-Configuration:
-  -h, --help              display this help and exit
-      --help=short        display options specific to this package
-      --help=recursive    display the short help of all the included packages
-  -V, --version           display version information and exit
-  -q, --quiet, --silent   do not print \`checking...' messages
-      --cache-file=FILE   cache test results in FILE [disabled]
-  -C, --config-cache      alias for \`--cache-file=config.cache'
-  -n, --no-create         do not create output files
-      --srcdir=DIR        find the sources in DIR [configure dir or \`..']
-
-Installation directories:
-  --prefix=PREFIX         install architecture-independent files in PREFIX
-			  [$ac_default_prefix]
-  --exec-prefix=EPREFIX   install architecture-dependent files in EPREFIX
-			  [PREFIX]
-
-By default, \`make install' will install all the files in
-\`$ac_default_prefix/bin', \`$ac_default_prefix/lib' etc.  You can specify
-an installation prefix other than \`$ac_default_prefix' using \`--prefix',
-for instance \`--prefix=\$HOME'.
-
-For better control, use the options below.
-
-Fine tuning of the installation directories:
-  --bindir=DIR           user executables [EPREFIX/bin]
-  --sbindir=DIR          system admin executables [EPREFIX/sbin]
-  --libexecdir=DIR       program executables [EPREFIX/libexec]
-  --sysconfdir=DIR       read-only single-machine data [PREFIX/etc]
-  --sharedstatedir=DIR   modifiable architecture-independent data [PREFIX/com]
-  --localstatedir=DIR    modifiable single-machine data [PREFIX/var]
-  --libdir=DIR           object code libraries [EPREFIX/lib]
-  --includedir=DIR       C header files [PREFIX/include]
-  --oldincludedir=DIR    C header files for non-gcc [/usr/include]
-  --datarootdir=DIR      read-only arch.-independent data root [PREFIX/share]
-  --datadir=DIR          read-only architecture-independent data [DATAROOTDIR]
-  --infodir=DIR          info documentation [DATAROOTDIR/info]
-  --localedir=DIR        locale-dependent data [DATAROOTDIR/locale]
-  --mandir=DIR           man documentation [DATAROOTDIR/man]
-  --docdir=DIR           documentation root [DATAROOTDIR/doc/NetworkManager-strongswan]
-  --htmldir=DIR          html documentation [DOCDIR]
-  --dvidir=DIR           dvi documentation [DOCDIR]
-  --pdfdir=DIR           pdf documentation [DOCDIR]
-  --psdir=DIR            ps documentation [DOCDIR]
-_ACEOF
-
-  cat <<\_ACEOF
-
-Program names:
-  --program-prefix=PREFIX            prepend PREFIX to installed program names
-  --program-suffix=SUFFIX            append SUFFIX to installed program names
-  --program-transform-name=PROGRAM   run sed PROGRAM on installed program names
-
-System types:
-  --build=BUILD     configure for building on BUILD [guessed]
-  --host=HOST       cross-compile to build programs to run on HOST [BUILD]
-_ACEOF
-fi
-
-if test -n "$ac_init_help"; then
-  case $ac_init_help in
-     short | recursive ) echo "Configuration of NetworkManager-strongswan 4.2.6:";;
-   esac
-  cat <<\_ACEOF
-
-Optional Features:
-  --disable-FEATURE       do not include FEATURE (same as --enable-FEATURE=no)
-  --enable-FEATURE[=ARG]  include FEATURE [ARG=yes]
-  --enable-maintainer-mode  enable make rules and dependencies not useful
-			  (and sometimes confusing) to the casual installer
-  --disable-dependency-tracking  speeds up one-time build
-  --enable-dependency-tracking   do not reject slow dependency extractors
-  --enable-shared[=PKGS]  build shared libraries [default=yes]
-  --enable-static[=PKGS]  build static libraries [default=yes]
-  --enable-fast-install[=PKGS]
-                          optimize for fast installation [default=yes]
-  --disable-libtool-lock  avoid locking (might break parallel builds)
-  --enable-more-warnings  Maximum compiler warnings
-
-Optional Packages:
-  --with-PACKAGE[=ARG]    use PACKAGE [ARG=yes]
-  --without-PACKAGE       do not use PACKAGE (same as --with-PACKAGE=no)
-  --with-gnu-ld           assume the C compiler uses GNU ld [default=no]
-  --with-pic              try to use only PIC/non-PIC objects [default=use
-                          both]
-  --with-tags[=TAGS]      include additional configurations [automatic]
-  --with-charon=file      path to the strongSwan IKEv2 daemon charon"
-
-Some influential environment variables:
-  CC          C compiler command
-  CFLAGS      C compiler flags
-  LDFLAGS     linker flags, e.g. -L<lib dir> if you have libraries in a
-              nonstandard directory <lib dir>
-  LIBS        libraries to pass to the linker, e.g. -l<library>
-  CPPFLAGS    C/C++/Objective C preprocessor flags, e.g. -I<include dir> if
-              you have headers in a nonstandard directory <include dir>
-  CPP         C preprocessor
-  CXX         C++ compiler command
-  CXXFLAGS    C++ compiler flags
-  CXXCPP      C++ preprocessor
-  F77         Fortran 77 compiler command
-  FFLAGS      Fortran 77 compiler flags
-  PKG_CONFIG  path to pkg-config utility
-  GTHREAD_CFLAGS
-              C compiler flags for GTHREAD, overriding pkg-config
-  GTHREAD_LIBS
-              linker flags for GTHREAD, overriding pkg-config
-  DBUS_CFLAGS C compiler flags for DBUS, overriding pkg-config
-  DBUS_LIBS   linker flags for DBUS, overriding pkg-config
-  GTK_CFLAGS  C compiler flags for GTK, overriding pkg-config
-  GTK_LIBS    linker flags for GTK, overriding pkg-config
-  GDK_PIXBUF_CFLAGS
-              C compiler flags for GDK_PIXBUF, overriding pkg-config
-  GDK_PIXBUF_LIBS
-              linker flags for GDK_PIXBUF, overriding pkg-config
-  GLADE_CFLAGS
-              C compiler flags for GLADE, overriding pkg-config
-  GLADE_LIBS  linker flags for GLADE, overriding pkg-config
-  LIBGNOMEUI_CFLAGS
-              C compiler flags for LIBGNOMEUI, overriding pkg-config
-  LIBGNOMEUI_LIBS
-              linker flags for LIBGNOMEUI, overriding pkg-config
-  GCONF_CFLAGS
-              C compiler flags for GCONF, overriding pkg-config
-  GCONF_LIBS  linker flags for GCONF, overriding pkg-config
-  GNOMEKEYRING_CFLAGS
-              C compiler flags for GNOMEKEYRING, overriding pkg-config
-  GNOMEKEYRING_LIBS
-              linker flags for GNOMEKEYRING, overriding pkg-config
-  NM_UTILS_CFLAGS
-              C compiler flags for NM_UTILS, overriding pkg-config
-  NM_UTILS_LIBS
-              linker flags for NM_UTILS, overriding pkg-config
-
-Use these variables to override the choices made by `configure' or to help
-it to find libraries and programs with nonstandard names/locations.
-
-Report bugs to <martin@strongswan.org>.
-_ACEOF
-ac_status=$?
-fi
-
-if test "$ac_init_help" = "recursive"; then
-  # If there are subdirs, report their specific --help.
-  for ac_dir in : $ac_subdirs_all; do test "x$ac_dir" = x: && continue
-    test -d "$ac_dir" || continue
-    ac_builddir=.
-
-case "$ac_dir" in
-.) ac_dir_suffix= ac_top_builddir_sub=. ac_top_build_prefix= ;;
-*)
-  ac_dir_suffix=/`echo "$ac_dir" | sed 's,^\.[\\/],,'`
-  # A ".." for each directory in $ac_dir_suffix.
-  ac_top_builddir_sub=`echo "$ac_dir_suffix" | sed 's,/[^\\/]*,/..,g;s,/,,'`
-  case $ac_top_builddir_sub in
-  "") ac_top_builddir_sub=. ac_top_build_prefix= ;;
-  *)  ac_top_build_prefix=$ac_top_builddir_sub/ ;;
-  esac ;;
-esac
-ac_abs_top_builddir=$ac_pwd
-ac_abs_builddir=$ac_pwd$ac_dir_suffix
-# for backward compatibility:
-ac_top_builddir=$ac_top_build_prefix
-
-case $srcdir in
-  .)  # We are building in place.
-    ac_srcdir=.
-    ac_top_srcdir=$ac_top_builddir_sub
-    ac_abs_top_srcdir=$ac_pwd ;;
-  [\\/]* | ?:[\\/]* )  # Absolute name.
-    ac_srcdir=$srcdir$ac_dir_suffix;
-    ac_top_srcdir=$srcdir
-    ac_abs_top_srcdir=$srcdir ;;
-  *) # Relative name.
-    ac_srcdir=$ac_top_build_prefix$srcdir$ac_dir_suffix
-    ac_top_srcdir=$ac_top_build_prefix$srcdir
-    ac_abs_top_srcdir=$ac_pwd/$srcdir ;;
-esac
-ac_abs_srcdir=$ac_abs_top_srcdir$ac_dir_suffix
-
-    cd "$ac_dir" || { ac_status=$?; continue; }
-    # Check for guested configure.
-    if test -f "$ac_srcdir/configure.gnu"; then
-      echo &&
-      $SHELL "$ac_srcdir/configure.gnu" --help=recursive
-    elif test -f "$ac_srcdir/configure"; then
-      echo &&
-      $SHELL "$ac_srcdir/configure" --help=recursive
-    else
-      echo "$as_me: WARNING: no configuration information is in $ac_dir" >&2
-    fi || ac_status=$?
-    cd "$ac_pwd" || { ac_status=$?; break; }
-  done
-fi
-
-test -n "$ac_init_help" && exit $ac_status
-if $ac_init_version; then
-  cat <<\_ACEOF
-NetworkManager-strongswan configure 4.2.6
-generated by GNU Autoconf 2.61
-
-Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
-2002, 2003, 2004, 2005, 2006 Free Software Foundation, Inc.
-This configure script is free software; the Free Software Foundation
-gives unlimited permission to copy, distribute and modify it.
-_ACEOF
-  exit
-fi
-cat >config.log <<_ACEOF
-This file contains any messages produced by compilers while
-running configure, to aid debugging if configure makes a mistake.
-
-It was created by NetworkManager-strongswan $as_me 4.2.6, which was
-generated by GNU Autoconf 2.61.  Invocation command line was
-
-  $ $0 $@
-
-_ACEOF
-exec 5>>config.log
-{
-cat <<_ASUNAME
-## --------- ##
-## Platform. ##
-## --------- ##
-
-hostname = `(hostname || uname -n) 2>/dev/null | sed 1q`
-uname -m = `(uname -m) 2>/dev/null || echo unknown`
-uname -r = `(uname -r) 2>/dev/null || echo unknown`
-uname -s = `(uname -s) 2>/dev/null || echo unknown`
-uname -v = `(uname -v) 2>/dev/null || echo unknown`
-
-/usr/bin/uname -p = `(/usr/bin/uname -p) 2>/dev/null || echo unknown`
-/bin/uname -X     = `(/bin/uname -X) 2>/dev/null     || echo unknown`
-
-/bin/arch              = `(/bin/arch) 2>/dev/null              || echo unknown`
-/usr/bin/arch -k       = `(/usr/bin/arch -k) 2>/dev/null       || echo unknown`
-/usr/convex/getsysinfo = `(/usr/convex/getsysinfo) 2>/dev/null || echo unknown`
-/usr/bin/hostinfo      = `(/usr/bin/hostinfo) 2>/dev/null      || echo unknown`
-/bin/machine           = `(/bin/machine) 2>/dev/null           || echo unknown`
-/usr/bin/oslevel       = `(/usr/bin/oslevel) 2>/dev/null       || echo unknown`
-/bin/universe          = `(/bin/universe) 2>/dev/null          || echo unknown`
-
-_ASUNAME
-
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  echo "PATH: $as_dir"
-done
-IFS=$as_save_IFS
-
-} >&5
-
-cat >&5 <<_ACEOF
-
-
-## ----------- ##
-## Core tests. ##
-## ----------- ##
-
-_ACEOF
-
-
-# Keep a trace of the command line.
-# Strip out --no-create and --no-recursion so they do not pile up.
-# Strip out --silent because we don't want to record it for future runs.
-# Also quote any args containing shell meta-characters.
-# Make two passes to allow for proper duplicate-argument suppression.
-ac_configure_args=
-ac_configure_args0=
-ac_configure_args1=
-ac_must_keep_next=false
-for ac_pass in 1 2
-do
-  for ac_arg
-  do
-    case $ac_arg in
-    -no-create | --no-c* | -n | -no-recursion | --no-r*) continue ;;
-    -q | -quiet | --quiet | --quie | --qui | --qu | --q \
-    | -silent | --silent | --silen | --sile | --sil)
-      continue ;;
-    *\'*)
-      ac_arg=`echo "$ac_arg" | sed "s/'/'\\\\\\\\''/g"` ;;
-    esac
-    case $ac_pass in
-    1) ac_configure_args0="$ac_configure_args0 '$ac_arg'" ;;
-    2)
-      ac_configure_args1="$ac_configure_args1 '$ac_arg'"
-      if test $ac_must_keep_next = true; then
-	ac_must_keep_next=false # Got value, back to normal.
-      else
-	case $ac_arg in
-	  *=* | --config-cache | -C | -disable-* | --disable-* \
-	  | -enable-* | --enable-* | -gas | --g* | -nfp | --nf* \
-	  | -q | -quiet | --q* | -silent | --sil* | -v | -verb* \
-	  | -with-* | --with-* | -without-* | --without-* | --x)
-	    case "$ac_configure_args0 " in
-	      "$ac_configure_args1"*" '$ac_arg' "* ) continue ;;
-	    esac
-	    ;;
-	  -* ) ac_must_keep_next=true ;;
-	esac
-      fi
-      ac_configure_args="$ac_configure_args '$ac_arg'"
-      ;;
-    esac
-  done
-done
-$as_unset ac_configure_args0 || test "${ac_configure_args0+set}" != set || { ac_configure_args0=; export ac_configure_args0; }
-$as_unset ac_configure_args1 || test "${ac_configure_args1+set}" != set || { ac_configure_args1=; export ac_configure_args1; }
-
-# When interrupted or exit'd, cleanup temporary files, and complete
-# config.log.  We remove comments because anyway the quotes in there
-# would cause problems or look ugly.
-# WARNING: Use '\'' to represent an apostrophe within the trap.
-# WARNING: Do not start the trap code with a newline, due to a FreeBSD 4.0 bug.
-trap 'exit_status=$?
-  # Save into config.log some information that might help in debugging.
-  {
-    echo
-
-    cat <<\_ASBOX
-## ---------------- ##
-## Cache variables. ##
-## ---------------- ##
-_ASBOX
-    echo
-    # The following way of writing the cache mishandles newlines in values,
-(
-  for ac_var in `(set) 2>&1 | sed -n '\''s/^\([a-zA-Z_][a-zA-Z0-9_]*\)=.*/\1/p'\''`; do
-    eval ac_val=\$$ac_var
-    case $ac_val in #(
-    *${as_nl}*)
-      case $ac_var in #(
-      *_cv_*) { echo "$as_me:$LINENO: WARNING: Cache variable $ac_var contains a newline." >&5
-echo "$as_me: WARNING: Cache variable $ac_var contains a newline." >&2;} ;;
-      esac
-      case $ac_var in #(
-      _ | IFS | as_nl) ;; #(
-      *) $as_unset $ac_var ;;
-      esac ;;
-    esac
-  done
-  (set) 2>&1 |
-    case $as_nl`(ac_space='\'' '\''; set) 2>&1` in #(
-    *${as_nl}ac_space=\ *)
-      sed -n \
-	"s/'\''/'\''\\\\'\'''\''/g;
-	  s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1='\''\\2'\''/p"
-      ;; #(
-    *)
-      sed -n "/^[_$as_cr_alnum]*_cv_[_$as_cr_alnum]*=/p"
-      ;;
-    esac |
-    sort
-)
-    echo
-
-    cat <<\_ASBOX
-## ----------------- ##
-## Output variables. ##
-## ----------------- ##
-_ASBOX
-    echo
-    for ac_var in $ac_subst_vars
-    do
-      eval ac_val=\$$ac_var
-      case $ac_val in
-      *\'\''*) ac_val=`echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;;
-      esac
-      echo "$ac_var='\''$ac_val'\''"
-    done | sort
-    echo
-
-    if test -n "$ac_subst_files"; then
-      cat <<\_ASBOX
-## ------------------- ##
-## File substitutions. ##
-## ------------------- ##
-_ASBOX
-      echo
-      for ac_var in $ac_subst_files
-      do
-	eval ac_val=\$$ac_var
-	case $ac_val in
-	*\'\''*) ac_val=`echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;;
-	esac
-	echo "$ac_var='\''$ac_val'\''"
-      done | sort
-      echo
-    fi
-
-    if test -s confdefs.h; then
-      cat <<\_ASBOX
-## ----------- ##
-## confdefs.h. ##
-## ----------- ##
-_ASBOX
-      echo
-      cat confdefs.h
-      echo
-    fi
-    test "$ac_signal" != 0 &&
-      echo "$as_me: caught signal $ac_signal"
-    echo "$as_me: exit $exit_status"
-  } >&5
-  rm -f core *.core core.conftest.* &&
-    rm -f -r conftest* confdefs* conf$$* $ac_clean_files &&
-    exit $exit_status
-' 0
-for ac_signal in 1 2 13 15; do
-  trap 'ac_signal='$ac_signal'; { (exit 1); exit 1; }' $ac_signal
-done
-ac_signal=0
-
-# confdefs.h avoids OS command line length limits that DEFS can exceed.
-rm -f -r conftest* confdefs.h
-
-# Predefined preprocessor variables.
-
-cat >>confdefs.h <<_ACEOF
-#define PACKAGE_NAME "$PACKAGE_NAME"
-_ACEOF
-
-
-cat >>confdefs.h <<_ACEOF
-#define PACKAGE_TARNAME "$PACKAGE_TARNAME"
-_ACEOF
-
-
-cat >>confdefs.h <<_ACEOF
-#define PACKAGE_VERSION "$PACKAGE_VERSION"
-_ACEOF
-
-
-cat >>confdefs.h <<_ACEOF
-#define PACKAGE_STRING "$PACKAGE_STRING"
-_ACEOF
-
-
-cat >>confdefs.h <<_ACEOF
-#define PACKAGE_BUGREPORT "$PACKAGE_BUGREPORT"
-_ACEOF
-
-
-# Let the site file select an alternate cache file if it wants to.
-# Prefer explicitly selected file to automatically selected ones.
-if test -n "$CONFIG_SITE"; then
-  set x "$CONFIG_SITE"
-elif test "x$prefix" != xNONE; then
-  set x "$prefix/share/config.site" "$prefix/etc/config.site"
-else
-  set x "$ac_default_prefix/share/config.site" \
-	"$ac_default_prefix/etc/config.site"
-fi
-shift
-for ac_site_file
-do
-  if test -r "$ac_site_file"; then
-    { echo "$as_me:$LINENO: loading site script $ac_site_file" >&5
-echo "$as_me: loading site script $ac_site_file" >&6;}
-    sed 's/^/| /' "$ac_site_file" >&5
-    . "$ac_site_file"
-  fi
-done
-
-if test -r "$cache_file"; then
-  # Some versions of bash will fail to source /dev/null (special
-  # files actually), so we avoid doing that.
-  if test -f "$cache_file"; then
-    { echo "$as_me:$LINENO: loading cache $cache_file" >&5
-echo "$as_me: loading cache $cache_file" >&6;}
-    case $cache_file in
-      [\\/]* | ?:[\\/]* ) . "$cache_file";;
-      *)                      . "./$cache_file";;
-    esac
-  fi
-else
-  { echo "$as_me:$LINENO: creating cache $cache_file" >&5
-echo "$as_me: creating cache $cache_file" >&6;}
-  >$cache_file
-fi
-
-# Check that the precious variables saved in the cache have kept the same
-# value.
-ac_cache_corrupted=false
-for ac_var in $ac_precious_vars; do
-  eval ac_old_set=\$ac_cv_env_${ac_var}_set
-  eval ac_new_set=\$ac_env_${ac_var}_set
-  eval ac_old_val=\$ac_cv_env_${ac_var}_value
-  eval ac_new_val=\$ac_env_${ac_var}_value
-  case $ac_old_set,$ac_new_set in
-    set,)
-      { echo "$as_me:$LINENO: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&5
-echo "$as_me: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&2;}
-      ac_cache_corrupted=: ;;
-    ,set)
-      { echo "$as_me:$LINENO: error: \`$ac_var' was not set in the previous run" >&5
-echo "$as_me: error: \`$ac_var' was not set in the previous run" >&2;}
-      ac_cache_corrupted=: ;;
-    ,);;
-    *)
-      if test "x$ac_old_val" != "x$ac_new_val"; then
-	{ echo "$as_me:$LINENO: error: \`$ac_var' has changed since the previous run:" >&5
-echo "$as_me: error: \`$ac_var' has changed since the previous run:" >&2;}
-	{ echo "$as_me:$LINENO:   former value:  $ac_old_val" >&5
-echo "$as_me:   former value:  $ac_old_val" >&2;}
-	{ echo "$as_me:$LINENO:   current value: $ac_new_val" >&5
-echo "$as_me:   current value: $ac_new_val" >&2;}
-	ac_cache_corrupted=:
-      fi;;
-  esac
-  # Pass precious variables to config.status.
-  if test "$ac_new_set" = set; then
-    case $ac_new_val in
-    *\'*) ac_arg=$ac_var=`echo "$ac_new_val" | sed "s/'/'\\\\\\\\''/g"` ;;
-    *) ac_arg=$ac_var=$ac_new_val ;;
-    esac
-    case " $ac_configure_args " in
-      *" '$ac_arg' "*) ;; # Avoid dups.  Use of quotes ensures accuracy.
-      *) ac_configure_args="$ac_configure_args '$ac_arg'" ;;
-    esac
-  fi
-done
-if $ac_cache_corrupted; then
-  { echo "$as_me:$LINENO: error: changes in the environment can compromise the build" >&5
-echo "$as_me: error: changes in the environment can compromise the build" >&2;}
-  { { echo "$as_me:$LINENO: error: run \`make distclean' and/or \`rm $cache_file' and start over" >&5
-echo "$as_me: error: run \`make distclean' and/or \`rm $cache_file' and start over" >&2;}
-   { (exit 1); exit 1; }; }
-fi
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-ac_ext=c
-ac_cpp='$CPP $CPPFLAGS'
-ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
-ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
-ac_compiler_gnu=$ac_cv_c_compiler_gnu
-
-
-ac_aux_dir=
-for ac_dir in . "$srcdir"/.; do
-  if test -f "$ac_dir/install-sh"; then
-    ac_aux_dir=$ac_dir
-    ac_install_sh="$ac_aux_dir/install-sh -c"
-    break
-  elif test -f "$ac_dir/install.sh"; then
-    ac_aux_dir=$ac_dir
-    ac_install_sh="$ac_aux_dir/install.sh -c"
-    break
-  elif test -f "$ac_dir/shtool"; then
-    ac_aux_dir=$ac_dir
-    ac_install_sh="$ac_aux_dir/shtool install -c"
-    break
-  fi
-done
-if test -z "$ac_aux_dir"; then
-  { { echo "$as_me:$LINENO: error: cannot find install-sh or install.sh in . \"$srcdir\"/." >&5
-echo "$as_me: error: cannot find install-sh or install.sh in . \"$srcdir\"/." >&2;}
-   { (exit 1); exit 1; }; }
-fi
-
-# These three variables are undocumented and unsupported,
-# and are intended to be withdrawn in a future Autoconf release.
-# They can cause serious problems if a builder's source tree is in a directory
-# whose full name contains unusual characters.
-ac_config_guess="$SHELL $ac_aux_dir/config.guess"  # Please don't use this var.
-ac_config_sub="$SHELL $ac_aux_dir/config.sub"  # Please don't use this var.
-ac_configure="$SHELL $ac_aux_dir/configure"  # Please don't use this var.
-
-
-am__api_version='1.10'
-
-# Find a good install program.  We prefer a C program (faster),
-# so one script is as good as another.  But avoid the broken or
-# incompatible versions:
-# SysV /etc/install, /usr/sbin/install
-# SunOS /usr/etc/install
-# IRIX /sbin/install
-# AIX /bin/install
-# AmigaOS /C/install, which installs bootblocks on floppy discs
-# AIX 4 /usr/bin/installbsd, which doesn't work without a -g flag
-# AFS /usr/afsws/bin/install, which mishandles nonexistent args
-# SVR4 /usr/ucb/install, which tries to use the nonexistent group "staff"
-# OS/2's system install, which has a completely different semantic
-# ./install, which can be erroneously created by make from ./install.sh.
-{ echo "$as_me:$LINENO: checking for a BSD-compatible install" >&5
-echo $ECHO_N "checking for a BSD-compatible install... $ECHO_C" >&6; }
-if test -z "$INSTALL"; then
-if test "${ac_cv_path_install+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  # Account for people who put trailing slashes in PATH elements.
-case $as_dir/ in
-  ./ | .// | /cC/* | \
-  /etc/* | /usr/sbin/* | /usr/etc/* | /sbin/* | /usr/afsws/bin/* | \
-  ?:\\/os2\\/install\\/* | ?:\\/OS2\\/INSTALL\\/* | \
-  /usr/ucb/* ) ;;
-  *)
-    # OSF1 and SCO ODT 3.0 have their own names for install.
-    # Don't use installbsd from OSF since it installs stuff as root
-    # by default.
-    for ac_prog in ginstall scoinst install; do
-      for ac_exec_ext in '' $ac_executable_extensions; do
-	if { test -f "$as_dir/$ac_prog$ac_exec_ext" && $as_test_x "$as_dir/$ac_prog$ac_exec_ext"; }; then
-	  if test $ac_prog = install &&
-	    grep dspmsg "$as_dir/$ac_prog$ac_exec_ext" >/dev/null 2>&1; then
-	    # AIX install.  It has an incompatible calling convention.
-	    :
-	  elif test $ac_prog = install &&
-	    grep pwplus "$as_dir/$ac_prog$ac_exec_ext" >/dev/null 2>&1; then
-	    # program-specific install script used by HP pwplus--don't use.
-	    :
-	  else
-	    ac_cv_path_install="$as_dir/$ac_prog$ac_exec_ext -c"
-	    break 3
-	  fi
-	fi
-      done
-    done
-    ;;
-esac
-done
-IFS=$as_save_IFS
-
-
-fi
-  if test "${ac_cv_path_install+set}" = set; then
-    INSTALL=$ac_cv_path_install
-  else
-    # As a last resort, use the slow shell script.  Don't cache a
-    # value for INSTALL within a source directory, because that will
-    # break other packages using the cache if that directory is
-    # removed, or if the value is a relative name.
-    INSTALL=$ac_install_sh
-  fi
-fi
-{ echo "$as_me:$LINENO: result: $INSTALL" >&5
-echo "${ECHO_T}$INSTALL" >&6; }
-
-# Use test -z because SunOS4 sh mishandles braces in ${var-val}.
-# It thinks the first close brace ends the variable substitution.
-test -z "$INSTALL_PROGRAM" && INSTALL_PROGRAM='${INSTALL}'
-
-test -z "$INSTALL_SCRIPT" && INSTALL_SCRIPT='${INSTALL}'
-
-test -z "$INSTALL_DATA" && INSTALL_DATA='${INSTALL} -m 644'
-
-{ echo "$as_me:$LINENO: checking whether build environment is sane" >&5
-echo $ECHO_N "checking whether build environment is sane... $ECHO_C" >&6; }
-# Just in case
-sleep 1
-echo timestamp > conftest.file
-# Do `set' in a subshell so we don't clobber the current shell's
-# arguments.  Must try -L first in case configure is actually a
-# symlink; some systems play weird games with the mod time of symlinks
-# (eg FreeBSD returns the mod time of the symlink's containing
-# directory).
-if (
-   set X `ls -Lt $srcdir/configure conftest.file 2> /dev/null`
-   if test "$*" = "X"; then
-      # -L didn't work.
-      set X `ls -t $srcdir/configure conftest.file`
-   fi
-   rm -f conftest.file
-   if test "$*" != "X $srcdir/configure conftest.file" \
-      && test "$*" != "X conftest.file $srcdir/configure"; then
-
-      # If neither matched, then we have a broken ls.  This can happen
-      # if, for instance, CONFIG_SHELL is bash and it inherits a
-      # broken ls alias from the environment.  This has actually
-      # happened.  Such a system could not be considered "sane".
-      { { echo "$as_me:$LINENO: error: ls -t appears to fail.  Make sure there is not a broken
-alias in your environment" >&5
-echo "$as_me: error: ls -t appears to fail.  Make sure there is not a broken
-alias in your environment" >&2;}
-   { (exit 1); exit 1; }; }
-   fi
-
-   test "$2" = conftest.file
-   )
-then
-   # Ok.
-   :
-else
-   { { echo "$as_me:$LINENO: error: newly created file is older than distributed files!
-Check your system clock" >&5
-echo "$as_me: error: newly created file is older than distributed files!
-Check your system clock" >&2;}
-   { (exit 1); exit 1; }; }
-fi
-{ echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6; }
-test "$program_prefix" != NONE &&
-  program_transform_name="s&^&$program_prefix&;$program_transform_name"
-# Use a double $ so make ignores it.
-test "$program_suffix" != NONE &&
-  program_transform_name="s&\$&$program_suffix&;$program_transform_name"
-# Double any \ or $.  echo might interpret backslashes.
-# By default was `s,x,x', remove it if useless.
-cat <<\_ACEOF >conftest.sed
-s/[\\$]/&&/g;s/;s,x,x,$//
-_ACEOF
-program_transform_name=`echo $program_transform_name | sed -f conftest.sed`
-rm -f conftest.sed
-
-# expand $ac_aux_dir to an absolute path
-am_aux_dir=`cd $ac_aux_dir && pwd`
-
-test x"${MISSING+set}" = xset || MISSING="\${SHELL} $am_aux_dir/missing"
-# Use eval to expand $SHELL
-if eval "$MISSING --run true"; then
-  am_missing_run="$MISSING --run "
-else
-  am_missing_run=
-  { echo "$as_me:$LINENO: WARNING: \`missing' script is too old or missing" >&5
-echo "$as_me: WARNING: \`missing' script is too old or missing" >&2;}
-fi
-
-{ echo "$as_me:$LINENO: checking for a thread-safe mkdir -p" >&5
-echo $ECHO_N "checking for a thread-safe mkdir -p... $ECHO_C" >&6; }
-if test -z "$MKDIR_P"; then
-  if test "${ac_cv_path_mkdir+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH$PATH_SEPARATOR/opt/sfw/bin
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  for ac_prog in mkdir gmkdir; do
-	 for ac_exec_ext in '' $ac_executable_extensions; do
-	   { test -f "$as_dir/$ac_prog$ac_exec_ext" && $as_test_x "$as_dir/$ac_prog$ac_exec_ext"; } || continue
-	   case `"$as_dir/$ac_prog$ac_exec_ext" --version 2>&1` in #(
-	     'mkdir (GNU coreutils) '* | \
-	     'mkdir (coreutils) '* | \
-	     'mkdir (fileutils) '4.1*)
-	       ac_cv_path_mkdir=$as_dir/$ac_prog$ac_exec_ext
-	       break 3;;
-	   esac
-	 done
-       done
-done
-IFS=$as_save_IFS
-
-fi
-
-  if test "${ac_cv_path_mkdir+set}" = set; then
-    MKDIR_P="$ac_cv_path_mkdir -p"
-  else
-    # As a last resort, use the slow shell script.  Don't cache a
-    # value for MKDIR_P within a source directory, because that will
-    # break other packages using the cache if that directory is
-    # removed, or if the value is a relative name.
-    test -d ./--version && rmdir ./--version
-    MKDIR_P="$ac_install_sh -d"
-  fi
-fi
-{ echo "$as_me:$LINENO: result: $MKDIR_P" >&5
-echo "${ECHO_T}$MKDIR_P" >&6; }
-
-mkdir_p="$MKDIR_P"
-case $mkdir_p in
-  [\\/$]* | ?:[\\/]*) ;;
-  */*) mkdir_p="\$(top_builddir)/$mkdir_p" ;;
-esac
-
-for ac_prog in gawk mawk nawk awk
-do
-  # Extract the first word of "$ac_prog", so it can be a program name with args.
-set dummy $ac_prog; ac_word=$2
-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
-if test "${ac_cv_prog_AWK+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  if test -n "$AWK"; then
-  ac_cv_prog_AWK="$AWK" # Let the user override the test.
-else
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-    ac_cv_prog_AWK="$ac_prog"
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
-    break 2
-  fi
-done
-done
-IFS=$as_save_IFS
-
-fi
-fi
-AWK=$ac_cv_prog_AWK
-if test -n "$AWK"; then
-  { echo "$as_me:$LINENO: result: $AWK" >&5
-echo "${ECHO_T}$AWK" >&6; }
-else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
-fi
-
-
-  test -n "$AWK" && break
-done
-
-{ echo "$as_me:$LINENO: checking whether ${MAKE-make} sets \$(MAKE)" >&5
-echo $ECHO_N "checking whether ${MAKE-make} sets \$(MAKE)... $ECHO_C" >&6; }
-set x ${MAKE-make}; ac_make=`echo "$2" | sed 's/+/p/g; s/[^a-zA-Z0-9_]/_/g'`
-if { as_var=ac_cv_prog_make_${ac_make}_set; eval "test \"\${$as_var+set}\" = set"; }; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  cat >conftest.make <<\_ACEOF
-SHELL = /bin/sh
-all:
-	@echo '@@@%%%=$(MAKE)=@@@%%%'
-_ACEOF
-# GNU make sometimes prints "make[1]: Entering...", which would confuse us.
-case `${MAKE-make} -f conftest.make 2>/dev/null` in
-  *@@@%%%=?*=@@@%%%*)
-    eval ac_cv_prog_make_${ac_make}_set=yes;;
-  *)
-    eval ac_cv_prog_make_${ac_make}_set=no;;
-esac
-rm -f conftest.make
-fi
-if eval test \$ac_cv_prog_make_${ac_make}_set = yes; then
-  { echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6; }
-  SET_MAKE=
-else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
-  SET_MAKE="MAKE=${MAKE-make}"
-fi
-
-rm -rf .tst 2>/dev/null
-mkdir .tst 2>/dev/null
-if test -d .tst; then
-  am__leading_dot=.
-else
-  am__leading_dot=_
-fi
-rmdir .tst 2>/dev/null
-
-if test "`cd $srcdir && pwd`" != "`pwd`"; then
-  # Use -I$(srcdir) only when $(srcdir) != ., so that make's output
-  # is not polluted with repeated "-I."
-  am__isrc=' -I$(srcdir)'
-  # test to see if srcdir already configured
-  if test -f $srcdir/config.status; then
-    { { echo "$as_me:$LINENO: error: source directory already configured; run \"make distclean\" there first" >&5
-echo "$as_me: error: source directory already configured; run \"make distclean\" there first" >&2;}
-   { (exit 1); exit 1; }; }
-  fi
-fi
-
-# test whether we have cygpath
-if test -z "$CYGPATH_W"; then
-  if (cygpath --version) >/dev/null 2>/dev/null; then
-    CYGPATH_W='cygpath -w'
-  else
-    CYGPATH_W=echo
-  fi
-fi
-
-
-# Define the identity of the package.
- PACKAGE='NetworkManager-strongswan'
- VERSION='4.2.6'
-
-
-cat >>confdefs.h <<_ACEOF
-#define PACKAGE "$PACKAGE"
-_ACEOF
-
-
-cat >>confdefs.h <<_ACEOF
-#define VERSION "$VERSION"
-_ACEOF
-
-# Some tools Automake needs.
-
-ACLOCAL=${ACLOCAL-"${am_missing_run}aclocal-${am__api_version}"}
-
-
-AUTOCONF=${AUTOCONF-"${am_missing_run}autoconf"}
-
-
-AUTOMAKE=${AUTOMAKE-"${am_missing_run}automake-${am__api_version}"}
-
-
-AUTOHEADER=${AUTOHEADER-"${am_missing_run}autoheader"}
-
-
-MAKEINFO=${MAKEINFO-"${am_missing_run}makeinfo"}
-
-install_sh=${install_sh-"\$(SHELL) $am_aux_dir/install-sh"}
-
-# Installed binaries are usually stripped using `strip' when the user
-# run `make install-strip'.  However `strip' might not be the right
-# tool to use in cross-compilation environments, therefore Automake
-# will honor the `STRIP' environment variable to overrule this program.
-if test "$cross_compiling" != no; then
-  if test -n "$ac_tool_prefix"; then
-  # Extract the first word of "${ac_tool_prefix}strip", so it can be a program name with args.
-set dummy ${ac_tool_prefix}strip; ac_word=$2
-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
-if test "${ac_cv_prog_STRIP+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  if test -n "$STRIP"; then
-  ac_cv_prog_STRIP="$STRIP" # Let the user override the test.
-else
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-    ac_cv_prog_STRIP="${ac_tool_prefix}strip"
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
-    break 2
-  fi
-done
-done
-IFS=$as_save_IFS
-
-fi
-fi
-STRIP=$ac_cv_prog_STRIP
-if test -n "$STRIP"; then
-  { echo "$as_me:$LINENO: result: $STRIP" >&5
-echo "${ECHO_T}$STRIP" >&6; }
-else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
-fi
-
-
-fi
-if test -z "$ac_cv_prog_STRIP"; then
-  ac_ct_STRIP=$STRIP
-  # Extract the first word of "strip", so it can be a program name with args.
-set dummy strip; ac_word=$2
-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
-if test "${ac_cv_prog_ac_ct_STRIP+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  if test -n "$ac_ct_STRIP"; then
-  ac_cv_prog_ac_ct_STRIP="$ac_ct_STRIP" # Let the user override the test.
-else
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-    ac_cv_prog_ac_ct_STRIP="strip"
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
-    break 2
-  fi
-done
-done
-IFS=$as_save_IFS
-
-fi
-fi
-ac_ct_STRIP=$ac_cv_prog_ac_ct_STRIP
-if test -n "$ac_ct_STRIP"; then
-  { echo "$as_me:$LINENO: result: $ac_ct_STRIP" >&5
-echo "${ECHO_T}$ac_ct_STRIP" >&6; }
-else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
-fi
-
-  if test "x$ac_ct_STRIP" = x; then
-    STRIP=":"
-  else
-    case $cross_compiling:$ac_tool_warned in
-yes:)
-{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
-whose name does not start with the host triplet.  If you think this
-configuration is useful to you, please write to autoconf@gnu.org." >&5
-echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
-whose name does not start with the host triplet.  If you think this
-configuration is useful to you, please write to autoconf@gnu.org." >&2;}
-ac_tool_warned=yes ;;
-esac
-    STRIP=$ac_ct_STRIP
-  fi
-else
-  STRIP="$ac_cv_prog_STRIP"
-fi
-
-fi
-INSTALL_STRIP_PROGRAM="\$(install_sh) -c -s"
-
-# We need awk for the "check" target.  The system "awk" is bad on
-# some platforms.
-# Always define AMTAR for backward compatibility.
-
-AMTAR=${AMTAR-"${am_missing_run}tar"}
-
-am__tar='${AMTAR} chof - "$$tardir"'; am__untar='${AMTAR} xf -'
-
-
-
-
-
-{ echo "$as_me:$LINENO: checking whether to enable maintainer-specific portions of Makefiles" >&5
-echo $ECHO_N "checking whether to enable maintainer-specific portions of Makefiles... $ECHO_C" >&6; }
-    # Check whether --enable-maintainer-mode was given.
-if test "${enable_maintainer_mode+set}" = set; then
-  enableval=$enable_maintainer_mode; USE_MAINTAINER_MODE=$enableval
-else
-  USE_MAINTAINER_MODE=no
-fi
-
-  { echo "$as_me:$LINENO: result: $USE_MAINTAINER_MODE" >&5
-echo "${ECHO_T}$USE_MAINTAINER_MODE" >&6; }
-   if test $USE_MAINTAINER_MODE = yes; then
-  MAINTAINER_MODE_TRUE=
-  MAINTAINER_MODE_FALSE='#'
-else
-  MAINTAINER_MODE_TRUE='#'
-  MAINTAINER_MODE_FALSE=
-fi
-
-  MAINT=$MAINTAINER_MODE_TRUE
-
-
-
-ac_config_headers="$ac_config_headers config.h"
-
-
-ac_ext=c
-ac_cpp='$CPP $CPPFLAGS'
-ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
-ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
-ac_compiler_gnu=$ac_cv_c_compiler_gnu
-if test -n "$ac_tool_prefix"; then
-  # Extract the first word of "${ac_tool_prefix}gcc", so it can be a program name with args.
-set dummy ${ac_tool_prefix}gcc; ac_word=$2
-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
-if test "${ac_cv_prog_CC+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  if test -n "$CC"; then
-  ac_cv_prog_CC="$CC" # Let the user override the test.
-else
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-    ac_cv_prog_CC="${ac_tool_prefix}gcc"
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
-    break 2
-  fi
-done
-done
-IFS=$as_save_IFS
-
-fi
-fi
-CC=$ac_cv_prog_CC
-if test -n "$CC"; then
-  { echo "$as_me:$LINENO: result: $CC" >&5
-echo "${ECHO_T}$CC" >&6; }
-else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
-fi
-
-
-fi
-if test -z "$ac_cv_prog_CC"; then
-  ac_ct_CC=$CC
-  # Extract the first word of "gcc", so it can be a program name with args.
-set dummy gcc; ac_word=$2
-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
-if test "${ac_cv_prog_ac_ct_CC+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  if test -n "$ac_ct_CC"; then
-  ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test.
-else
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-    ac_cv_prog_ac_ct_CC="gcc"
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
-    break 2
-  fi
-done
-done
-IFS=$as_save_IFS
-
-fi
-fi
-ac_ct_CC=$ac_cv_prog_ac_ct_CC
-if test -n "$ac_ct_CC"; then
-  { echo "$as_me:$LINENO: result: $ac_ct_CC" >&5
-echo "${ECHO_T}$ac_ct_CC" >&6; }
-else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
-fi
-
-  if test "x$ac_ct_CC" = x; then
-    CC=""
-  else
-    case $cross_compiling:$ac_tool_warned in
-yes:)
-{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
-whose name does not start with the host triplet.  If you think this
-configuration is useful to you, please write to autoconf@gnu.org." >&5
-echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
-whose name does not start with the host triplet.  If you think this
-configuration is useful to you, please write to autoconf@gnu.org." >&2;}
-ac_tool_warned=yes ;;
-esac
-    CC=$ac_ct_CC
-  fi
-else
-  CC="$ac_cv_prog_CC"
-fi
-
-if test -z "$CC"; then
-          if test -n "$ac_tool_prefix"; then
-    # Extract the first word of "${ac_tool_prefix}cc", so it can be a program name with args.
-set dummy ${ac_tool_prefix}cc; ac_word=$2
-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
-if test "${ac_cv_prog_CC+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  if test -n "$CC"; then
-  ac_cv_prog_CC="$CC" # Let the user override the test.
-else
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-    ac_cv_prog_CC="${ac_tool_prefix}cc"
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
-    break 2
-  fi
-done
-done
-IFS=$as_save_IFS
-
-fi
-fi
-CC=$ac_cv_prog_CC
-if test -n "$CC"; then
-  { echo "$as_me:$LINENO: result: $CC" >&5
-echo "${ECHO_T}$CC" >&6; }
-else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
-fi
-
-
-  fi
-fi
-if test -z "$CC"; then
-  # Extract the first word of "cc", so it can be a program name with args.
-set dummy cc; ac_word=$2
-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
-if test "${ac_cv_prog_CC+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  if test -n "$CC"; then
-  ac_cv_prog_CC="$CC" # Let the user override the test.
-else
-  ac_prog_rejected=no
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-    if test "$as_dir/$ac_word$ac_exec_ext" = "/usr/ucb/cc"; then
-       ac_prog_rejected=yes
-       continue
-     fi
-    ac_cv_prog_CC="cc"
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
-    break 2
-  fi
-done
-done
-IFS=$as_save_IFS
-
-if test $ac_prog_rejected = yes; then
-  # We found a bogon in the path, so make sure we never use it.
-  set dummy $ac_cv_prog_CC
-  shift
-  if test $# != 0; then
-    # We chose a different compiler from the bogus one.
-    # However, it has the same basename, so the bogon will be chosen
-    # first if we set CC to just the basename; use the full file name.
-    shift
-    ac_cv_prog_CC="$as_dir/$ac_word${1+' '}$@"
-  fi
-fi
-fi
-fi
-CC=$ac_cv_prog_CC
-if test -n "$CC"; then
-  { echo "$as_me:$LINENO: result: $CC" >&5
-echo "${ECHO_T}$CC" >&6; }
-else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
-fi
-
-
-fi
-if test -z "$CC"; then
-  if test -n "$ac_tool_prefix"; then
-  for ac_prog in cl.exe
-  do
-    # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args.
-set dummy $ac_tool_prefix$ac_prog; ac_word=$2
-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
-if test "${ac_cv_prog_CC+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  if test -n "$CC"; then
-  ac_cv_prog_CC="$CC" # Let the user override the test.
-else
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-    ac_cv_prog_CC="$ac_tool_prefix$ac_prog"
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
-    break 2
-  fi
-done
-done
-IFS=$as_save_IFS
-
-fi
-fi
-CC=$ac_cv_prog_CC
-if test -n "$CC"; then
-  { echo "$as_me:$LINENO: result: $CC" >&5
-echo "${ECHO_T}$CC" >&6; }
-else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
-fi
-
-
-    test -n "$CC" && break
-  done
-fi
-if test -z "$CC"; then
-  ac_ct_CC=$CC
-  for ac_prog in cl.exe
-do
-  # Extract the first word of "$ac_prog", so it can be a program name with args.
-set dummy $ac_prog; ac_word=$2
-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
-if test "${ac_cv_prog_ac_ct_CC+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  if test -n "$ac_ct_CC"; then
-  ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test.
-else
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-    ac_cv_prog_ac_ct_CC="$ac_prog"
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
-    break 2
-  fi
-done
-done
-IFS=$as_save_IFS
-
-fi
-fi
-ac_ct_CC=$ac_cv_prog_ac_ct_CC
-if test -n "$ac_ct_CC"; then
-  { echo "$as_me:$LINENO: result: $ac_ct_CC" >&5
-echo "${ECHO_T}$ac_ct_CC" >&6; }
-else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
-fi
-
-
-  test -n "$ac_ct_CC" && break
-done
-
-  if test "x$ac_ct_CC" = x; then
-    CC=""
-  else
-    case $cross_compiling:$ac_tool_warned in
-yes:)
-{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
-whose name does not start with the host triplet.  If you think this
-configuration is useful to you, please write to autoconf@gnu.org." >&5
-echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
-whose name does not start with the host triplet.  If you think this
-configuration is useful to you, please write to autoconf@gnu.org." >&2;}
-ac_tool_warned=yes ;;
-esac
-    CC=$ac_ct_CC
-  fi
-fi
-
-fi
-
-
-test -z "$CC" && { { echo "$as_me:$LINENO: error: no acceptable C compiler found in \$PATH
-See \`config.log' for more details." >&5
-echo "$as_me: error: no acceptable C compiler found in \$PATH
-See \`config.log' for more details." >&2;}
-   { (exit 1); exit 1; }; }
-
-# Provide some information about the compiler.
-echo "$as_me:$LINENO: checking for C compiler version" >&5
-ac_compiler=`set X $ac_compile; echo $2`
-{ (ac_try="$ac_compiler --version >&5"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_compiler --version >&5") 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }
-{ (ac_try="$ac_compiler -v >&5"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_compiler -v >&5") 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }
-{ (ac_try="$ac_compiler -V >&5"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_compiler -V >&5") 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }
-
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-int
-main ()
-{
-
-  ;
-  return 0;
-}
-_ACEOF
-ac_clean_files_save=$ac_clean_files
-ac_clean_files="$ac_clean_files a.out a.exe b.out"
-# Try to create an executable without -o first, disregard a.out.
-# It will help us diagnose broken compilers, and finding out an intuition
-# of exeext.
-{ echo "$as_me:$LINENO: checking for C compiler default output file name" >&5
-echo $ECHO_N "checking for C compiler default output file name... $ECHO_C" >&6; }
-ac_link_default=`echo "$ac_link" | sed 's/ -o *conftest[^ ]*//'`
-#
-# List of possible output files, starting from the most likely.
-# The algorithm is not robust to junk in `.', hence go to wildcards (a.*)
-# only as a last resort.  b.out is created by i960 compilers.
-ac_files='a_out.exe a.exe conftest.exe a.out conftest a.* conftest.* b.out'
-#
-# The IRIX 6 linker writes into existing files which may not be
-# executable, retaining their permissions.  Remove them first so a
-# subsequent execution test works.
-ac_rmfiles=
-for ac_file in $ac_files
-do
-  case $ac_file in
-    *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.o | *.obj ) ;;
-    * ) ac_rmfiles="$ac_rmfiles $ac_file";;
-  esac
-done
-rm -f $ac_rmfiles
-
-if { (ac_try="$ac_link_default"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_link_default") 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; then
-  # Autoconf-2.13 could set the ac_cv_exeext variable to `no'.
-# So ignore a value of `no', otherwise this would lead to `EXEEXT = no'
-# in a Makefile.  We should not override ac_cv_exeext if it was cached,
-# so that the user can short-circuit this test for compilers unknown to
-# Autoconf.
-for ac_file in $ac_files ''
-do
-  test -f "$ac_file" || continue
-  case $ac_file in
-    *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.o | *.obj )
-	;;
-    [ab].out )
-	# We found the default executable, but exeext='' is most
-	# certainly right.
-	break;;
-    *.* )
-        if test "${ac_cv_exeext+set}" = set && test "$ac_cv_exeext" != no;
-	then :; else
-	   ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'`
-	fi
-	# We set ac_cv_exeext here because the later test for it is not
-	# safe: cross compilers may not add the suffix if given an `-o'
-	# argument, so we may need to know it at that point already.
-	# Even if this section looks crufty: it has the advantage of
-	# actually working.
-	break;;
-    * )
-	break;;
-  esac
-done
-test "$ac_cv_exeext" = no && ac_cv_exeext=
-
-else
-  ac_file=''
-fi
-
-{ echo "$as_me:$LINENO: result: $ac_file" >&5
-echo "${ECHO_T}$ac_file" >&6; }
-if test -z "$ac_file"; then
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-{ { echo "$as_me:$LINENO: error: C compiler cannot create executables
-See \`config.log' for more details." >&5
-echo "$as_me: error: C compiler cannot create executables
-See \`config.log' for more details." >&2;}
-   { (exit 77); exit 77; }; }
-fi
-
-ac_exeext=$ac_cv_exeext
-
-# Check that the compiler produces executables we can run.  If not, either
-# the compiler is broken, or we cross compile.
-{ echo "$as_me:$LINENO: checking whether the C compiler works" >&5
-echo $ECHO_N "checking whether the C compiler works... $ECHO_C" >&6; }
-# FIXME: These cross compiler hacks should be removed for Autoconf 3.0
-# If not cross compiling, check that we can run a simple program.
-if test "$cross_compiling" != yes; then
-  if { ac_try='./$ac_file'
-  { (case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_try") 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-    cross_compiling=no
-  else
-    if test "$cross_compiling" = maybe; then
-	cross_compiling=yes
-    else
-	{ { echo "$as_me:$LINENO: error: cannot run C compiled programs.
-If you meant to cross compile, use \`--host'.
-See \`config.log' for more details." >&5
-echo "$as_me: error: cannot run C compiled programs.
-If you meant to cross compile, use \`--host'.
-See \`config.log' for more details." >&2;}
-   { (exit 1); exit 1; }; }
-    fi
-  fi
-fi
-{ echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6; }
-
-rm -f a.out a.exe conftest$ac_cv_exeext b.out
-ac_clean_files=$ac_clean_files_save
-# Check that the compiler produces executables we can run.  If not, either
-# the compiler is broken, or we cross compile.
-{ echo "$as_me:$LINENO: checking whether we are cross compiling" >&5
-echo $ECHO_N "checking whether we are cross compiling... $ECHO_C" >&6; }
-{ echo "$as_me:$LINENO: result: $cross_compiling" >&5
-echo "${ECHO_T}$cross_compiling" >&6; }
-
-{ echo "$as_me:$LINENO: checking for suffix of executables" >&5
-echo $ECHO_N "checking for suffix of executables... $ECHO_C" >&6; }
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_link") 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; then
-  # If both `conftest.exe' and `conftest' are `present' (well, observable)
-# catch `conftest.exe'.  For instance with Cygwin, `ls conftest' will
-# work properly (i.e., refer to `conftest.exe'), while it won't with
-# `rm'.
-for ac_file in conftest.exe conftest conftest.*; do
-  test -f "$ac_file" || continue
-  case $ac_file in
-    *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.o | *.obj ) ;;
-    *.* ) ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'`
-	  break;;
-    * ) break;;
-  esac
-done
-else
-  { { echo "$as_me:$LINENO: error: cannot compute suffix of executables: cannot compile and link
-See \`config.log' for more details." >&5
-echo "$as_me: error: cannot compute suffix of executables: cannot compile and link
-See \`config.log' for more details." >&2;}
-   { (exit 1); exit 1; }; }
-fi
-
-rm -f conftest$ac_cv_exeext
-{ echo "$as_me:$LINENO: result: $ac_cv_exeext" >&5
-echo "${ECHO_T}$ac_cv_exeext" >&6; }
-
-rm -f conftest.$ac_ext
-EXEEXT=$ac_cv_exeext
-ac_exeext=$EXEEXT
-{ echo "$as_me:$LINENO: checking for suffix of object files" >&5
-echo $ECHO_N "checking for suffix of object files... $ECHO_C" >&6; }
-if test "${ac_cv_objext+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-int
-main ()
-{
-
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.o conftest.obj
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_compile") 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; then
-  for ac_file in conftest.o conftest.obj conftest.*; do
-  test -f "$ac_file" || continue;
-  case $ac_file in
-    *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf ) ;;
-    *) ac_cv_objext=`expr "$ac_file" : '.*\.\(.*\)'`
-       break;;
-  esac
-done
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-{ { echo "$as_me:$LINENO: error: cannot compute suffix of object files: cannot compile
-See \`config.log' for more details." >&5
-echo "$as_me: error: cannot compute suffix of object files: cannot compile
-See \`config.log' for more details." >&2;}
-   { (exit 1); exit 1; }; }
-fi
-
-rm -f conftest.$ac_cv_objext conftest.$ac_ext
-fi
-{ echo "$as_me:$LINENO: result: $ac_cv_objext" >&5
-echo "${ECHO_T}$ac_cv_objext" >&6; }
-OBJEXT=$ac_cv_objext
-ac_objext=$OBJEXT
-{ echo "$as_me:$LINENO: checking whether we are using the GNU C compiler" >&5
-echo $ECHO_N "checking whether we are using the GNU C compiler... $ECHO_C" >&6; }
-if test "${ac_cv_c_compiler_gnu+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-int
-main ()
-{
-#ifndef __GNUC__
-       choke me
-#endif
-
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  ac_compiler_gnu=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_compiler_gnu=no
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-ac_cv_c_compiler_gnu=$ac_compiler_gnu
-
-fi
-{ echo "$as_me:$LINENO: result: $ac_cv_c_compiler_gnu" >&5
-echo "${ECHO_T}$ac_cv_c_compiler_gnu" >&6; }
-GCC=`test $ac_compiler_gnu = yes && echo yes`
-ac_test_CFLAGS=${CFLAGS+set}
-ac_save_CFLAGS=$CFLAGS
-{ echo "$as_me:$LINENO: checking whether $CC accepts -g" >&5
-echo $ECHO_N "checking whether $CC accepts -g... $ECHO_C" >&6; }
-if test "${ac_cv_prog_cc_g+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  ac_save_c_werror_flag=$ac_c_werror_flag
-   ac_c_werror_flag=yes
-   ac_cv_prog_cc_g=no
-   CFLAGS="-g"
-   cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-int
-main ()
-{
-
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  ac_cv_prog_cc_g=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	CFLAGS=""
-      cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-int
-main ()
-{
-
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  :
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_c_werror_flag=$ac_save_c_werror_flag
-	 CFLAGS="-g"
-	 cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-int
-main ()
-{
-
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  ac_cv_prog_cc_g=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-   ac_c_werror_flag=$ac_save_c_werror_flag
-fi
-{ echo "$as_me:$LINENO: result: $ac_cv_prog_cc_g" >&5
-echo "${ECHO_T}$ac_cv_prog_cc_g" >&6; }
-if test "$ac_test_CFLAGS" = set; then
-  CFLAGS=$ac_save_CFLAGS
-elif test $ac_cv_prog_cc_g = yes; then
-  if test "$GCC" = yes; then
-    CFLAGS="-g -O2"
-  else
-    CFLAGS="-g"
-  fi
-else
-  if test "$GCC" = yes; then
-    CFLAGS="-O2"
-  else
-    CFLAGS=
-  fi
-fi
-{ echo "$as_me:$LINENO: checking for $CC option to accept ISO C89" >&5
-echo $ECHO_N "checking for $CC option to accept ISO C89... $ECHO_C" >&6; }
-if test "${ac_cv_prog_cc_c89+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  ac_cv_prog_cc_c89=no
-ac_save_CC=$CC
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#include <stdarg.h>
-#include <stdio.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-/* Most of the following tests are stolen from RCS 5.7's src/conf.sh.  */
-struct buf { int x; };
-FILE * (*rcsopen) (struct buf *, struct stat *, int);
-static char *e (p, i)
-     char **p;
-     int i;
-{
-  return p[i];
-}
-static char *f (char * (*g) (char **, int), char **p, ...)
-{
-  char *s;
-  va_list v;
-  va_start (v,p);
-  s = g (p, va_arg (v,int));
-  va_end (v);
-  return s;
-}
-
-/* OSF 4.0 Compaq cc is some sort of almost-ANSI by default.  It has
-   function prototypes and stuff, but not '\xHH' hex character constants.
-   These don't provoke an error unfortunately, instead are silently treated
-   as 'x'.  The following induces an error, until -std is added to get
-   proper ANSI mode.  Curiously '\x00'!='x' always comes out true, for an
-   array size at least.  It's necessary to write '\x00'==0 to get something
-   that's true only with -std.  */
-int osf4_cc_array ['\x00' == 0 ? 1 : -1];
-
-/* IBM C 6 for AIX is almost-ANSI by default, but it replaces macro parameters
-   inside strings and character constants.  */
-#define FOO(x) 'x'
-int xlc6_cc_array[FOO(a) == 'x' ? 1 : -1];
-
-int test (int i, double x);
-struct s1 {int (*f) (int a);};
-struct s2 {int (*f) (double a);};
-int pairnames (int, char **, FILE *(*)(struct buf *, struct stat *, int), int, int);
-int argc;
-char **argv;
-int
-main ()
-{
-return f (e, argv, 0) != argv[0]  ||  f (e, argv, 1) != argv[1];
-  ;
-  return 0;
-}
-_ACEOF
-for ac_arg in '' -qlanglvl=extc89 -qlanglvl=ansi -std \
-	-Ae "-Aa -D_HPUX_SOURCE" "-Xc -D__EXTENSIONS__"
-do
-  CC="$ac_save_CC $ac_arg"
-  rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  ac_cv_prog_cc_c89=$ac_arg
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-
-fi
-
-rm -f core conftest.err conftest.$ac_objext
-  test "x$ac_cv_prog_cc_c89" != "xno" && break
-done
-rm -f conftest.$ac_ext
-CC=$ac_save_CC
-
-fi
-# AC_CACHE_VAL
-case "x$ac_cv_prog_cc_c89" in
-  x)
-    { echo "$as_me:$LINENO: result: none needed" >&5
-echo "${ECHO_T}none needed" >&6; } ;;
-  xno)
-    { echo "$as_me:$LINENO: result: unsupported" >&5
-echo "${ECHO_T}unsupported" >&6; } ;;
-  *)
-    CC="$CC $ac_cv_prog_cc_c89"
-    { echo "$as_me:$LINENO: result: $ac_cv_prog_cc_c89" >&5
-echo "${ECHO_T}$ac_cv_prog_cc_c89" >&6; } ;;
-esac
-
-
-ac_ext=c
-ac_cpp='$CPP $CPPFLAGS'
-ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
-ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
-ac_compiler_gnu=$ac_cv_c_compiler_gnu
-DEPDIR="${am__leading_dot}deps"
-
-ac_config_commands="$ac_config_commands depfiles"
-
-
-am_make=${MAKE-make}
-cat > confinc << 'END'
-am__doit:
-	@echo done
-.PHONY: am__doit
-END
-# If we don't find an include directive, just comment out the code.
-{ echo "$as_me:$LINENO: checking for style of include used by $am_make" >&5
-echo $ECHO_N "checking for style of include used by $am_make... $ECHO_C" >&6; }
-am__include="#"
-am__quote=
-_am_result=none
-# First try GNU make style include.
-echo "include confinc" > confmf
-# We grep out `Entering directory' and `Leaving directory'
-# messages which can occur if `w' ends up in MAKEFLAGS.
-# In particular we don't look at `^make:' because GNU make might
-# be invoked under some other name (usually "gmake"), in which
-# case it prints its new name instead of `make'.
-if test "`$am_make -s -f confmf 2> /dev/null | grep -v 'ing directory'`" = "done"; then
-   am__include=include
-   am__quote=
-   _am_result=GNU
-fi
-# Now try BSD make style include.
-if test "$am__include" = "#"; then
-   echo '.include "confinc"' > confmf
-   if test "`$am_make -s -f confmf 2> /dev/null`" = "done"; then
-      am__include=.include
-      am__quote="\""
-      _am_result=BSD
-   fi
-fi
-
-
-{ echo "$as_me:$LINENO: result: $_am_result" >&5
-echo "${ECHO_T}$_am_result" >&6; }
-rm -f confinc confmf
-
-# Check whether --enable-dependency-tracking was given.
-if test "${enable_dependency_tracking+set}" = set; then
-  enableval=$enable_dependency_tracking;
-fi
-
-if test "x$enable_dependency_tracking" != xno; then
-  am_depcomp="$ac_aux_dir/depcomp"
-  AMDEPBACKSLASH='\'
-fi
- if test "x$enable_dependency_tracking" != xno; then
-  AMDEP_TRUE=
-  AMDEP_FALSE='#'
-else
-  AMDEP_TRUE='#'
-  AMDEP_FALSE=
-fi
-
-
-
-depcc="$CC"   am_compiler_list=
-
-{ echo "$as_me:$LINENO: checking dependency style of $depcc" >&5
-echo $ECHO_N "checking dependency style of $depcc... $ECHO_C" >&6; }
-if test "${am_cv_CC_dependencies_compiler_type+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  if test -z "$AMDEP_TRUE" && test -f "$am_depcomp"; then
-  # We make a subdir and do the tests there.  Otherwise we can end up
-  # making bogus files that we don't know about and never remove.  For
-  # instance it was reported that on HP-UX the gcc test will end up
-  # making a dummy file named `D' -- because `-MD' means `put the output
-  # in D'.
-  mkdir conftest.dir
-  # Copy depcomp to subdir because otherwise we won't find it if we're
-  # using a relative directory.
-  cp "$am_depcomp" conftest.dir
-  cd conftest.dir
-  # We will build objects and dependencies in a subdirectory because
-  # it helps to detect inapplicable dependency modes.  For instance
-  # both Tru64's cc and ICC support -MD to output dependencies as a
-  # side effect of compilation, but ICC will put the dependencies in
-  # the current directory while Tru64 will put them in the object
-  # directory.
-  mkdir sub
-
-  am_cv_CC_dependencies_compiler_type=none
-  if test "$am_compiler_list" = ""; then
-     am_compiler_list=`sed -n 's/^#*\([a-zA-Z0-9]*\))$/\1/p' < ./depcomp`
-  fi
-  for depmode in $am_compiler_list; do
-    # Setup a source with many dependencies, because some compilers
-    # like to wrap large dependency lists on column 80 (with \), and
-    # we should not choose a depcomp mode which is confused by this.
-    #
-    # We need to recreate these files for each test, as the compiler may
-    # overwrite some of them when testing with obscure command lines.
-    # This happens at least with the AIX C compiler.
-    : > sub/conftest.c
-    for i in 1 2 3 4 5 6; do
-      echo '#include "conftst'$i'.h"' >> sub/conftest.c
-      # Using `: > sub/conftst$i.h' creates only sub/conftst1.h with
-      # Solaris 8's {/usr,}/bin/sh.
-      touch sub/conftst$i.h
-    done
-    echo "${am__include} ${am__quote}sub/conftest.Po${am__quote}" > confmf
-
-    case $depmode in
-    nosideeffect)
-      # after this tag, mechanisms are not by side-effect, so they'll
-      # only be used when explicitly requested
-      if test "x$enable_dependency_tracking" = xyes; then
-	continue
-      else
-	break
-      fi
-      ;;
-    none) break ;;
-    esac
-    # We check with `-c' and `-o' for the sake of the "dashmstdout"
-    # mode.  It turns out that the SunPro C++ compiler does not properly
-    # handle `-M -o', and we need to detect this.
-    if depmode=$depmode \
-       source=sub/conftest.c object=sub/conftest.${OBJEXT-o} \
-       depfile=sub/conftest.Po tmpdepfile=sub/conftest.TPo \
-       $SHELL ./depcomp $depcc -c -o sub/conftest.${OBJEXT-o} sub/conftest.c \
-         >/dev/null 2>conftest.err &&
-       grep sub/conftst1.h sub/conftest.Po > /dev/null 2>&1 &&
-       grep sub/conftst6.h sub/conftest.Po > /dev/null 2>&1 &&
-       grep sub/conftest.${OBJEXT-o} sub/conftest.Po > /dev/null 2>&1 &&
-       ${MAKE-make} -s -f confmf > /dev/null 2>&1; then
-      # icc doesn't choke on unknown options, it will just issue warnings
-      # or remarks (even with -Werror).  So we grep stderr for any message
-      # that says an option was ignored or not supported.
-      # When given -MP, icc 7.0 and 7.1 complain thusly:
-      #   icc: Command line warning: ignoring option '-M'; no argument required
-      # The diagnosis changed in icc 8.0:
-      #   icc: Command line remark: option '-MP' not supported
-      if (grep 'ignoring option' conftest.err ||
-          grep 'not supported' conftest.err) >/dev/null 2>&1; then :; else
-        am_cv_CC_dependencies_compiler_type=$depmode
-        break
-      fi
-    fi
-  done
-
-  cd ..
-  rm -rf conftest.dir
-else
-  am_cv_CC_dependencies_compiler_type=none
-fi
-
-fi
-{ echo "$as_me:$LINENO: result: $am_cv_CC_dependencies_compiler_type" >&5
-echo "${ECHO_T}$am_cv_CC_dependencies_compiler_type" >&6; }
-CCDEPMODE=depmode=$am_cv_CC_dependencies_compiler_type
-
- if
-  test "x$enable_dependency_tracking" != xno \
-  && test "$am_cv_CC_dependencies_compiler_type" = gcc3; then
-  am__fastdepCC_TRUE=
-  am__fastdepCC_FALSE='#'
-else
-  am__fastdepCC_TRUE='#'
-  am__fastdepCC_FALSE=
-fi
-
-
-if test "x$CC" != xcc; then
-  { echo "$as_me:$LINENO: checking whether $CC and cc understand -c and -o together" >&5
-echo $ECHO_N "checking whether $CC and cc understand -c and -o together... $ECHO_C" >&6; }
-else
-  { echo "$as_me:$LINENO: checking whether cc understands -c and -o together" >&5
-echo $ECHO_N "checking whether cc understands -c and -o together... $ECHO_C" >&6; }
-fi
-set dummy $CC; ac_cc=`echo $2 |
-		      sed 's/[^a-zA-Z0-9_]/_/g;s/^[0-9]/_/'`
-if { as_var=ac_cv_prog_cc_${ac_cc}_c_o; eval "test \"\${$as_var+set}\" = set"; }; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-int
-main ()
-{
-
-  ;
-  return 0;
-}
-_ACEOF
-# Make sure it works both with $CC and with simple cc.
-# We do the test twice because some compilers refuse to overwrite an
-# existing .o file with -o, though they will create one.
-ac_try='$CC -c conftest.$ac_ext -o conftest2.$ac_objext >&5'
-rm -f conftest2.*
-if { (case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_try") 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-   test -f conftest2.$ac_objext && { (case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_try") 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); };
-then
-  eval ac_cv_prog_cc_${ac_cc}_c_o=yes
-  if test "x$CC" != xcc; then
-    # Test first that cc exists at all.
-    if { ac_try='cc -c conftest.$ac_ext >&5'
-  { (case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_try") 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-      ac_try='cc -c conftest.$ac_ext -o conftest2.$ac_objext >&5'
-      rm -f conftest2.*
-      if { (case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_try") 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 test -f conftest2.$ac_objext && { (case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_try") 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); };
-      then
-	# cc works too.
-	:
-      else
-	# cc exists but doesn't like -o.
-	eval ac_cv_prog_cc_${ac_cc}_c_o=no
-      fi
-    fi
-  fi
-else
-  eval ac_cv_prog_cc_${ac_cc}_c_o=no
-fi
-rm -f core conftest*
-
-fi
-if eval test \$ac_cv_prog_cc_${ac_cc}_c_o = yes; then
-  { echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6; }
-else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
-
-cat >>confdefs.h <<\_ACEOF
-#define NO_MINUS_C_MINUS_O 1
-_ACEOF
-
-fi
-
-# FIXME: we rely on the cache variable name because
-# there is no other way.
-set dummy $CC
-ac_cc=`echo $2 | sed 's/[^a-zA-Z0-9_]/_/g;s/^[0-9]/_/'`
-if eval "test \"`echo '$ac_cv_prog_cc_'${ac_cc}_c_o`\" != yes"; then
-   # Losing compiler, so override with the script.
-   # FIXME: It is wrong to rewrite CC.
-   # But if we don't then we get into trouble of one sort or another.
-   # A longer-term fix would be to have automake use am__CC in this case,
-   # and then we could set am__CC="\$(top_srcdir)/compile \$(CC)"
-   CC="$am_aux_dir/compile $CC"
-fi
-
-
-# Find a good install program.  We prefer a C program (faster),
-# so one script is as good as another.  But avoid the broken or
-# incompatible versions:
-# SysV /etc/install, /usr/sbin/install
-# SunOS /usr/etc/install
-# IRIX /sbin/install
-# AIX /bin/install
-# AmigaOS /C/install, which installs bootblocks on floppy discs
-# AIX 4 /usr/bin/installbsd, which doesn't work without a -g flag
-# AFS /usr/afsws/bin/install, which mishandles nonexistent args
-# SVR4 /usr/ucb/install, which tries to use the nonexistent group "staff"
-# OS/2's system install, which has a completely different semantic
-# ./install, which can be erroneously created by make from ./install.sh.
-{ echo "$as_me:$LINENO: checking for a BSD-compatible install" >&5
-echo $ECHO_N "checking for a BSD-compatible install... $ECHO_C" >&6; }
-if test -z "$INSTALL"; then
-if test "${ac_cv_path_install+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  # Account for people who put trailing slashes in PATH elements.
-case $as_dir/ in
-  ./ | .// | /cC/* | \
-  /etc/* | /usr/sbin/* | /usr/etc/* | /sbin/* | /usr/afsws/bin/* | \
-  ?:\\/os2\\/install\\/* | ?:\\/OS2\\/INSTALL\\/* | \
-  /usr/ucb/* ) ;;
-  *)
-    # OSF1 and SCO ODT 3.0 have their own names for install.
-    # Don't use installbsd from OSF since it installs stuff as root
-    # by default.
-    for ac_prog in ginstall scoinst install; do
-      for ac_exec_ext in '' $ac_executable_extensions; do
-	if { test -f "$as_dir/$ac_prog$ac_exec_ext" && $as_test_x "$as_dir/$ac_prog$ac_exec_ext"; }; then
-	  if test $ac_prog = install &&
-	    grep dspmsg "$as_dir/$ac_prog$ac_exec_ext" >/dev/null 2>&1; then
-	    # AIX install.  It has an incompatible calling convention.
-	    :
-	  elif test $ac_prog = install &&
-	    grep pwplus "$as_dir/$ac_prog$ac_exec_ext" >/dev/null 2>&1; then
-	    # program-specific install script used by HP pwplus--don't use.
-	    :
-	  else
-	    ac_cv_path_install="$as_dir/$ac_prog$ac_exec_ext -c"
-	    break 3
-	  fi
-	fi
-      done
-    done
-    ;;
-esac
-done
-IFS=$as_save_IFS
-
-
-fi
-  if test "${ac_cv_path_install+set}" = set; then
-    INSTALL=$ac_cv_path_install
-  else
-    # As a last resort, use the slow shell script.  Don't cache a
-    # value for INSTALL within a source directory, because that will
-    # break other packages using the cache if that directory is
-    # removed, or if the value is a relative name.
-    INSTALL=$ac_install_sh
-  fi
-fi
-{ echo "$as_me:$LINENO: result: $INSTALL" >&5
-echo "${ECHO_T}$INSTALL" >&6; }
-
-# Use test -z because SunOS4 sh mishandles braces in ${var-val}.
-# It thinks the first close brace ends the variable substitution.
-test -z "$INSTALL_PROGRAM" && INSTALL_PROGRAM='${INSTALL}'
-
-test -z "$INSTALL_SCRIPT" && INSTALL_SCRIPT='${INSTALL}'
-
-test -z "$INSTALL_DATA" && INSTALL_DATA='${INSTALL} -m 644'
-
-# Check whether --enable-shared was given.
-if test "${enable_shared+set}" = set; then
-  enableval=$enable_shared; p=${PACKAGE-default}
-    case $enableval in
-    yes) enable_shared=yes ;;
-    no) enable_shared=no ;;
-    *)
-      enable_shared=no
-      # Look at the argument we got.  We use all the common list separators.
-      lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR,"
-      for pkg in $enableval; do
-	IFS="$lt_save_ifs"
-	if test "X$pkg" = "X$p"; then
-	  enable_shared=yes
-	fi
-      done
-      IFS="$lt_save_ifs"
-      ;;
-    esac
-else
-  enable_shared=yes
-fi
-
-
-# Check whether --enable-static was given.
-if test "${enable_static+set}" = set; then
-  enableval=$enable_static; p=${PACKAGE-default}
-    case $enableval in
-    yes) enable_static=yes ;;
-    no) enable_static=no ;;
-    *)
-     enable_static=no
-      # Look at the argument we got.  We use all the common list separators.
-      lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR,"
-      for pkg in $enableval; do
-	IFS="$lt_save_ifs"
-	if test "X$pkg" = "X$p"; then
-	  enable_static=yes
-	fi
-      done
-      IFS="$lt_save_ifs"
-      ;;
-    esac
-else
-  enable_static=yes
-fi
-
-
-# Check whether --enable-fast-install was given.
-if test "${enable_fast_install+set}" = set; then
-  enableval=$enable_fast_install; p=${PACKAGE-default}
-    case $enableval in
-    yes) enable_fast_install=yes ;;
-    no) enable_fast_install=no ;;
-    *)
-      enable_fast_install=no
-      # Look at the argument we got.  We use all the common list separators.
-      lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR,"
-      for pkg in $enableval; do
-	IFS="$lt_save_ifs"
-	if test "X$pkg" = "X$p"; then
-	  enable_fast_install=yes
-	fi
-      done
-      IFS="$lt_save_ifs"
-      ;;
-    esac
-else
-  enable_fast_install=yes
-fi
-
-
-# Make sure we can run config.sub.
-$SHELL "$ac_aux_dir/config.sub" sun4 >/dev/null 2>&1 ||
-  { { echo "$as_me:$LINENO: error: cannot run $SHELL $ac_aux_dir/config.sub" >&5
-echo "$as_me: error: cannot run $SHELL $ac_aux_dir/config.sub" >&2;}
-   { (exit 1); exit 1; }; }
-
-{ echo "$as_me:$LINENO: checking build system type" >&5
-echo $ECHO_N "checking build system type... $ECHO_C" >&6; }
-if test "${ac_cv_build+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  ac_build_alias=$build_alias
-test "x$ac_build_alias" = x &&
-  ac_build_alias=`$SHELL "$ac_aux_dir/config.guess"`
-test "x$ac_build_alias" = x &&
-  { { echo "$as_me:$LINENO: error: cannot guess build type; you must specify one" >&5
-echo "$as_me: error: cannot guess build type; you must specify one" >&2;}
-   { (exit 1); exit 1; }; }
-ac_cv_build=`$SHELL "$ac_aux_dir/config.sub" $ac_build_alias` ||
-  { { echo "$as_me:$LINENO: error: $SHELL $ac_aux_dir/config.sub $ac_build_alias failed" >&5
-echo "$as_me: error: $SHELL $ac_aux_dir/config.sub $ac_build_alias failed" >&2;}
-   { (exit 1); exit 1; }; }
-
-fi
-{ echo "$as_me:$LINENO: result: $ac_cv_build" >&5
-echo "${ECHO_T}$ac_cv_build" >&6; }
-case $ac_cv_build in
-*-*-*) ;;
-*) { { echo "$as_me:$LINENO: error: invalid value of canonical build" >&5
-echo "$as_me: error: invalid value of canonical build" >&2;}
-   { (exit 1); exit 1; }; };;
-esac
-build=$ac_cv_build
-ac_save_IFS=$IFS; IFS='-'
-set x $ac_cv_build
-shift
-build_cpu=$1
-build_vendor=$2
-shift; shift
-# Remember, the first character of IFS is used to create $*,
-# except with old shells:
-build_os=$*
-IFS=$ac_save_IFS
-case $build_os in *\ *) build_os=`echo "$build_os" | sed 's/ /-/g'`;; esac
-
-
-{ echo "$as_me:$LINENO: checking host system type" >&5
-echo $ECHO_N "checking host system type... $ECHO_C" >&6; }
-if test "${ac_cv_host+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  if test "x$host_alias" = x; then
-  ac_cv_host=$ac_cv_build
-else
-  ac_cv_host=`$SHELL "$ac_aux_dir/config.sub" $host_alias` ||
-    { { echo "$as_me:$LINENO: error: $SHELL $ac_aux_dir/config.sub $host_alias failed" >&5
-echo "$as_me: error: $SHELL $ac_aux_dir/config.sub $host_alias failed" >&2;}
-   { (exit 1); exit 1; }; }
-fi
-
-fi
-{ echo "$as_me:$LINENO: result: $ac_cv_host" >&5
-echo "${ECHO_T}$ac_cv_host" >&6; }
-case $ac_cv_host in
-*-*-*) ;;
-*) { { echo "$as_me:$LINENO: error: invalid value of canonical host" >&5
-echo "$as_me: error: invalid value of canonical host" >&2;}
-   { (exit 1); exit 1; }; };;
-esac
-host=$ac_cv_host
-ac_save_IFS=$IFS; IFS='-'
-set x $ac_cv_host
-shift
-host_cpu=$1
-host_vendor=$2
-shift; shift
-# Remember, the first character of IFS is used to create $*,
-# except with old shells:
-host_os=$*
-IFS=$ac_save_IFS
-case $host_os in *\ *) host_os=`echo "$host_os" | sed 's/ /-/g'`;; esac
-
-
-{ echo "$as_me:$LINENO: checking for a sed that does not truncate output" >&5
-echo $ECHO_N "checking for a sed that does not truncate output... $ECHO_C" >&6; }
-if test "${lt_cv_path_SED+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  # Loop through the user's path and test for sed and gsed.
-# Then use that list of sed's as ones to test for truncation.
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  for lt_ac_prog in sed gsed; do
-    for ac_exec_ext in '' $ac_executable_extensions; do
-      if { test -f "$as_dir/$lt_ac_prog$ac_exec_ext" && $as_test_x "$as_dir/$lt_ac_prog$ac_exec_ext"; }; then
-        lt_ac_sed_list="$lt_ac_sed_list $as_dir/$lt_ac_prog$ac_exec_ext"
-      fi
-    done
-  done
-done
-IFS=$as_save_IFS
-lt_ac_max=0
-lt_ac_count=0
-# Add /usr/xpg4/bin/sed as it is typically found on Solaris
-# along with /bin/sed that truncates output.
-for lt_ac_sed in $lt_ac_sed_list /usr/xpg4/bin/sed; do
-  test ! -f $lt_ac_sed && continue
-  cat /dev/null > conftest.in
-  lt_ac_count=0
-  echo $ECHO_N "0123456789$ECHO_C" >conftest.in
-  # Check for GNU sed and select it if it is found.
-  if "$lt_ac_sed" --version 2>&1 < /dev/null | grep 'GNU' > /dev/null; then
-    lt_cv_path_SED=$lt_ac_sed
-    break
-  fi
-  while true; do
-    cat conftest.in conftest.in >conftest.tmp
-    mv conftest.tmp conftest.in
-    cp conftest.in conftest.nl
-    echo >>conftest.nl
-    $lt_ac_sed -e 's/a$//' < conftest.nl >conftest.out || break
-    cmp -s conftest.out conftest.nl || break
-    # 10000 chars as input seems more than enough
-    test $lt_ac_count -gt 10 && break
-    lt_ac_count=`expr $lt_ac_count + 1`
-    if test $lt_ac_count -gt $lt_ac_max; then
-      lt_ac_max=$lt_ac_count
-      lt_cv_path_SED=$lt_ac_sed
-    fi
-  done
-done
-
-fi
-
-SED=$lt_cv_path_SED
-
-{ echo "$as_me:$LINENO: result: $SED" >&5
-echo "${ECHO_T}$SED" >&6; }
-
-{ echo "$as_me:$LINENO: checking for grep that handles long lines and -e" >&5
-echo $ECHO_N "checking for grep that handles long lines and -e... $ECHO_C" >&6; }
-if test "${ac_cv_path_GREP+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  # Extract the first word of "grep ggrep" to use in msg output
-if test -z "$GREP"; then
-set dummy grep ggrep; ac_prog_name=$2
-if test "${ac_cv_path_GREP+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  ac_path_GREP_found=false
-# Loop through the user's path and test for each of PROGNAME-LIST
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH$PATH_SEPARATOR/usr/xpg4/bin
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  for ac_prog in grep ggrep; do
-  for ac_exec_ext in '' $ac_executable_extensions; do
-    ac_path_GREP="$as_dir/$ac_prog$ac_exec_ext"
-    { test -f "$ac_path_GREP" && $as_test_x "$ac_path_GREP"; } || continue
-    # Check for GNU ac_path_GREP and select it if it is found.
-  # Check for GNU $ac_path_GREP
-case `"$ac_path_GREP" --version 2>&1` in
-*GNU*)
-  ac_cv_path_GREP="$ac_path_GREP" ac_path_GREP_found=:;;
-*)
-  ac_count=0
-  echo $ECHO_N "0123456789$ECHO_C" >"conftest.in"
-  while :
-  do
-    cat "conftest.in" "conftest.in" >"conftest.tmp"
-    mv "conftest.tmp" "conftest.in"
-    cp "conftest.in" "conftest.nl"
-    echo 'GREP' >> "conftest.nl"
-    "$ac_path_GREP" -e 'GREP$' -e '-(cannot match)-' < "conftest.nl" >"conftest.out" 2>/dev/null || break
-    diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break
-    ac_count=`expr $ac_count + 1`
-    if test $ac_count -gt ${ac_path_GREP_max-0}; then
-      # Best one so far, save it but keep looking for a better one
-      ac_cv_path_GREP="$ac_path_GREP"
-      ac_path_GREP_max=$ac_count
-    fi
-    # 10*(2^10) chars as input seems more than enough
-    test $ac_count -gt 10 && break
-  done
-  rm -f conftest.in conftest.tmp conftest.nl conftest.out;;
-esac
-
-
-    $ac_path_GREP_found && break 3
-  done
-done
-
-done
-IFS=$as_save_IFS
-
-
-fi
-
-GREP="$ac_cv_path_GREP"
-if test -z "$GREP"; then
-  { { echo "$as_me:$LINENO: error: no acceptable $ac_prog_name could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" >&5
-echo "$as_me: error: no acceptable $ac_prog_name could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" >&2;}
-   { (exit 1); exit 1; }; }
-fi
-
-else
-  ac_cv_path_GREP=$GREP
-fi
-
-
-fi
-{ echo "$as_me:$LINENO: result: $ac_cv_path_GREP" >&5
-echo "${ECHO_T}$ac_cv_path_GREP" >&6; }
- GREP="$ac_cv_path_GREP"
-
-
-{ echo "$as_me:$LINENO: checking for egrep" >&5
-echo $ECHO_N "checking for egrep... $ECHO_C" >&6; }
-if test "${ac_cv_path_EGREP+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  if echo a | $GREP -E '(a|b)' >/dev/null 2>&1
-   then ac_cv_path_EGREP="$GREP -E"
-   else
-     # Extract the first word of "egrep" to use in msg output
-if test -z "$EGREP"; then
-set dummy egrep; ac_prog_name=$2
-if test "${ac_cv_path_EGREP+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  ac_path_EGREP_found=false
-# Loop through the user's path and test for each of PROGNAME-LIST
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH$PATH_SEPARATOR/usr/xpg4/bin
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  for ac_prog in egrep; do
-  for ac_exec_ext in '' $ac_executable_extensions; do
-    ac_path_EGREP="$as_dir/$ac_prog$ac_exec_ext"
-    { test -f "$ac_path_EGREP" && $as_test_x "$ac_path_EGREP"; } || continue
-    # Check for GNU ac_path_EGREP and select it if it is found.
-  # Check for GNU $ac_path_EGREP
-case `"$ac_path_EGREP" --version 2>&1` in
-*GNU*)
-  ac_cv_path_EGREP="$ac_path_EGREP" ac_path_EGREP_found=:;;
-*)
-  ac_count=0
-  echo $ECHO_N "0123456789$ECHO_C" >"conftest.in"
-  while :
-  do
-    cat "conftest.in" "conftest.in" >"conftest.tmp"
-    mv "conftest.tmp" "conftest.in"
-    cp "conftest.in" "conftest.nl"
-    echo 'EGREP' >> "conftest.nl"
-    "$ac_path_EGREP" 'EGREP$' < "conftest.nl" >"conftest.out" 2>/dev/null || break
-    diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break
-    ac_count=`expr $ac_count + 1`
-    if test $ac_count -gt ${ac_path_EGREP_max-0}; then
-      # Best one so far, save it but keep looking for a better one
-      ac_cv_path_EGREP="$ac_path_EGREP"
-      ac_path_EGREP_max=$ac_count
-    fi
-    # 10*(2^10) chars as input seems more than enough
-    test $ac_count -gt 10 && break
-  done
-  rm -f conftest.in conftest.tmp conftest.nl conftest.out;;
-esac
-
-
-    $ac_path_EGREP_found && break 3
-  done
-done
-
-done
-IFS=$as_save_IFS
-
-
-fi
-
-EGREP="$ac_cv_path_EGREP"
-if test -z "$EGREP"; then
-  { { echo "$as_me:$LINENO: error: no acceptable $ac_prog_name could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" >&5
-echo "$as_me: error: no acceptable $ac_prog_name could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" >&2;}
-   { (exit 1); exit 1; }; }
-fi
-
-else
-  ac_cv_path_EGREP=$EGREP
-fi
-
-
-   fi
-fi
-{ echo "$as_me:$LINENO: result: $ac_cv_path_EGREP" >&5
-echo "${ECHO_T}$ac_cv_path_EGREP" >&6; }
- EGREP="$ac_cv_path_EGREP"
-
-
-
-# Check whether --with-gnu-ld was given.
-if test "${with_gnu_ld+set}" = set; then
-  withval=$with_gnu_ld; test "$withval" = no || with_gnu_ld=yes
-else
-  with_gnu_ld=no
-fi
-
-ac_prog=ld
-if test "$GCC" = yes; then
-  # Check if gcc -print-prog-name=ld gives a path.
-  { echo "$as_me:$LINENO: checking for ld used by $CC" >&5
-echo $ECHO_N "checking for ld used by $CC... $ECHO_C" >&6; }
-  case $host in
-  *-*-mingw*)
-    # gcc leaves a trailing carriage return which upsets mingw
-    ac_prog=`($CC -print-prog-name=ld) 2>&5 | tr -d '\015'` ;;
-  *)
-    ac_prog=`($CC -print-prog-name=ld) 2>&5` ;;
-  esac
-  case $ac_prog in
-    # Accept absolute paths.
-    [\\/]* | ?:[\\/]*)
-      re_direlt='/[^/][^/]*/\.\./'
-      # Canonicalize the pathname of ld
-      ac_prog=`echo $ac_prog| $SED 's%\\\\%/%g'`
-      while echo $ac_prog | grep "$re_direlt" > /dev/null 2>&1; do
-	ac_prog=`echo $ac_prog| $SED "s%$re_direlt%/%"`
-      done
-      test -z "$LD" && LD="$ac_prog"
-      ;;
-  "")
-    # If it fails, then pretend we aren't using GCC.
-    ac_prog=ld
-    ;;
-  *)
-    # If it is relative, then search for the first ld in PATH.
-    with_gnu_ld=unknown
-    ;;
-  esac
-elif test "$with_gnu_ld" = yes; then
-  { echo "$as_me:$LINENO: checking for GNU ld" >&5
-echo $ECHO_N "checking for GNU ld... $ECHO_C" >&6; }
-else
-  { echo "$as_me:$LINENO: checking for non-GNU ld" >&5
-echo $ECHO_N "checking for non-GNU ld... $ECHO_C" >&6; }
-fi
-if test "${lt_cv_path_LD+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  if test -z "$LD"; then
-  lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR
-  for ac_dir in $PATH; do
-    IFS="$lt_save_ifs"
-    test -z "$ac_dir" && ac_dir=.
-    if test -f "$ac_dir/$ac_prog" || test -f "$ac_dir/$ac_prog$ac_exeext"; then
-      lt_cv_path_LD="$ac_dir/$ac_prog"
-      # Check to see if the program is GNU ld.  I'd rather use --version,
-      # but apparently some variants of GNU ld only accept -v.
-      # Break only if it was the GNU/non-GNU ld that we prefer.
-      case `"$lt_cv_path_LD" -v 2>&1 </dev/null` in
-      *GNU* | *'with BFD'*)
-	test "$with_gnu_ld" != no && break
-	;;
-      *)
-	test "$with_gnu_ld" != yes && break
-	;;
-      esac
-    fi
-  done
-  IFS="$lt_save_ifs"
-else
-  lt_cv_path_LD="$LD" # Let the user override the test with a path.
-fi
-fi
-
-LD="$lt_cv_path_LD"
-if test -n "$LD"; then
-  { echo "$as_me:$LINENO: result: $LD" >&5
-echo "${ECHO_T}$LD" >&6; }
-else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
-fi
-test -z "$LD" && { { echo "$as_me:$LINENO: error: no acceptable ld found in \$PATH" >&5
-echo "$as_me: error: no acceptable ld found in \$PATH" >&2;}
-   { (exit 1); exit 1; }; }
-{ echo "$as_me:$LINENO: checking if the linker ($LD) is GNU ld" >&5
-echo $ECHO_N "checking if the linker ($LD) is GNU ld... $ECHO_C" >&6; }
-if test "${lt_cv_prog_gnu_ld+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  # I'd rather use --version here, but apparently some GNU lds only accept -v.
-case `$LD -v 2>&1 </dev/null` in
-*GNU* | *'with BFD'*)
-  lt_cv_prog_gnu_ld=yes
-  ;;
-*)
-  lt_cv_prog_gnu_ld=no
-  ;;
-esac
-fi
-{ echo "$as_me:$LINENO: result: $lt_cv_prog_gnu_ld" >&5
-echo "${ECHO_T}$lt_cv_prog_gnu_ld" >&6; }
-with_gnu_ld=$lt_cv_prog_gnu_ld
-
-
-{ echo "$as_me:$LINENO: checking for $LD option to reload object files" >&5
-echo $ECHO_N "checking for $LD option to reload object files... $ECHO_C" >&6; }
-if test "${lt_cv_ld_reload_flag+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  lt_cv_ld_reload_flag='-r'
-fi
-{ echo "$as_me:$LINENO: result: $lt_cv_ld_reload_flag" >&5
-echo "${ECHO_T}$lt_cv_ld_reload_flag" >&6; }
-reload_flag=$lt_cv_ld_reload_flag
-case $reload_flag in
-"" | " "*) ;;
-*) reload_flag=" $reload_flag" ;;
-esac
-reload_cmds='$LD$reload_flag -o $output$reload_objs'
-case $host_os in
-  darwin*)
-    if test "$GCC" = yes; then
-      reload_cmds='$LTCC $LTCFLAGS -nostdlib ${wl}-r -o $output$reload_objs'
-    else
-      reload_cmds='$LD$reload_flag -o $output$reload_objs'
-    fi
-    ;;
-esac
-
-{ echo "$as_me:$LINENO: checking for BSD-compatible nm" >&5
-echo $ECHO_N "checking for BSD-compatible nm... $ECHO_C" >&6; }
-if test "${lt_cv_path_NM+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  if test -n "$NM"; then
-  # Let the user override the test.
-  lt_cv_path_NM="$NM"
-else
-  lt_nm_to_check="${ac_tool_prefix}nm"
-  if test -n "$ac_tool_prefix" && test "$build" = "$host"; then
-    lt_nm_to_check="$lt_nm_to_check nm"
-  fi
-  for lt_tmp_nm in $lt_nm_to_check; do
-    lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR
-    for ac_dir in $PATH /usr/ccs/bin/elf /usr/ccs/bin /usr/ucb /bin; do
-      IFS="$lt_save_ifs"
-      test -z "$ac_dir" && ac_dir=.
-      tmp_nm="$ac_dir/$lt_tmp_nm"
-      if test -f "$tmp_nm" || test -f "$tmp_nm$ac_exeext" ; then
-	# Check to see if the nm accepts a BSD-compat flag.
-	# Adding the `sed 1q' prevents false positives on HP-UX, which says:
-	#   nm: unknown option "B" ignored
-	# Tru64's nm complains that /dev/null is an invalid object file
-	case `"$tmp_nm" -B /dev/null 2>&1 | sed '1q'` in
-	*/dev/null* | *'Invalid file or object type'*)
-	  lt_cv_path_NM="$tmp_nm -B"
-	  break
-	  ;;
-	*)
-	  case `"$tmp_nm" -p /dev/null 2>&1 | sed '1q'` in
-	  */dev/null*)
-	    lt_cv_path_NM="$tmp_nm -p"
-	    break
-	    ;;
-	  *)
-	    lt_cv_path_NM=${lt_cv_path_NM="$tmp_nm"} # keep the first match, but
-	    continue # so that we can try to find one that supports BSD flags
-	    ;;
-	  esac
-	  ;;
-	esac
-      fi
-    done
-    IFS="$lt_save_ifs"
-  done
-  test -z "$lt_cv_path_NM" && lt_cv_path_NM=nm
-fi
-fi
-{ echo "$as_me:$LINENO: result: $lt_cv_path_NM" >&5
-echo "${ECHO_T}$lt_cv_path_NM" >&6; }
-NM="$lt_cv_path_NM"
-
-{ echo "$as_me:$LINENO: checking whether ln -s works" >&5
-echo $ECHO_N "checking whether ln -s works... $ECHO_C" >&6; }
-LN_S=$as_ln_s
-if test "$LN_S" = "ln -s"; then
-  { echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6; }
-else
-  { echo "$as_me:$LINENO: result: no, using $LN_S" >&5
-echo "${ECHO_T}no, using $LN_S" >&6; }
-fi
-
-{ echo "$as_me:$LINENO: checking how to recognize dependent libraries" >&5
-echo $ECHO_N "checking how to recognize dependent libraries... $ECHO_C" >&6; }
-if test "${lt_cv_deplibs_check_method+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  lt_cv_file_magic_cmd='$MAGIC_CMD'
-lt_cv_file_magic_test_file=
-lt_cv_deplibs_check_method='unknown'
-# Need to set the preceding variable on all platforms that support
-# interlibrary dependencies.
-# 'none' -- dependencies not supported.
-# `unknown' -- same as none, but documents that we really don't know.
-# 'pass_all' -- all dependencies passed with no checks.
-# 'test_compile' -- check by making test program.
-# 'file_magic [[regex]]' -- check by looking for files in library path
-# which responds to the $file_magic_cmd with a given extended regex.
-# If you have `file' or equivalent on your system and you're not sure
-# whether `pass_all' will *always* work, you probably want this one.
-
-case $host_os in
-aix[4-9]*)
-  lt_cv_deplibs_check_method=pass_all
-  ;;
-
-beos*)
-  lt_cv_deplibs_check_method=pass_all
-  ;;
-
-bsdi[45]*)
-  lt_cv_deplibs_check_method='file_magic ELF [0-9][0-9]*-bit [ML]SB (shared object|dynamic lib)'
-  lt_cv_file_magic_cmd='/usr/bin/file -L'
-  lt_cv_file_magic_test_file=/shlib/libc.so
-  ;;
-
-cygwin*)
-  # func_win32_libid is a shell function defined in ltmain.sh
-  lt_cv_deplibs_check_method='file_magic ^x86 archive import|^x86 DLL'
-  lt_cv_file_magic_cmd='func_win32_libid'
-  ;;
-
-mingw* | pw32*)
-  # Base MSYS/MinGW do not provide the 'file' command needed by
-  # func_win32_libid shell function, so use a weaker test based on 'objdump',
-  # unless we find 'file', for example because we are cross-compiling.
-  if ( file / ) >/dev/null 2>&1; then
-    lt_cv_deplibs_check_method='file_magic ^x86 archive import|^x86 DLL'
-    lt_cv_file_magic_cmd='func_win32_libid'
-  else
-    lt_cv_deplibs_check_method='file_magic file format pei*-i386(.*architecture: i386)?'
-    lt_cv_file_magic_cmd='$OBJDUMP -f'
-  fi
-  ;;
-
-darwin* | rhapsody*)
-  lt_cv_deplibs_check_method=pass_all
-  ;;
-
-freebsd* | dragonfly*)
-  if echo __ELF__ | $CC -E - | grep __ELF__ > /dev/null; then
-    case $host_cpu in
-    i*86 )
-      # Not sure whether the presence of OpenBSD here was a mistake.
-      # Let's accept both of them until this is cleared up.
-      lt_cv_deplibs_check_method='file_magic (FreeBSD|OpenBSD|DragonFly)/i[3-9]86 (compact )?demand paged shared library'
-      lt_cv_file_magic_cmd=/usr/bin/file
-      lt_cv_file_magic_test_file=`echo /usr/lib/libc.so.*`
-      ;;
-    esac
-  else
-    lt_cv_deplibs_check_method=pass_all
-  fi
-  ;;
-
-gnu*)
-  lt_cv_deplibs_check_method=pass_all
-  ;;
-
-hpux10.20* | hpux11*)
-  lt_cv_file_magic_cmd=/usr/bin/file
-  case $host_cpu in
-  ia64*)
-    lt_cv_deplibs_check_method='file_magic (s[0-9][0-9][0-9]|ELF-[0-9][0-9]) shared object file - IA64'
-    lt_cv_file_magic_test_file=/usr/lib/hpux32/libc.so
-    ;;
-  hppa*64*)
-    lt_cv_deplibs_check_method='file_magic (s[0-9][0-9][0-9]|ELF-[0-9][0-9]) shared object file - PA-RISC [0-9].[0-9]'
-    lt_cv_file_magic_test_file=/usr/lib/pa20_64/libc.sl
-    ;;
-  *)
-    lt_cv_deplibs_check_method='file_magic (s[0-9][0-9][0-9]|PA-RISC[0-9].[0-9]) shared library'
-    lt_cv_file_magic_test_file=/usr/lib/libc.sl
-    ;;
-  esac
-  ;;
-
-interix[3-9]*)
-  # PIC code is broken on Interix 3.x, that's why |\.a not |_pic\.a here
-  lt_cv_deplibs_check_method='match_pattern /lib[^/]+(\.so|\.a)$'
-  ;;
-
-irix5* | irix6* | nonstopux*)
-  case $LD in
-  *-32|*"-32 ") libmagic=32-bit;;
-  *-n32|*"-n32 ") libmagic=N32;;
-  *-64|*"-64 ") libmagic=64-bit;;
-  *) libmagic=never-match;;
-  esac
-  lt_cv_deplibs_check_method=pass_all
-  ;;
-
-# This must be Linux ELF.
-linux* | k*bsd*-gnu)
-  lt_cv_deplibs_check_method=pass_all
-  ;;
-
-netbsd* | netbsdelf*-gnu)
-  if echo __ELF__ | $CC -E - | grep __ELF__ > /dev/null; then
-    lt_cv_deplibs_check_method='match_pattern /lib[^/]+(\.so\.[0-9]+\.[0-9]+|_pic\.a)$'
-  else
-    lt_cv_deplibs_check_method='match_pattern /lib[^/]+(\.so|_pic\.a)$'
-  fi
-  ;;
-
-newos6*)
-  lt_cv_deplibs_check_method='file_magic ELF [0-9][0-9]*-bit [ML]SB (executable|dynamic lib)'
-  lt_cv_file_magic_cmd=/usr/bin/file
-  lt_cv_file_magic_test_file=/usr/lib/libnls.so
-  ;;
-
-nto-qnx*)
-  lt_cv_deplibs_check_method=unknown
-  ;;
-
-openbsd*)
-  if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
-    lt_cv_deplibs_check_method='match_pattern /lib[^/]+(\.so\.[0-9]+\.[0-9]+|\.so|_pic\.a)$'
-  else
-    lt_cv_deplibs_check_method='match_pattern /lib[^/]+(\.so\.[0-9]+\.[0-9]+|_pic\.a)$'
-  fi
-  ;;
-
-osf3* | osf4* | osf5*)
-  lt_cv_deplibs_check_method=pass_all
-  ;;
-
-rdos*)
-  lt_cv_deplibs_check_method=pass_all
-  ;;
-
-solaris*)
-  lt_cv_deplibs_check_method=pass_all
-  ;;
-
-sysv4 | sysv4.3*)
-  case $host_vendor in
-  motorola)
-    lt_cv_deplibs_check_method='file_magic ELF [0-9][0-9]*-bit [ML]SB (shared object|dynamic lib) M[0-9][0-9]* Version [0-9]'
-    lt_cv_file_magic_test_file=`echo /usr/lib/libc.so*`
-    ;;
-  ncr)
-    lt_cv_deplibs_check_method=pass_all
-    ;;
-  sequent)
-    lt_cv_file_magic_cmd='/bin/file'
-    lt_cv_deplibs_check_method='file_magic ELF [0-9][0-9]*-bit [LM]SB (shared object|dynamic lib )'
-    ;;
-  sni)
-    lt_cv_file_magic_cmd='/bin/file'
-    lt_cv_deplibs_check_method="file_magic ELF [0-9][0-9]*-bit [LM]SB dynamic lib"
-    lt_cv_file_magic_test_file=/lib/libc.so
-    ;;
-  siemens)
-    lt_cv_deplibs_check_method=pass_all
-    ;;
-  pc)
-    lt_cv_deplibs_check_method=pass_all
-    ;;
-  esac
-  ;;
-
-sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX* | sysv4*uw2*)
-  lt_cv_deplibs_check_method=pass_all
-  ;;
-esac
-
-fi
-{ echo "$as_me:$LINENO: result: $lt_cv_deplibs_check_method" >&5
-echo "${ECHO_T}$lt_cv_deplibs_check_method" >&6; }
-file_magic_cmd=$lt_cv_file_magic_cmd
-deplibs_check_method=$lt_cv_deplibs_check_method
-test -z "$deplibs_check_method" && deplibs_check_method=unknown
-
-
-
-
-# If no C compiler was specified, use CC.
-LTCC=${LTCC-"$CC"}
-
-# If no C compiler flags were specified, use CFLAGS.
-LTCFLAGS=${LTCFLAGS-"$CFLAGS"}
-
-# Allow CC to be a program name with arguments.
-compiler=$CC
-
-
-# Check whether --enable-libtool-lock was given.
-if test "${enable_libtool_lock+set}" = set; then
-  enableval=$enable_libtool_lock;
-fi
-
-test "x$enable_libtool_lock" != xno && enable_libtool_lock=yes
-
-# Some flags need to be propagated to the compiler or linker for good
-# libtool support.
-case $host in
-ia64-*-hpux*)
-  # Find out which ABI we are using.
-  echo 'int i;' > conftest.$ac_ext
-  if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; then
-    case `/usr/bin/file conftest.$ac_objext` in
-    *ELF-32*)
-      HPUX_IA64_MODE="32"
-      ;;
-    *ELF-64*)
-      HPUX_IA64_MODE="64"
-      ;;
-    esac
-  fi
-  rm -rf conftest*
-  ;;
-*-*-irix6*)
-  # Find out which ABI we are using.
-  echo '#line 4665 "configure"' > conftest.$ac_ext
-  if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; then
-   if test "$lt_cv_prog_gnu_ld" = yes; then
-    case `/usr/bin/file conftest.$ac_objext` in
-    *32-bit*)
-      LD="${LD-ld} -melf32bsmip"
-      ;;
-    *N32*)
-      LD="${LD-ld} -melf32bmipn32"
-      ;;
-    *64-bit*)
-      LD="${LD-ld} -melf64bmip"
-      ;;
-    esac
-   else
-    case `/usr/bin/file conftest.$ac_objext` in
-    *32-bit*)
-      LD="${LD-ld} -32"
-      ;;
-    *N32*)
-      LD="${LD-ld} -n32"
-      ;;
-    *64-bit*)
-      LD="${LD-ld} -64"
-      ;;
-    esac
-   fi
-  fi
-  rm -rf conftest*
-  ;;
-
-x86_64-*kfreebsd*-gnu|x86_64-*linux*|ppc*-*linux*|powerpc*-*linux*| \
-s390*-*linux*|sparc*-*linux*)
-  # Find out which ABI we are using.
-  echo 'int i;' > conftest.$ac_ext
-  if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; then
-    case `/usr/bin/file conftest.o` in
-    *32-bit*)
-      case $host in
-        x86_64-*kfreebsd*-gnu)
-          LD="${LD-ld} -m elf_i386_fbsd"
-          ;;
-        x86_64-*linux*)
-          LD="${LD-ld} -m elf_i386"
-          ;;
-        ppc64-*linux*|powerpc64-*linux*)
-          LD="${LD-ld} -m elf32ppclinux"
-          ;;
-        s390x-*linux*)
-          LD="${LD-ld} -m elf_s390"
-          ;;
-        sparc64-*linux*)
-          LD="${LD-ld} -m elf32_sparc"
-          ;;
-      esac
-      ;;
-    *64-bit*)
-      case $host in
-        x86_64-*kfreebsd*-gnu)
-          LD="${LD-ld} -m elf_x86_64_fbsd"
-          ;;
-        x86_64-*linux*)
-          LD="${LD-ld} -m elf_x86_64"
-          ;;
-        ppc*-*linux*|powerpc*-*linux*)
-          LD="${LD-ld} -m elf64ppc"
-          ;;
-        s390*-*linux*)
-          LD="${LD-ld} -m elf64_s390"
-          ;;
-        sparc*-*linux*)
-          LD="${LD-ld} -m elf64_sparc"
-          ;;
-      esac
-      ;;
-    esac
-  fi
-  rm -rf conftest*
-  ;;
-
-*-*-sco3.2v5*)
-  # On SCO OpenServer 5, we need -belf to get full-featured binaries.
-  SAVE_CFLAGS="$CFLAGS"
-  CFLAGS="$CFLAGS -belf"
-  { echo "$as_me:$LINENO: checking whether the C compiler needs -belf" >&5
-echo $ECHO_N "checking whether the C compiler needs -belf... $ECHO_C" >&6; }
-if test "${lt_cv_cc_needs_belf+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  ac_ext=c
-ac_cpp='$CPP $CPPFLAGS'
-ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
-ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
-ac_compiler_gnu=$ac_cv_c_compiler_gnu
-
-     cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-int
-main ()
-{
-
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
-  lt_cv_cc_needs_belf=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	lt_cv_cc_needs_belf=no
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
-     ac_ext=c
-ac_cpp='$CPP $CPPFLAGS'
-ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
-ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
-ac_compiler_gnu=$ac_cv_c_compiler_gnu
-
-fi
-{ echo "$as_me:$LINENO: result: $lt_cv_cc_needs_belf" >&5
-echo "${ECHO_T}$lt_cv_cc_needs_belf" >&6; }
-  if test x"$lt_cv_cc_needs_belf" != x"yes"; then
-    # this is probably gcc 2.8.0, egcs 1.0 or newer; no need for -belf
-    CFLAGS="$SAVE_CFLAGS"
-  fi
-  ;;
-sparc*-*solaris*)
-  # Find out which ABI we are using.
-  echo 'int i;' > conftest.$ac_ext
-  if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; then
-    case `/usr/bin/file conftest.o` in
-    *64-bit*)
-      case $lt_cv_prog_gnu_ld in
-      yes*) LD="${LD-ld} -m elf64_sparc" ;;
-      *)
-        if ${LD-ld} -64 -r -o conftest2.o conftest.o >/dev/null 2>&1; then
-	  LD="${LD-ld} -64"
-	fi
-	;;
-      esac
-      ;;
-    esac
-  fi
-  rm -rf conftest*
-  ;;
-
-
-esac
-
-need_locks="$enable_libtool_lock"
-
-
-ac_ext=c
-ac_cpp='$CPP $CPPFLAGS'
-ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
-ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
-ac_compiler_gnu=$ac_cv_c_compiler_gnu
-{ echo "$as_me:$LINENO: checking how to run the C preprocessor" >&5
-echo $ECHO_N "checking how to run the C preprocessor... $ECHO_C" >&6; }
-# On Suns, sometimes $CPP names a directory.
-if test -n "$CPP" && test -d "$CPP"; then
-  CPP=
-fi
-if test -z "$CPP"; then
-  if test "${ac_cv_prog_CPP+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-      # Double quotes because CPP needs to be expanded
-    for CPP in "$CC -E" "$CC -E -traditional-cpp" "/lib/cpp"
-    do
-      ac_preproc_ok=false
-for ac_c_preproc_warn_flag in '' yes
-do
-  # Use a header file that comes with gcc, so configuring glibc
-  # with a fresh cross-compiler works.
-  # Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
-  # <limits.h> exists even on freestanding compilers.
-  # On the NeXT, cc -E runs the code through the compiler's parser,
-  # not just through cpp. "Syntax error" is here to catch this case.
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
-		     Syntax error
-_ACEOF
-if { (ac_try="$ac_cpp conftest.$ac_ext"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } >/dev/null && {
-	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       }; then
-  :
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-  # Broken: fails on valid input.
-continue
-fi
-
-rm -f conftest.err conftest.$ac_ext
-
-  # OK, works on sane cases.  Now check whether nonexistent headers
-  # can be detected and how.
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#include <ac_nonexistent.h>
-_ACEOF
-if { (ac_try="$ac_cpp conftest.$ac_ext"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } >/dev/null && {
-	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       }; then
-  # Broken: success on invalid input.
-continue
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-  # Passes both tests.
-ac_preproc_ok=:
-break
-fi
-
-rm -f conftest.err conftest.$ac_ext
-
-done
-# Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped.
-rm -f conftest.err conftest.$ac_ext
-if $ac_preproc_ok; then
-  break
-fi
-
-    done
-    ac_cv_prog_CPP=$CPP
-
-fi
-  CPP=$ac_cv_prog_CPP
-else
-  ac_cv_prog_CPP=$CPP
-fi
-{ echo "$as_me:$LINENO: result: $CPP" >&5
-echo "${ECHO_T}$CPP" >&6; }
-ac_preproc_ok=false
-for ac_c_preproc_warn_flag in '' yes
-do
-  # Use a header file that comes with gcc, so configuring glibc
-  # with a fresh cross-compiler works.
-  # Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
-  # <limits.h> exists even on freestanding compilers.
-  # On the NeXT, cc -E runs the code through the compiler's parser,
-  # not just through cpp. "Syntax error" is here to catch this case.
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
-		     Syntax error
-_ACEOF
-if { (ac_try="$ac_cpp conftest.$ac_ext"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } >/dev/null && {
-	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       }; then
-  :
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-  # Broken: fails on valid input.
-continue
-fi
-
-rm -f conftest.err conftest.$ac_ext
-
-  # OK, works on sane cases.  Now check whether nonexistent headers
-  # can be detected and how.
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#include <ac_nonexistent.h>
-_ACEOF
-if { (ac_try="$ac_cpp conftest.$ac_ext"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } >/dev/null && {
-	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       }; then
-  # Broken: success on invalid input.
-continue
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-  # Passes both tests.
-ac_preproc_ok=:
-break
-fi
-
-rm -f conftest.err conftest.$ac_ext
-
-done
-# Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped.
-rm -f conftest.err conftest.$ac_ext
-if $ac_preproc_ok; then
-  :
-else
-  { { echo "$as_me:$LINENO: error: C preprocessor \"$CPP\" fails sanity check
-See \`config.log' for more details." >&5
-echo "$as_me: error: C preprocessor \"$CPP\" fails sanity check
-See \`config.log' for more details." >&2;}
-   { (exit 1); exit 1; }; }
-fi
-
-ac_ext=c
-ac_cpp='$CPP $CPPFLAGS'
-ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
-ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
-ac_compiler_gnu=$ac_cv_c_compiler_gnu
-
-
-{ echo "$as_me:$LINENO: checking for ANSI C header files" >&5
-echo $ECHO_N "checking for ANSI C header files... $ECHO_C" >&6; }
-if test "${ac_cv_header_stdc+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#include <stdlib.h>
-#include <stdarg.h>
-#include <string.h>
-#include <float.h>
-
-int
-main ()
-{
-
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  ac_cv_header_stdc=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_cv_header_stdc=no
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-
-if test $ac_cv_header_stdc = yes; then
-  # SunOS 4.x string.h does not declare mem*, contrary to ANSI.
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#include <string.h>
-
-_ACEOF
-if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
-  $EGREP "memchr" >/dev/null 2>&1; then
-  :
-else
-  ac_cv_header_stdc=no
-fi
-rm -f conftest*
-
-fi
-
-if test $ac_cv_header_stdc = yes; then
-  # ISC 2.0.2 stdlib.h does not declare free, contrary to ANSI.
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#include <stdlib.h>
-
-_ACEOF
-if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
-  $EGREP "free" >/dev/null 2>&1; then
-  :
-else
-  ac_cv_header_stdc=no
-fi
-rm -f conftest*
-
-fi
-
-if test $ac_cv_header_stdc = yes; then
-  # /bin/cc in Irix-4.0.5 gets non-ANSI ctype macros unless using -ansi.
-  if test "$cross_compiling" = yes; then
-  :
-else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#include <ctype.h>
-#include <stdlib.h>
-#if ((' ' & 0x0FF) == 0x020)
-# define ISLOWER(c) ('a' <= (c) && (c) <= 'z')
-# define TOUPPER(c) (ISLOWER(c) ? 'A' + ((c) - 'a') : (c))
-#else
-# define ISLOWER(c) \
-		   (('a' <= (c) && (c) <= 'i') \
-		     || ('j' <= (c) && (c) <= 'r') \
-		     || ('s' <= (c) && (c) <= 'z'))
-# define TOUPPER(c) (ISLOWER(c) ? ((c) | 0x40) : (c))
-#endif
-
-#define XOR(e, f) (((e) && !(f)) || (!(e) && (f)))
-int
-main ()
-{
-  int i;
-  for (i = 0; i < 256; i++)
-    if (XOR (islower (i), ISLOWER (i))
-	|| toupper (i) != TOUPPER (i))
-      return 2;
-  return 0;
-}
-_ACEOF
-rm -f conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_link") 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
-  { (case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_try") 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  :
-else
-  echo "$as_me: program exited with status $ac_status" >&5
-echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-( exit $ac_status )
-ac_cv_header_stdc=no
-fi
-rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
-fi
-
-
-fi
-fi
-{ echo "$as_me:$LINENO: result: $ac_cv_header_stdc" >&5
-echo "${ECHO_T}$ac_cv_header_stdc" >&6; }
-if test $ac_cv_header_stdc = yes; then
-
-cat >>confdefs.h <<\_ACEOF
-#define STDC_HEADERS 1
-_ACEOF
-
-fi
-
-# On IRIX 5.3, sys/types and inttypes.h are conflicting.
-
-
-
-
-
-
-
-
-
-for ac_header in sys/types.h sys/stat.h stdlib.h string.h memory.h strings.h \
-		  inttypes.h stdint.h unistd.h
-do
-as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
-{ echo "$as_me:$LINENO: checking for $ac_header" >&5
-echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
-if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-$ac_includes_default
-
-#include <$ac_header>
-_ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  eval "$as_ac_Header=yes"
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	eval "$as_ac_Header=no"
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-fi
-ac_res=`eval echo '${'$as_ac_Header'}'`
-	       { echo "$as_me:$LINENO: result: $ac_res" >&5
-echo "${ECHO_T}$ac_res" >&6; }
-if test `eval echo '${'$as_ac_Header'}'` = yes; then
-  cat >>confdefs.h <<_ACEOF
-#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
-_ACEOF
-
-fi
-
-done
-
-
-
-for ac_header in dlfcn.h
-do
-as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
-if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
-  { echo "$as_me:$LINENO: checking for $ac_header" >&5
-echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
-if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-fi
-ac_res=`eval echo '${'$as_ac_Header'}'`
-	       { echo "$as_me:$LINENO: result: $ac_res" >&5
-echo "${ECHO_T}$ac_res" >&6; }
-else
-  # Is the header compilable?
-{ echo "$as_me:$LINENO: checking $ac_header usability" >&5
-echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6; }
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-$ac_includes_default
-#include <$ac_header>
-_ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  ac_header_compiler=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_header_compiler=no
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
-echo "${ECHO_T}$ac_header_compiler" >&6; }
-
-# Is the header present?
-{ echo "$as_me:$LINENO: checking $ac_header presence" >&5
-echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6; }
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#include <$ac_header>
-_ACEOF
-if { (ac_try="$ac_cpp conftest.$ac_ext"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } >/dev/null && {
-	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       }; then
-  ac_header_preproc=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-  ac_header_preproc=no
-fi
-
-rm -f conftest.err conftest.$ac_ext
-{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
-echo "${ECHO_T}$ac_header_preproc" >&6; }
-
-# So?  What about this header?
-case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
-  yes:no: )
-    { echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5
-echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;}
-    { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the compiler's result" >&5
-echo "$as_me: WARNING: $ac_header: proceeding with the compiler's result" >&2;}
-    ac_header_preproc=yes
-    ;;
-  no:yes:* )
-    { echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5
-echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;}
-    { echo "$as_me:$LINENO: WARNING: $ac_header:     check for missing prerequisite headers?" >&5
-echo "$as_me: WARNING: $ac_header:     check for missing prerequisite headers?" >&2;}
-    { echo "$as_me:$LINENO: WARNING: $ac_header: see the Autoconf documentation" >&5
-echo "$as_me: WARNING: $ac_header: see the Autoconf documentation" >&2;}
-    { echo "$as_me:$LINENO: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\"" >&5
-echo "$as_me: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\"" >&2;}
-    { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5
-echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;}
-    { echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5
-echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;}
-    ( cat <<\_ASBOX
-## ------------------------------------ ##
-## Report this to martin@strongswan.org ##
-## ------------------------------------ ##
-_ASBOX
-     ) | sed "s/^/$as_me: WARNING:     /" >&2
-    ;;
-esac
-{ echo "$as_me:$LINENO: checking for $ac_header" >&5
-echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
-if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  eval "$as_ac_Header=\$ac_header_preproc"
-fi
-ac_res=`eval echo '${'$as_ac_Header'}'`
-	       { echo "$as_me:$LINENO: result: $ac_res" >&5
-echo "${ECHO_T}$ac_res" >&6; }
-
-fi
-if test `eval echo '${'$as_ac_Header'}'` = yes; then
-  cat >>confdefs.h <<_ACEOF
-#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
-_ACEOF
-
-fi
-
-done
-
-ac_ext=cpp
-ac_cpp='$CXXCPP $CPPFLAGS'
-ac_compile='$CXX -c $CXXFLAGS $CPPFLAGS conftest.$ac_ext >&5'
-ac_link='$CXX -o conftest$ac_exeext $CXXFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
-ac_compiler_gnu=$ac_cv_cxx_compiler_gnu
-if test -z "$CXX"; then
-  if test -n "$CCC"; then
-    CXX=$CCC
-  else
-    if test -n "$ac_tool_prefix"; then
-  for ac_prog in g++ c++ gpp aCC CC cxx cc++ cl.exe FCC KCC RCC xlC_r xlC
-  do
-    # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args.
-set dummy $ac_tool_prefix$ac_prog; ac_word=$2
-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
-if test "${ac_cv_prog_CXX+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  if test -n "$CXX"; then
-  ac_cv_prog_CXX="$CXX" # Let the user override the test.
-else
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-    ac_cv_prog_CXX="$ac_tool_prefix$ac_prog"
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
-    break 2
-  fi
-done
-done
-IFS=$as_save_IFS
-
-fi
-fi
-CXX=$ac_cv_prog_CXX
-if test -n "$CXX"; then
-  { echo "$as_me:$LINENO: result: $CXX" >&5
-echo "${ECHO_T}$CXX" >&6; }
-else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
-fi
-
-
-    test -n "$CXX" && break
-  done
-fi
-if test -z "$CXX"; then
-  ac_ct_CXX=$CXX
-  for ac_prog in g++ c++ gpp aCC CC cxx cc++ cl.exe FCC KCC RCC xlC_r xlC
-do
-  # Extract the first word of "$ac_prog", so it can be a program name with args.
-set dummy $ac_prog; ac_word=$2
-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
-if test "${ac_cv_prog_ac_ct_CXX+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  if test -n "$ac_ct_CXX"; then
-  ac_cv_prog_ac_ct_CXX="$ac_ct_CXX" # Let the user override the test.
-else
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-    ac_cv_prog_ac_ct_CXX="$ac_prog"
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
-    break 2
-  fi
-done
-done
-IFS=$as_save_IFS
-
-fi
-fi
-ac_ct_CXX=$ac_cv_prog_ac_ct_CXX
-if test -n "$ac_ct_CXX"; then
-  { echo "$as_me:$LINENO: result: $ac_ct_CXX" >&5
-echo "${ECHO_T}$ac_ct_CXX" >&6; }
-else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
-fi
-
-
-  test -n "$ac_ct_CXX" && break
-done
-
-  if test "x$ac_ct_CXX" = x; then
-    CXX="g++"
-  else
-    case $cross_compiling:$ac_tool_warned in
-yes:)
-{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
-whose name does not start with the host triplet.  If you think this
-configuration is useful to you, please write to autoconf@gnu.org." >&5
-echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
-whose name does not start with the host triplet.  If you think this
-configuration is useful to you, please write to autoconf@gnu.org." >&2;}
-ac_tool_warned=yes ;;
-esac
-    CXX=$ac_ct_CXX
-  fi
-fi
-
-  fi
-fi
-# Provide some information about the compiler.
-echo "$as_me:$LINENO: checking for C++ compiler version" >&5
-ac_compiler=`set X $ac_compile; echo $2`
-{ (ac_try="$ac_compiler --version >&5"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_compiler --version >&5") 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }
-{ (ac_try="$ac_compiler -v >&5"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_compiler -v >&5") 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }
-{ (ac_try="$ac_compiler -V >&5"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_compiler -V >&5") 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }
-
-{ echo "$as_me:$LINENO: checking whether we are using the GNU C++ compiler" >&5
-echo $ECHO_N "checking whether we are using the GNU C++ compiler... $ECHO_C" >&6; }
-if test "${ac_cv_cxx_compiler_gnu+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-int
-main ()
-{
-#ifndef __GNUC__
-       choke me
-#endif
-
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_cxx_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  ac_compiler_gnu=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_compiler_gnu=no
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-ac_cv_cxx_compiler_gnu=$ac_compiler_gnu
-
-fi
-{ echo "$as_me:$LINENO: result: $ac_cv_cxx_compiler_gnu" >&5
-echo "${ECHO_T}$ac_cv_cxx_compiler_gnu" >&6; }
-GXX=`test $ac_compiler_gnu = yes && echo yes`
-ac_test_CXXFLAGS=${CXXFLAGS+set}
-ac_save_CXXFLAGS=$CXXFLAGS
-{ echo "$as_me:$LINENO: checking whether $CXX accepts -g" >&5
-echo $ECHO_N "checking whether $CXX accepts -g... $ECHO_C" >&6; }
-if test "${ac_cv_prog_cxx_g+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  ac_save_cxx_werror_flag=$ac_cxx_werror_flag
-   ac_cxx_werror_flag=yes
-   ac_cv_prog_cxx_g=no
-   CXXFLAGS="-g"
-   cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-int
-main ()
-{
-
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_cxx_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  ac_cv_prog_cxx_g=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	CXXFLAGS=""
-      cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-int
-main ()
-{
-
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_cxx_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  :
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_cxx_werror_flag=$ac_save_cxx_werror_flag
-	 CXXFLAGS="-g"
-	 cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-int
-main ()
-{
-
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_cxx_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  ac_cv_prog_cxx_g=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-   ac_cxx_werror_flag=$ac_save_cxx_werror_flag
-fi
-{ echo "$as_me:$LINENO: result: $ac_cv_prog_cxx_g" >&5
-echo "${ECHO_T}$ac_cv_prog_cxx_g" >&6; }
-if test "$ac_test_CXXFLAGS" = set; then
-  CXXFLAGS=$ac_save_CXXFLAGS
-elif test $ac_cv_prog_cxx_g = yes; then
-  if test "$GXX" = yes; then
-    CXXFLAGS="-g -O2"
-  else
-    CXXFLAGS="-g"
-  fi
-else
-  if test "$GXX" = yes; then
-    CXXFLAGS="-O2"
-  else
-    CXXFLAGS=
-  fi
-fi
-ac_ext=cpp
-ac_cpp='$CXXCPP $CPPFLAGS'
-ac_compile='$CXX -c $CXXFLAGS $CPPFLAGS conftest.$ac_ext >&5'
-ac_link='$CXX -o conftest$ac_exeext $CXXFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
-ac_compiler_gnu=$ac_cv_cxx_compiler_gnu
-
-depcc="$CXX"  am_compiler_list=
-
-{ echo "$as_me:$LINENO: checking dependency style of $depcc" >&5
-echo $ECHO_N "checking dependency style of $depcc... $ECHO_C" >&6; }
-if test "${am_cv_CXX_dependencies_compiler_type+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  if test -z "$AMDEP_TRUE" && test -f "$am_depcomp"; then
-  # We make a subdir and do the tests there.  Otherwise we can end up
-  # making bogus files that we don't know about and never remove.  For
-  # instance it was reported that on HP-UX the gcc test will end up
-  # making a dummy file named `D' -- because `-MD' means `put the output
-  # in D'.
-  mkdir conftest.dir
-  # Copy depcomp to subdir because otherwise we won't find it if we're
-  # using a relative directory.
-  cp "$am_depcomp" conftest.dir
-  cd conftest.dir
-  # We will build objects and dependencies in a subdirectory because
-  # it helps to detect inapplicable dependency modes.  For instance
-  # both Tru64's cc and ICC support -MD to output dependencies as a
-  # side effect of compilation, but ICC will put the dependencies in
-  # the current directory while Tru64 will put them in the object
-  # directory.
-  mkdir sub
-
-  am_cv_CXX_dependencies_compiler_type=none
-  if test "$am_compiler_list" = ""; then
-     am_compiler_list=`sed -n 's/^#*\([a-zA-Z0-9]*\))$/\1/p' < ./depcomp`
-  fi
-  for depmode in $am_compiler_list; do
-    # Setup a source with many dependencies, because some compilers
-    # like to wrap large dependency lists on column 80 (with \), and
-    # we should not choose a depcomp mode which is confused by this.
-    #
-    # We need to recreate these files for each test, as the compiler may
-    # overwrite some of them when testing with obscure command lines.
-    # This happens at least with the AIX C compiler.
-    : > sub/conftest.c
-    for i in 1 2 3 4 5 6; do
-      echo '#include "conftst'$i'.h"' >> sub/conftest.c
-      # Using `: > sub/conftst$i.h' creates only sub/conftst1.h with
-      # Solaris 8's {/usr,}/bin/sh.
-      touch sub/conftst$i.h
-    done
-    echo "${am__include} ${am__quote}sub/conftest.Po${am__quote}" > confmf
-
-    case $depmode in
-    nosideeffect)
-      # after this tag, mechanisms are not by side-effect, so they'll
-      # only be used when explicitly requested
-      if test "x$enable_dependency_tracking" = xyes; then
-	continue
-      else
-	break
-      fi
-      ;;
-    none) break ;;
-    esac
-    # We check with `-c' and `-o' for the sake of the "dashmstdout"
-    # mode.  It turns out that the SunPro C++ compiler does not properly
-    # handle `-M -o', and we need to detect this.
-    if depmode=$depmode \
-       source=sub/conftest.c object=sub/conftest.${OBJEXT-o} \
-       depfile=sub/conftest.Po tmpdepfile=sub/conftest.TPo \
-       $SHELL ./depcomp $depcc -c -o sub/conftest.${OBJEXT-o} sub/conftest.c \
-         >/dev/null 2>conftest.err &&
-       grep sub/conftst1.h sub/conftest.Po > /dev/null 2>&1 &&
-       grep sub/conftst6.h sub/conftest.Po > /dev/null 2>&1 &&
-       grep sub/conftest.${OBJEXT-o} sub/conftest.Po > /dev/null 2>&1 &&
-       ${MAKE-make} -s -f confmf > /dev/null 2>&1; then
-      # icc doesn't choke on unknown options, it will just issue warnings
-      # or remarks (even with -Werror).  So we grep stderr for any message
-      # that says an option was ignored or not supported.
-      # When given -MP, icc 7.0 and 7.1 complain thusly:
-      #   icc: Command line warning: ignoring option '-M'; no argument required
-      # The diagnosis changed in icc 8.0:
-      #   icc: Command line remark: option '-MP' not supported
-      if (grep 'ignoring option' conftest.err ||
-          grep 'not supported' conftest.err) >/dev/null 2>&1; then :; else
-        am_cv_CXX_dependencies_compiler_type=$depmode
-        break
-      fi
-    fi
-  done
-
-  cd ..
-  rm -rf conftest.dir
-else
-  am_cv_CXX_dependencies_compiler_type=none
-fi
-
-fi
-{ echo "$as_me:$LINENO: result: $am_cv_CXX_dependencies_compiler_type" >&5
-echo "${ECHO_T}$am_cv_CXX_dependencies_compiler_type" >&6; }
-CXXDEPMODE=depmode=$am_cv_CXX_dependencies_compiler_type
-
- if
-  test "x$enable_dependency_tracking" != xno \
-  && test "$am_cv_CXX_dependencies_compiler_type" = gcc3; then
-  am__fastdepCXX_TRUE=
-  am__fastdepCXX_FALSE='#'
-else
-  am__fastdepCXX_TRUE='#'
-  am__fastdepCXX_FALSE=
-fi
-
-
-
-
-if test -n "$CXX" && ( test "X$CXX" != "Xno" &&
-    ( (test "X$CXX" = "Xg++" && `g++ -v >/dev/null 2>&1` ) ||
-    (test "X$CXX" != "Xg++"))) ; then
-  ac_ext=cpp
-ac_cpp='$CXXCPP $CPPFLAGS'
-ac_compile='$CXX -c $CXXFLAGS $CPPFLAGS conftest.$ac_ext >&5'
-ac_link='$CXX -o conftest$ac_exeext $CXXFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
-ac_compiler_gnu=$ac_cv_cxx_compiler_gnu
-{ echo "$as_me:$LINENO: checking how to run the C++ preprocessor" >&5
-echo $ECHO_N "checking how to run the C++ preprocessor... $ECHO_C" >&6; }
-if test -z "$CXXCPP"; then
-  if test "${ac_cv_prog_CXXCPP+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-      # Double quotes because CXXCPP needs to be expanded
-    for CXXCPP in "$CXX -E" "/lib/cpp"
-    do
-      ac_preproc_ok=false
-for ac_cxx_preproc_warn_flag in '' yes
-do
-  # Use a header file that comes with gcc, so configuring glibc
-  # with a fresh cross-compiler works.
-  # Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
-  # <limits.h> exists even on freestanding compilers.
-  # On the NeXT, cc -E runs the code through the compiler's parser,
-  # not just through cpp. "Syntax error" is here to catch this case.
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
-		     Syntax error
-_ACEOF
-if { (ac_try="$ac_cpp conftest.$ac_ext"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } >/dev/null && {
-	 test -z "$ac_cxx_preproc_warn_flag$ac_cxx_werror_flag" ||
-	 test ! -s conftest.err
-       }; then
-  :
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-  # Broken: fails on valid input.
-continue
-fi
-
-rm -f conftest.err conftest.$ac_ext
-
-  # OK, works on sane cases.  Now check whether nonexistent headers
-  # can be detected and how.
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#include <ac_nonexistent.h>
-_ACEOF
-if { (ac_try="$ac_cpp conftest.$ac_ext"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } >/dev/null && {
-	 test -z "$ac_cxx_preproc_warn_flag$ac_cxx_werror_flag" ||
-	 test ! -s conftest.err
-       }; then
-  # Broken: success on invalid input.
-continue
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-  # Passes both tests.
-ac_preproc_ok=:
-break
-fi
-
-rm -f conftest.err conftest.$ac_ext
-
-done
-# Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped.
-rm -f conftest.err conftest.$ac_ext
-if $ac_preproc_ok; then
-  break
-fi
-
-    done
-    ac_cv_prog_CXXCPP=$CXXCPP
-
-fi
-  CXXCPP=$ac_cv_prog_CXXCPP
-else
-  ac_cv_prog_CXXCPP=$CXXCPP
-fi
-{ echo "$as_me:$LINENO: result: $CXXCPP" >&5
-echo "${ECHO_T}$CXXCPP" >&6; }
-ac_preproc_ok=false
-for ac_cxx_preproc_warn_flag in '' yes
-do
-  # Use a header file that comes with gcc, so configuring glibc
-  # with a fresh cross-compiler works.
-  # Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
-  # <limits.h> exists even on freestanding compilers.
-  # On the NeXT, cc -E runs the code through the compiler's parser,
-  # not just through cpp. "Syntax error" is here to catch this case.
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
-		     Syntax error
-_ACEOF
-if { (ac_try="$ac_cpp conftest.$ac_ext"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } >/dev/null && {
-	 test -z "$ac_cxx_preproc_warn_flag$ac_cxx_werror_flag" ||
-	 test ! -s conftest.err
-       }; then
-  :
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-  # Broken: fails on valid input.
-continue
-fi
-
-rm -f conftest.err conftest.$ac_ext
-
-  # OK, works on sane cases.  Now check whether nonexistent headers
-  # can be detected and how.
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#include <ac_nonexistent.h>
-_ACEOF
-if { (ac_try="$ac_cpp conftest.$ac_ext"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } >/dev/null && {
-	 test -z "$ac_cxx_preproc_warn_flag$ac_cxx_werror_flag" ||
-	 test ! -s conftest.err
-       }; then
-  # Broken: success on invalid input.
-continue
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-  # Passes both tests.
-ac_preproc_ok=:
-break
-fi
-
-rm -f conftest.err conftest.$ac_ext
-
-done
-# Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped.
-rm -f conftest.err conftest.$ac_ext
-if $ac_preproc_ok; then
-  :
-else
-  { { echo "$as_me:$LINENO: error: C++ preprocessor \"$CXXCPP\" fails sanity check
-See \`config.log' for more details." >&5
-echo "$as_me: error: C++ preprocessor \"$CXXCPP\" fails sanity check
-See \`config.log' for more details." >&2;}
-   { (exit 1); exit 1; }; }
-fi
-
-ac_ext=cpp
-ac_cpp='$CXXCPP $CPPFLAGS'
-ac_compile='$CXX -c $CXXFLAGS $CPPFLAGS conftest.$ac_ext >&5'
-ac_link='$CXX -o conftest$ac_exeext $CXXFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
-ac_compiler_gnu=$ac_cv_cxx_compiler_gnu
-
-fi
-
-
-ac_ext=f
-ac_compile='$F77 -c $FFLAGS conftest.$ac_ext >&5'
-ac_link='$F77 -o conftest$ac_exeext $FFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
-ac_compiler_gnu=$ac_cv_f77_compiler_gnu
-if test -n "$ac_tool_prefix"; then
-  for ac_prog in g77 xlf f77 frt pgf77 cf77 fort77 fl32 af77 xlf90 f90 pgf90 pghpf epcf90 gfortran g95 xlf95 f95 fort ifort ifc efc pgf95 lf95 ftn
-  do
-    # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args.
-set dummy $ac_tool_prefix$ac_prog; ac_word=$2
-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
-if test "${ac_cv_prog_F77+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  if test -n "$F77"; then
-  ac_cv_prog_F77="$F77" # Let the user override the test.
-else
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-    ac_cv_prog_F77="$ac_tool_prefix$ac_prog"
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
-    break 2
-  fi
-done
-done
-IFS=$as_save_IFS
-
-fi
-fi
-F77=$ac_cv_prog_F77
-if test -n "$F77"; then
-  { echo "$as_me:$LINENO: result: $F77" >&5
-echo "${ECHO_T}$F77" >&6; }
-else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
-fi
-
-
-    test -n "$F77" && break
-  done
-fi
-if test -z "$F77"; then
-  ac_ct_F77=$F77
-  for ac_prog in g77 xlf f77 frt pgf77 cf77 fort77 fl32 af77 xlf90 f90 pgf90 pghpf epcf90 gfortran g95 xlf95 f95 fort ifort ifc efc pgf95 lf95 ftn
-do
-  # Extract the first word of "$ac_prog", so it can be a program name with args.
-set dummy $ac_prog; ac_word=$2
-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
-if test "${ac_cv_prog_ac_ct_F77+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  if test -n "$ac_ct_F77"; then
-  ac_cv_prog_ac_ct_F77="$ac_ct_F77" # Let the user override the test.
-else
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-    ac_cv_prog_ac_ct_F77="$ac_prog"
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
-    break 2
-  fi
-done
-done
-IFS=$as_save_IFS
-
-fi
-fi
-ac_ct_F77=$ac_cv_prog_ac_ct_F77
-if test -n "$ac_ct_F77"; then
-  { echo "$as_me:$LINENO: result: $ac_ct_F77" >&5
-echo "${ECHO_T}$ac_ct_F77" >&6; }
-else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
-fi
-
-
-  test -n "$ac_ct_F77" && break
-done
-
-  if test "x$ac_ct_F77" = x; then
-    F77=""
-  else
-    case $cross_compiling:$ac_tool_warned in
-yes:)
-{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
-whose name does not start with the host triplet.  If you think this
-configuration is useful to you, please write to autoconf@gnu.org." >&5
-echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
-whose name does not start with the host triplet.  If you think this
-configuration is useful to you, please write to autoconf@gnu.org." >&2;}
-ac_tool_warned=yes ;;
-esac
-    F77=$ac_ct_F77
-  fi
-fi
-
-
-# Provide some information about the compiler.
-echo "$as_me:$LINENO: checking for Fortran 77 compiler version" >&5
-ac_compiler=`set X $ac_compile; echo $2`
-{ (ac_try="$ac_compiler --version >&5"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_compiler --version >&5") 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }
-{ (ac_try="$ac_compiler -v >&5"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_compiler -v >&5") 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }
-{ (ac_try="$ac_compiler -V >&5"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_compiler -V >&5") 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }
-rm -f a.out
-
-# If we don't use `.F' as extension, the preprocessor is not run on the
-# input file.  (Note that this only needs to work for GNU compilers.)
-ac_save_ext=$ac_ext
-ac_ext=F
-{ echo "$as_me:$LINENO: checking whether we are using the GNU Fortran 77 compiler" >&5
-echo $ECHO_N "checking whether we are using the GNU Fortran 77 compiler... $ECHO_C" >&6; }
-if test "${ac_cv_f77_compiler_gnu+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  cat >conftest.$ac_ext <<_ACEOF
-      program main
-#ifndef __GNUC__
-       choke me
-#endif
-
-      end
-_ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_f77_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  ac_compiler_gnu=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_compiler_gnu=no
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-ac_cv_f77_compiler_gnu=$ac_compiler_gnu
-
-fi
-{ echo "$as_me:$LINENO: result: $ac_cv_f77_compiler_gnu" >&5
-echo "${ECHO_T}$ac_cv_f77_compiler_gnu" >&6; }
-ac_ext=$ac_save_ext
-ac_test_FFLAGS=${FFLAGS+set}
-ac_save_FFLAGS=$FFLAGS
-FFLAGS=
-{ echo "$as_me:$LINENO: checking whether $F77 accepts -g" >&5
-echo $ECHO_N "checking whether $F77 accepts -g... $ECHO_C" >&6; }
-if test "${ac_cv_prog_f77_g+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  FFLAGS=-g
-cat >conftest.$ac_ext <<_ACEOF
-      program main
-
-      end
-_ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_f77_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  ac_cv_prog_f77_g=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_cv_prog_f77_g=no
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-
-fi
-{ echo "$as_me:$LINENO: result: $ac_cv_prog_f77_g" >&5
-echo "${ECHO_T}$ac_cv_prog_f77_g" >&6; }
-if test "$ac_test_FFLAGS" = set; then
-  FFLAGS=$ac_save_FFLAGS
-elif test $ac_cv_prog_f77_g = yes; then
-  if test "x$ac_cv_f77_compiler_gnu" = xyes; then
-    FFLAGS="-g -O2"
-  else
-    FFLAGS="-g"
-  fi
-else
-  if test "x$ac_cv_f77_compiler_gnu" = xyes; then
-    FFLAGS="-O2"
-  else
-    FFLAGS=
-  fi
-fi
-
-G77=`test $ac_compiler_gnu = yes && echo yes`
-ac_ext=c
-ac_cpp='$CPP $CPPFLAGS'
-ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
-ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
-ac_compiler_gnu=$ac_cv_c_compiler_gnu
-
-
-
-# Autoconf 2.13's AC_OBJEXT and AC_EXEEXT macros only works for C compilers!
-# find the maximum length of command line arguments
-{ echo "$as_me:$LINENO: checking the maximum length of command line arguments" >&5
-echo $ECHO_N "checking the maximum length of command line arguments... $ECHO_C" >&6; }
-if test "${lt_cv_sys_max_cmd_len+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-    i=0
-  teststring="ABCD"
-
-  case $build_os in
-  msdosdjgpp*)
-    # On DJGPP, this test can blow up pretty badly due to problems in libc
-    # (any single argument exceeding 2000 bytes causes a buffer overrun
-    # during glob expansion).  Even if it were fixed, the result of this
-    # check would be larger than it should be.
-    lt_cv_sys_max_cmd_len=12288;    # 12K is about right
-    ;;
-
-  gnu*)
-    # Under GNU Hurd, this test is not required because there is
-    # no limit to the length of command line arguments.
-    # Libtool will interpret -1 as no limit whatsoever
-    lt_cv_sys_max_cmd_len=-1;
-    ;;
-
-  cygwin* | mingw*)
-    # On Win9x/ME, this test blows up -- it succeeds, but takes
-    # about 5 minutes as the teststring grows exponentially.
-    # Worse, since 9x/ME are not pre-emptively multitasking,
-    # you end up with a "frozen" computer, even though with patience
-    # the test eventually succeeds (with a max line length of 256k).
-    # Instead, let's just punt: use the minimum linelength reported by
-    # all of the supported platforms: 8192 (on NT/2K/XP).
-    lt_cv_sys_max_cmd_len=8192;
-    ;;
-
-  amigaos*)
-    # On AmigaOS with pdksh, this test takes hours, literally.
-    # So we just punt and use a minimum line length of 8192.
-    lt_cv_sys_max_cmd_len=8192;
-    ;;
-
-  netbsd* | freebsd* | openbsd* | darwin* | dragonfly*)
-    # This has been around since 386BSD, at least.  Likely further.
-    if test -x /sbin/sysctl; then
-      lt_cv_sys_max_cmd_len=`/sbin/sysctl -n kern.argmax`
-    elif test -x /usr/sbin/sysctl; then
-      lt_cv_sys_max_cmd_len=`/usr/sbin/sysctl -n kern.argmax`
-    else
-      lt_cv_sys_max_cmd_len=65536	# usable default for all BSDs
-    fi
-    # And add a safety zone
-    lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 4`
-    lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \* 3`
-    ;;
-
-  interix*)
-    # We know the value 262144 and hardcode it with a safety zone (like BSD)
-    lt_cv_sys_max_cmd_len=196608
-    ;;
-
-  osf*)
-    # Dr. Hans Ekkehard Plesser reports seeing a kernel panic running configure
-    # due to this test when exec_disable_arg_limit is 1 on Tru64. It is not
-    # nice to cause kernel panics so lets avoid the loop below.
-    # First set a reasonable default.
-    lt_cv_sys_max_cmd_len=16384
-    #
-    if test -x /sbin/sysconfig; then
-      case `/sbin/sysconfig -q proc exec_disable_arg_limit` in
-        *1*) lt_cv_sys_max_cmd_len=-1 ;;
-      esac
-    fi
-    ;;
-  sco3.2v5*)
-    lt_cv_sys_max_cmd_len=102400
-    ;;
-  sysv5* | sco5v6* | sysv4.2uw2*)
-    kargmax=`grep ARG_MAX /etc/conf/cf.d/stune 2>/dev/null`
-    if test -n "$kargmax"; then
-      lt_cv_sys_max_cmd_len=`echo $kargmax | sed 's/.*[ 	]//'`
-    else
-      lt_cv_sys_max_cmd_len=32768
-    fi
-    ;;
-  *)
-    lt_cv_sys_max_cmd_len=`(getconf ARG_MAX) 2> /dev/null`
-    if test -n "$lt_cv_sys_max_cmd_len"; then
-      lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 4`
-      lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \* 3`
-    else
-      SHELL=${SHELL-${CONFIG_SHELL-/bin/sh}}
-      while (test "X"`$SHELL $0 --fallback-echo "X$teststring" 2>/dev/null` \
-	       = "XX$teststring") >/dev/null 2>&1 &&
-	      new_result=`expr "X$teststring" : ".*" 2>&1` &&
-	      lt_cv_sys_max_cmd_len=$new_result &&
-	      test $i != 17 # 1/2 MB should be enough
-      do
-        i=`expr $i + 1`
-        teststring=$teststring$teststring
-      done
-      teststring=
-      # Add a significant safety factor because C++ compilers can tack on massive
-      # amounts of additional arguments before passing them to the linker.
-      # It appears as though 1/2 is a usable value.
-      lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 2`
-    fi
-    ;;
-  esac
-
-fi
-
-if test -n $lt_cv_sys_max_cmd_len ; then
-  { echo "$as_me:$LINENO: result: $lt_cv_sys_max_cmd_len" >&5
-echo "${ECHO_T}$lt_cv_sys_max_cmd_len" >&6; }
-else
-  { echo "$as_me:$LINENO: result: none" >&5
-echo "${ECHO_T}none" >&6; }
-fi
-
-
-
-
-
-# Check for command to grab the raw symbol name followed by C symbol from nm.
-{ echo "$as_me:$LINENO: checking command to parse $NM output from $compiler object" >&5
-echo $ECHO_N "checking command to parse $NM output from $compiler object... $ECHO_C" >&6; }
-if test "${lt_cv_sys_global_symbol_pipe+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-
-# These are sane defaults that work on at least a few old systems.
-# [They come from Ultrix.  What could be older than Ultrix?!! ;)]
-
-# Character class describing NM global symbol codes.
-symcode='[BCDEGRST]'
-
-# Regexp to match symbols that can be accessed directly from C.
-sympat='\([_A-Za-z][_A-Za-z0-9]*\)'
-
-# Transform an extracted symbol line into a proper C declaration
-lt_cv_sys_global_symbol_to_cdecl="sed -n -e 's/^. .* \(.*\)$/extern int \1;/p'"
-
-# Transform an extracted symbol line into symbol name and symbol address
-lt_cv_sys_global_symbol_to_c_name_address="sed -n -e 's/^: \([^ ]*\) $/  {\\\"\1\\\", (lt_ptr) 0},/p' -e 's/^$symcode \([^ ]*\) \([^ ]*\)$/  {\"\2\", (lt_ptr) \&\2},/p'"
-
-# Define system-specific variables.
-case $host_os in
-aix*)
-  symcode='[BCDT]'
-  ;;
-cygwin* | mingw* | pw32*)
-  symcode='[ABCDGISTW]'
-  ;;
-hpux*) # Its linker distinguishes data from code symbols
-  if test "$host_cpu" = ia64; then
-    symcode='[ABCDEGRST]'
-  fi
-  lt_cv_sys_global_symbol_to_cdecl="sed -n -e 's/^T .* \(.*\)$/extern int \1();/p' -e 's/^$symcode* .* \(.*\)$/extern char \1;/p'"
-  lt_cv_sys_global_symbol_to_c_name_address="sed -n -e 's/^: \([^ ]*\) $/  {\\\"\1\\\", (lt_ptr) 0},/p' -e 's/^$symcode* \([^ ]*\) \([^ ]*\)$/  {\"\2\", (lt_ptr) \&\2},/p'"
-  ;;
-linux* | k*bsd*-gnu)
-  if test "$host_cpu" = ia64; then
-    symcode='[ABCDGIRSTW]'
-    lt_cv_sys_global_symbol_to_cdecl="sed -n -e 's/^T .* \(.*\)$/extern int \1();/p' -e 's/^$symcode* .* \(.*\)$/extern char \1;/p'"
-    lt_cv_sys_global_symbol_to_c_name_address="sed -n -e 's/^: \([^ ]*\) $/  {\\\"\1\\\", (lt_ptr) 0},/p' -e 's/^$symcode* \([^ ]*\) \([^ ]*\)$/  {\"\2\", (lt_ptr) \&\2},/p'"
-  fi
-  ;;
-irix* | nonstopux*)
-  symcode='[BCDEGRST]'
-  ;;
-osf*)
-  symcode='[BCDEGQRST]'
-  ;;
-solaris*)
-  symcode='[BDRT]'
-  ;;
-sco3.2v5*)
-  symcode='[DT]'
-  ;;
-sysv4.2uw2*)
-  symcode='[DT]'
-  ;;
-sysv5* | sco5v6* | unixware* | OpenUNIX*)
-  symcode='[ABDT]'
-  ;;
-sysv4)
-  symcode='[DFNSTU]'
-  ;;
-esac
-
-# Handle CRLF in mingw tool chain
-opt_cr=
-case $build_os in
-mingw*)
-  opt_cr=`echo 'x\{0,1\}' | tr x '\015'` # option cr in regexp
-  ;;
-esac
-
-# If we're using GNU nm, then use its standard symbol codes.
-case `$NM -V 2>&1` in
-*GNU* | *'with BFD'*)
-  symcode='[ABCDGIRSTW]' ;;
-esac
-
-# Try without a prefix undercore, then with it.
-for ac_symprfx in "" "_"; do
-
-  # Transform symcode, sympat, and symprfx into a raw symbol and a C symbol.
-  symxfrm="\\1 $ac_symprfx\\2 \\2"
-
-  # Write the raw and C identifiers.
-  lt_cv_sys_global_symbol_pipe="sed -n -e 's/^.*[ 	]\($symcode$symcode*\)[ 	][ 	]*$ac_symprfx$sympat$opt_cr$/$symxfrm/p'"
-
-  # Check to see that the pipe works correctly.
-  pipe_works=no
-
-  rm -f conftest*
-  cat > conftest.$ac_ext <<EOF
-#ifdef __cplusplus
-extern "C" {
-#endif
-char nm_test_var;
-void nm_test_func(){}
-#ifdef __cplusplus
-}
-#endif
-int main(){nm_test_var='a';nm_test_func();return(0);}
-EOF
-
-  if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; then
-    # Now try to grab the symbols.
-    nlist=conftest.nm
-    if { (eval echo "$as_me:$LINENO: \"$NM conftest.$ac_objext \| $lt_cv_sys_global_symbol_pipe \> $nlist\"") >&5
-  (eval $NM conftest.$ac_objext \| $lt_cv_sys_global_symbol_pipe \> $nlist) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && test -s "$nlist"; then
-      # Try sorting and uniquifying the output.
-      if sort "$nlist" | uniq > "$nlist"T; then
-	mv -f "$nlist"T "$nlist"
-      else
-	rm -f "$nlist"T
-      fi
-
-      # Make sure that we snagged all the symbols we need.
-      if grep ' nm_test_var$' "$nlist" >/dev/null; then
-	if grep ' nm_test_func$' "$nlist" >/dev/null; then
-	  cat <<EOF > conftest.$ac_ext
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-EOF
-	  # Now generate the symbol file.
-	  eval "$lt_cv_sys_global_symbol_to_cdecl"' < "$nlist" | grep -v main >> conftest.$ac_ext'
-
-	  cat <<EOF >> conftest.$ac_ext
-#if defined (__STDC__) && __STDC__
-# define lt_ptr_t void *
-#else
-# define lt_ptr_t char *
-# define const
-#endif
-
-/* The mapping between symbol names and symbols. */
-const struct {
-  const char *name;
-  lt_ptr_t address;
-}
-lt_preloaded_symbols[] =
-{
-EOF
-	  $SED "s/^$symcode$symcode* \(.*\) \(.*\)$/  {\"\2\", (lt_ptr_t) \&\2},/" < "$nlist" | grep -v main >> conftest.$ac_ext
-	  cat <<\EOF >> conftest.$ac_ext
-  {0, (lt_ptr_t) 0}
-};
-
-#ifdef __cplusplus
-}
-#endif
-EOF
-	  # Now try linking the two files.
-	  mv conftest.$ac_objext conftstm.$ac_objext
-	  lt_save_LIBS="$LIBS"
-	  lt_save_CFLAGS="$CFLAGS"
-	  LIBS="conftstm.$ac_objext"
-	  CFLAGS="$CFLAGS$lt_prog_compiler_no_builtin_flag"
-	  if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && test -s conftest${ac_exeext}; then
-	    pipe_works=yes
-	  fi
-	  LIBS="$lt_save_LIBS"
-	  CFLAGS="$lt_save_CFLAGS"
-	else
-	  echo "cannot find nm_test_func in $nlist" >&5
-	fi
-      else
-	echo "cannot find nm_test_var in $nlist" >&5
-      fi
-    else
-      echo "cannot run $lt_cv_sys_global_symbol_pipe" >&5
-    fi
-  else
-    echo "$progname: failed program was:" >&5
-    cat conftest.$ac_ext >&5
-  fi
-  rm -rf conftest* conftst*
-
-  # Do not use the global_symbol_pipe unless it works.
-  if test "$pipe_works" = yes; then
-    break
-  else
-    lt_cv_sys_global_symbol_pipe=
-  fi
-done
-
-fi
-
-if test -z "$lt_cv_sys_global_symbol_pipe"; then
-  lt_cv_sys_global_symbol_to_cdecl=
-fi
-if test -z "$lt_cv_sys_global_symbol_pipe$lt_cv_sys_global_symbol_to_cdecl"; then
-  { echo "$as_me:$LINENO: result: failed" >&5
-echo "${ECHO_T}failed" >&6; }
-else
-  { echo "$as_me:$LINENO: result: ok" >&5
-echo "${ECHO_T}ok" >&6; }
-fi
-
-{ echo "$as_me:$LINENO: checking for objdir" >&5
-echo $ECHO_N "checking for objdir... $ECHO_C" >&6; }
-if test "${lt_cv_objdir+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  rm -f .libs 2>/dev/null
-mkdir .libs 2>/dev/null
-if test -d .libs; then
-  lt_cv_objdir=.libs
-else
-  # MS-DOS does not allow filenames that begin with a dot.
-  lt_cv_objdir=_libs
-fi
-rmdir .libs 2>/dev/null
-fi
-{ echo "$as_me:$LINENO: result: $lt_cv_objdir" >&5
-echo "${ECHO_T}$lt_cv_objdir" >&6; }
-objdir=$lt_cv_objdir
-
-
-
-
-
-case $host_os in
-aix3*)
-  # AIX sometimes has problems with the GCC collect2 program.  For some
-  # reason, if we set the COLLECT_NAMES environment variable, the problems
-  # vanish in a puff of smoke.
-  if test "X${COLLECT_NAMES+set}" != Xset; then
-    COLLECT_NAMES=
-    export COLLECT_NAMES
-  fi
-  ;;
-esac
-
-# Sed substitution that helps us do robust quoting.  It backslashifies
-# metacharacters that are still active within double-quoted strings.
-Xsed='sed -e 1s/^X//'
-sed_quote_subst='s/\([\\"\\`$\\\\]\)/\\\1/g'
-
-# Same as above, but do not quote variable references.
-double_quote_subst='s/\([\\"\\`\\\\]\)/\\\1/g'
-
-# Sed substitution to delay expansion of an escaped shell variable in a
-# double_quote_subst'ed string.
-delay_variable_subst='s/\\\\\\\\\\\$/\\\\\\$/g'
-
-# Sed substitution to avoid accidental globbing in evaled expressions
-no_glob_subst='s/\*/\\\*/g'
-
-# Constants:
-rm="rm -f"
-
-# Global variables:
-default_ofile=libtool
-can_build_shared=yes
-
-# All known linkers require a `.a' archive for static linking (except MSVC,
-# which needs '.lib').
-libext=a
-ltmain="$ac_aux_dir/ltmain.sh"
-ofile="$default_ofile"
-with_gnu_ld="$lt_cv_prog_gnu_ld"
-
-if test -n "$ac_tool_prefix"; then
-  # Extract the first word of "${ac_tool_prefix}ar", so it can be a program name with args.
-set dummy ${ac_tool_prefix}ar; ac_word=$2
-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
-if test "${ac_cv_prog_AR+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  if test -n "$AR"; then
-  ac_cv_prog_AR="$AR" # Let the user override the test.
-else
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-    ac_cv_prog_AR="${ac_tool_prefix}ar"
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
-    break 2
-  fi
-done
-done
-IFS=$as_save_IFS
-
-fi
-fi
-AR=$ac_cv_prog_AR
-if test -n "$AR"; then
-  { echo "$as_me:$LINENO: result: $AR" >&5
-echo "${ECHO_T}$AR" >&6; }
-else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
-fi
-
-
-fi
-if test -z "$ac_cv_prog_AR"; then
-  ac_ct_AR=$AR
-  # Extract the first word of "ar", so it can be a program name with args.
-set dummy ar; ac_word=$2
-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
-if test "${ac_cv_prog_ac_ct_AR+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  if test -n "$ac_ct_AR"; then
-  ac_cv_prog_ac_ct_AR="$ac_ct_AR" # Let the user override the test.
-else
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-    ac_cv_prog_ac_ct_AR="ar"
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
-    break 2
-  fi
-done
-done
-IFS=$as_save_IFS
-
-fi
-fi
-ac_ct_AR=$ac_cv_prog_ac_ct_AR
-if test -n "$ac_ct_AR"; then
-  { echo "$as_me:$LINENO: result: $ac_ct_AR" >&5
-echo "${ECHO_T}$ac_ct_AR" >&6; }
-else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
-fi
-
-  if test "x$ac_ct_AR" = x; then
-    AR="false"
-  else
-    case $cross_compiling:$ac_tool_warned in
-yes:)
-{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
-whose name does not start with the host triplet.  If you think this
-configuration is useful to you, please write to autoconf@gnu.org." >&5
-echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
-whose name does not start with the host triplet.  If you think this
-configuration is useful to you, please write to autoconf@gnu.org." >&2;}
-ac_tool_warned=yes ;;
-esac
-    AR=$ac_ct_AR
-  fi
-else
-  AR="$ac_cv_prog_AR"
-fi
-
-if test -n "$ac_tool_prefix"; then
-  # Extract the first word of "${ac_tool_prefix}ranlib", so it can be a program name with args.
-set dummy ${ac_tool_prefix}ranlib; ac_word=$2
-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
-if test "${ac_cv_prog_RANLIB+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  if test -n "$RANLIB"; then
-  ac_cv_prog_RANLIB="$RANLIB" # Let the user override the test.
-else
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-    ac_cv_prog_RANLIB="${ac_tool_prefix}ranlib"
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
-    break 2
-  fi
-done
-done
-IFS=$as_save_IFS
-
-fi
-fi
-RANLIB=$ac_cv_prog_RANLIB
-if test -n "$RANLIB"; then
-  { echo "$as_me:$LINENO: result: $RANLIB" >&5
-echo "${ECHO_T}$RANLIB" >&6; }
-else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
-fi
-
-
-fi
-if test -z "$ac_cv_prog_RANLIB"; then
-  ac_ct_RANLIB=$RANLIB
-  # Extract the first word of "ranlib", so it can be a program name with args.
-set dummy ranlib; ac_word=$2
-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
-if test "${ac_cv_prog_ac_ct_RANLIB+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  if test -n "$ac_ct_RANLIB"; then
-  ac_cv_prog_ac_ct_RANLIB="$ac_ct_RANLIB" # Let the user override the test.
-else
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-    ac_cv_prog_ac_ct_RANLIB="ranlib"
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
-    break 2
-  fi
-done
-done
-IFS=$as_save_IFS
-
-fi
-fi
-ac_ct_RANLIB=$ac_cv_prog_ac_ct_RANLIB
-if test -n "$ac_ct_RANLIB"; then
-  { echo "$as_me:$LINENO: result: $ac_ct_RANLIB" >&5
-echo "${ECHO_T}$ac_ct_RANLIB" >&6; }
-else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
-fi
-
-  if test "x$ac_ct_RANLIB" = x; then
-    RANLIB=":"
-  else
-    case $cross_compiling:$ac_tool_warned in
-yes:)
-{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
-whose name does not start with the host triplet.  If you think this
-configuration is useful to you, please write to autoconf@gnu.org." >&5
-echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
-whose name does not start with the host triplet.  If you think this
-configuration is useful to you, please write to autoconf@gnu.org." >&2;}
-ac_tool_warned=yes ;;
-esac
-    RANLIB=$ac_ct_RANLIB
-  fi
-else
-  RANLIB="$ac_cv_prog_RANLIB"
-fi
-
-if test -n "$ac_tool_prefix"; then
-  # Extract the first word of "${ac_tool_prefix}strip", so it can be a program name with args.
-set dummy ${ac_tool_prefix}strip; ac_word=$2
-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
-if test "${ac_cv_prog_STRIP+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  if test -n "$STRIP"; then
-  ac_cv_prog_STRIP="$STRIP" # Let the user override the test.
-else
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-    ac_cv_prog_STRIP="${ac_tool_prefix}strip"
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
-    break 2
-  fi
-done
-done
-IFS=$as_save_IFS
-
-fi
-fi
-STRIP=$ac_cv_prog_STRIP
-if test -n "$STRIP"; then
-  { echo "$as_me:$LINENO: result: $STRIP" >&5
-echo "${ECHO_T}$STRIP" >&6; }
-else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
-fi
-
-
-fi
-if test -z "$ac_cv_prog_STRIP"; then
-  ac_ct_STRIP=$STRIP
-  # Extract the first word of "strip", so it can be a program name with args.
-set dummy strip; ac_word=$2
-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
-if test "${ac_cv_prog_ac_ct_STRIP+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  if test -n "$ac_ct_STRIP"; then
-  ac_cv_prog_ac_ct_STRIP="$ac_ct_STRIP" # Let the user override the test.
-else
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-    ac_cv_prog_ac_ct_STRIP="strip"
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
-    break 2
-  fi
-done
-done
-IFS=$as_save_IFS
-
-fi
-fi
-ac_ct_STRIP=$ac_cv_prog_ac_ct_STRIP
-if test -n "$ac_ct_STRIP"; then
-  { echo "$as_me:$LINENO: result: $ac_ct_STRIP" >&5
-echo "${ECHO_T}$ac_ct_STRIP" >&6; }
-else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
-fi
-
-  if test "x$ac_ct_STRIP" = x; then
-    STRIP=":"
-  else
-    case $cross_compiling:$ac_tool_warned in
-yes:)
-{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
-whose name does not start with the host triplet.  If you think this
-configuration is useful to you, please write to autoconf@gnu.org." >&5
-echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
-whose name does not start with the host triplet.  If you think this
-configuration is useful to you, please write to autoconf@gnu.org." >&2;}
-ac_tool_warned=yes ;;
-esac
-    STRIP=$ac_ct_STRIP
-  fi
-else
-  STRIP="$ac_cv_prog_STRIP"
-fi
-
-
-old_CC="$CC"
-old_CFLAGS="$CFLAGS"
-
-# Set sane defaults for various variables
-test -z "$AR" && AR=ar
-test -z "$AR_FLAGS" && AR_FLAGS=cru
-test -z "$AS" && AS=as
-test -z "$CC" && CC=cc
-test -z "$LTCC" && LTCC=$CC
-test -z "$LTCFLAGS" && LTCFLAGS=$CFLAGS
-test -z "$DLLTOOL" && DLLTOOL=dlltool
-test -z "$LD" && LD=ld
-test -z "$LN_S" && LN_S="ln -s"
-test -z "$MAGIC_CMD" && MAGIC_CMD=file
-test -z "$NM" && NM=nm
-test -z "$SED" && SED=sed
-test -z "$OBJDUMP" && OBJDUMP=objdump
-test -z "$RANLIB" && RANLIB=:
-test -z "$STRIP" && STRIP=:
-test -z "$ac_objext" && ac_objext=o
-
-# Determine commands to create old-style static archives.
-old_archive_cmds='$AR $AR_FLAGS $oldlib$oldobjs'
-old_postinstall_cmds='chmod 644 $oldlib'
-old_postuninstall_cmds=
-
-if test -n "$RANLIB"; then
-  case $host_os in
-  openbsd*)
-    old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB -t \$oldlib"
-    ;;
-  *)
-    old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB \$oldlib"
-    ;;
-  esac
-  old_archive_cmds="$old_archive_cmds~\$RANLIB \$oldlib"
-fi
-
-for cc_temp in $compiler""; do
-  case $cc_temp in
-    compile | *[\\/]compile | ccache | *[\\/]ccache ) ;;
-    distcc | *[\\/]distcc | purify | *[\\/]purify ) ;;
-    \-*) ;;
-    *) break;;
-  esac
-done
-cc_basename=`$echo "X$cc_temp" | $Xsed -e 's%.*/%%' -e "s%^$host_alias-%%"`
-
-
-# Only perform the check for file, if the check method requires it
-case $deplibs_check_method in
-file_magic*)
-  if test "$file_magic_cmd" = '$MAGIC_CMD'; then
-    { echo "$as_me:$LINENO: checking for ${ac_tool_prefix}file" >&5
-echo $ECHO_N "checking for ${ac_tool_prefix}file... $ECHO_C" >&6; }
-if test "${lt_cv_path_MAGIC_CMD+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  case $MAGIC_CMD in
-[\\/*] |  ?:[\\/]*)
-  lt_cv_path_MAGIC_CMD="$MAGIC_CMD" # Let the user override the test with a path.
-  ;;
-*)
-  lt_save_MAGIC_CMD="$MAGIC_CMD"
-  lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR
-  ac_dummy="/usr/bin$PATH_SEPARATOR$PATH"
-  for ac_dir in $ac_dummy; do
-    IFS="$lt_save_ifs"
-    test -z "$ac_dir" && ac_dir=.
-    if test -f $ac_dir/${ac_tool_prefix}file; then
-      lt_cv_path_MAGIC_CMD="$ac_dir/${ac_tool_prefix}file"
-      if test -n "$file_magic_test_file"; then
-	case $deplibs_check_method in
-	"file_magic "*)
-	  file_magic_regex=`expr "$deplibs_check_method" : "file_magic \(.*\)"`
-	  MAGIC_CMD="$lt_cv_path_MAGIC_CMD"
-	  if eval $file_magic_cmd \$file_magic_test_file 2> /dev/null |
-	    $EGREP "$file_magic_regex" > /dev/null; then
-	    :
-	  else
-	    cat <<EOF 1>&2
-
-*** Warning: the command libtool uses to detect shared libraries,
-*** $file_magic_cmd, produces output that libtool cannot recognize.
-*** The result is that libtool may fail to recognize shared libraries
-*** as such.  This will affect the creation of libtool libraries that
-*** depend on shared libraries, but programs linked with such libtool
-*** libraries will work regardless of this problem.  Nevertheless, you
-*** may want to report the problem to your system manager and/or to
-*** bug-libtool@gnu.org
-
-EOF
-	  fi ;;
-	esac
-      fi
-      break
-    fi
-  done
-  IFS="$lt_save_ifs"
-  MAGIC_CMD="$lt_save_MAGIC_CMD"
-  ;;
-esac
-fi
-
-MAGIC_CMD="$lt_cv_path_MAGIC_CMD"
-if test -n "$MAGIC_CMD"; then
-  { echo "$as_me:$LINENO: result: $MAGIC_CMD" >&5
-echo "${ECHO_T}$MAGIC_CMD" >&6; }
-else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
-fi
-
-if test -z "$lt_cv_path_MAGIC_CMD"; then
-  if test -n "$ac_tool_prefix"; then
-    { echo "$as_me:$LINENO: checking for file" >&5
-echo $ECHO_N "checking for file... $ECHO_C" >&6; }
-if test "${lt_cv_path_MAGIC_CMD+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  case $MAGIC_CMD in
-[\\/*] |  ?:[\\/]*)
-  lt_cv_path_MAGIC_CMD="$MAGIC_CMD" # Let the user override the test with a path.
-  ;;
-*)
-  lt_save_MAGIC_CMD="$MAGIC_CMD"
-  lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR
-  ac_dummy="/usr/bin$PATH_SEPARATOR$PATH"
-  for ac_dir in $ac_dummy; do
-    IFS="$lt_save_ifs"
-    test -z "$ac_dir" && ac_dir=.
-    if test -f $ac_dir/file; then
-      lt_cv_path_MAGIC_CMD="$ac_dir/file"
-      if test -n "$file_magic_test_file"; then
-	case $deplibs_check_method in
-	"file_magic "*)
-	  file_magic_regex=`expr "$deplibs_check_method" : "file_magic \(.*\)"`
-	  MAGIC_CMD="$lt_cv_path_MAGIC_CMD"
-	  if eval $file_magic_cmd \$file_magic_test_file 2> /dev/null |
-	    $EGREP "$file_magic_regex" > /dev/null; then
-	    :
-	  else
-	    cat <<EOF 1>&2
-
-*** Warning: the command libtool uses to detect shared libraries,
-*** $file_magic_cmd, produces output that libtool cannot recognize.
-*** The result is that libtool may fail to recognize shared libraries
-*** as such.  This will affect the creation of libtool libraries that
-*** depend on shared libraries, but programs linked with such libtool
-*** libraries will work regardless of this problem.  Nevertheless, you
-*** may want to report the problem to your system manager and/or to
-*** bug-libtool@gnu.org
-
-EOF
-	  fi ;;
-	esac
-      fi
-      break
-    fi
-  done
-  IFS="$lt_save_ifs"
-  MAGIC_CMD="$lt_save_MAGIC_CMD"
-  ;;
-esac
-fi
-
-MAGIC_CMD="$lt_cv_path_MAGIC_CMD"
-if test -n "$MAGIC_CMD"; then
-  { echo "$as_me:$LINENO: result: $MAGIC_CMD" >&5
-echo "${ECHO_T}$MAGIC_CMD" >&6; }
-else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
-fi
-
-  else
-    MAGIC_CMD=:
-  fi
-fi
-
-  fi
-  ;;
-esac
-
-
-  case $host_os in
-    rhapsody* | darwin*)
-    if test -n "$ac_tool_prefix"; then
-  # Extract the first word of "${ac_tool_prefix}dsymutil", so it can be a program name with args.
-set dummy ${ac_tool_prefix}dsymutil; ac_word=$2
-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
-if test "${ac_cv_prog_DSYMUTIL+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  if test -n "$DSYMUTIL"; then
-  ac_cv_prog_DSYMUTIL="$DSYMUTIL" # Let the user override the test.
-else
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-    ac_cv_prog_DSYMUTIL="${ac_tool_prefix}dsymutil"
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
-    break 2
-  fi
-done
-done
-IFS=$as_save_IFS
-
-fi
-fi
-DSYMUTIL=$ac_cv_prog_DSYMUTIL
-if test -n "$DSYMUTIL"; then
-  { echo "$as_me:$LINENO: result: $DSYMUTIL" >&5
-echo "${ECHO_T}$DSYMUTIL" >&6; }
-else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
-fi
-
-
-fi
-if test -z "$ac_cv_prog_DSYMUTIL"; then
-  ac_ct_DSYMUTIL=$DSYMUTIL
-  # Extract the first word of "dsymutil", so it can be a program name with args.
-set dummy dsymutil; ac_word=$2
-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
-if test "${ac_cv_prog_ac_ct_DSYMUTIL+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  if test -n "$ac_ct_DSYMUTIL"; then
-  ac_cv_prog_ac_ct_DSYMUTIL="$ac_ct_DSYMUTIL" # Let the user override the test.
-else
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-    ac_cv_prog_ac_ct_DSYMUTIL="dsymutil"
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
-    break 2
-  fi
-done
-done
-IFS=$as_save_IFS
-
-fi
-fi
-ac_ct_DSYMUTIL=$ac_cv_prog_ac_ct_DSYMUTIL
-if test -n "$ac_ct_DSYMUTIL"; then
-  { echo "$as_me:$LINENO: result: $ac_ct_DSYMUTIL" >&5
-echo "${ECHO_T}$ac_ct_DSYMUTIL" >&6; }
-else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
-fi
-
-  if test "x$ac_ct_DSYMUTIL" = x; then
-    DSYMUTIL=":"
-  else
-    case $cross_compiling:$ac_tool_warned in
-yes:)
-{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
-whose name does not start with the host triplet.  If you think this
-configuration is useful to you, please write to autoconf@gnu.org." >&5
-echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
-whose name does not start with the host triplet.  If you think this
-configuration is useful to you, please write to autoconf@gnu.org." >&2;}
-ac_tool_warned=yes ;;
-esac
-    DSYMUTIL=$ac_ct_DSYMUTIL
-  fi
-else
-  DSYMUTIL="$ac_cv_prog_DSYMUTIL"
-fi
-
-    if test -n "$ac_tool_prefix"; then
-  # Extract the first word of "${ac_tool_prefix}nmedit", so it can be a program name with args.
-set dummy ${ac_tool_prefix}nmedit; ac_word=$2
-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
-if test "${ac_cv_prog_NMEDIT+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  if test -n "$NMEDIT"; then
-  ac_cv_prog_NMEDIT="$NMEDIT" # Let the user override the test.
-else
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-    ac_cv_prog_NMEDIT="${ac_tool_prefix}nmedit"
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
-    break 2
-  fi
-done
-done
-IFS=$as_save_IFS
-
-fi
-fi
-NMEDIT=$ac_cv_prog_NMEDIT
-if test -n "$NMEDIT"; then
-  { echo "$as_me:$LINENO: result: $NMEDIT" >&5
-echo "${ECHO_T}$NMEDIT" >&6; }
-else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
-fi
-
-
-fi
-if test -z "$ac_cv_prog_NMEDIT"; then
-  ac_ct_NMEDIT=$NMEDIT
-  # Extract the first word of "nmedit", so it can be a program name with args.
-set dummy nmedit; ac_word=$2
-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
-if test "${ac_cv_prog_ac_ct_NMEDIT+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  if test -n "$ac_ct_NMEDIT"; then
-  ac_cv_prog_ac_ct_NMEDIT="$ac_ct_NMEDIT" # Let the user override the test.
-else
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-    ac_cv_prog_ac_ct_NMEDIT="nmedit"
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
-    break 2
-  fi
-done
-done
-IFS=$as_save_IFS
-
-fi
-fi
-ac_ct_NMEDIT=$ac_cv_prog_ac_ct_NMEDIT
-if test -n "$ac_ct_NMEDIT"; then
-  { echo "$as_me:$LINENO: result: $ac_ct_NMEDIT" >&5
-echo "${ECHO_T}$ac_ct_NMEDIT" >&6; }
-else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
-fi
-
-  if test "x$ac_ct_NMEDIT" = x; then
-    NMEDIT=":"
-  else
-    case $cross_compiling:$ac_tool_warned in
-yes:)
-{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
-whose name does not start with the host triplet.  If you think this
-configuration is useful to you, please write to autoconf@gnu.org." >&5
-echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
-whose name does not start with the host triplet.  If you think this
-configuration is useful to you, please write to autoconf@gnu.org." >&2;}
-ac_tool_warned=yes ;;
-esac
-    NMEDIT=$ac_ct_NMEDIT
-  fi
-else
-  NMEDIT="$ac_cv_prog_NMEDIT"
-fi
-
-
-    { echo "$as_me:$LINENO: checking for -single_module linker flag" >&5
-echo $ECHO_N "checking for -single_module linker flag... $ECHO_C" >&6; }
-if test "${lt_cv_apple_cc_single_mod+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  lt_cv_apple_cc_single_mod=no
-      if test -z "${LT_MULTI_MODULE}"; then
-   # By default we will add the -single_module flag. You can override
-   # by either setting the environment variable LT_MULTI_MODULE
-   # non-empty at configure time, or by adding -multi_module to the
-   # link flags.
-   echo "int foo(void){return 1;}" > conftest.c
-   $LTCC $LTCFLAGS $LDFLAGS -o libconftest.dylib \
-     -dynamiclib ${wl}-single_module conftest.c
-   if test -f libconftest.dylib; then
-     lt_cv_apple_cc_single_mod=yes
-     rm -rf libconftest.dylib*
-   fi
-   rm conftest.c
-      fi
-fi
-{ echo "$as_me:$LINENO: result: $lt_cv_apple_cc_single_mod" >&5
-echo "${ECHO_T}$lt_cv_apple_cc_single_mod" >&6; }
-    { echo "$as_me:$LINENO: checking for -exported_symbols_list linker flag" >&5
-echo $ECHO_N "checking for -exported_symbols_list linker flag... $ECHO_C" >&6; }
-if test "${lt_cv_ld_exported_symbols_list+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  lt_cv_ld_exported_symbols_list=no
-      save_LDFLAGS=$LDFLAGS
-      echo "_main" > conftest.sym
-      LDFLAGS="$LDFLAGS -Wl,-exported_symbols_list,conftest.sym"
-      cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-int
-main ()
-{
-
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
-  lt_cv_ld_exported_symbols_list=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	lt_cv_ld_exported_symbols_list=no
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
-   LDFLAGS="$save_LDFLAGS"
-
-fi
-{ echo "$as_me:$LINENO: result: $lt_cv_ld_exported_symbols_list" >&5
-echo "${ECHO_T}$lt_cv_ld_exported_symbols_list" >&6; }
-    case $host_os in
-    rhapsody* | darwin1.[0123])
-      _lt_dar_allow_undefined='${wl}-undefined ${wl}suppress' ;;
-    darwin1.*)
-     _lt_dar_allow_undefined='${wl}-flat_namespace ${wl}-undefined ${wl}suppress' ;;
-    darwin*)
-      # if running on 10.5 or later, the deployment target defaults
-      # to the OS version, if on x86, and 10.4, the deployment
-      # target defaults to 10.4. Don't you love it?
-      case ${MACOSX_DEPLOYMENT_TARGET-10.0},$host in
-   10.0,*86*-darwin8*|10.0,*-darwin[91]*)
-     _lt_dar_allow_undefined='${wl}-undefined ${wl}dynamic_lookup' ;;
-   10.[012]*)
-     _lt_dar_allow_undefined='${wl}-flat_namespace ${wl}-undefined ${wl}suppress' ;;
-   10.*)
-     _lt_dar_allow_undefined='${wl}-undefined ${wl}dynamic_lookup' ;;
-      esac
-    ;;
-  esac
-    if test "$lt_cv_apple_cc_single_mod" = "yes"; then
-      _lt_dar_single_mod='$single_module'
-    fi
-    if test "$lt_cv_ld_exported_symbols_list" = "yes"; then
-      _lt_dar_export_syms=' ${wl}-exported_symbols_list,$output_objdir/${libname}-symbols.expsym'
-    else
-      _lt_dar_export_syms="~$NMEDIT -s \$output_objdir/\${libname}-symbols.expsym \${lib}"
-    fi
-    if test "$DSYMUTIL" != ":"; then
-      _lt_dsymutil="~$DSYMUTIL \$lib || :"
-    else
-      _lt_dsymutil=
-    fi
-    ;;
-  esac
-
-
-enable_dlopen=no
-enable_win32_dll=no
-
-# Check whether --enable-libtool-lock was given.
-if test "${enable_libtool_lock+set}" = set; then
-  enableval=$enable_libtool_lock;
-fi
-
-test "x$enable_libtool_lock" != xno && enable_libtool_lock=yes
-
-
-# Check whether --with-pic was given.
-if test "${with_pic+set}" = set; then
-  withval=$with_pic; pic_mode="$withval"
-else
-  pic_mode=default
-fi
-
-test -z "$pic_mode" && pic_mode=default
-
-# Use C for the default configuration in the libtool script
-tagname=
-lt_save_CC="$CC"
-ac_ext=c
-ac_cpp='$CPP $CPPFLAGS'
-ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
-ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
-ac_compiler_gnu=$ac_cv_c_compiler_gnu
-
-
-# Source file extension for C test sources.
-ac_ext=c
-
-# Object file extension for compiled C test sources.
-objext=o
-objext=$objext
-
-# Code to be used in simple compile tests
-lt_simple_compile_test_code="int some_variable = 0;"
-
-# Code to be used in simple link tests
-lt_simple_link_test_code='int main(){return(0);}'
-
-
-# If no C compiler was specified, use CC.
-LTCC=${LTCC-"$CC"}
-
-# If no C compiler flags were specified, use CFLAGS.
-LTCFLAGS=${LTCFLAGS-"$CFLAGS"}
-
-# Allow CC to be a program name with arguments.
-compiler=$CC
-
-
-# save warnings/boilerplate of simple test code
-ac_outfile=conftest.$ac_objext
-echo "$lt_simple_compile_test_code" >conftest.$ac_ext
-eval "$ac_compile" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err
-_lt_compiler_boilerplate=`cat conftest.err`
-$rm conftest*
-
-ac_outfile=conftest.$ac_objext
-echo "$lt_simple_link_test_code" >conftest.$ac_ext
-eval "$ac_link" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err
-_lt_linker_boilerplate=`cat conftest.err`
-$rm -r conftest*
-
-
-
-lt_prog_compiler_no_builtin_flag=
-
-if test "$GCC" = yes; then
-  lt_prog_compiler_no_builtin_flag=' -fno-builtin'
-
-
-{ echo "$as_me:$LINENO: checking if $compiler supports -fno-rtti -fno-exceptions" >&5
-echo $ECHO_N "checking if $compiler supports -fno-rtti -fno-exceptions... $ECHO_C" >&6; }
-if test "${lt_cv_prog_compiler_rtti_exceptions+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  lt_cv_prog_compiler_rtti_exceptions=no
-  ac_outfile=conftest.$ac_objext
-   echo "$lt_simple_compile_test_code" > conftest.$ac_ext
-   lt_compiler_flag="-fno-rtti -fno-exceptions"
-   # Insert the option either (1) after the last *FLAGS variable, or
-   # (2) before a word containing "conftest.", or (3) at the end.
-   # Note that $ac_compile itself does not contain backslashes and begins
-   # with a dollar sign (not a hyphen), so the echo should work correctly.
-   # The option is referenced via a variable to avoid confusing sed.
-   lt_compile=`echo "$ac_compile" | $SED \
-   -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-   -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-   -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:7722: $lt_compile\"" >&5)
-   (eval "$lt_compile" 2>conftest.err)
-   ac_status=$?
-   cat conftest.err >&5
-   echo "$as_me:7726: \$? = $ac_status" >&5
-   if (exit $ac_status) && test -s "$ac_outfile"; then
-     # The compiler can only warn and ignore the option if not recognized
-     # So say no if there are warnings other than the usual output.
-     $echo "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' >conftest.exp
-     $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2
-     if test ! -s conftest.er2 || diff conftest.exp conftest.er2 >/dev/null; then
-       lt_cv_prog_compiler_rtti_exceptions=yes
-     fi
-   fi
-   $rm conftest*
-
-fi
-{ echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_rtti_exceptions" >&5
-echo "${ECHO_T}$lt_cv_prog_compiler_rtti_exceptions" >&6; }
-
-if test x"$lt_cv_prog_compiler_rtti_exceptions" = xyes; then
-    lt_prog_compiler_no_builtin_flag="$lt_prog_compiler_no_builtin_flag -fno-rtti -fno-exceptions"
-else
-    :
-fi
-
-fi
-
-lt_prog_compiler_wl=
-lt_prog_compiler_pic=
-lt_prog_compiler_static=
-
-{ echo "$as_me:$LINENO: checking for $compiler option to produce PIC" >&5
-echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6; }
-
-  if test "$GCC" = yes; then
-    lt_prog_compiler_wl='-Wl,'
-    lt_prog_compiler_static='-static'
-
-    case $host_os in
-      aix*)
-      # All AIX code is PIC.
-      if test "$host_cpu" = ia64; then
-	# AIX 5 now supports IA64 processor
-	lt_prog_compiler_static='-Bstatic'
-      fi
-      ;;
-
-    amigaos*)
-      # FIXME: we need at least 68020 code to build shared libraries, but
-      # adding the `-m68020' flag to GCC prevents building anything better,
-      # like `-m68040'.
-      lt_prog_compiler_pic='-m68020 -resident32 -malways-restore-a4'
-      ;;
-
-    beos* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*)
-      # PIC is the default for these OSes.
-      ;;
-
-    mingw* | cygwin* | pw32* | os2*)
-      # This hack is so that the source file can tell whether it is being
-      # built for inclusion in a dll (and should export symbols for example).
-      # Although the cygwin gcc ignores -fPIC, still need this for old-style
-      # (--disable-auto-import) libraries
-      lt_prog_compiler_pic='-DDLL_EXPORT'
-      ;;
-
-    darwin* | rhapsody*)
-      # PIC is the default on this platform
-      # Common symbols not allowed in MH_DYLIB files
-      lt_prog_compiler_pic='-fno-common'
-      ;;
-
-    interix[3-9]*)
-      # Interix 3.x gcc -fpic/-fPIC options generate broken code.
-      # Instead, we relocate shared libraries at runtime.
-      ;;
-
-    msdosdjgpp*)
-      # Just because we use GCC doesn't mean we suddenly get shared libraries
-      # on systems that don't support them.
-      lt_prog_compiler_can_build_shared=no
-      enable_shared=no
-      ;;
-
-    sysv4*MP*)
-      if test -d /usr/nec; then
-	lt_prog_compiler_pic=-Kconform_pic
-      fi
-      ;;
-
-    hpux*)
-      # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but
-      # not for PA HP-UX.
-      case $host_cpu in
-      hppa*64*|ia64*)
-	# +Z the default
-	;;
-      *)
-	lt_prog_compiler_pic='-fPIC'
-	;;
-      esac
-      ;;
-
-    *)
-      lt_prog_compiler_pic='-fPIC'
-      ;;
-    esac
-  else
-    # PORTME Check for flag to pass linker flags through the system compiler.
-    case $host_os in
-    aix*)
-      lt_prog_compiler_wl='-Wl,'
-      if test "$host_cpu" = ia64; then
-	# AIX 5 now supports IA64 processor
-	lt_prog_compiler_static='-Bstatic'
-      else
-	lt_prog_compiler_static='-bnso -bI:/lib/syscalls.exp'
-      fi
-      ;;
-      darwin*)
-        # PIC is the default on this platform
-        # Common symbols not allowed in MH_DYLIB files
-       case $cc_basename in
-         xlc*)
-         lt_prog_compiler_pic='-qnocommon'
-         lt_prog_compiler_wl='-Wl,'
-         ;;
-       esac
-       ;;
-
-    mingw* | cygwin* | pw32* | os2*)
-      # This hack is so that the source file can tell whether it is being
-      # built for inclusion in a dll (and should export symbols for example).
-      lt_prog_compiler_pic='-DDLL_EXPORT'
-      ;;
-
-    hpux9* | hpux10* | hpux11*)
-      lt_prog_compiler_wl='-Wl,'
-      # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but
-      # not for PA HP-UX.
-      case $host_cpu in
-      hppa*64*|ia64*)
-	# +Z the default
-	;;
-      *)
-	lt_prog_compiler_pic='+Z'
-	;;
-      esac
-      # Is there a better lt_prog_compiler_static that works with the bundled CC?
-      lt_prog_compiler_static='${wl}-a ${wl}archive'
-      ;;
-
-    irix5* | irix6* | nonstopux*)
-      lt_prog_compiler_wl='-Wl,'
-      # PIC (with -KPIC) is the default.
-      lt_prog_compiler_static='-non_shared'
-      ;;
-
-    newsos6)
-      lt_prog_compiler_pic='-KPIC'
-      lt_prog_compiler_static='-Bstatic'
-      ;;
-
-    linux* | k*bsd*-gnu)
-      case $cc_basename in
-      icc* | ecc*)
-	lt_prog_compiler_wl='-Wl,'
-	lt_prog_compiler_pic='-KPIC'
-	lt_prog_compiler_static='-static'
-        ;;
-      pgcc* | pgf77* | pgf90* | pgf95*)
-        # Portland Group compilers (*not* the Pentium gcc compiler,
-	# which looks to be a dead project)
-	lt_prog_compiler_wl='-Wl,'
-	lt_prog_compiler_pic='-fpic'
-	lt_prog_compiler_static='-Bstatic'
-        ;;
-      ccc*)
-        lt_prog_compiler_wl='-Wl,'
-        # All Alpha code is PIC.
-        lt_prog_compiler_static='-non_shared'
-        ;;
-      *)
-        case `$CC -V 2>&1 | sed 5q` in
-	*Sun\ C*)
-	  # Sun C 5.9
-	  lt_prog_compiler_pic='-KPIC'
-	  lt_prog_compiler_static='-Bstatic'
-	  lt_prog_compiler_wl='-Wl,'
-	  ;;
-	*Sun\ F*)
-	  # Sun Fortran 8.3 passes all unrecognized flags to the linker
-	  lt_prog_compiler_pic='-KPIC'
-	  lt_prog_compiler_static='-Bstatic'
-	  lt_prog_compiler_wl=''
-	  ;;
-	esac
-	;;
-      esac
-      ;;
-
-    osf3* | osf4* | osf5*)
-      lt_prog_compiler_wl='-Wl,'
-      # All OSF/1 code is PIC.
-      lt_prog_compiler_static='-non_shared'
-      ;;
-
-    rdos*)
-      lt_prog_compiler_static='-non_shared'
-      ;;
-
-    solaris*)
-      lt_prog_compiler_pic='-KPIC'
-      lt_prog_compiler_static='-Bstatic'
-      case $cc_basename in
-      f77* | f90* | f95*)
-	lt_prog_compiler_wl='-Qoption ld ';;
-      *)
-	lt_prog_compiler_wl='-Wl,';;
-      esac
-      ;;
-
-    sunos4*)
-      lt_prog_compiler_wl='-Qoption ld '
-      lt_prog_compiler_pic='-PIC'
-      lt_prog_compiler_static='-Bstatic'
-      ;;
-
-    sysv4 | sysv4.2uw2* | sysv4.3*)
-      lt_prog_compiler_wl='-Wl,'
-      lt_prog_compiler_pic='-KPIC'
-      lt_prog_compiler_static='-Bstatic'
-      ;;
-
-    sysv4*MP*)
-      if test -d /usr/nec ;then
-	lt_prog_compiler_pic='-Kconform_pic'
-	lt_prog_compiler_static='-Bstatic'
-      fi
-      ;;
-
-    sysv5* | unixware* | sco3.2v5* | sco5v6* | OpenUNIX*)
-      lt_prog_compiler_wl='-Wl,'
-      lt_prog_compiler_pic='-KPIC'
-      lt_prog_compiler_static='-Bstatic'
-      ;;
-
-    unicos*)
-      lt_prog_compiler_wl='-Wl,'
-      lt_prog_compiler_can_build_shared=no
-      ;;
-
-    uts4*)
-      lt_prog_compiler_pic='-pic'
-      lt_prog_compiler_static='-Bstatic'
-      ;;
-
-    *)
-      lt_prog_compiler_can_build_shared=no
-      ;;
-    esac
-  fi
-
-{ echo "$as_me:$LINENO: result: $lt_prog_compiler_pic" >&5
-echo "${ECHO_T}$lt_prog_compiler_pic" >&6; }
-
-#
-# Check to make sure the PIC flag actually works.
-#
-if test -n "$lt_prog_compiler_pic"; then
-
-{ echo "$as_me:$LINENO: checking if $compiler PIC flag $lt_prog_compiler_pic works" >&5
-echo $ECHO_N "checking if $compiler PIC flag $lt_prog_compiler_pic works... $ECHO_C" >&6; }
-if test "${lt_cv_prog_compiler_pic_works+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  lt_cv_prog_compiler_pic_works=no
-  ac_outfile=conftest.$ac_objext
-   echo "$lt_simple_compile_test_code" > conftest.$ac_ext
-   lt_compiler_flag="$lt_prog_compiler_pic -DPIC"
-   # Insert the option either (1) after the last *FLAGS variable, or
-   # (2) before a word containing "conftest.", or (3) at the end.
-   # Note that $ac_compile itself does not contain backslashes and begins
-   # with a dollar sign (not a hyphen), so the echo should work correctly.
-   # The option is referenced via a variable to avoid confusing sed.
-   lt_compile=`echo "$ac_compile" | $SED \
-   -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-   -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-   -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:8012: $lt_compile\"" >&5)
-   (eval "$lt_compile" 2>conftest.err)
-   ac_status=$?
-   cat conftest.err >&5
-   echo "$as_me:8016: \$? = $ac_status" >&5
-   if (exit $ac_status) && test -s "$ac_outfile"; then
-     # The compiler can only warn and ignore the option if not recognized
-     # So say no if there are warnings other than the usual output.
-     $echo "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' >conftest.exp
-     $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2
-     if test ! -s conftest.er2 || diff conftest.exp conftest.er2 >/dev/null; then
-       lt_cv_prog_compiler_pic_works=yes
-     fi
-   fi
-   $rm conftest*
-
-fi
-{ echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_pic_works" >&5
-echo "${ECHO_T}$lt_cv_prog_compiler_pic_works" >&6; }
-
-if test x"$lt_cv_prog_compiler_pic_works" = xyes; then
-    case $lt_prog_compiler_pic in
-     "" | " "*) ;;
-     *) lt_prog_compiler_pic=" $lt_prog_compiler_pic" ;;
-     esac
-else
-    lt_prog_compiler_pic=
-     lt_prog_compiler_can_build_shared=no
-fi
-
-fi
-case $host_os in
-  # For platforms which do not support PIC, -DPIC is meaningless:
-  *djgpp*)
-    lt_prog_compiler_pic=
-    ;;
-  *)
-    lt_prog_compiler_pic="$lt_prog_compiler_pic -DPIC"
-    ;;
-esac
-
-#
-# Check to make sure the static flag actually works.
-#
-wl=$lt_prog_compiler_wl eval lt_tmp_static_flag=\"$lt_prog_compiler_static\"
-{ echo "$as_me:$LINENO: checking if $compiler static flag $lt_tmp_static_flag works" >&5
-echo $ECHO_N "checking if $compiler static flag $lt_tmp_static_flag works... $ECHO_C" >&6; }
-if test "${lt_cv_prog_compiler_static_works+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  lt_cv_prog_compiler_static_works=no
-   save_LDFLAGS="$LDFLAGS"
-   LDFLAGS="$LDFLAGS $lt_tmp_static_flag"
-   echo "$lt_simple_link_test_code" > conftest.$ac_ext
-   if (eval $ac_link 2>conftest.err) && test -s conftest$ac_exeext; then
-     # The linker can only warn and ignore the option if not recognized
-     # So say no if there are warnings
-     if test -s conftest.err; then
-       # Append any errors to the config.log.
-       cat conftest.err 1>&5
-       $echo "X$_lt_linker_boilerplate" | $Xsed -e '/^$/d' > conftest.exp
-       $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2
-       if diff conftest.exp conftest.er2 >/dev/null; then
-         lt_cv_prog_compiler_static_works=yes
-       fi
-     else
-       lt_cv_prog_compiler_static_works=yes
-     fi
-   fi
-   $rm -r conftest*
-   LDFLAGS="$save_LDFLAGS"
-
-fi
-{ echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_static_works" >&5
-echo "${ECHO_T}$lt_cv_prog_compiler_static_works" >&6; }
-
-if test x"$lt_cv_prog_compiler_static_works" = xyes; then
-    :
-else
-    lt_prog_compiler_static=
-fi
-
-
-{ echo "$as_me:$LINENO: checking if $compiler supports -c -o file.$ac_objext" >&5
-echo $ECHO_N "checking if $compiler supports -c -o file.$ac_objext... $ECHO_C" >&6; }
-if test "${lt_cv_prog_compiler_c_o+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  lt_cv_prog_compiler_c_o=no
-   $rm -r conftest 2>/dev/null
-   mkdir conftest
-   cd conftest
-   mkdir out
-   echo "$lt_simple_compile_test_code" > conftest.$ac_ext
-
-   lt_compiler_flag="-o out/conftest2.$ac_objext"
-   # Insert the option either (1) after the last *FLAGS variable, or
-   # (2) before a word containing "conftest.", or (3) at the end.
-   # Note that $ac_compile itself does not contain backslashes and begins
-   # with a dollar sign (not a hyphen), so the echo should work correctly.
-   lt_compile=`echo "$ac_compile" | $SED \
-   -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-   -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-   -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:8116: $lt_compile\"" >&5)
-   (eval "$lt_compile" 2>out/conftest.err)
-   ac_status=$?
-   cat out/conftest.err >&5
-   echo "$as_me:8120: \$? = $ac_status" >&5
-   if (exit $ac_status) && test -s out/conftest2.$ac_objext
-   then
-     # The compiler can only warn and ignore the option if not recognized
-     # So say no if there are warnings
-     $echo "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' > out/conftest.exp
-     $SED '/^$/d; /^ *+/d' out/conftest.err >out/conftest.er2
-     if test ! -s out/conftest.er2 || diff out/conftest.exp out/conftest.er2 >/dev/null; then
-       lt_cv_prog_compiler_c_o=yes
-     fi
-   fi
-   chmod u+w . 2>&5
-   $rm conftest*
-   # SGI C++ compiler will create directory out/ii_files/ for
-   # template instantiation
-   test -d out/ii_files && $rm out/ii_files/* && rmdir out/ii_files
-   $rm out/* && rmdir out
-   cd ..
-   rmdir conftest
-   $rm conftest*
-
-fi
-{ echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_c_o" >&5
-echo "${ECHO_T}$lt_cv_prog_compiler_c_o" >&6; }
-
-
-hard_links="nottested"
-if test "$lt_cv_prog_compiler_c_o" = no && test "$need_locks" != no; then
-  # do not overwrite the value of need_locks provided by the user
-  { echo "$as_me:$LINENO: checking if we can lock with hard links" >&5
-echo $ECHO_N "checking if we can lock with hard links... $ECHO_C" >&6; }
-  hard_links=yes
-  $rm conftest*
-  ln conftest.a conftest.b 2>/dev/null && hard_links=no
-  touch conftest.a
-  ln conftest.a conftest.b 2>&5 || hard_links=no
-  ln conftest.a conftest.b 2>/dev/null && hard_links=no
-  { echo "$as_me:$LINENO: result: $hard_links" >&5
-echo "${ECHO_T}$hard_links" >&6; }
-  if test "$hard_links" = no; then
-    { echo "$as_me:$LINENO: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&5
-echo "$as_me: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&2;}
-    need_locks=warn
-  fi
-else
-  need_locks=no
-fi
-
-{ echo "$as_me:$LINENO: checking whether the $compiler linker ($LD) supports shared libraries" >&5
-echo $ECHO_N "checking whether the $compiler linker ($LD) supports shared libraries... $ECHO_C" >&6; }
-
-  runpath_var=
-  allow_undefined_flag=
-  enable_shared_with_static_runtimes=no
-  archive_cmds=
-  archive_expsym_cmds=
-  old_archive_From_new_cmds=
-  old_archive_from_expsyms_cmds=
-  export_dynamic_flag_spec=
-  whole_archive_flag_spec=
-  thread_safe_flag_spec=
-  hardcode_libdir_flag_spec=
-  hardcode_libdir_flag_spec_ld=
-  hardcode_libdir_separator=
-  hardcode_direct=no
-  hardcode_minus_L=no
-  hardcode_shlibpath_var=unsupported
-  link_all_deplibs=unknown
-  hardcode_automatic=no
-  module_cmds=
-  module_expsym_cmds=
-  always_export_symbols=no
-  export_symbols_cmds='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols'
-  # include_expsyms should be a list of space-separated symbols to be *always*
-  # included in the symbol list
-  include_expsyms=
-  # exclude_expsyms can be an extended regexp of symbols to exclude
-  # it will be wrapped by ` (' and `)$', so one must not match beginning or
-  # end of line.  Example: `a|bc|.*d.*' will exclude the symbols `a' and `bc',
-  # as well as any symbol that contains `d'.
-  exclude_expsyms='_GLOBAL_OFFSET_TABLE_|_GLOBAL__F[ID]_.*'
-  # Although _GLOBAL_OFFSET_TABLE_ is a valid symbol C name, most a.out
-  # platforms (ab)use it in PIC code, but their linkers get confused if
-  # the symbol is explicitly referenced.  Since portable code cannot
-  # rely on this symbol name, it's probably fine to never include it in
-  # preloaded symbol tables.
-  # Exclude shared library initialization/finalization symbols.
-  extract_expsyms_cmds=
-  # Just being paranoid about ensuring that cc_basename is set.
-  for cc_temp in $compiler""; do
-  case $cc_temp in
-    compile | *[\\/]compile | ccache | *[\\/]ccache ) ;;
-    distcc | *[\\/]distcc | purify | *[\\/]purify ) ;;
-    \-*) ;;
-    *) break;;
-  esac
-done
-cc_basename=`$echo "X$cc_temp" | $Xsed -e 's%.*/%%' -e "s%^$host_alias-%%"`
-
-  case $host_os in
-  cygwin* | mingw* | pw32*)
-    # FIXME: the MSVC++ port hasn't been tested in a loooong time
-    # When not using gcc, we currently assume that we are using
-    # Microsoft Visual C++.
-    if test "$GCC" != yes; then
-      with_gnu_ld=no
-    fi
-    ;;
-  interix*)
-    # we just hope/assume this is gcc and not c89 (= MSVC++)
-    with_gnu_ld=yes
-    ;;
-  openbsd*)
-    with_gnu_ld=no
-    ;;
-  esac
-
-  ld_shlibs=yes
-  if test "$with_gnu_ld" = yes; then
-    # If archive_cmds runs LD, not CC, wlarc should be empty
-    wlarc='${wl}'
-
-    # Set some defaults for GNU ld with shared library support. These
-    # are reset later if shared libraries are not supported. Putting them
-    # here allows them to be overridden if necessary.
-    runpath_var=LD_RUN_PATH
-    hardcode_libdir_flag_spec='${wl}--rpath ${wl}$libdir'
-    export_dynamic_flag_spec='${wl}--export-dynamic'
-    # ancient GNU ld didn't support --whole-archive et. al.
-    if $LD --help 2>&1 | grep 'no-whole-archive' > /dev/null; then
-	whole_archive_flag_spec="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive'
-      else
-  	whole_archive_flag_spec=
-    fi
-    supports_anon_versioning=no
-    case `$LD -v 2>/dev/null` in
-      *\ [01].* | *\ 2.[0-9].* | *\ 2.10.*) ;; # catch versions < 2.11
-      *\ 2.11.93.0.2\ *) supports_anon_versioning=yes ;; # RH7.3 ...
-      *\ 2.11.92.0.12\ *) supports_anon_versioning=yes ;; # Mandrake 8.2 ...
-      *\ 2.11.*) ;; # other 2.11 versions
-      *) supports_anon_versioning=yes ;;
-    esac
-
-    # See if GNU ld supports shared libraries.
-    case $host_os in
-    aix[3-9]*)
-      # On AIX/PPC, the GNU linker is very broken
-      if test "$host_cpu" != ia64; then
-	ld_shlibs=no
-	cat <<EOF 1>&2
-
-*** Warning: the GNU linker, at least up to release 2.9.1, is reported
-*** to be unable to reliably create shared libraries on AIX.
-*** Therefore, libtool is disabling shared libraries support.  If you
-*** really care for shared libraries, you may want to modify your PATH
-*** so that a non-GNU linker is found, and then restart.
-
-EOF
-      fi
-      ;;
-
-    amigaos*)
-      archive_cmds='$rm $output_objdir/a2ixlibrary.data~$echo "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$echo "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$echo "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$echo "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)'
-      hardcode_libdir_flag_spec='-L$libdir'
-      hardcode_minus_L=yes
-
-      # Samuel A. Falvo II <kc5tja@dolphin.openprojects.net> reports
-      # that the semantics of dynamic libraries on AmigaOS, at least up
-      # to version 4, is to share data among multiple programs linked
-      # with the same dynamic library.  Since this doesn't match the
-      # behavior of shared libraries on other platforms, we can't use
-      # them.
-      ld_shlibs=no
-      ;;
-
-    beos*)
-      if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
-	allow_undefined_flag=unsupported
-	# Joseph Beckenbach <jrb3@best.com> says some releases of gcc
-	# support --undefined.  This deserves some investigation.  FIXME
-	archive_cmds='$CC -nostart $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
-      else
-	ld_shlibs=no
-      fi
-      ;;
-
-    cygwin* | mingw* | pw32*)
-      # _LT_AC_TAGVAR(hardcode_libdir_flag_spec, ) is actually meaningless,
-      # as there is no search path for DLLs.
-      hardcode_libdir_flag_spec='-L$libdir'
-      allow_undefined_flag=unsupported
-      always_export_symbols=no
-      enable_shared_with_static_runtimes=yes
-      export_symbols_cmds='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[BCDGRS][ ]/s/.*[ ]\([^ ]*\)/\1 DATA/'\'' -e '\''/^[AITW][ ]/s/.*[ ]//'\'' | sort | uniq > $export_symbols'
-
-      if $LD --help 2>&1 | grep 'auto-import' > /dev/null; then
-        archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
-	# If the export-symbols file already is a .def file (1st line
-	# is EXPORTS), use it as is; otherwise, prepend...
-	archive_expsym_cmds='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then
-	  cp $export_symbols $output_objdir/$soname.def;
-	else
-	  echo EXPORTS > $output_objdir/$soname.def;
-	  cat $export_symbols >> $output_objdir/$soname.def;
-	fi~
-	$CC -shared $output_objdir/$soname.def $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
-      else
-	ld_shlibs=no
-      fi
-      ;;
-
-    interix[3-9]*)
-      hardcode_direct=no
-      hardcode_shlibpath_var=no
-      hardcode_libdir_flag_spec='${wl}-rpath,$libdir'
-      export_dynamic_flag_spec='${wl}-E'
-      # Hack: On Interix 3.x, we cannot compile PIC because of a broken gcc.
-      # Instead, shared libraries are loaded at an image base (0x10000000 by
-      # default) and relocated if they conflict, which is a slow very memory
-      # consuming and fragmenting process.  To avoid this, we pick a random,
-      # 256 KiB-aligned image base between 0x50000000 and 0x6FFC0000 at link
-      # time.  Moving up from 0x10000000 also allows more sbrk(2) space.
-      archive_cmds='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
-      archive_expsym_cmds='sed "s,^,_," $export_symbols >$output_objdir/$soname.expsym~$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--retain-symbols-file,$output_objdir/$soname.expsym ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
-      ;;
-
-    gnu* | linux* | k*bsd*-gnu)
-      if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
-	tmp_addflag=
-	case $cc_basename,$host_cpu in
-	pgcc*)				# Portland Group C compiler
-	  whole_archive_flag_spec='${wl}--whole-archive`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}--no-whole-archive'
-	  tmp_addflag=' $pic_flag'
-	  ;;
-	pgf77* | pgf90* | pgf95*)	# Portland Group f77 and f90 compilers
-	  whole_archive_flag_spec='${wl}--whole-archive`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}--no-whole-archive'
-	  tmp_addflag=' $pic_flag -Mnomain' ;;
-	ecc*,ia64* | icc*,ia64*)		# Intel C compiler on ia64
-	  tmp_addflag=' -i_dynamic' ;;
-	efc*,ia64* | ifort*,ia64*)	# Intel Fortran compiler on ia64
-	  tmp_addflag=' -i_dynamic -nofor_main' ;;
-	ifc* | ifort*)			# Intel Fortran compiler
-	  tmp_addflag=' -nofor_main' ;;
-	esac
-	case `$CC -V 2>&1 | sed 5q` in
-	*Sun\ C*)			# Sun C 5.9
-	  whole_archive_flag_spec='${wl}--whole-archive`new_convenience=; for conv in $convenience\"\"; do test -z \"$conv\" || new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}--no-whole-archive'
-	  tmp_sharedflag='-G' ;;
-	*Sun\ F*)			# Sun Fortran 8.3
-	  tmp_sharedflag='-G' ;;
-	*)
-	  tmp_sharedflag='-shared' ;;
-	esac
-	archive_cmds='$CC '"$tmp_sharedflag""$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
-
-	if test $supports_anon_versioning = yes; then
-	  archive_expsym_cmds='$echo "{ global:" > $output_objdir/$libname.ver~
-  cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~
-  $echo "local: *; };" >> $output_objdir/$libname.ver~
-	  $CC '"$tmp_sharedflag""$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-version-script ${wl}$output_objdir/$libname.ver -o $lib'
-	fi
-	link_all_deplibs=no
-      else
-	ld_shlibs=no
-      fi
-      ;;
-
-    netbsd* | netbsdelf*-gnu)
-      if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
-	archive_cmds='$LD -Bshareable $libobjs $deplibs $linker_flags -o $lib'
-	wlarc=
-      else
-	archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
-	archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
-      fi
-      ;;
-
-    solaris*)
-      if $LD -v 2>&1 | grep 'BFD 2\.8' > /dev/null; then
-	ld_shlibs=no
-	cat <<EOF 1>&2
-
-*** Warning: The releases 2.8.* of the GNU linker cannot reliably
-*** create shared libraries on Solaris systems.  Therefore, libtool
-*** is disabling shared libraries support.  We urge you to upgrade GNU
-*** binutils to release 2.9.1 or newer.  Another option is to modify
-*** your PATH or compiler configuration so that the native linker is
-*** used, and then restart.
-
-EOF
-      elif $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
-	archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
-	archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
-      else
-	ld_shlibs=no
-      fi
-      ;;
-
-    sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX*)
-      case `$LD -v 2>&1` in
-        *\ [01].* | *\ 2.[0-9].* | *\ 2.1[0-5].*)
-	ld_shlibs=no
-	cat <<_LT_EOF 1>&2
-
-*** Warning: Releases of the GNU linker prior to 2.16.91.0.3 can not
-*** reliably create shared libraries on SCO systems.  Therefore, libtool
-*** is disabling shared libraries support.  We urge you to upgrade GNU
-*** binutils to release 2.16.91.0.3 or newer.  Another option is to modify
-*** your PATH or compiler configuration so that the native linker is
-*** used, and then restart.
-
-_LT_EOF
-	;;
-	*)
-	  if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
-	    hardcode_libdir_flag_spec='`test -z "$SCOABSPATH" && echo ${wl}-rpath,$libdir`'
-	    archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib'
-	    archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname,\${SCOABSPATH:+${install_libdir}/}$soname,-retain-symbols-file,$export_symbols -o $lib'
-	  else
-	    ld_shlibs=no
-	  fi
-	;;
-      esac
-      ;;
-
-    sunos4*)
-      archive_cmds='$LD -assert pure-text -Bshareable -o $lib $libobjs $deplibs $linker_flags'
-      wlarc=
-      hardcode_direct=yes
-      hardcode_shlibpath_var=no
-      ;;
-
-    *)
-      if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
-	archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
-	archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
-      else
-	ld_shlibs=no
-      fi
-      ;;
-    esac
-
-    if test "$ld_shlibs" = no; then
-      runpath_var=
-      hardcode_libdir_flag_spec=
-      export_dynamic_flag_spec=
-      whole_archive_flag_spec=
-    fi
-  else
-    # PORTME fill in a description of your system's linker (not GNU ld)
-    case $host_os in
-    aix3*)
-      allow_undefined_flag=unsupported
-      always_export_symbols=yes
-      archive_expsym_cmds='$LD -o $output_objdir/$soname $libobjs $deplibs $linker_flags -bE:$export_symbols -T512 -H512 -bM:SRE~$AR $AR_FLAGS $lib $output_objdir/$soname'
-      # Note: this linker hardcodes the directories in LIBPATH if there
-      # are no directories specified by -L.
-      hardcode_minus_L=yes
-      if test "$GCC" = yes && test -z "$lt_prog_compiler_static"; then
-	# Neither direct hardcoding nor static linking is supported with a
-	# broken collect2.
-	hardcode_direct=unsupported
-      fi
-      ;;
-
-    aix[4-9]*)
-      if test "$host_cpu" = ia64; then
-	# On IA64, the linker does run time linking by default, so we don't
-	# have to do anything special.
-	aix_use_runtimelinking=no
-	exp_sym_flag='-Bexport'
-	no_entry_flag=""
-      else
-	# If we're using GNU nm, then we don't want the "-C" option.
-	# -C means demangle to AIX nm, but means don't demangle with GNU nm
-	if $NM -V 2>&1 | grep 'GNU' > /dev/null; then
-	  export_symbols_cmds='$NM -Bpg $libobjs $convenience | awk '\''{ if (((\$2 == "T") || (\$2 == "D") || (\$2 == "B")) && (substr(\$3,1,1) != ".")) { print \$3 } }'\'' | sort -u > $export_symbols'
-	else
-	  export_symbols_cmds='$NM -BCpg $libobjs $convenience | awk '\''{ if (((\$2 == "T") || (\$2 == "D") || (\$2 == "B")) && (substr(\$3,1,1) != ".")) { print \$3 } }'\'' | sort -u > $export_symbols'
-	fi
-	aix_use_runtimelinking=no
-
-	# Test if we are trying to use run time linking or normal
-	# AIX style linking. If -brtl is somewhere in LDFLAGS, we
-	# need to do runtime linking.
-	case $host_os in aix4.[23]|aix4.[23].*|aix[5-9]*)
-	  for ld_flag in $LDFLAGS; do
-  	  if (test $ld_flag = "-brtl" || test $ld_flag = "-Wl,-brtl"); then
-  	    aix_use_runtimelinking=yes
-  	    break
-  	  fi
-	  done
-	  ;;
-	esac
-
-	exp_sym_flag='-bexport'
-	no_entry_flag='-bnoentry'
-      fi
-
-      # When large executables or shared objects are built, AIX ld can
-      # have problems creating the table of contents.  If linking a library
-      # or program results in "error TOC overflow" add -mminimal-toc to
-      # CXXFLAGS/CFLAGS for g++/gcc.  In the cases where that is not
-      # enough to fix the problem, add -Wl,-bbigtoc to LDFLAGS.
-
-      archive_cmds=''
-      hardcode_direct=yes
-      hardcode_libdir_separator=':'
-      link_all_deplibs=yes
-
-      if test "$GCC" = yes; then
-	case $host_os in aix4.[012]|aix4.[012].*)
-	# We only want to do this on AIX 4.2 and lower, the check
-	# below for broken collect2 doesn't work under 4.3+
-	  collect2name=`${CC} -print-prog-name=collect2`
-	  if test -f "$collect2name" && \
-  	   strings "$collect2name" | grep resolve_lib_name >/dev/null
-	  then
-  	  # We have reworked collect2
-  	  :
-	  else
-  	  # We have old collect2
-  	  hardcode_direct=unsupported
-  	  # It fails to find uninstalled libraries when the uninstalled
-  	  # path is not listed in the libpath.  Setting hardcode_minus_L
-  	  # to unsupported forces relinking
-  	  hardcode_minus_L=yes
-  	  hardcode_libdir_flag_spec='-L$libdir'
-  	  hardcode_libdir_separator=
-	  fi
-	  ;;
-	esac
-	shared_flag='-shared'
-	if test "$aix_use_runtimelinking" = yes; then
-	  shared_flag="$shared_flag "'${wl}-G'
-	fi
-      else
-	# not using gcc
-	if test "$host_cpu" = ia64; then
-  	# VisualAge C++, Version 5.5 for AIX 5L for IA-64, Beta 3 Release
-  	# chokes on -Wl,-G. The following line is correct:
-	  shared_flag='-G'
-	else
-	  if test "$aix_use_runtimelinking" = yes; then
-	    shared_flag='${wl}-G'
-	  else
-	    shared_flag='${wl}-bM:SRE'
-	  fi
-	fi
-      fi
-
-      # It seems that -bexpall does not export symbols beginning with
-      # underscore (_), so it is better to generate a list of symbols to export.
-      always_export_symbols=yes
-      if test "$aix_use_runtimelinking" = yes; then
-	# Warning - without using the other runtime loading flags (-brtl),
-	# -berok will link without error, but may produce a broken library.
-	allow_undefined_flag='-berok'
-       # Determine the default libpath from the value encoded in an empty executable.
-       cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-int
-main ()
-{
-
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
-
-lt_aix_libpath_sed='
-    /Import File Strings/,/^$/ {
-	/^0/ {
-	    s/^0  *\(.*\)$/\1/
-	    p
-	}
-    }'
-aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
-# Check for a 64-bit object if we didn't find anything.
-if test -z "$aix_libpath"; then
-  aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
-fi
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
-if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
-
-       hardcode_libdir_flag_spec='${wl}-blibpath:$libdir:'"$aix_libpath"
-	archive_expsym_cmds="\$CC"' -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then echo "${wl}${allow_undefined_flag}"; else :; fi` '"\${wl}$exp_sym_flag:\$export_symbols $shared_flag"
-       else
-	if test "$host_cpu" = ia64; then
-	  hardcode_libdir_flag_spec='${wl}-R $libdir:/usr/lib:/lib'
-	  allow_undefined_flag="-z nodefs"
-	  archive_expsym_cmds="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags ${wl}${allow_undefined_flag} '"\${wl}$exp_sym_flag:\$export_symbols"
-	else
-	 # Determine the default libpath from the value encoded in an empty executable.
-	 cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-int
-main ()
-{
-
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
-
-lt_aix_libpath_sed='
-    /Import File Strings/,/^$/ {
-	/^0/ {
-	    s/^0  *\(.*\)$/\1/
-	    p
-	}
-    }'
-aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
-# Check for a 64-bit object if we didn't find anything.
-if test -z "$aix_libpath"; then
-  aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
-fi
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
-if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
-
-	 hardcode_libdir_flag_spec='${wl}-blibpath:$libdir:'"$aix_libpath"
-	  # Warning - without using the other run time loading flags,
-	  # -berok will link without error, but may produce a broken library.
-	  no_undefined_flag=' ${wl}-bernotok'
-	  allow_undefined_flag=' ${wl}-berok'
-	  # Exported symbols can be pulled into shared objects from archives
-	  whole_archive_flag_spec='$convenience'
-	  archive_cmds_need_lc=yes
-	  # This is similar to how AIX traditionally builds its shared libraries.
-	  archive_expsym_cmds="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs ${wl}-bnoentry $compiler_flags ${wl}-bE:$export_symbols${allow_undefined_flag}~$AR $AR_FLAGS $output_objdir/$libname$release.a $output_objdir/$soname'
-	fi
-      fi
-      ;;
-
-    amigaos*)
-      archive_cmds='$rm $output_objdir/a2ixlibrary.data~$echo "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$echo "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$echo "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$echo "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)'
-      hardcode_libdir_flag_spec='-L$libdir'
-      hardcode_minus_L=yes
-      # see comment about different semantics on the GNU ld section
-      ld_shlibs=no
-      ;;
-
-    bsdi[45]*)
-      export_dynamic_flag_spec=-rdynamic
-      ;;
-
-    cygwin* | mingw* | pw32*)
-      # When not using gcc, we currently assume that we are using
-      # Microsoft Visual C++.
-      # hardcode_libdir_flag_spec is actually meaningless, as there is
-      # no search path for DLLs.
-      hardcode_libdir_flag_spec=' '
-      allow_undefined_flag=unsupported
-      # Tell ltmain to make .lib files, not .a files.
-      libext=lib
-      # Tell ltmain to make .dll files, not .so files.
-      shrext_cmds=".dll"
-      # FIXME: Setting linknames here is a bad hack.
-      archive_cmds='$CC -o $lib $libobjs $compiler_flags `echo "$deplibs" | $SED -e '\''s/ -lc$//'\''` -link -dll~linknames='
-      # The linker will automatically build a .lib file if we build a DLL.
-      old_archive_From_new_cmds='true'
-      # FIXME: Should let the user specify the lib program.
-      old_archive_cmds='lib -OUT:$oldlib$oldobjs$old_deplibs'
-      fix_srcfile_path='`cygpath -w "$srcfile"`'
-      enable_shared_with_static_runtimes=yes
-      ;;
-
-    darwin* | rhapsody*)
-      case $host_os in
-        rhapsody* | darwin1.[012])
-         allow_undefined_flag='${wl}-undefined ${wl}suppress'
-         ;;
-       *) # Darwin 1.3 on
-         if test -z ${MACOSX_DEPLOYMENT_TARGET} ; then
-           allow_undefined_flag='${wl}-flat_namespace ${wl}-undefined ${wl}suppress'
-         else
-           case ${MACOSX_DEPLOYMENT_TARGET} in
-             10.[012])
-               allow_undefined_flag='${wl}-flat_namespace ${wl}-undefined ${wl}suppress'
-               ;;
-             10.*)
-               allow_undefined_flag='${wl}-undefined ${wl}dynamic_lookup'
-               ;;
-           esac
-         fi
-         ;;
-      esac
-      archive_cmds_need_lc=no
-      hardcode_direct=no
-      hardcode_automatic=yes
-      hardcode_shlibpath_var=unsupported
-      whole_archive_flag_spec=''
-      link_all_deplibs=yes
-    if test "$GCC" = yes ; then
-    	output_verbose_link_cmd='echo'
-        archive_cmds="\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$libobjs \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring $_lt_dar_single_mod${_lt_dsymutil}"
-        module_cmds="\$CC \$allow_undefined_flag -o \$lib -bundle \$libobjs \$deplibs \$compiler_flags${_lt_dsymutil}"
-        archive_expsym_cmds="sed 's,^,_,' < \$export_symbols > \$output_objdir/\${libname}-symbols.expsym~\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$libobjs \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring ${_lt_dar_single_mod}${_lt_dar_export_syms}${_lt_dsymutil}"
-        module_expsym_cmds="sed -e 's,^,_,' < \$export_symbols > \$output_objdir/\${libname}-symbols.expsym~\$CC \$allow_undefined_flag -o \$lib -bundle \$libobjs \$deplibs \$compiler_flags${_lt_dar_export_syms}${_lt_dsymutil}"
-    else
-      case $cc_basename in
-        xlc*)
-         output_verbose_link_cmd='echo'
-         archive_cmds='$CC -qmkshrobj $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}`echo $rpath/$soname` $xlcverstring'
-         module_cmds='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
-          # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin lds
-         archive_expsym_cmds='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -qmkshrobj $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}$rpath/$soname $xlcverstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
-          module_expsym_cmds='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag  -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
-          ;;
-       *)
-         ld_shlibs=no
-          ;;
-      esac
-    fi
-      ;;
-
-    dgux*)
-      archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
-      hardcode_libdir_flag_spec='-L$libdir'
-      hardcode_shlibpath_var=no
-      ;;
-
-    freebsd1*)
-      ld_shlibs=no
-      ;;
-
-    # FreeBSD 2.2.[012] allows us to include c++rt0.o to get C++ constructor
-    # support.  Future versions do this automatically, but an explicit c++rt0.o
-    # does not break anything, and helps significantly (at the cost of a little
-    # extra space).
-    freebsd2.2*)
-      archive_cmds='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags /usr/lib/c++rt0.o'
-      hardcode_libdir_flag_spec='-R$libdir'
-      hardcode_direct=yes
-      hardcode_shlibpath_var=no
-      ;;
-
-    # Unfortunately, older versions of FreeBSD 2 do not have this feature.
-    freebsd2*)
-      archive_cmds='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'
-      hardcode_direct=yes
-      hardcode_minus_L=yes
-      hardcode_shlibpath_var=no
-      ;;
-
-    # FreeBSD 3 and greater uses gcc -shared to do shared libraries.
-    freebsd* | dragonfly*)
-      archive_cmds='$CC -shared -o $lib $libobjs $deplibs $compiler_flags'
-      hardcode_libdir_flag_spec='-R$libdir'
-      hardcode_direct=yes
-      hardcode_shlibpath_var=no
-      ;;
-
-    hpux9*)
-      if test "$GCC" = yes; then
-	archive_cmds='$rm $output_objdir/$soname~$CC -shared -fPIC ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $libobjs $deplibs $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
-      else
-	archive_cmds='$rm $output_objdir/$soname~$LD -b +b $install_libdir -o $output_objdir/$soname $libobjs $deplibs $linker_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
-      fi
-      hardcode_libdir_flag_spec='${wl}+b ${wl}$libdir'
-      hardcode_libdir_separator=:
-      hardcode_direct=yes
-
-      # hardcode_minus_L: Not really in the search PATH,
-      # but as the default location of the library.
-      hardcode_minus_L=yes
-      export_dynamic_flag_spec='${wl}-E'
-      ;;
-
-    hpux10*)
-      if test "$GCC" = yes -a "$with_gnu_ld" = no; then
-	archive_cmds='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
-      else
-	archive_cmds='$LD -b +h $soname +b $install_libdir -o $lib $libobjs $deplibs $linker_flags'
-      fi
-      if test "$with_gnu_ld" = no; then
-	hardcode_libdir_flag_spec='${wl}+b ${wl}$libdir'
-	hardcode_libdir_separator=:
-
-	hardcode_direct=yes
-	export_dynamic_flag_spec='${wl}-E'
-
-	# hardcode_minus_L: Not really in the search PATH,
-	# but as the default location of the library.
-	hardcode_minus_L=yes
-      fi
-      ;;
-
-    hpux11*)
-      if test "$GCC" = yes -a "$with_gnu_ld" = no; then
-	case $host_cpu in
-	hppa*64*)
-	  archive_cmds='$CC -shared ${wl}+h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
-	  ;;
-	ia64*)
-	  archive_cmds='$CC -shared ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags'
-	  ;;
-	*)
-	  archive_cmds='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
-	  ;;
-	esac
-      else
-	case $host_cpu in
-	hppa*64*)
-	  archive_cmds='$CC -b ${wl}+h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
-	  ;;
-	ia64*)
-	  archive_cmds='$CC -b ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags'
-	  ;;
-	*)
-	  archive_cmds='$CC -b ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
-	  ;;
-	esac
-      fi
-      if test "$with_gnu_ld" = no; then
-	hardcode_libdir_flag_spec='${wl}+b ${wl}$libdir'
-	hardcode_libdir_separator=:
-
-	case $host_cpu in
-	hppa*64*|ia64*)
-	  hardcode_libdir_flag_spec_ld='+b $libdir'
-	  hardcode_direct=no
-	  hardcode_shlibpath_var=no
-	  ;;
-	*)
-	  hardcode_direct=yes
-	  export_dynamic_flag_spec='${wl}-E'
-
-	  # hardcode_minus_L: Not really in the search PATH,
-	  # but as the default location of the library.
-	  hardcode_minus_L=yes
-	  ;;
-	esac
-      fi
-      ;;
-
-    irix5* | irix6* | nonstopux*)
-      if test "$GCC" = yes; then
-	archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
-      else
-	archive_cmds='$LD -shared $libobjs $deplibs $linker_flags -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
-	hardcode_libdir_flag_spec_ld='-rpath $libdir'
-      fi
-      hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir'
-      hardcode_libdir_separator=:
-      link_all_deplibs=yes
-      ;;
-
-    netbsd* | netbsdelf*-gnu)
-      if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
-	archive_cmds='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'  # a.out
-      else
-	archive_cmds='$LD -shared -o $lib $libobjs $deplibs $linker_flags'      # ELF
-      fi
-      hardcode_libdir_flag_spec='-R$libdir'
-      hardcode_direct=yes
-      hardcode_shlibpath_var=no
-      ;;
-
-    newsos6)
-      archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
-      hardcode_direct=yes
-      hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir'
-      hardcode_libdir_separator=:
-      hardcode_shlibpath_var=no
-      ;;
-
-    openbsd*)
-      if test -f /usr/libexec/ld.so; then
-	hardcode_direct=yes
-	hardcode_shlibpath_var=no
-	if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
-	  archive_cmds='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
-	  archive_expsym_cmds='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-retain-symbols-file,$export_symbols'
-	  hardcode_libdir_flag_spec='${wl}-rpath,$libdir'
-	  export_dynamic_flag_spec='${wl}-E'
-	else
-	  case $host_os in
-	   openbsd[01].* | openbsd2.[0-7] | openbsd2.[0-7].*)
-	     archive_cmds='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'
-	     hardcode_libdir_flag_spec='-R$libdir'
-	     ;;
-	   *)
-	     archive_cmds='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
-	     hardcode_libdir_flag_spec='${wl}-rpath,$libdir'
-	     ;;
-	  esac
-        fi
-      else
-	ld_shlibs=no
-      fi
-      ;;
-
-    os2*)
-      hardcode_libdir_flag_spec='-L$libdir'
-      hardcode_minus_L=yes
-      allow_undefined_flag=unsupported
-      archive_cmds='$echo "LIBRARY $libname INITINSTANCE" > $output_objdir/$libname.def~$echo "DESCRIPTION \"$libname\"" >> $output_objdir/$libname.def~$echo DATA >> $output_objdir/$libname.def~$echo " SINGLE NONSHARED" >> $output_objdir/$libname.def~$echo EXPORTS >> $output_objdir/$libname.def~emxexp $libobjs >> $output_objdir/$libname.def~$CC -Zdll -Zcrtdll -o $lib $libobjs $deplibs $compiler_flags $output_objdir/$libname.def'
-      old_archive_From_new_cmds='emximp -o $output_objdir/$libname.a $output_objdir/$libname.def'
-      ;;
-
-    osf3*)
-      if test "$GCC" = yes; then
-	allow_undefined_flag=' ${wl}-expect_unresolved ${wl}\*'
-	archive_cmds='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
-      else
-	allow_undefined_flag=' -expect_unresolved \*'
-	archive_cmds='$LD -shared${allow_undefined_flag} $libobjs $deplibs $linker_flags -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
-      fi
-      hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir'
-      hardcode_libdir_separator=:
-      ;;
-
-    osf4* | osf5*)	# as osf3* with the addition of -msym flag
-      if test "$GCC" = yes; then
-	allow_undefined_flag=' ${wl}-expect_unresolved ${wl}\*'
-	archive_cmds='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-msym ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
-	hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir'
-      else
-	allow_undefined_flag=' -expect_unresolved \*'
-	archive_cmds='$LD -shared${allow_undefined_flag} $libobjs $deplibs $linker_flags -msym -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
-	archive_expsym_cmds='for i in `cat $export_symbols`; do printf "%s %s\\n" -exported_symbol "\$i" >> $lib.exp; done; echo "-hidden">> $lib.exp~
-	$LD -shared${allow_undefined_flag} -input $lib.exp $linker_flags $libobjs $deplibs -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib~$rm $lib.exp'
-
-	# Both c and cxx compiler support -rpath directly
-	hardcode_libdir_flag_spec='-rpath $libdir'
-      fi
-      hardcode_libdir_separator=:
-      ;;
-
-    solaris*)
-      no_undefined_flag=' -z text'
-      if test "$GCC" = yes; then
-	wlarc='${wl}'
-	archive_cmds='$CC -shared ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
-	archive_expsym_cmds='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
-	  $CC -shared ${wl}-M ${wl}$lib.exp ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags~$rm $lib.exp'
-      else
-	wlarc=''
-	archive_cmds='$LD -G${allow_undefined_flag} -h $soname -o $lib $libobjs $deplibs $linker_flags'
-	archive_expsym_cmds='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
-  	$LD -G${allow_undefined_flag} -M $lib.exp -h $soname -o $lib $libobjs $deplibs $linker_flags~$rm $lib.exp'
-      fi
-      hardcode_libdir_flag_spec='-R$libdir'
-      hardcode_shlibpath_var=no
-      case $host_os in
-      solaris2.[0-5] | solaris2.[0-5].*) ;;
-      *)
-	# The compiler driver will combine and reorder linker options,
-	# but understands `-z linker_flag'.  GCC discards it without `$wl',
-	# but is careful enough not to reorder.
- 	# Supported since Solaris 2.6 (maybe 2.5.1?)
-	if test "$GCC" = yes; then
-	  whole_archive_flag_spec='${wl}-z ${wl}allextract$convenience ${wl}-z ${wl}defaultextract'
-	else
-	  whole_archive_flag_spec='-z allextract$convenience -z defaultextract'
-	fi
-	;;
-      esac
-      link_all_deplibs=yes
-      ;;
-
-    sunos4*)
-      if test "x$host_vendor" = xsequent; then
-	# Use $CC to link under sequent, because it throws in some extra .o
-	# files that make .init and .fini sections work.
-	archive_cmds='$CC -G ${wl}-h $soname -o $lib $libobjs $deplibs $compiler_flags'
-      else
-	archive_cmds='$LD -assert pure-text -Bstatic -o $lib $libobjs $deplibs $linker_flags'
-      fi
-      hardcode_libdir_flag_spec='-L$libdir'
-      hardcode_direct=yes
-      hardcode_minus_L=yes
-      hardcode_shlibpath_var=no
-      ;;
-
-    sysv4)
-      case $host_vendor in
-	sni)
-	  archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
-	  hardcode_direct=yes # is this really true???
-	;;
-	siemens)
-	  ## LD is ld it makes a PLAMLIB
-	  ## CC just makes a GrossModule.
-	  archive_cmds='$LD -G -o $lib $libobjs $deplibs $linker_flags'
-	  reload_cmds='$CC -r -o $output$reload_objs'
-	  hardcode_direct=no
-        ;;
-	motorola)
-	  archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
-	  hardcode_direct=no #Motorola manual says yes, but my tests say they lie
-	;;
-      esac
-      runpath_var='LD_RUN_PATH'
-      hardcode_shlibpath_var=no
-      ;;
-
-    sysv4.3*)
-      archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
-      hardcode_shlibpath_var=no
-      export_dynamic_flag_spec='-Bexport'
-      ;;
-
-    sysv4*MP*)
-      if test -d /usr/nec; then
-	archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
-	hardcode_shlibpath_var=no
-	runpath_var=LD_RUN_PATH
-	hardcode_runpath_var=yes
-	ld_shlibs=yes
-      fi
-      ;;
-
-    sysv4*uw2* | sysv5OpenUNIX* | sysv5UnixWare7.[01].[10]* | unixware7* | sco3.2v5.0.[024]*)
-      no_undefined_flag='${wl}-z,text'
-      archive_cmds_need_lc=no
-      hardcode_shlibpath_var=no
-      runpath_var='LD_RUN_PATH'
-
-      if test "$GCC" = yes; then
-	archive_cmds='$CC -shared ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
-	archive_expsym_cmds='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
-      else
-	archive_cmds='$CC -G ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
-	archive_expsym_cmds='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
-      fi
-      ;;
-
-    sysv5* | sco3.2v5* | sco5v6*)
-      # Note: We can NOT use -z defs as we might desire, because we do not
-      # link with -lc, and that would cause any symbols used from libc to
-      # always be unresolved, which means just about no library would
-      # ever link correctly.  If we're not using GNU ld we use -z text
-      # though, which does catch some bad symbols but isn't as heavy-handed
-      # as -z defs.
-      no_undefined_flag='${wl}-z,text'
-      allow_undefined_flag='${wl}-z,nodefs'
-      archive_cmds_need_lc=no
-      hardcode_shlibpath_var=no
-      hardcode_libdir_flag_spec='`test -z "$SCOABSPATH" && echo ${wl}-R,$libdir`'
-      hardcode_libdir_separator=':'
-      link_all_deplibs=yes
-      export_dynamic_flag_spec='${wl}-Bexport'
-      runpath_var='LD_RUN_PATH'
-
-      if test "$GCC" = yes; then
-	archive_cmds='$CC -shared ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
-	archive_expsym_cmds='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
-      else
-	archive_cmds='$CC -G ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
-	archive_expsym_cmds='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
-      fi
-      ;;
-
-    uts4*)
-      archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
-      hardcode_libdir_flag_spec='-L$libdir'
-      hardcode_shlibpath_var=no
-      ;;
-
-    *)
-      ld_shlibs=no
-      ;;
-    esac
-  fi
-
-{ echo "$as_me:$LINENO: result: $ld_shlibs" >&5
-echo "${ECHO_T}$ld_shlibs" >&6; }
-test "$ld_shlibs" = no && can_build_shared=no
-
-#
-# Do we need to explicitly link libc?
-#
-case "x$archive_cmds_need_lc" in
-x|xyes)
-  # Assume -lc should be added
-  archive_cmds_need_lc=yes
-
-  if test "$enable_shared" = yes && test "$GCC" = yes; then
-    case $archive_cmds in
-    *'~'*)
-      # FIXME: we may have to deal with multi-command sequences.
-      ;;
-    '$CC '*)
-      # Test whether the compiler implicitly links with -lc since on some
-      # systems, -lgcc has to come before -lc. If gcc already passes -lc
-      # to ld, don't add -lc before -lgcc.
-      { echo "$as_me:$LINENO: checking whether -lc should be explicitly linked in" >&5
-echo $ECHO_N "checking whether -lc should be explicitly linked in... $ECHO_C" >&6; }
-      $rm conftest*
-      echo "$lt_simple_compile_test_code" > conftest.$ac_ext
-
-      if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } 2>conftest.err; then
-        soname=conftest
-        lib=conftest
-        libobjs=conftest.$ac_objext
-        deplibs=
-        wl=$lt_prog_compiler_wl
-	pic_flag=$lt_prog_compiler_pic
-        compiler_flags=-v
-        linker_flags=-v
-        verstring=
-        output_objdir=.
-        libname=conftest
-        lt_save_allow_undefined_flag=$allow_undefined_flag
-        allow_undefined_flag=
-        if { (eval echo "$as_me:$LINENO: \"$archive_cmds 2\>\&1 \| grep \" -lc \" \>/dev/null 2\>\&1\"") >&5
-  (eval $archive_cmds 2\>\&1 \| grep \" -lc \" \>/dev/null 2\>\&1) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }
-        then
-	  archive_cmds_need_lc=no
-        else
-	  archive_cmds_need_lc=yes
-        fi
-        allow_undefined_flag=$lt_save_allow_undefined_flag
-      else
-        cat conftest.err 1>&5
-      fi
-      $rm conftest*
-      { echo "$as_me:$LINENO: result: $archive_cmds_need_lc" >&5
-echo "${ECHO_T}$archive_cmds_need_lc" >&6; }
-      ;;
-    esac
-  fi
-  ;;
-esac
-
-{ echo "$as_me:$LINENO: checking dynamic linker characteristics" >&5
-echo $ECHO_N "checking dynamic linker characteristics... $ECHO_C" >&6; }
-library_names_spec=
-libname_spec='lib$name'
-soname_spec=
-shrext_cmds=".so"
-postinstall_cmds=
-postuninstall_cmds=
-finish_cmds=
-finish_eval=
-shlibpath_var=
-shlibpath_overrides_runpath=unknown
-version_type=none
-dynamic_linker="$host_os ld.so"
-sys_lib_dlsearch_path_spec="/lib /usr/lib"
-
-if test "$GCC" = yes; then
-  case $host_os in
-    darwin*) lt_awk_arg="/^libraries:/,/LR/" ;;
-    *) lt_awk_arg="/^libraries:/" ;;
-  esac
-  lt_search_path_spec=`$CC -print-search-dirs | awk $lt_awk_arg | $SED -e "s/^libraries://" -e "s,=/,/,g"`
-  if echo "$lt_search_path_spec" | grep ';' >/dev/null ; then
-    # if the path contains ";" then we assume it to be the separator
-    # otherwise default to the standard path separator (i.e. ":") - it is
-    # assumed that no part of a normal pathname contains ";" but that should
-    # okay in the real world where ";" in dirpaths is itself problematic.
-    lt_search_path_spec=`echo "$lt_search_path_spec" | $SED -e 's/;/ /g'`
-  else
-    lt_search_path_spec=`echo "$lt_search_path_spec" | $SED  -e "s/$PATH_SEPARATOR/ /g"`
-  fi
-  # Ok, now we have the path, separated by spaces, we can step through it
-  # and add multilib dir if necessary.
-  lt_tmp_lt_search_path_spec=
-  lt_multi_os_dir=`$CC $CPPFLAGS $CFLAGS $LDFLAGS -print-multi-os-directory 2>/dev/null`
-  for lt_sys_path in $lt_search_path_spec; do
-    if test -d "$lt_sys_path/$lt_multi_os_dir"; then
-      lt_tmp_lt_search_path_spec="$lt_tmp_lt_search_path_spec $lt_sys_path/$lt_multi_os_dir"
-    else
-      test -d "$lt_sys_path" && \
-	lt_tmp_lt_search_path_spec="$lt_tmp_lt_search_path_spec $lt_sys_path"
-    fi
-  done
-  lt_search_path_spec=`echo $lt_tmp_lt_search_path_spec | awk '
-BEGIN {RS=" "; FS="/|\n";} {
-  lt_foo="";
-  lt_count=0;
-  for (lt_i = NF; lt_i > 0; lt_i--) {
-    if ($lt_i != "" && $lt_i != ".") {
-      if ($lt_i == "..") {
-        lt_count++;
-      } else {
-        if (lt_count == 0) {
-          lt_foo="/" $lt_i lt_foo;
-        } else {
-          lt_count--;
-        }
-      }
-    }
-  }
-  if (lt_foo != "") { lt_freq[lt_foo]++; }
-  if (lt_freq[lt_foo] == 1) { print lt_foo; }
-}'`
-  sys_lib_search_path_spec=`echo $lt_search_path_spec`
-else
-  sys_lib_search_path_spec="/lib /usr/lib /usr/local/lib"
-fi
-need_lib_prefix=unknown
-hardcode_into_libs=no
-
-# when you set need_version to no, make sure it does not cause -set_version
-# flags to be left without arguments
-need_version=unknown
-
-case $host_os in
-aix3*)
-  version_type=linux
-  library_names_spec='${libname}${release}${shared_ext}$versuffix $libname.a'
-  shlibpath_var=LIBPATH
-
-  # AIX 3 has no versioning support, so we append a major version to the name.
-  soname_spec='${libname}${release}${shared_ext}$major'
-  ;;
-
-aix[4-9]*)
-  version_type=linux
-  need_lib_prefix=no
-  need_version=no
-  hardcode_into_libs=yes
-  if test "$host_cpu" = ia64; then
-    # AIX 5 supports IA64
-    library_names_spec='${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext}$versuffix $libname${shared_ext}'
-    shlibpath_var=LD_LIBRARY_PATH
-  else
-    # With GCC up to 2.95.x, collect2 would create an import file
-    # for dependence libraries.  The import file would start with
-    # the line `#! .'.  This would cause the generated library to
-    # depend on `.', always an invalid library.  This was fixed in
-    # development snapshots of GCC prior to 3.0.
-    case $host_os in
-      aix4 | aix4.[01] | aix4.[01].*)
-      if { echo '#if __GNUC__ > 2 || (__GNUC__ == 2 && __GNUC_MINOR__ >= 97)'
-	   echo ' yes '
-	   echo '#endif'; } | ${CC} -E - | grep yes > /dev/null; then
-	:
-      else
-	can_build_shared=no
-      fi
-      ;;
-    esac
-    # AIX (on Power*) has no versioning support, so currently we can not hardcode correct
-    # soname into executable. Probably we can add versioning support to
-    # collect2, so additional links can be useful in future.
-    if test "$aix_use_runtimelinking" = yes; then
-      # If using run time linking (on AIX 4.2 or later) use lib<name>.so
-      # instead of lib<name>.a to let people know that these are not
-      # typical AIX shared libraries.
-      library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-    else
-      # We preserve .a as extension for shared libraries through AIX4.2
-      # and later when we are not doing run time linking.
-      library_names_spec='${libname}${release}.a $libname.a'
-      soname_spec='${libname}${release}${shared_ext}$major'
-    fi
-    shlibpath_var=LIBPATH
-  fi
-  ;;
-
-amigaos*)
-  library_names_spec='$libname.ixlibrary $libname.a'
-  # Create ${libname}_ixlibrary.a entries in /sys/libs.
-  finish_eval='for lib in `ls $libdir/*.ixlibrary 2>/dev/null`; do libname=`$echo "X$lib" | $Xsed -e '\''s%^.*/\([^/]*\)\.ixlibrary$%\1%'\''`; test $rm /sys/libs/${libname}_ixlibrary.a; $show "cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a"; cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a || exit 1; done'
-  ;;
-
-beos*)
-  library_names_spec='${libname}${shared_ext}'
-  dynamic_linker="$host_os ld.so"
-  shlibpath_var=LIBRARY_PATH
-  ;;
-
-bsdi[45]*)
-  version_type=linux
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  finish_cmds='PATH="\$PATH:/sbin" ldconfig $libdir'
-  shlibpath_var=LD_LIBRARY_PATH
-  sys_lib_search_path_spec="/shlib /usr/lib /usr/X11/lib /usr/contrib/lib /lib /usr/local/lib"
-  sys_lib_dlsearch_path_spec="/shlib /usr/lib /usr/local/lib"
-  # the default ld.so.conf also contains /usr/contrib/lib and
-  # /usr/X11R6/lib (/usr/X11 is a link to /usr/X11R6), but let us allow
-  # libtool to hard-code these into programs
-  ;;
-
-cygwin* | mingw* | pw32*)
-  version_type=windows
-  shrext_cmds=".dll"
-  need_version=no
-  need_lib_prefix=no
-
-  case $GCC,$host_os in
-  yes,cygwin* | yes,mingw* | yes,pw32*)
-    library_names_spec='$libname.dll.a'
-    # DLL is installed to $(libdir)/../bin by postinstall_cmds
-    postinstall_cmds='base_file=`basename \${file}`~
-      dlpath=`$SHELL 2>&1 -c '\''. $dir/'\''\${base_file}'\''i;echo \$dlname'\''`~
-      dldir=$destdir/`dirname \$dlpath`~
-      test -d \$dldir || mkdir -p \$dldir~
-      $install_prog $dir/$dlname \$dldir/$dlname~
-      chmod a+x \$dldir/$dlname'
-    postuninstall_cmds='dldll=`$SHELL 2>&1 -c '\''. $file; echo \$dlname'\''`~
-      dlpath=$dir/\$dldll~
-       $rm \$dlpath'
-    shlibpath_overrides_runpath=yes
-
-    case $host_os in
-    cygwin*)
-      # Cygwin DLLs use 'cyg' prefix rather than 'lib'
-      soname_spec='`echo ${libname} | sed -e 's/^lib/cyg/'``echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}'
-      sys_lib_search_path_spec="/usr/lib /lib/w32api /lib /usr/local/lib"
-      ;;
-    mingw*)
-      # MinGW DLLs use traditional 'lib' prefix
-      soname_spec='${libname}`echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}'
-      sys_lib_search_path_spec=`$CC -print-search-dirs | grep "^libraries:" | $SED -e "s/^libraries://" -e "s,=/,/,g"`
-      if echo "$sys_lib_search_path_spec" | grep ';[c-zC-Z]:/' >/dev/null; then
-        # It is most probably a Windows format PATH printed by
-        # mingw gcc, but we are running on Cygwin. Gcc prints its search
-        # path with ; separators, and with drive letters. We can handle the
-        # drive letters (cygwin fileutils understands them), so leave them,
-        # especially as we might pass files found there to a mingw objdump,
-        # which wouldn't understand a cygwinified path. Ahh.
-        sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'`
-      else
-        sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED  -e "s/$PATH_SEPARATOR/ /g"`
-      fi
-      ;;
-    pw32*)
-      # pw32 DLLs use 'pw' prefix rather than 'lib'
-      library_names_spec='`echo ${libname} | sed -e 's/^lib/pw/'``echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}'
-      ;;
-    esac
-    ;;
-
-  *)
-    library_names_spec='${libname}`echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext} $libname.lib'
-    ;;
-  esac
-  dynamic_linker='Win32 ld.exe'
-  # FIXME: first we should search . and the directory the executable is in
-  shlibpath_var=PATH
-  ;;
-
-darwin* | rhapsody*)
-  dynamic_linker="$host_os dyld"
-  version_type=darwin
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${versuffix}$shared_ext ${libname}${release}${major}$shared_ext ${libname}$shared_ext'
-  soname_spec='${libname}${release}${major}$shared_ext'
-  shlibpath_overrides_runpath=yes
-  shlibpath_var=DYLD_LIBRARY_PATH
-  shrext_cmds='`test .$module = .yes && echo .so || echo .dylib`'
-
-  sys_lib_search_path_spec="$sys_lib_search_path_spec /usr/local/lib"
-  sys_lib_dlsearch_path_spec='/usr/local/lib /lib /usr/lib'
-  ;;
-
-dgux*)
-  version_type=linux
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname$shared_ext'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  ;;
-
-freebsd1*)
-  dynamic_linker=no
-  ;;
-
-freebsd* | dragonfly*)
-  # DragonFly does not have aout.  When/if they implement a new
-  # versioning mechanism, adjust this.
-  if test -x /usr/bin/objformat; then
-    objformat=`/usr/bin/objformat`
-  else
-    case $host_os in
-    freebsd[123]*) objformat=aout ;;
-    *) objformat=elf ;;
-    esac
-  fi
-  version_type=freebsd-$objformat
-  case $version_type in
-    freebsd-elf*)
-      library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext} $libname${shared_ext}'
-      need_version=no
-      need_lib_prefix=no
-      ;;
-    freebsd-*)
-      library_names_spec='${libname}${release}${shared_ext}$versuffix $libname${shared_ext}$versuffix'
-      need_version=yes
-      ;;
-  esac
-  shlibpath_var=LD_LIBRARY_PATH
-  case $host_os in
-  freebsd2*)
-    shlibpath_overrides_runpath=yes
-    ;;
-  freebsd3.[01]* | freebsdelf3.[01]*)
-    shlibpath_overrides_runpath=yes
-    hardcode_into_libs=yes
-    ;;
-  freebsd3.[2-9]* | freebsdelf3.[2-9]* | \
-  freebsd4.[0-5] | freebsdelf4.[0-5] | freebsd4.1.1 | freebsdelf4.1.1)
-    shlibpath_overrides_runpath=no
-    hardcode_into_libs=yes
-    ;;
-  *) # from 4.6 on, and DragonFly
-    shlibpath_overrides_runpath=yes
-    hardcode_into_libs=yes
-    ;;
-  esac
-  ;;
-
-gnu*)
-  version_type=linux
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}${major} ${libname}${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  hardcode_into_libs=yes
-  ;;
-
-hpux9* | hpux10* | hpux11*)
-  # Give a soname corresponding to the major version so that dld.sl refuses to
-  # link against other versions.
-  version_type=sunos
-  need_lib_prefix=no
-  need_version=no
-  case $host_cpu in
-  ia64*)
-    shrext_cmds='.so'
-    hardcode_into_libs=yes
-    dynamic_linker="$host_os dld.so"
-    shlibpath_var=LD_LIBRARY_PATH
-    shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
-    library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-    soname_spec='${libname}${release}${shared_ext}$major'
-    if test "X$HPUX_IA64_MODE" = X32; then
-      sys_lib_search_path_spec="/usr/lib/hpux32 /usr/local/lib/hpux32 /usr/local/lib"
-    else
-      sys_lib_search_path_spec="/usr/lib/hpux64 /usr/local/lib/hpux64"
-    fi
-    sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
-    ;;
-   hppa*64*)
-     shrext_cmds='.sl'
-     hardcode_into_libs=yes
-     dynamic_linker="$host_os dld.sl"
-     shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH
-     shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
-     library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-     soname_spec='${libname}${release}${shared_ext}$major'
-     sys_lib_search_path_spec="/usr/lib/pa20_64 /usr/ccs/lib/pa20_64"
-     sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
-     ;;
-   *)
-    shrext_cmds='.sl'
-    dynamic_linker="$host_os dld.sl"
-    shlibpath_var=SHLIB_PATH
-    shlibpath_overrides_runpath=no # +s is required to enable SHLIB_PATH
-    library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-    soname_spec='${libname}${release}${shared_ext}$major'
-    ;;
-  esac
-  # HP-UX runs *really* slowly unless shared libraries are mode 555.
-  postinstall_cmds='chmod 555 $lib'
-  ;;
-
-interix[3-9]*)
-  version_type=linux
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  dynamic_linker='Interix 3.x ld.so.1 (PE, like ELF)'
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=no
-  hardcode_into_libs=yes
-  ;;
-
-irix5* | irix6* | nonstopux*)
-  case $host_os in
-    nonstopux*) version_type=nonstopux ;;
-    *)
-	if test "$lt_cv_prog_gnu_ld" = yes; then
-		version_type=linux
-	else
-		version_type=irix
-	fi ;;
-  esac
-  need_lib_prefix=no
-  need_version=no
-  soname_spec='${libname}${release}${shared_ext}$major'
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext} $libname${shared_ext}'
-  case $host_os in
-  irix5* | nonstopux*)
-    libsuff= shlibsuff=
-    ;;
-  *)
-    case $LD in # libtool.m4 will add one of these switches to LD
-    *-32|*"-32 "|*-melf32bsmip|*"-melf32bsmip ")
-      libsuff= shlibsuff= libmagic=32-bit;;
-    *-n32|*"-n32 "|*-melf32bmipn32|*"-melf32bmipn32 ")
-      libsuff=32 shlibsuff=N32 libmagic=N32;;
-    *-64|*"-64 "|*-melf64bmip|*"-melf64bmip ")
-      libsuff=64 shlibsuff=64 libmagic=64-bit;;
-    *) libsuff= shlibsuff= libmagic=never-match;;
-    esac
-    ;;
-  esac
-  shlibpath_var=LD_LIBRARY${shlibsuff}_PATH
-  shlibpath_overrides_runpath=no
-  sys_lib_search_path_spec="/usr/lib${libsuff} /lib${libsuff} /usr/local/lib${libsuff}"
-  sys_lib_dlsearch_path_spec="/usr/lib${libsuff} /lib${libsuff}"
-  hardcode_into_libs=yes
-  ;;
-
-# No shared lib support for Linux oldld, aout, or coff.
-linux*oldld* | linux*aout* | linux*coff*)
-  dynamic_linker=no
-  ;;
-
-# This must be Linux ELF.
-linux* | k*bsd*-gnu)
-  version_type=linux
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  finish_cmds='PATH="\$PATH:/sbin" ldconfig -n $libdir'
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=no
-  # This implies no fast_install, which is unacceptable.
-  # Some rework will be needed to allow for fast_install
-  # before this can be enabled.
-  hardcode_into_libs=yes
-
-  # Append ld.so.conf contents to the search path
-  if test -f /etc/ld.so.conf; then
-    lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ 	]*hwcap[ 	]/d;s/[:,	]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;/^$/d' | tr '\n' ' '`
-    sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
-  fi
-
-  # We used to test for /lib/ld.so.1 and disable shared libraries on
-  # powerpc, because MkLinux only supported shared libraries with the
-  # GNU dynamic linker.  Since this was broken with cross compilers,
-  # most powerpc-linux boxes support dynamic linking these days and
-  # people can always --disable-shared, the test was removed, and we
-  # assume the GNU/Linux dynamic linker is in use.
-  dynamic_linker='GNU/Linux ld.so'
-  ;;
-
-netbsdelf*-gnu)
-  version_type=linux
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=no
-  hardcode_into_libs=yes
-  dynamic_linker='NetBSD ld.elf_so'
-  ;;
-
-netbsd*)
-  version_type=sunos
-  need_lib_prefix=no
-  need_version=no
-  if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
-    library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
-    finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
-    dynamic_linker='NetBSD (a.out) ld.so'
-  else
-    library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
-    soname_spec='${libname}${release}${shared_ext}$major'
-    dynamic_linker='NetBSD ld.elf_so'
-  fi
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=yes
-  hardcode_into_libs=yes
-  ;;
-
-newsos6)
-  version_type=linux
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=yes
-  ;;
-
-nto-qnx*)
-  version_type=linux
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=yes
-  ;;
-
-openbsd*)
-  version_type=sunos
-  sys_lib_dlsearch_path_spec="/usr/lib"
-  need_lib_prefix=no
-  # Some older versions of OpenBSD (3.3 at least) *do* need versioned libs.
-  case $host_os in
-    openbsd3.3 | openbsd3.3.*) need_version=yes ;;
-    *)                         need_version=no  ;;
-  esac
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
-  finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
-  shlibpath_var=LD_LIBRARY_PATH
-  if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
-    case $host_os in
-      openbsd2.[89] | openbsd2.[89].*)
-	shlibpath_overrides_runpath=no
-	;;
-      *)
-	shlibpath_overrides_runpath=yes
-	;;
-      esac
-  else
-    shlibpath_overrides_runpath=yes
-  fi
-  ;;
-
-os2*)
-  libname_spec='$name'
-  shrext_cmds=".dll"
-  need_lib_prefix=no
-  library_names_spec='$libname${shared_ext} $libname.a'
-  dynamic_linker='OS/2 ld.exe'
-  shlibpath_var=LIBPATH
-  ;;
-
-osf3* | osf4* | osf5*)
-  version_type=osf
-  need_lib_prefix=no
-  need_version=no
-  soname_spec='${libname}${release}${shared_ext}$major'
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-  shlibpath_var=LD_LIBRARY_PATH
-  sys_lib_search_path_spec="/usr/shlib /usr/ccs/lib /usr/lib/cmplrs/cc /usr/lib /usr/local/lib /var/shlib"
-  sys_lib_dlsearch_path_spec="$sys_lib_search_path_spec"
-  ;;
-
-rdos*)
-  dynamic_linker=no
-  ;;
-
-solaris*)
-  version_type=linux
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=yes
-  hardcode_into_libs=yes
-  # ldd complains unless libraries are executable
-  postinstall_cmds='chmod +x $lib'
-  ;;
-
-sunos4*)
-  version_type=sunos
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
-  finish_cmds='PATH="\$PATH:/usr/etc" ldconfig $libdir'
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=yes
-  if test "$with_gnu_ld" = yes; then
-    need_lib_prefix=no
-  fi
-  need_version=yes
-  ;;
-
-sysv4 | sysv4.3*)
-  version_type=linux
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  case $host_vendor in
-    sni)
-      shlibpath_overrides_runpath=no
-      need_lib_prefix=no
-      export_dynamic_flag_spec='${wl}-Blargedynsym'
-      runpath_var=LD_RUN_PATH
-      ;;
-    siemens)
-      need_lib_prefix=no
-      ;;
-    motorola)
-      need_lib_prefix=no
-      need_version=no
-      shlibpath_overrides_runpath=no
-      sys_lib_search_path_spec='/lib /usr/lib /usr/ccs/lib'
-      ;;
-  esac
-  ;;
-
-sysv4*MP*)
-  if test -d /usr/nec ;then
-    version_type=linux
-    library_names_spec='$libname${shared_ext}.$versuffix $libname${shared_ext}.$major $libname${shared_ext}'
-    soname_spec='$libname${shared_ext}.$major'
-    shlibpath_var=LD_LIBRARY_PATH
-  fi
-  ;;
-
-sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX* | sysv4*uw2*)
-  version_type=freebsd-elf
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext} $libname${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  hardcode_into_libs=yes
-  if test "$with_gnu_ld" = yes; then
-    sys_lib_search_path_spec='/usr/local/lib /usr/gnu/lib /usr/ccs/lib /usr/lib /lib'
-    shlibpath_overrides_runpath=no
-  else
-    sys_lib_search_path_spec='/usr/ccs/lib /usr/lib'
-    shlibpath_overrides_runpath=yes
-    case $host_os in
-      sco3.2v5*)
-        sys_lib_search_path_spec="$sys_lib_search_path_spec /lib"
-	;;
-    esac
-  fi
-  sys_lib_dlsearch_path_spec='/usr/lib'
-  ;;
-
-uts4*)
-  version_type=linux
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  ;;
-
-*)
-  dynamic_linker=no
-  ;;
-esac
-{ echo "$as_me:$LINENO: result: $dynamic_linker" >&5
-echo "${ECHO_T}$dynamic_linker" >&6; }
-test "$dynamic_linker" = no && can_build_shared=no
-
-if test "${lt_cv_sys_lib_search_path_spec+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  lt_cv_sys_lib_search_path_spec="$sys_lib_search_path_spec"
-fi
-
-sys_lib_search_path_spec="$lt_cv_sys_lib_search_path_spec"
-if test "${lt_cv_sys_lib_dlsearch_path_spec+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  lt_cv_sys_lib_dlsearch_path_spec="$sys_lib_dlsearch_path_spec"
-fi
-
-sys_lib_dlsearch_path_spec="$lt_cv_sys_lib_dlsearch_path_spec"
-
-variables_saved_for_relink="PATH $shlibpath_var $runpath_var"
-if test "$GCC" = yes; then
-  variables_saved_for_relink="$variables_saved_for_relink GCC_EXEC_PREFIX COMPILER_PATH LIBRARY_PATH"
-fi
-
-{ echo "$as_me:$LINENO: checking how to hardcode library paths into programs" >&5
-echo $ECHO_N "checking how to hardcode library paths into programs... $ECHO_C" >&6; }
-hardcode_action=
-if test -n "$hardcode_libdir_flag_spec" || \
-   test -n "$runpath_var" || \
-   test "X$hardcode_automatic" = "Xyes" ; then
-
-  # We can hardcode non-existant directories.
-  if test "$hardcode_direct" != no &&
-     # If the only mechanism to avoid hardcoding is shlibpath_var, we
-     # have to relink, otherwise we might link with an installed library
-     # when we should be linking with a yet-to-be-installed one
-     ## test "$_LT_AC_TAGVAR(hardcode_shlibpath_var, )" != no &&
-     test "$hardcode_minus_L" != no; then
-    # Linking always hardcodes the temporary library directory.
-    hardcode_action=relink
-  else
-    # We can link without hardcoding, and we can hardcode nonexisting dirs.
-    hardcode_action=immediate
-  fi
-else
-  # We cannot hardcode anything, or else we can only hardcode existing
-  # directories.
-  hardcode_action=unsupported
-fi
-{ echo "$as_me:$LINENO: result: $hardcode_action" >&5
-echo "${ECHO_T}$hardcode_action" >&6; }
-
-if test "$hardcode_action" = relink; then
-  # Fast installation is not supported
-  enable_fast_install=no
-elif test "$shlibpath_overrides_runpath" = yes ||
-     test "$enable_shared" = no; then
-  # Fast installation is not necessary
-  enable_fast_install=needless
-fi
-
-striplib=
-old_striplib=
-{ echo "$as_me:$LINENO: checking whether stripping libraries is possible" >&5
-echo $ECHO_N "checking whether stripping libraries is possible... $ECHO_C" >&6; }
-if test -n "$STRIP" && $STRIP -V 2>&1 | grep "GNU strip" >/dev/null; then
-  test -z "$old_striplib" && old_striplib="$STRIP --strip-debug"
-  test -z "$striplib" && striplib="$STRIP --strip-unneeded"
-  { echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6; }
-else
-# FIXME - insert some real tests, host_os isn't really good enough
-  case $host_os in
-   darwin*)
-       if test -n "$STRIP" ; then
-         striplib="$STRIP -x"
-         old_striplib="$STRIP -S"
-         { echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6; }
-       else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
-fi
-       ;;
-   *)
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
-    ;;
-  esac
-fi
-
-if test "x$enable_dlopen" != xyes; then
-  enable_dlopen=unknown
-  enable_dlopen_self=unknown
-  enable_dlopen_self_static=unknown
-else
-  lt_cv_dlopen=no
-  lt_cv_dlopen_libs=
-
-  case $host_os in
-  beos*)
-    lt_cv_dlopen="load_add_on"
-    lt_cv_dlopen_libs=
-    lt_cv_dlopen_self=yes
-    ;;
-
-  mingw* | pw32*)
-    lt_cv_dlopen="LoadLibrary"
-    lt_cv_dlopen_libs=
-   ;;
-
-  cygwin*)
-    lt_cv_dlopen="dlopen"
-    lt_cv_dlopen_libs=
-   ;;
-
-  darwin*)
-  # if libdl is installed we need to link against it
-    { echo "$as_me:$LINENO: checking for dlopen in -ldl" >&5
-echo $ECHO_N "checking for dlopen in -ldl... $ECHO_C" >&6; }
-if test "${ac_cv_lib_dl_dlopen+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  ac_check_lib_save_LIBS=$LIBS
-LIBS="-ldl  $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-/* Override any GCC internal prototype to avoid an error.
-   Use char because int might match the return type of a GCC
-   builtin and then its argument prototype would still apply.  */
-#ifdef __cplusplus
-extern "C"
-#endif
-char dlopen ();
-int
-main ()
-{
-return dlopen ();
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
-  ac_cv_lib_dl_dlopen=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_cv_lib_dl_dlopen=no
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-{ echo "$as_me:$LINENO: result: $ac_cv_lib_dl_dlopen" >&5
-echo "${ECHO_T}$ac_cv_lib_dl_dlopen" >&6; }
-if test $ac_cv_lib_dl_dlopen = yes; then
-  lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-ldl"
-else
-
-    lt_cv_dlopen="dyld"
-    lt_cv_dlopen_libs=
-    lt_cv_dlopen_self=yes
-
-fi
-
-   ;;
-
-  *)
-    { echo "$as_me:$LINENO: checking for shl_load" >&5
-echo $ECHO_N "checking for shl_load... $ECHO_C" >&6; }
-if test "${ac_cv_func_shl_load+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-/* Define shl_load to an innocuous variant, in case <limits.h> declares shl_load.
-   For example, HP-UX 11i <limits.h> declares gettimeofday.  */
-#define shl_load innocuous_shl_load
-
-/* System header to define __stub macros and hopefully few prototypes,
-    which can conflict with char shl_load (); below.
-    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
-    <limits.h> exists even on freestanding compilers.  */
-
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
-
-#undef shl_load
-
-/* Override any GCC internal prototype to avoid an error.
-   Use char because int might match the return type of a GCC
-   builtin and then its argument prototype would still apply.  */
-#ifdef __cplusplus
-extern "C"
-#endif
-char shl_load ();
-/* The GNU C library defines this for functions which it implements
-    to always fail with ENOSYS.  Some functions are actually named
-    something starting with __ and the normal name is an alias.  */
-#if defined __stub_shl_load || defined __stub___shl_load
-choke me
-#endif
-
-int
-main ()
-{
-return shl_load ();
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
-  ac_cv_func_shl_load=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_cv_func_shl_load=no
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
-fi
-{ echo "$as_me:$LINENO: result: $ac_cv_func_shl_load" >&5
-echo "${ECHO_T}$ac_cv_func_shl_load" >&6; }
-if test $ac_cv_func_shl_load = yes; then
-  lt_cv_dlopen="shl_load"
-else
-  { echo "$as_me:$LINENO: checking for shl_load in -ldld" >&5
-echo $ECHO_N "checking for shl_load in -ldld... $ECHO_C" >&6; }
-if test "${ac_cv_lib_dld_shl_load+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  ac_check_lib_save_LIBS=$LIBS
-LIBS="-ldld  $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-/* Override any GCC internal prototype to avoid an error.
-   Use char because int might match the return type of a GCC
-   builtin and then its argument prototype would still apply.  */
-#ifdef __cplusplus
-extern "C"
-#endif
-char shl_load ();
-int
-main ()
-{
-return shl_load ();
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
-  ac_cv_lib_dld_shl_load=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_cv_lib_dld_shl_load=no
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-{ echo "$as_me:$LINENO: result: $ac_cv_lib_dld_shl_load" >&5
-echo "${ECHO_T}$ac_cv_lib_dld_shl_load" >&6; }
-if test $ac_cv_lib_dld_shl_load = yes; then
-  lt_cv_dlopen="shl_load" lt_cv_dlopen_libs="-ldld"
-else
-  { echo "$as_me:$LINENO: checking for dlopen" >&5
-echo $ECHO_N "checking for dlopen... $ECHO_C" >&6; }
-if test "${ac_cv_func_dlopen+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-/* Define dlopen to an innocuous variant, in case <limits.h> declares dlopen.
-   For example, HP-UX 11i <limits.h> declares gettimeofday.  */
-#define dlopen innocuous_dlopen
-
-/* System header to define __stub macros and hopefully few prototypes,
-    which can conflict with char dlopen (); below.
-    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
-    <limits.h> exists even on freestanding compilers.  */
-
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
-
-#undef dlopen
-
-/* Override any GCC internal prototype to avoid an error.
-   Use char because int might match the return type of a GCC
-   builtin and then its argument prototype would still apply.  */
-#ifdef __cplusplus
-extern "C"
-#endif
-char dlopen ();
-/* The GNU C library defines this for functions which it implements
-    to always fail with ENOSYS.  Some functions are actually named
-    something starting with __ and the normal name is an alias.  */
-#if defined __stub_dlopen || defined __stub___dlopen
-choke me
-#endif
-
-int
-main ()
-{
-return dlopen ();
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
-  ac_cv_func_dlopen=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_cv_func_dlopen=no
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
-fi
-{ echo "$as_me:$LINENO: result: $ac_cv_func_dlopen" >&5
-echo "${ECHO_T}$ac_cv_func_dlopen" >&6; }
-if test $ac_cv_func_dlopen = yes; then
-  lt_cv_dlopen="dlopen"
-else
-  { echo "$as_me:$LINENO: checking for dlopen in -ldl" >&5
-echo $ECHO_N "checking for dlopen in -ldl... $ECHO_C" >&6; }
-if test "${ac_cv_lib_dl_dlopen+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  ac_check_lib_save_LIBS=$LIBS
-LIBS="-ldl  $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-/* Override any GCC internal prototype to avoid an error.
-   Use char because int might match the return type of a GCC
-   builtin and then its argument prototype would still apply.  */
-#ifdef __cplusplus
-extern "C"
-#endif
-char dlopen ();
-int
-main ()
-{
-return dlopen ();
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
-  ac_cv_lib_dl_dlopen=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_cv_lib_dl_dlopen=no
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-{ echo "$as_me:$LINENO: result: $ac_cv_lib_dl_dlopen" >&5
-echo "${ECHO_T}$ac_cv_lib_dl_dlopen" >&6; }
-if test $ac_cv_lib_dl_dlopen = yes; then
-  lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-ldl"
-else
-  { echo "$as_me:$LINENO: checking for dlopen in -lsvld" >&5
-echo $ECHO_N "checking for dlopen in -lsvld... $ECHO_C" >&6; }
-if test "${ac_cv_lib_svld_dlopen+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  ac_check_lib_save_LIBS=$LIBS
-LIBS="-lsvld  $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-/* Override any GCC internal prototype to avoid an error.
-   Use char because int might match the return type of a GCC
-   builtin and then its argument prototype would still apply.  */
-#ifdef __cplusplus
-extern "C"
-#endif
-char dlopen ();
-int
-main ()
-{
-return dlopen ();
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
-  ac_cv_lib_svld_dlopen=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_cv_lib_svld_dlopen=no
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-{ echo "$as_me:$LINENO: result: $ac_cv_lib_svld_dlopen" >&5
-echo "${ECHO_T}$ac_cv_lib_svld_dlopen" >&6; }
-if test $ac_cv_lib_svld_dlopen = yes; then
-  lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-lsvld"
-else
-  { echo "$as_me:$LINENO: checking for dld_link in -ldld" >&5
-echo $ECHO_N "checking for dld_link in -ldld... $ECHO_C" >&6; }
-if test "${ac_cv_lib_dld_dld_link+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  ac_check_lib_save_LIBS=$LIBS
-LIBS="-ldld  $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-/* Override any GCC internal prototype to avoid an error.
-   Use char because int might match the return type of a GCC
-   builtin and then its argument prototype would still apply.  */
-#ifdef __cplusplus
-extern "C"
-#endif
-char dld_link ();
-int
-main ()
-{
-return dld_link ();
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
-  ac_cv_lib_dld_dld_link=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_cv_lib_dld_dld_link=no
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-{ echo "$as_me:$LINENO: result: $ac_cv_lib_dld_dld_link" >&5
-echo "${ECHO_T}$ac_cv_lib_dld_dld_link" >&6; }
-if test $ac_cv_lib_dld_dld_link = yes; then
-  lt_cv_dlopen="dld_link" lt_cv_dlopen_libs="-ldld"
-fi
-
-
-fi
-
-
-fi
-
-
-fi
-
-
-fi
-
-
-fi
-
-    ;;
-  esac
-
-  if test "x$lt_cv_dlopen" != xno; then
-    enable_dlopen=yes
-  else
-    enable_dlopen=no
-  fi
-
-  case $lt_cv_dlopen in
-  dlopen)
-    save_CPPFLAGS="$CPPFLAGS"
-    test "x$ac_cv_header_dlfcn_h" = xyes && CPPFLAGS="$CPPFLAGS -DHAVE_DLFCN_H"
-
-    save_LDFLAGS="$LDFLAGS"
-    wl=$lt_prog_compiler_wl eval LDFLAGS=\"\$LDFLAGS $export_dynamic_flag_spec\"
-
-    save_LIBS="$LIBS"
-    LIBS="$lt_cv_dlopen_libs $LIBS"
-
-    { echo "$as_me:$LINENO: checking whether a program can dlopen itself" >&5
-echo $ECHO_N "checking whether a program can dlopen itself... $ECHO_C" >&6; }
-if test "${lt_cv_dlopen_self+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  	  if test "$cross_compiling" = yes; then :
-  lt_cv_dlopen_self=cross
-else
-  lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
-  lt_status=$lt_dlunknown
-  cat > conftest.$ac_ext <<EOF
-#line 10493 "configure"
-#include "confdefs.h"
-
-#if HAVE_DLFCN_H
-#include <dlfcn.h>
-#endif
-
-#include <stdio.h>
-
-#ifdef RTLD_GLOBAL
-#  define LT_DLGLOBAL		RTLD_GLOBAL
-#else
-#  ifdef DL_GLOBAL
-#    define LT_DLGLOBAL		DL_GLOBAL
-#  else
-#    define LT_DLGLOBAL		0
-#  endif
-#endif
-
-/* We may have to define LT_DLLAZY_OR_NOW in the command line if we
-   find out it does not work in some platform. */
-#ifndef LT_DLLAZY_OR_NOW
-#  ifdef RTLD_LAZY
-#    define LT_DLLAZY_OR_NOW		RTLD_LAZY
-#  else
-#    ifdef DL_LAZY
-#      define LT_DLLAZY_OR_NOW		DL_LAZY
-#    else
-#      ifdef RTLD_NOW
-#        define LT_DLLAZY_OR_NOW	RTLD_NOW
-#      else
-#        ifdef DL_NOW
-#          define LT_DLLAZY_OR_NOW	DL_NOW
-#        else
-#          define LT_DLLAZY_OR_NOW	0
-#        endif
-#      endif
-#    endif
-#  endif
-#endif
-
-#ifdef __cplusplus
-extern "C" void exit (int);
-#endif
-
-void fnord() { int i=42;}
-int main ()
-{
-  void *self = dlopen (0, LT_DLGLOBAL|LT_DLLAZY_OR_NOW);
-  int status = $lt_dlunknown;
-
-  if (self)
-    {
-      if (dlsym (self,"fnord"))       status = $lt_dlno_uscore;
-      else if (dlsym( self,"_fnord")) status = $lt_dlneed_uscore;
-      /* dlclose (self); */
-    }
-  else
-    puts (dlerror ());
-
-    exit (status);
-}
-EOF
-  if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && test -s conftest${ac_exeext} 2>/dev/null; then
-    (./conftest; exit; ) >&5 2>/dev/null
-    lt_status=$?
-    case x$lt_status in
-      x$lt_dlno_uscore) lt_cv_dlopen_self=yes ;;
-      x$lt_dlneed_uscore) lt_cv_dlopen_self=yes ;;
-      x$lt_dlunknown|x*) lt_cv_dlopen_self=no ;;
-    esac
-  else :
-    # compilation failed
-    lt_cv_dlopen_self=no
-  fi
-fi
-rm -fr conftest*
-
-
-fi
-{ echo "$as_me:$LINENO: result: $lt_cv_dlopen_self" >&5
-echo "${ECHO_T}$lt_cv_dlopen_self" >&6; }
-
-    if test "x$lt_cv_dlopen_self" = xyes; then
-      wl=$lt_prog_compiler_wl eval LDFLAGS=\"\$LDFLAGS $lt_prog_compiler_static\"
-      { echo "$as_me:$LINENO: checking whether a statically linked program can dlopen itself" >&5
-echo $ECHO_N "checking whether a statically linked program can dlopen itself... $ECHO_C" >&6; }
-if test "${lt_cv_dlopen_self_static+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  	  if test "$cross_compiling" = yes; then :
-  lt_cv_dlopen_self_static=cross
-else
-  lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
-  lt_status=$lt_dlunknown
-  cat > conftest.$ac_ext <<EOF
-#line 10593 "configure"
-#include "confdefs.h"
-
-#if HAVE_DLFCN_H
-#include <dlfcn.h>
-#endif
-
-#include <stdio.h>
-
-#ifdef RTLD_GLOBAL
-#  define LT_DLGLOBAL		RTLD_GLOBAL
-#else
-#  ifdef DL_GLOBAL
-#    define LT_DLGLOBAL		DL_GLOBAL
-#  else
-#    define LT_DLGLOBAL		0
-#  endif
-#endif
-
-/* We may have to define LT_DLLAZY_OR_NOW in the command line if we
-   find out it does not work in some platform. */
-#ifndef LT_DLLAZY_OR_NOW
-#  ifdef RTLD_LAZY
-#    define LT_DLLAZY_OR_NOW		RTLD_LAZY
-#  else
-#    ifdef DL_LAZY
-#      define LT_DLLAZY_OR_NOW		DL_LAZY
-#    else
-#      ifdef RTLD_NOW
-#        define LT_DLLAZY_OR_NOW	RTLD_NOW
-#      else
-#        ifdef DL_NOW
-#          define LT_DLLAZY_OR_NOW	DL_NOW
-#        else
-#          define LT_DLLAZY_OR_NOW	0
-#        endif
-#      endif
-#    endif
-#  endif
-#endif
-
-#ifdef __cplusplus
-extern "C" void exit (int);
-#endif
-
-void fnord() { int i=42;}
-int main ()
-{
-  void *self = dlopen (0, LT_DLGLOBAL|LT_DLLAZY_OR_NOW);
-  int status = $lt_dlunknown;
-
-  if (self)
-    {
-      if (dlsym (self,"fnord"))       status = $lt_dlno_uscore;
-      else if (dlsym( self,"_fnord")) status = $lt_dlneed_uscore;
-      /* dlclose (self); */
-    }
-  else
-    puts (dlerror ());
-
-    exit (status);
-}
-EOF
-  if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && test -s conftest${ac_exeext} 2>/dev/null; then
-    (./conftest; exit; ) >&5 2>/dev/null
-    lt_status=$?
-    case x$lt_status in
-      x$lt_dlno_uscore) lt_cv_dlopen_self_static=yes ;;
-      x$lt_dlneed_uscore) lt_cv_dlopen_self_static=yes ;;
-      x$lt_dlunknown|x*) lt_cv_dlopen_self_static=no ;;
-    esac
-  else :
-    # compilation failed
-    lt_cv_dlopen_self_static=no
-  fi
-fi
-rm -fr conftest*
-
-
-fi
-{ echo "$as_me:$LINENO: result: $lt_cv_dlopen_self_static" >&5
-echo "${ECHO_T}$lt_cv_dlopen_self_static" >&6; }
-    fi
-
-    CPPFLAGS="$save_CPPFLAGS"
-    LDFLAGS="$save_LDFLAGS"
-    LIBS="$save_LIBS"
-    ;;
-  esac
-
-  case $lt_cv_dlopen_self in
-  yes|no) enable_dlopen_self=$lt_cv_dlopen_self ;;
-  *) enable_dlopen_self=unknown ;;
-  esac
-
-  case $lt_cv_dlopen_self_static in
-  yes|no) enable_dlopen_self_static=$lt_cv_dlopen_self_static ;;
-  *) enable_dlopen_self_static=unknown ;;
-  esac
-fi
-
-
-# Report which library types will actually be built
-{ echo "$as_me:$LINENO: checking if libtool supports shared libraries" >&5
-echo $ECHO_N "checking if libtool supports shared libraries... $ECHO_C" >&6; }
-{ echo "$as_me:$LINENO: result: $can_build_shared" >&5
-echo "${ECHO_T}$can_build_shared" >&6; }
-
-{ echo "$as_me:$LINENO: checking whether to build shared libraries" >&5
-echo $ECHO_N "checking whether to build shared libraries... $ECHO_C" >&6; }
-test "$can_build_shared" = "no" && enable_shared=no
-
-# On AIX, shared libraries and static libraries use the same namespace, and
-# are all built from PIC.
-case $host_os in
-aix3*)
-  test "$enable_shared" = yes && enable_static=no
-  if test -n "$RANLIB"; then
-    archive_cmds="$archive_cmds~\$RANLIB \$lib"
-    postinstall_cmds='$RANLIB $lib'
-  fi
-  ;;
-
-aix[4-9]*)
-  if test "$host_cpu" != ia64 && test "$aix_use_runtimelinking" = no ; then
-    test "$enable_shared" = yes && enable_static=no
-  fi
-    ;;
-esac
-{ echo "$as_me:$LINENO: result: $enable_shared" >&5
-echo "${ECHO_T}$enable_shared" >&6; }
-
-{ echo "$as_me:$LINENO: checking whether to build static libraries" >&5
-echo $ECHO_N "checking whether to build static libraries... $ECHO_C" >&6; }
-# Make sure either enable_shared or enable_static is yes.
-test "$enable_shared" = yes || enable_static=yes
-{ echo "$as_me:$LINENO: result: $enable_static" >&5
-echo "${ECHO_T}$enable_static" >&6; }
-
-# The else clause should only fire when bootstrapping the
-# libtool distribution, otherwise you forgot to ship ltmain.sh
-# with your package, and you will get complaints that there are
-# no rules to generate ltmain.sh.
-if test -f "$ltmain"; then
-  # See if we are running on zsh, and set the options which allow our commands through
-  # without removal of \ escapes.
-  if test -n "${ZSH_VERSION+set}" ; then
-    setopt NO_GLOB_SUBST
-  fi
-  # Now quote all the things that may contain metacharacters while being
-  # careful not to overquote the AC_SUBSTed values.  We take copies of the
-  # variables and quote the copies for generation of the libtool script.
-  for var in echo old_CC old_CFLAGS AR AR_FLAGS EGREP RANLIB LN_S LTCC LTCFLAGS NM \
-    SED SHELL STRIP \
-    libname_spec library_names_spec soname_spec extract_expsyms_cmds \
-    old_striplib striplib file_magic_cmd finish_cmds finish_eval \
-    deplibs_check_method reload_flag reload_cmds need_locks \
-    lt_cv_sys_global_symbol_pipe lt_cv_sys_global_symbol_to_cdecl \
-    lt_cv_sys_global_symbol_to_c_name_address \
-    sys_lib_search_path_spec sys_lib_dlsearch_path_spec \
-    old_postinstall_cmds old_postuninstall_cmds \
-    compiler \
-    CC \
-    LD \
-    lt_prog_compiler_wl \
-    lt_prog_compiler_pic \
-    lt_prog_compiler_static \
-    lt_prog_compiler_no_builtin_flag \
-    export_dynamic_flag_spec \
-    thread_safe_flag_spec \
-    whole_archive_flag_spec \
-    enable_shared_with_static_runtimes \
-    old_archive_cmds \
-    old_archive_from_new_cmds \
-    predep_objects \
-    postdep_objects \
-    predeps \
-    postdeps \
-    compiler_lib_search_path \
-    compiler_lib_search_dirs \
-    archive_cmds \
-    archive_expsym_cmds \
-    postinstall_cmds \
-    postuninstall_cmds \
-    old_archive_from_expsyms_cmds \
-    allow_undefined_flag \
-    no_undefined_flag \
-    export_symbols_cmds \
-    hardcode_libdir_flag_spec \
-    hardcode_libdir_flag_spec_ld \
-    hardcode_libdir_separator \
-    hardcode_automatic \
-    module_cmds \
-    module_expsym_cmds \
-    lt_cv_prog_compiler_c_o \
-    fix_srcfile_path \
-    exclude_expsyms \
-    include_expsyms; do
-
-    case $var in
-    old_archive_cmds | \
-    old_archive_from_new_cmds | \
-    archive_cmds | \
-    archive_expsym_cmds | \
-    module_cmds | \
-    module_expsym_cmds | \
-    old_archive_from_expsyms_cmds | \
-    export_symbols_cmds | \
-    extract_expsyms_cmds | reload_cmds | finish_cmds | \
-    postinstall_cmds | postuninstall_cmds | \
-    old_postinstall_cmds | old_postuninstall_cmds | \
-    sys_lib_search_path_spec | sys_lib_dlsearch_path_spec)
-      # Double-quote double-evaled strings.
-      eval "lt_$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$double_quote_subst\" -e \"\$sed_quote_subst\" -e \"\$delay_variable_subst\"\`\\\""
-      ;;
-    *)
-      eval "lt_$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$sed_quote_subst\"\`\\\""
-      ;;
-    esac
-  done
-
-  case $lt_echo in
-  *'\$0 --fallback-echo"')
-    lt_echo=`$echo "X$lt_echo" | $Xsed -e 's/\\\\\\\$0 --fallback-echo"$/$0 --fallback-echo"/'`
-    ;;
-  esac
-
-cfgfile="${ofile}T"
-  trap "$rm \"$cfgfile\"; exit 1" 1 2 15
-  $rm -f "$cfgfile"
-  { echo "$as_me:$LINENO: creating $ofile" >&5
-echo "$as_me: creating $ofile" >&6;}
-
-  cat <<__EOF__ >> "$cfgfile"
-#! $SHELL
-
-# `$echo "$cfgfile" | sed 's%^.*/%%'` - Provide generalized library-building support services.
-# Generated automatically by $PROGRAM (GNU $PACKAGE $VERSION$TIMESTAMP)
-# NOTE: Changes made to this file will be lost: look at ltmain.sh.
-#
-# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008
-# Free Software Foundation, Inc.
-#
-# This file is part of GNU Libtool:
-# Originally by Gordon Matzigkeit <gord@gnu.ai.mit.edu>, 1996
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-# General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-#
-# As a special exception to the GNU General Public License, if you
-# distribute this file as part of a program that contains a
-# configuration script generated by Autoconf, you may include it under
-# the same distribution terms that you use for the rest of that program.
-
-# A sed program that does not truncate output.
-SED=$lt_SED
-
-# Sed that helps us avoid accidentally triggering echo(1) options like -n.
-Xsed="$SED -e 1s/^X//"
-
-# The HP-UX ksh and POSIX shell print the target directory to stdout
-# if CDPATH is set.
-(unset CDPATH) >/dev/null 2>&1 && unset CDPATH
-
-# The names of the tagged configurations supported by this script.
-available_tags=
-
-# ### BEGIN LIBTOOL CONFIG
-
-# Libtool was configured on host `(hostname || uname -n) 2>/dev/null | sed 1q`:
-
-# Shell to use when invoking shell scripts.
-SHELL=$lt_SHELL
-
-# Whether or not to build shared libraries.
-build_libtool_libs=$enable_shared
-
-# Whether or not to build static libraries.
-build_old_libs=$enable_static
-
-# Whether or not to add -lc for building shared libraries.
-build_libtool_need_lc=$archive_cmds_need_lc
-
-# Whether or not to disallow shared libs when runtime libs are static
-allow_libtool_libs_with_static_runtimes=$enable_shared_with_static_runtimes
-
-# Whether or not to optimize for fast installation.
-fast_install=$enable_fast_install
-
-# The host system.
-host_alias=$host_alias
-host=$host
-host_os=$host_os
-
-# The build system.
-build_alias=$build_alias
-build=$build
-build_os=$build_os
-
-# An echo program that does not interpret backslashes.
-echo=$lt_echo
-
-# The archiver.
-AR=$lt_AR
-AR_FLAGS=$lt_AR_FLAGS
-
-# A C compiler.
-LTCC=$lt_LTCC
-
-# LTCC compiler flags.
-LTCFLAGS=$lt_LTCFLAGS
-
-# A language-specific compiler.
-CC=$lt_compiler
-
-# Is the compiler the GNU C compiler?
-with_gcc=$GCC
-
-# An ERE matcher.
-EGREP=$lt_EGREP
-
-# The linker used to build libraries.
-LD=$lt_LD
-
-# Whether we need hard or soft links.
-LN_S=$lt_LN_S
-
-# A BSD-compatible nm program.
-NM=$lt_NM
-
-# A symbol stripping program
-STRIP=$lt_STRIP
-
-# Used to examine libraries when file_magic_cmd begins "file"
-MAGIC_CMD=$MAGIC_CMD
-
-# Used on cygwin: DLL creation program.
-DLLTOOL="$DLLTOOL"
-
-# Used on cygwin: object dumper.
-OBJDUMP="$OBJDUMP"
-
-# Used on cygwin: assembler.
-AS="$AS"
-
-# The name of the directory that contains temporary libtool files.
-objdir=$objdir
-
-# How to create reloadable object files.
-reload_flag=$lt_reload_flag
-reload_cmds=$lt_reload_cmds
-
-# How to pass a linker flag through the compiler.
-wl=$lt_lt_prog_compiler_wl
-
-# Object file suffix (normally "o").
-objext="$ac_objext"
-
-# Old archive suffix (normally "a").
-libext="$libext"
-
-# Shared library suffix (normally ".so").
-shrext_cmds='$shrext_cmds'
-
-# Executable file suffix (normally "").
-exeext="$exeext"
-
-# Additional compiler flags for building library objects.
-pic_flag=$lt_lt_prog_compiler_pic
-pic_mode=$pic_mode
-
-# What is the maximum length of a command?
-max_cmd_len=$lt_cv_sys_max_cmd_len
-
-# Does compiler simultaneously support -c and -o options?
-compiler_c_o=$lt_lt_cv_prog_compiler_c_o
-
-# Must we lock files when doing compilation?
-need_locks=$lt_need_locks
-
-# Do we need the lib prefix for modules?
-need_lib_prefix=$need_lib_prefix
-
-# Do we need a version for libraries?
-need_version=$need_version
-
-# Whether dlopen is supported.
-dlopen_support=$enable_dlopen
-
-# Whether dlopen of programs is supported.
-dlopen_self=$enable_dlopen_self
-
-# Whether dlopen of statically linked programs is supported.
-dlopen_self_static=$enable_dlopen_self_static
-
-# Compiler flag to prevent dynamic linking.
-link_static_flag=$lt_lt_prog_compiler_static
-
-# Compiler flag to turn off builtin functions.
-no_builtin_flag=$lt_lt_prog_compiler_no_builtin_flag
-
-# Compiler flag to allow reflexive dlopens.
-export_dynamic_flag_spec=$lt_export_dynamic_flag_spec
-
-# Compiler flag to generate shared objects directly from archives.
-whole_archive_flag_spec=$lt_whole_archive_flag_spec
-
-# Compiler flag to generate thread-safe objects.
-thread_safe_flag_spec=$lt_thread_safe_flag_spec
-
-# Library versioning type.
-version_type=$version_type
-
-# Format of library name prefix.
-libname_spec=$lt_libname_spec
-
-# List of archive names.  First name is the real one, the rest are links.
-# The last name is the one that the linker finds with -lNAME.
-library_names_spec=$lt_library_names_spec
-
-# The coded name of the library, if different from the real name.
-soname_spec=$lt_soname_spec
-
-# Commands used to build and install an old-style archive.
-RANLIB=$lt_RANLIB
-old_archive_cmds=$lt_old_archive_cmds
-old_postinstall_cmds=$lt_old_postinstall_cmds
-old_postuninstall_cmds=$lt_old_postuninstall_cmds
-
-# Create an old-style archive from a shared archive.
-old_archive_from_new_cmds=$lt_old_archive_from_new_cmds
-
-# Create a temporary old-style archive to link instead of a shared archive.
-old_archive_from_expsyms_cmds=$lt_old_archive_from_expsyms_cmds
-
-# Commands used to build and install a shared archive.
-archive_cmds=$lt_archive_cmds
-archive_expsym_cmds=$lt_archive_expsym_cmds
-postinstall_cmds=$lt_postinstall_cmds
-postuninstall_cmds=$lt_postuninstall_cmds
-
-# Commands used to build a loadable module (assumed same as above if empty)
-module_cmds=$lt_module_cmds
-module_expsym_cmds=$lt_module_expsym_cmds
-
-# Commands to strip libraries.
-old_striplib=$lt_old_striplib
-striplib=$lt_striplib
-
-# Dependencies to place before the objects being linked to create a
-# shared library.
-predep_objects=$lt_predep_objects
-
-# Dependencies to place after the objects being linked to create a
-# shared library.
-postdep_objects=$lt_postdep_objects
-
-# Dependencies to place before the objects being linked to create a
-# shared library.
-predeps=$lt_predeps
-
-# Dependencies to place after the objects being linked to create a
-# shared library.
-postdeps=$lt_postdeps
-
-# The directories searched by this compiler when creating a shared
-# library
-compiler_lib_search_dirs=$lt_compiler_lib_search_dirs
-
-# The library search path used internally by the compiler when linking
-# a shared library.
-compiler_lib_search_path=$lt_compiler_lib_search_path
-
-# Method to check whether dependent libraries are shared objects.
-deplibs_check_method=$lt_deplibs_check_method
-
-# Command to use when deplibs_check_method == file_magic.
-file_magic_cmd=$lt_file_magic_cmd
-
-# Flag that allows shared libraries with undefined symbols to be built.
-allow_undefined_flag=$lt_allow_undefined_flag
-
-# Flag that forces no undefined symbols.
-no_undefined_flag=$lt_no_undefined_flag
-
-# Commands used to finish a libtool library installation in a directory.
-finish_cmds=$lt_finish_cmds
-
-# Same as above, but a single script fragment to be evaled but not shown.
-finish_eval=$lt_finish_eval
-
-# Take the output of nm and produce a listing of raw symbols and C names.
-global_symbol_pipe=$lt_lt_cv_sys_global_symbol_pipe
-
-# Transform the output of nm in a proper C declaration
-global_symbol_to_cdecl=$lt_lt_cv_sys_global_symbol_to_cdecl
-
-# Transform the output of nm in a C name address pair
-global_symbol_to_c_name_address=$lt_lt_cv_sys_global_symbol_to_c_name_address
-
-# This is the shared library runtime path variable.
-runpath_var=$runpath_var
-
-# This is the shared library path variable.
-shlibpath_var=$shlibpath_var
-
-# Is shlibpath searched before the hard-coded library search path?
-shlibpath_overrides_runpath=$shlibpath_overrides_runpath
-
-# How to hardcode a shared library path into an executable.
-hardcode_action=$hardcode_action
-
-# Whether we should hardcode library paths into libraries.
-hardcode_into_libs=$hardcode_into_libs
-
-# Flag to hardcode \$libdir into a binary during linking.
-# This must work even if \$libdir does not exist.
-hardcode_libdir_flag_spec=$lt_hardcode_libdir_flag_spec
-
-# If ld is used when linking, flag to hardcode \$libdir into
-# a binary during linking. This must work even if \$libdir does
-# not exist.
-hardcode_libdir_flag_spec_ld=$lt_hardcode_libdir_flag_spec_ld
-
-# Whether we need a single -rpath flag with a separated argument.
-hardcode_libdir_separator=$lt_hardcode_libdir_separator
-
-# Set to yes if using DIR/libNAME${shared_ext} during linking hardcodes DIR into the
-# resulting binary.
-hardcode_direct=$hardcode_direct
-
-# Set to yes if using the -LDIR flag during linking hardcodes DIR into the
-# resulting binary.
-hardcode_minus_L=$hardcode_minus_L
-
-# Set to yes if using SHLIBPATH_VAR=DIR during linking hardcodes DIR into
-# the resulting binary.
-hardcode_shlibpath_var=$hardcode_shlibpath_var
-
-# Set to yes if building a shared library automatically hardcodes DIR into the library
-# and all subsequent libraries and executables linked against it.
-hardcode_automatic=$hardcode_automatic
-
-# Variables whose values should be saved in libtool wrapper scripts and
-# restored at relink time.
-variables_saved_for_relink="$variables_saved_for_relink"
-
-# Whether libtool must link a program against all its dependency libraries.
-link_all_deplibs=$link_all_deplibs
-
-# Compile-time system search path for libraries
-sys_lib_search_path_spec=$lt_sys_lib_search_path_spec
-
-# Run-time system search path for libraries
-sys_lib_dlsearch_path_spec=$lt_sys_lib_dlsearch_path_spec
-
-# Fix the shell variable \$srcfile for the compiler.
-fix_srcfile_path=$lt_fix_srcfile_path
-
-# Set to yes if exported symbols are required.
-always_export_symbols=$always_export_symbols
-
-# The commands to list exported symbols.
-export_symbols_cmds=$lt_export_symbols_cmds
-
-# The commands to extract the exported symbol list from a shared archive.
-extract_expsyms_cmds=$lt_extract_expsyms_cmds
-
-# Symbols that should not be listed in the preloaded symbols.
-exclude_expsyms=$lt_exclude_expsyms
-
-# Symbols that must always be exported.
-include_expsyms=$lt_include_expsyms
-
-# ### END LIBTOOL CONFIG
-
-__EOF__
-
-
-  case $host_os in
-  aix3*)
-    cat <<\EOF >> "$cfgfile"
-
-# AIX sometimes has problems with the GCC collect2 program.  For some
-# reason, if we set the COLLECT_NAMES environment variable, the problems
-# vanish in a puff of smoke.
-if test "X${COLLECT_NAMES+set}" != Xset; then
-  COLLECT_NAMES=
-  export COLLECT_NAMES
-fi
-EOF
-    ;;
-  esac
-
-  # We use sed instead of cat because bash on DJGPP gets confused if
-  # if finds mixed CR/LF and LF-only lines.  Since sed operates in
-  # text mode, it properly converts lines to CR/LF.  This bash problem
-  # is reportedly fixed, but why not run on old versions too?
-  sed '$q' "$ltmain" >> "$cfgfile" || (rm -f "$cfgfile"; exit 1)
-
-  mv -f "$cfgfile" "$ofile" || \
-    (rm -f "$ofile" && cp "$cfgfile" "$ofile" && rm -f "$cfgfile")
-  chmod +x "$ofile"
-
-else
-  # If there is no Makefile yet, we rely on a make rule to execute
-  # `config.status --recheck' to rerun these tests and create the
-  # libtool script then.
-  ltmain_in=`echo $ltmain | sed -e 's/\.sh$/.in/'`
-  if test -f "$ltmain_in"; then
-    test -f Makefile && make "$ltmain"
-  fi
-fi
-
-
-ac_ext=c
-ac_cpp='$CPP $CPPFLAGS'
-ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
-ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
-ac_compiler_gnu=$ac_cv_c_compiler_gnu
-
-CC="$lt_save_CC"
-
-
-# Check whether --with-tags was given.
-if test "${with_tags+set}" = set; then
-  withval=$with_tags; tagnames="$withval"
-fi
-
-
-if test -f "$ltmain" && test -n "$tagnames"; then
-  if test ! -f "${ofile}"; then
-    { echo "$as_me:$LINENO: WARNING: output file \`$ofile' does not exist" >&5
-echo "$as_me: WARNING: output file \`$ofile' does not exist" >&2;}
-  fi
-
-  if test -z "$LTCC"; then
-    eval "`$SHELL ${ofile} --config | grep '^LTCC='`"
-    if test -z "$LTCC"; then
-      { echo "$as_me:$LINENO: WARNING: output file \`$ofile' does not look like a libtool script" >&5
-echo "$as_me: WARNING: output file \`$ofile' does not look like a libtool script" >&2;}
-    else
-      { echo "$as_me:$LINENO: WARNING: using \`LTCC=$LTCC', extracted from \`$ofile'" >&5
-echo "$as_me: WARNING: using \`LTCC=$LTCC', extracted from \`$ofile'" >&2;}
-    fi
-  fi
-  if test -z "$LTCFLAGS"; then
-    eval "`$SHELL ${ofile} --config | grep '^LTCFLAGS='`"
-  fi
-
-  # Extract list of available tagged configurations in $ofile.
-  # Note that this assumes the entire list is on one line.
-  available_tags=`grep "^available_tags=" "${ofile}" | $SED -e 's/available_tags=\(.*$\)/\1/' -e 's/\"//g'`
-
-  lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR,"
-  for tagname in $tagnames; do
-    IFS="$lt_save_ifs"
-    # Check whether tagname contains only valid characters
-    case `$echo "X$tagname" | $Xsed -e 's:[-_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890,/]::g'` in
-    "") ;;
-    *)  { { echo "$as_me:$LINENO: error: invalid tag name: $tagname" >&5
-echo "$as_me: error: invalid tag name: $tagname" >&2;}
-   { (exit 1); exit 1; }; }
-	;;
-    esac
-
-    if grep "^# ### BEGIN LIBTOOL TAG CONFIG: $tagname$" < "${ofile}" > /dev/null
-    then
-      { { echo "$as_me:$LINENO: error: tag name \"$tagname\" already exists" >&5
-echo "$as_me: error: tag name \"$tagname\" already exists" >&2;}
-   { (exit 1); exit 1; }; }
-    fi
-
-    # Update the list of available tags.
-    if test -n "$tagname"; then
-      echo appending configuration tag \"$tagname\" to $ofile
-
-      case $tagname in
-      CXX)
-	if test -n "$CXX" && ( test "X$CXX" != "Xno" &&
-	    ( (test "X$CXX" = "Xg++" && `g++ -v >/dev/null 2>&1` ) ||
-	    (test "X$CXX" != "Xg++"))) ; then
-	  ac_ext=cpp
-ac_cpp='$CXXCPP $CPPFLAGS'
-ac_compile='$CXX -c $CXXFLAGS $CPPFLAGS conftest.$ac_ext >&5'
-ac_link='$CXX -o conftest$ac_exeext $CXXFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
-ac_compiler_gnu=$ac_cv_cxx_compiler_gnu
-
-
-
-
-archive_cmds_need_lc_CXX=no
-allow_undefined_flag_CXX=
-always_export_symbols_CXX=no
-archive_expsym_cmds_CXX=
-export_dynamic_flag_spec_CXX=
-hardcode_direct_CXX=no
-hardcode_libdir_flag_spec_CXX=
-hardcode_libdir_flag_spec_ld_CXX=
-hardcode_libdir_separator_CXX=
-hardcode_minus_L_CXX=no
-hardcode_shlibpath_var_CXX=unsupported
-hardcode_automatic_CXX=no
-module_cmds_CXX=
-module_expsym_cmds_CXX=
-link_all_deplibs_CXX=unknown
-old_archive_cmds_CXX=$old_archive_cmds
-no_undefined_flag_CXX=
-whole_archive_flag_spec_CXX=
-enable_shared_with_static_runtimes_CXX=no
-
-# Dependencies to place before and after the object being linked:
-predep_objects_CXX=
-postdep_objects_CXX=
-predeps_CXX=
-postdeps_CXX=
-compiler_lib_search_path_CXX=
-compiler_lib_search_dirs_CXX=
-
-# Source file extension for C++ test sources.
-ac_ext=cpp
-
-# Object file extension for compiled C++ test sources.
-objext=o
-objext_CXX=$objext
-
-# Code to be used in simple compile tests
-lt_simple_compile_test_code="int some_variable = 0;"
-
-# Code to be used in simple link tests
-lt_simple_link_test_code='int main(int, char *[]) { return(0); }'
-
-# ltmain only uses $CC for tagged configurations so make sure $CC is set.
-
-# If no C compiler was specified, use CC.
-LTCC=${LTCC-"$CC"}
-
-# If no C compiler flags were specified, use CFLAGS.
-LTCFLAGS=${LTCFLAGS-"$CFLAGS"}
-
-# Allow CC to be a program name with arguments.
-compiler=$CC
-
-
-# save warnings/boilerplate of simple test code
-ac_outfile=conftest.$ac_objext
-echo "$lt_simple_compile_test_code" >conftest.$ac_ext
-eval "$ac_compile" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err
-_lt_compiler_boilerplate=`cat conftest.err`
-$rm conftest*
-
-ac_outfile=conftest.$ac_objext
-echo "$lt_simple_link_test_code" >conftest.$ac_ext
-eval "$ac_link" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err
-_lt_linker_boilerplate=`cat conftest.err`
-$rm -r conftest*
-
-
-# Allow CC to be a program name with arguments.
-lt_save_CC=$CC
-lt_save_LD=$LD
-lt_save_GCC=$GCC
-GCC=$GXX
-lt_save_with_gnu_ld=$with_gnu_ld
-lt_save_path_LD=$lt_cv_path_LD
-if test -n "${lt_cv_prog_gnu_ldcxx+set}"; then
-  lt_cv_prog_gnu_ld=$lt_cv_prog_gnu_ldcxx
-else
-  $as_unset lt_cv_prog_gnu_ld
-fi
-if test -n "${lt_cv_path_LDCXX+set}"; then
-  lt_cv_path_LD=$lt_cv_path_LDCXX
-else
-  $as_unset lt_cv_path_LD
-fi
-test -z "${LDCXX+set}" || LD=$LDCXX
-CC=${CXX-"c++"}
-compiler=$CC
-compiler_CXX=$CC
-for cc_temp in $compiler""; do
-  case $cc_temp in
-    compile | *[\\/]compile | ccache | *[\\/]ccache ) ;;
-    distcc | *[\\/]distcc | purify | *[\\/]purify ) ;;
-    \-*) ;;
-    *) break;;
-  esac
-done
-cc_basename=`$echo "X$cc_temp" | $Xsed -e 's%.*/%%' -e "s%^$host_alias-%%"`
-
-
-# We don't want -fno-exception wen compiling C++ code, so set the
-# no_builtin_flag separately
-if test "$GXX" = yes; then
-  lt_prog_compiler_no_builtin_flag_CXX=' -fno-builtin'
-else
-  lt_prog_compiler_no_builtin_flag_CXX=
-fi
-
-if test "$GXX" = yes; then
-  # Set up default GNU C++ configuration
-
-
-# Check whether --with-gnu-ld was given.
-if test "${with_gnu_ld+set}" = set; then
-  withval=$with_gnu_ld; test "$withval" = no || with_gnu_ld=yes
-else
-  with_gnu_ld=no
-fi
-
-ac_prog=ld
-if test "$GCC" = yes; then
-  # Check if gcc -print-prog-name=ld gives a path.
-  { echo "$as_me:$LINENO: checking for ld used by $CC" >&5
-echo $ECHO_N "checking for ld used by $CC... $ECHO_C" >&6; }
-  case $host in
-  *-*-mingw*)
-    # gcc leaves a trailing carriage return which upsets mingw
-    ac_prog=`($CC -print-prog-name=ld) 2>&5 | tr -d '\015'` ;;
-  *)
-    ac_prog=`($CC -print-prog-name=ld) 2>&5` ;;
-  esac
-  case $ac_prog in
-    # Accept absolute paths.
-    [\\/]* | ?:[\\/]*)
-      re_direlt='/[^/][^/]*/\.\./'
-      # Canonicalize the pathname of ld
-      ac_prog=`echo $ac_prog| $SED 's%\\\\%/%g'`
-      while echo $ac_prog | grep "$re_direlt" > /dev/null 2>&1; do
-	ac_prog=`echo $ac_prog| $SED "s%$re_direlt%/%"`
-      done
-      test -z "$LD" && LD="$ac_prog"
-      ;;
-  "")
-    # If it fails, then pretend we aren't using GCC.
-    ac_prog=ld
-    ;;
-  *)
-    # If it is relative, then search for the first ld in PATH.
-    with_gnu_ld=unknown
-    ;;
-  esac
-elif test "$with_gnu_ld" = yes; then
-  { echo "$as_me:$LINENO: checking for GNU ld" >&5
-echo $ECHO_N "checking for GNU ld... $ECHO_C" >&6; }
-else
-  { echo "$as_me:$LINENO: checking for non-GNU ld" >&5
-echo $ECHO_N "checking for non-GNU ld... $ECHO_C" >&6; }
-fi
-if test "${lt_cv_path_LD+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  if test -z "$LD"; then
-  lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR
-  for ac_dir in $PATH; do
-    IFS="$lt_save_ifs"
-    test -z "$ac_dir" && ac_dir=.
-    if test -f "$ac_dir/$ac_prog" || test -f "$ac_dir/$ac_prog$ac_exeext"; then
-      lt_cv_path_LD="$ac_dir/$ac_prog"
-      # Check to see if the program is GNU ld.  I'd rather use --version,
-      # but apparently some variants of GNU ld only accept -v.
-      # Break only if it was the GNU/non-GNU ld that we prefer.
-      case `"$lt_cv_path_LD" -v 2>&1 </dev/null` in
-      *GNU* | *'with BFD'*)
-	test "$with_gnu_ld" != no && break
-	;;
-      *)
-	test "$with_gnu_ld" != yes && break
-	;;
-      esac
-    fi
-  done
-  IFS="$lt_save_ifs"
-else
-  lt_cv_path_LD="$LD" # Let the user override the test with a path.
-fi
-fi
-
-LD="$lt_cv_path_LD"
-if test -n "$LD"; then
-  { echo "$as_me:$LINENO: result: $LD" >&5
-echo "${ECHO_T}$LD" >&6; }
-else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
-fi
-test -z "$LD" && { { echo "$as_me:$LINENO: error: no acceptable ld found in \$PATH" >&5
-echo "$as_me: error: no acceptable ld found in \$PATH" >&2;}
-   { (exit 1); exit 1; }; }
-{ echo "$as_me:$LINENO: checking if the linker ($LD) is GNU ld" >&5
-echo $ECHO_N "checking if the linker ($LD) is GNU ld... $ECHO_C" >&6; }
-if test "${lt_cv_prog_gnu_ld+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  # I'd rather use --version here, but apparently some GNU lds only accept -v.
-case `$LD -v 2>&1 </dev/null` in
-*GNU* | *'with BFD'*)
-  lt_cv_prog_gnu_ld=yes
-  ;;
-*)
-  lt_cv_prog_gnu_ld=no
-  ;;
-esac
-fi
-{ echo "$as_me:$LINENO: result: $lt_cv_prog_gnu_ld" >&5
-echo "${ECHO_T}$lt_cv_prog_gnu_ld" >&6; }
-with_gnu_ld=$lt_cv_prog_gnu_ld
-
-
-
-  # Check if GNU C++ uses GNU ld as the underlying linker, since the
-  # archiving commands below assume that GNU ld is being used.
-  if test "$with_gnu_ld" = yes; then
-    archive_cmds_CXX='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib'
-    archive_expsym_cmds_CXX='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
-
-    hardcode_libdir_flag_spec_CXX='${wl}--rpath ${wl}$libdir'
-    export_dynamic_flag_spec_CXX='${wl}--export-dynamic'
-
-    # If archive_cmds runs LD, not CC, wlarc should be empty
-    # XXX I think wlarc can be eliminated in ltcf-cxx, but I need to
-    #     investigate it a little bit more. (MM)
-    wlarc='${wl}'
-
-    # ancient GNU ld didn't support --whole-archive et. al.
-    if eval "`$CC -print-prog-name=ld` --help 2>&1" | \
-	grep 'no-whole-archive' > /dev/null; then
-      whole_archive_flag_spec_CXX="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive'
-    else
-      whole_archive_flag_spec_CXX=
-    fi
-  else
-    with_gnu_ld=no
-    wlarc=
-
-    # A generic and very simple default shared library creation
-    # command for GNU C++ for the case where it uses the native
-    # linker, instead of GNU ld.  If possible, this setting should
-    # overridden to take advantage of the native linker features on
-    # the platform it is being used on.
-    archive_cmds_CXX='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $lib'
-  fi
-
-  # Commands to make compiler produce verbose output that lists
-  # what "hidden" libraries, object files and flags are used when
-  # linking a shared library.
-  output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "\-L"'
-
-else
-  GXX=no
-  with_gnu_ld=no
-  wlarc=
-fi
-
-# PORTME: fill in a description of your system's C++ link characteristics
-{ echo "$as_me:$LINENO: checking whether the $compiler linker ($LD) supports shared libraries" >&5
-echo $ECHO_N "checking whether the $compiler linker ($LD) supports shared libraries... $ECHO_C" >&6; }
-ld_shlibs_CXX=yes
-case $host_os in
-  aix3*)
-    # FIXME: insert proper C++ library support
-    ld_shlibs_CXX=no
-    ;;
-  aix[4-9]*)
-    if test "$host_cpu" = ia64; then
-      # On IA64, the linker does run time linking by default, so we don't
-      # have to do anything special.
-      aix_use_runtimelinking=no
-      exp_sym_flag='-Bexport'
-      no_entry_flag=""
-    else
-      aix_use_runtimelinking=no
-
-      # Test if we are trying to use run time linking or normal
-      # AIX style linking. If -brtl is somewhere in LDFLAGS, we
-      # need to do runtime linking.
-      case $host_os in aix4.[23]|aix4.[23].*|aix[5-9]*)
-	for ld_flag in $LDFLAGS; do
-	  case $ld_flag in
-	  *-brtl*)
-	    aix_use_runtimelinking=yes
-	    break
-	    ;;
-	  esac
-	done
-	;;
-      esac
-
-      exp_sym_flag='-bexport'
-      no_entry_flag='-bnoentry'
-    fi
-
-    # When large executables or shared objects are built, AIX ld can
-    # have problems creating the table of contents.  If linking a library
-    # or program results in "error TOC overflow" add -mminimal-toc to
-    # CXXFLAGS/CFLAGS for g++/gcc.  In the cases where that is not
-    # enough to fix the problem, add -Wl,-bbigtoc to LDFLAGS.
-
-    archive_cmds_CXX=''
-    hardcode_direct_CXX=yes
-    hardcode_libdir_separator_CXX=':'
-    link_all_deplibs_CXX=yes
-
-    if test "$GXX" = yes; then
-      case $host_os in aix4.[012]|aix4.[012].*)
-      # We only want to do this on AIX 4.2 and lower, the check
-      # below for broken collect2 doesn't work under 4.3+
-	collect2name=`${CC} -print-prog-name=collect2`
-	if test -f "$collect2name" && \
-	   strings "$collect2name" | grep resolve_lib_name >/dev/null
-	then
-	  # We have reworked collect2
-	  :
-	else
-	  # We have old collect2
-	  hardcode_direct_CXX=unsupported
-	  # It fails to find uninstalled libraries when the uninstalled
-	  # path is not listed in the libpath.  Setting hardcode_minus_L
-	  # to unsupported forces relinking
-	  hardcode_minus_L_CXX=yes
-	  hardcode_libdir_flag_spec_CXX='-L$libdir'
-	  hardcode_libdir_separator_CXX=
-	fi
-	;;
-      esac
-      shared_flag='-shared'
-      if test "$aix_use_runtimelinking" = yes; then
-	shared_flag="$shared_flag "'${wl}-G'
-      fi
-    else
-      # not using gcc
-      if test "$host_cpu" = ia64; then
-	# VisualAge C++, Version 5.5 for AIX 5L for IA-64, Beta 3 Release
-	# chokes on -Wl,-G. The following line is correct:
-	shared_flag='-G'
-      else
-	if test "$aix_use_runtimelinking" = yes; then
-	  shared_flag='${wl}-G'
-	else
-	  shared_flag='${wl}-bM:SRE'
-	fi
-      fi
-    fi
-
-    # It seems that -bexpall does not export symbols beginning with
-    # underscore (_), so it is better to generate a list of symbols to export.
-    always_export_symbols_CXX=yes
-    if test "$aix_use_runtimelinking" = yes; then
-      # Warning - without using the other runtime loading flags (-brtl),
-      # -berok will link without error, but may produce a broken library.
-      allow_undefined_flag_CXX='-berok'
-      # Determine the default libpath from the value encoded in an empty executable.
-      cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-int
-main ()
-{
-
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_cxx_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
-
-lt_aix_libpath_sed='
-    /Import File Strings/,/^$/ {
-	/^0/ {
-	    s/^0  *\(.*\)$/\1/
-	    p
-	}
-    }'
-aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
-# Check for a 64-bit object if we didn't find anything.
-if test -z "$aix_libpath"; then
-  aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
-fi
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
-if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
-
-      hardcode_libdir_flag_spec_CXX='${wl}-blibpath:$libdir:'"$aix_libpath"
-
-      archive_expsym_cmds_CXX="\$CC"' -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then echo "${wl}${allow_undefined_flag}"; else :; fi` '"\${wl}$exp_sym_flag:\$export_symbols $shared_flag"
-     else
-      if test "$host_cpu" = ia64; then
-	hardcode_libdir_flag_spec_CXX='${wl}-R $libdir:/usr/lib:/lib'
-	allow_undefined_flag_CXX="-z nodefs"
-	archive_expsym_cmds_CXX="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags ${wl}${allow_undefined_flag} '"\${wl}$exp_sym_flag:\$export_symbols"
-      else
-	# Determine the default libpath from the value encoded in an empty executable.
-	cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-int
-main ()
-{
-
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_cxx_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
-
-lt_aix_libpath_sed='
-    /Import File Strings/,/^$/ {
-	/^0/ {
-	    s/^0  *\(.*\)$/\1/
-	    p
-	}
-    }'
-aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
-# Check for a 64-bit object if we didn't find anything.
-if test -z "$aix_libpath"; then
-  aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
-fi
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
-if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
-
-	hardcode_libdir_flag_spec_CXX='${wl}-blibpath:$libdir:'"$aix_libpath"
-	# Warning - without using the other run time loading flags,
-	# -berok will link without error, but may produce a broken library.
-	no_undefined_flag_CXX=' ${wl}-bernotok'
-	allow_undefined_flag_CXX=' ${wl}-berok'
-	# Exported symbols can be pulled into shared objects from archives
-	whole_archive_flag_spec_CXX='$convenience'
-	archive_cmds_need_lc_CXX=yes
-	# This is similar to how AIX traditionally builds its shared libraries.
-	archive_expsym_cmds_CXX="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs ${wl}-bnoentry $compiler_flags ${wl}-bE:$export_symbols${allow_undefined_flag}~$AR $AR_FLAGS $output_objdir/$libname$release.a $output_objdir/$soname'
-      fi
-    fi
-    ;;
-
-  beos*)
-    if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
-      allow_undefined_flag_CXX=unsupported
-      # Joseph Beckenbach <jrb3@best.com> says some releases of gcc
-      # support --undefined.  This deserves some investigation.  FIXME
-      archive_cmds_CXX='$CC -nostart $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
-    else
-      ld_shlibs_CXX=no
-    fi
-    ;;
-
-  chorus*)
-    case $cc_basename in
-      *)
-	# FIXME: insert proper C++ library support
-	ld_shlibs_CXX=no
-	;;
-    esac
-    ;;
-
-  cygwin* | mingw* | pw32*)
-    # _LT_AC_TAGVAR(hardcode_libdir_flag_spec, CXX) is actually meaningless,
-    # as there is no search path for DLLs.
-    hardcode_libdir_flag_spec_CXX='-L$libdir'
-    allow_undefined_flag_CXX=unsupported
-    always_export_symbols_CXX=no
-    enable_shared_with_static_runtimes_CXX=yes
-
-    if $LD --help 2>&1 | grep 'auto-import' > /dev/null; then
-      archive_cmds_CXX='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
-      # If the export-symbols file already is a .def file (1st line
-      # is EXPORTS), use it as is; otherwise, prepend...
-      archive_expsym_cmds_CXX='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then
-	cp $export_symbols $output_objdir/$soname.def;
-      else
-	echo EXPORTS > $output_objdir/$soname.def;
-	cat $export_symbols >> $output_objdir/$soname.def;
-      fi~
-      $CC -shared -nostdlib $output_objdir/$soname.def $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
-    else
-      ld_shlibs_CXX=no
-    fi
-  ;;
-      darwin* | rhapsody*)
-      archive_cmds_need_lc_CXX=no
-      hardcode_direct_CXX=no
-      hardcode_automatic_CXX=yes
-      hardcode_shlibpath_var_CXX=unsupported
-      whole_archive_flag_spec_CXX=''
-      link_all_deplibs_CXX=yes
-      allow_undefined_flag_CXX="$_lt_dar_allow_undefined"
-      if test "$GXX" = yes ; then
-      output_verbose_link_cmd='echo'
-      archive_cmds_CXX="\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$libobjs \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring $_lt_dar_single_mod${_lt_dsymutil}"
-      module_cmds_CXX="\$CC \$allow_undefined_flag -o \$lib -bundle \$libobjs \$deplibs \$compiler_flags${_lt_dsymutil}"
-      archive_expsym_cmds_CXX="sed 's,^,_,' < \$export_symbols > \$output_objdir/\${libname}-symbols.expsym~\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$libobjs \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring ${_lt_dar_single_mod}${_lt_dar_export_syms}${_lt_dsymutil}"
-      module_expsym_cmds_CXX="sed -e 's,^,_,' < \$export_symbols > \$output_objdir/\${libname}-symbols.expsym~\$CC \$allow_undefined_flag -o \$lib -bundle \$libobjs \$deplibs \$compiler_flags${_lt_dar_export_syms}${_lt_dsymutil}"
-      if test "$lt_cv_apple_cc_single_mod" != "yes"; then
-        archive_cmds_CXX="\$CC -r -keep_private_externs -nostdlib -o \${lib}-master.o \$libobjs~\$CC -dynamiclib \$allow_undefined_flag -o \$lib \${lib}-master.o \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring${_lt_dsymutil}"
-        archive_expsym_cmds_CXX="sed 's,^,_,' < \$export_symbols > \$output_objdir/\${libname}-symbols.expsym~\$CC -r -keep_private_externs -nostdlib -o \${lib}-master.o \$libobjs~\$CC -dynamiclib \$allow_undefined_flag -o \$lib \${lib}-master.o \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring${_lt_dar_export_syms}${_lt_dsymutil}"
-      fi
-      else
-      case $cc_basename in
-        xlc*)
-         output_verbose_link_cmd='echo'
-          archive_cmds_CXX='$CC -qmkshrobj ${wl}-single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}`echo $rpath/$soname` $xlcverstring'
-          module_cmds_CXX='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
-          # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin lds
-          archive_expsym_cmds_CXX='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -qmkshrobj ${wl}-single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}$rpath/$soname $xlcverstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
-          module_expsym_cmds_CXX='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag  -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
-          ;;
-       *)
-         ld_shlibs_CXX=no
-          ;;
-      esac
-      fi
-        ;;
-
-  dgux*)
-    case $cc_basename in
-      ec++*)
-	# FIXME: insert proper C++ library support
-	ld_shlibs_CXX=no
-	;;
-      ghcx*)
-	# Green Hills C++ Compiler
-	# FIXME: insert proper C++ library support
-	ld_shlibs_CXX=no
-	;;
-      *)
-	# FIXME: insert proper C++ library support
-	ld_shlibs_CXX=no
-	;;
-    esac
-    ;;
-  freebsd[12]*)
-    # C++ shared libraries reported to be fairly broken before switch to ELF
-    ld_shlibs_CXX=no
-    ;;
-  freebsd-elf*)
-    archive_cmds_need_lc_CXX=no
-    ;;
-  freebsd* | dragonfly*)
-    # FreeBSD 3 and later use GNU C++ and GNU ld with standard ELF
-    # conventions
-    ld_shlibs_CXX=yes
-    ;;
-  gnu*)
-    ;;
-  hpux9*)
-    hardcode_libdir_flag_spec_CXX='${wl}+b ${wl}$libdir'
-    hardcode_libdir_separator_CXX=:
-    export_dynamic_flag_spec_CXX='${wl}-E'
-    hardcode_direct_CXX=yes
-    hardcode_minus_L_CXX=yes # Not in the search PATH,
-				# but as the default
-				# location of the library.
-
-    case $cc_basename in
-    CC*)
-      # FIXME: insert proper C++ library support
-      ld_shlibs_CXX=no
-      ;;
-    aCC*)
-      archive_cmds_CXX='$rm $output_objdir/$soname~$CC -b ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
-      # Commands to make compiler produce verbose output that lists
-      # what "hidden" libraries, object files and flags are used when
-      # linking a shared library.
-      #
-      # There doesn't appear to be a way to prevent this compiler from
-      # explicitly linking system object files so we need to strip them
-      # from the output so that they don't get included in the library
-      # dependencies.
-      output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | grep "[-]L"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
-      ;;
-    *)
-      if test "$GXX" = yes; then
-        archive_cmds_CXX='$rm $output_objdir/$soname~$CC -shared -nostdlib -fPIC ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
-      else
-        # FIXME: insert proper C++ library support
-        ld_shlibs_CXX=no
-      fi
-      ;;
-    esac
-    ;;
-  hpux10*|hpux11*)
-    if test $with_gnu_ld = no; then
-      hardcode_libdir_flag_spec_CXX='${wl}+b ${wl}$libdir'
-      hardcode_libdir_separator_CXX=:
-
-      case $host_cpu in
-      hppa*64*|ia64*) ;;
-      *)
-	export_dynamic_flag_spec_CXX='${wl}-E'
-        ;;
-      esac
-    fi
-    case $host_cpu in
-    hppa*64*|ia64*)
-      hardcode_direct_CXX=no
-      hardcode_shlibpath_var_CXX=no
-      ;;
-    *)
-      hardcode_direct_CXX=yes
-      hardcode_minus_L_CXX=yes # Not in the search PATH,
-					      # but as the default
-					      # location of the library.
-      ;;
-    esac
-
-    case $cc_basename in
-      CC*)
-	# FIXME: insert proper C++ library support
-	ld_shlibs_CXX=no
-	;;
-      aCC*)
-	case $host_cpu in
-	hppa*64*)
-	  archive_cmds_CXX='$CC -b ${wl}+h ${wl}$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
-	  ;;
-	ia64*)
-	  archive_cmds_CXX='$CC -b ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
-	  ;;
-	*)
-	  archive_cmds_CXX='$CC -b ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
-	  ;;
-	esac
-	# Commands to make compiler produce verbose output that lists
-	# what "hidden" libraries, object files and flags are used when
-	# linking a shared library.
-	#
-	# There doesn't appear to be a way to prevent this compiler from
-	# explicitly linking system object files so we need to strip them
-	# from the output so that they don't get included in the library
-	# dependencies.
-	output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | grep "\-L"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
-	;;
-      *)
-	if test "$GXX" = yes; then
-	  if test $with_gnu_ld = no; then
-	    case $host_cpu in
-	    hppa*64*)
-	      archive_cmds_CXX='$CC -shared -nostdlib -fPIC ${wl}+h ${wl}$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
-	      ;;
-	    ia64*)
-	      archive_cmds_CXX='$CC -shared -nostdlib -fPIC ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
-	      ;;
-	    *)
-	      archive_cmds_CXX='$CC -shared -nostdlib -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
-	      ;;
-	    esac
-	  fi
-	else
-	  # FIXME: insert proper C++ library support
-	  ld_shlibs_CXX=no
-	fi
-	;;
-    esac
-    ;;
-  interix[3-9]*)
-    hardcode_direct_CXX=no
-    hardcode_shlibpath_var_CXX=no
-    hardcode_libdir_flag_spec_CXX='${wl}-rpath,$libdir'
-    export_dynamic_flag_spec_CXX='${wl}-E'
-    # Hack: On Interix 3.x, we cannot compile PIC because of a broken gcc.
-    # Instead, shared libraries are loaded at an image base (0x10000000 by
-    # default) and relocated if they conflict, which is a slow very memory
-    # consuming and fragmenting process.  To avoid this, we pick a random,
-    # 256 KiB-aligned image base between 0x50000000 and 0x6FFC0000 at link
-    # time.  Moving up from 0x10000000 also allows more sbrk(2) space.
-    archive_cmds_CXX='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
-    archive_expsym_cmds_CXX='sed "s,^,_," $export_symbols >$output_objdir/$soname.expsym~$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--retain-symbols-file,$output_objdir/$soname.expsym ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
-    ;;
-  irix5* | irix6*)
-    case $cc_basename in
-      CC*)
-	# SGI C++
-	archive_cmds_CXX='$CC -shared -all -multigot $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
-
-	# Archives containing C++ object files must be created using
-	# "CC -ar", where "CC" is the IRIX C++ compiler.  This is
-	# necessary to make sure instantiated templates are included
-	# in the archive.
-	old_archive_cmds_CXX='$CC -ar -WR,-u -o $oldlib $oldobjs'
-	;;
-      *)
-	if test "$GXX" = yes; then
-	  if test "$with_gnu_ld" = no; then
-	    archive_cmds_CXX='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
-	  else
-	    archive_cmds_CXX='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` -o $lib'
-	  fi
-	fi
-	link_all_deplibs_CXX=yes
-	;;
-    esac
-    hardcode_libdir_flag_spec_CXX='${wl}-rpath ${wl}$libdir'
-    hardcode_libdir_separator_CXX=:
-    ;;
-  linux* | k*bsd*-gnu)
-    case $cc_basename in
-      KCC*)
-	# Kuck and Associates, Inc. (KAI) C++ Compiler
-
-	# KCC will only create a shared library if the output file
-	# ends with ".so" (or ".sl" for HP-UX), so rename the library
-	# to its proper name (with version) after linking.
-	archive_cmds_CXX='tempext=`echo $shared_ext | $SED -e '\''s/\([^()0-9A-Za-z{}]\)/\\\\\1/g'\''`; templib=`echo $lib | $SED -e "s/\${tempext}\..*/.so/"`; $CC $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags --soname $soname -o \$templib; mv \$templib $lib'
-	archive_expsym_cmds_CXX='tempext=`echo $shared_ext | $SED -e '\''s/\([^()0-9A-Za-z{}]\)/\\\\\1/g'\''`; templib=`echo $lib | $SED -e "s/\${tempext}\..*/.so/"`; $CC $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags --soname $soname -o \$templib ${wl}-retain-symbols-file,$export_symbols; mv \$templib $lib'
-	# Commands to make compiler produce verbose output that lists
-	# what "hidden" libraries, object files and flags are used when
-	# linking a shared library.
-	#
-	# There doesn't appear to be a way to prevent this compiler from
-	# explicitly linking system object files so we need to strip them
-	# from the output so that they don't get included in the library
-	# dependencies.
-	output_verbose_link_cmd='templist=`$CC $CFLAGS -v conftest.$objext -o libconftest$shared_ext 2>&1 | grep "ld"`; rm -f libconftest$shared_ext; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
-
-	hardcode_libdir_flag_spec_CXX='${wl}--rpath,$libdir'
-	export_dynamic_flag_spec_CXX='${wl}--export-dynamic'
-
-	# Archives containing C++ object files must be created using
-	# "CC -Bstatic", where "CC" is the KAI C++ compiler.
-	old_archive_cmds_CXX='$CC -Bstatic -o $oldlib $oldobjs'
-	;;
-      icpc*)
-	# Intel C++
-	with_gnu_ld=yes
-	# version 8.0 and above of icpc choke on multiply defined symbols
-	# if we add $predep_objects and $postdep_objects, however 7.1 and
-	# earlier do not add the objects themselves.
-	case `$CC -V 2>&1` in
-	*"Version 7."*)
-  	  archive_cmds_CXX='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib'
-  	  archive_expsym_cmds_CXX='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
-	  ;;
-	*)  # Version 8.0 or newer
-	  tmp_idyn=
-	  case $host_cpu in
-	    ia64*) tmp_idyn=' -i_dynamic';;
-	  esac
-  	  archive_cmds_CXX='$CC -shared'"$tmp_idyn"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
-	  archive_expsym_cmds_CXX='$CC -shared'"$tmp_idyn"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
-	  ;;
-	esac
-	archive_cmds_need_lc_CXX=no
-	hardcode_libdir_flag_spec_CXX='${wl}-rpath,$libdir'
-	export_dynamic_flag_spec_CXX='${wl}--export-dynamic'
-	whole_archive_flag_spec_CXX='${wl}--whole-archive$convenience ${wl}--no-whole-archive'
-	;;
-      pgCC* | pgcpp*)
-        # Portland Group C++ compiler
-	archive_cmds_CXX='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
-  	archive_expsym_cmds_CXX='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname ${wl}-retain-symbols-file ${wl}$export_symbols -o $lib'
-
-	hardcode_libdir_flag_spec_CXX='${wl}--rpath ${wl}$libdir'
-	export_dynamic_flag_spec_CXX='${wl}--export-dynamic'
-	whole_archive_flag_spec_CXX='${wl}--whole-archive`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}--no-whole-archive'
-        ;;
-      cxx*)
-	# Compaq C++
-	archive_cmds_CXX='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib'
-	archive_expsym_cmds_CXX='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname  -o $lib ${wl}-retain-symbols-file $wl$export_symbols'
-
-	runpath_var=LD_RUN_PATH
-	hardcode_libdir_flag_spec_CXX='-rpath $libdir'
-	hardcode_libdir_separator_CXX=:
-
-	# Commands to make compiler produce verbose output that lists
-	# what "hidden" libraries, object files and flags are used when
-	# linking a shared library.
-	#
-	# There doesn't appear to be a way to prevent this compiler from
-	# explicitly linking system object files so we need to strip them
-	# from the output so that they don't get included in the library
-	# dependencies.
-	output_verbose_link_cmd='templist=`$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "ld"`; templist=`echo $templist | $SED "s/\(^.*ld.*\)\( .*ld .*$\)/\1/"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
-	;;
-      *)
-	case `$CC -V 2>&1 | sed 5q` in
-	*Sun\ C*)
-	  # Sun C++ 5.9
-	  no_undefined_flag_CXX=' -zdefs'
-	  archive_cmds_CXX='$CC -G${allow_undefined_flag} -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
-	  archive_expsym_cmds_CXX='$CC -G${allow_undefined_flag} -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-retain-symbols-file ${wl}$export_symbols'
-	  hardcode_libdir_flag_spec_CXX='-R$libdir'
-	  whole_archive_flag_spec_CXX='${wl}--whole-archive`new_convenience=; for conv in $convenience\"\"; do test -z \"$conv\" || new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}--no-whole-archive'
-
-	  # Not sure whether something based on
-	  # $CC $CFLAGS -v conftest.$objext -o libconftest$shared_ext 2>&1
-	  # would be better.
-	  output_verbose_link_cmd='echo'
-
-	  # Archives containing C++ object files must be created using
-	  # "CC -xar", where "CC" is the Sun C++ compiler.  This is
-	  # necessary to make sure instantiated templates are included
-	  # in the archive.
-	  old_archive_cmds_CXX='$CC -xar -o $oldlib $oldobjs'
-	  ;;
-	esac
-	;;
-    esac
-    ;;
-  lynxos*)
-    # FIXME: insert proper C++ library support
-    ld_shlibs_CXX=no
-    ;;
-  m88k*)
-    # FIXME: insert proper C++ library support
-    ld_shlibs_CXX=no
-    ;;
-  mvs*)
-    case $cc_basename in
-      cxx*)
-	# FIXME: insert proper C++ library support
-	ld_shlibs_CXX=no
-	;;
-      *)
-	# FIXME: insert proper C++ library support
-	ld_shlibs_CXX=no
-	;;
-    esac
-    ;;
-  netbsd* | netbsdelf*-gnu)
-    if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
-      archive_cmds_CXX='$LD -Bshareable  -o $lib $predep_objects $libobjs $deplibs $postdep_objects $linker_flags'
-      wlarc=
-      hardcode_libdir_flag_spec_CXX='-R$libdir'
-      hardcode_direct_CXX=yes
-      hardcode_shlibpath_var_CXX=no
-    fi
-    # Workaround some broken pre-1.5 toolchains
-    output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep conftest.$objext | $SED -e "s:-lgcc -lc -lgcc::"'
-    ;;
-  openbsd2*)
-    # C++ shared libraries are fairly broken
-    ld_shlibs_CXX=no
-    ;;
-  openbsd*)
-    if test -f /usr/libexec/ld.so; then
-      hardcode_direct_CXX=yes
-      hardcode_shlibpath_var_CXX=no
-      archive_cmds_CXX='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $lib'
-      hardcode_libdir_flag_spec_CXX='${wl}-rpath,$libdir'
-      if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
-	archive_expsym_cmds_CXX='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-retain-symbols-file,$export_symbols -o $lib'
-	export_dynamic_flag_spec_CXX='${wl}-E'
-	whole_archive_flag_spec_CXX="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive'
-      fi
-      output_verbose_link_cmd='echo'
-    else
-      ld_shlibs_CXX=no
-    fi
-    ;;
-  osf3*)
-    case $cc_basename in
-      KCC*)
-	# Kuck and Associates, Inc. (KAI) C++ Compiler
-
-	# KCC will only create a shared library if the output file
-	# ends with ".so" (or ".sl" for HP-UX), so rename the library
-	# to its proper name (with version) after linking.
-	archive_cmds_CXX='tempext=`echo $shared_ext | $SED -e '\''s/\([^()0-9A-Za-z{}]\)/\\\\\1/g'\''`; templib=`echo $lib | $SED -e "s/\${tempext}\..*/.so/"`; $CC $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags --soname $soname -o \$templib; mv \$templib $lib'
-
-	hardcode_libdir_flag_spec_CXX='${wl}-rpath,$libdir'
-	hardcode_libdir_separator_CXX=:
-
-	# Archives containing C++ object files must be created using
-	# "CC -Bstatic", where "CC" is the KAI C++ compiler.
-	old_archive_cmds_CXX='$CC -Bstatic -o $oldlib $oldobjs'
-
-	;;
-      RCC*)
-	# Rational C++ 2.4.1
-	# FIXME: insert proper C++ library support
-	ld_shlibs_CXX=no
-	;;
-      cxx*)
-	allow_undefined_flag_CXX=' ${wl}-expect_unresolved ${wl}\*'
-	archive_cmds_CXX='$CC -shared${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $soname `test -n "$verstring" && echo ${wl}-set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
-
-	hardcode_libdir_flag_spec_CXX='${wl}-rpath ${wl}$libdir'
-	hardcode_libdir_separator_CXX=:
-
-	# Commands to make compiler produce verbose output that lists
-	# what "hidden" libraries, object files and flags are used when
-	# linking a shared library.
-	#
-	# There doesn't appear to be a way to prevent this compiler from
-	# explicitly linking system object files so we need to strip them
-	# from the output so that they don't get included in the library
-	# dependencies.
-	output_verbose_link_cmd='templist=`$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "ld" | grep -v "ld:"`; templist=`echo $templist | $SED "s/\(^.*ld.*\)\( .*ld.*$\)/\1/"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
-	;;
-      *)
-	if test "$GXX" = yes && test "$with_gnu_ld" = no; then
-	  allow_undefined_flag_CXX=' ${wl}-expect_unresolved ${wl}\*'
-	  archive_cmds_CXX='$CC -shared -nostdlib ${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
-
-	  hardcode_libdir_flag_spec_CXX='${wl}-rpath ${wl}$libdir'
-	  hardcode_libdir_separator_CXX=:
-
-	  # Commands to make compiler produce verbose output that lists
-	  # what "hidden" libraries, object files and flags are used when
-	  # linking a shared library.
-	  output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "\-L"'
-
-	else
-	  # FIXME: insert proper C++ library support
-	  ld_shlibs_CXX=no
-	fi
-	;;
-    esac
-    ;;
-  osf4* | osf5*)
-    case $cc_basename in
-      KCC*)
-	# Kuck and Associates, Inc. (KAI) C++ Compiler
-
-	# KCC will only create a shared library if the output file
-	# ends with ".so" (or ".sl" for HP-UX), so rename the library
-	# to its proper name (with version) after linking.
-	archive_cmds_CXX='tempext=`echo $shared_ext | $SED -e '\''s/\([^()0-9A-Za-z{}]\)/\\\\\1/g'\''`; templib=`echo $lib | $SED -e "s/\${tempext}\..*/.so/"`; $CC $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags --soname $soname -o \$templib; mv \$templib $lib'
-
-	hardcode_libdir_flag_spec_CXX='${wl}-rpath,$libdir'
-	hardcode_libdir_separator_CXX=:
-
-	# Archives containing C++ object files must be created using
-	# the KAI C++ compiler.
-	old_archive_cmds_CXX='$CC -o $oldlib $oldobjs'
-	;;
-      RCC*)
-	# Rational C++ 2.4.1
-	# FIXME: insert proper C++ library support
-	ld_shlibs_CXX=no
-	;;
-      cxx*)
-	allow_undefined_flag_CXX=' -expect_unresolved \*'
-	archive_cmds_CXX='$CC -shared${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -msym -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
-	archive_expsym_cmds_CXX='for i in `cat $export_symbols`; do printf "%s %s\\n" -exported_symbol "\$i" >> $lib.exp; done~
-	  echo "-hidden">> $lib.exp~
-	  $CC -shared$allow_undefined_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -msym -soname $soname -Wl,-input -Wl,$lib.exp  `test -n "$verstring" && echo -set_version	$verstring` -update_registry ${output_objdir}/so_locations -o $lib~
-	  $rm $lib.exp'
-
-	hardcode_libdir_flag_spec_CXX='-rpath $libdir'
-	hardcode_libdir_separator_CXX=:
-
-	# Commands to make compiler produce verbose output that lists
-	# what "hidden" libraries, object files and flags are used when
-	# linking a shared library.
-	#
-	# There doesn't appear to be a way to prevent this compiler from
-	# explicitly linking system object files so we need to strip them
-	# from the output so that they don't get included in the library
-	# dependencies.
-	output_verbose_link_cmd='templist=`$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "ld" | grep -v "ld:"`; templist=`echo $templist | $SED "s/\(^.*ld.*\)\( .*ld.*$\)/\1/"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
-	;;
-      *)
-	if test "$GXX" = yes && test "$with_gnu_ld" = no; then
-	  allow_undefined_flag_CXX=' ${wl}-expect_unresolved ${wl}\*'
-	 archive_cmds_CXX='$CC -shared -nostdlib ${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-msym ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
-
-	  hardcode_libdir_flag_spec_CXX='${wl}-rpath ${wl}$libdir'
-	  hardcode_libdir_separator_CXX=:
-
-	  # Commands to make compiler produce verbose output that lists
-	  # what "hidden" libraries, object files and flags are used when
-	  # linking a shared library.
-	  output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "\-L"'
-
-	else
-	  # FIXME: insert proper C++ library support
-	  ld_shlibs_CXX=no
-	fi
-	;;
-    esac
-    ;;
-  psos*)
-    # FIXME: insert proper C++ library support
-    ld_shlibs_CXX=no
-    ;;
-  sunos4*)
-    case $cc_basename in
-      CC*)
-	# Sun C++ 4.x
-	# FIXME: insert proper C++ library support
-	ld_shlibs_CXX=no
-	;;
-      lcc*)
-	# Lucid
-	# FIXME: insert proper C++ library support
-	ld_shlibs_CXX=no
-	;;
-      *)
-	# FIXME: insert proper C++ library support
-	ld_shlibs_CXX=no
-	;;
-    esac
-    ;;
-  solaris*)
-    case $cc_basename in
-      CC*)
-	# Sun C++ 4.2, 5.x and Centerline C++
-        archive_cmds_need_lc_CXX=yes
-	no_undefined_flag_CXX=' -zdefs'
-	archive_cmds_CXX='$CC -G${allow_undefined_flag}  -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
-	archive_expsym_cmds_CXX='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
-	$CC -G${allow_undefined_flag}  ${wl}-M ${wl}$lib.exp -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~$rm $lib.exp'
-
-	hardcode_libdir_flag_spec_CXX='-R$libdir'
-	hardcode_shlibpath_var_CXX=no
-	case $host_os in
-	  solaris2.[0-5] | solaris2.[0-5].*) ;;
-	  *)
-	    # The compiler driver will combine and reorder linker options,
-	    # but understands `-z linker_flag'.
-	    # Supported since Solaris 2.6 (maybe 2.5.1?)
-	    whole_archive_flag_spec_CXX='-z allextract$convenience -z defaultextract'
-	    ;;
-	esac
-	link_all_deplibs_CXX=yes
-
-	output_verbose_link_cmd='echo'
-
-	# Archives containing C++ object files must be created using
-	# "CC -xar", where "CC" is the Sun C++ compiler.  This is
-	# necessary to make sure instantiated templates are included
-	# in the archive.
-	old_archive_cmds_CXX='$CC -xar -o $oldlib $oldobjs'
-	;;
-      gcx*)
-	# Green Hills C++ Compiler
-	archive_cmds_CXX='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-h $wl$soname -o $lib'
-
-	# The C++ compiler must be used to create the archive.
-	old_archive_cmds_CXX='$CC $LDFLAGS -archive -o $oldlib $oldobjs'
-	;;
-      *)
-	# GNU C++ compiler with Solaris linker
-	if test "$GXX" = yes && test "$with_gnu_ld" = no; then
-	  no_undefined_flag_CXX=' ${wl}-z ${wl}defs'
-	  if $CC --version | grep -v '^2\.7' > /dev/null; then
-	    archive_cmds_CXX='$CC -shared -nostdlib $LDFLAGS $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-h $wl$soname -o $lib'
-	    archive_expsym_cmds_CXX='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
-		$CC -shared -nostdlib ${wl}-M $wl$lib.exp -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~$rm $lib.exp'
-
-	    # Commands to make compiler produce verbose output that lists
-	    # what "hidden" libraries, object files and flags are used when
-	    # linking a shared library.
-	    output_verbose_link_cmd="$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep \"\-L\""
-	  else
-	    # g++ 2.7 appears to require `-G' NOT `-shared' on this
-	    # platform.
-	    archive_cmds_CXX='$CC -G -nostdlib $LDFLAGS $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-h $wl$soname -o $lib'
-	    archive_expsym_cmds_CXX='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
-		$CC -G -nostdlib ${wl}-M $wl$lib.exp -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~$rm $lib.exp'
-
-	    # Commands to make compiler produce verbose output that lists
-	    # what "hidden" libraries, object files and flags are used when
-	    # linking a shared library.
-	    output_verbose_link_cmd="$CC -G $CFLAGS -v conftest.$objext 2>&1 | grep \"\-L\""
-	  fi
-
-	  hardcode_libdir_flag_spec_CXX='${wl}-R $wl$libdir'
-	  case $host_os in
-	  solaris2.[0-5] | solaris2.[0-5].*) ;;
-	  *)
-	    whole_archive_flag_spec_CXX='${wl}-z ${wl}allextract$convenience ${wl}-z ${wl}defaultextract'
-	    ;;
-	  esac
-	fi
-	;;
-    esac
-    ;;
-  sysv4*uw2* | sysv5OpenUNIX* | sysv5UnixWare7.[01].[10]* | unixware7* | sco3.2v5.0.[024]*)
-    no_undefined_flag_CXX='${wl}-z,text'
-    archive_cmds_need_lc_CXX=no
-    hardcode_shlibpath_var_CXX=no
-    runpath_var='LD_RUN_PATH'
-
-    case $cc_basename in
-      CC*)
-	archive_cmds_CXX='$CC -G ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
-	archive_expsym_cmds_CXX='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
-	;;
-      *)
-	archive_cmds_CXX='$CC -shared ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
-	archive_expsym_cmds_CXX='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
-	;;
-    esac
-    ;;
-  sysv5* | sco3.2v5* | sco5v6*)
-    # Note: We can NOT use -z defs as we might desire, because we do not
-    # link with -lc, and that would cause any symbols used from libc to
-    # always be unresolved, which means just about no library would
-    # ever link correctly.  If we're not using GNU ld we use -z text
-    # though, which does catch some bad symbols but isn't as heavy-handed
-    # as -z defs.
-    # For security reasons, it is highly recommended that you always
-    # use absolute paths for naming shared libraries, and exclude the
-    # DT_RUNPATH tag from executables and libraries.  But doing so
-    # requires that you compile everything twice, which is a pain.
-    # So that behaviour is only enabled if SCOABSPATH is set to a
-    # non-empty value in the environment.  Most likely only useful for
-    # creating official distributions of packages.
-    # This is a hack until libtool officially supports absolute path
-    # names for shared libraries.
-    no_undefined_flag_CXX='${wl}-z,text'
-    allow_undefined_flag_CXX='${wl}-z,nodefs'
-    archive_cmds_need_lc_CXX=no
-    hardcode_shlibpath_var_CXX=no
-    hardcode_libdir_flag_spec_CXX='`test -z "$SCOABSPATH" && echo ${wl}-R,$libdir`'
-    hardcode_libdir_separator_CXX=':'
-    link_all_deplibs_CXX=yes
-    export_dynamic_flag_spec_CXX='${wl}-Bexport'
-    runpath_var='LD_RUN_PATH'
-
-    case $cc_basename in
-      CC*)
-	archive_cmds_CXX='$CC -G ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
-	archive_expsym_cmds_CXX='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
-	;;
-      *)
-	archive_cmds_CXX='$CC -shared ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
-	archive_expsym_cmds_CXX='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
-	;;
-    esac
-    ;;
-  tandem*)
-    case $cc_basename in
-      NCC*)
-	# NonStop-UX NCC 3.20
-	# FIXME: insert proper C++ library support
-	ld_shlibs_CXX=no
-	;;
-      *)
-	# FIXME: insert proper C++ library support
-	ld_shlibs_CXX=no
-	;;
-    esac
-    ;;
-  vxworks*)
-    # FIXME: insert proper C++ library support
-    ld_shlibs_CXX=no
-    ;;
-  *)
-    # FIXME: insert proper C++ library support
-    ld_shlibs_CXX=no
-    ;;
-esac
-{ echo "$as_me:$LINENO: result: $ld_shlibs_CXX" >&5
-echo "${ECHO_T}$ld_shlibs_CXX" >&6; }
-test "$ld_shlibs_CXX" = no && can_build_shared=no
-
-GCC_CXX="$GXX"
-LD_CXX="$LD"
-
-cat > conftest.$ac_ext <<EOF
-class Foo
-{
-public:
-  Foo (void) { a = 0; }
-private:
-  int a;
-};
-EOF
-
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; then
-  # Parse the compiler output and extract the necessary
-  # objects, libraries and library flags.
-
-  # Sentinel used to keep track of whether or not we are before
-  # the conftest object file.
-  pre_test_object_deps_done=no
-
-  # The `*' in the case matches for architectures that use `case' in
-  # $output_verbose_cmd can trigger glob expansion during the loop
-  # eval without this substitution.
-  output_verbose_link_cmd=`$echo "X$output_verbose_link_cmd" | $Xsed -e "$no_glob_subst"`
-
-  for p in `eval $output_verbose_link_cmd`; do
-    case $p in
-
-    -L* | -R* | -l*)
-       # Some compilers place space between "-{L,R}" and the path.
-       # Remove the space.
-       if test $p = "-L" \
-	  || test $p = "-R"; then
-	 prev=$p
-	 continue
-       else
-	 prev=
-       fi
-
-       if test "$pre_test_object_deps_done" = no; then
-	 case $p in
-	 -L* | -R*)
-	   # Internal compiler library paths should come after those
-	   # provided the user.  The postdeps already come after the
-	   # user supplied libs so there is no need to process them.
-	   if test -z "$compiler_lib_search_path_CXX"; then
-	     compiler_lib_search_path_CXX="${prev}${p}"
-	   else
-	     compiler_lib_search_path_CXX="${compiler_lib_search_path_CXX} ${prev}${p}"
-	   fi
-	   ;;
-	 # The "-l" case would never come before the object being
-	 # linked, so don't bother handling this case.
-	 esac
-       else
-	 if test -z "$postdeps_CXX"; then
-	   postdeps_CXX="${prev}${p}"
-	 else
-	   postdeps_CXX="${postdeps_CXX} ${prev}${p}"
-	 fi
-       fi
-       ;;
-
-    *.$objext)
-       # This assumes that the test object file only shows up
-       # once in the compiler output.
-       if test "$p" = "conftest.$objext"; then
-	 pre_test_object_deps_done=yes
-	 continue
-       fi
-
-       if test "$pre_test_object_deps_done" = no; then
-	 if test -z "$predep_objects_CXX"; then
-	   predep_objects_CXX="$p"
-	 else
-	   predep_objects_CXX="$predep_objects_CXX $p"
-	 fi
-       else
-	 if test -z "$postdep_objects_CXX"; then
-	   postdep_objects_CXX="$p"
-	 else
-	   postdep_objects_CXX="$postdep_objects_CXX $p"
-	 fi
-       fi
-       ;;
-
-    *) ;; # Ignore the rest.
-
-    esac
-  done
-
-  # Clean up.
-  rm -f a.out a.exe
-else
-  echo "libtool.m4: error: problem compiling CXX test program"
-fi
-
-$rm -f confest.$objext
-
-compiler_lib_search_dirs_CXX=
-if test -n "$compiler_lib_search_path_CXX"; then
-  compiler_lib_search_dirs_CXX=`echo " ${compiler_lib_search_path_CXX}" | ${SED} -e 's! -L! !g' -e 's!^ !!'`
-fi
-
-# PORTME: override above test on systems where it is broken
-case $host_os in
-interix[3-9]*)
-  # Interix 3.5 installs completely hosed .la files for C++, so rather than
-  # hack all around it, let's just trust "g++" to DTRT.
-  predep_objects_CXX=
-  postdep_objects_CXX=
-  postdeps_CXX=
-  ;;
-
-linux*)
-  case `$CC -V 2>&1 | sed 5q` in
-  *Sun\ C*)
-    # Sun C++ 5.9
-    #
-    # The more standards-conforming stlport4 library is
-    # incompatible with the Cstd library. Avoid specifying
-    # it if it's in CXXFLAGS. Ignore libCrun as
-    # -library=stlport4 depends on it.
-    case " $CXX $CXXFLAGS " in
-    *" -library=stlport4 "*)
-      solaris_use_stlport4=yes
-      ;;
-    esac
-    if test "$solaris_use_stlport4" != yes; then
-      postdeps_CXX='-library=Cstd -library=Crun'
-    fi
-    ;;
-  esac
-  ;;
-
-solaris*)
-  case $cc_basename in
-  CC*)
-    # The more standards-conforming stlport4 library is
-    # incompatible with the Cstd library. Avoid specifying
-    # it if it's in CXXFLAGS. Ignore libCrun as
-    # -library=stlport4 depends on it.
-    case " $CXX $CXXFLAGS " in
-    *" -library=stlport4 "*)
-      solaris_use_stlport4=yes
-      ;;
-    esac
-
-    # Adding this requires a known-good setup of shared libraries for
-    # Sun compiler versions before 5.6, else PIC objects from an old
-    # archive will be linked into the output, leading to subtle bugs.
-    if test "$solaris_use_stlport4" != yes; then
-      postdeps_CXX='-library=Cstd -library=Crun'
-    fi
-    ;;
-  esac
-  ;;
-esac
-
-case " $postdeps_CXX " in
-*" -lc "*) archive_cmds_need_lc_CXX=no ;;
-esac
-
-lt_prog_compiler_wl_CXX=
-lt_prog_compiler_pic_CXX=
-lt_prog_compiler_static_CXX=
-
-{ echo "$as_me:$LINENO: checking for $compiler option to produce PIC" >&5
-echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6; }
-
-  # C++ specific cases for pic, static, wl, etc.
-  if test "$GXX" = yes; then
-    lt_prog_compiler_wl_CXX='-Wl,'
-    lt_prog_compiler_static_CXX='-static'
-
-    case $host_os in
-    aix*)
-      # All AIX code is PIC.
-      if test "$host_cpu" = ia64; then
-	# AIX 5 now supports IA64 processor
-	lt_prog_compiler_static_CXX='-Bstatic'
-      fi
-      ;;
-    amigaos*)
-      # FIXME: we need at least 68020 code to build shared libraries, but
-      # adding the `-m68020' flag to GCC prevents building anything better,
-      # like `-m68040'.
-      lt_prog_compiler_pic_CXX='-m68020 -resident32 -malways-restore-a4'
-      ;;
-    beos* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*)
-      # PIC is the default for these OSes.
-      ;;
-    mingw* | cygwin* | os2* | pw32*)
-      # This hack is so that the source file can tell whether it is being
-      # built for inclusion in a dll (and should export symbols for example).
-      # Although the cygwin gcc ignores -fPIC, still need this for old-style
-      # (--disable-auto-import) libraries
-      lt_prog_compiler_pic_CXX='-DDLL_EXPORT'
-      ;;
-    darwin* | rhapsody*)
-      # PIC is the default on this platform
-      # Common symbols not allowed in MH_DYLIB files
-      lt_prog_compiler_pic_CXX='-fno-common'
-      ;;
-    *djgpp*)
-      # DJGPP does not support shared libraries at all
-      lt_prog_compiler_pic_CXX=
-      ;;
-    interix[3-9]*)
-      # Interix 3.x gcc -fpic/-fPIC options generate broken code.
-      # Instead, we relocate shared libraries at runtime.
-      ;;
-    sysv4*MP*)
-      if test -d /usr/nec; then
-	lt_prog_compiler_pic_CXX=-Kconform_pic
-      fi
-      ;;
-    hpux*)
-      # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but
-      # not for PA HP-UX.
-      case $host_cpu in
-      hppa*64*|ia64*)
-	;;
-      *)
-	lt_prog_compiler_pic_CXX='-fPIC'
-	;;
-      esac
-      ;;
-    *)
-      lt_prog_compiler_pic_CXX='-fPIC'
-      ;;
-    esac
-  else
-    case $host_os in
-      aix[4-9]*)
-	# All AIX code is PIC.
-	if test "$host_cpu" = ia64; then
-	  # AIX 5 now supports IA64 processor
-	  lt_prog_compiler_static_CXX='-Bstatic'
-	else
-	  lt_prog_compiler_static_CXX='-bnso -bI:/lib/syscalls.exp'
-	fi
-	;;
-      chorus*)
-	case $cc_basename in
-	cxch68*)
-	  # Green Hills C++ Compiler
-	  # _LT_AC_TAGVAR(lt_prog_compiler_static, CXX)="--no_auto_instantiation -u __main -u __premain -u _abort -r $COOL_DIR/lib/libOrb.a $MVME_DIR/lib/CC/libC.a $MVME_DIR/lib/classix/libcx.s.a"
-	  ;;
-	esac
-	;;
-       darwin*)
-         # PIC is the default on this platform
-         # Common symbols not allowed in MH_DYLIB files
-         case $cc_basename in
-           xlc*)
-           lt_prog_compiler_pic_CXX='-qnocommon'
-           lt_prog_compiler_wl_CXX='-Wl,'
-           ;;
-         esac
-       ;;
-      dgux*)
-	case $cc_basename in
-	  ec++*)
-	    lt_prog_compiler_pic_CXX='-KPIC'
-	    ;;
-	  ghcx*)
-	    # Green Hills C++ Compiler
-	    lt_prog_compiler_pic_CXX='-pic'
-	    ;;
-	  *)
-	    ;;
-	esac
-	;;
-      freebsd* | dragonfly*)
-	# FreeBSD uses GNU C++
-	;;
-      hpux9* | hpux10* | hpux11*)
-	case $cc_basename in
-	  CC*)
-	    lt_prog_compiler_wl_CXX='-Wl,'
-	    lt_prog_compiler_static_CXX='${wl}-a ${wl}archive'
-	    if test "$host_cpu" != ia64; then
-	      lt_prog_compiler_pic_CXX='+Z'
-	    fi
-	    ;;
-	  aCC*)
-	    lt_prog_compiler_wl_CXX='-Wl,'
-	    lt_prog_compiler_static_CXX='${wl}-a ${wl}archive'
-	    case $host_cpu in
-	    hppa*64*|ia64*)
-	      # +Z the default
-	      ;;
-	    *)
-	      lt_prog_compiler_pic_CXX='+Z'
-	      ;;
-	    esac
-	    ;;
-	  *)
-	    ;;
-	esac
-	;;
-      interix*)
-	# This is c89, which is MS Visual C++ (no shared libs)
-	# Anyone wants to do a port?
-	;;
-      irix5* | irix6* | nonstopux*)
-	case $cc_basename in
-	  CC*)
-	    lt_prog_compiler_wl_CXX='-Wl,'
-	    lt_prog_compiler_static_CXX='-non_shared'
-	    # CC pic flag -KPIC is the default.
-	    ;;
-	  *)
-	    ;;
-	esac
-	;;
-      linux* | k*bsd*-gnu)
-	case $cc_basename in
-	  KCC*)
-	    # KAI C++ Compiler
-	    lt_prog_compiler_wl_CXX='--backend -Wl,'
-	    lt_prog_compiler_pic_CXX='-fPIC'
-	    ;;
-	  icpc* | ecpc*)
-	    # Intel C++
-	    lt_prog_compiler_wl_CXX='-Wl,'
-	    lt_prog_compiler_pic_CXX='-KPIC'
-	    lt_prog_compiler_static_CXX='-static'
-	    ;;
-	  pgCC* | pgcpp*)
-	    # Portland Group C++ compiler.
-	    lt_prog_compiler_wl_CXX='-Wl,'
-	    lt_prog_compiler_pic_CXX='-fpic'
-	    lt_prog_compiler_static_CXX='-Bstatic'
-	    ;;
-	  cxx*)
-	    # Compaq C++
-	    # Make sure the PIC flag is empty.  It appears that all Alpha
-	    # Linux and Compaq Tru64 Unix objects are PIC.
-	    lt_prog_compiler_pic_CXX=
-	    lt_prog_compiler_static_CXX='-non_shared'
-	    ;;
-	  *)
-	    case `$CC -V 2>&1 | sed 5q` in
-	    *Sun\ C*)
-	      # Sun C++ 5.9
-	      lt_prog_compiler_pic_CXX='-KPIC'
-	      lt_prog_compiler_static_CXX='-Bstatic'
-	      lt_prog_compiler_wl_CXX='-Qoption ld '
-	      ;;
-	    esac
-	    ;;
-	esac
-	;;
-      lynxos*)
-	;;
-      m88k*)
-	;;
-      mvs*)
-	case $cc_basename in
-	  cxx*)
-	    lt_prog_compiler_pic_CXX='-W c,exportall'
-	    ;;
-	  *)
-	    ;;
-	esac
-	;;
-      netbsd* | netbsdelf*-gnu)
-	;;
-      osf3* | osf4* | osf5*)
-	case $cc_basename in
-	  KCC*)
-	    lt_prog_compiler_wl_CXX='--backend -Wl,'
-	    ;;
-	  RCC*)
-	    # Rational C++ 2.4.1
-	    lt_prog_compiler_pic_CXX='-pic'
-	    ;;
-	  cxx*)
-	    # Digital/Compaq C++
-	    lt_prog_compiler_wl_CXX='-Wl,'
-	    # Make sure the PIC flag is empty.  It appears that all Alpha
-	    # Linux and Compaq Tru64 Unix objects are PIC.
-	    lt_prog_compiler_pic_CXX=
-	    lt_prog_compiler_static_CXX='-non_shared'
-	    ;;
-	  *)
-	    ;;
-	esac
-	;;
-      psos*)
-	;;
-      solaris*)
-	case $cc_basename in
-	  CC*)
-	    # Sun C++ 4.2, 5.x and Centerline C++
-	    lt_prog_compiler_pic_CXX='-KPIC'
-	    lt_prog_compiler_static_CXX='-Bstatic'
-	    lt_prog_compiler_wl_CXX='-Qoption ld '
-	    ;;
-	  gcx*)
-	    # Green Hills C++ Compiler
-	    lt_prog_compiler_pic_CXX='-PIC'
-	    ;;
-	  *)
-	    ;;
-	esac
-	;;
-      sunos4*)
-	case $cc_basename in
-	  CC*)
-	    # Sun C++ 4.x
-	    lt_prog_compiler_pic_CXX='-pic'
-	    lt_prog_compiler_static_CXX='-Bstatic'
-	    ;;
-	  lcc*)
-	    # Lucid
-	    lt_prog_compiler_pic_CXX='-pic'
-	    ;;
-	  *)
-	    ;;
-	esac
-	;;
-      tandem*)
-	case $cc_basename in
-	  NCC*)
-	    # NonStop-UX NCC 3.20
-	    lt_prog_compiler_pic_CXX='-KPIC'
-	    ;;
-	  *)
-	    ;;
-	esac
-	;;
-      sysv5* | unixware* | sco3.2v5* | sco5v6* | OpenUNIX*)
-	case $cc_basename in
-	  CC*)
-	    lt_prog_compiler_wl_CXX='-Wl,'
-	    lt_prog_compiler_pic_CXX='-KPIC'
-	    lt_prog_compiler_static_CXX='-Bstatic'
-	    ;;
-	esac
-	;;
-      vxworks*)
-	;;
-      *)
-	lt_prog_compiler_can_build_shared_CXX=no
-	;;
-    esac
-  fi
-
-{ echo "$as_me:$LINENO: result: $lt_prog_compiler_pic_CXX" >&5
-echo "${ECHO_T}$lt_prog_compiler_pic_CXX" >&6; }
-
-#
-# Check to make sure the PIC flag actually works.
-#
-if test -n "$lt_prog_compiler_pic_CXX"; then
-
-{ echo "$as_me:$LINENO: checking if $compiler PIC flag $lt_prog_compiler_pic_CXX works" >&5
-echo $ECHO_N "checking if $compiler PIC flag $lt_prog_compiler_pic_CXX works... $ECHO_C" >&6; }
-if test "${lt_cv_prog_compiler_pic_works_CXX+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  lt_cv_prog_compiler_pic_works_CXX=no
-  ac_outfile=conftest.$ac_objext
-   echo "$lt_simple_compile_test_code" > conftest.$ac_ext
-   lt_compiler_flag="$lt_prog_compiler_pic_CXX -DPIC"
-   # Insert the option either (1) after the last *FLAGS variable, or
-   # (2) before a word containing "conftest.", or (3) at the end.
-   # Note that $ac_compile itself does not contain backslashes and begins
-   # with a dollar sign (not a hyphen), so the echo should work correctly.
-   # The option is referenced via a variable to avoid confusing sed.
-   lt_compile=`echo "$ac_compile" | $SED \
-   -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-   -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-   -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:12994: $lt_compile\"" >&5)
-   (eval "$lt_compile" 2>conftest.err)
-   ac_status=$?
-   cat conftest.err >&5
-   echo "$as_me:12998: \$? = $ac_status" >&5
-   if (exit $ac_status) && test -s "$ac_outfile"; then
-     # The compiler can only warn and ignore the option if not recognized
-     # So say no if there are warnings other than the usual output.
-     $echo "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' >conftest.exp
-     $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2
-     if test ! -s conftest.er2 || diff conftest.exp conftest.er2 >/dev/null; then
-       lt_cv_prog_compiler_pic_works_CXX=yes
-     fi
-   fi
-   $rm conftest*
-
-fi
-{ echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_pic_works_CXX" >&5
-echo "${ECHO_T}$lt_cv_prog_compiler_pic_works_CXX" >&6; }
-
-if test x"$lt_cv_prog_compiler_pic_works_CXX" = xyes; then
-    case $lt_prog_compiler_pic_CXX in
-     "" | " "*) ;;
-     *) lt_prog_compiler_pic_CXX=" $lt_prog_compiler_pic_CXX" ;;
-     esac
-else
-    lt_prog_compiler_pic_CXX=
-     lt_prog_compiler_can_build_shared_CXX=no
-fi
-
-fi
-case $host_os in
-  # For platforms which do not support PIC, -DPIC is meaningless:
-  *djgpp*)
-    lt_prog_compiler_pic_CXX=
-    ;;
-  *)
-    lt_prog_compiler_pic_CXX="$lt_prog_compiler_pic_CXX -DPIC"
-    ;;
-esac
-
-#
-# Check to make sure the static flag actually works.
-#
-wl=$lt_prog_compiler_wl_CXX eval lt_tmp_static_flag=\"$lt_prog_compiler_static_CXX\"
-{ echo "$as_me:$LINENO: checking if $compiler static flag $lt_tmp_static_flag works" >&5
-echo $ECHO_N "checking if $compiler static flag $lt_tmp_static_flag works... $ECHO_C" >&6; }
-if test "${lt_cv_prog_compiler_static_works_CXX+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  lt_cv_prog_compiler_static_works_CXX=no
-   save_LDFLAGS="$LDFLAGS"
-   LDFLAGS="$LDFLAGS $lt_tmp_static_flag"
-   echo "$lt_simple_link_test_code" > conftest.$ac_ext
-   if (eval $ac_link 2>conftest.err) && test -s conftest$ac_exeext; then
-     # The linker can only warn and ignore the option if not recognized
-     # So say no if there are warnings
-     if test -s conftest.err; then
-       # Append any errors to the config.log.
-       cat conftest.err 1>&5
-       $echo "X$_lt_linker_boilerplate" | $Xsed -e '/^$/d' > conftest.exp
-       $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2
-       if diff conftest.exp conftest.er2 >/dev/null; then
-         lt_cv_prog_compiler_static_works_CXX=yes
-       fi
-     else
-       lt_cv_prog_compiler_static_works_CXX=yes
-     fi
-   fi
-   $rm -r conftest*
-   LDFLAGS="$save_LDFLAGS"
-
-fi
-{ echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_static_works_CXX" >&5
-echo "${ECHO_T}$lt_cv_prog_compiler_static_works_CXX" >&6; }
-
-if test x"$lt_cv_prog_compiler_static_works_CXX" = xyes; then
-    :
-else
-    lt_prog_compiler_static_CXX=
-fi
-
-
-{ echo "$as_me:$LINENO: checking if $compiler supports -c -o file.$ac_objext" >&5
-echo $ECHO_N "checking if $compiler supports -c -o file.$ac_objext... $ECHO_C" >&6; }
-if test "${lt_cv_prog_compiler_c_o_CXX+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  lt_cv_prog_compiler_c_o_CXX=no
-   $rm -r conftest 2>/dev/null
-   mkdir conftest
-   cd conftest
-   mkdir out
-   echo "$lt_simple_compile_test_code" > conftest.$ac_ext
-
-   lt_compiler_flag="-o out/conftest2.$ac_objext"
-   # Insert the option either (1) after the last *FLAGS variable, or
-   # (2) before a word containing "conftest.", or (3) at the end.
-   # Note that $ac_compile itself does not contain backslashes and begins
-   # with a dollar sign (not a hyphen), so the echo should work correctly.
-   lt_compile=`echo "$ac_compile" | $SED \
-   -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-   -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-   -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:13098: $lt_compile\"" >&5)
-   (eval "$lt_compile" 2>out/conftest.err)
-   ac_status=$?
-   cat out/conftest.err >&5
-   echo "$as_me:13102: \$? = $ac_status" >&5
-   if (exit $ac_status) && test -s out/conftest2.$ac_objext
-   then
-     # The compiler can only warn and ignore the option if not recognized
-     # So say no if there are warnings
-     $echo "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' > out/conftest.exp
-     $SED '/^$/d; /^ *+/d' out/conftest.err >out/conftest.er2
-     if test ! -s out/conftest.er2 || diff out/conftest.exp out/conftest.er2 >/dev/null; then
-       lt_cv_prog_compiler_c_o_CXX=yes
-     fi
-   fi
-   chmod u+w . 2>&5
-   $rm conftest*
-   # SGI C++ compiler will create directory out/ii_files/ for
-   # template instantiation
-   test -d out/ii_files && $rm out/ii_files/* && rmdir out/ii_files
-   $rm out/* && rmdir out
-   cd ..
-   rmdir conftest
-   $rm conftest*
-
-fi
-{ echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_c_o_CXX" >&5
-echo "${ECHO_T}$lt_cv_prog_compiler_c_o_CXX" >&6; }
-
-
-hard_links="nottested"
-if test "$lt_cv_prog_compiler_c_o_CXX" = no && test "$need_locks" != no; then
-  # do not overwrite the value of need_locks provided by the user
-  { echo "$as_me:$LINENO: checking if we can lock with hard links" >&5
-echo $ECHO_N "checking if we can lock with hard links... $ECHO_C" >&6; }
-  hard_links=yes
-  $rm conftest*
-  ln conftest.a conftest.b 2>/dev/null && hard_links=no
-  touch conftest.a
-  ln conftest.a conftest.b 2>&5 || hard_links=no
-  ln conftest.a conftest.b 2>/dev/null && hard_links=no
-  { echo "$as_me:$LINENO: result: $hard_links" >&5
-echo "${ECHO_T}$hard_links" >&6; }
-  if test "$hard_links" = no; then
-    { echo "$as_me:$LINENO: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&5
-echo "$as_me: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&2;}
-    need_locks=warn
-  fi
-else
-  need_locks=no
-fi
-
-{ echo "$as_me:$LINENO: checking whether the $compiler linker ($LD) supports shared libraries" >&5
-echo $ECHO_N "checking whether the $compiler linker ($LD) supports shared libraries... $ECHO_C" >&6; }
-
-  export_symbols_cmds_CXX='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols'
-  case $host_os in
-  aix[4-9]*)
-    # If we're using GNU nm, then we don't want the "-C" option.
-    # -C means demangle to AIX nm, but means don't demangle with GNU nm
-    if $NM -V 2>&1 | grep 'GNU' > /dev/null; then
-      export_symbols_cmds_CXX='$NM -Bpg $libobjs $convenience | awk '\''{ if (((\$2 == "T") || (\$2 == "D") || (\$2 == "B")) && (substr(\$3,1,1) != ".")) { print \$3 } }'\'' | sort -u > $export_symbols'
-    else
-      export_symbols_cmds_CXX='$NM -BCpg $libobjs $convenience | awk '\''{ if (((\$2 == "T") || (\$2 == "D") || (\$2 == "B")) && (substr(\$3,1,1) != ".")) { print \$3 } }'\'' | sort -u > $export_symbols'
-    fi
-    ;;
-  pw32*)
-    export_symbols_cmds_CXX="$ltdll_cmds"
-  ;;
-  cygwin* | mingw*)
-    export_symbols_cmds_CXX='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[BCDGRS][ ]/s/.*[ ]\([^ ]*\)/\1 DATA/;/^.*[ ]__nm__/s/^.*[ ]__nm__\([^ ]*\)[ ][^ ]*/\1 DATA/;/^I[ ]/d;/^[AITW][ ]/s/.*[ ]//'\'' | sort | uniq > $export_symbols'
-  ;;
-  linux* | k*bsd*-gnu)
-    link_all_deplibs_CXX=no
-  ;;
-  *)
-    export_symbols_cmds_CXX='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols'
-  ;;
-  esac
-  exclude_expsyms_CXX='_GLOBAL_OFFSET_TABLE_|_GLOBAL__F[ID]_.*'
-
-{ echo "$as_me:$LINENO: result: $ld_shlibs_CXX" >&5
-echo "${ECHO_T}$ld_shlibs_CXX" >&6; }
-test "$ld_shlibs_CXX" = no && can_build_shared=no
-
-#
-# Do we need to explicitly link libc?
-#
-case "x$archive_cmds_need_lc_CXX" in
-x|xyes)
-  # Assume -lc should be added
-  archive_cmds_need_lc_CXX=yes
-
-  if test "$enable_shared" = yes && test "$GCC" = yes; then
-    case $archive_cmds_CXX in
-    *'~'*)
-      # FIXME: we may have to deal with multi-command sequences.
-      ;;
-    '$CC '*)
-      # Test whether the compiler implicitly links with -lc since on some
-      # systems, -lgcc has to come before -lc. If gcc already passes -lc
-      # to ld, don't add -lc before -lgcc.
-      { echo "$as_me:$LINENO: checking whether -lc should be explicitly linked in" >&5
-echo $ECHO_N "checking whether -lc should be explicitly linked in... $ECHO_C" >&6; }
-      $rm conftest*
-      echo "$lt_simple_compile_test_code" > conftest.$ac_ext
-
-      if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } 2>conftest.err; then
-        soname=conftest
-        lib=conftest
-        libobjs=conftest.$ac_objext
-        deplibs=
-        wl=$lt_prog_compiler_wl_CXX
-	pic_flag=$lt_prog_compiler_pic_CXX
-        compiler_flags=-v
-        linker_flags=-v
-        verstring=
-        output_objdir=.
-        libname=conftest
-        lt_save_allow_undefined_flag=$allow_undefined_flag_CXX
-        allow_undefined_flag_CXX=
-        if { (eval echo "$as_me:$LINENO: \"$archive_cmds_CXX 2\>\&1 \| grep \" -lc \" \>/dev/null 2\>\&1\"") >&5
-  (eval $archive_cmds_CXX 2\>\&1 \| grep \" -lc \" \>/dev/null 2\>\&1) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }
-        then
-	  archive_cmds_need_lc_CXX=no
-        else
-	  archive_cmds_need_lc_CXX=yes
-        fi
-        allow_undefined_flag_CXX=$lt_save_allow_undefined_flag
-      else
-        cat conftest.err 1>&5
-      fi
-      $rm conftest*
-      { echo "$as_me:$LINENO: result: $archive_cmds_need_lc_CXX" >&5
-echo "${ECHO_T}$archive_cmds_need_lc_CXX" >&6; }
-      ;;
-    esac
-  fi
-  ;;
-esac
-
-{ echo "$as_me:$LINENO: checking dynamic linker characteristics" >&5
-echo $ECHO_N "checking dynamic linker characteristics... $ECHO_C" >&6; }
-library_names_spec=
-libname_spec='lib$name'
-soname_spec=
-shrext_cmds=".so"
-postinstall_cmds=
-postuninstall_cmds=
-finish_cmds=
-finish_eval=
-shlibpath_var=
-shlibpath_overrides_runpath=unknown
-version_type=none
-dynamic_linker="$host_os ld.so"
-sys_lib_dlsearch_path_spec="/lib /usr/lib"
-
-need_lib_prefix=unknown
-hardcode_into_libs=no
-
-# when you set need_version to no, make sure it does not cause -set_version
-# flags to be left without arguments
-need_version=unknown
-
-case $host_os in
-aix3*)
-  version_type=linux
-  library_names_spec='${libname}${release}${shared_ext}$versuffix $libname.a'
-  shlibpath_var=LIBPATH
-
-  # AIX 3 has no versioning support, so we append a major version to the name.
-  soname_spec='${libname}${release}${shared_ext}$major'
-  ;;
-
-aix[4-9]*)
-  version_type=linux
-  need_lib_prefix=no
-  need_version=no
-  hardcode_into_libs=yes
-  if test "$host_cpu" = ia64; then
-    # AIX 5 supports IA64
-    library_names_spec='${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext}$versuffix $libname${shared_ext}'
-    shlibpath_var=LD_LIBRARY_PATH
-  else
-    # With GCC up to 2.95.x, collect2 would create an import file
-    # for dependence libraries.  The import file would start with
-    # the line `#! .'.  This would cause the generated library to
-    # depend on `.', always an invalid library.  This was fixed in
-    # development snapshots of GCC prior to 3.0.
-    case $host_os in
-      aix4 | aix4.[01] | aix4.[01].*)
-      if { echo '#if __GNUC__ > 2 || (__GNUC__ == 2 && __GNUC_MINOR__ >= 97)'
-	   echo ' yes '
-	   echo '#endif'; } | ${CC} -E - | grep yes > /dev/null; then
-	:
-      else
-	can_build_shared=no
-      fi
-      ;;
-    esac
-    # AIX (on Power*) has no versioning support, so currently we can not hardcode correct
-    # soname into executable. Probably we can add versioning support to
-    # collect2, so additional links can be useful in future.
-    if test "$aix_use_runtimelinking" = yes; then
-      # If using run time linking (on AIX 4.2 or later) use lib<name>.so
-      # instead of lib<name>.a to let people know that these are not
-      # typical AIX shared libraries.
-      library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-    else
-      # We preserve .a as extension for shared libraries through AIX4.2
-      # and later when we are not doing run time linking.
-      library_names_spec='${libname}${release}.a $libname.a'
-      soname_spec='${libname}${release}${shared_ext}$major'
-    fi
-    shlibpath_var=LIBPATH
-  fi
-  ;;
-
-amigaos*)
-  library_names_spec='$libname.ixlibrary $libname.a'
-  # Create ${libname}_ixlibrary.a entries in /sys/libs.
-  finish_eval='for lib in `ls $libdir/*.ixlibrary 2>/dev/null`; do libname=`$echo "X$lib" | $Xsed -e '\''s%^.*/\([^/]*\)\.ixlibrary$%\1%'\''`; test $rm /sys/libs/${libname}_ixlibrary.a; $show "cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a"; cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a || exit 1; done'
-  ;;
-
-beos*)
-  library_names_spec='${libname}${shared_ext}'
-  dynamic_linker="$host_os ld.so"
-  shlibpath_var=LIBRARY_PATH
-  ;;
-
-bsdi[45]*)
-  version_type=linux
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  finish_cmds='PATH="\$PATH:/sbin" ldconfig $libdir'
-  shlibpath_var=LD_LIBRARY_PATH
-  sys_lib_search_path_spec="/shlib /usr/lib /usr/X11/lib /usr/contrib/lib /lib /usr/local/lib"
-  sys_lib_dlsearch_path_spec="/shlib /usr/lib /usr/local/lib"
-  # the default ld.so.conf also contains /usr/contrib/lib and
-  # /usr/X11R6/lib (/usr/X11 is a link to /usr/X11R6), but let us allow
-  # libtool to hard-code these into programs
-  ;;
-
-cygwin* | mingw* | pw32*)
-  version_type=windows
-  shrext_cmds=".dll"
-  need_version=no
-  need_lib_prefix=no
-
-  case $GCC,$host_os in
-  yes,cygwin* | yes,mingw* | yes,pw32*)
-    library_names_spec='$libname.dll.a'
-    # DLL is installed to $(libdir)/../bin by postinstall_cmds
-    postinstall_cmds='base_file=`basename \${file}`~
-      dlpath=`$SHELL 2>&1 -c '\''. $dir/'\''\${base_file}'\''i;echo \$dlname'\''`~
-      dldir=$destdir/`dirname \$dlpath`~
-      test -d \$dldir || mkdir -p \$dldir~
-      $install_prog $dir/$dlname \$dldir/$dlname~
-      chmod a+x \$dldir/$dlname'
-    postuninstall_cmds='dldll=`$SHELL 2>&1 -c '\''. $file; echo \$dlname'\''`~
-      dlpath=$dir/\$dldll~
-       $rm \$dlpath'
-    shlibpath_overrides_runpath=yes
-
-    case $host_os in
-    cygwin*)
-      # Cygwin DLLs use 'cyg' prefix rather than 'lib'
-      soname_spec='`echo ${libname} | sed -e 's/^lib/cyg/'``echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}'
-      sys_lib_search_path_spec="/usr/lib /lib/w32api /lib /usr/local/lib"
-      ;;
-    mingw*)
-      # MinGW DLLs use traditional 'lib' prefix
-      soname_spec='${libname}`echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}'
-      sys_lib_search_path_spec=`$CC -print-search-dirs | grep "^libraries:" | $SED -e "s/^libraries://" -e "s,=/,/,g"`
-      if echo "$sys_lib_search_path_spec" | grep ';[c-zC-Z]:/' >/dev/null; then
-        # It is most probably a Windows format PATH printed by
-        # mingw gcc, but we are running on Cygwin. Gcc prints its search
-        # path with ; separators, and with drive letters. We can handle the
-        # drive letters (cygwin fileutils understands them), so leave them,
-        # especially as we might pass files found there to a mingw objdump,
-        # which wouldn't understand a cygwinified path. Ahh.
-        sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'`
-      else
-        sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED  -e "s/$PATH_SEPARATOR/ /g"`
-      fi
-      ;;
-    pw32*)
-      # pw32 DLLs use 'pw' prefix rather than 'lib'
-      library_names_spec='`echo ${libname} | sed -e 's/^lib/pw/'``echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}'
-      ;;
-    esac
-    ;;
-
-  *)
-    library_names_spec='${libname}`echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext} $libname.lib'
-    ;;
-  esac
-  dynamic_linker='Win32 ld.exe'
-  # FIXME: first we should search . and the directory the executable is in
-  shlibpath_var=PATH
-  ;;
-
-darwin* | rhapsody*)
-  dynamic_linker="$host_os dyld"
-  version_type=darwin
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${versuffix}$shared_ext ${libname}${release}${major}$shared_ext ${libname}$shared_ext'
-  soname_spec='${libname}${release}${major}$shared_ext'
-  shlibpath_overrides_runpath=yes
-  shlibpath_var=DYLD_LIBRARY_PATH
-  shrext_cmds='`test .$module = .yes && echo .so || echo .dylib`'
-
-  sys_lib_dlsearch_path_spec='/usr/local/lib /lib /usr/lib'
-  ;;
-
-dgux*)
-  version_type=linux
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname$shared_ext'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  ;;
-
-freebsd1*)
-  dynamic_linker=no
-  ;;
-
-freebsd* | dragonfly*)
-  # DragonFly does not have aout.  When/if they implement a new
-  # versioning mechanism, adjust this.
-  if test -x /usr/bin/objformat; then
-    objformat=`/usr/bin/objformat`
-  else
-    case $host_os in
-    freebsd[123]*) objformat=aout ;;
-    *) objformat=elf ;;
-    esac
-  fi
-  version_type=freebsd-$objformat
-  case $version_type in
-    freebsd-elf*)
-      library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext} $libname${shared_ext}'
-      need_version=no
-      need_lib_prefix=no
-      ;;
-    freebsd-*)
-      library_names_spec='${libname}${release}${shared_ext}$versuffix $libname${shared_ext}$versuffix'
-      need_version=yes
-      ;;
-  esac
-  shlibpath_var=LD_LIBRARY_PATH
-  case $host_os in
-  freebsd2*)
-    shlibpath_overrides_runpath=yes
-    ;;
-  freebsd3.[01]* | freebsdelf3.[01]*)
-    shlibpath_overrides_runpath=yes
-    hardcode_into_libs=yes
-    ;;
-  freebsd3.[2-9]* | freebsdelf3.[2-9]* | \
-  freebsd4.[0-5] | freebsdelf4.[0-5] | freebsd4.1.1 | freebsdelf4.1.1)
-    shlibpath_overrides_runpath=no
-    hardcode_into_libs=yes
-    ;;
-  *) # from 4.6 on, and DragonFly
-    shlibpath_overrides_runpath=yes
-    hardcode_into_libs=yes
-    ;;
-  esac
-  ;;
-
-gnu*)
-  version_type=linux
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}${major} ${libname}${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  hardcode_into_libs=yes
-  ;;
-
-hpux9* | hpux10* | hpux11*)
-  # Give a soname corresponding to the major version so that dld.sl refuses to
-  # link against other versions.
-  version_type=sunos
-  need_lib_prefix=no
-  need_version=no
-  case $host_cpu in
-  ia64*)
-    shrext_cmds='.so'
-    hardcode_into_libs=yes
-    dynamic_linker="$host_os dld.so"
-    shlibpath_var=LD_LIBRARY_PATH
-    shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
-    library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-    soname_spec='${libname}${release}${shared_ext}$major'
-    if test "X$HPUX_IA64_MODE" = X32; then
-      sys_lib_search_path_spec="/usr/lib/hpux32 /usr/local/lib/hpux32 /usr/local/lib"
-    else
-      sys_lib_search_path_spec="/usr/lib/hpux64 /usr/local/lib/hpux64"
-    fi
-    sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
-    ;;
-   hppa*64*)
-     shrext_cmds='.sl'
-     hardcode_into_libs=yes
-     dynamic_linker="$host_os dld.sl"
-     shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH
-     shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
-     library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-     soname_spec='${libname}${release}${shared_ext}$major'
-     sys_lib_search_path_spec="/usr/lib/pa20_64 /usr/ccs/lib/pa20_64"
-     sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
-     ;;
-   *)
-    shrext_cmds='.sl'
-    dynamic_linker="$host_os dld.sl"
-    shlibpath_var=SHLIB_PATH
-    shlibpath_overrides_runpath=no # +s is required to enable SHLIB_PATH
-    library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-    soname_spec='${libname}${release}${shared_ext}$major'
-    ;;
-  esac
-  # HP-UX runs *really* slowly unless shared libraries are mode 555.
-  postinstall_cmds='chmod 555 $lib'
-  ;;
-
-interix[3-9]*)
-  version_type=linux
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  dynamic_linker='Interix 3.x ld.so.1 (PE, like ELF)'
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=no
-  hardcode_into_libs=yes
-  ;;
-
-irix5* | irix6* | nonstopux*)
-  case $host_os in
-    nonstopux*) version_type=nonstopux ;;
-    *)
-	if test "$lt_cv_prog_gnu_ld" = yes; then
-		version_type=linux
-	else
-		version_type=irix
-	fi ;;
-  esac
-  need_lib_prefix=no
-  need_version=no
-  soname_spec='${libname}${release}${shared_ext}$major'
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext} $libname${shared_ext}'
-  case $host_os in
-  irix5* | nonstopux*)
-    libsuff= shlibsuff=
-    ;;
-  *)
-    case $LD in # libtool.m4 will add one of these switches to LD
-    *-32|*"-32 "|*-melf32bsmip|*"-melf32bsmip ")
-      libsuff= shlibsuff= libmagic=32-bit;;
-    *-n32|*"-n32 "|*-melf32bmipn32|*"-melf32bmipn32 ")
-      libsuff=32 shlibsuff=N32 libmagic=N32;;
-    *-64|*"-64 "|*-melf64bmip|*"-melf64bmip ")
-      libsuff=64 shlibsuff=64 libmagic=64-bit;;
-    *) libsuff= shlibsuff= libmagic=never-match;;
-    esac
-    ;;
-  esac
-  shlibpath_var=LD_LIBRARY${shlibsuff}_PATH
-  shlibpath_overrides_runpath=no
-  sys_lib_search_path_spec="/usr/lib${libsuff} /lib${libsuff} /usr/local/lib${libsuff}"
-  sys_lib_dlsearch_path_spec="/usr/lib${libsuff} /lib${libsuff}"
-  hardcode_into_libs=yes
-  ;;
-
-# No shared lib support for Linux oldld, aout, or coff.
-linux*oldld* | linux*aout* | linux*coff*)
-  dynamic_linker=no
-  ;;
-
-# This must be Linux ELF.
-linux* | k*bsd*-gnu)
-  version_type=linux
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  finish_cmds='PATH="\$PATH:/sbin" ldconfig -n $libdir'
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=no
-  # This implies no fast_install, which is unacceptable.
-  # Some rework will be needed to allow for fast_install
-  # before this can be enabled.
-  hardcode_into_libs=yes
-
-  # Append ld.so.conf contents to the search path
-  if test -f /etc/ld.so.conf; then
-    lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ 	]*hwcap[ 	]/d;s/[:,	]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;/^$/d' | tr '\n' ' '`
-    sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
-  fi
-
-  # We used to test for /lib/ld.so.1 and disable shared libraries on
-  # powerpc, because MkLinux only supported shared libraries with the
-  # GNU dynamic linker.  Since this was broken with cross compilers,
-  # most powerpc-linux boxes support dynamic linking these days and
-  # people can always --disable-shared, the test was removed, and we
-  # assume the GNU/Linux dynamic linker is in use.
-  dynamic_linker='GNU/Linux ld.so'
-  ;;
-
-netbsdelf*-gnu)
-  version_type=linux
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=no
-  hardcode_into_libs=yes
-  dynamic_linker='NetBSD ld.elf_so'
-  ;;
-
-netbsd*)
-  version_type=sunos
-  need_lib_prefix=no
-  need_version=no
-  if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
-    library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
-    finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
-    dynamic_linker='NetBSD (a.out) ld.so'
-  else
-    library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
-    soname_spec='${libname}${release}${shared_ext}$major'
-    dynamic_linker='NetBSD ld.elf_so'
-  fi
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=yes
-  hardcode_into_libs=yes
-  ;;
-
-newsos6)
-  version_type=linux
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=yes
-  ;;
-
-nto-qnx*)
-  version_type=linux
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=yes
-  ;;
-
-openbsd*)
-  version_type=sunos
-  sys_lib_dlsearch_path_spec="/usr/lib"
-  need_lib_prefix=no
-  # Some older versions of OpenBSD (3.3 at least) *do* need versioned libs.
-  case $host_os in
-    openbsd3.3 | openbsd3.3.*) need_version=yes ;;
-    *)                         need_version=no  ;;
-  esac
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
-  finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
-  shlibpath_var=LD_LIBRARY_PATH
-  if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
-    case $host_os in
-      openbsd2.[89] | openbsd2.[89].*)
-	shlibpath_overrides_runpath=no
-	;;
-      *)
-	shlibpath_overrides_runpath=yes
-	;;
-      esac
-  else
-    shlibpath_overrides_runpath=yes
-  fi
-  ;;
-
-os2*)
-  libname_spec='$name'
-  shrext_cmds=".dll"
-  need_lib_prefix=no
-  library_names_spec='$libname${shared_ext} $libname.a'
-  dynamic_linker='OS/2 ld.exe'
-  shlibpath_var=LIBPATH
-  ;;
-
-osf3* | osf4* | osf5*)
-  version_type=osf
-  need_lib_prefix=no
-  need_version=no
-  soname_spec='${libname}${release}${shared_ext}$major'
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-  shlibpath_var=LD_LIBRARY_PATH
-  sys_lib_search_path_spec="/usr/shlib /usr/ccs/lib /usr/lib/cmplrs/cc /usr/lib /usr/local/lib /var/shlib"
-  sys_lib_dlsearch_path_spec="$sys_lib_search_path_spec"
-  ;;
-
-rdos*)
-  dynamic_linker=no
-  ;;
-
-solaris*)
-  version_type=linux
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=yes
-  hardcode_into_libs=yes
-  # ldd complains unless libraries are executable
-  postinstall_cmds='chmod +x $lib'
-  ;;
-
-sunos4*)
-  version_type=sunos
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
-  finish_cmds='PATH="\$PATH:/usr/etc" ldconfig $libdir'
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=yes
-  if test "$with_gnu_ld" = yes; then
-    need_lib_prefix=no
-  fi
-  need_version=yes
-  ;;
-
-sysv4 | sysv4.3*)
-  version_type=linux
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  case $host_vendor in
-    sni)
-      shlibpath_overrides_runpath=no
-      need_lib_prefix=no
-      export_dynamic_flag_spec='${wl}-Blargedynsym'
-      runpath_var=LD_RUN_PATH
-      ;;
-    siemens)
-      need_lib_prefix=no
-      ;;
-    motorola)
-      need_lib_prefix=no
-      need_version=no
-      shlibpath_overrides_runpath=no
-      sys_lib_search_path_spec='/lib /usr/lib /usr/ccs/lib'
-      ;;
-  esac
-  ;;
-
-sysv4*MP*)
-  if test -d /usr/nec ;then
-    version_type=linux
-    library_names_spec='$libname${shared_ext}.$versuffix $libname${shared_ext}.$major $libname${shared_ext}'
-    soname_spec='$libname${shared_ext}.$major'
-    shlibpath_var=LD_LIBRARY_PATH
-  fi
-  ;;
-
-sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX* | sysv4*uw2*)
-  version_type=freebsd-elf
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext} $libname${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  hardcode_into_libs=yes
-  if test "$with_gnu_ld" = yes; then
-    sys_lib_search_path_spec='/usr/local/lib /usr/gnu/lib /usr/ccs/lib /usr/lib /lib'
-    shlibpath_overrides_runpath=no
-  else
-    sys_lib_search_path_spec='/usr/ccs/lib /usr/lib'
-    shlibpath_overrides_runpath=yes
-    case $host_os in
-      sco3.2v5*)
-        sys_lib_search_path_spec="$sys_lib_search_path_spec /lib"
-	;;
-    esac
-  fi
-  sys_lib_dlsearch_path_spec='/usr/lib'
-  ;;
-
-uts4*)
-  version_type=linux
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  ;;
-
-*)
-  dynamic_linker=no
-  ;;
-esac
-{ echo "$as_me:$LINENO: result: $dynamic_linker" >&5
-echo "${ECHO_T}$dynamic_linker" >&6; }
-test "$dynamic_linker" = no && can_build_shared=no
-
-if test "${lt_cv_sys_lib_search_path_spec+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  lt_cv_sys_lib_search_path_spec="$sys_lib_search_path_spec"
-fi
-
-sys_lib_search_path_spec="$lt_cv_sys_lib_search_path_spec"
-if test "${lt_cv_sys_lib_dlsearch_path_spec+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  lt_cv_sys_lib_dlsearch_path_spec="$sys_lib_dlsearch_path_spec"
-fi
-
-sys_lib_dlsearch_path_spec="$lt_cv_sys_lib_dlsearch_path_spec"
-
-variables_saved_for_relink="PATH $shlibpath_var $runpath_var"
-if test "$GCC" = yes; then
-  variables_saved_for_relink="$variables_saved_for_relink GCC_EXEC_PREFIX COMPILER_PATH LIBRARY_PATH"
-fi
-
-{ echo "$as_me:$LINENO: checking how to hardcode library paths into programs" >&5
-echo $ECHO_N "checking how to hardcode library paths into programs... $ECHO_C" >&6; }
-hardcode_action_CXX=
-if test -n "$hardcode_libdir_flag_spec_CXX" || \
-   test -n "$runpath_var_CXX" || \
-   test "X$hardcode_automatic_CXX" = "Xyes" ; then
-
-  # We can hardcode non-existant directories.
-  if test "$hardcode_direct_CXX" != no &&
-     # If the only mechanism to avoid hardcoding is shlibpath_var, we
-     # have to relink, otherwise we might link with an installed library
-     # when we should be linking with a yet-to-be-installed one
-     ## test "$_LT_AC_TAGVAR(hardcode_shlibpath_var, CXX)" != no &&
-     test "$hardcode_minus_L_CXX" != no; then
-    # Linking always hardcodes the temporary library directory.
-    hardcode_action_CXX=relink
-  else
-    # We can link without hardcoding, and we can hardcode nonexisting dirs.
-    hardcode_action_CXX=immediate
-  fi
-else
-  # We cannot hardcode anything, or else we can only hardcode existing
-  # directories.
-  hardcode_action_CXX=unsupported
-fi
-{ echo "$as_me:$LINENO: result: $hardcode_action_CXX" >&5
-echo "${ECHO_T}$hardcode_action_CXX" >&6; }
-
-if test "$hardcode_action_CXX" = relink; then
-  # Fast installation is not supported
-  enable_fast_install=no
-elif test "$shlibpath_overrides_runpath" = yes ||
-     test "$enable_shared" = no; then
-  # Fast installation is not necessary
-  enable_fast_install=needless
-fi
-
-
-# The else clause should only fire when bootstrapping the
-# libtool distribution, otherwise you forgot to ship ltmain.sh
-# with your package, and you will get complaints that there are
-# no rules to generate ltmain.sh.
-if test -f "$ltmain"; then
-  # See if we are running on zsh, and set the options which allow our commands through
-  # without removal of \ escapes.
-  if test -n "${ZSH_VERSION+set}" ; then
-    setopt NO_GLOB_SUBST
-  fi
-  # Now quote all the things that may contain metacharacters while being
-  # careful not to overquote the AC_SUBSTed values.  We take copies of the
-  # variables and quote the copies for generation of the libtool script.
-  for var in echo old_CC old_CFLAGS AR AR_FLAGS EGREP RANLIB LN_S LTCC LTCFLAGS NM \
-    SED SHELL STRIP \
-    libname_spec library_names_spec soname_spec extract_expsyms_cmds \
-    old_striplib striplib file_magic_cmd finish_cmds finish_eval \
-    deplibs_check_method reload_flag reload_cmds need_locks \
-    lt_cv_sys_global_symbol_pipe lt_cv_sys_global_symbol_to_cdecl \
-    lt_cv_sys_global_symbol_to_c_name_address \
-    sys_lib_search_path_spec sys_lib_dlsearch_path_spec \
-    old_postinstall_cmds old_postuninstall_cmds \
-    compiler_CXX \
-    CC_CXX \
-    LD_CXX \
-    lt_prog_compiler_wl_CXX \
-    lt_prog_compiler_pic_CXX \
-    lt_prog_compiler_static_CXX \
-    lt_prog_compiler_no_builtin_flag_CXX \
-    export_dynamic_flag_spec_CXX \
-    thread_safe_flag_spec_CXX \
-    whole_archive_flag_spec_CXX \
-    enable_shared_with_static_runtimes_CXX \
-    old_archive_cmds_CXX \
-    old_archive_from_new_cmds_CXX \
-    predep_objects_CXX \
-    postdep_objects_CXX \
-    predeps_CXX \
-    postdeps_CXX \
-    compiler_lib_search_path_CXX \
-    compiler_lib_search_dirs_CXX \
-    archive_cmds_CXX \
-    archive_expsym_cmds_CXX \
-    postinstall_cmds_CXX \
-    postuninstall_cmds_CXX \
-    old_archive_from_expsyms_cmds_CXX \
-    allow_undefined_flag_CXX \
-    no_undefined_flag_CXX \
-    export_symbols_cmds_CXX \
-    hardcode_libdir_flag_spec_CXX \
-    hardcode_libdir_flag_spec_ld_CXX \
-    hardcode_libdir_separator_CXX \
-    hardcode_automatic_CXX \
-    module_cmds_CXX \
-    module_expsym_cmds_CXX \
-    lt_cv_prog_compiler_c_o_CXX \
-    fix_srcfile_path_CXX \
-    exclude_expsyms_CXX \
-    include_expsyms_CXX; do
-
-    case $var in
-    old_archive_cmds_CXX | \
-    old_archive_from_new_cmds_CXX | \
-    archive_cmds_CXX | \
-    archive_expsym_cmds_CXX | \
-    module_cmds_CXX | \
-    module_expsym_cmds_CXX | \
-    old_archive_from_expsyms_cmds_CXX | \
-    export_symbols_cmds_CXX | \
-    extract_expsyms_cmds | reload_cmds | finish_cmds | \
-    postinstall_cmds | postuninstall_cmds | \
-    old_postinstall_cmds | old_postuninstall_cmds | \
-    sys_lib_search_path_spec | sys_lib_dlsearch_path_spec)
-      # Double-quote double-evaled strings.
-      eval "lt_$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$double_quote_subst\" -e \"\$sed_quote_subst\" -e \"\$delay_variable_subst\"\`\\\""
-      ;;
-    *)
-      eval "lt_$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$sed_quote_subst\"\`\\\""
-      ;;
-    esac
-  done
-
-  case $lt_echo in
-  *'\$0 --fallback-echo"')
-    lt_echo=`$echo "X$lt_echo" | $Xsed -e 's/\\\\\\\$0 --fallback-echo"$/$0 --fallback-echo"/'`
-    ;;
-  esac
-
-cfgfile="$ofile"
-
-  cat <<__EOF__ >> "$cfgfile"
-# ### BEGIN LIBTOOL TAG CONFIG: $tagname
-
-# Libtool was configured on host `(hostname || uname -n) 2>/dev/null | sed 1q`:
-
-# Shell to use when invoking shell scripts.
-SHELL=$lt_SHELL
-
-# Whether or not to build shared libraries.
-build_libtool_libs=$enable_shared
-
-# Whether or not to build static libraries.
-build_old_libs=$enable_static
-
-# Whether or not to add -lc for building shared libraries.
-build_libtool_need_lc=$archive_cmds_need_lc_CXX
-
-# Whether or not to disallow shared libs when runtime libs are static
-allow_libtool_libs_with_static_runtimes=$enable_shared_with_static_runtimes_CXX
-
-# Whether or not to optimize for fast installation.
-fast_install=$enable_fast_install
-
-# The host system.
-host_alias=$host_alias
-host=$host
-host_os=$host_os
-
-# The build system.
-build_alias=$build_alias
-build=$build
-build_os=$build_os
-
-# An echo program that does not interpret backslashes.
-echo=$lt_echo
-
-# The archiver.
-AR=$lt_AR
-AR_FLAGS=$lt_AR_FLAGS
-
-# A C compiler.
-LTCC=$lt_LTCC
-
-# LTCC compiler flags.
-LTCFLAGS=$lt_LTCFLAGS
-
-# A language-specific compiler.
-CC=$lt_compiler_CXX
-
-# Is the compiler the GNU C compiler?
-with_gcc=$GCC_CXX
-
-# An ERE matcher.
-EGREP=$lt_EGREP
-
-# The linker used to build libraries.
-LD=$lt_LD_CXX
-
-# Whether we need hard or soft links.
-LN_S=$lt_LN_S
-
-# A BSD-compatible nm program.
-NM=$lt_NM
-
-# A symbol stripping program
-STRIP=$lt_STRIP
-
-# Used to examine libraries when file_magic_cmd begins "file"
-MAGIC_CMD=$MAGIC_CMD
-
-# Used on cygwin: DLL creation program.
-DLLTOOL="$DLLTOOL"
-
-# Used on cygwin: object dumper.
-OBJDUMP="$OBJDUMP"
-
-# Used on cygwin: assembler.
-AS="$AS"
-
-# The name of the directory that contains temporary libtool files.
-objdir=$objdir
-
-# How to create reloadable object files.
-reload_flag=$lt_reload_flag
-reload_cmds=$lt_reload_cmds
-
-# How to pass a linker flag through the compiler.
-wl=$lt_lt_prog_compiler_wl_CXX
-
-# Object file suffix (normally "o").
-objext="$ac_objext"
-
-# Old archive suffix (normally "a").
-libext="$libext"
-
-# Shared library suffix (normally ".so").
-shrext_cmds='$shrext_cmds'
-
-# Executable file suffix (normally "").
-exeext="$exeext"
-
-# Additional compiler flags for building library objects.
-pic_flag=$lt_lt_prog_compiler_pic_CXX
-pic_mode=$pic_mode
-
-# What is the maximum length of a command?
-max_cmd_len=$lt_cv_sys_max_cmd_len
-
-# Does compiler simultaneously support -c and -o options?
-compiler_c_o=$lt_lt_cv_prog_compiler_c_o_CXX
-
-# Must we lock files when doing compilation?
-need_locks=$lt_need_locks
-
-# Do we need the lib prefix for modules?
-need_lib_prefix=$need_lib_prefix
-
-# Do we need a version for libraries?
-need_version=$need_version
-
-# Whether dlopen is supported.
-dlopen_support=$enable_dlopen
-
-# Whether dlopen of programs is supported.
-dlopen_self=$enable_dlopen_self
-
-# Whether dlopen of statically linked programs is supported.
-dlopen_self_static=$enable_dlopen_self_static
-
-# Compiler flag to prevent dynamic linking.
-link_static_flag=$lt_lt_prog_compiler_static_CXX
-
-# Compiler flag to turn off builtin functions.
-no_builtin_flag=$lt_lt_prog_compiler_no_builtin_flag_CXX
-
-# Compiler flag to allow reflexive dlopens.
-export_dynamic_flag_spec=$lt_export_dynamic_flag_spec_CXX
-
-# Compiler flag to generate shared objects directly from archives.
-whole_archive_flag_spec=$lt_whole_archive_flag_spec_CXX
-
-# Compiler flag to generate thread-safe objects.
-thread_safe_flag_spec=$lt_thread_safe_flag_spec_CXX
-
-# Library versioning type.
-version_type=$version_type
-
-# Format of library name prefix.
-libname_spec=$lt_libname_spec
-
-# List of archive names.  First name is the real one, the rest are links.
-# The last name is the one that the linker finds with -lNAME.
-library_names_spec=$lt_library_names_spec
-
-# The coded name of the library, if different from the real name.
-soname_spec=$lt_soname_spec
-
-# Commands used to build and install an old-style archive.
-RANLIB=$lt_RANLIB
-old_archive_cmds=$lt_old_archive_cmds_CXX
-old_postinstall_cmds=$lt_old_postinstall_cmds
-old_postuninstall_cmds=$lt_old_postuninstall_cmds
-
-# Create an old-style archive from a shared archive.
-old_archive_from_new_cmds=$lt_old_archive_from_new_cmds_CXX
-
-# Create a temporary old-style archive to link instead of a shared archive.
-old_archive_from_expsyms_cmds=$lt_old_archive_from_expsyms_cmds_CXX
-
-# Commands used to build and install a shared archive.
-archive_cmds=$lt_archive_cmds_CXX
-archive_expsym_cmds=$lt_archive_expsym_cmds_CXX
-postinstall_cmds=$lt_postinstall_cmds
-postuninstall_cmds=$lt_postuninstall_cmds
-
-# Commands used to build a loadable module (assumed same as above if empty)
-module_cmds=$lt_module_cmds_CXX
-module_expsym_cmds=$lt_module_expsym_cmds_CXX
-
-# Commands to strip libraries.
-old_striplib=$lt_old_striplib
-striplib=$lt_striplib
-
-# Dependencies to place before the objects being linked to create a
-# shared library.
-predep_objects=$lt_predep_objects_CXX
-
-# Dependencies to place after the objects being linked to create a
-# shared library.
-postdep_objects=$lt_postdep_objects_CXX
-
-# Dependencies to place before the objects being linked to create a
-# shared library.
-predeps=$lt_predeps_CXX
-
-# Dependencies to place after the objects being linked to create a
-# shared library.
-postdeps=$lt_postdeps_CXX
-
-# The directories searched by this compiler when creating a shared
-# library
-compiler_lib_search_dirs=$lt_compiler_lib_search_dirs_CXX
-
-# The library search path used internally by the compiler when linking
-# a shared library.
-compiler_lib_search_path=$lt_compiler_lib_search_path_CXX
-
-# Method to check whether dependent libraries are shared objects.
-deplibs_check_method=$lt_deplibs_check_method
-
-# Command to use when deplibs_check_method == file_magic.
-file_magic_cmd=$lt_file_magic_cmd
-
-# Flag that allows shared libraries with undefined symbols to be built.
-allow_undefined_flag=$lt_allow_undefined_flag_CXX
-
-# Flag that forces no undefined symbols.
-no_undefined_flag=$lt_no_undefined_flag_CXX
-
-# Commands used to finish a libtool library installation in a directory.
-finish_cmds=$lt_finish_cmds
-
-# Same as above, but a single script fragment to be evaled but not shown.
-finish_eval=$lt_finish_eval
-
-# Take the output of nm and produce a listing of raw symbols and C names.
-global_symbol_pipe=$lt_lt_cv_sys_global_symbol_pipe
-
-# Transform the output of nm in a proper C declaration
-global_symbol_to_cdecl=$lt_lt_cv_sys_global_symbol_to_cdecl
-
-# Transform the output of nm in a C name address pair
-global_symbol_to_c_name_address=$lt_lt_cv_sys_global_symbol_to_c_name_address
-
-# This is the shared library runtime path variable.
-runpath_var=$runpath_var
-
-# This is the shared library path variable.
-shlibpath_var=$shlibpath_var
-
-# Is shlibpath searched before the hard-coded library search path?
-shlibpath_overrides_runpath=$shlibpath_overrides_runpath
-
-# How to hardcode a shared library path into an executable.
-hardcode_action=$hardcode_action_CXX
-
-# Whether we should hardcode library paths into libraries.
-hardcode_into_libs=$hardcode_into_libs
-
-# Flag to hardcode \$libdir into a binary during linking.
-# This must work even if \$libdir does not exist.
-hardcode_libdir_flag_spec=$lt_hardcode_libdir_flag_spec_CXX
-
-# If ld is used when linking, flag to hardcode \$libdir into
-# a binary during linking. This must work even if \$libdir does
-# not exist.
-hardcode_libdir_flag_spec_ld=$lt_hardcode_libdir_flag_spec_ld_CXX
-
-# Whether we need a single -rpath flag with a separated argument.
-hardcode_libdir_separator=$lt_hardcode_libdir_separator_CXX
-
-# Set to yes if using DIR/libNAME${shared_ext} during linking hardcodes DIR into the
-# resulting binary.
-hardcode_direct=$hardcode_direct_CXX
-
-# Set to yes if using the -LDIR flag during linking hardcodes DIR into the
-# resulting binary.
-hardcode_minus_L=$hardcode_minus_L_CXX
-
-# Set to yes if using SHLIBPATH_VAR=DIR during linking hardcodes DIR into
-# the resulting binary.
-hardcode_shlibpath_var=$hardcode_shlibpath_var_CXX
-
-# Set to yes if building a shared library automatically hardcodes DIR into the library
-# and all subsequent libraries and executables linked against it.
-hardcode_automatic=$hardcode_automatic_CXX
-
-# Variables whose values should be saved in libtool wrapper scripts and
-# restored at relink time.
-variables_saved_for_relink="$variables_saved_for_relink"
-
-# Whether libtool must link a program against all its dependency libraries.
-link_all_deplibs=$link_all_deplibs_CXX
-
-# Compile-time system search path for libraries
-sys_lib_search_path_spec=$lt_sys_lib_search_path_spec
-
-# Run-time system search path for libraries
-sys_lib_dlsearch_path_spec=$lt_sys_lib_dlsearch_path_spec
-
-# Fix the shell variable \$srcfile for the compiler.
-fix_srcfile_path=$lt_fix_srcfile_path
-
-# Set to yes if exported symbols are required.
-always_export_symbols=$always_export_symbols_CXX
-
-# The commands to list exported symbols.
-export_symbols_cmds=$lt_export_symbols_cmds_CXX
-
-# The commands to extract the exported symbol list from a shared archive.
-extract_expsyms_cmds=$lt_extract_expsyms_cmds
-
-# Symbols that should not be listed in the preloaded symbols.
-exclude_expsyms=$lt_exclude_expsyms_CXX
-
-# Symbols that must always be exported.
-include_expsyms=$lt_include_expsyms_CXX
-
-# ### END LIBTOOL TAG CONFIG: $tagname
-
-__EOF__
-
-
-else
-  # If there is no Makefile yet, we rely on a make rule to execute
-  # `config.status --recheck' to rerun these tests and create the
-  # libtool script then.
-  ltmain_in=`echo $ltmain | sed -e 's/\.sh$/.in/'`
-  if test -f "$ltmain_in"; then
-    test -f Makefile && make "$ltmain"
-  fi
-fi
-
-
-ac_ext=c
-ac_cpp='$CPP $CPPFLAGS'
-ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
-ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
-ac_compiler_gnu=$ac_cv_c_compiler_gnu
-
-CC=$lt_save_CC
-LDCXX=$LD
-LD=$lt_save_LD
-GCC=$lt_save_GCC
-with_gnu_ldcxx=$with_gnu_ld
-with_gnu_ld=$lt_save_with_gnu_ld
-lt_cv_path_LDCXX=$lt_cv_path_LD
-lt_cv_path_LD=$lt_save_path_LD
-lt_cv_prog_gnu_ldcxx=$lt_cv_prog_gnu_ld
-lt_cv_prog_gnu_ld=$lt_save_with_gnu_ld
-
-	else
-	  tagname=""
-	fi
-	;;
-
-      F77)
-	if test -n "$F77" && test "X$F77" != "Xno"; then
-
-ac_ext=f
-ac_compile='$F77 -c $FFLAGS conftest.$ac_ext >&5'
-ac_link='$F77 -o conftest$ac_exeext $FFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
-ac_compiler_gnu=$ac_cv_f77_compiler_gnu
-
-
-archive_cmds_need_lc_F77=no
-allow_undefined_flag_F77=
-always_export_symbols_F77=no
-archive_expsym_cmds_F77=
-export_dynamic_flag_spec_F77=
-hardcode_direct_F77=no
-hardcode_libdir_flag_spec_F77=
-hardcode_libdir_flag_spec_ld_F77=
-hardcode_libdir_separator_F77=
-hardcode_minus_L_F77=no
-hardcode_automatic_F77=no
-module_cmds_F77=
-module_expsym_cmds_F77=
-link_all_deplibs_F77=unknown
-old_archive_cmds_F77=$old_archive_cmds
-no_undefined_flag_F77=
-whole_archive_flag_spec_F77=
-enable_shared_with_static_runtimes_F77=no
-
-# Source file extension for f77 test sources.
-ac_ext=f
-
-# Object file extension for compiled f77 test sources.
-objext=o
-objext_F77=$objext
-
-# Code to be used in simple compile tests
-lt_simple_compile_test_code="\
-      subroutine t
-      return
-      end
-"
-
-# Code to be used in simple link tests
-lt_simple_link_test_code="\
-      program t
-      end
-"
-
-# ltmain only uses $CC for tagged configurations so make sure $CC is set.
-
-# If no C compiler was specified, use CC.
-LTCC=${LTCC-"$CC"}
-
-# If no C compiler flags were specified, use CFLAGS.
-LTCFLAGS=${LTCFLAGS-"$CFLAGS"}
-
-# Allow CC to be a program name with arguments.
-compiler=$CC
-
-
-# save warnings/boilerplate of simple test code
-ac_outfile=conftest.$ac_objext
-echo "$lt_simple_compile_test_code" >conftest.$ac_ext
-eval "$ac_compile" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err
-_lt_compiler_boilerplate=`cat conftest.err`
-$rm conftest*
-
-ac_outfile=conftest.$ac_objext
-echo "$lt_simple_link_test_code" >conftest.$ac_ext
-eval "$ac_link" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err
-_lt_linker_boilerplate=`cat conftest.err`
-$rm -r conftest*
-
-
-# Allow CC to be a program name with arguments.
-lt_save_CC="$CC"
-CC=${F77-"f77"}
-compiler=$CC
-compiler_F77=$CC
-for cc_temp in $compiler""; do
-  case $cc_temp in
-    compile | *[\\/]compile | ccache | *[\\/]ccache ) ;;
-    distcc | *[\\/]distcc | purify | *[\\/]purify ) ;;
-    \-*) ;;
-    *) break;;
-  esac
-done
-cc_basename=`$echo "X$cc_temp" | $Xsed -e 's%.*/%%' -e "s%^$host_alias-%%"`
-
-
-{ echo "$as_me:$LINENO: checking if libtool supports shared libraries" >&5
-echo $ECHO_N "checking if libtool supports shared libraries... $ECHO_C" >&6; }
-{ echo "$as_me:$LINENO: result: $can_build_shared" >&5
-echo "${ECHO_T}$can_build_shared" >&6; }
-
-{ echo "$as_me:$LINENO: checking whether to build shared libraries" >&5
-echo $ECHO_N "checking whether to build shared libraries... $ECHO_C" >&6; }
-test "$can_build_shared" = "no" && enable_shared=no
-
-# On AIX, shared libraries and static libraries use the same namespace, and
-# are all built from PIC.
-case $host_os in
-aix3*)
-  test "$enable_shared" = yes && enable_static=no
-  if test -n "$RANLIB"; then
-    archive_cmds="$archive_cmds~\$RANLIB \$lib"
-    postinstall_cmds='$RANLIB $lib'
-  fi
-  ;;
-aix[4-9]*)
-  if test "$host_cpu" != ia64 && test "$aix_use_runtimelinking" = no ; then
-    test "$enable_shared" = yes && enable_static=no
-  fi
-  ;;
-esac
-{ echo "$as_me:$LINENO: result: $enable_shared" >&5
-echo "${ECHO_T}$enable_shared" >&6; }
-
-{ echo "$as_me:$LINENO: checking whether to build static libraries" >&5
-echo $ECHO_N "checking whether to build static libraries... $ECHO_C" >&6; }
-# Make sure either enable_shared or enable_static is yes.
-test "$enable_shared" = yes || enable_static=yes
-{ echo "$as_me:$LINENO: result: $enable_static" >&5
-echo "${ECHO_T}$enable_static" >&6; }
-
-GCC_F77="$G77"
-LD_F77="$LD"
-
-lt_prog_compiler_wl_F77=
-lt_prog_compiler_pic_F77=
-lt_prog_compiler_static_F77=
-
-{ echo "$as_me:$LINENO: checking for $compiler option to produce PIC" >&5
-echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6; }
-
-  if test "$GCC" = yes; then
-    lt_prog_compiler_wl_F77='-Wl,'
-    lt_prog_compiler_static_F77='-static'
-
-    case $host_os in
-      aix*)
-      # All AIX code is PIC.
-      if test "$host_cpu" = ia64; then
-	# AIX 5 now supports IA64 processor
-	lt_prog_compiler_static_F77='-Bstatic'
-      fi
-      ;;
-
-    amigaos*)
-      # FIXME: we need at least 68020 code to build shared libraries, but
-      # adding the `-m68020' flag to GCC prevents building anything better,
-      # like `-m68040'.
-      lt_prog_compiler_pic_F77='-m68020 -resident32 -malways-restore-a4'
-      ;;
-
-    beos* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*)
-      # PIC is the default for these OSes.
-      ;;
-
-    mingw* | cygwin* | pw32* | os2*)
-      # This hack is so that the source file can tell whether it is being
-      # built for inclusion in a dll (and should export symbols for example).
-      # Although the cygwin gcc ignores -fPIC, still need this for old-style
-      # (--disable-auto-import) libraries
-      lt_prog_compiler_pic_F77='-DDLL_EXPORT'
-      ;;
-
-    darwin* | rhapsody*)
-      # PIC is the default on this platform
-      # Common symbols not allowed in MH_DYLIB files
-      lt_prog_compiler_pic_F77='-fno-common'
-      ;;
-
-    interix[3-9]*)
-      # Interix 3.x gcc -fpic/-fPIC options generate broken code.
-      # Instead, we relocate shared libraries at runtime.
-      ;;
-
-    msdosdjgpp*)
-      # Just because we use GCC doesn't mean we suddenly get shared libraries
-      # on systems that don't support them.
-      lt_prog_compiler_can_build_shared_F77=no
-      enable_shared=no
-      ;;
-
-    sysv4*MP*)
-      if test -d /usr/nec; then
-	lt_prog_compiler_pic_F77=-Kconform_pic
-      fi
-      ;;
-
-    hpux*)
-      # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but
-      # not for PA HP-UX.
-      case $host_cpu in
-      hppa*64*|ia64*)
-	# +Z the default
-	;;
-      *)
-	lt_prog_compiler_pic_F77='-fPIC'
-	;;
-      esac
-      ;;
-
-    *)
-      lt_prog_compiler_pic_F77='-fPIC'
-      ;;
-    esac
-  else
-    # PORTME Check for flag to pass linker flags through the system compiler.
-    case $host_os in
-    aix*)
-      lt_prog_compiler_wl_F77='-Wl,'
-      if test "$host_cpu" = ia64; then
-	# AIX 5 now supports IA64 processor
-	lt_prog_compiler_static_F77='-Bstatic'
-      else
-	lt_prog_compiler_static_F77='-bnso -bI:/lib/syscalls.exp'
-      fi
-      ;;
-      darwin*)
-        # PIC is the default on this platform
-        # Common symbols not allowed in MH_DYLIB files
-       case $cc_basename in
-         xlc*)
-         lt_prog_compiler_pic_F77='-qnocommon'
-         lt_prog_compiler_wl_F77='-Wl,'
-         ;;
-       esac
-       ;;
-
-    mingw* | cygwin* | pw32* | os2*)
-      # This hack is so that the source file can tell whether it is being
-      # built for inclusion in a dll (and should export symbols for example).
-      lt_prog_compiler_pic_F77='-DDLL_EXPORT'
-      ;;
-
-    hpux9* | hpux10* | hpux11*)
-      lt_prog_compiler_wl_F77='-Wl,'
-      # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but
-      # not for PA HP-UX.
-      case $host_cpu in
-      hppa*64*|ia64*)
-	# +Z the default
-	;;
-      *)
-	lt_prog_compiler_pic_F77='+Z'
-	;;
-      esac
-      # Is there a better lt_prog_compiler_static that works with the bundled CC?
-      lt_prog_compiler_static_F77='${wl}-a ${wl}archive'
-      ;;
-
-    irix5* | irix6* | nonstopux*)
-      lt_prog_compiler_wl_F77='-Wl,'
-      # PIC (with -KPIC) is the default.
-      lt_prog_compiler_static_F77='-non_shared'
-      ;;
-
-    newsos6)
-      lt_prog_compiler_pic_F77='-KPIC'
-      lt_prog_compiler_static_F77='-Bstatic'
-      ;;
-
-    linux* | k*bsd*-gnu)
-      case $cc_basename in
-      icc* | ecc*)
-	lt_prog_compiler_wl_F77='-Wl,'
-	lt_prog_compiler_pic_F77='-KPIC'
-	lt_prog_compiler_static_F77='-static'
-        ;;
-      pgcc* | pgf77* | pgf90* | pgf95*)
-        # Portland Group compilers (*not* the Pentium gcc compiler,
-	# which looks to be a dead project)
-	lt_prog_compiler_wl_F77='-Wl,'
-	lt_prog_compiler_pic_F77='-fpic'
-	lt_prog_compiler_static_F77='-Bstatic'
-        ;;
-      ccc*)
-        lt_prog_compiler_wl_F77='-Wl,'
-        # All Alpha code is PIC.
-        lt_prog_compiler_static_F77='-non_shared'
-        ;;
-      *)
-        case `$CC -V 2>&1 | sed 5q` in
-	*Sun\ C*)
-	  # Sun C 5.9
-	  lt_prog_compiler_pic_F77='-KPIC'
-	  lt_prog_compiler_static_F77='-Bstatic'
-	  lt_prog_compiler_wl_F77='-Wl,'
-	  ;;
-	*Sun\ F*)
-	  # Sun Fortran 8.3 passes all unrecognized flags to the linker
-	  lt_prog_compiler_pic_F77='-KPIC'
-	  lt_prog_compiler_static_F77='-Bstatic'
-	  lt_prog_compiler_wl_F77=''
-	  ;;
-	esac
-	;;
-      esac
-      ;;
-
-    osf3* | osf4* | osf5*)
-      lt_prog_compiler_wl_F77='-Wl,'
-      # All OSF/1 code is PIC.
-      lt_prog_compiler_static_F77='-non_shared'
-      ;;
-
-    rdos*)
-      lt_prog_compiler_static_F77='-non_shared'
-      ;;
-
-    solaris*)
-      lt_prog_compiler_pic_F77='-KPIC'
-      lt_prog_compiler_static_F77='-Bstatic'
-      case $cc_basename in
-      f77* | f90* | f95*)
-	lt_prog_compiler_wl_F77='-Qoption ld ';;
-      *)
-	lt_prog_compiler_wl_F77='-Wl,';;
-      esac
-      ;;
-
-    sunos4*)
-      lt_prog_compiler_wl_F77='-Qoption ld '
-      lt_prog_compiler_pic_F77='-PIC'
-      lt_prog_compiler_static_F77='-Bstatic'
-      ;;
-
-    sysv4 | sysv4.2uw2* | sysv4.3*)
-      lt_prog_compiler_wl_F77='-Wl,'
-      lt_prog_compiler_pic_F77='-KPIC'
-      lt_prog_compiler_static_F77='-Bstatic'
-      ;;
-
-    sysv4*MP*)
-      if test -d /usr/nec ;then
-	lt_prog_compiler_pic_F77='-Kconform_pic'
-	lt_prog_compiler_static_F77='-Bstatic'
-      fi
-      ;;
-
-    sysv5* | unixware* | sco3.2v5* | sco5v6* | OpenUNIX*)
-      lt_prog_compiler_wl_F77='-Wl,'
-      lt_prog_compiler_pic_F77='-KPIC'
-      lt_prog_compiler_static_F77='-Bstatic'
-      ;;
-
-    unicos*)
-      lt_prog_compiler_wl_F77='-Wl,'
-      lt_prog_compiler_can_build_shared_F77=no
-      ;;
-
-    uts4*)
-      lt_prog_compiler_pic_F77='-pic'
-      lt_prog_compiler_static_F77='-Bstatic'
-      ;;
-
-    *)
-      lt_prog_compiler_can_build_shared_F77=no
-      ;;
-    esac
-  fi
-
-{ echo "$as_me:$LINENO: result: $lt_prog_compiler_pic_F77" >&5
-echo "${ECHO_T}$lt_prog_compiler_pic_F77" >&6; }
-
-#
-# Check to make sure the PIC flag actually works.
-#
-if test -n "$lt_prog_compiler_pic_F77"; then
-
-{ echo "$as_me:$LINENO: checking if $compiler PIC flag $lt_prog_compiler_pic_F77 works" >&5
-echo $ECHO_N "checking if $compiler PIC flag $lt_prog_compiler_pic_F77 works... $ECHO_C" >&6; }
-if test "${lt_cv_prog_compiler_pic_works_F77+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  lt_cv_prog_compiler_pic_works_F77=no
-  ac_outfile=conftest.$ac_objext
-   echo "$lt_simple_compile_test_code" > conftest.$ac_ext
-   lt_compiler_flag="$lt_prog_compiler_pic_F77"
-   # Insert the option either (1) after the last *FLAGS variable, or
-   # (2) before a word containing "conftest.", or (3) at the end.
-   # Note that $ac_compile itself does not contain backslashes and begins
-   # with a dollar sign (not a hyphen), so the echo should work correctly.
-   # The option is referenced via a variable to avoid confusing sed.
-   lt_compile=`echo "$ac_compile" | $SED \
-   -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-   -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-   -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:14696: $lt_compile\"" >&5)
-   (eval "$lt_compile" 2>conftest.err)
-   ac_status=$?
-   cat conftest.err >&5
-   echo "$as_me:14700: \$? = $ac_status" >&5
-   if (exit $ac_status) && test -s "$ac_outfile"; then
-     # The compiler can only warn and ignore the option if not recognized
-     # So say no if there are warnings other than the usual output.
-     $echo "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' >conftest.exp
-     $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2
-     if test ! -s conftest.er2 || diff conftest.exp conftest.er2 >/dev/null; then
-       lt_cv_prog_compiler_pic_works_F77=yes
-     fi
-   fi
-   $rm conftest*
-
-fi
-{ echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_pic_works_F77" >&5
-echo "${ECHO_T}$lt_cv_prog_compiler_pic_works_F77" >&6; }
-
-if test x"$lt_cv_prog_compiler_pic_works_F77" = xyes; then
-    case $lt_prog_compiler_pic_F77 in
-     "" | " "*) ;;
-     *) lt_prog_compiler_pic_F77=" $lt_prog_compiler_pic_F77" ;;
-     esac
-else
-    lt_prog_compiler_pic_F77=
-     lt_prog_compiler_can_build_shared_F77=no
-fi
-
-fi
-case $host_os in
-  # For platforms which do not support PIC, -DPIC is meaningless:
-  *djgpp*)
-    lt_prog_compiler_pic_F77=
-    ;;
-  *)
-    lt_prog_compiler_pic_F77="$lt_prog_compiler_pic_F77"
-    ;;
-esac
-
-#
-# Check to make sure the static flag actually works.
-#
-wl=$lt_prog_compiler_wl_F77 eval lt_tmp_static_flag=\"$lt_prog_compiler_static_F77\"
-{ echo "$as_me:$LINENO: checking if $compiler static flag $lt_tmp_static_flag works" >&5
-echo $ECHO_N "checking if $compiler static flag $lt_tmp_static_flag works... $ECHO_C" >&6; }
-if test "${lt_cv_prog_compiler_static_works_F77+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  lt_cv_prog_compiler_static_works_F77=no
-   save_LDFLAGS="$LDFLAGS"
-   LDFLAGS="$LDFLAGS $lt_tmp_static_flag"
-   echo "$lt_simple_link_test_code" > conftest.$ac_ext
-   if (eval $ac_link 2>conftest.err) && test -s conftest$ac_exeext; then
-     # The linker can only warn and ignore the option if not recognized
-     # So say no if there are warnings
-     if test -s conftest.err; then
-       # Append any errors to the config.log.
-       cat conftest.err 1>&5
-       $echo "X$_lt_linker_boilerplate" | $Xsed -e '/^$/d' > conftest.exp
-       $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2
-       if diff conftest.exp conftest.er2 >/dev/null; then
-         lt_cv_prog_compiler_static_works_F77=yes
-       fi
-     else
-       lt_cv_prog_compiler_static_works_F77=yes
-     fi
-   fi
-   $rm -r conftest*
-   LDFLAGS="$save_LDFLAGS"
-
-fi
-{ echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_static_works_F77" >&5
-echo "${ECHO_T}$lt_cv_prog_compiler_static_works_F77" >&6; }
-
-if test x"$lt_cv_prog_compiler_static_works_F77" = xyes; then
-    :
-else
-    lt_prog_compiler_static_F77=
-fi
-
-
-{ echo "$as_me:$LINENO: checking if $compiler supports -c -o file.$ac_objext" >&5
-echo $ECHO_N "checking if $compiler supports -c -o file.$ac_objext... $ECHO_C" >&6; }
-if test "${lt_cv_prog_compiler_c_o_F77+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  lt_cv_prog_compiler_c_o_F77=no
-   $rm -r conftest 2>/dev/null
-   mkdir conftest
-   cd conftest
-   mkdir out
-   echo "$lt_simple_compile_test_code" > conftest.$ac_ext
-
-   lt_compiler_flag="-o out/conftest2.$ac_objext"
-   # Insert the option either (1) after the last *FLAGS variable, or
-   # (2) before a word containing "conftest.", or (3) at the end.
-   # Note that $ac_compile itself does not contain backslashes and begins
-   # with a dollar sign (not a hyphen), so the echo should work correctly.
-   lt_compile=`echo "$ac_compile" | $SED \
-   -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-   -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-   -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:14800: $lt_compile\"" >&5)
-   (eval "$lt_compile" 2>out/conftest.err)
-   ac_status=$?
-   cat out/conftest.err >&5
-   echo "$as_me:14804: \$? = $ac_status" >&5
-   if (exit $ac_status) && test -s out/conftest2.$ac_objext
-   then
-     # The compiler can only warn and ignore the option if not recognized
-     # So say no if there are warnings
-     $echo "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' > out/conftest.exp
-     $SED '/^$/d; /^ *+/d' out/conftest.err >out/conftest.er2
-     if test ! -s out/conftest.er2 || diff out/conftest.exp out/conftest.er2 >/dev/null; then
-       lt_cv_prog_compiler_c_o_F77=yes
-     fi
-   fi
-   chmod u+w . 2>&5
-   $rm conftest*
-   # SGI C++ compiler will create directory out/ii_files/ for
-   # template instantiation
-   test -d out/ii_files && $rm out/ii_files/* && rmdir out/ii_files
-   $rm out/* && rmdir out
-   cd ..
-   rmdir conftest
-   $rm conftest*
-
-fi
-{ echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_c_o_F77" >&5
-echo "${ECHO_T}$lt_cv_prog_compiler_c_o_F77" >&6; }
-
-
-hard_links="nottested"
-if test "$lt_cv_prog_compiler_c_o_F77" = no && test "$need_locks" != no; then
-  # do not overwrite the value of need_locks provided by the user
-  { echo "$as_me:$LINENO: checking if we can lock with hard links" >&5
-echo $ECHO_N "checking if we can lock with hard links... $ECHO_C" >&6; }
-  hard_links=yes
-  $rm conftest*
-  ln conftest.a conftest.b 2>/dev/null && hard_links=no
-  touch conftest.a
-  ln conftest.a conftest.b 2>&5 || hard_links=no
-  ln conftest.a conftest.b 2>/dev/null && hard_links=no
-  { echo "$as_me:$LINENO: result: $hard_links" >&5
-echo "${ECHO_T}$hard_links" >&6; }
-  if test "$hard_links" = no; then
-    { echo "$as_me:$LINENO: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&5
-echo "$as_me: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&2;}
-    need_locks=warn
-  fi
-else
-  need_locks=no
-fi
-
-{ echo "$as_me:$LINENO: checking whether the $compiler linker ($LD) supports shared libraries" >&5
-echo $ECHO_N "checking whether the $compiler linker ($LD) supports shared libraries... $ECHO_C" >&6; }
-
-  runpath_var=
-  allow_undefined_flag_F77=
-  enable_shared_with_static_runtimes_F77=no
-  archive_cmds_F77=
-  archive_expsym_cmds_F77=
-  old_archive_From_new_cmds_F77=
-  old_archive_from_expsyms_cmds_F77=
-  export_dynamic_flag_spec_F77=
-  whole_archive_flag_spec_F77=
-  thread_safe_flag_spec_F77=
-  hardcode_libdir_flag_spec_F77=
-  hardcode_libdir_flag_spec_ld_F77=
-  hardcode_libdir_separator_F77=
-  hardcode_direct_F77=no
-  hardcode_minus_L_F77=no
-  hardcode_shlibpath_var_F77=unsupported
-  link_all_deplibs_F77=unknown
-  hardcode_automatic_F77=no
-  module_cmds_F77=
-  module_expsym_cmds_F77=
-  always_export_symbols_F77=no
-  export_symbols_cmds_F77='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols'
-  # include_expsyms should be a list of space-separated symbols to be *always*
-  # included in the symbol list
-  include_expsyms_F77=
-  # exclude_expsyms can be an extended regexp of symbols to exclude
-  # it will be wrapped by ` (' and `)$', so one must not match beginning or
-  # end of line.  Example: `a|bc|.*d.*' will exclude the symbols `a' and `bc',
-  # as well as any symbol that contains `d'.
-  exclude_expsyms_F77='_GLOBAL_OFFSET_TABLE_|_GLOBAL__F[ID]_.*'
-  # Although _GLOBAL_OFFSET_TABLE_ is a valid symbol C name, most a.out
-  # platforms (ab)use it in PIC code, but their linkers get confused if
-  # the symbol is explicitly referenced.  Since portable code cannot
-  # rely on this symbol name, it's probably fine to never include it in
-  # preloaded symbol tables.
-  # Exclude shared library initialization/finalization symbols.
-  extract_expsyms_cmds=
-  # Just being paranoid about ensuring that cc_basename is set.
-  for cc_temp in $compiler""; do
-  case $cc_temp in
-    compile | *[\\/]compile | ccache | *[\\/]ccache ) ;;
-    distcc | *[\\/]distcc | purify | *[\\/]purify ) ;;
-    \-*) ;;
-    *) break;;
-  esac
-done
-cc_basename=`$echo "X$cc_temp" | $Xsed -e 's%.*/%%' -e "s%^$host_alias-%%"`
-
-  case $host_os in
-  cygwin* | mingw* | pw32*)
-    # FIXME: the MSVC++ port hasn't been tested in a loooong time
-    # When not using gcc, we currently assume that we are using
-    # Microsoft Visual C++.
-    if test "$GCC" != yes; then
-      with_gnu_ld=no
-    fi
-    ;;
-  interix*)
-    # we just hope/assume this is gcc and not c89 (= MSVC++)
-    with_gnu_ld=yes
-    ;;
-  openbsd*)
-    with_gnu_ld=no
-    ;;
-  esac
-
-  ld_shlibs_F77=yes
-  if test "$with_gnu_ld" = yes; then
-    # If archive_cmds runs LD, not CC, wlarc should be empty
-    wlarc='${wl}'
-
-    # Set some defaults for GNU ld with shared library support. These
-    # are reset later if shared libraries are not supported. Putting them
-    # here allows them to be overridden if necessary.
-    runpath_var=LD_RUN_PATH
-    hardcode_libdir_flag_spec_F77='${wl}--rpath ${wl}$libdir'
-    export_dynamic_flag_spec_F77='${wl}--export-dynamic'
-    # ancient GNU ld didn't support --whole-archive et. al.
-    if $LD --help 2>&1 | grep 'no-whole-archive' > /dev/null; then
-	whole_archive_flag_spec_F77="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive'
-      else
-  	whole_archive_flag_spec_F77=
-    fi
-    supports_anon_versioning=no
-    case `$LD -v 2>/dev/null` in
-      *\ [01].* | *\ 2.[0-9].* | *\ 2.10.*) ;; # catch versions < 2.11
-      *\ 2.11.93.0.2\ *) supports_anon_versioning=yes ;; # RH7.3 ...
-      *\ 2.11.92.0.12\ *) supports_anon_versioning=yes ;; # Mandrake 8.2 ...
-      *\ 2.11.*) ;; # other 2.11 versions
-      *) supports_anon_versioning=yes ;;
-    esac
-
-    # See if GNU ld supports shared libraries.
-    case $host_os in
-    aix[3-9]*)
-      # On AIX/PPC, the GNU linker is very broken
-      if test "$host_cpu" != ia64; then
-	ld_shlibs_F77=no
-	cat <<EOF 1>&2
-
-*** Warning: the GNU linker, at least up to release 2.9.1, is reported
-*** to be unable to reliably create shared libraries on AIX.
-*** Therefore, libtool is disabling shared libraries support.  If you
-*** really care for shared libraries, you may want to modify your PATH
-*** so that a non-GNU linker is found, and then restart.
-
-EOF
-      fi
-      ;;
-
-    amigaos*)
-      archive_cmds_F77='$rm $output_objdir/a2ixlibrary.data~$echo "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$echo "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$echo "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$echo "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)'
-      hardcode_libdir_flag_spec_F77='-L$libdir'
-      hardcode_minus_L_F77=yes
-
-      # Samuel A. Falvo II <kc5tja@dolphin.openprojects.net> reports
-      # that the semantics of dynamic libraries on AmigaOS, at least up
-      # to version 4, is to share data among multiple programs linked
-      # with the same dynamic library.  Since this doesn't match the
-      # behavior of shared libraries on other platforms, we can't use
-      # them.
-      ld_shlibs_F77=no
-      ;;
-
-    beos*)
-      if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
-	allow_undefined_flag_F77=unsupported
-	# Joseph Beckenbach <jrb3@best.com> says some releases of gcc
-	# support --undefined.  This deserves some investigation.  FIXME
-	archive_cmds_F77='$CC -nostart $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
-      else
-	ld_shlibs_F77=no
-      fi
-      ;;
-
-    cygwin* | mingw* | pw32*)
-      # _LT_AC_TAGVAR(hardcode_libdir_flag_spec, F77) is actually meaningless,
-      # as there is no search path for DLLs.
-      hardcode_libdir_flag_spec_F77='-L$libdir'
-      allow_undefined_flag_F77=unsupported
-      always_export_symbols_F77=no
-      enable_shared_with_static_runtimes_F77=yes
-      export_symbols_cmds_F77='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[BCDGRS][ ]/s/.*[ ]\([^ ]*\)/\1 DATA/'\'' -e '\''/^[AITW][ ]/s/.*[ ]//'\'' | sort | uniq > $export_symbols'
-
-      if $LD --help 2>&1 | grep 'auto-import' > /dev/null; then
-        archive_cmds_F77='$CC -shared $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
-	# If the export-symbols file already is a .def file (1st line
-	# is EXPORTS), use it as is; otherwise, prepend...
-	archive_expsym_cmds_F77='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then
-	  cp $export_symbols $output_objdir/$soname.def;
-	else
-	  echo EXPORTS > $output_objdir/$soname.def;
-	  cat $export_symbols >> $output_objdir/$soname.def;
-	fi~
-	$CC -shared $output_objdir/$soname.def $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
-      else
-	ld_shlibs_F77=no
-      fi
-      ;;
-
-    interix[3-9]*)
-      hardcode_direct_F77=no
-      hardcode_shlibpath_var_F77=no
-      hardcode_libdir_flag_spec_F77='${wl}-rpath,$libdir'
-      export_dynamic_flag_spec_F77='${wl}-E'
-      # Hack: On Interix 3.x, we cannot compile PIC because of a broken gcc.
-      # Instead, shared libraries are loaded at an image base (0x10000000 by
-      # default) and relocated if they conflict, which is a slow very memory
-      # consuming and fragmenting process.  To avoid this, we pick a random,
-      # 256 KiB-aligned image base between 0x50000000 and 0x6FFC0000 at link
-      # time.  Moving up from 0x10000000 also allows more sbrk(2) space.
-      archive_cmds_F77='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
-      archive_expsym_cmds_F77='sed "s,^,_," $export_symbols >$output_objdir/$soname.expsym~$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--retain-symbols-file,$output_objdir/$soname.expsym ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
-      ;;
-
-    gnu* | linux* | k*bsd*-gnu)
-      if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
-	tmp_addflag=
-	case $cc_basename,$host_cpu in
-	pgcc*)				# Portland Group C compiler
-	  whole_archive_flag_spec_F77='${wl}--whole-archive`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}--no-whole-archive'
-	  tmp_addflag=' $pic_flag'
-	  ;;
-	pgf77* | pgf90* | pgf95*)	# Portland Group f77 and f90 compilers
-	  whole_archive_flag_spec_F77='${wl}--whole-archive`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}--no-whole-archive'
-	  tmp_addflag=' $pic_flag -Mnomain' ;;
-	ecc*,ia64* | icc*,ia64*)		# Intel C compiler on ia64
-	  tmp_addflag=' -i_dynamic' ;;
-	efc*,ia64* | ifort*,ia64*)	# Intel Fortran compiler on ia64
-	  tmp_addflag=' -i_dynamic -nofor_main' ;;
-	ifc* | ifort*)			# Intel Fortran compiler
-	  tmp_addflag=' -nofor_main' ;;
-	esac
-	case `$CC -V 2>&1 | sed 5q` in
-	*Sun\ C*)			# Sun C 5.9
-	  whole_archive_flag_spec_F77='${wl}--whole-archive`new_convenience=; for conv in $convenience\"\"; do test -z \"$conv\" || new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}--no-whole-archive'
-	  tmp_sharedflag='-G' ;;
-	*Sun\ F*)			# Sun Fortran 8.3
-	  tmp_sharedflag='-G' ;;
-	*)
-	  tmp_sharedflag='-shared' ;;
-	esac
-	archive_cmds_F77='$CC '"$tmp_sharedflag""$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
-
-	if test $supports_anon_versioning = yes; then
-	  archive_expsym_cmds_F77='$echo "{ global:" > $output_objdir/$libname.ver~
-  cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~
-  $echo "local: *; };" >> $output_objdir/$libname.ver~
-	  $CC '"$tmp_sharedflag""$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-version-script ${wl}$output_objdir/$libname.ver -o $lib'
-	fi
-	link_all_deplibs_F77=no
-      else
-	ld_shlibs_F77=no
-      fi
-      ;;
-
-    netbsd* | netbsdelf*-gnu)
-      if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
-	archive_cmds_F77='$LD -Bshareable $libobjs $deplibs $linker_flags -o $lib'
-	wlarc=
-      else
-	archive_cmds_F77='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
-	archive_expsym_cmds_F77='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
-      fi
-      ;;
-
-    solaris*)
-      if $LD -v 2>&1 | grep 'BFD 2\.8' > /dev/null; then
-	ld_shlibs_F77=no
-	cat <<EOF 1>&2
-
-*** Warning: The releases 2.8.* of the GNU linker cannot reliably
-*** create shared libraries on Solaris systems.  Therefore, libtool
-*** is disabling shared libraries support.  We urge you to upgrade GNU
-*** binutils to release 2.9.1 or newer.  Another option is to modify
-*** your PATH or compiler configuration so that the native linker is
-*** used, and then restart.
-
-EOF
-      elif $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
-	archive_cmds_F77='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
-	archive_expsym_cmds_F77='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
-      else
-	ld_shlibs_F77=no
-      fi
-      ;;
-
-    sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX*)
-      case `$LD -v 2>&1` in
-        *\ [01].* | *\ 2.[0-9].* | *\ 2.1[0-5].*)
-	ld_shlibs_F77=no
-	cat <<_LT_EOF 1>&2
-
-*** Warning: Releases of the GNU linker prior to 2.16.91.0.3 can not
-*** reliably create shared libraries on SCO systems.  Therefore, libtool
-*** is disabling shared libraries support.  We urge you to upgrade GNU
-*** binutils to release 2.16.91.0.3 or newer.  Another option is to modify
-*** your PATH or compiler configuration so that the native linker is
-*** used, and then restart.
-
-_LT_EOF
-	;;
-	*)
-	  if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
-	    hardcode_libdir_flag_spec_F77='`test -z "$SCOABSPATH" && echo ${wl}-rpath,$libdir`'
-	    archive_cmds_F77='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib'
-	    archive_expsym_cmds_F77='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname,\${SCOABSPATH:+${install_libdir}/}$soname,-retain-symbols-file,$export_symbols -o $lib'
-	  else
-	    ld_shlibs_F77=no
-	  fi
-	;;
-      esac
-      ;;
-
-    sunos4*)
-      archive_cmds_F77='$LD -assert pure-text -Bshareable -o $lib $libobjs $deplibs $linker_flags'
-      wlarc=
-      hardcode_direct_F77=yes
-      hardcode_shlibpath_var_F77=no
-      ;;
-
-    *)
-      if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
-	archive_cmds_F77='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
-	archive_expsym_cmds_F77='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
-      else
-	ld_shlibs_F77=no
-      fi
-      ;;
-    esac
-
-    if test "$ld_shlibs_F77" = no; then
-      runpath_var=
-      hardcode_libdir_flag_spec_F77=
-      export_dynamic_flag_spec_F77=
-      whole_archive_flag_spec_F77=
-    fi
-  else
-    # PORTME fill in a description of your system's linker (not GNU ld)
-    case $host_os in
-    aix3*)
-      allow_undefined_flag_F77=unsupported
-      always_export_symbols_F77=yes
-      archive_expsym_cmds_F77='$LD -o $output_objdir/$soname $libobjs $deplibs $linker_flags -bE:$export_symbols -T512 -H512 -bM:SRE~$AR $AR_FLAGS $lib $output_objdir/$soname'
-      # Note: this linker hardcodes the directories in LIBPATH if there
-      # are no directories specified by -L.
-      hardcode_minus_L_F77=yes
-      if test "$GCC" = yes && test -z "$lt_prog_compiler_static"; then
-	# Neither direct hardcoding nor static linking is supported with a
-	# broken collect2.
-	hardcode_direct_F77=unsupported
-      fi
-      ;;
-
-    aix[4-9]*)
-      if test "$host_cpu" = ia64; then
-	# On IA64, the linker does run time linking by default, so we don't
-	# have to do anything special.
-	aix_use_runtimelinking=no
-	exp_sym_flag='-Bexport'
-	no_entry_flag=""
-      else
-	# If we're using GNU nm, then we don't want the "-C" option.
-	# -C means demangle to AIX nm, but means don't demangle with GNU nm
-	if $NM -V 2>&1 | grep 'GNU' > /dev/null; then
-	  export_symbols_cmds_F77='$NM -Bpg $libobjs $convenience | awk '\''{ if (((\$2 == "T") || (\$2 == "D") || (\$2 == "B")) && (substr(\$3,1,1) != ".")) { print \$3 } }'\'' | sort -u > $export_symbols'
-	else
-	  export_symbols_cmds_F77='$NM -BCpg $libobjs $convenience | awk '\''{ if (((\$2 == "T") || (\$2 == "D") || (\$2 == "B")) && (substr(\$3,1,1) != ".")) { print \$3 } }'\'' | sort -u > $export_symbols'
-	fi
-	aix_use_runtimelinking=no
-
-	# Test if we are trying to use run time linking or normal
-	# AIX style linking. If -brtl is somewhere in LDFLAGS, we
-	# need to do runtime linking.
-	case $host_os in aix4.[23]|aix4.[23].*|aix[5-9]*)
-	  for ld_flag in $LDFLAGS; do
-  	  if (test $ld_flag = "-brtl" || test $ld_flag = "-Wl,-brtl"); then
-  	    aix_use_runtimelinking=yes
-  	    break
-  	  fi
-	  done
-	  ;;
-	esac
-
-	exp_sym_flag='-bexport'
-	no_entry_flag='-bnoentry'
-      fi
-
-      # When large executables or shared objects are built, AIX ld can
-      # have problems creating the table of contents.  If linking a library
-      # or program results in "error TOC overflow" add -mminimal-toc to
-      # CXXFLAGS/CFLAGS for g++/gcc.  In the cases where that is not
-      # enough to fix the problem, add -Wl,-bbigtoc to LDFLAGS.
-
-      archive_cmds_F77=''
-      hardcode_direct_F77=yes
-      hardcode_libdir_separator_F77=':'
-      link_all_deplibs_F77=yes
-
-      if test "$GCC" = yes; then
-	case $host_os in aix4.[012]|aix4.[012].*)
-	# We only want to do this on AIX 4.2 and lower, the check
-	# below for broken collect2 doesn't work under 4.3+
-	  collect2name=`${CC} -print-prog-name=collect2`
-	  if test -f "$collect2name" && \
-  	   strings "$collect2name" | grep resolve_lib_name >/dev/null
-	  then
-  	  # We have reworked collect2
-  	  :
-	  else
-  	  # We have old collect2
-  	  hardcode_direct_F77=unsupported
-  	  # It fails to find uninstalled libraries when the uninstalled
-  	  # path is not listed in the libpath.  Setting hardcode_minus_L
-  	  # to unsupported forces relinking
-  	  hardcode_minus_L_F77=yes
-  	  hardcode_libdir_flag_spec_F77='-L$libdir'
-  	  hardcode_libdir_separator_F77=
-	  fi
-	  ;;
-	esac
-	shared_flag='-shared'
-	if test "$aix_use_runtimelinking" = yes; then
-	  shared_flag="$shared_flag "'${wl}-G'
-	fi
-      else
-	# not using gcc
-	if test "$host_cpu" = ia64; then
-  	# VisualAge C++, Version 5.5 for AIX 5L for IA-64, Beta 3 Release
-  	# chokes on -Wl,-G. The following line is correct:
-	  shared_flag='-G'
-	else
-	  if test "$aix_use_runtimelinking" = yes; then
-	    shared_flag='${wl}-G'
-	  else
-	    shared_flag='${wl}-bM:SRE'
-	  fi
-	fi
-      fi
-
-      # It seems that -bexpall does not export symbols beginning with
-      # underscore (_), so it is better to generate a list of symbols to export.
-      always_export_symbols_F77=yes
-      if test "$aix_use_runtimelinking" = yes; then
-	# Warning - without using the other runtime loading flags (-brtl),
-	# -berok will link without error, but may produce a broken library.
-	allow_undefined_flag_F77='-berok'
-       # Determine the default libpath from the value encoded in an empty executable.
-       cat >conftest.$ac_ext <<_ACEOF
-      program main
-
-      end
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_f77_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
-
-lt_aix_libpath_sed='
-    /Import File Strings/,/^$/ {
-	/^0/ {
-	    s/^0  *\(.*\)$/\1/
-	    p
-	}
-    }'
-aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
-# Check for a 64-bit object if we didn't find anything.
-if test -z "$aix_libpath"; then
-  aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
-fi
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
-if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
-
-       hardcode_libdir_flag_spec_F77='${wl}-blibpath:$libdir:'"$aix_libpath"
-	archive_expsym_cmds_F77="\$CC"' -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then echo "${wl}${allow_undefined_flag}"; else :; fi` '"\${wl}$exp_sym_flag:\$export_symbols $shared_flag"
-       else
-	if test "$host_cpu" = ia64; then
-	  hardcode_libdir_flag_spec_F77='${wl}-R $libdir:/usr/lib:/lib'
-	  allow_undefined_flag_F77="-z nodefs"
-	  archive_expsym_cmds_F77="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags ${wl}${allow_undefined_flag} '"\${wl}$exp_sym_flag:\$export_symbols"
-	else
-	 # Determine the default libpath from the value encoded in an empty executable.
-	 cat >conftest.$ac_ext <<_ACEOF
-      program main
-
-      end
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_f77_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
-
-lt_aix_libpath_sed='
-    /Import File Strings/,/^$/ {
-	/^0/ {
-	    s/^0  *\(.*\)$/\1/
-	    p
-	}
-    }'
-aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
-# Check for a 64-bit object if we didn't find anything.
-if test -z "$aix_libpath"; then
-  aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
-fi
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
-if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
-
-	 hardcode_libdir_flag_spec_F77='${wl}-blibpath:$libdir:'"$aix_libpath"
-	  # Warning - without using the other run time loading flags,
-	  # -berok will link without error, but may produce a broken library.
-	  no_undefined_flag_F77=' ${wl}-bernotok'
-	  allow_undefined_flag_F77=' ${wl}-berok'
-	  # Exported symbols can be pulled into shared objects from archives
-	  whole_archive_flag_spec_F77='$convenience'
-	  archive_cmds_need_lc_F77=yes
-	  # This is similar to how AIX traditionally builds its shared libraries.
-	  archive_expsym_cmds_F77="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs ${wl}-bnoentry $compiler_flags ${wl}-bE:$export_symbols${allow_undefined_flag}~$AR $AR_FLAGS $output_objdir/$libname$release.a $output_objdir/$soname'
-	fi
-      fi
-      ;;
-
-    amigaos*)
-      archive_cmds_F77='$rm $output_objdir/a2ixlibrary.data~$echo "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$echo "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$echo "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$echo "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)'
-      hardcode_libdir_flag_spec_F77='-L$libdir'
-      hardcode_minus_L_F77=yes
-      # see comment about different semantics on the GNU ld section
-      ld_shlibs_F77=no
-      ;;
-
-    bsdi[45]*)
-      export_dynamic_flag_spec_F77=-rdynamic
-      ;;
-
-    cygwin* | mingw* | pw32*)
-      # When not using gcc, we currently assume that we are using
-      # Microsoft Visual C++.
-      # hardcode_libdir_flag_spec is actually meaningless, as there is
-      # no search path for DLLs.
-      hardcode_libdir_flag_spec_F77=' '
-      allow_undefined_flag_F77=unsupported
-      # Tell ltmain to make .lib files, not .a files.
-      libext=lib
-      # Tell ltmain to make .dll files, not .so files.
-      shrext_cmds=".dll"
-      # FIXME: Setting linknames here is a bad hack.
-      archive_cmds_F77='$CC -o $lib $libobjs $compiler_flags `echo "$deplibs" | $SED -e '\''s/ -lc$//'\''` -link -dll~linknames='
-      # The linker will automatically build a .lib file if we build a DLL.
-      old_archive_From_new_cmds_F77='true'
-      # FIXME: Should let the user specify the lib program.
-      old_archive_cmds_F77='lib -OUT:$oldlib$oldobjs$old_deplibs'
-      fix_srcfile_path_F77='`cygpath -w "$srcfile"`'
-      enable_shared_with_static_runtimes_F77=yes
-      ;;
-
-    darwin* | rhapsody*)
-      case $host_os in
-        rhapsody* | darwin1.[012])
-         allow_undefined_flag_F77='${wl}-undefined ${wl}suppress'
-         ;;
-       *) # Darwin 1.3 on
-         if test -z ${MACOSX_DEPLOYMENT_TARGET} ; then
-           allow_undefined_flag_F77='${wl}-flat_namespace ${wl}-undefined ${wl}suppress'
-         else
-           case ${MACOSX_DEPLOYMENT_TARGET} in
-             10.[012])
-               allow_undefined_flag_F77='${wl}-flat_namespace ${wl}-undefined ${wl}suppress'
-               ;;
-             10.*)
-               allow_undefined_flag_F77='${wl}-undefined ${wl}dynamic_lookup'
-               ;;
-           esac
-         fi
-         ;;
-      esac
-      archive_cmds_need_lc_F77=no
-      hardcode_direct_F77=no
-      hardcode_automatic_F77=yes
-      hardcode_shlibpath_var_F77=unsupported
-      whole_archive_flag_spec_F77=''
-      link_all_deplibs_F77=yes
-    if test "$GCC" = yes ; then
-    	output_verbose_link_cmd='echo'
-        archive_cmds_F77="\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$libobjs \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring $_lt_dar_single_mod${_lt_dsymutil}"
-        module_cmds_F77="\$CC \$allow_undefined_flag -o \$lib -bundle \$libobjs \$deplibs \$compiler_flags${_lt_dsymutil}"
-        archive_expsym_cmds_F77="sed 's,^,_,' < \$export_symbols > \$output_objdir/\${libname}-symbols.expsym~\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$libobjs \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring ${_lt_dar_single_mod}${_lt_dar_export_syms}${_lt_dsymutil}"
-        module_expsym_cmds_F77="sed -e 's,^,_,' < \$export_symbols > \$output_objdir/\${libname}-symbols.expsym~\$CC \$allow_undefined_flag -o \$lib -bundle \$libobjs \$deplibs \$compiler_flags${_lt_dar_export_syms}${_lt_dsymutil}"
-    else
-      case $cc_basename in
-        xlc*)
-         output_verbose_link_cmd='echo'
-         archive_cmds_F77='$CC -qmkshrobj $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}`echo $rpath/$soname` $xlcverstring'
-         module_cmds_F77='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
-          # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin lds
-         archive_expsym_cmds_F77='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -qmkshrobj $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}$rpath/$soname $xlcverstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
-          module_expsym_cmds_F77='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag  -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
-          ;;
-       *)
-         ld_shlibs_F77=no
-          ;;
-      esac
-    fi
-      ;;
-
-    dgux*)
-      archive_cmds_F77='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
-      hardcode_libdir_flag_spec_F77='-L$libdir'
-      hardcode_shlibpath_var_F77=no
-      ;;
-
-    freebsd1*)
-      ld_shlibs_F77=no
-      ;;
-
-    # FreeBSD 2.2.[012] allows us to include c++rt0.o to get C++ constructor
-    # support.  Future versions do this automatically, but an explicit c++rt0.o
-    # does not break anything, and helps significantly (at the cost of a little
-    # extra space).
-    freebsd2.2*)
-      archive_cmds_F77='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags /usr/lib/c++rt0.o'
-      hardcode_libdir_flag_spec_F77='-R$libdir'
-      hardcode_direct_F77=yes
-      hardcode_shlibpath_var_F77=no
-      ;;
-
-    # Unfortunately, older versions of FreeBSD 2 do not have this feature.
-    freebsd2*)
-      archive_cmds_F77='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'
-      hardcode_direct_F77=yes
-      hardcode_minus_L_F77=yes
-      hardcode_shlibpath_var_F77=no
-      ;;
-
-    # FreeBSD 3 and greater uses gcc -shared to do shared libraries.
-    freebsd* | dragonfly*)
-      archive_cmds_F77='$CC -shared -o $lib $libobjs $deplibs $compiler_flags'
-      hardcode_libdir_flag_spec_F77='-R$libdir'
-      hardcode_direct_F77=yes
-      hardcode_shlibpath_var_F77=no
-      ;;
-
-    hpux9*)
-      if test "$GCC" = yes; then
-	archive_cmds_F77='$rm $output_objdir/$soname~$CC -shared -fPIC ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $libobjs $deplibs $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
-      else
-	archive_cmds_F77='$rm $output_objdir/$soname~$LD -b +b $install_libdir -o $output_objdir/$soname $libobjs $deplibs $linker_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
-      fi
-      hardcode_libdir_flag_spec_F77='${wl}+b ${wl}$libdir'
-      hardcode_libdir_separator_F77=:
-      hardcode_direct_F77=yes
-
-      # hardcode_minus_L: Not really in the search PATH,
-      # but as the default location of the library.
-      hardcode_minus_L_F77=yes
-      export_dynamic_flag_spec_F77='${wl}-E'
-      ;;
-
-    hpux10*)
-      if test "$GCC" = yes -a "$with_gnu_ld" = no; then
-	archive_cmds_F77='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
-      else
-	archive_cmds_F77='$LD -b +h $soname +b $install_libdir -o $lib $libobjs $deplibs $linker_flags'
-      fi
-      if test "$with_gnu_ld" = no; then
-	hardcode_libdir_flag_spec_F77='${wl}+b ${wl}$libdir'
-	hardcode_libdir_separator_F77=:
-
-	hardcode_direct_F77=yes
-	export_dynamic_flag_spec_F77='${wl}-E'
-
-	# hardcode_minus_L: Not really in the search PATH,
-	# but as the default location of the library.
-	hardcode_minus_L_F77=yes
-      fi
-      ;;
-
-    hpux11*)
-      if test "$GCC" = yes -a "$with_gnu_ld" = no; then
-	case $host_cpu in
-	hppa*64*)
-	  archive_cmds_F77='$CC -shared ${wl}+h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
-	  ;;
-	ia64*)
-	  archive_cmds_F77='$CC -shared ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags'
-	  ;;
-	*)
-	  archive_cmds_F77='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
-	  ;;
-	esac
-      else
-	case $host_cpu in
-	hppa*64*)
-	  archive_cmds_F77='$CC -b ${wl}+h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
-	  ;;
-	ia64*)
-	  archive_cmds_F77='$CC -b ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags'
-	  ;;
-	*)
-	  archive_cmds_F77='$CC -b ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
-	  ;;
-	esac
-      fi
-      if test "$with_gnu_ld" = no; then
-	hardcode_libdir_flag_spec_F77='${wl}+b ${wl}$libdir'
-	hardcode_libdir_separator_F77=:
-
-	case $host_cpu in
-	hppa*64*|ia64*)
-	  hardcode_libdir_flag_spec_ld_F77='+b $libdir'
-	  hardcode_direct_F77=no
-	  hardcode_shlibpath_var_F77=no
-	  ;;
-	*)
-	  hardcode_direct_F77=yes
-	  export_dynamic_flag_spec_F77='${wl}-E'
-
-	  # hardcode_minus_L: Not really in the search PATH,
-	  # but as the default location of the library.
-	  hardcode_minus_L_F77=yes
-	  ;;
-	esac
-      fi
-      ;;
-
-    irix5* | irix6* | nonstopux*)
-      if test "$GCC" = yes; then
-	archive_cmds_F77='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
-      else
-	archive_cmds_F77='$LD -shared $libobjs $deplibs $linker_flags -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
-	hardcode_libdir_flag_spec_ld_F77='-rpath $libdir'
-      fi
-      hardcode_libdir_flag_spec_F77='${wl}-rpath ${wl}$libdir'
-      hardcode_libdir_separator_F77=:
-      link_all_deplibs_F77=yes
-      ;;
-
-    netbsd* | netbsdelf*-gnu)
-      if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
-	archive_cmds_F77='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'  # a.out
-      else
-	archive_cmds_F77='$LD -shared -o $lib $libobjs $deplibs $linker_flags'      # ELF
-      fi
-      hardcode_libdir_flag_spec_F77='-R$libdir'
-      hardcode_direct_F77=yes
-      hardcode_shlibpath_var_F77=no
-      ;;
-
-    newsos6)
-      archive_cmds_F77='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
-      hardcode_direct_F77=yes
-      hardcode_libdir_flag_spec_F77='${wl}-rpath ${wl}$libdir'
-      hardcode_libdir_separator_F77=:
-      hardcode_shlibpath_var_F77=no
-      ;;
-
-    openbsd*)
-      if test -f /usr/libexec/ld.so; then
-	hardcode_direct_F77=yes
-	hardcode_shlibpath_var_F77=no
-	if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
-	  archive_cmds_F77='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
-	  archive_expsym_cmds_F77='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-retain-symbols-file,$export_symbols'
-	  hardcode_libdir_flag_spec_F77='${wl}-rpath,$libdir'
-	  export_dynamic_flag_spec_F77='${wl}-E'
-	else
-	  case $host_os in
-	   openbsd[01].* | openbsd2.[0-7] | openbsd2.[0-7].*)
-	     archive_cmds_F77='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'
-	     hardcode_libdir_flag_spec_F77='-R$libdir'
-	     ;;
-	   *)
-	     archive_cmds_F77='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
-	     hardcode_libdir_flag_spec_F77='${wl}-rpath,$libdir'
-	     ;;
-	  esac
-        fi
-      else
-	ld_shlibs_F77=no
-      fi
-      ;;
-
-    os2*)
-      hardcode_libdir_flag_spec_F77='-L$libdir'
-      hardcode_minus_L_F77=yes
-      allow_undefined_flag_F77=unsupported
-      archive_cmds_F77='$echo "LIBRARY $libname INITINSTANCE" > $output_objdir/$libname.def~$echo "DESCRIPTION \"$libname\"" >> $output_objdir/$libname.def~$echo DATA >> $output_objdir/$libname.def~$echo " SINGLE NONSHARED" >> $output_objdir/$libname.def~$echo EXPORTS >> $output_objdir/$libname.def~emxexp $libobjs >> $output_objdir/$libname.def~$CC -Zdll -Zcrtdll -o $lib $libobjs $deplibs $compiler_flags $output_objdir/$libname.def'
-      old_archive_From_new_cmds_F77='emximp -o $output_objdir/$libname.a $output_objdir/$libname.def'
-      ;;
-
-    osf3*)
-      if test "$GCC" = yes; then
-	allow_undefined_flag_F77=' ${wl}-expect_unresolved ${wl}\*'
-	archive_cmds_F77='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
-      else
-	allow_undefined_flag_F77=' -expect_unresolved \*'
-	archive_cmds_F77='$LD -shared${allow_undefined_flag} $libobjs $deplibs $linker_flags -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
-      fi
-      hardcode_libdir_flag_spec_F77='${wl}-rpath ${wl}$libdir'
-      hardcode_libdir_separator_F77=:
-      ;;
-
-    osf4* | osf5*)	# as osf3* with the addition of -msym flag
-      if test "$GCC" = yes; then
-	allow_undefined_flag_F77=' ${wl}-expect_unresolved ${wl}\*'
-	archive_cmds_F77='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-msym ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
-	hardcode_libdir_flag_spec_F77='${wl}-rpath ${wl}$libdir'
-      else
-	allow_undefined_flag_F77=' -expect_unresolved \*'
-	archive_cmds_F77='$LD -shared${allow_undefined_flag} $libobjs $deplibs $linker_flags -msym -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
-	archive_expsym_cmds_F77='for i in `cat $export_symbols`; do printf "%s %s\\n" -exported_symbol "\$i" >> $lib.exp; done; echo "-hidden">> $lib.exp~
-	$LD -shared${allow_undefined_flag} -input $lib.exp $linker_flags $libobjs $deplibs -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib~$rm $lib.exp'
-
-	# Both c and cxx compiler support -rpath directly
-	hardcode_libdir_flag_spec_F77='-rpath $libdir'
-      fi
-      hardcode_libdir_separator_F77=:
-      ;;
-
-    solaris*)
-      no_undefined_flag_F77=' -z text'
-      if test "$GCC" = yes; then
-	wlarc='${wl}'
-	archive_cmds_F77='$CC -shared ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
-	archive_expsym_cmds_F77='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
-	  $CC -shared ${wl}-M ${wl}$lib.exp ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags~$rm $lib.exp'
-      else
-	wlarc=''
-	archive_cmds_F77='$LD -G${allow_undefined_flag} -h $soname -o $lib $libobjs $deplibs $linker_flags'
-	archive_expsym_cmds_F77='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
-  	$LD -G${allow_undefined_flag} -M $lib.exp -h $soname -o $lib $libobjs $deplibs $linker_flags~$rm $lib.exp'
-      fi
-      hardcode_libdir_flag_spec_F77='-R$libdir'
-      hardcode_shlibpath_var_F77=no
-      case $host_os in
-      solaris2.[0-5] | solaris2.[0-5].*) ;;
-      *)
-	# The compiler driver will combine and reorder linker options,
-	# but understands `-z linker_flag'.  GCC discards it without `$wl',
-	# but is careful enough not to reorder.
- 	# Supported since Solaris 2.6 (maybe 2.5.1?)
-	if test "$GCC" = yes; then
-	  whole_archive_flag_spec_F77='${wl}-z ${wl}allextract$convenience ${wl}-z ${wl}defaultextract'
-	else
-	  whole_archive_flag_spec_F77='-z allextract$convenience -z defaultextract'
-	fi
-	;;
-      esac
-      link_all_deplibs_F77=yes
-      ;;
-
-    sunos4*)
-      if test "x$host_vendor" = xsequent; then
-	# Use $CC to link under sequent, because it throws in some extra .o
-	# files that make .init and .fini sections work.
-	archive_cmds_F77='$CC -G ${wl}-h $soname -o $lib $libobjs $deplibs $compiler_flags'
-      else
-	archive_cmds_F77='$LD -assert pure-text -Bstatic -o $lib $libobjs $deplibs $linker_flags'
-      fi
-      hardcode_libdir_flag_spec_F77='-L$libdir'
-      hardcode_direct_F77=yes
-      hardcode_minus_L_F77=yes
-      hardcode_shlibpath_var_F77=no
-      ;;
-
-    sysv4)
-      case $host_vendor in
-	sni)
-	  archive_cmds_F77='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
-	  hardcode_direct_F77=yes # is this really true???
-	;;
-	siemens)
-	  ## LD is ld it makes a PLAMLIB
-	  ## CC just makes a GrossModule.
-	  archive_cmds_F77='$LD -G -o $lib $libobjs $deplibs $linker_flags'
-	  reload_cmds_F77='$CC -r -o $output$reload_objs'
-	  hardcode_direct_F77=no
-        ;;
-	motorola)
-	  archive_cmds_F77='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
-	  hardcode_direct_F77=no #Motorola manual says yes, but my tests say they lie
-	;;
-      esac
-      runpath_var='LD_RUN_PATH'
-      hardcode_shlibpath_var_F77=no
-      ;;
-
-    sysv4.3*)
-      archive_cmds_F77='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
-      hardcode_shlibpath_var_F77=no
-      export_dynamic_flag_spec_F77='-Bexport'
-      ;;
-
-    sysv4*MP*)
-      if test -d /usr/nec; then
-	archive_cmds_F77='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
-	hardcode_shlibpath_var_F77=no
-	runpath_var=LD_RUN_PATH
-	hardcode_runpath_var=yes
-	ld_shlibs_F77=yes
-      fi
-      ;;
-
-    sysv4*uw2* | sysv5OpenUNIX* | sysv5UnixWare7.[01].[10]* | unixware7* | sco3.2v5.0.[024]*)
-      no_undefined_flag_F77='${wl}-z,text'
-      archive_cmds_need_lc_F77=no
-      hardcode_shlibpath_var_F77=no
-      runpath_var='LD_RUN_PATH'
-
-      if test "$GCC" = yes; then
-	archive_cmds_F77='$CC -shared ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
-	archive_expsym_cmds_F77='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
-      else
-	archive_cmds_F77='$CC -G ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
-	archive_expsym_cmds_F77='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
-      fi
-      ;;
-
-    sysv5* | sco3.2v5* | sco5v6*)
-      # Note: We can NOT use -z defs as we might desire, because we do not
-      # link with -lc, and that would cause any symbols used from libc to
-      # always be unresolved, which means just about no library would
-      # ever link correctly.  If we're not using GNU ld we use -z text
-      # though, which does catch some bad symbols but isn't as heavy-handed
-      # as -z defs.
-      no_undefined_flag_F77='${wl}-z,text'
-      allow_undefined_flag_F77='${wl}-z,nodefs'
-      archive_cmds_need_lc_F77=no
-      hardcode_shlibpath_var_F77=no
-      hardcode_libdir_flag_spec_F77='`test -z "$SCOABSPATH" && echo ${wl}-R,$libdir`'
-      hardcode_libdir_separator_F77=':'
-      link_all_deplibs_F77=yes
-      export_dynamic_flag_spec_F77='${wl}-Bexport'
-      runpath_var='LD_RUN_PATH'
-
-      if test "$GCC" = yes; then
-	archive_cmds_F77='$CC -shared ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
-	archive_expsym_cmds_F77='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
-      else
-	archive_cmds_F77='$CC -G ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
-	archive_expsym_cmds_F77='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
-      fi
-      ;;
-
-    uts4*)
-      archive_cmds_F77='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
-      hardcode_libdir_flag_spec_F77='-L$libdir'
-      hardcode_shlibpath_var_F77=no
-      ;;
-
-    *)
-      ld_shlibs_F77=no
-      ;;
-    esac
-  fi
-
-{ echo "$as_me:$LINENO: result: $ld_shlibs_F77" >&5
-echo "${ECHO_T}$ld_shlibs_F77" >&6; }
-test "$ld_shlibs_F77" = no && can_build_shared=no
-
-#
-# Do we need to explicitly link libc?
-#
-case "x$archive_cmds_need_lc_F77" in
-x|xyes)
-  # Assume -lc should be added
-  archive_cmds_need_lc_F77=yes
-
-  if test "$enable_shared" = yes && test "$GCC" = yes; then
-    case $archive_cmds_F77 in
-    *'~'*)
-      # FIXME: we may have to deal with multi-command sequences.
-      ;;
-    '$CC '*)
-      # Test whether the compiler implicitly links with -lc since on some
-      # systems, -lgcc has to come before -lc. If gcc already passes -lc
-      # to ld, don't add -lc before -lgcc.
-      { echo "$as_me:$LINENO: checking whether -lc should be explicitly linked in" >&5
-echo $ECHO_N "checking whether -lc should be explicitly linked in... $ECHO_C" >&6; }
-      $rm conftest*
-      echo "$lt_simple_compile_test_code" > conftest.$ac_ext
-
-      if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } 2>conftest.err; then
-        soname=conftest
-        lib=conftest
-        libobjs=conftest.$ac_objext
-        deplibs=
-        wl=$lt_prog_compiler_wl_F77
-	pic_flag=$lt_prog_compiler_pic_F77
-        compiler_flags=-v
-        linker_flags=-v
-        verstring=
-        output_objdir=.
-        libname=conftest
-        lt_save_allow_undefined_flag=$allow_undefined_flag_F77
-        allow_undefined_flag_F77=
-        if { (eval echo "$as_me:$LINENO: \"$archive_cmds_F77 2\>\&1 \| grep \" -lc \" \>/dev/null 2\>\&1\"") >&5
-  (eval $archive_cmds_F77 2\>\&1 \| grep \" -lc \" \>/dev/null 2\>\&1) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }
-        then
-	  archive_cmds_need_lc_F77=no
-        else
-	  archive_cmds_need_lc_F77=yes
-        fi
-        allow_undefined_flag_F77=$lt_save_allow_undefined_flag
-      else
-        cat conftest.err 1>&5
-      fi
-      $rm conftest*
-      { echo "$as_me:$LINENO: result: $archive_cmds_need_lc_F77" >&5
-echo "${ECHO_T}$archive_cmds_need_lc_F77" >&6; }
-      ;;
-    esac
-  fi
-  ;;
-esac
-
-{ echo "$as_me:$LINENO: checking dynamic linker characteristics" >&5
-echo $ECHO_N "checking dynamic linker characteristics... $ECHO_C" >&6; }
-library_names_spec=
-libname_spec='lib$name'
-soname_spec=
-shrext_cmds=".so"
-postinstall_cmds=
-postuninstall_cmds=
-finish_cmds=
-finish_eval=
-shlibpath_var=
-shlibpath_overrides_runpath=unknown
-version_type=none
-dynamic_linker="$host_os ld.so"
-sys_lib_dlsearch_path_spec="/lib /usr/lib"
-
-need_lib_prefix=unknown
-hardcode_into_libs=no
-
-# when you set need_version to no, make sure it does not cause -set_version
-# flags to be left without arguments
-need_version=unknown
-
-case $host_os in
-aix3*)
-  version_type=linux
-  library_names_spec='${libname}${release}${shared_ext}$versuffix $libname.a'
-  shlibpath_var=LIBPATH
-
-  # AIX 3 has no versioning support, so we append a major version to the name.
-  soname_spec='${libname}${release}${shared_ext}$major'
-  ;;
-
-aix[4-9]*)
-  version_type=linux
-  need_lib_prefix=no
-  need_version=no
-  hardcode_into_libs=yes
-  if test "$host_cpu" = ia64; then
-    # AIX 5 supports IA64
-    library_names_spec='${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext}$versuffix $libname${shared_ext}'
-    shlibpath_var=LD_LIBRARY_PATH
-  else
-    # With GCC up to 2.95.x, collect2 would create an import file
-    # for dependence libraries.  The import file would start with
-    # the line `#! .'.  This would cause the generated library to
-    # depend on `.', always an invalid library.  This was fixed in
-    # development snapshots of GCC prior to 3.0.
-    case $host_os in
-      aix4 | aix4.[01] | aix4.[01].*)
-      if { echo '#if __GNUC__ > 2 || (__GNUC__ == 2 && __GNUC_MINOR__ >= 97)'
-	   echo ' yes '
-	   echo '#endif'; } | ${CC} -E - | grep yes > /dev/null; then
-	:
-      else
-	can_build_shared=no
-      fi
-      ;;
-    esac
-    # AIX (on Power*) has no versioning support, so currently we can not hardcode correct
-    # soname into executable. Probably we can add versioning support to
-    # collect2, so additional links can be useful in future.
-    if test "$aix_use_runtimelinking" = yes; then
-      # If using run time linking (on AIX 4.2 or later) use lib<name>.so
-      # instead of lib<name>.a to let people know that these are not
-      # typical AIX shared libraries.
-      library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-    else
-      # We preserve .a as extension for shared libraries through AIX4.2
-      # and later when we are not doing run time linking.
-      library_names_spec='${libname}${release}.a $libname.a'
-      soname_spec='${libname}${release}${shared_ext}$major'
-    fi
-    shlibpath_var=LIBPATH
-  fi
-  ;;
-
-amigaos*)
-  library_names_spec='$libname.ixlibrary $libname.a'
-  # Create ${libname}_ixlibrary.a entries in /sys/libs.
-  finish_eval='for lib in `ls $libdir/*.ixlibrary 2>/dev/null`; do libname=`$echo "X$lib" | $Xsed -e '\''s%^.*/\([^/]*\)\.ixlibrary$%\1%'\''`; test $rm /sys/libs/${libname}_ixlibrary.a; $show "cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a"; cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a || exit 1; done'
-  ;;
-
-beos*)
-  library_names_spec='${libname}${shared_ext}'
-  dynamic_linker="$host_os ld.so"
-  shlibpath_var=LIBRARY_PATH
-  ;;
-
-bsdi[45]*)
-  version_type=linux
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  finish_cmds='PATH="\$PATH:/sbin" ldconfig $libdir'
-  shlibpath_var=LD_LIBRARY_PATH
-  sys_lib_search_path_spec="/shlib /usr/lib /usr/X11/lib /usr/contrib/lib /lib /usr/local/lib"
-  sys_lib_dlsearch_path_spec="/shlib /usr/lib /usr/local/lib"
-  # the default ld.so.conf also contains /usr/contrib/lib and
-  # /usr/X11R6/lib (/usr/X11 is a link to /usr/X11R6), but let us allow
-  # libtool to hard-code these into programs
-  ;;
-
-cygwin* | mingw* | pw32*)
-  version_type=windows
-  shrext_cmds=".dll"
-  need_version=no
-  need_lib_prefix=no
-
-  case $GCC,$host_os in
-  yes,cygwin* | yes,mingw* | yes,pw32*)
-    library_names_spec='$libname.dll.a'
-    # DLL is installed to $(libdir)/../bin by postinstall_cmds
-    postinstall_cmds='base_file=`basename \${file}`~
-      dlpath=`$SHELL 2>&1 -c '\''. $dir/'\''\${base_file}'\''i;echo \$dlname'\''`~
-      dldir=$destdir/`dirname \$dlpath`~
-      test -d \$dldir || mkdir -p \$dldir~
-      $install_prog $dir/$dlname \$dldir/$dlname~
-      chmod a+x \$dldir/$dlname'
-    postuninstall_cmds='dldll=`$SHELL 2>&1 -c '\''. $file; echo \$dlname'\''`~
-      dlpath=$dir/\$dldll~
-       $rm \$dlpath'
-    shlibpath_overrides_runpath=yes
-
-    case $host_os in
-    cygwin*)
-      # Cygwin DLLs use 'cyg' prefix rather than 'lib'
-      soname_spec='`echo ${libname} | sed -e 's/^lib/cyg/'``echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}'
-      sys_lib_search_path_spec="/usr/lib /lib/w32api /lib /usr/local/lib"
-      ;;
-    mingw*)
-      # MinGW DLLs use traditional 'lib' prefix
-      soname_spec='${libname}`echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}'
-      sys_lib_search_path_spec=`$CC -print-search-dirs | grep "^libraries:" | $SED -e "s/^libraries://" -e "s,=/,/,g"`
-      if echo "$sys_lib_search_path_spec" | grep ';[c-zC-Z]:/' >/dev/null; then
-        # It is most probably a Windows format PATH printed by
-        # mingw gcc, but we are running on Cygwin. Gcc prints its search
-        # path with ; separators, and with drive letters. We can handle the
-        # drive letters (cygwin fileutils understands them), so leave them,
-        # especially as we might pass files found there to a mingw objdump,
-        # which wouldn't understand a cygwinified path. Ahh.
-        sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'`
-      else
-        sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED  -e "s/$PATH_SEPARATOR/ /g"`
-      fi
-      ;;
-    pw32*)
-      # pw32 DLLs use 'pw' prefix rather than 'lib'
-      library_names_spec='`echo ${libname} | sed -e 's/^lib/pw/'``echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}'
-      ;;
-    esac
-    ;;
-
-  *)
-    library_names_spec='${libname}`echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext} $libname.lib'
-    ;;
-  esac
-  dynamic_linker='Win32 ld.exe'
-  # FIXME: first we should search . and the directory the executable is in
-  shlibpath_var=PATH
-  ;;
-
-darwin* | rhapsody*)
-  dynamic_linker="$host_os dyld"
-  version_type=darwin
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${versuffix}$shared_ext ${libname}${release}${major}$shared_ext ${libname}$shared_ext'
-  soname_spec='${libname}${release}${major}$shared_ext'
-  shlibpath_overrides_runpath=yes
-  shlibpath_var=DYLD_LIBRARY_PATH
-  shrext_cmds='`test .$module = .yes && echo .so || echo .dylib`'
-
-  sys_lib_dlsearch_path_spec='/usr/local/lib /lib /usr/lib'
-  ;;
-
-dgux*)
-  version_type=linux
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname$shared_ext'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  ;;
-
-freebsd1*)
-  dynamic_linker=no
-  ;;
-
-freebsd* | dragonfly*)
-  # DragonFly does not have aout.  When/if they implement a new
-  # versioning mechanism, adjust this.
-  if test -x /usr/bin/objformat; then
-    objformat=`/usr/bin/objformat`
-  else
-    case $host_os in
-    freebsd[123]*) objformat=aout ;;
-    *) objformat=elf ;;
-    esac
-  fi
-  version_type=freebsd-$objformat
-  case $version_type in
-    freebsd-elf*)
-      library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext} $libname${shared_ext}'
-      need_version=no
-      need_lib_prefix=no
-      ;;
-    freebsd-*)
-      library_names_spec='${libname}${release}${shared_ext}$versuffix $libname${shared_ext}$versuffix'
-      need_version=yes
-      ;;
-  esac
-  shlibpath_var=LD_LIBRARY_PATH
-  case $host_os in
-  freebsd2*)
-    shlibpath_overrides_runpath=yes
-    ;;
-  freebsd3.[01]* | freebsdelf3.[01]*)
-    shlibpath_overrides_runpath=yes
-    hardcode_into_libs=yes
-    ;;
-  freebsd3.[2-9]* | freebsdelf3.[2-9]* | \
-  freebsd4.[0-5] | freebsdelf4.[0-5] | freebsd4.1.1 | freebsdelf4.1.1)
-    shlibpath_overrides_runpath=no
-    hardcode_into_libs=yes
-    ;;
-  *) # from 4.6 on, and DragonFly
-    shlibpath_overrides_runpath=yes
-    hardcode_into_libs=yes
-    ;;
-  esac
-  ;;
-
-gnu*)
-  version_type=linux
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}${major} ${libname}${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  hardcode_into_libs=yes
-  ;;
-
-hpux9* | hpux10* | hpux11*)
-  # Give a soname corresponding to the major version so that dld.sl refuses to
-  # link against other versions.
-  version_type=sunos
-  need_lib_prefix=no
-  need_version=no
-  case $host_cpu in
-  ia64*)
-    shrext_cmds='.so'
-    hardcode_into_libs=yes
-    dynamic_linker="$host_os dld.so"
-    shlibpath_var=LD_LIBRARY_PATH
-    shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
-    library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-    soname_spec='${libname}${release}${shared_ext}$major'
-    if test "X$HPUX_IA64_MODE" = X32; then
-      sys_lib_search_path_spec="/usr/lib/hpux32 /usr/local/lib/hpux32 /usr/local/lib"
-    else
-      sys_lib_search_path_spec="/usr/lib/hpux64 /usr/local/lib/hpux64"
-    fi
-    sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
-    ;;
-   hppa*64*)
-     shrext_cmds='.sl'
-     hardcode_into_libs=yes
-     dynamic_linker="$host_os dld.sl"
-     shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH
-     shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
-     library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-     soname_spec='${libname}${release}${shared_ext}$major'
-     sys_lib_search_path_spec="/usr/lib/pa20_64 /usr/ccs/lib/pa20_64"
-     sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
-     ;;
-   *)
-    shrext_cmds='.sl'
-    dynamic_linker="$host_os dld.sl"
-    shlibpath_var=SHLIB_PATH
-    shlibpath_overrides_runpath=no # +s is required to enable SHLIB_PATH
-    library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-    soname_spec='${libname}${release}${shared_ext}$major'
-    ;;
-  esac
-  # HP-UX runs *really* slowly unless shared libraries are mode 555.
-  postinstall_cmds='chmod 555 $lib'
-  ;;
-
-interix[3-9]*)
-  version_type=linux
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  dynamic_linker='Interix 3.x ld.so.1 (PE, like ELF)'
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=no
-  hardcode_into_libs=yes
-  ;;
-
-irix5* | irix6* | nonstopux*)
-  case $host_os in
-    nonstopux*) version_type=nonstopux ;;
-    *)
-	if test "$lt_cv_prog_gnu_ld" = yes; then
-		version_type=linux
-	else
-		version_type=irix
-	fi ;;
-  esac
-  need_lib_prefix=no
-  need_version=no
-  soname_spec='${libname}${release}${shared_ext}$major'
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext} $libname${shared_ext}'
-  case $host_os in
-  irix5* | nonstopux*)
-    libsuff= shlibsuff=
-    ;;
-  *)
-    case $LD in # libtool.m4 will add one of these switches to LD
-    *-32|*"-32 "|*-melf32bsmip|*"-melf32bsmip ")
-      libsuff= shlibsuff= libmagic=32-bit;;
-    *-n32|*"-n32 "|*-melf32bmipn32|*"-melf32bmipn32 ")
-      libsuff=32 shlibsuff=N32 libmagic=N32;;
-    *-64|*"-64 "|*-melf64bmip|*"-melf64bmip ")
-      libsuff=64 shlibsuff=64 libmagic=64-bit;;
-    *) libsuff= shlibsuff= libmagic=never-match;;
-    esac
-    ;;
-  esac
-  shlibpath_var=LD_LIBRARY${shlibsuff}_PATH
-  shlibpath_overrides_runpath=no
-  sys_lib_search_path_spec="/usr/lib${libsuff} /lib${libsuff} /usr/local/lib${libsuff}"
-  sys_lib_dlsearch_path_spec="/usr/lib${libsuff} /lib${libsuff}"
-  hardcode_into_libs=yes
-  ;;
-
-# No shared lib support for Linux oldld, aout, or coff.
-linux*oldld* | linux*aout* | linux*coff*)
-  dynamic_linker=no
-  ;;
-
-# This must be Linux ELF.
-linux* | k*bsd*-gnu)
-  version_type=linux
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  finish_cmds='PATH="\$PATH:/sbin" ldconfig -n $libdir'
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=no
-  # This implies no fast_install, which is unacceptable.
-  # Some rework will be needed to allow for fast_install
-  # before this can be enabled.
-  hardcode_into_libs=yes
-
-  # Append ld.so.conf contents to the search path
-  if test -f /etc/ld.so.conf; then
-    lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ 	]*hwcap[ 	]/d;s/[:,	]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;/^$/d' | tr '\n' ' '`
-    sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
-  fi
-
-  # We used to test for /lib/ld.so.1 and disable shared libraries on
-  # powerpc, because MkLinux only supported shared libraries with the
-  # GNU dynamic linker.  Since this was broken with cross compilers,
-  # most powerpc-linux boxes support dynamic linking these days and
-  # people can always --disable-shared, the test was removed, and we
-  # assume the GNU/Linux dynamic linker is in use.
-  dynamic_linker='GNU/Linux ld.so'
-  ;;
-
-netbsdelf*-gnu)
-  version_type=linux
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=no
-  hardcode_into_libs=yes
-  dynamic_linker='NetBSD ld.elf_so'
-  ;;
-
-netbsd*)
-  version_type=sunos
-  need_lib_prefix=no
-  need_version=no
-  if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
-    library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
-    finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
-    dynamic_linker='NetBSD (a.out) ld.so'
-  else
-    library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
-    soname_spec='${libname}${release}${shared_ext}$major'
-    dynamic_linker='NetBSD ld.elf_so'
-  fi
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=yes
-  hardcode_into_libs=yes
-  ;;
-
-newsos6)
-  version_type=linux
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=yes
-  ;;
-
-nto-qnx*)
-  version_type=linux
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=yes
-  ;;
-
-openbsd*)
-  version_type=sunos
-  sys_lib_dlsearch_path_spec="/usr/lib"
-  need_lib_prefix=no
-  # Some older versions of OpenBSD (3.3 at least) *do* need versioned libs.
-  case $host_os in
-    openbsd3.3 | openbsd3.3.*) need_version=yes ;;
-    *)                         need_version=no  ;;
-  esac
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
-  finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
-  shlibpath_var=LD_LIBRARY_PATH
-  if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
-    case $host_os in
-      openbsd2.[89] | openbsd2.[89].*)
-	shlibpath_overrides_runpath=no
-	;;
-      *)
-	shlibpath_overrides_runpath=yes
-	;;
-      esac
-  else
-    shlibpath_overrides_runpath=yes
-  fi
-  ;;
-
-os2*)
-  libname_spec='$name'
-  shrext_cmds=".dll"
-  need_lib_prefix=no
-  library_names_spec='$libname${shared_ext} $libname.a'
-  dynamic_linker='OS/2 ld.exe'
-  shlibpath_var=LIBPATH
-  ;;
-
-osf3* | osf4* | osf5*)
-  version_type=osf
-  need_lib_prefix=no
-  need_version=no
-  soname_spec='${libname}${release}${shared_ext}$major'
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-  shlibpath_var=LD_LIBRARY_PATH
-  sys_lib_search_path_spec="/usr/shlib /usr/ccs/lib /usr/lib/cmplrs/cc /usr/lib /usr/local/lib /var/shlib"
-  sys_lib_dlsearch_path_spec="$sys_lib_search_path_spec"
-  ;;
-
-rdos*)
-  dynamic_linker=no
-  ;;
-
-solaris*)
-  version_type=linux
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=yes
-  hardcode_into_libs=yes
-  # ldd complains unless libraries are executable
-  postinstall_cmds='chmod +x $lib'
-  ;;
-
-sunos4*)
-  version_type=sunos
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
-  finish_cmds='PATH="\$PATH:/usr/etc" ldconfig $libdir'
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=yes
-  if test "$with_gnu_ld" = yes; then
-    need_lib_prefix=no
-  fi
-  need_version=yes
-  ;;
-
-sysv4 | sysv4.3*)
-  version_type=linux
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  case $host_vendor in
-    sni)
-      shlibpath_overrides_runpath=no
-      need_lib_prefix=no
-      export_dynamic_flag_spec='${wl}-Blargedynsym'
-      runpath_var=LD_RUN_PATH
-      ;;
-    siemens)
-      need_lib_prefix=no
-      ;;
-    motorola)
-      need_lib_prefix=no
-      need_version=no
-      shlibpath_overrides_runpath=no
-      sys_lib_search_path_spec='/lib /usr/lib /usr/ccs/lib'
-      ;;
-  esac
-  ;;
-
-sysv4*MP*)
-  if test -d /usr/nec ;then
-    version_type=linux
-    library_names_spec='$libname${shared_ext}.$versuffix $libname${shared_ext}.$major $libname${shared_ext}'
-    soname_spec='$libname${shared_ext}.$major'
-    shlibpath_var=LD_LIBRARY_PATH
-  fi
-  ;;
-
-sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX* | sysv4*uw2*)
-  version_type=freebsd-elf
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext} $libname${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  hardcode_into_libs=yes
-  if test "$with_gnu_ld" = yes; then
-    sys_lib_search_path_spec='/usr/local/lib /usr/gnu/lib /usr/ccs/lib /usr/lib /lib'
-    shlibpath_overrides_runpath=no
-  else
-    sys_lib_search_path_spec='/usr/ccs/lib /usr/lib'
-    shlibpath_overrides_runpath=yes
-    case $host_os in
-      sco3.2v5*)
-        sys_lib_search_path_spec="$sys_lib_search_path_spec /lib"
-	;;
-    esac
-  fi
-  sys_lib_dlsearch_path_spec='/usr/lib'
-  ;;
-
-uts4*)
-  version_type=linux
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  ;;
-
-*)
-  dynamic_linker=no
-  ;;
-esac
-{ echo "$as_me:$LINENO: result: $dynamic_linker" >&5
-echo "${ECHO_T}$dynamic_linker" >&6; }
-test "$dynamic_linker" = no && can_build_shared=no
-
-if test "${lt_cv_sys_lib_search_path_spec+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  lt_cv_sys_lib_search_path_spec="$sys_lib_search_path_spec"
-fi
-
-sys_lib_search_path_spec="$lt_cv_sys_lib_search_path_spec"
-if test "${lt_cv_sys_lib_dlsearch_path_spec+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  lt_cv_sys_lib_dlsearch_path_spec="$sys_lib_dlsearch_path_spec"
-fi
-
-sys_lib_dlsearch_path_spec="$lt_cv_sys_lib_dlsearch_path_spec"
-
-variables_saved_for_relink="PATH $shlibpath_var $runpath_var"
-if test "$GCC" = yes; then
-  variables_saved_for_relink="$variables_saved_for_relink GCC_EXEC_PREFIX COMPILER_PATH LIBRARY_PATH"
-fi
-
-{ echo "$as_me:$LINENO: checking how to hardcode library paths into programs" >&5
-echo $ECHO_N "checking how to hardcode library paths into programs... $ECHO_C" >&6; }
-hardcode_action_F77=
-if test -n "$hardcode_libdir_flag_spec_F77" || \
-   test -n "$runpath_var_F77" || \
-   test "X$hardcode_automatic_F77" = "Xyes" ; then
-
-  # We can hardcode non-existant directories.
-  if test "$hardcode_direct_F77" != no &&
-     # If the only mechanism to avoid hardcoding is shlibpath_var, we
-     # have to relink, otherwise we might link with an installed library
-     # when we should be linking with a yet-to-be-installed one
-     ## test "$_LT_AC_TAGVAR(hardcode_shlibpath_var, F77)" != no &&
-     test "$hardcode_minus_L_F77" != no; then
-    # Linking always hardcodes the temporary library directory.
-    hardcode_action_F77=relink
-  else
-    # We can link without hardcoding, and we can hardcode nonexisting dirs.
-    hardcode_action_F77=immediate
-  fi
-else
-  # We cannot hardcode anything, or else we can only hardcode existing
-  # directories.
-  hardcode_action_F77=unsupported
-fi
-{ echo "$as_me:$LINENO: result: $hardcode_action_F77" >&5
-echo "${ECHO_T}$hardcode_action_F77" >&6; }
-
-if test "$hardcode_action_F77" = relink; then
-  # Fast installation is not supported
-  enable_fast_install=no
-elif test "$shlibpath_overrides_runpath" = yes ||
-     test "$enable_shared" = no; then
-  # Fast installation is not necessary
-  enable_fast_install=needless
-fi
-
-
-# The else clause should only fire when bootstrapping the
-# libtool distribution, otherwise you forgot to ship ltmain.sh
-# with your package, and you will get complaints that there are
-# no rules to generate ltmain.sh.
-if test -f "$ltmain"; then
-  # See if we are running on zsh, and set the options which allow our commands through
-  # without removal of \ escapes.
-  if test -n "${ZSH_VERSION+set}" ; then
-    setopt NO_GLOB_SUBST
-  fi
-  # Now quote all the things that may contain metacharacters while being
-  # careful not to overquote the AC_SUBSTed values.  We take copies of the
-  # variables and quote the copies for generation of the libtool script.
-  for var in echo old_CC old_CFLAGS AR AR_FLAGS EGREP RANLIB LN_S LTCC LTCFLAGS NM \
-    SED SHELL STRIP \
-    libname_spec library_names_spec soname_spec extract_expsyms_cmds \
-    old_striplib striplib file_magic_cmd finish_cmds finish_eval \
-    deplibs_check_method reload_flag reload_cmds need_locks \
-    lt_cv_sys_global_symbol_pipe lt_cv_sys_global_symbol_to_cdecl \
-    lt_cv_sys_global_symbol_to_c_name_address \
-    sys_lib_search_path_spec sys_lib_dlsearch_path_spec \
-    old_postinstall_cmds old_postuninstall_cmds \
-    compiler_F77 \
-    CC_F77 \
-    LD_F77 \
-    lt_prog_compiler_wl_F77 \
-    lt_prog_compiler_pic_F77 \
-    lt_prog_compiler_static_F77 \
-    lt_prog_compiler_no_builtin_flag_F77 \
-    export_dynamic_flag_spec_F77 \
-    thread_safe_flag_spec_F77 \
-    whole_archive_flag_spec_F77 \
-    enable_shared_with_static_runtimes_F77 \
-    old_archive_cmds_F77 \
-    old_archive_from_new_cmds_F77 \
-    predep_objects_F77 \
-    postdep_objects_F77 \
-    predeps_F77 \
-    postdeps_F77 \
-    compiler_lib_search_path_F77 \
-    compiler_lib_search_dirs_F77 \
-    archive_cmds_F77 \
-    archive_expsym_cmds_F77 \
-    postinstall_cmds_F77 \
-    postuninstall_cmds_F77 \
-    old_archive_from_expsyms_cmds_F77 \
-    allow_undefined_flag_F77 \
-    no_undefined_flag_F77 \
-    export_symbols_cmds_F77 \
-    hardcode_libdir_flag_spec_F77 \
-    hardcode_libdir_flag_spec_ld_F77 \
-    hardcode_libdir_separator_F77 \
-    hardcode_automatic_F77 \
-    module_cmds_F77 \
-    module_expsym_cmds_F77 \
-    lt_cv_prog_compiler_c_o_F77 \
-    fix_srcfile_path_F77 \
-    exclude_expsyms_F77 \
-    include_expsyms_F77; do
-
-    case $var in
-    old_archive_cmds_F77 | \
-    old_archive_from_new_cmds_F77 | \
-    archive_cmds_F77 | \
-    archive_expsym_cmds_F77 | \
-    module_cmds_F77 | \
-    module_expsym_cmds_F77 | \
-    old_archive_from_expsyms_cmds_F77 | \
-    export_symbols_cmds_F77 | \
-    extract_expsyms_cmds | reload_cmds | finish_cmds | \
-    postinstall_cmds | postuninstall_cmds | \
-    old_postinstall_cmds | old_postuninstall_cmds | \
-    sys_lib_search_path_spec | sys_lib_dlsearch_path_spec)
-      # Double-quote double-evaled strings.
-      eval "lt_$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$double_quote_subst\" -e \"\$sed_quote_subst\" -e \"\$delay_variable_subst\"\`\\\""
-      ;;
-    *)
-      eval "lt_$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$sed_quote_subst\"\`\\\""
-      ;;
-    esac
-  done
-
-  case $lt_echo in
-  *'\$0 --fallback-echo"')
-    lt_echo=`$echo "X$lt_echo" | $Xsed -e 's/\\\\\\\$0 --fallback-echo"$/$0 --fallback-echo"/'`
-    ;;
-  esac
-
-cfgfile="$ofile"
-
-  cat <<__EOF__ >> "$cfgfile"
-# ### BEGIN LIBTOOL TAG CONFIG: $tagname
-
-# Libtool was configured on host `(hostname || uname -n) 2>/dev/null | sed 1q`:
-
-# Shell to use when invoking shell scripts.
-SHELL=$lt_SHELL
-
-# Whether or not to build shared libraries.
-build_libtool_libs=$enable_shared
-
-# Whether or not to build static libraries.
-build_old_libs=$enable_static
-
-# Whether or not to add -lc for building shared libraries.
-build_libtool_need_lc=$archive_cmds_need_lc_F77
-
-# Whether or not to disallow shared libs when runtime libs are static
-allow_libtool_libs_with_static_runtimes=$enable_shared_with_static_runtimes_F77
-
-# Whether or not to optimize for fast installation.
-fast_install=$enable_fast_install
-
-# The host system.
-host_alias=$host_alias
-host=$host
-host_os=$host_os
-
-# The build system.
-build_alias=$build_alias
-build=$build
-build_os=$build_os
-
-# An echo program that does not interpret backslashes.
-echo=$lt_echo
-
-# The archiver.
-AR=$lt_AR
-AR_FLAGS=$lt_AR_FLAGS
-
-# A C compiler.
-LTCC=$lt_LTCC
-
-# LTCC compiler flags.
-LTCFLAGS=$lt_LTCFLAGS
-
-# A language-specific compiler.
-CC=$lt_compiler_F77
-
-# Is the compiler the GNU C compiler?
-with_gcc=$GCC_F77
-
-# An ERE matcher.
-EGREP=$lt_EGREP
-
-# The linker used to build libraries.
-LD=$lt_LD_F77
-
-# Whether we need hard or soft links.
-LN_S=$lt_LN_S
-
-# A BSD-compatible nm program.
-NM=$lt_NM
-
-# A symbol stripping program
-STRIP=$lt_STRIP
-
-# Used to examine libraries when file_magic_cmd begins "file"
-MAGIC_CMD=$MAGIC_CMD
-
-# Used on cygwin: DLL creation program.
-DLLTOOL="$DLLTOOL"
-
-# Used on cygwin: object dumper.
-OBJDUMP="$OBJDUMP"
-
-# Used on cygwin: assembler.
-AS="$AS"
-
-# The name of the directory that contains temporary libtool files.
-objdir=$objdir
-
-# How to create reloadable object files.
-reload_flag=$lt_reload_flag
-reload_cmds=$lt_reload_cmds
-
-# How to pass a linker flag through the compiler.
-wl=$lt_lt_prog_compiler_wl_F77
-
-# Object file suffix (normally "o").
-objext="$ac_objext"
-
-# Old archive suffix (normally "a").
-libext="$libext"
-
-# Shared library suffix (normally ".so").
-shrext_cmds='$shrext_cmds'
-
-# Executable file suffix (normally "").
-exeext="$exeext"
-
-# Additional compiler flags for building library objects.
-pic_flag=$lt_lt_prog_compiler_pic_F77
-pic_mode=$pic_mode
-
-# What is the maximum length of a command?
-max_cmd_len=$lt_cv_sys_max_cmd_len
-
-# Does compiler simultaneously support -c and -o options?
-compiler_c_o=$lt_lt_cv_prog_compiler_c_o_F77
-
-# Must we lock files when doing compilation?
-need_locks=$lt_need_locks
-
-# Do we need the lib prefix for modules?
-need_lib_prefix=$need_lib_prefix
-
-# Do we need a version for libraries?
-need_version=$need_version
-
-# Whether dlopen is supported.
-dlopen_support=$enable_dlopen
-
-# Whether dlopen of programs is supported.
-dlopen_self=$enable_dlopen_self
-
-# Whether dlopen of statically linked programs is supported.
-dlopen_self_static=$enable_dlopen_self_static
-
-# Compiler flag to prevent dynamic linking.
-link_static_flag=$lt_lt_prog_compiler_static_F77
-
-# Compiler flag to turn off builtin functions.
-no_builtin_flag=$lt_lt_prog_compiler_no_builtin_flag_F77
-
-# Compiler flag to allow reflexive dlopens.
-export_dynamic_flag_spec=$lt_export_dynamic_flag_spec_F77
-
-# Compiler flag to generate shared objects directly from archives.
-whole_archive_flag_spec=$lt_whole_archive_flag_spec_F77
-
-# Compiler flag to generate thread-safe objects.
-thread_safe_flag_spec=$lt_thread_safe_flag_spec_F77
-
-# Library versioning type.
-version_type=$version_type
-
-# Format of library name prefix.
-libname_spec=$lt_libname_spec
-
-# List of archive names.  First name is the real one, the rest are links.
-# The last name is the one that the linker finds with -lNAME.
-library_names_spec=$lt_library_names_spec
-
-# The coded name of the library, if different from the real name.
-soname_spec=$lt_soname_spec
-
-# Commands used to build and install an old-style archive.
-RANLIB=$lt_RANLIB
-old_archive_cmds=$lt_old_archive_cmds_F77
-old_postinstall_cmds=$lt_old_postinstall_cmds
-old_postuninstall_cmds=$lt_old_postuninstall_cmds
-
-# Create an old-style archive from a shared archive.
-old_archive_from_new_cmds=$lt_old_archive_from_new_cmds_F77
-
-# Create a temporary old-style archive to link instead of a shared archive.
-old_archive_from_expsyms_cmds=$lt_old_archive_from_expsyms_cmds_F77
-
-# Commands used to build and install a shared archive.
-archive_cmds=$lt_archive_cmds_F77
-archive_expsym_cmds=$lt_archive_expsym_cmds_F77
-postinstall_cmds=$lt_postinstall_cmds
-postuninstall_cmds=$lt_postuninstall_cmds
-
-# Commands used to build a loadable module (assumed same as above if empty)
-module_cmds=$lt_module_cmds_F77
-module_expsym_cmds=$lt_module_expsym_cmds_F77
-
-# Commands to strip libraries.
-old_striplib=$lt_old_striplib
-striplib=$lt_striplib
-
-# Dependencies to place before the objects being linked to create a
-# shared library.
-predep_objects=$lt_predep_objects_F77
-
-# Dependencies to place after the objects being linked to create a
-# shared library.
-postdep_objects=$lt_postdep_objects_F77
-
-# Dependencies to place before the objects being linked to create a
-# shared library.
-predeps=$lt_predeps_F77
-
-# Dependencies to place after the objects being linked to create a
-# shared library.
-postdeps=$lt_postdeps_F77
-
-# The directories searched by this compiler when creating a shared
-# library
-compiler_lib_search_dirs=$lt_compiler_lib_search_dirs_F77
-
-# The library search path used internally by the compiler when linking
-# a shared library.
-compiler_lib_search_path=$lt_compiler_lib_search_path_F77
-
-# Method to check whether dependent libraries are shared objects.
-deplibs_check_method=$lt_deplibs_check_method
-
-# Command to use when deplibs_check_method == file_magic.
-file_magic_cmd=$lt_file_magic_cmd
-
-# Flag that allows shared libraries with undefined symbols to be built.
-allow_undefined_flag=$lt_allow_undefined_flag_F77
-
-# Flag that forces no undefined symbols.
-no_undefined_flag=$lt_no_undefined_flag_F77
-
-# Commands used to finish a libtool library installation in a directory.
-finish_cmds=$lt_finish_cmds
-
-# Same as above, but a single script fragment to be evaled but not shown.
-finish_eval=$lt_finish_eval
-
-# Take the output of nm and produce a listing of raw symbols and C names.
-global_symbol_pipe=$lt_lt_cv_sys_global_symbol_pipe
-
-# Transform the output of nm in a proper C declaration
-global_symbol_to_cdecl=$lt_lt_cv_sys_global_symbol_to_cdecl
-
-# Transform the output of nm in a C name address pair
-global_symbol_to_c_name_address=$lt_lt_cv_sys_global_symbol_to_c_name_address
-
-# This is the shared library runtime path variable.
-runpath_var=$runpath_var
-
-# This is the shared library path variable.
-shlibpath_var=$shlibpath_var
-
-# Is shlibpath searched before the hard-coded library search path?
-shlibpath_overrides_runpath=$shlibpath_overrides_runpath
-
-# How to hardcode a shared library path into an executable.
-hardcode_action=$hardcode_action_F77
-
-# Whether we should hardcode library paths into libraries.
-hardcode_into_libs=$hardcode_into_libs
-
-# Flag to hardcode \$libdir into a binary during linking.
-# This must work even if \$libdir does not exist.
-hardcode_libdir_flag_spec=$lt_hardcode_libdir_flag_spec_F77
-
-# If ld is used when linking, flag to hardcode \$libdir into
-# a binary during linking. This must work even if \$libdir does
-# not exist.
-hardcode_libdir_flag_spec_ld=$lt_hardcode_libdir_flag_spec_ld_F77
-
-# Whether we need a single -rpath flag with a separated argument.
-hardcode_libdir_separator=$lt_hardcode_libdir_separator_F77
-
-# Set to yes if using DIR/libNAME${shared_ext} during linking hardcodes DIR into the
-# resulting binary.
-hardcode_direct=$hardcode_direct_F77
-
-# Set to yes if using the -LDIR flag during linking hardcodes DIR into the
-# resulting binary.
-hardcode_minus_L=$hardcode_minus_L_F77
-
-# Set to yes if using SHLIBPATH_VAR=DIR during linking hardcodes DIR into
-# the resulting binary.
-hardcode_shlibpath_var=$hardcode_shlibpath_var_F77
-
-# Set to yes if building a shared library automatically hardcodes DIR into the library
-# and all subsequent libraries and executables linked against it.
-hardcode_automatic=$hardcode_automatic_F77
-
-# Variables whose values should be saved in libtool wrapper scripts and
-# restored at relink time.
-variables_saved_for_relink="$variables_saved_for_relink"
-
-# Whether libtool must link a program against all its dependency libraries.
-link_all_deplibs=$link_all_deplibs_F77
-
-# Compile-time system search path for libraries
-sys_lib_search_path_spec=$lt_sys_lib_search_path_spec
-
-# Run-time system search path for libraries
-sys_lib_dlsearch_path_spec=$lt_sys_lib_dlsearch_path_spec
-
-# Fix the shell variable \$srcfile for the compiler.
-fix_srcfile_path=$lt_fix_srcfile_path
-
-# Set to yes if exported symbols are required.
-always_export_symbols=$always_export_symbols_F77
-
-# The commands to list exported symbols.
-export_symbols_cmds=$lt_export_symbols_cmds_F77
-
-# The commands to extract the exported symbol list from a shared archive.
-extract_expsyms_cmds=$lt_extract_expsyms_cmds
-
-# Symbols that should not be listed in the preloaded symbols.
-exclude_expsyms=$lt_exclude_expsyms_F77
-
-# Symbols that must always be exported.
-include_expsyms=$lt_include_expsyms_F77
-
-# ### END LIBTOOL TAG CONFIG: $tagname
-
-__EOF__
-
-
-else
-  # If there is no Makefile yet, we rely on a make rule to execute
-  # `config.status --recheck' to rerun these tests and create the
-  # libtool script then.
-  ltmain_in=`echo $ltmain | sed -e 's/\.sh$/.in/'`
-  if test -f "$ltmain_in"; then
-    test -f Makefile && make "$ltmain"
-  fi
-fi
-
-
-ac_ext=c
-ac_cpp='$CPP $CPPFLAGS'
-ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
-ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
-ac_compiler_gnu=$ac_cv_c_compiler_gnu
-
-CC="$lt_save_CC"
-
-	else
-	  tagname=""
-	fi
-	;;
-
-      GCJ)
-	if test -n "$GCJ" && test "X$GCJ" != "Xno"; then
-
-
-# Source file extension for Java test sources.
-ac_ext=java
-
-# Object file extension for compiled Java test sources.
-objext=o
-objext_GCJ=$objext
-
-# Code to be used in simple compile tests
-lt_simple_compile_test_code="class foo {}"
-
-# Code to be used in simple link tests
-lt_simple_link_test_code='public class conftest { public static void main(String[] argv) {}; }'
-
-# ltmain only uses $CC for tagged configurations so make sure $CC is set.
-
-# If no C compiler was specified, use CC.
-LTCC=${LTCC-"$CC"}
-
-# If no C compiler flags were specified, use CFLAGS.
-LTCFLAGS=${LTCFLAGS-"$CFLAGS"}
-
-# Allow CC to be a program name with arguments.
-compiler=$CC
-
-
-# save warnings/boilerplate of simple test code
-ac_outfile=conftest.$ac_objext
-echo "$lt_simple_compile_test_code" >conftest.$ac_ext
-eval "$ac_compile" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err
-_lt_compiler_boilerplate=`cat conftest.err`
-$rm conftest*
-
-ac_outfile=conftest.$ac_objext
-echo "$lt_simple_link_test_code" >conftest.$ac_ext
-eval "$ac_link" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err
-_lt_linker_boilerplate=`cat conftest.err`
-$rm -r conftest*
-
-
-# Allow CC to be a program name with arguments.
-lt_save_CC="$CC"
-CC=${GCJ-"gcj"}
-compiler=$CC
-compiler_GCJ=$CC
-for cc_temp in $compiler""; do
-  case $cc_temp in
-    compile | *[\\/]compile | ccache | *[\\/]ccache ) ;;
-    distcc | *[\\/]distcc | purify | *[\\/]purify ) ;;
-    \-*) ;;
-    *) break;;
-  esac
-done
-cc_basename=`$echo "X$cc_temp" | $Xsed -e 's%.*/%%' -e "s%^$host_alias-%%"`
-
-
-# GCJ did not exist at the time GCC didn't implicitly link libc in.
-archive_cmds_need_lc_GCJ=no
-
-old_archive_cmds_GCJ=$old_archive_cmds
-
-
-lt_prog_compiler_no_builtin_flag_GCJ=
-
-if test "$GCC" = yes; then
-  lt_prog_compiler_no_builtin_flag_GCJ=' -fno-builtin'
-
-
-{ echo "$as_me:$LINENO: checking if $compiler supports -fno-rtti -fno-exceptions" >&5
-echo $ECHO_N "checking if $compiler supports -fno-rtti -fno-exceptions... $ECHO_C" >&6; }
-if test "${lt_cv_prog_compiler_rtti_exceptions+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  lt_cv_prog_compiler_rtti_exceptions=no
-  ac_outfile=conftest.$ac_objext
-   echo "$lt_simple_compile_test_code" > conftest.$ac_ext
-   lt_compiler_flag="-fno-rtti -fno-exceptions"
-   # Insert the option either (1) after the last *FLAGS variable, or
-   # (2) before a word containing "conftest.", or (3) at the end.
-   # Note that $ac_compile itself does not contain backslashes and begins
-   # with a dollar sign (not a hyphen), so the echo should work correctly.
-   # The option is referenced via a variable to avoid confusing sed.
-   lt_compile=`echo "$ac_compile" | $SED \
-   -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-   -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-   -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:17020: $lt_compile\"" >&5)
-   (eval "$lt_compile" 2>conftest.err)
-   ac_status=$?
-   cat conftest.err >&5
-   echo "$as_me:17024: \$? = $ac_status" >&5
-   if (exit $ac_status) && test -s "$ac_outfile"; then
-     # The compiler can only warn and ignore the option if not recognized
-     # So say no if there are warnings other than the usual output.
-     $echo "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' >conftest.exp
-     $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2
-     if test ! -s conftest.er2 || diff conftest.exp conftest.er2 >/dev/null; then
-       lt_cv_prog_compiler_rtti_exceptions=yes
-     fi
-   fi
-   $rm conftest*
-
-fi
-{ echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_rtti_exceptions" >&5
-echo "${ECHO_T}$lt_cv_prog_compiler_rtti_exceptions" >&6; }
-
-if test x"$lt_cv_prog_compiler_rtti_exceptions" = xyes; then
-    lt_prog_compiler_no_builtin_flag_GCJ="$lt_prog_compiler_no_builtin_flag_GCJ -fno-rtti -fno-exceptions"
-else
-    :
-fi
-
-fi
-
-lt_prog_compiler_wl_GCJ=
-lt_prog_compiler_pic_GCJ=
-lt_prog_compiler_static_GCJ=
-
-{ echo "$as_me:$LINENO: checking for $compiler option to produce PIC" >&5
-echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6; }
-
-  if test "$GCC" = yes; then
-    lt_prog_compiler_wl_GCJ='-Wl,'
-    lt_prog_compiler_static_GCJ='-static'
-
-    case $host_os in
-      aix*)
-      # All AIX code is PIC.
-      if test "$host_cpu" = ia64; then
-	# AIX 5 now supports IA64 processor
-	lt_prog_compiler_static_GCJ='-Bstatic'
-      fi
-      ;;
-
-    amigaos*)
-      # FIXME: we need at least 68020 code to build shared libraries, but
-      # adding the `-m68020' flag to GCC prevents building anything better,
-      # like `-m68040'.
-      lt_prog_compiler_pic_GCJ='-m68020 -resident32 -malways-restore-a4'
-      ;;
-
-    beos* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*)
-      # PIC is the default for these OSes.
-      ;;
-
-    mingw* | cygwin* | pw32* | os2*)
-      # This hack is so that the source file can tell whether it is being
-      # built for inclusion in a dll (and should export symbols for example).
-      # Although the cygwin gcc ignores -fPIC, still need this for old-style
-      # (--disable-auto-import) libraries
-
-      ;;
-
-    darwin* | rhapsody*)
-      # PIC is the default on this platform
-      # Common symbols not allowed in MH_DYLIB files
-      lt_prog_compiler_pic_GCJ='-fno-common'
-      ;;
-
-    interix[3-9]*)
-      # Interix 3.x gcc -fpic/-fPIC options generate broken code.
-      # Instead, we relocate shared libraries at runtime.
-      ;;
-
-    msdosdjgpp*)
-      # Just because we use GCC doesn't mean we suddenly get shared libraries
-      # on systems that don't support them.
-      lt_prog_compiler_can_build_shared_GCJ=no
-      enable_shared=no
-      ;;
-
-    sysv4*MP*)
-      if test -d /usr/nec; then
-	lt_prog_compiler_pic_GCJ=-Kconform_pic
-      fi
-      ;;
-
-    hpux*)
-      # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but
-      # not for PA HP-UX.
-      case $host_cpu in
-      hppa*64*|ia64*)
-	# +Z the default
-	;;
-      *)
-	lt_prog_compiler_pic_GCJ='-fPIC'
-	;;
-      esac
-      ;;
-
-    *)
-      lt_prog_compiler_pic_GCJ='-fPIC'
-      ;;
-    esac
-  else
-    # PORTME Check for flag to pass linker flags through the system compiler.
-    case $host_os in
-    aix*)
-      lt_prog_compiler_wl_GCJ='-Wl,'
-      if test "$host_cpu" = ia64; then
-	# AIX 5 now supports IA64 processor
-	lt_prog_compiler_static_GCJ='-Bstatic'
-      else
-	lt_prog_compiler_static_GCJ='-bnso -bI:/lib/syscalls.exp'
-      fi
-      ;;
-      darwin*)
-        # PIC is the default on this platform
-        # Common symbols not allowed in MH_DYLIB files
-       case $cc_basename in
-         xlc*)
-         lt_prog_compiler_pic_GCJ='-qnocommon'
-         lt_prog_compiler_wl_GCJ='-Wl,'
-         ;;
-       esac
-       ;;
-
-    mingw* | cygwin* | pw32* | os2*)
-      # This hack is so that the source file can tell whether it is being
-      # built for inclusion in a dll (and should export symbols for example).
-
-      ;;
-
-    hpux9* | hpux10* | hpux11*)
-      lt_prog_compiler_wl_GCJ='-Wl,'
-      # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but
-      # not for PA HP-UX.
-      case $host_cpu in
-      hppa*64*|ia64*)
-	# +Z the default
-	;;
-      *)
-	lt_prog_compiler_pic_GCJ='+Z'
-	;;
-      esac
-      # Is there a better lt_prog_compiler_static that works with the bundled CC?
-      lt_prog_compiler_static_GCJ='${wl}-a ${wl}archive'
-      ;;
-
-    irix5* | irix6* | nonstopux*)
-      lt_prog_compiler_wl_GCJ='-Wl,'
-      # PIC (with -KPIC) is the default.
-      lt_prog_compiler_static_GCJ='-non_shared'
-      ;;
-
-    newsos6)
-      lt_prog_compiler_pic_GCJ='-KPIC'
-      lt_prog_compiler_static_GCJ='-Bstatic'
-      ;;
-
-    linux* | k*bsd*-gnu)
-      case $cc_basename in
-      icc* | ecc*)
-	lt_prog_compiler_wl_GCJ='-Wl,'
-	lt_prog_compiler_pic_GCJ='-KPIC'
-	lt_prog_compiler_static_GCJ='-static'
-        ;;
-      pgcc* | pgf77* | pgf90* | pgf95*)
-        # Portland Group compilers (*not* the Pentium gcc compiler,
-	# which looks to be a dead project)
-	lt_prog_compiler_wl_GCJ='-Wl,'
-	lt_prog_compiler_pic_GCJ='-fpic'
-	lt_prog_compiler_static_GCJ='-Bstatic'
-        ;;
-      ccc*)
-        lt_prog_compiler_wl_GCJ='-Wl,'
-        # All Alpha code is PIC.
-        lt_prog_compiler_static_GCJ='-non_shared'
-        ;;
-      *)
-        case `$CC -V 2>&1 | sed 5q` in
-	*Sun\ C*)
-	  # Sun C 5.9
-	  lt_prog_compiler_pic_GCJ='-KPIC'
-	  lt_prog_compiler_static_GCJ='-Bstatic'
-	  lt_prog_compiler_wl_GCJ='-Wl,'
-	  ;;
-	*Sun\ F*)
-	  # Sun Fortran 8.3 passes all unrecognized flags to the linker
-	  lt_prog_compiler_pic_GCJ='-KPIC'
-	  lt_prog_compiler_static_GCJ='-Bstatic'
-	  lt_prog_compiler_wl_GCJ=''
-	  ;;
-	esac
-	;;
-      esac
-      ;;
-
-    osf3* | osf4* | osf5*)
-      lt_prog_compiler_wl_GCJ='-Wl,'
-      # All OSF/1 code is PIC.
-      lt_prog_compiler_static_GCJ='-non_shared'
-      ;;
-
-    rdos*)
-      lt_prog_compiler_static_GCJ='-non_shared'
-      ;;
-
-    solaris*)
-      lt_prog_compiler_pic_GCJ='-KPIC'
-      lt_prog_compiler_static_GCJ='-Bstatic'
-      case $cc_basename in
-      f77* | f90* | f95*)
-	lt_prog_compiler_wl_GCJ='-Qoption ld ';;
-      *)
-	lt_prog_compiler_wl_GCJ='-Wl,';;
-      esac
-      ;;
-
-    sunos4*)
-      lt_prog_compiler_wl_GCJ='-Qoption ld '
-      lt_prog_compiler_pic_GCJ='-PIC'
-      lt_prog_compiler_static_GCJ='-Bstatic'
-      ;;
-
-    sysv4 | sysv4.2uw2* | sysv4.3*)
-      lt_prog_compiler_wl_GCJ='-Wl,'
-      lt_prog_compiler_pic_GCJ='-KPIC'
-      lt_prog_compiler_static_GCJ='-Bstatic'
-      ;;
-
-    sysv4*MP*)
-      if test -d /usr/nec ;then
-	lt_prog_compiler_pic_GCJ='-Kconform_pic'
-	lt_prog_compiler_static_GCJ='-Bstatic'
-      fi
-      ;;
-
-    sysv5* | unixware* | sco3.2v5* | sco5v6* | OpenUNIX*)
-      lt_prog_compiler_wl_GCJ='-Wl,'
-      lt_prog_compiler_pic_GCJ='-KPIC'
-      lt_prog_compiler_static_GCJ='-Bstatic'
-      ;;
-
-    unicos*)
-      lt_prog_compiler_wl_GCJ='-Wl,'
-      lt_prog_compiler_can_build_shared_GCJ=no
-      ;;
-
-    uts4*)
-      lt_prog_compiler_pic_GCJ='-pic'
-      lt_prog_compiler_static_GCJ='-Bstatic'
-      ;;
-
-    *)
-      lt_prog_compiler_can_build_shared_GCJ=no
-      ;;
-    esac
-  fi
-
-{ echo "$as_me:$LINENO: result: $lt_prog_compiler_pic_GCJ" >&5
-echo "${ECHO_T}$lt_prog_compiler_pic_GCJ" >&6; }
-
-#
-# Check to make sure the PIC flag actually works.
-#
-if test -n "$lt_prog_compiler_pic_GCJ"; then
-
-{ echo "$as_me:$LINENO: checking if $compiler PIC flag $lt_prog_compiler_pic_GCJ works" >&5
-echo $ECHO_N "checking if $compiler PIC flag $lt_prog_compiler_pic_GCJ works... $ECHO_C" >&6; }
-if test "${lt_cv_prog_compiler_pic_works_GCJ+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  lt_cv_prog_compiler_pic_works_GCJ=no
-  ac_outfile=conftest.$ac_objext
-   echo "$lt_simple_compile_test_code" > conftest.$ac_ext
-   lt_compiler_flag="$lt_prog_compiler_pic_GCJ"
-   # Insert the option either (1) after the last *FLAGS variable, or
-   # (2) before a word containing "conftest.", or (3) at the end.
-   # Note that $ac_compile itself does not contain backslashes and begins
-   # with a dollar sign (not a hyphen), so the echo should work correctly.
-   # The option is referenced via a variable to avoid confusing sed.
-   lt_compile=`echo "$ac_compile" | $SED \
-   -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-   -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-   -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:17310: $lt_compile\"" >&5)
-   (eval "$lt_compile" 2>conftest.err)
-   ac_status=$?
-   cat conftest.err >&5
-   echo "$as_me:17314: \$? = $ac_status" >&5
-   if (exit $ac_status) && test -s "$ac_outfile"; then
-     # The compiler can only warn and ignore the option if not recognized
-     # So say no if there are warnings other than the usual output.
-     $echo "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' >conftest.exp
-     $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2
-     if test ! -s conftest.er2 || diff conftest.exp conftest.er2 >/dev/null; then
-       lt_cv_prog_compiler_pic_works_GCJ=yes
-     fi
-   fi
-   $rm conftest*
-
-fi
-{ echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_pic_works_GCJ" >&5
-echo "${ECHO_T}$lt_cv_prog_compiler_pic_works_GCJ" >&6; }
-
-if test x"$lt_cv_prog_compiler_pic_works_GCJ" = xyes; then
-    case $lt_prog_compiler_pic_GCJ in
-     "" | " "*) ;;
-     *) lt_prog_compiler_pic_GCJ=" $lt_prog_compiler_pic_GCJ" ;;
-     esac
-else
-    lt_prog_compiler_pic_GCJ=
-     lt_prog_compiler_can_build_shared_GCJ=no
-fi
-
-fi
-case $host_os in
-  # For platforms which do not support PIC, -DPIC is meaningless:
-  *djgpp*)
-    lt_prog_compiler_pic_GCJ=
-    ;;
-  *)
-    lt_prog_compiler_pic_GCJ="$lt_prog_compiler_pic_GCJ"
-    ;;
-esac
-
-#
-# Check to make sure the static flag actually works.
-#
-wl=$lt_prog_compiler_wl_GCJ eval lt_tmp_static_flag=\"$lt_prog_compiler_static_GCJ\"
-{ echo "$as_me:$LINENO: checking if $compiler static flag $lt_tmp_static_flag works" >&5
-echo $ECHO_N "checking if $compiler static flag $lt_tmp_static_flag works... $ECHO_C" >&6; }
-if test "${lt_cv_prog_compiler_static_works_GCJ+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  lt_cv_prog_compiler_static_works_GCJ=no
-   save_LDFLAGS="$LDFLAGS"
-   LDFLAGS="$LDFLAGS $lt_tmp_static_flag"
-   echo "$lt_simple_link_test_code" > conftest.$ac_ext
-   if (eval $ac_link 2>conftest.err) && test -s conftest$ac_exeext; then
-     # The linker can only warn and ignore the option if not recognized
-     # So say no if there are warnings
-     if test -s conftest.err; then
-       # Append any errors to the config.log.
-       cat conftest.err 1>&5
-       $echo "X$_lt_linker_boilerplate" | $Xsed -e '/^$/d' > conftest.exp
-       $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2
-       if diff conftest.exp conftest.er2 >/dev/null; then
-         lt_cv_prog_compiler_static_works_GCJ=yes
-       fi
-     else
-       lt_cv_prog_compiler_static_works_GCJ=yes
-     fi
-   fi
-   $rm -r conftest*
-   LDFLAGS="$save_LDFLAGS"
-
-fi
-{ echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_static_works_GCJ" >&5
-echo "${ECHO_T}$lt_cv_prog_compiler_static_works_GCJ" >&6; }
-
-if test x"$lt_cv_prog_compiler_static_works_GCJ" = xyes; then
-    :
-else
-    lt_prog_compiler_static_GCJ=
-fi
-
-
-{ echo "$as_me:$LINENO: checking if $compiler supports -c -o file.$ac_objext" >&5
-echo $ECHO_N "checking if $compiler supports -c -o file.$ac_objext... $ECHO_C" >&6; }
-if test "${lt_cv_prog_compiler_c_o_GCJ+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  lt_cv_prog_compiler_c_o_GCJ=no
-   $rm -r conftest 2>/dev/null
-   mkdir conftest
-   cd conftest
-   mkdir out
-   echo "$lt_simple_compile_test_code" > conftest.$ac_ext
-
-   lt_compiler_flag="-o out/conftest2.$ac_objext"
-   # Insert the option either (1) after the last *FLAGS variable, or
-   # (2) before a word containing "conftest.", or (3) at the end.
-   # Note that $ac_compile itself does not contain backslashes and begins
-   # with a dollar sign (not a hyphen), so the echo should work correctly.
-   lt_compile=`echo "$ac_compile" | $SED \
-   -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-   -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-   -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:17414: $lt_compile\"" >&5)
-   (eval "$lt_compile" 2>out/conftest.err)
-   ac_status=$?
-   cat out/conftest.err >&5
-   echo "$as_me:17418: \$? = $ac_status" >&5
-   if (exit $ac_status) && test -s out/conftest2.$ac_objext
-   then
-     # The compiler can only warn and ignore the option if not recognized
-     # So say no if there are warnings
-     $echo "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' > out/conftest.exp
-     $SED '/^$/d; /^ *+/d' out/conftest.err >out/conftest.er2
-     if test ! -s out/conftest.er2 || diff out/conftest.exp out/conftest.er2 >/dev/null; then
-       lt_cv_prog_compiler_c_o_GCJ=yes
-     fi
-   fi
-   chmod u+w . 2>&5
-   $rm conftest*
-   # SGI C++ compiler will create directory out/ii_files/ for
-   # template instantiation
-   test -d out/ii_files && $rm out/ii_files/* && rmdir out/ii_files
-   $rm out/* && rmdir out
-   cd ..
-   rmdir conftest
-   $rm conftest*
-
-fi
-{ echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_c_o_GCJ" >&5
-echo "${ECHO_T}$lt_cv_prog_compiler_c_o_GCJ" >&6; }
-
-
-hard_links="nottested"
-if test "$lt_cv_prog_compiler_c_o_GCJ" = no && test "$need_locks" != no; then
-  # do not overwrite the value of need_locks provided by the user
-  { echo "$as_me:$LINENO: checking if we can lock with hard links" >&5
-echo $ECHO_N "checking if we can lock with hard links... $ECHO_C" >&6; }
-  hard_links=yes
-  $rm conftest*
-  ln conftest.a conftest.b 2>/dev/null && hard_links=no
-  touch conftest.a
-  ln conftest.a conftest.b 2>&5 || hard_links=no
-  ln conftest.a conftest.b 2>/dev/null && hard_links=no
-  { echo "$as_me:$LINENO: result: $hard_links" >&5
-echo "${ECHO_T}$hard_links" >&6; }
-  if test "$hard_links" = no; then
-    { echo "$as_me:$LINENO: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&5
-echo "$as_me: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&2;}
-    need_locks=warn
-  fi
-else
-  need_locks=no
-fi
-
-{ echo "$as_me:$LINENO: checking whether the $compiler linker ($LD) supports shared libraries" >&5
-echo $ECHO_N "checking whether the $compiler linker ($LD) supports shared libraries... $ECHO_C" >&6; }
-
-  runpath_var=
-  allow_undefined_flag_GCJ=
-  enable_shared_with_static_runtimes_GCJ=no
-  archive_cmds_GCJ=
-  archive_expsym_cmds_GCJ=
-  old_archive_From_new_cmds_GCJ=
-  old_archive_from_expsyms_cmds_GCJ=
-  export_dynamic_flag_spec_GCJ=
-  whole_archive_flag_spec_GCJ=
-  thread_safe_flag_spec_GCJ=
-  hardcode_libdir_flag_spec_GCJ=
-  hardcode_libdir_flag_spec_ld_GCJ=
-  hardcode_libdir_separator_GCJ=
-  hardcode_direct_GCJ=no
-  hardcode_minus_L_GCJ=no
-  hardcode_shlibpath_var_GCJ=unsupported
-  link_all_deplibs_GCJ=unknown
-  hardcode_automatic_GCJ=no
-  module_cmds_GCJ=
-  module_expsym_cmds_GCJ=
-  always_export_symbols_GCJ=no
-  export_symbols_cmds_GCJ='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols'
-  # include_expsyms should be a list of space-separated symbols to be *always*
-  # included in the symbol list
-  include_expsyms_GCJ=
-  # exclude_expsyms can be an extended regexp of symbols to exclude
-  # it will be wrapped by ` (' and `)$', so one must not match beginning or
-  # end of line.  Example: `a|bc|.*d.*' will exclude the symbols `a' and `bc',
-  # as well as any symbol that contains `d'.
-  exclude_expsyms_GCJ='_GLOBAL_OFFSET_TABLE_|_GLOBAL__F[ID]_.*'
-  # Although _GLOBAL_OFFSET_TABLE_ is a valid symbol C name, most a.out
-  # platforms (ab)use it in PIC code, but their linkers get confused if
-  # the symbol is explicitly referenced.  Since portable code cannot
-  # rely on this symbol name, it's probably fine to never include it in
-  # preloaded symbol tables.
-  # Exclude shared library initialization/finalization symbols.
-  extract_expsyms_cmds=
-  # Just being paranoid about ensuring that cc_basename is set.
-  for cc_temp in $compiler""; do
-  case $cc_temp in
-    compile | *[\\/]compile | ccache | *[\\/]ccache ) ;;
-    distcc | *[\\/]distcc | purify | *[\\/]purify ) ;;
-    \-*) ;;
-    *) break;;
-  esac
-done
-cc_basename=`$echo "X$cc_temp" | $Xsed -e 's%.*/%%' -e "s%^$host_alias-%%"`
-
-  case $host_os in
-  cygwin* | mingw* | pw32*)
-    # FIXME: the MSVC++ port hasn't been tested in a loooong time
-    # When not using gcc, we currently assume that we are using
-    # Microsoft Visual C++.
-    if test "$GCC" != yes; then
-      with_gnu_ld=no
-    fi
-    ;;
-  interix*)
-    # we just hope/assume this is gcc and not c89 (= MSVC++)
-    with_gnu_ld=yes
-    ;;
-  openbsd*)
-    with_gnu_ld=no
-    ;;
-  esac
-
-  ld_shlibs_GCJ=yes
-  if test "$with_gnu_ld" = yes; then
-    # If archive_cmds runs LD, not CC, wlarc should be empty
-    wlarc='${wl}'
-
-    # Set some defaults for GNU ld with shared library support. These
-    # are reset later if shared libraries are not supported. Putting them
-    # here allows them to be overridden if necessary.
-    runpath_var=LD_RUN_PATH
-    hardcode_libdir_flag_spec_GCJ='${wl}--rpath ${wl}$libdir'
-    export_dynamic_flag_spec_GCJ='${wl}--export-dynamic'
-    # ancient GNU ld didn't support --whole-archive et. al.
-    if $LD --help 2>&1 | grep 'no-whole-archive' > /dev/null; then
-	whole_archive_flag_spec_GCJ="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive'
-      else
-  	whole_archive_flag_spec_GCJ=
-    fi
-    supports_anon_versioning=no
-    case `$LD -v 2>/dev/null` in
-      *\ [01].* | *\ 2.[0-9].* | *\ 2.10.*) ;; # catch versions < 2.11
-      *\ 2.11.93.0.2\ *) supports_anon_versioning=yes ;; # RH7.3 ...
-      *\ 2.11.92.0.12\ *) supports_anon_versioning=yes ;; # Mandrake 8.2 ...
-      *\ 2.11.*) ;; # other 2.11 versions
-      *) supports_anon_versioning=yes ;;
-    esac
-
-    # See if GNU ld supports shared libraries.
-    case $host_os in
-    aix[3-9]*)
-      # On AIX/PPC, the GNU linker is very broken
-      if test "$host_cpu" != ia64; then
-	ld_shlibs_GCJ=no
-	cat <<EOF 1>&2
-
-*** Warning: the GNU linker, at least up to release 2.9.1, is reported
-*** to be unable to reliably create shared libraries on AIX.
-*** Therefore, libtool is disabling shared libraries support.  If you
-*** really care for shared libraries, you may want to modify your PATH
-*** so that a non-GNU linker is found, and then restart.
-
-EOF
-      fi
-      ;;
-
-    amigaos*)
-      archive_cmds_GCJ='$rm $output_objdir/a2ixlibrary.data~$echo "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$echo "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$echo "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$echo "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)'
-      hardcode_libdir_flag_spec_GCJ='-L$libdir'
-      hardcode_minus_L_GCJ=yes
-
-      # Samuel A. Falvo II <kc5tja@dolphin.openprojects.net> reports
-      # that the semantics of dynamic libraries on AmigaOS, at least up
-      # to version 4, is to share data among multiple programs linked
-      # with the same dynamic library.  Since this doesn't match the
-      # behavior of shared libraries on other platforms, we can't use
-      # them.
-      ld_shlibs_GCJ=no
-      ;;
-
-    beos*)
-      if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
-	allow_undefined_flag_GCJ=unsupported
-	# Joseph Beckenbach <jrb3@best.com> says some releases of gcc
-	# support --undefined.  This deserves some investigation.  FIXME
-	archive_cmds_GCJ='$CC -nostart $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
-      else
-	ld_shlibs_GCJ=no
-      fi
-      ;;
-
-    cygwin* | mingw* | pw32*)
-      # _LT_AC_TAGVAR(hardcode_libdir_flag_spec, GCJ) is actually meaningless,
-      # as there is no search path for DLLs.
-      hardcode_libdir_flag_spec_GCJ='-L$libdir'
-      allow_undefined_flag_GCJ=unsupported
-      always_export_symbols_GCJ=no
-      enable_shared_with_static_runtimes_GCJ=yes
-      export_symbols_cmds_GCJ='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[BCDGRS][ ]/s/.*[ ]\([^ ]*\)/\1 DATA/'\'' -e '\''/^[AITW][ ]/s/.*[ ]//'\'' | sort | uniq > $export_symbols'
-
-      if $LD --help 2>&1 | grep 'auto-import' > /dev/null; then
-        archive_cmds_GCJ='$CC -shared $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
-	# If the export-symbols file already is a .def file (1st line
-	# is EXPORTS), use it as is; otherwise, prepend...
-	archive_expsym_cmds_GCJ='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then
-	  cp $export_symbols $output_objdir/$soname.def;
-	else
-	  echo EXPORTS > $output_objdir/$soname.def;
-	  cat $export_symbols >> $output_objdir/$soname.def;
-	fi~
-	$CC -shared $output_objdir/$soname.def $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
-      else
-	ld_shlibs_GCJ=no
-      fi
-      ;;
-
-    interix[3-9]*)
-      hardcode_direct_GCJ=no
-      hardcode_shlibpath_var_GCJ=no
-      hardcode_libdir_flag_spec_GCJ='${wl}-rpath,$libdir'
-      export_dynamic_flag_spec_GCJ='${wl}-E'
-      # Hack: On Interix 3.x, we cannot compile PIC because of a broken gcc.
-      # Instead, shared libraries are loaded at an image base (0x10000000 by
-      # default) and relocated if they conflict, which is a slow very memory
-      # consuming and fragmenting process.  To avoid this, we pick a random,
-      # 256 KiB-aligned image base between 0x50000000 and 0x6FFC0000 at link
-      # time.  Moving up from 0x10000000 also allows more sbrk(2) space.
-      archive_cmds_GCJ='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
-      archive_expsym_cmds_GCJ='sed "s,^,_," $export_symbols >$output_objdir/$soname.expsym~$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--retain-symbols-file,$output_objdir/$soname.expsym ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
-      ;;
-
-    gnu* | linux* | k*bsd*-gnu)
-      if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
-	tmp_addflag=
-	case $cc_basename,$host_cpu in
-	pgcc*)				# Portland Group C compiler
-	  whole_archive_flag_spec_GCJ='${wl}--whole-archive`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}--no-whole-archive'
-	  tmp_addflag=' $pic_flag'
-	  ;;
-	pgf77* | pgf90* | pgf95*)	# Portland Group f77 and f90 compilers
-	  whole_archive_flag_spec_GCJ='${wl}--whole-archive`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}--no-whole-archive'
-	  tmp_addflag=' $pic_flag -Mnomain' ;;
-	ecc*,ia64* | icc*,ia64*)		# Intel C compiler on ia64
-	  tmp_addflag=' -i_dynamic' ;;
-	efc*,ia64* | ifort*,ia64*)	# Intel Fortran compiler on ia64
-	  tmp_addflag=' -i_dynamic -nofor_main' ;;
-	ifc* | ifort*)			# Intel Fortran compiler
-	  tmp_addflag=' -nofor_main' ;;
-	esac
-	case `$CC -V 2>&1 | sed 5q` in
-	*Sun\ C*)			# Sun C 5.9
-	  whole_archive_flag_spec_GCJ='${wl}--whole-archive`new_convenience=; for conv in $convenience\"\"; do test -z \"$conv\" || new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}--no-whole-archive'
-	  tmp_sharedflag='-G' ;;
-	*Sun\ F*)			# Sun Fortran 8.3
-	  tmp_sharedflag='-G' ;;
-	*)
-	  tmp_sharedflag='-shared' ;;
-	esac
-	archive_cmds_GCJ='$CC '"$tmp_sharedflag""$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
-
-	if test $supports_anon_versioning = yes; then
-	  archive_expsym_cmds_GCJ='$echo "{ global:" > $output_objdir/$libname.ver~
-  cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~
-  $echo "local: *; };" >> $output_objdir/$libname.ver~
-	  $CC '"$tmp_sharedflag""$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-version-script ${wl}$output_objdir/$libname.ver -o $lib'
-	fi
-	link_all_deplibs_GCJ=no
-      else
-	ld_shlibs_GCJ=no
-      fi
-      ;;
-
-    netbsd* | netbsdelf*-gnu)
-      if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
-	archive_cmds_GCJ='$LD -Bshareable $libobjs $deplibs $linker_flags -o $lib'
-	wlarc=
-      else
-	archive_cmds_GCJ='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
-	archive_expsym_cmds_GCJ='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
-      fi
-      ;;
-
-    solaris*)
-      if $LD -v 2>&1 | grep 'BFD 2\.8' > /dev/null; then
-	ld_shlibs_GCJ=no
-	cat <<EOF 1>&2
-
-*** Warning: The releases 2.8.* of the GNU linker cannot reliably
-*** create shared libraries on Solaris systems.  Therefore, libtool
-*** is disabling shared libraries support.  We urge you to upgrade GNU
-*** binutils to release 2.9.1 or newer.  Another option is to modify
-*** your PATH or compiler configuration so that the native linker is
-*** used, and then restart.
-
-EOF
-      elif $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
-	archive_cmds_GCJ='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
-	archive_expsym_cmds_GCJ='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
-      else
-	ld_shlibs_GCJ=no
-      fi
-      ;;
-
-    sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX*)
-      case `$LD -v 2>&1` in
-        *\ [01].* | *\ 2.[0-9].* | *\ 2.1[0-5].*)
-	ld_shlibs_GCJ=no
-	cat <<_LT_EOF 1>&2
-
-*** Warning: Releases of the GNU linker prior to 2.16.91.0.3 can not
-*** reliably create shared libraries on SCO systems.  Therefore, libtool
-*** is disabling shared libraries support.  We urge you to upgrade GNU
-*** binutils to release 2.16.91.0.3 or newer.  Another option is to modify
-*** your PATH or compiler configuration so that the native linker is
-*** used, and then restart.
-
-_LT_EOF
-	;;
-	*)
-	  if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
-	    hardcode_libdir_flag_spec_GCJ='`test -z "$SCOABSPATH" && echo ${wl}-rpath,$libdir`'
-	    archive_cmds_GCJ='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib'
-	    archive_expsym_cmds_GCJ='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname,\${SCOABSPATH:+${install_libdir}/}$soname,-retain-symbols-file,$export_symbols -o $lib'
-	  else
-	    ld_shlibs_GCJ=no
-	  fi
-	;;
-      esac
-      ;;
-
-    sunos4*)
-      archive_cmds_GCJ='$LD -assert pure-text -Bshareable -o $lib $libobjs $deplibs $linker_flags'
-      wlarc=
-      hardcode_direct_GCJ=yes
-      hardcode_shlibpath_var_GCJ=no
-      ;;
-
-    *)
-      if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
-	archive_cmds_GCJ='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
-	archive_expsym_cmds_GCJ='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
-      else
-	ld_shlibs_GCJ=no
-      fi
-      ;;
-    esac
-
-    if test "$ld_shlibs_GCJ" = no; then
-      runpath_var=
-      hardcode_libdir_flag_spec_GCJ=
-      export_dynamic_flag_spec_GCJ=
-      whole_archive_flag_spec_GCJ=
-    fi
-  else
-    # PORTME fill in a description of your system's linker (not GNU ld)
-    case $host_os in
-    aix3*)
-      allow_undefined_flag_GCJ=unsupported
-      always_export_symbols_GCJ=yes
-      archive_expsym_cmds_GCJ='$LD -o $output_objdir/$soname $libobjs $deplibs $linker_flags -bE:$export_symbols -T512 -H512 -bM:SRE~$AR $AR_FLAGS $lib $output_objdir/$soname'
-      # Note: this linker hardcodes the directories in LIBPATH if there
-      # are no directories specified by -L.
-      hardcode_minus_L_GCJ=yes
-      if test "$GCC" = yes && test -z "$lt_prog_compiler_static"; then
-	# Neither direct hardcoding nor static linking is supported with a
-	# broken collect2.
-	hardcode_direct_GCJ=unsupported
-      fi
-      ;;
-
-    aix[4-9]*)
-      if test "$host_cpu" = ia64; then
-	# On IA64, the linker does run time linking by default, so we don't
-	# have to do anything special.
-	aix_use_runtimelinking=no
-	exp_sym_flag='-Bexport'
-	no_entry_flag=""
-      else
-	# If we're using GNU nm, then we don't want the "-C" option.
-	# -C means demangle to AIX nm, but means don't demangle with GNU nm
-	if $NM -V 2>&1 | grep 'GNU' > /dev/null; then
-	  export_symbols_cmds_GCJ='$NM -Bpg $libobjs $convenience | awk '\''{ if (((\$2 == "T") || (\$2 == "D") || (\$2 == "B")) && (substr(\$3,1,1) != ".")) { print \$3 } }'\'' | sort -u > $export_symbols'
-	else
-	  export_symbols_cmds_GCJ='$NM -BCpg $libobjs $convenience | awk '\''{ if (((\$2 == "T") || (\$2 == "D") || (\$2 == "B")) && (substr(\$3,1,1) != ".")) { print \$3 } }'\'' | sort -u > $export_symbols'
-	fi
-	aix_use_runtimelinking=no
-
-	# Test if we are trying to use run time linking or normal
-	# AIX style linking. If -brtl is somewhere in LDFLAGS, we
-	# need to do runtime linking.
-	case $host_os in aix4.[23]|aix4.[23].*|aix[5-9]*)
-	  for ld_flag in $LDFLAGS; do
-  	  if (test $ld_flag = "-brtl" || test $ld_flag = "-Wl,-brtl"); then
-  	    aix_use_runtimelinking=yes
-  	    break
-  	  fi
-	  done
-	  ;;
-	esac
-
-	exp_sym_flag='-bexport'
-	no_entry_flag='-bnoentry'
-      fi
-
-      # When large executables or shared objects are built, AIX ld can
-      # have problems creating the table of contents.  If linking a library
-      # or program results in "error TOC overflow" add -mminimal-toc to
-      # CXXFLAGS/CFLAGS for g++/gcc.  In the cases where that is not
-      # enough to fix the problem, add -Wl,-bbigtoc to LDFLAGS.
-
-      archive_cmds_GCJ=''
-      hardcode_direct_GCJ=yes
-      hardcode_libdir_separator_GCJ=':'
-      link_all_deplibs_GCJ=yes
-
-      if test "$GCC" = yes; then
-	case $host_os in aix4.[012]|aix4.[012].*)
-	# We only want to do this on AIX 4.2 and lower, the check
-	# below for broken collect2 doesn't work under 4.3+
-	  collect2name=`${CC} -print-prog-name=collect2`
-	  if test -f "$collect2name" && \
-  	   strings "$collect2name" | grep resolve_lib_name >/dev/null
-	  then
-  	  # We have reworked collect2
-  	  :
-	  else
-  	  # We have old collect2
-  	  hardcode_direct_GCJ=unsupported
-  	  # It fails to find uninstalled libraries when the uninstalled
-  	  # path is not listed in the libpath.  Setting hardcode_minus_L
-  	  # to unsupported forces relinking
-  	  hardcode_minus_L_GCJ=yes
-  	  hardcode_libdir_flag_spec_GCJ='-L$libdir'
-  	  hardcode_libdir_separator_GCJ=
-	  fi
-	  ;;
-	esac
-	shared_flag='-shared'
-	if test "$aix_use_runtimelinking" = yes; then
-	  shared_flag="$shared_flag "'${wl}-G'
-	fi
-      else
-	# not using gcc
-	if test "$host_cpu" = ia64; then
-  	# VisualAge C++, Version 5.5 for AIX 5L for IA-64, Beta 3 Release
-  	# chokes on -Wl,-G. The following line is correct:
-	  shared_flag='-G'
-	else
-	  if test "$aix_use_runtimelinking" = yes; then
-	    shared_flag='${wl}-G'
-	  else
-	    shared_flag='${wl}-bM:SRE'
-	  fi
-	fi
-      fi
-
-      # It seems that -bexpall does not export symbols beginning with
-      # underscore (_), so it is better to generate a list of symbols to export.
-      always_export_symbols_GCJ=yes
-      if test "$aix_use_runtimelinking" = yes; then
-	# Warning - without using the other runtime loading flags (-brtl),
-	# -berok will link without error, but may produce a broken library.
-	allow_undefined_flag_GCJ='-berok'
-       # Determine the default libpath from the value encoded in an empty executable.
-       cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-int
-main ()
-{
-
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
-
-lt_aix_libpath_sed='
-    /Import File Strings/,/^$/ {
-	/^0/ {
-	    s/^0  *\(.*\)$/\1/
-	    p
-	}
-    }'
-aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
-# Check for a 64-bit object if we didn't find anything.
-if test -z "$aix_libpath"; then
-  aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
-fi
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
-if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
-
-       hardcode_libdir_flag_spec_GCJ='${wl}-blibpath:$libdir:'"$aix_libpath"
-	archive_expsym_cmds_GCJ="\$CC"' -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then echo "${wl}${allow_undefined_flag}"; else :; fi` '"\${wl}$exp_sym_flag:\$export_symbols $shared_flag"
-       else
-	if test "$host_cpu" = ia64; then
-	  hardcode_libdir_flag_spec_GCJ='${wl}-R $libdir:/usr/lib:/lib'
-	  allow_undefined_flag_GCJ="-z nodefs"
-	  archive_expsym_cmds_GCJ="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags ${wl}${allow_undefined_flag} '"\${wl}$exp_sym_flag:\$export_symbols"
-	else
-	 # Determine the default libpath from the value encoded in an empty executable.
-	 cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-int
-main ()
-{
-
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
-
-lt_aix_libpath_sed='
-    /Import File Strings/,/^$/ {
-	/^0/ {
-	    s/^0  *\(.*\)$/\1/
-	    p
-	}
-    }'
-aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
-# Check for a 64-bit object if we didn't find anything.
-if test -z "$aix_libpath"; then
-  aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
-fi
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
-if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
-
-	 hardcode_libdir_flag_spec_GCJ='${wl}-blibpath:$libdir:'"$aix_libpath"
-	  # Warning - without using the other run time loading flags,
-	  # -berok will link without error, but may produce a broken library.
-	  no_undefined_flag_GCJ=' ${wl}-bernotok'
-	  allow_undefined_flag_GCJ=' ${wl}-berok'
-	  # Exported symbols can be pulled into shared objects from archives
-	  whole_archive_flag_spec_GCJ='$convenience'
-	  archive_cmds_need_lc_GCJ=yes
-	  # This is similar to how AIX traditionally builds its shared libraries.
-	  archive_expsym_cmds_GCJ="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs ${wl}-bnoentry $compiler_flags ${wl}-bE:$export_symbols${allow_undefined_flag}~$AR $AR_FLAGS $output_objdir/$libname$release.a $output_objdir/$soname'
-	fi
-      fi
-      ;;
-
-    amigaos*)
-      archive_cmds_GCJ='$rm $output_objdir/a2ixlibrary.data~$echo "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$echo "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$echo "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$echo "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)'
-      hardcode_libdir_flag_spec_GCJ='-L$libdir'
-      hardcode_minus_L_GCJ=yes
-      # see comment about different semantics on the GNU ld section
-      ld_shlibs_GCJ=no
-      ;;
-
-    bsdi[45]*)
-      export_dynamic_flag_spec_GCJ=-rdynamic
-      ;;
-
-    cygwin* | mingw* | pw32*)
-      # When not using gcc, we currently assume that we are using
-      # Microsoft Visual C++.
-      # hardcode_libdir_flag_spec is actually meaningless, as there is
-      # no search path for DLLs.
-      hardcode_libdir_flag_spec_GCJ=' '
-      allow_undefined_flag_GCJ=unsupported
-      # Tell ltmain to make .lib files, not .a files.
-      libext=lib
-      # Tell ltmain to make .dll files, not .so files.
-      shrext_cmds=".dll"
-      # FIXME: Setting linknames here is a bad hack.
-      archive_cmds_GCJ='$CC -o $lib $libobjs $compiler_flags `echo "$deplibs" | $SED -e '\''s/ -lc$//'\''` -link -dll~linknames='
-      # The linker will automatically build a .lib file if we build a DLL.
-      old_archive_From_new_cmds_GCJ='true'
-      # FIXME: Should let the user specify the lib program.
-      old_archive_cmds_GCJ='lib -OUT:$oldlib$oldobjs$old_deplibs'
-      fix_srcfile_path_GCJ='`cygpath -w "$srcfile"`'
-      enable_shared_with_static_runtimes_GCJ=yes
-      ;;
-
-    darwin* | rhapsody*)
-      case $host_os in
-        rhapsody* | darwin1.[012])
-         allow_undefined_flag_GCJ='${wl}-undefined ${wl}suppress'
-         ;;
-       *) # Darwin 1.3 on
-         if test -z ${MACOSX_DEPLOYMENT_TARGET} ; then
-           allow_undefined_flag_GCJ='${wl}-flat_namespace ${wl}-undefined ${wl}suppress'
-         else
-           case ${MACOSX_DEPLOYMENT_TARGET} in
-             10.[012])
-               allow_undefined_flag_GCJ='${wl}-flat_namespace ${wl}-undefined ${wl}suppress'
-               ;;
-             10.*)
-               allow_undefined_flag_GCJ='${wl}-undefined ${wl}dynamic_lookup'
-               ;;
-           esac
-         fi
-         ;;
-      esac
-      archive_cmds_need_lc_GCJ=no
-      hardcode_direct_GCJ=no
-      hardcode_automatic_GCJ=yes
-      hardcode_shlibpath_var_GCJ=unsupported
-      whole_archive_flag_spec_GCJ=''
-      link_all_deplibs_GCJ=yes
-    if test "$GCC" = yes ; then
-    	output_verbose_link_cmd='echo'
-        archive_cmds_GCJ="\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$libobjs \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring $_lt_dar_single_mod${_lt_dsymutil}"
-        module_cmds_GCJ="\$CC \$allow_undefined_flag -o \$lib -bundle \$libobjs \$deplibs \$compiler_flags${_lt_dsymutil}"
-        archive_expsym_cmds_GCJ="sed 's,^,_,' < \$export_symbols > \$output_objdir/\${libname}-symbols.expsym~\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$libobjs \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring ${_lt_dar_single_mod}${_lt_dar_export_syms}${_lt_dsymutil}"
-        module_expsym_cmds_GCJ="sed -e 's,^,_,' < \$export_symbols > \$output_objdir/\${libname}-symbols.expsym~\$CC \$allow_undefined_flag -o \$lib -bundle \$libobjs \$deplibs \$compiler_flags${_lt_dar_export_syms}${_lt_dsymutil}"
-    else
-      case $cc_basename in
-        xlc*)
-         output_verbose_link_cmd='echo'
-         archive_cmds_GCJ='$CC -qmkshrobj $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}`echo $rpath/$soname` $xlcverstring'
-         module_cmds_GCJ='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
-          # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin lds
-         archive_expsym_cmds_GCJ='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -qmkshrobj $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}$rpath/$soname $xlcverstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
-          module_expsym_cmds_GCJ='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag  -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
-          ;;
-       *)
-         ld_shlibs_GCJ=no
-          ;;
-      esac
-    fi
-      ;;
-
-    dgux*)
-      archive_cmds_GCJ='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
-      hardcode_libdir_flag_spec_GCJ='-L$libdir'
-      hardcode_shlibpath_var_GCJ=no
-      ;;
-
-    freebsd1*)
-      ld_shlibs_GCJ=no
-      ;;
-
-    # FreeBSD 2.2.[012] allows us to include c++rt0.o to get C++ constructor
-    # support.  Future versions do this automatically, but an explicit c++rt0.o
-    # does not break anything, and helps significantly (at the cost of a little
-    # extra space).
-    freebsd2.2*)
-      archive_cmds_GCJ='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags /usr/lib/c++rt0.o'
-      hardcode_libdir_flag_spec_GCJ='-R$libdir'
-      hardcode_direct_GCJ=yes
-      hardcode_shlibpath_var_GCJ=no
-      ;;
-
-    # Unfortunately, older versions of FreeBSD 2 do not have this feature.
-    freebsd2*)
-      archive_cmds_GCJ='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'
-      hardcode_direct_GCJ=yes
-      hardcode_minus_L_GCJ=yes
-      hardcode_shlibpath_var_GCJ=no
-      ;;
-
-    # FreeBSD 3 and greater uses gcc -shared to do shared libraries.
-    freebsd* | dragonfly*)
-      archive_cmds_GCJ='$CC -shared -o $lib $libobjs $deplibs $compiler_flags'
-      hardcode_libdir_flag_spec_GCJ='-R$libdir'
-      hardcode_direct_GCJ=yes
-      hardcode_shlibpath_var_GCJ=no
-      ;;
-
-    hpux9*)
-      if test "$GCC" = yes; then
-	archive_cmds_GCJ='$rm $output_objdir/$soname~$CC -shared -fPIC ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $libobjs $deplibs $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
-      else
-	archive_cmds_GCJ='$rm $output_objdir/$soname~$LD -b +b $install_libdir -o $output_objdir/$soname $libobjs $deplibs $linker_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
-      fi
-      hardcode_libdir_flag_spec_GCJ='${wl}+b ${wl}$libdir'
-      hardcode_libdir_separator_GCJ=:
-      hardcode_direct_GCJ=yes
-
-      # hardcode_minus_L: Not really in the search PATH,
-      # but as the default location of the library.
-      hardcode_minus_L_GCJ=yes
-      export_dynamic_flag_spec_GCJ='${wl}-E'
-      ;;
-
-    hpux10*)
-      if test "$GCC" = yes -a "$with_gnu_ld" = no; then
-	archive_cmds_GCJ='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
-      else
-	archive_cmds_GCJ='$LD -b +h $soname +b $install_libdir -o $lib $libobjs $deplibs $linker_flags'
-      fi
-      if test "$with_gnu_ld" = no; then
-	hardcode_libdir_flag_spec_GCJ='${wl}+b ${wl}$libdir'
-	hardcode_libdir_separator_GCJ=:
-
-	hardcode_direct_GCJ=yes
-	export_dynamic_flag_spec_GCJ='${wl}-E'
-
-	# hardcode_minus_L: Not really in the search PATH,
-	# but as the default location of the library.
-	hardcode_minus_L_GCJ=yes
-      fi
-      ;;
-
-    hpux11*)
-      if test "$GCC" = yes -a "$with_gnu_ld" = no; then
-	case $host_cpu in
-	hppa*64*)
-	  archive_cmds_GCJ='$CC -shared ${wl}+h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
-	  ;;
-	ia64*)
-	  archive_cmds_GCJ='$CC -shared ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags'
-	  ;;
-	*)
-	  archive_cmds_GCJ='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
-	  ;;
-	esac
-      else
-	case $host_cpu in
-	hppa*64*)
-	  archive_cmds_GCJ='$CC -b ${wl}+h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
-	  ;;
-	ia64*)
-	  archive_cmds_GCJ='$CC -b ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags'
-	  ;;
-	*)
-	  archive_cmds_GCJ='$CC -b ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
-	  ;;
-	esac
-      fi
-      if test "$with_gnu_ld" = no; then
-	hardcode_libdir_flag_spec_GCJ='${wl}+b ${wl}$libdir'
-	hardcode_libdir_separator_GCJ=:
-
-	case $host_cpu in
-	hppa*64*|ia64*)
-	  hardcode_libdir_flag_spec_ld_GCJ='+b $libdir'
-	  hardcode_direct_GCJ=no
-	  hardcode_shlibpath_var_GCJ=no
-	  ;;
-	*)
-	  hardcode_direct_GCJ=yes
-	  export_dynamic_flag_spec_GCJ='${wl}-E'
-
-	  # hardcode_minus_L: Not really in the search PATH,
-	  # but as the default location of the library.
-	  hardcode_minus_L_GCJ=yes
-	  ;;
-	esac
-      fi
-      ;;
-
-    irix5* | irix6* | nonstopux*)
-      if test "$GCC" = yes; then
-	archive_cmds_GCJ='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
-      else
-	archive_cmds_GCJ='$LD -shared $libobjs $deplibs $linker_flags -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
-	hardcode_libdir_flag_spec_ld_GCJ='-rpath $libdir'
-      fi
-      hardcode_libdir_flag_spec_GCJ='${wl}-rpath ${wl}$libdir'
-      hardcode_libdir_separator_GCJ=:
-      link_all_deplibs_GCJ=yes
-      ;;
-
-    netbsd* | netbsdelf*-gnu)
-      if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
-	archive_cmds_GCJ='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'  # a.out
-      else
-	archive_cmds_GCJ='$LD -shared -o $lib $libobjs $deplibs $linker_flags'      # ELF
-      fi
-      hardcode_libdir_flag_spec_GCJ='-R$libdir'
-      hardcode_direct_GCJ=yes
-      hardcode_shlibpath_var_GCJ=no
-      ;;
-
-    newsos6)
-      archive_cmds_GCJ='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
-      hardcode_direct_GCJ=yes
-      hardcode_libdir_flag_spec_GCJ='${wl}-rpath ${wl}$libdir'
-      hardcode_libdir_separator_GCJ=:
-      hardcode_shlibpath_var_GCJ=no
-      ;;
-
-    openbsd*)
-      if test -f /usr/libexec/ld.so; then
-	hardcode_direct_GCJ=yes
-	hardcode_shlibpath_var_GCJ=no
-	if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
-	  archive_cmds_GCJ='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
-	  archive_expsym_cmds_GCJ='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-retain-symbols-file,$export_symbols'
-	  hardcode_libdir_flag_spec_GCJ='${wl}-rpath,$libdir'
-	  export_dynamic_flag_spec_GCJ='${wl}-E'
-	else
-	  case $host_os in
-	   openbsd[01].* | openbsd2.[0-7] | openbsd2.[0-7].*)
-	     archive_cmds_GCJ='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'
-	     hardcode_libdir_flag_spec_GCJ='-R$libdir'
-	     ;;
-	   *)
-	     archive_cmds_GCJ='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
-	     hardcode_libdir_flag_spec_GCJ='${wl}-rpath,$libdir'
-	     ;;
-	  esac
-        fi
-      else
-	ld_shlibs_GCJ=no
-      fi
-      ;;
-
-    os2*)
-      hardcode_libdir_flag_spec_GCJ='-L$libdir'
-      hardcode_minus_L_GCJ=yes
-      allow_undefined_flag_GCJ=unsupported
-      archive_cmds_GCJ='$echo "LIBRARY $libname INITINSTANCE" > $output_objdir/$libname.def~$echo "DESCRIPTION \"$libname\"" >> $output_objdir/$libname.def~$echo DATA >> $output_objdir/$libname.def~$echo " SINGLE NONSHARED" >> $output_objdir/$libname.def~$echo EXPORTS >> $output_objdir/$libname.def~emxexp $libobjs >> $output_objdir/$libname.def~$CC -Zdll -Zcrtdll -o $lib $libobjs $deplibs $compiler_flags $output_objdir/$libname.def'
-      old_archive_From_new_cmds_GCJ='emximp -o $output_objdir/$libname.a $output_objdir/$libname.def'
-      ;;
-
-    osf3*)
-      if test "$GCC" = yes; then
-	allow_undefined_flag_GCJ=' ${wl}-expect_unresolved ${wl}\*'
-	archive_cmds_GCJ='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
-      else
-	allow_undefined_flag_GCJ=' -expect_unresolved \*'
-	archive_cmds_GCJ='$LD -shared${allow_undefined_flag} $libobjs $deplibs $linker_flags -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
-      fi
-      hardcode_libdir_flag_spec_GCJ='${wl}-rpath ${wl}$libdir'
-      hardcode_libdir_separator_GCJ=:
-      ;;
-
-    osf4* | osf5*)	# as osf3* with the addition of -msym flag
-      if test "$GCC" = yes; then
-	allow_undefined_flag_GCJ=' ${wl}-expect_unresolved ${wl}\*'
-	archive_cmds_GCJ='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-msym ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
-	hardcode_libdir_flag_spec_GCJ='${wl}-rpath ${wl}$libdir'
-      else
-	allow_undefined_flag_GCJ=' -expect_unresolved \*'
-	archive_cmds_GCJ='$LD -shared${allow_undefined_flag} $libobjs $deplibs $linker_flags -msym -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
-	archive_expsym_cmds_GCJ='for i in `cat $export_symbols`; do printf "%s %s\\n" -exported_symbol "\$i" >> $lib.exp; done; echo "-hidden">> $lib.exp~
-	$LD -shared${allow_undefined_flag} -input $lib.exp $linker_flags $libobjs $deplibs -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib~$rm $lib.exp'
-
-	# Both c and cxx compiler support -rpath directly
-	hardcode_libdir_flag_spec_GCJ='-rpath $libdir'
-      fi
-      hardcode_libdir_separator_GCJ=:
-      ;;
-
-    solaris*)
-      no_undefined_flag_GCJ=' -z text'
-      if test "$GCC" = yes; then
-	wlarc='${wl}'
-	archive_cmds_GCJ='$CC -shared ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
-	archive_expsym_cmds_GCJ='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
-	  $CC -shared ${wl}-M ${wl}$lib.exp ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags~$rm $lib.exp'
-      else
-	wlarc=''
-	archive_cmds_GCJ='$LD -G${allow_undefined_flag} -h $soname -o $lib $libobjs $deplibs $linker_flags'
-	archive_expsym_cmds_GCJ='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
-  	$LD -G${allow_undefined_flag} -M $lib.exp -h $soname -o $lib $libobjs $deplibs $linker_flags~$rm $lib.exp'
-      fi
-      hardcode_libdir_flag_spec_GCJ='-R$libdir'
-      hardcode_shlibpath_var_GCJ=no
-      case $host_os in
-      solaris2.[0-5] | solaris2.[0-5].*) ;;
-      *)
-	# The compiler driver will combine and reorder linker options,
-	# but understands `-z linker_flag'.  GCC discards it without `$wl',
-	# but is careful enough not to reorder.
- 	# Supported since Solaris 2.6 (maybe 2.5.1?)
-	if test "$GCC" = yes; then
-	  whole_archive_flag_spec_GCJ='${wl}-z ${wl}allextract$convenience ${wl}-z ${wl}defaultextract'
-	else
-	  whole_archive_flag_spec_GCJ='-z allextract$convenience -z defaultextract'
-	fi
-	;;
-      esac
-      link_all_deplibs_GCJ=yes
-      ;;
-
-    sunos4*)
-      if test "x$host_vendor" = xsequent; then
-	# Use $CC to link under sequent, because it throws in some extra .o
-	# files that make .init and .fini sections work.
-	archive_cmds_GCJ='$CC -G ${wl}-h $soname -o $lib $libobjs $deplibs $compiler_flags'
-      else
-	archive_cmds_GCJ='$LD -assert pure-text -Bstatic -o $lib $libobjs $deplibs $linker_flags'
-      fi
-      hardcode_libdir_flag_spec_GCJ='-L$libdir'
-      hardcode_direct_GCJ=yes
-      hardcode_minus_L_GCJ=yes
-      hardcode_shlibpath_var_GCJ=no
-      ;;
-
-    sysv4)
-      case $host_vendor in
-	sni)
-	  archive_cmds_GCJ='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
-	  hardcode_direct_GCJ=yes # is this really true???
-	;;
-	siemens)
-	  ## LD is ld it makes a PLAMLIB
-	  ## CC just makes a GrossModule.
-	  archive_cmds_GCJ='$LD -G -o $lib $libobjs $deplibs $linker_flags'
-	  reload_cmds_GCJ='$CC -r -o $output$reload_objs'
-	  hardcode_direct_GCJ=no
-        ;;
-	motorola)
-	  archive_cmds_GCJ='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
-	  hardcode_direct_GCJ=no #Motorola manual says yes, but my tests say they lie
-	;;
-      esac
-      runpath_var='LD_RUN_PATH'
-      hardcode_shlibpath_var_GCJ=no
-      ;;
-
-    sysv4.3*)
-      archive_cmds_GCJ='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
-      hardcode_shlibpath_var_GCJ=no
-      export_dynamic_flag_spec_GCJ='-Bexport'
-      ;;
-
-    sysv4*MP*)
-      if test -d /usr/nec; then
-	archive_cmds_GCJ='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
-	hardcode_shlibpath_var_GCJ=no
-	runpath_var=LD_RUN_PATH
-	hardcode_runpath_var=yes
-	ld_shlibs_GCJ=yes
-      fi
-      ;;
-
-    sysv4*uw2* | sysv5OpenUNIX* | sysv5UnixWare7.[01].[10]* | unixware7* | sco3.2v5.0.[024]*)
-      no_undefined_flag_GCJ='${wl}-z,text'
-      archive_cmds_need_lc_GCJ=no
-      hardcode_shlibpath_var_GCJ=no
-      runpath_var='LD_RUN_PATH'
-
-      if test "$GCC" = yes; then
-	archive_cmds_GCJ='$CC -shared ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
-	archive_expsym_cmds_GCJ='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
-      else
-	archive_cmds_GCJ='$CC -G ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
-	archive_expsym_cmds_GCJ='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
-      fi
-      ;;
-
-    sysv5* | sco3.2v5* | sco5v6*)
-      # Note: We can NOT use -z defs as we might desire, because we do not
-      # link with -lc, and that would cause any symbols used from libc to
-      # always be unresolved, which means just about no library would
-      # ever link correctly.  If we're not using GNU ld we use -z text
-      # though, which does catch some bad symbols but isn't as heavy-handed
-      # as -z defs.
-      no_undefined_flag_GCJ='${wl}-z,text'
-      allow_undefined_flag_GCJ='${wl}-z,nodefs'
-      archive_cmds_need_lc_GCJ=no
-      hardcode_shlibpath_var_GCJ=no
-      hardcode_libdir_flag_spec_GCJ='`test -z "$SCOABSPATH" && echo ${wl}-R,$libdir`'
-      hardcode_libdir_separator_GCJ=':'
-      link_all_deplibs_GCJ=yes
-      export_dynamic_flag_spec_GCJ='${wl}-Bexport'
-      runpath_var='LD_RUN_PATH'
-
-      if test "$GCC" = yes; then
-	archive_cmds_GCJ='$CC -shared ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
-	archive_expsym_cmds_GCJ='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
-      else
-	archive_cmds_GCJ='$CC -G ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
-	archive_expsym_cmds_GCJ='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
-      fi
-      ;;
-
-    uts4*)
-      archive_cmds_GCJ='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
-      hardcode_libdir_flag_spec_GCJ='-L$libdir'
-      hardcode_shlibpath_var_GCJ=no
-      ;;
-
-    *)
-      ld_shlibs_GCJ=no
-      ;;
-    esac
-  fi
-
-{ echo "$as_me:$LINENO: result: $ld_shlibs_GCJ" >&5
-echo "${ECHO_T}$ld_shlibs_GCJ" >&6; }
-test "$ld_shlibs_GCJ" = no && can_build_shared=no
-
-#
-# Do we need to explicitly link libc?
-#
-case "x$archive_cmds_need_lc_GCJ" in
-x|xyes)
-  # Assume -lc should be added
-  archive_cmds_need_lc_GCJ=yes
-
-  if test "$enable_shared" = yes && test "$GCC" = yes; then
-    case $archive_cmds_GCJ in
-    *'~'*)
-      # FIXME: we may have to deal with multi-command sequences.
-      ;;
-    '$CC '*)
-      # Test whether the compiler implicitly links with -lc since on some
-      # systems, -lgcc has to come before -lc. If gcc already passes -lc
-      # to ld, don't add -lc before -lgcc.
-      { echo "$as_me:$LINENO: checking whether -lc should be explicitly linked in" >&5
-echo $ECHO_N "checking whether -lc should be explicitly linked in... $ECHO_C" >&6; }
-      $rm conftest*
-      echo "$lt_simple_compile_test_code" > conftest.$ac_ext
-
-      if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } 2>conftest.err; then
-        soname=conftest
-        lib=conftest
-        libobjs=conftest.$ac_objext
-        deplibs=
-        wl=$lt_prog_compiler_wl_GCJ
-	pic_flag=$lt_prog_compiler_pic_GCJ
-        compiler_flags=-v
-        linker_flags=-v
-        verstring=
-        output_objdir=.
-        libname=conftest
-        lt_save_allow_undefined_flag=$allow_undefined_flag_GCJ
-        allow_undefined_flag_GCJ=
-        if { (eval echo "$as_me:$LINENO: \"$archive_cmds_GCJ 2\>\&1 \| grep \" -lc \" \>/dev/null 2\>\&1\"") >&5
-  (eval $archive_cmds_GCJ 2\>\&1 \| grep \" -lc \" \>/dev/null 2\>\&1) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }
-        then
-	  archive_cmds_need_lc_GCJ=no
-        else
-	  archive_cmds_need_lc_GCJ=yes
-        fi
-        allow_undefined_flag_GCJ=$lt_save_allow_undefined_flag
-      else
-        cat conftest.err 1>&5
-      fi
-      $rm conftest*
-      { echo "$as_me:$LINENO: result: $archive_cmds_need_lc_GCJ" >&5
-echo "${ECHO_T}$archive_cmds_need_lc_GCJ" >&6; }
-      ;;
-    esac
-  fi
-  ;;
-esac
-
-{ echo "$as_me:$LINENO: checking dynamic linker characteristics" >&5
-echo $ECHO_N "checking dynamic linker characteristics... $ECHO_C" >&6; }
-library_names_spec=
-libname_spec='lib$name'
-soname_spec=
-shrext_cmds=".so"
-postinstall_cmds=
-postuninstall_cmds=
-finish_cmds=
-finish_eval=
-shlibpath_var=
-shlibpath_overrides_runpath=unknown
-version_type=none
-dynamic_linker="$host_os ld.so"
-sys_lib_dlsearch_path_spec="/lib /usr/lib"
-
-need_lib_prefix=unknown
-hardcode_into_libs=no
-
-# when you set need_version to no, make sure it does not cause -set_version
-# flags to be left without arguments
-need_version=unknown
-
-case $host_os in
-aix3*)
-  version_type=linux
-  library_names_spec='${libname}${release}${shared_ext}$versuffix $libname.a'
-  shlibpath_var=LIBPATH
-
-  # AIX 3 has no versioning support, so we append a major version to the name.
-  soname_spec='${libname}${release}${shared_ext}$major'
-  ;;
-
-aix[4-9]*)
-  version_type=linux
-  need_lib_prefix=no
-  need_version=no
-  hardcode_into_libs=yes
-  if test "$host_cpu" = ia64; then
-    # AIX 5 supports IA64
-    library_names_spec='${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext}$versuffix $libname${shared_ext}'
-    shlibpath_var=LD_LIBRARY_PATH
-  else
-    # With GCC up to 2.95.x, collect2 would create an import file
-    # for dependence libraries.  The import file would start with
-    # the line `#! .'.  This would cause the generated library to
-    # depend on `.', always an invalid library.  This was fixed in
-    # development snapshots of GCC prior to 3.0.
-    case $host_os in
-      aix4 | aix4.[01] | aix4.[01].*)
-      if { echo '#if __GNUC__ > 2 || (__GNUC__ == 2 && __GNUC_MINOR__ >= 97)'
-	   echo ' yes '
-	   echo '#endif'; } | ${CC} -E - | grep yes > /dev/null; then
-	:
-      else
-	can_build_shared=no
-      fi
-      ;;
-    esac
-    # AIX (on Power*) has no versioning support, so currently we can not hardcode correct
-    # soname into executable. Probably we can add versioning support to
-    # collect2, so additional links can be useful in future.
-    if test "$aix_use_runtimelinking" = yes; then
-      # If using run time linking (on AIX 4.2 or later) use lib<name>.so
-      # instead of lib<name>.a to let people know that these are not
-      # typical AIX shared libraries.
-      library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-    else
-      # We preserve .a as extension for shared libraries through AIX4.2
-      # and later when we are not doing run time linking.
-      library_names_spec='${libname}${release}.a $libname.a'
-      soname_spec='${libname}${release}${shared_ext}$major'
-    fi
-    shlibpath_var=LIBPATH
-  fi
-  ;;
-
-amigaos*)
-  library_names_spec='$libname.ixlibrary $libname.a'
-  # Create ${libname}_ixlibrary.a entries in /sys/libs.
-  finish_eval='for lib in `ls $libdir/*.ixlibrary 2>/dev/null`; do libname=`$echo "X$lib" | $Xsed -e '\''s%^.*/\([^/]*\)\.ixlibrary$%\1%'\''`; test $rm /sys/libs/${libname}_ixlibrary.a; $show "cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a"; cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a || exit 1; done'
-  ;;
-
-beos*)
-  library_names_spec='${libname}${shared_ext}'
-  dynamic_linker="$host_os ld.so"
-  shlibpath_var=LIBRARY_PATH
-  ;;
-
-bsdi[45]*)
-  version_type=linux
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  finish_cmds='PATH="\$PATH:/sbin" ldconfig $libdir'
-  shlibpath_var=LD_LIBRARY_PATH
-  sys_lib_search_path_spec="/shlib /usr/lib /usr/X11/lib /usr/contrib/lib /lib /usr/local/lib"
-  sys_lib_dlsearch_path_spec="/shlib /usr/lib /usr/local/lib"
-  # the default ld.so.conf also contains /usr/contrib/lib and
-  # /usr/X11R6/lib (/usr/X11 is a link to /usr/X11R6), but let us allow
-  # libtool to hard-code these into programs
-  ;;
-
-cygwin* | mingw* | pw32*)
-  version_type=windows
-  shrext_cmds=".dll"
-  need_version=no
-  need_lib_prefix=no
-
-  case $GCC,$host_os in
-  yes,cygwin* | yes,mingw* | yes,pw32*)
-    library_names_spec='$libname.dll.a'
-    # DLL is installed to $(libdir)/../bin by postinstall_cmds
-    postinstall_cmds='base_file=`basename \${file}`~
-      dlpath=`$SHELL 2>&1 -c '\''. $dir/'\''\${base_file}'\''i;echo \$dlname'\''`~
-      dldir=$destdir/`dirname \$dlpath`~
-      test -d \$dldir || mkdir -p \$dldir~
-      $install_prog $dir/$dlname \$dldir/$dlname~
-      chmod a+x \$dldir/$dlname'
-    postuninstall_cmds='dldll=`$SHELL 2>&1 -c '\''. $file; echo \$dlname'\''`~
-      dlpath=$dir/\$dldll~
-       $rm \$dlpath'
-    shlibpath_overrides_runpath=yes
-
-    case $host_os in
-    cygwin*)
-      # Cygwin DLLs use 'cyg' prefix rather than 'lib'
-      soname_spec='`echo ${libname} | sed -e 's/^lib/cyg/'``echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}'
-      sys_lib_search_path_spec="/usr/lib /lib/w32api /lib /usr/local/lib"
-      ;;
-    mingw*)
-      # MinGW DLLs use traditional 'lib' prefix
-      soname_spec='${libname}`echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}'
-      sys_lib_search_path_spec=`$CC -print-search-dirs | grep "^libraries:" | $SED -e "s/^libraries://" -e "s,=/,/,g"`
-      if echo "$sys_lib_search_path_spec" | grep ';[c-zC-Z]:/' >/dev/null; then
-        # It is most probably a Windows format PATH printed by
-        # mingw gcc, but we are running on Cygwin. Gcc prints its search
-        # path with ; separators, and with drive letters. We can handle the
-        # drive letters (cygwin fileutils understands them), so leave them,
-        # especially as we might pass files found there to a mingw objdump,
-        # which wouldn't understand a cygwinified path. Ahh.
-        sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'`
-      else
-        sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED  -e "s/$PATH_SEPARATOR/ /g"`
-      fi
-      ;;
-    pw32*)
-      # pw32 DLLs use 'pw' prefix rather than 'lib'
-      library_names_spec='`echo ${libname} | sed -e 's/^lib/pw/'``echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}'
-      ;;
-    esac
-    ;;
-
-  *)
-    library_names_spec='${libname}`echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext} $libname.lib'
-    ;;
-  esac
-  dynamic_linker='Win32 ld.exe'
-  # FIXME: first we should search . and the directory the executable is in
-  shlibpath_var=PATH
-  ;;
-
-darwin* | rhapsody*)
-  dynamic_linker="$host_os dyld"
-  version_type=darwin
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${versuffix}$shared_ext ${libname}${release}${major}$shared_ext ${libname}$shared_ext'
-  soname_spec='${libname}${release}${major}$shared_ext'
-  shlibpath_overrides_runpath=yes
-  shlibpath_var=DYLD_LIBRARY_PATH
-  shrext_cmds='`test .$module = .yes && echo .so || echo .dylib`'
-
-  sys_lib_dlsearch_path_spec='/usr/local/lib /lib /usr/lib'
-  ;;
-
-dgux*)
-  version_type=linux
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname$shared_ext'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  ;;
-
-freebsd1*)
-  dynamic_linker=no
-  ;;
-
-freebsd* | dragonfly*)
-  # DragonFly does not have aout.  When/if they implement a new
-  # versioning mechanism, adjust this.
-  if test -x /usr/bin/objformat; then
-    objformat=`/usr/bin/objformat`
-  else
-    case $host_os in
-    freebsd[123]*) objformat=aout ;;
-    *) objformat=elf ;;
-    esac
-  fi
-  version_type=freebsd-$objformat
-  case $version_type in
-    freebsd-elf*)
-      library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext} $libname${shared_ext}'
-      need_version=no
-      need_lib_prefix=no
-      ;;
-    freebsd-*)
-      library_names_spec='${libname}${release}${shared_ext}$versuffix $libname${shared_ext}$versuffix'
-      need_version=yes
-      ;;
-  esac
-  shlibpath_var=LD_LIBRARY_PATH
-  case $host_os in
-  freebsd2*)
-    shlibpath_overrides_runpath=yes
-    ;;
-  freebsd3.[01]* | freebsdelf3.[01]*)
-    shlibpath_overrides_runpath=yes
-    hardcode_into_libs=yes
-    ;;
-  freebsd3.[2-9]* | freebsdelf3.[2-9]* | \
-  freebsd4.[0-5] | freebsdelf4.[0-5] | freebsd4.1.1 | freebsdelf4.1.1)
-    shlibpath_overrides_runpath=no
-    hardcode_into_libs=yes
-    ;;
-  *) # from 4.6 on, and DragonFly
-    shlibpath_overrides_runpath=yes
-    hardcode_into_libs=yes
-    ;;
-  esac
-  ;;
-
-gnu*)
-  version_type=linux
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}${major} ${libname}${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  hardcode_into_libs=yes
-  ;;
-
-hpux9* | hpux10* | hpux11*)
-  # Give a soname corresponding to the major version so that dld.sl refuses to
-  # link against other versions.
-  version_type=sunos
-  need_lib_prefix=no
-  need_version=no
-  case $host_cpu in
-  ia64*)
-    shrext_cmds='.so'
-    hardcode_into_libs=yes
-    dynamic_linker="$host_os dld.so"
-    shlibpath_var=LD_LIBRARY_PATH
-    shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
-    library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-    soname_spec='${libname}${release}${shared_ext}$major'
-    if test "X$HPUX_IA64_MODE" = X32; then
-      sys_lib_search_path_spec="/usr/lib/hpux32 /usr/local/lib/hpux32 /usr/local/lib"
-    else
-      sys_lib_search_path_spec="/usr/lib/hpux64 /usr/local/lib/hpux64"
-    fi
-    sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
-    ;;
-   hppa*64*)
-     shrext_cmds='.sl'
-     hardcode_into_libs=yes
-     dynamic_linker="$host_os dld.sl"
-     shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH
-     shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
-     library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-     soname_spec='${libname}${release}${shared_ext}$major'
-     sys_lib_search_path_spec="/usr/lib/pa20_64 /usr/ccs/lib/pa20_64"
-     sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
-     ;;
-   *)
-    shrext_cmds='.sl'
-    dynamic_linker="$host_os dld.sl"
-    shlibpath_var=SHLIB_PATH
-    shlibpath_overrides_runpath=no # +s is required to enable SHLIB_PATH
-    library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-    soname_spec='${libname}${release}${shared_ext}$major'
-    ;;
-  esac
-  # HP-UX runs *really* slowly unless shared libraries are mode 555.
-  postinstall_cmds='chmod 555 $lib'
-  ;;
-
-interix[3-9]*)
-  version_type=linux
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  dynamic_linker='Interix 3.x ld.so.1 (PE, like ELF)'
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=no
-  hardcode_into_libs=yes
-  ;;
-
-irix5* | irix6* | nonstopux*)
-  case $host_os in
-    nonstopux*) version_type=nonstopux ;;
-    *)
-	if test "$lt_cv_prog_gnu_ld" = yes; then
-		version_type=linux
-	else
-		version_type=irix
-	fi ;;
-  esac
-  need_lib_prefix=no
-  need_version=no
-  soname_spec='${libname}${release}${shared_ext}$major'
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext} $libname${shared_ext}'
-  case $host_os in
-  irix5* | nonstopux*)
-    libsuff= shlibsuff=
-    ;;
-  *)
-    case $LD in # libtool.m4 will add one of these switches to LD
-    *-32|*"-32 "|*-melf32bsmip|*"-melf32bsmip ")
-      libsuff= shlibsuff= libmagic=32-bit;;
-    *-n32|*"-n32 "|*-melf32bmipn32|*"-melf32bmipn32 ")
-      libsuff=32 shlibsuff=N32 libmagic=N32;;
-    *-64|*"-64 "|*-melf64bmip|*"-melf64bmip ")
-      libsuff=64 shlibsuff=64 libmagic=64-bit;;
-    *) libsuff= shlibsuff= libmagic=never-match;;
-    esac
-    ;;
-  esac
-  shlibpath_var=LD_LIBRARY${shlibsuff}_PATH
-  shlibpath_overrides_runpath=no
-  sys_lib_search_path_spec="/usr/lib${libsuff} /lib${libsuff} /usr/local/lib${libsuff}"
-  sys_lib_dlsearch_path_spec="/usr/lib${libsuff} /lib${libsuff}"
-  hardcode_into_libs=yes
-  ;;
-
-# No shared lib support for Linux oldld, aout, or coff.
-linux*oldld* | linux*aout* | linux*coff*)
-  dynamic_linker=no
-  ;;
-
-# This must be Linux ELF.
-linux* | k*bsd*-gnu)
-  version_type=linux
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  finish_cmds='PATH="\$PATH:/sbin" ldconfig -n $libdir'
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=no
-  # This implies no fast_install, which is unacceptable.
-  # Some rework will be needed to allow for fast_install
-  # before this can be enabled.
-  hardcode_into_libs=yes
-
-  # Append ld.so.conf contents to the search path
-  if test -f /etc/ld.so.conf; then
-    lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ 	]*hwcap[ 	]/d;s/[:,	]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;/^$/d' | tr '\n' ' '`
-    sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
-  fi
-
-  # We used to test for /lib/ld.so.1 and disable shared libraries on
-  # powerpc, because MkLinux only supported shared libraries with the
-  # GNU dynamic linker.  Since this was broken with cross compilers,
-  # most powerpc-linux boxes support dynamic linking these days and
-  # people can always --disable-shared, the test was removed, and we
-  # assume the GNU/Linux dynamic linker is in use.
-  dynamic_linker='GNU/Linux ld.so'
-  ;;
-
-netbsdelf*-gnu)
-  version_type=linux
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=no
-  hardcode_into_libs=yes
-  dynamic_linker='NetBSD ld.elf_so'
-  ;;
-
-netbsd*)
-  version_type=sunos
-  need_lib_prefix=no
-  need_version=no
-  if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
-    library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
-    finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
-    dynamic_linker='NetBSD (a.out) ld.so'
-  else
-    library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
-    soname_spec='${libname}${release}${shared_ext}$major'
-    dynamic_linker='NetBSD ld.elf_so'
-  fi
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=yes
-  hardcode_into_libs=yes
-  ;;
-
-newsos6)
-  version_type=linux
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=yes
-  ;;
-
-nto-qnx*)
-  version_type=linux
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=yes
-  ;;
-
-openbsd*)
-  version_type=sunos
-  sys_lib_dlsearch_path_spec="/usr/lib"
-  need_lib_prefix=no
-  # Some older versions of OpenBSD (3.3 at least) *do* need versioned libs.
-  case $host_os in
-    openbsd3.3 | openbsd3.3.*) need_version=yes ;;
-    *)                         need_version=no  ;;
-  esac
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
-  finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
-  shlibpath_var=LD_LIBRARY_PATH
-  if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
-    case $host_os in
-      openbsd2.[89] | openbsd2.[89].*)
-	shlibpath_overrides_runpath=no
-	;;
-      *)
-	shlibpath_overrides_runpath=yes
-	;;
-      esac
-  else
-    shlibpath_overrides_runpath=yes
-  fi
-  ;;
-
-os2*)
-  libname_spec='$name'
-  shrext_cmds=".dll"
-  need_lib_prefix=no
-  library_names_spec='$libname${shared_ext} $libname.a'
-  dynamic_linker='OS/2 ld.exe'
-  shlibpath_var=LIBPATH
-  ;;
-
-osf3* | osf4* | osf5*)
-  version_type=osf
-  need_lib_prefix=no
-  need_version=no
-  soname_spec='${libname}${release}${shared_ext}$major'
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-  shlibpath_var=LD_LIBRARY_PATH
-  sys_lib_search_path_spec="/usr/shlib /usr/ccs/lib /usr/lib/cmplrs/cc /usr/lib /usr/local/lib /var/shlib"
-  sys_lib_dlsearch_path_spec="$sys_lib_search_path_spec"
-  ;;
-
-rdos*)
-  dynamic_linker=no
-  ;;
-
-solaris*)
-  version_type=linux
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=yes
-  hardcode_into_libs=yes
-  # ldd complains unless libraries are executable
-  postinstall_cmds='chmod +x $lib'
-  ;;
-
-sunos4*)
-  version_type=sunos
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
-  finish_cmds='PATH="\$PATH:/usr/etc" ldconfig $libdir'
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=yes
-  if test "$with_gnu_ld" = yes; then
-    need_lib_prefix=no
-  fi
-  need_version=yes
-  ;;
-
-sysv4 | sysv4.3*)
-  version_type=linux
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  case $host_vendor in
-    sni)
-      shlibpath_overrides_runpath=no
-      need_lib_prefix=no
-      export_dynamic_flag_spec='${wl}-Blargedynsym'
-      runpath_var=LD_RUN_PATH
-      ;;
-    siemens)
-      need_lib_prefix=no
-      ;;
-    motorola)
-      need_lib_prefix=no
-      need_version=no
-      shlibpath_overrides_runpath=no
-      sys_lib_search_path_spec='/lib /usr/lib /usr/ccs/lib'
-      ;;
-  esac
-  ;;
-
-sysv4*MP*)
-  if test -d /usr/nec ;then
-    version_type=linux
-    library_names_spec='$libname${shared_ext}.$versuffix $libname${shared_ext}.$major $libname${shared_ext}'
-    soname_spec='$libname${shared_ext}.$major'
-    shlibpath_var=LD_LIBRARY_PATH
-  fi
-  ;;
-
-sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX* | sysv4*uw2*)
-  version_type=freebsd-elf
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext} $libname${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  hardcode_into_libs=yes
-  if test "$with_gnu_ld" = yes; then
-    sys_lib_search_path_spec='/usr/local/lib /usr/gnu/lib /usr/ccs/lib /usr/lib /lib'
-    shlibpath_overrides_runpath=no
-  else
-    sys_lib_search_path_spec='/usr/ccs/lib /usr/lib'
-    shlibpath_overrides_runpath=yes
-    case $host_os in
-      sco3.2v5*)
-        sys_lib_search_path_spec="$sys_lib_search_path_spec /lib"
-	;;
-    esac
-  fi
-  sys_lib_dlsearch_path_spec='/usr/lib'
-  ;;
-
-uts4*)
-  version_type=linux
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  ;;
-
-*)
-  dynamic_linker=no
-  ;;
-esac
-{ echo "$as_me:$LINENO: result: $dynamic_linker" >&5
-echo "${ECHO_T}$dynamic_linker" >&6; }
-test "$dynamic_linker" = no && can_build_shared=no
-
-if test "${lt_cv_sys_lib_search_path_spec+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  lt_cv_sys_lib_search_path_spec="$sys_lib_search_path_spec"
-fi
-
-sys_lib_search_path_spec="$lt_cv_sys_lib_search_path_spec"
-if test "${lt_cv_sys_lib_dlsearch_path_spec+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  lt_cv_sys_lib_dlsearch_path_spec="$sys_lib_dlsearch_path_spec"
-fi
-
-sys_lib_dlsearch_path_spec="$lt_cv_sys_lib_dlsearch_path_spec"
-
-variables_saved_for_relink="PATH $shlibpath_var $runpath_var"
-if test "$GCC" = yes; then
-  variables_saved_for_relink="$variables_saved_for_relink GCC_EXEC_PREFIX COMPILER_PATH LIBRARY_PATH"
-fi
-
-{ echo "$as_me:$LINENO: checking how to hardcode library paths into programs" >&5
-echo $ECHO_N "checking how to hardcode library paths into programs... $ECHO_C" >&6; }
-hardcode_action_GCJ=
-if test -n "$hardcode_libdir_flag_spec_GCJ" || \
-   test -n "$runpath_var_GCJ" || \
-   test "X$hardcode_automatic_GCJ" = "Xyes" ; then
-
-  # We can hardcode non-existant directories.
-  if test "$hardcode_direct_GCJ" != no &&
-     # If the only mechanism to avoid hardcoding is shlibpath_var, we
-     # have to relink, otherwise we might link with an installed library
-     # when we should be linking with a yet-to-be-installed one
-     ## test "$_LT_AC_TAGVAR(hardcode_shlibpath_var, GCJ)" != no &&
-     test "$hardcode_minus_L_GCJ" != no; then
-    # Linking always hardcodes the temporary library directory.
-    hardcode_action_GCJ=relink
-  else
-    # We can link without hardcoding, and we can hardcode nonexisting dirs.
-    hardcode_action_GCJ=immediate
-  fi
-else
-  # We cannot hardcode anything, or else we can only hardcode existing
-  # directories.
-  hardcode_action_GCJ=unsupported
-fi
-{ echo "$as_me:$LINENO: result: $hardcode_action_GCJ" >&5
-echo "${ECHO_T}$hardcode_action_GCJ" >&6; }
-
-if test "$hardcode_action_GCJ" = relink; then
-  # Fast installation is not supported
-  enable_fast_install=no
-elif test "$shlibpath_overrides_runpath" = yes ||
-     test "$enable_shared" = no; then
-  # Fast installation is not necessary
-  enable_fast_install=needless
-fi
-
-
-# The else clause should only fire when bootstrapping the
-# libtool distribution, otherwise you forgot to ship ltmain.sh
-# with your package, and you will get complaints that there are
-# no rules to generate ltmain.sh.
-if test -f "$ltmain"; then
-  # See if we are running on zsh, and set the options which allow our commands through
-  # without removal of \ escapes.
-  if test -n "${ZSH_VERSION+set}" ; then
-    setopt NO_GLOB_SUBST
-  fi
-  # Now quote all the things that may contain metacharacters while being
-  # careful not to overquote the AC_SUBSTed values.  We take copies of the
-  # variables and quote the copies for generation of the libtool script.
-  for var in echo old_CC old_CFLAGS AR AR_FLAGS EGREP RANLIB LN_S LTCC LTCFLAGS NM \
-    SED SHELL STRIP \
-    libname_spec library_names_spec soname_spec extract_expsyms_cmds \
-    old_striplib striplib file_magic_cmd finish_cmds finish_eval \
-    deplibs_check_method reload_flag reload_cmds need_locks \
-    lt_cv_sys_global_symbol_pipe lt_cv_sys_global_symbol_to_cdecl \
-    lt_cv_sys_global_symbol_to_c_name_address \
-    sys_lib_search_path_spec sys_lib_dlsearch_path_spec \
-    old_postinstall_cmds old_postuninstall_cmds \
-    compiler_GCJ \
-    CC_GCJ \
-    LD_GCJ \
-    lt_prog_compiler_wl_GCJ \
-    lt_prog_compiler_pic_GCJ \
-    lt_prog_compiler_static_GCJ \
-    lt_prog_compiler_no_builtin_flag_GCJ \
-    export_dynamic_flag_spec_GCJ \
-    thread_safe_flag_spec_GCJ \
-    whole_archive_flag_spec_GCJ \
-    enable_shared_with_static_runtimes_GCJ \
-    old_archive_cmds_GCJ \
-    old_archive_from_new_cmds_GCJ \
-    predep_objects_GCJ \
-    postdep_objects_GCJ \
-    predeps_GCJ \
-    postdeps_GCJ \
-    compiler_lib_search_path_GCJ \
-    compiler_lib_search_dirs_GCJ \
-    archive_cmds_GCJ \
-    archive_expsym_cmds_GCJ \
-    postinstall_cmds_GCJ \
-    postuninstall_cmds_GCJ \
-    old_archive_from_expsyms_cmds_GCJ \
-    allow_undefined_flag_GCJ \
-    no_undefined_flag_GCJ \
-    export_symbols_cmds_GCJ \
-    hardcode_libdir_flag_spec_GCJ \
-    hardcode_libdir_flag_spec_ld_GCJ \
-    hardcode_libdir_separator_GCJ \
-    hardcode_automatic_GCJ \
-    module_cmds_GCJ \
-    module_expsym_cmds_GCJ \
-    lt_cv_prog_compiler_c_o_GCJ \
-    fix_srcfile_path_GCJ \
-    exclude_expsyms_GCJ \
-    include_expsyms_GCJ; do
-
-    case $var in
-    old_archive_cmds_GCJ | \
-    old_archive_from_new_cmds_GCJ | \
-    archive_cmds_GCJ | \
-    archive_expsym_cmds_GCJ | \
-    module_cmds_GCJ | \
-    module_expsym_cmds_GCJ | \
-    old_archive_from_expsyms_cmds_GCJ | \
-    export_symbols_cmds_GCJ | \
-    extract_expsyms_cmds | reload_cmds | finish_cmds | \
-    postinstall_cmds | postuninstall_cmds | \
-    old_postinstall_cmds | old_postuninstall_cmds | \
-    sys_lib_search_path_spec | sys_lib_dlsearch_path_spec)
-      # Double-quote double-evaled strings.
-      eval "lt_$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$double_quote_subst\" -e \"\$sed_quote_subst\" -e \"\$delay_variable_subst\"\`\\\""
-      ;;
-    *)
-      eval "lt_$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$sed_quote_subst\"\`\\\""
-      ;;
-    esac
-  done
-
-  case $lt_echo in
-  *'\$0 --fallback-echo"')
-    lt_echo=`$echo "X$lt_echo" | $Xsed -e 's/\\\\\\\$0 --fallback-echo"$/$0 --fallback-echo"/'`
-    ;;
-  esac
-
-cfgfile="$ofile"
-
-  cat <<__EOF__ >> "$cfgfile"
-# ### BEGIN LIBTOOL TAG CONFIG: $tagname
-
-# Libtool was configured on host `(hostname || uname -n) 2>/dev/null | sed 1q`:
-
-# Shell to use when invoking shell scripts.
-SHELL=$lt_SHELL
-
-# Whether or not to build shared libraries.
-build_libtool_libs=$enable_shared
-
-# Whether or not to build static libraries.
-build_old_libs=$enable_static
-
-# Whether or not to add -lc for building shared libraries.
-build_libtool_need_lc=$archive_cmds_need_lc_GCJ
-
-# Whether or not to disallow shared libs when runtime libs are static
-allow_libtool_libs_with_static_runtimes=$enable_shared_with_static_runtimes_GCJ
-
-# Whether or not to optimize for fast installation.
-fast_install=$enable_fast_install
-
-# The host system.
-host_alias=$host_alias
-host=$host
-host_os=$host_os
-
-# The build system.
-build_alias=$build_alias
-build=$build
-build_os=$build_os
-
-# An echo program that does not interpret backslashes.
-echo=$lt_echo
-
-# The archiver.
-AR=$lt_AR
-AR_FLAGS=$lt_AR_FLAGS
-
-# A C compiler.
-LTCC=$lt_LTCC
-
-# LTCC compiler flags.
-LTCFLAGS=$lt_LTCFLAGS
-
-# A language-specific compiler.
-CC=$lt_compiler_GCJ
-
-# Is the compiler the GNU C compiler?
-with_gcc=$GCC_GCJ
-
-# An ERE matcher.
-EGREP=$lt_EGREP
-
-# The linker used to build libraries.
-LD=$lt_LD_GCJ
-
-# Whether we need hard or soft links.
-LN_S=$lt_LN_S
-
-# A BSD-compatible nm program.
-NM=$lt_NM
-
-# A symbol stripping program
-STRIP=$lt_STRIP
-
-# Used to examine libraries when file_magic_cmd begins "file"
-MAGIC_CMD=$MAGIC_CMD
-
-# Used on cygwin: DLL creation program.
-DLLTOOL="$DLLTOOL"
-
-# Used on cygwin: object dumper.
-OBJDUMP="$OBJDUMP"
-
-# Used on cygwin: assembler.
-AS="$AS"
-
-# The name of the directory that contains temporary libtool files.
-objdir=$objdir
-
-# How to create reloadable object files.
-reload_flag=$lt_reload_flag
-reload_cmds=$lt_reload_cmds
-
-# How to pass a linker flag through the compiler.
-wl=$lt_lt_prog_compiler_wl_GCJ
-
-# Object file suffix (normally "o").
-objext="$ac_objext"
-
-# Old archive suffix (normally "a").
-libext="$libext"
-
-# Shared library suffix (normally ".so").
-shrext_cmds='$shrext_cmds'
-
-# Executable file suffix (normally "").
-exeext="$exeext"
-
-# Additional compiler flags for building library objects.
-pic_flag=$lt_lt_prog_compiler_pic_GCJ
-pic_mode=$pic_mode
-
-# What is the maximum length of a command?
-max_cmd_len=$lt_cv_sys_max_cmd_len
-
-# Does compiler simultaneously support -c and -o options?
-compiler_c_o=$lt_lt_cv_prog_compiler_c_o_GCJ
-
-# Must we lock files when doing compilation?
-need_locks=$lt_need_locks
-
-# Do we need the lib prefix for modules?
-need_lib_prefix=$need_lib_prefix
-
-# Do we need a version for libraries?
-need_version=$need_version
-
-# Whether dlopen is supported.
-dlopen_support=$enable_dlopen
-
-# Whether dlopen of programs is supported.
-dlopen_self=$enable_dlopen_self
-
-# Whether dlopen of statically linked programs is supported.
-dlopen_self_static=$enable_dlopen_self_static
-
-# Compiler flag to prevent dynamic linking.
-link_static_flag=$lt_lt_prog_compiler_static_GCJ
-
-# Compiler flag to turn off builtin functions.
-no_builtin_flag=$lt_lt_prog_compiler_no_builtin_flag_GCJ
-
-# Compiler flag to allow reflexive dlopens.
-export_dynamic_flag_spec=$lt_export_dynamic_flag_spec_GCJ
-
-# Compiler flag to generate shared objects directly from archives.
-whole_archive_flag_spec=$lt_whole_archive_flag_spec_GCJ
-
-# Compiler flag to generate thread-safe objects.
-thread_safe_flag_spec=$lt_thread_safe_flag_spec_GCJ
-
-# Library versioning type.
-version_type=$version_type
-
-# Format of library name prefix.
-libname_spec=$lt_libname_spec
-
-# List of archive names.  First name is the real one, the rest are links.
-# The last name is the one that the linker finds with -lNAME.
-library_names_spec=$lt_library_names_spec
-
-# The coded name of the library, if different from the real name.
-soname_spec=$lt_soname_spec
-
-# Commands used to build and install an old-style archive.
-RANLIB=$lt_RANLIB
-old_archive_cmds=$lt_old_archive_cmds_GCJ
-old_postinstall_cmds=$lt_old_postinstall_cmds
-old_postuninstall_cmds=$lt_old_postuninstall_cmds
-
-# Create an old-style archive from a shared archive.
-old_archive_from_new_cmds=$lt_old_archive_from_new_cmds_GCJ
-
-# Create a temporary old-style archive to link instead of a shared archive.
-old_archive_from_expsyms_cmds=$lt_old_archive_from_expsyms_cmds_GCJ
-
-# Commands used to build and install a shared archive.
-archive_cmds=$lt_archive_cmds_GCJ
-archive_expsym_cmds=$lt_archive_expsym_cmds_GCJ
-postinstall_cmds=$lt_postinstall_cmds
-postuninstall_cmds=$lt_postuninstall_cmds
-
-# Commands used to build a loadable module (assumed same as above if empty)
-module_cmds=$lt_module_cmds_GCJ
-module_expsym_cmds=$lt_module_expsym_cmds_GCJ
-
-# Commands to strip libraries.
-old_striplib=$lt_old_striplib
-striplib=$lt_striplib
-
-# Dependencies to place before the objects being linked to create a
-# shared library.
-predep_objects=$lt_predep_objects_GCJ
-
-# Dependencies to place after the objects being linked to create a
-# shared library.
-postdep_objects=$lt_postdep_objects_GCJ
-
-# Dependencies to place before the objects being linked to create a
-# shared library.
-predeps=$lt_predeps_GCJ
-
-# Dependencies to place after the objects being linked to create a
-# shared library.
-postdeps=$lt_postdeps_GCJ
-
-# The directories searched by this compiler when creating a shared
-# library
-compiler_lib_search_dirs=$lt_compiler_lib_search_dirs_GCJ
-
-# The library search path used internally by the compiler when linking
-# a shared library.
-compiler_lib_search_path=$lt_compiler_lib_search_path_GCJ
-
-# Method to check whether dependent libraries are shared objects.
-deplibs_check_method=$lt_deplibs_check_method
-
-# Command to use when deplibs_check_method == file_magic.
-file_magic_cmd=$lt_file_magic_cmd
-
-# Flag that allows shared libraries with undefined symbols to be built.
-allow_undefined_flag=$lt_allow_undefined_flag_GCJ
-
-# Flag that forces no undefined symbols.
-no_undefined_flag=$lt_no_undefined_flag_GCJ
-
-# Commands used to finish a libtool library installation in a directory.
-finish_cmds=$lt_finish_cmds
-
-# Same as above, but a single script fragment to be evaled but not shown.
-finish_eval=$lt_finish_eval
-
-# Take the output of nm and produce a listing of raw symbols and C names.
-global_symbol_pipe=$lt_lt_cv_sys_global_symbol_pipe
-
-# Transform the output of nm in a proper C declaration
-global_symbol_to_cdecl=$lt_lt_cv_sys_global_symbol_to_cdecl
-
-# Transform the output of nm in a C name address pair
-global_symbol_to_c_name_address=$lt_lt_cv_sys_global_symbol_to_c_name_address
-
-# This is the shared library runtime path variable.
-runpath_var=$runpath_var
-
-# This is the shared library path variable.
-shlibpath_var=$shlibpath_var
-
-# Is shlibpath searched before the hard-coded library search path?
-shlibpath_overrides_runpath=$shlibpath_overrides_runpath
-
-# How to hardcode a shared library path into an executable.
-hardcode_action=$hardcode_action_GCJ
-
-# Whether we should hardcode library paths into libraries.
-hardcode_into_libs=$hardcode_into_libs
-
-# Flag to hardcode \$libdir into a binary during linking.
-# This must work even if \$libdir does not exist.
-hardcode_libdir_flag_spec=$lt_hardcode_libdir_flag_spec_GCJ
-
-# If ld is used when linking, flag to hardcode \$libdir into
-# a binary during linking. This must work even if \$libdir does
-# not exist.
-hardcode_libdir_flag_spec_ld=$lt_hardcode_libdir_flag_spec_ld_GCJ
-
-# Whether we need a single -rpath flag with a separated argument.
-hardcode_libdir_separator=$lt_hardcode_libdir_separator_GCJ
-
-# Set to yes if using DIR/libNAME${shared_ext} during linking hardcodes DIR into the
-# resulting binary.
-hardcode_direct=$hardcode_direct_GCJ
-
-# Set to yes if using the -LDIR flag during linking hardcodes DIR into the
-# resulting binary.
-hardcode_minus_L=$hardcode_minus_L_GCJ
-
-# Set to yes if using SHLIBPATH_VAR=DIR during linking hardcodes DIR into
-# the resulting binary.
-hardcode_shlibpath_var=$hardcode_shlibpath_var_GCJ
-
-# Set to yes if building a shared library automatically hardcodes DIR into the library
-# and all subsequent libraries and executables linked against it.
-hardcode_automatic=$hardcode_automatic_GCJ
-
-# Variables whose values should be saved in libtool wrapper scripts and
-# restored at relink time.
-variables_saved_for_relink="$variables_saved_for_relink"
-
-# Whether libtool must link a program against all its dependency libraries.
-link_all_deplibs=$link_all_deplibs_GCJ
-
-# Compile-time system search path for libraries
-sys_lib_search_path_spec=$lt_sys_lib_search_path_spec
-
-# Run-time system search path for libraries
-sys_lib_dlsearch_path_spec=$lt_sys_lib_dlsearch_path_spec
-
-# Fix the shell variable \$srcfile for the compiler.
-fix_srcfile_path=$lt_fix_srcfile_path
-
-# Set to yes if exported symbols are required.
-always_export_symbols=$always_export_symbols_GCJ
-
-# The commands to list exported symbols.
-export_symbols_cmds=$lt_export_symbols_cmds_GCJ
-
-# The commands to extract the exported symbol list from a shared archive.
-extract_expsyms_cmds=$lt_extract_expsyms_cmds
-
-# Symbols that should not be listed in the preloaded symbols.
-exclude_expsyms=$lt_exclude_expsyms_GCJ
-
-# Symbols that must always be exported.
-include_expsyms=$lt_include_expsyms_GCJ
-
-# ### END LIBTOOL TAG CONFIG: $tagname
-
-__EOF__
-
-
-else
-  # If there is no Makefile yet, we rely on a make rule to execute
-  # `config.status --recheck' to rerun these tests and create the
-  # libtool script then.
-  ltmain_in=`echo $ltmain | sed -e 's/\.sh$/.in/'`
-  if test -f "$ltmain_in"; then
-    test -f Makefile && make "$ltmain"
-  fi
-fi
-
-
-ac_ext=c
-ac_cpp='$CPP $CPPFLAGS'
-ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
-ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
-ac_compiler_gnu=$ac_cv_c_compiler_gnu
-
-CC="$lt_save_CC"
-
-	else
-	  tagname=""
-	fi
-	;;
-
-      RC)
-
-
-# Source file extension for RC test sources.
-ac_ext=rc
-
-# Object file extension for compiled RC test sources.
-objext=o
-objext_RC=$objext
-
-# Code to be used in simple compile tests
-lt_simple_compile_test_code='sample MENU { MENUITEM "&Soup", 100, CHECKED }'
-
-# Code to be used in simple link tests
-lt_simple_link_test_code="$lt_simple_compile_test_code"
-
-# ltmain only uses $CC for tagged configurations so make sure $CC is set.
-
-# If no C compiler was specified, use CC.
-LTCC=${LTCC-"$CC"}
-
-# If no C compiler flags were specified, use CFLAGS.
-LTCFLAGS=${LTCFLAGS-"$CFLAGS"}
-
-# Allow CC to be a program name with arguments.
-compiler=$CC
-
-
-# save warnings/boilerplate of simple test code
-ac_outfile=conftest.$ac_objext
-echo "$lt_simple_compile_test_code" >conftest.$ac_ext
-eval "$ac_compile" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err
-_lt_compiler_boilerplate=`cat conftest.err`
-$rm conftest*
-
-ac_outfile=conftest.$ac_objext
-echo "$lt_simple_link_test_code" >conftest.$ac_ext
-eval "$ac_link" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err
-_lt_linker_boilerplate=`cat conftest.err`
-$rm -r conftest*
-
-
-# Allow CC to be a program name with arguments.
-lt_save_CC="$CC"
-CC=${RC-"windres"}
-compiler=$CC
-compiler_RC=$CC
-for cc_temp in $compiler""; do
-  case $cc_temp in
-    compile | *[\\/]compile | ccache | *[\\/]ccache ) ;;
-    distcc | *[\\/]distcc | purify | *[\\/]purify ) ;;
-    \-*) ;;
-    *) break;;
-  esac
-done
-cc_basename=`$echo "X$cc_temp" | $Xsed -e 's%.*/%%' -e "s%^$host_alias-%%"`
-
-lt_cv_prog_compiler_c_o_RC=yes
-
-# The else clause should only fire when bootstrapping the
-# libtool distribution, otherwise you forgot to ship ltmain.sh
-# with your package, and you will get complaints that there are
-# no rules to generate ltmain.sh.
-if test -f "$ltmain"; then
-  # See if we are running on zsh, and set the options which allow our commands through
-  # without removal of \ escapes.
-  if test -n "${ZSH_VERSION+set}" ; then
-    setopt NO_GLOB_SUBST
-  fi
-  # Now quote all the things that may contain metacharacters while being
-  # careful not to overquote the AC_SUBSTed values.  We take copies of the
-  # variables and quote the copies for generation of the libtool script.
-  for var in echo old_CC old_CFLAGS AR AR_FLAGS EGREP RANLIB LN_S LTCC LTCFLAGS NM \
-    SED SHELL STRIP \
-    libname_spec library_names_spec soname_spec extract_expsyms_cmds \
-    old_striplib striplib file_magic_cmd finish_cmds finish_eval \
-    deplibs_check_method reload_flag reload_cmds need_locks \
-    lt_cv_sys_global_symbol_pipe lt_cv_sys_global_symbol_to_cdecl \
-    lt_cv_sys_global_symbol_to_c_name_address \
-    sys_lib_search_path_spec sys_lib_dlsearch_path_spec \
-    old_postinstall_cmds old_postuninstall_cmds \
-    compiler_RC \
-    CC_RC \
-    LD_RC \
-    lt_prog_compiler_wl_RC \
-    lt_prog_compiler_pic_RC \
-    lt_prog_compiler_static_RC \
-    lt_prog_compiler_no_builtin_flag_RC \
-    export_dynamic_flag_spec_RC \
-    thread_safe_flag_spec_RC \
-    whole_archive_flag_spec_RC \
-    enable_shared_with_static_runtimes_RC \
-    old_archive_cmds_RC \
-    old_archive_from_new_cmds_RC \
-    predep_objects_RC \
-    postdep_objects_RC \
-    predeps_RC \
-    postdeps_RC \
-    compiler_lib_search_path_RC \
-    compiler_lib_search_dirs_RC \
-    archive_cmds_RC \
-    archive_expsym_cmds_RC \
-    postinstall_cmds_RC \
-    postuninstall_cmds_RC \
-    old_archive_from_expsyms_cmds_RC \
-    allow_undefined_flag_RC \
-    no_undefined_flag_RC \
-    export_symbols_cmds_RC \
-    hardcode_libdir_flag_spec_RC \
-    hardcode_libdir_flag_spec_ld_RC \
-    hardcode_libdir_separator_RC \
-    hardcode_automatic_RC \
-    module_cmds_RC \
-    module_expsym_cmds_RC \
-    lt_cv_prog_compiler_c_o_RC \
-    fix_srcfile_path_RC \
-    exclude_expsyms_RC \
-    include_expsyms_RC; do
-
-    case $var in
-    old_archive_cmds_RC | \
-    old_archive_from_new_cmds_RC | \
-    archive_cmds_RC | \
-    archive_expsym_cmds_RC | \
-    module_cmds_RC | \
-    module_expsym_cmds_RC | \
-    old_archive_from_expsyms_cmds_RC | \
-    export_symbols_cmds_RC | \
-    extract_expsyms_cmds | reload_cmds | finish_cmds | \
-    postinstall_cmds | postuninstall_cmds | \
-    old_postinstall_cmds | old_postuninstall_cmds | \
-    sys_lib_search_path_spec | sys_lib_dlsearch_path_spec)
-      # Double-quote double-evaled strings.
-      eval "lt_$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$double_quote_subst\" -e \"\$sed_quote_subst\" -e \"\$delay_variable_subst\"\`\\\""
-      ;;
-    *)
-      eval "lt_$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$sed_quote_subst\"\`\\\""
-      ;;
-    esac
-  done
-
-  case $lt_echo in
-  *'\$0 --fallback-echo"')
-    lt_echo=`$echo "X$lt_echo" | $Xsed -e 's/\\\\\\\$0 --fallback-echo"$/$0 --fallback-echo"/'`
-    ;;
-  esac
-
-cfgfile="$ofile"
-
-  cat <<__EOF__ >> "$cfgfile"
-# ### BEGIN LIBTOOL TAG CONFIG: $tagname
-
-# Libtool was configured on host `(hostname || uname -n) 2>/dev/null | sed 1q`:
-
-# Shell to use when invoking shell scripts.
-SHELL=$lt_SHELL
-
-# Whether or not to build shared libraries.
-build_libtool_libs=$enable_shared
-
-# Whether or not to build static libraries.
-build_old_libs=$enable_static
-
-# Whether or not to add -lc for building shared libraries.
-build_libtool_need_lc=$archive_cmds_need_lc_RC
-
-# Whether or not to disallow shared libs when runtime libs are static
-allow_libtool_libs_with_static_runtimes=$enable_shared_with_static_runtimes_RC
-
-# Whether or not to optimize for fast installation.
-fast_install=$enable_fast_install
-
-# The host system.
-host_alias=$host_alias
-host=$host
-host_os=$host_os
-
-# The build system.
-build_alias=$build_alias
-build=$build
-build_os=$build_os
-
-# An echo program that does not interpret backslashes.
-echo=$lt_echo
-
-# The archiver.
-AR=$lt_AR
-AR_FLAGS=$lt_AR_FLAGS
-
-# A C compiler.
-LTCC=$lt_LTCC
-
-# LTCC compiler flags.
-LTCFLAGS=$lt_LTCFLAGS
-
-# A language-specific compiler.
-CC=$lt_compiler_RC
-
-# Is the compiler the GNU C compiler?
-with_gcc=$GCC_RC
-
-# An ERE matcher.
-EGREP=$lt_EGREP
-
-# The linker used to build libraries.
-LD=$lt_LD_RC
-
-# Whether we need hard or soft links.
-LN_S=$lt_LN_S
-
-# A BSD-compatible nm program.
-NM=$lt_NM
-
-# A symbol stripping program
-STRIP=$lt_STRIP
-
-# Used to examine libraries when file_magic_cmd begins "file"
-MAGIC_CMD=$MAGIC_CMD
-
-# Used on cygwin: DLL creation program.
-DLLTOOL="$DLLTOOL"
-
-# Used on cygwin: object dumper.
-OBJDUMP="$OBJDUMP"
-
-# Used on cygwin: assembler.
-AS="$AS"
-
-# The name of the directory that contains temporary libtool files.
-objdir=$objdir
-
-# How to create reloadable object files.
-reload_flag=$lt_reload_flag
-reload_cmds=$lt_reload_cmds
-
-# How to pass a linker flag through the compiler.
-wl=$lt_lt_prog_compiler_wl_RC
-
-# Object file suffix (normally "o").
-objext="$ac_objext"
-
-# Old archive suffix (normally "a").
-libext="$libext"
-
-# Shared library suffix (normally ".so").
-shrext_cmds='$shrext_cmds'
-
-# Executable file suffix (normally "").
-exeext="$exeext"
-
-# Additional compiler flags for building library objects.
-pic_flag=$lt_lt_prog_compiler_pic_RC
-pic_mode=$pic_mode
-
-# What is the maximum length of a command?
-max_cmd_len=$lt_cv_sys_max_cmd_len
-
-# Does compiler simultaneously support -c and -o options?
-compiler_c_o=$lt_lt_cv_prog_compiler_c_o_RC
-
-# Must we lock files when doing compilation?
-need_locks=$lt_need_locks
-
-# Do we need the lib prefix for modules?
-need_lib_prefix=$need_lib_prefix
-
-# Do we need a version for libraries?
-need_version=$need_version
-
-# Whether dlopen is supported.
-dlopen_support=$enable_dlopen
-
-# Whether dlopen of programs is supported.
-dlopen_self=$enable_dlopen_self
-
-# Whether dlopen of statically linked programs is supported.
-dlopen_self_static=$enable_dlopen_self_static
-
-# Compiler flag to prevent dynamic linking.
-link_static_flag=$lt_lt_prog_compiler_static_RC
-
-# Compiler flag to turn off builtin functions.
-no_builtin_flag=$lt_lt_prog_compiler_no_builtin_flag_RC
-
-# Compiler flag to allow reflexive dlopens.
-export_dynamic_flag_spec=$lt_export_dynamic_flag_spec_RC
-
-# Compiler flag to generate shared objects directly from archives.
-whole_archive_flag_spec=$lt_whole_archive_flag_spec_RC
-
-# Compiler flag to generate thread-safe objects.
-thread_safe_flag_spec=$lt_thread_safe_flag_spec_RC
-
-# Library versioning type.
-version_type=$version_type
-
-# Format of library name prefix.
-libname_spec=$lt_libname_spec
-
-# List of archive names.  First name is the real one, the rest are links.
-# The last name is the one that the linker finds with -lNAME.
-library_names_spec=$lt_library_names_spec
-
-# The coded name of the library, if different from the real name.
-soname_spec=$lt_soname_spec
-
-# Commands used to build and install an old-style archive.
-RANLIB=$lt_RANLIB
-old_archive_cmds=$lt_old_archive_cmds_RC
-old_postinstall_cmds=$lt_old_postinstall_cmds
-old_postuninstall_cmds=$lt_old_postuninstall_cmds
-
-# Create an old-style archive from a shared archive.
-old_archive_from_new_cmds=$lt_old_archive_from_new_cmds_RC
-
-# Create a temporary old-style archive to link instead of a shared archive.
-old_archive_from_expsyms_cmds=$lt_old_archive_from_expsyms_cmds_RC
-
-# Commands used to build and install a shared archive.
-archive_cmds=$lt_archive_cmds_RC
-archive_expsym_cmds=$lt_archive_expsym_cmds_RC
-postinstall_cmds=$lt_postinstall_cmds
-postuninstall_cmds=$lt_postuninstall_cmds
-
-# Commands used to build a loadable module (assumed same as above if empty)
-module_cmds=$lt_module_cmds_RC
-module_expsym_cmds=$lt_module_expsym_cmds_RC
-
-# Commands to strip libraries.
-old_striplib=$lt_old_striplib
-striplib=$lt_striplib
-
-# Dependencies to place before the objects being linked to create a
-# shared library.
-predep_objects=$lt_predep_objects_RC
-
-# Dependencies to place after the objects being linked to create a
-# shared library.
-postdep_objects=$lt_postdep_objects_RC
-
-# Dependencies to place before the objects being linked to create a
-# shared library.
-predeps=$lt_predeps_RC
-
-# Dependencies to place after the objects being linked to create a
-# shared library.
-postdeps=$lt_postdeps_RC
-
-# The directories searched by this compiler when creating a shared
-# library
-compiler_lib_search_dirs=$lt_compiler_lib_search_dirs_RC
-
-# The library search path used internally by the compiler when linking
-# a shared library.
-compiler_lib_search_path=$lt_compiler_lib_search_path_RC
-
-# Method to check whether dependent libraries are shared objects.
-deplibs_check_method=$lt_deplibs_check_method
-
-# Command to use when deplibs_check_method == file_magic.
-file_magic_cmd=$lt_file_magic_cmd
-
-# Flag that allows shared libraries with undefined symbols to be built.
-allow_undefined_flag=$lt_allow_undefined_flag_RC
-
-# Flag that forces no undefined symbols.
-no_undefined_flag=$lt_no_undefined_flag_RC
-
-# Commands used to finish a libtool library installation in a directory.
-finish_cmds=$lt_finish_cmds
-
-# Same as above, but a single script fragment to be evaled but not shown.
-finish_eval=$lt_finish_eval
-
-# Take the output of nm and produce a listing of raw symbols and C names.
-global_symbol_pipe=$lt_lt_cv_sys_global_symbol_pipe
-
-# Transform the output of nm in a proper C declaration
-global_symbol_to_cdecl=$lt_lt_cv_sys_global_symbol_to_cdecl
-
-# Transform the output of nm in a C name address pair
-global_symbol_to_c_name_address=$lt_lt_cv_sys_global_symbol_to_c_name_address
-
-# This is the shared library runtime path variable.
-runpath_var=$runpath_var
-
-# This is the shared library path variable.
-shlibpath_var=$shlibpath_var
-
-# Is shlibpath searched before the hard-coded library search path?
-shlibpath_overrides_runpath=$shlibpath_overrides_runpath
-
-# How to hardcode a shared library path into an executable.
-hardcode_action=$hardcode_action_RC
-
-# Whether we should hardcode library paths into libraries.
-hardcode_into_libs=$hardcode_into_libs
-
-# Flag to hardcode \$libdir into a binary during linking.
-# This must work even if \$libdir does not exist.
-hardcode_libdir_flag_spec=$lt_hardcode_libdir_flag_spec_RC
-
-# If ld is used when linking, flag to hardcode \$libdir into
-# a binary during linking. This must work even if \$libdir does
-# not exist.
-hardcode_libdir_flag_spec_ld=$lt_hardcode_libdir_flag_spec_ld_RC
-
-# Whether we need a single -rpath flag with a separated argument.
-hardcode_libdir_separator=$lt_hardcode_libdir_separator_RC
-
-# Set to yes if using DIR/libNAME${shared_ext} during linking hardcodes DIR into the
-# resulting binary.
-hardcode_direct=$hardcode_direct_RC
-
-# Set to yes if using the -LDIR flag during linking hardcodes DIR into the
-# resulting binary.
-hardcode_minus_L=$hardcode_minus_L_RC
-
-# Set to yes if using SHLIBPATH_VAR=DIR during linking hardcodes DIR into
-# the resulting binary.
-hardcode_shlibpath_var=$hardcode_shlibpath_var_RC
-
-# Set to yes if building a shared library automatically hardcodes DIR into the library
-# and all subsequent libraries and executables linked against it.
-hardcode_automatic=$hardcode_automatic_RC
-
-# Variables whose values should be saved in libtool wrapper scripts and
-# restored at relink time.
-variables_saved_for_relink="$variables_saved_for_relink"
-
-# Whether libtool must link a program against all its dependency libraries.
-link_all_deplibs=$link_all_deplibs_RC
-
-# Compile-time system search path for libraries
-sys_lib_search_path_spec=$lt_sys_lib_search_path_spec
-
-# Run-time system search path for libraries
-sys_lib_dlsearch_path_spec=$lt_sys_lib_dlsearch_path_spec
-
-# Fix the shell variable \$srcfile for the compiler.
-fix_srcfile_path=$lt_fix_srcfile_path
-
-# Set to yes if exported symbols are required.
-always_export_symbols=$always_export_symbols_RC
-
-# The commands to list exported symbols.
-export_symbols_cmds=$lt_export_symbols_cmds_RC
-
-# The commands to extract the exported symbol list from a shared archive.
-extract_expsyms_cmds=$lt_extract_expsyms_cmds
-
-# Symbols that should not be listed in the preloaded symbols.
-exclude_expsyms=$lt_exclude_expsyms_RC
-
-# Symbols that must always be exported.
-include_expsyms=$lt_include_expsyms_RC
-
-# ### END LIBTOOL TAG CONFIG: $tagname
-
-__EOF__
-
-
-else
-  # If there is no Makefile yet, we rely on a make rule to execute
-  # `config.status --recheck' to rerun these tests and create the
-  # libtool script then.
-  ltmain_in=`echo $ltmain | sed -e 's/\.sh$/.in/'`
-  if test -f "$ltmain_in"; then
-    test -f Makefile && make "$ltmain"
-  fi
-fi
-
-
-ac_ext=c
-ac_cpp='$CPP $CPPFLAGS'
-ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
-ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
-ac_compiler_gnu=$ac_cv_c_compiler_gnu
-
-CC="$lt_save_CC"
-
-	;;
-
-      *)
-	{ { echo "$as_me:$LINENO: error: Unsupported tag name: $tagname" >&5
-echo "$as_me: error: Unsupported tag name: $tagname" >&2;}
-   { (exit 1); exit 1; }; }
-	;;
-      esac
-
-      # Append the new tag name to the list of available tags.
-      if test -n "$tagname" ; then
-      available_tags="$available_tags $tagname"
-    fi
-    fi
-  done
-  IFS="$lt_save_ifs"
-
-  # Now substitute the updated list of available tags.
-  if eval "sed -e 's/^available_tags=.*\$/available_tags=\"$available_tags\"/' \"$ofile\" > \"${ofile}T\""; then
-    mv "${ofile}T" "$ofile"
-    chmod +x "$ofile"
-  else
-    rm -f "${ofile}T"
-    { { echo "$as_me:$LINENO: error: unable to update list of available tagged configurations." >&5
-echo "$as_me: error: unable to update list of available tagged configurations." >&2;}
-   { (exit 1); exit 1; }; }
-  fi
-fi
-
-
-
-# This can be used to rebuild libtool when needed
-LIBTOOL_DEPS="$ac_aux_dir/ltmain.sh"
-
-# Always use our own libtool.
-LIBTOOL='$(SHELL) $(top_builddir)/libtool'
-
-# Prevent multiple expansion
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-{ echo "$as_me:$LINENO: checking for ANSI C header files" >&5
-echo $ECHO_N "checking for ANSI C header files... $ECHO_C" >&6; }
-if test "${ac_cv_header_stdc+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#include <stdlib.h>
-#include <stdarg.h>
-#include <string.h>
-#include <float.h>
-
-int
-main ()
-{
-
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  ac_cv_header_stdc=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_cv_header_stdc=no
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-
-if test $ac_cv_header_stdc = yes; then
-  # SunOS 4.x string.h does not declare mem*, contrary to ANSI.
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#include <string.h>
-
-_ACEOF
-if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
-  $EGREP "memchr" >/dev/null 2>&1; then
-  :
-else
-  ac_cv_header_stdc=no
-fi
-rm -f conftest*
-
-fi
-
-if test $ac_cv_header_stdc = yes; then
-  # ISC 2.0.2 stdlib.h does not declare free, contrary to ANSI.
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#include <stdlib.h>
-
-_ACEOF
-if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
-  $EGREP "free" >/dev/null 2>&1; then
-  :
-else
-  ac_cv_header_stdc=no
-fi
-rm -f conftest*
-
-fi
-
-if test $ac_cv_header_stdc = yes; then
-  # /bin/cc in Irix-4.0.5 gets non-ANSI ctype macros unless using -ansi.
-  if test "$cross_compiling" = yes; then
-  :
-else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#include <ctype.h>
-#include <stdlib.h>
-#if ((' ' & 0x0FF) == 0x020)
-# define ISLOWER(c) ('a' <= (c) && (c) <= 'z')
-# define TOUPPER(c) (ISLOWER(c) ? 'A' + ((c) - 'a') : (c))
-#else
-# define ISLOWER(c) \
-		   (('a' <= (c) && (c) <= 'i') \
-		     || ('j' <= (c) && (c) <= 'r') \
-		     || ('s' <= (c) && (c) <= 'z'))
-# define TOUPPER(c) (ISLOWER(c) ? ((c) | 0x40) : (c))
-#endif
-
-#define XOR(e, f) (((e) && !(f)) || (!(e) && (f)))
-int
-main ()
-{
-  int i;
-  for (i = 0; i < 256; i++)
-    if (XOR (islower (i), ISLOWER (i))
-	|| toupper (i) != TOUPPER (i))
-      return 2;
-  return 0;
-}
-_ACEOF
-rm -f conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_link") 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
-  { (case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_try") 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  :
-else
-  echo "$as_me: program exited with status $ac_status" >&5
-echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-( exit $ac_status )
-ac_cv_header_stdc=no
-fi
-rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
-fi
-
-
-fi
-fi
-{ echo "$as_me:$LINENO: result: $ac_cv_header_stdc" >&5
-echo "${ECHO_T}$ac_cv_header_stdc" >&6; }
-if test $ac_cv_header_stdc = yes; then
-
-cat >>confdefs.h <<\_ACEOF
-#define STDC_HEADERS 1
-_ACEOF
-
-fi
-
-
-
-
-
-
-
-for ac_header in fcntl.h paths.h sys/ioctl.h sys/time.h syslog.h unistd.h
-do
-as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
-if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
-  { echo "$as_me:$LINENO: checking for $ac_header" >&5
-echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
-if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-fi
-ac_res=`eval echo '${'$as_ac_Header'}'`
-	       { echo "$as_me:$LINENO: result: $ac_res" >&5
-echo "${ECHO_T}$ac_res" >&6; }
-else
-  # Is the header compilable?
-{ echo "$as_me:$LINENO: checking $ac_header usability" >&5
-echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6; }
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-$ac_includes_default
-#include <$ac_header>
-_ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  ac_header_compiler=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_header_compiler=no
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
-echo "${ECHO_T}$ac_header_compiler" >&6; }
-
-# Is the header present?
-{ echo "$as_me:$LINENO: checking $ac_header presence" >&5
-echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6; }
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#include <$ac_header>
-_ACEOF
-if { (ac_try="$ac_cpp conftest.$ac_ext"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } >/dev/null && {
-	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       }; then
-  ac_header_preproc=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-  ac_header_preproc=no
-fi
-
-rm -f conftest.err conftest.$ac_ext
-{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
-echo "${ECHO_T}$ac_header_preproc" >&6; }
-
-# So?  What about this header?
-case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
-  yes:no: )
-    { echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5
-echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;}
-    { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the compiler's result" >&5
-echo "$as_me: WARNING: $ac_header: proceeding with the compiler's result" >&2;}
-    ac_header_preproc=yes
-    ;;
-  no:yes:* )
-    { echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5
-echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;}
-    { echo "$as_me:$LINENO: WARNING: $ac_header:     check for missing prerequisite headers?" >&5
-echo "$as_me: WARNING: $ac_header:     check for missing prerequisite headers?" >&2;}
-    { echo "$as_me:$LINENO: WARNING: $ac_header: see the Autoconf documentation" >&5
-echo "$as_me: WARNING: $ac_header: see the Autoconf documentation" >&2;}
-    { echo "$as_me:$LINENO: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\"" >&5
-echo "$as_me: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\"" >&2;}
-    { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5
-echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;}
-    { echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5
-echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;}
-    ( cat <<\_ASBOX
-## ------------------------------------ ##
-## Report this to martin@strongswan.org ##
-## ------------------------------------ ##
-_ASBOX
-     ) | sed "s/^/$as_me: WARNING:     /" >&2
-    ;;
-esac
-{ echo "$as_me:$LINENO: checking for $ac_header" >&5
-echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
-if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  eval "$as_ac_Header=\$ac_header_preproc"
-fi
-ac_res=`eval echo '${'$as_ac_Header'}'`
-	       { echo "$as_me:$LINENO: result: $ac_res" >&5
-echo "${ECHO_T}$ac_res" >&6; }
-
-fi
-if test `eval echo '${'$as_ac_Header'}'` = yes; then
-  cat >>confdefs.h <<_ACEOF
-#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
-_ACEOF
-
-fi
-
-done
-
-
-{ echo "$as_me:$LINENO: checking for mode_t" >&5
-echo $ECHO_N "checking for mode_t... $ECHO_C" >&6; }
-if test "${ac_cv_type_mode_t+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-$ac_includes_default
-typedef mode_t ac__type_new_;
-int
-main ()
-{
-if ((ac__type_new_ *) 0)
-  return 0;
-if (sizeof (ac__type_new_))
-  return 0;
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  ac_cv_type_mode_t=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_cv_type_mode_t=no
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-fi
-{ echo "$as_me:$LINENO: result: $ac_cv_type_mode_t" >&5
-echo "${ECHO_T}$ac_cv_type_mode_t" >&6; }
-if test $ac_cv_type_mode_t = yes; then
-  :
-else
-
-cat >>confdefs.h <<_ACEOF
-#define mode_t int
-_ACEOF
-
-fi
-
-{ echo "$as_me:$LINENO: checking for pid_t" >&5
-echo $ECHO_N "checking for pid_t... $ECHO_C" >&6; }
-if test "${ac_cv_type_pid_t+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-$ac_includes_default
-typedef pid_t ac__type_new_;
-int
-main ()
-{
-if ((ac__type_new_ *) 0)
-  return 0;
-if (sizeof (ac__type_new_))
-  return 0;
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  ac_cv_type_pid_t=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_cv_type_pid_t=no
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-fi
-{ echo "$as_me:$LINENO: result: $ac_cv_type_pid_t" >&5
-echo "${ECHO_T}$ac_cv_type_pid_t" >&6; }
-if test $ac_cv_type_pid_t = yes; then
-  :
-else
-
-cat >>confdefs.h <<_ACEOF
-#define pid_t int
-_ACEOF
-
-fi
-
-{ echo "$as_me:$LINENO: checking whether time.h and sys/time.h may both be included" >&5
-echo $ECHO_N "checking whether time.h and sys/time.h may both be included... $ECHO_C" >&6; }
-if test "${ac_cv_header_time+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#include <sys/types.h>
-#include <sys/time.h>
-#include <time.h>
-
-int
-main ()
-{
-if ((struct tm *) 0)
-return 0;
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  ac_cv_header_time=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_cv_header_time=no
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-fi
-{ echo "$as_me:$LINENO: result: $ac_cv_header_time" >&5
-echo "${ECHO_T}$ac_cv_header_time" >&6; }
-if test $ac_cv_header_time = yes; then
-
-cat >>confdefs.h <<\_ACEOF
-#define TIME_WITH_SYS_TIME 1
-_ACEOF
-
-fi
-
-
-if test $ac_cv_c_compiler_gnu = yes; then
-    { echo "$as_me:$LINENO: checking whether $CC needs -traditional" >&5
-echo $ECHO_N "checking whether $CC needs -traditional... $ECHO_C" >&6; }
-if test "${ac_cv_prog_gcc_traditional+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-    ac_pattern="Autoconf.*'x'"
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#include <sgtty.h>
-Autoconf TIOCGETP
-_ACEOF
-if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
-  $EGREP "$ac_pattern" >/dev/null 2>&1; then
-  ac_cv_prog_gcc_traditional=yes
-else
-  ac_cv_prog_gcc_traditional=no
-fi
-rm -f conftest*
-
-
-  if test $ac_cv_prog_gcc_traditional = no; then
-    cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#include <termio.h>
-Autoconf TCGETA
-_ACEOF
-if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
-  $EGREP "$ac_pattern" >/dev/null 2>&1; then
-  ac_cv_prog_gcc_traditional=yes
-fi
-rm -f conftest*
-
-  fi
-fi
-{ echo "$as_me:$LINENO: result: $ac_cv_prog_gcc_traditional" >&5
-echo "${ECHO_T}$ac_cv_prog_gcc_traditional" >&6; }
-  if test $ac_cv_prog_gcc_traditional = yes; then
-    CC="$CC -traditional"
-  fi
-fi
-
-{ echo "$as_me:$LINENO: checking for working memcmp" >&5
-echo $ECHO_N "checking for working memcmp... $ECHO_C" >&6; }
-if test "${ac_cv_func_memcmp_working+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  if test "$cross_compiling" = yes; then
-  ac_cv_func_memcmp_working=no
-else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-$ac_includes_default
-int
-main ()
-{
-
-  /* Some versions of memcmp are not 8-bit clean.  */
-  char c0 = '\100', c1 = '\200', c2 = '\201';
-  if (memcmp(&c0, &c2, 1) >= 0 || memcmp(&c1, &c2, 1) >= 0)
-    return 1;
-
-  /* The Next x86 OpenStep bug shows up only when comparing 16 bytes
-     or more and with at least one buffer not starting on a 4-byte boundary.
-     William Lewis provided this test program.   */
-  {
-    char foo[21];
-    char bar[21];
-    int i;
-    for (i = 0; i < 4; i++)
-      {
-	char *a = foo + i;
-	char *b = bar + i;
-	strcpy (a, "--------01111111");
-	strcpy (b, "--------10000000");
-	if (memcmp (a, b, 16) >= 0)
-	  return 1;
-      }
-    return 0;
-  }
-
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_link") 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
-  { (case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_try") 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_cv_func_memcmp_working=yes
-else
-  echo "$as_me: program exited with status $ac_status" >&5
-echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-( exit $ac_status )
-ac_cv_func_memcmp_working=no
-fi
-rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
-fi
-
-
-fi
-{ echo "$as_me:$LINENO: result: $ac_cv_func_memcmp_working" >&5
-echo "${ECHO_T}$ac_cv_func_memcmp_working" >&6; }
-test $ac_cv_func_memcmp_working = no && case " $LIBOBJS " in
-  *" memcmp.$ac_objext "* ) ;;
-  *) LIBOBJS="$LIBOBJS memcmp.$ac_objext"
- ;;
-esac
-
-
-
-
-
-for ac_func in select socket uname
-do
-as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
-{ echo "$as_me:$LINENO: checking for $ac_func" >&5
-echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; }
-if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-/* Define $ac_func to an innocuous variant, in case <limits.h> declares $ac_func.
-   For example, HP-UX 11i <limits.h> declares gettimeofday.  */
-#define $ac_func innocuous_$ac_func
-
-/* System header to define __stub macros and hopefully few prototypes,
-    which can conflict with char $ac_func (); below.
-    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
-    <limits.h> exists even on freestanding compilers.  */
-
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
-
-#undef $ac_func
-
-/* Override any GCC internal prototype to avoid an error.
-   Use char because int might match the return type of a GCC
-   builtin and then its argument prototype would still apply.  */
-#ifdef __cplusplus
-extern "C"
-#endif
-char $ac_func ();
-/* The GNU C library defines this for functions which it implements
-    to always fail with ENOSYS.  Some functions are actually named
-    something starting with __ and the normal name is an alias.  */
-#if defined __stub_$ac_func || defined __stub___$ac_func
-choke me
-#endif
-
-int
-main ()
-{
-return $ac_func ();
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
-  eval "$as_ac_var=yes"
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	eval "$as_ac_var=no"
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
-fi
-ac_res=`eval echo '${'$as_ac_var'}'`
-	       { echo "$as_me:$LINENO: result: $ac_res" >&5
-echo "${ECHO_T}$ac_res" >&6; }
-if test `eval echo '${'$as_ac_var'}'` = yes; then
-  cat >>confdefs.h <<_ACEOF
-#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
-_ACEOF
-
-fi
-done
-
-
-GETTEXT_PACKAGE=NetworkManager-strongswan
-
-
-cat >>confdefs.h <<_ACEOF
-#define GETTEXT_PACKAGE "$GETTEXT_PACKAGE"
-_ACEOF
-
-
-
-case "$am__api_version" in
-    1.01234)
-	{ { echo "$as_me:$LINENO: error: Automake 1.5 or newer is required to use intltool" >&5
-echo "$as_me: error: Automake 1.5 or newer is required to use intltool" >&2;}
-   { (exit 1); exit 1; }; }
-    ;;
-    *)
-    ;;
-esac
-
-if test -n "0.35"; then
-    { echo "$as_me:$LINENO: checking for intltool >= 0.35" >&5
-echo $ECHO_N "checking for intltool >= 0.35... $ECHO_C" >&6; }
-
-    INTLTOOL_REQUIRED_VERSION_AS_INT=`echo 0.35 | awk -F. '{ print $ 1 * 1000 + $ 2 * 100 + $ 3; }'`
-    INTLTOOL_APPLIED_VERSION=`awk -F\" '/\\$VERSION / { print $ 2; }' ${ac_aux_dir}/intltool-update.in`
-    INTLTOOL_APPLIED_VERSION_AS_INT=`awk -F\" '/\\$VERSION / { split($ 2, VERSION, "."); print VERSION[1] * 1000 + VERSION[2] * 100 + VERSION[3];}' ${ac_aux_dir}/intltool-update.in`
-
-    { echo "$as_me:$LINENO: result: $INTLTOOL_APPLIED_VERSION found" >&5
-echo "${ECHO_T}$INTLTOOL_APPLIED_VERSION found" >&6; }
-    test "$INTLTOOL_APPLIED_VERSION_AS_INT" -ge "$INTLTOOL_REQUIRED_VERSION_AS_INT" ||
-	{ { echo "$as_me:$LINENO: error: Your intltool is too old.  You need intltool 0.35 or later." >&5
-echo "$as_me: error: Your intltool is too old.  You need intltool 0.35 or later." >&2;}
-   { (exit 1); exit 1; }; }
-fi
-
-  INTLTOOL_DESKTOP_RULE='%.desktop:   %.desktop.in   $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -d -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< $@'
-INTLTOOL_DIRECTORY_RULE='%.directory: %.directory.in $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -d -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< $@'
-     INTLTOOL_KEYS_RULE='%.keys:      %.keys.in      $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -k -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< $@'
-     INTLTOOL_PROP_RULE='%.prop:      %.prop.in      $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -d -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< $@'
-      INTLTOOL_OAF_RULE='%.oaf:       %.oaf.in       $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -o -p $(top_srcdir)/po $< $@'
-     INTLTOOL_PONG_RULE='%.pong:      %.pong.in      $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -x -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< $@'
-   INTLTOOL_SERVER_RULE='%.server:    %.server.in    $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -o -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< $@'
-    INTLTOOL_SHEET_RULE='%.sheet:     %.sheet.in     $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -x -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< $@'
-INTLTOOL_SOUNDLIST_RULE='%.soundlist: %.soundlist.in $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -d -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< $@'
-       INTLTOOL_UI_RULE='%.ui:        %.ui.in        $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -x -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< $@'
-      INTLTOOL_XML_RULE='%.xml:       %.xml.in       $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -x -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< $@'
-      INTLTOOL_XML_NOMERGE_RULE='%.xml:       %.xml.in       $(INTLTOOL_MERGE) ; LC_ALL=C $(INTLTOOL_MERGE) -x -u /tmp $< $@'
-      INTLTOOL_XAM_RULE='%.xam:       %.xml.in       $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -x -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< $@'
-      INTLTOOL_KBD_RULE='%.kbd:       %.kbd.in       $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -x -u -m -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< $@'
-    INTLTOOL_CAVES_RULE='%.caves:     %.caves.in     $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -d -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< $@'
-  INTLTOOL_SCHEMAS_RULE='%.schemas:   %.schemas.in   $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -s -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< $@'
-    INTLTOOL_THEME_RULE='%.theme:     %.theme.in     $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -d -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< $@'
-    INTLTOOL_SERVICE_RULE='%.service: %.service.in   $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -d -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< $@'
-   INTLTOOL_POLICY_RULE='%.policy:    %.policy.in    $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -x -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< $@'
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-# Check the gettext tools to make sure they are GNU
-# Extract the first word of "xgettext", so it can be a program name with args.
-set dummy xgettext; ac_word=$2
-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
-if test "${ac_cv_path_XGETTEXT+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  case $XGETTEXT in
-  [\\/]* | ?:[\\/]*)
-  ac_cv_path_XGETTEXT="$XGETTEXT" # Let the user override the test with a path.
-  ;;
-  *)
-  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-    ac_cv_path_XGETTEXT="$as_dir/$ac_word$ac_exec_ext"
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
-    break 2
-  fi
-done
-done
-IFS=$as_save_IFS
-
-  ;;
-esac
-fi
-XGETTEXT=$ac_cv_path_XGETTEXT
-if test -n "$XGETTEXT"; then
-  { echo "$as_me:$LINENO: result: $XGETTEXT" >&5
-echo "${ECHO_T}$XGETTEXT" >&6; }
-else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
-fi
-
-
-# Extract the first word of "msgmerge", so it can be a program name with args.
-set dummy msgmerge; ac_word=$2
-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
-if test "${ac_cv_path_MSGMERGE+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  case $MSGMERGE in
-  [\\/]* | ?:[\\/]*)
-  ac_cv_path_MSGMERGE="$MSGMERGE" # Let the user override the test with a path.
-  ;;
-  *)
-  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-    ac_cv_path_MSGMERGE="$as_dir/$ac_word$ac_exec_ext"
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
-    break 2
-  fi
-done
-done
-IFS=$as_save_IFS
-
-  ;;
-esac
-fi
-MSGMERGE=$ac_cv_path_MSGMERGE
-if test -n "$MSGMERGE"; then
-  { echo "$as_me:$LINENO: result: $MSGMERGE" >&5
-echo "${ECHO_T}$MSGMERGE" >&6; }
-else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
-fi
-
-
-# Extract the first word of "msgfmt", so it can be a program name with args.
-set dummy msgfmt; ac_word=$2
-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
-if test "${ac_cv_path_MSGFMT+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  case $MSGFMT in
-  [\\/]* | ?:[\\/]*)
-  ac_cv_path_MSGFMT="$MSGFMT" # Let the user override the test with a path.
-  ;;
-  *)
-  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-    ac_cv_path_MSGFMT="$as_dir/$ac_word$ac_exec_ext"
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
-    break 2
-  fi
-done
-done
-IFS=$as_save_IFS
-
-  ;;
-esac
-fi
-MSGFMT=$ac_cv_path_MSGFMT
-if test -n "$MSGFMT"; then
-  { echo "$as_me:$LINENO: result: $MSGFMT" >&5
-echo "${ECHO_T}$MSGFMT" >&6; }
-else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
-fi
-
-
-if test -z "$XGETTEXT" -o -z "$MSGMERGE" -o -z "$MSGFMT"; then
-    { { echo "$as_me:$LINENO: error: GNU gettext tools not found; required for intltool" >&5
-echo "$as_me: error: GNU gettext tools not found; required for intltool" >&2;}
-   { (exit 1); exit 1; }; }
-fi
-xgversion="`$XGETTEXT --version|grep '(GNU ' 2> /dev/null`"
-mmversion="`$MSGMERGE --version|grep '(GNU ' 2> /dev/null`"
-mfversion="`$MSGFMT --version|grep '(GNU ' 2> /dev/null`"
-if test -z "$xgversion" -o -z "$mmversion" -o -z "$mfversion"; then
-    { { echo "$as_me:$LINENO: error: GNU gettext tools not found; required for intltool" >&5
-echo "$as_me: error: GNU gettext tools not found; required for intltool" >&2;}
-   { (exit 1); exit 1; }; }
-fi
-
-# Use the tools built into the package, not the ones that are installed.
-INTLTOOL_EXTRACT='$(top_builddir)/intltool-extract'
-
-INTLTOOL_MERGE='$(top_builddir)/intltool-merge'
-
-INTLTOOL_UPDATE='$(top_builddir)/intltool-update'
-
-
-# Extract the first word of "perl", so it can be a program name with args.
-set dummy perl; ac_word=$2
-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
-if test "${ac_cv_path_INTLTOOL_PERL+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  case $INTLTOOL_PERL in
-  [\\/]* | ?:[\\/]*)
-  ac_cv_path_INTLTOOL_PERL="$INTLTOOL_PERL" # Let the user override the test with a path.
-  ;;
-  *)
-  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-    ac_cv_path_INTLTOOL_PERL="$as_dir/$ac_word$ac_exec_ext"
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
-    break 2
-  fi
-done
-done
-IFS=$as_save_IFS
-
-  ;;
-esac
-fi
-INTLTOOL_PERL=$ac_cv_path_INTLTOOL_PERL
-if test -n "$INTLTOOL_PERL"; then
-  { echo "$as_me:$LINENO: result: $INTLTOOL_PERL" >&5
-echo "${ECHO_T}$INTLTOOL_PERL" >&6; }
-else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
-fi
-
-
-if test -z "$INTLTOOL_PERL"; then
-   { { echo "$as_me:$LINENO: error: perl not found; required for intltool" >&5
-echo "$as_me: error: perl not found; required for intltool" >&2;}
-   { (exit 1); exit 1; }; }
-fi
-if test -z "`$INTLTOOL_PERL -v | fgrep '5.' 2> /dev/null`"; then
-   { { echo "$as_me:$LINENO: error: perl 5.x required for intltool" >&5
-echo "$as_me: error: perl 5.x required for intltool" >&2;}
-   { (exit 1); exit 1; }; }
-fi
-if test "x" != "xno-xml"; then
-   { echo "$as_me:$LINENO: checking for XML::Parser" >&5
-echo $ECHO_N "checking for XML::Parser... $ECHO_C" >&6; }
-   if `$INTLTOOL_PERL -e "require XML::Parser" 2>/dev/null`; then
-       { echo "$as_me:$LINENO: result: ok" >&5
-echo "${ECHO_T}ok" >&6; }
-   else
-       { { echo "$as_me:$LINENO: error: XML::Parser perl module is required for intltool" >&5
-echo "$as_me: error: XML::Parser perl module is required for intltool" >&2;}
-   { (exit 1); exit 1; }; }
-   fi
-fi
-
-# Substitute ALL_LINGUAS so we can use it in po/Makefile
-
-
-# Set DATADIRNAME correctly if it is not set yet
-# (copied from glib-gettext.m4)
-if test -z "$DATADIRNAME"; then
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-int
-main ()
-{
-extern int _nl_msg_cat_cntr;
-                       return _nl_msg_cat_cntr
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
-  DATADIRNAME=share
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	case $host in
-    *-*-solaris*)
-                        { echo "$as_me:$LINENO: checking for bind_textdomain_codeset" >&5
-echo $ECHO_N "checking for bind_textdomain_codeset... $ECHO_C" >&6; }
-if test "${ac_cv_func_bind_textdomain_codeset+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-/* Define bind_textdomain_codeset to an innocuous variant, in case <limits.h> declares bind_textdomain_codeset.
-   For example, HP-UX 11i <limits.h> declares gettimeofday.  */
-#define bind_textdomain_codeset innocuous_bind_textdomain_codeset
-
-/* System header to define __stub macros and hopefully few prototypes,
-    which can conflict with char bind_textdomain_codeset (); below.
-    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
-    <limits.h> exists even on freestanding compilers.  */
-
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
-
-#undef bind_textdomain_codeset
-
-/* Override any GCC internal prototype to avoid an error.
-   Use char because int might match the return type of a GCC
-   builtin and then its argument prototype would still apply.  */
-#ifdef __cplusplus
-extern "C"
-#endif
-char bind_textdomain_codeset ();
-/* The GNU C library defines this for functions which it implements
-    to always fail with ENOSYS.  Some functions are actually named
-    something starting with __ and the normal name is an alias.  */
-#if defined __stub_bind_textdomain_codeset || defined __stub___bind_textdomain_codeset
-choke me
-#endif
-
-int
-main ()
-{
-return bind_textdomain_codeset ();
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
-  ac_cv_func_bind_textdomain_codeset=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_cv_func_bind_textdomain_codeset=no
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
-fi
-{ echo "$as_me:$LINENO: result: $ac_cv_func_bind_textdomain_codeset" >&5
-echo "${ECHO_T}$ac_cv_func_bind_textdomain_codeset" >&6; }
-if test $ac_cv_func_bind_textdomain_codeset = yes; then
-  DATADIRNAME=share
-else
-  DATADIRNAME=lib
-fi
-
-    ;;
-    *)
-    DATADIRNAME=lib
-    ;;
-    esac
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
-fi
-
-
-
-
-
-ac_config_commands="$ac_config_commands intltool"
-
-
-
-
-
-for ac_header in locale.h
-do
-as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
-if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
-  { echo "$as_me:$LINENO: checking for $ac_header" >&5
-echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
-if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-fi
-ac_res=`eval echo '${'$as_ac_Header'}'`
-	       { echo "$as_me:$LINENO: result: $ac_res" >&5
-echo "${ECHO_T}$ac_res" >&6; }
-else
-  # Is the header compilable?
-{ echo "$as_me:$LINENO: checking $ac_header usability" >&5
-echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6; }
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-$ac_includes_default
-#include <$ac_header>
-_ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  ac_header_compiler=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_header_compiler=no
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
-echo "${ECHO_T}$ac_header_compiler" >&6; }
-
-# Is the header present?
-{ echo "$as_me:$LINENO: checking $ac_header presence" >&5
-echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6; }
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#include <$ac_header>
-_ACEOF
-if { (ac_try="$ac_cpp conftest.$ac_ext"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } >/dev/null && {
-	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       }; then
-  ac_header_preproc=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-  ac_header_preproc=no
-fi
-
-rm -f conftest.err conftest.$ac_ext
-{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
-echo "${ECHO_T}$ac_header_preproc" >&6; }
-
-# So?  What about this header?
-case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
-  yes:no: )
-    { echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5
-echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;}
-    { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the compiler's result" >&5
-echo "$as_me: WARNING: $ac_header: proceeding with the compiler's result" >&2;}
-    ac_header_preproc=yes
-    ;;
-  no:yes:* )
-    { echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5
-echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;}
-    { echo "$as_me:$LINENO: WARNING: $ac_header:     check for missing prerequisite headers?" >&5
-echo "$as_me: WARNING: $ac_header:     check for missing prerequisite headers?" >&2;}
-    { echo "$as_me:$LINENO: WARNING: $ac_header: see the Autoconf documentation" >&5
-echo "$as_me: WARNING: $ac_header: see the Autoconf documentation" >&2;}
-    { echo "$as_me:$LINENO: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\"" >&5
-echo "$as_me: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\"" >&2;}
-    { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5
-echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;}
-    { echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5
-echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;}
-    ( cat <<\_ASBOX
-## ------------------------------------ ##
-## Report this to martin@strongswan.org ##
-## ------------------------------------ ##
-_ASBOX
-     ) | sed "s/^/$as_me: WARNING:     /" >&2
-    ;;
-esac
-{ echo "$as_me:$LINENO: checking for $ac_header" >&5
-echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
-if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  eval "$as_ac_Header=\$ac_header_preproc"
-fi
-ac_res=`eval echo '${'$as_ac_Header'}'`
-	       { echo "$as_me:$LINENO: result: $ac_res" >&5
-echo "${ECHO_T}$ac_res" >&6; }
-
-fi
-if test `eval echo '${'$as_ac_Header'}'` = yes; then
-  cat >>confdefs.h <<_ACEOF
-#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
-_ACEOF
-
-fi
-
-done
-
-    if test $ac_cv_header_locale_h = yes; then
-    { echo "$as_me:$LINENO: checking for LC_MESSAGES" >&5
-echo $ECHO_N "checking for LC_MESSAGES... $ECHO_C" >&6; }
-if test "${am_cv_val_LC_MESSAGES+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#include <locale.h>
-int
-main ()
-{
-return LC_MESSAGES
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
-  am_cv_val_LC_MESSAGES=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	am_cv_val_LC_MESSAGES=no
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
-fi
-{ echo "$as_me:$LINENO: result: $am_cv_val_LC_MESSAGES" >&5
-echo "${ECHO_T}$am_cv_val_LC_MESSAGES" >&6; }
-    if test $am_cv_val_LC_MESSAGES = yes; then
-
-cat >>confdefs.h <<\_ACEOF
-#define HAVE_LC_MESSAGES 1
-_ACEOF
-
-    fi
-  fi
-     USE_NLS=yes
-
-
-    gt_cv_have_gettext=no
-
-    CATOBJEXT=NONE
-    XGETTEXT=:
-    INTLLIBS=
-
-    if test "${ac_cv_header_libintl_h+set}" = set; then
-  { echo "$as_me:$LINENO: checking for libintl.h" >&5
-echo $ECHO_N "checking for libintl.h... $ECHO_C" >&6; }
-if test "${ac_cv_header_libintl_h+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-fi
-{ echo "$as_me:$LINENO: result: $ac_cv_header_libintl_h" >&5
-echo "${ECHO_T}$ac_cv_header_libintl_h" >&6; }
-else
-  # Is the header compilable?
-{ echo "$as_me:$LINENO: checking libintl.h usability" >&5
-echo $ECHO_N "checking libintl.h usability... $ECHO_C" >&6; }
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-$ac_includes_default
-#include <libintl.h>
-_ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  ac_header_compiler=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_header_compiler=no
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
-echo "${ECHO_T}$ac_header_compiler" >&6; }
-
-# Is the header present?
-{ echo "$as_me:$LINENO: checking libintl.h presence" >&5
-echo $ECHO_N "checking libintl.h presence... $ECHO_C" >&6; }
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#include <libintl.h>
-_ACEOF
-if { (ac_try="$ac_cpp conftest.$ac_ext"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } >/dev/null && {
-	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       }; then
-  ac_header_preproc=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-  ac_header_preproc=no
-fi
-
-rm -f conftest.err conftest.$ac_ext
-{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
-echo "${ECHO_T}$ac_header_preproc" >&6; }
-
-# So?  What about this header?
-case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
-  yes:no: )
-    { echo "$as_me:$LINENO: WARNING: libintl.h: accepted by the compiler, rejected by the preprocessor!" >&5
-echo "$as_me: WARNING: libintl.h: accepted by the compiler, rejected by the preprocessor!" >&2;}
-    { echo "$as_me:$LINENO: WARNING: libintl.h: proceeding with the compiler's result" >&5
-echo "$as_me: WARNING: libintl.h: proceeding with the compiler's result" >&2;}
-    ac_header_preproc=yes
-    ;;
-  no:yes:* )
-    { echo "$as_me:$LINENO: WARNING: libintl.h: present but cannot be compiled" >&5
-echo "$as_me: WARNING: libintl.h: present but cannot be compiled" >&2;}
-    { echo "$as_me:$LINENO: WARNING: libintl.h:     check for missing prerequisite headers?" >&5
-echo "$as_me: WARNING: libintl.h:     check for missing prerequisite headers?" >&2;}
-    { echo "$as_me:$LINENO: WARNING: libintl.h: see the Autoconf documentation" >&5
-echo "$as_me: WARNING: libintl.h: see the Autoconf documentation" >&2;}
-    { echo "$as_me:$LINENO: WARNING: libintl.h:     section \"Present But Cannot Be Compiled\"" >&5
-echo "$as_me: WARNING: libintl.h:     section \"Present But Cannot Be Compiled\"" >&2;}
-    { echo "$as_me:$LINENO: WARNING: libintl.h: proceeding with the preprocessor's result" >&5
-echo "$as_me: WARNING: libintl.h: proceeding with the preprocessor's result" >&2;}
-    { echo "$as_me:$LINENO: WARNING: libintl.h: in the future, the compiler will take precedence" >&5
-echo "$as_me: WARNING: libintl.h: in the future, the compiler will take precedence" >&2;}
-    ( cat <<\_ASBOX
-## ------------------------------------ ##
-## Report this to martin@strongswan.org ##
-## ------------------------------------ ##
-_ASBOX
-     ) | sed "s/^/$as_me: WARNING:     /" >&2
-    ;;
-esac
-{ echo "$as_me:$LINENO: checking for libintl.h" >&5
-echo $ECHO_N "checking for libintl.h... $ECHO_C" >&6; }
-if test "${ac_cv_header_libintl_h+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  ac_cv_header_libintl_h=$ac_header_preproc
-fi
-{ echo "$as_me:$LINENO: result: $ac_cv_header_libintl_h" >&5
-echo "${ECHO_T}$ac_cv_header_libintl_h" >&6; }
-
-fi
-if test $ac_cv_header_libintl_h = yes; then
-  gt_cv_func_dgettext_libintl="no"
-      libintl_extra_libs=""
-
-      #
-      # First check in libc
-      #
-      { echo "$as_me:$LINENO: checking for ngettext in libc" >&5
-echo $ECHO_N "checking for ngettext in libc... $ECHO_C" >&6; }
-if test "${gt_cv_func_ngettext_libc+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-#include <libintl.h>
-
-int
-main ()
-{
-return !ngettext ("","", 1)
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
-  gt_cv_func_ngettext_libc=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	gt_cv_func_ngettext_libc=no
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
-
-fi
-{ echo "$as_me:$LINENO: result: $gt_cv_func_ngettext_libc" >&5
-echo "${ECHO_T}$gt_cv_func_ngettext_libc" >&6; }
-
-      if test "$gt_cv_func_ngettext_libc" = "yes" ; then
-	      { echo "$as_me:$LINENO: checking for dgettext in libc" >&5
-echo $ECHO_N "checking for dgettext in libc... $ECHO_C" >&6; }
-if test "${gt_cv_func_dgettext_libc+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-#include <libintl.h>
-
-int
-main ()
-{
-return !dgettext ("","")
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
-  gt_cv_func_dgettext_libc=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	gt_cv_func_dgettext_libc=no
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
-
-fi
-{ echo "$as_me:$LINENO: result: $gt_cv_func_dgettext_libc" >&5
-echo "${ECHO_T}$gt_cv_func_dgettext_libc" >&6; }
-      fi
-
-      if test "$gt_cv_func_ngettext_libc" = "yes" ; then
-
-for ac_func in bind_textdomain_codeset
-do
-as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
-{ echo "$as_me:$LINENO: checking for $ac_func" >&5
-echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; }
-if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-/* Define $ac_func to an innocuous variant, in case <limits.h> declares $ac_func.
-   For example, HP-UX 11i <limits.h> declares gettimeofday.  */
-#define $ac_func innocuous_$ac_func
-
-/* System header to define __stub macros and hopefully few prototypes,
-    which can conflict with char $ac_func (); below.
-    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
-    <limits.h> exists even on freestanding compilers.  */
-
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
-
-#undef $ac_func
-
-/* Override any GCC internal prototype to avoid an error.
-   Use char because int might match the return type of a GCC
-   builtin and then its argument prototype would still apply.  */
-#ifdef __cplusplus
-extern "C"
-#endif
-char $ac_func ();
-/* The GNU C library defines this for functions which it implements
-    to always fail with ENOSYS.  Some functions are actually named
-    something starting with __ and the normal name is an alias.  */
-#if defined __stub_$ac_func || defined __stub___$ac_func
-choke me
-#endif
-
-int
-main ()
-{
-return $ac_func ();
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
-  eval "$as_ac_var=yes"
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	eval "$as_ac_var=no"
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
-fi
-ac_res=`eval echo '${'$as_ac_var'}'`
-	       { echo "$as_me:$LINENO: result: $ac_res" >&5
-echo "${ECHO_T}$ac_res" >&6; }
-if test `eval echo '${'$as_ac_var'}'` = yes; then
-  cat >>confdefs.h <<_ACEOF
-#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
-_ACEOF
-
-fi
-done
-
-      fi
-
-      #
-      # If we don't have everything we want, check in libintl
-      #
-      if test "$gt_cv_func_dgettext_libc" != "yes" \
-	 || test "$gt_cv_func_ngettext_libc" != "yes" \
-         || test "$ac_cv_func_bind_textdomain_codeset" != "yes" ; then
-
-        { echo "$as_me:$LINENO: checking for bindtextdomain in -lintl" >&5
-echo $ECHO_N "checking for bindtextdomain in -lintl... $ECHO_C" >&6; }
-if test "${ac_cv_lib_intl_bindtextdomain+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  ac_check_lib_save_LIBS=$LIBS
-LIBS="-lintl  $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-/* Override any GCC internal prototype to avoid an error.
-   Use char because int might match the return type of a GCC
-   builtin and then its argument prototype would still apply.  */
-#ifdef __cplusplus
-extern "C"
-#endif
-char bindtextdomain ();
-int
-main ()
-{
-return bindtextdomain ();
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
-  ac_cv_lib_intl_bindtextdomain=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_cv_lib_intl_bindtextdomain=no
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-{ echo "$as_me:$LINENO: result: $ac_cv_lib_intl_bindtextdomain" >&5
-echo "${ECHO_T}$ac_cv_lib_intl_bindtextdomain" >&6; }
-if test $ac_cv_lib_intl_bindtextdomain = yes; then
-  { echo "$as_me:$LINENO: checking for ngettext in -lintl" >&5
-echo $ECHO_N "checking for ngettext in -lintl... $ECHO_C" >&6; }
-if test "${ac_cv_lib_intl_ngettext+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  ac_check_lib_save_LIBS=$LIBS
-LIBS="-lintl  $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-/* Override any GCC internal prototype to avoid an error.
-   Use char because int might match the return type of a GCC
-   builtin and then its argument prototype would still apply.  */
-#ifdef __cplusplus
-extern "C"
-#endif
-char ngettext ();
-int
-main ()
-{
-return ngettext ();
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
-  ac_cv_lib_intl_ngettext=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_cv_lib_intl_ngettext=no
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-{ echo "$as_me:$LINENO: result: $ac_cv_lib_intl_ngettext" >&5
-echo "${ECHO_T}$ac_cv_lib_intl_ngettext" >&6; }
-if test $ac_cv_lib_intl_ngettext = yes; then
-  { echo "$as_me:$LINENO: checking for dgettext in -lintl" >&5
-echo $ECHO_N "checking for dgettext in -lintl... $ECHO_C" >&6; }
-if test "${ac_cv_lib_intl_dgettext+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  ac_check_lib_save_LIBS=$LIBS
-LIBS="-lintl  $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-/* Override any GCC internal prototype to avoid an error.
-   Use char because int might match the return type of a GCC
-   builtin and then its argument prototype would still apply.  */
-#ifdef __cplusplus
-extern "C"
-#endif
-char dgettext ();
-int
-main ()
-{
-return dgettext ();
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
-  ac_cv_lib_intl_dgettext=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_cv_lib_intl_dgettext=no
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-{ echo "$as_me:$LINENO: result: $ac_cv_lib_intl_dgettext" >&5
-echo "${ECHO_T}$ac_cv_lib_intl_dgettext" >&6; }
-if test $ac_cv_lib_intl_dgettext = yes; then
-  gt_cv_func_dgettext_libintl=yes
-fi
-
-fi
-
-fi
-
-
-	if test "$gt_cv_func_dgettext_libintl" != "yes" ; then
-	  { echo "$as_me:$LINENO: checking if -liconv is needed to use gettext" >&5
-echo $ECHO_N "checking if -liconv is needed to use gettext... $ECHO_C" >&6; }
-	  { echo "$as_me:$LINENO: result: " >&5
-echo "${ECHO_T}" >&6; }
-  	  { echo "$as_me:$LINENO: checking for ngettext in -lintl" >&5
-echo $ECHO_N "checking for ngettext in -lintl... $ECHO_C" >&6; }
-if test "${ac_cv_lib_intl_ngettext+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  ac_check_lib_save_LIBS=$LIBS
-LIBS="-lintl -liconv $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-/* Override any GCC internal prototype to avoid an error.
-   Use char because int might match the return type of a GCC
-   builtin and then its argument prototype would still apply.  */
-#ifdef __cplusplus
-extern "C"
-#endif
-char ngettext ();
-int
-main ()
-{
-return ngettext ();
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
-  ac_cv_lib_intl_ngettext=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_cv_lib_intl_ngettext=no
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-{ echo "$as_me:$LINENO: result: $ac_cv_lib_intl_ngettext" >&5
-echo "${ECHO_T}$ac_cv_lib_intl_ngettext" >&6; }
-if test $ac_cv_lib_intl_ngettext = yes; then
-  { echo "$as_me:$LINENO: checking for dcgettext in -lintl" >&5
-echo $ECHO_N "checking for dcgettext in -lintl... $ECHO_C" >&6; }
-if test "${ac_cv_lib_intl_dcgettext+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  ac_check_lib_save_LIBS=$LIBS
-LIBS="-lintl -liconv $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-/* Override any GCC internal prototype to avoid an error.
-   Use char because int might match the return type of a GCC
-   builtin and then its argument prototype would still apply.  */
-#ifdef __cplusplus
-extern "C"
-#endif
-char dcgettext ();
-int
-main ()
-{
-return dcgettext ();
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
-  ac_cv_lib_intl_dcgettext=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_cv_lib_intl_dcgettext=no
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-{ echo "$as_me:$LINENO: result: $ac_cv_lib_intl_dcgettext" >&5
-echo "${ECHO_T}$ac_cv_lib_intl_dcgettext" >&6; }
-if test $ac_cv_lib_intl_dcgettext = yes; then
-  gt_cv_func_dgettext_libintl=yes
-			libintl_extra_libs=-liconv
-else
-  :
-fi
-
-else
-  :
-fi
-
-        fi
-
-        #
-        # If we found libintl, then check in it for bind_textdomain_codeset();
-        # we'll prefer libc if neither have bind_textdomain_codeset(),
-        # and both have dgettext and ngettext
-        #
-        if test "$gt_cv_func_dgettext_libintl" = "yes" ; then
-          glib_save_LIBS="$LIBS"
-          LIBS="$LIBS -lintl $libintl_extra_libs"
-          unset ac_cv_func_bind_textdomain_codeset
-
-for ac_func in bind_textdomain_codeset
-do
-as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
-{ echo "$as_me:$LINENO: checking for $ac_func" >&5
-echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; }
-if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-/* Define $ac_func to an innocuous variant, in case <limits.h> declares $ac_func.
-   For example, HP-UX 11i <limits.h> declares gettimeofday.  */
-#define $ac_func innocuous_$ac_func
-
-/* System header to define __stub macros and hopefully few prototypes,
-    which can conflict with char $ac_func (); below.
-    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
-    <limits.h> exists even on freestanding compilers.  */
-
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
-
-#undef $ac_func
-
-/* Override any GCC internal prototype to avoid an error.
-   Use char because int might match the return type of a GCC
-   builtin and then its argument prototype would still apply.  */
-#ifdef __cplusplus
-extern "C"
-#endif
-char $ac_func ();
-/* The GNU C library defines this for functions which it implements
-    to always fail with ENOSYS.  Some functions are actually named
-    something starting with __ and the normal name is an alias.  */
-#if defined __stub_$ac_func || defined __stub___$ac_func
-choke me
-#endif
-
-int
-main ()
-{
-return $ac_func ();
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
-  eval "$as_ac_var=yes"
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	eval "$as_ac_var=no"
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
-fi
-ac_res=`eval echo '${'$as_ac_var'}'`
-	       { echo "$as_me:$LINENO: result: $ac_res" >&5
-echo "${ECHO_T}$ac_res" >&6; }
-if test `eval echo '${'$as_ac_var'}'` = yes; then
-  cat >>confdefs.h <<_ACEOF
-#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
-_ACEOF
-
-fi
-done
-
-          LIBS="$glib_save_LIBS"
-
-          if test "$ac_cv_func_bind_textdomain_codeset" = "yes" ; then
-            gt_cv_func_dgettext_libc=no
-          else
-            if test "$gt_cv_func_dgettext_libc" = "yes" \
-		&& test "$gt_cv_func_ngettext_libc" = "yes"; then
-              gt_cv_func_dgettext_libintl=no
-            fi
-          fi
-        fi
-      fi
-
-      if test "$gt_cv_func_dgettext_libc" = "yes" \
-	|| test "$gt_cv_func_dgettext_libintl" = "yes"; then
-        gt_cv_have_gettext=yes
-      fi
-
-      if test "$gt_cv_func_dgettext_libintl" = "yes"; then
-        INTLLIBS="-lintl $libintl_extra_libs"
-      fi
-
-      if test "$gt_cv_have_gettext" = "yes"; then
-
-cat >>confdefs.h <<\_ACEOF
-#define HAVE_GETTEXT 1
-_ACEOF
-
-	# Extract the first word of "msgfmt", so it can be a program name with args.
-set dummy msgfmt; ac_word=$2
-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
-if test "${ac_cv_path_MSGFMT+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  case "$MSGFMT" in
-  /*)
-  ac_cv_path_MSGFMT="$MSGFMT" # Let the user override the test with a path.
-  ;;
-  *)
-  IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS="${IFS}:"
-  for ac_dir in $PATH; do
-    test -z "$ac_dir" && ac_dir=.
-    if test -f $ac_dir/$ac_word; then
-      if test -z "`$ac_dir/$ac_word -h 2>&1 | grep 'dv '`"; then
-	ac_cv_path_MSGFMT="$ac_dir/$ac_word"
-	break
-      fi
-    fi
-  done
-  IFS="$ac_save_ifs"
-  test -z "$ac_cv_path_MSGFMT" && ac_cv_path_MSGFMT="no"
-  ;;
-esac
-fi
-MSGFMT="$ac_cv_path_MSGFMT"
-if test "$MSGFMT" != "no"; then
-  { echo "$as_me:$LINENO: result: $MSGFMT" >&5
-echo "${ECHO_T}$MSGFMT" >&6; }
-else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
-fi
-	if test "$MSGFMT" != "no"; then
-          glib_save_LIBS="$LIBS"
-          LIBS="$LIBS $INTLLIBS"
-
-for ac_func in dcgettext
-do
-as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
-{ echo "$as_me:$LINENO: checking for $ac_func" >&5
-echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; }
-if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-/* Define $ac_func to an innocuous variant, in case <limits.h> declares $ac_func.
-   For example, HP-UX 11i <limits.h> declares gettimeofday.  */
-#define $ac_func innocuous_$ac_func
-
-/* System header to define __stub macros and hopefully few prototypes,
-    which can conflict with char $ac_func (); below.
-    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
-    <limits.h> exists even on freestanding compilers.  */
-
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
-
-#undef $ac_func
-
-/* Override any GCC internal prototype to avoid an error.
-   Use char because int might match the return type of a GCC
-   builtin and then its argument prototype would still apply.  */
-#ifdef __cplusplus
-extern "C"
-#endif
-char $ac_func ();
-/* The GNU C library defines this for functions which it implements
-    to always fail with ENOSYS.  Some functions are actually named
-    something starting with __ and the normal name is an alias.  */
-#if defined __stub_$ac_func || defined __stub___$ac_func
-choke me
-#endif
-
-int
-main ()
-{
-return $ac_func ();
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
-  eval "$as_ac_var=yes"
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	eval "$as_ac_var=no"
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
-fi
-ac_res=`eval echo '${'$as_ac_var'}'`
-	       { echo "$as_me:$LINENO: result: $ac_res" >&5
-echo "${ECHO_T}$ac_res" >&6; }
-if test `eval echo '${'$as_ac_var'}'` = yes; then
-  cat >>confdefs.h <<_ACEOF
-#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
-_ACEOF
-
-fi
-done
-
-	  MSGFMT_OPTS=
-	  { echo "$as_me:$LINENO: checking if msgfmt accepts -c" >&5
-echo $ECHO_N "checking if msgfmt accepts -c... $ECHO_C" >&6; }
-	  cat >conftest.foo <<_ACEOF
-
-msgid ""
-msgstr ""
-"Content-Type: text/plain; charset=UTF-8\n"
-"Project-Id-Version: test 1.0\n"
-"PO-Revision-Date: 2007-02-15 12:01+0100\n"
-"Last-Translator: test <foo@bar.xx>\n"
-"Language-Team: C <LL@li.org>\n"
-"MIME-Version: 1.0\n"
-"Content-Transfer-Encoding: 8bit\n"
-
-_ACEOF
-if { (echo "$as_me:$LINENO: \$MSGFMT -c -o /dev/null conftest.foo") >&5
-  ($MSGFMT -c -o /dev/null conftest.foo) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; then
-  MSGFMT_OPTS=-c; { echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6; }
-else { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
-echo "$as_me: failed input was:" >&5
-sed 's/^/| /' conftest.foo >&5
-fi
-
-	  # Extract the first word of "gmsgfmt", so it can be a program name with args.
-set dummy gmsgfmt; ac_word=$2
-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
-if test "${ac_cv_path_GMSGFMT+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  case $GMSGFMT in
-  [\\/]* | ?:[\\/]*)
-  ac_cv_path_GMSGFMT="$GMSGFMT" # Let the user override the test with a path.
-  ;;
-  *)
-  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-    ac_cv_path_GMSGFMT="$as_dir/$ac_word$ac_exec_ext"
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
-    break 2
-  fi
-done
-done
-IFS=$as_save_IFS
-
-  test -z "$ac_cv_path_GMSGFMT" && ac_cv_path_GMSGFMT="$MSGFMT"
-  ;;
-esac
-fi
-GMSGFMT=$ac_cv_path_GMSGFMT
-if test -n "$GMSGFMT"; then
-  { echo "$as_me:$LINENO: result: $GMSGFMT" >&5
-echo "${ECHO_T}$GMSGFMT" >&6; }
-else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
-fi
-
-
-	  # Extract the first word of "xgettext", so it can be a program name with args.
-set dummy xgettext; ac_word=$2
-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
-if test "${ac_cv_path_XGETTEXT+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  case "$XGETTEXT" in
-  /*)
-  ac_cv_path_XGETTEXT="$XGETTEXT" # Let the user override the test with a path.
-  ;;
-  *)
-  IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS="${IFS}:"
-  for ac_dir in $PATH; do
-    test -z "$ac_dir" && ac_dir=.
-    if test -f $ac_dir/$ac_word; then
-      if test -z "`$ac_dir/$ac_word -h 2>&1 | grep '(HELP)'`"; then
-	ac_cv_path_XGETTEXT="$ac_dir/$ac_word"
-	break
-      fi
-    fi
-  done
-  IFS="$ac_save_ifs"
-  test -z "$ac_cv_path_XGETTEXT" && ac_cv_path_XGETTEXT=":"
-  ;;
-esac
-fi
-XGETTEXT="$ac_cv_path_XGETTEXT"
-if test "$XGETTEXT" != ":"; then
-  { echo "$as_me:$LINENO: result: $XGETTEXT" >&5
-echo "${ECHO_T}$XGETTEXT" >&6; }
-else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
-fi
-
-	  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-int
-main ()
-{
-extern int _nl_msg_cat_cntr;
-			 return _nl_msg_cat_cntr
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
-  CATOBJEXT=.gmo
-             DATADIRNAME=share
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	case $host in
-	    *-*-solaris*)
-	    	                	    	                { echo "$as_me:$LINENO: checking for bind_textdomain_codeset" >&5
-echo $ECHO_N "checking for bind_textdomain_codeset... $ECHO_C" >&6; }
-if test "${ac_cv_func_bind_textdomain_codeset+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-/* Define bind_textdomain_codeset to an innocuous variant, in case <limits.h> declares bind_textdomain_codeset.
-   For example, HP-UX 11i <limits.h> declares gettimeofday.  */
-#define bind_textdomain_codeset innocuous_bind_textdomain_codeset
-
-/* System header to define __stub macros and hopefully few prototypes,
-    which can conflict with char bind_textdomain_codeset (); below.
-    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
-    <limits.h> exists even on freestanding compilers.  */
-
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
-
-#undef bind_textdomain_codeset
-
-/* Override any GCC internal prototype to avoid an error.
-   Use char because int might match the return type of a GCC
-   builtin and then its argument prototype would still apply.  */
-#ifdef __cplusplus
-extern "C"
-#endif
-char bind_textdomain_codeset ();
-/* The GNU C library defines this for functions which it implements
-    to always fail with ENOSYS.  Some functions are actually named
-    something starting with __ and the normal name is an alias.  */
-#if defined __stub_bind_textdomain_codeset || defined __stub___bind_textdomain_codeset
-choke me
-#endif
-
-int
-main ()
-{
-return bind_textdomain_codeset ();
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
-  ac_cv_func_bind_textdomain_codeset=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_cv_func_bind_textdomain_codeset=no
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
-fi
-{ echo "$as_me:$LINENO: result: $ac_cv_func_bind_textdomain_codeset" >&5
-echo "${ECHO_T}$ac_cv_func_bind_textdomain_codeset" >&6; }
-if test $ac_cv_func_bind_textdomain_codeset = yes; then
-  CATOBJEXT=.gmo
-               DATADIRNAME=share
-else
-  CATOBJEXT=.mo
-               DATADIRNAME=lib
-fi
-
-	    ;;
-	    *)
-	    CATOBJEXT=.mo
-            DATADIRNAME=lib
-	    ;;
-	    esac
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
-          LIBS="$glib_save_LIBS"
-	  INSTOBJEXT=.mo
-	else
-	  gt_cv_have_gettext=no
-	fi
-      fi
-
-fi
-
-
-
-    if test "$gt_cv_have_gettext" = "yes" ; then
-
-cat >>confdefs.h <<\_ACEOF
-#define ENABLE_NLS 1
-_ACEOF
-
-    fi
-
-        if test "$XGETTEXT" != ":"; then
-                  if $XGETTEXT --omit-header /dev/null 2> /dev/null; then
-        : ;
-      else
-        { echo "$as_me:$LINENO: result: found xgettext program is not GNU xgettext; ignore it" >&5
-echo "${ECHO_T}found xgettext program is not GNU xgettext; ignore it" >&6; }
-        XGETTEXT=":"
-      fi
-    fi
-
-    # We need to process the po/ directory.
-    POSUB=po
-
-    ac_config_commands="$ac_config_commands default-1"
-
-
-                for lang in $ALL_LINGUAS; do
-      GMOFILES="$GMOFILES $lang.gmo"
-      POFILES="$POFILES $lang.po"
-    done
-
-
-
-
-
-
-
-
-
-
-
-
-
-   if test "$gt_cv_have_gettext" = "yes"; then
-     if test "x$ALL_LINGUAS" = "x"; then
-       LINGUAS=
-     else
-       { echo "$as_me:$LINENO: checking for catalogs to be installed" >&5
-echo $ECHO_N "checking for catalogs to be installed... $ECHO_C" >&6; }
-       NEW_LINGUAS=
-       for presentlang in $ALL_LINGUAS; do
-         useit=no
-         if test "%UNSET%" != "${LINGUAS-%UNSET%}"; then
-           desiredlanguages="$LINGUAS"
-         else
-           desiredlanguages="$ALL_LINGUAS"
-         fi
-         for desiredlang in $desiredlanguages; do
- 	   # Use the presentlang catalog if desiredlang is
-           #   a. equal to presentlang, or
-           #   b. a variant of presentlang (because in this case,
-           #      presentlang can be used as a fallback for messages
-           #      which are not translated in the desiredlang catalog).
-           case "$desiredlang" in
-             "$presentlang"*) useit=yes;;
-           esac
-         done
-         if test $useit = yes; then
-           NEW_LINGUAS="$NEW_LINGUAS $presentlang"
-         fi
-       done
-       LINGUAS=$NEW_LINGUAS
-       { echo "$as_me:$LINENO: result: $LINGUAS" >&5
-echo "${ECHO_T}$LINGUAS" >&6; }
-     fi
-
-          if test -n "$LINGUAS"; then
-       for lang in $LINGUAS; do CATALOGS="$CATALOGS $lang$CATOBJEXT"; done
-     fi
-   fi
-
-            MKINSTALLDIRS=
-   if test -n "$ac_aux_dir"; then
-     MKINSTALLDIRS="$ac_aux_dir/mkinstalldirs"
-   fi
-   if test -z "$MKINSTALLDIRS"; then
-     MKINSTALLDIRS="\$(top_srcdir)/mkinstalldirs"
-   fi
-
-
-         test -d po || mkdir po
-   if test "x$srcdir" != "x."; then
-     if test "x`echo $srcdir | sed 's@/.*@@'`" = "x"; then
-       posrcprefix="$srcdir/"
-     else
-       posrcprefix="../$srcdir/"
-     fi
-   else
-     posrcprefix="../"
-   fi
-   rm -f po/POTFILES
-   sed -e "/^#/d" -e "/^\$/d" -e "s,.*,	$posrcprefix& \\\\," -e "\$s/\(.*\) \\\\/\1/" \
-	< $srcdir/po/POTFILES.in > po/POTFILES
-
-
-
-
-if test "x$ac_cv_env_PKG_CONFIG_set" != "xset"; then
-	if test -n "$ac_tool_prefix"; then
-  # Extract the first word of "${ac_tool_prefix}pkg-config", so it can be a program name with args.
-set dummy ${ac_tool_prefix}pkg-config; ac_word=$2
-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
-if test "${ac_cv_path_PKG_CONFIG+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  case $PKG_CONFIG in
-  [\\/]* | ?:[\\/]*)
-  ac_cv_path_PKG_CONFIG="$PKG_CONFIG" # Let the user override the test with a path.
-  ;;
-  *)
-  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-    ac_cv_path_PKG_CONFIG="$as_dir/$ac_word$ac_exec_ext"
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
-    break 2
-  fi
-done
-done
-IFS=$as_save_IFS
-
-  ;;
-esac
-fi
-PKG_CONFIG=$ac_cv_path_PKG_CONFIG
-if test -n "$PKG_CONFIG"; then
-  { echo "$as_me:$LINENO: result: $PKG_CONFIG" >&5
-echo "${ECHO_T}$PKG_CONFIG" >&6; }
-else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
-fi
-
-
-fi
-if test -z "$ac_cv_path_PKG_CONFIG"; then
-  ac_pt_PKG_CONFIG=$PKG_CONFIG
-  # Extract the first word of "pkg-config", so it can be a program name with args.
-set dummy pkg-config; ac_word=$2
-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
-if test "${ac_cv_path_ac_pt_PKG_CONFIG+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  case $ac_pt_PKG_CONFIG in
-  [\\/]* | ?:[\\/]*)
-  ac_cv_path_ac_pt_PKG_CONFIG="$ac_pt_PKG_CONFIG" # Let the user override the test with a path.
-  ;;
-  *)
-  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-    ac_cv_path_ac_pt_PKG_CONFIG="$as_dir/$ac_word$ac_exec_ext"
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
-    break 2
-  fi
-done
-done
-IFS=$as_save_IFS
-
-  ;;
-esac
-fi
-ac_pt_PKG_CONFIG=$ac_cv_path_ac_pt_PKG_CONFIG
-if test -n "$ac_pt_PKG_CONFIG"; then
-  { echo "$as_me:$LINENO: result: $ac_pt_PKG_CONFIG" >&5
-echo "${ECHO_T}$ac_pt_PKG_CONFIG" >&6; }
-else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
-fi
-
-  if test "x$ac_pt_PKG_CONFIG" = x; then
-    PKG_CONFIG=""
-  else
-    case $cross_compiling:$ac_tool_warned in
-yes:)
-{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
-whose name does not start with the host triplet.  If you think this
-configuration is useful to you, please write to autoconf@gnu.org." >&5
-echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
-whose name does not start with the host triplet.  If you think this
-configuration is useful to you, please write to autoconf@gnu.org." >&2;}
-ac_tool_warned=yes ;;
-esac
-    PKG_CONFIG=$ac_pt_PKG_CONFIG
-  fi
-else
-  PKG_CONFIG="$ac_cv_path_PKG_CONFIG"
-fi
-
-fi
-if test -n "$PKG_CONFIG"; then
-	_pkg_min_version=0.9.0
-	{ echo "$as_me:$LINENO: checking pkg-config is at least version $_pkg_min_version" >&5
-echo $ECHO_N "checking pkg-config is at least version $_pkg_min_version... $ECHO_C" >&6; }
-	if $PKG_CONFIG --atleast-pkgconfig-version $_pkg_min_version; then
-		{ echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6; }
-	else
-		{ echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
-		PKG_CONFIG=""
-	fi
-
-fi
-
-pkg_failed=no
-{ echo "$as_me:$LINENO: checking for GTHREAD" >&5
-echo $ECHO_N "checking for GTHREAD... $ECHO_C" >&6; }
-
-if test -n "$PKG_CONFIG"; then
-    if test -n "$GTHREAD_CFLAGS"; then
-        pkg_cv_GTHREAD_CFLAGS="$GTHREAD_CFLAGS"
-    else
-        if test -n "$PKG_CONFIG" && \
-    { (echo "$as_me:$LINENO: \$PKG_CONFIG --exists --print-errors \"gthread-2.0\"") >&5
-  ($PKG_CONFIG --exists --print-errors "gthread-2.0") 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; then
-  pkg_cv_GTHREAD_CFLAGS=`$PKG_CONFIG --cflags "gthread-2.0" 2>/dev/null`
-else
-  pkg_failed=yes
-fi
-    fi
-else
-	pkg_failed=untried
-fi
-if test -n "$PKG_CONFIG"; then
-    if test -n "$GTHREAD_LIBS"; then
-        pkg_cv_GTHREAD_LIBS="$GTHREAD_LIBS"
-    else
-        if test -n "$PKG_CONFIG" && \
-    { (echo "$as_me:$LINENO: \$PKG_CONFIG --exists --print-errors \"gthread-2.0\"") >&5
-  ($PKG_CONFIG --exists --print-errors "gthread-2.0") 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; then
-  pkg_cv_GTHREAD_LIBS=`$PKG_CONFIG --libs "gthread-2.0" 2>/dev/null`
-else
-  pkg_failed=yes
-fi
-    fi
-else
-	pkg_failed=untried
-fi
-
-
-
-if test $pkg_failed = yes; then
-
-if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
-        _pkg_short_errors_supported=yes
-else
-        _pkg_short_errors_supported=no
-fi
-        if test $_pkg_short_errors_supported = yes; then
-	        GTHREAD_PKG_ERRORS=`$PKG_CONFIG --short-errors --errors-to-stdout --print-errors "gthread-2.0"`
-        else
-	        GTHREAD_PKG_ERRORS=`$PKG_CONFIG --errors-to-stdout --print-errors "gthread-2.0"`
-        fi
-	# Put the nasty error message in config.log where it belongs
-	echo "$GTHREAD_PKG_ERRORS" >&5
-
-	{ { echo "$as_me:$LINENO: error: Package requirements (gthread-2.0) were not met:
-
-$GTHREAD_PKG_ERRORS
-
-Consider adjusting the PKG_CONFIG_PATH environment variable if you
-installed software in a non-standard prefix.
-
-Alternatively, you may set the environment variables GTHREAD_CFLAGS
-and GTHREAD_LIBS to avoid the need to call pkg-config.
-See the pkg-config man page for more details.
-" >&5
-echo "$as_me: error: Package requirements (gthread-2.0) were not met:
-
-$GTHREAD_PKG_ERRORS
-
-Consider adjusting the PKG_CONFIG_PATH environment variable if you
-installed software in a non-standard prefix.
-
-Alternatively, you may set the environment variables GTHREAD_CFLAGS
-and GTHREAD_LIBS to avoid the need to call pkg-config.
-See the pkg-config man page for more details.
-" >&2;}
-   { (exit 1); exit 1; }; }
-elif test $pkg_failed = untried; then
-	{ { echo "$as_me:$LINENO: error: The pkg-config script could not be found or is too old.  Make sure it
-is in your PATH or set the PKG_CONFIG environment variable to the full
-path to pkg-config.
-
-Alternatively, you may set the environment variables GTHREAD_CFLAGS
-and GTHREAD_LIBS to avoid the need to call pkg-config.
-See the pkg-config man page for more details.
-
-To get pkg-config, see <http://pkg-config.freedesktop.org/>.
-See \`config.log' for more details." >&5
-echo "$as_me: error: The pkg-config script could not be found or is too old.  Make sure it
-is in your PATH or set the PKG_CONFIG environment variable to the full
-path to pkg-config.
-
-Alternatively, you may set the environment variables GTHREAD_CFLAGS
-and GTHREAD_LIBS to avoid the need to call pkg-config.
-See the pkg-config man page for more details.
-
-To get pkg-config, see <http://pkg-config.freedesktop.org/>.
-See \`config.log' for more details." >&2;}
-   { (exit 1); exit 1; }; }
-else
-	GTHREAD_CFLAGS=$pkg_cv_GTHREAD_CFLAGS
-	GTHREAD_LIBS=$pkg_cv_GTHREAD_LIBS
-        { echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6; }
-	:
-fi
-
-
-
-
-pkg_failed=no
-{ echo "$as_me:$LINENO: checking for DBUS" >&5
-echo $ECHO_N "checking for DBUS... $ECHO_C" >&6; }
-
-if test -n "$PKG_CONFIG"; then
-    if test -n "$DBUS_CFLAGS"; then
-        pkg_cv_DBUS_CFLAGS="$DBUS_CFLAGS"
-    else
-        if test -n "$PKG_CONFIG" && \
-    { (echo "$as_me:$LINENO: \$PKG_CONFIG --exists --print-errors \"dbus-glib-1 >= 0.30\"") >&5
-  ($PKG_CONFIG --exists --print-errors "dbus-glib-1 >= 0.30") 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; then
-  pkg_cv_DBUS_CFLAGS=`$PKG_CONFIG --cflags "dbus-glib-1 >= 0.30" 2>/dev/null`
-else
-  pkg_failed=yes
-fi
-    fi
-else
-	pkg_failed=untried
-fi
-if test -n "$PKG_CONFIG"; then
-    if test -n "$DBUS_LIBS"; then
-        pkg_cv_DBUS_LIBS="$DBUS_LIBS"
-    else
-        if test -n "$PKG_CONFIG" && \
-    { (echo "$as_me:$LINENO: \$PKG_CONFIG --exists --print-errors \"dbus-glib-1 >= 0.30\"") >&5
-  ($PKG_CONFIG --exists --print-errors "dbus-glib-1 >= 0.30") 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; then
-  pkg_cv_DBUS_LIBS=`$PKG_CONFIG --libs "dbus-glib-1 >= 0.30" 2>/dev/null`
-else
-  pkg_failed=yes
-fi
-    fi
-else
-	pkg_failed=untried
-fi
-
-
-
-if test $pkg_failed = yes; then
-
-if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
-        _pkg_short_errors_supported=yes
-else
-        _pkg_short_errors_supported=no
-fi
-        if test $_pkg_short_errors_supported = yes; then
-	        DBUS_PKG_ERRORS=`$PKG_CONFIG --short-errors --errors-to-stdout --print-errors "dbus-glib-1 >= 0.30"`
-        else
-	        DBUS_PKG_ERRORS=`$PKG_CONFIG --errors-to-stdout --print-errors "dbus-glib-1 >= 0.30"`
-        fi
-	# Put the nasty error message in config.log where it belongs
-	echo "$DBUS_PKG_ERRORS" >&5
-
-	{ { echo "$as_me:$LINENO: error: Package requirements (dbus-glib-1 >= 0.30) were not met:
-
-$DBUS_PKG_ERRORS
-
-Consider adjusting the PKG_CONFIG_PATH environment variable if you
-installed software in a non-standard prefix.
-
-Alternatively, you may set the environment variables DBUS_CFLAGS
-and DBUS_LIBS to avoid the need to call pkg-config.
-See the pkg-config man page for more details.
-" >&5
-echo "$as_me: error: Package requirements (dbus-glib-1 >= 0.30) were not met:
-
-$DBUS_PKG_ERRORS
-
-Consider adjusting the PKG_CONFIG_PATH environment variable if you
-installed software in a non-standard prefix.
-
-Alternatively, you may set the environment variables DBUS_CFLAGS
-and DBUS_LIBS to avoid the need to call pkg-config.
-See the pkg-config man page for more details.
-" >&2;}
-   { (exit 1); exit 1; }; }
-elif test $pkg_failed = untried; then
-	{ { echo "$as_me:$LINENO: error: The pkg-config script could not be found or is too old.  Make sure it
-is in your PATH or set the PKG_CONFIG environment variable to the full
-path to pkg-config.
-
-Alternatively, you may set the environment variables DBUS_CFLAGS
-and DBUS_LIBS to avoid the need to call pkg-config.
-See the pkg-config man page for more details.
-
-To get pkg-config, see <http://pkg-config.freedesktop.org/>.
-See \`config.log' for more details." >&5
-echo "$as_me: error: The pkg-config script could not be found or is too old.  Make sure it
-is in your PATH or set the PKG_CONFIG environment variable to the full
-path to pkg-config.
-
-Alternatively, you may set the environment variables DBUS_CFLAGS
-and DBUS_LIBS to avoid the need to call pkg-config.
-See the pkg-config man page for more details.
-
-To get pkg-config, see <http://pkg-config.freedesktop.org/>.
-See \`config.log' for more details." >&2;}
-   { (exit 1); exit 1; }; }
-else
-	DBUS_CFLAGS=$pkg_cv_DBUS_CFLAGS
-	DBUS_LIBS=$pkg_cv_DBUS_LIBS
-        { echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6; }
-	:
-fi
-
-
-
-if test x"$with_gnome" != xno; then
-
-pkg_failed=no
-{ echo "$as_me:$LINENO: checking for GTK" >&5
-echo $ECHO_N "checking for GTK... $ECHO_C" >&6; }
-
-if test -n "$PKG_CONFIG"; then
-    if test -n "$GTK_CFLAGS"; then
-        pkg_cv_GTK_CFLAGS="$GTK_CFLAGS"
-    else
-        if test -n "$PKG_CONFIG" && \
-    { (echo "$as_me:$LINENO: \$PKG_CONFIG --exists --print-errors \"gtk+-2.0 >= 2.6\"") >&5
-  ($PKG_CONFIG --exists --print-errors "gtk+-2.0 >= 2.6") 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; then
-  pkg_cv_GTK_CFLAGS=`$PKG_CONFIG --cflags "gtk+-2.0 >= 2.6" 2>/dev/null`
-else
-  pkg_failed=yes
-fi
-    fi
-else
-	pkg_failed=untried
-fi
-if test -n "$PKG_CONFIG"; then
-    if test -n "$GTK_LIBS"; then
-        pkg_cv_GTK_LIBS="$GTK_LIBS"
-    else
-        if test -n "$PKG_CONFIG" && \
-    { (echo "$as_me:$LINENO: \$PKG_CONFIG --exists --print-errors \"gtk+-2.0 >= 2.6\"") >&5
-  ($PKG_CONFIG --exists --print-errors "gtk+-2.0 >= 2.6") 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; then
-  pkg_cv_GTK_LIBS=`$PKG_CONFIG --libs "gtk+-2.0 >= 2.6" 2>/dev/null`
-else
-  pkg_failed=yes
-fi
-    fi
-else
-	pkg_failed=untried
-fi
-
-
-
-if test $pkg_failed = yes; then
-
-if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
-        _pkg_short_errors_supported=yes
-else
-        _pkg_short_errors_supported=no
-fi
-        if test $_pkg_short_errors_supported = yes; then
-	        GTK_PKG_ERRORS=`$PKG_CONFIG --short-errors --errors-to-stdout --print-errors "gtk+-2.0 >= 2.6"`
-        else
-	        GTK_PKG_ERRORS=`$PKG_CONFIG --errors-to-stdout --print-errors "gtk+-2.0 >= 2.6"`
-        fi
-	# Put the nasty error message in config.log where it belongs
-	echo "$GTK_PKG_ERRORS" >&5
-
-	{ { echo "$as_me:$LINENO: error: Package requirements (gtk+-2.0 >= 2.6) were not met:
-
-$GTK_PKG_ERRORS
-
-Consider adjusting the PKG_CONFIG_PATH environment variable if you
-installed software in a non-standard prefix.
-
-Alternatively, you may set the environment variables GTK_CFLAGS
-and GTK_LIBS to avoid the need to call pkg-config.
-See the pkg-config man page for more details.
-" >&5
-echo "$as_me: error: Package requirements (gtk+-2.0 >= 2.6) were not met:
-
-$GTK_PKG_ERRORS
-
-Consider adjusting the PKG_CONFIG_PATH environment variable if you
-installed software in a non-standard prefix.
-
-Alternatively, you may set the environment variables GTK_CFLAGS
-and GTK_LIBS to avoid the need to call pkg-config.
-See the pkg-config man page for more details.
-" >&2;}
-   { (exit 1); exit 1; }; }
-elif test $pkg_failed = untried; then
-	{ { echo "$as_me:$LINENO: error: The pkg-config script could not be found or is too old.  Make sure it
-is in your PATH or set the PKG_CONFIG environment variable to the full
-path to pkg-config.
-
-Alternatively, you may set the environment variables GTK_CFLAGS
-and GTK_LIBS to avoid the need to call pkg-config.
-See the pkg-config man page for more details.
-
-To get pkg-config, see <http://pkg-config.freedesktop.org/>.
-See \`config.log' for more details." >&5
-echo "$as_me: error: The pkg-config script could not be found or is too old.  Make sure it
-is in your PATH or set the PKG_CONFIG environment variable to the full
-path to pkg-config.
-
-Alternatively, you may set the environment variables GTK_CFLAGS
-and GTK_LIBS to avoid the need to call pkg-config.
-See the pkg-config man page for more details.
-
-To get pkg-config, see <http://pkg-config.freedesktop.org/>.
-See \`config.log' for more details." >&2;}
-   { (exit 1); exit 1; }; }
-else
-	GTK_CFLAGS=$pkg_cv_GTK_CFLAGS
-	GTK_LIBS=$pkg_cv_GTK_LIBS
-        { echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6; }
-	:
-fi
-
-
-
-
-pkg_failed=no
-{ echo "$as_me:$LINENO: checking for GDK_PIXBUF" >&5
-echo $ECHO_N "checking for GDK_PIXBUF... $ECHO_C" >&6; }
-
-if test -n "$PKG_CONFIG"; then
-    if test -n "$GDK_PIXBUF_CFLAGS"; then
-        pkg_cv_GDK_PIXBUF_CFLAGS="$GDK_PIXBUF_CFLAGS"
-    else
-        if test -n "$PKG_CONFIG" && \
-    { (echo "$as_me:$LINENO: \$PKG_CONFIG --exists --print-errors \"gdk-pixbuf-2.0\"") >&5
-  ($PKG_CONFIG --exists --print-errors "gdk-pixbuf-2.0") 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; then
-  pkg_cv_GDK_PIXBUF_CFLAGS=`$PKG_CONFIG --cflags "gdk-pixbuf-2.0" 2>/dev/null`
-else
-  pkg_failed=yes
-fi
-    fi
-else
-	pkg_failed=untried
-fi
-if test -n "$PKG_CONFIG"; then
-    if test -n "$GDK_PIXBUF_LIBS"; then
-        pkg_cv_GDK_PIXBUF_LIBS="$GDK_PIXBUF_LIBS"
-    else
-        if test -n "$PKG_CONFIG" && \
-    { (echo "$as_me:$LINENO: \$PKG_CONFIG --exists --print-errors \"gdk-pixbuf-2.0\"") >&5
-  ($PKG_CONFIG --exists --print-errors "gdk-pixbuf-2.0") 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; then
-  pkg_cv_GDK_PIXBUF_LIBS=`$PKG_CONFIG --libs "gdk-pixbuf-2.0" 2>/dev/null`
-else
-  pkg_failed=yes
-fi
-    fi
-else
-	pkg_failed=untried
-fi
-
-
-
-if test $pkg_failed = yes; then
-
-if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
-        _pkg_short_errors_supported=yes
-else
-        _pkg_short_errors_supported=no
-fi
-        if test $_pkg_short_errors_supported = yes; then
-	        GDK_PIXBUF_PKG_ERRORS=`$PKG_CONFIG --short-errors --errors-to-stdout --print-errors "gdk-pixbuf-2.0"`
-        else
-	        GDK_PIXBUF_PKG_ERRORS=`$PKG_CONFIG --errors-to-stdout --print-errors "gdk-pixbuf-2.0"`
-        fi
-	# Put the nasty error message in config.log where it belongs
-	echo "$GDK_PIXBUF_PKG_ERRORS" >&5
-
-	{ { echo "$as_me:$LINENO: error: Package requirements (gdk-pixbuf-2.0) were not met:
-
-$GDK_PIXBUF_PKG_ERRORS
-
-Consider adjusting the PKG_CONFIG_PATH environment variable if you
-installed software in a non-standard prefix.
-
-Alternatively, you may set the environment variables GDK_PIXBUF_CFLAGS
-and GDK_PIXBUF_LIBS to avoid the need to call pkg-config.
-See the pkg-config man page for more details.
-" >&5
-echo "$as_me: error: Package requirements (gdk-pixbuf-2.0) were not met:
-
-$GDK_PIXBUF_PKG_ERRORS
-
-Consider adjusting the PKG_CONFIG_PATH environment variable if you
-installed software in a non-standard prefix.
-
-Alternatively, you may set the environment variables GDK_PIXBUF_CFLAGS
-and GDK_PIXBUF_LIBS to avoid the need to call pkg-config.
-See the pkg-config man page for more details.
-" >&2;}
-   { (exit 1); exit 1; }; }
-elif test $pkg_failed = untried; then
-	{ { echo "$as_me:$LINENO: error: The pkg-config script could not be found or is too old.  Make sure it
-is in your PATH or set the PKG_CONFIG environment variable to the full
-path to pkg-config.
-
-Alternatively, you may set the environment variables GDK_PIXBUF_CFLAGS
-and GDK_PIXBUF_LIBS to avoid the need to call pkg-config.
-See the pkg-config man page for more details.
-
-To get pkg-config, see <http://pkg-config.freedesktop.org/>.
-See \`config.log' for more details." >&5
-echo "$as_me: error: The pkg-config script could not be found or is too old.  Make sure it
-is in your PATH or set the PKG_CONFIG environment variable to the full
-path to pkg-config.
-
-Alternatively, you may set the environment variables GDK_PIXBUF_CFLAGS
-and GDK_PIXBUF_LIBS to avoid the need to call pkg-config.
-See the pkg-config man page for more details.
-
-To get pkg-config, see <http://pkg-config.freedesktop.org/>.
-See \`config.log' for more details." >&2;}
-   { (exit 1); exit 1; }; }
-else
-	GDK_PIXBUF_CFLAGS=$pkg_cv_GDK_PIXBUF_CFLAGS
-	GDK_PIXBUF_LIBS=$pkg_cv_GDK_PIXBUF_LIBS
-        { echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6; }
-	:
-fi
-
-
-
-
-pkg_failed=no
-{ echo "$as_me:$LINENO: checking for GLADE" >&5
-echo $ECHO_N "checking for GLADE... $ECHO_C" >&6; }
-
-if test -n "$PKG_CONFIG"; then
-    if test -n "$GLADE_CFLAGS"; then
-        pkg_cv_GLADE_CFLAGS="$GLADE_CFLAGS"
-    else
-        if test -n "$PKG_CONFIG" && \
-    { (echo "$as_me:$LINENO: \$PKG_CONFIG --exists --print-errors \"libglade-2.0\"") >&5
-  ($PKG_CONFIG --exists --print-errors "libglade-2.0") 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; then
-  pkg_cv_GLADE_CFLAGS=`$PKG_CONFIG --cflags "libglade-2.0" 2>/dev/null`
-else
-  pkg_failed=yes
-fi
-    fi
-else
-	pkg_failed=untried
-fi
-if test -n "$PKG_CONFIG"; then
-    if test -n "$GLADE_LIBS"; then
-        pkg_cv_GLADE_LIBS="$GLADE_LIBS"
-    else
-        if test -n "$PKG_CONFIG" && \
-    { (echo "$as_me:$LINENO: \$PKG_CONFIG --exists --print-errors \"libglade-2.0\"") >&5
-  ($PKG_CONFIG --exists --print-errors "libglade-2.0") 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; then
-  pkg_cv_GLADE_LIBS=`$PKG_CONFIG --libs "libglade-2.0" 2>/dev/null`
-else
-  pkg_failed=yes
-fi
-    fi
-else
-	pkg_failed=untried
-fi
-
-
-
-if test $pkg_failed = yes; then
-
-if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
-        _pkg_short_errors_supported=yes
-else
-        _pkg_short_errors_supported=no
-fi
-        if test $_pkg_short_errors_supported = yes; then
-	        GLADE_PKG_ERRORS=`$PKG_CONFIG --short-errors --errors-to-stdout --print-errors "libglade-2.0"`
-        else
-	        GLADE_PKG_ERRORS=`$PKG_CONFIG --errors-to-stdout --print-errors "libglade-2.0"`
-        fi
-	# Put the nasty error message in config.log where it belongs
-	echo "$GLADE_PKG_ERRORS" >&5
-
-	{ { echo "$as_me:$LINENO: error: Package requirements (libglade-2.0) were not met:
-
-$GLADE_PKG_ERRORS
-
-Consider adjusting the PKG_CONFIG_PATH environment variable if you
-installed software in a non-standard prefix.
-
-Alternatively, you may set the environment variables GLADE_CFLAGS
-and GLADE_LIBS to avoid the need to call pkg-config.
-See the pkg-config man page for more details.
-" >&5
-echo "$as_me: error: Package requirements (libglade-2.0) were not met:
-
-$GLADE_PKG_ERRORS
-
-Consider adjusting the PKG_CONFIG_PATH environment variable if you
-installed software in a non-standard prefix.
-
-Alternatively, you may set the environment variables GLADE_CFLAGS
-and GLADE_LIBS to avoid the need to call pkg-config.
-See the pkg-config man page for more details.
-" >&2;}
-   { (exit 1); exit 1; }; }
-elif test $pkg_failed = untried; then
-	{ { echo "$as_me:$LINENO: error: The pkg-config script could not be found or is too old.  Make sure it
-is in your PATH or set the PKG_CONFIG environment variable to the full
-path to pkg-config.
-
-Alternatively, you may set the environment variables GLADE_CFLAGS
-and GLADE_LIBS to avoid the need to call pkg-config.
-See the pkg-config man page for more details.
-
-To get pkg-config, see <http://pkg-config.freedesktop.org/>.
-See \`config.log' for more details." >&5
-echo "$as_me: error: The pkg-config script could not be found or is too old.  Make sure it
-is in your PATH or set the PKG_CONFIG environment variable to the full
-path to pkg-config.
-
-Alternatively, you may set the environment variables GLADE_CFLAGS
-and GLADE_LIBS to avoid the need to call pkg-config.
-See the pkg-config man page for more details.
-
-To get pkg-config, see <http://pkg-config.freedesktop.org/>.
-See \`config.log' for more details." >&2;}
-   { (exit 1); exit 1; }; }
-else
-	GLADE_CFLAGS=$pkg_cv_GLADE_CFLAGS
-	GLADE_LIBS=$pkg_cv_GLADE_LIBS
-        { echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6; }
-	:
-fi
-
-
-
-
-pkg_failed=no
-{ echo "$as_me:$LINENO: checking for LIBGNOMEUI" >&5
-echo $ECHO_N "checking for LIBGNOMEUI... $ECHO_C" >&6; }
-
-if test -n "$PKG_CONFIG"; then
-    if test -n "$LIBGNOMEUI_CFLAGS"; then
-        pkg_cv_LIBGNOMEUI_CFLAGS="$LIBGNOMEUI_CFLAGS"
-    else
-        if test -n "$PKG_CONFIG" && \
-    { (echo "$as_me:$LINENO: \$PKG_CONFIG --exists --print-errors \"libgnomeui-2.0\"") >&5
-  ($PKG_CONFIG --exists --print-errors "libgnomeui-2.0") 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; then
-  pkg_cv_LIBGNOMEUI_CFLAGS=`$PKG_CONFIG --cflags "libgnomeui-2.0" 2>/dev/null`
-else
-  pkg_failed=yes
-fi
-    fi
-else
-	pkg_failed=untried
-fi
-if test -n "$PKG_CONFIG"; then
-    if test -n "$LIBGNOMEUI_LIBS"; then
-        pkg_cv_LIBGNOMEUI_LIBS="$LIBGNOMEUI_LIBS"
-    else
-        if test -n "$PKG_CONFIG" && \
-    { (echo "$as_me:$LINENO: \$PKG_CONFIG --exists --print-errors \"libgnomeui-2.0\"") >&5
-  ($PKG_CONFIG --exists --print-errors "libgnomeui-2.0") 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; then
-  pkg_cv_LIBGNOMEUI_LIBS=`$PKG_CONFIG --libs "libgnomeui-2.0" 2>/dev/null`
-else
-  pkg_failed=yes
-fi
-    fi
-else
-	pkg_failed=untried
-fi
-
-
-
-if test $pkg_failed = yes; then
-
-if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
-        _pkg_short_errors_supported=yes
-else
-        _pkg_short_errors_supported=no
-fi
-        if test $_pkg_short_errors_supported = yes; then
-	        LIBGNOMEUI_PKG_ERRORS=`$PKG_CONFIG --short-errors --errors-to-stdout --print-errors "libgnomeui-2.0"`
-        else
-	        LIBGNOMEUI_PKG_ERRORS=`$PKG_CONFIG --errors-to-stdout --print-errors "libgnomeui-2.0"`
-        fi
-	# Put the nasty error message in config.log where it belongs
-	echo "$LIBGNOMEUI_PKG_ERRORS" >&5
-
-	{ { echo "$as_me:$LINENO: error: Package requirements (libgnomeui-2.0) were not met:
-
-$LIBGNOMEUI_PKG_ERRORS
-
-Consider adjusting the PKG_CONFIG_PATH environment variable if you
-installed software in a non-standard prefix.
-
-Alternatively, you may set the environment variables LIBGNOMEUI_CFLAGS
-and LIBGNOMEUI_LIBS to avoid the need to call pkg-config.
-See the pkg-config man page for more details.
-" >&5
-echo "$as_me: error: Package requirements (libgnomeui-2.0) were not met:
-
-$LIBGNOMEUI_PKG_ERRORS
-
-Consider adjusting the PKG_CONFIG_PATH environment variable if you
-installed software in a non-standard prefix.
-
-Alternatively, you may set the environment variables LIBGNOMEUI_CFLAGS
-and LIBGNOMEUI_LIBS to avoid the need to call pkg-config.
-See the pkg-config man page for more details.
-" >&2;}
-   { (exit 1); exit 1; }; }
-elif test $pkg_failed = untried; then
-	{ { echo "$as_me:$LINENO: error: The pkg-config script could not be found or is too old.  Make sure it
-is in your PATH or set the PKG_CONFIG environment variable to the full
-path to pkg-config.
-
-Alternatively, you may set the environment variables LIBGNOMEUI_CFLAGS
-and LIBGNOMEUI_LIBS to avoid the need to call pkg-config.
-See the pkg-config man page for more details.
-
-To get pkg-config, see <http://pkg-config.freedesktop.org/>.
-See \`config.log' for more details." >&5
-echo "$as_me: error: The pkg-config script could not be found or is too old.  Make sure it
-is in your PATH or set the PKG_CONFIG environment variable to the full
-path to pkg-config.
-
-Alternatively, you may set the environment variables LIBGNOMEUI_CFLAGS
-and LIBGNOMEUI_LIBS to avoid the need to call pkg-config.
-See the pkg-config man page for more details.
-
-To get pkg-config, see <http://pkg-config.freedesktop.org/>.
-See \`config.log' for more details." >&2;}
-   { (exit 1); exit 1; }; }
-else
-	LIBGNOMEUI_CFLAGS=$pkg_cv_LIBGNOMEUI_CFLAGS
-	LIBGNOMEUI_LIBS=$pkg_cv_LIBGNOMEUI_LIBS
-        { echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6; }
-	:
-fi
-
-
-
-
-pkg_failed=no
-{ echo "$as_me:$LINENO: checking for GCONF" >&5
-echo $ECHO_N "checking for GCONF... $ECHO_C" >&6; }
-
-if test -n "$PKG_CONFIG"; then
-    if test -n "$GCONF_CFLAGS"; then
-        pkg_cv_GCONF_CFLAGS="$GCONF_CFLAGS"
-    else
-        if test -n "$PKG_CONFIG" && \
-    { (echo "$as_me:$LINENO: \$PKG_CONFIG --exists --print-errors \"gconf-2.0\"") >&5
-  ($PKG_CONFIG --exists --print-errors "gconf-2.0") 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; then
-  pkg_cv_GCONF_CFLAGS=`$PKG_CONFIG --cflags "gconf-2.0" 2>/dev/null`
-else
-  pkg_failed=yes
-fi
-    fi
-else
-	pkg_failed=untried
-fi
-if test -n "$PKG_CONFIG"; then
-    if test -n "$GCONF_LIBS"; then
-        pkg_cv_GCONF_LIBS="$GCONF_LIBS"
-    else
-        if test -n "$PKG_CONFIG" && \
-    { (echo "$as_me:$LINENO: \$PKG_CONFIG --exists --print-errors \"gconf-2.0\"") >&5
-  ($PKG_CONFIG --exists --print-errors "gconf-2.0") 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; then
-  pkg_cv_GCONF_LIBS=`$PKG_CONFIG --libs "gconf-2.0" 2>/dev/null`
-else
-  pkg_failed=yes
-fi
-    fi
-else
-	pkg_failed=untried
-fi
-
-
-
-if test $pkg_failed = yes; then
-
-if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
-        _pkg_short_errors_supported=yes
-else
-        _pkg_short_errors_supported=no
-fi
-        if test $_pkg_short_errors_supported = yes; then
-	        GCONF_PKG_ERRORS=`$PKG_CONFIG --short-errors --errors-to-stdout --print-errors "gconf-2.0"`
-        else
-	        GCONF_PKG_ERRORS=`$PKG_CONFIG --errors-to-stdout --print-errors "gconf-2.0"`
-        fi
-	# Put the nasty error message in config.log where it belongs
-	echo "$GCONF_PKG_ERRORS" >&5
-
-	{ { echo "$as_me:$LINENO: error: Package requirements (gconf-2.0) were not met:
-
-$GCONF_PKG_ERRORS
-
-Consider adjusting the PKG_CONFIG_PATH environment variable if you
-installed software in a non-standard prefix.
-
-Alternatively, you may set the environment variables GCONF_CFLAGS
-and GCONF_LIBS to avoid the need to call pkg-config.
-See the pkg-config man page for more details.
-" >&5
-echo "$as_me: error: Package requirements (gconf-2.0) were not met:
-
-$GCONF_PKG_ERRORS
-
-Consider adjusting the PKG_CONFIG_PATH environment variable if you
-installed software in a non-standard prefix.
-
-Alternatively, you may set the environment variables GCONF_CFLAGS
-and GCONF_LIBS to avoid the need to call pkg-config.
-See the pkg-config man page for more details.
-" >&2;}
-   { (exit 1); exit 1; }; }
-elif test $pkg_failed = untried; then
-	{ { echo "$as_me:$LINENO: error: The pkg-config script could not be found or is too old.  Make sure it
-is in your PATH or set the PKG_CONFIG environment variable to the full
-path to pkg-config.
-
-Alternatively, you may set the environment variables GCONF_CFLAGS
-and GCONF_LIBS to avoid the need to call pkg-config.
-See the pkg-config man page for more details.
-
-To get pkg-config, see <http://pkg-config.freedesktop.org/>.
-See \`config.log' for more details." >&5
-echo "$as_me: error: The pkg-config script could not be found or is too old.  Make sure it
-is in your PATH or set the PKG_CONFIG environment variable to the full
-path to pkg-config.
-
-Alternatively, you may set the environment variables GCONF_CFLAGS
-and GCONF_LIBS to avoid the need to call pkg-config.
-See the pkg-config man page for more details.
-
-To get pkg-config, see <http://pkg-config.freedesktop.org/>.
-See \`config.log' for more details." >&2;}
-   { (exit 1); exit 1; }; }
-else
-	GCONF_CFLAGS=$pkg_cv_GCONF_CFLAGS
-	GCONF_LIBS=$pkg_cv_GCONF_LIBS
-        { echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6; }
-	:
-fi
-
-
-
-
-pkg_failed=no
-{ echo "$as_me:$LINENO: checking for GNOMEKEYRING" >&5
-echo $ECHO_N "checking for GNOMEKEYRING... $ECHO_C" >&6; }
-
-if test -n "$PKG_CONFIG"; then
-    if test -n "$GNOMEKEYRING_CFLAGS"; then
-        pkg_cv_GNOMEKEYRING_CFLAGS="$GNOMEKEYRING_CFLAGS"
-    else
-        if test -n "$PKG_CONFIG" && \
-    { (echo "$as_me:$LINENO: \$PKG_CONFIG --exists --print-errors \"gnome-keyring-1\"") >&5
-  ($PKG_CONFIG --exists --print-errors "gnome-keyring-1") 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; then
-  pkg_cv_GNOMEKEYRING_CFLAGS=`$PKG_CONFIG --cflags "gnome-keyring-1" 2>/dev/null`
-else
-  pkg_failed=yes
-fi
-    fi
-else
-	pkg_failed=untried
-fi
-if test -n "$PKG_CONFIG"; then
-    if test -n "$GNOMEKEYRING_LIBS"; then
-        pkg_cv_GNOMEKEYRING_LIBS="$GNOMEKEYRING_LIBS"
-    else
-        if test -n "$PKG_CONFIG" && \
-    { (echo "$as_me:$LINENO: \$PKG_CONFIG --exists --print-errors \"gnome-keyring-1\"") >&5
-  ($PKG_CONFIG --exists --print-errors "gnome-keyring-1") 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; then
-  pkg_cv_GNOMEKEYRING_LIBS=`$PKG_CONFIG --libs "gnome-keyring-1" 2>/dev/null`
-else
-  pkg_failed=yes
-fi
-    fi
-else
-	pkg_failed=untried
-fi
-
-
-
-if test $pkg_failed = yes; then
-
-if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
-        _pkg_short_errors_supported=yes
-else
-        _pkg_short_errors_supported=no
-fi
-        if test $_pkg_short_errors_supported = yes; then
-	        GNOMEKEYRING_PKG_ERRORS=`$PKG_CONFIG --short-errors --errors-to-stdout --print-errors "gnome-keyring-1"`
-        else
-	        GNOMEKEYRING_PKG_ERRORS=`$PKG_CONFIG --errors-to-stdout --print-errors "gnome-keyring-1"`
-        fi
-	# Put the nasty error message in config.log where it belongs
-	echo "$GNOMEKEYRING_PKG_ERRORS" >&5
-
-	{ { echo "$as_me:$LINENO: error: Package requirements (gnome-keyring-1) were not met:
-
-$GNOMEKEYRING_PKG_ERRORS
-
-Consider adjusting the PKG_CONFIG_PATH environment variable if you
-installed software in a non-standard prefix.
-
-Alternatively, you may set the environment variables GNOMEKEYRING_CFLAGS
-and GNOMEKEYRING_LIBS to avoid the need to call pkg-config.
-See the pkg-config man page for more details.
-" >&5
-echo "$as_me: error: Package requirements (gnome-keyring-1) were not met:
-
-$GNOMEKEYRING_PKG_ERRORS
-
-Consider adjusting the PKG_CONFIG_PATH environment variable if you
-installed software in a non-standard prefix.
-
-Alternatively, you may set the environment variables GNOMEKEYRING_CFLAGS
-and GNOMEKEYRING_LIBS to avoid the need to call pkg-config.
-See the pkg-config man page for more details.
-" >&2;}
-   { (exit 1); exit 1; }; }
-elif test $pkg_failed = untried; then
-	{ { echo "$as_me:$LINENO: error: The pkg-config script could not be found or is too old.  Make sure it
-is in your PATH or set the PKG_CONFIG environment variable to the full
-path to pkg-config.
-
-Alternatively, you may set the environment variables GNOMEKEYRING_CFLAGS
-and GNOMEKEYRING_LIBS to avoid the need to call pkg-config.
-See the pkg-config man page for more details.
-
-To get pkg-config, see <http://pkg-config.freedesktop.org/>.
-See \`config.log' for more details." >&5
-echo "$as_me: error: The pkg-config script could not be found or is too old.  Make sure it
-is in your PATH or set the PKG_CONFIG environment variable to the full
-path to pkg-config.
-
-Alternatively, you may set the environment variables GNOMEKEYRING_CFLAGS
-and GNOMEKEYRING_LIBS to avoid the need to call pkg-config.
-See the pkg-config man page for more details.
-
-To get pkg-config, see <http://pkg-config.freedesktop.org/>.
-See \`config.log' for more details." >&2;}
-   { (exit 1); exit 1; }; }
-else
-	GNOMEKEYRING_CFLAGS=$pkg_cv_GNOMEKEYRING_CFLAGS
-	GNOMEKEYRING_LIBS=$pkg_cv_GNOMEKEYRING_LIBS
-        { echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6; }
-	:
-fi
-
-
-fi
-
-
-pkg_failed=no
-{ echo "$as_me:$LINENO: checking for NM_UTILS" >&5
-echo $ECHO_N "checking for NM_UTILS... $ECHO_C" >&6; }
-
-if test -n "$PKG_CONFIG"; then
-    if test -n "$NM_UTILS_CFLAGS"; then
-        pkg_cv_NM_UTILS_CFLAGS="$NM_UTILS_CFLAGS"
-    else
-        if test -n "$PKG_CONFIG" && \
-    { (echo "$as_me:$LINENO: \$PKG_CONFIG --exists --print-errors \"NetworkManager >= 0.7.0 libnm-util libnm_glib libnm_glib_vpn\"") >&5
-  ($PKG_CONFIG --exists --print-errors "NetworkManager >= 0.7.0 libnm-util libnm_glib libnm_glib_vpn") 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; then
-  pkg_cv_NM_UTILS_CFLAGS=`$PKG_CONFIG --cflags "NetworkManager >= 0.7.0 libnm-util libnm_glib libnm_glib_vpn" 2>/dev/null`
-else
-  pkg_failed=yes
-fi
-    fi
-else
-	pkg_failed=untried
-fi
-if test -n "$PKG_CONFIG"; then
-    if test -n "$NM_UTILS_LIBS"; then
-        pkg_cv_NM_UTILS_LIBS="$NM_UTILS_LIBS"
-    else
-        if test -n "$PKG_CONFIG" && \
-    { (echo "$as_me:$LINENO: \$PKG_CONFIG --exists --print-errors \"NetworkManager >= 0.7.0 libnm-util libnm_glib libnm_glib_vpn\"") >&5
-  ($PKG_CONFIG --exists --print-errors "NetworkManager >= 0.7.0 libnm-util libnm_glib libnm_glib_vpn") 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; then
-  pkg_cv_NM_UTILS_LIBS=`$PKG_CONFIG --libs "NetworkManager >= 0.7.0 libnm-util libnm_glib libnm_glib_vpn" 2>/dev/null`
-else
-  pkg_failed=yes
-fi
-    fi
-else
-	pkg_failed=untried
-fi
-
-
-
-if test $pkg_failed = yes; then
-
-if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
-        _pkg_short_errors_supported=yes
-else
-        _pkg_short_errors_supported=no
-fi
-        if test $_pkg_short_errors_supported = yes; then
-	        NM_UTILS_PKG_ERRORS=`$PKG_CONFIG --short-errors --errors-to-stdout --print-errors "NetworkManager >= 0.7.0 libnm-util libnm_glib libnm_glib_vpn"`
-        else
-	        NM_UTILS_PKG_ERRORS=`$PKG_CONFIG --errors-to-stdout --print-errors "NetworkManager >= 0.7.0 libnm-util libnm_glib libnm_glib_vpn"`
-        fi
-	# Put the nasty error message in config.log where it belongs
-	echo "$NM_UTILS_PKG_ERRORS" >&5
-
-	{ { echo "$as_me:$LINENO: error: Package requirements (NetworkManager >= 0.7.0 libnm-util libnm_glib libnm_glib_vpn) were not met:
-
-$NM_UTILS_PKG_ERRORS
-
-Consider adjusting the PKG_CONFIG_PATH environment variable if you
-installed software in a non-standard prefix.
-
-Alternatively, you may set the environment variables NM_UTILS_CFLAGS
-and NM_UTILS_LIBS to avoid the need to call pkg-config.
-See the pkg-config man page for more details.
-" >&5
-echo "$as_me: error: Package requirements (NetworkManager >= 0.7.0 libnm-util libnm_glib libnm_glib_vpn) were not met:
-
-$NM_UTILS_PKG_ERRORS
-
-Consider adjusting the PKG_CONFIG_PATH environment variable if you
-installed software in a non-standard prefix.
-
-Alternatively, you may set the environment variables NM_UTILS_CFLAGS
-and NM_UTILS_LIBS to avoid the need to call pkg-config.
-See the pkg-config man page for more details.
-" >&2;}
-   { (exit 1); exit 1; }; }
-elif test $pkg_failed = untried; then
-	{ { echo "$as_me:$LINENO: error: The pkg-config script could not be found or is too old.  Make sure it
-is in your PATH or set the PKG_CONFIG environment variable to the full
-path to pkg-config.
-
-Alternatively, you may set the environment variables NM_UTILS_CFLAGS
-and NM_UTILS_LIBS to avoid the need to call pkg-config.
-See the pkg-config man page for more details.
-
-To get pkg-config, see <http://pkg-config.freedesktop.org/>.
-See \`config.log' for more details." >&5
-echo "$as_me: error: The pkg-config script could not be found or is too old.  Make sure it
-is in your PATH or set the PKG_CONFIG environment variable to the full
-path to pkg-config.
-
-Alternatively, you may set the environment variables NM_UTILS_CFLAGS
-and NM_UTILS_LIBS to avoid the need to call pkg-config.
-See the pkg-config man page for more details.
-
-To get pkg-config, see <http://pkg-config.freedesktop.org/>.
-See \`config.log' for more details." >&2;}
-   { (exit 1); exit 1; }; }
-else
-	NM_UTILS_CFLAGS=$pkg_cv_NM_UTILS_CFLAGS
-	NM_UTILS_LIBS=$pkg_cv_NM_UTILS_LIBS
-        { echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6; }
-	:
-fi
-
-
-
-
-# Check whether --with-charon was given.
-if test "${with_charon+set}" = set; then
-  withval=$with_charon; charon="$withval"
-
-else
-  charon="${libexecdir}/ipsec/charon"
-
-
-fi
-
-
-# Check whether --enable-more-warnings was given.
-if test "${enable_more_warnings+set}" = set; then
-  enableval=$enable_more_warnings; set_more_warnings="$enableval"
-else
-
-if test -d "$srcdir/{arch}" || test -d "$srcdir/CVS"; then
-	set_more_warnings=yes
-else
-	set_more_warnings=no
-fi
-
-fi
-
-{ echo "$as_me:$LINENO: checking for more warnings" >&5
-echo $ECHO_N "checking for more warnings... $ECHO_C" >&6; }
-if test "$GCC" = "yes" -a "$set_more_warnings" != "no"; then
-	{ echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6; }
-	CFLAGS="-Wall -Werror -std=gnu89 $CFLAGS"
-
-	for option in -Wno-unused -Wno-strict-aliasing -Wno-sign-compare -Wdeclaration-after-statement -Wno-pointer-sign ; do
-		SAVE_CFLAGS="$CFLAGS"
-		CFLAGS="$CFLAGS $option"
-		{ echo "$as_me:$LINENO: checking whether gcc understands $option" >&5
-echo $ECHO_N "checking whether gcc understands $option... $ECHO_C" >&6; }
-		cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-int
-main ()
-{
-
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  has_option=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	has_option=no
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-		if test $has_option = no; then
-			CFLAGS="$SAVE_CFLAGS"
-		fi
-		{ echo "$as_me:$LINENO: result: $has_option" >&5
-echo "${ECHO_T}$has_option" >&6; }
-		unset has_option
-		unset SAVE_CFLAGS
-	done
-	unset option
-else
-	{ echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
-fi
-
-ac_config_files="$ac_config_files Makefile properties/Makefile auth-dialog/Makefile po/Makefile.in"
-
-cat >confcache <<\_ACEOF
-# This file is a shell script that caches the results of configure
-# tests run on this system so they can be shared between configure
-# scripts and configure runs, see configure's option --config-cache.
-# It is not useful on other systems.  If it contains results you don't
-# want to keep, you may remove or edit it.
-#
-# config.status only pays attention to the cache file if you give it
-# the --recheck option to rerun configure.
-#
-# `ac_cv_env_foo' variables (set or unset) will be overridden when
-# loading this file, other *unset* `ac_cv_foo' will be assigned the
-# following values.
-
-_ACEOF
-
-# The following way of writing the cache mishandles newlines in values,
-# but we know of no workaround that is simple, portable, and efficient.
-# So, we kill variables containing newlines.
-# Ultrix sh set writes to stderr and can't be redirected directly,
-# and sets the high bit in the cache file unless we assign to the vars.
-(
-  for ac_var in `(set) 2>&1 | sed -n 's/^\([a-zA-Z_][a-zA-Z0-9_]*\)=.*/\1/p'`; do
-    eval ac_val=\$$ac_var
-    case $ac_val in #(
-    *${as_nl}*)
-      case $ac_var in #(
-      *_cv_*) { echo "$as_me:$LINENO: WARNING: Cache variable $ac_var contains a newline." >&5
-echo "$as_me: WARNING: Cache variable $ac_var contains a newline." >&2;} ;;
-      esac
-      case $ac_var in #(
-      _ | IFS | as_nl) ;; #(
-      *) $as_unset $ac_var ;;
-      esac ;;
-    esac
-  done
-
-  (set) 2>&1 |
-    case $as_nl`(ac_space=' '; set) 2>&1` in #(
-    *${as_nl}ac_space=\ *)
-      # `set' does not quote correctly, so add quotes (double-quote
-      # substitution turns \\\\ into \\, and sed turns \\ into \).
-      sed -n \
-	"s/'/'\\\\''/g;
-	  s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1='\\2'/p"
-      ;; #(
-    *)
-      # `set' quotes correctly as required by POSIX, so do not add quotes.
-      sed -n "/^[_$as_cr_alnum]*_cv_[_$as_cr_alnum]*=/p"
-      ;;
-    esac |
-    sort
-) |
-  sed '
-     /^ac_cv_env_/b end
-     t clear
-     :clear
-     s/^\([^=]*\)=\(.*[{}].*\)$/test "${\1+set}" = set || &/
-     t end
-     s/^\([^=]*\)=\(.*\)$/\1=${\1=\2}/
-     :end' >>confcache
-if diff "$cache_file" confcache >/dev/null 2>&1; then :; else
-  if test -w "$cache_file"; then
-    test "x$cache_file" != "x/dev/null" &&
-      { echo "$as_me:$LINENO: updating cache $cache_file" >&5
-echo "$as_me: updating cache $cache_file" >&6;}
-    cat confcache >$cache_file
-  else
-    { echo "$as_me:$LINENO: not updating unwritable cache $cache_file" >&5
-echo "$as_me: not updating unwritable cache $cache_file" >&6;}
-  fi
-fi
-rm -f confcache
-
-test "x$prefix" = xNONE && prefix=$ac_default_prefix
-# Let make expand exec_prefix.
-test "x$exec_prefix" = xNONE && exec_prefix='${prefix}'
-
-DEFS=-DHAVE_CONFIG_H
-
-ac_libobjs=
-ac_ltlibobjs=
-for ac_i in : $LIBOBJS; do test "x$ac_i" = x: && continue
-  # 1. Remove the extension, and $U if already installed.
-  ac_script='s/\$U\././;s/\.o$//;s/\.obj$//'
-  ac_i=`echo "$ac_i" | sed "$ac_script"`
-  # 2. Prepend LIBOBJDIR.  When used with automake>=1.10 LIBOBJDIR
-  #    will be set to the directory where LIBOBJS objects are built.
-  ac_libobjs="$ac_libobjs \${LIBOBJDIR}$ac_i\$U.$ac_objext"
-  ac_ltlibobjs="$ac_ltlibobjs \${LIBOBJDIR}$ac_i"'$U.lo'
-done
-LIBOBJS=$ac_libobjs
-
-LTLIBOBJS=$ac_ltlibobjs
-
-
-if test -z "${MAINTAINER_MODE_TRUE}" && test -z "${MAINTAINER_MODE_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"MAINTAINER_MODE\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"MAINTAINER_MODE\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
-fi
-if test -z "${AMDEP_TRUE}" && test -z "${AMDEP_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"AMDEP\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"AMDEP\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
-fi
-if test -z "${am__fastdepCC_TRUE}" && test -z "${am__fastdepCC_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"am__fastdepCC\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"am__fastdepCC\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
-fi
-if test -z "${am__fastdepCXX_TRUE}" && test -z "${am__fastdepCXX_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"am__fastdepCXX\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"am__fastdepCXX\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
-fi
-
-  ac_config_commands="$ac_config_commands po/stamp-it"
-
-
-
-: ${CONFIG_STATUS=./config.status}
-ac_clean_files_save=$ac_clean_files
-ac_clean_files="$ac_clean_files $CONFIG_STATUS"
-{ echo "$as_me:$LINENO: creating $CONFIG_STATUS" >&5
-echo "$as_me: creating $CONFIG_STATUS" >&6;}
-cat >$CONFIG_STATUS <<_ACEOF
-#! $SHELL
-# Generated by $as_me.
-# Run this file to recreate the current configuration.
-# Compiler output produced by configure, useful for debugging
-# configure, is in config.log if it exists.
-
-debug=false
-ac_cs_recheck=false
-ac_cs_silent=false
-SHELL=\${CONFIG_SHELL-$SHELL}
-_ACEOF
-
-cat >>$CONFIG_STATUS <<\_ACEOF
-## --------------------- ##
-## M4sh Initialization.  ##
-## --------------------- ##
-
-# Be more Bourne compatible
-DUALCASE=1; export DUALCASE # for MKS sh
-if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
-  emulate sh
-  NULLCMD=:
-  # Zsh 3.x and 4.x performs word splitting on ${1+"$@"}, which
-  # is contrary to our usage.  Disable this feature.
-  alias -g '${1+"$@"}'='"$@"'
-  setopt NO_GLOB_SUBST
-else
-  case `(set -o) 2>/dev/null` in
-  *posix*) set -o posix ;;
-esac
-
-fi
-
-
-
-
-# PATH needs CR
-# Avoid depending upon Character Ranges.
-as_cr_letters='abcdefghijklmnopqrstuvwxyz'
-as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ'
-as_cr_Letters=$as_cr_letters$as_cr_LETTERS
-as_cr_digits='0123456789'
-as_cr_alnum=$as_cr_Letters$as_cr_digits
-
-# The user is always right.
-if test "${PATH_SEPARATOR+set}" != set; then
-  echo "#! /bin/sh" >conf$$.sh
-  echo  "exit 0"   >>conf$$.sh
-  chmod +x conf$$.sh
-  if (PATH="/nonexistent;."; conf$$.sh) >/dev/null 2>&1; then
-    PATH_SEPARATOR=';'
-  else
-    PATH_SEPARATOR=:
-  fi
-  rm -f conf$$.sh
-fi
-
-# Support unset when possible.
-if ( (MAIL=60; unset MAIL) || exit) >/dev/null 2>&1; then
-  as_unset=unset
-else
-  as_unset=false
-fi
-
-
-# IFS
-# We need space, tab and new line, in precisely that order.  Quoting is
-# there to prevent editors from complaining about space-tab.
-# (If _AS_PATH_WALK were called with IFS unset, it would disable word
-# splitting by setting IFS to empty value.)
-as_nl='
-'
-IFS=" ""	$as_nl"
-
-# Find who we are.  Look in the path if we contain no directory separator.
-case $0 in
-  *[\\/]* ) as_myself=$0 ;;
-  *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break
-done
-IFS=$as_save_IFS
-
-     ;;
-esac
-# We did not find ourselves, most probably we were run as `sh COMMAND'
-# in which case we are not to be found in the path.
-if test "x$as_myself" = x; then
-  as_myself=$0
-fi
-if test ! -f "$as_myself"; then
-  echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2
-  { (exit 1); exit 1; }
-fi
-
-# Work around bugs in pre-3.0 UWIN ksh.
-for as_var in ENV MAIL MAILPATH
-do ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var
-done
-PS1='$ '
-PS2='> '
-PS4='+ '
-
-# NLS nuisances.
-for as_var in \
-  LANG LANGUAGE LC_ADDRESS LC_ALL LC_COLLATE LC_CTYPE LC_IDENTIFICATION \
-  LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER \
-  LC_TELEPHONE LC_TIME
-do
-  if (set +x; test -z "`(eval $as_var=C; export $as_var) 2>&1`"); then
-    eval $as_var=C; export $as_var
-  else
-    ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var
-  fi
-done
-
-# Required to use basename.
-if expr a : '\(a\)' >/dev/null 2>&1 &&
-   test "X`expr 00001 : '.*\(...\)'`" = X001; then
-  as_expr=expr
-else
-  as_expr=false
-fi
-
-if (basename -- /) >/dev/null 2>&1 && test "X`basename -- / 2>&1`" = "X/"; then
-  as_basename=basename
-else
-  as_basename=false
-fi
-
-
-# Name of the executable.
-as_me=`$as_basename -- "$0" ||
-$as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \
-	 X"$0" : 'X\(//\)$' \| \
-	 X"$0" : 'X\(/\)' \| . 2>/dev/null ||
-echo X/"$0" |
-    sed '/^.*\/\([^/][^/]*\)\/*$/{
-	    s//\1/
-	    q
-	  }
-	  /^X\/\(\/\/\)$/{
-	    s//\1/
-	    q
-	  }
-	  /^X\/\(\/\).*/{
-	    s//\1/
-	    q
-	  }
-	  s/.*/./; q'`
-
-# CDPATH.
-$as_unset CDPATH
-
-
-
-  as_lineno_1=$LINENO
-  as_lineno_2=$LINENO
-  test "x$as_lineno_1" != "x$as_lineno_2" &&
-  test "x`expr $as_lineno_1 + 1`" = "x$as_lineno_2" || {
-
-  # Create $as_me.lineno as a copy of $as_myself, but with $LINENO
-  # uniformly replaced by the line number.  The first 'sed' inserts a
-  # line-number line after each line using $LINENO; the second 'sed'
-  # does the real work.  The second script uses 'N' to pair each
-  # line-number line with the line containing $LINENO, and appends
-  # trailing '-' during substitution so that $LINENO is not a special
-  # case at line end.
-  # (Raja R Harinath suggested sed '=', and Paul Eggert wrote the
-  # scripts with optimization help from Paolo Bonzini.  Blame Lee
-  # E. McMahon (1931-1989) for sed's syntax.  :-)
-  sed -n '
-    p
-    /[$]LINENO/=
-  ' <$as_myself |
-    sed '
-      s/[$]LINENO.*/&-/
-      t lineno
-      b
-      :lineno
-      N
-      :loop
-      s/[$]LINENO\([^'$as_cr_alnum'_].*\n\)\(.*\)/\2\1\2/
-      t loop
-      s/-\n.*//
-    ' >$as_me.lineno &&
-  chmod +x "$as_me.lineno" ||
-    { echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2
-   { (exit 1); exit 1; }; }
-
-  # Don't try to exec as it changes $[0], causing all sort of problems
-  # (the dirname of $[0] is not the place where we might find the
-  # original and so on.  Autoconf is especially sensitive to this).
-  . "./$as_me.lineno"
-  # Exit status is that of the last command.
-  exit
-}
-
-
-if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then
-  as_dirname=dirname
-else
-  as_dirname=false
-fi
-
-ECHO_C= ECHO_N= ECHO_T=
-case `echo -n x` in
--n*)
-  case `echo 'x\c'` in
-  *c*) ECHO_T='	';;	# ECHO_T is single tab character.
-  *)   ECHO_C='\c';;
-  esac;;
-*)
-  ECHO_N='-n';;
-esac
-
-if expr a : '\(a\)' >/dev/null 2>&1 &&
-   test "X`expr 00001 : '.*\(...\)'`" = X001; then
-  as_expr=expr
-else
-  as_expr=false
-fi
-
-rm -f conf$$ conf$$.exe conf$$.file
-if test -d conf$$.dir; then
-  rm -f conf$$.dir/conf$$.file
-else
-  rm -f conf$$.dir
-  mkdir conf$$.dir
-fi
-echo >conf$$.file
-if ln -s conf$$.file conf$$ 2>/dev/null; then
-  as_ln_s='ln -s'
-  # ... but there are two gotchas:
-  # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail.
-  # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable.
-  # In both cases, we have to default to `cp -p'.
-  ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe ||
-    as_ln_s='cp -p'
-elif ln conf$$.file conf$$ 2>/dev/null; then
-  as_ln_s=ln
-else
-  as_ln_s='cp -p'
-fi
-rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file
-rmdir conf$$.dir 2>/dev/null
-
-if mkdir -p . 2>/dev/null; then
-  as_mkdir_p=:
-else
-  test -d ./-p && rmdir ./-p
-  as_mkdir_p=false
-fi
-
-if test -x / >/dev/null 2>&1; then
-  as_test_x='test -x'
-else
-  if ls -dL / >/dev/null 2>&1; then
-    as_ls_L_option=L
-  else
-    as_ls_L_option=
-  fi
-  as_test_x='
-    eval sh -c '\''
-      if test -d "$1"; then
-        test -d "$1/.";
-      else
-	case $1 in
-        -*)set "./$1";;
-	esac;
-	case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in
-	???[sx]*):;;*)false;;esac;fi
-    '\'' sh
-  '
-fi
-as_executable_p=$as_test_x
-
-# Sed expression to map a string onto a valid CPP name.
-as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'"
-
-# Sed expression to map a string onto a valid variable name.
-as_tr_sh="eval sed 'y%*+%pp%;s%[^_$as_cr_alnum]%_%g'"
-
-
-exec 6>&1
-
-# Save the log message, to keep $[0] and so on meaningful, and to
-# report actual input values of CONFIG_FILES etc. instead of their
-# values after options handling.
-ac_log="
-This file was extended by NetworkManager-strongswan $as_me 4.2.6, which was
-generated by GNU Autoconf 2.61.  Invocation command line was
-
-  CONFIG_FILES    = $CONFIG_FILES
-  CONFIG_HEADERS  = $CONFIG_HEADERS
-  CONFIG_LINKS    = $CONFIG_LINKS
-  CONFIG_COMMANDS = $CONFIG_COMMANDS
-  $ $0 $@
-
-on `(hostname || uname -n) 2>/dev/null | sed 1q`
-"
-
-_ACEOF
-
-cat >>$CONFIG_STATUS <<_ACEOF
-# Files that config.status was made for.
-config_files="$ac_config_files"
-config_headers="$ac_config_headers"
-config_commands="$ac_config_commands"
-
-_ACEOF
-
-cat >>$CONFIG_STATUS <<\_ACEOF
-ac_cs_usage="\
-\`$as_me' instantiates files from templates according to the
-current configuration.
-
-Usage: $0 [OPTIONS] [FILE]...
-
-  -h, --help       print this help, then exit
-  -V, --version    print version number and configuration settings, then exit
-  -q, --quiet      do not print progress messages
-  -d, --debug      don't remove temporary files
-      --recheck    update $as_me by reconfiguring in the same conditions
-  --file=FILE[:TEMPLATE]
-		   instantiate the configuration file FILE
-  --header=FILE[:TEMPLATE]
-		   instantiate the configuration header FILE
-
-Configuration files:
-$config_files
-
-Configuration headers:
-$config_headers
-
-Configuration commands:
-$config_commands
-
-Report bugs to <bug-autoconf@gnu.org>."
-
-_ACEOF
-cat >>$CONFIG_STATUS <<_ACEOF
-ac_cs_version="\\
-NetworkManager-strongswan config.status 4.2.6
-configured by $0, generated by GNU Autoconf 2.61,
-  with options \\"`echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`\\"
-
-Copyright (C) 2006 Free Software Foundation, Inc.
-This config.status script is free software; the Free Software Foundation
-gives unlimited permission to copy, distribute and modify it."
-
-ac_pwd='$ac_pwd'
-srcdir='$srcdir'
-INSTALL='$INSTALL'
-MKDIR_P='$MKDIR_P'
-_ACEOF
-
-cat >>$CONFIG_STATUS <<\_ACEOF
-# If no file are specified by the user, then we need to provide default
-# value.  By we need to know if files were specified by the user.
-ac_need_defaults=:
-while test $# != 0
-do
-  case $1 in
-  --*=*)
-    ac_option=`expr "X$1" : 'X\([^=]*\)='`
-    ac_optarg=`expr "X$1" : 'X[^=]*=\(.*\)'`
-    ac_shift=:
-    ;;
-  *)
-    ac_option=$1
-    ac_optarg=$2
-    ac_shift=shift
-    ;;
-  esac
-
-  case $ac_option in
-  # Handling of the options.
-  -recheck | --recheck | --rechec | --reche | --rech | --rec | --re | --r)
-    ac_cs_recheck=: ;;
-  --version | --versio | --versi | --vers | --ver | --ve | --v | -V )
-    echo "$ac_cs_version"; exit ;;
-  --debug | --debu | --deb | --de | --d | -d )
-    debug=: ;;
-  --file | --fil | --fi | --f )
-    $ac_shift
-    CONFIG_FILES="$CONFIG_FILES $ac_optarg"
-    ac_need_defaults=false;;
-  --header | --heade | --head | --hea )
-    $ac_shift
-    CONFIG_HEADERS="$CONFIG_HEADERS $ac_optarg"
-    ac_need_defaults=false;;
-  --he | --h)
-    # Conflict between --help and --header
-    { echo "$as_me: error: ambiguous option: $1
-Try \`$0 --help' for more information." >&2
-   { (exit 1); exit 1; }; };;
-  --help | --hel | -h )
-    echo "$ac_cs_usage"; exit ;;
-  -q | -quiet | --quiet | --quie | --qui | --qu | --q \
-  | -silent | --silent | --silen | --sile | --sil | --si | --s)
-    ac_cs_silent=: ;;
-
-  # This is an error.
-  -*) { echo "$as_me: error: unrecognized option: $1
-Try \`$0 --help' for more information." >&2
-   { (exit 1); exit 1; }; } ;;
-
-  *) ac_config_targets="$ac_config_targets $1"
-     ac_need_defaults=false ;;
-
-  esac
-  shift
-done
-
-ac_configure_extra_args=
-
-if $ac_cs_silent; then
-  exec 6>/dev/null
-  ac_configure_extra_args="$ac_configure_extra_args --silent"
-fi
-
-_ACEOF
-cat >>$CONFIG_STATUS <<_ACEOF
-if \$ac_cs_recheck; then
-  echo "running CONFIG_SHELL=$SHELL $SHELL $0 "$ac_configure_args \$ac_configure_extra_args " --no-create --no-recursion" >&6
-  CONFIG_SHELL=$SHELL
-  export CONFIG_SHELL
-  exec $SHELL "$0"$ac_configure_args \$ac_configure_extra_args --no-create --no-recursion
-fi
-
-_ACEOF
-cat >>$CONFIG_STATUS <<\_ACEOF
-exec 5>>config.log
-{
-  echo
-  sed 'h;s/./-/g;s/^.../## /;s/...$/ ##/;p;x;p;x' <<_ASBOX
-## Running $as_me. ##
-_ASBOX
-  echo "$ac_log"
-} >&5
-
-_ACEOF
-cat >>$CONFIG_STATUS <<_ACEOF
-#
-# INIT-COMMANDS
-#
-AMDEP_TRUE="$AMDEP_TRUE" ac_aux_dir="$ac_aux_dir"
-INTLTOOL_PERL='${INTLTOOL_PERL}' ac_aux_dir='${ac_aux_dir}'
-prefix="$prefix" exec_prefix="$exec_prefix" INTLTOOL_LIBDIR="$libdir"
-INTLTOOL_EXTRACT='${INTLTOOL_EXTRACT}'
-
-
-_ACEOF
-
-cat >>$CONFIG_STATUS <<\_ACEOF
-
-# Handling of arguments.
-for ac_config_target in $ac_config_targets
-do
-  case $ac_config_target in
-    "config.h") CONFIG_HEADERS="$CONFIG_HEADERS config.h" ;;
-    "depfiles") CONFIG_COMMANDS="$CONFIG_COMMANDS depfiles" ;;
-    "intltool") CONFIG_COMMANDS="$CONFIG_COMMANDS intltool" ;;
-    "default-1") CONFIG_COMMANDS="$CONFIG_COMMANDS default-1" ;;
-    "Makefile") CONFIG_FILES="$CONFIG_FILES Makefile" ;;
-    "properties/Makefile") CONFIG_FILES="$CONFIG_FILES properties/Makefile" ;;
-    "auth-dialog/Makefile") CONFIG_FILES="$CONFIG_FILES auth-dialog/Makefile" ;;
-    "po/Makefile.in") CONFIG_FILES="$CONFIG_FILES po/Makefile.in" ;;
-    "po/stamp-it") CONFIG_COMMANDS="$CONFIG_COMMANDS po/stamp-it" ;;
-
-  *) { { echo "$as_me:$LINENO: error: invalid argument: $ac_config_target" >&5
-echo "$as_me: error: invalid argument: $ac_config_target" >&2;}
-   { (exit 1); exit 1; }; };;
-  esac
-done
-
-
-# If the user did not use the arguments to specify the items to instantiate,
-# then the envvar interface is used.  Set only those that are not.
-# We use the long form for the default assignment because of an extremely
-# bizarre bug on SunOS 4.1.3.
-if $ac_need_defaults; then
-  test "${CONFIG_FILES+set}" = set || CONFIG_FILES=$config_files
-  test "${CONFIG_HEADERS+set}" = set || CONFIG_HEADERS=$config_headers
-  test "${CONFIG_COMMANDS+set}" = set || CONFIG_COMMANDS=$config_commands
-fi
-
-# Have a temporary directory for convenience.  Make it in the build tree
-# simply because there is no reason against having it here, and in addition,
-# creating and moving files from /tmp can sometimes cause problems.
-# Hook for its removal unless debugging.
-# Note that there is a small window in which the directory will not be cleaned:
-# after its creation but before its name has been assigned to `$tmp'.
-$debug ||
-{
-  tmp=
-  trap 'exit_status=$?
-  { test -z "$tmp" || test ! -d "$tmp" || rm -fr "$tmp"; } && exit $exit_status
-' 0
-  trap '{ (exit 1); exit 1; }' 1 2 13 15
-}
-# Create a (secure) tmp directory for tmp files.
-
-{
-  tmp=`(umask 077 && mktemp -d "./confXXXXXX") 2>/dev/null` &&
-  test -n "$tmp" && test -d "$tmp"
-}  ||
-{
-  tmp=./conf$$-$RANDOM
-  (umask 077 && mkdir "$tmp")
-} ||
-{
-   echo "$me: cannot create a temporary directory in ." >&2
-   { (exit 1); exit 1; }
-}
-
-#
-# Set up the sed scripts for CONFIG_FILES section.
-#
-
-# No need to generate the scripts if there are no CONFIG_FILES.
-# This happens for instance when ./config.status config.h
-if test -n "$CONFIG_FILES"; then
-
-_ACEOF
-
-
-
-ac_delim='%!_!# '
-for ac_last_try in false false false false false :; do
-  cat >conf$$subs.sed <<_ACEOF
-SHELL!$SHELL$ac_delim
-PATH_SEPARATOR!$PATH_SEPARATOR$ac_delim
-PACKAGE_NAME!$PACKAGE_NAME$ac_delim
-PACKAGE_TARNAME!$PACKAGE_TARNAME$ac_delim
-PACKAGE_VERSION!$PACKAGE_VERSION$ac_delim
-PACKAGE_STRING!$PACKAGE_STRING$ac_delim
-PACKAGE_BUGREPORT!$PACKAGE_BUGREPORT$ac_delim
-exec_prefix!$exec_prefix$ac_delim
-prefix!$prefix$ac_delim
-program_transform_name!$program_transform_name$ac_delim
-bindir!$bindir$ac_delim
-sbindir!$sbindir$ac_delim
-libexecdir!$libexecdir$ac_delim
-datarootdir!$datarootdir$ac_delim
-datadir!$datadir$ac_delim
-sysconfdir!$sysconfdir$ac_delim
-sharedstatedir!$sharedstatedir$ac_delim
-localstatedir!$localstatedir$ac_delim
-includedir!$includedir$ac_delim
-oldincludedir!$oldincludedir$ac_delim
-docdir!$docdir$ac_delim
-infodir!$infodir$ac_delim
-htmldir!$htmldir$ac_delim
-dvidir!$dvidir$ac_delim
-pdfdir!$pdfdir$ac_delim
-psdir!$psdir$ac_delim
-libdir!$libdir$ac_delim
-localedir!$localedir$ac_delim
-mandir!$mandir$ac_delim
-DEFS!$DEFS$ac_delim
-ECHO_C!$ECHO_C$ac_delim
-ECHO_N!$ECHO_N$ac_delim
-ECHO_T!$ECHO_T$ac_delim
-LIBS!$LIBS$ac_delim
-build_alias!$build_alias$ac_delim
-host_alias!$host_alias$ac_delim
-target_alias!$target_alias$ac_delim
-INSTALL_PROGRAM!$INSTALL_PROGRAM$ac_delim
-INSTALL_SCRIPT!$INSTALL_SCRIPT$ac_delim
-INSTALL_DATA!$INSTALL_DATA$ac_delim
-am__isrc!$am__isrc$ac_delim
-CYGPATH_W!$CYGPATH_W$ac_delim
-PACKAGE!$PACKAGE$ac_delim
-VERSION!$VERSION$ac_delim
-ACLOCAL!$ACLOCAL$ac_delim
-AUTOCONF!$AUTOCONF$ac_delim
-AUTOMAKE!$AUTOMAKE$ac_delim
-AUTOHEADER!$AUTOHEADER$ac_delim
-MAKEINFO!$MAKEINFO$ac_delim
-install_sh!$install_sh$ac_delim
-STRIP!$STRIP$ac_delim
-INSTALL_STRIP_PROGRAM!$INSTALL_STRIP_PROGRAM$ac_delim
-mkdir_p!$mkdir_p$ac_delim
-AWK!$AWK$ac_delim
-SET_MAKE!$SET_MAKE$ac_delim
-am__leading_dot!$am__leading_dot$ac_delim
-AMTAR!$AMTAR$ac_delim
-am__tar!$am__tar$ac_delim
-am__untar!$am__untar$ac_delim
-MAINTAINER_MODE_TRUE!$MAINTAINER_MODE_TRUE$ac_delim
-MAINTAINER_MODE_FALSE!$MAINTAINER_MODE_FALSE$ac_delim
-MAINT!$MAINT$ac_delim
-CC!$CC$ac_delim
-CFLAGS!$CFLAGS$ac_delim
-LDFLAGS!$LDFLAGS$ac_delim
-CPPFLAGS!$CPPFLAGS$ac_delim
-ac_ct_CC!$ac_ct_CC$ac_delim
-EXEEXT!$EXEEXT$ac_delim
-OBJEXT!$OBJEXT$ac_delim
-DEPDIR!$DEPDIR$ac_delim
-am__include!$am__include$ac_delim
-am__quote!$am__quote$ac_delim
-AMDEP_TRUE!$AMDEP_TRUE$ac_delim
-AMDEP_FALSE!$AMDEP_FALSE$ac_delim
-AMDEPBACKSLASH!$AMDEPBACKSLASH$ac_delim
-CCDEPMODE!$CCDEPMODE$ac_delim
-am__fastdepCC_TRUE!$am__fastdepCC_TRUE$ac_delim
-am__fastdepCC_FALSE!$am__fastdepCC_FALSE$ac_delim
-build!$build$ac_delim
-build_cpu!$build_cpu$ac_delim
-build_vendor!$build_vendor$ac_delim
-build_os!$build_os$ac_delim
-host!$host$ac_delim
-host_cpu!$host_cpu$ac_delim
-host_vendor!$host_vendor$ac_delim
-host_os!$host_os$ac_delim
-SED!$SED$ac_delim
-GREP!$GREP$ac_delim
-EGREP!$EGREP$ac_delim
-LN_S!$LN_S$ac_delim
-ECHO!$ECHO$ac_delim
-AR!$AR$ac_delim
-RANLIB!$RANLIB$ac_delim
-DSYMUTIL!$DSYMUTIL$ac_delim
-NMEDIT!$NMEDIT$ac_delim
-CPP!$CPP$ac_delim
-CXX!$CXX$ac_delim
-_ACEOF
-
-  if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 97; then
-    break
-  elif $ac_last_try; then
-    { { echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5
-echo "$as_me: error: could not make $CONFIG_STATUS" >&2;}
-   { (exit 1); exit 1; }; }
-  else
-    ac_delim="$ac_delim!$ac_delim _$ac_delim!! "
-  fi
-done
-
-ac_eof=`sed -n '/^CEOF[0-9]*$/s/CEOF/0/p' conf$$subs.sed`
-if test -n "$ac_eof"; then
-  ac_eof=`echo "$ac_eof" | sort -nru | sed 1q`
-  ac_eof=`expr $ac_eof + 1`
-fi
-
-cat >>$CONFIG_STATUS <<_ACEOF
-cat >"\$tmp/subs-1.sed" <<\CEOF$ac_eof
-/@[a-zA-Z_][a-zA-Z_0-9]*@/!b
-_ACEOF
-sed '
-s/[,\\&]/\\&/g; s/@/@|#_!!_#|/g
-s/^/s,@/; s/!/@,|#_!!_#|/
-:n
-t n
-s/'"$ac_delim"'$/,g/; t
-s/$/\\/; p
-N; s/^.*\n//; s/[,\\&]/\\&/g; s/@/@|#_!!_#|/g; b n
-' >>$CONFIG_STATUS <conf$$subs.sed
-rm -f conf$$subs.sed
-cat >>$CONFIG_STATUS <<_ACEOF
-CEOF$ac_eof
-_ACEOF
-
-
-ac_delim='%!_!# '
-for ac_last_try in false false false false false :; do
-  cat >conf$$subs.sed <<_ACEOF
-CXXFLAGS!$CXXFLAGS$ac_delim
-ac_ct_CXX!$ac_ct_CXX$ac_delim
-CXXDEPMODE!$CXXDEPMODE$ac_delim
-am__fastdepCXX_TRUE!$am__fastdepCXX_TRUE$ac_delim
-am__fastdepCXX_FALSE!$am__fastdepCXX_FALSE$ac_delim
-CXXCPP!$CXXCPP$ac_delim
-F77!$F77$ac_delim
-FFLAGS!$FFLAGS$ac_delim
-ac_ct_F77!$ac_ct_F77$ac_delim
-LIBTOOL!$LIBTOOL$ac_delim
-LIBOBJS!$LIBOBJS$ac_delim
-GETTEXT_PACKAGE!$GETTEXT_PACKAGE$ac_delim
-INTLTOOL_DESKTOP_RULE!$INTLTOOL_DESKTOP_RULE$ac_delim
-INTLTOOL_DIRECTORY_RULE!$INTLTOOL_DIRECTORY_RULE$ac_delim
-INTLTOOL_KEYS_RULE!$INTLTOOL_KEYS_RULE$ac_delim
-INTLTOOL_PROP_RULE!$INTLTOOL_PROP_RULE$ac_delim
-INTLTOOL_OAF_RULE!$INTLTOOL_OAF_RULE$ac_delim
-INTLTOOL_PONG_RULE!$INTLTOOL_PONG_RULE$ac_delim
-INTLTOOL_SERVER_RULE!$INTLTOOL_SERVER_RULE$ac_delim
-INTLTOOL_SHEET_RULE!$INTLTOOL_SHEET_RULE$ac_delim
-INTLTOOL_SOUNDLIST_RULE!$INTLTOOL_SOUNDLIST_RULE$ac_delim
-INTLTOOL_UI_RULE!$INTLTOOL_UI_RULE$ac_delim
-INTLTOOL_XAM_RULE!$INTLTOOL_XAM_RULE$ac_delim
-INTLTOOL_KBD_RULE!$INTLTOOL_KBD_RULE$ac_delim
-INTLTOOL_XML_RULE!$INTLTOOL_XML_RULE$ac_delim
-INTLTOOL_XML_NOMERGE_RULE!$INTLTOOL_XML_NOMERGE_RULE$ac_delim
-INTLTOOL_CAVES_RULE!$INTLTOOL_CAVES_RULE$ac_delim
-INTLTOOL_SCHEMAS_RULE!$INTLTOOL_SCHEMAS_RULE$ac_delim
-INTLTOOL_THEME_RULE!$INTLTOOL_THEME_RULE$ac_delim
-INTLTOOL_SERVICE_RULE!$INTLTOOL_SERVICE_RULE$ac_delim
-INTLTOOL_POLICY_RULE!$INTLTOOL_POLICY_RULE$ac_delim
-XGETTEXT!$XGETTEXT$ac_delim
-MSGMERGE!$MSGMERGE$ac_delim
-MSGFMT!$MSGFMT$ac_delim
-INTLTOOL_EXTRACT!$INTLTOOL_EXTRACT$ac_delim
-INTLTOOL_MERGE!$INTLTOOL_MERGE$ac_delim
-INTLTOOL_UPDATE!$INTLTOOL_UPDATE$ac_delim
-INTLTOOL_PERL!$INTLTOOL_PERL$ac_delim
-ALL_LINGUAS!$ALL_LINGUAS$ac_delim
-DATADIRNAME!$DATADIRNAME$ac_delim
-USE_NLS!$USE_NLS$ac_delim
-MSGFMT_OPTS!$MSGFMT_OPTS$ac_delim
-GMSGFMT!$GMSGFMT$ac_delim
-CATALOGS!$CATALOGS$ac_delim
-CATOBJEXT!$CATOBJEXT$ac_delim
-GMOFILES!$GMOFILES$ac_delim
-INSTOBJEXT!$INSTOBJEXT$ac_delim
-INTLLIBS!$INTLLIBS$ac_delim
-PO_IN_DATADIR_TRUE!$PO_IN_DATADIR_TRUE$ac_delim
-PO_IN_DATADIR_FALSE!$PO_IN_DATADIR_FALSE$ac_delim
-POFILES!$POFILES$ac_delim
-POSUB!$POSUB$ac_delim
-MKINSTALLDIRS!$MKINSTALLDIRS$ac_delim
-PKG_CONFIG!$PKG_CONFIG$ac_delim
-GTHREAD_CFLAGS!$GTHREAD_CFLAGS$ac_delim
-GTHREAD_LIBS!$GTHREAD_LIBS$ac_delim
-DBUS_CFLAGS!$DBUS_CFLAGS$ac_delim
-DBUS_LIBS!$DBUS_LIBS$ac_delim
-GTK_CFLAGS!$GTK_CFLAGS$ac_delim
-GTK_LIBS!$GTK_LIBS$ac_delim
-GDK_PIXBUF_CFLAGS!$GDK_PIXBUF_CFLAGS$ac_delim
-GDK_PIXBUF_LIBS!$GDK_PIXBUF_LIBS$ac_delim
-GLADE_CFLAGS!$GLADE_CFLAGS$ac_delim
-GLADE_LIBS!$GLADE_LIBS$ac_delim
-LIBGNOMEUI_CFLAGS!$LIBGNOMEUI_CFLAGS$ac_delim
-LIBGNOMEUI_LIBS!$LIBGNOMEUI_LIBS$ac_delim
-GCONF_CFLAGS!$GCONF_CFLAGS$ac_delim
-GCONF_LIBS!$GCONF_LIBS$ac_delim
-GNOMEKEYRING_CFLAGS!$GNOMEKEYRING_CFLAGS$ac_delim
-GNOMEKEYRING_LIBS!$GNOMEKEYRING_LIBS$ac_delim
-NM_UTILS_CFLAGS!$NM_UTILS_CFLAGS$ac_delim
-NM_UTILS_LIBS!$NM_UTILS_LIBS$ac_delim
-charon!$charon$ac_delim
-LTLIBOBJS!$LTLIBOBJS$ac_delim
-_ACEOF
-
-  if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 74; then
-    break
-  elif $ac_last_try; then
-    { { echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5
-echo "$as_me: error: could not make $CONFIG_STATUS" >&2;}
-   { (exit 1); exit 1; }; }
-  else
-    ac_delim="$ac_delim!$ac_delim _$ac_delim!! "
-  fi
-done
-
-ac_eof=`sed -n '/^CEOF[0-9]*$/s/CEOF/0/p' conf$$subs.sed`
-if test -n "$ac_eof"; then
-  ac_eof=`echo "$ac_eof" | sort -nru | sed 1q`
-  ac_eof=`expr $ac_eof + 1`
-fi
-
-cat >>$CONFIG_STATUS <<_ACEOF
-cat >"\$tmp/subs-2.sed" <<\CEOF$ac_eof
-/@[a-zA-Z_][a-zA-Z_0-9]*@/!b end
-_ACEOF
-sed '
-s/[,\\&]/\\&/g; s/@/@|#_!!_#|/g
-s/^/s,@/; s/!/@,|#_!!_#|/
-:n
-t n
-s/'"$ac_delim"'$/,g/; t
-s/$/\\/; p
-N; s/^.*\n//; s/[,\\&]/\\&/g; s/@/@|#_!!_#|/g; b n
-' >>$CONFIG_STATUS <conf$$subs.sed
-rm -f conf$$subs.sed
-cat >>$CONFIG_STATUS <<_ACEOF
-:end
-s/|#_!!_#|//g
-CEOF$ac_eof
-_ACEOF
-
-
-# VPATH may cause trouble with some makes, so we remove $(srcdir),
-# ${srcdir} and @srcdir@ from VPATH if srcdir is ".", strip leading and
-# trailing colons and then remove the whole line if VPATH becomes empty
-# (actually we leave an empty line to preserve line numbers).
-if test "x$srcdir" = x.; then
-  ac_vpsub='/^[	 ]*VPATH[	 ]*=/{
-s/:*\$(srcdir):*/:/
-s/:*\${srcdir}:*/:/
-s/:*@srcdir@:*/:/
-s/^\([^=]*=[	 ]*\):*/\1/
-s/:*$//
-s/^[^=]*=[	 ]*$//
-}'
-fi
-
-cat >>$CONFIG_STATUS <<\_ACEOF
-fi # test -n "$CONFIG_FILES"
-
-
-for ac_tag in  :F $CONFIG_FILES  :H $CONFIG_HEADERS    :C $CONFIG_COMMANDS
-do
-  case $ac_tag in
-  :[FHLC]) ac_mode=$ac_tag; continue;;
-  esac
-  case $ac_mode$ac_tag in
-  :[FHL]*:*);;
-  :L* | :C*:*) { { echo "$as_me:$LINENO: error: Invalid tag $ac_tag." >&5
-echo "$as_me: error: Invalid tag $ac_tag." >&2;}
-   { (exit 1); exit 1; }; };;
-  :[FH]-) ac_tag=-:-;;
-  :[FH]*) ac_tag=$ac_tag:$ac_tag.in;;
-  esac
-  ac_save_IFS=$IFS
-  IFS=:
-  set x $ac_tag
-  IFS=$ac_save_IFS
-  shift
-  ac_file=$1
-  shift
-
-  case $ac_mode in
-  :L) ac_source=$1;;
-  :[FH])
-    ac_file_inputs=
-    for ac_f
-    do
-      case $ac_f in
-      -) ac_f="$tmp/stdin";;
-      *) # Look for the file first in the build tree, then in the source tree
-	 # (if the path is not absolute).  The absolute path cannot be DOS-style,
-	 # because $ac_f cannot contain `:'.
-	 test -f "$ac_f" ||
-	   case $ac_f in
-	   [\\/$]*) false;;
-	   *) test -f "$srcdir/$ac_f" && ac_f="$srcdir/$ac_f";;
-	   esac ||
-	   { { echo "$as_me:$LINENO: error: cannot find input file: $ac_f" >&5
-echo "$as_me: error: cannot find input file: $ac_f" >&2;}
-   { (exit 1); exit 1; }; };;
-      esac
-      ac_file_inputs="$ac_file_inputs $ac_f"
-    done
-
-    # Let's still pretend it is `configure' which instantiates (i.e., don't
-    # use $as_me), people would be surprised to read:
-    #    /* config.h.  Generated by config.status.  */
-    configure_input="Generated from "`IFS=:
-	  echo $* | sed 's|^[^:]*/||;s|:[^:]*/|, |g'`" by configure."
-    if test x"$ac_file" != x-; then
-      configure_input="$ac_file.  $configure_input"
-      { echo "$as_me:$LINENO: creating $ac_file" >&5
-echo "$as_me: creating $ac_file" >&6;}
-    fi
-
-    case $ac_tag in
-    *:-:* | *:-) cat >"$tmp/stdin";;
-    esac
-    ;;
-  esac
-
-  ac_dir=`$as_dirname -- "$ac_file" ||
-$as_expr X"$ac_file" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
-	 X"$ac_file" : 'X\(//\)[^/]' \| \
-	 X"$ac_file" : 'X\(//\)$' \| \
-	 X"$ac_file" : 'X\(/\)' \| . 2>/dev/null ||
-echo X"$ac_file" |
-    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
-	    s//\1/
-	    q
-	  }
-	  /^X\(\/\/\)[^/].*/{
-	    s//\1/
-	    q
-	  }
-	  /^X\(\/\/\)$/{
-	    s//\1/
-	    q
-	  }
-	  /^X\(\/\).*/{
-	    s//\1/
-	    q
-	  }
-	  s/.*/./; q'`
-  { as_dir="$ac_dir"
-  case $as_dir in #(
-  -*) as_dir=./$as_dir;;
-  esac
-  test -d "$as_dir" || { $as_mkdir_p && mkdir -p "$as_dir"; } || {
-    as_dirs=
-    while :; do
-      case $as_dir in #(
-      *\'*) as_qdir=`echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #(
-      *) as_qdir=$as_dir;;
-      esac
-      as_dirs="'$as_qdir' $as_dirs"
-      as_dir=`$as_dirname -- "$as_dir" ||
-$as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
-	 X"$as_dir" : 'X\(//\)[^/]' \| \
-	 X"$as_dir" : 'X\(//\)$' \| \
-	 X"$as_dir" : 'X\(/\)' \| . 2>/dev/null ||
-echo X"$as_dir" |
-    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
-	    s//\1/
-	    q
-	  }
-	  /^X\(\/\/\)[^/].*/{
-	    s//\1/
-	    q
-	  }
-	  /^X\(\/\/\)$/{
-	    s//\1/
-	    q
-	  }
-	  /^X\(\/\).*/{
-	    s//\1/
-	    q
-	  }
-	  s/.*/./; q'`
-      test -d "$as_dir" && break
-    done
-    test -z "$as_dirs" || eval "mkdir $as_dirs"
-  } || test -d "$as_dir" || { { echo "$as_me:$LINENO: error: cannot create directory $as_dir" >&5
-echo "$as_me: error: cannot create directory $as_dir" >&2;}
-   { (exit 1); exit 1; }; }; }
-  ac_builddir=.
-
-case "$ac_dir" in
-.) ac_dir_suffix= ac_top_builddir_sub=. ac_top_build_prefix= ;;
-*)
-  ac_dir_suffix=/`echo "$ac_dir" | sed 's,^\.[\\/],,'`
-  # A ".." for each directory in $ac_dir_suffix.
-  ac_top_builddir_sub=`echo "$ac_dir_suffix" | sed 's,/[^\\/]*,/..,g;s,/,,'`
-  case $ac_top_builddir_sub in
-  "") ac_top_builddir_sub=. ac_top_build_prefix= ;;
-  *)  ac_top_build_prefix=$ac_top_builddir_sub/ ;;
-  esac ;;
-esac
-ac_abs_top_builddir=$ac_pwd
-ac_abs_builddir=$ac_pwd$ac_dir_suffix
-# for backward compatibility:
-ac_top_builddir=$ac_top_build_prefix
-
-case $srcdir in
-  .)  # We are building in place.
-    ac_srcdir=.
-    ac_top_srcdir=$ac_top_builddir_sub
-    ac_abs_top_srcdir=$ac_pwd ;;
-  [\\/]* | ?:[\\/]* )  # Absolute name.
-    ac_srcdir=$srcdir$ac_dir_suffix;
-    ac_top_srcdir=$srcdir
-    ac_abs_top_srcdir=$srcdir ;;
-  *) # Relative name.
-    ac_srcdir=$ac_top_build_prefix$srcdir$ac_dir_suffix
-    ac_top_srcdir=$ac_top_build_prefix$srcdir
-    ac_abs_top_srcdir=$ac_pwd/$srcdir ;;
-esac
-ac_abs_srcdir=$ac_abs_top_srcdir$ac_dir_suffix
-
-
-  case $ac_mode in
-  :F)
-  #
-  # CONFIG_FILE
-  #
-
-  case $INSTALL in
-  [\\/$]* | ?:[\\/]* ) ac_INSTALL=$INSTALL ;;
-  *) ac_INSTALL=$ac_top_build_prefix$INSTALL ;;
-  esac
-  ac_MKDIR_P=$MKDIR_P
-  case $MKDIR_P in
-  [\\/$]* | ?:[\\/]* ) ;;
-  */*) ac_MKDIR_P=$ac_top_build_prefix$MKDIR_P ;;
-  esac
-_ACEOF
-
-cat >>$CONFIG_STATUS <<\_ACEOF
-# If the template does not know about datarootdir, expand it.
-# FIXME: This hack should be removed a few years after 2.60.
-ac_datarootdir_hack=; ac_datarootdir_seen=
-
-case `sed -n '/datarootdir/ {
-  p
-  q
-}
-/@datadir@/p
-/@docdir@/p
-/@infodir@/p
-/@localedir@/p
-/@mandir@/p
-' $ac_file_inputs` in
-*datarootdir*) ac_datarootdir_seen=yes;;
-*@datadir@*|*@docdir@*|*@infodir@*|*@localedir@*|*@mandir@*)
-  { echo "$as_me:$LINENO: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&5
-echo "$as_me: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&2;}
-_ACEOF
-cat >>$CONFIG_STATUS <<_ACEOF
-  ac_datarootdir_hack='
-  s&@datadir@&$datadir&g
-  s&@docdir@&$docdir&g
-  s&@infodir@&$infodir&g
-  s&@localedir@&$localedir&g
-  s&@mandir@&$mandir&g
-    s&\\\${datarootdir}&$datarootdir&g' ;;
-esac
-_ACEOF
-
-# Neutralize VPATH when `$srcdir' = `.'.
-# Shell code in configure.ac might set extrasub.
-# FIXME: do we really want to maintain this feature?
-cat >>$CONFIG_STATUS <<_ACEOF
-  sed "$ac_vpsub
-$extrasub
-_ACEOF
-cat >>$CONFIG_STATUS <<\_ACEOF
-:t
-/@[a-zA-Z_][a-zA-Z_0-9]*@/!b
-s&@configure_input@&$configure_input&;t t
-s&@top_builddir@&$ac_top_builddir_sub&;t t
-s&@srcdir@&$ac_srcdir&;t t
-s&@abs_srcdir@&$ac_abs_srcdir&;t t
-s&@top_srcdir@&$ac_top_srcdir&;t t
-s&@abs_top_srcdir@&$ac_abs_top_srcdir&;t t
-s&@builddir@&$ac_builddir&;t t
-s&@abs_builddir@&$ac_abs_builddir&;t t
-s&@abs_top_builddir@&$ac_abs_top_builddir&;t t
-s&@INSTALL@&$ac_INSTALL&;t t
-s&@MKDIR_P@&$ac_MKDIR_P&;t t
-$ac_datarootdir_hack
-" $ac_file_inputs | sed -f "$tmp/subs-1.sed" | sed -f "$tmp/subs-2.sed" >$tmp/out
-
-test -z "$ac_datarootdir_hack$ac_datarootdir_seen" &&
-  { ac_out=`sed -n '/\${datarootdir}/p' "$tmp/out"`; test -n "$ac_out"; } &&
-  { ac_out=`sed -n '/^[	 ]*datarootdir[	 ]*:*=/p' "$tmp/out"`; test -z "$ac_out"; } &&
-  { echo "$as_me:$LINENO: WARNING: $ac_file contains a reference to the variable \`datarootdir'
-which seems to be undefined.  Please make sure it is defined." >&5
-echo "$as_me: WARNING: $ac_file contains a reference to the variable \`datarootdir'
-which seems to be undefined.  Please make sure it is defined." >&2;}
-
-  rm -f "$tmp/stdin"
-  case $ac_file in
-  -) cat "$tmp/out"; rm -f "$tmp/out";;
-  *) rm -f "$ac_file"; mv "$tmp/out" $ac_file;;
-  esac
- ;;
-  :H)
-  #
-  # CONFIG_HEADER
-  #
-_ACEOF
-
-# Transform confdefs.h into a sed script `conftest.defines', that
-# substitutes the proper values into config.h.in to produce config.h.
-rm -f conftest.defines conftest.tail
-# First, append a space to every undef/define line, to ease matching.
-echo 's/$/ /' >conftest.defines
-# Then, protect against being on the right side of a sed subst, or in
-# an unquoted here document, in config.status.  If some macros were
-# called several times there might be several #defines for the same
-# symbol, which is useless.  But do not sort them, since the last
-# AC_DEFINE must be honored.
-ac_word_re=[_$as_cr_Letters][_$as_cr_alnum]*
-# These sed commands are passed to sed as "A NAME B PARAMS C VALUE D", where
-# NAME is the cpp macro being defined, VALUE is the value it is being given.
-# PARAMS is the parameter list in the macro definition--in most cases, it's
-# just an empty string.
-ac_dA='s,^\\([	 #]*\\)[^	 ]*\\([	 ]*'
-ac_dB='\\)[	 (].*,\\1define\\2'
-ac_dC=' '
-ac_dD=' ,'
-
-uniq confdefs.h |
-  sed -n '
-	t rset
-	:rset
-	s/^[	 ]*#[	 ]*define[	 ][	 ]*//
-	t ok
-	d
-	:ok
-	s/[\\&,]/\\&/g
-	s/^\('"$ac_word_re"'\)\(([^()]*)\)[	 ]*\(.*\)/ '"$ac_dA"'\1'"$ac_dB"'\2'"${ac_dC}"'\3'"$ac_dD"'/p
-	s/^\('"$ac_word_re"'\)[	 ]*\(.*\)/'"$ac_dA"'\1'"$ac_dB$ac_dC"'\2'"$ac_dD"'/p
-  ' >>conftest.defines
-
-# Remove the space that was appended to ease matching.
-# Then replace #undef with comments.  This is necessary, for
-# example, in the case of _POSIX_SOURCE, which is predefined and required
-# on some systems where configure will not decide to define it.
-# (The regexp can be short, since the line contains either #define or #undef.)
-echo 's/ $//
-s,^[	 #]*u.*,/* & */,' >>conftest.defines
-
-# Break up conftest.defines:
-ac_max_sed_lines=50
-
-# First sed command is:	 sed -f defines.sed $ac_file_inputs >"$tmp/out1"
-# Second one is:	 sed -f defines.sed "$tmp/out1" >"$tmp/out2"
-# Third one will be:	 sed -f defines.sed "$tmp/out2" >"$tmp/out1"
-# et cetera.
-ac_in='$ac_file_inputs'
-ac_out='"$tmp/out1"'
-ac_nxt='"$tmp/out2"'
-
-while :
-do
-  # Write a here document:
-    cat >>$CONFIG_STATUS <<_ACEOF
-    # First, check the format of the line:
-    cat >"\$tmp/defines.sed" <<\\CEOF
-/^[	 ]*#[	 ]*undef[	 ][	 ]*$ac_word_re[	 ]*\$/b def
-/^[	 ]*#[	 ]*define[	 ][	 ]*$ac_word_re[(	 ]/b def
-b
-:def
-_ACEOF
-  sed ${ac_max_sed_lines}q conftest.defines >>$CONFIG_STATUS
-  echo 'CEOF
-    sed -f "$tmp/defines.sed"' "$ac_in >$ac_out" >>$CONFIG_STATUS
-  ac_in=$ac_out; ac_out=$ac_nxt; ac_nxt=$ac_in
-  sed 1,${ac_max_sed_lines}d conftest.defines >conftest.tail
-  grep . conftest.tail >/dev/null || break
-  rm -f conftest.defines
-  mv conftest.tail conftest.defines
-done
-rm -f conftest.defines conftest.tail
-
-echo "ac_result=$ac_in" >>$CONFIG_STATUS
-cat >>$CONFIG_STATUS <<\_ACEOF
-  if test x"$ac_file" != x-; then
-    echo "/* $configure_input  */" >"$tmp/config.h"
-    cat "$ac_result" >>"$tmp/config.h"
-    if diff $ac_file "$tmp/config.h" >/dev/null 2>&1; then
-      { echo "$as_me:$LINENO: $ac_file is unchanged" >&5
-echo "$as_me: $ac_file is unchanged" >&6;}
-    else
-      rm -f $ac_file
-      mv "$tmp/config.h" $ac_file
-    fi
-  else
-    echo "/* $configure_input  */"
-    cat "$ac_result"
-  fi
-  rm -f "$tmp/out12"
-# Compute $ac_file's index in $config_headers.
-_am_arg=$ac_file
-_am_stamp_count=1
-for _am_header in $config_headers :; do
-  case $_am_header in
-    $_am_arg | $_am_arg:* )
-      break ;;
-    * )
-      _am_stamp_count=`expr $_am_stamp_count + 1` ;;
-  esac
-done
-echo "timestamp for $_am_arg" >`$as_dirname -- "$_am_arg" ||
-$as_expr X"$_am_arg" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
-	 X"$_am_arg" : 'X\(//\)[^/]' \| \
-	 X"$_am_arg" : 'X\(//\)$' \| \
-	 X"$_am_arg" : 'X\(/\)' \| . 2>/dev/null ||
-echo X"$_am_arg" |
-    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
-	    s//\1/
-	    q
-	  }
-	  /^X\(\/\/\)[^/].*/{
-	    s//\1/
-	    q
-	  }
-	  /^X\(\/\/\)$/{
-	    s//\1/
-	    q
-	  }
-	  /^X\(\/\).*/{
-	    s//\1/
-	    q
-	  }
-	  s/.*/./; q'`/stamp-h$_am_stamp_count
- ;;
-
-  :C)  { echo "$as_me:$LINENO: executing $ac_file commands" >&5
-echo "$as_me: executing $ac_file commands" >&6;}
- ;;
-  esac
-
-
-  case $ac_file$ac_mode in
-    "depfiles":C) test x"$AMDEP_TRUE" != x"" || for mf in $CONFIG_FILES; do
-  # Strip MF so we end up with the name of the file.
-  mf=`echo "$mf" | sed -e 's/:.*$//'`
-  # Check whether this is an Automake generated Makefile or not.
-  # We used to match only the files named `Makefile.in', but
-  # some people rename them; so instead we look at the file content.
-  # Grep'ing the first line is not enough: some people post-process
-  # each Makefile.in and add a new line on top of each file to say so.
-  # Grep'ing the whole file is not good either: AIX grep has a line
-  # limit of 2048, but all sed's we know have understand at least 4000.
-  if sed -n 's,^#.*generated by automake.*,X,p' "$mf" | grep X >/dev/null 2>&1; then
-    dirpart=`$as_dirname -- "$mf" ||
-$as_expr X"$mf" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
-	 X"$mf" : 'X\(//\)[^/]' \| \
-	 X"$mf" : 'X\(//\)$' \| \
-	 X"$mf" : 'X\(/\)' \| . 2>/dev/null ||
-echo X"$mf" |
-    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
-	    s//\1/
-	    q
-	  }
-	  /^X\(\/\/\)[^/].*/{
-	    s//\1/
-	    q
-	  }
-	  /^X\(\/\/\)$/{
-	    s//\1/
-	    q
-	  }
-	  /^X\(\/\).*/{
-	    s//\1/
-	    q
-	  }
-	  s/.*/./; q'`
-  else
-    continue
-  fi
-  # Extract the definition of DEPDIR, am__include, and am__quote
-  # from the Makefile without running `make'.
-  DEPDIR=`sed -n 's/^DEPDIR = //p' < "$mf"`
-  test -z "$DEPDIR" && continue
-  am__include=`sed -n 's/^am__include = //p' < "$mf"`
-  test -z "am__include" && continue
-  am__quote=`sed -n 's/^am__quote = //p' < "$mf"`
-  # When using ansi2knr, U may be empty or an underscore; expand it
-  U=`sed -n 's/^U = //p' < "$mf"`
-  # Find all dependency output files, they are included files with
-  # $(DEPDIR) in their names.  We invoke sed twice because it is the
-  # simplest approach to changing $(DEPDIR) to its actual value in the
-  # expansion.
-  for file in `sed -n "
-    s/^$am__include $am__quote\(.*(DEPDIR).*\)$am__quote"'$/\1/p' <"$mf" | \
-       sed -e 's/\$(DEPDIR)/'"$DEPDIR"'/g' -e 's/\$U/'"$U"'/g'`; do
-    # Make sure the directory exists.
-    test -f "$dirpart/$file" && continue
-    fdir=`$as_dirname -- "$file" ||
-$as_expr X"$file" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
-	 X"$file" : 'X\(//\)[^/]' \| \
-	 X"$file" : 'X\(//\)$' \| \
-	 X"$file" : 'X\(/\)' \| . 2>/dev/null ||
-echo X"$file" |
-    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
-	    s//\1/
-	    q
-	  }
-	  /^X\(\/\/\)[^/].*/{
-	    s//\1/
-	    q
-	  }
-	  /^X\(\/\/\)$/{
-	    s//\1/
-	    q
-	  }
-	  /^X\(\/\).*/{
-	    s//\1/
-	    q
-	  }
-	  s/.*/./; q'`
-    { as_dir=$dirpart/$fdir
-  case $as_dir in #(
-  -*) as_dir=./$as_dir;;
-  esac
-  test -d "$as_dir" || { $as_mkdir_p && mkdir -p "$as_dir"; } || {
-    as_dirs=
-    while :; do
-      case $as_dir in #(
-      *\'*) as_qdir=`echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #(
-      *) as_qdir=$as_dir;;
-      esac
-      as_dirs="'$as_qdir' $as_dirs"
-      as_dir=`$as_dirname -- "$as_dir" ||
-$as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
-	 X"$as_dir" : 'X\(//\)[^/]' \| \
-	 X"$as_dir" : 'X\(//\)$' \| \
-	 X"$as_dir" : 'X\(/\)' \| . 2>/dev/null ||
-echo X"$as_dir" |
-    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
-	    s//\1/
-	    q
-	  }
-	  /^X\(\/\/\)[^/].*/{
-	    s//\1/
-	    q
-	  }
-	  /^X\(\/\/\)$/{
-	    s//\1/
-	    q
-	  }
-	  /^X\(\/\).*/{
-	    s//\1/
-	    q
-	  }
-	  s/.*/./; q'`
-      test -d "$as_dir" && break
-    done
-    test -z "$as_dirs" || eval "mkdir $as_dirs"
-  } || test -d "$as_dir" || { { echo "$as_me:$LINENO: error: cannot create directory $as_dir" >&5
-echo "$as_me: error: cannot create directory $as_dir" >&2;}
-   { (exit 1); exit 1; }; }; }
-    # echo "creating $dirpart/$file"
-    echo '# dummy' > "$dirpart/$file"
-  done
-done
- ;;
-    "intltool":C)
-
-for file in intltool-extract intltool-merge intltool-update; do
-  sed -e "s|@INTLTOOL_EXTRACT@|`pwd`/intltool-extract|g" \
-      -e "s|@INTLTOOL_LIBDIR@|${INTLTOOL_LIBDIR}|g" \
-      -e "s|@INTLTOOL_PERL@|${INTLTOOL_PERL}|g" \
-	< ${ac_aux_dir}/${file}.in > ${file}.out
-  if cmp -s ${file} ${file}.out 2>/dev/null; then
-    rm -f ${file}.out
-  else
-    mv -f ${file}.out ${file}
-  fi
-  chmod ugo+x ${file}
-  chmod u+w ${file}
-done
-
- ;;
-    "default-1":C) case "$CONFIG_FILES" in *po/Makefile.in*)
-        sed -e "/POTFILES =/r po/POTFILES" po/Makefile.in > po/Makefile
-      esac ;;
-    "po/stamp-it":C)
-    rm -f "po/stamp-it" "po/stamp-it.tmp" "po/POTFILES" "po/Makefile.tmp"
-    >"po/stamp-it.tmp"
-    sed '/^#/d
-	 s/^[[].*] *//
-	 /^[ 	]*$/d
-	'"s|^|	$ac_top_srcdir/|" \
-      "$srcdir/po/POTFILES.in" | sed '$!s/$/ \\/' >"po/POTFILES"
-
-    if test ! -f "po/Makefile"; then
-      { { echo "$as_me:$LINENO: error: po/Makefile is not ready." >&5
-echo "$as_me: error: po/Makefile is not ready." >&2;}
-   { (exit 1); exit 1; }; }
-    fi
-    mv "po/Makefile" "po/Makefile.tmp"
-    sed '/^POTFILES =/,/[^\\]$/ {
-		/^POTFILES =/!d
-		r po/POTFILES
-	  }
-	 ' "po/Makefile.tmp" >"po/Makefile"
-    rm -f "po/Makefile.tmp"
-    mv "po/stamp-it.tmp" "po/stamp-it"
-   ;;
-
-  esac
-done # for ac_tag
-
-
-{ (exit 0); exit 0; }
-_ACEOF
-chmod +x $CONFIG_STATUS
-ac_clean_files=$ac_clean_files_save
-
-
-# configure is writing to config.log, and then calls config.status.
-# config.status does its own redirection, appending to config.log.
-# Unfortunately, on DOS this fails, as config.log is still kept open
-# by configure, so config.status won't be able to write to it; its
-# output is simply discarded.  So we exec the FD to /dev/null,
-# effectively closing config.log, so it can be properly (re)opened and
-# appended to by config.status.  When coming back to configure, we
-# need to make the FD available again.
-if test "$no_create" != yes; then
-  ac_cs_success=:
-  ac_config_status_args=
-  test "$silent" = yes &&
-    ac_config_status_args="$ac_config_status_args --quiet"
-  exec 5>/dev/null
-  $SHELL $CONFIG_STATUS $ac_config_status_args || ac_cs_success=false
-  exec 5>>config.log
-  # Use ||, not &&, to avoid exiting from the if with $? = 1, which
-  # would make configure fail if this is the last instruction.
-  $ac_cs_success || { (exit 1); exit 1; }
-fi
-
diff --git a/src/charon/plugins/nm/gnome/configure.in b/src/charon/plugins/nm/gnome/configure.in
deleted file mode 100644
index 5bbcdcbad..000000000
--- a/src/charon/plugins/nm/gnome/configure.in
+++ /dev/null
@@ -1,128 +0,0 @@
-AC_PREREQ(2.52)
-
-AC_INIT(NetworkManager-strongswan, 4.2.6, martin@strongswan.org, NetworkManager-strongswan)
-AC_CONFIG_AUX_DIR(.)
-AM_INIT_AUTOMAKE([subdir-objects])
-AM_MAINTAINER_MODE
-
-AM_CONFIG_HEADER(config.h)
-
-dnl
-dnl Require programs
-dnl
-AC_PROG_CC
-AM_PROG_CC_C_O
-AC_PROG_INSTALL
-AC_PROG_LIBTOOL
-
-dnl
-dnl Required headers
-dnl
-AC_HEADER_STDC
-AC_CHECK_HEADERS(fcntl.h paths.h sys/ioctl.h sys/time.h syslog.h unistd.h)
-
-dnl
-dnl Checks for typedefs, structures, and compiler characteristics.
-dnl
-AC_TYPE_MODE_T
-AC_TYPE_PID_T
-AC_HEADER_TIME
-
-dnl
-dnl Checks for library functions.
-dnl
-AC_PROG_GCC_TRADITIONAL
-AC_FUNC_MEMCMP
-AC_CHECK_FUNCS(select socket uname)
-
-GETTEXT_PACKAGE=NetworkManager-strongswan
-AC_SUBST(GETTEXT_PACKAGE)
-AC_DEFINE_UNQUOTED(GETTEXT_PACKAGE,"$GETTEXT_PACKAGE", [Gettext package])
-
-IT_PROG_INTLTOOL([0.35])
-AM_GLIB_GNU_GETTEXT
-
-PKG_CHECK_MODULES(GTHREAD, gthread-2.0)
-AC_SUBST(GTHREAD_CFLAGS)
-AC_SUBST(GTHREAD_LIBS)
-
-PKG_CHECK_MODULES(DBUS, dbus-glib-1 >= 0.30)
-AC_SUBST(DBUS_CFLAGS)
-AC_SUBST(DBUS_LIBS)
-
-if test x"$with_gnome" != xno; then
-	PKG_CHECK_MODULES(GTK, gtk+-2.0 >= 2.6)
-	AC_SUBST(GTK_CFLAGS)
-	AC_SUBST(GTK_LIBS)
-
-	PKG_CHECK_MODULES(GDK_PIXBUF, gdk-pixbuf-2.0)
-	AC_SUBST(GDK_PIXBUF_CFLAGS)
-	AC_SUBST(GDK_PIXBUF_LIBS)
-
-	PKG_CHECK_MODULES(GLADE, libglade-2.0)
-	AC_SUBST(GLADE_CFLAGS)
-	AC_SUBST(GLADE_LIBS)
-
-	PKG_CHECK_MODULES(LIBGNOMEUI, libgnomeui-2.0)
-	AC_SUBST(LIBGNOMEUI_CFLAGS)
-	AC_SUBST(LIBGNOMEUI_LIBS)
-
-	PKG_CHECK_MODULES(GCONF, gconf-2.0)
-	AC_SUBST(GCONF_CFLAGS)
-	AC_SUBST(GCONF_LIBS)
-
-	PKG_CHECK_MODULES(GNOMEKEYRING, gnome-keyring-1)
-	AC_SUBST(GNOMEKEYRING_CFLAGS)
-	AC_SUBST(GNOMEKEYRING_LIBS)
-fi
-
-PKG_CHECK_MODULES(NM_UTILS, NetworkManager >= 0.7.0 libnm-util libnm_glib libnm_glib_vpn)
-AC_SUBST(NM_UTILS_CFLAGS)
-AC_SUBST(NM_UTILS_LIBS)
-
-AC_ARG_WITH(
-	[charon],
-	AS_HELP_STRING([--with-charon=file],[path to the strongSwan IKEv2 daemon charon"]),
-	[AC_SUBST(charon, "$withval")],
-	[AC_SUBST(charon, "${libexecdir}/ipsec/charon")]
-)
-
-AC_ARG_ENABLE(more-warnings,
-AC_HELP_STRING([--enable-more-warnings], [Maximum compiler warnings]),
-set_more_warnings="$enableval",[
-if test -d "$srcdir/{arch}" || test -d "$srcdir/CVS"; then
-	set_more_warnings=yes
-else
-	set_more_warnings=no
-fi
-])
-AC_MSG_CHECKING(for more warnings, including -Werror)
-if test "$GCC" = "yes" -a "$set_more_warnings" != "no"; then
-	AC_MSG_RESULT(yes)
-	CFLAGS="-Wall -Werror -std=gnu89 $CFLAGS"
-
-	for option in -Wno-unused -Wno-strict-aliasing -Wno-sign-compare -Wdeclaration-after-statement -Wno-pointer-sign ; do
-		SAVE_CFLAGS="$CFLAGS"
-		CFLAGS="$CFLAGS $option"
-		AC_MSG_CHECKING([whether gcc understands $option])
-		AC_TRY_COMPILE([], [],
-			has_option=yes,
-			has_option=no,)
-		if test $has_option = no; then
-			CFLAGS="$SAVE_CFLAGS"
-		fi
-		AC_MSG_RESULT($has_option)
-		unset has_option
-		unset SAVE_CFLAGS
-	done
-	unset option
-else
-	AC_MSG_RESULT(no)
-fi
-
-AC_OUTPUT([
-Makefile
-properties/Makefile
-auth-dialog/Makefile
-po/Makefile.in
-])
diff --git a/src/charon/plugins/nm/gnome/depcomp b/src/charon/plugins/nm/gnome/depcomp
deleted file mode 100755
index e5f9736c7..000000000
--- a/src/charon/plugins/nm/gnome/depcomp
+++ /dev/null
@@ -1,589 +0,0 @@
-#! /bin/sh
-# depcomp - compile a program generating dependencies as side-effects
-
-scriptversion=2007-03-29.01
-
-# Copyright (C) 1999, 2000, 2003, 2004, 2005, 2006, 2007 Free Software
-# Foundation, Inc.
-
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2, or (at your option)
-# any later version.
-
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
-# 02110-1301, USA.
-
-# As a special exception to the GNU General Public License, if you
-# distribute this file as part of a program that contains a
-# configuration script generated by Autoconf, you may include it under
-# the same distribution terms that you use for the rest of that program.
-
-# Originally written by Alexandre Oliva <oliva@dcc.unicamp.br>.
-
-case $1 in
-  '')
-     echo "$0: No command.  Try \`$0 --help' for more information." 1>&2
-     exit 1;
-     ;;
-  -h | --h*)
-    cat <<\EOF
-Usage: depcomp [--help] [--version] PROGRAM [ARGS]
-
-Run PROGRAMS ARGS to compile a file, generating dependencies
-as side-effects.
-
-Environment variables:
-  depmode     Dependency tracking mode.
-  source      Source file read by `PROGRAMS ARGS'.
-  object      Object file output by `PROGRAMS ARGS'.
-  DEPDIR      directory where to store dependencies.
-  depfile     Dependency file to output.
-  tmpdepfile  Temporary file to use when outputing dependencies.
-  libtool     Whether libtool is used (yes/no).
-
-Report bugs to <bug-automake@gnu.org>.
-EOF
-    exit $?
-    ;;
-  -v | --v*)
-    echo "depcomp $scriptversion"
-    exit $?
-    ;;
-esac
-
-if test -z "$depmode" || test -z "$source" || test -z "$object"; then
-  echo "depcomp: Variables source, object and depmode must be set" 1>&2
-  exit 1
-fi
-
-# Dependencies for sub/bar.o or sub/bar.obj go into sub/.deps/bar.Po.
-depfile=${depfile-`echo "$object" |
-  sed 's|[^\\/]*$|'${DEPDIR-.deps}'/&|;s|\.\([^.]*\)$|.P\1|;s|Pobj$|Po|'`}
-tmpdepfile=${tmpdepfile-`echo "$depfile" | sed 's/\.\([^.]*\)$/.T\1/'`}
-
-rm -f "$tmpdepfile"
-
-# Some modes work just like other modes, but use different flags.  We
-# parameterize here, but still list the modes in the big case below,
-# to make depend.m4 easier to write.  Note that we *cannot* use a case
-# here, because this file can only contain one case statement.
-if test "$depmode" = hp; then
-  # HP compiler uses -M and no extra arg.
-  gccflag=-M
-  depmode=gcc
-fi
-
-if test "$depmode" = dashXmstdout; then
-   # This is just like dashmstdout with a different argument.
-   dashmflag=-xM
-   depmode=dashmstdout
-fi
-
-case "$depmode" in
-gcc3)
-## gcc 3 implements dependency tracking that does exactly what
-## we want.  Yay!  Note: for some reason libtool 1.4 doesn't like
-## it if -MD -MP comes after the -MF stuff.  Hmm.
-## Unfortunately, FreeBSD c89 acceptance of flags depends upon
-## the command line argument order; so add the flags where they
-## appear in depend2.am.  Note that the slowdown incurred here
-## affects only configure: in makefiles, %FASTDEP% shortcuts this.
-  for arg
-  do
-    case $arg in
-    -c) set fnord "$@" -MT "$object" -MD -MP -MF "$tmpdepfile" "$arg" ;;
-    *)  set fnord "$@" "$arg" ;;
-    esac
-    shift # fnord
-    shift # $arg
-  done
-  "$@"
-  stat=$?
-  if test $stat -eq 0; then :
-  else
-    rm -f "$tmpdepfile"
-    exit $stat
-  fi
-  mv "$tmpdepfile" "$depfile"
-  ;;
-
-gcc)
-## There are various ways to get dependency output from gcc.  Here's
-## why we pick this rather obscure method:
-## - Don't want to use -MD because we'd like the dependencies to end
-##   up in a subdir.  Having to rename by hand is ugly.
-##   (We might end up doing this anyway to support other compilers.)
-## - The DEPENDENCIES_OUTPUT environment variable makes gcc act like
-##   -MM, not -M (despite what the docs say).
-## - Using -M directly means running the compiler twice (even worse
-##   than renaming).
-  if test -z "$gccflag"; then
-    gccflag=-MD,
-  fi
-  "$@" -Wp,"$gccflag$tmpdepfile"
-  stat=$?
-  if test $stat -eq 0; then :
-  else
-    rm -f "$tmpdepfile"
-    exit $stat
-  fi
-  rm -f "$depfile"
-  echo "$object : \\" > "$depfile"
-  alpha=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
-## The second -e expression handles DOS-style file names with drive letters.
-  sed -e 's/^[^:]*: / /' \
-      -e 's/^['$alpha']:\/[^:]*: / /' < "$tmpdepfile" >> "$depfile"
-## This next piece of magic avoids the `deleted header file' problem.
-## The problem is that when a header file which appears in a .P file
-## is deleted, the dependency causes make to die (because there is
-## typically no way to rebuild the header).  We avoid this by adding
-## dummy dependencies for each header file.  Too bad gcc doesn't do
-## this for us directly.
-  tr ' ' '
-' < "$tmpdepfile" |
-## Some versions of gcc put a space before the `:'.  On the theory
-## that the space means something, we add a space to the output as
-## well.
-## Some versions of the HPUX 10.20 sed can't process this invocation
-## correctly.  Breaking it into two sed invocations is a workaround.
-    sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' | sed -e 's/$/ :/' >> "$depfile"
-  rm -f "$tmpdepfile"
-  ;;
-
-hp)
-  # This case exists only to let depend.m4 do its work.  It works by
-  # looking at the text of this script.  This case will never be run,
-  # since it is checked for above.
-  exit 1
-  ;;
-
-sgi)
-  if test "$libtool" = yes; then
-    "$@" "-Wp,-MDupdate,$tmpdepfile"
-  else
-    "$@" -MDupdate "$tmpdepfile"
-  fi
-  stat=$?
-  if test $stat -eq 0; then :
-  else
-    rm -f "$tmpdepfile"
-    exit $stat
-  fi
-  rm -f "$depfile"
-
-  if test -f "$tmpdepfile"; then  # yes, the sourcefile depend on other files
-    echo "$object : \\" > "$depfile"
-
-    # Clip off the initial element (the dependent).  Don't try to be
-    # clever and replace this with sed code, as IRIX sed won't handle
-    # lines with more than a fixed number of characters (4096 in
-    # IRIX 6.2 sed, 8192 in IRIX 6.5).  We also remove comment lines;
-    # the IRIX cc adds comments like `#:fec' to the end of the
-    # dependency line.
-    tr ' ' '
-' < "$tmpdepfile" \
-    | sed -e 's/^.*\.o://' -e 's/#.*$//' -e '/^$/ d' | \
-    tr '
-' ' ' >> $depfile
-    echo >> $depfile
-
-    # The second pass generates a dummy entry for each header file.
-    tr ' ' '
-' < "$tmpdepfile" \
-   | sed -e 's/^.*\.o://' -e 's/#.*$//' -e '/^$/ d' -e 's/$/:/' \
-   >> $depfile
-  else
-    # The sourcefile does not contain any dependencies, so just
-    # store a dummy comment line, to avoid errors with the Makefile
-    # "include basename.Plo" scheme.
-    echo "#dummy" > "$depfile"
-  fi
-  rm -f "$tmpdepfile"
-  ;;
-
-aix)
-  # The C for AIX Compiler uses -M and outputs the dependencies
-  # in a .u file.  In older versions, this file always lives in the
-  # current directory.  Also, the AIX compiler puts `$object:' at the
-  # start of each line; $object doesn't have directory information.
-  # Version 6 uses the directory in both cases.
-  dir=`echo "$object" | sed -e 's|/[^/]*$|/|'`
-  test "x$dir" = "x$object" && dir=
-  base=`echo "$object" | sed -e 's|^.*/||' -e 's/\.o$//' -e 's/\.lo$//'`
-  if test "$libtool" = yes; then
-    tmpdepfile1=$dir$base.u
-    tmpdepfile2=$base.u
-    tmpdepfile3=$dir.libs/$base.u
-    "$@" -Wc,-M
-  else
-    tmpdepfile1=$dir$base.u
-    tmpdepfile2=$dir$base.u
-    tmpdepfile3=$dir$base.u
-    "$@" -M
-  fi
-  stat=$?
-
-  if test $stat -eq 0; then :
-  else
-    rm -f "$tmpdepfile1" "$tmpdepfile2" "$tmpdepfile3"
-    exit $stat
-  fi
-
-  for tmpdepfile in "$tmpdepfile1" "$tmpdepfile2" "$tmpdepfile3"
-  do
-    test -f "$tmpdepfile" && break
-  done
-  if test -f "$tmpdepfile"; then
-    # Each line is of the form `foo.o: dependent.h'.
-    # Do two passes, one to just change these to
-    # `$object: dependent.h' and one to simply `dependent.h:'.
-    sed -e "s,^.*\.[a-z]*:,$object:," < "$tmpdepfile" > "$depfile"
-    # That's a tab and a space in the [].
-    sed -e 's,^.*\.[a-z]*:[	 ]*,,' -e 's,$,:,' < "$tmpdepfile" >> "$depfile"
-  else
-    # The sourcefile does not contain any dependencies, so just
-    # store a dummy comment line, to avoid errors with the Makefile
-    # "include basename.Plo" scheme.
-    echo "#dummy" > "$depfile"
-  fi
-  rm -f "$tmpdepfile"
-  ;;
-
-icc)
-  # Intel's C compiler understands `-MD -MF file'.  However on
-  #    icc -MD -MF foo.d -c -o sub/foo.o sub/foo.c
-  # ICC 7.0 will fill foo.d with something like
-  #    foo.o: sub/foo.c
-  #    foo.o: sub/foo.h
-  # which is wrong.  We want:
-  #    sub/foo.o: sub/foo.c
-  #    sub/foo.o: sub/foo.h
-  #    sub/foo.c:
-  #    sub/foo.h:
-  # ICC 7.1 will output
-  #    foo.o: sub/foo.c sub/foo.h
-  # and will wrap long lines using \ :
-  #    foo.o: sub/foo.c ... \
-  #     sub/foo.h ... \
-  #     ...
-
-  "$@" -MD -MF "$tmpdepfile"
-  stat=$?
-  if test $stat -eq 0; then :
-  else
-    rm -f "$tmpdepfile"
-    exit $stat
-  fi
-  rm -f "$depfile"
-  # Each line is of the form `foo.o: dependent.h',
-  # or `foo.o: dep1.h dep2.h \', or ` dep3.h dep4.h \'.
-  # Do two passes, one to just change these to
-  # `$object: dependent.h' and one to simply `dependent.h:'.
-  sed "s,^[^:]*:,$object :," < "$tmpdepfile" > "$depfile"
-  # Some versions of the HPUX 10.20 sed can't process this invocation
-  # correctly.  Breaking it into two sed invocations is a workaround.
-  sed 's,^[^:]*: \(.*\)$,\1,;s/^\\$//;/^$/d;/:$/d' < "$tmpdepfile" |
-    sed -e 's/$/ :/' >> "$depfile"
-  rm -f "$tmpdepfile"
-  ;;
-
-hp2)
-  # The "hp" stanza above does not work with aCC (C++) and HP's ia64
-  # compilers, which have integrated preprocessors.  The correct option
-  # to use with these is +Maked; it writes dependencies to a file named
-  # 'foo.d', which lands next to the object file, wherever that
-  # happens to be.
-  # Much of this is similar to the tru64 case; see comments there.
-  dir=`echo "$object" | sed -e 's|/[^/]*$|/|'`
-  test "x$dir" = "x$object" && dir=
-  base=`echo "$object" | sed -e 's|^.*/||' -e 's/\.o$//' -e 's/\.lo$//'`
-  if test "$libtool" = yes; then
-    tmpdepfile1=$dir$base.d
-    tmpdepfile2=$dir.libs/$base.d
-    "$@" -Wc,+Maked
-  else
-    tmpdepfile1=$dir$base.d
-    tmpdepfile2=$dir$base.d
-    "$@" +Maked
-  fi
-  stat=$?
-  if test $stat -eq 0; then :
-  else
-     rm -f "$tmpdepfile1" "$tmpdepfile2"
-     exit $stat
-  fi
-
-  for tmpdepfile in "$tmpdepfile1" "$tmpdepfile2"
-  do
-    test -f "$tmpdepfile" && break
-  done
-  if test -f "$tmpdepfile"; then
-    sed -e "s,^.*\.[a-z]*:,$object:," "$tmpdepfile" > "$depfile"
-    # Add `dependent.h:' lines.
-    sed -ne '2,${; s/^ *//; s/ \\*$//; s/$/:/; p;}' "$tmpdepfile" >> "$depfile"
-  else
-    echo "#dummy" > "$depfile"
-  fi
-  rm -f "$tmpdepfile" "$tmpdepfile2"
-  ;;
-
-tru64)
-   # The Tru64 compiler uses -MD to generate dependencies as a side
-   # effect.  `cc -MD -o foo.o ...' puts the dependencies into `foo.o.d'.
-   # At least on Alpha/Redhat 6.1, Compaq CCC V6.2-504 seems to put
-   # dependencies in `foo.d' instead, so we check for that too.
-   # Subdirectories are respected.
-   dir=`echo "$object" | sed -e 's|/[^/]*$|/|'`
-   test "x$dir" = "x$object" && dir=
-   base=`echo "$object" | sed -e 's|^.*/||' -e 's/\.o$//' -e 's/\.lo$//'`
-
-   if test "$libtool" = yes; then
-      # With Tru64 cc, shared objects can also be used to make a
-      # static library.  This mechanism is used in libtool 1.4 series to
-      # handle both shared and static libraries in a single compilation.
-      # With libtool 1.4, dependencies were output in $dir.libs/$base.lo.d.
-      #
-      # With libtool 1.5 this exception was removed, and libtool now
-      # generates 2 separate objects for the 2 libraries.  These two
-      # compilations output dependencies in $dir.libs/$base.o.d and
-      # in $dir$base.o.d.  We have to check for both files, because
-      # one of the two compilations can be disabled.  We should prefer
-      # $dir$base.o.d over $dir.libs/$base.o.d because the latter is
-      # automatically cleaned when .libs/ is deleted, while ignoring
-      # the former would cause a distcleancheck panic.
-      tmpdepfile1=$dir.libs/$base.lo.d   # libtool 1.4
-      tmpdepfile2=$dir$base.o.d          # libtool 1.5
-      tmpdepfile3=$dir.libs/$base.o.d    # libtool 1.5
-      tmpdepfile4=$dir.libs/$base.d      # Compaq CCC V6.2-504
-      "$@" -Wc,-MD
-   else
-      tmpdepfile1=$dir$base.o.d
-      tmpdepfile2=$dir$base.d
-      tmpdepfile3=$dir$base.d
-      tmpdepfile4=$dir$base.d
-      "$@" -MD
-   fi
-
-   stat=$?
-   if test $stat -eq 0; then :
-   else
-      rm -f "$tmpdepfile1" "$tmpdepfile2" "$tmpdepfile3" "$tmpdepfile4"
-      exit $stat
-   fi
-
-   for tmpdepfile in "$tmpdepfile1" "$tmpdepfile2" "$tmpdepfile3" "$tmpdepfile4"
-   do
-     test -f "$tmpdepfile" && break
-   done
-   if test -f "$tmpdepfile"; then
-      sed -e "s,^.*\.[a-z]*:,$object:," < "$tmpdepfile" > "$depfile"
-      # That's a tab and a space in the [].
-      sed -e 's,^.*\.[a-z]*:[	 ]*,,' -e 's,$,:,' < "$tmpdepfile" >> "$depfile"
-   else
-      echo "#dummy" > "$depfile"
-   fi
-   rm -f "$tmpdepfile"
-   ;;
-
-#nosideeffect)
-  # This comment above is used by automake to tell side-effect
-  # dependency tracking mechanisms from slower ones.
-
-dashmstdout)
-  # Important note: in order to support this mode, a compiler *must*
-  # always write the preprocessed file to stdout, regardless of -o.
-  "$@" || exit $?
-
-  # Remove the call to Libtool.
-  if test "$libtool" = yes; then
-    while test $1 != '--mode=compile'; do
-      shift
-    done
-    shift
-  fi
-
-  # Remove `-o $object'.
-  IFS=" "
-  for arg
-  do
-    case $arg in
-    -o)
-      shift
-      ;;
-    $object)
-      shift
-      ;;
-    *)
-      set fnord "$@" "$arg"
-      shift # fnord
-      shift # $arg
-      ;;
-    esac
-  done
-
-  test -z "$dashmflag" && dashmflag=-M
-  # Require at least two characters before searching for `:'
-  # in the target name.  This is to cope with DOS-style filenames:
-  # a dependency such as `c:/foo/bar' could be seen as target `c' otherwise.
-  "$@" $dashmflag |
-    sed 's:^[  ]*[^: ][^:][^:]*\:[    ]*:'"$object"'\: :' > "$tmpdepfile"
-  rm -f "$depfile"
-  cat < "$tmpdepfile" > "$depfile"
-  tr ' ' '
-' < "$tmpdepfile" | \
-## Some versions of the HPUX 10.20 sed can't process this invocation
-## correctly.  Breaking it into two sed invocations is a workaround.
-    sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' | sed -e 's/$/ :/' >> "$depfile"
-  rm -f "$tmpdepfile"
-  ;;
-
-dashXmstdout)
-  # This case only exists to satisfy depend.m4.  It is never actually
-  # run, as this mode is specially recognized in the preamble.
-  exit 1
-  ;;
-
-makedepend)
-  "$@" || exit $?
-  # Remove any Libtool call
-  if test "$libtool" = yes; then
-    while test $1 != '--mode=compile'; do
-      shift
-    done
-    shift
-  fi
-  # X makedepend
-  shift
-  cleared=no
-  for arg in "$@"; do
-    case $cleared in
-    no)
-      set ""; shift
-      cleared=yes ;;
-    esac
-    case "$arg" in
-    -D*|-I*)
-      set fnord "$@" "$arg"; shift ;;
-    # Strip any option that makedepend may not understand.  Remove
-    # the object too, otherwise makedepend will parse it as a source file.
-    -*|$object)
-      ;;
-    *)
-      set fnord "$@" "$arg"; shift ;;
-    esac
-  done
-  obj_suffix="`echo $object | sed 's/^.*\././'`"
-  touch "$tmpdepfile"
-  ${MAKEDEPEND-makedepend} -o"$obj_suffix" -f"$tmpdepfile" "$@"
-  rm -f "$depfile"
-  cat < "$tmpdepfile" > "$depfile"
-  sed '1,2d' "$tmpdepfile" | tr ' ' '
-' | \
-## Some versions of the HPUX 10.20 sed can't process this invocation
-## correctly.  Breaking it into two sed invocations is a workaround.
-    sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' | sed -e 's/$/ :/' >> "$depfile"
-  rm -f "$tmpdepfile" "$tmpdepfile".bak
-  ;;
-
-cpp)
-  # Important note: in order to support this mode, a compiler *must*
-  # always write the preprocessed file to stdout.
-  "$@" || exit $?
-
-  # Remove the call to Libtool.
-  if test "$libtool" = yes; then
-    while test $1 != '--mode=compile'; do
-      shift
-    done
-    shift
-  fi
-
-  # Remove `-o $object'.
-  IFS=" "
-  for arg
-  do
-    case $arg in
-    -o)
-      shift
-      ;;
-    $object)
-      shift
-      ;;
-    *)
-      set fnord "$@" "$arg"
-      shift # fnord
-      shift # $arg
-      ;;
-    esac
-  done
-
-  "$@" -E |
-    sed -n -e '/^# [0-9][0-9]* "\([^"]*\)".*/ s:: \1 \\:p' \
-       -e '/^#line [0-9][0-9]* "\([^"]*\)".*/ s:: \1 \\:p' |
-    sed '$ s: \\$::' > "$tmpdepfile"
-  rm -f "$depfile"
-  echo "$object : \\" > "$depfile"
-  cat < "$tmpdepfile" >> "$depfile"
-  sed < "$tmpdepfile" '/^$/d;s/^ //;s/ \\$//;s/$/ :/' >> "$depfile"
-  rm -f "$tmpdepfile"
-  ;;
-
-msvisualcpp)
-  # Important note: in order to support this mode, a compiler *must*
-  # always write the preprocessed file to stdout, regardless of -o,
-  # because we must use -o when running libtool.
-  "$@" || exit $?
-  IFS=" "
-  for arg
-  do
-    case "$arg" in
-    "-Gm"|"/Gm"|"-Gi"|"/Gi"|"-ZI"|"/ZI")
-	set fnord "$@"
-	shift
-	shift
-	;;
-    *)
-	set fnord "$@" "$arg"
-	shift
-	shift
-	;;
-    esac
-  done
-  "$@" -E |
-  sed -n '/^#line [0-9][0-9]* "\([^"]*\)"/ s::echo "`cygpath -u \\"\1\\"`":p' | sort | uniq > "$tmpdepfile"
-  rm -f "$depfile"
-  echo "$object : \\" > "$depfile"
-  . "$tmpdepfile" | sed 's% %\\ %g' | sed -n '/^\(.*\)$/ s::	\1 \\:p' >> "$depfile"
-  echo "	" >> "$depfile"
-  . "$tmpdepfile" | sed 's% %\\ %g' | sed -n '/^\(.*\)$/ s::\1\::p' >> "$depfile"
-  rm -f "$tmpdepfile"
-  ;;
-
-none)
-  exec "$@"
-  ;;
-
-*)
-  echo "Unknown depmode $depmode" 1>&2
-  exit 1
-  ;;
-esac
-
-exit 0
-
-# Local Variables:
-# mode: shell-script
-# sh-indentation: 2
-# eval: (add-hook 'write-file-hooks 'time-stamp)
-# time-stamp-start: "scriptversion="
-# time-stamp-format: "%:y-%02m-%02d.%02H"
-# time-stamp-end: "$"
-# End:
diff --git a/src/charon/plugins/nm/gnome/install-sh b/src/charon/plugins/nm/gnome/install-sh
deleted file mode 100755
index a5897de6e..000000000
--- a/src/charon/plugins/nm/gnome/install-sh
+++ /dev/null
@@ -1,519 +0,0 @@
-#!/bin/sh
-# install - install a program, script, or datafile
-
-scriptversion=2006-12-25.00
-
-# This originates from X11R5 (mit/util/scripts/install.sh), which was
-# later released in X11R6 (xc/config/util/install.sh) with the
-# following copyright and license.
-#
-# Copyright (C) 1994 X Consortium
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy
-# of this software and associated documentation files (the "Software"), to
-# deal in the Software without restriction, including without limitation the
-# rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
-# sell copies of the Software, and to permit persons to whom the Software is
-# furnished to do so, subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in
-# all copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL THE
-# X CONSORTIUM BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN
-# AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNEC-
-# TION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-#
-# Except as contained in this notice, the name of the X Consortium shall not
-# be used in advertising or otherwise to promote the sale, use or other deal-
-# ings in this Software without prior written authorization from the X Consor-
-# tium.
-#
-#
-# FSF changes to this file are in the public domain.
-#
-# Calling this script install-sh is preferred over install.sh, to prevent
-# `make' implicit rules from creating a file called install from it
-# when there is no Makefile.
-#
-# This script is compatible with the BSD install script, but was written
-# from scratch.
-
-nl='
-'
-IFS=" ""	$nl"
-
-# set DOITPROG to echo to test this script
-
-# Don't use :- since 4.3BSD and earlier shells don't like it.
-doit=${DOITPROG-}
-if test -z "$doit"; then
-  doit_exec=exec
-else
-  doit_exec=$doit
-fi
-
-# Put in absolute file names if you don't have them in your path;
-# or use environment vars.
-
-chgrpprog=${CHGRPPROG-chgrp}
-chmodprog=${CHMODPROG-chmod}
-chownprog=${CHOWNPROG-chown}
-cmpprog=${CMPPROG-cmp}
-cpprog=${CPPROG-cp}
-mkdirprog=${MKDIRPROG-mkdir}
-mvprog=${MVPROG-mv}
-rmprog=${RMPROG-rm}
-stripprog=${STRIPPROG-strip}
-
-posix_glob='?'
-initialize_posix_glob='
-  test "$posix_glob" != "?" || {
-    if (set -f) 2>/dev/null; then
-      posix_glob=
-    else
-      posix_glob=:
-    fi
-  }
-'
-
-posix_mkdir=
-
-# Desired mode of installed file.
-mode=0755
-
-chgrpcmd=
-chmodcmd=$chmodprog
-chowncmd=
-mvcmd=$mvprog
-rmcmd="$rmprog -f"
-stripcmd=
-
-src=
-dst=
-dir_arg=
-dst_arg=
-
-copy_on_change=false
-no_target_directory=
-
-usage="\
-Usage: $0 [OPTION]... [-T] SRCFILE DSTFILE
-   or: $0 [OPTION]... SRCFILES... DIRECTORY
-   or: $0 [OPTION]... -t DIRECTORY SRCFILES...
-   or: $0 [OPTION]... -d DIRECTORIES...
-
-In the 1st form, copy SRCFILE to DSTFILE.
-In the 2nd and 3rd, copy all SRCFILES to DIRECTORY.
-In the 4th, create DIRECTORIES.
-
-Options:
-     --help     display this help and exit.
-     --version  display version info and exit.
-
-  -c            (ignored)
-  -C            install only if different (preserve the last data modification time)
-  -d            create directories instead of installing files.
-  -g GROUP      $chgrpprog installed files to GROUP.
-  -m MODE       $chmodprog installed files to MODE.
-  -o USER       $chownprog installed files to USER.
-  -s            $stripprog installed files.
-  -t DIRECTORY  install into DIRECTORY.
-  -T            report an error if DSTFILE is a directory.
-
-Environment variables override the default commands:
-  CHGRPPROG CHMODPROG CHOWNPROG CMPPROG CPPROG MKDIRPROG MVPROG
-  RMPROG STRIPPROG
-"
-
-while test $# -ne 0; do
-  case $1 in
-    -c) ;;
-
-    -C) copy_on_change=true;;
-
-    -d) dir_arg=true;;
-
-    -g) chgrpcmd="$chgrpprog $2"
-	shift;;
-
-    --help) echo "$usage"; exit $?;;
-
-    -m) mode=$2
-	case $mode in
-	  *' '* | *'	'* | *'
-'*	  | *'*'* | *'?'* | *'['*)
-	    echo "$0: invalid mode: $mode" >&2
-	    exit 1;;
-	esac
-	shift;;
-
-    -o) chowncmd="$chownprog $2"
-	shift;;
-
-    -s) stripcmd=$stripprog;;
-
-    -t) dst_arg=$2
-	shift;;
-
-    -T) no_target_directory=true;;
-
-    --version) echo "$0 $scriptversion"; exit $?;;
-
-    --)	shift
-	break;;
-
-    -*)	echo "$0: invalid option: $1" >&2
-	exit 1;;
-
-    *)  break;;
-  esac
-  shift
-done
-
-if test $# -ne 0 && test -z "$dir_arg$dst_arg"; then
-  # When -d is used, all remaining arguments are directories to create.
-  # When -t is used, the destination is already specified.
-  # Otherwise, the last argument is the destination.  Remove it from $@.
-  for arg
-  do
-    if test -n "$dst_arg"; then
-      # $@ is not empty: it contains at least $arg.
-      set fnord "$@" "$dst_arg"
-      shift # fnord
-    fi
-    shift # arg
-    dst_arg=$arg
-  done
-fi
-
-if test $# -eq 0; then
-  if test -z "$dir_arg"; then
-    echo "$0: no input file specified." >&2
-    exit 1
-  fi
-  # It's OK to call `install-sh -d' without argument.
-  # This can happen when creating conditional directories.
-  exit 0
-fi
-
-if test -z "$dir_arg"; then
-  trap '(exit $?); exit' 1 2 13 15
-
-  # Set umask so as not to create temps with too-generous modes.
-  # However, 'strip' requires both read and write access to temps.
-  case $mode in
-    # Optimize common cases.
-    *644) cp_umask=133;;
-    *755) cp_umask=22;;
-
-    *[0-7])
-      if test -z "$stripcmd"; then
-	u_plus_rw=
-      else
-	u_plus_rw='% 200'
-      fi
-      cp_umask=`expr '(' 777 - $mode % 1000 ')' $u_plus_rw`;;
-    *)
-      if test -z "$stripcmd"; then
-	u_plus_rw=
-      else
-	u_plus_rw=,u+rw
-      fi
-      cp_umask=$mode$u_plus_rw;;
-  esac
-fi
-
-for src
-do
-  # Protect names starting with `-'.
-  case $src in
-    -*) src=./$src;;
-  esac
-
-  if test -n "$dir_arg"; then
-    dst=$src
-    dstdir=$dst
-    test -d "$dstdir"
-    dstdir_status=$?
-  else
-
-    # Waiting for this to be detected by the "$cpprog $src $dsttmp" command
-    # might cause directories to be created, which would be especially bad
-    # if $src (and thus $dsttmp) contains '*'.
-    if test ! -f "$src" && test ! -d "$src"; then
-      echo "$0: $src does not exist." >&2
-      exit 1
-    fi
-
-    if test -z "$dst_arg"; then
-      echo "$0: no destination specified." >&2
-      exit 1
-    fi
-
-    dst=$dst_arg
-    # Protect names starting with `-'.
-    case $dst in
-      -*) dst=./$dst;;
-    esac
-
-    # If destination is a directory, append the input filename; won't work
-    # if double slashes aren't ignored.
-    if test -d "$dst"; then
-      if test -n "$no_target_directory"; then
-	echo "$0: $dst_arg: Is a directory" >&2
-	exit 1
-      fi
-      dstdir=$dst
-      dst=$dstdir/`basename "$src"`
-      dstdir_status=0
-    else
-      # Prefer dirname, but fall back on a substitute if dirname fails.
-      dstdir=`
-	(dirname "$dst") 2>/dev/null ||
-	expr X"$dst" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
-	     X"$dst" : 'X\(//\)[^/]' \| \
-	     X"$dst" : 'X\(//\)$' \| \
-	     X"$dst" : 'X\(/\)' \| . 2>/dev/null ||
-	echo X"$dst" |
-	    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
-		   s//\1/
-		   q
-		 }
-		 /^X\(\/\/\)[^/].*/{
-		   s//\1/
-		   q
-		 }
-		 /^X\(\/\/\)$/{
-		   s//\1/
-		   q
-		 }
-		 /^X\(\/\).*/{
-		   s//\1/
-		   q
-		 }
-		 s/.*/./; q'
-      `
-
-      test -d "$dstdir"
-      dstdir_status=$?
-    fi
-  fi
-
-  obsolete_mkdir_used=false
-
-  if test $dstdir_status != 0; then
-    case $posix_mkdir in
-      '')
-	# Create intermediate dirs using mode 755 as modified by the umask.
-	# This is like FreeBSD 'install' as of 1997-10-28.
-	umask=`umask`
-	case $stripcmd.$umask in
-	  # Optimize common cases.
-	  *[2367][2367]) mkdir_umask=$umask;;
-	  .*0[02][02] | .[02][02] | .[02]) mkdir_umask=22;;
-
-	  *[0-7])
-	    mkdir_umask=`expr $umask + 22 \
-	      - $umask % 100 % 40 + $umask % 20 \
-	      - $umask % 10 % 4 + $umask % 2
-	    `;;
-	  *) mkdir_umask=$umask,go-w;;
-	esac
-
-	# With -d, create the new directory with the user-specified mode.
-	# Otherwise, rely on $mkdir_umask.
-	if test -n "$dir_arg"; then
-	  mkdir_mode=-m$mode
-	else
-	  mkdir_mode=
-	fi
-
-	posix_mkdir=false
-	case $umask in
-	  *[123567][0-7][0-7])
-	    # POSIX mkdir -p sets u+wx bits regardless of umask, which
-	    # is incompatible with FreeBSD 'install' when (umask & 300) != 0.
-	    ;;
-	  *)
-	    tmpdir=${TMPDIR-/tmp}/ins$RANDOM-$$
-	    trap 'ret=$?; rmdir "$tmpdir/d" "$tmpdir" 2>/dev/null; exit $ret' 0
-
-	    if (umask $mkdir_umask &&
-		exec $mkdirprog $mkdir_mode -p -- "$tmpdir/d") >/dev/null 2>&1
-	    then
-	      if test -z "$dir_arg" || {
-		   # Check for POSIX incompatibilities with -m.
-		   # HP-UX 11.23 and IRIX 6.5 mkdir -m -p sets group- or
-		   # other-writeable bit of parent directory when it shouldn't.
-		   # FreeBSD 6.1 mkdir -m -p sets mode of existing directory.
-		   ls_ld_tmpdir=`ls -ld "$tmpdir"`
-		   case $ls_ld_tmpdir in
-		     d????-?r-*) different_mode=700;;
-		     d????-?--*) different_mode=755;;
-		     *) false;;
-		   esac &&
-		   $mkdirprog -m$different_mode -p -- "$tmpdir" && {
-		     ls_ld_tmpdir_1=`ls -ld "$tmpdir"`
-		     test "$ls_ld_tmpdir" = "$ls_ld_tmpdir_1"
-		   }
-		 }
-	      then posix_mkdir=:
-	      fi
-	      rmdir "$tmpdir/d" "$tmpdir"
-	    else
-	      # Remove any dirs left behind by ancient mkdir implementations.
-	      rmdir ./$mkdir_mode ./-p ./-- 2>/dev/null
-	    fi
-	    trap '' 0;;
-	esac;;
-    esac
-
-    if
-      $posix_mkdir && (
-	umask $mkdir_umask &&
-	$doit_exec $mkdirprog $mkdir_mode -p -- "$dstdir"
-      )
-    then :
-    else
-
-      # The umask is ridiculous, or mkdir does not conform to POSIX,
-      # or it failed possibly due to a race condition.  Create the
-      # directory the slow way, step by step, checking for races as we go.
-
-      case $dstdir in
-	/*) prefix='/';;
-	-*) prefix='./';;
-	*)  prefix='';;
-      esac
-
-      eval "$initialize_posix_glob"
-
-      oIFS=$IFS
-      IFS=/
-      $posix_glob set -f
-      set fnord $dstdir
-      shift
-      $posix_glob set +f
-      IFS=$oIFS
-
-      prefixes=
-
-      for d
-      do
-	test -z "$d" && continue
-
-	prefix=$prefix$d
-	if test -d "$prefix"; then
-	  prefixes=
-	else
-	  if $posix_mkdir; then
-	    (umask=$mkdir_umask &&
-	     $doit_exec $mkdirprog $mkdir_mode -p -- "$dstdir") && break
-	    # Don't fail if two instances are running concurrently.
-	    test -d "$prefix" || exit 1
-	  else
-	    case $prefix in
-	      *\'*) qprefix=`echo "$prefix" | sed "s/'/'\\\\\\\\''/g"`;;
-	      *) qprefix=$prefix;;
-	    esac
-	    prefixes="$prefixes '$qprefix'"
-	  fi
-	fi
-	prefix=$prefix/
-      done
-
-      if test -n "$prefixes"; then
-	# Don't fail if two instances are running concurrently.
-	(umask $mkdir_umask &&
-	 eval "\$doit_exec \$mkdirprog $prefixes") ||
-	  test -d "$dstdir" || exit 1
-	obsolete_mkdir_used=true
-      fi
-    fi
-  fi
-
-  if test -n "$dir_arg"; then
-    { test -z "$chowncmd" || $doit $chowncmd "$dst"; } &&
-    { test -z "$chgrpcmd" || $doit $chgrpcmd "$dst"; } &&
-    { test "$obsolete_mkdir_used$chowncmd$chgrpcmd" = false ||
-      test -z "$chmodcmd" || $doit $chmodcmd $mode "$dst"; } || exit 1
-  else
-
-    # Make a couple of temp file names in the proper directory.
-    dsttmp=$dstdir/_inst.$$_
-    rmtmp=$dstdir/_rm.$$_
-
-    # Trap to clean up those temp files at exit.
-    trap 'ret=$?; rm -f "$dsttmp" "$rmtmp" && exit $ret' 0
-
-    # Copy the file name to the temp name.
-    (umask $cp_umask && $doit_exec $cpprog "$src" "$dsttmp") &&
-
-    # and set any options; do chmod last to preserve setuid bits.
-    #
-    # If any of these fail, we abort the whole thing.  If we want to
-    # ignore errors from any of these, just make sure not to ignore
-    # errors from the above "$doit $cpprog $src $dsttmp" command.
-    #
-    { test -z "$chowncmd" || $doit $chowncmd "$dsttmp"; } &&
-    { test -z "$chgrpcmd" || $doit $chgrpcmd "$dsttmp"; } &&
-    { test -z "$stripcmd" || $doit $stripcmd "$dsttmp"; } &&
-    { test -z "$chmodcmd" || $doit $chmodcmd $mode "$dsttmp"; } &&
-
-    # If -C, don't bother to copy if it wouldn't change the file.
-    if $copy_on_change &&
-       old=`LC_ALL=C ls -dlL "$dst"	2>/dev/null` &&
-       new=`LC_ALL=C ls -dlL "$dsttmp"	2>/dev/null` &&
-
-       eval "$initialize_posix_glob" &&
-       $posix_glob set -f &&
-       set X $old && old=:$2:$4:$5:$6 &&
-       set X $new && new=:$2:$4:$5:$6 &&
-       $posix_glob set +f &&
-
-       test "$old" = "$new" &&
-       $cmpprog "$dst" "$dsttmp" >/dev/null 2>&1
-    then
-      rm -f "$dsttmp"
-    else
-      # Rename the file to the real destination.
-      $doit $mvcmd -f "$dsttmp" "$dst" 2>/dev/null ||
-
-      # The rename failed, perhaps because mv can't rename something else
-      # to itself, or perhaps because mv is so ancient that it does not
-      # support -f.
-      {
-	# Now remove or move aside any old file at destination location.
-	# We try this two ways since rm can't unlink itself on some
-	# systems and the destination file might be busy for other
-	# reasons.  In this case, the final cleanup might fail but the new
-	# file should still install successfully.
-	{
-	  test ! -f "$dst" ||
-	  $doit $rmcmd -f "$dst" 2>/dev/null ||
-	  { $doit $mvcmd -f "$dst" "$rmtmp" 2>/dev/null &&
-	    { $doit $rmcmd -f "$rmtmp" 2>/dev/null; :; }
-	  } ||
-	  { echo "$0: cannot unlink or rename $dst" >&2
-	    (exit 1); exit 1
-	  }
-	} &&
-
-	# Now rename the file to the real destination.
-	$doit $mvcmd "$dsttmp" "$dst"
-      }
-    fi || exit 1
-
-    trap '' 0
-  fi
-done
-
-# Local variables:
-# eval: (add-hook 'write-file-hooks 'time-stamp)
-# time-stamp-start: "scriptversion="
-# time-stamp-format: "%:y-%02m-%02d.%02H"
-# time-stamp-end: "$"
-# End:
diff --git a/src/charon/plugins/nm/gnome/intltool-extract.in b/src/charon/plugins/nm/gnome/intltool-extract.in
deleted file mode 100644
index ae393ac66..000000000
--- a/src/charon/plugins/nm/gnome/intltool-extract.in
+++ /dev/null
@@ -1,875 +0,0 @@
-#!@INTLTOOL_PERL@ -w 
-# -*- Mode: perl; indent-tabs-mode: nil; c-basic-offset: 4  -*-
-
-#
-#  The Intltool Message Extractor
-#
-#  Copyright (C) 2000-2001, 2003 Free Software Foundation.
-#
-#  Intltool is free software; you can redistribute it and/or
-#  modify it under the terms of the GNU General Public License as
-#  published by the Free Software Foundation; either version 2 of the
-#  License, or (at your option) any later version.
-#
-#  Intltool is distributed in the hope that it will be useful,
-#  but WITHOUT ANY WARRANTY; without even the implied warranty of
-#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-#  General Public License for more details.
-#
-#  You should have received a copy of the GNU General Public License
-#  along with this program; if not, write to the Free Software
-#  Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-#
-#  As a special exception to the GNU General Public License, if you
-#  distribute this file as part of a program that contains a
-#  configuration script generated by Autoconf, you may include it under
-#  the same distribution terms that you use for the rest of that program.
-#
-#  Authors: Kenneth Christiansen <kenneth@gnu.org>
-#           Darin Adler <darin@bentspoon.com>
-#
-
-## Release information
-my $PROGRAM      = "intltool-extract";
-my $PACKAGE      = "intltool";
-my $VERSION      = "0.37.1";
-
-## Loaded modules
-use strict; 
-use File::Basename;
-use Getopt::Long;
-
-## Scalars used by the option stuff
-my $TYPE_ARG	= "0";
-my $LOCAL_ARG	= "0";
-my $HELP_ARG 	= "0";
-my $VERSION_ARG = "0";
-my $UPDATE_ARG  = "0";
-my $QUIET_ARG   = "0";
-my $SRCDIR_ARG	= ".";
-
-my $FILE;
-my $OUTFILE;
-
-my $gettext_type = "";
-my $input;
-my %messages = ();
-my %loc = ();
-my %count = ();
-my %comments = ();
-my $strcount = 0;
-
-my $XMLCOMMENT = "";
-
-## Use this instead of \w for XML files to handle more possible characters.
-my $w = "[-A-Za-z0-9._:]";
-
-## Always print first
-$| = 1;
-
-## Handle options
-GetOptions (
-	    "type=s"     => \$TYPE_ARG,
-            "local|l"    => \$LOCAL_ARG,
-            "help|h"     => \$HELP_ARG,
-            "version|v"  => \$VERSION_ARG,
-            "update"     => \$UPDATE_ARG,
-	    "quiet|q"    => \$QUIET_ARG,
-	    "srcdir=s"	 => \$SRCDIR_ARG,
-            ) or &error;
-
-&split_on_argument;
-
-
-## Check for options. 
-## This section will check for the different options.
-
-sub split_on_argument {
-
-    if ($VERSION_ARG) {
-        &version;
-
-    } elsif ($HELP_ARG) {
-	&help;
-        
-    } elsif ($LOCAL_ARG) {
-        &place_local;
-        &extract;
-
-    } elsif ($UPDATE_ARG) {
-	&place_normal;
-	&extract;
-
-    } elsif (@ARGV > 0) {
-	&place_normal;
-	&message;
-	&extract;
-
-    } else {
-	&help;
-
-    }  
-}    
-
-sub place_normal {
-    $FILE	 = $ARGV[0];
-    $OUTFILE     = "$FILE.h";
-
-    my $dirname = dirname ($OUTFILE);
-    if (! -d "$dirname" && $dirname ne "") {
-        system ("mkdir -p $dirname");
-    }
-}   
-
-sub place_local {
-    $FILE	 = $ARGV[0];
-    $OUTFILE     = fileparse($FILE, ());
-    if (!-e "tmp/") { 
-        system("mkdir tmp/"); 
-    }
-    $OUTFILE     = "./tmp/$OUTFILE.h"
-}
-
-sub determine_type {
-   if ($TYPE_ARG =~ /^gettext\/(.*)/) {
-	$gettext_type=$1
-   }
-}
-
-## Sub for printing release information
-sub version{
-    print <<_EOF_;
-${PROGRAM} (${PACKAGE}) $VERSION
-Copyright (C) 2000, 2003 Free Software Foundation, Inc.
-Written by Kenneth Christiansen, 2000.
-
-This is free software; see the source for copying conditions.  There is NO
-warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
-_EOF_
-    exit;
-}
-
-## Sub for printing usage information
-sub help {
-    print <<_EOF_;
-Usage: ${PROGRAM} [OPTION]... [FILENAME]
-Generates a header file from an XML source file.
-
-It grabs all strings between <_translatable_node> and its end tag in
-XML files. Read manpage (man ${PROGRAM}) for more info.
-
-      --type=TYPE   Specify the file type of FILENAME. Currently supports:
-                    "gettext/glade", "gettext/ini", "gettext/keys"
-                    "gettext/rfc822deb", "gettext/schemas",
-                    "gettext/scheme", "gettext/xml", "gettext/quoted",
-                    "gettext/quotedxml"
-  -l, --local       Writes output into current working directory
-                    (conflicts with --update)
-      --update      Writes output into the same directory the source file 
-                    reside (conflicts with --local)
-      --srcdir      Root of the source tree
-  -v, --version     Output version information and exit
-  -h, --help        Display this help and exit
-  -q, --quiet       Quiet mode
-
-Report bugs to http://bugzilla.gnome.org/ (product name "$PACKAGE")
-or send email to <xml-i18n-tools\@gnome.org>.
-_EOF_
-    exit;
-}
-
-## Sub for printing error messages
-sub error{
-    print STDERR "Try `${PROGRAM} --help' for more information.\n";
-    exit;
-}
-
-sub message {
-    print "Generating C format header file for translation.\n" unless $QUIET_ARG;
-}
-
-sub extract {
-    &determine_type;
-
-    &convert;
-
-    open OUT, ">$OUTFILE";
-    binmode (OUT) if $^O eq 'MSWin32';
-    &msg_write;
-    close OUT;
-
-    print "Wrote $OUTFILE\n" unless $QUIET_ARG;
-}
-
-sub convert {
-
-    ## Reading the file
-    {
-	local (*IN);
-	local $/; #slurp mode
-	open (IN, "<$SRCDIR_ARG/$FILE") || die "can't open $SRCDIR_ARG/$FILE: $!";
-	$input = <IN>;
-    }
-
-    &type_ini if $gettext_type eq "ini";
-    &type_keys if $gettext_type eq "keys";
-    &type_xml if $gettext_type eq "xml";
-    &type_glade if $gettext_type eq "glade";
-    &type_scheme if $gettext_type eq "scheme";
-    &type_schemas  if $gettext_type eq "schemas";
-    &type_rfc822deb  if $gettext_type eq "rfc822deb";
-    &type_quoted if $gettext_type eq "quoted";
-    &type_quotedxml if $gettext_type eq "quotedxml";
-}
-
-sub entity_decode_minimal
-{
-    local ($_) = @_;
-
-    s/&apos;/'/g; # '
-    s/&quot;/"/g; # "
-    s/&amp;/&/g;
-
-    return $_;
-}
-
-sub entity_decode
-{
-    local ($_) = @_;
-
-    s/&apos;/'/g; # '
-    s/&quot;/"/g; # "
-    s/&lt;/</g;
-    s/&gt;/>/g;
-    s/&amp;/&/g;
-
-    return $_;
-}
-
-sub escape_char
-{
-    return '\"' if $_ eq '"';
-    return '\n' if $_ eq "\n";
-    return '\\\\' if $_ eq '\\';
-
-    return $_;
-}
-
-sub escape
-{
-    my ($string) = @_;
-    return join "", map &escape_char, split //, $string;
-}
-
-sub type_ini {
-    ### For generic translatable desktop files ###
-    while ($input =~ /^(#(.+)\n)?^_.*=(.*)$/mg) {
-        if (defined($2))  {
-            $comments{$3} = $2;
-        }
-        $messages{$3} = [];
-    }
-}
-
-sub type_keys {
-    ### For generic translatable mime/keys files ###
-    while ($input =~ /^\s*_\w+=(.*)$/mg) {
-        $messages{$1} = [];
-    }
-}
-
-sub type_xml {
-    ### For generic translatable XML files ###
-    my $tree = readXml($input);
-    parseTree(0, $tree);
-}
-
-sub print_var {
-    my $var = shift;
-    my $vartype = ref $var;
-    
-    if ($vartype =~ /ARRAY/) {
-        my @arr = @{$var};
-        print "[ ";
-        foreach my $el (@arr) {
-            print_var($el);
-            print ", ";
-        }
-        print "] ";
-    } elsif ($vartype =~ /HASH/) {
-        my %hash = %{$var};
-        print "{ ";
-        foreach my $key (keys %hash) {
-            print "$key => ";
-            print_var($hash{$key});
-            print ", ";
-        }
-        print "} ";
-    } else {
-        print $var;
-    }
-}
-
-# Same syntax as getAttributeString in intltool-merge.in.in, similar logic (look for ## differences comment)
-sub getAttributeString
-{
-    my $sub = shift;
-    my $do_translate = shift || 1;
-    my $language = shift || "";
-    my $translate = shift;
-    my $result = "";
-    foreach my $e (reverse(sort(keys %{ $sub }))) {
-	my $key    = $e;
-	my $string = $sub->{$e};
-	my $quote = '"';
-	
-	$string =~ s/^[\s]+//;
-	$string =~ s/[\s]+$//;
-	
-	if ($string =~ /^'.*'$/)
-	{
-	    $quote = "'";
-	}
-	$string =~ s/^['"]//g;
-	$string =~ s/['"]$//g;
-
-        ## differences from intltool-merge.in.in
-	if ($key =~ /^_/) {
-            $comments{entity_decode($string)} = $XMLCOMMENT if $XMLCOMMENT;
-            $messages{entity_decode($string)} = [];
-            $$translate = 2;
-	}
-        ## differences end here from intltool-merge.in.in
-	$result .= " $key=$quote$string$quote";
-    }
-    return $result;
-}
-
-# Verbatim copy from intltool-merge.in.in
-sub getXMLstring
-{
-    my $ref = shift;
-    my $spacepreserve = shift || 0;
-    my @list = @{ $ref };
-    my $result = "";
-
-    my $count = scalar(@list);
-    my $attrs = $list[0];
-    my $index = 1;
-
-    $spacepreserve = 1 if ((exists $attrs->{"xml:space"}) && ($attrs->{"xml:space"} =~ /^["']?preserve["']?$/));
-    $spacepreserve = 0 if ((exists $attrs->{"xml:space"}) && ($attrs->{"xml:space"} =~ /^["']?default["']?$/));
-
-    while ($index < $count) {
-	my $type = $list[$index];
-	my $content = $list[$index+1];
-        if (! $type ) {
-	    # We've got CDATA
-	    if ($content) {
-		# lets strip the whitespace here, and *ONLY* here
-                $content =~ s/\s+/ /gs if (!$spacepreserve);
-		$result .= $content;
-	    }
-	} elsif ( "$type" ne "1" ) {
-	    # We've got another element
-	    $result .= "<$type";
-	    $result .= getAttributeString(@{$content}[0], 0); # no nested translatable elements
-	    if ($content) {
-		my $subresult = getXMLstring($content, $spacepreserve);
-		if ($subresult) {
-		    $result .= ">".$subresult . "</$type>";
-		} else {
-		    $result .= "/>";
-		}
-	    } else {
-		$result .= "/>";
-	    }
-	}
-	$index += 2;
-    }
-    return $result;
-}
-
-# Verbatim copy from intltool-merge.in.in, except for MULTIPLE_OUTPUT handling removed
-# Translate list of nodes if necessary
-sub translate_subnodes
-{
-    my $fh = shift;
-    my $content = shift;
-    my $language = shift || "";
-    my $singlelang = shift || 0;
-    my $spacepreserve = shift || 0;
-
-    my @nodes = @{ $content };
-
-    my $count = scalar(@nodes);
-    my $index = 0;
-    while ($index < $count) {
-        my $type = $nodes[$index];
-        my $rest = $nodes[$index+1];
-        traverse($fh, $type, $rest, $language, $spacepreserve);
-        $index += 2;
-    }
-}
-
-# Based on traverse() in intltool-merge.in.in
-sub traverse
-{
-    my $fh = shift; # unused, to allow us to sync code between -merge and -extract
-    my $nodename = shift;
-    my $content = shift;
-    my $language = shift || "";
-    my $spacepreserve = shift || 0;
-
-    if ($nodename && "$nodename" eq "1") {
-        $XMLCOMMENT = $content;
-    } elsif ($nodename) {
-	# element
-	my @all = @{ $content };
-	my $attrs = shift @all;
-	my $translate = 0;
-	my $outattr = getAttributeString($attrs, 1, $language, \$translate);
-
-	if ($nodename =~ /^_/) {
-	    $translate = 1;
-	    $nodename =~ s/^_//;
-	}
-	my $lookup = '';
-
-        $spacepreserve = 0 if ((exists $attrs->{"xml:space"}) && ($attrs->{"xml:space"} =~ /^["']?default["']?$/));
-        $spacepreserve = 1 if ((exists $attrs->{"xml:space"}) && ($attrs->{"xml:space"} =~ /^["']?preserve["']?$/));
-
-	if ($translate) {
-	    $lookup = getXMLstring($content, $spacepreserve);
-            if (!$spacepreserve) {
-                $lookup =~ s/^\s+//s;
-                $lookup =~ s/\s+$//s;
-            }
-
-	    if ($lookup && $translate != 2) {
-                $comments{$lookup} = $XMLCOMMENT if $XMLCOMMENT;
-                $messages{$lookup} = [];
-            } elsif ($translate == 2) {
-                translate_subnodes($fh, \@all, $language, 1, $spacepreserve);
-	    }
-	} else {
-            $XMLCOMMENT = "";
-	    my $count = scalar(@all);
-	    if ($count > 0) {
-                my $index = 0;
-                while ($index < $count) {
-                    my $type = $all[$index];
-                    my $rest = $all[$index+1];
-                    traverse($fh, $type, $rest, $language, $spacepreserve);
-                    $index += 2;
-                }
-	    }
-	}
-        $XMLCOMMENT = "";
-    }
-}
-
-
-# Verbatim copy from intltool-merge.in.in, $fh for compatibility
-sub parseTree
-{
-    my $fh        = shift;
-    my $ref       = shift;
-    my $language  = shift || "";
-
-    my $name = shift @{ $ref };
-    my $cont = shift @{ $ref };
-
-    while (!$name || "$name" eq "1") {
-        $name = shift @{ $ref };
-        $cont = shift @{ $ref };
-    }
-
-    my $spacepreserve = 0;
-    my $attrs = @{$cont}[0];
-    $spacepreserve = 1 if ((exists $attrs->{"xml:space"}) && ($attrs->{"xml:space"} =~ /^["']?preserve["']?$/));
-
-    traverse($fh, $name, $cont, $language, $spacepreserve);
-}
-
-# Verbatim copy from intltool-merge.in.in
-sub intltool_tree_comment
-{
-    my $expat = shift;
-    my $data  = $expat->original_string();
-    my $clist = $expat->{Curlist};
-    my $pos   = $#$clist;
-
-    $data =~ s/^<!--//s;
-    $data =~ s/-->$//s;
-    push @$clist, 1 => $data;
-}
-
-# Verbatim copy from intltool-merge.in.in
-sub intltool_tree_cdatastart
-{
-    my $expat    = shift;
-    my $clist = $expat->{Curlist};
-    my $pos   = $#$clist;
-
-    push @$clist, 0 => $expat->original_string();
-}
-
-# Verbatim copy from intltool-merge.in.in
-sub intltool_tree_cdataend
-{
-    my $expat    = shift;
-    my $clist = $expat->{Curlist};
-    my $pos   = $#$clist;
-
-    $clist->[$pos] .= $expat->original_string();
-}
-
-# Verbatim copy from intltool-merge.in.in
-sub intltool_tree_char
-{
-    my $expat = shift;
-    my $text  = shift;
-    my $clist = $expat->{Curlist};
-    my $pos   = $#$clist;
-
-    # Use original_string so that we retain escaped entities
-    # in CDATA sections.
-    #
-    if ($pos > 0 and $clist->[$pos - 1] eq '0') {
-        $clist->[$pos] .= $expat->original_string();
-    } else {
-        push @$clist, 0 => $expat->original_string();
-    }
-}
-
-# Verbatim copy from intltool-merge.in.in
-sub intltool_tree_start
-{
-    my $expat    = shift;
-    my $tag      = shift;
-    my @origlist = ();
-
-    # Use original_string so that we retain escaped entities
-    # in attribute values.  We must convert the string to an
-    # @origlist array to conform to the structure of the Tree
-    # Style.
-    #
-    my @original_array = split /\x/, $expat->original_string();
-    my $source         = $expat->original_string();
-
-    # Remove leading tag.
-    #
-    $source =~ s|^\s*<\s*(\S+)||s;
-
-    # Grab attribute key/value pairs and push onto @origlist array.
-    #
-    while ($source)
-    {
-       if ($source =~ /^\s*([\w:-]+)\s*[=]\s*["]/)
-       {
-           $source =~ s|^\s*([\w:-]+)\s*[=]\s*["]([^"]*)["]||s;
-           push @origlist, $1;
-           push @origlist, '"' . $2 . '"';
-       }
-       elsif ($source =~ /^\s*([\w:-]+)\s*[=]\s*[']/)
-       {
-           $source =~ s|^\s*([\w:-]+)\s*[=]\s*[']([^']*)[']||s;
-           push @origlist, $1;
-           push @origlist, "'" . $2 . "'";
-       }
-       else
-       {
-           last;
-       }
-    }
-
-    my $ol = [ { @origlist } ];
-
-    push @{ $expat->{Lists} }, $expat->{Curlist};
-    push @{ $expat->{Curlist} }, $tag => $ol;
-    $expat->{Curlist} = $ol;
-}
-
-# Copied from intltool-merge.in.in and added comment handler.
-sub readXml
-{
-    my $xmldoc = shift || return;
-    my $ret = eval 'require XML::Parser';
-    if(!$ret) {
-        die "You must have XML::Parser installed to run $0\n\n";
-    }
-    my $xp = new XML::Parser(Style => 'Tree');
-    $xp->setHandlers(Char => \&intltool_tree_char);
-    $xp->setHandlers(Start => \&intltool_tree_start);
-    $xp->setHandlers(CdataStart => \&intltool_tree_cdatastart);
-    $xp->setHandlers(CdataEnd => \&intltool_tree_cdataend);
-
-    ## differences from intltool-merge.in.in
-    $xp->setHandlers(Comment => \&intltool_tree_comment);
-    ## differences end here from intltool-merge.in.in
-
-    my $tree = $xp->parse($xmldoc);
-    #print_var($tree);
-
-# <foo><!-- comment --><head id="a">Hello <em>there</em></head><bar>Howdy<ref/></bar>do</foo>
-# would be:
-# [foo, [{}, 1, "comment", head, [{id => "a"}, 0, "Hello ",  em, [{}, 0, "there"]], bar, 
-# [{}, 0, "Howdy",  ref, [{}]], 0, "do" ] ]
-
-    return $tree;
-}
-
-sub type_schemas {
-    ### For schemas XML files ###
-         
-    # FIXME: We should handle escaped < (less than)
-    while ($input =~ /
-                      <locale\ name="C">\s*
-                          (<default>\s*(?:<!--([^>]*?)-->\s*)?(.*?)\s*<\/default>\s*)?
-                          (<short>\s*(?:<!--([^>]*?)-->\s*)?(.*?)\s*<\/short>\s*)?
-                          (<long>\s*(?:<!--([^>]*?)-->\s*)?(.*?)\s*<\/long>\s*)?
-                      <\/locale>
-                     /sgx) {
-        my @totranslate = ($3,$6,$9);
-        my @eachcomment = ($2,$5,$8);
-        foreach (@totranslate) {
-            my $currentcomment = shift @eachcomment;
-            next if !$_;
-            s/\s+/ /g;
-            $messages{entity_decode_minimal($_)} = [];
-            $comments{entity_decode_minimal($_)} = $currentcomment if (defined($currentcomment));
-        }
-    }
-}
-
-sub type_rfc822deb {
-    ### For rfc822-style Debian configuration files ###
-
-    my $lineno = 1;
-    my $type = '';
-    while ($input =~ /\G(.*?)(^|\n)(_+)([^:]+):[ \t]*(.*?)(?=\n\S|$)/sg)
-    {
-        my ($pre, $newline, $underscore, $tag, $text) = ($1, $2, $3, $4, $5);
-        while ($pre =~ m/\n/g)
-        {
-            $lineno ++;
-        }
-        $lineno += length($newline);
-        my @str_list = rfc822deb_split(length($underscore), $text);
-        for my $str (@str_list)
-        {
-            $strcount++;
-            $messages{$str} = [];
-            $loc{$str} = $lineno;
-            $count{$str} = $strcount;
-            my $usercomment = '';
-            while($pre =~ s/(^|\n)#([^\n]*)$//s)
-            {
-                $usercomment = "\n" . $2 . $usercomment;
-            }
-            $comments{$str} = $tag . $usercomment;
-        }
-        $lineno += ($text =~ s/\n//g);
-    }
-}
-
-sub rfc822deb_split {
-    # Debian defines a special way to deal with rfc822-style files:
-    # when a value contain newlines, it consists of
-    #   1.  a short form (first line)
-    #   2.  a long description, all lines begin with a space,
-    #       and paragraphs are separated by a single dot on a line
-    # This routine returns an array of all paragraphs, and reformat
-    # them.
-    # When first argument is 2, the string is a comma separated list of
-    # values.
-    my $type = shift;
-    my $text = shift;
-    $text =~ s/^[ \t]//mg;
-    return (split(/, */, $text, 0)) if $type ne 1;
-    return ($text) if $text !~ /\n/;
-
-    $text =~ s/([^\n]*)\n//;
-    my @list = ($1);
-    my $str = '';
-    for my $line (split (/\n/, $text))
-    {
-        chomp $line;
-        if ($line =~ /^\.\s*$/)
-        {
-            #  New paragraph
-            $str =~ s/\s*$//;
-            push(@list, $str);
-            $str = '';
-        }
-        elsif ($line =~ /^\s/)
-        {
-            #  Line which must not be reformatted
-            $str .= "\n" if length ($str) && $str !~ /\n$/;
-            $line =~ s/\s+$//;
-            $str .= $line."\n";
-        }
-        else
-        {
-            #  Continuation line, remove newline
-            $str .= " " if length ($str) && $str !~ /\n$/;
-            $str .= $line;
-        }
-    }
-    $str =~ s/\s*$//;
-    push(@list, $str) if length ($str);
-    return @list;
-}
-
-sub type_quoted {
-    while ($input =~ /\"(([^\"]|\\\")*[^\\\"])\"/g) {
-        my $message = $1;
-        my $before = $`;
-        $message =~ s/\\\"/\"/g;
-        $before =~ s/[^\n]//g;
-        $messages{$message} = [];
-        $loc{$message} = length ($before) + 2;
-    }
-}
-
-sub type_quotedxml {
-    while ($input =~ /\"(([^\"]|\\\")*[^\\\"])\"/g) {
-        my $message = $1;
-        my $before = $`;
-        $message =~ s/\\\"/\"/g;
-        $message = entity_decode($message);
-        $before =~ s/[^\n]//g;
-        $messages{$message} = [];
-        $loc{$message} = length ($before) + 2;
-    }
-}
-
-sub type_glade {
-    ### For translatable Glade XML files ###
-
-    my $tags = "label|title|text|format|copyright|comments|preview_text|tooltip|message";
-
-    while ($input =~ /<($tags)>([^<]+)<\/($tags)>/sg) {
-	# Glade sometimes uses tags that normally mark translatable things for
-        # little bits of non-translatable content. We work around this by not
-        # translating strings that only includes something like label4 or window1.
-	$messages{entity_decode($2)} = [] unless $2 =~ /^(window|label|dialog)[0-9]+$/;
-    }
-    
-    while ($input =~ /<items>(..[^<]*)<\/items>/sg) {
-	for my $item (split (/\n/, $1)) {
-	    $messages{entity_decode($item)} = [];
-	}
-    }
-
-    ## handle new glade files
-    while ($input =~ /<(property|atkproperty|col)\s+[^>]*translatable\s*=\s*"yes"(?:\s+[^>]*comments\s*=\s*"([^"]*)")?[^>]*>([^<]+)<\/\1>/sg) {
-	$messages{entity_decode($3)} = [] unless $3 =~ /^(window|label)[0-9]+$/;
-        if (defined($2) and !($3 =~ /^(window|label)[0-9]+$/)) {
-	   $comments{entity_decode($3)} = entity_decode($2) ;
-        }
-    }
-    while ($input =~ /<atkaction\s+action_name="([^>]*)"\s+description="([^>]+)"\/>/sg) {
-        $messages{entity_decode_minimal($2)} = [];
-    }
-}
-
-sub type_scheme {
-    my ($line, $i, $state, $str, $trcomment, $char);
-    for $line (split(/\n/, $input)) {
-        $i = 0;
-        $state = 0; # 0 - nothing, 1 - string, 2 - translatable string
-        while ($i < length($line)) {
-            if (substr($line,$i,1) eq "\"") {
-                if ($state == 2) {
-                    $comments{$str} = $trcomment if ($trcomment);
-                    $messages{$str} = [];
-                    $str = '';
-                    $state = 0; $trcomment = "";
-                } elsif ($state == 1) {
-                    $str = '';
-                    $state = 0; $trcomment = "";
-                } else {
-                    $state = 1;
-                    $str = '';
-                    if ($i>0 && substr($line,$i-1,1) eq '_') {
-                        $state = 2;
-                    }
-                }
-            } elsif (!$state) {
-                if (substr($line,$i,1) eq ";") {
-                    $trcomment = substr($line,$i+1);
-                    $trcomment =~ s/^;*\s*//;
-                    $i = length($line);
-                } elsif ($trcomment && substr($line,$i,1) !~ /\s|\(|\)|_/) {
-                    $trcomment = "";
-                }
-            } else {
-                if (substr($line,$i,1) eq "\\") {
-                    $char = substr($line,$i+1,1);
-                    if ($char ne "\"" && $char ne "\\") {
-                       $str = $str . "\\";
-                    }
-                    $i++;
-                }
-                $str = $str . substr($line,$i,1);
-            }
-            $i++;
-        }
-    }
-}
-
-sub msg_write {
-    my @msgids;
-    if (%count)
-    {
-        @msgids = sort { $count{$a} <=> $count{$b} } keys %count;
-    }
-    else
-    {
-        @msgids = sort keys %messages;
-    }
-    for my $message (@msgids)
-    {
-	my $offsetlines = 1;
-	$offsetlines++ if $message =~ /%/;
-	if (defined ($comments{$message}))
-	{
-		while ($comments{$message} =~ m/\n/g)
-		{
-		    $offsetlines++;
-		}
-	}
-	print OUT "# ".($loc{$message} - $offsetlines).  " \"$FILE\"\n"
-	        if defined $loc{$message};
-   	print OUT "/* ".$comments{$message}." */\n"
-                if defined $comments{$message};
-   	print OUT "/* xgettext:no-c-format */\n" if $message =~ /%/;
-        
-    	my @lines = split (/\n/, $message, -1);
-    	for (my $n = 0; $n < @lines; $n++)
-	{
-            if ($n == 0)
-            {
- 		print OUT "char *s = N_(\""; 
-            }
-            else
-            {  
-                print OUT "             \""; 
-            }
-
-            print OUT escape($lines[$n]);
-
-            if ($n < @lines - 1)
-            {
-                print OUT "\\n\"\n"; 
-            }
-            else
-            {
-                print OUT "\");\n";  
-	    }
-        }
-    }
-}
-
diff --git a/src/charon/plugins/nm/gnome/intltool-merge.in b/src/charon/plugins/nm/gnome/intltool-merge.in
deleted file mode 100644
index 60c3f3e29..000000000
--- a/src/charon/plugins/nm/gnome/intltool-merge.in
+++ /dev/null
@@ -1,1506 +0,0 @@
-#!@INTLTOOL_PERL@ -w
-# -*- Mode: perl; indent-tabs-mode: nil; c-basic-offset: 4  -*-
-
-#
-#  The Intltool Message Merger
-#
-#  Copyright (C) 2000, 2003 Free Software Foundation.
-#  Copyright (C) 2000, 2001 Eazel, Inc
-#
-#  Intltool is free software; you can redistribute it and/or
-#  modify it under the terms of the GNU General Public License 
-#  version 2 published by the Free Software Foundation.
-#
-#  Intltool is distributed in the hope that it will be useful,
-#  but WITHOUT ANY WARRANTY; without even the implied warranty of
-#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-#  General Public License for more details.
-#
-#  You should have received a copy of the GNU General Public License
-#  along with this program; if not, write to the Free Software
-#  Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-#
-#  As a special exception to the GNU General Public License, if you
-#  distribute this file as part of a program that contains a
-#  configuration script generated by Autoconf, you may include it under
-#  the same distribution terms that you use for the rest of that program.
-#
-#  Authors:  Maciej Stachowiak <mjs@noisehavoc.org>
-#            Kenneth Christiansen <kenneth@gnu.org>
-#            Darin Adler <darin@bentspoon.com>
-#
-#  Proper XML UTF-8'ification written by Cyrille Chepelov <chepelov@calixo.net>
-#
-
-## Release information
-my $PROGRAM = "intltool-merge";
-my $PACKAGE = "intltool";
-my $VERSION = "0.37.1";
-
-## Loaded modules
-use strict; 
-use Getopt::Long;
-use Text::Wrap;
-use File::Basename;
-
-my $must_end_tag      = -1;
-my $last_depth        = -1;
-my $translation_depth = -1;
-my @tag_stack = ();
-my @entered_tag = ();
-my @translation_strings = ();
-my $leading_space = "";
-
-## Scalars used by the option stuff
-my $HELP_ARG = 0;
-my $VERSION_ARG = 0;
-my $BA_STYLE_ARG = 0;
-my $XML_STYLE_ARG = 0;
-my $KEYS_STYLE_ARG = 0;
-my $DESKTOP_STYLE_ARG = 0;
-my $SCHEMAS_STYLE_ARG = 0;
-my $RFC822DEB_STYLE_ARG = 0;
-my $QUOTED_STYLE_ARG = 0;
-my $QUOTEDXML_STYLE_ARG = 0;
-my $QUIET_ARG = 0;
-my $PASS_THROUGH_ARG = 0;
-my $UTF8_ARG = 0;
-my $MULTIPLE_OUTPUT = 0;
-my $cache_file;
-
-## Handle options
-GetOptions 
-(
- "help" => \$HELP_ARG,
- "version" => \$VERSION_ARG,
- "quiet|q" => \$QUIET_ARG,
- "oaf-style|o" => \$BA_STYLE_ARG, ## for compatibility
- "ba-style|b" => \$BA_STYLE_ARG,
- "xml-style|x" => \$XML_STYLE_ARG,
- "keys-style|k" => \$KEYS_STYLE_ARG,
- "desktop-style|d" => \$DESKTOP_STYLE_ARG,
- "schemas-style|s" => \$SCHEMAS_STYLE_ARG,
- "rfc822deb-style|r" => \$RFC822DEB_STYLE_ARG,
- "quoted-style" => \$QUOTED_STYLE_ARG,
- "quotedxml-style" => \$QUOTEDXML_STYLE_ARG,
- "pass-through|p" => \$PASS_THROUGH_ARG,
- "utf8|u" => \$UTF8_ARG,
- "multiple-output|m" => \$MULTIPLE_OUTPUT,
- "cache|c=s" => \$cache_file
- ) or &error;
-
-my $PO_DIR;
-my $FILE;
-my $OUTFILE;
-
-my %po_files_by_lang = ();
-my %translations = ();
-my $iconv = $ENV{"ICONV"} || "iconv";
-my $devnull = ($^O eq 'MSWin32' ? 'NUL:' : '/dev/null');
-
-sub isProgramInPath
-{
-    my ($file) = @_;
-    # If either a file exists, or when run it returns 0 exit status
-    return 1 if ((-x $file) or (system("$file -l >$devnull") == 0));
-    return 0;
-}
-
-if (! isProgramInPath ("$iconv"))
-{
-	print STDERR " *** iconv is not found on this system!\n".
-		     " *** Without it, intltool-merge can not convert encodings.\n";
-	exit;
-}
-
-# Use this instead of \w for XML files to handle more possible characters.
-my $w = "[-A-Za-z0-9._:]";
-
-# XML quoted string contents
-my $q = "[^\\\"]*";
-
-## Check for options. 
-
-if ($VERSION_ARG) 
-{
-	&print_version;
-} 
-elsif ($HELP_ARG) 
-{
-	&print_help;
-} 
-elsif ($BA_STYLE_ARG && @ARGV > 2) 
-{
-	&utf8_sanity_check;
-	&preparation;
-	&print_message;
-	&ba_merge_translations;
-	&finalize;
-} 
-elsif ($XML_STYLE_ARG && @ARGV > 2) 
-{
-	&utf8_sanity_check;
-	&preparation;
-	&print_message;
-	&xml_merge_output;
-	&finalize;
-} 
-elsif ($KEYS_STYLE_ARG && @ARGV > 2) 
-{
-	&utf8_sanity_check;
-	&preparation;
-	&print_message;
-        &keys_merge_translations;
-	&finalize;
-} 
-elsif ($DESKTOP_STYLE_ARG && @ARGV > 2) 
-{
-	&utf8_sanity_check;
-	&preparation;
-	&print_message;
-	&desktop_merge_translations;
-	&finalize;
-} 
-elsif ($SCHEMAS_STYLE_ARG && @ARGV > 2) 
-{
-	&utf8_sanity_check;
-	&preparation;
-	&print_message;
-	&schemas_merge_translations;
-	&finalize;
-} 
-elsif ($RFC822DEB_STYLE_ARG && @ARGV > 2) 
-{
-	&preparation;
-	&print_message;
-	&rfc822deb_merge_translations;
-	&finalize;
-} 
-elsif (($QUOTED_STYLE_ARG || $QUOTEDXML_STYLE_ARG) && @ARGV > 2)
-{
-	&utf8_sanity_check;
-	&preparation;
-	&print_message;
-	&quoted_merge_translations($QUOTEDXML_STYLE_ARG);
-	&finalize;
-} 
-else 
-{
-	&print_help;
-}
-
-exit;
-
-## Sub for printing release information
-sub print_version
-{
-    print <<_EOF_;
-${PROGRAM} (${PACKAGE}) ${VERSION}
-Written by Maciej Stachowiak, Darin Adler and Kenneth Christiansen.
-
-Copyright (C) 2000-2003 Free Software Foundation, Inc.
-Copyright (C) 2000-2001 Eazel, Inc.
-This is free software; see the source for copying conditions.  There is NO
-warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
-_EOF_
-    exit;
-}
-
-## Sub for printing usage information
-sub print_help
-{
-    print <<_EOF_;
-Usage: ${PROGRAM} [OPTION]... PO_DIRECTORY FILENAME OUTPUT_FILE
-Generates an output file that includes some localized attributes from an
-untranslated source file.
-
-Mandatory options: (exactly one must be specified)
-  -b, --ba-style         includes translations in the bonobo-activation style
-  -d, --desktop-style    includes translations in the desktop style
-  -k, --keys-style       includes translations in the keys style
-  -s, --schemas-style    includes translations in the schemas style
-  -r, --rfc822deb-style  includes translations in the RFC822 style
-      --quoted-style     includes translations in the quoted string style
-      --quotedxml-style  includes translations in the quoted xml string style
-  -x, --xml-style        includes translations in the standard xml style
-
-Other options:
-  -u, --utf8             convert all strings to UTF-8 before merging 
-                         (default for everything except RFC822 style)
-  -p, --pass-through     deprecated, does nothing and issues a warning
-  -m, --multiple-output  output one localized file per locale, instead of 
-	                 a single file containing all localized elements
-  -c, --cache=FILE       specify cache file name
-                         (usually \$top_builddir/po/.intltool-merge-cache)
-  -q, --quiet            suppress most messages
-      --help             display this help and exit
-      --version          output version information and exit
-
-Report bugs to http://bugzilla.gnome.org/ (product name "$PACKAGE")
-or send email to <xml-i18n-tools\@gnome.org>.
-_EOF_
-    exit;
-}
-
-
-## Sub for printing error messages
-sub print_error
-{
-    print STDERR "Try `${PROGRAM} --help' for more information.\n";
-    exit;
-}
-
-
-sub print_message 
-{
-    print "Merging translations into $OUTFILE.\n" unless $QUIET_ARG;
-}
-
-
-sub preparation 
-{
-    $PO_DIR = $ARGV[0];
-    $FILE = $ARGV[1];
-    $OUTFILE = $ARGV[2];
-
-    &gather_po_files;
-    &get_translation_database;
-}
-
-# General-purpose code for looking up translations in .po files
-
-sub po_file2lang
-{
-    my ($tmp) = @_; 
-    $tmp =~ s/^.*\/(.*)\.po$/$1/; 
-    return $tmp; 
-}
-
-sub gather_po_files
-{
-    if (my $linguas = $ENV{"LINGUAS"})
-    {
-        for my $lang (split / /, $linguas) {
-            my $po_file = $PO_DIR . "/" . $lang . ".po";
-            if (-e $po_file) {
-                $po_files_by_lang{$lang} = $po_file;
-            }
-        }
-    }
-    else
-    {
-        if (open LINGUAS_FILE, "$PO_DIR/LINGUAS")
-        {
-            while (<LINGUAS_FILE>)
-            {
-                next if /^#/;
-
-                for my $lang (split)
-                {
-                    chomp ($lang);
-                    my $po_file = $PO_DIR . "/" . $lang . ".po";
-                    if (-e $po_file) {
-                        $po_files_by_lang{$lang} = $po_file;
-                    }
-                }
-            }
-
-            close LINGUAS_FILE;
-        }
-        else
-        {
-            for my $po_file (glob "$PO_DIR/*.po") {
-                $po_files_by_lang{po_file2lang($po_file)} = $po_file;
-            }
-        }
-    }
-}
-
-sub get_local_charset
-{
-    my ($encoding) = @_;
-    my $alias_file = $ENV{"G_CHARSET_ALIAS"} || "@INTLTOOL_LIBDIR@/charset.alias";
-
-    # seek character encoding aliases in charset.alias (glib)
-
-    if (open CHARSET_ALIAS, $alias_file) 
-    {
-	while (<CHARSET_ALIAS>) 
-        {
-            next if /^\#/;
-            return $1 if (/^\s*([-._a-zA-Z0-9]+)\s+$encoding\b/i)
-        }
-
-        close CHARSET_ALIAS;
-    }
-
-    # if not found, return input string
-
-    return $encoding;
-}
-
-sub get_po_encoding
-{
-    my ($in_po_file) = @_;
-    my $encoding = "";
-
-    open IN_PO_FILE, $in_po_file or die;
-    while (<IN_PO_FILE>) 
-    {
-        ## example: "Content-Type: text/plain; charset=ISO-8859-1\n"
-        if (/Content-Type\:.*charset=([-a-zA-Z0-9]+)\\n/) 
-        {
-            $encoding = $1; 
-            last;
-        }
-    }
-    close IN_PO_FILE;
-
-    if (!$encoding) 
-    {
-        print STDERR "Warning: no encoding found in $in_po_file. Assuming ISO-8859-1\n" unless $QUIET_ARG;
-        $encoding = "ISO-8859-1";
-    }
-
-    system ("$iconv -f $encoding -t UTF-8 <$devnull 2>$devnull");
-    if ($?) {
-	$encoding = get_local_charset($encoding);
-    }
-
-    return $encoding
-}
-
-sub utf8_sanity_check 
-{
-    print STDERR "Warning: option --pass-through has been removed.\n" if $PASS_THROUGH_ARG;
-    $UTF8_ARG = 1;
-}
-
-sub get_translation_database
-{
-    if ($cache_file) {
-	&get_cached_translation_database;
-    } else {
-        &create_translation_database;
-    }
-}
-
-sub get_newest_po_age
-{
-    my $newest_age;
-
-    foreach my $file (values %po_files_by_lang) 
-    {
-	my $file_age = -M $file;
-	$newest_age = $file_age if !$newest_age || $file_age < $newest_age;
-    }
-
-    $newest_age = 0 if !$newest_age;
-
-    return $newest_age;
-}
-
-sub create_cache
-{
-    print "Generating and caching the translation database\n" unless $QUIET_ARG;
-
-    &create_translation_database;
-
-    open CACHE, ">$cache_file" || die;
-    print CACHE join "\x01", %translations;
-    close CACHE;
-}
-
-sub load_cache 
-{
-    print "Found cached translation database\n" unless $QUIET_ARG;
-
-    my $contents;
-    open CACHE, "<$cache_file" || die;
-    {
-        local $/;
-        $contents = <CACHE>;
-    }
-    close CACHE;
-    %translations = split "\x01", $contents;
-}
-
-sub get_cached_translation_database
-{
-    my $cache_file_age = -M $cache_file;
-    if (defined $cache_file_age) 
-    {
-        if ($cache_file_age <= &get_newest_po_age) 
-        {
-            &load_cache;
-            return;
-        }
-        print "Found too-old cached translation database\n" unless $QUIET_ARG;
-    }
-
-    &create_cache;
-}
-
-sub create_translation_database
-{
-    for my $lang (keys %po_files_by_lang) 
-    {
-    	my $po_file = $po_files_by_lang{$lang};
-
-        if ($UTF8_ARG) 
-        {
-            my $encoding = get_po_encoding ($po_file);
-
-            if (lc $encoding eq "utf-8") 
-            {
-                open PO_FILE, "<$po_file";	
-            } 
-            else 
-            {
-		print "NOTICE: $po_file is not in UTF-8 but $encoding, converting...\n" unless $QUIET_ARG;;
-
-                open PO_FILE, "$iconv -f $encoding -t UTF-8 $po_file|";	
-            }
-        } 
-        else 
-        {
-            open PO_FILE, "<$po_file";	
-        }
-
-	my $nextfuzzy = 0;
-	my $inmsgid = 0;
-	my $inmsgstr = 0;
-	my $msgid = "";
-	my $msgstr = "";
-
-        while (<PO_FILE>) 
-        {
-	    $nextfuzzy = 1 if /^#, fuzzy/;
-       
-	    if (/^msgid "((\\.|[^\\]+)*)"/ ) 
-            {
-		$translations{$lang, $msgid} = $msgstr if $inmsgstr && $msgid && $msgstr;
-		$msgid = "";
-		$msgstr = "";
-
-		if ($nextfuzzy) {
-		    $inmsgid = 0;
-		} else {
-		    $msgid = unescape_po_string($1);
-		    $inmsgid = 1;
-		}
-		$inmsgstr = 0;
-		$nextfuzzy = 0;
-	    }
-
-	    if (/^msgstr "((\\.|[^\\]+)*)"/) 
-            {
-	        $msgstr = unescape_po_string($1);
-		$inmsgstr = 1;
-		$inmsgid = 0;
-	    }
-
-	    if (/^"((\\.|[^\\]+)*)"/) 
-            {
-	        $msgid .= unescape_po_string($1) if $inmsgid;
-	        $msgstr .= unescape_po_string($1) if $inmsgstr;
-	    }
-	}
-	$translations{$lang, $msgid} = $msgstr if $inmsgstr && $msgid && $msgstr;
-    }
-}
-
-sub finalize
-{
-}
-
-sub unescape_one_sequence
-{
-    my ($sequence) = @_;
-
-    return "\\" if $sequence eq "\\\\";
-    return "\"" if $sequence eq "\\\"";
-    return "\n" if $sequence eq "\\n";
-    return "\r" if $sequence eq "\\r";
-    return "\t" if $sequence eq "\\t";
-    return "\b" if $sequence eq "\\b";
-    return "\f" if $sequence eq "\\f";
-    return "\a" if $sequence eq "\\a";
-    return chr(11) if $sequence eq "\\v"; # vertical tab, see ascii(7)
-
-    return chr(hex($1)) if ($sequence =~ /\\x([0-9a-fA-F]{2})/);
-    return chr(oct($1)) if ($sequence =~ /\\([0-7]{3})/);
-
-    # FIXME: Is \0 supported as well? Kenneth and Rodney don't want it, see bug #48489
-
-    return $sequence;
-}
-
-sub unescape_po_string
-{
-    my ($string) = @_;
-
-    $string =~ s/(\\x[0-9a-fA-F]{2}|\\[0-7]{3}|\\.)/unescape_one_sequence($1)/eg;
-
-    return $string;
-}
-
-sub entity_decode
-{
-    local ($_) = @_;
-
-    s/&apos;/'/g; # '
-    s/&quot;/"/g; # "
-    s/&lt;/</g;
-    s/&gt;/>/g;
-    s/&amp;/&/g;
-
-    return $_;
-}
- 
-# entity_encode: (string)
-#
-# Encode the given string to XML format (encode '<' etc).
-
-sub entity_encode
-{
-    my ($pre_encoded) = @_;
-
-    my @list_of_chars = unpack ('C*', $pre_encoded);
-
-    # with UTF-8 we only encode minimalistic
-    return join ('', map (&entity_encode_int_minimalist, @list_of_chars));
-}
-
-sub entity_encode_int_minimalist
-{
-    return "&quot;" if $_ == 34;
-    return "&amp;" if $_ == 38;
-    return "&apos;" if $_ == 39;
-    return "&lt;" if $_ == 60;
-    return "&gt;" if $_ == 62;
-    return chr $_;
-}
-
-sub entity_encoded_translation
-{
-    my ($lang, $string) = @_;
-
-    my $translation = $translations{$lang, $string};
-    return $string if !$translation;
-    return entity_encode ($translation);
-}
-
-## XML (bonobo-activation specific) merge code
-
-sub ba_merge_translations
-{
-    my $source;
-
-    {
-       local $/; # slurp mode
-       open INPUT, "<$FILE" or die "can't open $FILE: $!";
-       $source = <INPUT>;
-       close INPUT;
-    }
-
-    open OUTPUT, ">$OUTFILE" or die "can't open $OUTFILE: $!";
-    # Binmode so that selftest works ok if using a native Win32 Perl...
-    binmode (OUTPUT) if $^O eq 'MSWin32';
-
-    while ($source =~ s|^(.*?)([ \t]*<\s*$w+\s+($w+\s*=\s*"$q"\s*)+/?>)([ \t]*\n)?||s) 
-    {
-        print OUTPUT $1;
-
-        my $node = $2 . "\n";
-
-        my @strings = ();
-        $_ = $node;
-	while (s/(\s)_($w+\s*=\s*"($q)")/$1$2/s) {
-             push @strings, entity_decode($3);
-        }
-	print OUTPUT;
-
-	my %langs;
-	for my $string (@strings) 
-        {
-	    for my $lang (keys %po_files_by_lang) 
-            {
-                $langs{$lang} = 1 if $translations{$lang, $string};
-	    }
-	}
-	
-	for my $lang (sort keys %langs) 
-        {
-	    $_ = $node;
-	    s/(\sname\s*=\s*)"($q)"/$1"$2-$lang"/s;
-	    s/(\s)_($w+\s*=\s*")($q)"/$1 . $2 . entity_encoded_translation($lang, $3) . '"'/seg;
-	    print OUTPUT;
-        }
-    }
-
-    print OUTPUT $source;
-
-    close OUTPUT;
-}
-
-
-## XML (non-bonobo-activation) merge code
-
-
-# Process tag attributes
-#   Only parameter is a HASH containing attributes -> values mapping
-sub getAttributeString
-{
-    my $sub = shift;
-    my $do_translate = shift || 0;
-    my $language = shift || "";
-    my $result = "";
-    my $translate = shift;
-    foreach my $e (reverse(sort(keys %{ $sub }))) {
-	my $key    = $e;
-	my $string = $sub->{$e};
-	my $quote = '"';
-	
-	$string =~ s/^[\s]+//;
-	$string =~ s/[\s]+$//;
-	
-	if ($string =~ /^'.*'$/)
-	{
-	    $quote = "'";
-	}
-	$string =~ s/^['"]//g;
-	$string =~ s/['"]$//g;
-
-	if ($do_translate && $key =~ /^_/) {
-	    $key =~ s|^_||g;
-	    if ($language) {
-		# Handle translation
-		my $decode_string = entity_decode($string);
-		my $translation = $translations{$language, $decode_string};
-		if ($translation) {
-		    $translation = entity_encode($translation);
-		    $string = $translation;
-                }
-                $$translate = 2;
-            } else {
-                 $$translate = 2 if ($translate && (!$$translate)); # watch not to "overwrite" $translate
-            }
-	}
-	
-	$result .= " $key=$quote$string$quote";
-    }
-    return $result;
-}
-
-# Returns a translatable string from XML node, it works on contents of every node in XML::Parser tree
-sub getXMLstring
-{
-    my $ref = shift;
-    my $spacepreserve = shift || 0;
-    my @list = @{ $ref };
-    my $result = "";
-
-    my $count = scalar(@list);
-    my $attrs = $list[0];
-    my $index = 1;
-
-    $spacepreserve = 1 if ((exists $attrs->{"xml:space"}) && ($attrs->{"xml:space"} =~ /^["']?preserve["']?$/));
-    $spacepreserve = 0 if ((exists $attrs->{"xml:space"}) && ($attrs->{"xml:space"} =~ /^["']?default["']?$/));
-
-    while ($index < $count) {
-	my $type = $list[$index];
-	my $content = $list[$index+1];
-        if (! $type ) {
-	    # We've got CDATA
-	    if ($content) {
-		# lets strip the whitespace here, and *ONLY* here
-                $content =~ s/\s+/ /gs if (!$spacepreserve);
-		$result .= $content;
-	    }
-	} elsif ( "$type" ne "1" ) {
-	    # We've got another element
-	    $result .= "<$type";
-	    $result .= getAttributeString(@{$content}[0], 0); # no nested translatable elements
-	    if ($content) {
-		my $subresult = getXMLstring($content, $spacepreserve);
-		if ($subresult) {
-		    $result .= ">".$subresult . "</$type>";
-		} else {
-		    $result .= "/>";
-		}
-	    } else {
-		$result .= "/>";
-	    }
-	}
-	$index += 2;
-    }
-    return $result;
-}
-
-# Translate list of nodes if necessary
-sub translate_subnodes
-{
-    my $fh = shift;
-    my $content = shift;
-    my $language = shift || "";
-    my $singlelang = shift || 0;
-    my $spacepreserve = shift || 0;
-
-    my @nodes = @{ $content };
-
-    my $count = scalar(@nodes);
-    my $index = 0;
-    while ($index < $count) {
-        my $type = $nodes[$index];
-        my $rest = $nodes[$index+1];
-        if ($singlelang) {
-            my $oldMO = $MULTIPLE_OUTPUT;
-            $MULTIPLE_OUTPUT = 1;
-            traverse($fh, $type, $rest, $language, $spacepreserve);
-            $MULTIPLE_OUTPUT = $oldMO;
-        } else {
-            traverse($fh, $type, $rest, $language, $spacepreserve);
-        }
-        $index += 2;
-    }
-}
-
-sub isWellFormedXmlFragment
-{
-    my $ret = eval 'require XML::Parser';
-    if(!$ret) {
-        die "You must have XML::Parser installed to run $0\n\n";
-    } 
-
-    my $fragment = shift;
-    return 0 if (!$fragment);
-
-    $fragment = "<root>$fragment</root>";
-    my $xp = new XML::Parser(Style => 'Tree');
-    my $tree = 0;
-    eval { $tree = $xp->parse($fragment); };
-    return $tree;
-}
-
-sub traverse
-{
-    my $fh = shift; 
-    my $nodename = shift;
-    my $content = shift;
-    my $language = shift || "";
-    my $spacepreserve = shift || 0;
-
-    if (!$nodename) {
-	if ($content =~ /^[\s]*$/) {
-	    $leading_space .= $content;
-	}
-	print $fh $content;
-    } else {
-	# element
-	my @all = @{ $content };
-	my $attrs = shift @all;
-	my $translate = 0;
-	my $outattr = getAttributeString($attrs, 1, $language, \$translate);
-
-	if ($nodename =~ /^_/) {
-	    $translate = 1;
-	    $nodename =~ s/^_//;
-	}
-	my $lookup = '';
-
-        $spacepreserve = 0 if ((exists $attrs->{"xml:space"}) && ($attrs->{"xml:space"} =~ /^["']?default["']?$/));
-        $spacepreserve = 1 if ((exists $attrs->{"xml:space"}) && ($attrs->{"xml:space"} =~ /^["']?preserve["']?$/));
-
-	print $fh "<$nodename", $outattr;
-	if ($translate) {
-	    $lookup = getXMLstring($content, $spacepreserve);
-            if (!$spacepreserve) {
-                $lookup =~ s/^\s+//s;
-                $lookup =~ s/\s+$//s;
-            }
-
-	    if ($lookup || $translate == 2) {
-                my $translation = $translations{$language, $lookup} if isWellFormedXmlFragment($translations{$language, $lookup});
-                if ($MULTIPLE_OUTPUT && ($translation || $translate == 2)) {
-                    $translation = $lookup if (!$translation);
-                    print $fh " xml:lang=\"", $language, "\"" if $language;
-                    print $fh ">";
-                    if ($translate == 2) {
-                        translate_subnodes($fh, \@all, $language, 1, $spacepreserve);
-                    } else {
-                        print $fh $translation;
-                    }
-                    print $fh "</$nodename>";
-
-                    return; # this means there will be no same translation with xml:lang="$language"...
-                            # if we want them both, just remove this "return"
-                } else {
-                    print $fh ">";
-                    if ($translate == 2) {
-                        translate_subnodes($fh, \@all, $language, 1, $spacepreserve);
-                    } else {
-                        print $fh $lookup;
-                    }
-                    print $fh "</$nodename>";
-                }
-	    } else {
-		print $fh "/>";
-	    }
-
-	    for my $lang (sort keys %po_files_by_lang) {
-                    if ($MULTIPLE_OUTPUT && $lang ne "$language") {
-                        next;
-                    }
-		    if ($lang) {
-                        # Handle translation
-                        #
-                        my $translate = 0;
-                        my $localattrs = getAttributeString($attrs, 1, $lang, \$translate);
-                        my $translation = $translations{$lang, $lookup} if isWellFormedXmlFragment($translations{$lang, $lookup});
-                        if ($translate && !$translation) {
-                            $translation = $lookup;
-                        }
-
-                        if ($translation || $translate) {
-			    print $fh "\n";
-			    $leading_space =~ s/.*\n//g;
-			    print $fh $leading_space;
- 			    print $fh "<", $nodename, " xml:lang=\"", $lang, "\"", $localattrs, ">";
-                            if ($translate == 2) {
-                               translate_subnodes($fh, \@all, $lang, 1, $spacepreserve);
-                            } else {
-                                print $fh $translation;
-                            }
-                            print $fh "</$nodename>";
-			}
-                    }
-	    }
-
-	} else {
-	    my $count = scalar(@all);
-	    if ($count > 0) {
-		print $fh ">";
-                my $index = 0;
-                while ($index < $count) {
-                    my $type = $all[$index];
-                    my $rest = $all[$index+1];
-                    traverse($fh, $type, $rest, $language, $spacepreserve);
-                    $index += 2;
-                }
-		print $fh "</$nodename>";
-	    } else {
-		print $fh "/>";
-	    }
-	}
-    }
-}
-
-sub intltool_tree_comment
-{
-    my $expat = shift;
-    my $data  = shift;
-    my $clist = $expat->{Curlist};
-    my $pos   = $#$clist;
-
-    push @$clist, 1 => $data;
-}
-
-sub intltool_tree_cdatastart
-{
-    my $expat    = shift;
-    my $clist = $expat->{Curlist};
-    my $pos   = $#$clist;
-
-    push @$clist, 0 => $expat->original_string();
-}
-
-sub intltool_tree_cdataend
-{
-    my $expat    = shift;
-    my $clist = $expat->{Curlist};
-    my $pos   = $#$clist;
-
-    $clist->[$pos] .= $expat->original_string();
-}
-
-sub intltool_tree_char
-{
-    my $expat = shift;
-    my $text  = shift;
-    my $clist = $expat->{Curlist};
-    my $pos   = $#$clist;
-
-    # Use original_string so that we retain escaped entities
-    # in CDATA sections.
-    #
-    if ($pos > 0 and $clist->[$pos - 1] eq '0') {
-        $clist->[$pos] .= $expat->original_string();
-    } else {
-        push @$clist, 0 => $expat->original_string();
-    }
-}
-
-sub intltool_tree_start
-{
-    my $expat    = shift;
-    my $tag      = shift;
-    my @origlist = ();
-
-    # Use original_string so that we retain escaped entities
-    # in attribute values.  We must convert the string to an
-    # @origlist array to conform to the structure of the Tree
-    # Style.
-    #
-    my @original_array = split /\x/, $expat->original_string();
-    my $source         = $expat->original_string();
-
-    # Remove leading tag.
-    #
-    $source =~ s|^\s*<\s*(\S+)||s;
-
-    # Grab attribute key/value pairs and push onto @origlist array.
-    #
-    while ($source)
-    {
-       if ($source =~ /^\s*([\w:-]+)\s*[=]\s*["]/)
-       {
-           $source =~ s|^\s*([\w:-]+)\s*[=]\s*["]([^"]*)["]||s;
-           push @origlist, $1;
-           push @origlist, '"' . $2 . '"';
-       }
-       elsif ($source =~ /^\s*([\w:-]+)\s*[=]\s*[']/)
-       {
-           $source =~ s|^\s*([\w:-]+)\s*[=]\s*[']([^']*)[']||s;
-           push @origlist, $1;
-           push @origlist, "'" . $2 . "'";
-       }
-       else
-       {
-           last;
-       }
-    }
-
-    my $ol = [ { @origlist } ];
-
-    push @{ $expat->{Lists} }, $expat->{Curlist};
-    push @{ $expat->{Curlist} }, $tag => $ol;
-    $expat->{Curlist} = $ol;
-}
-
-sub readXml
-{
-    my $filename = shift || return;
-    if(!-f $filename) {
-        die "ERROR Cannot find filename: $filename\n";
-    }
-
-    my $ret = eval 'require XML::Parser';
-    if(!$ret) {
-        die "You must have XML::Parser installed to run $0\n\n";
-    } 
-    my $xp = new XML::Parser(Style => 'Tree');
-    $xp->setHandlers(Char => \&intltool_tree_char);
-    $xp->setHandlers(Start => \&intltool_tree_start);
-    $xp->setHandlers(CdataStart => \&intltool_tree_cdatastart);
-    $xp->setHandlers(CdataEnd => \&intltool_tree_cdataend);
-    my $tree = $xp->parsefile($filename);
-
-# <foo><head id="a">Hello <em>there</em></head><bar>Howdy<ref/></bar>do</foo>
-# would be:
-# [foo, [{}, head, [{id => "a"}, 0, "Hello ",  em, [{}, 0, "there"]], bar, [{},
-# 0, "Howdy",  ref, [{}]], 0, "do" ] ]
-
-    return $tree;
-}
-
-sub print_header
-{
-    my $infile = shift;
-    my $fh = shift;
-    my $source;
-
-    if(!-f $infile) {
-        die "ERROR Cannot find filename: $infile\n";
-    }
-
-    print $fh qq{<?xml version="1.0" encoding="UTF-8"?>\n};
-    {
-        local $/;
-        open DOCINPUT, "<${FILE}" or die;
-        $source = <DOCINPUT>;
-        close DOCINPUT;
-    }
-    if ($source =~ /(<!DOCTYPE.*\[.*\]\s*>)/s)
-    {
-        print $fh "$1\n";
-    }
-    elsif ($source =~ /(<!DOCTYPE[^>]*>)/s)
-    {
-        print $fh "$1\n";
-    }
-}
-
-sub parseTree
-{
-    my $fh        = shift;
-    my $ref       = shift;
-    my $language  = shift || "";
-
-    my $name = shift @{ $ref };
-    my $cont = shift @{ $ref };
-    
-    while (!$name || "$name" eq "1") {
-        $name = shift @{ $ref };
-        $cont = shift @{ $ref };
-    }
-
-    my $spacepreserve = 0;
-    my $attrs = @{$cont}[0];
-    $spacepreserve = 1 if ((exists $attrs->{"xml:space"}) && ($attrs->{"xml:space"} =~ /^["']?preserve["']?$/));
-
-    traverse($fh, $name, $cont, $language, $spacepreserve);
-}
-
-sub xml_merge_output
-{
-    my $source;
-
-    if ($MULTIPLE_OUTPUT) {
-        for my $lang (sort keys %po_files_by_lang) {
-	    if ( ! -d $lang ) {
-	        mkdir $lang or -d $lang or die "Cannot create subdirectory $lang: $!\n";
-            }
-            open OUTPUT, ">$lang/$OUTFILE" or die "Cannot open $lang/$OUTFILE: $!\n";
-            binmode (OUTPUT) if $^O eq 'MSWin32';
-            my $tree = readXml($FILE);
-            print_header($FILE, \*OUTPUT);
-            parseTree(\*OUTPUT, $tree, $lang);
-            close OUTPUT;
-            print "CREATED $lang/$OUTFILE\n" unless $QUIET_ARG;
-        }
-        if ( ! -d "C" ) {
-            mkdir "C" or -d "C" or die "Cannot create subdirectory C: $!\n";
-        }
-        open OUTPUT, ">C/$OUTFILE" or die "Cannot open C/$OUTFILE: $!\n";
-        binmode (OUTPUT) if $^O eq 'MSWin32';
-        my $tree = readXml($FILE);
-        print_header($FILE, \*OUTPUT);
-        parseTree(\*OUTPUT, $tree);
-        close OUTPUT;
-        print "CREATED C/$OUTFILE\n" unless $QUIET_ARG;
-    } else {
-        open OUTPUT, ">$OUTFILE" or die "Cannot open $OUTFILE: $!\n";
-        binmode (OUTPUT) if $^O eq 'MSWin32';
-        my $tree = readXml($FILE);
-        print_header($FILE, \*OUTPUT);
-        parseTree(\*OUTPUT, $tree);
-        close OUTPUT;
-        print "CREATED $OUTFILE\n" unless $QUIET_ARG;
-    }
-}
-
-sub keys_merge_translation
-{
-    my ($lang) = @_;
-
-    if ( ! -d $lang && $MULTIPLE_OUTPUT)
-    {
-        mkdir $lang or -d $lang or die "Cannot create subdirectory $lang: $!\n";
-    }
-
-    open INPUT, "<${FILE}" or die "Cannot open ${FILE}: $!\n";
-    open OUTPUT, ">$lang/$OUTFILE" or die "Cannot open $lang/$OUTFILE: $!\n";
-    binmode (OUTPUT) if $^O eq 'MSWin32';
-
-    while (<INPUT>)
-    {
-        if (s/^(\s*)_(\w+=(.*))/$1$2/)
-        {
-            my $string = $3;
-
-            if (!$MULTIPLE_OUTPUT)
-            {
-                print OUTPUT;
-
-                my $non_translated_line = $_;
-
-                for my $lang (sort keys %po_files_by_lang)
-                {
-                    my $translation = $translations{$lang, $string};
-                    next if !$translation;
-
-                    $_ = $non_translated_line;
-                    s/(\w+)=.*/[$lang]$1=$translation/;
-                    print OUTPUT;
-                }
-            }
-            else
-            {
-                my $non_translated_line = $_;
-                my $translation = $translations{$lang, $string};
-                $translation = $string if !$translation;
-
-                $_ = $non_translated_line;
-                s/(\w+)=.*/$1=$translation/;
-                print OUTPUT;
-            }
-        }
-        else
-        {
-            print OUTPUT;
-        }
-    }
-
-    close OUTPUT;
-    close INPUT;
-
-    print "CREATED $lang/$OUTFILE\n" unless $QUIET_ARG;
-}
-
-sub keys_merge_translations
-{
-    if ($MULTIPLE_OUTPUT)
-    {
-        for my $lang (sort keys %po_files_by_lang)
-        {
-            keys_merge_translation ($lang);
-        }
-        keys_merge_translation ("C");
-    }
-    else
-    {
-        keys_merge_translation (".");
-    }
-}
-
-sub desktop_merge_translations
-{
-    open INPUT, "<${FILE}" or die;
-    open OUTPUT, ">${OUTFILE}" or die;
-    binmode (OUTPUT) if $^O eq 'MSWin32';
-
-    while (<INPUT>) 
-    {
-        if (s/^(\s*)_(\w+=(.*))/$1$2/)  
-        {
-	    my $string = $3;
-
-            print OUTPUT;
-
-	    my $non_translated_line = $_;
-
-            for my $lang (sort keys %po_files_by_lang) 
-            {
-                my $translation = $translations{$lang, $string};
-                next if !$translation;
-
-                $_ = $non_translated_line;
-                s/(\w+)=.*/${1}[$lang]=$translation/;
-                print OUTPUT;
-            }
-	} 
-        else 
-        {
-            print OUTPUT;
-        }
-    }
-
-    close OUTPUT;
-    close INPUT;
-}
-
-sub schemas_merge_translations
-{
-    my $source;
-
-    {
-       local $/; # slurp mode
-       open INPUT, "<$FILE" or die "can't open $FILE: $!";
-       $source = <INPUT>;
-       close INPUT;
-    }
-
-    open OUTPUT, ">$OUTFILE" or die;
-    binmode (OUTPUT) if $^O eq 'MSWin32';
-
-    # FIXME: support attribute translations
-
-    # Empty nodes never need translation, so unmark all of them.
-    # For example, <_foo/> is just replaced by <foo/>.
-    $source =~ s|<\s*_($w+)\s*/>|<$1/>|g;
-
-    while ($source =~ s/
-                        (.*?)
-                        (\s+)(<locale\ name="C">(\s*)
-                            (<default>\s*(?:<!--[^>]*?-->\s*)?(.*?)\s*<\/default>)?(\s*)
-                            (<short>\s*(?:<!--[^>]*?-->\s*)?(.*?)\s*<\/short>)?(\s*)
-                            (<long>\s*(?:<!--[^>]*?-->\s*)?(.*?)\s*<\/long>)?(\s*)
-                        <\/locale>)
-                       //sx) 
-    {
-        print OUTPUT $1;
-
-	my $locale_start_spaces = $2 ? $2 : '';
-	my $default_spaces = $4 ? $4 : '';
-	my $short_spaces = $7 ? $7 : '';
-	my $long_spaces = $10 ? $10 : '';
-	my $locale_end_spaces = $13 ? $13 : '';
-	my $c_default_block = $3 ? $3 : '';
-	my $default_string = $6 ? $6 : '';
-	my $short_string = $9 ? $9 : '';
-	my $long_string = $12 ? $12 : '';
-
-	print OUTPUT "$locale_start_spaces$c_default_block";
-
-        $default_string =~ s/\s+/ /g;
-        $default_string = entity_decode($default_string);
-	$short_string =~ s/\s+/ /g;
-	$short_string = entity_decode($short_string);
-	$long_string =~ s/\s+/ /g;
-	$long_string = entity_decode($long_string);
-
-	for my $lang (sort keys %po_files_by_lang) 
-        {
-	    my $default_translation = $translations{$lang, $default_string};
-	    my $short_translation = $translations{$lang, $short_string};
-	    my $long_translation  = $translations{$lang, $long_string};
-
-	    next if (!$default_translation && !$short_translation && 
-                     !$long_translation);
-
-	    print OUTPUT "\n$locale_start_spaces<locale name=\"$lang\">";
-
-        print OUTPUT "$default_spaces";    
-
-        if ($default_translation)
-        {
-            $default_translation = entity_encode($default_translation);
-            print OUTPUT "<default>$default_translation</default>";
-        }
-
-	    print OUTPUT "$short_spaces";
-
-	    if ($short_translation)
-	    {
-			$short_translation = entity_encode($short_translation);
-			print OUTPUT "<short>$short_translation</short>";
-	    }
-
-	    print OUTPUT "$long_spaces";
-
-	    if ($long_translation)
-	    {
-			$long_translation = entity_encode($long_translation);
-			print OUTPUT "<long>$long_translation</long>";
-	    }	    
-
-	    print OUTPUT "$locale_end_spaces</locale>";
-        }
-    }
-
-    print OUTPUT $source;
-
-    close OUTPUT;
-}
-
-sub rfc822deb_merge_translations
-{
-    my %encodings = ();
-    for my $lang (keys %po_files_by_lang) {
-        $encodings{$lang} = ($UTF8_ARG ? 'UTF-8' : get_po_encoding($po_files_by_lang{$lang}));
-    }
-
-    my $source;
-
-    $Text::Wrap::huge = 'overflow';
-    $Text::Wrap::break = qr/\n|\s(?=\S)/;
-
-    {
-       local $/; # slurp mode
-       open INPUT, "<$FILE" or die "can't open $FILE: $!";
-       $source = <INPUT>;
-       close INPUT;
-    }
-
-    open OUTPUT, ">${OUTFILE}" or die;
-    binmode (OUTPUT) if $^O eq 'MSWin32';
-
-    while ($source =~ /(^|\n+)(_*)([^:\s]+)(:[ \t]*)(.*?)(?=\n[\S\n]|$)/sg)
-    {
-	    my $sep = $1;
-	    my $non_translated_line = $3.$4;
-	    my $string = $5;
-	    my $underscore = length($2);
-	    next if $underscore eq 0 && $non_translated_line =~ /^#/;
-	    #  Remove [] dummy strings
-	    my $stripped = $string;
-	    $stripped =~ s/\[\s[^\[\]]*\],/,/g if $underscore eq 2;
-	    $stripped =~ s/\[\s[^\[\]]*\]$//;
-	    $non_translated_line .= $stripped;
-
-	    print OUTPUT $sep.$non_translated_line;
-    
-	    if ($underscore) 
-	    {
-	        my @str_list = rfc822deb_split($underscore, $string);
-
-	        for my $lang (sort keys %po_files_by_lang) 
-                {
-                    my $is_translated = 1;
-                    my $str_translated = '';
-                    my $first = 1;
-                
-                    for my $str (@str_list) 
-                    {
-                        my $translation = $translations{$lang, $str};
-                    
-                        if (!$translation) 
-                        {
-                            $is_translated = 0;
-                            last;
-                        }
-
-	                #  $translation may also contain [] dummy
-                        #  strings, mostly to indicate an empty string
-	                $translation =~ s/\[\s[^\[\]]*\]$//;
-                        
-                        if ($first) 
-                        {
-                            if ($underscore eq 2)
-                            {
-                                $str_translated .= $translation;
-                            }
-                            else
-                            {
-                                $str_translated .=
-                                    Text::Tabs::expand($translation) .
-                                    "\n";
-                            }
-                        } 
-                        else 
-                        {
-                            if ($underscore eq 2)
-                            {
-                                $str_translated .= ', ' . $translation;
-                            }
-                            else
-                            {
-                                $str_translated .= Text::Tabs::expand(
-                                    Text::Wrap::wrap(' ', ' ', $translation)) .
-                                    "\n .\n";
-                            }
-                        }
-                        $first = 0;
-
-                        #  To fix some problems with Text::Wrap::wrap
-                        $str_translated =~ s/(\n )+\n/\n .\n/g;
-                    }
-                    next unless $is_translated;
-
-                    $str_translated =~ s/\n \.\n$//;
-                    $str_translated =~ s/\s+$//;
-
-                    $_ = $non_translated_line;
-                    s/^(\w+):\s*.*/$sep${1}-$lang.$encodings{$lang}: $str_translated/s;
-                    print OUTPUT;
-                }
-	    }
-    }
-    print OUTPUT "\n";
-
-    close OUTPUT;
-    close INPUT;
-}
-
-sub rfc822deb_split 
-{
-    # Debian defines a special way to deal with rfc822-style files:
-    # when a value contain newlines, it consists of
-    #   1.  a short form (first line)
-    #   2.  a long description, all lines begin with a space,
-    #       and paragraphs are separated by a single dot on a line
-    # This routine returns an array of all paragraphs, and reformat
-    # them.
-    # When first argument is 2, the string is a comma separated list of
-    # values.
-    my $type = shift;
-    my $text = shift;
-    $text =~ s/^[ \t]//mg;
-    return (split(/, */, $text, 0)) if $type ne 1;
-    return ($text) if $text !~ /\n/;
-
-    $text =~ s/([^\n]*)\n//;
-    my @list = ($1);
-    my $str = '';
-
-    for my $line (split (/\n/, $text)) 
-    {
-        chomp $line;
-        if ($line =~ /^\.\s*$/)
-        {
-            #  New paragraph
-            $str =~ s/\s*$//;
-            push(@list, $str);
-            $str = '';
-        } 
-        elsif ($line =~ /^\s/) 
-        {
-            #  Line which must not be reformatted
-            $str .= "\n" if length ($str) && $str !~ /\n$/;
-            $line =~ s/\s+$//;
-            $str .= $line."\n";
-        } 
-        else 
-        {
-            #  Continuation line, remove newline
-            $str .= " " if length ($str) && $str !~ /\n$/;
-            $str .= $line;
-        }
-    }
-
-    $str =~ s/\s*$//;
-    push(@list, $str) if length ($str);
-
-    return @list;
-}
-
-sub quoted_translation
-{
-    my ($xml_mode, $lang, $string) = @_;
-
-    $string = entity_decode($string) if $xml_mode;
-    $string =~ s/\\\"/\"/g;
-
-    my $translation = $translations{$lang, $string};
-    $translation = $string if !$translation;
-    $translation = entity_encode($translation) if $xml_mode;
-    $translation =~ s/\"/\\\"/g;
-    return $translation
-}
-
-sub quoted_merge_translations
-{
-    my ($xml_mode) = @_;
-
-    if (!$MULTIPLE_OUTPUT) {
-        print "Quoted only supports Multiple Output.\n";
-        exit(1);
-    }
-
-    for my $lang (sort keys %po_files_by_lang) {
-        if ( ! -d $lang ) {
-            mkdir $lang or -d $lang or die "Cannot create subdirectory $lang: $!\n";
-        }
-        open INPUT, "<${FILE}" or die;
-        open OUTPUT, ">$lang/$OUTFILE" or die "Cannot open $lang/$OUTFILE: $!\n";
-        binmode (OUTPUT) if $^O eq 'MSWin32';
-        while (<INPUT>) 
-        {
-            s/\"(([^\"]|\\\")*[^\\\"])\"/"\"" . &quoted_translation($xml_mode, $lang, $1) . "\""/ge;
-            print OUTPUT;
-        }
-        close OUTPUT;
-        close INPUT;
-    }
-}
diff --git a/src/charon/plugins/nm/gnome/intltool-update.in b/src/charon/plugins/nm/gnome/intltool-update.in
deleted file mode 100644
index 2684cc0d2..000000000
--- a/src/charon/plugins/nm/gnome/intltool-update.in
+++ /dev/null
@@ -1,1166 +0,0 @@
-#!@INTLTOOL_PERL@ -w
-# -*- Mode: perl; indent-tabs-mode: nil; c-basic-offset: 4  -*-
-
-#
-#  The Intltool Message Updater
-#
-#  Copyright (C) 2000-2003 Free Software Foundation.
-#
-#  Intltool is free software; you can redistribute it and/or
-#  modify it under the terms of the GNU General Public License 
-#  version 2 published by the Free Software Foundation.
-#
-#  Intltool is distributed in the hope that it will be useful,
-#  but WITHOUT ANY WARRANTY; without even the implied warranty of
-#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-#  General Public License for more details.
-#
-#  You should have received a copy of the GNU General Public License
-#  along with this program; if not, write to the Free Software
-#  Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-#
-#  As a special exception to the GNU General Public License, if you
-#  distribute this file as part of a program that contains a
-#  configuration script generated by Autoconf, you may include it under
-#  the same distribution terms that you use for the rest of that program.
-#
-#  Authors: Kenneth Christiansen <kenneth@gnu.org>
-#           Maciej Stachowiak
-#           Darin Adler <darin@bentspoon.com>
-
-## Release information
-my $PROGRAM = "intltool-update";
-my $VERSION = "0.37.1";
-my $PACKAGE = "intltool";
-
-## Loaded modules
-use strict;
-use Getopt::Long;
-use Cwd;
-use File::Copy;
-use File::Find;
-
-## Scalars used by the option stuff
-my $HELP_ARG 	   = 0;
-my $VERSION_ARG    = 0;
-my $DIST_ARG	   = 0;
-my $POT_ARG	   = 0;
-my $HEADERS_ARG    = 0;
-my $MAINTAIN_ARG   = 0;
-my $REPORT_ARG     = 0;
-my $VERBOSE	   = 0;
-my $GETTEXT_PACKAGE = "";
-my $OUTPUT_FILE    = "";
-
-my @languages;
-my %varhash = ();
-my %po_files_by_lang = ();
-
-# Regular expressions to categorize file types.
-# FIXME: Please check if the following is correct
-
-my $xml_support =
-"xml(?:\\.in)*|".	# http://www.w3.org/XML/ (Note: .in is not required)
-"ui|".			# Bonobo specific - User Interface desc. files
-"lang|".		# ?
-"glade2?(?:\\.in)*|".	# Glade specific - User Interface desc. files (Note: .in is not required)
-"scm(?:\\.in)*|".	# ? (Note: .in is not required)
-"oaf(?:\\.in)+|".	# DEPRECATED: Replaces by Bonobo .server files 
-"etspec|".		# ?
-"server(?:\\.in)+|".	# Bonobo specific
-"sheet(?:\\.in)+|".	# ?
-"schemas(?:\\.in)+|".	# GConf specific
-"pong(?:\\.in)+|".	# DEPRECATED: PONG is not used [by GNOME] any longer.
-"kbd(?:\\.in)+|".	# GOK specific. 
-"policy(?:\\.in)+";	# PolicyKit files
-
-my $ini_support =
-"icon(?:\\.in)+|".	# http://www.freedesktop.org/Standards/icon-theme-spec
-"desktop(?:\\.in)+|".	# http://www.freedesktop.org/Standards/menu-spec
-"caves(?:\\.in)+|".	# GNOME Games specific
-"directory(?:\\.in)+|".	# http://www.freedesktop.org/Standards/menu-spec
-"soundlist(?:\\.in)+|".	# GNOME specific
-"keys(?:\\.in)+|".	# GNOME Mime database specific
-"theme(?:\\.in)+|".	# http://www.freedesktop.org/Standards/icon-theme-spec
-"service(?:\\.in)+";    # DBus specific
-
-my $buildin_gettext_support = 
-"c|y|cs|cc|cpp|c\\+\\+|h|hh|gob|py";
-
-## Always flush buffer when printing
-$| = 1;
-
-## Sometimes the source tree will be rooted somewhere else.
-my $SRCDIR = $ENV{"srcdir"} || ".";
-my $POTFILES_in;
-
-$POTFILES_in = "<$SRCDIR/POTFILES.in";
-
-my $devnull = ($^O eq 'MSWin32' ? 'NUL:' : '/dev/null');
-
-## Handle options
-GetOptions 
-(
- "help" 	       => \$HELP_ARG,
- "version" 	       => \$VERSION_ARG,
- "dist|d"	       => \$DIST_ARG,
- "pot|p"	       => \$POT_ARG,
- "headers|s"	       => \$HEADERS_ARG,
- "maintain|m"	       => \$MAINTAIN_ARG,
- "report|r"	       => \$REPORT_ARG,
- "verbose|x"	       => \$VERBOSE,
- "gettext-package|g=s" => \$GETTEXT_PACKAGE,
- "output-file|o=s"     => \$OUTPUT_FILE,
- ) or &Console_WriteError_InvalidOption;
-
-&Console_Write_IntltoolHelp if $HELP_ARG;
-&Console_Write_IntltoolVersion if $VERSION_ARG;
-
-my $arg_count = ($DIST_ARG > 0)
-    + ($POT_ARG > 0)
-    + ($HEADERS_ARG > 0)
-    + ($MAINTAIN_ARG > 0)
-    + ($REPORT_ARG > 0);
-
-&Console_Write_IntltoolHelp if $arg_count > 1;
-
-my $PKGNAME = FindPackageName ();
-
-# --version and --help don't require a module name
-my $MODULE = $GETTEXT_PACKAGE || $PKGNAME || "unknown";
-
-if ($POT_ARG)
-{
-    &GenerateHeaders;
-    &GeneratePOTemplate;
-}
-elsif ($HEADERS_ARG)
-{
-    &GenerateHeaders;
-}
-elsif ($MAINTAIN_ARG)
-{
-    &FindLeftoutFiles;
-}
-elsif ($REPORT_ARG)
-{
-    &GenerateHeaders;
-    &GeneratePOTemplate;
-    &Console_Write_CoverageReport;
-}
-elsif ((defined $ARGV[0]) && $ARGV[0] =~ /^[a-z]/)
-{
-    my $lang = $ARGV[0];
-
-    ## Report error if the language file supplied
-    ## to the command line is non-existent
-    &Console_WriteError_NotExisting("$SRCDIR/$lang.po")
-        if ! -s "$SRCDIR/$lang.po";
-
-    if (!$DIST_ARG)
-    {
-	print "Working, please wait..." if $VERBOSE;
-	&GenerateHeaders;
-	&GeneratePOTemplate;
-    }
-    &POFile_Update ($lang, $OUTPUT_FILE);
-    &Console_Write_TranslationStatus ($lang, $OUTPUT_FILE);
-} 
-else 
-{
-    &Console_Write_IntltoolHelp;
-}
-
-exit;
-
-#########
-
-sub Console_Write_IntltoolVersion
-{
-    print <<_EOF_;
-${PROGRAM} (${PACKAGE}) $VERSION
-Written by Kenneth Christiansen, Maciej Stachowiak, and Darin Adler.
-
-Copyright (C) 2000-2003 Free Software Foundation, Inc.
-This is free software; see the source for copying conditions.  There is NO
-warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
-_EOF_
-    exit;
-}
-
-sub Console_Write_IntltoolHelp
-{
-    print <<_EOF_;
-Usage: ${PROGRAM} [OPTION]... LANGCODE
-Updates PO template files and merge them with the translations.
-
-Mode of operation (only one is allowed):
-  -p, --pot                   generate the PO template only
-  -s, --headers               generate the header files in POTFILES.in
-  -m, --maintain              search for left out files from POTFILES.in
-  -r, --report                display a status report for the module
-  -d, --dist                  merge LANGCODE.po with existing PO template
-
-Extra options:
-  -g, --gettext-package=NAME  override PO template name, useful with --pot
-  -o, --output-file=FILE      write merged translation to FILE
-  -x, --verbose               display lots of feedback
-      --help                  display this help and exit
-      --version               output version information and exit
-
-Examples of use:
-${PROGRAM} --pot    just create a new PO template
-${PROGRAM} xy       create new PO template and merge xy.po with it
-
-Report bugs to http://bugzilla.gnome.org/ (product name "$PACKAGE")
-or send email to <xml-i18n-tools\@gnome.org>.
-_EOF_
-    exit;
-}
-
-sub echo_n
-{
-    my $str = shift;
-    my $ret = `echo "$str"`;
-
-    $ret =~ s/\n$//; # do we need the "s" flag?
-
-    return $ret;
-}
-
-sub POFile_DetermineType ($) 
-{
-   my $type = $_;
-   my $gettext_type;
-
-   my $xml_regex     = "(?:" . $xml_support . ")";
-   my $ini_regex     = "(?:" . $ini_support . ")";
-   my $buildin_regex = "(?:" . $buildin_gettext_support . ")";
-
-   if ($type =~ /\[type: gettext\/([^\]].*)]/) 
-   {
-	$gettext_type=$1;
-   }
-   elsif ($type =~ /schemas(\.in)+$/) 
-   {
-	$gettext_type="schemas";
-   }
-   elsif ($type =~ /glade2?(\.in)*$/) 
-   {
-       $gettext_type="glade";
-   }
-   elsif ($type =~ /scm(\.in)*$/) 
-   {
-       $gettext_type="scheme";
-   }
-   elsif ($type =~ /keys(\.in)+$/) 
-   {
-       $gettext_type="keys";
-   }
-
-   # bucket types
-
-   elsif ($type =~ /$xml_regex$/) 
-   {
-       $gettext_type="xml";
-   }
-   elsif ($type =~ /$ini_regex$/) 
-   { 
-       $gettext_type="ini";
-   }
-   elsif ($type =~ /$buildin_regex$/) 
-   {
-       $gettext_type="buildin";
-   }
-   else
-   { 
-       $gettext_type="unknown"; 
-   }
-
-   return "gettext\/$gettext_type";
-}
-
-sub TextFile_DetermineEncoding ($) 
-{
-    my $gettext_code="ASCII"; # All files are ASCII by default
-    my $filetype=`file $_ | cut -d ' ' -f 2`;
-
-    if ($? eq "0")
-    {
-	if ($filetype =~ /^(ISO|UTF)/)
-	{
-	    chomp ($gettext_code = $filetype);
-	}
-	elsif ($filetype =~ /^XML/)
-	{
-	    $gettext_code="UTF-8"; # We asume that .glade and other .xml files are UTF-8
-	}
-    }
-
-    return $gettext_code;
-}
-
-sub isNotValidMissing
-{
-    my ($file) = @_;
-
-    return if $file =~ /^\{arch\}\/.*$/;
-    return if $file =~ /^$varhash{"PACKAGE"}-$varhash{"VERSION"}\/.*$/;
-}
-
-sub FindLeftoutFiles
-{
-    my (@buf_i18n_plain,
-	@buf_i18n_xml,
-	@buf_i18n_xml_unmarked,
-	@buf_i18n_ini,
-	@buf_potfiles,
-	@buf_potfiles_ignore,
-	@buf_allfiles,
-	@buf_allfiles_sorted,
-	@buf_potfiles_sorted,
-        @buf_potfiles_ignore_sorted
-    );
-
-    ## Search and find all translatable files
-    find sub { 
-	push @buf_i18n_plain,        "$File::Find::name" if /\.($buildin_gettext_support)$/;
-	push @buf_i18n_xml,          "$File::Find::name" if /\.($xml_support)$/;
-	push @buf_i18n_ini,          "$File::Find::name" if /\.($ini_support)$/;
-	push @buf_i18n_xml_unmarked, "$File::Find::name" if /\.(schemas(\.in)+)$/;
-	}, "..";
-    find sub { 
-	push @buf_i18n_plain,        "$File::Find::name" if /\.($buildin_gettext_support)$/;
-	push @buf_i18n_xml,          "$File::Find::name" if /\.($xml_support)$/;
-	push @buf_i18n_ini,          "$File::Find::name" if /\.($ini_support)$/;
-	push @buf_i18n_xml_unmarked, "$File::Find::name" if /\.(schemas(\.in)+)$/;
-	}, "$SRCDIR/.." if "$SRCDIR" ne ".";
-
-    open POTFILES, $POTFILES_in or die "$PROGRAM:  there's no POTFILES.in!\n";
-    @buf_potfiles = grep !/^(#|\s*$)/, <POTFILES>;
-    close POTFILES;
-
-    foreach (@buf_potfiles) {
-	s/^\[.*]\s*//;
-    }
-
-    print "Searching for missing translatable files...\n" if $VERBOSE;
-
-    ## Check if we should ignore some found files, when
-    ## comparing with POTFILES.in
-    foreach my $ignore ("POTFILES.skip", "POTFILES.ignore")
-    {
-	(-s "$SRCDIR/$ignore") or next;
-
-	if ("$ignore" eq "POTFILES.ignore")
-	{
-	    print "The usage of POTFILES.ignore is deprecated. Please consider moving the\n".
-		  "content of this file to POTFILES.skip.\n";
-	}
-
-	print "Found $ignore: Ignoring files...\n" if $VERBOSE;
-	open FILE, "<$SRCDIR/$ignore" or die "ERROR: Failed to open $SRCDIR/$ignore!\n";
-	    
-	while (<FILE>)
-	{
-	    push @buf_potfiles_ignore, $_ unless /^(#|\s*$)/;
-	}
-	close FILE;
-
-	@buf_potfiles_ignore_sorted = sort (@buf_potfiles_ignore);
-    }
-
-    foreach my $file (@buf_i18n_plain)
-    {
-	my $in_comment = 0;
-	my $in_macro = 0;
-
-	open FILE, "<$file";
-	while (<FILE>)
-	{
-	    # Handle continued multi-line comment.
-	    if ($in_comment)
-	    {
-		next unless s-.*\*/--;
-		$in_comment = 0;
-	    }
-
-	    # Handle continued macro.
-	    if ($in_macro)
-	    {
-		$in_macro = 0 unless /\\$/;
-		next;
-	    }
-
-	    # Handle start of macro (or any preprocessor directive).
-	    if (/^\s*\#/)
-	    {
-		$in_macro = 1 if /^([^\\]|\\.)*\\$/;
-		next;
-	    }
-
-	    # Handle comments and quoted text.
-	    while (m-(/\*|//|\'|\")-) # \' and \" keep emacs perl mode happy
-	    {
-		my $match = $1;
-		if ($match eq "/*")
-		{
-		    if (!s-/\*.*?\*/--)
-		    {
-			s-/\*.*--;
-			$in_comment = 1;
-		    }
-		}
-		elsif ($match eq "//")
-		{
-		    s-//.*--;
-		}
-		else # ' or "
-		{
-		    if (!s-$match([^\\]|\\.)*?$match-QUOTEDTEXT-)
-		    {
-			warn "mismatched quotes at line $. in $file\n";
-			s-$match.*--;
-		    }
-		}
-	    }	    
-
-	    if (/\w\.GetString *\(QUOTEDTEXT/)
-	    {
-                if (defined isNotValidMissing (unpack("x3 A*", $file))) {
-                    ## Remove the first 3 chars and add newline
-                    push @buf_allfiles, unpack("x3 A*", $file) . "\n";
-                }
-		last;
-	    }
-
-            ## C_ N_ Q_ and _ are the macros defined in gi8n.h
-	    if (/[CNQ]?_ *\(QUOTEDTEXT/)
-	    {
-                if (defined isNotValidMissing (unpack("x3 A*", $file))) {
-                    ## Remove the first 3 chars and add newline
-                    push @buf_allfiles, unpack("x3 A*", $file) . "\n";
-                }
-		last;
-	    }
-	}
-	close FILE;
-    }
-
-    foreach my $file (@buf_i18n_xml) 
-    {
-	open FILE, "<$file";
-	
-	while (<FILE>) 
-	{
-	    # FIXME: share the pattern matching code with intltool-extract
-	    if (/\s_[-A-Za-z0-9._:]+\s*=\s*\"([^"]+)\"/ || /<_[^>]+>/ || /translatable=\"yes\"/)
-	    {
-                if (defined isNotValidMissing (unpack("x3 A*", $file))) {
-                    push @buf_allfiles, unpack("x3 A*", $file) . "\n";
-                }
-		last;
-	    }
-	}
-	close FILE;
-    }
-
-    foreach my $file (@buf_i18n_ini)
-    {
-	open FILE, "<$file";
-	while (<FILE>) 
-	{
-	    if (/_(.*)=/)
-	    {
-                if (defined isNotValidMissing (unpack("x3 A*", $file))) {
-                    push @buf_allfiles, unpack("x3 A*", $file) . "\n";
-                }
-		last;
-	    }
-	}
-	close FILE;
-    }
-
-    foreach my $file (@buf_i18n_xml_unmarked)
-    {
-        if (defined isNotValidMissing (unpack("x3 A*", $file))) {
-            push @buf_allfiles, unpack("x3 A*", $file) . "\n";
-        }
-    }
-
-
-    @buf_allfiles_sorted = sort (@buf_allfiles);
-    @buf_potfiles_sorted = sort (@buf_potfiles);
-
-    my %in2;
-    foreach (@buf_potfiles_sorted) 
-    {
-        s#^$SRCDIR/../##;
-        s#^$SRCDIR/##;
-	$in2{$_} = 1;
-    }
-
-    foreach (@buf_potfiles_ignore_sorted) 
-    {
-        s#^$SRCDIR/../##;
-        s#^$SRCDIR/##;
-	$in2{$_} = 1;
-    }
-
-    my @result;
-
-    foreach (@buf_allfiles_sorted)
-    {
-        my $dummy = $_;
-        my $srcdir = $SRCDIR;
-
-        $srcdir =~ s#^../##;
-        $dummy =~ s#^$srcdir/../##;
-        $dummy =~ s#^$srcdir/##;
-        $dummy =~ s#_build/##;
-	if (!exists($in2{$dummy}))
-	{
-	    push @result, $dummy
-	}
-    }
-
-    my @buf_potfiles_notexist;
-
-    foreach (@buf_potfiles_sorted)
-    {
-	chomp (my $dummy = $_);
-	if ("$dummy" ne "" and !(-f "$SRCDIR/../$dummy" or -f "../$dummy"))
-	{
-	    push @buf_potfiles_notexist, $_;
-	}
-    }
-
-    ## Save file with information about the files missing
-    ## if any, and give information about this procedure.
-    if (@result + @buf_potfiles_notexist > 0)
-    {
-	if (@result) 
-	{
-	    print "\n" if $VERBOSE;
-	    unlink "missing";
-	    open OUT, ">missing";
-	    print OUT @result;
-	    close OUT;
-	    warn "\e[1mThe following files contain translations and are currently not in use. Please\e[0m\n".
-	         "\e[1mconsider adding these to the POTFILES.in file, located in the po/ directory.\e[0m\n\n";
-	    print STDERR @result, "\n";
-	    warn "If some of these files are left out on purpose then please add them to\n".
-		 "POTFILES.skip instead of POTFILES.in. A file \e[1m'missing'\e[0m containing this list\n".
-		 "of left out files has been written in the current directory.\n";
-	}
-	if (@buf_potfiles_notexist)
-	{
-	    unlink "notexist";
-	    open OUT, ">notexist";
-	    print OUT @buf_potfiles_notexist;
-	    close OUT;
-	    warn "\n" if ($VERBOSE or @result);
-	    warn "\e[1mThe following files do not exist anymore:\e[0m\n\n";
-	    warn @buf_potfiles_notexist, "\n";
-	    warn "Please remove them from POTFILES.in. A file \e[1m'notexist'\e[0m\n".
-		 "containing this list of absent files has been written in the current directory.\n";
-	}
-    }
-
-    ## If there is nothing to complain about, notify the user
-    else {
-	print "\nAll files containing translations are present in POTFILES.in.\n" if $VERBOSE;
-    }
-}
-
-sub Console_WriteError_InvalidOption
-{
-    ## Handle invalid arguments
-    print STDERR "Try `${PROGRAM} --help' for more information.\n";
-    exit 1;
-}
-
-sub isProgramInPath
-{
-    my ($file) = @_;
-    # If either a file exists, or when run it returns 0 exit status
-    return 1 if ((-x $file) or (system("$file --version >$devnull") == 0));
-    return 0;
-}
-
-sub isGNUGettextTool
-{
-    my ($file) = @_;
-    # Check that we are using GNU gettext tools
-    if (isProgramInPath ($file))
-    {
-        my $version = `$file --version`;
-        return 1 if ($version =~ m/.*\(GNU .*\).*/);
-    }
-    return 0;
-}
-
-sub GenerateHeaders
-{
-    my $EXTRACT = $ENV{"INTLTOOL_EXTRACT"} || "intltool-extract";
-
-    ## Generate the .h header files, so we can allow glade and
-    ## xml translation support
-    if (! isProgramInPath ("$EXTRACT"))
-    {
-	print STDERR "\n *** The intltool-extract script wasn't found!"
-	     ."\n *** Without it, intltool-update can not generate files.\n";
-	exit;
-    }
-    else
-    {
-	open (FILE, $POTFILES_in) or die "$PROGRAM: POTFILES.in not found.\n";
-	
-	while (<FILE>) 
-	{
-	   chomp;
-	   next if /^\[\s*encoding/;
-
-	   ## Find xml files in POTFILES.in and generate the
-	   ## files with help from the extract script
-
-	   my $gettext_type= &POFile_DetermineType ($1);
-
-	   if (/\.($xml_support|$ini_support)$/ || /^\[/)
-	   {
-	       s/^\[[^\[].*]\s*//;
-
-	       my $filename = "../$_";
-
-	       if ($VERBOSE)
-	       {
-		   system ($EXTRACT, "--update", "--srcdir=$SRCDIR",
-			   "--type=$gettext_type", $filename);
-	       } 
-	       else 
-	       {
-	 	   system ($EXTRACT, "--update", "--type=$gettext_type", 
-			   "--srcdir=$SRCDIR", "--quiet", $filename);
-	       }
-	   }
-       }
-       close FILE;
-   }
-}
-
-#
-# Generate .pot file from POTFILES.in
-#
-sub GeneratePOTemplate
-{
-    my $XGETTEXT = $ENV{"XGETTEXT"} || "xgettext";
-    my $XGETTEXT_ARGS = $ENV{"XGETTEXT_ARGS"} || '';
-    chomp $XGETTEXT;
-
-    if (! isGNUGettextTool ("$XGETTEXT"))
-    {
-	print STDERR " *** GNU xgettext is not found on this system!\n".
-		     " *** Without it, intltool-update can not extract strings.\n";
-	exit;
-    }
-
-    print "Building $MODULE.pot...\n" if $VERBOSE;
-
-    open INFILE, $POTFILES_in;
-    unlink "POTFILES.in.temp";
-    open OUTFILE, ">POTFILES.in.temp" or die("Cannot open POTFILES.in.temp for writing");
-
-    my $gettext_support_nonascii = 0;
-
-    # checks for GNU gettext >= 0.12
-    my $dummy = `$XGETTEXT --version --from-code=UTF-8 >$devnull 2>$devnull`;
-    if ($? == 0)
-    {
-	$gettext_support_nonascii = 1;
-    }
-    else
-    {
-	# urge everybody to upgrade gettext
-	print STDERR "WARNING: This version of gettext does not support extracting non-ASCII\n".
-		     "         strings. That means you should install a version of gettext\n".
-		     "         that supports non-ASCII strings (such as GNU gettext >= 0.12),\n".
-		     "         or have to let non-ASCII strings untranslated. (If there is any)\n";
-    }
-
-    my $encoding = "ASCII";
-    my $forced_gettext_code;
-    my @temp_headers;
-    my $encoding_problem_is_reported = 0;
-
-    while (<INFILE>) 
-    {
-	next if (/^#/ or /^\s*$/);
-
-	chomp;
-
-	my $gettext_code;
-
-	if (/^\[\s*encoding:\s*(.*)\s*\]/)
-	{
-	    $forced_gettext_code=$1;
-	}
-	elsif (/\.($xml_support|$ini_support)$/ || /^\[/)
-	{
-	    s/^\[.*]\s*//;
-            print OUTFILE "../$_.h\n";
-	    push @temp_headers, "../$_.h";
-	    $gettext_code = &TextFile_DetermineEncoding ("../$_.h") if ($gettext_support_nonascii and not defined $forced_gettext_code);
-	} 
-	else 
-	{
-            print OUTFILE "$SRCDIR/../$_\n";
-	    $gettext_code = &TextFile_DetermineEncoding ("$SRCDIR/../$_") if ($gettext_support_nonascii and not defined $forced_gettext_code);
-	}
-
-	next if (! $gettext_support_nonascii);
-
-	if (defined $forced_gettext_code)
-	{
-	    $encoding=$forced_gettext_code;
-	}
-	elsif (defined $gettext_code and "$encoding" ne "$gettext_code")
-	{
-	    if ($encoding eq "ASCII")
-	    {
-		$encoding=$gettext_code;
-	    }
-	    elsif ($gettext_code ne "ASCII")
-	    {
-		# Only report once because the message is quite long
-		if (! $encoding_problem_is_reported)
-		{
-		    print STDERR "WARNING: You should use the same file encoding for all your project files,\n".
-				 "         but $PROGRAM thinks that most of the source files are in\n".
-				 "         $encoding encoding, while \"$_\" is (likely) in\n".
-		       		 "         $gettext_code encoding. If you are sure that all translatable strings\n".
-				 "         are in same encoding (say UTF-8), please \e[1m*prepend*\e[0m the following\n".
-				 "         line to POTFILES.in:\n\n".
-				 "                 [encoding: UTF-8]\n\n".
-				 "         and make sure that configure.in/ac checks for $PACKAGE >= 0.27 .\n".
-				 "(such warning message will only be reported once.)\n";
-		    $encoding_problem_is_reported = 1;
-		}
-	    }
-	}
-    }
-
-    close OUTFILE;
-    close INFILE;
-
-    unlink "$MODULE.pot";
-    my @xgettext_argument=("$XGETTEXT",
-			   "--add-comments",
-			   "--directory\=.",
-                           "--default-domain\=$MODULE",
-                           "--flag\=g_strdup_printf:1:c-format",
-                           "--flag\=g_string_printf:2:c-format",
-                           "--flag\=g_string_append_printf:2:c-format",
-                           "--flag\=g_error_new:3:c-format",
-                           "--flag\=g_set_error:4:c-format",
-                           "--flag\=g_markup_printf_escaped:1:c-format",
-                           "--flag\=g_log:3:c-format",
-                           "--flag\=g_print:1:c-format",
-                           "--flag\=g_printerr:1:c-format",
-                           "--flag\=g_printf:1:c-format",
-                           "--flag\=g_fprintf:2:c-format",
-                           "--flag\=g_sprintf:2:c-format",
-                           "--flag\=g_snprintf:3:c-format",
-                           "--flag\=g_scanner_error:2:c-format",
-                           "--flag\=g_scanner_warn:2:c-format",
-			   "--output\=$MODULE\.pot",
-			   "--files-from\=\.\/POTFILES\.in\.temp");
-    my $XGETTEXT_KEYWORDS = &FindPOTKeywords;
-    push @xgettext_argument, $XGETTEXT_KEYWORDS;
-    my $MSGID_BUGS_ADDRESS = &FindMakevarsBugAddress;
-    push @xgettext_argument, "--msgid-bugs-address\=\"$MSGID_BUGS_ADDRESS\"" if $MSGID_BUGS_ADDRESS;
-    push @xgettext_argument, "--from-code\=$encoding" if ($gettext_support_nonascii);
-    push @xgettext_argument, $XGETTEXT_ARGS if $XGETTEXT_ARGS;
-    my $xgettext_command = join ' ', @xgettext_argument;
-
-    # intercept xgettext error message
-    print "Running $xgettext_command\n" if $VERBOSE;
-    my $xgettext_error_msg = `$xgettext_command 2>\&1`;
-    my $command_failed = $?;
-
-    unlink "POTFILES.in.temp";
-
-    print "Removing generated header (.h) files..." if $VERBOSE;
-    unlink foreach (@temp_headers);
-    print "done.\n" if $VERBOSE;
-
-    if (! $command_failed)
-    {
-	if (! -e "$MODULE.pot")
-	{
-	    print "None of the files in POTFILES.in contain strings marked for translation.\n" if $VERBOSE;
-	}
-	else
-	{
-	    print "Wrote $MODULE.pot\n" if $VERBOSE;
-	}
-    }
-    else
-    {
-	if ($xgettext_error_msg =~ /--from-code/)
-	{
-	    # replace non-ASCII error message with a more useful one.
-	    print STDERR "ERROR: xgettext failed to generate PO template file because there is non-ASCII\n".
-			 "       string marked for translation. Please make sure that all strings marked\n".
-			 "       for translation are in uniform encoding (say UTF-8), then \e[1m*prepend*\e[0m the\n".
-			 "       following line to POTFILES.in and rerun $PROGRAM:\n\n".
-			 "           [encoding: UTF-8]\n\n";
-	}
-	else
-	{
-	    print STDERR "$xgettext_error_msg";
-	    if (-e "$MODULE.pot")
-	    {
-		# is this possible?
-		print STDERR "ERROR: xgettext failed but still managed to generate PO template file.\n".
-			     "       Please consult error message above if there is any.\n";
-	    }
-	    else
-	    {
-		print STDERR "ERROR: xgettext failed to generate PO template file. Please consult\n".
-			     "       error message above if there is any.\n";
-	    }
-	}
-	exit (1);
-    }
-}
-
-sub POFile_Update
-{
-    -f "$MODULE.pot" or die "$PROGRAM: $MODULE.pot does not exist.\n";
-
-    my $MSGMERGE = $ENV{"MSGMERGE"} || "msgmerge";
-    my ($lang, $outfile) = @_;
-
-    if (! isGNUGettextTool ("$MSGMERGE"))
-    {
-	print STDERR " *** GNU msgmerge is not found on this system!\n".
-		     " *** Without it, intltool-update can not extract strings.\n";
-	exit;
-    }
-
-    print "Merging $SRCDIR/$lang.po with $MODULE.pot..." if $VERBOSE;
-
-    my $infile = "$SRCDIR/$lang.po";
-    $outfile = "$SRCDIR/$lang.po" if ($outfile eq "");
-
-    # I think msgmerge won't overwrite old file if merge is not successful
-    system ("$MSGMERGE", "-o", $outfile, $infile, "$MODULE.pot");
-}
-
-sub Console_WriteError_NotExisting
-{
-    my ($file) = @_;
-
-    ## Report error if supplied language file is non-existing
-    print STDERR "$PROGRAM: $file does not exist!\n";
-    print STDERR "Try '$PROGRAM --help' for more information.\n";
-    exit;
-}
-
-sub GatherPOFiles
-{
-    my @po_files = glob ("./*.po");
-
-    @languages = map (&POFile_GetLanguage, @po_files);
-
-    foreach my $lang (@languages) 
-    {
-	$po_files_by_lang{$lang} = shift (@po_files);
-    }
-}
-
-sub POFile_GetLanguage ($)
-{
-    s/^(.*\/)?(.+)\.po$/$2/;
-    return $_;
-}
-
-sub Console_Write_TranslationStatus
-{
-    my ($lang, $output_file) = @_;
-    my $MSGFMT = $ENV{"MSGFMT"} || "msgfmt";
-
-    if (! isGNUGettextTool ("$MSGFMT"))
-    {
-	print STDERR " *** GNU msgfmt is not found on this system!\n".
-		     " *** Without it, intltool-update can not extract strings.\n";
-	exit;
-    }
-
-    $output_file = "$SRCDIR/$lang.po" if ($output_file eq "");
-
-    system ("$MSGFMT", "-o", "$devnull", "--verbose", $output_file);
-}
-
-sub Console_Write_CoverageReport
-{
-    my $MSGFMT = $ENV{"MSGFMT"} || "msgfmt";
-
-    if (! isGNUGettextTool ("$MSGFMT"))
-    {
-	print STDERR " *** GNU msgfmt is not found on this system!\n".
-		     " *** Without it, intltool-update can not extract strings.\n";
-	exit;
-    }
-
-    &GatherPOFiles;
-
-    foreach my $lang (@languages) 
-    {
-	print STDERR "$lang: ";
-	&POFile_Update ($lang, "");
-    }
-
-    print STDERR "\n\n * Current translation support in $MODULE \n\n";
-
-    foreach my $lang (@languages)
-    {
-	print STDERR "$lang: ";
-	system ("$MSGFMT", "-o", "$devnull", "--verbose", "$SRCDIR/$lang.po");
-    }
-}
-
-sub SubstituteVariable
-{
-    my ($str) = @_;
-    
-    # always need to rewind file whenever it has been accessed
-    seek (CONF, 0, 0);
-
-    # cache each variable. varhash is global to we can add
-    # variables elsewhere.
-    while (<CONF>)
-    {
-	if (/^(\w+)=(.*)$/)
-	{
-	    ($varhash{$1} = $2) =~  s/^["'](.*)["']$/$1/;
-	}
-    }
-    
-    if ($str =~ /^(.*)\${?([A-Z_]+)}?(.*)$/)
-    {
-	my $rest = $3;
-	my $untouched = $1;
-	my $sub = "";
-        # Ignore recursive definitions of variables
-        $sub = $varhash{$2} if defined $varhash{$2} and $varhash{$2} !~ /\${?$2}?/;
-
-	return SubstituteVariable ("$untouched$sub$rest");
-    }
-    
-    # We're using Perl backticks ` and "echo -n" here in order to 
-    # expand any shell escapes (such as backticks themselves) in every variable
-    return echo_n ($str);
-}
-
-sub CONF_Handle_Open
-{
-    my $base_dirname = getcwd();
-    $base_dirname =~ s@.*/@@;
-
-    my ($conf_in, $src_dir);
-
-    if ($base_dirname =~ /^po(-.+)?$/) 
-    {
-	if (-f "Makevars") 
-	{
-	    my $makefile_source;
-
-	    local (*IN);
-	    open (IN, "<Makevars") || die "can't open Makevars: $!";
-
-	    while (<IN>) 
-	    {
-		if (/^top_builddir[ \t]*=/) 
-		{
-		    $src_dir = $_;
-		    $src_dir =~ s/^top_builddir[ \t]*=[ \t]*([^ \t\n\r]*)/$1/;
-
-		    chomp $src_dir;
-                    if (-f "$src_dir" . "/configure.ac") {
-                        $conf_in = "$src_dir" . "/configure.ac" . "\n";
-                    } else {
-                        $conf_in = "$src_dir" . "/configure.in" . "\n";
-                    }
-		    last;
-		}
-	    }
-	    close IN;
-
-	    $conf_in || die "Cannot find top_builddir in Makevars.";
-	}
-	elsif (-f "$SRCDIR/../configure.ac") 
-	{
-	    $conf_in = "$SRCDIR/../configure.ac";
-	} 
-	elsif (-f "$SRCDIR/../configure.in") 
-	{
-	    $conf_in = "$SRCDIR/../configure.in";
-	} 
-	else 
-	{
-	    my $makefile_source;
-
-	    local (*IN);
-	    open (IN, "<Makefile") || return;
-
-	    while (<IN>) 
-	    {
-		if (/^top_srcdir[ \t]*=/) 
-		{
-		    $src_dir = $_;		    
-		    $src_dir =~ s/^top_srcdir[ \t]*=[ \t]*([^ \t\n\r]*)/$1/;
-
-		    chomp $src_dir;
-		    $conf_in = "$src_dir" . "/configure.in" . "\n";
-
-		    last;
-		}
-	    }
-	    close IN;
-
-	    $conf_in || die "Cannot find top_srcdir in Makefile.";
-	}
-
-	open (CONF, "<$conf_in");
-    }
-    else
-    {
-	print STDERR "$PROGRAM: Unable to proceed.\n" .
-		     "Make sure to run this script inside the po directory.\n";
-	exit;
-    }
-}
-
-sub FindPackageName
-{
-    my $version;
-    my $domain = &FindMakevarsDomain;
-    my $name = $domain || "untitled";
-
-    &CONF_Handle_Open;
-
-    my $conf_source; {
-	local (*IN);
-	open (IN, "<&CONF") || return $name;
-	seek (IN, 0, 0);
-	local $/; # slurp mode
-	$conf_source = <IN>;
-	close IN;
-    }
-
-    # priority for getting package name:
-    # 1. GETTEXT_PACKAGE
-    # 2. first argument of AC_INIT (with >= 2 arguments)
-    # 3. first argument of AM_INIT_AUTOMAKE (with >= 2 argument)
-
-    # /^AM_INIT_AUTOMAKE\([\s\[]*([^,\)\s\]]+)/m 
-    # the \s makes this not work, why?
-    if ($conf_source =~ /^AM_INIT_AUTOMAKE\(([^,\)]+),([^,\)]+)/m)
-    {
-	($name, $version) = ($1, $2);
-	$name    =~ s/[\[\]\s]//g;
-	$version =~ s/[\[\]\s]//g;
-	$varhash{"PACKAGE_NAME"} = $name if (not $name =~ /\${?AC_PACKAGE_NAME}?/);
-	$varhash{"PACKAGE"} = $name if (not $name =~ /\${?PACKAGE}?/);
-	$varhash{"PACKAGE_VERSION"} = $version if (not $name =~ /\${?AC_PACKAGE_VERSION}?/);
-	$varhash{"VERSION"} = $version if (not $name =~ /\${?VERSION}?/);
-    }
-    
-    if ($conf_source =~ /^AC_INIT\(([^,\)]+),([^,\)]+)/m) 
-    {
-	($name, $version) = ($1, $2);
-	$name    =~ s/[\[\]\s]//g;
-	$version =~ s/[\[\]\s]//g;
-	$varhash{"PACKAGE_NAME"} = $name if (not $name =~ /\${?AC_PACKAGE_NAME}?/);
-	$varhash{"PACKAGE"} = $name if (not $name =~ /\${?PACKAGE}?/);
-	$varhash{"PACKAGE_VERSION"} = $version if (not $name =~ /\${?AC_PACKAGE_VERSION}?/);
-	$varhash{"VERSION"} = $version if (not $name =~ /\${?VERSION}?/);
-    }
-
-    # \s makes this not work, why?
-    $name = $1 if $conf_source =~ /^GETTEXT_PACKAGE=\[?([^\n\]]+)/m;
-    
-    # m4 macros AC_PACKAGE_NAME, AC_PACKAGE_VERSION etc. have same value
-    # as corresponding $PACKAGE_NAME, $PACKAGE_VERSION etc. shell variables.
-    $name =~ s/\bAC_PACKAGE_/\$PACKAGE_/g;
-
-    $name = $domain if $domain;
-
-    $name = SubstituteVariable ($name);
-    $name =~ s/^["'](.*)["']$/$1/;
-
-    return $name if $name;
-}
-
-
-sub FindPOTKeywords
-{
-
-    my $keywords = "--keyword\=\_ --keyword\=N\_ --keyword\=U\_ --keyword\=Q\_";
-    my $varname = "XGETTEXT_OPTIONS";
-    my $make_source; {
-	local (*IN);
-	open (IN, "<Makevars") || (open(IN, "<Makefile.in.in") && ($varname = "XGETTEXT_KEYWORDS")) || return $keywords;
-	seek (IN, 0, 0);
-	local $/; # slurp mode
-	$make_source = <IN>;
-	close IN;
-    }
-
-    # unwrap lines split with a trailing \
-    $make_source =~  s/\\ $ \n/ /mxg;
-    $keywords = $1 if $make_source =~ /^$varname[ ]*=\[?([^\n\]]+)/m;
-    
-    return $keywords;
-}
-
-sub FindMakevarsDomain
-{
-
-    my $domain = "";
-    my $makevars_source; { 
-	local (*IN);
-	open (IN, "<Makevars") || return $domain;
-	seek (IN, 0, 0);
-	local $/; # slurp mode
-	$makevars_source = <IN>;
-	close IN;
-    }
-
-    $domain = $1 if $makevars_source =~ /^DOMAIN[ ]*=\[?([^\n\]\$]+)/m;
-    $domain =~ s/^\s+//;
-    $domain =~ s/\s+$//;
-    
-    return $domain;
-}
-
-sub FindMakevarsBugAddress
-{
-
-    my $address = "";
-    my $makevars_source; { 
-	local (*IN);
-	open (IN, "<Makevars") || return undef;
-	seek (IN, 0, 0);
-	local $/; # slurp mode
-	$makevars_source = <IN>;
-	close IN;
-    }
-
-    $address = $1 if $makevars_source =~ /^MSGID_BUGS_ADDRESS[ ]*=\[?([^\n\]\$]+)/m;
-    $address =~ s/^\s+//;
-    $address =~ s/\s+$//;
-    
-    return $address;
-}
diff --git a/src/charon/plugins/nm/gnome/ltmain.sh b/src/charon/plugins/nm/gnome/ltmain.sh
deleted file mode 100644
index e420facf5..000000000
--- a/src/charon/plugins/nm/gnome/ltmain.sh
+++ /dev/null
@@ -1,6964 +0,0 @@
-# ltmain.sh - Provide generalized library-building support services.
-# NOTE: Changing this file will not affect anything until you rerun configure.
-#
-# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2003, 2004, 2005, 2006,
-# 2007, 2008  Free Software Foundation, Inc.
-# Originally by Gordon Matzigkeit <gord@gnu.ai.mit.edu>, 1996
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-# General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-#
-# As a special exception to the GNU General Public License, if you
-# distribute this file as part of a program that contains a
-# configuration script generated by Autoconf, you may include it under
-# the same distribution terms that you use for the rest of that program.
-
-basename="s,^.*/,,g"
-
-# Work around backward compatibility issue on IRIX 6.5. On IRIX 6.4+, sh
-# is ksh but when the shell is invoked as "sh" and the current value of
-# the _XPG environment variable is not equal to 1 (one), the special
-# positional parameter $0, within a function call, is the name of the
-# function.
-progpath="$0"
-
-# The name of this program:
-progname=`echo "$progpath" | $SED $basename`
-modename="$progname"
-
-# Global variables:
-EXIT_SUCCESS=0
-EXIT_FAILURE=1
-
-PROGRAM=ltmain.sh
-PACKAGE=libtool
-VERSION="1.5.26 Debian 1.5.26-1ubuntu1"
-TIMESTAMP=" (1.1220.2.493 2008/02/01 16:58:18)"
-
-# Be Bourne compatible (taken from Autoconf:_AS_BOURNE_COMPATIBLE).
-if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
-  emulate sh
-  NULLCMD=:
-  # Zsh 3.x and 4.x performs word splitting on ${1+"$@"}, which
-  # is contrary to our usage.  Disable this feature.
-  alias -g '${1+"$@"}'='"$@"'
-  setopt NO_GLOB_SUBST
-else
-  case `(set -o) 2>/dev/null` in *posix*) set -o posix;; esac
-fi
-BIN_SH=xpg4; export BIN_SH # for Tru64
-DUALCASE=1; export DUALCASE # for MKS sh
-
-# Check that we have a working $echo.
-if test "X$1" = X--no-reexec; then
-  # Discard the --no-reexec flag, and continue.
-  shift
-elif test "X$1" = X--fallback-echo; then
-  # Avoid inline document here, it may be left over
-  :
-elif test "X`($echo '\t') 2>/dev/null`" = 'X\t'; then
-  # Yippee, $echo works!
-  :
-else
-  # Restart under the correct shell, and then maybe $echo will work.
-  exec $SHELL "$progpath" --no-reexec ${1+"$@"}
-fi
-
-if test "X$1" = X--fallback-echo; then
-  # used as fallback echo
-  shift
-  cat <<EOF
-$*
-EOF
-  exit $EXIT_SUCCESS
-fi
-
-default_mode=
-help="Try \`$progname --help' for more information."
-magic="%%%MAGIC variable%%%"
-mkdir="mkdir"
-mv="mv -f"
-rm="rm -f"
-
-# Sed substitution that helps us do robust quoting.  It backslashifies
-# metacharacters that are still active within double-quoted strings.
-Xsed="${SED}"' -e 1s/^X//'
-sed_quote_subst='s/\([\\`\\"$\\\\]\)/\\\1/g'
-# test EBCDIC or ASCII
-case `echo X|tr X '\101'` in
- A) # ASCII based system
-    # \n is not interpreted correctly by Solaris 8 /usr/ucb/tr
-  SP2NL='tr \040 \012'
-  NL2SP='tr \015\012 \040\040'
-  ;;
- *) # EBCDIC based system
-  SP2NL='tr \100 \n'
-  NL2SP='tr \r\n \100\100'
-  ;;
-esac
-
-# NLS nuisances.
-# Only set LANG and LC_ALL to C if already set.
-# These must not be set unconditionally because not all systems understand
-# e.g. LANG=C (notably SCO).
-# We save the old values to restore during execute mode.
-lt_env=
-for lt_var in LANG LANGUAGE LC_ALL LC_CTYPE LC_COLLATE LC_MESSAGES
-do
-  eval "if test \"\${$lt_var+set}\" = set; then
-	  save_$lt_var=\$$lt_var
-	  lt_env=\"$lt_var=\$$lt_var \$lt_env\"
-	  $lt_var=C
-	  export $lt_var
-	fi"
-done
-
-if test -n "$lt_env"; then
-  lt_env="env $lt_env"
-fi
-
-# Make sure IFS has a sensible default
-lt_nl='
-'
-IFS=" 	$lt_nl"
-
-if test "$build_libtool_libs" != yes && test "$build_old_libs" != yes; then
-  $echo "$modename: not configured to build any kind of library" 1>&2
-  $echo "Fatal configuration error.  See the $PACKAGE docs for more information." 1>&2
-  exit $EXIT_FAILURE
-fi
-
-# Global variables.
-mode=$default_mode
-nonopt=
-prev=
-prevopt=
-run=
-show="$echo"
-show_help=
-execute_dlfiles=
-duplicate_deps=no
-preserve_args=
-lo2o="s/\\.lo\$/.${objext}/"
-o2lo="s/\\.${objext}\$/.lo/"
-extracted_archives=
-extracted_serial=0
-
-#####################################
-# Shell function definitions:
-# This seems to be the best place for them
-
-# func_mktempdir [string]
-# Make a temporary directory that won't clash with other running
-# libtool processes, and avoids race conditions if possible.  If
-# given, STRING is the basename for that directory.
-func_mktempdir ()
-{
-    my_template="${TMPDIR-/tmp}/${1-$progname}"
-
-    if test "$run" = ":"; then
-      # Return a directory name, but don't create it in dry-run mode
-      my_tmpdir="${my_template}-$$"
-    else
-
-      # If mktemp works, use that first and foremost
-      my_tmpdir=`mktemp -d "${my_template}-XXXXXXXX" 2>/dev/null`
-
-      if test ! -d "$my_tmpdir"; then
-	# Failing that, at least try and use $RANDOM to avoid a race
-	my_tmpdir="${my_template}-${RANDOM-0}$$"
-
-	save_mktempdir_umask=`umask`
-	umask 0077
-	$mkdir "$my_tmpdir"
-	umask $save_mktempdir_umask
-      fi
-
-      # If we're not in dry-run mode, bomb out on failure
-      test -d "$my_tmpdir" || {
-        $echo "cannot create temporary directory \`$my_tmpdir'" 1>&2
-	exit $EXIT_FAILURE
-      }
-    fi
-
-    $echo "X$my_tmpdir" | $Xsed
-}
-
-
-# func_win32_libid arg
-# return the library type of file 'arg'
-#
-# Need a lot of goo to handle *both* DLLs and import libs
-# Has to be a shell function in order to 'eat' the argument
-# that is supplied when $file_magic_command is called.
-func_win32_libid ()
-{
-  win32_libid_type="unknown"
-  win32_fileres=`file -L $1 2>/dev/null`
-  case $win32_fileres in
-  *ar\ archive\ import\ library*) # definitely import
-    win32_libid_type="x86 archive import"
-    ;;
-  *ar\ archive*) # could be an import, or static
-    if eval $OBJDUMP -f $1 | $SED -e '10q' 2>/dev/null | \
-      $EGREP -e 'file format pe-i386(.*architecture: i386)?' >/dev/null ; then
-      win32_nmres=`eval $NM -f posix -A $1 | \
-	$SED -n -e '1,100{
-		/ I /{
-			s,.*,import,
-			p
-			q
-			}
-		}'`
-      case $win32_nmres in
-      import*)  win32_libid_type="x86 archive import";;
-      *)        win32_libid_type="x86 archive static";;
-      esac
-    fi
-    ;;
-  *DLL*)
-    win32_libid_type="x86 DLL"
-    ;;
-  *executable*) # but shell scripts are "executable" too...
-    case $win32_fileres in
-    *MS\ Windows\ PE\ Intel*)
-      win32_libid_type="x86 DLL"
-      ;;
-    esac
-    ;;
-  esac
-  $echo $win32_libid_type
-}
-
-
-# func_infer_tag arg
-# Infer tagged configuration to use if any are available and
-# if one wasn't chosen via the "--tag" command line option.
-# Only attempt this if the compiler in the base compile
-# command doesn't match the default compiler.
-# arg is usually of the form 'gcc ...'
-func_infer_tag ()
-{
-    if test -n "$available_tags" && test -z "$tagname"; then
-      CC_quoted=
-      for arg in $CC; do
-	case $arg in
-	  *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*|"")
-	  arg="\"$arg\""
-	  ;;
-	esac
-	CC_quoted="$CC_quoted $arg"
-      done
-      case $@ in
-      # Blanks in the command may have been stripped by the calling shell,
-      # but not from the CC environment variable when configure was run.
-      " $CC "* | "$CC "* | " `$echo $CC` "* | "`$echo $CC` "* | " $CC_quoted"* | "$CC_quoted "* | " `$echo $CC_quoted` "* | "`$echo $CC_quoted` "*) ;;
-      # Blanks at the start of $base_compile will cause this to fail
-      # if we don't check for them as well.
-      *)
-	for z in $available_tags; do
-	  if grep "^# ### BEGIN LIBTOOL TAG CONFIG: $z$" < "$progpath" > /dev/null; then
-	    # Evaluate the configuration.
-	    eval "`${SED} -n -e '/^# ### BEGIN LIBTOOL TAG CONFIG: '$z'$/,/^# ### END LIBTOOL TAG CONFIG: '$z'$/p' < $progpath`"
-	    CC_quoted=
-	    for arg in $CC; do
-	    # Double-quote args containing other shell metacharacters.
-	    case $arg in
-	      *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*|"")
-	      arg="\"$arg\""
-	      ;;
-	    esac
-	    CC_quoted="$CC_quoted $arg"
-	  done
-	    case "$@ " in
-	      " $CC "* | "$CC "* | " `$echo $CC` "* | "`$echo $CC` "* | " $CC_quoted"* | "$CC_quoted "* | " `$echo $CC_quoted` "* | "`$echo $CC_quoted` "*)
-	      # The compiler in the base compile command matches
-	      # the one in the tagged configuration.
-	      # Assume this is the tagged configuration we want.
-	      tagname=$z
-	      break
-	      ;;
-	    esac
-	  fi
-	done
-	# If $tagname still isn't set, then no tagged configuration
-	# was found and let the user know that the "--tag" command
-	# line option must be used.
-	if test -z "$tagname"; then
-	  $echo "$modename: unable to infer tagged configuration"
-	  $echo "$modename: specify a tag with \`--tag'" 1>&2
-	  exit $EXIT_FAILURE
-#        else
-#          $echo "$modename: using $tagname tagged configuration"
-	fi
-	;;
-      esac
-    fi
-}
-
-
-# func_extract_an_archive dir oldlib
-func_extract_an_archive ()
-{
-    f_ex_an_ar_dir="$1"; shift
-    f_ex_an_ar_oldlib="$1"
-
-    $show "(cd $f_ex_an_ar_dir && $AR x $f_ex_an_ar_oldlib)"
-    $run eval "(cd \$f_ex_an_ar_dir && $AR x \$f_ex_an_ar_oldlib)" || exit $?
-    if ($AR t "$f_ex_an_ar_oldlib" | sort | sort -uc >/dev/null 2>&1); then
-     :
-    else
-      $echo "$modename: ERROR: object name conflicts: $f_ex_an_ar_dir/$f_ex_an_ar_oldlib" 1>&2
-      exit $EXIT_FAILURE
-    fi
-}
-
-# func_extract_archives gentop oldlib ...
-func_extract_archives ()
-{
-    my_gentop="$1"; shift
-    my_oldlibs=${1+"$@"}
-    my_oldobjs=""
-    my_xlib=""
-    my_xabs=""
-    my_xdir=""
-    my_status=""
-
-    $show "${rm}r $my_gentop"
-    $run ${rm}r "$my_gentop"
-    $show "$mkdir $my_gentop"
-    $run $mkdir "$my_gentop"
-    my_status=$?
-    if test "$my_status" -ne 0 && test ! -d "$my_gentop"; then
-      exit $my_status
-    fi
-
-    for my_xlib in $my_oldlibs; do
-      # Extract the objects.
-      case $my_xlib in
-	[\\/]* | [A-Za-z]:[\\/]*) my_xabs="$my_xlib" ;;
-	*) my_xabs=`pwd`"/$my_xlib" ;;
-      esac
-      my_xlib=`$echo "X$my_xlib" | $Xsed -e 's%^.*/%%'`
-      my_xlib_u=$my_xlib
-      while :; do
-        case " $extracted_archives " in
-	*" $my_xlib_u "*)
-	  extracted_serial=`expr $extracted_serial + 1`
-	  my_xlib_u=lt$extracted_serial-$my_xlib ;;
-	*) break ;;
-	esac
-      done
-      extracted_archives="$extracted_archives $my_xlib_u"
-      my_xdir="$my_gentop/$my_xlib_u"
-
-      $show "${rm}r $my_xdir"
-      $run ${rm}r "$my_xdir"
-      $show "$mkdir $my_xdir"
-      $run $mkdir "$my_xdir"
-      exit_status=$?
-      if test "$exit_status" -ne 0 && test ! -d "$my_xdir"; then
-	exit $exit_status
-      fi
-      case $host in
-      *-darwin*)
-	$show "Extracting $my_xabs"
-	# Do not bother doing anything if just a dry run
-	if test -z "$run"; then
-	  darwin_orig_dir=`pwd`
-	  cd $my_xdir || exit $?
-	  darwin_archive=$my_xabs
-	  darwin_curdir=`pwd`
-	  darwin_base_archive=`$echo "X$darwin_archive" | $Xsed -e 's%^.*/%%'`
-	  darwin_arches=`lipo -info "$darwin_archive" 2>/dev/null | $EGREP Architectures 2>/dev/null`
-	  if test -n "$darwin_arches"; then 
-	    darwin_arches=`echo "$darwin_arches" | $SED -e 's/.*are://'`
-	    darwin_arch=
-	    $show "$darwin_base_archive has multiple architectures $darwin_arches"
-	    for darwin_arch in  $darwin_arches ; do
-	      mkdir -p "unfat-$$/${darwin_base_archive}-${darwin_arch}"
-	      lipo -thin $darwin_arch -output "unfat-$$/${darwin_base_archive}-${darwin_arch}/${darwin_base_archive}" "${darwin_archive}"
-	      cd "unfat-$$/${darwin_base_archive}-${darwin_arch}"
-	      func_extract_an_archive "`pwd`" "${darwin_base_archive}"
-	      cd "$darwin_curdir"
-	      $rm "unfat-$$/${darwin_base_archive}-${darwin_arch}/${darwin_base_archive}"
-	    done # $darwin_arches
-      ## Okay now we have a bunch of thin objects, gotta fatten them up :)
-	    darwin_filelist=`find unfat-$$ -type f -name \*.o -print -o -name \*.lo -print| xargs basename | sort -u | $NL2SP`
-	    darwin_file=
-	    darwin_files=
-	    for darwin_file in $darwin_filelist; do
-	      darwin_files=`find unfat-$$ -name $darwin_file -print | $NL2SP`
-	      lipo -create -output "$darwin_file" $darwin_files
-	    done # $darwin_filelist
-	    ${rm}r unfat-$$
-	    cd "$darwin_orig_dir"
-	  else
-	    cd "$darwin_orig_dir"
- 	    func_extract_an_archive "$my_xdir" "$my_xabs"
-	  fi # $darwin_arches
-	fi # $run
-	;;
-      *)
-        func_extract_an_archive "$my_xdir" "$my_xabs"
-        ;;
-      esac
-      my_oldobjs="$my_oldobjs "`find $my_xdir -name \*.$objext -print -o -name \*.lo -print | $NL2SP`
-    done
-    func_extract_archives_result="$my_oldobjs"
-}
-# End of Shell function definitions
-#####################################
-
-# Darwin sucks
-eval std_shrext=\"$shrext_cmds\"
-
-disable_libs=no
-
-# Parse our command line options once, thoroughly.
-while test "$#" -gt 0
-do
-  arg="$1"
-  shift
-
-  case $arg in
-  -*=*) optarg=`$echo "X$arg" | $Xsed -e 's/[-_a-zA-Z0-9]*=//'` ;;
-  *) optarg= ;;
-  esac
-
-  # If the previous option needs an argument, assign it.
-  if test -n "$prev"; then
-    case $prev in
-    execute_dlfiles)
-      execute_dlfiles="$execute_dlfiles $arg"
-      ;;
-    tag)
-      tagname="$arg"
-      preserve_args="${preserve_args}=$arg"
-
-      # Check whether tagname contains only valid characters
-      case $tagname in
-      *[!-_A-Za-z0-9,/]*)
-	$echo "$progname: invalid tag name: $tagname" 1>&2
-	exit $EXIT_FAILURE
-	;;
-      esac
-
-      case $tagname in
-      CC)
-	# Don't test for the "default" C tag, as we know, it's there, but
-	# not specially marked.
-	;;
-      *)
-	if grep "^# ### BEGIN LIBTOOL TAG CONFIG: $tagname$" < "$progpath" > /dev/null; then
-	  taglist="$taglist $tagname"
-	  # Evaluate the configuration.
-	  eval "`${SED} -n -e '/^# ### BEGIN LIBTOOL TAG CONFIG: '$tagname'$/,/^# ### END LIBTOOL TAG CONFIG: '$tagname'$/p' < $progpath`"
-	else
-	  $echo "$progname: ignoring unknown tag $tagname" 1>&2
-	fi
-	;;
-      esac
-      ;;
-    *)
-      eval "$prev=\$arg"
-      ;;
-    esac
-
-    prev=
-    prevopt=
-    continue
-  fi
-
-  # Have we seen a non-optional argument yet?
-  case $arg in
-  --help)
-    show_help=yes
-    ;;
-
-  --version)
-    echo "\
-$PROGRAM (GNU $PACKAGE) $VERSION$TIMESTAMP
-
-Copyright (C) 2008  Free Software Foundation, Inc.
-This is free software; see the source for copying conditions.  There is NO
-warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
-    exit $?
-    ;;
-
-  --config)
-    ${SED} -e '1,/^# ### BEGIN LIBTOOL CONFIG/d' -e '/^# ### END LIBTOOL CONFIG/,$d' $progpath
-    # Now print the configurations for the tags.
-    for tagname in $taglist; do
-      ${SED} -n -e "/^# ### BEGIN LIBTOOL TAG CONFIG: $tagname$/,/^# ### END LIBTOOL TAG CONFIG: $tagname$/p" < "$progpath"
-    done
-    exit $?
-    ;;
-
-  --debug)
-    $echo "$progname: enabling shell trace mode"
-    set -x
-    preserve_args="$preserve_args $arg"
-    ;;
-
-  --dry-run | -n)
-    run=:
-    ;;
-
-  --features)
-    $echo "host: $host"
-    if test "$build_libtool_libs" = yes; then
-      $echo "enable shared libraries"
-    else
-      $echo "disable shared libraries"
-    fi
-    if test "$build_old_libs" = yes; then
-      $echo "enable static libraries"
-    else
-      $echo "disable static libraries"
-    fi
-    exit $?
-    ;;
-
-  --finish) mode="finish" ;;
-
-  --mode) prevopt="--mode" prev=mode ;;
-  --mode=*) mode="$optarg" ;;
-
-  --preserve-dup-deps) duplicate_deps="yes" ;;
-
-  --quiet | --silent)
-    show=:
-    preserve_args="$preserve_args $arg"
-    ;;
-
-  --tag)
-    prevopt="--tag"
-    prev=tag
-    preserve_args="$preserve_args --tag"
-    ;;
-  --tag=*)
-    set tag "$optarg" ${1+"$@"}
-    shift
-    prev=tag
-    preserve_args="$preserve_args --tag"
-    ;;
-
-  -dlopen)
-    prevopt="-dlopen"
-    prev=execute_dlfiles
-    ;;
-
-  -*)
-    $echo "$modename: unrecognized option \`$arg'" 1>&2
-    $echo "$help" 1>&2
-    exit $EXIT_FAILURE
-    ;;
-
-  *)
-    nonopt="$arg"
-    break
-    ;;
-  esac
-done
-
-if test -n "$prevopt"; then
-  $echo "$modename: option \`$prevopt' requires an argument" 1>&2
-  $echo "$help" 1>&2
-  exit $EXIT_FAILURE
-fi
-
-case $disable_libs in
-no) 
-  ;;
-shared)
-  build_libtool_libs=no
-  build_old_libs=yes
-  ;;
-static)
-  build_old_libs=`case $build_libtool_libs in yes) echo no;; *) echo yes;; esac`
-  ;;
-esac
-
-# If this variable is set in any of the actions, the command in it
-# will be execed at the end.  This prevents here-documents from being
-# left over by shells.
-exec_cmd=
-
-if test -z "$show_help"; then
-
-  # Infer the operation mode.
-  if test -z "$mode"; then
-    $echo "*** Warning: inferring the mode of operation is deprecated." 1>&2
-    $echo "*** Future versions of Libtool will require --mode=MODE be specified." 1>&2
-    case $nonopt in
-    *cc | cc* | *++ | gcc* | *-gcc* | g++* | xlc*)
-      mode=link
-      for arg
-      do
-	case $arg in
-	-c)
-	   mode=compile
-	   break
-	   ;;
-	esac
-      done
-      ;;
-    *db | *dbx | *strace | *truss)
-      mode=execute
-      ;;
-    *install*|cp|mv)
-      mode=install
-      ;;
-    *rm)
-      mode=uninstall
-      ;;
-    *)
-      # If we have no mode, but dlfiles were specified, then do execute mode.
-      test -n "$execute_dlfiles" && mode=execute
-
-      # Just use the default operation mode.
-      if test -z "$mode"; then
-	if test -n "$nonopt"; then
-	  $echo "$modename: warning: cannot infer operation mode from \`$nonopt'" 1>&2
-	else
-	  $echo "$modename: warning: cannot infer operation mode without MODE-ARGS" 1>&2
-	fi
-      fi
-      ;;
-    esac
-  fi
-
-  # Only execute mode is allowed to have -dlopen flags.
-  if test -n "$execute_dlfiles" && test "$mode" != execute; then
-    $echo "$modename: unrecognized option \`-dlopen'" 1>&2
-    $echo "$help" 1>&2
-    exit $EXIT_FAILURE
-  fi
-
-  # Change the help message to a mode-specific one.
-  generic_help="$help"
-  help="Try \`$modename --help --mode=$mode' for more information."
-
-  # These modes are in order of execution frequency so that they run quickly.
-  case $mode in
-  # libtool compile mode
-  compile)
-    modename="$modename: compile"
-    # Get the compilation command and the source file.
-    base_compile=
-    srcfile="$nonopt"  #  always keep a non-empty value in "srcfile"
-    suppress_opt=yes
-    suppress_output=
-    arg_mode=normal
-    libobj=
-    later=
-
-    for arg
-    do
-      case $arg_mode in
-      arg  )
-	# do not "continue".  Instead, add this to base_compile
-	lastarg="$arg"
-	arg_mode=normal
-	;;
-
-      target )
-	libobj="$arg"
-	arg_mode=normal
-	continue
-	;;
-
-      normal )
-	# Accept any command-line options.
-	case $arg in
-	-o)
-	  if test -n "$libobj" ; then
-	    $echo "$modename: you cannot specify \`-o' more than once" 1>&2
-	    exit $EXIT_FAILURE
-	  fi
-	  arg_mode=target
-	  continue
-	  ;;
-
-	-static | -prefer-pic | -prefer-non-pic)
-	  later="$later $arg"
-	  continue
-	  ;;
-
-	-no-suppress)
-	  suppress_opt=no
-	  continue
-	  ;;
-
-	-Xcompiler)
-	  arg_mode=arg  #  the next one goes into the "base_compile" arg list
-	  continue      #  The current "srcfile" will either be retained or
-	  ;;            #  replaced later.  I would guess that would be a bug.
-
-	-Wc,*)
-	  args=`$echo "X$arg" | $Xsed -e "s/^-Wc,//"`
-	  lastarg=
-	  save_ifs="$IFS"; IFS=','
- 	  for arg in $args; do
-	    IFS="$save_ifs"
-
-	    # Double-quote args containing other shell metacharacters.
-	    # Many Bourne shells cannot handle close brackets correctly
-	    # in scan sets, so we specify it separately.
-	    case $arg in
-	      *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*|"")
-	      arg="\"$arg\""
-	      ;;
-	    esac
-	    lastarg="$lastarg $arg"
-	  done
-	  IFS="$save_ifs"
-	  lastarg=`$echo "X$lastarg" | $Xsed -e "s/^ //"`
-
-	  # Add the arguments to base_compile.
-	  base_compile="$base_compile $lastarg"
-	  continue
-	  ;;
-
-	* )
-	  # Accept the current argument as the source file.
-	  # The previous "srcfile" becomes the current argument.
-	  #
-	  lastarg="$srcfile"
-	  srcfile="$arg"
-	  ;;
-	esac  #  case $arg
-	;;
-      esac    #  case $arg_mode
-
-      # Aesthetically quote the previous argument.
-      lastarg=`$echo "X$lastarg" | $Xsed -e "$sed_quote_subst"`
-
-      case $lastarg in
-      # Double-quote args containing other shell metacharacters.
-      # Many Bourne shells cannot handle close brackets correctly
-      # in scan sets, and some SunOS ksh mistreat backslash-escaping
-      # in scan sets (worked around with variable expansion),
-      # and furthermore cannot handle '|' '&' '(' ')' in scan sets 
-      # at all, so we specify them separately.
-      *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*|"")
-	lastarg="\"$lastarg\""
-	;;
-      esac
-
-      base_compile="$base_compile $lastarg"
-    done # for arg
-
-    case $arg_mode in
-    arg)
-      $echo "$modename: you must specify an argument for -Xcompile"
-      exit $EXIT_FAILURE
-      ;;
-    target)
-      $echo "$modename: you must specify a target with \`-o'" 1>&2
-      exit $EXIT_FAILURE
-      ;;
-    *)
-      # Get the name of the library object.
-      [ -z "$libobj" ] && libobj=`$echo "X$srcfile" | $Xsed -e 's%^.*/%%'`
-      ;;
-    esac
-
-    # Recognize several different file suffixes.
-    # If the user specifies -o file.o, it is replaced with file.lo
-    xform='[cCFSifmso]'
-    case $libobj in
-    *.ada) xform=ada ;;
-    *.adb) xform=adb ;;
-    *.ads) xform=ads ;;
-    *.asm) xform=asm ;;
-    *.c++) xform=c++ ;;
-    *.cc) xform=cc ;;
-    *.ii) xform=ii ;;
-    *.class) xform=class ;;
-    *.cpp) xform=cpp ;;
-    *.cxx) xform=cxx ;;
-    *.[fF][09]?) xform=[fF][09]. ;;
-    *.for) xform=for ;;
-    *.java) xform=java ;;
-    *.obj) xform=obj ;;
-    *.sx) xform=sx ;;
-    esac
-
-    libobj=`$echo "X$libobj" | $Xsed -e "s/\.$xform$/.lo/"`
-
-    case $libobj in
-    *.lo) obj=`$echo "X$libobj" | $Xsed -e "$lo2o"` ;;
-    *)
-      $echo "$modename: cannot determine name of library object from \`$libobj'" 1>&2
-      exit $EXIT_FAILURE
-      ;;
-    esac
-
-    func_infer_tag $base_compile
-
-    for arg in $later; do
-      case $arg in
-      -static)
-	build_old_libs=yes
-	continue
-	;;
-
-      -prefer-pic)
-	pic_mode=yes
-	continue
-	;;
-
-      -prefer-non-pic)
-	pic_mode=no
-	continue
-	;;
-      esac
-    done
-
-    qlibobj=`$echo "X$libobj" | $Xsed -e "$sed_quote_subst"`
-    case $qlibobj in
-      *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*|"")
-	qlibobj="\"$qlibobj\"" ;;
-    esac
-    test "X$libobj" != "X$qlibobj" \
-	&& $echo "X$libobj" | grep '[]~#^*{};<>?"'"'"' 	&()|`$[]' \
-	&& $echo "$modename: libobj name \`$libobj' may not contain shell special characters."
-    objname=`$echo "X$obj" | $Xsed -e 's%^.*/%%'`
-    xdir=`$echo "X$obj" | $Xsed -e 's%/[^/]*$%%'`
-    if test "X$xdir" = "X$obj"; then
-      xdir=
-    else
-      xdir=$xdir/
-    fi
-    lobj=${xdir}$objdir/$objname
-
-    if test -z "$base_compile"; then
-      $echo "$modename: you must specify a compilation command" 1>&2
-      $echo "$help" 1>&2
-      exit $EXIT_FAILURE
-    fi
-
-    # Delete any leftover library objects.
-    if test "$build_old_libs" = yes; then
-      removelist="$obj $lobj $libobj ${libobj}T"
-    else
-      removelist="$lobj $libobj ${libobj}T"
-    fi
-
-    $run $rm $removelist
-    trap "$run $rm $removelist; exit $EXIT_FAILURE" 1 2 15
-
-    # On Cygwin there's no "real" PIC flag so we must build both object types
-    case $host_os in
-    cygwin* | mingw* | pw32* | os2*)
-      pic_mode=default
-      ;;
-    esac
-    if test "$pic_mode" = no && test "$deplibs_check_method" != pass_all; then
-      # non-PIC code in shared libraries is not supported
-      pic_mode=default
-    fi
-
-    # Calculate the filename of the output object if compiler does
-    # not support -o with -c
-    if test "$compiler_c_o" = no; then
-      output_obj=`$echo "X$srcfile" | $Xsed -e 's%^.*/%%' -e 's%\.[^.]*$%%'`.${objext}
-      lockfile="$output_obj.lock"
-      removelist="$removelist $output_obj $lockfile"
-      trap "$run $rm $removelist; exit $EXIT_FAILURE" 1 2 15
-    else
-      output_obj=
-      need_locks=no
-      lockfile=
-    fi
-
-    # Lock this critical section if it is needed
-    # We use this script file to make the link, it avoids creating a new file
-    if test "$need_locks" = yes; then
-      until $run ln "$progpath" "$lockfile" 2>/dev/null; do
-	$show "Waiting for $lockfile to be removed"
-	sleep 2
-      done
-    elif test "$need_locks" = warn; then
-      if test -f "$lockfile"; then
-	$echo "\
-*** ERROR, $lockfile exists and contains:
-`cat $lockfile 2>/dev/null`
-
-This indicates that another process is trying to use the same
-temporary object file, and libtool could not work around it because
-your compiler does not support \`-c' and \`-o' together.  If you
-repeat this compilation, it may succeed, by chance, but you had better
-avoid parallel builds (make -j) in this platform, or get a better
-compiler."
-
-	$run $rm $removelist
-	exit $EXIT_FAILURE
-      fi
-      $echo "$srcfile" > "$lockfile"
-    fi
-
-    if test -n "$fix_srcfile_path"; then
-      eval srcfile=\"$fix_srcfile_path\"
-    fi
-    qsrcfile=`$echo "X$srcfile" | $Xsed -e "$sed_quote_subst"`
-    case $qsrcfile in
-      *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*|"")
-      qsrcfile="\"$qsrcfile\"" ;;
-    esac
-
-    $run $rm "$libobj" "${libobj}T"
-
-    # Create a libtool object file (analogous to a ".la" file),
-    # but don't create it if we're doing a dry run.
-    test -z "$run" && cat > ${libobj}T <<EOF
-# $libobj - a libtool object file
-# Generated by $PROGRAM - GNU $PACKAGE $VERSION$TIMESTAMP
-#
-# Please DO NOT delete this file!
-# It is necessary for linking the library.
-
-# Name of the PIC object.
-EOF
-
-    # Only build a PIC object if we are building libtool libraries.
-    if test "$build_libtool_libs" = yes; then
-      # Without this assignment, base_compile gets emptied.
-      fbsd_hideous_sh_bug=$base_compile
-
-      if test "$pic_mode" != no; then
-	command="$base_compile $qsrcfile $pic_flag"
-      else
-	# Don't build PIC code
-	command="$base_compile $qsrcfile"
-      fi
-
-      if test ! -d "${xdir}$objdir"; then
-	$show "$mkdir ${xdir}$objdir"
-	$run $mkdir ${xdir}$objdir
-	exit_status=$?
-	if test "$exit_status" -ne 0 && test ! -d "${xdir}$objdir"; then
-	  exit $exit_status
-	fi
-      fi
-
-      if test -z "$output_obj"; then
-	# Place PIC objects in $objdir
-	command="$command -o $lobj"
-      fi
-
-      $run $rm "$lobj" "$output_obj"
-
-      $show "$command"
-      if $run eval $lt_env "$command"; then :
-      else
-	test -n "$output_obj" && $run $rm $removelist
-	exit $EXIT_FAILURE
-      fi
-
-      if test "$need_locks" = warn &&
-	 test "X`cat $lockfile 2>/dev/null`" != "X$srcfile"; then
-	$echo "\
-*** ERROR, $lockfile contains:
-`cat $lockfile 2>/dev/null`
-
-but it should contain:
-$srcfile
-
-This indicates that another process is trying to use the same
-temporary object file, and libtool could not work around it because
-your compiler does not support \`-c' and \`-o' together.  If you
-repeat this compilation, it may succeed, by chance, but you had better
-avoid parallel builds (make -j) in this platform, or get a better
-compiler."
-
-	$run $rm $removelist
-	exit $EXIT_FAILURE
-      fi
-
-      # Just move the object if needed, then go on to compile the next one
-      if test -n "$output_obj" && test "X$output_obj" != "X$lobj"; then
-	$show "$mv $output_obj $lobj"
-	if $run $mv $output_obj $lobj; then :
-	else
-	  error=$?
-	  $run $rm $removelist
-	  exit $error
-	fi
-      fi
-
-      # Append the name of the PIC object to the libtool object file.
-      test -z "$run" && cat >> ${libobj}T <<EOF
-pic_object='$objdir/$objname'
-
-EOF
-
-      # Allow error messages only from the first compilation.
-      if test "$suppress_opt" = yes; then
-        suppress_output=' >/dev/null 2>&1'
-      fi
-    else
-      # No PIC object so indicate it doesn't exist in the libtool
-      # object file.
-      test -z "$run" && cat >> ${libobj}T <<EOF
-pic_object=none
-
-EOF
-    fi
-
-    # Only build a position-dependent object if we build old libraries.
-    if test "$build_old_libs" = yes; then
-      if test "$pic_mode" != yes; then
-	# Don't build PIC code
-	command="$base_compile $qsrcfile"
-      else
-	command="$base_compile $qsrcfile $pic_flag"
-      fi
-      if test "$compiler_c_o" = yes; then
-	command="$command -o $obj"
-      fi
-
-      # Suppress compiler output if we already did a PIC compilation.
-      command="$command$suppress_output"
-      $run $rm "$obj" "$output_obj"
-      $show "$command"
-      if $run eval $lt_env "$command"; then :
-      else
-	$run $rm $removelist
-	exit $EXIT_FAILURE
-      fi
-
-      if test "$need_locks" = warn &&
-	 test "X`cat $lockfile 2>/dev/null`" != "X$srcfile"; then
-	$echo "\
-*** ERROR, $lockfile contains:
-`cat $lockfile 2>/dev/null`
-
-but it should contain:
-$srcfile
-
-This indicates that another process is trying to use the same
-temporary object file, and libtool could not work around it because
-your compiler does not support \`-c' and \`-o' together.  If you
-repeat this compilation, it may succeed, by chance, but you had better
-avoid parallel builds (make -j) in this platform, or get a better
-compiler."
-
-	$run $rm $removelist
-	exit $EXIT_FAILURE
-      fi
-
-      # Just move the object if needed
-      if test -n "$output_obj" && test "X$output_obj" != "X$obj"; then
-	$show "$mv $output_obj $obj"
-	if $run $mv $output_obj $obj; then :
-	else
-	  error=$?
-	  $run $rm $removelist
-	  exit $error
-	fi
-      fi
-
-      # Append the name of the non-PIC object the libtool object file.
-      # Only append if the libtool object file exists.
-      test -z "$run" && cat >> ${libobj}T <<EOF
-# Name of the non-PIC object.
-non_pic_object='$objname'
-
-EOF
-    else
-      # Append the name of the non-PIC object the libtool object file.
-      # Only append if the libtool object file exists.
-      test -z "$run" && cat >> ${libobj}T <<EOF
-# Name of the non-PIC object.
-non_pic_object=none
-
-EOF
-    fi
-
-    $run $mv "${libobj}T" "${libobj}"
-
-    # Unlock the critical section if it was locked
-    if test "$need_locks" != no; then
-      $run $rm "$lockfile"
-    fi
-
-    exit $EXIT_SUCCESS
-    ;;
-
-  # libtool link mode
-  link | relink)
-    modename="$modename: link"
-    case $host in
-    *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2*)
-      # It is impossible to link a dll without this setting, and
-      # we shouldn't force the makefile maintainer to figure out
-      # which system we are compiling for in order to pass an extra
-      # flag for every libtool invocation.
-      # allow_undefined=no
-
-      # FIXME: Unfortunately, there are problems with the above when trying
-      # to make a dll which has undefined symbols, in which case not
-      # even a static library is built.  For now, we need to specify
-      # -no-undefined on the libtool link line when we can be certain
-      # that all symbols are satisfied, otherwise we get a static library.
-      allow_undefined=yes
-      ;;
-    *)
-      allow_undefined=yes
-      ;;
-    esac
-    libtool_args="$nonopt"
-    base_compile="$nonopt $@"
-    compile_command="$nonopt"
-    finalize_command="$nonopt"
-
-    compile_rpath=
-    finalize_rpath=
-    compile_shlibpath=
-    finalize_shlibpath=
-    convenience=
-    old_convenience=
-    deplibs=
-    old_deplibs=
-    compiler_flags=
-    linker_flags=
-    dllsearchpath=
-    lib_search_path=`pwd`
-    inst_prefix_dir=
-
-    avoid_version=no
-    dlfiles=
-    dlprefiles=
-    dlself=no
-    export_dynamic=no
-    export_symbols=
-    export_symbols_regex=
-    generated=
-    libobjs=
-    ltlibs=
-    module=no
-    no_install=no
-    objs=
-    non_pic_objects=
-    notinst_path= # paths that contain not-installed libtool libraries
-    precious_files_regex=
-    prefer_static_libs=no
-    preload=no
-    prev=
-    prevarg=
-    release=
-    rpath=
-    xrpath=
-    perm_rpath=
-    temp_rpath=
-    thread_safe=no
-    vinfo=
-    vinfo_number=no
-    single_module="${wl}-single_module"
-
-    func_infer_tag $base_compile
-
-    # We need to know -static, to get the right output filenames.
-    for arg
-    do
-      case $arg in
-      -all-static | -static | -static-libtool-libs)
-	case $arg in
-	-all-static)
-	  if test "$build_libtool_libs" = yes && test -z "$link_static_flag"; then
-	    $echo "$modename: warning: complete static linking is impossible in this configuration" 1>&2
-	  fi
-	  if test -n "$link_static_flag"; then
-	    dlopen_self=$dlopen_self_static
-	  fi
-	  prefer_static_libs=yes
-	  ;;
-	-static)
-	  if test -z "$pic_flag" && test -n "$link_static_flag"; then
-	    dlopen_self=$dlopen_self_static
-	  fi
-	  prefer_static_libs=built
-	  ;;
-	-static-libtool-libs)
-	  if test -z "$pic_flag" && test -n "$link_static_flag"; then
-	    dlopen_self=$dlopen_self_static
-	  fi
-	  prefer_static_libs=yes
-	  ;;
-	esac
-	build_libtool_libs=no
-	build_old_libs=yes
-	break
-	;;
-      esac
-    done
-
-    # See if our shared archives depend on static archives.
-    test -n "$old_archive_from_new_cmds" && build_old_libs=yes
-
-    # Go through the arguments, transforming them on the way.
-    while test "$#" -gt 0; do
-      arg="$1"
-      shift
-      case $arg in
-      *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*|"")
-	qarg=\"`$echo "X$arg" | $Xsed -e "$sed_quote_subst"`\" ### testsuite: skip nested quoting test
-	;;
-      *) qarg=$arg ;;
-      esac
-      libtool_args="$libtool_args $qarg"
-
-      # If the previous option needs an argument, assign it.
-      if test -n "$prev"; then
-	case $prev in
-	output)
-	  compile_command="$compile_command @OUTPUT@"
-	  finalize_command="$finalize_command @OUTPUT@"
-	  ;;
-	esac
-
-	case $prev in
-	dlfiles|dlprefiles)
-	  if test "$preload" = no; then
-	    # Add the symbol object into the linking commands.
-	    compile_command="$compile_command @SYMFILE@"
-	    finalize_command="$finalize_command @SYMFILE@"
-	    preload=yes
-	  fi
-	  case $arg in
-	  *.la | *.lo) ;;  # We handle these cases below.
-	  force)
-	    if test "$dlself" = no; then
-	      dlself=needless
-	      export_dynamic=yes
-	    fi
-	    prev=
-	    continue
-	    ;;
-	  self)
-	    if test "$prev" = dlprefiles; then
-	      dlself=yes
-	    elif test "$prev" = dlfiles && test "$dlopen_self" != yes; then
-	      dlself=yes
-	    else
-	      dlself=needless
-	      export_dynamic=yes
-	    fi
-	    prev=
-	    continue
-	    ;;
-	  *)
-	    if test "$prev" = dlfiles; then
-	      dlfiles="$dlfiles $arg"
-	    else
-	      dlprefiles="$dlprefiles $arg"
-	    fi
-	    prev=
-	    continue
-	    ;;
-	  esac
-	  ;;
-	expsyms)
-	  export_symbols="$arg"
-	  if test ! -f "$arg"; then
-	    $echo "$modename: symbol file \`$arg' does not exist"
-	    exit $EXIT_FAILURE
-	  fi
-	  prev=
-	  continue
-	  ;;
-	expsyms_regex)
-	  export_symbols_regex="$arg"
-	  prev=
-	  continue
-	  ;;
-	inst_prefix)
-	  inst_prefix_dir="$arg"
-	  prev=
-	  continue
-	  ;;
-	precious_regex)
-	  precious_files_regex="$arg"
-	  prev=
-	  continue
-	  ;;
-	release)
-	  release="-$arg"
-	  prev=
-	  continue
-	  ;;
-	objectlist)
-	  if test -f "$arg"; then
-	    save_arg=$arg
-	    moreargs=
-	    for fil in `cat $save_arg`
-	    do
-#	      moreargs="$moreargs $fil"
-	      arg=$fil
-	      # A libtool-controlled object.
-
-	      # Check to see that this really is a libtool object.
-	      if (${SED} -e '2q' $arg | grep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then
-		pic_object=
-		non_pic_object=
-
-		# Read the .lo file
-		# If there is no directory component, then add one.
-		case $arg in
-		*/* | *\\*) . $arg ;;
-		*) . ./$arg ;;
-		esac
-
-		if test -z "$pic_object" || \
-		   test -z "$non_pic_object" ||
-		   test "$pic_object" = none && \
-		   test "$non_pic_object" = none; then
-		  $echo "$modename: cannot find name of object for \`$arg'" 1>&2
-		  exit $EXIT_FAILURE
-		fi
-
-		# Extract subdirectory from the argument.
-		xdir=`$echo "X$arg" | $Xsed -e 's%/[^/]*$%%'`
-		if test "X$xdir" = "X$arg"; then
-		  xdir=
-		else
-		  xdir="$xdir/"
-		fi
-
-		if test "$pic_object" != none; then
-		  # Prepend the subdirectory the object is found in.
-		  pic_object="$xdir$pic_object"
-
-		  if test "$prev" = dlfiles; then
-		    if test "$build_libtool_libs" = yes && test "$dlopen_support" = yes; then
-		      dlfiles="$dlfiles $pic_object"
-		      prev=
-		      continue
-		    else
-		      # If libtool objects are unsupported, then we need to preload.
-		      prev=dlprefiles
-		    fi
-		  fi
-
-		  # CHECK ME:  I think I busted this.  -Ossama
-		  if test "$prev" = dlprefiles; then
-		    # Preload the old-style object.
-		    dlprefiles="$dlprefiles $pic_object"
-		    prev=
-		  fi
-
-		  # A PIC object.
-		  libobjs="$libobjs $pic_object"
-		  arg="$pic_object"
-		fi
-
-		# Non-PIC object.
-		if test "$non_pic_object" != none; then
-		  # Prepend the subdirectory the object is found in.
-		  non_pic_object="$xdir$non_pic_object"
-
-		  # A standard non-PIC object
-		  non_pic_objects="$non_pic_objects $non_pic_object"
-		  if test -z "$pic_object" || test "$pic_object" = none ; then
-		    arg="$non_pic_object"
-		  fi
-		else
-		  # If the PIC object exists, use it instead.
-		  # $xdir was prepended to $pic_object above.
-		  non_pic_object="$pic_object"
-		  non_pic_objects="$non_pic_objects $non_pic_object"
-		fi
-	      else
-		# Only an error if not doing a dry-run.
-		if test -z "$run"; then
-		  $echo "$modename: \`$arg' is not a valid libtool object" 1>&2
-		  exit $EXIT_FAILURE
-		else
-		  # Dry-run case.
-
-		  # Extract subdirectory from the argument.
-		  xdir=`$echo "X$arg" | $Xsed -e 's%/[^/]*$%%'`
-		  if test "X$xdir" = "X$arg"; then
-		    xdir=
-		  else
-		    xdir="$xdir/"
-		  fi
-
-		  pic_object=`$echo "X${xdir}${objdir}/${arg}" | $Xsed -e "$lo2o"`
-		  non_pic_object=`$echo "X${xdir}${arg}" | $Xsed -e "$lo2o"`
-		  libobjs="$libobjs $pic_object"
-		  non_pic_objects="$non_pic_objects $non_pic_object"
-		fi
-	      fi
-	    done
-	  else
-	    $echo "$modename: link input file \`$save_arg' does not exist"
-	    exit $EXIT_FAILURE
-	  fi
-	  arg=$save_arg
-	  prev=
-	  continue
-	  ;;
-	rpath | xrpath)
-	  # We need an absolute path.
-	  case $arg in
-	  [\\/]* | [A-Za-z]:[\\/]*) ;;
-	  *)
-	    $echo "$modename: only absolute run-paths are allowed" 1>&2
-	    exit $EXIT_FAILURE
-	    ;;
-	  esac
-	  if test "$prev" = rpath; then
-	    case "$rpath " in
-	    *" $arg "*) ;;
-	    *) rpath="$rpath $arg" ;;
-	    esac
-	  else
-	    case "$xrpath " in
-	    *" $arg "*) ;;
-	    *) xrpath="$xrpath $arg" ;;
-	    esac
-	  fi
-	  prev=
-	  continue
-	  ;;
-	xcompiler)
-	  compiler_flags="$compiler_flags $qarg"
-	  prev=
-	  compile_command="$compile_command $qarg"
-	  finalize_command="$finalize_command $qarg"
-	  continue
-	  ;;
-	xlinker)
-	  linker_flags="$linker_flags $qarg"
-	  compiler_flags="$compiler_flags $wl$qarg"
-	  prev=
-	  compile_command="$compile_command $wl$qarg"
-	  finalize_command="$finalize_command $wl$qarg"
-	  continue
-	  ;;
-	xcclinker)
-	  linker_flags="$linker_flags $qarg"
-	  compiler_flags="$compiler_flags $qarg"
-	  prev=
-	  compile_command="$compile_command $qarg"
-	  finalize_command="$finalize_command $qarg"
-	  continue
-	  ;;
-	shrext)
-  	  shrext_cmds="$arg"
-	  prev=
-	  continue
-	  ;;
-	darwin_framework|darwin_framework_skip)
-	  test "$prev" = "darwin_framework" && compiler_flags="$compiler_flags $arg"
-	  compile_command="$compile_command $arg"
-	  finalize_command="$finalize_command $arg"
-	  prev=
-	  continue
-	  ;;
-	*)
-	  eval "$prev=\"\$arg\""
-	  prev=
-	  continue
-	  ;;
-	esac
-      fi # test -n "$prev"
-
-      prevarg="$arg"
-
-      case $arg in
-      -all-static)
-	if test -n "$link_static_flag"; then
-	  compile_command="$compile_command $link_static_flag"
-	  finalize_command="$finalize_command $link_static_flag"
-	fi
-	continue
-	;;
-
-      -allow-undefined)
-	# FIXME: remove this flag sometime in the future.
-	$echo "$modename: \`-allow-undefined' is deprecated because it is the default" 1>&2
-	continue
-	;;
-
-      -avoid-version)
-	avoid_version=yes
-	continue
-	;;
-
-      -dlopen)
-	prev=dlfiles
-	continue
-	;;
-
-      -dlpreopen)
-	prev=dlprefiles
-	continue
-	;;
-
-      -export-dynamic)
-	export_dynamic=yes
-	continue
-	;;
-
-      -export-symbols | -export-symbols-regex)
-	if test -n "$export_symbols" || test -n "$export_symbols_regex"; then
-	  $echo "$modename: more than one -exported-symbols argument is not allowed"
-	  exit $EXIT_FAILURE
-	fi
-	if test "X$arg" = "X-export-symbols"; then
-	  prev=expsyms
-	else
-	  prev=expsyms_regex
-	fi
-	continue
-	;;
-
-      -framework|-arch|-isysroot)
-	case " $CC " in
-	  *" ${arg} ${1} "* | *" ${arg}	${1} "*) 
-		prev=darwin_framework_skip ;;
-	  *) compiler_flags="$compiler_flags $arg"
-	     prev=darwin_framework ;;
-	esac
-	compile_command="$compile_command $arg"
-	finalize_command="$finalize_command $arg"
-	continue
-	;;
-
-      -inst-prefix-dir)
-	prev=inst_prefix
-	continue
-	;;
-
-      # The native IRIX linker understands -LANG:*, -LIST:* and -LNO:*
-      # so, if we see these flags be careful not to treat them like -L
-      -L[A-Z][A-Z]*:*)
-	case $with_gcc/$host in
-	no/*-*-irix* | /*-*-irix*)
-	  compile_command="$compile_command $arg"
-	  finalize_command="$finalize_command $arg"
-	  ;;
-	esac
-	continue
-	;;
-
-      -L*)
-	dir=`$echo "X$arg" | $Xsed -e 's/^-L//'`
-	# We need an absolute path.
-	case $dir in
-	[\\/]* | [A-Za-z]:[\\/]*) ;;
-	*)
-	  absdir=`cd "$dir" && pwd`
-	  if test -z "$absdir"; then
-	    $echo "$modename: cannot determine absolute directory name of \`$dir'" 1>&2
-	    absdir="$dir"
-	    notinst_path="$notinst_path $dir"
-	  fi
-	  dir="$absdir"
-	  ;;
-	esac
-	case "$deplibs " in
-	*" -L$dir "*) ;;
-	*)
-	  deplibs="$deplibs -L$dir"
-	  lib_search_path="$lib_search_path $dir"
-	  ;;
-	esac
-	case $host in
-	*-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2*)
-	  testbindir=`$echo "X$dir" | $Xsed -e 's*/lib$*/bin*'`
-	  case :$dllsearchpath: in
-	  *":$dir:"*) ;;
-	  *) dllsearchpath="$dllsearchpath:$dir";;
-	  esac
-	  case :$dllsearchpath: in
-	  *":$testbindir:"*) ;;
-	  *) dllsearchpath="$dllsearchpath:$testbindir";;
-	  esac
-	  ;;
-	esac
-	continue
-	;;
-
-      -l*)
-	if test "X$arg" = "X-lc" || test "X$arg" = "X-lm"; then
-	  case $host in
-	  *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-beos*)
-	    # These systems don't actually have a C or math library (as such)
-	    continue
-	    ;;
-	  *-*-os2*)
-	    # These systems don't actually have a C library (as such)
-	    test "X$arg" = "X-lc" && continue
-	    ;;
-	  *-*-openbsd* | *-*-freebsd* | *-*-dragonfly*)
-	    # Do not include libc due to us having libc/libc_r.
-	    test "X$arg" = "X-lc" && continue
-	    ;;
-	  *-*-rhapsody* | *-*-darwin1.[012])
-	    # Rhapsody C and math libraries are in the System framework
-	    deplibs="$deplibs -framework System"
-	    continue
-	    ;;
-	  *-*-sco3.2v5* | *-*-sco5v6*)
-	    # Causes problems with __ctype
-	    test "X$arg" = "X-lc" && continue
-	    ;;
-	  *-*-sysv4.2uw2* | *-*-sysv5* | *-*-unixware* | *-*-OpenUNIX*)
-	    # Compiler inserts libc in the correct place for threads to work
-	    test "X$arg" = "X-lc" && continue
-	    ;;
-	  esac
-	elif test "X$arg" = "X-lc_r"; then
-	 case $host in
-	 *-*-openbsd* | *-*-freebsd* | *-*-dragonfly*)
-	   # Do not include libc_r directly, use -pthread flag.
-	   continue
-	   ;;
-	 esac
-	fi
-	deplibs="$deplibs $arg"
-	continue
-	;;
-
-      # Tru64 UNIX uses -model [arg] to determine the layout of C++
-      # classes, name mangling, and exception handling.
-      -model)
-	compile_command="$compile_command $arg"
-	compiler_flags="$compiler_flags $arg"
-	finalize_command="$finalize_command $arg"
-	prev=xcompiler
-	continue
-	;;
-
-     -mt|-mthreads|-kthread|-Kthread|-pthread|-pthreads|--thread-safe|-threads)
-	compiler_flags="$compiler_flags $arg"
-	compile_command="$compile_command $arg"
-	finalize_command="$finalize_command $arg"
-	continue
-	;;
-
-      -multi_module)
-	single_module="${wl}-multi_module"
-	continue
-	;;
-
-      -module)
-	module=yes
-	continue
-	;;
-
-      # -64, -mips[0-9] enable 64-bit mode on the SGI compiler
-      # -r[0-9][0-9]* specifies the processor on the SGI compiler
-      # -xarch=*, -xtarget=* enable 64-bit mode on the Sun compiler
-      # +DA*, +DD* enable 64-bit mode on the HP compiler
-      # -q* pass through compiler args for the IBM compiler
-      # -m* pass through architecture-specific compiler args for GCC
-      # -m*, -t[45]*, -txscale* pass through architecture-specific
-      # compiler args for GCC
-      # -p, -pg, --coverage, -fprofile-* pass through profiling flag for GCC
-      # -F/path gives path to uninstalled frameworks, gcc on darwin
-      # @file GCC response files
-      -64|-mips[0-9]|-r[0-9][0-9]*|-xarch=*|-xtarget=*|+DA*|+DD*|-q*|-m*| \
-      -t[45]*|-txscale*|-p|-pg|--coverage|-fprofile-*|-F*|@*)
-
-	# Unknown arguments in both finalize_command and compile_command need
-	# to be aesthetically quoted because they are evaled later.
-	arg=`$echo "X$arg" | $Xsed -e "$sed_quote_subst"`
-	case $arg in
-	*[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*|"")
-	  arg="\"$arg\""
-	  ;;
-	esac
-        compile_command="$compile_command $arg"
-        finalize_command="$finalize_command $arg"
-        compiler_flags="$compiler_flags $arg"
-        continue
-        ;;
-
-      -shrext)
-	prev=shrext
-	continue
-	;;
-
-      -no-fast-install)
-	fast_install=no
-	continue
-	;;
-
-      -no-install)
-	case $host in
-	*-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2* | *-*-darwin*)
-	  # The PATH hackery in wrapper scripts is required on Windows
-	  # and Darwin in order for the loader to find any dlls it needs.
-	  $echo "$modename: warning: \`-no-install' is ignored for $host" 1>&2
-	  $echo "$modename: warning: assuming \`-no-fast-install' instead" 1>&2
-	  fast_install=no
-	  ;;
-	*) no_install=yes ;;
-	esac
-	continue
-	;;
-
-      -no-undefined)
-	allow_undefined=no
-	continue
-	;;
-
-      -objectlist)
-	prev=objectlist
-	continue
-	;;
-
-      -o) prev=output ;;
-
-      -precious-files-regex)
-	prev=precious_regex
-	continue
-	;;
-
-      -release)
-	prev=release
-	continue
-	;;
-
-      -rpath)
-	prev=rpath
-	continue
-	;;
-
-      -R)
-	prev=xrpath
-	continue
-	;;
-
-      -R*)
-	dir=`$echo "X$arg" | $Xsed -e 's/^-R//'`
-	# We need an absolute path.
-	case $dir in
-	[\\/]* | [A-Za-z]:[\\/]*) ;;
-	*)
-	  $echo "$modename: only absolute run-paths are allowed" 1>&2
-	  exit $EXIT_FAILURE
-	  ;;
-	esac
-	case "$xrpath " in
-	*" $dir "*) ;;
-	*) xrpath="$xrpath $dir" ;;
-	esac
-	continue
-	;;
-
-      -static | -static-libtool-libs)
-	# The effects of -static are defined in a previous loop.
-	# We used to do the same as -all-static on platforms that
-	# didn't have a PIC flag, but the assumption that the effects
-	# would be equivalent was wrong.  It would break on at least
-	# Digital Unix and AIX.
-	continue
-	;;
-
-      -thread-safe)
-	thread_safe=yes
-	continue
-	;;
-
-      -version-info)
-	prev=vinfo
-	continue
-	;;
-      -version-number)
-	prev=vinfo
-	vinfo_number=yes
-	continue
-	;;
-
-      -Wc,*)
-	args=`$echo "X$arg" | $Xsed -e "$sed_quote_subst" -e 's/^-Wc,//'`
-	arg=
-	save_ifs="$IFS"; IFS=','
-	for flag in $args; do
-	  IFS="$save_ifs"
-	  case $flag in
-	    *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*|"")
-	    flag="\"$flag\""
-	    ;;
-	  esac
-	  arg="$arg $wl$flag"
-	  compiler_flags="$compiler_flags $flag"
-	done
-	IFS="$save_ifs"
-	arg=`$echo "X$arg" | $Xsed -e "s/^ //"`
-	;;
-
-      -Wl,*)
-	args=`$echo "X$arg" | $Xsed -e "$sed_quote_subst" -e 's/^-Wl,//'`
-	arg=
-	save_ifs="$IFS"; IFS=','
-	for flag in $args; do
-	  IFS="$save_ifs"
-	  case $flag in
-	    *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*|"")
-	    flag="\"$flag\""
-	    ;;
-	  esac
-	  arg="$arg $wl$flag"
-	  compiler_flags="$compiler_flags $wl$flag"
-	  linker_flags="$linker_flags $flag"
-	done
-	IFS="$save_ifs"
-	arg=`$echo "X$arg" | $Xsed -e "s/^ //"`
-	;;
-
-      -Xcompiler)
-	prev=xcompiler
-	continue
-	;;
-
-      -Xlinker)
-	prev=xlinker
-	continue
-	;;
-
-      -XCClinker)
-	prev=xcclinker
-	continue
-	;;
-
-      # Some other compiler flag.
-      -* | +*)
-	# Unknown arguments in both finalize_command and compile_command need
-	# to be aesthetically quoted because they are evaled later.
-	arg=`$echo "X$arg" | $Xsed -e "$sed_quote_subst"`
-	case $arg in
-	*[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*|"")
-	  arg="\"$arg\""
-	  ;;
-	esac
-	;;
-
-      *.$objext)
-	# A standard object.
-	objs="$objs $arg"
-	;;
-
-      *.lo)
-	# A libtool-controlled object.
-
-	# Check to see that this really is a libtool object.
-	if (${SED} -e '2q' $arg | grep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then
-	  pic_object=
-	  non_pic_object=
-
-	  # Read the .lo file
-	  # If there is no directory component, then add one.
-	  case $arg in
-	  */* | *\\*) . $arg ;;
-	  *) . ./$arg ;;
-	  esac
-
-	  if test -z "$pic_object" || \
-	     test -z "$non_pic_object" ||
-	     test "$pic_object" = none && \
-	     test "$non_pic_object" = none; then
-	    $echo "$modename: cannot find name of object for \`$arg'" 1>&2
-	    exit $EXIT_FAILURE
-	  fi
-
-	  # Extract subdirectory from the argument.
-	  xdir=`$echo "X$arg" | $Xsed -e 's%/[^/]*$%%'`
-	  if test "X$xdir" = "X$arg"; then
-	    xdir=
- 	  else
-	    xdir="$xdir/"
-	  fi
-
-	  if test "$pic_object" != none; then
-	    # Prepend the subdirectory the object is found in.
-	    pic_object="$xdir$pic_object"
-
-	    if test "$prev" = dlfiles; then
-	      if test "$build_libtool_libs" = yes && test "$dlopen_support" = yes; then
-		dlfiles="$dlfiles $pic_object"
-		prev=
-		continue
-	      else
-		# If libtool objects are unsupported, then we need to preload.
-		prev=dlprefiles
-	      fi
-	    fi
-
-	    # CHECK ME:  I think I busted this.  -Ossama
-	    if test "$prev" = dlprefiles; then
-	      # Preload the old-style object.
-	      dlprefiles="$dlprefiles $pic_object"
-	      prev=
-	    fi
-
-	    # A PIC object.
-	    libobjs="$libobjs $pic_object"
-	    arg="$pic_object"
-	  fi
-
-	  # Non-PIC object.
-	  if test "$non_pic_object" != none; then
-	    # Prepend the subdirectory the object is found in.
-	    non_pic_object="$xdir$non_pic_object"
-
-	    # A standard non-PIC object
-	    non_pic_objects="$non_pic_objects $non_pic_object"
-	    if test -z "$pic_object" || test "$pic_object" = none ; then
-	      arg="$non_pic_object"
-	    fi
-	  else
-	    # If the PIC object exists, use it instead.
-	    # $xdir was prepended to $pic_object above.
-	    non_pic_object="$pic_object"
-	    non_pic_objects="$non_pic_objects $non_pic_object"
-	  fi
-	else
-	  # Only an error if not doing a dry-run.
-	  if test -z "$run"; then
-	    $echo "$modename: \`$arg' is not a valid libtool object" 1>&2
-	    exit $EXIT_FAILURE
-	  else
-	    # Dry-run case.
-
-	    # Extract subdirectory from the argument.
-	    xdir=`$echo "X$arg" | $Xsed -e 's%/[^/]*$%%'`
-	    if test "X$xdir" = "X$arg"; then
-	      xdir=
-	    else
-	      xdir="$xdir/"
-	    fi
-
-	    pic_object=`$echo "X${xdir}${objdir}/${arg}" | $Xsed -e "$lo2o"`
-	    non_pic_object=`$echo "X${xdir}${arg}" | $Xsed -e "$lo2o"`
-	    libobjs="$libobjs $pic_object"
-	    non_pic_objects="$non_pic_objects $non_pic_object"
-	  fi
-	fi
-	;;
-
-      *.$libext)
-	# An archive.
-	deplibs="$deplibs $arg"
-	old_deplibs="$old_deplibs $arg"
-	continue
-	;;
-
-      *.la)
-	# A libtool-controlled library.
-
-	if test "$prev" = dlfiles; then
-	  # This library was specified with -dlopen.
-	  dlfiles="$dlfiles $arg"
-	  prev=
-	elif test "$prev" = dlprefiles; then
-	  # The library was specified with -dlpreopen.
-	  dlprefiles="$dlprefiles $arg"
-	  prev=
-	else
-	  deplibs="$deplibs $arg"
-	fi
-	continue
-	;;
-
-      # Some other compiler argument.
-      *)
-	# Unknown arguments in both finalize_command and compile_command need
-	# to be aesthetically quoted because they are evaled later.
-	arg=`$echo "X$arg" | $Xsed -e "$sed_quote_subst"`
-	case $arg in
-	*[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*|"")
-	  arg="\"$arg\""
-	  ;;
-	esac
-	;;
-      esac # arg
-
-      # Now actually substitute the argument into the commands.
-      if test -n "$arg"; then
-	compile_command="$compile_command $arg"
-	finalize_command="$finalize_command $arg"
-      fi
-    done # argument parsing loop
-
-    if test -n "$prev"; then
-      $echo "$modename: the \`$prevarg' option requires an argument" 1>&2
-      $echo "$help" 1>&2
-      exit $EXIT_FAILURE
-    fi
-
-    if test "$export_dynamic" = yes && test -n "$export_dynamic_flag_spec"; then
-      eval arg=\"$export_dynamic_flag_spec\"
-      compile_command="$compile_command $arg"
-      finalize_command="$finalize_command $arg"
-    fi
-
-    oldlibs=
-    # calculate the name of the file, without its directory
-    outputname=`$echo "X$output" | $Xsed -e 's%^.*/%%'`
-    libobjs_save="$libobjs"
-
-    if test -n "$shlibpath_var"; then
-      # get the directories listed in $shlibpath_var
-      eval shlib_search_path=\`\$echo \"X\${$shlibpath_var}\" \| \$Xsed -e \'s/:/ /g\'\`
-    else
-      shlib_search_path=
-    fi
-    eval sys_lib_search_path=\"$sys_lib_search_path_spec\"
-    eval sys_lib_dlsearch_path=\"$sys_lib_dlsearch_path_spec\"
-
-    output_objdir=`$echo "X$output" | $Xsed -e 's%/[^/]*$%%'`
-    if test "X$output_objdir" = "X$output"; then
-      output_objdir="$objdir"
-    else
-      output_objdir="$output_objdir/$objdir"
-    fi
-    # Create the object directory.
-    if test ! -d "$output_objdir"; then
-      $show "$mkdir $output_objdir"
-      $run $mkdir $output_objdir
-      exit_status=$?
-      if test "$exit_status" -ne 0 && test ! -d "$output_objdir"; then
-	exit $exit_status
-      fi
-    fi
-
-    # Determine the type of output
-    case $output in
-    "")
-      $echo "$modename: you must specify an output file" 1>&2
-      $echo "$help" 1>&2
-      exit $EXIT_FAILURE
-      ;;
-    *.$libext) linkmode=oldlib ;;
-    *.lo | *.$objext) linkmode=obj ;;
-    *.la) linkmode=lib ;;
-    *) linkmode=prog ;; # Anything else should be a program.
-    esac
-
-    case $host in
-    *cygwin* | *mingw* | *pw32*)
-      # don't eliminate duplications in $postdeps and $predeps
-      duplicate_compiler_generated_deps=yes
-      ;;
-    *)
-      duplicate_compiler_generated_deps=$duplicate_deps
-      ;;
-    esac
-    specialdeplibs=
-
-    libs=
-    # Find all interdependent deplibs by searching for libraries
-    # that are linked more than once (e.g. -la -lb -la)
-    for deplib in $deplibs; do
-      if test "X$duplicate_deps" = "Xyes" ; then
-	case "$libs " in
-	*" $deplib "*) specialdeplibs="$specialdeplibs $deplib" ;;
-	esac
-      fi
-      libs="$libs $deplib"
-    done
-
-    if test "$linkmode" = lib; then
-      libs="$predeps $libs $compiler_lib_search_path $postdeps"
-
-      # Compute libraries that are listed more than once in $predeps
-      # $postdeps and mark them as special (i.e., whose duplicates are
-      # not to be eliminated).
-      pre_post_deps=
-      if test "X$duplicate_compiler_generated_deps" = "Xyes" ; then
-	for pre_post_dep in $predeps $postdeps; do
-	  case "$pre_post_deps " in
-	  *" $pre_post_dep "*) specialdeplibs="$specialdeplibs $pre_post_deps" ;;
-	  esac
-	  pre_post_deps="$pre_post_deps $pre_post_dep"
-	done
-      fi
-      pre_post_deps=
-    fi
-
-    deplibs=
-    newdependency_libs=
-    newlib_search_path=
-    need_relink=no # whether we're linking any uninstalled libtool libraries
-    notinst_deplibs= # not-installed libtool libraries
-    case $linkmode in
-    lib)
-	passes="conv link"
-	for file in $dlfiles $dlprefiles; do
-	  case $file in
-	  *.la) ;;
-	  *)
-	    $echo "$modename: libraries can \`-dlopen' only libtool libraries: $file" 1>&2
-	    exit $EXIT_FAILURE
-	    ;;
-	  esac
-	done
-	;;
-    prog)
-	compile_deplibs=
-	finalize_deplibs=
-	alldeplibs=no
-	newdlfiles=
-	newdlprefiles=
-	passes="conv scan dlopen dlpreopen link"
-	;;
-    *)  passes="conv"
-	;;
-    esac
-    for pass in $passes; do
-      if test "$linkmode,$pass" = "lib,link" ||
-	 test "$linkmode,$pass" = "prog,scan"; then
-	libs="$deplibs"
-	deplibs=
-      fi
-      if test "$linkmode" = prog; then
-	case $pass in
-	dlopen) libs="$dlfiles" ;;
-	dlpreopen) libs="$dlprefiles" ;;
-	link)
-	  libs="$deplibs %DEPLIBS%"
-	  test "X$link_all_deplibs" != Xno && libs="$libs $dependency_libs"
-	  ;;
-	esac
-      fi
-      if test "$pass" = dlopen; then
-	# Collect dlpreopened libraries
-	save_deplibs="$deplibs"
-	deplibs=
-      fi
-      for deplib in $libs; do
-	lib=
-	found=no
-	case $deplib in
-	-mt|-mthreads|-kthread|-Kthread|-pthread|-pthreads|--thread-safe|-threads)
-	  if test "$linkmode,$pass" = "prog,link"; then
-	    compile_deplibs="$deplib $compile_deplibs"
-	    finalize_deplibs="$deplib $finalize_deplibs"
-	  else
-	    compiler_flags="$compiler_flags $deplib"
-	  fi
-	  continue
-	  ;;
-	-l*)
-	  if test "$linkmode" != lib && test "$linkmode" != prog; then
-	    $echo "$modename: warning: \`-l' is ignored for archives/objects" 1>&2
-	    continue
-	  fi
-	  name=`$echo "X$deplib" | $Xsed -e 's/^-l//'`
-	  if test "$linkmode" = lib; then
-	    searchdirs="$newlib_search_path $lib_search_path $compiler_lib_search_dirs $sys_lib_search_path $shlib_search_path"
-	  else
-	    searchdirs="$newlib_search_path $lib_search_path $sys_lib_search_path $shlib_search_path"
-	  fi
-	  for searchdir in $searchdirs; do
-	    for search_ext in .la $std_shrext .so .a; do
-	      # Search the libtool library
-	      lib="$searchdir/lib${name}${search_ext}"
-	      if test -f "$lib"; then
-		if test "$search_ext" = ".la"; then
-		  found=yes
-		else
-		  found=no
-		fi
-		break 2
-	      fi
-	    done
-	  done
-	  if test "$found" != yes; then
-	    # deplib doesn't seem to be a libtool library
-	    if test "$linkmode,$pass" = "prog,link"; then
-	      compile_deplibs="$deplib $compile_deplibs"
-	      finalize_deplibs="$deplib $finalize_deplibs"
-	    else
-	      deplibs="$deplib $deplibs"
-	      test "$linkmode" = lib && newdependency_libs="$deplib $newdependency_libs"
-	    fi
-	    continue
-	  else # deplib is a libtool library
-	    # If $allow_libtool_libs_with_static_runtimes && $deplib is a stdlib,
-	    # We need to do some special things here, and not later.
-	    if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then
-	      case " $predeps $postdeps " in
-	      *" $deplib "*)
-		if (${SED} -e '2q' $lib |
-                    grep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then
-		  library_names=
-		  old_library=
-		  case $lib in
-		  */* | *\\*) . $lib ;;
-		  *) . ./$lib ;;
-		  esac
-		  for l in $old_library $library_names; do
-		    ll="$l"
-		  done
-		  if test "X$ll" = "X$old_library" ; then # only static version available
-		    found=no
-		    ladir=`$echo "X$lib" | $Xsed -e 's%/[^/]*$%%'`
-		    test "X$ladir" = "X$lib" && ladir="."
-		    lib=$ladir/$old_library
-		    if test "$linkmode,$pass" = "prog,link"; then
-		      compile_deplibs="$deplib $compile_deplibs"
-		      finalize_deplibs="$deplib $finalize_deplibs"
-		    else
-		      deplibs="$deplib $deplibs"
-		      test "$linkmode" = lib && newdependency_libs="$deplib $newdependency_libs"
-		    fi
-		    continue
-		  fi
-		fi
-	        ;;
-	      *) ;;
-	      esac
-	    fi
-	  fi
-	  ;; # -l
-	-L*)
-	  case $linkmode in
-	  lib)
-	    deplibs="$deplib $deplibs"
-	    test "$pass" = conv && continue
-	    newdependency_libs="$deplib $newdependency_libs"
-	    newlib_search_path="$newlib_search_path "`$echo "X$deplib" | $Xsed -e 's/^-L//'`
-	    ;;
-	  prog)
-	    if test "$pass" = conv; then
-	      deplibs="$deplib $deplibs"
-	      continue
-	    fi
-	    if test "$pass" = scan; then
-	      deplibs="$deplib $deplibs"
-	    else
-	      compile_deplibs="$deplib $compile_deplibs"
-	      finalize_deplibs="$deplib $finalize_deplibs"
-	    fi
-	    newlib_search_path="$newlib_search_path "`$echo "X$deplib" | $Xsed -e 's/^-L//'`
-	    ;;
-	  *)
-	    $echo "$modename: warning: \`-L' is ignored for archives/objects" 1>&2
-	    ;;
-	  esac # linkmode
-	  continue
-	  ;; # -L
-	-R*)
-	  if test "$pass" = link; then
-	    dir=`$echo "X$deplib" | $Xsed -e 's/^-R//'`
-	    # Make sure the xrpath contains only unique directories.
-	    case "$xrpath " in
-	    *" $dir "*) ;;
-	    *) xrpath="$xrpath $dir" ;;
-	    esac
-	  fi
-	  deplibs="$deplib $deplibs"
-	  continue
-	  ;;
-	*.la) lib="$deplib" ;;
-	*.$libext)
-	  if test "$pass" = conv; then
-	    deplibs="$deplib $deplibs"
-	    continue
-	  fi
-	  case $linkmode in
-	  lib)
-	    valid_a_lib=no
-	    case $deplibs_check_method in
-	      match_pattern*)
-		set dummy $deplibs_check_method
-	        match_pattern_regex=`expr "$deplibs_check_method" : "$2 \(.*\)"`
-		if eval $echo \"$deplib\" 2>/dev/null \
-		    | $SED 10q \
-		    | $EGREP "$match_pattern_regex" > /dev/null; then
-		  valid_a_lib=yes
-		fi
-		;;
-	      pass_all)
-		valid_a_lib=yes
-		;;
-            esac
-	    if test "$valid_a_lib" != yes; then
-	      $echo
-	      $echo "*** Warning: Trying to link with static lib archive $deplib."
-	      $echo "*** I have the capability to make that library automatically link in when"
-	      $echo "*** you link to this library.  But I can only do this if you have a"
-	      $echo "*** shared version of the library, which you do not appear to have"
-	      $echo "*** because the file extensions .$libext of this argument makes me believe"
-	      $echo "*** that it is just a static archive that I should not used here."
-	    else
-	      $echo
-	      $echo "*** Warning: Linking the shared library $output against the"
-	      $echo "*** static library $deplib is not portable!"
-	      deplibs="$deplib $deplibs"
-	    fi
-	    continue
-	    ;;
-	  prog)
-	    if test "$pass" != link; then
-	      deplibs="$deplib $deplibs"
-	    else
-	      compile_deplibs="$deplib $compile_deplibs"
-	      finalize_deplibs="$deplib $finalize_deplibs"
-	    fi
-	    continue
-	    ;;
-	  esac # linkmode
-	  ;; # *.$libext
-	*.lo | *.$objext)
-	  if test "$pass" = conv; then
-	    deplibs="$deplib $deplibs"
-	  elif test "$linkmode" = prog; then
-	    if test "$pass" = dlpreopen || test "$dlopen_support" != yes || test "$build_libtool_libs" = no; then
-	      # If there is no dlopen support or we're linking statically,
-	      # we need to preload.
-	      newdlprefiles="$newdlprefiles $deplib"
-	      compile_deplibs="$deplib $compile_deplibs"
-	      finalize_deplibs="$deplib $finalize_deplibs"
-	    else
-	      newdlfiles="$newdlfiles $deplib"
-	    fi
-	  fi
-	  continue
-	  ;;
-	%DEPLIBS%)
-	  alldeplibs=yes
-	  continue
-	  ;;
-	esac # case $deplib
-	if test "$found" = yes || test -f "$lib"; then :
-	else
-	  $echo "$modename: cannot find the library \`$lib' or unhandled argument \`$deplib'" 1>&2
-	  exit $EXIT_FAILURE
-	fi
-
-	# Check to see that this really is a libtool archive.
-	if (${SED} -e '2q' $lib | grep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then :
-	else
-	  $echo "$modename: \`$lib' is not a valid libtool archive" 1>&2
-	  exit $EXIT_FAILURE
-	fi
-
-	ladir=`$echo "X$lib" | $Xsed -e 's%/[^/]*$%%'`
-	test "X$ladir" = "X$lib" && ladir="."
-
-	dlname=
-	dlopen=
-	dlpreopen=
-	libdir=
-	library_names=
-	old_library=
-	# If the library was installed with an old release of libtool,
-	# it will not redefine variables installed, or shouldnotlink
-	installed=yes
-	shouldnotlink=no
-	avoidtemprpath=
-
-
-	# Read the .la file
-	case $lib in
-	*/* | *\\*) . $lib ;;
-	*) . ./$lib ;;
-	esac
-
-	if test "$linkmode,$pass" = "lib,link" ||
-	   test "$linkmode,$pass" = "prog,scan" ||
-	   { test "$linkmode" != prog && test "$linkmode" != lib; }; then
-	  test -n "$dlopen" && dlfiles="$dlfiles $dlopen"
-	  test -n "$dlpreopen" && dlprefiles="$dlprefiles $dlpreopen"
-	fi
-
-	if test "$pass" = conv; then
-	  # Only check for convenience libraries
-	  deplibs="$lib $deplibs"
-	  if test -z "$libdir"; then
-	    if test -z "$old_library"; then
-	      $echo "$modename: cannot find name of link library for \`$lib'" 1>&2
-	      exit $EXIT_FAILURE
-	    fi
-	    # It is a libtool convenience library, so add in its objects.
-	    convenience="$convenience $ladir/$objdir/$old_library"
-	    old_convenience="$old_convenience $ladir/$objdir/$old_library"
-	    tmp_libs=
-	    for deplib in $dependency_libs; do
-	      deplibs="$deplib $deplibs"
-              if test "X$duplicate_deps" = "Xyes" ; then
-	        case "$tmp_libs " in
-	        *" $deplib "*) specialdeplibs="$specialdeplibs $deplib" ;;
-	        esac
-              fi
-	      tmp_libs="$tmp_libs $deplib"
-	    done
-	  elif test "$linkmode" != prog && test "$linkmode" != lib; then
-	    $echo "$modename: \`$lib' is not a convenience library" 1>&2
-	    exit $EXIT_FAILURE
-	  fi
-	  continue
-	fi # $pass = conv
-
-
-	# Get the name of the library we link against.
-	linklib=
-	for l in $old_library $library_names; do
-	  linklib="$l"
-	done
-	if test -z "$linklib"; then
-	  $echo "$modename: cannot find name of link library for \`$lib'" 1>&2
-	  exit $EXIT_FAILURE
-	fi
-
-	# This library was specified with -dlopen.
-	if test "$pass" = dlopen; then
-	  if test -z "$libdir"; then
-	    $echo "$modename: cannot -dlopen a convenience library: \`$lib'" 1>&2
-	    exit $EXIT_FAILURE
-	  fi
-	  if test -z "$dlname" ||
-	     test "$dlopen_support" != yes ||
-	     test "$build_libtool_libs" = no; then
-	    # If there is no dlname, no dlopen support or we're linking
-	    # statically, we need to preload.  We also need to preload any
-	    # dependent libraries so libltdl's deplib preloader doesn't
-	    # bomb out in the load deplibs phase.
-	    dlprefiles="$dlprefiles $lib $dependency_libs"
-	  else
-	    newdlfiles="$newdlfiles $lib"
-	  fi
-	  continue
-	fi # $pass = dlopen
-
-	# We need an absolute path.
-	case $ladir in
-	[\\/]* | [A-Za-z]:[\\/]*) abs_ladir="$ladir" ;;
-	*)
-	  abs_ladir=`cd "$ladir" && pwd`
-	  if test -z "$abs_ladir"; then
-	    $echo "$modename: warning: cannot determine absolute directory name of \`$ladir'" 1>&2
-	    $echo "$modename: passing it literally to the linker, although it might fail" 1>&2
-	    abs_ladir="$ladir"
-	  fi
-	  ;;
-	esac
-	laname=`$echo "X$lib" | $Xsed -e 's%^.*/%%'`
-
-	# Find the relevant object directory and library name.
-	if test "X$installed" = Xyes; then
-	  if test ! -f "$libdir/$linklib" && test -f "$abs_ladir/$linklib"; then
-	    $echo "$modename: warning: library \`$lib' was moved." 1>&2
-	    dir="$ladir"
-	    absdir="$abs_ladir"
-	    libdir="$abs_ladir"
-	  else
-	    dir="$libdir"
-	    absdir="$libdir"
-	  fi
-	  test "X$hardcode_automatic" = Xyes && avoidtemprpath=yes
-	else
-	  if test ! -f "$ladir/$objdir/$linklib" && test -f "$abs_ladir/$linklib"; then
-	    dir="$ladir"
-	    absdir="$abs_ladir"
-	    # Remove this search path later
-	    notinst_path="$notinst_path $abs_ladir"
-	  else
-	    dir="$ladir/$objdir"
-	    absdir="$abs_ladir/$objdir"
-	    # Remove this search path later
-	    notinst_path="$notinst_path $abs_ladir"
-	  fi
-	fi # $installed = yes
-	name=`$echo "X$laname" | $Xsed -e 's/\.la$//' -e 's/^lib//'`
-
-	# This library was specified with -dlpreopen.
-	if test "$pass" = dlpreopen; then
-	  if test -z "$libdir"; then
-	    $echo "$modename: cannot -dlpreopen a convenience library: \`$lib'" 1>&2
-	    exit $EXIT_FAILURE
-	  fi
-	  # Prefer using a static library (so that no silly _DYNAMIC symbols
-	  # are required to link).
-	  if test -n "$old_library"; then
-	    newdlprefiles="$newdlprefiles $dir/$old_library"
-	  # Otherwise, use the dlname, so that lt_dlopen finds it.
-	  elif test -n "$dlname"; then
-	    newdlprefiles="$newdlprefiles $dir/$dlname"
-	  else
-	    newdlprefiles="$newdlprefiles $dir/$linklib"
-	  fi
-	fi # $pass = dlpreopen
-
-	if test -z "$libdir"; then
-	  # Link the convenience library
-	  if test "$linkmode" = lib; then
-	    deplibs="$dir/$old_library $deplibs"
-	  elif test "$linkmode,$pass" = "prog,link"; then
-	    compile_deplibs="$dir/$old_library $compile_deplibs"
-	    finalize_deplibs="$dir/$old_library $finalize_deplibs"
-	  else
-	    deplibs="$lib $deplibs" # used for prog,scan pass
-	  fi
-	  continue
-	fi
-
-
-	if test "$linkmode" = prog && test "$pass" != link; then
-	  newlib_search_path="$newlib_search_path $ladir"
-	  deplibs="$lib $deplibs"
-
-	  linkalldeplibs=no
-	  if test "$link_all_deplibs" != no || test -z "$library_names" ||
-	     test "$build_libtool_libs" = no; then
-	    linkalldeplibs=yes
-	  fi
-
-	  tmp_libs=
-	  for deplib in $dependency_libs; do
-	    case $deplib in
-	    -L*) newlib_search_path="$newlib_search_path "`$echo "X$deplib" | $Xsed -e 's/^-L//'`;; ### testsuite: skip nested quoting test
-	    esac
-	    # Need to link against all dependency_libs?
-	    if test "$linkalldeplibs" = yes; then
-	      deplibs="$deplib $deplibs"
-	    else
-	      # Need to hardcode shared library paths
-	      # or/and link against static libraries
-	      newdependency_libs="$deplib $newdependency_libs"
-	    fi
-	    if test "X$duplicate_deps" = "Xyes" ; then
-	      case "$tmp_libs " in
-	      *" $deplib "*) specialdeplibs="$specialdeplibs $deplib" ;;
-	      esac
-	    fi
-	    tmp_libs="$tmp_libs $deplib"
-	  done # for deplib
-	  continue
-	fi # $linkmode = prog...
-
-	if test "$linkmode,$pass" = "prog,link"; then
-	  if test -n "$library_names" &&
-	     { { test "$prefer_static_libs" = no ||
-		 test "$prefer_static_libs,$installed" = "built,yes"; } ||
-	       test -z "$old_library"; }; then
-	    # We need to hardcode the library path
-	    if test -n "$shlibpath_var" && test -z "$avoidtemprpath" ; then
-	      # Make sure the rpath contains only unique directories.
-	      case "$temp_rpath " in
-	      *" $dir "*) ;;
-	      *" $absdir "*) ;;
-	      *) temp_rpath="$temp_rpath $absdir" ;;
-	      esac
-	    fi
-
-	    # Hardcode the library path.
-	    # Skip directories that are in the system default run-time
-	    # search path.
-	    case " $sys_lib_dlsearch_path " in
-	    *" $absdir "*) ;;
-	    *)
-	      case "$compile_rpath " in
-	      *" $absdir "*) ;;
-	      *) compile_rpath="$compile_rpath $absdir"
-	      esac
-	      ;;
-	    esac
-	    case " $sys_lib_dlsearch_path " in
-	    *" $libdir "*) ;;
-	    *)
-	      case "$finalize_rpath " in
-	      *" $libdir "*) ;;
-	      *) finalize_rpath="$finalize_rpath $libdir"
-	      esac
-	      ;;
-	    esac
-	  fi # $linkmode,$pass = prog,link...
-
-	  if test "$alldeplibs" = yes &&
-	     { test "$deplibs_check_method" = pass_all ||
-	       { test "$build_libtool_libs" = yes &&
-		 test -n "$library_names"; }; }; then
-	    # We only need to search for static libraries
-	    continue
-	  fi
-	fi
-
-	link_static=no # Whether the deplib will be linked statically
-	use_static_libs=$prefer_static_libs
-	if test "$use_static_libs" = built && test "$installed" = yes ; then
-	  use_static_libs=no
-	fi
-	if test -n "$library_names" &&
-	   { test "$use_static_libs" = no || test -z "$old_library"; }; then
-	  if test "$installed" = no; then
-	    notinst_deplibs="$notinst_deplibs $lib"
-	    need_relink=yes
-	  fi
-	  # This is a shared library
-
-	  # Warn about portability, can't link against -module's on
-	  # some systems (darwin)
-	  if test "$shouldnotlink" = yes && test "$pass" = link ; then
-	    $echo
-	    if test "$linkmode" = prog; then
-	      $echo "*** Warning: Linking the executable $output against the loadable module"
-	    else
-	      $echo "*** Warning: Linking the shared library $output against the loadable module"
-	    fi
-	    $echo "*** $linklib is not portable!"
-	  fi
-	  if test "$linkmode" = lib &&
-	     test "$hardcode_into_libs" = yes; then
-	    # Hardcode the library path.
-	    # Skip directories that are in the system default run-time
-	    # search path.
-	    case " $sys_lib_dlsearch_path " in
-	    *" $absdir "*) ;;
-	    *)
-	      case "$compile_rpath " in
-	      *" $absdir "*) ;;
-	      *) compile_rpath="$compile_rpath $absdir"
-	      esac
-	      ;;
-	    esac
-	    case " $sys_lib_dlsearch_path " in
-	    *" $libdir "*) ;;
-	    *)
-	      case "$finalize_rpath " in
-	      *" $libdir "*) ;;
-	      *) finalize_rpath="$finalize_rpath $libdir"
-	      esac
-	      ;;
-	    esac
-	  fi
-
-	  if test -n "$old_archive_from_expsyms_cmds"; then
-	    # figure out the soname
-	    set dummy $library_names
-	    realname="$2"
-	    shift; shift
-	    libname=`eval \\$echo \"$libname_spec\"`
-	    # use dlname if we got it. it's perfectly good, no?
-	    if test -n "$dlname"; then
-	      soname="$dlname"
-	    elif test -n "$soname_spec"; then
-	      # bleh windows
-	      case $host in
-	      *cygwin* | mingw*)
-		major=`expr $current - $age`
-		versuffix="-$major"
-		;;
-	      esac
-	      eval soname=\"$soname_spec\"
-	    else
-	      soname="$realname"
-	    fi
-
-	    # Make a new name for the extract_expsyms_cmds to use
-	    soroot="$soname"
-	    soname=`$echo $soroot | ${SED} -e 's/^.*\///'`
-	    newlib="libimp-`$echo $soname | ${SED} 's/^lib//;s/\.dll$//'`.a"
-
-	    # If the library has no export list, then create one now
-	    if test -f "$output_objdir/$soname-def"; then :
-	    else
-	      $show "extracting exported symbol list from \`$soname'"
-	      save_ifs="$IFS"; IFS='~'
-	      cmds=$extract_expsyms_cmds
-	      for cmd in $cmds; do
-		IFS="$save_ifs"
-		eval cmd=\"$cmd\"
-		$show "$cmd"
-		$run eval "$cmd" || exit $?
-	      done
-	      IFS="$save_ifs"
-	    fi
-
-	    # Create $newlib
-	    if test -f "$output_objdir/$newlib"; then :; else
-	      $show "generating import library for \`$soname'"
-	      save_ifs="$IFS"; IFS='~'
-	      cmds=$old_archive_from_expsyms_cmds
-	      for cmd in $cmds; do
-		IFS="$save_ifs"
-		eval cmd=\"$cmd\"
-		$show "$cmd"
-		$run eval "$cmd" || exit $?
-	      done
-	      IFS="$save_ifs"
-	    fi
-	    # make sure the library variables are pointing to the new library
-	    dir=$output_objdir
-	    linklib=$newlib
-	  fi # test -n "$old_archive_from_expsyms_cmds"
-
-	  if test "$linkmode" = prog || test "$mode" != relink; then
-	    add_shlibpath=
-	    add_dir=
-	    add=
-	    lib_linked=yes
-	    case $hardcode_action in
-	    immediate | unsupported)
-	      if test "$hardcode_direct" = no; then
-		add="$dir/$linklib"
-		case $host in
-		  *-*-sco3.2v5.0.[024]*) add_dir="-L$dir" ;;
-		  *-*-sysv4*uw2*) add_dir="-L$dir" ;;
-		  *-*-sysv5OpenUNIX* | *-*-sysv5UnixWare7.[01].[10]* | \
-		    *-*-unixware7*) add_dir="-L$dir" ;;
-		  *-*-darwin* )
-		    # if the lib is a module then we can not link against
-		    # it, someone is ignoring the new warnings I added
-		    if /usr/bin/file -L $add 2> /dev/null |
-                      $EGREP ": [^:]* bundle" >/dev/null ; then
-		      $echo "** Warning, lib $linklib is a module, not a shared library"
-		      if test -z "$old_library" ; then
-		        $echo
-		        $echo "** And there doesn't seem to be a static archive available"
-		        $echo "** The link will probably fail, sorry"
-		      else
-		        add="$dir/$old_library"
-		      fi
-		    fi
-		esac
-	      elif test "$hardcode_minus_L" = no; then
-		case $host in
-		*-*-sunos*) add_shlibpath="$dir" ;;
-		esac
-		add_dir="-L$dir"
-		add="-l$name"
-	      elif test "$hardcode_shlibpath_var" = no; then
-		add_shlibpath="$dir"
-		add="-l$name"
-	      else
-		lib_linked=no
-	      fi
-	      ;;
-	    relink)
-	      if test "$hardcode_direct" = yes; then
-		add="$dir/$linklib"
-	      elif test "$hardcode_minus_L" = yes; then
-		add_dir="-L$dir"
-		# Try looking first in the location we're being installed to.
-		if test -n "$inst_prefix_dir"; then
-		  case $libdir in
-		    [\\/]*)
-		      add_dir="$add_dir -L$inst_prefix_dir$libdir"
-		      ;;
-		  esac
-		fi
-		add="-l$name"
-	      elif test "$hardcode_shlibpath_var" = yes; then
-		add_shlibpath="$dir"
-		add="-l$name"
-	      else
-		lib_linked=no
-	      fi
-	      ;;
-	    *) lib_linked=no ;;
-	    esac
-
-	    if test "$lib_linked" != yes; then
-	      $echo "$modename: configuration error: unsupported hardcode properties"
-	      exit $EXIT_FAILURE
-	    fi
-
-	    if test -n "$add_shlibpath"; then
-	      case :$compile_shlibpath: in
-	      *":$add_shlibpath:"*) ;;
-	      *) compile_shlibpath="$compile_shlibpath$add_shlibpath:" ;;
-	      esac
-	    fi
-	    if test "$linkmode" = prog; then
-	      test -n "$add_dir" && compile_deplibs="$add_dir $compile_deplibs"
-	      test -n "$add" && compile_deplibs="$add $compile_deplibs"
-	    else
-	      test -n "$add_dir" && deplibs="$add_dir $deplibs"
-	      test -n "$add" && deplibs="$add $deplibs"
-	      if test "$hardcode_direct" != yes && \
-		 test "$hardcode_minus_L" != yes && \
-		 test "$hardcode_shlibpath_var" = yes; then
-		case :$finalize_shlibpath: in
-		*":$libdir:"*) ;;
-		*) finalize_shlibpath="$finalize_shlibpath$libdir:" ;;
-		esac
-	      fi
-	    fi
-	  fi
-
-	  if test "$linkmode" = prog || test "$mode" = relink; then
-	    add_shlibpath=
-	    add_dir=
-	    add=
-	    # Finalize command for both is simple: just hardcode it.
-	    if test "$hardcode_direct" = yes; then
-	      add="$libdir/$linklib"
-	    elif test "$hardcode_minus_L" = yes; then
-	      add_dir="-L$libdir"
-	      add="-l$name"
-	    elif test "$hardcode_shlibpath_var" = yes; then
-	      case :$finalize_shlibpath: in
-	      *":$libdir:"*) ;;
-	      *) finalize_shlibpath="$finalize_shlibpath$libdir:" ;;
-	      esac
-	      add="-l$name"
-	    elif test "$hardcode_automatic" = yes; then
-	      if test -n "$inst_prefix_dir" &&
-		 test -f "$inst_prefix_dir$libdir/$linklib" ; then
-	        add="$inst_prefix_dir$libdir/$linklib"
-	      else
-	        add="$libdir/$linklib"
-	      fi
-	    else
-	      # We cannot seem to hardcode it, guess we'll fake it.
-	      add_dir="-L$libdir"
-	      # Try looking first in the location we're being installed to.
-	      if test -n "$inst_prefix_dir"; then
-		case $libdir in
-		  [\\/]*)
-		    add_dir="$add_dir -L$inst_prefix_dir$libdir"
-		    ;;
-		esac
-	      fi
-	      add="-l$name"
-	    fi
-
-	    if test "$linkmode" = prog; then
-	      test -n "$add_dir" && finalize_deplibs="$add_dir $finalize_deplibs"
-	      test -n "$add" && finalize_deplibs="$add $finalize_deplibs"
-	    else
-	      test -n "$add_dir" && deplibs="$add_dir $deplibs"
-	      test -n "$add" && deplibs="$add $deplibs"
-	    fi
-	  fi
-	elif test "$linkmode" = prog; then
-	  # Here we assume that one of hardcode_direct or hardcode_minus_L
-	  # is not unsupported.  This is valid on all known static and
-	  # shared platforms.
-	  if test "$hardcode_direct" != unsupported; then
-	    test -n "$old_library" && linklib="$old_library"
-	    compile_deplibs="$dir/$linklib $compile_deplibs"
-	    finalize_deplibs="$dir/$linklib $finalize_deplibs"
-	  else
-	    compile_deplibs="-l$name -L$dir $compile_deplibs"
-	    finalize_deplibs="-l$name -L$dir $finalize_deplibs"
-	  fi
-	elif test "$build_libtool_libs" = yes; then
-	  # Not a shared library
-	  if test "$deplibs_check_method" != pass_all; then
-	    # We're trying link a shared library against a static one
-	    # but the system doesn't support it.
-
-	    # Just print a warning and add the library to dependency_libs so
-	    # that the program can be linked against the static library.
-	    $echo
-	    $echo "*** Warning: This system can not link to static lib archive $lib."
-	    $echo "*** I have the capability to make that library automatically link in when"
-	    $echo "*** you link to this library.  But I can only do this if you have a"
-	    $echo "*** shared version of the library, which you do not appear to have."
-	    if test "$module" = yes; then
-	      $echo "*** But as you try to build a module library, libtool will still create "
-	      $echo "*** a static module, that should work as long as the dlopening application"
-	      $echo "*** is linked with the -dlopen flag to resolve symbols at runtime."
-	      if test -z "$global_symbol_pipe"; then
-		$echo
-		$echo "*** However, this would only work if libtool was able to extract symbol"
-		$echo "*** lists from a program, using \`nm' or equivalent, but libtool could"
-		$echo "*** not find such a program.  So, this module is probably useless."
-		$echo "*** \`nm' from GNU binutils and a full rebuild may help."
-	      fi
-	      if test "$build_old_libs" = no; then
-		build_libtool_libs=module
-		build_old_libs=yes
-	      else
-		build_libtool_libs=no
-	      fi
-	    fi
-	  else
-	    deplibs="$dir/$old_library $deplibs"
-	    link_static=yes
-	  fi
-	fi # link shared/static library?
-
-	if test "$linkmode" = lib; then
-	  if test -n "$dependency_libs" &&
-	     { test "$hardcode_into_libs" != yes ||
-	       test "$build_old_libs" = yes ||
-	       test "$link_static" = yes; }; then
-	    # Extract -R from dependency_libs
-	    temp_deplibs=
-	    for libdir in $dependency_libs; do
-	      case $libdir in
-	      -R*) temp_xrpath=`$echo "X$libdir" | $Xsed -e 's/^-R//'`
-		   case " $xrpath " in
-		   *" $temp_xrpath "*) ;;
-		   *) xrpath="$xrpath $temp_xrpath";;
-		   esac;;
-	      *) temp_deplibs="$temp_deplibs $libdir";;
-	      esac
-	    done
-	    dependency_libs="$temp_deplibs"
-	  fi
-
-	  newlib_search_path="$newlib_search_path $absdir"
-	  # Link against this library
-	  test "$link_static" = no && newdependency_libs="$abs_ladir/$laname $newdependency_libs"
-	  # ... and its dependency_libs
-	  tmp_libs=
-	  for deplib in $dependency_libs; do
-	    newdependency_libs="$deplib $newdependency_libs"
-	    if test "X$duplicate_deps" = "Xyes" ; then
-	      case "$tmp_libs " in
-	      *" $deplib "*) specialdeplibs="$specialdeplibs $deplib" ;;
-	      esac
-	    fi
-	    tmp_libs="$tmp_libs $deplib"
-	  done
-
-	  if test "$link_all_deplibs" != no; then
-	    # Add the search paths of all dependency libraries
-	    for deplib in $dependency_libs; do
-	      case $deplib in
-	      -L*) path="$deplib" ;;
-	      *.la)
-		dir=`$echo "X$deplib" | $Xsed -e 's%/[^/]*$%%'`
-		test "X$dir" = "X$deplib" && dir="."
-		# We need an absolute path.
-		case $dir in
-		[\\/]* | [A-Za-z]:[\\/]*) absdir="$dir" ;;
-		*)
-		  absdir=`cd "$dir" && pwd`
-		  if test -z "$absdir"; then
-		    $echo "$modename: warning: cannot determine absolute directory name of \`$dir'" 1>&2
-		    absdir="$dir"
-		  fi
-		  ;;
-		esac
-		if grep "^installed=no" $deplib > /dev/null; then
-		  path="$absdir/$objdir"
-		else
-		  eval libdir=`${SED} -n -e 's/^libdir=\(.*\)$/\1/p' $deplib`
-		  if test -z "$libdir"; then
-		    $echo "$modename: \`$deplib' is not a valid libtool archive" 1>&2
-		    exit $EXIT_FAILURE
-		  fi
-		  if test "$absdir" != "$libdir"; then
-		    $echo "$modename: warning: \`$deplib' seems to be moved" 1>&2
-		  fi
-		  path="$absdir"
-		fi
-		depdepl=
-		case $host in
-		*-*-darwin*)
-		  # we do not want to link against static libs,
-		  # but need to link against shared
-		  eval deplibrary_names=`${SED} -n -e 's/^library_names=\(.*\)$/\1/p' $deplib`
-		  eval deplibdir=`${SED} -n -e 's/^libdir=\(.*\)$/\1/p' $deplib`
-		  if test -n "$deplibrary_names" ; then
-		    for tmp in $deplibrary_names ; do
-		      depdepl=$tmp
-		    done
-		    if test -f "$deplibdir/$depdepl" ; then
-		      depdepl="$deplibdir/$depdepl"
-	      	    elif test -f "$path/$depdepl" ; then
-		      depdepl="$path/$depdepl"
-		    else
-		      # Can't find it, oh well...
-		      depdepl=
-		    fi
-		    # do not add paths which are already there
-		    case " $newlib_search_path " in
-		    *" $path "*) ;;
-		    *) newlib_search_path="$newlib_search_path $path";;
-		    esac
-		  fi
-		  path=""
-		  ;;
-		*)
-		  path="-L$path"
-		  ;;
-		esac
-		;;
-	      -l*)
-		case $host in
-		*-*-darwin*)
-		  # Again, we only want to link against shared libraries
-		  eval tmp_libs=`$echo "X$deplib" | $Xsed -e "s,^\-l,,"`
-		  for tmp in $newlib_search_path ; do
-		    if test -f "$tmp/lib$tmp_libs.dylib" ; then
-		      eval depdepl="$tmp/lib$tmp_libs.dylib"
-		      break
-		    fi
-		  done
-		  path=""
-		  ;;
-		*) continue ;;
-		esac
-		;;
-	      *) continue ;;
-	      esac
-	      case " $deplibs " in
-	      *" $path "*) ;;
-	      *) deplibs="$path $deplibs" ;;
-	      esac
-	      case " $deplibs " in
-	      *" $depdepl "*) ;;
-	      *) deplibs="$depdepl $deplibs" ;;
-	      esac
-	    done
-	  fi # link_all_deplibs != no
-	fi # linkmode = lib
-      done # for deplib in $libs
-      dependency_libs="$newdependency_libs"
-      if test "$pass" = dlpreopen; then
-	# Link the dlpreopened libraries before other libraries
-	for deplib in $save_deplibs; do
-	  deplibs="$deplib $deplibs"
-	done
-      fi
-      if test "$pass" != dlopen; then
-	if test "$pass" != conv; then
-	  # Make sure lib_search_path contains only unique directories.
-	  lib_search_path=
-	  for dir in $newlib_search_path; do
-	    case "$lib_search_path " in
-	    *" $dir "*) ;;
-	    *) lib_search_path="$lib_search_path $dir" ;;
-	    esac
-	  done
-	  newlib_search_path=
-	fi
-
-	if test "$linkmode,$pass" != "prog,link"; then
-	  vars="deplibs"
-	else
-	  vars="compile_deplibs finalize_deplibs"
-	fi
-	for var in $vars dependency_libs; do
-	  # Add libraries to $var in reverse order
-	  eval tmp_libs=\"\$$var\"
-	  new_libs=
-	  for deplib in $tmp_libs; do
-	    # FIXME: Pedantically, this is the right thing to do, so
-	    #        that some nasty dependency loop isn't accidentally
-	    #        broken:
-	    #new_libs="$deplib $new_libs"
-	    # Pragmatically, this seems to cause very few problems in
-	    # practice:
-	    case $deplib in
-	    -L*) new_libs="$deplib $new_libs" ;;
-	    -R*) ;;
-	    *)
-	      # And here is the reason: when a library appears more
-	      # than once as an explicit dependence of a library, or
-	      # is implicitly linked in more than once by the
-	      # compiler, it is considered special, and multiple
-	      # occurrences thereof are not removed.  Compare this
-	      # with having the same library being listed as a
-	      # dependency of multiple other libraries: in this case,
-	      # we know (pedantically, we assume) the library does not
-	      # need to be listed more than once, so we keep only the
-	      # last copy.  This is not always right, but it is rare
-	      # enough that we require users that really mean to play
-	      # such unportable linking tricks to link the library
-	      # using -Wl,-lname, so that libtool does not consider it
-	      # for duplicate removal.
-	      case " $specialdeplibs " in
-	      *" $deplib "*) new_libs="$deplib $new_libs" ;;
-	      *)
-		case " $new_libs " in
-		*" $deplib "*) ;;
-		*) new_libs="$deplib $new_libs" ;;
-		esac
-		;;
-	      esac
-	      ;;
-	    esac
-	  done
-	  tmp_libs=
-	  for deplib in $new_libs; do
-	    case $deplib in
-	    -L*)
-	      case " $tmp_libs " in
-	      *" $deplib "*) ;;
-	      *) tmp_libs="$tmp_libs $deplib" ;;
-	      esac
-	      ;;
-	    *) tmp_libs="$tmp_libs $deplib" ;;
-	    esac
-	  done
-	  eval $var=\"$tmp_libs\"
-	done # for var
-      fi
-      # Last step: remove runtime libs from dependency_libs
-      # (they stay in deplibs)
-      tmp_libs=
-      for i in $dependency_libs ; do
-	case " $predeps $postdeps $compiler_lib_search_path " in
-	*" $i "*)
-	  i=""
-	  ;;
-	esac
-	if test -n "$i" ; then
-	  tmp_libs="$tmp_libs $i"
-	fi
-      done
-      dependency_libs=$tmp_libs
-    done # for pass
-    if test "$linkmode" = prog; then
-      dlfiles="$newdlfiles"
-      dlprefiles="$newdlprefiles"
-    fi
-
-    case $linkmode in
-    oldlib)
-      case " $deplibs" in
-      *\ -l* | *\ -L*)
-	$echo "$modename: warning: \`-l' and \`-L' are ignored for archives" 1>&2 ;;
-      esac
-
-      if test -n "$dlfiles$dlprefiles" || test "$dlself" != no; then
-	$echo "$modename: warning: \`-dlopen' is ignored for archives" 1>&2
-      fi
-
-      if test -n "$rpath"; then
-	$echo "$modename: warning: \`-rpath' is ignored for archives" 1>&2
-      fi
-
-      if test -n "$xrpath"; then
-	$echo "$modename: warning: \`-R' is ignored for archives" 1>&2
-      fi
-
-      if test -n "$vinfo"; then
-	$echo "$modename: warning: \`-version-info/-version-number' is ignored for archives" 1>&2
-      fi
-
-      if test -n "$release"; then
-	$echo "$modename: warning: \`-release' is ignored for archives" 1>&2
-      fi
-
-      if test -n "$export_symbols" || test -n "$export_symbols_regex"; then
-	$echo "$modename: warning: \`-export-symbols' is ignored for archives" 1>&2
-      fi
-
-      # Now set the variables for building old libraries.
-      build_libtool_libs=no
-      oldlibs="$output"
-      objs="$objs$old_deplibs"
-      ;;
-
-    lib)
-      # Make sure we only generate libraries of the form `libNAME.la'.
-      case $outputname in
-      lib*)
-	name=`$echo "X$outputname" | $Xsed -e 's/\.la$//' -e 's/^lib//'`
-	eval shared_ext=\"$shrext_cmds\"
-	eval libname=\"$libname_spec\"
-	;;
-      *)
-	if test "$module" = no; then
-	  $echo "$modename: libtool library \`$output' must begin with \`lib'" 1>&2
-	  $echo "$help" 1>&2
-	  exit $EXIT_FAILURE
-	fi
-	if test "$need_lib_prefix" != no; then
-	  # Add the "lib" prefix for modules if required
-	  name=`$echo "X$outputname" | $Xsed -e 's/\.la$//'`
-	  eval shared_ext=\"$shrext_cmds\"
-	  eval libname=\"$libname_spec\"
-	else
-	  libname=`$echo "X$outputname" | $Xsed -e 's/\.la$//'`
-	fi
-	;;
-      esac
-
-      if test -n "$objs"; then
-	if test "$deplibs_check_method" != pass_all; then
-	  $echo "$modename: cannot build libtool library \`$output' from non-libtool objects on this host:$objs" 2>&1
-	  exit $EXIT_FAILURE
-	else
-	  $echo
-	  $echo "*** Warning: Linking the shared library $output against the non-libtool"
-	  $echo "*** objects $objs is not portable!"
-	  libobjs="$libobjs $objs"
-	fi
-      fi
-
-      if test "$dlself" != no; then
-	$echo "$modename: warning: \`-dlopen self' is ignored for libtool libraries" 1>&2
-      fi
-
-      set dummy $rpath
-      if test "$#" -gt 2; then
-	$echo "$modename: warning: ignoring multiple \`-rpath's for a libtool library" 1>&2
-      fi
-      install_libdir="$2"
-
-      oldlibs=
-      if test -z "$rpath"; then
-	if test "$build_libtool_libs" = yes; then
-	  # Building a libtool convenience library.
-	  # Some compilers have problems with a `.al' extension so
-	  # convenience libraries should have the same extension an
-	  # archive normally would.
-	  oldlibs="$output_objdir/$libname.$libext $oldlibs"
-	  build_libtool_libs=convenience
-	  build_old_libs=yes
-	fi
-
-	if test -n "$vinfo"; then
-	  $echo "$modename: warning: \`-version-info/-version-number' is ignored for convenience libraries" 1>&2
-	fi
-
-	if test -n "$release"; then
-	  $echo "$modename: warning: \`-release' is ignored for convenience libraries" 1>&2
-	fi
-      else
-
-	# Parse the version information argument.
-	save_ifs="$IFS"; IFS=':'
-	set dummy $vinfo 0 0 0
-	IFS="$save_ifs"
-
-	if test -n "$8"; then
-	  $echo "$modename: too many parameters to \`-version-info'" 1>&2
-	  $echo "$help" 1>&2
-	  exit $EXIT_FAILURE
-	fi
-
-	# convert absolute version numbers to libtool ages
-	# this retains compatibility with .la files and attempts
-	# to make the code below a bit more comprehensible
-
-	case $vinfo_number in
-	yes)
-	  number_major="$2"
-	  number_minor="$3"
-	  number_revision="$4"
-	  #
-	  # There are really only two kinds -- those that
-	  # use the current revision as the major version
-	  # and those that subtract age and use age as
-	  # a minor version.  But, then there is irix
-	  # which has an extra 1 added just for fun
-	  #
-	  case $version_type in
-	  darwin|linux|osf|windows|none)
-	    current=`expr $number_major + $number_minor`
-	    age="$number_minor"
-	    revision="$number_revision"
-	    ;;
-	  freebsd-aout|freebsd-elf|sunos)
-	    current="$number_major"
-	    revision="$number_minor"
-	    age="0"
-	    ;;
-	  irix|nonstopux)
-	    current=`expr $number_major + $number_minor`
-	    age="$number_minor"
-	    revision="$number_minor"
-	    lt_irix_increment=no
-	    ;;
-	  *)
-	    $echo "$modename: unknown library version type \`$version_type'" 1>&2
-	    $echo "Fatal configuration error.  See the $PACKAGE docs for more information." 1>&2
-	    exit $EXIT_FAILURE
-	    ;;
-	  esac
-	  ;;
-	no)
-	  current="$2"
-	  revision="$3"
-	  age="$4"
-	  ;;
-	esac
-
-	# Check that each of the things are valid numbers.
-	case $current in
-	0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-9][0-9][0-9][0-9]|[1-9][0-9][0-9][0-9][0-9]) ;;
-	*)
-	  $echo "$modename: CURRENT \`$current' must be a nonnegative integer" 1>&2
-	  $echo "$modename: \`$vinfo' is not valid version information" 1>&2
-	  exit $EXIT_FAILURE
-	  ;;
-	esac
-
-	case $revision in
-	0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-9][0-9][0-9][0-9]|[1-9][0-9][0-9][0-9][0-9]) ;;
-	*)
-	  $echo "$modename: REVISION \`$revision' must be a nonnegative integer" 1>&2
-	  $echo "$modename: \`$vinfo' is not valid version information" 1>&2
-	  exit $EXIT_FAILURE
-	  ;;
-	esac
-
-	case $age in
-	0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-9][0-9][0-9][0-9]|[1-9][0-9][0-9][0-9][0-9]) ;;
-	*)
-	  $echo "$modename: AGE \`$age' must be a nonnegative integer" 1>&2
-	  $echo "$modename: \`$vinfo' is not valid version information" 1>&2
-	  exit $EXIT_FAILURE
-	  ;;
-	esac
-
-	if test "$age" -gt "$current"; then
-	  $echo "$modename: AGE \`$age' is greater than the current interface number \`$current'" 1>&2
-	  $echo "$modename: \`$vinfo' is not valid version information" 1>&2
-	  exit $EXIT_FAILURE
-	fi
-
-	# Calculate the version variables.
-	major=
-	versuffix=
-	verstring=
-	case $version_type in
-	none) ;;
-
-	darwin)
-	  # Like Linux, but with the current version available in
-	  # verstring for coding it into the library header
-	  major=.`expr $current - $age`
-	  versuffix="$major.$age.$revision"
-	  # Darwin ld doesn't like 0 for these options...
-	  minor_current=`expr $current + 1`
-	  xlcverstring="${wl}-compatibility_version ${wl}$minor_current ${wl}-current_version ${wl}$minor_current.$revision"
-	  verstring="-compatibility_version $minor_current -current_version $minor_current.$revision"
-	  ;;
-
-	freebsd-aout)
-	  major=".$current"
-	  versuffix=".$current.$revision";
-	  ;;
-
-	freebsd-elf)
-	  major=".$current"
-	  versuffix=".$current";
-	  ;;
-
-	irix | nonstopux)
-	  if test "X$lt_irix_increment" = "Xno"; then
-	    major=`expr $current - $age`
-	  else
-	    major=`expr $current - $age + 1`
-	  fi
-	  case $version_type in
-	    nonstopux) verstring_prefix=nonstopux ;;
-	    *)         verstring_prefix=sgi ;;
-	  esac
-	  verstring="$verstring_prefix$major.$revision"
-
-	  # Add in all the interfaces that we are compatible with.
-	  loop=$revision
-	  while test "$loop" -ne 0; do
-	    iface=`expr $revision - $loop`
-	    loop=`expr $loop - 1`
-	    verstring="$verstring_prefix$major.$iface:$verstring"
-	  done
-
-	  # Before this point, $major must not contain `.'.
-	  major=.$major
-	  versuffix="$major.$revision"
-	  ;;
-
-	linux)
-	  major=.`expr $current - $age`
-	  versuffix="$major.$age.$revision"
-	  ;;
-
-	osf)
-	  major=.`expr $current - $age`
-	  versuffix=".$current.$age.$revision"
-	  verstring="$current.$age.$revision"
-
-	  # Add in all the interfaces that we are compatible with.
-	  loop=$age
-	  while test "$loop" -ne 0; do
-	    iface=`expr $current - $loop`
-	    loop=`expr $loop - 1`
-	    verstring="$verstring:${iface}.0"
-	  done
-
-	  # Make executables depend on our current version.
-	  verstring="$verstring:${current}.0"
-	  ;;
-
-	sunos)
-	  major=".$current"
-	  versuffix=".$current.$revision"
-	  ;;
-
-	windows)
-	  # Use '-' rather than '.', since we only want one
-	  # extension on DOS 8.3 filesystems.
-	  major=`expr $current - $age`
-	  versuffix="-$major"
-	  ;;
-
-	*)
-	  $echo "$modename: unknown library version type \`$version_type'" 1>&2
-	  $echo "Fatal configuration error.  See the $PACKAGE docs for more information." 1>&2
-	  exit $EXIT_FAILURE
-	  ;;
-	esac
-
-	# Clear the version info if we defaulted, and they specified a release.
-	if test -z "$vinfo" && test -n "$release"; then
-	  major=
-	  case $version_type in
-	  darwin)
-	    # we can't check for "0.0" in archive_cmds due to quoting
-	    # problems, so we reset it completely
-	    verstring=
-	    ;;
-	  *)
-	    verstring="0.0"
-	    ;;
-	  esac
-	  if test "$need_version" = no; then
-	    versuffix=
-	  else
-	    versuffix=".0.0"
-	  fi
-	fi
-
-	# Remove version info from name if versioning should be avoided
-	if test "$avoid_version" = yes && test "$need_version" = no; then
-	  major=
-	  versuffix=
-	  verstring=""
-	fi
-
-	# Check to see if the archive will have undefined symbols.
-	if test "$allow_undefined" = yes; then
-	  if test "$allow_undefined_flag" = unsupported; then
-	    $echo "$modename: warning: undefined symbols not allowed in $host shared libraries" 1>&2
-	    build_libtool_libs=no
-	    build_old_libs=yes
-	  fi
-	else
-	  # Don't allow undefined symbols.
-	  allow_undefined_flag="$no_undefined_flag"
-	fi
-      fi
-
-      if test "$mode" != relink; then
-	# Remove our outputs, but don't remove object files since they
-	# may have been created when compiling PIC objects.
-	removelist=
-	tempremovelist=`$echo "$output_objdir/*"`
-	for p in $tempremovelist; do
-	  case $p in
-	    *.$objext)
-	       ;;
-	    $output_objdir/$outputname | $output_objdir/$libname.* | $output_objdir/${libname}${release}.*)
-	       if test "X$precious_files_regex" != "X"; then
-	         if echo $p | $EGREP -e "$precious_files_regex" >/dev/null 2>&1
-	         then
-		   continue
-		 fi
-	       fi
-	       removelist="$removelist $p"
-	       ;;
-	    *) ;;
-	  esac
-	done
-	if test -n "$removelist"; then
-	  $show "${rm}r $removelist"
-	  $run ${rm}r $removelist
-	fi
-      fi
-
-      # Now set the variables for building old libraries.
-      if test "$build_old_libs" = yes && test "$build_libtool_libs" != convenience ; then
-	oldlibs="$oldlibs $output_objdir/$libname.$libext"
-
-	# Transform .lo files to .o files.
-	oldobjs="$objs "`$echo "X$libobjs" | $SP2NL | $Xsed -e '/\.'${libext}'$/d' -e "$lo2o" | $NL2SP`
-      fi
-
-      # Eliminate all temporary directories.
-      #for path in $notinst_path; do
-      #	lib_search_path=`$echo "$lib_search_path " | ${SED} -e "s% $path % %g"`
-      #	deplibs=`$echo "$deplibs " | ${SED} -e "s% -L$path % %g"`
-      #	dependency_libs=`$echo "$dependency_libs " | ${SED} -e "s% -L$path % %g"`
-      #done
-
-      if test -n "$xrpath"; then
-	# If the user specified any rpath flags, then add them.
-	temp_xrpath=
-	for libdir in $xrpath; do
-	  temp_xrpath="$temp_xrpath -R$libdir"
-	  case "$finalize_rpath " in
-	  *" $libdir "*) ;;
-	  *) finalize_rpath="$finalize_rpath $libdir" ;;
-	  esac
-	done
-	if test "$hardcode_into_libs" != yes || test "$build_old_libs" = yes; then
-	  dependency_libs="$temp_xrpath $dependency_libs"
-	fi
-      fi
-
-      # Make sure dlfiles contains only unique files that won't be dlpreopened
-      old_dlfiles="$dlfiles"
-      dlfiles=
-      for lib in $old_dlfiles; do
-	case " $dlprefiles $dlfiles " in
-	*" $lib "*) ;;
-	*) dlfiles="$dlfiles $lib" ;;
-	esac
-      done
-
-      # Make sure dlprefiles contains only unique files
-      old_dlprefiles="$dlprefiles"
-      dlprefiles=
-      for lib in $old_dlprefiles; do
-	case "$dlprefiles " in
-	*" $lib "*) ;;
-	*) dlprefiles="$dlprefiles $lib" ;;
-	esac
-      done
-
-      if test "$build_libtool_libs" = yes; then
-	if test -n "$rpath"; then
-	  case $host in
-	  *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2* | *-*-beos*)
-	    # these systems don't actually have a c library (as such)!
-	    ;;
-	  *-*-rhapsody* | *-*-darwin1.[012])
-	    # Rhapsody C library is in the System framework
-	    deplibs="$deplibs -framework System"
-	    ;;
-	  *-*-netbsd*)
-	    # Don't link with libc until the a.out ld.so is fixed.
-	    ;;
-	  *-*-openbsd* | *-*-freebsd* | *-*-dragonfly*)
-	    # Do not include libc due to us having libc/libc_r.
-	    ;;
-	  *-*-sco3.2v5* | *-*-sco5v6*)
-	    # Causes problems with __ctype
-	    ;;
-	  *-*-sysv4.2uw2* | *-*-sysv5* | *-*-unixware* | *-*-OpenUNIX*)
-	    # Compiler inserts libc in the correct place for threads to work
-	    ;;
- 	  *)
-	    # Add libc to deplibs on all other systems if necessary.
-	    if test "$build_libtool_need_lc" = "yes"; then
-	      deplibs="$deplibs -lc"
-	    fi
-	    ;;
-	  esac
-	fi
-
-	# Transform deplibs into only deplibs that can be linked in shared.
-	name_save=$name
-	libname_save=$libname
-	release_save=$release
-	versuffix_save=$versuffix
-	major_save=$major
-	# I'm not sure if I'm treating the release correctly.  I think
-	# release should show up in the -l (ie -lgmp5) so we don't want to
-	# add it in twice.  Is that correct?
-	release=""
-	versuffix=""
-	major=""
-	newdeplibs=
-	droppeddeps=no
-	case $deplibs_check_method in
-	pass_all)
-	  # Don't check for shared/static.  Everything works.
-	  # This might be a little naive.  We might want to check
-	  # whether the library exists or not.  But this is on
-	  # osf3 & osf4 and I'm not really sure... Just
-	  # implementing what was already the behavior.
-	  newdeplibs=$deplibs
-	  ;;
-	test_compile)
-	  # This code stresses the "libraries are programs" paradigm to its
-	  # limits. Maybe even breaks it.  We compile a program, linking it
-	  # against the deplibs as a proxy for the library.  Then we can check
-	  # whether they linked in statically or dynamically with ldd.
-	  $rm conftest.c
-	  cat > conftest.c <<EOF
-	  int main() { return 0; }
-EOF
-	  $rm conftest
-	  if $LTCC $LTCFLAGS -o conftest conftest.c $deplibs; then
-	    ldd_output=`ldd conftest`
-	    for i in $deplibs; do
-	      name=`expr $i : '-l\(.*\)'`
-	      # If $name is empty we are operating on a -L argument.
-              if test "$name" != "" && test "$name" != "0"; then
-		if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then
-		  case " $predeps $postdeps " in
-		  *" $i "*)
-		    newdeplibs="$newdeplibs $i"
-		    i=""
-		    ;;
-		  esac
-	        fi
-		if test -n "$i" ; then
-		  libname=`eval \\$echo \"$libname_spec\"`
-		  deplib_matches=`eval \\$echo \"$library_names_spec\"`
-		  set dummy $deplib_matches
-		  deplib_match=$2
-		  if test `expr "$ldd_output" : ".*$deplib_match"` -ne 0 ; then
-		    newdeplibs="$newdeplibs $i"
-		  else
-		    droppeddeps=yes
-		    $echo
-		    $echo "*** Warning: dynamic linker does not accept needed library $i."
-		    $echo "*** I have the capability to make that library automatically link in when"
-		    $echo "*** you link to this library.  But I can only do this if you have a"
-		    $echo "*** shared version of the library, which I believe you do not have"
-		    $echo "*** because a test_compile did reveal that the linker did not use it for"
-		    $echo "*** its dynamic dependency list that programs get resolved with at runtime."
-		  fi
-		fi
-	      else
-		newdeplibs="$newdeplibs $i"
-	      fi
-	    done
-	  else
-	    # Error occurred in the first compile.  Let's try to salvage
-	    # the situation: Compile a separate program for each library.
-	    for i in $deplibs; do
-	      name=`expr $i : '-l\(.*\)'`
-	      # If $name is empty we are operating on a -L argument.
-              if test "$name" != "" && test "$name" != "0"; then
-		$rm conftest
-		if $LTCC $LTCFLAGS -o conftest conftest.c $i; then
-		  ldd_output=`ldd conftest`
-		  if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then
-		    case " $predeps $postdeps " in
-		    *" $i "*)
-		      newdeplibs="$newdeplibs $i"
-		      i=""
-		      ;;
-		    esac
-		  fi
-		  if test -n "$i" ; then
-		    libname=`eval \\$echo \"$libname_spec\"`
-		    deplib_matches=`eval \\$echo \"$library_names_spec\"`
-		    set dummy $deplib_matches
-		    deplib_match=$2
-		    if test `expr "$ldd_output" : ".*$deplib_match"` -ne 0 ; then
-		      newdeplibs="$newdeplibs $i"
-		    else
-		      droppeddeps=yes
-		      $echo
-		      $echo "*** Warning: dynamic linker does not accept needed library $i."
-		      $echo "*** I have the capability to make that library automatically link in when"
-		      $echo "*** you link to this library.  But I can only do this if you have a"
-		      $echo "*** shared version of the library, which you do not appear to have"
-		      $echo "*** because a test_compile did reveal that the linker did not use this one"
-		      $echo "*** as a dynamic dependency that programs can get resolved with at runtime."
-		    fi
-		  fi
-		else
-		  droppeddeps=yes
-		  $echo
-		  $echo "*** Warning!  Library $i is needed by this library but I was not able to"
-		  $echo "*** make it link in!  You will probably need to install it or some"
-		  $echo "*** library that it depends on before this library will be fully"
-		  $echo "*** functional.  Installing it before continuing would be even better."
-		fi
-	      else
-		newdeplibs="$newdeplibs $i"
-	      fi
-	    done
-	  fi
-	  ;;
-	file_magic*)
-	  set dummy $deplibs_check_method
-	  file_magic_regex=`expr "$deplibs_check_method" : "$2 \(.*\)"`
-	  for a_deplib in $deplibs; do
-	    name=`expr $a_deplib : '-l\(.*\)'`
-	    # If $name is empty we are operating on a -L argument.
-            if test "$name" != "" && test  "$name" != "0"; then
-	      if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then
-		case " $predeps $postdeps " in
-		*" $a_deplib "*)
-		  newdeplibs="$newdeplibs $a_deplib"
-		  a_deplib=""
-		  ;;
-		esac
-	      fi
-	      if test -n "$a_deplib" ; then
-		libname=`eval \\$echo \"$libname_spec\"`
-		for i in $lib_search_path $sys_lib_search_path $shlib_search_path; do
-		  potential_libs=`ls $i/$libname[.-]* 2>/dev/null`
-		  for potent_lib in $potential_libs; do
-		      # Follow soft links.
-		      if ls -lLd "$potent_lib" 2>/dev/null \
-			 | grep " -> " >/dev/null; then
-			continue
-		      fi
-		      # The statement above tries to avoid entering an
-		      # endless loop below, in case of cyclic links.
-		      # We might still enter an endless loop, since a link
-		      # loop can be closed while we follow links,
-		      # but so what?
-		      potlib="$potent_lib"
-		      while test -h "$potlib" 2>/dev/null; do
-			potliblink=`ls -ld $potlib | ${SED} 's/.* -> //'`
-			case $potliblink in
-			[\\/]* | [A-Za-z]:[\\/]*) potlib="$potliblink";;
-			*) potlib=`$echo "X$potlib" | $Xsed -e 's,[^/]*$,,'`"$potliblink";;
-			esac
-		      done
-		      if eval $file_magic_cmd \"\$potlib\" 2>/dev/null \
-			 | ${SED} 10q \
-			 | $EGREP "$file_magic_regex" > /dev/null; then
-			newdeplibs="$newdeplibs $a_deplib"
-			a_deplib=""
-			break 2
-		      fi
-		  done
-		done
-	      fi
-	      if test -n "$a_deplib" ; then
-		droppeddeps=yes
-		$echo
-		$echo "*** Warning: linker path does not have real file for library $a_deplib."
-		$echo "*** I have the capability to make that library automatically link in when"
-		$echo "*** you link to this library.  But I can only do this if you have a"
-		$echo "*** shared version of the library, which you do not appear to have"
-		$echo "*** because I did check the linker path looking for a file starting"
-		if test -z "$potlib" ; then
-		  $echo "*** with $libname but no candidates were found. (...for file magic test)"
-		else
-		  $echo "*** with $libname and none of the candidates passed a file format test"
-		  $echo "*** using a file magic. Last file checked: $potlib"
-		fi
-	      fi
-	    else
-	      # Add a -L argument.
-	      newdeplibs="$newdeplibs $a_deplib"
-	    fi
-	  done # Gone through all deplibs.
-	  ;;
-	match_pattern*)
-	  set dummy $deplibs_check_method
-	  match_pattern_regex=`expr "$deplibs_check_method" : "$2 \(.*\)"`
-	  for a_deplib in $deplibs; do
-	    name=`expr $a_deplib : '-l\(.*\)'`
-	    # If $name is empty we are operating on a -L argument.
-	    if test -n "$name" && test "$name" != "0"; then
-	      if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then
-		case " $predeps $postdeps " in
-		*" $a_deplib "*)
-		  newdeplibs="$newdeplibs $a_deplib"
-		  a_deplib=""
-		  ;;
-		esac
-	      fi
-	      if test -n "$a_deplib" ; then
-		libname=`eval \\$echo \"$libname_spec\"`
-		for i in $lib_search_path $sys_lib_search_path $shlib_search_path; do
-		  potential_libs=`ls $i/$libname[.-]* 2>/dev/null`
-		  for potent_lib in $potential_libs; do
-		    potlib="$potent_lib" # see symlink-check above in file_magic test
-		    if eval $echo \"$potent_lib\" 2>/dev/null \
-		        | ${SED} 10q \
-		        | $EGREP "$match_pattern_regex" > /dev/null; then
-		      newdeplibs="$newdeplibs $a_deplib"
-		      a_deplib=""
-		      break 2
-		    fi
-		  done
-		done
-	      fi
-	      if test -n "$a_deplib" ; then
-		droppeddeps=yes
-		$echo
-		$echo "*** Warning: linker path does not have real file for library $a_deplib."
-		$echo "*** I have the capability to make that library automatically link in when"
-		$echo "*** you link to this library.  But I can only do this if you have a"
-		$echo "*** shared version of the library, which you do not appear to have"
-		$echo "*** because I did check the linker path looking for a file starting"
-		if test -z "$potlib" ; then
-		  $echo "*** with $libname but no candidates were found. (...for regex pattern test)"
-		else
-		  $echo "*** with $libname and none of the candidates passed a file format test"
-		  $echo "*** using a regex pattern. Last file checked: $potlib"
-		fi
-	      fi
-	    else
-	      # Add a -L argument.
-	      newdeplibs="$newdeplibs $a_deplib"
-	    fi
-	  done # Gone through all deplibs.
-	  ;;
-	none | unknown | *)
-	  newdeplibs=""
-	  tmp_deplibs=`$echo "X $deplibs" | $Xsed -e 's/ -lc$//' \
-	    -e 's/ -[LR][^ ]*//g'`
-	  if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then
-	    for i in $predeps $postdeps ; do
-	      # can't use Xsed below, because $i might contain '/'
-	      tmp_deplibs=`$echo "X $tmp_deplibs" | ${SED} -e "1s,^X,," -e "s,$i,,"`
-	    done
-	  fi
-	  if $echo "X $tmp_deplibs" | $Xsed -e 's/[ 	]//g' \
-	    | grep . >/dev/null; then
-	    $echo
-	    if test "X$deplibs_check_method" = "Xnone"; then
-	      $echo "*** Warning: inter-library dependencies are not supported in this platform."
-	    else
-	      $echo "*** Warning: inter-library dependencies are not known to be supported."
-	    fi
-	    $echo "*** All declared inter-library dependencies are being dropped."
-	    droppeddeps=yes
-	  fi
-	  ;;
-	esac
-	versuffix=$versuffix_save
-	major=$major_save
-	release=$release_save
-	libname=$libname_save
-	name=$name_save
-
-	case $host in
-	*-*-rhapsody* | *-*-darwin1.[012])
-	  # On Rhapsody replace the C library is the System framework
-	  newdeplibs=`$echo "X $newdeplibs" | $Xsed -e 's/ -lc / -framework System /'`
-	  ;;
-	esac
-
-	if test "$droppeddeps" = yes; then
-	  if test "$module" = yes; then
-	    $echo
-	    $echo "*** Warning: libtool could not satisfy all declared inter-library"
-	    $echo "*** dependencies of module $libname.  Therefore, libtool will create"
-	    $echo "*** a static module, that should work as long as the dlopening"
-	    $echo "*** application is linked with the -dlopen flag."
-	    if test -z "$global_symbol_pipe"; then
-	      $echo
-	      $echo "*** However, this would only work if libtool was able to extract symbol"
-	      $echo "*** lists from a program, using \`nm' or equivalent, but libtool could"
-	      $echo "*** not find such a program.  So, this module is probably useless."
-	      $echo "*** \`nm' from GNU binutils and a full rebuild may help."
-	    fi
-	    if test "$build_old_libs" = no; then
-	      oldlibs="$output_objdir/$libname.$libext"
-	      build_libtool_libs=module
-	      build_old_libs=yes
-	    else
-	      build_libtool_libs=no
-	    fi
-	  else
-	    $echo "*** The inter-library dependencies that have been dropped here will be"
-	    $echo "*** automatically added whenever a program is linked with this library"
-	    $echo "*** or is declared to -dlopen it."
-
-	    if test "$allow_undefined" = no; then
-	      $echo
-	      $echo "*** Since this library must not contain undefined symbols,"
-	      $echo "*** because either the platform does not support them or"
-	      $echo "*** it was explicitly requested with -no-undefined,"
-	      $echo "*** libtool will only create a static version of it."
-	      if test "$build_old_libs" = no; then
-		oldlibs="$output_objdir/$libname.$libext"
-		build_libtool_libs=module
-		build_old_libs=yes
-	      else
-		build_libtool_libs=no
-	      fi
-	    fi
-	  fi
-	fi
-	# Done checking deplibs!
-	deplibs=$newdeplibs
-      fi
-
-
-      # move library search paths that coincide with paths to not yet
-      # installed libraries to the beginning of the library search list
-      new_libs=
-      for path in $notinst_path; do
-	case " $new_libs " in
-	*" -L$path/$objdir "*) ;;
-	*)
-	  case " $deplibs " in
-	  *" -L$path/$objdir "*)
-	    new_libs="$new_libs -L$path/$objdir" ;;
-	  esac
-	  ;;
-	esac
-      done
-      for deplib in $deplibs; do
-	case $deplib in
-	-L*)
-	  case " $new_libs " in
-	  *" $deplib "*) ;;
-	  *) new_libs="$new_libs $deplib" ;;
-	  esac
-	  ;;
-	*) new_libs="$new_libs $deplib" ;;
-	esac
-      done
-      deplibs="$new_libs"
-
-
-      # All the library-specific variables (install_libdir is set above).
-      library_names=
-      old_library=
-      dlname=
-
-      # Test again, we may have decided not to build it any more
-      if test "$build_libtool_libs" = yes; then
-	if test "$hardcode_into_libs" = yes; then
-	  # Hardcode the library paths
-	  hardcode_libdirs=
-	  dep_rpath=
-	  rpath="$finalize_rpath"
-	  test "$mode" != relink && rpath="$compile_rpath$rpath"
-	  for libdir in $rpath; do
-	    if test -n "$hardcode_libdir_flag_spec"; then
-	      if test -n "$hardcode_libdir_separator"; then
-		if test -z "$hardcode_libdirs"; then
-		  hardcode_libdirs="$libdir"
-		else
-		  # Just accumulate the unique libdirs.
-		  case $hardcode_libdir_separator$hardcode_libdirs$hardcode_libdir_separator in
-		  *"$hardcode_libdir_separator$libdir$hardcode_libdir_separator"*)
-		    ;;
-		  *)
-		    hardcode_libdirs="$hardcode_libdirs$hardcode_libdir_separator$libdir"
-		    ;;
-		  esac
-		fi
-	      else
-		eval flag=\"$hardcode_libdir_flag_spec\"
-		dep_rpath="$dep_rpath $flag"
-	      fi
-	    elif test -n "$runpath_var"; then
-	      case "$perm_rpath " in
-	      *" $libdir "*) ;;
-	      *) perm_rpath="$perm_rpath $libdir" ;;
-	      esac
-	    fi
-	  done
-	  # Substitute the hardcoded libdirs into the rpath.
-	  if test -n "$hardcode_libdir_separator" &&
-	     test -n "$hardcode_libdirs"; then
-	    libdir="$hardcode_libdirs"
-	    if test -n "$hardcode_libdir_flag_spec_ld"; then
-	      case $archive_cmds in
-	      *\$LD*) eval dep_rpath=\"$hardcode_libdir_flag_spec_ld\" ;;
-	      *)      eval dep_rpath=\"$hardcode_libdir_flag_spec\" ;;
-	      esac
-	    else
-	      eval dep_rpath=\"$hardcode_libdir_flag_spec\"
-	    fi
-	  fi
-	  if test -n "$runpath_var" && test -n "$perm_rpath"; then
-	    # We should set the runpath_var.
-	    rpath=
-	    for dir in $perm_rpath; do
-	      rpath="$rpath$dir:"
-	    done
-	    eval "$runpath_var='$rpath\$$runpath_var'; export $runpath_var"
-	  fi
-	  test -n "$dep_rpath" && deplibs="$dep_rpath $deplibs"
-	fi
-
-	shlibpath="$finalize_shlibpath"
-	test "$mode" != relink && shlibpath="$compile_shlibpath$shlibpath"
-	if test -n "$shlibpath"; then
-	  eval "$shlibpath_var='$shlibpath\$$shlibpath_var'; export $shlibpath_var"
-	fi
-
-	# Get the real and link names of the library.
-	eval shared_ext=\"$shrext_cmds\"
-	eval library_names=\"$library_names_spec\"
-	set dummy $library_names
-	realname="$2"
-	shift; shift
-
-	if test -n "$soname_spec"; then
-	  eval soname=\"$soname_spec\"
-	else
-	  soname="$realname"
-	fi
-	if test -z "$dlname"; then
-	  dlname=$soname
-	fi
-
-	lib="$output_objdir/$realname"
-	linknames=
-	for link
-	do
-	  linknames="$linknames $link"
-	done
-
-	# Use standard objects if they are pic
-	test -z "$pic_flag" && libobjs=`$echo "X$libobjs" | $SP2NL | $Xsed -e "$lo2o" | $NL2SP`
-
-	# Prepare the list of exported symbols
-	if test -z "$export_symbols"; then
-	  if test "$always_export_symbols" = yes || test -n "$export_symbols_regex"; then
-	    $show "generating symbol list for \`$libname.la'"
-	    export_symbols="$output_objdir/$libname.exp"
-	    $run $rm $export_symbols
-	    cmds=$export_symbols_cmds
-	    save_ifs="$IFS"; IFS='~'
-	    for cmd in $cmds; do
-	      IFS="$save_ifs"
-	      eval cmd=\"$cmd\"
-	      if len=`expr "X$cmd" : ".*"` &&
-	       test "$len" -le "$max_cmd_len" || test "$max_cmd_len" -le -1; then
-	        $show "$cmd"
-	        $run eval "$cmd" || exit $?
-	        skipped_export=false
-	      else
-	        # The command line is too long to execute in one step.
-	        $show "using reloadable object file for export list..."
-	        skipped_export=:
-		# Break out early, otherwise skipped_export may be
-		# set to false by a later but shorter cmd.
-		break
-	      fi
-	    done
-	    IFS="$save_ifs"
-	    if test -n "$export_symbols_regex"; then
-	      $show "$EGREP -e \"$export_symbols_regex\" \"$export_symbols\" > \"${export_symbols}T\""
-	      $run eval '$EGREP -e "$export_symbols_regex" "$export_symbols" > "${export_symbols}T"'
-	      $show "$mv \"${export_symbols}T\" \"$export_symbols\""
-	      $run eval '$mv "${export_symbols}T" "$export_symbols"'
-	    fi
-	  fi
-	fi
-
-	if test -n "$export_symbols" && test -n "$include_expsyms"; then
-	  $run eval '$echo "X$include_expsyms" | $SP2NL >> "$export_symbols"'
-	fi
-
-	tmp_deplibs=
-	for test_deplib in $deplibs; do
-		case " $convenience " in
-		*" $test_deplib "*) ;;
-		*)
-			tmp_deplibs="$tmp_deplibs $test_deplib"
-			;;
-		esac
-	done
-	deplibs="$tmp_deplibs"
-
-	if test -n "$convenience"; then
-	  if test -n "$whole_archive_flag_spec"; then
-	    save_libobjs=$libobjs
-	    eval libobjs=\"\$libobjs $whole_archive_flag_spec\"
-	  else
-	    gentop="$output_objdir/${outputname}x"
-	    generated="$generated $gentop"
-
-	    func_extract_archives $gentop $convenience
-	    libobjs="$libobjs $func_extract_archives_result"
-	  fi
-	fi
-	
-	if test "$thread_safe" = yes && test -n "$thread_safe_flag_spec"; then
-	  eval flag=\"$thread_safe_flag_spec\"
-	  linker_flags="$linker_flags $flag"
-	fi
-
-	# Make a backup of the uninstalled library when relinking
-	if test "$mode" = relink; then
-	  $run eval '(cd $output_objdir && $rm ${realname}U && $mv $realname ${realname}U)' || exit $?
-	fi
-
-	# Do each of the archive commands.
-	if test "$module" = yes && test -n "$module_cmds" ; then
-	  if test -n "$export_symbols" && test -n "$module_expsym_cmds"; then
-	    eval test_cmds=\"$module_expsym_cmds\"
-	    cmds=$module_expsym_cmds
-	  else
-	    eval test_cmds=\"$module_cmds\"
-	    cmds=$module_cmds
-	  fi
-	else
-	if test -n "$export_symbols" && test -n "$archive_expsym_cmds"; then
-	  eval test_cmds=\"$archive_expsym_cmds\"
-	  cmds=$archive_expsym_cmds
-	else
-	  eval test_cmds=\"$archive_cmds\"
-	  cmds=$archive_cmds
-	  fi
-	fi
-
-	if test "X$skipped_export" != "X:" &&
-	   len=`expr "X$test_cmds" : ".*" 2>/dev/null` &&
-	   test "$len" -le "$max_cmd_len" || test "$max_cmd_len" -le -1; then
-	  :
-	else
-	  # The command line is too long to link in one step, link piecewise.
-	  $echo "creating reloadable object files..."
-
-	  # Save the value of $output and $libobjs because we want to
-	  # use them later.  If we have whole_archive_flag_spec, we
-	  # want to use save_libobjs as it was before
-	  # whole_archive_flag_spec was expanded, because we can't
-	  # assume the linker understands whole_archive_flag_spec.
-	  # This may have to be revisited, in case too many
-	  # convenience libraries get linked in and end up exceeding
-	  # the spec.
-	  if test -z "$convenience" || test -z "$whole_archive_flag_spec"; then
-	    save_libobjs=$libobjs
-	  fi
-	  save_output=$output
-	  output_la=`$echo "X$output" | $Xsed -e "$basename"`
-
-	  # Clear the reloadable object creation command queue and
-	  # initialize k to one.
-	  test_cmds=
-	  concat_cmds=
-	  objlist=
-	  delfiles=
-	  last_robj=
-	  k=1
-	  output=$output_objdir/$output_la-${k}.$objext
-	  # Loop over the list of objects to be linked.
-	  for obj in $save_libobjs
-	  do
-	    eval test_cmds=\"$reload_cmds $objlist $last_robj\"
-	    if test "X$objlist" = X ||
-	       { len=`expr "X$test_cmds" : ".*" 2>/dev/null` &&
-		 test "$len" -le "$max_cmd_len"; }; then
-	      objlist="$objlist $obj"
-	    else
-	      # The command $test_cmds is almost too long, add a
-	      # command to the queue.
-	      if test "$k" -eq 1 ; then
-		# The first file doesn't have a previous command to add.
-		eval concat_cmds=\"$reload_cmds $objlist $last_robj\"
-	      else
-		# All subsequent reloadable object files will link in
-		# the last one created.
-		eval concat_cmds=\"\$concat_cmds~$reload_cmds $objlist $last_robj\"
-	      fi
-	      last_robj=$output_objdir/$output_la-${k}.$objext
-	      k=`expr $k + 1`
-	      output=$output_objdir/$output_la-${k}.$objext
-	      objlist=$obj
-	      len=1
-	    fi
-	  done
-	  # Handle the remaining objects by creating one last
-	  # reloadable object file.  All subsequent reloadable object
-	  # files will link in the last one created.
-	  test -z "$concat_cmds" || concat_cmds=$concat_cmds~
-	  eval concat_cmds=\"\${concat_cmds}$reload_cmds $objlist $last_robj\"
-
-	  if ${skipped_export-false}; then
-	    $show "generating symbol list for \`$libname.la'"
-	    export_symbols="$output_objdir/$libname.exp"
-	    $run $rm $export_symbols
-	    libobjs=$output
-	    # Append the command to create the export file.
-	    eval concat_cmds=\"\$concat_cmds~$export_symbols_cmds\"
-          fi
-
-	  # Set up a command to remove the reloadable object files
-	  # after they are used.
-	  i=0
-	  while test "$i" -lt "$k"
-	  do
-	    i=`expr $i + 1`
-	    delfiles="$delfiles $output_objdir/$output_la-${i}.$objext"
-	  done
-
-	  $echo "creating a temporary reloadable object file: $output"
-
-	  # Loop through the commands generated above and execute them.
-	  save_ifs="$IFS"; IFS='~'
-	  for cmd in $concat_cmds; do
-	    IFS="$save_ifs"
-	    $show "$cmd"
-	    $run eval "$cmd" || exit $?
-	  done
-	  IFS="$save_ifs"
-
-	  libobjs=$output
-	  # Restore the value of output.
-	  output=$save_output
-
-	  if test -n "$convenience" && test -n "$whole_archive_flag_spec"; then
-	    eval libobjs=\"\$libobjs $whole_archive_flag_spec\"
-	  fi
-	  # Expand the library linking commands again to reset the
-	  # value of $libobjs for piecewise linking.
-
-	  # Do each of the archive commands.
-	  if test "$module" = yes && test -n "$module_cmds" ; then
-	    if test -n "$export_symbols" && test -n "$module_expsym_cmds"; then
-	      cmds=$module_expsym_cmds
-	    else
-	      cmds=$module_cmds
-	    fi
-	  else
-	  if test -n "$export_symbols" && test -n "$archive_expsym_cmds"; then
-	    cmds=$archive_expsym_cmds
-	  else
-	    cmds=$archive_cmds
-	    fi
-	  fi
-
-	  # Append the command to remove the reloadable object files
-	  # to the just-reset $cmds.
-	  eval cmds=\"\$cmds~\$rm $delfiles\"
-	fi
-	save_ifs="$IFS"; IFS='~'
-	for cmd in $cmds; do
-	  IFS="$save_ifs"
-	  eval cmd=\"$cmd\"
-	  $show "$cmd"
-	  $run eval "$cmd" || {
-	    lt_exit=$?
-
-	    # Restore the uninstalled library and exit
-	    if test "$mode" = relink; then
-	      $run eval '(cd $output_objdir && $rm ${realname}T && $mv ${realname}U $realname)'
-	    fi
-
-	    exit $lt_exit
-	  }
-	done
-	IFS="$save_ifs"
-
-	# Restore the uninstalled library and exit
-	if test "$mode" = relink; then
-	  $run eval '(cd $output_objdir && $rm ${realname}T && $mv $realname ${realname}T && $mv "$realname"U $realname)' || exit $?
-
-	  if test -n "$convenience"; then
-	    if test -z "$whole_archive_flag_spec"; then
-	      $show "${rm}r $gentop"
-	      $run ${rm}r "$gentop"
-	    fi
-	  fi
-
-	  exit $EXIT_SUCCESS
-	fi
-
-	# Create links to the real library.
-	for linkname in $linknames; do
-	  if test "$realname" != "$linkname"; then
-	    $show "(cd $output_objdir && $rm $linkname && $LN_S $realname $linkname)"
-	    $run eval '(cd $output_objdir && $rm $linkname && $LN_S $realname $linkname)' || exit $?
-	  fi
-	done
-
-	# If -module or -export-dynamic was specified, set the dlname.
-	if test "$module" = yes || test "$export_dynamic" = yes; then
-	  # On all known operating systems, these are identical.
-	  dlname="$soname"
-	fi
-      fi
-      ;;
-
-    obj)
-      case " $deplibs" in
-      *\ -l* | *\ -L*)
-	$echo "$modename: warning: \`-l' and \`-L' are ignored for objects" 1>&2 ;;
-      esac
-
-      if test -n "$dlfiles$dlprefiles" || test "$dlself" != no; then
-	$echo "$modename: warning: \`-dlopen' is ignored for objects" 1>&2
-      fi
-
-      if test -n "$rpath"; then
-	$echo "$modename: warning: \`-rpath' is ignored for objects" 1>&2
-      fi
-
-      if test -n "$xrpath"; then
-	$echo "$modename: warning: \`-R' is ignored for objects" 1>&2
-      fi
-
-      if test -n "$vinfo"; then
-	$echo "$modename: warning: \`-version-info' is ignored for objects" 1>&2
-      fi
-
-      if test -n "$release"; then
-	$echo "$modename: warning: \`-release' is ignored for objects" 1>&2
-      fi
-
-      case $output in
-      *.lo)
-	if test -n "$objs$old_deplibs"; then
-	  $echo "$modename: cannot build library object \`$output' from non-libtool objects" 1>&2
-	  exit $EXIT_FAILURE
-	fi
-	libobj="$output"
-	obj=`$echo "X$output" | $Xsed -e "$lo2o"`
-	;;
-      *)
-	libobj=
-	obj="$output"
-	;;
-      esac
-
-      # Delete the old objects.
-      $run $rm $obj $libobj
-
-      # Objects from convenience libraries.  This assumes
-      # single-version convenience libraries.  Whenever we create
-      # different ones for PIC/non-PIC, this we'll have to duplicate
-      # the extraction.
-      reload_conv_objs=
-      gentop=
-      # reload_cmds runs $LD directly, so let us get rid of
-      # -Wl from whole_archive_flag_spec and hope we can get by with
-      # turning comma into space..
-      wl=
-
-      if test -n "$convenience"; then
-	if test -n "$whole_archive_flag_spec"; then
-	  eval tmp_whole_archive_flags=\"$whole_archive_flag_spec\"
-	  reload_conv_objs=$reload_objs\ `$echo "X$tmp_whole_archive_flags" | $Xsed -e 's|,| |g'`
-	else
-	  gentop="$output_objdir/${obj}x"
-	  generated="$generated $gentop"
-
-	  func_extract_archives $gentop $convenience
-	  reload_conv_objs="$reload_objs $func_extract_archives_result"
-	fi
-      fi
-
-      # Create the old-style object.
-      reload_objs="$objs$old_deplibs "`$echo "X$libobjs" | $SP2NL | $Xsed -e '/\.'${libext}$'/d' -e '/\.lib$/d' -e "$lo2o" | $NL2SP`" $reload_conv_objs" ### testsuite: skip nested quoting test
-
-      output="$obj"
-      cmds=$reload_cmds
-      save_ifs="$IFS"; IFS='~'
-      for cmd in $cmds; do
-	IFS="$save_ifs"
-	eval cmd=\"$cmd\"
-	$show "$cmd"
-	$run eval "$cmd" || exit $?
-      done
-      IFS="$save_ifs"
-
-      # Exit if we aren't doing a library object file.
-      if test -z "$libobj"; then
-	if test -n "$gentop"; then
-	  $show "${rm}r $gentop"
-	  $run ${rm}r $gentop
-	fi
-
-	exit $EXIT_SUCCESS
-      fi
-
-      if test "$build_libtool_libs" != yes; then
-	if test -n "$gentop"; then
-	  $show "${rm}r $gentop"
-	  $run ${rm}r $gentop
-	fi
-
-	# Create an invalid libtool object if no PIC, so that we don't
-	# accidentally link it into a program.
-	# $show "echo timestamp > $libobj"
-	# $run eval "echo timestamp > $libobj" || exit $?
-	exit $EXIT_SUCCESS
-      fi
-
-      if test -n "$pic_flag" || test "$pic_mode" != default; then
-	# Only do commands if we really have different PIC objects.
-	reload_objs="$libobjs $reload_conv_objs"
-	output="$libobj"
-	cmds=$reload_cmds
-	save_ifs="$IFS"; IFS='~'
-	for cmd in $cmds; do
-	  IFS="$save_ifs"
-	  eval cmd=\"$cmd\"
-	  $show "$cmd"
-	  $run eval "$cmd" || exit $?
-	done
-	IFS="$save_ifs"
-      fi
-
-      if test -n "$gentop"; then
-	$show "${rm}r $gentop"
-	$run ${rm}r $gentop
-      fi
-
-      exit $EXIT_SUCCESS
-      ;;
-
-    prog)
-      case $host in
-	*cygwin*) output=`$echo $output | ${SED} -e 's,.exe$,,;s,$,.exe,'` ;;
-      esac
-      if test -n "$vinfo"; then
-	$echo "$modename: warning: \`-version-info' is ignored for programs" 1>&2
-      fi
-
-      if test -n "$release"; then
-	$echo "$modename: warning: \`-release' is ignored for programs" 1>&2
-      fi
-
-      if test "$preload" = yes; then
-	if test "$dlopen_support" = unknown && test "$dlopen_self" = unknown &&
-	   test "$dlopen_self_static" = unknown; then
-	  $echo "$modename: warning: \`AC_LIBTOOL_DLOPEN' not used. Assuming no dlopen support."
-	fi
-      fi
-
-      case $host in
-      *-*-rhapsody* | *-*-darwin1.[012])
-	# On Rhapsody replace the C library is the System framework
-	compile_deplibs=`$echo "X $compile_deplibs" | $Xsed -e 's/ -lc / -framework System /'`
-	finalize_deplibs=`$echo "X $finalize_deplibs" | $Xsed -e 's/ -lc / -framework System /'`
-	;;
-      esac
-
-      case $host in
-      *darwin*)
-        # Don't allow lazy linking, it breaks C++ global constructors
-        if test "$tagname" = CXX ; then
-        compile_command="$compile_command ${wl}-bind_at_load"
-        finalize_command="$finalize_command ${wl}-bind_at_load"
-        fi
-        ;;
-      esac
-
-
-      # move library search paths that coincide with paths to not yet
-      # installed libraries to the beginning of the library search list
-      new_libs=
-      for path in $notinst_path; do
-	case " $new_libs " in
-	*" -L$path/$objdir "*) ;;
-	*)
-	  case " $compile_deplibs " in
-	  *" -L$path/$objdir "*)
-	    new_libs="$new_libs -L$path/$objdir" ;;
-	  esac
-	  ;;
-	esac
-      done
-      for deplib in $compile_deplibs; do
-	case $deplib in
-	-L*)
-	  case " $new_libs " in
-	  *" $deplib "*) ;;
-	  *) new_libs="$new_libs $deplib" ;;
-	  esac
-	  ;;
-	*) new_libs="$new_libs $deplib" ;;
-	esac
-      done
-      compile_deplibs="$new_libs"
-
-
-      compile_command="$compile_command $compile_deplibs"
-      finalize_command="$finalize_command $finalize_deplibs"
-
-      if test -n "$rpath$xrpath"; then
-	# If the user specified any rpath flags, then add them.
-	for libdir in $rpath $xrpath; do
-	  # This is the magic to use -rpath.
-	  case "$finalize_rpath " in
-	  *" $libdir "*) ;;
-	  *) finalize_rpath="$finalize_rpath $libdir" ;;
-	  esac
-	done
-      fi
-
-      # Now hardcode the library paths
-      rpath=
-      hardcode_libdirs=
-      for libdir in $compile_rpath $finalize_rpath; do
-	if test -n "$hardcode_libdir_flag_spec"; then
-	  if test -n "$hardcode_libdir_separator"; then
-	    if test -z "$hardcode_libdirs"; then
-	      hardcode_libdirs="$libdir"
-	    else
-	      # Just accumulate the unique libdirs.
-	      case $hardcode_libdir_separator$hardcode_libdirs$hardcode_libdir_separator in
-	      *"$hardcode_libdir_separator$libdir$hardcode_libdir_separator"*)
-		;;
-	      *)
-		hardcode_libdirs="$hardcode_libdirs$hardcode_libdir_separator$libdir"
-		;;
-	      esac
-	    fi
-	  else
-	    eval flag=\"$hardcode_libdir_flag_spec\"
-	    rpath="$rpath $flag"
-	  fi
-	elif test -n "$runpath_var"; then
-	  case "$perm_rpath " in
-	  *" $libdir "*) ;;
-	  *) perm_rpath="$perm_rpath $libdir" ;;
-	  esac
-	fi
-	case $host in
-	*-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2*)
-	  testbindir=`$echo "X$libdir" | $Xsed -e 's*/lib$*/bin*'`
-	  case :$dllsearchpath: in
-	  *":$libdir:"*) ;;
-	  *) dllsearchpath="$dllsearchpath:$libdir";;
-	  esac
-	  case :$dllsearchpath: in
-	  *":$testbindir:"*) ;;
-	  *) dllsearchpath="$dllsearchpath:$testbindir";;
-	  esac
-	  ;;
-	esac
-      done
-      # Substitute the hardcoded libdirs into the rpath.
-      if test -n "$hardcode_libdir_separator" &&
-	 test -n "$hardcode_libdirs"; then
-	libdir="$hardcode_libdirs"
-	eval rpath=\" $hardcode_libdir_flag_spec\"
-      fi
-      compile_rpath="$rpath"
-
-      rpath=
-      hardcode_libdirs=
-      for libdir in $finalize_rpath; do
-	if test -n "$hardcode_libdir_flag_spec"; then
-	  if test -n "$hardcode_libdir_separator"; then
-	    if test -z "$hardcode_libdirs"; then
-	      hardcode_libdirs="$libdir"
-	    else
-	      # Just accumulate the unique libdirs.
-	      case $hardcode_libdir_separator$hardcode_libdirs$hardcode_libdir_separator in
-	      *"$hardcode_libdir_separator$libdir$hardcode_libdir_separator"*)
-		;;
-	      *)
-		hardcode_libdirs="$hardcode_libdirs$hardcode_libdir_separator$libdir"
-		;;
-	      esac
-	    fi
-	  else
-	    eval flag=\"$hardcode_libdir_flag_spec\"
-	    rpath="$rpath $flag"
-	  fi
-	elif test -n "$runpath_var"; then
-	  case "$finalize_perm_rpath " in
-	  *" $libdir "*) ;;
-	  *) finalize_perm_rpath="$finalize_perm_rpath $libdir" ;;
-	  esac
-	fi
-      done
-      # Substitute the hardcoded libdirs into the rpath.
-      if test -n "$hardcode_libdir_separator" &&
-	 test -n "$hardcode_libdirs"; then
-	libdir="$hardcode_libdirs"
-	eval rpath=\" $hardcode_libdir_flag_spec\"
-      fi
-      finalize_rpath="$rpath"
-
-      if test -n "$libobjs" && test "$build_old_libs" = yes; then
-	# Transform all the library objects into standard objects.
-	compile_command=`$echo "X$compile_command" | $SP2NL | $Xsed -e "$lo2o" | $NL2SP`
-	finalize_command=`$echo "X$finalize_command" | $SP2NL | $Xsed -e "$lo2o" | $NL2SP`
-      fi
-
-      dlsyms=
-      if test -n "$dlfiles$dlprefiles" || test "$dlself" != no; then
-	if test -n "$NM" && test -n "$global_symbol_pipe"; then
-	  dlsyms="${outputname}S.c"
-	else
-	  $echo "$modename: not configured to extract global symbols from dlpreopened files" 1>&2
-	fi
-      fi
-
-      if test -n "$dlsyms"; then
-	case $dlsyms in
-	"") ;;
-	*.c)
-	  # Discover the nlist of each of the dlfiles.
-	  nlist="$output_objdir/${outputname}.nm"
-
-	  $show "$rm $nlist ${nlist}S ${nlist}T"
-	  $run $rm "$nlist" "${nlist}S" "${nlist}T"
-
-	  # Parse the name list into a source file.
-	  $show "creating $output_objdir/$dlsyms"
-
-	  test -z "$run" && $echo > "$output_objdir/$dlsyms" "\
-/* $dlsyms - symbol resolution table for \`$outputname' dlsym emulation. */
-/* Generated by $PROGRAM - GNU $PACKAGE $VERSION$TIMESTAMP */
-
-#ifdef __cplusplus
-extern \"C\" {
-#endif
-
-/* Prevent the only kind of declaration conflicts we can make. */
-#define lt_preloaded_symbols some_other_symbol
-
-/* External symbol declarations for the compiler. */\
-"
-
-	  if test "$dlself" = yes; then
-	    $show "generating symbol list for \`$output'"
-
-	    test -z "$run" && $echo ': @PROGRAM@ ' > "$nlist"
-
-	    # Add our own program objects to the symbol list.
-	    progfiles=`$echo "X$objs$old_deplibs" | $SP2NL | $Xsed -e "$lo2o" | $NL2SP`
-	    for arg in $progfiles; do
-	      $show "extracting global C symbols from \`$arg'"
-	      $run eval "$NM $arg | $global_symbol_pipe >> '$nlist'"
-	    done
-
-	    if test -n "$exclude_expsyms"; then
-	      $run eval '$EGREP -v " ($exclude_expsyms)$" "$nlist" > "$nlist"T'
-	      $run eval '$mv "$nlist"T "$nlist"'
-	    fi
-
-	    if test -n "$export_symbols_regex"; then
-	      $run eval '$EGREP -e "$export_symbols_regex" "$nlist" > "$nlist"T'
-	      $run eval '$mv "$nlist"T "$nlist"'
-	    fi
-
-	    # Prepare the list of exported symbols
-	    if test -z "$export_symbols"; then
-	      export_symbols="$output_objdir/$outputname.exp"
-	      $run $rm $export_symbols
-	      $run eval "${SED} -n -e '/^: @PROGRAM@ $/d' -e 's/^.* \(.*\)$/\1/p' "'< "$nlist" > "$export_symbols"'
-              case $host in
-              *cygwin* | *mingw* )
-	        $run eval "echo EXPORTS "'> "$output_objdir/$outputname.def"'
-		$run eval 'cat "$export_symbols" >> "$output_objdir/$outputname.def"'
-                ;;
-              esac
-	    else
-	      $run eval "${SED} -e 's/\([].[*^$]\)/\\\\\1/g' -e 's/^/ /' -e 's/$/$/'"' < "$export_symbols" > "$output_objdir/$outputname.exp"'
-	      $run eval 'grep -f "$output_objdir/$outputname.exp" < "$nlist" > "$nlist"T'
-	      $run eval 'mv "$nlist"T "$nlist"'
-              case $host in
-              *cygwin* | *mingw* )
-	        $run eval "echo EXPORTS "'> "$output_objdir/$outputname.def"'
-		$run eval 'cat "$nlist" >> "$output_objdir/$outputname.def"'
-                ;;
-              esac
-	    fi
-	  fi
-
-	  for arg in $dlprefiles; do
-	    $show "extracting global C symbols from \`$arg'"
-	    name=`$echo "$arg" | ${SED} -e 's%^.*/%%'`
-	    $run eval '$echo ": $name " >> "$nlist"'
-	    $run eval "$NM $arg | $global_symbol_pipe >> '$nlist'"
-	  done
-
-	  if test -z "$run"; then
-	    # Make sure we have at least an empty file.
-	    test -f "$nlist" || : > "$nlist"
-
-	    if test -n "$exclude_expsyms"; then
-	      $EGREP -v " ($exclude_expsyms)$" "$nlist" > "$nlist"T
-	      $mv "$nlist"T "$nlist"
-	    fi
-
-	    # Try sorting and uniquifying the output.
-	    if grep -v "^: " < "$nlist" |
-		if sort -k 3 </dev/null >/dev/null 2>&1; then
-		  sort -k 3
-		else
-		  sort +2
-		fi |
-		uniq > "$nlist"S; then
-	      :
-	    else
-	      grep -v "^: " < "$nlist" > "$nlist"S
-	    fi
-
-	    if test -f "$nlist"S; then
-	      eval "$global_symbol_to_cdecl"' < "$nlist"S >> "$output_objdir/$dlsyms"'
-	    else
-	      $echo '/* NONE */' >> "$output_objdir/$dlsyms"
-	    fi
-
-	    $echo >> "$output_objdir/$dlsyms" "\
-
-#undef lt_preloaded_symbols
-
-#if defined (__STDC__) && __STDC__
-# define lt_ptr void *
-#else
-# define lt_ptr char *
-# define const
-#endif
-
-/* The mapping between symbol names and symbols. */
-"
-
-	    case $host in
-	    *cygwin* | *mingw* )
-	  $echo >> "$output_objdir/$dlsyms" "\
-/* DATA imports from DLLs on WIN32 can't be const, because
-   runtime relocations are performed -- see ld's documentation
-   on pseudo-relocs */
-struct {
-"
-	      ;;
-	    * )
-	  $echo >> "$output_objdir/$dlsyms" "\
-const struct {
-"
-	      ;;
-	    esac
-
-
-	  $echo >> "$output_objdir/$dlsyms" "\
-  const char *name;
-  lt_ptr address;
-}
-lt_preloaded_symbols[] =
-{\
-"
-
-	    eval "$global_symbol_to_c_name_address" < "$nlist" >> "$output_objdir/$dlsyms"
-
-	    $echo >> "$output_objdir/$dlsyms" "\
-  {0, (lt_ptr) 0}
-};
-
-/* This works around a problem in FreeBSD linker */
-#ifdef FREEBSD_WORKAROUND
-static const void *lt_preloaded_setup() {
-  return lt_preloaded_symbols;
-}
-#endif
-
-#ifdef __cplusplus
-}
-#endif\
-"
-	  fi
-
-	  pic_flag_for_symtable=
-	  case $host in
-	  # compiling the symbol table file with pic_flag works around
-	  # a FreeBSD bug that causes programs to crash when -lm is
-	  # linked before any other PIC object.  But we must not use
-	  # pic_flag when linking with -static.  The problem exists in
-	  # FreeBSD 2.2.6 and is fixed in FreeBSD 3.1.
-	  *-*-freebsd2*|*-*-freebsd3.0*|*-*-freebsdelf3.0*)
-	    case "$compile_command " in
-	    *" -static "*) ;;
-	    *) pic_flag_for_symtable=" $pic_flag -DFREEBSD_WORKAROUND";;
-	    esac;;
-	  *-*-hpux*)
-	    case "$compile_command " in
-	    *" -static "*) ;;
-	    *) pic_flag_for_symtable=" $pic_flag";;
-	    esac
-	  esac
-
-	  # Now compile the dynamic symbol file.
-	  $show "(cd $output_objdir && $LTCC  $LTCFLAGS -c$no_builtin_flag$pic_flag_for_symtable \"$dlsyms\")"
-	  $run eval '(cd $output_objdir && $LTCC  $LTCFLAGS -c$no_builtin_flag$pic_flag_for_symtable "$dlsyms")' || exit $?
-
-	  # Clean up the generated files.
-	  $show "$rm $output_objdir/$dlsyms $nlist ${nlist}S ${nlist}T"
-	  $run $rm "$output_objdir/$dlsyms" "$nlist" "${nlist}S" "${nlist}T"
-
-	  # Transform the symbol file into the correct name.
-          case $host in
-          *cygwin* | *mingw* )
-            if test -f "$output_objdir/${outputname}.def" ; then
-              compile_command=`$echo "X$compile_command" | $SP2NL | $Xsed -e "s%@SYMFILE@%$output_objdir/${outputname}.def $output_objdir/${outputname}S.${objext}%" | $NL2SP`
-              finalize_command=`$echo "X$finalize_command" | $SP2NL | $Xsed -e "s%@SYMFILE@%$output_objdir/${outputname}.def $output_objdir/${outputname}S.${objext}%" | $NL2SP`
-            else
-              compile_command=`$echo "X$compile_command" | $SP2NL | $Xsed -e "s%@SYMFILE@%$output_objdir/${outputname}S.${objext}%" | $NL2SP`
-              finalize_command=`$echo "X$finalize_command" | $SP2NL | $Xsed -e "s%@SYMFILE@%$output_objdir/${outputname}S.${objext}%" | $NL2SP`
-             fi
-            ;;
-          * )
-            compile_command=`$echo "X$compile_command" | $SP2NL | $Xsed -e "s%@SYMFILE@%$output_objdir/${outputname}S.${objext}%" | $NL2SP`
-            finalize_command=`$echo "X$finalize_command" | $SP2NL | $Xsed -e "s%@SYMFILE@%$output_objdir/${outputname}S.${objext}%" | $NL2SP`
-            ;;
-          esac
-	  ;;
-	*)
-	  $echo "$modename: unknown suffix for \`$dlsyms'" 1>&2
-	  exit $EXIT_FAILURE
-	  ;;
-	esac
-      else
-	# We keep going just in case the user didn't refer to
-	# lt_preloaded_symbols.  The linker will fail if global_symbol_pipe
-	# really was required.
-
-	# Nullify the symbol file.
-	compile_command=`$echo "X$compile_command" | $SP2NL | $Xsed -e "s% @SYMFILE@%%" | $NL2SP`
-	finalize_command=`$echo "X$finalize_command" | $SP2NL | $Xsed -e "s% @SYMFILE@%%" | $NL2SP`
-      fi
-
-      if test "$need_relink" = no || test "$build_libtool_libs" != yes; then
-	# Replace the output file specification.
-	compile_command=`$echo "X$compile_command" | $SP2NL | $Xsed -e 's%@OUTPUT@%'"$output"'%g' | $NL2SP`
-	link_command="$compile_command$compile_rpath"
-
-	# We have no uninstalled library dependencies, so finalize right now.
-	$show "$link_command"
-	$run eval "$link_command"
-	exit_status=$?
-
-	# Delete the generated files.
-	if test -n "$dlsyms"; then
-	  $show "$rm $output_objdir/${outputname}S.${objext}"
-	  $run $rm "$output_objdir/${outputname}S.${objext}"
-	fi
-
-	exit $exit_status
-      fi
-
-      if test -n "$shlibpath_var"; then
-	# We should set the shlibpath_var
-	rpath=
-	for dir in $temp_rpath; do
-	  case $dir in
-	  [\\/]* | [A-Za-z]:[\\/]*)
-	    # Absolute path.
-	    rpath="$rpath$dir:"
-	    ;;
-	  *)
-	    # Relative path: add a thisdir entry.
-	    rpath="$rpath\$thisdir/$dir:"
-	    ;;
-	  esac
-	done
-	temp_rpath="$rpath"
-      fi
-
-      if test -n "$compile_shlibpath$finalize_shlibpath"; then
-	compile_command="$shlibpath_var=\"$compile_shlibpath$finalize_shlibpath\$$shlibpath_var\" $compile_command"
-      fi
-      if test -n "$finalize_shlibpath"; then
-	finalize_command="$shlibpath_var=\"$finalize_shlibpath\$$shlibpath_var\" $finalize_command"
-      fi
-
-      compile_var=
-      finalize_var=
-      if test -n "$runpath_var"; then
-	if test -n "$perm_rpath"; then
-	  # We should set the runpath_var.
-	  rpath=
-	  for dir in $perm_rpath; do
-	    rpath="$rpath$dir:"
-	  done
-	  compile_var="$runpath_var=\"$rpath\$$runpath_var\" "
-	fi
-	if test -n "$finalize_perm_rpath"; then
-	  # We should set the runpath_var.
-	  rpath=
-	  for dir in $finalize_perm_rpath; do
-	    rpath="$rpath$dir:"
-	  done
-	  finalize_var="$runpath_var=\"$rpath\$$runpath_var\" "
-	fi
-      fi
-
-      if test "$no_install" = yes; then
-	# We don't need to create a wrapper script.
-	link_command="$compile_var$compile_command$compile_rpath"
-	# Replace the output file specification.
-	link_command=`$echo "X$link_command" | $Xsed -e 's%@OUTPUT@%'"$output"'%g'`
-	# Delete the old output file.
-	$run $rm $output
-	# Link the executable and exit
-	$show "$link_command"
-	$run eval "$link_command" || exit $?
-	exit $EXIT_SUCCESS
-      fi
-
-      if test "$hardcode_action" = relink; then
-	# Fast installation is not supported
-	link_command="$compile_var$compile_command$compile_rpath"
-	relink_command="$finalize_var$finalize_command$finalize_rpath"
-
-	$echo "$modename: warning: this platform does not like uninstalled shared libraries" 1>&2
-	$echo "$modename: \`$output' will be relinked during installation" 1>&2
-      else
-	if test "$fast_install" != no; then
-	  link_command="$finalize_var$compile_command$finalize_rpath"
-	  if test "$fast_install" = yes; then
-	    relink_command=`$echo "X$compile_var$compile_command$compile_rpath" | $SP2NL | $Xsed -e 's%@OUTPUT@%\$progdir/\$file%g' | $NL2SP`
-	  else
-	    # fast_install is set to needless
-	    relink_command=
-	  fi
-	else
-	  link_command="$compile_var$compile_command$compile_rpath"
-	  relink_command="$finalize_var$finalize_command$finalize_rpath"
-	fi
-      fi
-
-      # Replace the output file specification.
-      link_command=`$echo "X$link_command" | $Xsed -e 's%@OUTPUT@%'"$output_objdir/$outputname"'%g'`
-
-      # Delete the old output files.
-      $run $rm $output $output_objdir/$outputname $output_objdir/lt-$outputname
-
-      $show "$link_command"
-      $run eval "$link_command" || exit $?
-
-      # Now create the wrapper script.
-      $show "creating $output"
-
-      # Quote the relink command for shipping.
-      if test -n "$relink_command"; then
-	# Preserve any variables that may affect compiler behavior
-	for var in $variables_saved_for_relink; do
-	  if eval test -z \"\${$var+set}\"; then
-	    relink_command="{ test -z \"\${$var+set}\" || unset $var || { $var=; export $var; }; }; $relink_command"
-	  elif eval var_value=\$$var; test -z "$var_value"; then
-	    relink_command="$var=; export $var; $relink_command"
-	  else
-	    var_value=`$echo "X$var_value" | $Xsed -e "$sed_quote_subst"`
-	    relink_command="$var=\"$var_value\"; export $var; $relink_command"
-	  fi
-	done
-	relink_command="(cd `pwd`; $relink_command)"
-	relink_command=`$echo "X$relink_command" | $SP2NL | $Xsed -e "$sed_quote_subst" | $NL2SP`
-      fi
-
-      # Quote $echo for shipping.
-      if test "X$echo" = "X$SHELL $progpath --fallback-echo"; then
-	case $progpath in
-	[\\/]* | [A-Za-z]:[\\/]*) qecho="$SHELL $progpath --fallback-echo";;
-	*) qecho="$SHELL `pwd`/$progpath --fallback-echo";;
-	esac
-	qecho=`$echo "X$qecho" | $Xsed -e "$sed_quote_subst"`
-      else
-	qecho=`$echo "X$echo" | $Xsed -e "$sed_quote_subst"`
-      fi
-
-      # Only actually do things if our run command is non-null.
-      if test -z "$run"; then
-	# win32 will think the script is a binary if it has
-	# a .exe suffix, so we strip it off here.
-	case $output in
-	  *.exe) output=`$echo $output|${SED} 's,.exe$,,'` ;;
-	esac
-	# test for cygwin because mv fails w/o .exe extensions
-	case $host in
-	  *cygwin*)
-	    exeext=.exe
-	    outputname=`$echo $outputname|${SED} 's,.exe$,,'` ;;
-	  *) exeext= ;;
-	esac
-	case $host in
-	  *cygwin* | *mingw* )
-            output_name=`basename $output`
-            output_path=`dirname $output`
-            cwrappersource="$output_path/$objdir/lt-$output_name.c"
-            cwrapper="$output_path/$output_name.exe"
-            $rm $cwrappersource $cwrapper
-            trap "$rm $cwrappersource $cwrapper; exit $EXIT_FAILURE" 1 2 15
-
-	    cat > $cwrappersource <<EOF
-
-/* $cwrappersource - temporary wrapper executable for $objdir/$outputname
-   Generated by $PROGRAM - GNU $PACKAGE $VERSION$TIMESTAMP
-
-   The $output program cannot be directly executed until all the libtool
-   libraries that it depends on are installed.
-
-   This wrapper executable should never be moved out of the build directory.
-   If it is, it will not operate correctly.
-
-   Currently, it simply execs the wrapper *script* "/bin/sh $output",
-   but could eventually absorb all of the scripts functionality and
-   exec $objdir/$outputname directly.
-*/
-EOF
-	    cat >> $cwrappersource<<"EOF"
-#include <stdio.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <malloc.h>
-#include <stdarg.h>
-#include <assert.h>
-#include <string.h>
-#include <ctype.h>
-#include <sys/stat.h>
-
-#if defined(PATH_MAX)
-# define LT_PATHMAX PATH_MAX
-#elif defined(MAXPATHLEN)
-# define LT_PATHMAX MAXPATHLEN
-#else
-# define LT_PATHMAX 1024
-#endif
-
-#ifndef DIR_SEPARATOR
-# define DIR_SEPARATOR '/'
-# define PATH_SEPARATOR ':'
-#endif
-
-#if defined (_WIN32) || defined (__MSDOS__) || defined (__DJGPP__) || \
-  defined (__OS2__)
-# define HAVE_DOS_BASED_FILE_SYSTEM
-# ifndef DIR_SEPARATOR_2
-#  define DIR_SEPARATOR_2 '\\'
-# endif
-# ifndef PATH_SEPARATOR_2
-#  define PATH_SEPARATOR_2 ';'
-# endif
-#endif
-
-#ifndef DIR_SEPARATOR_2
-# define IS_DIR_SEPARATOR(ch) ((ch) == DIR_SEPARATOR)
-#else /* DIR_SEPARATOR_2 */
-# define IS_DIR_SEPARATOR(ch) \
-        (((ch) == DIR_SEPARATOR) || ((ch) == DIR_SEPARATOR_2))
-#endif /* DIR_SEPARATOR_2 */
-
-#ifndef PATH_SEPARATOR_2
-# define IS_PATH_SEPARATOR(ch) ((ch) == PATH_SEPARATOR)
-#else /* PATH_SEPARATOR_2 */
-# define IS_PATH_SEPARATOR(ch) ((ch) == PATH_SEPARATOR_2)
-#endif /* PATH_SEPARATOR_2 */
-
-#define XMALLOC(type, num)      ((type *) xmalloc ((num) * sizeof(type)))
-#define XFREE(stale) do { \
-  if (stale) { free ((void *) stale); stale = 0; } \
-} while (0)
-
-/* -DDEBUG is fairly common in CFLAGS.  */
-#undef DEBUG
-#if defined DEBUGWRAPPER
-# define DEBUG(format, ...) fprintf(stderr, format, __VA_ARGS__)
-#else
-# define DEBUG(format, ...)
-#endif
-
-const char *program_name = NULL;
-
-void * xmalloc (size_t num);
-char * xstrdup (const char *string);
-const char * base_name (const char *name);
-char * find_executable(const char *wrapper);
-int    check_executable(const char *path);
-char * strendzap(char *str, const char *pat);
-void lt_fatal (const char *message, ...);
-
-int
-main (int argc, char *argv[])
-{
-  char **newargz;
-  int i;
-
-  program_name = (char *) xstrdup (base_name (argv[0]));
-  DEBUG("(main) argv[0]      : %s\n",argv[0]);
-  DEBUG("(main) program_name : %s\n",program_name);
-  newargz = XMALLOC(char *, argc+2);
-EOF
-
-            cat >> $cwrappersource <<EOF
-  newargz[0] = (char *) xstrdup("$SHELL");
-EOF
-
-            cat >> $cwrappersource <<"EOF"
-  newargz[1] = find_executable(argv[0]);
-  if (newargz[1] == NULL)
-    lt_fatal("Couldn't find %s", argv[0]);
-  DEBUG("(main) found exe at : %s\n",newargz[1]);
-  /* we know the script has the same name, without the .exe */
-  /* so make sure newargz[1] doesn't end in .exe */
-  strendzap(newargz[1],".exe");
-  for (i = 1; i < argc; i++)
-    newargz[i+1] = xstrdup(argv[i]);
-  newargz[argc+1] = NULL;
-
-  for (i=0; i<argc+1; i++)
-  {
-    DEBUG("(main) newargz[%d]   : %s\n",i,newargz[i]);
-    ;
-  }
-
-EOF
-
-            case $host_os in
-              mingw*)
-                cat >> $cwrappersource <<EOF
-  execv("$SHELL",(char const **)newargz);
-EOF
-              ;;
-              *)
-                cat >> $cwrappersource <<EOF
-  execv("$SHELL",newargz);
-EOF
-              ;;
-            esac
-
-            cat >> $cwrappersource <<"EOF"
-  return 127;
-}
-
-void *
-xmalloc (size_t num)
-{
-  void * p = (void *) malloc (num);
-  if (!p)
-    lt_fatal ("Memory exhausted");
-
-  return p;
-}
-
-char *
-xstrdup (const char *string)
-{
-  return string ? strcpy ((char *) xmalloc (strlen (string) + 1), string) : NULL
-;
-}
-
-const char *
-base_name (const char *name)
-{
-  const char *base;
-
-#if defined (HAVE_DOS_BASED_FILE_SYSTEM)
-  /* Skip over the disk name in MSDOS pathnames. */
-  if (isalpha ((unsigned char)name[0]) && name[1] == ':')
-    name += 2;
-#endif
-
-  for (base = name; *name; name++)
-    if (IS_DIR_SEPARATOR (*name))
-      base = name + 1;
-  return base;
-}
-
-int
-check_executable(const char * path)
-{
-  struct stat st;
-
-  DEBUG("(check_executable)  : %s\n", path ? (*path ? path : "EMPTY!") : "NULL!");
-  if ((!path) || (!*path))
-    return 0;
-
-  if ((stat (path, &st) >= 0) &&
-      (
-        /* MinGW & native WIN32 do not support S_IXOTH or S_IXGRP */
-#if defined (S_IXOTH)
-       ((st.st_mode & S_IXOTH) == S_IXOTH) ||
-#endif
-#if defined (S_IXGRP)
-       ((st.st_mode & S_IXGRP) == S_IXGRP) ||
-#endif
-       ((st.st_mode & S_IXUSR) == S_IXUSR))
-      )
-    return 1;
-  else
-    return 0;
-}
-
-/* Searches for the full path of the wrapper.  Returns
-   newly allocated full path name if found, NULL otherwise */
-char *
-find_executable (const char* wrapper)
-{
-  int has_slash = 0;
-  const char* p;
-  const char* p_next;
-  /* static buffer for getcwd */
-  char tmp[LT_PATHMAX + 1];
-  int tmp_len;
-  char* concat_name;
-
-  DEBUG("(find_executable)  : %s\n", wrapper ? (*wrapper ? wrapper : "EMPTY!") : "NULL!");
-
-  if ((wrapper == NULL) || (*wrapper == '\0'))
-    return NULL;
-
-  /* Absolute path? */
-#if defined (HAVE_DOS_BASED_FILE_SYSTEM)
-  if (isalpha ((unsigned char)wrapper[0]) && wrapper[1] == ':')
-  {
-    concat_name = xstrdup (wrapper);
-    if (check_executable(concat_name))
-      return concat_name;
-    XFREE(concat_name);
-  }
-  else
-  {
-#endif
-    if (IS_DIR_SEPARATOR (wrapper[0]))
-    {
-      concat_name = xstrdup (wrapper);
-      if (check_executable(concat_name))
-        return concat_name;
-      XFREE(concat_name);
-    }
-#if defined (HAVE_DOS_BASED_FILE_SYSTEM)
-  }
-#endif
-
-  for (p = wrapper; *p; p++)
-    if (*p == '/')
-    {
-      has_slash = 1;
-      break;
-    }
-  if (!has_slash)
-  {
-    /* no slashes; search PATH */
-    const char* path = getenv ("PATH");
-    if (path != NULL)
-    {
-      for (p = path; *p; p = p_next)
-      {
-        const char* q;
-        size_t p_len;
-        for (q = p; *q; q++)
-          if (IS_PATH_SEPARATOR(*q))
-            break;
-        p_len = q - p;
-        p_next = (*q == '\0' ? q : q + 1);
-        if (p_len == 0)
-        {
-          /* empty path: current directory */
-          if (getcwd (tmp, LT_PATHMAX) == NULL)
-            lt_fatal ("getcwd failed");
-          tmp_len = strlen(tmp);
-          concat_name = XMALLOC(char, tmp_len + 1 + strlen(wrapper) + 1);
-          memcpy (concat_name, tmp, tmp_len);
-          concat_name[tmp_len] = '/';
-          strcpy (concat_name + tmp_len + 1, wrapper);
-        }
-        else
-        {
-          concat_name = XMALLOC(char, p_len + 1 + strlen(wrapper) + 1);
-          memcpy (concat_name, p, p_len);
-          concat_name[p_len] = '/';
-          strcpy (concat_name + p_len + 1, wrapper);
-        }
-        if (check_executable(concat_name))
-          return concat_name;
-        XFREE(concat_name);
-      }
-    }
-    /* not found in PATH; assume curdir */
-  }
-  /* Relative path | not found in path: prepend cwd */
-  if (getcwd (tmp, LT_PATHMAX) == NULL)
-    lt_fatal ("getcwd failed");
-  tmp_len = strlen(tmp);
-  concat_name = XMALLOC(char, tmp_len + 1 + strlen(wrapper) + 1);
-  memcpy (concat_name, tmp, tmp_len);
-  concat_name[tmp_len] = '/';
-  strcpy (concat_name + tmp_len + 1, wrapper);
-
-  if (check_executable(concat_name))
-    return concat_name;
-  XFREE(concat_name);
-  return NULL;
-}
-
-char *
-strendzap(char *str, const char *pat)
-{
-  size_t len, patlen;
-
-  assert(str != NULL);
-  assert(pat != NULL);
-
-  len = strlen(str);
-  patlen = strlen(pat);
-
-  if (patlen <= len)
-  {
-    str += len - patlen;
-    if (strcmp(str, pat) == 0)
-      *str = '\0';
-  }
-  return str;
-}
-
-static void
-lt_error_core (int exit_status, const char * mode,
-          const char * message, va_list ap)
-{
-  fprintf (stderr, "%s: %s: ", program_name, mode);
-  vfprintf (stderr, message, ap);
-  fprintf (stderr, ".\n");
-
-  if (exit_status >= 0)
-    exit (exit_status);
-}
-
-void
-lt_fatal (const char *message, ...)
-{
-  va_list ap;
-  va_start (ap, message);
-  lt_error_core (EXIT_FAILURE, "FATAL", message, ap);
-  va_end (ap);
-}
-EOF
-          # we should really use a build-platform specific compiler
-          # here, but OTOH, the wrappers (shell script and this C one)
-          # are only useful if you want to execute the "real" binary.
-          # Since the "real" binary is built for $host, then this
-          # wrapper might as well be built for $host, too.
-          $run $LTCC $LTCFLAGS -s -o $cwrapper $cwrappersource
-          ;;
-        esac
-        $rm $output
-        trap "$rm $output; exit $EXIT_FAILURE" 1 2 15
-
-	$echo > $output "\
-#! $SHELL
-
-# $output - temporary wrapper script for $objdir/$outputname
-# Generated by $PROGRAM - GNU $PACKAGE $VERSION$TIMESTAMP
-#
-# The $output program cannot be directly executed until all the libtool
-# libraries that it depends on are installed.
-#
-# This wrapper script should never be moved out of the build directory.
-# If it is, it will not operate correctly.
-
-# Sed substitution that helps us do robust quoting.  It backslashifies
-# metacharacters that are still active within double-quoted strings.
-Xsed='${SED} -e 1s/^X//'
-sed_quote_subst='$sed_quote_subst'
-
-# Be Bourne compatible (taken from Autoconf:_AS_BOURNE_COMPATIBLE).
-if test -n \"\${ZSH_VERSION+set}\" && (emulate sh) >/dev/null 2>&1; then
-  emulate sh
-  NULLCMD=:
-  # Zsh 3.x and 4.x performs word splitting on \${1+\"\$@\"}, which
-  # is contrary to our usage.  Disable this feature.
-  alias -g '\${1+\"\$@\"}'='\"\$@\"'
-  setopt NO_GLOB_SUBST
-else
-  case \`(set -o) 2>/dev/null\` in *posix*) set -o posix;; esac
-fi
-BIN_SH=xpg4; export BIN_SH # for Tru64
-DUALCASE=1; export DUALCASE # for MKS sh
-
-# The HP-UX ksh and POSIX shell print the target directory to stdout
-# if CDPATH is set.
-(unset CDPATH) >/dev/null 2>&1 && unset CDPATH
-
-relink_command=\"$relink_command\"
-
-# This environment variable determines our operation mode.
-if test \"\$libtool_install_magic\" = \"$magic\"; then
-  # install mode needs the following variable:
-  notinst_deplibs='$notinst_deplibs'
-else
-  # When we are sourced in execute mode, \$file and \$echo are already set.
-  if test \"\$libtool_execute_magic\" != \"$magic\"; then
-    echo=\"$qecho\"
-    file=\"\$0\"
-    # Make sure echo works.
-    if test \"X\$1\" = X--no-reexec; then
-      # Discard the --no-reexec flag, and continue.
-      shift
-    elif test \"X\`(\$echo '\t') 2>/dev/null\`\" = 'X\t'; then
-      # Yippee, \$echo works!
-      :
-    else
-      # Restart under the correct shell, and then maybe \$echo will work.
-      exec $SHELL \"\$0\" --no-reexec \${1+\"\$@\"}
-    fi
-  fi\
-"
-	$echo >> $output "\
-
-  # Find the directory that this script lives in.
-  thisdir=\`\$echo \"X\$file\" | \$Xsed -e 's%/[^/]*$%%'\`
-  test \"x\$thisdir\" = \"x\$file\" && thisdir=.
-
-  # Follow symbolic links until we get to the real thisdir.
-  file=\`ls -ld \"\$file\" | ${SED} -n 's/.*-> //p'\`
-  while test -n \"\$file\"; do
-    destdir=\`\$echo \"X\$file\" | \$Xsed -e 's%/[^/]*\$%%'\`
-
-    # If there was a directory component, then change thisdir.
-    if test \"x\$destdir\" != \"x\$file\"; then
-      case \"\$destdir\" in
-      [\\\\/]* | [A-Za-z]:[\\\\/]*) thisdir=\"\$destdir\" ;;
-      *) thisdir=\"\$thisdir/\$destdir\" ;;
-      esac
-    fi
-
-    file=\`\$echo \"X\$file\" | \$Xsed -e 's%^.*/%%'\`
-    file=\`ls -ld \"\$thisdir/\$file\" | ${SED} -n 's/.*-> //p'\`
-  done
-
-  # Try to get the absolute directory name.
-  absdir=\`cd \"\$thisdir\" && pwd\`
-  test -n \"\$absdir\" && thisdir=\"\$absdir\"
-"
-
-	if test "$fast_install" = yes; then
-	  $echo >> $output "\
-  program=lt-'$outputname'$exeext
-  progdir=\"\$thisdir/$objdir\"
-
-  if test ! -f \"\$progdir/\$program\" || \\
-     { file=\`ls -1dt \"\$progdir/\$program\" \"\$progdir/../\$program\" 2>/dev/null | ${SED} 1q\`; \\
-       test \"X\$file\" != \"X\$progdir/\$program\"; }; then
-
-    file=\"\$\$-\$program\"
-
-    if test ! -d \"\$progdir\"; then
-      $mkdir \"\$progdir\"
-    else
-      $rm \"\$progdir/\$file\"
-    fi"
-
-	  $echo >> $output "\
-
-    # relink executable if necessary
-    if test -n \"\$relink_command\"; then
-      if relink_command_output=\`eval \$relink_command 2>&1\`; then :
-      else
-	$echo \"\$relink_command_output\" >&2
-	$rm \"\$progdir/\$file\"
-	exit $EXIT_FAILURE
-      fi
-    fi
-
-    $mv \"\$progdir/\$file\" \"\$progdir/\$program\" 2>/dev/null ||
-    { $rm \"\$progdir/\$program\";
-      $mv \"\$progdir/\$file\" \"\$progdir/\$program\"; }
-    $rm \"\$progdir/\$file\"
-  fi"
-	else
-	  $echo >> $output "\
-  program='$outputname'
-  progdir=\"\$thisdir/$objdir\"
-"
-	fi
-
-	$echo >> $output "\
-
-  if test -f \"\$progdir/\$program\"; then"
-
-	# Export our shlibpath_var if we have one.
-	if test "$shlibpath_overrides_runpath" = yes && test -n "$shlibpath_var" && test -n "$temp_rpath"; then
-	  $echo >> $output "\
-    # Add our own library path to $shlibpath_var
-    $shlibpath_var=\"$temp_rpath\$$shlibpath_var\"
-
-    # Some systems cannot cope with colon-terminated $shlibpath_var
-    # The second colon is a workaround for a bug in BeOS R4 sed
-    $shlibpath_var=\`\$echo \"X\$$shlibpath_var\" | \$Xsed -e 's/::*\$//'\`
-
-    export $shlibpath_var
-"
-	fi
-
-	# fixup the dll searchpath if we need to.
-	if test -n "$dllsearchpath"; then
-	  $echo >> $output "\
-    # Add the dll search path components to the executable PATH
-    PATH=$dllsearchpath:\$PATH
-"
-	fi
-
-	$echo >> $output "\
-    if test \"\$libtool_execute_magic\" != \"$magic\"; then
-      # Run the actual program with our arguments.
-"
-	case $host in
-	# Backslashes separate directories on plain windows
-	*-*-mingw | *-*-os2*)
-	  $echo >> $output "\
-      exec \"\$progdir\\\\\$program\" \${1+\"\$@\"}
-"
-	  ;;
-
-	*)
-	  $echo >> $output "\
-      exec \"\$progdir/\$program\" \${1+\"\$@\"}
-"
-	  ;;
-	esac
-	$echo >> $output "\
-      \$echo \"\$0: cannot exec \$program \$*\"
-      exit $EXIT_FAILURE
-    fi
-  else
-    # The program doesn't exist.
-    \$echo \"\$0: error: \\\`\$progdir/\$program' does not exist\" 1>&2
-    \$echo \"This script is just a wrapper for \$program.\" 1>&2
-    $echo \"See the $PACKAGE documentation for more information.\" 1>&2
-    exit $EXIT_FAILURE
-  fi
-fi\
-"
-	chmod +x $output
-      fi
-      exit $EXIT_SUCCESS
-      ;;
-    esac
-
-    # See if we need to build an old-fashioned archive.
-    for oldlib in $oldlibs; do
-
-      if test "$build_libtool_libs" = convenience; then
-	oldobjs="$libobjs_save"
-	addlibs="$convenience"
-	build_libtool_libs=no
-      else
-	if test "$build_libtool_libs" = module; then
-	  oldobjs="$libobjs_save"
-	  build_libtool_libs=no
-	else
-	  oldobjs="$old_deplibs $non_pic_objects"
-	fi
-	addlibs="$old_convenience"
-      fi
-
-      if test -n "$addlibs"; then
-	gentop="$output_objdir/${outputname}x"
-	generated="$generated $gentop"
-
-	func_extract_archives $gentop $addlibs
-	oldobjs="$oldobjs $func_extract_archives_result"
-      fi
-
-      # Do each command in the archive commands.
-      if test -n "$old_archive_from_new_cmds" && test "$build_libtool_libs" = yes; then
-       cmds=$old_archive_from_new_cmds
-      else
-	# POSIX demands no paths to be encoded in archives.  We have
-	# to avoid creating archives with duplicate basenames if we
-	# might have to extract them afterwards, e.g., when creating a
-	# static archive out of a convenience library, or when linking
-	# the entirety of a libtool archive into another (currently
-	# not supported by libtool).
-	if (for obj in $oldobjs
-	    do
-	      $echo "X$obj" | $Xsed -e 's%^.*/%%'
-	    done | sort | sort -uc >/dev/null 2>&1); then
-	  :
-	else
-	  $echo "copying selected object files to avoid basename conflicts..."
-
-	  if test -z "$gentop"; then
-	    gentop="$output_objdir/${outputname}x"
-	    generated="$generated $gentop"
-
-	    $show "${rm}r $gentop"
-	    $run ${rm}r "$gentop"
-	    $show "$mkdir $gentop"
-	    $run $mkdir "$gentop"
-	    exit_status=$?
-	    if test "$exit_status" -ne 0 && test ! -d "$gentop"; then
-	      exit $exit_status
-	    fi
-	  fi
-
-	  save_oldobjs=$oldobjs
-	  oldobjs=
-	  counter=1
-	  for obj in $save_oldobjs
-	  do
-	    objbase=`$echo "X$obj" | $Xsed -e 's%^.*/%%'`
-	    case " $oldobjs " in
-	    " ") oldobjs=$obj ;;
-	    *[\ /]"$objbase "*)
-	      while :; do
-		# Make sure we don't pick an alternate name that also
-		# overlaps.
-		newobj=lt$counter-$objbase
-		counter=`expr $counter + 1`
-		case " $oldobjs " in
-		*[\ /]"$newobj "*) ;;
-		*) if test ! -f "$gentop/$newobj"; then break; fi ;;
-		esac
-	      done
-	      $show "ln $obj $gentop/$newobj || cp $obj $gentop/$newobj"
-	      $run ln "$obj" "$gentop/$newobj" ||
-	      $run cp "$obj" "$gentop/$newobj"
-	      oldobjs="$oldobjs $gentop/$newobj"
-	      ;;
-	    *) oldobjs="$oldobjs $obj" ;;
-	    esac
-	  done
-	fi
-
-	eval cmds=\"$old_archive_cmds\"
-
-	if len=`expr "X$cmds" : ".*"` &&
-	     test "$len" -le "$max_cmd_len" || test "$max_cmd_len" -le -1; then
-	  cmds=$old_archive_cmds
-	else
-	  # the command line is too long to link in one step, link in parts
-	  $echo "using piecewise archive linking..."
-	  save_RANLIB=$RANLIB
-	  RANLIB=:
-	  objlist=
-	  concat_cmds=
-	  save_oldobjs=$oldobjs
-
-	  # Is there a better way of finding the last object in the list?
-	  for obj in $save_oldobjs
-	  do
-	    last_oldobj=$obj
-	  done
-	  for obj in $save_oldobjs
-	  do
-	    oldobjs="$objlist $obj"
-	    objlist="$objlist $obj"
-	    eval test_cmds=\"$old_archive_cmds\"
-	    if len=`expr "X$test_cmds" : ".*" 2>/dev/null` &&
-	       test "$len" -le "$max_cmd_len"; then
-	      :
-	    else
-	      # the above command should be used before it gets too long
-	      oldobjs=$objlist
-	      if test "$obj" = "$last_oldobj" ; then
-	        RANLIB=$save_RANLIB
-	      fi
-	      test -z "$concat_cmds" || concat_cmds=$concat_cmds~
-	      eval concat_cmds=\"\${concat_cmds}$old_archive_cmds\"
-	      objlist=
-	    fi
-	  done
-	  RANLIB=$save_RANLIB
-	  oldobjs=$objlist
-	  if test "X$oldobjs" = "X" ; then
-	    eval cmds=\"\$concat_cmds\"
-	  else
-	    eval cmds=\"\$concat_cmds~\$old_archive_cmds\"
-	  fi
-	fi
-      fi
-      save_ifs="$IFS"; IFS='~'
-      for cmd in $cmds; do
-        eval cmd=\"$cmd\"
-	IFS="$save_ifs"
-	$show "$cmd"
-	$run eval "$cmd" || exit $?
-      done
-      IFS="$save_ifs"
-    done
-
-    if test -n "$generated"; then
-      $show "${rm}r$generated"
-      $run ${rm}r$generated
-    fi
-
-    # Now create the libtool archive.
-    case $output in
-    *.la)
-      old_library=
-      test "$build_old_libs" = yes && old_library="$libname.$libext"
-      $show "creating $output"
-
-      # Preserve any variables that may affect compiler behavior
-      for var in $variables_saved_for_relink; do
-	if eval test -z \"\${$var+set}\"; then
-	  relink_command="{ test -z \"\${$var+set}\" || unset $var || { $var=; export $var; }; }; $relink_command"
-	elif eval var_value=\$$var; test -z "$var_value"; then
-	  relink_command="$var=; export $var; $relink_command"
-	else
-	  var_value=`$echo "X$var_value" | $Xsed -e "$sed_quote_subst"`
-	  relink_command="$var=\"$var_value\"; export $var; $relink_command"
-	fi
-      done
-      # Quote the link command for shipping.
-      relink_command="(cd `pwd`; $SHELL $progpath $preserve_args --mode=relink $libtool_args @inst_prefix_dir@)"
-      relink_command=`$echo "X$relink_command" | $SP2NL | $Xsed -e "$sed_quote_subst" | $NL2SP`
-      if test "$hardcode_automatic" = yes ; then
-	relink_command=
-      fi
-
-
-      # Only create the output if not a dry run.
-      if test -z "$run"; then
-	for installed in no yes; do
-	  if test "$installed" = yes; then
-	    if test -z "$install_libdir"; then
-	      break
-	    fi
-	    output="$output_objdir/$outputname"i
-	    # Replace all uninstalled libtool libraries with the installed ones
-	    newdependency_libs=
-	    for deplib in $dependency_libs; do
-	      case $deplib in
-	      *.la)
-		name=`$echo "X$deplib" | $Xsed -e 's%^.*/%%'`
-		eval libdir=`${SED} -n -e 's/^libdir=\(.*\)$/\1/p' $deplib`
-		if test -z "$libdir"; then
-		  $echo "$modename: \`$deplib' is not a valid libtool archive" 1>&2
-		  exit $EXIT_FAILURE
-		fi
-		newdependency_libs="$newdependency_libs $libdir/$name"
-		;;
-	      *) newdependency_libs="$newdependency_libs $deplib" ;;
-	      esac
-	    done
-	    dependency_libs="$newdependency_libs"
-	    newdlfiles=
-	    for lib in $dlfiles; do
-	      name=`$echo "X$lib" | $Xsed -e 's%^.*/%%'`
-	      eval libdir=`${SED} -n -e 's/^libdir=\(.*\)$/\1/p' $lib`
-	      if test -z "$libdir"; then
-		$echo "$modename: \`$lib' is not a valid libtool archive" 1>&2
-		exit $EXIT_FAILURE
-	      fi
-	      newdlfiles="$newdlfiles $libdir/$name"
-	    done
-	    dlfiles="$newdlfiles"
-	    newdlprefiles=
-	    for lib in $dlprefiles; do
-	      name=`$echo "X$lib" | $Xsed -e 's%^.*/%%'`
-	      eval libdir=`${SED} -n -e 's/^libdir=\(.*\)$/\1/p' $lib`
-	      if test -z "$libdir"; then
-		$echo "$modename: \`$lib' is not a valid libtool archive" 1>&2
-		exit $EXIT_FAILURE
-	      fi
-	      newdlprefiles="$newdlprefiles $libdir/$name"
-	    done
-	    dlprefiles="$newdlprefiles"
-	  else
-	    newdlfiles=
-	    for lib in $dlfiles; do
-	      case $lib in
-		[\\/]* | [A-Za-z]:[\\/]*) abs="$lib" ;;
-		*) abs=`pwd`"/$lib" ;;
-	      esac
-	      newdlfiles="$newdlfiles $abs"
-	    done
-	    dlfiles="$newdlfiles"
-	    newdlprefiles=
-	    for lib in $dlprefiles; do
-	      case $lib in
-		[\\/]* | [A-Za-z]:[\\/]*) abs="$lib" ;;
-		*) abs=`pwd`"/$lib" ;;
-	      esac
-	      newdlprefiles="$newdlprefiles $abs"
-	    done
-	    dlprefiles="$newdlprefiles"
-	  fi
-	  $rm $output
-	  # place dlname in correct position for cygwin
-	  tdlname=$dlname
-	  case $host,$output,$installed,$module,$dlname in
-	    *cygwin*,*lai,yes,no,*.dll | *mingw*,*lai,yes,no,*.dll) tdlname=../bin/$dlname ;;
-	  esac
-	  $echo > $output "\
-# $outputname - a libtool library file
-# Generated by $PROGRAM - GNU $PACKAGE $VERSION$TIMESTAMP
-#
-# Please DO NOT delete this file!
-# It is necessary for linking the library.
-
-# The name that we can dlopen(3).
-dlname='$tdlname'
-
-# Names of this library.
-library_names='$library_names'
-
-# The name of the static archive.
-old_library='$old_library'
-
-# Libraries that this one depends upon.
-dependency_libs='$dependency_libs'
-
-# Version information for $libname.
-current=$current
-age=$age
-revision=$revision
-
-# Is this an already installed library?
-installed=$installed
-
-# Should we warn about portability when linking against -modules?
-shouldnotlink=$module
-
-# Files to dlopen/dlpreopen
-dlopen='$dlfiles'
-dlpreopen='$dlprefiles'
-
-# Directory that this library needs to be installed in:
-libdir='$install_libdir'"
-	  if test "$installed" = no && test "$need_relink" = yes; then
-	    $echo >> $output "\
-relink_command=\"$relink_command\""
-	  fi
-	done
-      fi
-
-      # Do a symbolic link so that the libtool archive can be found in
-      # LD_LIBRARY_PATH before the program is installed.
-      $show "(cd $output_objdir && $rm $outputname && $LN_S ../$outputname $outputname)"
-      $run eval '(cd $output_objdir && $rm $outputname && $LN_S ../$outputname $outputname)' || exit $?
-      ;;
-    esac
-    exit $EXIT_SUCCESS
-    ;;
-
-  # libtool install mode
-  install)
-    modename="$modename: install"
-
-    # There may be an optional sh(1) argument at the beginning of
-    # install_prog (especially on Windows NT).
-    if test "$nonopt" = "$SHELL" || test "$nonopt" = /bin/sh ||
-       # Allow the use of GNU shtool's install command.
-       $echo "X$nonopt" | grep shtool > /dev/null; then
-      # Aesthetically quote it.
-      arg=`$echo "X$nonopt" | $Xsed -e "$sed_quote_subst"`
-      case $arg in
-      *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*|"")
-	arg="\"$arg\""
-	;;
-      esac
-      install_prog="$arg "
-      arg="$1"
-      shift
-    else
-      install_prog=
-      arg=$nonopt
-    fi
-
-    # The real first argument should be the name of the installation program.
-    # Aesthetically quote it.
-    arg=`$echo "X$arg" | $Xsed -e "$sed_quote_subst"`
-    case $arg in
-    *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*|"")
-      arg="\"$arg\""
-      ;;
-    esac
-    install_prog="$install_prog$arg"
-
-    # We need to accept at least all the BSD install flags.
-    dest=
-    files=
-    opts=
-    prev=
-    install_type=
-    isdir=no
-    stripme=
-    for arg
-    do
-      if test -n "$dest"; then
-	files="$files $dest"
-	dest=$arg
-	continue
-      fi
-
-      case $arg in
-      -d) isdir=yes ;;
-      -f) 
-      	case " $install_prog " in
-	*[\\\ /]cp\ *) ;;
-	*) prev=$arg ;;
-	esac
-	;;
-      -g | -m | -o) prev=$arg ;;
-      -s)
-	stripme=" -s"
-	continue
-	;;
-      -*)
-	;;
-      *)
-	# If the previous option needed an argument, then skip it.
-	if test -n "$prev"; then
-	  prev=
-	else
-	  dest=$arg
-	  continue
-	fi
-	;;
-      esac
-
-      # Aesthetically quote the argument.
-      arg=`$echo "X$arg" | $Xsed -e "$sed_quote_subst"`
-      case $arg in
-      *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*|"")
-	arg="\"$arg\""
-	;;
-      esac
-      install_prog="$install_prog $arg"
-    done
-
-    if test -z "$install_prog"; then
-      $echo "$modename: you must specify an install program" 1>&2
-      $echo "$help" 1>&2
-      exit $EXIT_FAILURE
-    fi
-
-    if test -n "$prev"; then
-      $echo "$modename: the \`$prev' option requires an argument" 1>&2
-      $echo "$help" 1>&2
-      exit $EXIT_FAILURE
-    fi
-
-    if test -z "$files"; then
-      if test -z "$dest"; then
-	$echo "$modename: no file or destination specified" 1>&2
-      else
-	$echo "$modename: you must specify a destination" 1>&2
-      fi
-      $echo "$help" 1>&2
-      exit $EXIT_FAILURE
-    fi
-
-    # Strip any trailing slash from the destination.
-    dest=`$echo "X$dest" | $Xsed -e 's%/$%%'`
-
-    # Check to see that the destination is a directory.
-    test -d "$dest" && isdir=yes
-    if test "$isdir" = yes; then
-      destdir="$dest"
-      destname=
-    else
-      destdir=`$echo "X$dest" | $Xsed -e 's%/[^/]*$%%'`
-      test "X$destdir" = "X$dest" && destdir=.
-      destname=`$echo "X$dest" | $Xsed -e 's%^.*/%%'`
-
-      # Not a directory, so check to see that there is only one file specified.
-      set dummy $files
-      if test "$#" -gt 2; then
-	$echo "$modename: \`$dest' is not a directory" 1>&2
-	$echo "$help" 1>&2
-	exit $EXIT_FAILURE
-      fi
-    fi
-    case $destdir in
-    [\\/]* | [A-Za-z]:[\\/]*) ;;
-    *)
-      for file in $files; do
-	case $file in
-	*.lo) ;;
-	*)
-	  $echo "$modename: \`$destdir' must be an absolute directory name" 1>&2
-	  $echo "$help" 1>&2
-	  exit $EXIT_FAILURE
-	  ;;
-	esac
-      done
-      ;;
-    esac
-
-    # This variable tells wrapper scripts just to set variables rather
-    # than running their programs.
-    libtool_install_magic="$magic"
-
-    staticlibs=
-    future_libdirs=
-    current_libdirs=
-    for file in $files; do
-
-      # Do each installation.
-      case $file in
-      *.$libext)
-	# Do the static libraries later.
-	staticlibs="$staticlibs $file"
-	;;
-
-      *.la)
-	# Check to see that this really is a libtool archive.
-	if (${SED} -e '2q' $file | grep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then :
-	else
-	  $echo "$modename: \`$file' is not a valid libtool archive" 1>&2
-	  $echo "$help" 1>&2
-	  exit $EXIT_FAILURE
-	fi
-
-	library_names=
-	old_library=
-	relink_command=
-	# If there is no directory component, then add one.
-	case $file in
-	*/* | *\\*) . $file ;;
-	*) . ./$file ;;
-	esac
-
-	# Add the libdir to current_libdirs if it is the destination.
-	if test "X$destdir" = "X$libdir"; then
-	  case "$current_libdirs " in
-	  *" $libdir "*) ;;
-	  *) current_libdirs="$current_libdirs $libdir" ;;
-	  esac
-	else
-	  # Note the libdir as a future libdir.
-	  case "$future_libdirs " in
-	  *" $libdir "*) ;;
-	  *) future_libdirs="$future_libdirs $libdir" ;;
-	  esac
-	fi
-
-	dir=`$echo "X$file" | $Xsed -e 's%/[^/]*$%%'`/
-	test "X$dir" = "X$file/" && dir=
-	dir="$dir$objdir"
-
-	if test -n "$relink_command"; then
-	  # Determine the prefix the user has applied to our future dir.
-	  inst_prefix_dir=`$echo "$destdir" | $SED "s%$libdir\$%%"`
-
-	  # Don't allow the user to place us outside of our expected
-	  # location b/c this prevents finding dependent libraries that
-	  # are installed to the same prefix.
-	  # At present, this check doesn't affect windows .dll's that
-	  # are installed into $libdir/../bin (currently, that works fine)
-	  # but it's something to keep an eye on.
-	  if test "$inst_prefix_dir" = "$destdir"; then
-	    $echo "$modename: error: cannot install \`$file' to a directory not ending in $libdir" 1>&2
-	    exit $EXIT_FAILURE
-	  fi
-
-	  if test -n "$inst_prefix_dir"; then
-	    # Stick the inst_prefix_dir data into the link command.
-	    relink_command=`$echo "$relink_command" | $SP2NL | $SED "s%@inst_prefix_dir@%-inst-prefix-dir $inst_prefix_dir%" | $NL2SP`
-	  else
-	    relink_command=`$echo "$relink_command" | $SP2NL | $SED "s%@inst_prefix_dir@%%" | $NL2SP`
-	  fi
-
-	  $echo "$modename: warning: relinking \`$file'" 1>&2
-	  $show "$relink_command"
-	  if $run eval "$relink_command"; then :
-	  else
-	    $echo "$modename: error: relink \`$file' with the above command before installing it" 1>&2
-	    exit $EXIT_FAILURE
-	  fi
-	fi
-
-	# See the names of the shared library.
-	set dummy $library_names
-	if test -n "$2"; then
-	  realname="$2"
-	  shift
-	  shift
-
-	  srcname="$realname"
-	  test -n "$relink_command" && srcname="$realname"T
-
-	  # Install the shared library and build the symlinks.
-	  $show "$install_prog $dir/$srcname $destdir/$realname"
-	  $run eval "$install_prog $dir/$srcname $destdir/$realname" || exit $?
-	  if test -n "$stripme" && test -n "$striplib"; then
-	    $show "$striplib $destdir/$realname"
-	    $run eval "$striplib $destdir/$realname" || exit $?
-	  fi
-
-	  if test "$#" -gt 0; then
-	    # Delete the old symlinks, and create new ones.
-	    # Try `ln -sf' first, because the `ln' binary might depend on
-	    # the symlink we replace!  Solaris /bin/ln does not understand -f,
-	    # so we also need to try rm && ln -s.
-	    for linkname
-	    do
-	      if test "$linkname" != "$realname"; then
-                $show "(cd $destdir && { $LN_S -f $realname $linkname || { $rm $linkname && $LN_S $realname $linkname; }; })"
-                $run eval "(cd $destdir && { $LN_S -f $realname $linkname || { $rm $linkname && $LN_S $realname $linkname; }; })"
-	      fi
-	    done
-	  fi
-
-	  # Do each command in the postinstall commands.
-	  lib="$destdir/$realname"
-	  cmds=$postinstall_cmds
-	  save_ifs="$IFS"; IFS='~'
-	  for cmd in $cmds; do
-	    IFS="$save_ifs"
-	    eval cmd=\"$cmd\"
-	    $show "$cmd"
-	    $run eval "$cmd" || {
-	      lt_exit=$?
-
-	      # Restore the uninstalled library and exit
-	      if test "$mode" = relink; then
-		$run eval '(cd $output_objdir && $rm ${realname}T && $mv ${realname}U $realname)'
-	      fi
-
-	      exit $lt_exit
-	    }
-	  done
-	  IFS="$save_ifs"
-	fi
-
-	# Install the pseudo-library for information purposes.
-	name=`$echo "X$file" | $Xsed -e 's%^.*/%%'`
-	instname="$dir/$name"i
-	$show "$install_prog $instname $destdir/$name"
-	$run eval "$install_prog $instname $destdir/$name" || exit $?
-
-	# Maybe install the static library, too.
-	test -n "$old_library" && staticlibs="$staticlibs $dir/$old_library"
-	;;
-
-      *.lo)
-	# Install (i.e. copy) a libtool object.
-
-	# Figure out destination file name, if it wasn't already specified.
-	if test -n "$destname"; then
-	  destfile="$destdir/$destname"
-	else
-	  destfile=`$echo "X$file" | $Xsed -e 's%^.*/%%'`
-	  destfile="$destdir/$destfile"
-	fi
-
-	# Deduce the name of the destination old-style object file.
-	case $destfile in
-	*.lo)
-	  staticdest=`$echo "X$destfile" | $Xsed -e "$lo2o"`
-	  ;;
-	*.$objext)
-	  staticdest="$destfile"
-	  destfile=
-	  ;;
-	*)
-	  $echo "$modename: cannot copy a libtool object to \`$destfile'" 1>&2
-	  $echo "$help" 1>&2
-	  exit $EXIT_FAILURE
-	  ;;
-	esac
-
-	# Install the libtool object if requested.
-	if test -n "$destfile"; then
-	  $show "$install_prog $file $destfile"
-	  $run eval "$install_prog $file $destfile" || exit $?
-	fi
-
-	# Install the old object if enabled.
-	if test "$build_old_libs" = yes; then
-	  # Deduce the name of the old-style object file.
-	  staticobj=`$echo "X$file" | $Xsed -e "$lo2o"`
-
-	  $show "$install_prog $staticobj $staticdest"
-	  $run eval "$install_prog \$staticobj \$staticdest" || exit $?
-	fi
-	exit $EXIT_SUCCESS
-	;;
-
-      *)
-	# Figure out destination file name, if it wasn't already specified.
-	if test -n "$destname"; then
-	  destfile="$destdir/$destname"
-	else
-	  destfile=`$echo "X$file" | $Xsed -e 's%^.*/%%'`
-	  destfile="$destdir/$destfile"
-	fi
-
-	# If the file is missing, and there is a .exe on the end, strip it
-	# because it is most likely a libtool script we actually want to
-	# install
-	stripped_ext=""
-	case $file in
-	  *.exe)
-	    if test ! -f "$file"; then
-	      file=`$echo $file|${SED} 's,.exe$,,'`
-	      stripped_ext=".exe"
-	    fi
-	    ;;
-	esac
-
-	# Do a test to see if this is really a libtool program.
-	case $host in
-	*cygwin*|*mingw*)
-	    wrapper=`$echo $file | ${SED} -e 's,.exe$,,'`
-	    ;;
-	*)
-	    wrapper=$file
-	    ;;
-	esac
-	if (${SED} -e '4q' $wrapper | grep "^# Generated by .*$PACKAGE")>/dev/null 2>&1; then
-	  notinst_deplibs=
-	  relink_command=
-
-	  # Note that it is not necessary on cygwin/mingw to append a dot to
-	  # foo even if both foo and FILE.exe exist: automatic-append-.exe
-	  # behavior happens only for exec(3), not for open(2)!  Also, sourcing
-	  # `FILE.' does not work on cygwin managed mounts.
-	  #
-	  # If there is no directory component, then add one.
-	  case $wrapper in
-	  */* | *\\*) . ${wrapper} ;;
-	  *) . ./${wrapper} ;;
-	  esac
-
-	  # Check the variables that should have been set.
-	  if test -z "$notinst_deplibs"; then
-	    $echo "$modename: invalid libtool wrapper script \`$wrapper'" 1>&2
-	    exit $EXIT_FAILURE
-	  fi
-
-	  finalize=yes
-	  for lib in $notinst_deplibs; do
-	    # Check to see that each library is installed.
-	    libdir=
-	    if test -f "$lib"; then
-	      # If there is no directory component, then add one.
-	      case $lib in
-	      */* | *\\*) . $lib ;;
-	      *) . ./$lib ;;
-	      esac
-	    fi
-	    libfile="$libdir/"`$echo "X$lib" | $Xsed -e 's%^.*/%%g'` ### testsuite: skip nested quoting test
-	    if test -n "$libdir" && test ! -f "$libfile"; then
-	      $echo "$modename: warning: \`$lib' has not been installed in \`$libdir'" 1>&2
-	      finalize=no
-	    fi
-	  done
-
-	  relink_command=
-	  # Note that it is not necessary on cygwin/mingw to append a dot to
-	  # foo even if both foo and FILE.exe exist: automatic-append-.exe
-	  # behavior happens only for exec(3), not for open(2)!  Also, sourcing
-	  # `FILE.' does not work on cygwin managed mounts.
-	  #
-	  # If there is no directory component, then add one.
-	  case $wrapper in
-	  */* | *\\*) . ${wrapper} ;;
-	  *) . ./${wrapper} ;;
-	  esac
-
-	  outputname=
-	  if test "$fast_install" = no && test -n "$relink_command"; then
-	    if test "$finalize" = yes && test -z "$run"; then
-	      tmpdir=`func_mktempdir`
-	      file=`$echo "X$file$stripped_ext" | $Xsed -e 's%^.*/%%'`
-	      outputname="$tmpdir/$file"
-	      # Replace the output file specification.
-	      relink_command=`$echo "X$relink_command" | $SP2NL | $Xsed -e 's%@OUTPUT@%'"$outputname"'%g' | $NL2SP`
-
-	      $show "$relink_command"
-	      if $run eval "$relink_command"; then :
-	      else
-		$echo "$modename: error: relink \`$file' with the above command before installing it" 1>&2
-		${rm}r "$tmpdir"
-		continue
-	      fi
-	      file="$outputname"
-	    else
-	      $echo "$modename: warning: cannot relink \`$file'" 1>&2
-	    fi
-	  else
-	    # Install the binary that we compiled earlier.
-	    file=`$echo "X$file$stripped_ext" | $Xsed -e "s%\([^/]*\)$%$objdir/\1%"`
-	  fi
-	fi
-
-	# remove .exe since cygwin /usr/bin/install will append another
-	# one anyway 
-	case $install_prog,$host in
-	*/usr/bin/install*,*cygwin*)
-	  case $file:$destfile in
-	  *.exe:*.exe)
-	    # this is ok
-	    ;;
-	  *.exe:*)
-	    destfile=$destfile.exe
-	    ;;
-	  *:*.exe)
-	    destfile=`$echo $destfile | ${SED} -e 's,.exe$,,'`
-	    ;;
-	  esac
-	  ;;
-	esac
-	$show "$install_prog$stripme $file $destfile"
-	$run eval "$install_prog\$stripme \$file \$destfile" || exit $?
-	test -n "$outputname" && ${rm}r "$tmpdir"
-	;;
-      esac
-    done
-
-    for file in $staticlibs; do
-      name=`$echo "X$file" | $Xsed -e 's%^.*/%%'`
-
-      # Set up the ranlib parameters.
-      oldlib="$destdir/$name"
-
-      $show "$install_prog $file $oldlib"
-      $run eval "$install_prog \$file \$oldlib" || exit $?
-
-      if test -n "$stripme" && test -n "$old_striplib"; then
-	$show "$old_striplib $oldlib"
-	$run eval "$old_striplib $oldlib" || exit $?
-      fi
-
-      # Do each command in the postinstall commands.
-      cmds=$old_postinstall_cmds
-      save_ifs="$IFS"; IFS='~'
-      for cmd in $cmds; do
-	IFS="$save_ifs"
-	eval cmd=\"$cmd\"
-	$show "$cmd"
-	$run eval "$cmd" || exit $?
-      done
-      IFS="$save_ifs"
-    done
-
-    if test -n "$future_libdirs"; then
-      $echo "$modename: warning: remember to run \`$progname --finish$future_libdirs'" 1>&2
-    fi
-
-    if test -n "$current_libdirs"; then
-      # Maybe just do a dry run.
-      test -n "$run" && current_libdirs=" -n$current_libdirs"
-      exec_cmd='$SHELL $progpath $preserve_args --finish$current_libdirs'
-    else
-      exit $EXIT_SUCCESS
-    fi
-    ;;
-
-  # libtool finish mode
-  finish)
-    modename="$modename: finish"
-    libdirs="$nonopt"
-    admincmds=
-
-    if test -n "$finish_cmds$finish_eval" && test -n "$libdirs"; then
-      for dir
-      do
-	libdirs="$libdirs $dir"
-      done
-
-      for libdir in $libdirs; do
-	if test -n "$finish_cmds"; then
-	  # Do each command in the finish commands.
-	  cmds=$finish_cmds
-	  save_ifs="$IFS"; IFS='~'
-	  for cmd in $cmds; do
-	    IFS="$save_ifs"
-	    eval cmd=\"$cmd\"
-	    $show "$cmd"
-	    $run eval "$cmd" || admincmds="$admincmds
-       $cmd"
-	  done
-	  IFS="$save_ifs"
-	fi
-	if test -n "$finish_eval"; then
-	  # Do the single finish_eval.
-	  eval cmds=\"$finish_eval\"
-	  $run eval "$cmds" || admincmds="$admincmds
-       $cmds"
-	fi
-      done
-    fi
-
-    # Exit here if they wanted silent mode.
-    test "$show" = : && exit $EXIT_SUCCESS
-
-    $echo "X----------------------------------------------------------------------" | $Xsed
-    $echo "Libraries have been installed in:"
-    for libdir in $libdirs; do
-      $echo "   $libdir"
-    done
-    $echo
-    $echo "If you ever happen to want to link against installed libraries"
-    $echo "in a given directory, LIBDIR, you must either use libtool, and"
-    $echo "specify the full pathname of the library, or use the \`-LLIBDIR'"
-    $echo "flag during linking and do at least one of the following:"
-    if test -n "$shlibpath_var"; then
-      $echo "   - add LIBDIR to the \`$shlibpath_var' environment variable"
-      $echo "     during execution"
-    fi
-    if test -n "$runpath_var"; then
-      $echo "   - add LIBDIR to the \`$runpath_var' environment variable"
-      $echo "     during linking"
-    fi
-    if test -n "$hardcode_libdir_flag_spec"; then
-      libdir=LIBDIR
-      eval flag=\"$hardcode_libdir_flag_spec\"
-
-      $echo "   - use the \`$flag' linker flag"
-    fi
-    if test -n "$admincmds"; then
-      $echo "   - have your system administrator run these commands:$admincmds"
-    fi
-    if test -f /etc/ld.so.conf; then
-      $echo "   - have your system administrator add LIBDIR to \`/etc/ld.so.conf'"
-    fi
-    $echo
-    $echo "See any operating system documentation about shared libraries for"
-    $echo "more information, such as the ld(1) and ld.so(8) manual pages."
-    $echo "X----------------------------------------------------------------------" | $Xsed
-    exit $EXIT_SUCCESS
-    ;;
-
-  # libtool execute mode
-  execute)
-    modename="$modename: execute"
-
-    # The first argument is the command name.
-    cmd="$nonopt"
-    if test -z "$cmd"; then
-      $echo "$modename: you must specify a COMMAND" 1>&2
-      $echo "$help"
-      exit $EXIT_FAILURE
-    fi
-
-    # Handle -dlopen flags immediately.
-    for file in $execute_dlfiles; do
-      if test ! -f "$file"; then
-	$echo "$modename: \`$file' is not a file" 1>&2
-	$echo "$help" 1>&2
-	exit $EXIT_FAILURE
-      fi
-
-      dir=
-      case $file in
-      *.la)
-	# Check to see that this really is a libtool archive.
-	if (${SED} -e '2q' $file | grep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then :
-	else
-	  $echo "$modename: \`$lib' is not a valid libtool archive" 1>&2
-	  $echo "$help" 1>&2
-	  exit $EXIT_FAILURE
-	fi
-
-	# Read the libtool library.
-	dlname=
-	library_names=
-
-	# If there is no directory component, then add one.
-	case $file in
-	*/* | *\\*) . $file ;;
-	*) . ./$file ;;
-	esac
-
-	# Skip this library if it cannot be dlopened.
-	if test -z "$dlname"; then
-	  # Warn if it was a shared library.
-	  test -n "$library_names" && $echo "$modename: warning: \`$file' was not linked with \`-export-dynamic'"
-	  continue
-	fi
-
-	dir=`$echo "X$file" | $Xsed -e 's%/[^/]*$%%'`
-	test "X$dir" = "X$file" && dir=.
-
-	if test -f "$dir/$objdir/$dlname"; then
-	  dir="$dir/$objdir"
-	else
-	  if test ! -f "$dir/$dlname"; then
-	    $echo "$modename: cannot find \`$dlname' in \`$dir' or \`$dir/$objdir'" 1>&2
-	    exit $EXIT_FAILURE
-	  fi
-	fi
-	;;
-
-      *.lo)
-	# Just add the directory containing the .lo file.
-	dir=`$echo "X$file" | $Xsed -e 's%/[^/]*$%%'`
-	test "X$dir" = "X$file" && dir=.
-	;;
-
-      *)
-	$echo "$modename: warning \`-dlopen' is ignored for non-libtool libraries and objects" 1>&2
-	continue
-	;;
-      esac
-
-      # Get the absolute pathname.
-      absdir=`cd "$dir" && pwd`
-      test -n "$absdir" && dir="$absdir"
-
-      # Now add the directory to shlibpath_var.
-      if eval "test -z \"\$$shlibpath_var\""; then
-	eval "$shlibpath_var=\"\$dir\""
-      else
-	eval "$shlibpath_var=\"\$dir:\$$shlibpath_var\""
-      fi
-    done
-
-    # This variable tells wrapper scripts just to set shlibpath_var
-    # rather than running their programs.
-    libtool_execute_magic="$magic"
-
-    # Check if any of the arguments is a wrapper script.
-    args=
-    for file
-    do
-      case $file in
-      -*) ;;
-      *)
-	# Do a test to see if this is really a libtool program.
-	if (${SED} -e '4q' $file | grep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then
-	  # If there is no directory component, then add one.
-	  case $file in
-	  */* | *\\*) . $file ;;
-	  *) . ./$file ;;
-	  esac
-
-	  # Transform arg to wrapped name.
-	  file="$progdir/$program"
-	fi
-	;;
-      esac
-      # Quote arguments (to preserve shell metacharacters).
-      file=`$echo "X$file" | $Xsed -e "$sed_quote_subst"`
-      args="$args \"$file\""
-    done
-
-    if test -z "$run"; then
-      if test -n "$shlibpath_var"; then
-	# Export the shlibpath_var.
-	eval "export $shlibpath_var"
-      fi
-
-      # Restore saved environment variables
-      for lt_var in LANG LANGUAGE LC_ALL LC_CTYPE LC_COLLATE LC_MESSAGES
-      do
-	eval "if test \"\${save_$lt_var+set}\" = set; then
-		$lt_var=\$save_$lt_var; export $lt_var
-	      fi"
-      done
-
-      # Now prepare to actually exec the command.
-      exec_cmd="\$cmd$args"
-    else
-      # Display what would be done.
-      if test -n "$shlibpath_var"; then
-	eval "\$echo \"\$shlibpath_var=\$$shlibpath_var\""
-	$echo "export $shlibpath_var"
-      fi
-      $echo "$cmd$args"
-      exit $EXIT_SUCCESS
-    fi
-    ;;
-
-  # libtool clean and uninstall mode
-  clean | uninstall)
-    modename="$modename: $mode"
-    rm="$nonopt"
-    files=
-    rmforce=
-    exit_status=0
-
-    # This variable tells wrapper scripts just to set variables rather
-    # than running their programs.
-    libtool_install_magic="$magic"
-
-    for arg
-    do
-      case $arg in
-      -f) rm="$rm $arg"; rmforce=yes ;;
-      -*) rm="$rm $arg" ;;
-      *) files="$files $arg" ;;
-      esac
-    done
-
-    if test -z "$rm"; then
-      $echo "$modename: you must specify an RM program" 1>&2
-      $echo "$help" 1>&2
-      exit $EXIT_FAILURE
-    fi
-
-    rmdirs=
-
-    origobjdir="$objdir"
-    for file in $files; do
-      dir=`$echo "X$file" | $Xsed -e 's%/[^/]*$%%'`
-      if test "X$dir" = "X$file"; then
-	dir=.
-	objdir="$origobjdir"
-      else
-	objdir="$dir/$origobjdir"
-      fi
-      name=`$echo "X$file" | $Xsed -e 's%^.*/%%'`
-      test "$mode" = uninstall && objdir="$dir"
-
-      # Remember objdir for removal later, being careful to avoid duplicates
-      if test "$mode" = clean; then
-	case " $rmdirs " in
-	  *" $objdir "*) ;;
-	  *) rmdirs="$rmdirs $objdir" ;;
-	esac
-      fi
-
-      # Don't error if the file doesn't exist and rm -f was used.
-      if (test -L "$file") >/dev/null 2>&1 \
-	|| (test -h "$file") >/dev/null 2>&1 \
-	|| test -f "$file"; then
-	:
-      elif test -d "$file"; then
-	exit_status=1
-	continue
-      elif test "$rmforce" = yes; then
-	continue
-      fi
-
-      rmfiles="$file"
-
-      case $name in
-      *.la)
-	# Possibly a libtool archive, so verify it.
-	if (${SED} -e '2q' $file | grep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then
-	  . $dir/$name
-
-	  # Delete the libtool libraries and symlinks.
-	  for n in $library_names; do
-	    rmfiles="$rmfiles $objdir/$n"
-	  done
-	  test -n "$old_library" && rmfiles="$rmfiles $objdir/$old_library"
-
-	  case "$mode" in
-	  clean)
-	    case "  $library_names " in
-	    # "  " in the beginning catches empty $dlname
-	    *" $dlname "*) ;;
-	    *) rmfiles="$rmfiles $objdir/$dlname" ;;
-	    esac
-	     test -n "$libdir" && rmfiles="$rmfiles $objdir/$name $objdir/${name}i"
-	    ;;
-	  uninstall)
-	    if test -n "$library_names"; then
-	      # Do each command in the postuninstall commands.
-	      cmds=$postuninstall_cmds
-	      save_ifs="$IFS"; IFS='~'
-	      for cmd in $cmds; do
-		IFS="$save_ifs"
-		eval cmd=\"$cmd\"
-		$show "$cmd"
-		$run eval "$cmd"
-		if test "$?" -ne 0 && test "$rmforce" != yes; then
-		  exit_status=1
-		fi
-	      done
-	      IFS="$save_ifs"
-	    fi
-
-	    if test -n "$old_library"; then
-	      # Do each command in the old_postuninstall commands.
-	      cmds=$old_postuninstall_cmds
-	      save_ifs="$IFS"; IFS='~'
-	      for cmd in $cmds; do
-		IFS="$save_ifs"
-		eval cmd=\"$cmd\"
-		$show "$cmd"
-		$run eval "$cmd"
-		if test "$?" -ne 0 && test "$rmforce" != yes; then
-		  exit_status=1
-		fi
-	      done
-	      IFS="$save_ifs"
-	    fi
-	    # FIXME: should reinstall the best remaining shared library.
-	    ;;
-	  esac
-	fi
-	;;
-
-      *.lo)
-	# Possibly a libtool object, so verify it.
-	if (${SED} -e '2q' $file | grep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then
-
-	  # Read the .lo file
-	  . $dir/$name
-
-	  # Add PIC object to the list of files to remove.
-	  if test -n "$pic_object" \
-	     && test "$pic_object" != none; then
-	    rmfiles="$rmfiles $dir/$pic_object"
-	  fi
-
-	  # Add non-PIC object to the list of files to remove.
-	  if test -n "$non_pic_object" \
-	     && test "$non_pic_object" != none; then
-	    rmfiles="$rmfiles $dir/$non_pic_object"
-	  fi
-	fi
-	;;
-
-      *)
-	if test "$mode" = clean ; then
-	  noexename=$name
-	  case $file in
-	  *.exe)
-	    file=`$echo $file|${SED} 's,.exe$,,'`
-	    noexename=`$echo $name|${SED} 's,.exe$,,'`
-	    # $file with .exe has already been added to rmfiles,
-	    # add $file without .exe
-	    rmfiles="$rmfiles $file"
-	    ;;
-	  esac
-	  # Do a test to see if this is a libtool program.
-	  if (${SED} -e '4q' $file | grep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then
-	    relink_command=
-	    . $dir/$noexename
-
-	    # note $name still contains .exe if it was in $file originally
-	    # as does the version of $file that was added into $rmfiles
-	    rmfiles="$rmfiles $objdir/$name $objdir/${name}S.${objext}"
-	    if test "$fast_install" = yes && test -n "$relink_command"; then
-	      rmfiles="$rmfiles $objdir/lt-$name"
-	    fi
-	    if test "X$noexename" != "X$name" ; then
-	      rmfiles="$rmfiles $objdir/lt-${noexename}.c"
-	    fi
-	  fi
-	fi
-	;;
-      esac
-      $show "$rm $rmfiles"
-      $run $rm $rmfiles || exit_status=1
-    done
-    objdir="$origobjdir"
-
-    # Try to remove the ${objdir}s in the directories where we deleted files
-    for dir in $rmdirs; do
-      if test -d "$dir"; then
-	$show "rmdir $dir"
-	$run rmdir $dir >/dev/null 2>&1
-      fi
-    done
-
-    exit $exit_status
-    ;;
-
-  "")
-    $echo "$modename: you must specify a MODE" 1>&2
-    $echo "$generic_help" 1>&2
-    exit $EXIT_FAILURE
-    ;;
-  esac
-
-  if test -z "$exec_cmd"; then
-    $echo "$modename: invalid operation mode \`$mode'" 1>&2
-    $echo "$generic_help" 1>&2
-    exit $EXIT_FAILURE
-  fi
-fi # test -z "$show_help"
-
-if test -n "$exec_cmd"; then
-  eval exec $exec_cmd
-  exit $EXIT_FAILURE
-fi
-
-# We need to display help for each of the modes.
-case $mode in
-"") $echo \
-"Usage: $modename [OPTION]... [MODE-ARG]...
-
-Provide generalized library-building support services.
-
-    --config          show all configuration variables
-    --debug           enable verbose shell tracing
--n, --dry-run         display commands without modifying any files
-    --features        display basic configuration information and exit
-    --finish          same as \`--mode=finish'
-    --help            display this help message and exit
-    --mode=MODE       use operation mode MODE [default=inferred from MODE-ARGS]
-    --quiet           same as \`--silent'
-    --silent          don't print informational messages
-    --tag=TAG         use configuration variables from tag TAG
-    --version         print version information
-
-MODE must be one of the following:
-
-      clean           remove files from the build directory
-      compile         compile a source file into a libtool object
-      execute         automatically set library path, then run a program
-      finish          complete the installation of libtool libraries
-      install         install libraries or executables
-      link            create a library or an executable
-      uninstall       remove libraries from an installed directory
-
-MODE-ARGS vary depending on the MODE.  Try \`$modename --help --mode=MODE' for
-a more detailed description of MODE.
-
-Report bugs to <bug-libtool@gnu.org>."
-  exit $EXIT_SUCCESS
-  ;;
-
-clean)
-  $echo \
-"Usage: $modename [OPTION]... --mode=clean RM [RM-OPTION]... FILE...
-
-Remove files from the build directory.
-
-RM is the name of the program to use to delete files associated with each FILE
-(typically \`/bin/rm').  RM-OPTIONS are options (such as \`-f') to be passed
-to RM.
-
-If FILE is a libtool library, object or program, all the files associated
-with it are deleted. Otherwise, only FILE itself is deleted using RM."
-  ;;
-
-compile)
-  $echo \
-"Usage: $modename [OPTION]... --mode=compile COMPILE-COMMAND... SOURCEFILE
-
-Compile a source file into a libtool library object.
-
-This mode accepts the following additional options:
-
-  -o OUTPUT-FILE    set the output file name to OUTPUT-FILE
-  -prefer-pic       try to building PIC objects only
-  -prefer-non-pic   try to building non-PIC objects only
-  -static           always build a \`.o' file suitable for static linking
-
-COMPILE-COMMAND is a command to be used in creating a \`standard' object file
-from the given SOURCEFILE.
-
-The output file name is determined by removing the directory component from
-SOURCEFILE, then substituting the C source code suffix \`.c' with the
-library object suffix, \`.lo'."
-  ;;
-
-execute)
-  $echo \
-"Usage: $modename [OPTION]... --mode=execute COMMAND [ARGS]...
-
-Automatically set library path, then run a program.
-
-This mode accepts the following additional options:
-
-  -dlopen FILE      add the directory containing FILE to the library path
-
-This mode sets the library path environment variable according to \`-dlopen'
-flags.
-
-If any of the ARGS are libtool executable wrappers, then they are translated
-into their corresponding uninstalled binary, and any of their required library
-directories are added to the library path.
-
-Then, COMMAND is executed, with ARGS as arguments."
-  ;;
-
-finish)
-  $echo \
-"Usage: $modename [OPTION]... --mode=finish [LIBDIR]...
-
-Complete the installation of libtool libraries.
-
-Each LIBDIR is a directory that contains libtool libraries.
-
-The commands that this mode executes may require superuser privileges.  Use
-the \`--dry-run' option if you just want to see what would be executed."
-  ;;
-
-install)
-  $echo \
-"Usage: $modename [OPTION]... --mode=install INSTALL-COMMAND...
-
-Install executables or libraries.
-
-INSTALL-COMMAND is the installation command.  The first component should be
-either the \`install' or \`cp' program.
-
-The rest of the components are interpreted as arguments to that command (only
-BSD-compatible install options are recognized)."
-  ;;
-
-link)
-  $echo \
-"Usage: $modename [OPTION]... --mode=link LINK-COMMAND...
-
-Link object files or libraries together to form another library, or to
-create an executable program.
-
-LINK-COMMAND is a command using the C compiler that you would use to create
-a program from several object files.
-
-The following components of LINK-COMMAND are treated specially:
-
-  -all-static       do not do any dynamic linking at all
-  -avoid-version    do not add a version suffix if possible
-  -dlopen FILE      \`-dlpreopen' FILE if it cannot be dlopened at runtime
-  -dlpreopen FILE   link in FILE and add its symbols to lt_preloaded_symbols
-  -export-dynamic   allow symbols from OUTPUT-FILE to be resolved with dlsym(3)
-  -export-symbols SYMFILE
-                    try to export only the symbols listed in SYMFILE
-  -export-symbols-regex REGEX
-                    try to export only the symbols matching REGEX
-  -LLIBDIR          search LIBDIR for required installed libraries
-  -lNAME            OUTPUT-FILE requires the installed library libNAME
-  -module           build a library that can dlopened
-  -no-fast-install  disable the fast-install mode
-  -no-install       link a not-installable executable
-  -no-undefined     declare that a library does not refer to external symbols
-  -o OUTPUT-FILE    create OUTPUT-FILE from the specified objects
-  -objectlist FILE  Use a list of object files found in FILE to specify objects
-  -precious-files-regex REGEX
-                    don't remove output files matching REGEX
-  -release RELEASE  specify package release information
-  -rpath LIBDIR     the created library will eventually be installed in LIBDIR
-  -R[ ]LIBDIR       add LIBDIR to the runtime path of programs and libraries
-  -static           do not do any dynamic linking of uninstalled libtool libraries
-  -static-libtool-libs
-                    do not do any dynamic linking of libtool libraries
-  -version-info CURRENT[:REVISION[:AGE]]
-                    specify library version info [each variable defaults to 0]
-
-All other options (arguments beginning with \`-') are ignored.
-
-Every other argument is treated as a filename.  Files ending in \`.la' are
-treated as uninstalled libtool libraries, other files are standard or library
-object files.
-
-If the OUTPUT-FILE ends in \`.la', then a libtool library is created,
-only library objects (\`.lo' files) may be specified, and \`-rpath' is
-required, except when creating a convenience library.
-
-If OUTPUT-FILE ends in \`.a' or \`.lib', then a standard library is created
-using \`ar' and \`ranlib', or on Windows using \`lib'.
-
-If OUTPUT-FILE ends in \`.lo' or \`.${objext}', then a reloadable object file
-is created, otherwise an executable program is created."
-  ;;
-
-uninstall)
-  $echo \
-"Usage: $modename [OPTION]... --mode=uninstall RM [RM-OPTION]... FILE...
-
-Remove libraries from an installation directory.
-
-RM is the name of the program to use to delete files associated with each FILE
-(typically \`/bin/rm').  RM-OPTIONS are options (such as \`-f') to be passed
-to RM.
-
-If FILE is a libtool library, all the files associated with it are deleted.
-Otherwise, only FILE itself is deleted using RM."
-  ;;
-
-*)
-  $echo "$modename: invalid operation mode \`$mode'" 1>&2
-  $echo "$help" 1>&2
-  exit $EXIT_FAILURE
-  ;;
-esac
-
-$echo
-$echo "Try \`$modename --help' for more information about other modes."
-
-exit $?
-
-# The TAGs below are defined such that we never get into a situation
-# in which we disable both kinds of libraries.  Given conflicting
-# choices, we go for a static library, that is the most portable,
-# since we can't tell whether shared libraries were disabled because
-# the user asked for that or because the platform doesn't support
-# them.  This is particularly important on AIX, because we don't
-# support having both static and shared libraries enabled at the same
-# time on that platform, so we default to a shared-only configuration.
-# If a disable-shared tag is given, we'll fallback to a static-only
-# configuration.  But we'll never go from static-only to shared-only.
-
-# ### BEGIN LIBTOOL TAG CONFIG: disable-shared
-disable_libs=shared
-# ### END LIBTOOL TAG CONFIG: disable-shared
-
-# ### BEGIN LIBTOOL TAG CONFIG: disable-static
-disable_libs=static
-# ### END LIBTOOL TAG CONFIG: disable-static
-
-# Local Variables:
-# mode:shell-script
-# sh-indentation:2
-# End:
diff --git a/src/charon/plugins/nm/gnome/missing b/src/charon/plugins/nm/gnome/missing
deleted file mode 100755
index 1c8ff7049..000000000
--- a/src/charon/plugins/nm/gnome/missing
+++ /dev/null
@@ -1,367 +0,0 @@
-#! /bin/sh
-# Common stub for a few missing GNU programs while installing.
-
-scriptversion=2006-05-10.23
-
-# Copyright (C) 1996, 1997, 1999, 2000, 2002, 2003, 2004, 2005, 2006
-#   Free Software Foundation, Inc.
-# Originally by Fran,cois Pinard <pinard@iro.umontreal.ca>, 1996.
-
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2, or (at your option)
-# any later version.
-
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
-# 02110-1301, USA.
-
-# As a special exception to the GNU General Public License, if you
-# distribute this file as part of a program that contains a
-# configuration script generated by Autoconf, you may include it under
-# the same distribution terms that you use for the rest of that program.
-
-if test $# -eq 0; then
-  echo 1>&2 "Try \`$0 --help' for more information"
-  exit 1
-fi
-
-run=:
-sed_output='s/.* --output[ =]\([^ ]*\).*/\1/p'
-sed_minuso='s/.* -o \([^ ]*\).*/\1/p'
-
-# In the cases where this matters, `missing' is being run in the
-# srcdir already.
-if test -f configure.ac; then
-  configure_ac=configure.ac
-else
-  configure_ac=configure.in
-fi
-
-msg="missing on your system"
-
-case $1 in
---run)
-  # Try to run requested program, and just exit if it succeeds.
-  run=
-  shift
-  "$@" && exit 0
-  # Exit code 63 means version mismatch.  This often happens
-  # when the user try to use an ancient version of a tool on
-  # a file that requires a minimum version.  In this case we
-  # we should proceed has if the program had been absent, or
-  # if --run hadn't been passed.
-  if test $? = 63; then
-    run=:
-    msg="probably too old"
-  fi
-  ;;
-
-  -h|--h|--he|--hel|--help)
-    echo "\
-$0 [OPTION]... PROGRAM [ARGUMENT]...
-
-Handle \`PROGRAM [ARGUMENT]...' for when PROGRAM is missing, or return an
-error status if there is no known handling for PROGRAM.
-
-Options:
-  -h, --help      display this help and exit
-  -v, --version   output version information and exit
-  --run           try to run the given command, and emulate it if it fails
-
-Supported PROGRAM values:
-  aclocal      touch file \`aclocal.m4'
-  autoconf     touch file \`configure'
-  autoheader   touch file \`config.h.in'
-  autom4te     touch the output file, or create a stub one
-  automake     touch all \`Makefile.in' files
-  bison        create \`y.tab.[ch]', if possible, from existing .[ch]
-  flex         create \`lex.yy.c', if possible, from existing .c
-  help2man     touch the output file
-  lex          create \`lex.yy.c', if possible, from existing .c
-  makeinfo     touch the output file
-  tar          try tar, gnutar, gtar, then tar without non-portable flags
-  yacc         create \`y.tab.[ch]', if possible, from existing .[ch]
-
-Send bug reports to <bug-automake@gnu.org>."
-    exit $?
-    ;;
-
-  -v|--v|--ve|--ver|--vers|--versi|--versio|--version)
-    echo "missing $scriptversion (GNU Automake)"
-    exit $?
-    ;;
-
-  -*)
-    echo 1>&2 "$0: Unknown \`$1' option"
-    echo 1>&2 "Try \`$0 --help' for more information"
-    exit 1
-    ;;
-
-esac
-
-# Now exit if we have it, but it failed.  Also exit now if we
-# don't have it and --version was passed (most likely to detect
-# the program).
-case $1 in
-  lex|yacc)
-    # Not GNU programs, they don't have --version.
-    ;;
-
-  tar)
-    if test -n "$run"; then
-       echo 1>&2 "ERROR: \`tar' requires --run"
-       exit 1
-    elif test "x$2" = "x--version" || test "x$2" = "x--help"; then
-       exit 1
-    fi
-    ;;
-
-  *)
-    if test -z "$run" && ($1 --version) > /dev/null 2>&1; then
-       # We have it, but it failed.
-       exit 1
-    elif test "x$2" = "x--version" || test "x$2" = "x--help"; then
-       # Could not run --version or --help.  This is probably someone
-       # running `$TOOL --version' or `$TOOL --help' to check whether
-       # $TOOL exists and not knowing $TOOL uses missing.
-       exit 1
-    fi
-    ;;
-esac
-
-# If it does not exist, or fails to run (possibly an outdated version),
-# try to emulate it.
-case $1 in
-  aclocal*)
-    echo 1>&2 "\
-WARNING: \`$1' is $msg.  You should only need it if
-         you modified \`acinclude.m4' or \`${configure_ac}'.  You might want
-         to install the \`Automake' and \`Perl' packages.  Grab them from
-         any GNU archive site."
-    touch aclocal.m4
-    ;;
-
-  autoconf)
-    echo 1>&2 "\
-WARNING: \`$1' is $msg.  You should only need it if
-         you modified \`${configure_ac}'.  You might want to install the
-         \`Autoconf' and \`GNU m4' packages.  Grab them from any GNU
-         archive site."
-    touch configure
-    ;;
-
-  autoheader)
-    echo 1>&2 "\
-WARNING: \`$1' is $msg.  You should only need it if
-         you modified \`acconfig.h' or \`${configure_ac}'.  You might want
-         to install the \`Autoconf' and \`GNU m4' packages.  Grab them
-         from any GNU archive site."
-    files=`sed -n 's/^[ ]*A[CM]_CONFIG_HEADER(\([^)]*\)).*/\1/p' ${configure_ac}`
-    test -z "$files" && files="config.h"
-    touch_files=
-    for f in $files; do
-      case $f in
-      *:*) touch_files="$touch_files "`echo "$f" |
-				       sed -e 's/^[^:]*://' -e 's/:.*//'`;;
-      *) touch_files="$touch_files $f.in";;
-      esac
-    done
-    touch $touch_files
-    ;;
-
-  automake*)
-    echo 1>&2 "\
-WARNING: \`$1' is $msg.  You should only need it if
-         you modified \`Makefile.am', \`acinclude.m4' or \`${configure_ac}'.
-         You might want to install the \`Automake' and \`Perl' packages.
-         Grab them from any GNU archive site."
-    find . -type f -name Makefile.am -print |
-	   sed 's/\.am$/.in/' |
-	   while read f; do touch "$f"; done
-    ;;
-
-  autom4te)
-    echo 1>&2 "\
-WARNING: \`$1' is needed, but is $msg.
-         You might have modified some files without having the
-         proper tools for further handling them.
-         You can get \`$1' as part of \`Autoconf' from any GNU
-         archive site."
-
-    file=`echo "$*" | sed -n "$sed_output"`
-    test -z "$file" && file=`echo "$*" | sed -n "$sed_minuso"`
-    if test -f "$file"; then
-	touch $file
-    else
-	test -z "$file" || exec >$file
-	echo "#! /bin/sh"
-	echo "# Created by GNU Automake missing as a replacement of"
-	echo "#  $ $@"
-	echo "exit 0"
-	chmod +x $file
-	exit 1
-    fi
-    ;;
-
-  bison|yacc)
-    echo 1>&2 "\
-WARNING: \`$1' $msg.  You should only need it if
-         you modified a \`.y' file.  You may need the \`Bison' package
-         in order for those modifications to take effect.  You can get
-         \`Bison' from any GNU archive site."
-    rm -f y.tab.c y.tab.h
-    if test $# -ne 1; then
-        eval LASTARG="\${$#}"
-	case $LASTARG in
-	*.y)
-	    SRCFILE=`echo "$LASTARG" | sed 's/y$/c/'`
-	    if test -f "$SRCFILE"; then
-	         cp "$SRCFILE" y.tab.c
-	    fi
-	    SRCFILE=`echo "$LASTARG" | sed 's/y$/h/'`
-	    if test -f "$SRCFILE"; then
-	         cp "$SRCFILE" y.tab.h
-	    fi
-	  ;;
-	esac
-    fi
-    if test ! -f y.tab.h; then
-	echo >y.tab.h
-    fi
-    if test ! -f y.tab.c; then
-	echo 'main() { return 0; }' >y.tab.c
-    fi
-    ;;
-
-  lex|flex)
-    echo 1>&2 "\
-WARNING: \`$1' is $msg.  You should only need it if
-         you modified a \`.l' file.  You may need the \`Flex' package
-         in order for those modifications to take effect.  You can get
-         \`Flex' from any GNU archive site."
-    rm -f lex.yy.c
-    if test $# -ne 1; then
-        eval LASTARG="\${$#}"
-	case $LASTARG in
-	*.l)
-	    SRCFILE=`echo "$LASTARG" | sed 's/l$/c/'`
-	    if test -f "$SRCFILE"; then
-	         cp "$SRCFILE" lex.yy.c
-	    fi
-	  ;;
-	esac
-    fi
-    if test ! -f lex.yy.c; then
-	echo 'main() { return 0; }' >lex.yy.c
-    fi
-    ;;
-
-  help2man)
-    echo 1>&2 "\
-WARNING: \`$1' is $msg.  You should only need it if
-	 you modified a dependency of a manual page.  You may need the
-	 \`Help2man' package in order for those modifications to take
-	 effect.  You can get \`Help2man' from any GNU archive site."
-
-    file=`echo "$*" | sed -n "$sed_output"`
-    test -z "$file" && file=`echo "$*" | sed -n "$sed_minuso"`
-    if test -f "$file"; then
-	touch $file
-    else
-	test -z "$file" || exec >$file
-	echo ".ab help2man is required to generate this page"
-	exit 1
-    fi
-    ;;
-
-  makeinfo)
-    echo 1>&2 "\
-WARNING: \`$1' is $msg.  You should only need it if
-         you modified a \`.texi' or \`.texinfo' file, or any other file
-         indirectly affecting the aspect of the manual.  The spurious
-         call might also be the consequence of using a buggy \`make' (AIX,
-         DU, IRIX).  You might want to install the \`Texinfo' package or
-         the \`GNU make' package.  Grab either from any GNU archive site."
-    # The file to touch is that specified with -o ...
-    file=`echo "$*" | sed -n "$sed_output"`
-    test -z "$file" && file=`echo "$*" | sed -n "$sed_minuso"`
-    if test -z "$file"; then
-      # ... or it is the one specified with @setfilename ...
-      infile=`echo "$*" | sed 's/.* \([^ ]*\) *$/\1/'`
-      file=`sed -n '
-	/^@setfilename/{
-	  s/.* \([^ ]*\) *$/\1/
-	  p
-	  q
-	}' $infile`
-      # ... or it is derived from the source name (dir/f.texi becomes f.info)
-      test -z "$file" && file=`echo "$infile" | sed 's,.*/,,;s,.[^.]*$,,'`.info
-    fi
-    # If the file does not exist, the user really needs makeinfo;
-    # let's fail without touching anything.
-    test -f $file || exit 1
-    touch $file
-    ;;
-
-  tar)
-    shift
-
-    # We have already tried tar in the generic part.
-    # Look for gnutar/gtar before invocation to avoid ugly error
-    # messages.
-    if (gnutar --version > /dev/null 2>&1); then
-       gnutar "$@" && exit 0
-    fi
-    if (gtar --version > /dev/null 2>&1); then
-       gtar "$@" && exit 0
-    fi
-    firstarg="$1"
-    if shift; then
-	case $firstarg in
-	*o*)
-	    firstarg=`echo "$firstarg" | sed s/o//`
-	    tar "$firstarg" "$@" && exit 0
-	    ;;
-	esac
-	case $firstarg in
-	*h*)
-	    firstarg=`echo "$firstarg" | sed s/h//`
-	    tar "$firstarg" "$@" && exit 0
-	    ;;
-	esac
-    fi
-
-    echo 1>&2 "\
-WARNING: I can't seem to be able to run \`tar' with the given arguments.
-         You may want to install GNU tar or Free paxutils, or check the
-         command line arguments."
-    exit 1
-    ;;
-
-  *)
-    echo 1>&2 "\
-WARNING: \`$1' is needed, and is $msg.
-         You might have modified some files without having the
-         proper tools for further handling them.  Check the \`README' file,
-         it often tells you about the needed prerequisites for installing
-         this package.  You may also peek at any GNU archive site, in case
-         some other package would contain this missing \`$1' program."
-    exit 1
-    ;;
-esac
-
-exit 0
-
-# Local variables:
-# eval: (add-hook 'write-file-hooks 'time-stamp)
-# time-stamp-start: "scriptversion="
-# time-stamp-format: "%:y-%02m-%02d.%02H"
-# time-stamp-end: "$"
-# End:
diff --git a/src/charon/plugins/nm/gnome/mkinstalldirs b/src/charon/plugins/nm/gnome/mkinstalldirs
deleted file mode 100755
index ef7e16fda..000000000
--- a/src/charon/plugins/nm/gnome/mkinstalldirs
+++ /dev/null
@@ -1,161 +0,0 @@
-#! /bin/sh
-# mkinstalldirs --- make directory hierarchy
-
-scriptversion=2006-05-11.19
-
-# Original author: Noah Friedman <friedman@prep.ai.mit.edu>
-# Created: 1993-05-16
-# Public domain.
-#
-# This file is maintained in Automake, please report
-# bugs to <bug-automake@gnu.org> or send patches to
-# <automake-patches@gnu.org>.
-
-nl='
-'
-IFS=" ""	$nl"
-errstatus=0
-dirmode=
-
-usage="\
-Usage: mkinstalldirs [-h] [--help] [--version] [-m MODE] DIR ...
-
-Create each directory DIR (with mode MODE, if specified), including all
-leading file name components.
-
-Report bugs to <bug-automake@gnu.org>."
-
-# process command line arguments
-while test $# -gt 0 ; do
-  case $1 in
-    -h | --help | --h*)         # -h for help
-      echo "$usage"
-      exit $?
-      ;;
-    -m)                         # -m PERM arg
-      shift
-      test $# -eq 0 && { echo "$usage" 1>&2; exit 1; }
-      dirmode=$1
-      shift
-      ;;
-    --version)
-      echo "$0 $scriptversion"
-      exit $?
-      ;;
-    --)                         # stop option processing
-      shift
-      break
-      ;;
-    -*)                         # unknown option
-      echo "$usage" 1>&2
-      exit 1
-      ;;
-    *)                          # first non-opt arg
-      break
-      ;;
-  esac
-done
-
-for file
-do
-  if test -d "$file"; then
-    shift
-  else
-    break
-  fi
-done
-
-case $# in
-  0) exit 0 ;;
-esac
-
-# Solaris 8's mkdir -p isn't thread-safe.  If you mkdir -p a/b and
-# mkdir -p a/c at the same time, both will detect that a is missing,
-# one will create a, then the other will try to create a and die with
-# a "File exists" error.  This is a problem when calling mkinstalldirs
-# from a parallel make.  We use --version in the probe to restrict
-# ourselves to GNU mkdir, which is thread-safe.
-case $dirmode in
-  '')
-    if mkdir -p --version . >/dev/null 2>&1 && test ! -d ./--version; then
-      echo "mkdir -p -- $*"
-      exec mkdir -p -- "$@"
-    else
-      # On NextStep and OpenStep, the `mkdir' command does not
-      # recognize any option.  It will interpret all options as
-      # directories to create, and then abort because `.' already
-      # exists.
-      test -d ./-p && rmdir ./-p
-      test -d ./--version && rmdir ./--version
-    fi
-    ;;
-  *)
-    if mkdir -m "$dirmode" -p --version . >/dev/null 2>&1 &&
-       test ! -d ./--version; then
-      echo "mkdir -m $dirmode -p -- $*"
-      exec mkdir -m "$dirmode" -p -- "$@"
-    else
-      # Clean up after NextStep and OpenStep mkdir.
-      for d in ./-m ./-p ./--version "./$dirmode";
-      do
-        test -d $d && rmdir $d
-      done
-    fi
-    ;;
-esac
-
-for file
-do
-  case $file in
-    /*) pathcomp=/ ;;
-    *)  pathcomp= ;;
-  esac
-  oIFS=$IFS
-  IFS=/
-  set fnord $file
-  shift
-  IFS=$oIFS
-
-  for d
-  do
-    test "x$d" = x && continue
-
-    pathcomp=$pathcomp$d
-    case $pathcomp in
-      -*) pathcomp=./$pathcomp ;;
-    esac
-
-    if test ! -d "$pathcomp"; then
-      echo "mkdir $pathcomp"
-
-      mkdir "$pathcomp" || lasterr=$?
-
-      if test ! -d "$pathcomp"; then
-	errstatus=$lasterr
-      else
-	if test ! -z "$dirmode"; then
-	  echo "chmod $dirmode $pathcomp"
-	  lasterr=
-	  chmod "$dirmode" "$pathcomp" || lasterr=$?
-
-	  if test ! -z "$lasterr"; then
-	    errstatus=$lasterr
-	  fi
-	fi
-      fi
-    fi
-
-    pathcomp=$pathcomp/
-  done
-done
-
-exit $errstatus
-
-# Local Variables:
-# mode: shell-script
-# sh-indentation: 2
-# eval: (add-hook 'write-file-hooks 'time-stamp)
-# time-stamp-start: "scriptversion="
-# time-stamp-format: "%:y-%02m-%02d.%02H"
-# time-stamp-end: "$"
-# End:
diff --git a/src/charon/plugins/nm/gnome/nm-strongswan-service.conf b/src/charon/plugins/nm/gnome/nm-strongswan-service.conf
deleted file mode 100644
index dccc19af9..000000000
--- a/src/charon/plugins/nm/gnome/nm-strongswan-service.conf
+++ /dev/null
@@ -1,16 +0,0 @@
-<!DOCTYPE busconfig PUBLIC
- "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
- "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
-<busconfig>
-	<policy user="root">
-		<allow own="org.freedesktop.NetworkManager.strongswan"/>
-		<allow send_destination="org.freedesktop.NetworkManager.strongswan"/>
-		<allow send_interface="org.freedesktop.NetworkManager.strongswan"/>
-	</policy>
-	<policy context="default">
-		<deny own="org.freedesktop.NetworkManager.strongswan"/>
-		<deny send_destination="org.freedesktop.NetworkManager.strongswan"/>
-		<deny send_interface="org.freedesktop.NetworkManager.strongswan"/>
-	</policy>
-</busconfig>
-
diff --git a/src/charon/plugins/nm/gnome/nm-strongswan-service.name.in b/src/charon/plugins/nm/gnome/nm-strongswan-service.name.in
deleted file mode 100644
index 4120e55ae..000000000
--- a/src/charon/plugins/nm/gnome/nm-strongswan-service.name.in
+++ /dev/null
@@ -1,8 +0,0 @@
-[VPN Connection]
-name=strongswan
-service=org.freedesktop.NetworkManager.strongswan
-program=@CHARON@
-
-[GNOME]
-auth-dialog=@LIBEXECDIR@/nm-strongswan-auth-dialog
-properties=libnm-strongswan-properties
diff --git a/src/charon/plugins/nm/gnome/po/LINGUAS b/src/charon/plugins/nm/gnome/po/LINGUAS
deleted file mode 100644
index adc376a70..000000000
--- a/src/charon/plugins/nm/gnome/po/LINGUAS
+++ /dev/null
@@ -1,2 +0,0 @@
-# please keep this list sorted alphabetically
-de
diff --git a/src/charon/plugins/nm/gnome/po/Makefile.in.in b/src/charon/plugins/nm/gnome/po/Makefile.in.in
deleted file mode 100644
index 6891e8f7d..000000000
--- a/src/charon/plugins/nm/gnome/po/Makefile.in.in
+++ /dev/null
@@ -1,218 +0,0 @@
-# Makefile for program source directory in GNU NLS utilities package.
-# Copyright (C) 1995, 1996, 1997 by Ulrich Drepper <drepper@gnu.ai.mit.edu>
-# Copyright (C) 2004-2008 Rodney Dawes <dobey.pwns@gmail.com>
-#
-# This file may be copied and used freely without restrictions.  It may
-# be used in projects which are not available under a GNU Public License,
-# but which still want to provide support for the GNU gettext functionality.
-#
-# - Modified by Owen Taylor <otaylor@redhat.com> to use GETTEXT_PACKAGE
-#   instead of PACKAGE and to look for po2tbl in ./ not in intl/
-#
-# - Modified by jacob berkman <jacob@ximian.com> to install
-#   Makefile.in.in and po2tbl.sed.in for use with glib-gettextize
-#
-# - Modified by Rodney Dawes <dobey.pwns@gmail.com> for use with intltool
-#
-# We have the following line for use by intltoolize:
-# INTLTOOL_MAKEFILE
-
-GETTEXT_PACKAGE = @GETTEXT_PACKAGE@
-PACKAGE = @PACKAGE@
-VERSION = @VERSION@
-
-SHELL = /bin/sh
-
-srcdir = @srcdir@
-top_srcdir = @top_srcdir@
-top_builddir = @top_builddir@
-VPATH = @srcdir@
-
-prefix = @prefix@
-exec_prefix = @exec_prefix@
-datadir = @datadir@
-datarootdir = @datarootdir@
-libdir = @libdir@
-DATADIRNAME = @DATADIRNAME@
-itlocaledir = $(prefix)/$(DATADIRNAME)/locale
-subdir = po
-install_sh = @install_sh@
-# Automake >= 1.8 provides @mkdir_p@.
-# Until it can be supposed, use the safe fallback:
-mkdir_p = $(install_sh) -d
-
-INSTALL = @INSTALL@
-INSTALL_DATA = @INSTALL_DATA@
-
-GMSGFMT = @GMSGFMT@
-MSGFMT = @MSGFMT@
-XGETTEXT = @XGETTEXT@
-INTLTOOL_UPDATE = @INTLTOOL_UPDATE@
-INTLTOOL_EXTRACT = @INTLTOOL_EXTRACT@
-MSGMERGE = INTLTOOL_EXTRACT=$(INTLTOOL_EXTRACT) srcdir=$(srcdir) $(INTLTOOL_UPDATE) --gettext-package $(GETTEXT_PACKAGE) --dist
-GENPOT   = INTLTOOL_EXTRACT=$(INTLTOOL_EXTRACT) srcdir=$(srcdir) $(INTLTOOL_UPDATE) --gettext-package $(GETTEXT_PACKAGE) --pot
-
-ALL_LINGUAS = @ALL_LINGUAS@
-
-PO_LINGUAS=$(shell if test -r $(srcdir)/LINGUAS; then grep -v "^\#" $(srcdir)/LINGUAS; fi)
-
-USER_LINGUAS=$(shell if test -n "$(LINGUAS)"; then LLINGUAS="$(LINGUAS)"; ALINGUAS="$(ALL_LINGUAS)"; for lang in $$LLINGUAS; do if test -n "`grep ^$$lang$$ $(srcdir)/LINGUAS`" -o -n "`echo $$ALINGUAS|grep ' ?$$lang ?'`"; then printf "$$lang "; fi; done; fi)
-
-USE_LINGUAS=$(shell if test -n "$(USER_LINGUAS)"; then LLINGUAS="$(USER_LINGUAS)"; else if test -n "$(PO_LINGUAS)"; then LLINGUAS="$(PO_LINGUAS)"; else LLINGUAS="$(ALL_LINGUAS)"; fi; fi; for lang in $$LLINGUAS; do printf "$$lang "; done)
-
-POFILES=$(shell LINGUAS="$(USE_LINGUAS)"; for lang in $$LINGUAS; do printf "$$lang.po "; done)
-
-DISTFILES = ChangeLog Makefile.in.in POTFILES.in $(POFILES)
-EXTRA_DISTFILES = POTFILES.skip Makevars LINGUAS
-
-POTFILES = \
-# This comment gets stripped out
-
-CATALOGS=$(shell LINGUAS="$(USE_LINGUAS)"; for lang in $$LINGUAS; do printf "$$lang.gmo "; done)
-
-.SUFFIXES:
-.SUFFIXES: .po .pox .gmo .mo .msg .cat
-
-.po.pox:
-	$(MAKE) $(GETTEXT_PACKAGE).pot
-	$(MSGMERGE) $< $(GETTEXT_PACKAGE).pot -o $*.pox
-
-.po.mo:
-	$(MSGFMT) -o $@ $<
-
-.po.gmo:
-	file=`echo $* | sed 's,.*/,,'`.gmo \
-	  && rm -f $$file && $(GMSGFMT) -o $$file $<
-
-.po.cat:
-	sed -f ../intl/po2msg.sed < $< > $*.msg \
-	  && rm -f $@ && gencat $@ $*.msg
-
-
-all: all-@USE_NLS@
-
-all-yes: $(CATALOGS)
-all-no:
-
-$(GETTEXT_PACKAGE).pot: $(POTFILES)
-	$(GENPOT)
-
-install: install-data
-install-data: install-data-@USE_NLS@
-install-data-no: all
-install-data-yes: all
-	$(mkdir_p) $(DESTDIR)$(itlocaledir)
-	linguas="$(USE_LINGUAS)"; \
-	for lang in $$linguas; do \
-	  dir=$(DESTDIR)$(itlocaledir)/$$lang/LC_MESSAGES; \
-	  $(mkdir_p) $$dir; \
-	  if test -r $$lang.gmo; then \
-	    $(INSTALL_DATA) $$lang.gmo $$dir/$(GETTEXT_PACKAGE).mo; \
-	    echo "installing $$lang.gmo as $$dir/$(GETTEXT_PACKAGE).mo"; \
-	  else \
-	    $(INSTALL_DATA) $(srcdir)/$$lang.gmo $$dir/$(GETTEXT_PACKAGE).mo; \
-	    echo "installing $(srcdir)/$$lang.gmo as" \
-		 "$$dir/$(GETTEXT_PACKAGE).mo"; \
-	  fi; \
-	  if test -r $$lang.gmo.m; then \
-	    $(INSTALL_DATA) $$lang.gmo.m $$dir/$(GETTEXT_PACKAGE).mo.m; \
-	    echo "installing $$lang.gmo.m as $$dir/$(GETTEXT_PACKAGE).mo.m"; \
-	  else \
-	    if test -r $(srcdir)/$$lang.gmo.m ; then \
-	      $(INSTALL_DATA) $(srcdir)/$$lang.gmo.m \
-		$$dir/$(GETTEXT_PACKAGE).mo.m; \
-	      echo "installing $(srcdir)/$$lang.gmo.m as" \
-		   "$$dir/$(GETTEXT_PACKAGE).mo.m"; \
-	    else \
-	      true; \
-	    fi; \
-	  fi; \
-	done
-
-# Empty stubs to satisfy archaic automake needs
-dvi info tags TAGS ID:
-
-# Define this as empty until I found a useful application.
-install-exec installcheck:
-
-uninstall:
-	linguas="$(USE_LINGUAS)"; \
-	for lang in $$linguas; do \
-	  rm -f $(DESTDIR)$(itlocaledir)/$$lang/LC_MESSAGES/$(GETTEXT_PACKAGE).mo; \
-	  rm -f $(DESTDIR)$(itlocaledir)/$$lang/LC_MESSAGES/$(GETTEXT_PACKAGE).mo.m; \
-	done
-
-check: all $(GETTEXT_PACKAGE).pot
-	rm -f missing notexist
-	srcdir=$(srcdir) $(INTLTOOL_UPDATE) -m
-	if [ -r missing -o -r notexist ]; then \
-	  exit 1; \
-	fi
-
-mostlyclean:
-	rm -f *.pox $(GETTEXT_PACKAGE).pot *.old.po cat-id-tbl.tmp
-	rm -f .intltool-merge-cache
-
-clean: mostlyclean
-
-distclean: clean
-	rm -f Makefile Makefile.in POTFILES stamp-it
-	rm -f *.mo *.msg *.cat *.cat.m *.gmo
-
-maintainer-clean: distclean
-	@echo "This command is intended for maintainers to use;"
-	@echo "it deletes files that may require special tools to rebuild."
-	rm -f Makefile.in.in
-
-distdir = ../$(PACKAGE)-$(VERSION)/$(subdir)
-dist distdir: $(DISTFILES)
-	dists="$(DISTFILES)"; \
-	extra_dists="$(EXTRA_DISTFILES)"; \
-	for file in $$extra_dists; do \
-	  test -f $(srcdir)/$$file && dists="$$dists $(srcdir)/$$file"; \
-	done; \
-	for file in $$dists; do \
-	  test -f $$file || file="$(srcdir)/$$file"; \
-	  ln $$file $(distdir) 2> /dev/null \
-	    || cp -p $$file $(distdir); \
-	done
-
-update-po: Makefile
-	$(MAKE) $(GETTEXT_PACKAGE).pot
-	tmpdir=`pwd`; \
-	linguas="$(USE_LINGUAS)"; \
-	for lang in $$linguas; do \
-	  echo "$$lang:"; \
-	  result="`$(MSGMERGE) -o $$tmpdir/$$lang.new.po $$lang`"; \
-	  if $$result; then \
-	    if cmp $(srcdir)/$$lang.po $$tmpdir/$$lang.new.po >/dev/null 2>&1; then \
-	      rm -f $$tmpdir/$$lang.new.po; \
-            else \
-	      if mv -f $$tmpdir/$$lang.new.po $$lang.po; then \
-	        :; \
-	      else \
-	        echo "msgmerge for $$lang.po failed: cannot move $$tmpdir/$$lang.new.po to $$lang.po" 1>&2; \
-	        rm -f $$tmpdir/$$lang.new.po; \
-	        exit 1; \
-	      fi; \
-	    fi; \
-	  else \
-	    echo "msgmerge for $$lang.gmo failed!"; \
-	    rm -f $$tmpdir/$$lang.new.po; \
-	  fi; \
-	done
-
-Makefile POTFILES: stamp-it
-	@if test ! -f $@; then \
-	  rm -f stamp-it; \
-	  $(MAKE) stamp-it; \
-	fi
-
-stamp-it: Makefile.in.in $(top_builddir)/config.status POTFILES.in
-	cd $(top_builddir) \
-	  && CONFIG_FILES=$(subdir)/Makefile.in CONFIG_HEADERS= CONFIG_LINKS= \
-	       $(SHELL) ./config.status
-
-# Tell versions [3.59,3.63) of GNU make not to export all variables.
-# Otherwise a system limit (for SysV at least) may be exceeded.
-.NOEXPORT:
diff --git a/src/charon/plugins/nm/gnome/po/POTFILES.in b/src/charon/plugins/nm/gnome/po/POTFILES.in
deleted file mode 100644
index 3732874e9..000000000
--- a/src/charon/plugins/nm/gnome/po/POTFILES.in
+++ /dev/null
@@ -1,5 +0,0 @@
-# List of source files containing translatable strings.
-# Please keep this file sorted alphabetically.
-properties/nm-strongswan.c
-properties/nm-strongswan-dialog.glade
-auth-dialog/main.c
diff --git a/src/charon/plugins/nm/gnome/properties/Makefile.am b/src/charon/plugins/nm/gnome/properties/Makefile.am
deleted file mode 100644
index acbab6357..000000000
--- a/src/charon/plugins/nm/gnome/properties/Makefile.am
+++ /dev/null
@@ -1,38 +0,0 @@
-plugindir = $(libdir)/NetworkManager
-plugin_LTLIBRARIES = libnm-strongswan-properties.la
-
-libnm_strongswan_properties_la_SOURCES = \
-	nm-strongswan.c \
-	nm-strongswan.h
-
-gladedir = $(datadir)/gnome-vpn-properties/strongswan
-glade_DATA = nm-strongswan-dialog.glade
-
-libnm_strongswan_properties_la_CFLAGS =                          \
-        $(GLADE_CFLAGS)                                 \
-        $(GTK_CFLAGS)                                   \
-        $(GCONF_CFLAGS)                                 \
-        $(LIBGNOMEUI_CFLAGS)                            \
-        $(NM_UTILS_CFLAGS)                              \
-        -DICONDIR=\""$(datadir)/pixmaps"\"              \
-        -DGLADEDIR=\""$(gladedir)"\"                    \
-        -DG_DISABLE_DEPRECATED                          \
-        -DGDK_DISABLE_DEPRECATED                        \
-        -DGNOME_DISABLE_DEPRECATED                      \
-        -DGNOMELOCALEDIR=\"$(datadir)/locale\"		\
-        -DVERSION=\"$(VERSION)\"
-
-libnm_strongswan_properties_la_LIBADD = \
-        $(GLADE_LIBS) \
-        $(GTK_LIBS) \
-        $(GCONF_LIBS) \
-        $(LIBGNOMEUI_LIBS) \
-        $(NM_UTILS_LIBS)
-
-libnm_strongswan_properties_la_LDFLAGS =      \
-        -avoid-version
-
-CLEANFILES = *.bak *.gladep *~
-
-EXTRA_DIST =                            \
-        $(glade_DATA)
diff --git a/src/charon/plugins/nm/gnome/properties/Makefile.in b/src/charon/plugins/nm/gnome/properties/Makefile.in
deleted file mode 100644
index fa48399b5..000000000
--- a/src/charon/plugins/nm/gnome/properties/Makefile.in
+++ /dev/null
@@ -1,600 +0,0 @@
-# Makefile.in generated by automake 1.10.1 from Makefile.am.
-# @configure_input@
-
-# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
-# This Makefile.in is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
-# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
-# PARTICULAR PURPOSE.
-
-@SET_MAKE@
-
-
-VPATH = @srcdir@
-pkgdatadir = $(datadir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
-pkgincludedir = $(includedir)/@PACKAGE@
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-install_sh_DATA = $(install_sh) -c -m 644
-install_sh_PROGRAM = $(install_sh) -c
-install_sh_SCRIPT = $(install_sh) -c
-INSTALL_HEADER = $(INSTALL_DATA)
-transform = $(program_transform_name)
-NORMAL_INSTALL = :
-PRE_INSTALL = :
-POST_INSTALL = :
-NORMAL_UNINSTALL = :
-PRE_UNINSTALL = :
-POST_UNINSTALL = :
-build_triplet = @build@
-host_triplet = @host@
-subdir = properties
-DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
-ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/configure.in
-am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
-	$(ACLOCAL_M4)
-mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
-CONFIG_HEADER = $(top_builddir)/config.h
-CONFIG_CLEAN_FILES =
-am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
-am__vpath_adj = case $$p in \
-    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
-    *) f=$$p;; \
-  esac;
-am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
-am__installdirs = "$(DESTDIR)$(plugindir)" "$(DESTDIR)$(gladedir)"
-pluginLTLIBRARIES_INSTALL = $(INSTALL)
-LTLIBRARIES = $(plugin_LTLIBRARIES)
-am__DEPENDENCIES_1 =
-libnm_strongswan_properties_la_DEPENDENCIES = $(am__DEPENDENCIES_1) \
-	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
-	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1)
-am_libnm_strongswan_properties_la_OBJECTS =  \
-	libnm_strongswan_properties_la-nm-strongswan.lo
-libnm_strongswan_properties_la_OBJECTS =  \
-	$(am_libnm_strongswan_properties_la_OBJECTS)
-libnm_strongswan_properties_la_LINK = $(LIBTOOL) --tag=CC \
-	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
-	$(libnm_strongswan_properties_la_CFLAGS) $(CFLAGS) \
-	$(libnm_strongswan_properties_la_LDFLAGS) $(LDFLAGS) -o $@
-DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
-depcomp = $(SHELL) $(top_srcdir)/depcomp
-am__depfiles_maybe = depfiles
-COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
-	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
-SOURCES = $(libnm_strongswan_properties_la_SOURCES)
-DIST_SOURCES = $(libnm_strongswan_properties_la_SOURCES)
-gladeDATA_INSTALL = $(INSTALL_DATA)
-DATA = $(glade_DATA)
-ETAGS = etags
-CTAGS = ctags
-DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
-ACLOCAL = @ACLOCAL@
-ALL_LINGUAS = @ALL_LINGUAS@
-AMTAR = @AMTAR@
-AR = @AR@
-AUTOCONF = @AUTOCONF@
-AUTOHEADER = @AUTOHEADER@
-AUTOMAKE = @AUTOMAKE@
-AWK = @AWK@
-CATALOGS = @CATALOGS@
-CATOBJEXT = @CATOBJEXT@
-CC = @CC@
-CCDEPMODE = @CCDEPMODE@
-CFLAGS = @CFLAGS@
-CPP = @CPP@
-CPPFLAGS = @CPPFLAGS@
-CXX = @CXX@
-CXXCPP = @CXXCPP@
-CXXDEPMODE = @CXXDEPMODE@
-CXXFLAGS = @CXXFLAGS@
-CYGPATH_W = @CYGPATH_W@
-DATADIRNAME = @DATADIRNAME@
-DBUS_CFLAGS = @DBUS_CFLAGS@
-DBUS_LIBS = @DBUS_LIBS@
-DEFS = @DEFS@
-DEPDIR = @DEPDIR@
-DSYMUTIL = @DSYMUTIL@
-ECHO = @ECHO@
-ECHO_C = @ECHO_C@
-ECHO_N = @ECHO_N@
-ECHO_T = @ECHO_T@
-EGREP = @EGREP@
-EXEEXT = @EXEEXT@
-F77 = @F77@
-FFLAGS = @FFLAGS@
-GCONF_CFLAGS = @GCONF_CFLAGS@
-GCONF_LIBS = @GCONF_LIBS@
-GDK_PIXBUF_CFLAGS = @GDK_PIXBUF_CFLAGS@
-GDK_PIXBUF_LIBS = @GDK_PIXBUF_LIBS@
-GETTEXT_PACKAGE = @GETTEXT_PACKAGE@
-GLADE_CFLAGS = @GLADE_CFLAGS@
-GLADE_LIBS = @GLADE_LIBS@
-GMOFILES = @GMOFILES@
-GMSGFMT = @GMSGFMT@
-GNOMEKEYRING_CFLAGS = @GNOMEKEYRING_CFLAGS@
-GNOMEKEYRING_LIBS = @GNOMEKEYRING_LIBS@
-GREP = @GREP@
-GTHREAD_CFLAGS = @GTHREAD_CFLAGS@
-GTHREAD_LIBS = @GTHREAD_LIBS@
-GTK_CFLAGS = @GTK_CFLAGS@
-GTK_LIBS = @GTK_LIBS@
-INSTALL = @INSTALL@
-INSTALL_DATA = @INSTALL_DATA@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@
-INSTALL_SCRIPT = @INSTALL_SCRIPT@
-INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-INSTOBJEXT = @INSTOBJEXT@
-INTLLIBS = @INTLLIBS@
-INTLTOOL_CAVES_RULE = @INTLTOOL_CAVES_RULE@
-INTLTOOL_DESKTOP_RULE = @INTLTOOL_DESKTOP_RULE@
-INTLTOOL_DIRECTORY_RULE = @INTLTOOL_DIRECTORY_RULE@
-INTLTOOL_EXTRACT = @INTLTOOL_EXTRACT@
-INTLTOOL_KBD_RULE = @INTLTOOL_KBD_RULE@
-INTLTOOL_KEYS_RULE = @INTLTOOL_KEYS_RULE@
-INTLTOOL_MERGE = @INTLTOOL_MERGE@
-INTLTOOL_OAF_RULE = @INTLTOOL_OAF_RULE@
-INTLTOOL_PERL = @INTLTOOL_PERL@
-INTLTOOL_POLICY_RULE = @INTLTOOL_POLICY_RULE@
-INTLTOOL_PONG_RULE = @INTLTOOL_PONG_RULE@
-INTLTOOL_PROP_RULE = @INTLTOOL_PROP_RULE@
-INTLTOOL_SCHEMAS_RULE = @INTLTOOL_SCHEMAS_RULE@
-INTLTOOL_SERVER_RULE = @INTLTOOL_SERVER_RULE@
-INTLTOOL_SERVICE_RULE = @INTLTOOL_SERVICE_RULE@
-INTLTOOL_SHEET_RULE = @INTLTOOL_SHEET_RULE@
-INTLTOOL_SOUNDLIST_RULE = @INTLTOOL_SOUNDLIST_RULE@
-INTLTOOL_THEME_RULE = @INTLTOOL_THEME_RULE@
-INTLTOOL_UI_RULE = @INTLTOOL_UI_RULE@
-INTLTOOL_UPDATE = @INTLTOOL_UPDATE@
-INTLTOOL_XAM_RULE = @INTLTOOL_XAM_RULE@
-INTLTOOL_XML_NOMERGE_RULE = @INTLTOOL_XML_NOMERGE_RULE@
-INTLTOOL_XML_RULE = @INTLTOOL_XML_RULE@
-LDFLAGS = @LDFLAGS@
-LIBGNOMEUI_CFLAGS = @LIBGNOMEUI_CFLAGS@
-LIBGNOMEUI_LIBS = @LIBGNOMEUI_LIBS@
-LIBOBJS = @LIBOBJS@
-LIBS = @LIBS@
-LIBTOOL = @LIBTOOL@
-LN_S = @LN_S@
-LTLIBOBJS = @LTLIBOBJS@
-MAINT = @MAINT@
-MAKEINFO = @MAKEINFO@
-MKDIR_P = @MKDIR_P@
-MKINSTALLDIRS = @MKINSTALLDIRS@
-MSGFMT = @MSGFMT@
-MSGFMT_OPTS = @MSGFMT_OPTS@
-MSGMERGE = @MSGMERGE@
-NMEDIT = @NMEDIT@
-NM_UTILS_CFLAGS = @NM_UTILS_CFLAGS@
-NM_UTILS_LIBS = @NM_UTILS_LIBS@
-OBJEXT = @OBJEXT@
-PACKAGE = @PACKAGE@
-PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
-PACKAGE_NAME = @PACKAGE_NAME@
-PACKAGE_STRING = @PACKAGE_STRING@
-PACKAGE_TARNAME = @PACKAGE_TARNAME@
-PACKAGE_VERSION = @PACKAGE_VERSION@
-PATH_SEPARATOR = @PATH_SEPARATOR@
-PKG_CONFIG = @PKG_CONFIG@
-POFILES = @POFILES@
-POSUB = @POSUB@
-PO_IN_DATADIR_FALSE = @PO_IN_DATADIR_FALSE@
-PO_IN_DATADIR_TRUE = @PO_IN_DATADIR_TRUE@
-RANLIB = @RANLIB@
-SED = @SED@
-SET_MAKE = @SET_MAKE@
-SHELL = @SHELL@
-STRIP = @STRIP@
-USE_NLS = @USE_NLS@
-VERSION = @VERSION@
-XGETTEXT = @XGETTEXT@
-abs_builddir = @abs_builddir@
-abs_srcdir = @abs_srcdir@
-abs_top_builddir = @abs_top_builddir@
-abs_top_srcdir = @abs_top_srcdir@
-ac_ct_CC = @ac_ct_CC@
-ac_ct_CXX = @ac_ct_CXX@
-ac_ct_F77 = @ac_ct_F77@
-am__include = @am__include@
-am__leading_dot = @am__leading_dot@
-am__quote = @am__quote@
-am__tar = @am__tar@
-am__untar = @am__untar@
-bindir = @bindir@
-build = @build@
-build_alias = @build_alias@
-build_cpu = @build_cpu@
-build_os = @build_os@
-build_vendor = @build_vendor@
-builddir = @builddir@
-charon = @charon@
-datadir = @datadir@
-datarootdir = @datarootdir@
-docdir = @docdir@
-dvidir = @dvidir@
-exec_prefix = @exec_prefix@
-host = @host@
-host_alias = @host_alias@
-host_cpu = @host_cpu@
-host_os = @host_os@
-host_vendor = @host_vendor@
-htmldir = @htmldir@
-includedir = @includedir@
-infodir = @infodir@
-install_sh = @install_sh@
-libdir = @libdir@
-libexecdir = @libexecdir@
-localedir = @localedir@
-localstatedir = @localstatedir@
-mandir = @mandir@
-mkdir_p = @mkdir_p@
-oldincludedir = @oldincludedir@
-pdfdir = @pdfdir@
-prefix = @prefix@
-program_transform_name = @program_transform_name@
-psdir = @psdir@
-sbindir = @sbindir@
-sharedstatedir = @sharedstatedir@
-srcdir = @srcdir@
-sysconfdir = @sysconfdir@
-target_alias = @target_alias@
-top_builddir = @top_builddir@
-top_srcdir = @top_srcdir@
-plugindir = $(libdir)/NetworkManager
-plugin_LTLIBRARIES = libnm-strongswan-properties.la
-libnm_strongswan_properties_la_SOURCES = \
-	nm-strongswan.c \
-	nm-strongswan.h
-
-gladedir = $(datadir)/gnome-vpn-properties/strongswan
-glade_DATA = nm-strongswan-dialog.glade
-libnm_strongswan_properties_la_CFLAGS = \
-        $(GLADE_CFLAGS)                                 \
-        $(GTK_CFLAGS)                                   \
-        $(GCONF_CFLAGS)                                 \
-        $(LIBGNOMEUI_CFLAGS)                            \
-        $(NM_UTILS_CFLAGS)                              \
-        -DICONDIR=\""$(datadir)/pixmaps"\"              \
-        -DGLADEDIR=\""$(gladedir)"\"                    \
-        -DG_DISABLE_DEPRECATED                          \
-        -DGDK_DISABLE_DEPRECATED                        \
-        -DGNOME_DISABLE_DEPRECATED                      \
-        -DGNOMELOCALEDIR=\"$(datadir)/locale\"		\
-        -DVERSION=\"$(VERSION)\"
-
-libnm_strongswan_properties_la_LIBADD = \
-        $(GLADE_LIBS) \
-        $(GTK_LIBS) \
-        $(GCONF_LIBS) \
-        $(LIBGNOMEUI_LIBS) \
-        $(NM_UTILS_LIBS)
-
-libnm_strongswan_properties_la_LDFLAGS = \
-        -avoid-version
-
-CLEANFILES = *.bak *.gladep *~
-EXTRA_DIST = \
-        $(glade_DATA)
-
-all: all-am
-
-.SUFFIXES:
-.SUFFIXES: .c .lo .o .obj
-$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am  $(am__configure_deps)
-	@for dep in $?; do \
-	  case '$(am__configure_deps)' in \
-	    *$$dep*) \
-	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
-		&& exit 0; \
-	      exit 1;; \
-	  esac; \
-	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  properties/Makefile'; \
-	cd $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu  properties/Makefile
-.PRECIOUS: Makefile
-Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
-	@case '$?' in \
-	  *config.status*) \
-	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
-	  *) \
-	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
-	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
-	esac;
-
-$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-
-$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
-	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
-	  if test -f $$p; then \
-	    f=$(am__strip_dir) \
-	    echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(plugindir)/$$f'"; \
-	    $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(plugindir)/$$f"; \
-	  else :; fi; \
-	done
-
-uninstall-pluginLTLIBRARIES:
-	@$(NORMAL_UNINSTALL)
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
-	  p=$(am__strip_dir) \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$p'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$p"; \
-	done
-
-clean-pluginLTLIBRARIES:
-	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
-	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
-	  test "$$dir" != "$$p" || dir=.; \
-	  echo "rm -f \"$${dir}/so_locations\""; \
-	  rm -f "$${dir}/so_locations"; \
-	done
-libnm-strongswan-properties.la: $(libnm_strongswan_properties_la_OBJECTS) $(libnm_strongswan_properties_la_DEPENDENCIES) 
-	$(libnm_strongswan_properties_la_LINK) -rpath $(plugindir) $(libnm_strongswan_properties_la_OBJECTS) $(libnm_strongswan_properties_la_LIBADD) $(LIBS)
-
-mostlyclean-compile:
-	-rm -f *.$(OBJEXT)
-
-distclean-compile:
-	-rm -f *.tab.c
-
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libnm_strongswan_properties_la-nm-strongswan.Plo@am__quote@
-
-.c.o:
-@am__fastdepCC_TRUE@	depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
-@am__fastdepCC_TRUE@	mv -f $$depbase.Tpo $$depbase.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c -o $@ $<
-
-.c.obj:
-@am__fastdepCC_TRUE@	depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\
-@am__fastdepCC_TRUE@	mv -f $$depbase.Tpo $$depbase.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'`
-
-.c.lo:
-@am__fastdepCC_TRUE@	depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
-@am__fastdepCC_TRUE@	mv -f $$depbase.Tpo $$depbase.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
-
-libnm_strongswan_properties_la-nm-strongswan.lo: nm-strongswan.c
-@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libnm_strongswan_properties_la_CFLAGS) $(CFLAGS) -MT libnm_strongswan_properties_la-nm-strongswan.lo -MD -MP -MF $(DEPDIR)/libnm_strongswan_properties_la-nm-strongswan.Tpo -c -o libnm_strongswan_properties_la-nm-strongswan.lo `test -f 'nm-strongswan.c' || echo '$(srcdir)/'`nm-strongswan.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/libnm_strongswan_properties_la-nm-strongswan.Tpo $(DEPDIR)/libnm_strongswan_properties_la-nm-strongswan.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='nm-strongswan.c' object='libnm_strongswan_properties_la-nm-strongswan.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libnm_strongswan_properties_la_CFLAGS) $(CFLAGS) -c -o libnm_strongswan_properties_la-nm-strongswan.lo `test -f 'nm-strongswan.c' || echo '$(srcdir)/'`nm-strongswan.c
-
-mostlyclean-libtool:
-	-rm -f *.lo
-
-clean-libtool:
-	-rm -rf .libs _libs
-install-gladeDATA: $(glade_DATA)
-	@$(NORMAL_INSTALL)
-	test -z "$(gladedir)" || $(MKDIR_P) "$(DESTDIR)$(gladedir)"
-	@list='$(glade_DATA)'; for p in $$list; do \
-	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
-	  f=$(am__strip_dir) \
-	  echo " $(gladeDATA_INSTALL) '$$d$$p' '$(DESTDIR)$(gladedir)/$$f'"; \
-	  $(gladeDATA_INSTALL) "$$d$$p" "$(DESTDIR)$(gladedir)/$$f"; \
-	done
-
-uninstall-gladeDATA:
-	@$(NORMAL_UNINSTALL)
-	@list='$(glade_DATA)'; for p in $$list; do \
-	  f=$(am__strip_dir) \
-	  echo " rm -f '$(DESTDIR)$(gladedir)/$$f'"; \
-	  rm -f "$(DESTDIR)$(gladedir)/$$f"; \
-	done
-
-ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
-	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	mkid -fID $$unique
-tags: TAGS
-
-TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	tags=; \
-	here=`pwd`; \
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
-	  test -n "$$unique" || unique=$$empty_fix; \
-	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	    $$tags $$unique; \
-	fi
-ctags: CTAGS
-CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	tags=; \
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$tags$$unique" \
-	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$tags $$unique
-
-GTAGS:
-	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && cd $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) $$here
-
-distclean-tags:
-	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
-
-distdir: $(DISTFILES)
-	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	list='$(DISTFILES)'; \
-	  dist_files=`for file in $$list; do echo $$file; done | \
-	  sed -e "s|^$$srcdirstrip/||;t" \
-	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
-	case $$dist_files in \
-	  */*) $(MKDIR_P) `echo "$$dist_files" | \
-			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
-			   sort -u` ;; \
-	esac; \
-	for file in $$dist_files; do \
-	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  if test -d $$d/$$file; then \
-	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
-	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
-	    fi; \
-	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
-	  else \
-	    test -f $(distdir)/$$file \
-	    || cp -p $$d/$$file $(distdir)/$$file \
-	    || exit 1; \
-	  fi; \
-	done
-check-am: all-am
-check: check-am
-all-am: Makefile $(LTLIBRARIES) $(DATA)
-installdirs:
-	for dir in "$(DESTDIR)$(plugindir)" "$(DESTDIR)$(gladedir)"; do \
-	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
-	done
-install: install-am
-install-exec: install-exec-am
-install-data: install-data-am
-uninstall: uninstall-am
-
-install-am: all-am
-	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
-
-installcheck: installcheck-am
-install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
-mostlyclean-generic:
-
-clean-generic:
-	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
-
-distclean-generic:
-	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-
-maintainer-clean-generic:
-	@echo "This command is intended for maintainers to use"
-	@echo "it deletes files that may require special tools to rebuild."
-clean: clean-am
-
-clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
-	mostlyclean-am
-
-distclean: distclean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-distclean-am: clean-am distclean-compile distclean-generic \
-	distclean-tags
-
-dvi: dvi-am
-
-dvi-am:
-
-html: html-am
-
-info: info-am
-
-info-am:
-
-install-data-am: install-gladeDATA install-pluginLTLIBRARIES
-
-install-dvi: install-dvi-am
-
-install-exec-am:
-
-install-html: install-html-am
-
-install-info: install-info-am
-
-install-man:
-
-install-pdf: install-pdf-am
-
-install-ps: install-ps-am
-
-installcheck-am:
-
-maintainer-clean: maintainer-clean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-maintainer-clean-am: distclean-am maintainer-clean-generic
-
-mostlyclean: mostlyclean-am
-
-mostlyclean-am: mostlyclean-compile mostlyclean-generic \
-	mostlyclean-libtool
-
-pdf: pdf-am
-
-pdf-am:
-
-ps: ps-am
-
-ps-am:
-
-uninstall-am: uninstall-gladeDATA uninstall-pluginLTLIBRARIES
-
-.MAKE: install-am install-strip
-
-.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
-	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
-	distclean-compile distclean-generic distclean-libtool \
-	distclean-tags distdir dvi dvi-am html html-am info info-am \
-	install install-am install-data install-data-am install-dvi \
-	install-dvi-am install-exec install-exec-am install-gladeDATA \
-	install-html install-html-am install-info install-info-am \
-	install-man install-pdf install-pdf-am \
-	install-pluginLTLIBRARIES install-ps install-ps-am \
-	install-strip installcheck installcheck-am installdirs \
-	maintainer-clean maintainer-clean-generic mostlyclean \
-	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
-	pdf pdf-am ps ps-am tags uninstall uninstall-am \
-	uninstall-gladeDATA uninstall-pluginLTLIBRARIES
-
-# Tell versions [3.59,3.63) of GNU make to not export all variables.
-# Otherwise a system limit (for SysV at least) may be exceeded.
-.NOEXPORT:
diff --git a/src/charon/plugins/nm/gnome/properties/nm-strongswan-dialog.glade b/src/charon/plugins/nm/gnome/properties/nm-strongswan-dialog.glade
deleted file mode 100644
index f77eb42e7..000000000
--- a/src/charon/plugins/nm/gnome/properties/nm-strongswan-dialog.glade
+++ /dev/null
@@ -1,334 +0,0 @@
-<?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<!DOCTYPE glade-interface SYSTEM "glade-2.0.dtd">
-<!--*- mode: xml -*-->
-<glade-interface>
-  <widget class="GtkWindow" id="strongswan-widget">
-    <property name="title" translatable="yes">window1</property>
-    <child>
-      <widget class="GtkVBox" id="strongswan-vbox">
-        <property name="visible">True</property>
-        <property name="border_width">12</property>
-        <property name="spacing">16</property>
-        <child>
-          <widget class="GtkVBox" id="gateway-vbox">
-            <property name="visible">True</property>
-            <property name="spacing">6</property>
-            <child>
-              <widget class="GtkLabel" id="gateway-label">
-                <property name="visible">True</property>
-                <property name="xalign">0</property>
-                <property name="label" translatable="yes">&lt;b&gt;Gateway&lt;/b&gt;</property>
-                <property name="use_markup">True</property>
-              </widget>
-              <packing>
-                <property name="expand">False</property>
-                <property name="fill">False</property>
-              </packing>
-            </child>
-            <child>
-              <widget class="GtkAlignment" id="gateway-alignement">
-                <property name="visible">True</property>
-                <property name="left_padding">12</property>
-                <child>
-                  <widget class="GtkTable" id="gateway-table">
-                    <property name="visible">True</property>
-                    <property name="n_rows">2</property>
-                    <property name="n_columns">2</property>
-                    <property name="column_spacing">6</property>
-                    <property name="row_spacing">6</property>
-                    <child>
-                      <widget class="GtkLabel" id="address-label">
-                        <property name="visible">True</property>
-                        <property name="xalign">0</property>
-                        <property name="label" translatable="yes">_Address:</property>
-                        <property name="use_underline">True</property>
-                        <property name="mnemonic_widget">address-entry</property>
-                      </widget>
-                      <packing>
-                        <property name="x_options">GTK_FILL</property>
-                        <property name="y_options"></property>
-                      </packing>
-                    </child>
-                    <child>
-                      <widget class="GtkEntry" id="address-entry">
-                        <property name="visible">True</property>
-                        <property name="can_focus">True</property>
-                        <property name="has_tooltip">True</property>
-                        <property name="tooltip_text">An IP address or hostname the Gateway can be contacted.</property>
-                      </widget>
-                      <packing>
-                        <property name="left_attach">1</property>
-                        <property name="right_attach">2</property>
-                        <property name="y_options"></property>
-                      </packing>
-                    </child>
-                    <child>
-                      <widget class="GtkLabel" id="certificate-label">
-                        <property name="visible">True</property>
-                        <property name="xalign">0</property>
-                        <property name="label" translatable="yes">C_ertificate:</property>
-                        <property name="use_underline">True</property>
-                        <property name="mnemonic_widget">certificate-button</property>
-                      </widget>
-                      <packing>
-                        <property name="top_attach">1</property>
-                        <property name="bottom_attach">2</property>
-                        <property name="x_options">GTK_FILL</property>
-                        <property name="y_options"></property>
-                      </packing>
-                    </child>
-                    <child>
-                      <widget class="GtkFileChooserButton" id="certificate-button">
-                        <property name="visible">True</property>
-                        <property name="tooltip_text">Gateway certificate to use for gateway authentication.</property>
-                      </widget>
-                      <packing>
-                        <property name="left_attach">1</property>
-                        <property name="right_attach">2</property>
-                        <property name="top_attach">1</property>
-                        <property name="bottom_attach">2</property>
-                      </packing>
-                    </child>
-                  </widget>
-                </child>
-              </widget>
-              <packing>
-                <property name="position">1</property>
-              </packing>
-            </child>
-          </widget>
-          <packing>
-            <property name="expand">False</property>
-          </packing>
-        </child>
-        <child>
-          <widget class="GtkVBox" id="client-vbox">
-            <property name="visible">True</property>
-            <property name="spacing">6</property>
-            <child>
-              <widget class="GtkLabel" id="client-label">
-                <property name="visible">True</property>
-                <property name="xalign">0</property>
-                <property name="label" translatable="yes">&lt;b&gt;Client&lt;/b&gt;</property>
-                <property name="use_markup">True</property>
-              </widget>
-              <packing>
-                <property name="expand">False</property>
-                <property name="fill">False</property>
-              </packing>
-            </child>
-            <child>
-              <widget class="GtkAlignment" id="client-aligement">
-                <property name="visible">True</property>
-                <property name="left_padding">12</property>
-                <child>
-                  <widget class="GtkTable" id="client-table">
-                    <property name="visible">True</property>
-                    <property name="n_rows">4</property>
-                    <property name="n_columns">2</property>
-                    <property name="column_spacing">6</property>
-                    <property name="row_spacing">6</property>
-                    <child>
-                      <widget class="GtkFileChooserButton" id="userkey-button">
-                        <property name="visible">True</property>
-                        <property name="tooltip_text">Private key to use for client authentication. This key has to match the certificates public key and may be encrypted..</property>
-                      </widget>
-                      <packing>
-                        <property name="left_attach">1</property>
-                        <property name="right_attach">2</property>
-                        <property name="top_attach">3</property>
-                        <property name="bottom_attach">4</property>
-                      </packing>
-                    </child>
-                    <child>
-                      <widget class="GtkLabel" id="userkey-label">
-                        <property name="visible">True</property>
-                        <property name="xalign">0</property>
-                        <property name="label" translatable="yes">Private _key:</property>
-                        <property name="use_underline">True</property>
-                        <property name="mnemonic_widget">userkey-button</property>
-                      </widget>
-                      <packing>
-                        <property name="top_attach">3</property>
-                        <property name="bottom_attach">4</property>
-                        <property name="x_options">GTK_FILL</property>
-                        <property name="y_options"></property>
-                      </packing>
-                    </child>
-                    <child>
-                      <widget class="GtkComboBox" id="method-combo">
-                        <property name="visible">True</property>
-                        <property name="has_tooltip">True</property>
-                        <property name="tooltip_text">Authentication Method to use for authentication against the Gateway. </property>
-                        <property name="items"></property>
-                      </widget>
-                      <packing>
-                        <property name="left_attach">1</property>
-                        <property name="right_attach">2</property>
-                      </packing>
-                    </child>
-                    <child>
-                      <widget class="GtkLabel" id="method-label">
-                        <property name="visible">True</property>
-                        <property name="xalign">0</property>
-                        <property name="label" translatable="yes">Au_thentication:</property>
-                        <property name="use_underline">True</property>
-                        <property name="mnemonic_widget">method-combo</property>
-                      </widget>
-                      <packing>
-                        <property name="x_options">GTK_FILL</property>
-                        <property name="y_options"></property>
-                      </packing>
-                    </child>
-                    <child>
-                      <widget class="GtkLabel" id="user-label">
-                        <property name="visible">True</property>
-                        <property name="xalign">0</property>
-                        <property name="label" translatable="yes">_Username:</property>
-                        <property name="use_underline">True</property>
-                        <property name="mnemonic_widget">user-entry</property>
-                      </widget>
-                      <packing>
-                        <property name="top_attach">1</property>
-                        <property name="bottom_attach">2</property>
-                        <property name="x_options">GTK_FILL</property>
-                        <property name="y_options"></property>
-                      </packing>
-                    </child>
-                    <child>
-                      <widget class="GtkEntry" id="user-entry">
-                        <property name="visible">True</property>
-                        <property name="can_focus">True</property>
-                        <property name="has_tooltip">True</property>
-                        <property name="tooltip_text">The username (identity) to use for authentication against the gateway.</property>
-                      </widget>
-                      <packing>
-                        <property name="left_attach">1</property>
-                        <property name="right_attach">2</property>
-                        <property name="top_attach">1</property>
-                        <property name="bottom_attach">2</property>
-                        <property name="y_options"></property>
-                      </packing>
-                    </child>
-                    <child>
-                      <widget class="GtkLabel" id="usercert-label">
-                        <property name="visible">True</property>
-                        <property name="xalign">0</property>
-                        <property name="label" translatable="yes">Ce_rtificate:</property>
-                        <property name="use_underline">True</property>
-                        <property name="mnemonic_widget">usercert-button</property>
-                      </widget>
-                      <packing>
-                        <property name="top_attach">2</property>
-                        <property name="bottom_attach">3</property>
-                        <property name="x_options">GTK_FILL</property>
-                        <property name="y_options"></property>
-                      </packing>
-                    </child>
-                    <child>
-                      <widget class="GtkFileChooserButton" id="usercert-button">
-                        <property name="visible">True</property>
-                        <property name="tooltip_text">Client certificate to use for client authentication.</property>
-                      </widget>
-                      <packing>
-                        <property name="left_attach">1</property>
-                        <property name="right_attach">2</property>
-                        <property name="top_attach">2</property>
-                        <property name="bottom_attach">3</property>
-                      </packing>
-                    </child>
-                  </widget>
-                </child>
-              </widget>
-              <packing>
-                <property name="position">1</property>
-              </packing>
-            </child>
-          </widget>
-          <packing>
-            <property name="expand">False</property>
-            <property name="position">1</property>
-          </packing>
-        </child>
-        <child>
-          <widget class="GtkVBox" id="options-vbox">
-            <property name="visible">True</property>
-            <property name="spacing">6</property>
-            <child>
-              <widget class="GtkLabel" id="options-label">
-                <property name="visible">True</property>
-                <property name="xalign">0</property>
-                <property name="label" translatable="yes">&lt;b&gt;Options&lt;/b&gt;</property>
-                <property name="use_markup">True</property>
-              </widget>
-              <packing>
-                <property name="expand">False</property>
-                <property name="fill">False</property>
-              </packing>
-            </child>
-            <child>
-              <widget class="GtkAlignment" id="options-alignement">
-                <property name="visible">True</property>
-                <property name="left_padding">12</property>
-                <child>
-                  <widget class="GtkVBox" id="options-inner-vbox">
-                    <property name="visible">True</property>
-                    <child>
-                      <widget class="GtkCheckButton" id="virtual-check">
-                        <property name="visible">True</property>
-                        <property name="can_focus">True</property>
-                        <property name="has_tooltip">True</property>
-                        <property name="tooltip_text">The Gateway may provide addresses from a pool to use for communication in the Gateways network. Check to request such an address.</property>
-                        <property name="label" translatable="yes">Request an _inner IP address</property>
-                        <property name="use_underline">True</property>
-                        <property name="response_id">0</property>
-                        <property name="draw_indicator">True</property>
-                      </widget>
-                    </child>
-                    <child>
-                      <widget class="GtkCheckButton" id="encap-check">
-                        <property name="visible">True</property>
-                        <property name="can_focus">True</property>
-                        <property name="has_tooltip">True</property>
-                        <property name="tooltip_text">Some firewalls block ESP traffic. Enforcing UDP capsulation even if no NAT situation is detected might help in such cases.</property>
-                        <property name="label" translatable="yes">En_force UDP encapsulation</property>
-                        <property name="use_underline">True</property>
-                        <property name="response_id">0</property>
-                        <property name="draw_indicator">True</property>
-                      </widget>
-                      <packing>
-                        <property name="position">1</property>
-                      </packing>
-                    </child>
-                    <child>
-                      <widget class="GtkCheckButton" id="ipcomp-check">
-                        <property name="visible">True</property>
-                        <property name="can_focus">True</property>
-                        <property name="has_tooltip">True</property>
-                        <property name="tooltip_text">IPComp compresses raw IP packets before they get encrypted. This saves some bandwith, but uses more processing power.</property>
-                        <property name="label" translatable="yes">Use IP c_ompression</property>
-                        <property name="use_underline">True</property>
-                        <property name="response_id">0</property>
-                        <property name="draw_indicator">True</property>
-                      </widget>
-                      <packing>
-                        <property name="position">2</property>
-                      </packing>
-                    </child>
-                  </widget>
-                </child>
-              </widget>
-              <packing>
-                <property name="position">1</property>
-              </packing>
-            </child>
-          </widget>
-          <packing>
-            <property name="expand">False</property>
-            <property name="position">2</property>
-          </packing>
-        </child>
-      </widget>
-    </child>
-  </widget>
-</glade-interface>
diff --git a/src/charon/plugins/nm/gnome/properties/nm-strongswan.c b/src/charon/plugins/nm/gnome/properties/nm-strongswan.c
deleted file mode 100644
index e8a882cdf..000000000
--- a/src/charon/plugins/nm/gnome/properties/nm-strongswan.c
+++ /dev/null
@@ -1,526 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- * Copyright (C) 2005 David Zeuthen
- * Copyright (C) 2005-2008 Dan Williams
- *
- * Based on NetworkManager's vpnc plugin
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- *
- * $Id$
- */
-
-#ifdef HAVE_CONFIG_H
-#include <config.h>
-#endif
-
-#include <errno.h>
-#include <stdlib.h>
-#include <glib/gi18n-lib.h>
-#include <string.h>
-#include <gtk/gtk.h>
-#include <glade/glade.h>
-
-#define NM_VPN_API_SUBJECT_TO_CHANGE
-
-#include <nm-vpn-plugin-ui-interface.h>
-#include <nm-setting-vpn.h>
-#include <nm-setting-connection.h>
-#include <nm-setting-ip4-config.h>
-
-#include "nm-strongswan.h"
-
-#define STRONGSWAN_PLUGIN_NAME    _("IPsec/IKEv2 (strongswan)")
-#define STRONGSWAN_PLUGIN_DESC    _("IPsec with the IKEv2 key exchange protocol.")
-#define STRONGSWAN_PLUGIN_SERVICE "org.freedesktop.NetworkManager.strongswan"
-#define NM_DBUS_SERVICE_STRONGSWAN "org.freedesktop.NetworkManager.strongswan"
-
-/************** plugin class **************/
-
-static void strongswan_plugin_ui_interface_init (NMVpnPluginUiInterface *iface_class);
-
-G_DEFINE_TYPE_EXTENDED (StrongswanPluginUi, strongswan_plugin_ui, G_TYPE_OBJECT, 0,
-						G_IMPLEMENT_INTERFACE (NM_TYPE_VPN_PLUGIN_UI_INTERFACE,
-											   strongswan_plugin_ui_interface_init))
-
-/************** UI widget class **************/
-
-static void strongswan_plugin_ui_widget_interface_init (NMVpnPluginUiWidgetInterface *iface_class);
-
-G_DEFINE_TYPE_EXTENDED (StrongswanPluginUiWidget, strongswan_plugin_ui_widget, G_TYPE_OBJECT, 0,
-						G_IMPLEMENT_INTERFACE (NM_TYPE_VPN_PLUGIN_UI_WIDGET_INTERFACE,
-											   strongswan_plugin_ui_widget_interface_init))
-
-#define STRONGSWAN_PLUGIN_UI_WIDGET_GET_PRIVATE(o) (G_TYPE_INSTANCE_GET_PRIVATE ((o), STRONGSWAN_TYPE_PLUGIN_UI_WIDGET, StrongswanPluginUiWidgetPrivate))
-
-typedef struct {
-	GladeXML *xml;
-	GtkWidget *widget;
-} StrongswanPluginUiWidgetPrivate;
-
-
-#define STRONGSWAN_PLUGIN_UI_ERROR strongswan_plugin_ui_error_quark ()
-
-static GQuark
-strongswan_plugin_ui_error_quark (void)
-{
-	static GQuark error_quark = 0;
-
-	if (G_UNLIKELY (error_quark == 0))
-		error_quark = g_quark_from_static_string ("strongswan-plugin-ui-error-quark");
-
-	return error_quark;
-}
-
-#define ENUM_ENTRY(NAME, DESC) { NAME, "" #NAME "", DESC }
-
-GType
-strongswan_plugin_ui_error_get_type (void)
-{
-	static GType etype = 0;
-
-	if (etype == 0) {
-		static const GEnumValue values[] = {
-			/* Unknown error. */
-			ENUM_ENTRY (STRONGSWAN_PLUGIN_UI_ERROR_UNKNOWN, "UnknownError"),
-			/* The specified property was invalid. */
-			ENUM_ENTRY (STRONGSWAN_PLUGIN_UI_ERROR_INVALID_PROPERTY, "InvalidProperty"),
-			/* The specified property was missing and is required. */
-			ENUM_ENTRY (STRONGSWAN_PLUGIN_UI_ERROR_MISSING_PROPERTY, "MissingProperty"),
-			{ 0, 0, 0 }
-		};
-		etype = g_enum_register_static ("StrongswanPluginUiError", values);
-	}
-	return etype;
-}
-
-static gboolean
-check_validity (StrongswanPluginUiWidget *self, GError **error)
-{
-	StrongswanPluginUiWidgetPrivate *priv = STRONGSWAN_PLUGIN_UI_WIDGET_GET_PRIVATE (self);
-	GtkWidget *widget;
-	char *str;
-
-	widget = glade_xml_get_widget (priv->xml, "address-entry");
-	str = (char *) gtk_entry_get_text (GTK_ENTRY (widget));
-	if (!str || !strlen (str)) {
-		g_set_error (error,
-		             STRONGSWAN_PLUGIN_UI_ERROR,
-		             STRONGSWAN_PLUGIN_UI_ERROR_INVALID_PROPERTY,
-		             "address");
-		return FALSE;
-	}
-	return TRUE;
-}
-
-static void update_layout (GtkWidget *widget, StrongswanPluginUiWidgetPrivate *priv)
-{
-	switch (gtk_combo_box_get_active (GTK_COMBO_BOX (widget)))
-	{
-		default:
-			gtk_combo_box_set_active (GTK_COMBO_BOX (widget), 0);
-			/* FALL */
-		case 0:
-			gtk_widget_show (glade_xml_get_widget (priv->xml, "usercert-label"));
-			gtk_widget_show (glade_xml_get_widget (priv->xml, "usercert-button"));
-			gtk_widget_show (glade_xml_get_widget (priv->xml, "userkey-label"));
-			gtk_widget_show (glade_xml_get_widget (priv->xml, "userkey-button"));
-			gtk_widget_hide (glade_xml_get_widget (priv->xml, "user-label"));
-			gtk_widget_hide (glade_xml_get_widget (priv->xml, "user-entry"));
-			break;
-		case 1:
-			gtk_widget_show (glade_xml_get_widget (priv->xml, "usercert-label"));
-			gtk_widget_show (glade_xml_get_widget (priv->xml, "usercert-button"));
-			gtk_widget_hide (glade_xml_get_widget (priv->xml, "user-label"));
-			gtk_widget_hide (glade_xml_get_widget (priv->xml, "user-entry"));
-			gtk_widget_hide (glade_xml_get_widget (priv->xml, "userkey-label"));
-			gtk_widget_hide (glade_xml_get_widget (priv->xml, "userkey-button"));
-			break;
-		case 2:
-			gtk_widget_show (glade_xml_get_widget (priv->xml, "user-label"));
-			gtk_widget_show (glade_xml_get_widget (priv->xml, "user-entry"));
-			gtk_widget_hide (glade_xml_get_widget (priv->xml, "usercert-label"));
-			gtk_widget_hide (glade_xml_get_widget (priv->xml, "usercert-button"));
-			gtk_widget_hide (glade_xml_get_widget (priv->xml, "userkey-label"));
-			gtk_widget_hide (glade_xml_get_widget (priv->xml, "userkey-button"));
-			break;
-	}
-
-}
-
-static void
-settings_changed_cb (GtkWidget *widget, gpointer user_data)
-{
-	StrongswanPluginUiWidget *self = STRONGSWAN_PLUGIN_UI_WIDGET (user_data);
-	StrongswanPluginUiWidgetPrivate *priv = STRONGSWAN_PLUGIN_UI_WIDGET_GET_PRIVATE (self);
-	
-	if (widget == glade_xml_get_widget (priv->xml, "method-combo"))
-	{
-		update_layout(glade_xml_get_widget (priv->xml, "method-combo"), priv);
-	}
-	g_signal_emit_by_name (STRONGSWAN_PLUGIN_UI_WIDGET (user_data), "changed");
-}
-
-static gboolean
-init_plugin_ui (StrongswanPluginUiWidget *self, NMConnection *connection, GError **error)
-{
-	StrongswanPluginUiWidgetPrivate *priv = STRONGSWAN_PLUGIN_UI_WIDGET_GET_PRIVATE (self);
-	NMSettingVPN *settings;
-	GtkWidget *widget;
-	char *value;
-	gboolean active;
-	
-	settings = NM_SETTING_VPN(nm_connection_get_setting(connection, NM_TYPE_SETTING_VPN));
-	widget = glade_xml_get_widget (priv->xml, "address-entry");
-	value = g_hash_table_lookup (settings->data, "address");
-	if (value)
-		gtk_entry_set_text (GTK_ENTRY (widget), value);
-	g_signal_connect (G_OBJECT (widget), "changed", G_CALLBACK (settings_changed_cb), self);
-
-	widget = glade_xml_get_widget (priv->xml, "certificate-button");
-	value = g_hash_table_lookup (settings->data, "certificate");
-	if (value)
-		gtk_file_chooser_set_filename (GTK_FILE_CHOOSER (widget), value);
-	g_signal_connect (G_OBJECT (widget), "selection-changed", G_CALLBACK (settings_changed_cb), self);
-
-	widget = glade_xml_get_widget (priv->xml, "user-label");
-	gtk_widget_set_no_show_all (widget, TRUE);
-	widget = glade_xml_get_widget (priv->xml, "user-entry");
-	gtk_widget_set_no_show_all (widget, TRUE);
-	value = g_hash_table_lookup (settings->data, "user");
-	if (value)
-		gtk_entry_set_text (GTK_ENTRY (widget), value);
-	g_signal_connect (G_OBJECT (widget), "changed", G_CALLBACK (settings_changed_cb), self);
-
-	widget = glade_xml_get_widget (priv->xml, "method-combo");
-	gtk_combo_box_append_text (GTK_COMBO_BOX (widget), _("Certificate/private key"));
-	gtk_combo_box_append_text (GTK_COMBO_BOX (widget), _("Certificate/ssh-agent"));
-	gtk_combo_box_append_text (GTK_COMBO_BOX (widget), _("EAP"));
-	value = g_hash_table_lookup (settings->data, "method");
-	if (value) {
-		if (g_strcasecmp (value, "key") == 0) {
-			gtk_combo_box_set_active (GTK_COMBO_BOX (widget), 0);
-		}
-		if (g_strcasecmp (value, "agent") == 0) {
-			gtk_combo_box_set_active (GTK_COMBO_BOX (widget), 1);
-		}
-		if (g_strcasecmp (value, "eap") == 0) {
-			gtk_combo_box_set_active (GTK_COMBO_BOX (widget), 2);
-		}
-	}
-	if (gtk_combo_box_get_active (GTK_COMBO_BOX (widget)) == -1)
-	{
-		gtk_combo_box_set_active (GTK_COMBO_BOX (widget), 0);
-	}
-	update_layout (widget, priv);
-	g_signal_connect (G_OBJECT (widget), "changed", G_CALLBACK (settings_changed_cb), self);
-	
-	widget = glade_xml_get_widget (priv->xml, "usercert-label");
-	gtk_widget_set_no_show_all (widget, TRUE);
-	widget = glade_xml_get_widget (priv->xml, "usercert-button");
-	gtk_widget_set_no_show_all (widget, TRUE);
-	value = g_hash_table_lookup (settings->data, "usercert");
-	if (value)
-		gtk_file_chooser_set_filename (GTK_FILE_CHOOSER (widget), value);
-	g_signal_connect (G_OBJECT (widget), "selection-changed", G_CALLBACK (settings_changed_cb), self);
-	
-	widget = glade_xml_get_widget (priv->xml, "userkey-label");
-	gtk_widget_set_no_show_all (widget, TRUE);
-	widget = glade_xml_get_widget (priv->xml, "userkey-button");
-	gtk_widget_set_no_show_all (widget, TRUE);
-	value = g_hash_table_lookup (settings->data, "userkey");
-	if (value)
-		gtk_file_chooser_set_filename (GTK_FILE_CHOOSER (widget), value);
-	g_signal_connect (G_OBJECT (widget), "selection-changed", G_CALLBACK (settings_changed_cb), self);
-	
-	widget = glade_xml_get_widget (priv->xml, "virtual-check");
-	value = g_hash_table_lookup (settings->data, "virtual");
-	if (value && strcmp(value, "yes") == 0)
-	{
-		gtk_toggle_button_set_active(GTK_TOGGLE_BUTTON(widget), TRUE);
-	}
-	g_signal_connect (G_OBJECT (widget), "toggled", G_CALLBACK (settings_changed_cb), self);
-	
-	widget = glade_xml_get_widget (priv->xml, "encap-check");
-	value = g_hash_table_lookup (settings->data, "encap");
-	if (value && strcmp(value, "yes") == 0)
-	{
-		gtk_toggle_button_set_active(GTK_TOGGLE_BUTTON(widget), TRUE);
-	}
-	g_signal_connect (G_OBJECT (widget), "toggled", G_CALLBACK (settings_changed_cb), self);
-	
-	widget = glade_xml_get_widget (priv->xml, "ipcomp-check");
-	value = g_hash_table_lookup (settings->data, "ipcomp");
-	if (value && strcmp(value, "yes") == 0)
-	{
-		gtk_toggle_button_set_active(GTK_TOGGLE_BUTTON(widget), TRUE);
-	}
-	g_signal_connect (G_OBJECT (widget), "toggled", G_CALLBACK (settings_changed_cb), self);
-
-	return TRUE;
-}
-
-static GObject *
-get_widget (NMVpnPluginUiWidgetInterface *iface)
-{
-	StrongswanPluginUiWidget *self = STRONGSWAN_PLUGIN_UI_WIDGET (iface);
-	StrongswanPluginUiWidgetPrivate *priv = STRONGSWAN_PLUGIN_UI_WIDGET_GET_PRIVATE (self);
-
-	return G_OBJECT (priv->widget);
-}
-
-static gboolean
-update_connection (NMVpnPluginUiWidgetInterface *iface,
-                   NMConnection *connection,
-                   GError **error)
-{
-	StrongswanPluginUiWidget *self = STRONGSWAN_PLUGIN_UI_WIDGET (iface);
-	StrongswanPluginUiWidgetPrivate *priv = STRONGSWAN_PLUGIN_UI_WIDGET_GET_PRIVATE (self);
-	NMSettingVPN *settings;
-	GtkWidget *widget;
-	GValue *value;
-	gboolean active;
-	char *str;
-	GtkTreeModel *model;
-	GtkTreeIter iter;
-
-	if (!check_validity (self, error))
-		return FALSE;
-	settings = NM_SETTING_VPN (nm_setting_vpn_new ());
-	settings->service_type = g_strdup (NM_DBUS_SERVICE_STRONGSWAN);
-
-	widget = glade_xml_get_widget (priv->xml, "address-entry");
-	str = (char *) gtk_entry_get_text (GTK_ENTRY (widget));
-	if (str && strlen (str)) {
-		g_hash_table_insert (settings->data, g_strdup ("address"), g_strdup(str));
-	}
-
-	widget = glade_xml_get_widget (priv->xml, "certificate-button");
-	str = (char *) gtk_file_chooser_get_filename (GTK_FILE_CHOOSER (widget));
-	if (str) {
-		g_hash_table_insert (settings->data, g_strdup ("certificate"), g_strdup(str));
-	}
-	
-	widget = glade_xml_get_widget (priv->xml, "method-combo");
-	switch (gtk_combo_box_get_active (GTK_COMBO_BOX (widget)))
-	{
-		default:
-		case 0:
-			widget = glade_xml_get_widget (priv->xml, "userkey-button");
-			str = (char *) gtk_file_chooser_get_filename (GTK_FILE_CHOOSER (widget));
-			if (str) {
-				g_hash_table_insert (settings->data, g_strdup ("userkey"), g_strdup(str));
-			}
-			widget = glade_xml_get_widget (priv->xml, "usercert-button");
-			str = (char *) gtk_file_chooser_get_filename (GTK_FILE_CHOOSER (widget));
-			if (str) {
-				g_hash_table_insert (settings->data, g_strdup ("usercert"), g_strdup(str));
-			}
-			str = "key";
-			break;
-		case 1:
-			widget = glade_xml_get_widget (priv->xml, "usercert-button");
-			str = (char *) gtk_file_chooser_get_filename (GTK_FILE_CHOOSER (widget));
-			if (str) {
-				g_hash_table_insert (settings->data, g_strdup ("usercert"), g_strdup(str));
-			}
-			str = "agent";
-			break;
-		case 2:
-			widget = glade_xml_get_widget (priv->xml, "user-entry");
-			str = (char *) gtk_entry_get_text (GTK_ENTRY (widget));
-			if (str && strlen (str)) {
-				g_hash_table_insert (settings->data, g_strdup ("user"), g_strdup(str));
-			}
-			str = "eap";
-			break;
-	}
-	g_hash_table_insert (settings->data, g_strdup ("method"), g_strdup(str));
-	
-	widget = glade_xml_get_widget (priv->xml, "virtual-check");
-	active = gtk_toggle_button_get_active(GTK_TOGGLE_BUTTON(widget));
-	g_hash_table_insert (settings->data, g_strdup ("virtual"),
-			             g_strdup(active ? "yes" : "no"));
-	                     
-	widget = glade_xml_get_widget (priv->xml, "encap-check");
-	active = gtk_toggle_button_get_active(GTK_TOGGLE_BUTTON(widget));
-	g_hash_table_insert (settings->data, g_strdup ("encap"),
-			             g_strdup(active ? "yes" : "no"));
-	                     
-	widget = glade_xml_get_widget (priv->xml, "ipcomp-check");
-	active = gtk_toggle_button_get_active(GTK_TOGGLE_BUTTON(widget));
-	g_hash_table_insert (settings->data, g_strdup ("ipcomp"),
-			             g_strdup(active ? "yes" : "no"));
-
-	nm_connection_add_setting (connection, NM_SETTING (settings));
-	return TRUE;
-}
-
-static NMVpnPluginUiWidgetInterface *
-nm_vpn_plugin_ui_widget_interface_new (NMConnection *connection, GError **error)
-{
-	NMVpnPluginUiWidgetInterface *object;
-	StrongswanPluginUiWidgetPrivate *priv;
-	char *glade_file;
-
-	if (error)
-		g_return_val_if_fail (*error == NULL, NULL);
-
-	object = NM_VPN_PLUGIN_UI_WIDGET_INTERFACE (g_object_new (STRONGSWAN_TYPE_PLUGIN_UI_WIDGET, NULL));
-	if (!object) {
-		g_set_error (error, STRONGSWAN_PLUGIN_UI_ERROR, 0, "could not create strongswan object");
-		return NULL;
-	}
-
-	priv = STRONGSWAN_PLUGIN_UI_WIDGET_GET_PRIVATE (object);
-
-	glade_file = g_strdup_printf ("%s/%s", GLADEDIR, "nm-strongswan-dialog.glade");
-	priv->xml = glade_xml_new (glade_file, "strongswan-vbox", GETTEXT_PACKAGE);
-	if (priv->xml == NULL) {
-		g_set_error (error, STRONGSWAN_PLUGIN_UI_ERROR, 0,
-		             "could not load required resources at %s", glade_file);
-		g_free (glade_file);
-		g_object_unref (object);
-		return NULL;
-	}
-	g_free (glade_file);
-
-	priv->widget = glade_xml_get_widget (priv->xml, "strongswan-vbox");
-	if (!priv->widget) {
-		g_set_error (error, STRONGSWAN_PLUGIN_UI_ERROR, 0, "could not load UI widget");
-		g_object_unref (object);
-		return NULL;
-	}
-	g_object_ref_sink (priv->widget);
-
-	if (!init_plugin_ui (STRONGSWAN_PLUGIN_UI_WIDGET (object), connection, error)) {
-		g_object_unref (object);
-		return NULL;
-	}
-
-	return object;
-}
-
-static void
-dispose (GObject *object)
-{
-	StrongswanPluginUiWidget *plugin = STRONGSWAN_PLUGIN_UI_WIDGET (object);
-	StrongswanPluginUiWidgetPrivate *priv = STRONGSWAN_PLUGIN_UI_WIDGET_GET_PRIVATE (plugin);
-
-	if (priv->widget)
-		g_object_unref (priv->widget);
-
-	if (priv->xml)
-		g_object_unref (priv->xml);
-
-	G_OBJECT_CLASS (strongswan_plugin_ui_widget_parent_class)->dispose (object);
-}
-
-static void
-strongswan_plugin_ui_widget_class_init (StrongswanPluginUiWidgetClass *req_class)
-{
-	GObjectClass *object_class = G_OBJECT_CLASS (req_class);
-
-	g_type_class_add_private (req_class, sizeof (StrongswanPluginUiWidgetPrivate));
-
-	object_class->dispose = dispose;
-}
-
-static void
-strongswan_plugin_ui_widget_init (StrongswanPluginUiWidget *plugin)
-{
-}
-
-static void
-strongswan_plugin_ui_widget_interface_init (NMVpnPluginUiWidgetInterface *iface_class)
-{
-	/* interface implementation */
-	iface_class->get_widget = get_widget;
-	iface_class->update_connection = update_connection;
-}
-
-static guint32
-get_capabilities (NMVpnPluginUiInterface *iface)
-{
-	return 0;
-}
-
-static NMVpnPluginUiWidgetInterface *
-ui_factory (NMVpnPluginUiInterface *iface, NMConnection *connection, GError **error)
-{
-	return nm_vpn_plugin_ui_widget_interface_new (connection, error);
-}
-
-static void
-get_property (GObject *object, guint prop_id,
-			  GValue *value, GParamSpec *pspec)
-{
-	switch (prop_id) {
-	case NM_VPN_PLUGIN_UI_INTERFACE_PROP_NAME:
-		g_value_set_string (value, STRONGSWAN_PLUGIN_NAME);
-		break;
-	case NM_VPN_PLUGIN_UI_INTERFACE_PROP_DESC:
-		g_value_set_string (value, STRONGSWAN_PLUGIN_DESC);
-		break;
-	case NM_VPN_PLUGIN_UI_INTERFACE_PROP_SERVICE:
-		g_value_set_string (value, STRONGSWAN_PLUGIN_SERVICE);
-		break;
-	default:
-		G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
-		break;
-	}
-}
-
-static void
-strongswan_plugin_ui_class_init (StrongswanPluginUiClass *req_class)
-{
-	GObjectClass *object_class = G_OBJECT_CLASS (req_class);
-
-	object_class->get_property = get_property;
-
-	g_object_class_override_property (object_class,
-									  NM_VPN_PLUGIN_UI_INTERFACE_PROP_NAME,
-									  NM_VPN_PLUGIN_UI_INTERFACE_NAME);
-
-	g_object_class_override_property (object_class,
-									  NM_VPN_PLUGIN_UI_INTERFACE_PROP_DESC,
-									  NM_VPN_PLUGIN_UI_INTERFACE_DESC);
-
-	g_object_class_override_property (object_class,
-									  NM_VPN_PLUGIN_UI_INTERFACE_PROP_SERVICE,
-									  NM_VPN_PLUGIN_UI_INTERFACE_SERVICE);
-}
-
-static void
-strongswan_plugin_ui_init (StrongswanPluginUi *plugin)
-{
-}
-
-static void
-strongswan_plugin_ui_interface_init (NMVpnPluginUiInterface *iface_class)
-{
-	/* interface implementation */
-	iface_class->ui_factory = ui_factory;
-	iface_class->get_capabilities = get_capabilities;
-	/* TODO: implement delete_connection to purge associated secrets */
-}
-
-
-G_MODULE_EXPORT NMVpnPluginUiInterface *
-nm_vpn_plugin_ui_factory (GError **error)
-{
-	if (error)
-		g_return_val_if_fail (*error == NULL, NULL);
-
-	return NM_VPN_PLUGIN_UI_INTERFACE (g_object_new (STRONGSWAN_TYPE_PLUGIN_UI, NULL));
-}
-
diff --git a/src/charon/plugins/nm/gnome/properties/nm-strongswan.h b/src/charon/plugins/nm/gnome/properties/nm-strongswan.h
deleted file mode 100644
index 793c3d97a..000000000
--- a/src/charon/plugins/nm/gnome/properties/nm-strongswan.h
+++ /dev/null
@@ -1,78 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- * Copyright (C) 2008 Dan Williams
- *
- * Based on NetworkManager's vpnc plugin
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- *
- * $Id$
- */
-
-#ifndef _NM_STRONGSWAN_H_
-#define _NM_STRONGSWAN_H_
-
-#include <glib-object.h>
-
-typedef enum
-{
-	STRONGSWAN_PLUGIN_UI_ERROR_UNKNOWN = 0,
-	STRONGSWAN_PLUGIN_UI_ERROR_INVALID_PROPERTY,
-	STRONGSWAN_PLUGIN_UI_ERROR_MISSING_PROPERTY
-} StrongswanPluginUiError;
-
-#define STRONGSWAN_TYPE_PLUGIN_UI_ERROR (strongswan_plugin_ui_error_get_type ()) 
-GType strongswan_plugin_ui_error_get_type (void);
-
-#define STRONGSWAN_TYPE_PLUGIN_UI            (strongswan_plugin_ui_get_type ())
-#define STRONGSWAN_PLUGIN_UI(obj)            (G_TYPE_CHECK_INSTANCE_CAST ((obj), STRONGSWAN_TYPE_PLUGIN_UI, StrongswanPluginUi))
-#define STRONGSWAN_PLUGIN_UI_CLASS(klass)    (G_TYPE_CHECK_CLASS_CAST ((klass), STRONGSWAN_TYPE_PLUGIN_UI, StrongswanPluginUiClass))
-#define STRONGSWAN_IS_PLUGIN_UI(obj)         (G_TYPE_CHECK_INSTANCE_TYPE ((obj), STRONGSWAN_TYPE_PLUGIN_UI))
-#define STRONGSWAN_IS_PLUGIN_UI_CLASS(klass) (G_TYPE_CHECK_CLASS_TYPE ((obj), STRONGSWAN_TYPE_PLUGIN_UI))
-#define STRONGSWAN_PLUGIN_UI_GET_CLASS(obj)  (G_TYPE_INSTANCE_GET_CLASS ((obj), STRONGSWAN_TYPE_PLUGIN_UI, StrongswanPluginUiClass))
-
-typedef struct _StrongswanPluginUi StrongswanPluginUi;
-typedef struct _StrongswanPluginUiClass StrongswanPluginUiClass;
-
-struct _StrongswanPluginUi {
-	GObject parent;
-};
-
-struct _StrongswanPluginUiClass {
-	GObjectClass parent;
-};
-
-GType strongswan_plugin_ui_get_type (void);
-
-
-#define STRONGSWAN_TYPE_PLUGIN_UI_WIDGET            (strongswan_plugin_ui_widget_get_type ())
-#define STRONGSWAN_PLUGIN_UI_WIDGET(obj)            (G_TYPE_CHECK_INSTANCE_CAST ((obj), STRONGSWAN_TYPE_PLUGIN_UI_WIDGET, StrongswanPluginUiWidget))
-#define STRONGSWAN_PLUGIN_UI_WIDGET_CLASS(klass)    (G_TYPE_CHECK_CLASS_CAST ((klass), STRONGSWAN_TYPE_PLUGIN_UI_WIDGET, StrongswanPluginUiWidgetClass))
-#define STRONGSWAN_IS_PLUGIN_UI_WIDGET(obj)         (G_TYPE_CHECK_INSTANCE_TYPE ((obj), STRONGSWAN_TYPE_PLUGIN_UI_WIDGET))
-#define STRONGSWAN_IS_PLUGIN_UI_WIDGET_CLASS(klass) (G_TYPE_CHECK_CLASS_TYPE ((obj), STRONGSWAN_TYPE_PLUGIN_UI_WIDGET))
-#define STRONGSWAN_PLUGIN_UI_WIDGET_GET_CLASS(obj)  (G_TYPE_INSTANCE_GET_CLASS ((obj), STRONGSWAN_TYPE_PLUGIN_UI_WIDGET, StrongswanPluginUiWidgetClass))
-
-typedef struct _StrongswanPluginUiWidget StrongswanPluginUiWidget;
-typedef struct _StrongswanPluginUiWidgetClass StrongswanPluginUiWidgetClass;
-
-struct _StrongswanPluginUiWidget {
-	GObject parent;
-};
-
-struct _StrongswanPluginUiWidgetClass {
-	GObjectClass parent;
-};
-
-GType strongswan_plugin_ui_widget_get_type (void);
-
-#endif	/* _NM_STRONGSWAN_H_ */
-
diff --git a/src/charon/plugins/nm/nm_service.c b/src/charon/plugins/nm/nm_service.c
index f90bfa448..1f2b6f723 100644
--- a/src/charon/plugins/nm/nm_service.c
+++ b/src/charon/plugins/nm/nm_service.c
@@ -223,7 +223,8 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
 		str = g_hash_table_lookup(settings->data, "user");
 		if (str)
 		{
-			user = identification_create_from_string(str);
+			user = identification_create_from_encoding(ID_KEY_ID,
+											chunk_create(str, strlen(str)));
 			str = g_hash_table_lookup(settings->secrets, "password");
 			creds->set_username_password(creds, user, str);
 		}
diff --git a/src/charon/plugins/smp/Makefile.in b/src/charon/plugins/smp/Makefile.in
index b255b08fb..428da0ec9 100644
--- a/src/charon/plugins/smp/Makefile.in
+++ b/src/charon/plugins/smp/Makefile.in
@@ -85,22 +85,17 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
-CXX = @CXX@
-CXXCPP = @CXXCPP@
-CXXDEPMODE = @CXXDEPMODE@
-CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DSYMUTIL = @DSYMUTIL@
-ECHO = @ECHO@
+DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-F77 = @F77@
-FFLAGS = @FFLAGS@
+FGREP = @FGREP@
 GPERF = @GPERF@
 GREP = @GREP@
 INSTALL = @INSTALL@
@@ -110,6 +105,7 @@ INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
 IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
 IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
@@ -118,12 +114,16 @@ LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
 LINUX_HEADERS = @LINUX_HEADERS@
+LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+NM = @NM@
 NMEDIT = @NMEDIT@
 OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -146,8 +146,7 @@ abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
-ac_ct_CXX = @ac_ct_CXX@
-ac_ct_F77 = @ac_ct_F77@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -186,6 +185,7 @@ libstrongswan_plugins = @libstrongswan_plugins@
 linuxdir = @linuxdir@
 localedir = @localedir@
 localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
diff --git a/src/charon/plugins/sql/Makefile.in b/src/charon/plugins/sql/Makefile.in
index 83491333f..3673af659 100644
--- a/src/charon/plugins/sql/Makefile.in
+++ b/src/charon/plugins/sql/Makefile.in
@@ -93,22 +93,17 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
-CXX = @CXX@
-CXXCPP = @CXXCPP@
-CXXDEPMODE = @CXXDEPMODE@
-CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DSYMUTIL = @DSYMUTIL@
-ECHO = @ECHO@
+DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-F77 = @F77@
-FFLAGS = @FFLAGS@
+FGREP = @FGREP@
 GPERF = @GPERF@
 GREP = @GREP@
 INSTALL = @INSTALL@
@@ -118,6 +113,7 @@ INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
 IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
 IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
@@ -126,12 +122,16 @@ LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
 LINUX_HEADERS = @LINUX_HEADERS@
+LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+NM = @NM@
 NMEDIT = @NMEDIT@
 OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -154,8 +154,7 @@ abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
-ac_ct_CXX = @ac_ct_CXX@
-ac_ct_F77 = @ac_ct_F77@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -194,6 +193,7 @@ libstrongswan_plugins = @libstrongswan_plugins@
 linuxdir = @linuxdir@
 localedir = @localedir@
 localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
diff --git a/src/charon/plugins/sql/sql_attribute.c b/src/charon/plugins/sql/sql_attribute.c
index 486a432ca..cd6f7c0cd 100644
--- a/src/charon/plugins/sql/sql_attribute.c
+++ b/src/charon/plugins/sql/sql_attribute.c
@@ -210,7 +210,7 @@ static host_t* acquire_address(private_sql_attribute_t *this,
  * Implementation of attribute_provider_t.release_address
  */
 static bool release_address(private_sql_attribute_t *this,
-							char *name, host_t *address)
+							char *name, host_t *address, identification_t *id)
 {
 	enumerator_t *enumerator;
 	bool found = FALSE;
@@ -264,7 +264,7 @@ sql_attribute_t *sql_attribute_create(database_t *db)
 	time_t now = time(NULL);
 	
 	this->public.provider.acquire_address = (host_t*(*)(attribute_provider_t *this, char*, identification_t *,auth_info_t *, host_t *))acquire_address;
-	this->public.provider.release_address = (bool(*)(attribute_provider_t *this, char*,host_t *))release_address;
+	this->public.provider.release_address = (bool(*)(attribute_provider_t *this, char*,host_t *, identification_t*))release_address;
 	this->public.destroy = (void(*)(sql_attribute_t*))destroy;
 	
 	this->db = db;
diff --git a/src/charon/plugins/sql/sql_config.c b/src/charon/plugins/sql/sql_config.c
index 41c5e9790..d530f9fde 100644
--- a/src/charon/plugins/sql/sql_config.c
+++ b/src/charon/plugins/sql/sql_config.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: sql_config.c 4276 2008-08-22 10:44:51Z martin $
+ * $Id: sql_config.c 4860 2009-02-11 13:09:52Z martin $
  */
 
 #include <string.h>
diff --git a/src/charon/plugins/sql/sql_plugin.c b/src/charon/plugins/sql/sql_plugin.c
index 8c4f20f74..24680ba5e 100644
--- a/src/charon/plugins/sql/sql_plugin.c
+++ b/src/charon/plugins/sql/sql_plugin.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: sql_plugin.c 3826 2008-04-17 15:08:48Z martin $
+ * $Id: sql_plugin.c 4711 2008-11-27 14:33:41Z martin $
  */
 
 #include "sql_plugin.h"
@@ -68,6 +68,7 @@ static void destroy(private_sql_plugin_t *this)
 {
 	charon->backends->remove_backend(charon->backends, &this->config->backend);
 	charon->credentials->remove_set(charon->credentials, &this->cred->set);
+	charon->attributes->remove_provider(charon->attributes, &this->attribute->provider);
 	charon->bus->remove_listener(charon->bus, &this->logger->listener);
 	this->config->destroy(this->config);
 	this->cred->destroy(this->cred);
diff --git a/src/charon/plugins/stroke/Makefile.in b/src/charon/plugins/stroke/Makefile.in
index 1ff213165..645ae2a48 100644
--- a/src/charon/plugins/stroke/Makefile.in
+++ b/src/charon/plugins/stroke/Makefile.in
@@ -87,22 +87,17 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
-CXX = @CXX@
-CXXCPP = @CXXCPP@
-CXXDEPMODE = @CXXDEPMODE@
-CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DSYMUTIL = @DSYMUTIL@
-ECHO = @ECHO@
+DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-F77 = @F77@
-FFLAGS = @FFLAGS@
+FGREP = @FGREP@
 GPERF = @GPERF@
 GREP = @GREP@
 INSTALL = @INSTALL@
@@ -112,6 +107,7 @@ INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
 IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
 IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
@@ -120,12 +116,16 @@ LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
 LINUX_HEADERS = @LINUX_HEADERS@
+LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+NM = @NM@
 NMEDIT = @NMEDIT@
 OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -148,8 +148,7 @@ abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
-ac_ct_CXX = @ac_ct_CXX@
-ac_ct_F77 = @ac_ct_F77@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -188,6 +187,7 @@ libstrongswan_plugins = @libstrongswan_plugins@
 linuxdir = @linuxdir@
 localedir = @localedir@
 localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
diff --git a/src/charon/plugins/stroke/stroke_attribute.c b/src/charon/plugins/stroke/stroke_attribute.c
index 71b56bc8a..7591a1e27 100644
--- a/src/charon/plugins/stroke/stroke_attribute.c
+++ b/src/charon/plugins/stroke/stroke_attribute.c
@@ -19,9 +19,10 @@
 
 #include <daemon.h>
 #include <utils/linked_list.h>
+#include <utils/hashtable.h>
 #include <utils/mutex.h>
 
-#define POOL_LIMIT 16
+#define POOL_LIMIT (sizeof(uintptr_t)*8)
 
 typedef struct private_stroke_attribute_t private_stroke_attribute_t;
 
@@ -51,20 +52,53 @@ typedef struct {
 	char *name;
 	/** base address of the pool */
 	host_t *base;
-	/** number of entries in the pool */
-	int count;
-	/** array of in-use flags, TODO: use bit fields */
-	u_int8_t *in_use;
+	/** size of the pool */
+	int size;
+	/** next unused address */
+	int unused;
+	/** hashtable [identity => offset], for online leases */
+	hashtable_t *online;
+	/** hashtable [identity => offset], for offline leases */
+	hashtable_t *offline;
+	/** hashtable [identity => identity], handles identity references */
+	hashtable_t *ids;
 } pool_t;
 
+/**
+ * hashtable hash function for identities
+ */
+static u_int id_hash(identification_t *id)
+{
+	return chunk_hash(id->get_encoding(id));
+}
+
+/**
+ * hashtable equals function for identities
+ */
+static bool id_equals(identification_t *a, identification_t *b)
+{
+	return a->equals(a, b);
+}
+
 /**
  * destroy a pool_t
  */
 static void pool_destroy(pool_t *this)
 {
+	enumerator_t *enumerator;
+	identification_t *id;
+	
+	enumerator = this->ids->create_enumerator(this->ids);
+	while (enumerator->enumerate(enumerator, &id, NULL))
+	{
+		id->destroy(id);
+	}
+	enumerator->destroy(enumerator);
+	this->ids->destroy(this->ids);
+	this->online->destroy(this->online);
+	this->offline->destroy(this->offline);
 	DESTROY_IF(this->base);
 	free(this->name);
-	free(this->in_use);
 	free(this);
 }
 
@@ -98,7 +132,8 @@ host_t* offset2host(pool_t *pool, int offset)
 	host_t *host;
 	u_int32_t *pos;
 	
-	if (offset > pool->count)
+	offset--;
+	if (offset > pool->size)
 	{
 		return NULL;
 	}
@@ -144,11 +179,11 @@ int host2offset(pool_t *pool, host_t *addr)
 	}
 	hosti = ntohl(*(u_int32_t*)(host.ptr));
 	basei = ntohl(*(u_int32_t*)(base.ptr));
-	if (hosti > basei + pool->count)
+	if (hosti > basei + pool->size)
 	{
 		return -1;
 	}
-	return hosti - basei;
+	return hosti - basei + 1;
 }
 
 /**
@@ -159,67 +194,120 @@ static host_t* acquire_address(private_stroke_attribute_t *this,
 							   auth_info_t *auth, host_t *requested)
 {
 	pool_t *pool;
-	host_t *host = NULL;
-	int i;
+	uintptr_t offset = 0;
+	enumerator_t *enumerator;
+	identification_t *old_id;
 	
 	this->mutex->lock(this->mutex);
 	pool = find_pool(this, name);
-	if (pool)
+	while (pool)
 	{
-		if (requested && !requested->is_anyaddr(requested))
+		/* handle %config case by mirroring requested address */
+		if (pool->size == 0)
 		{
-			if (pool->count == 0)
-			{	/* %config, give any */
-				host = requested->clone(requested);
-			}
-			else
+			this->mutex->unlock(this->mutex);
+			return requested->clone(requested);
+		}
+
+		if (requested->get_family(requested) !=
+			pool->base->get_family(pool->base))
+		{
+			DBG1(DBG_CFG, "IP pool address family mismatch");
+			break;
+		}
+		
+		/* check for a valid offline lease, refresh */
+		offset = (uintptr_t)pool->offline->remove(pool->offline, id);
+		if (offset)
+		{
+			id = pool->ids->get(pool->ids, id);
+			if (id)
 			{
-				i = host2offset(pool, requested);
-				if (i >= 0 && !pool->in_use[i])
-				{
-					pool->in_use[i] = TRUE;
-					host = requested->clone(requested);
-				}
+				DBG1(DBG_CFG, "reassigning offline lease to %D", id);
+				pool->online->put(pool->online, id, (void*)offset);
+				break;
 			}
 		}
-		if (!host)
+		
+		/* check for a valid online lease, reassign */
+		offset = (uintptr_t)pool->online->get(pool->online, id);
+		if (offset && offset == host2offset(pool, requested))
+		{
+			DBG1(DBG_CFG, "reassigning online lease to %D", id);
+			break;
+		}
+		
+		if (pool->unused < pool->size)
+		{
+			/* assigning offset, starting by 1. Handling 0 in hashtable
+			 * is difficult. */
+			offset = ++pool->unused;
+			id = id->clone(id);
+			pool->ids->put(pool->ids, id, id);
+			pool->online->put(pool->online, id, (void*)offset);
+			DBG1(DBG_CFG, "assigning new lease to %D", id);
+			break;
+		}
+		/* no more addresses, replace the first found offline lease */
+		enumerator = pool->offline->create_enumerator(pool->offline);
+		if (enumerator->enumerate(enumerator, &old_id, &offset))
 		{
-			for (i = 0; i < pool->count; i++)
+			offset = (uintptr_t)pool->offline->remove(pool->offline, old_id);
+			if (offset)
 			{
-				if (!pool->in_use[i])
+				/* destroy reference to old ID */
+				old_id = pool->ids->remove(pool->ids, old_id);
+				DBG1(DBG_CFG, "reassigning existing offline lease of %D to %D",
+					 old_id, id);
+				if (old_id)
 				{
-					pool->in_use[i] = TRUE;
-					host = offset2host(pool, i);
-					break;
+					old_id->destroy(old_id);
 				}
+				id = id->clone(id);
+				pool->ids->put(pool->ids, id, id);
+				pool->online->put(pool->online, id, (void*)offset);
+				enumerator->destroy(enumerator);
+				break;
 			}
 		}
+		enumerator->destroy(enumerator);
+		
+		DBG1(DBG_CFG, "pool '%s' is full, unable to assign address", name);
+		break;
 	}
 	this->mutex->unlock(this->mutex);
-	return host;
+	if (offset)
+	{
+		return offset2host(pool, offset);
+	}
+	return NULL;
 }
 
 /**
  * Implementation of attribute_provider_t.release_address
  */
 static bool release_address(private_stroke_attribute_t *this,
-							char *name, host_t *address)
+							char *name, host_t *address, identification_t *id)
 {
 	pool_t *pool;
 	bool found = FALSE;
-	int i;
+	uintptr_t offset;
 	
 	this->mutex->lock(this->mutex);
 	pool = find_pool(this, name);
 	if (pool)
 	{
-		if (pool->count != 0)
+		if (pool->size != 0)
 		{
-			i = host2offset(pool, address);
-			if (i >= 0 && pool->in_use[i])
+			offset = (uintptr_t)pool->online->remove(pool->online, id);
+			if (offset)
 			{
-				pool->in_use[i] = FALSE;
-				found = TRUE;
+				id = pool->ids->get(pool->ids, id);
+				if (id)
+				{
+					DBG1(DBG_CFG, "lease %H of %D went offline", address, id);
+					pool->offline->put(pool->offline, id, (void*)offset);
+				}
 			}
 		}
 	}
@@ -236,6 +324,19 @@ static void add_pool(private_stroke_attribute_t *this, stroke_msg_t *msg)
 	{
 		pool_t *pool;
 		
+		pool = malloc_thing(pool_t);
+		pool->base = NULL;
+		pool->size = 0;
+		pool->unused = 0;
+		pool->name = strdup(msg->add_conn.name);
+		pool->online = hashtable_create((hashtable_hash_t)id_hash,
+										(hashtable_equals_t)id_equals, 16);
+		pool->offline = hashtable_create((hashtable_hash_t)id_hash,
+										(hashtable_equals_t)id_equals, 16);
+		pool->ids = hashtable_create((hashtable_hash_t)id_hash,
+										(hashtable_equals_t)id_equals, 16);
+		
+		/* if %config, add an empty pool, otherwise */
 		if (msg->add_conn.other.sourceip)
 		{
 			u_int32_t bits;
@@ -245,15 +346,13 @@ static void add_pool(private_stroke_attribute_t *this, stroke_msg_t *msg)
 				 msg->add_conn.name, msg->add_conn.other.sourceip, 
 				 msg->add_conn.other.sourceip_size);
 		
-			pool = malloc_thing(pool_t);
 			pool->base = host_create_from_string(msg->add_conn.other.sourceip, 0);
 			if (!pool->base)
 			{
-				free(pool);
+				pool_destroy(pool);
 				DBG1(DBG_CFG, "virtual IP address invalid, discarded");
 				return;
 			}
-			pool->name = strdup(msg->add_conn.name);
 			family = pool->base->get_family(pool->base);
 			bits = (family == AF_INET ? 32 : 128) - msg->add_conn.other.sourceip_size;
 			if (bits > POOL_LIMIT)
@@ -263,23 +362,14 @@ static void add_pool(private_stroke_attribute_t *this, stroke_msg_t *msg)
 					 msg->add_conn.other.sourceip,
 					 (family == AF_INET ? 32 : 128) - bits);
 			}
-			pool->count = 1 << (bits);
-			pool->in_use = calloc(pool->count, sizeof(u_int8_t));
-		
-			if (pool->count > 2)
+			pool->size = 1 << (bits);
+			
+			if (pool->size > 2)
 			{	/* do not use first and last addresses of a block */
-				pool->in_use[0] = TRUE;
-				pool->in_use[pool->count-1] = TRUE;
+				pool->unused++;
+				pool->size--;
 			}
 		}
-		else
-		{	/* %config, add an empty pool */
-			pool = malloc_thing(pool_t);
-			pool->name = strdup(msg->add_conn.name);
-			pool->base = NULL;
-			pool->count = 0;
-			pool->in_use = NULL;
-		}
 		this->mutex->lock(this->mutex);
 		this->pools->insert_last(this->pools, pool);
 		this->mutex->unlock(this->mutex);
@@ -309,6 +399,119 @@ static void del_pool(private_stroke_attribute_t *this, stroke_msg_t *msg)
 	this->mutex->unlock(this->mutex);
 }
 
+/**
+ * Pool enumerator filter function, converts pool_t to name, size, ...
+ */
+static bool pool_filter(void *mutex, pool_t **poolp, char **name,
+						void *d1, u_int *size, void *d2, u_int *online,
+						void *d3, u_int *offline)
+{
+	pool_t *pool = *poolp;
+	
+	*name = pool->name;
+	*size = pool->size;
+	*online = pool->online->get_count(pool->online);
+	*offline = pool->offline->get_count(pool->offline);
+	return TRUE;
+}
+
+/**
+ * Implementation of stroke_attribute_t.create_pool_enumerator
+ */
+static enumerator_t* create_pool_enumerator(private_stroke_attribute_t *this)
+{
+	this->mutex->lock(this->mutex);
+	return enumerator_create_filter(this->pools->create_enumerator(this->pools),
+									(void*)pool_filter,
+									this->mutex, (void*)this->mutex->unlock);
+}
+
+/**
+ * lease enumerator
+ */
+typedef struct {
+	/** implemented enumerator interface */
+	enumerator_t public;
+	/** inner hash-table enumerator */
+	enumerator_t *inner;
+	/** enumerated pool */
+	pool_t *pool;
+	/** mutex to unlock on destruction */
+	mutex_t *mutex;
+	/** currently enumerated lease address */
+	host_t *current;
+} lease_enumerator_t;
+
+/**
+ * Implementation of lease_enumerator_t.enumerate
+ */
+static bool lease_enumerate(lease_enumerator_t *this, identification_t **id_out,
+							host_t **addr_out, bool *online)
+{
+	identification_t *id;
+	uintptr_t offset;
+	
+	DESTROY_IF(this->current);
+	this->current = NULL;
+	
+	if (this->inner->enumerate(this->inner, &id, NULL))
+	{
+		offset = (uintptr_t)this->pool->online->get(this->pool->online, id);
+		if (offset)
+		{
+			*id_out = id;
+			*addr_out = this->current = offset2host(this->pool, offset);
+			*online = TRUE;
+			return TRUE;
+		}
+		offset = (uintptr_t)this->pool->offline->get(this->pool->offline, id);
+		if (offset)
+		{
+			*id_out = id;
+			*addr_out = this->current = offset2host(this->pool, offset);
+			*online = FALSE;
+			return TRUE;
+		}
+	}
+	return FALSE;
+}
+
+/**
+ * Implementation of lease_enumerator_t.destroy
+ */
+static void lease_enumerator_destroy(lease_enumerator_t *this)
+{
+	DESTROY_IF(this->current);
+	this->inner->destroy(this->inner);
+	this->mutex->unlock(this->mutex);
+	free(this);
+}
+
+/**
+ * Implementation of stroke_attribute_t.create_lease_enumerator
+ */
+static enumerator_t* create_lease_enumerator(private_stroke_attribute_t *this,
+											 char *pool)
+{
+	lease_enumerator_t *enumerator;
+	
+	this->mutex->lock(this->mutex);
+	enumerator = malloc_thing(lease_enumerator_t);
+	enumerator->pool = find_pool(this, pool);
+	if (!enumerator->pool)
+	{
+		this->mutex->unlock(this->mutex);
+		free(enumerator);
+		return NULL;
+	}
+	enumerator->public.enumerate = (void*)lease_enumerate;
+	enumerator->public.destroy = (void*)lease_enumerator_destroy;
+	enumerator->inner = enumerator->pool->ids->create_enumerator(enumerator->pool->ids);
+	enumerator->mutex = this->mutex;
+	enumerator->current = NULL;
+	return &enumerator->public;
+}
+
 /**
  * Implementation of stroke_attribute_t.destroy
  */
@@ -327,13 +530,15 @@ stroke_attribute_t *stroke_attribute_create()
 	private_stroke_attribute_t *this = malloc_thing(private_stroke_attribute_t);
 	
 	this->public.provider.acquire_address = (host_t*(*)(attribute_provider_t *this, char*, identification_t *,auth_info_t *, host_t *))acquire_address;
-	this->public.provider.release_address = (bool(*)(attribute_provider_t *this, char*,host_t *))release_address;
+	this->public.provider.release_address = (bool(*)(attribute_provider_t *this, char*,host_t *, identification_t*))release_address;
 	this->public.add_pool = (void(*)(stroke_attribute_t*, stroke_msg_t *msg))add_pool;
 	this->public.del_pool = (void(*)(stroke_attribute_t*, stroke_msg_t *msg))del_pool;
+	this->public.create_pool_enumerator = (enumerator_t*(*)(stroke_attribute_t*))create_pool_enumerator;
+	this->public.create_lease_enumerator = (enumerator_t*(*)(stroke_attribute_t*, char *pool))create_lease_enumerator;
 	this->public.destroy = (void(*)(stroke_attribute_t*))destroy;
 	
 	this->pools = linked_list_create();
-	this->mutex = mutex_create(MUTEX_DEFAULT);
+	this->mutex = mutex_create(MUTEX_RECURSIVE);
 	
 	return &this->public;
 }
diff --git a/src/charon/plugins/stroke/stroke_attribute.h b/src/charon/plugins/stroke/stroke_attribute.h
index f871d5a13..5060dc987 100644
--- a/src/charon/plugins/stroke/stroke_attribute.h
+++ b/src/charon/plugins/stroke/stroke_attribute.h
@@ -32,7 +32,7 @@ typedef struct stroke_attribute_t stroke_attribute_t;
  * Stroke IKEv2 cfg attribute provider
  */
 struct stroke_attribute_t {
-
+	
 	/**
 	 * Implements attribute provider interface
 	 */
@@ -54,9 +54,30 @@ struct stroke_attribute_t {
 	void (*del_pool)(stroke_attribute_t *this, stroke_msg_t *msg);
 	
 	/**
-     * Destroy a stroke_attribute instance.
-     */
-    void (*destroy)(stroke_attribute_t *this);
+	 * Create an enumerator over installed pools.
+	 *
+	 * Enumerator enumerates over 
+	 * char *pool, u_int size, u_int offline, u_int online.
+	 *
+	 * @return			enumerator
+	 */
+	enumerator_t* (*create_pool_enumerator)(stroke_attribute_t *this);
+	
+	/**
+	 * Create an enumerator over the leases of a pool.
+	 *
+	 * Enumerator enumerates over
+	 * identification_t *id, host_t *address, bool online
+	 *
+	 * @param pool		name of the pool to enumerate
+	 * @return 			enumerator, NULL if pool not found
+	 */
+	enumerator_t* (*create_lease_enumerator)(stroke_attribute_t *this,
+											 char *pool);
+	/**
+	 * Destroy a stroke_attribute instance.
+	 */
+	void (*destroy)(stroke_attribute_t *this);
 };
 
 /**
diff --git a/src/charon/plugins/stroke/stroke_config.c b/src/charon/plugins/stroke/stroke_config.c
index cb91ecb72..59c58ca0d 100644
--- a/src/charon/plugins/stroke/stroke_config.c
+++ b/src/charon/plugins/stroke/stroke_config.c
@@ -374,6 +374,12 @@ static peer_cfg_t *build_peer_cfg(private_stroke_config_t *this,
 		return NULL;
 	}
 	
+	if (msg->add_conn.ikeme.mediation)
+	{
+		/* force unique connections for mediation connections */
+		msg->add_conn.unique = 1;
+	}
+	
 	if (msg->add_conn.ikeme.mediated_by)
 	{
 		mediated_by = charon->backends->get_peer_cfg_by_name(charon->backends,
diff --git a/src/charon/plugins/stroke/stroke_cred.c b/src/charon/plugins/stroke/stroke_cred.c
index 23a6f99b0..07e0ca768 100644
--- a/src/charon/plugins/stroke/stroke_cred.c
+++ b/src/charon/plugins/stroke/stroke_cred.c
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2008 Tobias Brunner
  * Copyright (C) 2008 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -720,13 +721,23 @@ static void load_secrets(private_stroke_cred_t *this)
 		{
 			continue;
 		}
-		if (!extract_last_token(&ids, ':', &line))
+		if (line.len > 2 && strneq(": ", line.ptr, 2))
 		{
-			DBG1(DBG_CFG, "line %d: missing ':' separator", line_nr);
+			/* no ids, skip the ':' */
+			ids = chunk_empty;
+			line.ptr++;
+			line.len--;
+		}
+		else if (extract_token_str(&ids, " : ", &line))
+		{
+			/* NULL terminate the extracted id string */
+			*(ids.ptr + ids.len) = '\0';
+		}
+		else
+		{
+			DBG1(DBG_CFG, "line %d: missing ' : ' separator", line_nr);
 			goto error;
 		}
-		/* NULL terminate the ids string by replacing the : separator */
-		*(ids.ptr + ids.len) = '\0';
 
 		if (!eat_whitespace(&line) || !extract_token(&token, ' ', &line))
 		{
@@ -791,10 +802,75 @@ static void load_secrets(private_stroke_cred_t *this)
 			}
 			chunk_clear(&secret);
 		}
+		else if (match("PIN", &token))
+		{
+			chunk_t sc = chunk_empty;
+			char smartcard[32], keyid[22], pin[32];
+			private_key_t *key;
+			u_int slot;
+			
+			err_t ugh = extract_value(&sc, &line);
+			
+			if (ugh != NULL)
+			{
+				DBG1(DBG_CFG, "line %d: %s", line_nr, ugh);
+				goto error;
+			}
+			if (sc.len == 0)
+			{
+				DBG1(DBG_CFG, "line %d: expected %%smartcard specifier", line_nr);
+				goto error;
+			}
+			snprintf(smartcard, sizeof(smartcard), "%.*s", sc.len, sc.ptr);
+			smartcard[sizeof(smartcard) - 1] = '\0';
+			
+			/* parse slot and key id. only two formats are supported.
+			 * first try %smartcard<slot>:<keyid> */
+			if (sscanf(smartcard, "%%smartcard%u:%s", &slot, keyid) == 2)
+			{
+				snprintf(smartcard, sizeof(smartcard), "%u:%s", slot, keyid);
+			}
+			/* then try %smartcard:<keyid> */
+			else if (sscanf(smartcard, "%%smartcard:%s", keyid) == 1)
+			{
+				snprintf(smartcard, sizeof(smartcard), "%s", keyid);
+			}
+			else
+			{
+				DBG1(DBG_CFG, "line %d: the given %%smartcard specifier is not"
+						" supported or invalid", line_nr);
+				goto error;
+			}
+			
+			if (!eat_whitespace(&line))
+			{
+				DBG1(DBG_CFG, "line %d: expected PIN", line_nr);
+				goto error;
+			}
+			ugh = extract_secret(&chunk, &line);
+			if (ugh != NULL)
+			{
+				DBG1(DBG_CFG, "line %d: malformed PIN: %s", line_nr, ugh);
+				goto error;
+			}
+			snprintf(pin, sizeof(pin), "%.*s", chunk.len, chunk.ptr);
+			pin[sizeof(pin) - 1] = '\0';
+			
+			/* we assume an RSA key */
+			key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+									 BUILD_SMARTCARD_KEYID, smartcard,
+									 BUILD_SMARTCARD_PIN, pin, BUILD_END);
+			
+			if (key)
+			{
+				DBG1(DBG_CFG, "  loaded private key from %.*s", sc.len, sc.ptr);
+				this->private->insert_last(this->private, key);
+			}
+			memset(pin, 0, sizeof(pin));
+		}
 		else if ((match("PSK", &token) && (type = SHARED_IKE)) ||
 				 (match("EAP", &token) && (type = SHARED_EAP)) ||
-				 (match("XAUTH", &token) && (type = SHARED_EAP)) ||
-				 (match("PIN", &token) && (type = SHARED_PIN)))
+				 (match("XAUTH", &token) && (type = SHARED_EAP)))
 		{
 			stroke_shared_key_t *shared_key;
 			chunk_t secret = chunk_empty;
@@ -862,7 +938,7 @@ static void load_secrets(private_stroke_cred_t *this)
 		else
 		{
 			DBG1(DBG_CFG, "line %d: token must be either "
-				 "RSA, EC, PSK, EAP, or PIN", line_nr);
+				 "RSA, ECDSA, PSK, EAP, XAUTH or PIN", line_nr);
 			goto error;
 		}
 	}
diff --git a/src/charon/plugins/stroke/stroke_list.c b/src/charon/plugins/stroke/stroke_list.c
index 7d0ad4557..8042875c9 100644
--- a/src/charon/plugins/stroke/stroke_list.c
+++ b/src/charon/plugins/stroke/stroke_list.c
@@ -47,6 +47,11 @@ struct private_stroke_list_t {
 	 * timestamp of daemon start
 	 */
 	time_t uptime;
+	
+	/**
+	 * strokes attribute provider
+	 */
+	stroke_attribute_t *attribute;
 };
 
 /**
@@ -72,10 +77,21 @@ auth_class_t get_auth_class(peer_cfg_t *config)
 static void log_ike_sa(FILE *out, ike_sa_t *ike_sa, bool all)
 {
 	ike_sa_id_t *id = ike_sa->get_id(ike_sa);
-
-	fprintf(out, "%12s[%d]: %N, %H[%D]...%H[%D]\n",
+	time_t now = time(NULL);
+	
+	fprintf(out, "%12s[%d]: %N",
 			ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa),
-			ike_sa_state_names, ike_sa->get_state(ike_sa),
+			ike_sa_state_names, ike_sa->get_state(ike_sa));
+	
+	if (ike_sa->get_state(ike_sa) == IKE_ESTABLISHED)
+	{
+		time_t established;
+		
+		established = ike_sa->get_statistic(ike_sa, STAT_ESTABLISHED);
+		fprintf(out, " %#V ago", &now, &established);
+	}
+	
+	fprintf(out, ", %H[%D]...%H[%D]\n",
 			ike_sa->get_my_host(ike_sa), ike_sa->get_my_id(ike_sa),
 			ike_sa->get_other_host(ike_sa), ike_sa->get_other_id(ike_sa));
 	
@@ -93,22 +109,20 @@ static void log_ike_sa(FILE *out, ike_sa_t *ike_sa, bool all)
 		
 		if (ike_sa->get_state(ike_sa) == IKE_ESTABLISHED)
 		{
-			u_int32_t rekey, reauth, now;
+			time_t rekey, reauth;
 			
-			now = time(NULL);
 			rekey = ike_sa->get_statistic(ike_sa, STAT_REKEY);
 			reauth = ike_sa->get_statistic(ike_sa, STAT_REAUTH);
 			
 			if (rekey)
 			{
-				rekey -= now;
-				fprintf(out, ", rekeying in %V", &rekey);
+				fprintf(out, ", rekeying in %#V", &rekey, &now);
 			}
 			if (reauth)
 			{
-				reauth -= now;
-				fprintf(out, ", %N reauthentication in %V", auth_class_names,
-						get_auth_class(ike_sa->get_peer_cfg(ike_sa)), &reauth);
+				fprintf(out, ", %N reauthentication in %#V", auth_class_names,
+						get_auth_class(ike_sa->get_peer_cfg(ike_sa)),
+						&reauth, &now);
 			}
 			if (!rekey && !reauth)
 			{
@@ -248,11 +262,13 @@ static void status(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out, bo
 	if (all)
 	{
 		peer_cfg_t *peer_cfg;
-		char *plugin;
+		char *plugin, *pool;
 		host_t *host;
 		u_int32_t dpd;
 		time_t uptime = time(NULL) - this->uptime;
-
+		bool first = TRUE;
+		u_int size, online, offline;
+		
 		fprintf(out, "Performance:\n");
 		fprintf(out, "  uptime: %V, since %#T\n", &uptime, &this->uptime, FALSE);
 		fprintf(out, "  worker threads: %d idle of %d,",
@@ -271,6 +287,18 @@ static void status(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out, bo
 		enumerator->destroy(enumerator);
 		fprintf(out, "\n");
 		
+		enumerator = this->attribute->create_pool_enumerator(this->attribute);
+		while (enumerator->enumerate(enumerator, &pool, &size, &online, &offline))
+		{
+			if (first)
+			{
+				first = FALSE;
+				fprintf(out, "Virtual IP pools (size/online/offline):\n");
+			}
+			fprintf(out, "  %s: %lu/%lu/%lu\n", pool, size, online, offline);
+		}
+		enumerator->destroy(enumerator);
+		
 		enumerator = charon->kernel_interface->create_address_enumerator(
 								charon->kernel_interface, FALSE, FALSE);
 		fprintf(out, "Listening IP addresses:\n");
@@ -968,6 +996,77 @@ static void list(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out)
 	DESTROY_OFFSET_IF(cert_list, offsetof(certificate_t, destroy));
 }
 
+/**
+ * Print leases of a single pool
+ */
+static void pool_leases(private_stroke_list_t *this, FILE *out, char *pool,
+						host_t *address, u_int size, u_int online, u_int offline)
+{
+	enumerator_t *enumerator;
+	identification_t *id;
+	host_t *lease;
+	bool on;
+	int found = 0;
+	
+	fprintf(out, "Leases in pool '%s', usage: %lu/%lu, %lu online\n",
+			pool, online + offline, size, online);
+	enumerator = this->attribute->create_lease_enumerator(this->attribute, pool);
+	while (enumerator && enumerator->enumerate(enumerator, &id, &lease, &on))
+	{
+		if (!address || address->ip_equals(address, lease))
+		{
+			fprintf(out, "  %15H   %s   '%D'\n",
+					lease, on ? "online" : "offline", id);
+			found++;
+		}
+	}
+	enumerator->destroy(enumerator);
+	if (!found)
+	{
+		fprintf(out, "  no matching leases found\n");
+	}
+}
+
+/**
+ * Implementation of stroke_list_t.leases
+ */
+static void leases(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out)
+{
+	enumerator_t *enumerator;
+	u_int size, offline, online;
+	host_t *address = NULL;
+	char *pool;
+	int found = 0;
+	
+	if (msg->leases.address)
+	{
+		address = host_create_from_string(msg->leases.address, 0);
+	}
+	
+	enumerator = this->attribute->create_pool_enumerator(this->attribute);
+	while (enumerator->enumerate(enumerator, &pool, &size, &online, &offline))
+	{
+		if (!msg->leases.pool || streq(msg->leases.pool, pool))
+		{
+			pool_leases(this, out, pool, address, size, online, offline);
+			found++;
+		}
+	}
+	enumerator->destroy(enumerator);
+	if (!found)
+	{
+		if (msg->leases.pool)
+		{
+			fprintf(out, "pool '%s' not found\n", msg->leases.pool);
+		}
+		else
+		{
+			fprintf(out, "no pools found\n");
+		}
+	}
+	DESTROY_IF(address);
+}
+
 /**
  * Implementation of stroke_list_t.destroy
  */
@@ -979,15 +1078,17 @@ static void destroy(private_stroke_list_t *this)
 /*
  * see header file
  */
-stroke_list_t *stroke_list_create()
+stroke_list_t *stroke_list_create(stroke_attribute_t *attribute)
 {
 	private_stroke_list_t *this = malloc_thing(private_stroke_list_t);
 	
 	this->public.list = (void(*)(stroke_list_t*, stroke_msg_t *msg, FILE *out))list;
 	this->public.status = (void(*)(stroke_list_t*, stroke_msg_t *msg, FILE *out,bool))status;
+	this->public.leases = (void(*)(stroke_list_t*, stroke_msg_t *msg, FILE *out))leases;
 	this->public.destroy = (void(*)(stroke_list_t*))destroy;
 	
 	this->uptime = time(NULL);
+	this->attribute = attribute;
 	
 	return &this->public;
 }
diff --git a/src/charon/plugins/stroke/stroke_list.h b/src/charon/plugins/stroke/stroke_list.h
index dabdbff39..1f7f19d62 100644
--- a/src/charon/plugins/stroke/stroke_list.h
+++ b/src/charon/plugins/stroke/stroke_list.h
@@ -23,6 +23,8 @@
 #ifndef STROKE_LIST_H_
 #define STROKE_LIST_H_
 
+#include "stroke_attribute.h"
+
 #include <stroke_msg.h>
 #include <library.h>
 
@@ -51,14 +53,24 @@ struct stroke_list_t {
 	void (*status)(stroke_list_t *this, stroke_msg_t *msg, FILE *out, bool all);
 	
 	/**
-     * Destroy a stroke_list instance.
-     */
-    void (*destroy)(stroke_list_t *this);
+	 * Log pool leases to stroke console.
+	 *
+	 * @param msg		stroke message
+	 * @param out		stroke console stream
+	 */
+	void (*leases)(stroke_list_t *this, stroke_msg_t *msg, FILE *out);
+	
+	/**
+	 * Destroy a stroke_list instance.
+	 */
+	void (*destroy)(stroke_list_t *this);
 };
 
 /**
  * Create a stroke_list instance.
+ *
+ * @param attribute		strokes attribute provider
  */
-stroke_list_t *stroke_list_create();
+stroke_list_t *stroke_list_create(stroke_attribute_t *attribute);
 
 #endif /* STROKE_LIST_H_ @}*/
diff --git a/src/charon/plugins/stroke/stroke_socket.c b/src/charon/plugins/stroke/stroke_socket.c
index 8c4ab7804..53edde031 100644
--- a/src/charon/plugins/stroke/stroke_socket.c
+++ b/src/charon/plugins/stroke/stroke_socket.c
@@ -337,6 +337,18 @@ static void stroke_purge(private_stroke_socket_t *this,
 									 CERT_X509_OCSP_RESPONSE);
 }
 
+/**
+ * list pool leases
+ */
+static void stroke_leases(private_stroke_socket_t *this,
+						  stroke_msg_t *msg, FILE *out)
+{
+	pop_string(msg, &msg->leases.pool);
+	pop_string(msg, &msg->leases.address);
+	
+	this->list->leases(this->list, msg, out);
+}
+
 debug_t get_group_from_name(char *type)
 {
 	if (strcasecmp(type, "any") == 0) return DBG_ANY;
@@ -498,6 +510,9 @@ static job_requeue_t process(stroke_job_context_t *ctx)
 		case STR_PURGE:
 			stroke_purge(this, msg, out);
 			break;
+		case STR_LEASES:
+			stroke_leases(this, msg, out);
+			break;
 		default:
 			DBG1(DBG_CFG, "received unknown stroke");
 			break;
@@ -621,7 +636,7 @@ stroke_socket_t *stroke_socket_create()
 	this->ca = stroke_ca_create(this->cred);
 	this->config = stroke_config_create(this->ca, this->cred);
 	this->control = stroke_control_create();
-	this->list = stroke_list_create();
+	this->list = stroke_list_create(this->attribute);
 	
 	charon->credentials->add_set(charon->credentials, &this->ca->set);
 	charon->credentials->add_set(charon->credentials, &this->cred->set);
diff --git a/src/charon/plugins/uci/Makefile.in b/src/charon/plugins/uci/Makefile.in
index 17a1212f3..a29d2d4b1 100644
--- a/src/charon/plugins/uci/Makefile.in
+++ b/src/charon/plugins/uci/Makefile.in
@@ -85,22 +85,17 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
-CXX = @CXX@
-CXXCPP = @CXXCPP@
-CXXDEPMODE = @CXXDEPMODE@
-CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DSYMUTIL = @DSYMUTIL@
-ECHO = @ECHO@
+DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-F77 = @F77@
-FFLAGS = @FFLAGS@
+FGREP = @FGREP@
 GPERF = @GPERF@
 GREP = @GREP@
 INSTALL = @INSTALL@
@@ -110,6 +105,7 @@ INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
 IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
 IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
@@ -118,12 +114,16 @@ LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
 LINUX_HEADERS = @LINUX_HEADERS@
+LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+NM = @NM@
 NMEDIT = @NMEDIT@
 OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -146,8 +146,7 @@ abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
-ac_ct_CXX = @ac_ct_CXX@
-ac_ct_F77 = @ac_ct_F77@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -186,6 +185,7 @@ libstrongswan_plugins = @libstrongswan_plugins@
 linuxdir = @linuxdir@
 localedir = @localedir@
 localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
diff --git a/src/charon/plugins/unit_tester/Makefile.am b/src/charon/plugins/unit_tester/Makefile.am
index 238e5a1dc..9c86aa69f 100644
--- a/src/charon/plugins/unit_tester/Makefile.am
+++ b/src/charon/plugins/unit_tester/Makefile.am
@@ -14,11 +14,13 @@ libstrongswan_unit_tester_la_SOURCES = unit_tester.c unit_tester.h tests.h \
   tests/test_sqlite.c \
   tests/test_mutex.c \
   tests/test_rsa_gen.c \
+  tests/test_cert.c \
   tests/test_med_db.c \
   tests/test_aes.c \
   tests/test_chunk.c \
   tests/test_pool.c \
-  tests/test_agent.c
+  tests/test_agent.c \
+  tests/test_rng.c
 
 libstrongswan_unit_tester_la_LDFLAGS = -module
 
diff --git a/src/charon/plugins/unit_tester/Makefile.in b/src/charon/plugins/unit_tester/Makefile.in
index 837dcd73c..537ec127e 100644
--- a/src/charon/plugins/unit_tester/Makefile.in
+++ b/src/charon/plugins/unit_tester/Makefile.in
@@ -53,8 +53,8 @@ libstrongswan_unit_tester_la_LIBADD =
 am_libstrongswan_unit_tester_la_OBJECTS = unit_tester.lo \
 	test_enumerator.lo test_auth_info.lo test_fips_prf.lo \
 	test_curl.lo test_mysql.lo test_sqlite.lo test_mutex.lo \
-	test_rsa_gen.lo test_med_db.lo test_aes.lo test_chunk.lo \
-	test_pool.lo test_agent.lo
+	test_rsa_gen.lo test_cert.lo test_med_db.lo test_aes.lo \
+	test_chunk.lo test_pool.lo test_agent.lo test_rng.lo
 libstrongswan_unit_tester_la_OBJECTS =  \
 	$(am_libstrongswan_unit_tester_la_OBJECTS)
 libstrongswan_unit_tester_la_LINK = $(LIBTOOL) --tag=CC \
@@ -90,22 +90,17 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
-CXX = @CXX@
-CXXCPP = @CXXCPP@
-CXXDEPMODE = @CXXDEPMODE@
-CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DSYMUTIL = @DSYMUTIL@
-ECHO = @ECHO@
+DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-F77 = @F77@
-FFLAGS = @FFLAGS@
+FGREP = @FGREP@
 GPERF = @GPERF@
 GREP = @GREP@
 INSTALL = @INSTALL@
@@ -115,6 +110,7 @@ INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
 IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
 IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
@@ -123,12 +119,16 @@ LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
 LINUX_HEADERS = @LINUX_HEADERS@
+LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+NM = @NM@
 NMEDIT = @NMEDIT@
 OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -151,8 +151,7 @@ abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
-ac_ct_CXX = @ac_ct_CXX@
-ac_ct_F77 = @ac_ct_F77@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -191,6 +190,7 @@ libstrongswan_plugins = @libstrongswan_plugins@
 linuxdir = @linuxdir@
 localedir = @localedir@
 localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
@@ -226,11 +226,13 @@ libstrongswan_unit_tester_la_SOURCES = unit_tester.c unit_tester.h tests.h \
   tests/test_sqlite.c \
   tests/test_mutex.c \
   tests/test_rsa_gen.c \
+  tests/test_cert.c \
   tests/test_med_db.c \
   tests/test_aes.c \
   tests/test_chunk.c \
   tests/test_pool.c \
-  tests/test_agent.c
+  tests/test_agent.c \
+  tests/test_rng.c
 
 libstrongswan_unit_tester_la_LDFLAGS = -module
 all: all-am
@@ -305,6 +307,7 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_aes.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_agent.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_auth_info.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_cert.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_chunk.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_curl.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_enumerator.Plo@am__quote@
@@ -313,6 +316,7 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_mutex.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_mysql.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_pool.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_rng.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_rsa_gen.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_sqlite.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/unit_tester.Plo@am__quote@
@@ -394,6 +398,13 @@ test_rsa_gen.lo: tests/test_rsa_gen.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_rsa_gen.lo `test -f 'tests/test_rsa_gen.c' || echo '$(srcdir)/'`tests/test_rsa_gen.c
 
+test_cert.lo: tests/test_cert.c
+@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_cert.lo -MD -MP -MF $(DEPDIR)/test_cert.Tpo -c -o test_cert.lo `test -f 'tests/test_cert.c' || echo '$(srcdir)/'`tests/test_cert.c
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/test_cert.Tpo $(DEPDIR)/test_cert.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tests/test_cert.c' object='test_cert.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_cert.lo `test -f 'tests/test_cert.c' || echo '$(srcdir)/'`tests/test_cert.c
+
 test_med_db.lo: tests/test_med_db.c
 @am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_med_db.lo -MD -MP -MF $(DEPDIR)/test_med_db.Tpo -c -o test_med_db.lo `test -f 'tests/test_med_db.c' || echo '$(srcdir)/'`tests/test_med_db.c
 @am__fastdepCC_TRUE@	mv -f $(DEPDIR)/test_med_db.Tpo $(DEPDIR)/test_med_db.Plo
@@ -429,6 +440,13 @@ test_agent.lo: tests/test_agent.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_agent.lo `test -f 'tests/test_agent.c' || echo '$(srcdir)/'`tests/test_agent.c
 
+test_rng.lo: tests/test_rng.c
+@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_rng.lo -MD -MP -MF $(DEPDIR)/test_rng.Tpo -c -o test_rng.lo `test -f 'tests/test_rng.c' || echo '$(srcdir)/'`tests/test_rng.c
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/test_rng.Tpo $(DEPDIR)/test_rng.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tests/test_rng.c' object='test_rng.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_rng.lo `test -f 'tests/test_rng.c' || echo '$(srcdir)/'`tests/test_rng.c
+
 mostlyclean-libtool:
 	-rm -f *.lo
 
diff --git a/src/charon/plugins/unit_tester/tests.h b/src/charon/plugins/unit_tester/tests.h
index 058d1987d..0673c309a 100644
--- a/src/charon/plugins/unit_tester/tests.h
+++ b/src/charon/plugins/unit_tester/tests.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: tests.h 4317 2008-09-02 11:00:13Z martin $
+ * $Id: tests.h 4815 2008-12-18 16:24:22Z martin $
  */
 
 /**
@@ -33,9 +33,11 @@ DEFINE_TEST("SQLite operations", test_sqlite, FALSE)
 DEFINE_TEST("mutex primitive", test_mutex, FALSE)
 DEFINE_TEST("RSA key generation", test_rsa_gen, FALSE)
 DEFINE_TEST("RSA subjectPublicKeyInfo loading", test_rsa_load_any, FALSE)
+DEFINE_TEST("X509 certificate", test_cert_x509, FALSE)
 DEFINE_TEST("Mediation database key fetch", test_med_db, FALSE)
 DEFINE_TEST("AES-128 encryption", test_aes128, FALSE)
 DEFINE_TEST("AES-XCBC", test_aes_xcbc, FALSE)
 DEFINE_TEST("Base64 converter", test_chunk_base64, FALSE)
 DEFINE_TEST("IP pool", test_pool, FALSE)
-DEFINE_TEST("SSH agent", test_agent, TRUE)
+DEFINE_TEST("SSH agent", test_agent, FALSE)
+DEFINE_TEST("RNG quality", test_rng, FALSE)
diff --git a/src/charon/plugins/unit_tester/tests/test_cert.c b/src/charon/plugins/unit_tester/tests/test_cert.c
new file mode 100644
index 000000000..95ab289df
--- /dev/null
+++ b/src/charon/plugins/unit_tester/tests/test_cert.c
@@ -0,0 +1,108 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <library.h>
+#include <daemon.h>
+#include <credentials/certificates/x509.h>
+
+/*******************************************************************************
+ * X509 certificate generation and parsing
+ ******************************************************************************/
+bool test_cert_x509()
+{
+	private_key_t *ca_key, *peer_key;
+	public_key_t *public;
+	certificate_t *ca_cert, *peer_cert, *parsed;
+	identification_t *issuer, *subject;
+	u_int32_t serial = htonl(0);
+	chunk_t encoding;
+	
+	issuer = identification_create_from_string("CN=CA, OU=Test, O=strongSwan");
+	subject = identification_create_from_string("CN=Peer, OU=Test, O=strongSwan");
+	
+	ca_key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+						BUILD_KEY_SIZE, 1024, BUILD_END);
+	peer_key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+						BUILD_KEY_SIZE, 1024, BUILD_END);
+	if (!ca_key)
+	{
+		return FALSE;
+	}
+	ca_cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+						BUILD_SIGNING_KEY, ca_key,
+						BUILD_SUBJECT, issuer,
+						BUILD_SERIAL, chunk_from_thing(serial),
+						BUILD_X509_FLAG, X509_CA,
+						BUILD_END);
+	if (!ca_cert)
+	{
+		return FALSE;
+	}
+	
+	encoding = ca_cert->get_encoding(ca_cert);
+	parsed = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+						BUILD_BLOB_ASN1_DER, encoding,
+						BUILD_END);
+	chunk_free(&encoding);
+	if (!parsed)
+	{
+		return FALSE;
+	}
+	if (!parsed->issued_by(parsed, ca_cert))
+	{
+		return FALSE;
+	}
+	parsed->destroy(parsed);
+	
+	serial = htonl(ntohl(serial) + 1);
+	public = peer_key->get_public_key(peer_key);
+	peer_cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+						BUILD_SIGNING_KEY, ca_key,
+						BUILD_SIGNING_CERT, ca_cert,
+						BUILD_PUBLIC_KEY, public,
+						BUILD_SUBJECT, subject,
+						BUILD_SERIAL, chunk_from_thing(serial),
+						BUILD_END);
+	public->destroy(public);
+	if (!peer_cert)
+	{
+		return FALSE;
+	}
+	
+	encoding = peer_cert->get_encoding(peer_cert);
+	parsed = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+						BUILD_BLOB_ASN1_DER, encoding,
+						BUILD_END);
+	chunk_free(&encoding);
+	if (!parsed)
+	{
+		return FALSE;
+	}
+	if (!parsed->issued_by(parsed, ca_cert))
+	{
+		return FALSE;
+	}
+	parsed->destroy(parsed);
+	
+	ca_cert->destroy(ca_cert);
+	ca_key->destroy(ca_key);
+	peer_cert->destroy(peer_cert);
+	peer_key->destroy(peer_key);
+	issuer->destroy(issuer);
+	subject->destroy(subject);
+	return TRUE;
+}
+
+
diff --git a/src/charon/plugins/unit_tester/tests/test_enumerator.c b/src/charon/plugins/unit_tester/tests/test_enumerator.c
index a7f3dd822..6898084fc 100644
--- a/src/charon/plugins/unit_tester/tests/test_enumerator.c
+++ b/src/charon/plugins/unit_tester/tests/test_enumerator.c
@@ -226,18 +226,26 @@ bool test_enumerate_token()
 		char *string;
 		char *sep;
 		char *trim;
-	} tests[] = {
+	} tests1[] = {
 		{"abc, cde, efg", ",", " "},
 		{" abc 1:2 cde;3  4efg5.  ", ":;.,", " 12345"},
 		{"abc.cde,efg", ",.", ""},
 		{"  abc   cde  efg  ", " ", " "},
+		{"a'abc' c 'cde' cefg", " ", " abcd"},
+		{"'abc' abc 'cde'd 'efg'", " ", " abcd"},
+	}, tests2[] = {
+		{"a, b, c", ",", " "},
+		{"a,b,c", ",", " "},
+		{" a 1:2 b;3  4c5.  ", ":;.,", " 12345"},
+		{"a.b,c", ",.", ""},
+		{"  a   b  c  ", " ", " "},
 	};
 	
-	for (num = 0; num < countof(tests); num++)
+	for (num = 0; num < countof(tests1); num++)
 	{
 		i = 0;
-		enumerator = enumerator_create_token(
-							tests[num].string, tests[num].sep, tests[num].trim);
+		enumerator = enumerator_create_token(tests1[num].string,
+											 tests1[num].sep, tests1[num].trim);
 		while (enumerator->enumerate(enumerator, &token))
 		{
 			switch (i)
@@ -256,9 +264,43 @@ bool test_enumerate_token()
 			}
 			i++;
 		}
+		if (i != 3)
+		{
+			return FALSE;
+		}
 		enumerator->destroy(enumerator);
 	}
-
+	
+	for (num = 0; num < countof(tests2); num++)
+	{
+		i = 0;
+		enumerator = enumerator_create_token(tests2[num].string,
+											 tests2[num].sep, tests2[num].trim);
+		while (enumerator->enumerate(enumerator, &token))
+		{
+			switch (i)
+			{
+				case 0:
+					if (!streq(token, "a")) return FALSE;
+					break;
+				case 1:
+					if (!streq(token, "b")) return FALSE;
+					break;
+				case 2:
+					if (!streq(token, "c")) return FALSE;
+					break;
+				default:
+					return FALSE;
+			}
+			i++;
+		}
+		if (i != 3)
+		{
+			return FALSE;
+		}
+		enumerator->destroy(enumerator);
+	}
+	
 	return TRUE;
 }
 
diff --git a/src/charon/plugins/unit_tester/tests/test_pool.c b/src/charon/plugins/unit_tester/tests/test_pool.c
index 40334335d..b11f71704 100644
--- a/src/charon/plugins/unit_tester/tests/test_pool.c
+++ b/src/charon/plugins/unit_tester/tests/test_pool.c
@@ -60,7 +60,7 @@ static void* testing(void *thread)
 	/* release addresses */
 	for (i = 0; i < ALLOCS; i++)
 	{
-		charon->attributes->release_address(charon->attributes, "test", addr[i]);
+		charon->attributes->release_address(charon->attributes, "test", addr[i], id[i]);
 	}
 	
 	/* cleanup */
diff --git a/src/charon/plugins/unit_tester/tests/test_rng.c b/src/charon/plugins/unit_tester/tests/test_rng.c
new file mode 100644
index 000000000..60cbf2d36
--- /dev/null
+++ b/src/charon/plugins/unit_tester/tests/test_rng.c
@@ -0,0 +1,221 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <daemon.h>
+#include <library.h>
+#include <utils/mutex.h>
+
+#include <unistd.h>
+#include <sched.h>
+#include <pthread.h>
+
+static bool test_monobit(chunk_t data)
+{
+	int i, j, bits = 0;
+	
+	for (i = 0; i < data.len; i++)
+	{
+		for (j = 0; j < 8; j++)
+		{
+			if (data.ptr[i] & (1<<j))
+			{
+				bits++;
+			}
+		}
+	}
+	DBG1(DBG_CFG, "  Monobit: %d/%d bits set", bits, data.len * 8);
+	if (bits > 9654 && bits < 10346)
+	{
+		return TRUE;
+	}
+	return FALSE;
+}
+
+static bool test_poker(chunk_t data)
+{
+	int i, counter[16];
+	double sum = 0.0;
+	
+	memset(counter, 0, sizeof(counter));
+	
+	for (i = 0; i < data.len; i++)
+	{
+		counter[data.ptr[i] & 0x0F]++;
+		counter[(data.ptr[i] & 0xF0) >> 4]++;
+	}
+	
+	for (i = 0; i < countof(counter); i++)
+	{
+		sum += (counter[i] * counter[i]) / 5000.0 * 16.0;
+	}
+	sum -= 5000.0;
+	DBG1(DBG_CFG, "  Poker: %f", sum);
+	if (sum > 1.03 && sum < 57.4)
+	{
+		return TRUE;
+	}
+	return FALSE;
+}
+
+static bool test_runs(chunk_t data)
+{
+	int i, j, zero_runs[7], one_runs[7], zero = 0, one = 0, longrun = 0;
+	bool ok = TRUE;
+	
+	memset(one_runs, 0, sizeof(zero_runs));
+	memset(zero_runs, 0, sizeof(one_runs));
+	
+	for (i = 0; i < data.len; i++)
+	{
+		for (j = 0; j < 8; j++)
+		{
+			if (data.ptr[i] & (1<<j))
+			{
+				if (one)
+				{
+					if (++one >= 34)
+					{
+						longrun++;
+						break;
+					}
+				}
+				else
+				{
+					zero_runs[min(6, zero)]++;
+					zero = 0;
+					one = 1;
+				}
+			}
+			else
+			{
+				if (zero)
+				{
+					if (++zero >= 34)
+					{
+						longrun++;
+						break;
+					}
+				}
+				else
+				{
+					one_runs[min(6, one)]++;
+					one = 0;
+					zero = 1;
+				}
+			}
+		}
+	}
+	
+	DBG1(DBG_CFG, "  Runs: zero: %d/%d/%d/%d/%d/%d, one: %d/%d/%d/%d/%d/%d, "
+		 "longruns: %d",
+		 zero_runs[1], zero_runs[2], zero_runs[3],
+		 zero_runs[4], zero_runs[5], zero_runs[6],
+		 one_runs[1], one_runs[2], one_runs[3],
+		 one_runs[4], one_runs[5], one_runs[6],
+		 longrun);
+	
+	if (longrun)
+	{
+		return FALSE;
+	}
+	
+	for (i = 1; i < countof(zero_runs); i++)
+	{
+		switch (i)
+		{
+			case 1:
+				ok &= zero_runs[i] > 2267 && zero_runs[i] < 2733;
+				ok &= one_runs[i] > 2267 && one_runs[i] < 2733;
+				break;
+			case 2:
+				ok &= zero_runs[i] > 1079 && zero_runs[i] < 1421;
+				ok &= one_runs[i] > 1079 && one_runs[i] < 1421;
+				break;
+			case 3:
+				ok &= zero_runs[i] > 502 && zero_runs[i] < 748;
+				ok &= one_runs[i] > 502 && one_runs[i] < 748;
+				break;
+			case 4:
+				ok &= zero_runs[i] > 223 && zero_runs[i] < 402;
+				ok &= one_runs[i] > 223 && one_runs[i] < 402;
+				break;
+			case 5:
+				ok &= zero_runs[i] > 90 && zero_runs[i] < 223;
+				ok &= one_runs[i] > 90 && one_runs[i] < 223;
+				break;
+			case 6:
+				ok &= zero_runs[i] > 90 && zero_runs[i] < 223;
+				ok &= one_runs[i] > 90 && one_runs[i] < 223;
+				break;
+		}
+		if (!ok)
+		{
+			return FALSE;
+		}
+	}
+	return TRUE;
+}
+
+static bool test_rng_quality(rng_quality_t quality)
+{
+	rng_t *rng;
+	chunk_t chunk;
+	
+	rng = lib->crypto->create_rng(lib->crypto, quality);
+	if (!rng)
+	{
+		return FALSE;
+	}
+	DBG1(DBG_CFG, "%N", rng_quality_names, quality);
+	rng->allocate_bytes(rng, 2500, &chunk);
+	
+	if (!test_monobit(chunk))
+	{
+		return FALSE;
+	}
+	if (!test_poker(chunk))
+	{
+		return FALSE;
+	}
+	if (!test_runs(chunk))
+	{
+		return FALSE;
+	}
+	
+	free(chunk.ptr);
+	rng->destroy(rng);
+	return TRUE;
+}
+
+/**
+ * run a test using given values
+ */
+bool test_rng()
+{
+	if (!test_rng_quality(RNG_WEAK))
+	{
+		return FALSE;
+	}
+	if (!test_rng_quality(RNG_STRONG))
+	{
+		return FALSE;
+	}
+	if (!test_rng_quality(RNG_REAL))
+	{
+		return FALSE;
+	}
+	return TRUE; 
+}
+
diff --git a/src/charon/plugins/updown/Makefile.in b/src/charon/plugins/updown/Makefile.in
index 603000a09..15bc7b95c 100644
--- a/src/charon/plugins/updown/Makefile.in
+++ b/src/charon/plugins/updown/Makefile.in
@@ -86,22 +86,17 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
-CXX = @CXX@
-CXXCPP = @CXXCPP@
-CXXDEPMODE = @CXXDEPMODE@
-CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DSYMUTIL = @DSYMUTIL@
-ECHO = @ECHO@
+DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-F77 = @F77@
-FFLAGS = @FFLAGS@
+FGREP = @FGREP@
 GPERF = @GPERF@
 GREP = @GREP@
 INSTALL = @INSTALL@
@@ -111,6 +106,7 @@ INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
 IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
 IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
@@ -119,12 +115,16 @@ LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
 LINUX_HEADERS = @LINUX_HEADERS@
+LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+NM = @NM@
 NMEDIT = @NMEDIT@
 OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -147,8 +147,7 @@ abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
-ac_ct_CXX = @ac_ct_CXX@
-ac_ct_F77 = @ac_ct_F77@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -187,6 +186,7 @@ libstrongswan_plugins = @libstrongswan_plugins@
 linuxdir = @linuxdir@
 localedir = @localedir@
 localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
diff --git a/src/charon/processing/jobs/delete_ike_sa_job.c b/src/charon/processing/jobs/delete_ike_sa_job.c
index 95b60ad01..c37e4e389 100644
--- a/src/charon/processing/jobs/delete_ike_sa_job.c
+++ b/src/charon/processing/jobs/delete_ike_sa_job.c
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: delete_ike_sa_job.c 3589 2008-03-13 14:14:44Z martin $
+ * $Id: delete_ike_sa_job.c 4722 2008-11-28 15:44:25Z martin $
  */
 
 #include "delete_ike_sa_job.h"
@@ -63,6 +63,11 @@ static void execute(private_delete_ike_sa_job_t *this)
 											  this->ike_sa_id);
 	if (ike_sa)
 	{
+		if (ike_sa->get_state(ike_sa) == IKE_PASSIVE)
+		{
+			charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+			return destroy(this);
+		}
 		if (this->delete_if_established)
 		{
 			if (ike_sa->delete(ike_sa) == DESTROY_ME)
diff --git a/src/charon/processing/jobs/migrate_job.c b/src/charon/processing/jobs/migrate_job.c
index ec0a76fb9..47ff658f1 100644
--- a/src/charon/processing/jobs/migrate_job.c
+++ b/src/charon/processing/jobs/migrate_job.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: migrate_job.c 4662 2008-11-16 21:19:58Z andreas $
+ * $Id: migrate_job.c 4677 2008-11-19 15:31:27Z martin $
  */
 
 #include "migrate_job.h"
@@ -110,7 +110,7 @@ static void execute(private_migrate_job_t *this)
 		host->set_port(host, IKEV2_UDP_PORT);
 		ike_sa->set_other_host(ike_sa, host);
 
-		if (child_sa->update_hosts(child_sa, this->local, this->remote,
+		if (child_sa->update(child_sa, this->local, this->remote,
 				ike_sa->get_virtual_ip(ike_sa, TRUE),
 			 	ike_sa->has_condition(ike_sa, COND_NAT_ANY)) == NOT_SUPPORTED)
 		{
diff --git a/src/charon/processing/processor.c b/src/charon/processing/processor.c
index 9cff090bf..68916937b 100644
--- a/src/charon/processing/processor.c
+++ b/src/charon/processing/processor.c
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: processor.c 4579 2008-11-05 11:29:56Z martin $
+ * $Id: processor.c 4802 2008-12-12 15:57:12Z martin $
  */
  
 #include <stdlib.h>
@@ -84,7 +84,9 @@ static void restart(private_processor_t *this)
 {
 	pthread_t thread;
 	
-	if (pthread_create(&thread, NULL, (void*)process_jobs, this) != 0)
+	/* respawn thread if required */
+	if (this->desired_threads == 0 ||
+		pthread_create(&thread, NULL, (void*)process_jobs, this) != 0)
 	{
 		this->mutex->lock(this->mutex);
 		this->total_threads--;
diff --git a/src/charon/processing/scheduler.c b/src/charon/processing/scheduler.c
index 42aa2579e..593a51f0b 100644
--- a/src/charon/processing/scheduler.c
+++ b/src/charon/processing/scheduler.c
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2008 Tobias Brunner
  * Copyright (C) 2005-2006 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
@@ -13,7 +14,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: scheduler.c 3589 2008-03-13 14:14:44Z martin $
+ * $Id: scheduler.c 4799 2008-12-12 09:16:31Z martin $
  */
 
 #include <stdlib.h>
@@ -25,6 +26,10 @@
 #include <daemon.h>
 #include <processing/processor.h>
 #include <processing/jobs/callback_job.h>
+#include <utils/mutex.h>
+
+/* the initial size of the heap */
+#define HEAP_SIZE_DEFAULT 64
 
 typedef struct event_t event_t;
 
@@ -64,26 +69,34 @@ struct private_scheduler_t {
 	 scheduler_t public;
 
 	/**
-	 * Job wich schedules
+	 * Job which queues scheduled jobs to the processor.
 	 */
 	callback_job_t *job;
+		
+	/**
+	 * The heap in which the events are stored.
+	 */
+	event_t **heap;
+	
+	/**
+	 * The size of the heap.
+	 */
+	u_int heap_size;
 	
 	/**
-	 * The jobs are scheduled in a list.
+	 * The number of scheduled events.
 	 */
-	linked_list_t *list;
+	u_int event_count;
 
 	/**
 	 * Exclusive access to list
 	 */
-	pthread_mutex_t mutex;
+	mutex_t *mutex;
 
 	/**
 	 * Condvar to wait for next job.
 	 */
-	pthread_cond_t condvar;
-	
-	bool cancelled;
+	condvar_t *condvar;
 };
 
 /**
@@ -99,50 +112,103 @@ static long time_difference(timeval_t *end, timeval_t *start)
 	return (s * 1000 + us/1000);
 }
 
+/**
+ * Returns the top event without removing it. Returns NULL if the heap is empty.
+ */
+static event_t *peek_event(private_scheduler_t *this)
+{
+	return this->event_count > 0 ? this->heap[1] : NULL;
+}
+
+/**
+ * Removes the top event from the heap and returns it. Returns NULL if the heap
+ * is empty.
+ */
+static event_t *remove_event(private_scheduler_t *this)
+{
+	event_t *event, *top;
+	if (!this->event_count)
+	{
+		return NULL;
+	}
+	
+	/* store the value to return */
+	event = this->heap[1];
+	/* move the bottom event to the top */
+	top = this->heap[1] = this->heap[this->event_count];
+		
+	if (--this->event_count > 1)
+	{
+		/* seep down the top event */
+		u_int position = 1;
+		while ((position << 1) <= this->event_count)
+		{
+			u_int child = position << 1;
+			
+			if ((child + 1) <= this->event_count &&
+				time_difference(&this->heap[child + 1]->time,
+								&this->heap[child]->time) < 0)
+			{
+				/* the "right" child is smaller */
+				child++;
+			}
+			
+			if (time_difference(&top->time, &this->heap[child]->time) <= 0)
+			{
+				/* the top event fires before the smaller of the two children, stop */
+				break;
+			}
+			
+			/* exchange with the smaller child */
+			this->heap[position] = this->heap[child];
+			position = child;
+		}
+		this->heap[position] = top;
+	}
+	return event;
+}
+
 /**
  * Get events from the queue and pass it to the processor
  */
 static job_requeue_t schedule(private_scheduler_t * this)
 {
-	timespec_t timeout;
 	timeval_t now;
 	event_t *event;
 	long difference;
 	int oldstate;
 	bool timed = FALSE;
 	
-	DBG2(DBG_JOB, "waiting for next event...");
-	pthread_mutex_lock(&this->mutex);
+	this->mutex->lock(this->mutex);
 	
 	gettimeofday(&now, NULL);
 	
-	if (this->list->get_count(this->list) > 0)
+	if ((event = peek_event(this)) != NULL)
 	{
-		this->list->get_first(this->list, (void **)&event);
 		difference = time_difference(&now, &event->time);
-		if (difference > 0)
+		if (difference >= 0)
 		{
-			DBG2(DBG_JOB, "got event, queueing job for execution");
-			this->list->remove_first(this->list, (void **)&event);	
-			pthread_mutex_unlock(&this->mutex);
+			remove_event(this);
+			this->mutex->unlock(this->mutex);
+			DBG2(DBG_JOB, "got event, queuing job for execution");
 			charon->processor->queue_job(charon->processor, event->job);
 			free(event);
 			return JOB_REQUEUE_DIRECT;
 		}
-		timeout.tv_sec = event->time.tv_sec;
-		timeout.tv_nsec = event->time.tv_usec * 1000;
+		DBG2(DBG_JOB, "next event in %ldms, waiting", -difference);
 		timed = TRUE;
 	}
-	pthread_cleanup_push((void*)pthread_mutex_unlock, &this->mutex);
+	pthread_cleanup_push((void*)this->mutex->unlock, this->mutex);
 	pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
 	
 	if (timed)
 	{
-		pthread_cond_timedwait(&this->condvar, &this->mutex, &timeout);
+		this->condvar->timed_wait_abs(this->condvar, this->mutex, event->time);
 	}
 	else
 	{
-		pthread_cond_wait(&this->condvar, &this->mutex);
+		DBG2(DBG_JOB, "no events, waiting");
+		this->condvar->wait(this->condvar, this->mutex);
 	}
 	pthread_setcancelstate(oldstate, NULL);
 	pthread_cleanup_pop(TRUE);
@@ -155,9 +221,9 @@ static job_requeue_t schedule(private_scheduler_t * this)
 static u_int get_job_load(private_scheduler_t *this)
 {
 	int count;
-	pthread_mutex_lock(&this->mutex);
-	count = this->list->get_count(this->list);
-	pthread_mutex_unlock(&this->mutex);
+	this->mutex->lock(this->mutex);
+	count = this->event_count;
+	this->mutex->unlock(this->mutex);
 	return count;
 }
 
@@ -167,8 +233,8 @@ static u_int get_job_load(private_scheduler_t *this)
 static void schedule_job(private_scheduler_t *this, job_t *job, u_int32_t time)
 {
 	timeval_t now;
-	event_t *event, *current;
-	iterator_t *iterator;
+	event_t *event;
+	u_int position;
 	time_t s;
 	suseconds_t us;
 	
@@ -182,46 +248,30 @@ static void schedule_job(private_scheduler_t *this, job_t *job, u_int32_t time)
 	event->time.tv_usec = (now.tv_usec + us) % 1000000;
 	event->time.tv_sec = now.tv_sec + (now.tv_usec + us)/1000000 + s;
 	
-	pthread_mutex_lock(&this->mutex);
-	while(TRUE)
+	this->mutex->lock(this->mutex);
+	
+	this->event_count++;
+	if (this->event_count > this->heap_size)
 	{
-		if (this->list->get_count(this->list) == 0)
-		{
-			this->list->insert_first(this->list,event);
-			break;
-		}
-
-		this->list->get_last(this->list, (void**)&current);
-		if (time_difference(&event->time, &current->time) >= 0)
-		{	/* new event has to be fired after the last event in list */
-			this->list->insert_last(this->list, event);
-			break;
-		}
-
-		this->list->get_first(this->list, (void**)&current);
-		if (time_difference(&event->time, &current->time) < 0)
-		{	/* new event has to be fired before the first event in list */
-			this->list->insert_first(this->list, event);
-			break;
-		}
-		
-		iterator = this->list->create_iterator(this->list, TRUE);
-		/* first element has not to be checked (already done) */
-		iterator->iterate(iterator, (void**)&current);
-		while(iterator->iterate(iterator, (void**)&current))
-		{
-			if (time_difference(&event->time, &current->time) <= 0)
-			{
-				/* new event has to be fired before the current event in list */
-				iterator->insert_before(iterator, event);
-				break;
-			}
-		}
-		iterator->destroy(iterator);
-		break;
+		/* double the size of the heap */
+		this->heap_size <<= 1;
+		this->heap = (event_t**)realloc(this->heap, (this->heap_size + 1) * sizeof(event_t*));
 	}
-	pthread_cond_signal(&this->condvar);
-	pthread_mutex_unlock(&this->mutex);
+	/* "put" the event to the bottom */
+	position = this->event_count;
+	
+	/* then bubble it up */
+	while (position > 1 && time_difference(&this->heap[position >> 1]->time,
+										   &event->time) > 0)
+	{
+		/* parent has to be fired after the new event, move up */
+		this->heap[position] = this->heap[position >> 1];
+		position >>= 1;
+	}
+	this->heap[position] = event;
+	
+	this->condvar->signal(this->condvar);
+	this->mutex->unlock(this->mutex);
 }
 
 /**
@@ -229,9 +279,15 @@ static void schedule_job(private_scheduler_t *this, job_t *job, u_int32_t time)
  */
 static void destroy(private_scheduler_t *this)
 {
-	this->cancelled = TRUE;
+	event_t *event;
 	this->job->cancel(this->job);
-	this->list->destroy_function(this->list, (void*)event_destroy);
+	this->condvar->destroy(this->condvar);
+	this->mutex->destroy(this->mutex);
+	while ((event = remove_event(this)) != NULL)
+	{
+		event_destroy(event);
+	}
+	free(this->heap);
 	free(this);
 }
 
@@ -246,10 +302,13 @@ scheduler_t * scheduler_create()
 	this->public.schedule_job = (void (*) (scheduler_t *this, job_t *job, u_int32_t ms)) schedule_job;
 	this->public.destroy = (void(*)(scheduler_t*)) destroy;
 	
-	this->list = linked_list_create();
-	this->cancelled = FALSE;
-	pthread_mutex_init(&this->mutex, NULL);
-	pthread_cond_init(&this->condvar, NULL);
+	/* Note: the root of the heap is at index 1 */
+	this->event_count = 0;
+	this->heap_size = HEAP_SIZE_DEFAULT;
+	this->heap = (event_t**)calloc(this->heap_size + 1, sizeof(event_t*));
+	
+	this->mutex = mutex_create(MUTEX_DEFAULT);
+	this->condvar = condvar_create(CONDVAR_DEFAULT);
 	
 	this->job = callback_job_create((callback_job_cb_t)schedule, this, NULL, NULL);
 	charon->processor->queue_job(charon->processor, (job_t*)this->job);
diff --git a/src/charon/sa/authenticators/eap/eap_method.c b/src/charon/sa/authenticators/eap/eap_method.c
index 11b12fb49..6babab212 100644
--- a/src/charon/sa/authenticators/eap/eap_method.c
+++ b/src/charon/sa/authenticators/eap/eap_method.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: eap_method.c 4269 2008-08-21 12:10:07Z martin $
+ * $Id: eap_method.c 4882 2009-02-18 19:57:15Z tobias $
  */
 
 #include "eap_method.h"
@@ -28,7 +28,9 @@ ENUM_NEXT(eap_type_names, EAP_SIM, EAP_SIM, EAP_GTC,
 	"EAP_SIM");
 ENUM_NEXT(eap_type_names, EAP_AKA, EAP_AKA, EAP_SIM,
 	"EAP_AKA");
-ENUM_NEXT(eap_type_names, EAP_EXPANDED, EAP_EXPERIMENTAL, EAP_AKA,
+ENUM_NEXT(eap_type_names, EAP_MSCHAPV2, EAP_MSCHAPV2, EAP_AKA,
+	"EAP_MSCHAPV2");
+ENUM_NEXT(eap_type_names, EAP_EXPANDED, EAP_EXPERIMENTAL, EAP_MSCHAPV2,
 	"EAP_EXPANDED",
 	"EAP_EXPERIMENTAL");
 ENUM_END(eap_type_names, EAP_EXPERIMENTAL);
diff --git a/src/charon/sa/authenticators/eap/eap_method.h b/src/charon/sa/authenticators/eap/eap_method.h
index 663117931..1fd7bd24b 100644
--- a/src/charon/sa/authenticators/eap/eap_method.h
+++ b/src/charon/sa/authenticators/eap/eap_method.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: eap_method.h 4276 2008-08-22 10:44:51Z martin $
+ * $Id: eap_method.h 4882 2009-02-18 19:57:15Z tobias $
  */
 
 /**
@@ -56,6 +56,7 @@ enum eap_type_t {
 	EAP_GTC = 6,
 	EAP_SIM = 18,
 	EAP_AKA = 23,
+	EAP_MSCHAPV2 = 26,
 	EAP_EXPANDED = 254,
 	EAP_EXPERIMENTAL = 255,
 };
diff --git a/src/charon/sa/authenticators/eap_authenticator.c b/src/charon/sa/authenticators/eap_authenticator.c
index 5c22f3df2..0c0abcf2e 100644
--- a/src/charon/sa/authenticators/eap_authenticator.c
+++ b/src/charon/sa/authenticators/eap_authenticator.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: eap_authenticator.c 4495 2008-10-28 16:07:06Z martin $
+ * $Id: eap_authenticator.c 4754 2008-12-04 10:09:21Z martin $
  */
 
 #include <string.h>
@@ -360,6 +360,7 @@ static status_t process_eap_identity(private_eap_authenticator_t *this,
 	}
 	/* restart EAP exchange, but with real method */
 	this->method->destroy(this->method);
+	this->method = NULL;
 	this->do_eap_identity = FALSE;
 	return initiate(this, this->type, this->vendor, out);
 }
diff --git a/src/charon/sa/child_sa.c b/src/charon/sa/child_sa.c
index d7a63d5e8..022b9149a 100644
--- a/src/charon/sa/child_sa.c
+++ b/src/charon/sa/child_sa.c
@@ -15,7 +15,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: child_sa.c 4665 2008-11-17 00:01:34Z andreas $
+ * $Id: child_sa.c 4677 2008-11-19 15:31:27Z martin $
  */
 
 #define _GNU_SOURCE
@@ -89,16 +89,6 @@ struct private_child_sa_t {
 	 */
 	linked_list_t *other_ts;
 	
-	/**
-	 * Allocated SPI for a ESP proposal candidates
-	 */
-	u_int32_t alloc_esp_spi;
-	
-	/**
-	 * Allocated SPI for a AH proposal candidates
-	 */
-	u_int32_t alloc_ah_spi;
-	
 	/**
 	 * Protocol used to protect this SA, ESP|AH
 	 */
@@ -134,11 +124,6 @@ struct private_child_sa_t {
 	 */
 	ipcomp_transform_t ipcomp;
 	
-	/**
-	 * TRUE if we allocated (or tried to allocate) a CPI
-	 */
-	bool cpi_allocated;
-	
 	/**
 	 * mode this SA uses, tunnel/transport
 	 */
@@ -170,7 +155,32 @@ static u_int32_t get_reqid(private_child_sa_t *this)
 {
 	return this->reqid;
 }
-	
+
+/**
+ * Implements child_sa_t.get_config
+ */
+static child_cfg_t* get_config(private_child_sa_t *this)
+{
+	return this->config;
+}
+
+/**
+ * Implements child_sa_t.set_state
+ */
+static void set_state(private_child_sa_t *this, child_sa_state_t state)
+{
+	charon->bus->child_state_change(charon->bus, &this->public, state);
+	this->state = state;
+}
+
+/**
+ * Implements child_sa_t.get_state
+ */
+static child_sa_state_t get_state(private_child_sa_t *this)
+{
+	return this->state;
+}
+
 /**
  * Implements child_sa_t.get_spi
  */
@@ -195,6 +205,14 @@ protocol_id_t get_protocol(private_child_sa_t *this)
 	return this->protocol;
 }
 
+/**
+ * Implementation of child_sa_t.set_protocol
+ */
+static void set_protocol(private_child_sa_t *this, protocol_id_t protocol)
+{
+	this->protocol = protocol;
+}
+
 /**
  * Implementation of child_sa_t.get_mode
  */
@@ -203,6 +221,14 @@ static ipsec_mode_t get_mode(private_child_sa_t *this)
 	return this->mode;
 }
 
+/**
+ * Implementation of child_sa_t.set_mode
+ */
+static void set_mode(private_child_sa_t *this, ipsec_mode_t mode)
+{
+	this->mode = mode;
+}
+
 /**
  * Implementation of child_sa_t.has_encap
  */
@@ -220,19 +246,35 @@ static ipcomp_transform_t get_ipcomp(private_child_sa_t *this)
 }
 
 /**
- * Implements child_sa_t.get_state
+ * Implementation of child_sa_t.set_ipcomp.
  */
-static child_sa_state_t get_state(private_child_sa_t *this)
+static void set_ipcomp(private_child_sa_t *this, ipcomp_transform_t ipcomp)
 {
-	return this->state;
+	this->ipcomp = ipcomp;
 }
 
 /**
- * Implements child_sa_t.get_config
+ * Implementation of child_sa_t.get_proposal
  */
-static child_cfg_t* get_config(private_child_sa_t *this)
+static proposal_t* get_proposal(private_child_sa_t *this)
 {
-	return this->config;
+	return this->proposal;
+}
+
+/**
+ * Implementation of child_sa_t.set_proposal
+ */
+static void set_proposal(private_child_sa_t *this, proposal_t *proposal)
+{
+	this->proposal = proposal->clone(proposal);
+}
+
+/**
+ * Implementation of child_sa_t.get_traffic_selectors.
+ */
+static linked_list_t *get_traffic_selectors(private_child_sa_t *this, bool local)
+{
+	return local ? this->my_ts : this->other_ts;
 }
 
 typedef struct policy_enumerator_t policy_enumerator_t;
@@ -366,143 +408,100 @@ static u_int32_t get_lifetime(private_child_sa_t *this, bool hard)
 }
 
 /**
- * Implements child_sa_t.set_state
- */
-static void set_state(private_child_sa_t *this, child_sa_state_t state)
-{
-	charon->bus->child_state_change(charon->bus, &this->public, state);
-	this->state = state;
-}
-
-/**
- * Allocate SPI for a single proposal
+ * Implementation of child_sa_t.alloc_spi
  */
-static status_t alloc_proposal(private_child_sa_t *this, proposal_t *proposal)
+static u_int32_t alloc_spi(private_child_sa_t *this, protocol_id_t protocol)
 {
-	protocol_id_t protocol = proposal->get_protocol(proposal);
-		
-	if (protocol == PROTO_AH)
+	switch (protocol)
 	{
-		/* get a new spi for AH, if not already done */
-		if (this->alloc_ah_spi == 0)
-		{
-			if (charon->kernel_interface->get_spi(
-						 charon->kernel_interface, 
-						 this->other_addr, this->my_addr,
-						 PROTO_AH, this->reqid,
-						 &this->alloc_ah_spi) != SUCCESS)
+		case PROTO_AH:
+			if (charon->kernel_interface->get_spi(charon->kernel_interface, 
+							this->other_addr, this->my_addr, PROTO_AH,
+							this->reqid, &this->my_spi) == SUCCESS)
 			{
-				return FAILED;
+				return this->my_spi;
 			}
-		}
-		proposal->set_spi(proposal, this->alloc_ah_spi);
-	}
-	if (protocol == PROTO_ESP)
-	{
-		/* get a new spi for ESP, if not already done */
-		if (this->alloc_esp_spi == 0)
-		{
-			if (charon->kernel_interface->get_spi(
-						 charon->kernel_interface,
-						 this->other_addr, this->my_addr,
-						 PROTO_ESP, this->reqid,
-						 &this->alloc_esp_spi) != SUCCESS)
+			break;
+		case PROTO_ESP:
+			if (charon->kernel_interface->get_spi(charon->kernel_interface,
+							this->other_addr, this->my_addr, PROTO_ESP,
+							this->reqid, &this->my_spi) == SUCCESS)
 			{
-				return FAILED;
+				return this->my_spi;
 			}
-		}
-		proposal->set_spi(proposal, this->alloc_esp_spi);
+			break;
+		default:
+			break;
 	}
-	return SUCCESS;
+	return 0;
 }
 
 /**
- * Implements child_sa_t.alloc
+ * Implementation of child_sa_t.alloc_cpi
  */
-static status_t alloc(private_child_sa_t *this, linked_list_t *proposals)
+static u_int16_t alloc_cpi(private_child_sa_t *this)
 {
-	iterator_t *iterator;
-	proposal_t *proposal;
-	
-	/* iterator through proposals to update spis */
-	iterator = proposals->create_iterator(proposals, TRUE);
-	while(iterator->iterate(iterator, (void**)&proposal))
+	if (charon->kernel_interface->get_cpi(charon->kernel_interface,
+					this->other_addr, this->my_addr, this->reqid,
+					&this->my_cpi) == SUCCESS)
 	{
-		if (alloc_proposal(this, proposal) != SUCCESS)
-		{
-			iterator->destroy(iterator);
-			return FAILED;
-		}
+		return this->my_cpi;
 	}
-	iterator->destroy(iterator);
-	return SUCCESS;
+	return 0;
 }
 
 /**
- * Install an SA for one direction
+ * Implementation of child_sa_t.install
  */
-static status_t install(private_child_sa_t *this, proposal_t *proposal,
-						ipsec_mode_t mode, chunk_t integ, chunk_t encr, bool in)
+static status_t install(private_child_sa_t *this, chunk_t encr, chunk_t integ,
+						u_int32_t spi, u_int16_t cpi, bool inbound)
 {
 	u_int16_t enc_alg = ENCR_UNDEFINED, int_alg = AUTH_UNDEFINED, size;
-	u_int32_t spi, soft, hard, now;
+	u_int32_t soft, hard, now;
 	host_t *src, *dst;
 	status_t status;
+	bool update = FALSE;
 	
 	/* now we have to decide which spi to use. Use self allocated, if "in",
 	 * or the one in the proposal, if not "in" (others). Additionally,
 	 * source and dest host switch depending on the role */
-	if (in)
+	if (inbound)
 	{
-		/* if we have allocated SPIs for AH and ESP, we must delete the unused
-		 * one. */
-		if (this->protocol == PROTO_ESP)
-		{
-			this->my_spi = this->alloc_esp_spi;
-			if (this->alloc_ah_spi)
-			{
-				charon->kernel_interface->del_sa(charon->kernel_interface,
-								this->my_addr, this->alloc_ah_spi, 0, PROTO_AH);
-			}
-		}
-		else
-		{
-			this->my_spi = this->alloc_ah_spi;
-			if (this->alloc_esp_spi)
-			{
-				charon->kernel_interface->del_sa(charon->kernel_interface,
-								this->my_addr, this->alloc_esp_spi, 0, PROTO_ESP);
-			}
-		}
-		spi = this->my_spi;
 		dst = this->my_addr;
 		src = this->other_addr;
+		if (this->my_spi == spi)
+		{	/* alloc_spi has been called, do an SA update */
+			update = TRUE;
+		}
+		this->my_spi = spi;
+		this->my_cpi = cpi;
 	}
 	else
 	{
-		this->other_spi = proposal->get_spi(proposal);
-		spi = this->other_spi;
 		src = this->my_addr;
 		dst = this->other_addr;
+		this->other_spi = spi;
+		this->other_cpi = cpi;
 	}
 	
-	DBG2(DBG_CHD, "adding %s %N SA", in ? "inbound" : "outbound",
+	DBG2(DBG_CHD, "adding %s %N SA", inbound ? "inbound" : "outbound",
 		 protocol_id_names, this->protocol);
 	
 	/* send SA down to the kernel */
 	DBG2(DBG_CHD, "  SPI 0x%.8x, src %H dst %H", ntohl(spi), src, dst);
 	
-	proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, &enc_alg, &size);
-	proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM, &int_alg, &size);
+	this->proposal->get_algorithm(this->proposal, ENCRYPTION_ALGORITHM,
+								  &enc_alg, &size);
+	this->proposal->get_algorithm(this->proposal, INTEGRITY_ALGORITHM,
+								  &int_alg, &size);
 	
 	soft = this->config->get_lifetime(this->config, TRUE);
 	hard = this->config->get_lifetime(this->config, FALSE);
-
+	
 	status = charon->kernel_interface->add_sa(charon->kernel_interface,
 				src, dst, spi, this->protocol, this->reqid,
-				in ? soft : 0, hard, enc_alg, encr, int_alg, integ,
-				mode, this->ipcomp, in ? this->my_cpi : this->other_cpi,
-				this->encap, in);
+				inbound ? soft : 0, hard, enc_alg, encr, int_alg, integ,
+				this->mode, this->ipcomp, cpi, this->encap, update);
 	
 	now = time(NULL);
 	this->rekey_time = now + soft;
@@ -510,84 +509,17 @@ static status_t install(private_child_sa_t *this, proposal_t *proposal,
 	return status;
 }
 
-/**
- * Implementation of child_sa_t.add
- */
-static status_t add(private_child_sa_t *this, 
-					proposal_t *proposal, ipsec_mode_t mode,
-					chunk_t integ_in, chunk_t integ_out,
-					chunk_t encr_in, chunk_t encr_out)
-{
-	this->proposal = proposal->clone(proposal);
-	this->protocol = proposal->get_protocol(proposal);
-	
-	/* get SPIs for inbound SAs, write to proposal */
-	if (alloc_proposal(this, proposal) != SUCCESS)
-	{
-		return FAILED;
-	}
-	/* install inbound SAs using allocated SPI */
-	if (install(this, proposal, mode, integ_in, encr_in, TRUE) != SUCCESS)
-	{
-		return FAILED;
-	}
-	/* install outbound SAs using received SPI*/
-	if (install(this, this->proposal, mode, integ_out, encr_out, FALSE) != SUCCESS)
-	{
-		return FAILED;
-	}
-	return SUCCESS;
-}
-
-/**
- * Implementation of child_sa_t.update
- */
-static status_t update(private_child_sa_t *this,
-					   proposal_t *proposal, ipsec_mode_t mode,
-					   chunk_t integ_in, chunk_t integ_out,
-					   chunk_t encr_in, chunk_t encr_out)
-{
-	this->proposal = proposal->clone(proposal);
-	this->protocol = proposal->get_protocol(proposal);
-	
-	/* install outbound SAs */
-	if (install(this, proposal, mode, integ_out, encr_out, FALSE) != SUCCESS)
-	{
-		return FAILED;
-	}
-	/* install inbound SAs */
-	if (install(this, proposal, mode, integ_in, encr_in, TRUE) != SUCCESS)
-	{
-		return FAILED;
-	}
-	return SUCCESS;
-}
-
-/**
- * Implementation of child_sa_t.get_proposal
- */
-static proposal_t* get_proposal(private_child_sa_t *this)
-{
-	return this->proposal;
-}
-
 /**
  * Implementation of child_sa_t.add_policies
  */
 static status_t add_policies(private_child_sa_t *this,
-					linked_list_t *my_ts_list, linked_list_t *other_ts_list,
-					ipsec_mode_t mode, protocol_id_t proto)
+					linked_list_t *my_ts_list, linked_list_t *other_ts_list)
 {
 	enumerator_t *enumerator;
 	traffic_selector_t *my_ts, *other_ts;
 	status_t status = SUCCESS;
 	bool routed = (this->state == CHILD_CREATED);
 	
-	if (this->protocol == PROTO_NONE)
-	{	/* update if not set yet */
-		this->protocol = proto;
-	}
-
 	/* apply traffic selectors */
 	enumerator = my_ts_list->create_enumerator(my_ts_list);
 	while (enumerator->enumerate(enumerator, &my_ts))
@@ -611,19 +543,19 @@ static status_t add_policies(private_child_sa_t *this,
 			/* install 3 policies: out, in and forward */
 			status |= charon->kernel_interface->add_policy(charon->kernel_interface,
 					this->my_addr, this->other_addr, my_ts, other_ts, POLICY_OUT,
-					this->other_spi, this->protocol, this->reqid, mode, this->ipcomp,
-					this->other_cpi, routed);
+					this->other_spi, this->protocol, this->reqid, this->mode,
+					this->ipcomp, this->other_cpi, routed);
 			
 			status |= charon->kernel_interface->add_policy(charon->kernel_interface,
 					this->other_addr, this->my_addr, other_ts, my_ts, POLICY_IN,
-					this->my_spi, this->protocol, this->reqid, mode, this->ipcomp,
-					this->my_cpi, routed);
-			if (mode != MODE_TRANSPORT)
+					this->my_spi, this->protocol, this->reqid, this->mode,
+					this->ipcomp, this->my_cpi, routed);
+			if (this->mode != MODE_TRANSPORT)
 			{
 				status |= charon->kernel_interface->add_policy(charon->kernel_interface,
 					this->other_addr, this->my_addr, other_ts, my_ts, POLICY_FWD,
-					this->my_spi, this->protocol, this->reqid, mode, this->ipcomp,
-					this->my_cpi, routed);
+					this->my_spi, this->protocol, this->reqid, this->mode,
+					this->ipcomp, this->my_cpi, routed);
 			}
 			
 			if (status != SUCCESS)
@@ -634,32 +566,18 @@ static status_t add_policies(private_child_sa_t *this,
 		enumerator->destroy(enumerator);
 	}
 	
-	if (status == SUCCESS)
-	{
-		/* switch to routed state if no SAD entry set up */
-		if (this->state == CHILD_CREATED)
-		{
-			set_state(this, CHILD_ROUTED);
-		}
-		/* needed to update hosts */
-		this->mode = mode;
+	if (status == SUCCESS && this->state == CHILD_CREATED)
+	{	/* switch to routed state if no SAD entry set up */
+		set_state(this, CHILD_ROUTED);
 	}
 	return status;
 }
 
 /**
- * Implementation of child_sa_t.get_traffic_selectors.
+ * Implementation of child_sa_t.update.
  */
-static linked_list_t *get_traffic_selectors(private_child_sa_t *this, bool local)
-{
-	return local ? this->my_ts : this->other_ts;
-}
-
-/**
- * Implementation of child_sa_t.update_hosts.
- */
-static status_t update_hosts(private_child_sa_t *this, 
-							 host_t *me, host_t *other, host_t *vip, bool encap) 
+static status_t update(private_child_sa_t *this,  host_t *me, host_t *other,
+					   host_t *vip, bool encap) 
 {
 	child_sa_state_t old;
 	bool transport_proxy_mode;
@@ -791,30 +709,6 @@ static status_t update_hosts(private_child_sa_t *this,
 	return SUCCESS;
 }
 
-/**
- * Implementation of child_sa_t.activate_ipcomp.
- */
-static void activate_ipcomp(private_child_sa_t *this, ipcomp_transform_t ipcomp,
-		u_int16_t other_cpi)
-{
-	this->ipcomp = ipcomp;
-	this->other_cpi = other_cpi;
-}
-
-/**
- * Implementation of child_sa_t.allocate_cpi.
- */
-static u_int16_t allocate_cpi(private_child_sa_t *this)
-{
-	if (!this->cpi_allocated)
-	{
-		charon->kernel_interface->get_cpi(charon->kernel_interface,
-			this->other_addr, this->my_addr, this->reqid, &this->my_cpi);
-		this->cpi_allocated = TRUE;
-	}
-	return this->my_cpi;
-}
-
 /**
  * Implementation of child_sa_t.destroy.
  */
@@ -833,16 +727,6 @@ static void destroy(private_child_sa_t *this)
 					this->my_addr, this->my_spi, this->protocol,
 					this->my_cpi);
 	}
-	if (this->alloc_esp_spi && this->alloc_esp_spi != this->my_spi)
-	{
-		charon->kernel_interface->del_sa(charon->kernel_interface,
-					this->my_addr, this->alloc_esp_spi, PROTO_ESP, 0);
-	}
-	if (this->alloc_ah_spi && this->alloc_ah_spi != this->my_spi)
-	{
-		charon->kernel_interface->del_sa(charon->kernel_interface,
-					this->my_addr, this->alloc_ah_spi, PROTO_AH, 0);
-	}
 	if (this->other_spi)
 	{
 		charon->kernel_interface->del_sa(charon->kernel_interface,
@@ -890,40 +774,39 @@ child_sa_t * child_sa_create(host_t *me, host_t* other,
 	/* public functions */
 	this->public.get_name = (char*(*)(child_sa_t*))get_name;
 	this->public.get_reqid = (u_int32_t(*)(child_sa_t*))get_reqid;
+	this->public.get_config = (child_cfg_t*(*)(child_sa_t*))get_config;
+	this->public.get_state = (child_sa_state_t(*)(child_sa_t*))get_state;
+	this->public.set_state = (void(*)(child_sa_t*,child_sa_state_t))set_state;
 	this->public.get_spi = (u_int32_t(*)(child_sa_t*, bool))get_spi;
 	this->public.get_cpi = (u_int16_t(*)(child_sa_t*, bool))get_cpi;
 	this->public.get_protocol = (protocol_id_t(*)(child_sa_t*))get_protocol;
+	this->public.set_protocol = (void(*)(child_sa_t*, protocol_id_t protocol))set_protocol;
 	this->public.get_mode = (ipsec_mode_t(*)(child_sa_t*))get_mode;
-	this->public.get_ipcomp = (ipcomp_transform_t(*)(child_sa_t*))get_ipcomp;
-	this->public.has_encap = (bool(*)(child_sa_t*))has_encap;
+	this->public.set_mode = (void(*)(child_sa_t*, ipsec_mode_t mode))set_mode;
+	this->public.get_proposal = (proposal_t*(*)(child_sa_t*))get_proposal;
+	this->public.set_proposal = (void(*)(child_sa_t*, proposal_t *proposal))set_proposal;
 	this->public.get_lifetime = (u_int32_t(*)(child_sa_t*, bool))get_lifetime;
 	this->public.get_usetime = (u_int32_t(*)(child_sa_t*, bool))get_usetime;
-	this->public.alloc = (status_t(*)(child_sa_t*,linked_list_t*))alloc;
-	this->public.add = (status_t(*)(child_sa_t*,proposal_t*,ipsec_mode_t,chunk_t,chunk_t,chunk_t,chunk_t))add;
-	this->public.update = (status_t(*)(child_sa_t*,proposal_t*,ipsec_mode_t,chunk_t,chunk_t,chunk_t,chunk_t))update;
-	this->public.get_proposal = (proposal_t*(*)(child_sa_t*))get_proposal;
-	this->public.update_hosts = (status_t (*)(child_sa_t*,host_t*,host_t*,host_t*,bool))update_hosts;
-	this->public.add_policies = (status_t (*)(child_sa_t*, linked_list_t*,linked_list_t*,ipsec_mode_t,protocol_id_t))add_policies;
+	this->public.has_encap = (bool(*)(child_sa_t*))has_encap;
+	this->public.get_ipcomp = (ipcomp_transform_t(*)(child_sa_t*))get_ipcomp;
+	this->public.set_ipcomp = (void(*)(child_sa_t*,ipcomp_transform_t))set_ipcomp;
+	this->public.alloc_spi = (u_int32_t(*)(child_sa_t*, protocol_id_t protocol))alloc_spi;
+	this->public.alloc_cpi = (u_int16_t(*)(child_sa_t*))alloc_cpi;
+	this->public.install = (status_t(*)(child_sa_t*, chunk_t encr, chunk_t integ, u_int32_t spi, u_int16_t cpi, bool inbound))install;
+	this->public.update = (status_t (*)(child_sa_t*,host_t*,host_t*,host_t*,bool))update;
+	this->public.add_policies = (status_t (*)(child_sa_t*, linked_list_t*,linked_list_t*))add_policies;
 	this->public.get_traffic_selectors = (linked_list_t*(*)(child_sa_t*,bool))get_traffic_selectors;
 	this->public.create_policy_enumerator = (enumerator_t*(*)(child_sa_t*))create_policy_enumerator;
-	this->public.set_state = (void(*)(child_sa_t*,child_sa_state_t))set_state;
-	this->public.get_state = (child_sa_state_t(*)(child_sa_t*))get_state;
-	this->public.get_config = (child_cfg_t*(*)(child_sa_t*))get_config;
-	this->public.activate_ipcomp = (void(*)(child_sa_t*,ipcomp_transform_t,u_int16_t))activate_ipcomp;
-	this->public.allocate_cpi = (u_int16_t(*)(child_sa_t*))allocate_cpi;
 	this->public.destroy = (void(*)(child_sa_t*))destroy;
-
+	
 	/* private data */
 	this->my_addr = me->clone(me);
 	this->other_addr = other->clone(other);
 	this->my_spi = 0;
-	this->my_cpi = 0;
 	this->other_spi = 0;
+	this->my_cpi = 0;
 	this->other_cpi = 0;
-	this->alloc_ah_spi = 0;
-	this->alloc_esp_spi = 0;
 	this->encap = encap;
-	this->cpi_allocated = FALSE;
 	this->ipcomp = IPCOMP_NONE;
 	this->state = CHILD_CREATED;
 	/* reuse old reqid if we are rekeying an existing CHILD_SA */
@@ -935,7 +818,7 @@ child_sa_t * child_sa_create(host_t *me, host_t* other,
 	this->proposal = NULL;
 	this->config = config;
 	config->get_ref(config);
-
+	
 	/* MIPv6 proxy transport mode sets SA endpoints to TS hosts */	
 	if (config->get_mode(config) == MODE_TRANSPORT &&
 	    config->use_proxy_mode(config))
@@ -947,9 +830,9 @@ child_sa_t * child_sa_create(host_t *me, host_t* other,
 		enumerator_t *enumerator;
 		linked_list_t *my_ts_list, *other_ts_list;
 		traffic_selector_t *my_ts, *other_ts;
-
+		
 		this->mode = MODE_TRANSPORT;
-
+		
 		my_ts_list = config->get_traffic_selectors(config, TRUE, NULL, me);
 		enumerator = my_ts_list->create_enumerator(my_ts_list);
 		if (enumerator->enumerate(enumerator, &my_ts))
@@ -970,7 +853,7 @@ child_sa_t * child_sa_create(host_t *me, host_t* other,
 		}
 		enumerator->destroy(enumerator);
 		my_ts_list->destroy_offset(my_ts_list, offsetof(traffic_selector_t, destroy));
-
+		
 		other_ts_list = config->get_traffic_selectors(config, FALSE, NULL, other);
 		enumerator = other_ts_list->create_enumerator(other_ts_list);
 		if (enumerator->enumerate(enumerator, &other_ts))
diff --git a/src/charon/sa/child_sa.h b/src/charon/sa/child_sa.h
index 7109de5cd..277fd0a79 100644
--- a/src/charon/sa/child_sa.h
+++ b/src/charon/sa/child_sa.h
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2006-2008 Tobias Brunner
- * Copyright (C) 2006-2007 Martin Willi
+ * Copyright (C) 2006-2008 Martin Willi
  * Copyright (C) 2006 Daniel Roethlisberger
  * Hochschule fuer Technik Rapperswil
  *
@@ -14,7 +14,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: child_sa.h 4618 2008-11-11 09:22:00Z tobias $
+ * $Id: child_sa.h 4677 2008-11-19 15:31:27Z martin $
  */
 
 /**
@@ -93,12 +93,13 @@ extern enum_name_t *child_sa_state_names;
  * SAs and the policies have the same reqid.
  * 
  * The procedure for child sa setup is as follows:
- * - A gets SPIs for a proposal via child_sa_t.alloc
- * - A send the updated proposal to B
+ * - A gets SPIs for a all protocols in its proposals via child_sa_t.alloc
+ * - A send the proposals with the allocated SPIs to B
  * - B selects a suitable proposal
- * - B calls child_sa_t.add to add and update the selected proposal
- * - B sends the updated proposal to A
- * - A calls child_sa_t.update to update the already allocated SPIs with the chosen proposal
+ * - B allocates an SPI for the selected protocol
+ * - B calls child_sa_t.install for both, the allocated and received SPI
+ * - B sends the proposal with the allocated SPI to A
+ * - A calls child_sa_t.install for both, the allocated and recevied SPI
  * 
  * Once SAs are set up, policies can be added using add_policies.
  */
@@ -121,6 +122,27 @@ struct child_sa_t {
 	 */
 	u_int32_t (*get_reqid)(child_sa_t *this);
 	
+	/**
+	 * Get the config used to set up this child sa.
+	 *
+	 * @return			child_cfg
+	 */
+	child_cfg_t* (*get_config) (child_sa_t *this);
+	
+	/**
+	 * Get the state of the CHILD_SA.
+	 *
+	 * @return 			CHILD_SA state
+	 */	
+	child_sa_state_t (*get_state) (child_sa_t *this);
+	
+	/**
+	 * Set the state of the CHILD_SA.
+	 *
+	 * @param state		state to set on CHILD_SA
+	 */	
+	void (*set_state) (child_sa_t *this, child_sa_state_t state);
+	
 	/**
 	 * Get the SPI of this CHILD_SA.
 	 * 
@@ -152,6 +174,13 @@ struct child_sa_t {
 	 */
 	protocol_id_t (*get_protocol) (child_sa_t *this);
 	
+	/**
+	 * Set the negotiated protocol to use for this CHILD_SA.
+	 *
+	 * @param protocol	AH | ESP
+	 */
+	void (*set_protocol)(child_sa_t *this, protocol_id_t protocol);
+	
 	/**
 	 * Get the IPsec mode of this CHILD_SA.
 	 *
@@ -159,6 +188,13 @@ struct child_sa_t {
 	 */
 	ipsec_mode_t (*get_mode)(child_sa_t *this);
 	
+	/**
+	 * Set the negotiated IPsec mode to use.
+	 *
+	 * @param mode		TUNNEL | TRANPORT | BEET
+	 */
+	void (*set_mode)(child_sa_t *this, ipsec_mode_t mode);
+	
 	/**
 	 * Get the used IPComp algorithm.
 	 *
@@ -166,6 +202,27 @@ struct child_sa_t {
 	 */
 	ipcomp_transform_t (*get_ipcomp)(child_sa_t *this);
 	
+	/**
+	 * Set the IPComp algorithm to use.
+	 * 
+	 * @param ipcomp	the IPComp transform to use
+	 */
+	void (*set_ipcomp)(child_sa_t *this, ipcomp_transform_t ipcomp);
+	
+	/**
+	 * Get the selected proposal.
+	 *
+	 * @return			selected proposal
+	 */
+	proposal_t* (*get_proposal)(child_sa_t *this);
+	
+	/**
+	 * Set the negotiated proposal.
+	 *
+	 * @param proposal	selected proposal
+	 */
+	void (*set_proposal)(child_sa_t *this, proposal_t *proposal);	
+	
 	/**
 	 * Check if this CHILD_SA uses UDP encapsulation.
 	 *
@@ -190,69 +247,48 @@ struct child_sa_t {
 	u_int32_t (*get_usetime)(child_sa_t *this, bool inbound);
 	
 	/**
-	 * Allocate SPIs for given proposals.
-	 * 
-	 * Since the kernel manages SPIs for us, we need
-	 * to allocate them. If a proposal contains more
-	 * than one protocol, for each protocol an SPI is
-	 * allocated. SPIs are stored internally and written
-	 * back to the proposal.
+	 * Get the traffic selectors list added for one side.
 	 *
-	 * @param proposals	list of proposals for which SPIs are allocated
-	 */
-	status_t (*alloc)(child_sa_t *this, linked_list_t* proposals);
+	 * @param local		TRUE for own traffic selectors, FALSE for remote
+	 * @return			list of traffic selectors
+	 */	
+	linked_list_t* (*get_traffic_selectors) (child_sa_t *this, bool local);
 	
 	/**
-	 * Install the kernel SAs for a proposal, without previous SPI allocation.
+	 * Create an enumerator over installed policies.
 	 *
-	 * @param proposal	proposal for which SPIs are allocated
-	 * @param mode		mode for the CHILD_SA
-	 * @param integ_in	integrity key for inbound traffic
-	 * @param integ_out	integrity key for outbound traffic
-	 * @param encr_in	encryption key for inbound traffic
-	 * @param enc_out	encryption key for outbound traffic
-	 * @return			SUCCESS or FAILED
+	 * @return			enumerator over pairs of traffic selectors.
 	 */
-	status_t (*add)(child_sa_t *this, proposal_t *proposal, ipsec_mode_t mode,
-					chunk_t integ_in, chunk_t integ_out,
-					chunk_t encr_in, chunk_t encr_out);
+	enumerator_t* (*create_policy_enumerator)(child_sa_t *this);
+	
 	/**
-	 * Install the kernel SAs for a proposal, after SPIs have been allocated.
-	 *
-	 * Updates an SA, for which SPIs are already allocated via alloc().
+	 * Allocate an SPI to include in a proposal.
 	 *
-	 * @param proposal	proposal for which SPIs are allocated
-	 * @param mode		mode for the CHILD_SA
-	 * @param integ_in	integrity key for inbound traffic
-	 * @param integ_out	integrity key for outbound traffic
-	 * @param encr_in	encryption key for inbound traffic
-	 * @param enc_out	encryption key for outbound traffic
-	 * @return			SUCCESS or FAILED
+	 * @param protocol	protocol to allocate SPI for (ESP|AH)
+	 * @param spi		SPI output pointer
+	 * @return			SPI, 0 on failure
 	 */
-	status_t (*update)(child_sa_t *this, proposal_t *proposal, ipsec_mode_t mode,
-					   chunk_t integ_in, chunk_t integ_out,
-					   chunk_t encr_in, chunk_t encr_out);
+	u_int32_t (*alloc_spi)(child_sa_t *this, protocol_id_t protocol);
+	
 	/**
-	 * Get the selected proposal passed to add()/update().
+	 * Allocate a CPI to use for IPComp.
 	 *
-	 * @return			selected proposal
+	 * @return			CPI, 0 on failure
 	 */
-	proposal_t* (*get_proposal)(child_sa_t *this);
+	u_int16_t (*alloc_cpi)(child_sa_t *this);
 	
 	/**
-	 * Update the hosts in the kernel SAs and policies.
+	 * Install an IPsec SA for one direction.
 	 *
-	 * The CHILD must be INSTALLED to do this update.
-	 *
-	 * @param me		the new local host
-	 * @param other		the new remote host
-	 * @param vip		virtual IP, if any
-	 * @param			TRUE to use UDP encapsulation for NAT traversal
+	 * @param encr		encryption key, if any
+	 * @param integ		integrity key
+	 * @param spi		SPI to use, allocated for inbound
+	 * @param cpi		CPI to use, allocated for outbound
+	 * @param inbound	TRUE to install an inbound SA, FALSE for outbound
 	 * @return			SUCCESS or FAILED
 	 */
-	status_t (*update_hosts)(child_sa_t *this, host_t *me, host_t *other,
-							 host_t *vip, bool encap);
-	
+	status_t (*install)(child_sa_t *this, chunk_t encr, chunk_t integ,
+						u_int32_t spi, u_int16_t cpi, bool inbound);
 	/**
 	 * Install the policies using some traffic selectors.
 	 *
@@ -261,64 +297,21 @@ struct child_sa_t {
 	 *
 	 * @param my_ts		traffic selectors for local site
 	 * @param other_ts	traffic selectors for remote site
-	 * @param mode		mode for the SA: tunnel/transport
-	 * @param proto		protocol for policy, ESP/AH
 	 * @return			SUCCESS or FAILED
 	 */	
 	status_t (*add_policies)(child_sa_t *this, linked_list_t *my_ts_list,
-							 linked_list_t *other_ts_list, ipsec_mode_t mode,
-							 protocol_id_t proto);
-	
-	/**
-	 * Get the traffic selectors of added policies of local host.
-	 *
-	 * @param local		TRUE for own traffic selectors, FALSE for remote
-	 * @return			list of traffic selectors
-	 */	
-	linked_list_t* (*get_traffic_selectors) (child_sa_t *this, bool local);
-	
+							 linked_list_t *other_ts_list);
 	/**
-	 * Create an enumerator over installed policies.
+	 * Update hosts and ecapulation mode in the kernel SAs and policies.
 	 *
-	 * @return			enumerator over pairs of traffic selectors.
-	 */
-	enumerator_t* (*create_policy_enumerator)(child_sa_t *this);
-	
-	/**
-	 * Get the state of the CHILD_SA.
-	 */	
-	child_sa_state_t (*get_state) (child_sa_t *this);
-	
-	/**
-	 * Set the state of the CHILD_SA.
-	 *
-	 * @param state		state to set on CHILD_SA
-	 */	
-	void (*set_state) (child_sa_t *this, child_sa_state_t state);
-	
-	/**
-	 * Get the config used to set up this child sa.
-	 *
-	 * @return			child_cfg
-	 */
-	child_cfg_t* (*get_config) (child_sa_t *this);
-	
-	/**
-	 * Activate IPComp by setting the transform ID and CPI values.
-	 * 
-	 * @param ipcomp	the IPComp transform to use
-	 * @param other_cpi	other Compression Parameter Index
-	 */
-	void (*activate_ipcomp) (child_sa_t *this, ipcomp_transform_t ipcomp,
-							 u_int16_t other_cpi);
-	
-	/**
-	 * Returns the Compression Parameter Index (CPI) allocated from the kernel.
-	 * 
-	 * @return			allocated CPI
+	 * @param me		the new local host
+	 * @param other		the new remote host
+	 * @param vip		virtual IP, if any
+	 * @param			TRUE to use UDP encapsulation for NAT traversal
+	 * @return			SUCCESS or FAILED
 	 */
-	u_int16_t (*allocate_cpi) (child_sa_t *this);
-	
+	status_t (*update)(child_sa_t *this, host_t *me, host_t *other,
+					   host_t *vip, bool encap);
 	/**
 	 * Destroys a child_sa.
 	 */
diff --git a/src/charon/sa/ike_sa.c b/src/charon/sa/ike_sa.c
index d9bb01c60..82dd479ca 100644
--- a/src/charon/sa/ike_sa.c
+++ b/src/charon/sa/ike_sa.c
@@ -15,7 +15,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: ike_sa.c 4652 2008-11-14 08:38:53Z martin $
+ * $Id: ike_sa.c 4808 2008-12-16 15:48:36Z martin $
  */
 
 #include <sys/time.h>
@@ -66,6 +66,7 @@ ENUM(ike_sa_state_names, IKE_CREATED, IKE_DESTROYING,
 	"CREATED",
 	"CONNECTING",
 	"ESTABLISHED",
+	"PASSIVE",
 	"REKEYING",
 	"DELETING",
 	"DESTROYING",
@@ -409,6 +410,21 @@ static void set_proposal(private_ike_sa_t *this, proposal_t *proposal)
 	this->proposal = proposal->clone(proposal);
 }
 
+/**
+ * Implementation of ike_sa_t.set_message_id
+ */
+static void set_message_id(private_ike_sa_t *this, bool initiate, u_int32_t mid)
+{
+	if (initiate)
+	{
+		this->task_manager->reset(this->task_manager, mid, UINT_MAX);
+	}
+	else
+	{
+		this->task_manager->reset(this->task_manager, UINT_MAX, mid);
+	}
+}
+
 /**
  * Implementation of ike_sa_t.send_keepalive
  */
@@ -621,7 +637,8 @@ static void set_state(private_ike_sa_t *this, ike_sa_state_t state)
 	{
 		case IKE_ESTABLISHED:
 		{
-			if (this->state == IKE_CONNECTING)
+			if (this->state == IKE_CONNECTING ||
+				this->state == IKE_PASSIVE)
 			{
 				job_t *job;
 				u_int32_t t;
@@ -708,7 +725,7 @@ static void reset(private_ike_sa_t *this)
 	
 	set_state(this, IKE_CREATED);
 	
-	this->task_manager->reset(this->task_manager);
+	this->task_manager->reset(this->task_manager, 0, 0);
 }
 
 /**
@@ -874,7 +891,7 @@ static void update_hosts(private_ike_sa_t *this, host_t *me, host_t *other)
 		iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
 		while (iterator->iterate(iterator, (void**)&child_sa))
 		{
-			if (child_sa->update_hosts(child_sa, this->my_host,
+			if (child_sa->update(child_sa, this->my_host,
 						this->other_host, this->my_virtual_ip,
 						has_condition(this, COND_NAT_ANY)) == NOT_SUPPORTED)
 			{
@@ -1199,11 +1216,17 @@ static status_t acquire(private_ike_sa_t *this, u_int32_t reqid)
 	iterator_t *iterator;
 	child_sa_t *current, *child_sa = NULL;
 	
-	if (this->state == IKE_DELETING)
+	switch (this->state)
 	{
-		DBG1(DBG_IKE, "acquiring CHILD_SA {reqid %d} failed: "
-			 "IKE_SA is deleting", reqid);
-		return FAILED;
+		case IKE_DELETING:
+			DBG1(DBG_IKE, "acquiring CHILD_SA {reqid %d} failed: "
+				 "IKE_SA is deleting", reqid);
+			return FAILED;
+		case IKE_PASSIVE:
+			/* do not process acquires if passive */
+			return FAILED;
+		default:
+			break;
 	}
 	
 	/* find CHILD_SA */
@@ -1265,6 +1288,7 @@ static status_t route(private_ike_sa_t *this, child_cfg_t *child_cfg)
 		case IKE_CREATED:
 		case IKE_CONNECTING:
 		case IKE_ESTABLISHED:
+		case IKE_PASSIVE:
 		default:
 			break;
 	}
@@ -1288,8 +1312,8 @@ static status_t route(private_ike_sa_t *this, child_cfg_t *child_cfg)
 	my_ts = child_cfg->get_traffic_selectors(child_cfg, TRUE, NULL, me);
 	other_ts = child_cfg->get_traffic_selectors(child_cfg, FALSE, NULL, other);
 
-	status = child_sa->add_policies(child_sa, my_ts, other_ts,
-							child_cfg->get_mode(child_cfg),	PROTO_NONE);
+	child_sa->set_mode(child_sa, child_cfg->get_mode(child_cfg));
+	status = child_sa->add_policies(child_sa, my_ts, other_ts);
 
 	my_ts->destroy_offset(my_ts, offsetof(traffic_selector_t, destroy));
 	other_ts->destroy_offset(other_ts, offsetof(traffic_selector_t, destroy));
@@ -1353,6 +1377,11 @@ static status_t process_message(private_ike_sa_t *this, message_t *message)
 	status_t status;
 	bool is_request;
 	
+	if (this->state == IKE_PASSIVE)
+	{	/* do not handle messages in passive state */
+		return FAILED;
+	}
+	
 	is_request = message->get_request(message);
 	
 	status = message->parse_body(message,
@@ -1366,7 +1395,7 @@ static status_t process_message(private_ike_sa_t *this, message_t *message)
 			switch (status)
 			{
 				case NOT_SUPPORTED:
-					DBG1(DBG_IKE, "ciritcal unknown payloads found");
+					DBG1(DBG_IKE, "critical unknown payloads found");
 					if (is_request)
 					{
 						send_notify_response(this, message, UNSUPPORTED_CRITICAL_PAYLOAD);
@@ -1449,6 +1478,14 @@ static status_t process_message(private_ike_sa_t *this, message_t *message)
 		status = this->task_manager->process_message(this->task_manager, message);
 		if (status != DESTROY_ME)
 		{
+			if (message->get_exchange_type(message) == IKE_AUTH &&
+				this->state == IKE_ESTABLISHED)
+			{
+				/* purge auth items if SA is up, as they contain certs
+				 * and other memory wasting elements */
+				this->my_auth->purge(this->my_auth);
+				this->other_auth->purge(this->other_auth);
+			}
 			return status;
 		}
 		/* if IKE_SA gets closed for any reasons, reroute routed children */
@@ -1594,37 +1631,27 @@ static iterator_t* create_child_sa_iterator(private_ike_sa_t *this)
 /**
  * Implementation of ike_sa_t.rekey_child_sa.
  */
-static status_t rekey_child_sa(private_ike_sa_t *this, protocol_id_t protocol, u_int32_t spi)
+static status_t rekey_child_sa(private_ike_sa_t *this, protocol_id_t protocol,
+							   u_int32_t spi)
 {
-	child_sa_t *child_sa;
 	child_rekey_t *child_rekey;
 	
-	child_sa = get_child_sa(this, protocol, spi, TRUE);
-	if (child_sa)
-	{
-		child_rekey = child_rekey_create(&this->public, child_sa);
-		this->task_manager->queue_task(this->task_manager, &child_rekey->task);
-		return this->task_manager->initiate(this->task_manager);
-	}
-	return FAILED;
+	child_rekey = child_rekey_create(&this->public, protocol, spi);
+	this->task_manager->queue_task(this->task_manager, &child_rekey->task);
+	return this->task_manager->initiate(this->task_manager);
 }
 
 /**
  * Implementation of ike_sa_t.delete_child_sa.
  */
-static status_t delete_child_sa(private_ike_sa_t *this, protocol_id_t protocol, u_int32_t spi)
+static status_t delete_child_sa(private_ike_sa_t *this, protocol_id_t protocol,
+								u_int32_t spi)
 {
-	child_sa_t *child_sa;
 	child_delete_t *child_delete;
 	
-	child_sa = get_child_sa(this, protocol, spi, TRUE);
-	if (child_sa)
-	{
-		child_delete = child_delete_create(&this->public, child_sa);
-		this->task_manager->queue_task(this->task_manager, &child_delete->task);
-		return this->task_manager->initiate(this->task_manager);
-	}
-	return FAILED;
+	child_delete = child_delete_create(&this->public, protocol, spi);
+	this->task_manager->queue_task(this->task_manager, &child_delete->task);
+	return this->task_manager->initiate(this->task_manager);
 }
 
 /**
@@ -1670,6 +1697,8 @@ static status_t delete_(private_ike_sa_t *this)
 		case IKE_CREATED:
 			DBG1(DBG_IKE, "deleting unestablished IKE_SA");
 			break;
+		case IKE_PASSIVE:
+			break;
 		default:
 			DBG1(DBG_IKE, "destroying IKE_SA in state %N "
 				"without notification", ike_sa_state_names, this->state);
@@ -1943,6 +1972,7 @@ static status_t roam(private_ike_sa_t *this, bool address)
 	{
 		case IKE_CREATED:
 		case IKE_DELETING:
+		case IKE_PASSIVE:
 			return SUCCESS;
 		default:
 			break;
@@ -2239,7 +2269,7 @@ static void destroy(private_ike_sa_t *this)
 		{
 			charon->attributes->release_address(charon->attributes,
 									this->peer_cfg->get_pool(this->peer_cfg),
-									this->other_virtual_ip);
+									this->other_virtual_ip, this->other_id);
 		}
 		this->other_virtual_ip->destroy(this->other_virtual_ip);
 	}
@@ -2308,6 +2338,7 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
 	this->public.set_my_host = (void (*)(ike_sa_t*,host_t*)) set_my_host;
 	this->public.get_other_host = (host_t* (*)(ike_sa_t*)) get_other_host;
 	this->public.set_other_host = (void (*)(ike_sa_t*,host_t*)) set_other_host;
+	this->public.set_message_id = (void(*)(ike_sa_t*, bool inbound, u_int32_t mid))set_message_id;
 	this->public.update_hosts = (void(*)(ike_sa_t*, host_t *me, host_t *other))update_hosts;
 	this->public.get_my_id = (identification_t* (*)(ike_sa_t*)) get_my_id;
 	this->public.set_my_id = (void (*)(ike_sa_t*,identification_t*)) set_my_id;
@@ -2365,6 +2396,7 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
 	this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
 	this->child_sas = linked_list_create();
 	this->my_host = host_create_any(AF_INET);
+	this->my_host->set_port(this->my_host, IKEV2_UDP_PORT);
 	this->other_host = host_create_any(AF_INET);
 	this->my_id = identification_create_from_encoding(ID_ANY, chunk_empty);
 	this->other_id = identification_create_from_encoding(ID_ANY, chunk_empty);
diff --git a/src/charon/sa/ike_sa.h b/src/charon/sa/ike_sa.h
index 5aa458704..d3976527b 100644
--- a/src/charon/sa/ike_sa.h
+++ b/src/charon/sa/ike_sa.h
@@ -15,7 +15,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: ike_sa.h 4640 2008-11-12 16:07:17Z martin $
+ * $Id: ike_sa.h 4810 2008-12-16 17:21:28Z tobias $
  */
 
 /**
@@ -199,6 +199,11 @@ enum ike_sa_state_t {
 	 */
 	IKE_ESTABLISHED,
 	
+	/**
+	 * IKE_SA is managed externally and does not process messages
+	 */
+	IKE_PASSIVE,
+	
 	/**
 	 * IKE_SA rekeying in progress
 	 */
@@ -413,6 +418,17 @@ struct ike_sa_t {
 	 */
 	void (*set_proposal)(ike_sa_t *this, proposal_t *proposal);
 	
+	/**
+	 * Set the message id of the IKE_SA.
+	 *
+	 * The IKE_SA stores two message IDs, one for initiating exchanges (send)
+	 * and one to respond to exchanges (expect).
+	 *
+	 * @param initiate		TRUE to set message ID for initiating
+	 * @param mid			message id to set
+	 */
+	void (*set_message_id)(ike_sa_t *this, bool initiate, u_int32_t mid);
+	
 	/**
 	 * Add an additional address for the peer.
 	 *
@@ -641,9 +657,9 @@ struct ike_sa_t {
 	 * 
 	 * @return
 	 * 						- SUCCESS if deletion is initialized
-	 * 						- INVALID_STATE, if the IKE_SA is not in 
+	 * 						- DESTROY_ME, if the IKE_SA is not in 
 	 * 						  an established state and can not be
-	 * 						  delete (but destroyed).
+	 * 						  deleted (but destroyed).
 	 */
 	status_t (*delete) (ike_sa_t *this);
 	
diff --git a/src/charon/sa/ike_sa_manager.c b/src/charon/sa/ike_sa_manager.c
index a760409c0..447fa2dd5 100644
--- a/src/charon/sa/ike_sa_manager.c
+++ b/src/charon/sa/ike_sa_manager.c
@@ -1,5 +1,6 @@
 /*
- * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2005-2008 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
  *
@@ -13,7 +14,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: ike_sa_manager.c 4579 2008-11-05 11:29:56Z martin $
+ * $Id: ike_sa_manager.c 4811 2008-12-17 09:00:22Z martin $
  */
 
 #include <string.h>
@@ -27,6 +28,15 @@
 #include <utils/linked_list.h>
 #include <crypto/hashers/hasher.h>
 
+/* the default size of the hash table (MUST be a power of 2) */
+#define DEFAULT_HASHTABLE_SIZE 1
+
+/* the maximum size of the hash table (MUST be a power of 2) */
+#define MAX_HASHTABLE_SIZE (1 << 30)
+
+/* the default number of segments (MUST be a power of 2) */
+#define DEFAULT_SEGMENT_COUNT 1
+
 typedef struct entry_t entry_t;
 
 /**
@@ -60,7 +70,7 @@ struct entry_t {
 	bool driveout_waiting_threads;
 	
 	/**
-	 * Identifiaction of an IKE_SA (SPIs).
+	 * Identification of an IKE_SA (SPIs).
 	 */
 	ike_sa_id_t *ike_sa_id;
 	
@@ -79,6 +89,11 @@ struct entry_t {
 	 */
 	host_t *other;
 	
+	/**
+	 * As responder: Is this SA half-open?
+	 */
+	bool half_open;
+		
 	/**
 	 * own identity, required for duplicate checking
 	 */
@@ -115,7 +130,7 @@ static status_t entry_destroy(entry_t *this)
 /**
  * Creates a new entry for the ike_sa_t list.
  */
-static entry_t *entry_create(ike_sa_id_t *ike_sa_id)
+static entry_t *entry_create()
 {
 	entry_t *this = malloc_thing(entry_t);
 	
@@ -129,18 +144,151 @@ static entry_t *entry_create(ike_sa_id_t *ike_sa_id)
 	this->message_id = -1;
 	this->init_hash = chunk_empty;
 	this->other = NULL;
+	this->half_open = FALSE;
 	this->my_id = NULL;
 	this->other_id = NULL;
+	this->ike_sa_id = NULL;
+	this->ike_sa = NULL;
 	
-	/* ike_sa_id is always cloned */
-	this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
+	return this;
+}
 
-	/* create new ike_sa */
-	this->ike_sa = ike_sa_create(ike_sa_id);
+/**
+ * Function that matches entry_t objects by initiator SPI and the hash of the
+ * IKE_SA_INIT message.
+ */
+static bool entry_match_by_hash(entry_t *entry, ike_sa_id_t *id, chunk_t *hash)
+{
+	return id->get_responder_spi(id) == 0 &&
+		id->is_initiator(id) == entry->ike_sa_id->is_initiator(entry->ike_sa_id) &&
+		id->get_initiator_spi(id) == entry->ike_sa_id->get_initiator_spi(entry->ike_sa_id) &&
+		chunk_equals(*hash, entry->init_hash);
+}
 
-	return this;
+/**
+ * Function that matches entry_t objects by ike_sa_id_t.
+ */
+static bool entry_match_by_id(entry_t *entry, ike_sa_id_t *id)
+{
+	if (id->equals(id, entry->ike_sa_id))
+	{
+		return TRUE;
+	}	
+	if ((id->get_responder_spi(id) == 0 ||
+		 entry->ike_sa_id->get_responder_spi(entry->ike_sa_id) == 0) &&
+		id->is_initiator(id) == entry->ike_sa_id->is_initiator(entry->ike_sa_id) &&
+		id->get_initiator_spi(id) == entry->ike_sa_id->get_initiator_spi(entry->ike_sa_id))
+	{
+		/* this is TRUE for IKE_SAs that we initiated but have not yet received a response */
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/**
+ * Function that matches entry_t objects by ike_sa_t pointers.
+ */
+static bool entry_match_by_sa(entry_t *entry, ike_sa_t *ike_sa)
+{
+	return entry->ike_sa == ike_sa;
+}
+
+/**
+ * Hash function for ike_sa_id_t objects.
+ */
+static u_int ike_sa_id_hash(ike_sa_id_t *ike_sa_id)
+{
+	/* we always use initiator spi as key */
+	return ike_sa_id->get_initiator_spi(ike_sa_id);
 }
 
+typedef struct half_open_t half_open_t;
+
+/**
+ * Struct to manage half-open IKE_SAs per peer.
+ */
+struct half_open_t {
+	/** chunk of remote host address */
+	chunk_t other;
+	
+	/** the number of half-open IKE_SAs with that host */
+	u_int count;
+};
+
+/**
+ * Destroys a half_open_t object.
+ */
+static void half_open_destroy(half_open_t *this)
+{
+	chunk_free(&this->other);
+	free(this);
+}
+
+/**
+ * Function that matches half_open_t objects by the given IP address chunk.
+ */
+static bool half_open_match(half_open_t *half_open, chunk_t *addr)
+{
+	return chunk_equals(*addr, half_open->other);
+}
+
+typedef struct connected_peers_t connected_peers_t;
+
+struct connected_peers_t {
+	/** own identity */
+	identification_t *my_id;
+	
+	/** remote identity */
+	identification_t *other_id;
+	
+	/** list of ike_sa_id_t objects of IKE_SAs between the two identities */
+	linked_list_t *sas;
+};
+
+static void connected_peers_destroy(connected_peers_t *this)
+{
+	this->my_id->destroy(this->my_id);
+	this->other_id->destroy(this->other_id);
+	this->sas->destroy(this->sas);
+	free(this);
+}
+
+/**
+ * Function that matches connected_peers_t objects by the given ids.
+ */
+static bool connected_peers_match(connected_peers_t *connected_peers,
+							identification_t *my_id, identification_t *other_id)
+{
+	return my_id->equals(my_id, connected_peers->my_id) &&
+		   other_id->equals(other_id, connected_peers->other_id);
+}
+
+typedef struct segment_t segment_t;
+
+/**
+ * Struct to manage segments of the hash table.
+ */
+struct segment_t {
+	/** mutex to access a segment exclusively */
+	mutex_t *mutex;
+	
+	/** the number of entries in this segment */
+	u_int count;
+};
+
+typedef struct shareable_segment_t shareable_segment_t;
+
+/**
+ * Struct to manage segments of the "half-open" and "connected peers" hash tables.
+ */
+struct shareable_segment_t {
+	/** rwlock to access a segment non-/exclusively */
+	rwlock_t *lock;
+	
+	/** the number of entries in this segment - in case of the "half-open table"
+	 * it's the sum of all half_open_t.count in a segment. */
+	u_int count;
+};
 
 typedef struct private_ike_sa_manager_t private_ike_sa_manager_t;
 
@@ -154,14 +302,54 @@ struct private_ike_sa_manager_t {
 	 ike_sa_manager_t public;
 	
 	 /**
-	  * Lock for exclusivly accessing the manager.
+	  * Hash table with entries for the ike_sa_t objects.
 	  */
-	 mutex_t *mutex;
-
+	 linked_list_t **ike_sa_table;
+	 
+	 /**
+	  * The size of the hash table.
+	  */
+	 u_int table_size;
+	 
+	 /**
+	  * Mask to map the hashes to table rows.
+	  */
+	 u_int table_mask;
+	 
+	 /**
+	  * Segments of the hash table.
+	  */
+	 segment_t *segments;
+	 
+	 /**
+	  * The number of segments.
+	  */
+	 u_int segment_count;
+	 
+	 /**
+	  * Mask to map a table row to a segment.
+	  */
+	 u_int segment_mask;
+	 
+	 /**
+	  * Hash table with half_open_t objects.
+	  */
+	 linked_list_t **half_open_table;
+	 
 	 /**
-	  * Linked list with entries for the ike_sa_t objects.
+	  * Segments of the "half-open" hash table.
 	  */
-	 linked_list_t *ike_sa_list;
+	 shareable_segment_t *half_open_segments;
+	 
+	 /**
+	  * Hash table with connected_peers_t objects.
+	  */
+	 linked_list_t **connected_peers_table;
+	 
+	 /**
+	  * Segments of the "connected peers" hash table.
+	  */
+	 shareable_segment_t *connected_peers_segments;
 	 
 	 /**
 	  * RNG to get random SPIs for our side
@@ -180,126 +368,304 @@ struct private_ike_sa_manager_t {
 };
 
 /**
- * Implementation of private_ike_sa_manager_t.get_entry_by_id.
+ * Acquire a lock to access the segment of the table row with the given index.
+ * It also works with the segment index directly.
  */
-static status_t get_entry_by_id(private_ike_sa_manager_t *this,
-								ike_sa_id_t *ike_sa_id, entry_t **entry)
+static void lock_single_segment(private_ike_sa_manager_t *this, u_int index)
 {
-	enumerator_t *enumerator;
-	entry_t *current;
-	status_t status;
+	mutex_t *lock = this->segments[index & this->segment_mask].mutex;
 	
-	/* create enumerator over list of ike_sa's */
-	enumerator = this->ike_sa_list->create_enumerator(this->ike_sa_list);
+	lock->lock(lock);
+}
 
-	/* default status */
-	status = NOT_FOUND;
+/**
+ * Release the lock required to access the segment of the table row with the given index.
+ * It also works with the segment index directly.
+ */
+static void unlock_single_segment(private_ike_sa_manager_t *this, u_int index)
+{
+	mutex_t *lock = this->segments[index & this->segment_mask].mutex;
 	
-	while (enumerator->enumerate(enumerator, &current))
+	lock->unlock(lock);
+}
+
+/**
+ * Lock all segments
+ */
+static void lock_all_segments(private_ike_sa_manager_t *this)
+{
+	u_int i;
+	
+	for (i = 0; i < this->segment_count; ++i)
 	{
-		if (current->ike_sa_id->equals(current->ike_sa_id, ike_sa_id))
-		{
-			DBG2(DBG_MGR,  "found entry by both SPIs");
-			*entry = current;
-			status = SUCCESS;
-			break;
-		}
-		if (ike_sa_id->get_responder_spi(ike_sa_id) == 0 ||
-			current->ike_sa_id->get_responder_spi(current->ike_sa_id) == 0)
-		{
-			/* seems to be a half ready ike_sa */
-			if ((current->ike_sa_id->get_initiator_spi(current->ike_sa_id) ==
-						  ike_sa_id->get_initiator_spi(ike_sa_id)) &&
-				(current->ike_sa_id->is_initiator(ike_sa_id) ==
-						  ike_sa_id->is_initiator(current->ike_sa_id)))
-			{
-				DBG2(DBG_MGR, "found entry by initiator SPI");
-				*entry = current;
-				status = SUCCESS;
-				break;
-			}
-		}
+		this->segments[i].mutex->lock(this->segments[i].mutex);
 	}
-	
-	enumerator->destroy(enumerator);
-	return status;
 }
 
 /**
- * Implementation of private_ike_sa_manager_t.get_entry_by_sa.
+ * Unlock all segments
  */
-static status_t get_entry_by_sa(private_ike_sa_manager_t *this,
-								ike_sa_t *ike_sa, entry_t **entry)
+static void unlock_all_segments(private_ike_sa_manager_t *this)
 {
-	enumerator_t *enumerator;
-	entry_t *current;
-	status_t status;
+	u_int i;
+	
+	for (i = 0; i < this->segment_count; ++i)
+	{
+		this->segments[i].mutex->unlock(this->segments[i].mutex);
+	}
+}
+
+typedef struct private_enumerator_t private_enumerator_t;
+
+/**
+ * hash table enumerator implementation
+ */
+struct private_enumerator_t {
+
+	/**
+	 * implements enumerator interface
+	 */
+	enumerator_t enumerator;
+	
+	/**
+	 * associated ike_sa_manager_t
+	 */
+	private_ike_sa_manager_t *manager;
+	
+	/**
+	 * current segment index
+	 */
+	u_int segment;
 	
-	enumerator = this->ike_sa_list->create_enumerator(this->ike_sa_list);
+	/**
+	 * currently enumerating entry
+	 */
+	entry_t *entry;
 	
-	/* default status */
-	status = NOT_FOUND;
+	/**
+	 * current table row index
+	 */
+	u_int row;
 	
-	while (enumerator->enumerate(enumerator, &current))
+	/**
+	 * enumerator for the current table row
+	 */
+	enumerator_t *current;
+};
+
+/**
+ * Implementation of private_enumerator_t.enumerator.enumerate.
+ */
+static bool enumerate(private_enumerator_t *this, entry_t **entry, u_int *segment)
+{
+	if (this->entry)
+	{
+		this->entry->condvar->signal(this->entry->condvar);
+		this->entry = NULL;
+	}
+	while (this->segment < this->manager->segment_count)
 	{
-		/* only pointers are compared */
-		if (current->ike_sa == ike_sa)
+		while (this->row < this->manager->table_size)
 		{
-			DBG2(DBG_MGR, "found entry by pointer");
-			*entry = current;
-			status = SUCCESS;
-			break;
+			if (this->current)
+			{
+				entry_t *item;
+				
+				if (this->current->enumerate(this->current, &item))
+				{
+					*entry = this->entry = item;
+					*segment = this->segment;
+					return TRUE;
+				}
+				this->current->destroy(this->current);
+				this->current = NULL;
+				unlock_single_segment(this->manager, this->segment);
+			}
+			else
+			{
+				linked_list_t *list;
+				
+				lock_single_segment(this->manager, this->segment);
+				if ((list = this->manager->ike_sa_table[this->row]) != NULL &&
+					 list->get_count(list))
+				{
+					this->current = list->create_enumerator(list);
+					continue;
+				}
+				unlock_single_segment(this->manager, this->segment);
+			}
+			this->row += this->manager->segment_count;
 		}
+		this->segment++;
+		this->row = this->segment;
 	}
-	enumerator->destroy(enumerator);
+	return FALSE;
+}
+
+/**
+ * Implementation of private_enumerator_t.enumerator.destroy.
+ */
+static void enumerator_destroy(private_enumerator_t *this)
+{
+	if (this->entry)
+	{
+		this->entry->condvar->signal(this->entry->condvar);
+	}
+	if (this->current)
+	{
+		this->current->destroy(this->current);
+		unlock_single_segment(this->manager, this->segment);
+	}
+	free(this);
+}
+
+/**
+ * Creates an enumerator to enumerate the entries in the hash table.
+ */
+static enumerator_t* create_table_enumerator(private_ike_sa_manager_t *this)
+{
+	private_enumerator_t *enumerator = malloc_thing(private_enumerator_t);
+	
+	enumerator->enumerator.enumerate = (void*)enumerate;
+	enumerator->enumerator.destroy = (void*)enumerator_destroy;
+	enumerator->manager = this;
+	enumerator->segment = 0;
+	enumerator->entry = NULL;
+	enumerator->row = 0;
+	enumerator->current = NULL;
 	
-	return status;
+	return &enumerator->enumerator;
 }
 
 /**
- * Implementation of private_ike_sa_manager_s.delete_entry.
+ * Put an entry into the hash table.
+ * Note: The caller has to unlock the returned segment.
  */
-static status_t delete_entry(private_ike_sa_manager_t *this, entry_t *entry)
+static u_int put_entry(private_ike_sa_manager_t *this, entry_t *entry)
 {
-	enumerator_t *enumerator;
-	entry_t *current;
-	status_t status;
+	linked_list_t *list;
+	u_int row = ike_sa_id_hash(entry->ike_sa_id) & this->table_mask;
+	u_int segment = row & this->segment_mask;
 	
-	enumerator = this->ike_sa_list->create_enumerator(this->ike_sa_list);
+	lock_single_segment(this, segment);
+	if ((list = this->ike_sa_table[row]) == NULL)
+	{
+		list = this->ike_sa_table[row] = linked_list_create();
+	}
+	list->insert_last(list, entry);
+	this->segments[segment].count++;
+	return segment;
+}
 
-	status = NOT_FOUND;
+/**
+ * Remove an entry from the hash table.
+ * Note: The caller MUST have a lock on the segment of this entry.
+ */
+static void remove_entry(private_ike_sa_manager_t *this, entry_t *entry)
+{
+	linked_list_t *list;
+	u_int row = ike_sa_id_hash(entry->ike_sa_id) & this->table_mask;
+	u_int segment = row & this->segment_mask;
 	
-	while (enumerator->enumerate(enumerator, &current))
+	if ((list = this->ike_sa_table[row]) != NULL)
 	{
-		if (current == entry)
+		entry_t *current;
+
+		enumerator_t *enumerator = list->create_enumerator(list);
+		while (enumerator->enumerate(enumerator, &current))
 		{
-			/* mark it, so now new threads can get this entry */
-			entry->driveout_new_threads = TRUE;
-			/* wait until all workers have done their work */
-			while (entry->waiting_threads)
+			if (current == entry)
 			{
-				/* wake up all */
-				entry->condvar->broadcast(entry->condvar);
-				/* they will wake us again when their work is done */
-				entry->condvar->wait(entry->condvar, this->mutex);
+				list->remove_at(list, enumerator);
+				this->segments[segment].count--;
+				break;
 			}
-			
-			DBG2(DBG_MGR,  "found entry by pointer, deleting it");
-			this->ike_sa_list->remove_at(this->ike_sa_list, enumerator);
-			entry_destroy(entry);
-			status = SUCCESS;
-			break;
 		}
+		enumerator->destroy(enumerator);
 	}
-	enumerator->destroy(enumerator);
-	return status;
+}
+
+/**
+ * Remove the entry at the current enumerator position.
+ */
+static void remove_entry_at(private_enumerator_t *this)
+{
+	this->entry = NULL;
+	if (this->current)
+	{
+		linked_list_t *list = this->manager->ike_sa_table[this->row];
+		list->remove_at(list, this->current);
+		this->manager->segments[this->segment].count--;
+	}
+}
+
+/**
+ * Find an entry using the provided match function to compare the entries for
+ * equality.
+ */
+static status_t get_entry_by_match_function(private_ike_sa_manager_t *this,
+					ike_sa_id_t *ike_sa_id, entry_t **entry, u_int *segment,
+					linked_list_match_t match, void *p1, void *p2)
+{
+	entry_t *current;
+	linked_list_t *list;
+	u_int row = ike_sa_id_hash(ike_sa_id) & this->table_mask;
+	u_int seg = row & this->segment_mask;
+	
+	lock_single_segment(this, seg);
+	if ((list = this->ike_sa_table[row]) != NULL)
+	{
+		if (list->find_first(list, match, (void**)&current, p1, p2) == SUCCESS)
+		{
+			*entry = current;
+			*segment = seg;
+			/* the locked segment has to be unlocked by the caller */
+			return SUCCESS;
+		}
+	}
+	unlock_single_segment(this, seg);
+	return NOT_FOUND;
+}
+
+/**
+ * Find an entry by ike_sa_id_t.
+ * Note: On SUCCESS, the caller has to unlock the segment.
+ */
+static status_t get_entry_by_id(private_ike_sa_manager_t *this,
+						ike_sa_id_t *ike_sa_id, entry_t **entry, u_int *segment)
+{
+	return get_entry_by_match_function(this, ike_sa_id, entry, segment, 
+				(linked_list_match_t)entry_match_by_id, ike_sa_id, NULL);
+}
+
+/**
+ * Find an entry by initiator SPI and IKE_SA_INIT hash.
+ * Note: On SUCCESS, the caller has to unlock the segment.
+ */
+static status_t get_entry_by_hash(private_ike_sa_manager_t *this,
+			ike_sa_id_t *ike_sa_id, chunk_t hash, entry_t **entry, u_int *segment)
+{
+	return get_entry_by_match_function(this, ike_sa_id, entry, segment,
+				(linked_list_match_t)entry_match_by_hash, ike_sa_id, &hash);
+}
+
+/**
+ * Find an entry by IKE_SA pointer.
+ * Note: On SUCCESS, the caller has to unlock the segment.
+ */
+static status_t get_entry_by_sa(private_ike_sa_manager_t *this,
+			ike_sa_id_t *ike_sa_id, ike_sa_t *ike_sa, entry_t **entry, u_int *segment)
+{
+	return get_entry_by_match_function(this, ike_sa_id, entry, segment,
+				(linked_list_match_t)entry_match_by_sa, ike_sa, NULL);
 }
 
 /**
  * Wait until no other thread is using an IKE_SA, return FALSE if entry not
- * acquireable
+ * acquirable.
  */
-static bool wait_for_entry(private_ike_sa_manager_t *this, entry_t *entry)
+static bool wait_for_entry(private_ike_sa_manager_t *this, entry_t *entry,
+						   u_int segment)
 {
 	if (entry->driveout_new_threads)
 	{
@@ -311,7 +677,7 @@ static bool wait_for_entry(private_ike_sa_manager_t *this, entry_t *entry)
 		/* so wait until we can get it for us.
 		 * we register us as waiting. */
 		entry->waiting_threads++;
-		entry->condvar->wait(entry->condvar, this->mutex);
+		entry->condvar->wait(entry->condvar, this->segments[segment].mutex);
 		entry->waiting_threads--;
 	}
 	/* hm, a deletion request forbids us to get this SA, get next one */
@@ -324,6 +690,176 @@ static bool wait_for_entry(private_ike_sa_manager_t *this, entry_t *entry)
 	return TRUE;
 }
 
+/**
+ * Put a half-open SA into the hash table.
+ */
+static void put_half_open(private_ike_sa_manager_t *this, entry_t *entry)
+{
+	half_open_t *half_open = NULL;
+	linked_list_t *list;
+	chunk_t addr = entry->other->get_address(entry->other);
+	u_int row = chunk_hash(addr) & this->table_mask;
+	u_int segment = row & this->segment_mask;
+	
+	rwlock_t *lock = this->half_open_segments[segment].lock;
+	lock->write_lock(lock);
+	if ((list = this->half_open_table[row]) == NULL)
+	{
+		list = this->half_open_table[row] = linked_list_create();
+	}
+	else
+	{
+		half_open_t *current;
+		if (list->find_first(list, (linked_list_match_t)half_open_match,
+							 (void**)&current, &addr) == SUCCESS)
+		{
+			half_open = current;
+			half_open->count++;
+			this->half_open_segments[segment].count++;
+		}
+	}
+	
+	if (!half_open)
+	{
+		half_open = malloc_thing(half_open_t);
+		half_open->other = chunk_clone(addr);
+		half_open->count = 1;
+		list->insert_last(list, half_open);
+		this->half_open_segments[segment].count++;
+	}
+	lock->unlock(lock);
+}
+
+/**
+ * Remove a half-open SA from the hash table.
+ */
+static void remove_half_open(private_ike_sa_manager_t *this, entry_t *entry)
+{
+	linked_list_t *list;
+	chunk_t addr = entry->other->get_address(entry->other);
+	u_int row = chunk_hash(addr) & this->table_mask;
+	u_int segment = row & this->segment_mask;
+	
+	rwlock_t *lock = this->half_open_segments[segment].lock;
+	lock->write_lock(lock);
+	if ((list = this->half_open_table[row]) != NULL)
+	{
+		half_open_t *current;
+		enumerator_t *enumerator = list->create_enumerator(list);
+		while (enumerator->enumerate(enumerator, &current))
+		{
+			if (half_open_match(current, &addr))
+			{
+				if (--current->count == 0)
+				{
+					list->remove_at(list, enumerator);
+					half_open_destroy(current);
+				}
+				this->half_open_segments[segment].count--;
+				break;
+			}
+		}
+		enumerator->destroy(enumerator);
+	}
+	lock->unlock(lock);
+}
+
+/**
+ * Put an SA between two peers into the hash table.
+ */
+static void put_connected_peers(private_ike_sa_manager_t *this, entry_t *entry)
+{
+	linked_list_t *list;
+	connected_peers_t *connected_peers = NULL;
+	chunk_t my_id = entry->my_id->get_encoding(entry->my_id),
+			other_id = entry->other_id->get_encoding(entry->other_id);
+	u_int row = chunk_hash_inc(other_id, chunk_hash(my_id)) & this->table_mask;
+	u_int segment = row & this->segment_mask;
+	
+	rwlock_t *lock = this->connected_peers_segments[segment].lock;
+	lock->write_lock(lock);
+	if ((list = this->connected_peers_table[row]) == NULL)
+	{
+		list = this->connected_peers_table[row] = linked_list_create();
+	}
+	else
+	{
+		connected_peers_t *current;
+		if (list->find_first(list, (linked_list_match_t)connected_peers_match,
+					(void**)&current, entry->my_id, entry->other_id) == SUCCESS)
+		{
+			connected_peers = current;
+			if (connected_peers->sas->find_first(connected_peers->sas,
+					(linked_list_match_t)entry->ike_sa_id->equals,
+					NULL, entry->ike_sa_id) == SUCCESS)
+			{
+				lock->unlock(lock);
+				return;
+			}
+		}
+	}
+	
+	if (!connected_peers)
+	{
+		connected_peers = malloc_thing(connected_peers_t);
+		connected_peers->my_id = entry->my_id->clone(entry->my_id);
+		connected_peers->other_id = entry->other_id->clone(entry->other_id);
+		connected_peers->sas = linked_list_create();
+		list->insert_last(list, connected_peers);
+	}
+	connected_peers->sas->insert_last(connected_peers->sas,
+									  entry->ike_sa_id->clone(entry->ike_sa_id));
+	this->connected_peers_segments[segment].count++;
+	lock->unlock(lock);
+}
+
+/**
+ * Remove an SA between two peers from the hash table.
+ */
+static void remove_connected_peers(private_ike_sa_manager_t *this, entry_t *entry)
+{
+	linked_list_t *list;
+	chunk_t my_id = entry->my_id->get_encoding(entry->my_id),
+			other_id = entry->other_id->get_encoding(entry->other_id);
+	u_int row = chunk_hash_inc(other_id, chunk_hash(my_id)) & this->table_mask;
+	u_int segment = row & this->segment_mask;
+	
+	rwlock_t *lock = this->connected_peers_segments[segment].lock;
+	lock->write_lock(lock);
+	if ((list = this->connected_peers_table[row]) != NULL)
+	{
+		connected_peers_t *current;
+		enumerator_t *enumerator = list->create_enumerator(list);
+		while (enumerator->enumerate(enumerator, &current))
+		{
+			if (connected_peers_match(current, entry->my_id, entry->other_id))
+			{
+				ike_sa_id_t *ike_sa_id;
+				enumerator_t *inner = current->sas->create_enumerator(current->sas);
+				while (inner->enumerate(inner, &ike_sa_id))
+				{
+					if (ike_sa_id->equals(ike_sa_id, entry->ike_sa_id))
+					{
+						current->sas->remove_at(current->sas, inner);
+						ike_sa_id->destroy(ike_sa_id);
+						this->connected_peers_segments[segment].count--;
+						break;
+					}
+				}
+				inner->destroy(inner);
+				if (current->sas->get_count(current->sas) == 0)
+				{
+					list->remove_at(list, enumerator);
+					connected_peers_destroy(current);
+				}
+				break;
+			}
+		}
+		enumerator->destroy(enumerator);
+	}
+	lock->unlock(lock);
+}
+
 /**
  * Implementation of private_ike_sa_manager_t.get_next_spi.
  */
@@ -342,21 +878,20 @@ static ike_sa_t* checkout(private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id
 {
 	ike_sa_t *ike_sa = NULL;
 	entry_t *entry;
+	u_int segment;
 	
-	DBG2(DBG_MGR, "checkout IKE_SA, %d IKE_SAs in manager",
-		 this->ike_sa_list->get_count(this->ike_sa_list));
+	DBG2(DBG_MGR, "checkout IKE_SA");
 	
-	this->mutex->lock(this->mutex);
-	if (get_entry_by_id(this, ike_sa_id, &entry) == SUCCESS)
+	if (get_entry_by_id(this, ike_sa_id, &entry, &segment) == SUCCESS)
 	{
-		if (wait_for_entry(this, entry))
+		if (wait_for_entry(this, entry, segment))
 		{
 			DBG2(DBG_MGR, "IKE_SA successfully checked out");
 			entry->checked_out = TRUE;
 			ike_sa = entry->ike_sa;
 		}
+		unlock_single_segment(this, segment);
 	}
-	this->mutex->unlock(this->mutex);
 	charon->bus->set_sa(charon->bus, ike_sa);
 	return ike_sa;
 }
@@ -367,24 +902,24 @@ static ike_sa_t* checkout(private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id
 static ike_sa_t *checkout_new(private_ike_sa_manager_t* this, bool initiator)
 {
 	entry_t *entry;
-	ike_sa_id_t *id;
+	u_int segment;
 	
+	entry = entry_create();
 	if (initiator)
 	{
-		id = ike_sa_id_create(get_next_spi(this), 0, TRUE);
+		entry->ike_sa_id = ike_sa_id_create(get_next_spi(this), 0, TRUE);
 	}
 	else
 	{
-		id = ike_sa_id_create(0, get_next_spi(this), FALSE);
+		entry->ike_sa_id = ike_sa_id_create(0, get_next_spi(this), FALSE);
 	}
-	entry = entry_create(id);
-	id->destroy(id);
-	this->mutex->lock(this->mutex);	
-	this->ike_sa_list->insert_last(this->ike_sa_list, entry);
+	entry->ike_sa = ike_sa_create(entry->ike_sa_id);
+	
+	segment = put_entry(this, entry); 
 	entry->checked_out = TRUE;
-	this->mutex->unlock(this->mutex);	
-	DBG2(DBG_MGR, "created IKE_SA, %d IKE_SAs in manager",
-		 this->ike_sa_list->get_count(this->ike_sa_list));
+	unlock_single_segment(this, segment);
+	
+	DBG2(DBG_MGR, "created IKE_SA");
 	return entry->ike_sa;
 }
 
@@ -394,53 +929,45 @@ static ike_sa_t *checkout_new(private_ike_sa_manager_t* this, bool initiator)
 static ike_sa_t* checkout_by_message(private_ike_sa_manager_t* this,
 									 message_t *message)
 {
+	u_int segment;
 	entry_t *entry;
 	ike_sa_t *ike_sa = NULL;
 	ike_sa_id_t *id = message->get_ike_sa_id(message);
+
 	id = id->clone(id);
 	id->switch_initiator(id);
 	
-	DBG2(DBG_MGR, "checkout IKE_SA by message, %d IKE_SAs in manager",
-		 this->ike_sa_list->get_count(this->ike_sa_list));
+	DBG2(DBG_MGR, "checkout IKE_SA by message");
 	
 	if (message->get_request(message) &&
 		message->get_exchange_type(message) == IKE_SA_INIT)
 	{
 		/* IKE_SA_INIT request. Check for an IKE_SA with such a message hash. */
-		enumerator_t *enumerator;
 		chunk_t data, hash;
-		
+			
 		data = message->get_packet_data(message);
 		this->hasher->allocate_hash(this->hasher, data, &hash);
 		chunk_free(&data);
 		
-		this->mutex->lock(this->mutex);
-		enumerator = this->ike_sa_list->create_enumerator(this->ike_sa_list);
-		while (enumerator->enumerate(enumerator, &entry))
+		if (get_entry_by_hash(this, id, hash, &entry, &segment) == SUCCESS)
 		{
-			if (chunk_equals(hash, entry->init_hash))
+			if (entry->message_id == 0)
 			{
-				if (entry->message_id == 0)
-				{
-					enumerator->destroy(enumerator);
-					this->mutex->unlock(this->mutex);
-					chunk_free(&hash);
-					id->destroy(id);
-					DBG1(DBG_MGR, "ignoring IKE_SA_INIT, already processing");
-					return NULL;
-				}
-				else if (wait_for_entry(this, entry))
-				{
-					DBG2(DBG_MGR, "IKE_SA checked out by hash");
-					entry->checked_out = TRUE;
-					entry->message_id = message->get_message_id(message);
-					ike_sa = entry->ike_sa;
-				}
-				break;
+				unlock_single_segment(this, segment);
+				chunk_free(&hash);
+				id->destroy(id);
+				DBG1(DBG_MGR, "ignoring IKE_SA_INIT, already processing");
+				return NULL;
+			}
+			else if (wait_for_entry(this, entry, segment))
+			{
+				DBG2(DBG_MGR, "IKE_SA checked out by hash");
+				entry->checked_out = TRUE;
+				entry->message_id = message->get_message_id(message);
+				ike_sa = entry->ike_sa;
 			}
+			unlock_single_segment(this, segment);
 		}
-		enumerator->destroy(enumerator);
-		this->mutex->unlock(this->mutex);
 		
 		if (ike_sa == NULL)
 		{
@@ -449,15 +976,19 @@ static ike_sa_t* checkout_by_message(private_ike_sa_manager_t* this,
 			{
 				/* no IKE_SA found, create a new one */
 				id->set_responder_spi(id, get_next_spi(this));
-				entry = entry_create(id);
+				entry = entry_create();
+				entry->ike_sa = ike_sa_create(id);
+				entry->ike_sa_id = id->clone(id);
 				
-				this->mutex->lock(this->mutex);
-				this->ike_sa_list->insert_last(this->ike_sa_list, entry);
+				segment = put_entry(this, entry);
 				entry->checked_out = TRUE;
-				entry->message_id = message->get_message_id(message);
-				this->mutex->unlock(this->mutex);
+				unlock_single_segment(this, segment);
+				
+				entry->message_id = message->get_message_id(message);				
 				entry->init_hash = hash;
 				ike_sa = entry->ike_sa;
+				
+				DBG2(DBG_MGR, "created IKE_SA");
 			}
 			else
 			{
@@ -474,8 +1005,7 @@ static ike_sa_t* checkout_by_message(private_ike_sa_manager_t* this,
 		return ike_sa;
 	}
 	
-	this->mutex->lock(this->mutex);
-	if (get_entry_by_id(this, id, &entry) == SUCCESS)
+	if (get_entry_by_id(this, id, &entry, &segment) == SUCCESS)
 	{
 		/* only check out if we are not processing this request */
 		if (message->get_request(message) &&
@@ -484,7 +1014,7 @@ static ike_sa_t* checkout_by_message(private_ike_sa_manager_t* this,
 			DBG1(DBG_MGR, "ignoring request with ID %d, already processing",
 				 entry->message_id);
 		}
-		else if (wait_for_entry(this, entry))
+		else if (wait_for_entry(this, entry, segment))
 		{
 			ike_sa_id_t *ike_id = entry->ike_sa->get_id(entry->ike_sa);
 			DBG2(DBG_MGR, "IKE_SA successfully checked out");
@@ -496,8 +1026,8 @@ static ike_sa_t* checkout_by_message(private_ike_sa_manager_t* this,
 			}
 			ike_sa = entry->ike_sa;
 		}
+		unlock_single_segment(this, segment);
 	}
-	this->mutex->unlock(this->mutex);
 	id->destroy(id);
 	charon->bus->set_sa(charon->bus, ike_sa);
 	return ike_sa;
@@ -515,6 +1045,14 @@ static ike_sa_t* checkout_by_config(private_ike_sa_manager_t *this,
 	identification_t *my_id, *other_id;
 	host_t *my_host, *other_host;
 	ike_cfg_t *ike_cfg;
+	u_int segment;
+	
+	if (!this->reuse_ikesa)
+	{	/* IKE_SA reuse disable by config */
+		ike_sa = checkout_new(this, TRUE);	
+		charon->bus->set_sa(charon->bus, ike_sa);
+		return ike_sa;
+	}
 	
 	ike_cfg = peer_cfg->get_ike_cfg(peer_cfg);
 	my_id = peer_cfg->get_my_id(peer_cfg);
@@ -522,24 +1060,22 @@ static ike_sa_t* checkout_by_config(private_ike_sa_manager_t *this,
 	my_host = host_create_from_dns(ike_cfg->get_my_addr(ike_cfg), 0, 0);
 	other_host = host_create_from_dns(ike_cfg->get_other_addr(ike_cfg), 0, 0);
 	
-	this->mutex->lock(this->mutex);
-	
-	if (my_host && other_host && this->reuse_ikesa)
+	if (my_host && other_host)
 	{
-		enumerator = this->ike_sa_list->create_enumerator(this->ike_sa_list);
-		while (enumerator->enumerate(enumerator, &entry))
+		enumerator = create_table_enumerator(this);
+		while (enumerator->enumerate(enumerator, &entry, &segment))
 		{
 			identification_t *found_my_id, *found_other_id;
 			host_t *found_my_host, *found_other_host;
 		
-			if (!wait_for_entry(this, entry))
+			if (!wait_for_entry(this, entry, segment))
 			{
 				continue;
 			}
 		
 			if (entry->ike_sa->get_state(entry->ike_sa) == IKE_DELETING)
 			{
-				/* skip IKE_SA which are not useable */
+				/* skip IKE_SAs which are not usable */
 				continue;
 			}
 		
@@ -584,28 +1120,9 @@ static ike_sa_t* checkout_by_config(private_ike_sa_manager_t *this,
 	DESTROY_IF(other_host);
 	
 	if (!ike_sa)
-	{
-		u_int64_t initiator_spi;
-		entry_t *new_entry;
-		ike_sa_id_t *new_ike_sa_id;
-		
-		initiator_spi = get_next_spi(this);
-		new_ike_sa_id = ike_sa_id_create(0, 0, TRUE);
-		new_ike_sa_id->set_initiator_spi(new_ike_sa_id, initiator_spi);
-		
-		/* create entry */
-		new_entry = entry_create(new_ike_sa_id);
-		DBG2(DBG_MGR, "created IKE_SA");
-		new_ike_sa_id->destroy(new_ike_sa_id);
-		
-		this->ike_sa_list->insert_last(this->ike_sa_list, new_entry);
-		
-		/* check ike_sa out */
-		DBG2(DBG_MGR, "new IKE_SA created for IDs [%D]...[%D]", my_id, other_id);
-		new_entry->checked_out = TRUE;
-		ike_sa = new_entry->ike_sa;
+	{	/* no IKE_SA using such a config, hand out a new */
+		ike_sa = checkout_new(this, TRUE);	
 	}
-	this->mutex->unlock(this->mutex);
 	charon->bus->set_sa(charon->bus, ike_sa);
 	return ike_sa;
 }
@@ -621,13 +1138,12 @@ static ike_sa_t* checkout_by_id(private_ike_sa_manager_t *this, u_int32_t id,
 	entry_t *entry;
 	ike_sa_t *ike_sa = NULL;
 	child_sa_t *child_sa;
+	u_int segment;
 	
-	this->mutex->lock(this->mutex);
-	
-	enumerator = this->ike_sa_list->create_enumerator(this->ike_sa_list);
-	while (enumerator->enumerate(enumerator, &entry))
+	enumerator = create_table_enumerator(this);
+	while (enumerator->enumerate(enumerator, &entry, &segment))
 	{
-		if (wait_for_entry(this, entry))
+		if (wait_for_entry(this, entry, segment))
 		{
 			/* look for a child with such a reqid ... */
 			if (child)
@@ -659,7 +1175,6 @@ static ike_sa_t* checkout_by_id(private_ike_sa_manager_t *this, u_int32_t id,
 		}
 	}
 	enumerator->destroy(enumerator);
-	this->mutex->unlock(this->mutex);
 	
 	charon->bus->set_sa(charon->bus, ike_sa);
 	return ike_sa;
@@ -676,13 +1191,12 @@ static ike_sa_t* checkout_by_name(private_ike_sa_manager_t *this, char *name,
 	entry_t *entry;
 	ike_sa_t *ike_sa = NULL;
 	child_sa_t *child_sa;
+	u_int segment;
 	
-	this->mutex->lock(this->mutex);
-	
-	enumerator = this->ike_sa_list->create_enumerator(this->ike_sa_list);
-	while (enumerator->enumerate(enumerator, &entry))
+	enumerator = create_table_enumerator(this);
+	while (enumerator->enumerate(enumerator, &entry, &segment))
 	{
-		if (wait_for_entry(this, entry))
+		if (wait_for_entry(this, entry, segment))
 		{
 			/* look for a child with such a policy name ... */
 			if (child)
@@ -714,68 +1228,18 @@ static ike_sa_t* checkout_by_name(private_ike_sa_manager_t *this, char *name,
 		}
 	}
 	enumerator->destroy(enumerator);
-	this->mutex->unlock(this->mutex);
 	
 	charon->bus->set_sa(charon->bus, ike_sa);
 	return ike_sa;
 }
-	
-/**
- * Implementation of ike_sa_manager_t.checkout_duplicate.
- */
-static ike_sa_t* checkout_duplicate(private_ike_sa_manager_t *this,
-									ike_sa_t *ike_sa)
-{
-	enumerator_t *enumerator;
-	entry_t *entry;
-	ike_sa_t *duplicate = NULL;
-	identification_t *me, *other;
-	
-	me = ike_sa->get_my_id(ike_sa);
-	other = ike_sa->get_other_id(ike_sa);
-	
-	this->mutex->lock(this->mutex);
-	enumerator = this->ike_sa_list->create_enumerator(this->ike_sa_list);
-	while (enumerator->enumerate(enumerator, &entry))
-	{
-		if (entry->ike_sa == ike_sa)
-		{	/* self is not a duplicate */
-			continue;
-		}
-		if (entry->my_id && me->equals(me, entry->my_id) &&
-			entry->other_id && other->equals(other, entry->other_id))
-		{	
-			/* we are sure that the other entry is not calling 
-			 * checkout_duplicate here, as the identities in entry would not
-			 * have been set yet. Otherwise we would risk a deadlock. */
-			if (wait_for_entry(this, entry))
-			{
-				duplicate = entry->ike_sa;
-				entry->checked_out = TRUE;
-				break;
-			}
-		}
-	}
-	enumerator->destroy(enumerator);
-	this->mutex->unlock(this->mutex);
-	return duplicate;
-}
-
-/**
- * enumerator cleanup function
- */
-static void enumerator_unlock(private_ike_sa_manager_t *this)
-{
-	this->mutex->unlock(this->mutex);
-}
 
 /**
  * enumerator filter function 
  */
 static bool enumerator_filter(private_ike_sa_manager_t *this,
-							  entry_t **in, ike_sa_t **out)
+							  entry_t **in, ike_sa_t **out, u_int *segment)
 {
-	if (wait_for_entry(this, *in))
+	if (wait_for_entry(this, *in, *segment))
 	{
 		*out = (*in)->ike_sa;
 		return TRUE;
@@ -784,126 +1248,266 @@ static bool enumerator_filter(private_ike_sa_manager_t *this,
 }
 
 /**
- * Implementation of ike_sa_manager_t.create_iterator.
+ * Implementation of ike_sa_manager_t.create_enumerator.
  */
 static enumerator_t *create_enumerator(private_ike_sa_manager_t* this)
 {
-	this->mutex->lock(this->mutex);
 	return enumerator_create_filter(
-						this->ike_sa_list->create_enumerator(this->ike_sa_list),
-						(void*)enumerator_filter, this, (void*)enumerator_unlock);
+						create_table_enumerator(this),
+						(void*)enumerator_filter, this, NULL);
 }
 
 /**
  * Implementation of ike_sa_manager_t.checkin.
  */
-static status_t checkin(private_ike_sa_manager_t *this, ike_sa_t *ike_sa)
+static void checkin(private_ike_sa_manager_t *this, ike_sa_t *ike_sa)
 {
 	/* to check the SA back in, we look for the pointer of the ike_sa
 	 * in all entries.
-	 * We can't search by SPI's since the MAY have changed (e.g. on reception
-	 * of a IKE_SA_INIT response). Updating of the SPI MAY be necessary...
+	 * The lookup is done by initiator SPI, so even if the SPI has changed (e.g.
+	 * on reception of a IKE_SA_INIT response) the lookup will work but
+	 * updating of the SPI MAY be necessary...
 	 */
-	status_t retval;
 	entry_t *entry;
 	ike_sa_id_t *ike_sa_id;
 	host_t *other;
 	identification_t *my_id, *other_id;
+	u_int segment;
 	
 	ike_sa_id = ike_sa->get_id(ike_sa);
+	my_id = ike_sa->get_my_id(ike_sa);
+	other_id = ike_sa->get_other_id(ike_sa);
+	other = ike_sa->get_other_host(ike_sa);
 	
 	DBG2(DBG_MGR, "checkin IKE_SA");
 	
-	this->mutex->lock(this->mutex);
-
 	/* look for the entry */
-	if (get_entry_by_sa(this, ike_sa, &entry) == SUCCESS)
+	if (get_entry_by_sa(this, ike_sa_id, ike_sa, &entry, &segment) == SUCCESS)
 	{
 		/* ike_sa_id must be updated */
 		entry->ike_sa_id->replace_values(entry->ike_sa_id, ike_sa->get_id(ike_sa));
 		/* signal waiting threads */
 		entry->checked_out = FALSE;
 		entry->message_id = -1;
-		/* apply remote address for DoS detection */
-		other = ike_sa->get_other_host(ike_sa);
-		if (!entry->other || !other->equals(other, entry->other))
+		/* check if this SA is half-open */
+		if (entry->half_open && ike_sa->get_state(ike_sa) != IKE_CONNECTING)
 		{
-			DESTROY_IF(entry->other);
-			entry->other = other->clone(other);
+			/* not half open anymore */
+			entry->half_open = FALSE;
+			remove_half_open(this, entry);
 		}
-		/* apply identities for diplicate test */
-		my_id = ike_sa->get_my_id(ike_sa);
-		other_id = ike_sa->get_other_id(ike_sa);
-		if (!entry->my_id ||
-			entry->my_id->get_type(entry->my_id) == ID_ANY)
+		else if (entry->half_open && !other->ip_equals(other, entry->other))
 		{
-			DESTROY_IF(entry->my_id);
-			entry->my_id = my_id->clone(my_id);
+			/* the other host's IP has changed, we must update the hash table */
+			remove_half_open(this, entry);
+			DESTROY_IF(entry->other);
+			entry->other = other->clone(other);
+			put_half_open(this, entry);
 		}
-		if (!entry->other_id ||
-			entry->other_id->get_type(entry->other_id) == ID_ANY)
+		else if (!entry->half_open &&
+				 !entry->ike_sa_id->is_initiator(entry->ike_sa_id) &&
+				 ike_sa->get_state(ike_sa) == IKE_CONNECTING)
 		{
-			DESTROY_IF(entry->other_id);
-			entry->other_id = other_id->clone(other_id);
+			/* this is a new half-open SA */
+			entry->half_open = TRUE;
+			entry->other = other->clone(other);
+			put_half_open(this, entry);
 		}
 		DBG2(DBG_MGR, "check-in of IKE_SA successful.");
 		entry->condvar->signal(entry->condvar);
-	 	retval = SUCCESS;
 	}
 	else
 	{
-		DBG2(DBG_MGR, "tried to check in nonexisting IKE_SA");
-		/* this SA is no more, this REALLY should not happen */
-		retval = NOT_FOUND;
+		entry = entry_create();
+		entry->ike_sa_id = ike_sa_id->clone(ike_sa_id);
+		entry->ike_sa = ike_sa;
+		segment = put_entry(this, entry);
+	}
+	
+	/* apply identities for duplicate test (only as responder) */
+	if (!entry->ike_sa_id->is_initiator(entry->ike_sa_id) &&
+			(!entry->my_id || !entry->other_id))
+	{
+		if (!entry->my_id && my_id->get_type(my_id) != ID_ANY)
+		{
+			entry->my_id = my_id->clone(my_id);
+		}
+		if (!entry->other_id && other_id->get_type(other_id) != ID_ANY)
+		{
+			entry->other_id = other_id->clone(other_id);
+		}
+		if (entry->my_id && entry->other_id)
+		{
+			put_connected_peers(this, entry);
+		}
 	}
 	
-	DBG2(DBG_MGR, "%d IKE_SAs in manager now",
-		 this->ike_sa_list->get_count(this->ike_sa_list));
-	this->mutex->unlock(this->mutex);
+	unlock_single_segment(this, segment);
 	
 	charon->bus->set_sa(charon->bus, NULL);
-	return retval;
 }
 
-
 /**
  * Implementation of ike_sa_manager_t.checkin_and_destroy.
  */
-static status_t checkin_and_destroy(private_ike_sa_manager_t *this, ike_sa_t *ike_sa)
+static void checkin_and_destroy(private_ike_sa_manager_t *this, ike_sa_t *ike_sa)
 {
-	/* deletion is a bit complex, we must garant that no thread is waiting for
+	/* deletion is a bit complex, we must ensure that no thread is waiting for
 	 * this SA.
-	 * We take this SA from the list, and start signaling while threads
+	 * We take this SA from the table, and start signaling while threads
 	 * are in the condvar.
 	 */
 	entry_t *entry;
-	status_t retval;
 	ike_sa_id_t *ike_sa_id;
+	u_int segment;
 	
 	ike_sa_id = ike_sa->get_id(ike_sa);
+	
 	DBG2(DBG_MGR, "checkin and destroy IKE_SA");
-
-	this->mutex->lock(this->mutex);
-
-	if (get_entry_by_sa(this, ike_sa, &entry) == SUCCESS)
+	
+	if (get_entry_by_sa(this, ike_sa_id, ike_sa, &entry, &segment) == SUCCESS)
 	{
 		/* drive out waiting threads, as we are in hurry */
 		entry->driveout_waiting_threads = TRUE;
+		/* mark it, so no new threads can get this entry */
+		entry->driveout_new_threads = TRUE;
+		/* wait until all workers have done their work */
+		while (entry->waiting_threads)
+		{
+			/* wake up all */
+			entry->condvar->broadcast(entry->condvar);
+			/* they will wake us again when their work is done */
+			entry->condvar->wait(entry->condvar, this->segments[segment].mutex);
+		}
+		remove_entry(this, entry);
+		unlock_single_segment(this, segment);
+		
+		if (entry->half_open)
+		{
+			remove_half_open(this, entry);
+		}
+		if (!entry->ike_sa_id->is_initiator(entry->ike_sa_id) &&
+			entry->my_id && entry->other_id)
+		{
+			remove_connected_peers(this, entry);
+		}
 		
-		delete_entry(this, entry);
+		entry_destroy(entry);
 		
 		DBG2(DBG_MGR, "check-in and destroy of IKE_SA successful");
-		retval = SUCCESS;
 	}
 	else
 	{
-		DBG2(DBG_MGR, "tried to check-in and delete nonexisting IKE_SA");
-		retval = NOT_FOUND;
+		DBG1(DBG_MGR, "tried to check-in and delete nonexisting IKE_SA");
+		ike_sa->destroy(ike_sa);
 	}
 	charon->bus->set_sa(charon->bus, NULL);
+}
+
+	
+/**
+ * Implementation of ike_sa_manager_t.check_uniqueness.
+ */
+static bool check_uniqueness(private_ike_sa_manager_t *this, ike_sa_t *ike_sa)
+{
+	bool cancel = FALSE;
+	peer_cfg_t *peer_cfg;
+	unique_policy_t policy;
+	linked_list_t *list, *duplicate_ids = NULL;
+	enumerator_t *enumerator;
+	ike_sa_id_t *duplicate_id = NULL;
+	identification_t *me, *other;
+	u_int row, segment;
+	rwlock_t *lock;
+	
+	peer_cfg = ike_sa->get_peer_cfg(ike_sa);
+	policy = peer_cfg->get_unique_policy(peer_cfg);
+	if (policy == UNIQUE_NO)
+	{
+		return FALSE;
+	}
+	
+	me = ike_sa->get_my_id(ike_sa);
+	other = ike_sa->get_other_id(ike_sa);
+	
+	row = chunk_hash_inc(other->get_encoding(other),
+						 chunk_hash(me->get_encoding(me))) & this->table_mask;
+	segment = row & this->segment_mask;
+	
+	lock = this->connected_peers_segments[segment & this->segment_mask].lock;
+	lock->read_lock(lock);
+	if ((list = this->connected_peers_table[row]) != NULL)
+	{
+		connected_peers_t *current;
+		
+		if (list->find_first(list, (linked_list_match_t)connected_peers_match,
+							 (void**)&current, me, other) == SUCCESS)
+		{
+			/* clone the list, so we can release the lock */
+			duplicate_ids = current->sas->clone_offset(current->sas,
+												offsetof(ike_sa_id_t, clone));
+		}
+	}
+	lock->unlock(lock);
+	
+	if (!duplicate_ids)
+	{
+		return FALSE;
+	}
 	
-	this->mutex->unlock(this->mutex);
-	return retval;
+	enumerator = duplicate_ids->create_enumerator(duplicate_ids);
+	while (enumerator->enumerate(enumerator, &duplicate_id))
+	{
+		status_t status = SUCCESS;
+		ike_sa_t *duplicate;
+		
+		duplicate = checkout(this, duplicate_id);
+		if (!duplicate)
+		{
+			continue;
+		}
+		peer_cfg = duplicate->get_peer_cfg(duplicate);
+		if (peer_cfg && peer_cfg->equals(peer_cfg, ike_sa->get_peer_cfg(ike_sa)))
+		{
+			switch (duplicate->get_state(duplicate))
+			{
+				case IKE_ESTABLISHED:
+				case IKE_REKEYING:
+					switch (policy)
+					{
+						case UNIQUE_REPLACE:
+							DBG1(DBG_IKE, "deleting duplicate IKE_SA due"
+									" uniqueness policy");
+							status = duplicate->delete(duplicate);
+							break;
+						case UNIQUE_KEEP:
+							cancel = TRUE;
+							/* we keep the first IKE_SA and delete all
+							 * other duplicates that might exist */
+							policy = UNIQUE_REPLACE;
+							break;
+						default:
+							break;
+					}
+					break;
+				default:
+					break;
+			}
+		}
+		if (status == DESTROY_ME)
+		{
+			checkin_and_destroy(this, duplicate);
+		}
+		else
+		{
+			checkin(this, duplicate);
+		}
+	}
+	enumerator->destroy(enumerator);
+	duplicate_ids->destroy_offset(duplicate_ids, offsetof(ike_sa_id_t, destroy));
+	/* reset thread's current IKE_SA after checkin */
+	charon->bus->set_sa(charon->bus, ike_sa);
+	return cancel;
 }
 
 /**
@@ -911,35 +1515,43 @@ static status_t checkin_and_destroy(private_ike_sa_manager_t *this, ike_sa_t *ik
  */
 static int get_half_open_count(private_ike_sa_manager_t *this, host_t *ip)
 {
-	enumerator_t *enumerator;
-	entry_t *entry;
 	int count = 0;
 
-	this->mutex->lock(this->mutex);
-	enumerator = this->ike_sa_list->create_enumerator(this->ike_sa_list);
-	while (enumerator->enumerate(enumerator, &entry))
+	if (ip)
 	{
-		/* we check if we have a responder CONNECTING IKE_SA without checkout */
-		if (!entry->ike_sa_id->is_initiator(entry->ike_sa_id) &&
-			entry->ike_sa->get_state(entry->ike_sa) == IKE_CONNECTING)
+		linked_list_t *list;
+		chunk_t addr = ip->get_address(ip);
+		u_int row = chunk_hash(addr) & this->table_mask;
+		u_int segment = row & this->segment_mask;
+		
+		rwlock_t *lock = this->half_open_segments[segment & this->segment_mask].lock;
+		lock->read_lock(lock);
+		if ((list = this->half_open_table[row]) != NULL)
 		{
-			/* if we have a host, count only matching IKE_SAs */
-			if (ip)
-			{
-				if (entry->other && ip->ip_equals(ip, entry->other))
-				{
-					count++;
-				}
-			}
-			else
+			half_open_t *current;
+			
+			if (list->find_first(list, (linked_list_match_t)half_open_match,
+								 (void**)&current, &addr) == SUCCESS)
 			{
-				count++;
+				count = current->count;
 			}
 		}
+		lock->unlock(lock);
+	}
+	else
+	{
+		u_int segment;
+		
+		for (segment = 0; segment < this->segment_count; ++segment)
+		{
+			rwlock_t *lock;
+			lock = this->half_open_segments[segment & this->segment_mask].lock;
+			lock->read_lock(lock);
+			count += this->half_open_segments[segment].count;
+			lock->unlock(lock);
+		}
 	}
-	enumerator->destroy(enumerator);
 	
-	this->mutex->unlock(this->mutex);
 	return count;
 }
 
@@ -951,13 +1563,14 @@ static void flush(private_ike_sa_manager_t *this)
 	/* destroy all list entries */
 	enumerator_t *enumerator;
 	entry_t *entry;
+	u_int segment;
 	
-	this->mutex->lock(this->mutex);
+	lock_all_segments(this);
 	DBG2(DBG_MGR, "going to destroy IKE_SA manager and all managed IKE_SA's");
 	/* Step 1: drive out all waiting threads  */
 	DBG2(DBG_MGR, "set driveout flags for all stored IKE_SA's");
-	enumerator = this->ike_sa_list->create_enumerator(this->ike_sa_list);
-	while (enumerator->enumerate(enumerator, &entry))
+	enumerator = create_table_enumerator(this);
+	while (enumerator->enumerate(enumerator, &entry, &segment))
 	{
 		/* do not accept new threads, drive out waiting threads */
 		entry->driveout_new_threads = TRUE;
@@ -966,22 +1579,22 @@ static void flush(private_ike_sa_manager_t *this)
 	enumerator->destroy(enumerator);
 	DBG2(DBG_MGR, "wait for all threads to leave IKE_SA's");
 	/* Step 2: wait until all are gone */
-	enumerator = this->ike_sa_list->create_enumerator(this->ike_sa_list);
-	while (enumerator->enumerate(enumerator, &entry))
+	enumerator = create_table_enumerator(this);
+	while (enumerator->enumerate(enumerator, &entry, &segment))
 	{
-		while (entry->waiting_threads)
+		while (entry->waiting_threads || entry->checked_out)
 		{
 			/* wake up all */
 			entry->condvar->broadcast(entry->condvar);
 			/* go sleeping until they are gone */
-			entry->condvar->wait(entry->condvar, this->mutex);
+			entry->condvar->wait(entry->condvar, this->segments[segment].mutex);
 		}
 	}
 	enumerator->destroy(enumerator);
 	DBG2(DBG_MGR, "delete all IKE_SA's");
 	/* Step 3: initiate deletion of all IKE_SAs */
-	enumerator = this->ike_sa_list->create_enumerator(this->ike_sa_list);
-	while (enumerator->enumerate(enumerator, &entry))
+	enumerator = create_table_enumerator(this);
+	while (enumerator->enumerate(enumerator, &entry, &segment))
 	{
 		charon->bus->set_sa(charon->bus, entry->ike_sa);
 		entry->ike_sa->delete(entry->ike_sa);
@@ -990,14 +1603,25 @@ static void flush(private_ike_sa_manager_t *this)
 	
 	DBG2(DBG_MGR, "destroy all entries");
 	/* Step 4: destroy all entries */
-	while (this->ike_sa_list->remove_last(this->ike_sa_list,
-										  (void**)&entry) == SUCCESS)
+	enumerator = create_table_enumerator(this);
+	while (enumerator->enumerate(enumerator, &entry, &segment))
 	{
 		charon->bus->set_sa(charon->bus, entry->ike_sa);
+		if (entry->half_open)
+		{
+			remove_half_open(this, entry);
+		}
+		if (!entry->ike_sa_id->is_initiator(entry->ike_sa_id) &&
+			entry->my_id && entry->other_id)
+		{
+			remove_connected_peers(this, entry);
+		}
+		remove_entry_at((private_enumerator_t*)enumerator);
 		entry_destroy(entry);
 	}
+	enumerator->destroy(enumerator);
 	charon->bus->set_sa(charon->bus, NULL);
-	this->mutex->unlock(this->mutex);
+	unlock_all_segments(this);
 }
 
 /**
@@ -1005,18 +1629,67 @@ static void flush(private_ike_sa_manager_t *this)
  */
 static void destroy(private_ike_sa_manager_t *this)
 {
-	this->ike_sa_list->destroy(this->ike_sa_list);
+	u_int i;
+
+	for (i = 0; i < this->table_size; ++i)
+	{
+		linked_list_t *list;
+
+		if ((list = this->ike_sa_table[i]) != NULL)
+		{
+			list->destroy(list);
+		}
+		if ((list = this->half_open_table[i]) != NULL)
+		{
+			list->destroy(list);
+		}
+		if ((list = this->connected_peers_table[i]) != NULL)
+		{
+			list->destroy(list);
+		}
+	}
+	free(this->ike_sa_table);
+	free(this->half_open_table);
+	free(this->connected_peers_table);
+	for (i = 0; i < this->segment_count; ++i)
+	{
+		this->segments[i].mutex->destroy(this->segments[i].mutex);
+		this->half_open_segments[i].lock->destroy(this->half_open_segments[i].lock);
+		this->connected_peers_segments[i].lock->destroy(this->connected_peers_segments[i].lock);
+	}
+	free(this->segments);
+	free(this->half_open_segments);
+	free(this->connected_peers_segments);
+	
 	this->rng->destroy(this->rng);
 	this->hasher->destroy(this->hasher);
-	this->mutex->destroy(this->mutex);
 	free(this);
 }
 
+/**
+ * This function returns the next-highest power of two for the given number.
+ * The algorithm works by setting all bits on the right-hand side of the most
+ * significant 1 to 1 and then increments the whole number so it rolls over
+ * to the nearest power of two. Note: returns 0 for n == 0
+ */
+static u_int get_nearest_powerof2(u_int n)
+{
+	u_int i;
+	
+	--n;
+	for (i = 1; i < sizeof(u_int) * 8; i <<= 1)
+	{
+		n |= n >> i;
+	}
+	return ++n;
+}
+
 /*
  * Described in header.
  */
 ike_sa_manager_t *ike_sa_manager_create()
 {
+	u_int i;
 	private_ike_sa_manager_t *this = malloc_thing(private_ike_sa_manager_t);
 
 	/* assign public functions */
@@ -1028,10 +1701,10 @@ ike_sa_manager_t *ike_sa_manager_create()
 	this->public.checkout_by_config = (ike_sa_t*(*)(ike_sa_manager_t*,peer_cfg_t*))checkout_by_config;
 	this->public.checkout_by_id = (ike_sa_t*(*)(ike_sa_manager_t*,u_int32_t,bool))checkout_by_id;
 	this->public.checkout_by_name = (ike_sa_t*(*)(ike_sa_manager_t*,char*,bool))checkout_by_name;
-	this->public.checkout_duplicate = (ike_sa_t*(*)(ike_sa_manager_t*, ike_sa_t *ike_sa))checkout_duplicate;
+	this->public.check_uniqueness = (bool(*)(ike_sa_manager_t*, ike_sa_t *ike_sa))check_uniqueness;
 	this->public.create_enumerator = (enumerator_t*(*)(ike_sa_manager_t*))create_enumerator;
-	this->public.checkin = (status_t(*)(ike_sa_manager_t*,ike_sa_t*))checkin;
-	this->public.checkin_and_destroy = (status_t(*)(ike_sa_manager_t*,ike_sa_t*))checkin_and_destroy;
+	this->public.checkin = (void(*)(ike_sa_manager_t*,ike_sa_t*))checkin;
+	this->public.checkin_and_destroy = (void(*)(ike_sa_manager_t*,ike_sa_t*))checkin_and_destroy;
 	this->public.get_half_open_count = (int(*)(ike_sa_manager_t*,host_t*))get_half_open_count;
 	
 	/* initialize private variables */
@@ -1050,10 +1723,44 @@ ike_sa_manager_t *ike_sa_manager_create()
 		free(this);
 		return NULL;
 	}
-	this->ike_sa_list = linked_list_create();
-	this->mutex = mutex_create(MUTEX_DEFAULT);
+	this->table_size = get_nearest_powerof2(lib->settings->get_int(lib->settings,
+						"charon.ikesa_table_size", DEFAULT_HASHTABLE_SIZE));
+	this->table_size = max(1, min(this->table_size, MAX_HASHTABLE_SIZE));
+	this->table_mask = this->table_size - 1;
+	
+	this->segment_count = get_nearest_powerof2(lib->settings->get_int(lib->settings,
+						"charon.ikesa_table_segments", DEFAULT_SEGMENT_COUNT));
+	this->segment_count = max(1, min(this->segment_count, this->table_size));
+	this->segment_mask = this->segment_count - 1;
+	
+	this->ike_sa_table = calloc(this->table_size, sizeof(linked_list_t*));
+	
+	this->segments = (segment_t*)calloc(this->segment_count, sizeof(segment_t));
+	for (i = 0; i < this->segment_count; ++i)
+	{
+		this->segments[i].mutex = mutex_create(MUTEX_RECURSIVE);
+		this->segments[i].count = 0;
+	}
+	
+	/* we use the same table parameters for the table to track half-open SAs */
+	this->half_open_table = calloc(this->table_size, sizeof(linked_list_t*));
+	this->half_open_segments = calloc(this->segment_count, sizeof(shareable_segment_t));
+	for (i = 0; i < this->segment_count; ++i)
+	{
+		this->half_open_segments[i].lock = rwlock_create(RWLOCK_DEFAULT);
+		this->half_open_segments[i].count = 0;
+	}
+	
+	/* also for the hash table used for duplicate tests */
+	this->connected_peers_table = calloc(this->table_size, sizeof(linked_list_t*));
+	this->connected_peers_segments = calloc(this->segment_count, sizeof(shareable_segment_t));
+	for (i = 0; i < this->segment_count; ++i)
+	{
+		this->connected_peers_segments[i].lock = rwlock_create(RWLOCK_DEFAULT);
+		this->connected_peers_segments[i].count = 0;
+	}
+	
 	this->reuse_ikesa = lib->settings->get_bool(lib->settings,
 												"charon.reuse_ikesa", TRUE);
 	return &this->public;
 }
-
diff --git a/src/charon/sa/ike_sa_manager.h b/src/charon/sa/ike_sa_manager.h
index 3f0752cc8..6b6d5a32d 100644
--- a/src/charon/sa/ike_sa_manager.h
+++ b/src/charon/sa/ike_sa_manager.h
@@ -1,5 +1,6 @@
 /*
- * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2005-2008 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
  *
@@ -13,7 +14,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: ike_sa_manager.h 4624 2008-11-11 13:11:44Z tobias $
+ * $Id: ike_sa_manager.h 4811 2008-12-17 09:00:22Z martin $
  */
 
 /**
@@ -32,16 +33,11 @@ typedef struct ike_sa_manager_t ike_sa_manager_t;
 #include <config/peer_cfg.h>
 
 /**
- * The IKE_SA-Manager is responsible for managing all initiated and responded IKE_SA's.
+ * Manages and synchronizes access to all IKE_SAs.
  *
- * To avoid access from multiple threads, IKE_SAs must be checked out from
- * the manager, and checked in after usage. 
- * The manager also handles deletion of SAs.
- *
- * @todo checking of double-checkouts from the same threads would be nice.
- * This could be done by comparing thread-ids via pthread_self()...
- * 
- * @todo Managing of ike_sa_t objects in a hash table instead of linked list.
+ * To synchronize access to thread-unsave IKE_SAs, they are checked out for
+ * use and checked in afterwards. A checked out SA is exclusively accessible
+ * by the owning thread.
  */
 struct ike_sa_manager_t {
 	
@@ -57,7 +53,7 @@ struct ike_sa_manager_t {
 	
 	/**
 	 * Create and check out a new IKE_SA.
-	 * 
+	 *
 	 * @param initiator			TRUE for initiator, FALSE otherwise
 	 * @returns 				created and checked out IKE_SA
 	 */
@@ -103,12 +99,19 @@ struct ike_sa_manager_t {
 								 	 peer_cfg_t *peer_cfg);
 	
 	/**
-	 * Check out a duplicate if ike_sa to do uniqueness tests.
-	 *
-	 * @param ike_sa			ike_sa to get a duplicate from
-	 * @return					checked out duplicate
+	 * Check for duplicates of the given IKE_SA.
+	 * 
+	 * Measures are taken according to the uniqueness policy of the IKE_SA.
+	 * The return value indicates whether duplicates have been found and if
+	 * further measures should be taken (e.g. cancelling an IKE_AUTH exchange).
+	 * check_uniqueness() must be called before the IKE_SA is complete,
+	 * deadlocks occur otherwise.
+	 * 
+	 * @param ike_sa			ike_sa to check
+	 * @return					TRUE, if the given IKE_SA has duplicates and
+	 * 							should be deleted
 	 */
-	ike_sa_t* (*checkout_duplicate)(ike_sa_manager_t *this, ike_sa_t *ike_sa);
+	bool (*check_uniqueness)(ike_sa_manager_t *this, ike_sa_t *ike_sa);
 	
 	/**
 	 * Check out an IKE_SA a unique ID.
@@ -130,8 +133,8 @@ struct ike_sa_manager_t {
 	/**
 	 * Check out an IKE_SA by the policy/connection name.
 	 *
-	 * Check out the IKE_SA by the connections name or by a CHILD_SAs policy
-	 * name.
+	 * Check out the IKE_SA by the configuration name, either from the IKE- or
+	 * one of its CHILD_SAs.
 	 *
 	 * @param name				name of the connection/policy
 	 * @param child				TRUE to use policy name, FALSE to use conn name
@@ -145,8 +148,8 @@ struct ike_sa_manager_t {
 	/**
 	 * Create an enumerator over all stored IKE_SAs.
 	 *
-	 * The avoid synchronization issues, the enumerator locks access
-	 * to the manager exclusively, until it gets destroyed.
+	 * While enumerating an IKE_SA, it is temporarily checked out and
+	 * automatically checked in after the current enumeration step.
 	 *
 	 * @return					enumerator over all IKE_SAs.
 	 */
@@ -154,17 +157,13 @@ struct ike_sa_manager_t {
 	
 	/**
 	 * Checkin the SA after usage.
-	 * 
-	 * @warning the SA pointer MUST NOT be used after checkin! 
-	 * The SA must be checked out again!
-	 *  
+	 *
+	 * If the IKE_SA is not registered in the manager, a new entry is created.
+	 *
 	 * @param ike_sa_id			the SA identifier, will be updated
 	 * @param ike_sa			checked out SA
-	 * @returns 				
-	 * 							- SUCCESS if checked in
-	 * 							- NOT_FOUND when not found (shouldn't happen!)
 	 */
-	status_t (*checkin) (ike_sa_manager_t* this, ike_sa_t *ike_sa);
+	void (*checkin) (ike_sa_manager_t* this, ike_sa_t *ike_sa);
 	
 	/**
 	 * Destroy a checked out SA.
@@ -177,11 +176,8 @@ struct ike_sa_manager_t {
 	 * risk that another thread can get the SA.
 	 *
 	 * @param ike_sa			SA to delete
-	 * @returns 				
-	 * 							- SUCCESS if found
-	 * 							- NOT_FOUND when no such SA is available
 	 */
-	status_t (*checkin_and_destroy) (ike_sa_manager_t* this, ike_sa_t *ike_sa);
+	void (*checkin_and_destroy) (ike_sa_manager_t* this, ike_sa_t *ike_sa);
 	
 	/**
 	 * Get the number of IKE_SAs which are in the connecting state.
@@ -214,7 +210,7 @@ struct ike_sa_manager_t {
 };
 
 /**
- * Create a manager.
+ * Create the IKE_SA manager.
  * 
  * @returns 	ike_sa_manager_t object, NULL if initialization fails
  */
diff --git a/src/charon/sa/keymat.c b/src/charon/sa/keymat.c
index c65bfc3b7..b2e646c93 100644
--- a/src/charon/sa/keymat.c
+++ b/src/charon/sa/keymat.c
@@ -62,6 +62,11 @@ struct private_keymat_t {
 	 */
 	prf_t *prf;
 	
+	/**
+	 * Negotiated PRF algorithm
+	 */
+	pseudo_random_function_t prf_alg;
+	
 	/**
 	 * Key to derive key material from for CHILD_SAs, rekeying
 	 */
@@ -145,7 +150,8 @@ static diffie_hellman_t* create_dh(private_keymat_t *this,
 static bool derive_ike_keys(private_keymat_t *this, proposal_t *proposal,
 							diffie_hellman_t *dh, chunk_t nonce_i,
 							chunk_t nonce_r, ike_sa_id_t *id,
-							private_keymat_t *rekey)
+							pseudo_random_function_t rekey_function,
+							chunk_t rekey_skd)
 {
 	chunk_t skeyseed, key, secret, full_nonce, fixed_nonce, prf_plus_seed;
 	chunk_t spi_i, spi_r;
@@ -153,6 +159,7 @@ static bool derive_ike_keys(private_keymat_t *this, proposal_t *proposal,
 	signer_t *signer_i, *signer_r;
 	prf_plus_t *prf_plus;
 	u_int16_t alg, key_size;
+	prf_t *rekey_prf = NULL;
 	
 	spi_i = chunk_alloca(sizeof(u_int64_t));
 	spi_r = chunk_alloca(sizeof(u_int64_t));
@@ -169,6 +176,7 @@ static bool derive_ike_keys(private_keymat_t *this, proposal_t *proposal,
 			 transform_type_names, PSEUDO_RANDOM_FUNCTION);
 		return FALSE;
 	}
+	this->prf_alg = alg;
 	this->prf = lib->crypto->create_prf(lib->crypto, alg);
 	if (this->prf == NULL)
 	{
@@ -205,7 +213,7 @@ static bool derive_ike_keys(private_keymat_t *this, proposal_t *proposal,
 	 *
 	 * if we are rekeying, SKEYSEED is built on another way
 	 */
-	if (rekey == NULL) /* not rekeying */
+	if (rekey_function == PRF_UNDEFINED) /* not rekeying */
 	{
 		/* SKEYSEED = prf(Ni | Nr, g^ir) */
 		this->prf->set_key(this->prf, fixed_nonce);
@@ -217,11 +225,21 @@ static bool derive_ike_keys(private_keymat_t *this, proposal_t *proposal,
 	{
 		/* SKEYSEED = prf(SK_d (old), [g^ir (new)] | Ni | Nr) 
 		 * use OLD SAs PRF functions for both prf_plus and prf */
+		rekey_prf = lib->crypto->create_prf(lib->crypto, rekey_function);
+		if (!rekey_prf)
+		{
+			DBG1(DBG_IKE, "PRF of old SA %N not supported!",
+				 pseudo_random_function_names, rekey_function);
+			chunk_free(&full_nonce);
+			chunk_free(&fixed_nonce);
+			chunk_clear(&prf_plus_seed);
+			return FALSE;
+		}
 		secret = chunk_cat("mc", secret, full_nonce);
-		rekey->prf->set_key(rekey->prf, rekey->skd);
-		rekey->prf->allocate_bytes(rekey->prf, secret, &skeyseed);
-		rekey->prf->set_key(rekey->prf, skeyseed);
-		prf_plus = prf_plus_create(rekey->prf, prf_plus_seed);
+		rekey_prf->set_key(rekey_prf, rekey_skd);
+		rekey_prf->allocate_bytes(rekey_prf, secret, &skeyseed);
+		rekey_prf->set_key(rekey_prf, skeyseed);
+		prf_plus = prf_plus_create(rekey_prf, prf_plus_seed);
 	}
 	DBG4(DBG_IKE, "SKEYSEED %B", &skeyseed);
 	
@@ -243,6 +261,8 @@ static bool derive_ike_keys(private_keymat_t *this, proposal_t *proposal,
 	{
 		DBG1(DBG_IKE, "no %N selected",
 			 transform_type_names, INTEGRITY_ALGORITHM);
+		prf_plus->destroy(prf_plus);
+		DESTROY_IF(rekey_prf);
 		return FALSE;
 	}
 	signer_i = lib->crypto->create_signer(lib->crypto, alg);
@@ -253,6 +273,7 @@ static bool derive_ike_keys(private_keymat_t *this, proposal_t *proposal,
 			 transform_type_names, INTEGRITY_ALGORITHM,
 			 integrity_algorithm_names ,alg);
 		prf_plus->destroy(prf_plus);
+		DESTROY_IF(rekey_prf);
 		return FALSE;
 	}
 	key_size = signer_i->get_key_size(signer_i);
@@ -284,6 +305,7 @@ static bool derive_ike_keys(private_keymat_t *this, proposal_t *proposal,
 		DBG1(DBG_IKE, "no %N selected",
 			 transform_type_names, ENCRYPTION_ALGORITHM);
 		prf_plus->destroy(prf_plus);
+		DESTROY_IF(rekey_prf);
 		return FALSE;
 	}
 	crypter_i = lib->crypto->create_crypter(lib->crypto, alg, key_size / 8);
@@ -294,6 +316,7 @@ static bool derive_ike_keys(private_keymat_t *this, proposal_t *proposal,
 			 transform_type_names, ENCRYPTION_ALGORITHM,
 			 encryption_algorithm_names, alg, key_size);
 		prf_plus->destroy(prf_plus);
+		DESTROY_IF(rekey_prf);
 		return FALSE;
 	}
 	key_size = crypter_i->get_key_size(crypter_i);
@@ -344,6 +367,7 @@ static bool derive_ike_keys(private_keymat_t *this, proposal_t *proposal,
 	
 	/* all done, prf_plus not needed anymore */
 	prf_plus->destroy(prf_plus);
+	DESTROY_IF(rekey_prf);
 	
 	return TRUE;
 }
@@ -382,9 +406,9 @@ static bool derive_child_keys(private_keymat_t *this,
 		{
 			enc_size = lookup_keylen(keylen_enc, enc_alg);
 		}
-		if (!enc_size)
+		if (enc_alg != ENCR_NULL && !enc_size)
 		{
-			DBG1(DBG_CHD, "no keylenth defined for %N",
+			DBG1(DBG_CHD, "no keylength defined for %N",
 				 encryption_algorithm_names, enc_alg);
 			return FALSE;
 		}
@@ -421,7 +445,7 @@ static bool derive_child_keys(private_keymat_t *this,
 		}
 		if (!int_size)
 		{
-			DBG1(DBG_CHD, "no keylenth defined for %N",
+			DBG1(DBG_CHD, "no keylength defined for %N",
 				 integrity_algorithm_names, int_alg);
 			return FALSE;
 		}
@@ -442,6 +466,15 @@ static bool derive_child_keys(private_keymat_t *this,
 	return TRUE;
 }
 
+/**
+ * Implementation of keymat_t.get_skd
+ */
+static pseudo_random_function_t get_skd(private_keymat_t *this, chunk_t *skd)
+{
+	*skd = this->skd;
+	return this->prf_alg;
+}
+
 /**
  * Implementation of keymat_t.get_signer
  */
@@ -544,8 +577,9 @@ keymat_t *keymat_create(bool initiator)
 	private_keymat_t *this = malloc_thing(private_keymat_t);
 	
 	this->public.create_dh = (diffie_hellman_t*(*)(keymat_t*, diffie_hellman_group_t group))create_dh;
-	this->public.derive_ike_keys = (bool(*)(keymat_t*, proposal_t *proposal, diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r, ike_sa_id_t *id, keymat_t *rekey))derive_ike_keys;
+	this->public.derive_ike_keys = (bool(*)(keymat_t*, proposal_t *proposal, diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r, ike_sa_id_t *id, pseudo_random_function_t,chunk_t))derive_ike_keys;
 	this->public.derive_child_keys = (bool(*)(keymat_t*, proposal_t *proposal, diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r, chunk_t *encr_i, chunk_t *integ_i, chunk_t *encr_r, chunk_t *integ_r))derive_child_keys;
+	this->public.get_skd = (pseudo_random_function_t(*)(keymat_t*, chunk_t *skd))get_skd;
 	this->public.get_signer = (signer_t*(*)(keymat_t*, bool in))get_signer;
 	this->public.get_crypter = (crypter_t*(*)(keymat_t*, bool in))get_crypter;
 	this->public.get_auth_octets = (chunk_t(*)(keymat_t *, bool verify, chunk_t ike_sa_init, chunk_t nonce, identification_t *id))get_auth_octets;
@@ -559,6 +593,7 @@ keymat_t *keymat_create(bool initiator)
 	this->crypter_in = NULL;
 	this->crypter_out = NULL;
 	this->prf = NULL;
+	this->prf_alg = PRF_UNDEFINED;
 	this->skd = chunk_empty;
 	this->skp_verify = chunk_empty;
 	this->skp_build = chunk_empty;
diff --git a/src/charon/sa/keymat.h b/src/charon/sa/keymat.h
index 3ca25da9e..0d6d08f51 100644
--- a/src/charon/sa/keymat.h
+++ b/src/charon/sa/keymat.h
@@ -61,12 +61,15 @@ struct keymat_t {
 	 * @param nonce_i	initiators nonce value
 	 * @param nonce_r	responders nonce value
 	 * @param id		IKE_SA identifier
-	 * @param rekey		keymat of old SA if we are rekeying
+	 * @param rekey_prf	PRF of old SA if rekeying, PRF_UNDEFINED otherwise
+	 * @param rekey_sdk	SKd of old SA if rekeying
 	 * @return			TRUE on success
 	 */
 	bool (*derive_ike_keys)(keymat_t *this, proposal_t *proposal,
 							diffie_hellman_t *dh, chunk_t nonce_i,
-							chunk_t nonce_r, ike_sa_id_t *id, keymat_t *rekey);
+							chunk_t nonce_r, ike_sa_id_t *id,
+							pseudo_random_function_t rekey_function,
+							chunk_t rekey_skd);
 	/**
 	 * Derive keys for a CHILD_SA.
 	 *
@@ -90,6 +93,14 @@ struct keymat_t {
 							  chunk_t nonce_i, chunk_t nonce_r,
 							  chunk_t *encr_i, chunk_t *integ_i,
 							  chunk_t *encr_r, chunk_t *integ_r);
+	/**
+	 * Get SKd to pass to derive_ikey_keys() during rekeying.
+	 *
+	 * @param skd		chunk to write SKd to (internal data)
+	 * @return			PRF function to derive keymat
+	 */
+	pseudo_random_function_t (*get_skd)(keymat_t *this, chunk_t *skd);
+	
 	/**
 	 * Get a signer to sign/verify IKE messages.
 	 *
diff --git a/src/charon/sa/task_manager.c b/src/charon/sa/task_manager.c
index 0630647c9..e5c5fe178 100644
--- a/src/charon/sa/task_manager.c
+++ b/src/charon/sa/task_manager.c
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: task_manager.c 4484 2008-10-27 11:13:33Z martin $
+ * $Id: task_manager.c 4857 2009-02-09 10:45:51Z martin $
  */
 
 #include "task_manager.h"
@@ -48,12 +48,12 @@ typedef struct exchange_t exchange_t;
  * An exchange in the air, used do detect and handle retransmission
  */
 struct exchange_t {
-
+	
 	/**
 	 * Message ID used for this transaction
 	 */
 	u_int32_t mid;
-
+	
 	/**
 	 * generated packet for retransmission
 	 */
@@ -66,17 +66,17 @@ typedef struct private_task_manager_t private_task_manager_t;
  * private data of the task manager
  */
 struct private_task_manager_t {
-
+	
 	/**
 	 * public functions
 	 */
 	task_manager_t public;
-
+	
 	/**
 	 * associated IKE_SA we are serving
 	 */
 	ike_sa_t *ike_sa;
-
+	
 	/**
 	 * Exchange we are currently handling as responder
 	 */
@@ -85,14 +85,14 @@ struct private_task_manager_t {
 		 * Message ID of the exchange
 		 */
 		u_int32_t mid;
-
+		
 		/**
 		 * packet for retransmission
 		 */
 		packet_t *packet;
 		
 	} responding;
-
+	
 	/**
 	 * Exchange we are currently handling as initiator
 	 */
@@ -118,17 +118,17 @@ struct private_task_manager_t {
 		exchange_type_t type;
 	
 	} initiating;
-
+	
 	/**
 	 * List of queued tasks not yet in action
 	 */
 	linked_list_t *queued_tasks;
-
+	
 	/**
 	 * List of active tasks, initiated by ourselve
 	 */
 	linked_list_t *active_tasks;
-
+	
 	/**
 	 * List of tasks initiated by peer
 	 */
@@ -417,43 +417,48 @@ static status_t build_request(private_task_manager_t *this)
 	message->set_exchange_type(message, exchange);
 	this->initiating.type = exchange;
 	this->initiating.retransmitted = 0;
-
+	
 	iterator = this->active_tasks->create_iterator(this->active_tasks, TRUE);
 	while (iterator->iterate(iterator, (void*)&task))
 	{
-	    switch (task->build(task, message))
-	    {
-	        case SUCCESS:
-	            /* task completed, remove it */
-	            iterator->remove(iterator);
-	            task->destroy(task);
-	            break;
-	        case NEED_MORE:
-	            /* processed, but task needs another exchange */
-	            break;
-	        case FAILED:
-	        default:
-	            /* critical failure, destroy IKE_SA */
-	            iterator->destroy(iterator);
+		switch (task->build(task, message))
+		{
+			case SUCCESS:
+				/* task completed, remove it */
+				iterator->remove(iterator);
+				task->destroy(task);
+				break;
+			case NEED_MORE:
+				/* processed, but task needs another exchange */
+				break;
+			case FAILED:
+			default:
+				/* critical failure, destroy IKE_SA */
+				iterator->destroy(iterator);
 				message->destroy(message);
 				flush(this);
-	            return DESTROY_ME;
-	    }
+				return DESTROY_ME;
+		}
 	}
 	iterator->destroy(iterator);
-
-	DESTROY_IF(this->initiating.packet);
+	
+	/* update exchange type if a task changed it */
+	this->initiating.type = message->get_exchange_type(message);
+	
 	status = this->ike_sa->generate_message(this->ike_sa, message,
 											&this->initiating.packet);
-	message->destroy(message);
 	if (status != SUCCESS)
 	{
-	    /* message generation failed. There is nothing more to do than to
+		/* message generation failed. There is nothing more to do than to
 		 * close the SA */
+		message->destroy(message);
 		flush(this);
-	    return DESTROY_ME;
+		return DESTROY_ME;
 	}
 	
+	charon->bus->message(charon->bus, message, FALSE);
+	message->destroy(message);
+	
 	return retransmit(this, this->initiating.mid);
 }
 
@@ -473,32 +478,34 @@ static status_t process_response(private_task_manager_t *this,
 			 exchange_type_names, this->initiating.type);
 		return DESTROY_ME;
 	}
-
+	
 	/* catch if we get resetted while processing */
 	this->reset = FALSE;
 	iterator = this->active_tasks->create_iterator(this->active_tasks, TRUE);
 	while (iterator->iterate(iterator, (void*)&task))
 	{
-	    switch (task->process(task, message))
-	    {
-	        case SUCCESS:
-	            /* task completed, remove it */
-	            iterator->remove(iterator);
-	            task->destroy(task);
-	            break;
-	        case NEED_MORE:
-	            /* processed, but task needs another exchange */
-	            break;
-	        case FAILED:
-	        default:
-	            /* critical failure, destroy IKE_SA */
-	            iterator->destroy(iterator);
-	            return DESTROY_ME;
-	    }
-	    if (this->reset)
-	    {	/* start all over again if we were reset */
-	    	this->reset = FALSE;
-	    	iterator->destroy(iterator);
+		switch (task->process(task, message))
+		{
+			case SUCCESS:
+				/* task completed, remove it */
+				iterator->remove(iterator);
+				task->destroy(task);
+				break;
+			case NEED_MORE:
+				/* processed, but task needs another exchange */
+				break;
+			case FAILED:
+			default:
+				/* critical failure, destroy IKE_SA */
+				iterator->remove(iterator);
+				iterator->destroy(iterator);
+				task->destroy(task);
+				return DESTROY_ME;
+		}
+		if (this->reset)
+		{	/* start all over again if we were reset */
+			this->reset = FALSE;
+			iterator->destroy(iterator);
 			return build_request(this);
 		}	
 	}
@@ -506,7 +513,9 @@ static status_t process_response(private_task_manager_t *this,
 	
 	this->initiating.mid++;
 	this->initiating.type = EXCHANGE_TYPE_UNDEFINED;
-
+	this->initiating.packet->destroy(this->initiating.packet);
+	this->initiating.packet = NULL;
+	
 	return build_request(this);
 }
 
@@ -525,34 +534,34 @@ static void handle_collisions(private_task_manager_t *this, task_t *task)
 	if (type == IKE_REKEY || type == CHILD_REKEY ||
 		type == CHILD_DELETE || type == IKE_DELETE || type == IKE_REAUTH)
 	{
-	    /* find an exchange collision, and notify these tasks */
-	    iterator = this->active_tasks->create_iterator(this->active_tasks, TRUE);
-	    while (iterator->iterate(iterator, (void**)&active))
-	    {
-	    	switch (active->get_type(active))
-	    	{
-	    		case IKE_REKEY:
-	    			if (type == IKE_REKEY || type == IKE_DELETE ||
-	    				type == IKE_REAUTH)
-	    			{
-	    				ike_rekey_t *rekey = (ike_rekey_t*)active;
-	    				rekey->collide(rekey, task);
-	    				break;
-	    			}
-	    			continue;
-	    		case CHILD_REKEY:
-	    			if (type == CHILD_REKEY || type == CHILD_DELETE)
-	    			{
-	    				child_rekey_t *rekey = (child_rekey_t*)active;
-	    				rekey->collide(rekey, task);
-	    				break;
-	    			}
-	    			continue;
-	    		default:
-	    			continue;
-	    	}
-		    iterator->destroy(iterator);
-	    	return;
+		/* find an exchange collision, and notify these tasks */
+		iterator = this->active_tasks->create_iterator(this->active_tasks, TRUE);
+		while (iterator->iterate(iterator, (void**)&active))
+		{
+			switch (active->get_type(active))
+			{
+				case IKE_REKEY:
+					if (type == IKE_REKEY || type == IKE_DELETE ||
+						type == IKE_REAUTH)
+					{
+						ike_rekey_t *rekey = (ike_rekey_t*)active;
+						rekey->collide(rekey, task);
+						break;
+					}
+					continue;
+				case CHILD_REKEY:
+					if (type == CHILD_REKEY || type == CHILD_DELETE)
+					{
+						child_rekey_t *rekey = (child_rekey_t*)active;
+						rekey->collide(rekey, task);
+						break;
+					}
+					continue;
+				default:
+					continue;
+			}
+			iterator->destroy(iterator);
+			return;
 		}
 		iterator->destroy(iterator);
 	}
@@ -571,10 +580,10 @@ static status_t build_response(private_task_manager_t *this, message_t *request)
 	host_t *me, *other;
 	bool delete = FALSE;
 	status_t status;
-
+	
 	me = request->get_destination(request);
 	other = request->get_source(request);
-
+	
 	message = message_create();
 	message->set_exchange_type(message, request->get_exchange_type(request));
 	/* send response along the path the request came in */
@@ -582,29 +591,29 @@ static status_t build_response(private_task_manager_t *this, message_t *request)
 	message->set_destination(message, other->clone(other));
 	message->set_message_id(message, this->responding.mid);
 	message->set_request(message, FALSE);
-
+	
 	iterator = this->passive_tasks->create_iterator(this->passive_tasks, TRUE);
 	while (iterator->iterate(iterator, (void*)&task))
 	{
-	    switch (task->build(task, message))
-	    {
-	        case SUCCESS:
-	            /* task completed, remove it */
-	            iterator->remove(iterator);
+		switch (task->build(task, message))
+		{
+			case SUCCESS:
+				/* task completed, remove it */
+				iterator->remove(iterator);
 				handle_collisions(this, task);
-	        case NEED_MORE:
-	            /* processed, but task needs another exchange */
-	            break;
-	        case FAILED:
-	        default:
-	            /* destroy IKE_SA, but SEND response first */
-	            delete = TRUE;
-	            break;
-	    }
-	    if (delete)
-	    {
-	    	break;
-	    }
+			case NEED_MORE:
+				/* processed, but task needs another exchange */
+				break;
+			case FAILED:
+			default:
+				/* destroy IKE_SA, but SEND response first */
+				delete = TRUE;
+				break;
+		}
+		if (delete)
+		{
+			break;
+		}
 	}
 	iterator->destroy(iterator);
 	
@@ -614,7 +623,7 @@ static status_t build_response(private_task_manager_t *this, message_t *request)
 		ike_sa_id_t *id = this->ike_sa->get_id(this->ike_sa);
 		id->set_responder_spi(id, 0);
 	}
-
+	
 	/* message complete, send it */
 	DESTROY_IF(this->responding.packet);
 	status = this->ike_sa->generate_message(this->ike_sa, message,
@@ -623,7 +632,7 @@ static status_t build_response(private_task_manager_t *this, message_t *request)
 	message->destroy(message);
 	if (status != SUCCESS)
 	{
-	    return DESTROY_ME;
+		return DESTROY_ME;
 	}
 	
 	charon->sender->send(charon->sender,
@@ -646,7 +655,7 @@ static status_t process_request(private_task_manager_t *this,
 	payload_t *payload;
 	notify_payload_t *notify;
 	delete_payload_t *delete;
-
+	
 	/* create tasks depending on request type */
 	switch (message->get_exchange_type(message))
 	{
@@ -713,7 +722,8 @@ static status_t process_request(private_task_manager_t *this,
 			{
 				if (notify_found)
 				{
-					task = (task_t*)child_rekey_create(this->ike_sa, NULL);
+					task = (task_t*)child_rekey_create(this->ike_sa,
+													   PROTO_NONE, 0);
 				}
 				else
 				{
@@ -770,7 +780,8 @@ static status_t process_request(private_task_manager_t *this,
 						}
 						else
 						{
-							task = (task_t*)child_delete_create(this->ike_sa, NULL);
+							task = (task_t*)child_delete_create(this->ike_sa,
+																PROTO_NONE, 0);
 						}
 						break;
 					}
@@ -801,30 +812,32 @@ static status_t process_request(private_task_manager_t *this,
 		default:
 			break;
 	}
-
+	
 	/* let the tasks process the message */
 	iterator = this->passive_tasks->create_iterator(this->passive_tasks, TRUE);
 	while (iterator->iterate(iterator, (void*)&task))
 	{
-	    switch (task->process(task, message))
-	    {
-	        case SUCCESS:
-	            /* task completed, remove it */
-	            iterator->remove(iterator);
-	            task->destroy(task);
-	            break;
-	        case NEED_MORE:
-	            /* processed, but task needs at least another call to build() */
-	            break;
-	        case FAILED:
-	        default:
-	            /* critical failure, destroy IKE_SA */
-	            iterator->destroy(iterator);
-	            return DESTROY_ME;
-	    }
+		switch (task->process(task, message))
+		{
+			case SUCCESS:
+				/* task completed, remove it */
+				iterator->remove(iterator);
+				task->destroy(task);
+				break;
+			case NEED_MORE:
+				/* processed, but task needs at least another call to build() */
+				break;
+			case FAILED:
+			default:
+				/* critical failure, destroy IKE_SA */
+				iterator->remove(iterator);
+				iterator->destroy(iterator);
+				task->destroy(task);
+				return DESTROY_ME;
+		}
 	}
 	iterator->destroy(iterator);
-
+	
 	return build_response(this, message);
 }
 
@@ -834,7 +847,7 @@ static status_t process_request(private_task_manager_t *this,
 static status_t process_message(private_task_manager_t *this, message_t *msg)
 {
 	u_int32_t mid = msg->get_message_id(msg);
-
+	
 	if (msg->get_request(msg))
 	{
 		if (mid == this->responding.mid)
@@ -919,7 +932,7 @@ static void queue_task(private_task_manager_t *this, task_t *task)
 static void adopt_tasks(private_task_manager_t *this, private_task_manager_t *other)
 {
 	task_t *task;
-
+	
 	/* move queued tasks from other to this */
 	while (other->queued_tasks->remove_last(other->queued_tasks,
 												(void**)&task) == SUCCESS)
@@ -950,7 +963,8 @@ static bool busy(private_task_manager_t *this)
 /**
  * Implementation of task_manager_t.reset
  */
-static void reset(private_task_manager_t *this)
+static void reset(private_task_manager_t *this,
+				  u_int32_t initiate, u_int32_t respond)
 {
 	task_t *task;
 	
@@ -959,8 +973,14 @@ static void reset(private_task_manager_t *this)
 	DESTROY_IF(this->initiating.packet);
 	this->responding.packet = NULL;
 	this->initiating.packet = NULL;
-	this->responding.mid = 0;
-	this->initiating.mid = 0;
+	if (initiate != UINT_MAX)
+	{
+		this->initiating.mid = initiate;
+	}
+	if (respond != UINT_MAX)
+	{
+		this->responding.mid = respond;
+	}
 	this->initiating.type = EXCHANGE_TYPE_UNDEFINED;
 	
 	/* reset active tasks */
@@ -996,16 +1016,16 @@ static void destroy(private_task_manager_t *this)
 task_manager_t *task_manager_create(ike_sa_t *ike_sa)
 {
 	private_task_manager_t *this = malloc_thing(private_task_manager_t);
-
+	
 	this->public.process_message = (status_t(*)(task_manager_t*,message_t*))process_message;
 	this->public.queue_task = (void(*)(task_manager_t*,task_t*))queue_task;
 	this->public.initiate = (status_t(*)(task_manager_t*))build_request;
 	this->public.retransmit = (status_t(*)(task_manager_t*,u_int32_t))retransmit;
-	this->public.reset = (void(*)(task_manager_t*))reset;
+	this->public.reset = (void(*)(task_manager_t*,u_int32_t,u_int32_t))reset;
 	this->public.adopt_tasks = (void(*)(task_manager_t*,task_manager_t*))adopt_tasks;
 	this->public.busy = (bool(*)(task_manager_t*))busy;
 	this->public.destroy = (void(*)(task_manager_t*))destroy;
-
+	
 	this->ike_sa = ike_sa;
 	this->responding.packet = NULL;
 	this->initiating.packet = NULL;
@@ -1016,6 +1036,6 @@ task_manager_t *task_manager_create(ike_sa_t *ike_sa)
 	this->active_tasks = linked_list_create();
 	this->passive_tasks = linked_list_create();
 	this->reset = FALSE;
-
+	
 	return &this->public;
 }
diff --git a/src/charon/sa/task_manager.h b/src/charon/sa/task_manager.h
index 6243ac888..2aa6018fd 100644
--- a/src/charon/sa/task_manager.h
+++ b/src/charon/sa/task_manager.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: task_manager.h 3589 2008-03-13 14:14:44Z martin $
+ * $Id: task_manager.h 4689 2008-11-24 12:46:06Z martin $
  */
 
 /**
@@ -25,6 +25,8 @@
 
 typedef struct task_manager_t task_manager_t;
 
+#include <limits.h>
+
 #include <library.h>
 #include <encoding/message.h>
 #include <sa/ike_sa.h>
@@ -125,7 +127,7 @@ struct task_manager_t {
 	 *						- SUCCESS if retransmission sent
 	 */
 	status_t (*retransmit) (task_manager_t *this, u_int32_t message_id);
-
+	
 	/**
 	 * Migrate all tasks from other to this.
 	 *
@@ -143,10 +145,12 @@ struct task_manager_t {
 	 * reset to zero (INVALID_KE_PAYLOAD, COOKIES, ...). The reset() method
 	 * resets the message IDs and resets all active tasks using the migrate()
 	 * method.
-	 * 
-	 * @param other			manager which gives away its tasks
+	 * Use a value of UINT_MAX to keep the current message ID.
+	 *
+	 * @param initiate		message ID to initiate exchanges (send)
+	 * @param respond		message ID to respond to exchanges (expect)
 	 */
-	void (*reset) (task_manager_t *this);
+	void (*reset) (task_manager_t *this, u_int32_t initiate, u_int32_t respond);
 	
 	/**
 	 * Check if we are currently waiting for a reply.
diff --git a/src/charon/sa/tasks/child_create.c b/src/charon/sa/tasks/child_create.c
index 767ceef55..f6043979f 100644
--- a/src/charon/sa/tasks/child_create.c
+++ b/src/charon/sa/tasks/child_create.c
@@ -14,7 +14,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: child_create.c 4618 2008-11-11 09:22:00Z tobias $
+ * $Id: child_create.c 4860 2009-02-11 13:09:52Z martin $
  */
 
 #include "child_create.h"
@@ -117,7 +117,22 @@ struct private_child_create_t {
 	ipcomp_transform_t ipcomp_received;
 	
 	/**
-	 * Other Compression Parameter Index (CPI)
+	 * Own allocated SPI
+	 */
+	u_int32_t my_spi;
+	
+	/**
+	 * SPI received in proposal
+	 */
+	u_int32_t other_spi;
+	
+	/**
+	 * Own allocated Compression Parameter Index (CPI)
+	 */
+	u_int16_t my_cpi;
+	
+	/**
+	 * Other Compression Parameter Index (CPI), received via IPCOMP_SUPPORTED
 	 */
 	u_int16_t other_cpi;
 	
@@ -188,6 +203,36 @@ static bool ts_list_is_host(linked_list_t *list, host_t *host)
 	return is_host;
 }
 
+/**
+ * Allocate SPIs and update proposals
+ */
+static bool allocate_spi(private_child_create_t *this)
+{
+	enumerator_t *enumerator;
+	proposal_t *proposal;
+	
+	/* TODO: allocate additional SPI for AH if we have such proposals */ 
+	this->my_spi = this->child_sa->alloc_spi(this->child_sa, PROTO_ESP);
+	if (this->my_spi)
+	{
+		if (this->initiator)
+		{
+			enumerator = this->proposals->create_enumerator(this->proposals);
+			while (enumerator->enumerate(enumerator, &proposal))
+			{
+				proposal->set_spi(proposal, this->my_spi);
+			}
+			enumerator->destroy(enumerator);
+		}
+		else
+		{
+			this->proposal->set_spi(this->proposal, this->my_spi);
+		}
+		return TRUE;
+	}
+	return FALSE;
+}
+
 /**
  * Install a CHILD_SA for usage, return value:
  * - FAILED: no acceptable proposal
@@ -197,7 +242,9 @@ static bool ts_list_is_host(linked_list_t *list, host_t *host)
 static status_t select_and_install(private_child_create_t *this, bool no_dh)
 {
 	status_t status;
-	chunk_t nonce_i, nonce_r, encr_i, integ_i, encr_r, integ_r;
+	chunk_t nonce_i, nonce_r;
+	chunk_t encr_i = chunk_empty, encr_r = chunk_empty;
+	chunk_t integ_i = chunk_empty, integ_r = chunk_empty;
 	linked_list_t *my_ts, *other_ts;
 	host_t *me, *other, *other_vip, *my_vip;
 	
@@ -216,7 +263,7 @@ static status_t select_and_install(private_child_create_t *this, bool no_dh)
 	other = this->ike_sa->get_other_host(this->ike_sa);
 	my_vip = this->ike_sa->get_virtual_ip(this->ike_sa, TRUE);
 	other_vip = this->ike_sa->get_virtual_ip(this->ike_sa, FALSE);
-
+	
 	this->proposal = this->config->select_proposal(this->config, this->proposals,
 												   no_dh);
 	if (this->proposal == NULL)
@@ -224,6 +271,14 @@ static status_t select_and_install(private_child_create_t *this, bool no_dh)
 		DBG1(DBG_IKE, "no acceptable proposal found");
 		return FAILED;
 	}
+	this->other_spi = this->proposal->get_spi(this->proposal);
+	
+	if (!this->initiator && !allocate_spi(this))
+	{	/* responder has no SPI allocated yet */
+		DBG1(DBG_IKE, "allocating SPI failed");
+		return FAILED;
+	}
+	this->child_sa->set_proposal(this->child_sa, this->proposal);
 	
 	if (!this->proposal->has_dh_group(this->proposal, this->dh_group))
 	{
@@ -328,26 +383,33 @@ static status_t select_and_install(private_child_create_t *this, bool no_dh)
 	}
 	
 	this->child_sa->set_state(this->child_sa, CHILD_INSTALLING);
+	this->child_sa->set_ipcomp(this->child_sa, this->ipcomp);
+	this->child_sa->set_mode(this->child_sa, this->mode);
+	this->child_sa->set_protocol(this->child_sa,
+								 this->proposal->get_protocol(this->proposal));
 	
-	if (this->ipcomp != IPCOMP_NONE)
+	if (this->my_cpi == 0 || this->other_cpi == 0 || this->ipcomp == IPCOMP_NONE)
 	{
-		this->child_sa->activate_ipcomp(this->child_sa, this->ipcomp,
-										this->other_cpi);
+		this->my_cpi = this->other_cpi = 0;
+		this->ipcomp = IPCOMP_NONE;
 	}
-	
 	status = FAILED;
 	if (this->keymat->derive_child_keys(this->keymat, this->proposal,
 			this->dh, nonce_i, nonce_r,	&encr_i, &integ_i, &encr_r, &integ_r))
 	{
 		if (this->initiator)
 		{
-			status = this->child_sa->update(this->child_sa, this->proposal,
-							this->mode, integ_r, integ_i, encr_r, encr_i);
+			status = this->child_sa->install(this->child_sa, encr_r, integ_r,
+										this->my_spi, this->my_cpi, TRUE);
+			status = this->child_sa->install(this->child_sa, encr_i, integ_i,
+										this->other_spi, this->other_cpi, FALSE);
 		}
 		else
 		{
-			status = this->child_sa->add(this->child_sa, this->proposal,
-							this->mode, integ_i, integ_r, encr_i, encr_r);
+			status = this->child_sa->install(this->child_sa, encr_i, integ_i,
+										this->my_spi, this->my_cpi, TRUE);
+			status = this->child_sa->install(this->child_sa, encr_r, integ_r,
+										this->other_spi, this->other_cpi, FALSE);
 		}
 	}
 	chunk_clear(&integ_i);
@@ -361,8 +423,7 @@ static status_t select_and_install(private_child_create_t *this, bool no_dh)
 		return FAILED;
 	}
 	
-	status = this->child_sa->add_policies(this->child_sa, my_ts, other_ts,
-					this->mode, this->proposal->get_protocol(this->proposal));
+	status = this->child_sa->add_policies(this->child_sa, my_ts, other_ts);
 	if (status != SUCCESS)
 	{	
 		DBG1(DBG_IKE, "unable to install IPsec policies (SPD) in kernel");
@@ -436,33 +497,71 @@ static void build_payloads(private_child_create_t *this, message_t *message)
 }
 
 /**
- * Adds an IPCOMP_SUPPORTED notify to the message, if possible
+ * Adds an IPCOMP_SUPPORTED notify to the message, allocating a CPI
  */
-static void build_ipcomp_supported_notify(private_child_create_t *this,
-										  message_t *message)
+static void add_ipcomp_notify(private_child_create_t *this,
+								  message_t *message, u_int8_t ipcomp)
 {
-	u_int16_t cpi;
-	u_int8_t tid;
-
 	if (this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY))
 	{
 		DBG1(DBG_IKE, "IPComp is not supported if either peer is natted, "
 			 "IPComp disabled");
-		this->ipcomp = IPCOMP_NONE;
 		return;
 	}
 	
-	cpi = this->child_sa->allocate_cpi(this->child_sa);
-	tid = this->ipcomp;
-	if (cpi)
+	this->my_cpi = this->child_sa->alloc_cpi(this->child_sa);
+	if (this->my_cpi)
 	{
-		message->add_notify(message, FALSE, IPCOMP_SUPPORTED,
-				chunk_cata("cc", chunk_from_thing(cpi), chunk_from_thing(tid)));
+		this->ipcomp = ipcomp;
+		message->add_notify(message, FALSE, IPCOMP_SUPPORTED, 
+							chunk_cata("cc", chunk_from_thing(this->my_cpi),
+									   chunk_from_thing(ipcomp)));
 	}
 	else
 	{
 		DBG1(DBG_IKE, "unable to allocate a CPI from kernel, IPComp disabled");
-		this->ipcomp = IPCOMP_NONE;
+	}
+}
+
+/**
+ * handle a received notify payload
+ */
+static void handle_notify(private_child_create_t *this, notify_payload_t *notify)
+{
+	switch (notify->get_notify_type(notify))
+	{
+		case USE_TRANSPORT_MODE:
+			this->mode = MODE_TRANSPORT;
+			break;
+		case USE_BEET_MODE:
+			this->mode = MODE_BEET;
+			break;
+		case IPCOMP_SUPPORTED:
+		{
+			ipcomp_transform_t ipcomp;
+			u_int16_t cpi;
+			chunk_t data;
+			
+			data = notify->get_notification_data(notify);
+			cpi = *(u_int16_t*)data.ptr;
+			ipcomp = (ipcomp_transform_t)(*(data.ptr + 2));
+			switch (ipcomp)
+			{
+				case IPCOMP_DEFLATE:
+					this->other_cpi = cpi;
+					this->ipcomp_received = ipcomp;
+					break;
+				case IPCOMP_LZS:
+				case IPCOMP_LZJH:
+				default:
+					DBG1(DBG_IKE, "received IPCOMP_SUPPORTED notify with a "
+						 "transform ID we don't support %N",
+						 ipcomp_transform_names, ipcomp);
+					break;
+			}
+		}
+		default:
+			break;
 	}
 }
 
@@ -476,7 +575,6 @@ static void process_payloads(private_child_create_t *this, message_t *message)
 	sa_payload_t *sa_payload;
 	ke_payload_t *ke_payload;
 	ts_payload_t *ts_payload;
-	notify_payload_t *notify_payload;
 	
 	/* defaults to TUNNEL mode */
 	this->mode = MODE_TUNNEL;
@@ -512,37 +610,7 @@ static void process_payloads(private_child_create_t *this, message_t *message)
 				this->tsr = ts_payload->get_traffic_selectors(ts_payload);
 				break;
 			case NOTIFY:
-				notify_payload = (notify_payload_t*)payload;
-				switch (notify_payload ->get_notify_type(notify_payload ))
-				{
-					case USE_TRANSPORT_MODE:
-						this->mode = MODE_TRANSPORT;
-						break;
-					case USE_BEET_MODE:
-						this->mode = MODE_BEET;
-						break;
-					case IPCOMP_SUPPORTED:
-					{
-						chunk_t data = notify_payload->get_notification_data(notify_payload);
-						u_int16_t cpi = *(u_int16_t*)data.ptr;
-						ipcomp_transform_t ipcomp = (ipcomp_transform_t)(*(data.ptr + 2));
-						switch(ipcomp)
-						{
-							case IPCOMP_DEFLATE:
-								this->other_cpi = cpi;
-								this->ipcomp_received = ipcomp;
-								break;
-							case IPCOMP_LZS:
-							case IPCOMP_LZJH:
-							default:
-								DBG1(DBG_IKE, "received IPCOMP_SUPPORTED notify with a transform"
-										" ID we don't support %N", ipcomp_transform_names, ipcomp);
-								break;
-						}
-					}
-					default:
-						break;
-				}
+				handle_notify(this, (notify_payload_t*)payload);
 				break;
 			default:
 				break;
@@ -557,9 +625,8 @@ static void process_payloads(private_child_create_t *this, message_t *message)
 static status_t build_i(private_child_create_t *this, message_t *message)
 {
 	host_t *me, *other, *vip;
-	bool propose_all = FALSE;
 	peer_cfg_t *peer_cfg;
-
+	
 	switch (message->get_exchange_type(message))
 	{
 		case IKE_SA_INIT:
@@ -610,23 +677,18 @@ static status_t build_i(private_child_create_t *this, message_t *message)
 	}
 	
 	/* check if we want a virtual IP, but don't have one */
-	if (!this->reqid)
+	peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
+	vip = peer_cfg->get_virtual_ip(peer_cfg);
+	if (!this->reqid && vip)
 	{
-		peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
-		vip = peer_cfg->get_virtual_ip(peer_cfg);
-		if (vip)
-		{
-			propose_all = TRUE;
-		}
-	}
-	
-	if (propose_all)
-	{	/* propose a 0.0.0.0/0 subnet when we use virtual ip */
+		/* propose a 0.0.0.0/0 or ::/0 subnet when we use virtual ip */
+		vip = host_create_any(vip->get_family(vip));
 		this->tsi = this->config->get_traffic_selectors(this->config, TRUE,
-														NULL, NULL);
+														NULL, vip);
+		vip->destroy(vip);
 	}
 	else
-	{	/* but shorten a 0.0.0.0/0 subnet for host2host/we already have a vip */
+	{	/* but narrow it for host2host / if we already have a vip */
 		this->tsi = this->config->get_traffic_selectors(this->config, TRUE,
 														NULL, me);
 	}
@@ -641,7 +703,7 @@ static status_t build_i(private_child_create_t *this, message_t *message)
 			this->ike_sa->get_other_host(this->ike_sa), this->config, this->reqid,
 			this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY));
 	
-	if (this->child_sa->alloc(this->child_sa, this->proposals) != SUCCESS)
+	if (!allocate_spi(this))
 	{
 		DBG1(DBG_IKE, "unable to allocate SPIs from kernel");
 		return FAILED;
@@ -652,10 +714,10 @@ static status_t build_i(private_child_create_t *this, message_t *message)
 		this->dh = this->keymat->create_dh(this->keymat, this->dh_group);
 	}
 	
-	if (this->config->use_ipcomp(this->config)) {
+	if (this->config->use_ipcomp(this->config))
+	{
 		/* IPCOMP_DEFLATE is the only transform we support at the moment */
-		this->ipcomp = IPCOMP_DEFLATE;
-		build_ipcomp_supported_notify(this, message);
+		add_ipcomp_notify(this, message, IPCOMP_DEFLATE);
 	}
 	
 	build_payloads(this, message);
@@ -821,16 +883,17 @@ static status_t build_r(private_child_create_t *this, message_t *message)
 			this->ike_sa->get_other_host(this->ike_sa), this->config, this->reqid,
 			this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY));
 	
-	if (this->config->use_ipcomp(this->config) &&
-		this->ipcomp_received != IPCOMP_NONE)
+	if (this->ipcomp_received != IPCOMP_NONE)
 	{
-		this->ipcomp = this->ipcomp_received;
-		build_ipcomp_supported_notify(this, message);
-	}
-	else if (this->ipcomp_received != IPCOMP_NONE)
-	{
-		DBG1(DBG_IKE, "received %N notify but IPComp is disabled, ignoring",
-			 notify_type_names, IPCOMP_SUPPORTED);
+		if (this->config->use_ipcomp(this->config))
+		{
+			add_ipcomp_notify(this, message, this->ipcomp_received);
+		}
+		else
+		{
+			DBG1(DBG_IKE, "received %N notify but IPComp is disabled, ignoring",
+				 notify_type_names, IPCOMP_SUPPORTED);
+		}
 	}
 	
 	switch (select_and_install(this, no_dh))
@@ -1052,6 +1115,8 @@ static void migrate(private_child_create_t *this, ike_sa_t *ike_sa)
 	}
 	
 	this->ike_sa = ike_sa;
+	this->keymat = ike_sa->get_keymat(ike_sa);
+	this->proposal = NULL;
 	this->proposals = NULL;
 	this->tsi = NULL;
 	this->tsr = NULL;
@@ -1137,6 +1202,9 @@ child_create_t *child_create_create(ike_sa_t *ike_sa, child_cfg_t *config)
 	this->mode = MODE_TUNNEL;
 	this->ipcomp = IPCOMP_NONE;
 	this->ipcomp_received = IPCOMP_NONE;
+	this->my_spi = 0;
+	this->other_spi = 0;
+	this->my_cpi = 0;
 	this->other_cpi = 0;
 	this->reqid = 0;
 	this->established = FALSE;
diff --git a/src/charon/sa/tasks/child_delete.c b/src/charon/sa/tasks/child_delete.c
index cab1d63f0..0fd4a056b 100644
--- a/src/charon/sa/tasks/child_delete.c
+++ b/src/charon/sa/tasks/child_delete.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: child_delete.c 4434 2008-10-14 08:52:13Z martin $
+ * $Id: child_delete.c 4730 2008-12-01 18:38:28Z martin $
  */
 
 #include "child_delete.h"
@@ -44,9 +44,19 @@ struct private_child_delete_t {
 	bool initiator;
 	
 	/**
- 	 * wheter to enforce delete action policy
- 	 */
- 	bool check_delete_action;
+	 * Protocol of CHILD_SA to delete
+	 */
+	protocol_id_t protocol;
+	
+	/**
+	 * Inbound SPI of CHILD_SA to delete
+	 */
+	u_int32_t spi;
+	
+	/**
+	 * wheter to enforce delete action policy
+	 */
+	bool check_delete_action;
 	
 	/**
 	 * CHILD_SAs which get deleted
@@ -238,6 +248,16 @@ static void log_children(private_child_delete_t *this)
  */
 static status_t build_i(private_child_delete_t *this, message_t *message)
 {
+	child_sa_t *child_sa;
+	
+	child_sa = this->ike_sa->get_child_sa(this->ike_sa, this->protocol,
+										  this->spi, TRUE);
+	if (!child_sa)
+	{	/* child does not exist anymore */
+		return SUCCESS;
+	}
+	this->child_sas->insert_last(this->child_sas, child_sa);
+	
 	log_children(this);
 	build_payloads(this, message);
 	return NEED_MORE;
@@ -323,7 +343,8 @@ static void destroy(private_child_delete_t *this)
 /*
  * Described in header.
  */
-child_delete_t *child_delete_create(ike_sa_t *ike_sa, child_sa_t *child_sa)
+child_delete_t *child_delete_create(ike_sa_t *ike_sa, protocol_id_t protocol,
+									u_int32_t spi)
 {
 	private_child_delete_t *this = malloc_thing(private_child_delete_t);
 
@@ -335,13 +356,14 @@ child_delete_t *child_delete_create(ike_sa_t *ike_sa, child_sa_t *child_sa)
 	this->ike_sa = ike_sa;
 	this->check_delete_action = FALSE;
 	this->child_sas = linked_list_create();
+	this->protocol = protocol;
+	this->spi = spi;
 	
-	if (child_sa != NULL)
+	if (protocol != PROTO_NONE)
 	{
 		this->public.task.build = (status_t(*)(task_t*,message_t*))build_i;
 		this->public.task.process = (status_t(*)(task_t*,message_t*))process_i;
 		this->initiator = TRUE;
-		this->child_sas->insert_last(this->child_sas, child_sa);
 	}
 	else
 	{
diff --git a/src/charon/sa/tasks/child_delete.h b/src/charon/sa/tasks/child_delete.h
index c304ea9d8..c5ebec338 100644
--- a/src/charon/sa/tasks/child_delete.h
+++ b/src/charon/sa/tasks/child_delete.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: child_delete.h 3589 2008-03-13 14:14:44Z martin $
+ * $Id: child_delete.h 4730 2008-12-01 18:38:28Z martin $
  */
 
 /**
@@ -52,9 +52,11 @@ struct child_delete_t {
  * Create a new child_delete task.
  *
  * @param ike_sa		IKE_SA this task works for
- * @param child_sa		CHILD_SA to delete, or NULL as responder
+ * @param protocol		protocol of CHILD_SA to delete, PROTO_NONE as responder
+ * @param spi			inbound SPI of CHILD_SA to delete
  * @return				child_delete task to handle by the task_manager
  */
-child_delete_t *child_delete_create(ike_sa_t *ike_sa, child_sa_t *child_sa);
+child_delete_t *child_delete_create(ike_sa_t *ike_sa, protocol_id_t protocol,
+									u_int32_t spi);
 
 #endif /* CHILD_DELETE_H_ @} */
diff --git a/src/charon/sa/tasks/child_rekey.c b/src/charon/sa/tasks/child_rekey.c
index e50ad33be..0d8cf2db7 100644
--- a/src/charon/sa/tasks/child_rekey.c
+++ b/src/charon/sa/tasks/child_rekey.c
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: child_rekey.c 4659 2008-11-14 14:05:47Z martin $
+ * $Id: child_rekey.c 4730 2008-12-01 18:38:28Z martin $
  */
 
 #include "child_rekey.h"
@@ -48,11 +48,26 @@ struct private_child_rekey_t {
 	 */
 	bool initiator;
 	
+	/**
+	 * Protocol of CHILD_SA to rekey
+	 */
+	protocol_id_t protocol;
+	
+	/**
+	 * Inbound SPI of CHILD_SA to rekey
+	 */
+	u_int32_t spi;
+	
 	/**
 	 * the CHILD_CREATE task which is reused to simplify rekeying
 	 */
 	child_create_t *child_create;
 	
+	/**
+	 * the CHILD_DELETE task to delete rekeyed CHILD_SA
+	 */
+	child_delete_t *child_delete;
+	
 	/**
 	 * CHILD_SA which gets rekeyed
 	 */
@@ -64,6 +79,25 @@ struct private_child_rekey_t {
 	task_t *collision;
 };
 
+/**
+ * Implementation of task_t.build for initiator, after rekeying
+ */
+static status_t build_i_delete(private_child_rekey_t *this, message_t *message)
+{
+	/* update exchange type to INFORMATIONAL for the delete */
+	message->set_exchange_type(message, INFORMATIONAL);
+	
+	return this->child_delete->task.build(&this->child_delete->task, message);
+}
+
+/**
+ * Implementation of task_t.process for initiator, after rekeying
+ */
+static status_t process_i_delete(private_child_rekey_t *this, message_t *message)
+{
+	return this->child_delete->task.process(&this->child_delete->task, message);
+}
+
 /**
  * find a child using the REKEY_SA notify
  */
@@ -104,25 +138,33 @@ static void find_child(private_child_rekey_t *this, message_t *message)
  * Implementation of task_t.build for initiator
  */
 static status_t build_i(private_child_rekey_t *this, message_t *message)
-{	
+{
 	notify_payload_t *notify;
-	protocol_id_t protocol;
-	u_int32_t spi, reqid;
+	u_int32_t reqid;
+	child_cfg_t *config;
+	
+	this->child_sa = this->ike_sa->get_child_sa(this->ike_sa, this->protocol,
+												this->spi, TRUE);
+	if (!this->child_sa)
+	{	/* CHILD_SA is gone, unable to rekey */
+		return SUCCESS;
+	}
+	config = this->child_sa->get_config(this->child_sa);
 	
 	/* we just need the rekey notify ... */
-	protocol = this->child_sa->get_protocol(this->child_sa);
-	spi = this->child_sa->get_spi(this->child_sa, TRUE);
-	notify = notify_payload_create_from_protocol_and_type(protocol, REKEY_SA);
-	notify->set_spi(notify, spi);
+	notify = notify_payload_create_from_protocol_and_type(this->protocol,
+														  REKEY_SA);
+	notify->set_spi(notify, this->spi);
 	message->add_payload(message, (payload_t*)notify);
-
+	
 	/* ... our CHILD_CREATE task does the hard work for us. */
 	reqid = this->child_sa->get_reqid(this->child_sa);
+	this->child_create = child_create_create(this->ike_sa, config);
 	this->child_create->use_reqid(this->child_create, reqid);
 	this->child_create->task.build(&this->child_create->task, message);
 	
 	this->child_sa->set_state(this->child_sa, CHILD_REKEYING);
-
+	
 	return NEED_MORE;
 }
 
@@ -133,7 +175,7 @@ static status_t process_r(private_child_rekey_t *this, message_t *message)
 {
 	/* let the CHILD_CREATE task process the message */
 	this->child_create->task.process(&this->child_create->task, message);
-
+	
 	find_child(this, message);
 	
 	return NEED_MORE;
@@ -265,11 +307,13 @@ static status_t process_i(private_child_rekey_t *this, message_t *message)
 	
 	spi = to_delete->get_spi(to_delete, TRUE);
 	protocol = to_delete->get_protocol(to_delete);
-	if (this->ike_sa->delete_child_sa(this->ike_sa, protocol, spi) != SUCCESS)
-	{
-		return FAILED;
-	}
-	return SUCCESS;
+	
+	/* rekeying done, delete the obsolete CHILD_SA using a subtask */
+	this->child_delete = child_delete_create(this->ike_sa, protocol, spi);
+	this->public.task.build = (status_t(*)(task_t*,message_t*))build_i_delete;
+	this->public.task.process = (status_t(*)(task_t*,message_t*))process_i_delete;
+	
+	return NEED_MORE;
 }
 
 /**
@@ -319,9 +363,16 @@ static void collide(private_child_rekey_t *this, task_t *other)
  */
 static void migrate(private_child_rekey_t *this, ike_sa_t *ike_sa)
 {	
-	this->child_create->task.migrate(&this->child_create->task, ike_sa);
+	if (this->child_create)
+	{
+		this->child_create->task.migrate(&this->child_create->task, ike_sa);
+	}
+	if (this->child_delete)
+	{
+		this->child_delete->task.migrate(&this->child_delete->task, ike_sa);
+	}
 	DESTROY_IF(this->collision);
-
+	
 	this->ike_sa = ike_sa;
 	this->collision = NULL;
 }
@@ -331,7 +382,14 @@ static void migrate(private_child_rekey_t *this, ike_sa_t *ike_sa)
  */
 static void destroy(private_child_rekey_t *this)
 {
-	this->child_create->task.destroy(&this->child_create->task);
+	if (this->child_create)
+	{
+		this->child_create->task.destroy(&this->child_create->task);
+	}
+	if (this->child_delete)
+	{
+		this->child_delete->task.destroy(&this->child_delete->task);
+	}
 	DESTROY_IF(this->collision);
 	free(this);
 }
@@ -339,22 +397,21 @@ static void destroy(private_child_rekey_t *this)
 /*
  * Described in header.
  */
-child_rekey_t *child_rekey_create(ike_sa_t *ike_sa, child_sa_t *child_sa)
+child_rekey_t *child_rekey_create(ike_sa_t *ike_sa, protocol_id_t protocol,
+								  u_int32_t spi)
 {
-	child_cfg_t *config;
 	private_child_rekey_t *this = malloc_thing(private_child_rekey_t);
-
+	
 	this->public.collide = (void (*)(child_rekey_t*,task_t*))collide;
 	this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
 	this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
 	this->public.task.destroy = (void(*)(task_t*))destroy;
-	if (child_sa != NULL)
+	if (protocol != PROTO_NONE)
 	{
 		this->public.task.build = (status_t(*)(task_t*,message_t*))build_i;
 		this->public.task.process = (status_t(*)(task_t*,message_t*))process_i;
 		this->initiator = TRUE;
-		config = child_sa->get_config(child_sa);
-		this->child_create = child_create_create(ike_sa, config);
+		this->child_create = NULL;
 	}
 	else
 	{
@@ -365,8 +422,11 @@ child_rekey_t *child_rekey_create(ike_sa_t *ike_sa, child_sa_t *child_sa)
 	}
 	
 	this->ike_sa = ike_sa;
-	this->child_sa = child_sa;
+	this->child_sa = NULL;
+	this->protocol = protocol;
+	this->spi = spi;
 	this->collision = NULL;
+	this->child_delete = NULL;
 	
 	return &this->public;
 }
diff --git a/src/charon/sa/tasks/child_rekey.h b/src/charon/sa/tasks/child_rekey.h
index b386ef3c6..37b61a9ef 100644
--- a/src/charon/sa/tasks/child_rekey.h
+++ b/src/charon/sa/tasks/child_rekey.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: child_rekey.h 3589 2008-03-13 14:14:44Z martin $
+ * $Id: child_rekey.h 4730 2008-12-01 18:38:28Z martin $
  */
 
 /**
@@ -56,9 +56,11 @@ struct child_rekey_t {
  * Create a new CHILD_REKEY task.
  *
  * @param ike_sa		IKE_SA this task works for
- * @param child_sa 		child_sa to rekey, NULL if responder
+ * @param protocol		protocol of CHILD_SA to rekey, PROTO_NONE as responder
+ * @param spi			inbound SPI of CHILD_SA to rekey
  * @return			  	child_rekey task to handle by the task_manager
  */
-child_rekey_t *child_rekey_create(ike_sa_t *ike_sa, child_sa_t *child_sa);
+child_rekey_t *child_rekey_create(ike_sa_t *ike_sa, protocol_id_t protocol,
+								  u_int32_t spi);
 
 #endif /* CHILD_REKEY_H_ @} */
diff --git a/src/charon/sa/tasks/ike_auth.c b/src/charon/sa/tasks/ike_auth.c
index 5c3f33cbd..93b145755 100644
--- a/src/charon/sa/tasks/ike_auth.c
+++ b/src/charon/sa/tasks/ike_auth.c
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details
  *
- * $Id: ike_auth.c 4463 2008-10-20 11:38:16Z martin $
+ * $Id: ike_auth.c 4858 2009-02-10 17:21:44Z martin $
  */
 
 #include "ike_auth.h"
@@ -87,70 +87,6 @@ struct private_ike_auth_t {
 	bool peer_authenticated;
 };
 
-/**
- * check uniqueness and delete duplicates
- */
-static bool check_uniqueness(private_ike_auth_t *this)
-{
-	ike_sa_t *duplicate;
-	unique_policy_t policy;
-	status_t status = SUCCESS;
-	peer_cfg_t *peer_cfg;
-	bool cancel = FALSE;
-	
-	peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
-	policy = peer_cfg->get_unique_policy(peer_cfg);
-	if (policy == UNIQUE_NO)
-	{
-		return FALSE;
-	}
-	duplicate = charon->ike_sa_manager->checkout_duplicate(
-										charon->ike_sa_manager, this->ike_sa);
-	if (duplicate)
-	{
-		peer_cfg = duplicate->get_peer_cfg(duplicate);
-		if (peer_cfg &&
-			peer_cfg->equals(peer_cfg, this->ike_sa->get_peer_cfg(this->ike_sa)))
-		{
-			switch (duplicate->get_state(duplicate))
-			{
-				case IKE_ESTABLISHED:
-				case IKE_REKEYING:
-					switch (policy)
-					{
-						case UNIQUE_REPLACE:
-							DBG1(DBG_IKE, "deleting duplicate IKE_SA due "
-								 "uniqueness policy");
-							status = duplicate->delete(duplicate);
-							break;
-						case UNIQUE_KEEP:
-							DBG1(DBG_IKE, "cancelling IKE_SA setup due "
-								 "uniqueness policy");
-							cancel = TRUE;
-							break;
-						default:
-							break;
-					}
-					break;
-				default:
-					break;
-			}
-		}
-		if (status == DESTROY_ME)
-		{
-			charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager,
-														duplicate);
-		}
-		else
-		{
-			charon->ike_sa_manager->checkin(charon->ike_sa_manager, duplicate);
-		}
-	}
-	/* set threads active IKE_SA after checkin */
-	charon->bus->set_sa(charon->bus, this->ike_sa);
-	return cancel;
-}
-
 /**
  * get the authentication class of a config
  */
@@ -400,6 +336,12 @@ static status_t build_auth_eap(private_ike_auth_t *this, message_t *message)
 	authenticator_t *auth;
 	auth_payload_t *auth_payload;
 	
+	if (!this->initiator && !this->peer_authenticated)
+	{
+		message->add_notify(message, TRUE, AUTHENTICATION_FAILED, chunk_empty);
+		return FAILED;
+	}
+	
 	auth = (authenticator_t*)this->eap_auth;
 	if (auth->build(auth, this->my_packet->get_data(this->my_packet),
 		this->other_nonce, &auth_payload) != SUCCESS)
@@ -681,8 +623,10 @@ static status_t build_r(private_ike_auth_t *this, message_t *message)
 		return FAILED;
 	}
 	
-	if (check_uniqueness(this))
+	if (charon->ike_sa_manager->check_uniqueness(charon->ike_sa_manager,
+												 this->ike_sa))
 	{
+		DBG1(DBG_IKE, "cancelling IKE_SA setup due uniqueness policy");
 		message->add_notify(message, TRUE, AUTHENTICATION_FAILED, chunk_empty);
 		return FAILED;
 	}
diff --git a/src/charon/sa/tasks/ike_config.c b/src/charon/sa/tasks/ike_config.c
index e89f381d3..b890e93ba 100644
--- a/src/charon/sa/tasks/ike_config.c
+++ b/src/charon/sa/tasks/ike_config.c
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: ike_config.c 4129 2008-07-01 06:36:52Z martin $
+ * $Id: ike_config.c 4867 2009-02-13 11:57:50Z andreas $
  */
 
 #include "ike_config.h"
@@ -21,6 +21,9 @@
 #include <daemon.h>
 #include <encoding/payloads/cp_payload.h>
 
+#define DNS_SERVER_MAX		2
+#define NBNS_SERVER_MAX		2
+
 typedef struct private_ike_config_t private_ike_config_t;
 
 /**
@@ -52,6 +55,11 @@ struct private_ike_config_t {
 	 * list of DNS servers
 	 */
 	linked_list_t *dns;
+
+	/**
+	 * list of WINS servers
+	 */
+	linked_list_t *nbns;
 };
 
 /**
@@ -121,7 +129,10 @@ static void build_payloads(private_ike_config_t *this, message_t *message,
 	else
 	{
 		host_t *ip;
-		iterator_t *iterator = this->dns->create_iterator(this->dns, TRUE);
+		iterator_t *iterator;
+
+		/* Add internal DNS servers */
+		iterator = this->dns->create_iterator(this->dns, TRUE);
 		while (iterator->iterate(iterator, (void**)&ip))
 		{
 			ca = configuration_attribute_create();
@@ -138,6 +149,25 @@ static void build_payloads(private_ike_config_t *this, message_t *message,
 			cp->add_configuration_attribute(cp, ca);
 		}
 		iterator->destroy(iterator);
+
+		/* Add internal WINS servers */
+		iterator = this->nbns->create_iterator(this->nbns, TRUE);
+		while (iterator->iterate(iterator, (void**)&ip))
+		{
+			ca = configuration_attribute_create();
+			if (ip->get_family(ip) == AF_INET)
+			{
+				ca->set_type(ca, INTERNAL_IP4_NBNS);
+			}
+			else
+			{
+				ca->set_type(ca, INTERNAL_IP6_NBNS);
+			}
+			chunk = ip->get_address(ip);
+			ca->set_value(ca, chunk);
+			cp->add_configuration_attribute(cp, ca);
+		}
+		iterator->destroy(iterator);
 	}
 	message->add_payload(message, (payload_t*)cp);
 }
@@ -201,7 +231,22 @@ static void process_attribute(private_ike_config_t *this,
 		}
 		case INTERNAL_IP4_NBNS:
 		case INTERNAL_IP6_NBNS:
-			/* TODO */
+		{
+			addr = ca->get_value(ca);
+			if (addr.len == 0)
+			{
+				ip = host_create_any(family);
+			}
+			else
+			{
+				ip = host_create_from_chunk(family, addr, 0);
+			}
+			if (ip)
+			{
+				this->nbns->insert_last(this->nbns, ip);
+			}
+			break;
+		}
 		default:
 			DBG1(DBG_IKE, "ignoring %N config attribute", 
 	 			 configuration_attribute_type_names,
@@ -351,7 +396,7 @@ static status_t process_i(private_ike_config_t *this, message_t *message)
 		process_payloads(this, message);
 		
 		if (this->virtual_ip == NULL)
-		{	/* force a configured virtual IP, even server didn't return one */
+		{	/* force a configured virtual IP, even if server didn't return one */
 			config = this->ike_sa->get_peer_cfg(this->ike_sa);
 			this->virtual_ip = config->get_virtual_ip(config);
 			if (this->virtual_ip)
@@ -406,6 +451,7 @@ static void destroy(private_ike_config_t *this)
 {
 	DESTROY_IF(this->virtual_ip);
 	this->dns->destroy_offset(this->dns, offsetof(host_t, destroy));
+	this->nbns->destroy_offset(this->nbns, offsetof(host_t, destroy));
 	free(this);
 }
 
@@ -420,6 +466,12 @@ ike_config_t *ike_config_create(ike_sa_t *ike_sa, bool initiator)
 	this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
 	this->public.task.destroy = (void(*)(task_t*))destroy;
 	
+	this->initiator = initiator;
+	this->ike_sa = ike_sa;
+	this->virtual_ip = NULL;
+	this->dns = linked_list_create();
+	this->nbns = linked_list_create();
+
 	if (initiator)
 	{
 		this->public.task.build = (status_t(*)(task_t*,message_t*))build_i;
@@ -427,13 +479,49 @@ ike_config_t *ike_config_create(ike_sa_t *ike_sa, bool initiator)
 	}
 	else
 	{
+		int i;
+
+		/* assign DNS servers */
+		for (i = 1; i <= DNS_SERVER_MAX; i++)
+		{
+			char dns_key[16], *dns_str;
+
+			snprintf(dns_key, sizeof(dns_key), "charon.dns%d", i);
+			dns_str = lib->settings->get_str(lib->settings, dns_key, NULL);
+			if (dns_str)
+			{
+				host_t *dns = host_create_from_string(dns_str, 0);
+
+				if (dns)
+				{
+					DBG2(DBG_CFG, "assigning DNS server %H to peer", dns);
+					this->dns->insert_last(this->dns, dns);
+				}
+			}
+		}
+
+		/* assign WINS servers */
+		for (i = 1; i <= NBNS_SERVER_MAX; i++)
+		{
+			char nbns_key[16], *nbns_str;
+
+			snprintf(nbns_key, sizeof(nbns_key), "charon.nbns%d", i);
+			nbns_str = lib->settings->get_str(lib->settings, nbns_key, NULL);
+			if (nbns_str)
+			{
+				host_t *nbns = host_create_from_string(nbns_str, 0);
+
+				if (nbns)
+				{
+					DBG2(DBG_CFG, "assigning NBNS server %H to peer", nbns);
+					this->nbns->insert_last(this->nbns, nbns);
+				}
+			}
+		}
+
 		this->public.task.build = (status_t(*)(task_t*,message_t*))build_r;
 		this->public.task.process = (status_t(*)(task_t*,message_t*))process_r;
 	}
-	this->initiator = initiator;
-	this->ike_sa = ike_sa;
-	this->virtual_ip = NULL;
-	this->dns = linked_list_create();
-	
+
 	return &this->public;
 }
diff --git a/src/charon/sa/tasks/ike_init.c b/src/charon/sa/tasks/ike_init.c
index bd2cd39bb..139107480 100644
--- a/src/charon/sa/tasks/ike_init.c
+++ b/src/charon/sa/tasks/ike_init.c
@@ -14,7 +14,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: ike_init.c 4531 2008-10-30 12:58:54Z martin $
+ * $Id: ike_init.c 4717 2008-11-28 09:51:44Z martin $
  */
 
 #include "ike_init.h"
@@ -370,13 +370,46 @@ static status_t process_r(private_ike_init_t *this, message_t *message)
 }
 
 /**
- * Implementation of task_t.build for responder
+ * Derive the keymat for the IKE_SA
  */
-static status_t build_r(private_ike_init_t *this, message_t *message)
+static bool derive_keys(private_ike_init_t *this,
+						chunk_t nonce_i, chunk_t nonce_r)
 {
-	keymat_t *old_keymat = NULL;
+	keymat_t *old_keymat;
+	pseudo_random_function_t prf_alg = PRF_UNDEFINED;
+	chunk_t skd = chunk_empty;
 	ike_sa_id_t *id;
 	
+	id = this->ike_sa->get_id(this->ike_sa);
+	if (this->old_sa)
+	{
+		/* rekeying: Include old SKd, use old PRF, apply SPI */
+		old_keymat = this->old_sa->get_keymat(this->old_sa);
+		prf_alg = old_keymat->get_skd(old_keymat, &skd);
+		if (this->initiator)
+		{
+			id->set_responder_spi(id, this->proposal->get_spi(this->proposal));
+		}
+		else
+		{
+			id->set_initiator_spi(id, this->proposal->get_spi(this->proposal));
+		}
+	}
+	if (!this->keymat->derive_ike_keys(this->keymat, this->proposal, this->dh,
+									   nonce_i, nonce_r, id, prf_alg, skd))
+	{
+		return FALSE;
+	}
+	charon->bus->ike_keys(charon->bus, this->ike_sa, this->dh,
+						  nonce_i, nonce_r, this->old_sa);
+	return TRUE;
+}
+
+/**
+ * Implementation of task_t.build for responder
+ */
+static status_t build_r(private_ike_init_t *this, message_t *message)
+{
 	/* check if we have everything we need */
 	if (this->proposal == NULL ||
 		this->other_nonce.len == 0 || this->my_nonce.len == 0)
@@ -410,23 +443,12 @@ static status_t build_r(private_ike_init_t *this, message_t *message)
 		return FAILED;
 	}
 	
-	id = this->ike_sa->get_id(this->ike_sa);
-	if (this->old_sa)
-	{	/* rekeying: Apply SPI, include keymat from old SA in key derivation */
-		id->set_initiator_spi(id, this->proposal->get_spi(this->proposal));
-		old_keymat = this->old_sa->get_keymat(this->old_sa);
-	}
-	if (!this->keymat->derive_ike_keys(this->keymat, this->proposal, this->dh,
-							this->other_nonce, this->my_nonce, id, old_keymat))
+	if (!derive_keys(this, this->other_nonce, this->my_nonce))
 	{
 		DBG1(DBG_IKE, "key derivation failed");
 		message->add_notify(message, TRUE, NO_PROPOSAL_CHOSEN, chunk_empty);
 		return FAILED;
 	}
-	
-	charon->bus->ike_keys(charon->bus, this->ike_sa, this->dh,
-						  this->other_nonce, this->my_nonce, this->old_sa);
-	
 	build_payloads(this, message);
 	return SUCCESS;
 }
@@ -436,8 +458,6 @@ static status_t build_r(private_ike_init_t *this, message_t *message)
  */
 static status_t process_i(private_ike_init_t *this, message_t *message)
 {
-	keymat_t *old_keymat = NULL;
-	ike_sa_id_t *id;
 	iterator_t *iterator;
 	payload_t *payload;
 
@@ -521,22 +541,11 @@ static status_t process_i(private_ike_init_t *this, message_t *message)
 		return FAILED;
 	}
 	
-	id = this->ike_sa->get_id(this->ike_sa);
-	if (this->old_sa)
-	{	/* rekeying: Apply SPI, include keymat from old SA in key derivation */
-		id->set_responder_spi(id, this->proposal->get_spi(this->proposal));
-		old_keymat = this->old_sa->get_keymat(this->old_sa);
-	}
-	if (!this->keymat->derive_ike_keys(this->keymat, this->proposal, this->dh,
-							this->my_nonce, this->other_nonce, id, old_keymat))
+	if (!derive_keys(this, this->my_nonce, this->other_nonce))
 	{
 		DBG1(DBG_IKE, "key derivation failed");
 		return FAILED;
 	}
-	
-	charon->bus->ike_keys(charon->bus, this->ike_sa, this->dh,
-						  this->my_nonce, this->other_nonce, this->old_sa);
-	
 	return SUCCESS;
 }
 
diff --git a/src/charon/sa/tasks/ike_mobike.c b/src/charon/sa/tasks/ike_mobike.c
index a791d1892..b5e065081 100644
--- a/src/charon/sa/tasks/ike_mobike.c
+++ b/src/charon/sa/tasks/ike_mobike.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: ike_mobike.c 4618 2008-11-11 09:22:00Z tobias $
+ * $Id: ike_mobike.c 4816 2008-12-19 14:34:40Z martin $
  */
 
 #include "ike_mobike.h"
@@ -24,6 +24,7 @@
 #include <encoding/payloads/notify_payload.h>
 
 #define COOKIE2_SIZE 16
+#define MAX_ADDITIONAL_ADDRS 8
 
 typedef struct private_ike_mobike_t private_ike_mobike_t;
 
@@ -191,8 +192,8 @@ static void build_address_list(private_ike_mobike_t *this, message_t *message)
 	enumerator_t *enumerator;
 	host_t *host, *me;
 	notify_type_t type;
-	bool additional = FALSE;
-
+	int added = 0;
+	
 	me = this->ike_sa->get_my_host(this->ike_sa);
 	enumerator = charon->kernel_interface->create_address_enumerator(
 										charon->kernel_interface, FALSE, FALSE);
@@ -214,9 +215,13 @@ static void build_address_list(private_ike_mobike_t *this, message_t *message)
 				continue;
 		}
 		message->add_notify(message, FALSE, type, host->get_address(host));
-		additional = TRUE;
+		if (++added >= MAX_ADDITIONAL_ADDRS)
+		{	/* limit number of notifys, some implementations do not like too
+			 * many of them (f.e. strongSwan ;-) */
+			break;
+		}
 	}
-	if (!additional)
+	if (!added)
 	{
 		message->add_notify(message, FALSE, NO_ADDITIONAL_ADDRESSES, chunk_empty);
 	}
@@ -251,7 +256,7 @@ static void update_children(private_ike_mobike_t *this)
 	iterator = this->ike_sa->create_child_sa_iterator(this->ike_sa);
 	while (iterator->iterate(iterator, (void**)&child_sa))
 	{
-		if (child_sa->update_hosts(child_sa,
+		if (child_sa->update(child_sa,
 				this->ike_sa->get_my_host(this->ike_sa), 
 				this->ike_sa->get_other_host(this->ike_sa),
 				this->ike_sa->get_virtual_ip(this->ike_sa, TRUE),
@@ -516,6 +521,10 @@ static status_t process_i(private_ike_mobike_t *this, message_t *message)
 				/* start the update with the same task */
 				this->check = FALSE;
 				this->address = FALSE;
+				if (this->natd)
+				{
+					this->natd->task.destroy(&this->natd->task);
+				}
 				this->natd = ike_natd_create(this->ike_sa, this->initiator);
 				this->ike_sa->set_pending_updates(this->ike_sa, 1);
 				return NEED_MORE;
diff --git a/src/charon/sa/tasks/ike_rekey.c b/src/charon/sa/tasks/ike_rekey.c
index 28d63cca7..e61d161bc 100644
--- a/src/charon/sa/tasks/ike_rekey.c
+++ b/src/charon/sa/tasks/ike_rekey.c
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: ike_rekey.c 4659 2008-11-14 14:05:47Z martin $
+ * $Id: ike_rekey.c 4730 2008-12-01 18:38:28Z martin $
  */
 
 #include "ike_rekey.h"
@@ -21,6 +21,7 @@
 #include <daemon.h>
 #include <encoding/payloads/notify_payload.h>
 #include <sa/tasks/ike_init.h>
+#include <sa/tasks/ike_delete.h>
 #include <processing/jobs/delete_ike_sa_job.h>
 #include <processing/jobs/rekey_ike_sa_job.h>
 
@@ -57,12 +58,36 @@ struct private_ike_rekey_t {
 	 */
 	ike_init_t *ike_init;
 	
+	/**
+	 * IKE_DELETE task to delete the old IKE_SA after rekeying was successful
+	 */
+	ike_delete_t *ike_delete;
+	
 	/**
 	 * colliding task detected by the task manager
 	 */
 	task_t *collision;
 };
 
+/**
+ * Implementation of task_t.build for initiator, after rekeying
+ */
+static status_t build_i_delete(private_ike_rekey_t *this, message_t *message)
+{
+	/* update exchange type to INFORMATIONAL for the delete */
+	message->set_exchange_type(message, INFORMATIONAL);
+	
+	return this->ike_delete->task.build(&this->ike_delete->task, message);
+}
+
+/**
+ * Implementation of task_t.process for initiator, after rekeying
+ */
+static status_t process_i_delete(private_ike_rekey_t *this, message_t *message)
+{
+	return this->ike_delete->task.process(&this->ike_delete->task, message);
+}
+
 /**
  * Implementation of task_t.build for initiator
  */
@@ -168,7 +193,6 @@ static status_t build_r(private_ike_rekey_t *this, message_t *message)
  */
 static status_t process_i(private_ike_rekey_t *this, message_t *message)
 {
-	job_t *job;
 	ike_sa_id_t *to_delete;
 	iterator_t *iterator;
 	payload_t *payload;
@@ -271,10 +295,12 @@ static status_t process_i(private_ike_rekey_t *this, message_t *message)
 		charon->bus->set_sa(charon->bus, this->ike_sa);
 	}
 	
-	job = (job_t*)delete_ike_sa_job_create(to_delete, TRUE);
-	charon->processor->queue_job(charon->processor, job);	
+	/* rekeying successful, delete the IKE_SA using a subtask */
+	this->ike_delete = ike_delete_create(this->ike_sa, TRUE);
+	this->public.task.build = (status_t(*)(task_t*,message_t*))build_i_delete;
+	this->public.task.process = (status_t(*)(task_t*,message_t*))process_i_delete;
 	
-	return SUCCESS;
+	return NEED_MORE;
 }
 
 /**
@@ -300,6 +326,10 @@ static void migrate(private_ike_rekey_t *this, ike_sa_t *ike_sa)
 	{
 		this->ike_init->task.destroy(&this->ike_init->task);
 	}
+	if (this->ike_delete)
+	{
+		this->ike_delete->task.destroy(&this->ike_delete->task);
+	}
 	if (this->new_sa)
 	{
 		charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager,
@@ -308,11 +338,12 @@ static void migrate(private_ike_rekey_t *this, ike_sa_t *ike_sa)
 		charon->bus->set_sa(charon->bus, this->ike_sa);
 	}
 	DESTROY_IF(this->collision);
-
+	
 	this->collision = NULL;
 	this->ike_sa = ike_sa;
 	this->new_sa = NULL;
 	this->ike_init = NULL;
+	this->ike_delete = NULL;
 }
 
 /**
@@ -339,6 +370,10 @@ static void destroy(private_ike_rekey_t *this)
 	{
 		this->ike_init->task.destroy(&this->ike_init->task);
 	}
+	if (this->ike_delete)
+	{
+		this->ike_delete->task.destroy(&this->ike_delete->task);
+	}
 	DESTROY_IF(this->collision);
 	free(this);
 }
@@ -368,6 +403,7 @@ ike_rekey_t *ike_rekey_create(ike_sa_t *ike_sa, bool initiator)
 	this->ike_sa = ike_sa;
 	this->new_sa = NULL;
 	this->ike_init = NULL;
+	this->ike_delete = NULL;
 	this->initiator = initiator;
 	this->collision = NULL;
 	
diff --git a/src/dumm/Makefile.in b/src/dumm/Makefile.in
index 7c3f28191..6cf2a88af 100644
--- a/src/dumm/Makefile.in
+++ b/src/dumm/Makefile.in
@@ -94,22 +94,17 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
-CXX = @CXX@
-CXXCPP = @CXXCPP@
-CXXDEPMODE = @CXXDEPMODE@
-CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DSYMUTIL = @DSYMUTIL@
-ECHO = @ECHO@
+DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-F77 = @F77@
-FFLAGS = @FFLAGS@
+FGREP = @FGREP@
 GPERF = @GPERF@
 GREP = @GREP@
 INSTALL = @INSTALL@
@@ -119,6 +114,7 @@ INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
 IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
 IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
@@ -127,12 +123,16 @@ LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
 LINUX_HEADERS = @LINUX_HEADERS@
+LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+NM = @NM@
 NMEDIT = @NMEDIT@
 OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -155,8 +155,7 @@ abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
-ac_ct_CXX = @ac_ct_CXX@
-ac_ct_F77 = @ac_ct_F77@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -195,6 +194,7 @@ libstrongswan_plugins = @libstrongswan_plugins@
 linuxdir = @linuxdir@
 localedir = @localedir@
 localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
diff --git a/src/include/Makefile.in b/src/include/Makefile.in
index 84f114999..25c46e648 100644
--- a/src/include/Makefile.in
+++ b/src/include/Makefile.in
@@ -54,22 +54,17 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
-CXX = @CXX@
-CXXCPP = @CXXCPP@
-CXXDEPMODE = @CXXDEPMODE@
-CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DSYMUTIL = @DSYMUTIL@
-ECHO = @ECHO@
+DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-F77 = @F77@
-FFLAGS = @FFLAGS@
+FGREP = @FGREP@
 GPERF = @GPERF@
 GREP = @GREP@
 INSTALL = @INSTALL@
@@ -79,6 +74,7 @@ INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
 IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
 IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
@@ -87,12 +83,16 @@ LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
 LINUX_HEADERS = @LINUX_HEADERS@
+LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+NM = @NM@
 NMEDIT = @NMEDIT@
 OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -115,8 +115,7 @@ abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
-ac_ct_CXX = @ac_ct_CXX@
-ac_ct_F77 = @ac_ct_F77@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -155,6 +154,7 @@ libstrongswan_plugins = @libstrongswan_plugins@
 linuxdir = @linuxdir@
 localedir = @localedir@
 localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
diff --git a/src/ipsec/Makefile.in b/src/ipsec/Makefile.in
index 50175845c..e32d0e91e 100644
--- a/src/ipsec/Makefile.in
+++ b/src/ipsec/Makefile.in
@@ -62,22 +62,17 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
-CXX = @CXX@
-CXXCPP = @CXXCPP@
-CXXDEPMODE = @CXXDEPMODE@
-CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DSYMUTIL = @DSYMUTIL@
-ECHO = @ECHO@
+DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-F77 = @F77@
-FFLAGS = @FFLAGS@
+FGREP = @FGREP@
 GPERF = @GPERF@
 GREP = @GREP@
 INSTALL = @INSTALL@
@@ -87,6 +82,7 @@ INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
 IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
 IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
@@ -95,12 +91,16 @@ LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
 LINUX_HEADERS = @LINUX_HEADERS@
+LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+NM = @NM@
 NMEDIT = @NMEDIT@
 OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -123,8 +123,7 @@ abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
-ac_ct_CXX = @ac_ct_CXX@
-ac_ct_F77 = @ac_ct_F77@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -163,6 +162,7 @@ libstrongswan_plugins = @libstrongswan_plugins@
 linuxdir = @linuxdir@
 localedir = @localedir@
 localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
diff --git a/src/ipsec/ipsec.in b/src/ipsec/ipsec.in
index 1b1332723..4f2c1caa3 100755
--- a/src/ipsec/ipsec.in
+++ b/src/ipsec/ipsec.in
@@ -14,7 +14,7 @@
 # or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 # for more details.
 #
-# RCSID $Id: ipsec.in 4401 2008-10-10 06:59:03Z martin $
+# RCSID $Id: ipsec.in 4790 2008-12-11 12:49:41Z martin $
 
 # define a minimum PATH environment in case it is not set
 PATH="/sbin:/bin:/usr/sbin:/usr/bin:@IPSEC_SBINDIR@"
@@ -63,6 +63,7 @@ case "$1" in
 	echo "	listcacerts|listaacerts|listocspcerts [--utc]"
 	echo "	listacerts|listgroups|listcainfos [--utc]"
 	echo "	listcrls|listocsp|listcards|listall [--utc]"
+	echo "	leases [<poolname> [<address>]]"
 	echo "	rereadsecrets|rereadgroups"
 	echo "	rereadcacerts|rereadaacerts|rereadocspcerts"
 	echo "	rereadacerts|rereadcrls|rereadall"
@@ -146,6 +147,21 @@ listcards|rereadgroups)
 		exit 7 
 	fi 
 	;;
+leases)
+	op="$1"
+	rc=7
+	shift
+	if [ -e $IPSEC_CHARON_PID ]
+	then
+		case "$#" in
+		0) $IPSEC_STROKE "$op" ;;
+		1) $IPSEC_STROKE "$op" "$1" ;;
+		*) $IPSEC_STROKE "$op" "$1" "$2" ;;
+		esac
+		rc="$?"
+	fi
+	exit "$rc"
+	;;
 listalgs|\listpubkeys|\
 listcerts|listcacerts|listaacerts|\
 listacerts|listgroups|listocspcerts|\
diff --git a/src/libcrypto/Makefile.in b/src/libcrypto/Makefile.in
index 1c7f7a719..0e4b3c7f4 100644
--- a/src/libcrypto/Makefile.in
+++ b/src/libcrypto/Makefile.in
@@ -81,22 +81,17 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
-CXX = @CXX@
-CXXCPP = @CXXCPP@
-CXXDEPMODE = @CXXDEPMODE@
-CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DSYMUTIL = @DSYMUTIL@
-ECHO = @ECHO@
+DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-F77 = @F77@
-FFLAGS = @FFLAGS@
+FGREP = @FGREP@
 GPERF = @GPERF@
 GREP = @GREP@
 INSTALL = @INSTALL@
@@ -106,6 +101,7 @@ INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
 IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
 IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
@@ -114,12 +110,16 @@ LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
 LINUX_HEADERS = @LINUX_HEADERS@
+LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+NM = @NM@
 NMEDIT = @NMEDIT@
 OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -142,8 +142,7 @@ abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
-ac_ct_CXX = @ac_ct_CXX@
-ac_ct_F77 = @ac_ct_F77@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -182,6 +181,7 @@ libstrongswan_plugins = @libstrongswan_plugins@
 linuxdir = @linuxdir@
 localedir = @localedir@
 localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
diff --git a/src/libfast/Makefile.in b/src/libfast/Makefile.in
index 8d3c2fba2..f56322500 100644
--- a/src/libfast/Makefile.in
+++ b/src/libfast/Makefile.in
@@ -82,22 +82,17 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
-CXX = @CXX@
-CXXCPP = @CXXCPP@
-CXXDEPMODE = @CXXDEPMODE@
-CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DSYMUTIL = @DSYMUTIL@
-ECHO = @ECHO@
+DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-F77 = @F77@
-FFLAGS = @FFLAGS@
+FGREP = @FGREP@
 GPERF = @GPERF@
 GREP = @GREP@
 INSTALL = @INSTALL@
@@ -107,6 +102,7 @@ INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
 IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
 IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
@@ -115,12 +111,16 @@ LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
 LINUX_HEADERS = @LINUX_HEADERS@
+LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+NM = @NM@
 NMEDIT = @NMEDIT@
 OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -143,8 +143,7 @@ abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
-ac_ct_CXX = @ac_ct_CXX@
-ac_ct_F77 = @ac_ct_F77@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -183,6 +182,7 @@ libstrongswan_plugins = @libstrongswan_plugins@
 linuxdir = @linuxdir@
 localedir = @localedir@
 localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
diff --git a/src/libfreeswan/Makefile.in b/src/libfreeswan/Makefile.in
index e58bcc66d..c973358ed 100644
--- a/src/libfreeswan/Makefile.in
+++ b/src/libfreeswan/Makefile.in
@@ -94,22 +94,17 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
-CXX = @CXX@
-CXXCPP = @CXXCPP@
-CXXDEPMODE = @CXXDEPMODE@
-CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DSYMUTIL = @DSYMUTIL@
-ECHO = @ECHO@
+DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-F77 = @F77@
-FFLAGS = @FFLAGS@
+FGREP = @FGREP@
 GPERF = @GPERF@
 GREP = @GREP@
 INSTALL = @INSTALL@
@@ -119,6 +114,7 @@ INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
 IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
 IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
@@ -127,12 +123,16 @@ LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
 LINUX_HEADERS = @LINUX_HEADERS@
+LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+NM = @NM@
 NMEDIT = @NMEDIT@
 OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -155,8 +155,7 @@ abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
-ac_ct_CXX = @ac_ct_CXX@
-ac_ct_F77 = @ac_ct_F77@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -195,6 +194,7 @@ libstrongswan_plugins = @libstrongswan_plugins@
 linuxdir = @linuxdir@
 localedir = @localedir@
 localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
diff --git a/src/libstrongswan/Makefile.am b/src/libstrongswan/Makefile.am
index 1423db5c3..110c2ef16 100644
--- a/src/libstrongswan/Makefile.am
+++ b/src/libstrongswan/Makefile.am
@@ -47,6 +47,7 @@ utils/identification.c utils/identification.h \
 utils/iterator.h \
 utils/lexparser.c utils/lexparser.h \
 utils/linked_list.c utils/linked_list.h \
+utils/hashtable.c utils/hashtable.h \
 utils/enumerator.c utils/enumerator.h \
 utils/optionsfrom.c utils/optionsfrom.h \
 utils/mutex.c utils/mutex.h \
@@ -97,6 +98,10 @@ if USE_DES
   SUBDIRS += plugins/des
 endif
 
+if USE_MD4
+  SUBDIRS += plugins/md4
+endif
+
 if USE_MD5
   SUBDIRS += plugins/md5
 endif
diff --git a/src/libstrongswan/Makefile.in b/src/libstrongswan/Makefile.in
index f1cf4f554..ba90d987b 100644
--- a/src/libstrongswan/Makefile.in
+++ b/src/libstrongswan/Makefile.in
@@ -37,24 +37,25 @@ host_triplet = @host@
 @USE_LOCK_PROFILER_TRUE@am__append_3 = -DLOCK_PROFILER
 @USE_AES_TRUE@am__append_4 = plugins/aes
 @USE_DES_TRUE@am__append_5 = plugins/des
-@USE_MD5_TRUE@am__append_6 = plugins/md5
-@USE_SHA1_TRUE@am__append_7 = plugins/sha1
-@USE_SHA2_TRUE@am__append_8 = plugins/sha2
-@USE_FIPS_PRF_TRUE@am__append_9 = plugins/fips_prf
-@USE_GMP_TRUE@am__append_10 = plugins/gmp
-@USE_RANDOM_TRUE@am__append_11 = plugins/random
-@USE_HMAC_TRUE@am__append_12 = plugins/hmac
-@USE_XCBC_TRUE@am__append_13 = plugins/xcbc
-@USE_X509_TRUE@am__append_14 = plugins/x509
-@USE_PUBKEY_TRUE@am__append_15 = plugins/pubkey
-@USE_CURL_TRUE@am__append_16 = plugins/curl
-@USE_LDAP_TRUE@am__append_17 = plugins/ldap
-@USE_MYSQL_TRUE@am__append_18 = plugins/mysql
-@USE_SQLITE_TRUE@am__append_19 = plugins/sqlite
-@USE_PADLOCK_TRUE@am__append_20 = plugins/padlock
-@USE_OPENSSL_TRUE@am__append_21 = plugins/openssl
-@USE_AGENT_TRUE@am__append_22 = plugins/agent
-@USE_INTEGRITY_TEST_TRUE@am__append_23 = fips
+@USE_MD4_TRUE@am__append_6 = plugins/md4
+@USE_MD5_TRUE@am__append_7 = plugins/md5
+@USE_SHA1_TRUE@am__append_8 = plugins/sha1
+@USE_SHA2_TRUE@am__append_9 = plugins/sha2
+@USE_FIPS_PRF_TRUE@am__append_10 = plugins/fips_prf
+@USE_GMP_TRUE@am__append_11 = plugins/gmp
+@USE_RANDOM_TRUE@am__append_12 = plugins/random
+@USE_HMAC_TRUE@am__append_13 = plugins/hmac
+@USE_XCBC_TRUE@am__append_14 = plugins/xcbc
+@USE_X509_TRUE@am__append_15 = plugins/x509
+@USE_PUBKEY_TRUE@am__append_16 = plugins/pubkey
+@USE_CURL_TRUE@am__append_17 = plugins/curl
+@USE_LDAP_TRUE@am__append_18 = plugins/ldap
+@USE_MYSQL_TRUE@am__append_19 = plugins/mysql
+@USE_SQLITE_TRUE@am__append_20 = plugins/sqlite
+@USE_PADLOCK_TRUE@am__append_21 = plugins/padlock
+@USE_OPENSSL_TRUE@am__append_22 = plugins/openssl
+@USE_AGENT_TRUE@am__append_23 = plugins/agent
+@USE_INTEGRITY_TEST_TRUE@am__append_24 = fips
 subdir = src/libstrongswan
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
@@ -104,12 +105,12 @@ am__libstrongswan_la_SOURCES_DIST = library.c library.h chunk.c \
 	database/database_factory.c utils.h utils.c utils/host.c \
 	utils/host.h utils/identification.c utils/identification.h \
 	utils/iterator.h utils/lexparser.c utils/lexparser.h \
-	utils/linked_list.c utils/linked_list.h utils/enumerator.c \
-	utils/enumerator.h utils/optionsfrom.c utils/optionsfrom.h \
-	utils/mutex.c utils/mutex.h utils/backtrace.c \
-	utils/backtrace.h plugins/plugin_loader.c \
-	plugins/plugin_loader.h plugins/plugin.h \
-	utils/leak_detective.c utils/leak_detective.h \
+	utils/linked_list.c utils/linked_list.h utils/hashtable.c \
+	utils/hashtable.h utils/enumerator.c utils/enumerator.h \
+	utils/optionsfrom.c utils/optionsfrom.h utils/mutex.c \
+	utils/mutex.h utils/backtrace.c utils/backtrace.h \
+	plugins/plugin_loader.c plugins/plugin_loader.h \
+	plugins/plugin.h utils/leak_detective.c utils/leak_detective.h \
 	fips/fips_canister_start.c fips/fips.c fips/fips.h \
 	fips/fips_canister_end.c
 @USE_LEAK_DETECTIVE_TRUE@am__objects_1 = leak_detective.lo
@@ -127,8 +128,9 @@ am__libstrongswan_la_SOURCES_DIST = library.c library.h chunk.c \
 @USE_INTEGRITY_TEST_FALSE@	fetcher_manager.lo \
 @USE_INTEGRITY_TEST_FALSE@	database_factory.lo utils.lo host.lo \
 @USE_INTEGRITY_TEST_FALSE@	identification.lo lexparser.lo \
-@USE_INTEGRITY_TEST_FALSE@	linked_list.lo enumerator.lo \
-@USE_INTEGRITY_TEST_FALSE@	optionsfrom.lo mutex.lo backtrace.lo \
+@USE_INTEGRITY_TEST_FALSE@	linked_list.lo hashtable.lo \
+@USE_INTEGRITY_TEST_FALSE@	enumerator.lo optionsfrom.lo \
+@USE_INTEGRITY_TEST_FALSE@	mutex.lo backtrace.lo \
 @USE_INTEGRITY_TEST_FALSE@	plugin_loader.lo $(am__objects_1)
 @USE_INTEGRITY_TEST_TRUE@am_libstrongswan_la_OBJECTS =  \
 @USE_INTEGRITY_TEST_TRUE@	fips_canister_start.lo fips.lo \
@@ -145,10 +147,10 @@ am__libstrongswan_la_SOURCES_DIST = library.c library.h chunk.c \
 @USE_INTEGRITY_TEST_TRUE@	fetcher_manager.lo \
 @USE_INTEGRITY_TEST_TRUE@	database_factory.lo utils.lo host.lo \
 @USE_INTEGRITY_TEST_TRUE@	identification.lo lexparser.lo \
-@USE_INTEGRITY_TEST_TRUE@	linked_list.lo enumerator.lo \
-@USE_INTEGRITY_TEST_TRUE@	optionsfrom.lo mutex.lo backtrace.lo \
-@USE_INTEGRITY_TEST_TRUE@	plugin_loader.lo $(am__objects_1) \
-@USE_INTEGRITY_TEST_TRUE@	fips_canister_end.lo
+@USE_INTEGRITY_TEST_TRUE@	linked_list.lo hashtable.lo \
+@USE_INTEGRITY_TEST_TRUE@	enumerator.lo optionsfrom.lo mutex.lo \
+@USE_INTEGRITY_TEST_TRUE@	backtrace.lo plugin_loader.lo \
+@USE_INTEGRITY_TEST_TRUE@	$(am__objects_1) fips_canister_end.lo
 libstrongswan_la_OBJECTS = $(am_libstrongswan_la_OBJECTS)
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
@@ -175,11 +177,12 @@ RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive	\
   distclean-recursive maintainer-clean-recursive
 ETAGS = etags
 CTAGS = ctags
-DIST_SUBDIRS = . plugins/aes plugins/des plugins/md5 plugins/sha1 \
-	plugins/sha2 plugins/fips_prf plugins/gmp plugins/random \
-	plugins/hmac plugins/xcbc plugins/x509 plugins/pubkey \
-	plugins/curl plugins/ldap plugins/mysql plugins/sqlite \
-	plugins/padlock plugins/openssl plugins/agent fips
+DIST_SUBDIRS = . plugins/aes plugins/des plugins/md4 plugins/md5 \
+	plugins/sha1 plugins/sha2 plugins/fips_prf plugins/gmp \
+	plugins/random plugins/hmac plugins/xcbc plugins/x509 \
+	plugins/pubkey plugins/curl plugins/ldap plugins/mysql \
+	plugins/sqlite plugins/padlock plugins/openssl plugins/agent \
+	fips
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 AMTAR = @AMTAR@
@@ -193,22 +196,17 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
-CXX = @CXX@
-CXXCPP = @CXXCPP@
-CXXDEPMODE = @CXXDEPMODE@
-CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DSYMUTIL = @DSYMUTIL@
-ECHO = @ECHO@
+DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-F77 = @F77@
-FFLAGS = @FFLAGS@
+FGREP = @FGREP@
 GPERF = @GPERF@
 GREP = @GREP@
 INSTALL = @INSTALL@
@@ -218,6 +216,7 @@ INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
 IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
 IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
@@ -226,12 +225,16 @@ LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
 LINUX_HEADERS = @LINUX_HEADERS@
+LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+NM = @NM@
 NMEDIT = @NMEDIT@
 OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -254,8 +257,7 @@ abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
-ac_ct_CXX = @ac_ct_CXX@
-ac_ct_F77 = @ac_ct_F77@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -294,6 +296,7 @@ libstrongswan_plugins = @libstrongswan_plugins@
 linuxdir = @linuxdir@
 localedir = @localedir@
 localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
@@ -373,6 +376,7 @@ lib_LTLIBRARIES = libstrongswan.la
 @USE_INTEGRITY_TEST_FALSE@	utils/lexparser.h \
 @USE_INTEGRITY_TEST_FALSE@	utils/linked_list.c \
 @USE_INTEGRITY_TEST_FALSE@	utils/linked_list.h \
+@USE_INTEGRITY_TEST_FALSE@	utils/hashtable.c utils/hashtable.h \
 @USE_INTEGRITY_TEST_FALSE@	utils/enumerator.c \
 @USE_INTEGRITY_TEST_FALSE@	utils/enumerator.h \
 @USE_INTEGRITY_TEST_FALSE@	utils/optionsfrom.c \
@@ -436,8 +440,9 @@ lib_LTLIBRARIES = libstrongswan.la
 @USE_INTEGRITY_TEST_TRUE@	utils/identification.h \
 @USE_INTEGRITY_TEST_TRUE@	utils/iterator.h utils/lexparser.c \
 @USE_INTEGRITY_TEST_TRUE@	utils/lexparser.h utils/linked_list.c \
-@USE_INTEGRITY_TEST_TRUE@	utils/linked_list.h \
-@USE_INTEGRITY_TEST_TRUE@	utils/enumerator.c utils/enumerator.h \
+@USE_INTEGRITY_TEST_TRUE@	utils/linked_list.h utils/hashtable.c \
+@USE_INTEGRITY_TEST_TRUE@	utils/hashtable.h utils/enumerator.c \
+@USE_INTEGRITY_TEST_TRUE@	utils/enumerator.h \
 @USE_INTEGRITY_TEST_TRUE@	utils/optionsfrom.c \
 @USE_INTEGRITY_TEST_TRUE@	utils/optionsfrom.h utils/mutex.c \
 @USE_INTEGRITY_TEST_TRUE@	utils/mutex.h utils/backtrace.c \
@@ -463,7 +468,7 @@ SUBDIRS = . $(am__append_4) $(am__append_5) $(am__append_6) \
 	$(am__append_13) $(am__append_14) $(am__append_15) \
 	$(am__append_16) $(am__append_17) $(am__append_18) \
 	$(am__append_19) $(am__append_20) $(am__append_21) \
-	$(am__append_22) $(am__append_23)
+	$(am__append_22) $(am__append_23) $(am__append_24)
 all: $(BUILT_SOURCES)
 	$(MAKE) $(AM_MAKEFLAGS) all-recursive
 
@@ -554,6 +559,7 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fips_canister_end.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fips_canister_start.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hasher.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hashtable.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/host.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/identification.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/leak_detective.Plo@am__quote@
@@ -796,6 +802,13 @@ linked_list.lo: utils/linked_list.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o linked_list.lo `test -f 'utils/linked_list.c' || echo '$(srcdir)/'`utils/linked_list.c
 
+hashtable.lo: utils/hashtable.c
+@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT hashtable.lo -MD -MP -MF $(DEPDIR)/hashtable.Tpo -c -o hashtable.lo `test -f 'utils/hashtable.c' || echo '$(srcdir)/'`utils/hashtable.c
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/hashtable.Tpo $(DEPDIR)/hashtable.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='utils/hashtable.c' object='hashtable.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o hashtable.lo `test -f 'utils/hashtable.c' || echo '$(srcdir)/'`utils/hashtable.c
+
 enumerator.lo: utils/enumerator.c
 @am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT enumerator.lo -MD -MP -MF $(DEPDIR)/enumerator.Tpo -c -o enumerator.lo `test -f 'utils/enumerator.c' || echo '$(srcdir)/'`utils/enumerator.c
 @am__fastdepCC_TRUE@	mv -f $(DEPDIR)/enumerator.Tpo $(DEPDIR)/enumerator.Plo
diff --git a/src/libstrongswan/asn1/asn1.c b/src/libstrongswan/asn1/asn1.c
index 524abfe5e..6122aa9f8 100644
--- a/src/libstrongswan/asn1/asn1.c
+++ b/src/libstrongswan/asn1/asn1.c
@@ -14,7 +14,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: asn1.c 4047 2008-06-10 07:36:44Z tobias $
+ * $Id: asn1.c 4776 2008-12-09 15:00:30Z martin $
  */
 
 #include <stdio.h>
@@ -348,8 +348,9 @@ chunk_t asn1_from_time(const time_t *time, asn1_t type)
 	const char *format;
 	char buf[BUF_LEN];
 	chunk_t formatted_time;
-	struct tm *t = gmtime(time);
+	struct tm t;
 	
+	gmtime_r(time, &t);
 	if (type == ASN1_GENERALIZEDTIME)
 	{
 		format = "%04d%02d%02d%02d%02d%02dZ";
@@ -358,10 +359,10 @@ chunk_t asn1_from_time(const time_t *time, asn1_t type)
 	else /* ASN1_UTCTIME */
 	{
 		format = "%02d%02d%02d%02d%02d%02dZ";
-		offset = (t->tm_year < 100)? 0 : -100;
+		offset = (t.tm_year < 100)? 0 : -100;
 	}
-	snprintf(buf, BUF_LEN, format, t->tm_year + offset, 
-			 t->tm_mon + 1, t->tm_mday, t->tm_hour, t->tm_min, t->tm_sec);
+	snprintf(buf, BUF_LEN, format, t.tm_year + offset, 
+			 t.tm_mon + 1, t.tm_mday, t.tm_hour, t.tm_min, t.tm_sec);
 	formatted_time.ptr = buf;
 	formatted_time.len = strlen(buf);
 	return asn1_simple_object(type, formatted_time);
diff --git a/src/libstrongswan/chunk.c b/src/libstrongswan/chunk.c
index 565f48fb0..681581af9 100644
--- a/src/libstrongswan/chunk.c
+++ b/src/libstrongswan/chunk.c
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2008 Tobias Brunner
  * Copyright (C) 2005-2006 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
@@ -13,7 +14,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: chunk.c 4276 2008-08-22 10:44:51Z martin $
+ * $Id: chunk.c 4784 2008-12-10 13:43:51Z tobias $
  */
 
 #include <stdio.h>
@@ -26,20 +27,21 @@
 #include <debug.h>
 #include <printf_hook.h>
 
+/* required for chunk_hash */
+#undef get16bits
+#if (defined(__GNUC__) && defined(__i386__))
+#define get16bits(d) (*((const u_int16_t*)(d)))
+#endif
+#if !defined (get16bits)
+#define get16bits(d) ((((u_int32_t)(((const u_int8_t*)(d))[1])) << 8)\
+                      + (u_int32_t)(((const u_int8_t*)(d))[0]) )
+#endif
+
 /**
  * Empty chunk.
  */
 chunk_t chunk_empty = { NULL, 0 };
 
-/**
- * Described in header.
- */
-chunk_t chunk_create(u_char *ptr, size_t len)
-{
-	chunk_t chunk = {ptr, len};
-	return chunk;
-}
-
 /**
  * Described in header.
  */
@@ -132,7 +134,7 @@ chunk_t chunk_create_cat(u_char *ptr, const char* mode, ...)
 void chunk_split(chunk_t chunk, const char *mode, ...)
 {
 	va_list chunks;
-	size_t len;
+	u_int len;
 	chunk_t *ch;
 	
 	va_start(chunks, mode);
@@ -142,7 +144,7 @@ void chunk_split(chunk_t chunk, const char *mode, ...)
 		{
 			break;
 		}
-		len = va_arg(chunks, size_t);
+		len = va_arg(chunks, u_int);
 		ch = va_arg(chunks, chunk_t*);
 		/* a null chunk means skip len bytes */
 		if (ch == NULL)
@@ -251,7 +253,7 @@ static char hexdig_lower[] = "0123456789abcdef";
  */
 chunk_t chunk_to_hex(chunk_t chunk, char *buf, bool uppercase)
 {
-	int i, len;;
+	int i, len;
 	char *hexdig = hexdig_lower;
 	
 	if (uppercase)
@@ -425,39 +427,6 @@ chunk_t chunk_from_base64(chunk_t base64, char *buf)
 	return chunk_create(buf, outlen);
 }
 
-/**
- * Described in header.
- */
-void chunk_free(chunk_t *chunk)
-{
-	free(chunk->ptr);
-	chunk->ptr = NULL;
-	chunk->len = 0;
-}
-
-/**
- * Described in header.
- */
-void chunk_clear(chunk_t *chunk)
-{
-	memset(chunk->ptr, 0, chunk->len);
-	chunk_free(chunk);
-}
-
-/**
- * Described in header.
- */
-chunk_t chunk_skip(chunk_t chunk, size_t bytes)
-{
-	if (chunk.len > bytes)
-	{
-		chunk.ptr += bytes;
-		chunk.len -= bytes;
-		return chunk;
-	}
-	return chunk_empty;
-}
-
 /**
  * Described in header.
  */
@@ -473,13 +442,81 @@ int chunk_compare(chunk_t a, chunk_t b)
 	return memcmp(a.ptr, b.ptr, len);
 };
 
+/**
+ * Described in header.
+ * 
+ * The implementation is based on Paul Hsieh's SuperFastHash:
+ * 	 http://www.azillionmonkeys.com/qed/hash.html
+ */
+u_int32_t chunk_hash_inc(chunk_t chunk, u_int32_t hash)
+{
+	u_char *data = chunk.ptr;
+	size_t len = chunk.len;
+	u_int32_t tmp;
+	int rem;
+	
+	if (!len || data == NULL)
+	{
+		return 0;
+	}
+	
+	rem = len & 3;
+	len >>= 2;
+	
+	/* Main loop */
+	for (; len > 0; --len)
+	{
+		hash += get16bits(data);
+		tmp   = (get16bits(data + 2) << 11) ^ hash;
+		hash  = (hash << 16) ^ tmp;
+		data += 2 * sizeof(u_int16_t);
+		hash += hash >> 11;
+	}
+	
+	/* Handle end cases */
+	switch (rem)
+	{
+		case 3:
+		{
+			hash += get16bits(data);
+			hash ^= hash << 16;
+			hash ^= data[sizeof(u_int16_t)] << 18;
+			hash += hash >> 11;
+			break;
+		}
+		case 2:
+		{
+			hash += get16bits(data);
+			hash ^= hash << 11;
+			hash += hash >> 17;
+			break;
+		}
+		case 1:
+		{
+			hash += *data;
+			hash ^= hash << 10;
+			hash += hash >> 1;
+			break;
+		}
+	}
+	
+	/* Force "avalanching" of final 127 bits */
+	hash ^= hash << 3;
+	hash += hash >> 5;
+	hash ^= hash << 4;
+	hash += hash >> 17;
+	hash ^= hash << 25;
+	hash += hash >> 6;
+	
+	return hash;
+}
+
 /**
  * Described in header.
  */
-bool chunk_equals(chunk_t a, chunk_t b)
+u_int32_t chunk_hash(chunk_t chunk)
 {
-	return a.ptr != NULL  && b.ptr != NULL &&
-			a.len == b.len && memeq(a.ptr, b.ptr, a.len);
+	return chunk_hash_inc(chunk, chunk.len);
 }
 
 /**
diff --git a/src/libstrongswan/chunk.h b/src/libstrongswan/chunk.h
index 7e70a2a2d..2986e0db3 100644
--- a/src/libstrongswan/chunk.h
+++ b/src/libstrongswan/chunk.h
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2008 Tobias Brunner
  * Copyright (C) 2005-2008 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
@@ -13,7 +14,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: chunk.h 4276 2008-08-22 10:44:51Z martin $
+ * $Id: chunk.h 4841 2009-01-15 01:52:44Z andreas $
  */
 
 /**
@@ -50,7 +51,11 @@ extern chunk_t chunk_empty;
 /**
  * Create a new chunk pointing to "ptr" with length "len"
  */
-chunk_t chunk_create(u_char *ptr, size_t len);
+static inline chunk_t chunk_create(u_char *ptr, size_t len)
+{
+	chunk_t chunk = {ptr, len};
+	return chunk;
+}
 
 /**
  * Create a clone of a chunk pointing to "ptr"
@@ -135,12 +140,23 @@ chunk_t chunk_from_base64(chunk_t base64, char *buf);
 /**
  * Free contents of a chunk
  */
-void chunk_free(chunk_t *chunk);
+static inline void chunk_free(chunk_t *chunk)
+{
+	free(chunk->ptr);
+	*chunk = chunk_empty;
+}
 
 /**
  * Overwrite the contents of a chunk and free it
  */
-void chunk_clear(chunk_t *chunk);
+static inline void chunk_clear(chunk_t *chunk)
+{
+	if (chunk->ptr)
+	{
+		memset(chunk->ptr, 0, chunk->len);
+		chunk_free(chunk);
+	}
+}
 
 /**
  * Initialize a chunk to point to buffer inspectable by sizeof()
@@ -185,7 +201,16 @@ void chunk_clear(chunk_t *chunk);
 /**
  * Skip n bytes in chunk (forward pointer, shorten length)
  */
-chunk_t chunk_skip(chunk_t chunk, size_t bytes);
+static inline chunk_t chunk_skip(chunk_t chunk, size_t bytes)
+{
+	if (chunk.len > bytes)
+	{
+		chunk.ptr += bytes;
+		chunk.len -= bytes;
+		return chunk;
+	}
+	return chunk_empty;
+}
 
 /**
  *  Compare two chunks, returns zero if a equals b
@@ -197,7 +222,22 @@ int chunk_compare(chunk_t a, chunk_t b);
  * Compare two chunks for equality,
  * NULL chunks are never equal.
  */
-bool chunk_equals(chunk_t a, chunk_t b);
+static inline bool chunk_equals(chunk_t a, chunk_t b)
+{
+	return a.ptr != NULL  && b.ptr != NULL &&
+			a.len == b.len && memeq(a.ptr, b.ptr, a.len);
+}
+
+/**
+ * Computes a 32 bit hash of the given chunk.
+ * Note: This hash is only intended for hash tables not for cryptographic purposes.
+ */
+u_int32_t chunk_hash(chunk_t chunk);
+
+/**
+ * Incremental version of chunk_hash. Use this to hash two or more chunks.
+ */
+u_int32_t chunk_hash_inc(chunk_t chunk, u_int32_t hash);
 
 /**
  * Get printf hooks for a chunk.
diff --git a/src/libstrongswan/credentials/builder.c b/src/libstrongswan/credentials/builder.c
index 4295b3094..0bca198f1 100644
--- a/src/libstrongswan/credentials/builder.c
+++ b/src/libstrongswan/credentials/builder.c
@@ -35,6 +35,8 @@ ENUM(builder_part_names, BUILD_FROM_FILE, BUILD_END,
 	"BUILD_CA_CERT",
 	"BUILD_CERT",
 	"BUILD_X509_FLAG",
+	"BUILD_SMARTCARD_KEYID",
+	"BUILD_SMARTCARD_PIN",
 	"BUILD_END",
 );
 
diff --git a/src/libstrongswan/credentials/builder.h b/src/libstrongswan/credentials/builder.h
index cd75236ba..332d52d52 100644
--- a/src/libstrongswan/credentials/builder.h
+++ b/src/libstrongswan/credentials/builder.h
@@ -76,6 +76,10 @@ enum builder_part_t {
 	BUILD_CERT,
 	/** enforce an additional X509 flag, x509_flag_t */
 	BUILD_X509_FLAG,
+	/** key ID of a key on a smartcard, null terminated char* ([slot:]keyid) */
+	BUILD_SMARTCARD_KEYID,
+	/** pin to access a key on a smartcard, null terminated char* */
+	BUILD_SMARTCARD_PIN,
 	/** end of variable argument builder list */
 	BUILD_END,
 };
diff --git a/src/libstrongswan/credentials/credential_factory.c b/src/libstrongswan/credentials/credential_factory.c
index 203317fa4..5ae6980be 100644
--- a/src/libstrongswan/credentials/credential_factory.c
+++ b/src/libstrongswan/credentials/credential_factory.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: credential_factory.c 4317 2008-09-02 11:00:13Z martin $
+ * $Id: credential_factory.c 4777 2008-12-09 15:57:51Z martin $
  */
 
 #include "credential_factory.h"
@@ -46,9 +46,9 @@ struct private_credential_factory_t {
 	linked_list_t *constructors;
 	
 	/**
-	 * mutex to lock access to modules
+	 * lock access to builders
 	 */
-	mutex_t *mutex;
+	rwlock_t *lock;
 };
 
 typedef struct entry_t entry_t;
@@ -86,12 +86,12 @@ static enumerator_t* create_builder_enumerator(
 	data->type = type;
 	data->subtype = subtype;
 	
-	this->mutex->lock(this->mutex);
+	this->lock->read_lock(this->lock);
 	return enumerator_create_cleaner(
 				enumerator_create_filter(
 					this->constructors->create_enumerator(this->constructors),
 					(void*)builder_filter, data, free), 
-				(void*)this->mutex->unlock, this->mutex);
+				(void*)this->lock->unlock, this->lock);
 }
 
 /**
@@ -106,9 +106,9 @@ static void add_builder(private_credential_factory_t *this,
 	entry->type = type;
 	entry->subtype = subtype;
 	entry->constructor = constructor;
-	this->mutex->lock(this->mutex);
+	this->lock->write_lock(this->lock);
 	this->constructors->insert_last(this->constructors, entry);
-	this->mutex->unlock(this->mutex);
+	this->lock->unlock(this->lock);
 }
 
 /**
@@ -120,7 +120,7 @@ static void remove_builder(private_credential_factory_t *this,
 	enumerator_t *enumerator;
 	entry_t *entry;
 	
-	this->mutex->lock(this->mutex);
+	this->lock->write_lock(this->lock);
 	enumerator = this->constructors->create_enumerator(this->constructors);
 	while (enumerator->enumerate(enumerator, &entry))
 	{
@@ -131,7 +131,7 @@ static void remove_builder(private_credential_factory_t *this,
 		}
 	}
 	enumerator->destroy(enumerator);
-	this->mutex->unlock(this->mutex);
+	this->lock->unlock(this->lock);
 }
 
 /**
@@ -184,6 +184,8 @@ static void* create(private_credential_factory_t *this, credential_type_t type,
 				case BUILD_CA_CERT:
 				case BUILD_CERT:
 				case BUILD_IETF_GROUP_ATTR:
+				case BUILD_SMARTCARD_KEYID:
+				case BUILD_SMARTCARD_PIN:
 					builder->add(builder, part, va_arg(args, void*));
 					continue;
 				/* no default to get a compiler warning */
@@ -213,7 +215,7 @@ static void* create(private_credential_factory_t *this, credential_type_t type,
 static void destroy(private_credential_factory_t *this)
 {
 	this->constructors->destroy_function(this->constructors, free);
-	this->mutex->destroy(this->mutex);
+	this->lock->destroy(this->lock);
 	free(this);
 }
 
@@ -232,7 +234,7 @@ credential_factory_t *credential_factory_create()
 	
 	this->constructors = linked_list_create();
 	
-	this->mutex = mutex_create(MUTEX_RECURSIVE);
+	this->lock = rwlock_create(RWLOCK_DEFAULT);
 	
 	return &this->public;
 }
diff --git a/src/libstrongswan/crypto/crypters/crypter.c b/src/libstrongswan/crypto/crypters/crypter.c
index 2c291a9f5..13ba9c6e2 100644
--- a/src/libstrongswan/crypto/crypters/crypter.c
+++ b/src/libstrongswan/crypto/crypters/crypter.c
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: crypter.c 3971 2008-05-16 13:27:21Z tobias $
+ * $Id: crypter.c 4880 2009-02-18 19:45:46Z tobias $
  */
 
 #include "crypter.h"
@@ -41,5 +41,7 @@ ENUM_NEXT(encryption_algorithm_names, ENCR_AES_GCM_ICV8, ENCR_AES_GCM_ICV16, ENC
 	"AES_GCM_8",
 	"AES_GCM_12",
 	"AES_GCM_16");
-ENUM_END(encryption_algorithm_names, ENCR_AES_GCM_ICV16);
+ENUM_NEXT(encryption_algorithm_names, ENCR_DES_ECB, ENCR_DES_ECB, ENCR_AES_GCM_ICV16,
+	"DES_ECB");
+ENUM_END(encryption_algorithm_names, ENCR_DES_ECB);
 
diff --git a/src/libstrongswan/crypto/crypters/crypter.h b/src/libstrongswan/crypto/crypters/crypter.h
index fb06af97d..1a70bd125 100644
--- a/src/libstrongswan/crypto/crypters/crypter.h
+++ b/src/libstrongswan/crypto/crypters/crypter.h
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: crypter.h 4532 2008-10-30 13:21:21Z martin $
+ * $Id: crypter.h 4886 2009-02-19 13:46:08Z tobias $
  */
  
 /**
@@ -51,7 +51,8 @@ enum encryption_algorithm_t {
     ENCR_AES_CCM_ICV16 = 16,
     ENCR_AES_GCM_ICV8 = 18,
     ENCR_AES_GCM_ICV12 = 19,
-    ENCR_AES_GCM_ICV16 = 20
+    ENCR_AES_GCM_ICV16 = 20,
+    ENCR_DES_ECB = 1025
 };
 
 /**
diff --git a/src/libstrongswan/crypto/diffie_hellman.c b/src/libstrongswan/crypto/diffie_hellman.c
index 02d2cb52a..53c3a1632 100644
--- a/src/libstrongswan/crypto/diffie_hellman.c
+++ b/src/libstrongswan/crypto/diffie_hellman.c
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: diffie_hellman.c 4023 2008-05-29 06:55:03Z andreas $
+ * $Id: diffie_hellman.c 4685 2008-11-22 16:14:55Z martin $
  */
 
 #include "diffie_hellman.h"
@@ -36,5 +36,7 @@ ENUM_NEXT(diffie_hellman_group_names, MODP_2048_BIT, ECP_521_BIT, MODP_1536_BIT,
 ENUM_NEXT(diffie_hellman_group_names, ECP_192_BIT, ECP_224_BIT, ECP_521_BIT,
 	"ECP_192_BIT",
 	"ECP_224_BIT");
-ENUM_END(diffie_hellman_group_names, ECP_224_BIT);
+ENUM_NEXT(diffie_hellman_group_names, MODP_NULL, MODP_NULL, ECP_224_BIT,
+	"MODP_NULL");
+ENUM_END(diffie_hellman_group_names, MODP_NULL);
 
diff --git a/src/libstrongswan/crypto/diffie_hellman.h b/src/libstrongswan/crypto/diffie_hellman.h
index ce8ab8e21..4147d85af 100644
--- a/src/libstrongswan/crypto/diffie_hellman.h
+++ b/src/libstrongswan/crypto/diffie_hellman.h
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: diffie_hellman.h 4566 2008-11-04 13:12:11Z martin $
+ * $Id: diffie_hellman.h 4685 2008-11-22 16:14:55Z martin $
  */
  
 /**
@@ -52,6 +52,8 @@ enum diffie_hellman_group_t {
 	ECP_521_BIT   = 21,
 	ECP_192_BIT   = 25,
 	ECP_224_BIT   = 26,
+	/** insecure NULL diffie hellman group for testing, in PRIVATE USE */
+	MODP_NULL = 1024,
 };
 
 /**
diff --git a/src/libstrongswan/crypto/hashers/hasher.c b/src/libstrongswan/crypto/hashers/hasher.c
index 6c29d1d5d..cf507442d 100644
--- a/src/libstrongswan/crypto/hashers/hasher.c
+++ b/src/libstrongswan/crypto/hashers/hasher.c
@@ -14,14 +14,14 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: hasher.c 3619 2008-03-19 14:02:52Z martin $
+ * $Id: hasher.c 4880 2009-02-18 19:45:46Z tobias $
  */
 
 #include "hasher.h"
 
 #include <asn1/oid.h>
 
-ENUM(hash_algorithm_names, HASH_UNKNOWN, HASH_SHA512,
+ENUM(hash_algorithm_names, HASH_UNKNOWN, HASH_MD4,
 	"HASH_UNKNOWN",
 	"HASH_PREFERRED",
 	"HASH_MD2",
@@ -29,7 +29,8 @@ ENUM(hash_algorithm_names, HASH_UNKNOWN, HASH_SHA512,
 	"HASH_SHA1",
 	"HASH_SHA256",
 	"HASH_SHA384",
-	"HASH_SHA512"
+	"HASH_SHA512",
+	"HASH_MD4"
 );
 
 /*
diff --git a/src/libstrongswan/crypto/hashers/hasher.h b/src/libstrongswan/crypto/hashers/hasher.h
index e19b0318b..fe2f48be6 100644
--- a/src/libstrongswan/crypto/hashers/hasher.h
+++ b/src/libstrongswan/crypto/hashers/hasher.h
@@ -14,7 +14,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: hasher.h 3619 2008-03-19 14:02:52Z martin $
+ * $Id: hasher.h 4880 2009-02-18 19:45:46Z tobias $
  */
  
 /**
@@ -44,9 +44,11 @@ enum hash_algorithm_t {
 	HASH_SHA256 		= 5,
 	HASH_SHA384 		= 6,
 	HASH_SHA512 		= 7,
+	HASH_MD4			= 8,
 };
 
 #define HASH_SIZE_MD2		16
+#define HASH_SIZE_MD4		16
 #define HASH_SIZE_MD5		16
 #define HASH_SIZE_SHA1		20
 #define HASH_SIZE_SHA256	32
diff --git a/src/libstrongswan/fips/Makefile.in b/src/libstrongswan/fips/Makefile.in
index 9814d631f..d1c3ed5b6 100644
--- a/src/libstrongswan/fips/Makefile.in
+++ b/src/libstrongswan/fips/Makefile.in
@@ -76,22 +76,17 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
-CXX = @CXX@
-CXXCPP = @CXXCPP@
-CXXDEPMODE = @CXXDEPMODE@
-CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DSYMUTIL = @DSYMUTIL@
-ECHO = @ECHO@
+DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-F77 = @F77@
-FFLAGS = @FFLAGS@
+FGREP = @FGREP@
 GPERF = @GPERF@
 GREP = @GREP@
 INSTALL = @INSTALL@
@@ -101,6 +96,7 @@ INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
 IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
 IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
@@ -109,12 +105,16 @@ LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
 LINUX_HEADERS = @LINUX_HEADERS@
+LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+NM = @NM@
 NMEDIT = @NMEDIT@
 OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -137,8 +137,7 @@ abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
-ac_ct_CXX = @ac_ct_CXX@
-ac_ct_F77 = @ac_ct_F77@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -177,6 +176,7 @@ libstrongswan_plugins = @libstrongswan_plugins@
 linuxdir = @linuxdir@
 localedir = @localedir@
 localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
diff --git a/src/libstrongswan/plugins/aes/Makefile.in b/src/libstrongswan/plugins/aes/Makefile.in
index 55faa07f0..e4eb7e5cf 100644
--- a/src/libstrongswan/plugins/aes/Makefile.in
+++ b/src/libstrongswan/plugins/aes/Makefile.in
@@ -84,22 +84,17 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
-CXX = @CXX@
-CXXCPP = @CXXCPP@
-CXXDEPMODE = @CXXDEPMODE@
-CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DSYMUTIL = @DSYMUTIL@
-ECHO = @ECHO@
+DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-F77 = @F77@
-FFLAGS = @FFLAGS@
+FGREP = @FGREP@
 GPERF = @GPERF@
 GREP = @GREP@
 INSTALL = @INSTALL@
@@ -109,6 +104,7 @@ INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
 IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
 IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
@@ -117,12 +113,16 @@ LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
 LINUX_HEADERS = @LINUX_HEADERS@
+LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+NM = @NM@
 NMEDIT = @NMEDIT@
 OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -145,8 +145,7 @@ abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
-ac_ct_CXX = @ac_ct_CXX@
-ac_ct_F77 = @ac_ct_F77@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -185,6 +184,7 @@ libstrongswan_plugins = @libstrongswan_plugins@
 linuxdir = @linuxdir@
 localedir = @localedir@
 localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
diff --git a/src/libstrongswan/plugins/agent/Makefile.in b/src/libstrongswan/plugins/agent/Makefile.in
index eb38b537a..6b2da9cb4 100644
--- a/src/libstrongswan/plugins/agent/Makefile.in
+++ b/src/libstrongswan/plugins/agent/Makefile.in
@@ -85,22 +85,17 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
-CXX = @CXX@
-CXXCPP = @CXXCPP@
-CXXDEPMODE = @CXXDEPMODE@
-CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DSYMUTIL = @DSYMUTIL@
-ECHO = @ECHO@
+DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-F77 = @F77@
-FFLAGS = @FFLAGS@
+FGREP = @FGREP@
 GPERF = @GPERF@
 GREP = @GREP@
 INSTALL = @INSTALL@
@@ -110,6 +105,7 @@ INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
 IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
 IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
@@ -118,12 +114,16 @@ LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
 LINUX_HEADERS = @LINUX_HEADERS@
+LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+NM = @NM@
 NMEDIT = @NMEDIT@
 OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -146,8 +146,7 @@ abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
-ac_ct_CXX = @ac_ct_CXX@
-ac_ct_F77 = @ac_ct_F77@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -186,6 +185,7 @@ libstrongswan_plugins = @libstrongswan_plugins@
 linuxdir = @linuxdir@
 localedir = @localedir@
 localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
diff --git a/src/libstrongswan/plugins/curl/Makefile.in b/src/libstrongswan/plugins/curl/Makefile.in
index cb44a4ffe..cd916ccbe 100644
--- a/src/libstrongswan/plugins/curl/Makefile.in
+++ b/src/libstrongswan/plugins/curl/Makefile.in
@@ -84,22 +84,17 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
-CXX = @CXX@
-CXXCPP = @CXXCPP@
-CXXDEPMODE = @CXXDEPMODE@
-CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DSYMUTIL = @DSYMUTIL@
-ECHO = @ECHO@
+DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-F77 = @F77@
-FFLAGS = @FFLAGS@
+FGREP = @FGREP@
 GPERF = @GPERF@
 GREP = @GREP@
 INSTALL = @INSTALL@
@@ -109,6 +104,7 @@ INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
 IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
 IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
@@ -117,12 +113,16 @@ LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
 LINUX_HEADERS = @LINUX_HEADERS@
+LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+NM = @NM@
 NMEDIT = @NMEDIT@
 OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -145,8 +145,7 @@ abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
-ac_ct_CXX = @ac_ct_CXX@
-ac_ct_F77 = @ac_ct_F77@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -185,6 +184,7 @@ libstrongswan_plugins = @libstrongswan_plugins@
 linuxdir = @linuxdir@
 localedir = @localedir@
 localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
diff --git a/src/libstrongswan/plugins/des/Makefile.in b/src/libstrongswan/plugins/des/Makefile.in
index 8824bd238..415c126af 100644
--- a/src/libstrongswan/plugins/des/Makefile.in
+++ b/src/libstrongswan/plugins/des/Makefile.in
@@ -84,22 +84,17 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
-CXX = @CXX@
-CXXCPP = @CXXCPP@
-CXXDEPMODE = @CXXDEPMODE@
-CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DSYMUTIL = @DSYMUTIL@
-ECHO = @ECHO@
+DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-F77 = @F77@
-FFLAGS = @FFLAGS@
+FGREP = @FGREP@
 GPERF = @GPERF@
 GREP = @GREP@
 INSTALL = @INSTALL@
@@ -109,6 +104,7 @@ INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
 IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
 IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
@@ -117,12 +113,16 @@ LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
 LINUX_HEADERS = @LINUX_HEADERS@
+LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+NM = @NM@
 NMEDIT = @NMEDIT@
 OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -145,8 +145,7 @@ abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
-ac_ct_CXX = @ac_ct_CXX@
-ac_ct_F77 = @ac_ct_F77@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -185,6 +184,7 @@ libstrongswan_plugins = @libstrongswan_plugins@
 linuxdir = @linuxdir@
 localedir = @localedir@
 localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
diff --git a/src/libstrongswan/plugins/des/des_crypter.c b/src/libstrongswan/plugins/des/des_crypter.c
index 43aff4dd1..a0b147c63 100644
--- a/src/libstrongswan/plugins/des/des_crypter.c
+++ b/src/libstrongswan/plugins/des/des_crypter.c
@@ -1,4 +1,6 @@
-/* Copyright (C) 2006 Martin Willi
+/*
+ * Copyright (C) 2009 Tobias Brunner
+ * Copyright (C) 2006 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
  * Derived from Plutos DES library by Eric Young.
@@ -55,7 +57,7 @@
  * copied and put under another distribution licence
  * [including the GNU Public Licence.]
  *
- * $Id: des_crypter.c 3910 2008-05-07 11:54:30Z martin $
+ * $Id: des_crypter.c 4887 2009-02-19 14:29:25Z tobias $
  */
 
 #include "des_crypter.h"
@@ -1107,6 +1109,65 @@ static void des_cbc_encrypt(des_cblock *input, des_cblock *output, long length,
 	tin[0]=tin[1]=0;
 }
 
+/**
+ * DES ECB encrypt decrypt routine
+ */
+static void des_ecb_encrypt(des_cblock *input, des_cblock *output, long length, 
+						    des_key_schedule schedule, int enc)
+{
+	register DES_LONG tin0,tin1;
+	register DES_LONG tout0,tout1;
+	register unsigned char *in,*out;
+	register long l=length;
+	DES_LONG tin[2];
+
+	in=(unsigned char *)input;
+	out=(unsigned char *)output;
+
+	if (enc)
+	{
+		for (l-=8; l>=0; l-=8)
+		{
+			c2l(in,tin0);
+			c2l(in,tin1);
+			tin[0]=tin0;
+			tin[1]=tin1;
+			des_encrypt((DES_LONG *)tin,schedule,DES_ENCRYPT);
+			tout0=tin[0]; l2c(tout0,out);
+			tout1=tin[1]; l2c(tout1,out);
+		}
+		if (l != -8)
+		{
+			c2ln(in,tin0,tin1,l+8);
+			tin[0]=tin0;
+			tin[1]=tin1;
+			des_encrypt((DES_LONG *)tin,schedule,DES_ENCRYPT);
+			tout0=tin[0]; l2c(tout0,out);
+			tout1=tin[1]; l2c(tout1,out);
+		}
+	}
+	else
+	{
+		for (l-=8; l>=0; l-=8)
+		{
+			c2l(in,tin0); tin[0]=tin0;
+			c2l(in,tin1); tin[1]=tin1;
+			des_encrypt((DES_LONG *)tin,schedule,DES_DECRYPT);
+			l2c(tout0,out);
+			l2c(tout1,out);
+		}
+		if (l != -8)
+		{
+			c2l(in,tin0); tin[0]=tin0;
+			c2l(in,tin1); tin[1]=tin1;
+			des_encrypt((DES_LONG *)tin,schedule,DES_DECRYPT);
+			l2cn(tout0,tout1,out,l+8);
+		}
+	}
+	tin0=tin1=tout0=tout1=0;
+	tin[0]=tin[1]=0;
+}
+
 static void des_encrypt2(DES_LONG *data, des_key_schedule ks, int enc)
 {
 	register DES_LONG l,r,t,u;
@@ -1398,6 +1459,42 @@ static void encrypt(private_des_crypter_t *this, chunk_t data, chunk_t iv,
 					 data.len, this->ks, &ivb, DES_ENCRYPT);
 }
 
+/**
+ * Implementation of crypter_t.decrypt for DES (ECB).
+ */
+static void decrypt_ecb(private_des_crypter_t *this, chunk_t data, chunk_t iv,
+						chunk_t *decrypted)
+{
+	u_int8_t *out;
+	
+	out = data.ptr;
+	if (decrypted)
+	{
+		*decrypted = chunk_alloc(data.len);
+		out = decrypted->ptr;
+	}
+	des_ecb_encrypt((des_cblock*)(data.ptr), (des_cblock*)out,
+					 data.len, this->ks, DES_DECRYPT);
+}
+
+/**
+ * Implementation of crypter_t.decrypt for DES (ECB).
+ */
+static void encrypt_ecb(private_des_crypter_t *this, chunk_t data, chunk_t iv,
+						chunk_t *encrypted)
+{
+	u_int8_t *out;
+	
+	out = data.ptr;
+	if (encrypted)
+	{
+		*encrypted = chunk_alloc(data.len);
+		out = encrypted->ptr;
+	}
+	des_ecb_encrypt((des_cblock*)(data.ptr), (des_cblock*)out,
+					 data.len, this->ks, DES_ENCRYPT);
+}
+
 /**
  * Implementation of crypter_t.decrypt for 3DES.
  */
@@ -1509,6 +1606,12 @@ des_crypter_t *des_crypter_create(encryption_algorithm_t algo)
 			this->public.crypter_interface.encrypt = (void (*) (crypter_t *, chunk_t,chunk_t, chunk_t *)) encrypt3;
 			this->public.crypter_interface.decrypt = (void (*) (crypter_t *, chunk_t , chunk_t, chunk_t *)) decrypt3;
 			break;
+		case ENCR_DES_ECB:
+			this->key_size = sizeof(des_cblock);
+			this->public.crypter_interface.set_key = (void (*) (crypter_t *,chunk_t)) set_key;
+			this->public.crypter_interface.encrypt = (void (*) (crypter_t *, chunk_t,chunk_t, chunk_t *)) encrypt_ecb;
+			this->public.crypter_interface.decrypt = (void (*) (crypter_t *, chunk_t , chunk_t, chunk_t *)) decrypt_ecb;
+			break;
 		default:
 			free(this);
 			return NULL;
diff --git a/src/libstrongswan/plugins/des/des_plugin.c b/src/libstrongswan/plugins/des/des_plugin.c
index 538138d8a..a0d8ce07b 100644
--- a/src/libstrongswan/plugins/des/des_plugin.c
+++ b/src/libstrongswan/plugins/des/des_plugin.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: des_plugin.c 4309 2008-08-28 11:07:57Z martin $
+ * $Id: des_plugin.c 4887 2009-02-19 14:29:25Z tobias $
  */
 
 #include "des_plugin.h"
@@ -56,6 +56,8 @@ plugin_t *plugin_create()
 							 (crypter_constructor_t)des_crypter_create);
 	lib->crypto->add_crypter(lib->crypto, ENCR_DES,
 							 (crypter_constructor_t)des_crypter_create);
+	lib->crypto->add_crypter(lib->crypto, ENCR_DES_ECB,
+							 (crypter_constructor_t)des_crypter_create);
 	
 	return &this->public.plugin;
 }
diff --git a/src/libstrongswan/plugins/fips_prf/Makefile.in b/src/libstrongswan/plugins/fips_prf/Makefile.in
index 48a6c9b28..1e53f435f 100644
--- a/src/libstrongswan/plugins/fips_prf/Makefile.in
+++ b/src/libstrongswan/plugins/fips_prf/Makefile.in
@@ -86,22 +86,17 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
-CXX = @CXX@
-CXXCPP = @CXXCPP@
-CXXDEPMODE = @CXXDEPMODE@
-CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DSYMUTIL = @DSYMUTIL@
-ECHO = @ECHO@
+DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-F77 = @F77@
-FFLAGS = @FFLAGS@
+FGREP = @FGREP@
 GPERF = @GPERF@
 GREP = @GREP@
 INSTALL = @INSTALL@
@@ -111,6 +106,7 @@ INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
 IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
 IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
@@ -119,12 +115,16 @@ LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
 LINUX_HEADERS = @LINUX_HEADERS@
+LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+NM = @NM@
 NMEDIT = @NMEDIT@
 OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -147,8 +147,7 @@ abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
-ac_ct_CXX = @ac_ct_CXX@
-ac_ct_F77 = @ac_ct_F77@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -187,6 +186,7 @@ libstrongswan_plugins = @libstrongswan_plugins@
 linuxdir = @linuxdir@
 localedir = @localedir@
 localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
diff --git a/src/libstrongswan/plugins/gmp/Makefile.in b/src/libstrongswan/plugins/gmp/Makefile.in
index 56642b7c9..c406f3af6 100644
--- a/src/libstrongswan/plugins/gmp/Makefile.in
+++ b/src/libstrongswan/plugins/gmp/Makefile.in
@@ -85,22 +85,17 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
-CXX = @CXX@
-CXXCPP = @CXXCPP@
-CXXDEPMODE = @CXXDEPMODE@
-CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DSYMUTIL = @DSYMUTIL@
-ECHO = @ECHO@
+DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-F77 = @F77@
-FFLAGS = @FFLAGS@
+FGREP = @FGREP@
 GPERF = @GPERF@
 GREP = @GREP@
 INSTALL = @INSTALL@
@@ -110,6 +105,7 @@ INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
 IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
 IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
@@ -118,12 +114,16 @@ LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
 LINUX_HEADERS = @LINUX_HEADERS@
+LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+NM = @NM@
 NMEDIT = @NMEDIT@
 OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -146,8 +146,7 @@ abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
-ac_ct_CXX = @ac_ct_CXX@
-ac_ct_F77 = @ac_ct_F77@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -186,6 +185,7 @@ libstrongswan_plugins = @libstrongswan_plugins@
 linuxdir = @linuxdir@
 localedir = @localedir@
 localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
diff --git a/src/libstrongswan/plugins/hmac/Makefile.in b/src/libstrongswan/plugins/hmac/Makefile.in
index ded48fbf2..067763049 100644
--- a/src/libstrongswan/plugins/hmac/Makefile.in
+++ b/src/libstrongswan/plugins/hmac/Makefile.in
@@ -85,22 +85,17 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
-CXX = @CXX@
-CXXCPP = @CXXCPP@
-CXXDEPMODE = @CXXDEPMODE@
-CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DSYMUTIL = @DSYMUTIL@
-ECHO = @ECHO@
+DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-F77 = @F77@
-FFLAGS = @FFLAGS@
+FGREP = @FGREP@
 GPERF = @GPERF@
 GREP = @GREP@
 INSTALL = @INSTALL@
@@ -110,6 +105,7 @@ INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
 IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
 IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
@@ -118,12 +114,16 @@ LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
 LINUX_HEADERS = @LINUX_HEADERS@
+LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+NM = @NM@
 NMEDIT = @NMEDIT@
 OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -146,8 +146,7 @@ abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
-ac_ct_CXX = @ac_ct_CXX@
-ac_ct_F77 = @ac_ct_F77@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -186,6 +185,7 @@ libstrongswan_plugins = @libstrongswan_plugins@
 linuxdir = @linuxdir@
 localedir = @localedir@
 localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
diff --git a/src/libstrongswan/plugins/ldap/Makefile.in b/src/libstrongswan/plugins/ldap/Makefile.in
index e828fbd44..e0109c6e8 100644
--- a/src/libstrongswan/plugins/ldap/Makefile.in
+++ b/src/libstrongswan/plugins/ldap/Makefile.in
@@ -84,22 +84,17 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
-CXX = @CXX@
-CXXCPP = @CXXCPP@
-CXXDEPMODE = @CXXDEPMODE@
-CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DSYMUTIL = @DSYMUTIL@
-ECHO = @ECHO@
+DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-F77 = @F77@
-FFLAGS = @FFLAGS@
+FGREP = @FGREP@
 GPERF = @GPERF@
 GREP = @GREP@
 INSTALL = @INSTALL@
@@ -109,6 +104,7 @@ INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
 IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
 IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
@@ -117,12 +113,16 @@ LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
 LINUX_HEADERS = @LINUX_HEADERS@
+LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+NM = @NM@
 NMEDIT = @NMEDIT@
 OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -145,8 +145,7 @@ abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
-ac_ct_CXX = @ac_ct_CXX@
-ac_ct_F77 = @ac_ct_F77@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -185,6 +184,7 @@ libstrongswan_plugins = @libstrongswan_plugins@
 linuxdir = @linuxdir@
 localedir = @localedir@
 localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
diff --git a/src/libstrongswan/plugins/md4/Makefile.am b/src/libstrongswan/plugins/md4/Makefile.am
new file mode 100644
index 000000000..f984322a6
--- /dev/null
+++ b/src/libstrongswan/plugins/md4/Makefile.am
@@ -0,0 +1,10 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = -rdynamic
+
+plugin_LTLIBRARIES = libstrongswan-md4.la
+
+libstrongswan_md4_la_SOURCES = md4_plugin.h md4_plugin.c md4_hasher.c md4_hasher.h
+libstrongswan_md4_la_LDFLAGS = -module
+
diff --git a/src/libstrongswan/plugins/md4/Makefile.in b/src/libstrongswan/plugins/md4/Makefile.in
new file mode 100644
index 000000000..4dbe8a6c4
--- /dev/null
+++ b/src/libstrongswan/plugins/md4/Makefile.in
@@ -0,0 +1,496 @@
+# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libstrongswan/plugins/md4
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__installdirs = "$(DESTDIR)$(plugindir)"
+pluginLTLIBRARIES_INSTALL = $(INSTALL)
+LTLIBRARIES = $(plugin_LTLIBRARIES)
+libstrongswan_md4_la_LIBADD =
+am_libstrongswan_md4_la_OBJECTS = md4_plugin.lo md4_hasher.lo
+libstrongswan_md4_la_OBJECTS = $(am_libstrongswan_md4_la_OBJECTS)
+libstrongswan_md4_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_md4_la_LDFLAGS) $(LDFLAGS) -o $@
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_md4_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_md4_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
+IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LINUX_HEADERS = @LINUX_HEADERS@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+RANLIB = @RANLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+confdir = @confdir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libstrongswan_plugins = @libstrongswan_plugins@
+linuxdir = @linuxdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+resolv_conf = @resolv_conf@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+simreader = @simreader@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+AM_CFLAGS = -rdynamic
+plugin_LTLIBRARIES = libstrongswan-md4.la
+libstrongswan_md4_la_SOURCES = md4_plugin.h md4_plugin.c md4_hasher.c md4_hasher.h
+libstrongswan_md4_la_LDFLAGS = -module
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
+		&& exit 0; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/libstrongswan/plugins/md4/Makefile'; \
+	cd $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu  src/libstrongswan/plugins/md4/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    f=$(am__strip_dir) \
+	    echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(plugindir)/$$f'"; \
+	    $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(plugindir)/$$f"; \
+	  else :; fi; \
+	done
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  p=$(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$p'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$p"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-md4.la: $(libstrongswan_md4_la_OBJECTS) $(libstrongswan_md4_la_DEPENDENCIES) 
+	$(libstrongswan_md4_la_LINK) -rpath $(plugindir) $(libstrongswan_md4_la_OBJECTS) $(libstrongswan_md4_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/md4_hasher.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/md4_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	    $$tags $$unique; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$tags $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) $$here
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	    fi; \
+	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
+	mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-info: install-info-am
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
+	distclean-compile distclean-generic distclean-libtool \
+	distclean-tags distdir dvi dvi-am html html-am info info-am \
+	install install-am install-data install-data-am install-dvi \
+	install-dvi-am install-exec install-exec-am install-html \
+	install-html-am install-info install-info-am install-man \
+	install-pdf install-pdf-am install-pluginLTLIBRARIES \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libstrongswan/plugins/md4/md4_hasher.c b/src/libstrongswan/plugins/md4/md4_hasher.c
new file mode 100644
index 000000000..9053bc68d
--- /dev/null
+++ b/src/libstrongswan/plugins/md4/md4_hasher.c
@@ -0,0 +1,359 @@
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ * Copyright (C) 1990-1992, RSA Data Security, Inc. Created 1990. 
+ * All rights reserved.
+ * 
+ * Derived from the RSA Data Security, Inc. MD4 Message-Digest Algorithm.
+ * Ported to fulfill hasher_t interface.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id: md4_hasher.c 4885 2009-02-19 10:16:45Z andreas $
+ */
+
+#include <string.h>
+
+#include "md4_hasher.h"
+
+/*
+ * Constants for MD4Transform routine.
+ */
+#define S11 3
+#define S12 7
+#define S13 11
+#define S14 19
+#define S21 3
+#define S22 5
+#define S23 9
+#define S24 13
+#define S31 3
+#define S32 9
+#define S33 11
+#define S34 15
+
+static u_int8_t PADDING[64] = {
+  0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+  0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+  0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
+};
+
+/*
+ * F, G, H and I are basic MD4 functions.
+ */
+#define F(x, y, z) (((x) & (y)) | ((~x) & (z)))
+#define G(x, y, z) (((x) & (y)) | ((x) & (z)) | ((y) & (z)))
+#define H(x, y, z) ((x) ^ (y) ^ (z))
+
+/*
+ * ROTATE_LEFT rotates x left n bits.
+ */
+#define ROTATE_LEFT(x, n) (((x) << (n)) | ((x) >> (32-(n))))
+
+/* FF, GG and HH are transformations for rounds 1, 2 and 3
+ * Rotation is separate from addition to prevent recomputation
+ */
+#define FF(a, b, c, d, x, s) { \
+    (a) += F ((b), (c), (d)) + (x); \
+    (a) = ROTATE_LEFT ((a), (s)); \
+  }
+#define GG(a, b, c, d, x, s) { \
+    (a) += G ((b), (c), (d)) + (x) + (u_int32_t)0x5a827999; \
+    (a) = ROTATE_LEFT ((a), (s)); \
+  }
+#define HH(a, b, c, d, x, s) { \
+    (a) += H ((b), (c), (d)) + (x) + (u_int32_t)0x6ed9eba1; \
+    (a) = ROTATE_LEFT ((a), (s)); \
+  }
+
+typedef struct private_md4_hasher_t private_md4_hasher_t;
+
+/**
+ * Private data structure with hasing context.
+ */
+struct private_md4_hasher_t {
+	/**
+	 * Public interface for this hasher.
+	 */
+	md4_hasher_t public;
+	
+	/*
+	 * State of the hasher.
+	 */
+	u_int32_t state[4];
+    u_int32_t count[2];
+    u_int8_t buffer[64];
+};
+
+#if BYTE_ORDER != LITTLE_ENDIAN
+
+/* Encodes input (u_int32_t) into output (u_int8_t). Assumes len is
+ * a multiple of 4.
+ */
+static void Encode (u_int8_t *output, u_int32_t *input, size_t len)
+{
+	size_t i, j;
+
+	for (i = 0, j = 0; j < len; i++, j += 4) 
+	{
+		output[j] = (u_int8_t)(input[i] & 0xff);
+		output[j+1] = (u_int8_t)((input[i] >> 8) & 0xff);
+		output[j+2] = (u_int8_t)((input[i] >> 16) & 0xff);
+		output[j+3] = (u_int8_t)((input[i] >> 24) & 0xff);
+	}
+}
+
+/* Decodes input (u_int8_t) into output (u_int32_t). Assumes len is
+ * a multiple of 4.
+ */
+static void Decode(u_int32_t *output, u_int8_t *input, size_t len)
+{
+	size_t i, j;
+
+	for (i = 0, j = 0; j < len; i++, j += 4)
+	{
+ 		output[i] = ((u_int32_t)input[j]) | (((u_int32_t)input[j+1]) << 8) |
+		(((u_int32_t)input[j+2]) << 16) | (((u_int32_t)input[j+3]) << 24);
+	}
+}
+
+#elif BYTE_ORDER == LITTLE_ENDIAN
+ #define Encode memcpy
+ #define Decode memcpy
+#endif
+
+/*
+ * MD4 basic transformation. Transforms state based on block.
+ */
+static void MD4Transform(u_int32_t state[4], u_int8_t block[64])
+{
+	u_int32_t a = state[0], b = state[1], c = state[2], d = state[3], x[16];
+
+	Decode(x, block, 64);
+
+  /* Round 1 */
+  FF (a, b, c, d, x[ 0], S11); /* 1 */
+  FF (d, a, b, c, x[ 1], S12); /* 2 */
+  FF (c, d, a, b, x[ 2], S13); /* 3 */
+  FF (b, c, d, a, x[ 3], S14); /* 4 */
+  FF (a, b, c, d, x[ 4], S11); /* 5 */
+  FF (d, a, b, c, x[ 5], S12); /* 6 */
+  FF (c, d, a, b, x[ 6], S13); /* 7 */
+  FF (b, c, d, a, x[ 7], S14); /* 8 */
+  FF (a, b, c, d, x[ 8], S11); /* 9 */
+  FF (d, a, b, c, x[ 9], S12); /* 10 */
+  FF (c, d, a, b, x[10], S13); /* 11 */
+  FF (b, c, d, a, x[11], S14); /* 12 */
+  FF (a, b, c, d, x[12], S11); /* 13 */
+  FF (d, a, b, c, x[13], S12); /* 14 */
+  FF (c, d, a, b, x[14], S13); /* 15 */
+  FF (b, c, d, a, x[15], S14); /* 16 */
+
+  /* Round 2 */
+  GG (a, b, c, d, x[ 0], S21); /* 17 */
+  GG (d, a, b, c, x[ 4], S22); /* 18 */
+  GG (c, d, a, b, x[ 8], S23); /* 19 */
+  GG (b, c, d, a, x[12], S24); /* 20 */
+  GG (a, b, c, d, x[ 1], S21); /* 21 */
+  GG (d, a, b, c, x[ 5], S22); /* 22 */
+  GG (c, d, a, b, x[ 9], S23); /* 23 */
+  GG (b, c, d, a, x[13], S24); /* 24 */
+  GG (a, b, c, d, x[ 2], S21); /* 25 */
+  GG (d, a, b, c, x[ 6], S22); /* 26 */
+  GG (c, d, a, b, x[10], S23); /* 27 */
+  GG (b, c, d, a, x[14], S24); /* 28 */
+  GG (a, b, c, d, x[ 3], S21); /* 29 */
+  GG (d, a, b, c, x[ 7], S22); /* 30 */
+  GG (c, d, a, b, x[11], S23); /* 31 */
+  GG (b, c, d, a, x[15], S24); /* 32 */
+
+  /* Round 3 */
+  HH (a, b, c, d, x[ 0], S31); /* 33 */
+  HH (d, a, b, c, x[ 8], S32); /* 34 */
+  HH (c, d, a, b, x[ 4], S33); /* 35 */
+  HH (b, c, d, a, x[12], S34); /* 36 */
+  HH (a, b, c, d, x[ 2], S31); /* 37 */
+  HH (d, a, b, c, x[10], S32); /* 38 */
+  HH (c, d, a, b, x[ 6], S33); /* 39 */
+  HH (b, c, d, a, x[14], S34); /* 40 */
+  HH (a, b, c, d, x[ 1], S31); /* 41 */
+  HH (d, a, b, c, x[ 9], S32); /* 42 */
+  HH (c, d, a, b, x[ 5], S33); /* 43 */
+  HH (b, c, d, a, x[13], S34); /* 44 */
+  HH (a, b, c, d, x[ 3], S31); /* 45 */
+  HH (d, a, b, c, x[11], S32); /* 46 */
+  HH (c, d, a, b, x[ 7], S33); /* 47 */
+  HH (b, c, d, a, x[15], S34); /* 48 */
+
+  state[0] += a;
+  state[1] += b;
+  state[2] += c;
+  state[3] += d;
+}
+
+/* MD4 block update operation. Continues an MD4 message-digest
+ * operation, processing another message block, and updating the
+ * context.
+ */
+static void MD4Update(private_md4_hasher_t *this, u_int8_t *input, size_t inputLen)
+{
+	u_int32_t i;
+	size_t index, partLen;
+
+	/* Compute number of bytes mod 64 */
+	index = (u_int8_t)((this->count[0] >> 3) & 0x3F);
+
+	/* Update number of bits */
+	if ((this->count[0] += (inputLen << 3)) < (inputLen << 3))
+	{
+		this->count[1]++;
+	}
+	this->count[1] += (inputLen >> 29);
+
+	partLen = 64 - index;
+
+	/* Transform as many times as possible. */
+	if (inputLen >= partLen) 
+	{
+		memcpy(&this->buffer[index], input, partLen);
+		MD4Transform (this->state, this->buffer);
+
+		for (i = partLen; i + 63 < inputLen; i += 64)
+		{
+	    	MD4Transform (this->state, &input[i]);
+		}
+		index = 0;
+	}
+	else
+	{
+		i = 0;
+	}
+
+	/* Buffer remaining input */
+	memcpy(&this->buffer[index], &input[i], inputLen-i);
+}
+
+/* MD4 finalization. Ends an MD4 message-digest operation, writing the
+ * the message digest and zeroizing the context.
+ */
+static void MD4Final (private_md4_hasher_t *this, u_int8_t digest[16])
+{
+	u_int8_t bits[8];
+	size_t index, padLen;
+
+	/* Save number of bits */
+	Encode (bits, this->count, 8);
+
+	/* Pad out to 56 mod 64. */
+	index = (size_t)((this->count[0] >> 3) & 0x3f);
+	padLen = (index < 56) ? (56 - index) : (120 - index);
+	MD4Update (this, PADDING, padLen);
+
+	/* Append length (before padding) */
+	MD4Update (this, bits, 8);
+
+	if (digest != NULL)			/* Bill Simpson's padding */
+	{
+		/* store state in digest */
+		Encode (digest, this->state, 16);
+	}
+}
+
+
+
+/**
+ * Implementation of hasher_t.get_hash.
+ */
+static void get_hash(private_md4_hasher_t *this, chunk_t chunk, u_int8_t *buffer)
+{
+	MD4Update(this, chunk.ptr, chunk.len);
+	if (buffer != NULL)
+	{
+		MD4Final(this, buffer);
+		this->public.hasher_interface.reset(&(this->public.hasher_interface));
+	}
+}
+
+
+/**
+ * Implementation of hasher_t.allocate_hash.
+ */
+static void allocate_hash(private_md4_hasher_t *this, chunk_t chunk, chunk_t *hash)
+{
+	chunk_t allocated_hash;
+	
+	MD4Update(this, chunk.ptr, chunk.len);
+	if (hash != NULL)
+	{
+		allocated_hash.ptr = malloc(HASH_SIZE_MD4);
+		allocated_hash.len = HASH_SIZE_MD4;
+
+		MD4Final(this, allocated_hash.ptr);
+		this->public.hasher_interface.reset(&(this->public.hasher_interface));
+		
+		*hash = allocated_hash;
+	}
+}
+	
+/**
+ * Implementation of hasher_t.get_hash_size.
+ */
+static size_t get_hash_size(private_md4_hasher_t *this)
+{
+	return HASH_SIZE_MD4;
+}
+
+/**
+ * Implementation of hasher_t.reset.
+ */
+static void reset(private_md4_hasher_t *this)
+{
+	this->state[0] = 0x67452301;
+	this->state[1] = 0xefcdab89;
+	this->state[2] = 0x98badcfe;
+	this->state[3] = 0x10325476;
+	this->count[0] = 0;
+	this->count[1] = 0;
+}
+
+/**
+ * Implementation of hasher_t.destroy.
+ */
+static void destroy(private_md4_hasher_t *this)
+{
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+md4_hasher_t *md4_hasher_create(hash_algorithm_t algo)
+{
+	private_md4_hasher_t *this;
+	
+	if (algo != HASH_MD4)
+	{
+		return NULL;
+	}
+	this = malloc_thing(private_md4_hasher_t);
+	
+	this->public.hasher_interface.get_hash = (void (*) (hasher_t*, chunk_t, u_int8_t*))get_hash;
+	this->public.hasher_interface.allocate_hash = (void (*) (hasher_t*, chunk_t, chunk_t*))allocate_hash;
+	this->public.hasher_interface.get_hash_size = (size_t (*) (hasher_t*))get_hash_size;
+	this->public.hasher_interface.reset = (void (*) (hasher_t*))reset;
+	this->public.hasher_interface.destroy = (void (*) (hasher_t*))destroy;
+	
+	/* initialize */
+	reset(this);
+	
+	return &(this->public);
+}
diff --git a/src/libstrongswan/plugins/md4/md4_hasher.h b/src/libstrongswan/plugins/md4/md4_hasher.h
new file mode 100644
index 000000000..75956fde6
--- /dev/null
+++ b/src/libstrongswan/plugins/md4/md4_hasher.h
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup md4_hasher md4_hasher
+ * @{ @ingroup md4_p
+ */
+
+#ifndef MD4_HASHER_H_
+#define MD4_HASHER_H_
+
+typedef struct md4_hasher_t md4_hasher_t;
+
+#include <crypto/hashers/hasher.h>
+
+/**
+ * Implementation of hasher_t interface using the MD4 algorithm.
+ */
+struct md4_hasher_t {
+	
+	/**
+	 * Generic hasher_t interface for this hasher.
+	 */
+	hasher_t hasher_interface;
+};
+
+/**
+ * Creates a new md4_hasher_t.
+ * 
+ * @param algo		hash algorithm, must be HASH_MD4
+ * @return			md4_hasher_t object, NULL if not supported
+ */
+md4_hasher_t *md4_hasher_create(hash_algorithm_t algo);
+
+#endif /*MD4_HASHER_H_@}*/
diff --git a/src/libstrongswan/plugins/md4/md4_plugin.c b/src/libstrongswan/plugins/md4/md4_plugin.c
new file mode 100644
index 000000000..df77314f7
--- /dev/null
+++ b/src/libstrongswan/plugins/md4/md4_plugin.c
@@ -0,0 +1,60 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id: md4_plugin.c 4885 2009-02-19 10:16:45Z andreas $
+ */
+
+#include "md4_plugin.h"
+
+#include <library.h>
+#include "md4_hasher.h"
+
+typedef struct private_md4_plugin_t private_md4_plugin_t;
+
+/**
+ * private data of md4_plugin
+ */
+struct private_md4_plugin_t {
+
+	/**
+	 * public functions
+	 */
+	md4_plugin_t public;
+};
+
+/**
+ * Implementation of md4_plugin_t.destroy
+ */
+static void destroy(private_md4_plugin_t *this)
+{
+	lib->crypto->remove_hasher(lib->crypto,
+							   (hasher_constructor_t)md4_hasher_create);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *plugin_create()
+{
+	private_md4_plugin_t *this = malloc_thing(private_md4_plugin_t);
+	
+	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+	
+	lib->crypto->add_hasher(lib->crypto, HASH_MD4,
+							(hasher_constructor_t)md4_hasher_create);
+	
+	return &this->public.plugin;
+}
+
diff --git a/src/libstrongswan/plugins/md4/md4_plugin.h b/src/libstrongswan/plugins/md4/md4_plugin.h
new file mode 100644
index 000000000..965bff261
--- /dev/null
+++ b/src/libstrongswan/plugins/md4/md4_plugin.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup md4_p md4
+ * @ingroup plugins
+ *
+ * @defgroup md4_plugin md4_plugin
+ * @{ @ingroup md4_p
+ */
+
+#ifndef MD4_PLUGIN_H_
+#define MD4_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct md4_plugin_t md4_plugin_t;
+
+/**
+ * Plugin implementing the md4 hash algorithm in software.
+ */
+struct md4_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+/**
+ * Create a md4_plugin instance.
+ */
+plugin_t *plugin_create();
+
+#endif /* MD4_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/md5/Makefile.in b/src/libstrongswan/plugins/md5/Makefile.in
index 43b921e63..a73e78b05 100644
--- a/src/libstrongswan/plugins/md5/Makefile.in
+++ b/src/libstrongswan/plugins/md5/Makefile.in
@@ -84,22 +84,17 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
-CXX = @CXX@
-CXXCPP = @CXXCPP@
-CXXDEPMODE = @CXXDEPMODE@
-CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DSYMUTIL = @DSYMUTIL@
-ECHO = @ECHO@
+DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-F77 = @F77@
-FFLAGS = @FFLAGS@
+FGREP = @FGREP@
 GPERF = @GPERF@
 GREP = @GREP@
 INSTALL = @INSTALL@
@@ -109,6 +104,7 @@ INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
 IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
 IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
@@ -117,12 +113,16 @@ LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
 LINUX_HEADERS = @LINUX_HEADERS@
+LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+NM = @NM@
 NMEDIT = @NMEDIT@
 OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -145,8 +145,7 @@ abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
-ac_ct_CXX = @ac_ct_CXX@
-ac_ct_F77 = @ac_ct_F77@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -185,6 +184,7 @@ libstrongswan_plugins = @libstrongswan_plugins@
 linuxdir = @linuxdir@
 localedir = @localedir@
 localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
diff --git a/src/libstrongswan/plugins/mysql/Makefile.in b/src/libstrongswan/plugins/mysql/Makefile.in
index 96dc33fe5..9a16662b9 100644
--- a/src/libstrongswan/plugins/mysql/Makefile.in
+++ b/src/libstrongswan/plugins/mysql/Makefile.in
@@ -84,22 +84,17 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
-CXX = @CXX@
-CXXCPP = @CXXCPP@
-CXXDEPMODE = @CXXDEPMODE@
-CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DSYMUTIL = @DSYMUTIL@
-ECHO = @ECHO@
+DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-F77 = @F77@
-FFLAGS = @FFLAGS@
+FGREP = @FGREP@
 GPERF = @GPERF@
 GREP = @GREP@
 INSTALL = @INSTALL@
@@ -109,6 +104,7 @@ INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
 IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
 IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
@@ -117,12 +113,16 @@ LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
 LINUX_HEADERS = @LINUX_HEADERS@
+LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+NM = @NM@
 NMEDIT = @NMEDIT@
 OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -145,8 +145,7 @@ abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
-ac_ct_CXX = @ac_ct_CXX@
-ac_ct_F77 = @ac_ct_F77@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -185,6 +184,7 @@ libstrongswan_plugins = @libstrongswan_plugins@
 linuxdir = @linuxdir@
 localedir = @localedir@
 localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
diff --git a/src/libstrongswan/plugins/openssl/Makefile.in b/src/libstrongswan/plugins/openssl/Makefile.in
index 746b5cf4b..0af89d377 100644
--- a/src/libstrongswan/plugins/openssl/Makefile.in
+++ b/src/libstrongswan/plugins/openssl/Makefile.in
@@ -89,22 +89,17 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
-CXX = @CXX@
-CXXCPP = @CXXCPP@
-CXXDEPMODE = @CXXDEPMODE@
-CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DSYMUTIL = @DSYMUTIL@
-ECHO = @ECHO@
+DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-F77 = @F77@
-FFLAGS = @FFLAGS@
+FGREP = @FGREP@
 GPERF = @GPERF@
 GREP = @GREP@
 INSTALL = @INSTALL@
@@ -114,6 +109,7 @@ INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
 IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
 IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
@@ -122,12 +118,16 @@ LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
 LINUX_HEADERS = @LINUX_HEADERS@
+LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+NM = @NM@
 NMEDIT = @NMEDIT@
 OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -150,8 +150,7 @@ abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
-ac_ct_CXX = @ac_ct_CXX@
-ac_ct_F77 = @ac_ct_F77@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -190,6 +189,7 @@ libstrongswan_plugins = @libstrongswan_plugins@
 linuxdir = @linuxdir@
 localedir = @localedir@
 localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
diff --git a/src/libstrongswan/plugins/openssl/openssl_crypter.c b/src/libstrongswan/plugins/openssl/openssl_crypter.c
index e59c4d615..5eddeb5f9 100644
--- a/src/libstrongswan/plugins/openssl/openssl_crypter.c
+++ b/src/libstrongswan/plugins/openssl/openssl_crypter.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: openssl_crypter.c 4020 2008-05-28 12:20:38Z andreas $
+ * $Id: openssl_crypter.c 4879 2009-02-18 19:41:33Z tobias $
  */
 
 #include "openssl_crypter.h"
@@ -224,6 +224,9 @@ openssl_crypter_t *openssl_crypter_create(encryption_algorithm_t algo,
 					return NULL;
 			}
 			break;
+		case ENCR_DES_ECB:
+			this->cipher = EVP_des_ecb();
+			break;
 		default:
 		{
 			char* name = lookup_algorithm(encryption_algs, algo, &key_size);
diff --git a/src/libstrongswan/plugins/openssl/openssl_hasher.c b/src/libstrongswan/plugins/openssl/openssl_hasher.c
index 1275cdfb0..d344dbd51 100644
--- a/src/libstrongswan/plugins/openssl/openssl_hasher.c
+++ b/src/libstrongswan/plugins/openssl/openssl_hasher.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: openssl_hasher.c 3898 2008-04-30 09:23:13Z tobias $
+ * $Id: openssl_hasher.c 4879 2009-02-18 19:41:33Z tobias $
  */
 
 #include "openssl_hasher.h"
@@ -69,7 +69,8 @@ static openssl_algorithm_t integrity_algs[] = {
 	{HASH_SHA1,		"sha1"},
 	{HASH_SHA256,	"sha256"},
 	{HASH_SHA384,	"sha384"},
-	{HASH_SHA512, 	"sha512"},
+	{HASH_SHA512,	"sha512"},
+	{HASH_MD4,		"md4"},
 	{END_OF_LIST, 	NULL},
 };
 
diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c
index dcc78aed6..725daff01 100644
--- a/src/libstrongswan/plugins/openssl/openssl_plugin.c
+++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c
@@ -13,9 +13,10 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: openssl_plugin.c 4583 2008-11-05 12:37:37Z martin $
+ * $Id: openssl_plugin.c 4879 2009-02-18 19:41:33Z tobias $
  */
 
+#include <openssl/conf.h>
 #include <openssl/evp.h>
 #include <openssl/engine.h>
 #include <openssl/crypto.h>
@@ -185,6 +186,7 @@ static void destroy(private_openssl_plugin_t *this)
 	
 	ENGINE_cleanup();
 	EVP_cleanup();
+	CONF_modules_free();
 	
 	threading_cleanup();
 	
@@ -202,6 +204,7 @@ plugin_t *plugin_create()
 	
 	threading_init();
 	
+	OPENSSL_config(NULL);
 	OpenSSL_add_all_algorithms();
 	
 	/* activate support for hardware accelerators */
@@ -223,6 +226,8 @@ plugin_t *plugin_create()
 					(crypter_constructor_t)openssl_crypter_create);
 	lib->crypto->add_crypter(lib->crypto, ENCR_DES,
 					(crypter_constructor_t)openssl_crypter_create);
+	lib->crypto->add_crypter(lib->crypto, ENCR_DES_ECB,
+					(crypter_constructor_t)openssl_crypter_create);
 	lib->crypto->add_crypter(lib->crypto, ENCR_NULL,
 					(crypter_constructor_t)openssl_crypter_create);
 	
@@ -231,6 +236,8 @@ plugin_t *plugin_create()
 					(hasher_constructor_t)openssl_hasher_create);
 	lib->crypto->add_hasher(lib->crypto, HASH_MD2,
 					(hasher_constructor_t)openssl_hasher_create);
+	lib->crypto->add_hasher(lib->crypto, HASH_MD4,
+					(hasher_constructor_t)openssl_hasher_create);
 	lib->crypto->add_hasher(lib->crypto, HASH_MD5,
 					(hasher_constructor_t)openssl_hasher_create);
 	lib->crypto->add_hasher(lib->crypto, HASH_SHA256,
diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
index a815ce622..9730e0ab2 100644
--- a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: openssl_rsa_private_key.c 4564 2008-11-04 13:01:36Z martin $
+ * $Id: openssl_rsa_private_key.c 4745 2008-12-03 10:12:20Z tobias $
  */
 
 #include "openssl_rsa_private_key.h"
@@ -22,6 +22,7 @@
 
 #include <openssl/evp.h>
 #include <openssl/rsa.h>
+#include <openssl/engine.h>
 
 /**
  *  Public exponent to use for key generation.
@@ -43,6 +44,11 @@ struct private_openssl_rsa_private_key_t {
 	 * RSA object from OpenSSL
 	 */
 	RSA *rsa;
+	
+	/**
+	 * TRUE if the key is from an OpenSSL ENGINE and might not be readable
+	 */
+	bool engine;
 
 	/**
 	 * Keyid formed as a SHA-1 hash of a privateKey object
@@ -238,9 +244,13 @@ static bool belongs_to(private_openssl_rsa_private_key_t *this, public_key_t *pu
  */
 static chunk_t get_encoding(private_openssl_rsa_private_key_t *this)
 {
-	chunk_t enc = chunk_alloc(i2d_RSAPrivateKey(this->rsa, NULL));
-	u_char *p = enc.ptr;
-	i2d_RSAPrivateKey(this->rsa, &p);
+	chunk_t enc = chunk_empty;
+	if (!this->engine)
+	{
+		enc = chunk_alloc(i2d_RSAPrivateKey(this->rsa, NULL));
+		u_char *p = enc.ptr;
+		i2d_RSAPrivateKey(this->rsa, &p);
+	}
 	return enc;
 }
 
@@ -289,6 +299,7 @@ static private_openssl_rsa_private_key_t *openssl_rsa_private_key_create_empty(v
 	this->public.interface.get_ref = (private_key_t* (*)(private_key_t *this))get_ref;
 	this->public.interface.destroy = (void (*)(private_key_t *this))destroy;
 	
+	this->engine = FALSE;
 	this->keyid = NULL;
 	this->keyid_info = NULL;
 	this->ref = 1;
@@ -347,6 +358,61 @@ static openssl_rsa_private_key_t *load(chunk_t blob)
 	return &this->public;
 }
 
+/**
+ * load private key from a smart card
+ */
+static openssl_rsa_private_key_t *load_from_smartcard(char *keyid, char *pin)
+{
+	private_openssl_rsa_private_key_t *this = NULL;
+	EVP_PKEY *key;
+	char *engine_id = lib->settings->get_str(lib->settings,
+								"library.plugins.openssl.engine_id", "pkcs11");
+	
+	ENGINE *engine = ENGINE_by_id(engine_id);
+	if (!engine)
+	{
+		DBG1("engine '%s' is not available", engine_id);
+		return NULL;
+	}
+	
+	if (!ENGINE_init(engine))
+	{
+		DBG1("failed to initialize engine '%s'", engine_id);
+		goto error;
+	}
+	
+	if (!ENGINE_ctrl_cmd_string(engine, "PIN", pin, 0))
+	{
+		DBG1("failed to set PIN on engine '%s'", engine_id);
+		goto error;
+	}
+	
+	key = ENGINE_load_private_key(engine, keyid, NULL, NULL);
+	
+	if (!key)
+	{
+		DBG1("failed to load private key with ID '%s' from engine '%s'", keyid,
+				engine_id);
+		goto error;
+	}
+	ENGINE_free(engine);
+	
+	this = openssl_rsa_private_key_create_empty();
+	this->rsa = EVP_PKEY_get1_RSA(key);
+	this->engine = TRUE;
+	
+	if (!openssl_rsa_public_key_build_id(this->rsa, &this->keyid, &this->keyid_info))
+	{
+		destroy(this);
+		return NULL;
+	}
+	return &this->public;
+	
+error:
+	ENGINE_free(engine);
+	return NULL;
+}
+
 typedef struct private_builder_t private_builder_t;
 /**
  * Builder implementation for key loading/generation
@@ -356,6 +422,10 @@ struct private_builder_t {
 	builder_t public;
 	/** loaded/generated private key */
 	openssl_rsa_private_key_t *key;
+	/** temporary stored smartcard key ID */
+	char *keyid;
+	/** temporary stored smartcard pin */
+	char *pin;
 };
 
 /**
@@ -365,6 +435,10 @@ static openssl_rsa_private_key_t *build(private_builder_t *this)
 {
 	openssl_rsa_private_key_t *key = this->key;
 	
+	if (this->keyid && this->pin)
+	{
+		key = load_from_smartcard(this->keyid, this->pin);
+	}
 	free(this);
 	return key;
 }
@@ -396,6 +470,20 @@ static void add(private_builder_t *this, builder_part_t part, ...)
 				va_end(args);
 				return;
 			}
+			case BUILD_SMARTCARD_KEYID:
+			{
+				va_start(args, part);
+				this->keyid = va_arg(args, char*);
+				va_end(args);
+				return;
+			}
+			case BUILD_SMARTCARD_PIN:
+			{
+				va_start(args, part);
+				this->pin = va_arg(args, char*);
+				va_end(args);
+				return;
+			}
 			default:
 				break;
 		}
@@ -424,6 +512,8 @@ builder_t *openssl_rsa_private_key_builder(key_type_t type)
 	this->key = NULL;
 	this->public.add = (void(*)(builder_t *this, builder_part_t part, ...))add;
 	this->public.build = (void*(*)(builder_t *this))build;
+	this->keyid = NULL;
+	this->pin = NULL;
 	
 	return &this->public;
 }
diff --git a/src/libstrongswan/plugins/padlock/Makefile.am b/src/libstrongswan/plugins/padlock/Makefile.am
index e2e76e9e6..e7c3ba486 100644
--- a/src/libstrongswan/plugins/padlock/Makefile.am
+++ b/src/libstrongswan/plugins/padlock/Makefile.am
@@ -7,6 +7,7 @@ plugin_LTLIBRARIES = libstrongswan-padlock.la
 
 libstrongswan_padlock_la_SOURCES = padlock_plugin.h padlock_plugin.c \
 	padlock_aes_crypter.c padlock_aes_crypter.h \
-	padlock_sha1_hasher.c padlock_sha1_hasher.h
+	padlock_sha1_hasher.c padlock_sha1_hasher.h \
+	padlock_rng.c padlock_rng.h
 libstrongswan_padlock_la_LDFLAGS = -module
 
diff --git a/src/libstrongswan/plugins/padlock/Makefile.in b/src/libstrongswan/plugins/padlock/Makefile.in
index 1b032e3d4..290b4836d 100644
--- a/src/libstrongswan/plugins/padlock/Makefile.in
+++ b/src/libstrongswan/plugins/padlock/Makefile.in
@@ -51,7 +51,7 @@ pluginLTLIBRARIES_INSTALL = $(INSTALL)
 LTLIBRARIES = $(plugin_LTLIBRARIES)
 libstrongswan_padlock_la_LIBADD =
 am_libstrongswan_padlock_la_OBJECTS = padlock_plugin.lo \
-	padlock_aes_crypter.lo padlock_sha1_hasher.lo
+	padlock_aes_crypter.lo padlock_sha1_hasher.lo padlock_rng.lo
 libstrongswan_padlock_la_OBJECTS =  \
 	$(am_libstrongswan_padlock_la_OBJECTS)
 libstrongswan_padlock_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
@@ -86,22 +86,17 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
-CXX = @CXX@
-CXXCPP = @CXXCPP@
-CXXDEPMODE = @CXXDEPMODE@
-CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DSYMUTIL = @DSYMUTIL@
-ECHO = @ECHO@
+DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-F77 = @F77@
-FFLAGS = @FFLAGS@
+FGREP = @FGREP@
 GPERF = @GPERF@
 GREP = @GREP@
 INSTALL = @INSTALL@
@@ -111,6 +106,7 @@ INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
 IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
 IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
@@ -119,12 +115,16 @@ LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
 LINUX_HEADERS = @LINUX_HEADERS@
+LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+NM = @NM@
 NMEDIT = @NMEDIT@
 OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -147,8 +147,7 @@ abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
-ac_ct_CXX = @ac_ct_CXX@
-ac_ct_F77 = @ac_ct_F77@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -187,6 +186,7 @@ libstrongswan_plugins = @libstrongswan_plugins@
 linuxdir = @linuxdir@
 localedir = @localedir@
 localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
@@ -215,7 +215,8 @@ AM_CFLAGS = -rdynamic
 plugin_LTLIBRARIES = libstrongswan-padlock.la
 libstrongswan_padlock_la_SOURCES = padlock_plugin.h padlock_plugin.c \
 	padlock_aes_crypter.c padlock_aes_crypter.h \
-	padlock_sha1_hasher.c padlock_sha1_hasher.h
+	padlock_sha1_hasher.c padlock_sha1_hasher.h \
+	padlock_rng.c padlock_rng.h
 
 libstrongswan_padlock_la_LDFLAGS = -module
 all: all-am
@@ -289,6 +290,7 @@ distclean-compile:
 
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/padlock_aes_crypter.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/padlock_plugin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/padlock_rng.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/padlock_sha1_hasher.Plo@am__quote@
 
 .c.o:
diff --git a/src/libstrongswan/plugins/padlock/padlock_plugin.c b/src/libstrongswan/plugins/padlock/padlock_plugin.c
index 822acc4a2..d0b55bcd9 100644
--- a/src/libstrongswan/plugins/padlock/padlock_plugin.c
+++ b/src/libstrongswan/plugins/padlock/padlock_plugin.c
@@ -16,12 +16,37 @@
  */
 
 #include "padlock_plugin.h"
-
-#include <library.h>
 #include "padlock_aes_crypter.h"
 #include "padlock_sha1_hasher.h"
+#include "padlock_rng.h"
+
+#include <stdio.h>
+
+#include <library.h>
+#include <debug.h>
 
 typedef struct private_padlock_plugin_t private_padlock_plugin_t;
+typedef enum padlock_feature_t padlock_feature_t;
+
+/**
+ * Feature flags of padlock, received via cpuid()
+ */
+enum padlock_feature_t {
+	PADLOCK_RESERVED_1 = 		(1<<0),
+	PADLOCK_RESERVED_2 = 		(1<<1),
+	PADLOCK_RNG_AVAILABLE = 	(1<<2),
+	PADLOCK_RNG_ENABLED = 		(1<<3),
+	PADLOCK_RESERVED_3 = 		(1<<4),
+	PADLOCK_RESERVED_4 = 		(1<<5),
+	PADLOCK_ACE_AVAILABLE = 	(1<<6),
+	PADLOCK_ACE_ENABLED = 		(1<<7),
+	PADLOCK_ACE2_AVAILABLE = 	(1<<8),
+	PADLOCK_ACE2_ENABLED = 		(1<<9),
+	PADLOCK_PHE_AVAILABLE = 	(1<<10),
+	PADLOCK_PHE_ENABLED = 		(1<<11),
+	PADLOCK_PMM_AVAILABLE = 	(1<<12),
+	PADLOCK_PMM_ENABLED = 		(1<<13),
+};
 
 /**
  * private data of aes_plugin
@@ -32,17 +57,76 @@ struct private_padlock_plugin_t {
 	 * public functions
 	 */
 	padlock_plugin_t public;
+	
+	/**
+	 * features supported by Padlock
+	 */
+	padlock_feature_t features;
 };
 
+/**
+ * Get cpuid for info, return eax, ebx, ecx and edx. -fPIC requires to save ebx.
+ */
+#define cpuid(op, a, b, c, d)\
+	asm (\
+		"pushl %%ebx		\n\t"\
+		"cpuid				\n\t"\
+		"movl %%ebx, %1		\n\t"\
+		"popl %%ebx			\n\t"\
+		: "=a" (a), "=r" (b), "=c" (c), "=d" (d) \
+		: "a" (op));
+
+/**
+ * Get features supported by Padlock
+ */
+static padlock_feature_t get_padlock_features()
+{
+	char vendor[3 * sizeof(int) + 1];
+	int a, b, c, d;
+	
+	cpuid(0, a, b, c, d);
+	/* VendorID string is in b-d-c (yes, in this order) */
+	snprintf(vendor, sizeof(vendor), "%.4s%.4s%.4s", &b, &d, &c);
+	
+	/* check if we have a VIA chip */
+	if (streq(vendor, "CentaurHauls"))
+	{
+		cpuid(0xC0000000, a, b, c, d);
+		/* check Centaur Extended Feature Flags */
+		if (a >= 0xC0000001)
+		{
+			cpuid(0xC0000001, a, b, c, d);
+			return d;
+		}
+	}
+	DBG1("Padlock not found, CPU is %s\n", vendor);
+	return 0;
+}
+
 /**
  * Implementation of aes_plugin_t.destroy
  */
 static void destroy(private_padlock_plugin_t *this)
 {
-	lib->crypto->remove_crypter(lib->crypto,
-					(crypter_constructor_t)padlock_aes_crypter_create);
-	lib->crypto->remove_hasher(lib->crypto,
-					(hasher_constructor_t)padlock_sha1_hasher_create);
+	if (this->features & PADLOCK_RNG_ENABLED)
+	{
+		lib->crypto->remove_rng(lib->crypto,
+							(rng_constructor_t)padlock_rng_create);
+		lib->crypto->remove_rng(lib->crypto,
+							(rng_constructor_t)padlock_rng_create);
+		lib->crypto->remove_rng(lib->crypto,
+							(rng_constructor_t)padlock_rng_create);
+	}
+	if (this->features & PADLOCK_ACE2_ENABLED)
+	{
+		lib->crypto->remove_crypter(lib->crypto,
+							(crypter_constructor_t)padlock_aes_crypter_create);
+	}
+	if (this->features & PADLOCK_PHE_ENABLED)
+	{
+		lib->crypto->remove_hasher(lib->crypto,
+							(hasher_constructor_t)padlock_sha1_hasher_create);
+	}
 	free(this);
 }
 
@@ -55,10 +139,42 @@ plugin_t *plugin_create()
 	
 	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
 	
-	lib->crypto->add_crypter(lib->crypto, ENCR_AES_CBC,
-					(crypter_constructor_t)padlock_aes_crypter_create);
-	lib->crypto->add_hasher(lib->crypto, HASH_SHA1,
-					(hasher_constructor_t)padlock_sha1_hasher_create);
+	this->features = get_padlock_features();
+	if (!this->features)
+	{
+		free(this);
+		return NULL;
+	}
+	DBG1("Padlock found, supports:%s%s%s%s%s, enabled:%s%s%s%s%s",
+		 this->features & PADLOCK_RNG_AVAILABLE ? " RNG" : "",
+		 this->features & PADLOCK_ACE_AVAILABLE ? " ACE" : "",
+		 this->features & PADLOCK_ACE2_AVAILABLE ? " ACE2" : "",
+		 this->features & PADLOCK_PHE_AVAILABLE ? " PHE" : "",
+		 this->features & PADLOCK_PMM_AVAILABLE ? " PMM" : "",
+		 this->features & PADLOCK_RNG_ENABLED ? " RNG" : "",
+		 this->features & PADLOCK_ACE_ENABLED ? " ACE" : "",
+		 this->features & PADLOCK_ACE2_ENABLED ? " ACE2" : "",
+		 this->features & PADLOCK_PHE_ENABLED ? " PHE" : "",
+		 this->features & PADLOCK_PMM_ENABLED ? " PMM" : "");
 	
+	if (this->features & PADLOCK_RNG_ENABLED)
+	{
+		lib->crypto->add_rng(lib->crypto, RNG_REAL,
+						(rng_constructor_t)padlock_rng_create);
+		lib->crypto->add_rng(lib->crypto, RNG_STRONG,
+						(rng_constructor_t)padlock_rng_create);
+		lib->crypto->add_rng(lib->crypto, RNG_WEAK,
+						(rng_constructor_t)padlock_rng_create);
+	}
+	if (this->features & PADLOCK_ACE2_ENABLED)
+	{
+		lib->crypto->add_crypter(lib->crypto, ENCR_AES_CBC,
+						(crypter_constructor_t)padlock_aes_crypter_create);
+	}
+	if (this->features & PADLOCK_PHE_ENABLED)
+	{
+		lib->crypto->add_hasher(lib->crypto, HASH_SHA1,
+						(hasher_constructor_t)padlock_sha1_hasher_create);
+	}
 	return &this->public.plugin;
 }
diff --git a/src/libstrongswan/plugins/padlock/padlock_rng.c b/src/libstrongswan/plugins/padlock/padlock_rng.c
new file mode 100644
index 000000000..50d9f0c43
--- /dev/null
+++ b/src/libstrongswan/plugins/padlock/padlock_rng.c
@@ -0,0 +1,136 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+#include "padlock_rng.h"
+
+typedef struct private_padlock_rng_t private_padlock_rng_t;
+typedef enum padlock_quality_factor_t padlock_quality_factor_t;
+
+/**
+ * Padlock RNG quality factors
+ */
+enum padlock_quality_factor_t {
+	/* Lowest quality: Reads 8 bytes */
+	PADLOCK_QF0 = 0x00,
+	/* Medium quality: Reads 4 bytes */
+	PADLOCK_QF1 = 0x01,
+	/* Better quality: Reads 2 bytes */
+	PADLOCK_QF2 = 0x10,
+	/* Highest quality: Reads 1 byte */
+	PADLOCK_QF3 = 0x11,
+};
+
+/**
+ * Private data of an padlock_rng_t object.
+ */
+struct private_padlock_rng_t {
+	
+	/**
+	 * Public padlock_rng_t interface.
+	 */
+	padlock_rng_t public;
+	
+	/**
+	 * Padlock quality factor
+	 */
+	padlock_quality_factor_t quality;
+};
+
+/**
+ * Get bytes from Padlock RNG. buf should have space for (len + 7)
+ */
+static void rng(char *buf, int len, int quality)
+{
+	while (len > 0)
+	{
+		int status;
+		
+		/* run XSTORE until we have all bytes needed. We do not use REP, as
+		 * this should not be performance critical and it's easier this way. */
+		asm volatile (
+			".byte 0x0F,0xA7,0xC0 \n\t"
+			: "=D"(buf), "=a"(status)
+			: "d"(quality), "D"(buf));
+		
+		/* bits[0..4] of status word contains the number of bytes read */
+		len -= status & 0x1F;
+	}
+}
+
+/**
+ * Implementation of padlock_rng_t.allocate_bytes.
+ */
+static void allocate_bytes(private_padlock_rng_t *this, size_t bytes,
+						   chunk_t *chunk)
+{
+	chunk->len = bytes;
+	/* padlock requires some additional bytes */
+	chunk->ptr = malloc(bytes + 7);
+	
+	rng(chunk->ptr, chunk->len, this->quality);
+}
+
+/**
+ * Implementation of padlock_rng_t.get_bytes.
+ */
+static void get_bytes(private_padlock_rng_t *this, size_t bytes,
+					  u_int8_t *buffer)
+{
+	chunk_t chunk;
+	
+	/* Padlock needs a larger buffer than "bytes", we need a new buffer */
+	allocate_bytes(this, bytes, &chunk);
+	memcpy(buffer, chunk.ptr, bytes);
+	chunk_clear(&chunk);
+}
+
+/**
+ * Implementation of padlock_rng_t.destroy.
+ */
+static void destroy(private_padlock_rng_t *this)
+{
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+padlock_rng_t *padlock_rng_create(rng_quality_t quality)
+{
+	private_padlock_rng_t *this = malloc_thing(private_padlock_rng_t);
+	
+	this->public.rng.get_bytes = (void (*) (rng_t *, size_t, u_int8_t*)) get_bytes;
+	this->public.rng.allocate_bytes = (void (*) (rng_t *, size_t, chunk_t*)) allocate_bytes;
+	this->public.rng.destroy = (void (*) (rng_t *))destroy;
+	
+	/* map RNG quality to Padlock quality factor */
+	switch (quality)
+	{
+		case RNG_WEAK:
+			this->quality = PADLOCK_QF0;
+			break;
+		case RNG_STRONG:
+			this->quality = PADLOCK_QF1;
+			break;
+		case RNG_REAL:
+			this->quality = PADLOCK_QF3;
+			break;
+	}
+	
+	return &this->public;
+}
+
diff --git a/src/libstrongswan/plugins/padlock/padlock_rng.h b/src/libstrongswan/plugins/padlock/padlock_rng.h
new file mode 100644
index 000000000..a76ecd296
--- /dev/null
+++ b/src/libstrongswan/plugins/padlock/padlock_rng.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+/**
+ * @defgroup padlock_rng padlock_rng
+ * @{ @ingroup padlock
+ */
+
+#ifndef PADLOCK_RNG_H_
+#define PADLOCK_RNG_H_
+
+#include <crypto/rngs/rng.h>
+
+typedef struct padlock_rng_t padlock_rng_t;
+
+/**
+ * Hardware-RNG based on via Padlock.
+ */
+struct padlock_rng_t {
+	
+	/**
+	 * Implements rng_t interface.
+	 */
+	rng_t rng;
+};
+
+/**
+ * Create a padlock_rng instance.
+ *
+ * @param quality	required quality of randomness
+ * @return			created random_rng_t
+ */
+padlock_rng_t *padlock_rng_create(rng_quality_t quality);
+
+#endif /* PADLOCK_RNG_ @}*/
diff --git a/src/libstrongswan/plugins/pubkey/Makefile.in b/src/libstrongswan/plugins/pubkey/Makefile.in
index ef1004672..eb5e19f08 100644
--- a/src/libstrongswan/plugins/pubkey/Makefile.in
+++ b/src/libstrongswan/plugins/pubkey/Makefile.in
@@ -86,22 +86,17 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
-CXX = @CXX@
-CXXCPP = @CXXCPP@
-CXXDEPMODE = @CXXDEPMODE@
-CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DSYMUTIL = @DSYMUTIL@
-ECHO = @ECHO@
+DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-F77 = @F77@
-FFLAGS = @FFLAGS@
+FGREP = @FGREP@
 GPERF = @GPERF@
 GREP = @GREP@
 INSTALL = @INSTALL@
@@ -111,6 +106,7 @@ INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
 IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
 IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
@@ -119,12 +115,16 @@ LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
 LINUX_HEADERS = @LINUX_HEADERS@
+LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+NM = @NM@
 NMEDIT = @NMEDIT@
 OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -147,8 +147,7 @@ abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
-ac_ct_CXX = @ac_ct_CXX@
-ac_ct_F77 = @ac_ct_F77@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -187,6 +186,7 @@ libstrongswan_plugins = @libstrongswan_plugins@
 linuxdir = @linuxdir@
 localedir = @localedir@
 localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
diff --git a/src/libstrongswan/plugins/random/Makefile.in b/src/libstrongswan/plugins/random/Makefile.in
index 90b319520..f5e3c4cc9 100644
--- a/src/libstrongswan/plugins/random/Makefile.in
+++ b/src/libstrongswan/plugins/random/Makefile.in
@@ -85,22 +85,17 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
-CXX = @CXX@
-CXXCPP = @CXXCPP@
-CXXDEPMODE = @CXXDEPMODE@
-CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DSYMUTIL = @DSYMUTIL@
-ECHO = @ECHO@
+DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-F77 = @F77@
-FFLAGS = @FFLAGS@
+FGREP = @FGREP@
 GPERF = @GPERF@
 GREP = @GREP@
 INSTALL = @INSTALL@
@@ -110,6 +105,7 @@ INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
 IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
 IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
@@ -118,12 +114,16 @@ LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
 LINUX_HEADERS = @LINUX_HEADERS@
+LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+NM = @NM@
 NMEDIT = @NMEDIT@
 OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -146,8 +146,7 @@ abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
-ac_ct_CXX = @ac_ct_CXX@
-ac_ct_F77 = @ac_ct_F77@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -186,6 +185,7 @@ libstrongswan_plugins = @libstrongswan_plugins@
 linuxdir = @linuxdir@
 localedir = @localedir@
 localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
diff --git a/src/libstrongswan/plugins/sha1/Makefile.in b/src/libstrongswan/plugins/sha1/Makefile.in
index df6845b43..ece7381b2 100644
--- a/src/libstrongswan/plugins/sha1/Makefile.in
+++ b/src/libstrongswan/plugins/sha1/Makefile.in
@@ -85,22 +85,17 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
-CXX = @CXX@
-CXXCPP = @CXXCPP@
-CXXDEPMODE = @CXXDEPMODE@
-CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DSYMUTIL = @DSYMUTIL@
-ECHO = @ECHO@
+DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-F77 = @F77@
-FFLAGS = @FFLAGS@
+FGREP = @FGREP@
 GPERF = @GPERF@
 GREP = @GREP@
 INSTALL = @INSTALL@
@@ -110,6 +105,7 @@ INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
 IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
 IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
@@ -118,12 +114,16 @@ LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
 LINUX_HEADERS = @LINUX_HEADERS@
+LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+NM = @NM@
 NMEDIT = @NMEDIT@
 OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -146,8 +146,7 @@ abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
-ac_ct_CXX = @ac_ct_CXX@
-ac_ct_F77 = @ac_ct_F77@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -186,6 +185,7 @@ libstrongswan_plugins = @libstrongswan_plugins@
 linuxdir = @linuxdir@
 localedir = @localedir@
 localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
diff --git a/src/libstrongswan/plugins/sha2/Makefile.in b/src/libstrongswan/plugins/sha2/Makefile.in
index ea5610671..6b28b68a1 100644
--- a/src/libstrongswan/plugins/sha2/Makefile.in
+++ b/src/libstrongswan/plugins/sha2/Makefile.in
@@ -84,22 +84,17 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
-CXX = @CXX@
-CXXCPP = @CXXCPP@
-CXXDEPMODE = @CXXDEPMODE@
-CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DSYMUTIL = @DSYMUTIL@
-ECHO = @ECHO@
+DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-F77 = @F77@
-FFLAGS = @FFLAGS@
+FGREP = @FGREP@
 GPERF = @GPERF@
 GREP = @GREP@
 INSTALL = @INSTALL@
@@ -109,6 +104,7 @@ INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
 IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
 IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
@@ -117,12 +113,16 @@ LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
 LINUX_HEADERS = @LINUX_HEADERS@
+LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+NM = @NM@
 NMEDIT = @NMEDIT@
 OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -145,8 +145,7 @@ abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
-ac_ct_CXX = @ac_ct_CXX@
-ac_ct_F77 = @ac_ct_F77@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -185,6 +184,7 @@ libstrongswan_plugins = @libstrongswan_plugins@
 linuxdir = @linuxdir@
 localedir = @localedir@
 localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
diff --git a/src/libstrongswan/plugins/sqlite/Makefile.in b/src/libstrongswan/plugins/sqlite/Makefile.in
index 21773de32..e6732a195 100644
--- a/src/libstrongswan/plugins/sqlite/Makefile.in
+++ b/src/libstrongswan/plugins/sqlite/Makefile.in
@@ -86,22 +86,17 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
-CXX = @CXX@
-CXXCPP = @CXXCPP@
-CXXDEPMODE = @CXXDEPMODE@
-CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DSYMUTIL = @DSYMUTIL@
-ECHO = @ECHO@
+DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-F77 = @F77@
-FFLAGS = @FFLAGS@
+FGREP = @FGREP@
 GPERF = @GPERF@
 GREP = @GREP@
 INSTALL = @INSTALL@
@@ -111,6 +106,7 @@ INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
 IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
 IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
@@ -119,12 +115,16 @@ LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
 LINUX_HEADERS = @LINUX_HEADERS@
+LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+NM = @NM@
 NMEDIT = @NMEDIT@
 OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -147,8 +147,7 @@ abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
-ac_ct_CXX = @ac_ct_CXX@
-ac_ct_F77 = @ac_ct_F77@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -187,6 +186,7 @@ libstrongswan_plugins = @libstrongswan_plugins@
 linuxdir = @linuxdir@
 localedir = @localedir@
 localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
diff --git a/src/libstrongswan/plugins/x509/Makefile.in b/src/libstrongswan/plugins/x509/Makefile.in
index 01093e862..028bbd41a 100644
--- a/src/libstrongswan/plugins/x509/Makefile.in
+++ b/src/libstrongswan/plugins/x509/Makefile.in
@@ -86,22 +86,17 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
-CXX = @CXX@
-CXXCPP = @CXXCPP@
-CXXDEPMODE = @CXXDEPMODE@
-CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DSYMUTIL = @DSYMUTIL@
-ECHO = @ECHO@
+DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-F77 = @F77@
-FFLAGS = @FFLAGS@
+FGREP = @FGREP@
 GPERF = @GPERF@
 GREP = @GREP@
 INSTALL = @INSTALL@
@@ -111,6 +106,7 @@ INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
 IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
 IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
@@ -119,12 +115,16 @@ LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
 LINUX_HEADERS = @LINUX_HEADERS@
+LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+NM = @NM@
 NMEDIT = @NMEDIT@
 OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -147,8 +147,7 @@ abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
-ac_ct_CXX = @ac_ct_CXX@
-ac_ct_F77 = @ac_ct_F77@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -187,6 +186,7 @@ libstrongswan_plugins = @libstrongswan_plugins@
 linuxdir = @linuxdir@
 localedir = @localedir@
 localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
diff --git a/src/libstrongswan/plugins/x509/x509_ac.c b/src/libstrongswan/plugins/x509/x509_ac.c
index 257a903e4..fbb7707a1 100644
--- a/src/libstrongswan/plugins/x509/x509_ac.c
+++ b/src/libstrongswan/plugins/x509/x509_ac.c
@@ -409,7 +409,7 @@ static bool parse_certificate(private_x509_ac_t *this)
 				sig_alg = asn1_parse_algorithmIdentifier(object, level, NULL);
 				break;
 			case AC_OBJ_SERIAL_NUMBER:
-				this->serialNumber = object;
+				this->serialNumber = chunk_clone(object);
 				break;
 			case AC_OBJ_NOT_BEFORE:
 				this->notBefore = asn1_to_time(&object, ASN1_GENERALIZEDTIME);
@@ -923,6 +923,7 @@ static void destroy(private_x509_ac_t *this)
 
 		ietfAttr_list_destroy(this->charging);
 		ietfAttr_list_destroy(this->groups);
+		free(this->serialNumber.ptr);
 		free(this->encoding.ptr);
 		free(this);
 	}
@@ -956,6 +957,7 @@ static private_x509_ac_t *create_empty(void)
 
 	/* initialize */
 	this->encoding = chunk_empty;
+	this->serialNumber = chunk_empty;
 	this->holderSerial = chunk_empty;
 	this->holderIssuer = NULL;
 	this->entityName = NULL;
diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c
index 9f76c3486..e618f31d8 100644
--- a/src/libstrongswan/plugins/x509/x509_cert.c
+++ b/src/libstrongswan/plugins/x509/x509_cert.c
@@ -17,7 +17,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: x509_cert.c 4576 2008-11-05 08:32:38Z martin $
+ * $Id: x509_cert.c 4767 2008-12-08 19:15:38Z martin $
  */
 
 #define _GNU_SOURCE
@@ -66,7 +66,7 @@ struct private_x509_cert_t {
 	 * Public interface for this certificate.
 	 */
 	x509_cert_t public;
-
+	
 	/**
 	 * X.509 certificate encoding in ASN.1 DER format
 	 */
@@ -76,7 +76,7 @@ struct private_x509_cert_t {
 	 * SHA1 hash of the DER encoding of this X.509 certificate
 	 */
 	chunk_t encoding_hash;
-
+	
 	/**
 	 * X.509 certificate body over which signature is computed
 	 */
@@ -96,17 +96,17 @@ struct private_x509_cert_t {
 	 * ID representing the certificate issuer
 	 */
 	identification_t *issuer;
-
+	
 	/**
 	 * Start time of certificate validity
 	 */
 	time_t notBefore;
-
+	
 	/**
 	 * End time of certificate validity
 	 */
 	time_t notAfter;
-
+	
 	/**
 	 * ID representing the certificate subject
 	 */
@@ -121,12 +121,12 @@ struct private_x509_cert_t {
 	 * List of crlDistributionPoints as allocated char*
 	 */
 	linked_list_t *crl_uris;
-
+	
 	/**
 	 * List ocspAccessLocations as identification_t
 	 */
 	linked_list_t *ocsp_uris;
-
+	
 	/**
 	 * certificates embedded public key
 	 */
@@ -136,12 +136,12 @@ struct private_x509_cert_t {
 	 * Subject Key Identifier
 	 */
 	chunk_t subjectKeyID;
-
+	
 	/**
 	 * Authority Key Identifier
 	 */
 	identification_t *authKeyIdentifier;
-
+	
 	/**
 	 * Authority Key Serial Number
 	 */
@@ -151,17 +151,22 @@ struct private_x509_cert_t {
 	 * x509 constraints and other flags
 	 */
 	x509_flag_t flags;
-
+	
 	/**
 	 * Signature algorithm
 	 */
 	int algorithm;
-
+	
 	/**
 	 * Signature
 	 */
 	chunk_t signature;
 	
+	/**
+	 * Certificate parsed from blob/file?
+	 */
+	bool parsed;
+	
 	/**
 	 * reference count
 	 */
@@ -258,7 +263,7 @@ static bool parse_otherName(chunk_t blob, int level0)
 		}
 	}
 	success = parser->success(parser);
-
+	
 end:
 	parser->destroy(parser);
 	return success;
@@ -306,16 +311,16 @@ static identification_t *parse_generalName(chunk_t blob, int level0)
 	asn1_parser_t *parser;
 	chunk_t object;
 	int objectID ;
-
+	
 	identification_t *gn = NULL;
-
+	
 	parser = asn1_parser_create(generalNameObjects, blob);
 	parser->set_top_level(parser, level0);
-
+	
 	while (parser->iterate(parser, &objectID, &object))
 	{
 		id_type_t id_type = ID_ANY;
-	
+		
 		switch (objectID)
 		{
 			case GN_OBJ_RFC822_NAME:
@@ -329,7 +334,7 @@ static identification_t *parse_generalName(chunk_t blob, int level0)
 				break;
 			case GN_OBJ_DIRECTORY_NAME:
 				id_type = ID_DER_ASN1_DN;
-	    		break;
+				break;
 			case GN_OBJ_IP_ADDRESS:
 				id_type = ID_IPV4_ADDR;
 				break;
@@ -350,12 +355,12 @@ static identification_t *parse_generalName(chunk_t blob, int level0)
 			gn = identification_create_from_encoding(id_type, object);
 			DBG2("  '%D'", gn);
 			goto end;
-        }
-   }
-
+		}
+	}
+	
 end:
 	parser->destroy(parser);
-    return gn;
+	return gn;
 }
 
 /**
@@ -377,18 +382,18 @@ void x509_parse_generalNames(chunk_t blob, int level0, bool implicit, linked_lis
 	asn1_parser_t *parser;
 	chunk_t object;
 	int objectID;
-
+	
 	parser = asn1_parser_create(generalNamesObjects, blob);
 	parser->set_top_level(parser, level0);
 	parser->set_flags(parser, implicit, FALSE);
-
+	
 	while (parser->iterate(parser, &objectID, &object))
 	{
 		if (objectID == GENERAL_NAMES_GN)
 		{
 			identification_t *gn = parse_generalName(object,
 											parser->get_level(parser)+1);
-
+			
 			if (gn)
 			{
 				list->insert_last(list, (void *)gn);
@@ -425,12 +430,12 @@ identification_t* x509_parse_authorityKeyIdentifier(chunk_t blob, int level0,
 	chunk_t object;
 	int objectID;
 	identification_t *authKeyIdentifier = NULL;
-
+	
 	*authKeySerialNumber = chunk_empty;
-
+	
 	parser = asn1_parser_create(authKeyIdentifierObjects, blob);
 	parser->set_top_level(parser, level0);
-
+	
 	while (parser->iterate(parser, &objectID, &object))
 	{
 		switch (objectID) 
@@ -480,7 +485,7 @@ static void parse_authorityInfoAccess(chunk_t blob, int level0,
 	
 	parser = asn1_parser_create(authInfoAccessObjects, blob);
 	parser->set_top_level(parser, level0);
-
+	
 	while (parser->iterate(parser, &objectID, &object))
 	{
 		switch (objectID) 
@@ -497,7 +502,7 @@ static void parse_authorityInfoAccess(chunk_t blob, int level0,
 						{
 							identification_t *id;
 							char *uri;
-
+							
 							id = parse_generalName(object,
 											parser->get_level(parser)+1);
 							if (id == NULL)
@@ -524,7 +529,7 @@ static void parse_authorityInfoAccess(chunk_t blob, int level0,
 				break;
 		}
 	}
-
+	
 end:
 	parser->destroy(parser);
 }
@@ -552,7 +557,7 @@ static bool parse_extendedKeyUsage(chunk_t blob, int level0)
 	
 	parser = asn1_parser_create(extendedKeyUsageObjects, blob);
 	parser->set_top_level(parser, level0);
-
+	
 	while (parser->iterate(parser, &objectID, &object))
 	{
 		if (objectID == EXT_KEY_USAGE_PURPOSE_ID && 
@@ -599,13 +604,13 @@ static void parse_crlDistributionPoints(chunk_t blob, int level0,
 	
 	parser = asn1_parser_create(crlDistributionPointsObjects, blob);
 	parser->set_top_level(parser, level0);
-
+	
 	while (parser->iterate(parser, &objectID, &object))
 	{
 		if (objectID == CRL_DIST_POINTS_FULLNAME)
 		{
 			identification_t *id;
-
+			
 			/* append extracted generalNames to existing chained list */
 			x509_parse_generalNames(object, parser->get_level(parser)+1,
 									TRUE, list);
@@ -613,7 +618,7 @@ static void parse_crlDistributionPoints(chunk_t blob, int level0,
 			while (list->remove_last(list, (void**)&id) == SUCCESS)
 			{
 				char *uri;
-
+				
 				if (asprintf(&uri, "%D", id) > 0)
 				{
 					this->crl_uris->insert_last(this->crl_uris, uri);
@@ -687,11 +692,11 @@ static bool parse_certificate(private_x509_cert_t *this)
 	bool critical;
 	
 	parser = asn1_parser_create(certObjects, this->encoding);
-
+	
 	while (parser->iterate(parser, &objectID, &object))
 	{
 		u_int level = parser->get_level(parser)+1;
-
+		
 		switch (objectID)
 		{
 			case X509_OBJ_TBS_CERTIFICATE:
@@ -806,7 +811,7 @@ static bool parse_certificate(private_x509_cert_t *this)
 		}
 	}
 	success = parser->success(parser);
-
+	
 end:
 	parser->destroy(parser);
 	return success;
@@ -850,7 +855,7 @@ static id_match_t has_subject(private_x509_cert_t *this, identification_t *subje
 	{
 		return ID_MATCH_PERFECT;
 	}
-
+	
 	best = this->subject->matches(this->subject, subject);
 	enumerator = this->subjectAltNames->create_enumerator(this->subjectAltNames);
 	while (enumerator->enumerate(enumerator, &current))
@@ -1001,7 +1006,7 @@ static bool is_newer(certificate_t *this, certificate_t *that)
 {
 	time_t this_update, that_update, now = time(NULL);
 	bool new;
-
+	
 	this->get_validity(this, &now, &this_update, NULL);
 	that->get_validity(that, &now, &that_update, NULL);
 	new = this_update > that_update;
@@ -1026,7 +1031,7 @@ static bool equals(private_x509_cert_t *this, certificate_t *other)
 {
 	chunk_t encoding;
 	bool equal;
-
+	
 	if (this == (private_x509_cert_t*)other)
 	{
 		return TRUE;
@@ -1102,6 +1107,12 @@ static void destroy(private_x509_cert_t *this)
 		DESTROY_IF(this->authKeyIdentifier);
 		chunk_free(&this->encoding);
 		chunk_free(&this->encoding_hash);
+		if (!this->parsed)
+		{	/* only parsed certificates point these fields to "encoded" */
+			chunk_free(&this->signature);
+			chunk_free(&this->serialNumber);
+			chunk_free(&this->tbsCertificate);
+		}
 		free(this);
 	}
 }
@@ -1132,9 +1143,14 @@ static private_x509_cert_t* create_empty(void)
 	this->public.interface.create_subjectAltName_enumerator = (enumerator_t* (*)(x509_t*))create_subjectAltName_enumerator;
 	this->public.interface.create_crl_uri_enumerator = (enumerator_t* (*)(x509_t*))create_crl_uri_enumerator;
 	this->public.interface.create_ocsp_uri_enumerator = (enumerator_t* (*)(x509_t*))create_ocsp_uri_enumerator;
-
+	
 	this->encoding = chunk_empty;
 	this->encoding_hash = chunk_empty;
+	this->tbsCertificate = chunk_empty;
+	this->version = 3;
+	this->serialNumber = chunk_empty;	
+	this->notBefore = 0;
+	this->notAfter = 0;
 	this->public_key = NULL;
 	this->subject = NULL;
 	this->issuer = NULL;
@@ -1144,9 +1160,12 @@ static private_x509_cert_t* create_empty(void)
 	this->subjectKeyID = chunk_empty;
 	this->authKeyIdentifier = NULL;
 	this->authKeySerialNumber = chunk_empty;
+	this->algorithm = 0;
+	this->signature = chunk_empty;
 	this->flags = 0;
 	this->ref = 1;
-
+	this->parsed = FALSE;
+	
 	return this;
 }
 
@@ -1155,22 +1174,23 @@ static private_x509_cert_t* create_empty(void)
  */
 static private_x509_cert_t *create_from_chunk(chunk_t chunk)
 {
+	hasher_t *hasher;
 	private_x509_cert_t *this = create_empty();
-
+	
 	this->encoding = chunk;
 	if (!parse_certificate(this))
 	{
 		destroy(this);
 		return NULL;
 	}
-
+	
 	/* check if the certificate is self-signed */
 	if (issued_by(this, &this->public.interface.interface))
 	{
 		this->flags |= X509_SELF_SIGNED;
 	}
 	
-	hasher_t *hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
+	hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
 	if (hasher != NULL)
 	{
 		hasher->allocate_hash(hasher, this->encoding, &this->encoding_hash);
@@ -1181,6 +1201,7 @@ static private_x509_cert_t *create_from_chunk(chunk_t chunk)
 		DBG1("  unable to create hash of certificate, SHA1 not supported");		
 	}
 	
+	this->parsed = TRUE;
 	return this;
 }
 
@@ -1207,7 +1228,6 @@ static private_x509_cert_t *create_from_file(char *path)
 	}
 	DBG1("  loaded certificate file '%s'",  path);
 	return this;
-
 }
 
 typedef struct private_builder_t private_builder_t;
@@ -1221,21 +1241,137 @@ struct private_builder_t {
 	private_x509_cert_t *cert;
 	/** additional flags to enforce */
 	x509_flag_t flags;
+	/** certificate to sign, if we generate a new cert */
+	certificate_t *sign_cert;
+	/** private key to sign, if we generate a new cert */
+	private_key_t *sign_key;
 };
 
+/**
+ * Generate and sign a new certificate
+ */
+static bool generate(private_builder_t *this)
+{
+	chunk_t extensions = chunk_empty;
+	identification_t *issuer, *subject;
+	chunk_t key_info, key;
+	signature_scheme_t scheme;
+	hasher_t *hasher;
+	
+	subject = this->cert->subject;
+	if (this->sign_cert)
+	{
+		issuer = this->sign_cert->get_subject(this->sign_cert);
+		if (!this->cert->public_key)
+		{
+			return FALSE;
+		}
+	}
+	else
+	{	/* self signed */
+		issuer = subject;
+		if (!this->cert->public_key)
+		{
+			this->cert->public_key = this->sign_key->get_public_key(this->sign_key);
+		}
+		this->flags |= X509_SELF_SIGNED;
+	}
+	this->cert->issuer = issuer->clone(issuer);
+	if (!this->cert->notBefore)
+	{
+		this->cert->notBefore = time(NULL);
+	}
+	if (!this->cert->notAfter)
+	{	/* defaults to 1 years from now on */
+		this->cert->notAfter = this->cert->notBefore + 60 * 60 * 24 * 365;
+	}
+	this->cert->flags = this->flags;
+	
+	switch (this->sign_key->get_type(this->sign_key))
+	{
+		case KEY_RSA:
+			this->cert->algorithm = OID_SHA1_WITH_RSA;
+			scheme = SIGN_RSA_EMSA_PKCS1_SHA1;
+			break;
+		default:
+			return FALSE;
+	}
+	
+	switch (this->cert->public_key->get_type(this->cert->public_key))
+	{
+		case KEY_RSA:
+			key = this->cert->public_key->get_encoding(this->cert->public_key);
+			key_info = asn1_wrap(ASN1_SEQUENCE, "cm",
+							asn1_algorithmIdentifier(OID_RSA_ENCRYPTION), 
+							asn1_bitstring("m", key));	
+			break;
+		default:
+			return FALSE;
+	}
+	
+	if (this->cert->subjectAltNames->get_count(this->cert->subjectAltNames))
+	{
+		/* TODO: encode subjectAltNames */
+	}
+	
+	this->cert->tbsCertificate = asn1_wrap(ASN1_SEQUENCE, "mmccmcmm", 
+		asn1_simple_object(ASN1_CONTEXT_C_0, ASN1_INTEGER_2),
+		asn1_simple_object(ASN1_INTEGER, this->cert->serialNumber),
+		asn1_algorithmIdentifier(this->cert->algorithm),
+		issuer->get_encoding(issuer),
+		asn1_wrap(ASN1_SEQUENCE, "mm",
+			asn1_from_time(&this->cert->notBefore, ASN1_UTCTIME),
+			asn1_from_time(&this->cert->notAfter, ASN1_UTCTIME)),
+		subject->get_encoding(subject),
+		key_info, extensions);
+	
+	if (!this->sign_key->sign(this->sign_key, scheme, 
+							this->cert->tbsCertificate, &this->cert->signature))
+	{
+		return FALSE;
+	}
+	this->cert->encoding = asn1_wrap(ASN1_SEQUENCE, "ccm",
+								this->cert->tbsCertificate,
+								asn1_algorithmIdentifier(this->cert->algorithm),
+								asn1_bitstring("c", this->cert->signature));
+	
+	hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
+	if (!hasher)
+	{
+		return FALSE;
+	}
+	hasher->allocate_hash(hasher, this->cert->encoding,
+						  &this->cert->encoding_hash);
+	hasher->destroy(hasher);
+	return TRUE;
+}
+
 /**
  * Implementation of builder_t.build
  */
 static private_x509_cert_t *build(private_builder_t *this)
 {
-	private_x509_cert_t *cert = this->cert;
-	x509_flag_t flags = this->flags;
-
+	private_x509_cert_t *cert;
+	x509_flag_t flags;
+	
+	if (this->cert && !this->cert->encoding.ptr)
+	{
+		if (!this->sign_key || !this->cert ||
+			!generate(this))
+		{
+			destroy(this->cert);
+			free(this);
+			return NULL;
+		}
+	}
+	cert = this->cert;
+	flags =  this->flags;
 	free(this);
 	if (cert == NULL)
 	{
 		return NULL;
 	}
+	
 	if ((flags & X509_CA) && !(cert->flags & X509_CA))
 	{
 		DBG1("  ca certificate must have ca basic constraint set, discarded");
@@ -1253,6 +1389,7 @@ static void add(private_builder_t *this, builder_part_t part, ...)
 {
 	va_list args;
 	chunk_t chunk;
+	bool handled = TRUE;
 	
 	va_start(args, part);
 	switch (part)
@@ -1267,6 +1404,60 @@ static void add(private_builder_t *this, builder_part_t part, ...)
 		case BUILD_X509_FLAG:
 			this->flags = va_arg(args, x509_flag_t);
 			break;
+		case BUILD_SIGNING_KEY:
+			this->sign_key = va_arg(args, private_key_t*);
+			break;
+		case BUILD_SIGNING_CERT:
+			this->sign_cert = va_arg(args, certificate_t*);
+			break;
+		default:
+			/* all other parts need an empty cert */
+			if (!this->cert)
+			{
+				this->cert = create_empty();
+			}
+			handled = FALSE;
+			break;
+	}
+	if (handled)
+	{
+		va_end(args);
+		return;
+	}
+	
+	switch (part)
+	{
+		case BUILD_PUBLIC_KEY:
+		{
+			public_key_t *key = va_arg(args, public_key_t*);
+			this->cert->public_key = key->get_ref(key);
+			break;
+		}
+		case BUILD_SUBJECT:
+		{
+			identification_t *id = va_arg(args, identification_t*);
+			this->cert->subject = id->clone(id);
+			break;
+		}
+		case BUILD_SUBJECT_ALTNAME:
+		{
+			identification_t *id = va_arg(args, identification_t*);
+			this->cert->subjectAltNames->insert_last(
+									this->cert->subjectAltNames, id->clone(id));
+			break;
+		}
+		case BUILD_NOT_BEFORE_TIME:
+			this->cert->notBefore = va_arg(args, time_t);
+			break;
+		case BUILD_NOT_AFTER_TIME:
+			this->cert->notAfter = va_arg(args, time_t);
+			break;
+		case BUILD_SERIAL:
+		{
+			chunk_t serial = va_arg(args, chunk_t);
+			this->cert->serialNumber = chunk_clone(serial);
+			break;
+		}
 		default:
 			/* abort if unsupported option */
 			if (this->cert)
@@ -1295,6 +1486,8 @@ builder_t *x509_cert_builder(certificate_type_t type)
 	
 	this->cert = NULL;
 	this->flags = 0;
+	this->sign_cert = NULL;
+	this->sign_key = NULL;
 	this->public.add = (void(*)(builder_t *this, builder_part_t part, ...))add;
 	this->public.build = (void*(*)(builder_t *this))build;
 	
diff --git a/src/libstrongswan/plugins/xcbc/Makefile.in b/src/libstrongswan/plugins/xcbc/Makefile.in
index 898142582..48c6ef954 100644
--- a/src/libstrongswan/plugins/xcbc/Makefile.in
+++ b/src/libstrongswan/plugins/xcbc/Makefile.in
@@ -85,22 +85,17 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
-CXX = @CXX@
-CXXCPP = @CXXCPP@
-CXXDEPMODE = @CXXDEPMODE@
-CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DSYMUTIL = @DSYMUTIL@
-ECHO = @ECHO@
+DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-F77 = @F77@
-FFLAGS = @FFLAGS@
+FGREP = @FGREP@
 GPERF = @GPERF@
 GREP = @GREP@
 INSTALL = @INSTALL@
@@ -110,6 +105,7 @@ INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
 IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
 IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
@@ -118,12 +114,16 @@ LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
 LINUX_HEADERS = @LINUX_HEADERS@
+LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+NM = @NM@
 NMEDIT = @NMEDIT@
 OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -146,8 +146,7 @@ abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
-ac_ct_CXX = @ac_ct_CXX@
-ac_ct_F77 = @ac_ct_F77@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -186,6 +185,7 @@ libstrongswan_plugins = @libstrongswan_plugins@
 linuxdir = @linuxdir@
 localedir = @localedir@
 localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
diff --git a/src/libstrongswan/utils.c b/src/libstrongswan/utils.c
index b2134dfc7..4e6a09c4f 100644
--- a/src/libstrongswan/utils.c
+++ b/src/libstrongswan/utils.c
@@ -13,17 +13,17 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: utils.c 4305 2008-08-28 07:47:55Z tobias $
+ * $Id: utils.c 4742 2008-12-03 09:45:58Z tobias $
  */
 
 #include "utils.h"
 
 #include <sys/stat.h>
 #include <string.h>
-#include <pthread.h>
 #include <stdio.h>
 #include <unistd.h>
 #include <dirent.h>
+#include <time.h>
 
 #include <enum.h>
 #include <debug.h>
@@ -61,13 +61,38 @@ void *clalloc(void * pointer, size_t size)
  */
 void memxor(u_int8_t dest[], u_int8_t src[], size_t n)
 {
-	size_t i;
-	for (i = 0; i < n; i++)
+	int i = 0, m;
+	
+	m = n - sizeof(long);
+	while (i < m)
+	{
+		*(long*)(dest + i) ^= *(long*)(src + i);
+		i += sizeof(long);
+	}
+	while (i < n)
 	{
 		dest[i] ^= src[i];
+		i++;
 	}
 }
 
+/**
+ * Described in header.
+ */
+void *memstr(const void *haystack, const char *needle, size_t n)
+{
+	unsigned const char *pos = haystack;
+	size_t l = strlen(needle);
+	for (; n >= l; ++pos, --n)
+	{
+		if (memeq(pos, needle, l))
+		{
+			return (void*)pos;
+		}
+	}
+	return NULL;
+}
+
 /**
  * Described in header.
  */
@@ -129,19 +154,16 @@ void nop()
 {
 }
 
+#ifndef HAVE_GCC_ATOMIC_OPERATIONS
+#include <pthread.h>
+
 /**
- * We use a single mutex for all refcount variables. This
- * is not optimal for performance, but the critical section
- * is not that long...
- * TODO: Consider to include a mutex in each refcount_t variable.
+ * We use a single mutex for all refcount variables. 
  */
 static pthread_mutex_t ref_mutex = PTHREAD_MUTEX_INITIALIZER;
 
 /**
- * Described in header.
- * 
- * TODO: May be implemented with atomic CPU instructions
- * instead of a mutex.
+ * Increase refcount
  */
 void ref_get(refcount_t *ref)
 {
@@ -151,10 +173,7 @@ void ref_get(refcount_t *ref)
 }
 
 /**
- * Described in header.
- * 
- * TODO: May be implemented with atomic CPU instructions
- * instead of a mutex.
+ * Decrease refcount
  */
 bool ref_put(refcount_t *ref)
 {
@@ -165,6 +184,7 @@ bool ref_put(refcount_t *ref)
 	pthread_mutex_unlock(&ref_mutex);
 	return !more_refs;
 }
+#endif /* HAVE_GCC_ATOMIC_OPERATIONS */
 
 /**
  * output handler in printf() for time_t
diff --git a/src/libstrongswan/utils.h b/src/libstrongswan/utils.h
index a5900201a..b26a17b01 100644
--- a/src/libstrongswan/utils.h
+++ b/src/libstrongswan/utils.h
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: utils.h 4632 2008-11-11 18:37:19Z martin $
+ * $Id: utils.h 4742 2008-12-03 09:45:58Z tobias $
  */
 
 /**
@@ -224,6 +224,12 @@ void *clalloc(void *pointer, size_t size);
  */
 void memxor(u_int8_t dest[], u_int8_t src[], size_t n);
 
+/**
+ * A variant of strstr with the characteristics of memchr, where haystack is not
+ * a null-terminated string but simply a memory area of length n.
+ */
+void *memstr(const void *haystack, const char *needle, size_t n);
+
 /**
  * Creates a directory and all required parent directories. 
  *
@@ -248,6 +254,14 @@ void nop();
  */
 typedef volatile u_int refcount_t;
 
+
+#ifdef HAVE_GCC_ATOMIC_OPERATIONS
+
+#define ref_get(ref) {__sync_fetch_and_add(ref, 1); }
+#define ref_put(ref) (!__sync_sub_and_fetch(ref, 1))
+
+#else /* !HAVE_GCC_ATOMIC_OPERATIONS */
+
 /**
  * Get a new reference.
  *
@@ -268,6 +282,8 @@ void ref_get(refcount_t *ref);
  */
 bool ref_put(refcount_t *ref);
 
+#endif /* HAVE_GCC_ATOMIC_OPERATIONS */
+
 /**
  * Get printf hooks for time.
  *
diff --git a/src/libstrongswan/utils/enumerator.c b/src/libstrongswan/utils/enumerator.c
index 4ebc2e097..e7653a9b2 100644
--- a/src/libstrongswan/utils/enumerator.c
+++ b/src/libstrongswan/utils/enumerator.c
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2008 Tobias Brunner
  * Copyright (C) 2007 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -12,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: enumerator.c 4142 2008-07-02 08:09:07Z martin $
+ * $Id: enumerator.c 4744 2008-12-03 10:03:59Z tobias $
  */
 
 #include "enumerator.h"
@@ -215,27 +216,48 @@ static bool enumerate_token_enum(token_enum_t *this, char **token)
 		}
 	}
 	
-	/* find separators */
-	sep = this->sep;
-	while (*sep)
+	switch (*this->pos)
 	{
-		tmp = strchr(this->pos, *sep);
-		if (tmp && (pos == NULL || tmp < pos))
+		case '"':
+		case '\'':
 		{
-			pos = tmp;
+			/* read quoted token */
+			tmp = strchr(this->pos + 1, *this->pos);
+			if (tmp)
+			{
+				*token = this->pos + 1;
+				*tmp = '\0';
+				this->pos = tmp + 1;
+				return TRUE;
+			}
+			/* unterminated string, FALL-THROUGH */
+		}
+		default:
+		{
+			/* find nearest separator */
+			sep = this->sep;
+			while (*sep)
+			{
+				tmp = strchr(this->pos, *sep);
+				if (tmp && (pos == NULL || tmp < pos))
+				{
+					pos = tmp;
+				}
+				sep++;
+			}
+			*token = this->pos;
+			if (pos)
+			{
+				*pos = '\0';
+				this->pos = pos + 1;
+			}
+			else
+			{
+				last = TRUE;
+				pos = this->pos = strchr(this->pos, '\0');
+			}
+			break;
 		}
-		sep++;
-	}
-	*token = this->pos;
-	if (pos)
-	{
-		*pos = '\0';
-		this->pos = pos + 1;
-	}
-	else
-	{
-		last = TRUE;
-		pos = this->pos = strchr(this->pos, '\0');
 	}
 	
 	/* trim trailing characters/separators */
@@ -268,7 +290,7 @@ static bool enumerate_token_enum(token_enum_t *this, char **token)
 		}
 	}
 	
-	if (!last || pos > *token)
+	if (!last || pos >= *token)
 	{
 		return TRUE;
 	}
diff --git a/src/libstrongswan/utils/hashtable.c b/src/libstrongswan/utils/hashtable.c
new file mode 100644
index 000000000..892d08b6c
--- /dev/null
+++ b/src/libstrongswan/utils/hashtable.c
@@ -0,0 +1,433 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id: hashtable.c 4812 2008-12-17 09:56:05Z tobias $
+ */
+
+#include <utils/linked_list.h>
+
+#include "hashtable.h"
+
+/** The maximum capacity of the hash table (MUST be a power of 2) */
+#define MAX_CAPACITY (1 << 30)
+
+typedef struct pair_t pair_t;
+
+/**
+ * This pair holds a pointer to the key and value it represents.
+ */
+struct pair_t {
+	/**
+	 * Key of a hash table item.
+	 */
+	void *key;
+	
+	/**
+	 * Value of a hash table item.
+	 */
+	void *value;
+	
+	/**
+	 * Cached hash (used in case of a resize).
+	 */
+	u_int hash;
+};
+
+/**
+ * Creates an empty pair object.
+ */
+pair_t *pair_create(void *key, void *value, u_int hash)
+{
+	pair_t *this = malloc_thing(pair_t);
+	
+	this->key = key;
+	this->value = value;
+	this->hash = hash;
+	
+	return this;
+}
+
+typedef struct private_hashtable_t private_hashtable_t;
+
+/**
+ * Private data of a hashtable_t object.
+ *
+ */
+struct private_hashtable_t {
+	/**
+	 * Public part of hash table.
+	 */
+	hashtable_t public;
+	
+	/**
+	 * The number of items in the hash table. 
+	 */
+	u_int count;
+	
+	/**
+	 * The current capacity of the hash table (always a power of 2).
+	 */
+	u_int capacity;
+	
+	/**
+	 * The current mask to calculate the row index (capacity - 1). 
+	 */
+	u_int mask;
+	
+	/**
+	 * The load factor.
+	 */
+	float load_factor;
+	
+	/**
+	 * The actual table.
+	 */
+	linked_list_t **table;
+	
+	/**
+	 * The hashing function.
+	 */
+	hashtable_hash_t hash;
+	
+	/**
+	 * The equality function.
+	 */
+	hashtable_equals_t equals;
+};
+
+typedef struct private_enumerator_t private_enumerator_t;
+
+/**
+ * hash table enumerator implementation
+ */
+struct private_enumerator_t {
+
+	/**
+	 * implements enumerator interface
+	 */
+	enumerator_t enumerator;
+	
+	/**
+	 * associated hash table
+	 */
+	private_hashtable_t *table;
+	
+	/**
+	 * current row index
+	 */
+	u_int row;
+	
+	/**
+	 * enumerator for the current row
+	 */
+	enumerator_t *current;
+};
+
+/**
+ * Compare a pair in a list with the given key.
+ */
+static inline bool pair_equals(pair_t *pair, private_hashtable_t *this, void *key)
+{
+	return this->equals(key, pair->key);
+}
+
+/**
+ * This function returns the next-highest power of two for the given number.
+ * The algorithm works by setting all bits on the right-hand side of the most
+ * significant 1 to 1 and then increments the whole number so it rolls over
+ * to the nearest power of two. Note: returns 0 for n == 0
+ */
+static u_int get_nearest_powerof2(u_int n)
+{
+	u_int i;
+	--n;
+	for (i = 1; i < sizeof(u_int) * 8; i <<= 1)
+	{
+		n |= n >> i;
+	}
+	return ++n;
+}
+
+/**
+ * Init hash table parameters
+ */
+static void init_hashtable(private_hashtable_t *this, u_int capacity)
+{
+	capacity = max(1, min(capacity, MAX_CAPACITY));
+	this->capacity = get_nearest_powerof2(capacity);
+	this->mask = this->capacity - 1;
+	this->load_factor = 0.75;
+	
+	this->table = calloc(this->capacity, sizeof(linked_list_t*));
+}
+
+/**
+ * Double the size of the hash table and rehash all the elements.
+ */
+static void rehash(private_hashtable_t *this)
+{
+	u_int row;
+	u_int old_capacity = this->capacity;
+	linked_list_t **old_table = this->table;
+	
+	if (old_capacity >= MAX_CAPACITY)
+	{
+		return;
+	}
+	
+	init_hashtable(this, old_capacity << 1);
+	
+	for (row = 0; row < old_capacity; ++row)
+	{
+		linked_list_t *list;
+		if ((list = old_table[row]) != NULL)
+		{
+			pair_t *pair;
+			enumerator_t *enumerator = list->create_enumerator(list);
+			while (enumerator->enumerate(enumerator, &pair))
+			{
+				linked_list_t *new_list;
+				u_int new_row = pair->hash & this->mask;
+				list->remove_at(list, enumerator);
+				if ((new_list = this->table[new_row]) == NULL)
+				{
+					new_list = this->table[new_row] = linked_list_create();
+				}
+				new_list->insert_last(new_list, pair);
+			}
+			enumerator->destroy(enumerator);
+			list->destroy(list);
+		}
+	}
+	free(old_table);
+}
+
+/**
+ * Implementation of hashtable_t.put
+ */
+static void *put(private_hashtable_t *this, void *key, void *value)
+{
+	linked_list_t *list;
+	void *old_value = NULL;
+	u_int hash = this->hash(key);
+	u_int row = hash & this->mask;
+	
+	if ((list = this->table[row]) != NULL)
+	{
+		pair_t *pair;
+		enumerator_t *enumerator = list->create_enumerator(list);
+		while (enumerator->enumerate(enumerator, &pair))
+		{
+			if (pair_equals(pair, this, key))
+			{
+				old_value = pair->value;
+				pair->value = value;
+				break;
+			}
+		}
+		enumerator->destroy(enumerator);
+	}
+	else
+	{
+		list = this->table[row] = linked_list_create();
+	}
+	
+	if (!old_value)
+	{
+		list->insert_last(list, pair_create(key, value, hash));
+		this->count++;
+	}
+	
+	if (this->count >= this->capacity * this->load_factor)
+	{
+		rehash(this);
+	}
+	
+	return old_value;
+}
+	
+/**
+ * Implementation of hashtable_t.get  
+ */
+static void *get(private_hashtable_t *this, void *key)
+{
+	void *value = NULL;
+	linked_list_t *list;
+	u_int row = this->hash(key) & this->mask;
+	
+	if ((list = this->table[row]) != NULL)
+	{
+		pair_t *pair;
+		if (list->find_first(list, (linked_list_match_t)pair_equals,
+				(void**)&pair, this, key) == SUCCESS)
+		{
+			value = pair->value;
+		}
+	}
+	
+	return value;
+}
+	
+/**
+ * Implementation of hashtable_t.remove
+ */
+static void *remove(private_hashtable_t *this, void *key)
+{
+	void *value = NULL;
+	linked_list_t *list;
+	u_int row = this->hash(key) & this->mask;	
+	
+	if ((list = this->table[row]) != NULL)
+	{
+		pair_t *pair;
+		enumerator_t *enumerator = list->create_enumerator(list);
+		while (enumerator->enumerate(enumerator, &pair))
+		{
+			if (pair_equals(pair, this, key))
+			{
+				list->remove_at(list, enumerator);
+				value = pair->value;
+				this->count--;
+				free(pair);
+				break;
+			}
+		}
+		enumerator->destroy(enumerator);
+	}
+	
+	return value;
+}
+	
+/**
+ * Implementation of hashtable_t.get_count
+ */
+static u_int get_count(private_hashtable_t *this)
+{
+	return this->count;
+}
+
+/**
+ * Implementation of private_enumerator_t.enumerator.enumerate.
+ */
+static bool enumerate(private_enumerator_t *this, void **key, void **value)
+{
+	while (this->row < this->table->capacity)
+	{
+		if (this->current)
+		{
+			pair_t *pair;
+			
+			if (this->current->enumerate(this->current, &pair))
+			{
+				if (key)
+				{
+					*key = pair->key;
+				}
+				if (value)
+				{
+					*value = pair->value;
+				}
+				return TRUE;
+			}
+			this->current->destroy(this->current);
+			this->current = NULL;
+		}
+		else
+		{
+			linked_list_t *list;
+			
+			if ((list = this->table->table[this->row]) != NULL)
+			{
+				this->current = list->create_enumerator(list);
+				continue;
+			}
+		}
+		this->row++;
+	}
+	return FALSE;
+}
+
+/**
+ * Implementation of private_enumerator_t.enumerator.destroy.
+ */
+static void enumerator_destroy(private_enumerator_t *this)
+{
+	if (this->current)
+	{
+		this->current->destroy(this->current);
+	}
+	free(this);
+}
+
+/**
+ * Implementation of hashtable_t.create_enumerator.
+ */
+static enumerator_t* create_enumerator(private_hashtable_t *this)
+{
+	private_enumerator_t *enumerator = malloc_thing(private_enumerator_t);
+	
+	enumerator->enumerator.enumerate = (void*)enumerate;
+	enumerator->enumerator.destroy = (void*)enumerator_destroy;
+	enumerator->table = this;
+	enumerator->row = 0;
+	enumerator->current = NULL;
+	
+	return &enumerator->enumerator;
+}
+	
+/**
+ * Implementation of hashtable_t.destroy
+ */
+static void destroy(private_hashtable_t *this)
+{
+	u_int row;
+	for (row = 0; row < this->capacity; ++row)
+	{
+		linked_list_t *list;
+		if ((list = this->table[row]) != NULL)
+		{
+			list->destroy_function(list, free);
+		}
+	}
+	free(this->table);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+hashtable_t *hashtable_create(hashtable_hash_t hash, hashtable_equals_t equals,
+							  u_int capacity)
+{
+	private_hashtable_t *this = malloc_thing(private_hashtable_t);
+
+	this->public.put = (void*(*)(hashtable_t*,void*,void*))put;
+	this->public.get = (void*(*)(hashtable_t*,void*))get; 
+	this->public.remove = (void*(*)(hashtable_t*,void*))remove;
+	this->public.get_count = (u_int(*)(hashtable_t*))get_count;
+	this->public.create_enumerator = (enumerator_t*(*)(hashtable_t*))create_enumerator;
+	this->public.destroy = (void(*)(hashtable_t*))destroy;
+	
+	this->count = 0;
+	this->capacity = 0;
+	this->mask = 0;
+	this->load_factor = 0;
+	this->table = NULL;
+	this->hash = hash;
+	this->equals = equals;
+	
+	init_hashtable(this, capacity);
+	
+	return &this->public;
+}
diff --git a/src/libstrongswan/utils/hashtable.h b/src/libstrongswan/utils/hashtable.h
new file mode 100644
index 000000000..3d3005e73
--- /dev/null
+++ b/src/libstrongswan/utils/hashtable.h
@@ -0,0 +1,116 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id: hashtable.h 4762 2008-12-05 10:01:52Z martin $
+ */
+
+/**
+ * @defgroup hashtable hashtable
+ * @{ @ingroup utils
+ */
+
+#ifndef HASHTABLE_H_
+#define HASHTABLE_H_
+
+#include <utils/enumerator.h>
+
+typedef struct hashtable_t hashtable_t;
+
+/**
+ * Prototype for a function that computes the hash code from the given key.
+ *
+ * @param key			key to hash
+ * @return				hash code
+ */
+typedef u_int (*hashtable_hash_t)(void *key);
+
+/**
+ * Prototype for a function that compares the two keys for equality.
+ *
+ * @param key			first key (the one we are looking for)
+ * @param other_key		second key
+ * @return				TRUE if the keys are equal
+ */
+typedef bool (*hashtable_equals_t)(void *key, void *other_key);
+
+/**
+ * Class implementing a hash table.
+ *
+ * General purpose hash table. This hash table is not synchronized.
+ */
+struct hashtable_t {
+	
+	/**
+	 * Create an enumerator over the hash table key/value pairs.
+	 * 
+	 * @return			enumerator over (void *key, void *value)
+	 */
+	enumerator_t *(*create_enumerator) (hashtable_t *this);
+	
+	/**
+	 * Adds the given value with the given key to the hash table, if there
+	 * exists no entry with that key. NULL is returned in this case.
+	 * Otherwise the existing value is replaced and the function returns the
+	 * old value.
+	 * 
+	 * @param key		the key to store
+	 * @param value		the value to store
+	 * @return			NULL if no item was replaced, the old value otherwise
+	 */
+	void *(*put) (hashtable_t *this, void *key, void *value);
+	
+	/**
+	 * Returns the value with the given key, if the hash table contains such an
+	 * entry, otherwise NULL is returned.
+	 * 
+	 * @param key		the key of the requested value
+	 * @return			the value, NULL if not found  
+	 */
+	void *(*get) (hashtable_t *this, void *key);
+	
+	/**
+	 * Removes the value with the given key from the hash table and returns the
+	 * removed value (or NULL if no such value existed).
+	 * 
+	 * @param key		the key of the value to remove
+	 * @return			the removed value, NULL if not found
+	 */
+	void *(*remove) (hashtable_t *this, void *key);
+	
+	/**
+	 * Gets the number of items in the hash table.
+	 * 
+	 * @return 			number of items
+	 */
+	u_int (*get_count) (hashtable_t *this);
+	
+	/**
+	 * Destroys a hash table object.
+	 */
+	void (*destroy) (hashtable_t *this);
+	
+};
+
+/**
+ * Creates an empty hash table object.
+ * 
+ * @param hash			hash function
+ * @param equals		equals function
+ * @param capacity		initial capacity
+ * @return 				hashtable_t object.
+ */
+hashtable_t *hashtable_create(hashtable_hash_t hash, hashtable_equals_t equals,
+							  u_int capacity);
+
+#endif /* HASHTABLE_H_ @} */
diff --git a/src/libstrongswan/utils/host.c b/src/libstrongswan/utils/host.c
index 4702222e8..719c5a529 100644
--- a/src/libstrongswan/utils/host.c
+++ b/src/libstrongswan/utils/host.c
@@ -15,7 +15,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: host.c 4639 2008-11-12 15:09:24Z martin $
+ * $Id: host.c 4856 2009-02-05 22:13:48Z andreas $
  */
 
 #define _GNU_SOURCE
@@ -453,6 +453,10 @@ host_t *host_create_from_dns(char *string, int af, u_int16_t port)
 	{
 		return host_create_any(af ? af : AF_INET);
 	}
+	if (streq(string, "%any6"))
+	{
+		return host_create_any(af ? af : AF_INET6);
+	}
 	else if (strchr(string, ':'))
 	{
 		/* gethostbyname does not like IPv6 addresses - fallback */
diff --git a/src/libstrongswan/utils/identification.c b/src/libstrongswan/utils/identification.c
index db442e9ab..529e62509 100644
--- a/src/libstrongswan/utils/identification.c
+++ b/src/libstrongswan/utils/identification.c
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: identification.c 4344 2008-09-17 02:17:01Z andreas $
+ * $Id: identification.c 4856 2009-02-05 22:13:48Z andreas $
  */
 
 #define _GNU_SOURCE
@@ -1046,6 +1046,7 @@ identification_t *identification_create_from_string(char *string)
 	else if (strchr(string, '@') == NULL)
 	{
 		if (streq(string, "%any")
+		||  streq(string, "%any6")
 		||	streq(string, "0.0.0.0")
 		||	streq(string, "*")
 		||	streq(string, "::")
diff --git a/src/libstrongswan/utils/leak_detective.c b/src/libstrongswan/utils/leak_detective.c
index 73409158d..4c56c9596 100644
--- a/src/libstrongswan/utils/leak_detective.c
+++ b/src/libstrongswan/utils/leak_detective.c
@@ -12,9 +12,11 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: leak_detective.c 4609 2008-11-10 16:44:27Z martin $
+ * $Id: leak_detective.c 4796 2008-12-12 09:10:52Z martin $
  */
 	
+#define _GNU_SOURCE
+#include <sched.h>
 #include <stddef.h>
 #include <string.h>
 #include <stdio.h>
@@ -160,6 +162,7 @@ char *whitelist[] = {
 	/* pthread stuff */
 	"pthread_create",
 	"pthread_setspecific",
+	"__pthread_setspecific",
 	/* glibc functions */
 	"mktime",
 	"__gmtime_r",
@@ -199,6 +202,7 @@ char *whitelist[] = {
 	"RSA_new_method",
 	"DH_new_method",
 	"ENGINE_load_builtin_engines",
+	"OPENSSL_config",
 };
 
 /**
@@ -471,6 +475,16 @@ leak_detective_t *leak_detective_create()
 	
 	if (getenv("LEAK_DETECTIVE_DISABLE") == NULL)
 	{
+		cpu_set_t mask;
+		
+		CPU_ZERO(&mask);
+		CPU_SET(0, &mask);
+		
+		if (sched_setaffinity(0, sizeof(cpu_set_t), &mask) != 0)
+		{
+			fprintf(stderr, "setting CPU affinity failed: %m");
+		}
+	
 		lib->leak_detective = TRUE;
 		install_hooks();
 	}
diff --git a/src/libstrongswan/utils/lexparser.c b/src/libstrongswan/utils/lexparser.c
index 8b7b3b547..5725df1ea 100644
--- a/src/libstrongswan/utils/lexparser.c
+++ b/src/libstrongswan/utils/lexparser.c
@@ -11,16 +11,11 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: lexparser.c 3872 2008-04-25 07:04:59Z andreas $
+ * $Id: lexparser.c 4877 2009-02-18 09:45:54Z martin $
  */
 
-/* memrchr is a GNU extension */
-#define _GNU_SOURCE
-#include <string.h>
-
 #include "lexparser.h"
 
-
 /**
  * eat whitespace
  */
@@ -30,7 +25,7 @@ bool eat_whitespace(chunk_t *src)
 	{
 		src->ptr++;  src->len--;
 	}
-    return  src->len > 0 && *src->ptr != '#';
+	return  src->len > 0 && *src->ptr != '#';
 }
 
 /**
@@ -51,11 +46,11 @@ bool extract_token(chunk_t *token, const char termination, chunk_t *src)
 	if (termination == ' ')
 	{
 		u_char *eot_tab = memchr(src->ptr, '\t', src->len);
-
+		
 		/* check if a tab instead of a space terminates the token */
 		eot = ( eot_tab == NULL || (eot && eot < eot_tab) ) ? eot : eot_tab;
 	}
-
+	
 	/* initialize empty token */
 	*token = chunk_empty;
 	
@@ -76,16 +71,17 @@ bool extract_token(chunk_t *token, const char termination, chunk_t *src)
 }
 
 /**
- * extracts a token ending with the last occurrence of a given termination symbol
+ * extracts a token ending with the first occurrence of a given null-terminated string
  */
-bool extract_last_token(chunk_t *token, const char termination, chunk_t *src)
+bool extract_token_str(chunk_t *token, const char *termination, chunk_t *src)
 {
-	u_char *eot = memrchr(src->ptr, termination, src->len);
+	u_char *eot = memstr(src->ptr, termination, src->len);
+	size_t l = strlen(termination);
 	
 	/* initialize empty token */
 	*token = chunk_empty;
 	
-	if (eot == NULL) /* termination symbol not found */
+	if (eot == NULL) /* termination string not found */
 	{
 		return FALSE;
 	}
@@ -94,9 +90,9 @@ bool extract_last_token(chunk_t *token, const char termination, chunk_t *src)
 	token->ptr = src->ptr;
 	token->len = (u_int)(eot - src->ptr);
 	
-	/* advance src pointer after termination symbol */
-	src->ptr = eot + 1;
-	src->len -= (token->len + 1);
+	/* advance src pointer after termination string */
+	src->ptr = eot + l;
+	src->len -= (token->len + l);
 	
 	return TRUE;
 }
diff --git a/src/libstrongswan/utils/lexparser.h b/src/libstrongswan/utils/lexparser.h
index 7d54ca22e..c47f65718 100644
--- a/src/libstrongswan/utils/lexparser.h
+++ b/src/libstrongswan/utils/lexparser.h
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: lexparser.h 3876 2008-04-26 09:24:14Z andreas $
+ * $Id: lexparser.h 4877 2009-02-18 09:45:54Z martin $
  */
  
 /**
@@ -37,14 +37,14 @@ bool eat_whitespace(chunk_t *src);
 bool match(const char *pattern, const chunk_t *ch);
 
 /**
- * Extracts a token ending with the first occurence a given termination symbol
+ * Extracts a token ending with the first occurrence of a given termination symbol
  */
 bool extract_token(chunk_t *token, const char termination, chunk_t *src);
 
 /**
- * Extracts a token ending with the last occurence a given termination symbol
+ * Extracts a token ending with the first occurrence of a given null-terminated string
  */
-bool extract_last_token(chunk_t *token, const char termination, chunk_t *src);
+bool extract_token_str(chunk_t *token, const char *termination, chunk_t *src);
 
 /**
  *  Fetches a new text line terminated by \n or \r\n
diff --git a/src/libstrongswan/utils/mutex.c b/src/libstrongswan/utils/mutex.c
index ddb0d2df6..ba4b72b0c 100644
--- a/src/libstrongswan/utils/mutex.c
+++ b/src/libstrongswan/utils/mutex.c
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2008 Tobias Brunner
  * Copyright (C) 2008 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -12,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: mutex.c 4591 2008-11-05 16:12:54Z martin $
+ * $Id: mutex.c 4803 2008-12-15 09:13:43Z martin $
  */
 
 #define _GNU_SOURCE
@@ -76,7 +77,7 @@ static void profiler_cleanup(lock_profile_t *profile)
  */
 static void profiler_init(lock_profile_t *profile)
 {
-	profile->backtrace = backtrace_create(3);
+	profile->backtrace = backtrace_create(2);
 	timerclear(&profile->waited);
 }
 
@@ -332,28 +333,17 @@ static void wait(private_condvar_t *this, private_mutex_t *mutex)
 }
 
 /**
- * Implementation of condvar_t.timed_wait.
+ * Implementation of condvar_t.timed_wait_abs.
  */
-static bool timed_wait(private_condvar_t *this, private_mutex_t *mutex,
-					   u_int timeout)
+static bool timed_wait_abs(private_condvar_t *this, private_mutex_t *mutex,
+						   timeval_t time)
 {
 	struct timespec ts;
-	struct timeval tv;
-	u_int s, ms;
 	bool timed_out;
 	
-	gettimeofday(&tv, NULL);
-	
-	s = timeout / 1000;
-	ms = timeout % 1000;
+	ts.tv_sec = time.tv_sec;
+	ts.tv_nsec = time.tv_usec * 1000;
 	
-	ts.tv_sec = tv.tv_sec + s;
-	ts.tv_nsec = tv.tv_usec * 1000 + ms * 1000000;
-	if (ts.tv_nsec > 1000000000 /* 1s */)
-	{
-		ts.tv_nsec -= 1000000000;
-		ts.tv_sec++;
-	}
 	if (mutex->recursive)
 	{
 		private_r_mutex_t* recursive = (private_r_mutex_t*)mutex;
@@ -371,6 +361,31 @@ static bool timed_wait(private_condvar_t *this, private_mutex_t *mutex,
 	return timed_out;
 }
 
+/**
+ * Implementation of condvar_t.timed_wait.
+ */
+static bool timed_wait(private_condvar_t *this, private_mutex_t *mutex,
+					   u_int timeout)
+{
+	timeval_t tv;
+	u_int s, ms;
+	
+	gettimeofday(&tv, NULL);
+	
+	s = timeout / 1000;
+	ms = timeout % 1000;
+	
+	tv.tv_sec += s;
+	tv.tv_usec += ms * 1000;
+	
+	if (tv.tv_usec > 1000000 /* 1s */)
+	{
+		tv.tv_usec -= 1000000;
+		tv.tv_sec++;
+	}
+	return timed_wait_abs(this, mutex, tv);
+}
+
 /**
  * Implementation of condvar_t.signal.
  */
@@ -410,6 +425,7 @@ condvar_t *condvar_create(condvar_type_t type)
 		
 			this->public.wait = (void(*)(condvar_t*, mutex_t *mutex))wait;
 			this->public.timed_wait = (bool(*)(condvar_t*, mutex_t *mutex, u_int timeout))timed_wait;
+			this->public.timed_wait_abs = (bool(*)(condvar_t*, mutex_t *mutex, timeval_t time))timed_wait_abs;
 			this->public.signal = (void(*)(condvar_t*))signal;
 			this->public.broadcast = (void(*)(condvar_t*))broadcast;
 			this->public.destroy = (void(*)(condvar_t*))condvar_destroy;
diff --git a/src/libstrongswan/utils/mutex.h b/src/libstrongswan/utils/mutex.h
index a0a198024..4cdd96a99 100644
--- a/src/libstrongswan/utils/mutex.h
+++ b/src/libstrongswan/utils/mutex.h
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2008 Tobias Brunner
  * Copyright (C) 2008 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -11,6 +12,8 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
+ * 
+ * $Id: mutex.h 4697 2008-11-25 19:30:02Z tobias $
  */
 
 /**
@@ -98,6 +101,15 @@ struct condvar_t {
 	 */
 	bool (*timed_wait)(condvar_t *this, mutex_t *mutex, u_int timeout);
 	
+	/**
+	 * Wait on a condvar until it gets signalized, or times out.
+	 * 
+	 * @param mutex			mutex to release while waiting
+	 * @param time			absolute time until timeout
+	 * @return				TRUE if timed out, FALSE otherwise
+	 */
+	bool (*timed_wait_abs)(condvar_t *this, mutex_t *mutex, timeval_t timeout);
+	
 	/**
 	 * Wake up a single thread in a condvar.
 	 */
diff --git a/src/manager/Makefile.in b/src/manager/Makefile.in
index 900d94b3a..bce0ead39 100644
--- a/src/manager/Makefile.in
+++ b/src/manager/Makefile.in
@@ -109,22 +109,17 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
-CXX = @CXX@
-CXXCPP = @CXXCPP@
-CXXDEPMODE = @CXXDEPMODE@
-CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DSYMUTIL = @DSYMUTIL@
-ECHO = @ECHO@
+DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-F77 = @F77@
-FFLAGS = @FFLAGS@
+FGREP = @FGREP@
 GPERF = @GPERF@
 GREP = @GREP@
 INSTALL = @INSTALL@
@@ -134,6 +129,7 @@ INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
 IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
 IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
@@ -142,12 +138,16 @@ LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
 LINUX_HEADERS = @LINUX_HEADERS@
+LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+NM = @NM@
 NMEDIT = @NMEDIT@
 OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -170,8 +170,7 @@ abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
-ac_ct_CXX = @ac_ct_CXX@
-ac_ct_F77 = @ac_ct_F77@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -210,6 +209,7 @@ libstrongswan_plugins = @libstrongswan_plugins@
 linuxdir = @linuxdir@
 localedir = @localedir@
 localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
diff --git a/src/medsrv/Makefile.in b/src/medsrv/Makefile.in
index 42b3db6c6..89843860d 100644
--- a/src/medsrv/Makefile.in
+++ b/src/medsrv/Makefile.in
@@ -95,22 +95,17 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
-CXX = @CXX@
-CXXCPP = @CXXCPP@
-CXXDEPMODE = @CXXDEPMODE@
-CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DSYMUTIL = @DSYMUTIL@
-ECHO = @ECHO@
+DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-F77 = @F77@
-FFLAGS = @FFLAGS@
+FGREP = @FGREP@
 GPERF = @GPERF@
 GREP = @GREP@
 INSTALL = @INSTALL@
@@ -120,6 +115,7 @@ INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
 IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
 IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
@@ -128,12 +124,16 @@ LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
 LINUX_HEADERS = @LINUX_HEADERS@
+LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+NM = @NM@
 NMEDIT = @NMEDIT@
 OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -156,8 +156,7 @@ abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
-ac_ct_CXX = @ac_ct_CXX@
-ac_ct_F77 = @ac_ct_F77@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -196,6 +195,7 @@ libstrongswan_plugins = @libstrongswan_plugins@
 linuxdir = @linuxdir@
 localedir = @localedir@
 localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
diff --git a/src/openac/Makefile.in b/src/openac/Makefile.in
index f25073a21..ae05b722f 100644
--- a/src/openac/Makefile.in
+++ b/src/openac/Makefile.in
@@ -81,22 +81,17 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
-CXX = @CXX@
-CXXCPP = @CXXCPP@
-CXXDEPMODE = @CXXDEPMODE@
-CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DSYMUTIL = @DSYMUTIL@
-ECHO = @ECHO@
+DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-F77 = @F77@
-FFLAGS = @FFLAGS@
+FGREP = @FGREP@
 GPERF = @GPERF@
 GREP = @GREP@
 INSTALL = @INSTALL@
@@ -106,6 +101,7 @@ INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
 IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
 IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
@@ -114,12 +110,16 @@ LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
 LINUX_HEADERS = @LINUX_HEADERS@
+LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+NM = @NM@
 NMEDIT = @NMEDIT@
 OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -142,8 +142,7 @@ abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
-ac_ct_CXX = @ac_ct_CXX@
-ac_ct_F77 = @ac_ct_F77@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -182,6 +181,7 @@ libstrongswan_plugins = @libstrongswan_plugins@
 linuxdir = @linuxdir@
 localedir = @localedir@
 localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
diff --git a/src/openac/openac.c b/src/openac/openac.c
index 5d9cd92d3..99464a236 100755
--- a/src/openac/openac.c
+++ b/src/openac/openac.c
@@ -20,7 +20,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: openac.c 4345 2008-09-17 08:10:48Z martin $
+ * RCSID $Id: openac.c 4749 2008-12-04 04:34:49Z andreas $
  */
 
 #include <stdio.h>
@@ -540,7 +540,6 @@ int main(int argc, char **argv)
 							BUILD_SIGNING_CERT, signerCert,
 							BUILD_SIGNING_KEY, signerKey,
 							BUILD_END);
-		free(serial.ptr);
 		if (!attr_cert)
 		{
 			goto end;
diff --git a/src/pluto/Makefile.am b/src/pluto/Makefile.am
index c28fbf6e0..f788bc3d1 100644
--- a/src/pluto/Makefile.am
+++ b/src/pluto/Makefile.am
@@ -68,8 +68,8 @@ rsaref/pkcs11t.h rsaref/pkcs11.h rsaref/unix.h rsaref/pkcs11f.h
 _pluto_adns_SOURCES = adns.c adns.h
 
 LIBSTRONGSWANDIR=$(top_srcdir)/src/libstrongswan
-LIBFREESWANDIR=$(top_srcdir)/src/libfreeswan
-LIBCRYPTODIR=$(top_srcdir)/src/libcrypto
+LIBFREESWANDIR=$(top_builddir)/src/libfreeswan
+LIBCRYPTODIR=$(top_builddir)/src/libcrypto
 
 
 INCLUDES = \
@@ -85,7 +85,7 @@ AM_CFLAGS = \
 -DIPSEC_PIDDIR=\"${piddir}\" \
 -DSHARED_SECRETS_FILE=\"${confdir}/ipsec.secrets\" \
 -DKERNEL26_SUPPORT -DKERNEL26_HAS_KAME_DUPLICATES \
--DPLUTO -DKLIPS -DDEBUG -DTHREADS
+-DPLUTO -DKLIPS -DDEBUG
 
 pluto_LDADD = \
 oid.o \
@@ -143,3 +143,6 @@ if USE_CAPABILITIES
   pluto_LDADD += -lcap
 endif
 
+if USE_THREADS
+  AM_CFLAGS += -DTHREADS
+endif
diff --git a/src/pluto/Makefile.in b/src/pluto/Makefile.in
index 6ea863973..457f93d9f 100644
--- a/src/pluto/Makefile.in
+++ b/src/pluto/Makefile.in
@@ -61,6 +61,7 @@ ipsec_PROGRAMS = pluto$(EXEEXT) _pluto_adns$(EXEEXT)
 # This compile option activates smartcard support
 @USE_SMARTCARD_TRUE@am__append_9 = -DSMARTCARD
 @USE_CAPABILITIES_TRUE@am__append_10 = -lcap
+@USE_THREADS_TRUE@am__append_11 = -DTHREADS
 subdir = src/pluto
 DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.am \
 	$(srcdir)/Makefile.in TODO
@@ -137,22 +138,17 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
-CXX = @CXX@
-CXXCPP = @CXXCPP@
-CXXDEPMODE = @CXXDEPMODE@
-CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DSYMUTIL = @DSYMUTIL@
-ECHO = @ECHO@
+DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-F77 = @F77@
-FFLAGS = @FFLAGS@
+FGREP = @FGREP@
 GPERF = @GPERF@
 GREP = @GREP@
 INSTALL = @INSTALL@
@@ -162,6 +158,7 @@ INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
 IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
 IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
@@ -170,12 +167,16 @@ LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
 LINUX_HEADERS = @LINUX_HEADERS@
+LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+NM = @NM@
 NMEDIT = @NMEDIT@
 OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -198,8 +199,7 @@ abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
-ac_ct_CXX = @ac_ct_CXX@
-ac_ct_F77 = @ac_ct_F77@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -238,6 +238,7 @@ libstrongswan_plugins = @libstrongswan_plugins@
 linuxdir = @linuxdir@
 localedir = @localedir@
 localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
@@ -324,8 +325,8 @@ rsaref/pkcs11t.h rsaref/pkcs11.h rsaref/unix.h rsaref/pkcs11f.h
 
 _pluto_adns_SOURCES = adns.c adns.h
 LIBSTRONGSWANDIR = $(top_srcdir)/src/libstrongswan
-LIBFREESWANDIR = $(top_srcdir)/src/libfreeswan
-LIBCRYPTODIR = $(top_srcdir)/src/libcrypto
+LIBFREESWANDIR = $(top_builddir)/src/libfreeswan
+LIBCRYPTODIR = $(top_builddir)/src/libcrypto
 INCLUDES = \
 -I${linuxdir} \
 -I$(LIBSTRONGSWANDIR)\
@@ -337,9 +338,9 @@ AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" -DIPSEC_CONFDIR=\"${confdir}\" \
 	-DIPSEC_PIDDIR=\"${piddir}\" \
 	-DSHARED_SECRETS_FILE=\"${confdir}/ipsec.secrets\" \
 	-DKERNEL26_SUPPORT -DKERNEL26_HAS_KAME_DUPLICATES -DPLUTO \
-	-DKLIPS -DDEBUG -DTHREADS $(am__append_1) $(am__append_2) \
+	-DKLIPS -DDEBUG $(am__append_1) $(am__append_2) \
 	$(am__append_3) $(am__append_4) $(am__append_6) \
-	$(am__append_8) $(am__append_9)
+	$(am__append_8) $(am__append_9) $(am__append_11)
 pluto_LDADD = oid.o $(LIBFREESWANDIR)/libfreeswan.a \
 	$(LIBCRYPTODIR)/libcrypto.a -lgmp -lresolv -lpthread -ldl \
 	$(am__append_5) $(am__append_7) $(am__append_10)
diff --git a/src/pluto/ca.c b/src/pluto/ca.c
index 70b26c32c..816db53a8 100644
--- a/src/pluto/ca.c
+++ b/src/pluto/ca.c
@@ -11,7 +11,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: ca.c 4632 2008-11-11 18:37:19Z martin $
+ * RCSID $Id: ca.c 4709 2008-11-27 10:20:25Z martin $
  */
 
 #include <stdlib.h>
@@ -33,6 +33,7 @@
 #include "certs.h"
 #include "whack.h"
 #include "fetch.h"
+#include "smartcard.h"
 
 /* chained list of X.509 authority certificates (ca, aa, and ocsp) */
 
diff --git a/src/pluto/ocsp.c b/src/pluto/ocsp.c
index 7dedbf1f7..74b86bf19 100644
--- a/src/pluto/ocsp.c
+++ b/src/pluto/ocsp.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: ocsp.c 3253 2007-10-06 21:39:00Z andreas $
+ * RCSID $Id: ocsp.c 4827 2009-01-09 01:36:13Z andreas $
  */
 
 #include <unistd.h>
@@ -58,6 +58,7 @@ static const char *const response_status_names[] = {
     "malformed request",
     "internal error",
     "try later",
+    "status #4",
     "signature required",
     "unauthorized"
 };
diff --git a/src/pluto/smartcard.h b/src/pluto/smartcard.h
index a2978a929..69510171c 100644
--- a/src/pluto/smartcard.h
+++ b/src/pluto/smartcard.h
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: smartcard.h 3252 2007-10-06 21:24:50Z andreas $
+ * RCSID $Id: smartcard.h 4709 2008-11-27 10:20:25Z martin $
  */
 
 #ifndef _SMARTCARD_H
@@ -25,14 +25,17 @@
 #define SCX_CERT_CACHE_INTERVAL	  60 /* seconds */
 #define SCX_MAX_PIN_TRIALS	  3
 
-/* smartcard operations */
+/* smartcard operations, update copy in whack.h */
 
+#ifndef SC_OP_T
+#define SC_OP_T
 typedef enum {
     SC_OP_NONE =    0,
     SC_OP_ENCRYPT = 1,
     SC_OP_DECRYPT = 2,
     SC_OP_SIGN =    3,
 } sc_op_t;
+#endif /* SC_OP_T */
 
 /* smartcard record */
 
diff --git a/src/pluto/vendor.c b/src/pluto/vendor.c
index e4fda0f1f..d4d8fcb1a 100644
--- a/src/pluto/vendor.c
+++ b/src/pluto/vendor.c
@@ -11,7 +11,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: vendor.c 4426 2008-10-14 01:53:37Z andreas $
+ * RCSID $Id: vendor.c 4846 2009-01-21 03:14:52Z andreas $
  */
 
 #include <stdlib.h>
@@ -206,7 +206,10 @@ static struct vid_struct _vid_tab[] = {
 	/*
 	 * strongSwan
 	 */
-	DEC_MD5_VID(STRONGSWAN,       "strongSwan 4.2.9")
+	DEC_MD5_VID(STRONGSWAN,       "strongSwan 4.2.12")
+	DEC_MD5_VID(STRONGSWAN_4_2_11,"strongSwan 4.2.11")
+	DEC_MD5_VID(STRONGSWAN_4_2_10,"strongSwan 4.2.10")
+	DEC_MD5_VID(STRONGSWAN_4_2_9, "strongSwan 4.2.9")
 	DEC_MD5_VID(STRONGSWAN_4_2_8, "strongSwan 4.2.8")
 	DEC_MD5_VID(STRONGSWAN_4_2_7, "strongSwan 4.2.7")
 	DEC_MD5_VID(STRONGSWAN_4_2_6, "strongSwan 4.2.6")
diff --git a/src/pluto/vendor.h b/src/pluto/vendor.h
index 819dbd99d..20711fe4e 100644
--- a/src/pluto/vendor.h
+++ b/src/pluto/vendor.h
@@ -11,7 +11,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: vendor.h 4426 2008-10-14 01:53:37Z andreas $
+ * RCSID $Id: vendor.h 4846 2009-01-21 03:14:52Z andreas $
  */
 
 #ifndef _VENDOR_H_
@@ -125,6 +125,9 @@ enum known_vendorid {
   VID_STRONGSWAN_4_2_6		=106,
   VID_STRONGSWAN_4_2_7		=107,
   VID_STRONGSWAN_4_2_8		=108,
+  VID_STRONGSWAN_4_2_9		=109,
+  VID_STRONGSWAN_4_2_10		=110,
+  VID_STRONGSWAN_4_2_11		=111,
 
   /* 101 - 200 : NAT-Traversal */
   VID_NATT_STENBERG_01		=151,
diff --git a/src/scepclient/Makefile.am b/src/scepclient/Makefile.am
index 57b20dfb5..86220d71b 100644
--- a/src/scepclient/Makefile.am
+++ b/src/scepclient/Makefile.am
@@ -17,10 +17,13 @@ INCLUDES = \
 
 AM_CFLAGS = -DDEBUG -DNO_PLUTO -DIPSEC_CONFDIR=\"${confdir}\"
 
+LIBFREESWANBUILDDIR=$(top_builddir)/src/libfreeswan
+LIBCRYPTOBUILDDIR=$(top_builddir)/src/libcrypto
+
 scepclient_LDADD = asn1.o ca.o crl.o certs.o constants.o defs.o fetch.o id.o \
                    keys.o lex.o md2.o md5.o mp_defs.o ocsp.o oid.o pem.o pgp.o \
                    pkcs1.o pkcs7.o rnd.o sha1.o smartcard.o x509.o \
-                   $(LIBFREESWANDIR)/libfreeswan.a $(LIBCRYPTODIR)/libcrypto.a \
+                   $(LIBFREESWANBUILDDIR)/libfreeswan.a $(LIBCRYPTOBUILDDIR)/libcrypto.a \
                    -lgmp
 
 # This compile option activates smartcard support
diff --git a/src/scepclient/Makefile.in b/src/scepclient/Makefile.in
index 0e751d00b..a15b65697 100644
--- a/src/scepclient/Makefile.in
+++ b/src/scepclient/Makefile.in
@@ -60,8 +60,9 @@ am__DEPENDENCIES_1 =
 scepclient_DEPENDENCIES = asn1.o ca.o crl.o certs.o constants.o defs.o \
 	fetch.o id.o keys.o lex.o md2.o md5.o mp_defs.o ocsp.o oid.o \
 	pem.o pgp.o pkcs1.o pkcs7.o rnd.o sha1.o smartcard.o x509.o \
-	$(LIBFREESWANDIR)/libfreeswan.a $(LIBCRYPTODIR)/libcrypto.a \
-	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1)
+	$(LIBFREESWANBUILDDIR)/libfreeswan.a \
+	$(LIBCRYPTOBUILDDIR)/libcrypto.a $(am__DEPENDENCIES_1) \
+	$(am__DEPENDENCIES_1)
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
@@ -94,22 +95,17 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
-CXX = @CXX@
-CXXCPP = @CXXCPP@
-CXXDEPMODE = @CXXDEPMODE@
-CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DSYMUTIL = @DSYMUTIL@
-ECHO = @ECHO@
+DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-F77 = @F77@
-FFLAGS = @FFLAGS@
+FGREP = @FGREP@
 GPERF = @GPERF@
 GREP = @GREP@
 INSTALL = @INSTALL@
@@ -119,6 +115,7 @@ INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
 IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
 IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
@@ -127,12 +124,16 @@ LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
 LINUX_HEADERS = @LINUX_HEADERS@
+LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+NM = @NM@
 NMEDIT = @NMEDIT@
 OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -155,8 +156,7 @@ abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
-ac_ct_CXX = @ac_ct_CXX@
-ac_ct_F77 = @ac_ct_F77@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -195,6 +195,7 @@ libstrongswan_plugins = @libstrongswan_plugins@
 linuxdir = @linuxdir@
 localedir = @localedir@
 localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
@@ -234,11 +235,14 @@ INCLUDES = \
 
 AM_CFLAGS = -DDEBUG -DNO_PLUTO -DIPSEC_CONFDIR=\"${confdir}\" \
 	$(am__append_1) $(am__append_3)
+LIBFREESWANBUILDDIR = $(top_builddir)/src/libfreeswan
+LIBCRYPTOBUILDDIR = $(top_builddir)/src/libcrypto
 scepclient_LDADD = asn1.o ca.o crl.o certs.o constants.o defs.o \
 	fetch.o id.o keys.o lex.o md2.o md5.o mp_defs.o ocsp.o oid.o \
 	pem.o pgp.o pkcs1.o pkcs7.o rnd.o sha1.o smartcard.o x509.o \
-	$(LIBFREESWANDIR)/libfreeswan.a $(LIBCRYPTODIR)/libcrypto.a \
-	-lgmp $(am__append_2) $(am__append_4)
+	$(LIBFREESWANBUILDDIR)/libfreeswan.a \
+	$(LIBCRYPTOBUILDDIR)/libcrypto.a -lgmp $(am__append_2) \
+	$(am__append_4)
 dist_man_MANS = scepclient.8
 all: all-am
 
diff --git a/src/starter/Makefile.am b/src/starter/Makefile.am
index 5ee614f1b..78320b4c7 100644
--- a/src/starter/Makefile.am
+++ b/src/starter/Makefile.am
@@ -5,7 +5,7 @@ starterstroke.h interfaces.c invokepluto.h confread.h interfaces.h args.c \
 keywords.c files.h keywords.h cmp.c starter.c cmp.h exec.c invokecharon.c \
 exec.h invokecharon.h lex.yy.c loglite.c klips.c klips.h
 
-INCLUDES = -I$(top_srcdir)/src/libfreeswan -I$(top_srcdir)/src/pluto -I$(top_srcdir)/src/whack -I$(top_srcdir)/src/stroke
+INCLUDES = -I${linuxdir} -I$(top_srcdir)/src/libfreeswan -I$(top_srcdir)/src/pluto -I$(top_srcdir)/src/whack -I$(top_srcdir)/src/stroke
 AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" -DIPSEC_CONFDIR=\"${confdir}\" -DIPSEC_PIDDIR=\"${piddir}\" -DIPSEC_EAPDIR=\"${eapdir}\" -DDEBUG
 starter_LDADD = defs.o $(top_builddir)/src/libfreeswan/libfreeswan.a
 EXTRA_DIST = parser.l parser.y keywords.txt ipsec.conf
diff --git a/src/starter/Makefile.in b/src/starter/Makefile.in
index 446edf8c5..1301b931d 100644
--- a/src/starter/Makefile.in
+++ b/src/starter/Makefile.in
@@ -88,22 +88,17 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
-CXX = @CXX@
-CXXCPP = @CXXCPP@
-CXXDEPMODE = @CXXDEPMODE@
-CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DSYMUTIL = @DSYMUTIL@
-ECHO = @ECHO@
+DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-F77 = @F77@
-FFLAGS = @FFLAGS@
+FGREP = @FGREP@
 GPERF = @GPERF@
 GREP = @GREP@
 INSTALL = @INSTALL@
@@ -113,6 +108,7 @@ INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
 IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
 IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
@@ -121,12 +117,16 @@ LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
 LINUX_HEADERS = @LINUX_HEADERS@
+LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+NM = @NM@
 NMEDIT = @NMEDIT@
 OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -149,8 +149,7 @@ abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
-ac_ct_CXX = @ac_ct_CXX@
-ac_ct_F77 = @ac_ct_F77@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -189,6 +188,7 @@ libstrongswan_plugins = @libstrongswan_plugins@
 linuxdir = @linuxdir@
 localedir = @localedir@
 localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
@@ -218,7 +218,7 @@ starterstroke.h interfaces.c invokepluto.h confread.h interfaces.h args.c \
 keywords.c files.h keywords.h cmp.c starter.c cmp.h exec.c invokecharon.c \
 exec.h invokecharon.h lex.yy.c loglite.c klips.c klips.h
 
-INCLUDES = -I$(top_srcdir)/src/libfreeswan -I$(top_srcdir)/src/pluto -I$(top_srcdir)/src/whack -I$(top_srcdir)/src/stroke
+INCLUDES = -I${linuxdir} -I$(top_srcdir)/src/libfreeswan -I$(top_srcdir)/src/pluto -I$(top_srcdir)/src/whack -I$(top_srcdir)/src/stroke
 AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" -DIPSEC_CONFDIR=\"${confdir}\" -DIPSEC_PIDDIR=\"${piddir}\" -DIPSEC_EAPDIR=\"${eapdir}\" -DDEBUG
 starter_LDADD = defs.o $(top_builddir)/src/libfreeswan/libfreeswan.a
 EXTRA_DIST = parser.l parser.y keywords.txt ipsec.conf
diff --git a/src/starter/confread.c b/src/starter/confread.c
index 1560266c1..d0d1f4ed8 100644
--- a/src/starter/confread.c
+++ b/src/starter/confread.c
@@ -11,7 +11,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: confread.c 4612 2008-11-11 06:37:37Z andreas $
+ * RCSID $Id: confread.c 4882 2009-02-18 19:57:15Z tobias $
  */
 
 #include <stddef.h>
@@ -621,6 +621,10 @@ load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg)
 			{
 				conn->eap_type = 6;
 			}
+			else if (streq(kw->value, "mschapv2"))
+			{
+				conn->eap_type = 26;
+			}
 			else
 			{
 				conn->eap_type = atoi(kw->value);
diff --git a/src/starter/invokecharon.c b/src/starter/invokecharon.c
index 96baa4773..8028bbe54 100644
--- a/src/starter/invokecharon.c
+++ b/src/starter/invokecharon.c
@@ -14,7 +14,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: invokecharon.c 4243 2008-08-01 10:35:59Z andreas $
+ * RCSID $Id: invokecharon.c 4833 2009-01-13 06:50:55Z andreas $
  */
 
 #include <sys/types.h>
@@ -127,10 +127,13 @@ starter_start_charon (starter_config_t *cfg, bool no_fork)
 	arg[argc++] = "--use-syslog";
     }
 
-    {   /* parse debug string */
-    	char *pos, *level, *buf_pos, type[4];
-	pos = cfg->setup.charondebug;
-	buf_pos = buffer;
+    /* parse debug string */
+    {
+	int level;
+	char type[4];
+	char *pos = cfg->setup.charondebug;
+	char *buf_pos = buffer;
+
 	while (pos && sscanf(pos, "%4s %d,", type, &level) == 2)
 	{
 	    snprintf(buf_pos, buffer + sizeof(buffer) - buf_pos, "--debug-%s", type);
diff --git a/src/starter/ipsec.conf.5 b/src/starter/ipsec.conf.5
index 10ce8348e..9ad03eb60 100644
--- a/src/starter/ipsec.conf.5
+++ b/src/starter/ipsec.conf.5
@@ -1,5 +1,5 @@
 .TH IPSEC.CONF 5 "27 Jun 2007"
-.\" RCSID $Id: ipsec.conf.5 4645 2008-11-13 06:29:53Z andreas $
+.\" RCSID $Id: ipsec.conf.5 4890 2009-02-19 22:12:04Z andreas $
 .SH NAME
 ipsec.conf \- IPsec configuration and connections
 .SH DESCRIPTION
@@ -356,9 +356,13 @@ selected. Acceptable values are
 .B aka
 for EAP-AKA,
 .B sim
-for EAP-SIM and
+for EAP-SIM,
+.B gtc
+for EAP-GTC,
 .B md5
-for EAP-MD5.
+for EAP-MD5, and
+.B mschapv2
+for EAP-MS-CHAPv2.
 Additionally, IANA assigned EAP method numbers are accepted, or a definition
 in the form
 .B eap=type-vendor
@@ -1008,6 +1012,7 @@ Accepted values are
 and
 .B no
 (the default).
+Used by IKEv1 only, NAT traversal always being active in IKEv2.
 .TP
 .B nocrsend
 no certificate request payloads will be sent.
@@ -1016,7 +1021,6 @@ Accepted values are
 and
 .B no
 (the default).
-Used by IKEv1 only, NAT traversal always being active in IKEv2.
 .TP
 .B pkcs11initargs
 non-standard argument string for PKCS#11 C_Initialize() function;
diff --git a/src/starter/lex.yy.c b/src/starter/lex.yy.c
index 4b3405eda..8edb9e3e6 100644
--- a/src/starter/lex.yy.c
+++ b/src/starter/lex.yy.c
@@ -8,7 +8,7 @@
 #define FLEX_SCANNER
 #define YY_FLEX_MAJOR_VERSION 2
 #define YY_FLEX_MINOR_VERSION 5
-#define YY_FLEX_SUBMINOR_VERSION 34
+#define YY_FLEX_SUBMINOR_VERSION 35
 #if YY_FLEX_SUBMINOR_VERSION > 0
 #define FLEX_BETA
 #endif
@@ -53,7 +53,6 @@ typedef int flex_int32_t;
 typedef unsigned char flex_uint8_t; 
 typedef unsigned short int flex_uint16_t;
 typedef unsigned int flex_uint32_t;
-#endif /* ! C99 */
 
 /* Limits of integral types. */
 #ifndef INT8_MIN
@@ -84,6 +83,8 @@ typedef unsigned int flex_uint32_t;
 #define UINT32_MAX             (4294967295U)
 #endif
 
+#endif /* ! C99 */
+
 #endif /* ! FLEXINT_H */
 
 #ifdef __cplusplus
@@ -178,13 +179,6 @@ extern FILE *yyin, *yyout;
 
 #define unput(c) yyunput( c, (yytext_ptr)  )
 
-/* The following is because we cannot portably get our hands on size_t
- * (without autoconf's help, which isn't available because we want
- * flex-generated scanners to compile on their own).
- * Given that the standard has decreed that size_t exists since 1989,
- * I guess we can afford to depend on it. Manoj.
- */
-
 #ifndef YY_TYPEDEF_YY_SIZE_T
 #define YY_TYPEDEF_YY_SIZE_T
 typedef size_t yy_size_t;
@@ -618,7 +612,7 @@ int _parser_y_include (const char *filename)
     return 0;
 }
 
-#line 622 "lex.yy.c"
+#line 616 "lex.yy.c"
 
 #define INITIAL 0
 
@@ -636,6 +630,35 @@ int _parser_y_include (const char *filename)
 
 static int yy_init_globals (void );
 
+/* Accessor methods to globals.
+   These are made visible to non-reentrant scanners for convenience. */
+
+int yylex_destroy (void );
+
+int yyget_debug (void );
+
+void yyset_debug (int debug_flag  );
+
+YY_EXTRA_TYPE yyget_extra (void );
+
+void yyset_extra (YY_EXTRA_TYPE user_defined  );
+
+FILE *yyget_in (void );
+
+void yyset_in  (FILE * in_str  );
+
+FILE *yyget_out (void );
+
+void yyset_out  (FILE * out_str  );
+
+int yyget_leng (void );
+
+char *yyget_text (void );
+
+int yyget_lineno (void );
+
+void yyset_lineno (int line_number  );
+
 /* Macros after this point can all be overridden by user definitions in
  * section 1.
  */
@@ -676,7 +699,7 @@ static int input (void );
 /* This used to be an fputs(), but since the string might contain NUL's,
  * we now use fwrite().
  */
-#define ECHO fwrite( yytext, yyleng, 1, yyout )
+#define ECHO do { if (fwrite( yytext, yyleng, 1, yyout )) {} } while (0)
 #endif
 
 /* Gets input and stuffs it into "buf".  number of characters read, or YY_NULL,
@@ -687,7 +710,7 @@ static int input (void );
 	if ( YY_CURRENT_BUFFER_LVALUE->yy_is_interactive ) \
 		{ \
 		int c = '*'; \
-		int n; \
+		size_t n; \
 		for ( n = 0; n < max_size && \
 			     (c = getc( yyin )) != EOF && c != '\n'; ++n ) \
 			buf[n] = (char) c; \
@@ -775,7 +798,7 @@ YY_DECL
 #line 135 "parser.l"
 
 
-#line 779 "lex.yy.c"
+#line 802 "lex.yy.c"
 
 	if ( !(yy_init) )
 		{
@@ -959,7 +982,7 @@ YY_RULE_SETUP
 #line 185 "parser.l"
 ECHO;
 	YY_BREAK
-#line 963 "lex.yy.c"
+#line 986 "lex.yy.c"
 
 	case YY_END_OF_BUFFER:
 		{
diff --git a/src/starter/starterstroke.c b/src/starter/starterstroke.c
index 481b7de34..a1339f2a5 100644
--- a/src/starter/starterstroke.c
+++ b/src/starter/starterstroke.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: starterstroke.c 4614 2008-11-11 07:28:52Z andreas $
+ * RCSID $Id: starterstroke.c 4856 2009-02-05 22:13:48Z andreas $
  */
 
 #include <sys/types.h>
@@ -127,19 +127,6 @@ static void ip_address2string(ip_address *addr, char *buffer, size_t len)
 {
 	switch (((struct sockaddr*)addr)->sa_family)
 	{
-		case AF_INET:
-		{
-			struct sockaddr_in* sin = (struct sockaddr_in*)addr;
-			u_int8_t zeroes[IPV4_LEN];
-
-			memset(zeroes, 0, IPV4_LEN);
-			if (memcmp(zeroes, &(sin->sin_addr.s_addr), IPV4_LEN) &&
-				inet_ntop(AF_INET, &sin->sin_addr, buffer, len))
-			{
-				return;
-			}
-			break;
-		}
 		case AF_INET6:
 		{
 			struct sockaddr_in6* sin6 = (struct sockaddr_in6*)addr;
@@ -151,16 +138,28 @@ static void ip_address2string(ip_address *addr, char *buffer, size_t len)
 			{
 				return;
 			}
+			snprintf(buffer, len, "%%any6");
 			break;
 		}
+		case AF_INET:
+		{
+			struct sockaddr_in* sin = (struct sockaddr_in*)addr;
+			u_int8_t zeroes[IPV4_LEN];
+
+			memset(zeroes, 0, IPV4_LEN);
+			if (memcmp(zeroes, &(sin->sin_addr.s_addr), IPV4_LEN) &&
+				inet_ntop(AF_INET, &sin->sin_addr, buffer, len))
+			{
+				return;
+			}
+			/* fall through to default */
+		}
 		default:
+			snprintf(buffer, len, "%%any");
 			break;
 	}
-	/* default */
-	snprintf(buffer, len, "%%any");
 }
 
-
 static void starter_stroke_add_end(stroke_msg_t *msg, stroke_end_t *msg_end, starter_end_t *conn_end)
 {
 	char buffer[INET6_ADDRSTRLEN];
diff --git a/src/stroke/Makefile.in b/src/stroke/Makefile.in
index 62d1bb83e..0d78d9425 100644
--- a/src/stroke/Makefile.in
+++ b/src/stroke/Makefile.in
@@ -76,22 +76,17 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
-CXX = @CXX@
-CXXCPP = @CXXCPP@
-CXXDEPMODE = @CXXDEPMODE@
-CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DSYMUTIL = @DSYMUTIL@
-ECHO = @ECHO@
+DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-F77 = @F77@
-FFLAGS = @FFLAGS@
+FGREP = @FGREP@
 GPERF = @GPERF@
 GREP = @GREP@
 INSTALL = @INSTALL@
@@ -101,6 +96,7 @@ INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
 IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
 IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
@@ -109,12 +105,16 @@ LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
 LINUX_HEADERS = @LINUX_HEADERS@
+LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+NM = @NM@
 NMEDIT = @NMEDIT@
 OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -137,8 +137,7 @@ abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
-ac_ct_CXX = @ac_ct_CXX@
-ac_ct_F77 = @ac_ct_F77@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -177,6 +176,7 @@ libstrongswan_plugins = @libstrongswan_plugins@
 linuxdir = @linuxdir@
 localedir = @localedir@
 localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
diff --git a/src/stroke/stroke.c b/src/stroke/stroke.c
index d100c2107..01cbcb5b0 100644
--- a/src/stroke/stroke.c
+++ b/src/stroke/stroke.c
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: stroke.c 4384 2008-10-08 07:00:13Z andreas $
+ * RCSID $Id: stroke.c 4783 2008-12-10 13:00:02Z martin $
  */
 
 #include <stdlib.h>
@@ -259,6 +259,18 @@ static int purge(stroke_keyword_t kw)
 	return send_stroke_msg(&msg);
 }
 
+static int leases(stroke_keyword_t kw, char *pool, char *address)
+{
+
+	stroke_msg_t msg;
+	
+	msg.type = STR_LEASES;
+	msg.length = offsetof(stroke_msg_t, buffer);
+	msg.leases.pool = push_string(&msg, pool);
+	msg.leases.address = push_string(&msg, address);
+	return send_stroke_msg(&msg);
+}
+
 static int set_loglevel(char *type, u_int level)
 {
 	stroke_msg_t msg;
@@ -318,6 +330,8 @@ static void exit_usage(char *error)
 	printf("    stroke rereadsecrets|rereadcrls|rereadall\n");
 	printf("  Purge ocsp cache entries:\n");
 	printf("    stroke purgeocsp\n");
+	printf("  Show leases of a pool:\n");
+	printf("    stroke leases [POOL [ADDRESS]]\n");
 	exit_error(error);
 }
 
@@ -429,6 +443,10 @@ int main(int argc, char *argv[])
 		case STROKE_PURGE_OCSP:
 			res = purge(token->kw);
 			break;
+		case STROKE_LEASES:
+			res = leases(token->kw, argc > 2 ? argv[2] : NULL,
+						 argc > 3 ? argv[3] : NULL);
+			break;
 		default:
 			exit_usage(NULL);
 	}
diff --git a/src/stroke/stroke_keywords.c b/src/stroke/stroke_keywords.c
index 17bcda47c..a5d17edc2 100644
--- a/src/stroke/stroke_keywords.c
+++ b/src/stroke/stroke_keywords.c
@@ -44,7 +44,7 @@ error "gperf generated tables don't work with this execution character set. Plea
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: stroke_keywords.txt 4384 2008-10-08 07:00:13Z andreas $
+ * RCSID $Id: stroke_keywords.txt 4783 2008-12-10 13:00:02Z martin $
  */
 
 #include <string.h>
@@ -56,12 +56,12 @@ struct stroke_token {
     stroke_keyword_t kw;
 };
 
-#define TOTAL_KEYWORDS 31
+#define TOTAL_KEYWORDS 32
 #define MIN_WORD_LENGTH 2
 #define MAX_WORD_LENGTH 15
 #define MIN_HASH_VALUE 3
-#define MAX_HASH_VALUE 48
-/* maximum key range = 46, duplicates = 0 */
+#define MAX_HASH_VALUE 65
+/* maximum key range = 63, duplicates = 0 */
 
 #ifdef __GNUC__
 __inline
@@ -77,32 +77,32 @@ hash (str, len)
 {
   static const unsigned char asso_values[] =
     {
-      49, 49, 49, 49, 49, 49, 49, 49, 49, 49,
-      49, 49, 49, 49, 49, 49, 49, 49, 49, 49,
-      49, 49, 49, 49, 49, 49, 49, 49, 49, 49,
-      49, 49, 49, 49, 49, 49, 49, 49, 49, 49,
-      49, 49, 49, 49, 49,  0, 49, 49, 49, 49,
-      49, 49, 49, 49, 49, 49, 49, 49, 49, 49,
-      49, 49, 49, 49, 49, 49, 49, 49, 49, 49,
-      49, 49, 49, 49, 49, 49, 49, 49, 49, 49,
-      49, 49, 49, 49, 49, 49, 49, 49, 49, 49,
-      49, 49, 49, 49, 49, 49, 49,  0,  0,  5,
-      28,  0, 49, 10, 49, 20, 49, 49,  0, 49,
-      49, 20,  0, 49, 10, 10,  0, 10, 49, 49,
-      49, 49, 49, 49, 49, 49, 49, 49, 49, 49,
-      49, 49, 49, 49, 49, 49, 49, 49, 49, 49,
-      49, 49, 49, 49, 49, 49, 49, 49, 49, 49,
-      49, 49, 49, 49, 49, 49, 49, 49, 49, 49,
-      49, 49, 49, 49, 49, 49, 49, 49, 49, 49,
-      49, 49, 49, 49, 49, 49, 49, 49, 49, 49,
-      49, 49, 49, 49, 49, 49, 49, 49, 49, 49,
-      49, 49, 49, 49, 49, 49, 49, 49, 49, 49,
-      49, 49, 49, 49, 49, 49, 49, 49, 49, 49,
-      49, 49, 49, 49, 49, 49, 49, 49, 49, 49,
-      49, 49, 49, 49, 49, 49, 49, 49, 49, 49,
-      49, 49, 49, 49, 49, 49, 49, 49, 49, 49,
-      49, 49, 49, 49, 49, 49, 49, 49, 49, 49,
-      49, 49, 49, 49, 49, 49
+      66, 66, 66, 66, 66, 66, 66, 66, 66, 66,
+      66, 66, 66, 66, 66, 66, 66, 66, 66, 66,
+      66, 66, 66, 66, 66, 66, 66, 66, 66, 66,
+      66, 66, 66, 66, 66, 66, 66, 66, 66, 66,
+      66, 66, 66, 66, 66,  0, 66, 66, 66, 66,
+      66, 66, 66, 66, 66, 66, 66, 66, 66, 66,
+      66, 66, 66, 66, 66, 66, 66, 66, 66, 66,
+      66, 66, 66, 66, 66, 66, 66, 66, 66, 66,
+      66, 66, 66, 66, 66, 66, 66, 66, 66, 66,
+      66, 66, 66, 66, 66, 66, 66,  0,  0,  5,
+      45,  0, 66, 10, 66, 15, 66, 66,  0, 66,
+      66, 20,  0, 66, 10, 10,  0, 10, 66, 66,
+      66, 66, 66, 66, 66, 66, 66, 66, 66, 66,
+      66, 66, 66, 66, 66, 66, 66, 66, 66, 66,
+      66, 66, 66, 66, 66, 66, 66, 66, 66, 66,
+      66, 66, 66, 66, 66, 66, 66, 66, 66, 66,
+      66, 66, 66, 66, 66, 66, 66, 66, 66, 66,
+      66, 66, 66, 66, 66, 66, 66, 66, 66, 66,
+      66, 66, 66, 66, 66, 66, 66, 66, 66, 66,
+      66, 66, 66, 66, 66, 66, 66, 66, 66, 66,
+      66, 66, 66, 66, 66, 66, 66, 66, 66, 66,
+      66, 66, 66, 66, 66, 66, 66, 66, 66, 66,
+      66, 66, 66, 66, 66, 66, 66, 66, 66, 66,
+      66, 66, 66, 66, 66, 66, 66, 66, 66, 66,
+      66, 66, 66, 66, 66, 66, 66, 66, 66, 66,
+      66, 66, 66, 66, 66, 66
     };
   register int hval = len;
 
@@ -129,7 +129,8 @@ static const struct stroke_token wordlist[] =
   {
     {""}, {""}, {""},
     {"add",             STROKE_ADD},
-    {""}, {""}, {""},
+    {""}, {""},
+    {"leases",          STROKE_LEASES},
     {"listall",         STROKE_LIST_ALL},
     {"loglevel",        STROKE_LOGLEVEL},
     {""},
@@ -145,8 +146,8 @@ static const struct stroke_token wordlist[] =
     {"rereadall",       STROKE_REREAD_ALL},
     {""},
     {"listcacerts",     STROKE_LIST_CACERTS},
-    {"rereadacerts",    STROKE_REREAD_ACERTS,},
-    {"rereadaacerts",   STROKE_REREAD_AACERTS,},
+    {"rereadacerts",    STROKE_REREAD_ACERTS},
+    {"rereadaacerts",   STROKE_REREAD_AACERTS},
     {"listcerts",       STROKE_LIST_CERTS},
     {"rereadcrls",      STROKE_REREAD_CRLS},
     {"status",          STROKE_STATUS},
@@ -154,13 +155,10 @@ static const struct stroke_token wordlist[] =
     {"rereadcacerts",   STROKE_REREAD_CACERTS},
     {"statusall",       STROKE_STATUSALL},
     {""},
-    {"del",             STROKE_DEL},
-    {"down",            STROKE_DOWN},
-    {"rereadsecrets",   STROKE_REREAD_SECRETS},
-    {"delete",          STROKE_DELETE},
-    {""},
     {"listcainfos",     STROKE_LIST_CAINFOS},
     {""},
+    {"rereadsecrets",   STROKE_REREAD_SECRETS},
+    {""}, {""}, {""}, {""},
     {"listocsp",        STROKE_LIST_OCSP},
     {""},
     {"listgroups",      STROKE_LIST_GROUPS},
@@ -169,6 +167,12 @@ static const struct stroke_token wordlist[] =
     {""},
     {"rereadocspcerts", STROKE_REREAD_OCSPCERTS},
     {""}, {""},
+    {"del",             STROKE_DEL},
+    {"down",            STROKE_DOWN},
+    {""},
+    {"delete",          STROKE_DELETE},
+    {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""},
+    {""}, {""}, {""}, {""},
     {"down-srcip",      STROKE_DOWN_SRCIP}
   };
 
diff --git a/src/stroke/stroke_keywords.h b/src/stroke/stroke_keywords.h
index 0ad221153..e089b5660 100644
--- a/src/stroke/stroke_keywords.h
+++ b/src/stroke/stroke_keywords.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: stroke_keywords.h 4384 2008-10-08 07:00:13Z andreas $
+ * RCSID $Id: stroke_keywords.h 4783 2008-12-10 13:00:02Z martin $
  */
 
 #ifndef _STROKE_KEYWORDS_H_
@@ -49,7 +49,8 @@ typedef enum {
 	STROKE_REREAD_ACERTS,
 	STROKE_REREAD_CRLS,
 	STROKE_REREAD_ALL,
-	STROKE_PURGE_OCSP
+	STROKE_PURGE_OCSP,
+	STROKE_LEASES
 } stroke_keyword_t;
 
 #define STROKE_LIST_FIRST		STROKE_LIST_PUBKEYS
diff --git a/src/stroke/stroke_keywords.txt b/src/stroke/stroke_keywords.txt
index ba35e8bcc..3ec259a24 100644
--- a/src/stroke/stroke_keywords.txt
+++ b/src/stroke/stroke_keywords.txt
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: stroke_keywords.txt 4384 2008-10-08 07:00:13Z andreas $
+ * RCSID $Id: stroke_keywords.txt 4783 2008-12-10 13:00:02Z martin $
  */
 
 #include <string.h>
@@ -52,8 +52,9 @@ listall,         STROKE_LIST_ALL
 rereadsecrets,   STROKE_REREAD_SECRETS
 rereadcacerts,   STROKE_REREAD_CACERTS
 rereadocspcerts, STROKE_REREAD_OCSPCERTS
-rereadaacerts,   STROKE_REREAD_AACERTS,
-rereadacerts,    STROKE_REREAD_ACERTS,
+rereadaacerts,   STROKE_REREAD_AACERTS
+rereadacerts,    STROKE_REREAD_ACERTS
 rereadcrls,      STROKE_REREAD_CRLS
 rereadall,       STROKE_REREAD_ALL
 purgeocsp,       STROKE_PURGE_OCSP
+leases,          STROKE_LEASES
diff --git a/src/stroke/stroke_msg.h b/src/stroke/stroke_msg.h
index 38f44f923..81ad2e397 100644
--- a/src/stroke/stroke_msg.h
+++ b/src/stroke/stroke_msg.h
@@ -19,7 +19,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: stroke_msg.h 4614 2008-11-11 07:28:52Z andreas $
+ * RCSID $Id: stroke_msg.h 4783 2008-12-10 13:00:02Z martin $
  */
 
 #ifndef STROKE_MSG_H_
@@ -181,7 +181,9 @@ struct stroke_msg_t {
 		/* reread various objects */
 		STR_REREAD,
 		/* purge various objects */
-		STR_PURGE
+		STR_PURGE,
+		/* show pool leases */
+		STR_LEASES,
 		/* more to come */
 	} type;
 	
@@ -278,6 +280,12 @@ struct stroke_msg_t {
 		struct {
 			purge_flag_t flags;
 		} purge;
+
+		/* data for STR_LEASES */
+		struct {
+			char *pool;
+			char *address;
+		} leases;
 	};
 	char buffer[STROKE_BUF_LEN];
 };
diff --git a/src/whack/Makefile.in b/src/whack/Makefile.in
index 1ca24ef3a..5c9762cd3 100644
--- a/src/whack/Makefile.in
+++ b/src/whack/Makefile.in
@@ -76,22 +76,17 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
-CXX = @CXX@
-CXXCPP = @CXXCPP@
-CXXDEPMODE = @CXXDEPMODE@
-CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DSYMUTIL = @DSYMUTIL@
-ECHO = @ECHO@
+DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-F77 = @F77@
-FFLAGS = @FFLAGS@
+FGREP = @FGREP@
 GPERF = @GPERF@
 GREP = @GREP@
 INSTALL = @INSTALL@
@@ -101,6 +96,7 @@ INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
 IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
 IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
@@ -109,12 +105,16 @@ LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
 LINUX_HEADERS = @LINUX_HEADERS@
+LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+NM = @NM@
 NMEDIT = @NMEDIT@
 OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -137,8 +137,7 @@ abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
-ac_ct_CXX = @ac_ct_CXX@
-ac_ct_F77 = @ac_ct_F77@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -177,6 +176,7 @@ libstrongswan_plugins = @libstrongswan_plugins@
 linuxdir = @linuxdir@
 localedir = @localedir@
 localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
diff --git a/src/whack/whack.h b/src/whack/whack.h
index b35150788..8e0e7c3af 100644
--- a/src/whack/whack.h
+++ b/src/whack/whack.h
@@ -11,7 +11,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: whack.h 3264 2007-10-08 19:49:56Z andreas $
+ * RCSID $Id: whack.h 4709 2008-11-27 10:20:25Z martin $
  */
 
 #ifndef _WHACK_H
@@ -19,7 +19,16 @@
 
 #include <freeswan.h>
 
-#include <smartcard.h>
+/* copy of smartcard operations, defined in smartcard.h */
+#ifndef SC_OP_T
+#define SC_OP_T
+typedef enum {
+    SC_OP_NONE =    0,
+    SC_OP_ENCRYPT = 1,
+    SC_OP_DECRYPT = 2,
+    SC_OP_SIGN =    3,
+} sc_op_t;
+#endif /* SC_OP_T */
 
 /* Since the message remains on one host, native representation is used.
  * Think of this as horizontal microcode: all selected operations are
diff --git a/testing/INSTALL b/testing/INSTALL
index 5e67b3bf9..d09383328 100644
--- a/testing/INSTALL
+++ b/testing/INSTALL
@@ -53,16 +53,14 @@ are required for the strongSwan testing environment:
     * A vanilla Linux kernel on which the UML kernel will be based on.
       We recommend the use of
 
-      http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.27.5.tar.bz2
+      http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.28.tar.bz2
 
-    * The Linux kernel 2.6.26 requires the following patch for the uml guest kernel
-      to successfully start up:
-
-      http://download.strongswan.org/uml/uml-2.6.26.patch.bz2
+    * The Linux kernel 2.6.28 does not require any patches for the uml guest kernel
+      to successfully start up.
 
     * The matching .config file required to compile the UML kernel:
 
-      http://download.strongswan.org/uml/.config-2.6.27
+      http://download.strongswan.org/uml/.config-2.6.28
 
     * A gentoo-based UML file system (compressed size 130 MBytes) found at
 
@@ -70,7 +68,7 @@ are required for the strongSwan testing environment:
 
     * The latest strongSwan distribution
 
-      http://download.strongswan.org/strongswan-4.2.9.tar.bz2
+      http://download.strongswan.org/strongswan-4.2.12.tar.bz2
 
 
 3. Creating the environment
@@ -145,5 +143,5 @@ README document.
 
 -----------------------------------------------------------------------------
 
-This file is RCSID $Id: INSTALL 4663 2008-11-16 21:23:56Z andreas $
+This file is RCSID $Id: INSTALL 4846 2009-01-21 03:14:52Z andreas $
 
diff --git a/testing/Makefile.in b/testing/Makefile.in
index 3ceb82887..83825043f 100644
--- a/testing/Makefile.in
+++ b/testing/Makefile.in
@@ -57,22 +57,17 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
-CXX = @CXX@
-CXXCPP = @CXXCPP@
-CXXDEPMODE = @CXXDEPMODE@
-CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DSYMUTIL = @DSYMUTIL@
-ECHO = @ECHO@
+DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-F77 = @F77@
-FFLAGS = @FFLAGS@
+FGREP = @FGREP@
 GPERF = @GPERF@
 GREP = @GREP@
 INSTALL = @INSTALL@
@@ -82,6 +77,7 @@ INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
 IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
 IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
@@ -90,12 +86,16 @@ LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
 LINUX_HEADERS = @LINUX_HEADERS@
+LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+NM = @NM@
 NMEDIT = @NMEDIT@
 OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -118,8 +118,7 @@ abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
-ac_ct_CXX = @ac_ct_CXX@
-ac_ct_F77 = @ac_ct_F77@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -158,6 +157,7 @@ libstrongswan_plugins = @libstrongswan_plugins@
 linuxdir = @linuxdir@
 localedir = @localedir@
 localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
diff --git a/testing/scripts/build-umlrootfs b/testing/scripts/build-umlrootfs
index b54493de8..fad5b23d8 100755
--- a/testing/scripts/build-umlrootfs
+++ b/testing/scripts/build-umlrootfs
@@ -14,7 +14,7 @@
 # or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 # for more details.
 #
-# RCSID $Id: build-umlrootfs 4425 2008-10-13 22:54:09Z andreas $
+# RCSID $Id: build-umlrootfs 4889 2009-02-19 22:02:28Z andreas $
 
 DIR=`dirname $0`
 
@@ -149,12 +149,18 @@ if [ "$USE_EAP_SIM" = "yes" ]
 then
     echo -n " --enable-eap-sim" >> $INSTALLSHELL
     echo -n " --enable-eap-sim-file" >> $INSTALLSHELL
-    fi
+fi
 
 if [ "$USE_EAP_MD5" = "yes" ]
 then
     echo -n " --enable-eap-md5" >> $INSTALLSHELL
-    fi
+fi
+
+if [ "$USE_EAP_MSCHAPV2" = "yes" ]
+then
+    echo -n " --enable-md4" >> $INSTALLSHELL
+    echo -n " --enable-eap-mschapv2" >> $INSTALLSHELL
+fi
 
 if [ "$USE_EAP_IDENTITY" = "yes" ]
 then
@@ -191,6 +197,11 @@ then
     echo -n " --enable-leak-detective" >> $INSTALLSHELL
 fi
 
+if [ "$USE_LOAD_TESTS" = "yes" ]
+then
+    echo -n " --enable-load-tests" >> $INSTALLSHELL
+fi
+
 echo "" >> $INSTALLSHELL
 echo "make" >> $INSTALLSHELL
 echo "make install" >> $INSTALLSHELL
diff --git a/testing/testing.conf b/testing/testing.conf
index fdfab383a..5871734d2 100755
--- a/testing/testing.conf
+++ b/testing/testing.conf
@@ -14,26 +14,26 @@
 # or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 # for more details.
 #
-# RCSID $Id: testing.conf 4442 2008-10-15 00:22:51Z andreas $
+# RCSID $Id: testing.conf 4889 2009-02-19 22:02:28Z andreas $
 
 # Root directory of testing
 UMLTESTDIR=~/strongswan-testing
 
 # Bzipped kernel sources
 # (file extension .tar.bz2 required)
-KERNEL=$UMLTESTDIR/linux-2.6.27.tar.bz2
+KERNEL=$UMLTESTDIR/linux-2.6.28.tar.bz2
 
 # Extract kernel version
 KERNELVERSION=`basename $KERNEL .tar.bz2 | sed -e 's/linux-//'`
 
 # Kernel configuration file
-KERNELCONFIG=$UMLTESTDIR/.config-2.6.27
+KERNELCONFIG=$UMLTESTDIR/.config-2.6.28
 
 # Bzipped uml patch for kernel
-UMLPATCH=$UMLTESTDIR/uml-2.6.26.patch.bz2
+#UMLPATCH=$UMLTESTDIR/uml-2.6.26.patch.bz2
 
 # Bzipped source of strongSwan
-STRONGSWAN=$UMLTESTDIR/strongswan-4.2.9.tar.bz2
+STRONGSWAN=$UMLTESTDIR/strongswan-4.2.12.tar.bz2
 
 # strongSwan compile options (use "yes" or "no")
 USE_LIBCURL="yes"
@@ -41,13 +41,14 @@ USE_LDAP="yes"
 USE_EAP_AKA="yes"
 USE_EAP_SIM="yes"
 USE_EAP_MD5="yes"
+USE_EAP_MSCHAPV2="yes"
 USE_EAP_IDENTITY="yes"
 USE_SQL="yes"
 USE_MEDIATION="yes"
 USE_OPENSSL="yes"
 USE_KERNEL_PFKEY="yes"
-USE_INTEGRITY_TEST="no"
-USE_LEAK_DETECTIVE="no"
+USE_INTEGRITY_TEST="yes"
+USE_LEAK_DETECTIVE="yes"
 
 # Gentoo linux root filesystem
 ROOTFS=$UMLTESTDIR/gentoo-fs-20080407.tar.bz2
diff --git a/testing/tests/ikev1/attr-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/attr-cert/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..5a360543c
--- /dev/null
+++ b/testing/tests/ikev1/attr-cert/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,3 @@
+openac {
+  load = sha1 sha2 md5 gmp random x509 pubkey
+}
diff --git a/testing/tests/ikev1/attr-cert/pretest.dat b/testing/tests/ikev1/attr-cert/pretest.dat
index b3fecaf3c..3c7fb5dc6 100644
--- a/testing/tests/ikev1/attr-cert/pretest.dat
+++ b/testing/tests/ikev1/attr-cert/pretest.dat
@@ -1,7 +1,7 @@
 moon::echo 1 > /proc/sys/net/ipv4/ip_forward
 moon::cat /etc/openac/default.conf
-moon::ipsec openac --optionsfrom default.conf --usercert /etc/openac/carolCert.pem --groups Research --out /etc/ipsec.d/acerts/carolAC.pem
-moon::ipsec openac --optionsfrom default.conf --usercert /etc/openac/daveCert.pem --groups Accounting --out /etc/ipsec.d/acerts/daveAC.pem
+moon::ipsec openac --optionsfrom default.conf --usercert /etc/openac/carolCert.pem --groups Research --out /etc/ipsec.d/acerts/carolAC.pem 2> /dev/null
+moon::ipsec openac --optionsfrom default.conf --usercert /etc/openac/daveCert.pem --groups Accounting --out /etc/ipsec.d/acerts/daveAC.pem 2> /dev/null
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
diff --git a/testing/tests/ikev2/config-payload/evaltest.dat b/testing/tests/ikev2/config-payload/evaltest.dat
index 73d5ea206..40624e3ef 100644
--- a/testing/tests/ikev2/config-payload/evaltest.dat
+++ b/testing/tests/ikev2/config-payload/evaltest.dat
@@ -1,6 +1,8 @@
 carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES
 carol::ip addr list dev eth0::PH_IP_CAROL1::YES
 carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES
+carol::cat /etc/resolv.conf::nameserver PH_IP_WINNETOU::YES
+carol::cat /etc/resolv.conf::nameserver PH_IP_VENUS::YES
 carol::ipsec status::home.*INSTALLED::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
 dave::cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
diff --git a/testing/tests/ikev2/config-payload/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/config-payload/hosts/moon/etc/strongswan.conf
index 40eb84b8a..9068f9dcf 100644
--- a/testing/tests/ikev2/config-payload/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/config-payload/hosts/moon/etc/strongswan.conf
@@ -2,4 +2,6 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  dns1 = PH_IP_WINNETOU
+  dns2 = PH_IP_VENUS
 }
diff --git a/testing/tests/ikev2/esp-alg-null/description.txt b/testing/tests/ikev2/esp-alg-null/description.txt
new file mode 100644
index 000000000..3f1b35e6c
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-null/description.txt
@@ -0,0 +1,3 @@
+Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
+<b>NULL/HMAC_SHA1_96</b> by defining <b>esp=null-sha1</b> in ipsec.conf.
+A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev2/esp-alg-null/evaltest.dat b/testing/tests/ikev2/esp-alg-null/evaltest.dat
new file mode 100644
index 000000000..dc50f11e0
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-null/evaltest.dat
@@ -0,0 +1,7 @@
+moon::ipsec statusall::rw.*INSTALLED::YES
+carol::ipsec statusall::home.*INSTALLED::YES
+moon::ipsec statusall::NULL/HMAC_SHA1_96::YES
+carol::ipsec statusall::NULL/HMAC_SHA1_96::YES
+moon::ip xfrm state::enc ecb(cipher_null)::YES
+carol::ip xfrm state::enc ecb(cipher_null)::YES
+carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
diff --git a/testing/tests/ikev2/esp-alg-null/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-null/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..5640d74fc
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-null/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=yes
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=aes128-sha1-modp2048!
+	esp=null-sha1!
+
+conn home
+	left=PH_IP_CAROL
+	leftfirewall=yes
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add 
diff --git a/testing/tests/ikev2/esp-alg-null/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-null/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..40eb84b8a
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-null/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+}
diff --git a/testing/tests/ikev2/esp-alg-null/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-null/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..91f4a7c7f
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-null/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=yes
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=aes128-sha1-modp2048!
+	esp=null-sha1!
+
+conn rw
+	left=PH_IP_MOON
+	leftfirewall=yes
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	right=%any
+	auto=add
diff --git a/testing/tests/ikev2/esp-alg-null/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-null/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..40eb84b8a
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-null/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+}
diff --git a/testing/tests/ikev2/esp-alg-null/posttest.dat b/testing/tests/ikev2/esp-alg-null/posttest.dat
new file mode 100644
index 000000000..94a400606
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-null/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/esp-alg-null/pretest.dat b/testing/tests/ikev2/esp-alg-null/pretest.dat
new file mode 100644
index 000000000..f360351e1
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-null/pretest.dat
@@ -0,0 +1,6 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+carol::sleep 1 
+carol::ipsec up home
diff --git a/testing/tests/ikev2/esp-alg-null/test.conf b/testing/tests/ikev2/esp-alg-null/test.conf
new file mode 100644
index 000000000..2b240d895
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-null/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/ip-pool-db/evaltest.dat b/testing/tests/ikev2/ip-pool-db/evaltest.dat
index d12e10959..9ce2c44a8 100644
--- a/testing/tests/ikev2/ip-pool-db/evaltest.dat
+++ b/testing/tests/ikev2/ip-pool-db/evaltest.dat
@@ -11,9 +11,9 @@ dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
 moon::cat /var/log/daemon.log::peer requested virtual IP %any::YES
 moon::cat /var/log/daemon.log::acquired new lease for address.*in pool.*bigpool::YES
 moon::cat /var/log/daemon.log::assigning virtual IP::YES
-moon::ipsec pool --status::bigpool.*10.3.0.1.*10.3.255.254.*static.*2::YES
-moon::ipsec pool --leases --filter pool=bigpool,addr=10.3.0.1,id=carol@strongswan.org::online::YES
-moon::ipsec pool --leases --filter pool=bigpool,addr=10.3.0.2,id=dave@strongswan.org::online::YES
+moon::ipsec pool --status 2> /dev/null::bigpool.*10.3.0.1.*10.3.3.232.*static.*2::YES
+moon::ipsec pool --leases --filter pool=bigpool,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES
+moon::ipsec pool --leases --filter pool=bigpool,addr=10.3.0.2,id=dave@strongswan.org 2> /dev/null::online::YES
 moon::ipsec status::rw.*ESTABLISHED.*carol@strongswan.org::YES
 moon::ipsec status::rw.*ESTABLISHED.*dave@strongswan.org::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/strongswan.conf
index 0d900b871..b77ff97fb 100644
--- a/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/strongswan.conf
@@ -8,3 +8,7 @@ charon {
   }
   load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink sqlite sql updown
 }
+
+pool {
+  load = sqlite
+}
diff --git a/testing/tests/ikev2/ip-pool-db/posttest.dat b/testing/tests/ikev2/ip-pool-db/posttest.dat
index 5d26cbbbc..1505a77ba 100644
--- a/testing/tests/ikev2/ip-pool-db/posttest.dat
+++ b/testing/tests/ikev2/ip-pool-db/posttest.dat
@@ -4,5 +4,5 @@ dave::ipsec stop
 moon::/etc/init.d/iptables stop 2> /dev/null
 carol::/etc/init.d/iptables stop 2> /dev/null
 dave::/etc/init.d/iptables stop 2> /dev/null
-moon::ipsec pool --del bigpool
+moon::ipsec pool --del bigpool 2> /dev/null
 moon::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/ikev2/ip-pool-db/pretest.dat b/testing/tests/ikev2/ip-pool-db/pretest.dat
index 78ba3f581..1765538a3 100644
--- a/testing/tests/ikev2/ip-pool-db/pretest.dat
+++ b/testing/tests/ikev2/ip-pool-db/pretest.dat
@@ -1,6 +1,6 @@
 moon::cat /etc/ipsec.d/tables.sql > /etc/ipsec.d/ipsec.sql
 moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-moon::ipsec pool --add bigpool --start 10.3.0.1 --end 10.3.255.254 --timeout 0
+moon::ipsec pool --add bigpool --start 10.3.0.1 --end 10.3.3.232 --timeout 0 2> /dev/null
 moon::/etc/init.d/iptables start 2> /dev/null
 carol::/etc/init.d/iptables start 2> /dev/null
 dave::/etc/init.d/iptables start 2> /dev/null
diff --git a/testing/tests/ikev2/ip-pool-wish/description.txt b/testing/tests/ikev2/ip-pool-wish/description.txt
index a5487169a..4b08aa33e 100644
--- a/testing/tests/ikev2/ip-pool-wish/description.txt
+++ b/testing/tests/ikev2/ip-pool-wish/description.txt
@@ -1,8 +1,8 @@
 The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
 Both <b>carol</b> and <b>dave</b> request the same <b>virtual IP</b> via the IKEv2
-configuration payload by using the <b>leftsourceip=PH_IP_DAVE1</b> parameter. On a first-come,
-first-served basis, <b>dave</b> gets <b>PH_IP_DAVE1</b> from the simple address pool managed
-by gateway <b>moon</b> and <b>carol</b> gets the first free address <b>PH_IP_CAROL1</b>
+configuration payload by using the <b>leftsourceip=PH_IP_CAROL1</b> parameter. On a first-come,
+first-served basis, <b>carol</b> gets <b>PH_IP_CAROL1</b> from the simple address pool managed
+by gateway <b>moon</b> and <b>dave</b> gets the next free address <b>PH_IP_DAVE1</b>
 from the pool. 
 <p>
 <b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass
diff --git a/testing/tests/ikev2/ip-pool-wish/evaltest.dat b/testing/tests/ikev2/ip-pool-wish/evaltest.dat
index 19e6783af..d02d422ab 100644
--- a/testing/tests/ikev2/ip-pool-wish/evaltest.dat
+++ b/testing/tests/ikev2/ip-pool-wish/evaltest.dat
@@ -9,7 +9,7 @@ dave::ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
 dave::ipsec status::home.*INSTALLED::YES
 dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
 moon::cat /var/log/daemon.log::adding virtual IP address pool::YES
-moon::cat /var/log/daemon.log::peer requested virtual IP PH_IP_DAVE1::YES
+moon::cat /var/log/daemon.log::peer requested virtual IP PH_IP_CAROL1::YES
 moon::cat /var/log/daemon.log::assigning virtual IP::YES
 moon::ipsec status::rw.*ESTABLISHED.*carol@strongswan.org::YES
 moon::ipsec status::rw.*ESTABLISHED.*dave@strongswan.org::YES
diff --git a/testing/tests/ikev2/ip-pool-wish/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ip-pool-wish/hosts/carol/etc/ipsec.conf
index 5f93b3987..c9867c7d4 100755
--- a/testing/tests/ikev2/ip-pool-wish/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/ip-pool-wish/hosts/carol/etc/ipsec.conf
@@ -14,7 +14,7 @@ conn %default
 
 conn home
 	left=PH_IP_CAROL
-	leftsourceip=PH_IP_DAVE1
+	leftsourceip=PH_IP_CAROL1
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev2/ip-pool-wish/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/ip-pool-wish/hosts/dave/etc/ipsec.conf
index b58ba5460..98dd99271 100755
--- a/testing/tests/ikev2/ip-pool-wish/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/ip-pool-wish/hosts/dave/etc/ipsec.conf
@@ -14,7 +14,7 @@ conn %default
 
 conn home
 	left=PH_IP_DAVE
-	leftsourceip=PH_IP_DAVE1
+	leftsourceip=PH_IP_CAROL1
 	leftcert=daveCert.pem
 	leftid=dave@strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev2/ip-pool-wish/pretest.dat b/testing/tests/ikev2/ip-pool-wish/pretest.dat
index 519c81a31..1f4ff286a 100644
--- a/testing/tests/ikev2/ip-pool-wish/pretest.dat
+++ b/testing/tests/ikev2/ip-pool-wish/pretest.dat
@@ -1,10 +1,10 @@
 moon::/etc/init.d/iptables start 2> /dev/null
 carol::/etc/init.d/iptables start 2> /dev/null
 dave::/etc/init.d/iptables start 2> /dev/null
-dave::ipsec start
 carol::ipsec start
+dave::ipsec start
 moon::ipsec start
-dave::sleep 2 
-dave::ipsec up home
+carol::sleep 2 
 carol::ipsec up home
+dave::ipsec up home
 dave::sleep 1
diff --git a/testing/tests/ikev2/ip-pool/evaltest.dat b/testing/tests/ikev2/ip-pool/evaltest.dat
index 15ca7426f..b130d4565 100644
--- a/testing/tests/ikev2/ip-pool/evaltest.dat
+++ b/testing/tests/ikev2/ip-pool/evaltest.dat
@@ -11,6 +11,9 @@ dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
 moon::cat /var/log/daemon.log::adding virtual IP address pool::YES
 moon::cat /var/log/daemon.log::peer requested virtual IP %any::YES
 moon::cat /var/log/daemon.log::assigning virtual IP::YES
+moon::ipsec leases rw::2/15, 2 online::YES
+moon::ipsec leases rw 10.3.0.1::carol@strongswan.org::YES
+moon::ipsec leases rw 10.3.0.2::dave@strongswan.org::YES
 moon::ipsec status::rw.*ESTABLISHED.*carol@strongswan.org::YES
 moon::ipsec status::rw.*ESTABLISHED.*dave@strongswan.org::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/ip-two-pools-db/evaltest.dat b/testing/tests/ikev2/ip-two-pools-db/evaltest.dat
index 74c967def..c2bd87c58 100644
--- a/testing/tests/ikev2/ip-two-pools-db/evaltest.dat
+++ b/testing/tests/ikev2/ip-two-pools-db/evaltest.dat
@@ -6,12 +6,12 @@ moon::ipsec status::ext.*ESTABLISHED.*carol@strongswan.org::YES
 moon::ipsec status::ext.*ESTABLISHED.*dave@strongswan.org::YES
 moon::ipsec status::int.*ESTABLISHED.*alice@strongswan.org::YES
 moon::ipsec status::int.*ESTABLISHED.*venus.strongswan.org::YES
-moon::ipsec pool --status::extpool.*10.3.0.1.*10.3.255.254.*48h.*2::YES
-moon::ipsec pool --status::intpool.*10.4.0.1.*10.4.255.254.*static.*2::YES
-moon::ipsec pool --leases --filter pool=extpool,addr=10.3.0.1,id=carol@strongswan.org::online::YES
-moon::ipsec pool --leases --filter pool=extpool,addr=10.3.0.2,id=dave@strongswan.org::online::YES
-moon::ipsec pool --leases --filter pool=intpool,addr=10.4.0.1,id=alice@strongswan.org::online::YES
-moon::ipsec pool --leases --filter pool=intpool,addr=10.4.0.2,id=venus.strongswan.org::online::YES
+moon::ipsec pool --status 2> /dev/null::extpool.*10.3.0.1.*10.3.1.244.*48h.*2::YES
+moon::ipsec pool --status 2> /dev/null::intpool.*10.4.0.1.*10.4.1.244.*static.*2::YES
+moon::ipsec pool --leases --filter pool=extpool,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES
+moon::ipsec pool --leases --filter pool=extpool,addr=10.3.0.2,id=dave@strongswan.org 2> /dev/null::online::YES
+moon::ipsec pool --leases --filter pool=intpool,addr=10.4.0.1,id=alice@strongswan.org 2> /dev/null::online::YES
+moon::ipsec pool --leases --filter pool=intpool,addr=10.4.0.2,id=venus.strongswan.org 2> /dev/null::online::YES
 carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
 dave::cat /var/log/daemon.log::installing new virtual IP 10.3.0.2::YES
 alice::cat /var/log/daemon.log::installing new virtual IP 10.4.0.1::YES
diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/strongswan.conf
index 7a9cd5311..1b5257ccc 100644
--- a/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/strongswan.conf
@@ -8,3 +8,7 @@ charon {
   }
   load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke sqlite sql kernel-netlink updown
 }
+
+pool {
+  load = sqlite
+}
diff --git a/testing/tests/ikev2/ip-two-pools-db/posttest.dat b/testing/tests/ikev2/ip-two-pools-db/posttest.dat
index 5ea5128ce..17901fa15 100644
--- a/testing/tests/ikev2/ip-two-pools-db/posttest.dat
+++ b/testing/tests/ikev2/ip-two-pools-db/posttest.dat
@@ -11,6 +11,6 @@ dave::/etc/init.d/iptables stop 2> /dev/null
 moon::ip route del 10.3.0.0/16 via PH_IP_MOON
 moon::ip route del 10.4.0.0/16 via PH_IP_MOON1
 moon::conntrack -F
-moon::ipsec pool --del extpool
-moon::ipsec pool --del intpool
+moon::ipsec pool --del extpool 2> /dev/null
+moon::ipsec pool --del intpool 2> /dev/null
 moon::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/ikev2/ip-two-pools-db/pretest.dat b/testing/tests/ikev2/ip-two-pools-db/pretest.dat
index 3870a2919..fa7c122d9 100644
--- a/testing/tests/ikev2/ip-two-pools-db/pretest.dat
+++ b/testing/tests/ikev2/ip-two-pools-db/pretest.dat
@@ -1,7 +1,7 @@
 moon::cat /etc/ipsec.d/tables.sql > /etc/ipsec.d/ipsec.sql
 moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-moon::ipsec pool --add extpool --start 10.3.0.1 --end 10.3.255.254 --timeout 48 
-moon::ipsec pool --add intpool --start 10.4.0.1 --end 10.4.255.254 --timeout  0
+moon::ipsec pool --add extpool --start 10.3.0.1 --end 10.3.1.244 --timeout 48 2> /dev/null 
+moon::ipsec pool --add intpool --start 10.4.0.1 --end 10.4.1.244 --timeout  0 2> /dev/null
 moon::ip route add 10.3.0.0/16 via PH_IP_MOON
 moon::ip route add 10.4.0.0/16 via PH_IP_MOON1
 alice::/etc/init.d/iptables start 2> /dev/null
diff --git a/testing/tests/ikev2/ip-two-pools/evaltest.dat b/testing/tests/ikev2/ip-two-pools/evaltest.dat
index 479a3ae3d..ac0a3eeb3 100644
--- a/testing/tests/ikev2/ip-two-pools/evaltest.dat
+++ b/testing/tests/ikev2/ip-two-pools/evaltest.dat
@@ -4,6 +4,10 @@ moon::ipsec status::ext.*ESTABLISHED.*carol@strongswan.org::YES
 moon::ipsec status::int.*ESTABLISHED.*alice@strongswan.org::YES
 moon::cat /var/log/daemon.log::adding virtual IP address pool.*int.*10.4.0.0/28::YES
 moon::cat /var/log/daemon.log::adding virtual IP address pool.*ext.*10.3.0.0/28::YES
+moon::ipsec leases ext::1/15, 1 online::YES
+moon::ipsec leases int::1/15, 1 online::YES
+moon::ipsec leases ext 10.3.0.1::carol@strongswan.org::YES
+moon::ipsec leases int 10.4.0.1::alice@strongswan.org::YES
 carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
 alice::cat /var/log/daemon.log::installing new virtual IP 10.4.0.1::YES
 carol::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_seq=1::YES
diff --git a/testing/tests/ikev2/mobike/hosts/alice/etc/init.d/iptables b/testing/tests/ikev2/mobike/hosts/alice/etc/init.d/iptables
index db18182a3..cf0d65c58 100755
--- a/testing/tests/ikev2/mobike/hosts/alice/etc/init.d/iptables
+++ b/testing/tests/ikev2/mobike/hosts/alice/etc/init.d/iptables
@@ -17,6 +17,10 @@ start() {
 	/sbin/iptables -P OUTPUT DROP
 	/sbin/iptables -P FORWARD DROP
 
+        # allow IPsec tunnel traffic
+        iptables -A INPUT  -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
+        iptables -A OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT
+
 	# allow esp
 	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
 	iptables -A INPUT  -i eth1 -p 50 -j ACCEPT
diff --git a/testing/tests/ikev2/mobike/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/mobike/hosts/alice/etc/ipsec.conf
index 37e92cf5b..6c87468bb 100755
--- a/testing/tests/ikev2/mobike/hosts/alice/etc/ipsec.conf
+++ b/testing/tests/ikev2/mobike/hosts/alice/etc/ipsec.conf
@@ -16,7 +16,6 @@ conn mobike
 	left=PH_IP_ALICE1
 	leftcert=aliceCert.pem
 	leftid=alice@strongswan.org
-	leftfirewall=yes
 	right=PH_IP_SUN
 	rightid=@sun.strongswan.org
 	rightsubnet=10.2.0.0/16
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-rsa/description.txt b/testing/tests/ikev2/rw-eap-mschapv2-rsa/description.txt
new file mode 100644
index 000000000..df7041a97
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-mschapv2-rsa/description.txt
@@ -0,0 +1,8 @@
+The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
+<b>carol</b> uses the <i>Extensible Authentication Protocol</i>
+in association with the <i>Microsoft CHAP version 2</i> protocol
+(<b>EAP-MSCHAPV2</b>) to authenticate against the gateway. This protocol is used
+e.g. by the Windows 7 Agile VPN client.
+In addition to her IKEv2 identity <b>PH_IP_CAROL</b>, roadwarrior <b>carol</b>
+uses the EAP identy <b>carol</b>. Gateway <b>moon</b> additionaly uses an <b>RSA signature</b>
+to authenticate itself against <b>carol</b>.
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-rsa/evaltest.dat b/testing/tests/ikev2/rw-eap-mschapv2-rsa/evaltest.dat
new file mode 100644
index 000000000..d8708d122
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-mschapv2-rsa/evaltest.dat
@@ -0,0 +1,11 @@
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+moon::cat /var/log/daemon.log::using EAP identity.*carol::YES
+moon::cat /var/log/daemon.log::authentication of 'PH_IP_CAROL' with EAP successful::YES
+moon::ipsec statusall::rw-eap.*ESTABLISHED::YES
+carol::ipsec statusall::home.*ESTABLISHED::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+
+
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-mschapv2-rsa/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..ec09a3375
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-mschapv2-rsa/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	authby=eap
+
+conn home
+	left=PH_IP_CAROL
+	leftnexthop=%direct
+	leftfirewall=yes
+	eap_identity=carol
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-rsa/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-mschapv2-rsa/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..44ba3fa25
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-mschapv2-rsa/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol : EAP "Ar3etTnp01qlpOgb"
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-mschapv2-rsa/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..26ccc84ce
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-mschapv2-rsa/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md4 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink fips-prf eapmschapv2 eapidentity updown
+}
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-mschapv2-rsa/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..57a89966a
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-mschapv2-rsa/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,26 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn rw-eap
+	authby=rsasig
+	eap=mschapv2
+	eap_identity=%identity
+	left=PH_IP_MOON
+	leftsubnet=10.1.0.0/16
+	leftid=@moon.strongswan.org
+	leftcert=moonCert.pem
+	leftfirewall=yes
+	rightid=%any
+	rightsendcert=never
+	right=%any
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-rsa/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-mschapv2-rsa/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..3868b62f4
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-mschapv2-rsa/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,5 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
+
+carol : EAP "Ar3etTnp01qlpOgb"
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-mschapv2-rsa/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..26ccc84ce
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-mschapv2-rsa/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md4 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink fips-prf eapmschapv2 eapidentity updown
+}
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-rsa/posttest.dat b/testing/tests/ikev2/rw-eap-mschapv2-rsa/posttest.dat
new file mode 100644
index 000000000..94a400606
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-mschapv2-rsa/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-rsa/pretest.dat b/testing/tests/ikev2/rw-eap-mschapv2-rsa/pretest.dat
new file mode 100644
index 000000000..ed5498bfe
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-mschapv2-rsa/pretest.dat
@@ -0,0 +1,7 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+carol::sleep 1
+carol::ipsec up home
+carol::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-rsa/test.conf b/testing/tests/ikev2/rw-eap-mschapv2-rsa/test.conf
new file mode 100644
index 000000000..2bd21499b
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-mschapv2-rsa/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice carol moon"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/pfkey/esp-alg-null/description.txt b/testing/tests/pfkey/esp-alg-null/description.txt
new file mode 100644
index 000000000..3f1b35e6c
--- /dev/null
+++ b/testing/tests/pfkey/esp-alg-null/description.txt
@@ -0,0 +1,3 @@
+Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
+<b>NULL/HMAC_SHA1_96</b> by defining <b>esp=null-sha1</b> in ipsec.conf.
+A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/pfkey/esp-alg-null/evaltest.dat b/testing/tests/pfkey/esp-alg-null/evaltest.dat
new file mode 100644
index 000000000..dc50f11e0
--- /dev/null
+++ b/testing/tests/pfkey/esp-alg-null/evaltest.dat
@@ -0,0 +1,7 @@
+moon::ipsec statusall::rw.*INSTALLED::YES
+carol::ipsec statusall::home.*INSTALLED::YES
+moon::ipsec statusall::NULL/HMAC_SHA1_96::YES
+carol::ipsec statusall::NULL/HMAC_SHA1_96::YES
+moon::ip xfrm state::enc ecb(cipher_null)::YES
+carol::ip xfrm state::enc ecb(cipher_null)::YES
+carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
diff --git a/testing/tests/pfkey/esp-alg-null/hosts/carol/etc/ipsec.conf b/testing/tests/pfkey/esp-alg-null/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..5640d74fc
--- /dev/null
+++ b/testing/tests/pfkey/esp-alg-null/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=yes
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=aes128-sha1-modp2048!
+	esp=null-sha1!
+
+conn home
+	left=PH_IP_CAROL
+	leftfirewall=yes
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add 
diff --git a/testing/tests/pfkey/esp-alg-null/hosts/carol/etc/strongswan.conf b/testing/tests/pfkey/esp-alg-null/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..db6fa7486
--- /dev/null
+++ b/testing/tests/pfkey/esp-alg-null/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-pfkey kernel-netlink updown
+}
diff --git a/testing/tests/pfkey/esp-alg-null/hosts/moon/etc/ipsec.conf b/testing/tests/pfkey/esp-alg-null/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..91f4a7c7f
--- /dev/null
+++ b/testing/tests/pfkey/esp-alg-null/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=yes
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=aes128-sha1-modp2048!
+	esp=null-sha1!
+
+conn rw
+	left=PH_IP_MOON
+	leftfirewall=yes
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	right=%any
+	auto=add
diff --git a/testing/tests/pfkey/esp-alg-null/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/esp-alg-null/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..db6fa7486
--- /dev/null
+++ b/testing/tests/pfkey/esp-alg-null/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-pfkey kernel-netlink updown
+}
diff --git a/testing/tests/pfkey/esp-alg-null/posttest.dat b/testing/tests/pfkey/esp-alg-null/posttest.dat
new file mode 100644
index 000000000..94a400606
--- /dev/null
+++ b/testing/tests/pfkey/esp-alg-null/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/pfkey/esp-alg-null/pretest.dat b/testing/tests/pfkey/esp-alg-null/pretest.dat
new file mode 100644
index 000000000..f360351e1
--- /dev/null
+++ b/testing/tests/pfkey/esp-alg-null/pretest.dat
@@ -0,0 +1,6 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+carol::sleep 1 
+carol::ipsec up home
diff --git a/testing/tests/pfkey/esp-alg-null/test.conf b/testing/tests/pfkey/esp-alg-null/test.conf
new file mode 100644
index 000000000..2b240d895
--- /dev/null
+++ b/testing/tests/pfkey/esp-alg-null/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/sql/ip-pool-db-expired/evaltest.dat b/testing/tests/sql/ip-pool-db-expired/evaltest.dat
index 91dd9dff6..9633fde10 100644
--- a/testing/tests/sql/ip-pool-db-expired/evaltest.dat
+++ b/testing/tests/sql/ip-pool-db-expired/evaltest.dat
@@ -11,9 +11,9 @@ dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
 moon::cat /var/log/daemon.log::peer requested virtual IP %any::YES
 moon::cat /var/log/daemon.log::acquired new lease for address.*in pool.*bigpool::YES
 moon::cat /var/log/daemon.log::assigning virtual IP::YES
-moon::ipsec pool --status::bigpool.*10.3.0.1.*10.3.0.6.*1h.*2::YES
-moon::ipsec pool --leases --filter pool=bigpool,addr=10.3.0.1,id=carol@strongswan.org::online::YES
-moon::ipsec pool --leases --filter pool=bigpool,addr=10.3.0.2,id=dave@strongswan.org::online::YES
+moon::ipsec pool --status 2> /dev/null::bigpool.*10.3.0.1.*10.3.0.6.*1h.*2::YES
+moon::ipsec pool --leases --filter pool=bigpool,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES
+moon::ipsec pool --leases --filter pool=bigpool,addr=10.3.0.2,id=dave@strongswan.org 2> /dev/null::online::YES
 moon::ipsec status::rw.*ESTABLISHED.*carol@strongswan.org::YES
 moon::ipsec status::rw.*ESTABLISHED.*dave@strongswan.org::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/strongswan.conf
index 29e2395e8..a747a6cb1 100644
--- a/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/strongswan.conf
@@ -8,3 +8,7 @@ charon {
   }
   load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown sqlite sql
 }
+
+pool {
+  load = sqlite
+}
diff --git a/testing/tests/sql/ip-pool-db-expired/pretest.dat b/testing/tests/sql/ip-pool-db-expired/pretest.dat
index c83449eaf..4df33509f 100644
--- a/testing/tests/sql/ip-pool-db-expired/pretest.dat
+++ b/testing/tests/sql/ip-pool-db-expired/pretest.dat
@@ -7,7 +7,7 @@ dave::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
 moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-moon::ipsec pool --leases
+moon::ipsec pool --leases 2> /dev/null
 moon::/etc/init.d/iptables start 2> /dev/null
 carol::/etc/init.d/iptables start 2> /dev/null
 dave::/etc/init.d/iptables start 2> /dev/null
diff --git a/testing/tests/sql/ip-pool-db-restart/evaltest.dat b/testing/tests/sql/ip-pool-db-restart/evaltest.dat
index 7a33cb6ba..f4c713c9f 100644
--- a/testing/tests/sql/ip-pool-db-restart/evaltest.dat
+++ b/testing/tests/sql/ip-pool-db-restart/evaltest.dat
@@ -11,9 +11,9 @@ dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
 moon::cat /var/log/daemon.log::peer requested virtual IP %any::YES
 moon::cat /var/log/daemon.log::acquired existing lease for address.*in pool.*bigpool::YES
 moon::cat /var/log/daemon.log::assigning virtual IP::YES
-moon::ipsec pool --status::bigpool.*10.3.0.1.*10.3.0.6.*static.*2::YES
-moon::ipsec pool --leases --filter pool=bigpool,addr=10.3.0.1,id=carol@strongswan.org::online::YES
-moon::ipsec pool --leases --filter pool=bigpool,addr=10.3.0.2,id=dave@strongswan.org::online::YES
+moon::ipsec pool --status 2> /dev/null::bigpool.*10.3.0.1.*10.3.0.6.*static.*2::YES
+moon::ipsec pool --leases --filter pool=bigpool,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES
+moon::ipsec pool --leases --filter pool=bigpool,addr=10.3.0.2,id=dave@strongswan.org 2> /dev/null::online::YES
 moon::ipsec status::rw.*ESTABLISHED.*carol@strongswan.org::YES
 moon::ipsec status::rw.*ESTABLISHED.*dave@strongswan.org::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/strongswan.conf
index 29e2395e8..a747a6cb1 100644
--- a/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/strongswan.conf
@@ -8,3 +8,7 @@ charon {
   }
   load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown sqlite sql
 }
+
+pool {
+  load = sqlite
+}
diff --git a/testing/tests/sql/ip-pool-db-restart/pretest.dat b/testing/tests/sql/ip-pool-db-restart/pretest.dat
index 4ecf6347a..1d64321b5 100644
--- a/testing/tests/sql/ip-pool-db-restart/pretest.dat
+++ b/testing/tests/sql/ip-pool-db-restart/pretest.dat
@@ -7,7 +7,7 @@ dave::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
 moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-moon::ipsec pool --leases
+moon::ipsec pool --leases 2> /dev/null
 moon::/etc/init.d/iptables start 2> /dev/null
 carol::/etc/init.d/iptables start 2> /dev/null
 dave::/etc/init.d/iptables start 2> /dev/null
diff --git a/testing/tests/sql/ip-pool-db/evaltest.dat b/testing/tests/sql/ip-pool-db/evaltest.dat
index 0aeeff9c8..49051ed22 100644
--- a/testing/tests/sql/ip-pool-db/evaltest.dat
+++ b/testing/tests/sql/ip-pool-db/evaltest.dat
@@ -11,9 +11,9 @@ dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
 moon::cat /var/log/daemon.log::peer requested virtual IP %any::YES
 moon::cat /var/log/daemon.log::acquired new lease for address.*in pool.*bigpool::YES
 moon::cat /var/log/daemon.log::assigning virtual IP::YES
-moon::ipsec pool --status::bigpool.*10.3.0.1.*10.3.0.6.*static.*2::YES
-moon::ipsec pool --leases --filter pool=bigpool,addr=10.3.0.1,id=carol@strongswan.org::online::YES
-moon::ipsec pool --leases --filter pool=bigpool,addr=10.3.0.2,id=dave@strongswan.org::online::YES
+moon::ipsec pool --status 2> /dev/null::bigpool.*10.3.0.1.*10.3.0.6.*static.*2::YES
+moon::ipsec pool --leases --filter pool=bigpool,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES
+moon::ipsec pool --leases --filter pool=bigpool,addr=10.3.0.2,id=dave@strongswan.org 2> /dev/null::online::YES
 moon::ipsec status::rw.*ESTABLISHED.*carol@strongswan.org::YES
 moon::ipsec status::rw.*ESTABLISHED.*dave@strongswan.org::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/sql/ip-pool-db/hosts/moon/etc/strongswan.conf b/testing/tests/sql/ip-pool-db/hosts/moon/etc/strongswan.conf
index 29e2395e8..a747a6cb1 100644
--- a/testing/tests/sql/ip-pool-db/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/ip-pool-db/hosts/moon/etc/strongswan.conf
@@ -8,3 +8,7 @@ charon {
   }
   load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown sqlite sql
 }
+
+pool {
+  load = sqlite
+}
-- 
cgit v1.2.3


From 7a229aeb240cc750546f55ad089022f0ca7dc44f Mon Sep 17 00:00:00 2001
From: Rene Mayrhofer <rene@mayrhofer.eu.org>
Date: Sun, 22 Mar 2009 09:52:39 +0000
Subject: [svn-upgrade] Integrating new upstream version, strongswan (4.2.13)

---
 NEWS                                               |  17 +-
 configure                                          | 227 ++++++++++--
 configure.in                                       |  11 +-
 src/charon/config/attributes/attribute_manager.c   |  16 +-
 src/charon/config/proposal.c                       |  64 ++--
 src/charon/config/proposal.h                       |   7 +-
 src/charon/config/traffic_selector.c               |  59 +---
 src/charon/config/traffic_selector.h               |   7 +-
 src/charon/credentials/credential_manager.c        |  18 +-
 src/charon/daemon.c                                |  10 +-
 src/charon/plugins/eap_mschapv2/eap_mschapv2.c     |   4 +-
 src/charon/plugins/nm/nm_service.c                 |  80 +++--
 src/charon/plugins/sql/pool.c                      |   4 +-
 src/charon/plugins/sql/sql_attribute.c             |   2 +-
 src/charon/plugins/stroke/stroke_attribute.c       |   1 +
 src/charon/plugins/stroke/stroke_cred.c            |   7 +-
 src/charon/plugins/stroke/stroke_list.c            |  42 ++-
 src/charon/sa/ike_sa.c                             |  11 +-
 src/libstrongswan/Makefile.am                      |   4 +
 src/libstrongswan/Makefile.in                      |  62 ++--
 src/libstrongswan/asn1/asn1.c                      |  19 +-
 src/libstrongswan/chunk.c                          |  43 +--
 src/libstrongswan/chunk.h                          |  10 +-
 src/libstrongswan/enum.c                           |  38 +-
 src/libstrongswan/enum.h                           |  13 +-
 src/libstrongswan/library.c                        |  28 +-
 src/libstrongswan/library.h                        |   4 +-
 src/libstrongswan/plugins/des/des_crypter.c        |  14 +-
 src/libstrongswan/plugins/x509/x509_ac.c           |   2 +-
 src/libstrongswan/plugins/x509/x509_cert.c         |   4 +-
 src/libstrongswan/plugins/x509/x509_crl.c          |   4 +-
 .../plugins/x509/x509_ocsp_response.c              |   6 +-
 src/libstrongswan/printf_hook.c                    | 381 ++++++++++++++++++++-
 src/libstrongswan/printf_hook.h                    | 107 +++++-
 src/libstrongswan/utils.c                          | 152 ++------
 src/libstrongswan/utils.h                          |  23 +-
 src/libstrongswan/utils/hashtable.c                |   6 +-
 src/libstrongswan/utils/host.c                     |  67 ++--
 src/libstrongswan/utils/host.h                     |   9 +-
 src/libstrongswan/utils/identification.c           |  40 +--
 src/libstrongswan/utils/identification.h           |  13 +-
 src/libstrongswan/utils/leak_detective.c           |   3 +-
 src/libstrongswan/utils/linked_list.c              |  12 +-
 src/pluto/asn1.c                                   |  16 +-
 src/pluto/connections.c                            |   4 +-
 src/pluto/ipsec_doi.c                              |  21 +-
 src/pluto/state.c                                  |  11 +-
 src/pluto/vendor.c                                 |   5 +-
 src/pluto/vendor.h                                 |   3 +-
 testing/INSTALL                                    |   6 +-
 testing/testing.conf                               |   6 +-
 testing/tests/ikev1/dpd-restart/description.txt    |  13 +
 testing/tests/ikev1/dpd-restart/evaltest.dat       |  10 +
 .../ikev1/dpd-restart/hosts/carol/etc/ipsec.conf   |  25 ++
 .../ikev1/dpd-restart/hosts/moon/etc/ipsec.conf    |  29 ++
 testing/tests/ikev1/dpd-restart/posttest.dat       |   5 +
 testing/tests/ikev1/dpd-restart/pretest.dat        |   5 +
 testing/tests/ikev1/dpd-restart/test.conf          |  21 ++
 testing/tests/ikev2/ip-pool-db/description.txt     |   2 +-
 .../tests/ikev2/ip-two-pools-db/description.txt    |   4 +-
 .../tests/ikev2/ip-two-pools-mixed/description.txt |   9 +
 .../tests/ikev2/ip-two-pools-mixed/evaltest.dat    |  17 +
 .../hosts/alice/etc/init.d/iptables                |  78 +++++
 .../ip-two-pools-mixed/hosts/alice/etc/ipsec.conf  |  23 ++
 .../hosts/alice/etc/strongswan.conf                |   5 +
 .../ip-two-pools-mixed/hosts/carol/etc/ipsec.conf  |  23 ++
 .../hosts/carol/etc/strongswan.conf                |   5 +
 .../hosts/moon/etc/init.d/iptables                 |  91 +++++
 .../ip-two-pools-mixed/hosts/moon/etc/ipsec.conf   |  27 ++
 .../hosts/moon/etc/strongswan.conf                 |  14 +
 .../tests/ikev2/ip-two-pools-mixed/posttest.dat    |   9 +
 testing/tests/ikev2/ip-two-pools-mixed/pretest.dat |  13 +
 testing/tests/ikev2/ip-two-pools-mixed/test.conf   |  21 ++
 73 files changed, 1553 insertions(+), 619 deletions(-)
 create mode 100644 testing/tests/ikev1/dpd-restart/description.txt
 create mode 100644 testing/tests/ikev1/dpd-restart/evaltest.dat
 create mode 100755 testing/tests/ikev1/dpd-restart/hosts/carol/etc/ipsec.conf
 create mode 100755 testing/tests/ikev1/dpd-restart/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev1/dpd-restart/posttest.dat
 create mode 100644 testing/tests/ikev1/dpd-restart/pretest.dat
 create mode 100644 testing/tests/ikev1/dpd-restart/test.conf
 create mode 100644 testing/tests/ikev2/ip-two-pools-mixed/description.txt
 create mode 100644 testing/tests/ikev2/ip-two-pools-mixed/evaltest.dat
 create mode 100755 testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/init.d/iptables
 create mode 100755 testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/ip-two-pools-mixed/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/ip-two-pools-mixed/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/init.d/iptables
 create mode 100755 testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/ip-two-pools-mixed/posttest.dat
 create mode 100644 testing/tests/ikev2/ip-two-pools-mixed/pretest.dat
 create mode 100644 testing/tests/ikev2/ip-two-pools-mixed/test.conf

(limited to 'src/libstrongswan/plugins')

diff --git a/NEWS b/NEWS
index 73bec5e27..4709b07df 100644
--- a/NEWS
+++ b/NEWS
@@ -1,5 +1,20 @@
+strongswan-4.2.13
+-----------------
+
+- Fixed a use-after-free bug in the DPD timeout section of the
+  IKEv1 pluto daemon which sporadically caused a segfault.
+
+- Fixed a crash in the IKEv2 charon daemon occuring with
+  mixed RAM-based and SQL-based virtual IP address pools. 
+
+- Fixed ASN.1 parsing of algorithmIdentifier objects where the
+  parameters field is optional.
+
+- Ported nm plugin to NetworkManager 7.1.
+
+
 strongswan-4.2.12
-'----------------
+-----------------
 
 - Support of the EAP-MSCHAPv2 protocol enabled by the option
   --enable-eap-mschapv2. Requires the MD4 hash algorithm enabled
diff --git a/configure b/configure
index 6c018dc76..59692f4a3 100755
--- a/configure
+++ b/configure
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.61 for strongSwan 4.2.12.
+# Generated by GNU Autoconf 2.61 for strongSwan 4.2.13.
 #
 # Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
 # 2002, 2003, 2004, 2005, 2006 Free Software Foundation, Inc.
@@ -721,8 +721,8 @@ SHELL=${CONFIG_SHELL-/bin/sh}
 # Identity of this package.
 PACKAGE_NAME='strongSwan'
 PACKAGE_TARNAME='strongswan'
-PACKAGE_VERSION='4.2.12'
-PACKAGE_STRING='strongSwan 4.2.12'
+PACKAGE_VERSION='4.2.13'
+PACKAGE_STRING='strongSwan 4.2.13'
 PACKAGE_BUGREPORT=''
 
 # Factoring default headers for most tests.
@@ -1011,6 +1011,8 @@ USE_LIBSTRONGSWAN_TRUE
 USE_LIBSTRONGSWAN_FALSE
 USE_FILE_CONFIG_TRUE
 USE_FILE_CONFIG_FALSE
+USE_VSTR_TRUE
+USE_VSTR_FALSE
 LIBOBJS
 LTLIBOBJS'
 ac_subst_files=''
@@ -1534,7 +1536,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures strongSwan 4.2.12 to adapt to many kinds of systems.
+\`configure' configures strongSwan 4.2.13 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1604,7 +1606,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of strongSwan 4.2.12:";;
+     short | recursive ) echo "Configuration of strongSwan 4.2.13:";;
    esac
   cat <<\_ACEOF
 
@@ -1854,7 +1856,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-strongSwan configure 4.2.12
+strongSwan configure 4.2.13
 generated by GNU Autoconf 2.61
 
 Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
@@ -1868,7 +1870,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by strongSwan $as_me 4.2.12, which was
+It was created by strongSwan $as_me 4.2.13, which was
 generated by GNU Autoconf 2.61.  Invocation command line was
 
   $ $0 $@
@@ -2558,7 +2560,7 @@ fi
 
 # Define the identity of the package.
  PACKAGE='strongswan'
- VERSION='4.2.12'
+ VERSION='4.2.13'
 
 
 cat >>confdefs.h <<_ACEOF
@@ -6396,13 +6398,13 @@ if test "${lt_cv_nm_interface+set}" = set; then
 else
   lt_cv_nm_interface="BSD nm"
   echo "int some_variable = 0;" > conftest.$ac_ext
-  (eval echo "\"\$as_me:6399: $ac_compile\"" >&5)
+  (eval echo "\"\$as_me:6401: $ac_compile\"" >&5)
   (eval "$ac_compile" 2>conftest.err)
   cat conftest.err >&5
-  (eval echo "\"\$as_me:6402: $NM \\\"conftest.$ac_objext\\\"\"" >&5)
+  (eval echo "\"\$as_me:6404: $NM \\\"conftest.$ac_objext\\\"\"" >&5)
   (eval "$NM \"conftest.$ac_objext\"" 2>conftest.err > conftest.out)
   cat conftest.err >&5
-  (eval echo "\"\$as_me:6405: output\"" >&5)
+  (eval echo "\"\$as_me:6407: output\"" >&5)
   cat conftest.out >&5
   if $GREP 'External.*some_variable' conftest.out > /dev/null; then
     lt_cv_nm_interface="MS dumpbin"
@@ -7512,7 +7514,7 @@ ia64-*-hpux*)
   ;;
 *-*-irix6*)
   # Find out which ABI we are using.
-  echo '#line 7515 "configure"' > conftest.$ac_ext
+  echo '#line 7517 "configure"' > conftest.$ac_ext
   if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
   (eval $ac_compile) 2>&5
   ac_status=$?
@@ -8885,11 +8887,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:8888: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:8890: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:8892: \$? = $ac_status" >&5
+   echo "$as_me:8894: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -9209,11 +9211,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:9212: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:9214: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:9216: \$? = $ac_status" >&5
+   echo "$as_me:9218: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -9314,11 +9316,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:9317: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:9319: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:9321: \$? = $ac_status" >&5
+   echo "$as_me:9323: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -9369,11 +9371,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:9372: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:9374: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:9376: \$? = $ac_status" >&5
+   echo "$as_me:9378: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -12130,7 +12132,7 @@ else
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext <<_LT_EOF
-#line 12133 "configure"
+#line 12135 "configure"
 #include "confdefs.h"
 
 #if HAVE_DLFCN_H
@@ -12230,7 +12232,7 @@ else
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext <<_LT_EOF
-#line 12233 "configure"
+#line 12235 "configure"
 #include "confdefs.h"
 
 #if HAVE_DLFCN_H
@@ -13919,6 +13921,164 @@ fi
 
 
 
+{ echo "$as_me:$LINENO: checking for register_printf_function" >&5
+echo $ECHO_N "checking for register_printf_function... $ECHO_C" >&6; }
+if test "${ac_cv_func_register_printf_function+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+/* Define register_printf_function to an innocuous variant, in case <limits.h> declares register_printf_function.
+   For example, HP-UX 11i <limits.h> declares gettimeofday.  */
+#define register_printf_function innocuous_register_printf_function
+
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char register_printf_function (); below.
+    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+    <limits.h> exists even on freestanding compilers.  */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef register_printf_function
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char register_printf_function ();
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined __stub_register_printf_function || defined __stub___register_printf_function
+choke me
+#endif
+
+int
+main ()
+{
+return register_printf_function ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+  ac_cv_func_register_printf_function=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	ac_cv_func_register_printf_function=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_func_register_printf_function" >&5
+echo "${ECHO_T}$ac_cv_func_register_printf_function" >&6; }
+if test $ac_cv_func_register_printf_function = yes; then
+  cat >>confdefs.h <<\_ACEOF
+#define HAVE_PRINTF_HOOKS 1
+_ACEOF
+
+else
+
+		{ echo "$as_me:$LINENO: printf does not support custom format specifiers!" >&5
+echo "$as_me: printf does not support custom format specifiers!" >&6;}
+		{ echo "$as_me:$LINENO: checking for main in -lvstr" >&5
+echo $ECHO_N "checking for main in -lvstr... $ECHO_C" >&6; }
+if test "${ac_cv_lib_vstr_main+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lvstr  $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+
+
+int
+main ()
+{
+return main ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+  ac_cv_lib_vstr_main=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	ac_cv_lib_vstr_main=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_vstr_main" >&5
+echo "${ECHO_T}$ac_cv_lib_vstr_main" >&6; }
+if test $ac_cv_lib_vstr_main = yes; then
+  LIBS="$LIBS"; vstr=true
+else
+  { { echo "$as_me:$LINENO: error: Vstr string library not found" >&5
+echo "$as_me: error: Vstr string library not found" >&2;}
+   { (exit 1); exit 1; }; }
+fi
+ac_cv_lib_vstr=ac_cv_lib_vstr_main
+
+
+fi
+
+
 if test x$gmp = xtrue; then
 	{ echo "$as_me:$LINENO: checking for main in -lgmp" >&5
 echo $ECHO_N "checking for main in -lgmp... $ECHO_C" >&6; }
@@ -17102,6 +17262,14 @@ else
   USE_FILE_CONFIG_FALSE=
 fi
 
+ if test x$vstr = xtrue; then
+  USE_VSTR_TRUE=
+  USE_VSTR_FALSE='#'
+else
+  USE_VSTR_TRUE='#'
+  USE_VSTR_FALSE=
+fi
+
 
 
 if test x$me = xtrue; then
@@ -17687,6 +17855,13 @@ echo "$as_me: error: conditional \"USE_FILE_CONFIG\" was never defined.
 Usually this means the macro was only invoked conditionally." >&2;}
    { (exit 1); exit 1; }; }
 fi
+if test -z "${USE_VSTR_TRUE}" && test -z "${USE_VSTR_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"USE_VSTR\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"USE_VSTR\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
+fi
 
 : ${CONFIG_STATUS=./config.status}
 ac_clean_files_save=$ac_clean_files
@@ -17987,7 +18162,7 @@ exec 6>&1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by strongSwan $as_me 4.2.12, which was
+This file was extended by strongSwan $as_me 4.2.13, which was
 generated by GNU Autoconf 2.61.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -18034,7 +18209,7 @@ Report bugs to <bug-autoconf@gnu.org>."
 _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF
 ac_cs_version="\\
-strongSwan config.status 4.2.12
+strongSwan config.status 4.2.13
 configured by $0, generated by GNU Autoconf 2.61,
   with options \\"`echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`\\"
 
@@ -18851,11 +19026,13 @@ USE_LIBSTRONGSWAN_TRUE!$USE_LIBSTRONGSWAN_TRUE$ac_delim
 USE_LIBSTRONGSWAN_FALSE!$USE_LIBSTRONGSWAN_FALSE$ac_delim
 USE_FILE_CONFIG_TRUE!$USE_FILE_CONFIG_TRUE$ac_delim
 USE_FILE_CONFIG_FALSE!$USE_FILE_CONFIG_FALSE$ac_delim
+USE_VSTR_TRUE!$USE_VSTR_TRUE$ac_delim
+USE_VSTR_FALSE!$USE_VSTR_FALSE$ac_delim
 LIBOBJS!$LIBOBJS$ac_delim
 LTLIBOBJS!$LTLIBOBJS$ac_delim
 _ACEOF
 
-  if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 58; then
+  if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 60; then
     break
   elif $ac_last_try; then
     { { echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5
diff --git a/configure.in b/configure.in
index b0405130e..81909c078 100644
--- a/configure.in
+++ b/configure.in
@@ -16,7 +16,7 @@ dnl ===========================
 dnl  initialize & set some vars
 dnl ===========================
 
-AC_INIT(strongSwan,4.2.12)
+AC_INIT(strongSwan,4.2.13)
 AM_INIT_AUTOMAKE(tar-ustar)
 AC_C_BIGENDIAN
 AC_SUBST(confdir, '${sysconfdir}')
@@ -740,6 +740,14 @@ AC_TRY_RUN(
 [AC_MSG_RESULT([no])],
 [AC_MSG_RESULT([no])])
 
+AC_CHECK_FUNC(
+	[register_printf_function],
+	[AC_DEFINE(HAVE_PRINTF_HOOKS)],
+	[
+		AC_MSG_NOTICE([printf does not support custom format specifiers!])
+		AC_HAVE_LIBRARY([vstr],[LIBS="$LIBS"]; vstr=true,[AC_MSG_ERROR([Vstr string library not found])])
+	])
+
 if test x$gmp = xtrue; then
 	AC_HAVE_LIBRARY([gmp],[LIBS="$LIBS"],[AC_MSG_ERROR([GNU Multi Precision library gmp not found])])
 	AC_MSG_CHECKING([gmp.h version >= 4.1.4])
@@ -981,6 +989,7 @@ AM_CONDITIONAL(USE_CHARON, test x$charon = xtrue)
 AM_CONDITIONAL(USE_TOOLS, test x$tools = xtrue)
 AM_CONDITIONAL(USE_LIBSTRONGSWAN, test x$charon = xtrue -o x$tools = xtrue)
 AM_CONDITIONAL(USE_FILE_CONFIG, test x$pluto = xtrue -o x$stroke = xtrue)
+AM_CONDITIONAL(USE_VSTR, test x$vstr = xtrue)
 
 dnl ==============================
 dnl  set global definitions
diff --git a/src/charon/config/attributes/attribute_manager.c b/src/charon/config/attributes/attribute_manager.c
index b919c4261..a069c954a 100644
--- a/src/charon/config/attributes/attribute_manager.c
+++ b/src/charon/config/attributes/attribute_manager.c
@@ -17,6 +17,7 @@
 
 #include "attribute_manager.h"
 
+#include <daemon.h>
 #include <utils/linked_list.h>
 #include <utils/mutex.h>
 
@@ -53,7 +54,7 @@ static host_t* acquire_address(private_attribute_manager_t *this,
 	enumerator_t *enumerator;
 	attribute_provider_t *current;
 	host_t *host = NULL;
-
+	
 	this->lock->read_lock(this->lock);
 	enumerator = this->providers->create_enumerator(this->providers);
 	while (enumerator->enumerate(enumerator, &current))
@@ -67,6 +68,10 @@ static host_t* acquire_address(private_attribute_manager_t *this,
 	enumerator->destroy(enumerator);
 	this->lock->unlock(this->lock);
 	
+	if (!host)
+	{
+		DBG1(DBG_CFG, "acquiring address from pool '%s' failed", pool);
+	}
 	return host;
 }
 
@@ -78,18 +83,25 @@ static void release_address(private_attribute_manager_t *this,
 {
 	enumerator_t *enumerator;
 	attribute_provider_t *current;
-
+	bool found = FALSE;
+	
 	this->lock->read_lock(this->lock);
 	enumerator = this->providers->create_enumerator(this->providers);
 	while (enumerator->enumerate(enumerator, &current))
 	{
 		if (current->release_address(current, pool, address, id))
 		{
+			found = TRUE;
 			break;
 		}
 	}
 	enumerator->destroy(enumerator);
 	this->lock->unlock(this->lock);
+	
+	if (!found)
+	{
+		DBG1(DBG_CFG, "releasing address to pool '%s' failed", pool);
+	}
 }
 
 /**
diff --git a/src/charon/config/proposal.c b/src/charon/config/proposal.c
index 8fcbdc960..92ef34b75 100644
--- a/src/charon/config/proposal.c
+++ b/src/charon/config/proposal.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2008-2009 Tobias Brunner
  * Copyright (C) 2006 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: proposal.c 4685 2008-11-22 16:14:55Z martin $
+ * $Id: proposal.c 4936 2009-03-12 18:07:32Z tobias $
  */
 
 #include <string.h>
@@ -803,10 +803,10 @@ static status_t add_string_algo(private_proposal_t *this, chunk_t alg)
 }
 
 /**
- * print all algorithms of a kind to stream
+ * print all algorithms of a kind to buffer
  */
-static int print_alg(private_proposal_t *this, FILE *stream, u_int kind,
-					 void *names, bool *first)
+static int print_alg(private_proposal_t *this, char **dst, int *len,
+					 u_int kind, void *names, bool *first)
 {
 	enumerator_t *enumerator;
 	size_t written = 0;
@@ -817,16 +817,16 @@ static int print_alg(private_proposal_t *this, FILE *stream, u_int kind,
 	{
 		if (*first)
 		{
-			written += fprintf(stream, "%N", names, alg);
+			written += print_in_hook(*dst, *len, "%N", names, alg);
 			*first = FALSE;
 		}
 		else
 		{
-			written += fprintf(stream, "/%N", names, alg);
+			written += print_in_hook(*dst, *len, "/%N", names, alg);
 		}
 		if (size)
 		{
-			written += fprintf(stream, "-%d", size);
+			written += print_in_hook(*dst, *len, "-%d", size);
 		}
 	}
 	enumerator->destroy(enumerator);
@@ -834,10 +834,10 @@ static int print_alg(private_proposal_t *this, FILE *stream, u_int kind,
 }
 
 /**
- * output handler in printf()
+ * Described in header.
  */
-static int print(FILE *stream, const struct printf_info *info,
-				 const void *const *args)
+int proposal_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
+						 const void *const *args)
 {
 	private_proposal_t *this = *((private_proposal_t**)(args[0]));
 	linked_list_t *list = *((linked_list_t**)(args[0]));
@@ -847,64 +847,42 @@ static int print(FILE *stream, const struct printf_info *info,
 	
 	if (this == NULL)
 	{
-		return fprintf(stream, "(null)");
+		return print_in_hook(dst, len, "(null)");
 	}
 	
-	if (info->alt)
+	if (spec->hash)
 	{
 		enumerator = list->create_enumerator(list);
 		while (enumerator->enumerate(enumerator, &this))
 		{	/* call recursivly */
 			if (first)
 			{
-				written += fprintf(stream, "%P", this);
+				written += print_in_hook(dst, len, "%P", this);
 				first = FALSE;
 			}
 			else
 			{
-				written += fprintf(stream, ", %P", this);
+				written += print_in_hook(dst, len, ", %P", this);
 			}
 		}
 		enumerator->destroy(enumerator);
 		return written;
 	}
 	
-	written = fprintf(stream, "%N:", protocol_id_names, this->protocol);
-	written += print_alg(this, stream, ENCRYPTION_ALGORITHM,
+	written = print_in_hook(dst, len, "%N:", protocol_id_names, this->protocol);
+	written += print_alg(this, &dst, &len, ENCRYPTION_ALGORITHM,
 						 encryption_algorithm_names, &first);
-	written += print_alg(this, stream, INTEGRITY_ALGORITHM,
+	written += print_alg(this, &dst, &len, INTEGRITY_ALGORITHM,
 						 integrity_algorithm_names, &first);
-	written += print_alg(this, stream, PSEUDO_RANDOM_FUNCTION,
+	written += print_alg(this, &dst, &len, PSEUDO_RANDOM_FUNCTION,
 						 pseudo_random_function_names, &first);
-	written += print_alg(this, stream, DIFFIE_HELLMAN_GROUP,
+	written += print_alg(this, &dst, &len, DIFFIE_HELLMAN_GROUP,
 						 diffie_hellman_group_names, &first);
-	written += print_alg(this, stream, EXTENDED_SEQUENCE_NUMBERS,
+	written += print_alg(this, &dst, &len, EXTENDED_SEQUENCE_NUMBERS,
 						 extended_sequence_numbers_names, &first);
 	return written;
 }
 
-/**
- * arginfo handler for printf() proposal
- */
-static int arginfo(const struct printf_info *info, size_t n, int *argtypes)
-{
-	if (n > 0)
-	{
-		argtypes[0] = PA_POINTER;
-	}
-	return 1;
-}
-
-/**
- * return printf hook functions for a proposal
- */
-printf_hook_functions_t proposal_get_printf_hooks()
-{
-	printf_hook_functions_t hooks = {print, arginfo};
-	
-	return hooks;
-}
-
 /**
  * Implements proposal_t.destroy.
  */
diff --git a/src/charon/config/proposal.h b/src/charon/config/proposal.h
index fb7dc9dfa..ea01120f9 100644
--- a/src/charon/config/proposal.h
+++ b/src/charon/config/proposal.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: proposal.h 4062 2008-06-12 11:42:19Z martin $
+ * $Id: proposal.h 4936 2009-03-12 18:07:32Z tobias $
  */
 
 /**
@@ -233,13 +233,14 @@ proposal_t *proposal_create_default(protocol_id_t protocol);
 proposal_t *proposal_create_from_string(protocol_id_t protocol, const char *algs);
 
 /**
- * Get printf hooks for a proposal.
+ * printf hook function for proposal_t.
  *
  * Arguments are: 
  *    proposal_t *proposal
  * With the #-specifier, arguments are:
  *    linked_list_t *list containing proposal_t*
  */
-printf_hook_functions_t proposal_get_printf_hooks();
+int proposal_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
+						 const void *const *args);
 
 #endif /* PROPOSAL_H_ @} */
diff --git a/src/charon/config/traffic_selector.c b/src/charon/config/traffic_selector.c
index 7442fc7ef..b3bab900d 100644
--- a/src/charon/config/traffic_selector.c
+++ b/src/charon/config/traffic_selector.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2007 Tobias Brunner
+ * Copyright (C) 2007-2009 Tobias Brunner
  * Copyright (C) 2005-2007 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
@@ -14,14 +14,13 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: traffic_selector.c 4860 2009-02-11 13:09:52Z martin $
+ * $Id: traffic_selector.c 4936 2009-03-12 18:07:32Z tobias $
  */
 
 #include <arpa/inet.h>
 #include <string.h>
 #include <netdb.h>
 #include <stdio.h>
-#include <printf.h>
 
 #include "traffic_selector.h"
 
@@ -157,10 +156,10 @@ static u_int8_t calc_netbits(private_traffic_selector_t *this)
 static private_traffic_selector_t *traffic_selector_create(u_int8_t protocol, ts_type_t type, u_int16_t from_port, u_int16_t to_port);
 
 /**
- * output handler in printf()
+ * Described in header.
  */
-static int print(FILE *stream, const struct printf_info *info,
-				 const void *const *args)
+int traffic_selector_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
+								 const void *const *args)
 {
 	private_traffic_selector_t *this = *((private_traffic_selector_t**)(args[0]));
 	linked_list_t *list = *((linked_list_t**)(args[0]));
@@ -175,16 +174,16 @@ static int print(FILE *stream, const struct printf_info *info,
 	
 	if (this == NULL)
 	{
-		return fprintf(stream, "(null)");
+		return print_in_hook(dst, len, "(null)");
 	}
 	
-	if (info->alt)
+	if (spec->hash)
 	{
 		iterator = list->create_iterator(list, TRUE);
 		while (iterator->iterate(iterator, (void**)&this))
 		{
 			/* call recursivly */
-			written += fprintf(stream, "%R ", this);
+			written += print_in_hook(dst, len, "%R ", this);
 		}
 		iterator->destroy(iterator);
 		return written;
@@ -196,7 +195,7 @@ static int print(FILE *stream, const struct printf_info *info,
 		memeq(this->from, from, this->type == TS_IPV4_ADDR_RANGE ? 4 : 16) && 
 		memeq(this->to, to, this->type == TS_IPV4_ADDR_RANGE ? 4 : 16))
 	{
-		written += fprintf(stream, "dynamic");
+		written += print_in_hook(dst, len, "dynamic");
 	}
 	else
 	{
@@ -209,7 +208,7 @@ static int print(FILE *stream, const struct printf_info *info,
 			inet_ntop(AF_INET6, &this->from6, addr_str, sizeof(addr_str));
 		}
 		mask = calc_netbits(this);
-		written += fprintf(stream, "%s/%d", addr_str, mask);
+		written += print_in_hook(dst, len, "%s/%d", addr_str, mask);
 	}
 	
 	/* check if we have protocol and/or port selectors */
@@ -221,7 +220,7 @@ static int print(FILE *stream, const struct printf_info *info,
 		return written;
 	}
 
-	written += fprintf(stream, "[");
+	written += print_in_hook(dst, len, "[");
 
 	/* build protocol string */
 	if (has_proto)
@@ -230,18 +229,18 @@ static int print(FILE *stream, const struct printf_info *info,
 
 		if (proto)
 		{
-			written += fprintf(stream, "%s", proto->p_name);
+			written += print_in_hook(dst, len, "%s", proto->p_name);
 			serv_proto = proto->p_name;
 		}
 		else
 		{
-			written += fprintf(stream, "%d", this->protocol);
+			written += print_in_hook(dst, len, "%d", this->protocol);
 		}
 	}
 	
 	if (has_proto && has_ports)
 	{
-		written += fprintf(stream, "/");
+		written += print_in_hook(dst, len, "/");
 	}
 
 	/* build port string */
@@ -253,46 +252,24 @@ static int print(FILE *stream, const struct printf_info *info,
 
 			if (serv)
 			{
-				written += fprintf(stream, "%s", serv->s_name);
+				written += print_in_hook(dst, len, "%s", serv->s_name);
 			}
 			else
 			{
-				written += fprintf(stream, "%d", this->from_port);
+				written += print_in_hook(dst, len, "%d", this->from_port);
 			}
 		}
 		else
 		{
-			written += fprintf(stream, "%d-%d", this->from_port, this->to_port);
+			written += print_in_hook(dst, len, "%d-%d", this->from_port, this->to_port);
 		}
 	}
 	
-	written += fprintf(stream, "]");
+	written += print_in_hook(dst, len, "]");
 
 	return written;
 }
 
-/**
- * arginfo handler for printf() traffic selector
- */
-static int arginfo(const struct printf_info *info, size_t n, int *argtypes)
-{
-	if (n > 0)
-	{
-		argtypes[0] = PA_POINTER;
-	}
-	return 1;
-}
-
-/**
- * return printf hook functions for a chunk
- */
-printf_hook_functions_t traffic_selector_get_printf_hooks()
-{
-	printf_hook_functions_t hooks = {print, arginfo};
-	
-	return hooks;
-}
-
 /**
  * implements traffic_selector_t.get_subset
  */
diff --git a/src/charon/config/traffic_selector.h b/src/charon/config/traffic_selector.h
index 69c04c605..fcec4e50b 100644
--- a/src/charon/config/traffic_selector.h
+++ b/src/charon/config/traffic_selector.h
@@ -14,7 +14,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: traffic_selector.h 4860 2009-02-11 13:09:52Z martin $
+ * $Id: traffic_selector.h 4936 2009-03-12 18:07:32Z tobias $
  */
 
 /**
@@ -291,13 +291,14 @@ traffic_selector_t *traffic_selector_create_dynamic(u_int8_t protocol,
 									u_int16_t from_port, u_int16_t to_port);
 
 /**
- * Get printf hooks for a traffic selector.
+ * printf hook function for traffic_selector_t.
  *
  * Arguments are: 
  *    traffic_selector_t *ts
  * With the #-specifier, arguments are:
  *    linked_list_t *list containing traffic_selector_t*
  */
-printf_hook_functions_t traffic_selector_get_printf_hooks();
+int traffic_selector_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
+								 const void *const *args);
 
 #endif /* TRAFFIC_SELECTOR_H_ @} */
diff --git a/src/charon/credentials/credential_manager.c b/src/charon/credentials/credential_manager.c
index 309115280..2841086b2 100644
--- a/src/charon/credentials/credential_manager.c
+++ b/src/charon/credentials/credential_manager.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: credential_manager.c 4591 2008-11-05 16:12:54Z martin $
+ * $Id: credential_manager.c 4936 2009-03-12 18:07:32Z tobias $
  */
 
 #include <pthread.h>
@@ -572,7 +572,7 @@ static certificate_t *get_better_ocsp(private_credential_manager_t *this,
 		case VALIDATION_REVOKED:
 			/* subject has been revoked by a valid OCSP response */
 			DBG1(DBG_CFG, "certificate was revoked on %T, reason: %N",
-				 		  &revocation, crl_reason_names, reason);
+				 		  &revocation, TRUE, crl_reason_names, reason);
 			revoked = TRUE;
 			break;
 		case VALIDATION_GOOD:
@@ -593,7 +593,7 @@ static certificate_t *get_better_ocsp(private_credential_manager_t *this,
 		best = cand;
 		if (best->get_validity(best, NULL, NULL, &valid_until))
 		{
-			DBG1(DBG_CFG, "  ocsp response is valid: until %#T",
+			DBG1(DBG_CFG, "  ocsp response is valid: until %T",
 							 &valid_until, FALSE);
 			*valid = VALIDATION_GOOD;
 			if (cache)
@@ -603,7 +603,7 @@ static certificate_t *get_better_ocsp(private_credential_manager_t *this,
 		}
 		else
 		{
-			DBG1(DBG_CFG, "  ocsp response is stale: since %#T",
+			DBG1(DBG_CFG, "  ocsp response is stale: since %T",
 							 &valid_until, FALSE);
 			*valid = VALIDATION_STALE;
 		}
@@ -791,7 +791,7 @@ static certificate_t *get_better_crl(private_credential_manager_t *this,
 		if (chunk_equals(serial, subject->get_serial(subject)))
 		{
 			DBG1(DBG_CFG, "certificate was revoked on %T, reason: %N",
-				 &revocation, crl_reason_names, reason);
+				 &revocation, TRUE, crl_reason_names, reason);
 			*valid = VALIDATION_REVOKED;
 			enumerator->destroy(enumerator);
 			DESTROY_IF(best);
@@ -807,7 +807,7 @@ static certificate_t *get_better_crl(private_credential_manager_t *this,
 		best = cand;
 		if (best->get_validity(best, NULL, NULL, &valid_until))
 		{
-			DBG1(DBG_CFG, "  crl is valid: until %#T", &valid_until, FALSE);
+			DBG1(DBG_CFG, "  crl is valid: until %T", &valid_until, FALSE);
 			*valid = VALIDATION_GOOD;
 			if (cache)
 			{	/* we cache non-stale crls only, as a stale crls are refetched */
@@ -816,7 +816,7 @@ static certificate_t *get_better_crl(private_credential_manager_t *this,
 		}
 		else
 		{
-			DBG1(DBG_CFG, "  crl is stale: since %#T", &valid_until, FALSE);
+			DBG1(DBG_CFG, "  crl is stale: since %T", &valid_until, FALSE);
 			*valid = VALIDATION_STALE;
 		}
 	}
@@ -938,13 +938,13 @@ static bool check_certificate(private_credential_manager_t *this,
 	if (!subject->get_validity(subject, NULL, &not_before, &not_after))
 	{
 		DBG1(DBG_CFG, "subject certificate invalid (valid from %T to %T)",
-			 &not_before, &not_after);
+			 &not_before, TRUE, &not_after, TRUE);
 		return FALSE;
 	}
 	if (!issuer->get_validity(issuer, NULL, &not_before, &not_after))
 	{
 		DBG1(DBG_CFG, "issuer certificate invalid (valid from %T to %T)",
-			 &not_before, &not_after);
+			 &not_before, TRUE, &not_after, TRUE);
 		return FALSE;
 	}
 	if (issuer->get_type(issuer) == CERT_X509 &&
diff --git a/src/charon/daemon.c b/src/charon/daemon.c
index 78cbeec83..6dcb39a89 100644
--- a/src/charon/daemon.c
+++ b/src/charon/daemon.c
@@ -1,5 +1,5 @@
 /* 
- * Copyright (C) 2006-2007 Tobias Brunner
+ * Copyright (C) 2006-2009 Tobias Brunner
  * Copyright (C) 2006 Daniel Roethlisberger
  * Copyright (C) 2005-2008 Martin Willi
  * Copyright (C) 2005 Jan Hutter
@@ -644,9 +644,13 @@ int main(int argc, char *argv[])
 	/* initialize library */
 	library_init(STRONGSWAN_CONF);
 	lib->printf_hook->add_handler(lib->printf_hook, 'R',
-								  traffic_selector_get_printf_hooks());
+								  traffic_selector_printf_hook,
+								  PRINTF_HOOK_ARGTYPE_POINTER,
+								  PRINTF_HOOK_ARGTYPE_END);
 	lib->printf_hook->add_handler(lib->printf_hook, 'P',
-								  proposal_get_printf_hooks());
+								  proposal_printf_hook,
+								  PRINTF_HOOK_ARGTYPE_POINTER,
+								  PRINTF_HOOK_ARGTYPE_END);
 	private_charon = daemon_create();
 	charon = (daemon_t*)private_charon;
 	
diff --git a/src/charon/plugins/eap_mschapv2/eap_mschapv2.c b/src/charon/plugins/eap_mschapv2/eap_mschapv2.c
index 47dac47d4..07ca48e6f 100644
--- a/src/charon/plugins/eap_mschapv2/eap_mschapv2.c
+++ b/src/charon/plugins/eap_mschapv2/eap_mschapv2.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: eap_mschapv2.c 4888 2009-02-19 14:32:13Z tobias $
+ * $Id: eap_mschapv2.c 4896 2009-02-24 13:39:50Z martin $
  */
 
 #include "eap_mschapv2.h"
@@ -643,7 +643,7 @@ static status_t process_peer_challenge(private_eap_mschapv2_t *this,
 	rng->destroy(rng);
 			
 	shared = charon->credentials->get_shared(charon->credentials,
-											 SHARED_EAP, this->server, this->peer);
+											 SHARED_EAP, this->peer, this->server);
 	if (shared == NULL)
 	{
 		DBG1(DBG_IKE, "no EAP key found for hosts '%D' - '%D'",
diff --git a/src/charon/plugins/nm/nm_service.c b/src/charon/plugins/nm/nm_service.c
index 1f2b6f723..72744b784 100644
--- a/src/charon/plugins/nm/nm_service.c
+++ b/src/charon/plugins/nm/nm_service.c
@@ -83,8 +83,8 @@ static void signal_ipv4_config(NMVPNPlugin *plugin,
  */
 static void signal_failure(NMVPNPlugin *plugin)
 {
-	/* TODO: NM does not handle this failure!? 
-	nm_vpn_plugin_failure(plugin, NM_VPN_PLUGIN_FAILURE_LOGIN_FAILED); */
+	/* TODO: NM does not handle this failure!? */
+	nm_vpn_plugin_failure(plugin, NM_VPN_PLUGIN_FAILURE_LOGIN_FAILED); 
 	nm_vpn_plugin_set_state(plugin, NM_VPN_SERVICE_STATE_STOPPED);
 }
 
@@ -144,7 +144,7 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
 	nm_creds_t *creds;
 	NMSettingVPN *settings;
 	identification_t *user = NULL, *gateway;
-	char *address, *str;
+	const char *address, *str;
 	bool virtual, encap, ipcomp;
 	ike_cfg_t *ike_cfg;
 	peer_cfg_t *peer_cfg;
@@ -164,20 +164,20 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
 	
 	DBG4(DBG_CFG, "received NetworkManager connection: %s",
 		 nm_setting_to_string(NM_SETTING(settings)));
-	address = g_hash_table_lookup(settings->data, "address");
+	address = nm_setting_vpn_get_data_item(settings, "address");
 	if (!address || !*address)
 	{
 		g_set_error(err, NM_VPN_PLUGIN_ERROR, NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
 				    "Gateway address missing.");
 		return FALSE;
 	}
-	str = g_hash_table_lookup(settings->data, "virtual");
+	str = nm_setting_vpn_get_data_item(settings, "virtual");
 	virtual = str && streq(str, "yes");
-	str = g_hash_table_lookup(settings->data, "encap");
+	str = nm_setting_vpn_get_data_item(settings, "encap");
 	encap = str && streq(str, "yes");
-	str = g_hash_table_lookup(settings->data, "ipcomp");
+	str = nm_setting_vpn_get_data_item(settings, "ipcomp");
 	ipcomp = str && streq(str, "yes");
-	str = g_hash_table_lookup(settings->data, "method");
+	str = nm_setting_vpn_get_data_item(settings, "method");
 	if (str)
 	{
 		if (streq(str, "psk"))
@@ -202,7 +202,7 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
 	creds->clear(creds);
 	
 	/* gateway cert */
-	str = g_hash_table_lookup(settings->data, "certificate");
+	str = nm_setting_vpn_get_data_item(settings, "certificate");
 	if (str)
 	{
 		cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
@@ -220,20 +220,20 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
 	if (auth_class == AUTH_CLASS_EAP)
 	{
 		/* username/password authentication ... */
-		str = g_hash_table_lookup(settings->data, "user");
+		str = nm_setting_vpn_get_data_item(settings, "user");
 		if (str)
 		{
 			user = identification_create_from_encoding(ID_KEY_ID,
 											chunk_create(str, strlen(str)));
-			str = g_hash_table_lookup(settings->secrets, "password");
-			creds->set_username_password(creds, user, str);
+			str = nm_setting_vpn_get_secret(settings, "password");
+			creds->set_username_password(creds, user, (char*)str);
 		}
 	}
 	
 	if (auth_class == AUTH_CLASS_PUBKEY)
 	{
 		/* ... or certificate/private key authenitcation */
-		str = g_hash_table_lookup(settings->data, "usercert");
+		str = nm_setting_vpn_get_data_item(settings, "usercert");
 		if (str)
 		{
 			public_key_t *public;
@@ -241,10 +241,16 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
 			
 			cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
 									  BUILD_FROM_FILE, str, BUILD_END);	
-									  
+			if (!cert)
+			{
+				g_set_error(err, NM_VPN_PLUGIN_ERROR,
+							NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
+							"Loading peer certificate failed.");
+				return FALSE;
+			}
 			/* try agent */  
-			str = g_hash_table_lookup(settings->secrets, "agent");
-			if (agent && str && cert)
+			str = nm_setting_vpn_get_secret(settings, "agent");
+			if (agent && str)
 			{
 				public = cert->get_public_key(cert);
 				if (public)
@@ -256,25 +262,38 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
 												 BUILD_END);
 					public->destroy(public);
 				}
+				if (!private)
+				{
+					g_set_error(err, NM_VPN_PLUGIN_ERROR,
+								NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
+								"Connecting to SSH agent failed.");
+				}
 			}
 			/* ... or key file */  
-			str = g_hash_table_lookup(settings->data, "userkey");
-			if (!agent && str && cert)
+			str = nm_setting_vpn_get_data_item(settings, "userkey");
+			if (!agent && str)
 			{
 				chunk_t secret, chunk;
 				bool pgp = FALSE;
 				
-				secret.ptr = g_hash_table_lookup(settings->secrets, "password");
+				secret.ptr = (char*)nm_setting_vpn_get_secret(settings,
+																 "password");
 				if (secret.ptr)
 				{
 					secret.len = strlen(secret.ptr);
 				}
-				if (pem_asn1_load_file(str, &secret, &chunk, &pgp))
+				if (pem_asn1_load_file((char*)str, &secret, &chunk, &pgp))
 				{
 					private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY,
 								KEY_RSA, BUILD_BLOB_ASN1_DER, chunk, BUILD_END);
 					free(chunk.ptr);
 				}
+				if (!private)
+				{
+					g_set_error(err, NM_VPN_PLUGIN_ERROR,
+								NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
+								"Loading private key failed.");
+				}
 			}
 			if (private)
 			{
@@ -285,8 +304,6 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
 			else
 			{
 				DESTROY_IF(cert);
-				g_set_error(err, NM_VPN_PLUGIN_ERROR, NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
-							"Loading user certificate/private key failed.");
 				return FALSE;
 			}
 		}
@@ -302,7 +319,7 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
 	/**
 	 * Set up configurations
 	 */
-	ike_cfg = ike_cfg_create(TRUE, encap, "0.0.0.0", address);
+	ike_cfg = ike_cfg_create(TRUE, encap, "0.0.0.0", (char*)address);
 	ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
 	peer_cfg = peer_cfg_create(CONFIG_NAME, 2, ike_cfg,
 					user, gateway->clone(gateway),
@@ -367,40 +384,40 @@ static gboolean need_secrets(NMVPNPlugin *plugin, NMConnection *connection,
 							 char **setting_name, GError **error)
 {
 	NMSettingVPN *settings;
-	char *method, *path;
+	const char *method, *path;
 	chunk_t secret = chunk_empty, key;
 	bool pgp = FALSE;
 	
 	settings = NM_SETTING_VPN(nm_connection_get_setting(connection,
 														NM_TYPE_SETTING_VPN));
-	method = g_hash_table_lookup(settings->data, "method");
+	method = nm_setting_vpn_get_data_item(settings, "method");
 	if (method)
 	{
 		if (streq(method, "eap"))
 		{
-			if (g_hash_table_lookup(settings->secrets, "password"))
+			if (nm_setting_vpn_get_secret(settings, "password"))
 			{
 				return FALSE;
 			}
 		}
 		else if (streq(method, "agent"))
 		{
-			if (g_hash_table_lookup(settings->secrets, "agent"))
+			if (nm_setting_vpn_get_secret(settings, "agent"))
 			{
 				return FALSE;
 			}
 		}
 		else if (streq(method, "key"))
 		{
-			path = g_hash_table_lookup(settings->data, "userkey");
+			path = nm_setting_vpn_get_data_item(settings, "userkey");
 			if (path)
 			{
-				secret.ptr = g_hash_table_lookup(settings->secrets, "password");
+				secret.ptr = (char*)nm_setting_vpn_get_secret(settings, "password");
 				if (secret.ptr)
 				{
 					secret.len = strlen(secret.ptr);
 				}
-				if (pem_asn1_load_file(path, &secret, &key, &pgp))
+				if (pem_asn1_load_file((char*)path, &secret, &key, &pgp))
 				{
 					free(key.ptr);
 					return FALSE;
@@ -434,6 +451,9 @@ static gboolean disconnect(NMVPNPlugin *plugin, GError **err)
 		}
 	}
 	enumerator->destroy(enumerator);
+	
+	g_set_error(err, NM_VPN_PLUGIN_ERROR, NM_VPN_PLUGIN_ERROR_GENERAL,
+				"Connection not found.");
 	return FALSE;
 }
 
diff --git a/src/charon/plugins/sql/pool.c b/src/charon/plugins/sql/pool.c
index 8f5dc54dd..9761e88e9 100644
--- a/src/charon/plugins/sql/pool.c
+++ b/src/charon/plugins/sql/pool.c
@@ -554,10 +554,10 @@ static void leases(char *filter, bool utc)
 			printf("%-7s ", "expired");
 		}
 		
-		printf(" %#T  ", &acquired, utc);
+		printf(" %T  ", &acquired, utc);
 		if (released)
 		{
-			printf("%#T  ", &released, utc);
+			printf("%T  ", &released, utc);
 		}
 		else
 		{
diff --git a/src/charon/plugins/sql/sql_attribute.c b/src/charon/plugins/sql/sql_attribute.c
index cd6f7c0cd..826aa8318 100644
--- a/src/charon/plugins/sql/sql_attribute.c
+++ b/src/charon/plugins/sql/sql_attribute.c
@@ -89,7 +89,7 @@ static u_int get_pool(private_sql_attribute_t *this, char *name, u_int *timeout)
 		e->destroy(e);
 		return pool;
 	}
-	DBG1(DBG_CFG, "ip pool '%s' not found");
+	DESTROY_IF(e);
 	return 0;
 }
 
diff --git a/src/charon/plugins/stroke/stroke_attribute.c b/src/charon/plugins/stroke/stroke_attribute.c
index 7591a1e27..f850b5320 100644
--- a/src/charon/plugins/stroke/stroke_attribute.c
+++ b/src/charon/plugins/stroke/stroke_attribute.c
@@ -307,6 +307,7 @@ static bool release_address(private_stroke_attribute_t *this,
 				{
 					DBG1(DBG_CFG, "lease %H of %D went offline", address, id);
 					pool->offline->put(pool->offline, id, (void*)offset);
+					found = TRUE;
 				}
 			}
 		}
diff --git a/src/charon/plugins/stroke/stroke_cred.c b/src/charon/plugins/stroke/stroke_cred.c
index 07e0ca768..434aec22b 100644
--- a/src/charon/plugins/stroke/stroke_cred.c
+++ b/src/charon/plugins/stroke/stroke_cred.c
@@ -804,7 +804,7 @@ static void load_secrets(private_stroke_cred_t *this)
 		}
 		else if (match("PIN", &token))
 		{
-			chunk_t sc = chunk_empty;
+			chunk_t sc = chunk_empty, secret = chunk_empty;
 			char smartcard[32], keyid[22], pin[32];
 			private_key_t *key;
 			u_int slot;
@@ -847,13 +847,13 @@ static void load_secrets(private_stroke_cred_t *this)
 				DBG1(DBG_CFG, "line %d: expected PIN", line_nr);
 				goto error;
 			}
-			ugh = extract_secret(&chunk, &line);
+			ugh = extract_secret(&secret, &line);
 			if (ugh != NULL)
 			{
 				DBG1(DBG_CFG, "line %d: malformed PIN: %s", line_nr, ugh);
 				goto error;
 			}
-			snprintf(pin, sizeof(pin), "%.*s", chunk.len, chunk.ptr);
+			snprintf(pin, sizeof(pin), "%.*s", secret.len, secret.ptr);
 			pin[sizeof(pin) - 1] = '\0';
 			
 			/* we assume an RSA key */
@@ -867,6 +867,7 @@ static void load_secrets(private_stroke_cred_t *this)
 				this->private->insert_last(this->private, key);
 			}
 			memset(pin, 0, sizeof(pin));
+			chunk_clear(&secret);
 		}
 		else if ((match("PSK", &token) && (type = SHARED_IKE)) ||
 				 (match("EAP", &token) && (type = SHARED_EAP)) ||
diff --git a/src/charon/plugins/stroke/stroke_list.c b/src/charon/plugins/stroke/stroke_list.c
index 8042875c9..94b3def3a 100644
--- a/src/charon/plugins/stroke/stroke_list.c
+++ b/src/charon/plugins/stroke/stroke_list.c
@@ -88,7 +88,7 @@ static void log_ike_sa(FILE *out, ike_sa_t *ike_sa, bool all)
 		time_t established;
 		
 		established = ike_sa->get_statistic(ike_sa, STAT_ESTABLISHED);
-		fprintf(out, " %#V ago", &now, &established);
+		fprintf(out, " %V ago", &now, &established);
 	}
 	
 	fprintf(out, ", %H[%D]...%H[%D]\n",
@@ -116,11 +116,11 @@ static void log_ike_sa(FILE *out, ike_sa_t *ike_sa, bool all)
 			
 			if (rekey)
 			{
-				fprintf(out, ", rekeying in %#V", &rekey, &now);
+				fprintf(out, ", rekeying in %V", &rekey, &now);
 			}
 			if (reauth)
 			{
-				fprintf(out, ", %N reauthentication in %#V", auth_class_names,
+				fprintf(out, ", %N reauthentication in %V", auth_class_names,
 						get_auth_class(ike_sa->get_peer_cfg(ike_sa)),
 						&reauth, &now);
 			}
@@ -212,7 +212,7 @@ static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all)
 			rekey = child_sa->get_lifetime(child_sa, FALSE);
 			if (rekey)
 			{
-				fprintf(out, "in %#V", &now, &rekey);
+				fprintf(out, "in %V", &now, &rekey);
 			}
 			else
 			{
@@ -265,12 +265,12 @@ static void status(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out, bo
 		char *plugin, *pool;
 		host_t *host;
 		u_int32_t dpd;
-		time_t uptime = time(NULL) - this->uptime;
+		time_t now = time(NULL);
 		bool first = TRUE;
 		u_int size, online, offline;
 		
 		fprintf(out, "Performance:\n");
-		fprintf(out, "  uptime: %V, since %#T\n", &uptime, &this->uptime, FALSE);
+		fprintf(out, "  uptime: %V, since %T\n", &now, &this->uptime, &this->uptime, FALSE);
 		fprintf(out, "  worker threads: %d idle of %d,",
 				charon->processor->get_idle_threads(charon->processor),
 				charon->processor->get_total_threads(charon->processor));
@@ -290,6 +290,10 @@ static void status(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out, bo
 		enumerator = this->attribute->create_pool_enumerator(this->attribute);
 		while (enumerator->enumerate(enumerator, &pool, &size, &online, &offline))
 		{
+			if (name && !streq(name, pool))
+			{
+				continue;
+			}
 			if (first)
 			{
 				first = FALSE;
@@ -655,26 +659,26 @@ static void stroke_list_certs(linked_list_t *list, char *label,
 
 			/* list validity */
 			cert->get_validity(cert, &now, &notBefore, &notAfter);
-			fprintf(out, "  validity:  not before %#T, ", &notBefore, utc);
+			fprintf(out, "  validity:  not before %T, ", &notBefore, utc);
 			if (now < notBefore)
 			{
-				fprintf(out, "not valid yet (valid in %#V)\n", &now, &notBefore);
+				fprintf(out, "not valid yet (valid in %V)\n", &now, &notBefore);
 			}
 			else
 			{
 				fprintf(out, "ok\n");
 			}
-			fprintf(out, "             not after  %#T, ", &notAfter, utc);
+			fprintf(out, "             not after  %T, ", &notAfter, utc);
 			if (now > notAfter)
 			{
-				fprintf(out, "expired (%#V ago)\n", &now, &notAfter);
+				fprintf(out, "expired (%V ago)\n", &now, &notAfter);
 			}
 			else
 			{
 				fprintf(out, "ok");
 				if (now > notAfter - CERT_WARNING_INTERVAL * 60 * 60 * 24)
 				{
-					fprintf(out, " (expires in %#V)", &now, &notAfter);
+					fprintf(out, " (expires in %V)", &now, &notAfter);
 				}
 				fprintf(out, " \n");
 			}
@@ -755,18 +759,18 @@ static void stroke_list_acerts(linked_list_t *list, bool utc, FILE *out)
 
 		/* list validity */
 		cert->get_validity(cert, &now, &thisUpdate, &nextUpdate);
-		fprintf(out, "  updates:   this %#T\n",  &thisUpdate, utc);
-		fprintf(out, "             next %#T, ", &nextUpdate, utc);
+		fprintf(out, "  updates:   this %T\n",  &thisUpdate, utc);
+		fprintf(out, "             next %T, ", &nextUpdate, utc);
 		if (now > nextUpdate)
 		{
-			fprintf(out, "expired (%#V ago)\n", &now, &nextUpdate);
+			fprintf(out, "expired (%V ago)\n", &now, &nextUpdate);
 		}
 		else
 		{
 			fprintf(out, "ok");
 			if (now > nextUpdate - AC_WARNING_INTERVAL * 60 * 60 * 24)
 			{
-				fprintf(out, " (expires in %#V)", &now, &nextUpdate);
+				fprintf(out, " (expires in %V)", &now, &nextUpdate);
 			}
 			fprintf(out, " \n");
 		}
@@ -828,18 +832,18 @@ static void stroke_list_crls(linked_list_t *list, bool utc, FILE *out)
 
 		/* list validity */
 		cert->get_validity(cert, &now, &thisUpdate, &nextUpdate);
-		fprintf(out, "  updates:   this %#T\n",  &thisUpdate, utc);
-		fprintf(out, "             next %#T, ", &nextUpdate, utc);
+		fprintf(out, "  updates:   this %T\n",  &thisUpdate, utc);
+		fprintf(out, "             next %T, ", &nextUpdate, utc);
 		if (now > nextUpdate)
 		{
-			fprintf(out, "expired (%#V ago)\n", &now, &nextUpdate);
+			fprintf(out, "expired (%V ago)\n", &now, &nextUpdate);
 		}
 		else
 		{
 			fprintf(out, "ok");
 			if (now > nextUpdate - CRL_WARNING_INTERVAL * 60 * 60 * 24)
 			{
-				fprintf(out, " (expires in %#V)", &now, &nextUpdate);
+				fprintf(out, " (expires in %V)", &now, &nextUpdate);
 			}
 			fprintf(out, " \n");
 		}
diff --git a/src/charon/sa/ike_sa.c b/src/charon/sa/ike_sa.c
index 82dd479ca..6acbc6eef 100644
--- a/src/charon/sa/ike_sa.c
+++ b/src/charon/sa/ike_sa.c
@@ -15,12 +15,11 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: ike_sa.c 4808 2008-12-16 15:48:36Z martin $
+ * $Id: ike_sa.c 4945 2009-03-16 14:23:36Z martin $
  */
 
 #include <sys/time.h>
 #include <string.h>
-#include <printf.h>
 #include <sys/stat.h>
 #include <errno.h>
 #include <time.h>
@@ -1103,6 +1102,12 @@ static void resolve_hosts(private_ike_sa_t *this)
 			{
 				host->set_port(host, IKEV2_UDP_PORT);
 			}
+			else
+			{	/* fallback to address family specific %any(6), if configured */
+				host = host_create_from_dns(
+									this->ike_cfg->get_my_addr(this->ike_cfg),
+									0, IKEV2_UDP_PORT);
+			}
 		}
 	}
 	if (host)
@@ -1743,7 +1748,7 @@ static status_t reauth(private_ike_sa_t *this)
 		{
 			time_t now = time(NULL);
 			
-			DBG1(DBG_IKE, "IKE_SA will timeout in %#V",
+			DBG1(DBG_IKE, "IKE_SA will timeout in %V",
 				 &now, &this->stats[STAT_DELETE]);
 			return FAILED;
 		}
diff --git a/src/libstrongswan/Makefile.am b/src/libstrongswan/Makefile.am
index 110c2ef16..1d0f837ef 100644
--- a/src/libstrongswan/Makefile.am
+++ b/src/libstrongswan/Makefile.am
@@ -74,6 +74,10 @@ if USE_INTEGRITY_TEST
   fips/fips_canister_end.c
 endif
 
+if USE_VSTR
+  libstrongswan_la_LIBADD += -lvstr
+endif
+
 EXTRA_DIST = asn1/oid.txt asn1/oid.pl
 BUILT_SOURCES = asn1/oid.c asn1/oid.h
 MAINTAINERCLEANFILES = asn1/oid.c asn1/oid.h
diff --git a/src/libstrongswan/Makefile.in b/src/libstrongswan/Makefile.in
index ba90d987b..ed13138e4 100644
--- a/src/libstrongswan/Makefile.in
+++ b/src/libstrongswan/Makefile.in
@@ -35,27 +35,28 @@ host_triplet = @host@
 @USE_LEAK_DETECTIVE_TRUE@am__append_1 = -DLEAK_DETECTIVE
 @USE_LEAK_DETECTIVE_TRUE@am__append_2 = utils/leak_detective.c utils/leak_detective.h
 @USE_LOCK_PROFILER_TRUE@am__append_3 = -DLOCK_PROFILER
-@USE_AES_TRUE@am__append_4 = plugins/aes
-@USE_DES_TRUE@am__append_5 = plugins/des
-@USE_MD4_TRUE@am__append_6 = plugins/md4
-@USE_MD5_TRUE@am__append_7 = plugins/md5
-@USE_SHA1_TRUE@am__append_8 = plugins/sha1
-@USE_SHA2_TRUE@am__append_9 = plugins/sha2
-@USE_FIPS_PRF_TRUE@am__append_10 = plugins/fips_prf
-@USE_GMP_TRUE@am__append_11 = plugins/gmp
-@USE_RANDOM_TRUE@am__append_12 = plugins/random
-@USE_HMAC_TRUE@am__append_13 = plugins/hmac
-@USE_XCBC_TRUE@am__append_14 = plugins/xcbc
-@USE_X509_TRUE@am__append_15 = plugins/x509
-@USE_PUBKEY_TRUE@am__append_16 = plugins/pubkey
-@USE_CURL_TRUE@am__append_17 = plugins/curl
-@USE_LDAP_TRUE@am__append_18 = plugins/ldap
-@USE_MYSQL_TRUE@am__append_19 = plugins/mysql
-@USE_SQLITE_TRUE@am__append_20 = plugins/sqlite
-@USE_PADLOCK_TRUE@am__append_21 = plugins/padlock
-@USE_OPENSSL_TRUE@am__append_22 = plugins/openssl
-@USE_AGENT_TRUE@am__append_23 = plugins/agent
-@USE_INTEGRITY_TEST_TRUE@am__append_24 = fips
+@USE_VSTR_TRUE@am__append_4 = -lvstr
+@USE_AES_TRUE@am__append_5 = plugins/aes
+@USE_DES_TRUE@am__append_6 = plugins/des
+@USE_MD4_TRUE@am__append_7 = plugins/md4
+@USE_MD5_TRUE@am__append_8 = plugins/md5
+@USE_SHA1_TRUE@am__append_9 = plugins/sha1
+@USE_SHA2_TRUE@am__append_10 = plugins/sha2
+@USE_FIPS_PRF_TRUE@am__append_11 = plugins/fips_prf
+@USE_GMP_TRUE@am__append_12 = plugins/gmp
+@USE_RANDOM_TRUE@am__append_13 = plugins/random
+@USE_HMAC_TRUE@am__append_14 = plugins/hmac
+@USE_XCBC_TRUE@am__append_15 = plugins/xcbc
+@USE_X509_TRUE@am__append_16 = plugins/x509
+@USE_PUBKEY_TRUE@am__append_17 = plugins/pubkey
+@USE_CURL_TRUE@am__append_18 = plugins/curl
+@USE_LDAP_TRUE@am__append_19 = plugins/ldap
+@USE_MYSQL_TRUE@am__append_20 = plugins/mysql
+@USE_SQLITE_TRUE@am__append_21 = plugins/sqlite
+@USE_PADLOCK_TRUE@am__append_22 = plugins/padlock
+@USE_OPENSSL_TRUE@am__append_23 = plugins/openssl
+@USE_AGENT_TRUE@am__append_24 = plugins/agent
+@USE_INTEGRITY_TEST_TRUE@am__append_25 = fips
 subdir = src/libstrongswan
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
@@ -73,7 +74,8 @@ am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
 am__installdirs = "$(DESTDIR)$(libdir)"
 libLTLIBRARIES_INSTALL = $(INSTALL)
 LTLIBRARIES = $(lib_LTLIBRARIES)
-libstrongswan_la_DEPENDENCIES =
+am__DEPENDENCIES_1 =
+libstrongswan_la_DEPENDENCIES = $(am__DEPENDENCIES_1)
 am__libstrongswan_la_SOURCES_DIST = library.c library.h chunk.c \
 	chunk.h debug.c debug.h enum.c enum.h settings.h settings.c \
 	printf_hook.c printf_hook.h asn1/asn1.c asn1/asn1.h \
@@ -451,7 +453,7 @@ lib_LTLIBRARIES = libstrongswan.la
 @USE_INTEGRITY_TEST_TRUE@	plugins/plugin_loader.h \
 @USE_INTEGRITY_TEST_TRUE@	plugins/plugin.h $(am__append_2) \
 @USE_INTEGRITY_TEST_TRUE@	fips/fips_canister_end.c
-libstrongswan_la_LIBADD = -lpthread -ldl
+libstrongswan_la_LIBADD = -lpthread -ldl $(am__append_4)
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
 AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" \
 	-DIPSEC_PLUGINDIR=\"${plugindir}\" $(am__append_1) \
@@ -462,13 +464,13 @@ MAINTAINERCLEANFILES = asn1/oid.c asn1/oid.h
 
 # build plugins with their own Makefile
 #######################################
-SUBDIRS = . $(am__append_4) $(am__append_5) $(am__append_6) \
-	$(am__append_7) $(am__append_8) $(am__append_9) \
-	$(am__append_10) $(am__append_11) $(am__append_12) \
-	$(am__append_13) $(am__append_14) $(am__append_15) \
-	$(am__append_16) $(am__append_17) $(am__append_18) \
-	$(am__append_19) $(am__append_20) $(am__append_21) \
-	$(am__append_22) $(am__append_23) $(am__append_24)
+SUBDIRS = . $(am__append_5) $(am__append_6) $(am__append_7) \
+	$(am__append_8) $(am__append_9) $(am__append_10) \
+	$(am__append_11) $(am__append_12) $(am__append_13) \
+	$(am__append_14) $(am__append_15) $(am__append_16) \
+	$(am__append_17) $(am__append_18) $(am__append_19) \
+	$(am__append_20) $(am__append_21) $(am__append_22) \
+	$(am__append_23) $(am__append_24) $(am__append_25)
 all: $(BUILT_SOURCES)
 	$(MAKE) $(AM_MAKEFLAGS) all-recursive
 
diff --git a/src/libstrongswan/asn1/asn1.c b/src/libstrongswan/asn1/asn1.c
index 6122aa9f8..1359dcd2d 100644
--- a/src/libstrongswan/asn1/asn1.c
+++ b/src/libstrongswan/asn1/asn1.c
@@ -14,7 +14,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: asn1.c 4776 2008-12-09 15:00:30Z martin $
+ * $Id: asn1.c 4942 2009-03-13 20:22:24Z andreas $
  */
 
 #include <stdio.h>
@@ -397,7 +397,7 @@ void asn1_debug_simple_object(chunk_t object, asn1_t type, bool private)
 			{
 				time_t time = asn1_to_time(&object, type);
 
-				DBG2("  '%T'", &time);
+				DBG2("  '%T'", &time, TRUE);
 			}
 			return;
 		default:
@@ -452,13 +452,6 @@ bool asn1_parse_simple_object(chunk_t *object, asn1_t type, u_int level, const c
  * ASN.1 definition of an algorithmIdentifier
  */
 static const asn1Object_t algorithmIdentifierObjects[] = {
-	{ 0, "algorithmIdentifier",	ASN1_SEQUENCE,	ASN1_NONE }, /* 0 */
-	{ 1,   "algorithm",			ASN1_OID,		ASN1_BODY }, /* 1 */
-	{ 1,   "parameters",		ASN1_EOC,		ASN1_RAW  }, /* 2 */
-	{ 0, "exit",				ASN1_EOC,		ASN1_EXIT }
-};
-/* parameters are optional in case of ecdsa-with-SHA1 as algorithm (RFC 3279) */
-static const asn1Object_t algorithmIdentifierObjectsOptional[] = {
 	{ 0, "algorithmIdentifier",	ASN1_SEQUENCE,	ASN1_NONE         }, /* 0 */
 	{ 1,   "algorithm",			ASN1_OID,		ASN1_BODY         }, /* 1 */
 	{ 1,   "parameters",		ASN1_EOC,		ASN1_RAW|ASN1_OPT }, /* 2 */
@@ -477,14 +470,8 @@ int asn1_parse_algorithmIdentifier(chunk_t blob, int level0, chunk_t *parameters
 	chunk_t object;
 	int objectID;
 	int alg = OID_UNKNOWN;
-	const asn1Object_t *objects = algorithmIdentifierObjectsOptional;
-	
-	if (parameters != NULL)
-	{
-		objects = algorithmIdentifierObjects;
-	}
 	
-	parser = asn1_parser_create(objects, blob);
+	parser = asn1_parser_create(algorithmIdentifierObjects, blob);
 	parser->set_top_level(parser, level0);
 	
 	while (parser->iterate(parser, &objectID, &object))
diff --git a/src/libstrongswan/chunk.c b/src/libstrongswan/chunk.c
index 681581af9..331ef4436 100644
--- a/src/libstrongswan/chunk.c
+++ b/src/libstrongswan/chunk.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2008-2009 Tobias Brunner
  * Copyright (C) 2005-2006 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
@@ -14,7 +14,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: chunk.c 4784 2008-12-10 13:43:51Z tobias $
+ * $Id: chunk.c 4936 2009-03-12 18:07:32Z tobias $
  */
 
 #include <stdio.h>
@@ -25,7 +25,6 @@
 #include "chunk.h"
 
 #include <debug.h>
-#include <printf_hook.h>
 
 /* required for chunk_hash */
 #undef get16bits
@@ -520,21 +519,20 @@ u_int32_t chunk_hash(chunk_t chunk)
 }
 
 /**
- * output handler in printf() for chunks
+ * Described in header.
  */
-static int chunk_print(FILE *stream, const struct printf_info *info,
-					   const void *const *args)
+int chunk_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
+					  const void *const *args)
 {
 	chunk_t *chunk = *((chunk_t**)(args[0]));
 	bool first = TRUE;
 	chunk_t copy = *chunk;
 	int written = 0;
-	printf_hook_functions_t mem = mem_get_printf_hooks();
 	
-	if (!info->alt)
+	if (!spec->hash)
 	{
 		const void *new_args[] = {&chunk->ptr, &chunk->len};
-		return mem.print(stream, info, new_args);
+		return mem_printf_hook(dst, len, spec, new_args);
 	}
 	
 	while (copy.len > 0)
@@ -545,33 +543,10 @@ static int chunk_print(FILE *stream, const struct printf_info *info,
 		}
 		else
 		{
-			written += fprintf(stream, ":");
+			written += print_in_hook(dst, len, ":");
 		}
-		written += fprintf(stream, "%02x", *copy.ptr++);
+		written += print_in_hook(dst, len, "%02x", *copy.ptr++);
 		copy.len--;
 	}
 	return written;
 }
-
-/**
- * arginfo handler for printf() mem ranges
- */
-static int chunk_arginfo(const struct printf_info *info, size_t n, int *argtypes)
-{
-	if (n > 0)
-	{
-		argtypes[0] = PA_POINTER;
-	}
-	return 1;
-}
-
-/**
- * return printf hook functions for a chunk
- */
-printf_hook_functions_t chunk_get_printf_hooks()
-{
-	printf_hook_functions_t hooks = {chunk_print, chunk_arginfo};
-	
-	return hooks;
-}
-
diff --git a/src/libstrongswan/chunk.h b/src/libstrongswan/chunk.h
index 2986e0db3..5eb8f8d8a 100644
--- a/src/libstrongswan/chunk.h
+++ b/src/libstrongswan/chunk.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2008-2009 Tobias Brunner
  * Copyright (C) 2005-2008 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
@@ -14,7 +14,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: chunk.h 4841 2009-01-15 01:52:44Z andreas $
+ * $Id: chunk.h 4936 2009-03-12 18:07:32Z tobias $
  */
 
 /**
@@ -240,11 +240,13 @@ u_int32_t chunk_hash(chunk_t chunk);
 u_int32_t chunk_hash_inc(chunk_t chunk, u_int32_t hash);
 
 /**
- * Get printf hooks for a chunk.
+ * printf hook function for chunk_t.
  *
  * Arguments are: 
  *    chunk_t *chunk
+ * Use #-modifier to print a compact version
  */
-printf_hook_functions_t chunk_get_printf_hooks();
+int chunk_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
+					  const void *const *args);
 
 #endif /* CHUNK_H_ @}*/
diff --git a/src/libstrongswan/enum.c b/src/libstrongswan/enum.c
index 5eb283807..32524d225 100644
--- a/src/libstrongswan/enum.c
+++ b/src/libstrongswan/enum.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: enum.c 3589 2008-03-13 14:14:44Z martin $
+ * $Id: enum.c 4936 2009-03-12 18:07:32Z tobias $
  */
 
 #include <stddef.h>
@@ -20,8 +20,6 @@
 
 #include "enum.h"
 
-#include <printf_hook.h>
-
 /**
  * get the name of an enum value in a enum_name_t list
  */
@@ -39,10 +37,10 @@ static char *enum_name(enum_name_t *e, int val)
 }
 
 /**
- * output handler in printf() for enum names
+ * Described in header.
  */
-static int print(FILE *stream, const struct printf_info *info,
-					  const void *const *args)
+int enum_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
+					 const void *const *args)
 {
 	enum_name_t *ed = *((enum_name_t**)(args[0]));
 	int val = *((int*)(args[1]));
@@ -51,34 +49,10 @@ static int print(FILE *stream, const struct printf_info *info,
 
 	if (name == NULL)
 	{
-		return fprintf(stream, "(%d)", val);
+		return print_in_hook(dst, len, "(%d)", val);
 	}
 	else
 	{
-		return fprintf(stream, "%s", name);
-	}
-}
-
-/**
- * arginfo handler for printf() hook
- */
-static int arginfo(const struct printf_info *info, size_t n, int *argtypes)
-{
-	if (n > 1)
-	{
-		argtypes[0] = PA_POINTER;
-		argtypes[1] = PA_INT;
+		return print_in_hook(dst, len, "%s", name);
 	}
-	return 2;
 }
-
-/**
- * return printf hook functions
- */
-printf_hook_functions_t enum_get_printf_hooks()
-{
-	printf_hook_functions_t hooks = {print, arginfo};
-	
-	return hooks;
-}
-
diff --git a/src/libstrongswan/enum.h b/src/libstrongswan/enum.h
index 5e44293c0..4a594a4a9 100644
--- a/src/libstrongswan/enum.h
+++ b/src/libstrongswan/enum.h
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2009 Tobias Brunner
  * Copyright (C) 2006-2008 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -12,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: enum.h 3589 2008-03-13 14:14:44Z martin $
+ * $Id: enum.h 4936 2009-03-12 18:07:32Z tobias $
  */
 
 /**
@@ -108,12 +109,12 @@ struct enum_name_t {
 #define ENUM(name, first, last, ...) ENUM_BEGIN(name, first, last, __VA_ARGS__); ENUM_END(name, last)
 
 /**
- * Get printf hook functions for enum_names_t.
+ * printf hook function for enum_names_t.
  *
- * The handler takes the arguments: enum_names_t *names, int value
- *
- * @return 		printf hook functions
+ * Arguments are: 
+ *    enum_names_t *names, int value
  */
-printf_hook_functions_t enum_get_printf_hooks();
+int enum_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
+					 const void *const *args);
 
 #endif /* ENUM_H_ @}*/
diff --git a/src/libstrongswan/library.c b/src/libstrongswan/library.c
index 07d08fa51..cb8d43052 100644
--- a/src/libstrongswan/library.c
+++ b/src/libstrongswan/library.c
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2009 Tobias Brunner
  * Copyright (C) 2008 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -12,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: library.c 4311 2008-08-28 16:27:48Z martin $
+ * $Id: library.c 4936 2009-03-12 18:07:32Z tobias $
  */
 
 #include "library.h"
@@ -95,13 +96,24 @@ void library_init(char *settings)
 	pfh = printf_hook_create();
 	this->public.printf_hook = pfh;
 	
-	pfh->add_handler(pfh, 'b', mem_get_printf_hooks());
-	pfh->add_handler(pfh, 'B', chunk_get_printf_hooks());
-	pfh->add_handler(pfh, 'D', identification_get_printf_hooks());
-	pfh->add_handler(pfh, 'H', host_get_printf_hooks());
-	pfh->add_handler(pfh, 'N', enum_get_printf_hooks());
-	pfh->add_handler(pfh, 'T', time_get_printf_hooks());
-	pfh->add_handler(pfh, 'V', time_delta_get_printf_hooks());
+	pfh->add_handler(pfh, 'b', mem_printf_hook,
+					 PRINTF_HOOK_ARGTYPE_POINTER, PRINTF_HOOK_ARGTYPE_INT,
+					 PRINTF_HOOK_ARGTYPE_END);
+	pfh->add_handler(pfh, 'B', chunk_printf_hook,
+					 PRINTF_HOOK_ARGTYPE_POINTER, PRINTF_HOOK_ARGTYPE_END);
+	pfh->add_handler(pfh, 'D', identification_printf_hook,
+					 PRINTF_HOOK_ARGTYPE_POINTER, PRINTF_HOOK_ARGTYPE_END);
+	pfh->add_handler(pfh, 'H', host_printf_hook,
+					 PRINTF_HOOK_ARGTYPE_POINTER, PRINTF_HOOK_ARGTYPE_END);
+	pfh->add_handler(pfh, 'N', enum_printf_hook,
+					 PRINTF_HOOK_ARGTYPE_POINTER, PRINTF_HOOK_ARGTYPE_INT,
+					 PRINTF_HOOK_ARGTYPE_END);
+	pfh->add_handler(pfh, 'T', time_printf_hook,
+					 PRINTF_HOOK_ARGTYPE_POINTER, PRINTF_HOOK_ARGTYPE_INT,
+					 PRINTF_HOOK_ARGTYPE_END);
+	pfh->add_handler(pfh, 'V', time_delta_printf_hook,
+					 PRINTF_HOOK_ARGTYPE_POINTER, PRINTF_HOOK_ARGTYPE_POINTER,
+					 PRINTF_HOOK_ARGTYPE_END);
 	
 	this->public.crypto = crypto_factory_create();
 	this->public.creds = credential_factory_create();
diff --git a/src/libstrongswan/library.h b/src/libstrongswan/library.h
index 34a981054..1445b28cd 100644
--- a/src/libstrongswan/library.h
+++ b/src/libstrongswan/library.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: library.h 4311 2008-08-28 16:27:48Z martin $
+ * $Id: library.h 4936 2009-03-12 18:07:32Z tobias $
  */
 
 /**
@@ -57,10 +57,10 @@
 #ifndef LIBRARY_H_
 #define LIBRARY_H_
 
+#include <printf_hook.h>
 #include <utils.h>
 #include <chunk.h>
 #include <settings.h>
-#include <printf_hook.h>
 #include <plugins/plugin_loader.h>
 #include <crypto/crypto_factory.h>
 #include <credentials/credential_factory.h>
diff --git a/src/libstrongswan/plugins/des/des_crypter.c b/src/libstrongswan/plugins/des/des_crypter.c
index a0b147c63..b0b18a2c1 100644
--- a/src/libstrongswan/plugins/des/des_crypter.c
+++ b/src/libstrongswan/plugins/des/des_crypter.c
@@ -57,7 +57,7 @@
  * copied and put under another distribution licence
  * [including the GNU Public Licence.]
  *
- * $Id: des_crypter.c 4887 2009-02-19 14:29:25Z tobias $
+ * $Id: des_crypter.c 4938 2009-03-12 18:38:13Z tobias $
  */
 
 #include "des_crypter.h"
@@ -1128,10 +1128,8 @@ static void des_ecb_encrypt(des_cblock *input, des_cblock *output, long length,
 	{
 		for (l-=8; l>=0; l-=8)
 		{
-			c2l(in,tin0);
-			c2l(in,tin1);
-			tin[0]=tin0;
-			tin[1]=tin1;
+			c2l(in,tin0); tin[0]=tin0;
+			c2l(in,tin1); tin[1]=tin1;
 			des_encrypt((DES_LONG *)tin,schedule,DES_ENCRYPT);
 			tout0=tin[0]; l2c(tout0,out);
 			tout1=tin[1]; l2c(tout1,out);
@@ -1153,14 +1151,16 @@ static void des_ecb_encrypt(des_cblock *input, des_cblock *output, long length,
 			c2l(in,tin0); tin[0]=tin0;
 			c2l(in,tin1); tin[1]=tin1;
 			des_encrypt((DES_LONG *)tin,schedule,DES_DECRYPT);
-			l2c(tout0,out);
-			l2c(tout1,out);
+			tout0=tin[0]; l2c(tout0,out);
+			tout1=tin[1]; l2c(tout1,out);
 		}
 		if (l != -8)
 		{
 			c2l(in,tin0); tin[0]=tin0;
 			c2l(in,tin1); tin[1]=tin1;
 			des_encrypt((DES_LONG *)tin,schedule,DES_DECRYPT);
+			tout0=tin[0];
+			tout1=tin[1];
 			l2cn(tout0,tout1,out,l+8);
 		}
 	}
diff --git a/src/libstrongswan/plugins/x509/x509_ac.c b/src/libstrongswan/plugins/x509/x509_ac.c
index fbb7707a1..2168f9bc7 100644
--- a/src/libstrongswan/plugins/x509/x509_ac.c
+++ b/src/libstrongswan/plugins/x509/x509_ac.c
@@ -870,7 +870,7 @@ static bool is_newer(private_x509_ac_t *this, ac_t *that)
 	this_cert->get_validity(this_cert, &now, &this_update, NULL);
 	that_cert->get_validity(that_cert, &now, &that_update, NULL);
 	new = this_update > that_update;
-	DBG1("  attr cert from %#T is %s - existing attr_cert from %#T %s",
+	DBG1("  attr cert from %T is %s - existing attr_cert from %T %s",
 			&this_update, FALSE, new ? "newer":"not newer",
 			&that_update, FALSE, new ? "replaced":"retained");
 	return new;
diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c
index e618f31d8..4c6b45394 100644
--- a/src/libstrongswan/plugins/x509/x509_cert.c
+++ b/src/libstrongswan/plugins/x509/x509_cert.c
@@ -17,7 +17,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: x509_cert.c 4767 2008-12-08 19:15:38Z martin $
+ * $Id: x509_cert.c 4936 2009-03-12 18:07:32Z tobias $
  */
 
 #define _GNU_SOURCE
@@ -1010,7 +1010,7 @@ static bool is_newer(certificate_t *this, certificate_t *that)
 	this->get_validity(this, &now, &this_update, NULL);
 	that->get_validity(that, &now, &that_update, NULL);
 	new = this_update > that_update;
-	DBG1("  certificate from %#T is %s - existing certificate from %#T %s",
+	DBG1("  certificate from %T is %s - existing certificate from %T %s",
 				&this_update, FALSE, new ? "newer":"not newer",
 				&that_update, FALSE, new ? "replaced":"retained");
 	return new;
diff --git a/src/libstrongswan/plugins/x509/x509_crl.c b/src/libstrongswan/plugins/x509/x509_crl.c
index 8375d88ef..fd14dfebd 100644
--- a/src/libstrongswan/plugins/x509/x509_crl.c
+++ b/src/libstrongswan/plugins/x509/x509_crl.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: x509_crl.c 4576 2008-11-05 08:32:38Z martin $
+ * $Id: x509_crl.c 4936 2009-03-12 18:07:32Z tobias $
  */
 
 #include "x509_crl.h"
@@ -539,7 +539,7 @@ static bool is_newer(private_x509_crl_t *this, crl_t *that)
 		this_cert->get_validity(this_cert, &now, &this_update, NULL);
 		that_cert->get_validity(that_cert, &now, &that_update, NULL);
 		new = this_update > that_update;
-		DBG1("  crl from %#T is %s - existing crl from %#T %s",
+		DBG1("  crl from %T is %s - existing crl from %T %s",
 				&this_update, FALSE, new ? "newer":"not newer",
 				&that_update, FALSE, new ? "replaced":"retained");
 	}
diff --git a/src/libstrongswan/plugins/x509/x509_ocsp_response.c b/src/libstrongswan/plugins/x509/x509_ocsp_response.c
index 01f35864d..6bb59d8e6 100644
--- a/src/libstrongswan/plugins/x509/x509_ocsp_response.c
+++ b/src/libstrongswan/plugins/x509/x509_ocsp_response.c
@@ -1,7 +1,7 @@
 /**
  * Copyright (C) 2008 Martin Willi
  * Copyright (C) 2007 Andreas Steffen
- * Hochschule für Technik Rapperswil
+ * Hochschule fuer Technik Rapperswil
  * Copyright (C) 2003 Christoph Gysin, Simon Zwahlen
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -14,7 +14,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: x509_ocsp_response.c 4317 2008-09-02 11:00:13Z martin $
+ * $Id: x509_ocsp_response.c 4936 2009-03-12 18:07:32Z tobias $
  */
 
 #include "x509_ocsp_response.h"
@@ -806,7 +806,7 @@ static bool is_newer(certificate_t *this, certificate_t *that)
 	this->get_validity(this, &now, &this_update, NULL);
 	that->get_validity(that, &now, &that_update, NULL);
 	new = this_update > that_update;
-	DBG1("  ocsp response from %#T is %s - existing ocsp response from %#T %s",
+	DBG1("  ocsp response from %T is %s - existing ocsp response from %T %s",
 				&this_update, FALSE, new ? "newer":"not newer",
 				&that_update, FALSE, new ? "replaced":"retained");
 	return new;
diff --git a/src/libstrongswan/printf_hook.c b/src/libstrongswan/printf_hook.c
index d0046928f..ceace27da 100644
--- a/src/libstrongswan/printf_hook.c
+++ b/src/libstrongswan/printf_hook.c
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2009 Tobias Brunner
  * Copyright (C) 2006-2008 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -12,14 +13,23 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: printf_hook.c 3589 2008-03-13 14:14:44Z martin $
+ * $Id: printf_hook.c 4975 2009-03-19 08:54:39Z martin $
  */
 
 #include "printf_hook.h"
 
 #include <utils.h>
+#include <debug.h>
+
+#include <stdio.h>
+#include <stdarg.h>
+#include <string.h>
 
 typedef struct private_printf_hook_t private_printf_hook_t;
+typedef struct printf_hook_handler_t printf_hook_handler_t;
+
+#define PRINTF_BUF_LEN 8192
+#define ARGS_MAX 3
 
 /**
  * private data of printf_hook
@@ -32,13 +42,340 @@ struct private_printf_hook_t {
 	printf_hook_t public;
 };
 
+/**
+ * struct with information about a registered handler
+ */
+struct printf_hook_handler_t {
+	
+	/**
+	 * callback function
+	 */
+	printf_hook_function_t hook;
+	
+	/**
+	 * number of arguments
+	 */
+	int numargs;
+	
+	/**
+	 * types of the arguments
+	 */
+	int argtypes[ARGS_MAX];
+
+#ifndef HAVE_PRINTF_HOOKS
+	/**
+	 * name required for Vstr
+	 */
+	char *name;
+#endif
+};
+
+/* A-Z | 6 other chars | a-z */
+#define NUM_HANDLERS 58
+static printf_hook_handler_t *printf_hooks[NUM_HANDLERS];
+
+#define SPEC_TO_INDEX(spec) ((int)(spec) - (int)'A')
+#define IS_VALID_SPEC(spec) (SPEC_TO_INDEX(spec) > -1 && SPEC_TO_INDEX(spec) < NUM_HANDLERS)
+
+#ifdef HAVE_PRINTF_HOOKS
+
+/**
+ * Printf hook print function. This is actually of type "printf_function",
+ * however glibc does it typedef to function, but uclibc to a pointer.
+ * So we redefine it here.
+ */
+static int custom_print(FILE *stream, const struct printf_info *info,
+						const void *const *args)
+{
+	int written;
+	char buf[PRINTF_BUF_LEN];
+	printf_hook_spec_t spec;
+	printf_hook_handler_t *handler = printf_hooks[SPEC_TO_INDEX(info->spec)];
+	
+	spec.hash = info->alt;
+	spec.minus = info->left;
+	spec.width = info->width;
+	
+	written = handler->hook(buf, sizeof(buf), &spec, args);
+	if (written > 0)
+	{
+		ignore_result(fwrite(buf, 1, written, stream));
+	}
+	return written;
+}
+
+/**
+ * Printf hook arginfo function, which is actually of type
+ * "printf_arginfo_function".
+ */
+static int custom_arginfo(const struct printf_info *info, size_t n, int *argtypes)
+{
+	int i;
+	printf_hook_handler_t *handler = printf_hooks[SPEC_TO_INDEX(info->spec)];
+	
+	if (handler->numargs <= n)
+	{
+		for (i = 0; i < handler->numargs; ++i)
+		{
+			argtypes[i] = handler->argtypes[i];
+		}
+	}
+	return handler->numargs;
+}
+
+#else
+
+#include <errno.h>
+#include <unistd.h> /* for STDOUT_FILENO */
+
+/**
+ * Vstr custom format specifier callback function.
+ */
+static int custom_fmt_cb(Vstr_base *base, size_t pos, Vstr_fmt_spec *fmt_spec)
+{
+	int i, written;
+	char buf[PRINTF_BUF_LEN];
+	const void *args[ARGS_MAX];
+	printf_hook_spec_t spec;
+	printf_hook_handler_t *handler = printf_hooks[SPEC_TO_INDEX(fmt_spec->name[0])];
+	
+	for (i = 0; i < handler->numargs; i++)
+	{
+		switch(handler->argtypes[i])
+		{
+			case PRINTF_HOOK_ARGTYPE_INT:
+				args[i] = VSTR_FMT_CB_ARG_PTR(fmt_spec, i);
+				break;
+			case PRINTF_HOOK_ARGTYPE_POINTER:
+				args[i] = &VSTR_FMT_CB_ARG_PTR(fmt_spec, i);
+				break;
+		}
+	}
+	
+	spec.hash = fmt_spec->fmt_hash;
+	spec.minus = fmt_spec->fmt_minus;
+	spec.width = fmt_spec->fmt_field_width;
+	
+	written = handler->hook(buf, sizeof(buf), &spec, args);
+	if (written > 0)
+	{
+		vstr_add_buf(base, pos, buf, written);
+	}
+	return TRUE;
+}
+
+/**
+ * Add a custom format handler to the given Vstr_conf object 
+ */
+static void vstr_fmt_add_handler(Vstr_conf *conf, printf_hook_handler_t *handler)
+{
+	int *at = handler->argtypes;
+	switch(handler->numargs)
+	{
+		case 1:
+			vstr_fmt_add(conf, handler->name, custom_fmt_cb, at[0], VSTR_TYPE_FMT_END);
+			break;
+		case 2:
+			vstr_fmt_add(conf, handler->name, custom_fmt_cb, at[0], at[1], VSTR_TYPE_FMT_END);
+			break;
+		case 3:
+			vstr_fmt_add(conf, handler->name, custom_fmt_cb, at[0], at[1], at[2], VSTR_TYPE_FMT_END);
+			break;
+	}
+}
+
+/**
+ * Management of thread-specific Vstr_conf objects
+ */
+#include <pthread.h>
+
+static pthread_key_t vstr_conf_key;
+static pthread_once_t vstr_conf_key_once = PTHREAD_ONCE_INIT;
+
+static void init_vstr_conf_key(void)
+{
+	pthread_key_create(&vstr_conf_key, (void*)vstr_free_conf);
+}
+
+static Vstr_conf *create_vstr_conf()
+{
+	int i;
+	Vstr_conf *conf = vstr_make_conf();
+	vstr_cntl_conf(conf, VSTR_CNTL_CONF_SET_FMT_CHAR_ESC, '%');
+	vstr_cntl_conf(conf, VSTR_CNTL_CONF_SET_TYPE_GRPALLOC_CACHE,
+						 VSTR_TYPE_CNTL_CONF_GRPALLOC_CSTR);
+	vstr_cntl_conf(conf, VSTR_CNTL_CONF_SET_NUM_BUF_SZ, PRINTF_BUF_LEN);
+	for (i = 0; i < NUM_HANDLERS; ++i)
+	{
+		printf_hook_handler_t *handler = printf_hooks[i];
+		if (handler)
+		{
+			vstr_fmt_add_handler(conf, handler);
+		}
+	}
+	return conf;
+}
+
+static inline Vstr_conf *get_vstr_conf()
+{
+	Vstr_conf *conf;
+	pthread_once(&vstr_conf_key_once, init_vstr_conf_key);
+	conf = (Vstr_conf*)pthread_getspecific(vstr_conf_key);
+	if (!conf)
+	{
+		conf = create_vstr_conf();
+		pthread_setspecific(vstr_conf_key, conf);
+	}
+	return conf;
+}
+
+/**
+ * Wrapper functions for printf and alike
+ */
+int vstr_wrapper_printf(const char *format, ...)
+{
+	int written;
+	va_list args;
+	va_start(args, format);
+	written = vstr_wrapper_vprintf(format, args);
+	va_end(args);
+	return written;
+}
+int vstr_wrapper_fprintf(FILE *stream, const char *format, ...)
+{
+	int written;
+	va_list args;
+	va_start(args, format);
+	written = vstr_wrapper_vfprintf(stream, format, args);
+	va_end(args);
+	return written;
+}
+int vstr_wrapper_sprintf(char *str, const char *format, ...)
+{
+	int written;
+	va_list args;
+	va_start(args, format);
+	written = vstr_wrapper_vsprintf(str, format, args);
+	va_end(args);
+	return written;
+}
+int vstr_wrapper_snprintf(char *str, size_t size, const char *format, ...)
+{
+	int written;
+	va_list args;
+	va_start(args, format);
+	written = vstr_wrapper_vsnprintf(str, size, format, args);
+	va_end(args);
+	return written;
+}
+static inline int vstr_wrapper_vprintf_internal(int fd, const char *format,
+												va_list args)
+{
+	int written;
+	Vstr_conf *conf = get_vstr_conf();
+	Vstr_base *s = vstr_make_base(conf);
+	vstr_add_vfmt(s, 0, format, args);
+	written = s->len;
+	while (s->len)
+	{
+		if (!vstr_sc_write_fd(s, 1, s->len, fd, NULL))
+		{
+			if (errno != EAGAIN && errno != EINTR)
+			{
+				written -= s->len;
+				break;
+			}
+		}
+	}
+	vstr_free_base(s);
+	return written;
+}
+int vstr_wrapper_vprintf(const char *format, va_list args)
+{
+	return vstr_wrapper_vprintf_internal(STDOUT_FILENO, format, args);
+}
+int vstr_wrapper_vfprintf(FILE *stream, const char *format, va_list args)
+{
+	return vstr_wrapper_vprintf_internal(fileno(stream), format, args);
+}
+static inline int vstr_wrapper_vsnprintf_internal(char *str, size_t size,
+												  const char *format,
+												  va_list args)
+{
+	int written;
+	Vstr_conf *conf = get_vstr_conf();
+	Vstr_base *s = vstr_make_base(conf);
+	vstr_add_vfmt(s, 0, format, args);
+	written = s->len;
+	vstr_export_cstr_buf(s, 1, s->len, str, (size > 0) ? size : s->len + 1);
+	vstr_free_base(s);
+	return written;
+}
+int vstr_wrapper_vsprintf(char *str, const char *format, va_list args)
+{
+	return vstr_wrapper_vsnprintf_internal(str, 0, format, args);
+}
+int vstr_wrapper_vsnprintf(char *str, size_t size, const char *format,
+						   va_list args)
+{
+	return (size > 0) ? vstr_wrapper_vsnprintf_internal(str, size, format, args) : 0;
+}
+
+#endif
+
 /**
  * Implementation of printf_hook_t.add_handler.
  */
-static void add_handler(private_printf_hook_t *this, char spec, 
-						printf_hook_functions_t hook)
+static void add_handler(private_printf_hook_t *this, char spec,
+						printf_hook_function_t hook, ...)
 {
-	register_printf_function(spec, hook.print, hook.arginfo);
+	int i = -1;
+	printf_hook_handler_t *handler;
+	printf_hook_argtype_t argtype;
+	va_list args;
+	
+	if (!IS_VALID_SPEC(spec))
+	{
+		DBG1("'%c' is not a valid printf hook specifier, not registered!", spec);
+		return;
+	}
+	
+	handler = malloc_thing(printf_hook_handler_t); 
+	handler->hook = hook;
+	
+	va_start(args, hook);
+	while ((argtype = va_arg(args, printf_hook_argtype_t)) != PRINTF_HOOK_ARGTYPE_END)
+	{
+		if (++i >= ARGS_MAX)
+		{
+			DBG1("Too many arguments for printf hook with specifier '%c', not registered!", spec);
+			va_end(args);
+			free(handler);
+			return;
+		}
+		handler->argtypes[i] = argtype;
+	}
+	va_end(args);
+	
+	handler->numargs = i + 1;
+	
+	if (handler->numargs > 0)
+	{
+#ifdef HAVE_PRINTF_HOOKS
+		register_printf_function(spec, custom_print, custom_arginfo);
+#else
+		Vstr_conf *conf = get_vstr_conf();
+		handler->name = malloc(2);
+		handler->name[0] = spec;
+		handler->name[1] = '\0';
+		vstr_fmt_add_handler(conf, handler);
+#endif
+		printf_hooks[SPEC_TO_INDEX(spec)] = handler;
+	}
+	else
+	{
+		free(handler);
+	}
 }
 
 /**
@@ -46,6 +383,30 @@ static void add_handler(private_printf_hook_t *this, char spec,
  */
 static void destroy(private_printf_hook_t *this)
 {
+	int i;
+#ifndef HAVE_PRINTF_HOOKS
+	Vstr_conf *conf = get_vstr_conf();
+#endif
+	
+	for (i = 0; i < NUM_HANDLERS; ++i)
+	{
+		printf_hook_handler_t *handler = printf_hooks[i];
+		if (handler)
+		{
+#ifndef HAVE_PRINTF_HOOKS
+			vstr_fmt_del(conf, handler->name);
+			free(handler->name);
+#endif
+			free(handler);
+		}
+	}
+	
+#ifndef HAVE_PRINTF_HOOKS
+	/* freeing the Vstr_conf of the main thread */
+	pthread_key_delete(vstr_conf_key);
+	vstr_free_conf(conf);
+	vstr_exit();
+#endif
 	free(this);
 }
 
@@ -56,9 +417,19 @@ printf_hook_t *printf_hook_create()
 {
 	private_printf_hook_t *this = malloc_thing(private_printf_hook_t);
 	
-	this->public.add_handler = (void(*)(printf_hook_t*, char, printf_hook_functions_t))add_handler;
+	this->public.add_handler = (void(*)(printf_hook_t*, char, printf_hook_function_t, ...))add_handler;
 	this->public.destroy = (void(*)(printf_hook_t*))destroy;
 	
+	memset(printf_hooks, 0, sizeof(printf_hooks));
+	
+#ifndef HAVE_PRINTF_HOOKS
+	if (!vstr_init())
+	{
+		DBG1("failed to initialize Vstr library!");
+		free(this);
+		return NULL;
+	}
+#endif
 	
 	return &this->public;
 }
diff --git a/src/libstrongswan/printf_hook.h b/src/libstrongswan/printf_hook.h
index 416db1a7f..d2edbdd22 100644
--- a/src/libstrongswan/printf_hook.h
+++ b/src/libstrongswan/printf_hook.h
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2009 Tobias Brunner
  * Copyright (C) 2006-2008 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -12,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: printf_hook.h 3749 2008-04-04 11:37:19Z martin $
+ * $Id: printf_hook.h 4936 2009-03-12 18:07:32Z tobias $
  */
 
 /**
@@ -24,30 +25,103 @@
 #define PRINTF_HOOK_H_
 
 typedef struct printf_hook_t printf_hook_t;
-typedef struct printf_hook_functions_t printf_hook_functions_t;
+typedef struct printf_hook_spec_t printf_hook_spec_t;
+typedef enum printf_hook_argtype_t printf_hook_argtype_t;
+
+#ifdef HAVE_PRINTF_HOOKS
 
 #include <printf.h>
 
+enum printf_hook_argtype_t {
+	PRINTF_HOOK_ARGTYPE_END = PA_LAST,
+	PRINTF_HOOK_ARGTYPE_INT = PA_INT,
+	PRINTF_HOOK_ARGTYPE_POINTER = PA_POINTER,
+};
+
+#else
+
+#include <vstr.h>
+
+enum printf_hook_argtype_t {
+	PRINTF_HOOK_ARGTYPE_END = VSTR_TYPE_FMT_END,
+	PRINTF_HOOK_ARGTYPE_INT = VSTR_TYPE_FMT_INT,
+	PRINTF_HOOK_ARGTYPE_POINTER = VSTR_TYPE_FMT_PTR_VOID,
+};
+
 /**
- * Printf hook function set.
- *
- * A printf hook has two functions, one to print the string, one to read
- * in the number of arguments. See <printf.h>.
+ * Redefining printf and alike
+ */
+#include <stdio.h>
+#include <stdarg.h>
+
+int vstr_wrapper_printf(const char *format, ...);
+int vstr_wrapper_fprintf(FILE *stream, const char *format, ...);
+int vstr_wrapper_sprintf(char *str, const char *format, ...);
+int vstr_wrapper_snprintf(char *str, size_t size, const char *format, ...);
+
+int vstr_wrapper_vprintf(const char *format, va_list ap);
+int vstr_wrapper_vfprintf(FILE *stream, const char *format, va_list ap);
+int vstr_wrapper_vsprintf(char *str, const char *format, va_list ap);
+int vstr_wrapper_vsnprintf(char *str, size_t size, const char *format, va_list ap);
+
+#define printf vstr_wrapper_printf
+#define fprintf vstr_wrapper_fprintf
+#define sprintf vstr_wrapper_sprintf
+#define snprintf vstr_wrapper_snprintf
+
+#define vprintf vstr_wrapper_vprintf
+#define vfprintf vstr_wrapper_vfprintf
+#define vsprintf vstr_wrapper_vsprintf
+#define vsnprintf vstr_wrapper_vsnprintf
+
+#endif
+
+/**
+ * Callback function type for printf hooks.
+ * 
+ * @param dst		destination buffer
+ * @param len		length of the buffer
+ * @param spec		format specifier
+ * @param args		arguments array
+ * @return 			number of characters written
+ */
+typedef int (*printf_hook_function_t)(char *dst, size_t len,
+									  printf_hook_spec_t *spec,
+									  const void *const *args);
+
+/**
+ * Helper macro to be used in printf hook callbacks.
+ * buf and buflen get modified.
  */
-struct printf_hook_functions_t {
+#define print_in_hook(buf, buflen, fmt, ...) ({\
+	int _written = snprintf(buf, buflen, fmt, ##__VA_ARGS__);\
+	if (_written < 0 || _written >= buflen)\
+	{\
+		_written = buflen - 1;\
+	}\
+	buf += _written;\
+	buflen -= _written;\
+	_written;\
+})
 
+/**
+ * Properties of the format specifier
+ */
+struct printf_hook_spec_t {
+	/**
+	 * TRUE if a '#' was used in the format specifier
+	 */
+	int hash;
+	
 	/**
-	 * Printf hook print function. This is actually of type "printf_function",
-	 * however glibc does it typedef to function, but uclibc to a pointer.
-	 * So we redefine it here.
+	 * TRUE if a '-' was used in the format specifier
 	 */
-	int (*print)(FILE *, const struct printf_info *info, const void *const *args);
+	int minus;
 	
 	/**
-	 * Printf hook arginfo function, which is actually of type
-	 * "printf_arginfo_function".
+	 * The width as given in the format specifier.
 	 */
-	int (*arginfo)(const struct printf_info *info, size_t n, int *argtypes);
+	int width;
 };
 
 /**
@@ -59,10 +133,11 @@ struct printf_hook_t {
 	 * Register a printf handler.
 	 *
 	 * @param spec		printf hook format character
-	 * @param hook		hook functions
+	 * @param hook		hook function
+	 * @param ...		list of PRINTF_HOOK_ARGTYPE_*, MUST end with PRINTF_HOOK_ARGTYPE_END
 	 */
 	void (*add_handler)(printf_hook_t *this, char spec,
-						printf_hook_functions_t hook);
+						printf_hook_function_t hook, ...);
 	
 	/**
      * Destroy a printf_hook instance.
diff --git a/src/libstrongswan/utils.c b/src/libstrongswan/utils.c
index 4e6a09c4f..be0e8e9e5 100644
--- a/src/libstrongswan/utils.c
+++ b/src/libstrongswan/utils.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2008-2009 Tobias Brunner
  * Copyright (C) 2005-2008 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: utils.c 4742 2008-12-03 09:45:58Z tobias $
+ * $Id: utils.c 4936 2009-03-12 18:07:32Z tobias $
  */
 
 #include "utils.h"
@@ -187,27 +187,23 @@ bool ref_put(refcount_t *ref)
 #endif /* HAVE_GCC_ATOMIC_OPERATIONS */
 
 /**
- * output handler in printf() for time_t
+ * Described in header.
  */
-static int time_print(FILE *stream, const struct printf_info *info,
-					  const void *const *args)
+int time_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
+					 const void *const *args)
 {
 	static const char* months[] = {
 		"Jan", "Feb", "Mar", "Apr", "May", "Jun",
 		"Jul", "Aug", "Sep", "Oct", "Nov", "Dec"
 	};
 	time_t *time = *((time_t**)(args[0]));
-	bool utc = TRUE;
+	bool utc = *((bool*)(args[1]));;
 	struct tm t;
 	
-	if (info->alt)
-	{
-		utc = *((bool*)(args[1]));
-	}
 	if (time == UNDEFINED_TIME)
 	{
-		return fprintf(stream, "--- -- --:--:--%s----",
-					   info->alt ? " UTC " : " ");
+		return print_in_hook(dst, len, "--- -- --:--:--%s----",
+							 utc ? " UTC " : " ");
 	}
 	if (utc)
 	{
@@ -217,54 +213,22 @@ static int time_print(FILE *stream, const struct printf_info *info,
 	{
 		localtime_r(time, &t);
 	}
-	return fprintf(stream, "%s %02d %02d:%02d:%02d%s%04d",
-				   months[t.tm_mon], t.tm_mday, t.tm_hour, t.tm_min,
-				   t.tm_sec, utc ? " UTC " : " ", t.tm_year + 1900);
-}
-
-/**
- * arginfo handler for printf() time
- */
-static int time_arginfo(const struct printf_info *info, size_t n, int *argtypes)
-{
-	if (info->alt)
-	{
-		if (n > 1)
-		{
-			argtypes[0] = PA_POINTER;
-			argtypes[1] = PA_INT;
-		}
-		return 2;
-	}
-	
-	if (n > 0)
-	{
-		argtypes[0] = PA_POINTER;
-	}
-	return 1;
+	return print_in_hook(dst, len, "%s %02d %02d:%02d:%02d%s%04d",
+						 months[t.tm_mon], t.tm_mday, t.tm_hour, t.tm_min,
+						 t.tm_sec, utc ? " UTC " : " ", t.tm_year + 1900);
 }
 
 /**
- * output handler in printf() for time deltas
+ * Described in header.
  */
-static int time_delta_print(FILE *stream, const struct printf_info *info,
-							const void *const *args)
+int time_delta_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
+						   const void *const *args)
 {
 	char* unit = "second";
-	time_t *arg1, *arg2;
-	time_t delta;
+	time_t *arg1 = *((time_t**)(args[0]));
+	time_t *arg2 = *((time_t**)(args[1]));
+	time_t delta = abs(*arg1 - *arg2);
 	
-	arg1 = *((time_t**)(args[0]));
-	if (info->alt)
-	{
-		arg2 = *((time_t**)(args[1]));
-		delta = abs(*arg1 - *arg2);
-	}
-	else
-	{
-		delta = *arg1;
-	}
-
 	if (delta > 2 * 60 * 60 * 24)
 	{
 		delta /= 60 * 60 * 24;
@@ -280,29 +244,7 @@ static int time_delta_print(FILE *stream, const struct printf_info *info,
 		delta /= 60;
 		unit = "minute";
 	}
-	return fprintf(stream, "%d %s%s", delta, unit, (delta == 1)? "":"s");
-}
-
-/**
- * arginfo handler for printf() time deltas
- */
-int time_delta_arginfo(const struct printf_info *info, size_t n, int *argtypes)
-{
-	if (info->alt)
-	{
-		if (n > 1)
-		{
-			argtypes[0] = PA_POINTER;
-			argtypes[1] = PA_POINTER;
-		}
-		return 2;
-	}
-	
-	if (n > 0)
-	{
-		argtypes[0] = PA_POINTER;
-	}
-	return 1;
+	return print_in_hook(dst, len, "%d %s%s", delta, unit, (delta == 1)? "":"s");
 }
 
 /**
@@ -313,10 +255,10 @@ int time_delta_arginfo(const struct printf_info *info, size_t n, int *argtypes)
 static char hexdig_upper[] = "0123456789ABCDEF";
 
 /**
- * output handler in printf() for mem ranges
+ * Described in header.
  */
-static int mem_print(FILE *stream, const struct printf_info *info,
-					 const void *const *args)
+int mem_printf_hook(char *dst, size_t dstlen,
+					printf_hook_spec_t *spec, const void *const *args)
 {
 	char *bytes = *((void**)(args[0]));
 	int len = *((size_t*)(args[1]));
@@ -330,7 +272,7 @@ static int mem_print(FILE *stream, const struct printf_info *info,
 	int i = 0;
 	int written = 0;
 	
-	written += fprintf(stream, "=> %d bytes @ %p", len, bytes);
+	written += print_in_hook(dst, dstlen, "=> %d bytes @ %p", len, bytes);
 	
 	while (bytes_pos < bytes_roof)
 	{
@@ -343,7 +285,6 @@ static int mem_print(FILE *stream, const struct printf_info *info,
 		if (++bytes_pos == bytes_roof || i == BYTES_PER_LINE) 
 		{
 			int padding = 3 * (BYTES_PER_LINE - i);
-			int written;
 			
 			while (padding--)
 			{
@@ -352,9 +293,8 @@ static int mem_print(FILE *stream, const struct printf_info *info,
 			*buffer_pos++ = '\0';
 			ascii_buffer[i] = '\0';
 			
-			written += fprintf(stream, "\n%4d: %s  %s",
-							   line_start, buffer, ascii_buffer);
-
+			written += print_in_hook(dst, dstlen, "\n%4d: %s  %s",
+								     line_start, buffer, ascii_buffer);
 			
 			buffer_pos = buffer;
 			line_start += BYTES_PER_LINE;
@@ -367,47 +307,3 @@ static int mem_print(FILE *stream, const struct printf_info *info,
 	}
 	return written;
 }
-
-/**
- * arginfo handler for printf() mem ranges
- */
-int mem_arginfo(const struct printf_info *info, size_t n, int *argtypes)
-{
-	if (n > 1)
-	{
-		argtypes[0] = PA_POINTER;
-		argtypes[1] = PA_INT;
-	}
-	return 2;
-}
-
-/**
- * return printf hook functions for a time
- */
-printf_hook_functions_t time_get_printf_hooks()
-{
-	printf_hook_functions_t hooks = {time_print, time_arginfo};
-	
-	return hooks;
-}
-
-/**
- * return printf hook functions for a time delta
- */
-printf_hook_functions_t time_delta_get_printf_hooks()
-{
-	printf_hook_functions_t hooks = {time_delta_print, time_delta_arginfo};
-	
-	return hooks;
-}
-
-/**
- * return printf hook functions for mem ranges
- */
-printf_hook_functions_t mem_get_printf_hooks()
-{
-	printf_hook_functions_t hooks = {mem_print, mem_arginfo};
-	
-	return hooks;
-}
-
diff --git a/src/libstrongswan/utils.h b/src/libstrongswan/utils.h
index b26a17b01..01d01576e 100644
--- a/src/libstrongswan/utils.h
+++ b/src/libstrongswan/utils.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2008-2009 Tobias Brunner
  * Copyright (C) 2008 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: utils.h 4742 2008-12-03 09:45:58Z tobias $
+ * $Id: utils.h 4936 2009-03-12 18:07:32Z tobias $
  */
 
 /**
@@ -285,31 +285,30 @@ bool ref_put(refcount_t *ref);
 #endif /* HAVE_GCC_ATOMIC_OPERATIONS */
 
 /**
- * Get printf hooks for time.
+ * printf hook for time_t.
  *
  * Arguments are: 
- *    time_t* time
- * Arguments using #-specificer
  *    time_t* time, bool utc
  */
-printf_hook_functions_t time_get_printf_hooks();
+int time_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
+					 const void *const *args);
 
 /**
- * Get printf hooks for time deltas.
+ * printf hook for time_t deltas.
  *
  * Arguments are: 
- *    time_t* delta
- * Arguments using #-specificer
  *    time_t* begin, time_t* end
  */
-printf_hook_functions_t time_delta_get_printf_hooks();
+int time_delta_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
+						   const void *const *args);
 
 /**
- * Get printf hooks for time deltas.
+ * printf hook for memory areas.
  *
  * Arguments are: 
  *    u_char *ptr, int len
  */
-printf_hook_functions_t mem_get_printf_hooks();
+int mem_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
+					const void *const *args);
 
 #endif /* UTILS_H_ @}*/
diff --git a/src/libstrongswan/utils/hashtable.c b/src/libstrongswan/utils/hashtable.c
index 892d08b6c..27a7a66c1 100644
--- a/src/libstrongswan/utils/hashtable.c
+++ b/src/libstrongswan/utils/hashtable.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: hashtable.c 4812 2008-12-17 09:56:05Z tobias $
+ * $Id: hashtable.c 4936 2009-03-12 18:07:32Z tobias $
  */
 
 #include <utils/linked_list.h>
@@ -282,7 +282,7 @@ static void *get(private_hashtable_t *this, void *key)
 /**
  * Implementation of hashtable_t.remove
  */
-static void *remove(private_hashtable_t *this, void *key)
+static void *remove_(private_hashtable_t *this, void *key)
 {
 	void *value = NULL;
 	linked_list_t *list;
@@ -414,7 +414,7 @@ hashtable_t *hashtable_create(hashtable_hash_t hash, hashtable_equals_t equals,
 
 	this->public.put = (void*(*)(hashtable_t*,void*,void*))put;
 	this->public.get = (void*(*)(hashtable_t*,void*))get; 
-	this->public.remove = (void*(*)(hashtable_t*,void*))remove;
+	this->public.remove = (void*(*)(hashtable_t*,void*))remove_;
 	this->public.get_count = (u_int(*)(hashtable_t*))get_count;
 	this->public.create_enumerator = (enumerator_t*(*)(hashtable_t*))create_enumerator;
 	this->public.destroy = (void(*)(hashtable_t*))destroy;
diff --git a/src/libstrongswan/utils/host.c b/src/libstrongswan/utils/host.c
index 719c5a529..a40c42c49 100644
--- a/src/libstrongswan/utils/host.c
+++ b/src/libstrongswan/utils/host.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006-2007 Tobias Brunner
+ * Copyright (C) 2006-2009 Tobias Brunner
  * Copyright (C) 2006 Daniel Roethlisberger
  * Copyright (C) 2005-2006 Martin Willi
  * Copyright (C) 2005 Jan Hutter
@@ -15,13 +15,12 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: host.c 4856 2009-02-05 22:13:48Z andreas $
+ * $Id: host.c 4977 2009-03-19 09:16:03Z martin $
  */
 
 #define _GNU_SOURCE
 #include <netdb.h>
 #include <string.h>
-#include <printf.h>
 
 #include "host.h"
 
@@ -106,10 +105,10 @@ static bool is_anyaddr(private_host_t *this)
 }
 
 /**
- * output handler in printf()
+ * Described in header.
  */
-static int print(FILE *stream, const struct printf_info *info,
-				 const void *const *args)
+int host_printf_hook(char *dst, size_t dstlen, printf_hook_spec_t *spec,
+					 const void *const *args)
 {
 	private_host_t *this = *((private_host_t**)(args[0]));
 	char buffer[INET6_ADDRSTRLEN + 16];
@@ -120,7 +119,8 @@ static int print(FILE *stream, const struct printf_info *info,
 	}
 	else if (is_anyaddr(this))
 	{
-		snprintf(buffer, sizeof(buffer), "%%any");
+		snprintf(buffer, sizeof(buffer), "%%any%s",
+				 this->address.sa_family == AF_INET6 ? "6" : "");
 	}
 	else
 	{
@@ -145,7 +145,7 @@ static int print(FILE *stream, const struct printf_info *info,
 					snprintf(buffer, sizeof(buffer),
 							 "(address conversion failed)");
 				}
-				else if (info->alt)
+				else if (spec->hash)
 				{
 					len = strlen(buffer);
 					snprintf(buffer + len, sizeof(buffer) - len,
@@ -157,34 +157,11 @@ static int print(FILE *stream, const struct printf_info *info,
 				break;
 		}
 	}
-	if (info->left)
+	if (spec->minus)
 	{
-		return fprintf(stream, "%-*s", info->width, buffer);
+		return print_in_hook(dst, dstlen, "%-*s", spec->width, buffer);
 	}
-	return fprintf(stream, "%*s", info->width, buffer);
-}
-
-
-/**
- * arginfo handler for printf() hosts
- */
-int arginfo(const struct printf_info *info, size_t n, int *argtypes)
-{
-	if (n > 0)
-	{
-		argtypes[0] = PA_POINTER;
-	}
-	return 1;
-}
-
-/**
- * return printf hook functions for a host
- */
-printf_hook_functions_t host_get_printf_hooks()
-{
-	printf_hook_functions_t hooks = {print, arginfo};
-	
-	return hooks;
+	return print_in_hook(dst, dstlen, "%*s", spec->width, buffer);
 }
 
 /**
@@ -387,6 +364,18 @@ static private_host_t *host_create_empty(void)
 	return this;
 }
 
+/*
+ * Create a %any host with port
+ */
+static host_t *host_create_any_port(int family, u_int16_t port)
+{
+	host_t *this;
+	
+	this = host_create_any(family);
+	this->set_port(this, port);
+	return this;
+}
+
 /*
  * Described in header.
  */
@@ -396,7 +385,11 @@ host_t *host_create_from_string(char *string, u_int16_t port)
 	
 	if (streq(string, "%any"))
 	{
-		return host_create_any(AF_INET);
+		return host_create_any_port(AF_INET, port);
+	}
+	if (streq(string, "%any6"))
+	{
+		return host_create_any_port(AF_INET6, port);
 	}
 	
 	this = host_create_empty();
@@ -451,11 +444,11 @@ host_t *host_create_from_dns(char *string, int af, u_int16_t port)
 
 	if (streq(string, "%any"))
 	{
-		return host_create_any(af ? af : AF_INET);
+		return host_create_any_port(af ? af : AF_INET, port);
 	}
 	if (streq(string, "%any6"))
 	{
-		return host_create_any(af ? af : AF_INET6);
+		return host_create_any_port(af ? af : AF_INET6, port);
 	}
 	else if (strchr(string, ':'))
 	{
diff --git a/src/libstrongswan/utils/host.h b/src/libstrongswan/utils/host.h
index 667cc6bcc..5f00872b8 100644
--- a/src/libstrongswan/utils/host.h
+++ b/src/libstrongswan/utils/host.h
@@ -1,7 +1,7 @@
 /*
- * Copyright (C) 2005-2008 Martin Willi
- * Copyright (C) 2006-2007 Tobias Brunner
+ * Copyright (C) 2006-2009 Tobias Brunner
  * Copyright (C) 2006 Daniel Roethlisberger
+ * Copyright (C) 2005-2008 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
  *
@@ -198,12 +198,13 @@ host_t *host_create_from_sockaddr(sockaddr_t *sockaddr);
 host_t *host_create_any(int family);
 
 /**
- * Get printf hooks for a host.
+ * printf hook function for host_t.
  *
  * Arguments are: 
  *    host_t *host
  * Use #-modifier to include port number
  */
-printf_hook_functions_t host_get_printf_hooks();
+int host_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
+					 const void *const *args);
 
 #endif /* HOST_H_ @}*/
diff --git a/src/libstrongswan/utils/identification.c b/src/libstrongswan/utils/identification.c
index 529e62509..ff97f3610 100644
--- a/src/libstrongswan/utils/identification.c
+++ b/src/libstrongswan/utils/identification.c
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2009 Tobias Brunner
  * Copyright (C) 2005-2008 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
@@ -13,7 +14,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: identification.c 4856 2009-02-05 22:13:48Z andreas $
+ * $Id: identification.c 4936 2009-03-12 18:07:32Z tobias $
  */
 
 #define _GNU_SOURCE
@@ -23,7 +24,6 @@
 #include <string.h>
 #include <stdio.h>
 #include <ctype.h>
-#include <printf.h>
 
 #include "identification.h"
 
@@ -879,10 +879,10 @@ static id_match_t matches_dn(private_identification_t *this,
 }
 
 /**
- * output handler in printf()
+ * Described in header.
  */
-static int print(FILE *stream, const struct printf_info *info,
-						 const void *const *args)
+int identification_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
+							   const void *const *args)
 {
 	private_identification_t *this = *((private_identification_t**)(args[0]));
 	char buf[BUF_LEN];
@@ -890,7 +890,7 @@ static int print(FILE *stream, const struct printf_info *info,
 	
 	if (this == NULL)
 	{
-		return fprintf(stream, "%*s", info->width, "(null)");
+		return print_in_hook(dst, len, "%*s", spec->width, "(null)");
 	}
 	
 	switch (this->type)
@@ -940,33 +940,11 @@ static int print(FILE *stream, const struct printf_info *info,
 			snprintf(buf, sizeof(buf), "(unknown ID type: %d)", this->type);
 			break;
 	}
-	if (info->left)
-	{
-		return fprintf(stream, "%-*s", info->width, buf);
-	}
-	return fprintf(stream, "%*s", info->width, buf);
-}
-
-/**
- * arginfo handler
- */
-static int arginfo(const struct printf_info *info, size_t n, int *argtypes)
-{
-	if (n > 0)
+	if (spec->minus)
 	{
-		argtypes[0] = PA_POINTER;
+		return print_in_hook(dst, len, "%-*s", spec->width, buf);
 	}
-	return 1;
-}
-
-/**
- * Get printf hook functions
- */
-printf_hook_functions_t identification_get_printf_hooks()
-{
-	printf_hook_functions_t hook = {print, arginfo};
-	
-	return hook;
+	return print_in_hook(dst, len, "%*s", spec->width, buf);
 }
 
 /**
diff --git a/src/libstrongswan/utils/identification.h b/src/libstrongswan/utils/identification.h
index 3b895961d..070984490 100644
--- a/src/libstrongswan/utils/identification.h
+++ b/src/libstrongswan/utils/identification.h
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2009 Tobias Brunner
  * Copyright (C) 2005-2006 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
@@ -13,7 +14,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: identification.h 4344 2008-09-17 02:17:01Z andreas $
+ * $Id: identification.h 4936 2009-03-12 18:07:32Z tobias $
  */
  
 /**
@@ -274,10 +275,12 @@ identification_t * identification_create_from_string(char *string);
 identification_t * identification_create_from_encoding(id_type_t type, chunk_t encoded);
 
 /**
- * Get the printf hook functions.
- * 
- * @return			printf hook functions
+ * printf hook function for identification_t.
+ *
+ * Arguments are: 
+ *    identification_t *identification
  */
-printf_hook_functions_t identification_get_printf_hooks();
+int identification_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
+							   const void *const *args);
 
 #endif /* IDENTIFICATION_H_ @} */
diff --git a/src/libstrongswan/utils/leak_detective.c b/src/libstrongswan/utils/leak_detective.c
index 4c56c9596..0e0866fec 100644
--- a/src/libstrongswan/utils/leak_detective.c
+++ b/src/libstrongswan/utils/leak_detective.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: leak_detective.c 4796 2008-12-12 09:10:52Z martin $
+ * $Id: leak_detective.c 4936 2009-03-12 18:07:32Z tobias $
  */
 	
 #define _GNU_SOURCE
@@ -29,7 +29,6 @@
 #include <syslog.h>
 #include <pthread.h>
 #include <netdb.h>
-#include <printf.h>
 #include <locale.h>
 
 #include "leak_detective.h"
diff --git a/src/libstrongswan/utils/linked_list.c b/src/libstrongswan/utils/linked_list.c
index 068d13f99..bfe30b0df 100644
--- a/src/libstrongswan/utils/linked_list.c
+++ b/src/libstrongswan/utils/linked_list.c
@@ -14,7 +14,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: linked_list.c 4580 2008-11-05 11:55:17Z martin $
+ * $Id: linked_list.c 4936 2009-03-12 18:07:32Z tobias $
  */
 
 #include <stdlib.h>
@@ -224,7 +224,7 @@ static void iterator_reset(private_iterator_t *this)
 /**
  * Implementation of iterator_t.remove.
  */
-static status_t remove_(private_iterator_t *this)
+static status_t iterator_remove(private_iterator_t *this)
 {
 	element_t *new_current;
 
@@ -514,8 +514,8 @@ static status_t remove_last(private_linked_list_t *this, void **item)
 /**
  * Implementation of linked_list_t.remove.
  */
-static int remove(private_linked_list_t *this, void *item,
-				  bool (*compare)(void *,void*))
+static int remove_(private_linked_list_t *this, void *item,
+				   bool (*compare)(void *,void*))
 {
 	element_t *current = this->first;
 	int removed = 0;
@@ -727,7 +727,7 @@ static iterator_t *create_iterator(private_linked_list_t *linked_list, bool forw
 	this->public.insert_before = (void (*) (iterator_t*, void *item)) insert_before;
 	this->public.insert_after = (void (*) (iterator_t*, void *item)) insert_after;
 	this->public.replace = (status_t (*) (iterator_t*, void **, void *)) replace;
-	this->public.remove = (status_t (*) (iterator_t*)) remove_;
+	this->public.remove = (status_t (*) (iterator_t*)) iterator_remove;
 	this->public.reset = (void (*) (iterator_t*)) iterator_reset;
 	this->public.destroy = (void (*) (iterator_t*)) iterator_destroy;
 	
@@ -756,7 +756,7 @@ linked_list_t *linked_list_create()
 	this->public.insert_last = (void (*) (linked_list_t *, void *item))insert_last;
 	this->public.remove_first = (status_t (*) (linked_list_t *, void **item))remove_first;
 	this->public.remove_last = (status_t (*) (linked_list_t *, void **item))remove_last;
-	this->public.remove = (int(*)(linked_list_t*, void *item, bool (*compare)(void *,void*)))remove;
+	this->public.remove = (int(*)(linked_list_t*, void *item, bool (*compare)(void *,void*)))remove_;
 	this->public.remove_at = (void(*)(linked_list_t*, enumerator_t *enumerator))remove_at;
 	this->public.invoke_offset = (void (*)(linked_list_t*,size_t,...))invoke_offset;
 	this->public.invoke_function = (void (*)(linked_list_t*,linked_list_invoke_t,...))invoke_function;
diff --git a/src/pluto/asn1.c b/src/pluto/asn1.c
index 7436d4d1a..bd27f6a78 100644
--- a/src/pluto/asn1.c
+++ b/src/pluto/asn1.c
@@ -11,7 +11,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: asn1.c 3451 2008-02-05 19:27:05Z andreas $
+ * RCSID $Id: asn1.c 4942 2009-03-13 20:22:24Z andreas $
  */
 
 #include <stdlib.h>
@@ -75,17 +75,19 @@ const chunk_t ASN1_rsaEncryption_id = strchunk(ASN1_rsaEncryption_id_str);
 const chunk_t ASN1_md5WithRSA_id = strchunk(ASN1_md5WithRSA_id_str);
 const chunk_t ASN1_sha1WithRSA_id = strchunk(ASN1_sha1WithRSA_id_str);
 
-/* ASN.1 definiton of an algorithmIdentifier */
+/* ASN.1 definition of an algorithmIdentifier */
 
 static const asn1Object_t algorithmIdentifierObjects[] = {
-  { 0, "algorithmIdentifier",	ASN1_SEQUENCE,	   ASN1_NONE }, /* 0 */
-  { 1,   "algorithm",		ASN1_OID,	   ASN1_BODY }, /* 1 */
-  { 1,   "parameters",		ASN1_EOC,	   ASN1_RAW  }  /* 2 */
+  { 0, "algorithmIdentifier",	ASN1_SEQUENCE,	ASN1_NONE }, /* 0 */
+  { 1,   "algorithm",		ASN1_OID,	ASN1_BODY }, /* 1 */
+  { 1,   "parameters",		ASN1_EOC,	ASN1_OPT |
+						ASN1_RAW  }, /* 2 */
+  { 1,   "end opt",		ASN1_EOC,	ASN1_END  }  /* 3 */
 };
 
 #define ALGORITHM_ID_ALG		1
 #define ALGORITHM_ID_PARAMETERS		2
-#define ALGORITHM_ID_ROOF		3
+#define ALGORITHM_ID_ROOF		4
 
 /*
  * return the ASN.1 encoded algorithm identifier
@@ -723,7 +725,7 @@ parse_algorithmIdentifier(chunk_t blob, int level0, chunk_t *parameters)
     while (objectID < ALGORITHM_ID_ROOF)
     {
 	if (!extract_object(algorithmIdentifierObjects, &objectID, &object, &level, &ctx))
-	     return OID_UNKNOWN;
+	     return alg;
 
 	switch (objectID)
 	{
diff --git a/src/pluto/connections.c b/src/pluto/connections.c
index 13a004794..cd118cb34 100644
--- a/src/pluto/connections.c
+++ b/src/pluto/connections.c
@@ -11,7 +11,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: connections.c 3686 2008-03-28 11:48:14Z martin $
+ * RCSID $Id: connections.c 4924 2009-03-10 21:13:18Z andreas $
  */
 
 #include <string.h>
@@ -2995,6 +2995,8 @@ terminate_connection(const char *nm)
 	    c->policy &= ~POLICY_UP;
 	    flush_pending_by_connection(c);
 	    delete_states_by_connection(c, FALSE);
+	    if (c->kind == CK_INSTANCE)
+		delete_connection(c, FALSE);
 	    reset_cur_connection();
 	}
 	c = n;
diff --git a/src/pluto/ipsec_doi.c b/src/pluto/ipsec_doi.c
index 88536e6d6..52b59be31 100644
--- a/src/pluto/ipsec_doi.c
+++ b/src/pluto/ipsec_doi.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: ipsec_doi.c 3686 2008-03-28 11:48:14Z martin $
+ * RCSID $Id: ipsec_doi.c 4924 2009-03-10 21:13:18Z andreas $
  */
 
 #include <stdio.h>
@@ -5592,6 +5592,7 @@ dpd_timeout(struct state *st)
     struct state *newest_phase1_st;
     struct connection *c = st->st_connection;
     int action = st->st_connection->dpd_action;
+    char cname[BUF_LEN];
 
     passert(action == DPD_ACTION_HOLD
 	 || action == DPD_ACTION_CLEAR
@@ -5622,20 +5623,30 @@ dpd_timeout(struct state *st)
 	 * leak traffic.  Also, being in %trap means new packets will
 	 * force an initiation of the conn again.
 	 */
-	loglog(RC_LOG_SERIOUS, "DPD: Putting connection into %%trap");
+	loglog(RC_LOG_SERIOUS, "DPD: Putting connection \"%s\" into %%trap", c->name);
+	if (c->kind == CK_INSTANCE)
+	    delete_connection(c, TRUE);
 	break;
     case DPD_ACTION_CLEAR:
 	/* dpdaction=clear - Wipe the SA & eroute - everything */
-        loglog(RC_LOG_SERIOUS, "DPD: Clearing connection");
+        loglog(RC_LOG_SERIOUS, "DPD: Clearing connection \"%s\"", c->name);
         unroute_connection(c);
+	if (c->kind == CK_INSTANCE)
+	    delete_connection(c, TRUE);
 	break;
     case DPD_ACTION_RESTART:
 	/* dpdaction=restart - Restart connection,
 	 * except if roadwarrior connection
 	 */
-	loglog(RC_LOG_SERIOUS, "DPD: Restarting connection");
+	loglog(RC_LOG_SERIOUS, "DPD: Restarting connection \"%s\"", c->name);
 	unroute_connection(c);
-	initiate_connection(c->name, NULL_FD);
+
+	/* caching the connection name before deletion */
+	strncpy(cname, c->name, BUF_LEN);
+
+	if (c->kind == CK_INSTANCE)
+	    delete_connection(c, TRUE);
+	initiate_connection(cname, NULL_FD);
 	break;
     default:
 	loglog(RC_LOG_SERIOUS, "DPD: unknown action");
diff --git a/src/pluto/state.c b/src/pluto/state.c
index c62e28e99..5372e86f5 100644
--- a/src/pluto/state.c
+++ b/src/pluto/state.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: state.c 3252 2007-10-06 21:24:50Z andreas $
+ * RCSID $Id: state.c 4924 2009-03-10 21:13:18Z andreas $
  */
 
 #include <stdio.h>
@@ -464,12 +464,7 @@ delete_states_by_connection(struct connection *c, bool relations)
 	passert(sr->routing != RT_ROUTED_TUNNEL);
 	sr = sr->next;
     }
-
-    if (ck == CK_INSTANCE)
-    {
-	c->kind = ck;
-	delete_connection(c, relations);
-    }
+    c->kind = ck;
 }
 
 /* Walk through the state table, and delete each state whose phase 1 (IKE)
@@ -506,6 +501,8 @@ delete_states_by_peer(ip_address *peer)
 			 , peerstr
 			 , c->name);
 		    delete_states_by_connection(c, TRUE);
+		    if (c->kind == CK_INSTANCE)
+	    		delete_connection(c, TRUE);
 		    break;	/* can only delete it once */
 		}
 	    }
diff --git a/src/pluto/vendor.c b/src/pluto/vendor.c
index d4d8fcb1a..cf2136b44 100644
--- a/src/pluto/vendor.c
+++ b/src/pluto/vendor.c
@@ -11,7 +11,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: vendor.c 4846 2009-01-21 03:14:52Z andreas $
+ * RCSID $Id: vendor.c 4893 2009-02-21 17:53:10Z andreas $
  */
 
 #include <stdlib.h>
@@ -206,7 +206,8 @@ static struct vid_struct _vid_tab[] = {
 	/*
 	 * strongSwan
 	 */
-	DEC_MD5_VID(STRONGSWAN,       "strongSwan 4.2.12")
+	DEC_MD5_VID(STRONGSWAN,       "strongSwan 4.2.13")
+	DEC_MD5_VID(STRONGSWAN_4_2_12,"strongSwan 4.2.12")
 	DEC_MD5_VID(STRONGSWAN_4_2_11,"strongSwan 4.2.11")
 	DEC_MD5_VID(STRONGSWAN_4_2_10,"strongSwan 4.2.10")
 	DEC_MD5_VID(STRONGSWAN_4_2_9, "strongSwan 4.2.9")
diff --git a/src/pluto/vendor.h b/src/pluto/vendor.h
index 20711fe4e..f049af1ef 100644
--- a/src/pluto/vendor.h
+++ b/src/pluto/vendor.h
@@ -11,7 +11,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: vendor.h 4846 2009-01-21 03:14:52Z andreas $
+ * RCSID $Id: vendor.h 4893 2009-02-21 17:53:10Z andreas $
  */
 
 #ifndef _VENDOR_H_
@@ -128,6 +128,7 @@ enum known_vendorid {
   VID_STRONGSWAN_4_2_9		=109,
   VID_STRONGSWAN_4_2_10		=110,
   VID_STRONGSWAN_4_2_11		=111,
+  VID_STRONGSWAN_4_2_12		=112,
 
   /* 101 - 200 : NAT-Traversal */
   VID_NATT_STENBERG_01		=151,
diff --git a/testing/INSTALL b/testing/INSTALL
index d09383328..27a2ddc64 100644
--- a/testing/INSTALL
+++ b/testing/INSTALL
@@ -53,7 +53,7 @@ are required for the strongSwan testing environment:
     * A vanilla Linux kernel on which the UML kernel will be based on.
       We recommend the use of
 
-      http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.28.tar.bz2
+      http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.28.6.tar.bz2
 
     * The Linux kernel 2.6.28 does not require any patches for the uml guest kernel
       to successfully start up.
@@ -68,7 +68,7 @@ are required for the strongSwan testing environment:
 
     * The latest strongSwan distribution
 
-      http://download.strongswan.org/strongswan-4.2.12.tar.bz2
+      http://download.strongswan.org/strongswan-4.2.13.tar.bz2
 
 
 3. Creating the environment
@@ -143,5 +143,5 @@ README document.
 
 -----------------------------------------------------------------------------
 
-This file is RCSID $Id: INSTALL 4846 2009-01-21 03:14:52Z andreas $
+This file is RCSID $Id: INSTALL 4893 2009-02-21 17:53:10Z andreas $
 
diff --git a/testing/testing.conf b/testing/testing.conf
index 5871734d2..28b043905 100755
--- a/testing/testing.conf
+++ b/testing/testing.conf
@@ -14,14 +14,14 @@
 # or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 # for more details.
 #
-# RCSID $Id: testing.conf 4889 2009-02-19 22:02:28Z andreas $
+# RCSID $Id: testing.conf 4893 2009-02-21 17:53:10Z andreas $
 
 # Root directory of testing
 UMLTESTDIR=~/strongswan-testing
 
 # Bzipped kernel sources
 # (file extension .tar.bz2 required)
-KERNEL=$UMLTESTDIR/linux-2.6.28.tar.bz2
+KERNEL=$UMLTESTDIR/linux-2.6.28.6.tar.bz2
 
 # Extract kernel version
 KERNELVERSION=`basename $KERNEL .tar.bz2 | sed -e 's/linux-//'`
@@ -33,7 +33,7 @@ KERNELCONFIG=$UMLTESTDIR/.config-2.6.28
 #UMLPATCH=$UMLTESTDIR/uml-2.6.26.patch.bz2
 
 # Bzipped source of strongSwan
-STRONGSWAN=$UMLTESTDIR/strongswan-4.2.12.tar.bz2
+STRONGSWAN=$UMLTESTDIR/strongswan-4.2.13.tar.bz2
 
 # strongSwan compile options (use "yes" or "no")
 USE_LIBCURL="yes"
diff --git a/testing/tests/ikev1/dpd-restart/description.txt b/testing/tests/ikev1/dpd-restart/description.txt
new file mode 100644
index 000000000..0a309cf52
--- /dev/null
+++ b/testing/tests/ikev1/dpd-restart/description.txt
@@ -0,0 +1,13 @@
+The peer <b>carol</b> and <b>moon</b> both have dynamic IP addresses, so that the remote end
+is defined symbolically by <b>right=%&lt;hostname&gt;</b>. The ipsec starter resolves the
+fully-qualified hostname into the current IP address via a DNS lookup (simulated by an
+/etc/hosts entry). Since the peer IP addresses are expected to change over time, the option
+<b>rightallowany=yes</b> will allow an IKE main mode rekeying to arrive from an arbitrary
+IP address under the condition that the peer identity remains unchanged. When this happens
+the old tunnel is replaced by an IPsec connection to the new origin.
+<p>
+In this scenario <b>moon</b> first initiates a tunnel to <b>carol</b>. After some time
+the responder <b>carol</b> disconnects (simulated by iptables blocking IKE and ESP traffic).
+<b>moon</b> detects via Dead Peer Detection (DPD) that the connection is down and tries to
+reconnect. After a few seconds the firewall is opened again and the connection is 
+reestablished.
diff --git a/testing/tests/ikev1/dpd-restart/evaltest.dat b/testing/tests/ikev1/dpd-restart/evaltest.dat
new file mode 100644
index 000000000..016524dd9
--- /dev/null
+++ b/testing/tests/ikev1/dpd-restart/evaltest.dat
@@ -0,0 +1,10 @@
+moon::ipsec status::STATE_MAIN_I4 (ISAKMP SA established)::YES
+carol::iptables -I INPUT 1 -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO
+moon::sleep 35::no output expected::NO
+carol::iptables -D INPUT 1::no output expected::NO
+moon::cat /var/log/auth.log::inserting event EVENT_DPD::YES
+moon::cat /var/log/auth.log::DPD: No response from peer - declaring peer dead::YES
+moon::cat /var/log/auth.log::DPD: Terminating all SAs using this connection::YES
+moon::cat /var/log/auth.log::DPD: Restarting connection::YES
+moon::sleep 5::no output expected::NO
+moon::ipsec status::STATE_MAIN_I4 (ISAKMP SA established)::YES
diff --git a/testing/tests/ikev1/dpd-restart/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/dpd-restart/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..e6938e79a
--- /dev/null
+++ b/testing/tests/ikev1/dpd-restart/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	charonstart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+
+conn moon 
+	left=%defaultroute
+	leftnexthop=%direct
+	leftsourceip=PH_IP_CAROL1
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=%moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
diff --git a/testing/tests/ikev1/dpd-restart/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/dpd-restart/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..ae9b35e97
--- /dev/null
+++ b/testing/tests/ikev1/dpd-restart/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,29 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	charonstart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+        dpdaction=restart
+        dpddelay=5
+        dpdtimeout=25
+
+conn carol
+	left=%defaultroute
+	leftnexthop=%direct
+	leftsubnet=10.1.0.0/16
+	leftsourceip=PH_IP_MOON1
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftfirewall=yes
+	right=%carol.strongswan.org
+	rightid=carol@strongswan.org
+	rightsubnet=PH_IP_CAROL1/32
+	auto=start
diff --git a/testing/tests/ikev1/dpd-restart/posttest.dat b/testing/tests/ikev1/dpd-restart/posttest.dat
new file mode 100644
index 000000000..e092608cb
--- /dev/null
+++ b/testing/tests/ikev1/dpd-restart/posttest.dat
@@ -0,0 +1,5 @@
+carol::ipsec stop
+moon::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+carol::ip addr del PH_IP_CAROL1/32 dev eth0
diff --git a/testing/tests/ikev1/dpd-restart/pretest.dat b/testing/tests/ikev1/dpd-restart/pretest.dat
new file mode 100644
index 000000000..caf89d6c6
--- /dev/null
+++ b/testing/tests/ikev1/dpd-restart/pretest.dat
@@ -0,0 +1,5 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+carol::ipsec start
+moon::ipsec start
+moon::sleep 4
diff --git a/testing/tests/ikev1/dpd-restart/test.conf b/testing/tests/ikev1/dpd-restart/test.conf
new file mode 100644
index 000000000..4d648102b
--- /dev/null
+++ b/testing/tests/ikev1/dpd-restart/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon alice"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/ip-pool-db/description.txt b/testing/tests/ikev2/ip-pool-db/description.txt
index 5cc500c98..7bc4ef3ab 100644
--- a/testing/tests/ikev2/ip-pool-db/description.txt
+++ b/testing/tests/ikev2/ip-pool-db/description.txt
@@ -2,7 +2,7 @@ The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gatewa
 Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKEv2 configuration payload
 by using the <b>leftsourceip=%config</b> parameter. The gateway <b>moon</b> assigns virtual IP
 addresses from a pool named <b>bigpool</b> that was created in an SQL database by the command
-<b>ipsec pool --name bigpool --start 10.3.0.1 --end 10.3.255.254 --timeout 0</b>.
+<b>ipsec pool --name bigpool --start 10.3.0.1 --end 10.3.3.232 --timeout 0</b>.
 <p>
 <b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass the
 tunneled traffic. In order to test the tunnels, <b>carol</b> and <b>dave</b> then ping the client
diff --git a/testing/tests/ikev2/ip-two-pools-db/description.txt b/testing/tests/ikev2/ip-two-pools-db/description.txt
index 14a3f17b5..188b4349e 100644
--- a/testing/tests/ikev2/ip-two-pools-db/description.txt
+++ b/testing/tests/ikev2/ip-two-pools-db/description.txt
@@ -1,9 +1,9 @@
 The hosts <b>alice</b>, <b>venus</b>, <b>carol</b>, and <b>dave</b> set up tunnel connections
 to gateway <b>moon</b> in a <b>hub-and-spoke</b> fashion. Each host requests a <b>virtual IP</b> 
 with the <b>leftsourceip=%config</b> parameter. Gateway <b>moon</b> assigns virtual
-IP addresses from a pool named <b>extpool</b> [10.3.0.1..10.3.255.254] to hosts connecting
+IP addresses from a pool named <b>extpool</b> [10.3.0.1..10.3.1.244] to hosts connecting
 to the <b>eth0</b> (PH_IP_MOON) interface and virtual IP addresses from a pool named <b>intpool</b>
-[10.4.0.1..10.4.255.254] to hosts connecting to the <b>eth1</b> (PH_IP_MOON1) interface.
+[10.4.0.1..10.4.1.244] to hosts connecting to the <b>eth1</b> (PH_IP_MOON1) interface.
 Thus <b>carol</b> and <b>dave</b> are assigned <b>PH_IP_CAROL1</b> and <b>PH_IP_DAVE1</b>,
 respectively, whereas <b>alice</b> and <b>venus</b> get <b>10.4.0.1</b> and <b>10.4.0.2</b>,
 respectively.
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/description.txt b/testing/tests/ikev2/ip-two-pools-mixed/description.txt
new file mode 100644
index 000000000..d771d006d
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-mixed/description.txt
@@ -0,0 +1,9 @@
+The hosts <b>alice</b> and <b>carol</b> set up a tunnel connection each to gateway <b>moon</b>.
+Both hosts request a <b>virtual IP</b> via the IKEv2 configuration payload by using the
+<b>leftsourceip=%config</b> parameter. Gateway <b>moon</b> assigns virtual IP
+addresses from a simple pool defined by <b>rightsourceip=10.3.0.0/28</b> to hosts connecting
+to the <b>eth0</b> (PH_IP_MOON) interface and virtual IP addresses from an SQLite-based pool
+named <b>intpool</b> [10.4.0.1..10.4.1.244] to hosts connecting to the <b>eth1</b> (PH_IP_MOON1) interface.
+<p>
+Thus <b>carol</b> is assigned <b>PH_IP_CAROL1</b> whereas <b>alice</b> gets <b>10.4.0.1</b> and 
+both ping the gateway <b>moon</b>.
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/evaltest.dat b/testing/tests/ikev2/ip-two-pools-mixed/evaltest.dat
new file mode 100644
index 000000000..1505de751
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-mixed/evaltest.dat
@@ -0,0 +1,17 @@
+carol::ipsec status::home.*INSTALLED::YES
+alice::ipsec status::home.*INSTALLED::YES
+moon::ipsec status::ext.*ESTABLISHED.*carol@strongswan.org::YES
+moon::ipsec status::int.*ESTABLISHED.*alice@strongswan.org::YES
+moon::cat /var/log/daemon.log::adding virtual IP address pool.*ext.*10.3.0.0/28::YES
+moon::ipsec leases ext::1/15, 1 online::YES
+moon::ipsec leases ext 10.3.0.1::carol@strongswan.org::YES
+moon::ipsec pool --status 2> /dev/null::intpool.*10.4.0.1.*10.4.1.244.*static.*1::YES
+moon::ipsec pool --leases --filter pool=intpool,addr=10.4.0.1,id=alice@strongswan.org 2> /dev/null::online::YES
+carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
+alice::cat /var/log/daemon.log::installing new virtual IP 10.4.0.1::YES
+carol::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_seq=1::YES
+alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
+carol::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+carol::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+alice::tcpdump::IP alice.strongswan.org > moon1.strongswan.org: ESP::YES
+alice::tcpdump::IP moon1.strongswan.org > alice.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/init.d/iptables b/testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/init.d/iptables
new file mode 100755
index 000000000..97b773645
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/init.d/iptables
@@ -0,0 +1,78 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+	before net
+	need logger
+}
+
+start() {
+	ebegin "Starting firewall"
+
+	# default policy is DROP
+	/sbin/iptables -P INPUT DROP
+	/sbin/iptables -P OUTPUT DROP
+	/sbin/iptables -P FORWARD DROP
+
+        # allow ESP 
+        iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
+        iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+	# allow IKE
+        iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+        iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+			
+	# allow MOBIKE 
+	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+
+	# allow crl fetch from winnetou
+	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+	# allow ssh
+	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
+	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+	
+			if [ $a == nat ]; then
+				/sbin/iptables -t nat -P PREROUTING ACCEPT
+				/sbin/iptables -t nat -P POSTROUTING ACCEPT
+				/sbin/iptables -t nat -P OUTPUT ACCEPT
+			elif [ $a == mangle ]; then
+				/sbin/iptables -t mangle -P PREROUTING ACCEPT
+				/sbin/iptables -t mangle -P INPUT ACCEPT
+				/sbin/iptables -t mangle -P FORWARD ACCEPT
+				/sbin/iptables -t mangle -P OUTPUT ACCEPT
+				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
+			elif [ $a == filter ]; then
+				/sbin/iptables -t filter -P INPUT ACCEPT
+				/sbin/iptables -t filter -P FORWARD ACCEPT
+				/sbin/iptables -t filter -P OUTPUT ACCEPT
+			fi
+		done
+	eend $?
+}
+
+reload() {
+	ebegin "Flushing firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+		done;
+        eend $?
+	start
+}
+
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/ipsec.conf
new file mode 100755
index 000000000..f5ce1687e
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+		
+conn home 
+	left=%defaultroute
+	leftsourceip=%config
+	leftcert=aliceCert.pem
+	leftid=alice@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON1
+	rightid=@moon.strongswan.org
+	auto=add
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/strongswan.conf
new file mode 100644
index 000000000..40eb84b8a
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+}
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ip-two-pools-mixed/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..e647f1e36
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-mixed/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_CAROL
+	leftsourceip=%config
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	auto=add
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-mixed/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..40eb84b8a
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-mixed/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+}
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/init.d/iptables
new file mode 100755
index 000000000..bb9d03acd
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/init.d/iptables
@@ -0,0 +1,91 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+	before net
+	need logger
+}
+
+start() {
+	ebegin "Starting firewall"
+
+	# enable IP forwarding
+	echo 1 > /proc/sys/net/ipv4/ip_forward
+	
+	# default policy is DROP
+	/sbin/iptables -P INPUT DROP
+	/sbin/iptables -P OUTPUT DROP
+	/sbin/iptables -P FORWARD DROP
+
+	# allow esp
+	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+        iptables -A INPUT  -i eth1 -p 50 -j ACCEPT
+        iptables -A OUTPUT -o eth1 -p 50 -j ACCEPT
+
+	# allow IKE
+	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+        iptables -A INPUT  -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
+        iptables -A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
+
+	# allow MobIKE
+	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+        iptables -A INPUT  -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT
+        iptables -A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+	# allow crl fetch from winnetou
+	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+	iptables -A FORWARD -i eth0 -o eth1 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+	iptables -A FORWARD -o eth0 -i eth1 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+	# masquerade crl fetches to winnetou
+	iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -d PH_IP_WINNETOU -j MASQUERADE
+
+	# allow ssh
+	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
+	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+	
+			if [ $a == nat ]; then
+				/sbin/iptables -t nat -P PREROUTING ACCEPT
+				/sbin/iptables -t nat -P POSTROUTING ACCEPT
+				/sbin/iptables -t nat -P OUTPUT ACCEPT
+			elif [ $a == mangle ]; then
+				/sbin/iptables -t mangle -P PREROUTING ACCEPT
+				/sbin/iptables -t mangle -P INPUT ACCEPT
+				/sbin/iptables -t mangle -P FORWARD ACCEPT
+				/sbin/iptables -t mangle -P OUTPUT ACCEPT
+				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
+			elif [ $a == filter ]; then
+				/sbin/iptables -t filter -P INPUT ACCEPT
+				/sbin/iptables -t filter -P FORWARD ACCEPT
+				/sbin/iptables -t filter -P OUTPUT ACCEPT
+			fi
+		done
+	eend $?
+}
+
+reload() {
+	ebegin "Flushing firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+		done;
+        eend $?
+	start
+}
+
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..d80bb5305
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,27 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftfirewall=yes
+	right=%any
+
+conn int 
+	left=PH_IP_MOON1
+	rightsourceip=%intpool
+	auto=add
+
+conn ext 
+	left=PH_IP_MOON
+	rightsourceip=10.3.0.0/28
+	auto=add
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..1b5257ccc
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,14 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  plugins {
+    sql {
+      database = sqlite:///etc/ipsec.d/ipsec.db 
+    }
+  }
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke sqlite sql kernel-netlink updown
+}
+
+pool {
+  load = sqlite
+}
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/posttest.dat b/testing/tests/ikev2/ip-two-pools-mixed/posttest.dat
new file mode 100644
index 000000000..db5e6237f
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-mixed/posttest.dat
@@ -0,0 +1,9 @@
+carol::ipsec stop
+alice::ipsec stop
+moon::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+alice::/etc/init.d/iptables stop 2> /dev/null
+moon::conntrack -F
+moon::ipsec pool --del intpool 2> /dev/null
+moon::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/pretest.dat b/testing/tests/ikev2/ip-two-pools-mixed/pretest.dat
new file mode 100644
index 000000000..b579464f2
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-mixed/pretest.dat
@@ -0,0 +1,13 @@
+moon::cat /etc/ipsec.d/tables.sql > /etc/ipsec.d/ipsec.sql
+moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+moon::ipsec pool --add intpool --start 10.4.0.1 --end 10.4.1.244 --timeout  0 2> /dev/null
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+alice::/etc/init.d/iptables start 2> /dev/null
+carol::ipsec start
+moon::ipsec start
+alice::ipsec start
+carol::sleep 2 
+carol::ipsec up home
+alice::ipsec up home
+alice::sleep 1
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/test.conf b/testing/tests/ikev2/ip-two-pools-mixed/test.conf
new file mode 100644
index 000000000..329774c0a
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-mixed/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="alice carol"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="alice moon carol"
-- 
cgit v1.2.3


From c3e7f611ea8273c6b3909cb006ade4903a74aad0 Mon Sep 17 00:00:00 2001
From: Rene Mayrhofer <rene@mayrhofer.eu.org>
Date: Wed, 1 Apr 2009 20:13:30 +0000
Subject: [svn-upgrade] Integrating new upstream version, strongswan (4.2.14)

---
 Doxyfile.in                                        | 1530 +++++++++++++++++---
 Makefile.am                                        |    2 +
 Makefile.in                                        |    1 +
 NEWS                                               |   26 +
 configure                                          |   84 +-
 configure.in                                       |   13 +-
 src/charon/Makefile.am                             |    5 +
 src/charon/Makefile.in                             |   31 +-
 src/charon/bus/bus.h                               |    4 +-
 src/charon/bus/listeners/file_logger.h             |    4 +-
 src/charon/bus/listeners/sys_logger.h              |    4 +-
 src/charon/config/attributes/attribute_manager.h   |    2 +-
 src/charon/config/attributes/attribute_provider.h  |    2 +-
 src/charon/config/backend.h                        |    4 +-
 src/charon/config/backend_manager.h                |    5 +-
 src/charon/config/child_cfg.h                      |   10 +-
 src/charon/config/ike_cfg.h                        |    5 +-
 src/charon/config/peer_cfg.h                       |    7 +-
 src/charon/config/proposal.h                       |    4 +-
 src/charon/config/traffic_selector.h               |    6 +-
 src/charon/control/controller.h                    |    4 +-
 src/charon/credentials/auth_info.h                 |    2 +-
 src/charon/credentials/credential_manager.h        |    4 +-
 src/charon/credentials/credential_set.h            |    4 +-
 src/charon/credentials/sets/auth_info_wrapper.h    |    2 +-
 src/charon/credentials/sets/cert_cache.h           |    2 +-
 .../credentials/sets/ocsp_response_wrapper.h       |    2 +-
 src/charon/daemon.h                                |    4 +-
 src/charon/encoding/generator.h                    |    4 +-
 src/charon/encoding/message.h                      |    4 +-
 src/charon/encoding/parser.h                       |    4 +-
 src/charon/encoding/payloads/auth_payload.h        |    4 +-
 src/charon/encoding/payloads/cert_payload.h        |    5 +-
 src/charon/encoding/payloads/certreq_payload.h     |    4 +-
 .../encoding/payloads/configuration_attribute.h    |    4 +-
 src/charon/encoding/payloads/cp_payload.h          |    4 +-
 src/charon/encoding/payloads/delete_payload.h      |    4 +-
 src/charon/encoding/payloads/eap_payload.h         |    4 +-
 src/charon/encoding/payloads/encodings.h           |    4 +-
 src/charon/encoding/payloads/encryption_payload.h  |    4 +-
 src/charon/encoding/payloads/endpoint_notify.h     |    4 +-
 src/charon/encoding/payloads/id_payload.h          |    4 +-
 src/charon/encoding/payloads/ike_header.h          |    4 +-
 src/charon/encoding/payloads/ke_payload.h          |    4 +-
 src/charon/encoding/payloads/nonce_payload.h       |    4 +-
 src/charon/encoding/payloads/notify_payload.h      |    4 +-
 src/charon/encoding/payloads/payload.h             |    4 +-
 .../encoding/payloads/proposal_substructure.h      |    4 +-
 src/charon/encoding/payloads/sa_payload.h          |    4 +-
 .../payloads/traffic_selector_substructure.h       |    4 +-
 src/charon/encoding/payloads/transform_attribute.h |    4 +-
 .../encoding/payloads/transform_substructure.h     |    4 +-
 src/charon/encoding/payloads/ts_payload.h          |    4 +-
 src/charon/encoding/payloads/unknown_payload.h     |    4 +-
 src/charon/encoding/payloads/vendor_id_payload.h   |    4 +-
 src/charon/kernel/kernel_interface.c               |    2 +-
 src/charon/kernel/kernel_interface.h               |    4 +-
 src/charon/kernel/kernel_ipsec.h                   |    4 +-
 src/charon/kernel/kernel_net.h                     |    4 +-
 src/charon/network/packet.h                        |    4 +-
 src/charon/network/receiver.h                      |    4 +-
 src/charon/network/sender.h                        |    4 +-
 src/charon/network/socket.h                        |    4 +-
 src/charon/plugins/eap_aka/eap_aka.h               |    6 +-
 src/charon/plugins/eap_aka/eap_aka_plugin.h        |    4 +-
 src/charon/plugins/eap_gtc/eap_gtc.h               |    2 +-
 src/charon/plugins/eap_gtc/eap_gtc_plugin.h        |    2 +-
 src/charon/plugins/eap_identity/eap_identity.h     |    4 +-
 .../plugins/eap_identity/eap_identity_plugin.h     |    4 +-
 src/charon/plugins/eap_md5/eap_md5.h               |    4 +-
 src/charon/plugins/eap_md5/eap_md5_plugin.h        |    4 +-
 src/charon/plugins/eap_mschapv2/eap_mschapv2.h     |    4 +-
 .../plugins/eap_mschapv2/eap_mschapv2_plugin.h     |    4 +-
 src/charon/plugins/eap_radius/Makefile.am          |   14 +
 src/charon/plugins/eap_radius/Makefile.in          |  506 +++++++
 src/charon/plugins/eap_radius/eap_radius.c         |  276 ++++
 src/charon/plugins/eap_radius/eap_radius.h         |   50 +
 src/charon/plugins/eap_radius/eap_radius_plugin.c  |   56 +
 src/charon/plugins/eap_radius/eap_radius_plugin.h  |   52 +
 src/charon/plugins/eap_radius/radius_client.c      |  495 +++++++
 src/charon/plugins/eap_radius/radius_client.h      |   90 ++
 src/charon/plugins/eap_radius/radius_message.c     |  477 ++++++
 src/charon/plugins/eap_radius/radius_message.h     |  278 ++++
 src/charon/plugins/eap_sim/eap_sim.h               |    2 +-
 src/charon/plugins/eap_sim/eap_sim_plugin.h        |    4 +-
 .../plugins/eap_sim_file/eap_sim_file_card.h       |    2 +-
 .../plugins/eap_sim_file/eap_sim_file_plugin.h     |    2 +-
 .../plugins/eap_sim_file/eap_sim_file_provider.h   |    2 +-
 .../plugins/eap_sim_file/eap_sim_file_triplets.h   |    2 +-
 .../plugins/kernel_klips/kernel_klips_ipsec.h      |    4 +-
 .../plugins/kernel_klips/kernel_klips_plugin.h     |    4 +-
 .../plugins/kernel_netlink/kernel_netlink_ipsec.c  |    2 +-
 .../plugins/kernel_netlink/kernel_netlink_ipsec.h  |    4 +-
 .../plugins/kernel_netlink/kernel_netlink_net.h    |    4 +-
 .../plugins/kernel_netlink/kernel_netlink_plugin.h |    4 +-
 .../plugins/kernel_pfkey/kernel_pfkey_ipsec.h      |    4 +-
 .../plugins/kernel_pfkey/kernel_pfkey_plugin.h     |    4 +-
 .../plugins/load_tester/load_tester_config.h       |    2 +-
 src/charon/plugins/load_tester/load_tester_creds.h |    2 +-
 .../load_tester/load_tester_diffie_hellman.h       |    2 +-
 src/charon/plugins/load_tester/load_tester_ipsec.h |    2 +-
 .../plugins/load_tester/load_tester_listener.h     |    2 +-
 .../plugins/load_tester/load_tester_plugin.h       |    2 +-
 src/charon/plugins/medcli/medcli_config.h          |    2 +-
 src/charon/plugins/medcli/medcli_creds.h           |    2 +-
 src/charon/plugins/medcli/medcli_listener.h        |    2 +-
 src/charon/plugins/medcli/medcli_plugin.h          |    2 +-
 src/charon/plugins/medsrv/medsrv_config.h          |    2 +-
 src/charon/plugins/medsrv/medsrv_creds.h           |    4 +-
 src/charon/plugins/medsrv/medsrv_plugin.h          |    4 +-
 src/charon/plugins/nm/nm_creds.h                   |    2 +-
 src/charon/plugins/nm/nm_plugin.h                  |    2 +-
 src/charon/plugins/nm/nm_service.h                 |    2 +-
 src/charon/plugins/smp/smp.h                       |    4 +-
 src/charon/plugins/sql/sql_attribute.h             |    2 +-
 src/charon/plugins/sql/sql_config.h                |    4 +-
 src/charon/plugins/sql/sql_cred.h                  |    2 +-
 src/charon/plugins/sql/sql_logger.h                |    2 +-
 src/charon/plugins/sql/sql_plugin.h                |    4 +-
 src/charon/plugins/stroke/stroke_attribute.h       |    2 +-
 src/charon/plugins/stroke/stroke_ca.h              |    2 +-
 src/charon/plugins/stroke/stroke_config.h          |    2 +-
 src/charon/plugins/stroke/stroke_control.h         |    2 +-
 src/charon/plugins/stroke/stroke_cred.h            |    2 +-
 src/charon/plugins/stroke/stroke_list.h            |    2 +-
 src/charon/plugins/stroke/stroke_plugin.h          |    2 +-
 src/charon/plugins/stroke/stroke_shared_key.h      |    2 +-
 src/charon/plugins/stroke/stroke_socket.h          |    2 +-
 src/charon/plugins/uci/uci_config.h                |    2 +-
 src/charon/plugins/uci/uci_control.h               |   13 +-
 src/charon/plugins/uci/uci_creds.h                 |    2 +-
 src/charon/plugins/uci/uci_parser.h                |    3 +-
 src/charon/plugins/uci/uci_plugin.h                |    2 +-
 src/charon/plugins/unit_tester/tests.h             |    4 +-
 src/charon/plugins/unit_tester/unit_tester.h       |    4 +-
 src/charon/plugins/updown/updown_listener.h        |    2 +-
 src/charon/plugins/updown/updown_plugin.h          |    2 +-
 src/charon/processing/jobs/acquire_job.h           |    4 +-
 src/charon/processing/jobs/callback_job.h          |    4 +-
 src/charon/processing/jobs/delete_child_sa_job.h   |    4 +-
 src/charon/processing/jobs/delete_ike_sa_job.h     |    4 +-
 .../processing/jobs/initiate_mediation_job.h       |    4 +-
 src/charon/processing/jobs/job.h                   |    4 +-
 src/charon/processing/jobs/mediation_job.h         |    4 +-
 src/charon/processing/jobs/migrate_job.h           |    4 +-
 src/charon/processing/jobs/process_message_job.h   |    4 +-
 src/charon/processing/jobs/rekey_child_sa_job.h    |    4 +-
 src/charon/processing/jobs/rekey_ike_sa_job.h      |    4 +-
 src/charon/processing/jobs/retransmit_job.h        |    4 +-
 src/charon/processing/jobs/roam_job.h              |    4 +-
 src/charon/processing/jobs/send_dpd_job.h          |    4 +-
 src/charon/processing/jobs/send_keepalive_job.h    |    4 +-
 src/charon/processing/jobs/update_sa_job.h         |    2 +-
 src/charon/processing/processor.h                  |    4 +-
 src/charon/processing/scheduler.h                  |    4 +-
 src/charon/sa/authenticators/authenticator.h       |    4 +-
 src/charon/sa/authenticators/eap/eap_manager.h     |    4 +-
 src/charon/sa/authenticators/eap/eap_method.c      |    5 +-
 src/charon/sa/authenticators/eap/eap_method.h      |    6 +-
 src/charon/sa/authenticators/eap/sim_manager.h     |    2 +-
 src/charon/sa/authenticators/eap_authenticator.c   |    9 +-
 src/charon/sa/authenticators/eap_authenticator.h   |    4 +-
 src/charon/sa/authenticators/psk_authenticator.h   |    4 +-
 .../sa/authenticators/pubkey_authenticator.h       |    4 +-
 src/charon/sa/child_sa.h                           |    6 +-
 src/charon/sa/connect_manager.h                    |    4 +-
 src/charon/sa/ike_sa.h                             |    4 +-
 src/charon/sa/ike_sa_id.h                          |    4 +-
 src/charon/sa/ike_sa_manager.c                     |    6 +-
 src/charon/sa/ike_sa_manager.h                     |    4 +-
 src/charon/sa/keymat.h                             |    2 +-
 src/charon/sa/mediation_manager.h                  |    4 +-
 src/charon/sa/task_manager.h                       |    6 +-
 src/charon/sa/tasks/child_create.h                 |    4 +-
 src/charon/sa/tasks/child_delete.h                 |    4 +-
 src/charon/sa/tasks/child_rekey.h                  |    4 +-
 src/charon/sa/tasks/ike_auth.h                     |    4 +-
 src/charon/sa/tasks/ike_auth_lifetime.h            |    4 +-
 src/charon/sa/tasks/ike_cert_post.h                |    4 +-
 src/charon/sa/tasks/ike_cert_pre.h                 |    4 +-
 src/charon/sa/tasks/ike_config.h                   |    4 +-
 src/charon/sa/tasks/ike_delete.h                   |    4 +-
 src/charon/sa/tasks/ike_dpd.h                      |    4 +-
 src/charon/sa/tasks/ike_init.h                     |    4 +-
 src/charon/sa/tasks/ike_me.h                       |    4 +-
 src/charon/sa/tasks/ike_mobike.h                   |    4 +-
 src/charon/sa/tasks/ike_natd.c                     |    6 +-
 src/charon/sa/tasks/ike_natd.h                     |    4 +-
 src/charon/sa/tasks/ike_reauth.h                   |    4 +-
 src/charon/sa/tasks/ike_rekey.h                    |    4 +-
 src/charon/sa/tasks/task.h                         |    4 +-
 src/libfast/context.h                              |    4 +-
 src/libfast/controller.h                           |    4 +-
 src/libfast/dispatcher.h                           |    4 +-
 src/libfast/request.h                              |    4 +-
 src/libfast/session.h                              |    4 +-
 src/libstrongswan/asn1/asn1.c                      |   23 +-
 src/libstrongswan/asn1/asn1.h                      |   10 +-
 src/libstrongswan/asn1/asn1_parser.h               |    4 +-
 src/libstrongswan/chunk.h                          |   16 +-
 src/libstrongswan/credentials/builder.h            |    2 +-
 src/libstrongswan/credentials/certificates/ac.h    |    3 +-
 .../credentials/certificates/certificate.h         |    2 +-
 src/libstrongswan/credentials/certificates/crl.h   |    4 +-
 .../credentials/certificates/ocsp_request.h        |    2 +-
 .../credentials/certificates/ocsp_response.h       |    2 +-
 src/libstrongswan/credentials/certificates/x509.h  |    4 +-
 src/libstrongswan/credentials/credential_factory.h |    2 +-
 src/libstrongswan/credentials/keys/private_key.h   |    4 +-
 src/libstrongswan/credentials/keys/public_key.h    |    4 +-
 src/libstrongswan/crypto/crypters/crypter.h        |    4 +-
 src/libstrongswan/crypto/crypto_factory.h          |    2 +-
 src/libstrongswan/crypto/diffie_hellman.h          |    4 +-
 src/libstrongswan/crypto/hashers/hasher.h          |    4 +-
 src/libstrongswan/crypto/pkcs9.h                   |    5 +-
 src/libstrongswan/crypto/prf_plus.h                |    4 +-
 src/libstrongswan/crypto/prfs/prf.h                |    4 +-
 src/libstrongswan/crypto/rngs/rng.h                |    2 +-
 src/libstrongswan/crypto/signers/signer.h          |    6 +-
 src/libstrongswan/database/database.h              |    2 +-
 src/libstrongswan/database/database_factory.h      |    2 +-
 src/libstrongswan/debug.h                          |    4 +-
 src/libstrongswan/enum.h                           |    4 +-
 src/libstrongswan/fetcher/fetcher.h                |    2 +-
 src/libstrongswan/fetcher/fetcher_manager.h        |    2 +-
 src/libstrongswan/fips/fips.h                      |    4 +-
 src/libstrongswan/library.h                        |    4 +-
 src/libstrongswan/plugins/aes/aes_crypter.h        |    2 +-
 src/libstrongswan/plugins/aes/aes_plugin.h         |    2 +-
 src/libstrongswan/plugins/agent/agent_plugin.h     |    2 +-
 .../plugins/agent/agent_private_key.h              |    2 +-
 src/libstrongswan/plugins/curl/curl_fetcher.h      |    2 +-
 src/libstrongswan/plugins/curl/curl_plugin.h       |    2 +-
 src/libstrongswan/plugins/des/des_crypter.h        |    2 +-
 src/libstrongswan/plugins/des/des_plugin.h         |    2 +-
 src/libstrongswan/plugins/fips_prf/fips_prf.h      |    2 +-
 .../plugins/fips_prf/fips_prf_plugin.h             |    2 +-
 src/libstrongswan/plugins/gmp/gmp_diffie_hellman.h |    2 +-
 src/libstrongswan/plugins/gmp/gmp_plugin.h         |    2 +-
 .../plugins/gmp/gmp_rsa_private_key.h              |    2 +-
 src/libstrongswan/plugins/gmp/gmp_rsa_public_key.h |    4 +-
 src/libstrongswan/plugins/hmac/hmac.h              |    2 +-
 src/libstrongswan/plugins/hmac/hmac_plugin.c       |    4 +-
 src/libstrongswan/plugins/hmac/hmac_plugin.h       |    2 +-
 src/libstrongswan/plugins/hmac/hmac_prf.h          |    2 +-
 src/libstrongswan/plugins/hmac/hmac_signer.c       |    6 +-
 src/libstrongswan/plugins/hmac/hmac_signer.h       |    2 +-
 src/libstrongswan/plugins/ldap/ldap_fetcher.h      |    2 +-
 src/libstrongswan/plugins/ldap/ldap_plugin.h       |    2 +-
 src/libstrongswan/plugins/md4/md4_hasher.h         |    2 +-
 src/libstrongswan/plugins/md4/md4_plugin.h         |    2 +-
 src/libstrongswan/plugins/md5/md5_hasher.h         |    2 +-
 src/libstrongswan/plugins/md5/md5_plugin.h         |    2 +-
 src/libstrongswan/plugins/mysql/mysql_database.h   |    4 +-
 src/libstrongswan/plugins/mysql/mysql_plugin.h     |    2 +-
 .../plugins/openssl/openssl_crypter.h              |    4 +-
 .../plugins/openssl/openssl_diffie_hellman.h       |    4 +-
 .../plugins/openssl/openssl_ec_diffie_hellman.h    |    4 +-
 .../plugins/openssl/openssl_ec_private_key.h       |    4 +-
 .../plugins/openssl/openssl_ec_public_key.h        |    4 +-
 src/libstrongswan/plugins/openssl/openssl_hasher.h |    5 +-
 src/libstrongswan/plugins/openssl/openssl_plugin.h |    4 +-
 .../plugins/openssl/openssl_rsa_private_key.h      |    4 +-
 .../plugins/openssl/openssl_rsa_public_key.h       |    4 +-
 src/libstrongswan/plugins/openssl/openssl_util.h   |    4 +-
 .../plugins/padlock/padlock_aes_crypter.h          |    2 +-
 src/libstrongswan/plugins/padlock/padlock_plugin.h |    2 +-
 src/libstrongswan/plugins/padlock/padlock_rng.h    |    4 +-
 .../plugins/padlock/padlock_sha1_hasher.h          |    4 +-
 src/libstrongswan/plugins/plugin.h                 |    2 +-
 src/libstrongswan/plugins/plugin_loader.h          |    2 +-
 src/libstrongswan/plugins/pubkey/pubkey_cert.h     |    2 +-
 src/libstrongswan/plugins/pubkey/pubkey_plugin.h   |    2 +-
 .../plugins/pubkey/pubkey_public_key.h             |    4 +-
 src/libstrongswan/plugins/random/random_plugin.h   |    2 +-
 src/libstrongswan/plugins/random/random_rng.h      |    4 +-
 src/libstrongswan/plugins/sha1/sha1_hasher.h       |    2 +-
 src/libstrongswan/plugins/sha1/sha1_plugin.h       |    2 +-
 src/libstrongswan/plugins/sha1/sha1_prf.h          |    2 +-
 src/libstrongswan/plugins/sha2/sha2_hasher.h       |    2 +-
 src/libstrongswan/plugins/sha2/sha2_plugin.h       |    2 +-
 src/libstrongswan/plugins/sqlite/sqlite_database.h |    2 +-
 src/libstrongswan/plugins/sqlite/sqlite_plugin.h   |    2 +-
 src/libstrongswan/plugins/x509/ietf_attr_list.h    |    2 +-
 src/libstrongswan/plugins/x509/x509_ac.h           |    2 +-
 src/libstrongswan/plugins/x509/x509_cert.h         |    4 +-
 src/libstrongswan/plugins/x509/x509_crl.h          |    2 +-
 src/libstrongswan/plugins/x509/x509_ocsp_request.h |    2 +-
 .../plugins/x509/x509_ocsp_response.h              |    2 +-
 src/libstrongswan/plugins/x509/x509_plugin.h       |    2 +-
 src/libstrongswan/plugins/xcbc/xcbc.h              |    2 +-
 src/libstrongswan/plugins/xcbc/xcbc_plugin.h       |    2 +-
 src/libstrongswan/plugins/xcbc/xcbc_prf.h          |    2 +-
 src/libstrongswan/plugins/xcbc/xcbc_signer.h       |    6 +-
 src/libstrongswan/printf_hook.h                    |    4 +-
 src/libstrongswan/settings.h                       |    2 +-
 src/libstrongswan/utils.h                          |    4 +-
 src/libstrongswan/utils/backtrace.h                |    3 +-
 src/libstrongswan/utils/enumerator.h               |    6 +-
 src/libstrongswan/utils/hashtable.h                |    4 +-
 src/libstrongswan/utils/host.h                     |    2 +-
 src/libstrongswan/utils/identification.c           |   36 +-
 src/libstrongswan/utils/identification.h           |   10 +-
 src/libstrongswan/utils/iterator.h                 |    4 +-
 src/libstrongswan/utils/leak_detective.h           |    2 +-
 src/libstrongswan/utils/lexparser.h                |    6 +-
 src/libstrongswan/utils/linked_list.h              |    4 +-
 src/libstrongswan/utils/mutex.h                    |    4 +-
 src/libstrongswan/utils/optionsfrom.h              |    4 +-
 src/manager/controller/auth_controller.h           |    4 +-
 src/manager/controller/config_controller.h         |    4 +-
 src/manager/controller/control_controller.h        |    4 +-
 src/manager/controller/gateway_controller.h        |    4 +-
 src/manager/controller/ikesa_controller.h          |    4 +-
 src/manager/gateway.h                              |   14 +-
 src/manager/manager.h                              |    4 +-
 src/manager/storage.h                              |    4 +-
 src/manager/xml.h                                  |    4 +-
 src/pluto/asn1.c                                   |   13 +-
 src/pluto/ipsec_doi.c                              |   10 +-
 src/pluto/vendor.c                                 |    6 +-
 src/pluto/vendor.h                                 |    4 +-
 src/starter/Makefile.am                            |    8 +
 src/starter/Makefile.in                            |    6 +-
 src/starter/confread.c                             |   11 +-
 src/starter/invokecharon.c                         |    4 +-
 src/starter/invokepluto.c                          |   44 +-
 src/starter/ipsec.conf.5                           |   14 +-
 testing/INSTALL                                    |    6 +-
 testing/hosts/winnetou/etc/openssl/generate-crl    |    5 +
 .../hosts/winnetou/etc/openssl/monster/crlnumber   |    1 +
 .../hosts/winnetou/etc/openssl/monster/index.txt   |    2 +
 .../winnetou/etc/openssl/monster/index.txt.attr    |    1 +
 .../etc/openssl/monster/index.txt.attr.old         |    1 +
 .../winnetou/etc/openssl/monster/index.txt.old     |    1 +
 .../winnetou/etc/openssl/monster/newcerts/01.pem   |   46 +
 .../winnetou/etc/openssl/monster/newcerts/02.pem   |   46 +
 .../hosts/winnetou/etc/openssl/monster/openssl.cnf |  184 +++
 testing/hosts/winnetou/etc/openssl/monster/serial  |    1 +
 .../hosts/winnetou/etc/openssl/monster/serial.old  |    1 +
 .../etc/openssl/monster/strongswanCert-monster.pem |   55 +
 .../etc/openssl/monster/strongswanKey-monster.pem  |   99 ++
 .../hosts/winnetou/etc/openssl/research/index.txt  |    2 +-
 .../winnetou/etc/openssl/research/newcerts/04.pem  |   42 +-
 testing/hosts/winnetou/etc/openssl/sales/index.txt |    2 +-
 .../winnetou/etc/openssl/sales/newcerts/04.pem     |   44 +-
 testing/scripts/build-umlrootfs                    |    7 +-
 testing/testing.conf                               |   11 +-
 .../tests/ikev1/after-2038-certs/description.txt   |   13 +
 testing/tests/ikev1/after-2038-certs/evaltest.dat  |    6 +
 .../after-2038-certs/hosts/carol/etc/ipsec.conf    |   22 +
 .../carol/etc/ipsec.d/cacerts/strongswanCert.pem   |   55 +
 .../hosts/carol/etc/ipsec.d/certs/carolCert.pem    |   46 +
 .../hosts/carol/etc/ipsec.d/private/carolKey.pem   |   51 +
 .../hosts/carol/etc/strongswan.conf                |    5 +
 .../after-2038-certs/hosts/moon/etc/ipsec.conf     |   21 +
 .../moon/etc/ipsec.d/cacerts/strongswanCert.pem    |   55 +
 .../hosts/moon/etc/ipsec.d/certs/moonCert.pem      |   46 +
 .../hosts/moon/etc/ipsec.d/private/moonKey.pem     |   51 +
 .../hosts/moon/etc/strongswan.conf                 |    5 +
 testing/tests/ikev1/after-2038-certs/posttest.dat  |    4 +
 testing/tests/ikev1/after-2038-certs/pretest.dat   |    6 +
 testing/tests/ikev1/after-2038-certs/test.conf     |   21 +
 .../tests/ikev2/after-2038-certs/description.txt   |   13 +
 testing/tests/ikev2/after-2038-certs/evaltest.dat  |    6 +
 .../after-2038-certs/hosts/carol/etc/ipsec.conf    |   23 +
 .../carol/etc/ipsec.d/cacerts/strongswanCert.pem   |   55 +
 .../hosts/carol/etc/ipsec.d/certs/carolCert.pem    |   46 +
 .../hosts/carol/etc/ipsec.d/private/carolKey.pem   |   51 +
 .../hosts/carol/etc/strongswan.conf                |    5 +
 .../after-2038-certs/hosts/moon/etc/ipsec.conf     |   22 +
 .../moon/etc/ipsec.d/cacerts/strongswanCert.pem    |   55 +
 .../hosts/moon/etc/ipsec.d/certs/moonCert.pem      |   46 +
 .../hosts/moon/etc/ipsec.d/private/moonKey.pem     |   51 +
 .../hosts/moon/etc/strongswan.conf                 |    5 +
 testing/tests/ikev2/after-2038-certs/posttest.dat  |    4 +
 testing/tests/ikev2/after-2038-certs/pretest.dat   |    6 +
 testing/tests/ikev2/after-2038-certs/test.conf     |   21 +
 .../carol/etc/ipsec.d/certs/carolCert-ifuri.pem    |   42 +-
 .../dave/etc/ipsec.d/certs/daveCert-ifuri.pem      |   44 +-
 .../tests/ikev2/rw-eap-aka-id-rsa/description.txt  |    9 +
 testing/tests/ikev2/rw-eap-aka-id-rsa/evaltest.dat |   11 +
 .../rw-eap-aka-id-rsa/hosts/carol/etc/ipsec.conf   |   23 +
 .../hosts/carol/etc/ipsec.secrets                  |    3 +
 .../hosts/carol/etc/strongswan.conf                |    5 +
 .../rw-eap-aka-id-rsa/hosts/moon/etc/ipsec.conf    |   26 +
 .../rw-eap-aka-id-rsa/hosts/moon/etc/ipsec.secrets |    5 +
 .../hosts/moon/etc/strongswan.conf                 |    5 +
 testing/tests/ikev2/rw-eap-aka-id-rsa/posttest.dat |    4 +
 testing/tests/ikev2/rw-eap-aka-id-rsa/pretest.dat  |    7 +
 testing/tests/ikev2/rw-eap-aka-id-rsa/test.conf    |   21 +
 .../ikev2/rw-eap-aka-identity/description.txt      |    8 -
 .../tests/ikev2/rw-eap-aka-identity/evaltest.dat   |   11 -
 .../rw-eap-aka-identity/hosts/carol/etc/ipsec.conf |   23 -
 .../hosts/carol/etc/ipsec.secrets                  |    3 -
 .../hosts/carol/etc/strongswan.conf                |    5 -
 .../rw-eap-aka-identity/hosts/moon/etc/ipsec.conf  |   26 -
 .../hosts/moon/etc/ipsec.secrets                   |    5 -
 .../hosts/moon/etc/strongswan.conf                 |    5 -
 .../tests/ikev2/rw-eap-aka-identity/posttest.dat   |    4 -
 .../tests/ikev2/rw-eap-aka-identity/pretest.dat    |    7 -
 testing/tests/ikev2/rw-eap-aka-identity/test.conf  |   21 -
 .../ikev2/rw-eap-md5-id-radius/description.txt     |   10 +
 .../tests/ikev2/rw-eap-md5-id-radius/evaltest.dat  |   12 +
 .../hosts/alice/etc/raddb/clients.conf             |    4 +
 .../hosts/alice/etc/raddb/eap.conf                 |    5 +
 .../hosts/alice/etc/raddb/proxy.conf               |    5 +
 .../hosts/alice/etc/raddb/radiusd.conf             |  120 ++
 .../hosts/alice/etc/raddb/sites-available/default  |   61 +
 .../hosts/alice/etc/raddb/users                    |    1 +
 .../hosts/carol/etc/ipsec.conf                     |   23 +
 .../hosts/carol/etc/ipsec.secrets                  |    3 +
 .../hosts/carol/etc/strongswan.conf                |    5 +
 .../hosts/moon/etc/init.d/iptables                 |   84 ++
 .../rw-eap-md5-id-radius/hosts/moon/etc/ipsec.conf |   26 +
 .../hosts/moon/etc/ipsec.secrets                   |    3 +
 .../hosts/moon/etc/strongswan.conf                 |   11 +
 .../tests/ikev2/rw-eap-md5-id-radius/posttest.dat  |    5 +
 .../tests/ikev2/rw-eap-md5-id-radius/pretest.dat   |   12 +
 testing/tests/ikev2/rw-eap-md5-id-radius/test.conf |   21 +
 .../tests/ikev2/rw-eap-md5-radius/description.txt  |    8 +
 testing/tests/ikev2/rw-eap-md5-radius/evaltest.dat |   11 +
 .../hosts/alice/etc/raddb/clients.conf             |    4 +
 .../hosts/alice/etc/raddb/eap.conf                 |    5 +
 .../hosts/alice/etc/raddb/proxy.conf               |    5 +
 .../hosts/alice/etc/raddb/radiusd.conf             |  120 ++
 .../hosts/alice/etc/raddb/sites-available/default  |   61 +
 .../rw-eap-md5-radius/hosts/alice/etc/raddb/users  |    1 +
 .../rw-eap-md5-radius/hosts/carol/etc/ipsec.conf   |   22 +
 .../hosts/carol/etc/ipsec.secrets                  |    3 +
 .../hosts/carol/etc/strongswan.conf                |    5 +
 .../hosts/moon/etc/init.d/iptables                 |   84 ++
 .../rw-eap-md5-radius/hosts/moon/etc/ipsec.conf    |   25 +
 .../rw-eap-md5-radius/hosts/moon/etc/ipsec.secrets |    3 +
 .../hosts/moon/etc/strongswan.conf                 |   11 +
 testing/tests/ikev2/rw-eap-md5-radius/posttest.dat |    5 +
 testing/tests/ikev2/rw-eap-md5-radius/pretest.dat  |   12 +
 testing/tests/ikev2/rw-eap-md5-radius/test.conf    |   21 +
 testing/tests/ikev2/rw-eap-md5-rsa/evaltest.dat    |    2 +-
 .../rw-eap-md5-rsa/hosts/carol/etc/ipsec.secrets   |    2 +-
 .../ikev2/rw-eap-md5-rsa/hosts/moon/etc/ipsec.conf |    2 +-
 .../rw-eap-md5-rsa/hosts/moon/etc/ipsec.secrets    |    2 +-
 .../ikev2/rw-eap-mschapv2-id-rsa/description.txt   |    8 +
 .../ikev2/rw-eap-mschapv2-id-rsa/evaltest.dat      |   11 +
 .../hosts/carol/etc/ipsec.conf                     |   22 +
 .../hosts/carol/etc/ipsec.secrets                  |    3 +
 .../hosts/carol/etc/strongswan.conf                |    5 +
 .../hosts/moon/etc/ipsec.conf                      |   26 +
 .../hosts/moon/etc/ipsec.secrets                   |    5 +
 .../hosts/moon/etc/strongswan.conf                 |    5 +
 .../ikev2/rw-eap-mschapv2-id-rsa/posttest.dat      |    4 +
 .../tests/ikev2/rw-eap-mschapv2-id-rsa/pretest.dat |    7 +
 .../tests/ikev2/rw-eap-mschapv2-id-rsa/test.conf   |   21 +
 .../ikev2/rw-eap-mschapv2-rsa/description.txt      |    8 -
 .../tests/ikev2/rw-eap-mschapv2-rsa/evaltest.dat   |   11 -
 .../rw-eap-mschapv2-rsa/hosts/carol/etc/ipsec.conf |   22 -
 .../hosts/carol/etc/ipsec.secrets                  |    3 -
 .../hosts/carol/etc/strongswan.conf                |    5 -
 .../rw-eap-mschapv2-rsa/hosts/moon/etc/ipsec.conf  |   26 -
 .../hosts/moon/etc/ipsec.secrets                   |    5 -
 .../hosts/moon/etc/strongswan.conf                 |    5 -
 .../tests/ikev2/rw-eap-mschapv2-rsa/posttest.dat   |    4 -
 .../tests/ikev2/rw-eap-mschapv2-rsa/pretest.dat    |    7 -
 testing/tests/ikev2/rw-eap-mschapv2-rsa/test.conf  |   21 -
 .../ikev2/rw-eap-sim-id-radius/description.txt     |   13 +
 .../tests/ikev2/rw-eap-sim-id-radius/evaltest.dat  |   12 +
 .../hosts/alice/etc/raddb/clients.conf             |    4 +
 .../hosts/alice/etc/raddb/eap.conf                 |    5 +
 .../hosts/alice/etc/raddb/proxy.conf               |    5 +
 .../hosts/alice/etc/raddb/radiusd.conf             |  123 ++
 .../hosts/alice/etc/raddb/sites-available/default  |   62 +
 .../hosts/alice/etc/raddb/triplets.dat             |    3 +
 .../hosts/alice/etc/raddb/users                    |    0
 .../hosts/carol/etc/ipsec.conf                     |   23 +
 .../hosts/carol/etc/ipsec.d/triplets.dat           |    3 +
 .../hosts/carol/etc/ipsec.secrets                  |    1 +
 .../hosts/carol/etc/strongswan.conf                |    5 +
 .../hosts/moon/etc/init.d/iptables                 |   84 ++
 .../rw-eap-sim-id-radius/hosts/moon/etc/ipsec.conf |   26 +
 .../hosts/moon/etc/ipsec.secrets                   |    3 +
 .../hosts/moon/etc/strongswan.conf                 |   11 +
 .../tests/ikev2/rw-eap-sim-id-radius/posttest.dat  |    5 +
 .../tests/ikev2/rw-eap-sim-id-radius/pretest.dat   |   12 +
 testing/tests/ikev2/rw-eap-sim-id-radius/test.conf |   21 +
 .../tests/ikev2/rw-eap-sim-radius/description.txt  |   14 +
 testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat |   15 +
 .../hosts/alice/etc/raddb/clients.conf             |    4 +
 .../hosts/alice/etc/raddb/eap.conf                 |    5 +
 .../hosts/alice/etc/raddb/proxy.conf               |    5 +
 .../hosts/alice/etc/raddb/radiusd.conf             |  123 ++
 .../hosts/alice/etc/raddb/sites-available/default  |   62 +
 .../hosts/alice/etc/raddb/triplets.dat             |    7 +
 .../rw-eap-sim-radius/hosts/alice/etc/raddb/users  |    0
 .../rw-eap-sim-radius/hosts/carol/etc/ipsec.conf   |   21 +
 .../hosts/carol/etc/ipsec.d/triplets.dat           |    3 +
 .../hosts/carol/etc/ipsec.secrets                  |    1 +
 .../hosts/carol/etc/strongswan.conf                |    5 +
 .../rw-eap-sim-radius/hosts/dave/etc/ipsec.conf    |   21 +
 .../hosts/dave/etc/ipsec.d/triplets.dat            |    3 +
 .../rw-eap-sim-radius/hosts/dave/etc/ipsec.secrets |    1 +
 .../hosts/dave/etc/strongswan.conf                 |    5 +
 .../hosts/moon/etc/init.d/iptables                 |   84 ++
 .../rw-eap-sim-radius/hosts/moon/etc/ipsec.conf    |   25 +
 .../rw-eap-sim-radius/hosts/moon/etc/ipsec.secrets |    3 +
 .../hosts/moon/etc/strongswan.conf                 |   11 +
 testing/tests/ikev2/rw-eap-sim-radius/posttest.dat |    7 +
 testing/tests/ikev2/rw-eap-sim-radius/pretest.dat  |   15 +
 testing/tests/ikev2/rw-eap-sim-radius/test.conf    |   21 +
 508 files changed, 7750 insertions(+), 1108 deletions(-)
 create mode 100644 src/charon/plugins/eap_radius/Makefile.am
 create mode 100644 src/charon/plugins/eap_radius/Makefile.in
 create mode 100644 src/charon/plugins/eap_radius/eap_radius.c
 create mode 100644 src/charon/plugins/eap_radius/eap_radius.h
 create mode 100644 src/charon/plugins/eap_radius/eap_radius_plugin.c
 create mode 100644 src/charon/plugins/eap_radius/eap_radius_plugin.h
 create mode 100644 src/charon/plugins/eap_radius/radius_client.c
 create mode 100644 src/charon/plugins/eap_radius/radius_client.h
 create mode 100644 src/charon/plugins/eap_radius/radius_message.c
 create mode 100644 src/charon/plugins/eap_radius/radius_message.h
 create mode 100644 testing/hosts/winnetou/etc/openssl/monster/crlnumber
 create mode 100644 testing/hosts/winnetou/etc/openssl/monster/index.txt
 create mode 100644 testing/hosts/winnetou/etc/openssl/monster/index.txt.attr
 create mode 100644 testing/hosts/winnetou/etc/openssl/monster/index.txt.attr.old
 create mode 100644 testing/hosts/winnetou/etc/openssl/monster/index.txt.old
 create mode 100644 testing/hosts/winnetou/etc/openssl/monster/newcerts/01.pem
 create mode 100644 testing/hosts/winnetou/etc/openssl/monster/newcerts/02.pem
 create mode 100644 testing/hosts/winnetou/etc/openssl/monster/openssl.cnf
 create mode 100644 testing/hosts/winnetou/etc/openssl/monster/serial
 create mode 100644 testing/hosts/winnetou/etc/openssl/monster/serial.old
 create mode 100644 testing/hosts/winnetou/etc/openssl/monster/strongswanCert-monster.pem
 create mode 100644 testing/hosts/winnetou/etc/openssl/monster/strongswanKey-monster.pem
 create mode 100644 testing/tests/ikev1/after-2038-certs/description.txt
 create mode 100644 testing/tests/ikev1/after-2038-certs/evaltest.dat
 create mode 100755 testing/tests/ikev1/after-2038-certs/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/ikev1/after-2038-certs/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
 create mode 100644 testing/tests/ikev1/after-2038-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem
 create mode 100644 testing/tests/ikev1/after-2038-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem
 create mode 100644 testing/tests/ikev1/after-2038-certs/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/ikev1/after-2038-certs/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev1/after-2038-certs/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
 create mode 100644 testing/tests/ikev1/after-2038-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem
 create mode 100644 testing/tests/ikev1/after-2038-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem
 create mode 100644 testing/tests/ikev1/after-2038-certs/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev1/after-2038-certs/posttest.dat
 create mode 100644 testing/tests/ikev1/after-2038-certs/pretest.dat
 create mode 100644 testing/tests/ikev1/after-2038-certs/test.conf
 create mode 100644 testing/tests/ikev2/after-2038-certs/description.txt
 create mode 100644 testing/tests/ikev2/after-2038-certs/evaltest.dat
 create mode 100755 testing/tests/ikev2/after-2038-certs/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/after-2038-certs/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
 create mode 100644 testing/tests/ikev2/after-2038-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem
 create mode 100644 testing/tests/ikev2/after-2038-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem
 create mode 100644 testing/tests/ikev2/after-2038-certs/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/after-2038-certs/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/after-2038-certs/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
 create mode 100644 testing/tests/ikev2/after-2038-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem
 create mode 100644 testing/tests/ikev2/after-2038-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem
 create mode 100644 testing/tests/ikev2/after-2038-certs/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/after-2038-certs/posttest.dat
 create mode 100644 testing/tests/ikev2/after-2038-certs/pretest.dat
 create mode 100644 testing/tests/ikev2/after-2038-certs/test.conf
 create mode 100644 testing/tests/ikev2/rw-eap-aka-id-rsa/description.txt
 create mode 100644 testing/tests/ikev2/rw-eap-aka-id-rsa/evaltest.dat
 create mode 100755 testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/carol/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/moon/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/rw-eap-aka-id-rsa/posttest.dat
 create mode 100644 testing/tests/ikev2/rw-eap-aka-id-rsa/pretest.dat
 create mode 100644 testing/tests/ikev2/rw-eap-aka-id-rsa/test.conf
 delete mode 100644 testing/tests/ikev2/rw-eap-aka-identity/description.txt
 delete mode 100644 testing/tests/ikev2/rw-eap-aka-identity/evaltest.dat
 delete mode 100755 testing/tests/ikev2/rw-eap-aka-identity/hosts/carol/etc/ipsec.conf
 delete mode 100644 testing/tests/ikev2/rw-eap-aka-identity/hosts/carol/etc/ipsec.secrets
 delete mode 100644 testing/tests/ikev2/rw-eap-aka-identity/hosts/carol/etc/strongswan.conf
 delete mode 100755 testing/tests/ikev2/rw-eap-aka-identity/hosts/moon/etc/ipsec.conf
 delete mode 100644 testing/tests/ikev2/rw-eap-aka-identity/hosts/moon/etc/ipsec.secrets
 delete mode 100644 testing/tests/ikev2/rw-eap-aka-identity/hosts/moon/etc/strongswan.conf
 delete mode 100644 testing/tests/ikev2/rw-eap-aka-identity/posttest.dat
 delete mode 100644 testing/tests/ikev2/rw-eap-aka-identity/pretest.dat
 delete mode 100644 testing/tests/ikev2/rw-eap-aka-identity/test.conf
 create mode 100644 testing/tests/ikev2/rw-eap-md5-id-radius/description.txt
 create mode 100644 testing/tests/ikev2/rw-eap-md5-id-radius/evaltest.dat
 create mode 100644 testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/clients.conf
 create mode 100644 testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/eap.conf
 create mode 100644 testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/proxy.conf
 create mode 100644 testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/radiusd.conf
 create mode 100644 testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/sites-available/default
 create mode 100644 testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/users
 create mode 100755 testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/init.d/iptables
 create mode 100755 testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/rw-eap-md5-id-radius/posttest.dat
 create mode 100644 testing/tests/ikev2/rw-eap-md5-id-radius/pretest.dat
 create mode 100644 testing/tests/ikev2/rw-eap-md5-id-radius/test.conf
 create mode 100644 testing/tests/ikev2/rw-eap-md5-radius/description.txt
 create mode 100644 testing/tests/ikev2/rw-eap-md5-radius/evaltest.dat
 create mode 100644 testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/clients.conf
 create mode 100644 testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/eap.conf
 create mode 100644 testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/proxy.conf
 create mode 100644 testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/radiusd.conf
 create mode 100644 testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/sites-available/default
 create mode 100644 testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/users
 create mode 100755 testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/init.d/iptables
 create mode 100755 testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/rw-eap-md5-radius/posttest.dat
 create mode 100644 testing/tests/ikev2/rw-eap-md5-radius/pretest.dat
 create mode 100644 testing/tests/ikev2/rw-eap-md5-radius/test.conf
 create mode 100644 testing/tests/ikev2/rw-eap-mschapv2-id-rsa/description.txt
 create mode 100644 testing/tests/ikev2/rw-eap-mschapv2-id-rsa/evaltest.dat
 create mode 100755 testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/carol/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/moon/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/rw-eap-mschapv2-id-rsa/posttest.dat
 create mode 100644 testing/tests/ikev2/rw-eap-mschapv2-id-rsa/pretest.dat
 create mode 100644 testing/tests/ikev2/rw-eap-mschapv2-id-rsa/test.conf
 delete mode 100644 testing/tests/ikev2/rw-eap-mschapv2-rsa/description.txt
 delete mode 100644 testing/tests/ikev2/rw-eap-mschapv2-rsa/evaltest.dat
 delete mode 100755 testing/tests/ikev2/rw-eap-mschapv2-rsa/hosts/carol/etc/ipsec.conf
 delete mode 100644 testing/tests/ikev2/rw-eap-mschapv2-rsa/hosts/carol/etc/ipsec.secrets
 delete mode 100644 testing/tests/ikev2/rw-eap-mschapv2-rsa/hosts/carol/etc/strongswan.conf
 delete mode 100755 testing/tests/ikev2/rw-eap-mschapv2-rsa/hosts/moon/etc/ipsec.conf
 delete mode 100644 testing/tests/ikev2/rw-eap-mschapv2-rsa/hosts/moon/etc/ipsec.secrets
 delete mode 100644 testing/tests/ikev2/rw-eap-mschapv2-rsa/hosts/moon/etc/strongswan.conf
 delete mode 100644 testing/tests/ikev2/rw-eap-mschapv2-rsa/posttest.dat
 delete mode 100644 testing/tests/ikev2/rw-eap-mschapv2-rsa/pretest.dat
 delete mode 100644 testing/tests/ikev2/rw-eap-mschapv2-rsa/test.conf
 create mode 100644 testing/tests/ikev2/rw-eap-sim-id-radius/description.txt
 create mode 100644 testing/tests/ikev2/rw-eap-sim-id-radius/evaltest.dat
 create mode 100644 testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/clients.conf
 create mode 100644 testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/eap.conf
 create mode 100644 testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/proxy.conf
 create mode 100644 testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/radiusd.conf
 create mode 100644 testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/sites-available/default
 create mode 100644 testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/triplets.dat
 create mode 100644 testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/users
 create mode 100755 testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.d/triplets.dat
 create mode 100644 testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/init.d/iptables
 create mode 100755 testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/rw-eap-sim-id-radius/posttest.dat
 create mode 100644 testing/tests/ikev2/rw-eap-sim-id-radius/pretest.dat
 create mode 100644 testing/tests/ikev2/rw-eap-sim-id-radius/test.conf
 create mode 100644 testing/tests/ikev2/rw-eap-sim-radius/description.txt
 create mode 100644 testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat
 create mode 100644 testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/clients.conf
 create mode 100644 testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/eap.conf
 create mode 100644 testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/proxy.conf
 create mode 100644 testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/radiusd.conf
 create mode 100644 testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/sites-available/default
 create mode 100644 testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/triplets.dat
 create mode 100644 testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/users
 create mode 100755 testing/tests/ikev2/rw-eap-sim-radius/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/rw-eap-sim-radius/hosts/carol/etc/ipsec.d/triplets.dat
 create mode 100644 testing/tests/ikev2/rw-eap-sim-radius/hosts/carol/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev2/rw-eap-sim-radius/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/ipsec.d/triplets.dat
 create mode 100644 testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/init.d/iptables
 create mode 100755 testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/rw-eap-sim-radius/posttest.dat
 create mode 100644 testing/tests/ikev2/rw-eap-sim-radius/pretest.dat
 create mode 100644 testing/tests/ikev2/rw-eap-sim-radius/test.conf

(limited to 'src/libstrongswan/plugins')

diff --git a/Doxyfile.in b/Doxyfile.in
index fb746a61d..54f6596f0 100644
--- a/Doxyfile.in
+++ b/Doxyfile.in
@@ -1,220 +1,1420 @@
-# Doxyfile 1.4.1-KDevelop
+# Doxyfile 1.5.6
+
+# This file describes the settings to be used by the documentation system
+# doxygen (www.doxygen.org) for a project
+#
+# All text after a hash (#) is considered a comment and will be ignored
+# The format is:
+#       TAG = value [value, ...]
+# For lists items can also be appended using:
+#       TAG += value [value, ...]
+# Values that contain spaces should be placed between quotes (" ")
 
 #---------------------------------------------------------------------------
 # Project related configuration options
 #---------------------------------------------------------------------------
-PROJECT_NAME = "@PACKAGE_NAME@"
-PROJECT_NUMBER = "@PACKAGE_VERSION@"
-OUTPUT_DIRECTORY = apidoc
-CREATE_SUBDIRS = NO
-OUTPUT_LANGUAGE = English
-USE_WINDOWS_ENCODING = NO
-BRIEF_MEMBER_DESC = YES
-REPEAT_BRIEF = YES
-ABBREVIATE_BRIEF = 
-ALWAYS_DETAILED_SEC = NO
-INLINE_INHERITED_MEMB = NO
-FULL_PATH_NAMES = YES
-STRIP_FROM_PATH = 
-STRIP_FROM_INC_PATH = 
-SHORT_NAMES = NO
-JAVADOC_AUTOBRIEF = YES
+
+# This tag specifies the encoding used for all characters in the config file 
+# that follow. The default is UTF-8 which is also the encoding used for all 
+# text before the first occurrence of this tag. Doxygen uses libiconv (or the 
+# iconv built into libc) for the transcoding. See 
+# http://www.gnu.org/software/libiconv for the list of possible encodings.
+
+DOXYFILE_ENCODING      = UTF-8
+
+# The PROJECT_NAME tag is a single word (or a sequence of words surrounded 
+# by quotes) that should identify the project.
+
+PROJECT_NAME           = "@PACKAGE_NAME@"
+
+# The PROJECT_NUMBER tag can be used to enter a project or revision number. 
+# This could be handy for archiving the generated documentation or 
+# if some version control system is used.
+
+PROJECT_NUMBER         = "@PACKAGE_VERSION@"
+
+# The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute) 
+# base path where the generated documentation will be put. 
+# If a relative path is entered, it will be relative to the location 
+# where doxygen was started. If left blank the current directory will be used.
+
+OUTPUT_DIRECTORY       = apidoc
+
+# If the CREATE_SUBDIRS tag is set to YES, then doxygen will create 
+# 4096 sub-directories (in 2 levels) under the output directory of each output 
+# format and will distribute the generated files over these directories. 
+# Enabling this option can be useful when feeding doxygen a huge amount of 
+# source files, where putting all generated files in the same directory would 
+# otherwise cause performance problems for the file system.
+
+CREATE_SUBDIRS         = NO
+
+# The OUTPUT_LANGUAGE tag is used to specify the language in which all 
+# documentation generated by doxygen is written. Doxygen will use this 
+# information to generate all constant output in the proper language. 
+# The default language is English, other supported languages are: 
+# Afrikaans, Arabic, Brazilian, Catalan, Chinese, Chinese-Traditional, 
+# Croatian, Czech, Danish, Dutch, Farsi, Finnish, French, German, Greek, 
+# Hungarian, Italian, Japanese, Japanese-en (Japanese with English messages), 
+# Korean, Korean-en, Lithuanian, Norwegian, Macedonian, Persian, Polish, 
+# Portuguese, Romanian, Russian, Serbian, Slovak, Slovene, Spanish, Swedish, 
+# and Ukrainian.
+
+OUTPUT_LANGUAGE        = English
+
+# If the BRIEF_MEMBER_DESC tag is set to YES (the default) Doxygen will 
+# include brief member descriptions after the members that are listed in 
+# the file and class documentation (similar to JavaDoc). 
+# Set to NO to disable this.
+
+BRIEF_MEMBER_DESC      = YES
+
+# If the REPEAT_BRIEF tag is set to YES (the default) Doxygen will prepend 
+# the brief description of a member or function before the detailed description. 
+# Note: if both HIDE_UNDOC_MEMBERS and BRIEF_MEMBER_DESC are set to NO, the 
+# brief descriptions will be completely suppressed.
+
+REPEAT_BRIEF           = YES
+
+# This tag implements a quasi-intelligent brief description abbreviator 
+# that is used to form the text in various listings. Each string 
+# in this list, if found as the leading text of the brief description, will be 
+# stripped from the text and the result after processing the whole list, is 
+# used as the annotated text. Otherwise, the brief description is used as-is. 
+# If left blank, the following values are used ("$name" is automatically 
+# replaced with the name of the entity): "The $name class" "The $name widget" 
+# "The $name file" "is" "provides" "specifies" "contains" 
+# "represents" "a" "an" "the"
+
+ABBREVIATE_BRIEF       = 
+
+# If the ALWAYS_DETAILED_SEC and REPEAT_BRIEF tags are both set to YES then 
+# Doxygen will generate a detailed section even if there is only a brief 
+# description.
+
+ALWAYS_DETAILED_SEC    = NO
+
+# If the INLINE_INHERITED_MEMB tag is set to YES, doxygen will show all 
+# inherited members of a class in the documentation of that class as if those 
+# members were ordinary class members. Constructors, destructors and assignment 
+# operators of the base classes will not be shown.
+
+INLINE_INHERITED_MEMB  = NO
+
+# If the FULL_PATH_NAMES tag is set to YES then Doxygen will prepend the full 
+# path before files name in the file list and in the header files. If set 
+# to NO the shortest path that makes the file name unique will be used.
+
+FULL_PATH_NAMES        = YES
+
+# If the FULL_PATH_NAMES tag is set to YES then the STRIP_FROM_PATH tag 
+# can be used to strip a user-defined part of the path. Stripping is 
+# only done if one of the specified strings matches the left-hand part of 
+# the path. The tag can be used to show relative paths in the file list. 
+# If left blank the directory from which doxygen is run is used as the 
+# path to strip.
+
+STRIP_FROM_PATH        = 
+
+# The STRIP_FROM_INC_PATH tag can be used to strip a user-defined part of 
+# the path mentioned in the documentation of a class, which tells 
+# the reader which header file to include in order to use a class. 
+# If left blank only the name of the header file containing the class 
+# definition is used. Otherwise one should specify the include paths that 
+# are normally passed to the compiler using the -I flag.
+
+STRIP_FROM_INC_PATH    = 
+
+# If the SHORT_NAMES tag is set to YES, doxygen will generate much shorter 
+# (but less readable) file names. This can be useful is your file systems 
+# doesn't support long names like on DOS, Mac, or CD-ROM.
+
+SHORT_NAMES            = NO
+
+# If the JAVADOC_AUTOBRIEF tag is set to YES then Doxygen 
+# will interpret the first line (until the first dot) of a JavaDoc-style 
+# comment as the brief description. If set to NO, the JavaDoc 
+# comments will behave just like regular Qt-style comments 
+# (thus requiring an explicit @brief command for a brief description.)
+
+JAVADOC_AUTOBRIEF      = YES
+
+# If the QT_AUTOBRIEF tag is set to YES then Doxygen will 
+# interpret the first line (until the first dot) of a Qt-style 
+# comment as the brief description. If set to NO, the comments 
+# will behave just like regular Qt-style comments (thus requiring 
+# an explicit \brief command for a brief description.)
+
+QT_AUTOBRIEF           = NO
+
+# The MULTILINE_CPP_IS_BRIEF tag can be set to YES to make Doxygen 
+# treat a multi-line C++ special comment block (i.e. a block of //! or /// 
+# comments) as a brief description. This used to be the default behaviour. 
+# The new default is to treat a multi-line C++ comment block as a detailed 
+# description. Set this tag to YES if you prefer the old behaviour instead.
+
 MULTILINE_CPP_IS_BRIEF = NO
-DETAILS_AT_TOP = YES
-INHERIT_DOCS = YES
-DISTRIBUTE_GROUP_DOC = NO
-TAB_SIZE = 1
-ALIASES = 
-OPTIMIZE_OUTPUT_FOR_C = NO
-OPTIMIZE_OUTPUT_JAVA = NO
-SUBGROUPING = YES
+
+# If the DETAILS_AT_TOP tag is set to YES then Doxygen 
+# will output the detailed description near the top, like JavaDoc.
+# If set to NO, the detailed description appears after the member 
+# documentation.
+
+DETAILS_AT_TOP         = YES
+
+# If the INHERIT_DOCS tag is set to YES (the default) then an undocumented 
+# member inherits the documentation from any documented member that it 
+# re-implements.
+
+INHERIT_DOCS           = YES
+
+# If the SEPARATE_MEMBER_PAGES tag is set to YES, then doxygen will produce 
+# a new page for each member. If set to NO, the documentation of a member will 
+# be part of the file/class/namespace that contains it.
+
+SEPARATE_MEMBER_PAGES  = NO
+
+# The TAB_SIZE tag can be used to set the number of spaces in a tab. 
+# Doxygen uses this value to replace tabs by spaces in code fragments.
+
+TAB_SIZE               = 4
+
+# This tag can be used to specify a number of aliases that acts 
+# as commands in the documentation. An alias has the form "name=value". 
+# For example adding "sideeffect=\par Side Effects:\n" will allow you to 
+# put the command \sideeffect (or @sideeffect) in the documentation, which 
+# will result in a user-defined paragraph with heading "Side Effects:". 
+# You can put \n's in the value part of an alias to insert newlines.
+
+ALIASES                = 
+
+# Set the OPTIMIZE_OUTPUT_FOR_C tag to YES if your project consists of C 
+# sources only. Doxygen will then generate output that is more tailored for C. 
+# For instance, some of the names that are used will be different. The list 
+# of all members will be omitted, etc.
+
+OPTIMIZE_OUTPUT_FOR_C  = NO
+
+# Set the OPTIMIZE_OUTPUT_JAVA tag to YES if your project consists of Java 
+# sources only. Doxygen will then generate output that is more tailored for 
+# Java. For instance, namespaces will be presented as packages, qualified 
+# scopes will look different, etc.
+
+OPTIMIZE_OUTPUT_JAVA   = NO
+
+# Set the OPTIMIZE_FOR_FORTRAN tag to YES if your project consists of Fortran 
+# sources only. Doxygen will then generate output that is more tailored for 
+# Fortran.
+
+OPTIMIZE_FOR_FORTRAN   = NO
+
+# Set the OPTIMIZE_OUTPUT_VHDL tag to YES if your project consists of VHDL 
+# sources. Doxygen will then generate output that is tailored for 
+# VHDL.
+
+OPTIMIZE_OUTPUT_VHDL   = NO
+
+# If you use STL classes (i.e. std::string, std::vector, etc.) but do not want 
+# to include (a tag file for) the STL sources as input, then you should 
+# set this tag to YES in order to let doxygen match functions declarations and 
+# definitions whose arguments contain STL classes (e.g. func(std::string); v.s. 
+# func(std::string) {}). This also make the inheritance and collaboration 
+# diagrams that involve STL classes more complete and accurate.
+
+BUILTIN_STL_SUPPORT    = NO
+
+# If you use Microsoft's C++/CLI language, you should set this option to YES to
+# enable parsing support.
+
+CPP_CLI_SUPPORT        = NO
+
+# Set the SIP_SUPPORT tag to YES if your project consists of sip sources only. 
+# Doxygen will parse them like normal C++ but will assume all classes use public 
+# instead of private inheritance when no explicit protection keyword is present.
+
+SIP_SUPPORT            = NO
+
+# For Microsoft's IDL there are propget and propput attributes to indicate getter 
+# and setter methods for a property. Setting this option to YES (the default) 
+# will make doxygen to replace the get and set methods by a property in the 
+# documentation. This will only work if the methods are indeed getting or 
+# setting a simple type. If this is not the case, or you want to show the 
+# methods anyway, you should set this option to NO.
+
+IDL_PROPERTY_SUPPORT   = YES
+
+# If member grouping is used in the documentation and the DISTRIBUTE_GROUP_DOC 
+# tag is set to YES, then doxygen will reuse the documentation of the first 
+# member in the group (if any) for the other members of the group. By default 
+# all members of a group must be documented explicitly.
+
+DISTRIBUTE_GROUP_DOC   = NO
+
+# Set the SUBGROUPING tag to YES (the default) to allow class member groups of 
+# the same type (for instance a group of public functions) to be put as a 
+# subgroup of that type (e.g. under the Public Functions section). Set it to 
+# NO to prevent subgrouping. Alternatively, this can be done per class using 
+# the \nosubgrouping command.
+
+SUBGROUPING            = YES
+
+# When TYPEDEF_HIDES_STRUCT is enabled, a typedef of a struct, union, or enum 
+# is documented as struct, union, or enum with the name of the typedef. So 
+# typedef struct TypeS {} TypeT, will appear in the documentation as a struct 
+# with name TypeT. When disabled the typedef will appear as a member of a file, 
+# namespace, or class. And the struct will be named TypeS. This can typically 
+# be useful for C code in case the coding convention dictates that all compound 
+# types are typedef'ed and only the typedef is referenced, never the tag name.
+
+TYPEDEF_HIDES_STRUCT   = YES
+
 #---------------------------------------------------------------------------
 # Build related configuration options
 #---------------------------------------------------------------------------
-EXTRACT_ALL = NO
-EXTRACT_PRIVATE = NO
-EXTRACT_STATIC = NO
-EXTRACT_LOCAL_CLASSES = NO
-EXTRACT_LOCAL_METHODS = NO
-HIDE_UNDOC_MEMBERS = NO
-HIDE_UNDOC_CLASSES = NO
-HIDE_FRIEND_COMPOUNDS = NO
-HIDE_IN_BODY_DOCS = NO
-INTERNAL_DOCS = NO
-CASE_SENSE_NAMES = YES
-HIDE_SCOPE_NAMES = NO
-SHOW_INCLUDE_FILES = YES
-INLINE_INFO = YES
-SORT_MEMBER_DOCS = YES
-SORT_BRIEF_DOCS = NO
-SORT_BY_SCOPE_NAME = NO
-GENERATE_TODOLIST = YES
-GENERATE_TESTLIST = NO
-GENERATE_BUGLIST = YES
-GENERATE_DEPRECATEDLIST = YES
-ENABLED_SECTIONS = 
-MAX_INITIALIZER_LINES = 30
-SHOW_USED_FILES = YES
-SHOW_DIRECTORIES = NO
-FILE_VERSION_FILTER = 
+
+# If the EXTRACT_ALL tag is set to YES doxygen will assume all entities in 
+# documentation are documented, even if no documentation was available. 
+# Private class members and static file members will be hidden unless 
+# the EXTRACT_PRIVATE and EXTRACT_STATIC tags are set to YES
+
+EXTRACT_ALL            = NO
+
+# If the EXTRACT_PRIVATE tag is set to YES all private members of a class 
+# will be included in the documentation.
+
+EXTRACT_PRIVATE        = NO
+
+# If the EXTRACT_STATIC tag is set to YES all static members of a file 
+# will be included in the documentation.
+
+EXTRACT_STATIC         = NO
+
+# If the EXTRACT_LOCAL_CLASSES tag is set to YES classes (and structs) 
+# defined locally in source files will be included in the documentation. 
+# If set to NO only classes defined in header files are included.
+
+EXTRACT_LOCAL_CLASSES  = NO
+
+# This flag is only useful for Objective-C code. When set to YES local 
+# methods, which are defined in the implementation section but not in 
+# the interface are included in the documentation. 
+# If set to NO (the default) only methods in the interface are included.
+
+EXTRACT_LOCAL_METHODS  = NO
+
+# If this flag is set to YES, the members of anonymous namespaces will be 
+# extracted and appear in the documentation as a namespace called 
+# 'anonymous_namespace{file}', where file will be replaced with the base 
+# name of the file that contains the anonymous namespace. By default 
+# anonymous namespace are hidden.
+
+EXTRACT_ANON_NSPACES   = NO
+
+# If the HIDE_UNDOC_MEMBERS tag is set to YES, Doxygen will hide all 
+# undocumented members of documented classes, files or namespaces. 
+# If set to NO (the default) these members will be included in the 
+# various overviews, but no documentation section is generated. 
+# This option has no effect if EXTRACT_ALL is enabled.
+
+HIDE_UNDOC_MEMBERS     = NO
+
+# If the HIDE_UNDOC_CLASSES tag is set to YES, Doxygen will hide all 
+# undocumented classes that are normally visible in the class hierarchy. 
+# If set to NO (the default) these classes will be included in the various 
+# overviews. This option has no effect if EXTRACT_ALL is enabled.
+
+HIDE_UNDOC_CLASSES     = NO
+
+# If the HIDE_FRIEND_COMPOUNDS tag is set to YES, Doxygen will hide all 
+# friend (class|struct|union) declarations. 
+# If set to NO (the default) these declarations will be included in the 
+# documentation.
+
+HIDE_FRIEND_COMPOUNDS  = NO
+
+# If the HIDE_IN_BODY_DOCS tag is set to YES, Doxygen will hide any 
+# documentation blocks found inside the body of a function. 
+# If set to NO (the default) these blocks will be appended to the 
+# function's detailed documentation block.
+
+HIDE_IN_BODY_DOCS      = NO
+
+# The INTERNAL_DOCS tag determines if documentation 
+# that is typed after a \internal command is included. If the tag is set 
+# to NO (the default) then the documentation will be excluded. 
+# Set it to YES to include the internal documentation.
+
+INTERNAL_DOCS          = NO
+
+# If the CASE_SENSE_NAMES tag is set to NO then Doxygen will only generate 
+# file names in lower-case letters. If set to YES upper-case letters are also 
+# allowed. This is useful if you have classes or files whose names only differ 
+# in case and if your file system supports case sensitive file names. Windows 
+# and Mac users are advised to set this option to NO.
+
+CASE_SENSE_NAMES       = YES
+
+# If the HIDE_SCOPE_NAMES tag is set to NO (the default) then Doxygen 
+# will show members with their full class and namespace scopes in the 
+# documentation. If set to YES the scope will be hidden.
+
+HIDE_SCOPE_NAMES       = NO
+
+# If the SHOW_INCLUDE_FILES tag is set to YES (the default) then Doxygen 
+# will put a list of the files that are included by a file in the documentation 
+# of that file.
+
+SHOW_INCLUDE_FILES     = NO
+
+# If the INLINE_INFO tag is set to YES (the default) then a tag [inline] 
+# is inserted in the documentation for inline members.
+
+INLINE_INFO            = YES
+
+# If the SORT_MEMBER_DOCS tag is set to YES (the default) then doxygen 
+# will sort the (detailed) documentation of file and class members 
+# alphabetically by member name. If set to NO the members will appear in 
+# declaration order.
+
+SORT_MEMBER_DOCS       = NO
+
+# If the SORT_BRIEF_DOCS tag is set to YES then doxygen will sort the 
+# brief documentation of file, namespace and class members alphabetically 
+# by member name. If set to NO (the default) the members will appear in 
+# declaration order.
+
+SORT_BRIEF_DOCS        = NO
+
+# If the SORT_GROUP_NAMES tag is set to YES then doxygen will sort the 
+# hierarchy of group names into alphabetical order. If set to NO (the default) 
+# the group names will appear in their defined order.
+
+SORT_GROUP_NAMES       = NO
+
+# If the SORT_BY_SCOPE_NAME tag is set to YES, the class list will be 
+# sorted by fully-qualified names, including namespaces. If set to 
+# NO (the default), the class list will be sorted only by class name, 
+# not including the namespace part. 
+# Note: This option is not very useful if HIDE_SCOPE_NAMES is set to YES.
+# Note: This option applies only to the class list, not to the 
+# alphabetical list.
+
+SORT_BY_SCOPE_NAME     = NO
+
+# The GENERATE_TODOLIST tag can be used to enable (YES) or 
+# disable (NO) the todo list. This list is created by putting \todo 
+# commands in the documentation.
+
+GENERATE_TODOLIST      = NO
+
+# The GENERATE_TESTLIST tag can be used to enable (YES) or 
+# disable (NO) the test list. This list is created by putting \test 
+# commands in the documentation.
+
+GENERATE_TESTLIST      = NO
+
+# The GENERATE_BUGLIST tag can be used to enable (YES) or 
+# disable (NO) the bug list. This list is created by putting \bug 
+# commands in the documentation.
+
+GENERATE_BUGLIST       = NO
+
+# The GENERATE_DEPRECATEDLIST tag can be used to enable (YES) or 
+# disable (NO) the deprecated list. This list is created by putting 
+# \deprecated commands in the documentation.
+
+GENERATE_DEPRECATEDLIST= NO
+
+# The ENABLED_SECTIONS tag can be used to enable conditional 
+# documentation sections, marked by \if sectionname ... \endif.
+
+ENABLED_SECTIONS       = 
+
+# The MAX_INITIALIZER_LINES tag determines the maximum number of lines 
+# the initial value of a variable or define consists of for it to appear in 
+# the documentation. If the initializer consists of more lines than specified 
+# here it will be hidden. Use a value of 0 to hide initializers completely. 
+# The appearance of the initializer of individual variables and defines in the 
+# documentation can be controlled using \showinitializer or \hideinitializer 
+# command in the documentation regardless of this setting.
+
+MAX_INITIALIZER_LINES  = 30
+
+# Set the SHOW_USED_FILES tag to NO to disable the list of files generated 
+# at the bottom of the documentation of classes and structs. If set to YES the 
+# list will mention the files that were used to generate the documentation.
+
+SHOW_USED_FILES        = NO
+
+# If the sources in your project are distributed over multiple directories 
+# then setting the SHOW_DIRECTORIES tag to YES will show the directory hierarchy 
+# in the documentation. The default is NO.
+
+SHOW_DIRECTORIES       = YES
+
+# Set the SHOW_FILES tag to NO to disable the generation of the Files page.
+# This will remove the Files entry from the Quick Index and from the 
+# Folder Tree View (if specified). The default is YES.
+
+SHOW_FILES             = NO
+
+# Set the SHOW_NAMESPACES tag to NO to disable the generation of the 
+# Namespaces page.  This will remove the Namespaces entry from the Quick Index
+# and from the Folder Tree View (if specified). The default is YES.
+
+SHOW_NAMESPACES        = YES
+
+# The FILE_VERSION_FILTER tag can be used to specify a program or script that 
+# doxygen should invoke to get the current version for each file (typically from 
+# the version control system). Doxygen will invoke the program by executing (via 
+# popen()) the command <command> <input-file>, where <command> is the value of 
+# the FILE_VERSION_FILTER tag, and <input-file> is the name of an input file 
+# provided by doxygen. Whatever the program writes to standard output 
+# is used as the file version. See the manual for examples.
+
+FILE_VERSION_FILTER    = 
+
 #---------------------------------------------------------------------------
 # configuration options related to warning and progress messages
 #---------------------------------------------------------------------------
-QUIET = NO
-WARNINGS = YES
-WARN_IF_UNDOCUMENTED = YES
-WARN_IF_DOC_ERROR = YES
-WARN_NO_PARAMDOC = NO
-WARN_FORMAT = "$file:$line: $text"
-WARN_LOGFILE = 
+
+# The QUIET tag can be used to turn on/off the messages that are generated 
+# by doxygen. Possible values are YES and NO. If left blank NO is used.
+
+QUIET                  = NO
+
+# The WARNINGS tag can be used to turn on/off the warning messages that are 
+# generated by doxygen. Possible values are YES and NO. If left blank 
+# NO is used.
+
+WARNINGS               = YES
+
+# If WARN_IF_UNDOCUMENTED is set to YES, then doxygen will generate warnings 
+# for undocumented members. If EXTRACT_ALL is set to YES then this flag will 
+# automatically be disabled.
+
+WARN_IF_UNDOCUMENTED   = NO
+
+# If WARN_IF_DOC_ERROR is set to YES, doxygen will generate warnings for 
+# potential errors in the documentation, such as not documenting some 
+# parameters in a documented function, or documenting parameters that 
+# don't exist or using markup commands wrongly.
+
+WARN_IF_DOC_ERROR      = YES
+
+# This WARN_NO_PARAMDOC option can be abled to get warnings for 
+# functions that are documented, but have no documentation for their parameters 
+# or return value. If set to NO (the default) doxygen will only warn about 
+# wrong or incomplete parameter documentation, but not about the absence of 
+# documentation.
+
+WARN_NO_PARAMDOC       = NO
+
+# The WARN_FORMAT tag determines the format of the warning messages that 
+# doxygen can produce. The string should contain the $file, $line, and $text 
+# tags, which will be replaced by the file and line number from which the 
+# warning originated and the warning text. Optionally the format may contain 
+# $version, which will be replaced by the version of the file (if it could 
+# be obtained via FILE_VERSION_FILTER)
+
+WARN_FORMAT            = "$file:$line: $text"
+
+# The WARN_LOGFILE tag can be used to specify a file to which warning 
+# and error messages should be written. If left blank the output is written 
+# to stderr.
+
+WARN_LOGFILE           = 
+
 #---------------------------------------------------------------------------
 # configuration options related to the input files
 #---------------------------------------------------------------------------
-INPUT = src/libstrongswan src/charon src/libfast src/manager
-FILE_PATTERNS = *.h
-RECURSIVE = YES
-EXCLUDE = 
-EXCLUDE_SYMLINKS = NO
-EXCLUDE_PATTERNS = */.svn/*
-EXAMPLE_PATH = 
-EXAMPLE_PATTERNS = 
-EXAMPLE_RECURSIVE = NO
-IMAGE_PATH = 
-INPUT_FILTER = 
-FILTER_PATTERNS = 
-FILTER_SOURCE_FILES = NO
+
+# The INPUT tag can be used to specify the files and/or directories that contain 
+# documented source files. You may enter file names like "myfile.cpp" or 
+# directories like "/usr/src/myproject". Separate the files or directories 
+# with spaces.
+
+INPUT                  = src/libstrongswan \
+                         src/charon \
+                         src/libfast \
+                         src/manager
+
+# This tag can be used to specify the character encoding of the source files 
+# that doxygen parses. Internally doxygen uses the UTF-8 encoding, which is 
+# also the default input encoding. Doxygen uses libiconv (or the iconv built 
+# into libc) for the transcoding. See http://www.gnu.org/software/libiconv for 
+# the list of possible encodings.
+
+INPUT_ENCODING         = UTF-8
+
+# If the value of the INPUT tag contains directories, you can use the 
+# FILE_PATTERNS tag to specify one or more wildcard pattern (like *.cpp 
+# and *.h) to filter out the source-files in the directories. If left 
+# blank the following patterns are tested: 
+# *.c *.cc *.cxx *.cpp *.c++ *.java *.ii *.ixx *.ipp *.i++ *.inl *.h *.hh *.hxx 
+# *.hpp *.h++ *.idl *.odl *.cs *.php *.php3 *.inc *.m *.mm *.py *.f90
+
+FILE_PATTERNS          = *.h
+
+# The RECURSIVE tag can be used to turn specify whether or not subdirectories 
+# should be searched for input files as well. Possible values are YES and NO. 
+# If left blank NO is used.
+
+RECURSIVE              = YES
+
+# The EXCLUDE tag can be used to specify files and/or directories that should 
+# excluded from the INPUT source files. This way you can easily exclude a 
+# subdirectory from a directory tree whose root is specified with the INPUT tag.
+
+EXCLUDE                = 
+
+# The EXCLUDE_SYMLINKS tag can be used select whether or not files or 
+# directories that are symbolic links (a Unix filesystem feature) are excluded 
+# from the input.
+
+EXCLUDE_SYMLINKS       = NO
+
+# If the value of the INPUT tag contains directories, you can use the 
+# EXCLUDE_PATTERNS tag to specify one or more wildcard patterns to exclude 
+# certain files from those directories. Note that the wildcards are matched 
+# against the file with absolute path, so to exclude all test directories 
+# for example use the pattern */test/*
+
+EXCLUDE_PATTERNS       = */.svn/*
+
+# The EXCLUDE_SYMBOLS tag can be used to specify one or more symbol names 
+# (namespaces, classes, functions, etc.) that should be excluded from the 
+# output. The symbol name can be a fully qualified name, a word, or if the 
+# wildcard * is used, a substring. Examples: ANamespace, AClass, 
+# AClass::ANamespace, ANamespace::*Test
+
+EXCLUDE_SYMBOLS        = 
+
+# The EXAMPLE_PATH tag can be used to specify one or more files or 
+# directories that contain example code fragments that are included (see 
+# the \include command).
+
+EXAMPLE_PATH           = 
+
+# If the value of the EXAMPLE_PATH tag contains directories, you can use the 
+# EXAMPLE_PATTERNS tag to specify one or more wildcard pattern (like *.cpp 
+# and *.h) to filter out the source-files in the directories. If left 
+# blank all files are included.
+
+EXAMPLE_PATTERNS       = 
+
+# If the EXAMPLE_RECURSIVE tag is set to YES then subdirectories will be 
+# searched for input files to be used with the \include or \dontinclude 
+# commands irrespective of the value of the RECURSIVE tag. 
+# Possible values are YES and NO. If left blank NO is used.
+
+EXAMPLE_RECURSIVE      = NO
+
+# The IMAGE_PATH tag can be used to specify one or more files or 
+# directories that contain image that are included in the documentation (see 
+# the \image command).
+
+IMAGE_PATH             = 
+
+# The INPUT_FILTER tag can be used to specify a program that doxygen should 
+# invoke to filter for each input file. Doxygen will invoke the filter program 
+# by executing (via popen()) the command <filter> <input-file>, where <filter> 
+# is the value of the INPUT_FILTER tag, and <input-file> is the name of an 
+# input file. Doxygen will then use the output that the filter program writes 
+# to standard output.  If FILTER_PATTERNS is specified, this tag will be 
+# ignored.
+
+INPUT_FILTER           = 
+
+# The FILTER_PATTERNS tag can be used to specify filters on a per file pattern 
+# basis.  Doxygen will compare the file name with each pattern and apply the 
+# filter if there is a match.  The filters are a list of the form: 
+# pattern=filter (like *.cpp=my_cpp_filter). See INPUT_FILTER for further 
+# info on how filters are used. If FILTER_PATTERNS is empty, INPUT_FILTER 
+# is applied to all files.
+
+FILTER_PATTERNS        = 
+
+# If the FILTER_SOURCE_FILES tag is set to YES, the input filter (if set using 
+# INPUT_FILTER) will be used to filter the input files when producing source 
+# files to browse (i.e. when SOURCE_BROWSER is set to YES).
+
+FILTER_SOURCE_FILES    = NO
+
 #---------------------------------------------------------------------------
 # configuration options related to source browsing
 #---------------------------------------------------------------------------
-SOURCE_BROWSER = NO
-INLINE_SOURCES = NO
-STRIP_CODE_COMMENTS = NO
+
+# If the SOURCE_BROWSER tag is set to YES then a list of source files will 
+# be generated. Documented entities will be cross-referenced with these sources. 
+# Note: To get rid of all source code in the generated output, make sure also 
+# VERBATIM_HEADERS is set to NO.
+
+SOURCE_BROWSER         = NO
+
+# Setting the INLINE_SOURCES tag to YES will include the body 
+# of functions and classes directly in the documentation.
+
+INLINE_SOURCES         = NO
+
+# Setting the STRIP_CODE_COMMENTS tag to YES (the default) will instruct 
+# doxygen to hide any special comment blocks from generated source code 
+# fragments. Normal C and C++ comments will always remain visible.
+
+STRIP_CODE_COMMENTS    = NO
+
+# If the REFERENCED_BY_RELATION tag is set to YES 
+# then for each documented function all documented 
+# functions referencing it will be listed.
+
 REFERENCED_BY_RELATION = NO
-REFERENCES_RELATION = NO
-VERBATIM_HEADERS = YES
+
+# If the REFERENCES_RELATION tag is set to YES 
+# then for each documented function all documented entities 
+# called/used by that function will be listed.
+
+REFERENCES_RELATION    = NO
+
+# If the REFERENCES_LINK_SOURCE tag is set to YES (the default)
+# and SOURCE_BROWSER tag is set to YES, then the hyperlinks from
+# functions in REFERENCES_RELATION and REFERENCED_BY_RELATION lists will
+# link to the source code.  Otherwise they will link to the documentstion.
+
+REFERENCES_LINK_SOURCE = YES
+
+# If the USE_HTAGS tag is set to YES then the references to source code 
+# will point to the HTML generated by the htags(1) tool instead of doxygen 
+# built-in source browser. The htags tool is part of GNU's global source 
+# tagging system (see http://www.gnu.org/software/global/global.html). You 
+# will need version 4.8.6 or higher.
+
+USE_HTAGS              = NO
+
+# If the VERBATIM_HEADERS tag is set to YES (the default) then Doxygen 
+# will generate a verbatim copy of the header file for each class for 
+# which an include is specified. Set to NO to disable this.
+
+VERBATIM_HEADERS       = YES
+
 #---------------------------------------------------------------------------
 # configuration options related to the alphabetical class index
 #---------------------------------------------------------------------------
-ALPHABETICAL_INDEX = NO
-COLS_IN_ALPHA_INDEX = 5
-IGNORE_PREFIX = 
+
+# If the ALPHABETICAL_INDEX tag is set to YES, an alphabetical index 
+# of all compounds will be generated. Enable this if the project 
+# contains a lot of classes, structs, unions or interfaces.
+
+ALPHABETICAL_INDEX     = NO
+
+# If the alphabetical index is enabled (see ALPHABETICAL_INDEX) then 
+# the COLS_IN_ALPHA_INDEX tag can be used to specify the number of columns 
+# in which this list will be split (can be a number in the range [1..20])
+
+COLS_IN_ALPHA_INDEX    = 5
+
+# In case all classes in a project start with a common prefix, all 
+# classes will be put under the same header in the alphabetical index. 
+# The IGNORE_PREFIX tag can be used to specify one or more prefixes that 
+# should be ignored while generating the index headers.
+
+IGNORE_PREFIX          = 
+
 #---------------------------------------------------------------------------
 # configuration options related to the HTML output
 #---------------------------------------------------------------------------
-GENERATE_HTML = YES
-HTML_OUTPUT = .
-HTML_FILE_EXTENSION = .html
-HTML_HEADER = 
-HTML_FOOTER = 
-HTML_STYLESHEET = 
-HTML_ALIGN_MEMBERS = YES
-GENERATE_HTMLHELP = NO
-CHM_FILE = 
-HHC_LOCATION = 
-GENERATE_CHI = NO
-BINARY_TOC = NO
-TOC_EXPAND = NO
-DISABLE_INDEX = YES
-ENUM_VALUES_PER_LINE = 1
-GENERATE_TREEVIEW = YES
-TREEVIEW_WIDTH = 250
+
+# If the GENERATE_HTML tag is set to YES (the default) Doxygen will 
+# generate HTML output.
+
+GENERATE_HTML          = YES
+
+# The HTML_OUTPUT tag is used to specify where the HTML docs will be put. 
+# If a relative path is entered the value of OUTPUT_DIRECTORY will be 
+# put in front of it. If left blank `html' will be used as the default path.
+
+HTML_OUTPUT            = .
+
+# The HTML_FILE_EXTENSION tag can be used to specify the file extension for 
+# each generated HTML page (for example: .htm,.php,.asp). If it is left blank 
+# doxygen will generate files with .html extension.
+
+HTML_FILE_EXTENSION    = .html
+
+# The HTML_HEADER tag can be used to specify a personal HTML header for 
+# each generated HTML page. If it is left blank doxygen will generate a 
+# standard header.
+
+HTML_HEADER            = 
+
+# The HTML_FOOTER tag can be used to specify a personal HTML footer for 
+# each generated HTML page. If it is left blank doxygen will generate a 
+# standard footer.
+
+HTML_FOOTER            = 
+
+# The HTML_STYLESHEET tag can be used to specify a user-defined cascading 
+# style sheet that is used by each HTML page. It can be used to 
+# fine-tune the look of the HTML output. If the tag is left blank doxygen 
+# will generate a default style sheet. Note that doxygen will try to copy 
+# the style sheet file to the HTML output directory, so don't put your own 
+# stylesheet in the HTML output directory as well, or it will be erased!
+
+HTML_STYLESHEET        = 
+
+# If the HTML_ALIGN_MEMBERS tag is set to YES, the members of classes, 
+# files or namespaces will be aligned in HTML using tables. If set to 
+# NO a bullet list will be used.
+
+HTML_ALIGN_MEMBERS     = YES
+
+# If the GENERATE_HTMLHELP tag is set to YES, additional index files 
+# will be generated that can be used as input for tools like the 
+# Microsoft HTML help workshop to generate a compiled HTML help file (.chm) 
+# of the generated HTML documentation.
+
+GENERATE_HTMLHELP      = NO
+
+# If the GENERATE_DOCSET tag is set to YES, additional index files 
+# will be generated that can be used as input for Apple's Xcode 3 
+# integrated development environment, introduced with OSX 10.5 (Leopard). 
+# To create a documentation set, doxygen will generate a Makefile in the 
+# HTML output directory. Running make will produce the docset in that 
+# directory and running "make install" will install the docset in 
+# ~/Library/Developer/Shared/Documentation/DocSets so that Xcode will find 
+# it at startup.
+
+GENERATE_DOCSET        = NO
+
+# When GENERATE_DOCSET tag is set to YES, this tag determines the name of the 
+# feed. A documentation feed provides an umbrella under which multiple 
+# documentation sets from a single provider (such as a company or product suite) 
+# can be grouped.
+
+DOCSET_FEEDNAME        = "Doxygen generated docs"
+
+# When GENERATE_DOCSET tag is set to YES, this tag specifies a string that 
+# should uniquely identify the documentation set bundle. This should be a 
+# reverse domain-name style string, e.g. com.mycompany.MyDocSet. Doxygen 
+# will append .docset to the name.
+
+DOCSET_BUNDLE_ID       = org.doxygen.Project
+
+# If the HTML_DYNAMIC_SECTIONS tag is set to YES then the generated HTML 
+# documentation will contain sections that can be hidden and shown after the 
+# page has loaded. For this to work a browser that supports 
+# JavaScript and DHTML is required (for instance Mozilla 1.0+, Firefox 
+# Netscape 6.0+, Internet explorer 5.0+, Konqueror, or Safari).
+
+HTML_DYNAMIC_SECTIONS  = NO
+
+# If the GENERATE_HTMLHELP tag is set to YES, the CHM_FILE tag can 
+# be used to specify the file name of the resulting .chm file. You 
+# can add a path in front of the file if the result should not be 
+# written to the html output directory.
+
+CHM_FILE               = 
+
+# If the GENERATE_HTMLHELP tag is set to YES, the HHC_LOCATION tag can 
+# be used to specify the location (absolute path including file name) of 
+# the HTML help compiler (hhc.exe). If non-empty doxygen will try to run 
+# the HTML help compiler on the generated index.hhp.
+
+HHC_LOCATION           = 
+
+# If the GENERATE_HTMLHELP tag is set to YES, the GENERATE_CHI flag 
+# controls if a separate .chi index file is generated (YES) or that 
+# it should be included in the master .chm file (NO).
+
+GENERATE_CHI           = NO
+
+# If the GENERATE_HTMLHELP tag is set to YES, the CHM_INDEX_ENCODING
+# is used to encode HtmlHelp index (hhk), content (hhc) and project file
+# content.
+
+CHM_INDEX_ENCODING     = 
+
+# If the GENERATE_HTMLHELP tag is set to YES, the BINARY_TOC flag 
+# controls whether a binary table of contents is generated (YES) or a 
+# normal table of contents (NO) in the .chm file.
+
+BINARY_TOC             = NO
+
+# The TOC_EXPAND flag can be set to YES to add extra items for group members 
+# to the contents of the HTML help documentation and to the tree view.
+
+TOC_EXPAND             = NO
+
+# The DISABLE_INDEX tag can be used to turn on/off the condensed index at 
+# top of each HTML page. The value NO (the default) enables the index and 
+# the value YES disables it.
+
+DISABLE_INDEX          = YES
+
+# This tag can be used to set the number of enum values (range [1..20]) 
+# that doxygen will group on one line in the generated HTML documentation.
+
+ENUM_VALUES_PER_LINE   = 1
+
+# The GENERATE_TREEVIEW tag is used to specify whether a tree-like index
+# structure should be generated to display hierarchical information.
+# If the tag value is set to FRAME, a side panel will be generated
+# containing a tree-like index structure (just like the one that 
+# is generated for HTML Help). For this to work a browser that supports 
+# JavaScript, DHTML, CSS and frames is required (for instance Mozilla 1.0+, 
+# Netscape 6.0+, Internet explorer 5.0+, or Konqueror). Windows users are 
+# probably better off using the HTML help feature. Other possible values 
+# for this tag are: HIERARCHIES, which will generate the Groups, Directories,
+# and Class Hiererachy pages using a tree view instead of an ordered list;
+# ALL, which combines the behavior of FRAME and HIERARCHIES; and NONE, which
+# disables this behavior completely. For backwards compatibility with previous
+# releases of Doxygen, the values YES and NO are equivalent to FRAME and NONE
+# respectively.
+
+GENERATE_TREEVIEW      = YES
+
+# If the treeview is enabled (see GENERATE_TREEVIEW) then this tag can be 
+# used to set the initial width (in pixels) of the frame in which the tree 
+# is shown.
+
+TREEVIEW_WIDTH         = 250
+
+# Use this tag to change the font size of Latex formulas included 
+# as images in the HTML documentation. The default is 10. Note that 
+# when you change the font size after a successful doxygen run you need 
+# to manually remove any form_*.png images from the HTML output directory 
+# to force them to be regenerated.
+
+FORMULA_FONTSIZE       = 10
+
 #---------------------------------------------------------------------------
 # configuration options related to the LaTeX output
 #---------------------------------------------------------------------------
-GENERATE_LATEX = NO
-LATEX_OUTPUT = latex
-LATEX_CMD_NAME = latex
-MAKEINDEX_CMD_NAME = makeindex
-COMPACT_LATEX = NO
-PAPER_TYPE = a4wide
-EXTRA_PACKAGES = 
-LATEX_HEADER = 
-PDF_HYPERLINKS = NO
-USE_PDFLATEX = NO
-LATEX_BATCHMODE = NO
-LATEX_HIDE_INDICES = NO
+
+# If the GENERATE_LATEX tag is set to YES (the default) Doxygen will 
+# generate Latex output.
+
+GENERATE_LATEX         = NO
+
+# The LATEX_OUTPUT tag is used to specify where the LaTeX docs will be put. 
+# If a relative path is entered the value of OUTPUT_DIRECTORY will be 
+# put in front of it. If left blank `latex' will be used as the default path.
+
+LATEX_OUTPUT           = latex
+
+# The LATEX_CMD_NAME tag can be used to specify the LaTeX command name to be 
+# invoked. If left blank `latex' will be used as the default command name.
+
+LATEX_CMD_NAME         = latex
+
+# The MAKEINDEX_CMD_NAME tag can be used to specify the command name to 
+# generate index for LaTeX. If left blank `makeindex' will be used as the 
+# default command name.
+
+MAKEINDEX_CMD_NAME     = makeindex
+
+# If the COMPACT_LATEX tag is set to YES Doxygen generates more compact 
+# LaTeX documents. This may be useful for small projects and may help to 
+# save some trees in general.
+
+COMPACT_LATEX          = NO
+
+# The PAPER_TYPE tag can be used to set the paper type that is used 
+# by the printer. Possible values are: a4, a4wide, letter, legal and 
+# executive. If left blank a4wide will be used.
+
+PAPER_TYPE             = a4wide
+
+# The EXTRA_PACKAGES tag can be to specify one or more names of LaTeX 
+# packages that should be included in the LaTeX output.
+
+EXTRA_PACKAGES         = 
+
+# The LATEX_HEADER tag can be used to specify a personal LaTeX header for 
+# the generated latex document. The header should contain everything until 
+# the first chapter. If it is left blank doxygen will generate a 
+# standard header. Notice: only use this tag if you know what you are doing!
+
+LATEX_HEADER           = 
+
+# If the PDF_HYPERLINKS tag is set to YES, the LaTeX that is generated 
+# is prepared for conversion to pdf (using ps2pdf). The pdf file will 
+# contain links (just like the HTML output) instead of page references 
+# This makes the output suitable for online browsing using a pdf viewer.
+
+PDF_HYPERLINKS         = NO
+
+# If the USE_PDFLATEX tag is set to YES, pdflatex will be used instead of 
+# plain latex in the generated Makefile. Set this option to YES to get a 
+# higher quality PDF documentation.
+
+USE_PDFLATEX           = NO
+
+# If the LATEX_BATCHMODE tag is set to YES, doxygen will add the \\batchmode. 
+# command to the generated LaTeX files. This will instruct LaTeX to keep 
+# running if errors occur, instead of asking the user for help. 
+# This option is also used when generating formulas in HTML.
+
+LATEX_BATCHMODE        = NO
+
+# If LATEX_HIDE_INDICES is set to YES then doxygen will not 
+# include the index chapters (such as File Index, Compound Index, etc.) 
+# in the output.
+
+LATEX_HIDE_INDICES     = NO
+
 #---------------------------------------------------------------------------
 # configuration options related to the RTF output
 #---------------------------------------------------------------------------
-GENERATE_RTF = NO
-RTF_OUTPUT = rtf
-COMPACT_RTF = NO
-RTF_HYPERLINKS = NO
-RTF_STYLESHEET_FILE = 
-RTF_EXTENSIONS_FILE = 
+
+# If the GENERATE_RTF tag is set to YES Doxygen will generate RTF output 
+# The RTF output is optimized for Word 97 and may not look very pretty with 
+# other RTF readers or editors.
+
+GENERATE_RTF           = NO
+
+# The RTF_OUTPUT tag is used to specify where the RTF docs will be put. 
+# If a relative path is entered the value of OUTPUT_DIRECTORY will be 
+# put in front of it. If left blank `rtf' will be used as the default path.
+
+RTF_OUTPUT             = rtf
+
+# If the COMPACT_RTF tag is set to YES Doxygen generates more compact 
+# RTF documents. This may be useful for small projects and may help to 
+# save some trees in general.
+
+COMPACT_RTF            = NO
+
+# If the RTF_HYPERLINKS tag is set to YES, the RTF that is generated 
+# will contain hyperlink fields. The RTF file will 
+# contain links (just like the HTML output) instead of page references. 
+# This makes the output suitable for online browsing using WORD or other 
+# programs which support those fields. 
+# Note: wordpad (write) and others do not support links.
+
+RTF_HYPERLINKS         = NO
+
+# Load stylesheet definitions from file. Syntax is similar to doxygen's 
+# config file, i.e. a series of assignments. You only have to provide 
+# replacements, missing definitions are set to their default value.
+
+RTF_STYLESHEET_FILE    = 
+
+# Set optional variables used in the generation of an rtf document. 
+# Syntax is similar to doxygen's config file.
+
+RTF_EXTENSIONS_FILE    = 
+
 #---------------------------------------------------------------------------
 # configuration options related to the man page output
 #---------------------------------------------------------------------------
-GENERATE_MAN = NO
-MAN_OUTPUT = man
-MAN_EXTENSION = .3
-MAN_LINKS = YES
+
+# If the GENERATE_MAN tag is set to YES (the default) Doxygen will 
+# generate man pages
+
+GENERATE_MAN           = NO
+
+# The MAN_OUTPUT tag is used to specify where the man pages will be put. 
+# If a relative path is entered the value of OUTPUT_DIRECTORY will be 
+# put in front of it. If left blank `man' will be used as the default path.
+
+MAN_OUTPUT             = man
+
+# The MAN_EXTENSION tag determines the extension that is added to 
+# the generated man pages (default is the subroutine's section .3)
+
+MAN_EXTENSION          = .3
+
+# If the MAN_LINKS tag is set to YES and Doxygen generates man output, 
+# then it will generate one additional man file for each entity 
+# documented in the real man page(s). These additional files 
+# only source the real man page, but without them the man command 
+# would be unable to find the correct page. The default is NO.
+
+MAN_LINKS              = YES
+
 #---------------------------------------------------------------------------
 # configuration options related to the XML output
 #---------------------------------------------------------------------------
-GENERATE_XML = NO
-XML_OUTPUT = xml
-XML_SCHEMA = 
-XML_DTD = 
-XML_PROGRAMLISTING = YES
+
+# If the GENERATE_XML tag is set to YES Doxygen will 
+# generate an XML file that captures the structure of 
+# the code including all documentation.
+
+GENERATE_XML           = NO
+
+# The XML_OUTPUT tag is used to specify where the XML pages will be put. 
+# If a relative path is entered the value of OUTPUT_DIRECTORY will be 
+# put in front of it. If left blank `xml' will be used as the default path.
+
+XML_OUTPUT             = xml
+
+# The XML_SCHEMA tag can be used to specify an XML schema, 
+# which can be used by a validating XML parser to check the 
+# syntax of the XML files.
+
+XML_SCHEMA             = 
+
+# The XML_DTD tag can be used to specify an XML DTD, 
+# which can be used by a validating XML parser to check the 
+# syntax of the XML files.
+
+XML_DTD                = 
+
+# If the XML_PROGRAMLISTING tag is set to YES Doxygen will 
+# dump the program listings (including syntax highlighting 
+# and cross-referencing information) to the XML output. Note that 
+# enabling this will significantly increase the size of the XML output.
+
+XML_PROGRAMLISTING     = YES
+
 #---------------------------------------------------------------------------
 # configuration options for the AutoGen Definitions output
 #---------------------------------------------------------------------------
-GENERATE_AUTOGEN_DEF = NO
+
+# If the GENERATE_AUTOGEN_DEF tag is set to YES Doxygen will 
+# generate an AutoGen Definitions (see autogen.sf.net) file 
+# that captures the structure of the code including all 
+# documentation. Note that this feature is still experimental 
+# and incomplete at the moment.
+
+GENERATE_AUTOGEN_DEF   = NO
+
 #---------------------------------------------------------------------------
 # configuration options related to the Perl module output
 #---------------------------------------------------------------------------
-GENERATE_PERLMOD = NO
-PERLMOD_LATEX = NO
-PERLMOD_PRETTY = YES
+
+# If the GENERATE_PERLMOD tag is set to YES Doxygen will 
+# generate a Perl module file that captures the structure of 
+# the code including all documentation. Note that this 
+# feature is still experimental and incomplete at the 
+# moment.
+
+GENERATE_PERLMOD       = NO
+
+# If the PERLMOD_LATEX tag is set to YES Doxygen will generate 
+# the necessary Makefile rules, Perl scripts and LaTeX code to be able 
+# to generate PDF and DVI output from the Perl module output.
+
+PERLMOD_LATEX          = NO
+
+# If the PERLMOD_PRETTY tag is set to YES the Perl module output will be 
+# nicely formatted so it can be parsed by a human reader.  This is useful 
+# if you want to understand what is going on.  On the other hand, if this 
+# tag is set to NO the size of the Perl module output will be much smaller 
+# and Perl will parse it just the same.
+
+PERLMOD_PRETTY         = YES
+
+# The names of the make variables in the generated doxyrules.make file 
+# are prefixed with the string contained in PERLMOD_MAKEVAR_PREFIX. 
+# This is useful so different doxyrules.make files included by the same 
+# Makefile don't overwrite each other's variables.
+
 PERLMOD_MAKEVAR_PREFIX = 
+
 #---------------------------------------------------------------------------
 # Configuration options related to the preprocessor   
 #---------------------------------------------------------------------------
-ENABLE_PREPROCESSING = YES
-MACRO_EXPANSION = YES
-EXPAND_ONLY_PREDEF = NO
-SEARCH_INCLUDES = YES
-INCLUDE_PATH = 
-INCLUDE_FILE_PATTERNS = 
-PREDEFINED = LEAK_DETECTIVE
-EXPAND_AS_DEFINED = 
-SKIP_FUNCTION_MACROS = YES
+
+# If the ENABLE_PREPROCESSING tag is set to YES (the default) Doxygen will 
+# evaluate all C-preprocessor directives found in the sources and include 
+# files.
+
+ENABLE_PREPROCESSING   = YES
+
+# If the MACRO_EXPANSION tag is set to YES Doxygen will expand all macro 
+# names in the source code. If set to NO (the default) only conditional 
+# compilation will be performed. Macro expansion can be done in a controlled 
+# way by setting EXPAND_ONLY_PREDEF to YES.
+
+MACRO_EXPANSION        = YES
+
+# If the EXPAND_ONLY_PREDEF and MACRO_EXPANSION tags are both set to YES 
+# then the macro expansion is limited to the macros specified with the 
+# PREDEFINED and EXPAND_AS_DEFINED tags.
+
+EXPAND_ONLY_PREDEF     = NO
+
+# If the SEARCH_INCLUDES tag is set to YES (the default) the includes files 
+# in the INCLUDE_PATH (see below) will be search if a #include is found.
+
+SEARCH_INCLUDES        = YES
+
+# The INCLUDE_PATH tag can be used to specify one or more directories that 
+# contain include files that are not input files but should be processed by 
+# the preprocessor.
+
+INCLUDE_PATH           = 
+
+# You can use the INCLUDE_FILE_PATTERNS tag to specify one or more wildcard 
+# patterns (like *.h and *.hpp) to filter out the header-files in the 
+# directories. If left blank, the patterns specified with FILE_PATTERNS will 
+# be used.
+
+INCLUDE_FILE_PATTERNS  = 
+
+# The PREDEFINED tag can be used to specify one or more macro names that 
+# are defined before the preprocessor is started (similar to the -D option of 
+# gcc). The argument of the tag is a list of macros of the form: name 
+# or name=definition (no spaces). If the definition and the = are 
+# omitted =1 is assumed. To prevent a macro definition from being 
+# undefined via #undef or recursively expanded use the := operator 
+# instead of the = operator.
+
+PREDEFINED             = LEAK_DETECTIVE
+
+# If the MACRO_EXPANSION and EXPAND_ONLY_PREDEF tags are set to YES then 
+# this tag can be used to specify a list of macro names that should be expanded. 
+# The macro definition that is found in the sources will be used. 
+# Use the PREDEFINED tag if you want to use a different macro definition.
+
+EXPAND_AS_DEFINED      = 
+
+# If the SKIP_FUNCTION_MACROS tag is set to YES (the default) then 
+# doxygen's preprocessor will remove all function-like macros that are alone 
+# on a line, have an all uppercase name, and do not end with a semicolon. Such 
+# function macros are typically used for boiler-plate code, and will confuse 
+# the parser if not removed.
+
+SKIP_FUNCTION_MACROS   = YES
+
 #---------------------------------------------------------------------------
 # Configuration::additions related to external references   
 #---------------------------------------------------------------------------
-TAGFILES = 
-GENERATE_TAGFILE = 
-ALLEXTERNALS = NO
-EXTERNAL_GROUPS = YES
-PERL_PATH = /usr/bin/perl
+
+# The TAGFILES option can be used to specify one or more tagfiles. 
+# Optionally an initial location of the external documentation 
+# can be added for each tagfile. The format of a tag file without 
+# this location is as follows: 
+#   TAGFILES = file1 file2 ... 
+# Adding location for the tag files is done as follows: 
+#   TAGFILES = file1=loc1 "file2 = loc2" ... 
+# where "loc1" and "loc2" can be relative or absolute paths or 
+# URLs. If a location is present for each tag, the installdox tool 
+# does not have to be run to correct the links.
+# Note that each tag file must have a unique name
+# (where the name does NOT include the path)
+# If a tag file is not located in the directory in which doxygen 
+# is run, you must also specify the path to the tagfile here.
+
+TAGFILES               = 
+
+# When a file name is specified after GENERATE_TAGFILE, doxygen will create 
+# a tag file that is based on the input files it reads.
+
+GENERATE_TAGFILE       = 
+
+# If the ALLEXTERNALS tag is set to YES all external classes will be listed 
+# in the class index. If set to NO only the inherited external classes 
+# will be listed.
+
+ALLEXTERNALS           = NO
+
+# If the EXTERNAL_GROUPS tag is set to YES all external groups will be listed 
+# in the modules index. If set to NO, only the current project's groups will 
+# be listed.
+
+EXTERNAL_GROUPS        = YES
+
+# The PERL_PATH should be the absolute path and name of the perl script 
+# interpreter (i.e. the result of `which perl').
+
+PERL_PATH              = /usr/bin/perl
+
 #---------------------------------------------------------------------------
 # Configuration options related to the dot tool   
 #---------------------------------------------------------------------------
-CLASS_DIAGRAMS = YES
-HIDE_UNDOC_RELATIONS = YES
-HAVE_DOT = NO
-CLASS_GRAPH = YES
-COLLABORATION_GRAPH = YES
-GROUP_GRAPHS = YES
-UML_LOOK = NO
-TEMPLATE_RELATIONS = NO
-INCLUDE_GRAPH = YES
-INCLUDED_BY_GRAPH = YES
-CALL_GRAPH = NO
-GRAPHICAL_HIERARCHY = YES
-DIRECTORY_GRAPH = YES
-DOT_IMAGE_FORMAT = png
-DOT_PATH = 
-DOTFILE_DIRS = 
-MAX_DOT_GRAPH_WIDTH = 1024
-MAX_DOT_GRAPH_HEIGHT = 1024
-MAX_DOT_GRAPH_DEPTH = 0
-DOT_TRANSPARENT = NO
-DOT_MULTI_TARGETS = NO
-GENERATE_LEGEND = YES
-DOT_CLEANUP = YES
+
+# If the CLASS_DIAGRAMS tag is set to YES (the default) Doxygen will 
+# generate a inheritance diagram (in HTML, RTF and LaTeX) for classes with base 
+# or super classes. Setting the tag to NO turns the diagrams off. Note that 
+# this option is superseded by the HAVE_DOT option below. This is only a 
+# fallback. It is recommended to install and use dot, since it yields more 
+# powerful graphs.
+
+CLASS_DIAGRAMS         = YES
+
+# You can define message sequence charts within doxygen comments using the \msc 
+# command. Doxygen will then run the mscgen tool (see 
+# http://www.mcternan.me.uk/mscgen/) to produce the chart and insert it in the 
+# documentation. The MSCGEN_PATH tag allows you to specify the directory where 
+# the mscgen tool resides. If left empty the tool is assumed to be found in the 
+# default search path.
+
+MSCGEN_PATH            = 
+
+# If set to YES, the inheritance and collaboration graphs will hide 
+# inheritance and usage relations if the target is undocumented 
+# or is not a class.
+
+HIDE_UNDOC_RELATIONS   = YES
+
+# If you set the HAVE_DOT tag to YES then doxygen will assume the dot tool is 
+# available from the path. This tool is part of Graphviz, a graph visualization 
+# toolkit from AT&T and Lucent Bell Labs. The other options in this section 
+# have no effect if this option is set to NO (the default)
+
+HAVE_DOT               = NO
+
+# By default doxygen will write a font called FreeSans.ttf to the output 
+# directory and reference it in all dot files that doxygen generates. This 
+# font does not include all possible unicode characters however, so when you need 
+# these (or just want a differently looking font) you can specify the font name 
+# using DOT_FONTNAME. You need need to make sure dot is able to find the font, 
+# which can be done by putting it in a standard location or by setting the 
+# DOTFONTPATH environment variable or by setting DOT_FONTPATH to the directory 
+# containing the font.
+
+DOT_FONTNAME           = FreeSans
+
+# By default doxygen will tell dot to use the output directory to look for the 
+# FreeSans.ttf font (which doxygen will put there itself). If you specify a 
+# different font using DOT_FONTNAME you can set the path where dot 
+# can find it using this tag.
+
+DOT_FONTPATH           = 
+
+# If the CLASS_GRAPH and HAVE_DOT tags are set to YES then doxygen 
+# will generate a graph for each documented class showing the direct and 
+# indirect inheritance relations. Setting this tag to YES will force the 
+# the CLASS_DIAGRAMS tag to NO.
+
+CLASS_GRAPH            = YES
+
+# If the COLLABORATION_GRAPH and HAVE_DOT tags are set to YES then doxygen 
+# will generate a graph for each documented class showing the direct and 
+# indirect implementation dependencies (inheritance, containment, and 
+# class references variables) of the class with other documented classes.
+
+COLLABORATION_GRAPH    = YES
+
+# If the GROUP_GRAPHS and HAVE_DOT tags are set to YES then doxygen 
+# will generate a graph for groups, showing the direct groups dependencies
+
+GROUP_GRAPHS           = YES
+
+# If the UML_LOOK tag is set to YES doxygen will generate inheritance and 
+# collaboration diagrams in a style similar to the OMG's Unified Modeling 
+# Language.
+
+UML_LOOK               = NO
+
+# If set to YES, the inheritance and collaboration graphs will show the 
+# relations between templates and their instances.
+
+TEMPLATE_RELATIONS     = NO
+
+# If the ENABLE_PREPROCESSING, SEARCH_INCLUDES, INCLUDE_GRAPH, and HAVE_DOT 
+# tags are set to YES then doxygen will generate a graph for each documented 
+# file showing the direct and indirect include dependencies of the file with 
+# other documented files.
+
+INCLUDE_GRAPH          = YES
+
+# If the ENABLE_PREPROCESSING, SEARCH_INCLUDES, INCLUDED_BY_GRAPH, and 
+# HAVE_DOT tags are set to YES then doxygen will generate a graph for each 
+# documented header file showing the documented files that directly or 
+# indirectly include this file.
+
+INCLUDED_BY_GRAPH      = YES
+
+# If the CALL_GRAPH and HAVE_DOT options are set to YES then 
+# doxygen will generate a call dependency graph for every global function 
+# or class method. Note that enabling this option will significantly increase 
+# the time of a run. So in most cases it will be better to enable call graphs 
+# for selected functions only using the \callgraph command.
+
+CALL_GRAPH             = NO
+
+# If the CALLER_GRAPH and HAVE_DOT tags are set to YES then 
+# doxygen will generate a caller dependency graph for every global function 
+# or class method. Note that enabling this option will significantly increase 
+# the time of a run. So in most cases it will be better to enable caller 
+# graphs for selected functions only using the \callergraph command.
+
+CALLER_GRAPH           = NO
+
+# If the GRAPHICAL_HIERARCHY and HAVE_DOT tags are set to YES then doxygen 
+# will graphical hierarchy of all classes instead of a textual one.
+
+GRAPHICAL_HIERARCHY    = YES
+
+# If the DIRECTORY_GRAPH, SHOW_DIRECTORIES and HAVE_DOT tags are set to YES 
+# then doxygen will show the dependencies a directory has on other directories 
+# in a graphical way. The dependency relations are determined by the #include
+# relations between the files in the directories.
+
+DIRECTORY_GRAPH        = YES
+
+# The DOT_IMAGE_FORMAT tag can be used to set the image format of the images 
+# generated by dot. Possible values are png, jpg, or gif
+# If left blank png will be used.
+
+DOT_IMAGE_FORMAT       = png
+
+# The tag DOT_PATH can be used to specify the path where the dot tool can be 
+# found. If left blank, it is assumed the dot tool can be found in the path.
+
+DOT_PATH               = 
+
+# The DOTFILE_DIRS tag can be used to specify one or more directories that 
+# contain dot files that are included in the documentation (see the 
+# \dotfile command).
+
+DOTFILE_DIRS           = 
+
+# The DOT_GRAPH_MAX_NODES tag can be used to set the maximum number of 
+# nodes that will be shown in the graph. If the number of nodes in a graph 
+# becomes larger than this value, doxygen will truncate the graph, which is 
+# visualized by representing a node as a red box. Note that doxygen if the 
+# number of direct children of the root node in a graph is already larger than 
+# DOT_GRAPH_MAX_NODES then the graph will not be shown at all. Also note 
+# that the size of a graph can be further restricted by MAX_DOT_GRAPH_DEPTH.
+
+DOT_GRAPH_MAX_NODES    = 50
+
+# The MAX_DOT_GRAPH_DEPTH tag can be used to set the maximum depth of the 
+# graphs generated by dot. A depth value of 3 means that only nodes reachable 
+# from the root by following a path via at most 3 edges will be shown. Nodes 
+# that lay further from the root node will be omitted. Note that setting this 
+# option to 1 or 2 may greatly reduce the computation time needed for large 
+# code bases. Also note that the size of a graph can be further restricted by 
+# DOT_GRAPH_MAX_NODES. Using a depth of 0 means no depth restriction.
+
+MAX_DOT_GRAPH_DEPTH    = 0
+
+# Set the DOT_TRANSPARENT tag to YES to generate images with a transparent 
+# background. This is enabled by default, which results in a transparent 
+# background. Warning: Depending on the platform used, enabling this option 
+# may lead to badly anti-aliased labels on the edges of a graph (i.e. they 
+# become hard to read).
+
+DOT_TRANSPARENT        = NO
+
+# Set the DOT_MULTI_TARGETS tag to YES allow dot to generate multiple output 
+# files in one run (i.e. multiple -o and -T options on the command line). This 
+# makes dot run faster, but since only newer versions of dot (>1.8.10) 
+# support this, this feature is disabled by default.
+
+DOT_MULTI_TARGETS      = NO
+
+# If the GENERATE_LEGEND tag is set to YES (the default) Doxygen will 
+# generate a legend page explaining the meaning of the various boxes and 
+# arrows in the dot generated graphs.
+
+GENERATE_LEGEND        = YES
+
+# If the DOT_CLEANUP tag is set to YES (the default) Doxygen will 
+# remove the intermediate dot files that are used to generate 
+# the various graphs.
+
+DOT_CLEANUP            = YES
+
 #---------------------------------------------------------------------------
 # Configuration::additions related to the search engine   
 #---------------------------------------------------------------------------
-SEARCHENGINE = NO
+
+# The SEARCHENGINE tag specifies whether or not a search engine should be 
+# used. If set to NO the values of all tags below this one will be ignored.
+
+SEARCHENGINE           = NO
diff --git a/Makefile.am b/Makefile.am
index e6a73e996..b8c380cb3 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -2,6 +2,8 @@ SUBDIRS = src testing scripts
 EXTRA_DIST = Doxyfile.in CREDITS
 CLEANFILES = apidoc Doxyfile
 
+ACLOCAL_AMFLAGS = -I m4
+
 Doxyfile :	Doxyfile.in
 		sed \
 		-e "s:\@PACKAGE_VERSION\@:$(PACKAGE_VERSION):" \
diff --git a/Makefile.in b/Makefile.in
index dfe5a2eca..5d298a7ee 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -208,6 +208,7 @@ xml_LIBS = @xml_LIBS@
 SUBDIRS = src testing scripts
 EXTRA_DIST = Doxyfile.in CREDITS
 CLEANFILES = apidoc Doxyfile
+ACLOCAL_AMFLAGS = -I m4
 all: all-recursive
 
 .SUFFIXES:
diff --git a/NEWS b/NEWS
index 4709b07df..83308c772 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,29 @@
+strongswan-4.2.14
+-----------------
+
+- The new server-side EAP RADIUS plugin (--enable-eap-radius)
+  relays EAP messages to and from a RADIUS server. Succesfully
+  tested with with a freeradius server using EAP-MD5 and EAP-SIM.
+
+- A vulnerability in the Dead Peer Detection (RFC 3706) code was found by
+  Gerd v. Egidy <gerd.von.egidy@intra2net.com> of Intra2net AG affecting
+  all Openswan and strongSwan releases. A malicious (or expired ISAKMP)
+  R_U_THERE or R_U_THERE_ACK Dead Peer Detection packet can cause the
+  pluto IKE daemon to crash and restart. No authentication or encryption
+  is required to trigger this bug. One spoofed UDP packet can cause the
+  pluto IKE daemon to restart and be unresponsive for a few seconds while
+  restarting. This DPD null state vulnerability has been officially
+  registered as CVE-2009-0790 and is fixed by this release.
+
+- ASN.1 to time_t conversion caused a time wrap-around for
+  dates after Jan 18 03:14:07 UTC 2038 on 32-bit platforms.
+  As a workaround such dates are set to the maximum representable
+  time, i.e. Jan 19 03:14:07 UTC 2038.
+
+- Distinguished Names containing wildcards (*) are not sent in the
+  IDr payload anymore. 
+
+
 strongswan-4.2.13
 -----------------
 
diff --git a/configure b/configure
index 59692f4a3..b3e1792e3 100755
--- a/configure
+++ b/configure
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.61 for strongSwan 4.2.13.
+# Generated by GNU Autoconf 2.61 for strongSwan 4.2.14.
 #
 # Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
 # 2002, 2003, 2004, 2005, 2006 Free Software Foundation, Inc.
@@ -721,8 +721,8 @@ SHELL=${CONFIG_SHELL-/bin/sh}
 # Identity of this package.
 PACKAGE_NAME='strongSwan'
 PACKAGE_TARNAME='strongswan'
-PACKAGE_VERSION='4.2.13'
-PACKAGE_STRING='strongSwan 4.2.13'
+PACKAGE_VERSION='4.2.14'
+PACKAGE_STRING='strongSwan 4.2.14'
 PACKAGE_BUGREPORT=''
 
 # Factoring default headers for most tests.
@@ -965,6 +965,8 @@ USE_EAP_AKA_TRUE
 USE_EAP_AKA_FALSE
 USE_EAP_MSCHAPV2_TRUE
 USE_EAP_MSCHAPV2_FALSE
+USE_EAP_RADIUS_TRUE
+USE_EAP_RADIUS_FALSE
 USE_KERNEL_NETLINK_TRUE
 USE_KERNEL_NETLINK_FALSE
 USE_KERNEL_PFKEY_TRUE
@@ -1536,7 +1538,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures strongSwan 4.2.13 to adapt to many kinds of systems.
+\`configure' configures strongSwan 4.2.14 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1606,7 +1608,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of strongSwan 4.2.13:";;
+     short | recursive ) echo "Configuration of strongSwan 4.2.14:";;
    esac
   cat <<\_ACEOF
 
@@ -1682,6 +1684,8 @@ Optional Features:
                           NO).
   --enable-eap-mschapv2   build MS-CHAPv2 authenication module for EAP
                           (default is NO).
+  --enable-eap-radius     build RADIUS proxy authenication module for EAP
+                          (default is NO).
   --disable-kernel-netlink
                           disable the netlink kernel interface. (default is
                           NO).
@@ -1856,7 +1860,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-strongSwan configure 4.2.13
+strongSwan configure 4.2.14
 generated by GNU Autoconf 2.61
 
 Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
@@ -1870,7 +1874,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by strongSwan $as_me 4.2.13, which was
+It was created by strongSwan $as_me 4.2.14, which was
 generated by GNU Autoconf 2.61.  Invocation command line was
 
   $ $0 $@
@@ -2560,7 +2564,7 @@ fi
 
 # Define the identity of the package.
  PACKAGE='strongswan'
- VERSION='4.2.13'
+ VERSION='4.2.14'
 
 
 cat >>confdefs.h <<_ACEOF
@@ -2787,6 +2791,7 @@ echo "${ECHO_T}$am_cv_prog_tar_ustar" >&6; }
 
 
 
+
 DEPDIR="${am__leading_dot}deps"
 
 ac_config_commands="$ac_config_commands depfiles"
@@ -5480,6 +5485,15 @@ if test "${enable_eap_mschapv2+set}" = set; then
 fi
 
 
+# Check whether --enable-eap-radius was given.
+if test "${enable_eap_radius+set}" = set; then
+  enableval=$enable_eap_radius; if test x$enableval = xyes; then
+		eap_radius=true
+	fi
+
+fi
+
+
 # Check whether --enable-kernel-netlink was given.
 if test "${enable_kernel_netlink+set}" = set; then
   enableval=$enable_kernel_netlink; if test x$enableval = xyes; then
@@ -6398,13 +6412,13 @@ if test "${lt_cv_nm_interface+set}" = set; then
 else
   lt_cv_nm_interface="BSD nm"
   echo "int some_variable = 0;" > conftest.$ac_ext
-  (eval echo "\"\$as_me:6401: $ac_compile\"" >&5)
+  (eval echo "\"\$as_me:6415: $ac_compile\"" >&5)
   (eval "$ac_compile" 2>conftest.err)
   cat conftest.err >&5
-  (eval echo "\"\$as_me:6404: $NM \\\"conftest.$ac_objext\\\"\"" >&5)
+  (eval echo "\"\$as_me:6418: $NM \\\"conftest.$ac_objext\\\"\"" >&5)
   (eval "$NM \"conftest.$ac_objext\"" 2>conftest.err > conftest.out)
   cat conftest.err >&5
-  (eval echo "\"\$as_me:6407: output\"" >&5)
+  (eval echo "\"\$as_me:6421: output\"" >&5)
   cat conftest.out >&5
   if $GREP 'External.*some_variable' conftest.out > /dev/null; then
     lt_cv_nm_interface="MS dumpbin"
@@ -7514,7 +7528,7 @@ ia64-*-hpux*)
   ;;
 *-*-irix6*)
   # Find out which ABI we are using.
-  echo '#line 7517 "configure"' > conftest.$ac_ext
+  echo '#line 7531 "configure"' > conftest.$ac_ext
   if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
   (eval $ac_compile) 2>&5
   ac_status=$?
@@ -8887,11 +8901,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:8890: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:8904: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:8894: \$? = $ac_status" >&5
+   echo "$as_me:8908: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -9211,11 +9225,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:9214: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:9228: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:9218: \$? = $ac_status" >&5
+   echo "$as_me:9232: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -9316,11 +9330,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:9319: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:9333: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:9323: \$? = $ac_status" >&5
+   echo "$as_me:9337: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -9371,11 +9385,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:9374: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:9388: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:9378: \$? = $ac_status" >&5
+   echo "$as_me:9392: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -12132,7 +12146,7 @@ else
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext <<_LT_EOF
-#line 12135 "configure"
+#line 12149 "configure"
 #include "confdefs.h"
 
 #if HAVE_DLFCN_H
@@ -12232,7 +12246,7 @@ else
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext <<_LT_EOF
-#line 12235 "configure"
+#line 12249 "configure"
 #include "confdefs.h"
 
 #if HAVE_DLFCN_H
@@ -17077,6 +17091,14 @@ else
   USE_EAP_MSCHAPV2_FALSE=
 fi
 
+ if test x$eap_radius = xtrue; then
+  USE_EAP_RADIUS_TRUE=
+  USE_EAP_RADIUS_FALSE='#'
+else
+  USE_EAP_RADIUS_TRUE='#'
+  USE_EAP_RADIUS_FALSE=
+fi
+
  if test x$kernel_netlink = xtrue; then
   USE_KERNEL_NETLINK_TRUE=
   USE_KERNEL_NETLINK_FALSE='#'
@@ -17286,7 +17308,7 @@ _ACEOF
 fi
 
 
-ac_config_files="$ac_config_files Makefile src/Makefile src/include/Makefile src/libstrongswan/Makefile src/libstrongswan/plugins/aes/Makefile src/libstrongswan/plugins/des/Makefile src/libstrongswan/plugins/md4/Makefile src/libstrongswan/plugins/md5/Makefile src/libstrongswan/plugins/sha1/Makefile src/libstrongswan/plugins/sha2/Makefile src/libstrongswan/plugins/fips_prf/Makefile src/libstrongswan/plugins/gmp/Makefile src/libstrongswan/plugins/random/Makefile src/libstrongswan/plugins/hmac/Makefile src/libstrongswan/plugins/xcbc/Makefile src/libstrongswan/plugins/x509/Makefile src/libstrongswan/plugins/pubkey/Makefile src/libstrongswan/plugins/curl/Makefile src/libstrongswan/plugins/ldap/Makefile src/libstrongswan/plugins/mysql/Makefile src/libstrongswan/plugins/sqlite/Makefile src/libstrongswan/plugins/padlock/Makefile src/libstrongswan/plugins/openssl/Makefile src/libstrongswan/plugins/agent/Makefile src/libstrongswan/fips/Makefile src/libcrypto/Makefile src/libfreeswan/Makefile src/pluto/Makefile src/whack/Makefile src/charon/Makefile src/charon/plugins/eap_aka/Makefile src/charon/plugins/eap_identity/Makefile src/charon/plugins/eap_md5/Makefile src/charon/plugins/eap_gtc/Makefile src/charon/plugins/eap_sim/Makefile src/charon/plugins/eap_sim_file/Makefile src/charon/plugins/eap_mschapv2/Makefile src/charon/plugins/kernel_netlink/Makefile src/charon/plugins/kernel_pfkey/Makefile src/charon/plugins/kernel_klips/Makefile src/charon/plugins/smp/Makefile src/charon/plugins/sql/Makefile src/charon/plugins/medsrv/Makefile src/charon/plugins/medcli/Makefile src/charon/plugins/nm/Makefile src/charon/plugins/uci/Makefile src/charon/plugins/stroke/Makefile src/charon/plugins/updown/Makefile src/charon/plugins/unit_tester/Makefile src/charon/plugins/load_tester/Makefile src/stroke/Makefile src/ipsec/Makefile src/starter/Makefile src/_updown/Makefile src/_updown_espmark/Makefile src/_copyright/Makefile src/openac/Makefile src/scepclient/Makefile src/dumm/Makefile src/libfast/Makefile src/manager/Makefile src/medsrv/Makefile scripts/Makefile testing/Makefile"
+ac_config_files="$ac_config_files Makefile src/Makefile src/include/Makefile src/libstrongswan/Makefile src/libstrongswan/plugins/aes/Makefile src/libstrongswan/plugins/des/Makefile src/libstrongswan/plugins/md4/Makefile src/libstrongswan/plugins/md5/Makefile src/libstrongswan/plugins/sha1/Makefile src/libstrongswan/plugins/sha2/Makefile src/libstrongswan/plugins/fips_prf/Makefile src/libstrongswan/plugins/gmp/Makefile src/libstrongswan/plugins/random/Makefile src/libstrongswan/plugins/hmac/Makefile src/libstrongswan/plugins/xcbc/Makefile src/libstrongswan/plugins/x509/Makefile src/libstrongswan/plugins/pubkey/Makefile src/libstrongswan/plugins/curl/Makefile src/libstrongswan/plugins/ldap/Makefile src/libstrongswan/plugins/mysql/Makefile src/libstrongswan/plugins/sqlite/Makefile src/libstrongswan/plugins/padlock/Makefile src/libstrongswan/plugins/openssl/Makefile src/libstrongswan/plugins/agent/Makefile src/libstrongswan/fips/Makefile src/libcrypto/Makefile src/libfreeswan/Makefile src/pluto/Makefile src/whack/Makefile src/charon/Makefile src/charon/plugins/eap_aka/Makefile src/charon/plugins/eap_identity/Makefile src/charon/plugins/eap_md5/Makefile src/charon/plugins/eap_gtc/Makefile src/charon/plugins/eap_sim/Makefile src/charon/plugins/eap_sim_file/Makefile src/charon/plugins/eap_mschapv2/Makefile src/charon/plugins/eap_radius/Makefile src/charon/plugins/kernel_netlink/Makefile src/charon/plugins/kernel_pfkey/Makefile src/charon/plugins/kernel_klips/Makefile src/charon/plugins/smp/Makefile src/charon/plugins/sql/Makefile src/charon/plugins/medsrv/Makefile src/charon/plugins/medcli/Makefile src/charon/plugins/nm/Makefile src/charon/plugins/uci/Makefile src/charon/plugins/stroke/Makefile src/charon/plugins/updown/Makefile src/charon/plugins/unit_tester/Makefile src/charon/plugins/load_tester/Makefile src/stroke/Makefile src/ipsec/Makefile src/starter/Makefile src/_updown/Makefile src/_updown_espmark/Makefile src/_copyright/Makefile src/openac/Makefile src/scepclient/Makefile src/dumm/Makefile src/libfast/Makefile src/manager/Makefile src/medsrv/Makefile scripts/Makefile testing/Makefile"
 
 cat >confcache <<\_ACEOF
 # This file is a shell script that caches the results of configure
@@ -17694,6 +17716,13 @@ echo "$as_me: error: conditional \"USE_EAP_MSCHAPV2\" was never defined.
 Usually this means the macro was only invoked conditionally." >&2;}
    { (exit 1); exit 1; }; }
 fi
+if test -z "${USE_EAP_RADIUS_TRUE}" && test -z "${USE_EAP_RADIUS_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"USE_EAP_RADIUS\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"USE_EAP_RADIUS\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
+fi
 if test -z "${USE_KERNEL_NETLINK_TRUE}" && test -z "${USE_KERNEL_NETLINK_FALSE}"; then
   { { echo "$as_me:$LINENO: error: conditional \"USE_KERNEL_NETLINK\" was never defined.
 Usually this means the macro was only invoked conditionally." >&5
@@ -18162,7 +18191,7 @@ exec 6>&1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by strongSwan $as_me 4.2.13, which was
+This file was extended by strongSwan $as_me 4.2.14, which was
 generated by GNU Autoconf 2.61.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -18209,7 +18238,7 @@ Report bugs to <bug-autoconf@gnu.org>."
 _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF
 ac_cs_version="\\
-strongSwan config.status 4.2.13
+strongSwan config.status 4.2.14
 configured by $0, generated by GNU Autoconf 2.61,
   with options \\"`echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`\\"
 
@@ -18606,6 +18635,7 @@ do
     "src/charon/plugins/eap_sim/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/eap_sim/Makefile" ;;
     "src/charon/plugins/eap_sim_file/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/eap_sim_file/Makefile" ;;
     "src/charon/plugins/eap_mschapv2/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/eap_mschapv2/Makefile" ;;
+    "src/charon/plugins/eap_radius/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/eap_radius/Makefile" ;;
     "src/charon/plugins/kernel_netlink/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/kernel_netlink/Makefile" ;;
     "src/charon/plugins/kernel_pfkey/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/kernel_pfkey/Makefile" ;;
     "src/charon/plugins/kernel_klips/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/kernel_klips/Makefile" ;;
@@ -18980,6 +19010,8 @@ USE_EAP_AKA_TRUE!$USE_EAP_AKA_TRUE$ac_delim
 USE_EAP_AKA_FALSE!$USE_EAP_AKA_FALSE$ac_delim
 USE_EAP_MSCHAPV2_TRUE!$USE_EAP_MSCHAPV2_TRUE$ac_delim
 USE_EAP_MSCHAPV2_FALSE!$USE_EAP_MSCHAPV2_FALSE$ac_delim
+USE_EAP_RADIUS_TRUE!$USE_EAP_RADIUS_TRUE$ac_delim
+USE_EAP_RADIUS_FALSE!$USE_EAP_RADIUS_FALSE$ac_delim
 USE_KERNEL_NETLINK_TRUE!$USE_KERNEL_NETLINK_TRUE$ac_delim
 USE_KERNEL_NETLINK_FALSE!$USE_KERNEL_NETLINK_FALSE$ac_delim
 USE_KERNEL_PFKEY_TRUE!$USE_KERNEL_PFKEY_TRUE$ac_delim
@@ -19032,7 +19064,7 @@ LIBOBJS!$LIBOBJS$ac_delim
 LTLIBOBJS!$LTLIBOBJS$ac_delim
 _ACEOF
 
-  if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 60; then
+  if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 62; then
     break
   elif $ac_last_try; then
     { { echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5
diff --git a/configure.in b/configure.in
index 81909c078..e5b3f76e2 100644
--- a/configure.in
+++ b/configure.in
@@ -16,8 +16,9 @@ dnl ===========================
 dnl  initialize & set some vars
 dnl ===========================
 
-AC_INIT(strongSwan,4.2.13)
+AC_INIT(strongSwan,4.2.14)
 AM_INIT_AUTOMAKE(tar-ustar)
+AC_CONFIG_MACRO_DIR([m4])
 AC_C_BIGENDIAN
 AC_SUBST(confdir, '${sysconfdir}')
 PKG_PROG_PKG_CONFIG
@@ -465,6 +466,14 @@ AC_ARG_ENABLE(
 	fi]
 )
 
+AC_ARG_ENABLE(
+	[eap-radius],
+	AS_HELP_STRING([--enable-eap-radius],[build RADIUS proxy authenication module for EAP (default is NO).]),
+	[if test x$enableval = xyes; then
+		eap_radius=true
+	fi]
+)
+
 AC_ARG_ENABLE(
 	[kernel-netlink],
 	AS_HELP_STRING([--disable-kernel-netlink],[disable the netlink kernel interface. (default is NO).]),
@@ -963,6 +972,7 @@ AM_CONDITIONAL(USE_EAP_MD5, test x$eap_md5 = xtrue)
 AM_CONDITIONAL(USE_EAP_GTC, test x$eap_gtc = xtrue)
 AM_CONDITIONAL(USE_EAP_AKA, test x$eap_aka = xtrue)
 AM_CONDITIONAL(USE_EAP_MSCHAPV2, test x$eap_mschapv2 = xtrue)
+AM_CONDITIONAL(USE_EAP_RADIUS, test x$eap_radius = xtrue)
 AM_CONDITIONAL(USE_KERNEL_NETLINK, test x$kernel_netlink = xtrue)
 AM_CONDITIONAL(USE_KERNEL_PFKEY, test x$kernel_pfkey = xtrue)
 AM_CONDITIONAL(USE_KERNEL_KLIPS, test x$kernel_klips = xtrue)
@@ -1044,6 +1054,7 @@ AC_OUTPUT(
 	src/charon/plugins/eap_sim/Makefile
 	src/charon/plugins/eap_sim_file/Makefile
 	src/charon/plugins/eap_mschapv2/Makefile
+	src/charon/plugins/eap_radius/Makefile
 	src/charon/plugins/kernel_netlink/Makefile
 	src/charon/plugins/kernel_pfkey/Makefile
 	src/charon/plugins/kernel_klips/Makefile
diff --git a/src/charon/Makefile.am b/src/charon/Makefile.am
index 3393b4516..9da2b238a 100644
--- a/src/charon/Makefile.am
+++ b/src/charon/Makefile.am
@@ -221,6 +221,11 @@ if USE_EAP_MSCHAPV2
   PLUGINS += eapmschapv2
 endif
 
+if USE_EAP_RADIUS
+  SUBDIRS += plugins/eap_radius
+  PLUGINS += eapradius
+endif
+
 if USE_MEDSRV
   SUBDIRS += plugins/medsrv
   PLUGINS += medsrv
diff --git a/src/charon/Makefile.in b/src/charon/Makefile.in
index 33098d4a7..f74577c8c 100644
--- a/src/charon/Makefile.in
+++ b/src/charon/Makefile.in
@@ -80,16 +80,18 @@ ipsec_PROGRAMS = charon$(EXEEXT)
 @USE_EAP_AKA_TRUE@am__append_34 = eapaka
 @USE_EAP_MSCHAPV2_TRUE@am__append_35 = plugins/eap_mschapv2
 @USE_EAP_MSCHAPV2_TRUE@am__append_36 = eapmschapv2
-@USE_MEDSRV_TRUE@am__append_37 = plugins/medsrv
-@USE_MEDSRV_TRUE@am__append_38 = medsrv
-@USE_MEDCLI_TRUE@am__append_39 = plugins/medcli
-@USE_MEDCLI_TRUE@am__append_40 = medcli
-@USE_NM_TRUE@am__append_41 = plugins/nm
-@USE_NM_TRUE@am__append_42 = nm
-@USE_UCI_TRUE@am__append_43 = plugins/uci
-@USE_UCI_TRUE@am__append_44 = uci
-@USE_UNIT_TESTS_TRUE@am__append_45 = plugins/unit_tester
-@USE_UNIT_TESTS_TRUE@am__append_46 = unit-tester
+@USE_EAP_RADIUS_TRUE@am__append_37 = plugins/eap_radius
+@USE_EAP_RADIUS_TRUE@am__append_38 = eapradius
+@USE_MEDSRV_TRUE@am__append_39 = plugins/medsrv
+@USE_MEDSRV_TRUE@am__append_40 = medsrv
+@USE_MEDCLI_TRUE@am__append_41 = plugins/medcli
+@USE_MEDCLI_TRUE@am__append_42 = medcli
+@USE_NM_TRUE@am__append_43 = plugins/nm
+@USE_NM_TRUE@am__append_44 = nm
+@USE_UCI_TRUE@am__append_45 = plugins/uci
+@USE_UCI_TRUE@am__append_46 = uci
+@USE_UNIT_TESTS_TRUE@am__append_47 = plugins/unit_tester
+@USE_UNIT_TESTS_TRUE@am__append_48 = unit-tester
 subdir = src/charon
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
@@ -311,8 +313,8 @@ DIST_SUBDIRS = . plugins/load_tester plugins/kernel_pfkey \
 	plugins/smp plugins/sql plugins/updown plugins/eap_identity \
 	plugins/eap_sim plugins/eap_sim_file plugins/eap_md5 \
 	plugins/eap_gtc plugins/eap_aka plugins/eap_mschapv2 \
-	plugins/medsrv plugins/medcli plugins/nm plugins/uci \
-	plugins/unit_tester
+	plugins/eap_radius plugins/medsrv plugins/medcli plugins/nm \
+	plugins/uci plugins/unit_tester
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 AMTAR = @AMTAR@
@@ -587,14 +589,15 @@ SUBDIRS = . $(am__append_7) $(am__append_9) $(am__append_11) \
 	$(am__append_25) $(am__append_27) $(am__append_29) \
 	$(am__append_31) $(am__append_33) $(am__append_35) \
 	$(am__append_37) $(am__append_39) $(am__append_41) \
-	$(am__append_43) $(am__append_45)
+	$(am__append_43) $(am__append_45) $(am__append_47)
 PLUGINS = ${libstrongswan_plugins} $(am__append_8) $(am__append_10) \
 	$(am__append_12) $(am__append_14) $(am__append_16) \
 	$(am__append_18) $(am__append_20) $(am__append_22) \
 	$(am__append_24) $(am__append_26) $(am__append_28) \
 	$(am__append_30) $(am__append_32) $(am__append_34) \
 	$(am__append_36) $(am__append_38) $(am__append_40) \
-	$(am__append_42) $(am__append_44) $(am__append_46)
+	$(am__append_42) $(am__append_44) $(am__append_46) \
+	$(am__append_48)
 all: all-recursive
 
 .SUFFIXES:
diff --git a/src/charon/bus/bus.h b/src/charon/bus/bus.h
index 383678488..fe7d1e53d 100644
--- a/src/charon/bus/bus.h
+++ b/src/charon/bus/bus.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: bus.h 4622 2008-11-11 10:52:37Z martin $
+ * $Id: bus.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -350,4 +350,4 @@ struct bus_t {
  */
 bus_t *bus_create();
 
-#endif /* BUS_H_ @} */
+#endif /** BUS_H_ @}*/
diff --git a/src/charon/bus/listeners/file_logger.h b/src/charon/bus/listeners/file_logger.h
index 18a7c9765..5cd37adc0 100644
--- a/src/charon/bus/listeners/file_logger.h
+++ b/src/charon/bus/listeners/file_logger.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: file_logger.h 4434 2008-10-14 08:52:13Z martin $
+ * $Id: file_logger.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -59,4 +59,4 @@ struct file_logger_t {
  */
 file_logger_t *file_logger_create(FILE *out);
 
-#endif /* FILE_LOGGER_H_ @} */
+#endif /** FILE_LOGGER_H_ @}*/
diff --git a/src/charon/bus/listeners/sys_logger.h b/src/charon/bus/listeners/sys_logger.h
index 08cf4dd63..50301924e 100644
--- a/src/charon/bus/listeners/sys_logger.h
+++ b/src/charon/bus/listeners/sys_logger.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: sys_logger.h 4434 2008-10-14 08:52:13Z martin $
+ * $Id: sys_logger.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -61,4 +61,4 @@ struct sys_logger_t {
  */
 sys_logger_t *sys_logger_create(int facility);
 
-#endif /* SYS_LOGGER_H_ @} */
+#endif /** SYS_LOGGER_H_ @}*/
diff --git a/src/charon/config/attributes/attribute_manager.h b/src/charon/config/attributes/attribute_manager.h
index d2b69e02d..aef6e7b6e 100644
--- a/src/charon/config/attributes/attribute_manager.h
+++ b/src/charon/config/attributes/attribute_manager.h
@@ -80,4 +80,4 @@ struct attribute_manager_t {
  */
 attribute_manager_t *attribute_manager_create();
 
-#endif /* ATTRIBUTE_MANAGER_H_ @}*/
+#endif /** ATTRIBUTE_MANAGER_H_ @}*/
diff --git a/src/charon/config/attributes/attribute_provider.h b/src/charon/config/attributes/attribute_provider.h
index 9810c0354..5d563e86b 100644
--- a/src/charon/config/attributes/attribute_provider.h
+++ b/src/charon/config/attributes/attribute_provider.h
@@ -58,4 +58,4 @@ struct attribute_provider_t {
 							char *pool, host_t *address, identification_t *id);
 };
 
-#endif /* ATTRIBUTE_PROVIDER_H_ @}*/
+#endif /** ATTRIBUTE_PROVIDER_H_ @}*/
diff --git a/src/charon/config/backend.h b/src/charon/config/backend.h
index ec2c481bd..3a22f61ac 100644
--- a/src/charon/config/backend.h
+++ b/src/charon/config/backend.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: backend.h 3589 2008-03-13 14:14:44Z martin $
+ * $Id: backend.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -72,4 +72,4 @@ struct backend_t {
 	peer_cfg_t *(*get_peer_cfg_by_name)(backend_t *this, char *name);
 };
 
-#endif /* BACKEND_H_ @} */
+#endif /** BACKEND_H_ @}*/
diff --git a/src/charon/config/backend_manager.h b/src/charon/config/backend_manager.h
index 17df26dad..657e5af94 100644
--- a/src/charon/config/backend_manager.h
+++ b/src/charon/config/backend_manager.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: backend_manager.h 4132 2008-07-01 09:05:20Z martin $
+ * $Id: backend_manager.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -119,5 +119,4 @@ struct backend_manager_t {
  */
 backend_manager_t* backend_manager_create(void);
 
-#endif /*BACKEND_MANAGER_H_ @} */
-
+#endif /** BACKEND_MANAGER_H_ @}*/
diff --git a/src/charon/config/child_cfg.h b/src/charon/config/child_cfg.h
index 787324dca..6e3b0ba00 100644
--- a/src/charon/config/child_cfg.h
+++ b/src/charon/config/child_cfg.h
@@ -14,7 +14,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: child_cfg.h 4611 2008-11-11 06:29:25Z andreas $
+ * $Id: child_cfg.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -234,10 +234,10 @@ struct child_cfg_t {
 	/**
 	 * Sets two options needed for Mobile IPv6 interoperability
 	 * 
-	 * @proxy_mode			use IPsec transport proxy mode (default FALSE)
-	 * @install_policy		install IPsec kernel policies (default TRUE)
+	 * @param proxy_mode	use IPsec transport proxy mode (default FALSE)
+	 * @param install_policy install IPsec kernel policies (default TRUE)
 	 */
-	void (*set_mipv6_options)(child_cfg_t *this, bool proxy_mod,
+	void (*set_mipv6_options)(child_cfg_t *this, bool proxy_mode,
 												 bool install_policy);
 
 	/**
@@ -299,4 +299,4 @@ child_cfg_t *child_cfg_create(char *name, u_int32_t lifetime,
 							  char *updown, bool hostaccess, ipsec_mode_t mode,
 							  action_t dpd_action, action_t close_action, bool ipcomp);
 
-#endif /* CHILD_CFG_H_ @} */
+#endif /** CHILD_CFG_H_ @}*/
diff --git a/src/charon/config/ike_cfg.h b/src/charon/config/ike_cfg.h
index 6169af96b..c2f1f2867 100644
--- a/src/charon/config/ike_cfg.h
+++ b/src/charon/config/ike_cfg.h
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: ike_cfg.h 4044 2008-06-06 15:05:54Z martin $
+ * $Id: ike_cfg.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -133,7 +133,6 @@ struct ike_cfg_t {
  *
  * Supplied hosts become owned by ike_cfg, the name gets cloned.
  *
- * @param name			ike_cfg identifier
  * @param certreq		TRUE to send a certificate request
  * @param force_encap	enforce UDP encapsulation by faking NATD notify
  * @param me			address/DNS name of local peer
@@ -143,4 +142,4 @@ struct ike_cfg_t {
 ike_cfg_t *ike_cfg_create(bool certreq, bool force_encap, 
 						  char *me, char *other);
 
-#endif /* IKE_CFG_H_ @} */
+#endif /** IKE_CFG_H_ @}*/
diff --git a/src/charon/config/peer_cfg.h b/src/charon/config/peer_cfg.h
index 473cdfd04..93bc7d495 100644
--- a/src/charon/config/peer_cfg.h
+++ b/src/charon/config/peer_cfg.h
@@ -14,7 +14,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: peer_cfg.h 4276 2008-08-22 10:44:51Z martin $
+ * $Id: peer_cfg.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -340,7 +340,6 @@ struct peer_cfg_t {
  * @param reauth_time		timeout before starting reauthentication
  * @param jitter_time		timerange to randomly substract from rekey/reauth time
  * @param over_time			maximum overtime before closing a rekeying/reauth SA
- * @param reauth			sould be done reauthentication instead of rekeying?
  * @param mobike			use MOBIKE (RFC4555) if peer supports it
  * @param dpd				DPD check interval, 0 to disable
  * @param virtual_ip		virtual IP for local host, or NULL
@@ -350,7 +349,7 @@ struct peer_cfg_t {
  * @param peer_id			ID that identifies our peer at the mediation server
  * @return 					peer_cfg_t object
  */
-peer_cfg_t *peer_cfg_create(char *name, u_int ikev_version, ike_cfg_t *ike_cfg,
+peer_cfg_t *peer_cfg_create(char *name, u_int ike_version, ike_cfg_t *ike_cfg,
 							identification_t *my_id, identification_t *other_id,
 							cert_policy_t cert_policy, unique_policy_t unique,
 							u_int32_t keyingtries, u_int32_t rekey_time,
@@ -360,4 +359,4 @@ peer_cfg_t *peer_cfg_create(char *name, u_int ikev_version, ike_cfg_t *ike_cfg,
 							bool mediation, peer_cfg_t *mediated_by,
 							identification_t *peer_id);
 
-#endif /* PEER_CFG_H_ @} */
+#endif /** PEER_CFG_H_ @}*/
diff --git a/src/charon/config/proposal.h b/src/charon/config/proposal.h
index ea01120f9..6096158e6 100644
--- a/src/charon/config/proposal.h
+++ b/src/charon/config/proposal.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: proposal.h 4936 2009-03-12 18:07:32Z tobias $
+ * $Id: proposal.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -243,4 +243,4 @@ proposal_t *proposal_create_from_string(protocol_id_t protocol, const char *algs
 int proposal_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
 						 const void *const *args);
 
-#endif /* PROPOSAL_H_ @} */
+#endif /** PROPOSAL_H_ @}*/
diff --git a/src/charon/config/traffic_selector.h b/src/charon/config/traffic_selector.h
index fcec4e50b..2721f8993 100644
--- a/src/charon/config/traffic_selector.h
+++ b/src/charon/config/traffic_selector.h
@@ -14,7 +14,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: traffic_selector.h 4936 2009-03-12 18:07:32Z tobias $
+ * $Id: traffic_selector.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -264,6 +264,8 @@ traffic_selector_t *traffic_selector_create_from_bytes(
  * 
  * @param net			subnet to use
  * @param netbits		size of the subnet, as used in e.g. 192.168.0.0/24 notation
+ * @param protocol 		protocol for this ts, such as TCP or UDP
+ * @param port			port number, host order
  * @return
  * 						- traffic_selector_t object
  * 						- NULL if address family of net not supported
@@ -301,4 +303,4 @@ traffic_selector_t *traffic_selector_create_dynamic(u_int8_t protocol,
 int traffic_selector_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
 								 const void *const *args);
 
-#endif /* TRAFFIC_SELECTOR_H_ @} */
+#endif /** TRAFFIC_SELECTOR_H_ @}*/
diff --git a/src/charon/control/controller.h b/src/charon/control/controller.h
index 4609d7a8b..b2eaf480b 100644
--- a/src/charon/control/controller.h
+++ b/src/charon/control/controller.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: controller.h 4624 2008-11-11 13:11:44Z tobias $
+ * $Id: controller.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -171,4 +171,4 @@ struct controller_t {
  */
 controller_t *controller_create(void);
 
-#endif /* CONTROLLER_H_ @} */
+#endif /** CONTROLLER_H_ @}*/
diff --git a/src/charon/credentials/auth_info.h b/src/charon/credentials/auth_info.h
index 161698a65..f480a6e08 100644
--- a/src/charon/credentials/auth_info.h
+++ b/src/charon/credentials/auth_info.h
@@ -195,4 +195,4 @@ struct auth_info_t {
  */
 auth_info_t *auth_info_create();
 
-#endif /* AUTH_INFO_H_ @}*/
+#endif /** AUTH_INFO_H_ @}*/
diff --git a/src/charon/credentials/credential_manager.h b/src/charon/credentials/credential_manager.h
index 3a64437e6..ff2dc3645 100644
--- a/src/charon/credentials/credential_manager.h
+++ b/src/charon/credentials/credential_manager.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: credential_manager.h 3835 2008-04-18 10:11:41Z tobias $
+ * $Id: credential_manager.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -204,4 +204,4 @@ struct credential_manager_t {
  */
 credential_manager_t *credential_manager_create();
 
-#endif /* CREDENTIAL_MANAGER_H_ @} */
+#endif /** CREDENTIAL_MANAGER_H_ @}*/
diff --git a/src/charon/credentials/credential_set.h b/src/charon/credentials/credential_set.h
index 4166d05a3..14b2a8ebd 100644
--- a/src/charon/credentials/credential_set.h
+++ b/src/charon/credentials/credential_set.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: credential_set.h 4229 2008-07-30 11:38:44Z martin $
+ * $Id: credential_set.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -107,4 +107,4 @@ struct credential_set_t {
 	void (*cache_cert)(credential_set_t *this, certificate_t *cert);	
 };
 
-#endif /* CREDENTIAL_SET_H_ @} */
+#endif /** CREDENTIAL_SET_H_ @}*/
diff --git a/src/charon/credentials/sets/auth_info_wrapper.h b/src/charon/credentials/sets/auth_info_wrapper.h
index c382e9870..9186715f0 100644
--- a/src/charon/credentials/sets/auth_info_wrapper.h
+++ b/src/charon/credentials/sets/auth_info_wrapper.h
@@ -52,4 +52,4 @@ struct auth_info_wrapper_t {
  */
 auth_info_wrapper_t *auth_info_wrapper_create(auth_info_t *auth);
 
-#endif /* AUTH_INFO_WRAPPER_H_ @}*/
+#endif /** AUTH_INFO_WRAPPER_H_ @}*/
diff --git a/src/charon/credentials/sets/cert_cache.h b/src/charon/credentials/sets/cert_cache.h
index 281189d53..40e38e913 100644
--- a/src/charon/credentials/sets/cert_cache.h
+++ b/src/charon/credentials/sets/cert_cache.h
@@ -70,4 +70,4 @@ struct cert_cache_t {
  */
 cert_cache_t *cert_cache_create();
 
-#endif /* CERT_CACHE_H_ @}*/
+#endif /** CERT_CACHE_H_ @}*/
diff --git a/src/charon/credentials/sets/ocsp_response_wrapper.h b/src/charon/credentials/sets/ocsp_response_wrapper.h
index 6d32c2ca8..068035884 100644
--- a/src/charon/credentials/sets/ocsp_response_wrapper.h
+++ b/src/charon/credentials/sets/ocsp_response_wrapper.h
@@ -52,4 +52,4 @@ struct ocsp_response_wrapper_t {
  */
 ocsp_response_wrapper_t *ocsp_response_wrapper_create(ocsp_response_t *response);
 
-#endif /* OCSP_RESPONSE_WRAPPER_H_ @}*/
+#endif /** OCSP_RESPONSE_WRAPPER_H_ @}*/
diff --git a/src/charon/daemon.h b/src/charon/daemon.h
index 1b9392f8e..d70a88010 100644
--- a/src/charon/daemon.h
+++ b/src/charon/daemon.h
@@ -15,7 +15,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: daemon.h 4797 2008-12-12 09:13:06Z martin $
+ * $Id: daemon.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -330,4 +330,4 @@ struct daemon_t {
  */
 extern daemon_t *charon;
 
-#endif /*DAEMON_H_ @} */
+#endif /** DAEMON_H_ @}*/
diff --git a/src/charon/encoding/generator.h b/src/charon/encoding/generator.h
index d1d3522d0..5c8755d04 100644
--- a/src/charon/encoding/generator.h
+++ b/src/charon/encoding/generator.h
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: generator.h 4702 2008-11-26 10:42:54Z martin $
+ * $Id: generator.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -84,4 +84,4 @@ struct generator_t {
  */
 generator_t *generator_create(void);
 
-#endif /*GENERATOR_H_ @} */
+#endif /** GENERATOR_H_ @}*/
diff --git a/src/charon/encoding/message.h b/src/charon/encoding/message.h
index 8cc604ea7..40941c2c9 100644
--- a/src/charon/encoding/message.h
+++ b/src/charon/encoding/message.h
@@ -15,7 +15,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: message.h 3589 2008-03-13 14:14:44Z martin $
+ * $Id: message.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -353,4 +353,4 @@ message_t * message_create_from_packet(packet_t *packet);
  */
 message_t * message_create(void);
 
-#endif /*MESSAGE_H_ @} */
+#endif /** MESSAGE_H_ @}*/
diff --git a/src/charon/encoding/parser.h b/src/charon/encoding/parser.h
index 58778b57a..222e328d1 100644
--- a/src/charon/encoding/parser.h
+++ b/src/charon/encoding/parser.h
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: parser.h 3589 2008-03-13 14:14:44Z martin $
+ * $Id: parser.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -78,4 +78,4 @@ struct parser_t {
  */
 parser_t *parser_create(chunk_t data);
 
-#endif /*PARSER_H_ @} */
+#endif /** PARSER_H_ @}*/
diff --git a/src/charon/encoding/payloads/auth_payload.h b/src/charon/encoding/payloads/auth_payload.h
index bdbba9e35..26375a398 100644
--- a/src/charon/encoding/payloads/auth_payload.h
+++ b/src/charon/encoding/payloads/auth_payload.h
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: auth_payload.h 3589 2008-03-13 14:14:44Z martin $
+ * $Id: auth_payload.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -101,4 +101,4 @@ struct auth_payload_t {
  */
 auth_payload_t *auth_payload_create(void);
 
-#endif /* AUTH_PAYLOAD_H_ @} */
+#endif /** AUTH_PAYLOAD_H_ @}*/
diff --git a/src/charon/encoding/payloads/cert_payload.h b/src/charon/encoding/payloads/cert_payload.h
index aa16104a8..d6e328850 100644
--- a/src/charon/encoding/payloads/cert_payload.h
+++ b/src/charon/encoding/payloads/cert_payload.h
@@ -14,7 +14,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: cert_payload.h 3838 2008-04-18 11:24:45Z tobias $
+ * $Id: cert_payload.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -115,7 +115,6 @@ struct cert_payload_t {
 /**
  * Creates an empty certificate payload.
  * 
- * @param cert				certificate to embed
  * @return					cert_payload_t object
  */
 cert_payload_t *cert_payload_create(void);
@@ -137,4 +136,4 @@ cert_payload_t *cert_payload_create_from_cert(certificate_t *cert);
  */
 cert_payload_t *cert_payload_create_from_hash_and_url(chunk_t hash, char *url);
 
-#endif /* CERT_PAYLOAD_H_ @} */
+#endif /** CERT_PAYLOAD_H_ @}*/
diff --git a/src/charon/encoding/payloads/certreq_payload.h b/src/charon/encoding/payloads/certreq_payload.h
index b835d7ad6..a246f0e93 100644
--- a/src/charon/encoding/payloads/certreq_payload.h
+++ b/src/charon/encoding/payloads/certreq_payload.h
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: certreq_payload.h 3589 2008-03-13 14:14:44Z martin $
+ * $Id: certreq_payload.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -89,4 +89,4 @@ certreq_payload_t *certreq_payload_create(void);
  */
 certreq_payload_t *certreq_payload_create_type(certificate_type_t type);
 
-#endif /* CERTREQ_PAYLOAD_H_ @} */
+#endif /** CERTREQ_PAYLOAD_H_ @}*/
diff --git a/src/charon/encoding/payloads/configuration_attribute.h b/src/charon/encoding/payloads/configuration_attribute.h
index 4c8673a26..13aaa0e90 100644
--- a/src/charon/encoding/payloads/configuration_attribute.h
+++ b/src/charon/encoding/payloads/configuration_attribute.h
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: configuration_attribute.h 4844 2009-01-20 22:55:13Z andreas $
+ * $Id: configuration_attribute.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -127,4 +127,4 @@ struct configuration_attribute_t {
  */
 configuration_attribute_t *configuration_attribute_create(void);
 
-#endif /* CONFIGURATION_ATTRIBUTE_H_ @} */
+#endif /** CONFIGURATION_ATTRIBUTE_H_ @}*/
diff --git a/src/charon/encoding/payloads/cp_payload.h b/src/charon/encoding/payloads/cp_payload.h
index 0ca75e71d..c31b1667d 100644
--- a/src/charon/encoding/payloads/cp_payload.h
+++ b/src/charon/encoding/payloads/cp_payload.h
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: cp_payload.h 3589 2008-03-13 14:14:44Z martin $
+ * $Id: cp_payload.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -110,4 +110,4 @@ struct cp_payload_t {
  */
 cp_payload_t *cp_payload_create(void);
 
-#endif /*CP_PAYLOAD_H_ @} */
+#endif /** CP_PAYLOAD_H_ @}*/
diff --git a/src/charon/encoding/payloads/delete_payload.h b/src/charon/encoding/payloads/delete_payload.h
index 2c1a596b9..862deb9dc 100644
--- a/src/charon/encoding/payloads/delete_payload.h
+++ b/src/charon/encoding/payloads/delete_payload.h
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: delete_payload.h 3589 2008-03-13 14:14:44Z martin $
+ * $Id: delete_payload.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -83,4 +83,4 @@ struct delete_payload_t {
  */
 delete_payload_t *delete_payload_create(protocol_id_t protocol_id);
 
-#endif /* DELETE_PAYLOAD_H_ @} */
+#endif /** DELETE_PAYLOAD_H_ @}*/
diff --git a/src/charon/encoding/payloads/eap_payload.h b/src/charon/encoding/payloads/eap_payload.h
index 23558053d..337f82e12 100644
--- a/src/charon/encoding/payloads/eap_payload.h
+++ b/src/charon/encoding/payloads/eap_payload.h
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: eap_payload.h 3589 2008-03-13 14:14:44Z martin $
+ * $Id: eap_payload.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -128,4 +128,4 @@ eap_payload_t *eap_payload_create_code(eap_code_t code, u_int8_t identifier);
  */
 eap_payload_t *eap_payload_create_nak(u_int8_t identifier);
 
-#endif /* EAP_PAYLOAD_H_ @} */
+#endif /** EAP_PAYLOAD_H_ @}*/
diff --git a/src/charon/encoding/payloads/encodings.h b/src/charon/encoding/payloads/encodings.h
index 73c5f9c36..ad98874a2 100644
--- a/src/charon/encoding/payloads/encodings.h
+++ b/src/charon/encoding/payloads/encodings.h
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: encodings.h 3589 2008-03-13 14:14:44Z martin $
+ * $Id: encodings.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -527,4 +527,4 @@ struct encoding_rule_t {
 	u_int32_t offset;
 };
 
-#endif /*ENCODINGS_H_ @} */
+#endif /** ENCODINGS_H_ @}*/
diff --git a/src/charon/encoding/payloads/encryption_payload.h b/src/charon/encoding/payloads/encryption_payload.h
index e20ff6acc..1d3eeb793 100644
--- a/src/charon/encoding/payloads/encryption_payload.h
+++ b/src/charon/encoding/payloads/encryption_payload.h
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: encryption_payload.h 3589 2008-03-13 14:14:44Z martin $
+ * $Id: encryption_payload.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -172,4 +172,4 @@ struct encryption_payload_t {
  */
 encryption_payload_t *encryption_payload_create(void);
 
-#endif /*ENCRYPTION_PAYLOAD_H_ @} */
+#endif /** ENCRYPTION_PAYLOAD_H_ @}*/
diff --git a/src/charon/encoding/payloads/endpoint_notify.h b/src/charon/encoding/payloads/endpoint_notify.h
index 9a4a4d7a1..36f483c67 100644
--- a/src/charon/encoding/payloads/endpoint_notify.h
+++ b/src/charon/encoding/payloads/endpoint_notify.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: endpoint_notify.h 3701 2008-03-31 10:56:49Z tobias $
+ * $Id: endpoint_notify.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -172,4 +172,4 @@ endpoint_notify_t *endpoint_notify_create_from_host(me_endpoint_type_t type,
  */
 endpoint_notify_t *endpoint_notify_create_from_payload(notify_payload_t *notify);
 
-#endif /*ENDPOINT_NOTIFY_H_ @} */
+#endif /** ENDPOINT_NOTIFY_H_ @}*/
diff --git a/src/charon/encoding/payloads/id_payload.h b/src/charon/encoding/payloads/id_payload.h
index 49e6c214b..9de21cc6a 100644
--- a/src/charon/encoding/payloads/id_payload.h
+++ b/src/charon/encoding/payloads/id_payload.h
@@ -14,7 +14,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: id_payload.h 3589 2008-03-13 14:14:44Z martin $
+ * $Id: id_payload.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -121,4 +121,4 @@ id_payload_t *id_payload_create(payload_type_t payload_type);
 id_payload_t *id_payload_create_from_identification(payload_type_t payload_type,
 											identification_t *identification);
 
-#endif /* ID_PAYLOAD_H_ @} */
+#endif /** ID_PAYLOAD_H_ @}*/
diff --git a/src/charon/encoding/payloads/ike_header.h b/src/charon/encoding/payloads/ike_header.h
index 5568f081b..7292c2c9c 100644
--- a/src/charon/encoding/payloads/ike_header.h
+++ b/src/charon/encoding/payloads/ike_header.h
@@ -14,7 +14,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: ike_header.h 3666 2008-03-26 18:40:19Z tobias $
+ * $Id: ike_header.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -227,4 +227,4 @@ struct ike_header_t {
  */
 ike_header_t *ike_header_create(void);
 
-#endif /*IKE_HEADER_H_ @} */
+#endif /** IKE_HEADER_H_ @}*/
diff --git a/src/charon/encoding/payloads/ke_payload.h b/src/charon/encoding/payloads/ke_payload.h
index 222d2ec7c..bc5c9224a 100644
--- a/src/charon/encoding/payloads/ke_payload.h
+++ b/src/charon/encoding/payloads/ke_payload.h
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: ke_payload.h 3589 2008-03-13 14:14:44Z martin $
+ * $Id: ke_payload.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -103,4 +103,4 @@ ke_payload_t *ke_payload_create(void);
 ke_payload_t *ke_payload_create_from_diffie_hellman(
 											diffie_hellman_t *diffie_hellman);
 
-#endif /* KE_PAYLOAD_H_ @} */
+#endif /** KE_PAYLOAD_H_ @}*/
diff --git a/src/charon/encoding/payloads/nonce_payload.h b/src/charon/encoding/payloads/nonce_payload.h
index f1e49491d..b433c7023 100644
--- a/src/charon/encoding/payloads/nonce_payload.h
+++ b/src/charon/encoding/payloads/nonce_payload.h
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: nonce_payload.h 4819 2008-12-31 08:58:49Z martin $
+ * $Id: nonce_payload.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -77,4 +77,4 @@ struct nonce_payload_t {
  */
 nonce_payload_t *nonce_payload_create(void);
 
-#endif /*NONCE_PAYLOAD_H_ @} */
+#endif /** NONCE_PAYLOAD_H_ @}*/
diff --git a/src/charon/encoding/payloads/notify_payload.h b/src/charon/encoding/payloads/notify_payload.h
index 6ee137543..9f7577c26 100644
--- a/src/charon/encoding/payloads/notify_payload.h
+++ b/src/charon/encoding/payloads/notify_payload.h
@@ -15,7 +15,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: notify_payload.h 4842 2009-01-19 12:32:42Z andreas $
+ * $Id: notify_payload.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -215,4 +215,4 @@ notify_payload_t *notify_payload_create(void);
 notify_payload_t *notify_payload_create_from_protocol_and_type(
 								protocol_id_t protocol_id, notify_type_t type);
 
-#endif /*NOTIFY_PAYLOAD_H_ @} */
+#endif /** NOTIFY_PAYLOAD_H_ @}*/
diff --git a/src/charon/encoding/payloads/payload.h b/src/charon/encoding/payloads/payload.h
index 7a19cc76c..7cb1b7735 100644
--- a/src/charon/encoding/payloads/payload.h
+++ b/src/charon/encoding/payloads/payload.h
@@ -14,7 +14,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: payload.h 4875 2009-02-17 17:14:15Z tobias $
+ * $Id: payload.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -271,4 +271,4 @@ struct payload_t {
  */
 payload_t *payload_create(payload_type_t type);
 
-#endif /*PAYLOAD_H_ @} */
+#endif /** PAYLOAD_H_ @}*/
diff --git a/src/charon/encoding/payloads/proposal_substructure.h b/src/charon/encoding/payloads/proposal_substructure.h
index 85daadddc..212366d77 100644
--- a/src/charon/encoding/payloads/proposal_substructure.h
+++ b/src/charon/encoding/payloads/proposal_substructure.h
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: proposal_substructure.h 3589 2008-03-13 14:14:44Z martin $
+ * $Id: proposal_substructure.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -172,4 +172,4 @@ proposal_substructure_t *proposal_substructure_create(void);
 proposal_substructure_t *proposal_substructure_create_from_proposal(
 														proposal_t *proposal);
 
-#endif /*PROPOSAL_SUBSTRUCTURE_H_ @} */
+#endif /** PROPOSAL_SUBSTRUCTURE_H_ @}*/
diff --git a/src/charon/encoding/payloads/sa_payload.h b/src/charon/encoding/payloads/sa_payload.h
index 34906c889..237432422 100644
--- a/src/charon/encoding/payloads/sa_payload.h
+++ b/src/charon/encoding/payloads/sa_payload.h
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: sa_payload.h 3589 2008-03-13 14:14:44Z martin $
+ * $Id: sa_payload.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -114,4 +114,4 @@ sa_payload_t *sa_payload_create_from_proposal_list(linked_list_t *proposals);
  */
 sa_payload_t *sa_payload_create_from_proposal(proposal_t *proposal);
 
-#endif /*SA_PAYLOAD_H_ @} */
+#endif /** SA_PAYLOAD_H_ @}*/
diff --git a/src/charon/encoding/payloads/traffic_selector_substructure.h b/src/charon/encoding/payloads/traffic_selector_substructure.h
index 2a2769fb6..9179d1478 100644
--- a/src/charon/encoding/payloads/traffic_selector_substructure.h
+++ b/src/charon/encoding/payloads/traffic_selector_substructure.h
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: traffic_selector_substructure.h 3589 2008-03-13 14:14:44Z martin $
+ * $Id: traffic_selector_substructure.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -150,4 +150,4 @@ traffic_selector_substructure_t *traffic_selector_substructure_create(void);
 traffic_selector_substructure_t *traffic_selector_substructure_create_from_traffic_selector(
 										traffic_selector_t *traffic_selector);
 
-#endif /* /TRAFFIC_SELECTOR_SUBSTRUCTURE_H_ @} */
+#endif /** TRAFFIC_SELECTOR_SUBSTRUCTURE_H_ @}*/
diff --git a/src/charon/encoding/payloads/transform_attribute.h b/src/charon/encoding/payloads/transform_attribute.h
index 891155913..6755ff74c 100644
--- a/src/charon/encoding/payloads/transform_attribute.h
+++ b/src/charon/encoding/payloads/transform_attribute.h
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: transform_attribute.h 3589 2008-03-13 14:14:44Z martin $
+ * $Id: transform_attribute.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -131,4 +131,4 @@ transform_attribute_t *transform_attribute_create(void);
  */
 transform_attribute_t *transform_attribute_create_key_length(u_int16_t key_length);
 
-#endif /*TRANSFORM_ATTRIBUTE_H_ @} */
+#endif /** TRANSFORM_ATTRIBUTE_H_ @}*/
diff --git a/src/charon/encoding/payloads/transform_substructure.h b/src/charon/encoding/payloads/transform_substructure.h
index 6be4b6d1e..cc8adc38a 100644
--- a/src/charon/encoding/payloads/transform_substructure.h
+++ b/src/charon/encoding/payloads/transform_substructure.h
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: transform_substructure.h 3589 2008-03-13 14:14:44Z martin $
+ * $Id: transform_substructure.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -173,4 +173,4 @@ transform_substructure_t *transform_substructure_create_type(
 						transform_type_t transform_type, u_int16_t transform_id,
 						u_int16_t key_length);
 
-#endif /*TRANSFORM_SUBSTRUCTURE_H_ @} */
+#endif /** TRANSFORM_SUBSTRUCTURE_H_ @}*/
diff --git a/src/charon/encoding/payloads/ts_payload.h b/src/charon/encoding/payloads/ts_payload.h
index d8a108ddd..91f26f55d 100644
--- a/src/charon/encoding/payloads/ts_payload.h
+++ b/src/charon/encoding/payloads/ts_payload.h
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: ts_payload.h 3589 2008-03-13 14:14:44Z martin $
+ * $Id: ts_payload.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -126,4 +126,4 @@ ts_payload_t *ts_payload_create(bool is_initiator);
 ts_payload_t *ts_payload_create_from_traffic_selectors(bool is_initiator, 
 											linked_list_t *traffic_selectors);
 
-#endif /* TS_PAYLOAD_H_ @} */
+#endif /** TS_PAYLOAD_H_ @}*/
diff --git a/src/charon/encoding/payloads/unknown_payload.h b/src/charon/encoding/payloads/unknown_payload.h
index 045448f06..03894c619 100644
--- a/src/charon/encoding/payloads/unknown_payload.h
+++ b/src/charon/encoding/payloads/unknown_payload.h
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: unknown_payload.h 3589 2008-03-13 14:14:44Z martin $
+ * $Id: unknown_payload.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -78,4 +78,4 @@ struct unknown_payload_t {
  */
 unknown_payload_t *unknown_payload_create(void);
 
-#endif /* UNKNOWN_PAYLOAD_H_ @} */
+#endif /** UNKNOWN_PAYLOAD_H_ @}*/
diff --git a/src/charon/encoding/payloads/vendor_id_payload.h b/src/charon/encoding/payloads/vendor_id_payload.h
index e489bfd5a..b8798f24e 100644
--- a/src/charon/encoding/payloads/vendor_id_payload.h
+++ b/src/charon/encoding/payloads/vendor_id_payload.h
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: vendor_id_payload.h 3589 2008-03-13 14:14:44Z martin $
+ * $Id: vendor_id_payload.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -86,4 +86,4 @@ struct vendor_id_payload_t {
  */
 vendor_id_payload_t *vendor_id_payload_create(void);
 
-#endif /* VENDOR_ID_PAYLOAD_H_ @} */
+#endif /** VENDOR_ID_PAYLOAD_H_ @}*/
diff --git a/src/charon/kernel/kernel_interface.c b/src/charon/kernel/kernel_interface.c
index f078f3a00..f099a94ac 100644
--- a/src/charon/kernel/kernel_interface.c
+++ b/src/charon/kernel/kernel_interface.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: kernel_interface.c 4655 2008-11-14 13:04:22Z martin $
+ * $Id: kernel_interface.c 4997 2009-03-24 10:24:58Z martin $
  */
 
 #include "kernel_interface.h"
diff --git a/src/charon/kernel/kernel_interface.h b/src/charon/kernel/kernel_interface.h
index 3c3b05c81..29a07f74f 100644
--- a/src/charon/kernel/kernel_interface.h
+++ b/src/charon/kernel/kernel_interface.h
@@ -15,7 +15,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: kernel_interface.h 4618 2008-11-11 09:22:00Z tobias $
+ * $Id: kernel_interface.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -379,4 +379,4 @@ struct kernel_interface_t {
  */
 kernel_interface_t *kernel_interface_create(void);
 
-#endif /* KERNEL_INTERFACE_H_ @} */
+#endif /** KERNEL_INTERFACE_H_ @}*/
diff --git a/src/charon/kernel/kernel_ipsec.h b/src/charon/kernel/kernel_ipsec.h
index de7068fb9..24834c4b1 100644
--- a/src/charon/kernel/kernel_ipsec.h
+++ b/src/charon/kernel/kernel_ipsec.h
@@ -15,7 +15,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: kernel_ipsec.h 4618 2008-11-11 09:22:00Z tobias $
+ * $Id: kernel_ipsec.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -258,4 +258,4 @@ struct kernel_ipsec_t {
 	void (*destroy) (kernel_ipsec_t *this);
 };
 
-#endif /* KERNEL_IPSEC_H_ @} */
+#endif /** KERNEL_IPSEC_H_ @}*/
diff --git a/src/charon/kernel/kernel_net.h b/src/charon/kernel/kernel_net.h
index 80a71ebc6..df73bc1f9 100644
--- a/src/charon/kernel/kernel_net.h
+++ b/src/charon/kernel/kernel_net.h
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: kernel_net.h 4386 2008-10-08 08:23:46Z martin $
+ * $Id: kernel_net.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -142,4 +142,4 @@ struct kernel_net_t {
 	void (*destroy) (kernel_net_t *this);
 };
 
-#endif /* KERNEL_NET_H_ @} */
+#endif /** KERNEL_NET_H_ @}*/
diff --git a/src/charon/network/packet.h b/src/charon/network/packet.h
index 2f126d465..8c1a07ab5 100644
--- a/src/charon/network/packet.h
+++ b/src/charon/network/packet.h
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: packet.h 3589 2008-03-13 14:14:44Z martin $
+ * $Id: packet.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -114,4 +114,4 @@ struct packet_t {
  */
 packet_t *packet_create(void);
 
-#endif /*PACKET_H_ @} */
+#endif /** PACKET_H_ @}*/
diff --git a/src/charon/network/receiver.h b/src/charon/network/receiver.h
index 810a51849..36a57df79 100644
--- a/src/charon/network/receiver.h
+++ b/src/charon/network/receiver.h
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: receiver.h 3589 2008-03-13 14:14:44Z martin $
+ * $Id: receiver.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -69,4 +69,4 @@ struct receiver_t {
  */
 receiver_t * receiver_create(void);
 
-#endif /*RECEIVER_H_ @} */
+#endif /** RECEIVER_H_ @}*/
diff --git a/src/charon/network/sender.h b/src/charon/network/sender.h
index 4a67c7e72..0c92017e4 100644
--- a/src/charon/network/sender.h
+++ b/src/charon/network/sender.h
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: sender.h 3589 2008-03-13 14:14:44Z martin $
+ * $Id: sender.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -61,4 +61,4 @@ struct sender_t {
  */
 sender_t * sender_create(void);
 
-#endif /*SENDER_H_ @} */
+#endif /** SENDER_H_ @}*/
diff --git a/src/charon/network/socket.h b/src/charon/network/socket.h
index 4e967f721..af5d64edf 100644
--- a/src/charon/network/socket.h
+++ b/src/charon/network/socket.h
@@ -14,7 +14,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: socket.h 4647 2008-11-13 07:48:27Z martin $
+ * $Id: socket.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -101,4 +101,4 @@ struct socket_t {
  */
 socket_t *socket_create();
 
-#endif /*SOCKET_H_ @} */
+#endif /** SOCKET_H_ @}*/
diff --git a/src/charon/plugins/eap_aka/eap_aka.h b/src/charon/plugins/eap_aka/eap_aka.h
index 118f2c44f..196eaf429 100644
--- a/src/charon/plugins/eap_aka/eap_aka.h
+++ b/src/charon/plugins/eap_aka/eap_aka.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: eap_aka.h 3491 2008-02-22 14:04:00Z martin $
+ * $Id: eap_aka.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -49,7 +49,7 @@ typedef struct eap_aka_t eap_aka_t;
  * a sequence number derived from time. It is initialized to the startup
  * time of the daemon. As long as the (UTC) time of the system is not
  * turned back while the daemon is not running, this method is secure.
- * To enable time based SEQs, #define SEQ_CHECK as 1. Default is to accept
+ * To enable time based SEQs, define SEQ_CHECK as 1. Default is to accept
  * any SEQ numbers. This allows an attacker to do replay attacks. But since
  * the server has proven his identity via IKE, such an attack is only
  * possible between server and AAA (if any).
@@ -80,4 +80,4 @@ eap_aka_t *eap_aka_create_server(identification_t *server, identification_t *pee
  */
 eap_aka_t *eap_aka_create_peer(identification_t *server, identification_t *peer);
 
-#endif /* EAP_AKA_H_ @}*/
+#endif /** EAP_AKA_H_ @}*/
diff --git a/src/charon/plugins/eap_aka/eap_aka_plugin.h b/src/charon/plugins/eap_aka/eap_aka_plugin.h
index 506d47f98..5fdc5c768 100644
--- a/src/charon/plugins/eap_aka/eap_aka_plugin.h
+++ b/src/charon/plugins/eap_aka/eap_aka_plugin.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: eap_aka_plugin.h 3491 2008-02-22 14:04:00Z martin $
+ * $Id: eap_aka_plugin.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -46,4 +46,4 @@ struct eap_aka_plugin_t {
  */
 plugin_t *plugin_create();
 
-#endif /* EAP_AKA_PLUGIN_H_ @}*/
+#endif /** EAP_AKA_PLUGIN_H_ @}*/
diff --git a/src/charon/plugins/eap_gtc/eap_gtc.h b/src/charon/plugins/eap_gtc/eap_gtc.h
index 478ac81cf..722881249 100644
--- a/src/charon/plugins/eap_gtc/eap_gtc.h
+++ b/src/charon/plugins/eap_gtc/eap_gtc.h
@@ -59,4 +59,4 @@ eap_gtc_t *eap_gtc_create_server(identification_t *server, identification_t *pee
  */
 eap_gtc_t *eap_gtc_create_peer(identification_t *server, identification_t *peer);
 
-#endif /* EAP_GTC_H_ @}*/
+#endif /** EAP_GTC_H_ @}*/
diff --git a/src/charon/plugins/eap_gtc/eap_gtc_plugin.h b/src/charon/plugins/eap_gtc/eap_gtc_plugin.h
index 8b2f5435f..f858f0d15 100644
--- a/src/charon/plugins/eap_gtc/eap_gtc_plugin.h
+++ b/src/charon/plugins/eap_gtc/eap_gtc_plugin.h
@@ -46,4 +46,4 @@ struct eap_gtc_plugin_t {
  */
 plugin_t *plugin_create();
 
-#endif /* EAP_GTC_PLUGIN_H_ @}*/
+#endif /** EAP_GTC_PLUGIN_H_ @}*/
diff --git a/src/charon/plugins/eap_identity/eap_identity.h b/src/charon/plugins/eap_identity/eap_identity.h
index 27b04b7d5..60f62e17c 100644
--- a/src/charon/plugins/eap_identity/eap_identity.h
+++ b/src/charon/plugins/eap_identity/eap_identity.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: eap_identity.h 4276 2008-08-22 10:44:51Z martin $
+ * $Id: eap_identity.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -58,4 +58,4 @@ eap_identity_t *eap_identity_create_server(identification_t *server,
 eap_identity_t *eap_identity_create_peer(identification_t *server,
 										 identification_t *peer);
 
-#endif /* EAP_IDENTITY_H_ @}*/
+#endif /** EAP_IDENTITY_H_ @}*/
diff --git a/src/charon/plugins/eap_identity/eap_identity_plugin.h b/src/charon/plugins/eap_identity/eap_identity_plugin.h
index d7fa525ce..ddb3ed457 100644
--- a/src/charon/plugins/eap_identity/eap_identity_plugin.h
+++ b/src/charon/plugins/eap_identity/eap_identity_plugin.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: eap_identity_plugin.h 3491 2008-02-22 14:04:00Z martin $
+ * $Id: eap_identity_plugin.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -46,4 +46,4 @@ struct eap_identity_plugin_t {
  */
 plugin_t *plugin_create();
 
-#endif /* EAP_IDENTITY_PLUGIN_H_ @}*/
+#endif /** EAP_IDENTITY_PLUGIN_H_ @}*/
diff --git a/src/charon/plugins/eap_md5/eap_md5.h b/src/charon/plugins/eap_md5/eap_md5.h
index 421e1e602..2617b9aea 100644
--- a/src/charon/plugins/eap_md5/eap_md5.h
+++ b/src/charon/plugins/eap_md5/eap_md5.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: eap_md5.h 3491 2008-02-22 14:04:00Z martin $
+ * $Id: eap_md5.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -56,4 +56,4 @@ eap_md5_t *eap_md5_create_server(identification_t *server, identification_t *pee
  */
 eap_md5_t *eap_md5_create_peer(identification_t *server, identification_t *peer);
 
-#endif /* EAP_MD5_H_ @}*/
+#endif /** EAP_MD5_H_ @}*/
diff --git a/src/charon/plugins/eap_md5/eap_md5_plugin.h b/src/charon/plugins/eap_md5/eap_md5_plugin.h
index d13794f2e..3adbcfe27 100644
--- a/src/charon/plugins/eap_md5/eap_md5_plugin.h
+++ b/src/charon/plugins/eap_md5/eap_md5_plugin.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: eap_md5_plugin.h 3491 2008-02-22 14:04:00Z martin $
+ * $Id: eap_md5_plugin.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -46,4 +46,4 @@ struct eap_md5_plugin_t {
  */
 plugin_t *plugin_create();
 
-#endif /* EAP_MD5_PLUGIN_H_ @}*/
+#endif /** EAP_MD5_PLUGIN_H_ @}*/
diff --git a/src/charon/plugins/eap_mschapv2/eap_mschapv2.h b/src/charon/plugins/eap_mschapv2/eap_mschapv2.h
index 4b6e4531a..d5638db00 100644
--- a/src/charon/plugins/eap_mschapv2/eap_mschapv2.h
+++ b/src/charon/plugins/eap_mschapv2/eap_mschapv2.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: eap_mschapv2.h 4882 2009-02-18 19:57:15Z tobias $
+ * $Id: eap_mschapv2.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -56,4 +56,4 @@ eap_mschapv2_t *eap_mschapv2_create_server(identification_t *server, identificat
  */
 eap_mschapv2_t *eap_mschapv2_create_peer(identification_t *server, identification_t *peer);
 
-#endif /* EAP_MSCHAPV2_H_ @}*/
+#endif /** EAP_MSCHAPV2_H_ @}*/
diff --git a/src/charon/plugins/eap_mschapv2/eap_mschapv2_plugin.h b/src/charon/plugins/eap_mschapv2/eap_mschapv2_plugin.h
index 97177947b..0e671c3d6 100644
--- a/src/charon/plugins/eap_mschapv2/eap_mschapv2_plugin.h
+++ b/src/charon/plugins/eap_mschapv2/eap_mschapv2_plugin.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: eap_mschapv2_plugin.h 4882 2009-02-18 19:57:15Z tobias $
+ * $Id: eap_mschapv2_plugin.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -46,4 +46,4 @@ struct eap_mschapv2_plugin_t {
  */
 plugin_t *plugin_create();
 
-#endif /* EAP_MSCHAPV2_PLUGIN_H_ @}*/
+#endif /** EAP_MSCHAPV2_PLUGIN_H_ @}*/
diff --git a/src/charon/plugins/eap_radius/Makefile.am b/src/charon/plugins/eap_radius/Makefile.am
new file mode 100644
index 000000000..f7de2f14f
--- /dev/null
+++ b/src/charon/plugins/eap_radius/Makefile.am
@@ -0,0 +1,14 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
+
+AM_CFLAGS = -rdynamic
+
+plugin_LTLIBRARIES = libstrongswan-eapradius.la
+
+libstrongswan_eapradius_la_SOURCES = \
+  eap_radius_plugin.h eap_radius_plugin.c \
+  eap_radius.h eap_radius.c \
+  radius_client.h radius_client.c \
+  radius_message.h radius_message.c
+libstrongswan_eapradius_la_LDFLAGS = -module
+
diff --git a/src/charon/plugins/eap_radius/Makefile.in b/src/charon/plugins/eap_radius/Makefile.in
new file mode 100644
index 000000000..329ff981b
--- /dev/null
+++ b/src/charon/plugins/eap_radius/Makefile.in
@@ -0,0 +1,506 @@
+# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/charon/plugins/eap_radius
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__installdirs = "$(DESTDIR)$(plugindir)"
+pluginLTLIBRARIES_INSTALL = $(INSTALL)
+LTLIBRARIES = $(plugin_LTLIBRARIES)
+libstrongswan_eapradius_la_LIBADD =
+am_libstrongswan_eapradius_la_OBJECTS = eap_radius_plugin.lo \
+	eap_radius.lo radius_client.lo radius_message.lo
+libstrongswan_eapradius_la_OBJECTS =  \
+	$(am_libstrongswan_eapradius_la_OBJECTS)
+libstrongswan_eapradius_la_LINK = $(LIBTOOL) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_eapradius_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_eapradius_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_eapradius_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
+IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LINUX_HEADERS = @LINUX_HEADERS@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+RANLIB = @RANLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+confdir = @confdir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libstrongswan_plugins = @libstrongswan_plugins@
+linuxdir = @linuxdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+resolv_conf = @resolv_conf@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+simreader = @simreader@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
+AM_CFLAGS = -rdynamic
+plugin_LTLIBRARIES = libstrongswan-eapradius.la
+libstrongswan_eapradius_la_SOURCES = \
+  eap_radius_plugin.h eap_radius_plugin.c \
+  eap_radius.h eap_radius.c \
+  radius_client.h radius_client.c \
+  radius_message.h radius_message.c
+
+libstrongswan_eapradius_la_LDFLAGS = -module
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
+		&& exit 0; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/charon/plugins/eap_radius/Makefile'; \
+	cd $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu  src/charon/plugins/eap_radius/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    f=$(am__strip_dir) \
+	    echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(plugindir)/$$f'"; \
+	    $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(plugindir)/$$f"; \
+	  else :; fi; \
+	done
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  p=$(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$p'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$p"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-eapradius.la: $(libstrongswan_eapradius_la_OBJECTS) $(libstrongswan_eapradius_la_DEPENDENCIES) 
+	$(libstrongswan_eapradius_la_LINK) -rpath $(plugindir) $(libstrongswan_eapradius_la_OBJECTS) $(libstrongswan_eapradius_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_radius.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_radius_plugin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/radius_client.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/radius_message.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	    $$tags $$unique; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$tags $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) $$here
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	    fi; \
+	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
+	mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-info: install-info-am
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
+	distclean-compile distclean-generic distclean-libtool \
+	distclean-tags distdir dvi dvi-am html html-am info info-am \
+	install install-am install-data install-data-am install-dvi \
+	install-dvi-am install-exec install-exec-am install-html \
+	install-html-am install-info install-info-am install-man \
+	install-pdf install-pdf-am install-pluginLTLIBRARIES \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/charon/plugins/eap_radius/eap_radius.c b/src/charon/plugins/eap_radius/eap_radius.c
new file mode 100644
index 000000000..1a02c5acf
--- /dev/null
+++ b/src/charon/plugins/eap_radius/eap_radius.c
@@ -0,0 +1,276 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+ 
+#include "eap_radius.h"
+
+#include "radius_message.h"
+#include "radius_client.h"
+
+#include <daemon.h>
+
+
+typedef struct private_eap_radius_t private_eap_radius_t;
+
+/**
+ * Private data of an eap_radius_t object.
+ */
+struct private_eap_radius_t {
+	
+	/**
+	 * Public authenticator_t interface.
+	 */
+	eap_radius_t public;
+	
+	/**
+	 * ID of the server
+	 */
+	identification_t *server;
+	
+	/**
+	 * ID of the peer
+	 */
+	identification_t *peer;
+	
+	/**
+	 * EAP method type we are proxying
+	 */
+	eap_type_t type;
+	
+	/**
+	 * EAP vendor, if any
+	 */
+	u_int32_t vendor;
+	
+	/**
+	 * EAP MSK, if method established one
+	 */
+	chunk_t msk;
+	
+	/**
+	 * RADIUS client instance
+	 */
+	radius_client_t *client;
+};
+
+/**
+ * Add EAP-Identity to RADIUS message
+ */
+static void add_eap_identity(private_eap_radius_t *this,
+							 radius_message_t *request)
+{
+	struct {
+		/** EAP code (REQUEST/RESPONSE) */
+		u_int8_t code;
+		/** unique message identifier */
+		u_int8_t identifier;
+		/** length of whole message */
+		u_int16_t length;
+		/** EAP type */
+		u_int8_t type;
+		/** identity data */
+		u_int8_t data[];
+	} __attribute__((__packed__)) *hdr;
+	chunk_t id;
+	size_t len;
+	
+	id = this->peer->get_encoding(this->peer);
+	len = sizeof(*hdr) + id.len;
+	
+	hdr = alloca(len);
+	hdr->code = EAP_RESPONSE;
+	hdr->identifier = 0;
+	hdr->length = htons(len);
+	hdr->type = EAP_IDENTITY;
+	memcpy(hdr->data, id.ptr, id.len);
+	
+	request->add(request, RAT_EAP_MESSAGE, chunk_create((u_char*)hdr, len));
+}
+
+/**
+ * Copy EAP-Message attribute from RADIUS message to an new EAP payload
+ */
+static bool radius2ike(private_eap_radius_t *this,
+					   radius_message_t *msg, eap_payload_t **out)
+{
+	enumerator_t *enumerator;
+	eap_payload_t *payload;
+	chunk_t data;
+	int type;
+	
+	enumerator = msg->create_enumerator(msg);
+	while (enumerator->enumerate(enumerator, &type, &data))
+	{
+		if (type == RAT_EAP_MESSAGE)
+		{
+			*out = payload = eap_payload_create_data(data);
+			/* apply EAP method selected by RADIUS server */
+			this->type = payload->get_type(payload, &this->vendor);
+			enumerator->destroy(enumerator);
+			return TRUE;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return FALSE;
+}
+
+/**
+ * Implementation of eap_method_t.initiate
+ */
+static status_t initiate(private_eap_radius_t *this, eap_payload_t **out)
+{
+	radius_message_t *request, *response;
+	status_t status = FAILED;
+	
+	request = radius_message_create_request();
+	request->add(request, RAT_USER_NAME, this->peer->get_encoding(this->peer));
+	add_eap_identity(this, request);
+	response = this->client->request(this->client, request);
+	if (response)
+	{
+		if (radius2ike(this, response, out))
+		{
+			status = NEED_MORE;
+		}
+		response->destroy(response);
+	}
+	request->destroy(request);
+	return status;
+}
+
+/**
+ * Implementation of eap_method_t.process
+ */
+static status_t process(private_eap_radius_t *this,
+						eap_payload_t *in, eap_payload_t **out)
+{
+	radius_message_t *request, *response;
+	status_t status = FAILED;
+	
+	request = radius_message_create_request();
+	request->add(request, RAT_USER_NAME, this->peer->get_encoding(this->peer));
+	request->add(request, RAT_EAP_MESSAGE, in->get_data(in));
+	
+	response = this->client->request(this->client, request);
+	if (response)
+	{
+		switch (response->get_code(response))
+		{
+			case RMC_ACCESS_CHALLENGE:
+				if (radius2ike(this, response, out))
+				{
+					status = NEED_MORE;
+					break;
+				}
+				status = FAILED;
+				break;
+			case RMC_ACCESS_ACCEPT:
+				this->msk = this->client->decrypt_msk(this->client,
+													  response, request);
+				status = SUCCESS;
+				break;
+			case RMC_ACCESS_REJECT:
+			default:
+				DBG1(DBG_CFG, "received %N from RADIUS server",
+					 radius_message_code_names, response->get_code(response));
+				status = FAILED;
+				break;
+		}
+		response->destroy(response);
+	}
+	request->destroy(request);
+	return status;
+}
+
+/**
+ * Implementation of eap_method_t.get_type.
+ */
+static eap_type_t get_type(private_eap_radius_t *this, u_int32_t *vendor)
+{
+	*vendor = this->vendor;
+	return this->type;
+}
+
+/**
+ * Implementation of eap_method_t.get_msk.
+ */
+static status_t get_msk(private_eap_radius_t *this, chunk_t *msk)
+{
+	if (this->msk.ptr)
+	{
+		*msk = this->msk;
+		return SUCCESS;
+	}
+	return FAILED;
+}
+
+/**
+ * Implementation of eap_method_t.is_mutual.
+ */
+static bool is_mutual(private_eap_radius_t *this)
+{
+	switch (this->type)
+	{
+		case EAP_AKA:
+		case EAP_SIM:
+			return TRUE;
+		default:
+			return FALSE;
+	}
+}
+
+/**
+ * Implementation of eap_method_t.destroy.
+ */
+static void destroy(private_eap_radius_t *this)
+{
+	this->peer->destroy(this->peer);
+	this->server->destroy(this->server);
+	this->client->destroy(this->client);
+	chunk_clear(&this->msk);
+	free(this);
+}
+
+/**
+ * Generic constructor
+ */
+eap_radius_t *eap_radius_create(identification_t *server, identification_t *peer)
+{
+	private_eap_radius_t *this = malloc_thing(private_eap_radius_t);
+	
+	this->public.eap_method_interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate;
+	this->public.eap_method_interface.process = (status_t(*)(eap_method_t*,eap_payload_t*,eap_payload_t**))process;
+	this->public.eap_method_interface.get_type = (eap_type_t(*)(eap_method_t*,u_int32_t*))get_type;
+	this->public.eap_method_interface.is_mutual = (bool(*)(eap_method_t*))is_mutual;
+	this->public.eap_method_interface.get_msk = (status_t(*)(eap_method_t*,chunk_t*))get_msk;
+	this->public.eap_method_interface.destroy = (void(*)(eap_method_t*))destroy;
+	
+	this->client = radius_client_create();
+	if (!this->client)
+	{
+		free(this);
+		return NULL;
+	}
+	this->peer = peer->clone(peer);
+	this->server = server->clone(server);
+	/* initially EAP_RADIUS, but is set to the method selected by RADIUS */
+	this->type = EAP_RADIUS;
+	this->vendor = 0;
+	this->msk = chunk_empty;
+	
+	return &this->public;
+}
+
diff --git a/src/charon/plugins/eap_radius/eap_radius.h b/src/charon/plugins/eap_radius/eap_radius.h
new file mode 100644
index 000000000..7cb0a8615
--- /dev/null
+++ b/src/charon/plugins/eap_radius/eap_radius.h
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+/**
+ * @defgroup eap_radius_i eap_radius
+ * @{ @ingroup eap_radius
+ */
+
+#ifndef EAP_RADIUS_H_
+#define EAP_RADIUS_H_
+
+typedef struct eap_radius_t eap_radius_t;
+
+#include <sa/authenticators/eap/eap_method.h>
+
+/**
+ * Implementation of the eap_method_t interface using a RADIUS server.
+ */
+struct eap_radius_t {
+
+	/**
+	 * Implemented eap_method_t interface.
+	 */
+	eap_method_t eap_method_interface;
+};
+
+/**
+ * Create a EAP RADIUS proxy.
+ *
+ * @param server	ID of the EAP server
+ * @param peer		ID of the EAP client
+ * @return			eap_radius_t object
+ */
+eap_radius_t *eap_radius_create(identification_t *server, identification_t *peer);
+
+#endif /** EAP_RADIUS_H_ @}*/
diff --git a/src/charon/plugins/eap_radius/eap_radius_plugin.c b/src/charon/plugins/eap_radius/eap_radius_plugin.c
new file mode 100644
index 000000000..a429859a7
--- /dev/null
+++ b/src/charon/plugins/eap_radius/eap_radius_plugin.c
@@ -0,0 +1,56 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+#include "eap_radius_plugin.h"
+
+#include "eap_radius.h"
+#include "radius_client.h"
+
+#include <daemon.h>
+
+/**
+ * Implementation of plugin_t.destroy
+ */
+static void destroy(eap_radius_plugin_t *this)
+{
+	charon->eap->remove_method(charon->eap, (eap_constructor_t)eap_radius_create);
+	radius_client_cleanup();
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *plugin_create()
+{
+	eap_radius_plugin_t *this;
+	
+	if (!radius_client_init())
+	{
+		DBG1(DBG_CFG, "RADIUS plugin initialization failed");
+		return NULL;
+	}
+	
+	this = malloc_thing(eap_radius_plugin_t);
+	this->plugin.destroy = (void(*)(plugin_t*))destroy;
+	
+	charon->eap->add_method(charon->eap, EAP_RADIUS, 0,
+							EAP_SERVER, (eap_constructor_t)eap_radius_create);
+	
+	return &this->plugin;
+}
+
diff --git a/src/charon/plugins/eap_radius/eap_radius_plugin.h b/src/charon/plugins/eap_radius/eap_radius_plugin.h
new file mode 100644
index 000000000..3ed194619
--- /dev/null
+++ b/src/charon/plugins/eap_radius/eap_radius_plugin.h
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+/**
+ * @defgroup eap_radius eap_radius
+ * @ingroup cplugins
+ *
+ * @defgroup eap_radius_plugin eap_radius_plugin
+ * @{ @ingroup eap_radius
+ */
+
+#ifndef EAP_RADIUS_PLUGIN_H_
+#define EAP_RADIUS_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct eap_radius_plugin_t eap_radius_plugin_t;
+
+/**
+ * EAP RADIUS proxy plugin.
+ *
+ * This plugin provides not a single EAP method, but a proxy to forwared
+ * EAP packets to a RADIUS server. It only provides server implementations.
+ */
+struct eap_radius_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+/**
+ * Create a eap_radius_plugin instance.
+ */
+plugin_t *plugin_create();
+
+#endif /** EAP_RADIUS_PLUGIN_H_ @}*/
diff --git a/src/charon/plugins/eap_radius/radius_client.c b/src/charon/plugins/eap_radius/radius_client.c
new file mode 100644
index 000000000..a3ab1dd78
--- /dev/null
+++ b/src/charon/plugins/eap_radius/radius_client.c
@@ -0,0 +1,495 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+#include "radius_client.h"
+
+#include <unistd.h>
+#include <errno.h>
+
+#include <daemon.h>
+#include <utils/host.h>
+#include <utils/linked_list.h>
+#include <utils/mutex.h>
+
+/**
+ * Default RADIUS server port, when not configured
+ */
+#define RADIUS_PORT 1812
+
+/**
+ * Vendor-Id of Microsoft specific attributes
+ */
+#define VENDOR_ID_MICROSOFT 311
+
+/**
+ * Microsoft specific vendor attributes
+ */
+#define MS_MPPE_SEND_KEY 16
+#define MS_MPPE_RECV_KEY 17
+
+typedef struct private_radius_client_t private_radius_client_t;
+
+typedef struct entry_t entry_t;
+
+/**
+ * A socket pool entry.
+ */
+struct entry_t {
+	/** socket file descriptor */
+	int fd;
+	/** current RADIUS identifier */
+	u_int8_t identifier;
+	/** hasher to use for response verification */
+	hasher_t *hasher;
+	/** HMAC-MD5 signer to build Message-Authenticator attribute */
+	signer_t *signer;
+	/** random number generator for RADIUS request authenticator */
+	rng_t *rng;
+};
+
+/**
+ * Private data of an radius_client_t object.
+ */
+struct private_radius_client_t {
+	
+	/**
+	 * Public radius_client_t interface.
+	 */
+	radius_client_t public;
+	
+	/**
+	 * RADIUS servers State attribute
+	 */
+	chunk_t state;
+};
+
+/**
+ * Global list of radius sockets, contains entry_t's
+ */
+static linked_list_t *sockets;
+
+/**
+ * mutex to lock sockets list
+ */
+static mutex_t *mutex;
+
+/**
+ * condvar to wait for sockets
+ */
+static condvar_t *condvar;
+
+/**
+ * RADIUS secret
+ */
+static chunk_t secret;
+
+/**
+ * NAS-Identifier
+ */
+static chunk_t nas_identifier;
+
+/**
+ * Clean up socket list
+ */
+void radius_client_cleanup()
+{
+	entry_t *entry;
+	
+	mutex->destroy(mutex);
+	condvar->destroy(condvar);
+	while (sockets->remove_last(sockets, (void**)&entry) == SUCCESS)
+	{
+		entry->rng->destroy(entry->rng);
+		entry->hasher->destroy(entry->hasher);
+		entry->signer->destroy(entry->signer);
+		close(entry->fd);
+		free(entry);
+	}
+	sockets->destroy(sockets);
+}
+
+/**
+ * Initialize the socket list
+ */
+bool radius_client_init()
+{
+	int i, count, fd;
+	u_int16_t port;
+	entry_t *entry;
+	host_t *host;
+	char *server;
+	
+	nas_identifier.ptr = lib->settings->get_str(lib->settings,
+					"charon.plugins.eap_radius.nas_identifier", "strongSwan");
+	nas_identifier.len = strlen(nas_identifier.ptr);
+	
+	secret.ptr = lib->settings->get_str(lib->settings,
+					"charon.plugins.eap_radius.secret", NULL);
+	if (!secret.ptr)
+	{
+		DBG1(DBG_CFG, "no RADUIS secret defined");
+		return FALSE;
+	}
+	secret.len = strlen(secret.ptr);
+	server = lib->settings->get_str(lib->settings,
+					"charon.plugins.eap_radius.server", NULL);
+	if (!server)
+	{
+		DBG1(DBG_CFG, "no RADUIS server defined");
+		return FALSE;
+	}
+	port = lib->settings->get_int(lib->settings,
+					"charon.plugins.eap_radius.port", RADIUS_PORT);
+	host = host_create_from_dns(server, 0, port);
+	if (!host)
+	{
+		return FALSE;
+	}
+	count = lib->settings->get_int(lib->settings,
+					"charon.plugins.eap_radius.sockets", 1);
+	
+	sockets = linked_list_create();
+	mutex = mutex_create(MUTEX_DEFAULT);
+	condvar = condvar_create(CONDVAR_DEFAULT);
+	for (i = 0; i < count; i++)
+	{
+		fd = socket(host->get_family(host), SOCK_DGRAM, IPPROTO_UDP);
+		if (fd < 0)
+		{
+			DBG1(DBG_CFG, "opening RADIUS socket failed");
+			host->destroy(host);
+			radius_client_cleanup();
+			return FALSE;
+		}
+		if (connect(fd, host->get_sockaddr(host),
+					*host->get_sockaddr_len(host)) < 0)
+		{
+			DBG1(DBG_CFG, "connecting RADIUS socket failed");
+			host->destroy(host);
+			radius_client_cleanup();
+			return FALSE;
+		}
+		entry = malloc_thing(entry_t);
+		entry->fd = fd;
+		/* we use per-socket crypto elements: this reduces overhead, but
+		 * is still thread-save. */
+		entry->hasher = lib->crypto->create_hasher(lib->crypto, HASH_MD5);
+		entry->signer = lib->crypto->create_signer(lib->crypto, AUTH_HMAC_MD5_128);
+		entry->rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
+		if (!entry->hasher || !entry->signer || !entry->rng)
+		{
+			DBG1(DBG_CFG, "RADIUS initialization failed, HMAC/MD5/RNG required");
+			DESTROY_IF(entry->hasher);
+			DESTROY_IF(entry->signer);
+			DESTROY_IF(entry->rng);
+			free(entry);
+			host->destroy(host);
+			radius_client_cleanup();
+			return FALSE;
+		}
+		entry->signer->set_key(entry->signer, secret);
+		/* we use a random identifier, helps if we restart often (testing) */
+		entry->identifier = random();
+		sockets->insert_last(sockets, entry);
+	}
+	host->destroy(host);
+	return TRUE;
+}
+
+/**
+ * Get a socket from the pool, block if none available
+ */
+static entry_t* get_socket()
+{
+	entry_t *entry;
+	
+	mutex->lock(mutex);
+	while (sockets->remove_first(sockets, (void**)&entry) != SUCCESS)
+	{
+		condvar->wait(condvar, mutex);
+	}
+	mutex->unlock(mutex);
+	return entry;
+}
+
+/**
+ * Release a socket to the pool
+ */
+static void put_socket(entry_t *entry)
+{
+	mutex->lock(mutex);
+	sockets->insert_last(sockets, entry);
+	mutex->unlock(mutex);
+	condvar->signal(condvar);
+}
+
+/**
+ * Save the state attribute to include in further request
+ */
+static void save_state(private_radius_client_t *this, radius_message_t *msg)
+{
+	enumerator_t *enumerator;
+	int type;
+	chunk_t data;
+	
+	enumerator = msg->create_enumerator(msg);
+	while (enumerator->enumerate(enumerator, &type, &data))
+	{
+		if (type == RAT_STATE)
+		{
+			free(this->state.ptr);
+			this->state = chunk_clone(data);
+			enumerator->destroy(enumerator);
+			return;
+		}
+	}
+	enumerator->destroy(enumerator);
+	/* no state attribute found, remove state */
+	chunk_free(&this->state);
+}
+
+/**
+ * Implementation of radius_client_t.request
+ */
+static radius_message_t* request(private_radius_client_t *this,
+								 radius_message_t *req)
+{
+	char virtual[] = {0x00,0x00,0x00,0x05};
+	entry_t *socket;
+	chunk_t data;
+	int i;
+	
+	socket = get_socket();
+	
+	/* set Message Identifier */
+	req->set_identifier(req, socket->identifier++);
+	/* we add the "Virtual" NAS-Port-Type, as we SHOULD include one */
+	req->add(req, RAT_NAS_PORT_TYPE, chunk_create(virtual, sizeof(virtual)));
+	/* add our NAS-Identifier */
+	req->add(req, RAT_NAS_IDENTIFIER, nas_identifier);
+	/* add State attribute, if server sent one */
+	if (this->state.ptr)
+	{
+		req->add(req, RAT_STATE, this->state);
+	}
+	/* sign the request */
+	req->sign(req, socket->rng, socket->signer);
+	
+	data = req->get_encoding(req);
+	/* timeout after 2, 3, 4, 5 seconds */
+	for (i = 2; i <= 5; i++)
+	{
+		radius_message_t *response;
+		bool retransmit = FALSE;
+		struct timeval tv;
+		char buf[1024];
+		fd_set fds;
+		int res;
+		
+		if (send(socket->fd, data.ptr, data.len, 0) != data.len)
+		{
+			DBG1(DBG_CFG, "sending RADIUS message failed: %s", strerror(errno));
+			put_socket(socket);
+			return NULL;
+		}
+		tv.tv_sec = i;
+		tv.tv_usec = 0;
+		
+		while (TRUE)
+		{
+			FD_ZERO(&fds);
+			FD_SET(socket->fd, &fds);
+			res = select(socket->fd + 1, &fds, NULL, NULL, &tv);
+			/* TODO: updated tv to time not waited. Linux does this for us. */
+			if (res < 0)
+			{	/* failed */
+				DBG1(DBG_CFG, "waiting for RADIUS message failed: %s",
+					 strerror(errno));
+				break;
+			}
+			if (res == 0)
+			{	/* timeout */
+				DBG1(DBG_CFG, "retransmitting RADIUS message");
+				retransmit = TRUE;
+				break;
+			}
+			res = recv(socket->fd, buf, sizeof(buf), MSG_DONTWAIT);
+			if (res <= 0)
+			{
+				DBG1(DBG_CFG, "receiving RADIUS message failed: %s",
+					 strerror(errno));
+				break;
+			}
+			response = radius_message_parse_response(chunk_create(buf, res));
+			if (response)
+			{	
+				if (response->verify(response, req->get_authenticator(req),
+							secret, socket->hasher, socket->signer))
+				{
+					save_state(this, response);
+					put_socket(socket);
+					return response;
+				}
+				response->destroy(response);
+			}
+			DBG1(DBG_CFG, "received invalid RADIUS message, ignored");
+		}
+		if (!retransmit)
+		{
+			break;
+		}
+	}
+	DBG1(DBG_CFG, "RADIUS server is not responding");
+	put_socket(socket);
+	return NULL;
+}
+
+/**
+ * Decrypt a MS-MPPE-Send/Recv-Key
+ */
+static chunk_t decrypt_mppe_key(private_radius_client_t *this, u_int16_t salt,
+								chunk_t C, radius_message_t *request)
+{
+	chunk_t A, R, P, seed;
+	u_char *c, *p;
+	hasher_t *hasher;
+	
+	/**
+	 * From RFC2548 (encryption):
+	 * b(1) = MD5(S + R + A)    c(1) = p(1) xor b(1)   C = c(1)
+	 * b(2) = MD5(S + c(1))     c(2) = p(2) xor b(2)   C = C + c(2)
+	 *      . . .
+	 * b(i) = MD5(S + c(i-1))   c(i) = p(i) xor b(i)   C = C + c(i)
+	 */
+	
+	if (C.len % HASH_SIZE_MD5 || C.len < HASH_SIZE_MD5)
+	{
+		return chunk_empty;
+	}
+	
+	hasher = lib->crypto->create_hasher(lib->crypto, HASH_MD5);
+	if (!hasher)
+	{
+		return chunk_empty;
+	}
+	
+	A = chunk_create((u_char*)&salt, sizeof(salt));
+	R = chunk_create(request->get_authenticator(request), HASH_SIZE_MD5);
+	P = chunk_alloca(C.len);
+	p = P.ptr;
+	c = C.ptr;
+	
+	seed = chunk_cata("cc", R, A);
+	
+	while (c < C.ptr + C.len)
+	{
+		/* b(i) = MD5(S + c(i-1)) */
+		hasher->get_hash(hasher, secret, NULL);
+		hasher->get_hash(hasher, seed, p);
+		
+		/* p(i) = b(i) xor c(1) */
+		memxor(p, c, HASH_SIZE_MD5);
+		
+		/* prepare next round */
+		seed = chunk_create(c, HASH_SIZE_MD5);
+		c += HASH_SIZE_MD5;
+		p += HASH_SIZE_MD5;
+	}
+	hasher->destroy(hasher);
+	
+	/* remove truncation, first byte is key length */
+	if (*P.ptr >= P.len)
+	{	/* decryption failed? */
+		return chunk_empty;
+	}
+	return chunk_clone(chunk_create(P.ptr + 1, *P.ptr));
+}
+
+/**
+ * Implementation of radius_client_t.decrypt_msk
+ */
+static chunk_t decrypt_msk(private_radius_client_t *this,
+						   radius_message_t *response, radius_message_t *request)
+{
+	struct {
+		u_int32_t id;
+		u_int8_t type;
+		u_int8_t length;
+		u_int16_t salt;
+		u_int8_t key[];
+	} __attribute__((packed)) *mppe_key;
+	enumerator_t *enumerator;
+	chunk_t data, send = chunk_empty, recv = chunk_empty;
+	int type;
+	
+	enumerator = response->create_enumerator(response);
+	while (enumerator->enumerate(enumerator, &type, &data))
+	{
+		if (type == RAT_VENDOR_SPECIFIC &&
+			data.len > sizeof(*mppe_key))
+		{
+			mppe_key = (void*)data.ptr;
+			if (ntohl(mppe_key->id) == VENDOR_ID_MICROSOFT &&
+				mppe_key->length == data.len - sizeof(mppe_key->id))
+			{
+				data = chunk_create(mppe_key->key, data.len - sizeof(*mppe_key));
+				if (mppe_key->type == MS_MPPE_SEND_KEY)
+				{
+					send = decrypt_mppe_key(this, mppe_key->salt, data, request);
+				}
+				if (mppe_key->type == MS_MPPE_RECV_KEY)
+				{
+					recv = decrypt_mppe_key(this, mppe_key->salt, data, request);
+				}
+			}
+		}
+	}
+	enumerator->destroy(enumerator);
+	if (send.ptr && recv.ptr)
+	{
+		return chunk_cat("mm", recv, send);
+	}
+	chunk_clear(&send);
+	chunk_clear(&recv);
+	return chunk_empty;
+}
+
+/**
+ * Implementation of radius_client_t.destroy.
+ */
+static void destroy(private_radius_client_t *this)
+{
+	free(this->state.ptr);
+	free(this);
+}
+
+/**
+ * See header
+ */
+radius_client_t *radius_client_create()
+{
+	private_radius_client_t *this = malloc_thing(private_radius_client_t);
+	
+	this->public.request = (radius_message_t*(*)(radius_client_t*, radius_message_t *msg))request;
+	this->public.decrypt_msk = (chunk_t(*)(radius_client_t*, radius_message_t *, radius_message_t *))decrypt_msk;
+	this->public.destroy = (void(*)(radius_client_t*))destroy;
+	
+	this->state = chunk_empty;
+	
+	return &this->public;
+}
+
diff --git a/src/charon/plugins/eap_radius/radius_client.h b/src/charon/plugins/eap_radius/radius_client.h
new file mode 100644
index 000000000..2207b8713
--- /dev/null
+++ b/src/charon/plugins/eap_radius/radius_client.h
@@ -0,0 +1,90 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+/**
+ * @defgroup radius_client radius_client
+ * @{ @ingroup eap_radius
+ */
+
+#ifndef RADIUS_CLIENT_H_
+#define RADIUS_CLIENT_H_
+
+#include "radius_message.h"
+
+typedef struct radius_client_t radius_client_t;
+
+/**
+ * RADIUS client functionality.
+ *
+ * To communicate with a RADIUS server, create a client and send messages over
+ * it. All instances share a fixed size pool of sockets. The client reserves
+ * a socket during request() and releases it afterwards.
+ */
+struct radius_client_t {
+	
+	/**
+	 * Send a RADIUS request and wait for the response.
+	 *
+	 * The client fills in RADIUS Message identifier, NAS-Identifier, 
+	 * NAS-Port-Type, builds a Request-Authenticator and calculates the
+	 * Message-Authenticator attribute.
+	 * The received response gets verified using the Response-Identifier
+	 * and the Message-Authenticator attribute.
+	 *
+	 * @param msg			RADIUS request message to send
+	 * @return				response, NULL if timed out/verification failed
+	 */
+	radius_message_t* (*request)(radius_client_t *this, radius_message_t *msg);
+	
+	/**
+	 * Decrypt the MSK encoded in a messages MS-MPPE-Send/Recv-Key.
+	 *
+	 * @param response		RADIUS response message containing attributes
+	 * @param request		associated RADIUS request message
+	 * @return				allocated MSK, empty chunk if none found
+	 */
+	chunk_t (*decrypt_msk)(radius_client_t *this, radius_message_t *response,
+						   radius_message_t *request);
+	
+	/**
+	 * Destroy the client, release the socket.
+	 */
+	void (*destroy)(radius_client_t *this);
+};
+
+/**
+ * Create a RADIUS client, acquire a socket.
+ *
+ * This call might block if the socket pool is empty.
+ *
+ * @return			radius_client_t object
+ */
+radius_client_t *radius_client_create();
+
+/**
+ * Initialize the socket pool.
+ *
+ * @return 			TRUE if initialization successful
+ */
+bool radius_client_init();
+
+/**
+ * Cleanup the socket pool.
+ */
+void radius_client_cleanup();
+
+#endif /** RADIUS_CLIENT_H_ @}*/
diff --git a/src/charon/plugins/eap_radius/radius_message.c b/src/charon/plugins/eap_radius/radius_message.c
new file mode 100644
index 000000000..a95d2bb93
--- /dev/null
+++ b/src/charon/plugins/eap_radius/radius_message.c
@@ -0,0 +1,477 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+#include "radius_message.h"
+
+#include <daemon.h>
+#include <crypto/hashers/hasher.h>
+
+typedef struct private_radius_message_t private_radius_message_t;
+typedef struct rmsg_t rmsg_t;
+typedef struct rattr_t rattr_t;
+
+/**
+ * RADIUS message header
+ */
+struct rmsg_t {
+	/** message code, radius_message_code_t */
+	u_int8_t code;
+	/** message identifier */
+	u_int8_t identifier;
+	/** length of Code, Identifier, Length, Authenticator and Attributes */
+	u_int16_t length;
+	/** message authenticator, MD5 hash */
+	u_int8_t authenticator[HASH_SIZE_MD5];
+	/** variable list of packed attributes */
+	u_int8_t attributes[];
+} __attribute__((packed));
+
+/**
+ * RADIUS message attribute.
+ */
+struct rattr_t {
+	/** attribute type, radius_attribute_type_t */
+	u_int8_t type;
+	/** length of the attriubte, including the Type, Length and Value fields */
+	u_int8_t length;
+	/** variable length attribute value */
+	u_int8_t value[];
+} __attribute__((packed));
+
+/**
+ * Private data of an radius_message_t object.
+ */
+struct private_radius_message_t {
+	
+	/**
+	 * Public radius_message_t interface.
+	 */
+	radius_message_t public;
+	
+	/**
+	 * message data, allocated
+	 */
+	rmsg_t *msg;
+};
+
+ENUM_BEGIN(radius_message_code_names, RMC_ACCESS_REQUEST, RMC_ACCOUNTING_RESPONSE,
+	"Access-Request",
+	"Access-Accept",
+	"Access-Reject",
+	"Accounting-Request",
+	"Accounting-Response");
+ENUM_NEXT(radius_message_code_names, RMC_ACCESS_CHALLENGE, RMC_ACCESS_CHALLENGE, RMC_ACCOUNTING_RESPONSE,
+	"Access-Challenge");
+ENUM_END(radius_message_code_names, RMC_ACCESS_CHALLENGE);
+
+ENUM(radius_attribute_type_names, RAT_USER_NAME, RAT_MIP6_HOME_LINK_PREFIX,
+	"User-Name",
+	"User-Password",
+	"CHAP-Password",
+	"NAS-IP-Address",
+	"NAS-Port",
+	"Service-Type",
+	"Framed-Protocol",
+	"Framed-IP-Address",
+	"Framed-IP-Netmask",
+	"Framed-Routing",
+	"Filter-Id",
+	"Framed-MTU",
+	"Framed-Compression",
+	"Login-IP-Host",
+	"Login-Service",
+	"Login-TCP-Port",
+	"Unassigned",
+	"Reply-Message",
+	"Callback-Number",
+	"Callback-Id",
+	"Unassigned",
+	"Framed-Route",
+	"Framed-IPX-Network",
+	"State",
+	"Class",
+	"Vendor-Specific",
+	"Session-Timeout",
+	"Idle-Timeout",
+	"Termination-Action",
+	"Called-Station-Id",
+	"Calling-Station-Id",
+	"NAS-Identifier",
+	"Proxy-State",
+	"Login-LAT-Service",
+	"Login-LAT-Node",
+	"Login-LAT-Group",
+	"Framed-AppleTalk-Link",
+	"Framed-AppleTalk-Network",
+	"Framed-AppleTalk-Zone",
+	"Acct-Status-Type",
+	"Acct-Delay-Time",
+	"Acct-Input-Octets",
+	"Acct-Output-Octets",
+	"Acct-Session-Id",
+	"Acct-Authentic",
+	"Acct-Session-Time",
+	"Acct-Input-Packets",
+	"Acct-Output-Packets",
+	"Acct-Terminate-Cause",
+	"Acct-Multi-Session-Id",
+	"Acct-Link-Count",
+	"Acct-Input-Gigawords",
+	"Acct-Output-Gigawords",
+	"Unassigned",
+	"Event-Timestamp",
+	"Egress-VLANID",
+	"Ingress-Filters",
+	"Egress-VLAN-Name",
+	"User-Priority-Table",
+	"CHAP-Challenge",
+	"NAS-Port-Type",
+	"Port-Limit",
+	"Login-LAT-Port",
+	"Tunnel-Type",
+	"Tunnel-Medium-Type",
+	"Tunnel-Client-Endpoint",
+	"Tunnel-Server-Endpoint",
+	"Acct-Tunnel-Connection",
+	"Tunnel-Password",
+	"ARAP-Password",
+	"ARAP-Features",
+	"ARAP-Zone-Access",
+	"ARAP-Security",
+	"ARAP-Security-Data",
+	"Password-Retry",
+	"Prompt",
+	"Connect-Info",
+	"Configuration-Token",
+	"EAP-Message",
+	"Message-Authenticator",
+	"Tunnel-Private-Group-ID",
+	"Tunnel-Assignment-ID",
+	"Tunnel-Preference",
+	"ARAP-Challenge-Response",
+	"Acct-Interim-Interval",
+	"Acct-Tunnel-Packets-Lost",
+	"NAS-Port-Id",
+	"Framed-Pool",
+	"CUI",
+	"Tunnel-Client-Auth-ID",
+	"Tunnel-Server-Auth-ID",
+	"NAS-Filter-Rule",
+	"Unassigned",
+	"Originating-Line-Info",
+	"NAS-IPv6-Address",
+	"Framed-Interface-Id",
+	"Framed-IPv6-Prefix",
+	"Login-IPv6-Host",
+	"Framed-IPv6-Route",
+	"Framed-IPv6-Pool",
+	"Error-Cause",
+	"EAP-Key-Name",
+	"Digest-Response",
+	"Digest-Realm",
+	"Digest-Nonce",
+	"Digest-Response-Auth",
+	"Digest-Nextnonce",
+	"Digest-Method",
+	"Digest-URI",
+	"Digest-Qop",
+	"Digest-Algorithm",
+	"Digest-Entity-Body-Hash",
+	"Digest-CNonce",
+	"Digest-Nonce-Count",
+	"Digest-Username",
+	"Digest-Opaque",
+	"Digest-Auth-Param",
+	"Digest-AKA-Auts",
+	"Digest-Domain",
+	"Digest-Stale",
+	"Digest-HA1",
+	"SIP-AOR",
+	"Delegated-IPv6-Prefix",
+	"MIP6-Feature-Vector",
+	"MIP6-Home-Link-Prefix");
+
+/**
+ * Attribute enumerator implementation
+ */
+typedef struct {
+	/** implements enumerator interface */
+	enumerator_t public;
+	/** currently pointing attribute */
+	rattr_t *next;
+	/** bytes left */
+	int left;
+} attribute_enumerator_t;
+
+
+/**
+ * Implementation of attribute_enumerator_t.enumerate
+ */
+static bool attribute_enumerate(attribute_enumerator_t *this,
+								int *type, chunk_t *data)
+
+{
+	if (this->left == 0)
+	{
+		return FALSE;
+	}
+	if (this->left < sizeof(rattr_t) ||
+		this->left < this->next->length)
+	{
+		DBG1(DBG_IKE, "RADIUS message truncated");
+		return FALSE;
+	}
+	*type = this->next->type;
+	data->ptr = this->next->value;
+	data->len = this->next->length - sizeof(rattr_t);
+	this->left -= this->next->length;
+	this->next = ((void*)this->next) + this->next->length;
+	return TRUE;
+}
+
+/**
+ * Implementation of radius_message_t.create_enumerator
+ */
+static enumerator_t* create_enumerator(private_radius_message_t *this)
+{
+	attribute_enumerator_t *e;
+	
+	if (ntohs(this->msg->length) < sizeof(rmsg_t) + sizeof(rattr_t))
+	{
+		return enumerator_create_empty();
+	}
+	
+	e = malloc_thing(attribute_enumerator_t);
+	e->public.enumerate = (void*)attribute_enumerate;
+	e->public.destroy = (void*)free;
+	e->next = (rattr_t*)this->msg->attributes;
+	e->left = ntohs(this->msg->length) - sizeof(rmsg_t);
+	return &e->public;
+}
+
+/**
+ * Implementation of radius_message_t.add
+ */
+static void add(private_radius_message_t *this, radius_attribute_type_t type,
+				chunk_t data)
+{
+	rattr_t *attribute;
+	
+	this->msg = realloc(this->msg,
+						ntohs(this->msg->length) + sizeof(rattr_t) + data.len);
+	attribute = ((void*)this->msg) + ntohs(this->msg->length);
+	attribute->type = type;
+	attribute->length = data.len + sizeof(rattr_t);
+	memcpy(attribute->value, data.ptr, data.len);
+	this->msg->length = htons(ntohs(this->msg->length) + attribute->length);
+}
+
+/**
+ * Implementation of radius_message_t.sign
+ */
+static void sign(private_radius_message_t *this, rng_t *rng, signer_t *signer)
+{
+	char buf[HASH_SIZE_MD5];
+	
+	/* build Request-Authenticator */
+	rng->get_bytes(rng, HASH_SIZE_MD5, this->msg->authenticator);
+	
+	/* build Message-Authenticator attribute, using 16 null bytes */
+	memset(buf, 0, sizeof(buf));
+	add(this, RAT_MESSAGE_AUTHENTICATOR, chunk_create(buf, sizeof(buf)));
+	signer->get_signature(signer,
+				chunk_create((u_char*)this->msg, ntohs(this->msg->length)),
+				((u_char*)this->msg) + ntohs(this->msg->length) - HASH_SIZE_MD5);
+}
+
+/**
+ * Implementation of radius_message_t.verify
+ */
+static bool verify(private_radius_message_t *this, u_int8_t *req_auth,
+				   chunk_t secret, hasher_t *hasher, signer_t *signer)
+{
+	char buf[HASH_SIZE_MD5], res_auth[HASH_SIZE_MD5];
+	enumerator_t *enumerator;
+	int type;
+	chunk_t data, msg;
+	bool has_eap = FALSE, has_auth = FALSE;
+	
+	/* replace Response by Request Authenticator for verification */
+	memcpy(res_auth, this->msg->authenticator, HASH_SIZE_MD5);
+	memcpy(this->msg->authenticator, req_auth, HASH_SIZE_MD5);
+	msg = chunk_create((u_char*)this->msg, ntohs(this->msg->length));
+	
+	/* verify Response-Authenticator */
+	hasher->get_hash(hasher, msg, NULL);
+	hasher->get_hash(hasher, secret, buf);
+	if (!memeq(buf, res_auth, HASH_SIZE_MD5))
+	{
+		DBG1(DBG_CFG, "RADIUS Response-Authenticator verification failed");
+		return FALSE;
+	}
+	
+	/* verify Message-Authenticator attribute */
+	enumerator = create_enumerator(this);
+	while (enumerator->enumerate(enumerator, &type, &data))
+	{
+		if (type == RAT_MESSAGE_AUTHENTICATOR)
+		{
+			if (data.len != HASH_SIZE_MD5)
+			{
+				DBG1(DBG_CFG, "RADIUS Message-Authenticator invalid length");
+				enumerator->destroy(enumerator);
+				return FALSE;
+			}
+			memcpy(buf, data.ptr, data.len);
+			memset(data.ptr, 0, data.len);
+			if (signer->verify_signature(signer, msg,
+										 chunk_create(buf, sizeof(buf))))
+			{
+				/* restore Message-Authenticator */
+				memcpy(data.ptr, buf, data.len);
+				has_auth = TRUE;
+				break;
+			}
+			else
+			{
+				DBG1(DBG_CFG, "RADIUS Message-Authenticator verification failed");
+				enumerator->destroy(enumerator);
+				return FALSE;
+			}
+		}
+		else if (type == RAT_EAP_MESSAGE)
+		{
+			has_eap = TRUE;
+		}
+	}
+	enumerator->destroy(enumerator);
+	/* restore Response-Authenticator */
+	memcpy(this->msg->authenticator, res_auth, HASH_SIZE_MD5);
+	
+	if (has_eap && !has_auth)
+	{	/* Message-Authenticator is required if we have an EAP-Message */
+		DBG1(DBG_CFG, "RADIUS Message-Authenticator attribute missing");
+		return FALSE;
+	}
+	return TRUE;
+}
+
+/**
+ * Implementation of radius_message_t.get_code
+ */
+static radius_message_code_t get_code(private_radius_message_t *this)
+{
+	return this->msg->code;
+}
+
+/**
+ * Implementation of radius_message_t.get_identifier
+ */
+static u_int8_t get_identifier(private_radius_message_t *this)
+{
+	return this->msg->identifier;
+}
+
+/**
+ * Implementation of radius_message_t.set_identifier
+ */
+static void set_identifier(private_radius_message_t *this, u_int8_t identifier)
+{
+	this->msg->identifier = identifier;
+}
+
+/**
+ * Implementation of radius_message_t.get_authenticator
+ */
+static u_int8_t* get_authenticator(private_radius_message_t *this)
+{
+	return this->msg->authenticator;
+}
+
+
+/**
+ * Implementation of radius_message_t.get_encoding
+ */
+static chunk_t get_encoding(private_radius_message_t *this)
+{
+	return chunk_create((u_char*)this->msg, ntohs(this->msg->length));
+}
+
+/**
+ * Implementation of radius_message_t.destroy.
+ */
+static void destroy(private_radius_message_t *this)
+{
+	free(this->msg);
+	free(this);
+}
+
+/**
+ * Generic constructor
+ */
+static private_radius_message_t *radius_message_create()
+{
+	private_radius_message_t *this = malloc_thing(private_radius_message_t);
+	
+	this->public.create_enumerator = (enumerator_t*(*)(radius_message_t*))create_enumerator;
+	this->public.add = (void(*)(radius_message_t*, radius_attribute_type_t,chunk_t))add;
+	this->public.get_code = (radius_message_code_t(*)(radius_message_t*))get_code;
+	this->public.get_identifier = (u_int8_t(*)(radius_message_t*))get_identifier;
+	this->public.set_identifier = (void(*)(radius_message_t*, u_int8_t identifier))set_identifier;
+	this->public.get_authenticator = (u_int8_t*(*)(radius_message_t*))get_authenticator;
+	this->public.get_encoding = (chunk_t(*)(radius_message_t*))get_encoding;
+	this->public.sign = (void(*)(radius_message_t*, rng_t *rng, signer_t *signer))sign;
+	this->public.verify = (bool(*)(radius_message_t*, u_int8_t *req_auth, chunk_t secret, hasher_t *hasher, signer_t *signer))verify;
+	this->public.destroy = (void(*)(radius_message_t*))destroy;
+	
+	return this;
+}
+
+/**
+ * See header
+ */
+radius_message_t *radius_message_create_request()
+{
+	private_radius_message_t *this = radius_message_create();
+	
+	this->msg = malloc_thing(rmsg_t);
+	this->msg->code = RMC_ACCESS_REQUEST;
+	this->msg->identifier = 0;
+	this->msg->length = htons(sizeof(rmsg_t));
+	
+	return &this->public;
+}
+
+/**
+ * See header
+ */
+radius_message_t *radius_message_parse_response(chunk_t data)
+{
+	private_radius_message_t *this = radius_message_create();
+	
+	this->msg = malloc(data.len);
+	memcpy(this->msg, data.ptr, data.len);
+	if (data.len < sizeof(rmsg_t) ||
+		ntohs(this->msg->length) != data.len)
+	{
+		DBG1(DBG_IKE, "RADIUS message has invalid length");
+		destroy(this);
+		return NULL;
+	}
+	return &this->public;
+}
+
diff --git a/src/charon/plugins/eap_radius/radius_message.h b/src/charon/plugins/eap_radius/radius_message.h
new file mode 100644
index 000000000..d195bbe23
--- /dev/null
+++ b/src/charon/plugins/eap_radius/radius_message.h
@@ -0,0 +1,278 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+/**
+ * @defgroup radius_message radius_message
+ * @{ @ingroup eap_radius
+ */
+
+#ifndef RADIUS_MESSAGE_H_
+#define RADIUS_MESSAGE_H_
+
+#include <library.h>
+
+typedef struct radius_message_t radius_message_t;
+typedef enum radius_message_code_t radius_message_code_t;
+typedef enum radius_attribute_type_t radius_attribute_type_t;
+
+/**
+ * RADIUS Message Codes.
+ */
+enum radius_message_code_t {
+	RMC_ACCESS_REQUEST = 1,
+	RMC_ACCESS_ACCEPT = 2,
+	RMC_ACCESS_REJECT = 3,
+	RMC_ACCOUNTING_REQUEST = 4,
+	RMC_ACCOUNTING_RESPONSE = 5,
+	RMC_ACCESS_CHALLENGE = 11,
+};
+
+/**
+ * Enum names for radius_attribute_type_t.
+ */
+extern enum_name_t *radius_message_code_names;
+
+/**
+ * RADIUS Attribute Types.
+ */
+enum radius_attribute_type_t {
+	RAT_USER_NAME = 1,
+	RAT_USER_PASSWORD = 2,
+	RAT_CHAP_PASSWORD = 3,
+	RAT_NAS_IP_ADDRESS = 4,
+	RAT_NAS_PORT = 5,
+	RAT_SERVICE_TYPE = 6,
+	RAT_FRAMED_PROTOCOL = 7,
+	RAT_FRAMED_IP_ADDRESS = 8,
+	RAT_FRAMED_IP_NETMASK = 9,
+	RAT_FRAMED_ROUTING = 10,
+	RAT_FILTER_ID = 11,
+	RAT_FRAMED_MTU = 12,
+	RAT_FRAMED_COMPRESSION = 13,
+	RAT_LOGIN_IP_HOST = 14,
+	RAT_LOGIN_SERVICE = 15,
+	RAT_LOGIN_TCP_PORT = 16,
+	RAT_REPLY_MESSAGE = 18,
+	RAT_CALLBACK_NUMBER = 19,
+	RAT_CALLBACK_ID = 20,
+	RAT_FRAMED_ROUTE = 22,
+	RAT_FRAMED_IPX_NETWORK = 23,
+	RAT_STATE = 24,
+	RAT_CLASS = 25,
+	RAT_VENDOR_SPECIFIC = 26,
+	RAT_SESSION_TIMEOUT = 27,
+	RAT_IDLE_TIMEOUT = 28,
+	RAT_TERMINATION_ACTION = 29,
+	RAT_CALLED_STATION_ID = 30,
+	RAT_CALLING_STATION_ID = 31,
+	RAT_NAS_IDENTIFIER = 32,
+	RAT_PROXY_STATE = 33,
+	RAT_LOGIN_LAT_SERVICE = 34,
+	RAT_LOGIN_LAT_NODE = 35,
+	RAT_LOGIN_LAT_GROUP = 36,
+	RAT_FRAMED_APPLETALK_LINK = 37,
+	RAT_FRAMED_APPLETALK_NETWORK = 38,
+	RAT_FRAMED_APPLETALK_ZONE = 39,
+	RAT_ACCT_STATUS_TYPE = 40,
+	RAT_ACCT_DELAY_TIME = 41,
+	RAT_ACCT_INPUT_OCTETS = 42,
+	RAT_ACCT_OUTPUT_OCTETS = 43,
+	RAT_ACCT_SESSION_ID = 44,
+	RAT_ACCT_AUTHENTIC = 45,
+	RAT_ACCT_SESSION_TIME = 46,
+	RAT_ACCT_INPUT_PACKETS = 47,
+	RAT_ACCT_OUTPUT_PACKETS = 48,
+	RAT_ACCT_TERMINATE_CAUSE = 49,
+	RAT_ACCT_MULTI_SESSION_ID = 50,
+	RAT_ACCT_LINK_COUNT = 51,
+	RAT_ACCT_INPUT_GIGAWORDS = 52,
+	RAT_ACCT_OUTPUT_GIGAWORDS = 53,
+	RAT_EVENT_TIMESTAMP = 55,
+	RAT_EGRESS_VLANID = 56,
+	RAT_INGRESS_FILTERS = 57,
+	RAT_EGRESS_VLAN_NAME = 58,
+	RAT_USER_PRIORITY_TABLE = 59,
+	RAT_CHAP_CHALLENGE = 60,
+	RAT_NAS_PORT_TYPE = 61,
+	RAT_PORT_LIMIT = 62,
+	RAT_LOGIN_LAT_PORT = 63,
+	RAT_TUNNEL_TYPE = 64,
+	RAT_TUNNEL_MEDIUM_TYPE = 65,
+	RAT_TUNNEL_CLIENT_ENDPOINT = 66,
+	RAT_TUNNEL_SERVER_ENDPOINT = 67,
+	RAT_ACCT_TUNNEL_CONNECTION = 68,
+	RAT_TUNNEL_PASSWORD = 69,
+	RAT_ARAP_PASSWORD = 70,
+	RAT_ARAP_FEATURES = 71,
+	RAT_ARAP_ZONE_ACCESS = 72,
+	RAT_ARAP_SECURITY = 73,
+	RAT_ARAP_SECURITY_DATA = 74,
+	RAT_PASSWORD_RETRY = 75,
+	RAT_PROMPT = 76,
+	RAT_CONNECT_INFO = 77,
+	RAT_CONFIGURATION_TOKEN = 78,
+	RAT_EAP_MESSAGE = 79,
+	RAT_MESSAGE_AUTHENTICATOR = 80,
+	RAT_TUNNEL_PRIVATE_GROUP_ID = 81,
+	RAT_TUNNEL_ASSIGNMENT_ID = 82,
+	RAT_TUNNEL_PREFERENCE = 83,
+	RAT_ARAP_CHALLENGE_RESPONSE = 84,
+	RAT_ACCT_INTERIM_INTERVAL = 85,
+	RAT_ACCT_TUNNEL_PACKETS_LOST = 86,
+	RAT_NAS_PORT_ID = 87,
+	RAT_FRAMED_POOL = 88,
+	RAT_CUI = 89,
+	RAT_TUNNEL_CLIENT_AUTH_ID = 90,
+	RAT_TUNNEL_SERVER_AUTH_ID = 91,
+	RAT_NAS_FILTER_RULE = 92,
+	RAT_UNASSIGNED = 93,
+	RAT_ORIGINATING_LINE_INFO = 94,
+	RAT_NAS_IPV6_ADDRESS = 95,
+	RAT_FRAMED_INTERFACE_ID = 96,
+	RAT_FRAMED_IPV6_PREFIX = 97,
+	RAT_LOGIN_IPV6_HOST = 98,
+	RAT_FRAMED_IPV6_ROUTE = 99,
+	RAT_FRAMED_IPV6_POOL = 100,
+	RAT_ERROR_CAUSE = 101,
+	RAT_EAP_KEY_NAME = 102,
+	RAT_DIGEST_RESPONSE = 103,
+	RAT_DIGEST_REALM = 104,
+	RAT_DIGEST_NONCE = 105,
+	RAT_DIGEST_RESPONSE_AUTH = 106,
+	RAT_DIGEST_NEXTNONCE = 107,
+	RAT_DIGEST_METHOD = 108,
+	RAT_DIGEST_URI = 109,
+	RAT_DIGEST_QOP = 110,
+	RAT_DIGEST_ALGORITHM = 111,
+	RAT_DIGEST_ENTITY_BODY_HASH = 112,
+	RAT_DIGEST_CNONCE = 113,
+	RAT_DIGEST_NONCE_COUNT = 114,
+	RAT_DIGEST_USERNAME = 115,
+	RAT_DIGEST_OPAQUE = 116,
+	RAT_DIGEST_AUTH_PARAM = 117,
+	RAT_DIGEST_AKA_AUTS = 118,
+	RAT_DIGEST_DOMAIN = 119,
+	RAT_DIGEST_STALE = 120,
+	RAT_DIGEST_HA1 = 121,
+	RAT_SIP_AOR = 122,
+	RAT_DELEGATED_IPV6_PREFIX = 123,
+	RAT_MIP6_FEATURE_VECTOR = 124,
+	RAT_MIP6_HOME_LINK_PREFIX = 125,
+};
+
+/**
+ * Enum names for radius_attribute_type_t.
+ */
+extern enum_name_t *radius_attribute_type_names;
+
+/**
+ * A RADIUS message, contains attributes.
+ */
+struct radius_message_t {
+	
+	/**
+	 * Create an enumerator over contained RADIUS attributes.
+	 *
+	 * @return				enumerator over (int type, chunk_t data)
+	 */
+	enumerator_t* (*create_enumerator)(radius_message_t *this);
+	
+	/**
+	 * Add a RADIUS attribute to the message.
+	 *
+	 * @param type			type of attribute to add
+	 * @param				attribute data, gets cloned
+	 */
+	void (*add)(radius_message_t *this, radius_attribute_type_t type,
+				chunk_t data);
+	
+	/**
+	 * Get the message type (code).
+	 *
+	 * @return				message code
+	 */
+	radius_message_code_t (*get_code)(radius_message_t *this);
+	
+	/**
+	 * Get the message identifier.
+	 *
+	 * @return				message identifier
+	 */
+	u_int8_t (*get_identifier)(radius_message_t *this);
+	
+	/**
+	 * Set the message identifier.
+	 *
+	 * @param identifier	message identifier
+	 */
+	void (*set_identifier)(radius_message_t *this, u_int8_t identifier);
+	
+	/**
+	 * Get the 16 byte authenticator.
+	 *
+	 * @return				pointer to the Authenticator field
+	 */
+	u_int8_t* (*get_authenticator)(radius_message_t *this);
+	
+	/**
+	 * Get the RADIUS message in its encoded form.
+	 *
+	 * @return				chunk pointing to internal RADIUS message.
+	 */
+	chunk_t (*get_encoding)(radius_message_t *this);
+	
+	/**
+	 * Calculate and add the Message-Authenticator attribute to the message.
+	 *
+	 * @param rng			RNG to create Request-Authenticator
+	 * @param signer		HMAC-MD5 signer with secret set
+	 */
+	void (*sign)(radius_message_t *this, rng_t *rng, signer_t *signer);
+	
+	/**
+	 * Verify the integrity of a received RADIUS response.
+	 *
+	 * @param req_auth		16 byte Authenticator of the corresponding request
+	 * @param secret		shared RADIUS secret
+	 * @param hasher		hasher to verify Response-Authenticator
+	 * @param signer		signer to verify Message-Authenticator attribute
+	 */
+	bool (*verify)(radius_message_t *this, u_int8_t *req_auth, chunk_t secret,
+				   hasher_t *hasher, signer_t *signer);
+	
+	/**
+	 * Destroy the message.
+	 */
+	void (*destroy)(radius_message_t *this);
+};
+
+/**
+ * Create an empty RADIUS request message (RMT_ACCESS_REQUEST).
+ *
+ * @return				radius_message_t object
+ */
+radius_message_t *radius_message_create_request();
+
+/**
+ * Parse and verify a recevied RADIUS response.
+ *
+ * @param data			received message data
+ * @return				radius_message_t object, NULL if length invalid
+ */
+radius_message_t *radius_message_parse_response(chunk_t data);
+
+#endif /** RADIUS_MESSAGE_H_ @}*/
diff --git a/src/charon/plugins/eap_sim/eap_sim.h b/src/charon/plugins/eap_sim/eap_sim.h
index ec061b6f4..af1aa2aa5 100644
--- a/src/charon/plugins/eap_sim/eap_sim.h
+++ b/src/charon/plugins/eap_sim/eap_sim.h
@@ -58,4 +58,4 @@ eap_sim_t *eap_sim_create_server(identification_t *server, identification_t *pee
  */
 eap_sim_t *eap_sim_create_peer(identification_t *server, identification_t *peer);
 
-#endif /* EAP_SIM_H_ @}*/
+#endif /** EAP_SIM_H_ @}*/
diff --git a/src/charon/plugins/eap_sim/eap_sim_plugin.h b/src/charon/plugins/eap_sim/eap_sim_plugin.h
index 13152358a..d90a72092 100644
--- a/src/charon/plugins/eap_sim/eap_sim_plugin.h
+++ b/src/charon/plugins/eap_sim/eap_sim_plugin.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: eap_sim_plugin.h 4406 2008-10-10 08:36:01Z martin $
+ * $Id: eap_sim_plugin.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -46,4 +46,4 @@ struct eap_sim_plugin_t {
  */
 plugin_t *plugin_create();
 
-#endif /* EAP_SIM_PLUGIN_H_ @}*/
+#endif /** EAP_SIM_PLUGIN_H_ @}*/
diff --git a/src/charon/plugins/eap_sim_file/eap_sim_file_card.h b/src/charon/plugins/eap_sim_file/eap_sim_file_card.h
index 953a3e915..9f28aa8fc 100644
--- a/src/charon/plugins/eap_sim_file/eap_sim_file_card.h
+++ b/src/charon/plugins/eap_sim_file/eap_sim_file_card.h
@@ -52,4 +52,4 @@ struct eap_sim_file_card_t {
  */
 eap_sim_file_card_t *eap_sim_file_card_create(eap_sim_file_triplets_t *triplets);
 
-#endif /* EAP_SIM_FILE_CARD_ @}*/
+#endif /** EAP_SIM_FILE_CARD_ @}*/
diff --git a/src/charon/plugins/eap_sim_file/eap_sim_file_plugin.h b/src/charon/plugins/eap_sim_file/eap_sim_file_plugin.h
index c1828527d..8e603258f 100644
--- a/src/charon/plugins/eap_sim_file/eap_sim_file_plugin.h
+++ b/src/charon/plugins/eap_sim_file/eap_sim_file_plugin.h
@@ -46,4 +46,4 @@ struct eap_sim_file_plugin_t {
  */
 plugin_t *plugin_create();
 
-#endif /* EAP_SIM_FILE_PLUGIN_H_ @}*/
+#endif /** EAP_SIM_FILE_PLUGIN_H_ @}*/
diff --git a/src/charon/plugins/eap_sim_file/eap_sim_file_provider.h b/src/charon/plugins/eap_sim_file/eap_sim_file_provider.h
index bc8f6cca0..efd73802a 100644
--- a/src/charon/plugins/eap_sim_file/eap_sim_file_provider.h
+++ b/src/charon/plugins/eap_sim_file/eap_sim_file_provider.h
@@ -51,4 +51,4 @@ struct eap_sim_file_provider_t {
 eap_sim_file_provider_t *eap_sim_file_provider_create(
 											eap_sim_file_triplets_t *triplets);
 
-#endif /* EAP_SIM_FILE_PROVIDER_ @}*/
+#endif /** EAP_SIM_FILE_PROVIDER_ @}*/
diff --git a/src/charon/plugins/eap_sim_file/eap_sim_file_triplets.h b/src/charon/plugins/eap_sim_file/eap_sim_file_triplets.h
index 5f3adfe62..a6e9188a5 100644
--- a/src/charon/plugins/eap_sim_file/eap_sim_file_triplets.h
+++ b/src/charon/plugins/eap_sim_file/eap_sim_file_triplets.h
@@ -71,4 +71,4 @@ struct eap_sim_file_triplets_t {
  */
 eap_sim_file_triplets_t *eap_sim_file_triplets_create(char *file);
 
-#endif /* EAP_SIM_FILE_TRIPLETS_ @}*/
+#endif /** EAP_SIM_FILE_TRIPLETS_ @}*/
diff --git a/src/charon/plugins/kernel_klips/kernel_klips_ipsec.h b/src/charon/plugins/kernel_klips/kernel_klips_ipsec.h
index b16390ab4..4d4e33813 100644
--- a/src/charon/plugins/kernel_klips/kernel_klips_ipsec.h
+++ b/src/charon/plugins/kernel_klips/kernel_klips_ipsec.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: kernel_klips_ipsec.h 4617 2008-11-11 08:45:19Z tobias $
+ * $Id: kernel_klips_ipsec.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -45,4 +45,4 @@ struct kernel_klips_ipsec_t {
  */
 kernel_klips_ipsec_t *kernel_klips_ipsec_create();
 
-#endif /* KERNEL_KLIPS_IPSEC_H_ @} */
+#endif /** KERNEL_KLIPS_IPSEC_H_ @}*/
diff --git a/src/charon/plugins/kernel_klips/kernel_klips_plugin.h b/src/charon/plugins/kernel_klips/kernel_klips_plugin.h
index 67c3b74c6..8dd2f1895 100644
--- a/src/charon/plugins/kernel_klips/kernel_klips_plugin.h
+++ b/src/charon/plugins/kernel_klips/kernel_klips_plugin.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: kernel_klips_plugin.h 4617 2008-11-11 08:45:19Z tobias $
+ * $Id: kernel_klips_plugin.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -46,4 +46,4 @@ struct kernel_klips_plugin_t {
  */
 plugin_t *plugin_create();
 
-#endif /* KERNEL_KLIPS_PLUGIN_H_ @} */
+#endif /** KERNEL_KLIPS_PLUGIN_H_ @}*/
diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c
index 8a13ed489..ee47914d3 100644
--- a/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -17,7 +17,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: kernel_netlink_ipsec.c 4831 2009-01-09 09:37:13Z andreas $
+ * $Id: kernel_netlink_ipsec.c 4997 2009-03-24 10:24:58Z martin $
  */
 
 #include <sys/types.h>
diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.h b/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.h
index a78004e09..0b65c5213 100644
--- a/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.h
+++ b/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: kernel_netlink_ipsec.h 4358 2008-09-25 13:56:23Z tobias $
+ * $Id: kernel_netlink_ipsec.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -45,4 +45,4 @@ struct kernel_netlink_ipsec_t {
  */
 kernel_netlink_ipsec_t *kernel_netlink_ipsec_create();
 
-#endif /* KERNEL_NETLINK_IPSEC_H_ @} */
+#endif /** KERNEL_NETLINK_IPSEC_H_ @}*/
diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_net.h b/src/charon/plugins/kernel_netlink/kernel_netlink_net.h
index 393167a71..39b96837b 100644
--- a/src/charon/plugins/kernel_netlink/kernel_netlink_net.h
+++ b/src/charon/plugins/kernel_netlink/kernel_netlink_net.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: kernel_netlink_net.h 4350 2008-09-18 15:16:43Z tobias $
+ * $Id: kernel_netlink_net.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -45,4 +45,4 @@ struct kernel_netlink_net_t {
  */
 kernel_netlink_net_t *kernel_netlink_net_create();
 
-#endif /* KERNEL_NETLINK_NET_H_ @} */
+#endif /** KERNEL_NETLINK_NET_H_ @}*/
diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_plugin.h b/src/charon/plugins/kernel_netlink/kernel_netlink_plugin.h
index 80a6c27e1..f08dbc023 100644
--- a/src/charon/plugins/kernel_netlink/kernel_netlink_plugin.h
+++ b/src/charon/plugins/kernel_netlink/kernel_netlink_plugin.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: kernel_netlink_plugin.h 4358 2008-09-25 13:56:23Z tobias $
+ * $Id: kernel_netlink_plugin.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -46,4 +46,4 @@ struct kernel_netlink_plugin_t {
  */
 plugin_t *plugin_create();
 
-#endif /* KERNEL_NETLINK_PLUGIN_H_ @} */
+#endif /** KERNEL_NETLINK_PLUGIN_H_ @}*/
diff --git a/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.h b/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.h
index 6e2ec5377..db05462f4 100644
--- a/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.h
+++ b/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: kernel_pfkey_ipsec.h 4361 2008-10-01 16:47:51Z tobias $
+ * $Id: kernel_pfkey_ipsec.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -45,4 +45,4 @@ struct kernel_pfkey_ipsec_t {
  */
 kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create();
 
-#endif /* KERNEL_PFKEY_IPSEC_H_ @} */
+#endif /** KERNEL_PFKEY_IPSEC_H_ @}*/
diff --git a/src/charon/plugins/kernel_pfkey/kernel_pfkey_plugin.h b/src/charon/plugins/kernel_pfkey/kernel_pfkey_plugin.h
index 5e256ca74..f091c6d81 100644
--- a/src/charon/plugins/kernel_pfkey/kernel_pfkey_plugin.h
+++ b/src/charon/plugins/kernel_pfkey/kernel_pfkey_plugin.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: kernel_pfkey_plugin.h 4361 2008-10-01 16:47:51Z tobias $
+ * $Id: kernel_pfkey_plugin.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -46,4 +46,4 @@ struct kernel_pfkey_plugin_t {
  */
 plugin_t *plugin_create();
 
-#endif /* KERNEL_PFKEY_PLUGIN_H_ @} */
+#endif /** KERNEL_PFKEY_PLUGIN_H_ @}*/
diff --git a/src/charon/plugins/load_tester/load_tester_config.h b/src/charon/plugins/load_tester/load_tester_config.h
index d5391da63..92a0ff95b 100644
--- a/src/charon/plugins/load_tester/load_tester_config.h
+++ b/src/charon/plugins/load_tester/load_tester_config.h
@@ -50,4 +50,4 @@ struct load_tester_config_t {
  */
 load_tester_config_t *load_tester_config_create();
 
-#endif /* LOAD_TESTER_CONFIG_H_ @}*/
+#endif /** LOAD_TESTER_CONFIG_H_ @}*/
diff --git a/src/charon/plugins/load_tester/load_tester_creds.h b/src/charon/plugins/load_tester/load_tester_creds.h
index bc092bd12..ed73f14c3 100644
--- a/src/charon/plugins/load_tester/load_tester_creds.h
+++ b/src/charon/plugins/load_tester/load_tester_creds.h
@@ -50,4 +50,4 @@ struct load_tester_creds_t {
  */
 load_tester_creds_t *load_tester_creds_create();
 
-#endif /* LOAD_TESTER_CREDS_H_ @}*/
+#endif /** LOAD_TESTER_CREDS_H_ @}*/
diff --git a/src/charon/plugins/load_tester/load_tester_diffie_hellman.h b/src/charon/plugins/load_tester/load_tester_diffie_hellman.h
index 1f66e7f2b..422428a54 100644
--- a/src/charon/plugins/load_tester/load_tester_diffie_hellman.h
+++ b/src/charon/plugins/load_tester/load_tester_diffie_hellman.h
@@ -47,4 +47,4 @@ struct load_tester_diffie_hellman_t {
 load_tester_diffie_hellman_t *load_tester_diffie_hellman_create(
 												diffie_hellman_group_t group);
 
-#endif /* LOAD_TESTER_DIFFIE_HELLMAN_ @}*/
+#endif /** LOAD_TESTER_DIFFIE_HELLMAN_ @}*/
diff --git a/src/charon/plugins/load_tester/load_tester_ipsec.h b/src/charon/plugins/load_tester/load_tester_ipsec.h
index 34a99dcbd..4f374032f 100644
--- a/src/charon/plugins/load_tester/load_tester_ipsec.h
+++ b/src/charon/plugins/load_tester/load_tester_ipsec.h
@@ -45,4 +45,4 @@ struct load_tester_ipsec_t {
  */
 load_tester_ipsec_t *load_tester_ipsec_create();
 
-#endif /* LOAD_TESTER_IPSEC_H_ @} */
+#endif /** LOAD_TESTER_IPSEC_H_ @}*/
diff --git a/src/charon/plugins/load_tester/load_tester_listener.h b/src/charon/plugins/load_tester/load_tester_listener.h
index 6ef749b96..b61da0cb3 100644
--- a/src/charon/plugins/load_tester/load_tester_listener.h
+++ b/src/charon/plugins/load_tester/load_tester_listener.h
@@ -51,4 +51,4 @@ struct load_tester_listener_t {
  */
 load_tester_listener_t *load_tester_listener_create(u_int shutdown_on);
 
-#endif /* LOAD_TESTER_LISTENER_H_ @}*/
+#endif /** LOAD_TESTER_LISTENER_H_ @}*/
diff --git a/src/charon/plugins/load_tester/load_tester_plugin.h b/src/charon/plugins/load_tester/load_tester_plugin.h
index 10088bfa2..e0b64cfef 100644
--- a/src/charon/plugins/load_tester/load_tester_plugin.h
+++ b/src/charon/plugins/load_tester/load_tester_plugin.h
@@ -48,4 +48,4 @@ struct load_tester_plugin_t {
  */
 plugin_t *plugin_create();
 
-#endif /* LOAD_TESTER_PLUGIN_H_ @}*/
+#endif /** LOAD_TESTER_PLUGIN_H_ @}*/
diff --git a/src/charon/plugins/medcli/medcli_config.h b/src/charon/plugins/medcli/medcli_config.h
index 789a73243..9c0357a26 100644
--- a/src/charon/plugins/medcli/medcli_config.h
+++ b/src/charon/plugins/medcli/medcli_config.h
@@ -52,4 +52,4 @@ struct medcli_config_t {
  */
 medcli_config_t *medcli_config_create(database_t *db);
 
-#endif /* MEDCLI_CONFIG_H_ @}*/
+#endif /** MEDCLI_CONFIG_H_ @}*/
diff --git a/src/charon/plugins/medcli/medcli_creds.h b/src/charon/plugins/medcli/medcli_creds.h
index 5a81edaf2..4e563b4ac 100644
--- a/src/charon/plugins/medcli/medcli_creds.h
+++ b/src/charon/plugins/medcli/medcli_creds.h
@@ -52,4 +52,4 @@ struct medcli_creds_t {
  */
 medcli_creds_t *medcli_creds_create(database_t *database);
 
-#endif /* MEDCLI_CREDS_H_ @}*/
+#endif /** MEDCLI_CREDS_H_ @}*/
diff --git a/src/charon/plugins/medcli/medcli_listener.h b/src/charon/plugins/medcli/medcli_listener.h
index 4cec3caad..291e66097 100644
--- a/src/charon/plugins/medcli/medcli_listener.h
+++ b/src/charon/plugins/medcli/medcli_listener.h
@@ -52,4 +52,4 @@ struct medcli_listener_t {
  */
 medcli_listener_t *medcli_listener_create(database_t *database);
 
-#endif /* MEDCLI_LISTENER_H_ @}*/
+#endif /** MEDCLI_LISTENER_H_ @}*/
diff --git a/src/charon/plugins/medcli/medcli_plugin.h b/src/charon/plugins/medcli/medcli_plugin.h
index 1a8c5b5e7..791a5cea5 100644
--- a/src/charon/plugins/medcli/medcli_plugin.h
+++ b/src/charon/plugins/medcli/medcli_plugin.h
@@ -46,4 +46,4 @@ struct medcli_plugin_t {
  */
 plugin_t *plugin_create();
 
-#endif /* MEDCLI_PLUGIN_H_ @}*/
+#endif /** MEDCLI_PLUGIN_H_ @}*/
diff --git a/src/charon/plugins/medsrv/medsrv_config.h b/src/charon/plugins/medsrv/medsrv_config.h
index ebb62037e..a92780144 100644
--- a/src/charon/plugins/medsrv/medsrv_config.h
+++ b/src/charon/plugins/medsrv/medsrv_config.h
@@ -52,4 +52,4 @@ struct medsrv_config_t {
  */
 medsrv_config_t *medsrv_config_create(database_t *db);
 
-#endif /* MEDSRV_CONFIG_H_ @}*/
+#endif /** MEDSRV_CONFIG_H_ @}*/
diff --git a/src/charon/plugins/medsrv/medsrv_creds.h b/src/charon/plugins/medsrv/medsrv_creds.h
index f65e98411..0ce77167c 100644
--- a/src/charon/plugins/medsrv/medsrv_creds.h
+++ b/src/charon/plugins/medsrv/medsrv_creds.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: medsrv_creds.h 3915 2008-05-08 12:11:30Z martin $
+ * $Id: medsrv_creds.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -52,4 +52,4 @@ struct medsrv_creds_t {
  */
 medsrv_creds_t *medsrv_creds_create(database_t *database);
 
-#endif /* MEDSRV_CREDS_H_ @}*/
+#endif /** MEDSRV_CREDS_H_ @}*/
diff --git a/src/charon/plugins/medsrv/medsrv_plugin.h b/src/charon/plugins/medsrv/medsrv_plugin.h
index 8aa56d607..fbe04021f 100644
--- a/src/charon/plugins/medsrv/medsrv_plugin.h
+++ b/src/charon/plugins/medsrv/medsrv_plugin.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: medsrv_plugin.h 3915 2008-05-08 12:11:30Z martin $
+ * $Id: medsrv_plugin.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -46,4 +46,4 @@ struct medsrv_plugin_t {
  */
 plugin_t *plugin_create();
 
-#endif /* MEDSRV_PLUGIN_H_ @}*/
+#endif /** MEDSRV_PLUGIN_H_ @}*/
diff --git a/src/charon/plugins/nm/nm_creds.h b/src/charon/plugins/nm/nm_creds.h
index 4bcc32191..b0cc7a098 100644
--- a/src/charon/plugins/nm/nm_creds.h
+++ b/src/charon/plugins/nm/nm_creds.h
@@ -76,4 +76,4 @@ struct nm_creds_t {
  */
 nm_creds_t *nm_creds_create();
 
-#endif /* NM_CREDS_H_ @}*/
+#endif /** NM_CREDS_H_ @}*/
diff --git a/src/charon/plugins/nm/nm_plugin.h b/src/charon/plugins/nm/nm_plugin.h
index 2604b80dd..fadcbfb96 100644
--- a/src/charon/plugins/nm/nm_plugin.h
+++ b/src/charon/plugins/nm/nm_plugin.h
@@ -46,4 +46,4 @@ struct nm_plugin_t {
  */
 plugin_t *plugin_create();
 
-#endif /* NM_PLUGIN_H_ @}*/
+#endif /** NM_PLUGIN_H_ @}*/
diff --git a/src/charon/plugins/nm/nm_service.h b/src/charon/plugins/nm/nm_service.h
index 7cd0fc5e3..bc6ebcf99 100644
--- a/src/charon/plugins/nm/nm_service.h
+++ b/src/charon/plugins/nm/nm_service.h
@@ -52,4 +52,4 @@ GType nm_strongswan_plugin_get_type(void);
 
 NMStrongswanPlugin *nm_strongswan_plugin_new(nm_creds_t *creds);
 
-#endif /* NM_SERVICE_H_ */
+#endif /** NM_SERVICE_H_ @}*/
diff --git a/src/charon/plugins/smp/smp.h b/src/charon/plugins/smp/smp.h
index e65d5ea2c..1f45befa6 100644
--- a/src/charon/plugins/smp/smp.h
+++ b/src/charon/plugins/smp/smp.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: smp.h 3689 2008-03-28 12:44:01Z martin $
+ * $Id: smp.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -49,4 +49,4 @@ struct smp_t {
  */
 plugin_t *plugin_create();
 
-#endif /* XML_H_ @}*/
+#endif /** XML_H_ @}*/
diff --git a/src/charon/plugins/sql/sql_attribute.h b/src/charon/plugins/sql/sql_attribute.h
index 211204ced..57db4617e 100644
--- a/src/charon/plugins/sql/sql_attribute.h
+++ b/src/charon/plugins/sql/sql_attribute.h
@@ -48,4 +48,4 @@ struct sql_attribute_t {
  */
 sql_attribute_t *sql_attribute_create(database_t *db);
 
-#endif /* SQL_ATTRIBUTE_H_ @}*/
+#endif /** SQL_ATTRIBUTE_H_ @}*/
diff --git a/src/charon/plugins/sql/sql_config.h b/src/charon/plugins/sql/sql_config.h
index d34705c71..bfcd7a7c1 100644
--- a/src/charon/plugins/sql/sql_config.h
+++ b/src/charon/plugins/sql/sql_config.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: sql_config.h 3594 2008-03-13 14:53:57Z martin $
+ * $Id: sql_config.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -52,4 +52,4 @@ struct sql_config_t {
  */
 sql_config_t *sql_config_create(database_t *db);
 
-#endif /* SQL_CONFIG_H_ @}*/
+#endif /** SQL_CONFIG_H_ @}*/
diff --git a/src/charon/plugins/sql/sql_cred.h b/src/charon/plugins/sql/sql_cred.h
index e251abe00..a614f0cba 100644
--- a/src/charon/plugins/sql/sql_cred.h
+++ b/src/charon/plugins/sql/sql_cred.h
@@ -52,4 +52,4 @@ struct sql_cred_t {
  */
 sql_cred_t *sql_cred_create(database_t *db);
 
-#endif /* SQL_CRED_H_ @}*/
+#endif /** SQL_CRED_H_ @}*/
diff --git a/src/charon/plugins/sql/sql_logger.h b/src/charon/plugins/sql/sql_logger.h
index a2c6fb5e9..3346430a1 100644
--- a/src/charon/plugins/sql/sql_logger.h
+++ b/src/charon/plugins/sql/sql_logger.h
@@ -52,4 +52,4 @@ struct sql_logger_t {
  */
 sql_logger_t *sql_logger_create(database_t *db);
 
-#endif /* SQL_LOGGER_H_ @}*/
+#endif /** SQL_LOGGER_H_ @}*/
diff --git a/src/charon/plugins/sql/sql_plugin.h b/src/charon/plugins/sql/sql_plugin.h
index 8a7ba3e85..d4f2d29f2 100644
--- a/src/charon/plugins/sql/sql_plugin.h
+++ b/src/charon/plugins/sql/sql_plugin.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: sql_plugin.h 3577 2008-03-12 14:38:35Z martin $
+ * $Id: sql_plugin.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -46,4 +46,4 @@ struct sql_plugin_t {
  */
 plugin_t *plugin_create();
 
-#endif /* SQL_PLUGIN_H_ @}*/
+#endif /** SQL_PLUGIN_H_ @}*/
diff --git a/src/charon/plugins/stroke/stroke_attribute.h b/src/charon/plugins/stroke/stroke_attribute.h
index 5060dc987..41ab6299b 100644
--- a/src/charon/plugins/stroke/stroke_attribute.h
+++ b/src/charon/plugins/stroke/stroke_attribute.h
@@ -85,4 +85,4 @@ struct stroke_attribute_t {
  */
 stroke_attribute_t *stroke_attribute_create();
 
-#endif /* STROKE_ATTRIBUTE_H_ @}*/
+#endif /** STROKE_ATTRIBUTE_H_ @}*/
diff --git a/src/charon/plugins/stroke/stroke_ca.h b/src/charon/plugins/stroke/stroke_ca.h
index 882446afe..ee759ff4e 100644
--- a/src/charon/plugins/stroke/stroke_ca.h
+++ b/src/charon/plugins/stroke/stroke_ca.h
@@ -79,4 +79,4 @@ struct stroke_ca_t {
  */
 stroke_ca_t *stroke_ca_create(stroke_cred_t *cred);
 
-#endif /* STROKE_CA_H_ @}*/
+#endif /** STROKE_CA_H_ @}*/
diff --git a/src/charon/plugins/stroke/stroke_config.h b/src/charon/plugins/stroke/stroke_config.h
index 22b493cd2..12eb11a8f 100644
--- a/src/charon/plugins/stroke/stroke_config.h
+++ b/src/charon/plugins/stroke/stroke_config.h
@@ -65,4 +65,4 @@ struct stroke_config_t {
  */
 stroke_config_t *stroke_config_create(stroke_ca_t *ca, stroke_cred_t *cred);
 
-#endif /* STROKE_CONFIG_H_ @}*/
+#endif /** STROKE_CONFIG_H_ @}*/
diff --git a/src/charon/plugins/stroke/stroke_control.h b/src/charon/plugins/stroke/stroke_control.h
index 926964458..26dc99b94 100644
--- a/src/charon/plugins/stroke/stroke_control.h
+++ b/src/charon/plugins/stroke/stroke_control.h
@@ -80,4 +80,4 @@ struct stroke_control_t {
  */
 stroke_control_t *stroke_control_create();
 
-#endif /* STROKE_CONTROL_H_ @}*/
+#endif /** STROKE_CONTROL_H_ @}*/
diff --git a/src/charon/plugins/stroke/stroke_cred.h b/src/charon/plugins/stroke/stroke_cred.h
index 1b9ef986e..fc7121622 100644
--- a/src/charon/plugins/stroke/stroke_cred.h
+++ b/src/charon/plugins/stroke/stroke_cred.h
@@ -80,4 +80,4 @@ struct stroke_cred_t {
  */
 stroke_cred_t *stroke_cred_create();
 
-#endif /* STROKE_CRED_H_ @}*/
+#endif /** STROKE_CRED_H_ @}*/
diff --git a/src/charon/plugins/stroke/stroke_list.h b/src/charon/plugins/stroke/stroke_list.h
index 1f7f19d62..73a6ff6e4 100644
--- a/src/charon/plugins/stroke/stroke_list.h
+++ b/src/charon/plugins/stroke/stroke_list.h
@@ -73,4 +73,4 @@ struct stroke_list_t {
  */
 stroke_list_t *stroke_list_create(stroke_attribute_t *attribute);
 
-#endif /* STROKE_LIST_H_ @}*/
+#endif /** STROKE_LIST_H_ @}*/
diff --git a/src/charon/plugins/stroke/stroke_plugin.h b/src/charon/plugins/stroke/stroke_plugin.h
index 7ea18b8af..b4c367c6e 100644
--- a/src/charon/plugins/stroke/stroke_plugin.h
+++ b/src/charon/plugins/stroke/stroke_plugin.h
@@ -49,4 +49,4 @@ struct stroke_plugin_t {
  */
 plugin_t *plugin_create();
 
-#endif /* STROKE_PLUGIN_H_ @}*/
+#endif /** STROKE_PLUGIN_H_ @}*/
diff --git a/src/charon/plugins/stroke/stroke_shared_key.h b/src/charon/plugins/stroke/stroke_shared_key.h
index e93d8cee2..b456095ae 100644
--- a/src/charon/plugins/stroke/stroke_shared_key.h
+++ b/src/charon/plugins/stroke/stroke_shared_key.h
@@ -59,4 +59,4 @@ struct stroke_shared_key_t {
  */
 stroke_shared_key_t *stroke_shared_key_create(shared_key_type_t type, chunk_t key);
 
-#endif /* STROKE_SHARED_KEY_H_ @}*/
+#endif /** STROKE_SHARED_KEY_H_ @}*/
diff --git a/src/charon/plugins/stroke/stroke_socket.h b/src/charon/plugins/stroke/stroke_socket.h
index 7bc96686f..7a772c56c 100644
--- a/src/charon/plugins/stroke/stroke_socket.h
+++ b/src/charon/plugins/stroke/stroke_socket.h
@@ -41,4 +41,4 @@ struct stroke_socket_t {
  */
 stroke_socket_t *stroke_socket_create();
 
-#endif /* STROKE_SOCKET_H_ @}*/
+#endif /** STROKE_SOCKET_H_ @}*/
diff --git a/src/charon/plugins/uci/uci_config.h b/src/charon/plugins/uci/uci_config.h
index 4d8b286c6..67893f771 100644
--- a/src/charon/plugins/uci/uci_config.h
+++ b/src/charon/plugins/uci/uci_config.h
@@ -54,4 +54,4 @@ struct uci_config_t {
  */
 uci_config_t *uci_config_create(uci_parser_t *parser);
 
-#endif /* UCI_CONFIG_H_ @}*/
+#endif /** UCI_CONFIG_H_ @}*/
diff --git a/src/charon/plugins/uci/uci_control.h b/src/charon/plugins/uci/uci_control.h
index 774c42661..b5db32226 100644
--- a/src/charon/plugins/uci/uci_control.h
+++ b/src/charon/plugins/uci/uci_control.h
@@ -25,19 +25,20 @@
 
 typedef struct uci_control_t uci_control_t;
 
+/**
+ * UCI control interface, uses a simple FIFO file
+ */
 struct uci_control_t {
-
+	
 	/**
- 	 * Destroy the controller
- 	 */
-
+	 * Destroy the controller
+	 */
 	void (*destroy)(uci_control_t *this);
 };
 
 /**
  * Create a UCI based configuration backend.
  */
-
 uci_control_t *uci_control_create();
 
-#endif /*UCI_CONTROL_H_@}*/
+#endif /** UCI_CONTROL_H_ @}*/
diff --git a/src/charon/plugins/uci/uci_creds.h b/src/charon/plugins/uci/uci_creds.h
index cf82f1c07..f1573a8a3 100644
--- a/src/charon/plugins/uci/uci_creds.h
+++ b/src/charon/plugins/uci/uci_creds.h
@@ -54,4 +54,4 @@ struct uci_creds_t {
  */
 uci_creds_t *uci_creds_create(uci_parser_t *parser);
 
-#endif /* UCI_CREDS_H_ @}*/
+#endif /** UCI_CREDS_H_ @}*/
diff --git a/src/charon/plugins/uci/uci_parser.h b/src/charon/plugins/uci/uci_parser.h
index a8633ca2e..b3e76962b 100644
--- a/src/charon/plugins/uci/uci_parser.h
+++ b/src/charon/plugins/uci/uci_parser.h
@@ -58,5 +58,4 @@ struct uci_parser_t {
  */
 uci_parser_t *uci_parser_create(char *package);
 
-#endif /* UCI_PARSER_H_ @}*/
-
+#endif /** UCI_PARSER_H_ @}*/
diff --git a/src/charon/plugins/uci/uci_plugin.h b/src/charon/plugins/uci/uci_plugin.h
index cac95dc13..d9a888aa1 100644
--- a/src/charon/plugins/uci/uci_plugin.h
+++ b/src/charon/plugins/uci/uci_plugin.h
@@ -47,4 +47,4 @@ struct uci_plugin_t {
  */
 plugin_t *plugin_create();
 
-#endif /* UCI_PLUGIN_H_ @}*/
+#endif /** UCI_PLUGIN_H_ @}*/
diff --git a/src/charon/plugins/unit_tester/tests.h b/src/charon/plugins/unit_tester/tests.h
index 0673c309a..7a5aa5ab8 100644
--- a/src/charon/plugins/unit_tester/tests.h
+++ b/src/charon/plugins/unit_tester/tests.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: tests.h 4815 2008-12-18 16:24:22Z martin $
+ * $Id: tests.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -41,3 +41,5 @@ DEFINE_TEST("Base64 converter", test_chunk_base64, FALSE)
 DEFINE_TEST("IP pool", test_pool, FALSE)
 DEFINE_TEST("SSH agent", test_agent, FALSE)
 DEFINE_TEST("RNG quality", test_rng, FALSE)
+
+/** @}*/
diff --git a/src/charon/plugins/unit_tester/unit_tester.h b/src/charon/plugins/unit_tester/unit_tester.h
index af946c2e0..760b0389b 100644
--- a/src/charon/plugins/unit_tester/unit_tester.h
+++ b/src/charon/plugins/unit_tester/unit_tester.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: unit_tester.h 3491 2008-02-22 14:04:00Z martin $
+ * $Id: unit_tester.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -48,4 +48,4 @@ struct unit_tester_t {
  */
 plugin_t *plugin_create();
 
-#endif /* UNIT_TESTER_H_ @}*/
+#endif /** UNIT_TESTER_H_ @}*/
diff --git a/src/charon/plugins/updown/updown_listener.h b/src/charon/plugins/updown/updown_listener.h
index 569d5817e..0d09a4cea 100644
--- a/src/charon/plugins/updown/updown_listener.h
+++ b/src/charon/plugins/updown/updown_listener.h
@@ -48,4 +48,4 @@ struct updown_listener_t {
  */
 updown_listener_t *updown_listener_create();
 
-#endif /* UPDOWN_LISTENER_ @}*/
+#endif /** UPDOWN_LISTENER_ @}*/
diff --git a/src/charon/plugins/updown/updown_plugin.h b/src/charon/plugins/updown/updown_plugin.h
index 4d0a930c2..99779d04e 100644
--- a/src/charon/plugins/updown/updown_plugin.h
+++ b/src/charon/plugins/updown/updown_plugin.h
@@ -46,4 +46,4 @@ struct updown_plugin_t {
  */
 plugin_t *plugin_create();
 
-#endif /* UPDOWN_PLUGIN_H_ @}*/
+#endif /** UPDOWN_PLUGIN_H_ @}*/
diff --git a/src/charon/processing/jobs/acquire_job.h b/src/charon/processing/jobs/acquire_job.h
index 7459ccc21..feea5c72a 100644
--- a/src/charon/processing/jobs/acquire_job.h
+++ b/src/charon/processing/jobs/acquire_job.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: acquire_job.h 4535 2008-10-31 01:43:23Z andreas $
+ * $Id: acquire_job.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -55,4 +55,4 @@ acquire_job_t *acquire_job_create(u_int32_t reqid,
 								  traffic_selector_t *src_ts,
 								  traffic_selector_t *dst_ts);
 
-#endif /* REKEY_CHILD_SA_JOB_H_ @} */
+#endif /** REKEY_CHILD_SA_JOB_H_ @}*/
diff --git a/src/charon/processing/jobs/callback_job.h b/src/charon/processing/jobs/callback_job.h
index 4e2eab235..012bb271c 100644
--- a/src/charon/processing/jobs/callback_job.h
+++ b/src/charon/processing/jobs/callback_job.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: callback_job.h 3589 2008-03-13 14:14:44Z martin $
+ * $Id: callback_job.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -116,4 +116,4 @@ callback_job_t *callback_job_create(callback_job_cb_t cb, void *data,
 									callback_job_cleanup_t cleanup,
 									callback_job_t *parent);
 
-#endif /* CALLBACK_JOB_H_ @} */
+#endif /** CALLBACK_JOB_H_ @}*/
diff --git a/src/charon/processing/jobs/delete_child_sa_job.h b/src/charon/processing/jobs/delete_child_sa_job.h
index c11e8fab4..a17c86b22 100644
--- a/src/charon/processing/jobs/delete_child_sa_job.h
+++ b/src/charon/processing/jobs/delete_child_sa_job.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: delete_child_sa_job.h 3589 2008-03-13 14:14:44Z martin $
+ * $Id: delete_child_sa_job.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -58,4 +58,4 @@ delete_child_sa_job_t *delete_child_sa_job_create(u_int32_t reqid,
 												  protocol_id_t protocol, 
 												  u_int32_t spi);
 
-#endif /* DELETE_CHILD_SA_JOB_H_ @} */
+#endif /** DELETE_CHILD_SA_JOB_H_ @}*/
diff --git a/src/charon/processing/jobs/delete_ike_sa_job.h b/src/charon/processing/jobs/delete_ike_sa_job.h
index cf666bb48..fcb712e43 100644
--- a/src/charon/processing/jobs/delete_ike_sa_job.h
+++ b/src/charon/processing/jobs/delete_ike_sa_job.h
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: delete_ike_sa_job.h 3589 2008-03-13 14:14:44Z martin $
+ * $Id: delete_ike_sa_job.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -56,4 +56,4 @@ struct delete_ike_sa_job_t {
 delete_ike_sa_job_t *delete_ike_sa_job_create(ike_sa_id_t *ike_sa_id,
 											  bool delete_if_established);
 
-#endif /* DELETE_IKE_SA_JOB_H_ @} */
+#endif /** DELETE_IKE_SA_JOB_H_ @}*/
diff --git a/src/charon/processing/jobs/initiate_mediation_job.h b/src/charon/processing/jobs/initiate_mediation_job.h
index 966da95d3..17f5e4d18 100644
--- a/src/charon/processing/jobs/initiate_mediation_job.h
+++ b/src/charon/processing/jobs/initiate_mediation_job.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: initiate_mediation_job.h 3792 2008-04-10 12:51:04Z tobias $
+ * $Id: initiate_mediation_job.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -60,4 +60,4 @@ initiate_mediation_job_t *initiate_mediation_job_create(ike_sa_id_t *ike_sa_id);
 initiate_mediation_job_t *reinitiate_mediation_job_create(ike_sa_id_t *mediation_sa_id,
 		ike_sa_id_t *mediated_sa_id);
 
-#endif /*INITIATE_MEDIATION_JOB_H_ @} */
+#endif /** INITIATE_MEDIATION_JOB_H_ @}*/
diff --git a/src/charon/processing/jobs/job.h b/src/charon/processing/jobs/job.h
index 61f639936..e0a2d1df7 100644
--- a/src/charon/processing/jobs/job.h
+++ b/src/charon/processing/jobs/job.h
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: job.h 3589 2008-03-13 14:14:44Z martin $
+ * $Id: job.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -51,4 +51,4 @@ struct job_t {
 	void (*destroy) (job_t *job);
 };
 
-#endif /* JOB_H_ @} */
+#endif /** JOB_H_ @}*/
diff --git a/src/charon/processing/jobs/mediation_job.h b/src/charon/processing/jobs/mediation_job.h
index 0e2901180..08e37915f 100644
--- a/src/charon/processing/jobs/mediation_job.h
+++ b/src/charon/processing/jobs/mediation_job.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: mediation_job.h 3666 2008-03-26 18:40:19Z tobias $
+ * $Id: mediation_job.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -73,4 +73,4 @@ mediation_job_t *mediation_job_create(identification_t *peer_id,
 mediation_job_t *mediation_callback_job_create(identification_t *requester,
 		identification_t *peer_id);
 
-#endif /*MEDIATION_JOB_H_ @} */
+#endif /** MEDIATION_JOB_H_ @}*/
diff --git a/src/charon/processing/jobs/migrate_job.h b/src/charon/processing/jobs/migrate_job.h
index a99ffbb0c..9f39b9730 100644
--- a/src/charon/processing/jobs/migrate_job.h
+++ b/src/charon/processing/jobs/migrate_job.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: migrate_job.h 4662 2008-11-16 21:19:58Z andreas $
+ * $Id: migrate_job.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -62,4 +62,4 @@ migrate_job_t *migrate_job_create(u_int32_t reqid,
 								  policy_dir_t dir,
 								  host_t *local, host_t *remote);
 
-#endif /* MIGRATE_JOB_H_ @} */
+#endif /** MIGRATE_JOB_H_ @}*/
diff --git a/src/charon/processing/jobs/process_message_job.h b/src/charon/processing/jobs/process_message_job.h
index 920444db1..0aae4c24e 100644
--- a/src/charon/processing/jobs/process_message_job.h
+++ b/src/charon/processing/jobs/process_message_job.h
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: process_message_job.h 3589 2008-03-13 14:14:44Z martin $
+ * $Id: process_message_job.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -48,4 +48,4 @@ struct process_message_job_t {
  */
 process_message_job_t *process_message_job_create(message_t *message);
 
-#endif /*PROCESS_MESSAGE_JOB_H_ @} */
+#endif /** PROCESS_MESSAGE_JOB_H_ @}*/
diff --git a/src/charon/processing/jobs/rekey_child_sa_job.h b/src/charon/processing/jobs/rekey_child_sa_job.h
index 38fd04f10..14e4af5e1 100644
--- a/src/charon/processing/jobs/rekey_child_sa_job.h
+++ b/src/charon/processing/jobs/rekey_child_sa_job.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: rekey_child_sa_job.h 3589 2008-03-13 14:14:44Z martin $
+ * $Id: rekey_child_sa_job.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -56,4 +56,4 @@ struct rekey_child_sa_job_t {
 rekey_child_sa_job_t *rekey_child_sa_job_create(u_int32_t reqid, 
 												protocol_id_t protocol,
 												u_int32_t spi);
-#endif /* REKEY_CHILD_SA_JOB_H_ @} */
+#endif /** REKEY_CHILD_SA_JOB_H_ @}*/
diff --git a/src/charon/processing/jobs/rekey_ike_sa_job.h b/src/charon/processing/jobs/rekey_ike_sa_job.h
index c8d9abee3..c03711d73 100644
--- a/src/charon/processing/jobs/rekey_ike_sa_job.h
+++ b/src/charon/processing/jobs/rekey_ike_sa_job.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: rekey_ike_sa_job.h 3589 2008-03-13 14:14:44Z martin $
+ * $Id: rekey_ike_sa_job.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -50,4 +50,4 @@ struct rekey_ike_sa_job_t {
  */
 rekey_ike_sa_job_t *rekey_ike_sa_job_create(ike_sa_id_t *ike_sa_id, bool reauth);
 
-#endif /* REKEY_IKE_SA_JOB_H_ @} */
+#endif /** REKEY_IKE_SA_JOB_H_ @}*/
diff --git a/src/charon/processing/jobs/retransmit_job.h b/src/charon/processing/jobs/retransmit_job.h
index 60932b304..a20369a1b 100644
--- a/src/charon/processing/jobs/retransmit_job.h
+++ b/src/charon/processing/jobs/retransmit_job.h
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: retransmit_job.h 3589 2008-03-13 14:14:44Z martin $
+ * $Id: retransmit_job.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -54,4 +54,4 @@ struct retransmit_job_t {
 retransmit_job_t *retransmit_job_create(u_int32_t message_id,
 										ike_sa_id_t *ike_sa_id);
 
-#endif /* RETRANSMIT_JOB_H_ @} */
+#endif /** RETRANSMIT_JOB_H_ @}*/
diff --git a/src/charon/processing/jobs/roam_job.h b/src/charon/processing/jobs/roam_job.h
index 763416b4a..6c0cbc2b7 100644
--- a/src/charon/processing/jobs/roam_job.h
+++ b/src/charon/processing/jobs/roam_job.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: roam_job.h 3589 2008-03-13 14:14:44Z martin $
+ * $Id: roam_job.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -51,4 +51,4 @@ struct roam_job_t {
  */
 roam_job_t *roam_job_create(bool address);
 
-#endif /*ROAM_JOB_H_ @} */
+#endif /** ROAM_JOB_H_ @}*/
diff --git a/src/charon/processing/jobs/send_dpd_job.h b/src/charon/processing/jobs/send_dpd_job.h
index 032823edd..2b6b5fee3 100644
--- a/src/charon/processing/jobs/send_dpd_job.h
+++ b/src/charon/processing/jobs/send_dpd_job.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: send_dpd_job.h 3589 2008-03-13 14:14:44Z martin $
+ * $Id: send_dpd_job.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -51,4 +51,4 @@ struct send_dpd_job_t {
  */
 send_dpd_job_t *send_dpd_job_create(ike_sa_id_t *ike_sa_id);
 
-#endif /*SEND_DPD_JOB_H_ @} */
+#endif /** SEND_DPD_JOB_H_ @}*/
diff --git a/src/charon/processing/jobs/send_keepalive_job.h b/src/charon/processing/jobs/send_keepalive_job.h
index 44bab09b4..7b3fe9f60 100644
--- a/src/charon/processing/jobs/send_keepalive_job.h
+++ b/src/charon/processing/jobs/send_keepalive_job.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: send_keepalive_job.h 3589 2008-03-13 14:14:44Z martin $
+ * $Id: send_keepalive_job.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -50,4 +50,4 @@ struct send_keepalive_job_t {
  */
 send_keepalive_job_t *send_keepalive_job_create(ike_sa_id_t *ike_sa_id);
 
-#endif /*SEND_KEEPALIVE_JOB_H_ @} */
+#endif /** SEND_KEEPALIVE_JOB_H_ @}*/
diff --git a/src/charon/processing/jobs/update_sa_job.h b/src/charon/processing/jobs/update_sa_job.h
index 5a350d939..79b89bbe3 100644
--- a/src/charon/processing/jobs/update_sa_job.h
+++ b/src/charon/processing/jobs/update_sa_job.h
@@ -49,4 +49,4 @@ struct update_sa_job_t {
  */
 update_sa_job_t *update_sa_job_create(u_int32_t reqid, host_t *new);
 
-#endif /*UPDATE_SA_JOB_H_ @} */
+#endif /** UPDATE_SA_JOB_H_ @}*/
diff --git a/src/charon/processing/processor.h b/src/charon/processing/processor.h
index 530fbc24b..6ab643b1f 100644
--- a/src/charon/processing/processor.h
+++ b/src/charon/processing/processor.h
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: processor.h 3589 2008-03-13 14:14:44Z martin $
+ * $Id: processor.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -93,4 +93,4 @@ struct processor_t {
  */
 processor_t *processor_create();
 
-#endif /*PROCESSOR_H_ @} */
+#endif /** PROCESSOR_H_ @}*/
diff --git a/src/charon/processing/scheduler.h b/src/charon/processing/scheduler.h
index edc17a02b..c3e177727 100644
--- a/src/charon/processing/scheduler.h
+++ b/src/charon/processing/scheduler.h
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: scheduler.h 3589 2008-03-13 14:14:44Z martin $
+ * $Id: scheduler.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -66,4 +66,4 @@ struct scheduler_t {
  */
 scheduler_t *scheduler_create(void);
 
-#endif /*SCHEDULER_H_ @} */
+#endif /** SCHEDULER_H_ @}*/
diff --git a/src/charon/sa/authenticators/authenticator.h b/src/charon/sa/authenticators/authenticator.h
index aa5a73e86..345cc7deb 100644
--- a/src/charon/sa/authenticators/authenticator.h
+++ b/src/charon/sa/authenticators/authenticator.h
@@ -14,7 +14,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: authenticator.h 4276 2008-08-22 10:44:51Z martin $
+ * $Id: authenticator.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -162,4 +162,4 @@ authenticator_t *authenticator_create_from_class(ike_sa_t *ike_sa,
 authenticator_t *authenticator_create_from_method(ike_sa_t *ike_sa,	
 												  auth_method_t method);
 
-#endif /* AUTHENTICATOR_H_ @} */
+#endif /** AUTHENTICATOR_H_ @}*/
diff --git a/src/charon/sa/authenticators/eap/eap_manager.h b/src/charon/sa/authenticators/eap/eap_manager.h
index 74bfa1f51..db5535a81 100644
--- a/src/charon/sa/authenticators/eap/eap_manager.h
+++ b/src/charon/sa/authenticators/eap/eap_manager.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: eap_manager.h 3589 2008-03-13 14:14:44Z martin $
+ * $Id: eap_manager.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -81,4 +81,4 @@ struct eap_manager_t {
  */
 eap_manager_t *eap_manager_create();
 
-#endif /* EAP_MANAGER_H_ @}*/
+#endif /** EAP_MANAGER_H_ @}*/
diff --git a/src/charon/sa/authenticators/eap/eap_method.c b/src/charon/sa/authenticators/eap/eap_method.c
index 6babab212..2e4307eb4 100644
--- a/src/charon/sa/authenticators/eap/eap_method.c
+++ b/src/charon/sa/authenticators/eap/eap_method.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: eap_method.c 4882 2009-02-18 19:57:15Z tobias $
+ * $Id: eap_method.c 4997 2009-03-24 10:24:58Z martin $
  */
 
 #include "eap_method.h"
@@ -30,7 +30,8 @@ ENUM_NEXT(eap_type_names, EAP_AKA, EAP_AKA, EAP_SIM,
 	"EAP_AKA");
 ENUM_NEXT(eap_type_names, EAP_MSCHAPV2, EAP_MSCHAPV2, EAP_AKA,
 	"EAP_MSCHAPV2");
-ENUM_NEXT(eap_type_names, EAP_EXPANDED, EAP_EXPERIMENTAL, EAP_MSCHAPV2,
+ENUM_NEXT(eap_type_names, EAP_RADIUS, EAP_EXPERIMENTAL, EAP_MSCHAPV2,
+	"EAP_RADIUS",
 	"EAP_EXPANDED",
 	"EAP_EXPERIMENTAL");
 ENUM_END(eap_type_names, EAP_EXPERIMENTAL);
diff --git a/src/charon/sa/authenticators/eap/eap_method.h b/src/charon/sa/authenticators/eap/eap_method.h
index 1fd7bd24b..6f3da1ba7 100644
--- a/src/charon/sa/authenticators/eap/eap_method.h
+++ b/src/charon/sa/authenticators/eap/eap_method.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: eap_method.h 4882 2009-02-18 19:57:15Z tobias $
+ * $Id: eap_method.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -57,6 +57,8 @@ enum eap_type_t {
 	EAP_SIM = 18,
 	EAP_AKA = 23,
 	EAP_MSCHAPV2 = 26,
+	/** not a method, but an implementation providing different methods */
+	EAP_RADIUS = 253,
 	EAP_EXPANDED = 254,
 	EAP_EXPERIMENTAL = 255,
 };
@@ -185,4 +187,4 @@ struct eap_method_t {
 typedef eap_method_t *(*eap_constructor_t)(identification_t *server,
 										   identification_t *peer);
 
-#endif /* EAP_METHOD_H_ @} */
+#endif /** EAP_METHOD_H_ @}*/
diff --git a/src/charon/sa/authenticators/eap/sim_manager.h b/src/charon/sa/authenticators/eap/sim_manager.h
index 7fb1f2858..69a2e4df9 100644
--- a/src/charon/sa/authenticators/eap/sim_manager.h
+++ b/src/charon/sa/authenticators/eap/sim_manager.h
@@ -133,4 +133,4 @@ struct sim_manager_t {
  */
 sim_manager_t *sim_manager_create();
 
-#endif /* SIM_MANAGER_H_ @}*/
+#endif /** SIM_MANAGER_H_ @}*/
diff --git a/src/charon/sa/authenticators/eap_authenticator.c b/src/charon/sa/authenticators/eap_authenticator.c
index 0c0abcf2e..7b97fe56c 100644
--- a/src/charon/sa/authenticators/eap_authenticator.c
+++ b/src/charon/sa/authenticators/eap_authenticator.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: eap_authenticator.c 4754 2008-12-04 10:09:21Z martin $
+ * $Id: eap_authenticator.c 5037 2009-03-26 13:58:17Z andreas $
  */
 
 #include <string.h>
@@ -141,7 +141,8 @@ static identification_t *get_peer_id(private_eap_authenticator_t *this)
 	{
 		config = this->ike_sa->get_peer_cfg(this->ike_sa);
 		auth = config->get_auth(config);
-		if (!auth->get_item(auth, AUTHN_EAP_IDENTITY, (void**)&id))
+		if (!auth->get_item(auth, AUTHN_EAP_IDENTITY, (void**)&id) ||
+			id->get_type(id) == ID_ANY)
 		{
 			if (this->role == EAP_PEER)
 			{
@@ -252,7 +253,7 @@ static status_t initiate(private_eap_authenticator_t *this, eap_type_t type,
 	if (this->method->initiate(this->method, out) != NEED_MORE)
 	{
 		DBG1(DBG_IKE, "failed to initiate EAP exchange, sending %N",
-			 eap_type_names, type, eap_code_names, EAP_FAILURE);
+			 eap_code_names, EAP_FAILURE);
 		*out = eap_payload_create_code(EAP_FAILURE, 0);
 		return FAILED;	
 	}
@@ -412,7 +413,7 @@ static status_t process_server(private_eap_authenticator_t *this,
 			}
 			else
 			{
-				DBG1(DBG_IKE, "EAP method %N failed for peer %D",
+				DBG1(DBG_IKE, "EAP method %N failed for peer '%D'",
 					 eap_type_names, type,
 					 this->ike_sa->get_other_id(this->ike_sa));
 			}
diff --git a/src/charon/sa/authenticators/eap_authenticator.h b/src/charon/sa/authenticators/eap_authenticator.h
index bd300a584..3ee6839fa 100644
--- a/src/charon/sa/authenticators/eap_authenticator.h
+++ b/src/charon/sa/authenticators/eap_authenticator.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: eap_authenticator.h 4276 2008-08-22 10:44:51Z martin $
+ * $Id: eap_authenticator.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -144,4 +144,4 @@ struct eap_authenticator_t {
  */
 eap_authenticator_t *eap_authenticator_create(ike_sa_t *ike_sa);
 
-#endif /* EAP_AUTHENTICATOR_H_ @} */
+#endif /** EAP_AUTHENTICATOR_H_ @}*/
diff --git a/src/charon/sa/authenticators/psk_authenticator.h b/src/charon/sa/authenticators/psk_authenticator.h
index c7cb5a23c..df65076a4 100644
--- a/src/charon/sa/authenticators/psk_authenticator.h
+++ b/src/charon/sa/authenticators/psk_authenticator.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: psk_authenticator.h 3589 2008-03-13 14:14:44Z martin $
+ * $Id: psk_authenticator.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -46,4 +46,4 @@ struct psk_authenticator_t {
  */
 psk_authenticator_t *psk_authenticator_create(ike_sa_t *ike_sa);
 
-#endif /* PSK_AUTHENTICATOR_H_ @} */
+#endif /** PSK_AUTHENTICATOR_H_ @}*/
diff --git a/src/charon/sa/authenticators/pubkey_authenticator.h b/src/charon/sa/authenticators/pubkey_authenticator.h
index 038d8b1d2..d2189fa97 100644
--- a/src/charon/sa/authenticators/pubkey_authenticator.h
+++ b/src/charon/sa/authenticators/pubkey_authenticator.h
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: pubkey_authenticator.h 4051 2008-06-10 09:08:27Z tobias $
+ * $Id: pubkey_authenticator.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -47,4 +47,4 @@ struct pubkey_authenticator_t {
  */
 pubkey_authenticator_t *pubkey_authenticator_create(ike_sa_t *ike_sa);
 
-#endif /* PUBKEY_AUTHENTICATOR_H_ @} */
+#endif /** PUBKEY_AUTHENTICATOR_H_ @}*/
diff --git a/src/charon/sa/child_sa.h b/src/charon/sa/child_sa.h
index 277fd0a79..70169f515 100644
--- a/src/charon/sa/child_sa.h
+++ b/src/charon/sa/child_sa.h
@@ -14,7 +14,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: child_sa.h 4677 2008-11-19 15:31:27Z martin $
+ * $Id: child_sa.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -323,8 +323,6 @@ struct child_sa_t {
  *
  * @param me				own address
  * @param other				remote address
- * @param my_id				id of own peer
- * @param other_id			id of remote peer
  * @param config			config to use for this CHILD_SA
  * @param reqid				reqid of old CHILD_SA when rekeying, 0 otherwise
  * @param encap				TRUE to enable UDP encapsulation (NAT traversal)
@@ -333,4 +331,4 @@ struct child_sa_t {
 child_sa_t * child_sa_create(host_t *me, host_t *other, child_cfg_t *config,
 							 u_int32_t reqid, bool encap);
 
-#endif /*CHILD_SA_H_ @} */
+#endif /** CHILD_SA_H_ @}*/
diff --git a/src/charon/sa/connect_manager.h b/src/charon/sa/connect_manager.h
index 38d8e7a49..c16f87352 100644
--- a/src/charon/sa/connect_manager.h
+++ b/src/charon/sa/connect_manager.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: connect_manager.h 3792 2008-04-10 12:51:04Z tobias $
+ * $Id: connect_manager.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -120,4 +120,4 @@ struct connect_manager_t {
  */
 connect_manager_t *connect_manager_create(void);
 
-#endif /*CONNECT_MANAGER_H_ @} */
+#endif /** CONNECT_MANAGER_H_ @}*/
diff --git a/src/charon/sa/ike_sa.h b/src/charon/sa/ike_sa.h
index d3976527b..3ca8d9521 100644
--- a/src/charon/sa/ike_sa.h
+++ b/src/charon/sa/ike_sa.h
@@ -15,7 +15,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: ike_sa.h 4810 2008-12-16 17:21:28Z tobias $
+ * $Id: ike_sa.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -920,4 +920,4 @@ struct ike_sa_t {
  */
 ike_sa_t *ike_sa_create(ike_sa_id_t *ike_sa_id);
 
-#endif /* IKE_SA_H_ @} */
+#endif /** IKE_SA_H_ @}*/
diff --git a/src/charon/sa/ike_sa_id.h b/src/charon/sa/ike_sa_id.h
index 652c968b6..db36fda95 100644
--- a/src/charon/sa/ike_sa_id.h
+++ b/src/charon/sa/ike_sa_id.h
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: ike_sa_id.h 3589 2008-03-13 14:14:44Z martin $
+ * $Id: ike_sa_id.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -125,4 +125,4 @@ struct ike_sa_id_t {
 ike_sa_id_t * ike_sa_id_create(u_int64_t initiator_spi, u_int64_t responder_spi,
 							   bool is_initiaor);
 
-#endif /*IKE_SA_ID_H_ @} */
+#endif /** IKE_SA_ID_H_ @}*/
diff --git a/src/charon/sa/ike_sa_manager.c b/src/charon/sa/ike_sa_manager.c
index 447fa2dd5..e2aacddd5 100644
--- a/src/charon/sa/ike_sa_manager.c
+++ b/src/charon/sa/ike_sa_manager.c
@@ -14,7 +14,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: ike_sa_manager.c 4811 2008-12-17 09:00:22Z martin $
+ * $Id: ike_sa_manager.c 5035 2009-03-26 13:18:19Z andreas $
  */
 
 #include <string.h>
@@ -1476,8 +1476,8 @@ static bool check_uniqueness(private_ike_sa_manager_t *this, ike_sa_t *ike_sa)
 					switch (policy)
 					{
 						case UNIQUE_REPLACE:
-							DBG1(DBG_IKE, "deleting duplicate IKE_SA due"
-									" uniqueness policy");
+							DBG1(DBG_IKE, "deleting duplicate IKE_SA for peer "
+									"'%D' due to uniqueness policy", other);
 							status = duplicate->delete(duplicate);
 							break;
 						case UNIQUE_KEEP:
diff --git a/src/charon/sa/ike_sa_manager.h b/src/charon/sa/ike_sa_manager.h
index 6b6d5a32d..8fe991521 100644
--- a/src/charon/sa/ike_sa_manager.h
+++ b/src/charon/sa/ike_sa_manager.h
@@ -14,7 +14,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: ike_sa_manager.h 4811 2008-12-17 09:00:22Z martin $
+ * $Id: ike_sa_manager.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -216,4 +216,4 @@ struct ike_sa_manager_t {
  */
 ike_sa_manager_t *ike_sa_manager_create(void);
 
-#endif /*IKE_SA_MANAGER_H_ @} */
+#endif /** IKE_SA_MANAGER_H_ @}*/
diff --git a/src/charon/sa/keymat.h b/src/charon/sa/keymat.h
index 0d6d08f51..659e4dff2 100644
--- a/src/charon/sa/keymat.h
+++ b/src/charon/sa/keymat.h
@@ -162,4 +162,4 @@ struct keymat_t {
  */
 keymat_t *keymat_create(bool initiator);
 
-#endif /* KEYMAT_ @}*/
+#endif /** KEYMAT_ @}*/
diff --git a/src/charon/sa/mediation_manager.h b/src/charon/sa/mediation_manager.h
index d21c93244..7eee09d67 100644
--- a/src/charon/sa/mediation_manager.h
+++ b/src/charon/sa/mediation_manager.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: mediation_manager.h 3589 2008-03-13 14:14:44Z martin $
+ * $Id: mediation_manager.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -88,4 +88,4 @@ struct mediation_manager_t {
  */
 mediation_manager_t *mediation_manager_create(void);
 
-#endif /*MEDIATION_MANAGER_H_ @} */
+#endif /** MEDIATION_MANAGER_H_ @}*/
diff --git a/src/charon/sa/task_manager.h b/src/charon/sa/task_manager.h
index 2aa6018fd..db21684c3 100644
--- a/src/charon/sa/task_manager.h
+++ b/src/charon/sa/task_manager.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: task_manager.h 4689 2008-11-24 12:46:06Z martin $
+ * $Id: task_manager.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -87,7 +87,7 @@ typedef struct task_manager_t task_manager_t;
    4s * (1.8 ** 4) =   42s        89s
    4s * (1.8 ** 5) =   76s       165s
  
-   @endberbatim
+   @endverbatim
  * The peer is considered dead after 2min 45s when no reply comes in.
  */
 struct task_manager_t {
@@ -172,4 +172,4 @@ struct task_manager_t {
  */
 task_manager_t *task_manager_create(ike_sa_t *ike_sa);
 
-#endif /* TASK_MANAGER_H_ @} */
+#endif /** TASK_MANAGER_H_ @}*/
diff --git a/src/charon/sa/tasks/child_create.h b/src/charon/sa/tasks/child_create.h
index cee37121e..d01baa594 100644
--- a/src/charon/sa/tasks/child_create.h
+++ b/src/charon/sa/tasks/child_create.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: child_create.h 3589 2008-03-13 14:14:44Z martin $
+ * $Id: child_create.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -77,4 +77,4 @@ struct child_create_t {
  */
 child_create_t *child_create_create(ike_sa_t *ike_sa, child_cfg_t *config);
 
-#endif /* CHILD_CREATE_H_ @} */
+#endif /** CHILD_CREATE_H_ @}*/
diff --git a/src/charon/sa/tasks/child_delete.h b/src/charon/sa/tasks/child_delete.h
index c5ebec338..8886ff4a1 100644
--- a/src/charon/sa/tasks/child_delete.h
+++ b/src/charon/sa/tasks/child_delete.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: child_delete.h 4730 2008-12-01 18:38:28Z martin $
+ * $Id: child_delete.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -59,4 +59,4 @@ struct child_delete_t {
 child_delete_t *child_delete_create(ike_sa_t *ike_sa, protocol_id_t protocol,
 									u_int32_t spi);
 
-#endif /* CHILD_DELETE_H_ @} */
+#endif /** CHILD_DELETE_H_ @}*/
diff --git a/src/charon/sa/tasks/child_rekey.h b/src/charon/sa/tasks/child_rekey.h
index 37b61a9ef..42fce0742 100644
--- a/src/charon/sa/tasks/child_rekey.h
+++ b/src/charon/sa/tasks/child_rekey.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: child_rekey.h 4730 2008-12-01 18:38:28Z martin $
+ * $Id: child_rekey.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -63,4 +63,4 @@ struct child_rekey_t {
 child_rekey_t *child_rekey_create(ike_sa_t *ike_sa, protocol_id_t protocol,
 								  u_int32_t spi);
 
-#endif /* CHILD_REKEY_H_ @} */
+#endif /** CHILD_REKEY_H_ @}*/
diff --git a/src/charon/sa/tasks/ike_auth.h b/src/charon/sa/tasks/ike_auth.h
index 15f98f312..a4719ec24 100644
--- a/src/charon/sa/tasks/ike_auth.h
+++ b/src/charon/sa/tasks/ike_auth.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: ike_auth.h 3589 2008-03-13 14:14:44Z martin $
+ * $Id: ike_auth.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -56,4 +56,4 @@ struct ike_auth_t {
  */
 ike_auth_t *ike_auth_create(ike_sa_t *ike_sa, bool initiator);
 
-#endif /* IKE_AUTH_H_ @} */
+#endif /** IKE_AUTH_H_ @}*/
diff --git a/src/charon/sa/tasks/ike_auth_lifetime.h b/src/charon/sa/tasks/ike_auth_lifetime.h
index 21a3bbfdc..46595e6ed 100644
--- a/src/charon/sa/tasks/ike_auth_lifetime.h
+++ b/src/charon/sa/tasks/ike_auth_lifetime.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: ike_auth_lifetime.h 3589 2008-03-13 14:14:44Z martin $
+ * $Id: ike_auth_lifetime.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -52,4 +52,4 @@ struct ike_auth_lifetime_t {
  */
 ike_auth_lifetime_t *ike_auth_lifetime_create(ike_sa_t *ike_sa, bool initiator);
 
-#endif /* IKE_MOBIKE_H_ @} */
+#endif /** IKE_MOBIKE_H_ @}*/
diff --git a/src/charon/sa/tasks/ike_cert_post.h b/src/charon/sa/tasks/ike_cert_post.h
index 78b32d67a..ec9d172e1 100644
--- a/src/charon/sa/tasks/ike_cert_post.h
+++ b/src/charon/sa/tasks/ike_cert_post.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: ike_cert_post.h 3589 2008-03-13 14:14:44Z martin $
+ * $Id: ike_cert_post.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -52,4 +52,4 @@ struct ike_cert_post_t {
  */
 ike_cert_post_t *ike_cert_post_create(ike_sa_t *ike_sa, bool initiator);
 
-#endif /*  IKE_CERT_POST_H_ @} */
+#endif /** IKE_CERT_POST_H_ @}*/
diff --git a/src/charon/sa/tasks/ike_cert_pre.h b/src/charon/sa/tasks/ike_cert_pre.h
index d8793a8e2..d6d06b04f 100644
--- a/src/charon/sa/tasks/ike_cert_pre.h
+++ b/src/charon/sa/tasks/ike_cert_pre.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: ike_cert_pre.h 3589 2008-03-13 14:14:44Z martin $
+ * $Id: ike_cert_pre.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -52,4 +52,4 @@ struct ike_cert_pre_t {
  */
 ike_cert_pre_t *ike_cert_pre_create(ike_sa_t *ike_sa, bool initiator);
 
-#endif /* IKE_CERT_PRE_H_ @} */
+#endif /** IKE_CERT_PRE_H_ @}*/
diff --git a/src/charon/sa/tasks/ike_config.h b/src/charon/sa/tasks/ike_config.h
index 23410a196..cc709f4d6 100644
--- a/src/charon/sa/tasks/ike_config.h
+++ b/src/charon/sa/tasks/ike_config.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: ike_config.h 3589 2008-03-13 14:14:44Z martin $
+ * $Id: ike_config.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -50,4 +50,4 @@ struct ike_config_t {
  */
 ike_config_t *ike_config_create(ike_sa_t *ike_sa, bool initiator);
 
-#endif /* IKE_CONFIG_H_ @} */
+#endif /** IKE_CONFIG_H_ @}*/
diff --git a/src/charon/sa/tasks/ike_delete.h b/src/charon/sa/tasks/ike_delete.h
index 6d08d345d..ea4e9832b 100644
--- a/src/charon/sa/tasks/ike_delete.h
+++ b/src/charon/sa/tasks/ike_delete.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: ike_delete.h 3589 2008-03-13 14:14:44Z martin $
+ * $Id: ike_delete.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -49,4 +49,4 @@ struct ike_delete_t {
  */
 ike_delete_t *ike_delete_create(ike_sa_t *ike_sa, bool initiator);
 
-#endif /* IKE_DELETE_H_ @} */
+#endif /** IKE_DELETE_H_ @}*/
diff --git a/src/charon/sa/tasks/ike_dpd.h b/src/charon/sa/tasks/ike_dpd.h
index 62b8a6a10..0eadd0db7 100644
--- a/src/charon/sa/tasks/ike_dpd.h
+++ b/src/charon/sa/tasks/ike_dpd.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: ike_dpd.h 3589 2008-03-13 14:14:44Z martin $
+ * $Id: ike_dpd.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -50,4 +50,4 @@ struct ike_dpd_t {
  */
 ike_dpd_t *ike_dpd_create(bool initiator);
 
-#endif /* IKE_DPD_H_ @} */
+#endif /** IKE_DPD_H_ @}*/
diff --git a/src/charon/sa/tasks/ike_init.h b/src/charon/sa/tasks/ike_init.h
index 0e5a913fd..84f28a98d 100644
--- a/src/charon/sa/tasks/ike_init.h
+++ b/src/charon/sa/tasks/ike_init.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: ike_init.h 3589 2008-03-13 14:14:44Z martin $
+ * $Id: ike_init.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -59,4 +59,4 @@ struct ike_init_t {
  */
 ike_init_t *ike_init_create(ike_sa_t *ike_sa, bool initiator, ike_sa_t *old_sa);
 
-#endif /* IKE_INIT_H_ @} */
+#endif /** IKE_INIT_H_ @}*/
diff --git a/src/charon/sa/tasks/ike_me.h b/src/charon/sa/tasks/ike_me.h
index c9a515c8f..3bef0a7f1 100644
--- a/src/charon/sa/tasks/ike_me.h
+++ b/src/charon/sa/tasks/ike_me.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: ike_me.h 3666 2008-03-26 18:40:19Z tobias $
+ * $Id: ike_me.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -97,4 +97,4 @@ struct ike_me_t {
  */
 ike_me_t *ike_me_create(ike_sa_t *ike_sa, bool initiator);
 
-#endif /*IKE_ME_H_ @} */
+#endif /** IKE_ME_H_ @}*/
diff --git a/src/charon/sa/tasks/ike_mobike.h b/src/charon/sa/tasks/ike_mobike.h
index f8f094456..4a2006a80 100644
--- a/src/charon/sa/tasks/ike_mobike.h
+++ b/src/charon/sa/tasks/ike_mobike.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: ike_mobike.h 4368 2008-10-06 13:37:04Z martin $
+ * $Id: ike_mobike.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -87,4 +87,4 @@ struct ike_mobike_t {
  */
 ike_mobike_t *ike_mobike_create(ike_sa_t *ike_sa, bool initiator);
 
-#endif /* IKE_MOBIKE_H_ @} */
+#endif /** IKE_MOBIKE_H_ @}*/
diff --git a/src/charon/sa/tasks/ike_natd.c b/src/charon/sa/tasks/ike_natd.c
index 9e62fcbdf..eb84c876f 100644
--- a/src/charon/sa/tasks/ike_natd.c
+++ b/src/charon/sa/tasks/ike_natd.c
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: ike_natd.c 4386 2008-10-08 08:23:46Z martin $
+ * $Id: ike_natd.c 5029 2009-03-26 11:49:07Z martin $
  */
 
 #include "ike_natd.h"
@@ -356,7 +356,11 @@ static status_t build_i(private_ike_natd_t *this, message_t *message)
 										charon->kernel_interface, FALSE, FALSE);
 			while (enumerator->enumerate(enumerator, (void**)&host))
 			{
+				/* apply port 500 to host, but work on a copy */
+				host = host->clone(host);
+				host->set_port(host, IKEV2_UDP_PORT);
 				notify = build_natd_payload(this, NAT_DETECTION_SOURCE_IP, host);
+				host->destroy(host);
 				message->add_payload(message, (payload_t*)notify);
 			}
 			enumerator->destroy(enumerator);
diff --git a/src/charon/sa/tasks/ike_natd.h b/src/charon/sa/tasks/ike_natd.h
index 7e1e58bc0..155ae4b4c 100644
--- a/src/charon/sa/tasks/ike_natd.h
+++ b/src/charon/sa/tasks/ike_natd.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: ike_natd.h 4368 2008-10-06 13:37:04Z martin $
+ * $Id: ike_natd.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -58,4 +58,4 @@ struct ike_natd_t {
  */
 ike_natd_t *ike_natd_create(ike_sa_t *ike_sa, bool initiator);
 
-#endif /* IKE_NATD_H_ @} */
+#endif /** IKE_NATD_H_ @}*/
diff --git a/src/charon/sa/tasks/ike_reauth.h b/src/charon/sa/tasks/ike_reauth.h
index 1076cc7cc..689550c92 100644
--- a/src/charon/sa/tasks/ike_reauth.h
+++ b/src/charon/sa/tasks/ike_reauth.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: ike_reauth.h 3589 2008-03-13 14:14:44Z martin $
+ * $Id: ike_reauth.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -50,4 +50,4 @@ struct ike_reauth_t {
  */
 ike_reauth_t *ike_reauth_create(ike_sa_t *ike_sa);
 
-#endif /* IKE_REAUTH_H_ @} */
+#endif /** IKE_REAUTH_H_ @}*/
diff --git a/src/charon/sa/tasks/ike_rekey.h b/src/charon/sa/tasks/ike_rekey.h
index 1bfde8a54..ab82789f3 100644
--- a/src/charon/sa/tasks/ike_rekey.h
+++ b/src/charon/sa/tasks/ike_rekey.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: ike_rekey.h 3589 2008-03-13 14:14:44Z martin $
+ * $Id: ike_rekey.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -60,4 +60,4 @@ struct ike_rekey_t {
  */
 ike_rekey_t *ike_rekey_create(ike_sa_t *ike_sa, bool initiator);
 
-#endif /* IKE_REKEY_H_ @} */
+#endif /** IKE_REKEY_H_ @}*/
diff --git a/src/charon/sa/tasks/task.h b/src/charon/sa/tasks/task.h
index 26b4f214e..a5eb2caa3 100644
--- a/src/charon/sa/tasks/task.h
+++ b/src/charon/sa/tasks/task.h
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: task.h 3666 2008-03-26 18:40:19Z tobias $
+ * $Id: task.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -145,4 +145,4 @@ struct task_t {
 	void (*destroy) (task_t *this);
 };
 
-#endif /* TASK_H_ @} */
+#endif /** TASK_H_ @}*/
diff --git a/src/libfast/context.h b/src/libfast/context.h
index dc1450bd1..3f21ea6f2 100644
--- a/src/libfast/context.h
+++ b/src/libfast/context.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: context.h 3489 2008-02-22 09:40:58Z martin $
+ * $Id: context.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -41,4 +41,4 @@ struct context_t {
 	void (*destroy) (context_t *this);
 };
 
-#endif /* CONTEXT_H_ @}*/
+#endif /** CONTEXT_H_ @}*/
diff --git a/src/libfast/controller.h b/src/libfast/controller.h
index 162e114e3..9bfb04bab 100644
--- a/src/libfast/controller.h
+++ b/src/libfast/controller.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: controller.h 3489 2008-02-22 09:40:58Z martin $
+ * $Id: controller.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -76,4 +76,4 @@ struct controller_t {
 	void (*destroy) (controller_t *this);
 };
 
-#endif /* CONTROLLER_H_ @} */
+#endif /** CONTROLLER_H_ @}*/
diff --git a/src/libfast/dispatcher.h b/src/libfast/dispatcher.h
index 98a7b7e30..bcd1712ce 100644
--- a/src/libfast/dispatcher.h
+++ b/src/libfast/dispatcher.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: dispatcher.h 3519 2008-03-02 12:14:34Z martin $
+ * $Id: dispatcher.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -136,4 +136,4 @@ struct dispatcher_t {
 dispatcher_t *dispatcher_create(char *socket, bool debug, int timeout,
 								context_constructor_t constructor, void *param);
 
-#endif /* DISPATCHER_H_ @} */
+#endif /** DISPATCHER_H_ @}*/
diff --git a/src/libfast/request.h b/src/libfast/request.h
index b0d5bd89c..25fa5fc60 100644
--- a/src/libfast/request.h
+++ b/src/libfast/request.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: request.h 3531 2008-03-06 09:50:56Z martin $
+ * $Id: request.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -183,4 +183,4 @@ struct request_t {
  */
 request_t *request_create(int fd, bool debug);
 
-#endif /* REQUEST_H_ @} */
+#endif /** REQUEST_H_ @}*/
diff --git a/src/libfast/session.h b/src/libfast/session.h
index 0df5d5482..a782a8fe4 100644
--- a/src/libfast/session.h
+++ b/src/libfast/session.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: session.h 3519 2008-03-02 12:14:34Z martin $
+ * $Id: session.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -77,4 +77,4 @@ struct session_t {
  */
 session_t *session_create(context_t *context);
 
-#endif /* SESSION_H_ @} */
+#endif /** SESSION_H_ @}*/
diff --git a/src/libstrongswan/asn1/asn1.c b/src/libstrongswan/asn1/asn1.c
index 1359dcd2d..8b9762777 100644
--- a/src/libstrongswan/asn1/asn1.c
+++ b/src/libstrongswan/asn1/asn1.c
@@ -14,7 +14,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: asn1.c 4942 2009-03-13 20:22:24Z andreas $
+ * $Id: asn1.c 5041 2009-03-27 08:58:48Z andreas $
  */
 
 #include <stdio.h>
@@ -264,13 +264,15 @@ u_int asn1_length(chunk_t *blob)
 	return len;
 }
 
+#define TIME_MAX	0x7fffffff
+
 /**
  * Converts ASN.1 UTCTIME or GENERALIZEDTIME into calender time
  */
 time_t asn1_to_time(const chunk_t *utctime, asn1_t type)
 {
 	struct tm t;
-	time_t tz_offset;
+	time_t tc, tz_offset;
 	u_char *eot = NULL;
 	
 	if ((eot = memchr(utctime->ptr, 'Z', utctime->len)) != NULL)
@@ -296,12 +298,13 @@ time_t asn1_to_time(const chunk_t *utctime, asn1_t type)
 		return 0; /* error in time format */
 	}
 	
+	/* parse ASN.1 time string */
 	{
-	const char* format = (type == ASN1_UTCTIME)? "%2d%2d%2d%2d%2d":
-			"%4d%2d%2d%2d%2d";
+		const char* format = (type == ASN1_UTCTIME)? "%2d%2d%2d%2d%2d":
+													 "%4d%2d%2d%2d%2d";
 	
-	sscanf(utctime->ptr, format, &t.tm_year, &t.tm_mon, &t.tm_mday,
-		   &t.tm_hour, &t.tm_min);
+		sscanf(utctime->ptr, format, &t.tm_year, &t.tm_mon, &t.tm_mday,
+			   						 &t.tm_hour, &t.tm_min);
 	}
 	
 	/* is there a seconds field? */
@@ -334,9 +337,11 @@ time_t asn1_to_time(const chunk_t *utctime, asn1_t type)
 	/* set daylight saving time to off */
 	t.tm_isdst = 0;
 	
-	/* compensate timezone */
-	
-	return mktime(&t) - timezone - tz_offset;
+	/* convert to time_t */
+	tc = mktime(&t);
+
+	/* if no conversion overflow occurred, compensate timezone */
+	return (tc == -1) ? TIME_MAX : (tc - timezone - tz_offset);
 }
 
 /**
diff --git a/src/libstrongswan/asn1/asn1.h b/src/libstrongswan/asn1/asn1.h
index 0f2e6e5c0..4ea89730c 100644
--- a/src/libstrongswan/asn1/asn1.h
+++ b/src/libstrongswan/asn1/asn1.h
@@ -14,7 +14,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: asn1.h 3876 2008-04-26 09:24:14Z andreas $
+ * $Id: asn1.h 5003 2009-03-24 17:43:01Z martin $
  */
  
 /**
@@ -110,7 +110,7 @@ int asn1_known_oid(chunk_t object);
  * Returns the length of an ASN.1 object
  * The blob pointer is advanced past the tag length fields
  *
- * @param			pointer to an ASN.1 coded blob
+ * @param blob		pointer to an ASN.1 coded blob
  * @return			length of ASN.1 object
  */
 u_int asn1_length(chunk_t *blob);
@@ -168,7 +168,7 @@ chunk_t asn1_from_time(const time_t *time, asn1_t type);
  * Parse an ASN.1 UTCTIME or GENERALIZEDTIME object
  *
  * @param blob		ASN.1 coded time object
- * @param level		top-most level offset
+ * @param level0	top-most level offset
  * @return			time_t in UTC 	
  */
 time_t asn1_parse_time(chunk_t blob, int level0);
@@ -223,10 +223,10 @@ chunk_t asn1_bitstring(const char *mode, chunk_t content);
 /**
  * Build an ASN.1 object from a variable number of individual chunks
  *
- * @param typ		ASN.1 type to be created
+ * @param type		ASN.1 type to be created
  * @param mode		for each list member: 'c' for copy or 'm' for move
  * @return			chunk containing the ASN.1 coded object
  */
 chunk_t asn1_wrap(asn1_t type, const char *mode, ...);
 
-#endif /* ASN1_H_ @}*/
+#endif /** ASN1_H_ @}*/
diff --git a/src/libstrongswan/asn1/asn1_parser.h b/src/libstrongswan/asn1/asn1_parser.h
index d84a5336f..bcc966e04 100644
--- a/src/libstrongswan/asn1/asn1_parser.h
+++ b/src/libstrongswan/asn1/asn1_parser.h
@@ -14,7 +14,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: asn1_parser.h 3894 2008-04-28 18:44:21Z andreas $
+ * $Id: asn1_parser.h 5003 2009-03-24 17:43:01Z martin $
  */
  
 /**
@@ -116,4 +116,4 @@ struct asn1_parser_t {
  */
 asn1_parser_t* asn1_parser_create(asn1Object_t const *objects, chunk_t blob);
 
-#endif /* ASN1_PARSER_H_ @}*/
+#endif /** ASN1_PARSER_H_ @}*/
diff --git a/src/libstrongswan/chunk.h b/src/libstrongswan/chunk.h
index 5eb8f8d8a..125b86b12 100644
--- a/src/libstrongswan/chunk.h
+++ b/src/libstrongswan/chunk.h
@@ -14,7 +14,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: chunk.h 4936 2009-03-12 18:07:32Z tobias $
+ * $Id: chunk.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -92,11 +92,11 @@ bool chunk_write(chunk_t chunk, char *path, mode_t mask, bool force);
 /**
  * Convert a chunk of data to hex encoding.
  *
- * The resulting string is '\0' terminated, but the chunk does not include
- * the '\0'. If buf is supplied, it must hold at least (chunk.len * 2 + 1).
+ * The resulting string is '\\0' terminated, but the chunk does not include
+ * the '\\0'. If buf is supplied, it must hold at least (chunk.len * 2 + 1).
  *
  * @param chunk			data to convert
- * @param buff			buffer to write to, NULL to malloc
+ * @param buf			buffer to write to, NULL to malloc
  * @param uppercase		TRUE to use uppercase letters
  * @return				chunk of encoded data
  */
@@ -117,11 +117,11 @@ chunk_t chunk_from_hex(chunk_t hex, char *buf);
 /**
  * Convert a chunk of data to its base64 encoding.
  *
- * The resulting string is '\0' terminated, but the chunk does not include
- * the '\0'. If buf is supplied, it must hold at least (chunk.len * 4 / 3 + 1).
+ * The resulting string is '\\0' terminated, but the chunk does not include
+ * the '\\0'. If buf is supplied, it must hold at least (chunk.len * 4 / 3 + 1).
  *
  * @param chunk			data to convert
- * @param buff			buffer to write to, NULL to malloc
+ * @param buf			buffer to write to, NULL to malloc
  * @return				chunk of encoded data
  */
 chunk_t chunk_to_base64(chunk_t chunk, char *buf);
@@ -249,4 +249,4 @@ u_int32_t chunk_hash_inc(chunk_t chunk, u_int32_t hash);
 int chunk_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
 					  const void *const *args);
 
-#endif /* CHUNK_H_ @}*/
+#endif /** CHUNK_H_ @}*/
diff --git a/src/libstrongswan/credentials/builder.h b/src/libstrongswan/credentials/builder.h
index 332d52d52..4b3fb1ae4 100644
--- a/src/libstrongswan/credentials/builder.h
+++ b/src/libstrongswan/credentials/builder.h
@@ -129,4 +129,4 @@ struct builder_t {
  */
 void* builder_free(builder_t *this);
 
-#endif /* BUILDER_H_ @}*/
+#endif /** BUILDER_H_ @}*/
diff --git a/src/libstrongswan/credentials/certificates/ac.h b/src/libstrongswan/credentials/certificates/ac.h
index 4e33390bb..39ab8fe71 100644
--- a/src/libstrongswan/credentials/certificates/ac.h
+++ b/src/libstrongswan/credentials/certificates/ac.h
@@ -82,5 +82,4 @@ struct ac_t {
 	bool (*equals_holder) (ac_t *this, ac_t *other);
 };
 
-#endif /* AC_H_ @}*/
-
+#endif /** AC_H_ @}*/
diff --git a/src/libstrongswan/credentials/certificates/certificate.h b/src/libstrongswan/credentials/certificates/certificate.h
index 14f4de389..1fb151d9f 100644
--- a/src/libstrongswan/credentials/certificates/certificate.h
+++ b/src/libstrongswan/credentials/certificates/certificate.h
@@ -189,4 +189,4 @@ struct certificate_t {
     void (*destroy)(certificate_t *this);
 };
 
-#endif /* CERTIFICATE_H_ @}*/
+#endif /** CERTIFICATE_H_ @}*/
diff --git a/src/libstrongswan/credentials/certificates/crl.h b/src/libstrongswan/credentials/certificates/crl.h
index f1fb70efd..0c0493940 100644
--- a/src/libstrongswan/credentials/certificates/crl.h
+++ b/src/libstrongswan/credentials/certificates/crl.h
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: crl.h 3656 2008-03-25 22:28:27Z andreas $
+ * $Id: crl.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -85,4 +85,4 @@ struct crl_t {
 	
 };
 
-#endif /* CRL_H_ @}*/
+#endif /** CRL_H_ @}*/
diff --git a/src/libstrongswan/credentials/certificates/ocsp_request.h b/src/libstrongswan/credentials/certificates/ocsp_request.h
index 377eabd23..25ecb8d35 100644
--- a/src/libstrongswan/credentials/certificates/ocsp_request.h
+++ b/src/libstrongswan/credentials/certificates/ocsp_request.h
@@ -38,4 +38,4 @@ struct ocsp_request_t {
 	certificate_t interface;
 };
 
-#endif /* OCSP_REQUEST_H_ @}*/
+#endif /** OCSP_REQUEST_H_ @}*/
diff --git a/src/libstrongswan/credentials/certificates/ocsp_response.h b/src/libstrongswan/credentials/certificates/ocsp_response.h
index 416f712f3..3c9794956 100644
--- a/src/libstrongswan/credentials/certificates/ocsp_response.h
+++ b/src/libstrongswan/credentials/certificates/ocsp_response.h
@@ -81,4 +81,4 @@ struct ocsp_response_t {
 	enumerator_t* (*create_cert_enumerator)(ocsp_response_t *this);	
 };
 
-#endif /* OCSP_RESPONSE_H_ @}*/
+#endif /** OCSP_RESPONSE_H_ @}*/
diff --git a/src/libstrongswan/credentials/certificates/x509.h b/src/libstrongswan/credentials/certificates/x509.h
index 737dcdc67..704f11522 100644
--- a/src/libstrongswan/credentials/certificates/x509.h
+++ b/src/libstrongswan/credentials/certificates/x509.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: x509.h 3656 2008-03-25 22:28:27Z andreas $
+ * $Id: x509.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -104,4 +104,4 @@ struct x509_t {
 	enumerator_t* (*create_ocsp_uri_enumerator)(x509_t *this);
 };
 
-#endif /* X509_H_ @}*/
+#endif /** X509_H_ @}*/
diff --git a/src/libstrongswan/credentials/credential_factory.h b/src/libstrongswan/credentials/credential_factory.h
index dc4d62679..42fb2df6d 100644
--- a/src/libstrongswan/credentials/credential_factory.h
+++ b/src/libstrongswan/credentials/credential_factory.h
@@ -109,4 +109,4 @@ struct credential_factory_t {
  */
 credential_factory_t *credential_factory_create();
 
-#endif /* CREDENTIAL_FACTORY_H_ @}*/
+#endif /** CREDENTIAL_FACTORY_H_ @}*/
diff --git a/src/libstrongswan/credentials/keys/private_key.h b/src/libstrongswan/credentials/keys/private_key.h
index c28988309..219926af1 100644
--- a/src/libstrongswan/credentials/keys/private_key.h
+++ b/src/libstrongswan/credentials/keys/private_key.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: private_key.h 3620 2008-03-19 14:21:56Z martin $
+ * $Id: private_key.h 5003 2009-03-24 17:43:01Z martin $
  */
  
 /**
@@ -111,4 +111,4 @@ struct private_key_t {
     void (*destroy)(private_key_t *this);
 };
 
-#endif /* PRIVATE_KEY_H_ @} */
+#endif /** PRIVATE_KEY_H_ @}*/
diff --git a/src/libstrongswan/credentials/keys/public_key.h b/src/libstrongswan/credentials/keys/public_key.h
index 62dbe4303..65bb5f64d 100644
--- a/src/libstrongswan/credentials/keys/public_key.h
+++ b/src/libstrongswan/credentials/keys/public_key.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: public_key.h 4051 2008-06-10 09:08:27Z tobias $
+ * $Id: public_key.h 5003 2009-03-24 17:43:01Z martin $
  */
  
 /**
@@ -152,4 +152,4 @@ struct public_key_t {
 	void (*destroy)(public_key_t *this);
 };
 
-#endif /* PUBLIC_KEY_H_ @} */
+#endif /** PUBLIC_KEY_H_ @}*/
diff --git a/src/libstrongswan/crypto/crypters/crypter.h b/src/libstrongswan/crypto/crypters/crypter.h
index 1a70bd125..d61d98f95 100644
--- a/src/libstrongswan/crypto/crypters/crypter.h
+++ b/src/libstrongswan/crypto/crypters/crypter.h
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: crypter.h 4886 2009-02-19 13:46:08Z tobias $
+ * $Id: crypter.h 5003 2009-03-24 17:43:01Z martin $
  */
  
 /**
@@ -122,4 +122,4 @@ struct crypter_t {
 	void (*destroy) (crypter_t *this);
 };
 
-#endif /*CRYPTER_H_ @} */
+#endif /** CRYPTER_H_ @}*/
diff --git a/src/libstrongswan/crypto/crypto_factory.h b/src/libstrongswan/crypto/crypto_factory.h
index cdb9b47ba..e2d2de71a 100644
--- a/src/libstrongswan/crypto/crypto_factory.h
+++ b/src/libstrongswan/crypto/crypto_factory.h
@@ -267,4 +267,4 @@ struct crypto_factory_t {
  */
 crypto_factory_t *crypto_factory_create();
 
-#endif /* CRYPTO_FACTORY_H_ @}*/
+#endif /** CRYPTO_FACTORY_H_ @}*/
diff --git a/src/libstrongswan/crypto/diffie_hellman.h b/src/libstrongswan/crypto/diffie_hellman.h
index 4147d85af..5aaba383e 100644
--- a/src/libstrongswan/crypto/diffie_hellman.h
+++ b/src/libstrongswan/crypto/diffie_hellman.h
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: diffie_hellman.h 4685 2008-11-22 16:14:55Z martin $
+ * $Id: diffie_hellman.h 5003 2009-03-24 17:43:01Z martin $
  */
  
 /**
@@ -108,4 +108,4 @@ struct diffie_hellman_t {
 	void (*destroy) (diffie_hellman_t *this);
 };
 
-#endif /*DIFFIE_HELLMAN_H_ @} */
+#endif /** DIFFIE_HELLMAN_H_ @}*/
diff --git a/src/libstrongswan/crypto/hashers/hasher.h b/src/libstrongswan/crypto/hashers/hasher.h
index fe2f48be6..1db5c14cc 100644
--- a/src/libstrongswan/crypto/hashers/hasher.h
+++ b/src/libstrongswan/crypto/hashers/hasher.h
@@ -14,7 +14,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: hasher.h 4880 2009-02-18 19:45:46Z tobias $
+ * $Id: hasher.h 5003 2009-03-24 17:43:01Z martin $
  */
  
 /**
@@ -133,4 +133,4 @@ int hasher_algorithm_to_oid(hash_algorithm_t alg);
  */
 int hasher_signature_algorithm_to_oid(hash_algorithm_t alg);
 
-#endif /* HASHER_H_ @} */
+#endif /** HASHER_H_ @}*/
diff --git a/src/libstrongswan/crypto/pkcs9.h b/src/libstrongswan/crypto/pkcs9.h
index 89cdec83d..698f3c172 100644
--- a/src/libstrongswan/crypto/pkcs9.h
+++ b/src/libstrongswan/crypto/pkcs9.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: pkcs9.h 3589 2008-03-13 14:14:44Z martin $
+ * $Id: pkcs9.h 5003 2009-03-24 17:43:01Z martin $
  */
  
 /**
@@ -92,9 +92,8 @@ pkcs9_t *pkcs9_create_from_chunk(chunk_t chunk, u_int level);
 /**
  * Create an empty PKCS#9 attribute list
  * 
- * @param chunk			chunk containing data
  * @return 				created pkcs9 attribute list.
  */
 pkcs9_t *pkcs9_create(void);
 
-#endif /* PKCS9_H_ @} */
+#endif /** PKCS9_H_ @}*/
diff --git a/src/libstrongswan/crypto/prf_plus.h b/src/libstrongswan/crypto/prf_plus.h
index e63827858..4c98e4ad1 100644
--- a/src/libstrongswan/crypto/prf_plus.h
+++ b/src/libstrongswan/crypto/prf_plus.h
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: prf_plus.h 3589 2008-03-13 14:14:44Z martin $
+ * $Id: prf_plus.h 5003 2009-03-24 17:43:01Z martin $
  */
  
 /**
@@ -77,4 +77,4 @@ struct prf_plus_t {
  */
 prf_plus_t *prf_plus_create(prf_t *prf, chunk_t seed);
 
-#endif /*PRF_PLUS_H_ @} */
+#endif /** PRF_PLUS_H_ @}*/
diff --git a/src/libstrongswan/crypto/prfs/prf.h b/src/libstrongswan/crypto/prfs/prf.h
index 324eb89b4..e2b4f6fe0 100644
--- a/src/libstrongswan/crypto/prfs/prf.h
+++ b/src/libstrongswan/crypto/prfs/prf.h
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: prf.h 3916 2008-05-08 12:43:27Z martin $
+ * $Id: prf.h 5003 2009-03-24 17:43:01Z martin $
  */
  
 /**
@@ -115,4 +115,4 @@ struct prf_t {
 	void (*destroy) (prf_t *this);
 };
 
-#endif /*PRF_H_ @} */
+#endif /** PRF_H_ @}*/
diff --git a/src/libstrongswan/crypto/rngs/rng.h b/src/libstrongswan/crypto/rngs/rng.h
index 08f7af209..1c4d204f3 100644
--- a/src/libstrongswan/crypto/rngs/rng.h
+++ b/src/libstrongswan/crypto/rngs/rng.h
@@ -72,4 +72,4 @@ struct rng_t {
 	void (*destroy) (rng_t *this);
 };
 
-#endif /*RNG_H_ @} */
+#endif /** RNG_H_ @}*/
diff --git a/src/libstrongswan/crypto/signers/signer.h b/src/libstrongswan/crypto/signers/signer.h
index f67c38f07..b2be2c030 100644
--- a/src/libstrongswan/crypto/signers/signer.h
+++ b/src/libstrongswan/crypto/signers/signer.h
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: signer.h 3589 2008-03-13 14:14:44Z martin $
+ * $Id: signer.h 5003 2009-03-24 17:43:01Z martin $
  */
  
 /**
@@ -51,6 +51,8 @@ enum integrity_algorithm_t {
 	AUTH_HMAC_SHA2_512_256 = 14,
 	/** Implemented via hmac_signer_t */
 	AUTH_HMAC_SHA1_128 = 1025,
+	/** Implemented via hmac_signer_t */
+	AUTH_HMAC_MD5_128 = 1026,
 };
 
 /**
@@ -120,4 +122,4 @@ struct signer_t {
 	void (*destroy) (signer_t *this);
 };
 
-#endif /*SIGNER_H_ @} */
+#endif /** SIGNER_H_ @}*/
diff --git a/src/libstrongswan/database/database.h b/src/libstrongswan/database/database.h
index 39f909cd7..16472d869 100644
--- a/src/libstrongswan/database/database.h
+++ b/src/libstrongswan/database/database.h
@@ -120,4 +120,4 @@ struct database_t {
     void (*destroy)(database_t *this);
 };
 
-#endif /* DATABASE_H_ @}*/
+#endif /** DATABASE_H_ @}*/
diff --git a/src/libstrongswan/database/database_factory.h b/src/libstrongswan/database/database_factory.h
index 358f49054..8875adad7 100644
--- a/src/libstrongswan/database/database_factory.h
+++ b/src/libstrongswan/database/database_factory.h
@@ -70,4 +70,4 @@ struct database_factory_t {
  */
 database_factory_t *database_factory_create();
 
-#endif /* DATABASE_FACTORY_H_ @}*/
+#endif /** DATABASE_FACTORY_H_ @}*/
diff --git a/src/libstrongswan/debug.h b/src/libstrongswan/debug.h
index b120cc601..3b98f6837 100644
--- a/src/libstrongswan/debug.h
+++ b/src/libstrongswan/debug.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: debug.h 3589 2008-03-13 14:14:44Z martin $
+ * $Id: debug.h 5003 2009-03-24 17:43:01Z martin $
  */
  
 /**
@@ -60,4 +60,4 @@ extern void (*dbg) (int level, char *fmt, ...);
 /** default logging function, prints to stderr */
 void dbg_default(int level, char *fmt, ...);
 
-#endif /* DEBUG_H_ @} */
+#endif /** DEBUG_H_ @}*/
diff --git a/src/libstrongswan/enum.h b/src/libstrongswan/enum.h
index 4a594a4a9..877b3e6de 100644
--- a/src/libstrongswan/enum.h
+++ b/src/libstrongswan/enum.h
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: enum.h 4936 2009-03-12 18:07:32Z tobias $
+ * $Id: enum.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -117,4 +117,4 @@ struct enum_name_t {
 int enum_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
 					 const void *const *args);
 
-#endif /* ENUM_H_ @}*/
+#endif /** ENUM_H_ @}*/
diff --git a/src/libstrongswan/fetcher/fetcher.h b/src/libstrongswan/fetcher/fetcher.h
index 4fc37e35e..9a7cc315e 100644
--- a/src/libstrongswan/fetcher/fetcher.h
+++ b/src/libstrongswan/fetcher/fetcher.h
@@ -102,4 +102,4 @@ struct fetcher_t {
 	void (*destroy)(fetcher_t *this);	
 };
 
-#endif /* FETCHER_H_ @}*/
+#endif /** FETCHER_H_ @}*/
diff --git a/src/libstrongswan/fetcher/fetcher_manager.h b/src/libstrongswan/fetcher/fetcher_manager.h
index e94d44494..183964d6c 100644
--- a/src/libstrongswan/fetcher/fetcher_manager.h
+++ b/src/libstrongswan/fetcher/fetcher_manager.h
@@ -71,4 +71,4 @@ struct fetcher_manager_t {
  */
 fetcher_manager_t *fetcher_manager_create();
 
-#endif /* FETCHER_MANAGER_H_ @}*/
+#endif /** FETCHER_MANAGER_H_ @}*/
diff --git a/src/libstrongswan/fips/fips.h b/src/libstrongswan/fips/fips.h
index a4ff440ba..9b777be5f 100644
--- a/src/libstrongswan/fips/fips.h
+++ b/src/libstrongswan/fips/fips.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: fips.h 3877 2008-04-26 09:40:22Z andreas $
+ * $Id: fips.h 5003 2009-03-24 17:43:01Z martin $
  */
  
 /**
@@ -43,4 +43,4 @@ bool fips_compute_hmac_signature(const char *key, char *signature);
  */
 bool fips_verify_hmac_signature(const char *key, const char *signature);
 
-#endif /*FIPS_H_ @} */
+#endif /** FIPS_H_ @}*/
diff --git a/src/libstrongswan/library.h b/src/libstrongswan/library.h
index 1445b28cd..a6d27551e 100644
--- a/src/libstrongswan/library.h
+++ b/src/libstrongswan/library.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: library.h 4936 2009-03-12 18:07:32Z tobias $
+ * $Id: library.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -132,4 +132,4 @@ void library_deinit();
  */
 extern library_t *lib;
 
-#endif /* LIBRARY_H_ @}*/
+#endif /** LIBRARY_H_ @}*/
diff --git a/src/libstrongswan/plugins/aes/aes_crypter.h b/src/libstrongswan/plugins/aes/aes_crypter.h
index e42a6bc5b..19ea6b4b7 100644
--- a/src/libstrongswan/plugins/aes/aes_crypter.h
+++ b/src/libstrongswan/plugins/aes/aes_crypter.h
@@ -47,4 +47,4 @@ struct aes_crypter_t {
 aes_crypter_t *aes_crypter_create(encryption_algorithm_t algo,
 								  size_t key_size);
 
-#endif /* AES_CRYPTER_H_ @}*/
+#endif /** AES_CRYPTER_H_ @}*/
diff --git a/src/libstrongswan/plugins/aes/aes_plugin.h b/src/libstrongswan/plugins/aes/aes_plugin.h
index 4cf0bc15e..a6ff620ed 100644
--- a/src/libstrongswan/plugins/aes/aes_plugin.h
+++ b/src/libstrongswan/plugins/aes/aes_plugin.h
@@ -44,4 +44,4 @@ struct aes_plugin_t {
  */
 plugin_t *plugin_create();
 
-#endif /* AES_PLUGIN_H_ @}*/
+#endif /** AES_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/agent/agent_plugin.h b/src/libstrongswan/plugins/agent/agent_plugin.h
index d12dd44ac..33a5dcb53 100644
--- a/src/libstrongswan/plugins/agent/agent_plugin.h
+++ b/src/libstrongswan/plugins/agent/agent_plugin.h
@@ -44,4 +44,4 @@ struct agent_plugin_t {
  */
 plugin_t *plugin_create();
 
-#endif /* AGENT_PLUGIN_H_ @}*/
+#endif /** AGENT_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/agent/agent_private_key.h b/src/libstrongswan/plugins/agent/agent_private_key.h
index 4d678dd08..929e88a50 100644
--- a/src/libstrongswan/plugins/agent/agent_private_key.h
+++ b/src/libstrongswan/plugins/agent/agent_private_key.h
@@ -44,5 +44,5 @@ struct agent_private_key_t {
  */
 builder_t *agent_private_key_builder(key_type_t type);
 
-#endif /*AGENT_PRIVATE_KEY_H_ @}*/
+#endif /** AGENT_PRIVATE_KEY_H_ @}*/
 
diff --git a/src/libstrongswan/plugins/curl/curl_fetcher.h b/src/libstrongswan/plugins/curl/curl_fetcher.h
index 3028eac1b..043beb834 100644
--- a/src/libstrongswan/plugins/curl/curl_fetcher.h
+++ b/src/libstrongswan/plugins/curl/curl_fetcher.h
@@ -44,4 +44,4 @@ struct curl_fetcher_t {
  */
 curl_fetcher_t *curl_fetcher_create();
 
-#endif /* CURL_FETCHER_H_ @}*/
+#endif /** CURL_FETCHER_H_ @}*/
diff --git a/src/libstrongswan/plugins/curl/curl_plugin.h b/src/libstrongswan/plugins/curl/curl_plugin.h
index 73166a25b..1b748446b 100644
--- a/src/libstrongswan/plugins/curl/curl_plugin.h
+++ b/src/libstrongswan/plugins/curl/curl_plugin.h
@@ -44,4 +44,4 @@ struct curl_plugin_t {
  */
 plugin_t *plugin_create();
 
-#endif /* CURL_PLUGIN_H_ @}*/
+#endif /** CURL_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/des/des_crypter.h b/src/libstrongswan/plugins/des/des_crypter.h
index d40d9cf2f..623b292fc 100644
--- a/src/libstrongswan/plugins/des/des_crypter.h
+++ b/src/libstrongswan/plugins/des/des_crypter.h
@@ -46,4 +46,4 @@ struct des_crypter_t {
 des_crypter_t *des_crypter_create(encryption_algorithm_t algo);
 
 
-#endif /* DES_CRYPTER_H_ @}*/
+#endif /** DES_CRYPTER_H_ @}*/
diff --git a/src/libstrongswan/plugins/des/des_plugin.h b/src/libstrongswan/plugins/des/des_plugin.h
index 8cabd082b..17df220bc 100644
--- a/src/libstrongswan/plugins/des/des_plugin.h
+++ b/src/libstrongswan/plugins/des/des_plugin.h
@@ -44,4 +44,4 @@ struct des_plugin_t {
  */
 plugin_t *plugin_create();
 
-#endif /* DES_PLUGIN_H_ @}*/
+#endif /** DES_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/fips_prf/fips_prf.h b/src/libstrongswan/plugins/fips_prf/fips_prf.h
index 3fead6b9b..b2940be72 100644
--- a/src/libstrongswan/plugins/fips_prf/fips_prf.h
+++ b/src/libstrongswan/plugins/fips_prf/fips_prf.h
@@ -56,4 +56,4 @@ struct fips_prf_t {
  */
 fips_prf_t *fips_prf_create(pseudo_random_function_t algo);
 
-#endif /* FIPS_PRF_H_ @}*/
+#endif /** FIPS_PRF_H_ @}*/
diff --git a/src/libstrongswan/plugins/fips_prf/fips_prf_plugin.h b/src/libstrongswan/plugins/fips_prf/fips_prf_plugin.h
index 6816eb66f..8d65254ba 100644
--- a/src/libstrongswan/plugins/fips_prf/fips_prf_plugin.h
+++ b/src/libstrongswan/plugins/fips_prf/fips_prf_plugin.h
@@ -44,4 +44,4 @@ struct fips_prf_plugin_t {
  */
 plugin_t *plugin_create();
 
-#endif /* FIPS_PRF_PLUGIN_H_ @}*/
+#endif /** FIPS_PRF_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.h b/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.h
index e2d4d6851..774c31cc2 100644
--- a/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.h
+++ b/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.h
@@ -45,5 +45,5 @@ struct gmp_diffie_hellman_t {
  */
 gmp_diffie_hellman_t *gmp_diffie_hellman_create(diffie_hellman_group_t group);
 
-#endif /*GMP_DIFFIE_HELLMAN_H_ @}*/
+#endif /** GMP_DIFFIE_HELLMAN_H_ @}*/
 
diff --git a/src/libstrongswan/plugins/gmp/gmp_plugin.h b/src/libstrongswan/plugins/gmp/gmp_plugin.h
index a853064b7..d707d78ea 100644
--- a/src/libstrongswan/plugins/gmp/gmp_plugin.h
+++ b/src/libstrongswan/plugins/gmp/gmp_plugin.h
@@ -44,4 +44,4 @@ struct gmp_plugin_t {
  */
 plugin_t *plugin_create();
 
-#endif /* GMP_PLUGIN_H_ @}*/
+#endif /** GMP_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.h b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.h
index 6f59b2ad2..d47e2583d 100644
--- a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.h
+++ b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.h
@@ -44,5 +44,5 @@ struct gmp_rsa_private_key_t {
  */
 builder_t *gmp_rsa_private_key_builder(key_type_t type);
 
-#endif /*GMP_RSA_PRIVATE_KEY_H_ @}*/
+#endif /** GMP_RSA_PRIVATE_KEY_H_ @}*/
 
diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.h b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.h
index 2e502b7e6..46c8c3fd8 100644
--- a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.h
+++ b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.h
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: gmp_rsa_public_key.h 3721 2008-04-01 14:51:31Z martin $
+ * $Id: gmp_rsa_public_key.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -47,4 +47,4 @@ struct gmp_rsa_public_key_t {
  */
 builder_t *gmp_rsa_public_key_builder(key_type_t type);
 
-#endif /*GMP_RSA_PUBLIC_KEY_H_ @}*/
+#endif /** GMP_RSA_PUBLIC_KEY_H_ @}*/
diff --git a/src/libstrongswan/plugins/hmac/hmac.h b/src/libstrongswan/plugins/hmac/hmac.h
index 5f266e133..a204d3b17 100644
--- a/src/libstrongswan/plugins/hmac/hmac.h
+++ b/src/libstrongswan/plugins/hmac/hmac.h
@@ -90,4 +90,4 @@ struct hmac_t {
  */
 hmac_t *hmac_create(hash_algorithm_t hash_algorithm);
 
-#endif /*HMAC_H_ @}*/
+#endif /** HMAC_H_ @}*/
diff --git a/src/libstrongswan/plugins/hmac/hmac_plugin.c b/src/libstrongswan/plugins/hmac/hmac_plugin.c
index a0afc2a85..7a09b7a4e 100644
--- a/src/libstrongswan/plugins/hmac/hmac_plugin.c
+++ b/src/libstrongswan/plugins/hmac/hmac_plugin.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: hmac_plugin.c 4309 2008-08-28 11:07:57Z martin $
+ * $Id: hmac_plugin.c 4997 2009-03-24 10:24:58Z martin $
  */
 
 #include "hmac_plugin.h"
@@ -74,6 +74,8 @@ plugin_t *plugin_create()
 							(signer_constructor_t)hmac_signer_create);
 	lib->crypto->add_signer(lib->crypto, AUTH_HMAC_MD5_96, 
 							(signer_constructor_t)hmac_signer_create);
+	lib->crypto->add_signer(lib->crypto, AUTH_HMAC_MD5_128, 
+							(signer_constructor_t)hmac_signer_create);
 	lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_384_192, 
 							(signer_constructor_t)hmac_signer_create);
 	lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_512_256, 
diff --git a/src/libstrongswan/plugins/hmac/hmac_plugin.h b/src/libstrongswan/plugins/hmac/hmac_plugin.h
index 55ba0b5f4..5c3afa7d6 100644
--- a/src/libstrongswan/plugins/hmac/hmac_plugin.h
+++ b/src/libstrongswan/plugins/hmac/hmac_plugin.h
@@ -44,4 +44,4 @@ struct hmac_plugin_t {
  */
 plugin_t *plugin_create();
 
-#endif /* HMAC_PLUGIN_H_ @}*/
+#endif /** HMAC_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/hmac/hmac_prf.h b/src/libstrongswan/plugins/hmac/hmac_prf.h
index 46d05f03a..aa75272e1 100644
--- a/src/libstrongswan/plugins/hmac/hmac_prf.h
+++ b/src/libstrongswan/plugins/hmac/hmac_prf.h
@@ -48,4 +48,4 @@ struct hmac_prf_t {
  */
 hmac_prf_t *hmac_prf_create(pseudo_random_function_t algo);
 
-#endif /*PRF_HMAC_SHA1_H_ @}*/
+#endif /** PRF_HMAC_SHA1_H_ @}*/
diff --git a/src/libstrongswan/plugins/hmac/hmac_signer.c b/src/libstrongswan/plugins/hmac/hmac_signer.c
index cdfc819f1..89cae1716 100644
--- a/src/libstrongswan/plugins/hmac/hmac_signer.c
+++ b/src/libstrongswan/plugins/hmac/hmac_signer.c
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: hmac_signer.c 3488 2008-02-21 15:10:02Z martin $
+ * $Id: hmac_signer.c 4997 2009-03-24 10:24:58Z martin $
  */
 
 #include <string.h>
@@ -159,6 +159,10 @@ hmac_signer_t *hmac_signer_create(integrity_algorithm_t algo)
 			hash = HASH_MD5;
 			trunc = 12;
 			break;
+		case AUTH_HMAC_MD5_128:
+			hash = HASH_MD5;
+			trunc = 16;
+			break;
 		case AUTH_HMAC_SHA2_256_128:
 			hash = HASH_SHA256;
 			trunc = 16;
diff --git a/src/libstrongswan/plugins/hmac/hmac_signer.h b/src/libstrongswan/plugins/hmac/hmac_signer.h
index 969f482e7..197e28fa7 100644
--- a/src/libstrongswan/plugins/hmac/hmac_signer.h
+++ b/src/libstrongswan/plugins/hmac/hmac_signer.h
@@ -52,4 +52,4 @@ struct hmac_signer_t {
  */
 hmac_signer_t *hmac_signer_create(integrity_algorithm_t algo);
 
-#endif /*HMAC_SIGNER_H_ @}*/
+#endif /** HMAC_SIGNER_H_ @}*/
diff --git a/src/libstrongswan/plugins/ldap/ldap_fetcher.h b/src/libstrongswan/plugins/ldap/ldap_fetcher.h
index bde60c799..30a141bae 100644
--- a/src/libstrongswan/plugins/ldap/ldap_fetcher.h
+++ b/src/libstrongswan/plugins/ldap/ldap_fetcher.h
@@ -39,4 +39,4 @@ struct ldap_fetcher_t {
  */
 ldap_fetcher_t *ldap_fetcher_create();
 
-#endif /* LDAP_FETCHER_H_ @}*/
+#endif /** LDAP_FETCHER_H_ @}*/
diff --git a/src/libstrongswan/plugins/ldap/ldap_plugin.h b/src/libstrongswan/plugins/ldap/ldap_plugin.h
index 7b2bb3232..de4ff3422 100644
--- a/src/libstrongswan/plugins/ldap/ldap_plugin.h
+++ b/src/libstrongswan/plugins/ldap/ldap_plugin.h
@@ -44,4 +44,4 @@ struct ldap_plugin_t {
  */
 plugin_t *plugin_create();
 
-#endif /* LDAP_PLUGIN_H_ @}*/
+#endif /** LDAP_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/md4/md4_hasher.h b/src/libstrongswan/plugins/md4/md4_hasher.h
index 75956fde6..b0b8c65d2 100644
--- a/src/libstrongswan/plugins/md4/md4_hasher.h
+++ b/src/libstrongswan/plugins/md4/md4_hasher.h
@@ -45,4 +45,4 @@ struct md4_hasher_t {
  */
 md4_hasher_t *md4_hasher_create(hash_algorithm_t algo);
 
-#endif /*MD4_HASHER_H_@}*/
+#endif /** MD4_HASHER_H_ @}*/
diff --git a/src/libstrongswan/plugins/md4/md4_plugin.h b/src/libstrongswan/plugins/md4/md4_plugin.h
index 965bff261..b13002d7b 100644
--- a/src/libstrongswan/plugins/md4/md4_plugin.h
+++ b/src/libstrongswan/plugins/md4/md4_plugin.h
@@ -44,4 +44,4 @@ struct md4_plugin_t {
  */
 plugin_t *plugin_create();
 
-#endif /* MD4_PLUGIN_H_ @}*/
+#endif /** MD4_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/md5/md5_hasher.h b/src/libstrongswan/plugins/md5/md5_hasher.h
index d4a0417ab..0064c177b 100644
--- a/src/libstrongswan/plugins/md5/md5_hasher.h
+++ b/src/libstrongswan/plugins/md5/md5_hasher.h
@@ -45,4 +45,4 @@ struct md5_hasher_t {
  */
 md5_hasher_t *md5_hasher_create(hash_algorithm_t algo);
 
-#endif /*MD5_HASHER_H_@}*/
+#endif /** MD5_HASHER_H_ @}*/
diff --git a/src/libstrongswan/plugins/md5/md5_plugin.h b/src/libstrongswan/plugins/md5/md5_plugin.h
index e8e8dd535..057689ad3 100644
--- a/src/libstrongswan/plugins/md5/md5_plugin.h
+++ b/src/libstrongswan/plugins/md5/md5_plugin.h
@@ -44,4 +44,4 @@ struct md5_plugin_t {
  */
 plugin_t *plugin_create();
 
-#endif /* MD5_PLUGIN_H_ @}*/
+#endif /** MD5_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/mysql/mysql_database.h b/src/libstrongswan/plugins/mysql/mysql_database.h
index d04aa79fa..98ddcad36 100644
--- a/src/libstrongswan/plugins/mysql/mysql_database.h
+++ b/src/libstrongswan/plugins/mysql/mysql_database.h
@@ -39,7 +39,7 @@ struct mysql_database_t {
 /**
  * Create a mysql_database instance.
  *
- * @param uri			connection URI, mysql://user:pass@host:port/database
+ * @param uri			connection URI, mysql://user:pass@example.com:port/database
  */
 mysql_database_t *mysql_database_create(char *uri);
 
@@ -55,4 +55,4 @@ bool mysql_database_init();
  */
 void mysql_database_deinit();
 
-#endif /* MYSQL_DATABASE_H_ @}*/
+#endif /** MYSQL_DATABASE_H_ @}*/
diff --git a/src/libstrongswan/plugins/mysql/mysql_plugin.h b/src/libstrongswan/plugins/mysql/mysql_plugin.h
index dbcabaafe..fa53c2b7a 100644
--- a/src/libstrongswan/plugins/mysql/mysql_plugin.h
+++ b/src/libstrongswan/plugins/mysql/mysql_plugin.h
@@ -44,4 +44,4 @@ struct mysql_plugin_t {
  */
 plugin_t *plugin_create();
 
-#endif /* MYSQL_PLUGIN_H_ @}*/
+#endif /** MYSQL_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/openssl/openssl_crypter.h b/src/libstrongswan/plugins/openssl/openssl_crypter.h
index f80d0dec6..4510fb7ee 100644
--- a/src/libstrongswan/plugins/openssl/openssl_crypter.h
+++ b/src/libstrongswan/plugins/openssl/openssl_crypter.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  * 
- * $Id: openssl_crypter.h 4000 2008-05-22 12:13:10Z tobias $
+ * $Id: openssl_crypter.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -48,4 +48,4 @@ struct openssl_crypter_t {
 openssl_crypter_t *openssl_crypter_create(encryption_algorithm_t algo,
 												  size_t key_size);
 
-#endif /* OPENSSL_CRYPTER_H_ @}*/
+#endif /** OPENSSL_CRYPTER_H_ @}*/
diff --git a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.h b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.h
index c72b4aab0..c67ce8970 100644
--- a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.h
+++ b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  * 
- * $Id: openssl_diffie_hellman.h 4000 2008-05-22 12:13:10Z tobias $
+ * $Id: openssl_diffie_hellman.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -46,5 +46,5 @@ struct openssl_diffie_hellman_t {
  */
 openssl_diffie_hellman_t *openssl_diffie_hellman_create(diffie_hellman_group_t group);
 
-#endif /*OPENSSL_DIFFIE_HELLMAN_H_ @}*/
+#endif /** OPENSSL_DIFFIE_HELLMAN_H_ @}*/
 
diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.h b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.h
index e89f1cbd7..6b135b36b 100644
--- a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.h
+++ b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  * 
- * $Id: openssl_ec_diffie_hellman.h 4000 2008-05-22 12:13:10Z tobias $
+ * $Id: openssl_ec_diffie_hellman.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -46,5 +46,5 @@ struct openssl_ec_diffie_hellman_t {
  */
 openssl_ec_diffie_hellman_t *openssl_ec_diffie_hellman_create(diffie_hellman_group_t group);
 
-#endif /*OPENSSL_EC_DIFFIE_HELLMAN_H_ @}*/
+#endif /** OPENSSL_EC_DIFFIE_HELLMAN_H_ @}*/
 
diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_private_key.h b/src/libstrongswan/plugins/openssl/openssl_ec_private_key.h
index 629fc9574..29588ce18 100644
--- a/src/libstrongswan/plugins/openssl/openssl_ec_private_key.h
+++ b/src/libstrongswan/plugins/openssl/openssl_ec_private_key.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  * 
- * $Id: openssl_ec_private_key.h 4051 2008-06-10 09:08:27Z tobias $
+ * $Id: openssl_ec_private_key.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -46,4 +46,4 @@ struct openssl_ec_private_key_t {
  */
 builder_t *openssl_ec_private_key_builder(key_type_t type);
 
-#endif /*OPENSSL_EC_PRIVATE_KEY_H_ @}*/
+#endif /** OPENSSL_EC_PRIVATE_KEY_H_ @}*/
diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_public_key.h b/src/libstrongswan/plugins/openssl/openssl_ec_public_key.h
index 92684402c..83552d590 100644
--- a/src/libstrongswan/plugins/openssl/openssl_ec_public_key.h
+++ b/src/libstrongswan/plugins/openssl/openssl_ec_public_key.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: openssl_ec_public_key.h 4051 2008-06-10 09:08:27Z tobias $
+ * $Id: openssl_ec_public_key.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -46,4 +46,4 @@ struct openssl_ec_public_key_t {
  */
 builder_t *openssl_ec_public_key_builder(key_type_t type);
 
-#endif /*OPENSSL_EC_PUBLIC_KEY_H_ @}*/
+#endif /** OPENSSL_EC_PUBLIC_KEY_H_ @}*/
diff --git a/src/libstrongswan/plugins/openssl/openssl_hasher.h b/src/libstrongswan/plugins/openssl/openssl_hasher.h
index f776e9fd4..52699f7ff 100644
--- a/src/libstrongswan/plugins/openssl/openssl_hasher.h
+++ b/src/libstrongswan/plugins/openssl/openssl_hasher.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  * 
- * $Id: openssl_hasher.h 4000 2008-05-22 12:13:10Z tobias $
+ * $Id: openssl_hasher.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -42,9 +42,8 @@ struct openssl_hasher_t {
  * Constructor to create openssl_hasher_t.
  * 
  * @param algo			algorithm
- * @param key_size		key size in bytes
  * @return				openssl_hasher_t, NULL if not supported
  */
 openssl_hasher_t *openssl_hasher_create(hash_algorithm_t algo);
 
-#endif /* OPENSSL_HASHER_H_ @}*/
+#endif /** OPENSSL_HASHER_H_ @}*/
diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.h b/src/libstrongswan/plugins/openssl/openssl_plugin.h
index 40f741dfa..a6d2a060e 100644
--- a/src/libstrongswan/plugins/openssl/openssl_plugin.h
+++ b/src/libstrongswan/plugins/openssl/openssl_plugin.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  * 
- * $Id: openssl_plugin.h 4000 2008-05-22 12:13:10Z tobias $
+ * $Id: openssl_plugin.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -46,4 +46,4 @@ struct openssl_plugin_t {
  */
 plugin_t *plugin_create();
 
-#endif /* OPENSSL_PLUGIN_H_ @}*/
+#endif /** OPENSSL_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.h b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.h
index 81d81b2db..05d83416c 100644
--- a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.h
+++ b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  * 
- * $Id: openssl_rsa_private_key.h 4000 2008-05-22 12:13:10Z tobias $
+ * $Id: openssl_rsa_private_key.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -46,4 +46,4 @@ struct openssl_rsa_private_key_t {
  */
 builder_t *openssl_rsa_private_key_builder(key_type_t type);
 
-#endif /*OPENSSL_RSA_PRIVATE_KEY_H_ @}*/
+#endif /** OPENSSL_RSA_PRIVATE_KEY_H_ @}*/
diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.h b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.h
index 570fb69cb..c97ba1b92 100644
--- a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.h
+++ b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: openssl_rsa_public_key.h 4000 2008-05-22 12:13:10Z tobias $
+ * $Id: openssl_rsa_public_key.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -46,4 +46,4 @@ struct openssl_rsa_public_key_t {
  */
 builder_t *openssl_rsa_public_key_builder(key_type_t type);
 
-#endif /*OPENSSL_RSA_PUBLIC_KEY_H_ @}*/
+#endif /** OPENSSL_RSA_PUBLIC_KEY_H_ @}*/
diff --git a/src/libstrongswan/plugins/openssl/openssl_util.h b/src/libstrongswan/plugins/openssl/openssl_util.h
index 2dbd5054e..e780e2a25 100644
--- a/src/libstrongswan/plugins/openssl/openssl_util.h
+++ b/src/libstrongswan/plugins/openssl/openssl_util.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: openssl_util.h 4051 2008-06-10 09:08:27Z tobias $
+ * $Id: openssl_util.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -67,4 +67,4 @@ bool openssl_bn_cat(int len, BIGNUM *a, BIGNUM *b, chunk_t *chunk);
  */
 bool openssl_bn_split(chunk_t chunk, BIGNUM *a, BIGNUM *b);
 
-#endif /*OPENSSL_UTIL_H_ @}*/
+#endif /** OPENSSL_UTIL_H_ @}*/
diff --git a/src/libstrongswan/plugins/padlock/padlock_aes_crypter.h b/src/libstrongswan/plugins/padlock/padlock_aes_crypter.h
index e8b01633d..d8ac9c2a0 100644
--- a/src/libstrongswan/plugins/padlock/padlock_aes_crypter.h
+++ b/src/libstrongswan/plugins/padlock/padlock_aes_crypter.h
@@ -47,4 +47,4 @@ struct padlock_aes_crypter_t {
 padlock_aes_crypter_t *padlock_aes_crypter_create(encryption_algorithm_t algo,
 												  size_t key_size);
 
-#endif /* PADLOCK_AES_CRYPTER_H_ @}*/
+#endif /** PADLOCK_AES_CRYPTER_H_ @}*/
diff --git a/src/libstrongswan/plugins/padlock/padlock_plugin.h b/src/libstrongswan/plugins/padlock/padlock_plugin.h
index 7e013a5f7..76f4d1135 100644
--- a/src/libstrongswan/plugins/padlock/padlock_plugin.h
+++ b/src/libstrongswan/plugins/padlock/padlock_plugin.h
@@ -44,4 +44,4 @@ struct padlock_plugin_t {
  */
 plugin_t *plugin_create();
 
-#endif /* PADLOCK_PLUGIN_H_ @}*/
+#endif /** PADLOCK_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/padlock/padlock_rng.h b/src/libstrongswan/plugins/padlock/padlock_rng.h
index a76ecd296..505f4649c 100644
--- a/src/libstrongswan/plugins/padlock/padlock_rng.h
+++ b/src/libstrongswan/plugins/padlock/padlock_rng.h
@@ -17,7 +17,7 @@
 
 /**
  * @defgroup padlock_rng padlock_rng
- * @{ @ingroup padlock
+ * @{ @ingroup padlock_p
  */
 
 #ifndef PADLOCK_RNG_H_
@@ -46,4 +46,4 @@ struct padlock_rng_t {
  */
 padlock_rng_t *padlock_rng_create(rng_quality_t quality);
 
-#endif /* PADLOCK_RNG_ @}*/
+#endif /** PADLOCK_RNG_ @}*/
diff --git a/src/libstrongswan/plugins/padlock/padlock_sha1_hasher.h b/src/libstrongswan/plugins/padlock/padlock_sha1_hasher.h
index 6855b827f..afa1e046d 100644
--- a/src/libstrongswan/plugins/padlock/padlock_sha1_hasher.h
+++ b/src/libstrongswan/plugins/padlock/padlock_sha1_hasher.h
@@ -16,7 +16,7 @@
 
 /**
  * @defgroup sha1_hasher sha1_hasher
- * @{ @ingroup sha1_p
+ * @{ @ingroup padlock_p
  */
 
 #ifndef PADLOCK_SHA1_HASHER_H_
@@ -45,4 +45,4 @@ struct padlock_sha1_hasher_t {
  */
 padlock_sha1_hasher_t *padlock_sha1_hasher_create(hash_algorithm_t algo);
 
-#endif /*SHA1_HASHER_H_ @}*/
+#endif /** SHA1_HASHER_H_ @}*/
diff --git a/src/libstrongswan/plugins/plugin.h b/src/libstrongswan/plugins/plugin.h
index cf0b728a3..6ca71540c 100644
--- a/src/libstrongswan/plugins/plugin.h
+++ b/src/libstrongswan/plugins/plugin.h
@@ -46,4 +46,4 @@ struct plugin_t {
  */
 typedef plugin_t *(*plugin_constructor_t)(void);
 
-#endif /* PLUGIN_H_ @}*/
+#endif /** PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/plugin_loader.h b/src/libstrongswan/plugins/plugin_loader.h
index bd24e7558..6230f9d68 100644
--- a/src/libstrongswan/plugins/plugin_loader.h
+++ b/src/libstrongswan/plugins/plugin_loader.h
@@ -64,4 +64,4 @@ struct plugin_loader_t {
  */
 plugin_loader_t *plugin_loader_create();
 
-#endif /* PLUGIN_LOADER_H_ @}*/
+#endif /** PLUGIN_LOADER_H_ @}*/
diff --git a/src/libstrongswan/plugins/pubkey/pubkey_cert.h b/src/libstrongswan/plugins/pubkey/pubkey_cert.h
index 71ffe5099..b04824fee 100644
--- a/src/libstrongswan/plugins/pubkey/pubkey_cert.h
+++ b/src/libstrongswan/plugins/pubkey/pubkey_cert.h
@@ -48,4 +48,4 @@ struct pubkey_cert_t {
  */
 builder_t *pubkey_cert_builder(certificate_type_t type);
 
-#endif /* PUBKEY_CERT_H_ @}*/
+#endif /** PUBKEY_CERT_H_ @}*/
diff --git a/src/libstrongswan/plugins/pubkey/pubkey_plugin.h b/src/libstrongswan/plugins/pubkey/pubkey_plugin.h
index 64d0995fc..a3fd2f155 100644
--- a/src/libstrongswan/plugins/pubkey/pubkey_plugin.h
+++ b/src/libstrongswan/plugins/pubkey/pubkey_plugin.h
@@ -44,4 +44,4 @@ struct pubkey_plugin_t {
  */
 plugin_t *plugin_create();
 
-#endif /* PUBKEY_PLUGIN_H_ @}*/
+#endif /** PUBKEY_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/pubkey/pubkey_public_key.h b/src/libstrongswan/plugins/pubkey/pubkey_public_key.h
index 914ad74e9..0545feeee 100644
--- a/src/libstrongswan/plugins/pubkey/pubkey_public_key.h
+++ b/src/libstrongswan/plugins/pubkey/pubkey_public_key.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: pubkey_public_key.h 3961 2008-05-15 12:33:00Z tobias $
+ * $Id: pubkey_public_key.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -33,4 +33,4 @@
  */
 builder_t *pubkey_public_key_builder(key_type_t type);
 
-#endif /*PUBKEY_RSA_PUBLIC_KEY_H_ @}*/
+#endif /** PUBKEY_RSA_PUBLIC_KEY_H_ @}*/
diff --git a/src/libstrongswan/plugins/random/random_plugin.h b/src/libstrongswan/plugins/random/random_plugin.h
index 9e8b99387..8145c7875 100644
--- a/src/libstrongswan/plugins/random/random_plugin.h
+++ b/src/libstrongswan/plugins/random/random_plugin.h
@@ -44,4 +44,4 @@ struct random_plugin_t {
  */
 plugin_t *plugin_create();
 
-#endif /* RANDOM_PLUGIN_H_ @}*/
+#endif /** RANDOM_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/random/random_rng.h b/src/libstrongswan/plugins/random/random_rng.h
index 7f82353d8..3426d694e 100644
--- a/src/libstrongswan/plugins/random/random_rng.h
+++ b/src/libstrongswan/plugins/random/random_rng.h
@@ -17,7 +17,7 @@
  
 /**
  * @defgroup random_rng random_rng
- * @{ @ingroup utils
+ * @{ @ingroup random_p
  */
 
 #ifndef RANDOM_RNG_H_
@@ -46,4 +46,4 @@ struct random_rng_t {
  */
 random_rng_t *random_rng_create(rng_quality_t quality);
 
-#endif /*RANDOM_RNG_H_ @} */
+#endif /** RANDOM_RNG_H_ @} */
diff --git a/src/libstrongswan/plugins/sha1/sha1_hasher.h b/src/libstrongswan/plugins/sha1/sha1_hasher.h
index 7dcb0b8b3..b9bfe1c86 100644
--- a/src/libstrongswan/plugins/sha1/sha1_hasher.h
+++ b/src/libstrongswan/plugins/sha1/sha1_hasher.h
@@ -45,4 +45,4 @@ struct sha1_hasher_t {
  */
 sha1_hasher_t *sha1_hasher_create(hash_algorithm_t algo);
 
-#endif /*SHA1_HASHER_H_ @}*/
+#endif /** SHA1_HASHER_H_ @}*/
diff --git a/src/libstrongswan/plugins/sha1/sha1_plugin.h b/src/libstrongswan/plugins/sha1/sha1_plugin.h
index 82ab04c86..36b12b91e 100644
--- a/src/libstrongswan/plugins/sha1/sha1_plugin.h
+++ b/src/libstrongswan/plugins/sha1/sha1_plugin.h
@@ -44,4 +44,4 @@ struct sha1_plugin_t {
  */
 plugin_t *plugin_create();
 
-#endif /* SHA1_PLUGIN_H_ @}*/
+#endif /** SHA1_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/sha1/sha1_prf.h b/src/libstrongswan/plugins/sha1/sha1_prf.h
index a0f56b681..b6cd2f9d0 100644
--- a/src/libstrongswan/plugins/sha1/sha1_prf.h
+++ b/src/libstrongswan/plugins/sha1/sha1_prf.h
@@ -44,4 +44,4 @@ struct sha1_prf_t {
  */
 sha1_prf_t *sha1_prf_create(pseudo_random_function_t algo);
 
-#endif /*SHA1_PRF_H_ @}*/
+#endif /** SHA1_PRF_H_ @}*/
diff --git a/src/libstrongswan/plugins/sha2/sha2_hasher.h b/src/libstrongswan/plugins/sha2/sha2_hasher.h
index 6d732495a..11f4fac26 100644
--- a/src/libstrongswan/plugins/sha2/sha2_hasher.h
+++ b/src/libstrongswan/plugins/sha2/sha2_hasher.h
@@ -47,4 +47,4 @@ struct sha2_hasher_t {
  */
 sha2_hasher_t *sha2_hasher_create(hash_algorithm_t algorithm);
 
-#endif /* SHA2_HASHER_H_ @}*/
+#endif /** SHA2_HASHER_H_ @}*/
diff --git a/src/libstrongswan/plugins/sha2/sha2_plugin.h b/src/libstrongswan/plugins/sha2/sha2_plugin.h
index 859597758..b80f7560e 100644
--- a/src/libstrongswan/plugins/sha2/sha2_plugin.h
+++ b/src/libstrongswan/plugins/sha2/sha2_plugin.h
@@ -44,4 +44,4 @@ struct sha2_plugin_t {
  */
 plugin_t *plugin_create();
 
-#endif /* SHA2_PLUGIN_H_ @}*/
+#endif /** SHA2_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/sqlite/sqlite_database.h b/src/libstrongswan/plugins/sqlite/sqlite_database.h
index 795785627..75f89a7ed 100644
--- a/src/libstrongswan/plugins/sqlite/sqlite_database.h
+++ b/src/libstrongswan/plugins/sqlite/sqlite_database.h
@@ -43,4 +43,4 @@ struct sqlite_database_t {
  */
 sqlite_database_t *sqlite_database_create(char *uri);
 
-#endif /* SQLITE_DATABASE_H_ @}*/
+#endif /** SQLITE_DATABASE_H_ @}*/
diff --git a/src/libstrongswan/plugins/sqlite/sqlite_plugin.h b/src/libstrongswan/plugins/sqlite/sqlite_plugin.h
index 07bf9618f..82735a311 100644
--- a/src/libstrongswan/plugins/sqlite/sqlite_plugin.h
+++ b/src/libstrongswan/plugins/sqlite/sqlite_plugin.h
@@ -44,4 +44,4 @@ struct sqlite_plugin_t {
  */
 plugin_t *plugin_create();
 
-#endif /* SQLITE_PLUGIN_H_ @}*/
+#endif /** SQLITE_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/x509/ietf_attr_list.h b/src/libstrongswan/plugins/x509/ietf_attr_list.h
index e3e4add61..983c67d14 100644
--- a/src/libstrongswan/plugins/x509/ietf_attr_list.h
+++ b/src/libstrongswan/plugins/x509/ietf_attr_list.h
@@ -77,5 +77,5 @@ chunk_t ietfAttr_list_encode(linked_list_t *list);
  */
 void ietfAttr_list_destroy(linked_list_t *list);
 
-#endif /* IETF_ATTR_LIST_H_ @}*/
+#endif /** IETF_ATTR_LIST_H_ @}*/
 
diff --git a/src/libstrongswan/plugins/x509/x509_ac.h b/src/libstrongswan/plugins/x509/x509_ac.h
index 2fd165e45..5df9c5f8a 100644
--- a/src/libstrongswan/plugins/x509/x509_ac.h
+++ b/src/libstrongswan/plugins/x509/x509_ac.h
@@ -56,4 +56,4 @@ struct x509_ac_t {
  */
 builder_t *x509_ac_builder(certificate_type_t type);
 
-#endif /* X509_AC_H_ @}*/
+#endif /** X509_AC_H_ @}*/
diff --git a/src/libstrongswan/plugins/x509/x509_cert.h b/src/libstrongswan/plugins/x509/x509_cert.h
index 701cc3d63..8dbd8050a 100644
--- a/src/libstrongswan/plugins/x509/x509_cert.h
+++ b/src/libstrongswan/plugins/x509/x509_cert.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: x509_cert.h 3650 2008-03-22 08:15:18Z andreas $
+ * $Id: x509_cert.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -46,4 +46,4 @@ struct x509_cert_t {
  */
 builder_t *x509_cert_builder(certificate_type_t type);
 
-#endif /* X509_CERT_H_ @}*/
+#endif /** X509_CERT_H_ @}*/
diff --git a/src/libstrongswan/plugins/x509/x509_crl.h b/src/libstrongswan/plugins/x509/x509_crl.h
index 0d9e5cca4..daa8e4846 100644
--- a/src/libstrongswan/plugins/x509/x509_crl.h
+++ b/src/libstrongswan/plugins/x509/x509_crl.h
@@ -45,4 +45,4 @@ struct x509_crl_t {
  */
 builder_t *x509_crl_builder(certificate_type_t type);
 
-#endif /* X509_CRL_H_ @}*/
+#endif /** X509_CRL_H_ @}*/
diff --git a/src/libstrongswan/plugins/x509/x509_ocsp_request.h b/src/libstrongswan/plugins/x509/x509_ocsp_request.h
index 0a4016f65..ffaa3c634 100644
--- a/src/libstrongswan/plugins/x509/x509_ocsp_request.h
+++ b/src/libstrongswan/plugins/x509/x509_ocsp_request.h
@@ -51,4 +51,4 @@ struct x509_ocsp_request_t {
  */
 builder_t *x509_ocsp_request_builder(certificate_type_t type);
 
-#endif /* X509_OCSP_REQUEST_H_ @}*/
+#endif /** X509_OCSP_REQUEST_H_ @}*/
diff --git a/src/libstrongswan/plugins/x509/x509_ocsp_response.h b/src/libstrongswan/plugins/x509/x509_ocsp_response.h
index 8b4c8328d..06a9fd3c7 100644
--- a/src/libstrongswan/plugins/x509/x509_ocsp_response.h
+++ b/src/libstrongswan/plugins/x509/x509_ocsp_response.h
@@ -44,4 +44,4 @@ struct x509_ocsp_response_t {
  */
 builder_t *x509_ocsp_response_builder(certificate_type_t type);
 
-#endif /* X509_OCSP_RESPONSE_H_ @}*/
+#endif /** X509_OCSP_RESPONSE_H_ @}*/
diff --git a/src/libstrongswan/plugins/x509/x509_plugin.h b/src/libstrongswan/plugins/x509/x509_plugin.h
index 9743a2367..fe8c0b31f 100644
--- a/src/libstrongswan/plugins/x509/x509_plugin.h
+++ b/src/libstrongswan/plugins/x509/x509_plugin.h
@@ -44,4 +44,4 @@ struct x509_plugin_t {
  */
 plugin_t *plugin_create();
 
-#endif /* X509_PLUGIN_H_ @}*/
+#endif /** X509_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/xcbc/xcbc.h b/src/libstrongswan/plugins/xcbc/xcbc.h
index 81812442e..a334c675b 100644
--- a/src/libstrongswan/plugins/xcbc/xcbc.h
+++ b/src/libstrongswan/plugins/xcbc/xcbc.h
@@ -75,4 +75,4 @@ struct xcbc_t {
  */
 xcbc_t *xcbc_create(encryption_algorithm_t algo, size_t key_size);
 
-#endif /*xcbc_H_ @}*/
+#endif /** XCBC_H_ @}*/
diff --git a/src/libstrongswan/plugins/xcbc/xcbc_plugin.h b/src/libstrongswan/plugins/xcbc/xcbc_plugin.h
index 728d84690..803d847aa 100644
--- a/src/libstrongswan/plugins/xcbc/xcbc_plugin.h
+++ b/src/libstrongswan/plugins/xcbc/xcbc_plugin.h
@@ -44,4 +44,4 @@ struct xcbc_plugin_t {
  */
 plugin_t *plugin_create();
 
-#endif /* XCBC_PLUGIN_H_ @}*/
+#endif /** XCBC_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/xcbc/xcbc_prf.h b/src/libstrongswan/plugins/xcbc/xcbc_prf.h
index e8692ae23..bbf5b972a 100644
--- a/src/libstrongswan/plugins/xcbc/xcbc_prf.h
+++ b/src/libstrongswan/plugins/xcbc/xcbc_prf.h
@@ -47,4 +47,4 @@ struct xcbc_prf_t {
  */
 xcbc_prf_t *xcbc_prf_create(pseudo_random_function_t algo);
 
-#endif /*PRF_XCBC_SHA1_H_ @}*/
+#endif /** PRF_XCBC_SHA1_H_ @}*/
diff --git a/src/libstrongswan/plugins/xcbc/xcbc_signer.h b/src/libstrongswan/plugins/xcbc/xcbc_signer.h
index c7eff7e17..dc0087392 100644
--- a/src/libstrongswan/plugins/xcbc/xcbc_signer.h
+++ b/src/libstrongswan/plugins/xcbc/xcbc_signer.h
@@ -18,8 +18,8 @@
  * @{ @ingroup xcbc_p
  */
 
-#ifndef xcbc_SIGNER_H_
-#define xcbc_SIGNER_H_
+#ifndef XCBC_SIGNER_H_
+#define XCBC_SIGNER_H_
 
 typedef struct xcbc_signer_t xcbc_signer_t;
 
@@ -44,4 +44,4 @@ struct xcbc_signer_t {
  */
 xcbc_signer_t *xcbc_signer_create(integrity_algorithm_t algo);
 
-#endif /*xcbc_SIGNER_H_ @}*/
+#endif /** XCBC_SIGNER_H_ @}*/
diff --git a/src/libstrongswan/printf_hook.h b/src/libstrongswan/printf_hook.h
index d2edbdd22..a82c1583c 100644
--- a/src/libstrongswan/printf_hook.h
+++ b/src/libstrongswan/printf_hook.h
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: printf_hook.h 4936 2009-03-12 18:07:32Z tobias $
+ * $Id: printf_hook.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -150,4 +150,4 @@ struct printf_hook_t {
  */
 printf_hook_t *printf_hook_create();
 
-#endif /* PRINTF_HOOK_H_ @}*/
+#endif /** PRINTF_HOOK_H_ @}*/
diff --git a/src/libstrongswan/settings.h b/src/libstrongswan/settings.h
index 0f41878c5..c487f7775 100644
--- a/src/libstrongswan/settings.h
+++ b/src/libstrongswan/settings.h
@@ -116,4 +116,4 @@ struct settings_t {
  */
 settings_t *settings_create(char *file);
 
-#endif /* SETTINGS_H_ @}*/
+#endif /** SETTINGS_H_ @}*/
diff --git a/src/libstrongswan/utils.h b/src/libstrongswan/utils.h
index 01d01576e..b740e7473 100644
--- a/src/libstrongswan/utils.h
+++ b/src/libstrongswan/utils.h
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: utils.h 4936 2009-03-12 18:07:32Z tobias $
+ * $Id: utils.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -311,4 +311,4 @@ int time_delta_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
 int mem_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
 					const void *const *args);
 
-#endif /* UTILS_H_ @}*/
+#endif /** UTILS_H_ @}*/
diff --git a/src/libstrongswan/utils/backtrace.h b/src/libstrongswan/utils/backtrace.h
index 72effd01e..061d9f356 100644
--- a/src/libstrongswan/utils/backtrace.h
+++ b/src/libstrongswan/utils/backtrace.h
@@ -59,5 +59,4 @@ struct backtrace_t {
  */
 backtrace_t *backtrace_create(int skip);
 
-#endif /* BACKTRACE_H_ @}*/
-
+#endif /** BACKTRACE_H_ @}*/
diff --git a/src/libstrongswan/utils/enumerator.h b/src/libstrongswan/utils/enumerator.h
index d82f650db..98f300609 100644
--- a/src/libstrongswan/utils/enumerator.h
+++ b/src/libstrongswan/utils/enumerator.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: enumerator.h 4142 2008-07-02 08:09:07Z martin $
+ * $Id: enumerator.h 5003 2009-03-24 17:43:01Z martin $
  */
  
 /**
@@ -122,7 +122,7 @@ enumerator_t* enumerator_create_token(char *string, char *sep, char *trim);
  * @return						the nested enumerator
  */
 enumerator_t *enumerator_create_nested(enumerator_t *outer,
-					enumerator_t *(inner_constructor)(void *outer, void *data),
+					enumerator_t *(*inner_constructor)(void *outer, void *data),
 					void *data, void (*destroy_data)(void *data));
 
 /**
@@ -157,4 +157,4 @@ enumerator_t *enumerator_create_filter(enumerator_t *unfiltered,
 enumerator_t *enumerator_create_cleaner(enumerator_t *wrapped,
 					void (*cleanup)(void *data), void *data);
 
-#endif /* ENUMERATOR_H_ @} */
+#endif /** ENUMERATOR_H_ @}*/
diff --git a/src/libstrongswan/utils/hashtable.h b/src/libstrongswan/utils/hashtable.h
index 3d3005e73..28804caf8 100644
--- a/src/libstrongswan/utils/hashtable.h
+++ b/src/libstrongswan/utils/hashtable.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: hashtable.h 4762 2008-12-05 10:01:52Z martin $
+ * $Id: hashtable.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -113,4 +113,4 @@ struct hashtable_t {
 hashtable_t *hashtable_create(hashtable_hash_t hash, hashtable_equals_t equals,
 							  u_int capacity);
 
-#endif /* HASHTABLE_H_ @} */
+#endif /** HASHTABLE_H_ @}*/
diff --git a/src/libstrongswan/utils/host.h b/src/libstrongswan/utils/host.h
index 5f00872b8..0a2541d96 100644
--- a/src/libstrongswan/utils/host.h
+++ b/src/libstrongswan/utils/host.h
@@ -207,4 +207,4 @@ host_t *host_create_any(int family);
 int host_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
 					 const void *const *args);
 
-#endif /* HOST_H_ @}*/
+#endif /** HOST_H_ @}*/
diff --git a/src/libstrongswan/utils/identification.c b/src/libstrongswan/utils/identification.c
index ff97f3610..bce6b1cc2 100644
--- a/src/libstrongswan/utils/identification.c
+++ b/src/libstrongswan/utils/identification.c
@@ -14,7 +14,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: identification.c 4936 2009-03-12 18:07:32Z tobias $
+ * $Id: identification.c 5036 2009-03-26 13:25:46Z martin $
  */
 
 #define _GNU_SOURCE
@@ -715,6 +715,37 @@ static id_type_t get_type(private_identification_t *this)
 	return this->type;
 }
 
+/**
+ * Implementation of identification_t.contains_wildcards fro ID_DER_ASN1_DN.
+ */
+static bool contains_wildcards_dn(private_identification_t *this)
+{
+	chunk_t rdn, attribute;
+	chunk_t oid, value;
+	asn1_t type;
+	bool next;
+	
+	if (!init_rdn(this->encoded, &rdn, &attribute, &next))
+	{
+		return FALSE;
+	}	
+	/* fetch next RDN */
+	while (next)
+	{
+		/* parse next RDN and check for errors */
+		if (!get_next_rdn(&rdn, &attribute, &oid, &value, &type, &next))
+		{
+			return FALSE;
+		}
+		/* check if RDN is a wildcard */
+		if (value.len == 1 && *value.ptr == '*')
+		{
+			return TRUE;
+		}
+	}
+	return FALSE;
+}
+
 /**
  * Implementation of identification_t.contains_wildcards.
  */
@@ -728,10 +759,9 @@ static bool contains_wildcards(private_identification_t *this)
 		case ID_RFC822_ADDR:
 			return memchr(this->encoded.ptr, '*', this->encoded.len) != NULL;
 		case ID_DER_ASN1_DN:
-			/* TODO */
+			return contains_wildcards_dn(this);
 		default:
 			return FALSE;
-		
 	}
 }
 
diff --git a/src/libstrongswan/utils/identification.h b/src/libstrongswan/utils/identification.h
index 070984490..2284b7b46 100644
--- a/src/libstrongswan/utils/identification.h
+++ b/src/libstrongswan/utils/identification.h
@@ -14,7 +14,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: identification.h 4936 2009-03-12 18:07:32Z tobias $
+ * $Id: identification.h 5003 2009-03-24 17:43:01Z martin $
  */
  
 /**
@@ -197,8 +197,8 @@ struct identification_t {
 	 * Check if an ID matches a wildcard ID.
 	 * 
 	 * An identification_t may contain wildcards, such as
-	 * *@strongswan.org. This call checks if a given ID
-	 * (e.g. tester@strongswan.org) belongs to a such wildcard
+	 * *.strongswan.org. This call checks if a given ID
+	 * (e.g. tester.strongswan.org) belongs to a such wildcard
 	 * ID. Returns > 0 if
 	 * - IDs are identical
 	 * - other is of type ID_ANY
@@ -243,7 +243,7 @@ struct identification_t {
  * The input string may be e.g. one of the following:
  * - ID_IPV4_ADDR:		192.168.0.1
  * - ID_IPV6_ADDR:		2001:0db8:85a3:08d3:1319:8a2e:0370:7345
- * - ID_FQDN:			@www.strongswan.org (@indicates FQDN)
+ * - ID_FQDN:			www.strongswan.org (optionally with a prepended @)
  * - ID_RFC822_ADDR:	alice@wonderland.org
  * - ID_DER_ASN1_DN:	C=CH, O=Linux strongSwan, CN=bob
  *
@@ -283,4 +283,4 @@ identification_t * identification_create_from_encoding(id_type_t type, chunk_t e
 int identification_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
 							   const void *const *args);
 
-#endif /* IDENTIFICATION_H_ @} */
+#endif /** IDENTIFICATION_H_ @}*/
diff --git a/src/libstrongswan/utils/iterator.h b/src/libstrongswan/utils/iterator.h
index 28ee74cd6..02eb1b9c0 100644
--- a/src/libstrongswan/utils/iterator.h
+++ b/src/libstrongswan/utils/iterator.h
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: iterator.h 4577 2008-11-05 08:37:09Z martin $
+ * $Id: iterator.h 5003 2009-03-24 17:43:01Z martin $
  */
  
 /**
@@ -113,4 +113,4 @@ struct iterator_t {
 	void (*destroy) (iterator_t *this);
 };
 
-#endif /*ITERATOR_H_ @} */
+#endif /** ITERATOR_H_ @}*/
diff --git a/src/libstrongswan/utils/leak_detective.h b/src/libstrongswan/utils/leak_detective.h
index 3773fb8e5..cd30dcd5f 100644
--- a/src/libstrongswan/utils/leak_detective.h
+++ b/src/libstrongswan/utils/leak_detective.h
@@ -44,5 +44,5 @@ struct leak_detective_t {
  */
 leak_detective_t *leak_detective_create();
 
-#endif /* LEAK_DETECTIVE_H_ @}*/
+#endif /** LEAK_DETECTIVE_H_ @}*/
 
diff --git a/src/libstrongswan/utils/lexparser.h b/src/libstrongswan/utils/lexparser.h
index c47f65718..6ae970e1e 100644
--- a/src/libstrongswan/utils/lexparser.h
+++ b/src/libstrongswan/utils/lexparser.h
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: lexparser.h 4877 2009-02-18 09:45:54Z martin $
+ * $Id: lexparser.h 5003 2009-03-24 17:43:01Z martin $
  */
  
 /**
@@ -47,7 +47,7 @@ bool extract_token(chunk_t *token, const char termination, chunk_t *src);
 bool extract_token_str(chunk_t *token, const char *termination, chunk_t *src);
 
 /**
- *  Fetches a new text line terminated by \n or \r\n
+ *  Fetches a new text line terminated by \\n or \\r\\n
  */
 bool fetchline(chunk_t *src, chunk_t *line);
 
@@ -66,4 +66,4 @@ err_t extract_name_value(chunk_t *name, chunk_t *value, chunk_t *line);
  */
 err_t extract_parameter_value(chunk_t *name, chunk_t *value, chunk_t *line);
 
-#endif /* LEXPARSER_H_ @} */
+#endif /** LEXPARSER_H_ @}*/
diff --git a/src/libstrongswan/utils/linked_list.h b/src/libstrongswan/utils/linked_list.h
index ba47e7dfb..aa603fefa 100644
--- a/src/libstrongswan/utils/linked_list.h
+++ b/src/libstrongswan/utils/linked_list.h
@@ -14,7 +14,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: linked_list.h 4576 2008-11-05 08:32:38Z martin $
+ * $Id: linked_list.h 5003 2009-03-24 17:43:01Z martin $
  */
  
 /**
@@ -272,4 +272,4 @@ struct linked_list_t {
  */
 linked_list_t *linked_list_create(void);
 
-#endif /*LINKED_LIST_H_ @} */
+#endif /** LINKED_LIST_H_ @}*/
diff --git a/src/libstrongswan/utils/mutex.h b/src/libstrongswan/utils/mutex.h
index 4cdd96a99..46c939fb8 100644
--- a/src/libstrongswan/utils/mutex.h
+++ b/src/libstrongswan/utils/mutex.h
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  * 
- * $Id: mutex.h 4697 2008-11-25 19:30:02Z tobias $
+ * $Id: mutex.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -185,4 +185,4 @@ condvar_t *condvar_create(condvar_type_t type);
  */
 rwlock_t *rwlock_create(rwlock_type_t type);
 
-#endif /* MUTEX_H_ @}*/
+#endif /** MUTEX_H_ @}*/
diff --git a/src/libstrongswan/utils/optionsfrom.h b/src/libstrongswan/utils/optionsfrom.h
index 424b9dc61..9372971ca 100644
--- a/src/libstrongswan/utils/optionsfrom.h
+++ b/src/libstrongswan/utils/optionsfrom.h
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: optionsfrom.h 3589 2008-03-13 14:14:44Z martin $
+ * $Id: optionsfrom.h 5003 2009-03-24 17:43:01Z martin $
  */
  
 /**
@@ -56,4 +56,4 @@ struct options_t {
  */
 options_t *options_create(void);
 
-#endif /*OPTIONSFROM_H_ @} */
+#endif /** OPTIONSFROM_H_ @}*/
diff --git a/src/manager/controller/auth_controller.h b/src/manager/controller/auth_controller.h
index b17e5745d..e2cd48cc4 100644
--- a/src/manager/controller/auth_controller.h
+++ b/src/manager/controller/auth_controller.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: auth_controller.h 3589 2008-03-13 14:14:44Z martin $
+ * $Id: auth_controller.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -44,4 +44,4 @@ struct auth_controller_t {
  */
 controller_t *auth_controller_create(context_t *context, void *param);
 
-#endif /* AUTH_CONTROLLER_H_ @} */
+#endif /** AUTH_CONTROLLER_H_ @}*/
diff --git a/src/manager/controller/config_controller.h b/src/manager/controller/config_controller.h
index cde4efd1a..88d37424f 100644
--- a/src/manager/controller/config_controller.h
+++ b/src/manager/controller/config_controller.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: config_controller.h 3589 2008-03-13 14:14:44Z martin $
+ * $Id: config_controller.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -44,4 +44,4 @@ struct config_controller_t {
  */
 controller_t *config_controller_create(context_t *context, void *param);
 
-#endif /* CONFIG_CONTROLLER_H_ @} */
+#endif /** CONFIG_CONTROLLER_H_ @}*/
diff --git a/src/manager/controller/control_controller.h b/src/manager/controller/control_controller.h
index 1f2fbcb31..8992e5b48 100644
--- a/src/manager/controller/control_controller.h
+++ b/src/manager/controller/control_controller.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: control_controller.h 3589 2008-03-13 14:14:44Z martin $
+ * $Id: control_controller.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -44,4 +44,4 @@ struct control_controller_t {
  */
 controller_t *control_controller_create(context_t *context, void *param);
 
-#endif /* CONTROL_CONTROLLER_H_ */
+#endif /** CONTROL_CONTROLLER_H_ @}*/
diff --git a/src/manager/controller/gateway_controller.h b/src/manager/controller/gateway_controller.h
index cf314ce54..864c7a4bd 100644
--- a/src/manager/controller/gateway_controller.h
+++ b/src/manager/controller/gateway_controller.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: gateway_controller.h 3589 2008-03-13 14:14:44Z martin $
+ * $Id: gateway_controller.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -44,4 +44,4 @@ struct gateway_controller_t {
  */
 controller_t *gateway_controller_create(context_t *context, void *param);
 
-#endif /* GATEWAY_CONTROLLER_H_ @} */
+#endif /** GATEWAY_CONTROLLER_H_ @}*/
diff --git a/src/manager/controller/ikesa_controller.h b/src/manager/controller/ikesa_controller.h
index 1ff9d1749..240e8db4f 100644
--- a/src/manager/controller/ikesa_controller.h
+++ b/src/manager/controller/ikesa_controller.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: ikesa_controller.h 3589 2008-03-13 14:14:44Z martin $
+ * $Id: ikesa_controller.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -44,4 +44,4 @@ struct ikesa_controller_t {
  */
 controller_t *ikesa_controller_create(context_t *context, void *param);
 
-#endif /* IKESA_CONTROLLER_H_ @} */
+#endif /** IKESA_CONTROLLER_H_ @}*/
diff --git a/src/manager/gateway.h b/src/manager/gateway.h
index 17df9763a..4ba301a0f 100644
--- a/src/manager/gateway.h
+++ b/src/manager/gateway.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: gateway.h 3589 2008-03-13 14:14:44Z martin $
+ * $Id: gateway.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -74,9 +74,9 @@ struct gateway_t {
 	enumerator_t* (*initiate)(gateway_t *this, bool ike, char *name);
 	
 	/**
-     * Destroy a gateway instance.
-     */
-    void (*destroy)(gateway_t *this);
+	 * Destroy a gateway instance.
+	 */
+	void (*destroy)(gateway_t *this);
 };
 
 /**
@@ -84,7 +84,7 @@ struct gateway_t {
  *
  * @param name			name of the gateway
  * @param host			gateway connection endpoint
- * @param 
+ * @return				gateway connection
  */
 gateway_t *gateway_create_tcp(char *name, host_t *host);
 
@@ -92,8 +92,8 @@ gateway_t *gateway_create_tcp(char *name, host_t *host);
  * Create a gateway instance using a UNIX socket.
  *
  * @param name			name of the gateway
- * @param 
+ * @return				gateway connection
  */
 gateway_t *gateway_create_unix(char *name);
 
-#endif /* GATEWAY_H_ @} */
+#endif /** GATEWAY_H_ @}*/
diff --git a/src/manager/manager.h b/src/manager/manager.h
index 669e413ac..ecd29550b 100644
--- a/src/manager/manager.h
+++ b/src/manager/manager.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: manager.h 3589 2008-03-13 14:14:44Z martin $
+ * $Id: manager.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -95,4 +95,4 @@ struct manager_t {
  */
 manager_t *manager_create(storage_t *storage);
 
-#endif /* MANAGER_H_ @} */
+#endif /** MANAGER_H_ @}*/
diff --git a/src/manager/storage.h b/src/manager/storage.h
index f732eca72..6c5bea650 100644
--- a/src/manager/storage.h
+++ b/src/manager/storage.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: storage.h 3589 2008-03-13 14:14:44Z martin $
+ * $Id: storage.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -66,4 +66,4 @@ struct storage_t {
  */
 storage_t *storage_create(char *uri);
 
-#endif /* STORAGE_H_ @} */
+#endif /** STORAGE_H_ @}*/
diff --git a/src/manager/xml.h b/src/manager/xml.h
index 73964307d..febe5c25d 100644
--- a/src/manager/xml.h
+++ b/src/manager/xml.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: xml.h 3589 2008-03-13 14:14:44Z martin $
+ * $Id: xml.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -60,4 +60,4 @@ struct xml_t {
  */
 xml_t *xml_create(char *xml);
 
-#endif /* XML_H_ @} */
+#endif /** XML_H_ @}*/
diff --git a/src/pluto/asn1.c b/src/pluto/asn1.c
index bd27f6a78..529f597fb 100644
--- a/src/pluto/asn1.c
+++ b/src/pluto/asn1.c
@@ -11,7 +11,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: asn1.c 4942 2009-03-13 20:22:24Z andreas $
+ * RCSID $Id: asn1.c 5041 2009-03-27 08:58:48Z andreas $
  */
 
 #include <stdlib.h>
@@ -348,6 +348,8 @@ is_printablestring(chunk_t str)
     return TRUE;
 }
 
+#define TIME_MAX	0x7fffffff
+
 /*
  *  Converts ASN.1 UTCTIME or GENERALIZEDTIME into calender time
  */
@@ -355,7 +357,7 @@ time_t
 asn1totime(const chunk_t *utctime, asn1_t type)
 {
     struct tm t;
-    time_t tz_offset;
+    time_t tc, tz_offset;
     u_char *eot = NULL;
 
     if ((eot = memchr(utctime->ptr, 'Z', utctime->len)) != NULL)
@@ -381,6 +383,7 @@ asn1totime(const chunk_t *utctime, asn1_t type)
 	return 0; /* error in time format */
     }
 
+    /* parse ASN.1 time string */
     {
 	const char* format = (type == ASN1_UTCTIME)? "%2d%2d%2d%2d%2d":
 						     "%4d%2d%2d%2d%2d";
@@ -419,9 +422,11 @@ asn1totime(const chunk_t *utctime, asn1_t type)
     /* set daylight saving time to off */
     t.tm_isdst = 0;
 
-    /* compensate timezone */
+    /* convert to time_t */
+    tc = mktime(&t);
 
-    return mktime(&t) - timezone - tz_offset;
+    /* if no conversion overflow occurred, compensate timezone */
+    return (tc == -1) ? TIME_MAX : (tc - timezone - tz_offset);
 }
 
 /*
diff --git a/src/pluto/ipsec_doi.c b/src/pluto/ipsec_doi.c
index 52b59be31..9721ac583 100644
--- a/src/pluto/ipsec_doi.c
+++ b/src/pluto/ipsec_doi.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: ipsec_doi.c 4924 2009-03-10 21:13:18Z andreas $
+ * RCSID $Id: ipsec_doi.c 5052 2009-03-30 03:47:14Z andreas $
  */
 
 #include <stdio.h>
@@ -5446,9 +5446,9 @@ dpd_inI_outR(struct state *st, struct isakmp_notification *const n, pb_stream *p
    time_t tm = now();
     u_int32_t seqno;
 
-    if (!IS_ISAKMP_SA_ESTABLISHED(st->st_state))
+    if (st == NULL || !IS_ISAKMP_SA_ESTABLISHED(st->st_state))
     {
-        loglog(RC_LOG_SERIOUS, "DPD: Received R_U_THERE for unestablished ISKAMP SA");
+        loglog(RC_LOG_SERIOUS, "DPD: Received R_U_THERE for unestablished ISAKMP SA");
         return STF_IGNORE;
     }
     if (n->isan_spisize != COOKIE_SIZE * 2 || pbs_left(pbs) < COOKIE_SIZE * 2)
@@ -5516,10 +5516,10 @@ dpd_inR(struct state *st, struct isakmp_notification *const n, pb_stream *pbs)
 {
     u_int32_t seqno;
 
-    if (!IS_ISAKMP_SA_ESTABLISHED(st->st_state))
+    if (st == NULL || !IS_ISAKMP_SA_ESTABLISHED(st->st_state))
     {
         loglog(RC_LOG_SERIOUS
-	    , "DPD: Received R_U_THERE_ACK for unestablished ISKAMP SA");
+	    , "DPD: Received R_U_THERE_ACK for unestablished ISAKMP SA");
         return STF_FAIL;
     }
 
diff --git a/src/pluto/vendor.c b/src/pluto/vendor.c
index cf2136b44..f957bf39b 100644
--- a/src/pluto/vendor.c
+++ b/src/pluto/vendor.c
@@ -11,7 +11,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: vendor.c 4893 2009-02-21 17:53:10Z andreas $
+ * RCSID $Id: vendor.c 5052 2009-03-30 03:47:14Z andreas $
  */
 
 #include <stdlib.h>
@@ -206,7 +206,8 @@ static struct vid_struct _vid_tab[] = {
 	/*
 	 * strongSwan
 	 */
-	DEC_MD5_VID(STRONGSWAN,       "strongSwan 4.2.13")
+	DEC_MD5_VID(STRONGSWAN,       "strongSwan 4.2.14")
+	DEC_MD5_VID(STRONGSWAN_4_2_13,"strongSwan 4.2.13")
 	DEC_MD5_VID(STRONGSWAN_4_2_12,"strongSwan 4.2.12")
 	DEC_MD5_VID(STRONGSWAN_4_2_11,"strongSwan 4.2.11")
 	DEC_MD5_VID(STRONGSWAN_4_2_10,"strongSwan 4.2.10")
@@ -241,6 +242,7 @@ static struct vid_struct _vid_tab[] = {
 	DEC_MD5_VID(STRONGSWAN_4_0_1, "strongSwan 4.0.1")
 	DEC_MD5_VID(STRONGSWAN_4_0_0, "strongSwan 4.0.0")
 
+	DEC_MD5_VID(STRONGSWAN_2_8_8, "strongSwan 2.8.9")
 	DEC_MD5_VID(STRONGSWAN_2_8_8, "strongSwan 2.8.8")
 	DEC_MD5_VID(STRONGSWAN_2_8_7, "strongSwan 2.8.7")
 	DEC_MD5_VID(STRONGSWAN_2_8_6, "strongSwan 2.8.6")
diff --git a/src/pluto/vendor.h b/src/pluto/vendor.h
index f049af1ef..2c8c24b34 100644
--- a/src/pluto/vendor.h
+++ b/src/pluto/vendor.h
@@ -11,7 +11,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: vendor.h 4893 2009-02-21 17:53:10Z andreas $
+ * RCSID $Id: vendor.h 5052 2009-03-30 03:47:14Z andreas $
  */
 
 #ifndef _VENDOR_H_
@@ -94,6 +94,7 @@ enum known_vendorid {
   VID_STRONGSWAN_2_8_6		= 72,
   VID_STRONGSWAN_2_8_7		= 73,
   VID_STRONGSWAN_2_8_8		= 74,
+  VID_STRONGSWAN_2_8_9		= 75,
 
   VID_STRONGSWAN_4_0_0		= 80,
   VID_STRONGSWAN_4_0_1		= 81,
@@ -129,6 +130,7 @@ enum known_vendorid {
   VID_STRONGSWAN_4_2_10		=110,
   VID_STRONGSWAN_4_2_11		=111,
   VID_STRONGSWAN_4_2_12		=112,
+  VID_STRONGSWAN_4_2_13		=113,
 
   /* 101 - 200 : NAT-Traversal */
   VID_NATT_STENBERG_01		=151,
diff --git a/src/starter/Makefile.am b/src/starter/Makefile.am
index 78320b4c7..8a9ba54c9 100644
--- a/src/starter/Makefile.am
+++ b/src/starter/Makefile.am
@@ -15,6 +15,14 @@ MAINTAINERCLEANFILES = lex.yy.c y.tab.c y.tab.h keywords.c
 PLUTODIR=$(top_srcdir)/src/pluto
 SCEPCLIENTDIR=$(top_srcdir)/src/scepclient
 
+if USE_PLUTO
+  AM_CFLAGS += -DSTART_PLUTO
+endif
+
+if USE_CHARON
+  AM_CFLAGS += -DSTART_CHARON
+endif
+
 lex.yy.c:	parser.l parser.y parser.h y.tab.c
 		$(LEX) --nounput $< 
 
diff --git a/src/starter/Makefile.in b/src/starter/Makefile.in
index 1301b931d..54fd28604 100644
--- a/src/starter/Makefile.in
+++ b/src/starter/Makefile.in
@@ -33,6 +33,8 @@ POST_UNINSTALL = :
 build_triplet = @build@
 host_triplet = @host@
 ipsec_PROGRAMS = starter$(EXEEXT)
+@USE_PLUTO_TRUE@am__append_1 = -DSTART_PLUTO
+@USE_CHARON_TRUE@am__append_2 = -DSTART_CHARON
 subdir = src/starter
 DIST_COMMON = README $(dist_man_MANS) $(srcdir)/Makefile.am \
 	$(srcdir)/Makefile.in
@@ -219,7 +221,9 @@ keywords.c files.h keywords.h cmp.c starter.c cmp.h exec.c invokecharon.c \
 exec.h invokecharon.h lex.yy.c loglite.c klips.c klips.h
 
 INCLUDES = -I${linuxdir} -I$(top_srcdir)/src/libfreeswan -I$(top_srcdir)/src/pluto -I$(top_srcdir)/src/whack -I$(top_srcdir)/src/stroke
-AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" -DIPSEC_CONFDIR=\"${confdir}\" -DIPSEC_PIDDIR=\"${piddir}\" -DIPSEC_EAPDIR=\"${eapdir}\" -DDEBUG
+AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" -DIPSEC_CONFDIR=\"${confdir}\" \
+	-DIPSEC_PIDDIR=\"${piddir}\" -DIPSEC_EAPDIR=\"${eapdir}\" \
+	-DDEBUG $(am__append_1) $(am__append_2)
 starter_LDADD = defs.o $(top_builddir)/src/libfreeswan/libfreeswan.a
 EXTRA_DIST = parser.l parser.y keywords.txt ipsec.conf
 dist_man_MANS = ipsec.conf.5 starter.8
diff --git a/src/starter/confread.c b/src/starter/confread.c
index d0d1f4ed8..855d07b51 100644
--- a/src/starter/confread.c
+++ b/src/starter/confread.c
@@ -11,7 +11,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: confread.c 4882 2009-02-18 19:57:15Z tobias $
+ * RCSID $Id: confread.c 5002 2009-03-24 15:02:12Z martin $
  */
 
 #include <stddef.h>
@@ -61,8 +61,13 @@ static void default_values(starter_config_t *cfg)
 	cfg->setup.hidetos     = TRUE;
 	cfg->setup.uniqueids   = TRUE;
 	cfg->setup.interfaces  = new_list("%defaultroute");
+
+#ifdef START_CHARON
 	cfg->setup.charonstart = TRUE;
+#endif
+#ifdef START_PLUTO
 	cfg->setup.plutostart  = TRUE;
+#endif
 
 	cfg->conn_default.seen    = LEMPTY;
 	cfg->conn_default.startup = STARTUP_NO;
@@ -625,6 +630,10 @@ load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg)
 			{
 				conn->eap_type = 26;
 			}
+			else if (streq(kw->value, "radius"))
+			{	/* pseudo-type */
+				conn->eap_type = 253;
+			}
 			else
 			{
 				conn->eap_type = atoi(kw->value);
diff --git a/src/starter/invokecharon.c b/src/starter/invokecharon.c
index 8028bbe54..dd3f5f018 100644
--- a/src/starter/invokecharon.c
+++ b/src/starter/invokecharon.c
@@ -14,7 +14,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: invokecharon.c 4833 2009-01-13 06:50:55Z andreas $
+ * RCSID $Id: invokecharon.c 5050 2009-03-27 16:14:59Z andreas $
  */
 
 #include <sys/types.h>
@@ -216,7 +216,7 @@ starter_start_charon (starter_config_t *cfg, bool no_fork)
 		    {
 			kill(pid, SIGKILL);
 		    }
-		    usleep(20000);
+		    usleep(20000); /* sleep for 20 ms */
 		}
 	    }
 	    else
diff --git a/src/starter/invokepluto.c b/src/starter/invokepluto.c
index e18d6e38d..edc587124 100644
--- a/src/starter/invokepluto.c
+++ b/src/starter/invokepluto.c
@@ -11,7 +11,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: invokepluto.c 4632 2008-11-11 18:37:19Z martin $
+ * RCSID $Id: invokepluto.c 5050 2009-03-27 16:14:59Z andreas $
  */
 
 #include <sys/types.h>
@@ -62,33 +62,49 @@ starter_pluto_sigchild(pid_t pid)
 int
 starter_stop_pluto (void)
 {
-    pid_t pid;
     int i;
+    pid_t pid = _pluto_pid;
 
-    pid = _pluto_pid;
     if (pid)
     {
 	_stop_requested = 1;
+
 	if (starter_whack_shutdown() == 0)
 	{
-	    for (i = 0; i < 20; i++)
+	    for (i = 0; i < 400; i++)
 	    {
-		usleep(20000);
+		usleep(20000); /* sleep for 20 ms */
 		if (_pluto_pid == 0)
+		{
+		    plog("pluto stopped after %d ms", 20*(i+1));
 		    return 0;
+		}
 	    }
 	}
 	/* be more and more aggressive */
 	for (i = 0; i < 20 && (pid = _pluto_pid) != 0; i++)
 	{
+	    
 	    if (i < 10)
+	    {
 		kill(pid, SIGTERM);
+	    }
+	    if (i == 10)
+	    {
+		kill(pid, SIGKILL);
+		plog("starter_stop_pluto(): pluto does not respond, sending KILL");
+	    }		
 	    else
+	    {
 		kill(pid, SIGKILL);
-	    usleep(20000);
+	    }
+	    usleep(100000); /* sleep for 100 ms */
 	}
 	if (_pluto_pid == 0)
+	{
+	    plog("pluto stopped after %d ms", 8000 + 100*i);
 	    return 0;
+	}
 	plog("starter_stop_pluto(): can't stop pluto !!!");
 	return -1;
     }
@@ -248,17 +264,17 @@ starter_start_pluto (starter_config_t *cfg, bool no_fork)
 	default:
 	    /* father */
 	    _pluto_pid = pid;
-	    for (i = 0; i < 50 && _pluto_pid; i++)
+	    for (i = 0; i < 500 && _pluto_pid; i++)
 	    {
-		/* wait for pluto */
+		/* wait for pluto for a maximum of 500 x 20 ms = 10 s */
 		usleep(20000);
 		if (stat(PLUTO_CTL_FILE, &stb) == 0)
 		{
-		    DBG(DBG_CONTROL,
-			DBG_log("pluto (%d) started", _pluto_pid)
-		    )
+		    plog("pluto (%d) started after %d ms", _pluto_pid, 20*(i+1));
 		    if (cfg->setup.postpluto)
+		    {
 			ignore_result(system(cfg->setup.postpluto));
+		    }
 		    return 0;
 		}
 	    }
@@ -269,10 +285,14 @@ starter_start_pluto (starter_config_t *cfg, bool no_fork)
 		for (i = 0; i < 20 && (pid = _pluto_pid) != 0; i++)
 		{
 		    if (i < 10)
+		    {
 			kill(pid, SIGTERM);
+		    }
 		    else
+		    {
 			kill(pid, SIGKILL);
-		    usleep(20000);
+		    }
+		    usleep(20000); /* sleep for 20 ms */
 		}
 	    }
 	    else
diff --git a/src/starter/ipsec.conf.5 b/src/starter/ipsec.conf.5
index 9ad03eb60..565f15c66 100644
--- a/src/starter/ipsec.conf.5
+++ b/src/starter/ipsec.conf.5
@@ -1,5 +1,5 @@
 .TH IPSEC.CONF 5 "27 Jun 2007"
-.\" RCSID $Id: ipsec.conf.5 4890 2009-02-19 22:12:04Z andreas $
+.\" RCSID $Id: ipsec.conf.5 5002 2009-03-24 15:02:12Z martin $
 .SH NAME
 ipsec.conf \- IPsec configuration and connections
 .SH DESCRIPTION
@@ -369,6 +369,10 @@ in the form
 (e.g.
 .B eap=7-12345
 ) can be used to specify vendor specific EAP types.
+
+To forward EAP authentication to a RADIUS server using the EAP-RADIUS plugin,
+set 
+.B eap=radius
 .TP
 .B eap_identity
 defines the identity the client uses to reply to a EAP Identity request.
@@ -936,9 +940,11 @@ and
 whether to start the IKEv2 Charon daemon or not.
 Accepted values are
 .B yes
-(the default)
 or
 .BR no .
+The default is 
+.B yes
+if starter was compiled with IKEv2 support.
 .TP
 .B dumpdir
 in what directory should things started by \fBipsec starter\fR
@@ -951,9 +957,11 @@ This feature is currently not yet supported by \fBipsec starter\fR.
 whether to start the IKEv1 Pluto daemon or not.
 Accepted values are
 .B yes
-(the default)
 or
 .BR no .
+The default is 
+.B yes
+if starter was compiled with IKEv1 support.
 .TP
 .B strictcrlpolicy
 defines if a fresh CRL must be available in order for the peer authentication based
diff --git a/testing/INSTALL b/testing/INSTALL
index 27a2ddc64..cdf51ab35 100644
--- a/testing/INSTALL
+++ b/testing/INSTALL
@@ -53,7 +53,7 @@ are required for the strongSwan testing environment:
     * A vanilla Linux kernel on which the UML kernel will be based on.
       We recommend the use of
 
-      http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.28.6.tar.bz2
+      http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.28.8.tar.bz2
 
     * The Linux kernel 2.6.28 does not require any patches for the uml guest kernel
       to successfully start up.
@@ -68,7 +68,7 @@ are required for the strongSwan testing environment:
 
     * The latest strongSwan distribution
 
-      http://download.strongswan.org/strongswan-4.2.13.tar.bz2
+      http://download.strongswan.org/strongswan-4.2.14.tar.bz2
 
 
 3. Creating the environment
@@ -143,5 +143,5 @@ README document.
 
 -----------------------------------------------------------------------------
 
-This file is RCSID $Id: INSTALL 4893 2009-02-21 17:53:10Z andreas $
+This file is RCSID $Id: INSTALL 4990 2009-03-22 14:37:03Z andreas $
 
diff --git a/testing/hosts/winnetou/etc/openssl/generate-crl b/testing/hosts/winnetou/etc/openssl/generate-crl
index 199ecf10e..78e91bdd6 100755
--- a/testing/hosts/winnetou/etc/openssl/generate-crl
+++ b/testing/hosts/winnetou/etc/openssl/generate-crl
@@ -36,3 +36,8 @@ cd /etc/openssl/ecdsa
 openssl ca -gencrl -crldays 15 -config /etc/openssl/ecdsa/openssl.cnf -out crl.pem
 openssl crl -in crl.pem -outform der -out strongswan_ec.crl
 cp strongswan_ec.crl /var/www/localhost/htdocs/
+cd /etc/openssl/monster
+openssl ca -gencrl -crldays 15 -config /etc/openssl/monster/openssl.cnf -out crl.pem
+openssl crl -in crl.pem -outform der -out strongswan-monster.crl
+cp strongswan-monster.crl /var/www/localhost/htdocs/
+
diff --git a/testing/hosts/winnetou/etc/openssl/monster/crlnumber b/testing/hosts/winnetou/etc/openssl/monster/crlnumber
new file mode 100644
index 000000000..eeee65ec4
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/monster/crlnumber
@@ -0,0 +1 @@
+05
diff --git a/testing/hosts/winnetou/etc/openssl/monster/index.txt b/testing/hosts/winnetou/etc/openssl/monster/index.txt
new file mode 100644
index 000000000..cd9407ee9
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/monster/index.txt
@@ -0,0 +1,2 @@
+V	390321140608Z		01	unknown	/C=CH/O=Linux strongSwan/OU=Monster/CN=carol@strongswan.org
+V	390321140716Z		02	unknown	/C=CH/O=Linux strongSwan/OU=Monster/CN=moon.strongswan.org
diff --git a/testing/hosts/winnetou/etc/openssl/monster/index.txt.attr b/testing/hosts/winnetou/etc/openssl/monster/index.txt.attr
new file mode 100644
index 000000000..3a7e39e6e
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/monster/index.txt.attr
@@ -0,0 +1 @@
+unique_subject = no
diff --git a/testing/hosts/winnetou/etc/openssl/monster/index.txt.attr.old b/testing/hosts/winnetou/etc/openssl/monster/index.txt.attr.old
new file mode 100644
index 000000000..8f7e63a34
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/monster/index.txt.attr.old
@@ -0,0 +1 @@
+unique_subject = yes
diff --git a/testing/hosts/winnetou/etc/openssl/monster/index.txt.old b/testing/hosts/winnetou/etc/openssl/monster/index.txt.old
new file mode 100644
index 000000000..fbbcb81d3
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/monster/index.txt.old
@@ -0,0 +1 @@
+V	390321140608Z		01	unknown	/C=CH/O=Linux strongSwan/OU=Monster/CN=carol@strongswan.org
diff --git a/testing/hosts/winnetou/etc/openssl/monster/newcerts/01.pem b/testing/hosts/winnetou/etc/openssl/monster/newcerts/01.pem
new file mode 100644
index 000000000..2ce2ce3c9
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/monster/newcerts/01.pem
@@ -0,0 +1,46 @@
+-----BEGIN CERTIFICATE-----
+MIIINzCCBB+gAwIBAgIBATANBgkqhkiG9w0BAQ0FADBIMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBN
+b25zdGVyIENBMB4XDTA5MDMyODE0MDYwOFoXDTM5MDMyMTE0MDYwOFowWTELMAkG
+A1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xEDAOBgNVBAsTB01v
+bnN0ZXIxHTAbBgNVBAMUFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMIICIjANBgkqhkiG
+9w0BAQEFAAOCAg8AMIICCgKCAgEAqYq89COSvnLQplrjtSrDyvqvJqXN7mfmgfgR
+yGVG6HVoA3DU/vJPo8xHT43eTIBkT9wxernYxGw7UZwG6iiY3Me7Q82f+2TmX8mp
+dYtP53SWASOHBiLk7d3yJJjCY2GGP8Vb0avJa8GEOy9ZHTOf5HWwMDt9EQKxOzkw
+BebpMLCf2Mi1robNUj/lEgE+3AGfikF39E3JaXhna3mm+7PwO5J5udpxC/rVa+bO
+FPoBoBOY7v4fuq0CV5x5q/bXn9oVWteF/U1fnnOf5Dhe3P057oj7kARsmGk8e0DW
+kk1vTt4jplSg6jhH7izy4OhiqWkR7QV/BMOQBqBd6bw9Ojk12LFZBQulM0Lmtou5
+mGabckTMvtI591UCGNqGMcVDsxFIX2ZMvfScMahS6pUq+hjiR95mwez2Z1Sg014l
+cFg11mzjXGGBFuTCl3smJqRT7UaI6JfjNz1f6p/7z8QhjKChVA/xnJ5yoJWNPest
+2X0psHe3AlocUFRxqnD2ZmNO6IuKN5bmN0O4Lfc50rl2hPATXdh0HC8HvcYbRK9C
+uezkuM1QEvkev5SFbzgivXb1A2hdRCc1/XRND7Pm9sCjjh3tn5otCMnalc1mk5v+
+t8GhCKV6B7RTzFqu+ry0pe6OlqqzU0yNdqYFK1hoCDXUQzEMJzmI9mIw+n6EE3Hh
+fTZstGECAwEAAaOCARkwggEVMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1Ud
+DgQWBBTy8LU5yQdnV8pfwhCPY7q/CiNyzjB4BgNVHSMEcTBvgBQZYq2Wq8b7148Q
+xFb/QGMiQnB2DqFMpEowSDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0
+cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3YW4gTW9uc3RlciBDQYIJAIORWNru
+S4GuMB8GA1UdEQQYMBaBFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMEEGA1UdHwQ6MDgw
+NqA0oDKGMGh0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbi1tb25z
+dGVyLmNybDANBgkqhkiG9w0BAQ0FAAOCBAEAi39l78OCI9S0I3X62HbkxiLguvnc
+CbXY6Tqmz0Ms8xqZgYzJOk7FLB/4v/zJohOH5nd7KxJ81KbcERyASpybaLM0/V+V
+oGT0rDGGH5cS4H2uYfs9HsKFKKPbZeCnExFyCamXjBZkl5IZNjdpS9TLyXRJSyFN
+OIRNhILPSriqdtzgRuGOeX798U8o0ObizGQRVlT0p0lI4t64dzZbIh3jSXjCf1Tz
+cmVOC8qhhGvxLlorSy5K98t2zNY7DvzwtvoQrNFGtso1kvfmaO4XRCvSZsmqPpC5
+mmWJjNEG2qcbmfpt8TotyUHgEJTZXwXlPVVb5OXHTW6jXk/MN0UiMTLJYcvJ1gji
+kSnGNHzRH2rKlYRED+jlzzHAWSv0mBGcOTdmfBV6+TJ7QhWhLZBzAUfwqXpAy9Vk
+idtyB0eSWBTIvhZY6SzB0Rvkdj0FtZ+tNURT4dPtiO0D+LXm/ojpdKKI2tFNOgwY
+n8df2u3xnCRvHqcF6lvu+ptnwUkUDDGDuiM20+sm0HHhLIj51v8tTm3Q/MzI0BAb
+G4HOSQNDzymWDgzIE67UTxBwXVDbSLkzH1vhFXtZQlD1UHqOUT/4FQm5ZlVMF8na
+FKxHakqoh1CdI8TAmM64h3hp1zp+G9Zn0lfcHRhvWBvpU8mgF1cbEvgbzjd9+xLe
+q45/8xuZPnU7XIBvDcZTUk8LRIThcTxQRlQdI1UJnvPOBYG3mUrLs2UdEZGwsooG
+zMOj3EQwqrR67rQiuGo65IMPDix4mwHjcZ8Gr4eqLDwSUS5yoPX1qI2qNLQbI1Ni
+8PEYMXQ0Xm+9Z86ZkI0dAIBWLkEGkz5Ngqk4O3JLzF1O/XPG4E9hGJ8WsHQW6pk9
++quv5nVNCAO0z6FYfQoYprdbDBur+N/no+BYIcSFSpLcNgafLXgj3I65iJ2VmRi0
+V0xAfxcRiQN2+/7aao2zLrrSPHU8YsW48ISw9ibQ9EckZMVtnhuYpBJuX8+auZ8f
+OgBmgRi7fCtEcMlXsiisQehymMs470eDRfWFUMzgJC8tMOQIWNdYM0Bo29wYUJPN
+jD+NO0n+PisFMilBEyoT2pD1i94+5DWQau/7STb3GbpBsLb7JbIrQEp0oSdsvsNR
+SaJQEqMxepJM0OGp3FMr79s+/a13+TMm+jl65M6sV/YTDdYFlplkWyHDjbL+WjUu
+lvDEURfBJrtT7u673RakCEzl5e53fP01HXFhqgMSloR7j2XNiyCeEUBp+zetXxwb
+8e6IKtbXWU+WcXIdNOHAL+OtD1vUK3gxupJPrRNW6daZKWUDbjRixzXnjeyIw8It
+bRldc5VjyM0G4FMbmIROgRcvjJ74MUwnHpgPl9zQ28HmbxKbANiJJZHIDw==
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/monster/newcerts/02.pem b/testing/hosts/winnetou/etc/openssl/monster/newcerts/02.pem
new file mode 100644
index 000000000..e83798c07
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/monster/newcerts/02.pem
@@ -0,0 +1,46 @@
+-----BEGIN CERTIFICATE-----
+MIIINTCCBB2gAwIBAgIBAjANBgkqhkiG9w0BAQ0FADBIMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBN
+b25zdGVyIENBMB4XDTA5MDMyODE0MDcxNloXDTM5MDMyMTE0MDcxNlowWDELMAkG
+A1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xEDAOBgNVBAsTB01v
+bnN0ZXIxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dhbi5vcmcwggIiMA0GCSqGSIb3
+DQEBAQUAA4ICDwAwggIKAoICAQC/9647SgAcK/or/Qs/3cRc19po7oex5EBdPR7b
+vInAuzrVMK84+ifneBWscVhBnxcUI37D0SpKx0onrdskMOyv5nmkdcgQf8931eip
+scNsw8bC8MJsbc5Jfn3DKPurbKK2/uFFE8ot7S65HY9tVBsxKsrjS5YFPE+DKKP+
+BgVk/9hL0Kqq2iKuWTq8YTRMu5iskpLIxqvuz362G46BKoW52pFegeDzpz/Bs/7y
+0oWPRcNcuRQR5XFTpF2L3UosniMkr7aYU5Z8s7IqiEx7txGh5SxRB+TYIZwB1ODa
+L+bnclQeMsBiFqlO9UI38UaxEQgk/+UhgpaX/DPrZg8KJmjW3e+x8xcwL3ouRLy2
+2Z99WMnV6TlwpTKj24EQJALmLG+UJG+hbV9P9j6Mkql3FHb4aLZH71CvyCqeg2yh
+FGiuaGEe8vS9+Dj5LKv8hSbBe/MSQDiPhKT1gb84TiQMsWfxLN7oDXunohnhMZfu
+sydB/c/R/ooA5ri+lE5c65bP2Mk+ml61p6z7lJv+DXBDXW/o4v8Imjx2OMsL85LZ
+vYWJppdJrThd/m4OVnCXYfuHMZqedsIvNR5blnldATLBjWWbeoKhOyqZb8hZ6HFR
+dlJ11LhxnGg9itG385L3Espl+EVcakWBZWrOn5/LGNKZH3UedclEBNci6lSadZaP
+/UfRCwIDAQABo4IBGDCCARQwCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0O
+BBYEFOQpYirU7vrMZUWDkqDijTPuhPQiMHgGA1UdIwRxMG+AFBlirZarxvvXjxDE
+Vv9AYyJCcHYOoUykSjBIMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ry
+b25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBNb25zdGVyIENBggkAg5FY2u5L
+ga4wHgYDVR0RBBcwFYITbW9vbi5zdHJvbmdzd2FuLm9yZzBBBgNVHR8EOjA4MDag
+NKAyhjBodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW4tbW9uc3Rl
+ci5jcmwwDQYJKoZIhvcNAQENBQADggQBAAEsjsebEspAIANEBVWRjRpowIJlVSLf
+WKzblIPlhClXafHGJbhiamdtS2FmEh/rkzz3Ml+9cJy1KnB1Pn6+4JLSJe5xAywK
+lKTT2iY0KDdOsaK5j+CNJ2tW9NrJPxwtIz+nGGqqyyEUPJE1FYxphbLgmwFNBm2o
+HyeUVYI+gyfmhyHaXHKOmbsDG0o+pUX2tVOs0KdyU6deaAtEf1E6aA5TpCAi1OZs
+pdRDXFUfjdekRkfRr1PZ41Xwk3t6E32YhIE++r7QneQPhXymxVO9nepmpuSoHvlX
+Hb4JN2EQ0zCkkkOfqCuF46zVxsR46/3cfKbRsaVmdfGjvmDSCDI47AreluYiPTGA
+zN4XN91Y5rPZuT9OJYV4UrYv9N1jH5StVmSz19rbYOeozJXX0PBjdCKHEonD1FHY
+xWRpijVUG6NWVLKpvdg3RiFw78wIrNPAeVDvLL+112nbszNDNLSoOJjOUBySHJda
+WYFtg2IoAUis9r/o7uykNcC6KiU4Y1nC8PEIhMi4AMA9UgBCn4ixYtHI9jkfHcrD
+O1kvPRUo3hKzrhftLYtfiBfTEh+3Xab615lt5vNNhdI7d4knqUXvVdURtvlfJLZv
+W0YdvwjJtrVJAiCtX3wyxy72O1ZOG5kHCcK5oHUHg5W172rK9hK4LByk5ESqtc/t
+YDG7TmZLtUceV5yK4gz7pwIwXthA8yayRy+lbk8BFxRMfOEfb6rPdm0vvmPpHHDu
+yHR5SJTgpGo+/I8N1zS6PNeUBh0RAbSnxHJSMLn+GYTs8s6Atnq05SIuVYxvXyAQ
+ULf+ppNN5lngSZHPaOFJNpC1QL1+DdMNueDITVxYx5DV8SkWRPhzS77tsYeUxVGI
+IpUVEqSggGe6Q4YWv2smAjSeqaS5HNGxstE+Ybat/cp9QMbLc7gwKxwRQHhVRZ5O
+0rVq2bZUyly8y4wX8G8WFMNuCoAcHAdMvKh4JtmdDDZlbxdC2mSVbLSuTBfGvKc1
+ScwOBtSqQkm9PsTMitZM31s97WJLQIZbq82g2ns7hfEXMMIgzcFLYlM1SovbDZI5
+ZM63NBVTaKyj+Gxy8FcAPBPtPWwAQT+Gdi8gFwtcEilTOBECL5y0hzlL9aJpsJEq
+4KV5nnM5rutUufiYzQMZqME3g9VWk0kQteVpa4x+4zsKH9lJSSS/y0eCo/jArS8l
+HSmzUDkj2cWmf/azdrcig7g/mHeEbKu1JH1X5lRdZekqcRCW6v1OjP025B/5nSnL
+WYPUI9RLb01fmPjWdrc4+hPnHjePp8w6tuM6U6huMCwstnOel6d2FL5hOWvXNmIH
+I+8zv7SHhIWQmUbC0YQn8BFqvqDC08In5x42YiTe+42YEtafkTkbY8o=
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/monster/openssl.cnf b/testing/hosts/winnetou/etc/openssl/monster/openssl.cnf
new file mode 100644
index 000000000..e5a716f28
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/monster/openssl.cnf
@@ -0,0 +1,184 @@
+# openssl.cnf -  OpenSSL configuration file for the ZHW PKI
+# Mario Strasser <mario.strasser@zhwin.ch>
+#
+# $Id: openssl.cnf,v 1.2 2005/08/15 21:25:22 as Exp $
+#	
+
+# This definitions were set by the ca_init script DO NOT change
+# them manualy.
+CAHOME			= /etc/openssl/monster
+RANDFILE		= $CAHOME/.rand
+
+# Extra OBJECT IDENTIFIER info:
+oid_section		= new_oids
+
+[ new_oids ]
+SmartcardLogin		= 1.3.6.1.4.1.311.20.2
+ClientAuthentication	= 1.3.6.1.4.1.311.20.2.2
+
+####################################################################
+
+[ ca ]
+default_ca	= root_ca		# The default ca section
+
+####################################################################
+
+[ root_ca ]				
+
+dir		= $CAHOME
+certs		= $dir/certs		  # Where the issued certs are kept
+crl_dir		= $dir/crl                # Where the issued crl are kept
+database	= $dir/index.txt          # database index file.
+new_certs_dir   = $dir/newcerts           # default place for new certs.
+
+certificate     = $dir/strongswanCert-monster.pem # The CA certificate
+serial          = $dir/serial             # The current serial number
+crl             = $dir/crl.pem            # The current CRL
+crlnumber	= $dir/crlnumber	  # The current CRL serial number
+private_key     = $dir/strongswanKey-monster.pem  # The private key
+RANDFILE        = $dir/.rand              # private random number file
+
+x509_extensions = host_ext		  # The extentions to add to the cert
+
+crl_extensions	= crl_ext  		  # The extentions to add to the CRL
+
+default_days    = 10950                   # how long to certify for
+default_crl_days= 30			  # how long before next CRL
+default_md      = sha512                  # which md to use.
+preserve        = no                      # keep passed DN ordering
+email_in_dn	= no			  # allow/forbid EMail in DN
+
+policy          = policy_match		  # specifying how similar the request must look
+
+####################################################################
+
+# the 'match' policy
+[ policy_match ]
+countryName		= match
+stateOrProvinceName	= optional
+localityName            = optional
+organizationName	= match
+organizationalUnitName	= optional
+userId			= optional
+serialNumber		= optional
+commonName		= supplied
+emailAddress		= optional
+
+# the 'anything' policy
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+####################################################################
+
+[ req ]
+default_bits		= 1024
+default_keyfile 	= privkey.pem
+distinguished_name	= req_distinguished_name
+attributes		= req_attributes
+x509_extensions		= ca_ext	# The extentions to add to the self signed cert
+# req_extensions 	= v3_req 	# The extensions to add to a certificate request
+
+
+# This sets a mask for permitted string types. There are several options. 
+# default: PrintableString, T61String, BMPString.
+# pkix	 : PrintableString, BMPString.
+# utf8only: only UTF8Strings.
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
+# so use this option with caution!
+string_mask 			= nombstr
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+####################################################################
+
+[ req_distinguished_name ]
+countryName			= Country Name (2 letter code)
+countryName_default		= CH
+countryName_min			= 2
+countryName_max			= 2
+
+#stateOrProvinceName		= State or Province Name (full name)
+#stateOrProvinceName_default	= ZH
+
+#localityName			= Locality Name (eg, city)
+#localityName_default		= Winterthur
+
+organizationName		= Organization Name (eg, company)
+organizationName_default	= Linux strongSwan
+
+0.organizationalUnitName		= Organizational Unit Name (eg, section)
+#0.organizationalUnitName_default	= Research
+
+#1.organizationalUnitName	= Type (eg, Staff)
+#1.organizationalUnitName_default = Staff
+
+#userId				= UID 
+
+commonName			= Common Name (eg, YOUR name)
+commonName_default		= $ENV::COMMON_NAME
+commonName_max			= 64
+
+#0.emailAddress			= Email Address (eg, foo@bar.com)
+#0.emailAddress_min              = 0
+#0.emailAddress_max              = 40
+
+#1.emailAddress                  = Second Email Address (eg, foo@bar.com)
+#1.emailAddress_min              = 0
+#1.emailAddress_max              = 40
+
+####################################################################
+
+[ req_attributes ]
+
+####################################################################
+
+[ host_ext ]
+
+basicConstraints		= CA:FALSE
+keyUsage 			= digitalSignature, keyEncipherment, keyAgreement
+subjectKeyIdentifier            = hash
+authorityKeyIdentifier          = keyid, issuer:always
+subjectAltName			= DNS:$ENV::COMMON_NAME
+#extendedKeyUsage		= OCSPSigning
+crlDistributionPoints          	= URI:http://crl.strongswan.org/strongswan-monster.crl
+
+####################################################################
+
+[ user_ext ]
+
+basicConstraints		= CA:FALSE
+keyUsage                        = digitalSignature, keyEncipherment, keyAgreement
+subjectKeyIdentifier            = hash
+authorityKeyIdentifier          = keyid, issuer:always
+subjectAltName                  = email:$ENV::COMMON_NAME 
+#authorityInfoAccess		= OCSP;URI:http://ocsp.strongswan.org:8880
+crlDistributionPoints          	= URI:http://crl.strongswan.org/strongswan-monster.crl
+
+####################################################################
+
+[ ca_ext ]
+
+basicConstraints               	= critical, CA:TRUE
+keyUsage                        = cRLSign, keyCertSign
+subjectKeyIdentifier           = hash
+authorityKeyIdentifier         = keyid, issuer:always
+
+####################################################################
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+#issuerAltName			= issuer:copy
+authorityKeyIdentifier		= keyid:always, issuer:always
+
+# eof
diff --git a/testing/hosts/winnetou/etc/openssl/monster/serial b/testing/hosts/winnetou/etc/openssl/monster/serial
new file mode 100644
index 000000000..75016ea36
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/monster/serial
@@ -0,0 +1 @@
+03
diff --git a/testing/hosts/winnetou/etc/openssl/monster/serial.old b/testing/hosts/winnetou/etc/openssl/monster/serial.old
new file mode 100644
index 000000000..9e22bcb8e
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/monster/serial.old
@@ -0,0 +1 @@
+02
diff --git a/testing/hosts/winnetou/etc/openssl/monster/strongswanCert-monster.pem b/testing/hosts/winnetou/etc/openssl/monster/strongswanCert-monster.pem
new file mode 100644
index 000000000..03b57243b
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/monster/strongswanCert-monster.pem
@@ -0,0 +1,55 @@
+-----BEGIN CERTIFICATE-----
+MIIJ0DCCBbigAwIBAgIJAIORWNruS4GuMA0GCSqGSIb3DQEBDQUAMEgxCzAJBgNV
+BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJv
+bmdTd2FuIE1vbnN0ZXIgQ0EwIBcNMDkwMzI4MDgwMDUzWhgPMjA1OTAzMTYwODAw
+NTNaMEgxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4w
+HAYDVQQDExVzdHJvbmdTd2FuIE1vbnN0ZXIgQ0EwggQiMA0GCSqGSIb3DQEBAQUA
+A4IEDwAwggQKAoIEAQDL3Cy8fYlD/Lqc6vXnWakywyvB7rouV7CIdxZMGHz/6zO4
+4sZaeqWy4Fmp6zPuLI8RtxsIyrZAJzqnTDNRb6FhosdluTy/QL2N+M2U0fKeRjAd
+2IInFOabqSSheB8Np53xK28oZ3xe75vbpSRiqGItmqZHioFPpNV+gRv2NC2NSUqr
+ta9aRo35m2ZyQuav4+oOYalayApZWr44w8qQJRILvFo6jc7x5bE+LgFNRfe15/MY
+dyrabatILkOucP61VE7QqftLj465w1GG3kzyt4PsX5FKkSkhs3wMnQKLJyvxUIlk
+sC7m/NzABRAEAfLAODJJ9indUCVjcLDC81avQPoHOSD736hkYpWRnlrgvu14q+5d
+kBRvyCQu+SoBPj0oMtEEdaPk7aBGjXDvKkeJAZYEcOP8h9oKUQjwYUQhQ7Np0f33
+YBaQSCv/6kfl+260XXMWQrQd4iDY17x5H8wA6mncTQ01JHIJy5pixXt09dPmWaAh
+qZWaDbkSLslO05zai45QpTFQ2Qtw3d6w5BY3u2bREB7HnyFfZF8n43pvsInNv5pQ
+HLVHN5/TP/YVwbZj4UXXgAjkL/4t6DGELk62VkrxB1dQDopimFRmaGctAGWbo8ro
+UVpGDXnSHCn9SPmEqeetK1fJHcCeQskVFakIB3qdRJM+rsWcOFA4c40D6uKyvLHe
+xZbqaOjpL2r9vfuzMtbUMUinZNBqVf7dCkxY02gdi1HpTB5p1VBSRbXdaC1Zow4O
+Rn2Ekd6/lr5G45S8ljr7EeGnAUKFOoyU8F6dYmvgwBTgNwQsGa+MbWkuaaxuIq0f
+/e3J3PYkdQ+7tNXPsqoDXcOtc0ZPlBRwDx9Js+qh86e5HKh85DzBjjl97giv/3PC
+Ek6imgHhx0QsulWUfGzls+sd3SXf8azBFt6Jh7lUJQafNH++fLZvryGYa2gjEn4V
+Cwr8PTaWLm5TwgHlyJTH8Zkk7yEVZvzJfs6UC8tEaYitmAb8e9cYTztA0e4gPeY/
+9UTyb0XAnol368DGKi5T5L1x1NVHkPc5zVXcGUvUFpEd4q4aJWj9xUyskt13fl8V
+9BOKc1BJZUdCkxRSt1wF4tlcFs9EVbOoYOT2+KJiaWB59ke+O7HUxnjFzNfPFLO9
+ItgNHhahXrhX22e//B9QhzQ5O29UhXpX0y624DK/e/bj96c6ve5NqDIcZdOyVduT
+XiEyfUpP0ZjvwRbS42A1VYs34ELBt5ntUhRvgivXAbBnC19pv/WFurMzaxueQgjh
+e/TUX1FWXh8zq5qPvASxkupdo5GOrcjn6a8zTmRPS6V8jVLQmUHMsCsyFcVUECsL
+99wet1nlFAloL59Z6Cjj3LkyLpeIG/o4ItGEdw5bAgMBAAGjgbowgbcwDwYDVR0T
+AQH/BAUwAwEB/zALBgNVHQ8EBAMCAQYwHQYDVR0OBBYEFBlirZarxvvXjxDEVv9A
+YyJCcHYOMHgGA1UdIwRxMG+AFBlirZarxvvXjxDEVv9AYyJCcHYOoUykSjBIMQsw
+CQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMV
+c3Ryb25nU3dhbiBNb25zdGVyIENBggkAg5FY2u5Lga4wDQYJKoZIhvcNAQENBQAD
+ggQBAHcfJo343EP+u0T1DTa3oJbYtqON1F7UdkJcOUxRhp4HFlPEOFxSnHU5Qi2f
+hzxWZTQEKI2q62AXdyHDygI44dCpSFZNPcZHdwBl26maMHubv7JXFl7TWupvki57
+71ttz+0wc5iU38g3ktVkrcjzUiqKU2BXnvIuLteOHfnSMGR+JG0v94nYl60EEtZr
+/Ru0Orcq93mrQyih4MZMrcssNBI+2HSFmjITBSGAz9G81d/kojtCEsmY37dqpkqO
+lOo57HLTUzuMHW1W+c7wCLAl2rhy0xIJ/t5XpNBvPzc7xKZex01A7kKIcUV5vlvj
+8+NTuMF4NAZjgtODj0Z3kKsxaIlq0O1+SfubdnHE9pNZPXWm4SSW8w1C+n1+MAA2
+RpK7T1T7BiOQD2fSKsCPvocefiWFOUuHkyRPG5vE0Ob5XH5qT5R3xTq1ta1cpxsA
+Rq0s4QHYePZ+gU/7edI7LvZtueOGL4BeR1TSIcbij5+LfFlIjz9ETp3cWc5rxjsm
+xBGeHyCslH2EKuufzg5czqmnTdwC4zGNVUyn8c5YUVpOxEZOpnrrGpR7xCHG6n0s
+PFpXRuSp6JHSDVCFkJLLrIH0MNmXirgsNLQEOX3WBPeK2hj9X3kzV+iRd5YXqBld
+6x1Jnx66iNhJyKHDXfZ84PIZzxaKrDrR35PK3DsZUATx0l56uBWAY3n1Zl5ZrWkd
+c66yvP8/WXqO1IctddURFn1ohkkbCVd8ke45ZQoyHIb+cC2gTU53aYNNAZDHh/C/
+MrU7+d5yH29dLjtv+J3JrDwdtBLMZa4RcIOZxhk7MhheNW3K+Q5xpKrdsqourQ2T
+vBwEmrfiLHRb+Hk8UbPpDW5m3yaXYmn8bQinkD1BP2ru/f6r4Rj+aAtNvz8ofgAg
+RcUcD+jeIDAEWnFCKtHxtp+fLYm5npnwfyCyOID2Lr3K1Z7SpqzoYYq9bfc3AdtL
+uHr9RSjdfsuG0l44xESwC2+Pp6rHwvAIPfPgcZiOX1GObytxXexWYCy9g/DKmUVv
+inTJNjHpH48ffPmCBE2LoylgBv/dSmf6hQSf5lqsKQ3tKApJv8t0oO6jqyvn+aqs
+CTi4WALKhZn9YRKRzcwzYVav1g0fHkrwRQxv8TRM0tYWZ5V01qgumxD3L/37vqDR
+8bx9KvgiF3DbP2q8IbVuVMLwjU6xPH+5sWJCS0Cx2haW1oVw7ppd9sgAkj/wxzt8
+9jl/bx3rD3YwoobFvqry0Rhe4J1LidAAKX+E69c4GwoTIe3eqL/TYkis7YIFLjea
+cm2lumjrrFcnbZLvDK5S/+kfZ2Flt2QoUznNeTTNY1nAnJSgqOgOocvyYDA9vx6H
+d/Fp6btmZH31IEyJrRNVOpCwZPI=
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/monster/strongswanKey-monster.pem b/testing/hosts/winnetou/etc/openssl/monster/strongswanKey-monster.pem
new file mode 100644
index 000000000..8d24aaecc
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/monster/strongswanKey-monster.pem
@@ -0,0 +1,99 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIISKAIBAAKCBAEAy9wsvH2JQ/y6nOr151mpMsMrwe66LlewiHcWTBh8/+szuOLG
+WnqlsuBZqesz7iyPEbcbCMq2QCc6p0wzUW+hYaLHZbk8v0C9jfjNlNHynkYwHdiC
+JxTmm6kkoXgfDaed8StvKGd8Xu+b26UkYqhiLZqmR4qBT6TVfoEb9jQtjUlKq7Wv
+WkaN+ZtmckLmr+PqDmGpWsgKWVq+OMPKkCUSC7xaOo3O8eWxPi4BTUX3tefzGHcq
+2m2rSC5DrnD+tVRO0Kn7S4+OucNRht5M8reD7F+RSpEpIbN8DJ0Ciycr8VCJZLAu
+5vzcwAUQBAHywDgySfYp3VAlY3CwwvNWr0D6Bzkg+9+oZGKVkZ5a4L7teKvuXZAU
+b8gkLvkqAT49KDLRBHWj5O2gRo1w7ypHiQGWBHDj/IfaClEI8GFEIUOzadH992AW
+kEgr/+pH5ftutF1zFkK0HeIg2Ne8eR/MAOpp3E0NNSRyCcuaYsV7dPXT5lmgIamV
+mg25Ei7JTtOc2ouOUKUxUNkLcN3esOQWN7tm0RAex58hX2RfJ+N6b7CJzb+aUBy1
+Rzef0z/2FcG2Y+FF14AI5C/+LegxhC5OtlZK8QdXUA6KYphUZmhnLQBlm6PK6FFa
+Rg150hwp/Uj5hKnnrStXyR3AnkLJFRWpCAd6nUSTPq7FnDhQOHONA+risryx3sWW
+6mjo6S9q/b37szLW1DFIp2TQalX+3QpMWNNoHYtR6UweadVQUkW13WgtWaMODkZ9
+hJHev5a+RuOUvJY6+xHhpwFChTqMlPBenWJr4MAU4DcELBmvjG1pLmmsbiKtH/3t
+ydz2JHUPu7TVz7KqA13DrXNGT5QUcA8fSbPqofOnuRyofOQ8wY45fe4Ir/9zwhJO
+opoB4cdELLpVlHxs5bPrHd0l3/GswRbeiYe5VCUGnzR/vny2b68hmGtoIxJ+FQsK
+/D02li5uU8IB5ciUx/GZJO8hFWb8yX7OlAvLRGmIrZgG/HvXGE87QNHuID3mP/VE
+8m9FwJ6Jd+vAxiouU+S9cdTVR5D3Oc1V3BlL1BaRHeKuGiVo/cVMrJLdd35fFfQT
+inNQSWVHQpMUUrdcBeLZXBbPRFWzqGDk9viiYmlgefZHvjux1MZ4xczXzxSzvSLY
+DR4WoV64V9tnv/wfUIc0OTtvVIV6V9MutuAyv3v24/enOr3uTagyHGXTslXbk14h
+Mn1KT9GY78EW0uNgNVWLN+BCwbeZ7VIUb4Ir1wGwZwtfab/1hbqzM2sbnkII4Xv0
+1F9RVl4fM6uaj7wEsZLqXaORjq3I5+mvM05kT0ulfI1S0JlBzLArMhXFVBArC/fc
+HrdZ5RQJaC+fWego49y5Mi6XiBv6OCLRhHcOWwIDAQABAoIEAH/5PqgxElt4qtlY
+8neCJKI2PSDoMT5oU+zG/VtVwBqT1wtIaQZhmeVZy0/M0/O/SyzuymzRfGl3du2Q
++2Iy9pcpLY1hJI5XIOef+cZjqa/MFeaWhNXt2/p5ywIGO1BCGfdMseImXL/oIOpY
+mCfK1p8URy//9b8+lbttZ1U+Wh4olVSHoIXGZtf7wusVrmVaaRMQIdVYYI7JVUKj
+PmUQsGxnmCjL3s6hx4tmK/ELbD5oVoXUQTWPxQdx65D1ZCAGxddd7d/4Rbu9rk9A
+/AMeSxW2xKmPyMdcOhJc+jzKoV5ClY18wGTG9fkg9HXflzktzfv6KTvCVUZAduZb
+Bd7MpmikZ11WgQpLjOM2CoytrrujCub3TK0Dcht+1Oyk2pWCmQ34n6NVvNitb+jj
+nLaYJUmyaJyd17XEOx1TogZTzqwuZATH8EIw3FYyB2KLXWqig13FD/b2fnJBtBJB
+cLpebYgbYqAqueAGTWuV1zOMIrKnLswS/lQQK08LydnPI9dZ5kQf/35mUjVPQr2+
+4WepIBk7yma8MaIFi2qp9bFpnIhpsIB8FRyZAZ8Gtv/fdBTtVP+8Y1iD/EdrTLJS
+s5zpPPBkEF60UhEk2U7UWXi5mA+FWhpO/6GcUg4hGgbjqaerVUGzRM9++u0etcaj
+q1HcCA/z/Y9K/chc3ZciirKb4CYdCZ/84QjurI13yubhKmODHBS8hsn7fPLroymQ
+UkbREZwLYHii4LdesnWYuDn85WCM3uroiKtgCTTKMMTBbuZhg6Z89xy+Hr1gn/6l
+VJ4W2ZfKgzKMAlcz91bqHZ2EsdMmvl78iFye/WjQe38hj4Ccgub+wGOIsdo4tWKD
+phL5kGbUI2PNhcERva710o4K8KwMyfhZ5iRbE51TiCv1xlfaYh+kwSKHh49j14TF
+P7Xp42DRAR4RYW4vs2krXQdoTwBMzC0DyWz0tSMU13XQsuut7A/rvhF8oUswBKCt
+UfZ0LpDJd67jMKQ+8ccvax4Zcapv0Ifz7xOfQVQGEyKtpt32d3qgBbvDpq9BHGst
+ux0cHi75g3aKpxZYSPsqRea0sKNdj84e1xUPc8JQGT5i4KrGof405OqnkOi4sl5z
+WLD+9Y8hUzXE3UJ3DMMeQqddmAOS1LuSG/XOsAoM78ukBKv2yfYOcOZNCCJh24GE
+KzHwLG5/AemObThqO2ztqttmcDlrKhg0VGngAXctxluCWPRHXwKrwtaWMsqadCQJ
+Na3DigjXmuFteBX8Z5Jbw7pJtiINa9w3izoGQdM3vi99DDm22YjxpLBpB36eMoq4
+Mv0pgP0okjjZWmDZ0lTiGFHpzSTSZ5MzXKS/brUYX1WoUA83qwU9NbZ3vuniMuLZ
+ksk9lJECggIBAOdVcKtE/7DHHj43W37T6oNxLN/L4nHIR6bQL02UPWuQpe9Ch4vi
+ETDQiKGOw6fcz3+GCeCMQSPQJ9SZZOUKhpu0vkKRWSIg8JSXYu0ViaHo1SSUb5Gr
+vDVcE2nmZI0ptf7DcP0NUPAKxCTM4ForSIgjPdyTXMYCBYcDe053y5Svebx1q9Vo
+OzKtu0Bn7YALvRY82w3KKhRlR3TGOFPnLiKE7/K0EyrFV1OIRskLbtUVoeMQgaqH
+P/UhDHz84JjeoE0xtwgdDUMejYADr/h7fjtixvqnEXZALlaTg+sO/aQ/e2Jlt43a
+w+lJRBeujWQg59M9BTs7naLILB2o3gQJmmbs0uE1l7iZkEU4LsUPf727rfStZhqq
+lQr/3XX1lFnYPAuY3fgLqnV8eohJVakgMmi7mj/ZjpjoUKk2W3Us1N/ro2bgFfuI
+IntWYctiGK3XOQ8WicjDySe3lJa+vfKrCBBAugH3pcmj1p+I7fhRDtc8ogeI5GkU
+urQQ9PJS0ArRw4soYo3khnf7vB7Ioos846sfPlgy4OHbyiu81l04v7+e6svoWKPb
+TYyKW+qQpiKMb2O/5wqtvYTGlPM2MAUvYgVI7WalGjcbKtQ2q/uRjZzzFLyPo+7e
+/6fqwuPXerAAVCZYJKGt2RGnmhxVm3eRkOXF+MXPejlh2T80iKP0diqpAoICAQDh
+mM3Ppvsb61tQUE5bN3iQqr2AO3PKb3Nz8C90R243Qkz+OFwc75kziQL3IbcmOxJY
+Wq3T+KQIkX1aDNwU/ip3Qf3wpqbtxlpzJpgYQpAEzFdEKzP36rMYdxekskeesVIu
+s8v/PxYwJztfaHxeTuxsEDB7uxg6h9IkypY2w/vdpruKR6XOQSxKyxekLkRK2JTW
+lzsVUt0VQHhIt65D7I8sN6RJaOhQpSnCVblZo/HrEN4pfkSffk3AUyd+AS2xjRa8
+Yp9FB/TRabC7kgWTIrBmXSWalR8K1B4y1DGXz9x/KUT85Id2k+kDC5y00FVtqsaQ
+m6D2UkR0XLnvdCAj2Iky8HjSYuvvyoi/BaHJfLnw/S/j542yQxh55Z4bneH5wYgJ
+KBU8KGTtuxP0RC1AmalkCWViWadItTP7mPtq5YbvyCoWNJEvQx7JbLVyYkCcFOY8
++aNfkdhEMCQvLAkmwMqHwrVdSVHOic+kS/amVWtRjQwZJ7AIVlcIfLkTI/vZN+oV
+58jqBruIDjW8zN62QYa/D4os8B7vyv60p/v4LufCThgtFiB4MevlD2LNjR/0q/nF
+zsuFRKV4pfP8gtLEzkcfj827nGzOGT/1B2SoB+YJxNR3rfLloCvMNKvKtf60idRY
+jAH5ArX56HH9XOcKeKalu0fvKAE8+sbxBNTaK3B3YwKCAgBSlziAjUPUc2Kix9TM
+tRAXGYLx67LO+LhMICujQPekvaHgiBoooO+ORAVj2LqV5cnXN52zI5/mD10JFDLn
+axif4qnCzm3KN4RtKJdTGctnmN7wDma+1Vd+nX744h6oH2owqMpgLi7lZJKeqN64
+kpd0s1BUve/zaalbiKyvWSm/zd5ioIhWyr3H3CrsVa5/drFtjRCQHctkOLyIPnTB
+z9myzU91kUD+ljIVSqQrBv/s56pCjRQeM+drtv7kaMwvB9yncsZsCSNBAVl3iNl8
+l2p7/UoZFyiu1T81/bitZU69I0UD3ljoNmCXm2bKJbGpO+5IhpKlkSU4hsrpU+7f
+9iW/9XFcomumpnzRmbto852hua3jmzzG7HwFz0/b22+5m+/kHBGzi0ayZ1y/557D
+oREeP0xU23GDuf2CTDve28CsqU5PXlW61eGpsy97E2zIM/zVHDDZEr1whqRwJW1f
+hBx+4P0H0sjH8syfbJ25eAcaZTVcB021DoeR3jP1iAdqtXVg62w0SJCRqbiCLROL
+LpQB9kel6ZRMTtIhR2wpICelXDFr12o+Jf/L22Hxnu8Rip4COPNd5qWxD80CACio
+0T/nrx/C89MmNXbXCSXhzReIH2kZ4RagI9GWu8QU4EuXJqbkgbeiWZUULohg8Vdu
+GvRmdIXa6bYzYnHTlQfrsU228QKCAgBlZVibzGFw2wffwTh2pyf5XcRurkoM4qrx
+oTKzAKf5DkOsv4gnOUmScDJ1ASJgfIxySc93Rnnzn/DHWKBSjypnD7IjR8QfeteM
+ifwyazhv76gJa6Gf/E0i4eQukjK+kNRvSUCXKLPAUOHOsBe2C6MXru8bravmIsXA
+441AcDX0GcyRCkLrwT83HrExidoICfBbwv07SFM2ChQGGwioXtq69QdSN2SzWoi6
+X+0+7QD+tkYkQCx3wz0PBFDrwXvYIaHmai1LyZevx+E3bRo0V5MRbyxHnl6lb1Fj
+ZxwjL7nbLaFkSRLZqQFB7SYx3rGG6Qr2U/y0uaUq58JqbbdEZT7FNnAXn36L+Gwd
+71oYRYcNWb78oEZ/qMiHgTzfDMdUijeqZemlcEJs13jQgRQVxPrti4uV+NXHSCpl
+Gw1lrmRHwZ+o+1eF9pUP01x6XM7NWFdjcJCNk++wNjMNQK2cTWq6OjlqBFpQioBZ
+SAtEF4B01wBpDf2Awc28ctJ8V+AKcac00UjsZrpDHJ/qi+pN4IW/uixQplxBSuvQ
+JvCJTAu+uXsESL2vSEDOY2v1F0kVn3ZUAe5Xp9L3tx9Cj0pMSqqM9QVzHYuJ1q94
+YipLm8E5As68O+LAco086y+LnOEuJATdB5Cbayx/dopFZkwx2KiONO7P/xsPXWet
+TI6ewId8IQKCAgEA1tzZKsVfohvP9CYa67EdkJ24HWEzmiv+8Y1/UZZXi4PTpBNt
+EdgE3cc5K67aSzTV3yuLFCQ4xCrnMYo5ZdOEQAqkApW23M/fOkPQA1oPcmNVLSVb
+DrXtjTk30ILr3jWG7ekLiQ2RrtGVzHTZd9mQL8uOL2+cDbkwR+gG38GR0V9TKXOP
+HtnuSezc0B72SMs+TaTwZXmt8d603ImLAwCUj06PZlknySP+SFUn/P20cDyZCeHu
+lKqONhsR5zJSXg8twJvEHuBK7ZtgoGmuQYIGSREiXZPl000+DQ4Tu6OF2CiUYl0C
+2zCyuoBFJbEcTdvoQMcf1TZZ7uazCy9HkvK+KL/y+VVkHmYrrNvWZ2e7/dsca/Sp
+ma1+ABfb2GaIWp97SNVNhmSAeEHkJVfKY7Aqlh5blGorXQSd4pxkjBWo+gY9ZNgJ
+S3weoP2GSGTY+gUf1wCOhUS/738ee+af+4iGonIsdKV8IFOlnLH5rC+MFF0eBNBb
+SuzYn8rl8eoZFIay/kivyx5IBU3d02If4a7vs4rMnPVX3Y0TFSa33Q8T9ykew8vQ
+UJH9ZJs7lRPNB+x7GimfvLajR8jZB/ezYVpJ+gT5fkEgggBtJKpuDtPYUxFb6fld
+T+9VoObYb60kv3hAomX9DmPAAHdJL0cPI+A97k4LLwj2gk3hMivjXWexJmw=
+-----END RSA PRIVATE KEY-----
diff --git a/testing/hosts/winnetou/etc/openssl/research/index.txt b/testing/hosts/winnetou/etc/openssl/research/index.txt
index 05e38f050..26e68d4f3 100644
--- a/testing/hosts/winnetou/etc/openssl/research/index.txt
+++ b/testing/hosts/winnetou/etc/openssl/research/index.txt
@@ -1,4 +1,4 @@
 V	100322070423Z		01	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org
 V	100615195710Z		02	unknown	/C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA
 V	120323210330Z		03	unknown	/C=CH/O=Linux strongSwan/OU=Research OCSP Signing Authority/CN=ocsp.research.strongswan.org
-V	120418092554Z		04	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org
+V	140323203747Z		04	unknown	/C=CH/O=Linux strongSwan/OU=Research no CDP/CN=carol@strongswan.org
diff --git a/testing/hosts/winnetou/etc/openssl/research/newcerts/04.pem b/testing/hosts/winnetou/etc/openssl/research/newcerts/04.pem
index 894bf7dbd..f586a9414 100644
--- a/testing/hosts/winnetou/etc/openssl/research/newcerts/04.pem
+++ b/testing/hosts/winnetou/etc/openssl/research/newcerts/04.pem
@@ -1,24 +1,24 @@
 -----BEGIN CERTIFICATE-----
-MIID8TCCAtmgAwIBAgIBBDANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJDSDEZ
+MIID+DCCAuCgAwIBAgIBBDANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS
-BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTA3MDQyMDA5MjU1NFoXDTEyMDQxODA5MjU1
-NFowWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP
-BgNVBAsTCFJlc2VhcmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCC
-ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM+oTiV7lCh1ID41edDUgUjR
-dZwEMPBAM1xDqoxJxIJpug8UIuuUL0TvQnZ4Z5fa/9QNNCkQ7FDh8ZcR+TT8x0mO
-dYYA73mMQic0n4O57F+s/lESKvIoN+vIDR3rGJBv9rYztS4ODE+DJl9XK9TtId5u
-57jfXu/k3IYl5GeQ3f+ic2l2Ola70t70Op6cFDZIhOCjs2xWw2yqGdPWODaN/Enw
-5fOLv/om+7HHB4KgPGv4p4ohWIUCo2XK597Ii+jB2MdOUlG83/1aX7+M+IeYVwjI
-hzWjwRQfMz0AQha0HYN4cvrZ7stUluMxewsCROCBzcGQYTZxYU4FjR8nhH4ApYMC
-AwEAAaOByjCBxzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQUi6jZ
-/eq7FoNJDiWP3Mlw9iaZzyIwbQYDVR0jBGYwZIAU53XwoPKtIM3NYCPMx8gPKfPd
-VCChSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2Fu
-MRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3QgQ0GCAQ8wHwYDVR0RBBgwFoEUY2Fy
-b2xAc3Ryb25nc3dhbi5vcmcwDQYJKoZIhvcNAQEFBQADggEBADHYFhLgIo3jrKcw
-bmfkqHLrwI0sHgyJJrEf1hl3cdc16VdKVW+V3qMwumdlMobK20yTRtW90x1ErULS
-RClHlQ5UtDubtQTwjcc6Uc8tOcBdAAH1SQk2xLikxQq19UGFpRRA0VxDXzF5yXnJ
-oM9mJZvgscQZeZPqMEXd3yQclK3Ouap70zE1J8kcyT/yrdkTM3nMbiq8aPytr3Al
-njoW+ToTsDqcTZYWeF3A3tfSZ5+AhlValx1btbcNPZVjjhBx46knOrOFeQLE5f5C
-3XYxVaWPX7hcjfQz/e3T4Rnb8nVQqoCnycUPfYxG/4z7pp/GplS/MEuMNNGDhSsI
-nTjnJgY=
+BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTA5MDMyNDIwMzc0N1oXDTE0MDMyMzIwMzc0
+N1owYTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGDAW
+BgNVBAsTD1Jlc2VhcmNoIG5vIENEUDEdMBsGA1UEAxQUY2Fyb2xAc3Ryb25nc3dh
+bi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDPqE4le5QodSA+
+NXnQ1IFI0XWcBDDwQDNcQ6qMScSCaboPFCLrlC9E70J2eGeX2v/UDTQpEOxQ4fGX
+Efk0/MdJjnWGAO95jEInNJ+DuexfrP5REiryKDfryA0d6xiQb/a2M7UuDgxPgyZf
+VyvU7SHebue4317v5NyGJeRnkN3/onNpdjpWu9Le9DqenBQ2SITgo7NsVsNsqhnT
+1jg2jfxJ8OXzi7/6JvuxxweCoDxr+KeKIViFAqNlyufeyIvowdjHTlJRvN/9Wl+/
+jPiHmFcIyIc1o8EUHzM9AEIWtB2DeHL62e7LVJbjMXsLAkTggc3BkGE2cWFOBY0f
+J4R+AKWDAgMBAAGjgcowgccwCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0O
+BBYEFIuo2f3quxaDSQ4lj9zJcPYmmc8iMG0GA1UdIwRmMGSAFOd18KDyrSDNzWAj
+zMfIDynz3VQgoUmkRzBFMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ry
+b25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBSb290IENBggEPMB8GA1UdEQQY
+MBaBFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMA0GCSqGSIb3DQEBBQUAA4IBAQBiOKAx
+ePEwlga++nOpkfBg6ESag5/VWfnAp1zRpXHXnRak10OTtCPDjmJiDUzlKBwolwJN
+I6T3S7eg+M04E3r5IHn3i+HtQcENkq02YUPiUXS5cvLtzKMPIm8pYCj7/5pXxAek
+nHGRdBZkQiGDz49H9rPKxLdJDTLCXpj4l9uOFgsbiQ3k5SyWq5oMhtZsf4VKqAd+
+77Mbn9pnjjy53wLuzjaMVX+K5KKotPNeSHH/pWh9RqNROmf6F2B0nZhW5Aryxa9/
+24GRkZEPZ+cqhtwgVjq5aImzdSrARJQ1tu6lZqNB5b9klYSAi+al0FrvUFoG58Qt
+eWeiFXLvAtXTGoax
 -----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/sales/index.txt b/testing/hosts/winnetou/etc/openssl/sales/index.txt
index 87af9dd15..3e39e973b 100644
--- a/testing/hosts/winnetou/etc/openssl/sales/index.txt
+++ b/testing/hosts/winnetou/etc/openssl/sales/index.txt
@@ -1,4 +1,4 @@
 V	100322071017Z		01	unknown	/C=CH/O=Linux strongSwan/OU=Sales/CN=dave@strongswan.org
 V	100615195536Z		02	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=Research CA
 V	120323211811Z		03	unknown	/C=CH/O=Linux strongSwan/OU=Sales OCSP Signing Authority/CN=ocsp.sales.strongswan.org
-V	120418093600Z		04	unknown	/C=CH/O=Linux strongSwan/OU=Sales/CN=dave@strongswan.org
+V	140323211053Z		04	unknown	/C=CH/O=Linux strongSwan/OU=Sales no CDP/CN=dave@strongswan.org
diff --git a/testing/hosts/winnetou/etc/openssl/sales/newcerts/04.pem b/testing/hosts/winnetou/etc/openssl/sales/newcerts/04.pem
index c19c7333a..cae8184f6 100644
--- a/testing/hosts/winnetou/etc/openssl/sales/newcerts/04.pem
+++ b/testing/hosts/winnetou/etc/openssl/sales/newcerts/04.pem
@@ -1,25 +1,25 @@
 -----BEGIN CERTIFICATE-----
-MIIEJjCCAw6gAwIBAgIBBDANBgkqhkiG9w0BAQUFADBLMQswCQYDVQQGEwJDSDEZ
+MIIELTCCAxWgAwIBAgIBBDANBgkqhkiG9w0BAQUFADBLMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEOMAwGA1UECxMFU2FsZXMxETAPBgNV
-BAMTCFNhbGVzIENBMB4XDTA3MDQyMDA5MzYwMFoXDTEyMDQxODA5MzYwMFowVjEL
-MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsT
-BVNhbGVzMRwwGgYDVQQDFBNkYXZlQHN0cm9uZ3N3YW4ub3JnMIIBIjANBgkqhkiG
-9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyqAR0itGIuSt/RR8IHjFTLH/lywprmHUw0GS
-zZwo/q4AE4v6OeWRG3JUUg44K40yBwr7zvcsLztRTfbNqlt7o+Hjpo3kz0AMwDo+
-1V42Qkh61VJW1P0NQvkgjiQn+ElSMg1u3uiYCIMAhYMYo2ZMKxHXxRqjU79AVuJN
-P3p8wUpfwReImAy3/n685YbSzWcbPqCfjRH/YrnYS8Ga7m/QzdNfrtxhAWAGow1+
-+eTSMvLXSkQeujU6OCJNOPUNB3nnJ1IoZrQm8wNP8Y5B5HzvOSyFEvNuHFc63gSP
-aSRhuz0gubuMpr1d9Rgjny8JgsfCEbOktlKwnbFeSB8AAgVMjwIDAQABo4IBCDCC
-AQQwCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFILLnutR01FvK1SR
-EZgaOaO9d8izMG0GA1UdIwRmMGSAFF+bE0b5IHLIANWItadMLpfqC5MooUmkRzBF
-MQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UE
-AxMSc3Ryb25nU3dhbiBSb290IENBggENMB4GA1UdEQQXMBWBE2RhdmVAc3Ryb25n
-c3dhbi5vcmcwPAYIKwYBBQUHAQEEMDAuMCwGCCsGAQUFBzABhiBodHRwOi8vb2Nz
-cDIuc3Ryb25nc3dhbi5vcmc6ODg4MjANBgkqhkiG9w0BAQUFAAOCAQEAhhebUzkR
-5bllLrfSb0H+Uns0Fw/hfyrvJPjKOcb/otwPZOeGftGYQgihGu3X0Wi6IPX3/I6v
-tAnjYTyMXO68Cm2Zw3ZjjjSupQ3LOtyUhKPehk1EXNI5S1WnpYvEjocaBeT5DBaH
-fjMHL4L32dUcyzU49zbrkFEY7ffka44s3SUf4tEaw5QlBfAnwoij2A/rucokWNeQ
-6KVE9wfYJri6P7ztVTWFsAD6MXRCjzYrS6lOo02w32k2Rpp5SdAWuiwnXLY1BPi9
-U031sS6eh2aRM+u1UKuCGQtUDCMOI6yDv5U2aWQuxYS2uTW05PlWwKAg2atFt7uZ
-P35gzzpJWopPqw==
+BAMTCFNhbGVzIENBMB4XDTA5MDMyNDIxMTA1M1oXDTE0MDMyMzIxMTA1M1owXTEL
+MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFTATBgNVBAsT
+DFNhbGVzIG5vIENEUDEcMBoGA1UEAxQTZGF2ZUBzdHJvbmdzd2FuLm9yZzCCASIw
+DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMqgEdIrRiLkrf0UfCB4xUyx/5cs
+Ka5h1MNBks2cKP6uABOL+jnlkRtyVFIOOCuNMgcK+873LC87UU32zapbe6Ph46aN
+5M9ADMA6PtVeNkJIetVSVtT9DUL5II4kJ/hJUjINbt7omAiDAIWDGKNmTCsR18Ua
+o1O/QFbiTT96fMFKX8EXiJgMt/5+vOWG0s1nGz6gn40R/2K52EvBmu5v0M3TX67c
+YQFgBqMNfvnk0jLy10pEHro1OjgiTTj1DQd55ydSKGa0JvMDT/GOQeR87zkshRLz
+bhxXOt4Ej2kkYbs9ILm7jKa9XfUYI58vCYLHwhGzpLZSsJ2xXkgfAAIFTI8CAwEA
+AaOCAQgwggEEMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSCy57r
+UdNRbytUkRGYGjmjvXfIszBtBgNVHSMEZjBkgBRfmxNG+SByyADViLWnTC6X6guT
+KKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4x
+GzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBDTAeBgNVHREEFzAVgRNkYXZl
+QHN0cm9uZ3N3YW4ub3JnMDwGCCsGAQUFBwEBBDAwLjAsBggrBgEFBQcwAYYgaHR0
+cDovL29jc3AyLnN0cm9uZ3N3YW4ub3JnOjg4ODIwDQYJKoZIhvcNAQEFBQADggEB
+ADn1ow4aGxckB4HsJQf1Z6LFpiCOExqhqcK/+fsFcl/WM3F0F+1TbEWzwFzDj3Yu
+5gH6DQ/c0Fp+WYCKAbZXdYoKHJDSZY0BsoD7Nglc1r+l1wFRv1UGF5DoYZPryHGA
+FkusMTUQMvWRRmN9PsURQ77DsmAtryKi5aDQ/rAiPIJK67bQ0HmvPAynO8IF2Fd9
+GpqFSc0gZni9NQszVUH33nuLlZP1hFC5MDeqhcqgmUL/GZbs7DZYThF4INBryfOg
+xFE73CpyNQHHmfT23TLsrFD5IXCp3z3oMtCtTphwUnCJrEzZ1H7mJ+xSJoJ3MOqd
+mNs1ygehz0a99cPoX1j/iwo=
 -----END CERTIFICATE-----
diff --git a/testing/scripts/build-umlrootfs b/testing/scripts/build-umlrootfs
index fad5b23d8..4eeebe54f 100755
--- a/testing/scripts/build-umlrootfs
+++ b/testing/scripts/build-umlrootfs
@@ -14,7 +14,7 @@
 # or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 # for more details.
 #
-# RCSID $Id: build-umlrootfs 4889 2009-02-19 22:02:28Z andreas $
+# RCSID $Id: build-umlrootfs 5006 2009-03-25 07:26:53Z andreas $
 
 DIR=`dirname $0`
 
@@ -167,6 +167,11 @@ then
     echo -n " --enable-eap-identity" >> $INSTALLSHELL
 fi
 
+if [ "$USE_EAP_RADIUS" = "yes" ]
+then
+    echo -n " --enable-eap-radius" >> $INSTALLSHELL
+fi
+
 if [ "$USE_SQL" = "yes" ]
 then
     echo -n " --enable-sql --enable-sqlite" >> $INSTALLSHELL
diff --git a/testing/testing.conf b/testing/testing.conf
index 28b043905..548f5b530 100755
--- a/testing/testing.conf
+++ b/testing/testing.conf
@@ -14,26 +14,26 @@
 # or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 # for more details.
 #
-# RCSID $Id: testing.conf 4893 2009-02-21 17:53:10Z andreas $
+# RCSID $Id: testing.conf 5051 2009-03-28 15:08:47Z andreas $
 
 # Root directory of testing
 UMLTESTDIR=~/strongswan-testing
 
 # Bzipped kernel sources
 # (file extension .tar.bz2 required)
-KERNEL=$UMLTESTDIR/linux-2.6.28.6.tar.bz2
+KERNEL=$UMLTESTDIR/linux-2.6.29.tar.bz2
 
 # Extract kernel version
 KERNELVERSION=`basename $KERNEL .tar.bz2 | sed -e 's/linux-//'`
 
 # Kernel configuration file
-KERNELCONFIG=$UMLTESTDIR/.config-2.6.28
+KERNELCONFIG=$UMLTESTDIR/.config-2.6.29
 
 # Bzipped uml patch for kernel
 #UMLPATCH=$UMLTESTDIR/uml-2.6.26.patch.bz2
 
 # Bzipped source of strongSwan
-STRONGSWAN=$UMLTESTDIR/strongswan-4.2.13.tar.bz2
+STRONGSWAN=$UMLTESTDIR/strongswan-4.2.14.tar.bz2
 
 # strongSwan compile options (use "yes" or "no")
 USE_LIBCURL="yes"
@@ -43,6 +43,7 @@ USE_EAP_SIM="yes"
 USE_EAP_MD5="yes"
 USE_EAP_MSCHAPV2="yes"
 USE_EAP_IDENTITY="yes"
+USE_EAP_RADIUS="yes"
 USE_SQL="yes"
 USE_MEDIATION="yes"
 USE_OPENSSL="yes"
@@ -51,7 +52,7 @@ USE_INTEGRITY_TEST="yes"
 USE_LEAK_DETECTIVE="yes"
 
 # Gentoo linux root filesystem
-ROOTFS=$UMLTESTDIR/gentoo-fs-20080407.tar.bz2
+ROOTFS=$UMLTESTDIR/gentoo-fs-20090325.tar.bz2
 
 # Size of the finished root filesystem in MB
 ROOTFSSIZE=600
diff --git a/testing/tests/ikev1/after-2038-certs/description.txt b/testing/tests/ikev1/after-2038-certs/description.txt
new file mode 100644
index 000000000..fb622dc15
--- /dev/null
+++ b/testing/tests/ikev1/after-2038-certs/description.txt
@@ -0,0 +1,13 @@
+The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
+The authentication is based on <b>X.509 certificates</b> that are valid until
+the year 2039 and are issued by a certification authority with a root ca 
+certificate valid until the year 2059. On 32-bit platforms, dates after
+Jan 19 03:14:07 UTC 2038 cannot by represented by the time_t data type.
+Thus if a time wrap-around occurs during ASN.1 to time_t conversions,
+dates contained in the certificates are set to the maximum value,
+i.e. to Jan 19 03:14:07 UTC 2038.
+
+Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, <b>carol</b> ping the client <b>alice</b>
+behind the gateway <b>moon</b>.
diff --git a/testing/tests/ikev1/after-2038-certs/evaltest.dat b/testing/tests/ikev1/after-2038-certs/evaltest.dat
new file mode 100644
index 000000000..790811a61
--- /dev/null
+++ b/testing/tests/ikev1/after-2038-certs/evaltest.dat
@@ -0,0 +1,6 @@
+moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
+carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+
diff --git a/testing/tests/ikev1/after-2038-certs/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/after-2038-certs/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..392a4b51e
--- /dev/null
+++ b/testing/tests/ikev1/after-2038-certs/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	charonstart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+
+conn home
+	left=PH_IP_CAROL
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/ikev1/after-2038-certs/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/ikev1/after-2038-certs/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
new file mode 100644
index 000000000..03b57243b
--- /dev/null
+++ b/testing/tests/ikev1/after-2038-certs/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
@@ -0,0 +1,55 @@
+-----BEGIN CERTIFICATE-----
+MIIJ0DCCBbigAwIBAgIJAIORWNruS4GuMA0GCSqGSIb3DQEBDQUAMEgxCzAJBgNV
+BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJv
+bmdTd2FuIE1vbnN0ZXIgQ0EwIBcNMDkwMzI4MDgwMDUzWhgPMjA1OTAzMTYwODAw
+NTNaMEgxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4w
+HAYDVQQDExVzdHJvbmdTd2FuIE1vbnN0ZXIgQ0EwggQiMA0GCSqGSIb3DQEBAQUA
+A4IEDwAwggQKAoIEAQDL3Cy8fYlD/Lqc6vXnWakywyvB7rouV7CIdxZMGHz/6zO4
+4sZaeqWy4Fmp6zPuLI8RtxsIyrZAJzqnTDNRb6FhosdluTy/QL2N+M2U0fKeRjAd
+2IInFOabqSSheB8Np53xK28oZ3xe75vbpSRiqGItmqZHioFPpNV+gRv2NC2NSUqr
+ta9aRo35m2ZyQuav4+oOYalayApZWr44w8qQJRILvFo6jc7x5bE+LgFNRfe15/MY
+dyrabatILkOucP61VE7QqftLj465w1GG3kzyt4PsX5FKkSkhs3wMnQKLJyvxUIlk
+sC7m/NzABRAEAfLAODJJ9indUCVjcLDC81avQPoHOSD736hkYpWRnlrgvu14q+5d
+kBRvyCQu+SoBPj0oMtEEdaPk7aBGjXDvKkeJAZYEcOP8h9oKUQjwYUQhQ7Np0f33
+YBaQSCv/6kfl+260XXMWQrQd4iDY17x5H8wA6mncTQ01JHIJy5pixXt09dPmWaAh
+qZWaDbkSLslO05zai45QpTFQ2Qtw3d6w5BY3u2bREB7HnyFfZF8n43pvsInNv5pQ
+HLVHN5/TP/YVwbZj4UXXgAjkL/4t6DGELk62VkrxB1dQDopimFRmaGctAGWbo8ro
+UVpGDXnSHCn9SPmEqeetK1fJHcCeQskVFakIB3qdRJM+rsWcOFA4c40D6uKyvLHe
+xZbqaOjpL2r9vfuzMtbUMUinZNBqVf7dCkxY02gdi1HpTB5p1VBSRbXdaC1Zow4O
+Rn2Ekd6/lr5G45S8ljr7EeGnAUKFOoyU8F6dYmvgwBTgNwQsGa+MbWkuaaxuIq0f
+/e3J3PYkdQ+7tNXPsqoDXcOtc0ZPlBRwDx9Js+qh86e5HKh85DzBjjl97giv/3PC
+Ek6imgHhx0QsulWUfGzls+sd3SXf8azBFt6Jh7lUJQafNH++fLZvryGYa2gjEn4V
+Cwr8PTaWLm5TwgHlyJTH8Zkk7yEVZvzJfs6UC8tEaYitmAb8e9cYTztA0e4gPeY/
+9UTyb0XAnol368DGKi5T5L1x1NVHkPc5zVXcGUvUFpEd4q4aJWj9xUyskt13fl8V
+9BOKc1BJZUdCkxRSt1wF4tlcFs9EVbOoYOT2+KJiaWB59ke+O7HUxnjFzNfPFLO9
+ItgNHhahXrhX22e//B9QhzQ5O29UhXpX0y624DK/e/bj96c6ve5NqDIcZdOyVduT
+XiEyfUpP0ZjvwRbS42A1VYs34ELBt5ntUhRvgivXAbBnC19pv/WFurMzaxueQgjh
+e/TUX1FWXh8zq5qPvASxkupdo5GOrcjn6a8zTmRPS6V8jVLQmUHMsCsyFcVUECsL
+99wet1nlFAloL59Z6Cjj3LkyLpeIG/o4ItGEdw5bAgMBAAGjgbowgbcwDwYDVR0T
+AQH/BAUwAwEB/zALBgNVHQ8EBAMCAQYwHQYDVR0OBBYEFBlirZarxvvXjxDEVv9A
+YyJCcHYOMHgGA1UdIwRxMG+AFBlirZarxvvXjxDEVv9AYyJCcHYOoUykSjBIMQsw
+CQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMV
+c3Ryb25nU3dhbiBNb25zdGVyIENBggkAg5FY2u5Lga4wDQYJKoZIhvcNAQENBQAD
+ggQBAHcfJo343EP+u0T1DTa3oJbYtqON1F7UdkJcOUxRhp4HFlPEOFxSnHU5Qi2f
+hzxWZTQEKI2q62AXdyHDygI44dCpSFZNPcZHdwBl26maMHubv7JXFl7TWupvki57
+71ttz+0wc5iU38g3ktVkrcjzUiqKU2BXnvIuLteOHfnSMGR+JG0v94nYl60EEtZr
+/Ru0Orcq93mrQyih4MZMrcssNBI+2HSFmjITBSGAz9G81d/kojtCEsmY37dqpkqO
+lOo57HLTUzuMHW1W+c7wCLAl2rhy0xIJ/t5XpNBvPzc7xKZex01A7kKIcUV5vlvj
+8+NTuMF4NAZjgtODj0Z3kKsxaIlq0O1+SfubdnHE9pNZPXWm4SSW8w1C+n1+MAA2
+RpK7T1T7BiOQD2fSKsCPvocefiWFOUuHkyRPG5vE0Ob5XH5qT5R3xTq1ta1cpxsA
+Rq0s4QHYePZ+gU/7edI7LvZtueOGL4BeR1TSIcbij5+LfFlIjz9ETp3cWc5rxjsm
+xBGeHyCslH2EKuufzg5czqmnTdwC4zGNVUyn8c5YUVpOxEZOpnrrGpR7xCHG6n0s
+PFpXRuSp6JHSDVCFkJLLrIH0MNmXirgsNLQEOX3WBPeK2hj9X3kzV+iRd5YXqBld
+6x1Jnx66iNhJyKHDXfZ84PIZzxaKrDrR35PK3DsZUATx0l56uBWAY3n1Zl5ZrWkd
+c66yvP8/WXqO1IctddURFn1ohkkbCVd8ke45ZQoyHIb+cC2gTU53aYNNAZDHh/C/
+MrU7+d5yH29dLjtv+J3JrDwdtBLMZa4RcIOZxhk7MhheNW3K+Q5xpKrdsqourQ2T
+vBwEmrfiLHRb+Hk8UbPpDW5m3yaXYmn8bQinkD1BP2ru/f6r4Rj+aAtNvz8ofgAg
+RcUcD+jeIDAEWnFCKtHxtp+fLYm5npnwfyCyOID2Lr3K1Z7SpqzoYYq9bfc3AdtL
+uHr9RSjdfsuG0l44xESwC2+Pp6rHwvAIPfPgcZiOX1GObytxXexWYCy9g/DKmUVv
+inTJNjHpH48ffPmCBE2LoylgBv/dSmf6hQSf5lqsKQ3tKApJv8t0oO6jqyvn+aqs
+CTi4WALKhZn9YRKRzcwzYVav1g0fHkrwRQxv8TRM0tYWZ5V01qgumxD3L/37vqDR
+8bx9KvgiF3DbP2q8IbVuVMLwjU6xPH+5sWJCS0Cx2haW1oVw7ppd9sgAkj/wxzt8
+9jl/bx3rD3YwoobFvqry0Rhe4J1LidAAKX+E69c4GwoTIe3eqL/TYkis7YIFLjea
+cm2lumjrrFcnbZLvDK5S/+kfZ2Flt2QoUznNeTTNY1nAnJSgqOgOocvyYDA9vx6H
+d/Fp6btmZH31IEyJrRNVOpCwZPI=
+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev1/after-2038-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/ikev1/after-2038-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem
new file mode 100644
index 000000000..2ce2ce3c9
--- /dev/null
+++ b/testing/tests/ikev1/after-2038-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem
@@ -0,0 +1,46 @@
+-----BEGIN CERTIFICATE-----
+MIIINzCCBB+gAwIBAgIBATANBgkqhkiG9w0BAQ0FADBIMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBN
+b25zdGVyIENBMB4XDTA5MDMyODE0MDYwOFoXDTM5MDMyMTE0MDYwOFowWTELMAkG
+A1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xEDAOBgNVBAsTB01v
+bnN0ZXIxHTAbBgNVBAMUFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMIICIjANBgkqhkiG
+9w0BAQEFAAOCAg8AMIICCgKCAgEAqYq89COSvnLQplrjtSrDyvqvJqXN7mfmgfgR
+yGVG6HVoA3DU/vJPo8xHT43eTIBkT9wxernYxGw7UZwG6iiY3Me7Q82f+2TmX8mp
+dYtP53SWASOHBiLk7d3yJJjCY2GGP8Vb0avJa8GEOy9ZHTOf5HWwMDt9EQKxOzkw
+BebpMLCf2Mi1robNUj/lEgE+3AGfikF39E3JaXhna3mm+7PwO5J5udpxC/rVa+bO
+FPoBoBOY7v4fuq0CV5x5q/bXn9oVWteF/U1fnnOf5Dhe3P057oj7kARsmGk8e0DW
+kk1vTt4jplSg6jhH7izy4OhiqWkR7QV/BMOQBqBd6bw9Ojk12LFZBQulM0Lmtou5
+mGabckTMvtI591UCGNqGMcVDsxFIX2ZMvfScMahS6pUq+hjiR95mwez2Z1Sg014l
+cFg11mzjXGGBFuTCl3smJqRT7UaI6JfjNz1f6p/7z8QhjKChVA/xnJ5yoJWNPest
+2X0psHe3AlocUFRxqnD2ZmNO6IuKN5bmN0O4Lfc50rl2hPATXdh0HC8HvcYbRK9C
+uezkuM1QEvkev5SFbzgivXb1A2hdRCc1/XRND7Pm9sCjjh3tn5otCMnalc1mk5v+
+t8GhCKV6B7RTzFqu+ry0pe6OlqqzU0yNdqYFK1hoCDXUQzEMJzmI9mIw+n6EE3Hh
+fTZstGECAwEAAaOCARkwggEVMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1Ud
+DgQWBBTy8LU5yQdnV8pfwhCPY7q/CiNyzjB4BgNVHSMEcTBvgBQZYq2Wq8b7148Q
+xFb/QGMiQnB2DqFMpEowSDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0
+cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3YW4gTW9uc3RlciBDQYIJAIORWNru
+S4GuMB8GA1UdEQQYMBaBFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMEEGA1UdHwQ6MDgw
+NqA0oDKGMGh0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbi1tb25z
+dGVyLmNybDANBgkqhkiG9w0BAQ0FAAOCBAEAi39l78OCI9S0I3X62HbkxiLguvnc
+CbXY6Tqmz0Ms8xqZgYzJOk7FLB/4v/zJohOH5nd7KxJ81KbcERyASpybaLM0/V+V
+oGT0rDGGH5cS4H2uYfs9HsKFKKPbZeCnExFyCamXjBZkl5IZNjdpS9TLyXRJSyFN
+OIRNhILPSriqdtzgRuGOeX798U8o0ObizGQRVlT0p0lI4t64dzZbIh3jSXjCf1Tz
+cmVOC8qhhGvxLlorSy5K98t2zNY7DvzwtvoQrNFGtso1kvfmaO4XRCvSZsmqPpC5
+mmWJjNEG2qcbmfpt8TotyUHgEJTZXwXlPVVb5OXHTW6jXk/MN0UiMTLJYcvJ1gji
+kSnGNHzRH2rKlYRED+jlzzHAWSv0mBGcOTdmfBV6+TJ7QhWhLZBzAUfwqXpAy9Vk
+idtyB0eSWBTIvhZY6SzB0Rvkdj0FtZ+tNURT4dPtiO0D+LXm/ojpdKKI2tFNOgwY
+n8df2u3xnCRvHqcF6lvu+ptnwUkUDDGDuiM20+sm0HHhLIj51v8tTm3Q/MzI0BAb
+G4HOSQNDzymWDgzIE67UTxBwXVDbSLkzH1vhFXtZQlD1UHqOUT/4FQm5ZlVMF8na
+FKxHakqoh1CdI8TAmM64h3hp1zp+G9Zn0lfcHRhvWBvpU8mgF1cbEvgbzjd9+xLe
+q45/8xuZPnU7XIBvDcZTUk8LRIThcTxQRlQdI1UJnvPOBYG3mUrLs2UdEZGwsooG
+zMOj3EQwqrR67rQiuGo65IMPDix4mwHjcZ8Gr4eqLDwSUS5yoPX1qI2qNLQbI1Ni
+8PEYMXQ0Xm+9Z86ZkI0dAIBWLkEGkz5Ngqk4O3JLzF1O/XPG4E9hGJ8WsHQW6pk9
++quv5nVNCAO0z6FYfQoYprdbDBur+N/no+BYIcSFSpLcNgafLXgj3I65iJ2VmRi0
+V0xAfxcRiQN2+/7aao2zLrrSPHU8YsW48ISw9ibQ9EckZMVtnhuYpBJuX8+auZ8f
+OgBmgRi7fCtEcMlXsiisQehymMs470eDRfWFUMzgJC8tMOQIWNdYM0Bo29wYUJPN
+jD+NO0n+PisFMilBEyoT2pD1i94+5DWQau/7STb3GbpBsLb7JbIrQEp0oSdsvsNR
+SaJQEqMxepJM0OGp3FMr79s+/a13+TMm+jl65M6sV/YTDdYFlplkWyHDjbL+WjUu
+lvDEURfBJrtT7u673RakCEzl5e53fP01HXFhqgMSloR7j2XNiyCeEUBp+zetXxwb
+8e6IKtbXWU+WcXIdNOHAL+OtD1vUK3gxupJPrRNW6daZKWUDbjRixzXnjeyIw8It
+bRldc5VjyM0G4FMbmIROgRcvjJ74MUwnHpgPl9zQ28HmbxKbANiJJZHIDw==
+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev1/after-2038-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/ikev1/after-2038-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem
new file mode 100644
index 000000000..f0836ec33
--- /dev/null
+++ b/testing/tests/ikev1/after-2038-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem
@@ -0,0 +1,51 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIJKQIBAAKCAgEAqYq89COSvnLQplrjtSrDyvqvJqXN7mfmgfgRyGVG6HVoA3DU
+/vJPo8xHT43eTIBkT9wxernYxGw7UZwG6iiY3Me7Q82f+2TmX8mpdYtP53SWASOH
+BiLk7d3yJJjCY2GGP8Vb0avJa8GEOy9ZHTOf5HWwMDt9EQKxOzkwBebpMLCf2Mi1
+robNUj/lEgE+3AGfikF39E3JaXhna3mm+7PwO5J5udpxC/rVa+bOFPoBoBOY7v4f
+uq0CV5x5q/bXn9oVWteF/U1fnnOf5Dhe3P057oj7kARsmGk8e0DWkk1vTt4jplSg
+6jhH7izy4OhiqWkR7QV/BMOQBqBd6bw9Ojk12LFZBQulM0Lmtou5mGabckTMvtI5
+91UCGNqGMcVDsxFIX2ZMvfScMahS6pUq+hjiR95mwez2Z1Sg014lcFg11mzjXGGB
+FuTCl3smJqRT7UaI6JfjNz1f6p/7z8QhjKChVA/xnJ5yoJWNPest2X0psHe3Aloc
+UFRxqnD2ZmNO6IuKN5bmN0O4Lfc50rl2hPATXdh0HC8HvcYbRK9CuezkuM1QEvke
+v5SFbzgivXb1A2hdRCc1/XRND7Pm9sCjjh3tn5otCMnalc1mk5v+t8GhCKV6B7RT
+zFqu+ry0pe6OlqqzU0yNdqYFK1hoCDXUQzEMJzmI9mIw+n6EE3HhfTZstGECAwEA
+AQKCAgAmHcjpYm4FXy7Fl72F531pTv69w50OslFCexEUaqCMdojR7TYVs0hwXObT
+XePSczMaOTjujIXNcz/K0zdCwanMSSMy1THYhRC+DEqK4K0wLifjTad3m7S4PaPI
+0ocxbKWQBMDl3KdGEJW38KcqR4b1B/h6f4VYo7BQzkSbrxRSHANz63vdJvVWPoMz
+jxAgykSiAqIDTNGxYp5trUX7ZLLn0cCIJjIwLU56GcPPN33SDVXetUdQ4sCaDdXU
+8YP8rj0K1VWMYy7SItCZsIqzSEMT+7wC3tvDUDWGyEb1UW9q3cpKBNDAl7KkO3rH
+UbeMutCK5ydtXMIumzNB704cnuwZ08sdM7BTTMhmu0VK+zjVzhBK+MFcF7pickD3
+SdNzOiqfgiXLGjsiMFJvJ7OUJczEJl2xIoZ+Otb113ep0An0PEuF6aZMaKPNP7xf
+ljnengym1Rq+f1mHBRRfool9zmeisnQSSecKo0htm6oRkQTcTwLj0TjiCugbmISf
+D7sUXWp/QFVdYhHTay1gWUnP1quflKYvEynd0UF0JOnCbpWAczdXf27fm7DVjgLp
+yZ4QyrCtyvtIITgmZOvkAcaflxe2E+cBN2F+hWGzqMJfoMtw008hRW9DcRji35Kn
+lCOj/87n8lL3dicDI0caBZO9tQIakh05XYW8xN+sYF9K/xKauQKCAQEA2txDchqB
+7719R6hBqdNqig2+telNHlN0amPKjqIvP7Tr/JnJx8A7cSasao1Fw0cGPReBT7Tb
+Z5IW7xvWiZYFMDI8q8ZGEIb+MveYs1gHlEaimMtwoVCNeNe3cEPIL7ffNT8y+xFc
+o55AjzgKAOHqmf6OidKqRs/B1sSmOrgugsY8KvYtA/JrieVHKrjNX5XqZNqrfsns
+K4DMcJvIrfBu9iyWenNoBOdEJsP0h3F39Zh2hkEg29eH+/8x6FGlezvSU89Jjs9O
+/2BdlyS82RbhPu2VIrsmpfoSrsFHRe8t/9yrnpY3ud6w2LP9QIEMd8FpWKGnNxJp
+AIZJ6u+NoWVlLwKCAQEAxk/7RSSvf6VJvi1gmOxKd79LkYUEiyZryP/M8kQFMqs5
+pU6BgFLVLZsaXz+1oYS0bEjVGGo5ppCVVUMN6RuFX9zVz9uVZBeiiItqw64UDbt/
+0u78m9ngvSpWaMQU2nS/kHVhKOY+Gfs0v5fBvZE+wxTfMBR+nbx7uJivpXnq6xMP
+fhDz6juap/lEK6HuvQN5xXBNL4wpd099lvy3NUuG0Dohb/+gWf3YzQtjs281iMZB
+G3/gGLcBSdk6PBwXueJ3NPj9FAII73MQNBNYS3zi3IYuulA/rMcvbA+IGeKTzRX5
+E47B8ZAhJxZ3OePalvZyVEaRHDFT+Y2YCv/G9Bw7bwKCAQBs97oE97m2Gcxkfxui
+aIblEY7gl7Yz4S1XQzQ46/tGZtgQPqm+cLGn1q+Fpa0UWyp6BFf3zX5oBM6yYlPg
+0PboVjrq858y32N1EN3QfYXYh4qxNKlxR+AISK8mkDj9uTjDFCJX6v8K3+IY7Lfe
+VJ0v6xQg/uiUtSA3xFVXaxiNOBIA+ezTyEFOuP9EABsQ+l1ntZApYnPZ/RjNAGNc
+Zxd4Lh8F/KvPtS2zd2Eqho5Jk41/rrGjg55LE3ZPy0bvIovH+q8PEZytfddbR4lX
+NRMU98mHL1NA1E+0/rpz0XA/sikonnZEbuHyIzt2gEoq3fuLi4Dr5JivEC2BcaA8
+uXU1AoIBAQDDxUdfXbTmxQxEctVuga2OA0mdkXwHxlkXZvcyntWmzIOu3g5X2O3c
+BMcHCoTKu4/Faiz72jmpZggV0IlV+zYyiXaFqNcUpYRtWXx/SkU/vT6VxBmZ3X/Q
+HpCJAjE365MFD+tnjcv2qBfNoAnBkzYrLVqbQ1AvdVeJxyl2qSGxCPL9V80DCe5G
+LnwOuuBMtbaro45/BtYUk2N+/2H5eeLPguNphigNTtyMpta412s458Z0WEuo+liK
+R6kGmBEQDzHxGG/2JYAeqi9vyT0b4GCwpMJSaVBCx6vX+Ik6TIPuLOfjV8W8K7We
+ub3fZ0FuUEJTUgqEk2m77P0Qtqn4aDp/AoIBAQDXI66F4POHVOPI/j584sSLhW6X
+j5VzFlmOhpyoourPYXsKyIFrLa/gYAe/wNH/5jg3Ap5DbBVZB87gOkaMz2oV+ZQ/
+5IWiFmiUxGrCXmWyI6Eqr2DUtSKispLnQ043bFN+HlhfQYTwD9ijqpwpUt/sC+IJ
+mLIGJs5B3cdcRQuSxh1HpvSJOuItjp0wfcGj3+RPh5cPdjHZW30FHGFomOk//6BO
+nWdoYUGrN9wXylDOHvlkYaP2Uj5rCWm51ZGaxzJR9S+WkHdNBzyygpGtEXdSAIzU
+tHufKwQdDnj22w8KSCvQ+KvwUn9UrIR5LyGKiYGWved9X2EQzIFC4dJ8h30G
+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev1/after-2038-certs/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/after-2038-certs/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..40eb84b8a
--- /dev/null
+++ b/testing/tests/ikev1/after-2038-certs/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+}
diff --git a/testing/tests/ikev1/after-2038-certs/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/after-2038-certs/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..e56090f48
--- /dev/null
+++ b/testing/tests/ikev1/after-2038-certs/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	charonstart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+
+conn rw
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	leftfirewall=yes
+	right=%any
+	auto=add
diff --git a/testing/tests/ikev1/after-2038-certs/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/ikev1/after-2038-certs/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
new file mode 100644
index 000000000..03b57243b
--- /dev/null
+++ b/testing/tests/ikev1/after-2038-certs/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
@@ -0,0 +1,55 @@
+-----BEGIN CERTIFICATE-----
+MIIJ0DCCBbigAwIBAgIJAIORWNruS4GuMA0GCSqGSIb3DQEBDQUAMEgxCzAJBgNV
+BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJv
+bmdTd2FuIE1vbnN0ZXIgQ0EwIBcNMDkwMzI4MDgwMDUzWhgPMjA1OTAzMTYwODAw
+NTNaMEgxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4w
+HAYDVQQDExVzdHJvbmdTd2FuIE1vbnN0ZXIgQ0EwggQiMA0GCSqGSIb3DQEBAQUA
+A4IEDwAwggQKAoIEAQDL3Cy8fYlD/Lqc6vXnWakywyvB7rouV7CIdxZMGHz/6zO4
+4sZaeqWy4Fmp6zPuLI8RtxsIyrZAJzqnTDNRb6FhosdluTy/QL2N+M2U0fKeRjAd
+2IInFOabqSSheB8Np53xK28oZ3xe75vbpSRiqGItmqZHioFPpNV+gRv2NC2NSUqr
+ta9aRo35m2ZyQuav4+oOYalayApZWr44w8qQJRILvFo6jc7x5bE+LgFNRfe15/MY
+dyrabatILkOucP61VE7QqftLj465w1GG3kzyt4PsX5FKkSkhs3wMnQKLJyvxUIlk
+sC7m/NzABRAEAfLAODJJ9indUCVjcLDC81avQPoHOSD736hkYpWRnlrgvu14q+5d
+kBRvyCQu+SoBPj0oMtEEdaPk7aBGjXDvKkeJAZYEcOP8h9oKUQjwYUQhQ7Np0f33
+YBaQSCv/6kfl+260XXMWQrQd4iDY17x5H8wA6mncTQ01JHIJy5pixXt09dPmWaAh
+qZWaDbkSLslO05zai45QpTFQ2Qtw3d6w5BY3u2bREB7HnyFfZF8n43pvsInNv5pQ
+HLVHN5/TP/YVwbZj4UXXgAjkL/4t6DGELk62VkrxB1dQDopimFRmaGctAGWbo8ro
+UVpGDXnSHCn9SPmEqeetK1fJHcCeQskVFakIB3qdRJM+rsWcOFA4c40D6uKyvLHe
+xZbqaOjpL2r9vfuzMtbUMUinZNBqVf7dCkxY02gdi1HpTB5p1VBSRbXdaC1Zow4O
+Rn2Ekd6/lr5G45S8ljr7EeGnAUKFOoyU8F6dYmvgwBTgNwQsGa+MbWkuaaxuIq0f
+/e3J3PYkdQ+7tNXPsqoDXcOtc0ZPlBRwDx9Js+qh86e5HKh85DzBjjl97giv/3PC
+Ek6imgHhx0QsulWUfGzls+sd3SXf8azBFt6Jh7lUJQafNH++fLZvryGYa2gjEn4V
+Cwr8PTaWLm5TwgHlyJTH8Zkk7yEVZvzJfs6UC8tEaYitmAb8e9cYTztA0e4gPeY/
+9UTyb0XAnol368DGKi5T5L1x1NVHkPc5zVXcGUvUFpEd4q4aJWj9xUyskt13fl8V
+9BOKc1BJZUdCkxRSt1wF4tlcFs9EVbOoYOT2+KJiaWB59ke+O7HUxnjFzNfPFLO9
+ItgNHhahXrhX22e//B9QhzQ5O29UhXpX0y624DK/e/bj96c6ve5NqDIcZdOyVduT
+XiEyfUpP0ZjvwRbS42A1VYs34ELBt5ntUhRvgivXAbBnC19pv/WFurMzaxueQgjh
+e/TUX1FWXh8zq5qPvASxkupdo5GOrcjn6a8zTmRPS6V8jVLQmUHMsCsyFcVUECsL
+99wet1nlFAloL59Z6Cjj3LkyLpeIG/o4ItGEdw5bAgMBAAGjgbowgbcwDwYDVR0T
+AQH/BAUwAwEB/zALBgNVHQ8EBAMCAQYwHQYDVR0OBBYEFBlirZarxvvXjxDEVv9A
+YyJCcHYOMHgGA1UdIwRxMG+AFBlirZarxvvXjxDEVv9AYyJCcHYOoUykSjBIMQsw
+CQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMV
+c3Ryb25nU3dhbiBNb25zdGVyIENBggkAg5FY2u5Lga4wDQYJKoZIhvcNAQENBQAD
+ggQBAHcfJo343EP+u0T1DTa3oJbYtqON1F7UdkJcOUxRhp4HFlPEOFxSnHU5Qi2f
+hzxWZTQEKI2q62AXdyHDygI44dCpSFZNPcZHdwBl26maMHubv7JXFl7TWupvki57
+71ttz+0wc5iU38g3ktVkrcjzUiqKU2BXnvIuLteOHfnSMGR+JG0v94nYl60EEtZr
+/Ru0Orcq93mrQyih4MZMrcssNBI+2HSFmjITBSGAz9G81d/kojtCEsmY37dqpkqO
+lOo57HLTUzuMHW1W+c7wCLAl2rhy0xIJ/t5XpNBvPzc7xKZex01A7kKIcUV5vlvj
+8+NTuMF4NAZjgtODj0Z3kKsxaIlq0O1+SfubdnHE9pNZPXWm4SSW8w1C+n1+MAA2
+RpK7T1T7BiOQD2fSKsCPvocefiWFOUuHkyRPG5vE0Ob5XH5qT5R3xTq1ta1cpxsA
+Rq0s4QHYePZ+gU/7edI7LvZtueOGL4BeR1TSIcbij5+LfFlIjz9ETp3cWc5rxjsm
+xBGeHyCslH2EKuufzg5czqmnTdwC4zGNVUyn8c5YUVpOxEZOpnrrGpR7xCHG6n0s
+PFpXRuSp6JHSDVCFkJLLrIH0MNmXirgsNLQEOX3WBPeK2hj9X3kzV+iRd5YXqBld
+6x1Jnx66iNhJyKHDXfZ84PIZzxaKrDrR35PK3DsZUATx0l56uBWAY3n1Zl5ZrWkd
+c66yvP8/WXqO1IctddURFn1ohkkbCVd8ke45ZQoyHIb+cC2gTU53aYNNAZDHh/C/
+MrU7+d5yH29dLjtv+J3JrDwdtBLMZa4RcIOZxhk7MhheNW3K+Q5xpKrdsqourQ2T
+vBwEmrfiLHRb+Hk8UbPpDW5m3yaXYmn8bQinkD1BP2ru/f6r4Rj+aAtNvz8ofgAg
+RcUcD+jeIDAEWnFCKtHxtp+fLYm5npnwfyCyOID2Lr3K1Z7SpqzoYYq9bfc3AdtL
+uHr9RSjdfsuG0l44xESwC2+Pp6rHwvAIPfPgcZiOX1GObytxXexWYCy9g/DKmUVv
+inTJNjHpH48ffPmCBE2LoylgBv/dSmf6hQSf5lqsKQ3tKApJv8t0oO6jqyvn+aqs
+CTi4WALKhZn9YRKRzcwzYVav1g0fHkrwRQxv8TRM0tYWZ5V01qgumxD3L/37vqDR
+8bx9KvgiF3DbP2q8IbVuVMLwjU6xPH+5sWJCS0Cx2haW1oVw7ppd9sgAkj/wxzt8
+9jl/bx3rD3YwoobFvqry0Rhe4J1LidAAKX+E69c4GwoTIe3eqL/TYkis7YIFLjea
+cm2lumjrrFcnbZLvDK5S/+kfZ2Flt2QoUznNeTTNY1nAnJSgqOgOocvyYDA9vx6H
+d/Fp6btmZH31IEyJrRNVOpCwZPI=
+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev1/after-2038-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/ikev1/after-2038-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem
new file mode 100644
index 000000000..e83798c07
--- /dev/null
+++ b/testing/tests/ikev1/after-2038-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem
@@ -0,0 +1,46 @@
+-----BEGIN CERTIFICATE-----
+MIIINTCCBB2gAwIBAgIBAjANBgkqhkiG9w0BAQ0FADBIMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBN
+b25zdGVyIENBMB4XDTA5MDMyODE0MDcxNloXDTM5MDMyMTE0MDcxNlowWDELMAkG
+A1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xEDAOBgNVBAsTB01v
+bnN0ZXIxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dhbi5vcmcwggIiMA0GCSqGSIb3
+DQEBAQUAA4ICDwAwggIKAoICAQC/9647SgAcK/or/Qs/3cRc19po7oex5EBdPR7b
+vInAuzrVMK84+ifneBWscVhBnxcUI37D0SpKx0onrdskMOyv5nmkdcgQf8931eip
+scNsw8bC8MJsbc5Jfn3DKPurbKK2/uFFE8ot7S65HY9tVBsxKsrjS5YFPE+DKKP+
+BgVk/9hL0Kqq2iKuWTq8YTRMu5iskpLIxqvuz362G46BKoW52pFegeDzpz/Bs/7y
+0oWPRcNcuRQR5XFTpF2L3UosniMkr7aYU5Z8s7IqiEx7txGh5SxRB+TYIZwB1ODa
+L+bnclQeMsBiFqlO9UI38UaxEQgk/+UhgpaX/DPrZg8KJmjW3e+x8xcwL3ouRLy2
+2Z99WMnV6TlwpTKj24EQJALmLG+UJG+hbV9P9j6Mkql3FHb4aLZH71CvyCqeg2yh
+FGiuaGEe8vS9+Dj5LKv8hSbBe/MSQDiPhKT1gb84TiQMsWfxLN7oDXunohnhMZfu
+sydB/c/R/ooA5ri+lE5c65bP2Mk+ml61p6z7lJv+DXBDXW/o4v8Imjx2OMsL85LZ
+vYWJppdJrThd/m4OVnCXYfuHMZqedsIvNR5blnldATLBjWWbeoKhOyqZb8hZ6HFR
+dlJ11LhxnGg9itG385L3Espl+EVcakWBZWrOn5/LGNKZH3UedclEBNci6lSadZaP
+/UfRCwIDAQABo4IBGDCCARQwCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0O
+BBYEFOQpYirU7vrMZUWDkqDijTPuhPQiMHgGA1UdIwRxMG+AFBlirZarxvvXjxDE
+Vv9AYyJCcHYOoUykSjBIMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ry
+b25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBNb25zdGVyIENBggkAg5FY2u5L
+ga4wHgYDVR0RBBcwFYITbW9vbi5zdHJvbmdzd2FuLm9yZzBBBgNVHR8EOjA4MDag
+NKAyhjBodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW4tbW9uc3Rl
+ci5jcmwwDQYJKoZIhvcNAQENBQADggQBAAEsjsebEspAIANEBVWRjRpowIJlVSLf
+WKzblIPlhClXafHGJbhiamdtS2FmEh/rkzz3Ml+9cJy1KnB1Pn6+4JLSJe5xAywK
+lKTT2iY0KDdOsaK5j+CNJ2tW9NrJPxwtIz+nGGqqyyEUPJE1FYxphbLgmwFNBm2o
+HyeUVYI+gyfmhyHaXHKOmbsDG0o+pUX2tVOs0KdyU6deaAtEf1E6aA5TpCAi1OZs
+pdRDXFUfjdekRkfRr1PZ41Xwk3t6E32YhIE++r7QneQPhXymxVO9nepmpuSoHvlX
+Hb4JN2EQ0zCkkkOfqCuF46zVxsR46/3cfKbRsaVmdfGjvmDSCDI47AreluYiPTGA
+zN4XN91Y5rPZuT9OJYV4UrYv9N1jH5StVmSz19rbYOeozJXX0PBjdCKHEonD1FHY
+xWRpijVUG6NWVLKpvdg3RiFw78wIrNPAeVDvLL+112nbszNDNLSoOJjOUBySHJda
+WYFtg2IoAUis9r/o7uykNcC6KiU4Y1nC8PEIhMi4AMA9UgBCn4ixYtHI9jkfHcrD
+O1kvPRUo3hKzrhftLYtfiBfTEh+3Xab615lt5vNNhdI7d4knqUXvVdURtvlfJLZv
+W0YdvwjJtrVJAiCtX3wyxy72O1ZOG5kHCcK5oHUHg5W172rK9hK4LByk5ESqtc/t
+YDG7TmZLtUceV5yK4gz7pwIwXthA8yayRy+lbk8BFxRMfOEfb6rPdm0vvmPpHHDu
+yHR5SJTgpGo+/I8N1zS6PNeUBh0RAbSnxHJSMLn+GYTs8s6Atnq05SIuVYxvXyAQ
+ULf+ppNN5lngSZHPaOFJNpC1QL1+DdMNueDITVxYx5DV8SkWRPhzS77tsYeUxVGI
+IpUVEqSggGe6Q4YWv2smAjSeqaS5HNGxstE+Ybat/cp9QMbLc7gwKxwRQHhVRZ5O
+0rVq2bZUyly8y4wX8G8WFMNuCoAcHAdMvKh4JtmdDDZlbxdC2mSVbLSuTBfGvKc1
+ScwOBtSqQkm9PsTMitZM31s97WJLQIZbq82g2ns7hfEXMMIgzcFLYlM1SovbDZI5
+ZM63NBVTaKyj+Gxy8FcAPBPtPWwAQT+Gdi8gFwtcEilTOBECL5y0hzlL9aJpsJEq
+4KV5nnM5rutUufiYzQMZqME3g9VWk0kQteVpa4x+4zsKH9lJSSS/y0eCo/jArS8l
+HSmzUDkj2cWmf/azdrcig7g/mHeEbKu1JH1X5lRdZekqcRCW6v1OjP025B/5nSnL
+WYPUI9RLb01fmPjWdrc4+hPnHjePp8w6tuM6U6huMCwstnOel6d2FL5hOWvXNmIH
+I+8zv7SHhIWQmUbC0YQn8BFqvqDC08In5x42YiTe+42YEtafkTkbY8o=
+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev1/after-2038-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/ikev1/after-2038-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem
new file mode 100644
index 000000000..6d39ac084
--- /dev/null
+++ b/testing/tests/ikev1/after-2038-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem
@@ -0,0 +1,51 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIJKAIBAAKCAgEAv/euO0oAHCv6K/0LP93EXNfaaO6HseRAXT0e27yJwLs61TCv
+OPon53gVrHFYQZ8XFCN+w9EqSsdKJ63bJDDsr+Z5pHXIEH/Pd9XoqbHDbMPGwvDC
+bG3OSX59wyj7q2yitv7hRRPKLe0uuR2PbVQbMSrK40uWBTxPgyij/gYFZP/YS9Cq
+qtoirlk6vGE0TLuYrJKSyMar7s9+thuOgSqFudqRXoHg86c/wbP+8tKFj0XDXLkU
+EeVxU6Rdi91KLJ4jJK+2mFOWfLOyKohMe7cRoeUsUQfk2CGcAdTg2i/m53JUHjLA
+YhapTvVCN/FGsREIJP/lIYKWl/wz62YPCiZo1t3vsfMXMC96LkS8ttmffVjJ1ek5
+cKUyo9uBECQC5ixvlCRvoW1fT/Y+jJKpdxR2+Gi2R+9Qr8gqnoNsoRRormhhHvL0
+vfg4+Syr/IUmwXvzEkA4j4Sk9YG/OE4kDLFn8Sze6A17p6IZ4TGX7rMnQf3P0f6K
+AOa4vpROXOuWz9jJPppetaes+5Sb/g1wQ11v6OL/CJo8djjLC/OS2b2FiaaXSa04
+Xf5uDlZwl2H7hzGannbCLzUeW5Z5XQEywY1lm3qCoTsqmW/IWehxUXZSddS4cZxo
+PYrRt/OS9xLKZfhFXGpFgWVqzp+fyxjSmR91HnXJRATXIupUmnWWj/1H0QsCAwEA
+AQKCAgAn3928CQH+2A+uBXDJwlngYyHF/A4JoHzSITkAsaf3dayhzewHrMaPKP1v
+hVeswcv8becN66uaPs0jctR7LwJrAzevNpvo+XNx0+fxH7CVLhFiOrpX5XMdBv4+
+hIvKLtWZp1XJkHPFmGfFIePB9N91FgtwrSmrSrzFZLKzuDJ0qUQXc2+P76GWj4hI
+yvQfIDR1XDjLJaFfCJCsaQrvv5JpaYIanGXKlqoCpU3GyH3fpcEPyI3nrb4dfp3D
+yKJ4pBxuqWUHPQ2cN4NBnHAunnc2JrFO35HkZw7Nvpc6GwsedjwMzcPyW/ytHvqz
+PhXN/9iuPs0sacC4LzXlppxnIlVSOCoLUpyoe8zXxDJBLsU7d+zDnXZ/1guviHz+
+x4RsEKjlXcvsvnZGAy0pUzOEXIfmWOOSlA7iqkbPNud9nBS4YnOtiZIowLj6893k
+rN1GQ/jw7szBkNh5vjdZT7HAIhlBwyQI3hRJX/h0hdUPNiPW4/j9W94JWcRxk0tO
+vZq7mcTtJ8OFlsNyO12KgFIjT+Gwz7tmNrN+Of98pOt9jRN7hhxY8sQosmW1nePZ
+HuWR52CVShXX/N2d/09hwf48xjYBjF3Mjxc8ySIyERdcWqsWx3j5WaB8rEAAuMcF
+/gY5bb4Oc1MAUtX8aMidvKfVW0Owapj/ApgyOmGbO6YEQCKSIQKCAQEA6hbs2JoD
+8u9sCaabRKNxqnjzXzB7JrR1PKyOjp3Iiku29W1VQ/TMRUpO63LsE3lbv/3RIvi1
+wZN/dFhWC9wOY85iDUci5ZI0QcZA0OIQ/uetrE5/FBOmH9MVIQEXnGHSNPHUWMqk
+EBrykyt+7RMEb7Kldm0V57MesO1FA0y81+UCJP01KZM0D7Nq1Eb6GfNLENah3Fk2
+wHk6g36O1nMAEyjHvS+ht8C0rzNXIqCnkeAuxxAfJde9TYpuW7oCt1JEeh2VAmOO
+7QESq2x0OrPKLCUs00y5k0I9eqvAaQfCC6EcdiX7FyAfX5n5Vf5FbfbWhf9oheno
+CQ0uai4v1uqX2wKCAQEA0e91hlukBO2InB9j+54R3XA0buCr/eQFqJ4sAjgL9GCk
+n09tfytH/nLPw/g/l7snyVmGW3uZfmkOqnTP9Yfbx1dU0pPRN11qM9QG6YH+Odkv
+D+LpRnYRjj7QxQJQbGy+2IZN8cmtpJQziSmQMNZU/YoDpq7wYNVhwnP0Z3ZgUo3d
+GfRPbGw951dOAK0Z6S61+mXSQE9JhZBo49zOrmkgLa1fmLfJoukmz4MTZqoWFffq
++1Q4vdYgRS8ToT2Rmba+7s4UAmVKyACEw8WEyjH3TXxd6tQy/smzcD0Vgg7Ghvg7
+Vs5ion9HcqDEcQ1YWvMDWPD/x4fyVgu4v2QW/k/KkQKCAQBPb04ZxlG2u1YfBEFG
+DmyA26BCWfJAVRY/a5LIhHRLsZu5NsurTsOOc8PKE+pWRWVEBj5Urq8GrCWg9mTk
+i1z6s0sElHIcEvvWog7WkxAPX9DIWq62wmAqBnfyBivb7jnlq3ZSVxlLOcm89RKS
+IlTsDmQlhqjbQiYVBb7Yes7OODD9GktS+1e8SDblJ9ywt6VuZlbwrfltYPXhLy4L
+SWTqG3mEEki/UQ4/MZ3M61VRpBBbjnXzYn0jdekzCTDowmroQWeSMvSKKkYKk7fx
+P5dIWakXXr7OYLj6CpQ1T+OiDJ7a3NKSq1zaFSbN7oXi5dMwD1aJsrEBeU6Zy2iC
+doLnAoIBAQCzC716J7JNmaCHNqZ5NKkb6NRvNCK72LuSwcPa6J4ZgEsmrAFBElLG
+inj0NEdYSwB102qpn1Kb41HkwteSGpqw+qSXLAalZ4BqT4zNnlaKU9a1f9tggtYa
+MSywuXaJ4n0qAfF8I3t7AAKsGsylOkcmLY1LnavZimNkCq0JiIZCIkfOGPWcDP0G
+zwjxvrB4laQSuMCGpJiZ1z3+CJYlXfdZvaHoh+bqkFrPZIUpbCqF9fls/Lmf/n1r
+Q+lD/VSuepOA7DVYjbcnuHmC1nSYVeELLuSSoQQVFUV6lj4/vAZJmnBRapfo6xCu
+jLq9iJowh031jyU2sZVXGYwpf12066xhAoIBADCtIvqwfy9pcqYs8PQMQTbDuz3G
+ZCe3E5SLJ00gk/PBVJihOYvdKgwoZAyWdWxOPDKzBJAaJBgpmpWKeX3k92HgLxyi
+50zKogbCc49mz2c6kRC13SviPAjO1XuM+FKo50AICenauu21/ZeMYuLt9gxnhEo5
+kkIYhD0irfTw5MMEKITAs71iB74Lxm9gv/+jOwsgoP23k562NHnIvPdbDzbR/ROD
+xb/3DsGbB4kmUXoLlWxradiZGczPddki+bMI4meMs8oH+XP14KyGqWC8LSuBDg8Y
+fADibXSIAHobiN+KhDtWz9Wnhtch9C8Q5+JDjixdspcn4lkMdMK532v/FBM=
+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev1/after-2038-certs/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/after-2038-certs/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..40eb84b8a
--- /dev/null
+++ b/testing/tests/ikev1/after-2038-certs/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+}
diff --git a/testing/tests/ikev1/after-2038-certs/posttest.dat b/testing/tests/ikev1/after-2038-certs/posttest.dat
new file mode 100644
index 000000000..94a400606
--- /dev/null
+++ b/testing/tests/ikev1/after-2038-certs/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev1/after-2038-certs/pretest.dat b/testing/tests/ikev1/after-2038-certs/pretest.dat
new file mode 100644
index 000000000..4921d5097
--- /dev/null
+++ b/testing/tests/ikev1/after-2038-certs/pretest.dat
@@ -0,0 +1,6 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+carol::sleep 1
+carol::ipsec up home
diff --git a/testing/tests/ikev1/after-2038-certs/test.conf b/testing/tests/ikev1/after-2038-certs/test.conf
new file mode 100644
index 000000000..9cd583b16
--- /dev/null
+++ b/testing/tests/ikev1/after-2038-certs/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/after-2038-certs/description.txt b/testing/tests/ikev2/after-2038-certs/description.txt
new file mode 100644
index 000000000..fb622dc15
--- /dev/null
+++ b/testing/tests/ikev2/after-2038-certs/description.txt
@@ -0,0 +1,13 @@
+The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
+The authentication is based on <b>X.509 certificates</b> that are valid until
+the year 2039 and are issued by a certification authority with a root ca 
+certificate valid until the year 2059. On 32-bit platforms, dates after
+Jan 19 03:14:07 UTC 2038 cannot by represented by the time_t data type.
+Thus if a time wrap-around occurs during ASN.1 to time_t conversions,
+dates contained in the certificates are set to the maximum value,
+i.e. to Jan 19 03:14:07 UTC 2038.
+
+Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, <b>carol</b> ping the client <b>alice</b>
+behind the gateway <b>moon</b>.
diff --git a/testing/tests/ikev2/after-2038-certs/evaltest.dat b/testing/tests/ikev2/after-2038-certs/evaltest.dat
new file mode 100644
index 000000000..1bb9c105f
--- /dev/null
+++ b/testing/tests/ikev2/after-2038-certs/evaltest.dat
@@ -0,0 +1,6 @@
+moon::ipsec statusall::rw.*ESTABLISHED::YES
+carol::ipsec statusall::home.*ESTABLISHED::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+
diff --git a/testing/tests/ikev2/after-2038-certs/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/after-2038-certs/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..bcdb8641b
--- /dev/null
+++ b/testing/tests/ikev2/after-2038-certs/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+
+conn home
+	left=PH_IP_CAROL
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	keyexchange=ikev2
+	auto=add
diff --git a/testing/tests/ikev2/after-2038-certs/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/ikev2/after-2038-certs/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
new file mode 100644
index 000000000..03b57243b
--- /dev/null
+++ b/testing/tests/ikev2/after-2038-certs/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
@@ -0,0 +1,55 @@
+-----BEGIN CERTIFICATE-----
+MIIJ0DCCBbigAwIBAgIJAIORWNruS4GuMA0GCSqGSIb3DQEBDQUAMEgxCzAJBgNV
+BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJv
+bmdTd2FuIE1vbnN0ZXIgQ0EwIBcNMDkwMzI4MDgwMDUzWhgPMjA1OTAzMTYwODAw
+NTNaMEgxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4w
+HAYDVQQDExVzdHJvbmdTd2FuIE1vbnN0ZXIgQ0EwggQiMA0GCSqGSIb3DQEBAQUA
+A4IEDwAwggQKAoIEAQDL3Cy8fYlD/Lqc6vXnWakywyvB7rouV7CIdxZMGHz/6zO4
+4sZaeqWy4Fmp6zPuLI8RtxsIyrZAJzqnTDNRb6FhosdluTy/QL2N+M2U0fKeRjAd
+2IInFOabqSSheB8Np53xK28oZ3xe75vbpSRiqGItmqZHioFPpNV+gRv2NC2NSUqr
+ta9aRo35m2ZyQuav4+oOYalayApZWr44w8qQJRILvFo6jc7x5bE+LgFNRfe15/MY
+dyrabatILkOucP61VE7QqftLj465w1GG3kzyt4PsX5FKkSkhs3wMnQKLJyvxUIlk
+sC7m/NzABRAEAfLAODJJ9indUCVjcLDC81avQPoHOSD736hkYpWRnlrgvu14q+5d
+kBRvyCQu+SoBPj0oMtEEdaPk7aBGjXDvKkeJAZYEcOP8h9oKUQjwYUQhQ7Np0f33
+YBaQSCv/6kfl+260XXMWQrQd4iDY17x5H8wA6mncTQ01JHIJy5pixXt09dPmWaAh
+qZWaDbkSLslO05zai45QpTFQ2Qtw3d6w5BY3u2bREB7HnyFfZF8n43pvsInNv5pQ
+HLVHN5/TP/YVwbZj4UXXgAjkL/4t6DGELk62VkrxB1dQDopimFRmaGctAGWbo8ro
+UVpGDXnSHCn9SPmEqeetK1fJHcCeQskVFakIB3qdRJM+rsWcOFA4c40D6uKyvLHe
+xZbqaOjpL2r9vfuzMtbUMUinZNBqVf7dCkxY02gdi1HpTB5p1VBSRbXdaC1Zow4O
+Rn2Ekd6/lr5G45S8ljr7EeGnAUKFOoyU8F6dYmvgwBTgNwQsGa+MbWkuaaxuIq0f
+/e3J3PYkdQ+7tNXPsqoDXcOtc0ZPlBRwDx9Js+qh86e5HKh85DzBjjl97giv/3PC
+Ek6imgHhx0QsulWUfGzls+sd3SXf8azBFt6Jh7lUJQafNH++fLZvryGYa2gjEn4V
+Cwr8PTaWLm5TwgHlyJTH8Zkk7yEVZvzJfs6UC8tEaYitmAb8e9cYTztA0e4gPeY/
+9UTyb0XAnol368DGKi5T5L1x1NVHkPc5zVXcGUvUFpEd4q4aJWj9xUyskt13fl8V
+9BOKc1BJZUdCkxRSt1wF4tlcFs9EVbOoYOT2+KJiaWB59ke+O7HUxnjFzNfPFLO9
+ItgNHhahXrhX22e//B9QhzQ5O29UhXpX0y624DK/e/bj96c6ve5NqDIcZdOyVduT
+XiEyfUpP0ZjvwRbS42A1VYs34ELBt5ntUhRvgivXAbBnC19pv/WFurMzaxueQgjh
+e/TUX1FWXh8zq5qPvASxkupdo5GOrcjn6a8zTmRPS6V8jVLQmUHMsCsyFcVUECsL
+99wet1nlFAloL59Z6Cjj3LkyLpeIG/o4ItGEdw5bAgMBAAGjgbowgbcwDwYDVR0T
+AQH/BAUwAwEB/zALBgNVHQ8EBAMCAQYwHQYDVR0OBBYEFBlirZarxvvXjxDEVv9A
+YyJCcHYOMHgGA1UdIwRxMG+AFBlirZarxvvXjxDEVv9AYyJCcHYOoUykSjBIMQsw
+CQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMV
+c3Ryb25nU3dhbiBNb25zdGVyIENBggkAg5FY2u5Lga4wDQYJKoZIhvcNAQENBQAD
+ggQBAHcfJo343EP+u0T1DTa3oJbYtqON1F7UdkJcOUxRhp4HFlPEOFxSnHU5Qi2f
+hzxWZTQEKI2q62AXdyHDygI44dCpSFZNPcZHdwBl26maMHubv7JXFl7TWupvki57
+71ttz+0wc5iU38g3ktVkrcjzUiqKU2BXnvIuLteOHfnSMGR+JG0v94nYl60EEtZr
+/Ru0Orcq93mrQyih4MZMrcssNBI+2HSFmjITBSGAz9G81d/kojtCEsmY37dqpkqO
+lOo57HLTUzuMHW1W+c7wCLAl2rhy0xIJ/t5XpNBvPzc7xKZex01A7kKIcUV5vlvj
+8+NTuMF4NAZjgtODj0Z3kKsxaIlq0O1+SfubdnHE9pNZPXWm4SSW8w1C+n1+MAA2
+RpK7T1T7BiOQD2fSKsCPvocefiWFOUuHkyRPG5vE0Ob5XH5qT5R3xTq1ta1cpxsA
+Rq0s4QHYePZ+gU/7edI7LvZtueOGL4BeR1TSIcbij5+LfFlIjz9ETp3cWc5rxjsm
+xBGeHyCslH2EKuufzg5czqmnTdwC4zGNVUyn8c5YUVpOxEZOpnrrGpR7xCHG6n0s
+PFpXRuSp6JHSDVCFkJLLrIH0MNmXirgsNLQEOX3WBPeK2hj9X3kzV+iRd5YXqBld
+6x1Jnx66iNhJyKHDXfZ84PIZzxaKrDrR35PK3DsZUATx0l56uBWAY3n1Zl5ZrWkd
+c66yvP8/WXqO1IctddURFn1ohkkbCVd8ke45ZQoyHIb+cC2gTU53aYNNAZDHh/C/
+MrU7+d5yH29dLjtv+J3JrDwdtBLMZa4RcIOZxhk7MhheNW3K+Q5xpKrdsqourQ2T
+vBwEmrfiLHRb+Hk8UbPpDW5m3yaXYmn8bQinkD1BP2ru/f6r4Rj+aAtNvz8ofgAg
+RcUcD+jeIDAEWnFCKtHxtp+fLYm5npnwfyCyOID2Lr3K1Z7SpqzoYYq9bfc3AdtL
+uHr9RSjdfsuG0l44xESwC2+Pp6rHwvAIPfPgcZiOX1GObytxXexWYCy9g/DKmUVv
+inTJNjHpH48ffPmCBE2LoylgBv/dSmf6hQSf5lqsKQ3tKApJv8t0oO6jqyvn+aqs
+CTi4WALKhZn9YRKRzcwzYVav1g0fHkrwRQxv8TRM0tYWZ5V01qgumxD3L/37vqDR
+8bx9KvgiF3DbP2q8IbVuVMLwjU6xPH+5sWJCS0Cx2haW1oVw7ppd9sgAkj/wxzt8
+9jl/bx3rD3YwoobFvqry0Rhe4J1LidAAKX+E69c4GwoTIe3eqL/TYkis7YIFLjea
+cm2lumjrrFcnbZLvDK5S/+kfZ2Flt2QoUznNeTTNY1nAnJSgqOgOocvyYDA9vx6H
+d/Fp6btmZH31IEyJrRNVOpCwZPI=
+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/after-2038-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/ikev2/after-2038-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem
new file mode 100644
index 000000000..2ce2ce3c9
--- /dev/null
+++ b/testing/tests/ikev2/after-2038-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem
@@ -0,0 +1,46 @@
+-----BEGIN CERTIFICATE-----
+MIIINzCCBB+gAwIBAgIBATANBgkqhkiG9w0BAQ0FADBIMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBN
+b25zdGVyIENBMB4XDTA5MDMyODE0MDYwOFoXDTM5MDMyMTE0MDYwOFowWTELMAkG
+A1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xEDAOBgNVBAsTB01v
+bnN0ZXIxHTAbBgNVBAMUFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMIICIjANBgkqhkiG
+9w0BAQEFAAOCAg8AMIICCgKCAgEAqYq89COSvnLQplrjtSrDyvqvJqXN7mfmgfgR
+yGVG6HVoA3DU/vJPo8xHT43eTIBkT9wxernYxGw7UZwG6iiY3Me7Q82f+2TmX8mp
+dYtP53SWASOHBiLk7d3yJJjCY2GGP8Vb0avJa8GEOy9ZHTOf5HWwMDt9EQKxOzkw
+BebpMLCf2Mi1robNUj/lEgE+3AGfikF39E3JaXhna3mm+7PwO5J5udpxC/rVa+bO
+FPoBoBOY7v4fuq0CV5x5q/bXn9oVWteF/U1fnnOf5Dhe3P057oj7kARsmGk8e0DW
+kk1vTt4jplSg6jhH7izy4OhiqWkR7QV/BMOQBqBd6bw9Ojk12LFZBQulM0Lmtou5
+mGabckTMvtI591UCGNqGMcVDsxFIX2ZMvfScMahS6pUq+hjiR95mwez2Z1Sg014l
+cFg11mzjXGGBFuTCl3smJqRT7UaI6JfjNz1f6p/7z8QhjKChVA/xnJ5yoJWNPest
+2X0psHe3AlocUFRxqnD2ZmNO6IuKN5bmN0O4Lfc50rl2hPATXdh0HC8HvcYbRK9C
+uezkuM1QEvkev5SFbzgivXb1A2hdRCc1/XRND7Pm9sCjjh3tn5otCMnalc1mk5v+
+t8GhCKV6B7RTzFqu+ry0pe6OlqqzU0yNdqYFK1hoCDXUQzEMJzmI9mIw+n6EE3Hh
+fTZstGECAwEAAaOCARkwggEVMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1Ud
+DgQWBBTy8LU5yQdnV8pfwhCPY7q/CiNyzjB4BgNVHSMEcTBvgBQZYq2Wq8b7148Q
+xFb/QGMiQnB2DqFMpEowSDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0
+cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3YW4gTW9uc3RlciBDQYIJAIORWNru
+S4GuMB8GA1UdEQQYMBaBFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMEEGA1UdHwQ6MDgw
+NqA0oDKGMGh0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbi1tb25z
+dGVyLmNybDANBgkqhkiG9w0BAQ0FAAOCBAEAi39l78OCI9S0I3X62HbkxiLguvnc
+CbXY6Tqmz0Ms8xqZgYzJOk7FLB/4v/zJohOH5nd7KxJ81KbcERyASpybaLM0/V+V
+oGT0rDGGH5cS4H2uYfs9HsKFKKPbZeCnExFyCamXjBZkl5IZNjdpS9TLyXRJSyFN
+OIRNhILPSriqdtzgRuGOeX798U8o0ObizGQRVlT0p0lI4t64dzZbIh3jSXjCf1Tz
+cmVOC8qhhGvxLlorSy5K98t2zNY7DvzwtvoQrNFGtso1kvfmaO4XRCvSZsmqPpC5
+mmWJjNEG2qcbmfpt8TotyUHgEJTZXwXlPVVb5OXHTW6jXk/MN0UiMTLJYcvJ1gji
+kSnGNHzRH2rKlYRED+jlzzHAWSv0mBGcOTdmfBV6+TJ7QhWhLZBzAUfwqXpAy9Vk
+idtyB0eSWBTIvhZY6SzB0Rvkdj0FtZ+tNURT4dPtiO0D+LXm/ojpdKKI2tFNOgwY
+n8df2u3xnCRvHqcF6lvu+ptnwUkUDDGDuiM20+sm0HHhLIj51v8tTm3Q/MzI0BAb
+G4HOSQNDzymWDgzIE67UTxBwXVDbSLkzH1vhFXtZQlD1UHqOUT/4FQm5ZlVMF8na
+FKxHakqoh1CdI8TAmM64h3hp1zp+G9Zn0lfcHRhvWBvpU8mgF1cbEvgbzjd9+xLe
+q45/8xuZPnU7XIBvDcZTUk8LRIThcTxQRlQdI1UJnvPOBYG3mUrLs2UdEZGwsooG
+zMOj3EQwqrR67rQiuGo65IMPDix4mwHjcZ8Gr4eqLDwSUS5yoPX1qI2qNLQbI1Ni
+8PEYMXQ0Xm+9Z86ZkI0dAIBWLkEGkz5Ngqk4O3JLzF1O/XPG4E9hGJ8WsHQW6pk9
++quv5nVNCAO0z6FYfQoYprdbDBur+N/no+BYIcSFSpLcNgafLXgj3I65iJ2VmRi0
+V0xAfxcRiQN2+/7aao2zLrrSPHU8YsW48ISw9ibQ9EckZMVtnhuYpBJuX8+auZ8f
+OgBmgRi7fCtEcMlXsiisQehymMs470eDRfWFUMzgJC8tMOQIWNdYM0Bo29wYUJPN
+jD+NO0n+PisFMilBEyoT2pD1i94+5DWQau/7STb3GbpBsLb7JbIrQEp0oSdsvsNR
+SaJQEqMxepJM0OGp3FMr79s+/a13+TMm+jl65M6sV/YTDdYFlplkWyHDjbL+WjUu
+lvDEURfBJrtT7u673RakCEzl5e53fP01HXFhqgMSloR7j2XNiyCeEUBp+zetXxwb
+8e6IKtbXWU+WcXIdNOHAL+OtD1vUK3gxupJPrRNW6daZKWUDbjRixzXnjeyIw8It
+bRldc5VjyM0G4FMbmIROgRcvjJ74MUwnHpgPl9zQ28HmbxKbANiJJZHIDw==
+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/after-2038-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/ikev2/after-2038-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem
new file mode 100644
index 000000000..f0836ec33
--- /dev/null
+++ b/testing/tests/ikev2/after-2038-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem
@@ -0,0 +1,51 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIJKQIBAAKCAgEAqYq89COSvnLQplrjtSrDyvqvJqXN7mfmgfgRyGVG6HVoA3DU
+/vJPo8xHT43eTIBkT9wxernYxGw7UZwG6iiY3Me7Q82f+2TmX8mpdYtP53SWASOH
+BiLk7d3yJJjCY2GGP8Vb0avJa8GEOy9ZHTOf5HWwMDt9EQKxOzkwBebpMLCf2Mi1
+robNUj/lEgE+3AGfikF39E3JaXhna3mm+7PwO5J5udpxC/rVa+bOFPoBoBOY7v4f
+uq0CV5x5q/bXn9oVWteF/U1fnnOf5Dhe3P057oj7kARsmGk8e0DWkk1vTt4jplSg
+6jhH7izy4OhiqWkR7QV/BMOQBqBd6bw9Ojk12LFZBQulM0Lmtou5mGabckTMvtI5
+91UCGNqGMcVDsxFIX2ZMvfScMahS6pUq+hjiR95mwez2Z1Sg014lcFg11mzjXGGB
+FuTCl3smJqRT7UaI6JfjNz1f6p/7z8QhjKChVA/xnJ5yoJWNPest2X0psHe3Aloc
+UFRxqnD2ZmNO6IuKN5bmN0O4Lfc50rl2hPATXdh0HC8HvcYbRK9CuezkuM1QEvke
+v5SFbzgivXb1A2hdRCc1/XRND7Pm9sCjjh3tn5otCMnalc1mk5v+t8GhCKV6B7RT
+zFqu+ry0pe6OlqqzU0yNdqYFK1hoCDXUQzEMJzmI9mIw+n6EE3HhfTZstGECAwEA
+AQKCAgAmHcjpYm4FXy7Fl72F531pTv69w50OslFCexEUaqCMdojR7TYVs0hwXObT
+XePSczMaOTjujIXNcz/K0zdCwanMSSMy1THYhRC+DEqK4K0wLifjTad3m7S4PaPI
+0ocxbKWQBMDl3KdGEJW38KcqR4b1B/h6f4VYo7BQzkSbrxRSHANz63vdJvVWPoMz
+jxAgykSiAqIDTNGxYp5trUX7ZLLn0cCIJjIwLU56GcPPN33SDVXetUdQ4sCaDdXU
+8YP8rj0K1VWMYy7SItCZsIqzSEMT+7wC3tvDUDWGyEb1UW9q3cpKBNDAl7KkO3rH
+UbeMutCK5ydtXMIumzNB704cnuwZ08sdM7BTTMhmu0VK+zjVzhBK+MFcF7pickD3
+SdNzOiqfgiXLGjsiMFJvJ7OUJczEJl2xIoZ+Otb113ep0An0PEuF6aZMaKPNP7xf
+ljnengym1Rq+f1mHBRRfool9zmeisnQSSecKo0htm6oRkQTcTwLj0TjiCugbmISf
+D7sUXWp/QFVdYhHTay1gWUnP1quflKYvEynd0UF0JOnCbpWAczdXf27fm7DVjgLp
+yZ4QyrCtyvtIITgmZOvkAcaflxe2E+cBN2F+hWGzqMJfoMtw008hRW9DcRji35Kn
+lCOj/87n8lL3dicDI0caBZO9tQIakh05XYW8xN+sYF9K/xKauQKCAQEA2txDchqB
+7719R6hBqdNqig2+telNHlN0amPKjqIvP7Tr/JnJx8A7cSasao1Fw0cGPReBT7Tb
+Z5IW7xvWiZYFMDI8q8ZGEIb+MveYs1gHlEaimMtwoVCNeNe3cEPIL7ffNT8y+xFc
+o55AjzgKAOHqmf6OidKqRs/B1sSmOrgugsY8KvYtA/JrieVHKrjNX5XqZNqrfsns
+K4DMcJvIrfBu9iyWenNoBOdEJsP0h3F39Zh2hkEg29eH+/8x6FGlezvSU89Jjs9O
+/2BdlyS82RbhPu2VIrsmpfoSrsFHRe8t/9yrnpY3ud6w2LP9QIEMd8FpWKGnNxJp
+AIZJ6u+NoWVlLwKCAQEAxk/7RSSvf6VJvi1gmOxKd79LkYUEiyZryP/M8kQFMqs5
+pU6BgFLVLZsaXz+1oYS0bEjVGGo5ppCVVUMN6RuFX9zVz9uVZBeiiItqw64UDbt/
+0u78m9ngvSpWaMQU2nS/kHVhKOY+Gfs0v5fBvZE+wxTfMBR+nbx7uJivpXnq6xMP
+fhDz6juap/lEK6HuvQN5xXBNL4wpd099lvy3NUuG0Dohb/+gWf3YzQtjs281iMZB
+G3/gGLcBSdk6PBwXueJ3NPj9FAII73MQNBNYS3zi3IYuulA/rMcvbA+IGeKTzRX5
+E47B8ZAhJxZ3OePalvZyVEaRHDFT+Y2YCv/G9Bw7bwKCAQBs97oE97m2Gcxkfxui
+aIblEY7gl7Yz4S1XQzQ46/tGZtgQPqm+cLGn1q+Fpa0UWyp6BFf3zX5oBM6yYlPg
+0PboVjrq858y32N1EN3QfYXYh4qxNKlxR+AISK8mkDj9uTjDFCJX6v8K3+IY7Lfe
+VJ0v6xQg/uiUtSA3xFVXaxiNOBIA+ezTyEFOuP9EABsQ+l1ntZApYnPZ/RjNAGNc
+Zxd4Lh8F/KvPtS2zd2Eqho5Jk41/rrGjg55LE3ZPy0bvIovH+q8PEZytfddbR4lX
+NRMU98mHL1NA1E+0/rpz0XA/sikonnZEbuHyIzt2gEoq3fuLi4Dr5JivEC2BcaA8
+uXU1AoIBAQDDxUdfXbTmxQxEctVuga2OA0mdkXwHxlkXZvcyntWmzIOu3g5X2O3c
+BMcHCoTKu4/Faiz72jmpZggV0IlV+zYyiXaFqNcUpYRtWXx/SkU/vT6VxBmZ3X/Q
+HpCJAjE365MFD+tnjcv2qBfNoAnBkzYrLVqbQ1AvdVeJxyl2qSGxCPL9V80DCe5G
+LnwOuuBMtbaro45/BtYUk2N+/2H5eeLPguNphigNTtyMpta412s458Z0WEuo+liK
+R6kGmBEQDzHxGG/2JYAeqi9vyT0b4GCwpMJSaVBCx6vX+Ik6TIPuLOfjV8W8K7We
+ub3fZ0FuUEJTUgqEk2m77P0Qtqn4aDp/AoIBAQDXI66F4POHVOPI/j584sSLhW6X
+j5VzFlmOhpyoourPYXsKyIFrLa/gYAe/wNH/5jg3Ap5DbBVZB87gOkaMz2oV+ZQ/
+5IWiFmiUxGrCXmWyI6Eqr2DUtSKispLnQ043bFN+HlhfQYTwD9ijqpwpUt/sC+IJ
+mLIGJs5B3cdcRQuSxh1HpvSJOuItjp0wfcGj3+RPh5cPdjHZW30FHGFomOk//6BO
+nWdoYUGrN9wXylDOHvlkYaP2Uj5rCWm51ZGaxzJR9S+WkHdNBzyygpGtEXdSAIzU
+tHufKwQdDnj22w8KSCvQ+KvwUn9UrIR5LyGKiYGWved9X2EQzIFC4dJ8h30G
+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev2/after-2038-certs/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/after-2038-certs/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..40eb84b8a
--- /dev/null
+++ b/testing/tests/ikev2/after-2038-certs/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+}
diff --git a/testing/tests/ikev2/after-2038-certs/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/after-2038-certs/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..274521386
--- /dev/null
+++ b/testing/tests/ikev2/after-2038-certs/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+
+conn rw
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	leftfirewall=yes
+	right=%any
+	keyexchange=ikev2
+	auto=add
diff --git a/testing/tests/ikev2/after-2038-certs/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/ikev2/after-2038-certs/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
new file mode 100644
index 000000000..03b57243b
--- /dev/null
+++ b/testing/tests/ikev2/after-2038-certs/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
@@ -0,0 +1,55 @@
+-----BEGIN CERTIFICATE-----
+MIIJ0DCCBbigAwIBAgIJAIORWNruS4GuMA0GCSqGSIb3DQEBDQUAMEgxCzAJBgNV
+BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJv
+bmdTd2FuIE1vbnN0ZXIgQ0EwIBcNMDkwMzI4MDgwMDUzWhgPMjA1OTAzMTYwODAw
+NTNaMEgxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4w
+HAYDVQQDExVzdHJvbmdTd2FuIE1vbnN0ZXIgQ0EwggQiMA0GCSqGSIb3DQEBAQUA
+A4IEDwAwggQKAoIEAQDL3Cy8fYlD/Lqc6vXnWakywyvB7rouV7CIdxZMGHz/6zO4
+4sZaeqWy4Fmp6zPuLI8RtxsIyrZAJzqnTDNRb6FhosdluTy/QL2N+M2U0fKeRjAd
+2IInFOabqSSheB8Np53xK28oZ3xe75vbpSRiqGItmqZHioFPpNV+gRv2NC2NSUqr
+ta9aRo35m2ZyQuav4+oOYalayApZWr44w8qQJRILvFo6jc7x5bE+LgFNRfe15/MY
+dyrabatILkOucP61VE7QqftLj465w1GG3kzyt4PsX5FKkSkhs3wMnQKLJyvxUIlk
+sC7m/NzABRAEAfLAODJJ9indUCVjcLDC81avQPoHOSD736hkYpWRnlrgvu14q+5d
+kBRvyCQu+SoBPj0oMtEEdaPk7aBGjXDvKkeJAZYEcOP8h9oKUQjwYUQhQ7Np0f33
+YBaQSCv/6kfl+260XXMWQrQd4iDY17x5H8wA6mncTQ01JHIJy5pixXt09dPmWaAh
+qZWaDbkSLslO05zai45QpTFQ2Qtw3d6w5BY3u2bREB7HnyFfZF8n43pvsInNv5pQ
+HLVHN5/TP/YVwbZj4UXXgAjkL/4t6DGELk62VkrxB1dQDopimFRmaGctAGWbo8ro
+UVpGDXnSHCn9SPmEqeetK1fJHcCeQskVFakIB3qdRJM+rsWcOFA4c40D6uKyvLHe
+xZbqaOjpL2r9vfuzMtbUMUinZNBqVf7dCkxY02gdi1HpTB5p1VBSRbXdaC1Zow4O
+Rn2Ekd6/lr5G45S8ljr7EeGnAUKFOoyU8F6dYmvgwBTgNwQsGa+MbWkuaaxuIq0f
+/e3J3PYkdQ+7tNXPsqoDXcOtc0ZPlBRwDx9Js+qh86e5HKh85DzBjjl97giv/3PC
+Ek6imgHhx0QsulWUfGzls+sd3SXf8azBFt6Jh7lUJQafNH++fLZvryGYa2gjEn4V
+Cwr8PTaWLm5TwgHlyJTH8Zkk7yEVZvzJfs6UC8tEaYitmAb8e9cYTztA0e4gPeY/
+9UTyb0XAnol368DGKi5T5L1x1NVHkPc5zVXcGUvUFpEd4q4aJWj9xUyskt13fl8V
+9BOKc1BJZUdCkxRSt1wF4tlcFs9EVbOoYOT2+KJiaWB59ke+O7HUxnjFzNfPFLO9
+ItgNHhahXrhX22e//B9QhzQ5O29UhXpX0y624DK/e/bj96c6ve5NqDIcZdOyVduT
+XiEyfUpP0ZjvwRbS42A1VYs34ELBt5ntUhRvgivXAbBnC19pv/WFurMzaxueQgjh
+e/TUX1FWXh8zq5qPvASxkupdo5GOrcjn6a8zTmRPS6V8jVLQmUHMsCsyFcVUECsL
+99wet1nlFAloL59Z6Cjj3LkyLpeIG/o4ItGEdw5bAgMBAAGjgbowgbcwDwYDVR0T
+AQH/BAUwAwEB/zALBgNVHQ8EBAMCAQYwHQYDVR0OBBYEFBlirZarxvvXjxDEVv9A
+YyJCcHYOMHgGA1UdIwRxMG+AFBlirZarxvvXjxDEVv9AYyJCcHYOoUykSjBIMQsw
+CQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMV
+c3Ryb25nU3dhbiBNb25zdGVyIENBggkAg5FY2u5Lga4wDQYJKoZIhvcNAQENBQAD
+ggQBAHcfJo343EP+u0T1DTa3oJbYtqON1F7UdkJcOUxRhp4HFlPEOFxSnHU5Qi2f
+hzxWZTQEKI2q62AXdyHDygI44dCpSFZNPcZHdwBl26maMHubv7JXFl7TWupvki57
+71ttz+0wc5iU38g3ktVkrcjzUiqKU2BXnvIuLteOHfnSMGR+JG0v94nYl60EEtZr
+/Ru0Orcq93mrQyih4MZMrcssNBI+2HSFmjITBSGAz9G81d/kojtCEsmY37dqpkqO
+lOo57HLTUzuMHW1W+c7wCLAl2rhy0xIJ/t5XpNBvPzc7xKZex01A7kKIcUV5vlvj
+8+NTuMF4NAZjgtODj0Z3kKsxaIlq0O1+SfubdnHE9pNZPXWm4SSW8w1C+n1+MAA2
+RpK7T1T7BiOQD2fSKsCPvocefiWFOUuHkyRPG5vE0Ob5XH5qT5R3xTq1ta1cpxsA
+Rq0s4QHYePZ+gU/7edI7LvZtueOGL4BeR1TSIcbij5+LfFlIjz9ETp3cWc5rxjsm
+xBGeHyCslH2EKuufzg5czqmnTdwC4zGNVUyn8c5YUVpOxEZOpnrrGpR7xCHG6n0s
+PFpXRuSp6JHSDVCFkJLLrIH0MNmXirgsNLQEOX3WBPeK2hj9X3kzV+iRd5YXqBld
+6x1Jnx66iNhJyKHDXfZ84PIZzxaKrDrR35PK3DsZUATx0l56uBWAY3n1Zl5ZrWkd
+c66yvP8/WXqO1IctddURFn1ohkkbCVd8ke45ZQoyHIb+cC2gTU53aYNNAZDHh/C/
+MrU7+d5yH29dLjtv+J3JrDwdtBLMZa4RcIOZxhk7MhheNW3K+Q5xpKrdsqourQ2T
+vBwEmrfiLHRb+Hk8UbPpDW5m3yaXYmn8bQinkD1BP2ru/f6r4Rj+aAtNvz8ofgAg
+RcUcD+jeIDAEWnFCKtHxtp+fLYm5npnwfyCyOID2Lr3K1Z7SpqzoYYq9bfc3AdtL
+uHr9RSjdfsuG0l44xESwC2+Pp6rHwvAIPfPgcZiOX1GObytxXexWYCy9g/DKmUVv
+inTJNjHpH48ffPmCBE2LoylgBv/dSmf6hQSf5lqsKQ3tKApJv8t0oO6jqyvn+aqs
+CTi4WALKhZn9YRKRzcwzYVav1g0fHkrwRQxv8TRM0tYWZ5V01qgumxD3L/37vqDR
+8bx9KvgiF3DbP2q8IbVuVMLwjU6xPH+5sWJCS0Cx2haW1oVw7ppd9sgAkj/wxzt8
+9jl/bx3rD3YwoobFvqry0Rhe4J1LidAAKX+E69c4GwoTIe3eqL/TYkis7YIFLjea
+cm2lumjrrFcnbZLvDK5S/+kfZ2Flt2QoUznNeTTNY1nAnJSgqOgOocvyYDA9vx6H
+d/Fp6btmZH31IEyJrRNVOpCwZPI=
+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/after-2038-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/ikev2/after-2038-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem
new file mode 100644
index 000000000..e83798c07
--- /dev/null
+++ b/testing/tests/ikev2/after-2038-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem
@@ -0,0 +1,46 @@
+-----BEGIN CERTIFICATE-----
+MIIINTCCBB2gAwIBAgIBAjANBgkqhkiG9w0BAQ0FADBIMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBN
+b25zdGVyIENBMB4XDTA5MDMyODE0MDcxNloXDTM5MDMyMTE0MDcxNlowWDELMAkG
+A1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xEDAOBgNVBAsTB01v
+bnN0ZXIxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dhbi5vcmcwggIiMA0GCSqGSIb3
+DQEBAQUAA4ICDwAwggIKAoICAQC/9647SgAcK/or/Qs/3cRc19po7oex5EBdPR7b
+vInAuzrVMK84+ifneBWscVhBnxcUI37D0SpKx0onrdskMOyv5nmkdcgQf8931eip
+scNsw8bC8MJsbc5Jfn3DKPurbKK2/uFFE8ot7S65HY9tVBsxKsrjS5YFPE+DKKP+
+BgVk/9hL0Kqq2iKuWTq8YTRMu5iskpLIxqvuz362G46BKoW52pFegeDzpz/Bs/7y
+0oWPRcNcuRQR5XFTpF2L3UosniMkr7aYU5Z8s7IqiEx7txGh5SxRB+TYIZwB1ODa
+L+bnclQeMsBiFqlO9UI38UaxEQgk/+UhgpaX/DPrZg8KJmjW3e+x8xcwL3ouRLy2
+2Z99WMnV6TlwpTKj24EQJALmLG+UJG+hbV9P9j6Mkql3FHb4aLZH71CvyCqeg2yh
+FGiuaGEe8vS9+Dj5LKv8hSbBe/MSQDiPhKT1gb84TiQMsWfxLN7oDXunohnhMZfu
+sydB/c/R/ooA5ri+lE5c65bP2Mk+ml61p6z7lJv+DXBDXW/o4v8Imjx2OMsL85LZ
+vYWJppdJrThd/m4OVnCXYfuHMZqedsIvNR5blnldATLBjWWbeoKhOyqZb8hZ6HFR
+dlJ11LhxnGg9itG385L3Espl+EVcakWBZWrOn5/LGNKZH3UedclEBNci6lSadZaP
+/UfRCwIDAQABo4IBGDCCARQwCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0O
+BBYEFOQpYirU7vrMZUWDkqDijTPuhPQiMHgGA1UdIwRxMG+AFBlirZarxvvXjxDE
+Vv9AYyJCcHYOoUykSjBIMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ry
+b25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBNb25zdGVyIENBggkAg5FY2u5L
+ga4wHgYDVR0RBBcwFYITbW9vbi5zdHJvbmdzd2FuLm9yZzBBBgNVHR8EOjA4MDag
+NKAyhjBodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW4tbW9uc3Rl
+ci5jcmwwDQYJKoZIhvcNAQENBQADggQBAAEsjsebEspAIANEBVWRjRpowIJlVSLf
+WKzblIPlhClXafHGJbhiamdtS2FmEh/rkzz3Ml+9cJy1KnB1Pn6+4JLSJe5xAywK
+lKTT2iY0KDdOsaK5j+CNJ2tW9NrJPxwtIz+nGGqqyyEUPJE1FYxphbLgmwFNBm2o
+HyeUVYI+gyfmhyHaXHKOmbsDG0o+pUX2tVOs0KdyU6deaAtEf1E6aA5TpCAi1OZs
+pdRDXFUfjdekRkfRr1PZ41Xwk3t6E32YhIE++r7QneQPhXymxVO9nepmpuSoHvlX
+Hb4JN2EQ0zCkkkOfqCuF46zVxsR46/3cfKbRsaVmdfGjvmDSCDI47AreluYiPTGA
+zN4XN91Y5rPZuT9OJYV4UrYv9N1jH5StVmSz19rbYOeozJXX0PBjdCKHEonD1FHY
+xWRpijVUG6NWVLKpvdg3RiFw78wIrNPAeVDvLL+112nbszNDNLSoOJjOUBySHJda
+WYFtg2IoAUis9r/o7uykNcC6KiU4Y1nC8PEIhMi4AMA9UgBCn4ixYtHI9jkfHcrD
+O1kvPRUo3hKzrhftLYtfiBfTEh+3Xab615lt5vNNhdI7d4knqUXvVdURtvlfJLZv
+W0YdvwjJtrVJAiCtX3wyxy72O1ZOG5kHCcK5oHUHg5W172rK9hK4LByk5ESqtc/t
+YDG7TmZLtUceV5yK4gz7pwIwXthA8yayRy+lbk8BFxRMfOEfb6rPdm0vvmPpHHDu
+yHR5SJTgpGo+/I8N1zS6PNeUBh0RAbSnxHJSMLn+GYTs8s6Atnq05SIuVYxvXyAQ
+ULf+ppNN5lngSZHPaOFJNpC1QL1+DdMNueDITVxYx5DV8SkWRPhzS77tsYeUxVGI
+IpUVEqSggGe6Q4YWv2smAjSeqaS5HNGxstE+Ybat/cp9QMbLc7gwKxwRQHhVRZ5O
+0rVq2bZUyly8y4wX8G8WFMNuCoAcHAdMvKh4JtmdDDZlbxdC2mSVbLSuTBfGvKc1
+ScwOBtSqQkm9PsTMitZM31s97WJLQIZbq82g2ns7hfEXMMIgzcFLYlM1SovbDZI5
+ZM63NBVTaKyj+Gxy8FcAPBPtPWwAQT+Gdi8gFwtcEilTOBECL5y0hzlL9aJpsJEq
+4KV5nnM5rutUufiYzQMZqME3g9VWk0kQteVpa4x+4zsKH9lJSSS/y0eCo/jArS8l
+HSmzUDkj2cWmf/azdrcig7g/mHeEbKu1JH1X5lRdZekqcRCW6v1OjP025B/5nSnL
+WYPUI9RLb01fmPjWdrc4+hPnHjePp8w6tuM6U6huMCwstnOel6d2FL5hOWvXNmIH
+I+8zv7SHhIWQmUbC0YQn8BFqvqDC08In5x42YiTe+42YEtafkTkbY8o=
+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/after-2038-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/ikev2/after-2038-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem
new file mode 100644
index 000000000..6d39ac084
--- /dev/null
+++ b/testing/tests/ikev2/after-2038-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem
@@ -0,0 +1,51 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIJKAIBAAKCAgEAv/euO0oAHCv6K/0LP93EXNfaaO6HseRAXT0e27yJwLs61TCv
+OPon53gVrHFYQZ8XFCN+w9EqSsdKJ63bJDDsr+Z5pHXIEH/Pd9XoqbHDbMPGwvDC
+bG3OSX59wyj7q2yitv7hRRPKLe0uuR2PbVQbMSrK40uWBTxPgyij/gYFZP/YS9Cq
+qtoirlk6vGE0TLuYrJKSyMar7s9+thuOgSqFudqRXoHg86c/wbP+8tKFj0XDXLkU
+EeVxU6Rdi91KLJ4jJK+2mFOWfLOyKohMe7cRoeUsUQfk2CGcAdTg2i/m53JUHjLA
+YhapTvVCN/FGsREIJP/lIYKWl/wz62YPCiZo1t3vsfMXMC96LkS8ttmffVjJ1ek5
+cKUyo9uBECQC5ixvlCRvoW1fT/Y+jJKpdxR2+Gi2R+9Qr8gqnoNsoRRormhhHvL0
+vfg4+Syr/IUmwXvzEkA4j4Sk9YG/OE4kDLFn8Sze6A17p6IZ4TGX7rMnQf3P0f6K
+AOa4vpROXOuWz9jJPppetaes+5Sb/g1wQ11v6OL/CJo8djjLC/OS2b2FiaaXSa04
+Xf5uDlZwl2H7hzGannbCLzUeW5Z5XQEywY1lm3qCoTsqmW/IWehxUXZSddS4cZxo
+PYrRt/OS9xLKZfhFXGpFgWVqzp+fyxjSmR91HnXJRATXIupUmnWWj/1H0QsCAwEA
+AQKCAgAn3928CQH+2A+uBXDJwlngYyHF/A4JoHzSITkAsaf3dayhzewHrMaPKP1v
+hVeswcv8becN66uaPs0jctR7LwJrAzevNpvo+XNx0+fxH7CVLhFiOrpX5XMdBv4+
+hIvKLtWZp1XJkHPFmGfFIePB9N91FgtwrSmrSrzFZLKzuDJ0qUQXc2+P76GWj4hI
+yvQfIDR1XDjLJaFfCJCsaQrvv5JpaYIanGXKlqoCpU3GyH3fpcEPyI3nrb4dfp3D
+yKJ4pBxuqWUHPQ2cN4NBnHAunnc2JrFO35HkZw7Nvpc6GwsedjwMzcPyW/ytHvqz
+PhXN/9iuPs0sacC4LzXlppxnIlVSOCoLUpyoe8zXxDJBLsU7d+zDnXZ/1guviHz+
+x4RsEKjlXcvsvnZGAy0pUzOEXIfmWOOSlA7iqkbPNud9nBS4YnOtiZIowLj6893k
+rN1GQ/jw7szBkNh5vjdZT7HAIhlBwyQI3hRJX/h0hdUPNiPW4/j9W94JWcRxk0tO
+vZq7mcTtJ8OFlsNyO12KgFIjT+Gwz7tmNrN+Of98pOt9jRN7hhxY8sQosmW1nePZ
+HuWR52CVShXX/N2d/09hwf48xjYBjF3Mjxc8ySIyERdcWqsWx3j5WaB8rEAAuMcF
+/gY5bb4Oc1MAUtX8aMidvKfVW0Owapj/ApgyOmGbO6YEQCKSIQKCAQEA6hbs2JoD
+8u9sCaabRKNxqnjzXzB7JrR1PKyOjp3Iiku29W1VQ/TMRUpO63LsE3lbv/3RIvi1
+wZN/dFhWC9wOY85iDUci5ZI0QcZA0OIQ/uetrE5/FBOmH9MVIQEXnGHSNPHUWMqk
+EBrykyt+7RMEb7Kldm0V57MesO1FA0y81+UCJP01KZM0D7Nq1Eb6GfNLENah3Fk2
+wHk6g36O1nMAEyjHvS+ht8C0rzNXIqCnkeAuxxAfJde9TYpuW7oCt1JEeh2VAmOO
+7QESq2x0OrPKLCUs00y5k0I9eqvAaQfCC6EcdiX7FyAfX5n5Vf5FbfbWhf9oheno
+CQ0uai4v1uqX2wKCAQEA0e91hlukBO2InB9j+54R3XA0buCr/eQFqJ4sAjgL9GCk
+n09tfytH/nLPw/g/l7snyVmGW3uZfmkOqnTP9Yfbx1dU0pPRN11qM9QG6YH+Odkv
+D+LpRnYRjj7QxQJQbGy+2IZN8cmtpJQziSmQMNZU/YoDpq7wYNVhwnP0Z3ZgUo3d
+GfRPbGw951dOAK0Z6S61+mXSQE9JhZBo49zOrmkgLa1fmLfJoukmz4MTZqoWFffq
++1Q4vdYgRS8ToT2Rmba+7s4UAmVKyACEw8WEyjH3TXxd6tQy/smzcD0Vgg7Ghvg7
+Vs5ion9HcqDEcQ1YWvMDWPD/x4fyVgu4v2QW/k/KkQKCAQBPb04ZxlG2u1YfBEFG
+DmyA26BCWfJAVRY/a5LIhHRLsZu5NsurTsOOc8PKE+pWRWVEBj5Urq8GrCWg9mTk
+i1z6s0sElHIcEvvWog7WkxAPX9DIWq62wmAqBnfyBivb7jnlq3ZSVxlLOcm89RKS
+IlTsDmQlhqjbQiYVBb7Yes7OODD9GktS+1e8SDblJ9ywt6VuZlbwrfltYPXhLy4L
+SWTqG3mEEki/UQ4/MZ3M61VRpBBbjnXzYn0jdekzCTDowmroQWeSMvSKKkYKk7fx
+P5dIWakXXr7OYLj6CpQ1T+OiDJ7a3NKSq1zaFSbN7oXi5dMwD1aJsrEBeU6Zy2iC
+doLnAoIBAQCzC716J7JNmaCHNqZ5NKkb6NRvNCK72LuSwcPa6J4ZgEsmrAFBElLG
+inj0NEdYSwB102qpn1Kb41HkwteSGpqw+qSXLAalZ4BqT4zNnlaKU9a1f9tggtYa
+MSywuXaJ4n0qAfF8I3t7AAKsGsylOkcmLY1LnavZimNkCq0JiIZCIkfOGPWcDP0G
+zwjxvrB4laQSuMCGpJiZ1z3+CJYlXfdZvaHoh+bqkFrPZIUpbCqF9fls/Lmf/n1r
+Q+lD/VSuepOA7DVYjbcnuHmC1nSYVeELLuSSoQQVFUV6lj4/vAZJmnBRapfo6xCu
+jLq9iJowh031jyU2sZVXGYwpf12066xhAoIBADCtIvqwfy9pcqYs8PQMQTbDuz3G
+ZCe3E5SLJ00gk/PBVJihOYvdKgwoZAyWdWxOPDKzBJAaJBgpmpWKeX3k92HgLxyi
+50zKogbCc49mz2c6kRC13SviPAjO1XuM+FKo50AICenauu21/ZeMYuLt9gxnhEo5
+kkIYhD0irfTw5MMEKITAs71iB74Lxm9gv/+jOwsgoP23k562NHnIvPdbDzbR/ROD
+xb/3DsGbB4kmUXoLlWxradiZGczPddki+bMI4meMs8oH+XP14KyGqWC8LSuBDg8Y
+fADibXSIAHobiN+KhDtWz9Wnhtch9C8Q5+JDjixdspcn4lkMdMK532v/FBM=
+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev2/after-2038-certs/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/after-2038-certs/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..40eb84b8a
--- /dev/null
+++ b/testing/tests/ikev2/after-2038-certs/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+}
diff --git a/testing/tests/ikev2/after-2038-certs/posttest.dat b/testing/tests/ikev2/after-2038-certs/posttest.dat
new file mode 100644
index 000000000..94a400606
--- /dev/null
+++ b/testing/tests/ikev2/after-2038-certs/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/after-2038-certs/pretest.dat b/testing/tests/ikev2/after-2038-certs/pretest.dat
new file mode 100644
index 000000000..4921d5097
--- /dev/null
+++ b/testing/tests/ikev2/after-2038-certs/pretest.dat
@@ -0,0 +1,6 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+carol::sleep 1
+carol::ipsec up home
diff --git a/testing/tests/ikev2/after-2038-certs/test.conf b/testing/tests/ikev2/after-2038-certs/test.conf
new file mode 100644
index 000000000..9cd583b16
--- /dev/null
+++ b/testing/tests/ikev2/after-2038-certs/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.d/certs/carolCert-ifuri.pem b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.d/certs/carolCert-ifuri.pem
index 894bf7dbd..f586a9414 100644
--- a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.d/certs/carolCert-ifuri.pem
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.d/certs/carolCert-ifuri.pem
@@ -1,24 +1,24 @@
 -----BEGIN CERTIFICATE-----
-MIID8TCCAtmgAwIBAgIBBDANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJDSDEZ
+MIID+DCCAuCgAwIBAgIBBDANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS
-BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTA3MDQyMDA5MjU1NFoXDTEyMDQxODA5MjU1
-NFowWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP
-BgNVBAsTCFJlc2VhcmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCC
-ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM+oTiV7lCh1ID41edDUgUjR
-dZwEMPBAM1xDqoxJxIJpug8UIuuUL0TvQnZ4Z5fa/9QNNCkQ7FDh8ZcR+TT8x0mO
-dYYA73mMQic0n4O57F+s/lESKvIoN+vIDR3rGJBv9rYztS4ODE+DJl9XK9TtId5u
-57jfXu/k3IYl5GeQ3f+ic2l2Ola70t70Op6cFDZIhOCjs2xWw2yqGdPWODaN/Enw
-5fOLv/om+7HHB4KgPGv4p4ohWIUCo2XK597Ii+jB2MdOUlG83/1aX7+M+IeYVwjI
-hzWjwRQfMz0AQha0HYN4cvrZ7stUluMxewsCROCBzcGQYTZxYU4FjR8nhH4ApYMC
-AwEAAaOByjCBxzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQUi6jZ
-/eq7FoNJDiWP3Mlw9iaZzyIwbQYDVR0jBGYwZIAU53XwoPKtIM3NYCPMx8gPKfPd
-VCChSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2Fu
-MRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3QgQ0GCAQ8wHwYDVR0RBBgwFoEUY2Fy
-b2xAc3Ryb25nc3dhbi5vcmcwDQYJKoZIhvcNAQEFBQADggEBADHYFhLgIo3jrKcw
-bmfkqHLrwI0sHgyJJrEf1hl3cdc16VdKVW+V3qMwumdlMobK20yTRtW90x1ErULS
-RClHlQ5UtDubtQTwjcc6Uc8tOcBdAAH1SQk2xLikxQq19UGFpRRA0VxDXzF5yXnJ
-oM9mJZvgscQZeZPqMEXd3yQclK3Ouap70zE1J8kcyT/yrdkTM3nMbiq8aPytr3Al
-njoW+ToTsDqcTZYWeF3A3tfSZ5+AhlValx1btbcNPZVjjhBx46knOrOFeQLE5f5C
-3XYxVaWPX7hcjfQz/e3T4Rnb8nVQqoCnycUPfYxG/4z7pp/GplS/MEuMNNGDhSsI
-nTjnJgY=
+BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTA5MDMyNDIwMzc0N1oXDTE0MDMyMzIwMzc0
+N1owYTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGDAW
+BgNVBAsTD1Jlc2VhcmNoIG5vIENEUDEdMBsGA1UEAxQUY2Fyb2xAc3Ryb25nc3dh
+bi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDPqE4le5QodSA+
+NXnQ1IFI0XWcBDDwQDNcQ6qMScSCaboPFCLrlC9E70J2eGeX2v/UDTQpEOxQ4fGX
+Efk0/MdJjnWGAO95jEInNJ+DuexfrP5REiryKDfryA0d6xiQb/a2M7UuDgxPgyZf
+VyvU7SHebue4317v5NyGJeRnkN3/onNpdjpWu9Le9DqenBQ2SITgo7NsVsNsqhnT
+1jg2jfxJ8OXzi7/6JvuxxweCoDxr+KeKIViFAqNlyufeyIvowdjHTlJRvN/9Wl+/
+jPiHmFcIyIc1o8EUHzM9AEIWtB2DeHL62e7LVJbjMXsLAkTggc3BkGE2cWFOBY0f
+J4R+AKWDAgMBAAGjgcowgccwCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0O
+BBYEFIuo2f3quxaDSQ4lj9zJcPYmmc8iMG0GA1UdIwRmMGSAFOd18KDyrSDNzWAj
+zMfIDynz3VQgoUmkRzBFMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ry
+b25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBSb290IENBggEPMB8GA1UdEQQY
+MBaBFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMA0GCSqGSIb3DQEBBQUAA4IBAQBiOKAx
+ePEwlga++nOpkfBg6ESag5/VWfnAp1zRpXHXnRak10OTtCPDjmJiDUzlKBwolwJN
+I6T3S7eg+M04E3r5IHn3i+HtQcENkq02YUPiUXS5cvLtzKMPIm8pYCj7/5pXxAek
+nHGRdBZkQiGDz49H9rPKxLdJDTLCXpj4l9uOFgsbiQ3k5SyWq5oMhtZsf4VKqAd+
+77Mbn9pnjjy53wLuzjaMVX+K5KKotPNeSHH/pWh9RqNROmf6F2B0nZhW5Aryxa9/
+24GRkZEPZ+cqhtwgVjq5aImzdSrARJQ1tu6lZqNB5b9klYSAi+al0FrvUFoG58Qt
+eWeiFXLvAtXTGoax
 -----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/ipsec.d/certs/daveCert-ifuri.pem b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/ipsec.d/certs/daveCert-ifuri.pem
index c19c7333a..cae8184f6 100644
--- a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/ipsec.d/certs/daveCert-ifuri.pem
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/ipsec.d/certs/daveCert-ifuri.pem
@@ -1,25 +1,25 @@
 -----BEGIN CERTIFICATE-----
-MIIEJjCCAw6gAwIBAgIBBDANBgkqhkiG9w0BAQUFADBLMQswCQYDVQQGEwJDSDEZ
+MIIELTCCAxWgAwIBAgIBBDANBgkqhkiG9w0BAQUFADBLMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEOMAwGA1UECxMFU2FsZXMxETAPBgNV
-BAMTCFNhbGVzIENBMB4XDTA3MDQyMDA5MzYwMFoXDTEyMDQxODA5MzYwMFowVjEL
-MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsT
-BVNhbGVzMRwwGgYDVQQDFBNkYXZlQHN0cm9uZ3N3YW4ub3JnMIIBIjANBgkqhkiG
-9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyqAR0itGIuSt/RR8IHjFTLH/lywprmHUw0GS
-zZwo/q4AE4v6OeWRG3JUUg44K40yBwr7zvcsLztRTfbNqlt7o+Hjpo3kz0AMwDo+
-1V42Qkh61VJW1P0NQvkgjiQn+ElSMg1u3uiYCIMAhYMYo2ZMKxHXxRqjU79AVuJN
-P3p8wUpfwReImAy3/n685YbSzWcbPqCfjRH/YrnYS8Ga7m/QzdNfrtxhAWAGow1+
-+eTSMvLXSkQeujU6OCJNOPUNB3nnJ1IoZrQm8wNP8Y5B5HzvOSyFEvNuHFc63gSP
-aSRhuz0gubuMpr1d9Rgjny8JgsfCEbOktlKwnbFeSB8AAgVMjwIDAQABo4IBCDCC
-AQQwCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFILLnutR01FvK1SR
-EZgaOaO9d8izMG0GA1UdIwRmMGSAFF+bE0b5IHLIANWItadMLpfqC5MooUmkRzBF
-MQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UE
-AxMSc3Ryb25nU3dhbiBSb290IENBggENMB4GA1UdEQQXMBWBE2RhdmVAc3Ryb25n
-c3dhbi5vcmcwPAYIKwYBBQUHAQEEMDAuMCwGCCsGAQUFBzABhiBodHRwOi8vb2Nz
-cDIuc3Ryb25nc3dhbi5vcmc6ODg4MjANBgkqhkiG9w0BAQUFAAOCAQEAhhebUzkR
-5bllLrfSb0H+Uns0Fw/hfyrvJPjKOcb/otwPZOeGftGYQgihGu3X0Wi6IPX3/I6v
-tAnjYTyMXO68Cm2Zw3ZjjjSupQ3LOtyUhKPehk1EXNI5S1WnpYvEjocaBeT5DBaH
-fjMHL4L32dUcyzU49zbrkFEY7ffka44s3SUf4tEaw5QlBfAnwoij2A/rucokWNeQ
-6KVE9wfYJri6P7ztVTWFsAD6MXRCjzYrS6lOo02w32k2Rpp5SdAWuiwnXLY1BPi9
-U031sS6eh2aRM+u1UKuCGQtUDCMOI6yDv5U2aWQuxYS2uTW05PlWwKAg2atFt7uZ
-P35gzzpJWopPqw==
+BAMTCFNhbGVzIENBMB4XDTA5MDMyNDIxMTA1M1oXDTE0MDMyMzIxMTA1M1owXTEL
+MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFTATBgNVBAsT
+DFNhbGVzIG5vIENEUDEcMBoGA1UEAxQTZGF2ZUBzdHJvbmdzd2FuLm9yZzCCASIw
+DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMqgEdIrRiLkrf0UfCB4xUyx/5cs
+Ka5h1MNBks2cKP6uABOL+jnlkRtyVFIOOCuNMgcK+873LC87UU32zapbe6Ph46aN
+5M9ADMA6PtVeNkJIetVSVtT9DUL5II4kJ/hJUjINbt7omAiDAIWDGKNmTCsR18Ua
+o1O/QFbiTT96fMFKX8EXiJgMt/5+vOWG0s1nGz6gn40R/2K52EvBmu5v0M3TX67c
+YQFgBqMNfvnk0jLy10pEHro1OjgiTTj1DQd55ydSKGa0JvMDT/GOQeR87zkshRLz
+bhxXOt4Ej2kkYbs9ILm7jKa9XfUYI58vCYLHwhGzpLZSsJ2xXkgfAAIFTI8CAwEA
+AaOCAQgwggEEMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSCy57r
+UdNRbytUkRGYGjmjvXfIszBtBgNVHSMEZjBkgBRfmxNG+SByyADViLWnTC6X6guT
+KKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4x
+GzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBDTAeBgNVHREEFzAVgRNkYXZl
+QHN0cm9uZ3N3YW4ub3JnMDwGCCsGAQUFBwEBBDAwLjAsBggrBgEFBQcwAYYgaHR0
+cDovL29jc3AyLnN0cm9uZ3N3YW4ub3JnOjg4ODIwDQYJKoZIhvcNAQEFBQADggEB
+ADn1ow4aGxckB4HsJQf1Z6LFpiCOExqhqcK/+fsFcl/WM3F0F+1TbEWzwFzDj3Yu
+5gH6DQ/c0Fp+WYCKAbZXdYoKHJDSZY0BsoD7Nglc1r+l1wFRv1UGF5DoYZPryHGA
+FkusMTUQMvWRRmN9PsURQ77DsmAtryKi5aDQ/rAiPIJK67bQ0HmvPAynO8IF2Fd9
+GpqFSc0gZni9NQszVUH33nuLlZP1hFC5MDeqhcqgmUL/GZbs7DZYThF4INBryfOg
+xFE73CpyNQHHmfT23TLsrFD5IXCp3z3oMtCtTphwUnCJrEzZ1H7mJ+xSJoJ3MOqd
+mNs1ygehz0a99cPoX1j/iwo=
 -----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/description.txt b/testing/tests/ikev2/rw-eap-aka-id-rsa/description.txt
new file mode 100644
index 000000000..6d886024b
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-aka-id-rsa/description.txt
@@ -0,0 +1,9 @@
+at the outset the gateway authenticates itself to the client by sending an
+IKEv2 <b>RSA signature</b> accompanied by a certificate.
+The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
+<b>carol</b> uses the <i>Extensible Authentication Protocol</i>
+in association with the <i>Authentication and Key Agreement</i> protocol
+(<b>EAP-AKA</b>) to authenticate against the gateway. This protocol is used
+in UMTS, but here a secret from <b>ipsec.secrets</b> is used instead of a USIM/(R)UIM.
+In addition to her IKEv2 identity <b>carol@strongswan.org</b>, roadwarrior <b>carol</b>
+uses the EAP identity <b>carol</b>.
diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/evaltest.dat b/testing/tests/ikev2/rw-eap-aka-id-rsa/evaltest.dat
new file mode 100644
index 000000000..d5cbbdbf7
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-aka-id-rsa/evaltest.dat
@@ -0,0 +1,11 @@
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+moon::cat /var/log/daemon.log::using EAP identity.*carol::YES
+moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon::ipsec statusall::rw-eap.*ESTABLISHED::YES
+carol::ipsec statusall::home.*ESTABLISHED::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+
+
diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..8cffbe3b3
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	authby=eap
+
+conn home
+	left=PH_IP_CAROL
+	leftnexthop=%direct
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	eap_identity=carol
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..44ba3fa25
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol : EAP "Ar3etTnp01qlpOgb"
diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..831d9e663
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink fips-prf eapaka eapidentity updown
+}
diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..b239e7718
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,26 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn rw-eap
+	authby=rsasig
+	eap=aka
+	eap_identity=%identity
+	left=PH_IP_MOON
+	leftsubnet=10.1.0.0/16
+	leftid=@moon.strongswan.org
+	leftcert=moonCert.pem
+	leftfirewall=yes
+	rightid=*@strongswan.org
+	rightsendcert=never
+	right=%any
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..3868b62f4
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,5 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
+
+carol : EAP "Ar3etTnp01qlpOgb"
diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..831d9e663
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink fips-prf eapaka eapidentity updown
+}
diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/posttest.dat b/testing/tests/ikev2/rw-eap-aka-id-rsa/posttest.dat
new file mode 100644
index 000000000..94a400606
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-aka-id-rsa/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/pretest.dat b/testing/tests/ikev2/rw-eap-aka-id-rsa/pretest.dat
new file mode 100644
index 000000000..ed5498bfe
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-aka-id-rsa/pretest.dat
@@ -0,0 +1,7 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+carol::sleep 1
+carol::ipsec up home
+carol::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/test.conf b/testing/tests/ikev2/rw-eap-aka-id-rsa/test.conf
new file mode 100644
index 000000000..2bd21499b
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-aka-id-rsa/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice carol moon"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/rw-eap-aka-identity/description.txt b/testing/tests/ikev2/rw-eap-aka-identity/description.txt
deleted file mode 100644
index e7d2c784a..000000000
--- a/testing/tests/ikev2/rw-eap-aka-identity/description.txt
+++ /dev/null
@@ -1,8 +0,0 @@
-The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
-<b>carol</b> uses the <i>Extensible Authentication Protocol</i>
-in association with the <i>Authentication and Key Agreement</i> protocol
-(<b>EAP-AKA</b>) to authenticate against the gateway. This protocol is used
-in UMTS, but here a secret from <b>ipsec.secrets</b> is used instead of a USIM/(R)UIM.
-In addition to her IKEv2 identity <b>carol@strongswan.org</b>, roadwarrior <b>carol</b>
-uses the EAP identy <b>carol</b>. Gateway <b>moon</b> additionaly uses an <b>RSA signature</b>
-to authenticate itself against <b>carol</b>.
diff --git a/testing/tests/ikev2/rw-eap-aka-identity/evaltest.dat b/testing/tests/ikev2/rw-eap-aka-identity/evaltest.dat
deleted file mode 100644
index 5d0b469bf..000000000
--- a/testing/tests/ikev2/rw-eap-aka-identity/evaltest.dat
+++ /dev/null
@@ -1,11 +0,0 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-moon::cat /var/log/daemon.log::using EAP identity.*carol::YES
-moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon::ipsec statusall::rw-eapaka.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-
-
diff --git a/testing/tests/ikev2/rw-eap-aka-identity/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-aka-identity/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index 8cffbe3b3..000000000
--- a/testing/tests/ikev2/rw-eap-aka-identity/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutostart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-	authby=eap
-
-conn home
-	left=PH_IP_CAROL
-	leftnexthop=%direct
-	leftid=carol@strongswan.org
-	leftfirewall=yes
-	eap_identity=carol
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/ikev2/rw-eap-aka-identity/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-aka-identity/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index 44ba3fa25..000000000
--- a/testing/tests/ikev2/rw-eap-aka-identity/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-carol : EAP "Ar3etTnp01qlpOgb"
diff --git a/testing/tests/ikev2/rw-eap-aka-identity/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-aka-identity/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 831d9e663..000000000
--- a/testing/tests/ikev2/rw-eap-aka-identity/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink fips-prf eapaka eapidentity updown
-}
diff --git a/testing/tests/ikev2/rw-eap-aka-identity/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-aka-identity/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index 350fc48b6..000000000
--- a/testing/tests/ikev2/rw-eap-aka-identity/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,26 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	strictcrlpolicy=no
-	plutostart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-
-conn rw-eapaka
-	authby=rsasig
-	eap=aka
-	eap_identity=%identity
-	left=PH_IP_MOON
-	leftsubnet=10.1.0.0/16
-	leftid=@moon.strongswan.org
-	leftcert=moonCert.pem
-	leftfirewall=yes
-	rightid=*@strongswan.org
-	rightsendcert=never
-	right=%any
-	auto=add
diff --git a/testing/tests/ikev2/rw-eap-aka-identity/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-aka-identity/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index 3868b62f4..000000000
--- a/testing/tests/ikev2/rw-eap-aka-identity/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
-
-carol : EAP "Ar3etTnp01qlpOgb"
diff --git a/testing/tests/ikev2/rw-eap-aka-identity/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-aka-identity/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 831d9e663..000000000
--- a/testing/tests/ikev2/rw-eap-aka-identity/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink fips-prf eapaka eapidentity updown
-}
diff --git a/testing/tests/ikev2/rw-eap-aka-identity/posttest.dat b/testing/tests/ikev2/rw-eap-aka-identity/posttest.dat
deleted file mode 100644
index 94a400606..000000000
--- a/testing/tests/ikev2/rw-eap-aka-identity/posttest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-aka-identity/pretest.dat b/testing/tests/ikev2/rw-eap-aka-identity/pretest.dat
deleted file mode 100644
index ed5498bfe..000000000
--- a/testing/tests/ikev2/rw-eap-aka-identity/pretest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-moon::ipsec start
-carol::ipsec start
-carol::sleep 1
-carol::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-aka-identity/test.conf b/testing/tests/ikev2/rw-eap-aka-identity/test.conf
deleted file mode 100644
index 2bd21499b..000000000
--- a/testing/tests/ikev2/rw-eap-aka-identity/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice carol moon"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/description.txt b/testing/tests/ikev2/rw-eap-md5-id-radius/description.txt
new file mode 100644
index 000000000..a1512ca9e
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/description.txt
@@ -0,0 +1,10 @@
+The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
+At the outset the gateway authenticates itself to the client by sending
+an IKEv2 <b>RSA signature</b> accompanied by a certificate.
+<b>carol</b> then uses the <i>Extensible Authentication Protocol</i>
+in association with an  <i>MD5</i> challenge and response protocol
+(<b>EAP-MD5</b>) to authenticate against the gateway <b>moon</b>.
+In addition to her IKEv2 identity <b>carol@strongswan.org</b>, roadwarrior
+<b>carol</b> uses the EAP identity <b>carol</b>.
+The user password is kept in <b>ipsec.secrets</b> on the client <b>carol</b>
+and the gateway forwards all EAP messages to the RADIUS server <b>alice</b>.
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-md5-id-radius/evaltest.dat
new file mode 100644
index 000000000..6c73054d7
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/evaltest.dat
@@ -0,0 +1,12 @@
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+moon::cat /var/log/daemon.log::using EAP identity .*carol"::YES
+carol::cat /var/log/daemon.log::EAP server requested EAP_MD5 authentication::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon::ipsec statusall::rw-eap.*ESTABLISHED::YES
+carol::ipsec statusall::home.*ESTABLISHED::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+
+
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/clients.conf
new file mode 100644
index 000000000..f4e179aa4
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/clients.conf
@@ -0,0 +1,4 @@
+client PH_IP_MOON1 {
+  secret    = gv6URkSs 
+  shortname = moon
+}
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/eap.conf
new file mode 100644
index 000000000..623f42904
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/eap.conf
@@ -0,0 +1,5 @@
+eap {
+  default_eap_type = md5
+  md5 {
+  }
+}
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/proxy.conf
new file mode 100644
index 000000000..783587b55
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/proxy.conf
@@ -0,0 +1,5 @@
+realm LOCAL {
+  type     = radius
+  authhost = LOCAL
+  accthost = LOCAL
+}
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/radiusd.conf
new file mode 100644
index 000000000..1143a0473
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/radiusd.conf
@@ -0,0 +1,120 @@
+# radiusd.conf	-- FreeRADIUS server configuration file.
+
+prefix = /usr
+exec_prefix = ${prefix}
+sysconfdir = /etc
+localstatedir = /var
+sbindir = ${exec_prefix}/sbin
+logdir = ${localstatedir}/log/radius
+raddbdir = ${sysconfdir}/raddb
+radacctdir = ${logdir}/radacct
+
+#  name of the running server.  See also the "-n" command-line option.
+name = radiusd
+
+#  Location of config and logfiles.
+confdir = ${raddbdir}
+run_dir = ${localstatedir}/run/radiusd
+
+# Should likely be ${localstatedir}/lib/radiusd
+db_dir = ${raddbdir}
+
+# libdir: Where to find the rlm_* modules.
+libdir = ${exec_prefix}/lib
+
+#  pidfile: Where to place the PID of the RADIUS server.
+pidfile = ${run_dir}/${name}.pid
+
+#  max_request_time: The maximum time (in seconds) to handle a request.
+max_request_time = 30
+
+#  cleanup_delay: The time to wait (in seconds) before cleaning up
+cleanup_delay = 5
+
+#  max_requests: The maximum number of requests which the server keeps
+max_requests = 1024
+
+#  listen: Make the server listen on a particular IP address, and send
+listen {
+  type = auth
+  ipaddr = PH_IP_ALICE 
+  port = 0
+}
+
+#  This second "listen" section is for listening on the accounting
+#  port, too.
+#
+listen {
+  type  = acct
+  ipaddr = PH_IP_ALICE 
+  port = 0
+}
+
+#  hostname_lookups: Log the names of clients or just their IP addresses
+hostname_lookups = no
+
+#  Core dumps are a bad thing.  This should only be set to 'yes'
+allow_core_dumps = no
+
+#  Regular expressions
+regular_expressions = yes
+extended_expressions = yes
+
+#  Logging section.  The various "log_*" configuration items
+log {
+  destination = files
+  file = ${logdir}/radius.log
+  syslog_facility = daemon
+  stripped_names = no
+  auth = yes 
+  auth_badpass = yes 
+  auth_goodpass = yes 
+}
+
+#  The program to execute to do concurrency checks.
+checkrad = ${sbindir}/checkrad
+
+#  Security considerations
+security {
+  max_attributes = 200
+  reject_delay = 1
+  status_server = yes
+}
+
+# PROXY CONFIGURATION
+proxy_requests = yes
+$INCLUDE proxy.conf
+
+# CLIENTS CONFIGURATION
+$INCLUDE clients.conf
+
+# THREAD POOL CONFIGURATION
+thread pool {
+  start_servers = 5
+  max_servers = 32
+  min_spare_servers = 3
+  max_spare_servers = 10
+  max_requests_per_server = 0
+}
+
+# MODULE CONFIGURATION
+modules {
+  $INCLUDE ${confdir}/modules/
+  $INCLUDE eap.conf
+  $INCLUDE sql.conf
+  $INCLUDE sql/mysql/counter.conf
+}
+
+# Instantiation
+instantiate {
+  exec
+  expr
+  expiration
+  logintime
+}
+
+# Policies
+$INCLUDE policy.conf
+
+# Include all enabled virtual hosts
+$INCLUDE sites-enabled/
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/sites-available/default
new file mode 100644
index 000000000..9c3702cb7
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/sites-available/default
@@ -0,0 +1,61 @@
+authorize {
+  preprocess
+  chap
+  mschap
+  suffix
+  eap {
+    ok = return
+  }
+  unix
+  files
+  expiration
+  logintime
+  pap
+}
+
+authenticate {
+  Auth-Type PAP {
+    pap
+  }
+  Auth-Type CHAP {
+    chap
+  }
+  Auth-Type MS-CHAP {
+    mschap
+  }
+  unix
+  eap
+}
+
+preacct {
+  preprocess
+  acct_unique
+  suffix
+  files
+}
+
+accounting {
+  detail
+  unix
+  radutmp
+  attr_filter.accounting_response
+}
+
+session {
+  radutmp
+}
+
+post-auth {
+  exec
+  Post-Auth-Type REJECT {
+    attr_filter.access_reject
+  }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+  eap
+}
+
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/users b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/users
new file mode 100644
index 000000000..247b918e3
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/users
@@ -0,0 +1 @@
+carol	Cleartext-Password := "Ar3etTnp"
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..8cffbe3b3
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	authby=eap
+
+conn home
+	left=PH_IP_CAROL
+	leftnexthop=%direct
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	eap_identity=carol
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..23d79cf2e
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol : EAP "Ar3etTnp"
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..b856adc9e
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink fips-prf eapmd5 eapidentity updown
+}
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/init.d/iptables
new file mode 100755
index 000000000..56587b2e8
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/init.d/iptables
@@ -0,0 +1,84 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+	before net
+	need logger
+}
+
+start() {
+	ebegin "Starting firewall"
+
+	# enable IP forwarding
+	echo 1 > /proc/sys/net/ipv4/ip_forward
+	
+	# default policy is DROP
+	/sbin/iptables -P INPUT DROP
+	/sbin/iptables -P OUTPUT DROP
+	/sbin/iptables -P FORWARD DROP
+
+	# allow esp
+	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+	# allow IKE
+	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+	# allow MobIKE
+	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+	# allow crl fetch from winnetou
+	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+	# allow RADIUS protocol with alice
+	iptables -A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+	iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+	# allow ssh
+	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
+	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+	
+			if [ $a == nat ]; then
+				/sbin/iptables -t nat -P PREROUTING ACCEPT
+				/sbin/iptables -t nat -P POSTROUTING ACCEPT
+				/sbin/iptables -t nat -P OUTPUT ACCEPT
+			elif [ $a == mangle ]; then
+				/sbin/iptables -t mangle -P PREROUTING ACCEPT
+				/sbin/iptables -t mangle -P INPUT ACCEPT
+				/sbin/iptables -t mangle -P FORWARD ACCEPT
+				/sbin/iptables -t mangle -P OUTPUT ACCEPT
+				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
+			elif [ $a == filter ]; then
+				/sbin/iptables -t filter -P INPUT ACCEPT
+				/sbin/iptables -t filter -P FORWARD ACCEPT
+				/sbin/iptables -t filter -P OUTPUT ACCEPT
+			fi
+		done
+	eend $?
+}
+
+reload() {
+	ebegin "Flushing firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+		done;
+        eend $?
+	start
+}
+
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..08b920afd
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,26 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn rw-eap
+	authby=rsasig
+	eap=radius
+	eap_identity=%identity
+	left=PH_IP_MOON
+	leftsubnet=10.1.0.0/16
+	leftid=@moon.strongswan.org
+	leftcert=moonCert.pem
+	leftfirewall=yes
+	rightid=*@strongswan.org
+	rightsendcert=never
+	right=%any
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..e86d6aa5c
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..10414b29a
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink fips-prf eapradius eapidentity updown
+  plugins {
+    eap_radius {
+      secret = gv6URkSs 
+      server = PH_IP_ALICE
+    }
+  }
+}
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/posttest.dat b/testing/tests/ikev2/rw-eap-md5-id-radius/posttest.dat
new file mode 100644
index 000000000..920d6a20d
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/posttest.dat
@@ -0,0 +1,5 @@
+moon::ipsec stop
+carol::ipsec stop
+alice::/etc/init.d/radiusd stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/pretest.dat b/testing/tests/ikev2/rw-eap-md5-id-radius/pretest.dat
new file mode 100644
index 000000000..3508e9d8c
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/pretest.dat
@@ -0,0 +1,12 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+alice::cat /etc/raddb/clients.conf
+alice::cat /etc/raddb/eap.conf
+alice::cat /etc/raddb/proxy.conf
+alice::cat /etc/raddb/users
+alice::/etc/init.d/radiusd start 
+moon::ipsec start
+carol::ipsec start
+carol::sleep 1
+carol::ipsec up home
+carol::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/test.conf b/testing/tests/ikev2/rw-eap-md5-id-radius/test.conf
new file mode 100644
index 000000000..2bd21499b
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice carol moon"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/description.txt b/testing/tests/ikev2/rw-eap-md5-radius/description.txt
new file mode 100644
index 000000000..12bdc9fdd
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-radius/description.txt
@@ -0,0 +1,8 @@
+The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
+At the outset the gateway authenticates itself to the client by sending
+an IKEv2 <b>RSA signature</b> accompanied by a certificate.
+<b>carol</b> then uses the <i>Extensible Authentication Protocol</i>
+in association with an  <i>MD5</i> challenge and response protocol
+(<b>EAP-MD5</b>) to authenticate against the gateway <b>moon</b>.
+The user password is kept in <b>ipsec.secrets</b> on the client <b>carol</b>
+and the gateway forwards all EAP messages to the RADIUS server <b>alice</b>.
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-md5-radius/evaltest.dat
new file mode 100644
index 000000000..444362a86
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-radius/evaltest.dat
@@ -0,0 +1,11 @@
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::EAP server requested EAP_MD5 authentication::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon::ipsec statusall::rw-eap.*ESTABLISHED::YES
+carol::ipsec statusall::home.*ESTABLISHED::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+
+
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/clients.conf
new file mode 100644
index 000000000..f4e179aa4
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/clients.conf
@@ -0,0 +1,4 @@
+client PH_IP_MOON1 {
+  secret    = gv6URkSs 
+  shortname = moon
+}
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/eap.conf
new file mode 100644
index 000000000..623f42904
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/eap.conf
@@ -0,0 +1,5 @@
+eap {
+  default_eap_type = md5
+  md5 {
+  }
+}
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/proxy.conf
new file mode 100644
index 000000000..23cba8d11
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/proxy.conf
@@ -0,0 +1,5 @@
+realm strongswan.org {
+  type     = radius
+  authhost = LOCAL
+  accthost = LOCAL
+}
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/radiusd.conf
new file mode 100644
index 000000000..1143a0473
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/radiusd.conf
@@ -0,0 +1,120 @@
+# radiusd.conf	-- FreeRADIUS server configuration file.
+
+prefix = /usr
+exec_prefix = ${prefix}
+sysconfdir = /etc
+localstatedir = /var
+sbindir = ${exec_prefix}/sbin
+logdir = ${localstatedir}/log/radius
+raddbdir = ${sysconfdir}/raddb
+radacctdir = ${logdir}/radacct
+
+#  name of the running server.  See also the "-n" command-line option.
+name = radiusd
+
+#  Location of config and logfiles.
+confdir = ${raddbdir}
+run_dir = ${localstatedir}/run/radiusd
+
+# Should likely be ${localstatedir}/lib/radiusd
+db_dir = ${raddbdir}
+
+# libdir: Where to find the rlm_* modules.
+libdir = ${exec_prefix}/lib
+
+#  pidfile: Where to place the PID of the RADIUS server.
+pidfile = ${run_dir}/${name}.pid
+
+#  max_request_time: The maximum time (in seconds) to handle a request.
+max_request_time = 30
+
+#  cleanup_delay: The time to wait (in seconds) before cleaning up
+cleanup_delay = 5
+
+#  max_requests: The maximum number of requests which the server keeps
+max_requests = 1024
+
+#  listen: Make the server listen on a particular IP address, and send
+listen {
+  type = auth
+  ipaddr = PH_IP_ALICE 
+  port = 0
+}
+
+#  This second "listen" section is for listening on the accounting
+#  port, too.
+#
+listen {
+  type  = acct
+  ipaddr = PH_IP_ALICE 
+  port = 0
+}
+
+#  hostname_lookups: Log the names of clients or just their IP addresses
+hostname_lookups = no
+
+#  Core dumps are a bad thing.  This should only be set to 'yes'
+allow_core_dumps = no
+
+#  Regular expressions
+regular_expressions = yes
+extended_expressions = yes
+
+#  Logging section.  The various "log_*" configuration items
+log {
+  destination = files
+  file = ${logdir}/radius.log
+  syslog_facility = daemon
+  stripped_names = no
+  auth = yes 
+  auth_badpass = yes 
+  auth_goodpass = yes 
+}
+
+#  The program to execute to do concurrency checks.
+checkrad = ${sbindir}/checkrad
+
+#  Security considerations
+security {
+  max_attributes = 200
+  reject_delay = 1
+  status_server = yes
+}
+
+# PROXY CONFIGURATION
+proxy_requests = yes
+$INCLUDE proxy.conf
+
+# CLIENTS CONFIGURATION
+$INCLUDE clients.conf
+
+# THREAD POOL CONFIGURATION
+thread pool {
+  start_servers = 5
+  max_servers = 32
+  min_spare_servers = 3
+  max_spare_servers = 10
+  max_requests_per_server = 0
+}
+
+# MODULE CONFIGURATION
+modules {
+  $INCLUDE ${confdir}/modules/
+  $INCLUDE eap.conf
+  $INCLUDE sql.conf
+  $INCLUDE sql/mysql/counter.conf
+}
+
+# Instantiation
+instantiate {
+  exec
+  expr
+  expiration
+  logintime
+}
+
+# Policies
+$INCLUDE policy.conf
+
+# Include all enabled virtual hosts
+$INCLUDE sites-enabled/
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/sites-available/default
new file mode 100644
index 000000000..9c3702cb7
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/sites-available/default
@@ -0,0 +1,61 @@
+authorize {
+  preprocess
+  chap
+  mschap
+  suffix
+  eap {
+    ok = return
+  }
+  unix
+  files
+  expiration
+  logintime
+  pap
+}
+
+authenticate {
+  Auth-Type PAP {
+    pap
+  }
+  Auth-Type CHAP {
+    chap
+  }
+  Auth-Type MS-CHAP {
+    mschap
+  }
+  unix
+  eap
+}
+
+preacct {
+  preprocess
+  acct_unique
+  suffix
+  files
+}
+
+accounting {
+  detail
+  unix
+  radutmp
+  attr_filter.accounting_response
+}
+
+session {
+  radutmp
+}
+
+post-auth {
+  exec
+  Post-Auth-Type REJECT {
+    attr_filter.access_reject
+  }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+  eap
+}
+
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/users b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/users
new file mode 100644
index 000000000..247b918e3
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/users
@@ -0,0 +1 @@
+carol	Cleartext-Password := "Ar3etTnp"
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..2af93a313
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	authby=eap
+
+conn home
+	left=PH_IP_CAROL
+	leftnexthop=%direct
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..74942afda
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..a53e44f50
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink fips-prf eapmd5 updown
+}
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/init.d/iptables
new file mode 100755
index 000000000..56587b2e8
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/init.d/iptables
@@ -0,0 +1,84 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+	before net
+	need logger
+}
+
+start() {
+	ebegin "Starting firewall"
+
+	# enable IP forwarding
+	echo 1 > /proc/sys/net/ipv4/ip_forward
+	
+	# default policy is DROP
+	/sbin/iptables -P INPUT DROP
+	/sbin/iptables -P OUTPUT DROP
+	/sbin/iptables -P FORWARD DROP
+
+	# allow esp
+	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+	# allow IKE
+	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+	# allow MobIKE
+	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+	# allow crl fetch from winnetou
+	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+	# allow RADIUS protocol with alice
+	iptables -A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+	iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+	# allow ssh
+	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
+	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+	
+			if [ $a == nat ]; then
+				/sbin/iptables -t nat -P PREROUTING ACCEPT
+				/sbin/iptables -t nat -P POSTROUTING ACCEPT
+				/sbin/iptables -t nat -P OUTPUT ACCEPT
+			elif [ $a == mangle ]; then
+				/sbin/iptables -t mangle -P PREROUTING ACCEPT
+				/sbin/iptables -t mangle -P INPUT ACCEPT
+				/sbin/iptables -t mangle -P FORWARD ACCEPT
+				/sbin/iptables -t mangle -P OUTPUT ACCEPT
+				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
+			elif [ $a == filter ]; then
+				/sbin/iptables -t filter -P INPUT ACCEPT
+				/sbin/iptables -t filter -P FORWARD ACCEPT
+				/sbin/iptables -t filter -P OUTPUT ACCEPT
+			fi
+		done
+	eend $?
+}
+
+reload() {
+	ebegin "Flushing firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+		done;
+        eend $?
+	start
+}
+
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..825994278
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn rw-eap
+	authby=rsasig
+	eap=radius
+	left=PH_IP_MOON
+	leftsubnet=10.1.0.0/16
+	leftid=@moon.strongswan.org
+	leftcert=moonCert.pem
+	leftfirewall=yes
+	rightid=*@strongswan.org
+	rightsendcert=never
+	right=%any
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..e86d6aa5c
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..cae56a7f6
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink fips-prf eapradius updown
+  plugins {
+    eap_radius {
+      secret = gv6URkSs 
+      server = PH_IP_ALICE
+    }
+  }
+}
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/posttest.dat b/testing/tests/ikev2/rw-eap-md5-radius/posttest.dat
new file mode 100644
index 000000000..920d6a20d
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-radius/posttest.dat
@@ -0,0 +1,5 @@
+moon::ipsec stop
+carol::ipsec stop
+alice::/etc/init.d/radiusd stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/pretest.dat b/testing/tests/ikev2/rw-eap-md5-radius/pretest.dat
new file mode 100644
index 000000000..3508e9d8c
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-radius/pretest.dat
@@ -0,0 +1,12 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+alice::cat /etc/raddb/clients.conf
+alice::cat /etc/raddb/eap.conf
+alice::cat /etc/raddb/proxy.conf
+alice::cat /etc/raddb/users
+alice::/etc/init.d/radiusd start 
+moon::ipsec start
+carol::ipsec start
+carol::sleep 1
+carol::ipsec up home
+carol::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/test.conf b/testing/tests/ikev2/rw-eap-md5-radius/test.conf
new file mode 100644
index 000000000..2bd21499b
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-radius/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice carol moon"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/evaltest.dat b/testing/tests/ikev2/rw-eap-md5-rsa/evaltest.dat
index 5de841c03..fadcdc635 100644
--- a/testing/tests/ikev2/rw-eap-md5-rsa/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-rsa/evaltest.dat
@@ -1,7 +1,7 @@
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
 moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon::ipsec statusall::rw-eapaka.*ESTABLISHED::YES
+moon::ipsec statusall::rw-eap.*ESTABLISHED::YES
 carol::ipsec statusall::home.*ESTABLISHED::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/ipsec.secrets
index e03e89a0f..74942afda 100644
--- a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/ipsec.secrets
+++ b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/ipsec.secrets
@@ -1,3 +1,3 @@
 # /etc/ipsec.secrets - strongSwan IPsec secrets file
 
-carol@strongswan.org : EAP "Ar3etTnp01qlpOgb"
+carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/ipsec.conf
index 78bc23b4c..7777e914b 100755
--- a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/ipsec.conf
@@ -11,7 +11,7 @@ conn %default
 	keyingtries=1
 	keyexchange=ikev2
 
-conn rw-eapaka
+conn rw-eap
 	authby=rsasig
 	eap=md5
 	left=PH_IP_MOON
diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/ipsec.secrets
index aa3838385..c991683b8 100644
--- a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/ipsec.secrets
+++ b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/ipsec.secrets
@@ -2,4 +2,4 @@
 
 : RSA moonKey.pem
 
-carol@strongswan.org : EAP "Ar3etTnp01qlpOgb"
+carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/description.txt b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/description.txt
new file mode 100644
index 000000000..df7041a97
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/description.txt
@@ -0,0 +1,8 @@
+The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
+<b>carol</b> uses the <i>Extensible Authentication Protocol</i>
+in association with the <i>Microsoft CHAP version 2</i> protocol
+(<b>EAP-MSCHAPV2</b>) to authenticate against the gateway. This protocol is used
+e.g. by the Windows 7 Agile VPN client.
+In addition to her IKEv2 identity <b>PH_IP_CAROL</b>, roadwarrior <b>carol</b>
+uses the EAP identy <b>carol</b>. Gateway <b>moon</b> additionaly uses an <b>RSA signature</b>
+to authenticate itself against <b>carol</b>.
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/evaltest.dat b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/evaltest.dat
new file mode 100644
index 000000000..d8708d122
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/evaltest.dat
@@ -0,0 +1,11 @@
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+moon::cat /var/log/daemon.log::using EAP identity.*carol::YES
+moon::cat /var/log/daemon.log::authentication of 'PH_IP_CAROL' with EAP successful::YES
+moon::ipsec statusall::rw-eap.*ESTABLISHED::YES
+carol::ipsec statusall::home.*ESTABLISHED::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+
+
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..ec09a3375
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	authby=eap
+
+conn home
+	left=PH_IP_CAROL
+	leftnexthop=%direct
+	leftfirewall=yes
+	eap_identity=carol
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..44ba3fa25
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol : EAP "Ar3etTnp01qlpOgb"
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..26ccc84ce
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md4 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink fips-prf eapmschapv2 eapidentity updown
+}
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..57a89966a
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,26 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn rw-eap
+	authby=rsasig
+	eap=mschapv2
+	eap_identity=%identity
+	left=PH_IP_MOON
+	leftsubnet=10.1.0.0/16
+	leftid=@moon.strongswan.org
+	leftcert=moonCert.pem
+	leftfirewall=yes
+	rightid=%any
+	rightsendcert=never
+	right=%any
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..3868b62f4
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,5 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
+
+carol : EAP "Ar3etTnp01qlpOgb"
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..26ccc84ce
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md4 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink fips-prf eapmschapv2 eapidentity updown
+}
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/posttest.dat b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/posttest.dat
new file mode 100644
index 000000000..94a400606
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/pretest.dat b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/pretest.dat
new file mode 100644
index 000000000..ed5498bfe
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/pretest.dat
@@ -0,0 +1,7 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+carol::sleep 1
+carol::ipsec up home
+carol::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/test.conf b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/test.conf
new file mode 100644
index 000000000..2bd21499b
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice carol moon"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-rsa/description.txt b/testing/tests/ikev2/rw-eap-mschapv2-rsa/description.txt
deleted file mode 100644
index df7041a97..000000000
--- a/testing/tests/ikev2/rw-eap-mschapv2-rsa/description.txt
+++ /dev/null
@@ -1,8 +0,0 @@
-The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
-<b>carol</b> uses the <i>Extensible Authentication Protocol</i>
-in association with the <i>Microsoft CHAP version 2</i> protocol
-(<b>EAP-MSCHAPV2</b>) to authenticate against the gateway. This protocol is used
-e.g. by the Windows 7 Agile VPN client.
-In addition to her IKEv2 identity <b>PH_IP_CAROL</b>, roadwarrior <b>carol</b>
-uses the EAP identy <b>carol</b>. Gateway <b>moon</b> additionaly uses an <b>RSA signature</b>
-to authenticate itself against <b>carol</b>.
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-rsa/evaltest.dat b/testing/tests/ikev2/rw-eap-mschapv2-rsa/evaltest.dat
deleted file mode 100644
index d8708d122..000000000
--- a/testing/tests/ikev2/rw-eap-mschapv2-rsa/evaltest.dat
+++ /dev/null
@@ -1,11 +0,0 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-moon::cat /var/log/daemon.log::using EAP identity.*carol::YES
-moon::cat /var/log/daemon.log::authentication of 'PH_IP_CAROL' with EAP successful::YES
-moon::ipsec statusall::rw-eap.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-
-
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-mschapv2-rsa/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index ec09a3375..000000000
--- a/testing/tests/ikev2/rw-eap-mschapv2-rsa/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutostart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-	authby=eap
-
-conn home
-	left=PH_IP_CAROL
-	leftnexthop=%direct
-	leftfirewall=yes
-	eap_identity=carol
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-rsa/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-mschapv2-rsa/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index 44ba3fa25..000000000
--- a/testing/tests/ikev2/rw-eap-mschapv2-rsa/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-carol : EAP "Ar3etTnp01qlpOgb"
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-mschapv2-rsa/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 26ccc84ce..000000000
--- a/testing/tests/ikev2/rw-eap-mschapv2-rsa/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = curl aes des sha1 sha2 md4 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink fips-prf eapmschapv2 eapidentity updown
-}
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-mschapv2-rsa/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index 57a89966a..000000000
--- a/testing/tests/ikev2/rw-eap-mschapv2-rsa/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,26 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	strictcrlpolicy=no
-	plutostart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-
-conn rw-eap
-	authby=rsasig
-	eap=mschapv2
-	eap_identity=%identity
-	left=PH_IP_MOON
-	leftsubnet=10.1.0.0/16
-	leftid=@moon.strongswan.org
-	leftcert=moonCert.pem
-	leftfirewall=yes
-	rightid=%any
-	rightsendcert=never
-	right=%any
-	auto=add
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-rsa/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-mschapv2-rsa/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index 3868b62f4..000000000
--- a/testing/tests/ikev2/rw-eap-mschapv2-rsa/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
-
-carol : EAP "Ar3etTnp01qlpOgb"
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-mschapv2-rsa/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 26ccc84ce..000000000
--- a/testing/tests/ikev2/rw-eap-mschapv2-rsa/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = curl aes des sha1 sha2 md4 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink fips-prf eapmschapv2 eapidentity updown
-}
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-rsa/posttest.dat b/testing/tests/ikev2/rw-eap-mschapv2-rsa/posttest.dat
deleted file mode 100644
index 94a400606..000000000
--- a/testing/tests/ikev2/rw-eap-mschapv2-rsa/posttest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-rsa/pretest.dat b/testing/tests/ikev2/rw-eap-mschapv2-rsa/pretest.dat
deleted file mode 100644
index ed5498bfe..000000000
--- a/testing/tests/ikev2/rw-eap-mschapv2-rsa/pretest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-moon::ipsec start
-carol::ipsec start
-carol::sleep 1
-carol::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-rsa/test.conf b/testing/tests/ikev2/rw-eap-mschapv2-rsa/test.conf
deleted file mode 100644
index 2bd21499b..000000000
--- a/testing/tests/ikev2/rw-eap-mschapv2-rsa/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice carol moon"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/description.txt b/testing/tests/ikev2/rw-eap-sim-id-radius/description.txt
new file mode 100644
index 000000000..887d3f467
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/description.txt
@@ -0,0 +1,13 @@
+The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
+At the outset the gateway authenticates itself to the client by sending
+an IKEv2 <b>RSA signature</b> accompanied by a certificate.
+<b>carol</b> then uses the <i>Extensible Authentication Protocol</i>
+in association with a <i>GSM Subscriber Identity Module</i>
+(<b>EAP-SIM</b>) to authenticate against the gateway <b>moon</b>.
+In this scenario triplets from the file <b>/etc/ipsec.d/triplets.dat</b>
+are used instead of a physical SIM card on the client <b>carol</b> and
+the gateway forwards all EAP messages to the RADIUS server <b>alice</b>
+which also uses static triplets. In addition to her IKEv2 identity
+<b>carol@strongswan.org</b>, roadwarrior <b>carol</b> uses the EAP
+identity <b>232420100000015</b>.
+
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-sim-id-radius/evaltest.dat
new file mode 100644
index 000000000..4e7cbcc4c
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/evaltest.dat
@@ -0,0 +1,12 @@
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+moon::cat /var/log/daemon.log::using EAP identity .*232420100000015::YES
+carol::cat /var/log/daemon.log::EAP server requested EAP_SIM authentication::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon::ipsec statusall::rw-eap.*ESTABLISHED::YES
+carol::ipsec statusall::home.*ESTABLISHED::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+
+
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/clients.conf
new file mode 100644
index 000000000..f4e179aa4
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/clients.conf
@@ -0,0 +1,4 @@
+client PH_IP_MOON1 {
+  secret    = gv6URkSs 
+  shortname = moon
+}
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/eap.conf
new file mode 100644
index 000000000..a2020424e
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/eap.conf
@@ -0,0 +1,5 @@
+eap {
+  default_eap_type = sim 
+  sim {
+  }
+}
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/proxy.conf
new file mode 100644
index 000000000..783587b55
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/proxy.conf
@@ -0,0 +1,5 @@
+realm LOCAL {
+  type     = radius
+  authhost = LOCAL
+  accthost = LOCAL
+}
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/radiusd.conf
new file mode 100644
index 000000000..d77b818fe
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/radiusd.conf
@@ -0,0 +1,123 @@
+# radiusd.conf	-- FreeRADIUS server configuration file.
+
+prefix = /usr
+exec_prefix = ${prefix}
+sysconfdir = /etc
+localstatedir = /var
+sbindir = ${exec_prefix}/sbin
+logdir = ${localstatedir}/log/radius
+raddbdir = ${sysconfdir}/raddb
+radacctdir = ${logdir}/radacct
+
+#  name of the running server.  See also the "-n" command-line option.
+name = radiusd
+
+#  Location of config and logfiles.
+confdir = ${raddbdir}
+run_dir = ${localstatedir}/run/radiusd
+
+# Should likely be ${localstatedir}/lib/radiusd
+db_dir = ${raddbdir}
+
+# libdir: Where to find the rlm_* modules.
+libdir = ${exec_prefix}/lib
+
+#  pidfile: Where to place the PID of the RADIUS server.
+pidfile = ${run_dir}/${name}.pid
+
+#  max_request_time: The maximum time (in seconds) to handle a request.
+max_request_time = 30
+
+#  cleanup_delay: The time to wait (in seconds) before cleaning up
+cleanup_delay = 5
+
+#  max_requests: The maximum number of requests which the server keeps
+max_requests = 1024
+
+#  listen: Make the server listen on a particular IP address, and send
+listen {
+  type = auth
+  ipaddr = PH_IP_ALICE 
+  port = 0
+}
+
+#  This second "listen" section is for listening on the accounting
+#  port, too.
+#
+listen {
+  type  = acct
+  ipaddr = PH_IP_ALICE 
+  port = 0
+}
+
+#  hostname_lookups: Log the names of clients or just their IP addresses
+hostname_lookups = no
+
+#  Core dumps are a bad thing.  This should only be set to 'yes'
+allow_core_dumps = no
+
+#  Regular expressions
+regular_expressions = yes
+extended_expressions = yes
+
+#  Logging section.  The various "log_*" configuration items
+log {
+  destination = files
+  file = ${logdir}/radius.log
+  syslog_facility = daemon
+  stripped_names = no
+  auth = yes 
+  auth_badpass = yes 
+  auth_goodpass = yes 
+}
+
+#  The program to execute to do concurrency checks.
+checkrad = ${sbindir}/checkrad
+
+#  Security considerations
+security {
+  max_attributes = 200
+  reject_delay = 1
+  status_server = yes
+}
+
+# PROXY CONFIGURATION
+proxy_requests = yes
+$INCLUDE proxy.conf
+
+# CLIENTS CONFIGURATION
+$INCLUDE clients.conf
+
+# THREAD POOL CONFIGURATION
+thread pool {
+  start_servers = 5
+  max_servers = 32
+  min_spare_servers = 3
+  max_spare_servers = 10
+  max_requests_per_server = 0
+}
+
+# MODULE CONFIGURATION
+modules {
+  $INCLUDE ${confdir}/modules/
+  $INCLUDE eap.conf
+  $INCLUDE sql.conf
+  $INCLUDE sql/mysql/counter.conf
+  sim_files {
+    simtriplets = "/etc/raddb/triplets.dat"
+  }
+}
+
+# Instantiation
+instantiate {
+  exec
+  expr
+  expiration
+  logintime
+}
+
+# Policies
+$INCLUDE policy.conf
+
+# Include all enabled virtual hosts
+$INCLUDE sites-enabled/
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/sites-available/default
new file mode 100644
index 000000000..dfceb037d
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/sites-available/default
@@ -0,0 +1,62 @@
+authorize {
+  preprocess
+  chap
+  mschap
+  sim_files
+  suffix
+  eap {
+    ok = return
+  }
+  unix
+  files
+  expiration
+  logintime
+  pap
+}
+
+authenticate {
+  Auth-Type PAP {
+    pap
+  }
+  Auth-Type CHAP {
+    chap
+  }
+  Auth-Type MS-CHAP {
+    mschap
+  }
+  unix
+  eap
+}
+
+preacct {
+  preprocess
+  acct_unique
+  suffix
+  files
+}
+
+accounting {
+  detail
+  unix
+  radutmp
+  attr_filter.accounting_response
+}
+
+session {
+  radutmp
+}
+
+post-auth {
+  exec
+  Post-Auth-Type REJECT {
+    attr_filter.access_reject
+  }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+  eap
+}
+
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/triplets.dat b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/triplets.dat
new file mode 100644
index 000000000..2a750029f
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/triplets.dat
@@ -0,0 +1,3 @@
+232420100000015,30000000000000000000000000000000,30112233,305566778899AABB
+232420100000015,31000000000000000000000000000000,31112233,315566778899AABB
+232420100000015,32000000000000000000000000000000,32112233,325566778899AABB
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/users b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/users
new file mode 100644
index 000000000..e69de29bb
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..404589348
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	authby=eap
+
+conn home
+	left=PH_IP_CAROL
+	leftnexthop=%direct
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	eap_identity=232420100000015
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.d/triplets.dat b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.d/triplets.dat
new file mode 100644
index 000000000..2a750029f
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.d/triplets.dat
@@ -0,0 +1,3 @@
+232420100000015,30000000000000000000000000000000,30112233,305566778899AABB
+232420100000015,31000000000000000000000000000000,31112233,315566778899AABB
+232420100000015,32000000000000000000000000000000,32112233,325566778899AABB
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..ddd495699
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..cc451fc8d
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink fips-prf eapsim eapsim-file eapidentity updown
+}
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/init.d/iptables
new file mode 100755
index 000000000..56587b2e8
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/init.d/iptables
@@ -0,0 +1,84 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+	before net
+	need logger
+}
+
+start() {
+	ebegin "Starting firewall"
+
+	# enable IP forwarding
+	echo 1 > /proc/sys/net/ipv4/ip_forward
+	
+	# default policy is DROP
+	/sbin/iptables -P INPUT DROP
+	/sbin/iptables -P OUTPUT DROP
+	/sbin/iptables -P FORWARD DROP
+
+	# allow esp
+	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+	# allow IKE
+	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+	# allow MobIKE
+	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+	# allow crl fetch from winnetou
+	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+	# allow RADIUS protocol with alice
+	iptables -A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+	iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+	# allow ssh
+	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
+	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+	
+			if [ $a == nat ]; then
+				/sbin/iptables -t nat -P PREROUTING ACCEPT
+				/sbin/iptables -t nat -P POSTROUTING ACCEPT
+				/sbin/iptables -t nat -P OUTPUT ACCEPT
+			elif [ $a == mangle ]; then
+				/sbin/iptables -t mangle -P PREROUTING ACCEPT
+				/sbin/iptables -t mangle -P INPUT ACCEPT
+				/sbin/iptables -t mangle -P FORWARD ACCEPT
+				/sbin/iptables -t mangle -P OUTPUT ACCEPT
+				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
+			elif [ $a == filter ]; then
+				/sbin/iptables -t filter -P INPUT ACCEPT
+				/sbin/iptables -t filter -P FORWARD ACCEPT
+				/sbin/iptables -t filter -P OUTPUT ACCEPT
+			fi
+		done
+	eend $?
+}
+
+reload() {
+	ebegin "Flushing firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+		done;
+        eend $?
+	start
+}
+
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..08b920afd
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,26 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn rw-eap
+	authby=rsasig
+	eap=radius
+	eap_identity=%identity
+	left=PH_IP_MOON
+	leftsubnet=10.1.0.0/16
+	leftid=@moon.strongswan.org
+	leftcert=moonCert.pem
+	leftfirewall=yes
+	rightid=*@strongswan.org
+	rightsendcert=never
+	right=%any
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..e86d6aa5c
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..10414b29a
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink fips-prf eapradius eapidentity updown
+  plugins {
+    eap_radius {
+      secret = gv6URkSs 
+      server = PH_IP_ALICE
+    }
+  }
+}
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/posttest.dat b/testing/tests/ikev2/rw-eap-sim-id-radius/posttest.dat
new file mode 100644
index 000000000..920d6a20d
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/posttest.dat
@@ -0,0 +1,5 @@
+moon::ipsec stop
+carol::ipsec stop
+alice::/etc/init.d/radiusd stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/pretest.dat b/testing/tests/ikev2/rw-eap-sim-id-radius/pretest.dat
new file mode 100644
index 000000000..0a9f41856
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/pretest.dat
@@ -0,0 +1,12 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+alice::cat /etc/raddb/clients.conf
+alice::cat /etc/raddb/eap.conf
+alice::cat /etc/raddb/proxy.conf
+alice::cat /etc/raddb/triplets.dat
+alice::/etc/init.d/radiusd start
+moon::ipsec start
+carol::ipsec start
+carol::sleep 1
+carol::ipsec up home
+carol::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/test.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/test.conf
new file mode 100644
index 000000000..2bd21499b
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice carol moon"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/description.txt b/testing/tests/ikev2/rw-eap-sim-radius/description.txt
new file mode 100644
index 000000000..6c3c71987
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-radius/description.txt
@@ -0,0 +1,14 @@
+The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
+At the outset the gateway authenticates itself to the client by sending
+an IKEv2 <b>RSA signature</b> accompanied by a certificate.
+<b>carol</b> then uses the <i>Extensible Authentication Protocol</i>
+in association with a <i>GSM Subscriber Identity Module</i>
+(<b>EAP-SIM</b>) to authenticate against the gateway <b>moon</b>.
+In this scenario, triplets from the file <b>/etc/ipsec.d/triplets.dat</b>
+are used instead of a physical SIM card on the client <b>carol</b>.
+The gateway forwards all EAP messages to the RADIUS server <b>alice</b>
+which also uses a static triplets file.
+<p>
+The roadwarrior <b>dave</b> sends wrong EAP-SIM triplets. As a consequence
+the radius server <b>alice</b> returns an <b>Access-Reject</b> message
+and the gateway <b>moon</b> sends back an <b>EAP_FAILURE</b>. 	
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat
new file mode 100644
index 000000000..cd4b43cca
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat
@@ -0,0 +1,15 @@
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::EAP server requested EAP_SIM authentication::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon::ipsec statusall::rw-eap.*ESTABLISHED.*carol@strongswan.org::YES
+carol::ipsec statusall::home.*ESTABLISHED::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::cat /var/log/daemon.log::received Access-Reject from RADIUS server::YES
+moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP failed::YES
+moon::ipsec statusall::rw-eap.*ESTABLISHED.*dave@strongswan.org::NO
+dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
+dave::ipsec statusall::home.*ESTABLISHED::NO
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/clients.conf
new file mode 100644
index 000000000..f4e179aa4
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/clients.conf
@@ -0,0 +1,4 @@
+client PH_IP_MOON1 {
+  secret    = gv6URkSs 
+  shortname = moon
+}
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/eap.conf
new file mode 100644
index 000000000..a2020424e
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/eap.conf
@@ -0,0 +1,5 @@
+eap {
+  default_eap_type = sim 
+  sim {
+  }
+}
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/proxy.conf
new file mode 100644
index 000000000..23cba8d11
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/proxy.conf
@@ -0,0 +1,5 @@
+realm strongswan.org {
+  type     = radius
+  authhost = LOCAL
+  accthost = LOCAL
+}
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/radiusd.conf
new file mode 100644
index 000000000..d77b818fe
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/radiusd.conf
@@ -0,0 +1,123 @@
+# radiusd.conf	-- FreeRADIUS server configuration file.
+
+prefix = /usr
+exec_prefix = ${prefix}
+sysconfdir = /etc
+localstatedir = /var
+sbindir = ${exec_prefix}/sbin
+logdir = ${localstatedir}/log/radius
+raddbdir = ${sysconfdir}/raddb
+radacctdir = ${logdir}/radacct
+
+#  name of the running server.  See also the "-n" command-line option.
+name = radiusd
+
+#  Location of config and logfiles.
+confdir = ${raddbdir}
+run_dir = ${localstatedir}/run/radiusd
+
+# Should likely be ${localstatedir}/lib/radiusd
+db_dir = ${raddbdir}
+
+# libdir: Where to find the rlm_* modules.
+libdir = ${exec_prefix}/lib
+
+#  pidfile: Where to place the PID of the RADIUS server.
+pidfile = ${run_dir}/${name}.pid
+
+#  max_request_time: The maximum time (in seconds) to handle a request.
+max_request_time = 30
+
+#  cleanup_delay: The time to wait (in seconds) before cleaning up
+cleanup_delay = 5
+
+#  max_requests: The maximum number of requests which the server keeps
+max_requests = 1024
+
+#  listen: Make the server listen on a particular IP address, and send
+listen {
+  type = auth
+  ipaddr = PH_IP_ALICE 
+  port = 0
+}
+
+#  This second "listen" section is for listening on the accounting
+#  port, too.
+#
+listen {
+  type  = acct
+  ipaddr = PH_IP_ALICE 
+  port = 0
+}
+
+#  hostname_lookups: Log the names of clients or just their IP addresses
+hostname_lookups = no
+
+#  Core dumps are a bad thing.  This should only be set to 'yes'
+allow_core_dumps = no
+
+#  Regular expressions
+regular_expressions = yes
+extended_expressions = yes
+
+#  Logging section.  The various "log_*" configuration items
+log {
+  destination = files
+  file = ${logdir}/radius.log
+  syslog_facility = daemon
+  stripped_names = no
+  auth = yes 
+  auth_badpass = yes 
+  auth_goodpass = yes 
+}
+
+#  The program to execute to do concurrency checks.
+checkrad = ${sbindir}/checkrad
+
+#  Security considerations
+security {
+  max_attributes = 200
+  reject_delay = 1
+  status_server = yes
+}
+
+# PROXY CONFIGURATION
+proxy_requests = yes
+$INCLUDE proxy.conf
+
+# CLIENTS CONFIGURATION
+$INCLUDE clients.conf
+
+# THREAD POOL CONFIGURATION
+thread pool {
+  start_servers = 5
+  max_servers = 32
+  min_spare_servers = 3
+  max_spare_servers = 10
+  max_requests_per_server = 0
+}
+
+# MODULE CONFIGURATION
+modules {
+  $INCLUDE ${confdir}/modules/
+  $INCLUDE eap.conf
+  $INCLUDE sql.conf
+  $INCLUDE sql/mysql/counter.conf
+  sim_files {
+    simtriplets = "/etc/raddb/triplets.dat"
+  }
+}
+
+# Instantiation
+instantiate {
+  exec
+  expr
+  expiration
+  logintime
+}
+
+# Policies
+$INCLUDE policy.conf
+
+# Include all enabled virtual hosts
+$INCLUDE sites-enabled/
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/sites-available/default
new file mode 100644
index 000000000..dfceb037d
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/sites-available/default
@@ -0,0 +1,62 @@
+authorize {
+  preprocess
+  chap
+  mschap
+  sim_files
+  suffix
+  eap {
+    ok = return
+  }
+  unix
+  files
+  expiration
+  logintime
+  pap
+}
+
+authenticate {
+  Auth-Type PAP {
+    pap
+  }
+  Auth-Type CHAP {
+    chap
+  }
+  Auth-Type MS-CHAP {
+    mschap
+  }
+  unix
+  eap
+}
+
+preacct {
+  preprocess
+  acct_unique
+  suffix
+  files
+}
+
+accounting {
+  detail
+  unix
+  radutmp
+  attr_filter.accounting_response
+}
+
+session {
+  radutmp
+}
+
+post-auth {
+  exec
+  Post-Auth-Type REJECT {
+    attr_filter.access_reject
+  }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+  eap
+}
+
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/triplets.dat b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/triplets.dat
new file mode 100644
index 000000000..fd0eb19b9
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/triplets.dat
@@ -0,0 +1,7 @@
+carol@strongswan.org,30000000000000000000000000000000,30112233,305566778899AABB
+carol@strongswan.org,31000000000000000000000000000000,31112233,315566778899AABB
+carol@strongswan.org,32000000000000000000000000000000,32112233,325566778899AABB
+dave@strongswan.org,33000000000000000000000000000000,33112233,335566778899AABB
+dave@strongswan.org,34000000000000000000000000000000,34112233,345566778899AABB
+dave@strongswan.org,35000000000000000000000000000000,35112233,355566778899AABB
+
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/users b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/users
new file mode 100644
index 000000000..e69de29bb
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-sim-radius/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..4f0d40b3e
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	authby=eap
+
+conn home
+	left=PH_IP_CAROL
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/carol/etc/ipsec.d/triplets.dat b/testing/tests/ikev2/rw-eap-sim-radius/hosts/carol/etc/ipsec.d/triplets.dat
new file mode 100644
index 000000000..83906807f
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/carol/etc/ipsec.d/triplets.dat
@@ -0,0 +1,3 @@
+carol@strongswan.org,30000000000000000000000000000000,30112233,305566778899AABB
+carol@strongswan.org,31000000000000000000000000000000,31112233,315566778899AABB
+carol@strongswan.org,32000000000000000000000000000000,32112233,325566778899AABB
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-sim-radius/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..ddd495699
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-radius/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..e2388268c
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink fips-prf eapsim eapsim-file updown
+}
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..511eb6172
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	authby=eap
+
+conn home
+	left=PH_IP_DAVE
+	leftid=dave@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/ipsec.d/triplets.dat b/testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/ipsec.d/triplets.dat
new file mode 100644
index 000000000..a02a42c0d
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/ipsec.d/triplets.dat
@@ -0,0 +1,3 @@
+dave@strongswan.org,33000000000000000000000000000000,33112244,335566778899AABB
+dave@strongswan.org,34000000000000000000000000000000,34112244,345566778899AABB
+dave@strongswan.org,35000000000000000000000000000000,35112244,355566778899AABB
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..ddd495699
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..e2388268c
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink fips-prf eapsim eapsim-file updown
+}
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/init.d/iptables
new file mode 100755
index 000000000..56587b2e8
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/init.d/iptables
@@ -0,0 +1,84 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+	before net
+	need logger
+}
+
+start() {
+	ebegin "Starting firewall"
+
+	# enable IP forwarding
+	echo 1 > /proc/sys/net/ipv4/ip_forward
+	
+	# default policy is DROP
+	/sbin/iptables -P INPUT DROP
+	/sbin/iptables -P OUTPUT DROP
+	/sbin/iptables -P FORWARD DROP
+
+	# allow esp
+	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+	# allow IKE
+	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+	# allow MobIKE
+	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+	# allow crl fetch from winnetou
+	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+	# allow RADIUS protocol with alice
+	iptables -A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+	iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+	# allow ssh
+	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
+	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+	
+			if [ $a == nat ]; then
+				/sbin/iptables -t nat -P PREROUTING ACCEPT
+				/sbin/iptables -t nat -P POSTROUTING ACCEPT
+				/sbin/iptables -t nat -P OUTPUT ACCEPT
+			elif [ $a == mangle ]; then
+				/sbin/iptables -t mangle -P PREROUTING ACCEPT
+				/sbin/iptables -t mangle -P INPUT ACCEPT
+				/sbin/iptables -t mangle -P FORWARD ACCEPT
+				/sbin/iptables -t mangle -P OUTPUT ACCEPT
+				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
+			elif [ $a == filter ]; then
+				/sbin/iptables -t filter -P INPUT ACCEPT
+				/sbin/iptables -t filter -P FORWARD ACCEPT
+				/sbin/iptables -t filter -P OUTPUT ACCEPT
+			fi
+		done
+	eend $?
+}
+
+reload() {
+	ebegin "Flushing firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+		done;
+        eend $?
+	start
+}
+
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..825994278
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn rw-eap
+	authby=rsasig
+	eap=radius
+	left=PH_IP_MOON
+	leftsubnet=10.1.0.0/16
+	leftid=@moon.strongswan.org
+	leftcert=moonCert.pem
+	leftfirewall=yes
+	rightid=*@strongswan.org
+	rightsendcert=never
+	right=%any
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..e86d6aa5c
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..cae56a7f6
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink fips-prf eapradius updown
+  plugins {
+    eap_radius {
+      secret = gv6URkSs 
+      server = PH_IP_ALICE
+    }
+  }
+}
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/posttest.dat b/testing/tests/ikev2/rw-eap-sim-radius/posttest.dat
new file mode 100644
index 000000000..dbe56013a
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-radius/posttest.dat
@@ -0,0 +1,7 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+alice::/etc/init.d/radiusd stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/pretest.dat b/testing/tests/ikev2/rw-eap-sim-radius/pretest.dat
new file mode 100644
index 000000000..b3fd4cbf1
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-radius/pretest.dat
@@ -0,0 +1,15 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+alice::cat /etc/raddb/clients.conf
+alice::cat /etc/raddb/eap.conf
+alice::cat /etc/raddb/proxy.conf
+alice::cat /etc/raddb/triplets.dat
+alice::/etc/init.d/radiusd start
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
+dave::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/test.conf b/testing/tests/ikev2/rw-eap-sim-radius/test.conf
new file mode 100644
index 000000000..70416826e
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-radius/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
-- 
cgit v1.2.3


From 41787e147279ff0695e9d759487266a60b80867b Mon Sep 17 00:00:00 2001
From: Rene Mayrhofer <rene@mayrhofer.eu.org>
Date: Tue, 23 Jun 2009 11:25:24 +0000
Subject: [svn-upgrade] Integrating new upstream version, strongswan (4.3.2)

---
 Makefile.am                                        |     4 +-
 Makefile.in                                        |    25 +-
 NEWS                                               |    93 +
 README                                             |    14 +-
 aclocal.m4                                         |   382 +-
 configure                                          | 12574 ++++++++++---------
 configure.in                                       |   283 +-
 ltmain.sh                                          |   782 +-
 scripts/Makefile.am                                |    11 +-
 scripts/Makefile.in                                |    54 +-
 scripts/dh_speed.c                                 |   129 +
 scripts/id2sql.c                                   |     2 +-
 scripts/key2keyid.c                                |     2 +
 scripts/keyid2sql.c                                |     4 +
 scripts/pubkey_speed.c                             |   148 +
 src/Makefile.am                                    |    12 +-
 src/Makefile.in                                    |    31 +-
 src/_copyright/Makefile.am                         |     7 +-
 src/_copyright/Makefile.in                         |    31 +-
 src/_copyright/_copyright.8                        |     3 -
 src/_copyright/_copyright.c                        |     5 +-
 src/_updown/Makefile.am                            |     2 +-
 src/_updown/Makefile.in                            |    21 +-
 src/_updown/_updown.8                              |     3 -
 src/_updown/_updown.in                             |    21 +-
 src/_updown_espmark/Makefile.in                    |    19 +-
 src/_updown_espmark/_updown_espmark                |    21 +-
 src/_updown_espmark/_updown_espmark.8              |     3 -
 src/charon/Makefile.am                             |    30 +-
 src/charon/Makefile.in                             |   286 +-
 src/charon/bus/bus.c                               |    42 +-
 src/charon/bus/bus.h                               |    28 +-
 src/charon/bus/listeners/file_logger.c             |     2 -
 src/charon/bus/listeners/file_logger.h             |     2 -
 src/charon/bus/listeners/sys_logger.c              |     2 -
 src/charon/bus/listeners/sys_logger.h              |     2 -
 src/charon/config/attributes/attribute_handler.h   |    58 +
 src/charon/config/attributes/attribute_manager.c   |   120 +-
 src/charon/config/attributes/attribute_manager.h   |    74 +-
 src/charon/config/attributes/attribute_provider.h  |    16 +-
 src/charon/config/auth_cfg.c                       |   768 ++
 src/charon/config/auth_cfg.h                       |   201 +
 src/charon/config/backend.h                        |    18 +-
 src/charon/config/backend_manager.c                |   314 +-
 src/charon/config/backend_manager.h                |    32 +-
 src/charon/config/child_cfg.c                      |     2 -
 src/charon/config/child_cfg.h                      |     2 -
 src/charon/config/ike_cfg.c                        |     2 -
 src/charon/config/ike_cfg.h                        |     2 -
 src/charon/config/peer_cfg.c                       |   194 +-
 src/charon/config/peer_cfg.h                       |    78 +-
 src/charon/config/proposal.c                       |   251 +-
 src/charon/config/proposal.h                       |    23 +-
 src/charon/config/traffic_selector.c               |     2 -
 src/charon/config/traffic_selector.h               |     2 -
 src/charon/control/controller.c                    |   128 +-
 src/charon/control/controller.h                    |    34 -
 src/charon/credentials/auth_info.c                 |   607 -
 src/charon/credentials/auth_info.h                 |   198 -
 src/charon/credentials/credential_manager.c        |   176 +-
 src/charon/credentials/credential_manager.h        |    18 +-
 src/charon/credentials/credential_set.h            |     2 -
 src/charon/credentials/sets/auth_cfg_wrapper.c     |   223 +
 src/charon/credentials/sets/auth_cfg_wrapper.h     |    53 +
 src/charon/credentials/sets/auth_info_wrapper.c    |   216 -
 src/charon/credentials/sets/auth_info_wrapper.h    |    55 -
 src/charon/credentials/sets/cert_cache.c           |     2 -
 src/charon/credentials/sets/cert_cache.h           |     2 -
 .../credentials/sets/ocsp_response_wrapper.c       |     2 -
 .../credentials/sets/ocsp_response_wrapper.h       |     2 -
 src/charon/daemon.c                                |    74 +-
 src/charon/daemon.h                                |    12 +-
 src/charon/encoding/generator.c                    |   444 +-
 src/charon/encoding/generator.h                    |     8 +-
 src/charon/encoding/message.c                      |   132 +-
 src/charon/encoding/message.h                      |    21 +-
 src/charon/encoding/parser.c                       |   479 +-
 src/charon/encoding/parser.h                       |     2 -
 src/charon/encoding/payloads/auth_payload.c        |     2 -
 src/charon/encoding/payloads/auth_payload.h        |     2 -
 src/charon/encoding/payloads/cert_payload.c        |     2 -
 src/charon/encoding/payloads/cert_payload.h        |     2 -
 src/charon/encoding/payloads/certreq_payload.c     |     2 -
 src/charon/encoding/payloads/certreq_payload.h     |     2 -
 .../encoding/payloads/configuration_attribute.c    |     2 -
 .../encoding/payloads/configuration_attribute.h    |     2 -
 src/charon/encoding/payloads/cp_payload.c          |     2 -
 src/charon/encoding/payloads/cp_payload.h          |     2 -
 src/charon/encoding/payloads/delete_payload.c      |     2 -
 src/charon/encoding/payloads/delete_payload.h      |     2 -
 src/charon/encoding/payloads/eap_payload.c         |     2 -
 src/charon/encoding/payloads/eap_payload.h         |     2 -
 src/charon/encoding/payloads/encodings.c           |     3 -
 src/charon/encoding/payloads/encodings.h           |    15 -
 src/charon/encoding/payloads/encryption_payload.c  |     2 -
 src/charon/encoding/payloads/encryption_payload.h  |     2 -
 src/charon/encoding/payloads/endpoint_notify.c     |     2 -
 src/charon/encoding/payloads/endpoint_notify.h     |     2 -
 src/charon/encoding/payloads/id_payload.c          |     2 -
 src/charon/encoding/payloads/id_payload.h          |     2 -
 src/charon/encoding/payloads/ike_header.c          |     2 -
 src/charon/encoding/payloads/ike_header.h          |     2 -
 src/charon/encoding/payloads/ke_payload.c          |     2 -
 src/charon/encoding/payloads/ke_payload.h          |     2 -
 src/charon/encoding/payloads/nonce_payload.c       |     2 -
 src/charon/encoding/payloads/nonce_payload.h       |     2 -
 src/charon/encoding/payloads/notify_payload.c      |     2 -
 src/charon/encoding/payloads/notify_payload.h      |     2 -
 src/charon/encoding/payloads/payload.c             |     2 -
 src/charon/encoding/payloads/payload.h             |     2 -
 .../encoding/payloads/proposal_substructure.c      |     2 -
 .../encoding/payloads/proposal_substructure.h      |     2 -
 src/charon/encoding/payloads/sa_payload.c          |     2 -
 src/charon/encoding/payloads/sa_payload.h          |     2 -
 .../payloads/traffic_selector_substructure.c       |     2 -
 .../payloads/traffic_selector_substructure.h       |     2 -
 src/charon/encoding/payloads/transform_attribute.c |     6 +-
 src/charon/encoding/payloads/transform_attribute.h |     2 -
 .../encoding/payloads/transform_substructure.c     |    36 +-
 .../encoding/payloads/transform_substructure.h     |     2 -
 src/charon/encoding/payloads/ts_payload.c          |     2 -
 src/charon/encoding/payloads/ts_payload.h          |     2 -
 src/charon/encoding/payloads/unknown_payload.c     |     2 -
 src/charon/encoding/payloads/unknown_payload.h     |     2 -
 src/charon/encoding/payloads/vendor_id_payload.c   |     2 -
 src/charon/encoding/payloads/vendor_id_payload.h   |     2 -
 src/charon/kernel/kernel_interface.c               |   154 +-
 src/charon/kernel/kernel_interface.h               |    12 +-
 src/charon/kernel/kernel_ipsec.c                   |     2 -
 src/charon/kernel/kernel_ipsec.h                   |    17 +-
 src/charon/kernel/kernel_net.h                     |     2 -
 src/charon/network/packet.c                        |     2 -
 src/charon/network/packet.h                        |     2 -
 src/charon/network/receiver.c                      |   100 +-
 src/charon/network/receiver.h                      |     2 -
 src/charon/network/sender.c                        |     2 -
 src/charon/network/sender.h                        |     2 -
 src/charon/network/socket-raw.c                    |     4 +-
 src/charon/network/socket.c                        |   151 +-
 src/charon/network/socket.h                        |     2 -
 src/charon/plugins/attr/Makefile.am                |     9 +
 src/charon/plugins/attr/Makefile.in                |   507 +
 src/charon/plugins/attr/attr_plugin.c              |    63 +
 src/charon/plugins/attr/attr_plugin.h              |    47 +
 src/charon/plugins/attr/attr_provider.c            |   154 +
 src/charon/plugins/attr/attr_provider.h            |    49 +
 src/charon/plugins/eap_aka/Makefile.in             |    17 +-
 src/charon/plugins/eap_aka/eap_aka.c               |     6 +-
 src/charon/plugins/eap_aka/eap_aka.h               |     2 -
 src/charon/plugins/eap_aka/eap_aka_plugin.c        |     2 -
 src/charon/plugins/eap_aka/eap_aka_plugin.h        |     2 -
 src/charon/plugins/eap_gtc/Makefile.in             |    17 +-
 src/charon/plugins/eap_gtc/eap_gtc.c               |     4 +-
 src/charon/plugins/eap_gtc/eap_gtc.h               |     2 -
 src/charon/plugins/eap_gtc/eap_gtc_plugin.c        |     2 -
 src/charon/plugins/eap_gtc/eap_gtc_plugin.h        |     2 -
 src/charon/plugins/eap_identity/Makefile.in        |    17 +-
 src/charon/plugins/eap_identity/eap_identity.c     |     2 -
 src/charon/plugins/eap_identity/eap_identity.h     |     2 -
 .../plugins/eap_identity/eap_identity_plugin.c     |     2 -
 .../plugins/eap_identity/eap_identity_plugin.h     |     2 -
 src/charon/plugins/eap_md5/Makefile.in             |    17 +-
 src/charon/plugins/eap_md5/eap_md5.c               |     4 +-
 src/charon/plugins/eap_md5/eap_md5.h               |     2 -
 src/charon/plugins/eap_md5/eap_md5_plugin.c        |     2 -
 src/charon/plugins/eap_md5/eap_md5_plugin.h        |     2 -
 src/charon/plugins/eap_mschapv2/Makefile.in        |    17 +-
 src/charon/plugins/eap_mschapv2/eap_mschapv2.c     |    98 +-
 src/charon/plugins/eap_mschapv2/eap_mschapv2.h     |     2 -
 .../plugins/eap_mschapv2/eap_mschapv2_plugin.c     |     2 -
 .../plugins/eap_mschapv2/eap_mschapv2_plugin.h     |     2 -
 src/charon/plugins/eap_radius/Makefile.in          |    17 +-
 src/charon/plugins/eap_radius/eap_radius.c         |    21 +-
 src/charon/plugins/eap_radius/eap_radius.h         |     2 -
 src/charon/plugins/eap_radius/eap_radius_plugin.c  |     2 -
 src/charon/plugins/eap_radius/eap_radius_plugin.h  |     2 -
 src/charon/plugins/eap_radius/radius_client.c      |     2 -
 src/charon/plugins/eap_radius/radius_client.h      |     2 -
 src/charon/plugins/eap_radius/radius_message.c     |     2 -
 src/charon/plugins/eap_radius/radius_message.h     |     2 -
 src/charon/plugins/eap_sim/Makefile.in             |    17 +-
 src/charon/plugins/eap_sim/eap_sim.c               |     6 +-
 src/charon/plugins/eap_sim/eap_sim_plugin.c        |     2 -
 src/charon/plugins/eap_sim/eap_sim_plugin.h        |     2 -
 src/charon/plugins/eap_sim_file/Makefile.in        |    17 +-
 .../plugins/eap_sim_file/eap_sim_file_card.c       |     8 +-
 .../plugins/eap_sim_file/eap_sim_file_card.h       |     2 -
 .../plugins/eap_sim_file/eap_sim_file_plugin.c     |     2 -
 .../plugins/eap_sim_file/eap_sim_file_plugin.h     |     2 -
 .../plugins/eap_sim_file/eap_sim_file_provider.c   |     2 -
 .../plugins/eap_sim_file/eap_sim_file_provider.h   |     2 -
 .../plugins/eap_sim_file/eap_sim_file_triplets.c   |   107 +-
 .../plugins/eap_sim_file/eap_sim_file_triplets.h   |    10 +-
 src/charon/plugins/kernel_klips/Makefile.in        |    17 +-
 .../plugins/kernel_klips/kernel_klips_ipsec.c      |    11 +-
 .../plugins/kernel_klips/kernel_klips_ipsec.h      |     2 -
 .../plugins/kernel_klips/kernel_klips_plugin.c     |     2 -
 .../plugins/kernel_klips/kernel_klips_plugin.h     |     2 -
 src/charon/plugins/kernel_netlink/Makefile.in      |    17 +-
 .../plugins/kernel_netlink/kernel_netlink_ipsec.c  |    53 +-
 .../plugins/kernel_netlink/kernel_netlink_ipsec.h  |     2 -
 .../plugins/kernel_netlink/kernel_netlink_net.c    |    30 +-
 .../plugins/kernel_netlink/kernel_netlink_net.h    |     2 -
 .../plugins/kernel_netlink/kernel_netlink_plugin.c |     2 -
 .../plugins/kernel_netlink/kernel_netlink_plugin.h |     2 -
 .../plugins/kernel_netlink/kernel_netlink_shared.c |     2 -
 .../plugins/kernel_netlink/kernel_netlink_shared.h |     2 -
 src/charon/plugins/kernel_pfkey/Makefile.in        |    17 +-
 .../plugins/kernel_pfkey/kernel_pfkey_ipsec.c      |   209 +-
 .../plugins/kernel_pfkey/kernel_pfkey_ipsec.h      |     2 -
 .../plugins/kernel_pfkey/kernel_pfkey_plugin.c     |     2 -
 .../plugins/kernel_pfkey/kernel_pfkey_plugin.h     |     2 -
 src/charon/plugins/kernel_pfroute/Makefile.am      |    10 +
 src/charon/plugins/kernel_pfroute/Makefile.in      |   510 +
 .../plugins/kernel_pfroute/kernel_pfroute_net.c    |   713 ++
 .../plugins/kernel_pfroute/kernel_pfroute_net.h    |    46 +
 .../plugins/kernel_pfroute/kernel_pfroute_plugin.c |    58 +
 .../plugins/kernel_pfroute/kernel_pfroute_plugin.h |    47 +
 src/charon/plugins/load_tester/Makefile.in         |    17 +-
 .../plugins/load_tester/load_tester_config.c       |   169 +-
 .../plugins/load_tester/load_tester_config.h       |     2 -
 src/charon/plugins/load_tester/load_tester_creds.c |     2 -
 src/charon/plugins/load_tester/load_tester_creds.h |     2 -
 .../load_tester/load_tester_diffie_hellman.c       |     2 -
 .../load_tester/load_tester_diffie_hellman.h       |     2 -
 src/charon/plugins/load_tester/load_tester_ipsec.c |     9 +-
 src/charon/plugins/load_tester/load_tester_ipsec.h |     2 -
 .../plugins/load_tester/load_tester_listener.c     |     2 -
 .../plugins/load_tester/load_tester_listener.h     |     2 -
 .../plugins/load_tester/load_tester_plugin.c       |     2 -
 .../plugins/load_tester/load_tester_plugin.h       |     2 -
 src/charon/plugins/medcli/Makefile.in              |    17 +-
 src/charon/plugins/medcli/medcli_config.c          |    46 +-
 src/charon/plugins/medcli/medcli_config.h          |     2 -
 src/charon/plugins/medcli/medcli_creds.c           |     4 +-
 src/charon/plugins/medcli/medcli_creds.h           |     2 -
 src/charon/plugins/medcli/medcli_listener.c        |     2 -
 src/charon/plugins/medcli/medcli_listener.h        |     2 -
 src/charon/plugins/medcli/medcli_plugin.c          |     2 -
 src/charon/plugins/medcli/medcli_plugin.h          |     2 -
 src/charon/plugins/medsrv/Makefile.in              |    17 +-
 src/charon/plugins/medsrv/medsrv_config.c          |    14 +-
 src/charon/plugins/medsrv/medsrv_config.h          |     2 -
 src/charon/plugins/medsrv/medsrv_creds.c           |     2 -
 src/charon/plugins/medsrv/medsrv_creds.h           |     2 -
 src/charon/plugins/medsrv/medsrv_plugin.c          |     2 -
 src/charon/plugins/medsrv/medsrv_plugin.h          |     2 -
 src/charon/plugins/nm/Makefile.am                  |     5 +-
 src/charon/plugins/nm/Makefile.in                  |    25 +-
 src/charon/plugins/nm/nm_creds.c                   |     6 +-
 src/charon/plugins/nm/nm_creds.h                   |     3 +-
 src/charon/plugins/nm/nm_handler.c                 |   148 +
 src/charon/plugins/nm/nm_handler.h                 |    62 +
 src/charon/plugins/nm/nm_plugin.c                  |    24 +-
 src/charon/plugins/nm/nm_plugin.h                  |     2 -
 src/charon/plugins/nm/nm_service.c                 |    97 +-
 src/charon/plugins/nm/nm_service.h                 |     8 +-
 src/charon/plugins/resolv_conf/Makefile.am         |    13 +
 src/charon/plugins/resolv_conf/Makefile.in         |   513 +
 .../plugins/resolv_conf/resolv_conf_handler.c      |   192 +
 .../plugins/resolv_conf/resolv_conf_handler.h      |    49 +
 .../plugins/resolv_conf/resolv_conf_plugin.c       |    64 +
 .../plugins/resolv_conf/resolv_conf_plugin.h       |    47 +
 src/charon/plugins/smp/Makefile.in                 |    17 +-
 src/charon/plugins/smp/smp.c                       |    13 +-
 src/charon/plugins/smp/smp.h                       |     2 -
 src/charon/plugins/sql/Makefile.in                 |    17 +-
 src/charon/plugins/sql/pool.c                      |    10 +-
 src/charon/plugins/sql/sql_attribute.c             |     7 +-
 src/charon/plugins/sql/sql_attribute.h             |     2 -
 src/charon/plugins/sql/sql_config.c                |    20 +-
 src/charon/plugins/sql/sql_config.h                |     2 -
 src/charon/plugins/sql/sql_cred.c                  |     2 -
 src/charon/plugins/sql/sql_cred.h                  |     2 -
 src/charon/plugins/sql/sql_logger.c                |     2 -
 src/charon/plugins/sql/sql_logger.h                |     2 -
 src/charon/plugins/sql/sql_plugin.c                |     2 -
 src/charon/plugins/sql/sql_plugin.h                |     2 -
 src/charon/plugins/stroke/Makefile.am              |     5 +-
 src/charon/plugins/stroke/Makefile.in              |    23 +-
 src/charon/plugins/stroke/stroke_attribute.c       |    22 +-
 src/charon/plugins/stroke/stroke_attribute.h       |     2 -
 src/charon/plugins/stroke/stroke_ca.c              |     8 +-
 src/charon/plugins/stroke/stroke_ca.h              |     2 -
 src/charon/plugins/stroke/stroke_config.c          |   732 +-
 src/charon/plugins/stroke/stroke_config.h          |     2 -
 src/charon/plugins/stroke/stroke_control.c         |   203 +-
 src/charon/plugins/stroke/stroke_control.h         |    15 +-
 src/charon/plugins/stroke/stroke_cred.c            |    81 +-
 src/charon/plugins/stroke/stroke_cred.h            |     2 -
 src/charon/plugins/stroke/stroke_list.c            |   335 +-
 src/charon/plugins/stroke/stroke_list.h            |     2 -
 src/charon/plugins/stroke/stroke_plugin.c          |     2 -
 src/charon/plugins/stroke/stroke_plugin.h          |     2 -
 src/charon/plugins/stroke/stroke_shared_key.c      |     2 -
 src/charon/plugins/stroke/stroke_shared_key.h      |     2 -
 src/charon/plugins/stroke/stroke_socket.c          |    48 +-
 src/charon/plugins/stroke/stroke_socket.h          |     2 -
 src/charon/plugins/uci/Makefile.in                 |    17 +-
 src/charon/plugins/uci/uci_config.c                |    43 +-
 src/charon/plugins/uci/uci_config.h                |     2 -
 src/charon/plugins/uci/uci_control.c               |    47 +-
 src/charon/plugins/uci/uci_control.h               |     2 -
 src/charon/plugins/uci/uci_creds.c                 |    10 -
 src/charon/plugins/uci/uci_creds.h                 |     2 -
 src/charon/plugins/uci/uci_parser.c                |     2 -
 src/charon/plugins/uci/uci_parser.h                |     2 -
 src/charon/plugins/uci/uci_plugin.c                |     2 -
 src/charon/plugins/uci/uci_plugin.h                |     2 -
 src/charon/plugins/unit_tester/Makefile.am         |     4 +-
 src/charon/plugins/unit_tester/Makefile.in         |    57 +-
 src/charon/plugins/unit_tester/tests.h             |     9 +-
 src/charon/plugins/unit_tester/tests/test_aes.c    |   467 -
 .../plugins/unit_tester/tests/test_auth_info.c     |    29 +-
 .../plugins/unit_tester/tests/test_fips_prf.c      |    64 -
 src/charon/plugins/unit_tester/tests/test_id.c     |    69 +
 src/charon/plugins/unit_tester/tests/test_med_db.c |     2 +-
 src/charon/plugins/unit_tester/tests/test_pool.c   |    17 +-
 src/charon/plugins/unit_tester/tests/test_rng.c    |   221 -
 .../plugins/unit_tester/tests/test_rsa_gen.c       |    20 +-
 src/charon/plugins/unit_tester/unit_tester.c       |     2 -
 src/charon/plugins/unit_tester/unit_tester.h       |     2 -
 src/charon/plugins/updown/Makefile.in              |    17 +-
 src/charon/plugins/updown/updown_listener.c        |     6 +-
 src/charon/plugins/updown/updown_listener.h        |     2 -
 src/charon/plugins/updown/updown_plugin.c          |     2 -
 src/charon/plugins/updown/updown_plugin.h          |     2 -
 src/charon/processing/jobs/acquire_job.c           |    31 +-
 src/charon/processing/jobs/acquire_job.h           |     6 +-
 src/charon/processing/jobs/callback_job.c          |     2 -
 src/charon/processing/jobs/callback_job.h          |     2 -
 src/charon/processing/jobs/delete_child_sa_job.c   |     2 -
 src/charon/processing/jobs/delete_child_sa_job.h   |     2 -
 src/charon/processing/jobs/delete_ike_sa_job.c     |     2 -
 src/charon/processing/jobs/delete_ike_sa_job.h     |     2 -
 .../processing/jobs/initiate_mediation_job.c       |    18 +-
 .../processing/jobs/initiate_mediation_job.h       |     2 -
 src/charon/processing/jobs/job.h                   |     2 -
 src/charon/processing/jobs/mediation_job.c         |    10 +-
 src/charon/processing/jobs/mediation_job.h         |     2 -
 src/charon/processing/jobs/migrate_job.c           |     2 -
 src/charon/processing/jobs/migrate_job.h           |     2 -
 src/charon/processing/jobs/process_message_job.c   |     2 -
 src/charon/processing/jobs/process_message_job.h   |     2 -
 src/charon/processing/jobs/rekey_child_sa_job.c    |     2 -
 src/charon/processing/jobs/rekey_child_sa_job.h    |     2 -
 src/charon/processing/jobs/rekey_ike_sa_job.c      |     2 -
 src/charon/processing/jobs/rekey_ike_sa_job.h      |     2 -
 src/charon/processing/jobs/retransmit_job.c        |     2 -
 src/charon/processing/jobs/retransmit_job.h        |     2 -
 src/charon/processing/jobs/roam_job.c              |     2 -
 src/charon/processing/jobs/roam_job.h              |     2 -
 src/charon/processing/jobs/send_dpd_job.c          |     2 -
 src/charon/processing/jobs/send_dpd_job.h          |     2 -
 src/charon/processing/jobs/send_keepalive_job.c    |     2 -
 src/charon/processing/jobs/send_keepalive_job.h    |     2 -
 src/charon/processing/jobs/update_sa_job.c         |     2 -
 src/charon/processing/jobs/update_sa_job.h         |     2 -
 src/charon/processing/processor.c                  |     2 -
 src/charon/processing/processor.h                  |     2 -
 src/charon/processing/scheduler.c                  |   122 +-
 src/charon/processing/scheduler.h                  |    84 +-
 src/charon/sa/authenticators/authenticator.c       |    49 +-
 src/charon/sa/authenticators/authenticator.h       |    89 +-
 src/charon/sa/authenticators/eap/eap_manager.c     |    22 +-
 src/charon/sa/authenticators/eap/eap_manager.h     |     2 -
 src/charon/sa/authenticators/eap/eap_method.c      |    35 +-
 src/charon/sa/authenticators/eap/eap_method.h      |    11 +-
 src/charon/sa/authenticators/eap/sim_manager.c     |     2 -
 src/charon/sa/authenticators/eap/sim_manager.h     |     4 +-
 src/charon/sa/authenticators/eap_authenticator.c   |   786 +-
 src/charon/sa/authenticators/eap_authenticator.h   |   113 +-
 src/charon/sa/authenticators/psk_authenticator.c   |   147 +-
 src/charon/sa/authenticators/psk_authenticator.h   |    30 +-
 .../sa/authenticators/pubkey_authenticator.c       |   229 +-
 .../sa/authenticators/pubkey_authenticator.h       |    30 +-
 src/charon/sa/child_sa.c                           |    45 +-
 src/charon/sa/child_sa.h                           |     2 -
 src/charon/sa/connect_manager.c                    |    24 +-
 src/charon/sa/connect_manager.h                    |     2 -
 src/charon/sa/ike_sa.c                             |   564 +-
 src/charon/sa/ike_sa.h                             |    96 +-
 src/charon/sa/ike_sa_id.c                          |     2 -
 src/charon/sa/ike_sa_id.h                          |     2 -
 src/charon/sa/ike_sa_manager.c                     |   127 +-
 src/charon/sa/ike_sa_manager.h                     |     5 +-
 src/charon/sa/keymat.c                             |    17 +-
 src/charon/sa/keymat.h                             |     2 -
 src/charon/sa/mediation_manager.c                  |    10 +-
 src/charon/sa/mediation_manager.h                  |     2 -
 src/charon/sa/task_manager.c                       |   265 +-
 src/charon/sa/task_manager.h                       |     2 -
 src/charon/sa/tasks/child_create.c                 |   136 +-
 src/charon/sa/tasks/child_create.h                 |     9 +-
 src/charon/sa/tasks/child_delete.c                 |    17 +-
 src/charon/sa/tasks/child_delete.h                 |     2 -
 src/charon/sa/tasks/child_rekey.c                  |    26 +-
 src/charon/sa/tasks/child_rekey.h                  |     2 -
 src/charon/sa/tasks/ike_auth.c                     |  1107 +-
 src/charon/sa/tasks/ike_auth.h                     |     2 -
 src/charon/sa/tasks/ike_auth_lifetime.c            |    10 +-
 src/charon/sa/tasks/ike_auth_lifetime.h            |     2 -
 src/charon/sa/tasks/ike_cert_post.c                |   122 +-
 src/charon/sa/tasks/ike_cert_post.h                |     2 -
 src/charon/sa/tasks/ike_cert_pre.c                 |   302 +-
 src/charon/sa/tasks/ike_cert_pre.h                 |     2 -
 src/charon/sa/tasks/ike_config.c                   |   310 +-
 src/charon/sa/tasks/ike_config.h                   |     2 -
 src/charon/sa/tasks/ike_delete.c                   |     6 +-
 src/charon/sa/tasks/ike_delete.h                   |     2 -
 src/charon/sa/tasks/ike_dpd.c                      |     2 -
 src/charon/sa/tasks/ike_dpd.h                      |     2 -
 src/charon/sa/tasks/ike_init.c                     |    43 +-
 src/charon/sa/tasks/ike_init.h                     |     2 -
 src/charon/sa/tasks/ike_me.c                       |    16 +-
 src/charon/sa/tasks/ike_me.h                       |     2 -
 src/charon/sa/tasks/ike_mobike.c                   |    20 +-
 src/charon/sa/tasks/ike_mobike.h                   |     2 -
 src/charon/sa/tasks/ike_natd.c                     |    10 +-
 src/charon/sa/tasks/ike_natd.h                     |     2 -
 src/charon/sa/tasks/ike_reauth.c                   |     6 +-
 src/charon/sa/tasks/ike_reauth.h                   |     2 -
 src/charon/sa/tasks/ike_rekey.c                    |    45 +-
 src/charon/sa/tasks/ike_rekey.h                    |     2 -
 src/charon/sa/tasks/task.c                         |     2 -
 src/charon/sa/tasks/task.h                         |     2 -
 src/charon/sa/trap_manager.c                       |   371 +
 src/charon/sa/trap_manager.h                       |    81 +
 src/dumm/Makefile.am                               |    17 +-
 src/dumm/Makefile.in                               |    69 +-
 src/dumm/bridge.h                                  |    14 +-
 src/dumm/cowfs.c                                   |   344 +-
 src/dumm/cowfs.h                                   |     8 +-
 src/dumm/dumm.c                                    |    83 +-
 src/dumm/dumm.h                                    |    27 +-
 src/dumm/ext/dumm.c                                |   124 +-
 src/dumm/ext/extconf.rb                            |    21 -
 src/dumm/ext/extconf.rb.in                         |    19 +
 src/dumm/ext/lib/dumm.rb                           |    45 +-
 src/dumm/ext/lib/dumm/guest.rb                     |    26 +-
 src/dumm/guest.c                                   |     9 +-
 src/dumm/guest.h                                   |    30 +-
 src/dumm/iface.h                                   |    16 +-
 src/dumm/mconsole.c                                |     7 +-
 src/dumm/mconsole.h                                |    10 +-
 src/include/Makefile.in                            |    15 +-
 src/ipsec/Makefile.am                              |     2 +-
 src/ipsec/Makefile.in                              |    21 +-
 src/ipsec/ipsec.8                                  |     1 -
 src/ipsec/ipsec.in                                 |    13 +-
 src/libcrypto/Makefile.am                          |    11 -
 src/libcrypto/Makefile.in                          |   741 --
 src/libcrypto/include/cbc_generic.h                |   110 -
 src/libcrypto/include/hmac_generic.h               |    60 -
 src/libcrypto/include/md32_common.h                |   607 -
 src/libcrypto/libaes/aes.c                         |  1415 ---
 src/libcrypto/libaes/aes.h                         |    97 -
 src/libcrypto/libaes/aes_cbc.c                     |    13 -
 src/libcrypto/libaes/aes_cbc.h                     |     4 -
 src/libcrypto/libaes/aes_xcbc_mac.c                |    67 -
 src/libcrypto/libaes/aes_xcbc_mac.h                |    12 -
 src/libcrypto/libblowfish/bf_enc.c                 |   306 -
 src/libcrypto/libblowfish/bf_locl.h                |   218 -
 src/libcrypto/libblowfish/bf_pi.h                  |   325 -
 src/libcrypto/libblowfish/bf_skey.c                |   122 -
 src/libcrypto/libblowfish/blowfish.h               |   133 -
 src/libcrypto/libdes/cbc_enc.c                     |   135 -
 src/libcrypto/libdes/des.h                         |   308 -
 src/libcrypto/libdes/des_enc.c                     |   502 -
 src/libcrypto/libdes/des_locl.h                    |   515 -
 src/libcrypto/libdes/des_ver.h                     |    60 -
 src/libcrypto/libdes/destest.c                     |   871 --
 src/libcrypto/libdes/ecb_enc.c                     |   128 -
 src/libcrypto/libdes/fcrypt.c                      |   152 -
 src/libcrypto/libdes/fcrypt_b.c                    |   148 -
 src/libcrypto/libdes/podd.h                        |    75 -
 src/libcrypto/libdes/set_key.c                     |   246 -
 src/libcrypto/libdes/sk.h                          |   204 -
 src/libcrypto/libdes/spr.h                         |   204 -
 src/libcrypto/libserpent/serpent.c                 |   995 --
 src/libcrypto/libserpent/serpent.h                 |    17 -
 src/libcrypto/libserpent/serpent_cbc.c             |     8 -
 src/libcrypto/libserpent/serpent_cbc.h             |     3 -
 src/libcrypto/libsha2/hmac_sha2.c                  |    32 -
 src/libcrypto/libsha2/hmac_sha2.h                  |    17 -
 src/libcrypto/libsha2/sha2.c                       |   437 -
 src/libcrypto/libsha2/sha2.h                       |    52 -
 src/libcrypto/libtwofish/twofish.c                 |   861 --
 src/libcrypto/libtwofish/twofish.h                 |    20 -
 src/libcrypto/libtwofish/twofish_cbc.c             |     8 -
 src/libcrypto/libtwofish/twofish_cbc.h             |     3 -
 src/libfast/Makefile.in                            |    17 +-
 src/libfast/context.h                              |     2 -
 src/libfast/controller.h                           |     2 -
 src/libfast/dispatcher.c                           |     2 -
 src/libfast/dispatcher.h                           |     2 -
 src/libfast/filter.h                               |     2 -
 src/libfast/request.c                              |     2 -
 src/libfast/request.h                              |     2 -
 src/libfast/session.c                              |     2 -
 src/libfast/session.h                              |     2 -
 src/libfreeswan/Makefile.am                        |    22 +-
 src/libfreeswan/Makefile.in                        |    62 +-
 src/libfreeswan/addrtoa.c                          |     2 -
 src/libfreeswan/addrtot.c                          |     4 +-
 src/libfreeswan/addrtypeof.c                       |     4 +-
 src/libfreeswan/anyaddr.3                          |     1 -
 src/libfreeswan/anyaddr.c                          |     4 +-
 src/libfreeswan/atoaddr.3                          |     1 -
 src/libfreeswan/atoaddr.c                          |     2 -
 src/libfreeswan/atoasr.3                           |     1 -
 src/libfreeswan/atoasr.c                           |     2 -
 src/libfreeswan/atosa.3                            |     1 -
 src/libfreeswan/atosa.c                            |     2 -
 src/libfreeswan/atosubnet.c                        |     2 -
 src/libfreeswan/atoul.3                            |     1 -
 src/libfreeswan/atoul.c                            |     2 -
 src/libfreeswan/copyright.c                        |     4 +-
 src/libfreeswan/datatot.c                          |     2 -
 src/libfreeswan/freeswan.h                         |    78 +-
 src/libfreeswan/goodmask.3                         |     1 -
 src/libfreeswan/goodmask.c                         |     2 -
 src/libfreeswan/initaddr.3                         |     1 -
 src/libfreeswan/initaddr.c                         |     4 +-
 src/libfreeswan/initsaid.c                         |     2 -
 src/libfreeswan/initsubnet.3                       |     1 -
 src/libfreeswan/initsubnet.c                       |     2 -
 src/libfreeswan/internal.h                         |    35 -
 src/libfreeswan/ipcomp.h                           |    61 -
 src/libfreeswan/ipsec_ah.h                         |   111 -
 src/libfreeswan/ipsec_alg.h                        |   254 -
 src/libfreeswan/ipsec_encap.h                      |    55 -
 src/libfreeswan/ipsec_eroute.h                     |    82 -
 src/libfreeswan/ipsec_errs.h                       |    32 -
 src/libfreeswan/ipsec_esp.h                        |    80 -
 src/libfreeswan/ipsec_ipe4.h                       |    27 -
 src/libfreeswan/ipsec_kversion.h                   |   191 -
 src/libfreeswan/ipsec_life.h                       |    90 -
 src/libfreeswan/ipsec_md5h.h                       |    83 -
 src/libfreeswan/ipsec_param.h                      |   172 -
 src/libfreeswan/ipsec_policy.h                     |   233 -
 src/libfreeswan/ipsec_proto.h                      |   111 -
 src/libfreeswan/ipsec_radij.h                      |    63 -
 src/libfreeswan/ipsec_rcv.h                        |    72 -
 src/libfreeswan/ipsec_sa.h                         |   252 -
 src/libfreeswan/ipsec_sha1.h                       |    32 -
 src/libfreeswan/ipsec_stats.h                      |    38 -
 src/libfreeswan/ipsec_tunnel.h                     |   128 -
 src/libfreeswan/ipsec_xform.h                      |    84 -
 src/libfreeswan/ipsec_xmit.h                       |   140 -
 src/libfreeswan/keyblobtoid.3                      |     1 -
 src/libfreeswan/keyblobtoid.c                      |     2 -
 src/libfreeswan/optionsfrom.3                      |   182 -
 src/libfreeswan/optionsfrom.c                      |   301 -
 src/libfreeswan/pfkey.h                            |   121 -
 src/libfreeswan/pfkey_v2_build.c                   |    71 +-
 src/libfreeswan/pfkey_v2_debug.c                   |    28 +-
 src/libfreeswan/pfkey_v2_ext_bits.c                |    36 +-
 src/libfreeswan/pfkey_v2_parse.c                   |    83 +-
 src/libfreeswan/pfkeyv2.h                          |     4 -
 src/libfreeswan/portof.3                           |     1 -
 src/libfreeswan/portof.c                           |     4 +-
 src/libfreeswan/prng.3                             |     1 -
 src/libfreeswan/prng.c                             |     2 -
 src/libfreeswan/radij.h                            |   201 -
 src/libfreeswan/rangetoa.c                         |     2 -
 src/libfreeswan/rangetosubnet.3                    |     1 -
 src/libfreeswan/rangetosubnet.c                    |     2 -
 src/libfreeswan/sameaddr.3                         |     1 -
 src/libfreeswan/sameaddr.c                         |     2 -
 src/libfreeswan/satoa.c                            |     2 -
 src/libfreeswan/satot.c                            |     4 +-
 src/libfreeswan/subnetof.3                         |     1 -
 src/libfreeswan/subnetof.c                         |     2 -
 src/libfreeswan/subnettoa.c                        |     2 -
 src/libfreeswan/subnettot.c                        |     2 -
 src/libfreeswan/subnettypeof.c                     |     2 -
 src/libfreeswan/ttoaddr.3                          |     1 -
 src/libfreeswan/ttoaddr.c                          |     4 +-
 src/libfreeswan/ttodata.3                          |     1 -
 src/libfreeswan/ttodata.c                          |     2 -
 src/libfreeswan/ttoprotoport.c                     |     4 +-
 src/libfreeswan/ttosa.3                            |     1 -
 src/libfreeswan/ttosa.c                            |     4 +-
 src/libfreeswan/ttosubnet.c                        |     4 +-
 src/libfreeswan/ttoul.3                            |     1 -
 src/libfreeswan/ttoul.c                            |     2 -
 src/libfreeswan/ultoa.c                            |     2 -
 src/libfreeswan/ultot.c                            |     2 -
 src/libfreeswan/version.3                          |    44 -
 src/libfreeswan/version.c                          |    43 -
 src/libstrongswan/Makefile.am                      |    57 +-
 src/libstrongswan/Makefile.in                      |   284 +-
 src/libstrongswan/asn1/asn1.c                      |   170 +-
 src/libstrongswan/asn1/asn1.h                      |    24 +-
 src/libstrongswan/asn1/asn1_parser.c               |     6 +-
 src/libstrongswan/asn1/asn1_parser.h               |     6 +-
 src/libstrongswan/asn1/oid.c                       |   562 +-
 src/libstrongswan/asn1/oid.h                       |   264 +-
 src/libstrongswan/asn1/oid.pl                      |     7 +-
 src/libstrongswan/asn1/oid.txt                     |    72 +-
 src/libstrongswan/asn1/pem.c                       |    49 +-
 src/libstrongswan/asn1/pem.h                       |     8 +-
 src/libstrongswan/chunk.c                          |    14 +-
 src/libstrongswan/chunk.h                          |    19 +-
 src/libstrongswan/credentials/builder.c            |     2 +
 src/libstrongswan/credentials/builder.h            |    10 +-
 src/libstrongswan/credentials/certificates/ac.h    |     2 -
 .../credentials/certificates/certificate.c         |    14 +-
 .../credentials/certificates/certificate.h         |    12 +-
 src/libstrongswan/credentials/certificates/crl.c   |     2 -
 src/libstrongswan/credentials/certificates/crl.h   |     2 -
 .../credentials/certificates/ocsp_request.h        |     2 -
 .../credentials/certificates/ocsp_response.c       |     2 -
 .../credentials/certificates/ocsp_response.h       |     2 -
 src/libstrongswan/credentials/certificates/x509.c  |     2 -
 src/libstrongswan/credentials/certificates/x509.h  |     2 -
 src/libstrongswan/credentials/credential_factory.c |     4 +-
 src/libstrongswan/credentials/credential_factory.h |     3 -
 src/libstrongswan/credentials/keys/private_key.c   |     2 -
 src/libstrongswan/credentials/keys/private_key.h   |    10 +-
 src/libstrongswan/credentials/keys/public_key.c    |    45 +-
 src/libstrongswan/credentials/keys/public_key.h    |    66 +-
 src/libstrongswan/credentials/keys/shared_key.c    |     2 -
 src/libstrongswan/crypto/crypters/crypter.c        |   147 +-
 src/libstrongswan/crypto/crypters/crypter.h        |    74 +-
 src/libstrongswan/crypto/crypto_factory.c          |   178 +-
 src/libstrongswan/crypto/crypto_factory.h          |    15 +-
 src/libstrongswan/crypto/crypto_tester.c           |   629 +
 src/libstrongswan/crypto/crypto_tester.h           |   205 +
 src/libstrongswan/crypto/diffie_hellman.c          |    28 +-
 src/libstrongswan/crypto/diffie_hellman.h          |     2 -
 src/libstrongswan/crypto/hashers/hasher.c          |     8 +-
 src/libstrongswan/crypto/hashers/hasher.h          |    18 +-
 src/libstrongswan/crypto/pkcs9.c                   |     2 -
 src/libstrongswan/crypto/pkcs9.h                   |     2 -
 src/libstrongswan/crypto/prf_plus.c                |     2 -
 src/libstrongswan/crypto/prf_plus.h                |     2 -
 src/libstrongswan/crypto/prfs/prf.c                |    11 +-
 src/libstrongswan/crypto/prfs/prf.h                |    20 +-
 .../crypto/proposal/proposal_keywords.c            |   270 +
 .../crypto/proposal/proposal_keywords.h            |    34 +
 .../crypto/proposal/proposal_keywords.txt          |   118 +
 src/libstrongswan/crypto/rngs/rng.c                |     6 +-
 src/libstrongswan/crypto/rngs/rng.h                |    10 +-
 src/libstrongswan/crypto/signers/signer.c          |    21 +-
 src/libstrongswan/crypto/signers/signer.h          |    35 +-
 src/libstrongswan/crypto/transform.c               |    29 +
 src/libstrongswan/crypto/transform.h               |    47 +
 src/libstrongswan/database/database_factory.c      |     2 -
 src/libstrongswan/debug.c                          |     2 -
 src/libstrongswan/debug.h                          |     2 -
 src/libstrongswan/enum.c                           |     2 -
 src/libstrongswan/enum.h                           |     2 -
 src/libstrongswan/fetcher/fetcher.h                |    12 +
 src/libstrongswan/fetcher/fetcher_manager.c        |     6 +-
 src/libstrongswan/fips/Makefile.in                 |    17 +-
 src/libstrongswan/fips/fips.c                      |     2 -
 src/libstrongswan/fips/fips.h                      |     2 -
 src/libstrongswan/fips/fips_canister_end.c         |     2 -
 src/libstrongswan/fips/fips_canister_start.c       |     2 -
 src/libstrongswan/fips/fips_signer.c               |     2 -
 src/libstrongswan/library.c                        |     8 +-
 src/libstrongswan/library.h                        |     4 +-
 src/libstrongswan/pgp/pgp.c                        |    93 +
 src/libstrongswan/pgp/pgp.h                        |   115 +
 src/libstrongswan/plugins/aes/Makefile.in          |    17 +-
 src/libstrongswan/plugins/aes/aes_crypter.c        |     4 -
 src/libstrongswan/plugins/aes/aes_plugin.c         |     2 -
 src/libstrongswan/plugins/agent/Makefile.in        |    17 +-
 src/libstrongswan/plugins/agent/agent_plugin.c     |     2 -
 .../plugins/agent/agent_private_key.c              |    16 +-
 src/libstrongswan/plugins/blowfish/Makefile.am     |    12 +
 src/libstrongswan/plugins/blowfish/Makefile.in     |   513 +
 src/libstrongswan/plugins/blowfish/bf_enc.c        |   306 +
 src/libstrongswan/plugins/blowfish/bf_locl.h       |   218 +
 src/libstrongswan/plugins/blowfish/bf_pi.h         |   325 +
 src/libstrongswan/plugins/blowfish/bf_skey.c       |   122 +
 src/libstrongswan/plugins/blowfish/blowfish.h      |   133 +
 .../plugins/blowfish/blowfish_crypter.c            |   197 +
 .../plugins/blowfish/blowfish_crypter.h            |    50 +
 .../plugins/blowfish/blowfish_plugin.c             |    59 +
 .../plugins/blowfish/blowfish_plugin.h             |    48 +
 src/libstrongswan/plugins/curl/Makefile.in         |    17 +-
 src/libstrongswan/plugins/curl/curl_fetcher.c      |    66 +-
 src/libstrongswan/plugins/curl/curl_plugin.c       |     2 -
 src/libstrongswan/plugins/des/Makefile.in          |    17 +-
 src/libstrongswan/plugins/des/des_crypter.c        |     4 +-
 src/libstrongswan/plugins/des/des_plugin.c         |     2 -
 src/libstrongswan/plugins/fips_prf/Makefile.in     |    17 +-
 src/libstrongswan/plugins/fips_prf/fips_prf.c      |     2 -
 .../plugins/fips_prf/fips_prf_plugin.c             |     2 -
 src/libstrongswan/plugins/gcrypt/Makefile.am       |    17 +
 src/libstrongswan/plugins/gcrypt/Makefile.in       |   522 +
 src/libstrongswan/plugins/gcrypt/gcrypt_crypter.c  |   252 +
 src/libstrongswan/plugins/gcrypt/gcrypt_crypter.h  |    49 +
 src/libstrongswan/plugins/gcrypt/gcrypt_dh.c       |   564 +
 src/libstrongswan/plugins/gcrypt/gcrypt_dh.h       |    48 +
 src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c   |   151 +
 src/libstrongswan/plugins/gcrypt/gcrypt_hasher.h   |    47 +
 src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c   |   212 +
 src/libstrongswan/plugins/gcrypt/gcrypt_plugin.h   |    47 +
 src/libstrongswan/plugins/gcrypt/gcrypt_rng.c      |   103 +
 src/libstrongswan/plugins/gcrypt/gcrypt_rng.h      |    47 +
 .../plugins/gcrypt/gcrypt_rsa_private_key.c        |   734 ++
 .../plugins/gcrypt/gcrypt_rsa_private_key.h        |    47 +
 .../plugins/gcrypt/gcrypt_rsa_public_key.c         |   512 +
 .../plugins/gcrypt/gcrypt_rsa_public_key.h         |    47 +
 src/libstrongswan/plugins/gmp/Makefile.in          |    17 +-
 src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c |     6 +-
 src/libstrongswan/plugins/gmp/gmp_plugin.c         |     2 -
 .../plugins/gmp/gmp_rsa_private_key.c              |   341 +-
 src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c |   350 +-
 src/libstrongswan/plugins/gmp/gmp_rsa_public_key.h |     2 -
 src/libstrongswan/plugins/hmac/Makefile.in         |    17 +-
 src/libstrongswan/plugins/hmac/hmac.c              |     2 -
 src/libstrongswan/plugins/hmac/hmac_plugin.c       |     4 +-
 src/libstrongswan/plugins/hmac/hmac_prf.c          |     2 -
 src/libstrongswan/plugins/hmac/hmac_signer.c       |     6 +-
 src/libstrongswan/plugins/ldap/Makefile.in         |    17 +-
 src/libstrongswan/plugins/ldap/ldap_fetcher.c      |     2 -
 src/libstrongswan/plugins/ldap/ldap_plugin.c       |     2 -
 src/libstrongswan/plugins/md4/Makefile.in          |    17 +-
 src/libstrongswan/plugins/md4/md4_hasher.c         |     2 -
 src/libstrongswan/plugins/md4/md4_plugin.c         |     2 -
 src/libstrongswan/plugins/md5/Makefile.in          |    17 +-
 src/libstrongswan/plugins/md5/md5_hasher.c         |     2 -
 src/libstrongswan/plugins/md5/md5_plugin.c         |     2 -
 src/libstrongswan/plugins/mysql/Makefile.in        |    17 +-
 src/libstrongswan/plugins/mysql/mysql_database.c   |     2 -
 src/libstrongswan/plugins/mysql/mysql_plugin.c     |     2 -
 src/libstrongswan/plugins/openssl/Makefile.in      |    17 +-
 .../plugins/openssl/openssl_crypter.c              |    10 +-
 .../plugins/openssl/openssl_crypter.h              |     2 -
 .../plugins/openssl/openssl_diffie_hellman.c       |     4 +-
 .../plugins/openssl/openssl_diffie_hellman.h       |     2 -
 .../plugins/openssl/openssl_ec_diffie_hellman.c    |     2 -
 .../plugins/openssl/openssl_ec_diffie_hellman.h    |     2 -
 .../plugins/openssl/openssl_ec_private_key.c       |   101 +-
 .../plugins/openssl/openssl_ec_private_key.h       |     2 -
 .../plugins/openssl/openssl_ec_public_key.c        |    51 +-
 .../plugins/openssl/openssl_ec_public_key.h        |     2 -
 src/libstrongswan/plugins/openssl/openssl_hasher.c |     2 -
 src/libstrongswan/plugins/openssl/openssl_hasher.h |     2 -
 src/libstrongswan/plugins/openssl/openssl_plugin.c |     4 +-
 src/libstrongswan/plugins/openssl/openssl_plugin.h |     2 -
 .../plugins/openssl/openssl_rsa_private_key.c      |   167 +-
 .../plugins/openssl/openssl_rsa_private_key.h      |     2 -
 .../plugins/openssl/openssl_rsa_public_key.c       |   127 +-
 .../plugins/openssl/openssl_rsa_public_key.h       |     2 -
 src/libstrongswan/plugins/openssl/openssl_util.c   |     2 -
 src/libstrongswan/plugins/openssl/openssl_util.h   |     2 -
 src/libstrongswan/plugins/padlock/Makefile.in      |    17 +-
 .../plugins/padlock/padlock_aes_crypter.c          |     2 -
 src/libstrongswan/plugins/padlock/padlock_plugin.c |     4 +-
 src/libstrongswan/plugins/padlock/padlock_rng.c    |     4 +-
 src/libstrongswan/plugins/padlock/padlock_rng.h    |     2 -
 .../plugins/padlock/padlock_sha1_hasher.c          |     2 -
 src/libstrongswan/plugins/plugin_loader.c          |     2 -
 src/libstrongswan/plugins/pubkey/Makefile.in       |    17 +-
 src/libstrongswan/plugins/pubkey/pubkey_cert.c     |     2 -
 src/libstrongswan/plugins/pubkey/pubkey_cert.h     |     2 -
 src/libstrongswan/plugins/pubkey/pubkey_plugin.c   |     2 -
 .../plugins/pubkey/pubkey_public_key.c             |     4 +-
 .../plugins/pubkey/pubkey_public_key.h             |     2 -
 src/libstrongswan/plugins/random/Makefile.in       |    17 +-
 src/libstrongswan/plugins/random/random_plugin.c   |     4 +-
 src/libstrongswan/plugins/random/random_rng.c      |     4 +-
 src/libstrongswan/plugins/random/random_rng.h      |     2 -
 src/libstrongswan/plugins/sha1/Makefile.in         |    17 +-
 src/libstrongswan/plugins/sha1/sha1_hasher.c       |     2 -
 src/libstrongswan/plugins/sha1/sha1_plugin.c       |     2 -
 src/libstrongswan/plugins/sha1/sha1_prf.c          |     2 -
 src/libstrongswan/plugins/sha2/Makefile.in         |    17 +-
 src/libstrongswan/plugins/sha2/sha2_hasher.c       |     2 -
 src/libstrongswan/plugins/sha2/sha2_plugin.c       |     2 -
 src/libstrongswan/plugins/sqlite/Makefile.in       |    17 +-
 src/libstrongswan/plugins/sqlite/sqlite_database.c |     2 -
 src/libstrongswan/plugins/sqlite/sqlite_plugin.c   |     2 -
 src/libstrongswan/plugins/test_vectors/Makefile.am |    33 +
 src/libstrongswan/plugins/test_vectors/Makefile.in |   710 ++
 .../plugins/test_vectors/test_vectors.h            |   159 +
 .../plugins/test_vectors/test_vectors/3des_cbc.c   |    43 +
 .../plugins/test_vectors/test_vectors/aes_cbc.c    |   113 +
 .../plugins/test_vectors/test_vectors/aes_xcbc.c   |   129 +
 .../plugins/test_vectors/test_vectors/blowfish.c   |    46 +
 .../test_vectors/test_vectors/camellia_cbc.c       |    91 +
 .../plugins/test_vectors/test_vectors/cast.c       |    28 +
 .../plugins/test_vectors/test_vectors/des.c        |    65 +
 .../plugins/test_vectors/test_vectors/fips_prf.c   |    30 +
 .../plugins/test_vectors/test_vectors/idea.c       |    44 +
 .../plugins/test_vectors/test_vectors/md2.c        |    63 +
 .../plugins/test_vectors/test_vectors/md4.c        |    63 +
 .../plugins/test_vectors/test_vectors/md5.c        |    63 +
 .../plugins/test_vectors/test_vectors/md5_hmac.c   |   112 +
 .../plugins/test_vectors/test_vectors/null.c       |    25 +
 .../plugins/test_vectors/test_vectors/rc5.c        |    44 +
 .../plugins/test_vectors/test_vectors/rng.c        |   236 +
 .../test_vectors/test_vectors/serpent_cbc.c        |    91 +
 .../plugins/test_vectors/test_vectors/sha1.c       |    51 +
 .../plugins/test_vectors/test_vectors/sha1_hmac.c  |   146 +
 .../plugins/test_vectors/test_vectors/sha2.c       |   136 +
 .../plugins/test_vectors/test_vectors/sha2_hmac.c  |   353 +
 .../test_vectors/test_vectors/twofish_cbc.c        |    56 +
 .../plugins/test_vectors/test_vectors_plugin.c     |   142 +
 .../plugins/test_vectors/test_vectors_plugin.h     |    47 +
 src/libstrongswan/plugins/x509/Makefile.in         |    17 +-
 src/libstrongswan/plugins/x509/ietf_attr_list.h    |     2 -
 src/libstrongswan/plugins/x509/x509_ac.c           |    33 +-
 src/libstrongswan/plugins/x509/x509_ac.h           |     2 -
 src/libstrongswan/plugins/x509/x509_cert.c         |   122 +-
 src/libstrongswan/plugins/x509/x509_cert.h         |     2 -
 src/libstrongswan/plugins/x509/x509_crl.c          |    34 +-
 src/libstrongswan/plugins/x509/x509_ocsp_request.c |     3 +-
 .../plugins/x509/x509_ocsp_response.c              |    38 +-
 src/libstrongswan/plugins/x509/x509_plugin.c       |     2 -
 src/libstrongswan/plugins/xcbc/Makefile.in         |    17 +-
 src/libstrongswan/plugins/xcbc/xcbc.c              |     2 -
 src/libstrongswan/plugins/xcbc/xcbc_plugin.c       |     2 -
 src/libstrongswan/plugins/xcbc/xcbc_prf.c          |     2 -
 src/libstrongswan/plugins/xcbc/xcbc_signer.c       |     2 -
 src/libstrongswan/printf_hook.c                    |    20 +-
 src/libstrongswan/printf_hook.h                    |     7 +-
 src/libstrongswan/settings.c                       |    19 +-
 src/libstrongswan/settings.h                       |     4 +-
 src/libstrongswan/utils.c                          |    19 +-
 src/libstrongswan/utils.h                          |    33 +-
 src/libstrongswan/utils/backtrace.c                |     4 +-
 src/libstrongswan/utils/enumerator.c               |     4 +-
 src/libstrongswan/utils/enumerator.h               |     4 +-
 src/libstrongswan/utils/hashtable.c                |     2 -
 src/libstrongswan/utils/hashtable.h                |     2 -
 src/libstrongswan/utils/host.c                     |    51 +-
 src/libstrongswan/utils/identification.c           |   396 +-
 src/libstrongswan/utils/identification.h           |    89 +-
 src/libstrongswan/utils/iterator.h                 |     2 -
 src/libstrongswan/utils/leak_detective.c           |     7 +-
 src/libstrongswan/utils/lexparser.c                |     2 -
 src/libstrongswan/utils/lexparser.h                |     2 -
 src/libstrongswan/utils/linked_list.c              |     2 -
 src/libstrongswan/utils/linked_list.h              |     3 -
 src/libstrongswan/utils/mutex.c                    |    10 +-
 src/libstrongswan/utils/mutex.h                    |     2 -
 src/libstrongswan/utils/optionsfrom.c              |     2 -
 src/libstrongswan/utils/optionsfrom.h              |     2 -
 src/manager/Makefile.in                            |    17 +-
 src/manager/controller/auth_controller.c           |     2 -
 src/manager/controller/auth_controller.h           |     2 -
 src/manager/controller/config_controller.c         |     2 -
 src/manager/controller/config_controller.h         |     2 -
 src/manager/controller/control_controller.c        |     2 -
 src/manager/controller/control_controller.h        |     2 -
 src/manager/controller/gateway_controller.c        |     2 -
 src/manager/controller/gateway_controller.h        |     2 -
 src/manager/controller/ikesa_controller.c          |     2 -
 src/manager/controller/ikesa_controller.h          |     2 -
 src/manager/gateway.c                              |     2 -
 src/manager/gateway.h                              |     2 -
 src/manager/main.c                                 |     2 -
 src/manager/manager.c                              |     2 -
 src/manager/manager.h                              |     2 -
 src/manager/storage.c                              |     2 -
 src/manager/storage.h                              |     2 -
 src/manager/xml.c                                  |     4 +-
 src/manager/xml.h                                  |     2 -
 src/medsrv/Makefile.in                             |    17 +-
 src/medsrv/controller/peer_controller.c            |     4 +-
 src/medsrv/controller/peer_controller.h            |     2 -
 src/medsrv/controller/user_controller.c            |     2 -
 src/medsrv/controller/user_controller.h            |     2 -
 src/medsrv/filter/auth_filter.c                    |     2 -
 src/medsrv/filter/auth_filter.h                    |     2 -
 src/medsrv/main.c                                  |     2 -
 src/medsrv/user.c                                  |     2 -
 src/medsrv/user.h                                  |     2 -
 src/openac/Makefile.in                             |    21 +-
 src/openac/openac.c                                |    25 +-
 src/pluto/Makefile.am                              |    52 +-
 src/pluto/Makefile.in                              |   239 +-
 src/pluto/TODO                                     |   129 -
 src/pluto/ac.c                                     |  1575 ++-
 src/pluto/ac.h                                     |    56 +-
 src/pluto/adns.c                                   |   726 +-
 src/pluto/adns.h                                   |    56 +-
 src/pluto/alg/ike_alg_aes.c                        |    68 -
 src/pluto/alg/ike_alg_blowfish.c                   |    52 -
 src/pluto/alg/ike_alg_serpent.c                    |    70 -
 src/pluto/alg/ike_alg_sha2.c                       |   634 -
 src/pluto/alg/ike_alg_twofish.c                    |    85 -
 src/pluto/alg/ike_alginit.c                        |     7 -
 src/pluto/alg_info.c                               |  1539 +--
 src/pluto/alg_info.h                               |    69 +-
 src/pluto/asn1.c                                   |   787 --
 src/pluto/asn1.h                                   |   141 -
 src/pluto/ca.c                                     |   923 +-
 src/pluto/ca.h                                     |    42 +-
 src/pluto/certs.c                                  |   374 +-
 src/pluto/certs.h                                  |    63 +-
 src/pluto/connections.c                            |  6580 +++++-----
 src/pluto/connections.h                            |   270 +-
 src/pluto/constants.c                              |  1071 +-
 src/pluto/constants.h                              |  1013 +-
 src/pluto/cookie.c                                 |    68 +-
 src/pluto/cookie.h                                 |     8 +-
 src/pluto/crl.c                                    |  1197 +-
 src/pluto/crl.h                                    |    34 +-
 src/pluto/crypto.c                                 |   997 +-
 src/pluto/crypto.h                                 |    91 +-
 src/pluto/db_ops.c                                 |   541 +-
 src/pluto/db_ops.h                                 |    36 +-
 src/pluto/defs.c                                   |   346 +-
 src/pluto/defs.h                                   |    97 +-
 src/pluto/demux.c                                  |  3950 +++---
 src/pluto/demux.h                                  |    64 +-
 src/pluto/dnskey.c                                 |  2609 ++--
 src/pluto/dnskey.h                                 |    70 +-
 src/pluto/dsa.c                                    |   476 -
 src/pluto/dsa.h                                    |    32 -
 src/pluto/elgamal.c                                |   613 -
 src/pluto/elgamal.h                                |    35 -
 src/pluto/fetch.c                                  |  1293 +-
 src/pluto/fetch.h                                  |    28 +-
 src/pluto/foodgroups.c                             |   606 +-
 src/pluto/foodgroups.h                             |     4 +-
 src/pluto/gcryptfix.c                              |   283 -
 src/pluto/gcryptfix.h                              |   111 -
 src/pluto/id.c                                     |   672 +-
 src/pluto/id.h                                     |    34 +-
 src/pluto/ike_alg.c                                |   775 +-
 src/pluto/ike_alg.h                                |    86 +-
 src/pluto/ipsec_doi.c                              |  8830 +++++++------
 src/pluto/ipsec_doi.h                              |    80 +-
 src/pluto/kameipsec.h                              |    46 +-
 src/pluto/kernel.c                                 |  4681 ++++---
 src/pluto/kernel.h                                 |   204 +-
 src/pluto/kernel_alg.c                             |  1163 +-
 src/pluto/kernel_alg.h                             |     2 -
 src/pluto/kernel_netlink.c                         |  1748 ++-
 src/pluto/kernel_netlink.h                         |     2 -
 src/pluto/kernel_noklips.c                         |    60 +-
 src/pluto/kernel_noklips.h                         |     2 -
 src/pluto/kernel_pfkey.c                           |  1212 +-
 src/pluto/kernel_pfkey.h                           |     2 -
 src/pluto/keys.c                                   |  2249 ++--
 src/pluto/keys.h                                   |    79 +-
 src/pluto/lex.c                                    |   268 +-
 src/pluto/lex.h                                    |    20 +-
 src/pluto/log.c                                    |  1115 +-
 src/pluto/log.h                                    |   104 +-
 src/pluto/md2.c                                    |   237 -
 src/pluto/md2.h                                    |    72 -
 src/pluto/md5.c                                    |   385 -
 src/pluto/md5.h                                    |    75 -
 src/pluto/modecfg.c                                |  1773 +--
 src/pluto/modecfg.h                                |     2 -
 src/pluto/mp_defs.c                                |    70 -
 src/pluto/mp_defs.h                                |    36 -
 src/pluto/nat_traversal.c                          |  1279 +-
 src/pluto/nat_traversal.h                          |    62 +-
 src/pluto/ocsp.c                                   |  2396 ++--
 src/pluto/ocsp.h                                   |    64 +-
 src/pluto/packet.c                                 |  1286 +-
 src/pluto/packet.h                                 |   312 +-
 src/pluto/pem.c                                    |   485 +-
 src/pluto/pem.h                                    |    10 +-
 src/pluto/pgp.c                                    |   647 -
 src/pluto/pgp.h                                    |    54 -
 src/pluto/pgpcert.c                                |   496 +
 src/pluto/pgpcert.h                                |    56 +
 src/pluto/pkcs1.c                                  |   676 -
 src/pluto/pkcs1.h                                  |    88 -
 src/pluto/pkcs7.c                                  |  1341 +-
 src/pluto/pkcs7.h                                  |    32 +-
 src/pluto/plutomain.c                              |  1125 +-
 src/pluto/primegen.c                               |   593 -
 src/pluto/rcv_whack.c                              |  1013 +-
 src/pluto/rcv_whack.h                              |     2 -
 src/pluto/rnd.c                                    |   250 -
 src/pluto/rnd.h                                    |    21 -
 src/pluto/server.c                                 |  1434 +--
 src/pluto/server.h                                 |    28 +-
 src/pluto/sha1.c                                   |   193 -
 src/pluto/sha1.h                                   |    16 -
 src/pluto/smallprime.c                             |   122 -
 src/pluto/smartcard.c                              |  2746 ++--
 src/pluto/smartcard.h                              |    56 +-
 src/pluto/spdb.c                                   |  3779 +++---
 src/pluto/spdb.h                                   |    84 +-
 src/pluto/state.c                                  |  1358 +-
 src/pluto/state.h                                  |   276 +-
 src/pluto/timer.c                                  |   875 +-
 src/pluto/timer.h                                  |    16 +-
 src/pluto/vendor.c                                 |   795 +-
 src/pluto/vendor.h                                 |   254 +-
 src/pluto/virtual.c                                |   411 +-
 src/pluto/virtual.h                                |     6 +-
 src/pluto/x509.c                                   |  3375 +++--
 src/pluto/x509.h                                   |   137 +-
 src/pluto/xauth.c                                  |    74 +-
 src/pluto/xauth.h                                  |    18 +-
 src/scepclient/Makefile.am                         |    55 +-
 src/scepclient/Makefile.in                         |    90 +-
 src/scepclient/loglite.c                           |   406 +-
 src/scepclient/pkcs10.c                            |   234 +-
 src/scepclient/pkcs10.h                            |    27 +-
 src/scepclient/rsakey.c                            |   349 -
 src/scepclient/rsakey.h                            |    31 -
 src/scepclient/scep.c                              |   884 +-
 src/scepclient/scep.h                              |    46 +-
 src/scepclient/scepclient.8                        |     8 +-
 src/scepclient/scepclient.c                        |  1753 +--
 src/starter/Makefile.am                            |    37 +-
 src/starter/Makefile.in                            |    57 +-
 src/starter/args.c                                 |   985 +-
 src/starter/args.h                                 |     8 +-
 src/starter/cmp.c                                  |    90 +-
 src/starter/cmp.h                                  |     2 -
 src/starter/confread.c                             |    62 +-
 src/starter/confread.h                             |   324 +-
 src/starter/exec.c                                 |    28 +-
 src/starter/exec.h                                 |     2 -
 src/starter/files.h                                |    12 +-
 src/starter/interfaces.c                           |   198 +-
 src/starter/interfaces.h                           |    14 +-
 src/starter/invokecharon.c                         |   317 +-
 src/starter/invokecharon.h                         |     4 +-
 src/starter/invokepluto.c                          |   466 +-
 src/starter/invokepluto.h                          |     4 +-
 src/starter/ipsec.conf.5                           |    94 +-
 src/starter/keywords.c                             |   349 +-
 src/starter/keywords.h                             |   322 +-
 src/starter/keywords.txt                           |    12 +-
 src/starter/klips.c                                |    80 +-
 src/starter/klips.h                                |     2 -
 src/starter/lex.yy.c                               |   244 +-
 src/starter/loglite.c                              |   294 +-
 src/starter/netkey.c                               |    84 +-
 src/starter/netkey.h                               |     2 -
 src/starter/parser.h                               |    24 +-
 src/starter/parser.l                               |   216 +-
 src/starter/parser.y                               |   339 +-
 src/starter/starter.c                              |  1116 +-
 src/starter/starterstroke.c                        |    33 +-
 src/starter/starterstroke.h                        |     2 -
 src/starter/starterwhack.c                         |   582 +-
 src/starter/starterwhack.h                         |     2 -
 src/starter/y.tab.c                                |   323 +-
 src/starter/y.tab.h                                |     2 +-
 src/stroke/Makefile.am                             |     5 +-
 src/stroke/Makefile.in                             |    32 +-
 src/stroke/stroke.c                                |    14 +-
 src/stroke/stroke_keywords.c                       |   130 +-
 src/stroke/stroke_keywords.h                       |     3 +-
 src/stroke/stroke_keywords.txt                     |     3 +-
 src/stroke/stroke_msg.h                            |    11 +-
 src/strongswan.conf                                |    18 +-
 src/whack/Makefile.am                              |    11 +-
 src/whack/Makefile.in                              |    32 +-
 src/whack/whack.c                                  |  3394 ++---
 src/whack/whack.h                                  |   478 +-
 testing/INSTALL                                    |    12 +-
 testing/Makefile.am                                |     2 +-
 testing/Makefile.in                                |    17 +-
 testing/README                                     |     2 -
 testing/do-tests.in                                |     2 -
 testing/hosts/alice/etc/strongswan.conf            |    10 +
 testing/hosts/bob/etc/strongswan.conf              |    10 +
 testing/hosts/carol/etc/strongswan.conf            |    10 +
 testing/hosts/dave/etc/strongswan.conf             |    10 +
 testing/hosts/moon/etc/strongswan.conf             |    10 +
 testing/hosts/sun/etc/strongswan.conf              |    10 +
 testing/hosts/venus/etc/strongswan.conf            |    10 +
 testing/hosts/winnetou/etc/openssl/ecdsa/index.txt |     2 +
 .../hosts/winnetou/etc/openssl/ecdsa/index.txt.old |     2 +
 .../winnetou/etc/openssl/ecdsa/newcerts/05.pem     |    18 +
 .../winnetou/etc/openssl/ecdsa/newcerts/06.pem     |    19 +
 .../hosts/winnetou/etc/openssl/ecdsa/openssl.cnf   |     2 -
 testing/hosts/winnetou/etc/openssl/ecdsa/serial    |     2 +-
 .../hosts/winnetou/etc/openssl/ecdsa/serial.old    |     2 +-
 testing/hosts/winnetou/etc/openssl/generate-crl    |     2 -
 testing/hosts/winnetou/etc/openssl/index.txt       |     1 +
 testing/hosts/winnetou/etc/openssl/index.txt.old   |     3 +-
 .../hosts/winnetou/etc/openssl/monster/openssl.cnf |     2 -
 testing/hosts/winnetou/etc/openssl/newcerts/15.pem |    25 +
 testing/hosts/winnetou/etc/openssl/openssl.cnf     |     2 -
 .../winnetou/etc/openssl/research/openssl.cnf      |     2 -
 .../hosts/winnetou/etc/openssl/sales/openssl.cnf   |     2 -
 testing/hosts/winnetou/etc/openssl/serial          |     2 +-
 testing/hosts/winnetou/etc/openssl/serial.old      |     2 +-
 testing/make-testing                               |     2 -
 testing/scripts/build-hostconfig                   |     2 -
 testing/scripts/build-sshkeys                      |     2 -
 testing/scripts/build-umlhostfs                    |     2 -
 testing/scripts/build-umlkernel                    |     2 -
 testing/scripts/build-umlrootfs                    |    17 +-
 testing/scripts/function.sh                        |    46 +-
 testing/scripts/gstart-umls                        |     2 -
 testing/scripts/kstart-umls                        |     2 -
 testing/scripts/load-testconfig                    |     2 -
 testing/scripts/restore-defaults                   |     2 -
 testing/scripts/start-bridges                      |    64 +
 testing/scripts/start-switches                     |    39 -
 testing/scripts/start-umls                         |     2 -
 testing/scripts/stop-bridges                       |    49 +
 testing/scripts/xstart-umls                        |     2 -
 testing/start-testing                              |     8 +-
 testing/stop-testing                               |    11 +-
 testing/testing.conf                               |    42 +-
 .../tests/gcrypt-ikev1/alg-serpent/description.txt |     4 +
 .../tests/gcrypt-ikev1/alg-serpent/evaltest.dat    |    10 +
 .../alg-serpent/hosts/carol/etc/ipsec.conf         |    24 +
 .../alg-serpent/hosts/carol/etc/strongswan.conf    |    11 +
 .../alg-serpent/hosts/moon/etc/ipsec.conf          |    24 +
 .../alg-serpent/hosts/moon/etc/strongswan.conf     |    11 +
 .../tests/gcrypt-ikev1/alg-serpent/posttest.dat    |     2 +
 testing/tests/gcrypt-ikev1/alg-serpent/pretest.dat |     5 +
 testing/tests/gcrypt-ikev1/alg-serpent/test.conf   |    22 +
 .../tests/gcrypt-ikev1/alg-twofish/description.txt |     4 +
 .../tests/gcrypt-ikev1/alg-twofish/evaltest.dat    |    10 +
 .../alg-twofish/hosts/carol/etc/ipsec.conf         |    24 +
 .../alg-twofish/hosts/carol/etc/strongswan.conf    |    11 +
 .../alg-twofish/hosts/moon/etc/ipsec.conf          |    24 +
 .../alg-twofish/hosts/moon/etc/strongswan.conf     |    11 +
 .../tests/gcrypt-ikev1/alg-twofish/posttest.dat    |     2 +
 testing/tests/gcrypt-ikev1/alg-twofish/pretest.dat |     5 +
 testing/tests/gcrypt-ikev1/alg-twofish/test.conf   |    22 +
 testing/tests/gcrypt-ikev1/rw-cert/description.txt |    12 +
 testing/tests/gcrypt-ikev1/rw-cert/evaltest.dat    |    10 +
 .../rw-cert/hosts/carol/etc/ipsec.conf             |    25 +
 .../rw-cert/hosts/carol/etc/strongswan.conf        |    14 +
 .../gcrypt-ikev1/rw-cert/hosts/dave/etc/ipsec.conf |    25 +
 .../rw-cert/hosts/dave/etc/strongswan.conf         |    15 +
 .../gcrypt-ikev1/rw-cert/hosts/moon/etc/ipsec.conf |    24 +
 .../rw-cert/hosts/moon/etc/strongswan.conf         |    14 +
 testing/tests/gcrypt-ikev1/rw-cert/posttest.dat    |     6 +
 testing/tests/gcrypt-ikev1/rw-cert/pretest.dat     |     9 +
 testing/tests/gcrypt-ikev1/rw-cert/test.conf       |    21 +
 .../gcrypt-ikev2/alg-camellia/description.txt      |     4 +
 .../tests/gcrypt-ikev2/alg-camellia/evaltest.dat   |     9 +
 .../alg-camellia/hosts/carol/etc/ipsec.conf        |    25 +
 .../alg-camellia/hosts/carol/etc/strongswan.conf   |     5 +
 .../alg-camellia/hosts/moon/etc/ipsec.conf         |    24 +
 .../alg-camellia/hosts/moon/etc/strongswan.conf    |     5 +
 .../tests/gcrypt-ikev2/alg-camellia/posttest.dat   |     4 +
 .../tests/gcrypt-ikev2/alg-camellia/pretest.dat    |     7 +
 testing/tests/gcrypt-ikev2/alg-camellia/test.conf  |    21 +
 testing/tests/gcrypt-ikev2/rw-cert/description.txt |    12 +
 testing/tests/gcrypt-ikev2/rw-cert/evaltest.dat    |    10 +
 .../rw-cert/hosts/carol/etc/ipsec.conf             |    24 +
 .../rw-cert/hosts/carol/etc/strongswan.conf        |    11 +
 .../gcrypt-ikev2/rw-cert/hosts/dave/etc/ipsec.conf |    24 +
 .../rw-cert/hosts/dave/etc/strongswan.conf         |    12 +
 .../gcrypt-ikev2/rw-cert/hosts/moon/etc/ipsec.conf |    23 +
 .../rw-cert/hosts/moon/etc/strongswan.conf         |    11 +
 testing/tests/gcrypt-ikev2/rw-cert/posttest.dat    |     6 +
 testing/tests/gcrypt-ikev2/rw-cert/pretest.dat     |     9 +
 testing/tests/gcrypt-ikev2/rw-cert/test.conf       |    21 +
 .../ike/rw-cert/hosts/carol/etc/strongswan.conf    |    14 +
 .../ike/rw-cert/hosts/dave/etc/strongswan.conf     |     8 +-
 .../ike/rw-cert/hosts/moon/etc/strongswan.conf     |    12 +-
 .../rw_v1-net_v2/hosts/moon/etc/strongswan.conf    |     6 +-
 .../after-2038-certs/hosts/carol/etc/ipsec.conf    |     3 +-
 .../hosts/carol/etc/strongswan.conf                |     5 -
 .../after-2038-certs/hosts/moon/etc/ipsec.conf     |     3 +-
 .../hosts/moon/etc/strongswan.conf                 |     5 -
 testing/tests/ikev1/alg-blowfish/description.txt   |     4 +-
 testing/tests/ikev1/alg-blowfish/evaltest.dat      |     8 +-
 .../alg-blowfish/hosts/carol/etc/strongswan.conf   |    11 +
 .../alg-blowfish/hosts/moon/etc/strongswan.conf    |    11 +
 testing/tests/ikev1/alg-serpent/description.txt    |     4 -
 testing/tests/ikev1/alg-serpent/evaltest.dat       |    10 -
 .../ikev1/alg-serpent/hosts/carol/etc/ipsec.conf   |    24 -
 .../ikev1/alg-serpent/hosts/moon/etc/ipsec.conf    |    24 -
 testing/tests/ikev1/alg-serpent/posttest.dat       |     2 -
 testing/tests/ikev1/alg-serpent/pretest.dat        |     5 -
 testing/tests/ikev1/alg-serpent/test.conf          |    22 -
 .../ikev1/alg-sha-equals-sha1/description.txt      |     5 -
 .../tests/ikev1/alg-sha-equals-sha1/evaltest.dat   |     9 -
 .../alg-sha-equals-sha1/hosts/carol/etc/ipsec.conf |    25 -
 .../alg-sha-equals-sha1/hosts/moon/etc/ipsec.conf  |    25 -
 .../tests/ikev1/alg-sha-equals-sha1/posttest.dat   |     2 -
 .../tests/ikev1/alg-sha-equals-sha1/pretest.dat    |     5 -
 testing/tests/ikev1/alg-sha-equals-sha1/test.conf  |    22 -
 testing/tests/ikev1/alg-sha2_256/description.txt   |     4 +-
 testing/tests/ikev1/alg-sha2_256/evaltest.dat      |     8 +-
 testing/tests/ikev1/alg-twofish/description.txt    |     4 -
 testing/tests/ikev1/alg-twofish/evaltest.dat       |    10 -
 .../ikev1/alg-twofish/hosts/carol/etc/ipsec.conf   |    24 -
 .../ikev1/alg-twofish/hosts/moon/etc/ipsec.conf    |    24 -
 testing/tests/ikev1/alg-twofish/posttest.dat       |     2 -
 testing/tests/ikev1/alg-twofish/pretest.dat        |     5 -
 testing/tests/ikev1/alg-twofish/test.conf          |    22 -
 .../ikev1/attr-cert/hosts/moon/etc/strongswan.conf |    10 +
 testing/tests/ikev1/crl-ldap/evaltest.dat          |     4 +-
 .../ikev1/crl-ldap/hosts/carol/etc/strongswan.conf |    11 +
 .../ikev1/crl-ldap/hosts/moon/etc/strongswan.conf  |    11 +
 .../default-keys/hosts/carol/etc/strongswan.conf   |    15 +
 .../default-keys/hosts/moon/etc/strongswan.conf    |    15 +
 testing/tests/ikev1/dpd-restart/evaltest.dat       |     2 +-
 .../tests/ikev1/esp-ah-transport/description.txt   |     2 +-
 testing/tests/ikev1/esp-ah-transport/evaltest.dat  |     4 +-
 testing/tests/ikev1/esp-ah-tunnel/description.txt  |     2 +-
 testing/tests/ikev1/esp-ah-tunnel/evaltest.dat     |     4 +-
 .../tests/ikev1/esp-alg-aesxcbc/description.txt    |     2 +-
 testing/tests/ikev1/esp-alg-aesxcbc/evaltest.dat   |     4 +-
 .../tests/ikev1/esp-alg-camellia/description.txt   |     2 +-
 testing/tests/ikev1/esp-alg-camellia/evaltest.dat  |     4 +-
 testing/tests/ikev1/esp-alg-des/evaltest.dat       |     6 +-
 testing/tests/ikev1/esp-alg-null/evaltest.dat      |     6 +-
 .../ikev1/esp-alg-null/hosts/carol/etc/ipsec.conf  |     2 +-
 .../ikev1/esp-alg-null/hosts/moon/etc/ipsec.conf   |     2 +-
 .../ikev1/esp-alg-strict-fail/description.txt      |     6 +-
 .../tests/ikev1/esp-alg-strict-fail/evaltest.dat   |     6 +-
 .../esp-alg-strict-fail/hosts/carol/etc/ipsec.conf |     2 +-
 .../esp-alg-strict-fail/hosts/moon/etc/ipsec.conf  |     2 +-
 testing/tests/ikev1/esp-alg-strict/description.txt |     8 +-
 testing/tests/ikev1/esp-alg-strict/evaltest.dat    |    10 +-
 .../esp-alg-strict/hosts/carol/etc/ipsec.conf      |     4 +-
 .../ikev1/esp-alg-strict/hosts/moon/etc/ipsec.conf |     2 +-
 testing/tests/ikev1/esp-alg-weak/description.txt   |     2 +-
 .../tests/ikev1/ike-alg-sha2_384/description.txt   |     4 +-
 testing/tests/ikev1/ike-alg-sha2_384/evaltest.dat  |     8 +-
 .../tests/ikev1/ike-alg-sha2_512/description.txt   |     4 +-
 testing/tests/ikev1/ike-alg-sha2_512/evaltest.dat  |     8 +-
 .../ikev1/ike-alg-strict-fail/description.txt      |     6 +-
 .../tests/ikev1/ike-alg-strict-fail/evaltest.dat   |     2 +-
 .../ike-alg-strict-fail/hosts/carol/etc/ipsec.conf |     2 +-
 .../ike-alg-strict-fail/hosts/moon/etc/ipsec.conf  |     2 +-
 testing/tests/ikev1/ike-alg-strict/description.txt |     8 +-
 testing/tests/ikev1/ike-alg-strict/evaltest.dat    |    10 +-
 .../ike-alg-strict/hosts/carol/etc/ipsec.conf      |     4 +-
 .../ikev1/ike-alg-strict/hosts/moon/etc/ipsec.conf |     2 +-
 testing/tests/ikev1/mode-config/evaltest.dat       |     2 +
 .../mode-config/hosts/moon/etc/strongswan.conf     |    13 +
 .../tests/ikev1/multi-level-ca-ldap/evaltest.dat   |     2 +-
 .../hosts/carol/etc/strongswan.conf                |    11 +
 .../hosts/dave/etc/strongswan.conf                 |    11 +
 .../hosts/moon/etc/strongswan.conf                 |    11 +
 .../nat-two-rw-psk/hosts/alice/etc/strongswan.conf |    11 +
 .../nat-two-rw-psk/hosts/sun/etc/strongswan.conf   |    11 +
 .../nat-two-rw-psk/hosts/venus/etc/strongswan.conf |    11 +
 .../hosts/moon/etc/strongswan.conf                 |    11 +
 .../net2net-psk-fail/hosts/sun/etc/strongswan.conf |    11 +
 .../net2net-psk/hosts/moon/etc/strongswan.conf     |    11 +
 .../net2net-psk/hosts/sun/etc/strongswan.conf      |    11 +
 testing/tests/ikev1/no-priv-key/evaltest.dat       |     4 +-
 testing/tests/ikev1/protoport-route/evaltest.dat   |     4 +-
 testing/tests/ikev1/protoport-route/pretest.dat    |     4 +-
 .../req-pkcs10/hosts/carol/etc/strongswan.conf     |    15 +
 .../req-pkcs10/hosts/moon/etc/strongswan.conf      |    15 +
 .../ikev1/rw-cert/hosts/carol/etc/strongswan.conf  |    14 +
 .../ikev1/rw-cert/hosts/moon/etc/strongswan.conf   |    14 +
 .../hosts/carol/etc/strongswan.conf                |    11 +
 .../hosts/moon/etc/strongswan.conf                 |    11 +
 .../rw-psk-fqdn/hosts/carol/etc/strongswan.conf    |    11 +
 .../rw-psk-fqdn/hosts/moon/etc/strongswan.conf     |    11 +
 .../rw-psk-ipv4/hosts/carol/etc/strongswan.conf    |    11 +
 .../rw-psk-ipv4/hosts/moon/etc/strongswan.conf     |    11 +
 .../hosts/carol/etc/strongswan.conf                |    11 +
 .../hosts/moon/etc/strongswan.conf                 |    11 +
 testing/tests/ikev1/rw-psk-rsa-mixed/evaltest.dat  |     2 +-
 testing/tests/ikev1/rw-rsa-no-policy/evaltest.dat  |     4 +-
 .../self-signed/hosts/carol/etc/strongswan.conf    |    15 +
 .../self-signed/hosts/moon/etc/strongswan.conf     |    15 +
 .../hosts/carol/etc/strongswan.conf                |    11 +
 .../hosts/dave/etc/strongswan.conf                 |    11 +
 .../hosts/moon/etc/strongswan.conf                 |    11 +
 .../xauth-psk/hosts/carol/etc/strongswan.conf      |    11 +
 .../ikev1/xauth-psk/hosts/dave/etc/strongswan.conf |    11 +
 .../ikev1/xauth-psk/hosts/moon/etc/strongswan.conf |    11 +
 testing/tests/ikev2/alg-aes-xcbc/description.txt   |     2 +-
 testing/tests/ikev2/alg-aes-xcbc/evaltest.dat      |     8 +-
 testing/tests/ikev2/alg-blowfish/description.txt   |     6 +
 testing/tests/ikev2/alg-blowfish/evaltest.dat      |    16 +
 .../ikev2/alg-blowfish/hosts/carol/etc/ipsec.conf  |    26 +
 .../alg-blowfish/hosts/carol/etc/strongswan.conf   |     6 +
 .../ikev2/alg-blowfish/hosts/dave/etc/ipsec.conf   |    25 +
 .../alg-blowfish/hosts/dave/etc/strongswan.conf    |     6 +
 .../ikev2/alg-blowfish/hosts/moon/etc/ipsec.conf   |    25 +
 .../alg-blowfish/hosts/moon/etc/strongswan.conf    |     6 +
 testing/tests/ikev2/alg-blowfish/posttest.dat      |     6 +
 testing/tests/ikev2/alg-blowfish/pretest.dat       |     9 +
 testing/tests/ikev2/alg-blowfish/test.conf         |    21 +
 .../any-interface/hosts/alice/etc/strongswan.conf  |     1 +
 .../any-interface/hosts/bob/etc/strongswan.conf    |     1 +
 .../any-interface/hosts/moon/etc/strongswan.conf   |     1 +
 .../any-interface/hosts/sun/etc/strongswan.conf    |     1 +
 .../config-payload/hosts/carol/etc/strongswan.conf |     2 +-
 .../config-payload/hosts/dave/etc/strongswan.conf  |     2 +-
 .../config-payload/hosts/moon/etc/strongswan.conf  |     2 +-
 testing/tests/ikev2/crl-revoked/evaltest.dat       |     1 -
 testing/tests/ikev2/crl-strict/description.txt     |     2 -
 testing/tests/ikev2/crl-strict/evaltest.dat        |     4 -
 .../ikev2/crl-strict/hosts/carol/etc/ipsec.conf    |    22 -
 .../ikev2/crl-strict/hosts/moon/etc/ipsec.conf     |    33 -
 testing/tests/ikev2/crl-strict/posttest.dat        |     2 -
 testing/tests/ikev2/crl-strict/pretest.dat         |     4 -
 testing/tests/ikev2/crl-strict/test.conf           |    21 -
 testing/tests/ikev2/crl-to-cache/evaltest.dat      |     4 +-
 .../default-keys/hosts/carol/etc/strongswan.conf   |     4 +
 .../default-keys/hosts/moon/etc/strongswan.conf    |     4 +
 .../tests/ikev2/esp-alg-aes-ccm/description.txt    |     4 +-
 testing/tests/ikev2/esp-alg-aes-ccm/evaltest.dat   |     4 +-
 .../tests/ikev2/esp-alg-aes-gcm/description.txt    |     2 +-
 testing/tests/ikev2/esp-alg-aes-gcm/evaltest.dat   |     4 +-
 .../tests/ikev2/esp-alg-camellia/description.txt   |     3 +
 testing/tests/ikev2/esp-alg-camellia/evaltest.dat  |     7 +
 .../esp-alg-camellia/hosts/carol/etc/ipsec.conf    |    25 +
 .../hosts/carol/etc/strongswan.conf                |     5 +
 .../esp-alg-camellia/hosts/moon/etc/ipsec.conf     |    24 +
 .../hosts/moon/etc/strongswan.conf                 |     5 +
 testing/tests/ikev2/esp-alg-camellia/posttest.dat  |     4 +
 testing/tests/ikev2/esp-alg-camellia/pretest.dat   |     7 +
 testing/tests/ikev2/esp-alg-camellia/test.conf     |    21 +
 testing/tests/ikev2/esp-alg-null/description.txt   |     2 +-
 .../hosts/moon/etc/strongswan.conf                 |     1 +
 .../hosts/sun/etc/strongswan.conf                  |     1 +
 .../ikev2/mult-auth-rsa-eap-sim-id/description.txt |    17 +
 .../ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat    |    21 +
 .../hosts/alice/etc/raddb/clients.conf             |     4 +
 .../hosts/alice/etc/raddb/eap.conf                 |     5 +
 .../hosts/alice/etc/raddb/proxy.conf               |     5 +
 .../hosts/alice/etc/raddb/radiusd.conf             |   123 +
 .../hosts/alice/etc/raddb/sites-available/default  |    62 +
 .../hosts/alice/etc/raddb/triplets.dat             |     7 +
 .../hosts/alice/etc/raddb/users                    |     0
 .../hosts/carol/etc/ipsec.conf                     |    26 +
 .../hosts/carol/etc/ipsec.d/triplets.dat           |     3 +
 .../hosts/carol/etc/ipsec.secrets                  |     3 +
 .../hosts/carol/etc/strongswan.conf                |     5 +
 .../hosts/dave/etc/ipsec.conf                      |    27 +
 .../hosts/dave/etc/ipsec.d/triplets.dat            |     3 +
 .../hosts/dave/etc/ipsec.secrets                   |     3 +
 .../hosts/dave/etc/strongswan.conf                 |     5 +
 .../hosts/moon/etc/init.d/iptables                 |    84 +
 .../hosts/moon/etc/ipsec.conf                      |    26 +
 .../hosts/moon/etc/ipsec.secrets                   |     3 +
 .../hosts/moon/etc/strongswan.conf                 |    11 +
 .../ikev2/mult-auth-rsa-eap-sim-id/posttest.dat    |     7 +
 .../ikev2/mult-auth-rsa-eap-sim-id/pretest.dat     |    15 +
 .../tests/ikev2/mult-auth-rsa-eap-sim-id/test.conf |    21 +
 .../ikev2/multi-level-ca-cr-init/description.txt   |    12 +-
 .../hosts/moon/etc/ipsec.conf                      |     4 +-
 .../ikev2/multi-level-ca-cr-resp/description.txt   |    12 +-
 .../ikev2/multi-level-ca-cr-resp/evaltest.dat      |     4 +-
 .../hosts/moon/etc/ipsec.conf                      |     4 +-
 .../tests/ikev2/multi-level-ca-ldap/evaltest.dat   |     5 +-
 .../tests/ikev2/multi-level-ca-loop/evaltest.dat   |     2 +-
 .../ikev2/multi-level-ca-revoked/evaltest.dat      |     1 -
 .../ikev2/multi-level-ca-strict/description.txt    |     2 +-
 testing/tests/ikev2/multi-level-ca/evaltest.dat    |     5 +-
 .../net2net-cert/hosts/moon/etc/strongswan.conf    |     1 +
 .../net2net-cert/hosts/sun/etc/strongswan.conf     |     1 +
 .../net2net-psk/hosts/moon/etc/strongswan.conf     |     1 +
 .../net2net-psk/hosts/sun/etc/strongswan.conf      |     1 +
 .../net2net-route/hosts/moon/etc/strongswan.conf   |     1 +
 .../net2net-route/hosts/sun/etc/strongswan.conf    |     1 +
 .../net2net-start/hosts/moon/etc/strongswan.conf   |     1 +
 .../net2net-start/hosts/sun/etc/strongswan.conf    |     1 +
 .../tests/ikev2/ocsp-no-signer-cert/evaltest.dat   |     3 +-
 testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat |     2 +-
 .../tests/ikev2/ocsp-untrusted-cert/evaltest.dat   |     2 +-
 testing/tests/ikev2/reauth-late/evaltest.dat       |     2 +-
 .../ikev2/rw-cert/hosts/carol/etc/strongswan.conf  |     8 +-
 .../ikev2/rw-cert/hosts/dave/etc/strongswan.conf   |     8 +-
 .../ikev2/rw-cert/hosts/moon/etc/strongswan.conf   |     8 +-
 testing/tests/ikev2/rw-eap-aka-id-rsa/evaltest.dat |     3 +-
 .../rw-eap-aka-id-rsa/hosts/carol/etc/ipsec.conf   |     4 +-
 .../rw-eap-aka-id-rsa/hosts/moon/etc/ipsec.conf    |     8 +-
 testing/tests/ikev2/rw-eap-aka-rsa/evaltest.dat    |     1 +
 .../rw-eap-aka-rsa/hosts/carol/etc/ipsec.conf      |     3 +-
 .../ikev2/rw-eap-aka-rsa/hosts/moon/etc/ipsec.conf |     6 +-
 .../tests/ikev2/rw-eap-md5-id-radius/evaltest.dat  |    10 +-
 .../hosts/carol/etc/ipsec.conf                     |     3 +-
 .../rw-eap-md5-id-radius/hosts/moon/etc/ipsec.conf |     6 +-
 testing/tests/ikev2/rw-eap-md5-radius/evaltest.dat |     2 +-
 .../rw-eap-md5-radius/hosts/carol/etc/ipsec.conf   |     3 +-
 .../rw-eap-md5-radius/hosts/moon/etc/ipsec.conf    |     4 +-
 .../rw-eap-md5-rsa/hosts/carol/etc/ipsec.conf      |     3 +-
 .../ikev2/rw-eap-md5-rsa/hosts/moon/etc/ipsec.conf |     4 +-
 .../ikev2/rw-eap-mschapv2-id-rsa/evaltest.dat      |     9 +-
 .../hosts/carol/etc/ipsec.conf                     |     4 +-
 .../hosts/moon/etc/ipsec.conf                      |     9 +-
 .../ikev2/rw-eap-sim-id-radius/description.txt     |     2 +-
 .../tests/ikev2/rw-eap-sim-id-radius/evaltest.dat  |     4 +-
 .../hosts/alice/etc/raddb/triplets.dat             |     6 +-
 .../hosts/carol/etc/ipsec.conf                     |     5 +-
 .../rw-eap-sim-id-radius/hosts/moon/etc/ipsec.conf |     6 +-
 testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat |     4 +-
 .../rw-eap-sim-rsa/hosts/carol/etc/ipsec.conf      |     3 +-
 .../ikev2/rw-eap-sim-rsa/hosts/moon/etc/ipsec.conf |     4 +-
 testing/tests/ikev2/two-certs/description.txt      |    13 +-
 testing/tests/ikev2/two-certs/evaltest.dat         |    19 +-
 .../ikev2/two-certs/hosts/carol/etc/ipsec.conf     |    18 +-
 .../carol/etc/ipsec.d/certs/carolCert-002.pem      |    25 +
 .../carol/etc/ipsec.d/private/carolKey-002.pem     |    27 +
 .../ikev2/two-certs/hosts/carol/etc/ipsec.secrets  |     5 +
 .../ikev2/two-certs/hosts/dave/etc/ipsec.conf      |    23 -
 .../ikev2/two-certs/hosts/dave/etc/strongswan.conf |     5 -
 .../ikev2/two-certs/hosts/moon/etc/ipsec.conf      |    19 +-
 .../moon/etc/ipsec.d/certs/carolRevokedCert.pem    |    25 -
 .../hosts/moon/etc/ipsec.d/certs/daveCert.der      |   Bin 827 -> 0 bytes
 testing/tests/ikev2/two-certs/posttest.dat         |     5 +-
 testing/tests/ikev2/two-certs/pretest.dat          |     7 +-
 testing/tests/ikev2/two-certs/test.conf            |     6 +-
 .../openssl-ikev1/alg-ecp-high/description.txt     |    17 +
 .../tests/openssl-ikev1/alg-ecp-high/evaltest.dat  |    13 +
 .../alg-ecp-high/hosts/carol/etc/ipsec.conf        |    25 +
 .../alg-ecp-high/hosts/carol/etc/strongswan.conf   |    11 +
 .../alg-ecp-high/hosts/dave/etc/ipsec.conf         |    25 +
 .../alg-ecp-high/hosts/dave/etc/strongswan.conf    |    11 +
 .../alg-ecp-high/hosts/moon/etc/ipsec.conf         |    24 +
 .../alg-ecp-high/hosts/moon/etc/strongswan.conf    |    11 +
 .../tests/openssl-ikev1/alg-ecp-high/posttest.dat  |     6 +
 .../tests/openssl-ikev1/alg-ecp-high/pretest.dat   |     9 +
 testing/tests/openssl-ikev1/alg-ecp-high/test.conf |    21 +
 .../openssl-ikev1/alg-ecp-low/description.txt      |    17 +
 .../tests/openssl-ikev1/alg-ecp-low/evaltest.dat   |    13 +
 .../alg-ecp-low/hosts/carol/etc/ipsec.conf         |    25 +
 .../alg-ecp-low/hosts/carol/etc/strongswan.conf    |    11 +
 .../alg-ecp-low/hosts/dave/etc/ipsec.conf          |    25 +
 .../alg-ecp-low/hosts/dave/etc/strongswan.conf     |    11 +
 .../alg-ecp-low/hosts/moon/etc/ipsec.conf          |    24 +
 .../alg-ecp-low/hosts/moon/etc/strongswan.conf     |    11 +
 .../tests/openssl-ikev1/alg-ecp-low/posttest.dat   |     6 +
 .../tests/openssl-ikev1/alg-ecp-low/pretest.dat    |     9 +
 testing/tests/openssl-ikev1/alg-ecp-low/test.conf  |    21 +
 .../openssl-ikev1/ecdsa-certs/description.txt      |    11 +
 .../tests/openssl-ikev1/ecdsa-certs/evaltest.dat   |    15 +
 .../ecdsa-certs/hosts/carol/etc/ipsec.conf         |    23 +
 .../carol/etc/ipsec.d/cacerts/strongswanCert.pem   |    17 +
 .../hosts/carol/etc/ipsec.d/certs/carolCert.pem    |    18 +
 .../hosts/carol/etc/ipsec.d/private/carolKey.pem   |     8 +
 .../ecdsa-certs/hosts/carol/etc/ipsec.secrets      |     3 +
 .../ecdsa-certs/hosts/carol/etc/strongswan.conf    |    11 +
 .../ecdsa-certs/hosts/dave/etc/ipsec.conf          |    23 +
 .../dave/etc/ipsec.d/cacerts/strongswanCert.pem    |    17 +
 .../hosts/dave/etc/ipsec.d/certs/daveCert.pem      |    19 +
 .../hosts/dave/etc/ipsec.d/private/daveKey.pem     |     6 +
 .../ecdsa-certs/hosts/dave/etc/ipsec.secrets       |     3 +
 .../ecdsa-certs/hosts/dave/etc/strongswan.conf     |    11 +
 .../ecdsa-certs/hosts/moon/etc/ipsec.conf          |    32 +
 .../moon/etc/ipsec.d/cacerts/strongswanCert.pem    |    17 +
 .../moon/etc/ipsec.d/certs/moon_ec256_Cert.pem     |    18 +
 .../moon/etc/ipsec.d/certs/moon_ec384_Cert.pem     |    19 +
 .../moon/etc/ipsec.d/private/moon_ec256_Key.pem    |     5 +
 .../moon/etc/ipsec.d/private/moon_ec384_Key.pem    |     6 +
 .../ecdsa-certs/hosts/moon/etc/ipsec.secrets       |     5 +
 .../ecdsa-certs/hosts/moon/etc/strongswan.conf     |    11 +
 .../tests/openssl-ikev1/ecdsa-certs/posttest.dat   |     8 +
 .../tests/openssl-ikev1/ecdsa-certs/pretest.dat    |     9 +
 testing/tests/openssl-ikev1/ecdsa-certs/test.conf  |    21 +
 .../tests/openssl-ikev1/rw-cert/description.txt    |    12 +
 testing/tests/openssl-ikev1/rw-cert/evaltest.dat   |    10 +
 .../rw-cert/hosts/carol/etc/ipsec.conf             |    25 +
 .../rw-cert/hosts/carol/etc/strongswan.conf        |    14 +
 .../rw-cert/hosts/dave/etc/ipsec.conf              |    25 +
 .../rw-cert/hosts/dave/etc/strongswan.conf         |    15 +
 .../rw-cert/hosts/moon/etc/ipsec.conf              |    24 +
 .../rw-cert/hosts/moon/etc/strongswan.conf         |    15 +
 testing/tests/openssl-ikev1/rw-cert/posttest.dat   |     6 +
 testing/tests/openssl-ikev1/rw-cert/pretest.dat    |     9 +
 testing/tests/openssl-ikev1/rw-cert/test.conf      |    21 +
 .../openssl-ikev2/alg-blowfish/description.txt     |    11 +
 .../tests/openssl-ikev2/alg-blowfish/evaltest.dat  |    16 +
 .../alg-blowfish/hosts/carol/etc/ipsec.conf        |    25 +
 .../alg-blowfish/hosts/carol/etc/strongswan.conf   |     5 +
 .../alg-blowfish/hosts/dave/etc/ipsec.conf         |    25 +
 .../alg-blowfish/hosts/dave/etc/strongswan.conf    |     5 +
 .../alg-blowfish/hosts/moon/etc/ipsec.conf         |    24 +
 .../alg-blowfish/hosts/moon/etc/strongswan.conf    |     5 +
 .../tests/openssl-ikev2/alg-blowfish/posttest.dat  |     6 +
 .../tests/openssl-ikev2/alg-blowfish/pretest.dat   |     9 +
 testing/tests/openssl-ikev2/alg-blowfish/test.conf |    21 +
 .../openssl-ikev2/alg-ecp-high/description.txt     |    17 +
 .../tests/openssl-ikev2/alg-ecp-high/evaltest.dat  |    14 +
 .../alg-ecp-high/hosts/carol/etc/ipsec.conf        |    24 +
 .../alg-ecp-high/hosts/carol/etc/strongswan.conf   |     5 +
 .../alg-ecp-high/hosts/dave/etc/ipsec.conf         |    24 +
 .../alg-ecp-high/hosts/dave/etc/strongswan.conf    |     5 +
 .../alg-ecp-high/hosts/moon/etc/ipsec.conf         |    23 +
 .../alg-ecp-high/hosts/moon/etc/strongswan.conf    |     5 +
 .../tests/openssl-ikev2/alg-ecp-high/posttest.dat  |     6 +
 .../tests/openssl-ikev2/alg-ecp-high/pretest.dat   |     9 +
 testing/tests/openssl-ikev2/alg-ecp-high/test.conf |    21 +
 .../openssl-ikev2/alg-ecp-low/description.txt      |    17 +
 .../tests/openssl-ikev2/alg-ecp-low/evaltest.dat   |    14 +
 .../alg-ecp-low/hosts/carol/etc/ipsec.conf         |    24 +
 .../alg-ecp-low/hosts/carol/etc/strongswan.conf    |     5 +
 .../alg-ecp-low/hosts/dave/etc/ipsec.conf          |    24 +
 .../alg-ecp-low/hosts/dave/etc/strongswan.conf     |     5 +
 .../alg-ecp-low/hosts/moon/etc/ipsec.conf          |    23 +
 .../alg-ecp-low/hosts/moon/etc/strongswan.conf     |     5 +
 .../tests/openssl-ikev2/alg-ecp-low/posttest.dat   |     6 +
 .../tests/openssl-ikev2/alg-ecp-low/pretest.dat    |     9 +
 testing/tests/openssl-ikev2/alg-ecp-low/test.conf  |    21 +
 .../openssl-ikev2/ecdsa-certs/description.txt      |    11 +
 .../tests/openssl-ikev2/ecdsa-certs/evaltest.dat   |    14 +
 .../ecdsa-certs/hosts/carol/etc/ipsec.conf         |    23 +
 .../carol/etc/ipsec.d/cacerts/strongswanCert.pem   |    17 +
 .../hosts/carol/etc/ipsec.d/certs/carolCert.pem    |    18 +
 .../hosts/carol/etc/ipsec.d/private/carolKey.pem   |     8 +
 .../ecdsa-certs/hosts/carol/etc/ipsec.secrets      |     3 +
 .../ecdsa-certs/hosts/carol/etc/strongswan.conf    |     5 +
 .../ecdsa-certs/hosts/dave/etc/ipsec.conf          |    23 +
 .../dave/etc/ipsec.d/cacerts/strongswanCert.pem    |    17 +
 .../hosts/dave/etc/ipsec.d/certs/daveCert.pem      |    19 +
 .../hosts/dave/etc/ipsec.d/private/daveKey.pem     |     6 +
 .../ecdsa-certs/hosts/dave/etc/ipsec.secrets       |     3 +
 .../ecdsa-certs/hosts/dave/etc/strongswan.conf     |     5 +
 .../ecdsa-certs/hosts/moon/etc/ipsec.conf          |    22 +
 .../moon/etc/ipsec.d/cacerts/strongswanCert.pem    |    17 +
 .../hosts/moon/etc/ipsec.d/certs/moonCert.pem      |    20 +
 .../hosts/moon/etc/ipsec.d/private/moonKey.pem     |     7 +
 .../ecdsa-certs/hosts/moon/etc/ipsec.secrets       |     3 +
 .../ecdsa-certs/hosts/moon/etc/strongswan.conf     |     5 +
 .../tests/openssl-ikev2/ecdsa-certs/posttest.dat   |     6 +
 .../tests/openssl-ikev2/ecdsa-certs/pretest.dat    |     9 +
 testing/tests/openssl-ikev2/ecdsa-certs/test.conf  |    21 +
 .../tests/openssl-ikev2/rw-cert/description.txt    |    12 +
 testing/tests/openssl-ikev2/rw-cert/evaltest.dat   |    10 +
 .../rw-cert/hosts/carol/etc/ipsec.conf             |    24 +
 .../rw-cert/hosts/carol/etc/strongswan.conf        |    12 +
 .../rw-cert/hosts/dave/etc/ipsec.conf              |    24 +
 .../rw-cert/hosts/dave/etc/strongswan.conf         |    12 +
 .../rw-cert/hosts/moon/etc/ipsec.conf              |    23 +
 .../rw-cert/hosts/moon/etc/strongswan.conf         |    11 +
 testing/tests/openssl-ikev2/rw-cert/posttest.dat   |     6 +
 testing/tests/openssl-ikev2/rw-cert/pretest.dat    |     9 +
 testing/tests/openssl-ikev2/rw-cert/test.conf      |    21 +
 testing/tests/openssl/ecdsa-certs/description.txt  |    11 -
 testing/tests/openssl/ecdsa-certs/evaltest.dat     |    14 -
 .../openssl/ecdsa-certs/hosts/carol/etc/ipsec.conf |    24 -
 .../carol/etc/ipsec.d/cacerts/strongswanCert.pem   |    17 -
 .../hosts/carol/etc/ipsec.d/certs/carolCert.pem    |    18 -
 .../hosts/carol/etc/ipsec.d/private/carolKey.pem   |     8 -
 .../ecdsa-certs/hosts/carol/etc/ipsec.secrets      |     3 -
 .../ecdsa-certs/hosts/carol/etc/strongswan.conf    |     5 -
 .../openssl/ecdsa-certs/hosts/dave/etc/ipsec.conf  |    24 -
 .../dave/etc/ipsec.d/cacerts/strongswanCert.pem    |    17 -
 .../hosts/dave/etc/ipsec.d/certs/daveCert.pem      |    19 -
 .../hosts/dave/etc/ipsec.d/private/daveKey.pem     |     6 -
 .../ecdsa-certs/hosts/dave/etc/ipsec.secrets       |     3 -
 .../ecdsa-certs/hosts/dave/etc/strongswan.conf     |     5 -
 .../openssl/ecdsa-certs/hosts/moon/etc/ipsec.conf  |    23 -
 .../moon/etc/ipsec.d/cacerts/strongswanCert.pem    |    17 -
 .../hosts/moon/etc/ipsec.d/certs/moonCert.pem      |    20 -
 .../hosts/moon/etc/ipsec.d/private/moonKey.pem     |     7 -
 .../ecdsa-certs/hosts/moon/etc/ipsec.secrets       |     3 -
 .../ecdsa-certs/hosts/moon/etc/strongswan.conf     |     5 -
 testing/tests/openssl/ecdsa-certs/posttest.dat     |     6 -
 testing/tests/openssl/ecdsa-certs/pretest.dat      |     9 -
 testing/tests/openssl/ecdsa-certs/test.conf        |    21 -
 .../tests/openssl/ike-alg-ecp-high/description.txt |    17 -
 .../tests/openssl/ike-alg-ecp-high/evaltest.dat    |    14 -
 .../ike-alg-ecp-high/hosts/carol/etc/ipsec.conf    |    24 -
 .../hosts/carol/etc/strongswan.conf                |     5 -
 .../ike-alg-ecp-high/hosts/dave/etc/ipsec.conf     |    24 -
 .../hosts/dave/etc/strongswan.conf                 |     5 -
 .../ike-alg-ecp-high/hosts/moon/etc/ipsec.conf     |    23 -
 .../hosts/moon/etc/strongswan.conf                 |     5 -
 .../tests/openssl/ike-alg-ecp-high/posttest.dat    |     6 -
 testing/tests/openssl/ike-alg-ecp-high/pretest.dat |     9 -
 testing/tests/openssl/ike-alg-ecp-high/test.conf   |    21 -
 .../tests/openssl/ike-alg-ecp-low/description.txt  |    17 -
 testing/tests/openssl/ike-alg-ecp-low/evaltest.dat |    14 -
 .../ike-alg-ecp-low/hosts/carol/etc/ipsec.conf     |    24 -
 .../hosts/carol/etc/strongswan.conf                |     5 -
 .../ike-alg-ecp-low/hosts/dave/etc/ipsec.conf      |    24 -
 .../ike-alg-ecp-low/hosts/dave/etc/strongswan.conf |     5 -
 .../ike-alg-ecp-low/hosts/moon/etc/ipsec.conf      |    23 -
 .../ike-alg-ecp-low/hosts/moon/etc/strongswan.conf |     5 -
 testing/tests/openssl/ike-alg-ecp-low/posttest.dat |     6 -
 testing/tests/openssl/ike-alg-ecp-low/pretest.dat  |     9 -
 testing/tests/openssl/ike-alg-ecp-low/test.conf    |    21 -
 testing/tests/openssl/rw-cert/description.txt      |    12 -
 testing/tests/openssl/rw-cert/evaltest.dat         |    10 -
 .../openssl/rw-cert/hosts/carol/etc/ipsec.conf     |    24 -
 .../rw-cert/hosts/carol/etc/strongswan.conf        |     5 -
 .../openssl/rw-cert/hosts/dave/etc/ipsec.conf      |    24 -
 .../openssl/rw-cert/hosts/dave/etc/strongswan.conf |     5 -
 .../openssl/rw-cert/hosts/moon/etc/ipsec.conf      |    23 -
 .../openssl/rw-cert/hosts/moon/etc/strongswan.conf |     5 -
 testing/tests/openssl/rw-cert/posttest.dat         |     6 -
 testing/tests/openssl/rw-cert/pretest.dat          |     9 -
 testing/tests/openssl/rw-cert/test.conf            |    21 -
 testing/tests/pfkey/alg-aes-xcbc/description.txt   |     2 +-
 testing/tests/pfkey/alg-aes-xcbc/evaltest.dat      |     8 +-
 .../pfkey/rw-cert/hosts/carol/etc/strongswan.conf  |     8 +-
 .../pfkey/rw-cert/hosts/dave/etc/strongswan.conf   |     8 +-
 .../pfkey/rw-cert/hosts/moon/etc/strongswan.conf   |     8 +-
 .../sql/rw-cert/hosts/carol/etc/strongswan.conf    |     8 +-
 .../sql/rw-cert/hosts/dave/etc/strongswan.conf     |     8 +-
 .../sql/rw-cert/hosts/moon/etc/strongswan.conf     |     8 +-
 .../hosts/carol/etc/ipsec.d/data.sql               |    16 +-
 .../rw-eap-aka-rsa/hosts/moon/etc/ipsec.d/data.sql |    14 +-
 1596 files changed, 83514 insertions(+), 85896 deletions(-)
 create mode 100644 scripts/dh_speed.c
 create mode 100644 scripts/pubkey_speed.c
 create mode 100644 src/charon/config/attributes/attribute_handler.h
 create mode 100644 src/charon/config/auth_cfg.c
 create mode 100644 src/charon/config/auth_cfg.h
 delete mode 100644 src/charon/credentials/auth_info.c
 delete mode 100644 src/charon/credentials/auth_info.h
 create mode 100644 src/charon/credentials/sets/auth_cfg_wrapper.c
 create mode 100644 src/charon/credentials/sets/auth_cfg_wrapper.h
 delete mode 100644 src/charon/credentials/sets/auth_info_wrapper.c
 delete mode 100644 src/charon/credentials/sets/auth_info_wrapper.h
 create mode 100644 src/charon/plugins/attr/Makefile.am
 create mode 100644 src/charon/plugins/attr/Makefile.in
 create mode 100644 src/charon/plugins/attr/attr_plugin.c
 create mode 100644 src/charon/plugins/attr/attr_plugin.h
 create mode 100644 src/charon/plugins/attr/attr_provider.c
 create mode 100644 src/charon/plugins/attr/attr_provider.h
 create mode 100644 src/charon/plugins/kernel_pfroute/Makefile.am
 create mode 100644 src/charon/plugins/kernel_pfroute/Makefile.in
 create mode 100644 src/charon/plugins/kernel_pfroute/kernel_pfroute_net.c
 create mode 100644 src/charon/plugins/kernel_pfroute/kernel_pfroute_net.h
 create mode 100644 src/charon/plugins/kernel_pfroute/kernel_pfroute_plugin.c
 create mode 100644 src/charon/plugins/kernel_pfroute/kernel_pfroute_plugin.h
 create mode 100644 src/charon/plugins/nm/nm_handler.c
 create mode 100644 src/charon/plugins/nm/nm_handler.h
 create mode 100644 src/charon/plugins/resolv_conf/Makefile.am
 create mode 100644 src/charon/plugins/resolv_conf/Makefile.in
 create mode 100644 src/charon/plugins/resolv_conf/resolv_conf_handler.c
 create mode 100644 src/charon/plugins/resolv_conf/resolv_conf_handler.h
 create mode 100644 src/charon/plugins/resolv_conf/resolv_conf_plugin.c
 create mode 100644 src/charon/plugins/resolv_conf/resolv_conf_plugin.h
 delete mode 100644 src/charon/plugins/unit_tester/tests/test_aes.c
 delete mode 100644 src/charon/plugins/unit_tester/tests/test_fips_prf.c
 create mode 100644 src/charon/plugins/unit_tester/tests/test_id.c
 delete mode 100644 src/charon/plugins/unit_tester/tests/test_rng.c
 create mode 100644 src/charon/sa/trap_manager.c
 create mode 100644 src/charon/sa/trap_manager.h
 delete mode 100644 src/dumm/ext/extconf.rb
 create mode 100644 src/dumm/ext/extconf.rb.in
 delete mode 100644 src/libcrypto/Makefile.am
 delete mode 100644 src/libcrypto/Makefile.in
 delete mode 100644 src/libcrypto/include/cbc_generic.h
 delete mode 100644 src/libcrypto/include/hmac_generic.h
 delete mode 100644 src/libcrypto/include/md32_common.h
 delete mode 100644 src/libcrypto/libaes/aes.c
 delete mode 100644 src/libcrypto/libaes/aes.h
 delete mode 100644 src/libcrypto/libaes/aes_cbc.c
 delete mode 100644 src/libcrypto/libaes/aes_cbc.h
 delete mode 100644 src/libcrypto/libaes/aes_xcbc_mac.c
 delete mode 100644 src/libcrypto/libaes/aes_xcbc_mac.h
 delete mode 100644 src/libcrypto/libblowfish/bf_enc.c
 delete mode 100644 src/libcrypto/libblowfish/bf_locl.h
 delete mode 100644 src/libcrypto/libblowfish/bf_pi.h
 delete mode 100644 src/libcrypto/libblowfish/bf_skey.c
 delete mode 100644 src/libcrypto/libblowfish/blowfish.h
 delete mode 100644 src/libcrypto/libdes/cbc_enc.c
 delete mode 100644 src/libcrypto/libdes/des.h
 delete mode 100644 src/libcrypto/libdes/des_enc.c
 delete mode 100644 src/libcrypto/libdes/des_locl.h
 delete mode 100644 src/libcrypto/libdes/des_ver.h
 delete mode 100644 src/libcrypto/libdes/destest.c
 delete mode 100644 src/libcrypto/libdes/ecb_enc.c
 delete mode 100644 src/libcrypto/libdes/fcrypt.c
 delete mode 100644 src/libcrypto/libdes/fcrypt_b.c
 delete mode 100644 src/libcrypto/libdes/podd.h
 delete mode 100644 src/libcrypto/libdes/set_key.c
 delete mode 100644 src/libcrypto/libdes/sk.h
 delete mode 100644 src/libcrypto/libdes/spr.h
 delete mode 100644 src/libcrypto/libserpent/serpent.c
 delete mode 100644 src/libcrypto/libserpent/serpent.h
 delete mode 100644 src/libcrypto/libserpent/serpent_cbc.c
 delete mode 100644 src/libcrypto/libserpent/serpent_cbc.h
 delete mode 100644 src/libcrypto/libsha2/hmac_sha2.c
 delete mode 100644 src/libcrypto/libsha2/hmac_sha2.h
 delete mode 100644 src/libcrypto/libsha2/sha2.c
 delete mode 100644 src/libcrypto/libsha2/sha2.h
 delete mode 100644 src/libcrypto/libtwofish/twofish.c
 delete mode 100644 src/libcrypto/libtwofish/twofish.h
 delete mode 100644 src/libcrypto/libtwofish/twofish_cbc.c
 delete mode 100644 src/libcrypto/libtwofish/twofish_cbc.h
 delete mode 100644 src/libfreeswan/ipcomp.h
 delete mode 100644 src/libfreeswan/ipsec_ah.h
 delete mode 100644 src/libfreeswan/ipsec_alg.h
 delete mode 100644 src/libfreeswan/ipsec_encap.h
 delete mode 100644 src/libfreeswan/ipsec_eroute.h
 delete mode 100644 src/libfreeswan/ipsec_errs.h
 delete mode 100644 src/libfreeswan/ipsec_esp.h
 delete mode 100644 src/libfreeswan/ipsec_ipe4.h
 delete mode 100644 src/libfreeswan/ipsec_kversion.h
 delete mode 100644 src/libfreeswan/ipsec_life.h
 delete mode 100644 src/libfreeswan/ipsec_md5h.h
 delete mode 100644 src/libfreeswan/ipsec_policy.h
 delete mode 100644 src/libfreeswan/ipsec_proto.h
 delete mode 100644 src/libfreeswan/ipsec_radij.h
 delete mode 100644 src/libfreeswan/ipsec_rcv.h
 delete mode 100644 src/libfreeswan/ipsec_sa.h
 delete mode 100644 src/libfreeswan/ipsec_sha1.h
 delete mode 100644 src/libfreeswan/ipsec_stats.h
 delete mode 100644 src/libfreeswan/ipsec_tunnel.h
 delete mode 100644 src/libfreeswan/ipsec_xform.h
 delete mode 100644 src/libfreeswan/ipsec_xmit.h
 delete mode 100644 src/libfreeswan/optionsfrom.3
 delete mode 100644 src/libfreeswan/optionsfrom.c
 delete mode 100644 src/libfreeswan/radij.h
 delete mode 100644 src/libfreeswan/version.3
 delete mode 100644 src/libfreeswan/version.c
 create mode 100644 src/libstrongswan/crypto/crypto_tester.c
 create mode 100644 src/libstrongswan/crypto/crypto_tester.h
 create mode 100644 src/libstrongswan/crypto/proposal/proposal_keywords.c
 create mode 100644 src/libstrongswan/crypto/proposal/proposal_keywords.h
 create mode 100644 src/libstrongswan/crypto/proposal/proposal_keywords.txt
 create mode 100644 src/libstrongswan/crypto/transform.c
 create mode 100644 src/libstrongswan/crypto/transform.h
 create mode 100644 src/libstrongswan/pgp/pgp.c
 create mode 100644 src/libstrongswan/pgp/pgp.h
 create mode 100644 src/libstrongswan/plugins/blowfish/Makefile.am
 create mode 100644 src/libstrongswan/plugins/blowfish/Makefile.in
 create mode 100644 src/libstrongswan/plugins/blowfish/bf_enc.c
 create mode 100644 src/libstrongswan/plugins/blowfish/bf_locl.h
 create mode 100644 src/libstrongswan/plugins/blowfish/bf_pi.h
 create mode 100644 src/libstrongswan/plugins/blowfish/bf_skey.c
 create mode 100644 src/libstrongswan/plugins/blowfish/blowfish.h
 create mode 100644 src/libstrongswan/plugins/blowfish/blowfish_crypter.c
 create mode 100644 src/libstrongswan/plugins/blowfish/blowfish_crypter.h
 create mode 100644 src/libstrongswan/plugins/blowfish/blowfish_plugin.c
 create mode 100644 src/libstrongswan/plugins/blowfish/blowfish_plugin.h
 create mode 100644 src/libstrongswan/plugins/gcrypt/Makefile.am
 create mode 100644 src/libstrongswan/plugins/gcrypt/Makefile.in
 create mode 100644 src/libstrongswan/plugins/gcrypt/gcrypt_crypter.c
 create mode 100644 src/libstrongswan/plugins/gcrypt/gcrypt_crypter.h
 create mode 100644 src/libstrongswan/plugins/gcrypt/gcrypt_dh.c
 create mode 100644 src/libstrongswan/plugins/gcrypt/gcrypt_dh.h
 create mode 100644 src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c
 create mode 100644 src/libstrongswan/plugins/gcrypt/gcrypt_hasher.h
 create mode 100644 src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c
 create mode 100644 src/libstrongswan/plugins/gcrypt/gcrypt_plugin.h
 create mode 100644 src/libstrongswan/plugins/gcrypt/gcrypt_rng.c
 create mode 100644 src/libstrongswan/plugins/gcrypt/gcrypt_rng.h
 create mode 100644 src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c
 create mode 100644 src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.h
 create mode 100644 src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c
 create mode 100644 src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.h
 create mode 100644 src/libstrongswan/plugins/test_vectors/Makefile.am
 create mode 100644 src/libstrongswan/plugins/test_vectors/Makefile.in
 create mode 100644 src/libstrongswan/plugins/test_vectors/test_vectors.h
 create mode 100644 src/libstrongswan/plugins/test_vectors/test_vectors/3des_cbc.c
 create mode 100644 src/libstrongswan/plugins/test_vectors/test_vectors/aes_cbc.c
 create mode 100644 src/libstrongswan/plugins/test_vectors/test_vectors/aes_xcbc.c
 create mode 100644 src/libstrongswan/plugins/test_vectors/test_vectors/blowfish.c
 create mode 100644 src/libstrongswan/plugins/test_vectors/test_vectors/camellia_cbc.c
 create mode 100644 src/libstrongswan/plugins/test_vectors/test_vectors/cast.c
 create mode 100644 src/libstrongswan/plugins/test_vectors/test_vectors/des.c
 create mode 100644 src/libstrongswan/plugins/test_vectors/test_vectors/fips_prf.c
 create mode 100644 src/libstrongswan/plugins/test_vectors/test_vectors/idea.c
 create mode 100644 src/libstrongswan/plugins/test_vectors/test_vectors/md2.c
 create mode 100644 src/libstrongswan/plugins/test_vectors/test_vectors/md4.c
 create mode 100644 src/libstrongswan/plugins/test_vectors/test_vectors/md5.c
 create mode 100644 src/libstrongswan/plugins/test_vectors/test_vectors/md5_hmac.c
 create mode 100644 src/libstrongswan/plugins/test_vectors/test_vectors/null.c
 create mode 100644 src/libstrongswan/plugins/test_vectors/test_vectors/rc5.c
 create mode 100644 src/libstrongswan/plugins/test_vectors/test_vectors/rng.c
 create mode 100644 src/libstrongswan/plugins/test_vectors/test_vectors/serpent_cbc.c
 create mode 100644 src/libstrongswan/plugins/test_vectors/test_vectors/sha1.c
 create mode 100644 src/libstrongswan/plugins/test_vectors/test_vectors/sha1_hmac.c
 create mode 100644 src/libstrongswan/plugins/test_vectors/test_vectors/sha2.c
 create mode 100644 src/libstrongswan/plugins/test_vectors/test_vectors/sha2_hmac.c
 create mode 100644 src/libstrongswan/plugins/test_vectors/test_vectors/twofish_cbc.c
 create mode 100644 src/libstrongswan/plugins/test_vectors/test_vectors_plugin.c
 create mode 100644 src/libstrongswan/plugins/test_vectors/test_vectors_plugin.h
 delete mode 100644 src/pluto/TODO
 delete mode 100644 src/pluto/alg/ike_alg_aes.c
 delete mode 100644 src/pluto/alg/ike_alg_blowfish.c
 delete mode 100644 src/pluto/alg/ike_alg_serpent.c
 delete mode 100644 src/pluto/alg/ike_alg_sha2.c
 delete mode 100644 src/pluto/alg/ike_alg_twofish.c
 delete mode 100644 src/pluto/alg/ike_alginit.c
 delete mode 100644 src/pluto/asn1.c
 delete mode 100644 src/pluto/asn1.h
 delete mode 100644 src/pluto/dsa.c
 delete mode 100644 src/pluto/dsa.h
 delete mode 100644 src/pluto/elgamal.c
 delete mode 100644 src/pluto/elgamal.h
 delete mode 100644 src/pluto/gcryptfix.c
 delete mode 100644 src/pluto/gcryptfix.h
 delete mode 100644 src/pluto/md2.c
 delete mode 100644 src/pluto/md2.h
 delete mode 100644 src/pluto/md5.c
 delete mode 100644 src/pluto/md5.h
 delete mode 100644 src/pluto/mp_defs.c
 delete mode 100644 src/pluto/mp_defs.h
 delete mode 100644 src/pluto/pgp.c
 delete mode 100644 src/pluto/pgp.h
 create mode 100644 src/pluto/pgpcert.c
 create mode 100644 src/pluto/pgpcert.h
 delete mode 100644 src/pluto/pkcs1.c
 delete mode 100644 src/pluto/pkcs1.h
 delete mode 100644 src/pluto/primegen.c
 delete mode 100644 src/pluto/rnd.c
 delete mode 100644 src/pluto/rnd.h
 delete mode 100644 src/pluto/sha1.c
 delete mode 100644 src/pluto/sha1.h
 delete mode 100644 src/pluto/smallprime.c
 delete mode 100644 src/scepclient/rsakey.c
 delete mode 100644 src/scepclient/rsakey.h
 create mode 100644 testing/hosts/winnetou/etc/openssl/ecdsa/newcerts/05.pem
 create mode 100644 testing/hosts/winnetou/etc/openssl/ecdsa/newcerts/06.pem
 create mode 100644 testing/hosts/winnetou/etc/openssl/newcerts/15.pem
 create mode 100755 testing/scripts/start-bridges
 delete mode 100755 testing/scripts/start-switches
 create mode 100755 testing/scripts/stop-bridges
 create mode 100644 testing/tests/gcrypt-ikev1/alg-serpent/description.txt
 create mode 100644 testing/tests/gcrypt-ikev1/alg-serpent/evaltest.dat
 create mode 100755 testing/tests/gcrypt-ikev1/alg-serpent/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/gcrypt-ikev1/alg-serpent/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/gcrypt-ikev1/alg-serpent/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/gcrypt-ikev1/alg-serpent/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/gcrypt-ikev1/alg-serpent/posttest.dat
 create mode 100644 testing/tests/gcrypt-ikev1/alg-serpent/pretest.dat
 create mode 100644 testing/tests/gcrypt-ikev1/alg-serpent/test.conf
 create mode 100644 testing/tests/gcrypt-ikev1/alg-twofish/description.txt
 create mode 100644 testing/tests/gcrypt-ikev1/alg-twofish/evaltest.dat
 create mode 100755 testing/tests/gcrypt-ikev1/alg-twofish/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/gcrypt-ikev1/alg-twofish/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/gcrypt-ikev1/alg-twofish/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/gcrypt-ikev1/alg-twofish/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/gcrypt-ikev1/alg-twofish/posttest.dat
 create mode 100644 testing/tests/gcrypt-ikev1/alg-twofish/pretest.dat
 create mode 100644 testing/tests/gcrypt-ikev1/alg-twofish/test.conf
 create mode 100644 testing/tests/gcrypt-ikev1/rw-cert/description.txt
 create mode 100644 testing/tests/gcrypt-ikev1/rw-cert/evaltest.dat
 create mode 100755 testing/tests/gcrypt-ikev1/rw-cert/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/gcrypt-ikev1/rw-cert/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/gcrypt-ikev1/rw-cert/hosts/dave/etc/ipsec.conf
 create mode 100644 testing/tests/gcrypt-ikev1/rw-cert/hosts/dave/etc/strongswan.conf
 create mode 100755 testing/tests/gcrypt-ikev1/rw-cert/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/gcrypt-ikev1/rw-cert/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/gcrypt-ikev1/rw-cert/posttest.dat
 create mode 100644 testing/tests/gcrypt-ikev1/rw-cert/pretest.dat
 create mode 100644 testing/tests/gcrypt-ikev1/rw-cert/test.conf
 create mode 100644 testing/tests/gcrypt-ikev2/alg-camellia/description.txt
 create mode 100644 testing/tests/gcrypt-ikev2/alg-camellia/evaltest.dat
 create mode 100755 testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/gcrypt-ikev2/alg-camellia/posttest.dat
 create mode 100644 testing/tests/gcrypt-ikev2/alg-camellia/pretest.dat
 create mode 100644 testing/tests/gcrypt-ikev2/alg-camellia/test.conf
 create mode 100644 testing/tests/gcrypt-ikev2/rw-cert/description.txt
 create mode 100644 testing/tests/gcrypt-ikev2/rw-cert/evaltest.dat
 create mode 100755 testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/ipsec.conf
 create mode 100644 testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
 create mode 100755 testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/gcrypt-ikev2/rw-cert/posttest.dat
 create mode 100644 testing/tests/gcrypt-ikev2/rw-cert/pretest.dat
 create mode 100644 testing/tests/gcrypt-ikev2/rw-cert/test.conf
 create mode 100644 testing/tests/ike/rw-cert/hosts/carol/etc/strongswan.conf
 delete mode 100644 testing/tests/ikev1/after-2038-certs/hosts/carol/etc/strongswan.conf
 delete mode 100644 testing/tests/ikev1/after-2038-certs/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev1/alg-blowfish/hosts/carol/etc/strongswan.conf
 create mode 100644 testing/tests/ikev1/alg-blowfish/hosts/moon/etc/strongswan.conf
 delete mode 100644 testing/tests/ikev1/alg-serpent/description.txt
 delete mode 100644 testing/tests/ikev1/alg-serpent/evaltest.dat
 delete mode 100755 testing/tests/ikev1/alg-serpent/hosts/carol/etc/ipsec.conf
 delete mode 100755 testing/tests/ikev1/alg-serpent/hosts/moon/etc/ipsec.conf
 delete mode 100644 testing/tests/ikev1/alg-serpent/posttest.dat
 delete mode 100644 testing/tests/ikev1/alg-serpent/pretest.dat
 delete mode 100644 testing/tests/ikev1/alg-serpent/test.conf
 delete mode 100644 testing/tests/ikev1/alg-sha-equals-sha1/description.txt
 delete mode 100644 testing/tests/ikev1/alg-sha-equals-sha1/evaltest.dat
 delete mode 100755 testing/tests/ikev1/alg-sha-equals-sha1/hosts/carol/etc/ipsec.conf
 delete mode 100755 testing/tests/ikev1/alg-sha-equals-sha1/hosts/moon/etc/ipsec.conf
 delete mode 100644 testing/tests/ikev1/alg-sha-equals-sha1/posttest.dat
 delete mode 100644 testing/tests/ikev1/alg-sha-equals-sha1/pretest.dat
 delete mode 100644 testing/tests/ikev1/alg-sha-equals-sha1/test.conf
 delete mode 100644 testing/tests/ikev1/alg-twofish/description.txt
 delete mode 100644 testing/tests/ikev1/alg-twofish/evaltest.dat
 delete mode 100755 testing/tests/ikev1/alg-twofish/hosts/carol/etc/ipsec.conf
 delete mode 100755 testing/tests/ikev1/alg-twofish/hosts/moon/etc/ipsec.conf
 delete mode 100644 testing/tests/ikev1/alg-twofish/posttest.dat
 delete mode 100644 testing/tests/ikev1/alg-twofish/pretest.dat
 delete mode 100644 testing/tests/ikev1/alg-twofish/test.conf
 create mode 100644 testing/tests/ikev1/crl-ldap/hosts/carol/etc/strongswan.conf
 create mode 100644 testing/tests/ikev1/crl-ldap/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev1/default-keys/hosts/carol/etc/strongswan.conf
 create mode 100644 testing/tests/ikev1/default-keys/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev1/mode-config/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf
 create mode 100644 testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf
 create mode 100644 testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev1/nat-two-rw-psk/hosts/alice/etc/strongswan.conf
 create mode 100644 testing/tests/ikev1/nat-two-rw-psk/hosts/sun/etc/strongswan.conf
 create mode 100644 testing/tests/ikev1/nat-two-rw-psk/hosts/venus/etc/strongswan.conf
 create mode 100644 testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/strongswan.conf
 create mode 100644 testing/tests/ikev1/net2net-psk/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev1/net2net-psk/hosts/sun/etc/strongswan.conf
 create mode 100644 testing/tests/ikev1/req-pkcs10/hosts/carol/etc/strongswan.conf
 create mode 100644 testing/tests/ikev1/req-pkcs10/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev1/rw-cert/hosts/carol/etc/strongswan.conf
 create mode 100644 testing/tests/ikev1/rw-cert/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev1/rw-psk-fqdn-named/hosts/carol/etc/strongswan.conf
 create mode 100644 testing/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/strongswan.conf
 create mode 100644 testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
 create mode 100644 testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev1/rw-psk-no-policy/hosts/carol/etc/strongswan.conf
 create mode 100644 testing/tests/ikev1/rw-psk-no-policy/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev1/self-signed/hosts/carol/etc/strongswan.conf
 create mode 100644 testing/tests/ikev1/self-signed/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev1/xauth-psk-mode-config/hosts/carol/etc/strongswan.conf
 create mode 100644 testing/tests/ikev1/xauth-psk-mode-config/hosts/dave/etc/strongswan.conf
 create mode 100644 testing/tests/ikev1/xauth-psk-mode-config/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev1/xauth-psk/hosts/carol/etc/strongswan.conf
 create mode 100644 testing/tests/ikev1/xauth-psk/hosts/dave/etc/strongswan.conf
 create mode 100644 testing/tests/ikev1/xauth-psk/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/alg-blowfish/description.txt
 create mode 100644 testing/tests/ikev2/alg-blowfish/evaltest.dat
 create mode 100755 testing/tests/ikev2/alg-blowfish/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/alg-blowfish/hosts/dave/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/alg-blowfish/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/alg-blowfish/posttest.dat
 create mode 100644 testing/tests/ikev2/alg-blowfish/pretest.dat
 create mode 100644 testing/tests/ikev2/alg-blowfish/test.conf
 delete mode 100644 testing/tests/ikev2/crl-strict/description.txt
 delete mode 100644 testing/tests/ikev2/crl-strict/evaltest.dat
 delete mode 100755 testing/tests/ikev2/crl-strict/hosts/carol/etc/ipsec.conf
 delete mode 100755 testing/tests/ikev2/crl-strict/hosts/moon/etc/ipsec.conf
 delete mode 100644 testing/tests/ikev2/crl-strict/posttest.dat
 delete mode 100644 testing/tests/ikev2/crl-strict/pretest.dat
 delete mode 100644 testing/tests/ikev2/crl-strict/test.conf
 create mode 100644 testing/tests/ikev2/esp-alg-camellia/description.txt
 create mode 100644 testing/tests/ikev2/esp-alg-camellia/evaltest.dat
 create mode 100755 testing/tests/ikev2/esp-alg-camellia/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/esp-alg-camellia/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/esp-alg-camellia/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/esp-alg-camellia/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/esp-alg-camellia/posttest.dat
 create mode 100644 testing/tests/ikev2/esp-alg-camellia/pretest.dat
 create mode 100644 testing/tests/ikev2/esp-alg-camellia/test.conf
 create mode 100644 testing/tests/ikev2/mult-auth-rsa-eap-sim-id/description.txt
 create mode 100644 testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat
 create mode 100644 testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/clients.conf
 create mode 100644 testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/eap.conf
 create mode 100644 testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/proxy.conf
 create mode 100644 testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/radiusd.conf
 create mode 100644 testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/sites-available/default
 create mode 100644 testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/triplets.dat
 create mode 100644 testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/users
 create mode 100755 testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/ipsec.d/triplets.dat
 create mode 100644 testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/ipsec.d/triplets.dat
 create mode 100644 testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/init.d/iptables
 create mode 100755 testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/mult-auth-rsa-eap-sim-id/posttest.dat
 create mode 100644 testing/tests/ikev2/mult-auth-rsa-eap-sim-id/pretest.dat
 create mode 100644 testing/tests/ikev2/mult-auth-rsa-eap-sim-id/test.conf
 create mode 100644 testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.d/certs/carolCert-002.pem
 create mode 100644 testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.d/private/carolKey-002.pem
 create mode 100644 testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.secrets
 delete mode 100755 testing/tests/ikev2/two-certs/hosts/dave/etc/ipsec.conf
 delete mode 100644 testing/tests/ikev2/two-certs/hosts/dave/etc/strongswan.conf
 delete mode 100644 testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.d/certs/carolRevokedCert.pem
 delete mode 100644 testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.d/certs/daveCert.der
 create mode 100644 testing/tests/openssl-ikev1/alg-ecp-high/description.txt
 create mode 100644 testing/tests/openssl-ikev1/alg-ecp-high/evaltest.dat
 create mode 100755 testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/ipsec.conf
 create mode 100644 testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/strongswan.conf
 create mode 100755 testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/openssl-ikev1/alg-ecp-high/posttest.dat
 create mode 100644 testing/tests/openssl-ikev1/alg-ecp-high/pretest.dat
 create mode 100644 testing/tests/openssl-ikev1/alg-ecp-high/test.conf
 create mode 100644 testing/tests/openssl-ikev1/alg-ecp-low/description.txt
 create mode 100644 testing/tests/openssl-ikev1/alg-ecp-low/evaltest.dat
 create mode 100755 testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/ipsec.conf
 create mode 100644 testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/strongswan.conf
 create mode 100755 testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/openssl-ikev1/alg-ecp-low/posttest.dat
 create mode 100644 testing/tests/openssl-ikev1/alg-ecp-low/pretest.dat
 create mode 100644 testing/tests/openssl-ikev1/alg-ecp-low/test.conf
 create mode 100644 testing/tests/openssl-ikev1/ecdsa-certs/description.txt
 create mode 100644 testing/tests/openssl-ikev1/ecdsa-certs/evaltest.dat
 create mode 100755 testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
 create mode 100644 testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem
 create mode 100644 testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem
 create mode 100644 testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.secrets
 create mode 100644 testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.conf
 create mode 100644 testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem
 create mode 100644 testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/certs/daveCert.pem
 create mode 100644 testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem
 create mode 100644 testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.secrets
 create mode 100644 testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/strongswan.conf
 create mode 100755 testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
 create mode 100644 testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moon_ec256_Cert.pem
 create mode 100644 testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moon_ec384_Cert.pem
 create mode 100644 testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moon_ec256_Key.pem
 create mode 100644 testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moon_ec384_Key.pem
 create mode 100644 testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.secrets
 create mode 100644 testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/openssl-ikev1/ecdsa-certs/posttest.dat
 create mode 100644 testing/tests/openssl-ikev1/ecdsa-certs/pretest.dat
 create mode 100644 testing/tests/openssl-ikev1/ecdsa-certs/test.conf
 create mode 100644 testing/tests/openssl-ikev1/rw-cert/description.txt
 create mode 100644 testing/tests/openssl-ikev1/rw-cert/evaltest.dat
 create mode 100755 testing/tests/openssl-ikev1/rw-cert/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/openssl-ikev1/rw-cert/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/openssl-ikev1/rw-cert/hosts/dave/etc/ipsec.conf
 create mode 100644 testing/tests/openssl-ikev1/rw-cert/hosts/dave/etc/strongswan.conf
 create mode 100755 testing/tests/openssl-ikev1/rw-cert/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/openssl-ikev1/rw-cert/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/openssl-ikev1/rw-cert/posttest.dat
 create mode 100644 testing/tests/openssl-ikev1/rw-cert/pretest.dat
 create mode 100644 testing/tests/openssl-ikev1/rw-cert/test.conf
 create mode 100644 testing/tests/openssl-ikev2/alg-blowfish/description.txt
 create mode 100644 testing/tests/openssl-ikev2/alg-blowfish/evaltest.dat
 create mode 100755 testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/ipsec.conf
 create mode 100644 testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf
 create mode 100755 testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/openssl-ikev2/alg-blowfish/posttest.dat
 create mode 100644 testing/tests/openssl-ikev2/alg-blowfish/pretest.dat
 create mode 100644 testing/tests/openssl-ikev2/alg-blowfish/test.conf
 create mode 100644 testing/tests/openssl-ikev2/alg-ecp-high/description.txt
 create mode 100644 testing/tests/openssl-ikev2/alg-ecp-high/evaltest.dat
 create mode 100755 testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/ipsec.conf
 create mode 100644 testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/strongswan.conf
 create mode 100755 testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/openssl-ikev2/alg-ecp-high/posttest.dat
 create mode 100644 testing/tests/openssl-ikev2/alg-ecp-high/pretest.dat
 create mode 100644 testing/tests/openssl-ikev2/alg-ecp-high/test.conf
 create mode 100644 testing/tests/openssl-ikev2/alg-ecp-low/description.txt
 create mode 100644 testing/tests/openssl-ikev2/alg-ecp-low/evaltest.dat
 create mode 100755 testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/ipsec.conf
 create mode 100644 testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/strongswan.conf
 create mode 100755 testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/openssl-ikev2/alg-ecp-low/posttest.dat
 create mode 100644 testing/tests/openssl-ikev2/alg-ecp-low/pretest.dat
 create mode 100644 testing/tests/openssl-ikev2/alg-ecp-low/test.conf
 create mode 100644 testing/tests/openssl-ikev2/ecdsa-certs/description.txt
 create mode 100644 testing/tests/openssl-ikev2/ecdsa-certs/evaltest.dat
 create mode 100755 testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
 create mode 100644 testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem
 create mode 100644 testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem
 create mode 100644 testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.secrets
 create mode 100644 testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.conf
 create mode 100644 testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem
 create mode 100644 testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/certs/daveCert.pem
 create mode 100644 testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem
 create mode 100644 testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.secrets
 create mode 100644 testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/strongswan.conf
 create mode 100755 testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
 create mode 100644 testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem
 create mode 100644 testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem
 create mode 100644 testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.secrets
 create mode 100644 testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/openssl-ikev2/ecdsa-certs/posttest.dat
 create mode 100644 testing/tests/openssl-ikev2/ecdsa-certs/pretest.dat
 create mode 100644 testing/tests/openssl-ikev2/ecdsa-certs/test.conf
 create mode 100644 testing/tests/openssl-ikev2/rw-cert/description.txt
 create mode 100644 testing/tests/openssl-ikev2/rw-cert/evaltest.dat
 create mode 100755 testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/ipsec.conf
 create mode 100644 testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
 create mode 100755 testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/openssl-ikev2/rw-cert/posttest.dat
 create mode 100644 testing/tests/openssl-ikev2/rw-cert/pretest.dat
 create mode 100644 testing/tests/openssl-ikev2/rw-cert/test.conf
 delete mode 100644 testing/tests/openssl/ecdsa-certs/description.txt
 delete mode 100644 testing/tests/openssl/ecdsa-certs/evaltest.dat
 delete mode 100755 testing/tests/openssl/ecdsa-certs/hosts/carol/etc/ipsec.conf
 delete mode 100644 testing/tests/openssl/ecdsa-certs/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
 delete mode 100644 testing/tests/openssl/ecdsa-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem
 delete mode 100644 testing/tests/openssl/ecdsa-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem
 delete mode 100644 testing/tests/openssl/ecdsa-certs/hosts/carol/etc/ipsec.secrets
 delete mode 100644 testing/tests/openssl/ecdsa-certs/hosts/carol/etc/strongswan.conf
 delete mode 100755 testing/tests/openssl/ecdsa-certs/hosts/dave/etc/ipsec.conf
 delete mode 100644 testing/tests/openssl/ecdsa-certs/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem
 delete mode 100644 testing/tests/openssl/ecdsa-certs/hosts/dave/etc/ipsec.d/certs/daveCert.pem
 delete mode 100644 testing/tests/openssl/ecdsa-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem
 delete mode 100644 testing/tests/openssl/ecdsa-certs/hosts/dave/etc/ipsec.secrets
 delete mode 100644 testing/tests/openssl/ecdsa-certs/hosts/dave/etc/strongswan.conf
 delete mode 100755 testing/tests/openssl/ecdsa-certs/hosts/moon/etc/ipsec.conf
 delete mode 100644 testing/tests/openssl/ecdsa-certs/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
 delete mode 100644 testing/tests/openssl/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem
 delete mode 100644 testing/tests/openssl/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem
 delete mode 100644 testing/tests/openssl/ecdsa-certs/hosts/moon/etc/ipsec.secrets
 delete mode 100644 testing/tests/openssl/ecdsa-certs/hosts/moon/etc/strongswan.conf
 delete mode 100644 testing/tests/openssl/ecdsa-certs/posttest.dat
 delete mode 100644 testing/tests/openssl/ecdsa-certs/pretest.dat
 delete mode 100644 testing/tests/openssl/ecdsa-certs/test.conf
 delete mode 100644 testing/tests/openssl/ike-alg-ecp-high/description.txt
 delete mode 100644 testing/tests/openssl/ike-alg-ecp-high/evaltest.dat
 delete mode 100755 testing/tests/openssl/ike-alg-ecp-high/hosts/carol/etc/ipsec.conf
 delete mode 100644 testing/tests/openssl/ike-alg-ecp-high/hosts/carol/etc/strongswan.conf
 delete mode 100755 testing/tests/openssl/ike-alg-ecp-high/hosts/dave/etc/ipsec.conf
 delete mode 100644 testing/tests/openssl/ike-alg-ecp-high/hosts/dave/etc/strongswan.conf
 delete mode 100755 testing/tests/openssl/ike-alg-ecp-high/hosts/moon/etc/ipsec.conf
 delete mode 100644 testing/tests/openssl/ike-alg-ecp-high/hosts/moon/etc/strongswan.conf
 delete mode 100644 testing/tests/openssl/ike-alg-ecp-high/posttest.dat
 delete mode 100644 testing/tests/openssl/ike-alg-ecp-high/pretest.dat
 delete mode 100644 testing/tests/openssl/ike-alg-ecp-high/test.conf
 delete mode 100644 testing/tests/openssl/ike-alg-ecp-low/description.txt
 delete mode 100644 testing/tests/openssl/ike-alg-ecp-low/evaltest.dat
 delete mode 100755 testing/tests/openssl/ike-alg-ecp-low/hosts/carol/etc/ipsec.conf
 delete mode 100644 testing/tests/openssl/ike-alg-ecp-low/hosts/carol/etc/strongswan.conf
 delete mode 100755 testing/tests/openssl/ike-alg-ecp-low/hosts/dave/etc/ipsec.conf
 delete mode 100644 testing/tests/openssl/ike-alg-ecp-low/hosts/dave/etc/strongswan.conf
 delete mode 100755 testing/tests/openssl/ike-alg-ecp-low/hosts/moon/etc/ipsec.conf
 delete mode 100644 testing/tests/openssl/ike-alg-ecp-low/hosts/moon/etc/strongswan.conf
 delete mode 100644 testing/tests/openssl/ike-alg-ecp-low/posttest.dat
 delete mode 100644 testing/tests/openssl/ike-alg-ecp-low/pretest.dat
 delete mode 100644 testing/tests/openssl/ike-alg-ecp-low/test.conf
 delete mode 100644 testing/tests/openssl/rw-cert/description.txt
 delete mode 100644 testing/tests/openssl/rw-cert/evaltest.dat
 delete mode 100755 testing/tests/openssl/rw-cert/hosts/carol/etc/ipsec.conf
 delete mode 100644 testing/tests/openssl/rw-cert/hosts/carol/etc/strongswan.conf
 delete mode 100755 testing/tests/openssl/rw-cert/hosts/dave/etc/ipsec.conf
 delete mode 100644 testing/tests/openssl/rw-cert/hosts/dave/etc/strongswan.conf
 delete mode 100755 testing/tests/openssl/rw-cert/hosts/moon/etc/ipsec.conf
 delete mode 100644 testing/tests/openssl/rw-cert/hosts/moon/etc/strongswan.conf
 delete mode 100644 testing/tests/openssl/rw-cert/posttest.dat
 delete mode 100644 testing/tests/openssl/rw-cert/pretest.dat
 delete mode 100644 testing/tests/openssl/rw-cert/test.conf

(limited to 'src/libstrongswan/plugins')

diff --git a/Makefile.am b/Makefile.am
index b8c380cb3..95eb8d95e 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -2,13 +2,11 @@ SUBDIRS = src testing scripts
 EXTRA_DIST = Doxyfile.in CREDITS
 CLEANFILES = apidoc Doxyfile
 
-ACLOCAL_AMFLAGS = -I m4
-
 Doxyfile :	Doxyfile.in
 		sed \
 		-e "s:\@PACKAGE_VERSION\@:$(PACKAGE_VERSION):" \
 		-e "s:\@PACKAGE_NAME\@:$(PACKAGE_NAME):" \
-		$< > $@
+		$(srcdir)/$@.in > $@
 
 apidoc :	Doxyfile
 		doxygen
diff --git a/Makefile.in b/Makefile.in
index 5d298a7ee..8755056b2 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -33,7 +33,8 @@ build_triplet = @build@
 host_triplet = @host@
 subdir = .
 DIST_COMMON = README $(am__configure_deps) $(srcdir)/Makefile.am \
-	$(srcdir)/Makefile.in $(top_srcdir)/configure AUTHORS COPYING \
+	$(srcdir)/Makefile.in $(top_srcdir)/configure \
+	$(top_srcdir)/src/dumm/ext/extconf.rb.in AUTHORS COPYING \
 	ChangeLog INSTALL NEWS TODO config.guess config.sub depcomp \
 	install-sh ltmain.sh missing
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
@@ -43,7 +44,7 @@ am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 am__CONFIG_DISTCLEAN_FILES = config.status config.cache config.log \
  configure.lineno config.status.lineno
 mkinstalldirs = $(install_sh) -d
-CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_FILES = src/dumm/ext/extconf.rb
 SOURCES =
 DIST_SOURCES =
 RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \
@@ -84,6 +85,7 @@ CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -106,6 +108,9 @@ LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -117,6 +122,7 @@ MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
 NM = @NM@
 NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
@@ -130,6 +136,8 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 RANLIB = @RANLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -190,6 +198,7 @@ oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
 plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -201,6 +210,7 @@ srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 xml_CFLAGS = @xml_CFLAGS@
@@ -208,7 +218,6 @@ xml_LIBS = @xml_LIBS@
 SUBDIRS = src testing scripts
 EXTRA_DIST = Doxyfile.in CREDITS
 CLEANFILES = apidoc Doxyfile
-ACLOCAL_AMFLAGS = -I m4
 all: all-recursive
 
 .SUFFIXES:
@@ -245,6 +254,8 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 	cd $(srcdir) && $(AUTOCONF)
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(srcdir) && $(ACLOCAL) $(ACLOCAL_AMFLAGS)
+src/dumm/ext/extconf.rb: $(top_builddir)/config.status $(top_srcdir)/src/dumm/ext/extconf.rb.in
+	cd $(top_builddir) && $(SHELL) ./config.status $@
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -253,7 +264,7 @@ clean-libtool:
 	-rm -rf .libs _libs
 
 distclean-libtool:
-	-rm -f libtool
+	-rm -f libtool config.lt
 
 # This directory's subdirectories are mostly independent; you can cd
 # into them and run `make' without going through this Makefile.
@@ -330,7 +341,7 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
 	mkid -fID $$unique
 tags: TAGS
@@ -648,7 +659,7 @@ Doxyfile :	Doxyfile.in
 		sed \
 		-e "s:\@PACKAGE_VERSION\@:$(PACKAGE_VERSION):" \
 		-e "s:\@PACKAGE_NAME\@:$(PACKAGE_NAME):" \
-		$< > $@
+		$(srcdir)/$@.in > $@
 
 apidoc :	Doxyfile
 		doxygen
diff --git a/NEWS b/NEWS
index 83308c772..d38e9fe67 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,96 @@
+strongswan-4.3.2
+----------------
+
+- The new gcrypt plugin provides symmetric cipher, hasher, RNG, Diffie-Hellman
+  and RSA crypto primitives using the LGPL licensed GNU gcrypt library.
+
+- libstrongswan features an integrated crypto selftest framework for registered
+  algorithms. The test-vector plugin provides a first set of test vectors and
+  allows pluto and charon to rely on tested crypto algorithms.
+
+- pluto can now use all libstrongswan plugins with the exception of x509 and xcbc.
+  Thanks to the openssl plugin, the ECP Diffie-Hellman groups 19, 20, 21, 25, and
+  26 as well as ECDSA-256, ECDSA-384, and ECDSA-521 authentication can be used
+  with IKEv1.
+
+- Applying their fuzzing tool, the Orange Labs vulnerability research team found
+  another two DoS vulnerabilities, one in the rather old ASN.1 parser of Relative
+  Distinguished Names (RDNs) and a second one in the conversion of ASN.1 UTCTIME
+  and GENERALIZEDTIME strings to a time_t value.
+  
+
+strongswan-4.3.1
+----------------
+
+- The nm plugin now passes DNS/NBNS server information to NetworkManager,
+  allowing a gateway administrator to set DNS/NBNS configuration on clients
+  dynamically.
+
+- The nm plugin also accepts CA certificates for gateway authentication. If
+  a CA certificate is configured, strongSwan uses the entered gateway address
+  as its idenitity, requiring the gateways certificate to contain the same as
+  subjectAltName. This allows a gateway administrator to deploy the same
+  certificates to Windows 7 and NetworkManager clients.
+
+- The command ipsec purgeike deletes IKEv2 SAs that don't have a CHILD SA.
+  The command ipsec down <conn>{n} deletes CHILD SA instance n of connection
+  <conn> whereas ipsec down <conn>{*} deletes all CHILD SA instances.
+  The command ipsec down <conn>[n] deletes IKE SA instance n of connection
+  <conn> plus dependent CHILD SAs whereas ipsec down <conn>[*] deletes all
+  IKE SA instances of connection <conn>.
+
+- Fixed a regression introduced in 4.3.0 where EAP authentication calculated
+  the AUTH payload incorrectly. Further, the EAP-MSCHAPv2 MSK key derivation
+  has been updated to be compatible with the Windows 7 Release Candidate.
+
+- Refactored installation of triggering policies. Routed policies are handled
+  outside of IKE_SAs to keep them installed in any case. A tunnel gets
+  established only once, even if initiation is delayed due network outages.
+
+- Improved the handling of multiple acquire signals triggered by the kernel.
+
+- Fixed two DoS vulnerabilities in the charon daemon that were discovered by
+  fuzzing techniques: 1) Sending a malformed IKE_SA_INIT request leaved an
+  incomplete state which caused a null pointer dereference if a subsequent
+  CREATE_CHILD_SA request was sent. 2) Sending an IKE_AUTH request with either
+  a missing TSi or TSr payload caused a null pointer derefence because the
+  checks for TSi and TSr were interchanged. The IKEv2 fuzzer used was 
+  developped by the Orange Labs vulnerability research team. The tool was
+  initially written by Gabriel Campana and is now maintained by Laurent Butti.
+
+- Added support for AES counter mode in ESP in IKEv2 using the proposal
+  keywords aes128ctr, aes192ctr and aes256ctr.
+
+- Further progress in refactoring pluto: Use of the curl and ldap plugins
+  for fetching crls and OCSP. Use of the random plugin to get keying material
+  from /dev/random or /dev/urandom. Use of the openssl plugin as an alternative
+  to the aes, des, sha1, sha2, and md5 plugins. The blowfish, twofish, and
+  serpent encryption plugins are now optional and are not enabled by default.
+
+
+strongswan-4.3.0
+----------------
+
+- Support for the IKEv2 Multiple Authentication Exchanges extension (RFC4739).
+  Initiators and responders can use several authentication rounds (e.g. RSA
+  followed by EAP) to authenticate. The new ipsec.conf leftauth/rightauth and
+  leftauth2/rightauth2 parameters define own authentication rounds or setup
+  constraints for the remote peer. See the ipsec.conf man page for more detials.
+
+- If glibc printf hooks (register_printf_function) are not available,
+  strongSwan can use the vstr string library to run on non-glibc systems.
+
+- The IKEv2 charon daemon can now configure the ESP CAMELLIA-CBC cipher
+  (esp=camellia128|192|256).
+
+- Refactored the pluto and scepclient code to use basic functions (memory
+  allocation, leak detective, chunk handling, printf_hooks, strongswan.conf
+  attributes, ASN.1 parser, etc.) from the libstrongswan library.
+
+- Up to two DNS and WINS servers to be sent via IKEv1 ModeConfig can be
+  configured in the pluto section of strongswan.conf.
+
+
 strongswan-4.2.14
 -----------------
 
diff --git a/README b/README
index bc1cf3d47..101e4838c 100644
--- a/README
+++ b/README
@@ -1159,7 +1159,7 @@ The presence of a rightca parameter also causes the CA to be sent as
 part of the certificate request message when strongSwan is the initiator.
 A special case occurs when strongSwan responds to a roadwarrior. If several
 roadwarrior connections based on different CAs are defined then all eligible
-CAs will be listed in Pluto’s certificate request message.
+CAs will be listed in Pluto�s certificate request message.
 
 
 4.9 IPsec policies based on group attributes
@@ -1505,12 +1505,16 @@ any certificates to the other end via the IKE Main Mode protocol. Especially
 if self-signed certificates are used which wouldn't be accepted any way by
 the other side. In these cases it is recommended to add
 
-          leftsendcert=never
+    leftsendcert=never
 
 to the connection definition[s] in order to avoid the sending of the host's
 own certificate. The default value is
 
-    leftsendcert=always.
+    leftsendcert=ifasked
+
+If a peer does not send a certificate request then use the setting
+
+    leftsendcert=always
 
 If a peer certificate contains a subjectAltName extension, then an alternative
 rightid type can be used, as the example "conn sun" shows. If no rightid
@@ -3118,7 +3122,7 @@ by the pluto/xauth.h header file.
 	               Copyright (c) 2000, Kai Martius
 
 		   X.509, OCSP and smartcard functionality:
-°
+
   Copyright (c) 2000, Andreas Hess, Patric Lichtsteiner, Roger Wegmann
   Copyright (c) 2001, Marco Bertossa, Andreas Schleiss
   Copyright (c) 2002, Uli Galizzi, Ariane Seiler, Mario Strasser
@@ -3147,5 +3151,3 @@ by the pluto/xauth.h header file.
   for more details.
 -----------------------------------------------------------------------------
 
-This file is RCSID $Id: README 3272 2007-10-08 20:15:30Z andreas $
-
diff --git a/aclocal.m4 b/aclocal.m4
index 23c6a61b4..b547a212b 100644
--- a/aclocal.m4
+++ b/aclocal.m4
@@ -1,4 +1,4 @@
-# generated automatically by aclocal 1.10.1 -*- Autoconf -*-
+# generated automatically by aclocal 1.10.2 -*- Autoconf -*-
 
 # Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004,
 # 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
@@ -13,12 +13,121 @@
 
 m4_ifndef([AC_AUTOCONF_VERSION],
   [m4_copy([m4_PACKAGE_VERSION], [AC_AUTOCONF_VERSION])])dnl
-m4_if(AC_AUTOCONF_VERSION, [2.61],,
-[m4_warning([this file was generated for autoconf 2.61.
+m4_if(m4_defn([AC_AUTOCONF_VERSION]), [2.63],,
+[m4_warning([this file was generated for autoconf 2.63.
 You have another version of autoconf.  It may work, but is not guaranteed to.
 If you have problems, you may need to regenerate the build system entirely.
 To do so, use the procedure documented by the package, typically `autoreconf'.])])
 
+dnl Autoconf macros for libgcrypt
+dnl       Copyright (C) 2002, 2004 Free Software Foundation, Inc.
+dnl
+dnl This file is free software; as a special exception the author gives
+dnl unlimited permission to copy and/or distribute it, with or without
+dnl modifications, as long as this notice is preserved.
+dnl
+dnl This file is distributed in the hope that it will be useful, but
+dnl WITHOUT ANY WARRANTY, to the extent permitted by law; without even the
+dnl implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+
+
+dnl AM_PATH_LIBGCRYPT([MINIMUM-VERSION,
+dnl                   [ACTION-IF-FOUND [, ACTION-IF-NOT-FOUND ]]])
+dnl Test for libgcrypt and define LIBGCRYPT_CFLAGS and LIBGCRYPT_LIBS.
+dnl MINIMUN-VERSION is a string with the version number optionalliy prefixed
+dnl with the API version to also check the API compatibility. Example:
+dnl a MINIMUN-VERSION of 1:1.2.5 won't pass the test unless the installed 
+dnl version of libgcrypt is at least 1.2.5 *and* the API number is 1.  Using
+dnl this features allows to prevent build against newer versions of libgcrypt
+dnl with a changed API.
+dnl
+AC_DEFUN([AM_PATH_LIBGCRYPT],
+[ AC_ARG_WITH(libgcrypt-prefix,
+            AC_HELP_STRING([--with-libgcrypt-prefix=PFX],
+                           [prefix where LIBGCRYPT is installed (optional)]),
+     libgcrypt_config_prefix="$withval", libgcrypt_config_prefix="")
+  if test x$libgcrypt_config_prefix != x ; then
+     if test x${LIBGCRYPT_CONFIG+set} != xset ; then
+        LIBGCRYPT_CONFIG=$libgcrypt_config_prefix/bin/libgcrypt-config
+     fi
+  fi
+
+  AC_PATH_PROG(LIBGCRYPT_CONFIG, libgcrypt-config, no)
+  tmp=ifelse([$1], ,1:1.2.0,$1)
+  if echo "$tmp" | grep ':' >/dev/null 2>/dev/null ; then
+     req_libgcrypt_api=`echo "$tmp"     | sed 's/\(.*\):\(.*\)/\1/'`
+     min_libgcrypt_version=`echo "$tmp" | sed 's/\(.*\):\(.*\)/\2/'`
+  else
+     req_libgcrypt_api=0
+     min_libgcrypt_version="$tmp"
+  fi
+
+  AC_MSG_CHECKING(for LIBGCRYPT - version >= $min_libgcrypt_version)
+  ok=no
+  if test "$LIBGCRYPT_CONFIG" != "no" ; then
+    req_major=`echo $min_libgcrypt_version | \
+               sed 's/\([[0-9]]*\)\.\([[0-9]]*\)\.\([[0-9]]*\)/\1/'`
+    req_minor=`echo $min_libgcrypt_version | \
+               sed 's/\([[0-9]]*\)\.\([[0-9]]*\)\.\([[0-9]]*\)/\2/'`
+    req_micro=`echo $min_libgcrypt_version | \
+               sed 's/\([[0-9]]*\)\.\([[0-9]]*\)\.\([[0-9]]*\)/\3/'`
+    libgcrypt_config_version=`$LIBGCRYPT_CONFIG --version`
+    major=`echo $libgcrypt_config_version | \
+               sed 's/\([[0-9]]*\)\.\([[0-9]]*\)\.\([[0-9]]*\).*/\1/'`
+    minor=`echo $libgcrypt_config_version | \
+               sed 's/\([[0-9]]*\)\.\([[0-9]]*\)\.\([[0-9]]*\).*/\2/'`
+    micro=`echo $libgcrypt_config_version | \
+               sed 's/\([[0-9]]*\)\.\([[0-9]]*\)\.\([[0-9]]*\).*/\3/'`
+    if test "$major" -gt "$req_major"; then
+        ok=yes
+    else 
+        if test "$major" -eq "$req_major"; then
+            if test "$minor" -gt "$req_minor"; then
+               ok=yes
+            else
+               if test "$minor" -eq "$req_minor"; then
+                   if test "$micro" -ge "$req_micro"; then
+                     ok=yes
+                   fi
+               fi
+            fi
+        fi
+    fi
+  fi
+  if test $ok = yes; then
+    AC_MSG_RESULT([yes ($libgcrypt_config_version)])
+  else
+    AC_MSG_RESULT(no)
+  fi
+  if test $ok = yes; then
+     # If we have a recent libgcrypt, we should also check that the
+     # API is compatible
+     if test "$req_libgcrypt_api" -gt 0 ; then
+        tmp=`$LIBGCRYPT_CONFIG --api-version 2>/dev/null || echo 0`
+        if test "$tmp" -gt 0 ; then
+           AC_MSG_CHECKING([LIBGCRYPT API version])
+           if test "$req_libgcrypt_api" -eq "$tmp" ; then
+             AC_MSG_RESULT([okay])
+           else
+             ok=no
+             AC_MSG_RESULT([does not match. want=$req_libgcrypt_api got=$tmp])
+           fi
+        fi
+     fi
+  fi
+  if test $ok = yes; then
+    LIBGCRYPT_CFLAGS=`$LIBGCRYPT_CONFIG --cflags`
+    LIBGCRYPT_LIBS=`$LIBGCRYPT_CONFIG --libs`
+    ifelse([$2], , :, [$2])
+  else
+    LIBGCRYPT_CFLAGS=""
+    LIBGCRYPT_LIBS=""
+    ifelse([$3], , :, [$3])
+  fi
+  AC_SUBST(LIBGCRYPT_CFLAGS)
+  AC_SUBST(LIBGCRYPT_LIBS)
+])
+
 # libtool.m4 - Configure libtool for the host system. -*-Autoconf-*-
 #
 #   Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2003, 2004, 2005,
@@ -395,12 +504,12 @@ m4_define([lt_decl_dquote_varnames],
 # lt_decl_varnames_tagged([SEPARATOR], [VARNAME1...])
 # ---------------------------------------------------
 m4_define([lt_decl_varnames_tagged],
-[_$0(m4_quote(m4_default([$1], [[, ]])),
-     m4_quote(m4_if([$2], [],
-		     m4_quote(lt_decl_tag_varnames),
-		  m4_quote(m4_shift($@)))),
-     m4_split(m4_normalize(m4_quote(_LT_TAGS))))])
-m4_define([_lt_decl_varnames_tagged], [lt_combine([$1], [$2], [_], $3)])
+[m4_assert([$# <= 2])dnl
+_$0(m4_quote(m4_default([$1], [[, ]])),
+    m4_ifval([$2], [[$2]], [m4_dquote(lt_decl_tag_varnames)]),
+    m4_split(m4_normalize(m4_quote(_LT_TAGS)), [ ]))])
+m4_define([_lt_decl_varnames_tagged],
+[m4_ifval([$3], [lt_combine([$1], [$2], [_], $3)])])
 
 
 # lt_decl_all_varnames([SEPARATOR], [VARNAME1...])
@@ -960,10 +1069,10 @@ m4_defun_once([_LT_REQUIRED_DARWIN_CHECKS],[
       _lt_dar_allow_undefined='${wl}-undefined ${wl}suppress' ;;
     darwin1.*)
       _lt_dar_allow_undefined='${wl}-flat_namespace ${wl}-undefined ${wl}suppress' ;;
-    darwin*) # darwin 5.x on 
+    darwin*) # darwin 5.x on
       # if running on 10.5 or later, the deployment target defaults
       # to the OS version, if on x86, and 10.4, the deployment
-      # target defaults to 10.4. Don't you love it? 
+      # target defaults to 10.4. Don't you love it?
       case ${MACOSX_DEPLOYMENT_TARGET-10.0},$host in
 	10.0,*86*-darwin8*|10.0,*-darwin[[91]]*)
 	  _lt_dar_allow_undefined='${wl}-undefined ${wl}dynamic_lookup' ;;
@@ -1005,7 +1114,11 @@ m4_defun([_LT_DARWIN_LINKER_FEATURES],
   _LT_TAGVAR(whole_archive_flag_spec, $1)=''
   _LT_TAGVAR(link_all_deplibs, $1)=yes
   _LT_TAGVAR(allow_undefined_flag, $1)="$_lt_dar_allow_undefined"
-  if test "$GCC" = "yes"; then
+  case $cc_basename in
+     ifort*) _lt_dar_can_shared=yes ;;
+     *) _lt_dar_can_shared=$GCC ;;
+  esac
+  if test "$_lt_dar_can_shared" = "yes"; then
     output_verbose_link_cmd=echo
     _LT_TAGVAR(archive_cmds, $1)="\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$libobjs \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring $_lt_dar_single_mod${_lt_dsymutil}"
     _LT_TAGVAR(module_cmds, $1)="\$CC \$allow_undefined_flag -o \$lib -bundle \$libobjs \$deplibs \$compiler_flags${_lt_dsymutil}"
@@ -1527,7 +1640,7 @@ AC_CACHE_VAL([lt_cv_sys_max_cmd_len], [dnl
     lt_cv_sys_max_cmd_len=-1;
     ;;
 
-  cygwin* | mingw*)
+  cygwin* | mingw* | cegcc*)
     # On Win9x/ME, this test blows up -- it succeeds, but takes
     # about 5 minutes as the teststring grows exponentially.
     # Worse, since 9x/ME are not pre-emptively multitasking,
@@ -1695,10 +1808,6 @@ else
 #  endif
 #endif
 
-#ifdef __cplusplus
-extern "C" void exit (int);
-#endif
-
 void fnord() { int i=42;}
 int main ()
 {
@@ -1714,7 +1823,7 @@ int main ()
   else
     puts (dlerror ());
 
-    exit (status);
+  return status;
 }]
 _LT_EOF
   if AC_TRY_EVAL(ac_link) && test -s conftest${ac_exeext} 2>/dev/null; then
@@ -1753,7 +1862,7 @@ else
     lt_cv_dlopen_self=yes
     ;;
 
-  mingw* | pw32*)
+  mingw* | pw32* | cegcc*)
     lt_cv_dlopen="LoadLibrary"
     lt_cv_dlopen_libs=
     ;;
@@ -2050,6 +2159,7 @@ m4_defun([_LT_SYS_DYNAMIC_LINKER],
 [AC_REQUIRE([AC_CANONICAL_HOST])dnl
 m4_require([_LT_DECL_EGREP])dnl
 m4_require([_LT_FILEUTILS_DEFAULTS])dnl
+m4_require([_LT_DECL_OBJDUMP])dnl
 m4_require([_LT_DECL_SED])dnl
 AC_MSG_CHECKING([dynamic linker characteristics])
 m4_if([$1],
@@ -2214,14 +2324,14 @@ bsdi[[45]]*)
   # libtool to hard-code these into programs
   ;;
 
-cygwin* | mingw* | pw32*)
+cygwin* | mingw* | pw32* | cegcc*)
   version_type=windows
   shrext_cmds=".dll"
   need_version=no
   need_lib_prefix=no
 
   case $GCC,$host_os in
-  yes,cygwin* | yes,mingw* | yes,pw32*)
+  yes,cygwin* | yes,mingw* | yes,pw32* | yes,cegcc*)
     library_names_spec='$libname.dll.a'
     # DLL is installed to $(libdir)/../bin by postinstall_cmds
     postinstall_cmds='base_file=`basename \${file}`~
@@ -2244,7 +2354,7 @@ cygwin* | mingw* | pw32*)
       soname_spec='`echo ${libname} | sed -e 's/^lib/cyg/'``echo ${release} | $SED -e 's/[[.]]/-/g'`${versuffix}${shared_ext}'
       sys_lib_search_path_spec="/usr/lib /lib/w32api /lib /usr/local/lib"
       ;;
-    mingw*)
+    mingw* | cegcc*)
       # MinGW DLLs use traditional 'lib' prefix
       soname_spec='${libname}`echo ${release} | $SED -e 's/[[.]]/-/g'`${versuffix}${shared_ext}'
       sys_lib_search_path_spec=`$CC -print-search-dirs | $GREP "^libraries:" | $SED -e "s/^libraries://" -e "s,=/,/,g"`
@@ -2682,7 +2792,7 @@ tpf*)
   version_type=linux
   need_lib_prefix=no
   need_version=no
-  library_name_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
   shlibpath_var=LD_LIBRARY_PATH
   shlibpath_overrides_runpath=no
   hardcode_into_libs=yes
@@ -2706,7 +2816,7 @@ variables_saved_for_relink="PATH $shlibpath_var $runpath_var"
 if test "$GCC" = yes; then
   variables_saved_for_relink="$variables_saved_for_relink GCC_EXEC_PREFIX COMPILER_PATH LIBRARY_PATH"
 fi
- 
+
 if test "${lt_cv_sys_lib_search_path_spec+set}" = set; then
   sys_lib_search_path_spec="$lt_cv_sys_lib_search_path_spec"
 fi
@@ -2983,6 +3093,7 @@ _LT_DECL([], [reload_cmds], [2])dnl
 #  -- PORTME fill in with the dynamic library characteristics
 m4_defun([_LT_CHECK_MAGIC_METHOD],
 [m4_require([_LT_DECL_EGREP])
+m4_require([_LT_DECL_OBJDUMP])
 AC_CACHE_CHECK([how to recognize dependent libraries],
 lt_cv_deplibs_check_method,
 [lt_cv_file_magic_cmd='$MAGIC_CMD'
@@ -3033,6 +3144,12 @@ mingw* | pw32*)
   fi
   ;;
 
+cegcc)
+  # use the weaker test based on 'objdump'. See mingw*.
+  lt_cv_deplibs_check_method='file_magic file format pe-arm-.*little(.*architecture: arm)?'
+  lt_cv_file_magic_cmd='$OBJDUMP -f'
+  ;;
+
 darwin* | rhapsody*)
   lt_cv_deplibs_check_method=pass_all
   ;;
@@ -3344,7 +3461,7 @@ case $host_os in
 aix*)
   symcode='[[BCDT]]'
   ;;
-cygwin* | mingw* | pw32*)
+cygwin* | mingw* | pw32* | cegcc*)
   symcode='[[ABCDGISTW]]'
   ;;
 hpux*)
@@ -3590,7 +3707,7 @@ m4_if([$1], [CXX], [
     beos* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*)
       # PIC is the default for these OSes.
       ;;
-    mingw* | cygwin* | os2* | pw32*)
+    mingw* | cygwin* | os2* | pw32* | cegcc*)
       # This hack is so that the source file can tell whether it is being
       # built for inclusion in a dll (and should export symbols for example).
       # Although the cygwin gcc ignores -fPIC, still need this for old-style
@@ -3617,10 +3734,11 @@ m4_if([$1], [CXX], [
       fi
       ;;
     hpux*)
-      # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but
-      # not for PA HP-UX.
+      # PIC is the default for 64-bit PA HP-UX, but not for 32-bit
+      # PA HP-UX.  On IA64 HP-UX, PIC is the default but the pic flag
+      # sets the default TLS model and affects inlining.
       case $host_cpu in
-      hppa*64*|ia64*)
+      hppa*64*)
 	;;
       *)
 	_LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
@@ -3718,12 +3836,19 @@ m4_if([$1], [CXX], [
 	    _LT_TAGVAR(lt_prog_compiler_wl, $1)='--backend -Wl,'
 	    _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
 	    ;;
-	  icpc* | ecpc* )
-	    # Intel C++
+	  ecpc* )
+	    # old Intel C++ for x86_64 which still supported -KPIC.
 	    _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
 	    _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
 	    _LT_TAGVAR(lt_prog_compiler_static, $1)='-static'
 	    ;;
+	  icpc* )
+	    # Intel C++, used to be incompatible with GCC.
+	    # ICC 10 doesn't accept -KPIC any more.
+	    _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+	    _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
+	    _LT_TAGVAR(lt_prog_compiler_static, $1)='-static'
+	    ;;
 	  pgCC* | pgcpp*)
 	    # Portland Group C++ compiler
 	    _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
@@ -3889,7 +4014,7 @@ m4_if([$1], [CXX], [
       # PIC is the default for these OSes.
       ;;
 
-    mingw* | cygwin* | pw32* | os2*)
+    mingw* | cygwin* | pw32* | os2* | cegcc*)
       # This hack is so that the source file can tell whether it is being
       # built for inclusion in a dll (and should export symbols for example).
       # Although the cygwin gcc ignores -fPIC, still need this for old-style
@@ -3905,10 +4030,11 @@ m4_if([$1], [CXX], [
       ;;
 
     hpux*)
-      # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but
-      # not for PA HP-UX.
+      # PIC is the default for 64-bit PA HP-UX, but not for 32-bit
+      # PA HP-UX.  On IA64 HP-UX, PIC is the default but the pic flag
+      # sets the default TLS model and affects inlining.
       case $host_cpu in
-      hppa*64*|ia64*)
+      hppa*64*)
 	# +Z the default
 	;;
       *)
@@ -3958,7 +4084,7 @@ m4_if([$1], [CXX], [
       fi
       ;;
 
-    mingw* | cygwin* | pw32* | os2*)
+    mingw* | cygwin* | pw32* | os2* | cegcc*)
       # This hack is so that the source file can tell whether it is being
       # built for inclusion in a dll (and should export symbols for example).
       m4_if([$1], [GCJ], [],
@@ -3989,11 +4115,25 @@ m4_if([$1], [CXX], [
 
     linux* | k*bsd*-gnu)
       case $cc_basename in
-      icc* | ecc* | ifort*)
+      # old Intel for x86_64 which still supported -KPIC.
+      ecc*)
 	_LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
 	_LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
 	_LT_TAGVAR(lt_prog_compiler_static, $1)='-static'
         ;;
+      # icc used to be incompatible with GCC.
+      # ICC 10 doesn't accept -KPIC any more.
+      icc* | ifort*)
+	_LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+	_LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
+	_LT_TAGVAR(lt_prog_compiler_static, $1)='-static'
+        ;;
+      # Lahey Fortran 8.1.
+      lf95*)
+	_LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+	_LT_TAGVAR(lt_prog_compiler_pic, $1)='--shared'
+	_LT_TAGVAR(lt_prog_compiler_static, $1)='--static'
+	;;
       pgcc* | pgf77* | pgf90* | pgf95*)
         # Portland Group compilers (*not* the Pentium gcc compiler,
 	# which looks to be a dead project)
@@ -4175,7 +4315,7 @@ m4_if([$1], [CXX], [
   pw32*)
     _LT_TAGVAR(export_symbols_cmds, $1)="$ltdll_cmds"
   ;;
-  cygwin* | mingw*)
+  cygwin* | mingw* | cegcc*)
     _LT_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[[BCDGRS]][[ ]]/s/.*[[ ]]\([[^ ]]*\)/\1 DATA/;/^.*[[ ]]__nm__/s/^.*[[ ]]__nm__\([[^ ]]*\)[[ ]][[^ ]]*/\1 DATA/;/^I[[ ]]/d;/^[[AITW]][[ ]]/s/.* //'\'' | sort | uniq > $export_symbols'
   ;;
   linux* | k*bsd*-gnu)
@@ -4230,7 +4370,7 @@ dnl Note also adjust exclude_expsyms for C++ above.
   extract_expsyms_cmds=
 
   case $host_os in
-  cygwin* | mingw* | pw32*)
+  cygwin* | mingw* | pw32* | cegcc*)
     # FIXME: the MSVC++ port hasn't been tested in a loooong time
     # When not using gcc, we currently assume that we are using
     # Microsoft Visual C++.
@@ -4317,7 +4457,7 @@ _LT_EOF
       fi
       ;;
 
-    cygwin* | mingw* | pw32*)
+    cygwin* | mingw* | pw32* | cegcc*)
       # _LT_TAGVAR(hardcode_libdir_flag_spec, $1) is actually meaningless,
       # as there is no search path for DLLs.
       _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
@@ -4383,6 +4523,9 @@ _LT_EOF
 	  tmp_addflag=' -i_dynamic -nofor_main' ;;
 	ifc* | ifort*)			# Intel Fortran compiler
 	  tmp_addflag=' -nofor_main' ;;
+	lf95*)				# Lahey Fortran 8.1
+	  _LT_TAGVAR(whole_archive_flag_spec, $1)=
+	  tmp_sharedflag='--shared' ;;
 	xl[[cC]]*)			# IBM XL C 8.0 on PPC (deal with xlf below)
 	  tmp_sharedflag='-qmkshrobj'
 	  tmp_addflag= ;;
@@ -4615,6 +4758,7 @@ _LT_EOF
 	fi
       fi
 
+      _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-bexpall'
       # It seems that -bexpall does not export symbols beginning with
       # underscore (_), so it is better to generate a list of symbols to export.
       _LT_TAGVAR(always_export_symbols, $1)=yes
@@ -4669,7 +4813,7 @@ _LT_EOF
       _LT_TAGVAR(export_dynamic_flag_spec, $1)=-rdynamic
       ;;
 
-    cygwin* | mingw* | pw32*)
+    cygwin* | mingw* | pw32* | cegcc*)
       # When not using gcc, we currently assume that we are using
       # Microsoft Visual C++.
       # hardcode_libdir_flag_spec is actually meaningless, as there is
@@ -4773,7 +4917,7 @@ _LT_EOF
 	  _LT_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}+h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
 	  ;;
 	ia64*)
-	  _LT_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags'
+	  _LT_TAGVAR(archive_cmds, $1)='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags'
 	  ;;
 	*)
 	  _LT_TAGVAR(archive_cmds, $1)='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
@@ -5554,6 +5698,7 @@ if test "$_lt_caught_CXX_error" != yes; then
           fi
         fi
 
+        _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-bexpall'
         # It seems that -bexpall does not export symbols beginning with
         # underscore (_), so it is better to generate a list of symbols to
 	# export.
@@ -5612,7 +5757,7 @@ if test "$_lt_caught_CXX_error" != yes; then
         esac
         ;;
 
-      cygwin* | mingw* | pw32*)
+      cygwin* | mingw* | pw32* | cegcc*)
         # _LT_TAGVAR(hardcode_libdir_flag_spec, $1) is actually meaningless,
         # as there is no search path for DLLs.
         _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
@@ -6993,6 +7138,18 @@ AC_SUBST([GREP])
 ])
 
 
+# _LT_DECL_OBJDUMP
+# --------------
+# If we don't have a new enough Autoconf to choose the best objdump
+# available, choose the one first in the user's PATH.
+m4_defun([_LT_DECL_OBJDUMP],
+[AC_CHECK_TOOL(OBJDUMP, objdump, false)
+test -z "$OBJDUMP" && OBJDUMP=objdump
+_LT_DECL([], [OBJDUMP], [1], [An object symbol dumper])
+AC_SUBST([OBJDUMP])
+])
+
+
 # _LT_DECL_SED
 # ------------
 # Check for a fully-functional sed program, that truncates
@@ -7453,7 +7610,7 @@ LT_OPTION_DEFINE([LT_INIT], [win32-dll],
 [enable_win32_dll=yes
 
 case $host in
-*-*-cygwin* | *-*-mingw* | *-*-pw32*)
+*-*-cygwin* | *-*-mingw* | *-*-pw32* | *-cegcc*)
   AC_CHECK_TOOL(AS, as, false)
   AC_CHECK_TOOL(DLLTOOL, dlltool, false)
   AC_CHECK_TOOL(OBJDUMP, objdump, false)
@@ -7694,14 +7851,14 @@ LT_OPTION_DEFINE([LTDL_INIT], [convenience],
 
 # ltsugar.m4 -- libtool m4 base layer.                         -*-Autoconf-*-
 #
-#   Copyright (C) 2004, 2005, 2007 Free Software Foundation, Inc.
-#   Written by Gary V. Vaughan, 2004
+# Copyright (C) 2004, 2005, 2007, 2008 Free Software Foundation, Inc.
+# Written by Gary V. Vaughan, 2004
 #
 # This file is free software; the Free Software Foundation gives
 # unlimited permission to copy and/or distribute it, with or without
 # modifications, as long as this notice is preserved.
 
-# serial 5 ltsugar.m4
+# serial 6 ltsugar.m4
 
 # This is to help aclocal find these macros, as it can't see m4_define.
 AC_DEFUN([LTSUGAR_VERSION], [m4_if([0.1])])
@@ -7757,14 +7914,14 @@ m4_define([lt_append],
 # Produce a SEP delimited list of all paired combinations of elements of
 # PREFIX-LIST with SUFFIX1 through SUFFIXn.  Each element of the list
 # has the form PREFIXmINFIXSUFFIXn.
+# Needed until we can rely on m4_combine added in Autoconf 2.62.
 m4_define([lt_combine],
-[m4_if([$2], [], [],
-  [m4_if([$4], [], [],
-    [lt_join(m4_quote(m4_default([$1], [[, ]])),
-      lt_unquote(m4_split(m4_normalize(m4_foreach(_Lt_prefix, [$2],
-		   [m4_foreach(_Lt_suffix, lt_car([m4_shiftn(3, $@)]),
-			       [_Lt_prefix[]$3[]_Lt_suffix ])])))))])])dnl
-])
+[m4_if(m4_eval([$# > 3]), [1],
+       [m4_pushdef([_Lt_sep], [m4_define([_Lt_sep], m4_defn([lt_car]))])]]dnl
+[[m4_foreach([_Lt_prefix], [$2],
+	     [m4_foreach([_Lt_suffix],
+		]m4_dquote(m4_dquote(m4_shift(m4_shift(m4_shift($@)))))[,
+	[_Lt_sep([$1])[]m4_defn([_Lt_prefix])[$3]m4_defn([_Lt_suffix])])])])])
 
 
 # lt_if_append_uniq(MACRO-NAME, VARNAME, [SEPARATOR], [UNIQ], [NOT-UNIQ])
@@ -7827,15 +7984,15 @@ m4_define([lt_dict_filter],
 
 # Generated from ltversion.in.
 
-# serial 2976 ltversion.m4
+# serial 3012 ltversion.m4
 # This file is part of GNU Libtool
 
-m4_define([LT_PACKAGE_VERSION], [2.2.4])
-m4_define([LT_PACKAGE_REVISION], [1.2976])
+m4_define([LT_PACKAGE_VERSION], [2.2.6])
+m4_define([LT_PACKAGE_REVISION], [1.3012])
 
 AC_DEFUN([LTVERSION_VERSION],
-[macro_version='2.2.4'
-macro_revision='1.2976'
+[macro_version='2.2.6'
+macro_revision='1.3012'
 _LT_DECL(, macro_version, 0, [Which release of libtool.m4 was used?])
 _LT_DECL(, macro_revision, 0)
 ])
@@ -8091,7 +8248,7 @@ else
 fi[]dnl
 ])# PKG_CHECK_MODULES
 
-# Copyright (C) 2002, 2003, 2005, 2006, 2007  Free Software Foundation, Inc.
+# Copyright (C) 2002, 2003, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -8106,7 +8263,7 @@ AC_DEFUN([AM_AUTOMAKE_VERSION],
 [am__api_version='1.10'
 dnl Some users find AM_AUTOMAKE_VERSION and mistake it for a way to
 dnl require some minimum version.  Point them to the right macro.
-m4_if([$1], [1.10.1], [],
+m4_if([$1], [1.10.2], [],
       [AC_FATAL([Do not call $0, use AM_INIT_AUTOMAKE([$1]).])])dnl
 ])
 
@@ -8120,12 +8277,12 @@ m4_define([_AM_AUTOCONF_VERSION], [])
 # AM_SET_CURRENT_AUTOMAKE_VERSION
 # -------------------------------
 # Call AM_AUTOMAKE_VERSION and AM_AUTOMAKE_VERSION so they can be traced.
-# This function is AC_REQUIREd by AC_INIT_AUTOMAKE.
+# This function is AC_REQUIREd by AM_INIT_AUTOMAKE.
 AC_DEFUN([AM_SET_CURRENT_AUTOMAKE_VERSION],
-[AM_AUTOMAKE_VERSION([1.10.1])dnl
+[AM_AUTOMAKE_VERSION([1.10.2])dnl
 m4_ifndef([AC_AUTOCONF_VERSION],
   [m4_copy([m4_PACKAGE_VERSION], [AC_AUTOCONF_VERSION])])dnl
-_AM_AUTOCONF_VERSION(AC_AUTOCONF_VERSION)])
+_AM_AUTOCONF_VERSION(m4_defn([AC_AUTOCONF_VERSION]))])
 
 # AM_AUX_DIR_EXPAND                                         -*- Autoconf -*-
 
@@ -8375,57 +8532,68 @@ _AM_SUBST_NOTMAKE([AMDEPBACKSLASH])dnl
 
 # Generate code to set up dependency tracking.              -*- Autoconf -*-
 
-# Copyright (C) 1999, 2000, 2001, 2002, 2003, 2004, 2005
+# Copyright (C) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2008
 # Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
 
-#serial 3
+#serial 5
 
 # _AM_OUTPUT_DEPENDENCY_COMMANDS
 # ------------------------------
 AC_DEFUN([_AM_OUTPUT_DEPENDENCY_COMMANDS],
-[for mf in $CONFIG_FILES; do
-  # Strip MF so we end up with the name of the file.
-  mf=`echo "$mf" | sed -e 's/:.*$//'`
-  # Check whether this is an Automake generated Makefile or not.
-  # We used to match only the files named `Makefile.in', but
-  # some people rename them; so instead we look at the file content.
-  # Grep'ing the first line is not enough: some people post-process
-  # each Makefile.in and add a new line on top of each file to say so.
-  # Grep'ing the whole file is not good either: AIX grep has a line
-  # limit of 2048, but all sed's we know have understand at least 4000.
-  if sed -n 's,^#.*generated by automake.*,X,p' "$mf" | grep X >/dev/null 2>&1; then
-    dirpart=`AS_DIRNAME("$mf")`
-  else
-    continue
-  fi
-  # Extract the definition of DEPDIR, am__include, and am__quote
-  # from the Makefile without running `make'.
-  DEPDIR=`sed -n 's/^DEPDIR = //p' < "$mf"`
-  test -z "$DEPDIR" && continue
-  am__include=`sed -n 's/^am__include = //p' < "$mf"`
-  test -z "am__include" && continue
-  am__quote=`sed -n 's/^am__quote = //p' < "$mf"`
-  # When using ansi2knr, U may be empty or an underscore; expand it
-  U=`sed -n 's/^U = //p' < "$mf"`
-  # Find all dependency output files, they are included files with
-  # $(DEPDIR) in their names.  We invoke sed twice because it is the
-  # simplest approach to changing $(DEPDIR) to its actual value in the
-  # expansion.
-  for file in `sed -n "
-    s/^$am__include $am__quote\(.*(DEPDIR).*\)$am__quote"'$/\1/p' <"$mf" | \
-       sed -e 's/\$(DEPDIR)/'"$DEPDIR"'/g' -e 's/\$U/'"$U"'/g'`; do
-    # Make sure the directory exists.
-    test -f "$dirpart/$file" && continue
-    fdir=`AS_DIRNAME(["$file"])`
-    AS_MKDIR_P([$dirpart/$fdir])
-    # echo "creating $dirpart/$file"
-    echo '# dummy' > "$dirpart/$file"
+[{
+  # Autoconf 2.62 quotes --file arguments for eval, but not when files
+  # are listed without --file.  Let's play safe and only enable the eval
+  # if we detect the quoting.
+  case $CONFIG_FILES in
+  *\'*) eval set x "$CONFIG_FILES" ;;
+  *)   set x $CONFIG_FILES ;;
+  esac
+  shift
+  for mf
+  do
+    # Strip MF so we end up with the name of the file.
+    mf=`echo "$mf" | sed -e 's/:.*$//'`
+    # Check whether this is an Automake generated Makefile or not.
+    # We used to match only the files named `Makefile.in', but
+    # some people rename them; so instead we look at the file content.
+    # Grep'ing the first line is not enough: some people post-process
+    # each Makefile.in and add a new line on top of each file to say so.
+    # Grep'ing the whole file is not good either: AIX grep has a line
+    # limit of 2048, but all sed's we know have understand at least 4000.
+    if sed -n 's,^#.*generated by automake.*,X,p' "$mf" | grep X >/dev/null 2>&1; then
+      dirpart=`AS_DIRNAME("$mf")`
+    else
+      continue
+    fi
+    # Extract the definition of DEPDIR, am__include, and am__quote
+    # from the Makefile without running `make'.
+    DEPDIR=`sed -n 's/^DEPDIR = //p' < "$mf"`
+    test -z "$DEPDIR" && continue
+    am__include=`sed -n 's/^am__include = //p' < "$mf"`
+    test -z "am__include" && continue
+    am__quote=`sed -n 's/^am__quote = //p' < "$mf"`
+    # When using ansi2knr, U may be empty or an underscore; expand it
+    U=`sed -n 's/^U = //p' < "$mf"`
+    # Find all dependency output files, they are included files with
+    # $(DEPDIR) in their names.  We invoke sed twice because it is the
+    # simplest approach to changing $(DEPDIR) to its actual value in the
+    # expansion.
+    for file in `sed -n "
+      s/^$am__include $am__quote\(.*(DEPDIR).*\)$am__quote"'$/\1/p' <"$mf" | \
+	 sed -e 's/\$(DEPDIR)/'"$DEPDIR"'/g' -e 's/\$U/'"$U"'/g'`; do
+      # Make sure the directory exists.
+      test -f "$dirpart/$file" && continue
+      fdir=`AS_DIRNAME(["$file"])`
+      AS_MKDIR_P([$dirpart/$fdir])
+      # echo "creating $dirpart/$file"
+      echo '# dummy' > "$dirpart/$file"
+    done
   done
-done
+}
 ])# _AM_OUTPUT_DEPENDENCY_COMMANDS
 
 
@@ -8719,13 +8887,13 @@ esac
 
 # Helper functions for option handling.                     -*- Autoconf -*-
 
-# Copyright (C) 2001, 2002, 2003, 2005  Free Software Foundation, Inc.
+# Copyright (C) 2001, 2002, 2003, 2005, 2008  Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
 
-# serial 3
+# serial 4
 
 # _AM_MANGLE_OPTION(NAME)
 # -----------------------
@@ -8742,7 +8910,7 @@ AC_DEFUN([_AM_SET_OPTION],
 # ----------------------------------
 # OPTIONS is a space-separated list of Automake options.
 AC_DEFUN([_AM_SET_OPTIONS],
-[AC_FOREACH([_AM_Option], [$1], [_AM_SET_OPTION(_AM_Option)])])
+[m4_foreach_w([_AM_Option], [$1], [_AM_SET_OPTION(_AM_Option)])])
 
 # _AM_IF_OPTION(OPTION, IF-SET, [IF-NOT-SET])
 # -------------------------------------------
diff --git a/configure b/configure
index b3e1792e3..540aad3aa 100755
--- a/configure
+++ b/configure
@@ -1,9 +1,9 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.61 for strongSwan 4.2.14.
+# Generated by GNU Autoconf 2.63 for strongSwan 4.3.2.
 #
 # Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
-# 2002, 2003, 2004, 2005, 2006 Free Software Foundation, Inc.
+# 2002, 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation, Inc.
 # This configure script is free software; the Free Software Foundation
 # gives unlimited permission to copy, distribute and modify it.
 ## --------------------- ##
@@ -15,7 +15,7 @@ DUALCASE=1; export DUALCASE # for MKS sh
 if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
   emulate sh
   NULLCMD=:
-  # Zsh 3.x and 4.x performs word splitting on ${1+"$@"}, which
+  # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which
   # is contrary to our usage.  Disable this feature.
   alias -g '${1+"$@"}'='"$@"'
   setopt NO_GLOB_SUBST
@@ -37,17 +37,45 @@ as_cr_Letters=$as_cr_letters$as_cr_LETTERS
 as_cr_digits='0123456789'
 as_cr_alnum=$as_cr_Letters$as_cr_digits
 
-# The user is always right.
-if test "${PATH_SEPARATOR+set}" != set; then
-  echo "#! /bin/sh" >conf$$.sh
-  echo  "exit 0"   >>conf$$.sh
-  chmod +x conf$$.sh
-  if (PATH="/nonexistent;."; conf$$.sh) >/dev/null 2>&1; then
-    PATH_SEPARATOR=';'
+as_nl='
+'
+export as_nl
+# Printing a long string crashes Solaris 7 /usr/bin/printf.
+as_echo='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\'
+as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo
+as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo$as_echo
+if (test "X`printf %s $as_echo`" = "X$as_echo") 2>/dev/null; then
+  as_echo='printf %s\n'
+  as_echo_n='printf %s'
+else
+  if test "X`(/usr/ucb/echo -n -n $as_echo) 2>/dev/null`" = "X-n $as_echo"; then
+    as_echo_body='eval /usr/ucb/echo -n "$1$as_nl"'
+    as_echo_n='/usr/ucb/echo -n'
   else
-    PATH_SEPARATOR=:
+    as_echo_body='eval expr "X$1" : "X\\(.*\\)"'
+    as_echo_n_body='eval
+      arg=$1;
+      case $arg in
+      *"$as_nl"*)
+	expr "X$arg" : "X\\(.*\\)$as_nl";
+	arg=`expr "X$arg" : ".*$as_nl\\(.*\\)"`;;
+      esac;
+      expr "X$arg" : "X\\(.*\\)" | tr -d "$as_nl"
+    '
+    export as_echo_n_body
+    as_echo_n='sh -c $as_echo_n_body as_echo'
   fi
-  rm -f conf$$.sh
+  export as_echo_body
+  as_echo='sh -c $as_echo_body as_echo'
+fi
+
+# The user is always right.
+if test "${PATH_SEPARATOR+set}" != set; then
+  PATH_SEPARATOR=:
+  (PATH='/bin;/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 && {
+    (PATH='/bin:/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 ||
+      PATH_SEPARATOR=';'
+  }
 fi
 
 # Support unset when possible.
@@ -63,8 +91,6 @@ fi
 # there to prevent editors from complaining about space-tab.
 # (If _AS_PATH_WALK were called with IFS unset, it would disable word
 # splitting by setting IFS to empty value.)
-as_nl='
-'
 IFS=" ""	$as_nl"
 
 # Find who we are.  Look in the path if we contain no directory separator.
@@ -87,7 +113,7 @@ if test "x$as_myself" = x; then
   as_myself=$0
 fi
 if test ! -f "$as_myself"; then
-  echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2
+  $as_echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2
   { (exit 1); exit 1; }
 fi
 
@@ -100,17 +126,10 @@ PS2='> '
 PS4='+ '
 
 # NLS nuisances.
-for as_var in \
-  LANG LANGUAGE LC_ADDRESS LC_ALL LC_COLLATE LC_CTYPE LC_IDENTIFICATION \
-  LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER \
-  LC_TELEPHONE LC_TIME
-do
-  if (set +x; test -z "`(eval $as_var=C; export $as_var) 2>&1`"); then
-    eval $as_var=C; export $as_var
-  else
-    ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var
-  fi
-done
+LC_ALL=C
+export LC_ALL
+LANGUAGE=C
+export LANGUAGE
 
 # Required to use basename.
 if expr a : '\(a\)' >/dev/null 2>&1 &&
@@ -132,7 +151,7 @@ as_me=`$as_basename -- "$0" ||
 $as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \
 	 X"$0" : 'X\(//\)$' \| \
 	 X"$0" : 'X\(/\)' \| . 2>/dev/null ||
-echo X/"$0" |
+$as_echo X/"$0" |
     sed '/^.*\/\([^/][^/]*\)\/*$/{
 	    s//\1/
 	    q
@@ -158,7 +177,7 @@ else
   as_have_required=no
 fi
 
-  if test $as_have_required = yes && 	 (eval ":
+  if test $as_have_required = yes &&	 (eval ":
 (as_func_return () {
   (exit \$1)
 }
@@ -240,7 +259,7 @@ IFS=$as_save_IFS
 if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
   emulate sh
   NULLCMD=:
-  # Zsh 3.x and 4.x performs word splitting on ${1+"$@"}, which
+  # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which
   # is contrary to our usage.  Disable this feature.
   alias -g '${1+"$@"}'='"$@"'
   setopt NO_GLOB_SUBST
@@ -261,7 +280,7 @@ _ASEOF
 if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
   emulate sh
   NULLCMD=:
-  # Zsh 3.x and 4.x performs word splitting on ${1+"$@"}, which
+  # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which
   # is contrary to our usage.  Disable this feature.
   alias -g '${1+"$@"}'='"$@"'
   setopt NO_GLOB_SUBST
@@ -341,10 +360,10 @@ fi
 
       if test "x$CONFIG_SHELL" != x; then
   for as_var in BASH_ENV ENV
-        do ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var
-        done
-        export CONFIG_SHELL
-        exec "$CONFIG_SHELL" "$as_myself" ${1+"$@"}
+	do ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var
+	done
+	export CONFIG_SHELL
+	exec "$CONFIG_SHELL" "$as_myself" ${1+"$@"}
 fi
 
 
@@ -413,9 +432,10 @@ fi
 
 test \$exitcode = 0") || {
   echo No shell found that supports shell functions.
-  echo Please tell autoconf@gnu.org about your system,
-  echo including any error possibly output before this
-  echo message
+  echo Please tell bug-autoconf@gnu.org about your system,
+  echo including any error possibly output before this message.
+  echo This can help us improve future autoconf versions.
+  echo Configuration will now proceed without shell functions.
 }
 
 
@@ -451,7 +471,7 @@ test \$exitcode = 0") || {
       s/-\n.*//
     ' >$as_me.lineno &&
   chmod +x "$as_me.lineno" ||
-    { echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2
+    { $as_echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2
    { (exit 1); exit 1; }; }
 
   # Don't try to exec as it changes $[0], causing all sort of problems
@@ -479,7 +499,6 @@ case `echo -n x` in
 *)
   ECHO_N='-n';;
 esac
-
 if expr a : '\(a\)' >/dev/null 2>&1 &&
    test "X`expr 00001 : '.*\(...\)'`" = X001; then
   as_expr=expr
@@ -492,19 +511,22 @@ if test -d conf$$.dir; then
   rm -f conf$$.dir/conf$$.file
 else
   rm -f conf$$.dir
-  mkdir conf$$.dir
-fi
-echo >conf$$.file
-if ln -s conf$$.file conf$$ 2>/dev/null; then
-  as_ln_s='ln -s'
-  # ... but there are two gotchas:
-  # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail.
-  # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable.
-  # In both cases, we have to default to `cp -p'.
-  ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe ||
+  mkdir conf$$.dir 2>/dev/null
+fi
+if (echo >conf$$.file) 2>/dev/null; then
+  if ln -s conf$$.file conf$$ 2>/dev/null; then
+    as_ln_s='ln -s'
+    # ... but there are two gotchas:
+    # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail.
+    # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable.
+    # In both cases, we have to default to `cp -p'.
+    ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe ||
+      as_ln_s='cp -p'
+  elif ln conf$$.file conf$$ 2>/dev/null; then
+    as_ln_s=ln
+  else
     as_ln_s='cp -p'
-elif ln conf$$.file conf$$ 2>/dev/null; then
-  as_ln_s=ln
+  fi
 else
   as_ln_s='cp -p'
 fi
@@ -529,10 +551,10 @@ else
   as_test_x='
     eval sh -c '\''
       if test -d "$1"; then
-        test -d "$1/.";
+	test -d "$1/.";
       else
 	case $1 in
-        -*)set "./$1";;
+	-*)set "./$1";;
 	esac;
 	case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in
 	???[sx]*):;;*)false;;esac;fi
@@ -721,8 +743,8 @@ SHELL=${CONFIG_SHELL-/bin/sh}
 # Identity of this package.
 PACKAGE_NAME='strongSwan'
 PACKAGE_TARNAME='strongswan'
-PACKAGE_VERSION='4.2.14'
-PACKAGE_STRING='strongSwan 4.2.14'
+PACKAGE_VERSION='4.3.2'
+PACKAGE_STRING='strongSwan 4.3.2'
 PACKAGE_BUGREPORT=''
 
 # Factoring default headers for most tests.
@@ -761,273 +783,385 @@ ac_includes_default="\
 # include <unistd.h>
 #endif"
 
-ac_subst_vars='SHELL
-PATH_SEPARATOR
-PACKAGE_NAME
-PACKAGE_TARNAME
-PACKAGE_VERSION
-PACKAGE_STRING
-PACKAGE_BUGREPORT
-exec_prefix
-prefix
-program_transform_name
-bindir
-sbindir
-libexecdir
-datarootdir
-datadir
-sysconfdir
-sharedstatedir
-localstatedir
-includedir
-oldincludedir
-docdir
-infodir
-htmldir
-dvidir
-pdfdir
-psdir
-libdir
-localedir
-mandir
-DEFS
-ECHO_C
-ECHO_N
-ECHO_T
-LIBS
-build_alias
-host_alias
-target_alias
-INSTALL_PROGRAM
-INSTALL_SCRIPT
-INSTALL_DATA
-am__isrc
-CYGPATH_W
-PACKAGE
-VERSION
-ACLOCAL
-AUTOCONF
-AUTOMAKE
-AUTOHEADER
-MAKEINFO
-install_sh
-STRIP
-INSTALL_STRIP_PROGRAM
-mkdir_p
-AWK
-SET_MAKE
-am__leading_dot
-AMTAR
-am__tar
-am__untar
+ac_subst_vars='LTLIBOBJS
+LIBOBJS
+USE_VSTR_FALSE
+USE_VSTR_TRUE
+USE_FILE_CONFIG_FALSE
+USE_FILE_CONFIG_TRUE
+USE_LIBSTRONGSWAN_FALSE
+USE_LIBSTRONGSWAN_TRUE
+USE_TOOLS_FALSE
+USE_TOOLS_TRUE
+USE_CHARON_FALSE
+USE_CHARON_TRUE
+USE_THREADS_FALSE
+USE_THREADS_TRUE
+USE_PLUTO_FALSE
+USE_PLUTO_TRUE
+USE_CAPABILITIES_FALSE
+USE_CAPABILITIES_TRUE
+USE_INTEGRITY_TEST_FALSE
+USE_INTEGRITY_TEST_TRUE
+USE_ME_FALSE
+USE_ME_TRUE
+USE_MANAGER_FALSE
+USE_MANAGER_TRUE
+USE_FAST_FALSE
+USE_FAST_TRUE
+USE_DUMM_FALSE
+USE_DUMM_TRUE
+USE_XAUTH_VID_FALSE
+USE_XAUTH_VID_TRUE
+USE_VENDORID_FALSE
+USE_VENDORID_TRUE
+USE_NAT_TRANSPORT_FALSE
+USE_NAT_TRANSPORT_TRUE
+USE_LOCK_PROFILER_FALSE
+USE_LOCK_PROFILER_TRUE
+USE_LEAK_DETECTIVE_FALSE
+USE_LEAK_DETECTIVE_TRUE
+USE_CISCO_QUIRKS_FALSE
+USE_CISCO_QUIRKS_TRUE
+USE_SMARTCARD_FALSE
+USE_SMARTCARD_TRUE
+USE_KERNEL_KLIPS_FALSE
+USE_KERNEL_KLIPS_TRUE
+USE_KERNEL_PFROUTE_FALSE
+USE_KERNEL_PFROUTE_TRUE
+USE_KERNEL_PFKEY_FALSE
+USE_KERNEL_PFKEY_TRUE
+USE_KERNEL_NETLINK_FALSE
+USE_KERNEL_NETLINK_TRUE
+USE_EAP_RADIUS_FALSE
+USE_EAP_RADIUS_TRUE
+USE_EAP_MSCHAPV2_FALSE
+USE_EAP_MSCHAPV2_TRUE
+USE_EAP_AKA_FALSE
+USE_EAP_AKA_TRUE
+USE_EAP_GTC_FALSE
+USE_EAP_GTC_TRUE
+USE_EAP_MD5_FALSE
+USE_EAP_MD5_TRUE
+USE_EAP_IDENTITY_FALSE
+USE_EAP_IDENTITY_TRUE
+USE_EAP_SIM_FILE_FALSE
+USE_EAP_SIM_FILE_TRUE
+USE_EAP_SIM_FALSE
+USE_EAP_SIM_TRUE
+USE_LOAD_TESTS_FALSE
+USE_LOAD_TESTS_TRUE
+USE_UNIT_TESTS_FALSE
+USE_UNIT_TESTS_TRUE
+USE_RESOLV_CONF_FALSE
+USE_RESOLV_CONF_TRUE
+USE_ATTR_FALSE
+USE_ATTR_TRUE
+USE_UPDOWN_FALSE
+USE_UPDOWN_TRUE
+USE_SQL_FALSE
+USE_SQL_TRUE
+USE_SMP_FALSE
+USE_SMP_TRUE
+USE_UCI_FALSE
+USE_UCI_TRUE
+USE_NM_FALSE
+USE_NM_TRUE
+USE_MEDCLI_FALSE
+USE_MEDCLI_TRUE
+USE_MEDSRV_FALSE
+USE_MEDSRV_TRUE
+USE_STROKE_FALSE
+USE_STROKE_TRUE
+USE_AGENT_FALSE
+USE_AGENT_TRUE
+USE_GCRYPT_FALSE
+USE_GCRYPT_TRUE
+USE_OPENSSL_FALSE
+USE_OPENSSL_TRUE
+USE_PADLOCK_FALSE
+USE_PADLOCK_TRUE
+USE_SQLITE_FALSE
+USE_SQLITE_TRUE
+USE_MYSQL_FALSE
+USE_MYSQL_TRUE
+USE_XCBC_FALSE
+USE_XCBC_TRUE
+USE_HMAC_FALSE
+USE_HMAC_TRUE
+USE_PUBKEY_FALSE
+USE_PUBKEY_TRUE
+USE_X509_FALSE
+USE_X509_TRUE
+USE_RANDOM_FALSE
+USE_RANDOM_TRUE
+USE_GMP_FALSE
+USE_GMP_TRUE
+USE_FIPS_PRF_FALSE
+USE_FIPS_PRF_TRUE
+USE_SHA2_FALSE
+USE_SHA2_TRUE
+USE_SHA1_FALSE
+USE_SHA1_TRUE
+USE_MD5_FALSE
+USE_MD5_TRUE
+USE_MD4_FALSE
+USE_MD4_TRUE
+USE_BLOWFISH_FALSE
+USE_BLOWFISH_TRUE
+USE_DES_FALSE
+USE_DES_TRUE
+USE_AES_FALSE
+USE_AES_TRUE
+USE_LDAP_FALSE
+USE_LDAP_TRUE
+USE_CURL_FALSE
+USE_CURL_TRUE
+USE_TEST_VECTORS_FALSE
+USE_TEST_VECTORS_TRUE
+pluto_plugins
+libstrongswan_plugins
+nm_LIBS
+nm_CFLAGS
+LIBGCRYPT_LIBS
+LIBGCRYPT_CFLAGS
+LIBGCRYPT_CONFIG
+RUBYINCLUDE
+RUBY
+gtk_LIBS
+gtk_CFLAGS
+xml_LIBS
+xml_CFLAGS
+DLLIB
+PERL
+GPERF
+YFLAGS
+YACC
+LEXLIB
+LEX_OUTPUT_ROOT
+LEX
+OTOOL64
+OTOOL
+LIPO
+NMEDIT
+DSYMUTIL
+lt_ECHO
+RANLIB
+AR
+OBJDUMP
+LN_S
+NM
+ac_ct_DUMPBIN
+DUMPBIN
+LD
+FGREP
+SED
+host_os
+host_vendor
+host_cpu
+host
+build_os
+build_vendor
+build_cpu
+build
+LIBTOOL
+EGREP
+GREP
+CPP
+am__fastdepCC_FALSE
+am__fastdepCC_TRUE
+CCDEPMODE
+AMDEPBACKSLASH
+AMDEP_FALSE
+AMDEP_TRUE
+am__quote
+am__include
+DEPDIR
+OBJEXT
+EXEEXT
+ac_ct_CC
+CPPFLAGS
+LDFLAGS
 CC
 CFLAGS
-LDFLAGS
-CPPFLAGS
-ac_ct_CC
-EXEEXT
-OBJEXT
-DEPDIR
-am__include
-am__quote
-AMDEP_TRUE
-AMDEP_FALSE
-AMDEPBACKSLASH
-CCDEPMODE
-am__fastdepCC_TRUE
-am__fastdepCC_FALSE
-CPP
-GREP
-EGREP
-confdir
-PKG_CONFIG
-resolv_conf
-strongswan_conf
-piddir
-ipsecdir
-plugindir
-simreader
-linuxdir
-LINUX_HEADERS
-IPSEC_ROUTING_TABLE
-IPSEC_ROUTING_TABLE_PRIO
-ipsecuser
 ipsecgroup
-LIBTOOL
-build
-build_cpu
-build_vendor
-build_os
-host
-host_cpu
-host_vendor
-host_os
-SED
-FGREP
-LD
-DUMPBIN
-ac_ct_DUMPBIN
-NM
-LN_S
-AR
-RANLIB
-lt_ECHO
-DSYMUTIL
-NMEDIT
-LIPO
-OTOOL
-OTOOL64
-LEX
-LEX_OUTPUT_ROOT
-LEXLIB
-YACC
-YFLAGS
-GPERF
-PERL
-xml_CFLAGS
-xml_LIBS
-gtk_CFLAGS
-gtk_LIBS
-nm_CFLAGS
-nm_LIBS
-libstrongswan_plugins
-USE_CURL_TRUE
-USE_CURL_FALSE
-USE_LDAP_TRUE
-USE_LDAP_FALSE
-USE_AES_TRUE
-USE_AES_FALSE
-USE_DES_TRUE
-USE_DES_FALSE
-USE_MD4_TRUE
-USE_MD4_FALSE
-USE_MD5_TRUE
-USE_MD5_FALSE
-USE_SHA1_TRUE
-USE_SHA1_FALSE
-USE_SHA2_TRUE
-USE_SHA2_FALSE
-USE_FIPS_PRF_TRUE
-USE_FIPS_PRF_FALSE
-USE_GMP_TRUE
-USE_GMP_FALSE
-USE_RANDOM_TRUE
-USE_RANDOM_FALSE
-USE_X509_TRUE
-USE_X509_FALSE
-USE_PUBKEY_TRUE
-USE_PUBKEY_FALSE
-USE_HMAC_TRUE
-USE_HMAC_FALSE
-USE_XCBC_TRUE
-USE_XCBC_FALSE
-USE_MYSQL_TRUE
-USE_MYSQL_FALSE
-USE_SQLITE_TRUE
-USE_SQLITE_FALSE
-USE_PADLOCK_TRUE
-USE_PADLOCK_FALSE
-USE_OPENSSL_TRUE
-USE_OPENSSL_FALSE
-USE_AGENT_TRUE
-USE_AGENT_FALSE
-USE_STROKE_TRUE
-USE_STROKE_FALSE
-USE_MEDSRV_TRUE
-USE_MEDSRV_FALSE
-USE_MEDCLI_TRUE
-USE_MEDCLI_FALSE
-USE_NM_TRUE
-USE_NM_FALSE
-USE_UCI_TRUE
-USE_UCI_FALSE
-USE_SMP_TRUE
-USE_SMP_FALSE
-USE_SQL_TRUE
-USE_SQL_FALSE
-USE_UPDOWN_TRUE
-USE_UPDOWN_FALSE
-USE_UNIT_TESTS_TRUE
-USE_UNIT_TESTS_FALSE
-USE_LOAD_TESTS_TRUE
-USE_LOAD_TESTS_FALSE
-USE_EAP_SIM_TRUE
-USE_EAP_SIM_FALSE
-USE_EAP_SIM_FILE_TRUE
-USE_EAP_SIM_FILE_FALSE
-USE_EAP_IDENTITY_TRUE
-USE_EAP_IDENTITY_FALSE
-USE_EAP_MD5_TRUE
-USE_EAP_MD5_FALSE
-USE_EAP_GTC_TRUE
-USE_EAP_GTC_FALSE
-USE_EAP_AKA_TRUE
-USE_EAP_AKA_FALSE
-USE_EAP_MSCHAPV2_TRUE
-USE_EAP_MSCHAPV2_FALSE
-USE_EAP_RADIUS_TRUE
-USE_EAP_RADIUS_FALSE
-USE_KERNEL_NETLINK_TRUE
-USE_KERNEL_NETLINK_FALSE
-USE_KERNEL_PFKEY_TRUE
-USE_KERNEL_PFKEY_FALSE
-USE_KERNEL_KLIPS_TRUE
-USE_KERNEL_KLIPS_FALSE
-USE_SMARTCARD_TRUE
-USE_SMARTCARD_FALSE
-USE_CISCO_QUIRKS_TRUE
-USE_CISCO_QUIRKS_FALSE
-USE_LEAK_DETECTIVE_TRUE
-USE_LEAK_DETECTIVE_FALSE
-USE_LOCK_PROFILER_TRUE
-USE_LOCK_PROFILER_FALSE
-USE_NAT_TRANSPORT_TRUE
-USE_NAT_TRANSPORT_FALSE
-USE_VENDORID_TRUE
-USE_VENDORID_FALSE
-USE_XAUTH_VID_TRUE
-USE_XAUTH_VID_FALSE
-USE_DUMM_TRUE
-USE_DUMM_FALSE
-USE_FAST_TRUE
-USE_FAST_FALSE
-USE_MANAGER_TRUE
-USE_MANAGER_FALSE
-USE_ME_TRUE
-USE_ME_FALSE
-USE_INTEGRITY_TEST_TRUE
-USE_INTEGRITY_TEST_FALSE
-USE_SELF_TEST_TRUE
-USE_SELF_TEST_FALSE
-USE_CAPABILITIES_TRUE
-USE_CAPABILITIES_FALSE
-USE_PLUTO_TRUE
-USE_PLUTO_FALSE
-USE_THREADS_TRUE
-USE_THREADS_FALSE
-USE_CHARON_TRUE
-USE_CHARON_FALSE
-USE_TOOLS_TRUE
-USE_TOOLS_FALSE
-USE_LIBSTRONGSWAN_TRUE
-USE_LIBSTRONGSWAN_FALSE
-USE_FILE_CONFIG_TRUE
-USE_FILE_CONFIG_FALSE
-USE_VSTR_TRUE
-USE_VSTR_FALSE
-LIBOBJS
-LTLIBOBJS'
+ipsecuser
+IPSEC_ROUTING_TABLE_PRIO
+IPSEC_ROUTING_TABLE
+LINUX_HEADERS
+linuxdir
+simreader
+plugindir
+ipsecdir
+piddir
+strongswan_conf
+resolv_conf
+PKG_CONFIG
+confdir
+am__untar
+am__tar
+AMTAR
+am__leading_dot
+SET_MAKE
+AWK
+mkdir_p
+MKDIR_P
+INSTALL_STRIP_PROGRAM
+STRIP
+install_sh
+MAKEINFO
+AUTOHEADER
+AUTOMAKE
+AUTOCONF
+ACLOCAL
+VERSION
+PACKAGE
+CYGPATH_W
+am__isrc
+INSTALL_DATA
+INSTALL_SCRIPT
+INSTALL_PROGRAM
+target_alias
+host_alias
+build_alias
+LIBS
+ECHO_T
+ECHO_N
+ECHO_C
+DEFS
+mandir
+localedir
+libdir
+psdir
+pdfdir
+dvidir
+htmldir
+infodir
+docdir
+oldincludedir
+includedir
+localstatedir
+sharedstatedir
+sysconfdir
+datadir
+datarootdir
+libexecdir
+sbindir
+bindir
+program_transform_name
+prefix
+exec_prefix
+PACKAGE_BUGREPORT
+PACKAGE_STRING
+PACKAGE_VERSION
+PACKAGE_TARNAME
+PACKAGE_NAME
+PATH_SEPARATOR
+SHELL'
 ac_subst_files=''
+ac_user_opts='
+enable_option_checking
+with_default_pkcs11
+with_xauth_module
+with_random_device
+with_resolv_conf
+with_strongswan_conf
+with_urandom_device
+with_piddir
+with_ipsecdir
+with_plugindir
+with_sim_reader
+with_linux_headers
+with_routing_table
+with_routing_table_prio
+with_uid
+with_gid
+with_user
+with_group
+with_capabilities
+enable_curl
+enable_ldap
+enable_aes
+enable_des
+enable_blowfish
+enable_md4
+enable_md5
+enable_sha1
+enable_sha2
+enable_fips_prf
+enable_gmp
+enable_random
+enable_x509
+enable_pubkey
+enable_hmac
+enable_xcbc
+enable_test_vectors
+enable_mysql
+enable_sqlite
+enable_stroke
+enable_medsrv
+enable_medcli
+enable_smp
+enable_sql
+enable_smartcard
+enable_cisco_quirks
+enable_leak_detective
+enable_lock_profiler
+enable_unit_tests
+enable_load_tests
+enable_eap_sim
+enable_eap_sim_file
+enable_eap_identity
+enable_eap_md5
+enable_eap_gtc
+enable_eap_aka
+enable_eap_mschapv2
+enable_eap_radius
+enable_kernel_netlink
+enable_kernel_pfkey
+enable_kernel_pfroute
+enable_kernel_klips
+enable_nat_transport
+enable_vendor_id
+enable_xauth_vid
+enable_dumm
+enable_fast
+enable_manager
+enable_mediation
+enable_integrity_test
+enable_pluto
+enable_threads
+enable_charon
+enable_tools
+enable_updown
+enable_attr
+enable_resolv_conf
+enable_padlock
+enable_openssl
+enable_gcrypt
+enable_agent
+enable_uci
+enable_nm
+enable_vstr
+enable_dependency_tracking
+enable_shared
+enable_static
+with_pic
+enable_fast_install
+with_gnu_ld
+enable_libtool_lock
+with_libgcrypt_prefix
+'
       ac_precious_vars='build_alias
 host_alias
 target_alias
+PKG_CONFIG
 CC
 CFLAGS
 LDFLAGS
 LIBS
 CPPFLAGS
 CPP
-PKG_CONFIG
 YACC
 YFLAGS
 xml_CFLAGS
@@ -1041,6 +1175,8 @@ nm_LIBS'
 # Initialize some variables set by options.
 ac_init_help=
 ac_init_version=false
+ac_unrecognized_opts=
+ac_unrecognized_sep=
 # The variables have the same names as the options, with
 # dashes changed to underlines.
 cache_file=/dev/null
@@ -1139,13 +1275,21 @@ do
     datarootdir=$ac_optarg ;;
 
   -disable-* | --disable-*)
-    ac_feature=`expr "x$ac_option" : 'x-*disable-\(.*\)'`
+    ac_useropt=`expr "x$ac_option" : 'x-*disable-\(.*\)'`
     # Reject names that are not valid shell variable names.
-    expr "x$ac_feature" : ".*[^-._$as_cr_alnum]" >/dev/null &&
-      { echo "$as_me: error: invalid feature name: $ac_feature" >&2
+    expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null &&
+      { $as_echo "$as_me: error: invalid feature name: $ac_useropt" >&2
    { (exit 1); exit 1; }; }
-    ac_feature=`echo $ac_feature | sed 's/[-.]/_/g'`
-    eval enable_$ac_feature=no ;;
+    ac_useropt_orig=$ac_useropt
+    ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'`
+    case $ac_user_opts in
+      *"
+"enable_$ac_useropt"
+"*) ;;
+      *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--disable-$ac_useropt_orig"
+	 ac_unrecognized_sep=', ';;
+    esac
+    eval enable_$ac_useropt=no ;;
 
   -docdir | --docdir | --docdi | --doc | --do)
     ac_prev=docdir ;;
@@ -1158,13 +1302,21 @@ do
     dvidir=$ac_optarg ;;
 
   -enable-* | --enable-*)
-    ac_feature=`expr "x$ac_option" : 'x-*enable-\([^=]*\)'`
+    ac_useropt=`expr "x$ac_option" : 'x-*enable-\([^=]*\)'`
     # Reject names that are not valid shell variable names.
-    expr "x$ac_feature" : ".*[^-._$as_cr_alnum]" >/dev/null &&
-      { echo "$as_me: error: invalid feature name: $ac_feature" >&2
+    expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null &&
+      { $as_echo "$as_me: error: invalid feature name: $ac_useropt" >&2
    { (exit 1); exit 1; }; }
-    ac_feature=`echo $ac_feature | sed 's/[-.]/_/g'`
-    eval enable_$ac_feature=\$ac_optarg ;;
+    ac_useropt_orig=$ac_useropt
+    ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'`
+    case $ac_user_opts in
+      *"
+"enable_$ac_useropt"
+"*) ;;
+      *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--enable-$ac_useropt_orig"
+	 ac_unrecognized_sep=', ';;
+    esac
+    eval enable_$ac_useropt=\$ac_optarg ;;
 
   -exec-prefix | --exec_prefix | --exec-prefix | --exec-prefi \
   | --exec-pref | --exec-pre | --exec-pr | --exec-p | --exec- \
@@ -1355,22 +1507,38 @@ do
     ac_init_version=: ;;
 
   -with-* | --with-*)
-    ac_package=`expr "x$ac_option" : 'x-*with-\([^=]*\)'`
+    ac_useropt=`expr "x$ac_option" : 'x-*with-\([^=]*\)'`
     # Reject names that are not valid shell variable names.
-    expr "x$ac_package" : ".*[^-._$as_cr_alnum]" >/dev/null &&
-      { echo "$as_me: error: invalid package name: $ac_package" >&2
+    expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null &&
+      { $as_echo "$as_me: error: invalid package name: $ac_useropt" >&2
    { (exit 1); exit 1; }; }
-    ac_package=`echo $ac_package | sed 's/[-.]/_/g'`
-    eval with_$ac_package=\$ac_optarg ;;
+    ac_useropt_orig=$ac_useropt
+    ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'`
+    case $ac_user_opts in
+      *"
+"with_$ac_useropt"
+"*) ;;
+      *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--with-$ac_useropt_orig"
+	 ac_unrecognized_sep=', ';;
+    esac
+    eval with_$ac_useropt=\$ac_optarg ;;
 
   -without-* | --without-*)
-    ac_package=`expr "x$ac_option" : 'x-*without-\(.*\)'`
+    ac_useropt=`expr "x$ac_option" : 'x-*without-\(.*\)'`
     # Reject names that are not valid shell variable names.
-    expr "x$ac_package" : ".*[^-._$as_cr_alnum]" >/dev/null &&
-      { echo "$as_me: error: invalid package name: $ac_package" >&2
+    expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null &&
+      { $as_echo "$as_me: error: invalid package name: $ac_useropt" >&2
    { (exit 1); exit 1; }; }
-    ac_package=`echo $ac_package | sed 's/[-.]/_/g'`
-    eval with_$ac_package=no ;;
+    ac_useropt_orig=$ac_useropt
+    ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'`
+    case $ac_user_opts in
+      *"
+"with_$ac_useropt"
+"*) ;;
+      *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--without-$ac_useropt_orig"
+	 ac_unrecognized_sep=', ';;
+    esac
+    eval with_$ac_useropt=no ;;
 
   --x)
     # Obsolete; use --with-x.
@@ -1390,7 +1558,7 @@ do
   | --x-librar=* | --x-libra=* | --x-libr=* | --x-lib=* | --x-li=* | --x-l=*)
     x_libraries=$ac_optarg ;;
 
-  -*) { echo "$as_me: error: unrecognized option: $ac_option
+  -*) { $as_echo "$as_me: error: unrecognized option: $ac_option
 Try \`$0 --help' for more information." >&2
    { (exit 1); exit 1; }; }
     ;;
@@ -1399,16 +1567,16 @@ Try \`$0 --help' for more information." >&2
     ac_envvar=`expr "x$ac_option" : 'x\([^=]*\)='`
     # Reject names that are not valid shell variable names.
     expr "x$ac_envvar" : ".*[^_$as_cr_alnum]" >/dev/null &&
-      { echo "$as_me: error: invalid variable name: $ac_envvar" >&2
+      { $as_echo "$as_me: error: invalid variable name: $ac_envvar" >&2
    { (exit 1); exit 1; }; }
     eval $ac_envvar=\$ac_optarg
     export $ac_envvar ;;
 
   *)
     # FIXME: should be removed in autoconf 3.0.
-    echo "$as_me: WARNING: you should use --build, --host, --target" >&2
+    $as_echo "$as_me: WARNING: you should use --build, --host, --target" >&2
     expr "x$ac_option" : ".*[^-._$as_cr_alnum]" >/dev/null &&
-      echo "$as_me: WARNING: invalid host type: $ac_option" >&2
+      $as_echo "$as_me: WARNING: invalid host type: $ac_option" >&2
     : ${build_alias=$ac_option} ${host_alias=$ac_option} ${target_alias=$ac_option}
     ;;
 
@@ -1417,22 +1585,38 @@ done
 
 if test -n "$ac_prev"; then
   ac_option=--`echo $ac_prev | sed 's/_/-/g'`
-  { echo "$as_me: error: missing argument to $ac_option" >&2
+  { $as_echo "$as_me: error: missing argument to $ac_option" >&2
    { (exit 1); exit 1; }; }
 fi
 
-# Be sure to have absolute directory names.
+if test -n "$ac_unrecognized_opts"; then
+  case $enable_option_checking in
+    no) ;;
+    fatal) { $as_echo "$as_me: error: unrecognized options: $ac_unrecognized_opts" >&2
+   { (exit 1); exit 1; }; } ;;
+    *)     $as_echo "$as_me: WARNING: unrecognized options: $ac_unrecognized_opts" >&2 ;;
+  esac
+fi
+
+# Check all directory arguments for consistency.
 for ac_var in	exec_prefix prefix bindir sbindir libexecdir datarootdir \
 		datadir sysconfdir sharedstatedir localstatedir includedir \
 		oldincludedir docdir infodir htmldir dvidir pdfdir psdir \
 		libdir localedir mandir
 do
   eval ac_val=\$$ac_var
+  # Remove trailing slashes.
+  case $ac_val in
+    */ )
+      ac_val=`expr "X$ac_val" : 'X\(.*[^/]\)' \| "X$ac_val" : 'X\(.*\)'`
+      eval $ac_var=\$ac_val;;
+  esac
+  # Be sure to have absolute directory names.
   case $ac_val in
     [\\/$]* | ?:[\\/]* )  continue;;
     NONE | '' ) case $ac_var in *prefix ) continue;; esac;;
   esac
-  { echo "$as_me: error: expected an absolute directory name for --$ac_var: $ac_val" >&2
+  { $as_echo "$as_me: error: expected an absolute directory name for --$ac_var: $ac_val" >&2
    { (exit 1); exit 1; }; }
 done
 
@@ -1447,7 +1631,7 @@ target=$target_alias
 if test "x$host_alias" != x; then
   if test "x$build_alias" = x; then
     cross_compiling=maybe
-    echo "$as_me: WARNING: If you wanted to set the --build type, don't use --host.
+    $as_echo "$as_me: WARNING: If you wanted to set the --build type, don't use --host.
     If a cross compiler is detected then cross compile mode will be used." >&2
   elif test "x$build_alias" != "x$host_alias"; then
     cross_compiling=yes
@@ -1463,10 +1647,10 @@ test "$silent" = yes && exec 6>/dev/null
 ac_pwd=`pwd` && test -n "$ac_pwd" &&
 ac_ls_di=`ls -di .` &&
 ac_pwd_ls_di=`cd "$ac_pwd" && ls -di .` ||
-  { echo "$as_me: error: Working directory cannot be determined" >&2
+  { $as_echo "$as_me: error: working directory cannot be determined" >&2
    { (exit 1); exit 1; }; }
 test "X$ac_ls_di" = "X$ac_pwd_ls_di" ||
-  { echo "$as_me: error: pwd does not report name of working directory" >&2
+  { $as_echo "$as_me: error: pwd does not report name of working directory" >&2
    { (exit 1); exit 1; }; }
 
 
@@ -1474,12 +1658,12 @@ test "X$ac_ls_di" = "X$ac_pwd_ls_di" ||
 if test -z "$srcdir"; then
   ac_srcdir_defaulted=yes
   # Try the directory containing this script, then the parent directory.
-  ac_confdir=`$as_dirname -- "$0" ||
-$as_expr X"$0" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
-	 X"$0" : 'X\(//\)[^/]' \| \
-	 X"$0" : 'X\(//\)$' \| \
-	 X"$0" : 'X\(/\)' \| . 2>/dev/null ||
-echo X"$0" |
+  ac_confdir=`$as_dirname -- "$as_myself" ||
+$as_expr X"$as_myself" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
+	 X"$as_myself" : 'X\(//\)[^/]' \| \
+	 X"$as_myself" : 'X\(//\)$' \| \
+	 X"$as_myself" : 'X\(/\)' \| . 2>/dev/null ||
+$as_echo X"$as_myself" |
     sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
 	    s//\1/
 	    q
@@ -1506,12 +1690,12 @@ else
 fi
 if test ! -r "$srcdir/$ac_unique_file"; then
   test "$ac_srcdir_defaulted" = yes && srcdir="$ac_confdir or .."
-  { echo "$as_me: error: cannot find sources ($ac_unique_file) in $srcdir" >&2
+  { $as_echo "$as_me: error: cannot find sources ($ac_unique_file) in $srcdir" >&2
    { (exit 1); exit 1; }; }
 fi
 ac_msg="sources are in $srcdir, but \`cd $srcdir' does not work"
 ac_abs_confdir=`(
-	cd "$srcdir" && test -r "./$ac_unique_file" || { echo "$as_me: error: $ac_msg" >&2
+	cd "$srcdir" && test -r "./$ac_unique_file" || { $as_echo "$as_me: error: $ac_msg" >&2
    { (exit 1); exit 1; }; }
 	pwd)`
 # When building in place, set srcdir=.
@@ -1538,7 +1722,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures strongSwan 4.2.14 to adapt to many kinds of systems.
+\`configure' configures strongSwan 4.3.2 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1560,9 +1744,9 @@ Configuration:
 
 Installation directories:
   --prefix=PREFIX         install architecture-independent files in PREFIX
-			  [$ac_default_prefix]
+                          [$ac_default_prefix]
   --exec-prefix=EPREFIX   install architecture-dependent files in EPREFIX
-			  [PREFIX]
+                          [PREFIX]
 
 By default, \`make install' will install all the files in
 \`$ac_default_prefix/bin', \`$ac_default_prefix/lib' etc.  You can specify
@@ -1572,25 +1756,25 @@ for instance \`--prefix=\$HOME'.
 For better control, use the options below.
 
 Fine tuning of the installation directories:
-  --bindir=DIR           user executables [EPREFIX/bin]
-  --sbindir=DIR          system admin executables [EPREFIX/sbin]
-  --libexecdir=DIR       program executables [EPREFIX/libexec]
-  --sysconfdir=DIR       read-only single-machine data [PREFIX/etc]
-  --sharedstatedir=DIR   modifiable architecture-independent data [PREFIX/com]
-  --localstatedir=DIR    modifiable single-machine data [PREFIX/var]
-  --libdir=DIR           object code libraries [EPREFIX/lib]
-  --includedir=DIR       C header files [PREFIX/include]
-  --oldincludedir=DIR    C header files for non-gcc [/usr/include]
-  --datarootdir=DIR      read-only arch.-independent data root [PREFIX/share]
-  --datadir=DIR          read-only architecture-independent data [DATAROOTDIR]
-  --infodir=DIR          info documentation [DATAROOTDIR/info]
-  --localedir=DIR        locale-dependent data [DATAROOTDIR/locale]
-  --mandir=DIR           man documentation [DATAROOTDIR/man]
-  --docdir=DIR           documentation root [DATAROOTDIR/doc/strongswan]
-  --htmldir=DIR          html documentation [DOCDIR]
-  --dvidir=DIR           dvi documentation [DOCDIR]
-  --pdfdir=DIR           pdf documentation [DOCDIR]
-  --psdir=DIR            ps documentation [DOCDIR]
+  --bindir=DIR            user executables [EPREFIX/bin]
+  --sbindir=DIR           system admin executables [EPREFIX/sbin]
+  --libexecdir=DIR        program executables [EPREFIX/libexec]
+  --sysconfdir=DIR        read-only single-machine data [PREFIX/etc]
+  --sharedstatedir=DIR    modifiable architecture-independent data [PREFIX/com]
+  --localstatedir=DIR     modifiable single-machine data [PREFIX/var]
+  --libdir=DIR            object code libraries [EPREFIX/lib]
+  --includedir=DIR        C header files [PREFIX/include]
+  --oldincludedir=DIR     C header files for non-gcc [/usr/include]
+  --datarootdir=DIR       read-only arch.-independent data root [PREFIX/share]
+  --datadir=DIR           read-only architecture-independent data [DATAROOTDIR]
+  --infodir=DIR           info documentation [DATAROOTDIR/info]
+  --localedir=DIR         locale-dependent data [DATAROOTDIR/locale]
+  --mandir=DIR            man documentation [DATAROOTDIR/man]
+  --docdir=DIR            documentation root [DATAROOTDIR/doc/strongswan]
+  --htmldir=DIR           html documentation [DOCDIR]
+  --dvidir=DIR            dvi documentation [DOCDIR]
+  --pdfdir=DIR            pdf documentation [DOCDIR]
+  --psdir=DIR             ps documentation [DOCDIR]
 _ACEOF
 
   cat <<\_ACEOF
@@ -1608,15 +1792,14 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of strongSwan 4.2.14:";;
+     short | recursive ) echo "Configuration of strongSwan 4.3.2:";;
    esac
   cat <<\_ACEOF
 
 Optional Features:
+  --disable-option-checking  ignore unrecognized --enable/--with options
   --disable-FEATURE       do not include FEATURE (same as --enable-FEATURE=no)
   --enable-FEATURE[=ARG]  include FEATURE [ARG=yes]
-  --disable-dependency-tracking  speeds up one-time build
-  --enable-dependency-tracking   do not reject slow dependency extractors
   --enable-curl           enable CURL fetcher plugin to fetch files via
                           libcurl (default is NO). Requires libcurl.
   --enable-ldap           enable LDAP fetching plugin to fetch files via
@@ -1625,6 +1808,8 @@ Optional Features:
                           (default is NO).
   --disable-des           disable own DES/3DES software implementation plugin.
                           (default is NO).
+  --enable-blowfish       enable Blowfish software implementation plugin
+                          (default is NO).
   --enable-md4            enable MD4 software implementation plugin (default
                           is NO).
   --disable-md5           disable own MD5 software implementation plugin.
@@ -1647,6 +1832,8 @@ Optional Features:
                           is NO).
   --disable-xcbc          disable xcbc crypto implementation plugin. (default
                           is NO).
+  --enable-test-vectors   enable plugin providing crypto test vectors (default
+                          is NO).
   --enable-mysql          enable MySQL database support (default is NO).
                           Requires libmysqlclient_r.
   --enable-sqlite         enable SQLite database support (default is NO).
@@ -1690,6 +1877,8 @@ Optional Features:
                           disable the netlink kernel interface. (default is
                           NO).
   --enable-kernel-pfkey   enable the PF_KEY kernel interface. (default is NO).
+  --enable-kernel-pfroute enable the PF_ROUTE kernel interface. (default is
+                          NO).
   --enable-kernel-klips   enable the KLIPS kernel interface. (default is NO).
   --enable-nat-transport  enable NAT traversal with IPsec transport mode
                           (default is NO).
@@ -1704,8 +1893,6 @@ Optional Features:
   --enable-mediation      enable IKEv2 Mediation Extension (default is NO).
   --enable-integrity-test enable the integrity test of the crypto library
                           (default is NO).
-  --disable-self-test     disable the self-test of the crypto library (default
-                          is NO).
   --disable-pluto         disable the IKEv1 keying daemon pluto. (default is
                           NO).
   --disable-threads       disable the use of threads in pluto. Charon always
@@ -1716,13 +1903,22 @@ Optional Features:
                           scepclient). (default is NO).
   --disable-updown        disable updown firewall script plugin. (default is
                           NO).
+  --disable-attr          disable strongswan.conf based configuration
+                          attribute plugin. (default is NO).
+  --disable-resolv-conf   disable resolv.conf DNS handler plugin. (default is
+                          NO).
   --enable-padlock        enables VIA Padlock crypto plugin. (default is NO).
   --enable-openssl        enables the OpenSSL crypto plugin. (default is NO).
+  --enable-gcrypt         enables the libgcrypt plugin. (default is NO).
   --enable-agent          enables the ssh-agent signing plugin. (default is
                           NO).
   --enable-uci            enable OpenWRT UCI configuration plugin (default is
                           NO).
   --enable-nm             enable NetworkManager plugin (default is NO).
+  --enable-vstr           enforce using the Vstr string library to replace
+                          glibc-like printf hooks (default is NO).
+  --disable-dependency-tracking  speeds up one-time build
+  --enable-dependency-tracking   do not reject slow dependency extractors
   --enable-shared[=PKGS]  build shared libraries [default=yes]
   --enable-static[=PKGS]  build static libraries [default=yes]
   --enable-fast-install[=PKGS]
@@ -1739,8 +1935,8 @@ Optional Packages:
   --with-random-device=dev
                           set the device for real random data other than
                           "/dev/random"
-  --with-resolv-conf=file set the file to store DNS server information other
-                          than "sysconfdir/resolv.conf"
+  --with-resolv-conf=file set the file to use in DNS handler plugin other than
+                          "sysconfdir/resolv.conf"
   --with-strongswan-conf=file
                           strongswan.conf file other than
                           "sysconfdir/strongswan.conf"
@@ -1774,8 +1970,11 @@ Optional Packages:
   --with-pic              try to use only PIC/non-PIC objects [default=use
                           both]
   --with-gnu-ld           assume the C compiler uses GNU ld [default=no]
+  --with-libgcrypt-prefix=PFX
+                          prefix where LIBGCRYPT is installed (optional)
 
 Some influential environment variables:
+  PKG_CONFIG  path to pkg-config utility
   CC          C compiler command
   CFLAGS      C compiler flags
   LDFLAGS     linker flags, e.g. -L<lib dir> if you have libraries in a
@@ -1784,7 +1983,6 @@ Some influential environment variables:
   CPPFLAGS    C/C++/Objective C preprocessor flags, e.g. -I<include dir> if
               you have headers in a nonstandard directory <include dir>
   CPP         C preprocessor
-  PKG_CONFIG  path to pkg-config utility
   YACC        The `Yet Another C Compiler' implementation to use. Defaults to
               the first program found out of: `bison -y', `byacc', `yacc'.
   YFLAGS      The list of arguments that will be passed by default to $YACC.
@@ -1807,15 +2005,17 @@ fi
 if test "$ac_init_help" = "recursive"; then
   # If there are subdirs, report their specific --help.
   for ac_dir in : $ac_subdirs_all; do test "x$ac_dir" = x: && continue
-    test -d "$ac_dir" || continue
+    test -d "$ac_dir" ||
+      { cd "$srcdir" && ac_pwd=`pwd` && srcdir=. && test -d "$ac_dir"; } ||
+      continue
     ac_builddir=.
 
 case "$ac_dir" in
 .) ac_dir_suffix= ac_top_builddir_sub=. ac_top_build_prefix= ;;
 *)
-  ac_dir_suffix=/`echo "$ac_dir" | sed 's,^\.[\\/],,'`
+  ac_dir_suffix=/`$as_echo "$ac_dir" | sed 's|^\.[\\/]||'`
   # A ".." for each directory in $ac_dir_suffix.
-  ac_top_builddir_sub=`echo "$ac_dir_suffix" | sed 's,/[^\\/]*,/..,g;s,/,,'`
+  ac_top_builddir_sub=`$as_echo "$ac_dir_suffix" | sed 's|/[^\\/]*|/..|g;s|/||'`
   case $ac_top_builddir_sub in
   "") ac_top_builddir_sub=. ac_top_build_prefix= ;;
   *)  ac_top_build_prefix=$ac_top_builddir_sub/ ;;
@@ -1851,7 +2051,7 @@ ac_abs_srcdir=$ac_abs_top_srcdir$ac_dir_suffix
       echo &&
       $SHELL "$ac_srcdir/configure" --help=recursive
     else
-      echo "$as_me: WARNING: no configuration information is in $ac_dir" >&2
+      $as_echo "$as_me: WARNING: no configuration information is in $ac_dir" >&2
     fi || ac_status=$?
     cd "$ac_pwd" || { ac_status=$?; break; }
   done
@@ -1860,11 +2060,11 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-strongSwan configure 4.2.14
-generated by GNU Autoconf 2.61
+strongSwan configure 4.3.2
+generated by GNU Autoconf 2.63
 
 Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
-2002, 2003, 2004, 2005, 2006 Free Software Foundation, Inc.
+2002, 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation, Inc.
 This configure script is free software; the Free Software Foundation
 gives unlimited permission to copy, distribute and modify it.
 _ACEOF
@@ -1874,8 +2074,8 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by strongSwan $as_me 4.2.14, which was
-generated by GNU Autoconf 2.61.  Invocation command line was
+It was created by strongSwan $as_me 4.3.2, which was
+generated by GNU Autoconf 2.63.  Invocation command line was
 
   $ $0 $@
 
@@ -1911,7 +2111,7 @@ for as_dir in $PATH
 do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
-  echo "PATH: $as_dir"
+  $as_echo "PATH: $as_dir"
 done
 IFS=$as_save_IFS
 
@@ -1946,7 +2146,7 @@ do
     | -silent | --silent | --silen | --sile | --sil)
       continue ;;
     *\'*)
-      ac_arg=`echo "$ac_arg" | sed "s/'/'\\\\\\\\''/g"` ;;
+      ac_arg=`$as_echo "$ac_arg" | sed "s/'/'\\\\\\\\''/g"` ;;
     esac
     case $ac_pass in
     1) ac_configure_args0="$ac_configure_args0 '$ac_arg'" ;;
@@ -1998,11 +2198,12 @@ _ASBOX
     case $ac_val in #(
     *${as_nl}*)
       case $ac_var in #(
-      *_cv_*) { echo "$as_me:$LINENO: WARNING: Cache variable $ac_var contains a newline." >&5
-echo "$as_me: WARNING: Cache variable $ac_var contains a newline." >&2;} ;;
+      *_cv_*) { $as_echo "$as_me:$LINENO: WARNING: cache variable $ac_var contains a newline" >&5
+$as_echo "$as_me: WARNING: cache variable $ac_var contains a newline" >&2;} ;;
       esac
       case $ac_var in #(
       _ | IFS | as_nl) ;; #(
+      BASH_ARGV | BASH_SOURCE) eval $ac_var= ;; #(
       *) $as_unset $ac_var ;;
       esac ;;
     esac
@@ -2032,9 +2233,9 @@ _ASBOX
     do
       eval ac_val=\$$ac_var
       case $ac_val in
-      *\'\''*) ac_val=`echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;;
+      *\'\''*) ac_val=`$as_echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;;
       esac
-      echo "$ac_var='\''$ac_val'\''"
+      $as_echo "$ac_var='\''$ac_val'\''"
     done | sort
     echo
 
@@ -2049,9 +2250,9 @@ _ASBOX
       do
 	eval ac_val=\$$ac_var
 	case $ac_val in
-	*\'\''*) ac_val=`echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;;
+	*\'\''*) ac_val=`$as_echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;;
 	esac
-	echo "$ac_var='\''$ac_val'\''"
+	$as_echo "$ac_var='\''$ac_val'\''"
       done | sort
       echo
     fi
@@ -2067,8 +2268,8 @@ _ASBOX
       echo
     fi
     test "$ac_signal" != 0 &&
-      echo "$as_me: caught signal $ac_signal"
-    echo "$as_me: exit $exit_status"
+      $as_echo "$as_me: caught signal $ac_signal"
+    $as_echo "$as_me: exit $exit_status"
   } >&5
   rm -f core *.core core.conftest.* &&
     rm -f -r conftest* confdefs* conf$$* $ac_clean_files &&
@@ -2110,21 +2311,24 @@ _ACEOF
 
 
 # Let the site file select an alternate cache file if it wants to.
-# Prefer explicitly selected file to automatically selected ones.
+# Prefer an explicitly selected file to automatically selected ones.
+ac_site_file1=NONE
+ac_site_file2=NONE
 if test -n "$CONFIG_SITE"; then
-  set x "$CONFIG_SITE"
+  ac_site_file1=$CONFIG_SITE
 elif test "x$prefix" != xNONE; then
-  set x "$prefix/share/config.site" "$prefix/etc/config.site"
+  ac_site_file1=$prefix/share/config.site
+  ac_site_file2=$prefix/etc/config.site
 else
-  set x "$ac_default_prefix/share/config.site" \
-	"$ac_default_prefix/etc/config.site"
+  ac_site_file1=$ac_default_prefix/share/config.site
+  ac_site_file2=$ac_default_prefix/etc/config.site
 fi
-shift
-for ac_site_file
+for ac_site_file in "$ac_site_file1" "$ac_site_file2"
 do
+  test "x$ac_site_file" = xNONE && continue
   if test -r "$ac_site_file"; then
-    { echo "$as_me:$LINENO: loading site script $ac_site_file" >&5
-echo "$as_me: loading site script $ac_site_file" >&6;}
+    { $as_echo "$as_me:$LINENO: loading site script $ac_site_file" >&5
+$as_echo "$as_me: loading site script $ac_site_file" >&6;}
     sed 's/^/| /' "$ac_site_file" >&5
     . "$ac_site_file"
   fi
@@ -2134,16 +2338,16 @@ if test -r "$cache_file"; then
   # Some versions of bash will fail to source /dev/null (special
   # files actually), so we avoid doing that.
   if test -f "$cache_file"; then
-    { echo "$as_me:$LINENO: loading cache $cache_file" >&5
-echo "$as_me: loading cache $cache_file" >&6;}
+    { $as_echo "$as_me:$LINENO: loading cache $cache_file" >&5
+$as_echo "$as_me: loading cache $cache_file" >&6;}
     case $cache_file in
       [\\/]* | ?:[\\/]* ) . "$cache_file";;
       *)                      . "./$cache_file";;
     esac
   fi
 else
-  { echo "$as_me:$LINENO: creating cache $cache_file" >&5
-echo "$as_me: creating cache $cache_file" >&6;}
+  { $as_echo "$as_me:$LINENO: creating cache $cache_file" >&5
+$as_echo "$as_me: creating cache $cache_file" >&6;}
   >$cache_file
 fi
 
@@ -2157,29 +2361,38 @@ for ac_var in $ac_precious_vars; do
   eval ac_new_val=\$ac_env_${ac_var}_value
   case $ac_old_set,$ac_new_set in
     set,)
-      { echo "$as_me:$LINENO: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&5
-echo "$as_me: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&2;}
+      { $as_echo "$as_me:$LINENO: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&5
+$as_echo "$as_me: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&2;}
       ac_cache_corrupted=: ;;
     ,set)
-      { echo "$as_me:$LINENO: error: \`$ac_var' was not set in the previous run" >&5
-echo "$as_me: error: \`$ac_var' was not set in the previous run" >&2;}
+      { $as_echo "$as_me:$LINENO: error: \`$ac_var' was not set in the previous run" >&5
+$as_echo "$as_me: error: \`$ac_var' was not set in the previous run" >&2;}
       ac_cache_corrupted=: ;;
     ,);;
     *)
       if test "x$ac_old_val" != "x$ac_new_val"; then
-	{ echo "$as_me:$LINENO: error: \`$ac_var' has changed since the previous run:" >&5
-echo "$as_me: error: \`$ac_var' has changed since the previous run:" >&2;}
-	{ echo "$as_me:$LINENO:   former value:  $ac_old_val" >&5
-echo "$as_me:   former value:  $ac_old_val" >&2;}
-	{ echo "$as_me:$LINENO:   current value: $ac_new_val" >&5
-echo "$as_me:   current value: $ac_new_val" >&2;}
-	ac_cache_corrupted=:
+	# differences in whitespace do not lead to failure.
+	ac_old_val_w=`echo x $ac_old_val`
+	ac_new_val_w=`echo x $ac_new_val`
+	if test "$ac_old_val_w" != "$ac_new_val_w"; then
+	  { $as_echo "$as_me:$LINENO: error: \`$ac_var' has changed since the previous run:" >&5
+$as_echo "$as_me: error: \`$ac_var' has changed since the previous run:" >&2;}
+	  ac_cache_corrupted=:
+	else
+	  { $as_echo "$as_me:$LINENO: warning: ignoring whitespace changes in \`$ac_var' since the previous run:" >&5
+$as_echo "$as_me: warning: ignoring whitespace changes in \`$ac_var' since the previous run:" >&2;}
+	  eval $ac_var=\$ac_old_val
+	fi
+	{ $as_echo "$as_me:$LINENO:   former value:  \`$ac_old_val'" >&5
+$as_echo "$as_me:   former value:  \`$ac_old_val'" >&2;}
+	{ $as_echo "$as_me:$LINENO:   current value: \`$ac_new_val'" >&5
+$as_echo "$as_me:   current value: \`$ac_new_val'" >&2;}
       fi;;
   esac
   # Pass precious variables to config.status.
   if test "$ac_new_set" = set; then
     case $ac_new_val in
-    *\'*) ac_arg=$ac_var=`echo "$ac_new_val" | sed "s/'/'\\\\\\\\''/g"` ;;
+    *\'*) ac_arg=$ac_var=`$as_echo "$ac_new_val" | sed "s/'/'\\\\\\\\''/g"` ;;
     *) ac_arg=$ac_var=$ac_new_val ;;
     esac
     case " $ac_configure_args " in
@@ -2189,10 +2402,12 @@ echo "$as_me:   current value: $ac_new_val" >&2;}
   fi
 done
 if $ac_cache_corrupted; then
-  { echo "$as_me:$LINENO: error: changes in the environment can compromise the build" >&5
-echo "$as_me: error: changes in the environment can compromise the build" >&2;}
-  { { echo "$as_me:$LINENO: error: run \`make distclean' and/or \`rm $cache_file' and start over" >&5
-echo "$as_me: error: run \`make distclean' and/or \`rm $cache_file' and start over" >&2;}
+  { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+  { $as_echo "$as_me:$LINENO: error: changes in the environment can compromise the build" >&5
+$as_echo "$as_me: error: changes in the environment can compromise the build" >&2;}
+  { { $as_echo "$as_me:$LINENO: error: run \`make distclean' and/or \`rm $cache_file' and start over" >&5
+$as_echo "$as_me: error: run \`make distclean' and/or \`rm $cache_file' and start over" >&2;}
    { (exit 1); exit 1; }; }
 fi
 
@@ -2246,8 +2461,8 @@ for ac_dir in "$srcdir" "$srcdir/.." "$srcdir/../.."; do
   fi
 done
 if test -z "$ac_aux_dir"; then
-  { { echo "$as_me:$LINENO: error: cannot find install-sh or install.sh in \"$srcdir\" \"$srcdir/..\" \"$srcdir/../..\"" >&5
-echo "$as_me: error: cannot find install-sh or install.sh in \"$srcdir\" \"$srcdir/..\" \"$srcdir/../..\"" >&2;}
+  { { $as_echo "$as_me:$LINENO: error: cannot find install-sh or install.sh in \"$srcdir\" \"$srcdir/..\" \"$srcdir/../..\"" >&5
+$as_echo "$as_me: error: cannot find install-sh or install.sh in \"$srcdir\" \"$srcdir/..\" \"$srcdir/../..\"" >&2;}
    { (exit 1); exit 1; }; }
 fi
 
@@ -2273,11 +2488,12 @@ ac_configure="$SHELL $ac_aux_dir/configure"  # Please don't use this var.
 # SVR4 /usr/ucb/install, which tries to use the nonexistent group "staff"
 # OS/2's system install, which has a completely different semantic
 # ./install, which can be erroneously created by make from ./install.sh.
-{ echo "$as_me:$LINENO: checking for a BSD-compatible install" >&5
-echo $ECHO_N "checking for a BSD-compatible install... $ECHO_C" >&6; }
+# Reject install programs that cannot install multiple files.
+{ $as_echo "$as_me:$LINENO: checking for a BSD-compatible install" >&5
+$as_echo_n "checking for a BSD-compatible install... " >&6; }
 if test -z "$INSTALL"; then
 if test "${ac_cv_path_install+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 else
   as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
 for as_dir in $PATH
@@ -2306,17 +2522,29 @@ case $as_dir/ in
 	    # program-specific install script used by HP pwplus--don't use.
 	    :
 	  else
-	    ac_cv_path_install="$as_dir/$ac_prog$ac_exec_ext -c"
-	    break 3
+	    rm -rf conftest.one conftest.two conftest.dir
+	    echo one > conftest.one
+	    echo two > conftest.two
+	    mkdir conftest.dir
+	    if "$as_dir/$ac_prog$ac_exec_ext" -c conftest.one conftest.two "`pwd`/conftest.dir" &&
+	      test -s conftest.one && test -s conftest.two &&
+	      test -s conftest.dir/conftest.one &&
+	      test -s conftest.dir/conftest.two
+	    then
+	      ac_cv_path_install="$as_dir/$ac_prog$ac_exec_ext -c"
+	      break 3
+	    fi
 	  fi
 	fi
       done
     done
     ;;
 esac
+
 done
 IFS=$as_save_IFS
 
+rm -rf conftest.one conftest.two conftest.dir
 
 fi
   if test "${ac_cv_path_install+set}" = set; then
@@ -2329,8 +2557,8 @@ fi
     INSTALL=$ac_install_sh
   fi
 fi
-{ echo "$as_me:$LINENO: result: $INSTALL" >&5
-echo "${ECHO_T}$INSTALL" >&6; }
+{ $as_echo "$as_me:$LINENO: result: $INSTALL" >&5
+$as_echo "$INSTALL" >&6; }
 
 # Use test -z because SunOS4 sh mishandles braces in ${var-val}.
 # It thinks the first close brace ends the variable substitution.
@@ -2340,8 +2568,8 @@ test -z "$INSTALL_SCRIPT" && INSTALL_SCRIPT='${INSTALL}'
 
 test -z "$INSTALL_DATA" && INSTALL_DATA='${INSTALL} -m 644'
 
-{ echo "$as_me:$LINENO: checking whether build environment is sane" >&5
-echo $ECHO_N "checking whether build environment is sane... $ECHO_C" >&6; }
+{ $as_echo "$as_me:$LINENO: checking whether build environment is sane" >&5
+$as_echo_n "checking whether build environment is sane... " >&6; }
 # Just in case
 sleep 1
 echo timestamp > conftest.file
@@ -2364,9 +2592,9 @@ if (
       # if, for instance, CONFIG_SHELL is bash and it inherits a
       # broken ls alias from the environment.  This has actually
       # happened.  Such a system could not be considered "sane".
-      { { echo "$as_me:$LINENO: error: ls -t appears to fail.  Make sure there is not a broken
+      { { $as_echo "$as_me:$LINENO: error: ls -t appears to fail.  Make sure there is not a broken
 alias in your environment" >&5
-echo "$as_me: error: ls -t appears to fail.  Make sure there is not a broken
+$as_echo "$as_me: error: ls -t appears to fail.  Make sure there is not a broken
 alias in your environment" >&2;}
    { (exit 1); exit 1; }; }
    fi
@@ -2377,26 +2605,23 @@ then
    # Ok.
    :
 else
-   { { echo "$as_me:$LINENO: error: newly created file is older than distributed files!
+   { { $as_echo "$as_me:$LINENO: error: newly created file is older than distributed files!
 Check your system clock" >&5
-echo "$as_me: error: newly created file is older than distributed files!
+$as_echo "$as_me: error: newly created file is older than distributed files!
 Check your system clock" >&2;}
    { (exit 1); exit 1; }; }
 fi
-{ echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6; }
+{ $as_echo "$as_me:$LINENO: result: yes" >&5
+$as_echo "yes" >&6; }
 test "$program_prefix" != NONE &&
   program_transform_name="s&^&$program_prefix&;$program_transform_name"
 # Use a double $ so make ignores it.
 test "$program_suffix" != NONE &&
   program_transform_name="s&\$&$program_suffix&;$program_transform_name"
-# Double any \ or $.  echo might interpret backslashes.
+# Double any \ or $.
 # By default was `s,x,x', remove it if useless.
-cat <<\_ACEOF >conftest.sed
-s/[\\$]/&&/g;s/;s,x,x,$//
-_ACEOF
-program_transform_name=`echo $program_transform_name | sed -f conftest.sed`
-rm -f conftest.sed
+ac_script='s/[\\$]/&&/g;s/;s,x,x,$//'
+program_transform_name=`$as_echo "$program_transform_name" | sed "$ac_script"`
 
 # expand $ac_aux_dir to an absolute path
 am_aux_dir=`cd $ac_aux_dir && pwd`
@@ -2407,15 +2632,15 @@ if eval "$MISSING --run true"; then
   am_missing_run="$MISSING --run "
 else
   am_missing_run=
-  { echo "$as_me:$LINENO: WARNING: \`missing' script is too old or missing" >&5
-echo "$as_me: WARNING: \`missing' script is too old or missing" >&2;}
+  { $as_echo "$as_me:$LINENO: WARNING: \`missing' script is too old or missing" >&5
+$as_echo "$as_me: WARNING: \`missing' script is too old or missing" >&2;}
 fi
 
-{ echo "$as_me:$LINENO: checking for a thread-safe mkdir -p" >&5
-echo $ECHO_N "checking for a thread-safe mkdir -p... $ECHO_C" >&6; }
+{ $as_echo "$as_me:$LINENO: checking for a thread-safe mkdir -p" >&5
+$as_echo_n "checking for a thread-safe mkdir -p... " >&6; }
 if test -z "$MKDIR_P"; then
   if test "${ac_cv_path_mkdir+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 else
   as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
 for as_dir in $PATH$PATH_SEPARATOR/opt/sfw/bin
@@ -2450,8 +2675,8 @@ fi
     MKDIR_P="$ac_install_sh -d"
   fi
 fi
-{ echo "$as_me:$LINENO: result: $MKDIR_P" >&5
-echo "${ECHO_T}$MKDIR_P" >&6; }
+{ $as_echo "$as_me:$LINENO: result: $MKDIR_P" >&5
+$as_echo "$MKDIR_P" >&6; }
 
 mkdir_p="$MKDIR_P"
 case $mkdir_p in
@@ -2463,10 +2688,10 @@ for ac_prog in gawk mawk nawk awk
 do
   # Extract the first word of "$ac_prog", so it can be a program name with args.
 set dummy $ac_prog; ac_word=$2
-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
 if test "${ac_cv_prog_AWK+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 else
   if test -n "$AWK"; then
   ac_cv_prog_AWK="$AWK" # Let the user override the test.
@@ -2479,7 +2704,7 @@ do
   for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_AWK="$ac_prog"
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
@@ -2490,22 +2715,23 @@ fi
 fi
 AWK=$ac_cv_prog_AWK
 if test -n "$AWK"; then
-  { echo "$as_me:$LINENO: result: $AWK" >&5
-echo "${ECHO_T}$AWK" >&6; }
+  { $as_echo "$as_me:$LINENO: result: $AWK" >&5
+$as_echo "$AWK" >&6; }
 else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
+  { $as_echo "$as_me:$LINENO: result: no" >&5
+$as_echo "no" >&6; }
 fi
 
 
   test -n "$AWK" && break
 done
 
-{ echo "$as_me:$LINENO: checking whether ${MAKE-make} sets \$(MAKE)" >&5
-echo $ECHO_N "checking whether ${MAKE-make} sets \$(MAKE)... $ECHO_C" >&6; }
-set x ${MAKE-make}; ac_make=`echo "$2" | sed 's/+/p/g; s/[^a-zA-Z0-9_]/_/g'`
+{ $as_echo "$as_me:$LINENO: checking whether ${MAKE-make} sets \$(MAKE)" >&5
+$as_echo_n "checking whether ${MAKE-make} sets \$(MAKE)... " >&6; }
+set x ${MAKE-make}
+ac_make=`$as_echo "$2" | sed 's/+/p/g; s/[^a-zA-Z0-9_]/_/g'`
 if { as_var=ac_cv_prog_make_${ac_make}_set; eval "test \"\${$as_var+set}\" = set"; }; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 else
   cat >conftest.make <<\_ACEOF
 SHELL = /bin/sh
@@ -2522,12 +2748,12 @@ esac
 rm -f conftest.make
 fi
 if eval test \$ac_cv_prog_make_${ac_make}_set = yes; then
-  { echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6; }
+  { $as_echo "$as_me:$LINENO: result: yes" >&5
+$as_echo "yes" >&6; }
   SET_MAKE=
 else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
+  { $as_echo "$as_me:$LINENO: result: no" >&5
+$as_echo "no" >&6; }
   SET_MAKE="MAKE=${MAKE-make}"
 fi
 
@@ -2546,8 +2772,8 @@ if test "`cd $srcdir && pwd`" != "`pwd`"; then
   am__isrc=' -I$(srcdir)'
   # test to see if srcdir already configured
   if test -f $srcdir/config.status; then
-    { { echo "$as_me:$LINENO: error: source directory already configured; run \"make distclean\" there first" >&5
-echo "$as_me: error: source directory already configured; run \"make distclean\" there first" >&2;}
+    { { $as_echo "$as_me:$LINENO: error: source directory already configured; run \"make distclean\" there first" >&5
+$as_echo "$as_me: error: source directory already configured; run \"make distclean\" there first" >&2;}
    { (exit 1); exit 1; }; }
   fi
 fi
@@ -2564,7 +2790,7 @@ fi
 
 # Define the identity of the package.
  PACKAGE='strongswan'
- VERSION='4.2.14'
+ VERSION='4.3.2'
 
 
 cat >>confdefs.h <<_ACEOF
@@ -2602,10 +2828,10 @@ if test "$cross_compiling" != no; then
   if test -n "$ac_tool_prefix"; then
   # Extract the first word of "${ac_tool_prefix}strip", so it can be a program name with args.
 set dummy ${ac_tool_prefix}strip; ac_word=$2
-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
 if test "${ac_cv_prog_STRIP+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 else
   if test -n "$STRIP"; then
   ac_cv_prog_STRIP="$STRIP" # Let the user override the test.
@@ -2618,7 +2844,7 @@ do
   for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_STRIP="${ac_tool_prefix}strip"
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
@@ -2629,11 +2855,11 @@ fi
 fi
 STRIP=$ac_cv_prog_STRIP
 if test -n "$STRIP"; then
-  { echo "$as_me:$LINENO: result: $STRIP" >&5
-echo "${ECHO_T}$STRIP" >&6; }
+  { $as_echo "$as_me:$LINENO: result: $STRIP" >&5
+$as_echo "$STRIP" >&6; }
 else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
+  { $as_echo "$as_me:$LINENO: result: no" >&5
+$as_echo "no" >&6; }
 fi
 
 
@@ -2642,10 +2868,10 @@ if test -z "$ac_cv_prog_STRIP"; then
   ac_ct_STRIP=$STRIP
   # Extract the first word of "strip", so it can be a program name with args.
 set dummy strip; ac_word=$2
-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
 if test "${ac_cv_prog_ac_ct_STRIP+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 else
   if test -n "$ac_ct_STRIP"; then
   ac_cv_prog_ac_ct_STRIP="$ac_ct_STRIP" # Let the user override the test.
@@ -2658,7 +2884,7 @@ do
   for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_ac_ct_STRIP="strip"
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
@@ -2669,11 +2895,11 @@ fi
 fi
 ac_ct_STRIP=$ac_cv_prog_ac_ct_STRIP
 if test -n "$ac_ct_STRIP"; then
-  { echo "$as_me:$LINENO: result: $ac_ct_STRIP" >&5
-echo "${ECHO_T}$ac_ct_STRIP" >&6; }
+  { $as_echo "$as_me:$LINENO: result: $ac_ct_STRIP" >&5
+$as_echo "$ac_ct_STRIP" >&6; }
 else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
+  { $as_echo "$as_me:$LINENO: result: no" >&5
+$as_echo "no" >&6; }
 fi
 
   if test "x$ac_ct_STRIP" = x; then
@@ -2681,12 +2907,8 @@ fi
   else
     case $cross_compiling:$ac_tool_warned in
 yes:)
-{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
-whose name does not start with the host triplet.  If you think this
-configuration is useful to you, please write to autoconf@gnu.org." >&5
-echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
-whose name does not start with the host triplet.  If you think this
-configuration is useful to you, please write to autoconf@gnu.org." >&2;}
+{ $as_echo "$as_me:$LINENO: WARNING: using cross tools not prefixed with host triplet" >&5
+$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;}
 ac_tool_warned=yes ;;
 esac
     STRIP=$ac_ct_STRIP
@@ -2705,8 +2927,8 @@ INSTALL_STRIP_PROGRAM="\$(install_sh) -c -s"
 AMTAR=${AMTAR-"${am_missing_run}tar"}
 
 
-{ echo "$as_me:$LINENO: checking how to create a ustar tar archive" >&5
-echo $ECHO_N "checking how to create a ustar tar archive... $ECHO_C" >&6; }
+{ $as_echo "$as_me:$LINENO: checking how to create a ustar tar archive" >&5
+$as_echo_n "checking how to create a ustar tar archive... " >&6; }
 # Loop over all known methods to create a tar archive until one works.
 _am_tools='gnutar plaintar pax cpio none'
 _am_tools=${am_cv_prog_tar_ustar-$_am_tools}
@@ -2779,2957 +3001,3187 @@ done
 rm -rf conftest.dir
 
 if test "${am_cv_prog_tar_ustar+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 else
   am_cv_prog_tar_ustar=$_am_tool
 fi
 
-{ echo "$as_me:$LINENO: result: $am_cv_prog_tar_ustar" >&5
-echo "${ECHO_T}$am_cv_prog_tar_ustar" >&6; }
+{ $as_echo "$as_me:$LINENO: result: $am_cv_prog_tar_ustar" >&5
+$as_echo "$am_cv_prog_tar_ustar" >&6; }
 
 
 
 
 
-
-DEPDIR="${am__leading_dot}deps"
-
-ac_config_commands="$ac_config_commands depfiles"
-
-
-am_make=${MAKE-make}
-cat > confinc << 'END'
-am__doit:
-	@echo done
-.PHONY: am__doit
-END
-# If we don't find an include directive, just comment out the code.
-{ echo "$as_me:$LINENO: checking for style of include used by $am_make" >&5
-echo $ECHO_N "checking for style of include used by $am_make... $ECHO_C" >&6; }
-am__include="#"
-am__quote=
-_am_result=none
-# First try GNU make style include.
-echo "include confinc" > confmf
-# We grep out `Entering directory' and `Leaving directory'
-# messages which can occur if `w' ends up in MAKEFLAGS.
-# In particular we don't look at `^make:' because GNU make might
-# be invoked under some other name (usually "gmake"), in which
-# case it prints its new name instead of `make'.
-if test "`$am_make -s -f confmf 2> /dev/null | grep -v 'ing directory'`" = "done"; then
-   am__include=include
-   am__quote=
-   _am_result=GNU
-fi
-# Now try BSD make style include.
-if test "$am__include" = "#"; then
-   echo '.include "confinc"' > confmf
-   if test "`$am_make -s -f confmf 2> /dev/null`" = "done"; then
-      am__include=.include
-      am__quote="\""
-      _am_result=BSD
-   fi
-fi
+confdir='${sysconfdir}'
 
 
-{ echo "$as_me:$LINENO: result: $_am_result" >&5
-echo "${ECHO_T}$_am_result" >&6; }
-rm -f confinc confmf
 
-# Check whether --enable-dependency-tracking was given.
-if test "${enable_dependency_tracking+set}" = set; then
-  enableval=$enable_dependency_tracking;
-fi
+if test "x$ac_cv_env_PKG_CONFIG_set" != "xset"; then
+	if test -n "$ac_tool_prefix"; then
+  # Extract the first word of "${ac_tool_prefix}pkg-config", so it can be a program name with args.
+set dummy ${ac_tool_prefix}pkg-config; ac_word=$2
+{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if test "${ac_cv_path_PKG_CONFIG+set}" = set; then
+  $as_echo_n "(cached) " >&6
+else
+  case $PKG_CONFIG in
+  [\\/]* | ?:[\\/]*)
+  ac_cv_path_PKG_CONFIG="$PKG_CONFIG" # Let the user override the test with a path.
+  ;;
+  *)
+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+  for ac_exec_ext in '' $ac_executable_extensions; do
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+    ac_cv_path_PKG_CONFIG="$as_dir/$ac_word$ac_exec_ext"
+    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+done
+IFS=$as_save_IFS
 
-if test "x$enable_dependency_tracking" != xno; then
-  am_depcomp="$ac_aux_dir/depcomp"
-  AMDEPBACKSLASH='\'
+  ;;
+esac
 fi
- if test "x$enable_dependency_tracking" != xno; then
-  AMDEP_TRUE=
-  AMDEP_FALSE='#'
+PKG_CONFIG=$ac_cv_path_PKG_CONFIG
+if test -n "$PKG_CONFIG"; then
+  { $as_echo "$as_me:$LINENO: result: $PKG_CONFIG" >&5
+$as_echo "$PKG_CONFIG" >&6; }
 else
-  AMDEP_TRUE='#'
-  AMDEP_FALSE=
+  { $as_echo "$as_me:$LINENO: result: no" >&5
+$as_echo "no" >&6; }
 fi
 
 
-ac_ext=c
-ac_cpp='$CPP $CPPFLAGS'
-ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
-ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
-ac_compiler_gnu=$ac_cv_c_compiler_gnu
-if test -n "$ac_tool_prefix"; then
-  # Extract the first word of "${ac_tool_prefix}gcc", so it can be a program name with args.
-set dummy ${ac_tool_prefix}gcc; ac_word=$2
-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
-if test "${ac_cv_prog_CC+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  if test -n "$CC"; then
-  ac_cv_prog_CC="$CC" # Let the user override the test.
+fi
+if test -z "$ac_cv_path_PKG_CONFIG"; then
+  ac_pt_PKG_CONFIG=$PKG_CONFIG
+  # Extract the first word of "pkg-config", so it can be a program name with args.
+set dummy pkg-config; ac_word=$2
+{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if test "${ac_cv_path_ac_pt_PKG_CONFIG+set}" = set; then
+  $as_echo_n "(cached) " >&6
 else
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+  case $ac_pt_PKG_CONFIG in
+  [\\/]* | ?:[\\/]*)
+  ac_cv_path_ac_pt_PKG_CONFIG="$ac_pt_PKG_CONFIG" # Let the user override the test with a path.
+  ;;
+  *)
+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
 for as_dir in $PATH
 do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
   for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-    ac_cv_prog_CC="${ac_tool_prefix}gcc"
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    ac_cv_path_ac_pt_PKG_CONFIG="$as_dir/$ac_word$ac_exec_ext"
+    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
 done
 IFS=$as_save_IFS
 
+  ;;
+esac
 fi
+ac_pt_PKG_CONFIG=$ac_cv_path_ac_pt_PKG_CONFIG
+if test -n "$ac_pt_PKG_CONFIG"; then
+  { $as_echo "$as_me:$LINENO: result: $ac_pt_PKG_CONFIG" >&5
+$as_echo "$ac_pt_PKG_CONFIG" >&6; }
+else
+  { $as_echo "$as_me:$LINENO: result: no" >&5
+$as_echo "no" >&6; }
 fi
-CC=$ac_cv_prog_CC
-if test -n "$CC"; then
-  { echo "$as_me:$LINENO: result: $CC" >&5
-echo "${ECHO_T}$CC" >&6; }
+
+  if test "x$ac_pt_PKG_CONFIG" = x; then
+    PKG_CONFIG=""
+  else
+    case $cross_compiling:$ac_tool_warned in
+yes:)
+{ $as_echo "$as_me:$LINENO: WARNING: using cross tools not prefixed with host triplet" >&5
+$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;}
+ac_tool_warned=yes ;;
+esac
+    PKG_CONFIG=$ac_pt_PKG_CONFIG
+  fi
+else
+  PKG_CONFIG="$ac_cv_path_PKG_CONFIG"
+fi
+
+fi
+if test -n "$PKG_CONFIG"; then
+	_pkg_min_version=0.9.0
+	{ $as_echo "$as_me:$LINENO: checking pkg-config is at least version $_pkg_min_version" >&5
+$as_echo_n "checking pkg-config is at least version $_pkg_min_version... " >&6; }
+	if $PKG_CONFIG --atleast-pkgconfig-version $_pkg_min_version; then
+		{ $as_echo "$as_me:$LINENO: result: yes" >&5
+$as_echo "yes" >&6; }
+	else
+		{ $as_echo "$as_me:$LINENO: result: no" >&5
+$as_echo "no" >&6; }
+		PKG_CONFIG=""
+	fi
+
+fi
+
+
+
+# Check whether --with-default-pkcs11 was given.
+if test "${with_default_pkcs11+set}" = set; then
+  withval=$with_default_pkcs11; cat >>confdefs.h <<_ACEOF
+#define PKCS11_DEFAULT_LIB "$withval"
+_ACEOF
+
+else
+  cat >>confdefs.h <<_ACEOF
+#define PKCS11_DEFAULT_LIB "/usr/lib/opensc-pkcs11.so"
+_ACEOF
+
+
+fi
+
+
+
+# Check whether --with-xauth-module was given.
+if test "${with_xauth_module+set}" = set; then
+  withval=$with_xauth_module; cat >>confdefs.h <<_ACEOF
+#define XAUTH_DEFAULT_LIB "$withval"
+_ACEOF
+
+fi
+
+
+
+# Check whether --with-random-device was given.
+if test "${with_random_device+set}" = set; then
+  withval=$with_random_device; cat >>confdefs.h <<_ACEOF
+#define DEV_RANDOM "$withval"
+_ACEOF
+
+else
+  cat >>confdefs.h <<_ACEOF
+#define DEV_RANDOM "/dev/random"
+_ACEOF
+
+
+fi
+
+
+# Check whether --with-resolv-conf was given.
+if test "${with_resolv_conf+set}" = set; then
+  withval=$with_resolv_conf; resolv_conf="$withval"
+
+else
+  resolv_conf="${sysconfdir}/resolv.conf"
+
+
+fi
+
+
+
+# Check whether --with-strongswan-conf was given.
+if test "${with_strongswan_conf+set}" = set; then
+  withval=$with_strongswan_conf; strongswan_conf="$withval"
+
+else
+  strongswan_conf="${sysconfdir}/strongswan.conf"
+
+
+fi
+
+
+
+# Check whether --with-urandom-device was given.
+if test "${with_urandom_device+set}" = set; then
+  withval=$with_urandom_device; cat >>confdefs.h <<_ACEOF
+#define DEV_URANDOM "$withval"
+_ACEOF
+
 else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
+  cat >>confdefs.h <<_ACEOF
+#define DEV_URANDOM "/dev/urandom"
+_ACEOF
+
+
 fi
 
 
+
+# Check whether --with-piddir was given.
+if test "${with_piddir+set}" = set; then
+  withval=$with_piddir; piddir="$withval"
+
+else
+  piddir="/var/run"
+
+
 fi
-if test -z "$ac_cv_prog_CC"; then
-  ac_ct_CC=$CC
-  # Extract the first word of "gcc", so it can be a program name with args.
-set dummy gcc; ac_word=$2
-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
-if test "${ac_cv_prog_ac_ct_CC+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  if test -n "$ac_ct_CC"; then
-  ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test.
-else
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-    ac_cv_prog_ac_ct_CC="gcc"
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
-    break 2
-  fi
-done
-done
-IFS=$as_save_IFS
 
-fi
-fi
-ac_ct_CC=$ac_cv_prog_ac_ct_CC
-if test -n "$ac_ct_CC"; then
-  { echo "$as_me:$LINENO: result: $ac_ct_CC" >&5
-echo "${ECHO_T}$ac_ct_CC" >&6; }
+
+
+# Check whether --with-ipsecdir was given.
+if test "${with_ipsecdir+set}" = set; then
+  withval=$with_ipsecdir; ipsecdir="$withval"
+
 else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
+  ipsecdir="${libexecdir%/}/ipsec"
+
+
 fi
 
-  if test "x$ac_ct_CC" = x; then
-    CC=""
-  else
-    case $cross_compiling:$ac_tool_warned in
-yes:)
-{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
-whose name does not start with the host triplet.  If you think this
-configuration is useful to you, please write to autoconf@gnu.org." >&5
-echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
-whose name does not start with the host triplet.  If you think this
-configuration is useful to you, please write to autoconf@gnu.org." >&2;}
-ac_tool_warned=yes ;;
-esac
-    CC=$ac_ct_CC
-  fi
+plugindir="${ipsecdir%/}/plugins"
+
+
+
+# Check whether --with-plugindir was given.
+if test "${with_plugindir+set}" = set; then
+  withval=$with_plugindir; plugindir="$withval"
+
 else
-  CC="$ac_cv_prog_CC"
+  plugindir="${ipsecdir%/}/plugins"
+
+
 fi
 
-if test -z "$CC"; then
-          if test -n "$ac_tool_prefix"; then
-    # Extract the first word of "${ac_tool_prefix}cc", so it can be a program name with args.
-set dummy ${ac_tool_prefix}cc; ac_word=$2
-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
-if test "${ac_cv_prog_CC+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  if test -n "$CC"; then
-  ac_cv_prog_CC="$CC" # Let the user override the test.
+
+
+# Check whether --with-sim-reader was given.
+if test "${with_sim_reader+set}" = set; then
+  withval=$with_sim_reader; simreader="$withval"
+
 else
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-    ac_cv_prog_CC="${ac_tool_prefix}cc"
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
-    break 2
-  fi
-done
-done
-IFS=$as_save_IFS
+  simreader="${plugindir%/}/libeapsim-file.so"
+
 
 fi
-fi
-CC=$ac_cv_prog_CC
-if test -n "$CC"; then
-  { echo "$as_me:$LINENO: result: $CC" >&5
-echo "${ECHO_T}$CC" >&6; }
+
+
+
+# Check whether --with-linux-headers was given.
+if test "${with_linux_headers+set}" = set; then
+  withval=$with_linux_headers; linuxdir="$withval"
+
 else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
-fi
+  linuxdir="\${top_srcdir}/src/include"
 
 
-  fi
 fi
-if test -z "$CC"; then
-  # Extract the first word of "cc", so it can be a program name with args.
-set dummy cc; ac_word=$2
-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
-if test "${ac_cv_prog_CC+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  if test -n "$CC"; then
-  ac_cv_prog_CC="$CC" # Let the user override the test.
+
+
+
+
+# Check whether --with-routing-table was given.
+if test "${with_routing_table+set}" = set; then
+  withval=$with_routing_table; cat >>confdefs.h <<_ACEOF
+#define IPSEC_ROUTING_TABLE $withval
+_ACEOF
+ IPSEC_ROUTING_TABLE="$withval"
+
 else
-  ac_prog_rejected=no
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-    if test "$as_dir/$ac_word$ac_exec_ext" = "/usr/ucb/cc"; then
-       ac_prog_rejected=yes
-       continue
-     fi
-    ac_cv_prog_CC="cc"
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
-    break 2
-  fi
-done
-done
-IFS=$as_save_IFS
+  cat >>confdefs.h <<_ACEOF
+#define IPSEC_ROUTING_TABLE 220
+_ACEOF
+ IPSEC_ROUTING_TABLE="220"
+
 
-if test $ac_prog_rejected = yes; then
-  # We found a bogon in the path, so make sure we never use it.
-  set dummy $ac_cv_prog_CC
-  shift
-  if test $# != 0; then
-    # We chose a different compiler from the bogus one.
-    # However, it has the same basename, so the bogon will be chosen
-    # first if we set CC to just the basename; use the full file name.
-    shift
-    ac_cv_prog_CC="$as_dir/$ac_word${1+' '}$@"
-  fi
-fi
-fi
 fi
-CC=$ac_cv_prog_CC
-if test -n "$CC"; then
-  { echo "$as_me:$LINENO: result: $CC" >&5
-echo "${ECHO_T}$CC" >&6; }
+
+
+
+# Check whether --with-routing-table-prio was given.
+if test "${with_routing_table_prio+set}" = set; then
+  withval=$with_routing_table_prio; cat >>confdefs.h <<_ACEOF
+#define IPSEC_ROUTING_TABLE_PRIO $withval
+_ACEOF
+ IPSEC_ROUTING_TABLE_PRIO="$withval"
+
 else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
-fi
+  cat >>confdefs.h <<_ACEOF
+#define IPSEC_ROUTING_TABLE_PRIO 220
+_ACEOF
+ IPSEC_ROUTING_TABLE_PRIO="220"
 
 
 fi
-if test -z "$CC"; then
-  if test -n "$ac_tool_prefix"; then
-  for ac_prog in cl.exe
-  do
-    # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args.
-set dummy $ac_tool_prefix$ac_prog; ac_word=$2
-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
-if test "${ac_cv_prog_CC+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  if test -n "$CC"; then
-  ac_cv_prog_CC="$CC" # Let the user override the test.
-else
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-    ac_cv_prog_CC="$ac_tool_prefix$ac_prog"
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
-    break 2
-  fi
-done
-done
-IFS=$as_save_IFS
+
+
+
+# Check whether --with-uid was given.
+if test "${with_uid+set}" = set; then
+  withval=$with_uid; { { $as_echo "$as_me:$LINENO: error: --with-uid is gone, use --with-user instead!" >&5
+$as_echo "$as_me: error: --with-uid is gone, use --with-user instead!" >&2;}
+   { (exit 1); exit 1; }; }
 
 fi
+
+
+
+# Check whether --with-gid was given.
+if test "${with_gid+set}" = set; then
+  withval=$with_gid; { { $as_echo "$as_me:$LINENO: error: --with-gid is gone, use --with-group instead!" >&5
+$as_echo "$as_me: error: --with-gid is gone, use --with-group instead!" >&2;}
+   { (exit 1); exit 1; }; }
+
 fi
-CC=$ac_cv_prog_CC
-if test -n "$CC"; then
-  { echo "$as_me:$LINENO: result: $CC" >&5
-echo "${ECHO_T}$CC" >&6; }
+
+
+
+# Check whether --with-user was given.
+if test "${with_user+set}" = set; then
+  withval=$with_user; cat >>confdefs.h <<_ACEOF
+#define IPSEC_USER "$withval"
+_ACEOF
+ ipsecuser="$withval"
+
 else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
-fi
+  ipsecuser="root"
 
 
-    test -n "$CC" && break
-  done
 fi
-if test -z "$CC"; then
-  ac_ct_CC=$CC
-  for ac_prog in cl.exe
-do
-  # Extract the first word of "$ac_prog", so it can be a program name with args.
-set dummy $ac_prog; ac_word=$2
-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
-if test "${ac_cv_prog_ac_ct_CC+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  if test -n "$ac_ct_CC"; then
-  ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test.
-else
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-    ac_cv_prog_ac_ct_CC="$ac_prog"
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
-    break 2
-  fi
-done
-done
-IFS=$as_save_IFS
+
+
+
+# Check whether --with-group was given.
+if test "${with_group+set}" = set; then
+  withval=$with_group; cat >>confdefs.h <<_ACEOF
+#define IPSEC_GROUP "$withval"
+_ACEOF
+ ipsecgroup="$withval"
+
+else
+  ipsecgroup="root"
+
 
 fi
-fi
-ac_ct_CC=$ac_cv_prog_ac_ct_CC
-if test -n "$ac_ct_CC"; then
-  { echo "$as_me:$LINENO: result: $ac_ct_CC" >&5
-echo "${ECHO_T}$ac_ct_CC" >&6; }
+
+
+
+# Check whether --with-capabilities was given.
+if test "${with_capabilities+set}" = set; then
+  withval=$with_capabilities; capabilities="$withval"
 else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
+  capabilities=no
+
 fi
 
 
-  test -n "$ac_ct_CC" && break
-done
+# Check whether --enable-curl was given.
+if test "${enable_curl+set}" = set; then
+  enableval=$enable_curl; if test x$enableval = xyes; then
+		curl=true
+	fi
 
-  if test "x$ac_ct_CC" = x; then
-    CC=""
-  else
-    case $cross_compiling:$ac_tool_warned in
-yes:)
-{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
-whose name does not start with the host triplet.  If you think this
-configuration is useful to you, please write to autoconf@gnu.org." >&5
-echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
-whose name does not start with the host triplet.  If you think this
-configuration is useful to you, please write to autoconf@gnu.org." >&2;}
-ac_tool_warned=yes ;;
-esac
-    CC=$ac_ct_CC
-  fi
 fi
 
+
+# Check whether --enable-ldap was given.
+if test "${enable_ldap+set}" = set; then
+  enableval=$enable_ldap; if test x$enableval = xyes; then
+		ldap=true
+	fi
+
 fi
 
 
-test -z "$CC" && { { echo "$as_me:$LINENO: error: no acceptable C compiler found in \$PATH
-See \`config.log' for more details." >&5
-echo "$as_me: error: no acceptable C compiler found in \$PATH
-See \`config.log' for more details." >&2;}
-   { (exit 1); exit 1; }; }
+# Check whether --enable-aes was given.
+if test "${enable_aes+set}" = set; then
+  enableval=$enable_aes; if test x$enableval = xyes; then
+		aes=true
+	 else
+		aes=false
+	fi
+else
+  aes=true
 
-# Provide some information about the compiler.
-echo "$as_me:$LINENO: checking for C compiler version" >&5
-ac_compiler=`set X $ac_compile; echo $2`
-{ (ac_try="$ac_compiler --version >&5"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_compiler --version >&5") 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }
-{ (ac_try="$ac_compiler -v >&5"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_compiler -v >&5") 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }
-{ (ac_try="$ac_compiler -V >&5"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_compiler -V >&5") 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }
+fi
 
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 
-int
-main ()
-{
+# Check whether --enable-des was given.
+if test "${enable_des+set}" = set; then
+  enableval=$enable_des; if test x$enableval = xyes; then
+		des=true
+	 else
+		des=false
+	fi
+else
+  des=true
 
-  ;
-  return 0;
-}
-_ACEOF
-ac_clean_files_save=$ac_clean_files
-ac_clean_files="$ac_clean_files a.out a.exe b.out"
-# Try to create an executable without -o first, disregard a.out.
-# It will help us diagnose broken compilers, and finding out an intuition
-# of exeext.
-{ echo "$as_me:$LINENO: checking for C compiler default output file name" >&5
-echo $ECHO_N "checking for C compiler default output file name... $ECHO_C" >&6; }
-ac_link_default=`echo "$ac_link" | sed 's/ -o *conftest[^ ]*//'`
-#
-# List of possible output files, starting from the most likely.
-# The algorithm is not robust to junk in `.', hence go to wildcards (a.*)
-# only as a last resort.  b.out is created by i960 compilers.
-ac_files='a_out.exe a.exe conftest.exe a.out conftest a.* conftest.* b.out'
-#
-# The IRIX 6 linker writes into existing files which may not be
-# executable, retaining their permissions.  Remove them first so a
-# subsequent execution test works.
-ac_rmfiles=
-for ac_file in $ac_files
-do
-  case $ac_file in
-    *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.o | *.obj ) ;;
-    * ) ac_rmfiles="$ac_rmfiles $ac_file";;
-  esac
-done
-rm -f $ac_rmfiles
+fi
 
-if { (ac_try="$ac_link_default"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_link_default") 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; then
-  # Autoconf-2.13 could set the ac_cv_exeext variable to `no'.
-# So ignore a value of `no', otherwise this would lead to `EXEEXT = no'
-# in a Makefile.  We should not override ac_cv_exeext if it was cached,
-# so that the user can short-circuit this test for compilers unknown to
-# Autoconf.
-for ac_file in $ac_files ''
-do
-  test -f "$ac_file" || continue
-  case $ac_file in
-    *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.o | *.obj )
-	;;
-    [ab].out )
-	# We found the default executable, but exeext='' is most
-	# certainly right.
-	break;;
-    *.* )
-        if test "${ac_cv_exeext+set}" = set && test "$ac_cv_exeext" != no;
-	then :; else
-	   ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'`
+
+# Check whether --enable-blowfish was given.
+if test "${enable_blowfish+set}" = set; then
+  enableval=$enable_blowfish; if test x$enableval = xyes; then
+		blowfish=true
 	fi
-	# We set ac_cv_exeext here because the later test for it is not
-	# safe: cross compilers may not add the suffix if given an `-o'
-	# argument, so we may need to know it at that point already.
-	# Even if this section looks crufty: it has the advantage of
-	# actually working.
-	break;;
-    * )
-	break;;
-  esac
-done
-test "$ac_cv_exeext" = no && ac_cv_exeext=
 
-else
-  ac_file=''
 fi
 
-{ echo "$as_me:$LINENO: result: $ac_file" >&5
-echo "${ECHO_T}$ac_file" >&6; }
-if test -z "$ac_file"; then
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
 
-{ { echo "$as_me:$LINENO: error: C compiler cannot create executables
-See \`config.log' for more details." >&5
-echo "$as_me: error: C compiler cannot create executables
-See \`config.log' for more details." >&2;}
-   { (exit 77); exit 77; }; }
+# Check whether --enable-md4 was given.
+if test "${enable_md4+set}" = set; then
+  enableval=$enable_md4; if test x$enableval = xyes; then
+		md4=true
+	fi
+
 fi
 
-ac_exeext=$ac_cv_exeext
 
-# Check that the compiler produces executables we can run.  If not, either
-# the compiler is broken, or we cross compile.
-{ echo "$as_me:$LINENO: checking whether the C compiler works" >&5
-echo $ECHO_N "checking whether the C compiler works... $ECHO_C" >&6; }
-# FIXME: These cross compiler hacks should be removed for Autoconf 3.0
-# If not cross compiling, check that we can run a simple program.
-if test "$cross_compiling" != yes; then
-  if { ac_try='./$ac_file'
-  { (case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_try") 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-    cross_compiling=no
-  else
-    if test "$cross_compiling" = maybe; then
-	cross_compiling=yes
-    else
-	{ { echo "$as_me:$LINENO: error: cannot run C compiled programs.
-If you meant to cross compile, use \`--host'.
-See \`config.log' for more details." >&5
-echo "$as_me: error: cannot run C compiled programs.
-If you meant to cross compile, use \`--host'.
-See \`config.log' for more details." >&2;}
-   { (exit 1); exit 1; }; }
-    fi
-  fi
+# Check whether --enable-md5 was given.
+if test "${enable_md5+set}" = set; then
+  enableval=$enable_md5; if test x$enableval = xyes; then
+		md5=true
+	 else
+		md5=false
+	fi
+else
+  md5=true
+
 fi
-{ echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6; }
 
-rm -f a.out a.exe conftest$ac_cv_exeext b.out
-ac_clean_files=$ac_clean_files_save
-# Check that the compiler produces executables we can run.  If not, either
-# the compiler is broken, or we cross compile.
-{ echo "$as_me:$LINENO: checking whether we are cross compiling" >&5
-echo $ECHO_N "checking whether we are cross compiling... $ECHO_C" >&6; }
-{ echo "$as_me:$LINENO: result: $cross_compiling" >&5
-echo "${ECHO_T}$cross_compiling" >&6; }
 
-{ echo "$as_me:$LINENO: checking for suffix of executables" >&5
-echo $ECHO_N "checking for suffix of executables... $ECHO_C" >&6; }
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_link") 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; then
-  # If both `conftest.exe' and `conftest' are `present' (well, observable)
-# catch `conftest.exe'.  For instance with Cygwin, `ls conftest' will
-# work properly (i.e., refer to `conftest.exe'), while it won't with
-# `rm'.
-for ac_file in conftest.exe conftest conftest.*; do
-  test -f "$ac_file" || continue
-  case $ac_file in
-    *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.o | *.obj ) ;;
-    *.* ) ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'`
-	  break;;
-    * ) break;;
-  esac
-done
+# Check whether --enable-sha1 was given.
+if test "${enable_sha1+set}" = set; then
+  enableval=$enable_sha1; if test x$enableval = xyes; then
+		sha1=true
+	 else
+		sha1=false
+	fi
 else
-  { { echo "$as_me:$LINENO: error: cannot compute suffix of executables: cannot compile and link
-See \`config.log' for more details." >&5
-echo "$as_me: error: cannot compute suffix of executables: cannot compile and link
-See \`config.log' for more details." >&2;}
-   { (exit 1); exit 1; }; }
+  sha1=true
+
+fi
+
+
+# Check whether --enable-sha2 was given.
+if test "${enable_sha2+set}" = set; then
+  enableval=$enable_sha2; if test x$enableval = xyes; then
+		sha2=true
+	 else
+		sha2=false
+	fi
+else
+  sha2=true
+
+fi
+
+
+# Check whether --enable-fips-prf was given.
+if test "${enable_fips_prf+set}" = set; then
+  enableval=$enable_fips_prf; if test x$enableval = xyes; then
+		fips_prf=true
+	 else
+		fips_prf=false
+	fi
+else
+  fips_prf=true
+
 fi
 
-rm -f conftest$ac_cv_exeext
-{ echo "$as_me:$LINENO: result: $ac_cv_exeext" >&5
-echo "${ECHO_T}$ac_cv_exeext" >&6; }
 
-rm -f conftest.$ac_ext
-EXEEXT=$ac_cv_exeext
-ac_exeext=$EXEEXT
-{ echo "$as_me:$LINENO: checking for suffix of object files" >&5
-echo $ECHO_N "checking for suffix of object files... $ECHO_C" >&6; }
-if test "${ac_cv_objext+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+# Check whether --enable-gmp was given.
+if test "${enable_gmp+set}" = set; then
+  enableval=$enable_gmp; if test x$enableval = xyes; then
+		gmp=true
+	 else
+		gmp=false
+	fi
 else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
+  gmp=true
 
-int
-main ()
-{
+fi
 
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.o conftest.obj
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_compile") 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; then
-  for ac_file in conftest.o conftest.obj conftest.*; do
-  test -f "$ac_file" || continue;
-  case $ac_file in
-    *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf ) ;;
-    *) ac_cv_objext=`expr "$ac_file" : '.*\.\(.*\)'`
-       break;;
-  esac
-done
+
+# Check whether --enable-random was given.
+if test "${enable_random+set}" = set; then
+  enableval=$enable_random; if test x$enableval = xyes; then
+		random=true
+	 else
+		random=false
+	fi
 else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+  random=true
 
-{ { echo "$as_me:$LINENO: error: cannot compute suffix of object files: cannot compile
-See \`config.log' for more details." >&5
-echo "$as_me: error: cannot compute suffix of object files: cannot compile
-See \`config.log' for more details." >&2;}
-   { (exit 1); exit 1; }; }
 fi
 
-rm -f conftest.$ac_cv_objext conftest.$ac_ext
-fi
-{ echo "$as_me:$LINENO: result: $ac_cv_objext" >&5
-echo "${ECHO_T}$ac_cv_objext" >&6; }
-OBJEXT=$ac_cv_objext
-ac_objext=$OBJEXT
-{ echo "$as_me:$LINENO: checking whether we are using the GNU C compiler" >&5
-echo $ECHO_N "checking whether we are using the GNU C compiler... $ECHO_C" >&6; }
-if test "${ac_cv_c_compiler_gnu+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+
+# Check whether --enable-x509 was given.
+if test "${enable_x509+set}" = set; then
+  enableval=$enable_x509; if test x$enableval = xyes; then
+		x509=true
+	 else
+		x509=false
+	fi
 else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
+  x509=true
 
-int
-main ()
-{
-#ifndef __GNUC__
-       choke me
-#endif
+fi
 
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  ac_compiler_gnu=yes
+
+# Check whether --enable-pubkey was given.
+if test "${enable_pubkey+set}" = set; then
+  enableval=$enable_pubkey; if test x$enableval = xyes; then
+		pubkey=true
+	 else
+		pubkey=false
+	fi
 else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+  pubkey=true
 
-	ac_compiler_gnu=no
 fi
 
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-ac_cv_c_compiler_gnu=$ac_compiler_gnu
 
-fi
-{ echo "$as_me:$LINENO: result: $ac_cv_c_compiler_gnu" >&5
-echo "${ECHO_T}$ac_cv_c_compiler_gnu" >&6; }
-GCC=`test $ac_compiler_gnu = yes && echo yes`
-ac_test_CFLAGS=${CFLAGS+set}
-ac_save_CFLAGS=$CFLAGS
-{ echo "$as_me:$LINENO: checking whether $CC accepts -g" >&5
-echo $ECHO_N "checking whether $CC accepts -g... $ECHO_C" >&6; }
-if test "${ac_cv_prog_cc_g+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+# Check whether --enable-hmac was given.
+if test "${enable_hmac+set}" = set; then
+  enableval=$enable_hmac; if test x$enableval = xyes; then
+		hmac=true
+	 else
+		hmac=false
+	fi
 else
-  ac_save_c_werror_flag=$ac_c_werror_flag
-   ac_c_werror_flag=yes
-   ac_cv_prog_cc_g=no
-   CFLAGS="-g"
-   cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
+  hmac=true
 
-int
-main ()
-{
+fi
 
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  ac_cv_prog_cc_g=yes
+
+# Check whether --enable-xcbc was given.
+if test "${enable_xcbc+set}" = set; then
+  enableval=$enable_xcbc; if test x$enableval = xyes; then
+		xcbc=true
+	 else
+		xcbc=false
+	fi
 else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+  xcbc=true
 
-	CFLAGS=""
-      cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
+fi
 
-int
-main ()
-{
 
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  :
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+# Check whether --enable-test-vectors was given.
+if test "${enable_test_vectors+set}" = set; then
+  enableval=$enable_test_vectors; if test x$enableval = xyes; then
+		test_vectors=true
+	fi
 
-	ac_c_werror_flag=$ac_save_c_werror_flag
-	 CFLAGS="-g"
-	 cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
+fi
 
-int
-main ()
-{
 
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  ac_cv_prog_cc_g=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+# Check whether --enable-mysql was given.
+if test "${enable_mysql+set}" = set; then
+  enableval=$enable_mysql; if test x$enableval = xyes; then
+		mysql=true
+	fi
 
+fi
+
+
+# Check whether --enable-sqlite was given.
+if test "${enable_sqlite+set}" = set; then
+  enableval=$enable_sqlite; if test x$enableval = xyes; then
+		sqlite=true
+	fi
 
 fi
 
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-fi
 
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+# Check whether --enable-stroke was given.
+if test "${enable_stroke+set}" = set; then
+  enableval=$enable_stroke; if test x$enableval = xyes; then
+		stroke=true
+	 else
+		stroke=false
+	fi
+else
+  stroke=true
+
 fi
 
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-   ac_c_werror_flag=$ac_save_c_werror_flag
+
+# Check whether --enable-medsrv was given.
+if test "${enable_medsrv+set}" = set; then
+  enableval=$enable_medsrv; if test x$enableval = xyes; then
+		medsrv=true
+	fi
+
 fi
-{ echo "$as_me:$LINENO: result: $ac_cv_prog_cc_g" >&5
-echo "${ECHO_T}$ac_cv_prog_cc_g" >&6; }
-if test "$ac_test_CFLAGS" = set; then
-  CFLAGS=$ac_save_CFLAGS
-elif test $ac_cv_prog_cc_g = yes; then
-  if test "$GCC" = yes; then
-    CFLAGS="-g -O2"
-  else
-    CFLAGS="-g"
-  fi
-else
-  if test "$GCC" = yes; then
-    CFLAGS="-O2"
-  else
-    CFLAGS=
-  fi
+
+
+# Check whether --enable-medcli was given.
+if test "${enable_medcli+set}" = set; then
+  enableval=$enable_medcli; if test x$enableval = xyes; then
+		medcli=true
+	fi
+
 fi
-{ echo "$as_me:$LINENO: checking for $CC option to accept ISO C89" >&5
-echo $ECHO_N "checking for $CC option to accept ISO C89... $ECHO_C" >&6; }
-if test "${ac_cv_prog_cc_c89+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  ac_cv_prog_cc_c89=no
-ac_save_CC=$CC
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#include <stdarg.h>
-#include <stdio.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-/* Most of the following tests are stolen from RCS 5.7's src/conf.sh.  */
-struct buf { int x; };
-FILE * (*rcsopen) (struct buf *, struct stat *, int);
-static char *e (p, i)
-     char **p;
-     int i;
-{
-  return p[i];
-}
-static char *f (char * (*g) (char **, int), char **p, ...)
-{
-  char *s;
-  va_list v;
-  va_start (v,p);
-  s = g (p, va_arg (v,int));
-  va_end (v);
-  return s;
-}
 
-/* OSF 4.0 Compaq cc is some sort of almost-ANSI by default.  It has
-   function prototypes and stuff, but not '\xHH' hex character constants.
-   These don't provoke an error unfortunately, instead are silently treated
-   as 'x'.  The following induces an error, until -std is added to get
-   proper ANSI mode.  Curiously '\x00'!='x' always comes out true, for an
-   array size at least.  It's necessary to write '\x00'==0 to get something
-   that's true only with -std.  */
-int osf4_cc_array ['\x00' == 0 ? 1 : -1];
 
-/* IBM C 6 for AIX is almost-ANSI by default, but it replaces macro parameters
-   inside strings and character constants.  */
-#define FOO(x) 'x'
-int xlc6_cc_array[FOO(a) == 'x' ? 1 : -1];
+# Check whether --enable-smp was given.
+if test "${enable_smp+set}" = set; then
+  enableval=$enable_smp; if test x$enableval = xyes; then
+		smp=true
+	fi
 
-int test (int i, double x);
-struct s1 {int (*f) (int a);};
-struct s2 {int (*f) (double a);};
-int pairnames (int, char **, FILE *(*)(struct buf *, struct stat *, int), int, int);
-int argc;
-char **argv;
-int
-main ()
-{
-return f (e, argv, 0) != argv[0]  ||  f (e, argv, 1) != argv[1];
-  ;
-  return 0;
-}
-_ACEOF
-for ac_arg in '' -qlanglvl=extc89 -qlanglvl=ansi -std \
-	-Ae "-Aa -D_HPUX_SOURCE" "-Xc -D__EXTENSIONS__"
-do
-  CC="$ac_save_CC $ac_arg"
-  rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  ac_cv_prog_cc_c89=$ac_arg
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+fi
 
 
+# Check whether --enable-sql was given.
+if test "${enable_sql+set}" = set; then
+  enableval=$enable_sql; if test x$enableval = xyes; then
+		sql=true
+	fi
+
 fi
 
-rm -f core conftest.err conftest.$ac_objext
-  test "x$ac_cv_prog_cc_c89" != "xno" && break
-done
-rm -f conftest.$ac_ext
-CC=$ac_save_CC
+
+# Check whether --enable-smartcard was given.
+if test "${enable_smartcard+set}" = set; then
+  enableval=$enable_smartcard; if test x$enableval = xyes; then
+		smartcard=true
+	fi
 
 fi
-# AC_CACHE_VAL
-case "x$ac_cv_prog_cc_c89" in
-  x)
-    { echo "$as_me:$LINENO: result: none needed" >&5
-echo "${ECHO_T}none needed" >&6; } ;;
-  xno)
-    { echo "$as_me:$LINENO: result: unsupported" >&5
-echo "${ECHO_T}unsupported" >&6; } ;;
-  *)
-    CC="$CC $ac_cv_prog_cc_c89"
-    { echo "$as_me:$LINENO: result: $ac_cv_prog_cc_c89" >&5
-echo "${ECHO_T}$ac_cv_prog_cc_c89" >&6; } ;;
-esac
 
 
-ac_ext=c
-ac_cpp='$CPP $CPPFLAGS'
-ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
-ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
-ac_compiler_gnu=$ac_cv_c_compiler_gnu
+# Check whether --enable-cisco-quirks was given.
+if test "${enable_cisco_quirks+set}" = set; then
+  enableval=$enable_cisco_quirks; if test x$enableval = xyes; then
+		cisco_quirks=true
+	fi
 
-depcc="$CC"   am_compiler_list=
+fi
 
-{ echo "$as_me:$LINENO: checking dependency style of $depcc" >&5
-echo $ECHO_N "checking dependency style of $depcc... $ECHO_C" >&6; }
-if test "${am_cv_CC_dependencies_compiler_type+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  if test -z "$AMDEP_TRUE" && test -f "$am_depcomp"; then
-  # We make a subdir and do the tests there.  Otherwise we can end up
-  # making bogus files that we don't know about and never remove.  For
-  # instance it was reported that on HP-UX the gcc test will end up
-  # making a dummy file named `D' -- because `-MD' means `put the output
-  # in D'.
-  mkdir conftest.dir
-  # Copy depcomp to subdir because otherwise we won't find it if we're
-  # using a relative directory.
-  cp "$am_depcomp" conftest.dir
-  cd conftest.dir
-  # We will build objects and dependencies in a subdirectory because
-  # it helps to detect inapplicable dependency modes.  For instance
-  # both Tru64's cc and ICC support -MD to output dependencies as a
-  # side effect of compilation, but ICC will put the dependencies in
-  # the current directory while Tru64 will put them in the object
-  # directory.
-  mkdir sub
 
-  am_cv_CC_dependencies_compiler_type=none
-  if test "$am_compiler_list" = ""; then
-     am_compiler_list=`sed -n 's/^#*\([a-zA-Z0-9]*\))$/\1/p' < ./depcomp`
-  fi
-  for depmode in $am_compiler_list; do
-    # Setup a source with many dependencies, because some compilers
-    # like to wrap large dependency lists on column 80 (with \), and
-    # we should not choose a depcomp mode which is confused by this.
-    #
-    # We need to recreate these files for each test, as the compiler may
-    # overwrite some of them when testing with obscure command lines.
-    # This happens at least with the AIX C compiler.
-    : > sub/conftest.c
-    for i in 1 2 3 4 5 6; do
-      echo '#include "conftst'$i'.h"' >> sub/conftest.c
-      # Using `: > sub/conftst$i.h' creates only sub/conftst1.h with
-      # Solaris 8's {/usr,}/bin/sh.
-      touch sub/conftst$i.h
-    done
-    echo "${am__include} ${am__quote}sub/conftest.Po${am__quote}" > confmf
+# Check whether --enable-leak-detective was given.
+if test "${enable_leak_detective+set}" = set; then
+  enableval=$enable_leak_detective; if test x$enableval = xyes; then
+		leak_detective=true
+	fi
 
-    case $depmode in
-    nosideeffect)
-      # after this tag, mechanisms are not by side-effect, so they'll
-      # only be used when explicitly requested
-      if test "x$enable_dependency_tracking" = xyes; then
-	continue
-      else
-	break
-      fi
-      ;;
-    none) break ;;
-    esac
-    # We check with `-c' and `-o' for the sake of the "dashmstdout"
-    # mode.  It turns out that the SunPro C++ compiler does not properly
-    # handle `-M -o', and we need to detect this.
-    if depmode=$depmode \
-       source=sub/conftest.c object=sub/conftest.${OBJEXT-o} \
-       depfile=sub/conftest.Po tmpdepfile=sub/conftest.TPo \
-       $SHELL ./depcomp $depcc -c -o sub/conftest.${OBJEXT-o} sub/conftest.c \
-         >/dev/null 2>conftest.err &&
-       grep sub/conftst1.h sub/conftest.Po > /dev/null 2>&1 &&
-       grep sub/conftst6.h sub/conftest.Po > /dev/null 2>&1 &&
-       grep sub/conftest.${OBJEXT-o} sub/conftest.Po > /dev/null 2>&1 &&
-       ${MAKE-make} -s -f confmf > /dev/null 2>&1; then
-      # icc doesn't choke on unknown options, it will just issue warnings
-      # or remarks (even with -Werror).  So we grep stderr for any message
-      # that says an option was ignored or not supported.
-      # When given -MP, icc 7.0 and 7.1 complain thusly:
-      #   icc: Command line warning: ignoring option '-M'; no argument required
-      # The diagnosis changed in icc 8.0:
-      #   icc: Command line remark: option '-MP' not supported
-      if (grep 'ignoring option' conftest.err ||
-          grep 'not supported' conftest.err) >/dev/null 2>&1; then :; else
-        am_cv_CC_dependencies_compiler_type=$depmode
-        break
-      fi
-    fi
-  done
+fi
+
+
+# Check whether --enable-lock-profiler was given.
+if test "${enable_lock_profiler+set}" = set; then
+  enableval=$enable_lock_profiler; if test x$enableval = xyes; then
+		lock_profiler=true
+	fi
 
-  cd ..
-  rm -rf conftest.dir
-else
-  am_cv_CC_dependencies_compiler_type=none
 fi
 
+
+# Check whether --enable-unit-tests was given.
+if test "${enable_unit_tests+set}" = set; then
+  enableval=$enable_unit_tests; if test x$enableval = xyes; then
+		unittest=true
+	fi
+
 fi
-{ echo "$as_me:$LINENO: result: $am_cv_CC_dependencies_compiler_type" >&5
-echo "${ECHO_T}$am_cv_CC_dependencies_compiler_type" >&6; }
-CCDEPMODE=depmode=$am_cv_CC_dependencies_compiler_type
 
- if
-  test "x$enable_dependency_tracking" != xno \
-  && test "$am_cv_CC_dependencies_compiler_type" = gcc3; then
-  am__fastdepCC_TRUE=
-  am__fastdepCC_FALSE='#'
-else
-  am__fastdepCC_TRUE='#'
-  am__fastdepCC_FALSE=
+
+# Check whether --enable-load-tests was given.
+if test "${enable_load_tests+set}" = set; then
+  enableval=$enable_load_tests; if test x$enableval = xyes; then
+		loadtest=true
+	fi
+
 fi
 
 
+# Check whether --enable-eap-sim was given.
+if test "${enable_eap_sim+set}" = set; then
+  enableval=$enable_eap_sim; if test x$enableval = xyes; then
+		eap_sim=true
+	fi
 
-ac_ext=c
-ac_cpp='$CPP $CPPFLAGS'
-ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
-ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
-ac_compiler_gnu=$ac_cv_c_compiler_gnu
-{ echo "$as_me:$LINENO: checking how to run the C preprocessor" >&5
-echo $ECHO_N "checking how to run the C preprocessor... $ECHO_C" >&6; }
-# On Suns, sometimes $CPP names a directory.
-if test -n "$CPP" && test -d "$CPP"; then
-  CPP=
 fi
-if test -z "$CPP"; then
-  if test "${ac_cv_prog_CPP+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-      # Double quotes because CPP needs to be expanded
-    for CPP in "$CC -E" "$CC -E -traditional-cpp" "/lib/cpp"
-    do
-      ac_preproc_ok=false
-for ac_c_preproc_warn_flag in '' yes
-do
-  # Use a header file that comes with gcc, so configuring glibc
-  # with a fresh cross-compiler works.
-  # Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
-  # <limits.h> exists even on freestanding compilers.
-  # On the NeXT, cc -E runs the code through the compiler's parser,
-  # not just through cpp. "Syntax error" is here to catch this case.
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
-		     Syntax error
-_ACEOF
-if { (ac_try="$ac_cpp conftest.$ac_ext"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } >/dev/null && {
-	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       }; then
-  :
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
 
-  # Broken: fails on valid input.
-continue
+
+# Check whether --enable-eap-sim-file was given.
+if test "${enable_eap_sim_file+set}" = set; then
+  enableval=$enable_eap_sim_file; if test x$enableval = xyes; then
+		eap_sim_file=true
+	fi
+
 fi
 
-rm -f conftest.err conftest.$ac_ext
 
-  # OK, works on sane cases.  Now check whether nonexistent headers
-  # can be detected and how.
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#include <ac_nonexistent.h>
-_ACEOF
-if { (ac_try="$ac_cpp conftest.$ac_ext"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } >/dev/null && {
-	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       }; then
-  # Broken: success on invalid input.
-continue
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+# Check whether --enable-eap-identity was given.
+if test "${enable_eap_identity+set}" = set; then
+  enableval=$enable_eap_identity; if test x$enableval = xyes; then
+		eap_identity=true
+	fi
 
-  # Passes both tests.
-ac_preproc_ok=:
-break
 fi
 
-rm -f conftest.err conftest.$ac_ext
 
-done
-# Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped.
-rm -f conftest.err conftest.$ac_ext
-if $ac_preproc_ok; then
-  break
+# Check whether --enable-eap-md5 was given.
+if test "${enable_eap_md5+set}" = set; then
+  enableval=$enable_eap_md5; if test x$enableval = xyes; then
+		eap_md5=true
+	fi
+
 fi
 
-    done
-    ac_cv_prog_CPP=$CPP
+
+# Check whether --enable-eap-gtc was given.
+if test "${enable_eap_gtc+set}" = set; then
+  enableval=$enable_eap_gtc; if test x$enableval = xyes; then
+		eap_gtc=true
+	fi
 
 fi
-  CPP=$ac_cv_prog_CPP
-else
-  ac_cv_prog_CPP=$CPP
+
+
+# Check whether --enable-eap-aka was given.
+if test "${enable_eap_aka+set}" = set; then
+  enableval=$enable_eap_aka; if test x$enableval = xyes; then
+		eap_aka=true
+	fi
+
 fi
-{ echo "$as_me:$LINENO: result: $CPP" >&5
-echo "${ECHO_T}$CPP" >&6; }
-ac_preproc_ok=false
-for ac_c_preproc_warn_flag in '' yes
-do
-  # Use a header file that comes with gcc, so configuring glibc
-  # with a fresh cross-compiler works.
-  # Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
-  # <limits.h> exists even on freestanding compilers.
-  # On the NeXT, cc -E runs the code through the compiler's parser,
-  # not just through cpp. "Syntax error" is here to catch this case.
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
-		     Syntax error
-_ACEOF
-if { (ac_try="$ac_cpp conftest.$ac_ext"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } >/dev/null && {
-	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       }; then
-  :
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
 
-  # Broken: fails on valid input.
-continue
+
+# Check whether --enable-eap-mschapv2 was given.
+if test "${enable_eap_mschapv2+set}" = set; then
+  enableval=$enable_eap_mschapv2; if test x$enableval = xyes; then
+		eap_mschapv2=true
+	fi
+
 fi
 
-rm -f conftest.err conftest.$ac_ext
 
-  # OK, works on sane cases.  Now check whether nonexistent headers
-  # can be detected and how.
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#include <ac_nonexistent.h>
-_ACEOF
-if { (ac_try="$ac_cpp conftest.$ac_ext"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } >/dev/null && {
-	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       }; then
-  # Broken: success on invalid input.
-continue
+# Check whether --enable-eap-radius was given.
+if test "${enable_eap_radius+set}" = set; then
+  enableval=$enable_eap_radius; if test x$enableval = xyes; then
+		eap_radius=true
+	fi
+
+fi
+
+
+# Check whether --enable-kernel-netlink was given.
+if test "${enable_kernel_netlink+set}" = set; then
+  enableval=$enable_kernel_netlink; if test x$enableval = xyes; then
+		kernel_netlink=true
+	 else
+		kernel_netlink=false
+	fi
 else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+  kernel_netlink=true
 
-  # Passes both tests.
-ac_preproc_ok=:
-break
 fi
 
-rm -f conftest.err conftest.$ac_ext
 
-done
-# Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped.
-rm -f conftest.err conftest.$ac_ext
-if $ac_preproc_ok; then
-  :
-else
-  { { echo "$as_me:$LINENO: error: C preprocessor \"$CPP\" fails sanity check
-See \`config.log' for more details." >&5
-echo "$as_me: error: C preprocessor \"$CPP\" fails sanity check
-See \`config.log' for more details." >&2;}
-   { (exit 1); exit 1; }; }
+# Check whether --enable-kernel-pfkey was given.
+if test "${enable_kernel_pfkey+set}" = set; then
+  enableval=$enable_kernel_pfkey; if test x$enableval = xyes; then
+		kernel_pfkey=true
+	fi
+
 fi
 
-ac_ext=c
-ac_cpp='$CPP $CPPFLAGS'
-ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
-ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
-ac_compiler_gnu=$ac_cv_c_compiler_gnu
 
+# Check whether --enable-kernel-pfroute was given.
+if test "${enable_kernel_pfroute+set}" = set; then
+  enableval=$enable_kernel_pfroute; if test x$enableval = xyes; then
+		kernel_pfroute=true
+	fi
 
-{ echo "$as_me:$LINENO: checking for grep that handles long lines and -e" >&5
-echo $ECHO_N "checking for grep that handles long lines and -e... $ECHO_C" >&6; }
-if test "${ac_cv_path_GREP+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  # Extract the first word of "grep ggrep" to use in msg output
-if test -z "$GREP"; then
-set dummy grep ggrep; ac_prog_name=$2
-if test "${ac_cv_path_GREP+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  ac_path_GREP_found=false
-# Loop through the user's path and test for each of PROGNAME-LIST
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH$PATH_SEPARATOR/usr/xpg4/bin
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  for ac_prog in grep ggrep; do
-  for ac_exec_ext in '' $ac_executable_extensions; do
-    ac_path_GREP="$as_dir/$ac_prog$ac_exec_ext"
-    { test -f "$ac_path_GREP" && $as_test_x "$ac_path_GREP"; } || continue
-    # Check for GNU ac_path_GREP and select it if it is found.
-  # Check for GNU $ac_path_GREP
-case `"$ac_path_GREP" --version 2>&1` in
-*GNU*)
-  ac_cv_path_GREP="$ac_path_GREP" ac_path_GREP_found=:;;
-*)
-  ac_count=0
-  echo $ECHO_N "0123456789$ECHO_C" >"conftest.in"
-  while :
-  do
-    cat "conftest.in" "conftest.in" >"conftest.tmp"
-    mv "conftest.tmp" "conftest.in"
-    cp "conftest.in" "conftest.nl"
-    echo 'GREP' >> "conftest.nl"
-    "$ac_path_GREP" -e 'GREP$' -e '-(cannot match)-' < "conftest.nl" >"conftest.out" 2>/dev/null || break
-    diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break
-    ac_count=`expr $ac_count + 1`
-    if test $ac_count -gt ${ac_path_GREP_max-0}; then
-      # Best one so far, save it but keep looking for a better one
-      ac_cv_path_GREP="$ac_path_GREP"
-      ac_path_GREP_max=$ac_count
-    fi
-    # 10*(2^10) chars as input seems more than enough
-    test $ac_count -gt 10 && break
-  done
-  rm -f conftest.in conftest.tmp conftest.nl conftest.out;;
-esac
+fi
 
 
-    $ac_path_GREP_found && break 3
-  done
-done
+# Check whether --enable-kernel-klips was given.
+if test "${enable_kernel_klips+set}" = set; then
+  enableval=$enable_kernel_klips; if test x$enableval = xyes; then
+		kernel_klips=true
+	fi
 
-done
-IFS=$as_save_IFS
+fi
 
 
-fi
+# Check whether --enable-nat-transport was given.
+if test "${enable_nat_transport+set}" = set; then
+  enableval=$enable_nat_transport; if test x$enableval = xyes; then
+		nat_transport=true
+	fi
 
-GREP="$ac_cv_path_GREP"
-if test -z "$GREP"; then
-  { { echo "$as_me:$LINENO: error: no acceptable $ac_prog_name could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" >&5
-echo "$as_me: error: no acceptable $ac_prog_name could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" >&2;}
-   { (exit 1); exit 1; }; }
 fi
 
-else
-  ac_cv_path_GREP=$GREP
-fi
 
+# Check whether --enable-vendor-id was given.
+if test "${enable_vendor_id+set}" = set; then
+  enableval=$enable_vendor_id; if test x$enableval = xyes; then
+		vendor_id=true
+	 else
+		vendor_id=false
+	fi
+else
+  vendor_id=true
 
 fi
-{ echo "$as_me:$LINENO: result: $ac_cv_path_GREP" >&5
-echo "${ECHO_T}$ac_cv_path_GREP" >&6; }
- GREP="$ac_cv_path_GREP"
 
 
-{ echo "$as_me:$LINENO: checking for egrep" >&5
-echo $ECHO_N "checking for egrep... $ECHO_C" >&6; }
-if test "${ac_cv_path_EGREP+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  if echo a | $GREP -E '(a|b)' >/dev/null 2>&1
-   then ac_cv_path_EGREP="$GREP -E"
-   else
-     # Extract the first word of "egrep" to use in msg output
-if test -z "$EGREP"; then
-set dummy egrep; ac_prog_name=$2
-if test "${ac_cv_path_EGREP+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+# Check whether --enable-xauth-vid was given.
+if test "${enable_xauth_vid+set}" = set; then
+  enableval=$enable_xauth_vid; if test x$enableval = xyes; then
+		xauth_vid=true
+	 else
+		xauth_vid=false
+	fi
 else
-  ac_path_EGREP_found=false
-# Loop through the user's path and test for each of PROGNAME-LIST
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH$PATH_SEPARATOR/usr/xpg4/bin
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  for ac_prog in egrep; do
-  for ac_exec_ext in '' $ac_executable_extensions; do
-    ac_path_EGREP="$as_dir/$ac_prog$ac_exec_ext"
-    { test -f "$ac_path_EGREP" && $as_test_x "$ac_path_EGREP"; } || continue
-    # Check for GNU ac_path_EGREP and select it if it is found.
-  # Check for GNU $ac_path_EGREP
-case `"$ac_path_EGREP" --version 2>&1` in
-*GNU*)
-  ac_cv_path_EGREP="$ac_path_EGREP" ac_path_EGREP_found=:;;
-*)
-  ac_count=0
-  echo $ECHO_N "0123456789$ECHO_C" >"conftest.in"
-  while :
-  do
-    cat "conftest.in" "conftest.in" >"conftest.tmp"
-    mv "conftest.tmp" "conftest.in"
-    cp "conftest.in" "conftest.nl"
-    echo 'EGREP' >> "conftest.nl"
-    "$ac_path_EGREP" 'EGREP$' < "conftest.nl" >"conftest.out" 2>/dev/null || break
-    diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break
-    ac_count=`expr $ac_count + 1`
-    if test $ac_count -gt ${ac_path_EGREP_max-0}; then
-      # Best one so far, save it but keep looking for a better one
-      ac_cv_path_EGREP="$ac_path_EGREP"
-      ac_path_EGREP_max=$ac_count
-    fi
-    # 10*(2^10) chars as input seems more than enough
-    test $ac_count -gt 10 && break
-  done
-  rm -f conftest.in conftest.tmp conftest.nl conftest.out;;
-esac
+  xauth_vid=true
 
+fi
 
-    $ac_path_EGREP_found && break 3
-  done
-done
 
-done
-IFS=$as_save_IFS
+# Check whether --enable-dumm was given.
+if test "${enable_dumm+set}" = set; then
+  enableval=$enable_dumm; if test x$enableval = xyes; then
+		dumm=true
+	fi
 
+fi
+
+
+# Check whether --enable-fast was given.
+if test "${enable_fast+set}" = set; then
+  enableval=$enable_fast; if test x$enableval = xyes; then
+		fast=true
+	fi
 
 fi
 
-EGREP="$ac_cv_path_EGREP"
-if test -z "$EGREP"; then
-  { { echo "$as_me:$LINENO: error: no acceptable $ac_prog_name could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" >&5
-echo "$as_me: error: no acceptable $ac_prog_name could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" >&2;}
-   { (exit 1); exit 1; }; }
+
+# Check whether --enable-manager was given.
+if test "${enable_manager+set}" = set; then
+  enableval=$enable_manager; if test x$enableval = xyes; then
+		manager=true
+		xml=true
+	fi
+
 fi
 
-else
-  ac_cv_path_EGREP=$EGREP
+
+# Check whether --enable-mediation was given.
+if test "${enable_mediation+set}" = set; then
+  enableval=$enable_mediation; if test x$enableval = xyes; then
+		me=true
+	fi
+
 fi
 
 
-   fi
+# Check whether --enable-integrity-test was given.
+if test "${enable_integrity_test+set}" = set; then
+  enableval=$enable_integrity_test; if test x$enableval = xyes; then
+		integrity_test=true
+	fi
+
 fi
-{ echo "$as_me:$LINENO: result: $ac_cv_path_EGREP" >&5
-echo "${ECHO_T}$ac_cv_path_EGREP" >&6; }
- EGREP="$ac_cv_path_EGREP"
 
 
-{ echo "$as_me:$LINENO: checking for ANSI C header files" >&5
-echo $ECHO_N "checking for ANSI C header files... $ECHO_C" >&6; }
-if test "${ac_cv_header_stdc+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+# Check whether --enable-pluto was given.
+if test "${enable_pluto+set}" = set; then
+  enableval=$enable_pluto; if test x$enableval = xyes; then
+		pluto=true
+	 else
+		pluto=false
+	fi
 else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#include <stdlib.h>
-#include <stdarg.h>
-#include <string.h>
-#include <float.h>
+  pluto=true
 
-int
-main ()
-{
+fi
 
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  ac_cv_header_stdc=yes
+
+# Check whether --enable-threads was given.
+if test "${enable_threads+set}" = set; then
+  enableval=$enable_threads; if test x$enableval = xyes; then
+		threads=true
+	 else
+		threads=false
+	fi
 else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+  threads=true
 
-	ac_cv_header_stdc=no
 fi
 
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-
-if test $ac_cv_header_stdc = yes; then
-  # SunOS 4.x string.h does not declare mem*, contrary to ANSI.
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#include <string.h>
 
-_ACEOF
-if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
-  $EGREP "memchr" >/dev/null 2>&1; then
-  :
+# Check whether --enable-charon was given.
+if test "${enable_charon+set}" = set; then
+  enableval=$enable_charon; if test x$enableval = xyes; then
+		charon=true
+	 else
+		charon=false
+	fi
 else
-  ac_cv_header_stdc=no
-fi
-rm -f conftest*
+  charon=true
 
 fi
 
-if test $ac_cv_header_stdc = yes; then
-  # ISC 2.0.2 stdlib.h does not declare free, contrary to ANSI.
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#include <stdlib.h>
 
-_ACEOF
-if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
-  $EGREP "free" >/dev/null 2>&1; then
-  :
+# Check whether --enable-tools was given.
+if test "${enable_tools+set}" = set; then
+  enableval=$enable_tools; if test x$enableval = xyes; then
+		tools=true
+	 else
+		tools=false
+	fi
 else
-  ac_cv_header_stdc=no
-fi
-rm -f conftest*
+  tools=true
 
 fi
 
-if test $ac_cv_header_stdc = yes; then
-  # /bin/cc in Irix-4.0.5 gets non-ANSI ctype macros unless using -ansi.
-  if test "$cross_compiling" = yes; then
-  :
-else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#include <ctype.h>
-#include <stdlib.h>
-#if ((' ' & 0x0FF) == 0x020)
-# define ISLOWER(c) ('a' <= (c) && (c) <= 'z')
-# define TOUPPER(c) (ISLOWER(c) ? 'A' + ((c) - 'a') : (c))
-#else
-# define ISLOWER(c) \
-		   (('a' <= (c) && (c) <= 'i') \
-		     || ('j' <= (c) && (c) <= 'r') \
-		     || ('s' <= (c) && (c) <= 'z'))
-# define TOUPPER(c) (ISLOWER(c) ? ((c) | 0x40) : (c))
-#endif
 
-#define XOR(e, f) (((e) && !(f)) || (!(e) && (f)))
-int
-main ()
-{
-  int i;
-  for (i = 0; i < 256; i++)
-    if (XOR (islower (i), ISLOWER (i))
-	|| toupper (i) != TOUPPER (i))
-      return 2;
-  return 0;
-}
-_ACEOF
-rm -f conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_link") 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
-  { (case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_try") 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  :
+# Check whether --enable-updown was given.
+if test "${enable_updown+set}" = set; then
+  enableval=$enable_updown; if test x$enableval = xyes; then
+		updown=true
+	 else
+		updown=false
+	fi
 else
-  echo "$as_me: program exited with status $ac_status" >&5
-echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+  updown=true
 
-( exit $ac_status )
-ac_cv_header_stdc=no
-fi
-rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
 fi
 
 
+# Check whether --enable-attr was given.
+if test "${enable_attr+set}" = set; then
+  enableval=$enable_attr; if test x$enableval = xyes; then
+		attr=true
+	 else
+		attr=false
+	fi
+else
+  attr=true
+
 fi
-fi
-{ echo "$as_me:$LINENO: result: $ac_cv_header_stdc" >&5
-echo "${ECHO_T}$ac_cv_header_stdc" >&6; }
-if test $ac_cv_header_stdc = yes; then
 
-cat >>confdefs.h <<\_ACEOF
-#define STDC_HEADERS 1
-_ACEOF
 
-fi
+# Check whether --enable-resolv-conf was given.
+if test "${enable_resolv_conf+set}" = set; then
+  enableval=$enable_resolv_conf; if test x$enableval = xyes; then
+		resolvconf=true
+	 else
+		resolvconf=false
+	fi
+else
+  resolvconf=true
 
-# On IRIX 5.3, sys/types and inttypes.h are conflicting.
+fi
 
 
+# Check whether --enable-padlock was given.
+if test "${enable_padlock+set}" = set; then
+  enableval=$enable_padlock; if test x$enableval = xyes; then
+		padlock=true
+	 else
+		padlock=false
+	fi
+fi
 
 
+# Check whether --enable-openssl was given.
+if test "${enable_openssl+set}" = set; then
+  enableval=$enable_openssl; if test x$enableval = xyes; then
+		openssl=true
+	 else
+		openssl=false
+	fi
+fi
 
 
+# Check whether --enable-gcrypt was given.
+if test "${enable_gcrypt+set}" = set; then
+  enableval=$enable_gcrypt; if test x$enableval = xyes; then
+		gcrypt=true
+	 else
+		gcrypt=false
+	fi
+fi
 
 
+# Check whether --enable-agent was given.
+if test "${enable_agent+set}" = set; then
+  enableval=$enable_agent; if test x$enableval = xyes; then
+		agent=true
+	 else
+		agent=false
+	fi
+fi
 
-for ac_header in sys/types.h sys/stat.h stdlib.h string.h memory.h strings.h \
-		  inttypes.h stdint.h unistd.h
-do
-as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
-{ echo "$as_me:$LINENO: checking for $ac_header" >&5
-echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
-if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-$ac_includes_default
 
-#include <$ac_header>
-_ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  eval "$as_ac_Header=yes"
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+# Check whether --enable-uci was given.
+if test "${enable_uci+set}" = set; then
+  enableval=$enable_uci; if test x$enableval = xyes; then
+		uci=true
+	fi
 
-	eval "$as_ac_Header=no"
 fi
 
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-fi
-ac_res=`eval echo '${'$as_ac_Header'}'`
-	       { echo "$as_me:$LINENO: result: $ac_res" >&5
-echo "${ECHO_T}$ac_res" >&6; }
-if test `eval echo '${'$as_ac_Header'}'` = yes; then
-  cat >>confdefs.h <<_ACEOF
-#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
-_ACEOF
 
-fi
+# Check whether --enable-nm was given.
+if test "${enable_nm+set}" = set; then
+  enableval=$enable_nm; if test x$enableval = xyes; then
+		nm=true
+	fi
 
-done
+fi
 
 
-{ echo "$as_me:$LINENO: checking whether byte ordering is bigendian" >&5
-echo $ECHO_N "checking whether byte ordering is bigendian... $ECHO_C" >&6; }
-if test "${ac_cv_c_bigendian+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  # See if sys/param.h defines the BYTE_ORDER macro.
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#include <sys/types.h>
-#include <sys/param.h>
+# Check whether --enable-vstr was given.
+if test "${enable_vstr+set}" = set; then
+  enableval=$enable_vstr; if test x$enableval = xyes; then
+	 	vstr=true
+	fi
 
-int
-main ()
-{
-#if  ! (defined BYTE_ORDER && defined BIG_ENDIAN && defined LITTLE_ENDIAN \
-	&& BYTE_ORDER && BIG_ENDIAN && LITTLE_ENDIAN)
- bogus endian macros
-#endif
+fi
 
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  # It does; now see whether it defined to BIG_ENDIAN or not.
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#include <sys/types.h>
-#include <sys/param.h>
 
-int
-main ()
-{
-#if BYTE_ORDER != BIG_ENDIAN
- not big endian
-#endif
 
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  ac_cv_c_bigendian=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+if test -z "$CFLAGS"; then
+	CFLAGS="-g -O2 -Wall -Wno-format -Wno-pointer-sign -Wno-strict-aliasing"
 
-	ac_cv_c_bigendian=no
 fi
-
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+if test -n "$ac_tool_prefix"; then
+  # Extract the first word of "${ac_tool_prefix}gcc", so it can be a program name with args.
+set dummy ${ac_tool_prefix}gcc; ac_word=$2
+{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if test "${ac_cv_prog_CC+set}" = set; then
+  $as_echo_n "(cached) " >&6
 else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+  if test -n "$CC"; then
+  ac_cv_prog_CC="$CC" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+  for ac_exec_ext in '' $ac_executable_extensions; do
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+    ac_cv_prog_CC="${ac_tool_prefix}gcc"
+    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+done
+IFS=$as_save_IFS
 
-	# It does not; compile a test program.
-if test "$cross_compiling" = yes; then
-  # try to guess the endianness by grepping values into an object file
-  ac_cv_c_bigendian=unknown
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-short int ascii_mm[] = { 0x4249, 0x4765, 0x6E44, 0x6961, 0x6E53, 0x7953, 0 };
-short int ascii_ii[] = { 0x694C, 0x5454, 0x656C, 0x6E45, 0x6944, 0x6E61, 0 };
-void _ascii () { char *s = (char *) ascii_mm; s = (char *) ascii_ii; }
-short int ebcdic_ii[] = { 0x89D3, 0xE3E3, 0x8593, 0x95C5, 0x89C4, 0x9581, 0 };
-short int ebcdic_mm[] = { 0xC2C9, 0xC785, 0x95C4, 0x8981, 0x95E2, 0xA8E2, 0 };
-void _ebcdic () { char *s = (char *) ebcdic_mm; s = (char *) ebcdic_ii; }
-int
-main ()
-{
- _ascii (); _ebcdic ();
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  if grep BIGenDianSyS conftest.$ac_objext >/dev/null ; then
-  ac_cv_c_bigendian=yes
 fi
-if grep LiTTleEnDian conftest.$ac_objext >/dev/null ; then
-  if test "$ac_cv_c_bigendian" = unknown; then
-    ac_cv_c_bigendian=no
-  else
-    # finding both strings is unlikely to happen, but who knows?
-    ac_cv_c_bigendian=unknown
-  fi
 fi
+CC=$ac_cv_prog_CC
+if test -n "$CC"; then
+  { $as_echo "$as_me:$LINENO: result: $CC" >&5
+$as_echo "$CC" >&6; }
 else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+  { $as_echo "$as_me:$LINENO: result: no" >&5
+$as_echo "no" >&6; }
+fi
 
 
 fi
-
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+if test -z "$ac_cv_prog_CC"; then
+  ac_ct_CC=$CC
+  # Extract the first word of "gcc", so it can be a program name with args.
+set dummy gcc; ac_word=$2
+{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if test "${ac_cv_prog_ac_ct_CC+set}" = set; then
+  $as_echo_n "(cached) " >&6
 else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-$ac_includes_default
-int
-main ()
-{
+  if test -n "$ac_ct_CC"; then
+  ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+  for ac_exec_ext in '' $ac_executable_extensions; do
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+    ac_cv_prog_ac_ct_CC="gcc"
+    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+done
+IFS=$as_save_IFS
 
-  /* Are we little or big endian?  From Harbison&Steele.  */
-  union
-  {
-    long int l;
-    char c[sizeof (long int)];
-  } u;
-  u.l = 1;
-  return u.c[sizeof (long int) - 1] == 1;
+fi
+fi
+ac_ct_CC=$ac_cv_prog_ac_ct_CC
+if test -n "$ac_ct_CC"; then
+  { $as_echo "$as_me:$LINENO: result: $ac_ct_CC" >&5
+$as_echo "$ac_ct_CC" >&6; }
+else
+  { $as_echo "$as_me:$LINENO: result: no" >&5
+$as_echo "no" >&6; }
+fi
 
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_link") 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
-  { (case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
+  if test "x$ac_ct_CC" = x; then
+    CC=""
+  else
+    case $cross_compiling:$ac_tool_warned in
+yes:)
+{ $as_echo "$as_me:$LINENO: WARNING: using cross tools not prefixed with host triplet" >&5
+$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;}
+ac_tool_warned=yes ;;
 esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_try") 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_cv_c_bigendian=no
+    CC=$ac_ct_CC
+  fi
 else
-  echo "$as_me: program exited with status $ac_status" >&5
-echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-( exit $ac_status )
-ac_cv_c_bigendian=yes
-fi
-rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
+  CC="$ac_cv_prog_CC"
 fi
 
+if test -z "$CC"; then
+          if test -n "$ac_tool_prefix"; then
+    # Extract the first word of "${ac_tool_prefix}cc", so it can be a program name with args.
+set dummy ${ac_tool_prefix}cc; ac_word=$2
+{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if test "${ac_cv_prog_CC+set}" = set; then
+  $as_echo_n "(cached) " >&6
+else
+  if test -n "$CC"; then
+  ac_cv_prog_CC="$CC" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+  for ac_exec_ext in '' $ac_executable_extensions; do
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+    ac_cv_prog_CC="${ac_tool_prefix}cc"
+    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+done
+IFS=$as_save_IFS
 
 fi
-
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
-{ echo "$as_me:$LINENO: result: $ac_cv_c_bigendian" >&5
-echo "${ECHO_T}$ac_cv_c_bigendian" >&6; }
-case $ac_cv_c_bigendian in
-  yes)
+CC=$ac_cv_prog_CC
+if test -n "$CC"; then
+  { $as_echo "$as_me:$LINENO: result: $CC" >&5
+$as_echo "$CC" >&6; }
+else
+  { $as_echo "$as_me:$LINENO: result: no" >&5
+$as_echo "no" >&6; }
+fi
 
-cat >>confdefs.h <<\_ACEOF
-#define WORDS_BIGENDIAN 1
-_ACEOF
- ;;
-  no)
-     ;;
-  *)
-    { { echo "$as_me:$LINENO: error: unknown endianness
-presetting ac_cv_c_bigendian=no (or yes) will help" >&5
-echo "$as_me: error: unknown endianness
-presetting ac_cv_c_bigendian=no (or yes) will help" >&2;}
-   { (exit 1); exit 1; }; } ;;
-esac
 
-confdir='${sysconfdir}'
+  fi
+fi
+if test -z "$CC"; then
+  # Extract the first word of "cc", so it can be a program name with args.
+set dummy cc; ac_word=$2
+{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if test "${ac_cv_prog_CC+set}" = set; then
+  $as_echo_n "(cached) " >&6
+else
+  if test -n "$CC"; then
+  ac_cv_prog_CC="$CC" # Let the user override the test.
+else
+  ac_prog_rejected=no
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+  for ac_exec_ext in '' $ac_executable_extensions; do
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+    if test "$as_dir/$ac_word$ac_exec_ext" = "/usr/ucb/cc"; then
+       ac_prog_rejected=yes
+       continue
+     fi
+    ac_cv_prog_CC="cc"
+    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+done
+IFS=$as_save_IFS
 
+if test $ac_prog_rejected = yes; then
+  # We found a bogon in the path, so make sure we never use it.
+  set dummy $ac_cv_prog_CC
+  shift
+  if test $# != 0; then
+    # We chose a different compiler from the bogus one.
+    # However, it has the same basename, so the bogon will be chosen
+    # first if we set CC to just the basename; use the full file name.
+    shift
+    ac_cv_prog_CC="$as_dir/$ac_word${1+' '}$@"
+  fi
+fi
+fi
+fi
+CC=$ac_cv_prog_CC
+if test -n "$CC"; then
+  { $as_echo "$as_me:$LINENO: result: $CC" >&5
+$as_echo "$CC" >&6; }
+else
+  { $as_echo "$as_me:$LINENO: result: no" >&5
+$as_echo "no" >&6; }
+fi
 
 
-if test "x$ac_cv_env_PKG_CONFIG_set" != "xset"; then
-	if test -n "$ac_tool_prefix"; then
-  # Extract the first word of "${ac_tool_prefix}pkg-config", so it can be a program name with args.
-set dummy ${ac_tool_prefix}pkg-config; ac_word=$2
-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
-if test "${ac_cv_path_PKG_CONFIG+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+fi
+if test -z "$CC"; then
+  if test -n "$ac_tool_prefix"; then
+  for ac_prog in cl.exe
+  do
+    # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args.
+set dummy $ac_tool_prefix$ac_prog; ac_word=$2
+{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if test "${ac_cv_prog_CC+set}" = set; then
+  $as_echo_n "(cached) " >&6
 else
-  case $PKG_CONFIG in
-  [\\/]* | ?:[\\/]*)
-  ac_cv_path_PKG_CONFIG="$PKG_CONFIG" # Let the user override the test with a path.
-  ;;
-  *)
-  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+  if test -n "$CC"; then
+  ac_cv_prog_CC="$CC" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
 for as_dir in $PATH
 do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
   for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-    ac_cv_path_PKG_CONFIG="$as_dir/$ac_word$ac_exec_ext"
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    ac_cv_prog_CC="$ac_tool_prefix$ac_prog"
+    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
 done
 IFS=$as_save_IFS
 
-  ;;
-esac
 fi
-PKG_CONFIG=$ac_cv_path_PKG_CONFIG
-if test -n "$PKG_CONFIG"; then
-  { echo "$as_me:$LINENO: result: $PKG_CONFIG" >&5
-echo "${ECHO_T}$PKG_CONFIG" >&6; }
+fi
+CC=$ac_cv_prog_CC
+if test -n "$CC"; then
+  { $as_echo "$as_me:$LINENO: result: $CC" >&5
+$as_echo "$CC" >&6; }
 else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
+  { $as_echo "$as_me:$LINENO: result: no" >&5
+$as_echo "no" >&6; }
 fi
 
 
+    test -n "$CC" && break
+  done
 fi
-if test -z "$ac_cv_path_PKG_CONFIG"; then
-  ac_pt_PKG_CONFIG=$PKG_CONFIG
-  # Extract the first word of "pkg-config", so it can be a program name with args.
-set dummy pkg-config; ac_word=$2
-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
-if test "${ac_cv_path_ac_pt_PKG_CONFIG+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+if test -z "$CC"; then
+  ac_ct_CC=$CC
+  for ac_prog in cl.exe
+do
+  # Extract the first word of "$ac_prog", so it can be a program name with args.
+set dummy $ac_prog; ac_word=$2
+{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if test "${ac_cv_prog_ac_ct_CC+set}" = set; then
+  $as_echo_n "(cached) " >&6
 else
-  case $ac_pt_PKG_CONFIG in
-  [\\/]* | ?:[\\/]*)
-  ac_cv_path_ac_pt_PKG_CONFIG="$ac_pt_PKG_CONFIG" # Let the user override the test with a path.
-  ;;
-  *)
-  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+  if test -n "$ac_ct_CC"; then
+  ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
 for as_dir in $PATH
 do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
   for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-    ac_cv_path_ac_pt_PKG_CONFIG="$as_dir/$ac_word$ac_exec_ext"
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    ac_cv_prog_ac_ct_CC="$ac_prog"
+    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
 done
 IFS=$as_save_IFS
 
-  ;;
-esac
 fi
-ac_pt_PKG_CONFIG=$ac_cv_path_ac_pt_PKG_CONFIG
-if test -n "$ac_pt_PKG_CONFIG"; then
-  { echo "$as_me:$LINENO: result: $ac_pt_PKG_CONFIG" >&5
-echo "${ECHO_T}$ac_pt_PKG_CONFIG" >&6; }
+fi
+ac_ct_CC=$ac_cv_prog_ac_ct_CC
+if test -n "$ac_ct_CC"; then
+  { $as_echo "$as_me:$LINENO: result: $ac_ct_CC" >&5
+$as_echo "$ac_ct_CC" >&6; }
 else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
+  { $as_echo "$as_me:$LINENO: result: no" >&5
+$as_echo "no" >&6; }
 fi
 
-  if test "x$ac_pt_PKG_CONFIG" = x; then
-    PKG_CONFIG=""
+
+  test -n "$ac_ct_CC" && break
+done
+
+  if test "x$ac_ct_CC" = x; then
+    CC=""
   else
     case $cross_compiling:$ac_tool_warned in
 yes:)
-{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
-whose name does not start with the host triplet.  If you think this
-configuration is useful to you, please write to autoconf@gnu.org." >&5
-echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
-whose name does not start with the host triplet.  If you think this
-configuration is useful to you, please write to autoconf@gnu.org." >&2;}
+{ $as_echo "$as_me:$LINENO: WARNING: using cross tools not prefixed with host triplet" >&5
+$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;}
 ac_tool_warned=yes ;;
 esac
-    PKG_CONFIG=$ac_pt_PKG_CONFIG
+    CC=$ac_ct_CC
   fi
-else
-  PKG_CONFIG="$ac_cv_path_PKG_CONFIG"
-fi
-
-fi
-if test -n "$PKG_CONFIG"; then
-	_pkg_min_version=0.9.0
-	{ echo "$as_me:$LINENO: checking pkg-config is at least version $_pkg_min_version" >&5
-echo $ECHO_N "checking pkg-config is at least version $_pkg_min_version... $ECHO_C" >&6; }
-	if $PKG_CONFIG --atleast-pkgconfig-version $_pkg_min_version; then
-		{ echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6; }
-	else
-		{ echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
-		PKG_CONFIG=""
-	fi
-
-fi
-
-
-
-# Check whether --with-default-pkcs11 was given.
-if test "${with_default_pkcs11+set}" = set; then
-  withval=$with_default_pkcs11; cat >>confdefs.h <<_ACEOF
-#define PKCS11_DEFAULT_LIB "$withval"
-_ACEOF
-
-else
-  cat >>confdefs.h <<_ACEOF
-#define PKCS11_DEFAULT_LIB "/usr/lib/opensc-pkcs11.so"
-_ACEOF
-
-
 fi
 
-
-
-# Check whether --with-xauth-module was given.
-if test "${with_xauth_module+set}" = set; then
-  withval=$with_xauth_module; cat >>confdefs.h <<_ACEOF
-#define XAUTH_DEFAULT_LIB "$withval"
-_ACEOF
-
 fi
 
 
+test -z "$CC" && { { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+{ { $as_echo "$as_me:$LINENO: error: no acceptable C compiler found in \$PATH
+See \`config.log' for more details." >&5
+$as_echo "$as_me: error: no acceptable C compiler found in \$PATH
+See \`config.log' for more details." >&2;}
+   { (exit 1); exit 1; }; }; }
 
-# Check whether --with-random-device was given.
-if test "${with_random_device+set}" = set; then
-  withval=$with_random_device; cat >>confdefs.h <<_ACEOF
-#define DEV_RANDOM "$withval"
-_ACEOF
+# Provide some information about the compiler.
+$as_echo "$as_me:$LINENO: checking for C compiler version" >&5
+set X $ac_compile
+ac_compiler=$2
+{ (ac_try="$ac_compiler --version >&5"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+  (eval "$ac_compiler --version >&5") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }
+{ (ac_try="$ac_compiler -v >&5"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+  (eval "$ac_compiler -v >&5") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }
+{ (ac_try="$ac_compiler -V >&5"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+  (eval "$ac_compiler -V >&5") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }
 
-else
-  cat >>confdefs.h <<_ACEOF
-#define DEV_RANDOM "/dev/random"
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
 _ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
 
+int
+main ()
+{
 
-fi
-
-
-# Check whether --with-resolv-conf was given.
-if test "${with_resolv_conf+set}" = set; then
-  withval=$with_resolv_conf; resolv_conf="$withval"
-
-else
-  resolv_conf="${sysconfdir}/resolv.conf"
-
-
-fi
-
-
-
-# Check whether --with-strongswan-conf was given.
-if test "${with_strongswan_conf+set}" = set; then
-  withval=$with_strongswan_conf; strongswan_conf="$withval"
-
-else
-  strongswan_conf="${sysconfdir}/strongswan.conf"
-
-
-fi
-
-
-
-# Check whether --with-urandom-device was given.
-if test "${with_urandom_device+set}" = set; then
-  withval=$with_urandom_device; cat >>confdefs.h <<_ACEOF
-#define DEV_URANDOM "$withval"
-_ACEOF
-
-else
-  cat >>confdefs.h <<_ACEOF
-#define DEV_URANDOM "/dev/urandom"
+  ;
+  return 0;
+}
 _ACEOF
+ac_clean_files_save=$ac_clean_files
+ac_clean_files="$ac_clean_files a.out a.out.dSYM a.exe b.out"
+# Try to create an executable without -o first, disregard a.out.
+# It will help us diagnose broken compilers, and finding out an intuition
+# of exeext.
+{ $as_echo "$as_me:$LINENO: checking for C compiler default output file name" >&5
+$as_echo_n "checking for C compiler default output file name... " >&6; }
+ac_link_default=`$as_echo "$ac_link" | sed 's/ -o *conftest[^ ]*//'`
 
+# The possible output files:
+ac_files="a.out conftest.exe conftest a.exe a_out.exe b.out conftest.*"
 
-fi
-
-
-
-# Check whether --with-piddir was given.
-if test "${with_piddir+set}" = set; then
-  withval=$with_piddir; piddir="$withval"
-
-else
-  piddir="/var/run"
-
-
-fi
-
-
-
-# Check whether --with-ipsecdir was given.
-if test "${with_ipsecdir+set}" = set; then
-  withval=$with_ipsecdir; ipsecdir="$withval"
-
-else
-  ipsecdir="${libexecdir%/}/ipsec"
-
-
-fi
-
-plugindir="${ipsecdir%/}/plugins"
-
-
-
-# Check whether --with-plugindir was given.
-if test "${with_plugindir+set}" = set; then
-  withval=$with_plugindir; plugindir="$withval"
-
-else
-  plugindir="${ipsecdir%/}/plugins"
-
-
-fi
-
-
+ac_rmfiles=
+for ac_file in $ac_files
+do
+  case $ac_file in
+    *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj ) ;;
+    * ) ac_rmfiles="$ac_rmfiles $ac_file";;
+  esac
+done
+rm -f $ac_rmfiles
 
-# Check whether --with-sim-reader was given.
-if test "${with_sim_reader+set}" = set; then
-  withval=$with_sim_reader; simreader="$withval"
+if { (ac_try="$ac_link_default"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+  (eval "$ac_link_default") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  # Autoconf-2.13 could set the ac_cv_exeext variable to `no'.
+# So ignore a value of `no', otherwise this would lead to `EXEEXT = no'
+# in a Makefile.  We should not override ac_cv_exeext if it was cached,
+# so that the user can short-circuit this test for compilers unknown to
+# Autoconf.
+for ac_file in $ac_files ''
+do
+  test -f "$ac_file" || continue
+  case $ac_file in
+    *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj )
+	;;
+    [ab].out )
+	# We found the default executable, but exeext='' is most
+	# certainly right.
+	break;;
+    *.* )
+        if test "${ac_cv_exeext+set}" = set && test "$ac_cv_exeext" != no;
+	then :; else
+	   ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'`
+	fi
+	# We set ac_cv_exeext here because the later test for it is not
+	# safe: cross compilers may not add the suffix if given an `-o'
+	# argument, so we may need to know it at that point already.
+	# Even if this section looks crufty: it has the advantage of
+	# actually working.
+	break;;
+    * )
+	break;;
+  esac
+done
+test "$ac_cv_exeext" = no && ac_cv_exeext=
 
 else
-  simreader="${plugindir%/}/libeapsim-file.so"
+  ac_file=''
+fi
 
+{ $as_echo "$as_me:$LINENO: result: $ac_file" >&5
+$as_echo "$ac_file" >&6; }
+if test -z "$ac_file"; then
+  $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
 
+{ { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+{ { $as_echo "$as_me:$LINENO: error: C compiler cannot create executables
+See \`config.log' for more details." >&5
+$as_echo "$as_me: error: C compiler cannot create executables
+See \`config.log' for more details." >&2;}
+   { (exit 77); exit 77; }; }; }
 fi
 
+ac_exeext=$ac_cv_exeext
 
+# Check that the compiler produces executables we can run.  If not, either
+# the compiler is broken, or we cross compile.
+{ $as_echo "$as_me:$LINENO: checking whether the C compiler works" >&5
+$as_echo_n "checking whether the C compiler works... " >&6; }
+# FIXME: These cross compiler hacks should be removed for Autoconf 3.0
+# If not cross compiling, check that we can run a simple program.
+if test "$cross_compiling" != yes; then
+  if { ac_try='./$ac_file'
+  { (case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+  (eval "$ac_try") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; }; then
+    cross_compiling=no
+  else
+    if test "$cross_compiling" = maybe; then
+	cross_compiling=yes
+    else
+	{ { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+{ { $as_echo "$as_me:$LINENO: error: cannot run C compiled programs.
+If you meant to cross compile, use \`--host'.
+See \`config.log' for more details." >&5
+$as_echo "$as_me: error: cannot run C compiled programs.
+If you meant to cross compile, use \`--host'.
+See \`config.log' for more details." >&2;}
+   { (exit 1); exit 1; }; }; }
+    fi
+  fi
+fi
+{ $as_echo "$as_me:$LINENO: result: yes" >&5
+$as_echo "yes" >&6; }
 
-# Check whether --with-linux-headers was given.
-if test "${with_linux_headers+set}" = set; then
-  withval=$with_linux_headers; linuxdir="$withval"
+rm -f -r a.out a.out.dSYM a.exe conftest$ac_cv_exeext b.out
+ac_clean_files=$ac_clean_files_save
+# Check that the compiler produces executables we can run.  If not, either
+# the compiler is broken, or we cross compile.
+{ $as_echo "$as_me:$LINENO: checking whether we are cross compiling" >&5
+$as_echo_n "checking whether we are cross compiling... " >&6; }
+{ $as_echo "$as_me:$LINENO: result: $cross_compiling" >&5
+$as_echo "$cross_compiling" >&6; }
 
+{ $as_echo "$as_me:$LINENO: checking for suffix of executables" >&5
+$as_echo_n "checking for suffix of executables... " >&6; }
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+  (eval "$ac_link") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  # If both `conftest.exe' and `conftest' are `present' (well, observable)
+# catch `conftest.exe'.  For instance with Cygwin, `ls conftest' will
+# work properly (i.e., refer to `conftest.exe'), while it won't with
+# `rm'.
+for ac_file in conftest.exe conftest conftest.*; do
+  test -f "$ac_file" || continue
+  case $ac_file in
+    *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj ) ;;
+    *.* ) ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'`
+	  break;;
+    * ) break;;
+  esac
+done
 else
-  linuxdir="\${top_srcdir}/src/include"
-
-
+  { { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+{ { $as_echo "$as_me:$LINENO: error: cannot compute suffix of executables: cannot compile and link
+See \`config.log' for more details." >&5
+$as_echo "$as_me: error: cannot compute suffix of executables: cannot compile and link
+See \`config.log' for more details." >&2;}
+   { (exit 1); exit 1; }; }; }
 fi
 
+rm -f conftest$ac_cv_exeext
+{ $as_echo "$as_me:$LINENO: result: $ac_cv_exeext" >&5
+$as_echo "$ac_cv_exeext" >&6; }
 
+rm -f conftest.$ac_ext
+EXEEXT=$ac_cv_exeext
+ac_exeext=$EXEEXT
+{ $as_echo "$as_me:$LINENO: checking for suffix of object files" >&5
+$as_echo_n "checking for suffix of object files... " >&6; }
+if test "${ac_cv_objext+set}" = set; then
+  $as_echo_n "(cached) " >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
 
+int
+main ()
+{
 
-# Check whether --with-routing-table was given.
-if test "${with_routing_table+set}" = set; then
-  withval=$with_routing_table; cat >>confdefs.h <<_ACEOF
-#define IPSEC_ROUTING_TABLE $withval
+  ;
+  return 0;
+}
 _ACEOF
- IPSEC_ROUTING_TABLE="$withval"
-
+rm -f conftest.o conftest.obj
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+  (eval "$ac_compile") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  for ac_file in conftest.o conftest.obj conftest.*; do
+  test -f "$ac_file" || continue;
+  case $ac_file in
+    *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM ) ;;
+    *) ac_cv_objext=`expr "$ac_file" : '.*\.\(.*\)'`
+       break;;
+  esac
+done
 else
-  cat >>confdefs.h <<_ACEOF
-#define IPSEC_ROUTING_TABLE 220
-_ACEOF
- IPSEC_ROUTING_TABLE="220"
-
+  $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
 
+{ { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+{ { $as_echo "$as_me:$LINENO: error: cannot compute suffix of object files: cannot compile
+See \`config.log' for more details." >&5
+$as_echo "$as_me: error: cannot compute suffix of object files: cannot compile
+See \`config.log' for more details." >&2;}
+   { (exit 1); exit 1; }; }; }
 fi
 
+rm -f conftest.$ac_cv_objext conftest.$ac_ext
+fi
+{ $as_echo "$as_me:$LINENO: result: $ac_cv_objext" >&5
+$as_echo "$ac_cv_objext" >&6; }
+OBJEXT=$ac_cv_objext
+ac_objext=$OBJEXT
+{ $as_echo "$as_me:$LINENO: checking whether we are using the GNU C compiler" >&5
+$as_echo_n "checking whether we are using the GNU C compiler... " >&6; }
+if test "${ac_cv_c_compiler_gnu+set}" = set; then
+  $as_echo_n "(cached) " >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
 
+int
+main ()
+{
+#ifndef __GNUC__
+       choke me
+#endif
 
-# Check whether --with-routing-table-prio was given.
-if test "${with_routing_table_prio+set}" = set; then
-  withval=$with_routing_table_prio; cat >>confdefs.h <<_ACEOF
-#define IPSEC_ROUTING_TABLE_PRIO $withval
+  ;
+  return 0;
+}
 _ACEOF
- IPSEC_ROUTING_TABLE_PRIO="$withval"
-
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  ac_compiler_gnu=yes
 else
-  cat >>confdefs.h <<_ACEOF
-#define IPSEC_ROUTING_TABLE_PRIO 220
-_ACEOF
- IPSEC_ROUTING_TABLE_PRIO="220"
-
+  $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
 
+	ac_compiler_gnu=no
 fi
 
-
-
-# Check whether --with-uid was given.
-if test "${with_uid+set}" = set; then
-  withval=$with_uid; { { echo "$as_me:$LINENO: error: --with-uid is gone, use --with-user instead!" >&5
-echo "$as_me: error: --with-uid is gone, use --with-user instead!" >&2;}
-   { (exit 1); exit 1; }; }
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+ac_cv_c_compiler_gnu=$ac_compiler_gnu
 
 fi
-
-
-
-# Check whether --with-gid was given.
-if test "${with_gid+set}" = set; then
-  withval=$with_gid; { { echo "$as_me:$LINENO: error: --with-gid is gone, use --with-group instead!" >&5
-echo "$as_me: error: --with-gid is gone, use --with-group instead!" >&2;}
-   { (exit 1); exit 1; }; }
-
+{ $as_echo "$as_me:$LINENO: result: $ac_cv_c_compiler_gnu" >&5
+$as_echo "$ac_cv_c_compiler_gnu" >&6; }
+if test $ac_compiler_gnu = yes; then
+  GCC=yes
+else
+  GCC=
 fi
+ac_test_CFLAGS=${CFLAGS+set}
+ac_save_CFLAGS=$CFLAGS
+{ $as_echo "$as_me:$LINENO: checking whether $CC accepts -g" >&5
+$as_echo_n "checking whether $CC accepts -g... " >&6; }
+if test "${ac_cv_prog_cc_g+set}" = set; then
+  $as_echo_n "(cached) " >&6
+else
+  ac_save_c_werror_flag=$ac_c_werror_flag
+   ac_c_werror_flag=yes
+   ac_cv_prog_cc_g=no
+   CFLAGS="-g"
+   cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
 
+int
+main ()
+{
 
-
-# Check whether --with-user was given.
-if test "${with_user+set}" = set; then
-  withval=$with_user; cat >>confdefs.h <<_ACEOF
-#define IPSEC_USER "$withval"
+  ;
+  return 0;
+}
 _ACEOF
- ipsecuser="$withval"
-
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  ac_cv_prog_cc_g=yes
 else
-  ipsecuser="root"
+  $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	CFLAGS=""
+      cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
 
+int
+main ()
+{
 
-fi
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  :
+else
+  $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
 
+	ac_c_werror_flag=$ac_save_c_werror_flag
+	 CFLAGS="-g"
+	 cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
 
+int
+main ()
+{
 
-# Check whether --with-group was given.
-if test "${with_group+set}" = set; then
-  withval=$with_group; cat >>confdefs.h <<_ACEOF
-#define IPSEC_GROUP "$withval"
+  ;
+  return 0;
+}
 _ACEOF
- ipsecgroup="$withval"
-
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  ac_cv_prog_cc_g=yes
 else
-  ipsecgroup="root"
+  $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
 
 
 fi
 
-
-
-# Check whether --with-capabilities was given.
-if test "${with_capabilities+set}" = set; then
-  withval=$with_capabilities; capabilities="$withval"
-else
-  capabilities=no
-
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
 
-
-# Check whether --enable-curl was given.
-if test "${enable_curl+set}" = set; then
-  enableval=$enable_curl; if test x$enableval = xyes; then
-		curl=true
-	fi
-
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
 
-
-# Check whether --enable-ldap was given.
-if test "${enable_ldap+set}" = set; then
-  enableval=$enable_ldap; if test x$enableval = xyes; then
-		ldap=true
-	fi
-
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+   ac_c_werror_flag=$ac_save_c_werror_flag
 fi
-
-
-# Check whether --enable-aes was given.
-if test "${enable_aes+set}" = set; then
-  enableval=$enable_aes; if test x$enableval = xyes; then
-		aes=true
-	 else
-		aes=false
-	fi
+{ $as_echo "$as_me:$LINENO: result: $ac_cv_prog_cc_g" >&5
+$as_echo "$ac_cv_prog_cc_g" >&6; }
+if test "$ac_test_CFLAGS" = set; then
+  CFLAGS=$ac_save_CFLAGS
+elif test $ac_cv_prog_cc_g = yes; then
+  if test "$GCC" = yes; then
+    CFLAGS="-g -O2"
+  else
+    CFLAGS="-g"
+  fi
 else
-  aes=true
-
+  if test "$GCC" = yes; then
+    CFLAGS="-O2"
+  else
+    CFLAGS=
+  fi
 fi
+{ $as_echo "$as_me:$LINENO: checking for $CC option to accept ISO C89" >&5
+$as_echo_n "checking for $CC option to accept ISO C89... " >&6; }
+if test "${ac_cv_prog_cc_c89+set}" = set; then
+  $as_echo_n "(cached) " >&6
+else
+  ac_cv_prog_cc_c89=no
+ac_save_CC=$CC
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+#include <stdarg.h>
+#include <stdio.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+/* Most of the following tests are stolen from RCS 5.7's src/conf.sh.  */
+struct buf { int x; };
+FILE * (*rcsopen) (struct buf *, struct stat *, int);
+static char *e (p, i)
+     char **p;
+     int i;
+{
+  return p[i];
+}
+static char *f (char * (*g) (char **, int), char **p, ...)
+{
+  char *s;
+  va_list v;
+  va_start (v,p);
+  s = g (p, va_arg (v,int));
+  va_end (v);
+  return s;
+}
+
+/* OSF 4.0 Compaq cc is some sort of almost-ANSI by default.  It has
+   function prototypes and stuff, but not '\xHH' hex character constants.
+   These don't provoke an error unfortunately, instead are silently treated
+   as 'x'.  The following induces an error, until -std is added to get
+   proper ANSI mode.  Curiously '\x00'!='x' always comes out true, for an
+   array size at least.  It's necessary to write '\x00'==0 to get something
+   that's true only with -std.  */
+int osf4_cc_array ['\x00' == 0 ? 1 : -1];
 
+/* IBM C 6 for AIX is almost-ANSI by default, but it replaces macro parameters
+   inside strings and character constants.  */
+#define FOO(x) 'x'
+int xlc6_cc_array[FOO(a) == 'x' ? 1 : -1];
 
-# Check whether --enable-des was given.
-if test "${enable_des+set}" = set; then
-  enableval=$enable_des; if test x$enableval = xyes; then
-		des=true
-	 else
-		des=false
-	fi
+int test (int i, double x);
+struct s1 {int (*f) (int a);};
+struct s2 {int (*f) (double a);};
+int pairnames (int, char **, FILE *(*)(struct buf *, struct stat *, int), int, int);
+int argc;
+char **argv;
+int
+main ()
+{
+return f (e, argv, 0) != argv[0]  ||  f (e, argv, 1) != argv[1];
+  ;
+  return 0;
+}
+_ACEOF
+for ac_arg in '' -qlanglvl=extc89 -qlanglvl=ansi -std \
+	-Ae "-Aa -D_HPUX_SOURCE" "-Xc -D__EXTENSIONS__"
+do
+  CC="$ac_save_CC $ac_arg"
+  rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  ac_cv_prog_cc_c89=$ac_arg
 else
-  des=true
+  $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
 
-fi
 
+fi
 
-# Check whether --enable-md4 was given.
-if test "${enable_md4+set}" = set; then
-  enableval=$enable_md4; if test x$enableval = xyes; then
-		md4=true
-	fi
+rm -f core conftest.err conftest.$ac_objext
+  test "x$ac_cv_prog_cc_c89" != "xno" && break
+done
+rm -f conftest.$ac_ext
+CC=$ac_save_CC
 
 fi
+# AC_CACHE_VAL
+case "x$ac_cv_prog_cc_c89" in
+  x)
+    { $as_echo "$as_me:$LINENO: result: none needed" >&5
+$as_echo "none needed" >&6; } ;;
+  xno)
+    { $as_echo "$as_me:$LINENO: result: unsupported" >&5
+$as_echo "unsupported" >&6; } ;;
+  *)
+    CC="$CC $ac_cv_prog_cc_c89"
+    { $as_echo "$as_me:$LINENO: result: $ac_cv_prog_cc_c89" >&5
+$as_echo "$ac_cv_prog_cc_c89" >&6; } ;;
+esac
 
 
-# Check whether --enable-md5 was given.
-if test "${enable_md5+set}" = set; then
-  enableval=$enable_md5; if test x$enableval = xyes; then
-		md5=true
-	 else
-		md5=false
-	fi
-else
-  md5=true
-
-fi
+ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+DEPDIR="${am__leading_dot}deps"
 
+ac_config_commands="$ac_config_commands depfiles"
 
-# Check whether --enable-sha1 was given.
-if test "${enable_sha1+set}" = set; then
-  enableval=$enable_sha1; if test x$enableval = xyes; then
-		sha1=true
-	 else
-		sha1=false
-	fi
-else
-  sha1=true
 
+am_make=${MAKE-make}
+cat > confinc << 'END'
+am__doit:
+	@echo done
+.PHONY: am__doit
+END
+# If we don't find an include directive, just comment out the code.
+{ $as_echo "$as_me:$LINENO: checking for style of include used by $am_make" >&5
+$as_echo_n "checking for style of include used by $am_make... " >&6; }
+am__include="#"
+am__quote=
+_am_result=none
+# First try GNU make style include.
+echo "include confinc" > confmf
+# We grep out `Entering directory' and `Leaving directory'
+# messages which can occur if `w' ends up in MAKEFLAGS.
+# In particular we don't look at `^make:' because GNU make might
+# be invoked under some other name (usually "gmake"), in which
+# case it prints its new name instead of `make'.
+if test "`$am_make -s -f confmf 2> /dev/null | grep -v 'ing directory'`" = "done"; then
+   am__include=include
+   am__quote=
+   _am_result=GNU
+fi
+# Now try BSD make style include.
+if test "$am__include" = "#"; then
+   echo '.include "confinc"' > confmf
+   if test "`$am_make -s -f confmf 2> /dev/null`" = "done"; then
+      am__include=.include
+      am__quote="\""
+      _am_result=BSD
+   fi
 fi
 
 
-# Check whether --enable-sha2 was given.
-if test "${enable_sha2+set}" = set; then
-  enableval=$enable_sha2; if test x$enableval = xyes; then
-		sha2=true
-	 else
-		sha2=false
-	fi
-else
-  sha2=true
+{ $as_echo "$as_me:$LINENO: result: $_am_result" >&5
+$as_echo "$_am_result" >&6; }
+rm -f confinc confmf
 
+# Check whether --enable-dependency-tracking was given.
+if test "${enable_dependency_tracking+set}" = set; then
+  enableval=$enable_dependency_tracking;
 fi
 
-
-# Check whether --enable-fips-prf was given.
-if test "${enable_fips_prf+set}" = set; then
-  enableval=$enable_fips_prf; if test x$enableval = xyes; then
-		fips_prf=true
-	 else
-		fips_prf=false
-	fi
-else
-  fips_prf=true
-
+if test "x$enable_dependency_tracking" != xno; then
+  am_depcomp="$ac_aux_dir/depcomp"
+  AMDEPBACKSLASH='\'
 fi
-
-
-# Check whether --enable-gmp was given.
-if test "${enable_gmp+set}" = set; then
-  enableval=$enable_gmp; if test x$enableval = xyes; then
-		gmp=true
-	 else
-		gmp=false
-	fi
+ if test "x$enable_dependency_tracking" != xno; then
+  AMDEP_TRUE=
+  AMDEP_FALSE='#'
 else
-  gmp=true
-
+  AMDEP_TRUE='#'
+  AMDEP_FALSE=
 fi
 
 
-# Check whether --enable-random was given.
-if test "${enable_random+set}" = set; then
-  enableval=$enable_random; if test x$enableval = xyes; then
-		random=true
-	 else
-		random=false
-	fi
-else
-  random=true
-
-fi
 
+depcc="$CC"   am_compiler_list=
 
-# Check whether --enable-x509 was given.
-if test "${enable_x509+set}" = set; then
-  enableval=$enable_x509; if test x$enableval = xyes; then
-		x509=true
-	 else
-		x509=false
-	fi
+{ $as_echo "$as_me:$LINENO: checking dependency style of $depcc" >&5
+$as_echo_n "checking dependency style of $depcc... " >&6; }
+if test "${am_cv_CC_dependencies_compiler_type+set}" = set; then
+  $as_echo_n "(cached) " >&6
 else
-  x509=true
+  if test -z "$AMDEP_TRUE" && test -f "$am_depcomp"; then
+  # We make a subdir and do the tests there.  Otherwise we can end up
+  # making bogus files that we don't know about and never remove.  For
+  # instance it was reported that on HP-UX the gcc test will end up
+  # making a dummy file named `D' -- because `-MD' means `put the output
+  # in D'.
+  mkdir conftest.dir
+  # Copy depcomp to subdir because otherwise we won't find it if we're
+  # using a relative directory.
+  cp "$am_depcomp" conftest.dir
+  cd conftest.dir
+  # We will build objects and dependencies in a subdirectory because
+  # it helps to detect inapplicable dependency modes.  For instance
+  # both Tru64's cc and ICC support -MD to output dependencies as a
+  # side effect of compilation, but ICC will put the dependencies in
+  # the current directory while Tru64 will put them in the object
+  # directory.
+  mkdir sub
 
-fi
+  am_cv_CC_dependencies_compiler_type=none
+  if test "$am_compiler_list" = ""; then
+     am_compiler_list=`sed -n 's/^#*\([a-zA-Z0-9]*\))$/\1/p' < ./depcomp`
+  fi
+  for depmode in $am_compiler_list; do
+    # Setup a source with many dependencies, because some compilers
+    # like to wrap large dependency lists on column 80 (with \), and
+    # we should not choose a depcomp mode which is confused by this.
+    #
+    # We need to recreate these files for each test, as the compiler may
+    # overwrite some of them when testing with obscure command lines.
+    # This happens at least with the AIX C compiler.
+    : > sub/conftest.c
+    for i in 1 2 3 4 5 6; do
+      echo '#include "conftst'$i'.h"' >> sub/conftest.c
+      # Using `: > sub/conftst$i.h' creates only sub/conftst1.h with
+      # Solaris 8's {/usr,}/bin/sh.
+      touch sub/conftst$i.h
+    done
+    echo "${am__include} ${am__quote}sub/conftest.Po${am__quote}" > confmf
 
+    case $depmode in
+    nosideeffect)
+      # after this tag, mechanisms are not by side-effect, so they'll
+      # only be used when explicitly requested
+      if test "x$enable_dependency_tracking" = xyes; then
+	continue
+      else
+	break
+      fi
+      ;;
+    none) break ;;
+    esac
+    # We check with `-c' and `-o' for the sake of the "dashmstdout"
+    # mode.  It turns out that the SunPro C++ compiler does not properly
+    # handle `-M -o', and we need to detect this.
+    if depmode=$depmode \
+       source=sub/conftest.c object=sub/conftest.${OBJEXT-o} \
+       depfile=sub/conftest.Po tmpdepfile=sub/conftest.TPo \
+       $SHELL ./depcomp $depcc -c -o sub/conftest.${OBJEXT-o} sub/conftest.c \
+         >/dev/null 2>conftest.err &&
+       grep sub/conftst1.h sub/conftest.Po > /dev/null 2>&1 &&
+       grep sub/conftst6.h sub/conftest.Po > /dev/null 2>&1 &&
+       grep sub/conftest.${OBJEXT-o} sub/conftest.Po > /dev/null 2>&1 &&
+       ${MAKE-make} -s -f confmf > /dev/null 2>&1; then
+      # icc doesn't choke on unknown options, it will just issue warnings
+      # or remarks (even with -Werror).  So we grep stderr for any message
+      # that says an option was ignored or not supported.
+      # When given -MP, icc 7.0 and 7.1 complain thusly:
+      #   icc: Command line warning: ignoring option '-M'; no argument required
+      # The diagnosis changed in icc 8.0:
+      #   icc: Command line remark: option '-MP' not supported
+      if (grep 'ignoring option' conftest.err ||
+          grep 'not supported' conftest.err) >/dev/null 2>&1; then :; else
+        am_cv_CC_dependencies_compiler_type=$depmode
+        break
+      fi
+    fi
+  done
 
-# Check whether --enable-pubkey was given.
-if test "${enable_pubkey+set}" = set; then
-  enableval=$enable_pubkey; if test x$enableval = xyes; then
-		pubkey=true
-	 else
-		pubkey=false
-	fi
+  cd ..
+  rm -rf conftest.dir
 else
-  pubkey=true
-
+  am_cv_CC_dependencies_compiler_type=none
 fi
 
-
-# Check whether --enable-hmac was given.
-if test "${enable_hmac+set}" = set; then
-  enableval=$enable_hmac; if test x$enableval = xyes; then
-		hmac=true
-	 else
-		hmac=false
-	fi
-else
-  hmac=true
-
 fi
+{ $as_echo "$as_me:$LINENO: result: $am_cv_CC_dependencies_compiler_type" >&5
+$as_echo "$am_cv_CC_dependencies_compiler_type" >&6; }
+CCDEPMODE=depmode=$am_cv_CC_dependencies_compiler_type
 
-
-# Check whether --enable-xcbc was given.
-if test "${enable_xcbc+set}" = set; then
-  enableval=$enable_xcbc; if test x$enableval = xyes; then
-		xcbc=true
-	 else
-		xcbc=false
-	fi
+ if
+  test "x$enable_dependency_tracking" != xno \
+  && test "$am_cv_CC_dependencies_compiler_type" = gcc3; then
+  am__fastdepCC_TRUE=
+  am__fastdepCC_FALSE='#'
 else
-  xcbc=true
-
-fi
-
-
-# Check whether --enable-mysql was given.
-if test "${enable_mysql+set}" = set; then
-  enableval=$enable_mysql; if test x$enableval = xyes; then
-		mysql=true
-	fi
-
+  am__fastdepCC_TRUE='#'
+  am__fastdepCC_FALSE=
 fi
 
 
-# Check whether --enable-sqlite was given.
-if test "${enable_sqlite+set}" = set; then
-  enableval=$enable_sqlite; if test x$enableval = xyes; then
-		sqlite=true
-	fi
 
+ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+{ $as_echo "$as_me:$LINENO: checking how to run the C preprocessor" >&5
+$as_echo_n "checking how to run the C preprocessor... " >&6; }
+# On Suns, sometimes $CPP names a directory.
+if test -n "$CPP" && test -d "$CPP"; then
+  CPP=
 fi
-
-
-# Check whether --enable-stroke was given.
-if test "${enable_stroke+set}" = set; then
-  enableval=$enable_stroke; if test x$enableval = xyes; then
-		stroke=true
-	 else
-		stroke=false
-	fi
+if test -z "$CPP"; then
+  if test "${ac_cv_prog_CPP+set}" = set; then
+  $as_echo_n "(cached) " >&6
+else
+      # Double quotes because CPP needs to be expanded
+    for CPP in "$CC -E" "$CC -E -traditional-cpp" "/lib/cpp"
+    do
+      ac_preproc_ok=false
+for ac_c_preproc_warn_flag in '' yes
+do
+  # Use a header file that comes with gcc, so configuring glibc
+  # with a fresh cross-compiler works.
+  # Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+  # <limits.h> exists even on freestanding compilers.
+  # On the NeXT, cc -E runs the code through the compiler's parser,
+  # not just through cpp. "Syntax error" is here to catch this case.
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+		     Syntax error
+_ACEOF
+if { (ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } >/dev/null && {
+	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       }; then
+  :
 else
-  stroke=true
-
-fi
-
-
-# Check whether --enable-medsrv was given.
-if test "${enable_medsrv+set}" = set; then
-  enableval=$enable_medsrv; if test x$enableval = xyes; then
-		medsrv=true
-	fi
-
-fi
-
-
-# Check whether --enable-medcli was given.
-if test "${enable_medcli+set}" = set; then
-  enableval=$enable_medcli; if test x$enableval = xyes; then
-		medcli=true
-	fi
-
-fi
-
-
-# Check whether --enable-smp was given.
-if test "${enable_smp+set}" = set; then
-  enableval=$enable_smp; if test x$enableval = xyes; then
-		smp=true
-	fi
+  $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
 
+  # Broken: fails on valid input.
+continue
 fi
 
+rm -f conftest.err conftest.$ac_ext
 
-# Check whether --enable-sql was given.
-if test "${enable_sql+set}" = set; then
-  enableval=$enable_sql; if test x$enableval = xyes; then
-		sql=true
-	fi
+  # OK, works on sane cases.  Now check whether nonexistent headers
+  # can be detected and how.
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+#include <ac_nonexistent.h>
+_ACEOF
+if { (ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } >/dev/null && {
+	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       }; then
+  # Broken: success on invalid input.
+continue
+else
+  $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
 
+  # Passes both tests.
+ac_preproc_ok=:
+break
 fi
 
+rm -f conftest.err conftest.$ac_ext
 
-# Check whether --enable-smartcard was given.
-if test "${enable_smartcard+set}" = set; then
-  enableval=$enable_smartcard; if test x$enableval = xyes; then
-		smartcard=true
-	fi
-
+done
+# Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped.
+rm -f conftest.err conftest.$ac_ext
+if $ac_preproc_ok; then
+  break
 fi
 
-
-# Check whether --enable-cisco-quirks was given.
-if test "${enable_cisco_quirks+set}" = set; then
-  enableval=$enable_cisco_quirks; if test x$enableval = xyes; then
-		cisco_quirks=true
-	fi
+    done
+    ac_cv_prog_CPP=$CPP
 
 fi
-
-
-# Check whether --enable-leak-detective was given.
-if test "${enable_leak_detective+set}" = set; then
-  enableval=$enable_leak_detective; if test x$enableval = xyes; then
-		leak_detective=true
-	fi
-
+  CPP=$ac_cv_prog_CPP
+else
+  ac_cv_prog_CPP=$CPP
 fi
+{ $as_echo "$as_me:$LINENO: result: $CPP" >&5
+$as_echo "$CPP" >&6; }
+ac_preproc_ok=false
+for ac_c_preproc_warn_flag in '' yes
+do
+  # Use a header file that comes with gcc, so configuring glibc
+  # with a fresh cross-compiler works.
+  # Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+  # <limits.h> exists even on freestanding compilers.
+  # On the NeXT, cc -E runs the code through the compiler's parser,
+  # not just through cpp. "Syntax error" is here to catch this case.
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+		     Syntax error
+_ACEOF
+if { (ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } >/dev/null && {
+	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       }; then
+  :
+else
+  $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
 
-
-# Check whether --enable-lock-profiler was given.
-if test "${enable_lock_profiler+set}" = set; then
-  enableval=$enable_lock_profiler; if test x$enableval = xyes; then
-		lock_profiler=true
-	fi
-
+  # Broken: fails on valid input.
+continue
 fi
 
+rm -f conftest.err conftest.$ac_ext
 
-# Check whether --enable-unit-tests was given.
-if test "${enable_unit_tests+set}" = set; then
-  enableval=$enable_unit_tests; if test x$enableval = xyes; then
-		unittest=true
-	fi
+  # OK, works on sane cases.  Now check whether nonexistent headers
+  # can be detected and how.
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+#include <ac_nonexistent.h>
+_ACEOF
+if { (ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } >/dev/null && {
+	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       }; then
+  # Broken: success on invalid input.
+continue
+else
+  $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
 
+  # Passes both tests.
+ac_preproc_ok=:
+break
 fi
 
+rm -f conftest.err conftest.$ac_ext
 
-# Check whether --enable-load-tests was given.
-if test "${enable_load_tests+set}" = set; then
-  enableval=$enable_load_tests; if test x$enableval = xyes; then
-		loadtest=true
-	fi
-
+done
+# Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped.
+rm -f conftest.err conftest.$ac_ext
+if $ac_preproc_ok; then
+  :
+else
+  { { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+{ { $as_echo "$as_me:$LINENO: error: C preprocessor \"$CPP\" fails sanity check
+See \`config.log' for more details." >&5
+$as_echo "$as_me: error: C preprocessor \"$CPP\" fails sanity check
+See \`config.log' for more details." >&2;}
+   { (exit 1); exit 1; }; }; }
 fi
 
-
-# Check whether --enable-eap-sim was given.
-if test "${enable_eap_sim+set}" = set; then
-  enableval=$enable_eap_sim; if test x$enableval = xyes; then
-		eap_sim=true
-	fi
-
-fi
+ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
 
 
-# Check whether --enable-eap-sim-file was given.
-if test "${enable_eap_sim_file+set}" = set; then
-  enableval=$enable_eap_sim_file; if test x$enableval = xyes; then
-		eap_sim_file=true
-	fi
+{ $as_echo "$as_me:$LINENO: checking for grep that handles long lines and -e" >&5
+$as_echo_n "checking for grep that handles long lines and -e... " >&6; }
+if test "${ac_cv_path_GREP+set}" = set; then
+  $as_echo_n "(cached) " >&6
+else
+  if test -z "$GREP"; then
+  ac_path_GREP_found=false
+  # Loop through the user's path and test for each of PROGNAME-LIST
+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH$PATH_SEPARATOR/usr/xpg4/bin
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+  for ac_prog in grep ggrep; do
+    for ac_exec_ext in '' $ac_executable_extensions; do
+      ac_path_GREP="$as_dir/$ac_prog$ac_exec_ext"
+      { test -f "$ac_path_GREP" && $as_test_x "$ac_path_GREP"; } || continue
+# Check for GNU ac_path_GREP and select it if it is found.
+  # Check for GNU $ac_path_GREP
+case `"$ac_path_GREP" --version 2>&1` in
+*GNU*)
+  ac_cv_path_GREP="$ac_path_GREP" ac_path_GREP_found=:;;
+*)
+  ac_count=0
+  $as_echo_n 0123456789 >"conftest.in"
+  while :
+  do
+    cat "conftest.in" "conftest.in" >"conftest.tmp"
+    mv "conftest.tmp" "conftest.in"
+    cp "conftest.in" "conftest.nl"
+    $as_echo 'GREP' >> "conftest.nl"
+    "$ac_path_GREP" -e 'GREP$' -e '-(cannot match)-' < "conftest.nl" >"conftest.out" 2>/dev/null || break
+    diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break
+    ac_count=`expr $ac_count + 1`
+    if test $ac_count -gt ${ac_path_GREP_max-0}; then
+      # Best one so far, save it but keep looking for a better one
+      ac_cv_path_GREP="$ac_path_GREP"
+      ac_path_GREP_max=$ac_count
+    fi
+    # 10*(2^10) chars as input seems more than enough
+    test $ac_count -gt 10 && break
+  done
+  rm -f conftest.in conftest.tmp conftest.nl conftest.out;;
+esac
 
+      $ac_path_GREP_found && break 3
+    done
+  done
+done
+IFS=$as_save_IFS
+  if test -z "$ac_cv_path_GREP"; then
+    { { $as_echo "$as_me:$LINENO: error: no acceptable grep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" >&5
+$as_echo "$as_me: error: no acceptable grep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" >&2;}
+   { (exit 1); exit 1; }; }
+  fi
+else
+  ac_cv_path_GREP=$GREP
 fi
 
-
-# Check whether --enable-eap-identity was given.
-if test "${enable_eap_identity+set}" = set; then
-  enableval=$enable_eap_identity; if test x$enableval = xyes; then
-		eap_identity=true
-	fi
-
 fi
+{ $as_echo "$as_me:$LINENO: result: $ac_cv_path_GREP" >&5
+$as_echo "$ac_cv_path_GREP" >&6; }
+ GREP="$ac_cv_path_GREP"
 
 
-# Check whether --enable-eap-md5 was given.
-if test "${enable_eap_md5+set}" = set; then
-  enableval=$enable_eap_md5; if test x$enableval = xyes; then
-		eap_md5=true
-	fi
+{ $as_echo "$as_me:$LINENO: checking for egrep" >&5
+$as_echo_n "checking for egrep... " >&6; }
+if test "${ac_cv_path_EGREP+set}" = set; then
+  $as_echo_n "(cached) " >&6
+else
+  if echo a | $GREP -E '(a|b)' >/dev/null 2>&1
+   then ac_cv_path_EGREP="$GREP -E"
+   else
+     if test -z "$EGREP"; then
+  ac_path_EGREP_found=false
+  # Loop through the user's path and test for each of PROGNAME-LIST
+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH$PATH_SEPARATOR/usr/xpg4/bin
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+  for ac_prog in egrep; do
+    for ac_exec_ext in '' $ac_executable_extensions; do
+      ac_path_EGREP="$as_dir/$ac_prog$ac_exec_ext"
+      { test -f "$ac_path_EGREP" && $as_test_x "$ac_path_EGREP"; } || continue
+# Check for GNU ac_path_EGREP and select it if it is found.
+  # Check for GNU $ac_path_EGREP
+case `"$ac_path_EGREP" --version 2>&1` in
+*GNU*)
+  ac_cv_path_EGREP="$ac_path_EGREP" ac_path_EGREP_found=:;;
+*)
+  ac_count=0
+  $as_echo_n 0123456789 >"conftest.in"
+  while :
+  do
+    cat "conftest.in" "conftest.in" >"conftest.tmp"
+    mv "conftest.tmp" "conftest.in"
+    cp "conftest.in" "conftest.nl"
+    $as_echo 'EGREP' >> "conftest.nl"
+    "$ac_path_EGREP" 'EGREP$' < "conftest.nl" >"conftest.out" 2>/dev/null || break
+    diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break
+    ac_count=`expr $ac_count + 1`
+    if test $ac_count -gt ${ac_path_EGREP_max-0}; then
+      # Best one so far, save it but keep looking for a better one
+      ac_cv_path_EGREP="$ac_path_EGREP"
+      ac_path_EGREP_max=$ac_count
+    fi
+    # 10*(2^10) chars as input seems more than enough
+    test $ac_count -gt 10 && break
+  done
+  rm -f conftest.in conftest.tmp conftest.nl conftest.out;;
+esac
 
+      $ac_path_EGREP_found && break 3
+    done
+  done
+done
+IFS=$as_save_IFS
+  if test -z "$ac_cv_path_EGREP"; then
+    { { $as_echo "$as_me:$LINENO: error: no acceptable egrep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" >&5
+$as_echo "$as_me: error: no acceptable egrep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" >&2;}
+   { (exit 1); exit 1; }; }
+  fi
+else
+  ac_cv_path_EGREP=$EGREP
 fi
 
+   fi
+fi
+{ $as_echo "$as_me:$LINENO: result: $ac_cv_path_EGREP" >&5
+$as_echo "$ac_cv_path_EGREP" >&6; }
+ EGREP="$ac_cv_path_EGREP"
 
-# Check whether --enable-eap-gtc was given.
-if test "${enable_eap_gtc+set}" = set; then
-  enableval=$enable_eap_gtc; if test x$enableval = xyes; then
-		eap_gtc=true
-	fi
 
-fi
+{ $as_echo "$as_me:$LINENO: checking for ANSI C header files" >&5
+$as_echo_n "checking for ANSI C header files... " >&6; }
+if test "${ac_cv_header_stdc+set}" = set; then
+  $as_echo_n "(cached) " >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+#include <stdlib.h>
+#include <stdarg.h>
+#include <string.h>
+#include <float.h>
 
+int
+main ()
+{
 
-# Check whether --enable-eap-aka was given.
-if test "${enable_eap_aka+set}" = set; then
-  enableval=$enable_eap_aka; if test x$enableval = xyes; then
-		eap_aka=true
-	fi
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  ac_cv_header_stdc=yes
+else
+  $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
 
+	ac_cv_header_stdc=no
 fi
 
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 
-# Check whether --enable-eap-mschapv2 was given.
-if test "${enable_eap_mschapv2+set}" = set; then
-  enableval=$enable_eap_mschapv2; if test x$enableval = xyes; then
-		eap_mschapv2=true
-	fi
+if test $ac_cv_header_stdc = yes; then
+  # SunOS 4.x string.h does not declare mem*, contrary to ANSI.
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+#include <string.h>
 
+_ACEOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  $EGREP "memchr" >/dev/null 2>&1; then
+  :
+else
+  ac_cv_header_stdc=no
 fi
-
-
-# Check whether --enable-eap-radius was given.
-if test "${enable_eap_radius+set}" = set; then
-  enableval=$enable_eap_radius; if test x$enableval = xyes; then
-		eap_radius=true
-	fi
+rm -f conftest*
 
 fi
 
+if test $ac_cv_header_stdc = yes; then
+  # ISC 2.0.2 stdlib.h does not declare free, contrary to ANSI.
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+#include <stdlib.h>
 
-# Check whether --enable-kernel-netlink was given.
-if test "${enable_kernel_netlink+set}" = set; then
-  enableval=$enable_kernel_netlink; if test x$enableval = xyes; then
-		kernel_netlink=true
-	 else
-		kernel_netlink=false
-	fi
+_ACEOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  $EGREP "free" >/dev/null 2>&1; then
+  :
 else
-  kernel_netlink=true
+  ac_cv_header_stdc=no
+fi
+rm -f conftest*
 
 fi
 
+if test $ac_cv_header_stdc = yes; then
+  # /bin/cc in Irix-4.0.5 gets non-ANSI ctype macros unless using -ansi.
+  if test "$cross_compiling" = yes; then
+  :
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+#include <ctype.h>
+#include <stdlib.h>
+#if ((' ' & 0x0FF) == 0x020)
+# define ISLOWER(c) ('a' <= (c) && (c) <= 'z')
+# define TOUPPER(c) (ISLOWER(c) ? 'A' + ((c) - 'a') : (c))
+#else
+# define ISLOWER(c) \
+		   (('a' <= (c) && (c) <= 'i') \
+		     || ('j' <= (c) && (c) <= 'r') \
+		     || ('s' <= (c) && (c) <= 'z'))
+# define TOUPPER(c) (ISLOWER(c) ? ((c) | 0x40) : (c))
+#endif
 
-# Check whether --enable-kernel-pfkey was given.
-if test "${enable_kernel_pfkey+set}" = set; then
-  enableval=$enable_kernel_pfkey; if test x$enableval = xyes; then
-		kernel_pfkey=true
-	fi
+#define XOR(e, f) (((e) && !(f)) || (!(e) && (f)))
+int
+main ()
+{
+  int i;
+  for (i = 0; i < 256; i++)
+    if (XOR (islower (i), ISLOWER (i))
+	|| toupper (i) != TOUPPER (i))
+      return 2;
+  return 0;
+}
+_ACEOF
+rm -f conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+  (eval "$ac_link") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
+  { (case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+  (eval "$ac_try") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; }; then
+  :
+else
+  $as_echo "$as_me: program exited with status $ac_status" >&5
+$as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
 
+( exit $ac_status )
+ac_cv_header_stdc=no
+fi
+rm -rf conftest.dSYM
+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
 fi
 
 
-# Check whether --enable-kernel-klips was given.
-if test "${enable_kernel_klips+set}" = set; then
-  enableval=$enable_kernel_klips; if test x$enableval = xyes; then
-		kernel_klips=true
-	fi
-
 fi
+fi
+{ $as_echo "$as_me:$LINENO: result: $ac_cv_header_stdc" >&5
+$as_echo "$ac_cv_header_stdc" >&6; }
+if test $ac_cv_header_stdc = yes; then
 
-
-# Check whether --enable-nat-transport was given.
-if test "${enable_nat_transport+set}" = set; then
-  enableval=$enable_nat_transport; if test x$enableval = xyes; then
-		nat_transport=true
-	fi
+cat >>confdefs.h <<\_ACEOF
+#define STDC_HEADERS 1
+_ACEOF
 
 fi
 
+# On IRIX 5.3, sys/types and inttypes.h are conflicting.
+
 
-# Check whether --enable-vendor-id was given.
-if test "${enable_vendor_id+set}" = set; then
-  enableval=$enable_vendor_id; if test x$enableval = xyes; then
-		vendor_id=true
-	 else
-		vendor_id=false
-	fi
-else
-  vendor_id=true
 
-fi
 
 
-# Check whether --enable-xauth-vid was given.
-if test "${enable_xauth_vid+set}" = set; then
-  enableval=$enable_xauth_vid; if test x$enableval = xyes; then
-		xauth_vid=true
-	 else
-		xauth_vid=false
-	fi
-else
-  xauth_vid=true
 
-fi
 
 
-# Check whether --enable-dumm was given.
-if test "${enable_dumm+set}" = set; then
-  enableval=$enable_dumm; if test x$enableval = xyes; then
-		dumm=true
-	fi
 
-fi
+for ac_header in sys/types.h sys/stat.h stdlib.h string.h memory.h strings.h \
+		  inttypes.h stdint.h unistd.h
+do
+as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
+{ $as_echo "$as_me:$LINENO: checking for $ac_header" >&5
+$as_echo_n "checking for $ac_header... " >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+  $as_echo_n "(cached) " >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+$ac_includes_default
 
+#include <$ac_header>
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  eval "$as_ac_Header=yes"
+else
+  $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
 
-# Check whether --enable-fast was given.
-if test "${enable_fast+set}" = set; then
-  enableval=$enable_fast; if test x$enableval = xyes; then
-		fast=true
-	fi
+	eval "$as_ac_Header=no"
+fi
 
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
+ac_res=`eval 'as_val=${'$as_ac_Header'}
+		 $as_echo "$as_val"'`
+	       { $as_echo "$as_me:$LINENO: result: $ac_res" >&5
+$as_echo "$ac_res" >&6; }
+as_val=`eval 'as_val=${'$as_ac_Header'}
+		 $as_echo "$as_val"'`
+   if test "x$as_val" = x""yes; then
+  cat >>confdefs.h <<_ACEOF
+#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1
+_ACEOF
 
+fi
 
-# Check whether --enable-manager was given.
-if test "${enable_manager+set}" = set; then
-  enableval=$enable_manager; if test x$enableval = xyes; then
-		manager=true
-		xml=true
-	fi
+done
 
-fi
 
 
-# Check whether --enable-mediation was given.
-if test "${enable_mediation+set}" = set; then
-  enableval=$enable_mediation; if test x$enableval = xyes; then
-		me=true
-	fi
+ { $as_echo "$as_me:$LINENO: checking whether byte ordering is bigendian" >&5
+$as_echo_n "checking whether byte ordering is bigendian... " >&6; }
+if test "${ac_cv_c_bigendian+set}" = set; then
+  $as_echo_n "(cached) " >&6
+else
+  ac_cv_c_bigendian=unknown
+    # See if we're dealing with a universal compiler.
+    cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+#ifndef __APPLE_CC__
+	       not a universal capable compiler
+	     #endif
+	     typedef int dummy;
 
-fi
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
 
+	# Check for potential -arch flags.  It is not universal unless
+	# there are some -arch flags.  Note that *ppc* also matches
+	# ppc64.  This check is also rather less than ideal.
+	case "${CC} ${CFLAGS} ${CPPFLAGS} ${LDFLAGS}" in  #(
+	  *-arch*ppc*|*-arch*i386*|*-arch*x86_64*) ac_cv_c_bigendian=universal;;
+	esac
+else
+  $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
 
-# Check whether --enable-integrity-test was given.
-if test "${enable_integrity_test+set}" = set; then
-  enableval=$enable_integrity_test; if test x$enableval = xyes; then
-		integrity_test=true
-	fi
 
 fi
 
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+    if test $ac_cv_c_bigendian = unknown; then
+      # See if sys/param.h defines the BYTE_ORDER macro.
+      cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+#include <sys/types.h>
+	     #include <sys/param.h>
 
-# Check whether --enable-self-test was given.
-if test "${enable_self_test+set}" = set; then
-  enableval=$enable_self_test; if test x$enableval = xyes; then
-		self_test=true
-	 else
-		self_test=false
-	fi
-else
-  self_test=true
+int
+main ()
+{
+#if ! (defined BYTE_ORDER && defined BIG_ENDIAN \
+		     && defined LITTLE_ENDIAN && BYTE_ORDER && BIG_ENDIAN \
+		     && LITTLE_ENDIAN)
+	      bogus endian macros
+	     #endif
 
-fi
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  # It does; now see whether it defined to BIG_ENDIAN or not.
+	 cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+#include <sys/types.h>
+		#include <sys/param.h>
 
+int
+main ()
+{
+#if BYTE_ORDER != BIG_ENDIAN
+		 not big endian
+		#endif
 
-# Check whether --enable-pluto was given.
-if test "${enable_pluto+set}" = set; then
-  enableval=$enable_pluto; if test x$enableval = xyes; then
-		pluto=true
-	 else
-		pluto=false
-	fi
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  ac_cv_c_bigendian=yes
 else
-  pluto=true
+  $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
 
+	ac_cv_c_bigendian=no
 fi
 
-
-# Check whether --enable-threads was given.
-if test "${enable_threads+set}" = set; then
-  enableval=$enable_threads; if test x$enableval = xyes; then
-		threads=true
-	 else
-		threads=false
-	fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 else
-  threads=true
+  $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
 
 fi
 
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+    fi
+    if test $ac_cv_c_bigendian = unknown; then
+      # See if <limits.h> defines _LITTLE_ENDIAN or _BIG_ENDIAN (e.g., Solaris).
+      cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+#include <limits.h>
 
-# Check whether --enable-charon was given.
-if test "${enable_charon+set}" = set; then
-  enableval=$enable_charon; if test x$enableval = xyes; then
-		charon=true
-	 else
-		charon=false
-	fi
+int
+main ()
+{
+#if ! (defined _LITTLE_ENDIAN || defined _BIG_ENDIAN)
+	      bogus endian macros
+	     #endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  # It does; now see whether it defined to _BIG_ENDIAN or not.
+	 cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+#include <limits.h>
+
+int
+main ()
+{
+#ifndef _BIG_ENDIAN
+		 not big endian
+		#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  ac_cv_c_bigendian=yes
 else
-  charon=true
+  $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
 
+	ac_cv_c_bigendian=no
 fi
 
-
-# Check whether --enable-tools was given.
-if test "${enable_tools+set}" = set; then
-  enableval=$enable_tools; if test x$enableval = xyes; then
-		tools=true
-	 else
-		tools=false
-	fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 else
-  tools=true
+  $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
 
 fi
 
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+    fi
+    if test $ac_cv_c_bigendian = unknown; then
+      # Compile a test program.
+      if test "$cross_compiling" = yes; then
+  # Try to guess by grepping values from an object file.
+	 cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+short int ascii_mm[] =
+		  { 0x4249, 0x4765, 0x6E44, 0x6961, 0x6E53, 0x7953, 0 };
+		short int ascii_ii[] =
+		  { 0x694C, 0x5454, 0x656C, 0x6E45, 0x6944, 0x6E61, 0 };
+		int use_ascii (int i) {
+		  return ascii_mm[i] + ascii_ii[i];
+		}
+		short int ebcdic_ii[] =
+		  { 0x89D3, 0xE3E3, 0x8593, 0x95C5, 0x89C4, 0x9581, 0 };
+		short int ebcdic_mm[] =
+		  { 0xC2C9, 0xC785, 0x95C4, 0x8981, 0x95E2, 0xA8E2, 0 };
+		int use_ebcdic (int i) {
+		  return ebcdic_mm[i] + ebcdic_ii[i];
+		}
+		extern int foo;
 
-# Check whether --enable-updown was given.
-if test "${enable_updown+set}" = set; then
-  enableval=$enable_updown; if test x$enableval = xyes; then
-		updown=true
-	 else
-		updown=false
-	fi
+int
+main ()
+{
+return use_ascii (foo) == use_ebcdic (foo);
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  if grep BIGenDianSyS conftest.$ac_objext >/dev/null; then
+	      ac_cv_c_bigendian=yes
+	    fi
+	    if grep LiTTleEnDian conftest.$ac_objext >/dev/null ; then
+	      if test "$ac_cv_c_bigendian" = unknown; then
+		ac_cv_c_bigendian=no
+	      else
+		# finding both strings is unlikely to happen, but who knows?
+		ac_cv_c_bigendian=unknown
+	      fi
+	    fi
 else
-  updown=true
-
-fi
+  $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
 
 
-# Check whether --enable-padlock was given.
-if test "${enable_padlock+set}" = set; then
-  enableval=$enable_padlock; if test x$enableval = xyes; then
-		padlock=true
-	 else
-		padlock=false
-	fi
 fi
 
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+$ac_includes_default
+int
+main ()
+{
 
-# Check whether --enable-openssl was given.
-if test "${enable_openssl+set}" = set; then
-  enableval=$enable_openssl; if test x$enableval = xyes; then
-		openssl=true
-	 else
-		openssl=false
-	fi
-fi
+	     /* Are we little or big endian?  From Harbison&Steele.  */
+	     union
+	     {
+	       long int l;
+	       char c[sizeof (long int)];
+	     } u;
+	     u.l = 1;
+	     return u.c[sizeof (long int) - 1] == 1;
 
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+  (eval "$ac_link") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
+  { (case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+  (eval "$ac_try") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; }; then
+  ac_cv_c_bigendian=no
+else
+  $as_echo "$as_me: program exited with status $ac_status" >&5
+$as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
 
-# Check whether --enable-agent was given.
-if test "${enable_agent+set}" = set; then
-  enableval=$enable_agent; if test x$enableval = xyes; then
-		agent=true
-	 else
-		agent=false
-	fi
+( exit $ac_status )
+ac_cv_c_bigendian=yes
+fi
+rm -rf conftest.dSYM
+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
 fi
 
 
-# Check whether --enable-uci was given.
-if test "${enable_uci+set}" = set; then
-  enableval=$enable_uci; if test x$enableval = xyes; then
-		uci=true
-	fi
-
+    fi
 fi
+{ $as_echo "$as_me:$LINENO: result: $ac_cv_c_bigendian" >&5
+$as_echo "$ac_cv_c_bigendian" >&6; }
+ case $ac_cv_c_bigendian in #(
+   yes)
+     cat >>confdefs.h <<\_ACEOF
+#define WORDS_BIGENDIAN 1
+_ACEOF
+;; #(
+   no)
+      ;; #(
+   universal)
 
+cat >>confdefs.h <<\_ACEOF
+#define AC_APPLE_UNIVERSAL_BUILD 1
+_ACEOF
 
-# Check whether --enable-nm was given.
-if test "${enable_nm+set}" = set; then
-  enableval=$enable_nm; if test x$enableval = xyes; then
-		nm=true
-	fi
-
-fi
+     ;; #(
+   *)
+     { { $as_echo "$as_me:$LINENO: error: unknown endianness
+ presetting ac_cv_c_bigendian=no (or yes) will help" >&5
+$as_echo "$as_me: error: unknown endianness
+ presetting ac_cv_c_bigendian=no (or yes) will help" >&2;}
+   { (exit 1); exit 1; }; } ;;
+ esac
 
 
 
@@ -5746,11 +6198,12 @@ fi
 # SVR4 /usr/ucb/install, which tries to use the nonexistent group "staff"
 # OS/2's system install, which has a completely different semantic
 # ./install, which can be erroneously created by make from ./install.sh.
-{ echo "$as_me:$LINENO: checking for a BSD-compatible install" >&5
-echo $ECHO_N "checking for a BSD-compatible install... $ECHO_C" >&6; }
+# Reject install programs that cannot install multiple files.
+{ $as_echo "$as_me:$LINENO: checking for a BSD-compatible install" >&5
+$as_echo_n "checking for a BSD-compatible install... " >&6; }
 if test -z "$INSTALL"; then
 if test "${ac_cv_path_install+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 else
   as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
 for as_dir in $PATH
@@ -5779,17 +6232,29 @@ case $as_dir/ in
 	    # program-specific install script used by HP pwplus--don't use.
 	    :
 	  else
-	    ac_cv_path_install="$as_dir/$ac_prog$ac_exec_ext -c"
-	    break 3
+	    rm -rf conftest.one conftest.two conftest.dir
+	    echo one > conftest.one
+	    echo two > conftest.two
+	    mkdir conftest.dir
+	    if "$as_dir/$ac_prog$ac_exec_ext" -c conftest.one conftest.two "`pwd`/conftest.dir" &&
+	      test -s conftest.one && test -s conftest.two &&
+	      test -s conftest.dir/conftest.one &&
+	      test -s conftest.dir/conftest.two
+	    then
+	      ac_cv_path_install="$as_dir/$ac_prog$ac_exec_ext -c"
+	      break 3
+	    fi
 	  fi
 	fi
       done
     done
     ;;
 esac
+
 done
 IFS=$as_save_IFS
 
+rm -rf conftest.one conftest.two conftest.dir
 
 fi
   if test "${ac_cv_path_install+set}" = set; then
@@ -5802,8 +6267,8 @@ fi
     INSTALL=$ac_install_sh
   fi
 fi
-{ echo "$as_me:$LINENO: result: $INSTALL" >&5
-echo "${ECHO_T}$INSTALL" >&6; }
+{ $as_echo "$as_me:$LINENO: result: $INSTALL" >&5
+$as_echo "$INSTALL" >&6; }
 
 # Use test -z because SunOS4 sh mishandles braces in ${var-val}.
 # It thinks the first close brace ends the variable substitution.
@@ -5815,14 +6280,14 @@ test -z "$INSTALL_DATA" && INSTALL_DATA='${INSTALL} -m 644'
 
 case `pwd` in
   *\ * | *\	*)
-    { echo "$as_me:$LINENO: WARNING: Libtool does not cope well with whitespace in \`pwd\`" >&5
-echo "$as_me: WARNING: Libtool does not cope well with whitespace in \`pwd\`" >&2;} ;;
+    { $as_echo "$as_me:$LINENO: WARNING: Libtool does not cope well with whitespace in \`pwd\`" >&5
+$as_echo "$as_me: WARNING: Libtool does not cope well with whitespace in \`pwd\`" >&2;} ;;
 esac
 
 
 
-macro_version='2.2.4'
-macro_revision='1.2976'
+macro_version='2.2.6'
+macro_revision='1.3012'
 
 
 
@@ -5840,34 +6305,34 @@ ltmain="$ac_aux_dir/ltmain.sh"
 
 # Make sure we can run config.sub.
 $SHELL "$ac_aux_dir/config.sub" sun4 >/dev/null 2>&1 ||
-  { { echo "$as_me:$LINENO: error: cannot run $SHELL $ac_aux_dir/config.sub" >&5
-echo "$as_me: error: cannot run $SHELL $ac_aux_dir/config.sub" >&2;}
+  { { $as_echo "$as_me:$LINENO: error: cannot run $SHELL $ac_aux_dir/config.sub" >&5
+$as_echo "$as_me: error: cannot run $SHELL $ac_aux_dir/config.sub" >&2;}
    { (exit 1); exit 1; }; }
 
-{ echo "$as_me:$LINENO: checking build system type" >&5
-echo $ECHO_N "checking build system type... $ECHO_C" >&6; }
+{ $as_echo "$as_me:$LINENO: checking build system type" >&5
+$as_echo_n "checking build system type... " >&6; }
 if test "${ac_cv_build+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 else
   ac_build_alias=$build_alias
 test "x$ac_build_alias" = x &&
   ac_build_alias=`$SHELL "$ac_aux_dir/config.guess"`
 test "x$ac_build_alias" = x &&
-  { { echo "$as_me:$LINENO: error: cannot guess build type; you must specify one" >&5
-echo "$as_me: error: cannot guess build type; you must specify one" >&2;}
+  { { $as_echo "$as_me:$LINENO: error: cannot guess build type; you must specify one" >&5
+$as_echo "$as_me: error: cannot guess build type; you must specify one" >&2;}
    { (exit 1); exit 1; }; }
 ac_cv_build=`$SHELL "$ac_aux_dir/config.sub" $ac_build_alias` ||
-  { { echo "$as_me:$LINENO: error: $SHELL $ac_aux_dir/config.sub $ac_build_alias failed" >&5
-echo "$as_me: error: $SHELL $ac_aux_dir/config.sub $ac_build_alias failed" >&2;}
+  { { $as_echo "$as_me:$LINENO: error: $SHELL $ac_aux_dir/config.sub $ac_build_alias failed" >&5
+$as_echo "$as_me: error: $SHELL $ac_aux_dir/config.sub $ac_build_alias failed" >&2;}
    { (exit 1); exit 1; }; }
 
 fi
-{ echo "$as_me:$LINENO: result: $ac_cv_build" >&5
-echo "${ECHO_T}$ac_cv_build" >&6; }
+{ $as_echo "$as_me:$LINENO: result: $ac_cv_build" >&5
+$as_echo "$ac_cv_build" >&6; }
 case $ac_cv_build in
 *-*-*) ;;
-*) { { echo "$as_me:$LINENO: error: invalid value of canonical build" >&5
-echo "$as_me: error: invalid value of canonical build" >&2;}
+*) { { $as_echo "$as_me:$LINENO: error: invalid value of canonical build" >&5
+$as_echo "$as_me: error: invalid value of canonical build" >&2;}
    { (exit 1); exit 1; }; };;
 esac
 build=$ac_cv_build
@@ -5884,27 +6349,27 @@ IFS=$ac_save_IFS
 case $build_os in *\ *) build_os=`echo "$build_os" | sed 's/ /-/g'`;; esac
 
 
-{ echo "$as_me:$LINENO: checking host system type" >&5
-echo $ECHO_N "checking host system type... $ECHO_C" >&6; }
+{ $as_echo "$as_me:$LINENO: checking host system type" >&5
+$as_echo_n "checking host system type... " >&6; }
 if test "${ac_cv_host+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 else
   if test "x$host_alias" = x; then
   ac_cv_host=$ac_cv_build
 else
   ac_cv_host=`$SHELL "$ac_aux_dir/config.sub" $host_alias` ||
-    { { echo "$as_me:$LINENO: error: $SHELL $ac_aux_dir/config.sub $host_alias failed" >&5
-echo "$as_me: error: $SHELL $ac_aux_dir/config.sub $host_alias failed" >&2;}
+    { { $as_echo "$as_me:$LINENO: error: $SHELL $ac_aux_dir/config.sub $host_alias failed" >&5
+$as_echo "$as_me: error: $SHELL $ac_aux_dir/config.sub $host_alias failed" >&2;}
    { (exit 1); exit 1; }; }
 fi
 
 fi
-{ echo "$as_me:$LINENO: result: $ac_cv_host" >&5
-echo "${ECHO_T}$ac_cv_host" >&6; }
+{ $as_echo "$as_me:$LINENO: result: $ac_cv_host" >&5
+$as_echo "$ac_cv_host" >&6; }
 case $ac_cv_host in
 *-*-*) ;;
-*) { { echo "$as_me:$LINENO: error: invalid value of canonical host" >&5
-echo "$as_me: error: invalid value of canonical host" >&2;}
+*) { { $as_echo "$as_me:$LINENO: error: invalid value of canonical host" >&5
+$as_echo "$as_me: error: invalid value of canonical host" >&2;}
    { (exit 1); exit 1; }; };;
 esac
 host=$ac_cv_host
@@ -5921,48 +6386,43 @@ IFS=$ac_save_IFS
 case $host_os in *\ *) host_os=`echo "$host_os" | sed 's/ /-/g'`;; esac
 
 
-{ echo "$as_me:$LINENO: checking for a sed that does not truncate output" >&5
-echo $ECHO_N "checking for a sed that does not truncate output... $ECHO_C" >&6; }
+{ $as_echo "$as_me:$LINENO: checking for a sed that does not truncate output" >&5
+$as_echo_n "checking for a sed that does not truncate output... " >&6; }
 if test "${ac_cv_path_SED+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 else
             ac_script=s/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb/
      for ac_i in 1 2 3 4 5 6 7; do
        ac_script="$ac_script$as_nl$ac_script"
      done
-     echo "$ac_script" | sed 99q >conftest.sed
+     echo "$ac_script" 2>/dev/null | sed 99q >conftest.sed
      $as_unset ac_script || ac_script=
-     # Extract the first word of "sed gsed" to use in msg output
-if test -z "$SED"; then
-set dummy sed gsed; ac_prog_name=$2
-if test "${ac_cv_path_SED+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
+     if test -z "$SED"; then
   ac_path_SED_found=false
-# Loop through the user's path and test for each of PROGNAME-LIST
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+  # Loop through the user's path and test for each of PROGNAME-LIST
+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
 for as_dir in $PATH
 do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
   for ac_prog in sed gsed; do
-  for ac_exec_ext in '' $ac_executable_extensions; do
-    ac_path_SED="$as_dir/$ac_prog$ac_exec_ext"
-    { test -f "$ac_path_SED" && $as_test_x "$ac_path_SED"; } || continue
-    # Check for GNU ac_path_SED and select it if it is found.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+      ac_path_SED="$as_dir/$ac_prog$ac_exec_ext"
+      { test -f "$ac_path_SED" && $as_test_x "$ac_path_SED"; } || continue
+# Check for GNU ac_path_SED and select it if it is found.
   # Check for GNU $ac_path_SED
 case `"$ac_path_SED" --version 2>&1` in
 *GNU*)
   ac_cv_path_SED="$ac_path_SED" ac_path_SED_found=:;;
 *)
   ac_count=0
-  echo $ECHO_N "0123456789$ECHO_C" >"conftest.in"
+  $as_echo_n 0123456789 >"conftest.in"
   while :
   do
     cat "conftest.in" "conftest.in" >"conftest.tmp"
     mv "conftest.tmp" "conftest.in"
     cp "conftest.in" "conftest.nl"
-    echo '' >> "conftest.nl"
+    $as_echo '' >> "conftest.nl"
     "$ac_path_SED" -f conftest.sed < "conftest.nl" >"conftest.out" 2>/dev/null || break
     diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break
     ac_count=`expr $ac_count + 1`
@@ -5977,31 +6437,23 @@ case `"$ac_path_SED" --version 2>&1` in
   rm -f conftest.in conftest.tmp conftest.nl conftest.out;;
 esac
 
-
-    $ac_path_SED_found && break 3
+      $ac_path_SED_found && break 3
+    done
   done
 done
-
-done
 IFS=$as_save_IFS
-
-
-fi
-
-SED="$ac_cv_path_SED"
-if test -z "$SED"; then
-  { { echo "$as_me:$LINENO: error: no acceptable $ac_prog_name could be found in \$PATH" >&5
-echo "$as_me: error: no acceptable $ac_prog_name could be found in \$PATH" >&2;}
+  if test -z "$ac_cv_path_SED"; then
+    { { $as_echo "$as_me:$LINENO: error: no acceptable sed could be found in \$PATH" >&5
+$as_echo "$as_me: error: no acceptable sed could be found in \$PATH" >&2;}
    { (exit 1); exit 1; }; }
-fi
-
+  fi
 else
   ac_cv_path_SED=$SED
 fi
 
 fi
-{ echo "$as_me:$LINENO: result: $ac_cv_path_SED" >&5
-echo "${ECHO_T}$ac_cv_path_SED" >&6; }
+{ $as_echo "$as_me:$LINENO: result: $ac_cv_path_SED" >&5
+$as_echo "$ac_cv_path_SED" >&6; }
  SED="$ac_cv_path_SED"
   rm -f conftest.sed
 
@@ -6018,45 +6470,40 @@ Xsed="$SED -e 1s/^X//"
 
 
 
-{ echo "$as_me:$LINENO: checking for fgrep" >&5
-echo $ECHO_N "checking for fgrep... $ECHO_C" >&6; }
+{ $as_echo "$as_me:$LINENO: checking for fgrep" >&5
+$as_echo_n "checking for fgrep... " >&6; }
 if test "${ac_cv_path_FGREP+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 else
   if echo 'ab*c' | $GREP -F 'ab*c' >/dev/null 2>&1
    then ac_cv_path_FGREP="$GREP -F"
    else
-     # Extract the first word of "fgrep" to use in msg output
-if test -z "$FGREP"; then
-set dummy fgrep; ac_prog_name=$2
-if test "${ac_cv_path_FGREP+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
+     if test -z "$FGREP"; then
   ac_path_FGREP_found=false
-# Loop through the user's path and test for each of PROGNAME-LIST
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+  # Loop through the user's path and test for each of PROGNAME-LIST
+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
 for as_dir in $PATH$PATH_SEPARATOR/usr/xpg4/bin
 do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
   for ac_prog in fgrep; do
-  for ac_exec_ext in '' $ac_executable_extensions; do
-    ac_path_FGREP="$as_dir/$ac_prog$ac_exec_ext"
-    { test -f "$ac_path_FGREP" && $as_test_x "$ac_path_FGREP"; } || continue
-    # Check for GNU ac_path_FGREP and select it if it is found.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+      ac_path_FGREP="$as_dir/$ac_prog$ac_exec_ext"
+      { test -f "$ac_path_FGREP" && $as_test_x "$ac_path_FGREP"; } || continue
+# Check for GNU ac_path_FGREP and select it if it is found.
   # Check for GNU $ac_path_FGREP
 case `"$ac_path_FGREP" --version 2>&1` in
 *GNU*)
   ac_cv_path_FGREP="$ac_path_FGREP" ac_path_FGREP_found=:;;
 *)
   ac_count=0
-  echo $ECHO_N "0123456789$ECHO_C" >"conftest.in"
+  $as_echo_n 0123456789 >"conftest.in"
   while :
   do
     cat "conftest.in" "conftest.in" >"conftest.tmp"
     mv "conftest.tmp" "conftest.in"
     cp "conftest.in" "conftest.nl"
-    echo 'FGREP' >> "conftest.nl"
+    $as_echo 'FGREP' >> "conftest.nl"
     "$ac_path_FGREP" FGREP < "conftest.nl" >"conftest.out" 2>/dev/null || break
     diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break
     ac_count=`expr $ac_count + 1`
@@ -6071,33 +6518,24 @@ case `"$ac_path_FGREP" --version 2>&1` in
   rm -f conftest.in conftest.tmp conftest.nl conftest.out;;
 esac
 
-
-    $ac_path_FGREP_found && break 3
+      $ac_path_FGREP_found && break 3
+    done
   done
 done
-
-done
 IFS=$as_save_IFS
-
-
-fi
-
-FGREP="$ac_cv_path_FGREP"
-if test -z "$FGREP"; then
-  { { echo "$as_me:$LINENO: error: no acceptable $ac_prog_name could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" >&5
-echo "$as_me: error: no acceptable $ac_prog_name could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" >&2;}
+  if test -z "$ac_cv_path_FGREP"; then
+    { { $as_echo "$as_me:$LINENO: error: no acceptable fgrep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" >&5
+$as_echo "$as_me: error: no acceptable fgrep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" >&2;}
    { (exit 1); exit 1; }; }
-fi
-
+  fi
 else
   ac_cv_path_FGREP=$FGREP
 fi
 
-
    fi
 fi
-{ echo "$as_me:$LINENO: result: $ac_cv_path_FGREP" >&5
-echo "${ECHO_T}$ac_cv_path_FGREP" >&6; }
+{ $as_echo "$as_me:$LINENO: result: $ac_cv_path_FGREP" >&5
+$as_echo "$ac_cv_path_FGREP" >&6; }
  FGREP="$ac_cv_path_FGREP"
 
 
@@ -6131,8 +6569,8 @@ fi
 ac_prog=ld
 if test "$GCC" = yes; then
   # Check if gcc -print-prog-name=ld gives a path.
-  { echo "$as_me:$LINENO: checking for ld used by $CC" >&5
-echo $ECHO_N "checking for ld used by $CC... $ECHO_C" >&6; }
+  { $as_echo "$as_me:$LINENO: checking for ld used by $CC" >&5
+$as_echo_n "checking for ld used by $CC... " >&6; }
   case $host in
   *-*-mingw*)
     # gcc leaves a trailing carriage return which upsets mingw
@@ -6161,14 +6599,14 @@ echo $ECHO_N "checking for ld used by $CC... $ECHO_C" >&6; }
     ;;
   esac
 elif test "$with_gnu_ld" = yes; then
-  { echo "$as_me:$LINENO: checking for GNU ld" >&5
-echo $ECHO_N "checking for GNU ld... $ECHO_C" >&6; }
+  { $as_echo "$as_me:$LINENO: checking for GNU ld" >&5
+$as_echo_n "checking for GNU ld... " >&6; }
 else
-  { echo "$as_me:$LINENO: checking for non-GNU ld" >&5
-echo $ECHO_N "checking for non-GNU ld... $ECHO_C" >&6; }
+  { $as_echo "$as_me:$LINENO: checking for non-GNU ld" >&5
+$as_echo_n "checking for non-GNU ld... " >&6; }
 fi
 if test "${lt_cv_path_LD+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 else
   if test -z "$LD"; then
   lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR
@@ -6198,19 +6636,19 @@ fi
 
 LD="$lt_cv_path_LD"
 if test -n "$LD"; then
-  { echo "$as_me:$LINENO: result: $LD" >&5
-echo "${ECHO_T}$LD" >&6; }
+  { $as_echo "$as_me:$LINENO: result: $LD" >&5
+$as_echo "$LD" >&6; }
 else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
+  { $as_echo "$as_me:$LINENO: result: no" >&5
+$as_echo "no" >&6; }
 fi
-test -z "$LD" && { { echo "$as_me:$LINENO: error: no acceptable ld found in \$PATH" >&5
-echo "$as_me: error: no acceptable ld found in \$PATH" >&2;}
+test -z "$LD" && { { $as_echo "$as_me:$LINENO: error: no acceptable ld found in \$PATH" >&5
+$as_echo "$as_me: error: no acceptable ld found in \$PATH" >&2;}
    { (exit 1); exit 1; }; }
-{ echo "$as_me:$LINENO: checking if the linker ($LD) is GNU ld" >&5
-echo $ECHO_N "checking if the linker ($LD) is GNU ld... $ECHO_C" >&6; }
+{ $as_echo "$as_me:$LINENO: checking if the linker ($LD) is GNU ld" >&5
+$as_echo_n "checking if the linker ($LD) is GNU ld... " >&6; }
 if test "${lt_cv_prog_gnu_ld+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 else
   # I'd rather use --version here, but apparently some GNU lds only accept -v.
 case `$LD -v 2>&1 </dev/null` in
@@ -6222,8 +6660,8 @@ case `$LD -v 2>&1 </dev/null` in
   ;;
 esac
 fi
-{ echo "$as_me:$LINENO: result: $lt_cv_prog_gnu_ld" >&5
-echo "${ECHO_T}$lt_cv_prog_gnu_ld" >&6; }
+{ $as_echo "$as_me:$LINENO: result: $lt_cv_prog_gnu_ld" >&5
+$as_echo "$lt_cv_prog_gnu_ld" >&6; }
 with_gnu_ld=$lt_cv_prog_gnu_ld
 
 
@@ -6234,10 +6672,10 @@ with_gnu_ld=$lt_cv_prog_gnu_ld
 
 
 
-{ echo "$as_me:$LINENO: checking for BSD- or MS-compatible name lister (nm)" >&5
-echo $ECHO_N "checking for BSD- or MS-compatible name lister (nm)... $ECHO_C" >&6; }
+{ $as_echo "$as_me:$LINENO: checking for BSD- or MS-compatible name lister (nm)" >&5
+$as_echo_n "checking for BSD- or MS-compatible name lister (nm)... " >&6; }
 if test "${lt_cv_path_NM+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 else
   if test -n "$NM"; then
   # Let the user override the test.
@@ -6283,8 +6721,8 @@ else
   : ${lt_cv_path_NM=no}
 fi
 fi
-{ echo "$as_me:$LINENO: result: $lt_cv_path_NM" >&5
-echo "${ECHO_T}$lt_cv_path_NM" >&6; }
+{ $as_echo "$as_me:$LINENO: result: $lt_cv_path_NM" >&5
+$as_echo "$lt_cv_path_NM" >&6; }
 if test "$lt_cv_path_NM" != "no"; then
   NM="$lt_cv_path_NM"
 else
@@ -6294,10 +6732,10 @@ else
   do
     # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args.
 set dummy $ac_tool_prefix$ac_prog; ac_word=$2
-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
 if test "${ac_cv_prog_DUMPBIN+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 else
   if test -n "$DUMPBIN"; then
   ac_cv_prog_DUMPBIN="$DUMPBIN" # Let the user override the test.
@@ -6310,7 +6748,7 @@ do
   for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_DUMPBIN="$ac_tool_prefix$ac_prog"
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
@@ -6321,11 +6759,11 @@ fi
 fi
 DUMPBIN=$ac_cv_prog_DUMPBIN
 if test -n "$DUMPBIN"; then
-  { echo "$as_me:$LINENO: result: $DUMPBIN" >&5
-echo "${ECHO_T}$DUMPBIN" >&6; }
+  { $as_echo "$as_me:$LINENO: result: $DUMPBIN" >&5
+$as_echo "$DUMPBIN" >&6; }
 else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
+  { $as_echo "$as_me:$LINENO: result: no" >&5
+$as_echo "no" >&6; }
 fi
 
 
@@ -6338,10 +6776,10 @@ if test -z "$DUMPBIN"; then
 do
   # Extract the first word of "$ac_prog", so it can be a program name with args.
 set dummy $ac_prog; ac_word=$2
-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
 if test "${ac_cv_prog_ac_ct_DUMPBIN+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 else
   if test -n "$ac_ct_DUMPBIN"; then
   ac_cv_prog_ac_ct_DUMPBIN="$ac_ct_DUMPBIN" # Let the user override the test.
@@ -6354,7 +6792,7 @@ do
   for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_ac_ct_DUMPBIN="$ac_prog"
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
@@ -6365,11 +6803,11 @@ fi
 fi
 ac_ct_DUMPBIN=$ac_cv_prog_ac_ct_DUMPBIN
 if test -n "$ac_ct_DUMPBIN"; then
-  { echo "$as_me:$LINENO: result: $ac_ct_DUMPBIN" >&5
-echo "${ECHO_T}$ac_ct_DUMPBIN" >&6; }
+  { $as_echo "$as_me:$LINENO: result: $ac_ct_DUMPBIN" >&5
+$as_echo "$ac_ct_DUMPBIN" >&6; }
 else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
+  { $as_echo "$as_me:$LINENO: result: no" >&5
+$as_echo "no" >&6; }
 fi
 
 
@@ -6381,12 +6819,8 @@ done
   else
     case $cross_compiling:$ac_tool_warned in
 yes:)
-{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
-whose name does not start with the host triplet.  If you think this
-configuration is useful to you, please write to autoconf@gnu.org." >&5
-echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
-whose name does not start with the host triplet.  If you think this
-configuration is useful to you, please write to autoconf@gnu.org." >&2;}
+{ $as_echo "$as_me:$LINENO: WARNING: using cross tools not prefixed with host triplet" >&5
+$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;}
 ac_tool_warned=yes ;;
 esac
     DUMPBIN=$ac_ct_DUMPBIN
@@ -6405,45 +6839,45 @@ test -z "$NM" && NM=nm
 
 
 
-{ echo "$as_me:$LINENO: checking the name lister ($NM) interface" >&5
-echo $ECHO_N "checking the name lister ($NM) interface... $ECHO_C" >&6; }
+{ $as_echo "$as_me:$LINENO: checking the name lister ($NM) interface" >&5
+$as_echo_n "checking the name lister ($NM) interface... " >&6; }
 if test "${lt_cv_nm_interface+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 else
   lt_cv_nm_interface="BSD nm"
   echo "int some_variable = 0;" > conftest.$ac_ext
-  (eval echo "\"\$as_me:6415: $ac_compile\"" >&5)
+  (eval echo "\"\$as_me:6849: $ac_compile\"" >&5)
   (eval "$ac_compile" 2>conftest.err)
   cat conftest.err >&5
-  (eval echo "\"\$as_me:6418: $NM \\\"conftest.$ac_objext\\\"\"" >&5)
+  (eval echo "\"\$as_me:6852: $NM \\\"conftest.$ac_objext\\\"\"" >&5)
   (eval "$NM \"conftest.$ac_objext\"" 2>conftest.err > conftest.out)
   cat conftest.err >&5
-  (eval echo "\"\$as_me:6421: output\"" >&5)
+  (eval echo "\"\$as_me:6855: output\"" >&5)
   cat conftest.out >&5
   if $GREP 'External.*some_variable' conftest.out > /dev/null; then
     lt_cv_nm_interface="MS dumpbin"
   fi
   rm -f conftest*
 fi
-{ echo "$as_me:$LINENO: result: $lt_cv_nm_interface" >&5
-echo "${ECHO_T}$lt_cv_nm_interface" >&6; }
+{ $as_echo "$as_me:$LINENO: result: $lt_cv_nm_interface" >&5
+$as_echo "$lt_cv_nm_interface" >&6; }
 
-{ echo "$as_me:$LINENO: checking whether ln -s works" >&5
-echo $ECHO_N "checking whether ln -s works... $ECHO_C" >&6; }
+{ $as_echo "$as_me:$LINENO: checking whether ln -s works" >&5
+$as_echo_n "checking whether ln -s works... " >&6; }
 LN_S=$as_ln_s
 if test "$LN_S" = "ln -s"; then
-  { echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6; }
+  { $as_echo "$as_me:$LINENO: result: yes" >&5
+$as_echo "yes" >&6; }
 else
-  { echo "$as_me:$LINENO: result: no, using $LN_S" >&5
-echo "${ECHO_T}no, using $LN_S" >&6; }
+  { $as_echo "$as_me:$LINENO: result: no, using $LN_S" >&5
+$as_echo "no, using $LN_S" >&6; }
 fi
 
 # find the maximum length of command line arguments
-{ echo "$as_me:$LINENO: checking the maximum length of command line arguments" >&5
-echo $ECHO_N "checking the maximum length of command line arguments... $ECHO_C" >&6; }
+{ $as_echo "$as_me:$LINENO: checking the maximum length of command line arguments" >&5
+$as_echo_n "checking the maximum length of command line arguments... " >&6; }
 if test "${lt_cv_sys_max_cmd_len+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 else
     i=0
   teststring="ABCD"
@@ -6464,7 +6898,7 @@ else
     lt_cv_sys_max_cmd_len=-1;
     ;;
 
-  cygwin* | mingw*)
+  cygwin* | mingw* | cegcc*)
     # On Win9x/ME, this test blows up -- it succeeds, but takes
     # about 5 minutes as the teststring grows exponentially.
     # Worse, since 9x/ME are not pre-emptively multitasking,
@@ -6560,11 +6994,11 @@ else
 fi
 
 if test -n $lt_cv_sys_max_cmd_len ; then
-  { echo "$as_me:$LINENO: result: $lt_cv_sys_max_cmd_len" >&5
-echo "${ECHO_T}$lt_cv_sys_max_cmd_len" >&6; }
+  { $as_echo "$as_me:$LINENO: result: $lt_cv_sys_max_cmd_len" >&5
+$as_echo "$lt_cv_sys_max_cmd_len" >&6; }
 else
-  { echo "$as_me:$LINENO: result: none" >&5
-echo "${ECHO_T}none" >&6; }
+  { $as_echo "$as_me:$LINENO: result: none" >&5
+$as_echo "none" >&6; }
 fi
 max_cmd_len=$lt_cv_sys_max_cmd_len
 
@@ -6577,8 +7011,8 @@ max_cmd_len=$lt_cv_sys_max_cmd_len
 : ${MV="mv -f"}
 : ${RM="rm -f"}
 
-{ echo "$as_me:$LINENO: checking whether the shell understands some XSI constructs" >&5
-echo $ECHO_N "checking whether the shell understands some XSI constructs... $ECHO_C" >&6; }
+{ $as_echo "$as_me:$LINENO: checking whether the shell understands some XSI constructs" >&5
+$as_echo_n "checking whether the shell understands some XSI constructs... " >&6; }
 # Try some XSI features
 xsi_shell=no
 ( _lt_dummy="a/b/c"
@@ -6587,18 +7021,18 @@ xsi_shell=no
     && eval 'test $(( 1 + 1 )) -eq 2 \
     && test "${#_lt_dummy}" -eq 5' ) >/dev/null 2>&1 \
   && xsi_shell=yes
-{ echo "$as_me:$LINENO: result: $xsi_shell" >&5
-echo "${ECHO_T}$xsi_shell" >&6; }
+{ $as_echo "$as_me:$LINENO: result: $xsi_shell" >&5
+$as_echo "$xsi_shell" >&6; }
 
 
-{ echo "$as_me:$LINENO: checking whether the shell understands \"+=\"" >&5
-echo $ECHO_N "checking whether the shell understands \"+=\"... $ECHO_C" >&6; }
+{ $as_echo "$as_me:$LINENO: checking whether the shell understands \"+=\"" >&5
+$as_echo_n "checking whether the shell understands \"+=\"... " >&6; }
 lt_shell_append=no
 ( foo=bar; set foo baz; eval "$1+=\$2" && test "$foo" = barbaz ) \
     >/dev/null 2>&1 \
   && lt_shell_append=yes
-{ echo "$as_me:$LINENO: result: $lt_shell_append" >&5
-echo "${ECHO_T}$lt_shell_append" >&6; }
+{ $as_echo "$as_me:$LINENO: result: $lt_shell_append" >&5
+$as_echo "$lt_shell_append" >&6; }
 
 
 if ( (MAIL=60; unset MAIL) || exit) >/dev/null 2>&1; then
@@ -6632,15 +7066,15 @@ esac
 
 
 
-{ echo "$as_me:$LINENO: checking for $LD option to reload object files" >&5
-echo $ECHO_N "checking for $LD option to reload object files... $ECHO_C" >&6; }
+{ $as_echo "$as_me:$LINENO: checking for $LD option to reload object files" >&5
+$as_echo_n "checking for $LD option to reload object files... " >&6; }
 if test "${lt_cv_ld_reload_flag+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 else
   lt_cv_ld_reload_flag='-r'
 fi
-{ echo "$as_me:$LINENO: result: $lt_cv_ld_reload_flag" >&5
-echo "${ECHO_T}$lt_cv_ld_reload_flag" >&6; }
+{ $as_echo "$as_me:$LINENO: result: $lt_cv_ld_reload_flag" >&5
+$as_echo "$lt_cv_ld_reload_flag" >&6; }
 reload_flag=$lt_cv_ld_reload_flag
 case $reload_flag in
 "" | " "*) ;;
@@ -6665,11 +7099,112 @@ esac
 
 
 
+if test -n "$ac_tool_prefix"; then
+  # Extract the first word of "${ac_tool_prefix}objdump", so it can be a program name with args.
+set dummy ${ac_tool_prefix}objdump; ac_word=$2
+{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if test "${ac_cv_prog_OBJDUMP+set}" = set; then
+  $as_echo_n "(cached) " >&6
+else
+  if test -n "$OBJDUMP"; then
+  ac_cv_prog_OBJDUMP="$OBJDUMP" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+  for ac_exec_ext in '' $ac_executable_extensions; do
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+    ac_cv_prog_OBJDUMP="${ac_tool_prefix}objdump"
+    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+done
+IFS=$as_save_IFS
+
+fi
+fi
+OBJDUMP=$ac_cv_prog_OBJDUMP
+if test -n "$OBJDUMP"; then
+  { $as_echo "$as_me:$LINENO: result: $OBJDUMP" >&5
+$as_echo "$OBJDUMP" >&6; }
+else
+  { $as_echo "$as_me:$LINENO: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+fi
+if test -z "$ac_cv_prog_OBJDUMP"; then
+  ac_ct_OBJDUMP=$OBJDUMP
+  # Extract the first word of "objdump", so it can be a program name with args.
+set dummy objdump; ac_word=$2
+{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if test "${ac_cv_prog_ac_ct_OBJDUMP+set}" = set; then
+  $as_echo_n "(cached) " >&6
+else
+  if test -n "$ac_ct_OBJDUMP"; then
+  ac_cv_prog_ac_ct_OBJDUMP="$ac_ct_OBJDUMP" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+  for ac_exec_ext in '' $ac_executable_extensions; do
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+    ac_cv_prog_ac_ct_OBJDUMP="objdump"
+    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+done
+IFS=$as_save_IFS
+
+fi
+fi
+ac_ct_OBJDUMP=$ac_cv_prog_ac_ct_OBJDUMP
+if test -n "$ac_ct_OBJDUMP"; then
+  { $as_echo "$as_me:$LINENO: result: $ac_ct_OBJDUMP" >&5
+$as_echo "$ac_ct_OBJDUMP" >&6; }
+else
+  { $as_echo "$as_me:$LINENO: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+  if test "x$ac_ct_OBJDUMP" = x; then
+    OBJDUMP="false"
+  else
+    case $cross_compiling:$ac_tool_warned in
+yes:)
+{ $as_echo "$as_me:$LINENO: WARNING: using cross tools not prefixed with host triplet" >&5
+$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;}
+ac_tool_warned=yes ;;
+esac
+    OBJDUMP=$ac_ct_OBJDUMP
+  fi
+else
+  OBJDUMP="$ac_cv_prog_OBJDUMP"
+fi
+
+test -z "$OBJDUMP" && OBJDUMP=objdump
+
+
+
+
+
+
+
+
 
-{ echo "$as_me:$LINENO: checking how to recognize dependent libraries" >&5
-echo $ECHO_N "checking how to recognize dependent libraries... $ECHO_C" >&6; }
+{ $as_echo "$as_me:$LINENO: checking how to recognize dependent libraries" >&5
+$as_echo_n "checking how to recognize dependent libraries... " >&6; }
 if test "${lt_cv_deplibs_check_method+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 else
   lt_cv_file_magic_cmd='$MAGIC_CMD'
 lt_cv_file_magic_test_file=
@@ -6719,6 +7254,12 @@ mingw* | pw32*)
   fi
   ;;
 
+cegcc)
+  # use the weaker test based on 'objdump'. See mingw*.
+  lt_cv_deplibs_check_method='file_magic file format pe-arm-.*little(.*architecture: arm)?'
+  lt_cv_file_magic_cmd='$OBJDUMP -f'
+  ;;
+
 darwin* | rhapsody*)
   lt_cv_deplibs_check_method=pass_all
   ;;
@@ -6856,8 +7397,8 @@ tpf*)
 esac
 
 fi
-{ echo "$as_me:$LINENO: result: $lt_cv_deplibs_check_method" >&5
-echo "${ECHO_T}$lt_cv_deplibs_check_method" >&6; }
+{ $as_echo "$as_me:$LINENO: result: $lt_cv_deplibs_check_method" >&5
+$as_echo "$lt_cv_deplibs_check_method" >&6; }
 file_magic_cmd=$lt_cv_file_magic_cmd
 deplibs_check_method=$lt_cv_deplibs_check_method
 test -z "$deplibs_check_method" && deplibs_check_method=unknown
@@ -6876,10 +7417,10 @@ test -z "$deplibs_check_method" && deplibs_check_method=unknown
 if test -n "$ac_tool_prefix"; then
   # Extract the first word of "${ac_tool_prefix}ar", so it can be a program name with args.
 set dummy ${ac_tool_prefix}ar; ac_word=$2
-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
 if test "${ac_cv_prog_AR+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 else
   if test -n "$AR"; then
   ac_cv_prog_AR="$AR" # Let the user override the test.
@@ -6892,7 +7433,7 @@ do
   for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_AR="${ac_tool_prefix}ar"
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
@@ -6903,11 +7444,11 @@ fi
 fi
 AR=$ac_cv_prog_AR
 if test -n "$AR"; then
-  { echo "$as_me:$LINENO: result: $AR" >&5
-echo "${ECHO_T}$AR" >&6; }
+  { $as_echo "$as_me:$LINENO: result: $AR" >&5
+$as_echo "$AR" >&6; }
 else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
+  { $as_echo "$as_me:$LINENO: result: no" >&5
+$as_echo "no" >&6; }
 fi
 
 
@@ -6916,10 +7457,10 @@ if test -z "$ac_cv_prog_AR"; then
   ac_ct_AR=$AR
   # Extract the first word of "ar", so it can be a program name with args.
 set dummy ar; ac_word=$2
-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
 if test "${ac_cv_prog_ac_ct_AR+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 else
   if test -n "$ac_ct_AR"; then
   ac_cv_prog_ac_ct_AR="$ac_ct_AR" # Let the user override the test.
@@ -6932,7 +7473,7 @@ do
   for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_ac_ct_AR="ar"
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
@@ -6943,11 +7484,11 @@ fi
 fi
 ac_ct_AR=$ac_cv_prog_ac_ct_AR
 if test -n "$ac_ct_AR"; then
-  { echo "$as_me:$LINENO: result: $ac_ct_AR" >&5
-echo "${ECHO_T}$ac_ct_AR" >&6; }
+  { $as_echo "$as_me:$LINENO: result: $ac_ct_AR" >&5
+$as_echo "$ac_ct_AR" >&6; }
 else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
+  { $as_echo "$as_me:$LINENO: result: no" >&5
+$as_echo "no" >&6; }
 fi
 
   if test "x$ac_ct_AR" = x; then
@@ -6955,12 +7496,8 @@ fi
   else
     case $cross_compiling:$ac_tool_warned in
 yes:)
-{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
-whose name does not start with the host triplet.  If you think this
-configuration is useful to you, please write to autoconf@gnu.org." >&5
-echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
-whose name does not start with the host triplet.  If you think this
-configuration is useful to you, please write to autoconf@gnu.org." >&2;}
+{ $as_echo "$as_me:$LINENO: WARNING: using cross tools not prefixed with host triplet" >&5
+$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;}
 ac_tool_warned=yes ;;
 esac
     AR=$ac_ct_AR
@@ -6985,10 +7522,10 @@ test -z "$AR_FLAGS" && AR_FLAGS=cru
 if test -n "$ac_tool_prefix"; then
   # Extract the first word of "${ac_tool_prefix}strip", so it can be a program name with args.
 set dummy ${ac_tool_prefix}strip; ac_word=$2
-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
 if test "${ac_cv_prog_STRIP+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 else
   if test -n "$STRIP"; then
   ac_cv_prog_STRIP="$STRIP" # Let the user override the test.
@@ -7001,7 +7538,7 @@ do
   for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_STRIP="${ac_tool_prefix}strip"
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
@@ -7012,11 +7549,11 @@ fi
 fi
 STRIP=$ac_cv_prog_STRIP
 if test -n "$STRIP"; then
-  { echo "$as_me:$LINENO: result: $STRIP" >&5
-echo "${ECHO_T}$STRIP" >&6; }
+  { $as_echo "$as_me:$LINENO: result: $STRIP" >&5
+$as_echo "$STRIP" >&6; }
 else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
+  { $as_echo "$as_me:$LINENO: result: no" >&5
+$as_echo "no" >&6; }
 fi
 
 
@@ -7025,10 +7562,10 @@ if test -z "$ac_cv_prog_STRIP"; then
   ac_ct_STRIP=$STRIP
   # Extract the first word of "strip", so it can be a program name with args.
 set dummy strip; ac_word=$2
-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
 if test "${ac_cv_prog_ac_ct_STRIP+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 else
   if test -n "$ac_ct_STRIP"; then
   ac_cv_prog_ac_ct_STRIP="$ac_ct_STRIP" # Let the user override the test.
@@ -7041,7 +7578,7 @@ do
   for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_ac_ct_STRIP="strip"
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
@@ -7052,11 +7589,11 @@ fi
 fi
 ac_ct_STRIP=$ac_cv_prog_ac_ct_STRIP
 if test -n "$ac_ct_STRIP"; then
-  { echo "$as_me:$LINENO: result: $ac_ct_STRIP" >&5
-echo "${ECHO_T}$ac_ct_STRIP" >&6; }
+  { $as_echo "$as_me:$LINENO: result: $ac_ct_STRIP" >&5
+$as_echo "$ac_ct_STRIP" >&6; }
 else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
+  { $as_echo "$as_me:$LINENO: result: no" >&5
+$as_echo "no" >&6; }
 fi
 
   if test "x$ac_ct_STRIP" = x; then
@@ -7064,12 +7601,8 @@ fi
   else
     case $cross_compiling:$ac_tool_warned in
 yes:)
-{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
-whose name does not start with the host triplet.  If you think this
-configuration is useful to you, please write to autoconf@gnu.org." >&5
-echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
-whose name does not start with the host triplet.  If you think this
-configuration is useful to you, please write to autoconf@gnu.org." >&2;}
+{ $as_echo "$as_me:$LINENO: WARNING: using cross tools not prefixed with host triplet" >&5
+$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;}
 ac_tool_warned=yes ;;
 esac
     STRIP=$ac_ct_STRIP
@@ -7088,10 +7621,10 @@ test -z "$STRIP" && STRIP=:
 if test -n "$ac_tool_prefix"; then
   # Extract the first word of "${ac_tool_prefix}ranlib", so it can be a program name with args.
 set dummy ${ac_tool_prefix}ranlib; ac_word=$2
-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
 if test "${ac_cv_prog_RANLIB+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 else
   if test -n "$RANLIB"; then
   ac_cv_prog_RANLIB="$RANLIB" # Let the user override the test.
@@ -7104,7 +7637,7 @@ do
   for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_RANLIB="${ac_tool_prefix}ranlib"
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
@@ -7115,11 +7648,11 @@ fi
 fi
 RANLIB=$ac_cv_prog_RANLIB
 if test -n "$RANLIB"; then
-  { echo "$as_me:$LINENO: result: $RANLIB" >&5
-echo "${ECHO_T}$RANLIB" >&6; }
+  { $as_echo "$as_me:$LINENO: result: $RANLIB" >&5
+$as_echo "$RANLIB" >&6; }
 else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
+  { $as_echo "$as_me:$LINENO: result: no" >&5
+$as_echo "no" >&6; }
 fi
 
 
@@ -7128,10 +7661,10 @@ if test -z "$ac_cv_prog_RANLIB"; then
   ac_ct_RANLIB=$RANLIB
   # Extract the first word of "ranlib", so it can be a program name with args.
 set dummy ranlib; ac_word=$2
-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
 if test "${ac_cv_prog_ac_ct_RANLIB+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 else
   if test -n "$ac_ct_RANLIB"; then
   ac_cv_prog_ac_ct_RANLIB="$ac_ct_RANLIB" # Let the user override the test.
@@ -7144,7 +7677,7 @@ do
   for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_ac_ct_RANLIB="ranlib"
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
@@ -7155,11 +7688,11 @@ fi
 fi
 ac_ct_RANLIB=$ac_cv_prog_ac_ct_RANLIB
 if test -n "$ac_ct_RANLIB"; then
-  { echo "$as_me:$LINENO: result: $ac_ct_RANLIB" >&5
-echo "${ECHO_T}$ac_ct_RANLIB" >&6; }
+  { $as_echo "$as_me:$LINENO: result: $ac_ct_RANLIB" >&5
+$as_echo "$ac_ct_RANLIB" >&6; }
 else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
+  { $as_echo "$as_me:$LINENO: result: no" >&5
+$as_echo "no" >&6; }
 fi
 
   if test "x$ac_ct_RANLIB" = x; then
@@ -7167,12 +7700,8 @@ fi
   else
     case $cross_compiling:$ac_tool_warned in
 yes:)
-{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
-whose name does not start with the host triplet.  If you think this
-configuration is useful to you, please write to autoconf@gnu.org." >&5
-echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
-whose name does not start with the host triplet.  If you think this
-configuration is useful to you, please write to autoconf@gnu.org." >&2;}
+{ $as_echo "$as_me:$LINENO: WARNING: using cross tools not prefixed with host triplet" >&5
+$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;}
 ac_tool_warned=yes ;;
 esac
     RANLIB=$ac_ct_RANLIB
@@ -7249,10 +7778,10 @@ compiler=$CC
 
 
 # Check for command to grab the raw symbol name followed by C symbol from nm.
-{ echo "$as_me:$LINENO: checking command to parse $NM output from $compiler object" >&5
-echo $ECHO_N "checking command to parse $NM output from $compiler object... $ECHO_C" >&6; }
+{ $as_echo "$as_me:$LINENO: checking command to parse $NM output from $compiler object" >&5
+$as_echo_n "checking command to parse $NM output from $compiler object... " >&6; }
 if test "${lt_cv_sys_global_symbol_pipe+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 else
 
 # These are sane defaults that work on at least a few old systems.
@@ -7269,7 +7798,7 @@ case $host_os in
 aix*)
   symcode='[BCDT]'
   ;;
-cygwin* | mingw* | pw32*)
+cygwin* | mingw* | pw32* | cegcc*)
   symcode='[ABCDGISTW]'
   ;;
 hpux*)
@@ -7370,14 +7899,14 @@ _LT_EOF
   if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
   (eval $ac_compile) 2>&5
   ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }; then
     # Now try to grab the symbols.
     nlist=conftest.nm
     if { (eval echo "$as_me:$LINENO: \"$NM conftest.$ac_objext \| $lt_cv_sys_global_symbol_pipe \> $nlist\"") >&5
   (eval $NM conftest.$ac_objext \| $lt_cv_sys_global_symbol_pipe \> $nlist) 2>&5
   ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && test -s "$nlist"; then
       # Try sorting and uniquifying the output.
       if sort "$nlist" | uniq > "$nlist"T; then
@@ -7434,7 +7963,7 @@ _LT_EOF
 	  if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
   (eval $ac_link) 2>&5
   ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && test -s conftest${ac_exeext}; then
 	    pipe_works=yes
 	  fi
@@ -7469,11 +7998,11 @@ if test -z "$lt_cv_sys_global_symbol_pipe"; then
   lt_cv_sys_global_symbol_to_cdecl=
 fi
 if test -z "$lt_cv_sys_global_symbol_pipe$lt_cv_sys_global_symbol_to_cdecl"; then
-  { echo "$as_me:$LINENO: result: failed" >&5
-echo "${ECHO_T}failed" >&6; }
+  { $as_echo "$as_me:$LINENO: result: failed" >&5
+$as_echo "failed" >&6; }
 else
-  { echo "$as_me:$LINENO: result: ok" >&5
-echo "${ECHO_T}ok" >&6; }
+  { $as_echo "$as_me:$LINENO: result: ok" >&5
+$as_echo "ok" >&6; }
 fi
 
 
@@ -7513,7 +8042,7 @@ ia64-*-hpux*)
   if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
   (eval $ac_compile) 2>&5
   ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }; then
     case `/usr/bin/file conftest.$ac_objext` in
       *ELF-32*)
@@ -7528,11 +8057,11 @@ ia64-*-hpux*)
   ;;
 *-*-irix6*)
   # Find out which ABI we are using.
-  echo '#line 7531 "configure"' > conftest.$ac_ext
+  echo '#line 8060 "configure"' > conftest.$ac_ext
   if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
   (eval $ac_compile) 2>&5
   ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }; then
     if test "$lt_cv_prog_gnu_ld" = yes; then
       case `/usr/bin/file conftest.$ac_objext` in
@@ -7570,7 +8099,7 @@ s390*-*linux*|s390*-*tpf*|sparc*-*linux*)
   if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
   (eval $ac_compile) 2>&5
   ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }; then
     case `/usr/bin/file conftest.o` in
       *32-bit*)
@@ -7620,10 +8149,10 @@ s390*-*linux*|s390*-*tpf*|sparc*-*linux*)
   # On SCO OpenServer 5, we need -belf to get full-featured binaries.
   SAVE_CFLAGS="$CFLAGS"
   CFLAGS="$CFLAGS -belf"
-  { echo "$as_me:$LINENO: checking whether the C compiler needs -belf" >&5
-echo $ECHO_N "checking whether the C compiler needs -belf... $ECHO_C" >&6; }
+  { $as_echo "$as_me:$LINENO: checking whether the C compiler needs -belf" >&5
+$as_echo_n "checking whether the C compiler needs -belf... " >&6; }
 if test "${lt_cv_cc_needs_belf+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 else
   ac_ext=c
 ac_cpp='$CPP $CPPFLAGS'
@@ -7652,26 +8181,30 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
+       } && test -s conftest$ac_exeext && {
+	 test "$cross_compiling" = yes ||
+	 $as_test_x conftest$ac_exeext
+       }; then
   lt_cv_cc_needs_belf=yes
 else
-  echo "$as_me: failed program was:" >&5
+  $as_echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	lt_cv_cc_needs_belf=no
 fi
 
+rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
      ac_ext=c
@@ -7681,8 +8214,8 @@ ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $
 ac_compiler_gnu=$ac_cv_c_compiler_gnu
 
 fi
-{ echo "$as_me:$LINENO: result: $lt_cv_cc_needs_belf" >&5
-echo "${ECHO_T}$lt_cv_cc_needs_belf" >&6; }
+{ $as_echo "$as_me:$LINENO: result: $lt_cv_cc_needs_belf" >&5
+$as_echo "$lt_cv_cc_needs_belf" >&6; }
   if test x"$lt_cv_cc_needs_belf" != x"yes"; then
     # this is probably gcc 2.8.0, egcs 1.0 or newer; no need for -belf
     CFLAGS="$SAVE_CFLAGS"
@@ -7694,7 +8227,7 @@ sparc*-*solaris*)
   if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
   (eval $ac_compile) 2>&5
   ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }; then
     case `/usr/bin/file conftest.o` in
     *64-bit*)
@@ -7721,10 +8254,10 @@ need_locks="$enable_libtool_lock"
     if test -n "$ac_tool_prefix"; then
   # Extract the first word of "${ac_tool_prefix}dsymutil", so it can be a program name with args.
 set dummy ${ac_tool_prefix}dsymutil; ac_word=$2
-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
 if test "${ac_cv_prog_DSYMUTIL+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 else
   if test -n "$DSYMUTIL"; then
   ac_cv_prog_DSYMUTIL="$DSYMUTIL" # Let the user override the test.
@@ -7737,7 +8270,7 @@ do
   for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_DSYMUTIL="${ac_tool_prefix}dsymutil"
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
@@ -7748,11 +8281,11 @@ fi
 fi
 DSYMUTIL=$ac_cv_prog_DSYMUTIL
 if test -n "$DSYMUTIL"; then
-  { echo "$as_me:$LINENO: result: $DSYMUTIL" >&5
-echo "${ECHO_T}$DSYMUTIL" >&6; }
+  { $as_echo "$as_me:$LINENO: result: $DSYMUTIL" >&5
+$as_echo "$DSYMUTIL" >&6; }
 else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
+  { $as_echo "$as_me:$LINENO: result: no" >&5
+$as_echo "no" >&6; }
 fi
 
 
@@ -7761,10 +8294,10 @@ if test -z "$ac_cv_prog_DSYMUTIL"; then
   ac_ct_DSYMUTIL=$DSYMUTIL
   # Extract the first word of "dsymutil", so it can be a program name with args.
 set dummy dsymutil; ac_word=$2
-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
 if test "${ac_cv_prog_ac_ct_DSYMUTIL+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 else
   if test -n "$ac_ct_DSYMUTIL"; then
   ac_cv_prog_ac_ct_DSYMUTIL="$ac_ct_DSYMUTIL" # Let the user override the test.
@@ -7777,7 +8310,7 @@ do
   for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_ac_ct_DSYMUTIL="dsymutil"
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
@@ -7788,11 +8321,11 @@ fi
 fi
 ac_ct_DSYMUTIL=$ac_cv_prog_ac_ct_DSYMUTIL
 if test -n "$ac_ct_DSYMUTIL"; then
-  { echo "$as_me:$LINENO: result: $ac_ct_DSYMUTIL" >&5
-echo "${ECHO_T}$ac_ct_DSYMUTIL" >&6; }
+  { $as_echo "$as_me:$LINENO: result: $ac_ct_DSYMUTIL" >&5
+$as_echo "$ac_ct_DSYMUTIL" >&6; }
 else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
+  { $as_echo "$as_me:$LINENO: result: no" >&5
+$as_echo "no" >&6; }
 fi
 
   if test "x$ac_ct_DSYMUTIL" = x; then
@@ -7800,12 +8333,8 @@ fi
   else
     case $cross_compiling:$ac_tool_warned in
 yes:)
-{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
-whose name does not start with the host triplet.  If you think this
-configuration is useful to you, please write to autoconf@gnu.org." >&5
-echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
-whose name does not start with the host triplet.  If you think this
-configuration is useful to you, please write to autoconf@gnu.org." >&2;}
+{ $as_echo "$as_me:$LINENO: WARNING: using cross tools not prefixed with host triplet" >&5
+$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;}
 ac_tool_warned=yes ;;
 esac
     DSYMUTIL=$ac_ct_DSYMUTIL
@@ -7817,10 +8346,10 @@ fi
     if test -n "$ac_tool_prefix"; then
   # Extract the first word of "${ac_tool_prefix}nmedit", so it can be a program name with args.
 set dummy ${ac_tool_prefix}nmedit; ac_word=$2
-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
 if test "${ac_cv_prog_NMEDIT+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 else
   if test -n "$NMEDIT"; then
   ac_cv_prog_NMEDIT="$NMEDIT" # Let the user override the test.
@@ -7833,7 +8362,7 @@ do
   for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_NMEDIT="${ac_tool_prefix}nmedit"
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
@@ -7844,11 +8373,11 @@ fi
 fi
 NMEDIT=$ac_cv_prog_NMEDIT
 if test -n "$NMEDIT"; then
-  { echo "$as_me:$LINENO: result: $NMEDIT" >&5
-echo "${ECHO_T}$NMEDIT" >&6; }
+  { $as_echo "$as_me:$LINENO: result: $NMEDIT" >&5
+$as_echo "$NMEDIT" >&6; }
 else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
+  { $as_echo "$as_me:$LINENO: result: no" >&5
+$as_echo "no" >&6; }
 fi
 
 
@@ -7857,10 +8386,10 @@ if test -z "$ac_cv_prog_NMEDIT"; then
   ac_ct_NMEDIT=$NMEDIT
   # Extract the first word of "nmedit", so it can be a program name with args.
 set dummy nmedit; ac_word=$2
-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
 if test "${ac_cv_prog_ac_ct_NMEDIT+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 else
   if test -n "$ac_ct_NMEDIT"; then
   ac_cv_prog_ac_ct_NMEDIT="$ac_ct_NMEDIT" # Let the user override the test.
@@ -7873,7 +8402,7 @@ do
   for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_ac_ct_NMEDIT="nmedit"
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
@@ -7884,11 +8413,11 @@ fi
 fi
 ac_ct_NMEDIT=$ac_cv_prog_ac_ct_NMEDIT
 if test -n "$ac_ct_NMEDIT"; then
-  { echo "$as_me:$LINENO: result: $ac_ct_NMEDIT" >&5
-echo "${ECHO_T}$ac_ct_NMEDIT" >&6; }
+  { $as_echo "$as_me:$LINENO: result: $ac_ct_NMEDIT" >&5
+$as_echo "$ac_ct_NMEDIT" >&6; }
 else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
+  { $as_echo "$as_me:$LINENO: result: no" >&5
+$as_echo "no" >&6; }
 fi
 
   if test "x$ac_ct_NMEDIT" = x; then
@@ -7896,12 +8425,8 @@ fi
   else
     case $cross_compiling:$ac_tool_warned in
 yes:)
-{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
-whose name does not start with the host triplet.  If you think this
-configuration is useful to you, please write to autoconf@gnu.org." >&5
-echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
-whose name does not start with the host triplet.  If you think this
-configuration is useful to you, please write to autoconf@gnu.org." >&2;}
+{ $as_echo "$as_me:$LINENO: WARNING: using cross tools not prefixed with host triplet" >&5
+$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;}
 ac_tool_warned=yes ;;
 esac
     NMEDIT=$ac_ct_NMEDIT
@@ -7913,10 +8438,10 @@ fi
     if test -n "$ac_tool_prefix"; then
   # Extract the first word of "${ac_tool_prefix}lipo", so it can be a program name with args.
 set dummy ${ac_tool_prefix}lipo; ac_word=$2
-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
 if test "${ac_cv_prog_LIPO+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 else
   if test -n "$LIPO"; then
   ac_cv_prog_LIPO="$LIPO" # Let the user override the test.
@@ -7929,7 +8454,7 @@ do
   for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_LIPO="${ac_tool_prefix}lipo"
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
@@ -7940,11 +8465,11 @@ fi
 fi
 LIPO=$ac_cv_prog_LIPO
 if test -n "$LIPO"; then
-  { echo "$as_me:$LINENO: result: $LIPO" >&5
-echo "${ECHO_T}$LIPO" >&6; }
+  { $as_echo "$as_me:$LINENO: result: $LIPO" >&5
+$as_echo "$LIPO" >&6; }
 else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
+  { $as_echo "$as_me:$LINENO: result: no" >&5
+$as_echo "no" >&6; }
 fi
 
 
@@ -7953,10 +8478,10 @@ if test -z "$ac_cv_prog_LIPO"; then
   ac_ct_LIPO=$LIPO
   # Extract the first word of "lipo", so it can be a program name with args.
 set dummy lipo; ac_word=$2
-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
 if test "${ac_cv_prog_ac_ct_LIPO+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 else
   if test -n "$ac_ct_LIPO"; then
   ac_cv_prog_ac_ct_LIPO="$ac_ct_LIPO" # Let the user override the test.
@@ -7969,7 +8494,7 @@ do
   for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_ac_ct_LIPO="lipo"
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
@@ -7980,11 +8505,11 @@ fi
 fi
 ac_ct_LIPO=$ac_cv_prog_ac_ct_LIPO
 if test -n "$ac_ct_LIPO"; then
-  { echo "$as_me:$LINENO: result: $ac_ct_LIPO" >&5
-echo "${ECHO_T}$ac_ct_LIPO" >&6; }
+  { $as_echo "$as_me:$LINENO: result: $ac_ct_LIPO" >&5
+$as_echo "$ac_ct_LIPO" >&6; }
 else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
+  { $as_echo "$as_me:$LINENO: result: no" >&5
+$as_echo "no" >&6; }
 fi
 
   if test "x$ac_ct_LIPO" = x; then
@@ -7992,12 +8517,8 @@ fi
   else
     case $cross_compiling:$ac_tool_warned in
 yes:)
-{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
-whose name does not start with the host triplet.  If you think this
-configuration is useful to you, please write to autoconf@gnu.org." >&5
-echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
-whose name does not start with the host triplet.  If you think this
-configuration is useful to you, please write to autoconf@gnu.org." >&2;}
+{ $as_echo "$as_me:$LINENO: WARNING: using cross tools not prefixed with host triplet" >&5
+$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;}
 ac_tool_warned=yes ;;
 esac
     LIPO=$ac_ct_LIPO
@@ -8009,10 +8530,10 @@ fi
     if test -n "$ac_tool_prefix"; then
   # Extract the first word of "${ac_tool_prefix}otool", so it can be a program name with args.
 set dummy ${ac_tool_prefix}otool; ac_word=$2
-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
 if test "${ac_cv_prog_OTOOL+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 else
   if test -n "$OTOOL"; then
   ac_cv_prog_OTOOL="$OTOOL" # Let the user override the test.
@@ -8025,7 +8546,7 @@ do
   for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_OTOOL="${ac_tool_prefix}otool"
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
@@ -8036,11 +8557,11 @@ fi
 fi
 OTOOL=$ac_cv_prog_OTOOL
 if test -n "$OTOOL"; then
-  { echo "$as_me:$LINENO: result: $OTOOL" >&5
-echo "${ECHO_T}$OTOOL" >&6; }
+  { $as_echo "$as_me:$LINENO: result: $OTOOL" >&5
+$as_echo "$OTOOL" >&6; }
 else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
+  { $as_echo "$as_me:$LINENO: result: no" >&5
+$as_echo "no" >&6; }
 fi
 
 
@@ -8049,10 +8570,10 @@ if test -z "$ac_cv_prog_OTOOL"; then
   ac_ct_OTOOL=$OTOOL
   # Extract the first word of "otool", so it can be a program name with args.
 set dummy otool; ac_word=$2
-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
 if test "${ac_cv_prog_ac_ct_OTOOL+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 else
   if test -n "$ac_ct_OTOOL"; then
   ac_cv_prog_ac_ct_OTOOL="$ac_ct_OTOOL" # Let the user override the test.
@@ -8065,7 +8586,7 @@ do
   for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_ac_ct_OTOOL="otool"
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
@@ -8076,11 +8597,11 @@ fi
 fi
 ac_ct_OTOOL=$ac_cv_prog_ac_ct_OTOOL
 if test -n "$ac_ct_OTOOL"; then
-  { echo "$as_me:$LINENO: result: $ac_ct_OTOOL" >&5
-echo "${ECHO_T}$ac_ct_OTOOL" >&6; }
+  { $as_echo "$as_me:$LINENO: result: $ac_ct_OTOOL" >&5
+$as_echo "$ac_ct_OTOOL" >&6; }
 else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
+  { $as_echo "$as_me:$LINENO: result: no" >&5
+$as_echo "no" >&6; }
 fi
 
   if test "x$ac_ct_OTOOL" = x; then
@@ -8088,12 +8609,8 @@ fi
   else
     case $cross_compiling:$ac_tool_warned in
 yes:)
-{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
-whose name does not start with the host triplet.  If you think this
-configuration is useful to you, please write to autoconf@gnu.org." >&5
-echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
-whose name does not start with the host triplet.  If you think this
-configuration is useful to you, please write to autoconf@gnu.org." >&2;}
+{ $as_echo "$as_me:$LINENO: WARNING: using cross tools not prefixed with host triplet" >&5
+$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;}
 ac_tool_warned=yes ;;
 esac
     OTOOL=$ac_ct_OTOOL
@@ -8105,10 +8622,10 @@ fi
     if test -n "$ac_tool_prefix"; then
   # Extract the first word of "${ac_tool_prefix}otool64", so it can be a program name with args.
 set dummy ${ac_tool_prefix}otool64; ac_word=$2
-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
 if test "${ac_cv_prog_OTOOL64+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 else
   if test -n "$OTOOL64"; then
   ac_cv_prog_OTOOL64="$OTOOL64" # Let the user override the test.
@@ -8121,7 +8638,7 @@ do
   for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_OTOOL64="${ac_tool_prefix}otool64"
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
@@ -8132,11 +8649,11 @@ fi
 fi
 OTOOL64=$ac_cv_prog_OTOOL64
 if test -n "$OTOOL64"; then
-  { echo "$as_me:$LINENO: result: $OTOOL64" >&5
-echo "${ECHO_T}$OTOOL64" >&6; }
+  { $as_echo "$as_me:$LINENO: result: $OTOOL64" >&5
+$as_echo "$OTOOL64" >&6; }
 else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
+  { $as_echo "$as_me:$LINENO: result: no" >&5
+$as_echo "no" >&6; }
 fi
 
 
@@ -8145,10 +8662,10 @@ if test -z "$ac_cv_prog_OTOOL64"; then
   ac_ct_OTOOL64=$OTOOL64
   # Extract the first word of "otool64", so it can be a program name with args.
 set dummy otool64; ac_word=$2
-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
 if test "${ac_cv_prog_ac_ct_OTOOL64+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 else
   if test -n "$ac_ct_OTOOL64"; then
   ac_cv_prog_ac_ct_OTOOL64="$ac_ct_OTOOL64" # Let the user override the test.
@@ -8161,7 +8678,7 @@ do
   for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_ac_ct_OTOOL64="otool64"
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
@@ -8172,11 +8689,11 @@ fi
 fi
 ac_ct_OTOOL64=$ac_cv_prog_ac_ct_OTOOL64
 if test -n "$ac_ct_OTOOL64"; then
-  { echo "$as_me:$LINENO: result: $ac_ct_OTOOL64" >&5
-echo "${ECHO_T}$ac_ct_OTOOL64" >&6; }
+  { $as_echo "$as_me:$LINENO: result: $ac_ct_OTOOL64" >&5
+$as_echo "$ac_ct_OTOOL64" >&6; }
 else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
+  { $as_echo "$as_me:$LINENO: result: no" >&5
+$as_echo "no" >&6; }
 fi
 
   if test "x$ac_ct_OTOOL64" = x; then
@@ -8184,12 +8701,8 @@ fi
   else
     case $cross_compiling:$ac_tool_warned in
 yes:)
-{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
-whose name does not start with the host triplet.  If you think this
-configuration is useful to you, please write to autoconf@gnu.org." >&5
-echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
-whose name does not start with the host triplet.  If you think this
-configuration is useful to you, please write to autoconf@gnu.org." >&2;}
+{ $as_echo "$as_me:$LINENO: WARNING: using cross tools not prefixed with host triplet" >&5
+$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;}
 ac_tool_warned=yes ;;
 esac
     OTOOL64=$ac_ct_OTOOL64
@@ -8224,10 +8737,10 @@ fi
 
 
 
-    { echo "$as_me:$LINENO: checking for -single_module linker flag" >&5
-echo $ECHO_N "checking for -single_module linker flag... $ECHO_C" >&6; }
+    { $as_echo "$as_me:$LINENO: checking for -single_module linker flag" >&5
+$as_echo_n "checking for -single_module linker flag... " >&6; }
 if test "${lt_cv_apple_cc_single_mod+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 else
   lt_cv_apple_cc_single_mod=no
       if test -z "${LT_MULTI_MODULE}"; then
@@ -8251,12 +8764,12 @@ else
 	rm -f conftest.*
       fi
 fi
-{ echo "$as_me:$LINENO: result: $lt_cv_apple_cc_single_mod" >&5
-echo "${ECHO_T}$lt_cv_apple_cc_single_mod" >&6; }
-    { echo "$as_me:$LINENO: checking for -exported_symbols_list linker flag" >&5
-echo $ECHO_N "checking for -exported_symbols_list linker flag... $ECHO_C" >&6; }
+{ $as_echo "$as_me:$LINENO: result: $lt_cv_apple_cc_single_mod" >&5
+$as_echo "$lt_cv_apple_cc_single_mod" >&6; }
+    { $as_echo "$as_me:$LINENO: checking for -exported_symbols_list linker flag" >&5
+$as_echo_n "checking for -exported_symbols_list linker flag... " >&6; }
 if test "${lt_cv_ld_exported_symbols_list+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 else
   lt_cv_ld_exported_symbols_list=no
       save_LDFLAGS=$LDFLAGS
@@ -8283,33 +8796,37 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
+       } && test -s conftest$ac_exeext && {
+	 test "$cross_compiling" = yes ||
+	 $as_test_x conftest$ac_exeext
+       }; then
   lt_cv_ld_exported_symbols_list=yes
 else
-  echo "$as_me: failed program was:" >&5
+  $as_echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	lt_cv_ld_exported_symbols_list=no
 fi
 
+rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 	LDFLAGS="$save_LDFLAGS"
 
 fi
-{ echo "$as_me:$LINENO: result: $lt_cv_ld_exported_symbols_list" >&5
-echo "${ECHO_T}$lt_cv_ld_exported_symbols_list" >&6; }
+{ $as_echo "$as_me:$LINENO: result: $lt_cv_ld_exported_symbols_list" >&5
+$as_echo "$lt_cv_ld_exported_symbols_list" >&6; }
     case $host_os in
     rhapsody* | darwin1.[012])
       _lt_dar_allow_undefined='${wl}-undefined ${wl}suppress' ;;
@@ -8348,11 +8865,11 @@ echo "${ECHO_T}$lt_cv_ld_exported_symbols_list" >&6; }
 
 for ac_header in dlfcn.h
 do
-as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
-{ echo "$as_me:$LINENO: checking for $ac_header" >&5
-echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
+as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
+{ $as_echo "$as_me:$LINENO: checking for $ac_header" >&5
+$as_echo_n "checking for $ac_header... " >&6; }
 if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
@@ -8370,20 +8887,21 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
   (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
        } && test -s conftest.$ac_objext; then
   eval "$as_ac_Header=yes"
 else
-  echo "$as_me: failed program was:" >&5
+  $as_echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	eval "$as_ac_Header=no"
@@ -8391,12 +8909,15 @@ fi
 
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
-ac_res=`eval echo '${'$as_ac_Header'}'`
-	       { echo "$as_me:$LINENO: result: $ac_res" >&5
-echo "${ECHO_T}$ac_res" >&6; }
-if test `eval echo '${'$as_ac_Header'}'` = yes; then
+ac_res=`eval 'as_val=${'$as_ac_Header'}
+		 $as_echo "$as_val"'`
+	       { $as_echo "$as_me:$LINENO: result: $ac_res" >&5
+$as_echo "$ac_res" >&6; }
+as_val=`eval 'as_val=${'$as_ac_Header'}
+		 $as_echo "$as_val"'`
+   if test "x$as_val" = x""yes; then
   cat >>confdefs.h <<_ACEOF
-#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
+#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1
 _ACEOF
 
 fi
@@ -8576,10 +9097,10 @@ if test -n "${ZSH_VERSION+set}" ; then
    setopt NO_GLOB_SUBST
 fi
 
-{ echo "$as_me:$LINENO: checking for objdir" >&5
-echo $ECHO_N "checking for objdir... $ECHO_C" >&6; }
+{ $as_echo "$as_me:$LINENO: checking for objdir" >&5
+$as_echo_n "checking for objdir... " >&6; }
 if test "${lt_cv_objdir+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 else
   rm -f .libs 2>/dev/null
 mkdir .libs 2>/dev/null
@@ -8591,8 +9112,8 @@ else
 fi
 rmdir .libs 2>/dev/null
 fi
-{ echo "$as_me:$LINENO: result: $lt_cv_objdir" >&5
-echo "${ECHO_T}$lt_cv_objdir" >&6; }
+{ $as_echo "$as_me:$LINENO: result: $lt_cv_objdir" >&5
+$as_echo "$lt_cv_objdir" >&6; }
 objdir=$lt_cv_objdir
 
 
@@ -8684,10 +9205,10 @@ test -z "$MAGIC_CMD" && MAGIC_CMD=file
 case $deplibs_check_method in
 file_magic*)
   if test "$file_magic_cmd" = '$MAGIC_CMD'; then
-    { echo "$as_me:$LINENO: checking for ${ac_tool_prefix}file" >&5
-echo $ECHO_N "checking for ${ac_tool_prefix}file... $ECHO_C" >&6; }
+    { $as_echo "$as_me:$LINENO: checking for ${ac_tool_prefix}file" >&5
+$as_echo_n "checking for ${ac_tool_prefix}file... " >&6; }
 if test "${lt_cv_path_MAGIC_CMD+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 else
   case $MAGIC_CMD in
 [\\/*] |  ?:[\\/]*)
@@ -8737,11 +9258,11 @@ fi
 
 MAGIC_CMD="$lt_cv_path_MAGIC_CMD"
 if test -n "$MAGIC_CMD"; then
-  { echo "$as_me:$LINENO: result: $MAGIC_CMD" >&5
-echo "${ECHO_T}$MAGIC_CMD" >&6; }
+  { $as_echo "$as_me:$LINENO: result: $MAGIC_CMD" >&5
+$as_echo "$MAGIC_CMD" >&6; }
 else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
+  { $as_echo "$as_me:$LINENO: result: no" >&5
+$as_echo "no" >&6; }
 fi
 
 
@@ -8750,10 +9271,10 @@ fi
 
 if test -z "$lt_cv_path_MAGIC_CMD"; then
   if test -n "$ac_tool_prefix"; then
-    { echo "$as_me:$LINENO: checking for file" >&5
-echo $ECHO_N "checking for file... $ECHO_C" >&6; }
+    { $as_echo "$as_me:$LINENO: checking for file" >&5
+$as_echo_n "checking for file... " >&6; }
 if test "${lt_cv_path_MAGIC_CMD+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 else
   case $MAGIC_CMD in
 [\\/*] |  ?:[\\/]*)
@@ -8803,11 +9324,11 @@ fi
 
 MAGIC_CMD="$lt_cv_path_MAGIC_CMD"
 if test -n "$MAGIC_CMD"; then
-  { echo "$as_me:$LINENO: result: $MAGIC_CMD" >&5
-echo "${ECHO_T}$MAGIC_CMD" >&6; }
+  { $as_echo "$as_me:$LINENO: result: $MAGIC_CMD" >&5
+$as_echo "$MAGIC_CMD" >&6; }
 else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
+  { $as_echo "$as_me:$LINENO: result: no" >&5
+$as_echo "no" >&6; }
 fi
 
 
@@ -8883,10 +9404,10 @@ lt_prog_compiler_no_builtin_flag=
 if test "$GCC" = yes; then
   lt_prog_compiler_no_builtin_flag=' -fno-builtin'
 
-  { echo "$as_me:$LINENO: checking if $compiler supports -fno-rtti -fno-exceptions" >&5
-echo $ECHO_N "checking if $compiler supports -fno-rtti -fno-exceptions... $ECHO_C" >&6; }
+  { $as_echo "$as_me:$LINENO: checking if $compiler supports -fno-rtti -fno-exceptions" >&5
+$as_echo_n "checking if $compiler supports -fno-rtti -fno-exceptions... " >&6; }
 if test "${lt_cv_prog_compiler_rtti_exceptions+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 else
   lt_cv_prog_compiler_rtti_exceptions=no
    ac_outfile=conftest.$ac_objext
@@ -8901,11 +9422,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:8904: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:9425: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:8908: \$? = $ac_status" >&5
+   echo "$as_me:9429: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -8918,8 +9439,8 @@ else
    $RM conftest*
 
 fi
-{ echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_rtti_exceptions" >&5
-echo "${ECHO_T}$lt_cv_prog_compiler_rtti_exceptions" >&6; }
+{ $as_echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_rtti_exceptions" >&5
+$as_echo "$lt_cv_prog_compiler_rtti_exceptions" >&6; }
 
 if test x"$lt_cv_prog_compiler_rtti_exceptions" = xyes; then
     lt_prog_compiler_no_builtin_flag="$lt_prog_compiler_no_builtin_flag -fno-rtti -fno-exceptions"
@@ -8938,8 +9459,8 @@ fi
 lt_prog_compiler_pic=
 lt_prog_compiler_static=
 
-{ echo "$as_me:$LINENO: checking for $compiler option to produce PIC" >&5
-echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6; }
+{ $as_echo "$as_me:$LINENO: checking for $compiler option to produce PIC" >&5
+$as_echo_n "checking for $compiler option to produce PIC... " >&6; }
 
   if test "$GCC" = yes; then
     lt_prog_compiler_wl='-Wl,'
@@ -8973,7 +9494,7 @@ echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6; }
       # PIC is the default for these OSes.
       ;;
 
-    mingw* | cygwin* | pw32* | os2*)
+    mingw* | cygwin* | pw32* | os2* | cegcc*)
       # This hack is so that the source file can tell whether it is being
       # built for inclusion in a dll (and should export symbols for example).
       # Although the cygwin gcc ignores -fPIC, still need this for old-style
@@ -8988,10 +9509,11 @@ echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6; }
       ;;
 
     hpux*)
-      # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but
-      # not for PA HP-UX.
+      # PIC is the default for 64-bit PA HP-UX, but not for 32-bit
+      # PA HP-UX.  On IA64 HP-UX, PIC is the default but the pic flag
+      # sets the default TLS model and affects inlining.
       case $host_cpu in
-      hppa*64*|ia64*)
+      hppa*64*)
 	# +Z the default
 	;;
       *)
@@ -9041,7 +9563,7 @@ echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6; }
       fi
       ;;
 
-    mingw* | cygwin* | pw32* | os2*)
+    mingw* | cygwin* | pw32* | os2* | cegcc*)
       # This hack is so that the source file can tell whether it is being
       # built for inclusion in a dll (and should export symbols for example).
       lt_prog_compiler_pic='-DDLL_EXPORT'
@@ -9071,11 +9593,25 @@ echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6; }
 
     linux* | k*bsd*-gnu)
       case $cc_basename in
-      icc* | ecc* | ifort*)
+      # old Intel for x86_64 which still supported -KPIC.
+      ecc*)
 	lt_prog_compiler_wl='-Wl,'
 	lt_prog_compiler_pic='-KPIC'
 	lt_prog_compiler_static='-static'
         ;;
+      # icc used to be incompatible with GCC.
+      # ICC 10 doesn't accept -KPIC any more.
+      icc* | ifort*)
+	lt_prog_compiler_wl='-Wl,'
+	lt_prog_compiler_pic='-fPIC'
+	lt_prog_compiler_static='-static'
+        ;;
+      # Lahey Fortran 8.1.
+      lf95*)
+	lt_prog_compiler_wl='-Wl,'
+	lt_prog_compiler_pic='--shared'
+	lt_prog_compiler_static='--static'
+	;;
       pgcc* | pgf77* | pgf90* | pgf95*)
         # Portland Group compilers (*not* the Pentium gcc compiler,
 	# which looks to be a dead project)
@@ -9195,8 +9731,8 @@ case $host_os in
     lt_prog_compiler_pic="$lt_prog_compiler_pic -DPIC"
     ;;
 esac
-{ echo "$as_me:$LINENO: result: $lt_prog_compiler_pic" >&5
-echo "${ECHO_T}$lt_prog_compiler_pic" >&6; }
+{ $as_echo "$as_me:$LINENO: result: $lt_prog_compiler_pic" >&5
+$as_echo "$lt_prog_compiler_pic" >&6; }
 
 
 
@@ -9207,10 +9743,10 @@ echo "${ECHO_T}$lt_prog_compiler_pic" >&6; }
 # Check to make sure the PIC flag actually works.
 #
 if test -n "$lt_prog_compiler_pic"; then
-  { echo "$as_me:$LINENO: checking if $compiler PIC flag $lt_prog_compiler_pic works" >&5
-echo $ECHO_N "checking if $compiler PIC flag $lt_prog_compiler_pic works... $ECHO_C" >&6; }
+  { $as_echo "$as_me:$LINENO: checking if $compiler PIC flag $lt_prog_compiler_pic works" >&5
+$as_echo_n "checking if $compiler PIC flag $lt_prog_compiler_pic works... " >&6; }
 if test "${lt_cv_prog_compiler_pic_works+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 else
   lt_cv_prog_compiler_pic_works=no
    ac_outfile=conftest.$ac_objext
@@ -9225,11 +9761,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:9228: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:9764: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:9232: \$? = $ac_status" >&5
+   echo "$as_me:9768: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -9242,8 +9778,8 @@ else
    $RM conftest*
 
 fi
-{ echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_pic_works" >&5
-echo "${ECHO_T}$lt_cv_prog_compiler_pic_works" >&6; }
+{ $as_echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_pic_works" >&5
+$as_echo "$lt_cv_prog_compiler_pic_works" >&6; }
 
 if test x"$lt_cv_prog_compiler_pic_works" = xyes; then
     case $lt_prog_compiler_pic in
@@ -9266,10 +9802,10 @@ fi
 # Check to make sure the static flag actually works.
 #
 wl=$lt_prog_compiler_wl eval lt_tmp_static_flag=\"$lt_prog_compiler_static\"
-{ echo "$as_me:$LINENO: checking if $compiler static flag $lt_tmp_static_flag works" >&5
-echo $ECHO_N "checking if $compiler static flag $lt_tmp_static_flag works... $ECHO_C" >&6; }
+{ $as_echo "$as_me:$LINENO: checking if $compiler static flag $lt_tmp_static_flag works" >&5
+$as_echo_n "checking if $compiler static flag $lt_tmp_static_flag works... " >&6; }
 if test "${lt_cv_prog_compiler_static_works+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 else
   lt_cv_prog_compiler_static_works=no
    save_LDFLAGS="$LDFLAGS"
@@ -9294,8 +9830,8 @@ else
    LDFLAGS="$save_LDFLAGS"
 
 fi
-{ echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_static_works" >&5
-echo "${ECHO_T}$lt_cv_prog_compiler_static_works" >&6; }
+{ $as_echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_static_works" >&5
+$as_echo "$lt_cv_prog_compiler_static_works" >&6; }
 
 if test x"$lt_cv_prog_compiler_static_works" = xyes; then
     :
@@ -9309,10 +9845,10 @@ fi
 
 
 
-  { echo "$as_me:$LINENO: checking if $compiler supports -c -o file.$ac_objext" >&5
-echo $ECHO_N "checking if $compiler supports -c -o file.$ac_objext... $ECHO_C" >&6; }
+  { $as_echo "$as_me:$LINENO: checking if $compiler supports -c -o file.$ac_objext" >&5
+$as_echo_n "checking if $compiler supports -c -o file.$ac_objext... " >&6; }
 if test "${lt_cv_prog_compiler_c_o+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 else
   lt_cv_prog_compiler_c_o=no
    $RM -r conftest 2>/dev/null
@@ -9330,11 +9866,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:9333: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:9869: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:9337: \$? = $ac_status" >&5
+   echo "$as_me:9873: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -9356,18 +9892,18 @@ else
    $RM conftest*
 
 fi
-{ echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_c_o" >&5
-echo "${ECHO_T}$lt_cv_prog_compiler_c_o" >&6; }
+{ $as_echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_c_o" >&5
+$as_echo "$lt_cv_prog_compiler_c_o" >&6; }
 
 
 
 
 
 
-  { echo "$as_me:$LINENO: checking if $compiler supports -c -o file.$ac_objext" >&5
-echo $ECHO_N "checking if $compiler supports -c -o file.$ac_objext... $ECHO_C" >&6; }
+  { $as_echo "$as_me:$LINENO: checking if $compiler supports -c -o file.$ac_objext" >&5
+$as_echo_n "checking if $compiler supports -c -o file.$ac_objext... " >&6; }
 if test "${lt_cv_prog_compiler_c_o+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 else
   lt_cv_prog_compiler_c_o=no
    $RM -r conftest 2>/dev/null
@@ -9385,11 +9921,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:9388: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:9924: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:9392: \$? = $ac_status" >&5
+   echo "$as_me:9928: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -9411,8 +9947,8 @@ else
    $RM conftest*
 
 fi
-{ echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_c_o" >&5
-echo "${ECHO_T}$lt_cv_prog_compiler_c_o" >&6; }
+{ $as_echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_c_o" >&5
+$as_echo "$lt_cv_prog_compiler_c_o" >&6; }
 
 
 
@@ -9420,19 +9956,19 @@ echo "${ECHO_T}$lt_cv_prog_compiler_c_o" >&6; }
 hard_links="nottested"
 if test "$lt_cv_prog_compiler_c_o" = no && test "$need_locks" != no; then
   # do not overwrite the value of need_locks provided by the user
-  { echo "$as_me:$LINENO: checking if we can lock with hard links" >&5
-echo $ECHO_N "checking if we can lock with hard links... $ECHO_C" >&6; }
+  { $as_echo "$as_me:$LINENO: checking if we can lock with hard links" >&5
+$as_echo_n "checking if we can lock with hard links... " >&6; }
   hard_links=yes
   $RM conftest*
   ln conftest.a conftest.b 2>/dev/null && hard_links=no
   touch conftest.a
   ln conftest.a conftest.b 2>&5 || hard_links=no
   ln conftest.a conftest.b 2>/dev/null && hard_links=no
-  { echo "$as_me:$LINENO: result: $hard_links" >&5
-echo "${ECHO_T}$hard_links" >&6; }
+  { $as_echo "$as_me:$LINENO: result: $hard_links" >&5
+$as_echo "$hard_links" >&6; }
   if test "$hard_links" = no; then
-    { echo "$as_me:$LINENO: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&5
-echo "$as_me: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&2;}
+    { $as_echo "$as_me:$LINENO: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&5
+$as_echo "$as_me: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&2;}
     need_locks=warn
   fi
 else
@@ -9444,8 +9980,8 @@ fi
 
 
 
-  { echo "$as_me:$LINENO: checking whether the $compiler linker ($LD) supports shared libraries" >&5
-echo $ECHO_N "checking whether the $compiler linker ($LD) supports shared libraries... $ECHO_C" >&6; }
+  { $as_echo "$as_me:$LINENO: checking whether the $compiler linker ($LD) supports shared libraries" >&5
+$as_echo_n "checking whether the $compiler linker ($LD) supports shared libraries... " >&6; }
 
   runpath_var=
   allow_undefined_flag=
@@ -9489,7 +10025,7 @@ echo $ECHO_N "checking whether the $compiler linker ($LD) supports shared librar
   extract_expsyms_cmds=
 
   case $host_os in
-  cygwin* | mingw* | pw32*)
+  cygwin* | mingw* | pw32* | cegcc*)
     # FIXME: the MSVC++ port hasn't been tested in a loooong time
     # When not using gcc, we currently assume that we are using
     # Microsoft Visual C++.
@@ -9576,7 +10112,7 @@ _LT_EOF
       fi
       ;;
 
-    cygwin* | mingw* | pw32*)
+    cygwin* | mingw* | pw32* | cegcc*)
       # _LT_TAGVAR(hardcode_libdir_flag_spec, ) is actually meaningless,
       # as there is no search path for DLLs.
       hardcode_libdir_flag_spec='-L$libdir'
@@ -9642,6 +10178,9 @@ _LT_EOF
 	  tmp_addflag=' -i_dynamic -nofor_main' ;;
 	ifc* | ifort*)			# Intel Fortran compiler
 	  tmp_addflag=' -nofor_main' ;;
+	lf95*)				# Lahey Fortran 8.1
+	  whole_archive_flag_spec=
+	  tmp_sharedflag='--shared' ;;
 	xl[cC]*)			# IBM XL C 8.0 on PPC (deal with xlf below)
 	  tmp_sharedflag='-qmkshrobj'
 	  tmp_addflag= ;;
@@ -9874,6 +10413,7 @@ _LT_EOF
 	fi
       fi
 
+      export_dynamic_flag_spec='${wl}-bexpall'
       # It seems that -bexpall does not export symbols beginning with
       # underscore (_), so it is better to generate a list of symbols to export.
       always_export_symbols=yes
@@ -9904,18 +10444,21 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
+       } && test -s conftest$ac_exeext && {
+	 test "$cross_compiling" = yes ||
+	 $as_test_x conftest$ac_exeext
+       }; then
 
 lt_aix_libpath_sed='
     /Import File Strings/,/^$/ {
@@ -9930,12 +10473,13 @@ if test -z "$aix_libpath"; then
   aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
 fi
 else
-  echo "$as_me: failed program was:" >&5
+  $as_echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 
 fi
 
+rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
@@ -9971,18 +10515,21 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
+       } && test -s conftest$ac_exeext && {
+	 test "$cross_compiling" = yes ||
+	 $as_test_x conftest$ac_exeext
+       }; then
 
 lt_aix_libpath_sed='
     /Import File Strings/,/^$/ {
@@ -9997,12 +10544,13 @@ if test -z "$aix_libpath"; then
   aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
 fi
 else
-  echo "$as_me: failed program was:" >&5
+  $as_echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 
 fi
 
+rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
@@ -10040,7 +10588,7 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
       export_dynamic_flag_spec=-rdynamic
       ;;
 
-    cygwin* | mingw* | pw32*)
+    cygwin* | mingw* | pw32* | cegcc*)
       # When not using gcc, we currently assume that we are using
       # Microsoft Visual C++.
       # hardcode_libdir_flag_spec is actually meaningless, as there is
@@ -10071,7 +10619,11 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
   whole_archive_flag_spec=''
   link_all_deplibs=yes
   allow_undefined_flag="$_lt_dar_allow_undefined"
-  if test "$GCC" = "yes"; then
+  case $cc_basename in
+     ifort*) _lt_dar_can_shared=yes ;;
+     *) _lt_dar_can_shared=$GCC ;;
+  esac
+  if test "$_lt_dar_can_shared" = "yes"; then
     output_verbose_link_cmd=echo
     archive_cmds="\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$libobjs \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring $_lt_dar_single_mod${_lt_dsymutil}"
     module_cmds="\$CC \$allow_undefined_flag -o \$lib -bundle \$libobjs \$deplibs \$compiler_flags${_lt_dsymutil}"
@@ -10163,7 +10715,7 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
 	  archive_cmds='$CC -shared ${wl}+h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
 	  ;;
 	ia64*)
-	  archive_cmds='$CC -shared ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags'
+	  archive_cmds='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags'
 	  ;;
 	*)
 	  archive_cmds='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
@@ -10221,27 +10773,31 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
+       } && test -s conftest$ac_exeext && {
+	 test "$cross_compiling" = yes ||
+	 $as_test_x conftest$ac_exeext
+       }; then
   archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && $ECHO "X${wl}-set_version ${wl}$verstring" | $Xsed` ${wl}-update_registry ${wl}${output_objdir}/so_locations ${wl}-exports_file ${wl}$export_symbols -o $lib'
 
 else
-  echo "$as_me: failed program was:" >&5
+  $as_echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 
 fi
 
+rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
         LDFLAGS="$save_LDFLAGS"
@@ -10499,8 +11055,8 @@ rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
     fi
   fi
 
-{ echo "$as_me:$LINENO: result: $ld_shlibs" >&5
-echo "${ECHO_T}$ld_shlibs" >&6; }
+{ $as_echo "$as_me:$LINENO: result: $ld_shlibs" >&5
+$as_echo "$ld_shlibs" >&6; }
 test "$ld_shlibs" = no && can_build_shared=no
 
 with_gnu_ld=$with_gnu_ld
@@ -10536,15 +11092,15 @@ x|xyes)
       # Test whether the compiler implicitly links with -lc since on some
       # systems, -lgcc has to come before -lc. If gcc already passes -lc
       # to ld, don't add -lc before -lgcc.
-      { echo "$as_me:$LINENO: checking whether -lc should be explicitly linked in" >&5
-echo $ECHO_N "checking whether -lc should be explicitly linked in... $ECHO_C" >&6; }
+      { $as_echo "$as_me:$LINENO: checking whether -lc should be explicitly linked in" >&5
+$as_echo_n "checking whether -lc should be explicitly linked in... " >&6; }
       $RM conftest*
       echo "$lt_simple_compile_test_code" > conftest.$ac_ext
 
       if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
   (eval $ac_compile) 2>&5
   ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } 2>conftest.err; then
         soname=conftest
         lib=conftest
@@ -10562,7 +11118,7 @@ echo $ECHO_N "checking whether -lc should be explicitly linked in... $ECHO_C" >&
         if { (eval echo "$as_me:$LINENO: \"$archive_cmds 2\>\&1 \| $GREP \" -lc \" \>/dev/null 2\>\&1\"") >&5
   (eval $archive_cmds 2\>\&1 \| $GREP \" -lc \" \>/dev/null 2\>\&1) 2>&5
   ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }
         then
 	  archive_cmds_need_lc=no
@@ -10574,8 +11130,8 @@ echo $ECHO_N "checking whether -lc should be explicitly linked in... $ECHO_C" >&
         cat conftest.err 1>&5
       fi
       $RM conftest*
-      { echo "$as_me:$LINENO: result: $archive_cmds_need_lc" >&5
-echo "${ECHO_T}$archive_cmds_need_lc" >&6; }
+      { $as_echo "$as_me:$LINENO: result: $archive_cmds_need_lc" >&5
+$as_echo "$archive_cmds_need_lc" >&6; }
       ;;
     esac
   fi
@@ -10738,8 +11294,8 @@ esac
 
 
 
-  { echo "$as_me:$LINENO: checking dynamic linker characteristics" >&5
-echo $ECHO_N "checking dynamic linker characteristics... $ECHO_C" >&6; }
+  { $as_echo "$as_me:$LINENO: checking dynamic linker characteristics" >&5
+$as_echo_n "checking dynamic linker characteristics... " >&6; }
 
 if test "$GCC" = yes; then
   case $host_os in
@@ -10901,14 +11457,14 @@ bsdi[45]*)
   # libtool to hard-code these into programs
   ;;
 
-cygwin* | mingw* | pw32*)
+cygwin* | mingw* | pw32* | cegcc*)
   version_type=windows
   shrext_cmds=".dll"
   need_version=no
   need_lib_prefix=no
 
   case $GCC,$host_os in
-  yes,cygwin* | yes,mingw* | yes,pw32*)
+  yes,cygwin* | yes,mingw* | yes,pw32* | yes,cegcc*)
     library_names_spec='$libname.dll.a'
     # DLL is installed to $(libdir)/../bin by postinstall_cmds
     postinstall_cmds='base_file=`basename \${file}`~
@@ -10931,7 +11487,7 @@ cygwin* | mingw* | pw32*)
       soname_spec='`echo ${libname} | sed -e 's/^lib/cyg/'``echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}'
       sys_lib_search_path_spec="/usr/lib /lib/w32api /lib /usr/local/lib"
       ;;
-    mingw*)
+    mingw* | cegcc*)
       # MinGW DLLs use traditional 'lib' prefix
       soname_spec='${libname}`echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}'
       sys_lib_search_path_spec=`$CC -print-search-dirs | $GREP "^libraries:" | $SED -e "s/^libraries://" -e "s,=/,/,g"`
@@ -11181,29 +11737,33 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
+       } && test -s conftest$ac_exeext && {
+	 test "$cross_compiling" = yes ||
+	 $as_test_x conftest$ac_exeext
+       }; then
   if  ($OBJDUMP -p conftest$ac_exeext) 2>/dev/null | grep "RUNPATH.*$libdir" >/dev/null; then
   shlibpath_overrides_runpath=yes
 fi
 
 else
-  echo "$as_me: failed program was:" >&5
+  $as_echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 
 fi
 
+rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
   LDFLAGS=$save_LDFLAGS
@@ -11412,7 +11972,7 @@ tpf*)
   version_type=linux
   need_lib_prefix=no
   need_version=no
-  library_name_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
   shlibpath_var=LD_LIBRARY_PATH
   shlibpath_overrides_runpath=no
   hardcode_into_libs=yes
@@ -11429,8 +11989,8 @@ uts4*)
   dynamic_linker=no
   ;;
 esac
-{ echo "$as_me:$LINENO: result: $dynamic_linker" >&5
-echo "${ECHO_T}$dynamic_linker" >&6; }
+{ $as_echo "$as_me:$LINENO: result: $dynamic_linker" >&5
+$as_echo "$dynamic_linker" >&6; }
 test "$dynamic_linker" = no && can_build_shared=no
 
 variables_saved_for_relink="PATH $shlibpath_var $runpath_var"
@@ -11531,8 +12091,8 @@ fi
 
 
 
-  { echo "$as_me:$LINENO: checking how to hardcode library paths into programs" >&5
-echo $ECHO_N "checking how to hardcode library paths into programs... $ECHO_C" >&6; }
+  { $as_echo "$as_me:$LINENO: checking how to hardcode library paths into programs" >&5
+$as_echo_n "checking how to hardcode library paths into programs... " >&6; }
 hardcode_action=
 if test -n "$hardcode_libdir_flag_spec" ||
    test -n "$runpath_var" ||
@@ -11556,8 +12116,8 @@ else
   # directories.
   hardcode_action=unsupported
 fi
-{ echo "$as_me:$LINENO: result: $hardcode_action" >&5
-echo "${ECHO_T}$hardcode_action" >&6; }
+{ $as_echo "$as_me:$LINENO: result: $hardcode_action" >&5
+$as_echo "$hardcode_action" >&6; }
 
 if test "$hardcode_action" = relink ||
    test "$inherit_rpath" = yes; then
@@ -11589,7 +12149,7 @@ else
     lt_cv_dlopen_self=yes
     ;;
 
-  mingw* | pw32*)
+  mingw* | pw32* | cegcc*)
     lt_cv_dlopen="LoadLibrary"
     lt_cv_dlopen_libs=
     ;;
@@ -11601,10 +12161,10 @@ else
 
   darwin*)
   # if libdl is installed we need to link against it
-    { echo "$as_me:$LINENO: checking for dlopen in -ldl" >&5
-echo $ECHO_N "checking for dlopen in -ldl... $ECHO_C" >&6; }
+    { $as_echo "$as_me:$LINENO: checking for dlopen in -ldl" >&5
+$as_echo_n "checking for dlopen in -ldl... " >&6; }
 if test "${ac_cv_lib_dl_dlopen+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
 LIBS="-ldl  $LIBS"
@@ -11636,33 +12196,37 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
+       } && test -s conftest$ac_exeext && {
+	 test "$cross_compiling" = yes ||
+	 $as_test_x conftest$ac_exeext
+       }; then
   ac_cv_lib_dl_dlopen=yes
 else
-  echo "$as_me: failed program was:" >&5
+  $as_echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_cv_lib_dl_dlopen=no
 fi
 
+rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ echo "$as_me:$LINENO: result: $ac_cv_lib_dl_dlopen" >&5
-echo "${ECHO_T}$ac_cv_lib_dl_dlopen" >&6; }
-if test $ac_cv_lib_dl_dlopen = yes; then
+{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_dl_dlopen" >&5
+$as_echo "$ac_cv_lib_dl_dlopen" >&6; }
+if test "x$ac_cv_lib_dl_dlopen" = x""yes; then
   lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-ldl"
 else
 
@@ -11675,10 +12239,10 @@ fi
     ;;
 
   *)
-    { echo "$as_me:$LINENO: checking for shl_load" >&5
-echo $ECHO_N "checking for shl_load... $ECHO_C" >&6; }
+    { $as_echo "$as_me:$LINENO: checking for shl_load" >&5
+$as_echo_n "checking for shl_load... " >&6; }
 if test "${ac_cv_func_shl_load+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
@@ -11731,38 +12295,42 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
+       } && test -s conftest$ac_exeext && {
+	 test "$cross_compiling" = yes ||
+	 $as_test_x conftest$ac_exeext
+       }; then
   ac_cv_func_shl_load=yes
 else
-  echo "$as_me: failed program was:" >&5
+  $as_echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_cv_func_shl_load=no
 fi
 
+rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-{ echo "$as_me:$LINENO: result: $ac_cv_func_shl_load" >&5
-echo "${ECHO_T}$ac_cv_func_shl_load" >&6; }
-if test $ac_cv_func_shl_load = yes; then
+{ $as_echo "$as_me:$LINENO: result: $ac_cv_func_shl_load" >&5
+$as_echo "$ac_cv_func_shl_load" >&6; }
+if test "x$ac_cv_func_shl_load" = x""yes; then
   lt_cv_dlopen="shl_load"
 else
-  { echo "$as_me:$LINENO: checking for shl_load in -ldld" >&5
-echo $ECHO_N "checking for shl_load in -ldld... $ECHO_C" >&6; }
+  { $as_echo "$as_me:$LINENO: checking for shl_load in -ldld" >&5
+$as_echo_n "checking for shl_load in -ldld... " >&6; }
 if test "${ac_cv_lib_dld_shl_load+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
 LIBS="-ldld  $LIBS"
@@ -11794,39 +12362,43 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
+       } && test -s conftest$ac_exeext && {
+	 test "$cross_compiling" = yes ||
+	 $as_test_x conftest$ac_exeext
+       }; then
   ac_cv_lib_dld_shl_load=yes
 else
-  echo "$as_me: failed program was:" >&5
+  $as_echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_cv_lib_dld_shl_load=no
 fi
 
+rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ echo "$as_me:$LINENO: result: $ac_cv_lib_dld_shl_load" >&5
-echo "${ECHO_T}$ac_cv_lib_dld_shl_load" >&6; }
-if test $ac_cv_lib_dld_shl_load = yes; then
+{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_dld_shl_load" >&5
+$as_echo "$ac_cv_lib_dld_shl_load" >&6; }
+if test "x$ac_cv_lib_dld_shl_load" = x""yes; then
   lt_cv_dlopen="shl_load" lt_cv_dlopen_libs="-ldld"
 else
-  { echo "$as_me:$LINENO: checking for dlopen" >&5
-echo $ECHO_N "checking for dlopen... $ECHO_C" >&6; }
+  { $as_echo "$as_me:$LINENO: checking for dlopen" >&5
+$as_echo_n "checking for dlopen... " >&6; }
 if test "${ac_cv_func_dlopen+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
@@ -11879,38 +12451,42 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
+       } && test -s conftest$ac_exeext && {
+	 test "$cross_compiling" = yes ||
+	 $as_test_x conftest$ac_exeext
+       }; then
   ac_cv_func_dlopen=yes
 else
-  echo "$as_me: failed program was:" >&5
+  $as_echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_cv_func_dlopen=no
 fi
 
+rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-{ echo "$as_me:$LINENO: result: $ac_cv_func_dlopen" >&5
-echo "${ECHO_T}$ac_cv_func_dlopen" >&6; }
-if test $ac_cv_func_dlopen = yes; then
+{ $as_echo "$as_me:$LINENO: result: $ac_cv_func_dlopen" >&5
+$as_echo "$ac_cv_func_dlopen" >&6; }
+if test "x$ac_cv_func_dlopen" = x""yes; then
   lt_cv_dlopen="dlopen"
 else
-  { echo "$as_me:$LINENO: checking for dlopen in -ldl" >&5
-echo $ECHO_N "checking for dlopen in -ldl... $ECHO_C" >&6; }
+  { $as_echo "$as_me:$LINENO: checking for dlopen in -ldl" >&5
+$as_echo_n "checking for dlopen in -ldl... " >&6; }
 if test "${ac_cv_lib_dl_dlopen+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
 LIBS="-ldl  $LIBS"
@@ -11942,39 +12518,43 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
+       } && test -s conftest$ac_exeext && {
+	 test "$cross_compiling" = yes ||
+	 $as_test_x conftest$ac_exeext
+       }; then
   ac_cv_lib_dl_dlopen=yes
 else
-  echo "$as_me: failed program was:" >&5
+  $as_echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_cv_lib_dl_dlopen=no
 fi
 
+rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ echo "$as_me:$LINENO: result: $ac_cv_lib_dl_dlopen" >&5
-echo "${ECHO_T}$ac_cv_lib_dl_dlopen" >&6; }
-if test $ac_cv_lib_dl_dlopen = yes; then
+{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_dl_dlopen" >&5
+$as_echo "$ac_cv_lib_dl_dlopen" >&6; }
+if test "x$ac_cv_lib_dl_dlopen" = x""yes; then
   lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-ldl"
 else
-  { echo "$as_me:$LINENO: checking for dlopen in -lsvld" >&5
-echo $ECHO_N "checking for dlopen in -lsvld... $ECHO_C" >&6; }
+  { $as_echo "$as_me:$LINENO: checking for dlopen in -lsvld" >&5
+$as_echo_n "checking for dlopen in -lsvld... " >&6; }
 if test "${ac_cv_lib_svld_dlopen+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
 LIBS="-lsvld  $LIBS"
@@ -12006,39 +12586,43 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
+       } && test -s conftest$ac_exeext && {
+	 test "$cross_compiling" = yes ||
+	 $as_test_x conftest$ac_exeext
+       }; then
   ac_cv_lib_svld_dlopen=yes
 else
-  echo "$as_me: failed program was:" >&5
+  $as_echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_cv_lib_svld_dlopen=no
 fi
 
+rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ echo "$as_me:$LINENO: result: $ac_cv_lib_svld_dlopen" >&5
-echo "${ECHO_T}$ac_cv_lib_svld_dlopen" >&6; }
-if test $ac_cv_lib_svld_dlopen = yes; then
+{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_svld_dlopen" >&5
+$as_echo "$ac_cv_lib_svld_dlopen" >&6; }
+if test "x$ac_cv_lib_svld_dlopen" = x""yes; then
   lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-lsvld"
 else
-  { echo "$as_me:$LINENO: checking for dld_link in -ldld" >&5
-echo $ECHO_N "checking for dld_link in -ldld... $ECHO_C" >&6; }
+  { $as_echo "$as_me:$LINENO: checking for dld_link in -ldld" >&5
+$as_echo_n "checking for dld_link in -ldld... " >&6; }
 if test "${ac_cv_lib_dld_dld_link+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
 LIBS="-ldld  $LIBS"
@@ -12070,33 +12654,37 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
+       } && test -s conftest$ac_exeext && {
+	 test "$cross_compiling" = yes ||
+	 $as_test_x conftest$ac_exeext
+       }; then
   ac_cv_lib_dld_dld_link=yes
 else
-  echo "$as_me: failed program was:" >&5
+  $as_echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_cv_lib_dld_dld_link=no
 fi
 
+rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ echo "$as_me:$LINENO: result: $ac_cv_lib_dld_dld_link" >&5
-echo "${ECHO_T}$ac_cv_lib_dld_dld_link" >&6; }
-if test $ac_cv_lib_dld_dld_link = yes; then
+{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_dld_dld_link" >&5
+$as_echo "$ac_cv_lib_dld_dld_link" >&6; }
+if test "x$ac_cv_lib_dld_dld_link" = x""yes; then
   lt_cv_dlopen="dld_link" lt_cv_dlopen_libs="-ldld"
 fi
 
@@ -12135,10 +12723,10 @@ fi
     save_LIBS="$LIBS"
     LIBS="$lt_cv_dlopen_libs $LIBS"
 
-    { echo "$as_me:$LINENO: checking whether a program can dlopen itself" >&5
-echo $ECHO_N "checking whether a program can dlopen itself... $ECHO_C" >&6; }
+    { $as_echo "$as_me:$LINENO: checking whether a program can dlopen itself" >&5
+$as_echo_n "checking whether a program can dlopen itself... " >&6; }
 if test "${lt_cv_dlopen_self+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 else
   	  if test "$cross_compiling" = yes; then :
   lt_cv_dlopen_self=cross
@@ -12146,7 +12734,7 @@ else
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext <<_LT_EOF
-#line 12149 "configure"
+#line 12737 "configure"
 #include "confdefs.h"
 
 #if HAVE_DLFCN_H
@@ -12187,10 +12775,6 @@ else
 #  endif
 #endif
 
-#ifdef __cplusplus
-extern "C" void exit (int);
-#endif
-
 void fnord() { int i=42;}
 int main ()
 {
@@ -12206,13 +12790,13 @@ int main ()
   else
     puts (dlerror ());
 
-    exit (status);
+  return status;
 }
 _LT_EOF
   if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
   (eval $ac_link) 2>&5
   ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && test -s conftest${ac_exeext} 2>/dev/null; then
     (./conftest; exit; ) >&5 2>/dev/null
     lt_status=$?
@@ -12230,15 +12814,15 @@ rm -fr conftest*
 
 
 fi
-{ echo "$as_me:$LINENO: result: $lt_cv_dlopen_self" >&5
-echo "${ECHO_T}$lt_cv_dlopen_self" >&6; }
+{ $as_echo "$as_me:$LINENO: result: $lt_cv_dlopen_self" >&5
+$as_echo "$lt_cv_dlopen_self" >&6; }
 
     if test "x$lt_cv_dlopen_self" = xyes; then
       wl=$lt_prog_compiler_wl eval LDFLAGS=\"\$LDFLAGS $lt_prog_compiler_static\"
-      { echo "$as_me:$LINENO: checking whether a statically linked program can dlopen itself" >&5
-echo $ECHO_N "checking whether a statically linked program can dlopen itself... $ECHO_C" >&6; }
+      { $as_echo "$as_me:$LINENO: checking whether a statically linked program can dlopen itself" >&5
+$as_echo_n "checking whether a statically linked program can dlopen itself... " >&6; }
 if test "${lt_cv_dlopen_self_static+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 else
   	  if test "$cross_compiling" = yes; then :
   lt_cv_dlopen_self_static=cross
@@ -12246,7 +12830,7 @@ else
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext <<_LT_EOF
-#line 12249 "configure"
+#line 12833 "configure"
 #include "confdefs.h"
 
 #if HAVE_DLFCN_H
@@ -12287,10 +12871,6 @@ else
 #  endif
 #endif
 
-#ifdef __cplusplus
-extern "C" void exit (int);
-#endif
-
 void fnord() { int i=42;}
 int main ()
 {
@@ -12306,13 +12886,13 @@ int main ()
   else
     puts (dlerror ());
 
-    exit (status);
+  return status;
 }
 _LT_EOF
   if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
   (eval $ac_link) 2>&5
   ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && test -s conftest${ac_exeext} 2>/dev/null; then
     (./conftest; exit; ) >&5 2>/dev/null
     lt_status=$?
@@ -12330,8 +12910,8 @@ rm -fr conftest*
 
 
 fi
-{ echo "$as_me:$LINENO: result: $lt_cv_dlopen_self_static" >&5
-echo "${ECHO_T}$lt_cv_dlopen_self_static" >&6; }
+{ $as_echo "$as_me:$LINENO: result: $lt_cv_dlopen_self_static" >&5
+$as_echo "$lt_cv_dlopen_self_static" >&6; }
     fi
 
     CPPFLAGS="$save_CPPFLAGS"
@@ -12369,13 +12949,13 @@ fi
 
 striplib=
 old_striplib=
-{ echo "$as_me:$LINENO: checking whether stripping libraries is possible" >&5
-echo $ECHO_N "checking whether stripping libraries is possible... $ECHO_C" >&6; }
+{ $as_echo "$as_me:$LINENO: checking whether stripping libraries is possible" >&5
+$as_echo_n "checking whether stripping libraries is possible... " >&6; }
 if test -n "$STRIP" && $STRIP -V 2>&1 | $GREP "GNU strip" >/dev/null; then
   test -z "$old_striplib" && old_striplib="$STRIP --strip-debug"
   test -z "$striplib" && striplib="$STRIP --strip-unneeded"
-  { echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6; }
+  { $as_echo "$as_me:$LINENO: result: yes" >&5
+$as_echo "yes" >&6; }
 else
 # FIXME - insert some real tests, host_os isn't really good enough
   case $host_os in
@@ -12383,16 +12963,16 @@ else
     if test -n "$STRIP" ; then
       striplib="$STRIP -x"
       old_striplib="$STRIP -S"
-      { echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6; }
+      { $as_echo "$as_me:$LINENO: result: yes" >&5
+$as_echo "yes" >&6; }
     else
-      { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
+      { $as_echo "$as_me:$LINENO: result: no" >&5
+$as_echo "no" >&6; }
     fi
     ;;
   *)
-    { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
+    { $as_echo "$as_me:$LINENO: result: no" >&5
+$as_echo "no" >&6; }
     ;;
   esac
 fi
@@ -12409,13 +12989,13 @@ fi
 
 
   # Report which library types will actually be built
-  { echo "$as_me:$LINENO: checking if libtool supports shared libraries" >&5
-echo $ECHO_N "checking if libtool supports shared libraries... $ECHO_C" >&6; }
-  { echo "$as_me:$LINENO: result: $can_build_shared" >&5
-echo "${ECHO_T}$can_build_shared" >&6; }
+  { $as_echo "$as_me:$LINENO: checking if libtool supports shared libraries" >&5
+$as_echo_n "checking if libtool supports shared libraries... " >&6; }
+  { $as_echo "$as_me:$LINENO: result: $can_build_shared" >&5
+$as_echo "$can_build_shared" >&6; }
 
-  { echo "$as_me:$LINENO: checking whether to build shared libraries" >&5
-echo $ECHO_N "checking whether to build shared libraries... $ECHO_C" >&6; }
+  { $as_echo "$as_me:$LINENO: checking whether to build shared libraries" >&5
+$as_echo_n "checking whether to build shared libraries... " >&6; }
   test "$can_build_shared" = "no" && enable_shared=no
 
   # On AIX, shared libraries and static libraries use the same namespace, and
@@ -12435,15 +13015,15 @@ echo $ECHO_N "checking whether to build shared libraries... $ECHO_C" >&6; }
     fi
     ;;
   esac
-  { echo "$as_me:$LINENO: result: $enable_shared" >&5
-echo "${ECHO_T}$enable_shared" >&6; }
+  { $as_echo "$as_me:$LINENO: result: $enable_shared" >&5
+$as_echo "$enable_shared" >&6; }
 
-  { echo "$as_me:$LINENO: checking whether to build static libraries" >&5
-echo $ECHO_N "checking whether to build static libraries... $ECHO_C" >&6; }
+  { $as_echo "$as_me:$LINENO: checking whether to build static libraries" >&5
+$as_echo_n "checking whether to build static libraries... " >&6; }
   # Make sure either enable_shared or enable_static is yes.
   test "$enable_shared" = yes || enable_static=yes
-  { echo "$as_me:$LINENO: result: $enable_static" >&5
-echo "${ECHO_T}$enable_static" >&6; }
+  { $as_echo "$as_me:$LINENO: result: $enable_static" >&5
+$as_echo "$enable_static" >&6; }
 
 
 
@@ -12481,10 +13061,10 @@ for ac_prog in flex lex
 do
   # Extract the first word of "$ac_prog", so it can be a program name with args.
 set dummy $ac_prog; ac_word=$2
-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
 if test "${ac_cv_prog_LEX+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 else
   if test -n "$LEX"; then
   ac_cv_prog_LEX="$LEX" # Let the user override the test.
@@ -12497,7 +13077,7 @@ do
   for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_LEX="$ac_prog"
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
@@ -12508,11 +13088,11 @@ fi
 fi
 LEX=$ac_cv_prog_LEX
 if test -n "$LEX"; then
-  { echo "$as_me:$LINENO: result: $LEX" >&5
-echo "${ECHO_T}$LEX" >&6; }
+  { $as_echo "$as_me:$LINENO: result: $LEX" >&5
+$as_echo "$LEX" >&6; }
 else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
+  { $as_echo "$as_me:$LINENO: result: no" >&5
+$as_echo "no" >&6; }
 fi
 
 
@@ -12545,15 +13125,16 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
   (eval "$LEX conftest.l") 2>&5
   ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }
-{ echo "$as_me:$LINENO: checking lex output file root" >&5
-echo $ECHO_N "checking lex output file root... $ECHO_C" >&6; }
+{ $as_echo "$as_me:$LINENO: checking lex output file root" >&5
+$as_echo_n "checking lex output file root... " >&6; }
 if test "${ac_cv_prog_lex_root+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 else
 
 if test -f lex.yy.c; then
@@ -12561,20 +13142,20 @@ if test -f lex.yy.c; then
 elif test -f lexyy.c; then
   ac_cv_prog_lex_root=lexyy
 else
-  { { echo "$as_me:$LINENO: error: cannot find output from $LEX; giving up" >&5
-echo "$as_me: error: cannot find output from $LEX; giving up" >&2;}
+  { { $as_echo "$as_me:$LINENO: error: cannot find output from $LEX; giving up" >&5
+$as_echo "$as_me: error: cannot find output from $LEX; giving up" >&2;}
    { (exit 1); exit 1; }; }
 fi
 fi
-{ echo "$as_me:$LINENO: result: $ac_cv_prog_lex_root" >&5
-echo "${ECHO_T}$ac_cv_prog_lex_root" >&6; }
+{ $as_echo "$as_me:$LINENO: result: $ac_cv_prog_lex_root" >&5
+$as_echo "$ac_cv_prog_lex_root" >&6; }
 LEX_OUTPUT_ROOT=$ac_cv_prog_lex_root
 
 if test -z "${LEXLIB+set}"; then
-  { echo "$as_me:$LINENO: checking lex library" >&5
-echo $ECHO_N "checking lex library... $ECHO_C" >&6; }
+  { $as_echo "$as_me:$LINENO: checking lex library" >&5
+$as_echo_n "checking lex library... " >&6; }
 if test "${ac_cv_lib_lex+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 else
 
     ac_save_LIBS=$LIBS
@@ -12590,26 +13171,30 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
+       } && test -s conftest$ac_exeext && {
+	 test "$cross_compiling" = yes ||
+	 $as_test_x conftest$ac_exeext
+       }; then
   ac_cv_lib_lex=$ac_lib
 else
-  echo "$as_me: failed program was:" >&5
+  $as_echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 
 fi
 
+rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
       test "$ac_cv_lib_lex" != 'none needed' && break
@@ -12617,16 +13202,16 @@ rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
     LIBS=$ac_save_LIBS
 
 fi
-{ echo "$as_me:$LINENO: result: $ac_cv_lib_lex" >&5
-echo "${ECHO_T}$ac_cv_lib_lex" >&6; }
+{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_lex" >&5
+$as_echo "$ac_cv_lib_lex" >&6; }
   test "$ac_cv_lib_lex" != 'none needed' && LEXLIB=$ac_cv_lib_lex
 fi
 
 
-{ echo "$as_me:$LINENO: checking whether yytext is a pointer" >&5
-echo $ECHO_N "checking whether yytext is a pointer... $ECHO_C" >&6; }
+{ $as_echo "$as_me:$LINENO: checking whether yytext is a pointer" >&5
+$as_echo_n "checking whether yytext is a pointer... " >&6; }
 if test "${ac_cv_prog_lex_yytext_pointer+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 else
   # POSIX says lex can declare yytext either as a pointer or an array; the
 # default is implementation-dependent.  Figure out which it is, since
@@ -12644,33 +13229,37 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
+       } && test -s conftest$ac_exeext && {
+	 test "$cross_compiling" = yes ||
+	 $as_test_x conftest$ac_exeext
+       }; then
   ac_cv_prog_lex_yytext_pointer=yes
 else
-  echo "$as_me: failed program was:" >&5
+  $as_echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 
 fi
 
+rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_save_LIBS
 
 fi
-{ echo "$as_me:$LINENO: result: $ac_cv_prog_lex_yytext_pointer" >&5
-echo "${ECHO_T}$ac_cv_prog_lex_yytext_pointer" >&6; }
+{ $as_echo "$as_me:$LINENO: result: $ac_cv_prog_lex_yytext_pointer" >&5
+$as_echo "$ac_cv_prog_lex_yytext_pointer" >&6; }
 if test $ac_cv_prog_lex_yytext_pointer = yes; then
 
 cat >>confdefs.h <<\_ACEOF
@@ -12685,10 +13274,10 @@ for ac_prog in 'bison -y' byacc
 do
   # Extract the first word of "$ac_prog", so it can be a program name with args.
 set dummy $ac_prog; ac_word=$2
-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
 if test "${ac_cv_prog_YACC+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 else
   if test -n "$YACC"; then
   ac_cv_prog_YACC="$YACC" # Let the user override the test.
@@ -12701,7 +13290,7 @@ do
   for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_YACC="$ac_prog"
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
@@ -12712,11 +13301,11 @@ fi
 fi
 YACC=$ac_cv_prog_YACC
 if test -n "$YACC"; then
-  { echo "$as_me:$LINENO: result: $YACC" >&5
-echo "${ECHO_T}$YACC" >&6; }
+  { $as_echo "$as_me:$LINENO: result: $YACC" >&5
+$as_echo "$YACC" >&6; }
 else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
+  { $as_echo "$as_me:$LINENO: result: no" >&5
+$as_echo "no" >&6; }
 fi
 
 
@@ -12724,356 +13313,611 @@ fi
 done
 test -n "$YACC" || YACC="yacc"
 
-ac_ext=c
-ac_cpp='$CPP $CPPFLAGS'
-ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
-ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
-ac_compiler_gnu=$ac_cv_c_compiler_gnu
-if test -n "$ac_tool_prefix"; then
-  # Extract the first word of "${ac_tool_prefix}gcc", so it can be a program name with args.
-set dummy ${ac_tool_prefix}gcc; ac_word=$2
-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
-if test "${ac_cv_prog_CC+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  if test -n "$CC"; then
-  ac_cv_prog_CC="$CC" # Let the user override the test.
+# Extract the first word of "gperf", so it can be a program name with args.
+set dummy gperf; ac_word=$2
+{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if test "${ac_cv_path_GPERF+set}" = set; then
+  $as_echo_n "(cached) " >&6
 else
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
+  case $GPERF in
+  [\\/]* | ?:[\\/]*)
+  ac_cv_path_GPERF="$GPERF" # Let the user override the test with a path.
+  ;;
+  *)
+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+as_dummy="$PATH:/bin:/usr/bin:/usr/local/bin"
+for as_dir in $as_dummy
 do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
   for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-    ac_cv_prog_CC="${ac_tool_prefix}gcc"
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    ac_cv_path_GPERF="$as_dir/$ac_word$ac_exec_ext"
+    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
 done
 IFS=$as_save_IFS
 
+  ;;
+esac
 fi
-fi
-CC=$ac_cv_prog_CC
-if test -n "$CC"; then
-  { echo "$as_me:$LINENO: result: $CC" >&5
-echo "${ECHO_T}$CC" >&6; }
+GPERF=$ac_cv_path_GPERF
+if test -n "$GPERF"; then
+  { $as_echo "$as_me:$LINENO: result: $GPERF" >&5
+$as_echo "$GPERF" >&6; }
 else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
+  { $as_echo "$as_me:$LINENO: result: no" >&5
+$as_echo "no" >&6; }
 fi
 
 
-fi
-if test -z "$ac_cv_prog_CC"; then
-  ac_ct_CC=$CC
-  # Extract the first word of "gcc", so it can be a program name with args.
-set dummy gcc; ac_word=$2
-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
-if test "${ac_cv_prog_ac_ct_CC+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  if test -n "$ac_ct_CC"; then
-  ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test.
+# Extract the first word of "perl", so it can be a program name with args.
+set dummy perl; ac_word=$2
+{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if test "${ac_cv_path_PERL+set}" = set; then
+  $as_echo_n "(cached) " >&6
 else
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
+  case $PERL in
+  [\\/]* | ?:[\\/]*)
+  ac_cv_path_PERL="$PERL" # Let the user override the test with a path.
+  ;;
+  *)
+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+as_dummy="$PATH:/bin:/usr/bin:/usr/local/bin"
+for as_dir in $as_dummy
 do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
   for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-    ac_cv_prog_ac_ct_CC="gcc"
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    ac_cv_path_PERL="$as_dir/$ac_word$ac_exec_ext"
+    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
 done
 IFS=$as_save_IFS
 
+  ;;
+esac
 fi
-fi
-ac_ct_CC=$ac_cv_prog_ac_ct_CC
-if test -n "$ac_ct_CC"; then
-  { echo "$as_me:$LINENO: result: $ac_ct_CC" >&5
-echo "${ECHO_T}$ac_ct_CC" >&6; }
+PERL=$ac_cv_path_PERL
+if test -n "$PERL"; then
+  { $as_echo "$as_me:$LINENO: result: $PERL" >&5
+$as_echo "$PERL" >&6; }
 else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
+  { $as_echo "$as_me:$LINENO: result: no" >&5
+$as_echo "no" >&6; }
 fi
 
-  if test "x$ac_ct_CC" = x; then
-    CC=""
-  else
-    case $cross_compiling:$ac_tool_warned in
-yes:)
-{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
-whose name does not start with the host triplet.  If you think this
-configuration is useful to you, please write to autoconf@gnu.org." >&5
-echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
-whose name does not start with the host triplet.  If you think this
-configuration is useful to you, please write to autoconf@gnu.org." >&2;}
-ac_tool_warned=yes ;;
-esac
-    CC=$ac_ct_CC
-  fi
-else
-  CC="$ac_cv_prog_CC"
+
+
+
+if test x$eap_aka = xtrue; then
+	gmp=true;
+	fips_prf=true;
+	sha1=true;
 fi
 
-if test -z "$CC"; then
-          if test -n "$ac_tool_prefix"; then
-    # Extract the first word of "${ac_tool_prefix}cc", so it can be a program name with args.
-set dummy ${ac_tool_prefix}cc; ac_word=$2
-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
-if test "${ac_cv_prog_CC+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  if test -n "$CC"; then
-  ac_cv_prog_CC="$CC" # Let the user override the test.
-else
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-    ac_cv_prog_CC="${ac_tool_prefix}cc"
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
-    break 2
-  fi
-done
-done
-IFS=$as_save_IFS
+if test x$eap_sim = xtrue; then
+	fips_prf=true;
+fi
 
+if test x$fips_prf = xtrue; then
+	sha1=true;
 fi
+
+if test x$tools = xtrue; then
+	gmp=true;
 fi
-CC=$ac_cv_prog_CC
-if test -n "$CC"; then
-  { echo "$as_me:$LINENO: result: $CC" >&5
-echo "${ECHO_T}$CC" >&6; }
-else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
+
+if test x$smp = xtrue; then
+	xml=true
 fi
 
+if test x$manager = xtrue; then
+	fast=true
+fi
 
-  fi
+if test x$medsrv = xtrue; then
+	me=true
+	fast=true
 fi
-if test -z "$CC"; then
-  # Extract the first word of "cc", so it can be a program name with args.
-set dummy cc; ac_word=$2
-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
-if test "${ac_cv_prog_CC+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+
+if test x$medcli = xtrue; then
+	me=true
+fi
+
+
+{ $as_echo "$as_me:$LINENO: checking for stdbool.h that conforms to C99" >&5
+$as_echo_n "checking for stdbool.h that conforms to C99... " >&6; }
+if test "${ac_cv_header_stdbool_h+set}" = set; then
+  $as_echo_n "(cached) " >&6
 else
-  if test -n "$CC"; then
-  ac_cv_prog_CC="$CC" # Let the user override the test.
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+
+#include <stdbool.h>
+#ifndef bool
+ "error: bool is not defined"
+#endif
+#ifndef false
+ "error: false is not defined"
+#endif
+#if false
+ "error: false is not 0"
+#endif
+#ifndef true
+ "error: true is not defined"
+#endif
+#if true != 1
+ "error: true is not 1"
+#endif
+#ifndef __bool_true_false_are_defined
+ "error: __bool_true_false_are_defined is not defined"
+#endif
+
+	struct s { _Bool s: 1; _Bool t; } s;
+
+	char a[true == 1 ? 1 : -1];
+	char b[false == 0 ? 1 : -1];
+	char c[__bool_true_false_are_defined == 1 ? 1 : -1];
+	char d[(bool) 0.5 == true ? 1 : -1];
+	bool e = &s;
+	char f[(_Bool) 0.0 == false ? 1 : -1];
+	char g[true];
+	char h[sizeof (_Bool)];
+	char i[sizeof s.t];
+	enum { j = false, k = true, l = false * true, m = true * 256 };
+	/* The following fails for
+	   HP aC++/ANSI C B3910B A.05.55 [Dec 04 2003]. */
+	_Bool n[m];
+	char o[sizeof n == m * sizeof n[0] ? 1 : -1];
+	char p[-1 - (_Bool) 0 < 0 && -1 - (bool) 0 < 0 ? 1 : -1];
+#	if defined __xlc__ || defined __GNUC__
+	 /* Catch a bug in IBM AIX xlc compiler version 6.0.0.0
+	    reported by James Lemley on 2005-10-05; see
+	    http://lists.gnu.org/archive/html/bug-coreutils/2005-10/msg00086.html
+	    This test is not quite right, since xlc is allowed to
+	    reject this program, as the initializer for xlcbug is
+	    not one of the forms that C requires support for.
+	    However, doing the test right would require a runtime
+	    test, and that would make cross-compilation harder.
+	    Let us hope that IBM fixes the xlc bug, and also adds
+	    support for this kind of constant expression.  In the
+	    meantime, this test will reject xlc, which is OK, since
+	    our stdbool.h substitute should suffice.  We also test
+	    this with GCC, where it should work, to detect more
+	    quickly whether someone messes up the test in the
+	    future.  */
+	 char digs[] = "0123456789";
+	 int xlcbug = 1 / (&(digs + 5)[-2 + (bool) 1] == &digs[4] ? 1 : -1);
+#	endif
+	/* Catch a bug in an HP-UX C compiler.  See
+	   http://gcc.gnu.org/ml/gcc-patches/2003-12/msg02303.html
+	   http://lists.gnu.org/archive/html/bug-coreutils/2005-11/msg00161.html
+	 */
+	_Bool q = true;
+	_Bool *pq = &q;
+
+int
+main ()
+{
+
+	*pq |= q;
+	*pq |= ! q;
+	/* Refer to every declared value, to avoid compiler optimizations.  */
+	return (!a + !b + !c + !d + !e + !f + !g + !h + !i + !!j + !k + !!l
+		+ !m + !n + !o + !p + !q + !pq);
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  ac_cv_header_stdbool_h=yes
+else
+  $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	ac_cv_header_stdbool_h=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+{ $as_echo "$as_me:$LINENO: result: $ac_cv_header_stdbool_h" >&5
+$as_echo "$ac_cv_header_stdbool_h" >&6; }
+{ $as_echo "$as_me:$LINENO: checking for _Bool" >&5
+$as_echo_n "checking for _Bool... " >&6; }
+if test "${ac_cv_type__Bool+set}" = set; then
+  $as_echo_n "(cached) " >&6
+else
+  ac_cv_type__Bool=no
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+$ac_includes_default
+int
+main ()
+{
+if (sizeof (_Bool))
+       return 0;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+$ac_includes_default
+int
+main ()
+{
+if (sizeof ((_Bool)))
+	  return 0;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  :
 else
-  ac_prog_rejected=no
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-    if test "$as_dir/$ac_word$ac_exec_ext" = "/usr/ucb/cc"; then
-       ac_prog_rejected=yes
-       continue
-     fi
-    ac_cv_prog_CC="cc"
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
-    break 2
-  fi
-done
-done
-IFS=$as_save_IFS
+  $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
 
-if test $ac_prog_rejected = yes; then
-  # We found a bogon in the path, so make sure we never use it.
-  set dummy $ac_cv_prog_CC
-  shift
-  if test $# != 0; then
-    # We chose a different compiler from the bogus one.
-    # However, it has the same basename, so the bogon will be chosen
-    # first if we set CC to just the basename; use the full file name.
-    shift
-    ac_cv_prog_CC="$as_dir/$ac_word${1+' '}$@"
-  fi
+	ac_cv_type__Bool=yes
 fi
-fi
-fi
-CC=$ac_cv_prog_CC
-if test -n "$CC"; then
-  { echo "$as_me:$LINENO: result: $CC" >&5
-echo "${ECHO_T}$CC" >&6; }
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
-fi
+  $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
 
 
 fi
-if test -z "$CC"; then
-  if test -n "$ac_tool_prefix"; then
-  for ac_prog in cl.exe
-  do
-    # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args.
-set dummy $ac_tool_prefix$ac_prog; ac_word=$2
-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
-if test "${ac_cv_prog_CC+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  if test -n "$CC"; then
-  ac_cv_prog_CC="$CC" # Let the user override the test.
-else
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-    ac_cv_prog_CC="$ac_tool_prefix$ac_prog"
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
-    break 2
-  fi
-done
-done
-IFS=$as_save_IFS
 
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
-fi
-CC=$ac_cv_prog_CC
-if test -n "$CC"; then
-  { echo "$as_me:$LINENO: result: $CC" >&5
-echo "${ECHO_T}$CC" >&6; }
-else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
-fi
+{ $as_echo "$as_me:$LINENO: result: $ac_cv_type__Bool" >&5
+$as_echo "$ac_cv_type__Bool" >&6; }
+if test "x$ac_cv_type__Bool" = x""yes; then
 
+cat >>confdefs.h <<_ACEOF
+#define HAVE__BOOL 1
+_ACEOF
 
-    test -n "$CC" && break
-  done
-fi
-if test -z "$CC"; then
-  ac_ct_CC=$CC
-  for ac_prog in cl.exe
-do
-  # Extract the first word of "$ac_prog", so it can be a program name with args.
-set dummy $ac_prog; ac_word=$2
-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
-if test "${ac_cv_prog_ac_ct_CC+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  if test -n "$ac_ct_CC"; then
-  ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test.
-else
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-    ac_cv_prog_ac_ct_CC="$ac_prog"
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
-    break 2
-  fi
-done
-done
-IFS=$as_save_IFS
 
-fi
-fi
-ac_ct_CC=$ac_cv_prog_ac_ct_CC
-if test -n "$ac_ct_CC"; then
-  { echo "$as_me:$LINENO: result: $ac_ct_CC" >&5
-echo "${ECHO_T}$ac_ct_CC" >&6; }
-else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
 fi
 
+if test $ac_cv_header_stdbool_h = yes; then
 
-  test -n "$ac_ct_CC" && break
-done
-
-  if test "x$ac_ct_CC" = x; then
-    CC=""
-  else
-    case $cross_compiling:$ac_tool_warned in
-yes:)
-{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
-whose name does not start with the host triplet.  If you think this
-configuration is useful to you, please write to autoconf@gnu.org." >&5
-echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
-whose name does not start with the host triplet.  If you think this
-configuration is useful to you, please write to autoconf@gnu.org." >&2;}
-ac_tool_warned=yes ;;
-esac
-    CC=$ac_ct_CC
-  fi
-fi
+cat >>confdefs.h <<\_ACEOF
+#define HAVE_STDBOOL_H 1
+_ACEOF
 
 fi
 
 
-test -z "$CC" && { { echo "$as_me:$LINENO: error: no acceptable C compiler found in \$PATH
-See \`config.log' for more details." >&5
-echo "$as_me: error: no acceptable C compiler found in \$PATH
-See \`config.log' for more details." >&2;}
-   { (exit 1); exit 1; }; }
+saved_LIBS=$LIBS
+LIBS=""
+{ $as_echo "$as_me:$LINENO: checking for library containing dlopen" >&5
+$as_echo_n "checking for library containing dlopen... " >&6; }
+if test "${ac_cv_search_dlopen+set}" = set; then
+  $as_echo_n "(cached) " >&6
+else
+  ac_func_search_save_LIBS=$LIBS
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
 
-# Provide some information about the compiler.
-echo "$as_me:$LINENO: checking for C compiler version" >&5
-ac_compiler=`set X $ac_compile; echo $2`
-{ (ac_try="$ac_compiler --version >&5"
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char dlopen ();
+int
+main ()
+{
+return dlopen ();
+  ;
+  return 0;
+}
+_ACEOF
+for ac_lib in '' dl; do
+  if test -z "$ac_lib"; then
+    ac_res="none required"
+  else
+    ac_res=-l$ac_lib
+    LIBS="-l$ac_lib  $ac_func_search_save_LIBS"
+  fi
+  rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
 case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_compiler --version >&5") 2>&5
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }
-{ (ac_try="$ac_compiler -v >&5"
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext && {
+	 test "$cross_compiling" = yes ||
+	 $as_test_x conftest$ac_exeext
+       }; then
+  ac_cv_search_dlopen=$ac_res
+else
+  $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+
+fi
+
+rm -rf conftest.dSYM
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext
+  if test "${ac_cv_search_dlopen+set}" = set; then
+  break
+fi
+done
+if test "${ac_cv_search_dlopen+set}" = set; then
+  :
+else
+  ac_cv_search_dlopen=no
+fi
+rm conftest.$ac_ext
+LIBS=$ac_func_search_save_LIBS
+fi
+{ $as_echo "$as_me:$LINENO: result: $ac_cv_search_dlopen" >&5
+$as_echo "$ac_cv_search_dlopen" >&6; }
+ac_res=$ac_cv_search_dlopen
+if test "$ac_res" != no; then
+  test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
+  DLLIB=$LIBS
+fi
+
+LIBS=$saved_LIBS
+
+
+{ $as_echo "$as_me:$LINENO: checking for dladdr" >&5
+$as_echo_n "checking for dladdr... " >&6; }
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+#define _GNU_SOURCE
+	 #include <dlfcn.h>
+int
+main ()
+{
+Dl_info* info = 0;
+	 dladdr(0, info);
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
 case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_compiler -v >&5") 2>&5
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }
-{ (ac_try="$ac_compiler -V >&5"
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  { $as_echo "$as_me:$LINENO: result: yes" >&5
+$as_echo "yes" >&6; }; cat >>confdefs.h <<\_ACEOF
+#define HAVE_DLADDR 1
+_ACEOF
+
+else
+  $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	{ $as_echo "$as_me:$LINENO: result: no" >&5
+$as_echo "no" >&6; }
+
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+
+
+for ac_func in backtrace
+do
+as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
+{ $as_echo "$as_me:$LINENO: checking for $ac_func" >&5
+$as_echo_n "checking for $ac_func... " >&6; }
+if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
+  $as_echo_n "(cached) " >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+/* Define $ac_func to an innocuous variant, in case <limits.h> declares $ac_func.
+   For example, HP-UX 11i <limits.h> declares gettimeofday.  */
+#define $ac_func innocuous_$ac_func
+
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.
+    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+    <limits.h> exists even on freestanding compilers.  */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef $ac_func
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char $ac_func ();
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined __stub_$ac_func || defined __stub___$ac_func
+choke me
+#endif
+
+int
+main ()
+{
+return $ac_func ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
 case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_compiler -V >&5") 2>&5
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext && {
+	 test "$cross_compiling" = yes ||
+	 $as_test_x conftest$ac_exeext
+       }; then
+  eval "$as_ac_var=yes"
+else
+  $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
 
-{ echo "$as_me:$LINENO: checking whether we are using the GNU C compiler" >&5
-echo $ECHO_N "checking whether we are using the GNU C compiler... $ECHO_C" >&6; }
-if test "${ac_cv_c_compiler_gnu+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+	eval "$as_ac_var=no"
+fi
+
+rm -rf conftest.dSYM
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+fi
+ac_res=`eval 'as_val=${'$as_ac_var'}
+		 $as_echo "$as_val"'`
+	       { $as_echo "$as_me:$LINENO: result: $ac_res" >&5
+$as_echo "$ac_res" >&6; }
+as_val=`eval 'as_val=${'$as_ac_var'}
+		 $as_echo "$as_val"'`
+   if test "x$as_val" = x""yes; then
+  cat >>confdefs.h <<_ACEOF
+#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
+_ACEOF
+
+fi
+done
+
+
+for ac_func in prctl
+do
+as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
+{ $as_echo "$as_me:$LINENO: checking for $ac_func" >&5
+$as_echo_n "checking for $ac_func... " >&6; }
+if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
+  $as_echo_n "(cached) " >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
@@ -13081,113 +13925,222 @@ _ACEOF
 cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
+/* Define $ac_func to an innocuous variant, in case <limits.h> declares $ac_func.
+   For example, HP-UX 11i <limits.h> declares gettimeofday.  */
+#define $ac_func innocuous_$ac_func
+
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.
+    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+    <limits.h> exists even on freestanding compilers.  */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef $ac_func
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char $ac_func ();
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined __stub_$ac_func || defined __stub___$ac_func
+choke me
+#endif
 
 int
 main ()
 {
-#ifndef __GNUC__
-       choke me
-#endif
-
+return $ac_func ();
   ;
   return 0;
 }
 _ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
 case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_compile") 2>conftest.er1
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  ac_compiler_gnu=yes
+       } && test -s conftest$ac_exeext && {
+	 test "$cross_compiling" = yes ||
+	 $as_test_x conftest$ac_exeext
+       }; then
+  eval "$as_ac_var=yes"
 else
-  echo "$as_me: failed program was:" >&5
+  $as_echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-	ac_compiler_gnu=no
+	eval "$as_ac_var=no"
 fi
 
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-ac_cv_c_compiler_gnu=$ac_compiler_gnu
+rm -rf conftest.dSYM
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+fi
+ac_res=`eval 'as_val=${'$as_ac_var'}
+		 $as_echo "$as_val"'`
+	       { $as_echo "$as_me:$LINENO: result: $ac_res" >&5
+$as_echo "$ac_res" >&6; }
+as_val=`eval 'as_val=${'$as_ac_var'}
+		 $as_echo "$as_val"'`
+   if test "x$as_val" = x""yes; then
+  cat >>confdefs.h <<_ACEOF
+#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
+_ACEOF
 
 fi
-{ echo "$as_me:$LINENO: result: $ac_cv_c_compiler_gnu" >&5
-echo "${ECHO_T}$ac_cv_c_compiler_gnu" >&6; }
-GCC=`test $ac_compiler_gnu = yes && echo yes`
-ac_test_CFLAGS=${CFLAGS+set}
-ac_save_CFLAGS=$CFLAGS
-{ echo "$as_me:$LINENO: checking whether $CC accepts -g" >&5
-echo $ECHO_N "checking whether $CC accepts -g... $ECHO_C" >&6; }
-if test "${ac_cv_prog_cc_g+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+done
+
+
+for ac_func in gethostbyname_r
+do
+as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
+{ $as_echo "$as_me:$LINENO: checking for $ac_func" >&5
+$as_echo_n "checking for $ac_func... " >&6; }
+if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
+  $as_echo_n "(cached) " >&6
 else
-  ac_save_c_werror_flag=$ac_c_werror_flag
-   ac_c_werror_flag=yes
-   ac_cv_prog_cc_g=no
-   CFLAGS="-g"
-   cat >conftest.$ac_ext <<_ACEOF
+  cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
 cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
+/* Define $ac_func to an innocuous variant, in case <limits.h> declares $ac_func.
+   For example, HP-UX 11i <limits.h> declares gettimeofday.  */
+#define $ac_func innocuous_$ac_func
+
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.
+    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+    <limits.h> exists even on freestanding compilers.  */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef $ac_func
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char $ac_func ();
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined __stub_$ac_func || defined __stub___$ac_func
+choke me
+#endif
 
 int
 main ()
 {
-
+return $ac_func ();
   ;
   return 0;
 }
 _ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
 case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_compile") 2>conftest.er1
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  ac_cv_prog_cc_g=yes
+       } && test -s conftest$ac_exeext && {
+	 test "$cross_compiling" = yes ||
+	 $as_test_x conftest$ac_exeext
+       }; then
+  eval "$as_ac_var=yes"
 else
-  echo "$as_me: failed program was:" >&5
+  $as_echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-	CFLAGS=""
-      cat >conftest.$ac_ext <<_ACEOF
+	eval "$as_ac_var=no"
+fi
+
+rm -rf conftest.dSYM
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+fi
+ac_res=`eval 'as_val=${'$as_ac_var'}
+		 $as_echo "$as_val"'`
+	       { $as_echo "$as_me:$LINENO: result: $ac_res" >&5
+$as_echo "$ac_res" >&6; }
+as_val=`eval 'as_val=${'$as_ac_var'}
+		 $as_echo "$as_val"'`
+   if test "x$as_val" = x""yes; then
+  cat >>confdefs.h <<_ACEOF
+#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
+_ACEOF
+
+fi
+done
+
+
+
+
+
+for ac_header in net/pfkeyv2.h netipsec/ipsec.h netinet6/ipsec.h
+do
+as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+  { $as_echo "$as_me:$LINENO: checking for $ac_header" >&5
+$as_echo_n "checking for $ac_header... " >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+  $as_echo_n "(cached) " >&6
+fi
+ac_res=`eval 'as_val=${'$as_ac_Header'}
+		 $as_echo "$as_val"'`
+	       { $as_echo "$as_me:$LINENO: result: $ac_res" >&5
+$as_echo "$ac_res" >&6; }
+else
+  # Is the header compilable?
+{ $as_echo "$as_me:$LINENO: checking $ac_header usability" >&5
+$as_echo_n "checking $ac_header usability... " >&6; }
+cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
 cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
-
-int
-main ()
-{
-
-  ;
-  return 0;
-}
+$ac_includes_default
+#include <$ac_header>
 _ACEOF
 rm -f conftest.$ac_objext
 if { (ac_try="$ac_compile"
@@ -13195,689 +14148,481 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
   (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
        } && test -s conftest.$ac_objext; then
-  :
+  ac_header_compiler=yes
 else
-  echo "$as_me: failed program was:" >&5
+  $as_echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-	ac_c_werror_flag=$ac_save_c_werror_flag
-	 CFLAGS="-g"
-	 cat >conftest.$ac_ext <<_ACEOF
+	ac_header_compiler=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+{ $as_echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
+$as_echo "$ac_header_compiler" >&6; }
+
+# Is the header present?
+{ $as_echo "$as_me:$LINENO: checking $ac_header presence" >&5
+$as_echo_n "checking $ac_header presence... " >&6; }
+cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
 cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
-
-int
-main ()
-{
-
-  ;
-  return 0;
-}
+#include <$ac_header>
 _ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
+if { (ac_try="$ac_cpp conftest.$ac_ext"
 case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_compile") 2>conftest.er1
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } >/dev/null && {
+	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  ac_cv_prog_cc_g=yes
+       }; then
+  ac_header_preproc=yes
 else
-  echo "$as_me: failed program was:" >&5
+  $as_echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-
+  ac_header_preproc=no
 fi
 
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-fi
+rm -f conftest.err conftest.$ac_ext
+{ $as_echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
+$as_echo "$ac_header_preproc" >&6; }
 
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+# So?  What about this header?
+case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
+  yes:no: )
+    { $as_echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5
+$as_echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;}
+    { $as_echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the compiler's result" >&5
+$as_echo "$as_me: WARNING: $ac_header: proceeding with the compiler's result" >&2;}
+    ac_header_preproc=yes
+    ;;
+  no:yes:* )
+    { $as_echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5
+$as_echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;}
+    { $as_echo "$as_me:$LINENO: WARNING: $ac_header:     check for missing prerequisite headers?" >&5
+$as_echo "$as_me: WARNING: $ac_header:     check for missing prerequisite headers?" >&2;}
+    { $as_echo "$as_me:$LINENO: WARNING: $ac_header: see the Autoconf documentation" >&5
+$as_echo "$as_me: WARNING: $ac_header: see the Autoconf documentation" >&2;}
+    { $as_echo "$as_me:$LINENO: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\"" >&5
+$as_echo "$as_me: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\"" >&2;}
+    { $as_echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5
+$as_echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;}
+    { $as_echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5
+$as_echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;}
+
+    ;;
+esac
+{ $as_echo "$as_me:$LINENO: checking for $ac_header" >&5
+$as_echo_n "checking for $ac_header... " >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+  $as_echo_n "(cached) " >&6
+else
+  eval "$as_ac_Header=\$ac_header_preproc"
 fi
+ac_res=`eval 'as_val=${'$as_ac_Header'}
+		 $as_echo "$as_val"'`
+	       { $as_echo "$as_me:$LINENO: result: $ac_res" >&5
+$as_echo "$ac_res" >&6; }
 
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-   ac_c_werror_flag=$ac_save_c_werror_flag
 fi
-{ echo "$as_me:$LINENO: result: $ac_cv_prog_cc_g" >&5
-echo "${ECHO_T}$ac_cv_prog_cc_g" >&6; }
-if test "$ac_test_CFLAGS" = set; then
-  CFLAGS=$ac_save_CFLAGS
-elif test $ac_cv_prog_cc_g = yes; then
-  if test "$GCC" = yes; then
-    CFLAGS="-g -O2"
-  else
-    CFLAGS="-g"
-  fi
-else
-  if test "$GCC" = yes; then
-    CFLAGS="-O2"
-  else
-    CFLAGS=
-  fi
+as_val=`eval 'as_val=${'$as_ac_Header'}
+		 $as_echo "$as_val"'`
+   if test "x$as_val" = x""yes; then
+  cat >>confdefs.h <<_ACEOF
+#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1
+_ACEOF
+
 fi
-{ echo "$as_me:$LINENO: checking for $CC option to accept ISO C89" >&5
-echo $ECHO_N "checking for $CC option to accept ISO C89... $ECHO_C" >&6; }
-if test "${ac_cv_prog_cc_c89+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+
+done
+
+
+{ $as_echo "$as_me:$LINENO: checking for struct sockaddr.sa_len" >&5
+$as_echo_n "checking for struct sockaddr.sa_len... " >&6; }
+if test "${ac_cv_member_struct_sockaddr_sa_len+set}" = set; then
+  $as_echo_n "(cached) " >&6
 else
-  ac_cv_prog_cc_c89=no
-ac_save_CC=$CC
-cat >conftest.$ac_ext <<_ACEOF
+  cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
 cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
-#include <stdarg.h>
-#include <stdio.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-/* Most of the following tests are stolen from RCS 5.7's src/conf.sh.  */
-struct buf { int x; };
-FILE * (*rcsopen) (struct buf *, struct stat *, int);
-static char *e (p, i)
-     char **p;
-     int i;
-{
-  return p[i];
-}
-static char *f (char * (*g) (char **, int), char **p, ...)
-{
-  char *s;
-  va_list v;
-  va_start (v,p);
-  s = g (p, va_arg (v,int));
-  va_end (v);
-  return s;
-}
 
-/* OSF 4.0 Compaq cc is some sort of almost-ANSI by default.  It has
-   function prototypes and stuff, but not '\xHH' hex character constants.
-   These don't provoke an error unfortunately, instead are silently treated
-   as 'x'.  The following induces an error, until -std is added to get
-   proper ANSI mode.  Curiously '\x00'!='x' always comes out true, for an
-   array size at least.  It's necessary to write '\x00'==0 to get something
-   that's true only with -std.  */
-int osf4_cc_array ['\x00' == 0 ? 1 : -1];
+	#include <sys/types.h>
+	#include <sys/socket.h>
 
-/* IBM C 6 for AIX is almost-ANSI by default, but it replaces macro parameters
-   inside strings and character constants.  */
-#define FOO(x) 'x'
-int xlc6_cc_array[FOO(a) == 'x' ? 1 : -1];
 
-int test (int i, double x);
-struct s1 {int (*f) (int a);};
-struct s2 {int (*f) (double a);};
-int pairnames (int, char **, FILE *(*)(struct buf *, struct stat *, int), int, int);
-int argc;
-char **argv;
 int
 main ()
 {
-return f (e, argv, 0) != argv[0]  ||  f (e, argv, 1) != argv[1];
+static struct sockaddr ac_aggr;
+if (ac_aggr.sa_len)
+return 0;
   ;
   return 0;
 }
 _ACEOF
-for ac_arg in '' -qlanglvl=extc89 -qlanglvl=ansi -std \
-	-Ae "-Aa -D_HPUX_SOURCE" "-Xc -D__EXTENSIONS__"
-do
-  CC="$ac_save_CC $ac_arg"
-  rm -f conftest.$ac_objext
+rm -f conftest.$ac_objext
 if { (ac_try="$ac_compile"
 case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
   (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
        } && test -s conftest.$ac_objext; then
-  ac_cv_prog_cc_c89=$ac_arg
+  ac_cv_member_struct_sockaddr_sa_len=yes
 else
-  echo "$as_me: failed program was:" >&5
+  $as_echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
+	cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
 
-fi
-
-rm -f core conftest.err conftest.$ac_objext
-  test "x$ac_cv_prog_cc_c89" != "xno" && break
-done
-rm -f conftest.$ac_ext
-CC=$ac_save_CC
-
-fi
-# AC_CACHE_VAL
-case "x$ac_cv_prog_cc_c89" in
-  x)
-    { echo "$as_me:$LINENO: result: none needed" >&5
-echo "${ECHO_T}none needed" >&6; } ;;
-  xno)
-    { echo "$as_me:$LINENO: result: unsupported" >&5
-echo "${ECHO_T}unsupported" >&6; } ;;
-  *)
-    CC="$CC $ac_cv_prog_cc_c89"
-    { echo "$as_me:$LINENO: result: $ac_cv_prog_cc_c89" >&5
-echo "${ECHO_T}$ac_cv_prog_cc_c89" >&6; } ;;
-esac
-
-
-ac_ext=c
-ac_cpp='$CPP $CPPFLAGS'
-ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
-ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
-ac_compiler_gnu=$ac_cv_c_compiler_gnu
-
-depcc="$CC"   am_compiler_list=
-
-{ echo "$as_me:$LINENO: checking dependency style of $depcc" >&5
-echo $ECHO_N "checking dependency style of $depcc... $ECHO_C" >&6; }
-if test "${am_cv_CC_dependencies_compiler_type+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  if test -z "$AMDEP_TRUE" && test -f "$am_depcomp"; then
-  # We make a subdir and do the tests there.  Otherwise we can end up
-  # making bogus files that we don't know about and never remove.  For
-  # instance it was reported that on HP-UX the gcc test will end up
-  # making a dummy file named `D' -- because `-MD' means `put the output
-  # in D'.
-  mkdir conftest.dir
-  # Copy depcomp to subdir because otherwise we won't find it if we're
-  # using a relative directory.
-  cp "$am_depcomp" conftest.dir
-  cd conftest.dir
-  # We will build objects and dependencies in a subdirectory because
-  # it helps to detect inapplicable dependency modes.  For instance
-  # both Tru64's cc and ICC support -MD to output dependencies as a
-  # side effect of compilation, but ICC will put the dependencies in
-  # the current directory while Tru64 will put them in the object
-  # directory.
-  mkdir sub
-
-  am_cv_CC_dependencies_compiler_type=none
-  if test "$am_compiler_list" = ""; then
-     am_compiler_list=`sed -n 's/^#*\([a-zA-Z0-9]*\))$/\1/p' < ./depcomp`
-  fi
-  for depmode in $am_compiler_list; do
-    # Setup a source with many dependencies, because some compilers
-    # like to wrap large dependency lists on column 80 (with \), and
-    # we should not choose a depcomp mode which is confused by this.
-    #
-    # We need to recreate these files for each test, as the compiler may
-    # overwrite some of them when testing with obscure command lines.
-    # This happens at least with the AIX C compiler.
-    : > sub/conftest.c
-    for i in 1 2 3 4 5 6; do
-      echo '#include "conftst'$i'.h"' >> sub/conftest.c
-      # Using `: > sub/conftst$i.h' creates only sub/conftst1.h with
-      # Solaris 8's {/usr,}/bin/sh.
-      touch sub/conftst$i.h
-    done
-    echo "${am__include} ${am__quote}sub/conftest.Po${am__quote}" > confmf
-
-    case $depmode in
-    nosideeffect)
-      # after this tag, mechanisms are not by side-effect, so they'll
-      # only be used when explicitly requested
-      if test "x$enable_dependency_tracking" = xyes; then
-	continue
-      else
-	break
-      fi
-      ;;
-    none) break ;;
-    esac
-    # We check with `-c' and `-o' for the sake of the "dashmstdout"
-    # mode.  It turns out that the SunPro C++ compiler does not properly
-    # handle `-M -o', and we need to detect this.
-    if depmode=$depmode \
-       source=sub/conftest.c object=sub/conftest.${OBJEXT-o} \
-       depfile=sub/conftest.Po tmpdepfile=sub/conftest.TPo \
-       $SHELL ./depcomp $depcc -c -o sub/conftest.${OBJEXT-o} sub/conftest.c \
-         >/dev/null 2>conftest.err &&
-       grep sub/conftst1.h sub/conftest.Po > /dev/null 2>&1 &&
-       grep sub/conftst6.h sub/conftest.Po > /dev/null 2>&1 &&
-       grep sub/conftest.${OBJEXT-o} sub/conftest.Po > /dev/null 2>&1 &&
-       ${MAKE-make} -s -f confmf > /dev/null 2>&1; then
-      # icc doesn't choke on unknown options, it will just issue warnings
-      # or remarks (even with -Werror).  So we grep stderr for any message
-      # that says an option was ignored or not supported.
-      # When given -MP, icc 7.0 and 7.1 complain thusly:
-      #   icc: Command line warning: ignoring option '-M'; no argument required
-      # The diagnosis changed in icc 8.0:
-      #   icc: Command line remark: option '-MP' not supported
-      if (grep 'ignoring option' conftest.err ||
-          grep 'not supported' conftest.err) >/dev/null 2>&1; then :; else
-        am_cv_CC_dependencies_compiler_type=$depmode
-        break
-      fi
-    fi
-  done
-
-  cd ..
-  rm -rf conftest.dir
-else
-  am_cv_CC_dependencies_compiler_type=none
-fi
-
-fi
-{ echo "$as_me:$LINENO: result: $am_cv_CC_dependencies_compiler_type" >&5
-echo "${ECHO_T}$am_cv_CC_dependencies_compiler_type" >&6; }
-CCDEPMODE=depmode=$am_cv_CC_dependencies_compiler_type
-
- if
-  test "x$enable_dependency_tracking" != xno \
-  && test "$am_cv_CC_dependencies_compiler_type" = gcc3; then
-  am__fastdepCC_TRUE=
-  am__fastdepCC_FALSE='#'
-else
-  am__fastdepCC_TRUE='#'
-  am__fastdepCC_FALSE=
-fi
-
-
-# Extract the first word of "gperf", so it can be a program name with args.
-set dummy gperf; ac_word=$2
-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
-if test "${ac_cv_path_GPERF+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  case $GPERF in
-  [\\/]* | ?:[\\/]*)
-  ac_cv_path_GPERF="$GPERF" # Let the user override the test with a path.
-  ;;
-  *)
-  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-as_dummy="$PATH:/bin:/usr/bin:/usr/local/bin"
-for as_dir in $as_dummy
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-    ac_cv_path_GPERF="$as_dir/$ac_word$ac_exec_ext"
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
-    break 2
-  fi
-done
-done
-IFS=$as_save_IFS
-
-  ;;
-esac
-fi
-GPERF=$ac_cv_path_GPERF
-if test -n "$GPERF"; then
-  { echo "$as_me:$LINENO: result: $GPERF" >&5
-echo "${ECHO_T}$GPERF" >&6; }
-else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
-fi
-
+	#include <sys/types.h>
+	#include <sys/socket.h>
 
-# Extract the first word of "perl", so it can be a program name with args.
-set dummy perl; ac_word=$2
-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
-if test "${ac_cv_path_PERL+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  case $PERL in
-  [\\/]* | ?:[\\/]*)
-  ac_cv_path_PERL="$PERL" # Let the user override the test with a path.
-  ;;
-  *)
-  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-as_dummy="$PATH:/bin:/usr/bin:/usr/local/bin"
-for as_dir in $as_dummy
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-    ac_cv_path_PERL="$as_dir/$ac_word$ac_exec_ext"
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
-    break 2
-  fi
-done
-done
-IFS=$as_save_IFS
 
-  ;;
+int
+main ()
+{
+static struct sockaddr ac_aggr;
+if (sizeof ac_aggr.sa_len)
+return 0;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
 esac
-fi
-PERL=$ac_cv_path_PERL
-if test -n "$PERL"; then
-  { echo "$as_me:$LINENO: result: $PERL" >&5
-echo "${ECHO_T}$PERL" >&6; }
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  ac_cv_member_struct_sockaddr_sa_len=yes
 else
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
-fi
-
-
-
+  $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
 
-if test x$pluto = xtrue; then
-	gmp=true;
+	ac_cv_member_struct_sockaddr_sa_len=no
 fi
 
-if test x$tools = xtrue; then
-	gmp=true;
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
 
-if test x$smp = xtrue; then
-	xml=true
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
+{ $as_echo "$as_me:$LINENO: result: $ac_cv_member_struct_sockaddr_sa_len" >&5
+$as_echo "$ac_cv_member_struct_sockaddr_sa_len" >&6; }
+if test "x$ac_cv_member_struct_sockaddr_sa_len" = x""yes; then
 
-if test x$manager = xtrue; then
-	fast=true
-fi
+cat >>confdefs.h <<_ACEOF
+#define HAVE_STRUCT_SOCKADDR_SA_LEN 1
+_ACEOF
 
-if test x$medsrv = xtrue; then
-	me=true
-	fast=true
-fi
 
-if test x$medcli = xtrue; then
-	me=true
 fi
 
 
-
-{ echo "$as_me:$LINENO: checking for main in -ldl" >&5
-echo $ECHO_N "checking for main in -ldl... $ECHO_C" >&6; }
-if test "${ac_cv_lib_dl_main+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+{ $as_echo "$as_me:$LINENO: checking for struct sadb_x_policy.sadb_x_policy_priority" >&5
+$as_echo_n "checking for struct sadb_x_policy.sadb_x_policy_priority... " >&6; }
+if test "${ac_cv_member_struct_sadb_x_policy_sadb_x_policy_priority+set}" = set; then
+  $as_echo_n "(cached) " >&6
 else
-  ac_check_lib_save_LIBS=$LIBS
-LIBS="-ldl  $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
+  cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
 cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 
+	#include <sys/types.h>
+	#ifdef HAVE_NET_PFKEYV2_H
+	#include <net/pfkeyv2.h>
+	#else
+	#include <stdint.h>
+	#include <linux/pfkeyv2.h>
+	#endif
+
 
 int
 main ()
 {
-return main ();
+static struct sadb_x_policy ac_aggr;
+if (ac_aggr.sadb_x_policy_priority)
+return 0;
   ;
   return 0;
 }
 _ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
 case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_link") 2>conftest.er1
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
-  ac_cv_lib_dl_main=yes
+       } && test -s conftest.$ac_objext; then
+  ac_cv_member_struct_sadb_x_policy_sadb_x_policy_priority=yes
 else
-  echo "$as_me: failed program was:" >&5
+  $as_echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-	ac_cv_lib_dl_main=no
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-{ echo "$as_me:$LINENO: result: $ac_cv_lib_dl_main" >&5
-echo "${ECHO_T}$ac_cv_lib_dl_main" >&6; }
-if test $ac_cv_lib_dl_main = yes; then
-  cat >>confdefs.h <<_ACEOF
-#define HAVE_LIBDL 1
-_ACEOF
-
-  LIBS="-ldl $LIBS"
-
-fi
-ac_cv_lib_dl=ac_cv_lib_dl_main
-
-
-for ac_func in backtrace
-do
-as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
-{ echo "$as_me:$LINENO: checking for $ac_func" >&5
-echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; }
-if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  cat >conftest.$ac_ext <<_ACEOF
+	cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
 cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
-/* Define $ac_func to an innocuous variant, in case <limits.h> declares $ac_func.
-   For example, HP-UX 11i <limits.h> declares gettimeofday.  */
-#define $ac_func innocuous_$ac_func
-
-/* System header to define __stub macros and hopefully few prototypes,
-    which can conflict with char $ac_func (); below.
-    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
-    <limits.h> exists even on freestanding compilers.  */
-
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
 
-#undef $ac_func
+	#include <sys/types.h>
+	#ifdef HAVE_NET_PFKEYV2_H
+	#include <net/pfkeyv2.h>
+	#else
+	#include <stdint.h>
+	#include <linux/pfkeyv2.h>
+	#endif
 
-/* Override any GCC internal prototype to avoid an error.
-   Use char because int might match the return type of a GCC
-   builtin and then its argument prototype would still apply.  */
-#ifdef __cplusplus
-extern "C"
-#endif
-char $ac_func ();
-/* The GNU C library defines this for functions which it implements
-    to always fail with ENOSYS.  Some functions are actually named
-    something starting with __ and the normal name is an alias.  */
-#if defined __stub_$ac_func || defined __stub___$ac_func
-choke me
-#endif
 
 int
 main ()
 {
-return $ac_func ();
+static struct sadb_x_policy ac_aggr;
+if (sizeof ac_aggr.sadb_x_policy_priority)
+return 0;
   ;
   return 0;
 }
 _ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
 case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_link") 2>conftest.er1
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
-  eval "$as_ac_var=yes"
+       } && test -s conftest.$ac_objext; then
+  ac_cv_member_struct_sadb_x_policy_sadb_x_policy_priority=yes
 else
-  echo "$as_me: failed program was:" >&5
+  $as_echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-	eval "$as_ac_var=no"
+	ac_cv_member_struct_sadb_x_policy_sadb_x_policy_priority=no
 fi
 
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
-ac_res=`eval echo '${'$as_ac_var'}'`
-	       { echo "$as_me:$LINENO: result: $ac_res" >&5
-echo "${ECHO_T}$ac_res" >&6; }
-if test `eval echo '${'$as_ac_var'}'` = yes; then
-  cat >>confdefs.h <<_ACEOF
-#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+{ $as_echo "$as_me:$LINENO: result: $ac_cv_member_struct_sadb_x_policy_sadb_x_policy_priority" >&5
+$as_echo "$ac_cv_member_struct_sadb_x_policy_sadb_x_policy_priority" >&6; }
+if test "x$ac_cv_member_struct_sadb_x_policy_sadb_x_policy_priority" = x""yes; then
+
+cat >>confdefs.h <<_ACEOF
+#define HAVE_STRUCT_SADB_X_POLICY_SADB_X_POLICY_PRIORITY 1
 _ACEOF
 
+
 fi
-done
 
 
-for ac_func in dladdr
-do
-as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
-{ echo "$as_me:$LINENO: checking for $ac_func" >&5
-echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; }
-if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  cat >conftest.$ac_ext <<_ACEOF
+{ $as_echo "$as_me:$LINENO: checking for IPSEC_MODE_BEET" >&5
+$as_echo_n "checking for IPSEC_MODE_BEET... " >&6; }
+cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
 cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
-/* Define $ac_func to an innocuous variant, in case <limits.h> declares $ac_func.
-   For example, HP-UX 11i <limits.h> declares gettimeofday.  */
-#define $ac_func innocuous_$ac_func
+#include <sys/types.h>
+	#ifdef HAVE_NETIPSEC_IPSEC_H
+	#include <netipsec/ipsec.h>
+	#elif defined(HAVE_NETINET6_IPSEC_H)
+	#include <netinet6/ipsec.h>
+	#else
+	#include <stdint.h>
+	#include <linux/ipsec.h>
+	#endif
+int
+main ()
+{
+int mode = IPSEC_MODE_BEET;
+	 return mode;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  { $as_echo "$as_me:$LINENO: result: yes" >&5
+$as_echo "yes" >&6; }; cat >>confdefs.h <<\_ACEOF
+#define HAVE_IPSEC_MODE_BEET 1
+_ACEOF
 
-/* System header to define __stub macros and hopefully few prototypes,
-    which can conflict with char $ac_func (); below.
-    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
-    <limits.h> exists even on freestanding compilers.  */
+else
+  $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
 
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
+	{ $as_echo "$as_me:$LINENO: result: no" >&5
+$as_echo "no" >&6; }
 
-#undef $ac_func
+fi
 
-/* Override any GCC internal prototype to avoid an error.
-   Use char because int might match the return type of a GCC
-   builtin and then its argument prototype would still apply.  */
-#ifdef __cplusplus
-extern "C"
-#endif
-char $ac_func ();
-/* The GNU C library defines this for functions which it implements
-    to always fail with ENOSYS.  Some functions are actually named
-    something starting with __ and the normal name is an alias.  */
-#if defined __stub_$ac_func || defined __stub___$ac_func
-choke me
-#endif
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 
+{ $as_echo "$as_me:$LINENO: checking for IPSEC_DIR_FWD" >&5
+$as_echo_n "checking for IPSEC_DIR_FWD... " >&6; }
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+#include <sys/types.h>
+	#ifdef HAVE_NETIPSEC_IPSEC_H
+	#include <netipsec/ipsec.h>
+	#elif defined(HAVE_NETINET6_IPSEC_H)
+	#include <netinet6/ipsec.h>
+	#else
+	#include <stdint.h>
+	#include <linux/ipsec.h>
+	#endif
 int
 main ()
 {
-return $ac_func ();
+int dir = IPSEC_DIR_FWD;
+	 return dir;
   ;
   return 0;
 }
 _ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
 case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_link") 2>conftest.er1
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
-  eval "$as_ac_var=yes"
+       } && test -s conftest.$ac_objext; then
+  { $as_echo "$as_me:$LINENO: result: yes" >&5
+$as_echo "yes" >&6; }; cat >>confdefs.h <<\_ACEOF
+#define HAVE_IPSEC_DIR_FWD 1
+_ACEOF
+
 else
-  echo "$as_me: failed program was:" >&5
+  $as_echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-	eval "$as_ac_var=no"
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
-fi
-ac_res=`eval echo '${'$as_ac_var'}'`
-	       { echo "$as_me:$LINENO: result: $ac_res" >&5
-echo "${ECHO_T}$ac_res" >&6; }
-if test `eval echo '${'$as_ac_var'}'` = yes; then
-  cat >>confdefs.h <<_ACEOF
-#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
-_ACEOF
+	{ $as_echo "$as_me:$LINENO: result: no" >&5
+$as_echo "no" >&6; }
 
 fi
-done
 
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 
-{ echo "$as_me:$LINENO: checking for gcc atomic operations" >&5
-echo $ECHO_N "checking for gcc atomic operations... $ECHO_C" >&6; }
+{ $as_echo "$as_me:$LINENO: checking for gcc atomic operations" >&5
+$as_echo_n "checking for gcc atomic operations... " >&6; }
 if test "$cross_compiling" = yes; then
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
+  { $as_echo "$as_me:$LINENO: result: no" >&5
+$as_echo "no" >&6; }
 else
   cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
@@ -13902,43 +14647,46 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
   (eval "$ac_link") 2>&5
   ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
   { (case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
   (eval "$ac_try") 2>&5
   ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }; }; then
-  { echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6; }; cat >>confdefs.h <<\_ACEOF
+  { $as_echo "$as_me:$LINENO: result: yes" >&5
+$as_echo "yes" >&6; }; cat >>confdefs.h <<\_ACEOF
 #define HAVE_GCC_ATOMIC_OPERATIONS 1
 _ACEOF
 
 else
-  echo "$as_me: program exited with status $ac_status" >&5
-echo "$as_me: failed program was:" >&5
+  $as_echo "$as_me: program exited with status $ac_status" >&5
+$as_echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 ( exit $ac_status )
-{ echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
+{ $as_echo "$as_me:$LINENO: result: no" >&5
+$as_echo "no" >&6; }
 fi
+rm -rf conftest.dSYM
 rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
 fi
 
 
 
-{ echo "$as_me:$LINENO: checking for register_printf_function" >&5
-echo $ECHO_N "checking for register_printf_function... $ECHO_C" >&6; }
+{ $as_echo "$as_me:$LINENO: checking for register_printf_function" >&5
+$as_echo_n "checking for register_printf_function... " >&6; }
 if test "${ac_cv_func_register_printf_function+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
@@ -13991,44 +14739,55 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
+       } && test -s conftest$ac_exeext && {
+	 test "$cross_compiling" = yes ||
+	 $as_test_x conftest$ac_exeext
+       }; then
   ac_cv_func_register_printf_function=yes
 else
-  echo "$as_me: failed program was:" >&5
+  $as_echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_cv_func_register_printf_function=no
 fi
 
+rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-{ echo "$as_me:$LINENO: result: $ac_cv_func_register_printf_function" >&5
-echo "${ECHO_T}$ac_cv_func_register_printf_function" >&6; }
-if test $ac_cv_func_register_printf_function = yes; then
+{ $as_echo "$as_me:$LINENO: result: $ac_cv_func_register_printf_function" >&5
+$as_echo "$ac_cv_func_register_printf_function" >&6; }
+if test "x$ac_cv_func_register_printf_function" = x""yes; then
   cat >>confdefs.h <<\_ACEOF
 #define HAVE_PRINTF_HOOKS 1
 _ACEOF
 
 else
 
-		{ echo "$as_me:$LINENO: printf does not support custom format specifiers!" >&5
-echo "$as_me: printf does not support custom format specifiers!" >&6;}
-		{ echo "$as_me:$LINENO: checking for main in -lvstr" >&5
-echo $ECHO_N "checking for main in -lvstr... $ECHO_C" >&6; }
+		{ $as_echo "$as_me:$LINENO: printf does not support custom format specifiers!" >&5
+$as_echo "$as_me: printf does not support custom format specifiers!" >&6;}
+		vstr=true
+
+
+fi
+
+
+if test x$vstr = xtrue; then
+	{ $as_echo "$as_me:$LINENO: checking for main in -lvstr" >&5
+$as_echo_n "checking for main in -lvstr... " >&6; }
 if test "${ac_cv_lib_vstr_main+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
 LIBS="-lvstr  $LIBS"
@@ -14054,50 +14813,56 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
+       } && test -s conftest$ac_exeext && {
+	 test "$cross_compiling" = yes ||
+	 $as_test_x conftest$ac_exeext
+       }; then
   ac_cv_lib_vstr_main=yes
 else
-  echo "$as_me: failed program was:" >&5
+  $as_echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_cv_lib_vstr_main=no
 fi
 
+rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ echo "$as_me:$LINENO: result: $ac_cv_lib_vstr_main" >&5
-echo "${ECHO_T}$ac_cv_lib_vstr_main" >&6; }
-if test $ac_cv_lib_vstr_main = yes; then
-  LIBS="$LIBS"; vstr=true
+{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_vstr_main" >&5
+$as_echo "$ac_cv_lib_vstr_main" >&6; }
+if test "x$ac_cv_lib_vstr_main" = x""yes; then
+  LIBS="$LIBS"
 else
-  { { echo "$as_me:$LINENO: error: Vstr string library not found" >&5
-echo "$as_me: error: Vstr string library not found" >&2;}
+  { { $as_echo "$as_me:$LINENO: error: Vstr string library not found" >&5
+$as_echo "$as_me: error: Vstr string library not found" >&2;}
    { (exit 1); exit 1; }; }
 fi
 ac_cv_lib_vstr=ac_cv_lib_vstr_main
 
+	cat >>confdefs.h <<\_ACEOF
+#define USE_VSTR 1
+_ACEOF
 
 fi
 
-
 if test x$gmp = xtrue; then
-	{ echo "$as_me:$LINENO: checking for main in -lgmp" >&5
-echo $ECHO_N "checking for main in -lgmp... $ECHO_C" >&6; }
+	{ $as_echo "$as_me:$LINENO: checking for main in -lgmp" >&5
+$as_echo_n "checking for main in -lgmp... " >&6; }
 if test "${ac_cv_lib_gmp_main+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
 LIBS="-lgmp  $LIBS"
@@ -14123,43 +14888,47 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
+       } && test -s conftest$ac_exeext && {
+	 test "$cross_compiling" = yes ||
+	 $as_test_x conftest$ac_exeext
+       }; then
   ac_cv_lib_gmp_main=yes
 else
-  echo "$as_me: failed program was:" >&5
+  $as_echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_cv_lib_gmp_main=no
 fi
 
+rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ echo "$as_me:$LINENO: result: $ac_cv_lib_gmp_main" >&5
-echo "${ECHO_T}$ac_cv_lib_gmp_main" >&6; }
-if test $ac_cv_lib_gmp_main = yes; then
+{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_gmp_main" >&5
+$as_echo "$ac_cv_lib_gmp_main" >&6; }
+if test "x$ac_cv_lib_gmp_main" = x""yes; then
   LIBS="$LIBS"
 else
-  { { echo "$as_me:$LINENO: error: GNU Multi Precision library gmp not found" >&5
-echo "$as_me: error: GNU Multi Precision library gmp not found" >&2;}
+  { { $as_echo "$as_me:$LINENO: error: GNU Multi Precision library gmp not found" >&5
+$as_echo "$as_me: error: GNU Multi Precision library gmp not found" >&2;}
    { (exit 1); exit 1; }; }
 fi
 ac_cv_lib_gmp=ac_cv_lib_gmp_main
 
-	{ echo "$as_me:$LINENO: checking gmp.h version >= 4.1.4" >&5
-echo $ECHO_N "checking gmp.h version >= 4.1.4... $ECHO_C" >&6; }
+	{ $as_echo "$as_me:$LINENO: checking gmp.h version >= 4.1.4" >&5
+$as_echo_n "checking gmp.h version >= 4.1.4... " >&6; }
 	cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -14185,26 +14954,27 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
   (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
        } && test -s conftest.$ac_objext; then
-  { echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6; }
+  { $as_echo "$as_me:$LINENO: result: yes" >&5
+$as_echo "yes" >&6; }
 else
-  echo "$as_me: failed program was:" >&5
+  $as_echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-	{ echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }; { { echo "$as_me:$LINENO: error: No usable gmp.h found!" >&5
-echo "$as_me: error: No usable gmp.h found!" >&2;}
+	{ $as_echo "$as_me:$LINENO: result: no" >&5
+$as_echo "no" >&6; }; { { $as_echo "$as_me:$LINENO: error: No usable gmp.h found!" >&5
+$as_echo "$as_me: error: No usable gmp.h found!" >&2;}
    { (exit 1); exit 1; }; }
 
 fi
@@ -14213,10 +14983,10 @@ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
 
 if test x$ldap = xtrue; then
-	{ echo "$as_me:$LINENO: checking for main in -lldap" >&5
-echo $ECHO_N "checking for main in -lldap... $ECHO_C" >&6; }
+	{ $as_echo "$as_me:$LINENO: checking for main in -lldap" >&5
+$as_echo_n "checking for main in -lldap... " >&6; }
 if test "${ac_cv_lib_ldap_main+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
 LIBS="-lldap  $LIBS"
@@ -14242,45 +15012,49 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
+       } && test -s conftest$ac_exeext && {
+	 test "$cross_compiling" = yes ||
+	 $as_test_x conftest$ac_exeext
+       }; then
   ac_cv_lib_ldap_main=yes
 else
-  echo "$as_me: failed program was:" >&5
+  $as_echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_cv_lib_ldap_main=no
 fi
 
+rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ echo "$as_me:$LINENO: result: $ac_cv_lib_ldap_main" >&5
-echo "${ECHO_T}$ac_cv_lib_ldap_main" >&6; }
-if test $ac_cv_lib_ldap_main = yes; then
+{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_ldap_main" >&5
+$as_echo "$ac_cv_lib_ldap_main" >&6; }
+if test "x$ac_cv_lib_ldap_main" = x""yes; then
   LIBS="$LIBS"
 else
-  { { echo "$as_me:$LINENO: error: LDAP library ldap not found" >&5
-echo "$as_me: error: LDAP library ldap not found" >&2;}
+  { { $as_echo "$as_me:$LINENO: error: LDAP library ldap not found" >&5
+$as_echo "$as_me: error: LDAP library ldap not found" >&2;}
    { (exit 1); exit 1; }; }
 fi
 ac_cv_lib_ldap=ac_cv_lib_ldap_main
 
-	{ echo "$as_me:$LINENO: checking for main in -llber" >&5
-echo $ECHO_N "checking for main in -llber... $ECHO_C" >&6; }
+	{ $as_echo "$as_me:$LINENO: checking for main in -llber" >&5
+$as_echo_n "checking for main in -llber... " >&6; }
 if test "${ac_cv_lib_lber_main+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
 LIBS="-llber  $LIBS"
@@ -14306,53 +15080,57 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
+       } && test -s conftest$ac_exeext && {
+	 test "$cross_compiling" = yes ||
+	 $as_test_x conftest$ac_exeext
+       }; then
   ac_cv_lib_lber_main=yes
 else
-  echo "$as_me: failed program was:" >&5
+  $as_echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_cv_lib_lber_main=no
 fi
 
+rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ echo "$as_me:$LINENO: result: $ac_cv_lib_lber_main" >&5
-echo "${ECHO_T}$ac_cv_lib_lber_main" >&6; }
-if test $ac_cv_lib_lber_main = yes; then
+{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_lber_main" >&5
+$as_echo "$ac_cv_lib_lber_main" >&6; }
+if test "x$ac_cv_lib_lber_main" = x""yes; then
   LIBS="$LIBS"
 else
-  { { echo "$as_me:$LINENO: error: LDAP library lber not found" >&5
-echo "$as_me: error: LDAP library lber not found" >&2;}
+  { { $as_echo "$as_me:$LINENO: error: LDAP library lber not found" >&5
+$as_echo "$as_me: error: LDAP library lber not found" >&2;}
    { (exit 1); exit 1; }; }
 fi
 ac_cv_lib_lber=ac_cv_lib_lber_main
 
 	if test "${ac_cv_header_ldap_h+set}" = set; then
-  { echo "$as_me:$LINENO: checking for ldap.h" >&5
-echo $ECHO_N "checking for ldap.h... $ECHO_C" >&6; }
+  { $as_echo "$as_me:$LINENO: checking for ldap.h" >&5
+$as_echo_n "checking for ldap.h... " >&6; }
 if test "${ac_cv_header_ldap_h+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 fi
-{ echo "$as_me:$LINENO: result: $ac_cv_header_ldap_h" >&5
-echo "${ECHO_T}$ac_cv_header_ldap_h" >&6; }
+{ $as_echo "$as_me:$LINENO: result: $ac_cv_header_ldap_h" >&5
+$as_echo "$ac_cv_header_ldap_h" >&6; }
 else
   # Is the header compilable?
-{ echo "$as_me:$LINENO: checking ldap.h usability" >&5
-echo $ECHO_N "checking ldap.h usability... $ECHO_C" >&6; }
+{ $as_echo "$as_me:$LINENO: checking ldap.h usability" >&5
+$as_echo_n "checking ldap.h usability... " >&6; }
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -14368,32 +15146,33 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
   (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
        } && test -s conftest.$ac_objext; then
   ac_header_compiler=yes
 else
-  echo "$as_me: failed program was:" >&5
+  $as_echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_header_compiler=no
 fi
 
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
-echo "${ECHO_T}$ac_header_compiler" >&6; }
+{ $as_echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
+$as_echo "$ac_header_compiler" >&6; }
 
 # Is the header present?
-{ echo "$as_me:$LINENO: checking ldap.h presence" >&5
-echo $ECHO_N "checking ldap.h presence... $ECHO_C" >&6; }
+{ $as_echo "$as_me:$LINENO: checking ldap.h presence" >&5
+$as_echo_n "checking ldap.h presence... " >&6; }
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -14407,70 +15186,71 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
   (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } >/dev/null && {
 	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
 	 test ! -s conftest.err
        }; then
   ac_header_preproc=yes
 else
-  echo "$as_me: failed program was:" >&5
+  $as_echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
   ac_header_preproc=no
 fi
 
 rm -f conftest.err conftest.$ac_ext
-{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
-echo "${ECHO_T}$ac_header_preproc" >&6; }
+{ $as_echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
+$as_echo "$ac_header_preproc" >&6; }
 
 # So?  What about this header?
 case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
   yes:no: )
-    { echo "$as_me:$LINENO: WARNING: ldap.h: accepted by the compiler, rejected by the preprocessor!" >&5
-echo "$as_me: WARNING: ldap.h: accepted by the compiler, rejected by the preprocessor!" >&2;}
-    { echo "$as_me:$LINENO: WARNING: ldap.h: proceeding with the compiler's result" >&5
-echo "$as_me: WARNING: ldap.h: proceeding with the compiler's result" >&2;}
+    { $as_echo "$as_me:$LINENO: WARNING: ldap.h: accepted by the compiler, rejected by the preprocessor!" >&5
+$as_echo "$as_me: WARNING: ldap.h: accepted by the compiler, rejected by the preprocessor!" >&2;}
+    { $as_echo "$as_me:$LINENO: WARNING: ldap.h: proceeding with the compiler's result" >&5
+$as_echo "$as_me: WARNING: ldap.h: proceeding with the compiler's result" >&2;}
     ac_header_preproc=yes
     ;;
   no:yes:* )
-    { echo "$as_me:$LINENO: WARNING: ldap.h: present but cannot be compiled" >&5
-echo "$as_me: WARNING: ldap.h: present but cannot be compiled" >&2;}
-    { echo "$as_me:$LINENO: WARNING: ldap.h:     check for missing prerequisite headers?" >&5
-echo "$as_me: WARNING: ldap.h:     check for missing prerequisite headers?" >&2;}
-    { echo "$as_me:$LINENO: WARNING: ldap.h: see the Autoconf documentation" >&5
-echo "$as_me: WARNING: ldap.h: see the Autoconf documentation" >&2;}
-    { echo "$as_me:$LINENO: WARNING: ldap.h:     section \"Present But Cannot Be Compiled\"" >&5
-echo "$as_me: WARNING: ldap.h:     section \"Present But Cannot Be Compiled\"" >&2;}
-    { echo "$as_me:$LINENO: WARNING: ldap.h: proceeding with the preprocessor's result" >&5
-echo "$as_me: WARNING: ldap.h: proceeding with the preprocessor's result" >&2;}
-    { echo "$as_me:$LINENO: WARNING: ldap.h: in the future, the compiler will take precedence" >&5
-echo "$as_me: WARNING: ldap.h: in the future, the compiler will take precedence" >&2;}
+    { $as_echo "$as_me:$LINENO: WARNING: ldap.h: present but cannot be compiled" >&5
+$as_echo "$as_me: WARNING: ldap.h: present but cannot be compiled" >&2;}
+    { $as_echo "$as_me:$LINENO: WARNING: ldap.h:     check for missing prerequisite headers?" >&5
+$as_echo "$as_me: WARNING: ldap.h:     check for missing prerequisite headers?" >&2;}
+    { $as_echo "$as_me:$LINENO: WARNING: ldap.h: see the Autoconf documentation" >&5
+$as_echo "$as_me: WARNING: ldap.h: see the Autoconf documentation" >&2;}
+    { $as_echo "$as_me:$LINENO: WARNING: ldap.h:     section \"Present But Cannot Be Compiled\"" >&5
+$as_echo "$as_me: WARNING: ldap.h:     section \"Present But Cannot Be Compiled\"" >&2;}
+    { $as_echo "$as_me:$LINENO: WARNING: ldap.h: proceeding with the preprocessor's result" >&5
+$as_echo "$as_me: WARNING: ldap.h: proceeding with the preprocessor's result" >&2;}
+    { $as_echo "$as_me:$LINENO: WARNING: ldap.h: in the future, the compiler will take precedence" >&5
+$as_echo "$as_me: WARNING: ldap.h: in the future, the compiler will take precedence" >&2;}
 
     ;;
 esac
-{ echo "$as_me:$LINENO: checking for ldap.h" >&5
-echo $ECHO_N "checking for ldap.h... $ECHO_C" >&6; }
+{ $as_echo "$as_me:$LINENO: checking for ldap.h" >&5
+$as_echo_n "checking for ldap.h... " >&6; }
 if test "${ac_cv_header_ldap_h+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 else
   ac_cv_header_ldap_h=$ac_header_preproc
 fi
-{ echo "$as_me:$LINENO: result: $ac_cv_header_ldap_h" >&5
-echo "${ECHO_T}$ac_cv_header_ldap_h" >&6; }
+{ $as_echo "$as_me:$LINENO: result: $ac_cv_header_ldap_h" >&5
+$as_echo "$ac_cv_header_ldap_h" >&6; }
 
 fi
-if test $ac_cv_header_ldap_h = yes; then
+if test "x$ac_cv_header_ldap_h" = x""yes; then
   :
 else
-  { { echo "$as_me:$LINENO: error: LDAP header ldap.h not found!" >&5
-echo "$as_me: error: LDAP header ldap.h not found!" >&2;}
+  { { $as_echo "$as_me:$LINENO: error: LDAP header ldap.h not found!" >&5
+$as_echo "$as_me: error: LDAP header ldap.h not found!" >&2;}
    { (exit 1); exit 1; }; }
 fi
 
@@ -14478,10 +15258,10 @@ fi
 fi
 
 if test x$curl = xtrue; then
-	{ echo "$as_me:$LINENO: checking for main in -lcurl" >&5
-echo $ECHO_N "checking for main in -lcurl... $ECHO_C" >&6; }
+	{ $as_echo "$as_me:$LINENO: checking for main in -lcurl" >&5
+$as_echo_n "checking for main in -lcurl... " >&6; }
 if test "${ac_cv_lib_curl_main+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
 LIBS="-lcurl  $LIBS"
@@ -14507,53 +15287,57 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
+       } && test -s conftest$ac_exeext && {
+	 test "$cross_compiling" = yes ||
+	 $as_test_x conftest$ac_exeext
+       }; then
   ac_cv_lib_curl_main=yes
 else
-  echo "$as_me: failed program was:" >&5
+  $as_echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_cv_lib_curl_main=no
 fi
 
+rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ echo "$as_me:$LINENO: result: $ac_cv_lib_curl_main" >&5
-echo "${ECHO_T}$ac_cv_lib_curl_main" >&6; }
-if test $ac_cv_lib_curl_main = yes; then
+{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_curl_main" >&5
+$as_echo "$ac_cv_lib_curl_main" >&6; }
+if test "x$ac_cv_lib_curl_main" = x""yes; then
   LIBS="$LIBS"
 else
-  { { echo "$as_me:$LINENO: error: CURL library curl not found" >&5
-echo "$as_me: error: CURL library curl not found" >&2;}
+  { { $as_echo "$as_me:$LINENO: error: CURL library curl not found" >&5
+$as_echo "$as_me: error: CURL library curl not found" >&2;}
    { (exit 1); exit 1; }; }
 fi
 ac_cv_lib_curl=ac_cv_lib_curl_main
 
 	if test "${ac_cv_header_curl_curl_h+set}" = set; then
-  { echo "$as_me:$LINENO: checking for curl/curl.h" >&5
-echo $ECHO_N "checking for curl/curl.h... $ECHO_C" >&6; }
+  { $as_echo "$as_me:$LINENO: checking for curl/curl.h" >&5
+$as_echo_n "checking for curl/curl.h... " >&6; }
 if test "${ac_cv_header_curl_curl_h+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 fi
-{ echo "$as_me:$LINENO: result: $ac_cv_header_curl_curl_h" >&5
-echo "${ECHO_T}$ac_cv_header_curl_curl_h" >&6; }
+{ $as_echo "$as_me:$LINENO: result: $ac_cv_header_curl_curl_h" >&5
+$as_echo "$ac_cv_header_curl_curl_h" >&6; }
 else
   # Is the header compilable?
-{ echo "$as_me:$LINENO: checking curl/curl.h usability" >&5
-echo $ECHO_N "checking curl/curl.h usability... $ECHO_C" >&6; }
+{ $as_echo "$as_me:$LINENO: checking curl/curl.h usability" >&5
+$as_echo_n "checking curl/curl.h usability... " >&6; }
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -14569,32 +15353,33 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
   (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
        } && test -s conftest.$ac_objext; then
   ac_header_compiler=yes
 else
-  echo "$as_me: failed program was:" >&5
+  $as_echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_header_compiler=no
 fi
 
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
-echo "${ECHO_T}$ac_header_compiler" >&6; }
+{ $as_echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
+$as_echo "$ac_header_compiler" >&6; }
 
 # Is the header present?
-{ echo "$as_me:$LINENO: checking curl/curl.h presence" >&5
-echo $ECHO_N "checking curl/curl.h presence... $ECHO_C" >&6; }
+{ $as_echo "$as_me:$LINENO: checking curl/curl.h presence" >&5
+$as_echo_n "checking curl/curl.h presence... " >&6; }
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -14608,70 +15393,71 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
   (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } >/dev/null && {
 	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
 	 test ! -s conftest.err
        }; then
   ac_header_preproc=yes
 else
-  echo "$as_me: failed program was:" >&5
+  $as_echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
   ac_header_preproc=no
 fi
 
 rm -f conftest.err conftest.$ac_ext
-{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
-echo "${ECHO_T}$ac_header_preproc" >&6; }
+{ $as_echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
+$as_echo "$ac_header_preproc" >&6; }
 
 # So?  What about this header?
 case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
   yes:no: )
-    { echo "$as_me:$LINENO: WARNING: curl/curl.h: accepted by the compiler, rejected by the preprocessor!" >&5
-echo "$as_me: WARNING: curl/curl.h: accepted by the compiler, rejected by the preprocessor!" >&2;}
-    { echo "$as_me:$LINENO: WARNING: curl/curl.h: proceeding with the compiler's result" >&5
-echo "$as_me: WARNING: curl/curl.h: proceeding with the compiler's result" >&2;}
+    { $as_echo "$as_me:$LINENO: WARNING: curl/curl.h: accepted by the compiler, rejected by the preprocessor!" >&5
+$as_echo "$as_me: WARNING: curl/curl.h: accepted by the compiler, rejected by the preprocessor!" >&2;}
+    { $as_echo "$as_me:$LINENO: WARNING: curl/curl.h: proceeding with the compiler's result" >&5
+$as_echo "$as_me: WARNING: curl/curl.h: proceeding with the compiler's result" >&2;}
     ac_header_preproc=yes
     ;;
   no:yes:* )
-    { echo "$as_me:$LINENO: WARNING: curl/curl.h: present but cannot be compiled" >&5
-echo "$as_me: WARNING: curl/curl.h: present but cannot be compiled" >&2;}
-    { echo "$as_me:$LINENO: WARNING: curl/curl.h:     check for missing prerequisite headers?" >&5
-echo "$as_me: WARNING: curl/curl.h:     check for missing prerequisite headers?" >&2;}
-    { echo "$as_me:$LINENO: WARNING: curl/curl.h: see the Autoconf documentation" >&5
-echo "$as_me: WARNING: curl/curl.h: see the Autoconf documentation" >&2;}
-    { echo "$as_me:$LINENO: WARNING: curl/curl.h:     section \"Present But Cannot Be Compiled\"" >&5
-echo "$as_me: WARNING: curl/curl.h:     section \"Present But Cannot Be Compiled\"" >&2;}
-    { echo "$as_me:$LINENO: WARNING: curl/curl.h: proceeding with the preprocessor's result" >&5
-echo "$as_me: WARNING: curl/curl.h: proceeding with the preprocessor's result" >&2;}
-    { echo "$as_me:$LINENO: WARNING: curl/curl.h: in the future, the compiler will take precedence" >&5
-echo "$as_me: WARNING: curl/curl.h: in the future, the compiler will take precedence" >&2;}
+    { $as_echo "$as_me:$LINENO: WARNING: curl/curl.h: present but cannot be compiled" >&5
+$as_echo "$as_me: WARNING: curl/curl.h: present but cannot be compiled" >&2;}
+    { $as_echo "$as_me:$LINENO: WARNING: curl/curl.h:     check for missing prerequisite headers?" >&5
+$as_echo "$as_me: WARNING: curl/curl.h:     check for missing prerequisite headers?" >&2;}
+    { $as_echo "$as_me:$LINENO: WARNING: curl/curl.h: see the Autoconf documentation" >&5
+$as_echo "$as_me: WARNING: curl/curl.h: see the Autoconf documentation" >&2;}
+    { $as_echo "$as_me:$LINENO: WARNING: curl/curl.h:     section \"Present But Cannot Be Compiled\"" >&5
+$as_echo "$as_me: WARNING: curl/curl.h:     section \"Present But Cannot Be Compiled\"" >&2;}
+    { $as_echo "$as_me:$LINENO: WARNING: curl/curl.h: proceeding with the preprocessor's result" >&5
+$as_echo "$as_me: WARNING: curl/curl.h: proceeding with the preprocessor's result" >&2;}
+    { $as_echo "$as_me:$LINENO: WARNING: curl/curl.h: in the future, the compiler will take precedence" >&5
+$as_echo "$as_me: WARNING: curl/curl.h: in the future, the compiler will take precedence" >&2;}
 
     ;;
 esac
-{ echo "$as_me:$LINENO: checking for curl/curl.h" >&5
-echo $ECHO_N "checking for curl/curl.h... $ECHO_C" >&6; }
+{ $as_echo "$as_me:$LINENO: checking for curl/curl.h" >&5
+$as_echo_n "checking for curl/curl.h... " >&6; }
 if test "${ac_cv_header_curl_curl_h+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 else
   ac_cv_header_curl_curl_h=$ac_header_preproc
 fi
-{ echo "$as_me:$LINENO: result: $ac_cv_header_curl_curl_h" >&5
-echo "${ECHO_T}$ac_cv_header_curl_curl_h" >&6; }
+{ $as_echo "$as_me:$LINENO: result: $ac_cv_header_curl_curl_h" >&5
+$as_echo "$ac_cv_header_curl_curl_h" >&6; }
 
 fi
-if test $ac_cv_header_curl_curl_h = yes; then
+if test "x$ac_cv_header_curl_curl_h" = x""yes; then
   :
 else
-  { { echo "$as_me:$LINENO: error: CURL header curl/curl.h not found!" >&5
-echo "$as_me: error: CURL header curl/curl.h not found!" >&2;}
+  { { $as_echo "$as_me:$LINENO: error: CURL header curl/curl.h not found!" >&5
+$as_echo "$as_me: error: CURL header curl/curl.h not found!" >&2;}
    { (exit 1); exit 1; }; }
 fi
 
@@ -14681,18 +15467,18 @@ fi
 if test x$xml = xtrue; then
 
 pkg_failed=no
-{ echo "$as_me:$LINENO: checking for xml" >&5
-echo $ECHO_N "checking for xml... $ECHO_C" >&6; }
+{ $as_echo "$as_me:$LINENO: checking for xml" >&5
+$as_echo_n "checking for xml... " >&6; }
 
 if test -n "$PKG_CONFIG"; then
     if test -n "$xml_CFLAGS"; then
         pkg_cv_xml_CFLAGS="$xml_CFLAGS"
     else
         if test -n "$PKG_CONFIG" && \
-    { (echo "$as_me:$LINENO: \$PKG_CONFIG --exists --print-errors \"libxml-2.0\"") >&5
+    { ($as_echo "$as_me:$LINENO: \$PKG_CONFIG --exists --print-errors \"libxml-2.0\"") >&5
   ($PKG_CONFIG --exists --print-errors "libxml-2.0") 2>&5
   ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }; then
   pkg_cv_xml_CFLAGS=`$PKG_CONFIG --cflags "libxml-2.0" 2>/dev/null`
 else
@@ -14707,10 +15493,10 @@ if test -n "$PKG_CONFIG"; then
         pkg_cv_xml_LIBS="$xml_LIBS"
     else
         if test -n "$PKG_CONFIG" && \
-    { (echo "$as_me:$LINENO: \$PKG_CONFIG --exists --print-errors \"libxml-2.0\"") >&5
+    { ($as_echo "$as_me:$LINENO: \$PKG_CONFIG --exists --print-errors \"libxml-2.0\"") >&5
   ($PKG_CONFIG --exists --print-errors "libxml-2.0") 2>&5
   ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }; then
   pkg_cv_xml_LIBS=`$PKG_CONFIG --libs "libxml-2.0" 2>/dev/null`
 else
@@ -14738,7 +15524,7 @@ fi
 	# Put the nasty error message in config.log where it belongs
 	echo "$xml_PKG_ERRORS" >&5
 
-	{ { echo "$as_me:$LINENO: error: Package requirements (libxml-2.0) were not met:
+	{ { $as_echo "$as_me:$LINENO: error: Package requirements (libxml-2.0) were not met:
 
 $xml_PKG_ERRORS
 
@@ -14749,7 +15535,7 @@ Alternatively, you may set the environment variables xml_CFLAGS
 and xml_LIBS to avoid the need to call pkg-config.
 See the pkg-config man page for more details.
 " >&5
-echo "$as_me: error: Package requirements (libxml-2.0) were not met:
+$as_echo "$as_me: error: Package requirements (libxml-2.0) were not met:
 
 $xml_PKG_ERRORS
 
@@ -14762,7 +15548,9 @@ See the pkg-config man page for more details.
 " >&2;}
    { (exit 1); exit 1; }; }
 elif test $pkg_failed = untried; then
-	{ { echo "$as_me:$LINENO: error: The pkg-config script could not be found or is too old.  Make sure it
+	{ { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+{ { $as_echo "$as_me:$LINENO: error: The pkg-config script could not be found or is too old.  Make sure it
 is in your PATH or set the PKG_CONFIG environment variable to the full
 path to pkg-config.
 
@@ -14772,7 +15560,7 @@ See the pkg-config man page for more details.
 
 To get pkg-config, see <http://pkg-config.freedesktop.org/>.
 See \`config.log' for more details." >&5
-echo "$as_me: error: The pkg-config script could not be found or is too old.  Make sure it
+$as_echo "$as_me: error: The pkg-config script could not be found or is too old.  Make sure it
 is in your PATH or set the PKG_CONFIG environment variable to the full
 path to pkg-config.
 
@@ -14782,12 +15570,12 @@ See the pkg-config man page for more details.
 
 To get pkg-config, see <http://pkg-config.freedesktop.org/>.
 See \`config.log' for more details." >&2;}
-   { (exit 1); exit 1; }; }
+   { (exit 1); exit 1; }; }; }
 else
 	xml_CFLAGS=$pkg_cv_xml_CFLAGS
 	xml_LIBS=$pkg_cv_xml_LIBS
-        { echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6; }
+        { $as_echo "$as_me:$LINENO: result: yes" >&5
+$as_echo "yes" >&6; }
 	:
 fi
 
@@ -14797,18 +15585,18 @@ fi
 if test x$dumm = xtrue; then
 
 pkg_failed=no
-{ echo "$as_me:$LINENO: checking for gtk" >&5
-echo $ECHO_N "checking for gtk... $ECHO_C" >&6; }
+{ $as_echo "$as_me:$LINENO: checking for gtk" >&5
+$as_echo_n "checking for gtk... " >&6; }
 
 if test -n "$PKG_CONFIG"; then
     if test -n "$gtk_CFLAGS"; then
         pkg_cv_gtk_CFLAGS="$gtk_CFLAGS"
     else
         if test -n "$PKG_CONFIG" && \
-    { (echo "$as_me:$LINENO: \$PKG_CONFIG --exists --print-errors \"gtk+-2.0 vte\"") >&5
+    { ($as_echo "$as_me:$LINENO: \$PKG_CONFIG --exists --print-errors \"gtk+-2.0 vte\"") >&5
   ($PKG_CONFIG --exists --print-errors "gtk+-2.0 vte") 2>&5
   ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }; then
   pkg_cv_gtk_CFLAGS=`$PKG_CONFIG --cflags "gtk+-2.0 vte" 2>/dev/null`
 else
@@ -14823,10 +15611,10 @@ if test -n "$PKG_CONFIG"; then
         pkg_cv_gtk_LIBS="$gtk_LIBS"
     else
         if test -n "$PKG_CONFIG" && \
-    { (echo "$as_me:$LINENO: \$PKG_CONFIG --exists --print-errors \"gtk+-2.0 vte\"") >&5
+    { ($as_echo "$as_me:$LINENO: \$PKG_CONFIG --exists --print-errors \"gtk+-2.0 vte\"") >&5
   ($PKG_CONFIG --exists --print-errors "gtk+-2.0 vte") 2>&5
   ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }; then
   pkg_cv_gtk_LIBS=`$PKG_CONFIG --libs "gtk+-2.0 vte" 2>/dev/null`
 else
@@ -14854,7 +15642,7 @@ fi
 	# Put the nasty error message in config.log where it belongs
 	echo "$gtk_PKG_ERRORS" >&5
 
-	{ { echo "$as_me:$LINENO: error: Package requirements (gtk+-2.0 vte) were not met:
+	{ { $as_echo "$as_me:$LINENO: error: Package requirements (gtk+-2.0 vte) were not met:
 
 $gtk_PKG_ERRORS
 
@@ -14865,7 +15653,7 @@ Alternatively, you may set the environment variables gtk_CFLAGS
 and gtk_LIBS to avoid the need to call pkg-config.
 See the pkg-config man page for more details.
 " >&5
-echo "$as_me: error: Package requirements (gtk+-2.0 vte) were not met:
+$as_echo "$as_me: error: Package requirements (gtk+-2.0 vte) were not met:
 
 $gtk_PKG_ERRORS
 
@@ -14878,7 +15666,9 @@ See the pkg-config man page for more details.
 " >&2;}
    { (exit 1); exit 1; }; }
 elif test $pkg_failed = untried; then
-	{ { echo "$as_me:$LINENO: error: The pkg-config script could not be found or is too old.  Make sure it
+	{ { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+{ { $as_echo "$as_me:$LINENO: error: The pkg-config script could not be found or is too old.  Make sure it
 is in your PATH or set the PKG_CONFIG environment variable to the full
 path to pkg-config.
 
@@ -14888,7 +15678,7 @@ See the pkg-config man page for more details.
 
 To get pkg-config, see <http://pkg-config.freedesktop.org/>.
 See \`config.log' for more details." >&5
-echo "$as_me: error: The pkg-config script could not be found or is too old.  Make sure it
+$as_echo "$as_me: error: The pkg-config script could not be found or is too old.  Make sure it
 is in your PATH or set the PKG_CONFIG environment variable to the full
 path to pkg-config.
 
@@ -14898,23 +15688,96 @@ See the pkg-config man page for more details.
 
 To get pkg-config, see <http://pkg-config.freedesktop.org/>.
 See \`config.log' for more details." >&2;}
-   { (exit 1); exit 1; }; }
+   { (exit 1); exit 1; }; }; }
 else
 	gtk_CFLAGS=$pkg_cv_gtk_CFLAGS
 	gtk_LIBS=$pkg_cv_gtk_LIBS
-        { echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6; }
+        { $as_echo "$as_me:$LINENO: result: yes" >&5
+$as_echo "yes" >&6; }
 	:
 fi
 
 
+	for ac_prog in ruby
+do
+  # Extract the first word of "$ac_prog", so it can be a program name with args.
+set dummy $ac_prog; ac_word=$2
+{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if test "${ac_cv_prog_RUBY+set}" = set; then
+  $as_echo_n "(cached) " >&6
+else
+  if test -n "$RUBY"; then
+  ac_cv_prog_RUBY="$RUBY" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+  for ac_exec_ext in '' $ac_executable_extensions; do
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+    ac_cv_prog_RUBY="$ac_prog"
+    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+done
+IFS=$as_save_IFS
+
+fi
+fi
+RUBY=$ac_cv_prog_RUBY
+if test -n "$RUBY"; then
+  { $as_echo "$as_me:$LINENO: result: $RUBY" >&5
+$as_echo "$RUBY" >&6; }
+else
+  { $as_echo "$as_me:$LINENO: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+  test -n "$RUBY" && break
+done
+
+	{ $as_echo "$as_me:$LINENO: checking for Ruby header files" >&5
+$as_echo_n "checking for Ruby header files... " >&6; }
+	if test -n "$RUBY"; then
+		RUBYDIR=`($RUBY -rmkmf -e 'print Config::CONFIG["archdir"] || $archdir') 2>/dev/null`
+		if test -n "$RUBYDIR"; then
+			dirs="$RUBYDIR"
+			RUBYINCLUDE=none
+			for i in $dirs; do
+				if test -r $i/ruby.h; then
+					{ $as_echo "$as_me:$LINENO: result: $i" >&5
+$as_echo "$i" >&6; }
+					RUBYINCLUDE="-I$i"
+					break;
+				fi
+			done
+			if test x"$RUBYINCLUDE" = xnone; then
+				{ { $as_echo "$as_me:$LINENO: error: ruby.h not found" >&5
+$as_echo "$as_me: error: ruby.h not found" >&2;}
+   { (exit 1); exit 1; }; }
+			fi
+
+		else
+			{ { $as_echo "$as_me:$LINENO: error: unable to determine ruby configuration" >&5
+$as_echo "$as_me: error: unable to determine ruby configuration" >&2;}
+   { (exit 1); exit 1; }; }
+		fi
+	else
+		{ { $as_echo "$as_me:$LINENO: error: don't know how to run ruby" >&5
+$as_echo "$as_me: error: don't know how to run ruby" >&2;}
+   { (exit 1); exit 1; }; }
+	fi
 fi
 
 if test x$fast = xtrue; then
-	{ echo "$as_me:$LINENO: checking for main in -lneo_cgi" >&5
-echo $ECHO_N "checking for main in -lneo_cgi... $ECHO_C" >&6; }
+	{ $as_echo "$as_me:$LINENO: checking for main in -lneo_cgi" >&5
+$as_echo_n "checking for main in -lneo_cgi... " >&6; }
 if test "${ac_cv_lib_neo_cgi_main+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
 LIBS="-lneo_cgi  $LIBS"
@@ -14940,45 +15803,49 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
+       } && test -s conftest$ac_exeext && {
+	 test "$cross_compiling" = yes ||
+	 $as_test_x conftest$ac_exeext
+       }; then
   ac_cv_lib_neo_cgi_main=yes
 else
-  echo "$as_me: failed program was:" >&5
+  $as_echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_cv_lib_neo_cgi_main=no
 fi
 
+rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ echo "$as_me:$LINENO: result: $ac_cv_lib_neo_cgi_main" >&5
-echo "${ECHO_T}$ac_cv_lib_neo_cgi_main" >&6; }
-if test $ac_cv_lib_neo_cgi_main = yes; then
+{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_neo_cgi_main" >&5
+$as_echo "$ac_cv_lib_neo_cgi_main" >&6; }
+if test "x$ac_cv_lib_neo_cgi_main" = x""yes; then
   LIBS="$LIBS"
 else
-  { { echo "$as_me:$LINENO: error: ClearSilver library neo_cgi not found!" >&5
-echo "$as_me: error: ClearSilver library neo_cgi not found!" >&2;}
+  { { $as_echo "$as_me:$LINENO: error: ClearSilver library neo_cgi not found!" >&5
+$as_echo "$as_me: error: ClearSilver library neo_cgi not found!" >&2;}
    { (exit 1); exit 1; }; }
 fi
 ac_cv_lib_neo_cgi=ac_cv_lib_neo_cgi_main
 
-	{ echo "$as_me:$LINENO: checking for main in -lneo_utl" >&5
-echo $ECHO_N "checking for main in -lneo_utl... $ECHO_C" >&6; }
+	{ $as_echo "$as_me:$LINENO: checking for main in -lneo_utl" >&5
+$as_echo_n "checking for main in -lneo_utl... " >&6; }
 if test "${ac_cv_lib_neo_utl_main+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
 LIBS="-lneo_utl  $LIBS"
@@ -15004,45 +15871,49 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
+       } && test -s conftest$ac_exeext && {
+	 test "$cross_compiling" = yes ||
+	 $as_test_x conftest$ac_exeext
+       }; then
   ac_cv_lib_neo_utl_main=yes
 else
-  echo "$as_me: failed program was:" >&5
+  $as_echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_cv_lib_neo_utl_main=no
 fi
 
+rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ echo "$as_me:$LINENO: result: $ac_cv_lib_neo_utl_main" >&5
-echo "${ECHO_T}$ac_cv_lib_neo_utl_main" >&6; }
-if test $ac_cv_lib_neo_utl_main = yes; then
+{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_neo_utl_main" >&5
+$as_echo "$ac_cv_lib_neo_utl_main" >&6; }
+if test "x$ac_cv_lib_neo_utl_main" = x""yes; then
   LIBS="$LIBS"
 else
-  { { echo "$as_me:$LINENO: error: ClearSilver library neo_utl not found!" >&5
-echo "$as_me: error: ClearSilver library neo_utl not found!" >&2;}
+  { { $as_echo "$as_me:$LINENO: error: ClearSilver library neo_utl not found!" >&5
+$as_echo "$as_me: error: ClearSilver library neo_utl not found!" >&2;}
    { (exit 1); exit 1; }; }
 fi
 ac_cv_lib_neo_utl=ac_cv_lib_neo_utl_main
 
-	{ echo "$as_me:$LINENO: checking for main in -lz" >&5
-echo $ECHO_N "checking for main in -lz... $ECHO_C" >&6; }
+	{ $as_echo "$as_me:$LINENO: checking for main in -lz" >&5
+$as_echo_n "checking for main in -lz... " >&6; }
 if test "${ac_cv_lib_z_main+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
 LIBS="-lz  $LIBS"
@@ -15068,46 +15939,50 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
+       } && test -s conftest$ac_exeext && {
+	 test "$cross_compiling" = yes ||
+	 $as_test_x conftest$ac_exeext
+       }; then
   ac_cv_lib_z_main=yes
 else
-  echo "$as_me: failed program was:" >&5
+  $as_echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_cv_lib_z_main=no
 fi
 
+rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ echo "$as_me:$LINENO: result: $ac_cv_lib_z_main" >&5
-echo "${ECHO_T}$ac_cv_lib_z_main" >&6; }
-if test $ac_cv_lib_z_main = yes; then
+{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_z_main" >&5
+$as_echo "$ac_cv_lib_z_main" >&6; }
+if test "x$ac_cv_lib_z_main" = x""yes; then
   LIBS="$LIBS"
 else
-  { { echo "$as_me:$LINENO: error: ClearSilver dependency zlib not found!" >&5
-echo "$as_me: error: ClearSilver dependency zlib not found!" >&2;}
+  { { $as_echo "$as_me:$LINENO: error: ClearSilver dependency zlib not found!" >&5
+$as_echo "$as_me: error: ClearSilver dependency zlib not found!" >&2;}
    { (exit 1); exit 1; }; }
 fi
 ac_cv_lib_z=ac_cv_lib_z_main
 
 
-	{ echo "$as_me:$LINENO: checking for main in -lfcgi" >&5
-echo $ECHO_N "checking for main in -lfcgi... $ECHO_C" >&6; }
+	{ $as_echo "$as_me:$LINENO: checking for main in -lfcgi" >&5
+$as_echo_n "checking for main in -lfcgi... " >&6; }
 if test "${ac_cv_lib_fcgi_main+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
 LIBS="-lfcgi  $LIBS"
@@ -15133,53 +16008,57 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
+       } && test -s conftest$ac_exeext && {
+	 test "$cross_compiling" = yes ||
+	 $as_test_x conftest$ac_exeext
+       }; then
   ac_cv_lib_fcgi_main=yes
 else
-  echo "$as_me: failed program was:" >&5
+  $as_echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_cv_lib_fcgi_main=no
 fi
 
+rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ echo "$as_me:$LINENO: result: $ac_cv_lib_fcgi_main" >&5
-echo "${ECHO_T}$ac_cv_lib_fcgi_main" >&6; }
-if test $ac_cv_lib_fcgi_main = yes; then
+{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_fcgi_main" >&5
+$as_echo "$ac_cv_lib_fcgi_main" >&6; }
+if test "x$ac_cv_lib_fcgi_main" = x""yes; then
   LIBS="$LIBS"
 else
-  { { echo "$as_me:$LINENO: error: FastCGI library fcgi not found!" >&5
-echo "$as_me: error: FastCGI library fcgi not found!" >&2;}
+  { { $as_echo "$as_me:$LINENO: error: FastCGI library fcgi not found!" >&5
+$as_echo "$as_me: error: FastCGI library fcgi not found!" >&2;}
    { (exit 1); exit 1; }; }
 fi
 ac_cv_lib_fcgi=ac_cv_lib_fcgi_main
 
 	if test "${ac_cv_header_fcgiapp_h+set}" = set; then
-  { echo "$as_me:$LINENO: checking for fcgiapp.h" >&5
-echo $ECHO_N "checking for fcgiapp.h... $ECHO_C" >&6; }
+  { $as_echo "$as_me:$LINENO: checking for fcgiapp.h" >&5
+$as_echo_n "checking for fcgiapp.h... " >&6; }
 if test "${ac_cv_header_fcgiapp_h+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 fi
-{ echo "$as_me:$LINENO: result: $ac_cv_header_fcgiapp_h" >&5
-echo "${ECHO_T}$ac_cv_header_fcgiapp_h" >&6; }
+{ $as_echo "$as_me:$LINENO: result: $ac_cv_header_fcgiapp_h" >&5
+$as_echo "$ac_cv_header_fcgiapp_h" >&6; }
 else
   # Is the header compilable?
-{ echo "$as_me:$LINENO: checking fcgiapp.h usability" >&5
-echo $ECHO_N "checking fcgiapp.h usability... $ECHO_C" >&6; }
+{ $as_echo "$as_me:$LINENO: checking fcgiapp.h usability" >&5
+$as_echo_n "checking fcgiapp.h usability... " >&6; }
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -15195,32 +16074,33 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
   (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
        } && test -s conftest.$ac_objext; then
   ac_header_compiler=yes
 else
-  echo "$as_me: failed program was:" >&5
+  $as_echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_header_compiler=no
 fi
 
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
-echo "${ECHO_T}$ac_header_compiler" >&6; }
+{ $as_echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
+$as_echo "$ac_header_compiler" >&6; }
 
 # Is the header present?
-{ echo "$as_me:$LINENO: checking fcgiapp.h presence" >&5
-echo $ECHO_N "checking fcgiapp.h presence... $ECHO_C" >&6; }
+{ $as_echo "$as_me:$LINENO: checking fcgiapp.h presence" >&5
+$as_echo_n "checking fcgiapp.h presence... " >&6; }
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -15234,70 +16114,71 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
   (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } >/dev/null && {
 	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
 	 test ! -s conftest.err
        }; then
   ac_header_preproc=yes
 else
-  echo "$as_me: failed program was:" >&5
+  $as_echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
   ac_header_preproc=no
 fi
 
 rm -f conftest.err conftest.$ac_ext
-{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
-echo "${ECHO_T}$ac_header_preproc" >&6; }
+{ $as_echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
+$as_echo "$ac_header_preproc" >&6; }
 
 # So?  What about this header?
 case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
   yes:no: )
-    { echo "$as_me:$LINENO: WARNING: fcgiapp.h: accepted by the compiler, rejected by the preprocessor!" >&5
-echo "$as_me: WARNING: fcgiapp.h: accepted by the compiler, rejected by the preprocessor!" >&2;}
-    { echo "$as_me:$LINENO: WARNING: fcgiapp.h: proceeding with the compiler's result" >&5
-echo "$as_me: WARNING: fcgiapp.h: proceeding with the compiler's result" >&2;}
+    { $as_echo "$as_me:$LINENO: WARNING: fcgiapp.h: accepted by the compiler, rejected by the preprocessor!" >&5
+$as_echo "$as_me: WARNING: fcgiapp.h: accepted by the compiler, rejected by the preprocessor!" >&2;}
+    { $as_echo "$as_me:$LINENO: WARNING: fcgiapp.h: proceeding with the compiler's result" >&5
+$as_echo "$as_me: WARNING: fcgiapp.h: proceeding with the compiler's result" >&2;}
     ac_header_preproc=yes
     ;;
   no:yes:* )
-    { echo "$as_me:$LINENO: WARNING: fcgiapp.h: present but cannot be compiled" >&5
-echo "$as_me: WARNING: fcgiapp.h: present but cannot be compiled" >&2;}
-    { echo "$as_me:$LINENO: WARNING: fcgiapp.h:     check for missing prerequisite headers?" >&5
-echo "$as_me: WARNING: fcgiapp.h:     check for missing prerequisite headers?" >&2;}
-    { echo "$as_me:$LINENO: WARNING: fcgiapp.h: see the Autoconf documentation" >&5
-echo "$as_me: WARNING: fcgiapp.h: see the Autoconf documentation" >&2;}
-    { echo "$as_me:$LINENO: WARNING: fcgiapp.h:     section \"Present But Cannot Be Compiled\"" >&5
-echo "$as_me: WARNING: fcgiapp.h:     section \"Present But Cannot Be Compiled\"" >&2;}
-    { echo "$as_me:$LINENO: WARNING: fcgiapp.h: proceeding with the preprocessor's result" >&5
-echo "$as_me: WARNING: fcgiapp.h: proceeding with the preprocessor's result" >&2;}
-    { echo "$as_me:$LINENO: WARNING: fcgiapp.h: in the future, the compiler will take precedence" >&5
-echo "$as_me: WARNING: fcgiapp.h: in the future, the compiler will take precedence" >&2;}
+    { $as_echo "$as_me:$LINENO: WARNING: fcgiapp.h: present but cannot be compiled" >&5
+$as_echo "$as_me: WARNING: fcgiapp.h: present but cannot be compiled" >&2;}
+    { $as_echo "$as_me:$LINENO: WARNING: fcgiapp.h:     check for missing prerequisite headers?" >&5
+$as_echo "$as_me: WARNING: fcgiapp.h:     check for missing prerequisite headers?" >&2;}
+    { $as_echo "$as_me:$LINENO: WARNING: fcgiapp.h: see the Autoconf documentation" >&5
+$as_echo "$as_me: WARNING: fcgiapp.h: see the Autoconf documentation" >&2;}
+    { $as_echo "$as_me:$LINENO: WARNING: fcgiapp.h:     section \"Present But Cannot Be Compiled\"" >&5
+$as_echo "$as_me: WARNING: fcgiapp.h:     section \"Present But Cannot Be Compiled\"" >&2;}
+    { $as_echo "$as_me:$LINENO: WARNING: fcgiapp.h: proceeding with the preprocessor's result" >&5
+$as_echo "$as_me: WARNING: fcgiapp.h: proceeding with the preprocessor's result" >&2;}
+    { $as_echo "$as_me:$LINENO: WARNING: fcgiapp.h: in the future, the compiler will take precedence" >&5
+$as_echo "$as_me: WARNING: fcgiapp.h: in the future, the compiler will take precedence" >&2;}
 
     ;;
 esac
-{ echo "$as_me:$LINENO: checking for fcgiapp.h" >&5
-echo $ECHO_N "checking for fcgiapp.h... $ECHO_C" >&6; }
+{ $as_echo "$as_me:$LINENO: checking for fcgiapp.h" >&5
+$as_echo_n "checking for fcgiapp.h... " >&6; }
 if test "${ac_cv_header_fcgiapp_h+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 else
   ac_cv_header_fcgiapp_h=$ac_header_preproc
 fi
-{ echo "$as_me:$LINENO: result: $ac_cv_header_fcgiapp_h" >&5
-echo "${ECHO_T}$ac_cv_header_fcgiapp_h" >&6; }
+{ $as_echo "$as_me:$LINENO: result: $ac_cv_header_fcgiapp_h" >&5
+$as_echo "$ac_cv_header_fcgiapp_h" >&6; }
 
 fi
-if test $ac_cv_header_fcgiapp_h = yes; then
+if test "x$ac_cv_header_fcgiapp_h" = x""yes; then
   :
 else
-  { { echo "$as_me:$LINENO: error: FastCGI header file fcgiapp.h not found!" >&5
-echo "$as_me: error: FastCGI header file fcgiapp.h not found!" >&2;}
+  { { $as_echo "$as_me:$LINENO: error: FastCGI header file fcgiapp.h not found!" >&5
+$as_echo "$as_me: error: FastCGI header file fcgiapp.h not found!" >&2;}
    { (exit 1); exit 1; }; }
 fi
 
@@ -15305,10 +16186,10 @@ fi
 fi
 
 if test x$mysql = xtrue; then
-	{ echo "$as_me:$LINENO: checking for main in -lmysqlclient_r" >&5
-echo $ECHO_N "checking for main in -lmysqlclient_r... $ECHO_C" >&6; }
+	{ $as_echo "$as_me:$LINENO: checking for main in -lmysqlclient_r" >&5
+$as_echo_n "checking for main in -lmysqlclient_r... " >&6; }
 if test "${ac_cv_lib_mysqlclient_r_main+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
 LIBS="-lmysqlclient_r  $LIBS"
@@ -15334,53 +16215,57 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
+       } && test -s conftest$ac_exeext && {
+	 test "$cross_compiling" = yes ||
+	 $as_test_x conftest$ac_exeext
+       }; then
   ac_cv_lib_mysqlclient_r_main=yes
 else
-  echo "$as_me: failed program was:" >&5
+  $as_echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_cv_lib_mysqlclient_r_main=no
 fi
 
+rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ echo "$as_me:$LINENO: result: $ac_cv_lib_mysqlclient_r_main" >&5
-echo "${ECHO_T}$ac_cv_lib_mysqlclient_r_main" >&6; }
-if test $ac_cv_lib_mysqlclient_r_main = yes; then
+{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_mysqlclient_r_main" >&5
+$as_echo "$ac_cv_lib_mysqlclient_r_main" >&6; }
+if test "x$ac_cv_lib_mysqlclient_r_main" = x""yes; then
   LIBS="$LIBS"
 else
-  { { echo "$as_me:$LINENO: error: MySQL library mysqlclient_r not found" >&5
-echo "$as_me: error: MySQL library mysqlclient_r not found" >&2;}
+  { { $as_echo "$as_me:$LINENO: error: MySQL library mysqlclient_r not found" >&5
+$as_echo "$as_me: error: MySQL library mysqlclient_r not found" >&2;}
    { (exit 1); exit 1; }; }
 fi
 ac_cv_lib_mysqlclient_r=ac_cv_lib_mysqlclient_r_main
 
 	if test "${ac_cv_header_mysql_mysql_h+set}" = set; then
-  { echo "$as_me:$LINENO: checking for mysql/mysql.h" >&5
-echo $ECHO_N "checking for mysql/mysql.h... $ECHO_C" >&6; }
+  { $as_echo "$as_me:$LINENO: checking for mysql/mysql.h" >&5
+$as_echo_n "checking for mysql/mysql.h... " >&6; }
 if test "${ac_cv_header_mysql_mysql_h+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 fi
-{ echo "$as_me:$LINENO: result: $ac_cv_header_mysql_mysql_h" >&5
-echo "${ECHO_T}$ac_cv_header_mysql_mysql_h" >&6; }
+{ $as_echo "$as_me:$LINENO: result: $ac_cv_header_mysql_mysql_h" >&5
+$as_echo "$ac_cv_header_mysql_mysql_h" >&6; }
 else
   # Is the header compilable?
-{ echo "$as_me:$LINENO: checking mysql/mysql.h usability" >&5
-echo $ECHO_N "checking mysql/mysql.h usability... $ECHO_C" >&6; }
+{ $as_echo "$as_me:$LINENO: checking mysql/mysql.h usability" >&5
+$as_echo_n "checking mysql/mysql.h usability... " >&6; }
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -15396,32 +16281,33 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
   (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
        } && test -s conftest.$ac_objext; then
   ac_header_compiler=yes
 else
-  echo "$as_me: failed program was:" >&5
+  $as_echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_header_compiler=no
 fi
 
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
-echo "${ECHO_T}$ac_header_compiler" >&6; }
+{ $as_echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
+$as_echo "$ac_header_compiler" >&6; }
 
 # Is the header present?
-{ echo "$as_me:$LINENO: checking mysql/mysql.h presence" >&5
-echo $ECHO_N "checking mysql/mysql.h presence... $ECHO_C" >&6; }
+{ $as_echo "$as_me:$LINENO: checking mysql/mysql.h presence" >&5
+$as_echo_n "checking mysql/mysql.h presence... " >&6; }
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -15435,70 +16321,71 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
   (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } >/dev/null && {
 	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
 	 test ! -s conftest.err
        }; then
   ac_header_preproc=yes
 else
-  echo "$as_me: failed program was:" >&5
+  $as_echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
   ac_header_preproc=no
 fi
 
 rm -f conftest.err conftest.$ac_ext
-{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
-echo "${ECHO_T}$ac_header_preproc" >&6; }
+{ $as_echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
+$as_echo "$ac_header_preproc" >&6; }
 
 # So?  What about this header?
 case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
   yes:no: )
-    { echo "$as_me:$LINENO: WARNING: mysql/mysql.h: accepted by the compiler, rejected by the preprocessor!" >&5
-echo "$as_me: WARNING: mysql/mysql.h: accepted by the compiler, rejected by the preprocessor!" >&2;}
-    { echo "$as_me:$LINENO: WARNING: mysql/mysql.h: proceeding with the compiler's result" >&5
-echo "$as_me: WARNING: mysql/mysql.h: proceeding with the compiler's result" >&2;}
+    { $as_echo "$as_me:$LINENO: WARNING: mysql/mysql.h: accepted by the compiler, rejected by the preprocessor!" >&5
+$as_echo "$as_me: WARNING: mysql/mysql.h: accepted by the compiler, rejected by the preprocessor!" >&2;}
+    { $as_echo "$as_me:$LINENO: WARNING: mysql/mysql.h: proceeding with the compiler's result" >&5
+$as_echo "$as_me: WARNING: mysql/mysql.h: proceeding with the compiler's result" >&2;}
     ac_header_preproc=yes
     ;;
   no:yes:* )
-    { echo "$as_me:$LINENO: WARNING: mysql/mysql.h: present but cannot be compiled" >&5
-echo "$as_me: WARNING: mysql/mysql.h: present but cannot be compiled" >&2;}
-    { echo "$as_me:$LINENO: WARNING: mysql/mysql.h:     check for missing prerequisite headers?" >&5
-echo "$as_me: WARNING: mysql/mysql.h:     check for missing prerequisite headers?" >&2;}
-    { echo "$as_me:$LINENO: WARNING: mysql/mysql.h: see the Autoconf documentation" >&5
-echo "$as_me: WARNING: mysql/mysql.h: see the Autoconf documentation" >&2;}
-    { echo "$as_me:$LINENO: WARNING: mysql/mysql.h:     section \"Present But Cannot Be Compiled\"" >&5
-echo "$as_me: WARNING: mysql/mysql.h:     section \"Present But Cannot Be Compiled\"" >&2;}
-    { echo "$as_me:$LINENO: WARNING: mysql/mysql.h: proceeding with the preprocessor's result" >&5
-echo "$as_me: WARNING: mysql/mysql.h: proceeding with the preprocessor's result" >&2;}
-    { echo "$as_me:$LINENO: WARNING: mysql/mysql.h: in the future, the compiler will take precedence" >&5
-echo "$as_me: WARNING: mysql/mysql.h: in the future, the compiler will take precedence" >&2;}
+    { $as_echo "$as_me:$LINENO: WARNING: mysql/mysql.h: present but cannot be compiled" >&5
+$as_echo "$as_me: WARNING: mysql/mysql.h: present but cannot be compiled" >&2;}
+    { $as_echo "$as_me:$LINENO: WARNING: mysql/mysql.h:     check for missing prerequisite headers?" >&5
+$as_echo "$as_me: WARNING: mysql/mysql.h:     check for missing prerequisite headers?" >&2;}
+    { $as_echo "$as_me:$LINENO: WARNING: mysql/mysql.h: see the Autoconf documentation" >&5
+$as_echo "$as_me: WARNING: mysql/mysql.h: see the Autoconf documentation" >&2;}
+    { $as_echo "$as_me:$LINENO: WARNING: mysql/mysql.h:     section \"Present But Cannot Be Compiled\"" >&5
+$as_echo "$as_me: WARNING: mysql/mysql.h:     section \"Present But Cannot Be Compiled\"" >&2;}
+    { $as_echo "$as_me:$LINENO: WARNING: mysql/mysql.h: proceeding with the preprocessor's result" >&5
+$as_echo "$as_me: WARNING: mysql/mysql.h: proceeding with the preprocessor's result" >&2;}
+    { $as_echo "$as_me:$LINENO: WARNING: mysql/mysql.h: in the future, the compiler will take precedence" >&5
+$as_echo "$as_me: WARNING: mysql/mysql.h: in the future, the compiler will take precedence" >&2;}
 
     ;;
 esac
-{ echo "$as_me:$LINENO: checking for mysql/mysql.h" >&5
-echo $ECHO_N "checking for mysql/mysql.h... $ECHO_C" >&6; }
+{ $as_echo "$as_me:$LINENO: checking for mysql/mysql.h" >&5
+$as_echo_n "checking for mysql/mysql.h... " >&6; }
 if test "${ac_cv_header_mysql_mysql_h+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 else
   ac_cv_header_mysql_mysql_h=$ac_header_preproc
 fi
-{ echo "$as_me:$LINENO: result: $ac_cv_header_mysql_mysql_h" >&5
-echo "${ECHO_T}$ac_cv_header_mysql_mysql_h" >&6; }
+{ $as_echo "$as_me:$LINENO: result: $ac_cv_header_mysql_mysql_h" >&5
+$as_echo "$ac_cv_header_mysql_mysql_h" >&6; }
 
 fi
-if test $ac_cv_header_mysql_mysql_h = yes; then
+if test "x$ac_cv_header_mysql_mysql_h" = x""yes; then
   :
 else
-  { { echo "$as_me:$LINENO: error: MySQL header mysql/mysql.h not found!" >&5
-echo "$as_me: error: MySQL header mysql/mysql.h not found!" >&2;}
+  { { $as_echo "$as_me:$LINENO: error: MySQL header mysql/mysql.h not found!" >&5
+$as_echo "$as_me: error: MySQL header mysql/mysql.h not found!" >&2;}
    { (exit 1); exit 1; }; }
 fi
 
@@ -15506,10 +16393,10 @@ fi
 fi
 
 if test x$sqlite = xtrue; then
-	{ echo "$as_me:$LINENO: checking for main in -lsqlite3" >&5
-echo $ECHO_N "checking for main in -lsqlite3... $ECHO_C" >&6; }
+	{ $as_echo "$as_me:$LINENO: checking for main in -lsqlite3" >&5
+$as_echo_n "checking for main in -lsqlite3... " >&6; }
 if test "${ac_cv_lib_sqlite3_main+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
 LIBS="-lsqlite3  $LIBS"
@@ -15535,53 +16422,57 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
+       } && test -s conftest$ac_exeext && {
+	 test "$cross_compiling" = yes ||
+	 $as_test_x conftest$ac_exeext
+       }; then
   ac_cv_lib_sqlite3_main=yes
 else
-  echo "$as_me: failed program was:" >&5
+  $as_echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_cv_lib_sqlite3_main=no
 fi
 
+rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ echo "$as_me:$LINENO: result: $ac_cv_lib_sqlite3_main" >&5
-echo "${ECHO_T}$ac_cv_lib_sqlite3_main" >&6; }
-if test $ac_cv_lib_sqlite3_main = yes; then
+{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_sqlite3_main" >&5
+$as_echo "$ac_cv_lib_sqlite3_main" >&6; }
+if test "x$ac_cv_lib_sqlite3_main" = x""yes; then
   LIBS="$LIBS"
 else
-  { { echo "$as_me:$LINENO: error: SQLite library sqlite3 not found" >&5
-echo "$as_me: error: SQLite library sqlite3 not found" >&2;}
+  { { $as_echo "$as_me:$LINENO: error: SQLite library sqlite3 not found" >&5
+$as_echo "$as_me: error: SQLite library sqlite3 not found" >&2;}
    { (exit 1); exit 1; }; }
 fi
 ac_cv_lib_sqlite3=ac_cv_lib_sqlite3_main
 
 	if test "${ac_cv_header_sqlite3_h+set}" = set; then
-  { echo "$as_me:$LINENO: checking for sqlite3.h" >&5
-echo $ECHO_N "checking for sqlite3.h... $ECHO_C" >&6; }
+  { $as_echo "$as_me:$LINENO: checking for sqlite3.h" >&5
+$as_echo_n "checking for sqlite3.h... " >&6; }
 if test "${ac_cv_header_sqlite3_h+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 fi
-{ echo "$as_me:$LINENO: result: $ac_cv_header_sqlite3_h" >&5
-echo "${ECHO_T}$ac_cv_header_sqlite3_h" >&6; }
+{ $as_echo "$as_me:$LINENO: result: $ac_cv_header_sqlite3_h" >&5
+$as_echo "$ac_cv_header_sqlite3_h" >&6; }
 else
   # Is the header compilable?
-{ echo "$as_me:$LINENO: checking sqlite3.h usability" >&5
-echo $ECHO_N "checking sqlite3.h usability... $ECHO_C" >&6; }
+{ $as_echo "$as_me:$LINENO: checking sqlite3.h usability" >&5
+$as_echo_n "checking sqlite3.h usability... " >&6; }
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -15597,32 +16488,33 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
   (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
        } && test -s conftest.$ac_objext; then
   ac_header_compiler=yes
 else
-  echo "$as_me: failed program was:" >&5
+  $as_echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_header_compiler=no
 fi
 
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
-echo "${ECHO_T}$ac_header_compiler" >&6; }
+{ $as_echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
+$as_echo "$ac_header_compiler" >&6; }
 
 # Is the header present?
-{ echo "$as_me:$LINENO: checking sqlite3.h presence" >&5
-echo $ECHO_N "checking sqlite3.h presence... $ECHO_C" >&6; }
+{ $as_echo "$as_me:$LINENO: checking sqlite3.h presence" >&5
+$as_echo_n "checking sqlite3.h presence... " >&6; }
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -15636,76 +16528,77 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
   (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } >/dev/null && {
 	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
 	 test ! -s conftest.err
        }; then
   ac_header_preproc=yes
 else
-  echo "$as_me: failed program was:" >&5
+  $as_echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
   ac_header_preproc=no
 fi
 
 rm -f conftest.err conftest.$ac_ext
-{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
-echo "${ECHO_T}$ac_header_preproc" >&6; }
+{ $as_echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
+$as_echo "$ac_header_preproc" >&6; }
 
 # So?  What about this header?
 case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
   yes:no: )
-    { echo "$as_me:$LINENO: WARNING: sqlite3.h: accepted by the compiler, rejected by the preprocessor!" >&5
-echo "$as_me: WARNING: sqlite3.h: accepted by the compiler, rejected by the preprocessor!" >&2;}
-    { echo "$as_me:$LINENO: WARNING: sqlite3.h: proceeding with the compiler's result" >&5
-echo "$as_me: WARNING: sqlite3.h: proceeding with the compiler's result" >&2;}
+    { $as_echo "$as_me:$LINENO: WARNING: sqlite3.h: accepted by the compiler, rejected by the preprocessor!" >&5
+$as_echo "$as_me: WARNING: sqlite3.h: accepted by the compiler, rejected by the preprocessor!" >&2;}
+    { $as_echo "$as_me:$LINENO: WARNING: sqlite3.h: proceeding with the compiler's result" >&5
+$as_echo "$as_me: WARNING: sqlite3.h: proceeding with the compiler's result" >&2;}
     ac_header_preproc=yes
     ;;
   no:yes:* )
-    { echo "$as_me:$LINENO: WARNING: sqlite3.h: present but cannot be compiled" >&5
-echo "$as_me: WARNING: sqlite3.h: present but cannot be compiled" >&2;}
-    { echo "$as_me:$LINENO: WARNING: sqlite3.h:     check for missing prerequisite headers?" >&5
-echo "$as_me: WARNING: sqlite3.h:     check for missing prerequisite headers?" >&2;}
-    { echo "$as_me:$LINENO: WARNING: sqlite3.h: see the Autoconf documentation" >&5
-echo "$as_me: WARNING: sqlite3.h: see the Autoconf documentation" >&2;}
-    { echo "$as_me:$LINENO: WARNING: sqlite3.h:     section \"Present But Cannot Be Compiled\"" >&5
-echo "$as_me: WARNING: sqlite3.h:     section \"Present But Cannot Be Compiled\"" >&2;}
-    { echo "$as_me:$LINENO: WARNING: sqlite3.h: proceeding with the preprocessor's result" >&5
-echo "$as_me: WARNING: sqlite3.h: proceeding with the preprocessor's result" >&2;}
-    { echo "$as_me:$LINENO: WARNING: sqlite3.h: in the future, the compiler will take precedence" >&5
-echo "$as_me: WARNING: sqlite3.h: in the future, the compiler will take precedence" >&2;}
+    { $as_echo "$as_me:$LINENO: WARNING: sqlite3.h: present but cannot be compiled" >&5
+$as_echo "$as_me: WARNING: sqlite3.h: present but cannot be compiled" >&2;}
+    { $as_echo "$as_me:$LINENO: WARNING: sqlite3.h:     check for missing prerequisite headers?" >&5
+$as_echo "$as_me: WARNING: sqlite3.h:     check for missing prerequisite headers?" >&2;}
+    { $as_echo "$as_me:$LINENO: WARNING: sqlite3.h: see the Autoconf documentation" >&5
+$as_echo "$as_me: WARNING: sqlite3.h: see the Autoconf documentation" >&2;}
+    { $as_echo "$as_me:$LINENO: WARNING: sqlite3.h:     section \"Present But Cannot Be Compiled\"" >&5
+$as_echo "$as_me: WARNING: sqlite3.h:     section \"Present But Cannot Be Compiled\"" >&2;}
+    { $as_echo "$as_me:$LINENO: WARNING: sqlite3.h: proceeding with the preprocessor's result" >&5
+$as_echo "$as_me: WARNING: sqlite3.h: proceeding with the preprocessor's result" >&2;}
+    { $as_echo "$as_me:$LINENO: WARNING: sqlite3.h: in the future, the compiler will take precedence" >&5
+$as_echo "$as_me: WARNING: sqlite3.h: in the future, the compiler will take precedence" >&2;}
 
     ;;
 esac
-{ echo "$as_me:$LINENO: checking for sqlite3.h" >&5
-echo $ECHO_N "checking for sqlite3.h... $ECHO_C" >&6; }
+{ $as_echo "$as_me:$LINENO: checking for sqlite3.h" >&5
+$as_echo_n "checking for sqlite3.h... " >&6; }
 if test "${ac_cv_header_sqlite3_h+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 else
   ac_cv_header_sqlite3_h=$ac_header_preproc
 fi
-{ echo "$as_me:$LINENO: result: $ac_cv_header_sqlite3_h" >&5
-echo "${ECHO_T}$ac_cv_header_sqlite3_h" >&6; }
+{ $as_echo "$as_me:$LINENO: result: $ac_cv_header_sqlite3_h" >&5
+$as_echo "$ac_cv_header_sqlite3_h" >&6; }
 
 fi
-if test $ac_cv_header_sqlite3_h = yes; then
+if test "x$ac_cv_header_sqlite3_h" = x""yes; then
   :
 else
-  { { echo "$as_me:$LINENO: error: SQLite header sqlite3.h not found!" >&5
-echo "$as_me: error: SQLite header sqlite3.h not found!" >&2;}
+  { { $as_echo "$as_me:$LINENO: error: SQLite header sqlite3.h not found!" >&5
+$as_echo "$as_me: error: SQLite header sqlite3.h not found!" >&2;}
    { (exit 1); exit 1; }; }
 fi
 
 
-	{ echo "$as_me:$LINENO: checking sqlite3_prepare_v2" >&5
-echo $ECHO_N "checking sqlite3_prepare_v2... $ECHO_C" >&6; }
+	{ $as_echo "$as_me:$LINENO: checking sqlite3_prepare_v2" >&5
+$as_echo_n "checking sqlite3_prepare_v2... " >&6; }
 	cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -15729,33 +16622,34 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
   (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
        } && test -s conftest.$ac_objext; then
-  { echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6; }; cat >>confdefs.h <<_ACEOF
+  { $as_echo "$as_me:$LINENO: result: yes" >&5
+$as_echo "yes" >&6; }; cat >>confdefs.h <<_ACEOF
 #define HAVE_SQLITE3_PREPARE_V2 1
 _ACEOF
 
 else
-  echo "$as_me: failed program was:" >&5
+  $as_echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-	{ echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
+	{ $as_echo "$as_me:$LINENO: result: no" >&5
+$as_echo "no" >&6; }
 fi
 
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-	{ echo "$as_me:$LINENO: checking sqlite3.h version >= 3.3.1" >&5
-echo $ECHO_N "checking sqlite3.h version >= 3.3.1... $ECHO_C" >&6; }
+	{ $as_echo "$as_me:$LINENO: checking sqlite3.h version >= 3.3.1" >&5
+$as_echo_n "checking sqlite3.h version >= 3.3.1... " >&6; }
 	cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -15781,26 +16675,27 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
   (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
        } && test -s conftest.$ac_objext; then
-  { echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6; }
+  { $as_echo "$as_me:$LINENO: result: yes" >&5
+$as_echo "yes" >&6; }
 else
-  echo "$as_me: failed program was:" >&5
+  $as_echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-	{ echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }; { { echo "$as_me:$LINENO: error: SQLite version >= 3.3.1 required!" >&5
-echo "$as_me: error: SQLite version >= 3.3.1 required!" >&2;}
+	{ $as_echo "$as_me:$LINENO: result: no" >&5
+$as_echo "no" >&6; }; { { $as_echo "$as_me:$LINENO: error: SQLite version >= 3.3.1 required!" >&5
+$as_echo "$as_me: error: SQLite version >= 3.3.1 required!" >&2;}
    { (exit 1); exit 1; }; }
 fi
 
@@ -15808,10 +16703,10 @@ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
 
 if test x$openssl = xtrue; then
-	{ echo "$as_me:$LINENO: checking for main in -lcrypto" >&5
-echo $ECHO_N "checking for main in -lcrypto... $ECHO_C" >&6; }
+	{ $as_echo "$as_me:$LINENO: checking for main in -lcrypto" >&5
+$as_echo_n "checking for main in -lcrypto... " >&6; }
 if test "${ac_cv_lib_crypto_main+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
 LIBS="-lcrypto  $LIBS"
@@ -15837,53 +16732,57 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
+       } && test -s conftest$ac_exeext && {
+	 test "$cross_compiling" = yes ||
+	 $as_test_x conftest$ac_exeext
+       }; then
   ac_cv_lib_crypto_main=yes
 else
-  echo "$as_me: failed program was:" >&5
+  $as_echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_cv_lib_crypto_main=no
 fi
 
+rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ echo "$as_me:$LINENO: result: $ac_cv_lib_crypto_main" >&5
-echo "${ECHO_T}$ac_cv_lib_crypto_main" >&6; }
-if test $ac_cv_lib_crypto_main = yes; then
+{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_crypto_main" >&5
+$as_echo "$ac_cv_lib_crypto_main" >&6; }
+if test "x$ac_cv_lib_crypto_main" = x""yes; then
   LIBS="$LIBS"
 else
-  { { echo "$as_me:$LINENO: error: OpenSSL crypto library not found" >&5
-echo "$as_me: error: OpenSSL crypto library not found" >&2;}
+  { { $as_echo "$as_me:$LINENO: error: OpenSSL crypto library not found" >&5
+$as_echo "$as_me: error: OpenSSL crypto library not found" >&2;}
    { (exit 1); exit 1; }; }
 fi
 ac_cv_lib_crypto=ac_cv_lib_crypto_main
 
 	if test "${ac_cv_header_openssl_evp_h+set}" = set; then
-  { echo "$as_me:$LINENO: checking for openssl/evp.h" >&5
-echo $ECHO_N "checking for openssl/evp.h... $ECHO_C" >&6; }
+  { $as_echo "$as_me:$LINENO: checking for openssl/evp.h" >&5
+$as_echo_n "checking for openssl/evp.h... " >&6; }
 if test "${ac_cv_header_openssl_evp_h+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 fi
-{ echo "$as_me:$LINENO: result: $ac_cv_header_openssl_evp_h" >&5
-echo "${ECHO_T}$ac_cv_header_openssl_evp_h" >&6; }
+{ $as_echo "$as_me:$LINENO: result: $ac_cv_header_openssl_evp_h" >&5
+$as_echo "$ac_cv_header_openssl_evp_h" >&6; }
 else
   # Is the header compilable?
-{ echo "$as_me:$LINENO: checking openssl/evp.h usability" >&5
-echo $ECHO_N "checking openssl/evp.h usability... $ECHO_C" >&6; }
+{ $as_echo "$as_me:$LINENO: checking openssl/evp.h usability" >&5
+$as_echo_n "checking openssl/evp.h usability... " >&6; }
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -15899,32 +16798,33 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
   (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
        } && test -s conftest.$ac_objext; then
   ac_header_compiler=yes
 else
-  echo "$as_me: failed program was:" >&5
+  $as_echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_header_compiler=no
 fi
 
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
-echo "${ECHO_T}$ac_header_compiler" >&6; }
+{ $as_echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
+$as_echo "$ac_header_compiler" >&6; }
 
 # Is the header present?
-{ echo "$as_me:$LINENO: checking openssl/evp.h presence" >&5
-echo $ECHO_N "checking openssl/evp.h presence... $ECHO_C" >&6; }
+{ $as_echo "$as_me:$LINENO: checking openssl/evp.h presence" >&5
+$as_echo_n "checking openssl/evp.h presence... " >&6; }
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -15938,81 +16838,272 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
   (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } >/dev/null && {
 	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
 	 test ! -s conftest.err
        }; then
   ac_header_preproc=yes
 else
-  echo "$as_me: failed program was:" >&5
+  $as_echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
   ac_header_preproc=no
 fi
 
 rm -f conftest.err conftest.$ac_ext
-{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
-echo "${ECHO_T}$ac_header_preproc" >&6; }
+{ $as_echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
+$as_echo "$ac_header_preproc" >&6; }
 
 # So?  What about this header?
 case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
   yes:no: )
-    { echo "$as_me:$LINENO: WARNING: openssl/evp.h: accepted by the compiler, rejected by the preprocessor!" >&5
-echo "$as_me: WARNING: openssl/evp.h: accepted by the compiler, rejected by the preprocessor!" >&2;}
-    { echo "$as_me:$LINENO: WARNING: openssl/evp.h: proceeding with the compiler's result" >&5
-echo "$as_me: WARNING: openssl/evp.h: proceeding with the compiler's result" >&2;}
+    { $as_echo "$as_me:$LINENO: WARNING: openssl/evp.h: accepted by the compiler, rejected by the preprocessor!" >&5
+$as_echo "$as_me: WARNING: openssl/evp.h: accepted by the compiler, rejected by the preprocessor!" >&2;}
+    { $as_echo "$as_me:$LINENO: WARNING: openssl/evp.h: proceeding with the compiler's result" >&5
+$as_echo "$as_me: WARNING: openssl/evp.h: proceeding with the compiler's result" >&2;}
     ac_header_preproc=yes
     ;;
   no:yes:* )
-    { echo "$as_me:$LINENO: WARNING: openssl/evp.h: present but cannot be compiled" >&5
-echo "$as_me: WARNING: openssl/evp.h: present but cannot be compiled" >&2;}
-    { echo "$as_me:$LINENO: WARNING: openssl/evp.h:     check for missing prerequisite headers?" >&5
-echo "$as_me: WARNING: openssl/evp.h:     check for missing prerequisite headers?" >&2;}
-    { echo "$as_me:$LINENO: WARNING: openssl/evp.h: see the Autoconf documentation" >&5
-echo "$as_me: WARNING: openssl/evp.h: see the Autoconf documentation" >&2;}
-    { echo "$as_me:$LINENO: WARNING: openssl/evp.h:     section \"Present But Cannot Be Compiled\"" >&5
-echo "$as_me: WARNING: openssl/evp.h:     section \"Present But Cannot Be Compiled\"" >&2;}
-    { echo "$as_me:$LINENO: WARNING: openssl/evp.h: proceeding with the preprocessor's result" >&5
-echo "$as_me: WARNING: openssl/evp.h: proceeding with the preprocessor's result" >&2;}
-    { echo "$as_me:$LINENO: WARNING: openssl/evp.h: in the future, the compiler will take precedence" >&5
-echo "$as_me: WARNING: openssl/evp.h: in the future, the compiler will take precedence" >&2;}
+    { $as_echo "$as_me:$LINENO: WARNING: openssl/evp.h: present but cannot be compiled" >&5
+$as_echo "$as_me: WARNING: openssl/evp.h: present but cannot be compiled" >&2;}
+    { $as_echo "$as_me:$LINENO: WARNING: openssl/evp.h:     check for missing prerequisite headers?" >&5
+$as_echo "$as_me: WARNING: openssl/evp.h:     check for missing prerequisite headers?" >&2;}
+    { $as_echo "$as_me:$LINENO: WARNING: openssl/evp.h: see the Autoconf documentation" >&5
+$as_echo "$as_me: WARNING: openssl/evp.h: see the Autoconf documentation" >&2;}
+    { $as_echo "$as_me:$LINENO: WARNING: openssl/evp.h:     section \"Present But Cannot Be Compiled\"" >&5
+$as_echo "$as_me: WARNING: openssl/evp.h:     section \"Present But Cannot Be Compiled\"" >&2;}
+    { $as_echo "$as_me:$LINENO: WARNING: openssl/evp.h: proceeding with the preprocessor's result" >&5
+$as_echo "$as_me: WARNING: openssl/evp.h: proceeding with the preprocessor's result" >&2;}
+    { $as_echo "$as_me:$LINENO: WARNING: openssl/evp.h: in the future, the compiler will take precedence" >&5
+$as_echo "$as_me: WARNING: openssl/evp.h: in the future, the compiler will take precedence" >&2;}
 
     ;;
 esac
-{ echo "$as_me:$LINENO: checking for openssl/evp.h" >&5
-echo $ECHO_N "checking for openssl/evp.h... $ECHO_C" >&6; }
+{ $as_echo "$as_me:$LINENO: checking for openssl/evp.h" >&5
+$as_echo_n "checking for openssl/evp.h... " >&6; }
 if test "${ac_cv_header_openssl_evp_h+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 else
   ac_cv_header_openssl_evp_h=$ac_header_preproc
 fi
-{ echo "$as_me:$LINENO: result: $ac_cv_header_openssl_evp_h" >&5
-echo "${ECHO_T}$ac_cv_header_openssl_evp_h" >&6; }
+{ $as_echo "$as_me:$LINENO: result: $ac_cv_header_openssl_evp_h" >&5
+$as_echo "$ac_cv_header_openssl_evp_h" >&6; }
 
 fi
-if test $ac_cv_header_openssl_evp_h = yes; then
+if test "x$ac_cv_header_openssl_evp_h" = x""yes; then
   :
 else
-  { { echo "$as_me:$LINENO: error: OpenSSL header openssl/evp.h not found!" >&5
-echo "$as_me: error: OpenSSL header openssl/evp.h not found!" >&2;}
+  { { $as_echo "$as_me:$LINENO: error: OpenSSL header openssl/evp.h not found!" >&5
+$as_echo "$as_me: error: OpenSSL header openssl/evp.h not found!" >&2;}
    { (exit 1); exit 1; }; }
 fi
 
 
 fi
 
+if test x$gcrypt = xtrue; then
+
+# Check whether --with-libgcrypt-prefix was given.
+if test "${with_libgcrypt_prefix+set}" = set; then
+  withval=$with_libgcrypt_prefix; libgcrypt_config_prefix="$withval"
+else
+  libgcrypt_config_prefix=""
+fi
+
+  if test x$libgcrypt_config_prefix != x ; then
+     if test x${LIBGCRYPT_CONFIG+set} != xset ; then
+        LIBGCRYPT_CONFIG=$libgcrypt_config_prefix/bin/libgcrypt-config
+     fi
+  fi
+
+  # Extract the first word of "libgcrypt-config", so it can be a program name with args.
+set dummy libgcrypt-config; ac_word=$2
+{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if test "${ac_cv_path_LIBGCRYPT_CONFIG+set}" = set; then
+  $as_echo_n "(cached) " >&6
+else
+  case $LIBGCRYPT_CONFIG in
+  [\\/]* | ?:[\\/]*)
+  ac_cv_path_LIBGCRYPT_CONFIG="$LIBGCRYPT_CONFIG" # Let the user override the test with a path.
+  ;;
+  *)
+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+  for ac_exec_ext in '' $ac_executable_extensions; do
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+    ac_cv_path_LIBGCRYPT_CONFIG="$as_dir/$ac_word$ac_exec_ext"
+    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+done
+IFS=$as_save_IFS
+
+  test -z "$ac_cv_path_LIBGCRYPT_CONFIG" && ac_cv_path_LIBGCRYPT_CONFIG="no"
+  ;;
+esac
+fi
+LIBGCRYPT_CONFIG=$ac_cv_path_LIBGCRYPT_CONFIG
+if test -n "$LIBGCRYPT_CONFIG"; then
+  { $as_echo "$as_me:$LINENO: result: $LIBGCRYPT_CONFIG" >&5
+$as_echo "$LIBGCRYPT_CONFIG" >&6; }
+else
+  { $as_echo "$as_me:$LINENO: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+  tmp=1:1.2.0
+  if echo "$tmp" | grep ':' >/dev/null 2>/dev/null ; then
+     req_libgcrypt_api=`echo "$tmp"     | sed 's/\(.*\):\(.*\)/\1/'`
+     min_libgcrypt_version=`echo "$tmp" | sed 's/\(.*\):\(.*\)/\2/'`
+  else
+     req_libgcrypt_api=0
+     min_libgcrypt_version="$tmp"
+  fi
+
+  { $as_echo "$as_me:$LINENO: checking for LIBGCRYPT - version >= $min_libgcrypt_version" >&5
+$as_echo_n "checking for LIBGCRYPT - version >= $min_libgcrypt_version... " >&6; }
+  ok=no
+  if test "$LIBGCRYPT_CONFIG" != "no" ; then
+    req_major=`echo $min_libgcrypt_version | \
+               sed 's/\([0-9]*\)\.\([0-9]*\)\.\([0-9]*\)/\1/'`
+    req_minor=`echo $min_libgcrypt_version | \
+               sed 's/\([0-9]*\)\.\([0-9]*\)\.\([0-9]*\)/\2/'`
+    req_micro=`echo $min_libgcrypt_version | \
+               sed 's/\([0-9]*\)\.\([0-9]*\)\.\([0-9]*\)/\3/'`
+    libgcrypt_config_version=`$LIBGCRYPT_CONFIG --version`
+    major=`echo $libgcrypt_config_version | \
+               sed 's/\([0-9]*\)\.\([0-9]*\)\.\([0-9]*\).*/\1/'`
+    minor=`echo $libgcrypt_config_version | \
+               sed 's/\([0-9]*\)\.\([0-9]*\)\.\([0-9]*\).*/\2/'`
+    micro=`echo $libgcrypt_config_version | \
+               sed 's/\([0-9]*\)\.\([0-9]*\)\.\([0-9]*\).*/\3/'`
+    if test "$major" -gt "$req_major"; then
+        ok=yes
+    else
+        if test "$major" -eq "$req_major"; then
+            if test "$minor" -gt "$req_minor"; then
+               ok=yes
+            else
+               if test "$minor" -eq "$req_minor"; then
+                   if test "$micro" -ge "$req_micro"; then
+                     ok=yes
+                   fi
+               fi
+            fi
+        fi
+    fi
+  fi
+  if test $ok = yes; then
+    { $as_echo "$as_me:$LINENO: result: yes ($libgcrypt_config_version)" >&5
+$as_echo "yes ($libgcrypt_config_version)" >&6; }
+  else
+    { $as_echo "$as_me:$LINENO: result: no" >&5
+$as_echo "no" >&6; }
+  fi
+  if test $ok = yes; then
+     # If we have a recent libgcrypt, we should also check that the
+     # API is compatible
+     if test "$req_libgcrypt_api" -gt 0 ; then
+        tmp=`$LIBGCRYPT_CONFIG --api-version 2>/dev/null || echo 0`
+        if test "$tmp" -gt 0 ; then
+           { $as_echo "$as_me:$LINENO: checking LIBGCRYPT API version" >&5
+$as_echo_n "checking LIBGCRYPT API version... " >&6; }
+           if test "$req_libgcrypt_api" -eq "$tmp" ; then
+             { $as_echo "$as_me:$LINENO: result: okay" >&5
+$as_echo "okay" >&6; }
+           else
+             ok=no
+             { $as_echo "$as_me:$LINENO: result: does not match. want=$req_libgcrypt_api got=$tmp" >&5
+$as_echo "does not match. want=$req_libgcrypt_api got=$tmp" >&6; }
+           fi
+        fi
+     fi
+  fi
+  if test $ok = yes; then
+    LIBGCRYPT_CFLAGS=`$LIBGCRYPT_CONFIG --cflags`
+    LIBGCRYPT_LIBS=`$LIBGCRYPT_CONFIG --libs`
+    :
+  else
+    LIBGCRYPT_CFLAGS=""
+    LIBGCRYPT_LIBS=""
+    { { $as_echo "$as_me:$LINENO: error: libgcrypt not found!" >&5
+$as_echo "$as_me: error: libgcrypt not found!" >&2;}
+   { (exit 1); exit 1; }; }
+  fi
+
+
+
+	{ $as_echo "$as_me:$LINENO: checking gcrypt CAMELLIA cipher" >&5
+$as_echo_n "checking gcrypt CAMELLIA cipher... " >&6; }
+	cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+#include <gcrypt.h>
+int
+main ()
+{
+enum gcry_cipher_algos alg = GCRY_CIPHER_CAMELLIA128;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  { $as_echo "$as_me:$LINENO: result: yes" >&5
+$as_echo "yes" >&6; }; cat >>confdefs.h <<\_ACEOF
+#define HAVE_GCRY_CIPHER_CAMELLIA 1
+_ACEOF
+
+else
+  $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	{ $as_echo "$as_me:$LINENO: result: no" >&5
+$as_echo "no" >&6; }
+
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+
 if test x$uci = xtrue; then
-	{ echo "$as_me:$LINENO: checking for main in -luci" >&5
-echo $ECHO_N "checking for main in -luci... $ECHO_C" >&6; }
+	{ $as_echo "$as_me:$LINENO: checking for main in -luci" >&5
+$as_echo_n "checking for main in -luci... " >&6; }
 if test "${ac_cv_lib_uci_main+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
 LIBS="-luci  $LIBS"
@@ -16038,53 +17129,57 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
+       } && test -s conftest$ac_exeext && {
+	 test "$cross_compiling" = yes ||
+	 $as_test_x conftest$ac_exeext
+       }; then
   ac_cv_lib_uci_main=yes
 else
-  echo "$as_me: failed program was:" >&5
+  $as_echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_cv_lib_uci_main=no
 fi
 
+rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ echo "$as_me:$LINENO: result: $ac_cv_lib_uci_main" >&5
-echo "${ECHO_T}$ac_cv_lib_uci_main" >&6; }
-if test $ac_cv_lib_uci_main = yes; then
+{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_uci_main" >&5
+$as_echo "$ac_cv_lib_uci_main" >&6; }
+if test "x$ac_cv_lib_uci_main" = x""yes; then
   LIBS="$LIBS"
 else
-  { { echo "$as_me:$LINENO: error: UCI library libuci not found" >&5
-echo "$as_me: error: UCI library libuci not found" >&2;}
+  { { $as_echo "$as_me:$LINENO: error: UCI library libuci not found" >&5
+$as_echo "$as_me: error: UCI library libuci not found" >&2;}
    { (exit 1); exit 1; }; }
 fi
 ac_cv_lib_uci=ac_cv_lib_uci_main
 
 	if test "${ac_cv_header_uci_h+set}" = set; then
-  { echo "$as_me:$LINENO: checking for uci.h" >&5
-echo $ECHO_N "checking for uci.h... $ECHO_C" >&6; }
+  { $as_echo "$as_me:$LINENO: checking for uci.h" >&5
+$as_echo_n "checking for uci.h... " >&6; }
 if test "${ac_cv_header_uci_h+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 fi
-{ echo "$as_me:$LINENO: result: $ac_cv_header_uci_h" >&5
-echo "${ECHO_T}$ac_cv_header_uci_h" >&6; }
+{ $as_echo "$as_me:$LINENO: result: $ac_cv_header_uci_h" >&5
+$as_echo "$ac_cv_header_uci_h" >&6; }
 else
   # Is the header compilable?
-{ echo "$as_me:$LINENO: checking uci.h usability" >&5
-echo $ECHO_N "checking uci.h usability... $ECHO_C" >&6; }
+{ $as_echo "$as_me:$LINENO: checking uci.h usability" >&5
+$as_echo_n "checking uci.h usability... " >&6; }
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -16100,32 +17195,33 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
   (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
        } && test -s conftest.$ac_objext; then
   ac_header_compiler=yes
 else
-  echo "$as_me: failed program was:" >&5
+  $as_echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_header_compiler=no
 fi
 
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
-echo "${ECHO_T}$ac_header_compiler" >&6; }
+{ $as_echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
+$as_echo "$ac_header_compiler" >&6; }
 
 # Is the header present?
-{ echo "$as_me:$LINENO: checking uci.h presence" >&5
-echo $ECHO_N "checking uci.h presence... $ECHO_C" >&6; }
+{ $as_echo "$as_me:$LINENO: checking uci.h presence" >&5
+$as_echo_n "checking uci.h presence... " >&6; }
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -16139,70 +17235,71 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
   (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } >/dev/null && {
 	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
 	 test ! -s conftest.err
        }; then
   ac_header_preproc=yes
 else
-  echo "$as_me: failed program was:" >&5
+  $as_echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
   ac_header_preproc=no
 fi
 
 rm -f conftest.err conftest.$ac_ext
-{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
-echo "${ECHO_T}$ac_header_preproc" >&6; }
+{ $as_echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
+$as_echo "$ac_header_preproc" >&6; }
 
 # So?  What about this header?
 case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
   yes:no: )
-    { echo "$as_me:$LINENO: WARNING: uci.h: accepted by the compiler, rejected by the preprocessor!" >&5
-echo "$as_me: WARNING: uci.h: accepted by the compiler, rejected by the preprocessor!" >&2;}
-    { echo "$as_me:$LINENO: WARNING: uci.h: proceeding with the compiler's result" >&5
-echo "$as_me: WARNING: uci.h: proceeding with the compiler's result" >&2;}
+    { $as_echo "$as_me:$LINENO: WARNING: uci.h: accepted by the compiler, rejected by the preprocessor!" >&5
+$as_echo "$as_me: WARNING: uci.h: accepted by the compiler, rejected by the preprocessor!" >&2;}
+    { $as_echo "$as_me:$LINENO: WARNING: uci.h: proceeding with the compiler's result" >&5
+$as_echo "$as_me: WARNING: uci.h: proceeding with the compiler's result" >&2;}
     ac_header_preproc=yes
     ;;
   no:yes:* )
-    { echo "$as_me:$LINENO: WARNING: uci.h: present but cannot be compiled" >&5
-echo "$as_me: WARNING: uci.h: present but cannot be compiled" >&2;}
-    { echo "$as_me:$LINENO: WARNING: uci.h:     check for missing prerequisite headers?" >&5
-echo "$as_me: WARNING: uci.h:     check for missing prerequisite headers?" >&2;}
-    { echo "$as_me:$LINENO: WARNING: uci.h: see the Autoconf documentation" >&5
-echo "$as_me: WARNING: uci.h: see the Autoconf documentation" >&2;}
-    { echo "$as_me:$LINENO: WARNING: uci.h:     section \"Present But Cannot Be Compiled\"" >&5
-echo "$as_me: WARNING: uci.h:     section \"Present But Cannot Be Compiled\"" >&2;}
-    { echo "$as_me:$LINENO: WARNING: uci.h: proceeding with the preprocessor's result" >&5
-echo "$as_me: WARNING: uci.h: proceeding with the preprocessor's result" >&2;}
-    { echo "$as_me:$LINENO: WARNING: uci.h: in the future, the compiler will take precedence" >&5
-echo "$as_me: WARNING: uci.h: in the future, the compiler will take precedence" >&2;}
+    { $as_echo "$as_me:$LINENO: WARNING: uci.h: present but cannot be compiled" >&5
+$as_echo "$as_me: WARNING: uci.h: present but cannot be compiled" >&2;}
+    { $as_echo "$as_me:$LINENO: WARNING: uci.h:     check for missing prerequisite headers?" >&5
+$as_echo "$as_me: WARNING: uci.h:     check for missing prerequisite headers?" >&2;}
+    { $as_echo "$as_me:$LINENO: WARNING: uci.h: see the Autoconf documentation" >&5
+$as_echo "$as_me: WARNING: uci.h: see the Autoconf documentation" >&2;}
+    { $as_echo "$as_me:$LINENO: WARNING: uci.h:     section \"Present But Cannot Be Compiled\"" >&5
+$as_echo "$as_me: WARNING: uci.h:     section \"Present But Cannot Be Compiled\"" >&2;}
+    { $as_echo "$as_me:$LINENO: WARNING: uci.h: proceeding with the preprocessor's result" >&5
+$as_echo "$as_me: WARNING: uci.h: proceeding with the preprocessor's result" >&2;}
+    { $as_echo "$as_me:$LINENO: WARNING: uci.h: in the future, the compiler will take precedence" >&5
+$as_echo "$as_me: WARNING: uci.h: in the future, the compiler will take precedence" >&2;}
 
     ;;
 esac
-{ echo "$as_me:$LINENO: checking for uci.h" >&5
-echo $ECHO_N "checking for uci.h... $ECHO_C" >&6; }
+{ $as_echo "$as_me:$LINENO: checking for uci.h" >&5
+$as_echo_n "checking for uci.h... " >&6; }
 if test "${ac_cv_header_uci_h+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 else
   ac_cv_header_uci_h=$ac_header_preproc
 fi
-{ echo "$as_me:$LINENO: result: $ac_cv_header_uci_h" >&5
-echo "${ECHO_T}$ac_cv_header_uci_h" >&6; }
+{ $as_echo "$as_me:$LINENO: result: $ac_cv_header_uci_h" >&5
+$as_echo "$ac_cv_header_uci_h" >&6; }
 
 fi
-if test $ac_cv_header_uci_h = yes; then
+if test "x$ac_cv_header_uci_h" = x""yes; then
   :
 else
-  { { echo "$as_me:$LINENO: error: UCI header uci.h not found!" >&5
-echo "$as_me: error: UCI header uci.h not found!" >&2;}
+  { { $as_echo "$as_me:$LINENO: error: UCI header uci.h not found!" >&5
+$as_echo "$as_me: error: UCI header uci.h not found!" >&2;}
    { (exit 1); exit 1; }; }
 fi
 
@@ -16212,18 +17309,18 @@ fi
 if test x$nm = xtrue; then
 
 pkg_failed=no
-{ echo "$as_me:$LINENO: checking for nm" >&5
-echo $ECHO_N "checking for nm... $ECHO_C" >&6; }
+{ $as_echo "$as_me:$LINENO: checking for nm" >&5
+$as_echo_n "checking for nm... " >&6; }
 
 if test -n "$PKG_CONFIG"; then
     if test -n "$nm_CFLAGS"; then
         pkg_cv_nm_CFLAGS="$nm_CFLAGS"
     else
         if test -n "$PKG_CONFIG" && \
-    { (echo "$as_me:$LINENO: \$PKG_CONFIG --exists --print-errors \"NetworkManager libnm_glib_vpn gthread-2.0\"") >&5
+    { ($as_echo "$as_me:$LINENO: \$PKG_CONFIG --exists --print-errors \"NetworkManager libnm_glib_vpn gthread-2.0\"") >&5
   ($PKG_CONFIG --exists --print-errors "NetworkManager libnm_glib_vpn gthread-2.0") 2>&5
   ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }; then
   pkg_cv_nm_CFLAGS=`$PKG_CONFIG --cflags "NetworkManager libnm_glib_vpn gthread-2.0" 2>/dev/null`
 else
@@ -16238,10 +17335,10 @@ if test -n "$PKG_CONFIG"; then
         pkg_cv_nm_LIBS="$nm_LIBS"
     else
         if test -n "$PKG_CONFIG" && \
-    { (echo "$as_me:$LINENO: \$PKG_CONFIG --exists --print-errors \"NetworkManager libnm_glib_vpn gthread-2.0\"") >&5
+    { ($as_echo "$as_me:$LINENO: \$PKG_CONFIG --exists --print-errors \"NetworkManager libnm_glib_vpn gthread-2.0\"") >&5
   ($PKG_CONFIG --exists --print-errors "NetworkManager libnm_glib_vpn gthread-2.0") 2>&5
   ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }; then
   pkg_cv_nm_LIBS=`$PKG_CONFIG --libs "NetworkManager libnm_glib_vpn gthread-2.0" 2>/dev/null`
 else
@@ -16269,7 +17366,7 @@ fi
 	# Put the nasty error message in config.log where it belongs
 	echo "$nm_PKG_ERRORS" >&5
 
-	{ { echo "$as_me:$LINENO: error: Package requirements (NetworkManager libnm_glib_vpn gthread-2.0) were not met:
+	{ { $as_echo "$as_me:$LINENO: error: Package requirements (NetworkManager libnm_glib_vpn gthread-2.0) were not met:
 
 $nm_PKG_ERRORS
 
@@ -16280,7 +17377,7 @@ Alternatively, you may set the environment variables nm_CFLAGS
 and nm_LIBS to avoid the need to call pkg-config.
 See the pkg-config man page for more details.
 " >&5
-echo "$as_me: error: Package requirements (NetworkManager libnm_glib_vpn gthread-2.0) were not met:
+$as_echo "$as_me: error: Package requirements (NetworkManager libnm_glib_vpn gthread-2.0) were not met:
 
 $nm_PKG_ERRORS
 
@@ -16293,7 +17390,9 @@ See the pkg-config man page for more details.
 " >&2;}
    { (exit 1); exit 1; }; }
 elif test $pkg_failed = untried; then
-	{ { echo "$as_me:$LINENO: error: The pkg-config script could not be found or is too old.  Make sure it
+	{ { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+{ { $as_echo "$as_me:$LINENO: error: The pkg-config script could not be found or is too old.  Make sure it
 is in your PATH or set the PKG_CONFIG environment variable to the full
 path to pkg-config.
 
@@ -16303,7 +17402,7 @@ See the pkg-config man page for more details.
 
 To get pkg-config, see <http://pkg-config.freedesktop.org/>.
 See \`config.log' for more details." >&5
-echo "$as_me: error: The pkg-config script could not be found or is too old.  Make sure it
+$as_echo "$as_me: error: The pkg-config script could not be found or is too old.  Make sure it
 is in your PATH or set the PKG_CONFIG environment variable to the full
 path to pkg-config.
 
@@ -16313,12 +17412,12 @@ See the pkg-config man page for more details.
 
 To get pkg-config, see <http://pkg-config.freedesktop.org/>.
 See \`config.log' for more details." >&2;}
-   { (exit 1); exit 1; }; }
+   { (exit 1); exit 1; }; }; }
 else
 	nm_CFLAGS=$pkg_cv_nm_CFLAGS
 	nm_LIBS=$pkg_cv_nm_LIBS
-        { echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6; }
+        { $as_echo "$as_me:$LINENO: result: yes" >&5
+$as_echo "yes" >&6; }
 	:
 fi
 
@@ -16326,10 +17425,10 @@ fi
 fi
 
 if test x$eap_gtc = xtrue; then
-	{ echo "$as_me:$LINENO: checking for main in -lpam" >&5
-echo $ECHO_N "checking for main in -lpam... $ECHO_C" >&6; }
+	{ $as_echo "$as_me:$LINENO: checking for main in -lpam" >&5
+$as_echo_n "checking for main in -lpam... " >&6; }
 if test "${ac_cv_lib_pam_main+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
 LIBS="-lpam  $LIBS"
@@ -16355,53 +17454,57 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
+       } && test -s conftest$ac_exeext && {
+	 test "$cross_compiling" = yes ||
+	 $as_test_x conftest$ac_exeext
+       }; then
   ac_cv_lib_pam_main=yes
 else
-  echo "$as_me: failed program was:" >&5
+  $as_echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_cv_lib_pam_main=no
 fi
 
+rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ echo "$as_me:$LINENO: result: $ac_cv_lib_pam_main" >&5
-echo "${ECHO_T}$ac_cv_lib_pam_main" >&6; }
-if test $ac_cv_lib_pam_main = yes; then
+{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_pam_main" >&5
+$as_echo "$ac_cv_lib_pam_main" >&6; }
+if test "x$ac_cv_lib_pam_main" = x""yes; then
   LIBS="$LIBS"
 else
-  { { echo "$as_me:$LINENO: error: PAM library not found" >&5
-echo "$as_me: error: PAM library not found" >&2;}
+  { { $as_echo "$as_me:$LINENO: error: PAM library not found" >&5
+$as_echo "$as_me: error: PAM library not found" >&2;}
    { (exit 1); exit 1; }; }
 fi
 ac_cv_lib_pam=ac_cv_lib_pam_main
 
 	if test "${ac_cv_header_security_pam_appl_h+set}" = set; then
-  { echo "$as_me:$LINENO: checking for security/pam_appl.h" >&5
-echo $ECHO_N "checking for security/pam_appl.h... $ECHO_C" >&6; }
+  { $as_echo "$as_me:$LINENO: checking for security/pam_appl.h" >&5
+$as_echo_n "checking for security/pam_appl.h... " >&6; }
 if test "${ac_cv_header_security_pam_appl_h+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 fi
-{ echo "$as_me:$LINENO: result: $ac_cv_header_security_pam_appl_h" >&5
-echo "${ECHO_T}$ac_cv_header_security_pam_appl_h" >&6; }
+{ $as_echo "$as_me:$LINENO: result: $ac_cv_header_security_pam_appl_h" >&5
+$as_echo "$ac_cv_header_security_pam_appl_h" >&6; }
 else
   # Is the header compilable?
-{ echo "$as_me:$LINENO: checking security/pam_appl.h usability" >&5
-echo $ECHO_N "checking security/pam_appl.h usability... $ECHO_C" >&6; }
+{ $as_echo "$as_me:$LINENO: checking security/pam_appl.h usability" >&5
+$as_echo_n "checking security/pam_appl.h usability... " >&6; }
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -16417,32 +17520,33 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
   (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
        } && test -s conftest.$ac_objext; then
   ac_header_compiler=yes
 else
-  echo "$as_me: failed program was:" >&5
+  $as_echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_header_compiler=no
 fi
 
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
-echo "${ECHO_T}$ac_header_compiler" >&6; }
+{ $as_echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
+$as_echo "$ac_header_compiler" >&6; }
 
 # Is the header present?
-{ echo "$as_me:$LINENO: checking security/pam_appl.h presence" >&5
-echo $ECHO_N "checking security/pam_appl.h presence... $ECHO_C" >&6; }
+{ $as_echo "$as_me:$LINENO: checking security/pam_appl.h presence" >&5
+$as_echo_n "checking security/pam_appl.h presence... " >&6; }
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -16456,70 +17560,71 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
   (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } >/dev/null && {
 	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
 	 test ! -s conftest.err
        }; then
   ac_header_preproc=yes
 else
-  echo "$as_me: failed program was:" >&5
+  $as_echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
   ac_header_preproc=no
 fi
 
 rm -f conftest.err conftest.$ac_ext
-{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
-echo "${ECHO_T}$ac_header_preproc" >&6; }
+{ $as_echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
+$as_echo "$ac_header_preproc" >&6; }
 
 # So?  What about this header?
 case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
   yes:no: )
-    { echo "$as_me:$LINENO: WARNING: security/pam_appl.h: accepted by the compiler, rejected by the preprocessor!" >&5
-echo "$as_me: WARNING: security/pam_appl.h: accepted by the compiler, rejected by the preprocessor!" >&2;}
-    { echo "$as_me:$LINENO: WARNING: security/pam_appl.h: proceeding with the compiler's result" >&5
-echo "$as_me: WARNING: security/pam_appl.h: proceeding with the compiler's result" >&2;}
+    { $as_echo "$as_me:$LINENO: WARNING: security/pam_appl.h: accepted by the compiler, rejected by the preprocessor!" >&5
+$as_echo "$as_me: WARNING: security/pam_appl.h: accepted by the compiler, rejected by the preprocessor!" >&2;}
+    { $as_echo "$as_me:$LINENO: WARNING: security/pam_appl.h: proceeding with the compiler's result" >&5
+$as_echo "$as_me: WARNING: security/pam_appl.h: proceeding with the compiler's result" >&2;}
     ac_header_preproc=yes
     ;;
   no:yes:* )
-    { echo "$as_me:$LINENO: WARNING: security/pam_appl.h: present but cannot be compiled" >&5
-echo "$as_me: WARNING: security/pam_appl.h: present but cannot be compiled" >&2;}
-    { echo "$as_me:$LINENO: WARNING: security/pam_appl.h:     check for missing prerequisite headers?" >&5
-echo "$as_me: WARNING: security/pam_appl.h:     check for missing prerequisite headers?" >&2;}
-    { echo "$as_me:$LINENO: WARNING: security/pam_appl.h: see the Autoconf documentation" >&5
-echo "$as_me: WARNING: security/pam_appl.h: see the Autoconf documentation" >&2;}
-    { echo "$as_me:$LINENO: WARNING: security/pam_appl.h:     section \"Present But Cannot Be Compiled\"" >&5
-echo "$as_me: WARNING: security/pam_appl.h:     section \"Present But Cannot Be Compiled\"" >&2;}
-    { echo "$as_me:$LINENO: WARNING: security/pam_appl.h: proceeding with the preprocessor's result" >&5
-echo "$as_me: WARNING: security/pam_appl.h: proceeding with the preprocessor's result" >&2;}
-    { echo "$as_me:$LINENO: WARNING: security/pam_appl.h: in the future, the compiler will take precedence" >&5
-echo "$as_me: WARNING: security/pam_appl.h: in the future, the compiler will take precedence" >&2;}
+    { $as_echo "$as_me:$LINENO: WARNING: security/pam_appl.h: present but cannot be compiled" >&5
+$as_echo "$as_me: WARNING: security/pam_appl.h: present but cannot be compiled" >&2;}
+    { $as_echo "$as_me:$LINENO: WARNING: security/pam_appl.h:     check for missing prerequisite headers?" >&5
+$as_echo "$as_me: WARNING: security/pam_appl.h:     check for missing prerequisite headers?" >&2;}
+    { $as_echo "$as_me:$LINENO: WARNING: security/pam_appl.h: see the Autoconf documentation" >&5
+$as_echo "$as_me: WARNING: security/pam_appl.h: see the Autoconf documentation" >&2;}
+    { $as_echo "$as_me:$LINENO: WARNING: security/pam_appl.h:     section \"Present But Cannot Be Compiled\"" >&5
+$as_echo "$as_me: WARNING: security/pam_appl.h:     section \"Present But Cannot Be Compiled\"" >&2;}
+    { $as_echo "$as_me:$LINENO: WARNING: security/pam_appl.h: proceeding with the preprocessor's result" >&5
+$as_echo "$as_me: WARNING: security/pam_appl.h: proceeding with the preprocessor's result" >&2;}
+    { $as_echo "$as_me:$LINENO: WARNING: security/pam_appl.h: in the future, the compiler will take precedence" >&5
+$as_echo "$as_me: WARNING: security/pam_appl.h: in the future, the compiler will take precedence" >&2;}
 
     ;;
 esac
-{ echo "$as_me:$LINENO: checking for security/pam_appl.h" >&5
-echo $ECHO_N "checking for security/pam_appl.h... $ECHO_C" >&6; }
+{ $as_echo "$as_me:$LINENO: checking for security/pam_appl.h" >&5
+$as_echo_n "checking for security/pam_appl.h... " >&6; }
 if test "${ac_cv_header_security_pam_appl_h+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 else
   ac_cv_header_security_pam_appl_h=$ac_header_preproc
 fi
-{ echo "$as_me:$LINENO: result: $ac_cv_header_security_pam_appl_h" >&5
-echo "${ECHO_T}$ac_cv_header_security_pam_appl_h" >&6; }
+{ $as_echo "$as_me:$LINENO: result: $ac_cv_header_security_pam_appl_h" >&5
+$as_echo "$ac_cv_header_security_pam_appl_h" >&6; }
 
 fi
-if test $ac_cv_header_security_pam_appl_h = yes; then
+if test "x$ac_cv_header_security_pam_appl_h" = x""yes; then
   :
 else
-  { { echo "$as_me:$LINENO: error: PAM header security/pam_appl.h not found!" >&5
-echo "$as_me: error: PAM header security/pam_appl.h not found!" >&2;}
+  { { $as_echo "$as_me:$LINENO: error: PAM header security/pam_appl.h not found!" >&5
+$as_echo "$as_me: error: PAM header security/pam_appl.h not found!" >&2;}
    { (exit 1); exit 1; }; }
 fi
 
@@ -16527,10 +17632,10 @@ fi
 fi
 
 if test x$capabilities = xlibcap; then
-	{ echo "$as_me:$LINENO: checking for main in -lcap" >&5
-echo $ECHO_N "checking for main in -lcap... $ECHO_C" >&6; }
+	{ $as_echo "$as_me:$LINENO: checking for main in -lcap" >&5
+$as_echo_n "checking for main in -lcap... " >&6; }
 if test "${ac_cv_lib_cap_main+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
 LIBS="-lcap  $LIBS"
@@ -16556,53 +17661,57 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
+       } && test -s conftest$ac_exeext && {
+	 test "$cross_compiling" = yes ||
+	 $as_test_x conftest$ac_exeext
+       }; then
   ac_cv_lib_cap_main=yes
 else
-  echo "$as_me: failed program was:" >&5
+  $as_echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_cv_lib_cap_main=no
 fi
 
+rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ echo "$as_me:$LINENO: result: $ac_cv_lib_cap_main" >&5
-echo "${ECHO_T}$ac_cv_lib_cap_main" >&6; }
-if test $ac_cv_lib_cap_main = yes; then
+{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_cap_main" >&5
+$as_echo "$ac_cv_lib_cap_main" >&6; }
+if test "x$ac_cv_lib_cap_main" = x""yes; then
   LIBS="$LIBS"
 else
-  { { echo "$as_me:$LINENO: error: libcap library not found" >&5
-echo "$as_me: error: libcap library not found" >&2;}
+  { { $as_echo "$as_me:$LINENO: error: libcap library not found" >&5
+$as_echo "$as_me: error: libcap library not found" >&2;}
    { (exit 1); exit 1; }; }
 fi
 ac_cv_lib_cap=ac_cv_lib_cap_main
 
 	if test "${ac_cv_header_sys_capability_h+set}" = set; then
-  { echo "$as_me:$LINENO: checking for sys/capability.h" >&5
-echo $ECHO_N "checking for sys/capability.h... $ECHO_C" >&6; }
+  { $as_echo "$as_me:$LINENO: checking for sys/capability.h" >&5
+$as_echo_n "checking for sys/capability.h... " >&6; }
 if test "${ac_cv_header_sys_capability_h+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 fi
-{ echo "$as_me:$LINENO: result: $ac_cv_header_sys_capability_h" >&5
-echo "${ECHO_T}$ac_cv_header_sys_capability_h" >&6; }
+{ $as_echo "$as_me:$LINENO: result: $ac_cv_header_sys_capability_h" >&5
+$as_echo "$ac_cv_header_sys_capability_h" >&6; }
 else
   # Is the header compilable?
-{ echo "$as_me:$LINENO: checking sys/capability.h usability" >&5
-echo $ECHO_N "checking sys/capability.h usability... $ECHO_C" >&6; }
+{ $as_echo "$as_me:$LINENO: checking sys/capability.h usability" >&5
+$as_echo_n "checking sys/capability.h usability... " >&6; }
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -16618,32 +17727,33 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
   (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
        } && test -s conftest.$ac_objext; then
   ac_header_compiler=yes
 else
-  echo "$as_me: failed program was:" >&5
+  $as_echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_header_compiler=no
 fi
 
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
-echo "${ECHO_T}$ac_header_compiler" >&6; }
+{ $as_echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
+$as_echo "$ac_header_compiler" >&6; }
 
 # Is the header present?
-{ echo "$as_me:$LINENO: checking sys/capability.h presence" >&5
-echo $ECHO_N "checking sys/capability.h presence... $ECHO_C" >&6; }
+{ $as_echo "$as_me:$LINENO: checking sys/capability.h presence" >&5
+$as_echo_n "checking sys/capability.h presence... " >&6; }
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -16657,70 +17767,71 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
   (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } >/dev/null && {
 	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
 	 test ! -s conftest.err
        }; then
   ac_header_preproc=yes
 else
-  echo "$as_me: failed program was:" >&5
+  $as_echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
   ac_header_preproc=no
 fi
 
 rm -f conftest.err conftest.$ac_ext
-{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
-echo "${ECHO_T}$ac_header_preproc" >&6; }
+{ $as_echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
+$as_echo "$ac_header_preproc" >&6; }
 
 # So?  What about this header?
 case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
   yes:no: )
-    { echo "$as_me:$LINENO: WARNING: sys/capability.h: accepted by the compiler, rejected by the preprocessor!" >&5
-echo "$as_me: WARNING: sys/capability.h: accepted by the compiler, rejected by the preprocessor!" >&2;}
-    { echo "$as_me:$LINENO: WARNING: sys/capability.h: proceeding with the compiler's result" >&5
-echo "$as_me: WARNING: sys/capability.h: proceeding with the compiler's result" >&2;}
+    { $as_echo "$as_me:$LINENO: WARNING: sys/capability.h: accepted by the compiler, rejected by the preprocessor!" >&5
+$as_echo "$as_me: WARNING: sys/capability.h: accepted by the compiler, rejected by the preprocessor!" >&2;}
+    { $as_echo "$as_me:$LINENO: WARNING: sys/capability.h: proceeding with the compiler's result" >&5
+$as_echo "$as_me: WARNING: sys/capability.h: proceeding with the compiler's result" >&2;}
     ac_header_preproc=yes
     ;;
   no:yes:* )
-    { echo "$as_me:$LINENO: WARNING: sys/capability.h: present but cannot be compiled" >&5
-echo "$as_me: WARNING: sys/capability.h: present but cannot be compiled" >&2;}
-    { echo "$as_me:$LINENO: WARNING: sys/capability.h:     check for missing prerequisite headers?" >&5
-echo "$as_me: WARNING: sys/capability.h:     check for missing prerequisite headers?" >&2;}
-    { echo "$as_me:$LINENO: WARNING: sys/capability.h: see the Autoconf documentation" >&5
-echo "$as_me: WARNING: sys/capability.h: see the Autoconf documentation" >&2;}
-    { echo "$as_me:$LINENO: WARNING: sys/capability.h:     section \"Present But Cannot Be Compiled\"" >&5
-echo "$as_me: WARNING: sys/capability.h:     section \"Present But Cannot Be Compiled\"" >&2;}
-    { echo "$as_me:$LINENO: WARNING: sys/capability.h: proceeding with the preprocessor's result" >&5
-echo "$as_me: WARNING: sys/capability.h: proceeding with the preprocessor's result" >&2;}
-    { echo "$as_me:$LINENO: WARNING: sys/capability.h: in the future, the compiler will take precedence" >&5
-echo "$as_me: WARNING: sys/capability.h: in the future, the compiler will take precedence" >&2;}
+    { $as_echo "$as_me:$LINENO: WARNING: sys/capability.h: present but cannot be compiled" >&5
+$as_echo "$as_me: WARNING: sys/capability.h: present but cannot be compiled" >&2;}
+    { $as_echo "$as_me:$LINENO: WARNING: sys/capability.h:     check for missing prerequisite headers?" >&5
+$as_echo "$as_me: WARNING: sys/capability.h:     check for missing prerequisite headers?" >&2;}
+    { $as_echo "$as_me:$LINENO: WARNING: sys/capability.h: see the Autoconf documentation" >&5
+$as_echo "$as_me: WARNING: sys/capability.h: see the Autoconf documentation" >&2;}
+    { $as_echo "$as_me:$LINENO: WARNING: sys/capability.h:     section \"Present But Cannot Be Compiled\"" >&5
+$as_echo "$as_me: WARNING: sys/capability.h:     section \"Present But Cannot Be Compiled\"" >&2;}
+    { $as_echo "$as_me:$LINENO: WARNING: sys/capability.h: proceeding with the preprocessor's result" >&5
+$as_echo "$as_me: WARNING: sys/capability.h: proceeding with the preprocessor's result" >&2;}
+    { $as_echo "$as_me:$LINENO: WARNING: sys/capability.h: in the future, the compiler will take precedence" >&5
+$as_echo "$as_me: WARNING: sys/capability.h: in the future, the compiler will take precedence" >&2;}
 
     ;;
 esac
-{ echo "$as_me:$LINENO: checking for sys/capability.h" >&5
-echo $ECHO_N "checking for sys/capability.h... $ECHO_C" >&6; }
+{ $as_echo "$as_me:$LINENO: checking for sys/capability.h" >&5
+$as_echo_n "checking for sys/capability.h... " >&6; }
 if test "${ac_cv_header_sys_capability_h+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+  $as_echo_n "(cached) " >&6
 else
   ac_cv_header_sys_capability_h=$ac_header_preproc
 fi
-{ echo "$as_me:$LINENO: result: $ac_cv_header_sys_capability_h" >&5
-echo "${ECHO_T}$ac_cv_header_sys_capability_h" >&6; }
+{ $as_echo "$as_me:$LINENO: result: $ac_cv_header_sys_capability_h" >&5
+$as_echo "$ac_cv_header_sys_capability_h" >&6; }
 
 fi
-if test $ac_cv_header_sys_capability_h = yes; then
+if test "x$ac_cv_header_sys_capability_h" = x""yes; then
   :
 else
-  { { echo "$as_me:$LINENO: error: libcap header sys/capability.h not found!" >&5
-echo "$as_me: error: libcap header sys/capability.h not found!" >&2;}
+  { { $as_echo "$as_me:$LINENO: error: libcap header sys/capability.h not found!" >&5
+$as_echo "$as_me: error: libcap header sys/capability.h not found!" >&2;}
    { (exit 1); exit 1; }; }
 fi
 
@@ -16729,48 +17840,60 @@ fi
 
 
 libstrongswan_plugins=
+pluto_plugins=
 
+if test x$test_vectors = xtrue; then
+	libstrongswan_plugins=${libstrongswan_plugins}" test-vectors"
+	pluto_plugins=${pluto_plugins}" test-vectors"
+fi
 if test x$curl = xtrue; then
 	libstrongswan_plugins=${libstrongswan_plugins}" curl"
+	pluto_plugins=${pluto_plugins}" curl"
 fi
 if test x$ldap = xtrue; then
 	libstrongswan_plugins=${libstrongswan_plugins}" ldap"
+	pluto_plugins=${pluto_plugins}" ldap"
 fi
 if test x$aes = xtrue; then
 	libstrongswan_plugins=${libstrongswan_plugins}" aes"
+	pluto_plugins=${pluto_plugins}" aes"
 fi
 if test x$des = xtrue; then
 	libstrongswan_plugins=${libstrongswan_plugins}" des"
+	pluto_plugins=${pluto_plugins}" des"
+fi
+if test x$blowfish = xtrue; then
+	libstrongswan_plugins=${libstrongswan_plugins}" blowfish"
+	pluto_plugins=${pluto_plugins}" blowfish"
 fi
 if test x$sha1 = xtrue; then
 	libstrongswan_plugins=${libstrongswan_plugins}" sha1"
+	pluto_plugins=${pluto_plugins}" sha1"
 fi
 if test x$sha2 = xtrue; then
 	libstrongswan_plugins=${libstrongswan_plugins}" sha2"
+	pluto_plugins=${pluto_plugins}" sha2"
 fi
 if test x$md4 = xtrue; then
 	libstrongswan_plugins=${libstrongswan_plugins}" md4"
 fi
 if test x$md5 = xtrue; then
 	libstrongswan_plugins=${libstrongswan_plugins}" md5"
+	pluto_plugins=${pluto_plugins}" md5"
 fi
 if test x$fips_prf = xtrue; then
 	libstrongswan_plugins=${libstrongswan_plugins}" fips-prf"
 fi
 if test x$random = xtrue; then
 	libstrongswan_plugins=${libstrongswan_plugins}" random"
+	pluto_plugins=${pluto_plugins}" random"
 fi
 if test x$x509 = xtrue; then
 	libstrongswan_plugins=${libstrongswan_plugins}" x509"
 fi
 if test x$pubkey = xtrue; then
 	libstrongswan_plugins=${libstrongswan_plugins}" pubkey"
-fi
-if test x$xcbc = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" xcbc"
-fi
-if test x$hmac = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" hmac"
+	pluto_plugins=${pluto_plugins}" pubkey"
 fi
 if test x$mysql = xtrue; then
 	libstrongswan_plugins=${libstrongswan_plugins}" mysql"
@@ -16783,17 +17906,39 @@ if test x$padlock = xtrue; then
 fi
 if test x$openssl = xtrue; then
 	libstrongswan_plugins=${libstrongswan_plugins}" openssl"
+	pluto_plugins=${pluto_plugins}" openssl"
+fi
+if test x$gcrypt = xtrue; then
+	libstrongswan_plugins=${libstrongswan_plugins}" gcrypt"
+	pluto_plugins=${pluto_plugins}" gcrypt"
+fi
+if test x$xcbc = xtrue; then
+	libstrongswan_plugins=${libstrongswan_plugins}" xcbc"
+fi
+if test x$hmac = xtrue; then
+	libstrongswan_plugins=${libstrongswan_plugins}" hmac"
+	pluto_plugins=${pluto_plugins}" hmac"
 fi
 if test x$agent = xtrue; then
 	libstrongswan_plugins=${libstrongswan_plugins}" agent"
 fi
 if test x$gmp = xtrue; then
 	libstrongswan_plugins=${libstrongswan_plugins}" gmp"
+	pluto_plugins=${pluto_plugins}" gmp"
 fi
 
 
 
 
+
+ if test x$test_vectors = xtrue; then
+  USE_TEST_VECTORS_TRUE=
+  USE_TEST_VECTORS_FALSE='#'
+else
+  USE_TEST_VECTORS_TRUE='#'
+  USE_TEST_VECTORS_FALSE=
+fi
+
  if test x$curl = xtrue; then
   USE_CURL_TRUE=
   USE_CURL_FALSE='#'
@@ -16826,6 +17971,14 @@ else
   USE_DES_FALSE=
 fi
 
+ if test x$blowfish = xtrue; then
+  USE_BLOWFISH_TRUE=
+  USE_BLOWFISH_FALSE='#'
+else
+  USE_BLOWFISH_TRUE='#'
+  USE_BLOWFISH_FALSE=
+fi
+
  if test x$md4 = xtrue; then
   USE_MD4_TRUE=
   USE_MD4_FALSE='#'
@@ -16946,6 +18099,14 @@ else
   USE_OPENSSL_FALSE=
 fi
 
+ if test x$gcrypt = xtrue; then
+  USE_GCRYPT_TRUE=
+  USE_GCRYPT_FALSE='#'
+else
+  USE_GCRYPT_TRUE='#'
+  USE_GCRYPT_FALSE=
+fi
+
  if test x$agent = xtrue; then
   USE_AGENT_TRUE=
   USE_AGENT_FALSE='#'
@@ -17019,6 +18180,22 @@ else
   USE_UPDOWN_FALSE=
 fi
 
+ if test x$attr = xtrue; then
+  USE_ATTR_TRUE=
+  USE_ATTR_FALSE='#'
+else
+  USE_ATTR_TRUE='#'
+  USE_ATTR_FALSE=
+fi
+
+ if test x$resolvconf = xtrue; then
+  USE_RESOLV_CONF_TRUE=
+  USE_RESOLV_CONF_FALSE='#'
+else
+  USE_RESOLV_CONF_TRUE='#'
+  USE_RESOLV_CONF_FALSE=
+fi
+
  if test x$unittest = xtrue; then
   USE_UNIT_TESTS_TRUE=
   USE_UNIT_TESTS_FALSE='#'
@@ -17115,6 +18292,14 @@ else
   USE_KERNEL_PFKEY_FALSE=
 fi
 
+ if test x$kernel_pfroute = xtrue; then
+  USE_KERNEL_PFROUTE_TRUE=
+  USE_KERNEL_PFROUTE_FALSE='#'
+else
+  USE_KERNEL_PFROUTE_TRUE='#'
+  USE_KERNEL_PFROUTE_FALSE=
+fi
+
  if test x$kernel_klips = xtrue; then
   USE_KERNEL_KLIPS_TRUE=
   USE_KERNEL_KLIPS_FALSE='#'
@@ -17220,14 +18405,6 @@ else
   USE_INTEGRITY_TEST_FALSE=
 fi
 
- if test x$self_test = xtrue; then
-  USE_SELF_TEST_TRUE=
-  USE_SELF_TEST_FALSE='#'
-else
-  USE_SELF_TEST_TRUE='#'
-  USE_SELF_TEST_FALSE=
-fi
-
  if test x$capabilities = xlibcap; then
   USE_CAPABILITIES_TRUE=
   USE_CAPABILITIES_FALSE='#'
@@ -17268,7 +18445,7 @@ else
   USE_TOOLS_FALSE=
 fi
 
- if test x$charon = xtrue -o x$tools = xtrue; then
+ if test x$charon = xtrue -o x$pluto = xtrue -o x$tools = xtrue; then
   USE_LIBSTRONGSWAN_TRUE=
   USE_LIBSTRONGSWAN_FALSE='#'
 else
@@ -17308,7 +18485,7 @@ _ACEOF
 fi
 
 
-ac_config_files="$ac_config_files Makefile src/Makefile src/include/Makefile src/libstrongswan/Makefile src/libstrongswan/plugins/aes/Makefile src/libstrongswan/plugins/des/Makefile src/libstrongswan/plugins/md4/Makefile src/libstrongswan/plugins/md5/Makefile src/libstrongswan/plugins/sha1/Makefile src/libstrongswan/plugins/sha2/Makefile src/libstrongswan/plugins/fips_prf/Makefile src/libstrongswan/plugins/gmp/Makefile src/libstrongswan/plugins/random/Makefile src/libstrongswan/plugins/hmac/Makefile src/libstrongswan/plugins/xcbc/Makefile src/libstrongswan/plugins/x509/Makefile src/libstrongswan/plugins/pubkey/Makefile src/libstrongswan/plugins/curl/Makefile src/libstrongswan/plugins/ldap/Makefile src/libstrongswan/plugins/mysql/Makefile src/libstrongswan/plugins/sqlite/Makefile src/libstrongswan/plugins/padlock/Makefile src/libstrongswan/plugins/openssl/Makefile src/libstrongswan/plugins/agent/Makefile src/libstrongswan/fips/Makefile src/libcrypto/Makefile src/libfreeswan/Makefile src/pluto/Makefile src/whack/Makefile src/charon/Makefile src/charon/plugins/eap_aka/Makefile src/charon/plugins/eap_identity/Makefile src/charon/plugins/eap_md5/Makefile src/charon/plugins/eap_gtc/Makefile src/charon/plugins/eap_sim/Makefile src/charon/plugins/eap_sim_file/Makefile src/charon/plugins/eap_mschapv2/Makefile src/charon/plugins/eap_radius/Makefile src/charon/plugins/kernel_netlink/Makefile src/charon/plugins/kernel_pfkey/Makefile src/charon/plugins/kernel_klips/Makefile src/charon/plugins/smp/Makefile src/charon/plugins/sql/Makefile src/charon/plugins/medsrv/Makefile src/charon/plugins/medcli/Makefile src/charon/plugins/nm/Makefile src/charon/plugins/uci/Makefile src/charon/plugins/stroke/Makefile src/charon/plugins/updown/Makefile src/charon/plugins/unit_tester/Makefile src/charon/plugins/load_tester/Makefile src/stroke/Makefile src/ipsec/Makefile src/starter/Makefile src/_updown/Makefile src/_updown_espmark/Makefile src/_copyright/Makefile src/openac/Makefile src/scepclient/Makefile src/dumm/Makefile src/libfast/Makefile src/manager/Makefile src/medsrv/Makefile scripts/Makefile testing/Makefile"
+ac_config_files="$ac_config_files Makefile src/Makefile src/include/Makefile src/libstrongswan/Makefile src/libstrongswan/plugins/aes/Makefile src/libstrongswan/plugins/des/Makefile src/libstrongswan/plugins/blowfish/Makefile src/libstrongswan/plugins/md4/Makefile src/libstrongswan/plugins/md5/Makefile src/libstrongswan/plugins/sha1/Makefile src/libstrongswan/plugins/sha2/Makefile src/libstrongswan/plugins/fips_prf/Makefile src/libstrongswan/plugins/gmp/Makefile src/libstrongswan/plugins/random/Makefile src/libstrongswan/plugins/hmac/Makefile src/libstrongswan/plugins/xcbc/Makefile src/libstrongswan/plugins/x509/Makefile src/libstrongswan/plugins/pubkey/Makefile src/libstrongswan/plugins/curl/Makefile src/libstrongswan/plugins/ldap/Makefile src/libstrongswan/plugins/mysql/Makefile src/libstrongswan/plugins/sqlite/Makefile src/libstrongswan/plugins/padlock/Makefile src/libstrongswan/plugins/openssl/Makefile src/libstrongswan/plugins/gcrypt/Makefile src/libstrongswan/plugins/agent/Makefile src/libstrongswan/plugins/test_vectors/Makefile src/libstrongswan/fips/Makefile src/libfreeswan/Makefile src/pluto/Makefile src/whack/Makefile src/charon/Makefile src/charon/plugins/eap_aka/Makefile src/charon/plugins/eap_identity/Makefile src/charon/plugins/eap_md5/Makefile src/charon/plugins/eap_gtc/Makefile src/charon/plugins/eap_sim/Makefile src/charon/plugins/eap_sim_file/Makefile src/charon/plugins/eap_mschapv2/Makefile src/charon/plugins/eap_radius/Makefile src/charon/plugins/kernel_netlink/Makefile src/charon/plugins/kernel_pfkey/Makefile src/charon/plugins/kernel_pfroute/Makefile src/charon/plugins/kernel_klips/Makefile src/charon/plugins/smp/Makefile src/charon/plugins/sql/Makefile src/charon/plugins/medsrv/Makefile src/charon/plugins/medcli/Makefile src/charon/plugins/nm/Makefile src/charon/plugins/uci/Makefile src/charon/plugins/stroke/Makefile src/charon/plugins/updown/Makefile src/charon/plugins/attr/Makefile src/charon/plugins/resolv_conf/Makefile src/charon/plugins/unit_tester/Makefile src/charon/plugins/load_tester/Makefile src/stroke/Makefile src/ipsec/Makefile src/starter/Makefile src/_updown/Makefile src/_updown_espmark/Makefile src/_copyright/Makefile src/openac/Makefile src/scepclient/Makefile src/dumm/Makefile src/dumm/ext/extconf.rb src/libfast/Makefile src/manager/Makefile src/medsrv/Makefile scripts/Makefile testing/Makefile"
 
 cat >confcache <<\_ACEOF
 # This file is a shell script that caches the results of configure
@@ -17337,11 +18514,12 @@ _ACEOF
     case $ac_val in #(
     *${as_nl}*)
       case $ac_var in #(
-      *_cv_*) { echo "$as_me:$LINENO: WARNING: Cache variable $ac_var contains a newline." >&5
-echo "$as_me: WARNING: Cache variable $ac_var contains a newline." >&2;} ;;
+      *_cv_*) { $as_echo "$as_me:$LINENO: WARNING: cache variable $ac_var contains a newline" >&5
+$as_echo "$as_me: WARNING: cache variable $ac_var contains a newline" >&2;} ;;
       esac
       case $ac_var in #(
       _ | IFS | as_nl) ;; #(
+      BASH_ARGV | BASH_SOURCE) eval $ac_var= ;; #(
       *) $as_unset $ac_var ;;
       esac ;;
     esac
@@ -17374,12 +18552,12 @@ echo "$as_me: WARNING: Cache variable $ac_var contains a newline." >&2;} ;;
 if diff "$cache_file" confcache >/dev/null 2>&1; then :; else
   if test -w "$cache_file"; then
     test "x$cache_file" != "x/dev/null" &&
-      { echo "$as_me:$LINENO: updating cache $cache_file" >&5
-echo "$as_me: updating cache $cache_file" >&6;}
+      { $as_echo "$as_me:$LINENO: updating cache $cache_file" >&5
+$as_echo "$as_me: updating cache $cache_file" >&6;}
     cat confcache >$cache_file
   else
-    { echo "$as_me:$LINENO: not updating unwritable cache $cache_file" >&5
-echo "$as_me: not updating unwritable cache $cache_file" >&6;}
+    { $as_echo "$as_me:$LINENO: not updating unwritable cache $cache_file" >&5
+$as_echo "$as_me: not updating unwritable cache $cache_file" >&6;}
   fi
 fi
 rm -f confcache
@@ -17396,6 +18574,12 @@ test "x$exec_prefix" = xNONE && exec_prefix='${prefix}'
 # take arguments), then branch to the quote section.  Otherwise,
 # look for a macro that doesn't take arguments.
 ac_script='
+:mline
+/\\$/{
+ N
+ s,\\\n,,
+ b mline
+}
 t clear
 :clear
 s/^[	 ]*#[	 ]*define[	 ][	 ]*\([^	 (][^	 (]*([^)]*)\)[	 ]*\(.*\)/-D\1=\2/g
@@ -17425,7 +18609,7 @@ ac_ltlibobjs=
 for ac_i in : $LIBOBJS; do test "x$ac_i" = x: && continue
   # 1. Remove the extension, and $U if already installed.
   ac_script='s/\$U\././;s/\.o$//;s/\.obj$//'
-  ac_i=`echo "$ac_i" | sed "$ac_script"`
+  ac_i=`$as_echo "$ac_i" | sed "$ac_script"`
   # 2. Prepend LIBOBJDIR.  When used with automake>=1.10 LIBOBJDIR
   #    will be set to the directory where LIBOBJS objects are built.
   ac_libobjs="$ac_libobjs \${LIBOBJDIR}$ac_i\$U.$ac_objext"
@@ -17437,467 +18621,497 @@ LTLIBOBJS=$ac_ltlibobjs
 
 
 if test -z "${AMDEP_TRUE}" && test -z "${AMDEP_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"AMDEP\" was never defined.
+  { { $as_echo "$as_me:$LINENO: error: conditional \"AMDEP\" was never defined.
 Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"AMDEP\" was never defined.
+$as_echo "$as_me: error: conditional \"AMDEP\" was never defined.
 Usually this means the macro was only invoked conditionally." >&2;}
    { (exit 1); exit 1; }; }
 fi
 if test -z "${am__fastdepCC_TRUE}" && test -z "${am__fastdepCC_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"am__fastdepCC\" was never defined.
+  { { $as_echo "$as_me:$LINENO: error: conditional \"am__fastdepCC\" was never defined.
 Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"am__fastdepCC\" was never defined.
+$as_echo "$as_me: error: conditional \"am__fastdepCC\" was never defined.
 Usually this means the macro was only invoked conditionally." >&2;}
    { (exit 1); exit 1; }; }
 fi
-if test -z "${am__fastdepCC_TRUE}" && test -z "${am__fastdepCC_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"am__fastdepCC\" was never defined.
+
+if test -z "${USE_TEST_VECTORS_TRUE}" && test -z "${USE_TEST_VECTORS_FALSE}"; then
+  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_TEST_VECTORS\" was never defined.
 Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"am__fastdepCC\" was never defined.
+$as_echo "$as_me: error: conditional \"USE_TEST_VECTORS\" was never defined.
 Usually this means the macro was only invoked conditionally." >&2;}
    { (exit 1); exit 1; }; }
 fi
 if test -z "${USE_CURL_TRUE}" && test -z "${USE_CURL_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_CURL\" was never defined.
+  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_CURL\" was never defined.
 Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_CURL\" was never defined.
+$as_echo "$as_me: error: conditional \"USE_CURL\" was never defined.
 Usually this means the macro was only invoked conditionally." >&2;}
    { (exit 1); exit 1; }; }
 fi
 if test -z "${USE_LDAP_TRUE}" && test -z "${USE_LDAP_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_LDAP\" was never defined.
+  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_LDAP\" was never defined.
 Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_LDAP\" was never defined.
+$as_echo "$as_me: error: conditional \"USE_LDAP\" was never defined.
 Usually this means the macro was only invoked conditionally." >&2;}
    { (exit 1); exit 1; }; }
 fi
 if test -z "${USE_AES_TRUE}" && test -z "${USE_AES_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_AES\" was never defined.
+  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_AES\" was never defined.
 Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_AES\" was never defined.
+$as_echo "$as_me: error: conditional \"USE_AES\" was never defined.
 Usually this means the macro was only invoked conditionally." >&2;}
    { (exit 1); exit 1; }; }
 fi
 if test -z "${USE_DES_TRUE}" && test -z "${USE_DES_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_DES\" was never defined.
+  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_DES\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+$as_echo "$as_me: error: conditional \"USE_DES\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
+fi
+if test -z "${USE_BLOWFISH_TRUE}" && test -z "${USE_BLOWFISH_FALSE}"; then
+  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_BLOWFISH\" was never defined.
 Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_DES\" was never defined.
+$as_echo "$as_me: error: conditional \"USE_BLOWFISH\" was never defined.
 Usually this means the macro was only invoked conditionally." >&2;}
    { (exit 1); exit 1; }; }
 fi
 if test -z "${USE_MD4_TRUE}" && test -z "${USE_MD4_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_MD4\" was never defined.
+  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_MD4\" was never defined.
 Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_MD4\" was never defined.
+$as_echo "$as_me: error: conditional \"USE_MD4\" was never defined.
 Usually this means the macro was only invoked conditionally." >&2;}
    { (exit 1); exit 1; }; }
 fi
 if test -z "${USE_MD5_TRUE}" && test -z "${USE_MD5_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_MD5\" was never defined.
+  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_MD5\" was never defined.
 Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_MD5\" was never defined.
+$as_echo "$as_me: error: conditional \"USE_MD5\" was never defined.
 Usually this means the macro was only invoked conditionally." >&2;}
    { (exit 1); exit 1; }; }
 fi
 if test -z "${USE_SHA1_TRUE}" && test -z "${USE_SHA1_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_SHA1\" was never defined.
+  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_SHA1\" was never defined.
 Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_SHA1\" was never defined.
+$as_echo "$as_me: error: conditional \"USE_SHA1\" was never defined.
 Usually this means the macro was only invoked conditionally." >&2;}
    { (exit 1); exit 1; }; }
 fi
 if test -z "${USE_SHA2_TRUE}" && test -z "${USE_SHA2_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_SHA2\" was never defined.
+  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_SHA2\" was never defined.
 Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_SHA2\" was never defined.
+$as_echo "$as_me: error: conditional \"USE_SHA2\" was never defined.
 Usually this means the macro was only invoked conditionally." >&2;}
    { (exit 1); exit 1; }; }
 fi
 if test -z "${USE_FIPS_PRF_TRUE}" && test -z "${USE_FIPS_PRF_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_FIPS_PRF\" was never defined.
+  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_FIPS_PRF\" was never defined.
 Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_FIPS_PRF\" was never defined.
+$as_echo "$as_me: error: conditional \"USE_FIPS_PRF\" was never defined.
 Usually this means the macro was only invoked conditionally." >&2;}
    { (exit 1); exit 1; }; }
 fi
 if test -z "${USE_GMP_TRUE}" && test -z "${USE_GMP_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_GMP\" was never defined.
+  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_GMP\" was never defined.
 Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_GMP\" was never defined.
+$as_echo "$as_me: error: conditional \"USE_GMP\" was never defined.
 Usually this means the macro was only invoked conditionally." >&2;}
    { (exit 1); exit 1; }; }
 fi
 if test -z "${USE_RANDOM_TRUE}" && test -z "${USE_RANDOM_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_RANDOM\" was never defined.
+  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_RANDOM\" was never defined.
 Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_RANDOM\" was never defined.
+$as_echo "$as_me: error: conditional \"USE_RANDOM\" was never defined.
 Usually this means the macro was only invoked conditionally." >&2;}
    { (exit 1); exit 1; }; }
 fi
 if test -z "${USE_X509_TRUE}" && test -z "${USE_X509_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_X509\" was never defined.
+  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_X509\" was never defined.
 Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_X509\" was never defined.
+$as_echo "$as_me: error: conditional \"USE_X509\" was never defined.
 Usually this means the macro was only invoked conditionally." >&2;}
    { (exit 1); exit 1; }; }
 fi
 if test -z "${USE_PUBKEY_TRUE}" && test -z "${USE_PUBKEY_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_PUBKEY\" was never defined.
+  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_PUBKEY\" was never defined.
 Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_PUBKEY\" was never defined.
+$as_echo "$as_me: error: conditional \"USE_PUBKEY\" was never defined.
 Usually this means the macro was only invoked conditionally." >&2;}
    { (exit 1); exit 1; }; }
 fi
 if test -z "${USE_HMAC_TRUE}" && test -z "${USE_HMAC_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_HMAC\" was never defined.
+  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_HMAC\" was never defined.
 Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_HMAC\" was never defined.
+$as_echo "$as_me: error: conditional \"USE_HMAC\" was never defined.
 Usually this means the macro was only invoked conditionally." >&2;}
    { (exit 1); exit 1; }; }
 fi
 if test -z "${USE_XCBC_TRUE}" && test -z "${USE_XCBC_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_XCBC\" was never defined.
+  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_XCBC\" was never defined.
 Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_XCBC\" was never defined.
+$as_echo "$as_me: error: conditional \"USE_XCBC\" was never defined.
 Usually this means the macro was only invoked conditionally." >&2;}
    { (exit 1); exit 1; }; }
 fi
 if test -z "${USE_MYSQL_TRUE}" && test -z "${USE_MYSQL_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_MYSQL\" was never defined.
+  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_MYSQL\" was never defined.
 Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_MYSQL\" was never defined.
+$as_echo "$as_me: error: conditional \"USE_MYSQL\" was never defined.
 Usually this means the macro was only invoked conditionally." >&2;}
    { (exit 1); exit 1; }; }
 fi
 if test -z "${USE_SQLITE_TRUE}" && test -z "${USE_SQLITE_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_SQLITE\" was never defined.
+  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_SQLITE\" was never defined.
 Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_SQLITE\" was never defined.
+$as_echo "$as_me: error: conditional \"USE_SQLITE\" was never defined.
 Usually this means the macro was only invoked conditionally." >&2;}
    { (exit 1); exit 1; }; }
 fi
 if test -z "${USE_PADLOCK_TRUE}" && test -z "${USE_PADLOCK_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_PADLOCK\" was never defined.
+  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_PADLOCK\" was never defined.
 Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_PADLOCK\" was never defined.
+$as_echo "$as_me: error: conditional \"USE_PADLOCK\" was never defined.
 Usually this means the macro was only invoked conditionally." >&2;}
    { (exit 1); exit 1; }; }
 fi
 if test -z "${USE_OPENSSL_TRUE}" && test -z "${USE_OPENSSL_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_OPENSSL\" was never defined.
+  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_OPENSSL\" was never defined.
 Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_OPENSSL\" was never defined.
+$as_echo "$as_me: error: conditional \"USE_OPENSSL\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
+fi
+if test -z "${USE_GCRYPT_TRUE}" && test -z "${USE_GCRYPT_FALSE}"; then
+  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_GCRYPT\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+$as_echo "$as_me: error: conditional \"USE_GCRYPT\" was never defined.
 Usually this means the macro was only invoked conditionally." >&2;}
    { (exit 1); exit 1; }; }
 fi
 if test -z "${USE_AGENT_TRUE}" && test -z "${USE_AGENT_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_AGENT\" was never defined.
+  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_AGENT\" was never defined.
 Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_AGENT\" was never defined.
+$as_echo "$as_me: error: conditional \"USE_AGENT\" was never defined.
 Usually this means the macro was only invoked conditionally." >&2;}
    { (exit 1); exit 1; }; }
 fi
 if test -z "${USE_STROKE_TRUE}" && test -z "${USE_STROKE_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_STROKE\" was never defined.
+  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_STROKE\" was never defined.
 Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_STROKE\" was never defined.
+$as_echo "$as_me: error: conditional \"USE_STROKE\" was never defined.
 Usually this means the macro was only invoked conditionally." >&2;}
    { (exit 1); exit 1; }; }
 fi
 if test -z "${USE_MEDSRV_TRUE}" && test -z "${USE_MEDSRV_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_MEDSRV\" was never defined.
+  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_MEDSRV\" was never defined.
 Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_MEDSRV\" was never defined.
+$as_echo "$as_me: error: conditional \"USE_MEDSRV\" was never defined.
 Usually this means the macro was only invoked conditionally." >&2;}
    { (exit 1); exit 1; }; }
 fi
 if test -z "${USE_MEDCLI_TRUE}" && test -z "${USE_MEDCLI_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_MEDCLI\" was never defined.
+  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_MEDCLI\" was never defined.
 Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_MEDCLI\" was never defined.
+$as_echo "$as_me: error: conditional \"USE_MEDCLI\" was never defined.
 Usually this means the macro was only invoked conditionally." >&2;}
    { (exit 1); exit 1; }; }
 fi
 if test -z "${USE_NM_TRUE}" && test -z "${USE_NM_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_NM\" was never defined.
+  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_NM\" was never defined.
 Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_NM\" was never defined.
+$as_echo "$as_me: error: conditional \"USE_NM\" was never defined.
 Usually this means the macro was only invoked conditionally." >&2;}
    { (exit 1); exit 1; }; }
 fi
 if test -z "${USE_UCI_TRUE}" && test -z "${USE_UCI_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_UCI\" was never defined.
+  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_UCI\" was never defined.
 Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_UCI\" was never defined.
+$as_echo "$as_me: error: conditional \"USE_UCI\" was never defined.
 Usually this means the macro was only invoked conditionally." >&2;}
    { (exit 1); exit 1; }; }
 fi
 if test -z "${USE_SMP_TRUE}" && test -z "${USE_SMP_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_SMP\" was never defined.
+  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_SMP\" was never defined.
 Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_SMP\" was never defined.
+$as_echo "$as_me: error: conditional \"USE_SMP\" was never defined.
 Usually this means the macro was only invoked conditionally." >&2;}
    { (exit 1); exit 1; }; }
 fi
 if test -z "${USE_SQL_TRUE}" && test -z "${USE_SQL_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_SQL\" was never defined.
+  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_SQL\" was never defined.
 Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_SQL\" was never defined.
+$as_echo "$as_me: error: conditional \"USE_SQL\" was never defined.
 Usually this means the macro was only invoked conditionally." >&2;}
    { (exit 1); exit 1; }; }
 fi
 if test -z "${USE_UPDOWN_TRUE}" && test -z "${USE_UPDOWN_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_UPDOWN\" was never defined.
+  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_UPDOWN\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+$as_echo "$as_me: error: conditional \"USE_UPDOWN\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
+fi
+if test -z "${USE_ATTR_TRUE}" && test -z "${USE_ATTR_FALSE}"; then
+  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_ATTR\" was never defined.
 Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_UPDOWN\" was never defined.
+$as_echo "$as_me: error: conditional \"USE_ATTR\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
+fi
+if test -z "${USE_RESOLV_CONF_TRUE}" && test -z "${USE_RESOLV_CONF_FALSE}"; then
+  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_RESOLV_CONF\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+$as_echo "$as_me: error: conditional \"USE_RESOLV_CONF\" was never defined.
 Usually this means the macro was only invoked conditionally." >&2;}
    { (exit 1); exit 1; }; }
 fi
 if test -z "${USE_UNIT_TESTS_TRUE}" && test -z "${USE_UNIT_TESTS_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_UNIT_TESTS\" was never defined.
+  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_UNIT_TESTS\" was never defined.
 Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_UNIT_TESTS\" was never defined.
+$as_echo "$as_me: error: conditional \"USE_UNIT_TESTS\" was never defined.
 Usually this means the macro was only invoked conditionally." >&2;}
    { (exit 1); exit 1; }; }
 fi
 if test -z "${USE_LOAD_TESTS_TRUE}" && test -z "${USE_LOAD_TESTS_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_LOAD_TESTS\" was never defined.
+  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_LOAD_TESTS\" was never defined.
 Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_LOAD_TESTS\" was never defined.
+$as_echo "$as_me: error: conditional \"USE_LOAD_TESTS\" was never defined.
 Usually this means the macro was only invoked conditionally." >&2;}
    { (exit 1); exit 1; }; }
 fi
 if test -z "${USE_EAP_SIM_TRUE}" && test -z "${USE_EAP_SIM_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_EAP_SIM\" was never defined.
+  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_EAP_SIM\" was never defined.
 Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_EAP_SIM\" was never defined.
+$as_echo "$as_me: error: conditional \"USE_EAP_SIM\" was never defined.
 Usually this means the macro was only invoked conditionally." >&2;}
    { (exit 1); exit 1; }; }
 fi
 if test -z "${USE_EAP_SIM_FILE_TRUE}" && test -z "${USE_EAP_SIM_FILE_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_EAP_SIM_FILE\" was never defined.
+  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_EAP_SIM_FILE\" was never defined.
 Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_EAP_SIM_FILE\" was never defined.
+$as_echo "$as_me: error: conditional \"USE_EAP_SIM_FILE\" was never defined.
 Usually this means the macro was only invoked conditionally." >&2;}
    { (exit 1); exit 1; }; }
 fi
 if test -z "${USE_EAP_IDENTITY_TRUE}" && test -z "${USE_EAP_IDENTITY_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_EAP_IDENTITY\" was never defined.
+  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_EAP_IDENTITY\" was never defined.
 Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_EAP_IDENTITY\" was never defined.
+$as_echo "$as_me: error: conditional \"USE_EAP_IDENTITY\" was never defined.
 Usually this means the macro was only invoked conditionally." >&2;}
    { (exit 1); exit 1; }; }
 fi
 if test -z "${USE_EAP_MD5_TRUE}" && test -z "${USE_EAP_MD5_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_EAP_MD5\" was never defined.
+  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_EAP_MD5\" was never defined.
 Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_EAP_MD5\" was never defined.
+$as_echo "$as_me: error: conditional \"USE_EAP_MD5\" was never defined.
 Usually this means the macro was only invoked conditionally." >&2;}
    { (exit 1); exit 1; }; }
 fi
 if test -z "${USE_EAP_GTC_TRUE}" && test -z "${USE_EAP_GTC_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_EAP_GTC\" was never defined.
+  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_EAP_GTC\" was never defined.
 Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_EAP_GTC\" was never defined.
+$as_echo "$as_me: error: conditional \"USE_EAP_GTC\" was never defined.
 Usually this means the macro was only invoked conditionally." >&2;}
    { (exit 1); exit 1; }; }
 fi
 if test -z "${USE_EAP_AKA_TRUE}" && test -z "${USE_EAP_AKA_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_EAP_AKA\" was never defined.
+  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_EAP_AKA\" was never defined.
 Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_EAP_AKA\" was never defined.
+$as_echo "$as_me: error: conditional \"USE_EAP_AKA\" was never defined.
 Usually this means the macro was only invoked conditionally." >&2;}
    { (exit 1); exit 1; }; }
 fi
 if test -z "${USE_EAP_MSCHAPV2_TRUE}" && test -z "${USE_EAP_MSCHAPV2_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_EAP_MSCHAPV2\" was never defined.
+  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_EAP_MSCHAPV2\" was never defined.
 Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_EAP_MSCHAPV2\" was never defined.
+$as_echo "$as_me: error: conditional \"USE_EAP_MSCHAPV2\" was never defined.
 Usually this means the macro was only invoked conditionally." >&2;}
    { (exit 1); exit 1; }; }
 fi
 if test -z "${USE_EAP_RADIUS_TRUE}" && test -z "${USE_EAP_RADIUS_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_EAP_RADIUS\" was never defined.
+  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_EAP_RADIUS\" was never defined.
 Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_EAP_RADIUS\" was never defined.
+$as_echo "$as_me: error: conditional \"USE_EAP_RADIUS\" was never defined.
 Usually this means the macro was only invoked conditionally." >&2;}
    { (exit 1); exit 1; }; }
 fi
 if test -z "${USE_KERNEL_NETLINK_TRUE}" && test -z "${USE_KERNEL_NETLINK_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_KERNEL_NETLINK\" was never defined.
+  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_KERNEL_NETLINK\" was never defined.
 Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_KERNEL_NETLINK\" was never defined.
+$as_echo "$as_me: error: conditional \"USE_KERNEL_NETLINK\" was never defined.
 Usually this means the macro was only invoked conditionally." >&2;}
    { (exit 1); exit 1; }; }
 fi
 if test -z "${USE_KERNEL_PFKEY_TRUE}" && test -z "${USE_KERNEL_PFKEY_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_KERNEL_PFKEY\" was never defined.
+  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_KERNEL_PFKEY\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+$as_echo "$as_me: error: conditional \"USE_KERNEL_PFKEY\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
+fi
+if test -z "${USE_KERNEL_PFROUTE_TRUE}" && test -z "${USE_KERNEL_PFROUTE_FALSE}"; then
+  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_KERNEL_PFROUTE\" was never defined.
 Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_KERNEL_PFKEY\" was never defined.
+$as_echo "$as_me: error: conditional \"USE_KERNEL_PFROUTE\" was never defined.
 Usually this means the macro was only invoked conditionally." >&2;}
    { (exit 1); exit 1; }; }
 fi
 if test -z "${USE_KERNEL_KLIPS_TRUE}" && test -z "${USE_KERNEL_KLIPS_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_KERNEL_KLIPS\" was never defined.
+  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_KERNEL_KLIPS\" was never defined.
 Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_KERNEL_KLIPS\" was never defined.
+$as_echo "$as_me: error: conditional \"USE_KERNEL_KLIPS\" was never defined.
 Usually this means the macro was only invoked conditionally." >&2;}
    { (exit 1); exit 1; }; }
 fi
 if test -z "${USE_SMARTCARD_TRUE}" && test -z "${USE_SMARTCARD_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_SMARTCARD\" was never defined.
+  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_SMARTCARD\" was never defined.
 Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_SMARTCARD\" was never defined.
+$as_echo "$as_me: error: conditional \"USE_SMARTCARD\" was never defined.
 Usually this means the macro was only invoked conditionally." >&2;}
    { (exit 1); exit 1; }; }
 fi
 if test -z "${USE_CISCO_QUIRKS_TRUE}" && test -z "${USE_CISCO_QUIRKS_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_CISCO_QUIRKS\" was never defined.
+  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_CISCO_QUIRKS\" was never defined.
 Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_CISCO_QUIRKS\" was never defined.
+$as_echo "$as_me: error: conditional \"USE_CISCO_QUIRKS\" was never defined.
 Usually this means the macro was only invoked conditionally." >&2;}
    { (exit 1); exit 1; }; }
 fi
 if test -z "${USE_LEAK_DETECTIVE_TRUE}" && test -z "${USE_LEAK_DETECTIVE_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_LEAK_DETECTIVE\" was never defined.
+  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_LEAK_DETECTIVE\" was never defined.
 Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_LEAK_DETECTIVE\" was never defined.
+$as_echo "$as_me: error: conditional \"USE_LEAK_DETECTIVE\" was never defined.
 Usually this means the macro was only invoked conditionally." >&2;}
    { (exit 1); exit 1; }; }
 fi
 if test -z "${USE_LOCK_PROFILER_TRUE}" && test -z "${USE_LOCK_PROFILER_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_LOCK_PROFILER\" was never defined.
+  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_LOCK_PROFILER\" was never defined.
 Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_LOCK_PROFILER\" was never defined.
+$as_echo "$as_me: error: conditional \"USE_LOCK_PROFILER\" was never defined.
 Usually this means the macro was only invoked conditionally." >&2;}
    { (exit 1); exit 1; }; }
 fi
 if test -z "${USE_NAT_TRANSPORT_TRUE}" && test -z "${USE_NAT_TRANSPORT_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_NAT_TRANSPORT\" was never defined.
+  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_NAT_TRANSPORT\" was never defined.
 Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_NAT_TRANSPORT\" was never defined.
+$as_echo "$as_me: error: conditional \"USE_NAT_TRANSPORT\" was never defined.
 Usually this means the macro was only invoked conditionally." >&2;}
    { (exit 1); exit 1; }; }
 fi
 if test -z "${USE_VENDORID_TRUE}" && test -z "${USE_VENDORID_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_VENDORID\" was never defined.
+  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_VENDORID\" was never defined.
 Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_VENDORID\" was never defined.
+$as_echo "$as_me: error: conditional \"USE_VENDORID\" was never defined.
 Usually this means the macro was only invoked conditionally." >&2;}
    { (exit 1); exit 1; }; }
 fi
 if test -z "${USE_XAUTH_VID_TRUE}" && test -z "${USE_XAUTH_VID_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_XAUTH_VID\" was never defined.
+  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_XAUTH_VID\" was never defined.
 Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_XAUTH_VID\" was never defined.
+$as_echo "$as_me: error: conditional \"USE_XAUTH_VID\" was never defined.
 Usually this means the macro was only invoked conditionally." >&2;}
    { (exit 1); exit 1; }; }
 fi
 if test -z "${USE_DUMM_TRUE}" && test -z "${USE_DUMM_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_DUMM\" was never defined.
+  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_DUMM\" was never defined.
 Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_DUMM\" was never defined.
+$as_echo "$as_me: error: conditional \"USE_DUMM\" was never defined.
 Usually this means the macro was only invoked conditionally." >&2;}
    { (exit 1); exit 1; }; }
 fi
 if test -z "${USE_FAST_TRUE}" && test -z "${USE_FAST_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_FAST\" was never defined.
+  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_FAST\" was never defined.
 Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_FAST\" was never defined.
+$as_echo "$as_me: error: conditional \"USE_FAST\" was never defined.
 Usually this means the macro was only invoked conditionally." >&2;}
    { (exit 1); exit 1; }; }
 fi
 if test -z "${USE_MANAGER_TRUE}" && test -z "${USE_MANAGER_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_MANAGER\" was never defined.
+  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_MANAGER\" was never defined.
 Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_MANAGER\" was never defined.
+$as_echo "$as_me: error: conditional \"USE_MANAGER\" was never defined.
 Usually this means the macro was only invoked conditionally." >&2;}
    { (exit 1); exit 1; }; }
 fi
 if test -z "${USE_ME_TRUE}" && test -z "${USE_ME_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_ME\" was never defined.
+  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_ME\" was never defined.
 Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_ME\" was never defined.
+$as_echo "$as_me: error: conditional \"USE_ME\" was never defined.
 Usually this means the macro was only invoked conditionally." >&2;}
    { (exit 1); exit 1; }; }
 fi
 if test -z "${USE_INTEGRITY_TEST_TRUE}" && test -z "${USE_INTEGRITY_TEST_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_INTEGRITY_TEST\" was never defined.
+  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_INTEGRITY_TEST\" was never defined.
 Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_INTEGRITY_TEST\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
-fi
-if test -z "${USE_SELF_TEST_TRUE}" && test -z "${USE_SELF_TEST_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_SELF_TEST\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_SELF_TEST\" was never defined.
+$as_echo "$as_me: error: conditional \"USE_INTEGRITY_TEST\" was never defined.
 Usually this means the macro was only invoked conditionally." >&2;}
    { (exit 1); exit 1; }; }
 fi
 if test -z "${USE_CAPABILITIES_TRUE}" && test -z "${USE_CAPABILITIES_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_CAPABILITIES\" was never defined.
+  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_CAPABILITIES\" was never defined.
 Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_CAPABILITIES\" was never defined.
+$as_echo "$as_me: error: conditional \"USE_CAPABILITIES\" was never defined.
 Usually this means the macro was only invoked conditionally." >&2;}
    { (exit 1); exit 1; }; }
 fi
 if test -z "${USE_PLUTO_TRUE}" && test -z "${USE_PLUTO_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_PLUTO\" was never defined.
+  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_PLUTO\" was never defined.
 Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_PLUTO\" was never defined.
+$as_echo "$as_me: error: conditional \"USE_PLUTO\" was never defined.
 Usually this means the macro was only invoked conditionally." >&2;}
    { (exit 1); exit 1; }; }
 fi
 if test -z "${USE_THREADS_TRUE}" && test -z "${USE_THREADS_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_THREADS\" was never defined.
+  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_THREADS\" was never defined.
 Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_THREADS\" was never defined.
+$as_echo "$as_me: error: conditional \"USE_THREADS\" was never defined.
 Usually this means the macro was only invoked conditionally." >&2;}
    { (exit 1); exit 1; }; }
 fi
 if test -z "${USE_CHARON_TRUE}" && test -z "${USE_CHARON_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_CHARON\" was never defined.
+  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_CHARON\" was never defined.
 Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_CHARON\" was never defined.
+$as_echo "$as_me: error: conditional \"USE_CHARON\" was never defined.
 Usually this means the macro was only invoked conditionally." >&2;}
    { (exit 1); exit 1; }; }
 fi
 if test -z "${USE_TOOLS_TRUE}" && test -z "${USE_TOOLS_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_TOOLS\" was never defined.
+  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_TOOLS\" was never defined.
 Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_TOOLS\" was never defined.
+$as_echo "$as_me: error: conditional \"USE_TOOLS\" was never defined.
 Usually this means the macro was only invoked conditionally." >&2;}
    { (exit 1); exit 1; }; }
 fi
 if test -z "${USE_LIBSTRONGSWAN_TRUE}" && test -z "${USE_LIBSTRONGSWAN_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_LIBSTRONGSWAN\" was never defined.
+  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_LIBSTRONGSWAN\" was never defined.
 Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_LIBSTRONGSWAN\" was never defined.
+$as_echo "$as_me: error: conditional \"USE_LIBSTRONGSWAN\" was never defined.
 Usually this means the macro was only invoked conditionally." >&2;}
    { (exit 1); exit 1; }; }
 fi
 if test -z "${USE_FILE_CONFIG_TRUE}" && test -z "${USE_FILE_CONFIG_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_FILE_CONFIG\" was never defined.
+  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_FILE_CONFIG\" was never defined.
 Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_FILE_CONFIG\" was never defined.
+$as_echo "$as_me: error: conditional \"USE_FILE_CONFIG\" was never defined.
 Usually this means the macro was only invoked conditionally." >&2;}
    { (exit 1); exit 1; }; }
 fi
 if test -z "${USE_VSTR_TRUE}" && test -z "${USE_VSTR_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"USE_VSTR\" was never defined.
+  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_VSTR\" was never defined.
 Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"USE_VSTR\" was never defined.
+$as_echo "$as_me: error: conditional \"USE_VSTR\" was never defined.
 Usually this means the macro was only invoked conditionally." >&2;}
    { (exit 1); exit 1; }; }
 fi
 
 : ${CONFIG_STATUS=./config.status}
+ac_write_fail=0
 ac_clean_files_save=$ac_clean_files
 ac_clean_files="$ac_clean_files $CONFIG_STATUS"
-{ echo "$as_me:$LINENO: creating $CONFIG_STATUS" >&5
-echo "$as_me: creating $CONFIG_STATUS" >&6;}
-cat >$CONFIG_STATUS <<_ACEOF
+{ $as_echo "$as_me:$LINENO: creating $CONFIG_STATUS" >&5
+$as_echo "$as_me: creating $CONFIG_STATUS" >&6;}
+cat >$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 #! $SHELL
 # Generated by $as_me.
 # Run this file to recreate the current configuration.
@@ -17910,7 +19124,7 @@ ac_cs_silent=false
 SHELL=\${CONFIG_SHELL-$SHELL}
 _ACEOF
 
-cat >>$CONFIG_STATUS <<\_ACEOF
+cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 ## --------------------- ##
 ## M4sh Initialization.  ##
 ## --------------------- ##
@@ -17920,7 +19134,7 @@ DUALCASE=1; export DUALCASE # for MKS sh
 if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
   emulate sh
   NULLCMD=:
-  # Zsh 3.x and 4.x performs word splitting on ${1+"$@"}, which
+  # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which
   # is contrary to our usage.  Disable this feature.
   alias -g '${1+"$@"}'='"$@"'
   setopt NO_GLOB_SUBST
@@ -17942,17 +19156,45 @@ as_cr_Letters=$as_cr_letters$as_cr_LETTERS
 as_cr_digits='0123456789'
 as_cr_alnum=$as_cr_Letters$as_cr_digits
 
-# The user is always right.
-if test "${PATH_SEPARATOR+set}" != set; then
-  echo "#! /bin/sh" >conf$$.sh
-  echo  "exit 0"   >>conf$$.sh
-  chmod +x conf$$.sh
-  if (PATH="/nonexistent;."; conf$$.sh) >/dev/null 2>&1; then
-    PATH_SEPARATOR=';'
+as_nl='
+'
+export as_nl
+# Printing a long string crashes Solaris 7 /usr/bin/printf.
+as_echo='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\'
+as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo
+as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo$as_echo
+if (test "X`printf %s $as_echo`" = "X$as_echo") 2>/dev/null; then
+  as_echo='printf %s\n'
+  as_echo_n='printf %s'
+else
+  if test "X`(/usr/ucb/echo -n -n $as_echo) 2>/dev/null`" = "X-n $as_echo"; then
+    as_echo_body='eval /usr/ucb/echo -n "$1$as_nl"'
+    as_echo_n='/usr/ucb/echo -n'
   else
-    PATH_SEPARATOR=:
+    as_echo_body='eval expr "X$1" : "X\\(.*\\)"'
+    as_echo_n_body='eval
+      arg=$1;
+      case $arg in
+      *"$as_nl"*)
+	expr "X$arg" : "X\\(.*\\)$as_nl";
+	arg=`expr "X$arg" : ".*$as_nl\\(.*\\)"`;;
+      esac;
+      expr "X$arg" : "X\\(.*\\)" | tr -d "$as_nl"
+    '
+    export as_echo_n_body
+    as_echo_n='sh -c $as_echo_n_body as_echo'
   fi
-  rm -f conf$$.sh
+  export as_echo_body
+  as_echo='sh -c $as_echo_body as_echo'
+fi
+
+# The user is always right.
+if test "${PATH_SEPARATOR+set}" != set; then
+  PATH_SEPARATOR=:
+  (PATH='/bin;/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 && {
+    (PATH='/bin:/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 ||
+      PATH_SEPARATOR=';'
+  }
 fi
 
 # Support unset when possible.
@@ -17968,8 +19210,6 @@ fi
 # there to prevent editors from complaining about space-tab.
 # (If _AS_PATH_WALK were called with IFS unset, it would disable word
 # splitting by setting IFS to empty value.)
-as_nl='
-'
 IFS=" ""	$as_nl"
 
 # Find who we are.  Look in the path if we contain no directory separator.
@@ -17992,7 +19232,7 @@ if test "x$as_myself" = x; then
   as_myself=$0
 fi
 if test ! -f "$as_myself"; then
-  echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2
+  $as_echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2
   { (exit 1); exit 1; }
 fi
 
@@ -18005,17 +19245,10 @@ PS2='> '
 PS4='+ '
 
 # NLS nuisances.
-for as_var in \
-  LANG LANGUAGE LC_ADDRESS LC_ALL LC_COLLATE LC_CTYPE LC_IDENTIFICATION \
-  LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER \
-  LC_TELEPHONE LC_TIME
-do
-  if (set +x; test -z "`(eval $as_var=C; export $as_var) 2>&1`"); then
-    eval $as_var=C; export $as_var
-  else
-    ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var
-  fi
-done
+LC_ALL=C
+export LC_ALL
+LANGUAGE=C
+export LANGUAGE
 
 # Required to use basename.
 if expr a : '\(a\)' >/dev/null 2>&1 &&
@@ -18037,7 +19270,7 @@ as_me=`$as_basename -- "$0" ||
 $as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \
 	 X"$0" : 'X\(//\)$' \| \
 	 X"$0" : 'X\(/\)' \| . 2>/dev/null ||
-echo X/"$0" |
+$as_echo X/"$0" |
     sed '/^.*\/\([^/][^/]*\)\/*$/{
 	    s//\1/
 	    q
@@ -18088,7 +19321,7 @@ $as_unset CDPATH
       s/-\n.*//
     ' >$as_me.lineno &&
   chmod +x "$as_me.lineno" ||
-    { echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2
+    { $as_echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2
    { (exit 1); exit 1; }; }
 
   # Don't try to exec as it changes $[0], causing all sort of problems
@@ -18116,7 +19349,6 @@ case `echo -n x` in
 *)
   ECHO_N='-n';;
 esac
-
 if expr a : '\(a\)' >/dev/null 2>&1 &&
    test "X`expr 00001 : '.*\(...\)'`" = X001; then
   as_expr=expr
@@ -18129,19 +19361,22 @@ if test -d conf$$.dir; then
   rm -f conf$$.dir/conf$$.file
 else
   rm -f conf$$.dir
-  mkdir conf$$.dir
-fi
-echo >conf$$.file
-if ln -s conf$$.file conf$$ 2>/dev/null; then
-  as_ln_s='ln -s'
-  # ... but there are two gotchas:
-  # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail.
-  # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable.
-  # In both cases, we have to default to `cp -p'.
-  ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe ||
+  mkdir conf$$.dir 2>/dev/null
+fi
+if (echo >conf$$.file) 2>/dev/null; then
+  if ln -s conf$$.file conf$$ 2>/dev/null; then
+    as_ln_s='ln -s'
+    # ... but there are two gotchas:
+    # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail.
+    # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable.
+    # In both cases, we have to default to `cp -p'.
+    ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe ||
+      as_ln_s='cp -p'
+  elif ln conf$$.file conf$$ 2>/dev/null; then
+    as_ln_s=ln
+  else
     as_ln_s='cp -p'
-elif ln conf$$.file conf$$ 2>/dev/null; then
-  as_ln_s=ln
+  fi
 else
   as_ln_s='cp -p'
 fi
@@ -18166,10 +19401,10 @@ else
   as_test_x='
     eval sh -c '\''
       if test -d "$1"; then
-        test -d "$1/.";
+	test -d "$1/.";
       else
 	case $1 in
-        -*)set "./$1";;
+	-*)set "./$1";;
 	esac;
 	case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in
 	???[sx]*):;;*)false;;esac;fi
@@ -18191,8 +19426,8 @@ exec 6>&1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by strongSwan $as_me 4.2.14, which was
-generated by GNU Autoconf 2.61.  Invocation command line was
+This file was extended by strongSwan $as_me 4.3.2, which was
+generated by GNU Autoconf 2.63.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
   CONFIG_HEADERS  = $CONFIG_HEADERS
@@ -18205,27 +19440,34 @@ on `(hostname || uname -n) 2>/dev/null | sed 1q`
 
 _ACEOF
 
-cat >>$CONFIG_STATUS <<_ACEOF
+case $ac_config_files in *"
+"*) set x $ac_config_files; shift; ac_config_files=$*;;
+esac
+
+
+
+cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 # Files that config.status was made for.
 config_files="$ac_config_files"
 config_commands="$ac_config_commands"
 
 _ACEOF
 
-cat >>$CONFIG_STATUS <<\_ACEOF
+cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 ac_cs_usage="\
 \`$as_me' instantiates files from templates according to the
 current configuration.
 
-Usage: $0 [OPTIONS] [FILE]...
+Usage: $0 [OPTION]... [FILE]...
 
   -h, --help       print this help, then exit
   -V, --version    print version number and configuration settings, then exit
-  -q, --quiet      do not print progress messages
+  -q, --quiet, --silent
+                   do not print progress messages
   -d, --debug      don't remove temporary files
       --recheck    update $as_me by reconfiguring in the same conditions
-  --file=FILE[:TEMPLATE]
-		   instantiate the configuration file FILE
+      --file=FILE[:TEMPLATE]
+                   instantiate the configuration file FILE
 
 Configuration files:
 $config_files
@@ -18236,13 +19478,13 @@ $config_commands
 Report bugs to <bug-autoconf@gnu.org>."
 
 _ACEOF
-cat >>$CONFIG_STATUS <<_ACEOF
+cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_version="\\
-strongSwan config.status 4.2.14
-configured by $0, generated by GNU Autoconf 2.61,
-  with options \\"`echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`\\"
+strongSwan config.status 4.3.2
+configured by $0, generated by GNU Autoconf 2.63,
+  with options \\"`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`\\"
 
-Copyright (C) 2006 Free Software Foundation, Inc.
+Copyright (C) 2008 Free Software Foundation, Inc.
 This config.status script is free software; the Free Software Foundation
 gives unlimited permission to copy, distribute and modify it."
 
@@ -18250,11 +19492,12 @@ ac_pwd='$ac_pwd'
 srcdir='$srcdir'
 INSTALL='$INSTALL'
 MKDIR_P='$MKDIR_P'
+AWK='$AWK'
+test -n "\$AWK" || AWK=awk
 _ACEOF
 
-cat >>$CONFIG_STATUS <<\_ACEOF
-# If no file are specified by the user, then we need to provide default
-# value.  By we need to know if files were specified by the user.
+cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
+# The default lists apply if the user does not specify any file.
 ac_need_defaults=:
 while test $# != 0
 do
@@ -18276,21 +19519,24 @@ do
   -recheck | --recheck | --rechec | --reche | --rech | --rec | --re | --r)
     ac_cs_recheck=: ;;
   --version | --versio | --versi | --vers | --ver | --ve | --v | -V )
-    echo "$ac_cs_version"; exit ;;
+    $as_echo "$ac_cs_version"; exit ;;
   --debug | --debu | --deb | --de | --d | -d )
     debug=: ;;
   --file | --fil | --fi | --f )
     $ac_shift
-    CONFIG_FILES="$CONFIG_FILES $ac_optarg"
+    case $ac_optarg in
+    *\'*) ac_optarg=`$as_echo "$ac_optarg" | sed "s/'/'\\\\\\\\''/g"` ;;
+    esac
+    CONFIG_FILES="$CONFIG_FILES '$ac_optarg'"
     ac_need_defaults=false;;
   --he | --h |  --help | --hel | -h )
-    echo "$ac_cs_usage"; exit ;;
+    $as_echo "$ac_cs_usage"; exit ;;
   -q | -quiet | --quiet | --quie | --qui | --qu | --q \
   | -silent | --silent | --silen | --sile | --sil | --si | --s)
     ac_cs_silent=: ;;
 
   # This is an error.
-  -*) { echo "$as_me: error: unrecognized option: $1
+  -*) { $as_echo "$as_me: error: unrecognized option: $1
 Try \`$0 --help' for more information." >&2
    { (exit 1); exit 1; }; } ;;
 
@@ -18309,27 +19555,29 @@ if $ac_cs_silent; then
 fi
 
 _ACEOF
-cat >>$CONFIG_STATUS <<_ACEOF
+cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 if \$ac_cs_recheck; then
-  echo "running CONFIG_SHELL=$SHELL $SHELL $0 "$ac_configure_args \$ac_configure_extra_args " --no-create --no-recursion" >&6
-  CONFIG_SHELL=$SHELL
+  set X '$SHELL' '$0' $ac_configure_args \$ac_configure_extra_args --no-create --no-recursion
+  shift
+  \$as_echo "running CONFIG_SHELL=$SHELL \$*" >&6
+  CONFIG_SHELL='$SHELL'
   export CONFIG_SHELL
-  exec $SHELL "$0"$ac_configure_args \$ac_configure_extra_args --no-create --no-recursion
+  exec "\$@"
 fi
 
 _ACEOF
-cat >>$CONFIG_STATUS <<\_ACEOF
+cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 exec 5>>config.log
 {
   echo
   sed 'h;s/./-/g;s/^.../## /;s/...$/ ##/;p;x;p;x' <<_ASBOX
 ## Running $as_me. ##
 _ASBOX
-  echo "$ac_log"
+  $as_echo "$ac_log"
 } >&5
 
 _ACEOF
-cat >>$CONFIG_STATUS <<_ACEOF
+cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 #
 # INIT-COMMANDS
 #
@@ -18371,6 +19619,7 @@ lt_SP2NL='`$ECHO "X$lt_SP2NL" | $Xsed -e "$delay_single_quote_subst"`'
 lt_NL2SP='`$ECHO "X$lt_NL2SP" | $Xsed -e "$delay_single_quote_subst"`'
 reload_flag='`$ECHO "X$reload_flag" | $Xsed -e "$delay_single_quote_subst"`'
 reload_cmds='`$ECHO "X$reload_cmds" | $Xsed -e "$delay_single_quote_subst"`'
+OBJDUMP='`$ECHO "X$OBJDUMP" | $Xsed -e "$delay_single_quote_subst"`'
 deplibs_check_method='`$ECHO "X$deplibs_check_method" | $Xsed -e "$delay_single_quote_subst"`'
 file_magic_cmd='`$ECHO "X$file_magic_cmd" | $Xsed -e "$delay_single_quote_subst"`'
 AR='`$ECHO "X$AR" | $Xsed -e "$delay_single_quote_subst"`'
@@ -18476,6 +19725,7 @@ LN_S \
 lt_SP2NL \
 lt_NL2SP \
 reload_flag \
+OBJDUMP \
 deplibs_check_method \
 file_magic_cmd \
 AR \
@@ -18590,7 +19840,7 @@ fi
 
 _ACEOF
 
-cat >>$CONFIG_STATUS <<\_ACEOF
+cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 
 # Handling of arguments.
 for ac_config_target in $ac_config_targets
@@ -18604,6 +19854,7 @@ do
     "src/libstrongswan/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/Makefile" ;;
     "src/libstrongswan/plugins/aes/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/aes/Makefile" ;;
     "src/libstrongswan/plugins/des/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/des/Makefile" ;;
+    "src/libstrongswan/plugins/blowfish/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/blowfish/Makefile" ;;
     "src/libstrongswan/plugins/md4/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/md4/Makefile" ;;
     "src/libstrongswan/plugins/md5/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/md5/Makefile" ;;
     "src/libstrongswan/plugins/sha1/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/sha1/Makefile" ;;
@@ -18621,9 +19872,10 @@ do
     "src/libstrongswan/plugins/sqlite/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/sqlite/Makefile" ;;
     "src/libstrongswan/plugins/padlock/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/padlock/Makefile" ;;
     "src/libstrongswan/plugins/openssl/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/openssl/Makefile" ;;
+    "src/libstrongswan/plugins/gcrypt/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/gcrypt/Makefile" ;;
     "src/libstrongswan/plugins/agent/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/agent/Makefile" ;;
+    "src/libstrongswan/plugins/test_vectors/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/test_vectors/Makefile" ;;
     "src/libstrongswan/fips/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/fips/Makefile" ;;
-    "src/libcrypto/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcrypto/Makefile" ;;
     "src/libfreeswan/Makefile") CONFIG_FILES="$CONFIG_FILES src/libfreeswan/Makefile" ;;
     "src/pluto/Makefile") CONFIG_FILES="$CONFIG_FILES src/pluto/Makefile" ;;
     "src/whack/Makefile") CONFIG_FILES="$CONFIG_FILES src/whack/Makefile" ;;
@@ -18638,6 +19890,7 @@ do
     "src/charon/plugins/eap_radius/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/eap_radius/Makefile" ;;
     "src/charon/plugins/kernel_netlink/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/kernel_netlink/Makefile" ;;
     "src/charon/plugins/kernel_pfkey/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/kernel_pfkey/Makefile" ;;
+    "src/charon/plugins/kernel_pfroute/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/kernel_pfroute/Makefile" ;;
     "src/charon/plugins/kernel_klips/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/kernel_klips/Makefile" ;;
     "src/charon/plugins/smp/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/smp/Makefile" ;;
     "src/charon/plugins/sql/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/sql/Makefile" ;;
@@ -18647,6 +19900,8 @@ do
     "src/charon/plugins/uci/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/uci/Makefile" ;;
     "src/charon/plugins/stroke/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/stroke/Makefile" ;;
     "src/charon/plugins/updown/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/updown/Makefile" ;;
+    "src/charon/plugins/attr/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/attr/Makefile" ;;
+    "src/charon/plugins/resolv_conf/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/resolv_conf/Makefile" ;;
     "src/charon/plugins/unit_tester/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/unit_tester/Makefile" ;;
     "src/charon/plugins/load_tester/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/load_tester/Makefile" ;;
     "src/stroke/Makefile") CONFIG_FILES="$CONFIG_FILES src/stroke/Makefile" ;;
@@ -18658,14 +19913,15 @@ do
     "src/openac/Makefile") CONFIG_FILES="$CONFIG_FILES src/openac/Makefile" ;;
     "src/scepclient/Makefile") CONFIG_FILES="$CONFIG_FILES src/scepclient/Makefile" ;;
     "src/dumm/Makefile") CONFIG_FILES="$CONFIG_FILES src/dumm/Makefile" ;;
+    "src/dumm/ext/extconf.rb") CONFIG_FILES="$CONFIG_FILES src/dumm/ext/extconf.rb" ;;
     "src/libfast/Makefile") CONFIG_FILES="$CONFIG_FILES src/libfast/Makefile" ;;
     "src/manager/Makefile") CONFIG_FILES="$CONFIG_FILES src/manager/Makefile" ;;
     "src/medsrv/Makefile") CONFIG_FILES="$CONFIG_FILES src/medsrv/Makefile" ;;
     "scripts/Makefile") CONFIG_FILES="$CONFIG_FILES scripts/Makefile" ;;
     "testing/Makefile") CONFIG_FILES="$CONFIG_FILES testing/Makefile" ;;
 
-  *) { { echo "$as_me:$LINENO: error: invalid argument: $ac_config_target" >&5
-echo "$as_me: error: invalid argument: $ac_config_target" >&2;}
+  *) { { $as_echo "$as_me:$LINENO: error: invalid argument: $ac_config_target" >&5
+$as_echo "$as_me: error: invalid argument: $ac_config_target" >&2;}
    { (exit 1); exit 1; }; };;
   esac
 done
@@ -18705,403 +19961,144 @@ $debug ||
   (umask 077 && mkdir "$tmp")
 } ||
 {
-   echo "$me: cannot create a temporary directory in ." >&2
+   $as_echo "$as_me: cannot create a temporary directory in ." >&2
    { (exit 1); exit 1; }
 }
 
-#
-# Set up the sed scripts for CONFIG_FILES section.
-#
-
-# No need to generate the scripts if there are no CONFIG_FILES.
-# This happens for instance when ./config.status config.h
+# Set up the scripts for CONFIG_FILES section.
+# No need to generate them if there are no CONFIG_FILES.
+# This happens for instance with `./config.status config.h'.
 if test -n "$CONFIG_FILES"; then
 
-_ACEOF
-
-
-
-ac_delim='%!_!# '
-for ac_last_try in false false false false false :; do
-  cat >conf$$subs.sed <<_ACEOF
-SHELL!$SHELL$ac_delim
-PATH_SEPARATOR!$PATH_SEPARATOR$ac_delim
-PACKAGE_NAME!$PACKAGE_NAME$ac_delim
-PACKAGE_TARNAME!$PACKAGE_TARNAME$ac_delim
-PACKAGE_VERSION!$PACKAGE_VERSION$ac_delim
-PACKAGE_STRING!$PACKAGE_STRING$ac_delim
-PACKAGE_BUGREPORT!$PACKAGE_BUGREPORT$ac_delim
-exec_prefix!$exec_prefix$ac_delim
-prefix!$prefix$ac_delim
-program_transform_name!$program_transform_name$ac_delim
-bindir!$bindir$ac_delim
-sbindir!$sbindir$ac_delim
-libexecdir!$libexecdir$ac_delim
-datarootdir!$datarootdir$ac_delim
-datadir!$datadir$ac_delim
-sysconfdir!$sysconfdir$ac_delim
-sharedstatedir!$sharedstatedir$ac_delim
-localstatedir!$localstatedir$ac_delim
-includedir!$includedir$ac_delim
-oldincludedir!$oldincludedir$ac_delim
-docdir!$docdir$ac_delim
-infodir!$infodir$ac_delim
-htmldir!$htmldir$ac_delim
-dvidir!$dvidir$ac_delim
-pdfdir!$pdfdir$ac_delim
-psdir!$psdir$ac_delim
-libdir!$libdir$ac_delim
-localedir!$localedir$ac_delim
-mandir!$mandir$ac_delim
-DEFS!$DEFS$ac_delim
-ECHO_C!$ECHO_C$ac_delim
-ECHO_N!$ECHO_N$ac_delim
-ECHO_T!$ECHO_T$ac_delim
-LIBS!$LIBS$ac_delim
-build_alias!$build_alias$ac_delim
-host_alias!$host_alias$ac_delim
-target_alias!$target_alias$ac_delim
-INSTALL_PROGRAM!$INSTALL_PROGRAM$ac_delim
-INSTALL_SCRIPT!$INSTALL_SCRIPT$ac_delim
-INSTALL_DATA!$INSTALL_DATA$ac_delim
-am__isrc!$am__isrc$ac_delim
-CYGPATH_W!$CYGPATH_W$ac_delim
-PACKAGE!$PACKAGE$ac_delim
-VERSION!$VERSION$ac_delim
-ACLOCAL!$ACLOCAL$ac_delim
-AUTOCONF!$AUTOCONF$ac_delim
-AUTOMAKE!$AUTOMAKE$ac_delim
-AUTOHEADER!$AUTOHEADER$ac_delim
-MAKEINFO!$MAKEINFO$ac_delim
-install_sh!$install_sh$ac_delim
-STRIP!$STRIP$ac_delim
-INSTALL_STRIP_PROGRAM!$INSTALL_STRIP_PROGRAM$ac_delim
-mkdir_p!$mkdir_p$ac_delim
-AWK!$AWK$ac_delim
-SET_MAKE!$SET_MAKE$ac_delim
-am__leading_dot!$am__leading_dot$ac_delim
-AMTAR!$AMTAR$ac_delim
-am__tar!$am__tar$ac_delim
-am__untar!$am__untar$ac_delim
-CC!$CC$ac_delim
-CFLAGS!$CFLAGS$ac_delim
-LDFLAGS!$LDFLAGS$ac_delim
-CPPFLAGS!$CPPFLAGS$ac_delim
-ac_ct_CC!$ac_ct_CC$ac_delim
-EXEEXT!$EXEEXT$ac_delim
-OBJEXT!$OBJEXT$ac_delim
-DEPDIR!$DEPDIR$ac_delim
-am__include!$am__include$ac_delim
-am__quote!$am__quote$ac_delim
-AMDEP_TRUE!$AMDEP_TRUE$ac_delim
-AMDEP_FALSE!$AMDEP_FALSE$ac_delim
-AMDEPBACKSLASH!$AMDEPBACKSLASH$ac_delim
-CCDEPMODE!$CCDEPMODE$ac_delim
-am__fastdepCC_TRUE!$am__fastdepCC_TRUE$ac_delim
-am__fastdepCC_FALSE!$am__fastdepCC_FALSE$ac_delim
-CPP!$CPP$ac_delim
-GREP!$GREP$ac_delim
-EGREP!$EGREP$ac_delim
-confdir!$confdir$ac_delim
-PKG_CONFIG!$PKG_CONFIG$ac_delim
-resolv_conf!$resolv_conf$ac_delim
-strongswan_conf!$strongswan_conf$ac_delim
-piddir!$piddir$ac_delim
-ipsecdir!$ipsecdir$ac_delim
-plugindir!$plugindir$ac_delim
-simreader!$simreader$ac_delim
-linuxdir!$linuxdir$ac_delim
-LINUX_HEADERS!$LINUX_HEADERS$ac_delim
-IPSEC_ROUTING_TABLE!$IPSEC_ROUTING_TABLE$ac_delim
-IPSEC_ROUTING_TABLE_PRIO!$IPSEC_ROUTING_TABLE_PRIO$ac_delim
-ipsecuser!$ipsecuser$ac_delim
-ipsecgroup!$ipsecgroup$ac_delim
-LIBTOOL!$LIBTOOL$ac_delim
-build!$build$ac_delim
-build_cpu!$build_cpu$ac_delim
-build_vendor!$build_vendor$ac_delim
-build_os!$build_os$ac_delim
-_ACEOF
-
-  if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 97; then
-    break
-  elif $ac_last_try; then
-    { { echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5
-echo "$as_me: error: could not make $CONFIG_STATUS" >&2;}
-   { (exit 1); exit 1; }; }
-  else
-    ac_delim="$ac_delim!$ac_delim _$ac_delim!! "
-  fi
-done
 
-ac_eof=`sed -n '/^CEOF[0-9]*$/s/CEOF/0/p' conf$$subs.sed`
-if test -n "$ac_eof"; then
-  ac_eof=`echo "$ac_eof" | sort -nru | sed 1q`
-  ac_eof=`expr $ac_eof + 1`
+ac_cr='
'
+ac_cs_awk_cr=`$AWK 'BEGIN { print "a\rb" }' </dev/null 2>/dev/null`
+if test "$ac_cs_awk_cr" = "a${ac_cr}b"; then
+  ac_cs_awk_cr='\\r'
+else
+  ac_cs_awk_cr=$ac_cr
 fi
 
-cat >>$CONFIG_STATUS <<_ACEOF
-cat >"\$tmp/subs-1.sed" <<\CEOF$ac_eof
-/@[a-zA-Z_][a-zA-Z_0-9]*@/!b
-_ACEOF
-sed '
-s/[,\\&]/\\&/g; s/@/@|#_!!_#|/g
-s/^/s,@/; s/!/@,|#_!!_#|/
-:n
-t n
-s/'"$ac_delim"'$/,g/; t
-s/$/\\/; p
-N; s/^.*\n//; s/[,\\&]/\\&/g; s/@/@|#_!!_#|/g; b n
-' >>$CONFIG_STATUS <conf$$subs.sed
-rm -f conf$$subs.sed
-cat >>$CONFIG_STATUS <<_ACEOF
-CEOF$ac_eof
+echo 'BEGIN {' >"$tmp/subs1.awk" &&
 _ACEOF
 
 
+{
+  echo "cat >conf$$subs.awk <<_ACEOF" &&
+  echo "$ac_subst_vars" | sed 's/.*/&!$&$ac_delim/' &&
+  echo "_ACEOF"
+} >conf$$subs.sh ||
+  { { $as_echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5
+$as_echo "$as_me: error: could not make $CONFIG_STATUS" >&2;}
+   { (exit 1); exit 1; }; }
+ac_delim_num=`echo "$ac_subst_vars" | grep -c '$'`
 ac_delim='%!_!# '
 for ac_last_try in false false false false false :; do
-  cat >conf$$subs.sed <<_ACEOF
-host!$host$ac_delim
-host_cpu!$host_cpu$ac_delim
-host_vendor!$host_vendor$ac_delim
-host_os!$host_os$ac_delim
-SED!$SED$ac_delim
-FGREP!$FGREP$ac_delim
-LD!$LD$ac_delim
-DUMPBIN!$DUMPBIN$ac_delim
-ac_ct_DUMPBIN!$ac_ct_DUMPBIN$ac_delim
-NM!$NM$ac_delim
-LN_S!$LN_S$ac_delim
-AR!$AR$ac_delim
-RANLIB!$RANLIB$ac_delim
-lt_ECHO!$lt_ECHO$ac_delim
-DSYMUTIL!$DSYMUTIL$ac_delim
-NMEDIT!$NMEDIT$ac_delim
-LIPO!$LIPO$ac_delim
-OTOOL!$OTOOL$ac_delim
-OTOOL64!$OTOOL64$ac_delim
-LEX!$LEX$ac_delim
-LEX_OUTPUT_ROOT!$LEX_OUTPUT_ROOT$ac_delim
-LEXLIB!$LEXLIB$ac_delim
-YACC!$YACC$ac_delim
-YFLAGS!$YFLAGS$ac_delim
-GPERF!$GPERF$ac_delim
-PERL!$PERL$ac_delim
-xml_CFLAGS!$xml_CFLAGS$ac_delim
-xml_LIBS!$xml_LIBS$ac_delim
-gtk_CFLAGS!$gtk_CFLAGS$ac_delim
-gtk_LIBS!$gtk_LIBS$ac_delim
-nm_CFLAGS!$nm_CFLAGS$ac_delim
-nm_LIBS!$nm_LIBS$ac_delim
-libstrongswan_plugins!$libstrongswan_plugins$ac_delim
-USE_CURL_TRUE!$USE_CURL_TRUE$ac_delim
-USE_CURL_FALSE!$USE_CURL_FALSE$ac_delim
-USE_LDAP_TRUE!$USE_LDAP_TRUE$ac_delim
-USE_LDAP_FALSE!$USE_LDAP_FALSE$ac_delim
-USE_AES_TRUE!$USE_AES_TRUE$ac_delim
-USE_AES_FALSE!$USE_AES_FALSE$ac_delim
-USE_DES_TRUE!$USE_DES_TRUE$ac_delim
-USE_DES_FALSE!$USE_DES_FALSE$ac_delim
-USE_MD4_TRUE!$USE_MD4_TRUE$ac_delim
-USE_MD4_FALSE!$USE_MD4_FALSE$ac_delim
-USE_MD5_TRUE!$USE_MD5_TRUE$ac_delim
-USE_MD5_FALSE!$USE_MD5_FALSE$ac_delim
-USE_SHA1_TRUE!$USE_SHA1_TRUE$ac_delim
-USE_SHA1_FALSE!$USE_SHA1_FALSE$ac_delim
-USE_SHA2_TRUE!$USE_SHA2_TRUE$ac_delim
-USE_SHA2_FALSE!$USE_SHA2_FALSE$ac_delim
-USE_FIPS_PRF_TRUE!$USE_FIPS_PRF_TRUE$ac_delim
-USE_FIPS_PRF_FALSE!$USE_FIPS_PRF_FALSE$ac_delim
-USE_GMP_TRUE!$USE_GMP_TRUE$ac_delim
-USE_GMP_FALSE!$USE_GMP_FALSE$ac_delim
-USE_RANDOM_TRUE!$USE_RANDOM_TRUE$ac_delim
-USE_RANDOM_FALSE!$USE_RANDOM_FALSE$ac_delim
-USE_X509_TRUE!$USE_X509_TRUE$ac_delim
-USE_X509_FALSE!$USE_X509_FALSE$ac_delim
-USE_PUBKEY_TRUE!$USE_PUBKEY_TRUE$ac_delim
-USE_PUBKEY_FALSE!$USE_PUBKEY_FALSE$ac_delim
-USE_HMAC_TRUE!$USE_HMAC_TRUE$ac_delim
-USE_HMAC_FALSE!$USE_HMAC_FALSE$ac_delim
-USE_XCBC_TRUE!$USE_XCBC_TRUE$ac_delim
-USE_XCBC_FALSE!$USE_XCBC_FALSE$ac_delim
-USE_MYSQL_TRUE!$USE_MYSQL_TRUE$ac_delim
-USE_MYSQL_FALSE!$USE_MYSQL_FALSE$ac_delim
-USE_SQLITE_TRUE!$USE_SQLITE_TRUE$ac_delim
-USE_SQLITE_FALSE!$USE_SQLITE_FALSE$ac_delim
-USE_PADLOCK_TRUE!$USE_PADLOCK_TRUE$ac_delim
-USE_PADLOCK_FALSE!$USE_PADLOCK_FALSE$ac_delim
-USE_OPENSSL_TRUE!$USE_OPENSSL_TRUE$ac_delim
-USE_OPENSSL_FALSE!$USE_OPENSSL_FALSE$ac_delim
-USE_AGENT_TRUE!$USE_AGENT_TRUE$ac_delim
-USE_AGENT_FALSE!$USE_AGENT_FALSE$ac_delim
-USE_STROKE_TRUE!$USE_STROKE_TRUE$ac_delim
-USE_STROKE_FALSE!$USE_STROKE_FALSE$ac_delim
-USE_MEDSRV_TRUE!$USE_MEDSRV_TRUE$ac_delim
-USE_MEDSRV_FALSE!$USE_MEDSRV_FALSE$ac_delim
-USE_MEDCLI_TRUE!$USE_MEDCLI_TRUE$ac_delim
-USE_MEDCLI_FALSE!$USE_MEDCLI_FALSE$ac_delim
-USE_NM_TRUE!$USE_NM_TRUE$ac_delim
-USE_NM_FALSE!$USE_NM_FALSE$ac_delim
-USE_UCI_TRUE!$USE_UCI_TRUE$ac_delim
-USE_UCI_FALSE!$USE_UCI_FALSE$ac_delim
-USE_SMP_TRUE!$USE_SMP_TRUE$ac_delim
-USE_SMP_FALSE!$USE_SMP_FALSE$ac_delim
-USE_SQL_TRUE!$USE_SQL_TRUE$ac_delim
-USE_SQL_FALSE!$USE_SQL_FALSE$ac_delim
-USE_UPDOWN_TRUE!$USE_UPDOWN_TRUE$ac_delim
-USE_UPDOWN_FALSE!$USE_UPDOWN_FALSE$ac_delim
-USE_UNIT_TESTS_TRUE!$USE_UNIT_TESTS_TRUE$ac_delim
-USE_UNIT_TESTS_FALSE!$USE_UNIT_TESTS_FALSE$ac_delim
-USE_LOAD_TESTS_TRUE!$USE_LOAD_TESTS_TRUE$ac_delim
-USE_LOAD_TESTS_FALSE!$USE_LOAD_TESTS_FALSE$ac_delim
-USE_EAP_SIM_TRUE!$USE_EAP_SIM_TRUE$ac_delim
-USE_EAP_SIM_FALSE!$USE_EAP_SIM_FALSE$ac_delim
-USE_EAP_SIM_FILE_TRUE!$USE_EAP_SIM_FILE_TRUE$ac_delim
-USE_EAP_SIM_FILE_FALSE!$USE_EAP_SIM_FILE_FALSE$ac_delim
-_ACEOF
-
-  if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 97; then
+  . ./conf$$subs.sh ||
+    { { $as_echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5
+$as_echo "$as_me: error: could not make $CONFIG_STATUS" >&2;}
+   { (exit 1); exit 1; }; }
+
+  ac_delim_n=`sed -n "s/.*$ac_delim\$/X/p" conf$$subs.awk | grep -c X`
+  if test $ac_delim_n = $ac_delim_num; then
     break
   elif $ac_last_try; then
-    { { echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5
-echo "$as_me: error: could not make $CONFIG_STATUS" >&2;}
+    { { $as_echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5
+$as_echo "$as_me: error: could not make $CONFIG_STATUS" >&2;}
    { (exit 1); exit 1; }; }
   else
     ac_delim="$ac_delim!$ac_delim _$ac_delim!! "
   fi
 done
+rm -f conf$$subs.sh
 
-ac_eof=`sed -n '/^CEOF[0-9]*$/s/CEOF/0/p' conf$$subs.sed`
-if test -n "$ac_eof"; then
-  ac_eof=`echo "$ac_eof" | sort -nru | sed 1q`
-  ac_eof=`expr $ac_eof + 1`
-fi
-
-cat >>$CONFIG_STATUS <<_ACEOF
-cat >"\$tmp/subs-2.sed" <<\CEOF$ac_eof
-/@[a-zA-Z_][a-zA-Z_0-9]*@/!b
+cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
+cat >>"\$tmp/subs1.awk" <<\\_ACAWK &&
 _ACEOF
-sed '
-s/[,\\&]/\\&/g; s/@/@|#_!!_#|/g
-s/^/s,@/; s/!/@,|#_!!_#|/
-:n
-t n
-s/'"$ac_delim"'$/,g/; t
-s/$/\\/; p
-N; s/^.*\n//; s/[,\\&]/\\&/g; s/@/@|#_!!_#|/g; b n
-' >>$CONFIG_STATUS <conf$$subs.sed
-rm -f conf$$subs.sed
-cat >>$CONFIG_STATUS <<_ACEOF
-CEOF$ac_eof
-_ACEOF
-
+sed -n '
+h
+s/^/S["/; s/!.*/"]=/
+p
+g
+s/^[^!]*!//
+:repl
+t repl
+s/'"$ac_delim"'$//
+t delim
+:nl
+h
+s/\(.\{148\}\).*/\1/
+t more1
+s/["\\]/\\&/g; s/^/"/; s/$/\\n"\\/
+p
+n
+b repl
+:more1
+s/["\\]/\\&/g; s/^/"/; s/$/"\\/
+p
+g
+s/.\{148\}//
+t nl
+:delim
+h
+s/\(.\{148\}\).*/\1/
+t more2
+s/["\\]/\\&/g; s/^/"/; s/$/"/
+p
+b
+:more2
+s/["\\]/\\&/g; s/^/"/; s/$/"\\/
+p
+g
+s/.\{148\}//
+t delim
+' <conf$$subs.awk | sed '
+/^[^""]/{
+  N
+  s/\n//
+}
+' >>$CONFIG_STATUS || ac_write_fail=1
+rm -f conf$$subs.awk
+cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
+_ACAWK
+cat >>"\$tmp/subs1.awk" <<_ACAWK &&
+  for (key in S) S_is_set[key] = 1
+  FS = ""
 
-ac_delim='%!_!# '
-for ac_last_try in false false false false false :; do
-  cat >conf$$subs.sed <<_ACEOF
-USE_EAP_IDENTITY_TRUE!$USE_EAP_IDENTITY_TRUE$ac_delim
-USE_EAP_IDENTITY_FALSE!$USE_EAP_IDENTITY_FALSE$ac_delim
-USE_EAP_MD5_TRUE!$USE_EAP_MD5_TRUE$ac_delim
-USE_EAP_MD5_FALSE!$USE_EAP_MD5_FALSE$ac_delim
-USE_EAP_GTC_TRUE!$USE_EAP_GTC_TRUE$ac_delim
-USE_EAP_GTC_FALSE!$USE_EAP_GTC_FALSE$ac_delim
-USE_EAP_AKA_TRUE!$USE_EAP_AKA_TRUE$ac_delim
-USE_EAP_AKA_FALSE!$USE_EAP_AKA_FALSE$ac_delim
-USE_EAP_MSCHAPV2_TRUE!$USE_EAP_MSCHAPV2_TRUE$ac_delim
-USE_EAP_MSCHAPV2_FALSE!$USE_EAP_MSCHAPV2_FALSE$ac_delim
-USE_EAP_RADIUS_TRUE!$USE_EAP_RADIUS_TRUE$ac_delim
-USE_EAP_RADIUS_FALSE!$USE_EAP_RADIUS_FALSE$ac_delim
-USE_KERNEL_NETLINK_TRUE!$USE_KERNEL_NETLINK_TRUE$ac_delim
-USE_KERNEL_NETLINK_FALSE!$USE_KERNEL_NETLINK_FALSE$ac_delim
-USE_KERNEL_PFKEY_TRUE!$USE_KERNEL_PFKEY_TRUE$ac_delim
-USE_KERNEL_PFKEY_FALSE!$USE_KERNEL_PFKEY_FALSE$ac_delim
-USE_KERNEL_KLIPS_TRUE!$USE_KERNEL_KLIPS_TRUE$ac_delim
-USE_KERNEL_KLIPS_FALSE!$USE_KERNEL_KLIPS_FALSE$ac_delim
-USE_SMARTCARD_TRUE!$USE_SMARTCARD_TRUE$ac_delim
-USE_SMARTCARD_FALSE!$USE_SMARTCARD_FALSE$ac_delim
-USE_CISCO_QUIRKS_TRUE!$USE_CISCO_QUIRKS_TRUE$ac_delim
-USE_CISCO_QUIRKS_FALSE!$USE_CISCO_QUIRKS_FALSE$ac_delim
-USE_LEAK_DETECTIVE_TRUE!$USE_LEAK_DETECTIVE_TRUE$ac_delim
-USE_LEAK_DETECTIVE_FALSE!$USE_LEAK_DETECTIVE_FALSE$ac_delim
-USE_LOCK_PROFILER_TRUE!$USE_LOCK_PROFILER_TRUE$ac_delim
-USE_LOCK_PROFILER_FALSE!$USE_LOCK_PROFILER_FALSE$ac_delim
-USE_NAT_TRANSPORT_TRUE!$USE_NAT_TRANSPORT_TRUE$ac_delim
-USE_NAT_TRANSPORT_FALSE!$USE_NAT_TRANSPORT_FALSE$ac_delim
-USE_VENDORID_TRUE!$USE_VENDORID_TRUE$ac_delim
-USE_VENDORID_FALSE!$USE_VENDORID_FALSE$ac_delim
-USE_XAUTH_VID_TRUE!$USE_XAUTH_VID_TRUE$ac_delim
-USE_XAUTH_VID_FALSE!$USE_XAUTH_VID_FALSE$ac_delim
-USE_DUMM_TRUE!$USE_DUMM_TRUE$ac_delim
-USE_DUMM_FALSE!$USE_DUMM_FALSE$ac_delim
-USE_FAST_TRUE!$USE_FAST_TRUE$ac_delim
-USE_FAST_FALSE!$USE_FAST_FALSE$ac_delim
-USE_MANAGER_TRUE!$USE_MANAGER_TRUE$ac_delim
-USE_MANAGER_FALSE!$USE_MANAGER_FALSE$ac_delim
-USE_ME_TRUE!$USE_ME_TRUE$ac_delim
-USE_ME_FALSE!$USE_ME_FALSE$ac_delim
-USE_INTEGRITY_TEST_TRUE!$USE_INTEGRITY_TEST_TRUE$ac_delim
-USE_INTEGRITY_TEST_FALSE!$USE_INTEGRITY_TEST_FALSE$ac_delim
-USE_SELF_TEST_TRUE!$USE_SELF_TEST_TRUE$ac_delim
-USE_SELF_TEST_FALSE!$USE_SELF_TEST_FALSE$ac_delim
-USE_CAPABILITIES_TRUE!$USE_CAPABILITIES_TRUE$ac_delim
-USE_CAPABILITIES_FALSE!$USE_CAPABILITIES_FALSE$ac_delim
-USE_PLUTO_TRUE!$USE_PLUTO_TRUE$ac_delim
-USE_PLUTO_FALSE!$USE_PLUTO_FALSE$ac_delim
-USE_THREADS_TRUE!$USE_THREADS_TRUE$ac_delim
-USE_THREADS_FALSE!$USE_THREADS_FALSE$ac_delim
-USE_CHARON_TRUE!$USE_CHARON_TRUE$ac_delim
-USE_CHARON_FALSE!$USE_CHARON_FALSE$ac_delim
-USE_TOOLS_TRUE!$USE_TOOLS_TRUE$ac_delim
-USE_TOOLS_FALSE!$USE_TOOLS_FALSE$ac_delim
-USE_LIBSTRONGSWAN_TRUE!$USE_LIBSTRONGSWAN_TRUE$ac_delim
-USE_LIBSTRONGSWAN_FALSE!$USE_LIBSTRONGSWAN_FALSE$ac_delim
-USE_FILE_CONFIG_TRUE!$USE_FILE_CONFIG_TRUE$ac_delim
-USE_FILE_CONFIG_FALSE!$USE_FILE_CONFIG_FALSE$ac_delim
-USE_VSTR_TRUE!$USE_VSTR_TRUE$ac_delim
-USE_VSTR_FALSE!$USE_VSTR_FALSE$ac_delim
-LIBOBJS!$LIBOBJS$ac_delim
-LTLIBOBJS!$LTLIBOBJS$ac_delim
-_ACEOF
-
-  if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 62; then
-    break
-  elif $ac_last_try; then
-    { { echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5
-echo "$as_me: error: could not make $CONFIG_STATUS" >&2;}
-   { (exit 1); exit 1; }; }
-  else
-    ac_delim="$ac_delim!$ac_delim _$ac_delim!! "
-  fi
-done
+}
+{
+  line = $ 0
+  nfields = split(line, field, "@")
+  substed = 0
+  len = length(field[1])
+  for (i = 2; i < nfields; i++) {
+    key = field[i]
+    keylen = length(key)
+    if (S_is_set[key]) {
+      value = S[key]
+      line = substr(line, 1, len) "" value "" substr(line, len + keylen + 3)
+      len += length(value) + length(field[++i])
+      substed = 1
+    } else
+      len += 1 + keylen
+  }
 
-ac_eof=`sed -n '/^CEOF[0-9]*$/s/CEOF/0/p' conf$$subs.sed`
-if test -n "$ac_eof"; then
-  ac_eof=`echo "$ac_eof" | sort -nru | sed 1q`
-  ac_eof=`expr $ac_eof + 1`
-fi
+  print line
+}
 
-cat >>$CONFIG_STATUS <<_ACEOF
-cat >"\$tmp/subs-3.sed" <<\CEOF$ac_eof
-/@[a-zA-Z_][a-zA-Z_0-9]*@/!b end
+_ACAWK
 _ACEOF
-sed '
-s/[,\\&]/\\&/g; s/@/@|#_!!_#|/g
-s/^/s,@/; s/!/@,|#_!!_#|/
-:n
-t n
-s/'"$ac_delim"'$/,g/; t
-s/$/\\/; p
-N; s/^.*\n//; s/[,\\&]/\\&/g; s/@/@|#_!!_#|/g; b n
-' >>$CONFIG_STATUS <conf$$subs.sed
-rm -f conf$$subs.sed
-cat >>$CONFIG_STATUS <<_ACEOF
-:end
-s/|#_!!_#|//g
-CEOF$ac_eof
+cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
+if sed "s/$ac_cr//" < /dev/null > /dev/null 2>&1; then
+  sed "s/$ac_cr\$//; s/$ac_cr/$ac_cs_awk_cr/g"
+else
+  cat
+fi < "$tmp/subs1.awk" > "$tmp/subs.awk" \
+  || { { $as_echo "$as_me:$LINENO: error: could not setup config files machinery" >&5
+$as_echo "$as_me: error: could not setup config files machinery" >&2;}
+   { (exit 1); exit 1; }; }
 _ACEOF
 
-
 # VPATH may cause trouble with some makes, so we remove $(srcdir),
 # ${srcdir} and @srcdir@ from VPATH if srcdir is ".", strip leading and
 # trailing colons and then remove the whole line if VPATH becomes empty
@@ -19117,19 +20114,21 @@ s/^[^=]*=[	 ]*$//
 }'
 fi
 
-cat >>$CONFIG_STATUS <<\_ACEOF
+cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 fi # test -n "$CONFIG_FILES"
 
 
-for ac_tag in  :F $CONFIG_FILES      :C $CONFIG_COMMANDS
+eval set X "  :F $CONFIG_FILES      :C $CONFIG_COMMANDS"
+shift
+for ac_tag
 do
   case $ac_tag in
   :[FHLC]) ac_mode=$ac_tag; continue;;
   esac
   case $ac_mode$ac_tag in
   :[FHL]*:*);;
-  :L* | :C*:*) { { echo "$as_me:$LINENO: error: Invalid tag $ac_tag." >&5
-echo "$as_me: error: Invalid tag $ac_tag." >&2;}
+  :L* | :C*:*) { { $as_echo "$as_me:$LINENO: error: invalid tag $ac_tag" >&5
+$as_echo "$as_me: error: invalid tag $ac_tag" >&2;}
    { (exit 1); exit 1; }; };;
   :[FH]-) ac_tag=-:-;;
   :[FH]*) ac_tag=$ac_tag:$ac_tag.in;;
@@ -19158,26 +20157,38 @@ echo "$as_me: error: Invalid tag $ac_tag." >&2;}
 	   [\\/$]*) false;;
 	   *) test -f "$srcdir/$ac_f" && ac_f="$srcdir/$ac_f";;
 	   esac ||
-	   { { echo "$as_me:$LINENO: error: cannot find input file: $ac_f" >&5
-echo "$as_me: error: cannot find input file: $ac_f" >&2;}
+	   { { $as_echo "$as_me:$LINENO: error: cannot find input file: $ac_f" >&5
+$as_echo "$as_me: error: cannot find input file: $ac_f" >&2;}
    { (exit 1); exit 1; }; };;
       esac
-      ac_file_inputs="$ac_file_inputs $ac_f"
+      case $ac_f in *\'*) ac_f=`$as_echo "$ac_f" | sed "s/'/'\\\\\\\\''/g"`;; esac
+      ac_file_inputs="$ac_file_inputs '$ac_f'"
     done
 
     # Let's still pretend it is `configure' which instantiates (i.e., don't
     # use $as_me), people would be surprised to read:
     #    /* config.h.  Generated by config.status.  */
-    configure_input="Generated from "`IFS=:
-	  echo $* | sed 's|^[^:]*/||;s|:[^:]*/|, |g'`" by configure."
+    configure_input='Generated from '`
+	  $as_echo "$*" | sed 's|^[^:]*/||;s|:[^:]*/|, |g'
+	`' by configure.'
     if test x"$ac_file" != x-; then
       configure_input="$ac_file.  $configure_input"
-      { echo "$as_me:$LINENO: creating $ac_file" >&5
-echo "$as_me: creating $ac_file" >&6;}
+      { $as_echo "$as_me:$LINENO: creating $ac_file" >&5
+$as_echo "$as_me: creating $ac_file" >&6;}
     fi
+    # Neutralize special characters interpreted by sed in replacement strings.
+    case $configure_input in #(
+    *\&* | *\|* | *\\* )
+       ac_sed_conf_input=`$as_echo "$configure_input" |
+       sed 's/[\\\\&|]/\\\\&/g'`;; #(
+    *) ac_sed_conf_input=$configure_input;;
+    esac
 
     case $ac_tag in
-    *:-:* | *:-) cat >"$tmp/stdin";;
+    *:-:* | *:-) cat >"$tmp/stdin" \
+      || { { $as_echo "$as_me:$LINENO: error: could not create $ac_file" >&5
+$as_echo "$as_me: error: could not create $ac_file" >&2;}
+   { (exit 1); exit 1; }; } ;;
     esac
     ;;
   esac
@@ -19187,7 +20198,7 @@ $as_expr X"$ac_file" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
 	 X"$ac_file" : 'X\(//\)[^/]' \| \
 	 X"$ac_file" : 'X\(//\)$' \| \
 	 X"$ac_file" : 'X\(/\)' \| . 2>/dev/null ||
-echo X"$ac_file" |
+$as_echo X"$ac_file" |
     sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
 	    s//\1/
 	    q
@@ -19213,7 +20224,7 @@ echo X"$ac_file" |
     as_dirs=
     while :; do
       case $as_dir in #(
-      *\'*) as_qdir=`echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #(
+      *\'*) as_qdir=`$as_echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #'(
       *) as_qdir=$as_dir;;
       esac
       as_dirs="'$as_qdir' $as_dirs"
@@ -19222,7 +20233,7 @@ $as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
 	 X"$as_dir" : 'X\(//\)[^/]' \| \
 	 X"$as_dir" : 'X\(//\)$' \| \
 	 X"$as_dir" : 'X\(/\)' \| . 2>/dev/null ||
-echo X"$as_dir" |
+$as_echo X"$as_dir" |
     sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
 	    s//\1/
 	    q
@@ -19243,17 +20254,17 @@ echo X"$as_dir" |
       test -d "$as_dir" && break
     done
     test -z "$as_dirs" || eval "mkdir $as_dirs"
-  } || test -d "$as_dir" || { { echo "$as_me:$LINENO: error: cannot create directory $as_dir" >&5
-echo "$as_me: error: cannot create directory $as_dir" >&2;}
+  } || test -d "$as_dir" || { { $as_echo "$as_me:$LINENO: error: cannot create directory $as_dir" >&5
+$as_echo "$as_me: error: cannot create directory $as_dir" >&2;}
    { (exit 1); exit 1; }; }; }
   ac_builddir=.
 
 case "$ac_dir" in
 .) ac_dir_suffix= ac_top_builddir_sub=. ac_top_build_prefix= ;;
 *)
-  ac_dir_suffix=/`echo "$ac_dir" | sed 's,^\.[\\/],,'`
+  ac_dir_suffix=/`$as_echo "$ac_dir" | sed 's|^\.[\\/]||'`
   # A ".." for each directory in $ac_dir_suffix.
-  ac_top_builddir_sub=`echo "$ac_dir_suffix" | sed 's,/[^\\/]*,/..,g;s,/,,'`
+  ac_top_builddir_sub=`$as_echo "$ac_dir_suffix" | sed 's|/[^\\/]*|/..|g;s|/||'`
   case $ac_top_builddir_sub in
   "") ac_top_builddir_sub=. ac_top_build_prefix= ;;
   *)  ac_top_build_prefix=$ac_top_builddir_sub/ ;;
@@ -19298,12 +20309,13 @@ ac_abs_srcdir=$ac_abs_top_srcdir$ac_dir_suffix
   esac
 _ACEOF
 
-cat >>$CONFIG_STATUS <<\_ACEOF
+cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # If the template does not know about datarootdir, expand it.
 # FIXME: This hack should be removed a few years after 2.60.
 ac_datarootdir_hack=; ac_datarootdir_seen=
 
-case `sed -n '/datarootdir/ {
+ac_sed_dataroot='
+/datarootdir/ {
   p
   q
 }
@@ -19312,13 +20324,14 @@ case `sed -n '/datarootdir/ {
 /@infodir@/p
 /@localedir@/p
 /@mandir@/p
-' $ac_file_inputs` in
+'
+case `eval "sed -n \"\$ac_sed_dataroot\" $ac_file_inputs"` in
 *datarootdir*) ac_datarootdir_seen=yes;;
 *@datadir@*|*@docdir@*|*@infodir@*|*@localedir@*|*@mandir@*)
-  { echo "$as_me:$LINENO: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&5
-echo "$as_me: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&2;}
+  { $as_echo "$as_me:$LINENO: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&5
+$as_echo "$as_me: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&2;}
 _ACEOF
-cat >>$CONFIG_STATUS <<_ACEOF
+cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
   ac_datarootdir_hack='
   s&@datadir@&$datadir&g
   s&@docdir@&$docdir&g
@@ -19332,15 +20345,16 @@ _ACEOF
 # Neutralize VPATH when `$srcdir' = `.'.
 # Shell code in configure.ac might set extrasub.
 # FIXME: do we really want to maintain this feature?
-cat >>$CONFIG_STATUS <<_ACEOF
-  sed "$ac_vpsub
+cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
+ac_sed_extra="$ac_vpsub
 $extrasub
 _ACEOF
-cat >>$CONFIG_STATUS <<\_ACEOF
+cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 :t
 /@[a-zA-Z_][a-zA-Z_0-9]*@/!b
-s&@configure_input@&$configure_input&;t t
+s|@configure_input@|$ac_sed_conf_input|;t t
 s&@top_builddir@&$ac_top_builddir_sub&;t t
+s&@top_build_prefix@&$ac_top_build_prefix&;t t
 s&@srcdir@&$ac_srcdir&;t t
 s&@abs_srcdir@&$ac_abs_srcdir&;t t
 s&@top_srcdir@&$ac_top_srcdir&;t t
@@ -19351,48 +20365,65 @@ s&@abs_top_builddir@&$ac_abs_top_builddir&;t t
 s&@INSTALL@&$ac_INSTALL&;t t
 s&@MKDIR_P@&$ac_MKDIR_P&;t t
 $ac_datarootdir_hack
-" $ac_file_inputs | sed -f "$tmp/subs-1.sed" | sed -f "$tmp/subs-2.sed" | sed -f "$tmp/subs-3.sed" >$tmp/out
+"
+eval sed \"\$ac_sed_extra\" "$ac_file_inputs" | $AWK -f "$tmp/subs.awk" >$tmp/out \
+  || { { $as_echo "$as_me:$LINENO: error: could not create $ac_file" >&5
+$as_echo "$as_me: error: could not create $ac_file" >&2;}
+   { (exit 1); exit 1; }; }
 
 test -z "$ac_datarootdir_hack$ac_datarootdir_seen" &&
   { ac_out=`sed -n '/\${datarootdir}/p' "$tmp/out"`; test -n "$ac_out"; } &&
   { ac_out=`sed -n '/^[	 ]*datarootdir[	 ]*:*=/p' "$tmp/out"`; test -z "$ac_out"; } &&
-  { echo "$as_me:$LINENO: WARNING: $ac_file contains a reference to the variable \`datarootdir'
+  { $as_echo "$as_me:$LINENO: WARNING: $ac_file contains a reference to the variable \`datarootdir'
 which seems to be undefined.  Please make sure it is defined." >&5
-echo "$as_me: WARNING: $ac_file contains a reference to the variable \`datarootdir'
+$as_echo "$as_me: WARNING: $ac_file contains a reference to the variable \`datarootdir'
 which seems to be undefined.  Please make sure it is defined." >&2;}
 
   rm -f "$tmp/stdin"
   case $ac_file in
-  -) cat "$tmp/out"; rm -f "$tmp/out";;
-  *) rm -f "$ac_file"; mv "$tmp/out" $ac_file;;
-  esac
+  -) cat "$tmp/out" && rm -f "$tmp/out";;
+  *) rm -f "$ac_file" && mv "$tmp/out" "$ac_file";;
+  esac \
+  || { { $as_echo "$as_me:$LINENO: error: could not create $ac_file" >&5
+$as_echo "$as_me: error: could not create $ac_file" >&2;}
+   { (exit 1); exit 1; }; }
  ;;
 
 
-  :C)  { echo "$as_me:$LINENO: executing $ac_file commands" >&5
-echo "$as_me: executing $ac_file commands" >&6;}
+  :C)  { $as_echo "$as_me:$LINENO: executing $ac_file commands" >&5
+$as_echo "$as_me: executing $ac_file commands" >&6;}
  ;;
   esac
 
 
   case $ac_file$ac_mode in
-    "depfiles":C) test x"$AMDEP_TRUE" != x"" || for mf in $CONFIG_FILES; do
-  # Strip MF so we end up with the name of the file.
-  mf=`echo "$mf" | sed -e 's/:.*$//'`
-  # Check whether this is an Automake generated Makefile or not.
-  # We used to match only the files named `Makefile.in', but
-  # some people rename them; so instead we look at the file content.
-  # Grep'ing the first line is not enough: some people post-process
-  # each Makefile.in and add a new line on top of each file to say so.
-  # Grep'ing the whole file is not good either: AIX grep has a line
-  # limit of 2048, but all sed's we know have understand at least 4000.
-  if sed -n 's,^#.*generated by automake.*,X,p' "$mf" | grep X >/dev/null 2>&1; then
-    dirpart=`$as_dirname -- "$mf" ||
+    "depfiles":C) test x"$AMDEP_TRUE" != x"" || {
+  # Autoconf 2.62 quotes --file arguments for eval, but not when files
+  # are listed without --file.  Let's play safe and only enable the eval
+  # if we detect the quoting.
+  case $CONFIG_FILES in
+  *\'*) eval set x "$CONFIG_FILES" ;;
+  *)   set x $CONFIG_FILES ;;
+  esac
+  shift
+  for mf
+  do
+    # Strip MF so we end up with the name of the file.
+    mf=`echo "$mf" | sed -e 's/:.*$//'`
+    # Check whether this is an Automake generated Makefile or not.
+    # We used to match only the files named `Makefile.in', but
+    # some people rename them; so instead we look at the file content.
+    # Grep'ing the first line is not enough: some people post-process
+    # each Makefile.in and add a new line on top of each file to say so.
+    # Grep'ing the whole file is not good either: AIX grep has a line
+    # limit of 2048, but all sed's we know have understand at least 4000.
+    if sed -n 's,^#.*generated by automake.*,X,p' "$mf" | grep X >/dev/null 2>&1; then
+      dirpart=`$as_dirname -- "$mf" ||
 $as_expr X"$mf" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
 	 X"$mf" : 'X\(//\)[^/]' \| \
 	 X"$mf" : 'X\(//\)$' \| \
 	 X"$mf" : 'X\(/\)' \| . 2>/dev/null ||
-echo X"$mf" |
+$as_echo X"$mf" |
     sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
 	    s//\1/
 	    q
@@ -19410,33 +20441,33 @@ echo X"$mf" |
 	    q
 	  }
 	  s/.*/./; q'`
-  else
-    continue
-  fi
-  # Extract the definition of DEPDIR, am__include, and am__quote
-  # from the Makefile without running `make'.
-  DEPDIR=`sed -n 's/^DEPDIR = //p' < "$mf"`
-  test -z "$DEPDIR" && continue
-  am__include=`sed -n 's/^am__include = //p' < "$mf"`
-  test -z "am__include" && continue
-  am__quote=`sed -n 's/^am__quote = //p' < "$mf"`
-  # When using ansi2knr, U may be empty or an underscore; expand it
-  U=`sed -n 's/^U = //p' < "$mf"`
-  # Find all dependency output files, they are included files with
-  # $(DEPDIR) in their names.  We invoke sed twice because it is the
-  # simplest approach to changing $(DEPDIR) to its actual value in the
-  # expansion.
-  for file in `sed -n "
-    s/^$am__include $am__quote\(.*(DEPDIR).*\)$am__quote"'$/\1/p' <"$mf" | \
-       sed -e 's/\$(DEPDIR)/'"$DEPDIR"'/g' -e 's/\$U/'"$U"'/g'`; do
-    # Make sure the directory exists.
-    test -f "$dirpart/$file" && continue
-    fdir=`$as_dirname -- "$file" ||
+    else
+      continue
+    fi
+    # Extract the definition of DEPDIR, am__include, and am__quote
+    # from the Makefile without running `make'.
+    DEPDIR=`sed -n 's/^DEPDIR = //p' < "$mf"`
+    test -z "$DEPDIR" && continue
+    am__include=`sed -n 's/^am__include = //p' < "$mf"`
+    test -z "am__include" && continue
+    am__quote=`sed -n 's/^am__quote = //p' < "$mf"`
+    # When using ansi2knr, U may be empty or an underscore; expand it
+    U=`sed -n 's/^U = //p' < "$mf"`
+    # Find all dependency output files, they are included files with
+    # $(DEPDIR) in their names.  We invoke sed twice because it is the
+    # simplest approach to changing $(DEPDIR) to its actual value in the
+    # expansion.
+    for file in `sed -n "
+      s/^$am__include $am__quote\(.*(DEPDIR).*\)$am__quote"'$/\1/p' <"$mf" | \
+	 sed -e 's/\$(DEPDIR)/'"$DEPDIR"'/g' -e 's/\$U/'"$U"'/g'`; do
+      # Make sure the directory exists.
+      test -f "$dirpart/$file" && continue
+      fdir=`$as_dirname -- "$file" ||
 $as_expr X"$file" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
 	 X"$file" : 'X\(//\)[^/]' \| \
 	 X"$file" : 'X\(//\)$' \| \
 	 X"$file" : 'X\(/\)' \| . 2>/dev/null ||
-echo X"$file" |
+$as_echo X"$file" |
     sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
 	    s//\1/
 	    q
@@ -19454,7 +20485,7 @@ echo X"$file" |
 	    q
 	  }
 	  s/.*/./; q'`
-    { as_dir=$dirpart/$fdir
+      { as_dir=$dirpart/$fdir
   case $as_dir in #(
   -*) as_dir=./$as_dir;;
   esac
@@ -19462,7 +20493,7 @@ echo X"$file" |
     as_dirs=
     while :; do
       case $as_dir in #(
-      *\'*) as_qdir=`echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #(
+      *\'*) as_qdir=`$as_echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #'(
       *) as_qdir=$as_dir;;
       esac
       as_dirs="'$as_qdir' $as_dirs"
@@ -19471,7 +20502,7 @@ $as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
 	 X"$as_dir" : 'X\(//\)[^/]' \| \
 	 X"$as_dir" : 'X\(//\)$' \| \
 	 X"$as_dir" : 'X\(/\)' \| . 2>/dev/null ||
-echo X"$as_dir" |
+$as_echo X"$as_dir" |
     sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
 	    s//\1/
 	    q
@@ -19492,13 +20523,14 @@ echo X"$as_dir" |
       test -d "$as_dir" && break
     done
     test -z "$as_dirs" || eval "mkdir $as_dirs"
-  } || test -d "$as_dir" || { { echo "$as_me:$LINENO: error: cannot create directory $as_dir" >&5
-echo "$as_me: error: cannot create directory $as_dir" >&2;}
+  } || test -d "$as_dir" || { { $as_echo "$as_me:$LINENO: error: cannot create directory $as_dir" >&5
+$as_echo "$as_me: error: cannot create directory $as_dir" >&2;}
    { (exit 1); exit 1; }; }; }
-    # echo "creating $dirpart/$file"
-    echo '# dummy' > "$dirpart/$file"
+      # echo "creating $dirpart/$file"
+      echo '# dummy' > "$dirpart/$file"
+    done
   done
-done
+}
  ;;
     "libtool":C)
 
@@ -19622,6 +20654,9 @@ NL2SP=$lt_lt_NL2SP
 reload_flag=$lt_reload_flag
 reload_cmds=$lt_reload_cmds
 
+# An object symbol dumper.
+OBJDUMP=$lt_OBJDUMP
+
 # Method to check whether dependent libraries are shared objects.
 deplibs_check_method=$lt_deplibs_check_method
 
@@ -20142,6 +21177,11 @@ _ACEOF
 chmod +x $CONFIG_STATUS
 ac_clean_files=$ac_clean_files_save
 
+test $ac_write_fail = 0 ||
+  { { $as_echo "$as_me:$LINENO: error: write failure creating $CONFIG_STATUS" >&5
+$as_echo "$as_me: error: write failure creating $CONFIG_STATUS" >&2;}
+   { (exit 1); exit 1; }; }
+
 
 # configure is writing to config.log, and then calls config.status.
 # config.status does its own redirection, appending to config.log.
@@ -20163,4 +21203,8 @@ if test "$no_create" != yes; then
   # would make configure fail if this is the last instruction.
   $ac_cs_success || { (exit 1); exit 1; }
 fi
+if test -n "$ac_unrecognized_opts" && test "$enable_option_checking" != no; then
+  { $as_echo "$as_me:$LINENO: WARNING: unrecognized options: $ac_unrecognized_opts" >&5
+$as_echo "$as_me: WARNING: unrecognized options: $ac_unrecognized_opts" >&2;}
+fi
 
diff --git a/configure.in b/configure.in
index e5b3f76e2..e97e69139 100644
--- a/configure.in
+++ b/configure.in
@@ -16,10 +16,8 @@ dnl ===========================
 dnl  initialize & set some vars
 dnl ===========================
 
-AC_INIT(strongSwan,4.2.14)
+AC_INIT(strongSwan,4.3.2)
 AM_INIT_AUTOMAKE(tar-ustar)
-AC_CONFIG_MACRO_DIR([m4])
-AC_C_BIGENDIAN
 AC_SUBST(confdir, '${sysconfdir}')
 PKG_PROG_PKG_CONFIG
 
@@ -48,7 +46,7 @@ AC_ARG_WITH(
 )
 AC_ARG_WITH(
 	[resolv-conf],
-	AS_HELP_STRING([--with-resolv-conf=file],[set the file to store DNS server information other than "sysconfdir/resolv.conf"]),
+	AS_HELP_STRING([--with-resolv-conf=file],[set the file to use in DNS handler plugin other than "sysconfdir/resolv.conf"]),
 	[AC_SUBST(resolv_conf, "$withval")],
 	[AC_SUBST(resolv_conf, "${sysconfdir}/resolv.conf")]
 )
@@ -185,6 +183,14 @@ AC_ARG_ENABLE(
 	des=true
 )
 
+AC_ARG_ENABLE(
+	[blowfish],
+	AS_HELP_STRING([--enable-blowfish],[enable Blowfish software implementation plugin (default is NO).]),
+	[if test x$enableval = xyes; then
+		blowfish=true
+	fi]
+)
+
 AC_ARG_ENABLE(
 	[md4],
 	AS_HELP_STRING([--enable-md4],[enable MD4 software implementation plugin (default is NO).]),
@@ -303,6 +309,14 @@ AC_ARG_ENABLE(
 	xcbc=true
 )
 
+AC_ARG_ENABLE(
+	[test-vectors],
+	AS_HELP_STRING([--enable-test-vectors],[enable plugin providing crypto test vectors (default is NO).]),
+	[if test x$enableval = xyes; then
+		test_vectors=true
+	fi]
+)
+
 AC_ARG_ENABLE(
 	[mysql],
 	AS_HELP_STRING([--enable-mysql],[enable MySQL database support (default is NO). Requires libmysqlclient_r.]),
@@ -493,6 +507,14 @@ AC_ARG_ENABLE(
 	fi]
 )
 
+AC_ARG_ENABLE(
+	[kernel-pfroute],
+	AS_HELP_STRING([--enable-kernel-pfroute],[enable the PF_ROUTE kernel interface. (default is NO).]),
+	[if test x$enableval = xyes; then
+		kernel_pfroute=true
+	fi]
+)
+
 AC_ARG_ENABLE(
 	[kernel-klips],
 	AS_HELP_STRING([--enable-kernel-klips],[enable the KLIPS kernel interface. (default is NO).]),
@@ -572,17 +594,6 @@ AC_ARG_ENABLE(
 	fi]
 )
 
-AC_ARG_ENABLE(
-	[self-test],
-	AS_HELP_STRING([--disable-self-test],[disable the self-test of the crypto library (default is NO).]),
-	[if test x$enableval = xyes; then
-		self_test=true
-	 else
-		self_test=false
-	fi],
-	self_test=true
-)
-
 AC_ARG_ENABLE(
 	[pluto],
 	AS_HELP_STRING([--disable-pluto],[disable the IKEv1 keying daemon pluto. (default is NO).]),
@@ -638,6 +649,28 @@ AC_ARG_ENABLE(
 	updown=true
 )
 
+AC_ARG_ENABLE(
+	[attr],
+	AS_HELP_STRING([--disable-attr],[disable strongswan.conf based configuration attribute plugin. (default is NO).]),
+	[if test x$enableval = xyes; then
+		attr=true
+	 else
+		attr=false
+	fi],
+	attr=true
+)
+
+AC_ARG_ENABLE(
+	[resolv-conf],
+	AS_HELP_STRING([--disable-resolv-conf],[disable resolv.conf DNS handler plugin. (default is NO).]),
+	[if test x$enableval = xyes; then
+		resolvconf=true
+	 else
+		resolvconf=false
+	fi],
+	resolvconf=true
+)
+
 AC_ARG_ENABLE(
 	[padlock],
 	AS_HELP_STRING([--enable-padlock],[enables VIA Padlock crypto plugin. (default is NO).]),
@@ -658,6 +691,16 @@ AC_ARG_ENABLE(
 	fi],
 )
 
+AC_ARG_ENABLE(
+	[gcrypt],
+	AS_HELP_STRING([--enable-gcrypt],[enables the libgcrypt plugin. (default is NO).]),
+	[if test x$enableval = xyes; then
+		gcrypt=true
+	 else
+		gcrypt=false
+	fi],
+)
+
 AC_ARG_ENABLE(
 	[agent],
 	AS_HELP_STRING([--enable-agent],[enables the ssh-agent signing plugin. (default is NO).]),
@@ -684,6 +727,24 @@ AC_ARG_ENABLE(
 	fi]
 )
 
+AC_ARG_ENABLE(
+	[vstr],
+	AS_HELP_STRING([--enable-vstr],[enforce using the Vstr string library to replace glibc-like printf hooks (default is NO).]),
+	[if test x$enableval = xyes; then
+	 	vstr=true
+	fi]
+)
+
+dnl =========================
+dnl  set up compiler and flags
+dnl =========================
+
+if test -z "$CFLAGS"; then
+	AC_SUBST(CFLAGS, "-g -O2 -Wall -Wno-format -Wno-pointer-sign -Wno-strict-aliasing")
+fi
+AC_PROG_CC
+AC_C_BIGENDIAN
+
 dnl =========================
 dnl  check required programs
 dnl =========================
@@ -692,7 +753,6 @@ AC_PROG_INSTALL
 AC_PROG_LIBTOOL
 AC_PROG_LEX
 AC_PROG_YACC
-AC_PROG_CC()
 AC_PATH_PROG([GPERF], [gperf], [], [$PATH:/bin:/usr/bin:/usr/local/bin])
 AC_PATH_PROG([PERL], [perl], [], [$PATH:/bin:/usr/bin:/usr/local/bin])
 
@@ -700,8 +760,18 @@ dnl =========================
 dnl  dependency calculation
 dnl =========================
 
-if test x$pluto = xtrue; then
+if test x$eap_aka = xtrue; then
 	gmp=true;
+	fips_prf=true;
+	sha1=true;
+fi
+
+if test x$eap_sim = xtrue; then
+	fips_prf=true;
+fi
+
+if test x$fips_prf = xtrue; then
+	sha1=true;
 fi
 
 if test x$tools = xtrue; then
@@ -725,13 +795,84 @@ if test x$medcli = xtrue; then
 	me=true
 fi
 
-dnl ==========================================
+dnl ===========================================
 dnl  check required libraries and header files
-dnl ==========================================
+dnl ===========================================
+
+AC_HEADER_STDBOOL
+
+saved_LIBS=$LIBS
+LIBS=""
+AC_SEARCH_LIBS(dlopen, dl, [DLLIB=$LIBS])
+LIBS=$saved_LIBS
+AC_SUBST(DLLIB)
+
+AC_MSG_CHECKING(for dladdr)
+AC_TRY_COMPILE(
+	[#define _GNU_SOURCE
+	 #include <dlfcn.h>],
+	[Dl_info* info = 0;
+	 dladdr(0, info);],
+	[AC_MSG_RESULT([yes]); AC_DEFINE([HAVE_DLADDR])],
+	[AC_MSG_RESULT([no])]
+)
 
-AC_HAVE_LIBRARY(dl)
 AC_CHECK_FUNCS(backtrace)
-AC_CHECK_FUNCS(dladdr)
+AC_CHECK_FUNCS(prctl)
+AC_CHECK_FUNCS(gethostbyname_r)
+
+AC_CHECK_HEADERS(net/pfkeyv2.h netipsec/ipsec.h netinet6/ipsec.h)
+
+AC_CHECK_MEMBERS([struct sockaddr.sa_len], [], [],
+[
+	#include <sys/types.h>
+	#include <sys/socket.h>
+])
+
+AC_CHECK_MEMBERS([struct sadb_x_policy.sadb_x_policy_priority], [], [],
+[
+	#include <sys/types.h>
+	#ifdef HAVE_NET_PFKEYV2_H
+	#include <net/pfkeyv2.h>
+	#else
+	#include <stdint.h>
+	#include <linux/pfkeyv2.h>
+	#endif
+])
+
+AC_MSG_CHECKING([for IPSEC_MODE_BEET])
+AC_TRY_COMPILE(
+	[#include <sys/types.h>
+	#ifdef HAVE_NETIPSEC_IPSEC_H
+	#include <netipsec/ipsec.h>
+	#elif defined(HAVE_NETINET6_IPSEC_H)
+	#include <netinet6/ipsec.h>
+	#else
+	#include <stdint.h>
+	#include <linux/ipsec.h>
+	#endif],
+	[int mode = IPSEC_MODE_BEET;
+	 return mode;],
+	[AC_MSG_RESULT([yes]); AC_DEFINE([HAVE_IPSEC_MODE_BEET])],
+	[AC_MSG_RESULT([no])]
+)
+
+AC_MSG_CHECKING([for IPSEC_DIR_FWD])
+AC_TRY_COMPILE(
+	[#include <sys/types.h>
+	#ifdef HAVE_NETIPSEC_IPSEC_H
+	#include <netipsec/ipsec.h>
+	#elif defined(HAVE_NETINET6_IPSEC_H)
+	#include <netinet6/ipsec.h>
+	#else
+	#include <stdint.h>
+	#include <linux/ipsec.h>
+	#endif],
+	[int dir = IPSEC_DIR_FWD;
+	 return dir;],
+	[AC_MSG_RESULT([yes]); AC_DEFINE([HAVE_IPSEC_DIR_FWD])],
+	[AC_MSG_RESULT([no])]
+)
 
 AC_MSG_CHECKING([for gcc atomic operations])
 AC_TRY_RUN(
@@ -754,8 +895,14 @@ AC_CHECK_FUNC(
 	[AC_DEFINE(HAVE_PRINTF_HOOKS)],
 	[
 		AC_MSG_NOTICE([printf does not support custom format specifiers!])
-		AC_HAVE_LIBRARY([vstr],[LIBS="$LIBS"]; vstr=true,[AC_MSG_ERROR([Vstr string library not found])])
-	])
+		vstr=true
+	]
+)
+
+if test x$vstr = xtrue; then
+	AC_HAVE_LIBRARY([vstr],[LIBS="$LIBS"],[AC_MSG_ERROR([Vstr string library not found])])
+	AC_DEFINE(USE_VSTR)
+fi
 
 if test x$gmp = xtrue; then
 	AC_HAVE_LIBRARY([gmp],[LIBS="$LIBS"],[AC_MSG_ERROR([GNU Multi Precision library gmp not found])])
@@ -792,6 +939,30 @@ if test x$dumm = xtrue; then
 	PKG_CHECK_MODULES(gtk, [gtk+-2.0 vte])
 	AC_SUBST(gtk_CFLAGS)
 	AC_SUBST(gtk_LIBS)
+	AC_CHECK_PROGS(RUBY, ruby)
+	AC_MSG_CHECKING([for Ruby header files])
+	if test -n "$RUBY"; then
+		RUBYDIR=`($RUBY -rmkmf -e 'print Config::CONFIG[["archdir"]] || $archdir') 2>/dev/null`
+		if test -n "$RUBYDIR"; then
+			dirs="$RUBYDIR"
+			RUBYINCLUDE=none
+			for i in $dirs; do
+				if test -r $i/ruby.h; then
+					AC_MSG_RESULT([$i])
+					RUBYINCLUDE="-I$i"
+					break;
+				fi
+			done
+			if test x"$RUBYINCLUDE" = xnone; then
+				AC_MSG_ERROR([ruby.h not found])
+			fi
+			AC_SUBST(RUBYINCLUDE)
+		else
+			AC_MSG_ERROR([unable to determine ruby configuration])
+		fi
+	else
+		AC_MSG_ERROR([don't know how to run ruby])
+	fi
 fi
 
 if test x$fast = xtrue; then
@@ -836,6 +1007,17 @@ if test x$openssl = xtrue; then
 	AC_CHECK_HEADER([openssl/evp.h],,[AC_MSG_ERROR([OpenSSL header openssl/evp.h not found!])])
 fi
 
+if test x$gcrypt = xtrue; then
+	AM_PATH_LIBGCRYPT(,,[AC_MSG_ERROR([libgcrypt not found!])])
+	AC_MSG_CHECKING([gcrypt CAMELLIA cipher])
+	AC_TRY_COMPILE(
+		[#include <gcrypt.h>],
+		[enum gcry_cipher_algos alg = GCRY_CIPHER_CAMELLIA128;],
+		[AC_MSG_RESULT([yes]); AC_DEFINE([HAVE_GCRY_CIPHER_CAMELLIA])],
+		[AC_MSG_RESULT([no])]
+	)
+fi
+
 if test x$uci = xtrue; then
 	AC_HAVE_LIBRARY([uci],[LIBS="$LIBS"],[AC_MSG_ERROR([UCI library libuci not found])])
 	AC_CHECK_HEADER([uci.h],,[AC_MSG_ERROR([UCI header uci.h not found!])])
@@ -862,48 +1044,60 @@ dnl  collect all plugins for libstrongswan
 dnl ======================================
 
 libstrongswan_plugins=
+pluto_plugins=
 
+if test x$test_vectors = xtrue; then
+	libstrongswan_plugins=${libstrongswan_plugins}" test-vectors"
+	pluto_plugins=${pluto_plugins}" test-vectors"
+fi
 if test x$curl = xtrue; then
 	libstrongswan_plugins=${libstrongswan_plugins}" curl"
+	pluto_plugins=${pluto_plugins}" curl"
 fi
 if test x$ldap = xtrue; then
 	libstrongswan_plugins=${libstrongswan_plugins}" ldap"
+	pluto_plugins=${pluto_plugins}" ldap"
 fi
 if test x$aes = xtrue; then
 	libstrongswan_plugins=${libstrongswan_plugins}" aes"
+	pluto_plugins=${pluto_plugins}" aes"
 fi
 if test x$des = xtrue; then
 	libstrongswan_plugins=${libstrongswan_plugins}" des"
+	pluto_plugins=${pluto_plugins}" des"
+fi
+if test x$blowfish = xtrue; then
+	libstrongswan_plugins=${libstrongswan_plugins}" blowfish"
+	pluto_plugins=${pluto_plugins}" blowfish"
 fi
 if test x$sha1 = xtrue; then
 	libstrongswan_plugins=${libstrongswan_plugins}" sha1"
+	pluto_plugins=${pluto_plugins}" sha1"
 fi
 if test x$sha2 = xtrue; then
 	libstrongswan_plugins=${libstrongswan_plugins}" sha2"
+	pluto_plugins=${pluto_plugins}" sha2"
 fi
 if test x$md4 = xtrue; then
 	libstrongswan_plugins=${libstrongswan_plugins}" md4"
 fi
 if test x$md5 = xtrue; then
 	libstrongswan_plugins=${libstrongswan_plugins}" md5"
+	pluto_plugins=${pluto_plugins}" md5"
 fi
 if test x$fips_prf = xtrue; then
 	libstrongswan_plugins=${libstrongswan_plugins}" fips-prf"
 fi
 if test x$random = xtrue; then
 	libstrongswan_plugins=${libstrongswan_plugins}" random"
+	pluto_plugins=${pluto_plugins}" random"
 fi
 if test x$x509 = xtrue; then
 	libstrongswan_plugins=${libstrongswan_plugins}" x509"
 fi
 if test x$pubkey = xtrue; then
 	libstrongswan_plugins=${libstrongswan_plugins}" pubkey"
-fi
-if test x$xcbc = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" xcbc"
-fi
-if test x$hmac = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" hmac"
+	pluto_plugins=${pluto_plugins}" pubkey"
 fi
 if test x$mysql = xtrue; then
 	libstrongswan_plugins=${libstrongswan_plugins}" mysql"
@@ -916,15 +1110,29 @@ if test x$padlock = xtrue; then
 fi
 if test x$openssl = xtrue; then
 	libstrongswan_plugins=${libstrongswan_plugins}" openssl"
+	pluto_plugins=${pluto_plugins}" openssl"
+fi
+if test x$gcrypt = xtrue; then
+	libstrongswan_plugins=${libstrongswan_plugins}" gcrypt"
+	pluto_plugins=${pluto_plugins}" gcrypt"
+fi
+if test x$xcbc = xtrue; then
+	libstrongswan_plugins=${libstrongswan_plugins}" xcbc"
+fi
+if test x$hmac = xtrue; then
+	libstrongswan_plugins=${libstrongswan_plugins}" hmac"
+	pluto_plugins=${pluto_plugins}" hmac"
 fi
 if test x$agent = xtrue; then
 	libstrongswan_plugins=${libstrongswan_plugins}" agent"
 fi
 if test x$gmp = xtrue; then
 	libstrongswan_plugins=${libstrongswan_plugins}" gmp"
+	pluto_plugins=${pluto_plugins}" gmp"
 fi
 
 AC_SUBST(libstrongswan_plugins)
+AC_SUBST(pluto_plugins)
 
 dnl =========================
 dnl  set Makefile.am vars
@@ -932,10 +1140,12 @@ dnl =========================
 
 dnl libstrongswan plugins
 dnl =====================
+AM_CONDITIONAL(USE_TEST_VECTORS, test x$test_vectors = xtrue)
 AM_CONDITIONAL(USE_CURL, test x$curl = xtrue)
 AM_CONDITIONAL(USE_LDAP, test x$ldap = xtrue)
 AM_CONDITIONAL(USE_AES, test x$aes = xtrue)
 AM_CONDITIONAL(USE_DES, test x$des = xtrue)
+AM_CONDITIONAL(USE_BLOWFISH, test x$blowfish = xtrue)
 AM_CONDITIONAL(USE_MD4, test x$md4 = xtrue)
 AM_CONDITIONAL(USE_MD5, test x$md5 = xtrue)
 AM_CONDITIONAL(USE_SHA1, test x$sha1 = xtrue)
@@ -951,6 +1161,7 @@ AM_CONDITIONAL(USE_MYSQL, test x$mysql = xtrue)
 AM_CONDITIONAL(USE_SQLITE, test x$sqlite = xtrue)
 AM_CONDITIONAL(USE_PADLOCK, test x$padlock = xtrue)
 AM_CONDITIONAL(USE_OPENSSL, test x$openssl = xtrue)
+AM_CONDITIONAL(USE_GCRYPT, test x$gcrypt = xtrue)
 AM_CONDITIONAL(USE_AGENT, test x$agent = xtrue)
 
 dnl charon plugins
@@ -963,6 +1174,8 @@ AM_CONDITIONAL(USE_UCI, test x$uci = xtrue)
 AM_CONDITIONAL(USE_SMP, test x$smp = xtrue)
 AM_CONDITIONAL(USE_SQL, test x$sql = xtrue)
 AM_CONDITIONAL(USE_UPDOWN, test x$updown = xtrue)
+AM_CONDITIONAL(USE_ATTR, test x$attr = xtrue)
+AM_CONDITIONAL(USE_RESOLV_CONF, test x$resolvconf = xtrue)
 AM_CONDITIONAL(USE_UNIT_TESTS, test x$unittest = xtrue)
 AM_CONDITIONAL(USE_LOAD_TESTS, test x$loadtest = xtrue)
 AM_CONDITIONAL(USE_EAP_SIM, test x$eap_sim = xtrue)
@@ -975,6 +1188,7 @@ AM_CONDITIONAL(USE_EAP_MSCHAPV2, test x$eap_mschapv2 = xtrue)
 AM_CONDITIONAL(USE_EAP_RADIUS, test x$eap_radius = xtrue)
 AM_CONDITIONAL(USE_KERNEL_NETLINK, test x$kernel_netlink = xtrue)
 AM_CONDITIONAL(USE_KERNEL_PFKEY, test x$kernel_pfkey = xtrue)
+AM_CONDITIONAL(USE_KERNEL_PFROUTE, test x$kernel_pfroute = xtrue)
 AM_CONDITIONAL(USE_KERNEL_KLIPS, test x$kernel_klips = xtrue)
 
 dnl other options
@@ -991,13 +1205,12 @@ AM_CONDITIONAL(USE_FAST, test x$fast = xtrue)
 AM_CONDITIONAL(USE_MANAGER, test x$manager = xtrue)
 AM_CONDITIONAL(USE_ME, test x$me = xtrue)
 AM_CONDITIONAL(USE_INTEGRITY_TEST, test x$integrity_test = xtrue)
-AM_CONDITIONAL(USE_SELF_TEST, test x$self_test = xtrue)
 AM_CONDITIONAL(USE_CAPABILITIES, test x$capabilities = xlibcap)
 AM_CONDITIONAL(USE_PLUTO, test x$pluto = xtrue)
 AM_CONDITIONAL(USE_THREADS, test x$threads = xtrue)
 AM_CONDITIONAL(USE_CHARON, test x$charon = xtrue)
 AM_CONDITIONAL(USE_TOOLS, test x$tools = xtrue)
-AM_CONDITIONAL(USE_LIBSTRONGSWAN, test x$charon = xtrue -o x$tools = xtrue)
+AM_CONDITIONAL(USE_LIBSTRONGSWAN, test x$charon = xtrue -o x$pluto = xtrue -o x$tools = xtrue)
 AM_CONDITIONAL(USE_FILE_CONFIG, test x$pluto = xtrue -o x$stroke = xtrue)
 AM_CONDITIONAL(USE_VSTR, test x$vstr = xtrue)
 
@@ -1023,6 +1236,7 @@ AC_OUTPUT(
 	src/libstrongswan/Makefile
 	src/libstrongswan/plugins/aes/Makefile
 	src/libstrongswan/plugins/des/Makefile
+	src/libstrongswan/plugins/blowfish/Makefile
 	src/libstrongswan/plugins/md4/Makefile
 	src/libstrongswan/plugins/md5/Makefile
 	src/libstrongswan/plugins/sha1/Makefile
@@ -1040,9 +1254,10 @@ AC_OUTPUT(
 	src/libstrongswan/plugins/sqlite/Makefile
 	src/libstrongswan/plugins/padlock/Makefile
 	src/libstrongswan/plugins/openssl/Makefile
+	src/libstrongswan/plugins/gcrypt/Makefile
 	src/libstrongswan/plugins/agent/Makefile
+	src/libstrongswan/plugins/test_vectors/Makefile
 	src/libstrongswan/fips/Makefile
-	src/libcrypto/Makefile
 	src/libfreeswan/Makefile
 	src/pluto/Makefile
 	src/whack/Makefile
@@ -1057,6 +1272,7 @@ AC_OUTPUT(
 	src/charon/plugins/eap_radius/Makefile
 	src/charon/plugins/kernel_netlink/Makefile
 	src/charon/plugins/kernel_pfkey/Makefile
+	src/charon/plugins/kernel_pfroute/Makefile
 	src/charon/plugins/kernel_klips/Makefile
 	src/charon/plugins/smp/Makefile
 	src/charon/plugins/sql/Makefile
@@ -1066,6 +1282,8 @@ AC_OUTPUT(
 	src/charon/plugins/uci/Makefile
 	src/charon/plugins/stroke/Makefile
 	src/charon/plugins/updown/Makefile
+	src/charon/plugins/attr/Makefile
+	src/charon/plugins/resolv_conf/Makefile
 	src/charon/plugins/unit_tester/Makefile
 	src/charon/plugins/load_tester/Makefile
 	src/stroke/Makefile
@@ -1077,6 +1295,7 @@ AC_OUTPUT(
 	src/openac/Makefile
 	src/scepclient/Makefile
 	src/dumm/Makefile
+	src/dumm/ext/extconf.rb
 	src/libfast/Makefile
 	src/manager/Makefile
 	src/medsrv/Makefile
diff --git a/ltmain.sh b/ltmain.sh
index 6d056ecf3..b612e9a6d 100644
--- a/ltmain.sh
+++ b/ltmain.sh
@@ -1,6 +1,6 @@
 # Generated from ltmain.m4sh.
 
-# ltmain.sh (GNU libtool) 2.2.4
+# ltmain.sh (GNU libtool) 2.2.6
 # Written by Gordon Matzigkeit <gord@gnu.ai.mit.edu>, 1996
 
 # Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2003, 2004, 2005, 2006, 2007 2008 Free Software Foundation, Inc.
@@ -65,7 +65,7 @@
 #       compiler:		$LTCC
 #       compiler flags:		$LTCFLAGS
 #       linker:		$LD (gnu? $with_gnu_ld)
-#       $progname:		(GNU libtool) 2.2.4 Debian-2.2.4-0ubuntu4
+#       $progname:		(GNU libtool) 2.2.6 Debian-2.2.6a-1ubuntu1
 #       automake:		$automake_version
 #       autoconf:		$autoconf_version
 #
@@ -73,9 +73,9 @@
 
 PROGRAM=ltmain.sh
 PACKAGE=libtool
-VERSION="2.2.4 Debian-2.2.4-0ubuntu4"
+VERSION="2.2.6 Debian-2.2.6a-1ubuntu1"
 TIMESTAMP=""
-package_revision=1.2976
+package_revision=1.3012
 
 # Be Bourne compatible
 if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
@@ -805,7 +805,7 @@ func_enable_tag ()
 
 
   case $host in
-    *cygwin* | *mingw* | *pw32*)
+    *cygwin* | *mingw* | *pw32* | *cegcc*)
       # don't eliminate duplications in $postdeps and $predeps
       opt_duplicate_compiler_generated_deps=:
       ;;
@@ -893,8 +893,9 @@ $opt_help || {
 # determined imposters.
 func_lalib_p ()
 {
-    $SED -e 4q "$1" 2>/dev/null \
-      | $GREP "^# Generated by .*$PACKAGE" > /dev/null 2>&1
+    test -f "$1" &&
+      $SED -e 4q "$1" 2>/dev/null \
+        | $GREP "^# Generated by .*$PACKAGE" > /dev/null 2>&1
 }
 
 # func_lalib_unsafe_p file
@@ -907,7 +908,7 @@ func_lalib_p ()
 func_lalib_unsafe_p ()
 {
     lalib_p=no
-    if test -r "$1" && exec 5<&0 <"$1"; then
+    if test -f "$1" && test -r "$1" && exec 5<&0 <"$1"; then
 	for lalib_p_l in 1 2 3 4
 	do
 	    read lalib_p_line
@@ -1275,7 +1276,7 @@ func_mode_compile ()
 
     # On Cygwin there's no "real" PIC flag so we must build both object types
     case $host_os in
-    cygwin* | mingw* | pw32* | os2*)
+    cygwin* | mingw* | pw32* | os2* | cegcc*)
       pic_mode=default
       ;;
     esac
@@ -2046,7 +2047,7 @@ func_mode_install ()
 	      'exit $?'
 	  tstripme="$stripme"
 	  case $host_os in
-	  cygwin* | mingw* | pw32*)
+	  cygwin* | mingw* | pw32* | cegcc*)
 	    case $realname in
 	    *.dll.a)
 	      tstripme=""
@@ -2152,7 +2153,7 @@ func_mode_install ()
 
 	# Do a test to see if this is really a libtool program.
 	case $host in
-	*cygwin*|*mingw*)
+	*cygwin* | *mingw*)
 	    if func_ltwrapper_executable_p "$file"; then
 	      func_ltwrapper_scriptname "$file"
 	      wrapper=$func_ltwrapper_scriptname_result
@@ -2358,7 +2359,7 @@ extern \"C\" {
 	      $RM $export_symbols
 	      eval "${SED} -n -e '/^: @PROGRAM@ $/d' -e 's/^.* \(.*\)$/\1/p' "'< "$nlist" > "$export_symbols"'
 	      case $host in
-	      *cygwin* | *mingw* )
+	      *cygwin* | *mingw* | *cegcc* )
                 eval "echo EXPORTS "'> "$output_objdir/$outputname.def"'
                 eval 'cat "$export_symbols" >> "$output_objdir/$outputname.def"'
 	        ;;
@@ -2370,7 +2371,7 @@ extern \"C\" {
 	      eval '$GREP -f "$output_objdir/$outputname.exp" < "$nlist" > "$nlist"T'
 	      eval '$MV "$nlist"T "$nlist"'
 	      case $host in
-	        *cygwin | *mingw* )
+	        *cygwin | *mingw* | *cegcc* )
 	          eval "echo EXPORTS "'> "$output_objdir/$outputname.def"'
 	          eval 'cat "$nlist" >> "$output_objdir/$outputname.def"'
 	          ;;
@@ -2426,7 +2427,7 @@ typedef struct {
 } lt_dlsymlist;
 "
 	  case $host in
-	  *cygwin* | *mingw* )
+	  *cygwin* | *mingw* | *cegcc* )
 	    $ECHO >> "$output_objdir/$my_dlsyms" "\
 /* DATA imports from DLLs on WIN32 con't be const, because
    runtime relocations are performed -- see ld's documentation
@@ -2512,7 +2513,7 @@ static const void *lt_preloaded_setup() {
 	# Transform the symbol file into the correct name.
 	symfileobj="$output_objdir/${my_outputname}S.$objext"
 	case $host in
-	*cygwin* | *mingw* )
+	*cygwin* | *mingw* | *cegcc* )
 	  if test -f "$output_objdir/$my_outputname.def"; then
 	    compile_command=`$ECHO "X$compile_command" | $Xsed -e "s%@SYMFILE@%$output_objdir/$my_outputname.def $symfileobj%"`
 	    finalize_command=`$ECHO "X$finalize_command" | $Xsed -e "s%@SYMFILE@%$output_objdir/$my_outputname.def $symfileobj%"`
@@ -2691,25 +2692,16 @@ func_extract_archives ()
 
 
 
-# func_emit_wrapper arg
+# func_emit_wrapper_part1 [arg=no]
 #
-# emit a libtool wrapper script on stdout
-# don't directly open a file because we may want to
-# incorporate the script contents within a cygwin/mingw
-# wrapper executable.  Must ONLY be called from within
-# func_mode_link because it depends on a number of variable
-# set therein.
-#
-# arg is the value that the WRAPPER_SCRIPT_BELONGS_IN_OBJDIR
-# variable will take.  If 'yes', then the emitted script
-# will assume that the directory in which it is stored is
-# the '.lib' directory.  This is a cygwin/mingw-specific
-# behavior.
-func_emit_wrapper ()
+# Emit the first part of a libtool wrapper script on stdout.
+# For more information, see the description associated with
+# func_emit_wrapper(), below.
+func_emit_wrapper_part1 ()
 {
-	func_emit_wrapper_arg1=no
+	func_emit_wrapper_part1_arg1=no
 	if test -n "$1" ; then
-	  func_emit_wrapper_arg1=$1
+	  func_emit_wrapper_part1_arg1=$1
 	fi
 
 	$ECHO "\
@@ -2794,10 +2786,27 @@ else
     file=\`\$ECHO \"X\$file\" | \$Xsed -e 's%^.*/%%'\`
     file=\`ls -ld \"\$thisdir/\$file\" | ${SED} -n 's/.*-> //p'\`
   done
+"
+}
+# end: func_emit_wrapper_part1
+
+# func_emit_wrapper_part2 [arg=no]
+#
+# Emit the second part of a libtool wrapper script on stdout.
+# For more information, see the description associated with
+# func_emit_wrapper(), below.
+func_emit_wrapper_part2 ()
+{
+	func_emit_wrapper_part2_arg1=no
+	if test -n "$1" ; then
+	  func_emit_wrapper_part2_arg1=$1
+	fi
+
+	$ECHO "\
 
   # Usually 'no', except on cygwin/mingw when embedded into
   # the cwrapper.
-  WRAPPER_SCRIPT_BELONGS_IN_OBJDIR=$func_emit_wrapper_arg1
+  WRAPPER_SCRIPT_BELONGS_IN_OBJDIR=$func_emit_wrapper_part2_arg1
   if test \"\$WRAPPER_SCRIPT_BELONGS_IN_OBJDIR\" = \"yes\"; then
     # special case for '.'
     if test \"\$thisdir\" = \".\"; then
@@ -2888,7 +2897,7 @@ else
 "
 	case $host in
 	# Backslashes separate directories on plain windows
-	*-*-mingw | *-*-os2*)
+	*-*-mingw | *-*-os2* | *-cegcc*)
 	  $ECHO "\
       exec \"\$progdir\\\\\$program\" \${1+\"\$@\"}
 "
@@ -2914,7 +2923,207 @@ else
 fi\
 "
 }
-# end: func_emit_wrapper
+# end: func_emit_wrapper_part2
+
+
+# func_emit_wrapper [arg=no]
+#
+# Emit a libtool wrapper script on stdout.
+# Don't directly open a file because we may want to
+# incorporate the script contents within a cygwin/mingw
+# wrapper executable.  Must ONLY be called from within
+# func_mode_link because it depends on a number of variables
+# set therein.
+#
+# ARG is the value that the WRAPPER_SCRIPT_BELONGS_IN_OBJDIR
+# variable will take.  If 'yes', then the emitted script
+# will assume that the directory in which it is stored is
+# the $objdir directory.  This is a cygwin/mingw-specific
+# behavior.
+func_emit_wrapper ()
+{
+	func_emit_wrapper_arg1=no
+	if test -n "$1" ; then
+	  func_emit_wrapper_arg1=$1
+	fi
+
+	# split this up so that func_emit_cwrapperexe_src
+	# can call each part independently.
+	func_emit_wrapper_part1 "${func_emit_wrapper_arg1}"
+	func_emit_wrapper_part2 "${func_emit_wrapper_arg1}"
+}
+
+
+# func_to_host_path arg
+#
+# Convert paths to host format when used with build tools.
+# Intended for use with "native" mingw (where libtool itself
+# is running under the msys shell), or in the following cross-
+# build environments:
+#    $build          $host
+#    mingw (msys)    mingw  [e.g. native]
+#    cygwin          mingw
+#    *nix + wine     mingw
+# where wine is equipped with the `winepath' executable.
+# In the native mingw case, the (msys) shell automatically
+# converts paths for any non-msys applications it launches,
+# but that facility isn't available from inside the cwrapper.
+# Similar accommodations are necessary for $host mingw and
+# $build cygwin.  Calling this function does no harm for other
+# $host/$build combinations not listed above.
+#
+# ARG is the path (on $build) that should be converted to
+# the proper representation for $host. The result is stored
+# in $func_to_host_path_result.
+func_to_host_path ()
+{
+  func_to_host_path_result="$1"
+  if test -n "$1" ; then
+    case $host in
+      *mingw* )
+        lt_sed_naive_backslashify='s|\\\\*|\\|g;s|/|\\|g;s|\\|\\\\|g'
+        case $build in
+          *mingw* ) # actually, msys
+            # awkward: cmd appends spaces to result
+            lt_sed_strip_trailing_spaces="s/[ ]*\$//"
+            func_to_host_path_tmp1=`( cmd //c echo "$1" |\
+              $SED -e "$lt_sed_strip_trailing_spaces" ) 2>/dev/null || echo ""`
+            func_to_host_path_result=`echo "$func_to_host_path_tmp1" |\
+              $SED -e "$lt_sed_naive_backslashify"`
+            ;;
+          *cygwin* )
+            func_to_host_path_tmp1=`cygpath -w "$1"`
+            func_to_host_path_result=`echo "$func_to_host_path_tmp1" |\
+              $SED -e "$lt_sed_naive_backslashify"`
+            ;;
+          * )
+            # Unfortunately, winepath does not exit with a non-zero
+            # error code, so we are forced to check the contents of
+            # stdout. On the other hand, if the command is not
+            # found, the shell will set an exit code of 127 and print
+            # *an error message* to stdout. So we must check for both
+            # error code of zero AND non-empty stdout, which explains
+            # the odd construction:
+            func_to_host_path_tmp1=`winepath -w "$1" 2>/dev/null`
+            if test "$?" -eq 0 && test -n "${func_to_host_path_tmp1}"; then
+              func_to_host_path_result=`echo "$func_to_host_path_tmp1" |\
+                $SED -e "$lt_sed_naive_backslashify"`
+            else
+              # Allow warning below.
+              func_to_host_path_result=""
+            fi
+            ;;
+        esac
+        if test -z "$func_to_host_path_result" ; then
+          func_error "Could not determine host path corresponding to"
+          func_error "  '$1'"
+          func_error "Continuing, but uninstalled executables may not work."
+          # Fallback:
+          func_to_host_path_result="$1"
+        fi
+        ;;
+    esac
+  fi
+}
+# end: func_to_host_path
+
+# func_to_host_pathlist arg
+#
+# Convert pathlists to host format when used with build tools.
+# See func_to_host_path(), above. This function supports the
+# following $build/$host combinations (but does no harm for
+# combinations not listed here):
+#    $build          $host
+#    mingw (msys)    mingw  [e.g. native]
+#    cygwin          mingw
+#    *nix + wine     mingw
+#
+# Path separators are also converted from $build format to
+# $host format. If ARG begins or ends with a path separator
+# character, it is preserved (but converted to $host format)
+# on output.
+#
+# ARG is a pathlist (on $build) that should be converted to
+# the proper representation on $host. The result is stored
+# in $func_to_host_pathlist_result.
+func_to_host_pathlist ()
+{
+  func_to_host_pathlist_result="$1"
+  if test -n "$1" ; then
+    case $host in
+      *mingw* )
+        lt_sed_naive_backslashify='s|\\\\*|\\|g;s|/|\\|g;s|\\|\\\\|g'
+        # Remove leading and trailing path separator characters from
+        # ARG. msys behavior is inconsistent here, cygpath turns them
+        # into '.;' and ';.', and winepath ignores them completely.
+        func_to_host_pathlist_tmp2="$1"
+        # Once set for this call, this variable should not be
+        # reassigned. It is used in tha fallback case.
+        func_to_host_pathlist_tmp1=`echo "$func_to_host_pathlist_tmp2" |\
+          $SED -e 's|^:*||' -e 's|:*$||'`
+        case $build in
+          *mingw* ) # Actually, msys.
+            # Awkward: cmd appends spaces to result.
+            lt_sed_strip_trailing_spaces="s/[ ]*\$//"
+            func_to_host_pathlist_tmp2=`( cmd //c echo "$func_to_host_pathlist_tmp1" |\
+              $SED -e "$lt_sed_strip_trailing_spaces" ) 2>/dev/null || echo ""`
+            func_to_host_pathlist_result=`echo "$func_to_host_pathlist_tmp2" |\
+              $SED -e "$lt_sed_naive_backslashify"`
+            ;;
+          *cygwin* )
+            func_to_host_pathlist_tmp2=`cygpath -w -p "$func_to_host_pathlist_tmp1"`
+            func_to_host_pathlist_result=`echo "$func_to_host_pathlist_tmp2" |\
+              $SED -e "$lt_sed_naive_backslashify"`
+            ;;
+          * )
+            # unfortunately, winepath doesn't convert pathlists
+            func_to_host_pathlist_result=""
+            func_to_host_pathlist_oldIFS=$IFS
+            IFS=:
+            for func_to_host_pathlist_f in $func_to_host_pathlist_tmp1 ; do
+              IFS=$func_to_host_pathlist_oldIFS
+              if test -n "$func_to_host_pathlist_f" ; then
+                func_to_host_path "$func_to_host_pathlist_f"
+                if test -n "$func_to_host_path_result" ; then
+                  if test -z "$func_to_host_pathlist_result" ; then
+                    func_to_host_pathlist_result="$func_to_host_path_result"
+                  else
+                    func_to_host_pathlist_result="$func_to_host_pathlist_result;$func_to_host_path_result"
+                  fi
+                fi
+              fi
+              IFS=:
+            done
+            IFS=$func_to_host_pathlist_oldIFS
+            ;;
+        esac
+        if test -z "$func_to_host_pathlist_result" ; then
+          func_error "Could not determine the host path(s) corresponding to"
+          func_error "  '$1'"
+          func_error "Continuing, but uninstalled executables may not work."
+          # Fallback. This may break if $1 contains DOS-style drive
+          # specifications. The fix is not to complicate the expression
+          # below, but for the user to provide a working wine installation
+          # with winepath so that path translation in the cross-to-mingw
+          # case works properly.
+          lt_replace_pathsep_nix_to_dos="s|:|;|g"
+          func_to_host_pathlist_result=`echo "$func_to_host_pathlist_tmp1" |\
+            $SED -e "$lt_replace_pathsep_nix_to_dos"`
+        fi
+        # Now, add the leading and trailing path separators back
+        case "$1" in
+          :* ) func_to_host_pathlist_result=";$func_to_host_pathlist_result"
+            ;;
+        esac
+        case "$1" in
+          *: ) func_to_host_pathlist_result="$func_to_host_pathlist_result;"
+            ;;
+        esac
+        ;;
+    esac
+  fi
+}
+# end: func_to_host_pathlist
 
 # func_emit_cwrapperexe_src
 # emit the source code for a wrapper executable on stdout
@@ -2951,6 +3160,12 @@ EOF
 # include <stdint.h>
 # ifdef __CYGWIN__
 #  include <io.h>
+#  define HAVE_SETENV
+#  ifdef __STRICT_ANSI__
+char *realpath (const char *, char *);
+int putenv (char *);
+int setenv (const char *, const char *, int);
+#  endif
 # endif
 #endif
 #include <malloc.h>
@@ -3057,29 +3272,105 @@ int make_executable (const char *path);
 int check_executable (const char *path);
 char *strendzap (char *str, const char *pat);
 void lt_fatal (const char *message, ...);
-
-static const char *script_text =
+void lt_setenv (const char *name, const char *value);
+char *lt_extend_str (const char *orig_value, const char *add, int to_end);
+void lt_opt_process_env_set (const char *arg);
+void lt_opt_process_env_prepend (const char *arg);
+void lt_opt_process_env_append (const char *arg);
+int lt_split_name_value (const char *arg, char** name, char** value);
+void lt_update_exe_path (const char *name, const char *value);
+void lt_update_lib_path (const char *name, const char *value);
+
+static const char *script_text_part1 =
 EOF
 
-	    func_emit_wrapper yes |
+	    func_emit_wrapper_part1 yes |
+	        $SED -e 's/\([\\"]\)/\\\1/g' \
+	             -e 's/^/  "/' -e 's/$/\\n"/'
+	    echo ";"
+	    cat <<EOF
+
+static const char *script_text_part2 =
+EOF
+	    func_emit_wrapper_part2 yes |
 	        $SED -e 's/\([\\"]\)/\\\1/g' \
 	             -e 's/^/  "/' -e 's/$/\\n"/'
 	    echo ";"
 
 	    cat <<EOF
 const char * MAGIC_EXE = "$magic_exe";
+const char * LIB_PATH_VARNAME = "$shlibpath_var";
+EOF
+
+	    if test "$shlibpath_overrides_runpath" = yes && test -n "$shlibpath_var" && test -n "$temp_rpath"; then
+              func_to_host_pathlist "$temp_rpath"
+	      cat <<EOF
+const char * LIB_PATH_VALUE   = "$func_to_host_pathlist_result";
+EOF
+	    else
+	      cat <<"EOF"
+const char * LIB_PATH_VALUE   = "";
+EOF
+	    fi
+
+	    if test -n "$dllsearchpath"; then
+              func_to_host_pathlist "$dllsearchpath:"
+	      cat <<EOF
+const char * EXE_PATH_VARNAME = "PATH";
+const char * EXE_PATH_VALUE   = "$func_to_host_pathlist_result";
+EOF
+	    else
+	      cat <<"EOF"
+const char * EXE_PATH_VARNAME = "";
+const char * EXE_PATH_VALUE   = "";
+EOF
+	    fi
+
+	    if test "$fast_install" = yes; then
+	      cat <<EOF
+const char * TARGET_PROGRAM_NAME = "lt-$outputname"; /* hopefully, no .exe */
+EOF
+	    else
+	      cat <<EOF
+const char * TARGET_PROGRAM_NAME = "$outputname"; /* hopefully, no .exe */
+EOF
+	    fi
+
+
+	    cat <<"EOF"
+
+#define LTWRAPPER_OPTION_PREFIX         "--lt-"
+#define LTWRAPPER_OPTION_PREFIX_LENGTH  5
+
+static const size_t opt_prefix_len         = LTWRAPPER_OPTION_PREFIX_LENGTH;
+static const char *ltwrapper_option_prefix = LTWRAPPER_OPTION_PREFIX;
+
+static const char *dumpscript_opt       = LTWRAPPER_OPTION_PREFIX "dump-script";
+
+static const size_t env_set_opt_len     = LTWRAPPER_OPTION_PREFIX_LENGTH + 7;
+static const char *env_set_opt          = LTWRAPPER_OPTION_PREFIX "env-set";
+  /* argument is putenv-style "foo=bar", value of foo is set to bar */
+
+static const size_t env_prepend_opt_len = LTWRAPPER_OPTION_PREFIX_LENGTH + 11;
+static const char *env_prepend_opt      = LTWRAPPER_OPTION_PREFIX "env-prepend";
+  /* argument is putenv-style "foo=bar", new value of foo is bar${foo} */
+
+static const size_t env_append_opt_len  = LTWRAPPER_OPTION_PREFIX_LENGTH + 10;
+static const char *env_append_opt       = LTWRAPPER_OPTION_PREFIX "env-append";
+  /* argument is putenv-style "foo=bar", new value of foo is ${foo}bar */
 
 int
 main (int argc, char *argv[])
 {
   char **newargz;
+  int  newargc;
   char *tmp_pathspec;
   char *actual_cwrapper_path;
-  char *shwrapper_name;
+  char *actual_cwrapper_name;
+  char *target_name;
+  char *lt_argv_zero;
   intptr_t rval = 127;
-  FILE *shwrapper;
 
-  const char *dumpscript_opt = "--lt-dump-script";
   int i;
 
   program_name = (char *) xstrdup (base_name (argv[0]));
@@ -3099,38 +3390,14 @@ EOF
 		;;
 	      esac
 
-	    cat <<EOF
-	  printf ("%s", script_text);
+	    cat <<"EOF"
+	  printf ("%s", script_text_part1);
+	  printf ("%s", script_text_part2);
 	  return 0;
 	}
     }
 
-  newargz = XMALLOC (char *, argc + 2);
-EOF
-
-	    if test -n "$TARGETSHELL" ; then
-	      # no path translation at all
-	      lt_newargv0=$TARGETSHELL
-	    else
-	      case "$host" in
-		*mingw* )
-		  # awkward: cmd appends spaces to result
-		  lt_sed_strip_trailing_spaces="s/[ ]*\$//"
-		  lt_newargv0=`( cmd //c echo $SHELL | $SED -e "$lt_sed_strip_trailing_spaces" ) 2>/dev/null || echo $SHELL`
-		  case $lt_newargv0 in
-		    *.exe | *.EXE) ;;
-		    *) lt_newargv0=$lt_newargv0.exe ;;
-		  esac
-		  ;;
-		* ) lt_newargv0=$SHELL ;;
-	      esac
-	    fi
-
-		cat <<EOF
-  newargz[0] = (char *) xstrdup ("$lt_newargv0");
-EOF
-
-	    cat <<"EOF"
+  newargz = XMALLOC (char *, argc + 1);
   tmp_pathspec = find_executable (argv[0]);
   if (tmp_pathspec == NULL)
     lt_fatal ("Couldn't find %s", argv[0]);
@@ -3142,39 +3409,60 @@ EOF
 			  actual_cwrapper_path));
   XFREE (tmp_pathspec);
 
-  shwrapper_name = (char *) xstrdup (base_name (actual_cwrapper_path));
-  strendzap (actual_cwrapper_path, shwrapper_name);
-
-  /* shwrapper_name transforms */
-  strendzap (shwrapper_name, ".exe");
-  tmp_pathspec = XMALLOC (char, (strlen (shwrapper_name) +
-				 strlen ("_ltshwrapperTMP") + 1));
-  strcpy (tmp_pathspec, shwrapper_name);
-  strcat (tmp_pathspec, "_ltshwrapperTMP");
-  XFREE (shwrapper_name);
-  shwrapper_name = tmp_pathspec;
+  actual_cwrapper_name = xstrdup( base_name (actual_cwrapper_path));
+  strendzap (actual_cwrapper_path, actual_cwrapper_name);
+
+  /* wrapper name transforms */
+  strendzap (actual_cwrapper_name, ".exe");
+  tmp_pathspec = lt_extend_str (actual_cwrapper_name, ".exe", 1);
+  XFREE (actual_cwrapper_name);
+  actual_cwrapper_name = tmp_pathspec;
   tmp_pathspec = 0;
-  LTWRAPPER_DEBUGPRINTF (("(main) libtool shell wrapper name: %s\n",
-			  shwrapper_name));
+
+  /* target_name transforms -- use actual target program name; might have lt- prefix */
+  target_name = xstrdup (base_name (TARGET_PROGRAM_NAME));
+  strendzap (target_name, ".exe");
+  tmp_pathspec = lt_extend_str (target_name, ".exe", 1);
+  XFREE (target_name);
+  target_name = tmp_pathspec;
+  tmp_pathspec = 0;
+
+  LTWRAPPER_DEBUGPRINTF (("(main) libtool target name: %s\n",
+			  target_name));
 EOF
 
 	    cat <<EOF
-  newargz[1] =
+  newargz[0] =
     XMALLOC (char, (strlen (actual_cwrapper_path) +
-		    strlen ("$objdir") + 1 + strlen (shwrapper_name) + 1));
-  strcpy (newargz[1], actual_cwrapper_path);
-  strcat (newargz[1], "$objdir");
-  strcat (newargz[1], "/");
-  strcat (newargz[1], shwrapper_name);
+		    strlen ("$objdir") + 1 + strlen (actual_cwrapper_name) + 1));
+  strcpy (newargz[0], actual_cwrapper_path);
+  strcat (newargz[0], "$objdir");
+  strcat (newargz[0], "/");
 EOF
 
+	    cat <<"EOF"
+  /* stop here, and copy so we don't have to do this twice */
+  tmp_pathspec = xstrdup (newargz[0]);
+
+  /* do NOT want the lt- prefix here, so use actual_cwrapper_name */
+  strcat (newargz[0], actual_cwrapper_name);
+
+  /* DO want the lt- prefix here if it exists, so use target_name */
+  lt_argv_zero = lt_extend_str (tmp_pathspec, target_name, 1);
+  XFREE (tmp_pathspec);
+  tmp_pathspec = NULL;
+EOF
 
 	    case $host_os in
 	      mingw*)
 	    cat <<"EOF"
   {
     char* p;
-    while ((p = strchr (newargz[1], '\\')) != NULL)
+    while ((p = strchr (newargz[0], '\\')) != NULL)
+      {
+	*p = '/';
+      }
+    while ((p = strchr (lt_argv_zero, '\\')) != NULL)
       {
 	*p = '/';
       }
@@ -3184,55 +3472,114 @@ EOF
 	    esac
 
 	    cat <<"EOF"
-  XFREE (shwrapper_name);
+  XFREE (target_name);
   XFREE (actual_cwrapper_path);
+  XFREE (actual_cwrapper_name);
 
-  /* always write in binary mode */
-  if ((shwrapper = fopen (newargz[1], FOPEN_WB)) == 0)
-    {
-      lt_fatal ("Could not open %s for writing", newargz[1]);
-    }
-  fprintf (shwrapper, "%s", script_text);
-  fclose (shwrapper);
-
-  make_executable (newargz[1]);
+  lt_setenv ("BIN_SH", "xpg4"); /* for Tru64 */
+  lt_setenv ("DUALCASE", "1");  /* for MSK sh */
+  lt_update_lib_path (LIB_PATH_VARNAME, LIB_PATH_VALUE);
+  lt_update_exe_path (EXE_PATH_VARNAME, EXE_PATH_VALUE);
 
+  newargc=0;
   for (i = 1; i < argc; i++)
-    newargz[i + 1] = xstrdup (argv[i]);
-  newargz[argc + 1] = NULL;
+    {
+      if (strncmp (argv[i], env_set_opt, env_set_opt_len) == 0)
+        {
+          if (argv[i][env_set_opt_len] == '=')
+            {
+              const char *p = argv[i] + env_set_opt_len + 1;
+              lt_opt_process_env_set (p);
+            }
+          else if (argv[i][env_set_opt_len] == '\0' && i + 1 < argc)
+            {
+              lt_opt_process_env_set (argv[++i]); /* don't copy */
+            }
+          else
+            lt_fatal ("%s missing required argument", env_set_opt);
+          continue;
+        }
+      if (strncmp (argv[i], env_prepend_opt, env_prepend_opt_len) == 0)
+        {
+          if (argv[i][env_prepend_opt_len] == '=')
+            {
+              const char *p = argv[i] + env_prepend_opt_len + 1;
+              lt_opt_process_env_prepend (p);
+            }
+          else if (argv[i][env_prepend_opt_len] == '\0' && i + 1 < argc)
+            {
+              lt_opt_process_env_prepend (argv[++i]); /* don't copy */
+            }
+          else
+            lt_fatal ("%s missing required argument", env_prepend_opt);
+          continue;
+        }
+      if (strncmp (argv[i], env_append_opt, env_append_opt_len) == 0)
+        {
+          if (argv[i][env_append_opt_len] == '=')
+            {
+              const char *p = argv[i] + env_append_opt_len + 1;
+              lt_opt_process_env_append (p);
+            }
+          else if (argv[i][env_append_opt_len] == '\0' && i + 1 < argc)
+            {
+              lt_opt_process_env_append (argv[++i]); /* don't copy */
+            }
+          else
+            lt_fatal ("%s missing required argument", env_append_opt);
+          continue;
+        }
+      if (strncmp (argv[i], ltwrapper_option_prefix, opt_prefix_len) == 0)
+        {
+          /* however, if there is an option in the LTWRAPPER_OPTION_PREFIX
+             namespace, but it is not one of the ones we know about and
+             have already dealt with, above (inluding dump-script), then
+             report an error. Otherwise, targets might begin to believe
+             they are allowed to use options in the LTWRAPPER_OPTION_PREFIX
+             namespace. The first time any user complains about this, we'll
+             need to make LTWRAPPER_OPTION_PREFIX a configure-time option
+             or a configure.ac-settable value.
+           */
+          lt_fatal ("Unrecognized option in %s namespace: '%s'",
+                    ltwrapper_option_prefix, argv[i]);
+        }
+      /* otherwise ... */
+      newargz[++newargc] = xstrdup (argv[i]);
+    }
+  newargz[++newargc] = NULL;
 
-  for (i = 0; i < argc + 1; i++)
+  LTWRAPPER_DEBUGPRINTF     (("(main) lt_argv_zero : %s\n", (lt_argv_zero ? lt_argv_zero : "<NULL>")));
+  for (i = 0; i < newargc; i++)
     {
-      LTWRAPPER_DEBUGPRINTF (("(main) newargz[%d]   : %s\n", i, newargz[i]));
+      LTWRAPPER_DEBUGPRINTF (("(main) newargz[%d]   : %s\n", i, (newargz[i] ? newargz[i] : "<NULL>")));
     }
 
 EOF
 
 	    case $host_os in
 	      mingw*)
-		cat <<EOF
+		cat <<"EOF"
   /* execv doesn't actually work on mingw as expected on unix */
-  rval = _spawnv (_P_WAIT, "$lt_newargv0", (const char * const *) newargz);
+  rval = _spawnv (_P_WAIT, lt_argv_zero, (const char * const *) newargz);
   if (rval == -1)
     {
       /* failed to start process */
-      LTWRAPPER_DEBUGPRINTF (("(main) failed to launch target \"$lt_newargv0\": errno = %d\n", errno));
+      LTWRAPPER_DEBUGPRINTF (("(main) failed to launch target \"%s\": errno = %d\n", lt_argv_zero, errno));
       return 127;
     }
   return rval;
-}
 EOF
 		;;
 	      *)
-		cat <<EOF
-  execv ("$lt_newargv0", newargz);
+		cat <<"EOF"
+  execv (lt_argv_zero, newargz);
   return rval; /* =127, but avoids unused variable warning */
-}
 EOF
 		;;
 	    esac
 
 	    cat <<"EOF"
+}
 
 void *
 xmalloc (size_t num)
@@ -3506,6 +3853,177 @@ lt_fatal (const char *message, ...)
   lt_error_core (EXIT_FAILURE, "FATAL", message, ap);
   va_end (ap);
 }
+
+void
+lt_setenv (const char *name, const char *value)
+{
+  LTWRAPPER_DEBUGPRINTF (("(lt_setenv) setting '%s' to '%s'\n",
+                          (name ? name : "<NULL>"),
+                          (value ? value : "<NULL>")));
+  {
+#ifdef HAVE_SETENV
+    /* always make a copy, for consistency with !HAVE_SETENV */
+    char *str = xstrdup (value);
+    setenv (name, str, 1);
+#else
+    int len = strlen (name) + 1 + strlen (value) + 1;
+    char *str = XMALLOC (char, len);
+    sprintf (str, "%s=%s", name, value);
+    if (putenv (str) != EXIT_SUCCESS)
+      {
+        XFREE (str);
+      }
+#endif
+  }
+}
+
+char *
+lt_extend_str (const char *orig_value, const char *add, int to_end)
+{
+  char *new_value;
+  if (orig_value && *orig_value)
+    {
+      int orig_value_len = strlen (orig_value);
+      int add_len = strlen (add);
+      new_value = XMALLOC (char, add_len + orig_value_len + 1);
+      if (to_end)
+        {
+          strcpy (new_value, orig_value);
+          strcpy (new_value + orig_value_len, add);
+        }
+      else
+        {
+          strcpy (new_value, add);
+          strcpy (new_value + add_len, orig_value);
+        }
+    }
+  else
+    {
+      new_value = xstrdup (add);
+    }
+  return new_value;
+}
+
+int
+lt_split_name_value (const char *arg, char** name, char** value)
+{
+  const char *p;
+  int len;
+  if (!arg || !*arg)
+    return 1;
+
+  p = strchr (arg, (int)'=');
+
+  if (!p)
+    return 1;
+
+  *value = xstrdup (++p);
+
+  len = strlen (arg) - strlen (*value);
+  *name = XMALLOC (char, len);
+  strncpy (*name, arg, len-1);
+  (*name)[len - 1] = '\0';
+
+  return 0;
+}
+
+void
+lt_opt_process_env_set (const char *arg)
+{
+  char *name = NULL;
+  char *value = NULL;
+
+  if (lt_split_name_value (arg, &name, &value) != 0)
+    {
+      XFREE (name);
+      XFREE (value);
+      lt_fatal ("bad argument for %s: '%s'", env_set_opt, arg);
+    }
+
+  lt_setenv (name, value);
+  XFREE (name);
+  XFREE (value);
+}
+
+void
+lt_opt_process_env_prepend (const char *arg)
+{
+  char *name = NULL;
+  char *value = NULL;
+  char *new_value = NULL;
+
+  if (lt_split_name_value (arg, &name, &value) != 0)
+    {
+      XFREE (name);
+      XFREE (value);
+      lt_fatal ("bad argument for %s: '%s'", env_prepend_opt, arg);
+    }
+
+  new_value = lt_extend_str (getenv (name), value, 0);
+  lt_setenv (name, new_value);
+  XFREE (new_value);
+  XFREE (name);
+  XFREE (value);
+}
+
+void
+lt_opt_process_env_append (const char *arg)
+{
+  char *name = NULL;
+  char *value = NULL;
+  char *new_value = NULL;
+
+  if (lt_split_name_value (arg, &name, &value) != 0)
+    {
+      XFREE (name);
+      XFREE (value);
+      lt_fatal ("bad argument for %s: '%s'", env_append_opt, arg);
+    }
+
+  new_value = lt_extend_str (getenv (name), value, 1);
+  lt_setenv (name, new_value);
+  XFREE (new_value);
+  XFREE (name);
+  XFREE (value);
+}
+
+void
+lt_update_exe_path (const char *name, const char *value)
+{
+  LTWRAPPER_DEBUGPRINTF (("(lt_update_exe_path) modifying '%s' by prepending '%s'\n",
+                          (name ? name : "<NULL>"),
+                          (value ? value : "<NULL>")));
+
+  if (name && *name && value && *value)
+    {
+      char *new_value = lt_extend_str (getenv (name), value, 0);
+      /* some systems can't cope with a ':'-terminated path #' */
+      int len = strlen (new_value);
+      while (((len = strlen (new_value)) > 0) && IS_PATH_SEPARATOR (new_value[len-1]))
+        {
+          new_value[len-1] = '\0';
+        }
+      lt_setenv (name, new_value);
+      XFREE (new_value);
+    }
+}
+
+void
+lt_update_lib_path (const char *name, const char *value)
+{
+  LTWRAPPER_DEBUGPRINTF (("(lt_update_lib_path) modifying '%s' by prepending '%s'\n",
+                          (name ? name : "<NULL>"),
+                          (value ? value : "<NULL>")));
+
+  if (name && *name && value && *value)
+    {
+      char *new_value = lt_extend_str (getenv (name), value, 0);
+      lt_setenv (name, new_value);
+      XFREE (new_value);
+    }
+}
+
+
 EOF
 }
 # end: func_emit_cwrapperexe_src
@@ -3515,7 +4033,7 @@ func_mode_link ()
 {
     $opt_debug
     case $host in
-    *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2*)
+    *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2* | *-cegcc*)
       # It is impossible to link a dll without this setting, and
       # we shouldn't force the makefile maintainer to figure out
       # which system we are compiling for in order to pass an extra
@@ -3959,6 +4477,13 @@ func_mode_link ()
       -L*)
 	func_stripname '-L' '' "$arg"
 	dir=$func_stripname_result
+	if test -z "$dir"; then
+	  if test "$#" -gt 0; then
+	    func_fatal_error "require no space between \`-L' and \`$1'"
+	  else
+	    func_fatal_error "need path for \`-L' option"
+	  fi
+	fi
 	# We need an absolute path.
 	case $dir in
 	[\\/]* | [A-Za-z]:[\\/]*) ;;
@@ -3977,14 +4502,16 @@ func_mode_link ()
 	  ;;
 	esac
 	case $host in
-	*-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2*)
+	*-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2* | *-cegcc*)
 	  testbindir=`$ECHO "X$dir" | $Xsed -e 's*/lib$*/bin*'`
 	  case :$dllsearchpath: in
 	  *":$dir:"*) ;;
+	  ::) dllsearchpath=$dir;;
 	  *) dllsearchpath="$dllsearchpath:$dir";;
 	  esac
 	  case :$dllsearchpath: in
 	  *":$testbindir:"*) ;;
+	  ::) dllsearchpath=$testbindir;;
 	  *) dllsearchpath="$dllsearchpath:$testbindir";;
 	  esac
 	  ;;
@@ -3995,7 +4522,7 @@ func_mode_link ()
       -l*)
 	if test "X$arg" = "X-lc" || test "X$arg" = "X-lm"; then
 	  case $host in
-	  *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-beos*)
+	  *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-beos* | *-cegcc*)
 	    # These systems don't actually have a C or math library (as such)
 	    continue
 	    ;;
@@ -4072,7 +4599,7 @@ func_mode_link ()
 
       -no-install)
 	case $host in
-	*-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2* | *-*-darwin*)
+	*-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2* | *-*-darwin* | *-cegcc*)
 	  # The PATH hackery in wrapper scripts is required on Windows
 	  # and Darwin in order for the loader to find any dlls it needs.
 	  func_warning "\`-no-install' is ignored for $host"
@@ -5032,7 +5559,7 @@ func_mode_link ()
 	if test -n "$library_names" &&
 	   { test "$use_static_libs" = no || test -z "$old_library"; }; then
 	  case $host in
-	  *cygwin* | *mingw*)
+	  *cygwin* | *mingw* | *cegcc*)
 	      # No point in relinking DLLs because paths are not encoded
 	      notinst_deplibs="$notinst_deplibs $lib"
 	      need_relink=no
@@ -5102,7 +5629,7 @@ func_mode_link ()
 	    elif test -n "$soname_spec"; then
 	      # bleh windows
 	      case $host in
-	      *cygwin* | mingw*)
+	      *cygwin* | mingw* | *cegcc*)
 	        func_arith $current - $age
 		major=$func_arith_result
 		versuffix="-$major"
@@ -5884,7 +6411,7 @@ func_mode_link ()
 	tempremovelist=`$ECHO "$output_objdir/*"`
 	for p in $tempremovelist; do
 	  case $p in
-	    *.$objext)
+	    *.$objext | *.gcno)
 	       ;;
 	    $output_objdir/$outputname | $output_objdir/$libname.* | $output_objdir/${libname}${release}.*)
 	       if test "X$precious_files_regex" != "X"; then
@@ -5955,7 +6482,7 @@ func_mode_link ()
       if test "$build_libtool_libs" = yes; then
 	if test -n "$rpath"; then
 	  case $host in
-	  *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2* | *-*-beos*)
+	  *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2* | *-*-beos* | *-cegcc*)
 	    # these systems don't actually have a c library (as such)!
 	    ;;
 	  *-*-rhapsody* | *-*-darwin1.[012])
@@ -6454,7 +6981,7 @@ EOF
 
 	orig_export_symbols=
 	case $host_os in
-	cygwin* | mingw*)
+	cygwin* | mingw* | cegcc*)
 	  if test -n "$export_symbols" && test -z "$export_symbols_regex"; then
 	    # exporting using user supplied symfile
 	    if test "x`$SED 1q $export_symbols`" != xEXPORTS; then
@@ -7079,14 +7606,16 @@ EOF
 	  esac
 	fi
 	case $host in
-	*-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2*)
+	*-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2* | *-cegcc*)
 	  testbindir=`${ECHO} "$libdir" | ${SED} -e 's*/lib$*/bin*'`
 	  case :$dllsearchpath: in
 	  *":$libdir:"*) ;;
+	  ::) dllsearchpath=$libdir;;
 	  *) dllsearchpath="$dllsearchpath:$libdir";;
 	  esac
 	  case :$dllsearchpath: in
 	  *":$testbindir:"*) ;;
+	  ::) dllsearchpath=$testbindir;;
 	  *) dllsearchpath="$dllsearchpath:$testbindir";;
 	  esac
 	  ;;
@@ -7156,6 +7685,10 @@ EOF
           wrappers_required=no
         fi
         ;;
+      *cegcc)
+        # Disable wrappers for cegcc, we are cross compiling anyway.
+        wrappers_required=no
+        ;;
       *)
         if test "$need_relink" = no || test "$build_libtool_libs" != yes; then
           wrappers_required=no
@@ -7308,11 +7841,10 @@ EOF
 
 	    func_emit_cwrapperexe_src > $cwrappersource
 
-	    # we should really use a build-platform specific compiler
-	    # here, but OTOH, the wrappers (shell script and this C one)
-	    # are only useful if you want to execute the "real" binary.
-	    # Since the "real" binary is built for $host, then this
-	    # wrapper might as well be built for $host, too.
+	    # The wrapper executable is built using the $host compiler,
+	    # because it contains $host paths and files. If cross-
+	    # compiling, it, like the target executable, must be
+	    # executed on the $host or under an emulation environment.
 	    $opt_dry_run || {
 	      $LTCC $LTCFLAGS -o $cwrapper $cwrappersource
 	      $STRIP $cwrapper
@@ -7597,7 +8129,7 @@ EOF
 	  # place dlname in correct position for cygwin
 	  tdlname=$dlname
 	  case $host,$output,$installed,$module,$dlname in
-	    *cygwin*,*lai,yes,no,*.dll | *mingw*,*lai,yes,no,*.dll) tdlname=../bin/$dlname ;;
+	    *cygwin*,*lai,yes,no,*.dll | *mingw*,*lai,yes,no,*.dll | *cegcc*,*lai,yes,no,*.dll) tdlname=../bin/$dlname ;;
 	  esac
 	  $ECHO > $output "\
 # $outputname - a libtool library file
diff --git a/scripts/Makefile.am b/scripts/Makefile.am
index 14e460eab..f8d62b3bc 100644
--- a/scripts/Makefile.am
+++ b/scripts/Makefile.am
@@ -1,13 +1,20 @@
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS =-DIPSEC_PLUGINDIR=\"${plugindir}\"
+AM_CFLAGS = \
+-DIPSEC_PLUGINDIR=\"${plugindir}\" \
+-DSTRONGSWAN_CONF=\"${strongswan_conf}\"
 
-noinst_PROGRAMS = bin2array bin2sql id2sql key2keyid keyid2sql thread_analysis
+noinst_PROGRAMS = bin2array bin2sql id2sql key2keyid keyid2sql \
+	thread_analysis dh_speed pubkey_speed
 bin2array_SOURCES = bin2array.c
 bin2sql_SOURCES = bin2sql.c
 id2sql_SOURCES = id2sql.c
 key2keyid_SOURCES = key2keyid.c
 keyid2sql_SOURCES = keyid2sql.c
 thread_analysis_SOURCES = thread_analysis.c
+dh_speed_SOURCES = dh_speed.c
+pubkey_speed_SOURCES = pubkey_speed.c
 id2sql_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 key2keyid_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 keyid2sql_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
+dh_speed_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -lrt
+pubkey_speed_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -lrt
diff --git a/scripts/Makefile.in b/scripts/Makefile.in
index 8a237e48c..9cd2baa88 100644
--- a/scripts/Makefile.in
+++ b/scripts/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -33,7 +33,8 @@ POST_UNINSTALL = :
 build_triplet = @build@
 host_triplet = @host@
 noinst_PROGRAMS = bin2array$(EXEEXT) bin2sql$(EXEEXT) id2sql$(EXEEXT) \
-	key2keyid$(EXEEXT) keyid2sql$(EXEEXT) thread_analysis$(EXEEXT)
+	key2keyid$(EXEEXT) keyid2sql$(EXEEXT) thread_analysis$(EXEEXT) \
+	dh_speed$(EXEEXT) pubkey_speed$(EXEEXT)
 subdir = scripts
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
@@ -49,6 +50,10 @@ bin2array_LDADD = $(LDADD)
 am_bin2sql_OBJECTS = bin2sql.$(OBJEXT)
 bin2sql_OBJECTS = $(am_bin2sql_OBJECTS)
 bin2sql_LDADD = $(LDADD)
+am_dh_speed_OBJECTS = dh_speed.$(OBJEXT)
+dh_speed_OBJECTS = $(am_dh_speed_OBJECTS)
+dh_speed_DEPENDENCIES =  \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la
 am_id2sql_OBJECTS = id2sql.$(OBJEXT)
 id2sql_OBJECTS = $(am_id2sql_OBJECTS)
 id2sql_DEPENDENCIES =  \
@@ -61,6 +66,10 @@ am_keyid2sql_OBJECTS = keyid2sql.$(OBJEXT)
 keyid2sql_OBJECTS = $(am_keyid2sql_OBJECTS)
 keyid2sql_DEPENDENCIES =  \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la
+am_pubkey_speed_OBJECTS = pubkey_speed.$(OBJEXT)
+pubkey_speed_OBJECTS = $(am_pubkey_speed_OBJECTS)
+pubkey_speed_DEPENDENCIES =  \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la
 am_thread_analysis_OBJECTS = thread_analysis.$(OBJEXT)
 thread_analysis_OBJECTS = $(am_thread_analysis_OBJECTS)
 thread_analysis_LDADD = $(LDADD)
@@ -76,11 +85,12 @@ CCLD = $(CC)
 LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
 	$(LDFLAGS) -o $@
-SOURCES = $(bin2array_SOURCES) $(bin2sql_SOURCES) $(id2sql_SOURCES) \
-	$(key2keyid_SOURCES) $(keyid2sql_SOURCES) \
-	$(thread_analysis_SOURCES)
-DIST_SOURCES = $(bin2array_SOURCES) $(bin2sql_SOURCES) \
+SOURCES = $(bin2array_SOURCES) $(bin2sql_SOURCES) $(dh_speed_SOURCES) \
 	$(id2sql_SOURCES) $(key2keyid_SOURCES) $(keyid2sql_SOURCES) \
+	$(pubkey_speed_SOURCES) $(thread_analysis_SOURCES)
+DIST_SOURCES = $(bin2array_SOURCES) $(bin2sql_SOURCES) \
+	$(dh_speed_SOURCES) $(id2sql_SOURCES) $(key2keyid_SOURCES) \
+	$(keyid2sql_SOURCES) $(pubkey_speed_SOURCES) \
 	$(thread_analysis_SOURCES)
 ETAGS = etags
 CTAGS = ctags
@@ -100,6 +110,7 @@ CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -122,6 +133,9 @@ LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -133,6 +147,7 @@ MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
 NM = @NM@
 NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
@@ -146,6 +161,8 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 RANLIB = @RANLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -206,6 +223,7 @@ oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
 plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -217,21 +235,29 @@ srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -DIPSEC_PLUGINDIR=\"${plugindir}\"
+AM_CFLAGS = \
+-DIPSEC_PLUGINDIR=\"${plugindir}\" \
+-DSTRONGSWAN_CONF=\"${strongswan_conf}\"
+
 bin2array_SOURCES = bin2array.c
 bin2sql_SOURCES = bin2sql.c
 id2sql_SOURCES = id2sql.c
 key2keyid_SOURCES = key2keyid.c
 keyid2sql_SOURCES = keyid2sql.c
 thread_analysis_SOURCES = thread_analysis.c
+dh_speed_SOURCES = dh_speed.c
+pubkey_speed_SOURCES = pubkey_speed.c
 id2sql_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 key2keyid_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 keyid2sql_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
+dh_speed_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -lrt
+pubkey_speed_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -lrt
 all: all-am
 
 .SUFFIXES:
@@ -240,8 +266,8 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
 	    *$$dep*) \
-	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
-		&& exit 0; \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
 	      exit 1;; \
 	  esac; \
 	done; \
@@ -278,6 +304,9 @@ bin2array$(EXEEXT): $(bin2array_OBJECTS) $(bin2array_DEPENDENCIES)
 bin2sql$(EXEEXT): $(bin2sql_OBJECTS) $(bin2sql_DEPENDENCIES) 
 	@rm -f bin2sql$(EXEEXT)
 	$(LINK) $(bin2sql_OBJECTS) $(bin2sql_LDADD) $(LIBS)
+dh_speed$(EXEEXT): $(dh_speed_OBJECTS) $(dh_speed_DEPENDENCIES) 
+	@rm -f dh_speed$(EXEEXT)
+	$(LINK) $(dh_speed_OBJECTS) $(dh_speed_LDADD) $(LIBS)
 id2sql$(EXEEXT): $(id2sql_OBJECTS) $(id2sql_DEPENDENCIES) 
 	@rm -f id2sql$(EXEEXT)
 	$(LINK) $(id2sql_OBJECTS) $(id2sql_LDADD) $(LIBS)
@@ -287,6 +316,9 @@ key2keyid$(EXEEXT): $(key2keyid_OBJECTS) $(key2keyid_DEPENDENCIES)
 keyid2sql$(EXEEXT): $(keyid2sql_OBJECTS) $(keyid2sql_DEPENDENCIES) 
 	@rm -f keyid2sql$(EXEEXT)
 	$(LINK) $(keyid2sql_OBJECTS) $(keyid2sql_LDADD) $(LIBS)
+pubkey_speed$(EXEEXT): $(pubkey_speed_OBJECTS) $(pubkey_speed_DEPENDENCIES) 
+	@rm -f pubkey_speed$(EXEEXT)
+	$(LINK) $(pubkey_speed_OBJECTS) $(pubkey_speed_LDADD) $(LIBS)
 thread_analysis$(EXEEXT): $(thread_analysis_OBJECTS) $(thread_analysis_DEPENDENCIES) 
 	@rm -f thread_analysis$(EXEEXT)
 	$(LINK) $(thread_analysis_OBJECTS) $(thread_analysis_LDADD) $(LIBS)
@@ -299,9 +331,11 @@ distclean-compile:
 
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bin2array.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bin2sql.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/dh_speed.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/id2sql.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/key2keyid.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/keyid2sql.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pubkey_speed.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/thread_analysis.Po@am__quote@
 
 .c.o:
@@ -336,7 +370,7 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
 	mkid -fID $$unique
 tags: TAGS
diff --git a/scripts/dh_speed.c b/scripts/dh_speed.c
new file mode 100644
index 000000000..76dafe752
--- /dev/null
+++ b/scripts/dh_speed.c
@@ -0,0 +1,129 @@
+
+#include <stdio.h>
+#include <time.h>
+#include <library.h>
+#include <debug.h>
+#include <crypto/diffie_hellman.h>
+
+static void usage()
+{
+	printf("usage: dh_speed plugins rounds group1 [group2 [...]]\n");
+	exit(1);
+}
+
+struct {
+	char *name;
+	diffie_hellman_group_t group;
+} groups[] = {
+	{"modp768",		MODP_768_BIT},
+	{"modp1024",	MODP_1024_BIT},
+	{"modp1536",	MODP_1536_BIT},
+	{"modp2048",	MODP_2048_BIT},
+	{"modp3072",	MODP_3072_BIT},
+	{"modp4096",	MODP_4096_BIT},
+	{"modp6144",	MODP_6144_BIT},
+	{"modp8192",	MODP_8192_BIT},
+	{"ecp256",		ECP_256_BIT},
+	{"ecp384",		ECP_384_BIT},
+	{"ecp521",		ECP_521_BIT},
+	{"ecp192",		ECP_192_BIT},
+	{"ecp224",		ECP_224_BIT},
+};
+
+static void start_timing(struct timespec *start)
+{
+	clock_gettime(CLOCK_THREAD_CPUTIME_ID, start);
+}
+
+static double end_timing(struct timespec *start)
+{
+	struct timespec end;
+	
+	clock_gettime(CLOCK_THREAD_CPUTIME_ID, &end);
+	return (end.tv_nsec - start->tv_nsec) / 1000000000.0 +
+			(end.tv_sec - start->tv_sec) * 1.0;
+}
+
+static void run_test(diffie_hellman_group_t group, int rounds)
+{
+	diffie_hellman_t *l[rounds], *r;
+	chunk_t chunk;
+	struct timespec timing;
+	int round;
+	
+	r = lib->crypto->create_dh(lib->crypto, group);
+	if (!r)
+	{
+		printf("skipping %N, not supported\n",
+				diffie_hellman_group_names, group);
+		return;
+	}
+	
+	printf("%N:\t",
+			diffie_hellman_group_names, group);
+	
+	start_timing(&timing);
+	for (round = 0; round < rounds; round++)
+	{
+		l[round] = lib->crypto->create_dh(lib->crypto, group);
+	}
+	printf("A = g^a/s: %8.1f", rounds / end_timing(&timing));
+	
+	for (round = 0; round < rounds; round++)
+	{
+		l[round]->get_my_public_value(l[round], &chunk);
+		r->set_other_public_value(r, chunk);
+		chunk_free(&chunk);
+	}
+	
+	r->get_my_public_value(r, &chunk);
+	start_timing(&timing);
+	for (round = 0; round < rounds; round++)
+	{
+		l[round]->set_other_public_value(l[round], chunk);
+	}
+	printf(" | S = B^a/s: %8.1f\n", rounds / end_timing(&timing));
+	chunk_free(&chunk);
+	
+	for (round = 0; round < rounds; round++)
+	{
+		l[round]->destroy(l[round]);
+	}
+	r->destroy(r);
+}
+
+int main(int argc, char *argv[])
+{
+	int rounds, i, j;
+	
+	if (argc < 4)
+	{
+		usage();
+	}
+	
+	library_init(STRONGSWAN_CONF);
+	lib->plugins->load(lib->plugins, IPSEC_PLUGINDIR, argv[1]);
+	atexit(library_deinit);
+	
+	rounds = atoi(argv[2]);
+	
+	for (i = 3; i < argc; i++)
+	{
+		bool found = FALSE;
+		
+		for (j = 0; j < countof(groups); j++)
+		{
+			if (streq(groups[j].name, argv[i]))
+			{
+				run_test(groups[j].group, rounds);
+				found = TRUE;
+			}
+		}
+		if (!found)
+		{
+			printf("group %s not found\n", argv[i]);
+		}
+	}
+	return 0;
+}
+
diff --git a/scripts/id2sql.c b/scripts/id2sql.c
index 3990e88da..5b0bd1d7d 100644
--- a/scripts/id2sql.c
+++ b/scripts/id2sql.c
@@ -1,6 +1,6 @@
 
 #include <stdio.h>
-#include <library.h>
+#include <utils/identification.h>
 
 /**
  * convert an identity to type and encoding
diff --git a/scripts/key2keyid.c b/scripts/key2keyid.c
index 80c342919..201670e43 100644
--- a/scripts/key2keyid.c
+++ b/scripts/key2keyid.c
@@ -2,6 +2,8 @@
 #include <stdio.h>
 #include <library.h>
 #include <debug.h>
+#include <credentials/keys/private_key.h>
+#include <credentials/keys/public_key.h>
 
 /**
  * print the keyids of a private or public key
diff --git a/scripts/keyid2sql.c b/scripts/keyid2sql.c
index f7d447a78..588bd7ac0 100644
--- a/scripts/keyid2sql.c
+++ b/scripts/keyid2sql.c
@@ -2,6 +2,10 @@
 #include <stdio.h>
 #include <library.h>
 #include <debug.h>
+#include <utils/identification.h>
+#include <credentials/keys/private_key.h>
+#include <credentials/keys/public_key.h>
+
 
 /**
  * print the keyids of a private or public key in sql format
diff --git a/scripts/pubkey_speed.c b/scripts/pubkey_speed.c
new file mode 100644
index 000000000..86a4e105b
--- /dev/null
+++ b/scripts/pubkey_speed.c
@@ -0,0 +1,148 @@
+
+#include <stdio.h>
+#include <time.h>
+#include <library.h>
+#include <debug.h>
+#include <credentials/keys/private_key.h>
+#include <asn1/pem.h>
+
+void start_timing(struct timespec *start)
+{
+	clock_gettime(CLOCK_THREAD_CPUTIME_ID, start);
+}
+
+double end_timing(struct timespec *start)
+{
+	struct timespec end;
+	
+	clock_gettime(CLOCK_THREAD_CPUTIME_ID, &end);
+	return (end.tv_nsec - start->tv_nsec) / 1000000000.0 +
+			(end.tv_sec - start->tv_sec) * 1.0;
+}
+
+static void usage()
+{
+	printf("usage: pubkey_speed plugins rsa|ecdsa rounds\n");
+	exit(1);
+}
+
+static char data_buf[] = {0x01,0x02,0x03,0x04,0x05,0x06,0x07};
+
+int main(int argc, char *argv[])
+{
+	private_key_t *private;
+	public_key_t *public;
+	struct timespec timing;
+	int round, rounds, read;
+	char buf[8096], *pos = buf;
+	key_type_t type = KEY_ANY;
+	signature_scheme_t scheme = SIGN_UNKNOWN;
+	chunk_t keydata, *sigs, data = chunk_from_buf(data_buf);
+	
+	if (argc < 4)
+	{
+		usage();
+	}
+	
+	rounds = atoi(argv[3]);
+	
+	if (streq(argv[2], "rsa"))
+	{
+		type = KEY_RSA;
+		scheme = SIGN_RSA_EMSA_PKCS1_SHA1;
+	}
+	else if (streq(argv[2], "ecdsa"))
+	{
+		type = KEY_ECDSA;
+	}
+	else
+	{
+		usage();
+	}
+	
+	library_init(STRONGSWAN_CONF);
+	lib->plugins->load(lib->plugins, IPSEC_PLUGINDIR, argv[1]);
+	atexit(library_deinit);
+	
+	keydata = chunk_create(buf, 0);
+	while ((read = fread(pos, 1, sizeof(buf) - (pos - buf), stdin)))
+	{
+		pos += read;
+		keydata.len += read;
+	}
+	if (pem_to_bin(&keydata, chunk_empty, NULL) != SUCCESS)
+	{
+		printf("converting PEM private key failed.\n");
+		exit(1);
+	}
+	
+	private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type,
+								 BUILD_BLOB_ASN1_DER, keydata, BUILD_END);
+	if (!private)
+	{
+		printf("parsing private key failed.\n");
+		exit(1);
+	}
+	if (type == KEY_ECDSA)
+	{
+		switch (private->get_keysize(private))
+		{
+			case 32:
+				scheme = SIGN_ECDSA_256; 
+				break;
+			case 48:
+				scheme = SIGN_ECDSA_384;
+				break;
+			case 66:
+				scheme = SIGN_ECDSA_521;
+				break;
+			default:
+				printf("%d bit ECDSA private key size not supported",
+						private->get_keysize(private) * 8);
+				exit(1);
+		}
+	}
+	
+	printf("%4d bit %N: ", private->get_keysize(private)*8,
+		key_type_names, type);
+	
+	sigs = malloc(sizeof(chunk_t) * rounds);
+	
+	start_timing(&timing);
+	for (round = 0; round < rounds; round++)
+	{
+		if (!private->sign(private, scheme, data, &sigs[round]))
+		{
+			printf("creating signature failed\n");
+			exit(1);
+		}
+	};
+	printf("sign()/s: %8.1f   ", rounds / end_timing(&timing));
+	
+	public = private->get_public_key(private);
+	if (!public)
+	{
+		printf("extracting public key failed\n");
+		exit(1);
+	}
+	start_timing(&timing);
+	for (round = 0; round < rounds; round++)
+	{
+		if (!public->verify(public, scheme, data, sigs[round]))
+		{
+			printf("signature verification failed\n");
+			exit(1);
+		}
+	}
+	printf("verify()/s: %8.1f\n", rounds / end_timing(&timing));
+	public->destroy(public);
+	private->destroy(private);
+	
+	for (round = 0; round < rounds; round++)
+	{
+		free(sigs[round].ptr);
+	}
+	free(sigs);
+	return 0;
+}
+
diff --git a/src/Makefile.am b/src/Makefile.am
index 913099c23..09eb13fe3 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -1,15 +1,15 @@
 SUBDIRS = . include
 
-if USE_FILE_CONFIG
-  SUBDIRS += libfreeswan starter ipsec _copyright
-endif
-
 if USE_LIBSTRONGSWAN
   SUBDIRS += libstrongswan
 endif
 
+if USE_FILE_CONFIG
+  SUBDIRS += libfreeswan starter ipsec _copyright
+endif
+
 if USE_PLUTO
-  SUBDIRS += libcrypto pluto whack
+  SUBDIRS += pluto whack
 endif
 
 if USE_CHARON
@@ -25,7 +25,7 @@ if USE_UPDOWN
 endif
 
 if USE_TOOLS
-  SUBDIRS += libcrypto openac scepclient
+  SUBDIRS += openac scepclient
 endif
 
 if USE_DUMM
diff --git a/src/Makefile.in b/src/Makefile.in
index 7dab32d21..26046e6a1 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -31,13 +31,13 @@ PRE_UNINSTALL = :
 POST_UNINSTALL = :
 build_triplet = @build@
 host_triplet = @host@
-@USE_FILE_CONFIG_TRUE@am__append_1 = libfreeswan starter ipsec _copyright
-@USE_LIBSTRONGSWAN_TRUE@am__append_2 = libstrongswan
-@USE_PLUTO_TRUE@am__append_3 = libcrypto pluto whack
+@USE_LIBSTRONGSWAN_TRUE@am__append_1 = libstrongswan
+@USE_FILE_CONFIG_TRUE@am__append_2 = libfreeswan starter ipsec _copyright
+@USE_PLUTO_TRUE@am__append_3 = pluto whack
 @USE_CHARON_TRUE@am__append_4 = charon
 @USE_STROKE_TRUE@am__append_5 = stroke
 @USE_UPDOWN_TRUE@am__append_6 = _updown _updown_espmark
-@USE_TOOLS_TRUE@am__append_7 = libcrypto openac scepclient
+@USE_TOOLS_TRUE@am__append_7 = openac scepclient
 @USE_DUMM_TRUE@am__append_8 = dumm
 @USE_FAST_TRUE@am__append_9 = libfast
 @USE_MANAGER_TRUE@am__append_10 = manager
@@ -63,9 +63,9 @@ RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive	\
   distclean-recursive maintainer-clean-recursive
 ETAGS = etags
 CTAGS = ctags
-DIST_SUBDIRS = . include libfreeswan starter ipsec _copyright \
-	libstrongswan libcrypto pluto whack charon stroke _updown \
-	_updown_espmark openac scepclient dumm libfast manager medsrv
+DIST_SUBDIRS = . include libstrongswan libfreeswan starter ipsec \
+	_copyright pluto whack charon stroke _updown _updown_espmark \
+	openac scepclient dumm libfast manager medsrv
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 AMTAR = @AMTAR@
@@ -82,6 +82,7 @@ CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -104,6 +105,9 @@ LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -115,6 +119,7 @@ MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
 NM = @NM@
 NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
@@ -128,6 +133,8 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 RANLIB = @RANLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -188,6 +195,7 @@ oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
 plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -199,6 +207,7 @@ srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 xml_CFLAGS = @xml_CFLAGS@
@@ -215,8 +224,8 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
 	    *$$dep*) \
-	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
-		&& exit 0; \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
 	      exit 1;; \
 	  esac; \
 	done; \
@@ -322,7 +331,7 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
 	mkid -fID $$unique
 tags: TAGS
diff --git a/src/_copyright/Makefile.am b/src/_copyright/Makefile.am
index 00d5fb2ff..33c4ffc23 100644
--- a/src/_copyright/Makefile.am
+++ b/src/_copyright/Makefile.am
@@ -2,5 +2,8 @@ ipsec_PROGRAMS = _copyright
 _copyright_SOURCES = _copyright.c
 dist_man8_MANS = _copyright.8
 
-INCLUDES = -I$(top_srcdir)/src/libfreeswan
-_copyright_LDADD = $(top_builddir)/src/libfreeswan/libfreeswan.a
+INCLUDES = \
+-I$(top_srcdir)/src/libfreeswan \
+-I$(top_srcdir)/src/libstrongswan
+
+_copyright_LDADD = $(top_builddir)/src/libfreeswan/libfreeswan.a $(top_builddir)/src/libstrongswan/libstrongswan.la
diff --git a/src/_copyright/Makefile.in b/src/_copyright/Makefile.in
index c86e56bce..9f178fdfa 100644
--- a/src/_copyright/Makefile.in
+++ b/src/_copyright/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -48,7 +48,8 @@ PROGRAMS = $(ipsec_PROGRAMS)
 am__copyright_OBJECTS = _copyright.$(OBJEXT)
 _copyright_OBJECTS = $(am__copyright_OBJECTS)
 _copyright_DEPENDENCIES =  \
-	$(top_builddir)/src/libfreeswan/libfreeswan.a
+	$(top_builddir)/src/libfreeswan/libfreeswan.a \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
@@ -84,6 +85,7 @@ CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -106,6 +108,9 @@ LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -117,6 +122,7 @@ MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
 NM = @NM@
 NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
@@ -130,6 +136,8 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 RANLIB = @RANLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -190,6 +198,7 @@ oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
 plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -201,14 +210,18 @@ srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 _copyright_SOURCES = _copyright.c
 dist_man8_MANS = _copyright.8
-INCLUDES = -I$(top_srcdir)/src/libfreeswan
-_copyright_LDADD = $(top_builddir)/src/libfreeswan/libfreeswan.a
+INCLUDES = \
+-I$(top_srcdir)/src/libfreeswan \
+-I$(top_srcdir)/src/libstrongswan
+
+_copyright_LDADD = $(top_builddir)/src/libfreeswan/libfreeswan.a $(top_builddir)/src/libstrongswan/libstrongswan.la
 all: all-am
 
 .SUFFIXES:
@@ -217,8 +230,8 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
 	    *$$dep*) \
-	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
-		&& exit 0; \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
 	      exit 1;; \
 	  esac; \
 	done; \
@@ -319,8 +332,8 @@ install-man8: $(man8_MANS) $(man_MANS)
 	  esac; \
 	done; \
 	for i in $$list; do \
-	  if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
-	  else file=$$i; fi; \
+	  if test -f $$i; then file=$$i; \
+	  else file=$(srcdir)/$$i; fi; \
 	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
 	  case "$$ext" in \
 	    8*) ;; \
@@ -359,7 +372,7 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
 	mkid -fID $$unique
 tags: TAGS
diff --git a/src/_copyright/_copyright.8 b/src/_copyright/_copyright.8
index a0358750a..99386254b 100644
--- a/src/_copyright/_copyright.8
+++ b/src/_copyright/_copyright.8
@@ -1,7 +1,4 @@
 .TH _COPYRIGHT 8 "25 Apr 2002"
-.\"
-.\" RCSID $Id: _copyright.8 3266 2007-10-08 19:57:37Z andreas $
-.\"
 .SH NAME
 ipsec _copyright \- prints FreeSWAN copyright
 .SH DESCRIPTION
diff --git a/src/_copyright/_copyright.c b/src/_copyright/_copyright.c
index ff4294f81..5abefd4f1 100644
--- a/src/_copyright/_copyright.c
+++ b/src/_copyright/_copyright.c
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: _copyright.c 3266 2007-10-08 19:57:37Z andreas $
  */
 
 #include <sys/types.h>
@@ -39,7 +37,6 @@ main(int argc, char *argv[])
 	int opt;
 	extern int optind;
 	int errflg = 0;
-	const char *version = ipsec_version_code();
 	const char **notice = ipsec_copyright_notice();
 	const char **co;
 
@@ -50,7 +47,7 @@ main(int argc, char *argv[])
 			exit(0);
 			break;
 		case 'v':	/* version */
-			printf("%s %s\n", me, version);
+			printf("%s strongSwan "VERSION"\n", me);
 			exit(0);
 			break;
 		case '?':
diff --git a/src/_updown/Makefile.am b/src/_updown/Makefile.am
index 9fd592797..5fc04ab88 100644
--- a/src/_updown/Makefile.am
+++ b/src/_updown/Makefile.am
@@ -8,5 +8,5 @@ _updown : _updown.in
 	-e "s:@IPSEC_SBINDIR@:$(sbindir):" \
 	-e "s:\@IPSEC_ROUTING_TABLE\@:$(IPSEC_ROUTING_TABLE):" \
 	-e "s:\@IPSEC_ROUTING_TABLE_PRIO\@:$(IPSEC_ROUTING_TABLE_PRIO):" \
-	$< > $@
+	$(srcdir)/$@.in > $@
 	chmod +x $@
diff --git a/src/_updown/Makefile.in b/src/_updown/Makefile.in
index 059c56383..3db887ef0 100644
--- a/src/_updown/Makefile.in
+++ b/src/_updown/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -65,6 +65,7 @@ CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -87,6 +88,9 @@ LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -98,6 +102,7 @@ MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
 NM = @NM@
 NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
@@ -111,6 +116,8 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 RANLIB = @RANLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -171,6 +178,7 @@ oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
 plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -182,6 +190,7 @@ srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 xml_CFLAGS = @xml_CFLAGS@
@@ -197,8 +206,8 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
 	    *$$dep*) \
-	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
-		&& exit 0; \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
 	      exit 1;; \
 	  esac; \
 	done; \
@@ -258,8 +267,8 @@ install-man8: $(man8_MANS) $(man_MANS)
 	  esac; \
 	done; \
 	for i in $$list; do \
-	  if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
-	  else file=$$i; fi; \
+	  if test -f $$i; then file=$$i; \
+	  else file=$(srcdir)/$$i; fi; \
 	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
 	  case "$$ext" in \
 	    8*) ;; \
@@ -434,7 +443,7 @@ _updown : _updown.in
 	-e "s:@IPSEC_SBINDIR@:$(sbindir):" \
 	-e "s:\@IPSEC_ROUTING_TABLE\@:$(IPSEC_ROUTING_TABLE):" \
 	-e "s:\@IPSEC_ROUTING_TABLE_PRIO\@:$(IPSEC_ROUTING_TABLE_PRIO):" \
-	$< > $@
+	$(srcdir)/$@.in > $@
 	chmod +x $@
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
diff --git a/src/_updown/_updown.8 b/src/_updown/_updown.8
index 0f7b17ba5..8c88e5fb8 100644
--- a/src/_updown/_updown.8
+++ b/src/_updown/_updown.8
@@ -1,7 +1,4 @@
 .TH _UPDOWN 8 "27 Apr 2006"
-.\"
-.\" RCSID $Id: _updown.8 3268 2007-10-08 19:59:18Z andreas $
-.\"
 .SH NAME
 ipsec _updown \- route and firewall manipulation script
 .SH SYNOPSIS
diff --git a/src/_updown/_updown.in b/src/_updown/_updown.in
index d71317e60..838842d06 100644
--- a/src/_updown/_updown.in
+++ b/src/_updown/_updown.in
@@ -15,8 +15,6 @@
 # WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 # or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 # for more details.
-#
-# RCSID $Id: _updown.in 4187 2008-07-18 10:04:40Z andreas $
 
 # CAUTION:  Installing a new version of strongSwan will install a new
 # copy of this script, wiping out any custom changes you make.  If
@@ -35,7 +33,7 @@
 #              specifies the name of the operation to be performed
 #              (prepare-host, prepare-client, up-host, up-client,
 #              down-host, or down-client).  If the address family
-#              for security gateway to security gateway communica­
+#              for security gateway to security gateway communica-
 #              tions is IPv6, then a suffix of -v6 is added to the
 #              verb.
 #
@@ -95,7 +93,7 @@
 #              is the CA which issued the cert of our peer.
 #
 #       PLUTO_PEER_CLIENT
-#              is the IP address / count of the peer's client sub­
+#              is the IP address / count of the peer's client sub-
 #              net.   If the client is just the peer, this will be
 #              the peer's own IP address / max (where  max  is  32
 #              for IPv4 and 128 for IPv6).
@@ -207,15 +205,12 @@ doroute() {
 
 	if [ -z "$PLUTO_MY_SOURCEIP" ]
 	then
-	    if [ -f /etc/sysconfig/defaultsource ]
-	    then
-		. /etc/sysconfig/defaultsource
-	    fi
-
-	    if [ -f /etc/conf.d/defaultsource ]
-	    then
-		. /etc/conf.d/defaultsource
-	    fi
+	    for dir in /etc/sysconfig /etc/conf.d; do
+		if [ -f "$dir/defaultsource" ]
+		then
+		    . "$dir/defaultsource"
+		fi
+	    done
 
 	    if [ -n "$DEFAULTSOURCE" ]
 	    then
diff --git a/src/_updown_espmark/Makefile.in b/src/_updown_espmark/Makefile.in
index 7838e94ac..2852b7e67 100644
--- a/src/_updown_espmark/Makefile.in
+++ b/src/_updown_espmark/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -65,6 +65,7 @@ CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -87,6 +88,9 @@ LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -98,6 +102,7 @@ MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
 NM = @NM@
 NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
@@ -111,6 +116,8 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 RANLIB = @RANLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -171,6 +178,7 @@ oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
 plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -182,6 +190,7 @@ srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 xml_CFLAGS = @xml_CFLAGS@
@@ -195,8 +204,8 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
 	    *$$dep*) \
-	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
-		&& exit 0; \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
 	      exit 1;; \
 	  esac; \
 	done; \
@@ -256,8 +265,8 @@ install-man8: $(man8_MANS) $(man_MANS)
 	  esac; \
 	done; \
 	for i in $$list; do \
-	  if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
-	  else file=$$i; fi; \
+	  if test -f $$i; then file=$$i; \
+	  else file=$(srcdir)/$$i; fi; \
 	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
 	  case "$$ext" in \
 	    8*) ;; \
diff --git a/src/_updown_espmark/_updown_espmark b/src/_updown_espmark/_updown_espmark
index fbaf30132..74de0722d 100644
--- a/src/_updown_espmark/_updown_espmark
+++ b/src/_updown_espmark/_updown_espmark
@@ -15,8 +15,6 @@
 # WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 # or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 # for more details.
-#
-# RCSID $Id: _updown_espmark 4187 2008-07-18 10:04:40Z andreas $
 
 
 
@@ -38,7 +36,7 @@
 #              specifies the name of the operation to be performed
 #              (prepare-host, prepare-client, up-host, up-client,
 #              down-host, or down-client).  If the address family
-#              for security gateway to security gateway communica­
+#              for security gateway to security gateway communica-
 #              tions is IPv6, then a suffix of -v6 is added to the
 #              verb.
 #
@@ -95,7 +93,7 @@
 #              is the CA which issued the cert of our peer.
 #
 #       PLUTO_PEER_CLIENT
-#              is the IP address / count of the peer's client sub­
+#              is the IP address / count of the peer's client sub-
 #              net.   If the client is just the peer, this will be
 #              the peer's own IP address / max (where  max  is  32
 #              for IPv4 and 128 for IPv6).
@@ -201,15 +199,12 @@ doroute() {
 
 	if [ -z "$PLUTO_MY_SOURCEIP" ]
 	then
-	    if [ -f /etc/sysconfig/defaultsource ]
-	    then
-		. /etc/sysconfig/defaultsource
-	    fi
-
-	    if [ -f /etc/conf.d/defaultsource ]
-	    then
-		. /etc/conf.d/defaultsource
-	    fi
+            for dir in /etc/sysconfig /etc/conf.d; do
+                if [ -f "$dir/defaultsource" ]
+                then
+                    . "$dir/defaultsource"
+                fi
+            done
 
 	    if [ -n "$DEFAULTSOURCE" ]
 	    then
diff --git a/src/_updown_espmark/_updown_espmark.8 b/src/_updown_espmark/_updown_espmark.8
index 07db3b548..34383cb8e 100644
--- a/src/_updown_espmark/_updown_espmark.8
+++ b/src/_updown_espmark/_updown_espmark.8
@@ -1,7 +1,4 @@
 .TH _UPDOWN_ESPMARK 8 "7 Apr 2005"
-.\"
-.\" RCSID $Id: _updown_espmark.8 3268 2007-10-08 19:59:18Z andreas $
-.\"
 .SH NAME
 ipsec _updown_espmark \- manages routes and firewall rules
 .SH SYNOPSIS
diff --git a/src/charon/Makefile.am b/src/charon/Makefile.am
index 9da2b238a..3b5b9c068 100644
--- a/src/charon/Makefile.am
+++ b/src/charon/Makefile.am
@@ -9,8 +9,10 @@ config/child_cfg.c config/child_cfg.h \
 config/ike_cfg.c config/ike_cfg.h \
 config/peer_cfg.c config/peer_cfg.h \
 config/proposal.c config/proposal.h \
+config/auth_cfg.c config/auth_cfg.h \
 config/traffic_selector.c config/traffic_selector.h \
 config/attributes/attribute_provider.h \
+config/attributes/attribute_handler.h \
 config/attributes/attribute_manager.c config/attributes/attribute_manager.h \
 control/controller.c control/controller.h \
 daemon.c daemon.h \
@@ -76,6 +78,7 @@ sa/ike_sa_id.c sa/ike_sa_id.h \
 sa/ike_sa_manager.c sa/ike_sa_manager.h \
 sa/task_manager.c sa/task_manager.h \
 sa/keymat.c sa/keymat.h \
+sa/trap_manager.c sa/trap_manager.h \
 sa/tasks/child_create.c sa/tasks/child_create.h \
 sa/tasks/child_delete.c sa/tasks/child_delete.h \
 sa/tasks/child_rekey.c sa/tasks/child_rekey.h \
@@ -93,8 +96,7 @@ sa/tasks/ike_reauth.c sa/tasks/ike_reauth.h \
 sa/tasks/ike_auth_lifetime.c sa/tasks/ike_auth_lifetime.h \
 sa/tasks/task.c sa/tasks/task.h \
 credentials/credential_manager.c credentials/credential_manager.h \
-credentials/auth_info.c credentials/auth_info.h \
-credentials/sets/auth_info_wrapper.c credentials/sets/auth_info_wrapper.h \
+credentials/sets/auth_cfg_wrapper.c credentials/sets/auth_cfg_wrapper.h \
 credentials/sets/ocsp_response_wrapper.c credentials/sets/ocsp_response_wrapper.h \
 credentials/sets/cert_cache.c credentials/sets/cert_cache.h \
 credentials/credential_set.h
@@ -104,9 +106,8 @@ AM_CFLAGS = -rdynamic \
   -DIPSEC_DIR=\"${ipsecdir}\" \
   -DIPSEC_PIDDIR=\"${piddir}\" \
   -DIPSEC_PLUGINDIR=\"${plugindir}\" \
-  -DSTRONGSWAN_CONF=\"${strongswan_conf}\" \
-  -DRESOLV_CONF=\"${resolv_conf}\"
-charon_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -lpthread -lm -ldl
+  -DSTRONGSWAN_CONF=\"${strongswan_conf}\"
+charon_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -lpthread -lm $(DLLIB)
 
 # compile options
 #################
@@ -131,10 +132,6 @@ if USE_INTEGRITY_TEST
   AM_CFLAGS += -DINTEGRITY_TEST
 endif
 
-if USE_SELF_TEST
-  AM_CFLAGS += -DSELF_TEST
-endif
-
 if USE_CAPABILITIES
   charon_LDADD += -lcap
 endif
@@ -156,6 +153,11 @@ if USE_KERNEL_PFKEY
   PLUGINS += kernel-pfkey
 endif
 
+if USE_KERNEL_PFROUTE
+  SUBDIRS += plugins/kernel_pfroute
+  PLUGINS += kernel-pfroute
+endif
+
 if USE_KERNEL_KLIPS
   SUBDIRS += plugins/kernel_klips
   PLUGINS += kernel-klips
@@ -186,6 +188,11 @@ if USE_UPDOWN
   PLUGINS += updown
 endif
 
+if USE_ATTR
+  SUBDIRS += plugins/attr
+  PLUGINS += attr
+endif
+
 if USE_EAP_IDENTITY
   SUBDIRS += plugins/eap_identity
   PLUGINS += eapidentity
@@ -241,6 +248,11 @@ if USE_NM
   PLUGINS += nm
 endif
 
+if USE_RESOLV_CONF
+  SUBDIRS += plugins/resolv_conf
+  PLUGINS += resolv-conf
+endif
+
 if USE_UCI
   SUBDIRS += plugins/uci
   PLUGINS += uci
diff --git a/src/charon/Makefile.in b/src/charon/Makefile.in
index f74577c8c..77884d50e 100644
--- a/src/charon/Makefile.in
+++ b/src/charon/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -48,50 +48,55 @@ ipsec_PROGRAMS = charon$(EXEEXT)
 @USE_ME_TRUE@    sa/tasks/ike_me.c sa/tasks/ike_me.h
 
 @USE_INTEGRITY_TEST_TRUE@am__append_4 = -DINTEGRITY_TEST
-@USE_SELF_TEST_TRUE@am__append_5 = -DSELF_TEST
-@USE_CAPABILITIES_TRUE@am__append_6 = -lcap
-@USE_LOAD_TESTS_TRUE@am__append_7 = plugins/load_tester
-@USE_LOAD_TESTS_TRUE@am__append_8 = load-tester
-@USE_KERNEL_PFKEY_TRUE@am__append_9 = plugins/kernel_pfkey
-@USE_KERNEL_PFKEY_TRUE@am__append_10 = kernel-pfkey
-@USE_KERNEL_KLIPS_TRUE@am__append_11 = plugins/kernel_klips
-@USE_KERNEL_KLIPS_TRUE@am__append_12 = kernel-klips
-@USE_KERNEL_NETLINK_TRUE@am__append_13 = plugins/kernel_netlink
-@USE_KERNEL_NETLINK_TRUE@am__append_14 = kernel-netlink
-@USE_STROKE_TRUE@am__append_15 = plugins/stroke
-@USE_STROKE_TRUE@am__append_16 = stroke
-@USE_SMP_TRUE@am__append_17 = plugins/smp
-@USE_SMP_TRUE@am__append_18 = smp
-@USE_SQL_TRUE@am__append_19 = plugins/sql
-@USE_SQL_TRUE@am__append_20 = sql
-@USE_UPDOWN_TRUE@am__append_21 = plugins/updown
-@USE_UPDOWN_TRUE@am__append_22 = updown
-@USE_EAP_IDENTITY_TRUE@am__append_23 = plugins/eap_identity
-@USE_EAP_IDENTITY_TRUE@am__append_24 = eapidentity
-@USE_EAP_SIM_TRUE@am__append_25 = plugins/eap_sim
-@USE_EAP_SIM_TRUE@am__append_26 = eapsim
-@USE_EAP_SIM_FILE_TRUE@am__append_27 = plugins/eap_sim_file
-@USE_EAP_SIM_FILE_TRUE@am__append_28 = eapsim-file
-@USE_EAP_MD5_TRUE@am__append_29 = plugins/eap_md5
-@USE_EAP_MD5_TRUE@am__append_30 = eapmd5
-@USE_EAP_GTC_TRUE@am__append_31 = plugins/eap_gtc
-@USE_EAP_GTC_TRUE@am__append_32 = eapgtc
-@USE_EAP_AKA_TRUE@am__append_33 = plugins/eap_aka
-@USE_EAP_AKA_TRUE@am__append_34 = eapaka
-@USE_EAP_MSCHAPV2_TRUE@am__append_35 = plugins/eap_mschapv2
-@USE_EAP_MSCHAPV2_TRUE@am__append_36 = eapmschapv2
-@USE_EAP_RADIUS_TRUE@am__append_37 = plugins/eap_radius
-@USE_EAP_RADIUS_TRUE@am__append_38 = eapradius
-@USE_MEDSRV_TRUE@am__append_39 = plugins/medsrv
-@USE_MEDSRV_TRUE@am__append_40 = medsrv
-@USE_MEDCLI_TRUE@am__append_41 = plugins/medcli
-@USE_MEDCLI_TRUE@am__append_42 = medcli
-@USE_NM_TRUE@am__append_43 = plugins/nm
-@USE_NM_TRUE@am__append_44 = nm
-@USE_UCI_TRUE@am__append_45 = plugins/uci
-@USE_UCI_TRUE@am__append_46 = uci
-@USE_UNIT_TESTS_TRUE@am__append_47 = plugins/unit_tester
-@USE_UNIT_TESTS_TRUE@am__append_48 = unit-tester
+@USE_CAPABILITIES_TRUE@am__append_5 = -lcap
+@USE_LOAD_TESTS_TRUE@am__append_6 = plugins/load_tester
+@USE_LOAD_TESTS_TRUE@am__append_7 = load-tester
+@USE_KERNEL_PFKEY_TRUE@am__append_8 = plugins/kernel_pfkey
+@USE_KERNEL_PFKEY_TRUE@am__append_9 = kernel-pfkey
+@USE_KERNEL_PFROUTE_TRUE@am__append_10 = plugins/kernel_pfroute
+@USE_KERNEL_PFROUTE_TRUE@am__append_11 = kernel-pfroute
+@USE_KERNEL_KLIPS_TRUE@am__append_12 = plugins/kernel_klips
+@USE_KERNEL_KLIPS_TRUE@am__append_13 = kernel-klips
+@USE_KERNEL_NETLINK_TRUE@am__append_14 = plugins/kernel_netlink
+@USE_KERNEL_NETLINK_TRUE@am__append_15 = kernel-netlink
+@USE_STROKE_TRUE@am__append_16 = plugins/stroke
+@USE_STROKE_TRUE@am__append_17 = stroke
+@USE_SMP_TRUE@am__append_18 = plugins/smp
+@USE_SMP_TRUE@am__append_19 = smp
+@USE_SQL_TRUE@am__append_20 = plugins/sql
+@USE_SQL_TRUE@am__append_21 = sql
+@USE_UPDOWN_TRUE@am__append_22 = plugins/updown
+@USE_UPDOWN_TRUE@am__append_23 = updown
+@USE_ATTR_TRUE@am__append_24 = plugins/attr
+@USE_ATTR_TRUE@am__append_25 = attr
+@USE_EAP_IDENTITY_TRUE@am__append_26 = plugins/eap_identity
+@USE_EAP_IDENTITY_TRUE@am__append_27 = eapidentity
+@USE_EAP_SIM_TRUE@am__append_28 = plugins/eap_sim
+@USE_EAP_SIM_TRUE@am__append_29 = eapsim
+@USE_EAP_SIM_FILE_TRUE@am__append_30 = plugins/eap_sim_file
+@USE_EAP_SIM_FILE_TRUE@am__append_31 = eapsim-file
+@USE_EAP_MD5_TRUE@am__append_32 = plugins/eap_md5
+@USE_EAP_MD5_TRUE@am__append_33 = eapmd5
+@USE_EAP_GTC_TRUE@am__append_34 = plugins/eap_gtc
+@USE_EAP_GTC_TRUE@am__append_35 = eapgtc
+@USE_EAP_AKA_TRUE@am__append_36 = plugins/eap_aka
+@USE_EAP_AKA_TRUE@am__append_37 = eapaka
+@USE_EAP_MSCHAPV2_TRUE@am__append_38 = plugins/eap_mschapv2
+@USE_EAP_MSCHAPV2_TRUE@am__append_39 = eapmschapv2
+@USE_EAP_RADIUS_TRUE@am__append_40 = plugins/eap_radius
+@USE_EAP_RADIUS_TRUE@am__append_41 = eapradius
+@USE_MEDSRV_TRUE@am__append_42 = plugins/medsrv
+@USE_MEDSRV_TRUE@am__append_43 = medsrv
+@USE_MEDCLI_TRUE@am__append_44 = plugins/medcli
+@USE_MEDCLI_TRUE@am__append_45 = medcli
+@USE_NM_TRUE@am__append_46 = plugins/nm
+@USE_NM_TRUE@am__append_47 = nm
+@USE_RESOLV_CONF_TRUE@am__append_48 = plugins/resolv_conf
+@USE_RESOLV_CONF_TRUE@am__append_49 = resolv-conf
+@USE_UCI_TRUE@am__append_50 = plugins/uci
+@USE_UCI_TRUE@am__append_51 = uci
+@USE_UNIT_TESTS_TRUE@am__append_52 = plugins/unit_tester
+@USE_UNIT_TESTS_TRUE@am__append_53 = unit-tester
 subdir = src/charon
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
@@ -110,8 +115,10 @@ am__charon_SOURCES_DIST = bus/bus.c bus/bus.h \
 	config/backend.h config/child_cfg.c config/child_cfg.h \
 	config/ike_cfg.c config/ike_cfg.h config/peer_cfg.c \
 	config/peer_cfg.h config/proposal.c config/proposal.h \
-	config/traffic_selector.c config/traffic_selector.h \
+	config/auth_cfg.c config/auth_cfg.h config/traffic_selector.c \
+	config/traffic_selector.h \
 	config/attributes/attribute_provider.h \
+	config/attributes/attribute_handler.h \
 	config/attributes/attribute_manager.c \
 	config/attributes/attribute_manager.h control/controller.c \
 	control/controller.h daemon.c daemon.h encoding/generator.c \
@@ -199,10 +206,10 @@ am__charon_SOURCES_DIST = bus/bus.c bus/bus.h \
 	sa/child_sa.h sa/ike_sa.c sa/ike_sa.h sa/ike_sa_id.c \
 	sa/ike_sa_id.h sa/ike_sa_manager.c sa/ike_sa_manager.h \
 	sa/task_manager.c sa/task_manager.h sa/keymat.c sa/keymat.h \
-	sa/tasks/child_create.c sa/tasks/child_create.h \
-	sa/tasks/child_delete.c sa/tasks/child_delete.h \
-	sa/tasks/child_rekey.c sa/tasks/child_rekey.h \
-	sa/tasks/ike_auth.c sa/tasks/ike_auth.h \
+	sa/trap_manager.c sa/trap_manager.h sa/tasks/child_create.c \
+	sa/tasks/child_create.h sa/tasks/child_delete.c \
+	sa/tasks/child_delete.h sa/tasks/child_rekey.c \
+	sa/tasks/child_rekey.h sa/tasks/ike_auth.c sa/tasks/ike_auth.h \
 	sa/tasks/ike_cert_pre.c sa/tasks/ike_cert_pre.h \
 	sa/tasks/ike_cert_post.c sa/tasks/ike_cert_post.h \
 	sa/tasks/ike_config.c sa/tasks/ike_config.h \
@@ -214,9 +221,9 @@ am__charon_SOURCES_DIST = bus/bus.c bus/bus.h \
 	sa/tasks/ike_reauth.h sa/tasks/ike_auth_lifetime.c \
 	sa/tasks/ike_auth_lifetime.h sa/tasks/task.c sa/tasks/task.h \
 	credentials/credential_manager.c \
-	credentials/credential_manager.h credentials/auth_info.c \
-	credentials/auth_info.h credentials/sets/auth_info_wrapper.c \
-	credentials/sets/auth_info_wrapper.h \
+	credentials/credential_manager.h \
+	credentials/sets/auth_cfg_wrapper.c \
+	credentials/sets/auth_cfg_wrapper.h \
 	credentials/sets/ocsp_response_wrapper.c \
 	credentials/sets/ocsp_response_wrapper.h \
 	credentials/sets/cert_cache.c credentials/sets/cert_cache.h \
@@ -238,15 +245,15 @@ am__charon_SOURCES_DIST = bus/bus.c bus/bus.h \
 am_charon_OBJECTS = bus.$(OBJEXT) file_logger.$(OBJEXT) \
 	sys_logger.$(OBJEXT) backend_manager.$(OBJEXT) \
 	child_cfg.$(OBJEXT) ike_cfg.$(OBJEXT) peer_cfg.$(OBJEXT) \
-	proposal.$(OBJEXT) traffic_selector.$(OBJEXT) \
-	attribute_manager.$(OBJEXT) controller.$(OBJEXT) \
-	daemon.$(OBJEXT) generator.$(OBJEXT) message.$(OBJEXT) \
-	parser.$(OBJEXT) auth_payload.$(OBJEXT) cert_payload.$(OBJEXT) \
-	certreq_payload.$(OBJEXT) configuration_attribute.$(OBJEXT) \
-	cp_payload.$(OBJEXT) delete_payload.$(OBJEXT) \
-	eap_payload.$(OBJEXT) encodings.$(OBJEXT) \
-	encryption_payload.$(OBJEXT) id_payload.$(OBJEXT) \
-	ike_header.$(OBJEXT) ke_payload.$(OBJEXT) \
+	proposal.$(OBJEXT) auth_cfg.$(OBJEXT) \
+	traffic_selector.$(OBJEXT) attribute_manager.$(OBJEXT) \
+	controller.$(OBJEXT) daemon.$(OBJEXT) generator.$(OBJEXT) \
+	message.$(OBJEXT) parser.$(OBJEXT) auth_payload.$(OBJEXT) \
+	cert_payload.$(OBJEXT) certreq_payload.$(OBJEXT) \
+	configuration_attribute.$(OBJEXT) cp_payload.$(OBJEXT) \
+	delete_payload.$(OBJEXT) eap_payload.$(OBJEXT) \
+	encodings.$(OBJEXT) encryption_payload.$(OBJEXT) \
+	id_payload.$(OBJEXT) ike_header.$(OBJEXT) ke_payload.$(OBJEXT) \
 	nonce_payload.$(OBJEXT) notify_payload.$(OBJEXT) \
 	payload.$(OBJEXT) proposal_substructure.$(OBJEXT) \
 	sa_payload.$(OBJEXT) traffic_selector_substructure.$(OBJEXT) \
@@ -267,22 +274,22 @@ am_charon_OBJECTS = bus.$(OBJEXT) file_logger.$(OBJEXT) \
 	psk_authenticator.$(OBJEXT) pubkey_authenticator.$(OBJEXT) \
 	child_sa.$(OBJEXT) ike_sa.$(OBJEXT) ike_sa_id.$(OBJEXT) \
 	ike_sa_manager.$(OBJEXT) task_manager.$(OBJEXT) \
-	keymat.$(OBJEXT) child_create.$(OBJEXT) child_delete.$(OBJEXT) \
-	child_rekey.$(OBJEXT) ike_auth.$(OBJEXT) \
-	ike_cert_pre.$(OBJEXT) ike_cert_post.$(OBJEXT) \
-	ike_config.$(OBJEXT) ike_delete.$(OBJEXT) ike_dpd.$(OBJEXT) \
-	ike_init.$(OBJEXT) ike_natd.$(OBJEXT) ike_mobike.$(OBJEXT) \
-	ike_rekey.$(OBJEXT) ike_reauth.$(OBJEXT) \
-	ike_auth_lifetime.$(OBJEXT) task.$(OBJEXT) \
-	credential_manager.$(OBJEXT) auth_info.$(OBJEXT) \
-	auth_info_wrapper.$(OBJEXT) ocsp_response_wrapper.$(OBJEXT) \
+	keymat.$(OBJEXT) trap_manager.$(OBJEXT) child_create.$(OBJEXT) \
+	child_delete.$(OBJEXT) child_rekey.$(OBJEXT) \
+	ike_auth.$(OBJEXT) ike_cert_pre.$(OBJEXT) \
+	ike_cert_post.$(OBJEXT) ike_config.$(OBJEXT) \
+	ike_delete.$(OBJEXT) ike_dpd.$(OBJEXT) ike_init.$(OBJEXT) \
+	ike_natd.$(OBJEXT) ike_mobike.$(OBJEXT) ike_rekey.$(OBJEXT) \
+	ike_reauth.$(OBJEXT) ike_auth_lifetime.$(OBJEXT) \
+	task.$(OBJEXT) credential_manager.$(OBJEXT) \
+	auth_cfg_wrapper.$(OBJEXT) ocsp_response_wrapper.$(OBJEXT) \
 	cert_cache.$(OBJEXT) $(am__objects_1) $(am__objects_2) \
 	$(am__objects_3)
 charon_OBJECTS = $(am_charon_OBJECTS)
 am__DEPENDENCIES_1 =
 charon_DEPENDENCIES =  \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
-	$(am__DEPENDENCIES_1)
+	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1)
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
@@ -309,12 +316,13 @@ RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive	\
 ETAGS = etags
 CTAGS = ctags
 DIST_SUBDIRS = . plugins/load_tester plugins/kernel_pfkey \
-	plugins/kernel_klips plugins/kernel_netlink plugins/stroke \
-	plugins/smp plugins/sql plugins/updown plugins/eap_identity \
+	plugins/kernel_pfroute plugins/kernel_klips \
+	plugins/kernel_netlink plugins/stroke plugins/smp plugins/sql \
+	plugins/updown plugins/attr plugins/eap_identity \
 	plugins/eap_sim plugins/eap_sim_file plugins/eap_md5 \
 	plugins/eap_gtc plugins/eap_aka plugins/eap_mschapv2 \
 	plugins/eap_radius plugins/medsrv plugins/medcli plugins/nm \
-	plugins/uci plugins/unit_tester
+	plugins/resolv_conf plugins/uci plugins/unit_tester
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 AMTAR = @AMTAR@
@@ -331,6 +339,7 @@ CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -353,6 +362,9 @@ LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -364,6 +376,7 @@ MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
 NM = @NM@
 NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
@@ -377,6 +390,8 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 RANLIB = @RANLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -437,6 +452,7 @@ oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
 plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -448,6 +464,7 @@ srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 xml_CFLAGS = @xml_CFLAGS@
@@ -458,9 +475,10 @@ charon_SOURCES = bus/bus.c bus/bus.h bus/listeners/file_logger.c \
 	config/backend_manager.h config/backend.h config/child_cfg.c \
 	config/child_cfg.h config/ike_cfg.c config/ike_cfg.h \
 	config/peer_cfg.c config/peer_cfg.h config/proposal.c \
-	config/proposal.h config/traffic_selector.c \
-	config/traffic_selector.h \
+	config/proposal.h config/auth_cfg.c config/auth_cfg.h \
+	config/traffic_selector.c config/traffic_selector.h \
 	config/attributes/attribute_provider.h \
+	config/attributes/attribute_handler.h \
 	config/attributes/attribute_manager.c \
 	config/attributes/attribute_manager.h control/controller.c \
 	control/controller.h daemon.c daemon.h encoding/generator.c \
@@ -548,10 +566,10 @@ charon_SOURCES = bus/bus.c bus/bus.h bus/listeners/file_logger.c \
 	sa/child_sa.h sa/ike_sa.c sa/ike_sa.h sa/ike_sa_id.c \
 	sa/ike_sa_id.h sa/ike_sa_manager.c sa/ike_sa_manager.h \
 	sa/task_manager.c sa/task_manager.h sa/keymat.c sa/keymat.h \
-	sa/tasks/child_create.c sa/tasks/child_create.h \
-	sa/tasks/child_delete.c sa/tasks/child_delete.h \
-	sa/tasks/child_rekey.c sa/tasks/child_rekey.h \
-	sa/tasks/ike_auth.c sa/tasks/ike_auth.h \
+	sa/trap_manager.c sa/trap_manager.h sa/tasks/child_create.c \
+	sa/tasks/child_create.h sa/tasks/child_delete.c \
+	sa/tasks/child_delete.h sa/tasks/child_rekey.c \
+	sa/tasks/child_rekey.h sa/tasks/ike_auth.c sa/tasks/ike_auth.h \
 	sa/tasks/ike_cert_pre.c sa/tasks/ike_cert_pre.h \
 	sa/tasks/ike_cert_post.c sa/tasks/ike_cert_post.h \
 	sa/tasks/ike_config.c sa/tasks/ike_config.h \
@@ -563,9 +581,9 @@ charon_SOURCES = bus/bus.c bus/bus.h bus/listeners/file_logger.c \
 	sa/tasks/ike_reauth.h sa/tasks/ike_auth_lifetime.c \
 	sa/tasks/ike_auth_lifetime.h sa/tasks/task.c sa/tasks/task.h \
 	credentials/credential_manager.c \
-	credentials/credential_manager.h credentials/auth_info.c \
-	credentials/auth_info.h credentials/sets/auth_info_wrapper.c \
-	credentials/sets/auth_info_wrapper.h \
+	credentials/credential_manager.h \
+	credentials/sets/auth_cfg_wrapper.c \
+	credentials/sets/auth_cfg_wrapper.h \
 	credentials/sets/ocsp_response_wrapper.c \
 	credentials/sets/ocsp_response_wrapper.h \
 	credentials/sets/cert_cache.c credentials/sets/cert_cache.h \
@@ -575,29 +593,30 @@ INCLUDES = -I${linuxdir} -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/c
 AM_CFLAGS = -rdynamic -DIPSEC_DIR=\"${ipsecdir}\" \
 	-DIPSEC_PIDDIR=\"${piddir}\" \
 	-DIPSEC_PLUGINDIR=\"${plugindir}\" \
-	-DSTRONGSWAN_CONF=\"${strongswan_conf}\" \
-	-DRESOLV_CONF=\"${resolv_conf}\" $(am__append_4) \
-	$(am__append_5) -DPLUGINS=\""${PLUGINS}\""
+	-DSTRONGSWAN_CONF=\"${strongswan_conf}\" $(am__append_4) \
+	-DPLUGINS=\""${PLUGINS}\""
 charon_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la \
-	-lpthread -lm -ldl $(am__append_6)
+	-lpthread -lm $(DLLIB) $(am__append_5)
 
 # build optional plugins
 ########################
-SUBDIRS = . $(am__append_7) $(am__append_9) $(am__append_11) \
-	$(am__append_13) $(am__append_15) $(am__append_17) \
-	$(am__append_19) $(am__append_21) $(am__append_23) \
-	$(am__append_25) $(am__append_27) $(am__append_29) \
-	$(am__append_31) $(am__append_33) $(am__append_35) \
-	$(am__append_37) $(am__append_39) $(am__append_41) \
-	$(am__append_43) $(am__append_45) $(am__append_47)
-PLUGINS = ${libstrongswan_plugins} $(am__append_8) $(am__append_10) \
+SUBDIRS = . $(am__append_6) $(am__append_8) $(am__append_10) \
 	$(am__append_12) $(am__append_14) $(am__append_16) \
 	$(am__append_18) $(am__append_20) $(am__append_22) \
 	$(am__append_24) $(am__append_26) $(am__append_28) \
 	$(am__append_30) $(am__append_32) $(am__append_34) \
 	$(am__append_36) $(am__append_38) $(am__append_40) \
 	$(am__append_42) $(am__append_44) $(am__append_46) \
-	$(am__append_48)
+	$(am__append_48) $(am__append_50) $(am__append_52)
+PLUGINS = ${libstrongswan_plugins} $(am__append_7) $(am__append_9) \
+	$(am__append_11) $(am__append_13) $(am__append_15) \
+	$(am__append_17) $(am__append_19) $(am__append_21) \
+	$(am__append_23) $(am__append_25) $(am__append_27) \
+	$(am__append_29) $(am__append_31) $(am__append_33) \
+	$(am__append_35) $(am__append_37) $(am__append_39) \
+	$(am__append_41) $(am__append_43) $(am__append_45) \
+	$(am__append_47) $(am__append_49) $(am__append_51) \
+	$(am__append_53)
 all: all-recursive
 
 .SUFFIXES:
@@ -606,8 +625,8 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
 	    *$$dep*) \
-	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
-		&& exit 0; \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
 	      exit 1;; \
 	  esac; \
 	done; \
@@ -671,8 +690,8 @@ distclean-compile:
 
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/acquire_job.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/attribute_manager.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/auth_info.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/auth_info_wrapper.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/auth_cfg.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/auth_cfg_wrapper.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/auth_payload.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/authenticator.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/backend_manager.Po@am__quote@
@@ -765,6 +784,7 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/traffic_selector_substructure.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/transform_attribute.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/transform_substructure.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/trap_manager.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ts_payload.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/unknown_payload.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/update_sa_job.Po@am__quote@
@@ -903,6 +923,20 @@ proposal.obj: config/proposal.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o proposal.obj `if test -f 'config/proposal.c'; then $(CYGPATH_W) 'config/proposal.c'; else $(CYGPATH_W) '$(srcdir)/config/proposal.c'; fi`
 
+auth_cfg.o: config/auth_cfg.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT auth_cfg.o -MD -MP -MF $(DEPDIR)/auth_cfg.Tpo -c -o auth_cfg.o `test -f 'config/auth_cfg.c' || echo '$(srcdir)/'`config/auth_cfg.c
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/auth_cfg.Tpo $(DEPDIR)/auth_cfg.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='config/auth_cfg.c' object='auth_cfg.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o auth_cfg.o `test -f 'config/auth_cfg.c' || echo '$(srcdir)/'`config/auth_cfg.c
+
+auth_cfg.obj: config/auth_cfg.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT auth_cfg.obj -MD -MP -MF $(DEPDIR)/auth_cfg.Tpo -c -o auth_cfg.obj `if test -f 'config/auth_cfg.c'; then $(CYGPATH_W) 'config/auth_cfg.c'; else $(CYGPATH_W) '$(srcdir)/config/auth_cfg.c'; fi`
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/auth_cfg.Tpo $(DEPDIR)/auth_cfg.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='config/auth_cfg.c' object='auth_cfg.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o auth_cfg.obj `if test -f 'config/auth_cfg.c'; then $(CYGPATH_W) 'config/auth_cfg.c'; else $(CYGPATH_W) '$(srcdir)/config/auth_cfg.c'; fi`
+
 traffic_selector.o: config/traffic_selector.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT traffic_selector.o -MD -MP -MF $(DEPDIR)/traffic_selector.Tpo -c -o traffic_selector.o `test -f 'config/traffic_selector.c' || echo '$(srcdir)/'`config/traffic_selector.c
 @am__fastdepCC_TRUE@	mv -f $(DEPDIR)/traffic_selector.Tpo $(DEPDIR)/traffic_selector.Po
@@ -1771,6 +1805,20 @@ keymat.obj: sa/keymat.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o keymat.obj `if test -f 'sa/keymat.c'; then $(CYGPATH_W) 'sa/keymat.c'; else $(CYGPATH_W) '$(srcdir)/sa/keymat.c'; fi`
 
+trap_manager.o: sa/trap_manager.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT trap_manager.o -MD -MP -MF $(DEPDIR)/trap_manager.Tpo -c -o trap_manager.o `test -f 'sa/trap_manager.c' || echo '$(srcdir)/'`sa/trap_manager.c
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/trap_manager.Tpo $(DEPDIR)/trap_manager.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/trap_manager.c' object='trap_manager.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o trap_manager.o `test -f 'sa/trap_manager.c' || echo '$(srcdir)/'`sa/trap_manager.c
+
+trap_manager.obj: sa/trap_manager.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT trap_manager.obj -MD -MP -MF $(DEPDIR)/trap_manager.Tpo -c -o trap_manager.obj `if test -f 'sa/trap_manager.c'; then $(CYGPATH_W) 'sa/trap_manager.c'; else $(CYGPATH_W) '$(srcdir)/sa/trap_manager.c'; fi`
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/trap_manager.Tpo $(DEPDIR)/trap_manager.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/trap_manager.c' object='trap_manager.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o trap_manager.obj `if test -f 'sa/trap_manager.c'; then $(CYGPATH_W) 'sa/trap_manager.c'; else $(CYGPATH_W) '$(srcdir)/sa/trap_manager.c'; fi`
+
 child_create.o: sa/tasks/child_create.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT child_create.o -MD -MP -MF $(DEPDIR)/child_create.Tpo -c -o child_create.o `test -f 'sa/tasks/child_create.c' || echo '$(srcdir)/'`sa/tasks/child_create.c
 @am__fastdepCC_TRUE@	mv -f $(DEPDIR)/child_create.Tpo $(DEPDIR)/child_create.Po
@@ -2009,33 +2057,19 @@ credential_manager.obj: credentials/credential_manager.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o credential_manager.obj `if test -f 'credentials/credential_manager.c'; then $(CYGPATH_W) 'credentials/credential_manager.c'; else $(CYGPATH_W) '$(srcdir)/credentials/credential_manager.c'; fi`
 
-auth_info.o: credentials/auth_info.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT auth_info.o -MD -MP -MF $(DEPDIR)/auth_info.Tpo -c -o auth_info.o `test -f 'credentials/auth_info.c' || echo '$(srcdir)/'`credentials/auth_info.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/auth_info.Tpo $(DEPDIR)/auth_info.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='credentials/auth_info.c' object='auth_info.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o auth_info.o `test -f 'credentials/auth_info.c' || echo '$(srcdir)/'`credentials/auth_info.c
-
-auth_info.obj: credentials/auth_info.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT auth_info.obj -MD -MP -MF $(DEPDIR)/auth_info.Tpo -c -o auth_info.obj `if test -f 'credentials/auth_info.c'; then $(CYGPATH_W) 'credentials/auth_info.c'; else $(CYGPATH_W) '$(srcdir)/credentials/auth_info.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/auth_info.Tpo $(DEPDIR)/auth_info.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='credentials/auth_info.c' object='auth_info.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o auth_info.obj `if test -f 'credentials/auth_info.c'; then $(CYGPATH_W) 'credentials/auth_info.c'; else $(CYGPATH_W) '$(srcdir)/credentials/auth_info.c'; fi`
-
-auth_info_wrapper.o: credentials/sets/auth_info_wrapper.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT auth_info_wrapper.o -MD -MP -MF $(DEPDIR)/auth_info_wrapper.Tpo -c -o auth_info_wrapper.o `test -f 'credentials/sets/auth_info_wrapper.c' || echo '$(srcdir)/'`credentials/sets/auth_info_wrapper.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/auth_info_wrapper.Tpo $(DEPDIR)/auth_info_wrapper.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='credentials/sets/auth_info_wrapper.c' object='auth_info_wrapper.o' libtool=no @AMDEPBACKSLASH@
+auth_cfg_wrapper.o: credentials/sets/auth_cfg_wrapper.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT auth_cfg_wrapper.o -MD -MP -MF $(DEPDIR)/auth_cfg_wrapper.Tpo -c -o auth_cfg_wrapper.o `test -f 'credentials/sets/auth_cfg_wrapper.c' || echo '$(srcdir)/'`credentials/sets/auth_cfg_wrapper.c
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/auth_cfg_wrapper.Tpo $(DEPDIR)/auth_cfg_wrapper.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='credentials/sets/auth_cfg_wrapper.c' object='auth_cfg_wrapper.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o auth_info_wrapper.o `test -f 'credentials/sets/auth_info_wrapper.c' || echo '$(srcdir)/'`credentials/sets/auth_info_wrapper.c
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o auth_cfg_wrapper.o `test -f 'credentials/sets/auth_cfg_wrapper.c' || echo '$(srcdir)/'`credentials/sets/auth_cfg_wrapper.c
 
-auth_info_wrapper.obj: credentials/sets/auth_info_wrapper.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT auth_info_wrapper.obj -MD -MP -MF $(DEPDIR)/auth_info_wrapper.Tpo -c -o auth_info_wrapper.obj `if test -f 'credentials/sets/auth_info_wrapper.c'; then $(CYGPATH_W) 'credentials/sets/auth_info_wrapper.c'; else $(CYGPATH_W) '$(srcdir)/credentials/sets/auth_info_wrapper.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/auth_info_wrapper.Tpo $(DEPDIR)/auth_info_wrapper.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='credentials/sets/auth_info_wrapper.c' object='auth_info_wrapper.obj' libtool=no @AMDEPBACKSLASH@
+auth_cfg_wrapper.obj: credentials/sets/auth_cfg_wrapper.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT auth_cfg_wrapper.obj -MD -MP -MF $(DEPDIR)/auth_cfg_wrapper.Tpo -c -o auth_cfg_wrapper.obj `if test -f 'credentials/sets/auth_cfg_wrapper.c'; then $(CYGPATH_W) 'credentials/sets/auth_cfg_wrapper.c'; else $(CYGPATH_W) '$(srcdir)/credentials/sets/auth_cfg_wrapper.c'; fi`
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/auth_cfg_wrapper.Tpo $(DEPDIR)/auth_cfg_wrapper.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='credentials/sets/auth_cfg_wrapper.c' object='auth_cfg_wrapper.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o auth_info_wrapper.obj `if test -f 'credentials/sets/auth_info_wrapper.c'; then $(CYGPATH_W) 'credentials/sets/auth_info_wrapper.c'; else $(CYGPATH_W) '$(srcdir)/credentials/sets/auth_info_wrapper.c'; fi`
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o auth_cfg_wrapper.obj `if test -f 'credentials/sets/auth_cfg_wrapper.c'; then $(CYGPATH_W) 'credentials/sets/auth_cfg_wrapper.c'; else $(CYGPATH_W) '$(srcdir)/credentials/sets/auth_cfg_wrapper.c'; fi`
 
 ocsp_response_wrapper.o: credentials/sets/ocsp_response_wrapper.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ocsp_response_wrapper.o -MD -MP -MF $(DEPDIR)/ocsp_response_wrapper.Tpo -c -o ocsp_response_wrapper.o `test -f 'credentials/sets/ocsp_response_wrapper.c' || echo '$(srcdir)/'`credentials/sets/ocsp_response_wrapper.c
@@ -2258,7 +2292,7 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
 	mkid -fID $$unique
 tags: TAGS
diff --git a/src/charon/bus/bus.c b/src/charon/bus/bus.c
index 504947465..bb7014b0b 100644
--- a/src/charon/bus/bus.c
+++ b/src/charon/bus/bus.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: bus.c 4622 2008-11-11 10:52:37Z martin $
  */
 
 #include "bus.h"
@@ -520,6 +518,45 @@ static void child_keys(private_bus_t *this, child_sa_t *child_sa,
 	this->mutex->unlock(this->mutex);
 }
 
+/**
+ * Implementation of bus_t.authorize
+ */
+static bool authorize(private_bus_t *this, linked_list_t *auth, bool final)
+{
+	enumerator_t *enumerator;
+	ike_sa_t *ike_sa;
+	entry_t *entry;
+	bool keep, success = TRUE;
+	
+	ike_sa = pthread_getspecific(this->thread_sa);
+	
+	this->mutex->lock(this->mutex);
+	enumerator = this->listeners->create_enumerator(this->listeners);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (entry->calling || !entry->listener->authorize)
+		{
+			continue;
+		}
+		entry->calling++;
+		keep = entry->listener->authorize(entry->listener, ike_sa,
+										  auth, final, &success);
+		entry->calling--;
+		if (!keep)
+		{
+			unregister_listener(this, entry, enumerator);
+			break;
+		}
+		if (!success)
+		{
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->mutex->unlock(this->mutex);
+	return success;
+}
+
 /**
  * Implementation of bus_t.destroy.
  */
@@ -548,6 +585,7 @@ bus_t *bus_create()
 	this->public.message = (void(*)(bus_t*, message_t *message, bool incoming))message;
 	this->public.ike_keys = (void(*)(bus_t*, ike_sa_t *ike_sa, diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r, ike_sa_t *rekey))ike_keys;
 	this->public.child_keys = (void(*)(bus_t*, child_sa_t *child_sa, diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r))child_keys;
+	this->public.authorize = (bool(*)(bus_t*, linked_list_t *auth, bool final))authorize;
 	this->public.destroy = (void(*)(bus_t*)) destroy;
 	
 	this->listeners = linked_list_create();
diff --git a/src/charon/bus/bus.h b/src/charon/bus/bus.h
index fe7d1e53d..5faea088f 100644
--- a/src/charon/bus/bus.h
+++ b/src/charon/bus/bus.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: bus.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -210,6 +208,23 @@ struct listener_t {
 	 */
 	bool (*child_keys)(listener_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa,
 					   diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r);
+	
+	/**
+	 * Hook called to invoke additional authorization rules.
+	 *
+	 * An authorization hook gets invoked several times: After each
+	 * authentication round, the hook gets invoked with with final = FALSE.
+	 * After authentication is complete and the peer configuration is selected,
+	 * it is invoked again, but with final = TRUE.
+	 *
+	 * @param ike_sa	IKE_SA to authorize
+	 * @param auth		list of auth_cfg_t, done in peers authentication rounds
+	 * @param final		TRUE if this is the final hook invocation
+	 * @param success	set to TRUE to complete IKE_SA, FALSE abort
+	 * @return			TRUE to stay registered, FALSE to unregister
+	 */
+	bool (*authorize)(listener_t *this, ike_sa_t *ike_sa, linked_list_t *auth,
+					  bool final, bool *success);
 };
 
 /**
@@ -316,6 +331,15 @@ struct bus_t {
 	 */
 	void (*message)(bus_t *this, message_t *message, bool incoming);
 	
+	/**
+	 * IKE_SA authorization hook.
+	 *
+	 * @param auth		list of auth_cfg_t, containing peers authentication info
+	 * @param final		TRUE if this is the final invocation
+	 * @return			TRUE to establish IKE_SA, FALSE to send AUTH_FAILED
+	 */
+	bool (*authorize)(bus_t *this, linked_list_t *auth, bool final);
+	
 	/**
 	 * IKE_SA keymat hook.
 	 *
diff --git a/src/charon/bus/listeners/file_logger.c b/src/charon/bus/listeners/file_logger.c
index 4259630ec..c3213f5f8 100644
--- a/src/charon/bus/listeners/file_logger.c
+++ b/src/charon/bus/listeners/file_logger.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: file_logger.c 4622 2008-11-11 10:52:37Z martin $
  */
 
 #include <stdio.h>
diff --git a/src/charon/bus/listeners/file_logger.h b/src/charon/bus/listeners/file_logger.h
index 5cd37adc0..7282224a5 100644
--- a/src/charon/bus/listeners/file_logger.h
+++ b/src/charon/bus/listeners/file_logger.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: file_logger.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/charon/bus/listeners/sys_logger.c b/src/charon/bus/listeners/sys_logger.c
index 37dbce926..5bcf28f24 100644
--- a/src/charon/bus/listeners/sys_logger.c
+++ b/src/charon/bus/listeners/sys_logger.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: sys_logger.c 4434 2008-10-14 08:52:13Z martin $
  */
 
 #include <stdio.h>
diff --git a/src/charon/bus/listeners/sys_logger.h b/src/charon/bus/listeners/sys_logger.h
index 50301924e..6eda096a9 100644
--- a/src/charon/bus/listeners/sys_logger.h
+++ b/src/charon/bus/listeners/sys_logger.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: sys_logger.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/charon/config/attributes/attribute_handler.h b/src/charon/config/attributes/attribute_handler.h
new file mode 100644
index 000000000..de1c4414d
--- /dev/null
+++ b/src/charon/config/attributes/attribute_handler.h
@@ -0,0 +1,58 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup attribute_handler attribute_handler
+ * @{ @ingroup attributes
+ */
+
+#ifndef ATTRIBUTE_HANDLER_H_
+#define ATTRIBUTE_HANDLER_H_
+
+#include <sa/ike_sa.h>
+#include <encoding/payloads/configuration_attribute.h>
+
+typedef struct attribute_handler_t attribute_handler_t;
+
+/**
+ * Interface to handle configuration payload attributes.
+ */
+struct attribute_handler_t {
+	
+	/**
+	 * Handle a configuration attribute.
+	 *
+	 * After receiving a configuration attriubte, it is passed to each
+	 * attribute handler until it is handled.
+	 *
+	 * @param type		type of configuration attribute to handle
+	 * @param data		associated attribute data
+	 * @return			TRUE if attribute handled
+	 */
+	bool (*handle)(attribute_handler_t *this, ike_sa_t *ike_sa,
+				   configuration_attribute_type_t type, chunk_t data);
+	
+	/**
+	 * Release an attribute handled during handle().
+	 *
+	 * A handler that handle()d an attribute gets a call to release() when the
+	 * IKE_SA gets closed. Depending on the implementation, this is required
+	 * to remove the attribute.
+	 */
+	void (*release)(attribute_handler_t *this, ike_sa_t *ike_sa,
+					configuration_attribute_type_t type, chunk_t data);
+};
+
+#endif /* ATTRIBUTE_HANDLER_ @}*/
diff --git a/src/charon/config/attributes/attribute_manager.c b/src/charon/config/attributes/attribute_manager.c
index a069c954a..83e431c43 100644
--- a/src/charon/config/attributes/attribute_manager.c
+++ b/src/charon/config/attributes/attribute_manager.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 #include "attribute_manager.h"
@@ -38,6 +36,11 @@ struct private_attribute_manager_t {
 	 */
 	linked_list_t *providers;
 	
+	/**
+	 * list of registered handlers
+	 */
+	linked_list_t *handlers;
+	
 	/**
 	 * rwlock provider list
 	 */
@@ -49,7 +52,7 @@ struct private_attribute_manager_t {
  */
 static host_t* acquire_address(private_attribute_manager_t *this,
 							   char *pool, identification_t *id,
-							   auth_info_t *auth, host_t *requested)
+							   host_t *requested)
 {
 	enumerator_t *enumerator;
 	attribute_provider_t *current;
@@ -59,7 +62,7 @@ static host_t* acquire_address(private_attribute_manager_t *this,
 	enumerator = this->providers->create_enumerator(this->providers);
 	while (enumerator->enumerate(enumerator, &current))
 	{
-		host = current->acquire_address(current, pool, id, auth, requested);
+		host = current->acquire_address(current, pool, id, requested);
 		if (host)
 		{
 			break;
@@ -104,6 +107,29 @@ static void release_address(private_attribute_manager_t *this,
 	}
 }
 
+/**
+ * inner enumerator constructor for attributes
+ */
+static enumerator_t *attrib_enum_create(attribute_provider_t *provider,
+										identification_t *id)
+{
+	return provider->create_attribute_enumerator(provider, id);
+}
+
+/**
+ * Implementation of attribute_manager_t.create_attribute_enumerator
+ */
+static enumerator_t* create_attribute_enumerator(
+						private_attribute_manager_t *this, identification_t *id)
+{
+	this->lock->read_lock(this->lock);
+	return enumerator_create_cleaner(
+				enumerator_create_nested(
+					this->providers->create_enumerator(this->providers),
+					(void*)attrib_enum_create, id, NULL),
+				(void*)this->lock->unlock, this->lock);
+}
+
 /**
  * Implementation of attribute_manager_t.add_provider.
  */
@@ -126,12 +152,90 @@ static void remove_provider(private_attribute_manager_t *this,
 	this->lock->unlock(this->lock);
 }
 
+/**
+ * Implementation of attribute_manager_t.handle
+ */
+static attribute_handler_t* handle(private_attribute_manager_t *this,
+						ike_sa_t *ike_sa, configuration_attribute_type_t type,
+						chunk_t data)
+{
+	enumerator_t *enumerator;
+	attribute_handler_t *current, *handled = NULL;
+	
+	this->lock->read_lock(this->lock);
+	enumerator = this->handlers->create_enumerator(this->handlers);
+	while (enumerator->enumerate(enumerator, &current))
+	{
+		if (current->handle(current, ike_sa, type, data))
+		{
+			handled = current;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
+	
+	if (!handled)
+	{
+		DBG1(DBG_CFG, "handling %N attribute failed",
+			 configuration_attribute_type_names, type);
+	}
+	return handled;
+}
+
+/**
+ * Implementation of attribute_manager_t.release
+ */
+static void release(private_attribute_manager_t *this,
+						attribute_handler_t *handler, ike_sa_t *ike_sa,
+						configuration_attribute_type_t type, chunk_t data)
+{
+	enumerator_t *enumerator;
+	attribute_handler_t *current;
+	
+	this->lock->read_lock(this->lock);
+	enumerator = this->handlers->create_enumerator(this->handlers);
+	while (enumerator->enumerate(enumerator, &current))
+	{
+		if (current == handler)
+		{
+			current->release(current, ike_sa, type, data);
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
+}
+
+/**
+ * Implementation of attribute_manager_t.add_handler
+ */
+static void add_handler(private_attribute_manager_t *this,
+						attribute_handler_t *handler)
+{
+	this->lock->write_lock(this->lock);
+	this->handlers->insert_last(this->handlers, handler);
+	this->lock->unlock(this->lock);
+}
+
+/**
+ * Implementation of attribute_manager_t.remove_handler
+ */
+static void remove_handler(private_attribute_manager_t *this,
+						attribute_handler_t *handler)
+{
+	this->lock->write_lock(this->lock);
+	this->handlers->remove(this->handlers, handler, NULL);
+	this->lock->unlock(this->lock);
+}
+
 /**
  * Implementation of attribute_manager_t.destroy
  */
 static void destroy(private_attribute_manager_t *this)
 {
 	this->providers->destroy(this->providers);
+	this->handlers->destroy(this->handlers);
 	this->lock->destroy(this->lock);
 	free(this);
 }
@@ -143,13 +247,19 @@ attribute_manager_t *attribute_manager_create()
 {
 	private_attribute_manager_t *this = malloc_thing(private_attribute_manager_t);
 	
-	this->public.acquire_address = (host_t*(*)(attribute_manager_t*, char*, identification_t*,auth_info_t*,host_t*))acquire_address;
+	this->public.acquire_address = (host_t*(*)(attribute_manager_t*, char*, identification_t*,host_t*))acquire_address;
 	this->public.release_address = (void(*)(attribute_manager_t*, char *, host_t*, identification_t*))release_address;
+	this->public.create_attribute_enumerator = (enumerator_t*(*)(attribute_manager_t*, identification_t *id))create_attribute_enumerator;
 	this->public.add_provider = (void(*)(attribute_manager_t*, attribute_provider_t *provider))add_provider;
 	this->public.remove_provider = (void(*)(attribute_manager_t*, attribute_provider_t *provider))remove_provider;
+	this->public.handle = (attribute_handler_t*(*)(attribute_manager_t*, ike_sa_t *ike_sa, configuration_attribute_type_t type, chunk_t data))handle;
+	this->public.release = (void(*)(attribute_manager_t*, attribute_handler_t *handler, ike_sa_t *ike_sa, configuration_attribute_type_t type, chunk_t data))release;
+	this->public.add_handler = (void(*)(attribute_manager_t*, attribute_handler_t *handler))add_handler;
+	this->public.remove_handler = (void(*)(attribute_manager_t*, attribute_handler_t *handler))remove_handler;
 	this->public.destroy = (void(*)(attribute_manager_t*))destroy;
 	
 	this->providers = linked_list_create();
+	this->handlers = linked_list_create();
 	this->lock = rwlock_create(RWLOCK_DEFAULT);
 	
 	return &this->public;
diff --git a/src/charon/config/attributes/attribute_manager.h b/src/charon/config/attributes/attribute_manager.h
index aef6e7b6e..ceea06581 100644
--- a/src/charon/config/attributes/attribute_manager.h
+++ b/src/charon/config/attributes/attribute_manager.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008 Martin Willi
+ * Copyright (C) 2008-2009 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 /**
@@ -24,26 +22,31 @@
 #define ATTRIBUTE_MANAGER_H_
 
 #include <config/attributes/attribute_provider.h>
+#include <config/attributes/attribute_handler.h>
 
 typedef struct attribute_manager_t attribute_manager_t;
 
 /**
- * Provide configuration attributes to include in CFG Payloads.
+ * The attribute manager hands out attributes or handles them.
+ *
+ * The attribute manager manages both, attribute providers and attribute
+ * handlers. Attribute providers are responsible to hand out attributes if
+ * a connecting peer requests them. Handlers handle such attributes if they
+ * are received on the requesting peer.
  */
 struct attribute_manager_t {
-
+	
 	/**
 	 * Acquire a virtual IP address to assign to a peer.
 	 *
 	 * @param pool			pool name to acquire address from
-	 * @param id			peer identity to get address for
-	 * @param auth			authorization infos of peer
+	 * @param id			peer identity to get address forua
 	 * @param requested		IP in configuration request
 	 * @return				allocated address, NULL to serve none
 	 */
 	host_t* (*acquire_address)(attribute_manager_t *this,
 							   char *pool, identification_t *id,
-							   auth_info_t *auth, host_t *requested);
+							   host_t *requested);
 	
 	/**
 	 * Release a previously acquired address.
@@ -55,6 +58,15 @@ struct attribute_manager_t {
 	void (*release_address)(attribute_manager_t *this,
 							char *pool, host_t *address, identification_t *id);
 	
+	/**
+	 * Create an enumerator over attributes to hand out to a peer.
+	 *
+	 * @param id			peer identity to hand out attributes to
+	 * @return				enumerator (configuration_attribute_type_t, chunk_t)
+	 */
+	enumerator_t* (*create_attribute_enumerator)(attribute_manager_t *this,
+												 identification_t *id);
+	
 	/**
 	 * Register an attribute provider to the manager.
 	 *
@@ -69,10 +81,50 @@ struct attribute_manager_t {
 	 */
 	void (*remove_provider)(attribute_manager_t *this,
 							attribute_provider_t *provider);
+	
+	/**
+	 * Handle a configuration attribute by passing them to the handlers.
+	 *
+	 * @param ike_sa		IKE_SA where attribute was received
+	 * @param type			type of configuration attribute
+	 * @param data			associated attribute data
+	 * @return				handler which handled this attribute, NULL if none
+	 */
+	attribute_handler_t* (*handle)(attribute_manager_t *this, ike_sa_t *ike_sa,
+							configuration_attribute_type_t type, chunk_t data);
+	
 	/**
-     * Destroy a attribute_manager instance.
-     */
-    void (*destroy)(attribute_manager_t *this);
+	 * Release an attribute previously handle()d by a handler.
+	 *
+	 * @param handler		handler returned by handle() for this attribute
+	 * @param ike_sa		IKE_SA owning the attribute
+	 * @param type			type of attribute to release
+	 * @param data			associated attribute data
+	 */
+	void (*release)(attribute_manager_t *this, attribute_handler_t *handler,
+						ike_sa_t *ike_sa, configuration_attribute_type_t type,
+						chunk_t data);
+	
+	/**
+	 * Register an attribute handler to the manager.
+	 *
+	 * @param handler		attribute handler to register
+	 */
+	void (*add_handler)(attribute_manager_t *this,
+						attribute_handler_t *handler);
+	
+	/**
+	 * Unregister an attribute handler from the manager.
+	 *
+	 * @param handler		attribute handler to unregister
+	 */
+	void (*remove_handler)(attribute_manager_t *this,
+						   attribute_handler_t *handler);
+	
+	/**
+	 * Destroy a attribute_manager instance.
+	 */
+	void (*destroy)(attribute_manager_t *this);
 };
 
 /**
diff --git a/src/charon/config/attributes/attribute_provider.h b/src/charon/config/attributes/attribute_provider.h
index 5d563e86b..0f1057af4 100644
--- a/src/charon/config/attributes/attribute_provider.h
+++ b/src/charon/config/attributes/attribute_provider.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 /**
@@ -25,7 +23,7 @@
 
 #include <library.h>
 #include <utils/host.h>
-#include <credentials/auth_info.h>
+#include <utils/identification.h>
 
 typedef struct attribute_provider_t attribute_provider_t;
 
@@ -39,13 +37,12 @@ struct attribute_provider_t {
 	 *
 	 * @param pool			name of the pool to acquire address from
 	 * @param id			peer ID
-	 * @param auth			authorization infos
 	 * @param requested		IP in configuration request
 	 * @return				allocated address, NULL to serve none
 	 */
 	host_t* (*acquire_address)(attribute_provider_t *this,
 							   char *pool, identification_t *id, 
-							   auth_info_t *auth, host_t *requested);
+							   host_t *requested);
 	/**
 	 * Release a previously acquired address.
 	 *
@@ -56,6 +53,15 @@ struct attribute_provider_t {
 	 */
 	bool (*release_address)(attribute_provider_t *this,
 							char *pool, host_t *address, identification_t *id);
+	
+	/**
+	 * Create an enumerator over attributes to hand out to a peer.
+	 *
+	 * @param id			peer ID
+	 * @return				enumerator (configuration_attribute_type_t, chunk_t)
+	 */
+	enumerator_t* (*create_attribute_enumerator)(attribute_provider_t *this,
+												 identification_t *id);
 };
 
 #endif /** ATTRIBUTE_PROVIDER_H_ @}*/
diff --git a/src/charon/config/auth_cfg.c b/src/charon/config/auth_cfg.c
new file mode 100644
index 000000000..e4501bc93
--- /dev/null
+++ b/src/charon/config/auth_cfg.c
@@ -0,0 +1,768 @@
+/*
+ * Copyright (C) 2007-2009 Martin Willi
+ * Copyright (C) 2008 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "auth_cfg.h"
+
+#include <daemon.h>
+#include <utils/linked_list.h>
+#include <utils/identification.h>
+#include <credentials/certificates/certificate.h>
+
+ENUM(auth_rule_names, AUTH_RULE_IDENTITY, AUTH_HELPER_SUBJECT_HASH_URL,
+	"RULE_IDENTITY",
+	"RULE_AUTH_CLASS",
+	"RULE_EAP_IDENTITY",
+	"RULE_EAP_TYPE",
+	"RULE_EAP_VENDOR",
+	"RULE_CA_CERT",
+	"RULE_IM_CERT",
+	"RULE_SUBJECT_CERT",
+	"RULE_CRL_VALIDATION",
+	"RULE_OCSP_VALIDATION",
+	"RULE_AC_GROUP",
+	"HELPER_IM_CERT",
+	"HELPER_SUBJECT_CERT",
+	"HELPER_IM_HASH_URL",
+	"HELPER_SUBJECT_HASH_URL",
+);
+
+typedef struct private_auth_cfg_t private_auth_cfg_t;
+
+/**
+ * private data of item_set
+ */
+struct private_auth_cfg_t {
+	
+	/**
+	 * public functions
+	 */
+	auth_cfg_t public;
+	
+	/**
+	 * list of entry_t
+	 */
+	linked_list_t *entries;
+};
+
+typedef struct entry_t entry_t;
+
+struct entry_t {
+	/** rule type */
+	auth_rule_t type;
+	/** associated value */
+	void *value;
+};
+
+/**
+ * enumerator for auth_cfg_t.create_enumerator()
+ */
+typedef struct {
+	/** implements enumerator_t */
+	enumerator_t public;
+	/** inner enumerator from linked_list_t */
+	enumerator_t *inner;
+	/** current entry */
+	entry_t *current;
+} entry_enumerator_t;
+
+/**
+ * enumerate function for item_enumerator_t
+ */
+static bool enumerate(entry_enumerator_t *this, auth_rule_t *type, void **value)
+{
+	entry_t *entry;
+	
+	if (this->inner->enumerate(this->inner, &entry))
+	{
+		this->current = entry;
+		*type = entry->type;
+		*value = entry->value;
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/**
+ * destroy function for item_enumerator_t
+ */
+static void entry_enumerator_destroy(entry_enumerator_t *this)
+{
+	this->inner->destroy(this->inner);
+	free(this);
+}
+
+/**
+ * Implementation of auth_cfg_t.create_enumerator.
+ */
+static enumerator_t* create_enumerator(private_auth_cfg_t *this)
+{
+	entry_enumerator_t *enumerator;
+	
+	enumerator = malloc_thing(entry_enumerator_t);
+	enumerator->inner = this->entries->create_enumerator(this->entries);
+	enumerator->public.enumerate = (void*)enumerate;
+	enumerator->public.destroy = (void*)entry_enumerator_destroy;
+	enumerator->current = NULL;
+	return &enumerator->public;
+}
+
+/**
+ * Destroy the value associated with an entry
+ */
+static void destroy_entry_value(entry_t *entry)
+{
+	switch (entry->type)
+	{
+		case AUTH_RULE_IDENTITY:
+		case AUTH_RULE_EAP_IDENTITY:
+		case AUTH_RULE_AC_GROUP:
+		{
+			identification_t *id = (identification_t*)entry->value;
+			id->destroy(id);
+			break;
+		}
+		case AUTH_RULE_CA_CERT:
+		case AUTH_RULE_IM_CERT:
+		case AUTH_RULE_SUBJECT_CERT:
+		case AUTH_HELPER_IM_CERT:
+		case AUTH_HELPER_SUBJECT_CERT:
+		{
+			certificate_t *cert = (certificate_t*)entry->value;
+			cert->destroy(cert);
+			break;
+		}
+		case AUTH_HELPER_IM_HASH_URL:
+		case AUTH_HELPER_SUBJECT_HASH_URL:
+		{
+			free(entry->value);
+			break;
+		}
+		case AUTH_RULE_AUTH_CLASS:
+		case AUTH_RULE_EAP_TYPE:
+		case AUTH_RULE_EAP_VENDOR:
+		case AUTH_RULE_CRL_VALIDATION:
+		case AUTH_RULE_OCSP_VALIDATION:
+			break;
+	}
+}
+
+/**
+ * Implementation of auth_cfg_t.replace.
+ */
+static void replace(auth_cfg_t *this, entry_enumerator_t *enumerator,
+					auth_rule_t type, ...)
+{
+	if (enumerator->current)
+	{
+		va_list args;
+		
+		va_start(args, type);
+		
+		destroy_entry_value(enumerator->current);
+		enumerator->current->type = type;
+		switch (type)
+		{
+			case AUTH_RULE_AUTH_CLASS:
+			case AUTH_RULE_EAP_TYPE:
+			case AUTH_RULE_EAP_VENDOR:
+			case AUTH_RULE_CRL_VALIDATION:
+			case AUTH_RULE_OCSP_VALIDATION:
+				/* integer type */
+				enumerator->current->value = (void*)(uintptr_t)va_arg(args, u_int);
+				break;
+			case AUTH_RULE_IDENTITY:
+			case AUTH_RULE_EAP_IDENTITY:
+			case AUTH_RULE_AC_GROUP:
+			case AUTH_RULE_CA_CERT:
+			case AUTH_RULE_IM_CERT:
+			case AUTH_RULE_SUBJECT_CERT:
+			case AUTH_HELPER_IM_CERT:
+			case AUTH_HELPER_SUBJECT_CERT:
+			case AUTH_HELPER_IM_HASH_URL:
+			case AUTH_HELPER_SUBJECT_HASH_URL:
+				/* pointer type */
+				enumerator->current->value = va_arg(args, void*);
+				break;
+		}
+		va_end(args);
+	}
+}
+
+/**
+ * Implementation of auth_cfg_t.get.
+ */
+static void* get(private_auth_cfg_t *this, auth_rule_t type)
+{
+	enumerator_t *enumerator;
+	void *current_value, *best_value = NULL;
+	auth_rule_t current_type;
+	bool found = FALSE;
+	
+	enumerator = create_enumerator(this);
+	while (enumerator->enumerate(enumerator, &current_type, &current_value))
+	{
+		if (type == current_type)
+		{
+			if (type == AUTH_RULE_CRL_VALIDATION ||
+				type == AUTH_RULE_OCSP_VALIDATION)
+			{	/* for CRL/OCSP validation, always get() the highest value */
+				if (!found || current_value > best_value)
+				{
+					best_value = current_value;
+				}
+				found = TRUE;
+				continue;
+			}
+			best_value = current_value;
+			found = TRUE;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	if (found)
+	{
+		return best_value;
+	}
+	switch (type)
+	{
+		/* use some sane defaults if we don't find an entry */
+		case AUTH_RULE_AUTH_CLASS:
+			return (void*)AUTH_CLASS_ANY;
+		case AUTH_RULE_EAP_TYPE:
+			return (void*)EAP_NAK;
+		case AUTH_RULE_EAP_VENDOR:
+			return (void*)0;
+		case AUTH_RULE_CRL_VALIDATION:
+		case AUTH_RULE_OCSP_VALIDATION:
+			return (void*)VALIDATION_FAILED;
+		case AUTH_RULE_IDENTITY:
+		case AUTH_RULE_EAP_IDENTITY:
+		case AUTH_RULE_AC_GROUP:
+		case AUTH_RULE_CA_CERT:
+		case AUTH_RULE_IM_CERT:
+		case AUTH_RULE_SUBJECT_CERT:
+		case AUTH_HELPER_IM_CERT:
+		case AUTH_HELPER_SUBJECT_CERT:
+		case AUTH_HELPER_IM_HASH_URL:
+		case AUTH_HELPER_SUBJECT_HASH_URL:
+		default:
+			return NULL;
+	}
+}
+
+/**
+ * Implementation of auth_cfg_t.add.
+ */
+static void add(private_auth_cfg_t *this, auth_rule_t type, ...)
+{
+	entry_t *entry = malloc_thing(entry_t);
+	va_list args;
+	
+	va_start(args, type);
+	entry->type = type;
+	switch (type)
+	{
+		case AUTH_RULE_AUTH_CLASS:
+		case AUTH_RULE_EAP_TYPE:
+		case AUTH_RULE_EAP_VENDOR:
+		case AUTH_RULE_CRL_VALIDATION:
+		case AUTH_RULE_OCSP_VALIDATION:
+			/* integer type */
+			entry->value = (void*)(uintptr_t)va_arg(args, u_int);
+			break;
+		case AUTH_RULE_IDENTITY:
+		case AUTH_RULE_EAP_IDENTITY:
+		case AUTH_RULE_AC_GROUP:
+		case AUTH_RULE_CA_CERT:
+		case AUTH_RULE_IM_CERT:
+		case AUTH_RULE_SUBJECT_CERT:
+		case AUTH_HELPER_IM_CERT:
+		case AUTH_HELPER_SUBJECT_CERT:
+		case AUTH_HELPER_IM_HASH_URL:
+		case AUTH_HELPER_SUBJECT_HASH_URL:
+			/* pointer type */
+			entry->value = va_arg(args, void*);
+			break;
+	}
+	va_end(args);
+	this->entries->insert_last(this->entries, entry);
+}
+
+/**
+ * Implementation of auth_cfg_t.complies.
+ */
+static bool complies(private_auth_cfg_t *this, auth_cfg_t *constraints,
+					 bool log_error)
+{
+	enumerator_t *e1, *e2;
+	bool success = TRUE;
+	auth_rule_t t1, t2;
+	void *value;
+	
+	e1 = constraints->create_enumerator(constraints);
+	while (e1->enumerate(e1, &t1, &value))
+	{
+		switch (t1)
+		{
+			case AUTH_RULE_CA_CERT:
+			case AUTH_RULE_IM_CERT:
+			{
+				certificate_t *c1, *c2;
+				
+				c1 = (certificate_t*)value;
+				
+				success = FALSE;
+				e2 = create_enumerator(this);
+				while (e2->enumerate(e2, &t2, &c2))
+				{
+					if ((t2 == AUTH_RULE_CA_CERT || t2 == AUTH_RULE_IM_CERT) &&
+						c1->equals(c1, c2))
+					{
+						success = TRUE;
+					}
+				}
+				e2->destroy(e2);
+				if (!success && log_error)
+				{
+					DBG1(DBG_CFG, "constraint check failed: peer not "
+						 "authenticated by CA '%Y'.", c1->get_subject(c1));
+				}
+				break;
+			}
+			case AUTH_RULE_SUBJECT_CERT:
+			{
+				certificate_t *c1, *c2;
+				
+				c1 = (certificate_t*)value;
+				c2 = get(this, AUTH_RULE_SUBJECT_CERT);
+				if (!c2 || !c1->equals(c1, c2))
+				{
+					success = FALSE;
+					if (log_error)
+					{
+						DBG1(DBG_CFG, "constraint check failed: peer not "
+							 "authenticated with peer cert '%Y'.",
+							 c1->get_subject(c1));
+					}
+				}
+				break;
+			}
+			case AUTH_RULE_CRL_VALIDATION:
+			case AUTH_RULE_OCSP_VALIDATION:
+			{
+				cert_validation_t validated, required;
+				
+				required = (uintptr_t)value;
+				validated = (uintptr_t)get(this, t1);
+				switch (required)
+				{
+					case VALIDATION_FAILED:
+						/* no constraint */
+						break;
+					case VALIDATION_SKIPPED:
+						if (validated == VALIDATION_SKIPPED)
+						{
+							break;
+						}
+						/* FALL */
+					case VALIDATION_GOOD:
+						if (validated == VALIDATION_GOOD)
+						{
+							break;
+						}
+						/* FALL */
+					default:
+						success = FALSE;
+						if (log_error)
+						{
+							DBG1(DBG_CFG, "constraint check failed: %N is %N, "
+								 "but requires at least %N", auth_rule_names,
+								 t1, cert_validation_names, validated,
+								 cert_validation_names, required);
+						}
+						break;
+				}
+				break;
+			}
+			case AUTH_RULE_IDENTITY:
+			case AUTH_RULE_EAP_IDENTITY:
+			{
+				identification_t *id1, *id2;
+				
+				id1 = (identification_t*)value;
+				id2 = get(this, t1);
+				if (!id2 || !id2->matches(id2, id1))
+				{
+					success = FALSE;
+					if (log_error)
+					{
+						DBG1(DBG_CFG, "constraint check failed: %sidentity '%Y'"
+							 " required ", t1 == AUTH_RULE_IDENTITY ? "" :
+							 "EAP ", id1);
+					}
+				}
+				break;
+			}
+			case AUTH_RULE_AUTH_CLASS:
+			{
+				if ((uintptr_t)value != AUTH_CLASS_ANY &&
+					(uintptr_t)value != (uintptr_t)get(this, t1))
+				{
+					success = FALSE;
+					if (log_error)
+					{
+						DBG1(DBG_CFG, "constraint requires %N authentication, "
+							 "but %N was used", auth_class_names, (uintptr_t)value,
+							 auth_class_names, (uintptr_t)get(this, t1));
+					}
+				}
+				break;
+			}
+			case AUTH_RULE_EAP_TYPE:
+			{
+				if ((uintptr_t)value != (uintptr_t)get(this, t1))
+				{
+					success = FALSE;
+					if (log_error)
+					{
+						DBG1(DBG_CFG, "constraint requires %N, "
+							 "but %N was used", eap_type_names, (uintptr_t)value,
+							 eap_type_names,  (uintptr_t)get(this, t1));
+					}
+				}
+				break;
+			}
+			case AUTH_RULE_EAP_VENDOR:
+			{
+				if ((uintptr_t)value != (uintptr_t)get(this, t1))
+				{
+					success = FALSE;
+					if (log_error)
+					{
+						DBG1(DBG_CFG, "constraint requires EAP vendor %d, "
+							 "but %d was used", (uintptr_t)value,
+							 (uintptr_t)get(this, t1));
+					}
+				}
+				break;
+			}
+			case AUTH_RULE_AC_GROUP:
+			{
+				success = FALSE;
+				if (log_error)
+				{
+					DBG1(DBG_CFG, "constraint check %N not implemented!",
+						 auth_rule_names, t1);
+				}
+				break;
+			}
+			case AUTH_HELPER_IM_CERT:
+			case AUTH_HELPER_SUBJECT_CERT:
+			case AUTH_HELPER_IM_HASH_URL:
+			case AUTH_HELPER_SUBJECT_HASH_URL:
+				/* skip helpers */
+				continue;
+		}
+		if (!success)
+		{
+			break;
+		}
+	}
+	e1->destroy(e1);
+	return success;
+}
+
+/**
+ * Implementation of auth_cfg_t.merge.
+ */
+static void merge(private_auth_cfg_t *this, private_auth_cfg_t *other, bool copy)
+{
+	if (!other)
+	{	/* nothing to merge */
+		return;
+	}
+	if (copy)
+	{
+		enumerator_t *enumerator;
+		auth_rule_t type;
+		void *value;
+		
+		enumerator = create_enumerator(other);
+		while (enumerator->enumerate(enumerator, &type, &value))
+		{
+			switch (type)
+			{
+				case AUTH_RULE_CA_CERT:
+				case AUTH_RULE_IM_CERT:
+				case AUTH_RULE_SUBJECT_CERT:
+				case AUTH_HELPER_IM_CERT:
+				case AUTH_HELPER_SUBJECT_CERT:
+				{
+					certificate_t *cert = (certificate_t*)value;
+					
+					add(this, type, cert->get_ref(cert));
+					break;
+				}
+				case AUTH_RULE_CRL_VALIDATION:
+				case AUTH_RULE_OCSP_VALIDATION:
+				case AUTH_RULE_AUTH_CLASS:
+				case AUTH_RULE_EAP_TYPE:
+				case AUTH_RULE_EAP_VENDOR:
+				{
+					add(this, type, (uintptr_t)value);
+					break;
+				}
+				case AUTH_RULE_IDENTITY:
+				case AUTH_RULE_EAP_IDENTITY:
+				case AUTH_RULE_AC_GROUP:
+				{
+					identification_t *id = (identification_t*)value;
+					
+					add(this, type, id->clone(id));
+					break;
+				}
+				case AUTH_HELPER_IM_HASH_URL:
+				case AUTH_HELPER_SUBJECT_HASH_URL:
+				{
+					add(this, type, strdup((char*)value));
+					break;
+				}
+			}
+		}
+		enumerator->destroy(enumerator);
+	}
+	else
+	{
+		entry_t *entry;
+		
+		while (other->entries->remove_first(other->entries,
+											(void**)&entry) == SUCCESS)
+		{
+			this->entries->insert_last(this->entries, entry);
+		}
+	}
+}
+
+/**
+ * Implementation of auth_cfg_t.equals.
+ */
+static bool equals(private_auth_cfg_t *this, private_auth_cfg_t *other)
+{
+	enumerator_t *e1, *e2;
+	entry_t *i1, *i2;
+	bool equal = TRUE, found;
+	
+	if (this->entries->get_count(this->entries) !=
+		other->entries->get_count(other->entries))
+	{
+		return FALSE;
+	}
+	e1 = this->entries->create_enumerator(this->entries);
+	while (e1->enumerate(e1, &i1))
+	{
+		found = FALSE;
+		e2 = other->entries->create_enumerator(other->entries);
+		while (e2->enumerate(e2, &i2))
+		{
+			if (i1->type == i2->type)
+			{
+				switch (i1->type)
+				{
+					case AUTH_RULE_AUTH_CLASS:
+					case AUTH_RULE_EAP_TYPE:
+					case AUTH_RULE_EAP_VENDOR:
+					case AUTH_RULE_CRL_VALIDATION:
+					case AUTH_RULE_OCSP_VALIDATION:
+					{
+						if (i1->value == i2->value)
+						{
+							found = TRUE;
+							break;
+						}
+						continue;
+					}
+					case AUTH_RULE_CA_CERT:
+					case AUTH_RULE_IM_CERT:
+					case AUTH_RULE_SUBJECT_CERT:
+					case AUTH_HELPER_IM_CERT:
+					case AUTH_HELPER_SUBJECT_CERT:
+					{
+						certificate_t *c1, *c2;
+						
+						c1 = (certificate_t*)i1->value;
+						c2 = (certificate_t*)i2->value;
+						
+						if (c1->equals(c1, c2))
+						{
+							found = TRUE;
+							break;
+						}
+						continue;
+					}
+					case AUTH_RULE_IDENTITY:
+					case AUTH_RULE_EAP_IDENTITY:
+					case AUTH_RULE_AC_GROUP:
+					{
+						identification_t *id1, *id2;
+						
+						id1 = (identification_t*)i1->value;
+						id2 = (identification_t*)i2->value;
+						
+						if (id1->equals(id1, id2))
+						{
+							found = TRUE;
+							break;
+						}
+						continue;
+					}
+					case AUTH_HELPER_IM_HASH_URL:
+					case AUTH_HELPER_SUBJECT_HASH_URL:
+					{
+						if (streq(i1->value, i2->value))
+						{
+							found = TRUE;
+							break;
+						}
+						continue;
+					}
+				}
+				break;
+			}
+		}
+		e2->destroy(e2);
+		if (!found)
+		{
+			equal = FALSE;
+			break;
+		}
+	}
+	e1->destroy(e1);
+	return equal;
+}
+
+/**
+ * Implementation of auth_cfg_t.purge
+ */
+static void purge(private_auth_cfg_t *this, bool keep_ca)
+{
+	entry_t *entry;
+	linked_list_t *cas;
+	
+	cas = linked_list_create();
+	while (this->entries->remove_last(this->entries, (void**)&entry) == SUCCESS)
+	{
+		if (keep_ca && entry->type == AUTH_RULE_CA_CERT)
+		{
+			cas->insert_first(cas, entry);
+		}
+		else
+		{
+			destroy_entry_value(entry);
+			free(entry);
+		}
+	}
+	while (cas->remove_last(cas, (void**)&entry) == SUCCESS)
+	{
+		this->entries->insert_first(this->entries, entry);
+	}
+	cas->destroy(cas);
+}
+
+/**
+ * Implementation of auth_cfg_t.clone
+ */
+static auth_cfg_t* clone_(private_auth_cfg_t *this)
+{
+	enumerator_t *enumerator;
+	auth_cfg_t *clone;
+	entry_t *entry;
+	
+	clone = auth_cfg_create();
+	enumerator = this->entries->create_enumerator(this->entries);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		switch (entry->type)
+		{
+			case AUTH_RULE_IDENTITY:
+			case AUTH_RULE_EAP_IDENTITY:
+			case AUTH_RULE_AC_GROUP:
+			{
+				identification_t *id = (identification_t*)entry->value;
+				clone->add(clone, entry->type, id->clone(id));
+				break;
+			}
+			case AUTH_RULE_CA_CERT:
+			case AUTH_RULE_IM_CERT:
+			case AUTH_RULE_SUBJECT_CERT:
+			case AUTH_HELPER_IM_CERT:
+			case AUTH_HELPER_SUBJECT_CERT:
+			{
+				certificate_t *cert = (certificate_t*)entry->value;
+				clone->add(clone, entry->type, cert->get_ref(cert));
+				break;
+			}
+			case AUTH_HELPER_IM_HASH_URL:
+			case AUTH_HELPER_SUBJECT_HASH_URL:
+			{
+				clone->add(clone, entry->type, strdup(entry->value));
+				break;
+			}
+			case AUTH_RULE_AUTH_CLASS:
+			case AUTH_RULE_EAP_TYPE:
+			case AUTH_RULE_EAP_VENDOR:
+			case AUTH_RULE_CRL_VALIDATION:
+			case AUTH_RULE_OCSP_VALIDATION:
+				clone->add(clone, entry->type, (uintptr_t)entry->value);
+				break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return clone;
+}
+
+/**
+ * Implementation of auth_cfg_t.destroy
+ */
+static void destroy(private_auth_cfg_t *this)
+{
+	purge(this, FALSE);
+	this->entries->destroy(this->entries);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+auth_cfg_t *auth_cfg_create()
+{
+	private_auth_cfg_t *this = malloc_thing(private_auth_cfg_t);
+	
+	this->public.add = (void(*)(auth_cfg_t*, auth_rule_t type, ...))add;
+	this->public.get = (void*(*)(auth_cfg_t*, auth_rule_t type))get;
+	this->public.create_enumerator = (enumerator_t*(*)(auth_cfg_t*))create_enumerator;
+	this->public.replace = (void(*)(auth_cfg_t*,enumerator_t*,auth_rule_t,...))replace;
+	this->public.complies = (bool(*)(auth_cfg_t*, auth_cfg_t *,bool))complies;
+	this->public.merge = (void(*)(auth_cfg_t*, auth_cfg_t *other,bool))merge;
+	this->public.purge = (void(*)(auth_cfg_t*,bool))purge;
+	this->public.equals = (bool(*)(auth_cfg_t*, auth_cfg_t *other))equals;
+	this->public.clone = (auth_cfg_t*(*)(auth_cfg_t*))clone_;
+	this->public.destroy = (void(*)(auth_cfg_t*))destroy;
+	
+	this->entries = linked_list_create();
+	
+	return &this->public;
+}
+
diff --git a/src/charon/config/auth_cfg.h b/src/charon/config/auth_cfg.h
new file mode 100644
index 000000000..c6bc1959b
--- /dev/null
+++ b/src/charon/config/auth_cfg.h
@@ -0,0 +1,201 @@
+/*
+ * Copyright (C) 2007-2009 Martin Willi
+ * Copyright (C) 2008 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup auth_cfg auth_cfg
+ * @{ @ingroup config
+ */
+
+#ifndef AUTH_CFG_H_
+#define AUTH_CFG_H_
+
+#include <utils/enumerator.h>
+
+typedef struct auth_cfg_t auth_cfg_t;
+typedef enum auth_rule_t auth_rule_t;
+
+/**
+ * Authentication config to use during authentication process.
+ *
+ * Each authentication config contains a set of rules. These rule-sets are used
+ * in two ways:
+ * - For configs specifying local authentication behavior, the rules define
+ *   which authentication method in which way.
+ * - For configs specifying remote peer authentication, the rules define
+ *   constraints the peer has to fullfill.
+ *
+ * Additionally to the rules, there is a set of helper items. These are used
+ * to transport credentials during the authentication process.
+ */
+enum auth_rule_t {
+	
+	/** identity to use for IKEv2 authentication exchange, identification_t* */
+	AUTH_RULE_IDENTITY,
+	/** authentication class, auth_class_t */
+	AUTH_RULE_AUTH_CLASS,
+	/** EAP identity to use within EAP-Identity exchange, identification_t* */
+	AUTH_RULE_EAP_IDENTITY,
+	/** EAP type to propose for peer authentication, eap_type_t */
+	AUTH_RULE_EAP_TYPE,
+	/** EAP vendor for vendor specific type, u_int32_t */
+	AUTH_RULE_EAP_VENDOR,
+	/** certificate authority, certificate_t* */
+	AUTH_RULE_CA_CERT,
+	/** intermediate certificate in trustchain, certificate_t* */
+	AUTH_RULE_IM_CERT,
+	/** subject certificate, certificate_t* */
+	AUTH_RULE_SUBJECT_CERT,
+	/** result of a CRL validation, cert_validation_t */
+	AUTH_RULE_CRL_VALIDATION,
+	/** result of a OCSP validation, cert_validation_t */
+	AUTH_RULE_OCSP_VALIDATION,
+	/** subject is in attribute certificate group, identification_t* */
+	AUTH_RULE_AC_GROUP,
+	
+	/** intermediate certificate, certificate_t* */
+	AUTH_HELPER_IM_CERT,
+	/** subject certificate, certificate_t* */
+	AUTH_HELPER_SUBJECT_CERT,
+	/** Hash and URL of a intermediate certificate, char* */
+	AUTH_HELPER_IM_HASH_URL,
+	/** Hash and URL of a end-entity certificate, char* */
+	AUTH_HELPER_SUBJECT_HASH_URL,
+};
+
+/**
+ * enum name for auth_rule_t.
+ */
+extern enum_name_t *auth_rule_names;
+
+/**
+ * Authentication/Authorization round.
+ *
+ * RFC4739 defines multiple authentication rounds. This class defines such
+ * a round from a configuration perspective, either for the local or the remote
+ * peer. Local config are called "rulesets", as they define how we authenticate.
+ * Remote peer configs are called "constraits", they define what is needed to 
+ * complete the authentication round successfully.
+ *
+ * @verbatim
+
+   [Repeat for each configuration]
+   +--------------------------------------------------+
+   |                                                  |
+   |                                                  |
+   |   +----------+     IKE_AUTH       +--------- +   |
+   |   |  config  |   ----------->     |          |   |
+   |   |  ruleset |                    |          |   |
+   |   +----------+ [ <----------- ]   |          |   |
+   |                [ optional EAP ]   |   Peer   |   |
+   |   +----------+ [ -----------> ]   |          |   |
+   |   |  config  |                    |          |   |
+   |   |  constr. |   <-----------     |          |   |
+   |   +----------+     IKE_AUTH       +--------- +   |
+   |                                                  |
+   |                                                  |
+   +--------------------------------------------------+
+
+   @endverbatim
+ *
+ * Values for each items are either pointers (casted to void*) or short
+ * integers (use uintptr_t cast).
+ */
+struct auth_cfg_t {
+
+	/**
+	 * Add an rule to the set.
+	 *
+	 * @param rule		rule type
+	 * @param ...		associated value to rule
+	 */
+	void (*add)(auth_cfg_t *this, auth_rule_t rule, ...);
+	
+	/**
+	 * Get an rule value.
+	 *
+	 * @param rule		rule type
+	 * @return			bool if item has been found
+	 */
+	void* (*get)(auth_cfg_t *this, auth_rule_t rule);
+	
+	/**
+	 * Create an enumerator over added rules.
+	 *
+	 * @return			enumerator over (auth_rule_t, union{void*,uintpr_t})
+	 */
+	enumerator_t* (*create_enumerator)(auth_cfg_t *this);
+	
+	/**
+	 * Replace an rule at enumerator position.
+	 *
+	 * @param pos		enumerator position position
+	 * @param rule		rule type
+	 * @param ...		associated value to rule
+	 */
+	void (*replace)(auth_cfg_t *this, enumerator_t *pos,
+					auth_rule_t rule, ...);
+	
+	/**
+	 * Check if a used config fulfills a set of configured constraints.
+	 *
+	 * @param constraints	required authorization rules
+	 * @param log_error		wheter to log compliance errors
+	 * @return				TRUE if this complies with constraints
+	 */
+	bool (*complies)(auth_cfg_t *this, auth_cfg_t *constraints, bool log_error);
+	
+	/**
+	 * Merge items from other into this.
+	 *
+	 * @param other		items to read for merge
+	 * @param copy		TRUE to copy items, FALSE to move them
+	 */
+	void (*merge)(auth_cfg_t *this, auth_cfg_t *other, bool copy);
+	
+	/**
+	 * Purge all rules in a config.
+	 *
+	 * @param keep_ca	wheter to keep AUTH_RULE_CA_CERT entries
+	 */
+	void (*purge)(auth_cfg_t *this, bool keep_ca);
+	
+	/**
+	 * Check two configs for equality.
+	 *
+	 * @param other		other config to compaire against this
+	 * @return			TRUE if auth infos identical
+	 */
+	bool (*equals)(auth_cfg_t *this, auth_cfg_t *other);
+	
+	/**
+	 * Clone a authentication config, including all rules.
+	 *
+	 * @return			cloned configuration
+	 */
+	auth_cfg_t* (*clone)(auth_cfg_t *this);
+	
+	/**
+	 * Destroy a config with all associated rules/values.
+	 */
+	void (*destroy)(auth_cfg_t *this);
+};
+
+/**
+ * Create a authentication config.
+ */
+auth_cfg_t *auth_cfg_create();
+
+#endif /** AUTH_CFG_H_ @}*/
diff --git a/src/charon/config/backend.h b/src/charon/config/backend.h
index 3a22f61ac..458abc37f 100644
--- a/src/charon/config/backend.h
+++ b/src/charon/config/backend.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: backend.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -28,7 +26,6 @@ typedef struct backend_t backend_t;
 #include <library.h>
 #include <config/ike_cfg.h>
 #include <config/peer_cfg.h>
-#include <credentials/auth_info.h>
 #include <utils/linked_list.h>
 
 /**
@@ -45,6 +42,10 @@ struct backend_t {
 	 *
 	 * Hosts may be NULL to get all.
 	 *
+	 * There is no requirement for the backend to filter the configurations
+	 * using the supplied hosts; but it may do so if it increases lookup times
+	 * (e.g. include hosts in SQL query).
+	 *
 	 * @param me		address of local host
 	 * @param other		address of remote host
 	 * @return			enumerator over ike_cfg_t's
@@ -52,10 +53,17 @@ struct backend_t {
 	enumerator_t* (*create_ike_cfg_enumerator)(backend_t *this,
 											   host_t *me, host_t *other);
 	/**
-	 * Create an enumerator over all Peer configs matching two IDs.
+	 * Create an enumerator over all peer configs matching two identities.
 	 *
 	 * IDs may be NULL to get all.
 	 *
+	 * As configurations are looked up in the first authentication round (when
+	 * multiple authentication), the backend implementation should compare
+	 * the identities to the first auth_cfgs only.
+	 * There is no requirement for the backend to filter the configurations
+	 * using the supplied identities; but it may do so if it increases lookup
+	 * times (e.g. include hosts in SQL query).
+	 *
 	 * @param me		identity of ourself
 	 * @param other		identity of remote host
 	 * @return			enumerator over peer_cfg_t
@@ -64,7 +72,7 @@ struct backend_t {
 												identification_t *me,
 												identification_t *other);
 	/**
-	 * Get a peer_cfg identified by it's name, or a name of its child.
+	 * Get a peer_cfg identified by it's name, or a name of its children.
 	 *
 	 * @param name				name of peer/child cfg
 	 * @return					matching peer_config, or NULL if none found
diff --git a/src/charon/config/backend_manager.c b/src/charon/config/backend_manager.c
index a9fe974af..3a3a78466 100644
--- a/src/charon/config/backend_manager.c
+++ b/src/charon/config/backend_manager.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2007 Martin Willi
+ * Copyright (C) 2007-2009 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: backend_manager.c 4758 2008-12-04 23:16:10Z andreas $
  */
 
 #include "backend_manager.h"
@@ -67,15 +65,6 @@ typedef struct {
 	host_t *other;
 } ike_data_t;
 
-/**
- * data to pass nested peer enumerator
- */
-typedef struct {
-	private_backend_manager_t *this;
-	identification_t *me;
-	identification_t *other;
-} peer_data_t;
-
 /**
  * inner enumerator constructor for IKE cfgs
  */
@@ -84,60 +73,59 @@ static enumerator_t *ike_enum_create(backend_t *backend, ike_data_t *data)
 	return backend->create_ike_cfg_enumerator(backend, data->me, data->other);
 }
 
-/**
- * inner enumerator constructor for Peer cfgs
- */
-static enumerator_t *peer_enum_create(backend_t *backend, peer_data_t *data)
-{
-	return backend->create_peer_cfg_enumerator(backend, data->me, data->other);
-}
-/**
- * inner enumerator constructor for all Peer cfgs
- */
-static enumerator_t *peer_enum_create_all(backend_t *backend)
-{
-	return backend->create_peer_cfg_enumerator(backend, NULL, NULL);
-}
-
 /**
  * get a match of a candidate ike_cfg for two hosts
  */
-static ike_cfg_match_t get_match(ike_cfg_t *cand, host_t *me, host_t *other)
+static ike_cfg_match_t get_ike_match(ike_cfg_t *cand, host_t *me, host_t *other)
 {
 	host_t *me_cand, *other_cand;
 	ike_cfg_match_t match = MATCH_NONE;
 	
-	me_cand = host_create_from_dns(cand->get_my_addr(cand),
-								   me->get_family(me), 0);
-	if (!me_cand)
+	if (me)
 	{
-		return MATCH_NONE;
-	}
-	if (me_cand->ip_equals(me_cand, me))
-	{
-		match += MATCH_ME;
+		me_cand = host_create_from_dns(cand->get_my_addr(cand),
+									   me->get_family(me), 0);
+		if (!me_cand)
+		{
+			return MATCH_NONE;
+		}
+		if (me_cand->ip_equals(me_cand, me))
+		{
+			match += MATCH_ME;
+		}
+		else if (me_cand->is_anyaddr(me_cand))
+		{
+			match += MATCH_ANY;
+		}
+		me_cand->destroy(me_cand);
 	}
-	else if (me_cand->is_anyaddr(me_cand))
+	else
 	{
 		match += MATCH_ANY;
 	}
-	me_cand->destroy(me_cand);
 	
-	other_cand = host_create_from_dns(cand->get_other_addr(cand),
-									  other->get_family(other), 0);
-	if (!other_cand)
+	if (other)
 	{
-		return MATCH_NONE;
-	}
-	if (other_cand->ip_equals(other_cand, other))
-	{
-		match += MATCH_OTHER;
+		other_cand = host_create_from_dns(cand->get_other_addr(cand),
+										  other->get_family(other), 0);
+		if (!other_cand)
+		{
+			return MATCH_NONE;
+		}
+		if (other_cand->ip_equals(other_cand, other))
+		{
+			match += MATCH_OTHER;
+		}
+		else if (other_cand->is_anyaddr(other_cand))
+		{
+			match += MATCH_ANY;
+		}
+		other_cand->destroy(other_cand);
 	}
-	else if (other_cand->is_anyaddr(other_cand))
+	else
 	{
 		match += MATCH_ANY;
 	}
-	other_cand->destroy(other_cand);
 	return match;
 }
 
@@ -165,7 +153,7 @@ static ike_cfg_t *get_ike_cfg(private_backend_manager_t *this,
 						(void*)ike_enum_create, data, (void*)free);
 	while (enumerator->enumerate(enumerator, (void**)&current))
 	{
-		match = get_match(current, me, other);
+		match = get_ike_match(current, me, other);
 		
 		if (match)
 		{
@@ -191,87 +179,198 @@ static ike_cfg_t *get_ike_cfg(private_backend_manager_t *this,
 	return found;
 }
 
+/**
+ * Get the best ID match in one of the configs auth_cfg
+ */
+static id_match_t get_peer_match(identification_t *id,
+								 peer_cfg_t *cfg, bool local)
+{
+	enumerator_t *enumerator;
+	auth_cfg_t *auth;
+	identification_t *candidate;
+	id_match_t match = ID_MATCH_NONE;
+	
+	if (!id)
+	{
+		return ID_MATCH_ANY;
+	}
+	
+	/* compare first auth config only */
+	enumerator = cfg->create_auth_cfg_enumerator(cfg, local);
+	if (enumerator->enumerate(enumerator, &auth))
+	{
+		candidate = auth->get(auth, AUTH_RULE_IDENTITY);
+		if (candidate)
+		{
+			match = id->matches(id, candidate);
+			/* match vice-versa, as the proposed IDr might be ANY */
+			if (!match)
+			{
+				match = candidate->matches(candidate, id);
+			}
+		}
+		else
+		{
+			match = ID_MATCH_ANY;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return match;
+}
+
+/**
+ * data to pass nested peer enumerator
+ */
+typedef struct {
+	rwlock_t *lock;
+	identification_t *me;
+	identification_t *other;
+} peer_data_t;
+
+/**
+ * list element to help sorting
+ */
+typedef struct {
+	id_match_t match_peer;
+	ike_cfg_match_t match_ike;
+	peer_cfg_t *cfg;
+} match_entry_t;
+
+/**
+ * inner enumerator constructor for peer cfgs
+ */
+static enumerator_t *peer_enum_create(backend_t *backend, peer_data_t *data)
+{
+	return backend->create_peer_cfg_enumerator(backend, data->me, data->other);
+}
+
+/**
+ * unlock/cleanup peer enumerator
+ */
+static void peer_enum_destroy(peer_data_t *data)
+{
+	data->lock->unlock(data->lock);
+	free(data);
+}
 
-static enumerator_t *create_peer_cfg_enumerator(private_backend_manager_t *this)
+/**
+ * convert enumerator value from match_entry to config
+ */
+static bool peer_enum_filter(linked_list_t *configs,
+							 match_entry_t **in, peer_cfg_t **out)
 {
-	this->lock->read_lock(this->lock);
-	return enumerator_create_nested(
-							this->backends->create_enumerator(this->backends),
-							(void*)peer_enum_create_all, this->lock,
-							(void*)this->lock->unlock);
+	*out = (*in)->cfg;
+	return TRUE;
+}
+
+/**
+ * Clean up temporary config list
+ */
+static void peer_enum_filter_destroy(linked_list_t *configs)
+{
+	match_entry_t *entry;
+	
+	while (configs->remove_last(configs, (void**)&entry) == SUCCESS)
+	{
+		entry->cfg->destroy(entry->cfg);
+		free(entry);
+	}
+	configs->destroy(configs);
 }
 
 /**
- * implements backend_manager_t.get_peer_cfg.
+ * Insert entry into match-sorted list, using helper
+ */
+static void insert_sorted(match_entry_t *entry, linked_list_t *list,
+						  linked_list_t *helper)
+{
+	match_entry_t *current;
+	
+	while (list->remove_first(list, (void**)&current) == SUCCESS)
+	{
+		helper->insert_last(helper, current);
+	}
+	while (helper->remove_first(helper, (void**)&current) == SUCCESS)
+	{
+		if (entry && (
+			 (entry->match_ike > current->match_ike &&
+			  entry->match_peer >= current->match_peer) ||
+			 (entry->match_ike >= current->match_ike &&
+			  entry->match_peer > current->match_peer)))
+		{
+			list->insert_last(list, entry);
+			entry = NULL;
+		}
+		list->insert_last(list, current);
+	}
+	if (entry)
+	{
+		list->insert_last(list, entry);
+	}
+}
+
+/**
+ * Implements backend_manager_t.create_peer_cfg_enumerator.
  */			
-static peer_cfg_t *get_peer_cfg(private_backend_manager_t *this, host_t *me,
-								host_t *other, identification_t *my_id,
-								identification_t *other_id, auth_info_t *auth)
+static enumerator_t *create_peer_cfg_enumerator(private_backend_manager_t *this,
+							host_t *me, host_t *other, identification_t *my_id,
+							identification_t *other_id)
 {
-	peer_cfg_t *current, *found = NULL;
 	enumerator_t *enumerator;
-	id_match_t best_peer = ID_MATCH_NONE;
-	ike_cfg_match_t best_ike = MATCH_NONE;
 	peer_data_t *data;
-	
-	DBG2(DBG_CFG, "looking for a peer config for %H[%D]...%H[%D]",
-		 me, my_id, other, other_id);
+	peer_cfg_t *cfg;
+	linked_list_t *configs, *helper;
 	
 	data = malloc_thing(peer_data_t);
-	data->this = this;
+	data->lock = this->lock;
 	data->me = my_id;
 	data->other = other_id;
 	
+	/* create a sorted list with all matches */
 	this->lock->read_lock(this->lock);
 	enumerator = enumerator_create_nested(
-						this->backends->create_enumerator(this->backends),
-						(void*)peer_enum_create, data, (void*)free);
-	while (enumerator->enumerate(enumerator, &current))
+					this->backends->create_enumerator(this->backends),
+					(void*)peer_enum_create, data, (void*)peer_enum_destroy);
+	
+	if (!me && !other && !my_id && !other_id)
+	{	/* shortcut if we are doing a "listall" */
+		return enumerator;
+	}
+	
+	DBG1(DBG_CFG, "looking for peer configs matching %H[%Y]...%H[%Y]",
+		 me, my_id, other, other_id);
+	
+	configs = linked_list_create();
+	/* only once allocated helper list for sorting */
+	helper = linked_list_create();
+	while (enumerator->enumerate(enumerator, &cfg))
 	{
-		identification_t *my_cand, *other_cand;
-		id_match_t m1, m2, match_peer;
+		id_match_t match_peer_me, match_peer_other;
 		ike_cfg_match_t match_ike;
+		match_entry_t *entry;
 		
-		my_cand = current->get_my_id(current);
-		other_cand = current->get_other_id(current);
-		
-		/* own ID may have wildcards in both, config and request (missing IDr) */
-		m1 = my_cand->matches(my_cand, my_id);
-		if (!m1)
-		{
-			m1 = my_id->matches(my_id, my_cand);
-		}
-		m2 = other_id->matches(other_id, other_cand);
-		
-		match_peer = m1 + m2;
-		match_ike = get_match(current->get_ike_cfg(current), me, other);
+		match_peer_me = get_peer_match(my_id, cfg, TRUE);
+		match_peer_other = get_peer_match(other_id, cfg, FALSE);
+		match_ike = get_ike_match(cfg->get_ike_cfg(cfg), me, other);
 		
-		if (m1 && m2 && match_ike && 
-			auth->complies(auth, current->get_auth(current)))
+		if (match_peer_me && match_peer_other && match_ike)
 		{
-			DBG2(DBG_CFG, "  candidate \"%s\": %D...%D with prio %d.%d",
-			 	 current->get_name(current), my_cand, other_cand,
-			 	 match_peer, match_ike);
-			if ((match_peer > best_peer && match_ike >= best_ike) ||
-				(match_peer >= best_peer && match_ike > best_ike))
-			{
-				DESTROY_IF(found);
-				found = current;
-				found->get_ref(found);
-				best_peer = match_peer;
-				best_ike = match_ike;
-			}
+			DBG2(DBG_CFG, "  candidate \"%s\", match: %d/%d/%d (me/other/ike)",
+				 cfg->get_name(cfg), match_peer_me, match_peer_other, match_ike);
+			
+			entry = malloc_thing(match_entry_t);
+			entry->match_peer = match_peer_me + match_peer_other;
+			entry->match_ike = match_ike;
+			entry->cfg = cfg->get_ref(cfg);
+			insert_sorted(entry, configs, helper);
 		}
 	}
-	if (found)
-	{
-		DBG1(DBG_CFG, "found matching peer config \"%s\": %D...%D with prio %d.%d",
-			 found->get_name(found), found->get_my_id(found),
-			 found->get_other_id(found), best_peer, best_ike);
-	}
 	enumerator->destroy(enumerator);
-	this->lock->unlock(this->lock);
-	return found;
+	helper->destroy(helper);
+	
+	return enumerator_create_filter(configs->create_enumerator(configs),
+									(void*)peer_enum_filter, configs,
+									(void*)peer_enum_filter_destroy);
 }
 
 /**
@@ -332,9 +431,8 @@ backend_manager_t *backend_manager_create()
 	private_backend_manager_t *this = malloc_thing(private_backend_manager_t);
 	
 	this->public.get_ike_cfg = (ike_cfg_t* (*)(backend_manager_t*, host_t*, host_t*))get_ike_cfg;
-	this->public.get_peer_cfg = (peer_cfg_t* (*)(backend_manager_t*,host_t*,host_t*,identification_t*,identification_t*,auth_info_t*))get_peer_cfg;
 	this->public.get_peer_cfg_by_name = (peer_cfg_t* (*)(backend_manager_t*,char*))get_peer_cfg_by_name;
-	this->public.create_peer_cfg_enumerator = (enumerator_t* (*)(backend_manager_t*))create_peer_cfg_enumerator;
+	this->public.create_peer_cfg_enumerator = (enumerator_t* (*)(backend_manager_t*,host_t*,host_t*,identification_t*,identification_t*))create_peer_cfg_enumerator;
 	this->public.add_backend = (void(*)(backend_manager_t*, backend_t *backend))add_backend;
 	this->public.remove_backend = (void(*)(backend_manager_t*, backend_t *backend))remove_backend;
 	this->public.destroy = (void (*)(backend_manager_t*))destroy;
diff --git a/src/charon/config/backend_manager.h b/src/charon/config/backend_manager.h
index 657e5af94..0b7d7d0f8 100644
--- a/src/charon/config/backend_manager.h
+++ b/src/charon/config/backend_manager.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: backend_manager.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -63,20 +61,6 @@ struct backend_manager_t {
 	ike_cfg_t* (*get_ike_cfg)(backend_manager_t *this, 
 							  host_t *my_host, host_t *other_host);
 	
-	/**
-	 * Get a peer_config identified by two IDs and authorization info.
-	 *
-	 * @param me				own address
-	 * @param other				peer address
-	 * @param my_id				own ID
-	 * @param other_id			peer ID
-	 * @param auth_info			authorization info
-	 * @return					matching peer_config, or NULL if none found
-	 */
-	peer_cfg_t* (*get_peer_cfg)(backend_manager_t *this, host_t *me,
-								host_t *other, identification_t *my_id,
-								identification_t *other_id, auth_info_t *auth);
-	
 	/**
 	 * Get a peer_config identified by it's name.
 	 *
@@ -86,12 +70,20 @@ struct backend_manager_t {
 	peer_cfg_t* (*get_peer_cfg_by_name)(backend_manager_t *this, char *name);
 	
 	/**
-	 * Create an enumerator over all peer configs.
+	 * Create an enumerator over all matching peer configs.
 	 *
-	 * @return 					enumerator over peer configs
+	 * Pass NULL as parameters to match any. The enumerator enumerates over
+	 * peer_cfgs, ordered by priority (best match first).
+	 *
+	 * @param me				local address
+	 * @param other				remote address
+	 * @param my_id				IDr in first authentication round
+	 * @param other_id			IDi in first authentication round
+	 * @return 					enumerator over peer_cfg_t
 	 */
-	enumerator_t* (*create_peer_cfg_enumerator)(backend_manager_t *this);
-	
+	enumerator_t* (*create_peer_cfg_enumerator)(backend_manager_t *this,
+							host_t *me, host_t *other, identification_t *my_id,
+							identification_t *other_id);
 	/**
 	 * Register a backend on the manager.
 	 *
diff --git a/src/charon/config/child_cfg.c b/src/charon/config/child_cfg.c
index 737a38e89..43e41671a 100644
--- a/src/charon/config/child_cfg.c
+++ b/src/charon/config/child_cfg.c
@@ -13,8 +13,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: child_cfg.c 4862 2009-02-11 16:41:37Z andreas $
  */
 
 #include "child_cfg.h"
diff --git a/src/charon/config/child_cfg.h b/src/charon/config/child_cfg.h
index 6e3b0ba00..185fee3da 100644
--- a/src/charon/config/child_cfg.h
+++ b/src/charon/config/child_cfg.h
@@ -13,8 +13,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: child_cfg.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/charon/config/ike_cfg.c b/src/charon/config/ike_cfg.c
index 8beccdc29..e80ab577e 100644
--- a/src/charon/config/ike_cfg.c
+++ b/src/charon/config/ike_cfg.c
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: ike_cfg.c 4062 2008-06-12 11:42:19Z martin $
  */
 
 #include "ike_cfg.h"
diff --git a/src/charon/config/ike_cfg.h b/src/charon/config/ike_cfg.h
index c2f1f2867..064906423 100644
--- a/src/charon/config/ike_cfg.h
+++ b/src/charon/config/ike_cfg.h
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: ike_cfg.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/charon/config/peer_cfg.c b/src/charon/config/peer_cfg.c
index 9cbca040d..da796d6a2 100644
--- a/src/charon/config/peer_cfg.c
+++ b/src/charon/config/peer_cfg.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2007-2008 Tobias Brunner
- * Copyright (C) 2005-2008 Martin Willi
+ * Copyright (C) 2005-2009 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
  *
@@ -13,8 +13,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: peer_cfg.c 4612 2008-11-11 06:37:37Z andreas $
  */
 
 #include <string.h>
@@ -81,16 +79,6 @@ struct private_peer_cfg_t {
 	 */
 	mutex_t *mutex;
 	
-	/**
-	 * id to use to identify us
-	 */
-	identification_t *my_id;
-	
-	/**
-	 * allowed id for other
-	 */
-	identification_t *other_id;
-	
 	/**
 	 * should we send a certificate
 	 */
@@ -147,10 +135,15 @@ struct private_peer_cfg_t {
 	char *pool;
 	
 	/**
-	 * required authorization constraints
+	 * local authentication configs (rulesets)
 	 */
-	auth_info_t *auth;
-
+	linked_list_t *local_auth;
+	
+	/**
+	 * remote authentication configs (constraints)
+	 */
+	linked_list_t *remote_auth;
+	
 #ifdef ME	
 	/**
 	 * Is this a mediation connection?
@@ -204,14 +197,40 @@ static void add_child_cfg(private_peer_cfg_t *this, child_cfg_t *child_cfg)
 	this->mutex->unlock(this->mutex);
 }
 
+/**
+ * child_cfg enumerator
+ */
+typedef struct {
+	enumerator_t public;
+	enumerator_t *wrapped;
+	mutex_t *mutex;
+} child_cfg_enumerator_t;
+
 /**
  * Implementation of peer_cfg_t.remove_child_cfg.
  */
-static void remove_child_cfg(private_peer_cfg_t *this, enumerator_t *enumerator)
+static void remove_child_cfg(private_peer_cfg_t *this,
+							 child_cfg_enumerator_t *enumerator)
+{
+	this->child_cfgs->remove_at(this->child_cfgs, enumerator->wrapped);
+}
+
+/**
+ * Implementation of child_cfg_enumerator_t.destroy
+ */
+static void child_cfg_enumerator_destroy(child_cfg_enumerator_t *this)
 {
-	this->mutex->lock(this->mutex);
-	this->child_cfgs->remove_at(this->child_cfgs, enumerator);
 	this->mutex->unlock(this->mutex);
+	this->wrapped->destroy(this->wrapped);
+	free(this);
+}
+
+/**
+ * Implementation of child_cfg_enumerator_t.enumerate
+ */
+static bool child_cfg_enumerate(child_cfg_enumerator_t *this, child_cfg_t **chd)
+{
+	return this->wrapped->enumerate(this->wrapped, chd);
 }
 
 /**
@@ -219,12 +238,15 @@ static void remove_child_cfg(private_peer_cfg_t *this, enumerator_t *enumerator)
  */
 static enumerator_t* create_child_cfg_enumerator(private_peer_cfg_t *this)
 {
-	enumerator_t *enumerator;
-
+	child_cfg_enumerator_t *enumerator = malloc_thing(child_cfg_enumerator_t);
+	
+	enumerator->public.enumerate = (void*)child_cfg_enumerate;
+	enumerator->public.destroy = (void*)child_cfg_enumerator_destroy;
+	enumerator->mutex = this->mutex;
+	enumerator->wrapped = this->child_cfgs->create_enumerator(this->child_cfgs);
+	
 	this->mutex->lock(this->mutex);
-	enumerator = this->child_cfgs->create_enumerator(this->child_cfgs);
-	return enumerator_create_cleaner(enumerator,
-									 (void*)this->mutex->unlock, this->mutex);
+	return &enumerator->public;
 }
 
 /**
@@ -286,22 +308,6 @@ static child_cfg_t* select_child_cfg(private_peer_cfg_t *this,
 	return found;
 }
 
-/**
- * Implementation of peer_cfg_t.get_my_id
- */
-static identification_t *get_my_id(private_peer_cfg_t *this)
-{
-	return this->my_id;
-}
-
-/**
- * Implementation of peer_cfg_t.get_other_id
- */
-static identification_t *get_other_id(private_peer_cfg_t *this)
-{
-	return this->other_id;
-}
-
 /**
  * Implementation of peer_cfg_t.get_cert_policy.
  */
@@ -397,13 +403,34 @@ static char* get_pool(private_peer_cfg_t *this)
 {
 	return this->pool;
 }
-	
+
+/**
+ * Implementation of peer_cfg_t.add_auth_cfg
+ */
+static void add_auth_cfg(private_peer_cfg_t *this,
+						 auth_cfg_t *cfg, bool local)
+{
+	if (local)
+	{
+		this->local_auth->insert_last(this->local_auth, cfg);
+	}
+	else
+	{
+		this->remote_auth->insert_last(this->remote_auth, cfg);
+	}
+}
+
 /**
- * Implementation of peer_cfg_t.get_auth.
+ * Implementation of peer_cfg_t.create_auth_cfg_enumerator
  */
-static auth_info_t* get_auth(private_peer_cfg_t *this)
+static enumerator_t* create_auth_cfg_enumerator(private_peer_cfg_t *this,
+												 bool local)
 {
-	return this->auth;
+	if (local)
+	{
+		return this->local_auth->create_enumerator(this->local_auth);
+	}
+	return this->remote_auth->create_enumerator(this->remote_auth);
 }
 
 #ifdef ME
@@ -432,6 +459,60 @@ static identification_t* get_peer_id(private_peer_cfg_t *this)
 }
 #endif /* ME */
 
+/**
+ * check auth configs for equality
+ */
+static bool auth_cfg_equal(private_peer_cfg_t *this, private_peer_cfg_t *other)
+{
+	enumerator_t *e1, *e2;
+	auth_cfg_t *cfg1, *cfg2;
+	bool equal = TRUE;
+	
+	if (this->local_auth->get_count(this->local_auth) !=
+		other->local_auth->get_count(other->local_auth))
+	{
+		return FALSE;
+	}
+	if (this->remote_auth->get_count(this->remote_auth) !=
+		other->remote_auth->get_count(other->remote_auth))
+	{
+		return FALSE;
+	}
+	
+	e1 = this->local_auth->create_enumerator(this->local_auth);
+	e2 = other->local_auth->create_enumerator(other->local_auth);
+	while (e1->enumerate(e1, &cfg1) && e2->enumerate(e2, &cfg2))
+	{
+		if (!cfg1->equals(cfg1, cfg2))
+		{
+			equal = FALSE;
+			break;
+		}
+	}
+	e1->destroy(e1);
+	e2->destroy(e2);
+	
+	if (!equal)
+	{
+		return FALSE;
+	}
+	
+	e1 = this->remote_auth->create_enumerator(this->remote_auth);
+	e2 = other->remote_auth->create_enumerator(other->remote_auth);
+	while (e1->enumerate(e1, &cfg1) && e2->enumerate(e2, &cfg2))
+	{
+		if (!cfg1->equals(cfg1, cfg2))
+		{
+			equal = FALSE;
+			break;
+		}
+	}
+	e1->destroy(e1);
+	e2->destroy(e2);
+	
+	return equal;
+}
+
 /**
  * Implementation of peer_cfg_t.equals.
  */
@@ -448,8 +529,6 @@ static bool equals(private_peer_cfg_t *this, private_peer_cfg_t *other)
 	
 	return (
 		this->ike_version == other->ike_version &&
-		this->my_id->equals(this->my_id, other->my_id) &&
-		this->other_id->equals(this->other_id, other->other_id) &&
 		this->cert_policy == other->cert_policy &&
 		this->unique == other->unique &&
 		this->keyingtries == other->keyingtries &&
@@ -464,7 +543,7 @@ static bool equals(private_peer_cfg_t *this, private_peer_cfg_t *other)
 		  this->virtual_ip->equals(this->virtual_ip, other->virtual_ip))) &&
 		(this->pool == other->pool || 
 		 (this->pool && other->pool && streq(this->pool, other->pool))) &&
-		this->auth->equals(this->auth, other->auth) 
+		auth_cfg_equal(this, other)
 #ifdef ME
 		&& this->mediation == other->mediation &&
 		this->mediated_by == other->mediated_by &&
@@ -492,11 +571,13 @@ static void destroy(private_peer_cfg_t *this)
 	if (ref_put(&this->refcount))
 	{
 		this->ike_cfg->destroy(this->ike_cfg);
-		this->child_cfgs->destroy_offset(this->child_cfgs, offsetof(child_cfg_t, destroy));
-		this->my_id->destroy(this->my_id);
-		this->other_id->destroy(this->other_id);
+		this->child_cfgs->destroy_offset(this->child_cfgs,
+										offsetof(child_cfg_t, destroy));
 		DESTROY_IF(this->virtual_ip);
-		this->auth->destroy(this->auth);
+		this->local_auth->destroy_offset(this->local_auth,
+										offsetof(auth_cfg_t, destroy));
+		this->remote_auth->destroy_offset(this->remote_auth,
+										offsetof(auth_cfg_t, destroy));
 #ifdef ME
 		DESTROY_IF(this->mediated_by);
 		DESTROY_IF(this->peer_id);
@@ -512,7 +593,6 @@ static void destroy(private_peer_cfg_t *this)
  * Described in header-file
  */
 peer_cfg_t *peer_cfg_create(char *name, u_int ike_version, ike_cfg_t *ike_cfg,
-							identification_t *my_id, identification_t *other_id,
 							cert_policy_t cert_policy, unique_policy_t unique,
 							u_int32_t keyingtries, u_int32_t rekey_time,
 							u_int32_t reauth_time, u_int32_t jitter_time,
@@ -531,8 +611,6 @@ peer_cfg_t *peer_cfg_create(char *name, u_int ike_version, ike_cfg_t *ike_cfg,
 	this->public.remove_child_cfg = (void(*)(peer_cfg_t*, enumerator_t*))remove_child_cfg;
 	this->public.create_child_cfg_enumerator = (enumerator_t* (*) (peer_cfg_t *))create_child_cfg_enumerator;
 	this->public.select_child_cfg = (child_cfg_t* (*) (peer_cfg_t *,linked_list_t*,linked_list_t*,host_t*,host_t*))select_child_cfg;
-	this->public.get_my_id = (identification_t* (*)(peer_cfg_t*))get_my_id;
-	this->public.get_other_id = (identification_t* (*)(peer_cfg_t *))get_other_id;
 	this->public.get_cert_policy = (cert_policy_t (*) (peer_cfg_t *))get_cert_policy;
 	this->public.get_unique_policy = (unique_policy_t (*) (peer_cfg_t *))get_unique_policy;
 	this->public.get_keyingtries = (u_int32_t (*) (peer_cfg_t *))get_keyingtries;
@@ -543,7 +621,8 @@ peer_cfg_t *peer_cfg_create(char *name, u_int ike_version, ike_cfg_t *ike_cfg,
 	this->public.get_dpd = (u_int32_t (*) (peer_cfg_t *))get_dpd;
 	this->public.get_virtual_ip = (host_t* (*) (peer_cfg_t *))get_virtual_ip;
 	this->public.get_pool = (char*(*)(peer_cfg_t*))get_pool;
-	this->public.get_auth = (auth_info_t*(*)(peer_cfg_t*))get_auth;
+	this->public.add_auth_cfg = (void(*)(peer_cfg_t*, auth_cfg_t *cfg, bool local))add_auth_cfg;
+	this->public.create_auth_cfg_enumerator = (enumerator_t*(*)(peer_cfg_t*, bool local))create_auth_cfg_enumerator;
 	this->public.equals = (bool(*)(peer_cfg_t*, peer_cfg_t *other))equals;
 	this->public.get_ref = (peer_cfg_t*(*)(peer_cfg_t *))get_ref;
 	this->public.destroy = (void(*)(peer_cfg_t *))destroy;
@@ -559,8 +638,6 @@ peer_cfg_t *peer_cfg_create(char *name, u_int ike_version, ike_cfg_t *ike_cfg,
 	this->ike_cfg = ike_cfg;
 	this->child_cfgs = linked_list_create();
 	this->mutex = mutex_create(MUTEX_DEFAULT);
-	this->my_id = my_id;
-	this->other_id = other_id;
 	this->cert_policy = cert_policy;
 	this->unique = unique;
 	this->keyingtries = keyingtries;
@@ -580,7 +657,8 @@ peer_cfg_t *peer_cfg_create(char *name, u_int ike_version, ike_cfg_t *ike_cfg,
 	this->dpd = dpd;
 	this->virtual_ip = virtual_ip;
 	this->pool = pool ? strdup(pool) : NULL;
-	this->auth = auth_info_create();
+	this->local_auth = linked_list_create();
+	this->remote_auth = linked_list_create();
 	this->refcount = 1;
 #ifdef ME
 	this->mediation = mediation;
diff --git a/src/charon/config/peer_cfg.h b/src/charon/config/peer_cfg.h
index 93bc7d495..3c095eff0 100644
--- a/src/charon/config/peer_cfg.h
+++ b/src/charon/config/peer_cfg.h
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2007-2008 Tobias Brunner
- * Copyright (C) 2005-2007 Martin Willi
+ * Copyright (C) 2005-2009 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
  *
@@ -13,8 +13,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: peer_cfg.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -38,7 +36,7 @@ typedef struct peer_cfg_t peer_cfg_t;
 #include <config/child_cfg.h>
 #include <sa/authenticators/authenticator.h>
 #include <sa/authenticators/eap/eap_method.h>
-#include <credentials/auth_info.h>
+#include <config/auth_cfg.h>
 
 /**
  * Certificate sending policy. This is also used for certificate
@@ -87,27 +85,33 @@ extern enum_name_t *unique_policy_names;
  * exactly one ike_cfg_t, which is use for initiation. Additionally, it contains
  * multiple child_cfg_t defining which CHILD_SAs are allowed for this peer.
  * @verbatim
-
-                           +-------------------+           +---------------+
-   +---------------+       |     peer_cfg      |         +---------------+ |
-   |    ike_cfg    |       +-------------------+         |   child_cfg   | |
-   +---------------+       | - ids             |         +---------------+ |
-   | - hosts       | 1   1 | - cas             | 1     n | - proposals   | |
-   | - proposals   |<------| - auth info       |-------->| - traffic sel | |
-   | - ...         |       | - dpd config      |         | - ...         |-+
-   +---------------+       | - ...             |         +---------------+
-                           +-------------------+
-                                     ^
-                                     |
-                           +-------------------+
-                           |     auth_info     |
-                           +-------------------+
-                           |     auth_items    |
-                           +-------------------+
+                          +-------------------+        +---------------+
+   +---------------+      |     peer_cfg      |      +---------------+ |
+   |    ike_cfg    |      +-------------------+      |   child_cfg   | |
+   +---------------+      | - ids             |      +---------------+ |
+   | - hosts       | 1  1 | - cas             | 1  n | - proposals   | |
+   | - proposals   |<-----| - auth info       |----->| - traffic sel | |
+   | - ...         |      | - dpd config      |      | - ...         |-+
+   +---------------+      | - ...             |      +---------------+
+                          +-------------------+
+                             | 1         0 |
+                             |             |
+                             v n         n V
+             +-------------------+     +-------------------+
+           +-------------------+ |   +-------------------+ |
+           |     auth_cfg      | |   |     auth_cfg      | |
+           +-------------------+ |   +-------------------+ |
+           | - local rules     |-+   | - remote constr.  |-+
+           +-------------------+     +-------------------+
    @endverbatim
- * The auth_info_t object associated to the peer_cfg holds additional
- * authorization constraints. A peer who wants to use a config needs to fullfil
- * the requirements defined in auth_info.
+ *
+ * Each peer_cfg has two lists of authentication config attached. Local
+ * authentication configs define how to authenticate ourself against the remote
+ * peer. Each config is enforced using the multiple authentication extension
+ * (RFC4739). 
+ * The remote authentication configs are handled as constraints. The peer has
+ * to fullfill each of these rules (using multiple authentication, in any order)
+ * to gain access to the configuration.
  */
 struct peer_cfg_t {
 	
@@ -169,25 +173,20 @@ struct peer_cfg_t {
 									  host_t *other_host);
 	
 	/**
-	 * Get the authentication constraint items.
+	 * Add an authentication config to the peer configuration.
 	 *
-	 * @return				auth_info object to manipulate requirements
-	 */
-	auth_info_t* (*get_auth)(peer_cfg_t *this);
-		
-	/**
-	 * Get own ID.
-	 * 
-	 * @return				own id
+	 * @param config		config to add
+	 * @param local			TRUE for local rules, FALSE for remote constraints
 	 */
-	identification_t* (*get_my_id)(peer_cfg_t *this);
+	void (*add_auth_cfg)(peer_cfg_t *this, auth_cfg_t *cfg, bool local);
 	
 	/**
-	 * Get peers ID.
-	 * 
-	 * @return				other id
+	 * Create an enumerator over registered authentication configs.
+	 *
+	 * @param local			TRUE for local rules, FALSE for remote constraints
+	 * @return				enumerator over auth_cfg_t*
 	 */
-	identification_t* (*get_other_id)(peer_cfg_t *this);
+	enumerator_t* (*create_auth_cfg_enumerator)(peer_cfg_t *this, bool local);
 
 	/**
 	 * Should be sent a certificate for this connection?
@@ -331,8 +330,6 @@ struct peer_cfg_t {
  * @param name				name of the peer_cfg
  * @param ike_version		which IKE version we sould use for this peer
  * @param ike_cfg			IKE config to use when acting as initiator
- * @param my_id 			identification_t for ourselves
- * @param other_id 			identification_t for the remote guy
  * @param cert_policy		should we send a certificate payload?
  * @param unique			uniqueness of an IKE_SA
  * @param keyingtries		how many keying tries should be done before giving up
@@ -350,7 +347,6 @@ struct peer_cfg_t {
  * @return 					peer_cfg_t object
  */
 peer_cfg_t *peer_cfg_create(char *name, u_int ike_version, ike_cfg_t *ike_cfg,
-							identification_t *my_id, identification_t *other_id,
 							cert_policy_t cert_policy, unique_policy_t unique,
 							u_int32_t keyingtries, u_int32_t rekey_time,
 							u_int32_t reauth_time, u_int32_t jitter_time,
diff --git a/src/charon/config/proposal.c b/src/charon/config/proposal.c
index 92ef34b75..e2dfcca4f 100644
--- a/src/charon/config/proposal.c
+++ b/src/charon/config/proposal.c
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: proposal.c 4936 2009-03-12 18:07:32Z tobias $
  */
 
 #include <string.h>
@@ -24,10 +22,11 @@
 #include <utils/linked_list.h>
 #include <utils/identification.h>
 #include <utils/lexparser.h>
+#include <crypto/transform.h>
 #include <crypto/prfs/prf.h>
 #include <crypto/crypters/crypter.h>
 #include <crypto/signers/signer.h>
-
+#include <crypto/proposal/proposal_keywords.h>
 
 ENUM(protocol_id_names, PROTO_NONE, PROTO_ESP,
 	"PROTO_NONE",
@@ -36,16 +35,6 @@ ENUM(protocol_id_names, PROTO_NONE, PROTO_ESP,
 	"ESP",
 );
 
-ENUM_BEGIN(transform_type_names, UNDEFINED_TRANSFORM_TYPE, UNDEFINED_TRANSFORM_TYPE, 
-	"UNDEFINED_TRANSFORM_TYPE");
-ENUM_NEXT(transform_type_names, ENCRYPTION_ALGORITHM, EXTENDED_SEQUENCE_NUMBERS, UNDEFINED_TRANSFORM_TYPE,
-	"ENCRYPTION_ALGORITHM",
-	"PSEUDO_RANDOM_FUNCTION",
-	"INTEGRITY_ALGORITHM",
-	"DIFFIE_HELLMAN_GROUP",
-	"EXTENDED_SEQUENCE_NUMBERS");
-ENUM_END(transform_type_names, EXTENDED_SEQUENCE_NUMBERS);
-
 ENUM(extended_sequence_numbers_names, NO_EXT_SEQ_NUMBERS, EXT_SEQ_NUMBERS,
 	"NO_EXT_SEQ",
 	"EXT_SEQ",
@@ -585,227 +574,57 @@ static void check_proposal(private_proposal_t *this)
 
 /**
  * add a algorithm identified by a string to the proposal.
- * TODO: we could use gperf here.
  */
 static status_t add_string_algo(private_proposal_t *this, chunk_t alg)
 {
-	if (strncmp(alg.ptr, "null", alg.len) == 0)
-	{
-		add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_NULL, 0);
-	}
-	else if (strncmp(alg.ptr, "aes128", alg.len) == 0)
-	{
-		add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 128);
-	}
-	else if (strncmp(alg.ptr, "aes192", alg.len) == 0)
-	{
-		add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 192);
-	}
-	else if (strncmp(alg.ptr, "aes256", alg.len) == 0)
+	const proposal_token_t *token = proposal_get_token(alg.ptr, alg.len);
+
+	if (token == NULL)
 	{
-		add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 256);
+		return FAILED;
 	}
-	else if (strstr(alg.ptr, "ccm"))
-	{
-		u_int16_t key_size, icv_size;
 
-		if (sscanf(alg.ptr, "aes%huccm%hu", &key_size, &icv_size) == 2)
-		{
-			if (key_size == 128 || key_size == 192 || key_size == 256)
-			{
-				switch (icv_size)
-				{
-					case   8: /* octets */
-					case  64: /* bits */
-						add_algorithm(this, ENCRYPTION_ALGORITHM,
-									  ENCR_AES_CCM_ICV8, key_size);
-						break;
-					case  12: /* octets */
-					case  96: /* bits */
-						add_algorithm(this, ENCRYPTION_ALGORITHM,
-									  ENCR_AES_CCM_ICV12, key_size);
-						break;
-					case  16: /* octets */
-					case 128: /* bits */
-						add_algorithm(this, ENCRYPTION_ALGORITHM,
-									  ENCR_AES_CCM_ICV16, key_size);
-						break;
-					default:
-						/* invalid ICV size */
-						break;
-				}
-			}
-		}
-	}
-	else if (strstr(alg.ptr, "gcm"))
-	{
-		u_int16_t key_size, icv_size;
+	add_algorithm(this, token->type, token->algorithm, token->keysize);
 
-		if (sscanf(alg.ptr, "aes%hugcm%hu", &key_size, &icv_size) == 2)
-		{
-			if (key_size == 128 || key_size == 192 || key_size == 256)
-			{
-				switch (icv_size)
-				{
-					case   8: /* octets */
-					case  64: /* bits */
-						add_algorithm(this, ENCRYPTION_ALGORITHM,
-									  ENCR_AES_GCM_ICV8, key_size);
-						break;
-					case  12: /* octets */
-					case  96: /* bits */
-						add_algorithm(this, ENCRYPTION_ALGORITHM,
-									  ENCR_AES_GCM_ICV12, key_size);
-						break;
-					case  16: /* octets */
-					case 128: /* bits */
-						add_algorithm(this, ENCRYPTION_ALGORITHM,
-									  ENCR_AES_GCM_ICV16, key_size);
-						break;
-					default:
-						/* invalid ICV size */
-						break;
-				}
-			}
-		}
-	}
-	else if (strncmp(alg.ptr, "3des", alg.len) == 0)
+	if (this->protocol == PROTO_IKE && token->type == INTEGRITY_ALGORITHM)
 	{
-		add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_3DES, 0);
-	}
-	/* blowfish only uses some predefined key sizes yet */
-	else if (strncmp(alg.ptr, "blowfish128", alg.len) == 0)
-	{
-		add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 128);
-	}
-	else if (strncmp(alg.ptr, "blowfish192", alg.len) == 0)
-	{
-		add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 192);
-	}
-	else if (strncmp(alg.ptr, "blowfish256", alg.len) == 0)
-	{
-		add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 256);
-	}
-	else if (strncmp(alg.ptr, "sha", alg.len) == 0 ||
-			 strncmp(alg.ptr, "sha1", alg.len) == 0)
-	{
-		/* sha means we use SHA for both, PRF and AUTH */
-		add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0);
-		if (this->protocol == PROTO_IKE)
-		{
-			add_algorithm(this, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA1, 0);
-		}
-	}  
-	else if (strncmp(alg.ptr, "sha256", alg.len) == 0 ||
-			 strncmp(alg.ptr, "sha2_256", alg.len) == 0)
-	{
-		add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_128, 0);
-		if (this->protocol == PROTO_IKE)
-		{
-			add_algorithm(this, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_256, 0);
-		}
-	}
-	else if (strncmp(alg.ptr, "sha384", alg.len) == 0 ||
-			 strncmp(alg.ptr, "sha2_384", alg.len) == 0)
-	{
-		add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_384_192, 0);
-		if (this->protocol == PROTO_IKE)
-		{
-			add_algorithm(this, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_384, 0);
-		}
-	}
-	else if (strncmp(alg.ptr, "sha512", alg.len) == 0 ||
-			 strncmp(alg.ptr, "sha2_512", alg.len) == 0)
-	{
-		add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_512_256, 0);
-		if (this->protocol == PROTO_IKE)
-		{
-			add_algorithm(this, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_512, 0);
-		}
-	}
-	else if (strncmp(alg.ptr, "md5", alg.len) == 0)
-	{
-		add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 0);
-		if (this->protocol == PROTO_IKE)
+		pseudo_random_function_t prf;
+
+		switch (token->algorithm)
 		{
-			add_algorithm(this, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_MD5, 0);
+			case AUTH_HMAC_SHA1_96:
+				prf = PRF_HMAC_SHA1;
+				break;
+			case AUTH_HMAC_SHA2_256_128:
+				prf = PRF_HMAC_SHA2_256;
+				break;
+			case AUTH_HMAC_SHA2_384_192:
+				prf = PRF_HMAC_SHA2_384;
+				break;
+			case AUTH_HMAC_SHA2_512_256:
+				prf = PRF_HMAC_SHA2_512;
+				break;
+			case AUTH_HMAC_MD5_96:
+				prf = PRF_HMAC_MD5;
+				break;
+			case AUTH_AES_XCBC_96:
+				prf = PRF_AES128_XCBC;
+				break;
+			default: 
+				prf = PRF_UNDEFINED;
 		}
-	}
-	else if (strncmp(alg.ptr, "aesxcbc", alg.len) == 0)
-	{
-		add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_AES_XCBC_96, 0);
-		if (this->protocol == PROTO_IKE)
+		if (prf != PRF_UNDEFINED)
 		{
-			add_algorithm(this, PSEUDO_RANDOM_FUNCTION, PRF_AES128_XCBC, 0);
+			add_algorithm(this, PSEUDO_RANDOM_FUNCTION, prf, 0);
 		}
 	}
-	else if (strncmp(alg.ptr, "modpnull", alg.len) == 0)
-	{
-		add_algorithm(this, DIFFIE_HELLMAN_GROUP, MODP_NULL, 0);
-	}
-	else if (strncmp(alg.ptr, "modp768", alg.len) == 0)
-	{
-		add_algorithm(this, DIFFIE_HELLMAN_GROUP, MODP_768_BIT, 0);
-	}
-	else if (strncmp(alg.ptr, "modp1024", alg.len) == 0)
-	{
-		add_algorithm(this, DIFFIE_HELLMAN_GROUP, MODP_1024_BIT, 0);
-	}
-	else if (strncmp(alg.ptr, "modp1536", alg.len) == 0)
-	{
-		add_algorithm(this, DIFFIE_HELLMAN_GROUP, MODP_1536_BIT, 0);
-	}
-	else if (strncmp(alg.ptr, "modp2048", alg.len) == 0)
-	{
-		add_algorithm(this, DIFFIE_HELLMAN_GROUP, MODP_2048_BIT, 0);
-	}
-	else if (strncmp(alg.ptr, "modp3072", alg.len) == 0)
-	{
-		add_algorithm(this, DIFFIE_HELLMAN_GROUP, MODP_3072_BIT, 0);
-	}
-	else if (strncmp(alg.ptr, "modp4096", alg.len) == 0)
-	{
-		add_algorithm(this, DIFFIE_HELLMAN_GROUP, MODP_4096_BIT, 0);
-	}
-	else if (strncmp(alg.ptr, "modp6144", alg.len) == 0)
-	{
-		add_algorithm(this, DIFFIE_HELLMAN_GROUP, MODP_6144_BIT, 0);
-	}
-	else if (strncmp(alg.ptr, "modp8192", alg.len) == 0)
-	{
-		add_algorithm(this, DIFFIE_HELLMAN_GROUP, MODP_8192_BIT, 0);
-	}
-	else if (strncmp(alg.ptr, "ecp192", alg.len) == 0)
-	{
-		add_algorithm(this, DIFFIE_HELLMAN_GROUP, ECP_192_BIT, 0);
-	}
-	else if (strncmp(alg.ptr, "ecp224", alg.len) == 0)
-	{
-		add_algorithm(this, DIFFIE_HELLMAN_GROUP, ECP_224_BIT, 0);
-	}
-	else if (strncmp(alg.ptr, "ecp256", alg.len) == 0)
-	{
-		add_algorithm(this, DIFFIE_HELLMAN_GROUP, ECP_256_BIT, 0);
-	}
-	else if (strncmp(alg.ptr, "ecp384", alg.len) == 0)
-	{
-		add_algorithm(this, DIFFIE_HELLMAN_GROUP, ECP_384_BIT, 0);
-	}
-	else if (strncmp(alg.ptr, "ecp521", alg.len) == 0)
-	{
-		add_algorithm(this, DIFFIE_HELLMAN_GROUP, ECP_521_BIT, 0);
-	}
-	else
-	{
-		return FAILED;
-	}
 	return SUCCESS;
 }
 
 /**
  * print all algorithms of a kind to buffer
  */
-static int print_alg(private_proposal_t *this, char **dst, int *len,
+static int print_alg(private_proposal_t *this, char **dst, size_t *len,
 					 u_int kind, void *names, bool *first)
 {
 	enumerator_t *enumerator;
@@ -826,7 +645,7 @@ static int print_alg(private_proposal_t *this, char **dst, int *len,
 		}
 		if (size)
 		{
-			written += print_in_hook(*dst, *len, "-%d", size);
+			written += print_in_hook(*dst, *len, "_%u", size);
 		}
 	}
 	enumerator->destroy(enumerator);
diff --git a/src/charon/config/proposal.h b/src/charon/config/proposal.h
index 6096158e6..bc7a8c5e7 100644
--- a/src/charon/config/proposal.h
+++ b/src/charon/config/proposal.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: proposal.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -24,7 +22,6 @@
 #define PROPOSAL_H_
 
 typedef enum protocol_id_t protocol_id_t;
-typedef enum transform_type_t transform_type_t;
 typedef enum extended_sequence_numbers_t extended_sequence_numbers_t;
 typedef struct proposal_t proposal_t;
 
@@ -32,6 +29,7 @@ typedef struct proposal_t proposal_t;
 #include <utils/identification.h>
 #include <utils/linked_list.h>
 #include <utils/host.h>
+#include <crypto/transform.h>
 #include <crypto/crypters/crypter.h>
 #include <crypto/signers/signer.h>
 #include <crypto/diffie_hellman.h>
@@ -52,25 +50,6 @@ enum protocol_id_t {
  */
 extern enum_name_t *protocol_id_names;
 
-
-/**
- * Type of a transform, as in IKEv2 RFC 3.3.2.
- */
-enum transform_type_t {
-	UNDEFINED_TRANSFORM_TYPE = 241,
-	ENCRYPTION_ALGORITHM = 1,
-	PSEUDO_RANDOM_FUNCTION = 2,
-	INTEGRITY_ALGORITHM = 3,
-	DIFFIE_HELLMAN_GROUP = 4,
-	EXTENDED_SEQUENCE_NUMBERS = 5
-};
-
-/**
- * enum names for transform_type_t.
- */
-extern enum_name_t *transform_type_names;
-
-
 /**
  * Extended sequence numbers, as in IKEv2 RFC 3.3.2.
  */
diff --git a/src/charon/config/traffic_selector.c b/src/charon/config/traffic_selector.c
index b3bab900d..a8ea10008 100644
--- a/src/charon/config/traffic_selector.c
+++ b/src/charon/config/traffic_selector.c
@@ -13,8 +13,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: traffic_selector.c 4936 2009-03-12 18:07:32Z tobias $
  */
 
 #include <arpa/inet.h>
diff --git a/src/charon/config/traffic_selector.h b/src/charon/config/traffic_selector.h
index 2721f8993..a57da43a8 100644
--- a/src/charon/config/traffic_selector.h
+++ b/src/charon/config/traffic_selector.h
@@ -13,8 +13,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: traffic_selector.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/charon/control/controller.c b/src/charon/control/controller.c
index 989167a53..021cb4fdd 100644
--- a/src/charon/control/controller.c
+++ b/src/charon/control/controller.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: controller.c 4704 2008-11-26 14:32:55Z martin $
  */
 
 #include "controller.h"
@@ -172,15 +170,12 @@ static bool listener_child_state(interface_listener_t *this, ike_sa_t *ike_sa,
 	{
 		switch (state)
 		{
-			case CHILD_ROUTED:
 			case CHILD_INSTALLED:
 				this->status = SUCCESS;
 				return FALSE;
 			case CHILD_DESTROYING:
 				switch (child_sa->get_state(child_sa))
 				{
-					case CHILD_ROUTED:
-						/* has been unrouted */
 					case CHILD_DELETING:
 						/* proper delete */
 						this->status = SUCCESS;
@@ -235,7 +230,7 @@ static status_t initiate_execute(interface_job_t *job)
 	}
 	peer_cfg->destroy(peer_cfg);
 	
-	if (ike_sa->initiate(ike_sa, listener->child_cfg) == SUCCESS)
+	if (ike_sa->initiate(ike_sa, listener->child_cfg, 0, NULL, NULL) == SUCCESS)
 	{
 		charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
 		return SUCCESS;
@@ -425,125 +420,6 @@ static status_t terminate_child(controller_t *this, u_int32_t reqid,
 	return job.listener.status;
 }
 
-/**
- * execute function for route
- */
-static status_t route_execute(interface_job_t *job)
-{
-	interface_listener_t *listener = &job->listener;
-	ike_sa_t *ike_sa = listener->ike_sa;
-	
-	charon->bus->set_sa(charon->bus, ike_sa);
-	if (ike_sa->route(ike_sa, listener->child_cfg) != DESTROY_ME)
-	{
-		charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
-		return SUCCESS;
-	}
-	charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, ike_sa);
-	return FAILED;
-}
-
-/**
- * Implementation of controller_t.route.
- */
-static status_t route(controller_t *this,
-					  peer_cfg_t *peer_cfg, child_cfg_t *child_cfg,
-					  controller_cb_t callback, void *param)
-{
-	ike_sa_t *ike_sa;
-	interface_job_t job = {
-		.listener = {
-			.public = {
-				.log = (void*)listener_log,
-				.ike_state_change = (void*)listener_ike_state,
-				.child_state_change = (void*)listener_child_state,
-			},
-			.callback = callback,
-			.param = param,
-			.status = FAILED,
-			.peer_cfg = peer_cfg,
-			.child_cfg = child_cfg,
-		},
-		.public = {
-			.execute = (void*)route_execute,
-			.destroy = (void*)recheckin,
-		},
-	};
-	
-	ike_sa = charon->ike_sa_manager->checkout_by_config(charon->ike_sa_manager,
-														peer_cfg);
-	if (ike_sa->get_peer_cfg(ike_sa) == NULL)
-	{
-		ike_sa->set_peer_cfg(ike_sa, peer_cfg);
-	}
-	job.listener.ike_sa = ike_sa;
-	if (callback == NULL)
-	{
-		return route_execute(&job);
-	}
-	charon->bus->listen(charon->bus, &job.listener.public, (job_t*)&job);
-	return job.listener.status;
-}
-
-/**
- * execute function for unroute
- */
-static status_t unroute_execute(interface_job_t *job)
-{
-	interface_listener_t *listener = &job->listener;
-	ike_sa_t *ike_sa = listener->ike_sa;
-	
-	if (ike_sa->unroute(ike_sa, listener->id) != DESTROY_ME)
-	{
-		charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
-		return SUCCESS;
-	}
-	charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, ike_sa);
-	return SUCCESS;
-}
-
-/**
- * Implementation of controller_t.unroute.
- */
-static status_t unroute(controller_t *this, u_int32_t reqid, 
-						controller_cb_t callback, void *param)
-{
-	ike_sa_t *ike_sa;
-	interface_job_t job = {
-		.listener = {
-			.public = {
-				.log = (void*)listener_log,
-				.ike_state_change = (void*)listener_ike_state,
-				.child_state_change = (void*)listener_child_state,
-			},
-			.callback = callback,
-			.param = param,
-			.status = FAILED,
-			.id = reqid,
-		},
-		.public = {
-			.execute = (void*)unroute_execute,
-			.destroy = (void*)recheckin,
-		},
-	};
-	
-	ike_sa = charon->ike_sa_manager->checkout_by_id(charon->ike_sa_manager,
-													reqid, TRUE);
-	if (ike_sa == NULL)
-	{
-		DBG1(DBG_IKE, "unable to unroute, CHILD_SA with ID %d not found", reqid);
-		return NOT_FOUND;
-	}
-	job.listener.ike_sa = ike_sa;
-
-	if (callback == NULL)
-	{
-		return unroute_execute(&job);
-	}
-	charon->bus->listen(charon->bus, &job.listener.public, (job_t*)&job);	
-	return job.listener.status;
-}
-
 /**
  * See header
  */
@@ -572,8 +448,6 @@ controller_t *controller_create(void)
 	this->public.initiate = (status_t(*)(controller_t*,peer_cfg_t*,child_cfg_t*,controller_cb_t,void*))initiate;
 	this->public.terminate_ike = (status_t(*)(controller_t*,u_int32_t,controller_cb_t, void*))terminate_ike;
 	this->public.terminate_child = (status_t(*)(controller_t*,u_int32_t,controller_cb_t, void *param))terminate_child;
-	this->public.route = (status_t(*)(controller_t*,peer_cfg_t*, child_cfg_t*,controller_cb_t,void*))route;
-	this->public.unroute = (status_t(*)(controller_t*,u_int32_t,controller_cb_t,void*))unroute;
 	this->public.destroy = (void (*)(controller_t*))destroy;
 	
 	return &this->public;
diff --git a/src/charon/control/controller.h b/src/charon/control/controller.h
index b2eaf480b..3c928d2ea 100644
--- a/src/charon/control/controller.h
+++ b/src/charon/control/controller.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: controller.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -125,38 +123,6 @@ struct controller_t {
 	status_t (*terminate_child)(controller_t *this, u_int32_t reqid, 
 								controller_cb_t callback, void *param);
 	
-	/**
-	 * Route a CHILD_SA (install triggering policies).
-	 *
-	 * @param peer_cfg		peer_cfg to use for IKE_SA setup, if triggered
-	 * @param child_cfg		child_cfg to route
-	 * @param cb			logging callback
-	 * @param param			parameter to include in each call of cb
-	 * @return
-	 *						- SUCCESS, if CHILD_SA routed
-	 *						- FAILED, if routing failed
-	 *						- NEED_MORE, if callback returned FALSE
-	 */
-	status_t (*route)(controller_t *this,
-					  peer_cfg_t *peer_cfg, child_cfg_t *child_cfg,
-					  controller_cb_t callback, void *param);
-	
-	/**
-	 * Unroute a routed CHILD_SA (uninstall triggering policies).
-	 *
-	 * Only the route is removed, not the CHILD_SAs the route triggered.
-	 *
-	 * @param reqid			reqid of the CHILD_SA to unroute
-	 * @param cb			logging callback
-	 * @param param			parameter to include in each call of cb
-	 * @return
-	 *						- SUCCESS, if CHILD_SA terminated
-	 *						- NOT_FOUND, if no such CHILD_SA routed
-	 *						- NEED_MORE, if callback returned FALSE
-	 */
-	status_t (*unroute)(controller_t *this, u_int32_t reqid, 
-						controller_cb_t callback, void *param);
-	
 	/**
 	 * Destroy a controller_t instance.
 	 */
diff --git a/src/charon/credentials/auth_info.c b/src/charon/credentials/auth_info.c
deleted file mode 100644
index ed725b889..000000000
--- a/src/charon/credentials/auth_info.c
+++ /dev/null
@@ -1,607 +0,0 @@
-/*
- * Copyright (C) 2008 Tobias Brunner
- * Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- *
- * $Id: auth_info.c 4774 2008-12-09 14:34:15Z martin $
- */
-
-
-#include "auth_info.h"
-
-#include <daemon.h>
-#include <utils/linked_list.h>
-#include <utils/identification.h>
-#include <credentials/certificates/certificate.h>
-
-ENUM(auth_item_names, AUTHN_CA_CERT, AUTHZ_AC_GROUP,
-	"AUTHN_AUTH_CLASS",
-	"AUTHN_EAP_TYPE",
-	"AUTHN_EAP_VENDOR",
-	"AUTHN_EAP_IDENTITY",
-	"AUTHN_CA_CERT",
-	"AUTHN_CA_CERT_KEYID",
-	"AUTHN_CA_CERT_NAME",
-	"AUTHN_IM_CERT",
-	"AUTHN_SUBJECT_CERT",
-	"AUTHN_IM_HASH_URL",
-	"AUTHN_SUBJECT_HASH_URL",
-	"AUTHZ_PUBKEY",
-	"AUTHZ_PSK",
-	"AUTHZ_EAP",
-	"AUTHZ_CA_CERT",
-	"AUTHZ_CA_CERT_NAME",
-	"AUTHZ_IM_CERT",
-	"AUTHZ_SUBJECT_CERT",
-	"AUTHZ_CRL_VALIDATION",
-	"AUTHZ_OCSP_VALIDATION",
-	"AUTHZ_AC_GROUP",
-);
-
-typedef struct private_auth_info_t private_auth_info_t;
-
-/**
- * private data of item_set
- */
-struct private_auth_info_t {
-
-	/**
-	 * public functions
-	 */
-	auth_info_t public;
-	
-	/**
-	 * list of item_t's
-	 */
-	linked_list_t *items;
-};
-
-typedef struct item_t item_t;
-
-struct item_t {
-	/** type of this item */
-	auth_item_t type;
-	/** associated privlege value, if any */
-	void *value;
-};
-
-/**
- * enumerator for auth_info_wrapper_t.create_cert_enumerator()
- */
-typedef struct {
-	/** implements enumerator_t */
-	enumerator_t public;
-	/** inner enumerator from linked_list_t */
-	enumerator_t *inner;
-	/** the current item */
-	item_t *item;
-} item_enumerator_t;
-
-/**
- * enumerate function for item_enumerator_t
- */
-static bool enumerate(item_enumerator_t *this, auth_item_t *type, void **value)
-{
-	if (this->inner->enumerate(this->inner, &this->item))
-	{
-		*type = this->item->type;
-		*value = this->item->value;
-		return TRUE;
-	}
-	return FALSE;
-}
-
-/**
- * destroy function for item_enumerator_t
- */
-static void item_enumerator_destroy(item_enumerator_t *this)
-{
-	this->inner->destroy(this->inner);
-	free(this);
-}
-
-/**
- * Implementation of auth_info_t.create_item_enumerator.
- */
-static enumerator_t* create_item_enumerator(private_auth_info_t *this)
-{
-	item_enumerator_t *enumerator;
-	
-	enumerator = malloc_thing(item_enumerator_t);
-	enumerator->item = NULL;
-	enumerator->inner = this->items->create_enumerator(this->items);
-	enumerator->public.enumerate = (void*)enumerate;
-	enumerator->public.destroy = (void*)item_enumerator_destroy;
-	return &enumerator->public;
-}
-
-static void destroy_item_value(item_t *item);
-
-/**
- * Implementation of auth_info_t.replace_item.
- */
-static void replace_item(item_enumerator_t *enumerator, auth_item_t type, void *value)
-{
-	destroy_item_value(enumerator->item);
-	enumerator->item->type = type;
-	enumerator->item->value = value;
-}
-
-/**
- * Implementation of auth_info_t.get_item.
- */
-static bool get_item(private_auth_info_t *this, auth_item_t type, void** value)
-{
-	enumerator_t *enumerator;
-	void *current_value;
-	auth_item_t current_type;
-	bool found = FALSE;
-	
-	enumerator = create_item_enumerator(this);
-	while (enumerator->enumerate(enumerator, &current_type, &current_value))
-	{
-		if (type == current_type)
-		{
-			*value = current_value;
-			found = TRUE;
-			break;
-		}
-	}
-	enumerator->destroy(enumerator);
-	return found;
-}
-
-/**
- * Implementation of auth_info_t.add_item.
- */
-static void add_item(private_auth_info_t *this, auth_item_t type, void *value)
-{
-	item_t *item = malloc_thing(item_t);
-	
-	item->type = type;
-	switch (type)
-	{		
-		case AUTHZ_PUBKEY:
-		{
-			public_key_t *key = (public_key_t*)value;
-
-			item->value = key->get_ref(key);
-			break;
-		}
-		case AUTHZ_PSK:
-		{
-			shared_key_t *key = (shared_key_t*)value;
-
-			item->value = key->get_ref(key);
-			break;
-		}
-		case AUTHN_IM_HASH_URL:
-		case AUTHN_SUBJECT_HASH_URL:
-		{
-			item->value = strdup(value);
-			break;
-		}
-		case AUTHN_CA_CERT:
-		case AUTHN_IM_CERT:
-		case AUTHN_SUBJECT_CERT:
-		case AUTHZ_CA_CERT:
-		case AUTHZ_IM_CERT:
-		case AUTHZ_SUBJECT_CERT:
-		{
-			certificate_t *cert = (certificate_t*)value;
-
-			item->value = cert->get_ref(cert);
-			break;
-		}
-		case AUTHZ_CRL_VALIDATION:
-		case AUTHZ_OCSP_VALIDATION:
-		{
-			cert_validation_t *validation = malloc_thing(cert_validation_t);
-
-			*validation = *(cert_validation_t*)value;
-			item->value = validation;
-			break;
-		}
-		case AUTHN_AUTH_CLASS:
-		case AUTHN_EAP_TYPE:
-		case AUTHN_EAP_VENDOR:
-		case AUTHZ_EAP:
-		{
-			u_int *intval = malloc_thing(u_int);
-
-			*intval = *(u_int*)value;
-			item->value = intval;
-			break;
-		}
-		case AUTHN_EAP_IDENTITY:
-		case AUTHN_CA_CERT_KEYID:
-		case AUTHN_CA_CERT_NAME:
-		case AUTHZ_CA_CERT_NAME:
-		case AUTHZ_AC_GROUP:
-		{
-			identification_t *id = (identification_t*)value;
-
-			item->value = id->clone(id);
-			break;
-		}
-	}
-	this->items->insert_last(this->items, item);
-}
-
-
-/**
- * Implementation of auth_info_t.complies.
- */
-static bool complies(private_auth_info_t *this, auth_info_t *constraints)
-{
-	enumerator_t *enumerator;
-	bool success = TRUE;
-	auth_item_t t1, t2;
-	void *value;
-	
-	enumerator = constraints->create_item_enumerator(constraints);
-	while (enumerator->enumerate(enumerator, &t1, &value))
-	{
-		switch (t1)
-		{
-			case AUTHN_AUTH_CLASS:
-			case AUTHN_EAP_TYPE:
-			case AUTHN_EAP_VENDOR:
-			case AUTHN_EAP_IDENTITY:
-			case AUTHN_CA_CERT_KEYID:
-			case AUTHN_CA_CERT:
-			case AUTHN_CA_CERT_NAME:
-			case AUTHN_IM_CERT:
-			case AUTHN_SUBJECT_CERT:
-			case AUTHN_IM_HASH_URL:
-			case AUTHN_SUBJECT_HASH_URL:
-			{	/* skip non-authorization tokens */
-				continue;
-			}
-			case AUTHZ_CRL_VALIDATION:
-			case AUTHZ_OCSP_VALIDATION:
-			{
-				cert_validation_t *valid;
-			
-				/* OCSP validation is also sufficient for CRL constraint, but
-				 * not vice-versa */
-				if (!get_item(this, t1, (void**)&valid) &&
-					t1 == AUTHZ_CRL_VALIDATION &&
-					!get_item(this, AUTHZ_OCSP_VALIDATION, (void**)&valid))
-				{
-					DBG1(DBG_CFG, "constraint check failed: %N requires at "
-						 "least %N, but no check done", auth_item_names, t1,
-						 cert_validation_names, *(cert_validation_t*)value);
-					success = FALSE;
-					break;
-				}
-				switch (*(cert_validation_t*)value)
-				{
-					case VALIDATION_SKIPPED:
-						if (*valid == VALIDATION_SKIPPED)
-						{
-							break;
-						}	/* FALL */
-					case VALIDATION_GOOD:
-						if (*valid == VALIDATION_GOOD)
-						{
-							break;
-						}	/* FALL */
-					default:
-						DBG1(DBG_CFG, "constraint check failed: %N is %N, but "
-							 "requires at least %N", auth_item_names, t1,
-							 cert_validation_names, *valid,
-							 cert_validation_names, *(cert_validation_t*)value);
-						success = FALSE;
-						break;
-				}
-				break;
-			}
-			case AUTHZ_CA_CERT:
-			{
-				enumerator_t *enumerator;
-				certificate_t *c1, *c2;
-				
-				c1 = (certificate_t*)value;
-				
-				success = FALSE;
-				enumerator = create_item_enumerator(this);
-				while (enumerator->enumerate(enumerator, &t2, &c2))
-				{
-					if ((t2 == AUTHZ_CA_CERT || t2 == AUTHZ_IM_CERT) &&
-						c1->equals(c1, c2))
-					{
-						success = TRUE;
-					}
-				}
-				enumerator->destroy(enumerator);
-				if (!success)
-				{
-					DBG1(DBG_CFG, "constraint check failed: peer not "
-						 "authenticated by CA '%D'.", c1->get_subject(c1));
-				}
-				break;
-			}
-			case AUTHZ_CA_CERT_NAME:
-			{
-				enumerator_t *enumerator;
-				certificate_t *cert;
-				identification_t *id;
-				
-				id = (identification_t*)value;
-				success = FALSE;
-				enumerator = create_item_enumerator(this);
-				while (enumerator->enumerate(enumerator, &t2, &cert))
-				{
-					if ((t2 == AUTHZ_CA_CERT || t2 == AUTHZ_IM_CERT) &&
-						cert->has_subject(cert, id))
-					{
-						success = TRUE;
-					}
-				}
-				enumerator->destroy(enumerator);
-				if (!success)
-				{
-					DBG1(DBG_CFG, "constraint check failed: peer not "
-						 "authenticated by CA '%D'.", id);
-				}
-				break;
-			}
-			case AUTHZ_PUBKEY:
-			case AUTHZ_PSK:
-			case AUTHZ_IM_CERT:
-			case AUTHZ_SUBJECT_CERT:
-			case AUTHZ_EAP:
-			case AUTHZ_AC_GROUP:
-			{
-				DBG1(DBG_CFG, "constraint check %N not implemented!",
-					 auth_item_names, t1);
-				success = FALSE;
-				break;
-			}
-		}
-		if (!success)
-		{
-			break;
-		}
-	}
-	enumerator->destroy(enumerator);
-	return success;
-}
-
-/**
- * Implementation of auth_info_t.merge.
- */
-static void merge(private_auth_info_t *this, private_auth_info_t *other)
-{
-	item_t *item;
-	
-	while (other->items->remove_first(other->items, (void**)&item) == SUCCESS)
-	{
-		this->items->insert_last(this->items, item);
-	}
-}
-
-/**
- * Implementation of auth_info_t.equals.
- */
-static bool equals(private_auth_info_t *this, private_auth_info_t *other)
-{
-	enumerator_t *e1, *e2;
-	item_t *i1, *i2;
-	bool equal = TRUE, found;
-	
-	e1 = this->items->create_enumerator(this->items);
-	while (e1->enumerate(e1, &i1))
-	{
-		found = FALSE;
-		e2 = other->items->create_enumerator(other->items);
-		while (e2->enumerate(e2, &i2))
-		{
-			if (i1->type == i2->type)
-			{
-				switch (i1->type)
-				{
-					case AUTHZ_CRL_VALIDATION:
-					case AUTHZ_OCSP_VALIDATION:
-					{
-						cert_validation_t c1, c2;
-						
-						c1 = *(cert_validation_t*)i1->value;
-						c2 = *(cert_validation_t*)i2->value;
-					
-						if (c1 == c2)
-						{
-							found = TRUE;
-							break;
-						}
-						continue;
-					}
-					case AUTHN_IM_HASH_URL:
-					case AUTHN_SUBJECT_HASH_URL:
-					{
-						if (streq(i1->value, i2->value))
-						{
-							found = TRUE;
-							break;
-						}
-						continue;
-					}
-					case AUTHN_CA_CERT:
-					case AUTHN_IM_CERT:
-					case AUTHN_SUBJECT_CERT:
-					case AUTHZ_CA_CERT:
-					case AUTHZ_IM_CERT:
-					case AUTHZ_SUBJECT_CERT:
-					{
-						certificate_t *c1, *c2;
-						
-						c1 = (certificate_t*)i1->value;
-						c2 = (certificate_t*)i2->value;
-					
-						if (c1->equals(c1, c2))
-						{
-							found = TRUE;
-							break;
-						}
-						continue;
-					}
-					case AUTHN_EAP_IDENTITY:
-					case AUTHN_CA_CERT_KEYID:
-					case AUTHN_CA_CERT_NAME:
-					case AUTHZ_CA_CERT_NAME:
-					{
-						identification_t *c1, *c2;
-						
-						c1 = (identification_t*)i1->value;
-						c2 = (identification_t*)i2->value;
-					
-						if (c1->equals(c1, c2))
-						{
-							found = TRUE;
-							break;
-						}
-						continue;
-					}
-					case AUTHN_AUTH_CLASS:
-					case AUTHN_EAP_TYPE:
-					case AUTHN_EAP_VENDOR:
-					{
-						if (*(u_int*)i1->value == *(u_int*)i2->value)
-						{
-							found = TRUE;
-							break;
-						}
-					}
-					case AUTHZ_PUBKEY:
-					case AUTHZ_PSK:
-					case AUTHZ_EAP:
-					case AUTHZ_AC_GROUP:
-						/* TODO: implement value comparison */
-						break;
-				}
-				break;
-			}
-		}
-		e2->destroy(e2);
-		if (!found)
-		{
-			equal = FALSE;
-			break;
-		}
-	}
-	e1->destroy(e1);
-	return equal;
-}
-
-/**
- * Destroy the value associated with an item
- */
-static void destroy_item_value(item_t *item)
-{
-	switch (item->type)
-	{
-		case AUTHZ_PUBKEY:
-		{
-			public_key_t *key = (public_key_t*)item->value;
-			key->destroy(key);
-			break;
-		}
-		case AUTHZ_PSK:
-		{
-			shared_key_t *key = (shared_key_t*)item->value;
-			key->destroy(key);
-			break;
-		}
-		case AUTHN_CA_CERT:
-		case AUTHN_IM_CERT:
-		case AUTHN_SUBJECT_CERT:
-		case AUTHZ_CA_CERT:
-		case AUTHZ_IM_CERT:
-		case AUTHZ_SUBJECT_CERT:
-		{
-			certificate_t *cert = (certificate_t*)item->value;
-			cert->destroy(cert);
-			break;
-		}
-		case AUTHN_AUTH_CLASS:
-		case AUTHN_EAP_TYPE:
-		case AUTHN_EAP_VENDOR:
-		case AUTHN_IM_HASH_URL:
-		case AUTHN_SUBJECT_HASH_URL:
-		case AUTHZ_CRL_VALIDATION:
-		case AUTHZ_OCSP_VALIDATION:
-		case AUTHZ_EAP:
-		{
-			free(item->value);
-			break;
-		}
-		case AUTHN_EAP_IDENTITY:
-		case AUTHN_CA_CERT_KEYID:
-		case AUTHN_CA_CERT_NAME:
-		case AUTHZ_CA_CERT_NAME:
-		case AUTHZ_AC_GROUP:
-		{
-			identification_t *id = (identification_t*)item->value;
-			id->destroy(id);
-			break;
-		}
-	}
-}
-
-/**
- * Implementation of auth_info_t.purge
- */
-static void purge(private_auth_info_t *this)
-{
-	item_t *item;
-	
-	while (this->items->remove_last(this->items, (void**)&item) == SUCCESS)
-	{
-		destroy_item_value(item);
-		free(item);
-	}
-}
-
-/**
- * Implementation of auth_info_t.destroy
- */
-static void destroy(private_auth_info_t *this)
-{
-	purge(this);
-	this->items->destroy(this->items);
-	free(this);
-}
-
-/*
- * see header file
- */
-auth_info_t *auth_info_create()
-{
-	private_auth_info_t *this = malloc_thing(private_auth_info_t);
-	
-	this->public.add_item = (void(*)(auth_info_t*, auth_item_t type, void *value))add_item;
-	this->public.get_item = (bool(*)(auth_info_t*, auth_item_t type, void **value))get_item;
-	this->public.replace_item = (void(*)(enumerator_t*,auth_item_t,void*))replace_item;
-	this->public.create_item_enumerator = (enumerator_t*(*)(auth_info_t*))create_item_enumerator;
-	this->public.complies = (bool(*)(auth_info_t*, auth_info_t *))complies;
-	this->public.merge = (void(*)(auth_info_t*, auth_info_t *other))merge;
-	this->public.purge = (void(*)(auth_info_t*))purge;
-	this->public.equals = (bool(*)(auth_info_t*, auth_info_t *other))equals;
-	this->public.destroy = (void(*)(auth_info_t*))destroy;
-	
-	this->items = linked_list_create();
-	
-	return &this->public;
-}
-
diff --git a/src/charon/credentials/auth_info.h b/src/charon/credentials/auth_info.h
deleted file mode 100644
index f480a6e08..000000000
--- a/src/charon/credentials/auth_info.h
+++ /dev/null
@@ -1,198 +0,0 @@
-/*
- * Copyright (C) 2008 Tobias Brunner
- * Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup auth_info auth_info
- * @{ @ingroup ccredentials
- */
-
-#ifndef AUTH_INFO_H_
-#define AUTH_INFO_H_
-
-#include <utils/enumerator.h>
-
-typedef struct auth_info_t auth_info_t;
-typedef enum auth_item_t auth_item_t;
-
-/**
- * Authentication/Authorization process helper item.
- *
- * For the authentication process, further information may be needed. These
- * items are defined as auth_item_t and have a AUTHN prefix. 
- * The authentication process returns important data for the authorization 
- * process, these items are defined with a AUTHZ prefix.
- * Authentication uses AUTHN items and creates AUTHZ items during authentication,
- * authorization reads AUTHZ values to give out privileges.
- *
- *                +---+             +---------------------+
- *                | A |             | A                   |
- *                | u |             | u    +-----------+  |
- *                | t |             | t    |  Required |  |
- *                | h |             | h    | auth_info |  |
- *                | e |             | o    +-----------+  |
- *                | n |             | r           |       |
- * +-----------+  | t |             | i           |       |
- * | Provided  |  | i |             | z           V       |
- * | auth_info |--| c |-------------| a  ----> match? ----|------->
- * +-----------+  | a |             | t                   |
- *                | t |             | i                   |
- *                | i |             | o                   |
- *                | o |             | n                   |
- *                | n |             |                     |
- *                +---+             +---------------------+
- */
-enum auth_item_t {
-
-	/*
-	 * items provided to authentication process
-	 */
-	
-	/** authentication class to use, value is auth_class_t* */
-	AUTHN_AUTH_CLASS,
-	/** EAP method to request from peer, value is eap_type_t* */
-	AUTHN_EAP_TYPE,
-	/** EAP vendor to used in conjunction with EAP method, value is u_int32_t* */
-	AUTHN_EAP_VENDOR,
-	/** EAP identity to use within EAP-Identity exchange */
-	AUTHN_EAP_IDENTITY,
-	/** CA certificate to use for authentication, value is certificate_t* */
-	AUTHN_CA_CERT,
-	/** Keyid of a CA certificate to use, value is identification_t* */
-	AUTHN_CA_CERT_KEYID,
-	/** subject DN of a CA certificate to use, value is identification_t* */
-	AUTHN_CA_CERT_NAME,
-	/** intermediate certificate, value is certificate_t* */
-	AUTHN_IM_CERT,
-	/** certificate for trustchain verification, value is certificate_t* */
-	AUTHN_SUBJECT_CERT,
-	/** intermediate certificate supplied as hash and url */
-	AUTHN_IM_HASH_URL,
-	/** end-entity certificate supplied as hash and url */
-	AUTHN_SUBJECT_HASH_URL,
-	
-	/*
-	 * item provided to authorization process
-	 */
-	
-	/** subject has been authenticated by public key, value is public_key_t* */
-	AUTHZ_PUBKEY,
-	/** subject has ben authenticated using preshared secrets, value is shared_key_t* */ 
-	AUTHZ_PSK,
-	/** subject has been authenticated using EAP, value is eap_type_t* */
-	AUTHZ_EAP,
-	/** certificate authority, value is certificate_t* */
-	AUTHZ_CA_CERT,
-	/** subject DN of a certificate authority, value is identification_t* */
-	AUTHZ_CA_CERT_NAME,
-	/** intermediate certificate in trustchain, value is certificate_t* */
-	AUTHZ_IM_CERT,
-	/** subject certificate, value is certificate_t* */
-	AUTHZ_SUBJECT_CERT,
-	/** result of a CRL validation, value is cert_validation_t */
-	AUTHZ_CRL_VALIDATION,
-	/** result of a OCSP validation, value is cert_validation_t */
-	AUTHZ_OCSP_VALIDATION,
-	/** subject is in attribute certificate group, value is identification_t* */
-	AUTHZ_AC_GROUP,
-};
-
-
-/**
- * enum name for auth_item_t.
- */
-extern enum_name_t *auth_item_names;
-
-/**
- * The auth_info class contains auth_item_t's used for AA.
- *
- * A auth_info allows the separation of authentication and authorization. 
- */
-struct auth_info_t {
-
-	/**
-	 * Add an item to the set.
-	 *
-	 * @param type		auth_info type
-	 * @param value		associated value to auth_info type, if any
-	 */
-	void (*add_item)(auth_info_t *this, auth_item_t type, void *value);
-	
-	/**
-	 * Get an item.
-	 *
-	 * @param type		auth_info type to get
-	 * @param value		pointer to a pointer receiving item
-	 * @return			bool if item has been found
-	 */
-	bool (*get_item)(auth_info_t *this, auth_item_t type, void **value);
-	
-	/**
-	 * Replace an item.
-	 * 
-	 * @param type		new auth_info type
-	 * @param value		pointer to the new value
-	 */
-	void (*replace_item)(enumerator_t *this, auth_item_t type, void *value);
-	
-	/**
-	 * Create an enumerator over all items.
-	 *
-	 * @return			enumerator over (auth_item_t type, void *value)
-	 */
-	enumerator_t* (*create_item_enumerator)(auth_info_t *this);
-	
-	/**
-	 * Check if this fulfills a set of required constraints.
-	 *
-	 * @param constraints	required authorization infos
-	 * @return				TRUE if this complies with constraints
-	 */
-	bool (*complies)(auth_info_t *this, auth_info_t *constraints);
-	
-	/**
-	 * Merge items from other into this.
-  	 *
-	 * Items do not get cloned, but moved from other to this.
-	 *
-	 * @param other		items to read for merge
-	 */
-	void (*merge)(auth_info_t *this, auth_info_t *other);
-	
-	/**
-	 * Purge all items in auth_info.
-	 */
-	void (*purge)(auth_info_t *this);
-	
-	/**
-	 * Check two auth_infos for equality.
-	 *
-	 * @param other		other item to compaire against this
-	 * @return			TRUE if auth infos identical
-	 */
-	bool (*equals)(auth_info_t *this, auth_info_t *other);
-	
-	/**
-     * Destroy a auth_info instance with all associated values.
-     */
-    void (*destroy)(auth_info_t *this);
-};
-
-/**
- * Create a auth_info instance.
- */
-auth_info_t *auth_info_create();
-
-#endif /** AUTH_INFO_H_ @}*/
diff --git a/src/charon/credentials/credential_manager.c b/src/charon/credentials/credential_manager.c
index 2841086b2..776dbe599 100644
--- a/src/charon/credentials/credential_manager.c
+++ b/src/charon/credentials/credential_manager.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: credential_manager.c 4936 2009-03-12 18:07:32Z tobias $
  */
 
 #include <pthread.h>
@@ -23,7 +21,7 @@
 #include <utils/mutex.h>
 #include <utils/linked_list.h>
 #include <credentials/sets/cert_cache.h>
-#include <credentials/sets/auth_info_wrapper.h>
+#include <credentials/sets/auth_cfg_wrapper.h>
 #include <credentials/sets/ocsp_response_wrapper.h>
 #include <credentials/certificates/x509.h>
 #include <credentials/certificates/crl.h>
@@ -530,7 +528,7 @@ static bool verify_ocsp(private_credential_manager_t *this,
 	{
 		if (this->cache->issued_by(this->cache, subject, issuer))
 		{
-			DBG1(DBG_CFG, "  ocsp response correctly signed by \"%D\"",
+			DBG1(DBG_CFG, "  ocsp response correctly signed by \"%Y\"",
 						     issuer->get_subject(issuer));
 			verified = TRUE;
 			break;
@@ -625,7 +623,7 @@ static certificate_t *get_better_ocsp(private_credential_manager_t *this,
  */
 static cert_validation_t check_ocsp(private_credential_manager_t *this,
 								    x509_t *subject, x509_t *issuer, 
-								    auth_info_t *auth)
+								    auth_cfg_t *auth)
 {
 	enumerator_t *enumerator;
 	cert_validation_t valid = VALIDATION_SKIPPED;
@@ -706,7 +704,11 @@ static cert_validation_t check_ocsp(private_credential_manager_t *this,
 	}
 	if (auth)
 	{
-		auth->add_item(auth, AUTHZ_OCSP_VALIDATION, &valid);
+		auth->add(auth, AUTH_RULE_OCSP_VALIDATION, valid);
+		if (valid == VALIDATION_GOOD)
+		{	/* successful OCSP check fulfills also CRL constraint */
+			auth->add(auth, AUTH_RULE_CRL_VALIDATION, VALIDATION_GOOD);
+		}
 	}
 	DESTROY_IF(best);
 	return valid;
@@ -728,6 +730,7 @@ static certificate_t* fetch_crl(private_credential_manager_t *this, char *url)
 	}
 	crl = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL,
 							 BUILD_BLOB_ASN1_DER, chunk, BUILD_END);
+	chunk_free(&chunk);
 	if (!crl)
 	{
 		DBG1(DBG_CFG, "crl fetched successfully but parsing failed");
@@ -751,7 +754,7 @@ static bool verify_crl(private_credential_manager_t *this, certificate_t *crl)
 	{
 		if (this->cache->issued_by(this->cache, crl, issuer))
 		{
-			DBG1(DBG_CFG, "  crl correctly signed by \"%D\"",
+			DBG1(DBG_CFG, "  crl correctly signed by \"%Y\"",
 						   issuer->get_subject(issuer));
 			verified = TRUE;
 			break;
@@ -833,7 +836,7 @@ static certificate_t *get_better_crl(private_credential_manager_t *this,
  */
 static cert_validation_t check_crl(private_credential_manager_t *this,
 								   x509_t *subject, x509_t *issuer, 
-								   auth_info_t *auth)
+								   auth_cfg_t *auth)
 {
 	cert_validation_t valid = VALIDATION_SKIPPED;
 	identification_t *keyid = NULL;
@@ -841,7 +844,7 @@ static cert_validation_t check_crl(private_credential_manager_t *this,
 	certificate_t *current;
 	public_key_t *public;
 	enumerator_t *enumerator;
-	char *uri;
+	char *uri = NULL;
 	
 	/* derive the authorityKeyIdentifier from the issuer's public key */
 	current = &issuer->interface;
@@ -920,7 +923,16 @@ static cert_validation_t check_crl(private_credential_manager_t *this,
 	}
 	if (auth)
 	{
-		auth->add_item(auth, AUTHZ_CRL_VALIDATION, &valid);
+		if (valid == VALIDATION_SKIPPED)
+		{	/* if we skipped CRL validation, we use the result of OCSP for
+			 * constraint checking */
+			auth->add(auth, AUTH_RULE_CRL_VALIDATION,
+					  auth->get(auth, AUTH_RULE_OCSP_VALIDATION));
+		}
+		else
+		{
+			auth->add(auth, AUTH_RULE_CRL_VALIDATION, valid);
+		}
 	}
 	DESTROY_IF(best);
 	return valid;
@@ -931,7 +943,7 @@ static cert_validation_t check_crl(private_credential_manager_t *this,
  */
 static bool check_certificate(private_credential_manager_t *this,
 							  certificate_t *subject, certificate_t *issuer,
-							  bool crl, bool ocsp, auth_info_t *auth)
+							  bool crl, bool ocsp, auth_cfg_t *auth)
 {
 	time_t not_before, not_after;
 	
@@ -952,7 +964,7 @@ static bool check_certificate(private_credential_manager_t *this,
 	{
 		if (ocsp || crl)
 		{
-			DBG1(DBG_CFG, "checking certificate status of \"%D\"",
+			DBG1(DBG_CFG, "checking certificate status of \"%Y\"",
 						   subject->get_subject(subject));
 		}
 		if (ocsp)
@@ -963,7 +975,7 @@ static bool check_certificate(private_credential_manager_t *this,
 					DBG1(DBG_CFG, "certificate status is good");
 					return TRUE;
 				case VALIDATION_REVOKED:
-					/* has already been logged */			
+					/* has already been logged */
 					return FALSE;
 				case VALIDATION_SKIPPED:
 					DBG2(DBG_CFG, "ocsp check skipped, no ocsp found");
@@ -983,8 +995,8 @@ static bool check_certificate(private_credential_manager_t *this,
 				case VALIDATION_GOOD:
 					DBG1(DBG_CFG, "certificate status is good");
 					return TRUE;
-				case VALIDATION_REVOKED:		
-					/* has already been logged */			
+				case VALIDATION_REVOKED:
+					/* has already been logged */
 					return FALSE;
 				case VALIDATION_FAILED:
 				case VALIDATION_SKIPPED:
@@ -1050,14 +1062,14 @@ static certificate_t *get_issuer_cert(private_credential_manager_t *this,
  * try to verify the trust chain of subject, return TRUE if trusted
  */
 static bool verify_trust_chain(private_credential_manager_t *this,
-							   certificate_t *subject, auth_info_t *result,
+							   certificate_t *subject, auth_cfg_t *result,
 							   bool trusted, bool crl, bool ocsp)
 {
 	certificate_t *current, *issuer;
-	auth_info_t *auth;
+	auth_cfg_t *auth;
 	u_int level = 0;
 	
-	auth = auth_info_create();
+	auth = auth_cfg_create();
 	current = subject->get_ref(subject);
 	while (level++ < MAX_CA_LEVELS)
 	{
@@ -1067,16 +1079,16 @@ static bool verify_trust_chain(private_credential_manager_t *this,
 			/* accept only self-signed CAs as trust anchor */
 			if (this->cache->issued_by(this->cache, issuer, issuer))
 			{
-				auth->add_item(auth, AUTHZ_CA_CERT, issuer);
-				DBG1(DBG_CFG, "  using trusted ca certificate \"%D\"",
+				auth->add(auth, AUTH_RULE_CA_CERT, issuer->get_ref(issuer));
+				DBG1(DBG_CFG, "  using trusted ca certificate \"%Y\"",
 					 issuer->get_subject(issuer));
 				trusted = TRUE;
 			}
 			else
 			{
-				auth->add_item(auth, AUTHZ_IM_CERT, issuer);
+				auth->add(auth, AUTH_RULE_IM_CERT, issuer->get_ref(issuer));
 				DBG1(DBG_CFG, "  using trusted intermediate ca certificate "
-					 "\"%D\"", issuer->get_subject(issuer));
+					 "\"%Y\"", issuer->get_subject(issuer));
 			}
 		}
 		else
@@ -1086,18 +1098,18 @@ static bool verify_trust_chain(private_credential_manager_t *this,
 			{
 				if (current->equals(current, issuer))
 				{
-					DBG1(DBG_CFG, "  self-signed certificate \"%D\" is not trusted",
+					DBG1(DBG_CFG, "  self-signed certificate \"%Y\" is not trusted",
 						 current->get_subject(current));
 					issuer->destroy(issuer);
 					break;
 				}
-				auth->add_item(auth, AUTHZ_IM_CERT, issuer);
+				auth->add(auth, AUTH_RULE_IM_CERT, issuer->get_ref(issuer));
 				DBG1(DBG_CFG, "  using untrusted intermediate certificate "
-					 "\"%D\"", issuer->get_subject(issuer));
+					 "\"%Y\"", issuer->get_subject(issuer));
 			}
 			else
 			{
-				DBG1(DBG_CFG, "no issuer certificate found for \"%D\"", 
+				DBG1(DBG_CFG, "no issuer certificate found for \"%Y\"", 
 					 current->get_subject(current));
 				break;
 			}
@@ -1123,7 +1135,7 @@ static bool verify_trust_chain(private_credential_manager_t *this,
 	}
 	if (trusted)
 	{
-		result->merge(result, auth);
+		result->merge(result, auth, FALSE);
 	}
 	auth->destroy(auth);
 	return trusted;
@@ -1149,20 +1161,20 @@ typedef struct {
 	bool ocsp;
 	/** pretrusted certificate we have served at first invocation */
 	certificate_t *pretrusted;
-	/** currently enumerating auth info */
-	auth_info_t *auth;
+	/** currently enumerating auth config */
+	auth_cfg_t *auth;
 } trusted_enumerator_t;
 
 /**
  * Implements trusted_enumerator_t.enumerate
  */
 static bool trusted_enumerate(trusted_enumerator_t *this,
-							  certificate_t **cert, auth_info_t **auth)
+							  certificate_t **cert, auth_cfg_t **auth)
 {
 	certificate_t *current;
 	
 	DESTROY_IF(this->auth);
-	this->auth = auth_info_create();
+	this->auth = auth_cfg_create();
 	
 	if (!this->candidates)
 	{
@@ -1181,8 +1193,9 @@ static bool trusted_enumerate(trusted_enumerator_t *this,
 				verify_trust_chain(this->this, this->pretrusted, this->auth,
 								   TRUE, this->crl, this->ocsp))
 			{
-				this->auth->add_item(this->auth, AUTHZ_CA_CERT, this->pretrusted);
-				DBG1(DBG_CFG, "  using trusted certificate \"%D\"",
+				this->auth->add(this->auth, AUTH_RULE_SUBJECT_CERT,
+								this->pretrusted->get_ref(this->pretrusted));
+				DBG1(DBG_CFG, "  using trusted certificate \"%Y\"",
 					 this->pretrusted->get_subject(this->pretrusted));
 				*cert = this->pretrusted;
 				if (auth)
@@ -1202,7 +1215,7 @@ static bool trusted_enumerate(trusted_enumerator_t *this,
 			continue;
 		}
 	
-		DBG1(DBG_CFG, "  using certificate \"%D\"",
+		DBG1(DBG_CFG, "  using certificate \"%Y\"",
 			 current->get_subject(current));
 		if (verify_trust_chain(this->this, current, this->auth, FALSE,
 							   this->crl, this->ocsp))
@@ -1264,15 +1277,15 @@ typedef struct {
 	private_credential_manager_t *this;
 	/** currently enumerating key */
 	public_key_t *current;
-	/** credset wrapper around auth */
-	auth_info_wrapper_t *wrapper;
+	/** credset wrapper around auth config */
+	auth_cfg_wrapper_t *wrapper;
 } public_enumerator_t;
 
 /**
  * Implements public_enumerator_t.enumerate
  */
 static bool public_enumerate(public_enumerator_t *this,
-							 public_key_t **key, auth_info_t **auth)
+							 public_key_t **key, auth_cfg_t **auth)
 {
 	certificate_t *cert;
 	
@@ -1312,7 +1325,7 @@ static void public_destroy(public_enumerator_t *this)
  * Implementation of credential_manager_t.create_public_enumerator.
  */
 static enumerator_t* create_public_enumerator(private_credential_manager_t *this,
-						key_type_t type, identification_t *id, auth_info_t *auth)
+						key_type_t type, identification_t *id, auth_cfg_t *auth)
 {
 	public_enumerator_t *enumerator = malloc_thing(public_enumerator_t);
 	
@@ -1324,7 +1337,7 @@ static enumerator_t* create_public_enumerator(private_credential_manager_t *this
 	enumerator->wrapper = NULL;
 	if (auth)
 	{
-		enumerator->wrapper = auth_info_wrapper_create(auth);
+		enumerator->wrapper = auth_cfg_wrapper_create(auth);
 		add_local_set(this, &enumerator->wrapper->set);
 	}
 	this->lock->read_lock(this->lock);
@@ -1334,40 +1347,22 @@ static enumerator_t* create_public_enumerator(private_credential_manager_t *this
 /**
  * Check if a certificate's keyid is contained in the auth helper
  */
-static bool auth_contains_cacert(auth_info_t *auth, certificate_t *cert)
+static bool auth_contains_cacert(auth_cfg_t *auth, certificate_t *cert)
 {
 	enumerator_t *enumerator;
 	identification_t *value;
-	auth_item_t type;
+	auth_rule_t type;
 	bool found = FALSE;
 
-	enumerator = auth->create_item_enumerator(auth);
+	enumerator = auth->create_enumerator(auth);
 	while (enumerator->enumerate(enumerator, &type, &value))
 	{
-		if (type == AUTHN_CA_CERT && cert->equals(cert, (certificate_t*)value))
+		if (type == AUTH_RULE_CA_CERT &&
+			cert->equals(cert, (certificate_t*)value))
 		{
 			found = TRUE;
 			break;
 		}
-		if (type == AUTHN_CA_CERT_KEYID)
-		{
-			public_key_t *public;
-			identification_t *certid, *keyid;
-			
-			public = cert->get_public_key(cert);
-			if (public)
-			{
-				keyid = (identification_t*)value;
-				certid = public->get_id(public, keyid->get_type(keyid));
-				if (certid && certid->equals(certid, keyid))
-				{
-					public->destroy(public);
-					found = TRUE;
-					break;
-				}
-				public->destroy(public);
-			}
-		}
 	}
 	enumerator->destroy(enumerator);
 	return found;
@@ -1376,19 +1371,21 @@ static bool auth_contains_cacert(auth_info_t *auth, certificate_t *cert)
 /**
  * build a trustchain from subject up to a trust anchor in trusted
  */
-static auth_info_t *build_trustchain(private_credential_manager_t *this,
-									 certificate_t *subject, auth_info_t *auth)
+static auth_cfg_t *build_trustchain(private_credential_manager_t *this,
+									 certificate_t *subject, auth_cfg_t *auth)
 {	
 	certificate_t *issuer, *current;
-	auth_info_t *trustchain;
+	auth_cfg_t *trustchain;
 	u_int level = 0;
 	
-	trustchain = auth_info_create();
+	trustchain = auth_cfg_create();
 	
-	if (!auth->get_item(auth, AUTHN_CA_CERT, (void**)&current))
+	current = auth->get(auth, AUTH_RULE_CA_CERT);
+	if (!current)
 	{
 		/* no trust anchor specified, return this cert only */
-		trustchain->add_item(trustchain, AUTHZ_SUBJECT_CERT, subject);
+		trustchain->add(trustchain, AUTH_RULE_SUBJECT_CERT,
+						subject->get_ref(subject));
 		return trustchain;
 	}
 	current = subject->get_ref(subject);
@@ -1396,26 +1393,23 @@ static auth_info_t *build_trustchain(private_credential_manager_t *this,
 	{
 		if (auth_contains_cacert(auth, current))
 		{
-			trustchain->add_item(trustchain, AUTHZ_CA_CERT, current);
-			current->destroy(current);
+			trustchain->add(trustchain, AUTH_RULE_CA_CERT, current);
 			return trustchain;
 		}
 		if (subject == current)
 		{
-			trustchain->add_item(trustchain, AUTHZ_SUBJECT_CERT, current);
+			trustchain->add(trustchain, AUTH_RULE_SUBJECT_CERT, current);
 		}
 		else
 		{
-			trustchain->add_item(trustchain, AUTHZ_IM_CERT, current);
+			trustchain->add(trustchain, AUTH_RULE_IM_CERT, current);
 		}
 		issuer = get_issuer_cert(this, current, FALSE);
 		if (!issuer || issuer->equals(issuer, current) || level > MAX_CA_LEVELS)
 		{
 			DESTROY_IF(issuer);
-			current->destroy(current);
 			break;
 		}
-		current->destroy(current);
 		current = issuer;
 		level++;
 	}
@@ -1451,12 +1445,12 @@ static private_key_t *get_private_by_cert(private_credential_manager_t *this,
  */
 static private_key_t *get_private(private_credential_manager_t *this,
 								  key_type_t type, identification_t *id,
-								  auth_info_t *auth)
+								  auth_cfg_t *auth)
 {
 	enumerator_t *enumerator;
 	certificate_t *cert;
 	private_key_t *private = NULL;
-	auth_info_t *trustchain;
+	auth_cfg_t *trustchain;
 	
 	/* check if this is a lookup by key ID, and do it if so */
 	if (id)
@@ -1471,8 +1465,25 @@ static private_key_t *get_private(private_credential_manager_t *this,
 				break;
 		}
 	}
-	
-	/* try to build a trustchain for each certificate found */
+
+	/* if a specific certificate is preferred, check for a matching key */
+	cert = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
+	if (cert)
+	{
+		private = get_private_by_cert(this, cert, type);
+		if (private)
+		{
+			trustchain = build_trustchain(this, cert, auth);
+			if (trustchain)
+			{
+				auth->merge(auth, trustchain, FALSE);
+				trustchain->destroy(trustchain);
+			}
+			return private;
+		}
+	}
+			
+	/* try to build a trust chain for each certificate found */
 	enumerator = create_cert_enumerator(this, CERT_ANY, type, id, FALSE);
 	while (enumerator->enumerate(enumerator, &cert))
 	{
@@ -1482,7 +1493,7 @@ static private_key_t *get_private(private_credential_manager_t *this,
 			trustchain = build_trustchain(this, cert, auth);
 			if (trustchain)
 			{
-				auth->merge(auth, trustchain);
+				auth->merge(auth, trustchain, FALSE);
 				trustchain->destroy(trustchain);
 				break;
 			}
@@ -1491,6 +1502,7 @@ static private_key_t *get_private(private_credential_manager_t *this,
 		}
 	}
 	enumerator->destroy(enumerator);
+
 	/* if no valid trustchain was found, fall back to the first usable cert */
 	if (!private)
 	{
@@ -1500,7 +1512,7 @@ static private_key_t *get_private(private_credential_manager_t *this,
 			private = get_private_by_cert(this, cert, type);
 			if (private)
 			{
-				auth->add_item(auth, AUTHZ_SUBJECT_CERT, cert);
+				auth->add(auth, AUTH_RULE_SUBJECT_CERT, cert->get_ref(cert));
 				break;
 			}
 		}
@@ -1566,8 +1578,8 @@ credential_manager_t *credential_manager_create()
 	this->public.create_cdp_enumerator = (enumerator_t *(*)(credential_manager_t*, certificate_type_t type, identification_t *id))create_cdp_enumerator;
 	this->public.get_cert = (certificate_t *(*)(credential_manager_t *this,certificate_type_t cert, key_type_t key,identification_t *, bool))get_cert;
 	this->public.get_shared = (shared_key_t *(*)(credential_manager_t *this,shared_key_type_t type,identification_t *me, identification_t *other))get_shared;
-	this->public.get_private = (private_key_t*(*)(credential_manager_t*, key_type_t type, identification_t *, auth_info_t*))get_private;
-	this->public.create_public_enumerator = (enumerator_t*(*)(credential_manager_t*, key_type_t type, identification_t *id, auth_info_t *aut))create_public_enumerator;
+	this->public.get_private = (private_key_t*(*)(credential_manager_t*, key_type_t type, identification_t *, auth_cfg_t*))get_private;
+	this->public.create_public_enumerator = (enumerator_t*(*)(credential_manager_t*, key_type_t type, identification_t *id, auth_cfg_t *aut))create_public_enumerator;
 	this->public.flush_cache = (void(*)(credential_manager_t*, certificate_type_t type))flush_cache;
 	this->public.cache_cert = (void(*)(credential_manager_t*, certificate_t *cert))cache_cert;
 	this->public.add_set = (void(*)(credential_manager_t*, credential_set_t *set))add_set;
diff --git a/src/charon/credentials/credential_manager.h b/src/charon/credentials/credential_manager.h
index ff2dc3645..0af54c0b1 100644
--- a/src/charon/credentials/credential_manager.h
+++ b/src/charon/credentials/credential_manager.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2007-2008 Martin Willi
+ * Copyright (C) 2007-2009 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: credential_manager.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -25,7 +23,7 @@
 
 #include <utils/identification.h>
 #include <utils/enumerator.h>
-#include <credentials/auth_info.h>
+#include <config/auth_cfg.h>
 #include <credentials/credential_set.h>
 #include <credentials/keys/private_key.h>
 #include <credentials/keys/shared_key.h>
@@ -122,7 +120,6 @@ struct credential_manager_t {
 	 * @param type		kind of requested shared key
 	 * @param me		own identity
 	 * @param other		peers identity
-	 * @param auth		auth_info helper 
 	 * @return			shared_key_t, NULL if none found
 	 */			   
 	shared_key_t *(*get_shared)(credential_manager_t *this, shared_key_type_t type,
@@ -138,11 +135,11 @@ struct credential_manager_t {
 	 *
 	 * @param type		type of the key to get
 	 * @param id		identification the key belongs to
-	 * @param auth		auth_info helper, including trusted CA certificates
+	 * @param auth		auth config, including trusted CA certificates
 	 * @return			private_key_t, NULL if none found
 	 */
 	private_key_t* (*get_private)(credential_manager_t *this, key_type_t type,
-								  identification_t *id, auth_info_t *auth);
+								  identification_t *id, auth_cfg_t *auth);
 	
 	/**
 	 * Create an enumerator over trusted public keys.
@@ -150,9 +147,8 @@ struct credential_manager_t {
 	 * This method gets a an enumerator over trusted public keys to verify a
 	 * signature created by id. The auth parameter contains additional 
 	 * authentication infos, e.g. peer and intermediate certificates.
-	 * The resulting enumerator enumerates over public_key_t *, auth_info_t *,
-	 * where the auth info contains gained privileges for the authorization
-	 * process.
+	 * The resulting enumerator enumerates over public_key_t *, auth_cfg_t *,
+	 * where the auth config helper contains rules for constraint checks.
 	 *
 	 * @param type		type of the key to get
 	 * @param id		owner of the key, signer of the signature
@@ -160,7 +156,7 @@ struct credential_manager_t {
 	 * @return			enumerator
 	 */
 	enumerator_t* (*create_public_enumerator)(credential_manager_t *this,
-					key_type_t type, identification_t *id, auth_info_t *auth);
+					key_type_t type, identification_t *id, auth_cfg_t *auth);
 	
 	/**
 	 * Cache a certificate by invoking cache_cert() on all registerd sets.
diff --git a/src/charon/credentials/credential_set.h b/src/charon/credentials/credential_set.h
index 14b2a8ebd..e9ad99bfd 100644
--- a/src/charon/credentials/credential_set.h
+++ b/src/charon/credentials/credential_set.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: credential_set.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/charon/credentials/sets/auth_cfg_wrapper.c b/src/charon/credentials/sets/auth_cfg_wrapper.c
new file mode 100644
index 000000000..b2cf5d960
--- /dev/null
+++ b/src/charon/credentials/sets/auth_cfg_wrapper.c
@@ -0,0 +1,223 @@
+/*
+ * Copyright (C) 2008-2009 Martin Willi
+ * Copyright (C) 2008 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <daemon.h>
+
+#include "auth_cfg_wrapper.h"
+
+typedef struct private_auth_cfg_wrapper_t private_auth_cfg_wrapper_t;
+
+/**
+ * private data of auth_cfg_wrapper
+ */
+struct private_auth_cfg_wrapper_t {
+
+	/**
+	 * public functions
+	 */
+	auth_cfg_wrapper_t public;
+	
+	/**
+	 * wrapped auth info
+	 */
+	auth_cfg_t *auth;
+};
+
+/**
+ * enumerator for auth_cfg_wrapper_t.create_cert_enumerator()
+ */
+typedef struct {
+	/** implements enumerator_t */
+	enumerator_t public;
+	/** inner enumerator from auth_cfg */
+	enumerator_t *inner;
+	/** wrapped auth round */
+	auth_cfg_t *auth;
+	/** enumerated cert type */
+	certificate_type_t cert;
+	/** enumerated key type */
+	key_type_t key;
+	/** enumerated id */
+	identification_t *id;
+} wrapper_enumerator_t;
+
+/**
+ * Tries to fetch a certificate that was supplied as "Hash and URL"
+ * (replaces rule type and value in place).
+ */
+static bool fetch_cert(wrapper_enumerator_t *enumerator,
+					   auth_rule_t *rule, void **value)
+{
+	char *url = (char*)*value;
+	if (!url)
+	{
+		/* fetching the certificate previously failed */
+		return FALSE;
+	}
+	
+	chunk_t data;
+	certificate_t *cert;
+	
+	DBG1(DBG_CFG, "  fetching certificate from '%s' ...", url);
+	if (lib->fetcher->fetch(lib->fetcher, url, &data, FETCH_END) != SUCCESS)
+	{
+		DBG1(DBG_CFG, "  fetching certificate failed");
+		/* we set the item to NULL, so we can skip it */
+		enumerator->auth->replace(enumerator->auth, enumerator->inner,
+								  *rule, NULL);
+		return FALSE;
+	}
+	
+	cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+							  BUILD_BLOB_ASN1_DER, data, BUILD_END);
+	free(data.ptr);
+	
+	if (!cert)
+	{
+		DBG1(DBG_CFG, "  parsing fetched certificate failed");
+		/* we set the item to NULL, so we can skip it */
+		enumerator->auth->replace(enumerator->auth, enumerator->inner,
+								  *rule, NULL);
+		return FALSE;
+	}
+	
+	DBG1(DBG_CFG, "  fetched certificate \"%Y\"", cert->get_subject(cert));
+	charon->credentials->cache_cert(charon->credentials, cert);
+	
+	if (*rule == AUTH_HELPER_IM_HASH_URL)
+	{
+		*rule = AUTH_HELPER_IM_CERT;
+	}
+	else
+	{
+		*rule = AUTH_HELPER_SUBJECT_CERT;
+	}
+	*value = cert;
+	enumerator->auth->replace(enumerator->auth, enumerator->inner,
+							  *rule, cert->get_ref(cert));
+	return TRUE;
+}
+
+/**
+ * enumerate function for wrapper_enumerator_t
+ */
+static bool enumerate(wrapper_enumerator_t *this, certificate_t **cert)
+{
+	auth_rule_t rule;
+	certificate_t *current;
+	public_key_t *public;
+
+	while (this->inner->enumerate(this->inner, &rule, &current))
+	{
+		if (rule == AUTH_HELPER_IM_HASH_URL ||
+			rule == AUTH_HELPER_SUBJECT_HASH_URL)
+		{	/* on-demand fetching of hash and url certificates */
+			if (!fetch_cert(this, &rule, (void**)&current))
+			{
+				continue;
+			}
+		}
+		else if (rule != AUTH_HELPER_SUBJECT_CERT &&
+				 rule != AUTH_HELPER_IM_CERT)
+		{	/* handle only HELPER certificates */
+			continue;
+		}
+		if (this->cert != CERT_ANY && this->cert != current->get_type(current))
+		{	/* CERT type requested, but does not match */
+			continue;
+		}
+		public = current->get_public_key(current);
+		if (this->key != KEY_ANY && !public)
+		{	/* key type requested, but no public key */
+			DESTROY_IF(public);
+			continue;
+		}
+		if (this->key != KEY_ANY && public && this->key != public->get_type(public))
+		{	/* key type requested, but public key has another type */
+			DESTROY_IF(public);
+			continue;
+		}
+		DESTROY_IF(public);
+		if (this->id && !current->has_subject(current, this->id))
+		{	/* subject requested, but does not match */
+			continue;
+		}
+		*cert = current;
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/**
+ * destroy function for wrapper_enumerator_t
+ */
+static void wrapper_enumerator_destroy(wrapper_enumerator_t *this)
+{
+	this->inner->destroy(this->inner);
+	free(this);
+}
+
+/**
+ * implementation of auth_cfg_wrapper_t.set.create_cert_enumerator
+ */
+static enumerator_t *create_enumerator(private_auth_cfg_wrapper_t *this,
+									   certificate_type_t cert, key_type_t key, 
+									   identification_t *id, bool trusted)
+{
+	wrapper_enumerator_t *enumerator;
+	
+	if (trusted)
+	{
+		return NULL;
+	}
+	enumerator = malloc_thing(wrapper_enumerator_t);
+	enumerator->auth = this->auth;
+	enumerator->cert = cert;
+	enumerator->key = key;
+	enumerator->id = id;
+	enumerator->inner = this->auth->create_enumerator(this->auth);
+	enumerator->public.enumerate = (void*)enumerate;
+	enumerator->public.destroy = (void*)wrapper_enumerator_destroy;
+	return &enumerator->public;
+}
+
+/**
+ * Implementation of auth_cfg_wrapper_t.destroy
+ */
+static void destroy(private_auth_cfg_wrapper_t *this)
+{
+	free(this);
+}
+
+/*
+ * see header file
+ */
+auth_cfg_wrapper_t *auth_cfg_wrapper_create(auth_cfg_t *auth)
+{
+	private_auth_cfg_wrapper_t *this = malloc_thing(private_auth_cfg_wrapper_t);
+	
+	this->public.set.create_private_enumerator = (void*)return_null;
+	this->public.set.create_cert_enumerator = (void*)create_enumerator;
+	this->public.set.create_shared_enumerator = (void*)return_null;
+	this->public.set.create_cdp_enumerator = (void*)return_null;
+	this->public.set.cache_cert = (void*)nop;
+	this->public.destroy = (void(*)(auth_cfg_wrapper_t*))destroy;
+	
+	this->auth = auth;
+	
+	return &this->public;
+}
+
diff --git a/src/charon/credentials/sets/auth_cfg_wrapper.h b/src/charon/credentials/sets/auth_cfg_wrapper.h
new file mode 100644
index 000000000..dd5e0fff6
--- /dev/null
+++ b/src/charon/credentials/sets/auth_cfg_wrapper.h
@@ -0,0 +1,53 @@
+/*
+ * Copyright (C) 2008-2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup auth_cfg_wrapper auth_cfg_wrapper
+ * @{ @ingroup sets
+ */
+
+#ifndef AUTH_CFG_WRAPPER_H_
+#define AUTH_CFG_WRAPPER_H_
+
+#include <config/auth_cfg.h>
+#include <credentials/credential_set.h>
+
+typedef struct auth_cfg_wrapper_t auth_cfg_wrapper_t;
+
+/**
+ * A wrapper around auth_cfg_t to handle it as a credential set.
+ */
+struct auth_cfg_wrapper_t {
+
+	/**
+	 * implements credential_set_t
+	 */
+	credential_set_t set;
+		
+	/**
+     * Destroy a auth_cfg_wrapper instance.
+     */
+    void (*destroy)(auth_cfg_wrapper_t *this);
+};
+
+/**
+ * Create a auth_cfg_wrapper instance.
+ *
+ * @param auth		the wrapped auth info
+ * @return			wrapper around auth
+ */
+auth_cfg_wrapper_t *auth_cfg_wrapper_create(auth_cfg_t *auth);
+
+#endif /** AUTH_CFG_WRAPPER_H_ @}*/
diff --git a/src/charon/credentials/sets/auth_info_wrapper.c b/src/charon/credentials/sets/auth_info_wrapper.c
deleted file mode 100644
index 7ec75be15..000000000
--- a/src/charon/credentials/sets/auth_info_wrapper.c
+++ /dev/null
@@ -1,216 +0,0 @@
-/*
- * Copyright (C) 2008 Tobias Brunner
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- *
- * $Id$
- */
-
-#include <daemon.h>
-
-#include "auth_info_wrapper.h"
-
-typedef struct private_auth_info_wrapper_t private_auth_info_wrapper_t;
-
-/**
- * private data of auth_info_wrapper
- */
-struct private_auth_info_wrapper_t {
-
-	/**
-	 * public functions
-	 */
-	auth_info_wrapper_t public;
-	
-	/**
-	 * wrapped auth info
-	 */
-	auth_info_t *auth;
-};
-
-/**
- * enumerator for auth_info_wrapper_t.create_cert_enumerator()
- */
-typedef struct {
-	/** implements enumerator_t */
-	enumerator_t public;
-	/** inner enumerator from auth_info */
-	enumerator_t *inner;
-	/** wrapped auth info */
-	auth_info_t *auth;
-	/** enumerated cert type */
-	certificate_type_t cert;
-	/** enumerated key type */
-	key_type_t key;
-	/** enumerated id */
-	identification_t *id;
-} wrapper_enumerator_t;
-
-/**
- * Tries to fetch a certificate that was supplied as "Hash and URL" (replaces the
- * item's type and value in place).
- */
-static bool fetch_cert(wrapper_enumerator_t *enumerator, auth_item_t *type, void **value)
-{
-	char *url = (char*)*value;
-	if (!url)
-	{
-		/* fetching the certificate previously failed */
-		return FALSE;
-	}
-	
-	chunk_t data;
-	certificate_t *cert;
-	
-	DBG1(DBG_CFG, "  fetching certificate from '%s' ...", url);
-	if (lib->fetcher->fetch(lib->fetcher, url, &data, FETCH_END) != SUCCESS)
-	{
-		DBG1(DBG_CFG, "  fetching certificate failed");
-		/* we set the item to NULL, so we can skip it */
-		enumerator->auth->replace_item(enumerator->inner, *type, NULL);
-		return FALSE;
-	}
-	
-	cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
-					  BUILD_BLOB_ASN1_DER, data, BUILD_END);
-	free(data.ptr);
-	
-	if (!cert)
-	{
-		DBG1(DBG_CFG, "  parsing fetched certificate failed");
-		/* we set the item to NULL, so we can skip it */
-		enumerator->auth->replace_item(enumerator->inner, *type, NULL);
-		return FALSE;
-	}
-	
-	DBG1(DBG_CFG, "  fetched certificate \"%D\"", cert->get_subject(cert));
-	charon->credentials->cache_cert(charon->credentials, cert);
-	
-	*type = (*type == AUTHN_IM_HASH_URL) ? AUTHN_IM_CERT : AUTHN_SUBJECT_CERT;
-	*value = cert;
-	enumerator->auth->replace_item(enumerator->inner, *type, cert);
-	
-	return TRUE;
-}
-
-/**
- * enumerate function for wrapper_enumerator_t
- */
-static bool enumerate(wrapper_enumerator_t *this, certificate_t **cert)
-{
-	auth_item_t type;
-	certificate_t *current;
-	public_key_t *public;
-
-	while (this->inner->enumerate(this->inner, &type, &current))
-	{
-		if (type == AUTHN_IM_HASH_URL ||
-			type == AUTHN_SUBJECT_HASH_URL)
-		{
-			if (!fetch_cert(this, &type, (void**)&current))
-			{
-				continue;
-			}
-		}
-		else if (type != AUTHN_SUBJECT_CERT && 
-				 type != AUTHN_IM_CERT)
-		{
-			continue;
-		}
-
-		if (this->cert != CERT_ANY && this->cert != current->get_type(current))
-		{	/* CERT type requested, but does not match */
-			continue;
-		}
-		public = current->get_public_key(current);
-		if (this->key != KEY_ANY && !public)
-		{	/* key type requested, but no public key */
-			DESTROY_IF(public);
-			continue;
-		}
-		if (this->key != KEY_ANY && public && this->key != public->get_type(public))
-		{	/* key type requested, but public key has another type */
-			DESTROY_IF(public);
-			continue;
-		}
-		DESTROY_IF(public);
-		if (this->id && !current->has_subject(current, this->id))
-		{	/* subject requested, but does not match */
-			continue;
-		}
-		*cert = current;
-		return TRUE;
-	}
-	return FALSE;
-}
-
-/**
- * destroy function for wrapper_enumerator_t
- */
-static void wrapper_enumerator_destroy(wrapper_enumerator_t *this)
-{
-	this->inner->destroy(this->inner);
-	free(this);
-}
-
-/**
- * implementation of auth_info_wrapper_t.set.create_cert_enumerator
- */
-static enumerator_t *create_enumerator(private_auth_info_wrapper_t *this,
-									   certificate_type_t cert, key_type_t key, 
-									   identification_t *id, bool trusted)
-{
-	wrapper_enumerator_t *enumerator;
-	
-	if (trusted)
-	{
-		return NULL;
-	}
-	enumerator = malloc_thing(wrapper_enumerator_t);
-	enumerator->auth = this->auth;
-	enumerator->cert = cert;
-	enumerator->key = key;
-	enumerator->id = id;
-	enumerator->inner = this->auth->create_item_enumerator(this->auth);
-	enumerator->public.enumerate = (void*)enumerate;
-	enumerator->public.destroy = (void*)wrapper_enumerator_destroy;
-	return &enumerator->public;
-}
-
-/**
- * Implementation of auth_info_wrapper_t.destroy
- */
-static void destroy(private_auth_info_wrapper_t *this)
-{
-	free(this);
-}
-
-/*
- * see header file
- */
-auth_info_wrapper_t *auth_info_wrapper_create(auth_info_t *auth)
-{
-	private_auth_info_wrapper_t *this = malloc_thing(private_auth_info_wrapper_t);
-	
-	this->public.set.create_private_enumerator = (void*)return_null;
-	this->public.set.create_cert_enumerator = (void*)create_enumerator;
-	this->public.set.create_shared_enumerator = (void*)return_null;
-	this->public.set.create_cdp_enumerator = (void*)return_null;
-	this->public.set.cache_cert = (void*)nop;
-	this->public.destroy = (void(*)(auth_info_wrapper_t*))destroy;
-	
-	this->auth = auth;
-	
-	return &this->public;
-}
-
diff --git a/src/charon/credentials/sets/auth_info_wrapper.h b/src/charon/credentials/sets/auth_info_wrapper.h
deleted file mode 100644
index 9186715f0..000000000
--- a/src/charon/credentials/sets/auth_info_wrapper.h
+++ /dev/null
@@ -1,55 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- *
- * $Id$
- */
-
-/**
- * @defgroup auth_info_wrapper auth_info_wrapper
- * @{ @ingroup sets
- */
-
-#ifndef AUTH_INFO_WRAPPER_H_
-#define AUTH_INFO_WRAPPER_H_
-
-#include <credentials/credential_set.h>
-#include <credentials/auth_info.h>
-
-typedef struct auth_info_wrapper_t auth_info_wrapper_t;
-
-/**
- * A wrapper around auth_info_t to handle it like a credential set.
- */
-struct auth_info_wrapper_t {
-
-	/**
-	 * implements credential_set_t
-	 */
-	credential_set_t set;
-		
-	/**
-     * Destroy a auth_info_wrapper instance.
-     */
-    void (*destroy)(auth_info_wrapper_t *this);
-};
-
-/**
- * Create a auth_info_wrapper instance.
- *
- * @param auth		the wrapped auth info
- * @return			wrapper around auth
- */
-auth_info_wrapper_t *auth_info_wrapper_create(auth_info_t *auth);
-
-#endif /** AUTH_INFO_WRAPPER_H_ @}*/
diff --git a/src/charon/credentials/sets/cert_cache.c b/src/charon/credentials/sets/cert_cache.c
index 83ba8263d..907f5072f 100644
--- a/src/charon/credentials/sets/cert_cache.c
+++ b/src/charon/credentials/sets/cert_cache.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 #include "cert_cache.h"
diff --git a/src/charon/credentials/sets/cert_cache.h b/src/charon/credentials/sets/cert_cache.h
index 40e38e913..a2cae367c 100644
--- a/src/charon/credentials/sets/cert_cache.h
+++ b/src/charon/credentials/sets/cert_cache.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 /**
diff --git a/src/charon/credentials/sets/ocsp_response_wrapper.c b/src/charon/credentials/sets/ocsp_response_wrapper.c
index c4d3a5b0f..e9faec472 100644
--- a/src/charon/credentials/sets/ocsp_response_wrapper.c
+++ b/src/charon/credentials/sets/ocsp_response_wrapper.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 #include "ocsp_response_wrapper.h"
diff --git a/src/charon/credentials/sets/ocsp_response_wrapper.h b/src/charon/credentials/sets/ocsp_response_wrapper.h
index 068035884..8f141f7a1 100644
--- a/src/charon/credentials/sets/ocsp_response_wrapper.h
+++ b/src/charon/credentials/sets/ocsp_response_wrapper.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 /**
diff --git a/src/charon/daemon.c b/src/charon/daemon.c
index 6dcb39a89..c646ef9b4 100644
--- a/src/charon/daemon.c
+++ b/src/charon/daemon.c
@@ -1,7 +1,7 @@
 /* 
  * Copyright (C) 2006-2009 Tobias Brunner
+ * Copyright (C) 2005-2009 Martin Willi
  * Copyright (C) 2006 Daniel Roethlisberger
- * Copyright (C) 2005-2008 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
  *
@@ -17,7 +17,9 @@
  */
 
 #include <stdio.h>
+#ifdef HAVE_PRCTL
 #include <sys/prctl.h>
+#endif
 #include <signal.h>
 #include <pthread.h>
 #include <sys/stat.h>
@@ -178,6 +180,7 @@ static void destroy(private_daemon_t *this)
 #ifdef CAPABILITIES
 	cap_free(this->caps);
 #endif /* CAPABILITIES */
+	DESTROY_IF(this->public.traps);
 	DESTROY_IF(this->public.ike_sa_manager);
 	DESTROY_IF(this->public.kernel_interface);
 	DESTROY_IF(this->public.scheduler);
@@ -240,8 +243,10 @@ static void kill_daemon(private_daemon_t *this, char *reason)
  * drop daemon capabilities
  */
 static void drop_capabilities(private_daemon_t *this)
-{	
+{
+#ifdef HAVE_PRCTL
 	prctl(PR_SET_KEEPCAPS, 1);
+#endif
 
 	if (setgid(charon->gid) != 0)
 	{
@@ -314,6 +319,7 @@ static void print_plugins()
 	int len = 0;
 	enumerator_t *enumerator;
 	
+	buf[0] = '\0';
 	enumerator = lib->plugins->create_plugin_enumerator(lib->plugins);
 	while (len < sizeof(buf) && enumerator->enumerate(enumerator, &plugin))
 	{
@@ -461,7 +467,7 @@ static bool initialize(private_daemon_t *this, bool syslog, level_t levels[])
 	
 	initialize_loggers(this, !syslog, levels);
 	
-	DBG1(DBG_DMN, "starting charon (strongSwan Version %s)", VERSION);
+	DBG1(DBG_DMN, "Starting IKEv2 charon daemon (strongSwan "VERSION")");
 
 	/* load secrets, ca certificates and crls */
 	this->public.processor = processor_create();
@@ -474,6 +480,7 @@ static bool initialize(private_daemon_t *this, bool syslog, level_t levels[])
 	this->public.attributes = attribute_manager_create();
 	this->public.kernel_interface = kernel_interface_create();
 	this->public.socket = socket_create();
+	this->public.traps = trap_manager_create();
 	
 	/* load plugins, further infrastructure may need it */
 	lib->plugins->load(lib->plugins, IPSEC_PLUGINDIR, 
@@ -481,9 +488,6 @@ static bool initialize(private_daemon_t *this, bool syslog, level_t levels[])
 	
 	print_plugins();
 	
-	/* create the kernel interfaces */
-	this->public.kernel_interface->create_interfaces(this->public.kernel_interface);
-	
 #ifdef INTEGRITY_TEST
 	DBG1(DBG_DMN, "integrity test of libstrongswan code");
 	if (fips_verify_hmac_signature(hmac_key, hmac_signature))
@@ -552,6 +556,7 @@ private_daemon_t *daemon_create(void)
 	/* NULL members for clean destruction */
 	this->public.socket = NULL;
 	this->public.ike_sa_manager = NULL;
+	this->public.traps = NULL;
 	this->public.credentials = NULL;
 	this->public.backends = NULL;
 	this->public.attributes = NULL;
@@ -603,6 +608,48 @@ private_daemon_t *daemon_create(void)
 	return this;
 }
 
+/**
+ * Check/create PID file, return TRUE if already running 
+ */
+static bool check_pidfile()
+{
+	struct stat stb;
+	FILE *file;
+	
+	if (stat(PID_FILE, &stb) == 0)
+	{
+		file = fopen(PID_FILE, "r");
+		if (file)
+		{
+			char buf[64];
+			pid_t pid = 0;
+			
+			memset(buf, 0, sizeof(buf));
+			if (fread(buf, 1, sizeof(buf), file))
+			{
+				pid = atoi(buf);
+			}
+			fclose(file);
+			if (pid && kill(pid, 0) == 0)
+			{	/* such a process is running */
+				return TRUE;
+			}
+		}
+		DBG1(DBG_DMN, "removing pidfile '"PID_FILE"', process not running");
+		unlink(PID_FILE);
+	}
+	
+	/* create new pidfile */
+	file = fopen(PID_FILE, "w");
+	if (file)
+	{
+		fprintf(file, "%d\n", getpid());
+		ignore_result(fchown(fileno(file), charon->uid, charon->gid));
+		fclose(file);
+	}
+	return FALSE;
+}
+
 /**
  * print command line usage and exit
  */
@@ -631,10 +678,7 @@ static void usage(const char *msg)
 int main(int argc, char *argv[])
 {
 	bool use_syslog = FALSE;
-
 	private_daemon_t *private_charon;
-	FILE *pid_file;
-	struct stat stb;
 	level_t levels[DBG_MAX];
 	int group;
 	
@@ -715,21 +759,13 @@ int main(int argc, char *argv[])
 		destroy(private_charon);
 		exit(-1);
 	}
-
-	/* check/setup PID file */
-	if (stat(PID_FILE, &stb) == 0)
+	
+	if (check_pidfile())
 	{
 		DBG1(DBG_DMN, "charon already running (\""PID_FILE"\" exists)");
 		destroy(private_charon);
 		exit(-1);
 	}
-	pid_file = fopen(PID_FILE, "w");
-	if (pid_file)
-	{
-		fprintf(pid_file, "%d\n", getpid());
-		ignore_result(fchown(fileno(pid_file), charon->uid, charon->gid));
-		fclose(pid_file);
-	}
 	
 	/* drop the capabilities we won't need */
 	drop_capabilities(private_charon);
diff --git a/src/charon/daemon.h b/src/charon/daemon.h
index d70a88010..023bae447 100644
--- a/src/charon/daemon.h
+++ b/src/charon/daemon.h
@@ -1,7 +1,7 @@
 /*
  * Copyright (C) 2006-2007 Tobias Brunner
+ * Copyright (C) 2005-2009 Martin Willi
  * Copyright (C) 2006 Daniel Roethlisberger
- * Copyright (C) 2005-2008 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
  *
@@ -14,8 +14,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: daemon.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -159,6 +157,7 @@ typedef struct daemon_t daemon_t;
 #include <bus/listeners/file_logger.h>
 #include <bus/listeners/sys_logger.h>
 #include <sa/ike_sa_manager.h>
+#include <sa/trap_manager.h>
 #include <config/backend_manager.h>
 #include <config/attributes/attribute_manager.h>
 #include <credentials/credential_manager.h>
@@ -205,12 +204,17 @@ struct daemon_t {
 	 * A socket_t instance.
 	 */
 	socket_t *socket;
-
+	
 	/**
 	 * A ike_sa_manager_t instance.
 	 */
 	ike_sa_manager_t *ike_sa_manager;
 	
+	/**
+	 * Manager for triggering policies, called traps
+	 */
+	trap_manager_t *traps;
+	
 	/**
 	 * Manager for the different configuration backends.
 	 */
diff --git a/src/charon/encoding/generator.c b/src/charon/encoding/generator.c
index dea4f0e21..406cfc688 100644
--- a/src/charon/encoding/generator.c
+++ b/src/charon/encoding/generator.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005-2009 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
  *
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: generator.c 4702 2008-11-26 10:42:54Z martin $
  */
 
 #include <stdlib.h>
@@ -21,7 +19,6 @@
 #include <arpa/inet.h>
 #include <stdio.h>
 
-
 #include "generator.h"
 
 #include <library.h>
@@ -61,26 +58,26 @@ struct private_generator_t {
 	 * Buffer used to generate the data into.
 	 */
 	u_int8_t *buffer;
-
+	
 	/**
 	 * Current write position in buffer (one byte aligned).
 	 */
 	u_int8_t *out_position;
-
+	
 	/**
 	 * Position of last byte in buffer.
 	 */
 	u_int8_t *roof_position;
-
+	
 	/**
 	 * Current bit writing to in current byte (between 0 and 7).
 	 */
-	size_t current_bit;
-
+	u_int8_t current_bit;
+	
 	/**
 	 * Associated data struct to read informations from.
 	 */
-	void * data_struct;
+	void *data_struct;
 	
 	/*
 	 * Last payload length position offset in the buffer.
@@ -115,7 +112,7 @@ struct private_generator_t {
 /**
  * Get size of current buffer in bytes.
  */
-static size_t get_current_buffer_size(private_generator_t *this)
+static int get_size(private_generator_t *this)
 {
 	return this->roof_position - this->buffer;
 }
@@ -123,7 +120,7 @@ static size_t get_current_buffer_size(private_generator_t *this)
 /**
  * Get free space of current buffer in bytes.
  */
-static size_t get_current_buffer_space(private_generator_t *this)
+static int get_space(private_generator_t *this)
 {
 	return this->roof_position - this->out_position;
 }
@@ -131,7 +128,7 @@ static size_t get_current_buffer_space(private_generator_t *this)
 /**
  * Get length of data in buffer (in bytes).
  */
-static size_t get_current_data_length(private_generator_t *this)
+static int get_length(private_generator_t *this)
 {
 	return this->out_position - this->buffer;
 }
@@ -139,7 +136,7 @@ static size_t get_current_data_length(private_generator_t *this)
 /**
  * Get current offset in buffer (in bytes).
  */
-static u_int32_t get_current_buffer_offset(private_generator_t *this)
+static u_int32_t get_offset(private_generator_t *this)
 {
 	return this->out_position - this->buffer;
 }
@@ -147,21 +144,20 @@ static u_int32_t get_current_buffer_offset(private_generator_t *this)
 /**
  * Makes sure enough space is available in buffer to store amount of bits.
  */
-static void make_space_available (private_generator_t *this, size_t bits)
+static void make_space_available(private_generator_t *this, int bits)
 {
-	while ((get_current_buffer_space(this) * 8 - this->current_bit) < bits)
+	while ((get_space(this) * 8 - this->current_bit) < bits)
 	{
-		/* must increase buffer */
-		size_t old_buffer_size = get_current_buffer_size(this);
-		size_t new_buffer_size = old_buffer_size + GENERATOR_DATA_BUFFER_INCREASE_VALUE;
-		size_t out_position_offset = ((this->out_position) - (this->buffer));
-
-		DBG2(DBG_ENC, "increased gen buffer from %d to %d byte", 
+		int old_buffer_size, new_buffer_size, out_position_offset;
+		
+		old_buffer_size = get_size(this);
+		new_buffer_size = old_buffer_size + GENERATOR_DATA_BUFFER_INCREASE_VALUE;
+		out_position_offset = this->out_position - this->buffer;
+		
+		DBG2(DBG_ENC, "increasing gen buffer from %d to %d byte", 
 			 old_buffer_size, new_buffer_size);
 		
-		/* Reallocate space for new buffer */
 		this->buffer = realloc(this->buffer,new_buffer_size);
-
 		this->out_position = (this->buffer + out_position_offset);
 		this->roof_position = (this->buffer + new_buffer_size);
 	}
@@ -170,11 +166,11 @@ static void make_space_available (private_generator_t *this, size_t bits)
 /**
  * Writes a specific amount of byte into the buffer.
  */
-static void write_bytes_to_buffer(private_generator_t *this, void * bytes,
-								  size_t number_of_bytes)
+static void write_bytes_to_buffer(private_generator_t *this, void *bytes,
+								  int number_of_bytes)
 {
 	int i;
-	u_int8_t *read_position = (u_int8_t *) bytes;
+	u_int8_t *read_position = (u_int8_t *)bytes;
 	
 	make_space_available(this, number_of_bytes * 8);
 	
@@ -189,18 +185,19 @@ static void write_bytes_to_buffer(private_generator_t *this, void * bytes,
 /**
  * Writes a specific amount of byte into the buffer at a specific offset.
  */
-static void write_bytes_to_buffer_at_offset (private_generator_t *this,
-						void *bytes, size_t number_of_bytes, u_int32_t offset)
+static void write_bytes_to_buffer_at_offset(private_generator_t *this,
+						void *bytes, int number_of_bytes, u_int32_t offset)
 {
 	int i;
-	u_int8_t *read_position = (u_int8_t *) bytes;
+	u_int8_t *read_position = (u_int8_t *)bytes;
 	u_int8_t *write_position;
-	u_int32_t free_space_after_offset = get_current_buffer_size(this) - offset;
-
+	u_int32_t free_space_after_offset = get_size(this) - offset;
+	
 	/* check first if enough space for new data is available */	
 	if (number_of_bytes > free_space_after_offset)
 	{
-		make_space_available(this, (number_of_bytes - free_space_after_offset) * 8);
+		make_space_available(this, 
+							 (number_of_bytes - free_space_after_offset) * 8);
 	}
 	
 	write_position = this->buffer + offset;
@@ -214,98 +211,83 @@ static void write_bytes_to_buffer_at_offset (private_generator_t *this,
 
 /**
  * Generates a U_INT-Field type and writes it to buffer.
- *
- * @param this 					private_generator_t object
- * @param int_type 				type of U_INT field (U_INT_4, U_INT_8, etc.)
- * 								ATTRIBUTE_TYPE is also generated in this function
- * @param offset 				offset of value in data struct
- * @param generator_contexts	generator_contexts_t object where the context is written or read from
  */
 static void generate_u_int_type(private_generator_t *this,
 								encoding_type_t int_type,u_int32_t offset)
 {
-	size_t number_of_bits = 0;
-
-	/* find out number of bits of each U_INT type to check for enough space 
-	   in buffer */
+	int number_of_bits = 0;
+	
+	/* find out number of bits of each U_INT type to check for enough space */
 	switch (int_type)
 	{
-			case U_INT_4:
-				number_of_bits = 4;
-				break;
-			case TS_TYPE:
-			case U_INT_8:
-				number_of_bits = 8;
-				break;
-			case U_INT_16:
-			case CONFIGURATION_ATTRIBUTE_LENGTH:
-				number_of_bits = 16;
-				break;
-			case U_INT_32:
-				number_of_bits = 32;
-				break;
-			case U_INT_64:
-				number_of_bits = 64;
-				break;
-			case ATTRIBUTE_TYPE:
-				number_of_bits = 15;
-				break;
-			case IKE_SPI:
-				number_of_bits = 64;
-				break;
-
-			default:
+		case U_INT_4:
+			number_of_bits = 4;
+			break;
+		case TS_TYPE:
+		case U_INT_8:
+			number_of_bits = 8;
+			break;
+		case U_INT_16:
+		case CONFIGURATION_ATTRIBUTE_LENGTH:
+			number_of_bits = 16;
+			break;
+		case U_INT_32:
+			number_of_bits = 32;
+			break;
+		case ATTRIBUTE_TYPE:
+			number_of_bits = 15;
+			break;
+		case IKE_SPI:
+			number_of_bits = 64;
+			break;
+		default:
 			DBG1(DBG_ENC, "U_INT Type %N is not supported",
 				 encoding_type_names, int_type);
-
 			return;
 	}
-	/* U_INT Types of multiple then 8 bits must be aligned */
-	if (((number_of_bits % 8) == 0) && (this->current_bit != 0))
+	if ((number_of_bits % 8) == 0 && this->current_bit != 0)
 	{
 		DBG1(DBG_ENC, "U_INT Type %N is not 8 Bit aligned",
 			 encoding_type_names, int_type);
-		/* current bit has to be zero for values multiple of 8 bits */
 		return;
 	}
 	
-	/* make sure enough space is available in buffer */
 	make_space_available(this, number_of_bits);
-	/* now handle each u int type differently */
 	switch (int_type)
 	{
 		case U_INT_4:
 		{
+			u_int8_t high, low;
+			
 			if (this->current_bit == 0)
 			{
-				/* highval of current byte in buffer has to be set to the new value*/
-				u_int8_t high_val = *((u_int8_t *)(this->data_struct + offset)) << 4;
-				/* lowval in buffer is not changed */
-				u_int8_t low_val = *(this->out_position) & 0x0F;
-				/* highval is set, low_val is not changed */
-				*(this->out_position) = high_val | low_val;
+				/* high of current byte in buffer has to be set to the new value*/
+				high = *((u_int8_t *)(this->data_struct + offset)) << 4;
+				/* low in buffer is not changed */
+				low = *(this->out_position) & 0x0F;
+				/* high is set, low_val is not changed */
+				*(this->out_position) = high | low;
 				DBG3(DBG_ENC, "   => %d", *(this->out_position));
 				/* write position is not changed, just bit position is moved */
 				this->current_bit = 4;
 			}
 			else if (this->current_bit == 4)
 			{
-				/* highval in buffer is not changed */
-				u_int high_val = *(this->out_position) & 0xF0;
-				/* lowval of current byte in buffer has to be set to the new value*/
-				u_int low_val = *((u_int8_t *)(this->data_struct + offset)) & 0x0F;
-				*(this->out_position) = high_val | low_val;
+				/* high in buffer is not changed */
+				high = *(this->out_position) & 0xF0;
+				/* low of current byte in buffer has to be set to the new value*/
+				low = *((u_int8_t *)(this->data_struct + offset)) & 0x0F;
+				*(this->out_position) = high | low;
 				DBG3(DBG_ENC, "   => %d", *(this->out_position));
 				this->out_position++;
 				this->current_bit = 0;
-
 			}
 			else
 			{
 				DBG1(DBG_ENC, "U_INT_4 Type is not 4 Bit aligned");
 				/* 4 Bit integers must have a 4 bit alignment */
 				return;
-			};
+			}
 			break;
 		}
 		case TS_TYPE:
@@ -316,31 +298,31 @@ static void generate_u_int_type(private_generator_t *this,
 			DBG3(DBG_ENC, "   => %d", *(this->out_position));
 			this->out_position++;
 			break;
-
 		}
 		case ATTRIBUTE_TYPE:
 		{
-			/* attribute type must not change first bit uf current byte ! */
+			u_int8_t attribute_format_flag;
+			u_int16_t val;
+			
+			/* attribute type must not change first bit of current byte */
 			if (this->current_bit != 1)
 			{
 				DBG1(DBG_ENC, "ATTRIBUTE FORMAT flag is not set");
-				/* first bit has to be set! */
 				return;
 			}
-			/* get value of attribute format flag */
-			u_int8_t attribute_format_flag = *(this->out_position) & 0x80;
+			attribute_format_flag = *(this->out_position) & 0x80;
 			/* get attribute type value as 16 bit integer*/
-			u_int16_t int16_val = *((u_int16_t*)(this->data_struct + offset));
+			val = *((u_int16_t*)(this->data_struct + offset));
 			/* unset most significant bit */
-			int16_val &= 0x7FFF;
+			val &= 0x7FFF;
 			if (attribute_format_flag)
 			{
-				int16_val |= 0x8000;
+				val |= 0x8000;
 			}
-			int16_val = htons(int16_val);
-			DBG3(DBG_ENC, "   => %d", int16_val);
-			/* write bytes to buffer (set bit is overwritten)*/				
-			write_bytes_to_buffer(this, &int16_val, sizeof(u_int16_t));
+			val = htons(val);
+			DBG3(DBG_ENC, "   => %d", val);
+			/* write bytes to buffer (set bit is overwritten) */
+			write_bytes_to_buffer(this, &val, sizeof(u_int16_t));
 			this->current_bit = 0;
 			break;
 			
@@ -348,37 +330,25 @@ static void generate_u_int_type(private_generator_t *this,
 		case U_INT_16:
 		case CONFIGURATION_ATTRIBUTE_LENGTH:
 		{
-			u_int16_t int16_val = htons(*((u_int16_t*)(this->data_struct + offset)));
-			DBG3(DBG_ENC, "   => %b", (void*)&int16_val, sizeof(int16_val));
-			write_bytes_to_buffer(this, &int16_val, sizeof(u_int16_t));
+			u_int16_t val = htons(*((u_int16_t*)(this->data_struct + offset)));
+			DBG3(DBG_ENC, "   => %b", &val, sizeof(u_int16_t));
+			write_bytes_to_buffer(this, &val, sizeof(u_int16_t));
 			break;
 		}
 		case U_INT_32:
 		{
-			u_int32_t int32_val = htonl(*((u_int32_t*)(this->data_struct + offset)));
-			DBG3(DBG_ENC, "   => %b", (void*)&int32_val, sizeof(int32_val));
-			write_bytes_to_buffer(this, &int32_val, sizeof(u_int32_t));
+			u_int32_t val = htonl(*((u_int32_t*)(this->data_struct + offset)));
+			DBG3(DBG_ENC, "   => %b", &val, sizeof(u_int32_t));
+			write_bytes_to_buffer(this, &val, sizeof(u_int32_t));
 			break;
 		}
-		case U_INT_64:
-		{
-			/* 64 bit integers are written as two 32 bit integers */
-			u_int32_t int32_val_low = htonl(*((u_int32_t*)(this->data_struct + offset)));
-			u_int32_t int32_val_high = htonl(*((u_int32_t*)(this->data_struct + offset) + 1));
-			DBG3(DBG_ENC, "   => %b %b",
-				 (void*)&int32_val_low, sizeof(int32_val_low),
-				 (void*)&int32_val_high, sizeof(int32_val_high));
-			/* TODO add support for big endian machines */
-			write_bytes_to_buffer(this, &int32_val_high, sizeof(u_int32_t));
-			write_bytes_to_buffer(this, &int32_val_low, sizeof(u_int32_t));
-			break;
-		}
-		
 		case IKE_SPI:
 		{
-			/* 64 bit are written as they come :-) */
-			write_bytes_to_buffer(this, this->data_struct + offset, sizeof(u_int64_t));
-			DBG3(DBG_ENC, "   => %b", (void*)(this->data_struct + offset), sizeof(u_int64_t));
+			/* 64 bit are written as-is, no host order conversion */
+			write_bytes_to_buffer(this, this->data_struct + offset,
+								  sizeof(u_int64_t));
+			DBG3(DBG_ENC, "   => %b", this->data_struct + offset,
+				 sizeof(u_int64_t));
 			break;
 		}
 		default:
@@ -396,18 +366,17 @@ static void generate_u_int_type(private_generator_t *this,
 static void generate_reserved_field(private_generator_t *this, int bits)
 {
 	/* only one bit or 8 bit fields are supported */
-	if ((bits != 1) && (bits != 8))
+	if (bits != 1 && bits != 8)
 	{
 		DBG1(DBG_ENC, "reserved field of %d bits cannot be generated", bits);
 		return ;
 	}
-	/* make sure enough space is available in buffer */
 	make_space_available(this, bits);
 	
 	if (bits == 1)
-	{	
-		/* one bit processing */
+	{
 		u_int8_t reserved_bit = ~(1 << (7 - this->current_bit));
+		
 		*(this->out_position) = *(this->out_position) & reserved_bit;
 		if (this->current_bit == 0)
 		{
@@ -423,7 +392,6 @@ static void generate_reserved_field(private_generator_t *this, int bits)
 	}
 	else
 	{
-		/* one byte processing*/
 		if (this->current_bit > 0)
 		{
 			DBG1(DBG_ENC, "reserved field cannot be written cause "
@@ -440,12 +408,9 @@ static void generate_reserved_field(private_generator_t *this, int bits)
  */
 static void generate_flag(private_generator_t *this, u_int32_t offset)
 {
-	/* value of current flag */
 	u_int8_t flag_value;
-	/* position of flag in current byte */
 	u_int8_t flag;
 	
-	/* if the value in the data_struct is TRUE, flag_value is set to 1, 0 otherwise */
 	flag_value = (*((bool *) (this->data_struct + offset))) ? 1 : 0;
 	/* get flag position */
 	flag = (flag_value << (7 - this->current_bit));
@@ -457,12 +422,10 @@ static void generate_flag(private_generator_t *this, u_int32_t offset)
 		/* memory must be zero */
 		*(this->out_position) = 0x00;
 	}
-
-	*(this->out_position) = *(this->out_position) | flag;
 	
+	*(this->out_position) = *(this->out_position) | flag;
+	DBG3(DBG_ENC, "   => %d", *this->out_position);
 	
-	DBG3(DBG_ENC, "   => %d", *(this->out_position));
-
 	this->current_bit++;
 	if (this->current_bit >= 8)
 	{
@@ -476,42 +439,42 @@ static void generate_flag(private_generator_t *this, u_int32_t offset)
  */
 static void generate_from_chunk(private_generator_t *this, u_int32_t offset)
 {
+	chunk_t *value;
+	
 	if (this->current_bit != 0)
 	{
 		DBG1(DBG_ENC, "can not generate a chunk at Bitpos %d", this->current_bit);
 		return ;
 	}
 	
-	/* position in buffer */
-	chunk_t *attribute_value = (chunk_t *)(this->data_struct + offset);
-	
-	DBG3(DBG_ENC, "   => %B", attribute_value);
+	value = (chunk_t *)(this->data_struct + offset);
+	DBG3(DBG_ENC, "   => %B", value);
 	
-	/* use write_bytes_to_buffer function to do the job */
-	write_bytes_to_buffer(this, attribute_value->ptr, attribute_value->len);
+	write_bytes_to_buffer(this, value->ptr, value->len);
 }
 
 /**
  * Implementation of private_generator_t.write_to_chunk.
  */
-static void write_to_chunk (private_generator_t *this,chunk_t *data)
+static void write_to_chunk(private_generator_t *this,chunk_t *data)
 {
-	size_t data_length = get_current_data_length(this);
+	int data_length = get_length(this);
 	u_int32_t header_length_field = data_length;
 	
 	/* write length into header length field */
 	if (this->header_length_position_offset > 0)
 	{
-		u_int32_t int32_val = htonl(header_length_field);
-		write_bytes_to_buffer_at_offset(this, &int32_val, sizeof(u_int32_t),
+		u_int32_t val = htonl(header_length_field);
+		write_bytes_to_buffer_at_offset(this, &val, sizeof(u_int32_t),
 										this->header_length_position_offset);
 	}
-
+	
 	if (this->current_bit > 0)
-	data_length++;
-	data->ptr = malloc(data_length);
-	memcpy(data->ptr,this->buffer,data_length);
-	data->len = data_length;
+	{
+		data_length++;
+	}
+	*data = chunk_alloc(data_length);
+	memcpy(data->ptr, this->buffer, data_length);
 	
 	DBG3(DBG_ENC, "generated data of this generator %B", data);
 }
@@ -521,26 +484,24 @@ static void write_to_chunk (private_generator_t *this,chunk_t *data)
  */
 static void generate_payload (private_generator_t *this,payload_t *payload)
 {
-	int i;
-	this->data_struct = payload;
+	int i, offset_start;
 	size_t rule_count;
 	encoding_rule_t *rules;
 	payload_type_t payload_type;
-	u_int8_t *payload_start;
 	
-	/* get payload type */
+	this->data_struct = payload;
 	payload_type = payload->get_type(payload);
 	/* spi size has to get reseted */
 	this->last_spi_size = 0;
 	
-	payload_start = this->out_position;
+	offset_start = this->out_position - this->buffer;
 	
 	DBG2(DBG_ENC, "generating payload of type %N",
 		 payload_type_names, payload_type);
 	
 	/* each payload has its own encoding rules */
-	payload->get_encoding_rules(payload,&rules,&rule_count);
-
+	payload->get_encoding_rules(payload, &rules, &rule_count);
+	
 	for (i = 0; i < rule_count;i++)
 	{
 		DBG2(DBG_ENC, "  generating rule %d %N",
@@ -551,13 +512,12 @@ static void generate_payload (private_generator_t *this,payload_t *payload)
 			case U_INT_8:
 			case U_INT_16:
 			case U_INT_32:
-			case U_INT_64:
 			case IKE_SPI:
 			case TS_TYPE:
 			case ATTRIBUTE_TYPE:
 			case CONFIGURATION_ATTRIBUTE_LENGTH:
 			{
-				generate_u_int_type(this, rules[i].type,rules[i].offset);
+				generate_u_int_type(this, rules[i].type, rules[i].offset);
 				break;
 			}
 			case RESERVED_BIT:
@@ -577,35 +537,28 @@ static void generate_payload (private_generator_t *this,payload_t *payload)
 			}
 			case PAYLOAD_LENGTH:
 			{
-				/* position of payload lenght field is temporary stored */
-				this->last_payload_length_position_offset = get_current_buffer_offset(this);
-				/* payload length is generated like an U_INT_16 */
+				this->last_payload_length_position_offset = get_offset(this);
 				generate_u_int_type(this, U_INT_16,rules[i].offset);
 				break;
 			}
 			case HEADER_LENGTH:
 			{
-				/* position of header length field is temporary stored */			
-				this->header_length_position_offset = get_current_buffer_offset(this);	
-				/* header length is generated like an U_INT_32 */
+				this->header_length_position_offset = get_offset(this);
 				generate_u_int_type(this ,U_INT_32, rules[i].offset);
 				break;
 			}
 			case SPI_SIZE:
-				/* spi size is handled as 8 bit unsigned integer */
 				generate_u_int_type(this, U_INT_8, rules[i].offset);
-				/* last spi size is temporary stored */
-				this->last_spi_size = *((u_int8_t *)(this->data_struct + rules[i].offset));
+				this->last_spi_size = *((u_int8_t *)(this->data_struct +
+													 rules[i].offset));
 				break;
 			case ADDRESS:
 			{
-				/* the Address value is generated from chunk */
 				generate_from_chunk(this, rules[i].offset);
 				break;
 			}
 			case SPI:
 			{
-				/* the SPI value is generated from chunk */
 				generate_from_chunk(this, rules[i].offset);
 				break;
 			}
@@ -625,14 +578,15 @@ static void generate_payload (private_generator_t *this,payload_t *payload)
 				u_int16_t length_of_payload;
 				u_int16_t header_length = 0;
 				u_int16_t length_in_network_order;
-
+				
 				switch(rules[i].type)
 				{
 					case KEY_EXCHANGE_DATA:
 						header_length = KE_PAYLOAD_HEADER_LENGTH;
 						break;
 					case NOTIFICATION_DATA:
-						header_length = NOTIFY_PAYLOAD_HEADER_LENGTH + this->last_spi_size ;
+						header_length = NOTIFY_PAYLOAD_HEADER_LENGTH +
+														this->last_spi_size;
 						break;
 					case NONCE_DATA:
 						header_length = NONCE_PAYLOAD_HEADER_LENGTH;
@@ -664,47 +618,42 @@ static void generate_payload (private_generator_t *this,payload_t *payload)
 					default:
 						break;
 				}
-				
-				/* the data value is generated from chunk */
 				generate_from_chunk(this, rules[i].offset);
 				
-				payload_length_position_offset = this->last_payload_length_position_offset;
+				payload_length_position_offset =
+									this->last_payload_length_position_offset;
 				
+				length_of_payload = header_length + 
+						((chunk_t *)(this->data_struct + rules[i].offset))->len;
 				
-				/* Length of payload is calculated */
-				length_of_payload = header_length + ((chunk_t *)(this->data_struct + rules[i].offset))->len;
-				
-				length_in_network_order = htons(length_of_payload);			
+				length_in_network_order = htons(length_of_payload);
 				write_bytes_to_buffer_at_offset(this, &length_in_network_order,
-							sizeof(u_int16_t),payload_length_position_offset);
+							sizeof(u_int16_t), payload_length_position_offset);
 				break;
 			}
 			case PROPOSALS:
 			{
-				/* before iterative generate the transforms, store the current payload length position */
-				u_int32_t payload_length_position_offset = this->last_payload_length_position_offset;
+				u_int32_t payload_length_position_offset = 
+									this->last_payload_length_position_offset;
 				/* Length of SA_PAYLOAD is calculated */
 				u_int16_t length_of_sa_payload = SA_PAYLOAD_HEADER_LENGTH;
 				u_int16_t int16_val;
-				/* proposals are stored in a linked list and so accessed */
-				linked_list_t *proposals = *((linked_list_t **)(this->data_struct + rules[i].offset));
+				linked_list_t *proposals = *((linked_list_t **)
+										(this->data_struct + rules[i].offset));
 				iterator_t *iterator;
 				payload_t *current_proposal;
 				
-				/* create forward iterator */
 				iterator = proposals->create_iterator(proposals,TRUE);
-				/* every proposal is processed (iterative call )*/
 				while (iterator->iterate(iterator, (void**)&current_proposal))
 				{
 					u_int32_t before_generate_position_offset;
 					u_int32_t after_generate_position_offset;
 					
-					before_generate_position_offset = get_current_buffer_offset(this);
-					this->public.generate_payload(&(this->public),current_proposal);
-					after_generate_position_offset = get_current_buffer_offset(this);
-					
-					/* increase size of transform */
-					length_of_sa_payload += (after_generate_position_offset - before_generate_position_offset);
+					before_generate_position_offset = get_offset(this);
+					generate_payload(this, current_proposal);
+					after_generate_position_offset = get_offset(this);
+					length_of_sa_payload += (after_generate_position_offset -
+											 before_generate_position_offset);
 				}
 				iterator->destroy(iterator);
 				
@@ -715,60 +664,61 @@ static void generate_payload (private_generator_t *this,payload_t *payload)
 			}
 			case TRANSFORMS:
 			{
-				/* before iterative generate the transforms, store the current length position */
-				u_int32_t payload_length_position_offset = this->last_payload_length_position_offset;
-				u_int16_t length_of_proposal = PROPOSAL_SUBSTRUCTURE_HEADER_LENGTH + this->last_spi_size;
+				u_int32_t payload_length_position_offset = 
+									this->last_payload_length_position_offset;
+				u_int16_t length_of_proposal = 
+					PROPOSAL_SUBSTRUCTURE_HEADER_LENGTH + this->last_spi_size;
 				u_int16_t int16_val;
-				linked_list_t *transforms = *((linked_list_t **)(this->data_struct + rules[i].offset));
+				linked_list_t *transforms = *((linked_list_t **)
+										(this->data_struct + rules[i].offset));
 				iterator_t *iterator;
 				payload_t *current_transform;
 				
-				/* create forward iterator */
 				iterator = transforms->create_iterator(transforms,TRUE);
 				while (iterator->iterate(iterator, (void**)&current_transform))
 				{
 					u_int32_t before_generate_position_offset;
 					u_int32_t after_generate_position_offset;
 					
-					before_generate_position_offset = get_current_buffer_offset(this);
-					this->public.generate_payload(&(this->public),current_transform);
-					after_generate_position_offset = get_current_buffer_offset(this);
+					before_generate_position_offset = get_offset(this);
+					generate_payload(this, current_transform);
+					after_generate_position_offset = get_offset(this);
 					
-					/* increase size of transform */
-					length_of_proposal += (after_generate_position_offset - before_generate_position_offset);
+					length_of_proposal += (after_generate_position_offset -
+										   before_generate_position_offset);
 				}
-				
 				iterator->destroy(iterator);
 				
 				int16_val = htons(length_of_proposal);
 				write_bytes_to_buffer_at_offset(this, &int16_val,
 							sizeof(u_int16_t), payload_length_position_offset);
-				
 				break;
 			}	
 			case TRANSFORM_ATTRIBUTES:
 			{
-				/* before iterative generate the transform attributes, store the current length position */
-				u_int32_t transform_length_position_offset = this->last_payload_length_position_offset;
-				u_int16_t length_of_transform = TRANSFORM_SUBSTRUCTURE_HEADER_LENGTH;
+				u_int32_t transform_length_position_offset =
+									this->last_payload_length_position_offset;
+				u_int16_t length_of_transform =
+									TRANSFORM_SUBSTRUCTURE_HEADER_LENGTH;
 				u_int16_t int16_val;
-				linked_list_t *transform_attributes =*((linked_list_t **)(this->data_struct + rules[i].offset));
+				linked_list_t *transform_attributes =*((linked_list_t **)
+									(this->data_struct + rules[i].offset));
 				iterator_t *iterator;
 				payload_t *current_attribute;
 				
-				/* create forward iterator */
-				iterator = transform_attributes->create_iterator(transform_attributes,TRUE);
+				iterator = transform_attributes->create_iterator(
+													transform_attributes, TRUE);
 				while (iterator->iterate(iterator, (void**)&current_attribute))
 				{
 					u_int32_t before_generate_position_offset;
 					u_int32_t after_generate_position_offset;
 					
-					before_generate_position_offset = get_current_buffer_offset(this);
-					this->public.generate_payload(&(this->public),current_attribute);
-					after_generate_position_offset = get_current_buffer_offset(this);
+					before_generate_position_offset = get_offset(this);
+					generate_payload(this, current_attribute);
+					after_generate_position_offset = get_offset(this);
 					
-					/* increase size of transform */
-					length_of_transform += (after_generate_position_offset - before_generate_position_offset);
+					length_of_transform += (after_generate_position_offset -
+											before_generate_position_offset);
 				}
 				
 				iterator->destroy(iterator);
@@ -776,32 +726,32 @@ static void generate_payload (private_generator_t *this,payload_t *payload)
 				int16_val = htons(length_of_transform);
 				write_bytes_to_buffer_at_offset(this, &int16_val, 
 							sizeof(u_int16_t),transform_length_position_offset);
-				
 				break;
 			}
 			case CONFIGURATION_ATTRIBUTES:
 			{
-				/* before iterative generate the configuration attributes, store the current length position */
-				u_int32_t configurations_length_position_offset = this->last_payload_length_position_offset;
+				u_int32_t configurations_length_position_offset = 
+									this->last_payload_length_position_offset;
 				u_int16_t length_of_configurations = CP_PAYLOAD_HEADER_LENGTH;
 				u_int16_t int16_val;
-				linked_list_t *configuration_attributes =*((linked_list_t **)(this->data_struct + rules[i].offset));
+				linked_list_t *configuration_attributes = *((linked_list_t **)
+										(this->data_struct + rules[i].offset));
 				iterator_t *iterator;
 				payload_t *current_attribute;
 				
-				/* create forward iterator */
-				iterator = configuration_attributes->create_iterator(configuration_attributes,TRUE);
+				iterator = configuration_attributes->create_iterator(
+												configuration_attributes,TRUE);
 				while (iterator->iterate(iterator, (void**)&current_attribute))
 				{
 					u_int32_t before_generate_position_offset;
 					u_int32_t after_generate_position_offset;
 					
-					before_generate_position_offset = get_current_buffer_offset(this);
-					this->public.generate_payload(&(this->public),current_attribute);
-					after_generate_position_offset = get_current_buffer_offset(this);
+					before_generate_position_offset = get_offset(this);
+					generate_payload(this, current_attribute);
+					after_generate_position_offset = get_offset(this);
 					
-					/* increase size of transform */
-					length_of_configurations += (after_generate_position_offset - before_generate_position_offset);
+					length_of_configurations += after_generate_position_offset -
+											before_generate_position_offset;
 				}
 				
 				iterator->destroy(iterator);
@@ -809,14 +759,14 @@ static void generate_payload (private_generator_t *this,payload_t *payload)
 				int16_val = htons(length_of_configurations);
 				write_bytes_to_buffer_at_offset(this, &int16_val, 
 					 sizeof(u_int16_t),configurations_length_position_offset);
-				
 				break;
 			}	
 			case ATTRIBUTE_FORMAT:
 			{
 				generate_flag(this, rules[i].offset);
 				/* Attribute format is a flag which is stored in context*/
-				this->attribute_format = *((bool *) (this->data_struct + rules[i].offset));
+				this->attribute_format =
+							*((bool *)(this->data_struct + rules[i].offset));
 				break;
 			}	
 
@@ -826,7 +776,8 @@ static void generate_payload (private_generator_t *this,payload_t *payload)
 				{
 					generate_u_int_type(this, U_INT_16, rules[i].offset);
 					/* this field hold the length of the attribute */
-					this->attribute_length = *((u_int16_t *)(this->data_struct + rules[i].offset));
+					this->attribute_length =
+						*((u_int16_t *)(this->data_struct + rules[i].offset));
 				}
 				else
 				{
@@ -846,30 +797,28 @@ static void generate_payload (private_generator_t *this,payload_t *payload)
 			}
 			case TRAFFIC_SELECTORS:
 			{
-				/* before iterative generate the traffic_selectors, store the current payload length position */
-				u_int32_t payload_length_position_offset = this->last_payload_length_position_offset;
-				/* Length of SA_PAYLOAD is calculated */
+				u_int32_t payload_length_position_offset = 
+									this->last_payload_length_position_offset;
 				u_int16_t length_of_ts_payload = TS_PAYLOAD_HEADER_LENGTH;
 				u_int16_t int16_val;
-				/* traffic selectors are stored in a linked list and so accessed */
-				linked_list_t *traffic_selectors = *((linked_list_t **)(this->data_struct + rules[i].offset));
+				linked_list_t *traffic_selectors = *((linked_list_t **)
+										(this->data_struct + rules[i].offset));
 				iterator_t *iterator;
-				payload_t *current_traffic_selector_substructure;
+				payload_t *current_tss;
 				
-				/* create forward iterator */
-				iterator = traffic_selectors->create_iterator(traffic_selectors,TRUE);
-				/* every proposal is processed (iterative call )*/
-				while (iterator->iterate(iterator, (void **)&current_traffic_selector_substructure))
+				iterator = traffic_selectors->create_iterator(
+													traffic_selectors,TRUE);
+				while (iterator->iterate(iterator, (void **)&current_tss))
 				{
 					u_int32_t before_generate_position_offset;
 					u_int32_t after_generate_position_offset;
-
-					before_generate_position_offset = get_current_buffer_offset(this);
-					this->public.generate_payload(&(this->public),current_traffic_selector_substructure);
-					after_generate_position_offset = get_current_buffer_offset(this);
 					
-					/* increase size of transform */
-					length_of_ts_payload += (after_generate_position_offset - before_generate_position_offset);
+					before_generate_position_offset = get_offset(this);
+					generate_payload(this, current_tss);
+					after_generate_position_offset = get_offset(this);
+					
+					length_of_ts_payload += (after_generate_position_offset -
+											 before_generate_position_offset);
 				}
 				iterator->destroy(iterator);
 				
@@ -893,7 +842,8 @@ static void generate_payload (private_generator_t *this,payload_t *payload)
 	DBG2(DBG_ENC, "generating %N payload finished",
 		 payload_type_names, payload_type);
 	DBG3(DBG_ENC, "generated data for this payload %b",
-		 payload_start, this->out_position-payload_start);
+		 this->buffer + offset_start,
+		 this->out_position - this->buffer - offset_start);
 }
 
 /**
@@ -916,9 +866,9 @@ generator_t *generator_create()
 	this = malloc_thing(private_generator_t);
 
 	/* initiate public functions */
-	this->public.generate_payload = (void(*)(generator_t*, payload_t *)) generate_payload;
+	this->public.generate_payload = (void(*)(generator_t*, payload_t *))generate_payload;
 	this->public.destroy = (void(*)(generator_t*)) destroy;
-	this->public.write_to_chunk = (void (*) (generator_t *,chunk_t *)) write_to_chunk;
+	this->public.write_to_chunk = (void (*) (generator_t *,chunk_t *))write_to_chunk;
 	
 	/* allocate memory for buffer */
 	this->buffer = malloc(GENERATOR_DATA_BUFFER_SIZE);
diff --git a/src/charon/encoding/generator.h b/src/charon/encoding/generator.h
index 5c8755d04..f6fb8981c 100644
--- a/src/charon/encoding/generator.h
+++ b/src/charon/encoding/generator.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005-2009 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
  *
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: generator.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -67,10 +65,10 @@ struct generator_t {
 	/**
 	 * Writes all generated data of the generator to a chunk.
 	 *
- 	 * @param data 		chunk to write the data to
+	 * @param data 		chunk to write the data to
 	 */
 	void (*write_to_chunk) (generator_t *this,chunk_t *data);
-
+	
 	/**
 	 * Destroys a generator_t object.
 	 */
diff --git a/src/charon/encoding/message.c b/src/charon/encoding/message.c
index 600fe97d9..7c6fdb499 100644
--- a/src/charon/encoding/message.c
+++ b/src/charon/encoding/message.c
@@ -1,7 +1,7 @@
 /*
  * Copyright (C) 2006-2007 Tobias Brunner
+ * Copyright (C) 2005-2009 Martin Willi
  * Copyright (C) 2006 Daniel Roethlisberger
- * Copyright (C) 2005-2006 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
  *
@@ -14,8 +14,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: message.c 4339 2008-09-11 11:14:09Z martin $
  */
 
 #include <stdlib.h>
@@ -208,7 +206,7 @@ static payload_rule_t ike_auth_i_payload_rules[] = {
 	{NOTIFY,						0,	MAX_NOTIFY_PAYLOADS,	TRUE,	FALSE},
 	{EXTENSIBLE_AUTHENTICATION,		0,	1,						TRUE,	TRUE},
 	{AUTHENTICATION,				0,	1,						TRUE,	TRUE},
-	{ID_INITIATOR,					1,	1,						TRUE,	FALSE},
+	{ID_INITIATOR,					0,	1,						TRUE,	FALSE},
 	{CERTIFICATE,					0,	4,						TRUE,	FALSE},
 	{CERTIFICATE_REQUEST,			0,	1,						TRUE,	FALSE},
 	{ID_RESPONDER,					0,	1,						TRUE,	FALSE},
@@ -217,9 +215,9 @@ static payload_rule_t ike_auth_i_payload_rules[] = {
 	{TRAFFIC_SELECTOR_INITIATOR,	0,	1,						TRUE,	FALSE},
 	{TRAFFIC_SELECTOR_RESPONDER,	0,	1,						TRUE,	FALSE},
 #else
-	{SECURITY_ASSOCIATION,			1,	1,						TRUE,	FALSE},
-	{TRAFFIC_SELECTOR_INITIATOR,	1,	1,						TRUE,	FALSE},
-	{TRAFFIC_SELECTOR_RESPONDER,	1,	1,						TRUE,	FALSE},
+	{SECURITY_ASSOCIATION,			0,	1,						TRUE,	FALSE},
+	{TRAFFIC_SELECTOR_INITIATOR,	0,	1,						TRUE,	FALSE},
+	{TRAFFIC_SELECTOR_RESPONDER,	0,	1,						TRUE,	FALSE},
 #endif /* ME */
 	{CONFIGURATION,					0,	1,						TRUE,	FALSE},
 	{VENDOR_ID,						0,	10,						TRUE,	FALSE},
@@ -261,9 +259,9 @@ static payload_rule_t ike_auth_r_payload_rules[] = {
 /*	payload type					min	max						encr	suff */
 	{NOTIFY,						0,	MAX_NOTIFY_PAYLOADS,	TRUE,	TRUE},
 	{EXTENSIBLE_AUTHENTICATION,		0,	1,						TRUE,	TRUE},
+	{AUTHENTICATION,				0,	1,						TRUE,	TRUE},
 	{CERTIFICATE,					0,	4,						TRUE,	FALSE},
 	{ID_RESPONDER,					0,	1,						TRUE,	FALSE},
-	{AUTHENTICATION,				0,	1,						TRUE,	FALSE},
 	{SECURITY_ASSOCIATION,			0,	1,						TRUE,	FALSE},
 	{TRAFFIC_SELECTOR_INITIATOR,	0,	1,						TRUE,	FALSE},
 	{TRAFFIC_SELECTOR_RESPONDER,	0,	1,						TRUE,	FALSE},
@@ -846,11 +844,11 @@ static host_t * get_destination(private_message_t *this)
 }
 
 /**
- * Implementation of message_t.get_payload_iterator.
+ * Implementation of message_t.create_payload_enumerator.
  */
-static iterator_t *get_payload_iterator(private_message_t *this)
+static enumerator_t *create_payload_enumerator(private_message_t *this)
 {
-	return this->payloads->create_iterator(this->payloads, TRUE);
+	return this->payloads->create_enumerator(this->payloads);
 }
 
 /**
@@ -859,10 +857,10 @@ static iterator_t *get_payload_iterator(private_message_t *this)
 static payload_t *get_payload(private_message_t *this, payload_type_t type)
 {
 	payload_t *current, *found = NULL;
-	iterator_t *iterator;
+	enumerator_t *enumerator;
 	
-	iterator = this->payloads->create_iterator(this->payloads, TRUE);
-	while (iterator->iterate(iterator, (void**)&current))
+	enumerator = create_payload_enumerator(this);
+	while (enumerator->enumerate(enumerator, &current))
 	{
 		if (current->get_type(current) == type)
 		{
@@ -870,16 +868,42 @@ static payload_t *get_payload(private_message_t *this, payload_type_t type)
 			break;
 		}
 	}
-	iterator->destroy(iterator);
+	enumerator->destroy(enumerator);
 	return found;
 }
 
+/**
+ * Implementation of message_t.get_notify
+ */
+static notify_payload_t* get_notify(private_message_t *this, notify_type_t type)
+{
+	enumerator_t *enumerator;
+	notify_payload_t *notify = NULL;
+	payload_t *payload;
+	
+	enumerator = create_payload_enumerator(this);
+	while (enumerator->enumerate(enumerator, &payload))
+	{
+		if (payload->get_type(payload) == NOTIFY)
+		{
+			notify = (notify_payload_t*)payload;
+			if (notify->get_notify_type(notify) == type)
+			{
+				break;
+			}
+			notify = NULL;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return notify;
+}
+
 /**
  * get a string representation of the message
  */
 static char* get_string(private_message_t *this, char *buf, int len)
 {
-	iterator_t *iterator;
+	enumerator_t *enumerator;
 	payload_t *payload;
 	int written;
 	char *pos = buf;
@@ -898,8 +922,8 @@ static char* get_string(private_message_t *this, char *buf, int len)
 	pos += written;
 	len -= written;
 	
-	iterator = this->payloads->create_iterator(this->payloads, TRUE);
-	while (iterator->iterate(iterator, (void**)&payload))
+	enumerator = create_payload_enumerator(this);
+	while (enumerator->enumerate(enumerator, &payload))
 	{
 		written = snprintf(pos, len, " %N", payload_type_short_names,
 				  		   payload->get_type(payload));
@@ -922,7 +946,7 @@ static char* get_string(private_message_t *this, char *buf, int len)
 			len -= written;
 		}
 	}
-	iterator->destroy(iterator);
+	enumerator->destroy(enumerator);
 	
 	/* remove last space */
 	snprintf(pos, len, " ]");
@@ -1076,7 +1100,7 @@ static status_t generate(private_message_t *this, crypter_t *crypter,
 	generator_t *generator;
 	ike_header_t *ike_header;
 	payload_t *payload, *next_payload;
-	iterator_t *iterator;
+	enumerator_t *enumerator;
 	status_t status;
 	chunk_t packet_data;
 	char str[256];
@@ -1131,21 +1155,20 @@ static status_t generate(private_message_t *this, crypter_t *crypter,
 	ike_header->set_initiator_flag(ike_header, this->ike_sa_id->is_initiator(this->ike_sa_id));
 	ike_header->set_initiator_spi(ike_header, this->ike_sa_id->get_initiator_spi(this->ike_sa_id));
 	ike_header->set_responder_spi(ike_header, this->ike_sa_id->get_responder_spi(this->ike_sa_id));
-
+	
 	generator = generator_create();
 	
 	payload = (payload_t*)ike_header;
-
 	
 	/* generate every payload expect last one, this is done later*/
-	iterator = this->payloads->create_iterator(this->payloads, TRUE);
-	while(iterator->iterate(iterator, (void**)&next_payload))
+	enumerator = create_payload_enumerator(this);
+	while (enumerator->enumerate(enumerator, &next_payload))
 	{
 		payload->set_next_type(payload, next_payload->get_type(next_payload));
 		generator->generate_payload(generator, payload);
 		payload = next_payload;
 	}
-	iterator->destroy(iterator);
+	enumerator->destroy(enumerator);
 	
 	/* last payload has no next payload*/
 	payload->set_next_type(payload, NO_PAYLOAD);
@@ -1411,72 +1434,78 @@ static status_t decrypt_payloads(private_message_t *this,crypter_t *crypter, sig
 static status_t verify(private_message_t *this)
 {
 	int i;
-	iterator_t *iterator;
+	enumerator_t *enumerator;
 	payload_t *current_payload;
 	size_t total_found_payloads = 0;
 	
 	DBG2(DBG_ENC, "verifying message structure");
 	
-	iterator = this->payloads->create_iterator(this->payloads,TRUE);
 	/* check for payloads with wrong count*/
-	for (i = 0; i < this->message_rule->payload_rule_count;i++)
+	for (i = 0; i < this->message_rule->payload_rule_count; i++)
 	{
 		size_t found_payloads = 0;
-	
-		/* check all payloads for specific rule */
-		iterator->reset(iterator);
+		payload_rule_t *rule;
 		
-		while(iterator->iterate(iterator,(void **)&current_payload))
+		rule = &this->message_rule->payload_rules[i];
+		enumerator = create_payload_enumerator(this);
+		
+		/* check all payloads for specific rule */
+		while (enumerator->enumerate(enumerator, &current_payload))
 		{
 			payload_type_t current_payload_type;
+			unknown_payload_t *unknown_payload;
 			
 			current_payload_type = current_payload->get_type(current_payload);
 			if (current_payload_type == UNKNOWN_PAYLOAD)
 			{
 				/* unknown payloads are ignored, IF they are not critical */
-				unknown_payload_t *unknown_payload = (unknown_payload_t*)current_payload;
+				unknown_payload = (unknown_payload_t*)current_payload;
 				if (unknown_payload->is_critical(unknown_payload))
 				{
 					DBG1(DBG_ENC, "%N is not supported, but its critical!",
 						 payload_type_names, current_payload_type);
-					iterator->destroy(iterator);
+					enumerator->destroy(enumerator);
 					return NOT_SUPPORTED;	
 				}
 			}
-			else if (current_payload_type == this->message_rule->payload_rules[i].payload_type)
+			else if (current_payload_type == rule->payload_type)
 			{
 				found_payloads++;
 				total_found_payloads++;
-				DBG2(DBG_ENC, "found payload of type %N",
-					 payload_type_names, this->message_rule->payload_rules[i].payload_type);
+				DBG2(DBG_ENC, "found payload of type %N", payload_type_names,
+					 rule->payload_type);
 				
-				/* as soon as ohe payload occures more then specified, the verification fails */
-				if (found_payloads > this->message_rule->payload_rules[i].max_occurence)
+				/* as soon as ohe payload occures more then specified, 
+				 * the verification fails */
+				if (found_payloads >
+					rule->max_occurence)
 				{
-					DBG1(DBG_ENC, "payload of type %N more than %d times (%d) occured in current message",
-						 payload_type_names, current_payload_type,
-						 this->message_rule->payload_rules[i].max_occurence, found_payloads);
-					iterator->destroy(iterator);
+					DBG1(DBG_ENC, "payload of type %N more than %d times (%d) "
+						 "occured in current message", payload_type_names,
+						 current_payload_type, rule->max_occurence,
+						 found_payloads);
+					enumerator->destroy(enumerator);
 					return VERIFY_ERROR;
 				}
 			}
 		}
 		
-		if (found_payloads < this->message_rule->payload_rules[i].min_occurence)
+		if (found_payloads < rule->min_occurence)
 		{
 			DBG1(DBG_ENC, "payload of type %N not occured %d times (%d)",
-				 payload_type_names, this->message_rule->payload_rules[i].payload_type,
-				 this->message_rule->payload_rules[i].min_occurence, found_payloads);
-			iterator->destroy(iterator);
+				 payload_type_names, rule->payload_type, rule->min_occurence,
+				 found_payloads);
+			enumerator->destroy(enumerator);
 			return VERIFY_ERROR;
 		}
-		if ((this->message_rule->payload_rules[i].sufficient) && (this->payloads->get_count(this->payloads) == total_found_payloads))
+		if (rule->sufficient &&
+			this->payloads->get_count(this->payloads) == total_found_payloads)
 		{
-			iterator->destroy(iterator);
+			enumerator->destroy(enumerator);
 			return SUCCESS;	
 		}
+		enumerator->destroy(enumerator);
 	}
-	iterator->destroy(iterator);
 	return SUCCESS;
 }
 
@@ -1604,8 +1633,9 @@ message_t *message_create_from_packet(packet_t *packet)
 	this->public.get_source = (host_t * (*) (message_t*)) get_source;
 	this->public.set_destination = (void (*) (message_t*,host_t*)) set_destination;
 	this->public.get_destination = (host_t * (*) (message_t*)) get_destination;
-	this->public.get_payload_iterator = (iterator_t * (*) (message_t *)) get_payload_iterator;
+	this->public.create_payload_enumerator = (enumerator_t * (*) (message_t *)) create_payload_enumerator;
 	this->public.get_payload = (payload_t * (*) (message_t *, payload_type_t)) get_payload;
+	this->public.get_notify = (notify_payload_t*(*)(message_t*, notify_type_t type))get_notify;
 	this->public.parse_header = (status_t (*) (message_t *)) parse_header;
 	this->public.parse_body = (status_t (*) (message_t *,crypter_t*,signer_t*)) parse_body;
 	this->public.get_packet = (packet_t * (*) (message_t*)) get_packet;
diff --git a/src/charon/encoding/message.h b/src/charon/encoding/message.h
index 40941c2c9..1db3ea0cc 100644
--- a/src/charon/encoding/message.h
+++ b/src/charon/encoding/message.h
@@ -1,7 +1,7 @@
 /*
  * Copyright (C) 2006-2007 Tobias Brunner
+ * Copyright (C) 2005-2009 Martin Willi
  * Copyright (C) 2006 Daniel Roethlisberger
- * Copyright (C) 2005-2006 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
  *
@@ -14,8 +14,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: message.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -286,14 +284,11 @@ struct message_t {
 	void (*set_destination) (message_t *this, host_t *host);
 	
 	/**
-	 * Returns an iterator on all stored payloads.
-	 * 
-	 * @warning Don't insert payloads over this iterator. 
-	 * 			Use add_payload() instead.
+	 * Create an enumerator over all payloads.
 	 *
-	 * @return			iterator_t object which has to get destroyd by the caller
+	 * @return			enumerator over payload_t
 	 */	
-	iterator_t * (*get_payload_iterator) (message_t *this);
+	enumerator_t * (*create_payload_enumerator) (message_t *this);
 	
 	/**
 	 * Find a payload of a specific type.
@@ -305,6 +300,14 @@ struct message_t {
 	 */	
 	payload_t* (*get_payload) (message_t *this, payload_type_t type);
 	
+	/**
+	 * Get the first notify payload of a specific type.
+	 *
+	 * @param type		type of notification payload
+	 * @return			notify payload, NULL if no such notify found
+	 */
+	notify_payload_t* (*get_notify)(message_t *this, notify_type_t type);
+	
 	/**
 	 * Returns a clone of the internal stored packet_t object.
 	 *
diff --git a/src/charon/encoding/parser.c b/src/charon/encoding/parser.c
index 396054810..ac2b78c28 100644
--- a/src/charon/encoding/parser.c
+++ b/src/charon/encoding/parser.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005-2009 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
  *
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: parser.c 4703 2008-11-26 10:54:08Z martin $
  */
 
 #include <stdlib.h>
@@ -87,30 +85,53 @@ struct private_parser_t {
 	encoding_rule_t *rules;
 };
 
+/**
+ * Forward declaration
+ */
+static status_t parse_payload(private_parser_t *this,
+							  payload_type_t payload_type, payload_t **payload);
+
+/**
+ * Log invalid length error
+ */
+static bool short_input(private_parser_t *this, int number)
+{
+	DBG1(DBG_ENC, "  not enough input to parse rule %d %N",
+		 number, encoding_type_names, this->rules[number].type);
+	return FALSE;
+}
+
+/**
+ * Log unaligned rules
+ */
+static bool bad_bitpos(private_parser_t *this, int number)
+{
+	DBG1(DBG_ENC, "  found rule %d %N on bitpos %d",
+		 number, encoding_type_names, this->rules[number].type, this->bit_pos);
+	return FALSE;
+}
+
 /**
  * Parse a 4-Bit unsigned integer from the current parsing position.
  */
-static status_t parse_uint4(private_parser_t *this, int rule_number, u_int8_t *output_pos)
+static bool parse_uint4(private_parser_t *this, int rule_number,
+						u_int8_t *output_pos)
 {
-	if (this->byte_pos + sizeof(u_int8_t)  > this->input_roof)
+	if (this->byte_pos + sizeof(u_int8_t) > this->input_roof)
 	{
-		DBG1(DBG_ENC, "  not enough input to parse rule %d %N",
-			 rule_number, encoding_type_names, this->rules[rule_number].type);
-		return PARSE_ERROR;
+		return short_input(this, rule_number);
 	}
 	switch (this->bit_pos)
 	{
 		case 0:
-			/* caller interested in result ? */
-			if (output_pos != NULL)
+			if (output_pos)
 			{
 				*output_pos = *(this->byte_pos) >> 4;
 			}
 			this->bit_pos = 4;
 			break;
-		case 4:	
-			/* caller interested in result ? */
-			if (output_pos != NULL)
+		case 4:
+			if (output_pos)
 			{
 				*output_pos = *(this->byte_pos) & 0x0F;
 			}
@@ -118,311 +139,240 @@ static status_t parse_uint4(private_parser_t *this, int rule_number, u_int8_t *o
 			this->byte_pos++;
 			break;
 		default:
-			DBG2(DBG_ENC, "  found rule %d %N on bitpos %d",
-				 rule_number, encoding_type_names,
-				 this->rules[rule_number].type, this->bit_pos);
-			return PARSE_ERROR;
+			return bad_bitpos(this, rule_number);
 	}
-	
-	if (output_pos != NULL)
+	if (output_pos)
 	{
 		DBG3(DBG_ENC, "   => %d", *output_pos);
 	}
-	
-	return SUCCESS;
+	return TRUE;
 }
 
 /**
  * Parse a 8-Bit unsigned integer from the current parsing position.
  */
-static status_t parse_uint8(private_parser_t *this, int rule_number, u_int8_t *output_pos)
+static bool parse_uint8(private_parser_t *this, int rule_number,
+						u_int8_t *output_pos)
 {
-	if (this->byte_pos + sizeof(u_int8_t)  > this->input_roof)
+	if (this->byte_pos + sizeof(u_int8_t) > this->input_roof)
 	{
-		DBG1(DBG_ENC, "  not enough input to parse rule %d %N",
-			 rule_number, encoding_type_names, this->rules[rule_number].type);
-		return PARSE_ERROR;
+		return short_input(this, rule_number);
 	}
 	if (this->bit_pos)
 	{
-		DBG1(DBG_ENC, "  found rule %d %N on bitpos %d",
-			 rule_number, encoding_type_names,
-			 this->rules[rule_number].type, this->bit_pos);
-		return PARSE_ERROR;
+		return bad_bitpos(this, rule_number);
 	}
-
-	/* caller interested in result ? */
-	if (output_pos != NULL)
+	if (output_pos)
 	{
 		*output_pos = *(this->byte_pos);
 		DBG3(DBG_ENC, "   => %d", *output_pos);
 	}
 	this->byte_pos++;
-	
-	return SUCCESS;
+	return TRUE;
 }
 
 /**
  * Parse a 15-Bit unsigned integer from the current parsing position.
  */
-static status_t parse_uint15(private_parser_t *this, int rule_number, u_int16_t *output_pos)
+static bool parse_uint15(private_parser_t *this, int rule_number,
+						 u_int16_t *output_pos)
 {
 	if (this->byte_pos + sizeof(u_int16_t) > this->input_roof)
 	{
-		DBG1(DBG_ENC, "  not enough input to parse rule %d %N",
-			 rule_number, encoding_type_names, this->rules[rule_number].type);
-		return PARSE_ERROR;
+		return short_input(this, rule_number);
 	}
 	if (this->bit_pos != 1)
 	{
-		DBG2(DBG_ENC, "  found rule %d %N on bitpos %d", rule_number,
-			 encoding_type_names, this->rules[rule_number].type, this->bit_pos);
-		return PARSE_ERROR;
+		return bad_bitpos(this, rule_number);
 	}
-	/* caller interested in result ? */
-	if (output_pos != NULL)
+	if (output_pos)
 	{
-		*output_pos = ntohs(*((u_int16_t*)this->byte_pos)) & ~0x8000;
+		memcpy(output_pos, this->byte_pos, sizeof(u_int16_t));
+		*output_pos = ntohs(*output_pos) & ~0x8000;
 		DBG3(DBG_ENC, "   => %d", *output_pos);
 	}
-	this->byte_pos += 2;
+	this->byte_pos += sizeof(u_int16_t);
 	this->bit_pos = 0;
-	
-	return SUCCESS;
+	return TRUE;
 }
 
 /**
  * Parse a 16-Bit unsigned integer from the current parsing position.
  */
-static status_t parse_uint16(private_parser_t *this, int rule_number, u_int16_t *output_pos)
+static bool parse_uint16(private_parser_t *this, int rule_number,
+						 u_int16_t *output_pos)
 {
 	if (this->byte_pos + sizeof(u_int16_t) > this->input_roof)
 	{
-		DBG1(DBG_ENC, "  not enough input to parse rule %d %N",
-			 rule_number, encoding_type_names, this->rules[rule_number].type);
-		return PARSE_ERROR;
+		return short_input(this, rule_number);
 	}
 	if (this->bit_pos)
 	{
-		DBG1(DBG_ENC, "  found rule %d %N on bitpos %d", rule_number,
-			 encoding_type_names, this->rules[rule_number].type, this->bit_pos);
-		return PARSE_ERROR;
+		return bad_bitpos(this, rule_number);
 	}
-	/* caller interested in result ? */
-	if (output_pos != NULL)
+	if (output_pos)
 	{
-		*output_pos = ntohs(*((u_int16_t*)this->byte_pos));
-		
+		memcpy(output_pos, this->byte_pos, sizeof(u_int16_t));
+		*output_pos = ntohs(*output_pos);
 		DBG3(DBG_ENC, "   => %d", *output_pos);
 	}
-	this->byte_pos += 2;
-	
-	return SUCCESS;
+	this->byte_pos += sizeof(u_int16_t);
+	return TRUE;
 }
 /**
  * Parse a 32-Bit unsigned integer from the current parsing position.
  */
-static status_t parse_uint32(private_parser_t *this, int rule_number, u_int32_t *output_pos)
+static bool parse_uint32(private_parser_t *this, int rule_number,
+						 u_int32_t *output_pos)
 {
 	if (this->byte_pos + sizeof(u_int32_t) > this->input_roof)
 	{
-		DBG1(DBG_ENC, "  not enough input to parse rule %d %N",
-			 rule_number, encoding_type_names, this->rules[rule_number].type);
-		return PARSE_ERROR;
+		return short_input(this, rule_number);
 	}
 	if (this->bit_pos)
 	{
-		DBG1(DBG_ENC, "  found rule %d %N on bitpos %d", rule_number,
-			 encoding_type_names, this->rules[rule_number].type, this->bit_pos);
-		return PARSE_ERROR;
+		return bad_bitpos(this, rule_number);
 	}
-	/* caller interested in result ? */
-	if (output_pos != NULL)
+	if (output_pos)
 	{
-		*output_pos = ntohl(*((u_int32_t*)this->byte_pos));
-		
+		memcpy(output_pos, this->byte_pos, sizeof(u_int32_t));
+		*output_pos = ntohl(*output_pos);
 		DBG3(DBG_ENC, "   => %d", *output_pos);
 	}
-	this->byte_pos += 4;
-	
-	return SUCCESS;
-}
-
-/**
- * Parse a 64-Bit unsigned integer from the current parsing position.
- */
-static status_t parse_uint64(private_parser_t *this, int rule_number, u_int64_t *output_pos)
-{
-	if (this->byte_pos + sizeof(u_int64_t) > this->input_roof)
-	{
-		DBG1(DBG_ENC, "  not enough input to parse rule %d %N",
-			 rule_number, encoding_type_names, this->rules[rule_number].type);
-		return PARSE_ERROR;
-	}
-	if (this->bit_pos)
-	{
-		DBG1(DBG_ENC, "  found rule %d %N on bitpos %d", rule_number,
-			 encoding_type_names, this->rules[rule_number].type, this->bit_pos);
-		return PARSE_ERROR;
-	}
-	/* caller interested in result ? */
-	if (output_pos != NULL)
-	{
-		/* assuming little endian host order */
-		*(output_pos + 1) = ntohl(*((u_int32_t*)this->byte_pos));
-		*output_pos = ntohl(*(((u_int32_t*)this->byte_pos) + 1));
-		
-		DBG3(DBG_ENC, "   => %b", (void*)output_pos, sizeof(u_int64_t));
-	}
-	this->byte_pos += 8;
-
-	return SUCCESS;
+	this->byte_pos += sizeof(u_int32_t);
+	return TRUE;
 }
 
 /**
  * Parse a given amount of bytes and writes them to a specific location
  */
-static status_t parse_bytes (private_parser_t *this, int rule_number, u_int8_t *output_pos,size_t bytes)
+static bool parse_bytes(private_parser_t *this, int rule_number,
+						u_int8_t *output_pos, int bytes)
 {
 	if (this->byte_pos + bytes > this->input_roof)
 	{
-		DBG1(DBG_ENC, "  not enough input to parse rule %d %N",
-			 rule_number, encoding_type_names, this->rules[rule_number].type);
-		return PARSE_ERROR;
+		return short_input(this, rule_number);
 	}
 	if (this->bit_pos)
 	{
-		DBG1(DBG_ENC, "  found rule %d %N on bitpos %d", rule_number,
-			 encoding_type_names, this->rules[rule_number].type, this->bit_pos);
-		return PARSE_ERROR;
+		return bad_bitpos(this, rule_number);
 	}
-
-	/* caller interested in result ? */
-	if (output_pos != NULL)
+	if (output_pos)
 	{
-		memcpy(output_pos,this->byte_pos,bytes);
-		
-		DBG3(DBG_ENC, "   => %b", (void*)output_pos, bytes);
+		memcpy(output_pos, this->byte_pos, bytes);
+		DBG3(DBG_ENC, "   => %b", output_pos, bytes);
 	}
 	this->byte_pos += bytes;
-	
-	return SUCCESS;
+	return TRUE;
 }
 
 /**
  * Parse a single Bit from the current parsing position
  */
-static status_t parse_bit(private_parser_t *this, int rule_number, bool *output_pos)
+static bool parse_bit(private_parser_t *this, int rule_number,
+					  bool *output_pos)
 {
 	if (this->byte_pos + sizeof(u_int8_t) > this->input_roof)
 	{
-		DBG1(DBG_ENC, "  not enough input to parse rule %d %N",
-			 rule_number, encoding_type_names, this->rules[rule_number].type);
-		return PARSE_ERROR;
+		return short_input(this, rule_number);
 	}
-	/* caller interested in result ? */
-	if (output_pos != NULL)
+	if (output_pos)
 	{	
 		u_int8_t mask;
 		mask = 0x01 << (7 - this->bit_pos);
 		*output_pos = *this->byte_pos & mask;
-	
+		
 		if (*output_pos)
-		{
-			/* set to a "clean", comparable true */
+		{	/* set to a "clean", comparable true */
 			*output_pos = TRUE;
 		}
-		
 		DBG3(DBG_ENC, "   => %d", *output_pos);
 	}
 	this->bit_pos = (this->bit_pos + 1) % 8;
-	if (this->bit_pos == 0) 
+	if (this->bit_pos == 0)
 	{
-		this->byte_pos++;	
+		this->byte_pos++;
 	}
-	
-	return SUCCESS;
+	return TRUE;
 }
 
 /**
  * Parse substructures in a list.
  */
-static status_t parse_list(private_parser_t *this, int rule_number, linked_list_t **output_pos, payload_type_t payload_type, size_t length)
+static bool parse_list(private_parser_t *this, int rule_number,
+			linked_list_t **output_pos, payload_type_t payload_type, int length)
 {
-	linked_list_t * list = *output_pos;
+	linked_list_t *list = *output_pos;
 	
 	if (length < 0)
 	{
-		DBG1(DBG_ENC, "  invalid length for rule %d %N",
-			 rule_number, encoding_type_names, this->rules[rule_number].type);
-		return PARSE_ERROR;	
+		return short_input(this, rule_number);
 	}
-	
 	if (this->bit_pos)
 	{
-		DBG1(DBG_ENC, "  found rule %d %N on bitpos %d", rule_number,
-			 encoding_type_names, this->rules[rule_number].type, this->bit_pos);
-		return PARSE_ERROR;
+		return bad_bitpos(this, rule_number);
 	}
-	
 	while (length > 0)
 	{
 		u_int8_t *pos_before = this->byte_pos;
 		payload_t *payload;
-		status_t status;
+		
 		DBG2(DBG_ENC, "  %d bytes left, parsing recursively %N",
 			 length, payload_type_names, payload_type);
-		status = this->public.parse_payload((parser_t*)this, payload_type, &payload);
-		if (status != SUCCESS)
+		
+		if (parse_payload(this, payload_type, &payload) != SUCCESS)
 		{
 			DBG1(DBG_ENC, "  parsing of a %N substructure failed",
 				 payload_type_names, payload_type);
-			return status;
+			return FALSE;
 		}
 		list->insert_last(list, payload);
 		length -= this->byte_pos - pos_before;
 	}
+	if (length != 0)
+	{	/* must yield exactly to zero */
+		DBG1(DBG_ENC, "  length of %N substructure list invalid",
+			 payload_type_names, payload_type);
+		return FALSE;
+	}
 	*output_pos = list;
-	return SUCCESS;	
+	return TRUE;
 }
 
 /**
  * Parse data from current parsing position in a chunk.
  */
-static status_t parse_chunk(private_parser_t *this, int rule_number, chunk_t *output_pos, size_t length)
+static bool parse_chunk(private_parser_t *this, int rule_number,
+						chunk_t *output_pos, int length)
 {
 	if (this->byte_pos + length > this->input_roof)
 	{
-		DBG1(DBG_ENC, "  not enough input (%d bytes) to parse rule %d %N",
-			 length, rule_number, encoding_type_names, this->rules[rule_number].type);
-		return PARSE_ERROR;
+		return short_input(this, rule_number);
 	}
 	if (this->bit_pos)
 	{
-		DBG1(DBG_ENC, "  found rule %d %N on bitpos %d", rule_number,
-			 encoding_type_names, this->rules[rule_number].type, this->bit_pos);
-		return PARSE_ERROR;
+		return bad_bitpos(this, rule_number);
 	}
-	if (output_pos != NULL)
+	if (output_pos)
 	{
-		output_pos->len = length;
-		output_pos->ptr = malloc(length);
+		*output_pos = chunk_alloc(length);
 		memcpy(output_pos->ptr, this->byte_pos, length);
+		DBG3(DBG_ENC, "   => %b", output_pos->ptr, length);
 	}
 	this->byte_pos += length;
-	DBG3(DBG_ENC, "   => %b", (void*)output_pos->ptr, length);
-	
-	return SUCCESS;
+	return TRUE;
 }
 
 /**
  * Implementation of parser_t.parse_payload.
  */
-static status_t parse_payload(private_parser_t *this, payload_type_t payload_type, payload_t **payload)
+static status_t parse_payload(private_parser_t *this,
+							  payload_type_t payload_type, payload_t **payload)
 {
 	payload_t *pld;
 	void *output;
-	size_t rule_count, payload_length = 0, spi_size = 0, attribute_length = 0;
+	size_t rule_count;
+	int payload_length = 0, spi_size = 0, attribute_length = 0;
 	u_int16_t ts_type = 0;
 	bool attribute_format = FALSE;
 	int rule_number;
@@ -435,7 +385,7 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
 		 payload_type_names, payload_type, this->input_roof - this->byte_pos);
 	
 	DBG3(DBG_ENC, "parsing payload from %b",
-		 this->byte_pos, this->input_roof-this->byte_pos);
+		 this->byte_pos, this->input_roof - this->byte_pos);
 	
 	if (pld->get_type(pld) == UNKNOWN_PAYLOAD)
 	{
@@ -447,7 +397,7 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
 	output = pld;
 	
 	/* parse the payload with its own rulse */
-	pld->get_encoding_rules(pld, &(this->rules), &rule_count);
+	pld->get_encoding_rules(pld, &this->rules, &rule_count);
 	for (rule_number = 0; rule_number < rule_count; rule_number++)
 	{
 		rule = &(this->rules[rule_number]);
@@ -457,7 +407,7 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
 		{
 			case U_INT_4:
 			{
-				if (parse_uint4(this, rule_number, output + rule->offset) != SUCCESS) 
+				if (!parse_uint4(this, rule_number, output + rule->offset))
 				{
 					pld->destroy(pld);
 					return PARSE_ERROR;
@@ -466,7 +416,7 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
 			}
 			case U_INT_8:
 			{
-				if (parse_uint8(this, rule_number, output + rule->offset) != SUCCESS) 
+				if (!parse_uint8(this, rule_number, output + rule->offset))
 				{
 					pld->destroy(pld);
 					return PARSE_ERROR;
@@ -475,7 +425,7 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
 			}
 			case U_INT_16:
 			{
-				if (parse_uint16(this, rule_number, output + rule->offset) != SUCCESS) 
+				if (!parse_uint16(this, rule_number, output + rule->offset))
 				{
 					pld->destroy(pld);
 					return PARSE_ERROR;
@@ -484,16 +434,7 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
 			}
 			case U_INT_32:
 			{
-				if (parse_uint32(this, rule_number, output + rule->offset) != SUCCESS) 
-				{
-					pld->destroy(pld);
-					return PARSE_ERROR;
-				}
-				break;
-			}
-			case U_INT_64:
-			{
-				if (parse_uint64(this, rule_number, output + rule->offset) != SUCCESS) 
+				if (!parse_uint32(this, rule_number, output + rule->offset))
 				{
 					pld->destroy(pld);
 					return PARSE_ERROR;
@@ -502,7 +443,7 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
 			}
 			case IKE_SPI:
 			{
-				if (parse_bytes(this, rule_number, output + rule->offset,8) != SUCCESS) 
+				if (!parse_bytes(this, rule_number, output + rule->offset, 8))
 				{
 					pld->destroy(pld);
 					return PARSE_ERROR;
@@ -511,7 +452,7 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
 			}
 			case RESERVED_BIT:
 			{
-				if (parse_bit(this, rule_number, NULL) != SUCCESS) 
+				if (!parse_bit(this, rule_number, NULL))
 				{
 					pld->destroy(pld);
 					return PARSE_ERROR;
@@ -520,7 +461,7 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
 			}
 			case RESERVED_BYTE:
 			{
-				if (parse_uint8(this, rule_number, NULL) != SUCCESS) 
+				if (!parse_uint8(this, rule_number, NULL))
 				{
 					pld->destroy(pld);
 					return PARSE_ERROR;
@@ -529,7 +470,7 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
 			}
 			case FLAG:
 			{
-				if (parse_bit(this, rule_number, output + rule->offset) != SUCCESS) 
+				if (!parse_bit(this, rule_number, output + rule->offset))
 				{
 					pld->destroy(pld);
 					return PARSE_ERROR;
@@ -538,11 +479,12 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
 			}
 			case PAYLOAD_LENGTH:
 			{
-				if (parse_uint16(this, rule_number, output + rule->offset) != SUCCESS) 
+				if (!parse_uint16(this, rule_number, output + rule->offset))
 				{
 					pld->destroy(pld);
 					return PARSE_ERROR;
 				}
+				/* parsed u_int16 should be aligned */
 				payload_length = *(u_int16_t*)(output + rule->offset);
 				if (payload_length < UNKNOWN_PAYLOAD_HEADER_LENGTH)
 				{
@@ -553,7 +495,7 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
 			}
 			case HEADER_LENGTH:
 			{
-				if (parse_uint32(this, rule_number, output + rule->offset) != SUCCESS) 
+				if (!parse_uint32(this, rule_number, output + rule->offset))
 				{
 					pld->destroy(pld);
 					return PARSE_ERROR;
@@ -562,7 +504,7 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
 			}
 			case SPI_SIZE:
 			{
-				if (parse_uint8(this, rule_number, output + rule->offset) != SUCCESS) 
+				if (!parse_uint8(this, rule_number, output + rule->offset))
 				{
 					pld->destroy(pld);
 					return PARSE_ERROR;
@@ -572,7 +514,8 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
 			}
 			case SPI:
 			{
-				if (parse_chunk(this, rule_number, output + rule->offset, spi_size) != SUCCESS) 
+				if (!parse_chunk(this, rule_number, output + rule->offset,
+								 spi_size))
 				{
 					pld->destroy(pld);
 					return PARSE_ERROR;
@@ -582,8 +525,9 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
 			case PROPOSALS:
 			{
 				if (payload_length < SA_PAYLOAD_HEADER_LENGTH ||
-					parse_list(this, rule_number, output + rule->offset, PROPOSAL_SUBSTRUCTURE,
-						payload_length - SA_PAYLOAD_HEADER_LENGTH) != SUCCESS)
+					!parse_list(this, rule_number, output + rule->offset,
+								PROPOSAL_SUBSTRUCTURE,
+								payload_length - SA_PAYLOAD_HEADER_LENGTH))
 				{
 					pld->destroy(pld);
 					return PARSE_ERROR;
@@ -592,9 +536,11 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
 			}
 			case TRANSFORMS:
 			{
-				if (payload_length < spi_size + PROPOSAL_SUBSTRUCTURE_HEADER_LENGTH ||
-					parse_list(this, rule_number, output + rule->offset, TRANSFORM_SUBSTRUCTURE,
-						payload_length - spi_size - PROPOSAL_SUBSTRUCTURE_HEADER_LENGTH) != SUCCESS)
+				if (payload_length <
+							spi_size + PROPOSAL_SUBSTRUCTURE_HEADER_LENGTH ||
+					!parse_list(this, rule_number, output + rule->offset,
+							TRANSFORM_SUBSTRUCTURE, payload_length - spi_size -
+										PROPOSAL_SUBSTRUCTURE_HEADER_LENGTH))
 				{
 					pld->destroy(pld);
 					return PARSE_ERROR;
@@ -604,8 +550,9 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
 			case TRANSFORM_ATTRIBUTES:
 			{
 				if (payload_length < TRANSFORM_SUBSTRUCTURE_HEADER_LENGTH ||
-					parse_list(this, rule_number, output + rule->offset, TRANSFORM_ATTRIBUTE,
-						payload_length - TRANSFORM_SUBSTRUCTURE_HEADER_LENGTH) != SUCCESS)
+					!parse_list(this, rule_number, output + rule->offset,
+						TRANSFORM_ATTRIBUTE,
+						payload_length - TRANSFORM_SUBSTRUCTURE_HEADER_LENGTH))
 				{
 					pld->destroy(pld);
 					return PARSE_ERROR;
@@ -615,8 +562,9 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
 			case CONFIGURATION_ATTRIBUTES:
 			{
 				if (payload_length < CP_PAYLOAD_HEADER_LENGTH ||
-					parse_list(this, rule_number, output + rule->offset, CONFIGURATION_ATTRIBUTE,
-						payload_length - CP_PAYLOAD_HEADER_LENGTH) != SUCCESS)
+					!parse_list(this, rule_number, output + rule->offset,
+								CONFIGURATION_ATTRIBUTE,
+								payload_length - CP_PAYLOAD_HEADER_LENGTH))
 				{
 					pld->destroy(pld);
 					return PARSE_ERROR;
@@ -625,7 +573,7 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
 			}
 			case ATTRIBUTE_FORMAT:
 			{
-				if (parse_bit(this, rule_number, output + rule->offset) != SUCCESS) 
+				if (!parse_bit(this, rule_number, output + rule->offset))
 				{
 					pld->destroy(pld);
 					return PARSE_ERROR;
@@ -635,17 +583,16 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
 			}
 			case ATTRIBUTE_TYPE:
 			{
-				if (parse_uint15(this, rule_number, output + rule->offset) != SUCCESS) 
+				if (!parse_uint15(this, rule_number, output + rule->offset))
 				{
 					pld->destroy(pld);
 					return PARSE_ERROR;
 				}
-				attribute_format = *(bool*)(output + rule->offset);
 				break;
 			}
 			case CONFIGURATION_ATTRIBUTE_LENGTH:
 			{
-				if (parse_uint16(this, rule_number, output + rule->offset) != SUCCESS) 
+				if (!parse_uint16(this, rule_number, output + rule->offset))
 				{
 					pld->destroy(pld);
 					return PARSE_ERROR;
@@ -654,8 +601,8 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
 				break;
 			}
 			case ATTRIBUTE_LENGTH_OR_VALUE:
-			{	
-				if (parse_uint16(this, rule_number, output + rule->offset) != SUCCESS) 
+			{
+				if (!parse_uint16(this, rule_number, output + rule->offset))
 				{
 					pld->destroy(pld);
 					return PARSE_ERROR;
@@ -665,43 +612,42 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
 			}
 			case ATTRIBUTE_VALUE:
 			{
-				if (attribute_format == FALSE)
+				if (attribute_format == FALSE &&
+					!parse_chunk(this, rule_number, output + rule->offset,
+								 attribute_length))
 				{
-					if (parse_chunk(this, rule_number, output + rule->offset, attribute_length) != SUCCESS) 
-					{
-						pld->destroy(pld);
-						return PARSE_ERROR;
-					}
+					pld->destroy(pld);
+					return PARSE_ERROR;
 				}
 				break;
 			}
 			case NONCE_DATA:
 			{
 				if (payload_length < NONCE_PAYLOAD_HEADER_LENGTH ||
-					parse_chunk(this, rule_number, output + rule->offset, 
-						payload_length - NONCE_PAYLOAD_HEADER_LENGTH) != SUCCESS)
+					!parse_chunk(this, rule_number, output + rule->offset,
+								 payload_length - NONCE_PAYLOAD_HEADER_LENGTH))
 				{
 					pld->destroy(pld);
 					return PARSE_ERROR;
-				}		
+				}
 				break;
 			}
 			case ID_DATA:
 			{
 				if (payload_length < ID_PAYLOAD_HEADER_LENGTH ||
-					parse_chunk(this, rule_number, output + rule->offset,
-						payload_length - ID_PAYLOAD_HEADER_LENGTH) != SUCCESS)
+					!parse_chunk(this, rule_number, output + rule->offset,
+								 payload_length - ID_PAYLOAD_HEADER_LENGTH))
 				{
 					pld->destroy(pld);
 					return PARSE_ERROR;
-				}	
+				}
 				break;
 			}
 			case AUTH_DATA:
 			{
 				if (payload_length < AUTH_PAYLOAD_HEADER_LENGTH ||
-					parse_chunk(this, rule_number, output + rule->offset,
-						payload_length - AUTH_PAYLOAD_HEADER_LENGTH) != SUCCESS) 
+					!parse_chunk(this, rule_number, output + rule->offset,
+								 payload_length - AUTH_PAYLOAD_HEADER_LENGTH))
 				{
 					pld->destroy(pld);
 					return PARSE_ERROR;
@@ -711,8 +657,8 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
 			case CERT_DATA:
 			{
 				if (payload_length < CERT_PAYLOAD_HEADER_LENGTH ||
-					parse_chunk(this, rule_number, output + rule->offset, 
-						payload_length - CERT_PAYLOAD_HEADER_LENGTH) != SUCCESS) 
+					!parse_chunk(this, rule_number, output + rule->offset,
+								 payload_length - CERT_PAYLOAD_HEADER_LENGTH))
 				{
 					pld->destroy(pld);
 					return PARSE_ERROR;
@@ -722,8 +668,8 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
 			case CERTREQ_DATA:
 			{
 				if (payload_length < CERTREQ_PAYLOAD_HEADER_LENGTH ||
-					parse_chunk(this, rule_number, output + rule->offset, 
-						payload_length - CERTREQ_PAYLOAD_HEADER_LENGTH) != SUCCESS) 
+					!parse_chunk(this, rule_number, output + rule->offset,
+								 payload_length - CERTREQ_PAYLOAD_HEADER_LENGTH))
 				{
 					pld->destroy(pld);
 					return PARSE_ERROR;
@@ -733,8 +679,8 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
 			case EAP_DATA:
 			{
 				if (payload_length < EAP_PAYLOAD_HEADER_LENGTH ||
-					parse_chunk(this, rule_number, output + rule->offset, 
-						payload_length - EAP_PAYLOAD_HEADER_LENGTH) != SUCCESS) 
+					!parse_chunk(this, rule_number, output + rule->offset,
+								 payload_length - EAP_PAYLOAD_HEADER_LENGTH))
 				{
 					pld->destroy(pld);
 					return PARSE_ERROR;
@@ -744,109 +690,112 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
 			case SPIS:
 			{
 				if (payload_length < DELETE_PAYLOAD_HEADER_LENGTH ||
-					parse_chunk(this, rule_number, output + rule->offset,
-						payload_length - DELETE_PAYLOAD_HEADER_LENGTH) != SUCCESS) 
+					!parse_chunk(this, rule_number, output + rule->offset,
+								 payload_length - DELETE_PAYLOAD_HEADER_LENGTH))
 				{
 					pld->destroy(pld);
 					return PARSE_ERROR;
-				}		
-				break;			
+				}
+				break;
 			}
 			case VID_DATA:
 			{
 				if (payload_length < VENDOR_ID_PAYLOAD_HEADER_LENGTH ||
-					parse_chunk(this, rule_number, output + rule->offset,
-						payload_length - VENDOR_ID_PAYLOAD_HEADER_LENGTH) != SUCCESS) 
+					!parse_chunk(this, rule_number, output + rule->offset,
+							payload_length - VENDOR_ID_PAYLOAD_HEADER_LENGTH))
 				{
 					pld->destroy(pld);
 					return PARSE_ERROR;
-				}		
-				break;			
+				}
+				break;
 			}
 			case CONFIGURATION_ATTRIBUTE_VALUE:
 			{
-				size_t data_length = attribute_length;
-				if (parse_chunk(this, rule_number, output + rule->offset, data_length) != SUCCESS) 
+				if (!parse_chunk(this, rule_number, output + rule->offset,
+								 attribute_length))
 				{
 					pld->destroy(pld);
 					return PARSE_ERROR;
-				}		
-				break;			
+				}
+				break;
 			}
 			case KEY_EXCHANGE_DATA:
 			{
 				if (payload_length < KE_PAYLOAD_HEADER_LENGTH ||
-					parse_chunk(this, rule_number, output + rule->offset,
-						payload_length - KE_PAYLOAD_HEADER_LENGTH) != SUCCESS) 
+					!parse_chunk(this, rule_number, output + rule->offset,
+								 payload_length - KE_PAYLOAD_HEADER_LENGTH))
 				{
 					pld->destroy(pld);
 					return PARSE_ERROR;
-				}		
-				break;			
+				}
+				break;
 			}
 			case NOTIFICATION_DATA:
 			{
 				if (payload_length < NOTIFY_PAYLOAD_HEADER_LENGTH + spi_size ||
-					parse_chunk(this, rule_number, output + rule->offset, 
-						payload_length - NOTIFY_PAYLOAD_HEADER_LENGTH - spi_size) != SUCCESS) 
+					!parse_chunk(this, rule_number, output + rule->offset,
+						payload_length - NOTIFY_PAYLOAD_HEADER_LENGTH - spi_size))
 				{
 					pld->destroy(pld);
 					return PARSE_ERROR;
-				}		
-				break;			
+				}
+				break;
 			}
 			case ENCRYPTED_DATA:
-			{				
+			{
 				if (payload_length < ENCRYPTION_PAYLOAD_HEADER_LENGTH ||
-					parse_chunk(this, rule_number, output + rule->offset,
-						payload_length - ENCRYPTION_PAYLOAD_HEADER_LENGTH) != SUCCESS) 
+					!parse_chunk(this, rule_number, output + rule->offset,
+							payload_length - ENCRYPTION_PAYLOAD_HEADER_LENGTH))
 				{
 					pld->destroy(pld);
 					return PARSE_ERROR;
-				}		
-				break;	
+				}
+				break;
 			}
 			case TS_TYPE:
 			{
-				if (parse_uint8(this, rule_number, output + rule->offset) != SUCCESS) 
+				if (!parse_uint8(this, rule_number, output + rule->offset))
 				{
 					pld->destroy(pld);
 					return PARSE_ERROR;
 				}
 				ts_type = *(u_int8_t*)(output + rule->offset);
-				break;							
+				break;
 			}
 			case ADDRESS:
 			{
-				size_t address_length = (ts_type == TS_IPV4_ADDR_RANGE) ? 4 : 16;
-				if (parse_chunk(this, rule_number, output + rule->offset,address_length) != SUCCESS) 
+				int address_length = (ts_type == TS_IPV4_ADDR_RANGE) ? 4 : 16;
+				
+				if (!parse_chunk(this, rule_number, output + rule->offset,
+								 address_length))
 				{
 					pld->destroy(pld);
 					return PARSE_ERROR;
 				}
-				break;							
+				break;
 			}
 			case TRAFFIC_SELECTORS:
 			{
 				if (payload_length < TS_PAYLOAD_HEADER_LENGTH ||
-					parse_list(this, rule_number, output + rule->offset, TRAFFIC_SELECTOR_SUBSTRUCTURE,
-						payload_length - TS_PAYLOAD_HEADER_LENGTH) != SUCCESS)
+					!parse_list(this, rule_number, output + rule->offset,
+								TRAFFIC_SELECTOR_SUBSTRUCTURE,
+								payload_length - TS_PAYLOAD_HEADER_LENGTH))
 				{
 					pld->destroy(pld);
 					return PARSE_ERROR;
 				}
-				break;							
+				break;
 			}
 			case UNKNOWN_DATA:
 			{
 				if (payload_length < UNKNOWN_PAYLOAD_HEADER_LENGTH ||
-					parse_chunk(this, rule_number, output + rule->offset,
-						payload_length - UNKNOWN_PAYLOAD_HEADER_LENGTH) != SUCCESS)
+					!parse_chunk(this, rule_number, output + rule->offset,
+								payload_length - UNKNOWN_PAYLOAD_HEADER_LENGTH))
 				{
 					pld->destroy(pld);
 					return PARSE_ERROR;
 				}
-				break;							
+				break;
 			}
 			default:
 			{
@@ -871,8 +820,7 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
  */
 static int get_remaining_byte_count (private_parser_t *this)
 {
-	int count = (this->input_roof - this->byte_pos);
-	return count;
+	return this->input_roof - this->byte_pos;
 }
 
 /**
@@ -889,7 +837,7 @@ static void reset_context (private_parser_t *this)
  */
 static void destroy(private_parser_t *this)
 {
-	free(this);	
+	free(this);
 }
 
 /*
@@ -899,7 +847,7 @@ parser_t *parser_create(chunk_t data)
 {
 	private_parser_t *this = malloc_thing(private_parser_t);
 	
-	this->public.parse_payload = (status_t(*)(parser_t*,payload_type_t,payload_t**)) parse_payload;
+	this->public.parse_payload = (status_t(*)(parser_t*,payload_type_t,payload_t**))parse_payload;
 	this->public.reset_context = (void(*)(parser_t*)) reset_context;
 	this->public.get_remaining_byte_count = (int (*) (parser_t *))get_remaining_byte_count;
 	this->public.destroy = (void(*)(parser_t*)) destroy;
@@ -909,5 +857,6 @@ parser_t *parser_create(chunk_t data)
 	this->bit_pos = 0;
 	this->input_roof = data.ptr + data.len;
 	
-	return (parser_t*)this;
+	return &this->public;
 }
+
diff --git a/src/charon/encoding/parser.h b/src/charon/encoding/parser.h
index 222e328d1..230492438 100644
--- a/src/charon/encoding/parser.h
+++ b/src/charon/encoding/parser.h
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: parser.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/charon/encoding/payloads/auth_payload.c b/src/charon/encoding/payloads/auth_payload.c
index f9ca23236..53406f564 100644
--- a/src/charon/encoding/payloads/auth_payload.c
+++ b/src/charon/encoding/payloads/auth_payload.c
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: auth_payload.c 4051 2008-06-10 09:08:27Z tobias $
  */
 
 #include "auth_payload.h"
diff --git a/src/charon/encoding/payloads/auth_payload.h b/src/charon/encoding/payloads/auth_payload.h
index 26375a398..4287f14d9 100644
--- a/src/charon/encoding/payloads/auth_payload.h
+++ b/src/charon/encoding/payloads/auth_payload.h
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: auth_payload.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/charon/encoding/payloads/cert_payload.c b/src/charon/encoding/payloads/cert_payload.c
index 7ff334006..54a8c1392 100644
--- a/src/charon/encoding/payloads/cert_payload.c
+++ b/src/charon/encoding/payloads/cert_payload.c
@@ -13,8 +13,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: cert_payload.c 4317 2008-09-02 11:00:13Z martin $
  */
 
 #include <stddef.h>
diff --git a/src/charon/encoding/payloads/cert_payload.h b/src/charon/encoding/payloads/cert_payload.h
index d6e328850..fba404ee2 100644
--- a/src/charon/encoding/payloads/cert_payload.h
+++ b/src/charon/encoding/payloads/cert_payload.h
@@ -13,8 +13,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: cert_payload.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/charon/encoding/payloads/certreq_payload.c b/src/charon/encoding/payloads/certreq_payload.c
index 1b499e9e8..50adedb28 100644
--- a/src/charon/encoding/payloads/certreq_payload.c
+++ b/src/charon/encoding/payloads/certreq_payload.c
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: certreq_payload.c 3589 2008-03-13 14:14:44Z martin $
  */
 
 #include <stddef.h>
diff --git a/src/charon/encoding/payloads/certreq_payload.h b/src/charon/encoding/payloads/certreq_payload.h
index a246f0e93..ff9814f8a 100644
--- a/src/charon/encoding/payloads/certreq_payload.h
+++ b/src/charon/encoding/payloads/certreq_payload.h
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: certreq_payload.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/charon/encoding/payloads/configuration_attribute.c b/src/charon/encoding/payloads/configuration_attribute.c
index ad8177e1f..674feeddd 100644
--- a/src/charon/encoding/payloads/configuration_attribute.c
+++ b/src/charon/encoding/payloads/configuration_attribute.c
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: configuration_attribute.c 4844 2009-01-20 22:55:13Z andreas $
  */
 
 #include <stddef.h>
diff --git a/src/charon/encoding/payloads/configuration_attribute.h b/src/charon/encoding/payloads/configuration_attribute.h
index 13aaa0e90..404130114 100644
--- a/src/charon/encoding/payloads/configuration_attribute.h
+++ b/src/charon/encoding/payloads/configuration_attribute.h
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: configuration_attribute.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/charon/encoding/payloads/cp_payload.c b/src/charon/encoding/payloads/cp_payload.c
index d39dc2a47..b5f1b35c7 100644
--- a/src/charon/encoding/payloads/cp_payload.c
+++ b/src/charon/encoding/payloads/cp_payload.c
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: cp_payload.c 3589 2008-03-13 14:14:44Z martin $
  */
 
 #include <stddef.h>
diff --git a/src/charon/encoding/payloads/cp_payload.h b/src/charon/encoding/payloads/cp_payload.h
index c31b1667d..6ffcca708 100644
--- a/src/charon/encoding/payloads/cp_payload.h
+++ b/src/charon/encoding/payloads/cp_payload.h
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: cp_payload.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/charon/encoding/payloads/delete_payload.c b/src/charon/encoding/payloads/delete_payload.c
index 01ee7f027..c2be1e8b5 100644
--- a/src/charon/encoding/payloads/delete_payload.c
+++ b/src/charon/encoding/payloads/delete_payload.c
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: delete_payload.c 3589 2008-03-13 14:14:44Z martin $
  */
 
 #include <stddef.h>
diff --git a/src/charon/encoding/payloads/delete_payload.h b/src/charon/encoding/payloads/delete_payload.h
index 862deb9dc..58840741a 100644
--- a/src/charon/encoding/payloads/delete_payload.h
+++ b/src/charon/encoding/payloads/delete_payload.h
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: delete_payload.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/charon/encoding/payloads/eap_payload.c b/src/charon/encoding/payloads/eap_payload.c
index d9a6fe6dd..1199bac45 100644
--- a/src/charon/encoding/payloads/eap_payload.c
+++ b/src/charon/encoding/payloads/eap_payload.c
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: eap_payload.c 3589 2008-03-13 14:14:44Z martin $
  */
 
 #include <stddef.h>
diff --git a/src/charon/encoding/payloads/eap_payload.h b/src/charon/encoding/payloads/eap_payload.h
index 337f82e12..a4d8a38c6 100644
--- a/src/charon/encoding/payloads/eap_payload.h
+++ b/src/charon/encoding/payloads/eap_payload.h
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: eap_payload.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/charon/encoding/payloads/encodings.c b/src/charon/encoding/payloads/encodings.c
index 66c1fd999..85caeda82 100644
--- a/src/charon/encoding/payloads/encodings.c
+++ b/src/charon/encoding/payloads/encodings.c
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: encodings.c 3589 2008-03-13 14:14:44Z martin $
  */
 
 
@@ -24,7 +22,6 @@ ENUM(encoding_type_names, U_INT_4, ENCRYPTED_DATA,
 	"U_INT_8",
 	"U_INT_16",
 	"U_INT_32",
-	"U_INT_64",
 	"RESERVED_BIT",
 	"RESERVED_BYTE",
 	"FLAG",
diff --git a/src/charon/encoding/payloads/encodings.h b/src/charon/encoding/payloads/encodings.h
index ad98874a2..03554f0af 100644
--- a/src/charon/encoding/payloads/encodings.h
+++ b/src/charon/encoding/payloads/encodings.h
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: encodings.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -98,19 +96,6 @@ enum encoding_type_t {
 	 */
 	U_INT_32,
 	
-	/**
-	 * Representing a 64 Bit unsigned int value.
-	 * 
-	 * When generating it must be changed from host to network order.
-	 * The value is read from the associated data struct.
-	 * The current write position is moved 64 bit forward afterwards.
-	 * 
-	 * When parsing it must be changed from network to host order.
-	 * The value is written to the associated data struct.
-	 * The current read pointer is moved 64 bit forward afterwards.
-	 */
-	U_INT_64,
-	
 	/**
 	 * represents a RESERVED_BIT used in FLAG-Bytes.
 	 * 
diff --git a/src/charon/encoding/payloads/encryption_payload.c b/src/charon/encoding/payloads/encryption_payload.c
index 7237c69c5..55a37bb25 100644
--- a/src/charon/encoding/payloads/encryption_payload.c
+++ b/src/charon/encoding/payloads/encryption_payload.c
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: encryption_payload.c 3862 2008-04-22 07:14:24Z martin $
  */
 
 #include <stddef.h>
diff --git a/src/charon/encoding/payloads/encryption_payload.h b/src/charon/encoding/payloads/encryption_payload.h
index 1d3eeb793..3b94587ec 100644
--- a/src/charon/encoding/payloads/encryption_payload.h
+++ b/src/charon/encoding/payloads/encryption_payload.h
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: encryption_payload.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/charon/encoding/payloads/endpoint_notify.c b/src/charon/encoding/payloads/endpoint_notify.c
index c9ef47afb..c30d29942 100644
--- a/src/charon/encoding/payloads/endpoint_notify.c
+++ b/src/charon/encoding/payloads/endpoint_notify.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: endpoint_notify.c 3735 2008-04-02 18:21:03Z tobias $
  */
 
 #include "endpoint_notify.h"
diff --git a/src/charon/encoding/payloads/endpoint_notify.h b/src/charon/encoding/payloads/endpoint_notify.h
index 36f483c67..66aabc683 100644
--- a/src/charon/encoding/payloads/endpoint_notify.h
+++ b/src/charon/encoding/payloads/endpoint_notify.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: endpoint_notify.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/charon/encoding/payloads/id_payload.c b/src/charon/encoding/payloads/id_payload.c
index 347ad7563..4a527cb24 100644
--- a/src/charon/encoding/payloads/id_payload.c
+++ b/src/charon/encoding/payloads/id_payload.c
@@ -14,8 +14,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: id_payload.c 3589 2008-03-13 14:14:44Z martin $
  */
 
 #include <stddef.h>
diff --git a/src/charon/encoding/payloads/id_payload.h b/src/charon/encoding/payloads/id_payload.h
index 9de21cc6a..555b1324b 100644
--- a/src/charon/encoding/payloads/id_payload.h
+++ b/src/charon/encoding/payloads/id_payload.h
@@ -13,8 +13,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: id_payload.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/charon/encoding/payloads/ike_header.c b/src/charon/encoding/payloads/ike_header.c
index 1db64f0e3..d27bfb82c 100644
--- a/src/charon/encoding/payloads/ike_header.c
+++ b/src/charon/encoding/payloads/ike_header.c
@@ -13,8 +13,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: ike_header.c 3666 2008-03-26 18:40:19Z tobias $
  */
 
 /* offsetof macro */
diff --git a/src/charon/encoding/payloads/ike_header.h b/src/charon/encoding/payloads/ike_header.h
index 7292c2c9c..8de316d19 100644
--- a/src/charon/encoding/payloads/ike_header.h
+++ b/src/charon/encoding/payloads/ike_header.h
@@ -13,8 +13,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: ike_header.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/charon/encoding/payloads/ke_payload.c b/src/charon/encoding/payloads/ke_payload.c
index 2f718e49c..aa3e075ca 100644
--- a/src/charon/encoding/payloads/ke_payload.c
+++ b/src/charon/encoding/payloads/ke_payload.c
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: ke_payload.c 3589 2008-03-13 14:14:44Z martin $
  */
 
 #include <stddef.h>
diff --git a/src/charon/encoding/payloads/ke_payload.h b/src/charon/encoding/payloads/ke_payload.h
index bc5c9224a..7e182d970 100644
--- a/src/charon/encoding/payloads/ke_payload.h
+++ b/src/charon/encoding/payloads/ke_payload.h
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: ke_payload.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/charon/encoding/payloads/nonce_payload.c b/src/charon/encoding/payloads/nonce_payload.c
index da68ce4ab..f9e075380 100644
--- a/src/charon/encoding/payloads/nonce_payload.c
+++ b/src/charon/encoding/payloads/nonce_payload.c
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: nonce_payload.c 3589 2008-03-13 14:14:44Z martin $
  */
  
 /* offsetof macro */
diff --git a/src/charon/encoding/payloads/nonce_payload.h b/src/charon/encoding/payloads/nonce_payload.h
index b433c7023..4adaba481 100644
--- a/src/charon/encoding/payloads/nonce_payload.h
+++ b/src/charon/encoding/payloads/nonce_payload.h
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: nonce_payload.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/charon/encoding/payloads/notify_payload.c b/src/charon/encoding/payloads/notify_payload.c
index a4377c275..d2a995ace 100644
--- a/src/charon/encoding/payloads/notify_payload.c
+++ b/src/charon/encoding/payloads/notify_payload.c
@@ -14,8 +14,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: notify_payload.c 4842 2009-01-19 12:32:42Z andreas $
  */
 
 #include <stddef.h>
diff --git a/src/charon/encoding/payloads/notify_payload.h b/src/charon/encoding/payloads/notify_payload.h
index 9f7577c26..a5f501dca 100644
--- a/src/charon/encoding/payloads/notify_payload.h
+++ b/src/charon/encoding/payloads/notify_payload.h
@@ -14,8 +14,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: notify_payload.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/charon/encoding/payloads/payload.c b/src/charon/encoding/payloads/payload.c
index 71350458f..1cee6d2aa 100644
--- a/src/charon/encoding/payloads/payload.c
+++ b/src/charon/encoding/payloads/payload.c
@@ -13,8 +13,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: payload.c 4618 2008-11-11 09:22:00Z tobias $
  */
 
 
diff --git a/src/charon/encoding/payloads/payload.h b/src/charon/encoding/payloads/payload.h
index 7cb1b7735..78f5b7b97 100644
--- a/src/charon/encoding/payloads/payload.h
+++ b/src/charon/encoding/payloads/payload.h
@@ -13,8 +13,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: payload.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/charon/encoding/payloads/proposal_substructure.c b/src/charon/encoding/payloads/proposal_substructure.c
index daa015d3e..a8166023c 100644
--- a/src/charon/encoding/payloads/proposal_substructure.c
+++ b/src/charon/encoding/payloads/proposal_substructure.c
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: proposal_substructure.c 3658 2008-03-26 10:06:45Z martin $
  */
 
 #include <stddef.h>
diff --git a/src/charon/encoding/payloads/proposal_substructure.h b/src/charon/encoding/payloads/proposal_substructure.h
index 212366d77..8ccb917d6 100644
--- a/src/charon/encoding/payloads/proposal_substructure.h
+++ b/src/charon/encoding/payloads/proposal_substructure.h
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: proposal_substructure.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/charon/encoding/payloads/sa_payload.c b/src/charon/encoding/payloads/sa_payload.c
index ecc3b0f60..3ca2f08c8 100644
--- a/src/charon/encoding/payloads/sa_payload.c
+++ b/src/charon/encoding/payloads/sa_payload.c
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: sa_payload.c 3589 2008-03-13 14:14:44Z martin $
  */
 
 #include <stddef.h>
diff --git a/src/charon/encoding/payloads/sa_payload.h b/src/charon/encoding/payloads/sa_payload.h
index 237432422..58ae72544 100644
--- a/src/charon/encoding/payloads/sa_payload.h
+++ b/src/charon/encoding/payloads/sa_payload.h
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: sa_payload.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/charon/encoding/payloads/traffic_selector_substructure.c b/src/charon/encoding/payloads/traffic_selector_substructure.c
index eb5bbc626..7dcdce6aa 100644
--- a/src/charon/encoding/payloads/traffic_selector_substructure.c
+++ b/src/charon/encoding/payloads/traffic_selector_substructure.c
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: traffic_selector_substructure.c 4639 2008-11-12 15:09:24Z martin $
  */
 
 #include "traffic_selector_substructure.h"
diff --git a/src/charon/encoding/payloads/traffic_selector_substructure.h b/src/charon/encoding/payloads/traffic_selector_substructure.h
index 9179d1478..ee3e204a0 100644
--- a/src/charon/encoding/payloads/traffic_selector_substructure.h
+++ b/src/charon/encoding/payloads/traffic_selector_substructure.h
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: traffic_selector_substructure.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/charon/encoding/payloads/transform_attribute.c b/src/charon/encoding/payloads/transform_attribute.c
index b9b5ff879..507d04a34 100644
--- a/src/charon/encoding/payloads/transform_attribute.c
+++ b/src/charon/encoding/payloads/transform_attribute.c
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: transform_attribute.c 3589 2008-03-13 14:14:44Z martin $
  */
 
 #include <string.h>
@@ -248,7 +246,7 @@ static u_int16_t get_attribute_type (private_transform_attribute_t *this)
 /**
  * Implementation of transform_attribute_t.clone.
  */
-static transform_attribute_t * clone(private_transform_attribute_t *this)
+static transform_attribute_t * _clone(private_transform_attribute_t *this)
 {
 	private_transform_attribute_t *new_clone;
 	
@@ -302,7 +300,7 @@ transform_attribute_t *transform_attribute_create()
 	this->public.get_value = (u_int16_t (*) (transform_attribute_t *)) get_value;
 	this->public.set_attribute_type = (void (*) (transform_attribute_t *,u_int16_t type)) set_attribute_type;
 	this->public.get_attribute_type = (u_int16_t (*) (transform_attribute_t *)) get_attribute_type;
-	this->public.clone = (transform_attribute_t * (*) (transform_attribute_t *)) clone;
+	this->public.clone = (transform_attribute_t * (*) (transform_attribute_t *)) _clone;
 	this->public.destroy = (void (*) (transform_attribute_t *)) destroy;
 	
 	/* set default values of the fields */
diff --git a/src/charon/encoding/payloads/transform_attribute.h b/src/charon/encoding/payloads/transform_attribute.h
index 6755ff74c..f7d71a9df 100644
--- a/src/charon/encoding/payloads/transform_attribute.h
+++ b/src/charon/encoding/payloads/transform_attribute.h
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: transform_attribute.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/charon/encoding/payloads/transform_substructure.c b/src/charon/encoding/payloads/transform_substructure.c
index 7c3d6421a..497bd53b2 100644
--- a/src/charon/encoding/payloads/transform_substructure.c
+++ b/src/charon/encoding/payloads/transform_substructure.c
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: transform_substructure.c 3971 2008-05-16 13:27:21Z tobias $
  */
 
 #include <stddef.h>
@@ -382,37 +380,23 @@ transform_substructure_t *transform_substructure_create()
 /*
  * Described in header
  */
-transform_substructure_t *transform_substructure_create_type(transform_type_t transform_type, u_int16_t transform_id, u_int16_t key_length)
+transform_substructure_t *transform_substructure_create_type(
+								transform_type_t transform_type,
+								u_int16_t transform_id, u_int16_t key_length)
 {
 	transform_substructure_t *transform = transform_substructure_create();
 	
 	transform->set_transform_type(transform,transform_type);
 	transform->set_transform_id(transform,transform_id);
 	
-	/* a keylength attribute is only created for variable length algos */
-	if (transform_type == ENCRYPTION_ALGORITHM)
+	if (key_length)
 	{
-		switch(transform_id)
-		{
-			case ENCR_AES_CBC:
-			case ENCR_IDEA:
-			case ENCR_CAST:
-			case ENCR_BLOWFISH:
-			case ENCR_AES_CCM_ICV8:
-			case ENCR_AES_CCM_ICV12:
-			case ENCR_AES_CCM_ICV16:
-			case ENCR_AES_GCM_ICV8:
-			case ENCR_AES_GCM_ICV12:
-			case ENCR_AES_GCM_ICV16:
-			{
-				transform_attribute_t *attribute = transform_attribute_create_key_length(key_length);
-				transform->add_transform_attribute(transform,attribute);
-				break;
-			}
-			default:
-				break;
-		}
+		transform_attribute_t *attribute;
+		
+		attribute = transform_attribute_create_key_length(key_length);
+		transform->add_transform_attribute(transform, attribute);
+	
 	}
-
 	return transform;
 }
+
diff --git a/src/charon/encoding/payloads/transform_substructure.h b/src/charon/encoding/payloads/transform_substructure.h
index cc8adc38a..b02a94a6c 100644
--- a/src/charon/encoding/payloads/transform_substructure.h
+++ b/src/charon/encoding/payloads/transform_substructure.h
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: transform_substructure.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/charon/encoding/payloads/ts_payload.c b/src/charon/encoding/payloads/ts_payload.c
index 5d53793b1..92ddc380f 100644
--- a/src/charon/encoding/payloads/ts_payload.c
+++ b/src/charon/encoding/payloads/ts_payload.c
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: ts_payload.c 3589 2008-03-13 14:14:44Z martin $
  */
 
 #include <stddef.h>
diff --git a/src/charon/encoding/payloads/ts_payload.h b/src/charon/encoding/payloads/ts_payload.h
index 91f26f55d..3c8a6d595 100644
--- a/src/charon/encoding/payloads/ts_payload.h
+++ b/src/charon/encoding/payloads/ts_payload.h
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: ts_payload.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/charon/encoding/payloads/unknown_payload.c b/src/charon/encoding/payloads/unknown_payload.c
index 8a8db308d..309663233 100644
--- a/src/charon/encoding/payloads/unknown_payload.c
+++ b/src/charon/encoding/payloads/unknown_payload.c
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: unknown_payload.c 3589 2008-03-13 14:14:44Z martin $
  */
 
 #include <stddef.h>
diff --git a/src/charon/encoding/payloads/unknown_payload.h b/src/charon/encoding/payloads/unknown_payload.h
index 03894c619..44b6e1a71 100644
--- a/src/charon/encoding/payloads/unknown_payload.h
+++ b/src/charon/encoding/payloads/unknown_payload.h
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: unknown_payload.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/charon/encoding/payloads/vendor_id_payload.c b/src/charon/encoding/payloads/vendor_id_payload.c
index 3e47b9348..52d9e12a5 100644
--- a/src/charon/encoding/payloads/vendor_id_payload.c
+++ b/src/charon/encoding/payloads/vendor_id_payload.c
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: vendor_id_payload.c 4120 2008-06-27 15:22:27Z andreas $
  */
 
 #include <stddef.h>
diff --git a/src/charon/encoding/payloads/vendor_id_payload.h b/src/charon/encoding/payloads/vendor_id_payload.h
index b8798f24e..9ee9ea1d4 100644
--- a/src/charon/encoding/payloads/vendor_id_payload.h
+++ b/src/charon/encoding/payloads/vendor_id_payload.h
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: vendor_id_payload.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/charon/kernel/kernel_interface.c b/src/charon/kernel/kernel_interface.c
index f099a94ac..5188b79fe 100644
--- a/src/charon/kernel/kernel_interface.c
+++ b/src/charon/kernel/kernel_interface.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: kernel_interface.c 4997 2009-03-24 10:24:58Z martin $
  */
 
 #include "kernel_interface.h"
@@ -20,8 +18,6 @@
 #include <pthread.h>
 
 #include <daemon.h>
-#include <utils/linked_list.h>
-#include <utils/mutex.h>
 
 typedef struct private_kernel_interface_t private_kernel_interface_t;
 
@@ -35,16 +31,6 @@ struct private_kernel_interface_t {
 	 */
 	kernel_interface_t public;
 	
-	/**
-	 * list of registered ipsec kernel interfaces
-	 */
-	linked_list_t *ipsec_interfaces;
-	
-	/**
-	 * list of registered network kernel interfaces
-	 */
-	linked_list_t *net_interfaces;
-	
 	/**
 	 * ipsec interface
 	 */
@@ -54,11 +40,6 @@ struct private_kernel_interface_t {
 	 * network interface
 	 */
 	kernel_net_t *net;
-	
-	/**
-	 * locking mutex
-	 */
-	mutex_t *mutex;
 };
 
 /**
@@ -67,6 +48,10 @@ struct private_kernel_interface_t {
 static status_t get_spi(private_kernel_interface_t *this, host_t *src, host_t *dst, 
 				 protocol_id_t protocol, u_int32_t reqid, u_int32_t *spi)
 {
+	if (!this->ipsec)
+	{
+		return NOT_SUPPORTED;
+	}
 	return this->ipsec->get_spi(this->ipsec, src, dst, protocol, reqid, spi);
 }
 
@@ -76,6 +61,10 @@ static status_t get_spi(private_kernel_interface_t *this, host_t *src, host_t *d
 static status_t get_cpi(private_kernel_interface_t *this, host_t *src, host_t *dst, 
 					u_int32_t reqid, u_int16_t *cpi)
 {
+	if (!this->ipsec)
+	{
+		return NOT_SUPPORTED;
+	}
 	return this->ipsec->get_cpi(this->ipsec, src, dst, reqid, cpi);
 }
 
@@ -90,6 +79,10 @@ static status_t add_sa(private_kernel_interface_t *this, host_t *src, host_t *ds
 				ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi, bool encap,
 				bool inbound)
 {
+	if (!this->ipsec)
+	{
+		return NOT_SUPPORTED;
+	}
 	return this->ipsec->add_sa(this->ipsec, src, dst, spi, protocol, reqid,
 			expire_soft, expire_hard, enc_alg, enc_key, int_alg, int_key,
 			mode, ipcomp, cpi, encap, inbound);
@@ -102,6 +95,10 @@ static status_t update_sa(private_kernel_interface_t *this, u_int32_t spi,
 				   protocol_id_t protocol, u_int16_t cpi, host_t *src, host_t *dst, 
 				   host_t *new_src, host_t *new_dst, bool encap, bool new_encap)
 {
+	if (!this->ipsec)
+	{
+		return NOT_SUPPORTED;
+	}
 	return this->ipsec->update_sa(this->ipsec, spi, protocol, cpi, src, dst,
 			new_src, new_dst, encap, new_encap);
 }
@@ -109,10 +106,14 @@ static status_t update_sa(private_kernel_interface_t *this, u_int32_t spi,
 /**
  * Implementation of kernel_interface_t.del_sa
  */
-static status_t del_sa(private_kernel_interface_t *this, host_t *dst, u_int32_t spi,
-				protocol_id_t protocol, u_int16_t cpi)
+static status_t del_sa(private_kernel_interface_t *this, host_t *src, host_t *dst,
+				u_int32_t spi, protocol_id_t protocol, u_int16_t cpi)
 {
-	return this->ipsec->del_sa(this->ipsec, dst, spi, protocol, cpi);
+	if (!this->ipsec)
+	{
+		return NOT_SUPPORTED;
+	}
+	return this->ipsec->del_sa(this->ipsec, src, dst, spi, protocol, cpi);
 }
 
 /**
@@ -124,6 +125,10 @@ static status_t add_policy(private_kernel_interface_t *this, host_t *src, host_t
 					u_int32_t reqid, ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
 					bool routed)
 {
+	if (!this->ipsec)
+	{
+		return NOT_SUPPORTED;
+	}
 	return this->ipsec->add_policy(this->ipsec, src, dst, src_ts, dst_ts,
 			direction, spi, protocol, reqid, mode, ipcomp, cpi, routed);
 }
@@ -135,6 +140,10 @@ static status_t query_policy(private_kernel_interface_t *this,
 					  traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
 					  policy_dir_t direction, u_int32_t *use_time)
 {
+	if (!this->ipsec)
+	{
+		return NOT_SUPPORTED;
+	}
 	return this->ipsec->query_policy(this->ipsec, src_ts, dst_ts, direction, use_time);
 }
 
@@ -145,6 +154,10 @@ static status_t del_policy(private_kernel_interface_t *this,
 					traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
 					policy_dir_t direction, bool unrouted)
 {
+	if (!this->ipsec)
+	{
+		return NOT_SUPPORTED;
+	}
 	return this->ipsec->del_policy(this->ipsec, src_ts, dst_ts, direction, unrouted);
 }
 
@@ -154,6 +167,10 @@ static status_t del_policy(private_kernel_interface_t *this,
 static host_t *get_source_addr(private_kernel_interface_t *this,
 							   host_t *dest, host_t *src)
 {
+	if (!this->net)
+	{
+		return NULL;
+	}
 	return this->net->get_source_addr(this->net, dest, src);
 }
 
@@ -162,6 +179,10 @@ static host_t *get_source_addr(private_kernel_interface_t *this,
  */
 static host_t *get_nexthop(private_kernel_interface_t *this, host_t *dest)
 {
+	if (!this->net)
+	{
+		return NULL;
+	}
 	return this->net->get_nexthop(this->net, dest);
 }
 
@@ -170,6 +191,10 @@ static host_t *get_nexthop(private_kernel_interface_t *this, host_t *dest)
  */
 static char* get_interface(private_kernel_interface_t *this, host_t *host)
 {
+	if (!this->net)
+	{
+		return NULL;
+	}
 	return this->net->get_interface(this->net, host);
 }
 
@@ -179,6 +204,10 @@ static char* get_interface(private_kernel_interface_t *this, host_t *host)
 static enumerator_t *create_address_enumerator(private_kernel_interface_t *this,
 		bool include_down_ifaces, bool include_virtual_ips)
 {
+	if (!this->net)
+	{
+		return enumerator_create_empty();
+	}
 	return this->net->create_address_enumerator(this->net, include_down_ifaces,
 			include_virtual_ips);
 }
@@ -189,6 +218,10 @@ static enumerator_t *create_address_enumerator(private_kernel_interface_t *this,
 static status_t add_ip(private_kernel_interface_t *this, host_t *virtual_ip,
 				host_t *iface_ip)
 {
+	if (!this->net)
+	{
+		return NOT_SUPPORTED;
+	}
 	return this->net->add_ip(this->net, virtual_ip, iface_ip);
 }
 
@@ -197,6 +230,10 @@ static status_t add_ip(private_kernel_interface_t *this, host_t *virtual_ip,
  */
 static status_t del_ip(private_kernel_interface_t *this, host_t *virtual_ip)
 {
+	if (!this->net)
+	{
+		return NOT_SUPPORTED;
+	}
 	return this->net->del_ip(this->net, virtual_ip);
 }
 
@@ -206,6 +243,10 @@ static status_t del_ip(private_kernel_interface_t *this, host_t *virtual_ip)
 static status_t add_route(private_kernel_interface_t *this, chunk_t dst_net,
 		u_int8_t prefixlen, host_t *gateway, host_t *src_ip, char *if_name)
 {
+	if (!this->net)
+	{
+		return NOT_SUPPORTED;
+	}
 	return this->net->add_route(this->net, dst_net, prefixlen, gateway, src_ip,
 			if_name);
 }
@@ -216,6 +257,10 @@ static status_t add_route(private_kernel_interface_t *this, chunk_t dst_net,
 static status_t del_route(private_kernel_interface_t *this, chunk_t dst_net,
 		u_int8_t prefixlen, host_t *gateway, host_t *src_ip, char *if_name)
 {
+	if (!this->net)
+	{
+		return NOT_SUPPORTED;
+	}
 	return this->net->del_route(this->net, dst_net, prefixlen, gateway, src_ip,
 			if_name);
 }
@@ -283,70 +328,42 @@ static status_t get_address_by_ts(private_kernel_interface_t *this,
  * Implementation of kernel_interface_t.add_ipsec_interface.
  */
 static void add_ipsec_interface(private_kernel_interface_t *this,
-		kernel_ipsec_constructor_t *create)
+		kernel_ipsec_constructor_t constructor)
 {
-	this->mutex->lock(this->mutex);
-	this->ipsec_interfaces->insert_last(this->ipsec_interfaces, create);
-	this->mutex->unlock(this->mutex);
+	if (!this->ipsec)
+	{
+		this->ipsec = constructor();
+	}
 }
 
 /**
  * Implementation of kernel_interface_t.remove_ipsec_interface.
  */
 static void remove_ipsec_interface(private_kernel_interface_t *this,
-		kernel_ipsec_constructor_t *create)
+		kernel_ipsec_constructor_t constructor)
 {
-	this->mutex->lock(this->mutex);
-	this->ipsec_interfaces->remove(this->ipsec_interfaces, create, NULL);
-	this->mutex->unlock(this->mutex);
+	/* TODO: replace if interface currently in use */
 }
 
 /**
  * Implementation of kernel_interface_t.add_net_interface.
  */
 static void add_net_interface(private_kernel_interface_t *this,
-		kernel_net_constructor_t *create)
+		kernel_net_constructor_t constructor)
 {
-	this->mutex->lock(this->mutex);
-	this->net_interfaces->insert_last(this->net_interfaces, create);
-	this->mutex->unlock(this->mutex);
+	if (!this->net)
+	{
+		this->net = constructor();
+	}
 }
 
 /**
  * Implementation of kernel_interface_t.remove_net_interface.
  */
 static void remove_net_interface(private_kernel_interface_t *this,
-		kernel_net_constructor_t *create)
-{
-	this->mutex->lock(this->mutex);
-	this->net_interfaces->remove(this->net_interfaces, create, NULL);
-	this->mutex->unlock(this->mutex);
-}
-
-/**
- * Implementation of kernel_interface_t.create_interfaces.
- */
-static void create_interfaces(private_kernel_interface_t *this)
+		kernel_net_constructor_t constructor)
 {
-	kernel_ipsec_constructor_t create_ipsec;
-	kernel_net_constructor_t create_net;
-	
-	this->mutex->lock(this->mutex);
-	if (this->ipsec_interfaces->get_first(this->ipsec_interfaces, (void**)&create_ipsec) != SUCCESS)
-	{
-		this->mutex->unlock(this->mutex);
-		charon->kill(charon, "no ipsec kernel interface loaded");
-	}
-	
-	if (this->net_interfaces->get_first(this->net_interfaces, (void**)&create_net) != SUCCESS)
-	{
-		this->mutex->unlock(this->mutex);
-		charon->kill(charon, "no network kernel interface loaded");
-	}
-	this->mutex->unlock(this->mutex);
-	
-	this->ipsec = create_ipsec();
-	this->net = create_net();
+	/* TODO: replace if interface currently in use */
 }
 
 /**
@@ -356,9 +373,6 @@ static void destroy(private_kernel_interface_t *this)
 {
 	DESTROY_IF(this->ipsec);
 	DESTROY_IF(this->net);
-	this->ipsec_interfaces->destroy(this->ipsec_interfaces);
-	this->net_interfaces->destroy(this->net_interfaces);
-	this->mutex->destroy(this->mutex);
 	free(this);
 }
 
@@ -373,7 +387,7 @@ kernel_interface_t *kernel_interface_create()
 	this->public.get_cpi = (status_t(*)(kernel_interface_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
 	this->public.add_sa  = (status_t(*)(kernel_interface_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa;
 	this->public.update_sa = (status_t(*)(kernel_interface_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa;
-	this->public.del_sa = (status_t(*)(kernel_interface_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
+	this->public.del_sa = (status_t(*)(kernel_interface_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
 	this->public.add_policy = (status_t(*)(kernel_interface_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t,protocol_id_t,u_int32_t,ipsec_mode_t,u_int16_t,u_int16_t,bool))add_policy;
 	this->public.query_policy = (status_t(*)(kernel_interface_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
 	this->public.del_policy = (status_t(*)(kernel_interface_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,bool))del_policy;
@@ -394,12 +408,8 @@ kernel_interface_t *kernel_interface_create()
 	this->public.add_net_interface = (void(*)(kernel_interface_t*, kernel_net_constructor_t))add_net_interface;
 	this->public.remove_net_interface = (void(*)(kernel_interface_t*, kernel_net_constructor_t))remove_net_interface;
 	
-	this->public.create_interfaces = (void (*)(kernel_interface_t*))create_interfaces;
 	this->public.destroy = (void (*)(kernel_interface_t*))destroy;
 	
-	this->ipsec_interfaces = linked_list_create();
-	this->net_interfaces = linked_list_create();
-	this->mutex = mutex_create(MUTEX_RECURSIVE);
 	this->ipsec = NULL;
 	this->net = NULL;
 	
diff --git a/src/charon/kernel/kernel_interface.h b/src/charon/kernel/kernel_interface.h
index 29a07f74f..8c58c959a 100644
--- a/src/charon/kernel/kernel_interface.h
+++ b/src/charon/kernel/kernel_interface.h
@@ -14,8 +14,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: kernel_interface.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -145,14 +143,15 @@ struct kernel_interface_t {
 	/**
 	 * Delete a previously installed SA from the SAD.
 	 * 
+	 * @param src			source address for this SA
 	 * @param dst			destination address for this SA
 	 * @param spi			SPI allocated by us or remote peer
 	 * @param protocol		protocol for this SA (ESP/AH)
 	 * @param cpi			CPI for IPComp or 0
 	 * @return				SUCCESS if operation completed
 	 */
-	status_t (*del_sa) (kernel_interface_t *this, host_t *dst, u_int32_t spi,
-						protocol_id_t protocol, u_int16_t cpi);
+	status_t (*del_sa) (kernel_interface_t *this, host_t *src, host_t *dst,
+						u_int32_t spi, protocol_id_t protocol, u_int16_t cpi);
 	
 	/**
 	 * Add a policy to the SPD.
@@ -363,11 +362,6 @@ struct kernel_interface_t {
 	 */
 	void (*remove_net_interface)(kernel_interface_t *this, kernel_net_constructor_t create);
 	
-	/**
-	 * Create the kernel interfaces classes.
-	 */
-	void (*create_interfaces)(kernel_interface_t *this);
-	
 	/**
 	 * Destroys a kernel_interface_manager_t object.
 	 */
diff --git a/src/charon/kernel/kernel_ipsec.c b/src/charon/kernel/kernel_ipsec.c
index 1fef2acca..45eef4907 100644
--- a/src/charon/kernel/kernel_ipsec.c
+++ b/src/charon/kernel/kernel_ipsec.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: kernel_ipsec.c 4430 2008-10-14 08:46:31Z tobias $
  */
 
 #include "kernel_ipsec.h"
diff --git a/src/charon/kernel/kernel_ipsec.h b/src/charon/kernel/kernel_ipsec.h
index 24834c4b1..6e8c5bc63 100644
--- a/src/charon/kernel/kernel_ipsec.h
+++ b/src/charon/kernel/kernel_ipsec.h
@@ -14,8 +14,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: kernel_ipsec.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -35,17 +33,15 @@ typedef struct kernel_ipsec_t kernel_ipsec_t;
 #include <encoding/payloads/proposal_substructure.h>
 
 /**
- * Mode of an CHILD_SA.
- *
- * These are equal to those defined in XFRM, so don't change.
+ * Mode of a CHILD_SA.
  */
 enum ipsec_mode_t {
 	/** transport mode, no inner address */
-	MODE_TRANSPORT = 0,
+	MODE_TRANSPORT = 1,
 	/** tunnel mode, inner and outer addresses */
-	MODE_TUNNEL = 1,
+	MODE_TUNNEL,
 	/** BEET mode, tunnel mode but fixed, bound inner addresses */
-	MODE_BEET = 4,
+	MODE_BEET,
 };
 
 /**
@@ -177,14 +173,15 @@ struct kernel_ipsec_t {
 	/**
 	 * Delete a previusly installed SA from the SAD.
 	 * 
+	 * @param src			source address for this SA
 	 * @param dst			destination address for this SA
 	 * @param spi			SPI allocated by us or remote peer
 	 * @param protocol		protocol for this SA (ESP/AH)
 	 * @param cpi			CPI for IPComp or 0
 	 * @return				SUCCESS if operation completed
 	 */
-	status_t (*del_sa) (kernel_ipsec_t *this, host_t *dst, u_int32_t spi,
-						protocol_id_t protocol, u_int16_t cpi);
+	status_t (*del_sa) (kernel_ipsec_t *this, host_t *src, host_t *dst,
+						u_int32_t spi, protocol_id_t protocol, u_int16_t cpi);
 	
 	/**
 	 * Add a policy to the SPD.
diff --git a/src/charon/kernel/kernel_net.h b/src/charon/kernel/kernel_net.h
index df73bc1f9..02242f3a8 100644
--- a/src/charon/kernel/kernel_net.h
+++ b/src/charon/kernel/kernel_net.h
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: kernel_net.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/charon/network/packet.c b/src/charon/network/packet.c
index b47e6322f..fd3a274bd 100644
--- a/src/charon/network/packet.c
+++ b/src/charon/network/packet.c
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: packet.c 3589 2008-03-13 14:14:44Z martin $
  */
 
 #include "packet.h"
diff --git a/src/charon/network/packet.h b/src/charon/network/packet.h
index 8c1a07ab5..aacb203e9 100644
--- a/src/charon/network/packet.h
+++ b/src/charon/network/packet.h
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: packet.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/charon/network/receiver.c b/src/charon/network/receiver.c
index 7f55df4d2..ab4d6d592 100644
--- a/src/charon/network/receiver.c
+++ b/src/charon/network/receiver.c
@@ -13,8 +13,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: receiver.c 4699 2008-11-26 09:22:19Z tobias $
  */
 
 #include <stdlib.h>
@@ -57,56 +55,56 @@ struct private_receiver_t {
 	 * Threads job receiving packets
 	 */
 	callback_job_t *job;
-
+	
 	/**
 	 * Assigned thread.
 	 */
 	pthread_t assigned_thread;
 	 
- 	/**
- 	 * current secret to use for cookie calculation
- 	 */
- 	char secret[SECRET_LENGTH];
- 	
- 	/**
- 	 * previous secret used to verify older cookies
- 	 */
- 	char secret_old[SECRET_LENGTH];
- 	
- 	/**
- 	 * how many times we have used "secret" so far
- 	 */
- 	u_int32_t secret_used;
- 	
- 	/**
- 	 * time we did the cookie switch
- 	 */
- 	u_int32_t secret_switch;
- 	
- 	/**
- 	 * time offset to use, hides our system time
- 	 */
- 	u_int32_t secret_offset;
- 	
- 	/**
- 	 * the RNG to use for secret generation
- 	 */
- 	rng_t *rng;
- 	
- 	/**
- 	 * hasher to use for cookie calculation
- 	 */
- 	hasher_t *hasher;
- 	
- 	/**
- 	 * require cookies after this many half open IKE_SAs
- 	 */
- 	u_int32_t cookie_threshold;
- 	
- 	/**
- 	 * how many half open IKE_SAs per peer before blocking
- 	 */
- 	u_int32_t block_threshold;
+	/**
+	 * current secret to use for cookie calculation
+	 */
+	char secret[SECRET_LENGTH];
+	
+	/**
+	 * previous secret used to verify older cookies
+	 */
+	char secret_old[SECRET_LENGTH];
+	
+	/**
+	 * how many times we have used "secret" so far
+	 */
+	u_int32_t secret_used;
+	
+	/**
+	 * time we did the cookie switch
+	 */
+	u_int32_t secret_switch;
+	
+	/**
+	 * time offset to use, hides our system time
+	 */
+	u_int32_t secret_offset;
+	
+	/**
+	 * the RNG to use for secret generation
+	 */
+	rng_t *rng;
+	
+	/**
+	 * hasher to use for cookie calculation
+	 */
+	hasher_t *hasher;
+	
+	/**
+	 * require cookies after this many half open IKE_SAs
+	 */
+	u_int32_t cookie_threshold;
+	
+	/**
+	 * how many half open IKE_SAs per peer before blocking
+	 */
+	u_int32_t block_threshold;
 };
 
 /**
@@ -169,10 +167,10 @@ static bool cookie_verify(private_receiver_t *this, message_t *message,
 	u_int32_t t, now;
 	chunk_t reference;
 	chunk_t secret;
-
+	
 	now = time(NULL);
 	t = *(u_int32_t*)cookie.ptr;
-
+	
 	if (cookie.len != sizeof(u_int32_t) +
 			this->hasher->get_hash_size(this->hasher) || 
 		t < now - this->secret_offset - COOKIE_LIFETIME)
@@ -355,7 +353,7 @@ receiver_t *receiver_create()
 {
 	private_receiver_t *this = malloc_thing(private_receiver_t);
 	u_int32_t now = time(NULL);
-
+	
 	this->public.destroy = (void(*)(receiver_t*)) destroy;
 	
 	this->hasher = lib->crypto->create_hasher(lib->crypto, HASH_PREFERRED);
@@ -387,7 +385,7 @@ receiver_t *receiver_create()
 		this->cookie_threshold = 0;
 		this->block_threshold = 0;
 	}
-
+	
 	this->job = callback_job_create((callback_job_cb_t)receive_packets,
 									this, NULL, NULL);
 	charon->processor->queue_job(charon->processor, (job_t*)this->job);
diff --git a/src/charon/network/receiver.h b/src/charon/network/receiver.h
index 36a57df79..87797634e 100644
--- a/src/charon/network/receiver.h
+++ b/src/charon/network/receiver.h
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: receiver.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/charon/network/sender.c b/src/charon/network/sender.c
index 3295ec2df..4910fe2e8 100644
--- a/src/charon/network/sender.c
+++ b/src/charon/network/sender.c
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: sender.c 4582 2008-11-05 12:24:36Z martin $
  */
 
 #include <stdlib.h>
diff --git a/src/charon/network/sender.h b/src/charon/network/sender.h
index 0c92017e4..55f67af70 100644
--- a/src/charon/network/sender.h
+++ b/src/charon/network/sender.h
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: sender.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/charon/network/socket-raw.c b/src/charon/network/socket-raw.c
index 40218f67d..148be486c 100644
--- a/src/charon/network/socket-raw.c
+++ b/src/charon/network/socket-raw.c
@@ -13,8 +13,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: socket-raw.c 4646 2008-11-13 07:15:45Z martin $
  */
 
 /* for struct in6_pktinfo */
@@ -374,7 +372,7 @@ status_t sender(private_socket_t *this, packet_t *packet)
 	msg.msg_iovlen = 1;
 	msg.msg_flags = 0;
 	
-	if (!dst->is_anyaddr(dst))
+	if (!src->is_anyaddr(src))
 	{
 		if (family == AF_INET)
 		{
diff --git a/src/charon/network/socket.c b/src/charon/network/socket.c
index 8c516a9da..8627ca76d 100644
--- a/src/charon/network/socket.c
+++ b/src/charon/network/socket.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006-2008 Tobias Brunner
+ * Copyright (C) 2006-2009 Tobias Brunner
  * Copyright (C) 2006 Daniel Roethlisberger
  * Copyright (C) 2005-2007 Martin Willi
  * Copyright (C) 2005 Jan Hutter
@@ -14,8 +14,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: socket.c 4688 2008-11-24 08:22:05Z martin $
  */
 
 /* for struct in6_pktinfo */
@@ -30,12 +28,11 @@
 #include <stdlib.h>
 #include <fcntl.h>
 #include <sys/ioctl.h>
+#include <netinet/in_systm.h>
 #include <netinet/in.h>
 #include <netinet/ip.h>
 #include <netinet/ip6.h>
 #include <netinet/udp.h>
-#include <linux/types.h>
-#include <linux/filter.h>
 #include <net/if.h>
 
 #include "socket.h"
@@ -54,10 +51,23 @@
 #define UDP_ENCAP_ESPINUDP 2
 #endif /*UDP_ENCAP_ESPINUDP*/
 
-/* needed for older kernel headers */
-#ifndef IPV6_2292PKTINFO
-#define IPV6_2292PKTINFO 2
-#endif /*IPV6_2292PKTINFO*/
+/* these are not defined on some platforms */
+#ifndef SOL_IP
+#define SOL_IP IPPROTO_IP
+#endif
+#ifndef SOL_IPV6
+#define SOL_IPV6 IPPROTO_IPV6
+#endif
+#ifndef SOL_UDP
+#define SOL_UDP IPPROTO_UDP
+#endif
+
+/* IPV6_RECVPKTINFO is defined in RFC 3542 which obsoletes RFC 2292 that
+ * previously defined IPV6_PKTINFO */
+#ifndef IPV6_RECVPKTINFO
+#define IPV6_RECVPKTINFO IPV6_PKTINFO;
+#endif
+
 
 typedef struct private_socket_t private_socket_t;
 
@@ -68,27 +78,27 @@ struct private_socket_t {
 	/**
 	 * public functions
 	 */
-	 socket_t public;
-	 
-	 /**
-	  * IPv4 socket (500)
-	  */
-	 int ipv4;
-	 
-	 /**
-	  * IPv4 socket for NATT (4500)
-	  */
-	 int ipv4_natt;
-	 
-	 /**
-	  * IPv6 socket (500)
-	  */
-	 int ipv6;
+	socket_t public;
+	
+	/**
+	 * IPv4 socket (500)
+	 */
+	int ipv4;
 	 
-	 /**
-	  * IPv6 socket for NATT (4500)
-	  */
-	 int ipv6_natt;
+	/**
+	 * IPv4 socket for NATT (4500)
+	 */
+	int ipv4_natt;
+	
+	/**
+	 * IPv6 socket (500)
+	 */
+	int ipv6;
+	
+	/**
+	 * IPv6 socket for NATT (4500)
+	 */
+	int ipv6_natt;
 };
 
 /**
@@ -104,8 +114,8 @@ static status_t receiver(private_socket_t *this, packet_t **packet)
 	int data_offset, oldstate;
 	fd_set rfds;
 	int max_fd = 0, selected = 0;
-	u_int16_t port;
-
+	u_int16_t port = 0;
+	
 	FD_ZERO(&rfds);
 	
 	if (this->ipv4)
@@ -201,7 +211,7 @@ static status_t receiver(private_socket_t *this, packet_t **packet)
 			}
 			
 			if (cmsgptr->cmsg_level == SOL_IPV6 &&
-				cmsgptr->cmsg_type == IPV6_2292PKTINFO)
+				cmsgptr->cmsg_type == IPV6_PKTINFO)
 			{
 				struct in6_pktinfo *pktinfo;
 				pktinfo = (struct in6_pktinfo*)CMSG_DATA(cmsgptr);
@@ -214,14 +224,28 @@ static status_t receiver(private_socket_t *this, packet_t **packet)
 				dest = host_create_from_sockaddr((sockaddr_t*)&dst);
 			}
 			if (cmsgptr->cmsg_level == SOL_IP &&
-				cmsgptr->cmsg_type == IP_PKTINFO)
-			{			
+#ifdef IP_PKTINFO
+				cmsgptr->cmsg_type == IP_PKTINFO
+#elif defined(IP_RECVDSTADDR)
+				cmsgptr->cmsg_type == IP_RECVDSTADDR
+#else
+				FALSE
+#endif
+				)
+			{
+				struct in_addr *addr;
+				struct sockaddr_in dst;
+
+#ifdef IP_PKTINFO
 				struct in_pktinfo *pktinfo;
 				pktinfo = (struct in_pktinfo*)CMSG_DATA(cmsgptr);
-				struct sockaddr_in dst;
-				
+				addr = &pktinfo->ipi_addr;
+#elif defined(IP_RECVDSTADDR)
+				addr = (struct in_addr*)CMSG_DATA(cmsgptr);
+#endif
 				memset(&dst, 0, sizeof(dst));
-				memcpy(&dst.sin_addr, &pktinfo->ipi_addr, sizeof(dst.sin_addr));
+				memcpy(&dst.sin_addr, addr, sizeof(dst.sin_addr));
+				
 				dst.sin_family = AF_INET;
 				dst.sin_port = htons(port);
 				dest = host_create_from_sockaddr((sockaddr_t*)&dst);
@@ -340,24 +364,37 @@ status_t sender(private_socket_t *this, packet_t *packet)
 	msg.msg_iovlen = 1;
 	msg.msg_flags = 0;
 	
-	if (!dst->is_anyaddr(dst))
+	if (!src->is_anyaddr(src))
 	{
 		if (family == AF_INET)
 		{
+#if defined(IP_PKTINFO) || defined(IP_SENDSRCADDR)
+			struct in_addr *addr;
+			struct sockaddr_in *sin;
+#ifdef IP_PKTINFO
 			char buf[CMSG_SPACE(sizeof(struct in_pktinfo))];
 			struct in_pktinfo *pktinfo;
-			struct sockaddr_in *sin;
-			
+#elif defined(IP_SENDSRCADDR)
+			char buf[CMSG_SPACE(sizeof(struct in_addr))];
+#endif
 			msg.msg_control = buf;
 			msg.msg_controllen = sizeof(buf);
 			cmsg = CMSG_FIRSTHDR(&msg);
 			cmsg->cmsg_level = SOL_IP;
+#ifdef IP_PKTINFO
 			cmsg->cmsg_type = IP_PKTINFO;
 			cmsg->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo));
 			pktinfo = (struct in_pktinfo*)CMSG_DATA(cmsg);
 			memset(pktinfo, 0, sizeof(struct in_pktinfo));
+			addr = &pktinfo->ipi_spec_dst;
+#elif defined(IP_SENDSRCADDR)
+			cmsg->cmsg_type = IP_SENDSRCADDR;
+			cmsg->cmsg_len = CMSG_LEN(sizeof(struct in_addr));
+			addr = (struct in_addr*)CMSG_DATA(cmsg);
+#endif
 			sin = (struct sockaddr_in*)src->get_sockaddr(src);
-			memcpy(&pktinfo->ipi_spec_dst, &sin->sin_addr, sizeof(struct in_addr));
+			memcpy(addr, &sin->sin_addr, sizeof(struct in_addr));
+#endif /* IP_PKTINFO || IP_SENDSRCADDR */
 		}
 		else
 		{
@@ -369,7 +406,7 @@ status_t sender(private_socket_t *this, packet_t *packet)
 			msg.msg_controllen = sizeof(buf);
 			cmsg = CMSG_FIRSTHDR(&msg);
 			cmsg->cmsg_level = SOL_IPV6;
-			cmsg->cmsg_type = IPV6_2292PKTINFO;
+			cmsg->cmsg_type = IPV6_PKTINFO;
 			cmsg->cmsg_len = CMSG_LEN(sizeof(struct in6_pktinfo));
 			pktinfo = (struct in6_pktinfo*)CMSG_DATA(cmsg);
 			memset(pktinfo, 0, sizeof(struct in6_pktinfo));
@@ -389,14 +426,15 @@ status_t sender(private_socket_t *this, packet_t *packet)
 }
 
 /**
- * open a socket to send packets
+ * open a socket to send and receive packets
  */
 static int open_socket(private_socket_t *this, int family, u_int16_t port)
 {
 	int on = TRUE;
 	int type = UDP_ENCAP_ESPINUDP;
 	struct sockaddr_storage addr;
-	u_int sol, pktinfo;
+	socklen_t addrlen;
+	u_int sol, pktinfo = 0;
 	int skt;
 	
 	memset(&addr, 0, sizeof(addr));
@@ -409,8 +447,13 @@ static int open_socket(private_socket_t *this, int family, u_int16_t port)
 			sin->sin_family = AF_INET;
 			sin->sin_addr.s_addr = INADDR_ANY;
 			sin->sin_port = htons(port);
+			addrlen = sizeof(struct sockaddr_in);
 			sol = SOL_IP;
+#ifdef IP_PKTINFO
 			pktinfo = IP_PKTINFO;
+#elif defined(IP_RECVDSTADDR)
+			pktinfo = IP_RECVDSTADDR;
+#endif
 			break;
 		}
 		case AF_INET6:
@@ -419,8 +462,9 @@ static int open_socket(private_socket_t *this, int family, u_int16_t port)
 			sin6->sin6_family = AF_INET6;
 			memcpy(&sin6->sin6_addr, &in6addr_any, sizeof(in6addr_any));
 			sin6->sin6_port = htons(port);
+			addrlen = sizeof(struct sockaddr_in6);
 			sol = SOL_IPV6;
-			pktinfo = IPV6_2292PKTINFO;
+			pktinfo = IPV6_RECVPKTINFO;
 			break;
 		}
 		default:
@@ -440,8 +484,8 @@ static int open_socket(private_socket_t *this, int family, u_int16_t port)
 		return 0;
 	}
 	
-	/* bind the send socket */
-	if (bind(skt, (struct sockaddr *)&addr, sizeof(addr)) < 0)
+	/* bind the socket */
+	if (bind(skt, (struct sockaddr *)&addr, addrlen) < 0)
 	{
 		DBG1(DBG_NET, "unable to bind socket: %s", strerror(errno));
 		close(skt);
@@ -449,11 +493,14 @@ static int open_socket(private_socket_t *this, int family, u_int16_t port)
 	}
 	
 	/* get additional packet info on receive */
-	if (setsockopt(skt, sol, pktinfo, &on, sizeof(on)) < 0)
+	if (pktinfo > 0)
 	{
-		DBG1(DBG_NET, "unable to set IP_PKTINFO on socket: %s", strerror(errno));
-		close(skt);
-		return 0;
+		if (setsockopt(skt, sol, pktinfo, &on, sizeof(on)) < 0)
+		{
+			DBG1(DBG_NET, "unable to set IP_PKTINFO on socket: %s", strerror(errno));
+			close(skt);
+			return 0;
+		}
 	}
 	
 	/* enable UDP decapsulation globally, only for one socket needed */
@@ -578,7 +625,7 @@ socket_t *socket_create()
 			DBG1(DBG_NET, "could not open IPv4 NAT-T socket");
 		}
 	}
-
+	
 	this->ipv6 = open_socket(this, AF_INET6, IKEV2_UDP_PORT);
 	if (this->ipv6 == 0)
 	{
diff --git a/src/charon/network/socket.h b/src/charon/network/socket.h
index af5d64edf..81f2ec5fe 100644
--- a/src/charon/network/socket.h
+++ b/src/charon/network/socket.h
@@ -13,8 +13,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: socket.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/charon/plugins/attr/Makefile.am b/src/charon/plugins/attr/Makefile.am
new file mode 100644
index 000000000..d5eb99d9f
--- /dev/null
+++ b/src/charon/plugins/attr/Makefile.am
@@ -0,0 +1,9 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
+
+AM_CFLAGS = -rdynamic
+
+plugin_LTLIBRARIES = libstrongswan-attr.la
+libstrongswan_attr_la_SOURCES = attr_plugin.h attr_plugin.c \
+  attr_provider.h attr_provider.c
+libstrongswan_attr_la_LDFLAGS = -module
diff --git a/src/charon/plugins/attr/Makefile.in b/src/charon/plugins/attr/Makefile.in
new file mode 100644
index 000000000..c0467054e
--- /dev/null
+++ b/src/charon/plugins/attr/Makefile.in
@@ -0,0 +1,507 @@
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/charon/plugins/attr
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__installdirs = "$(DESTDIR)$(plugindir)"
+pluginLTLIBRARIES_INSTALL = $(INSTALL)
+LTLIBRARIES = $(plugin_LTLIBRARIES)
+libstrongswan_attr_la_LIBADD =
+am_libstrongswan_attr_la_OBJECTS = attr_plugin.lo attr_provider.lo
+libstrongswan_attr_la_OBJECTS = $(am_libstrongswan_attr_la_OBJECTS)
+libstrongswan_attr_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_attr_la_LDFLAGS) $(LDFLAGS) -o $@
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_attr_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_attr_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
+IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LINUX_HEADERS = @LINUX_HEADERS@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+RANLIB = @RANLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+confdir = @confdir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libstrongswan_plugins = @libstrongswan_plugins@
+linuxdir = @linuxdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+resolv_conf = @resolv_conf@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+simreader = @simreader@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
+AM_CFLAGS = -rdynamic
+plugin_LTLIBRARIES = libstrongswan-attr.la
+libstrongswan_attr_la_SOURCES = attr_plugin.h attr_plugin.c \
+  attr_provider.h attr_provider.c
+
+libstrongswan_attr_la_LDFLAGS = -module
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/charon/plugins/attr/Makefile'; \
+	cd $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu  src/charon/plugins/attr/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    f=$(am__strip_dir) \
+	    echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(plugindir)/$$f'"; \
+	    $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(plugindir)/$$f"; \
+	  else :; fi; \
+	done
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  p=$(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$p'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$p"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-attr.la: $(libstrongswan_attr_la_OBJECTS) $(libstrongswan_attr_la_DEPENDENCIES) 
+	$(libstrongswan_attr_la_LINK) -rpath $(plugindir) $(libstrongswan_attr_la_OBJECTS) $(libstrongswan_attr_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/attr_plugin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/attr_provider.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	    $$tags $$unique; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$tags $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) $$here
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	    fi; \
+	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
+	mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-info: install-info-am
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
+	distclean-compile distclean-generic distclean-libtool \
+	distclean-tags distdir dvi dvi-am html html-am info info-am \
+	install install-am install-data install-data-am install-dvi \
+	install-dvi-am install-exec install-exec-am install-html \
+	install-html-am install-info install-info-am install-man \
+	install-pdf install-pdf-am install-pluginLTLIBRARIES \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/charon/plugins/attr/attr_plugin.c b/src/charon/plugins/attr/attr_plugin.c
new file mode 100644
index 000000000..9d5532310
--- /dev/null
+++ b/src/charon/plugins/attr/attr_plugin.c
@@ -0,0 +1,63 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "attr_plugin.h"
+#include "attr_provider.h"
+
+#include <daemon.h>
+
+typedef struct private_attr_plugin_t private_attr_plugin_t;
+
+/**
+ * private data of attr plugin
+ */
+struct private_attr_plugin_t {
+	
+	/**
+	 * implements plugin interface
+	 */
+	attr_plugin_t public;
+	
+	/**
+	 * CFG attributes provider
+	 */
+	attr_provider_t *provider;
+};
+
+/**
+ * Implementation of plugin_t.destroy
+ */
+static void destroy(private_attr_plugin_t *this)
+{
+	charon->attributes->remove_provider(charon->attributes, &this->provider->provider);
+	this->provider->destroy(this->provider);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *plugin_create()
+{
+	private_attr_plugin_t *this = malloc_thing(private_attr_plugin_t);
+	
+	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+	
+	this->provider = attr_provider_create();
+	charon->attributes->add_provider(charon->attributes, &this->provider->provider);
+	
+	return &this->public.plugin;
+}
+
diff --git a/src/charon/plugins/attr/attr_plugin.h b/src/charon/plugins/attr/attr_plugin.h
new file mode 100644
index 000000000..9cbbd8bf5
--- /dev/null
+++ b/src/charon/plugins/attr/attr_plugin.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup attr attr
+ * @ingroup cplugins
+ *
+ * @defgroup attr_plugin attr_plugin
+ * @{ @ingroup attr
+ */
+
+#ifndef ATTR_PLUGIN_H_
+#define ATTR_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct attr_plugin_t attr_plugin_t;
+
+/**
+ * Plugin providing configuration attribute through strongswan.conf.
+ */
+struct attr_plugin_t {
+	
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+/**
+ * Create a attr_plugin instance.
+ */
+plugin_t *plugin_create();
+
+#endif /** ATTR_PLUGIN_H_ @}*/
diff --git a/src/charon/plugins/attr/attr_provider.c b/src/charon/plugins/attr/attr_provider.c
new file mode 100644
index 000000000..02fa11327
--- /dev/null
+++ b/src/charon/plugins/attr/attr_provider.c
@@ -0,0 +1,154 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "attr_provider.h"
+
+#include <time.h>
+
+#include <daemon.h>
+
+#define SERVER_MAX		2
+
+typedef struct private_attr_provider_t private_attr_provider_t;
+typedef struct attribute_entry_t attribute_entry_t;
+
+/**
+ * private data of attr_provider
+ */
+struct private_attr_provider_t {
+	
+	/**
+	 * public functions
+	 */
+	attr_provider_t public;
+	
+	/**
+	 * List of attributes, attribute_entry_t
+	 */
+	linked_list_t *attributes;
+};
+
+struct attribute_entry_t {
+	/** type of attribute */
+	configuration_attribute_type_t type;
+	/** attribute value */
+	chunk_t value;
+};
+
+/**
+ * convert enumerator value from attribute_entry
+ */
+static bool attr_enum_filter(void *null, attribute_entry_t **in,
+			configuration_attribute_type_t *type, void* none, chunk_t *value)
+{
+	*type = (*in)->type;
+	*value = (*in)->value;
+	return TRUE;
+}
+
+/**
+ * Implementation of attribute_provider_t.create_attribute_enumerator
+ */
+static enumerator_t* create_attribute_enumerator(
+					private_attr_provider_t *this, identification_t *id)
+{
+	return enumerator_create_filter(
+						this->attributes->create_enumerator(this->attributes),
+						(void*)attr_enum_filter, NULL, NULL);
+}
+
+/**
+ * Implementation of attr_provider_t.destroy
+ */
+static void destroy(private_attr_provider_t *this)
+{
+	attribute_entry_t *entry;
+	
+	while (this->attributes->remove_last(this->attributes,
+										 (void**)&entry) == SUCCESS)
+	{
+		free(entry->value.ptr);
+		free(entry);
+	}
+	this->attributes->destroy(this->attributes);
+	free(this);
+}
+
+/**
+ * Add an attribute entry to the list
+ */
+static void add_entry(private_attr_provider_t *this, char *key, int nr,
+					  configuration_attribute_type_t type)
+{
+	attribute_entry_t *entry;
+	host_t *host;
+	char *str;
+	
+	str = lib->settings->get_str(lib->settings, "charon.%s%d", NULL, key, nr);
+	if (str)
+	{
+		host = host_create_from_string(str, 0);
+		if (host)
+		{
+			entry = malloc_thing(attribute_entry_t);
+			
+			if (host->get_family(host) == AF_INET6)
+			{
+				switch (type)
+				{
+					case INTERNAL_IP4_DNS:
+						type = INTERNAL_IP6_DNS;
+						break;
+					case INTERNAL_IP4_NBNS:
+						type = INTERNAL_IP6_NBNS;
+						break;
+					default:
+						break;
+				}
+			}
+			entry->type = type;
+			entry->value = chunk_clone(host->get_address(host));
+			host->destroy(host);
+			this->attributes->insert_last(this->attributes, entry);
+		}
+	}
+}
+
+/*
+ * see header file
+ */
+attr_provider_t *attr_provider_create(database_t *db)
+{
+	private_attr_provider_t *this;
+	int i;
+	
+	this = malloc_thing(private_attr_provider_t);
+	
+	this->public.provider.acquire_address = (host_t*(*)(attribute_provider_t *this, char*, identification_t *, host_t *))return_null;
+	this->public.provider.release_address = (bool(*)(attribute_provider_t *this, char*,host_t *, identification_t*))return_false;
+	this->public.provider.create_attribute_enumerator = (enumerator_t*(*)(attribute_provider_t*, identification_t *id))create_attribute_enumerator;
+	this->public.destroy = (void(*)(attr_provider_t*))destroy;
+	
+	this->attributes = linked_list_create();
+	
+	for (i = 1; i <= SERVER_MAX; i++)
+	{
+		add_entry(this, "dns", i, INTERNAL_IP4_DNS);
+		add_entry(this, "nbns", i, INTERNAL_IP4_NBNS);
+	}
+	
+	return &this->public;
+}
+
diff --git a/src/charon/plugins/attr/attr_provider.h b/src/charon/plugins/attr/attr_provider.h
new file mode 100644
index 000000000..03cbadb4e
--- /dev/null
+++ b/src/charon/plugins/attr/attr_provider.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup attr_provider attr_provider
+ * @{ @ingroup attr
+ */
+
+#ifndef ATTR_PROVIDER_H_
+#define ATTR_PROVIDER_H_
+
+#include <config/attributes/attribute_provider.h>
+
+typedef struct attr_provider_t attr_provider_t;
+
+/**
+ * Provide configuration attributes through static strongswan.conf definition.
+ */
+struct attr_provider_t {
+	
+	/**
+	 * Implements attribute provider interface
+	 */
+	attribute_provider_t provider;
+	
+	/**
+	 * Destroy a attr_provider instance.
+	 */
+	void (*destroy)(attr_provider_t *this);
+};
+
+/**
+ * Create a attr_provider instance.
+ */
+attr_provider_t *attr_provider_create();
+
+#endif /** ATTR_PROVIDER @}*/
diff --git a/src/charon/plugins/eap_aka/Makefile.in b/src/charon/plugins/eap_aka/Makefile.in
index 47eece7ab..74d49ac73 100644
--- a/src/charon/plugins/eap_aka/Makefile.in
+++ b/src/charon/plugins/eap_aka/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -88,6 +88,7 @@ CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -110,6 +111,9 @@ LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -121,6 +125,7 @@ MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
 NM = @NM@
 NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
@@ -134,6 +139,8 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 RANLIB = @RANLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -194,6 +201,7 @@ oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
 plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -205,6 +213,7 @@ srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 xml_CFLAGS = @xml_CFLAGS@
@@ -223,8 +232,8 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
 	    *$$dep*) \
-	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
-		&& exit 0; \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
 	      exit 1;; \
 	  esac; \
 	done; \
@@ -319,7 +328,7 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
 	mkid -fID $$unique
 tags: TAGS
diff --git a/src/charon/plugins/eap_aka/eap_aka.c b/src/charon/plugins/eap_aka/eap_aka.c
index bb3825d3d..82ee6c3f0 100644
--- a/src/charon/plugins/eap_aka/eap_aka.c
+++ b/src/charon/plugins/eap_aka/eap_aka.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: eap_aka.c 4628 2008-11-11 15:19:13Z martin $
  */
 
 
@@ -880,7 +878,7 @@ static status_t server_initiate_challenge(private_eap_aka_t *this, chunk_t sqn,
 	/* Get the shared key K: */
 	if (load_key(this->server, this->peer, &this->k) != SUCCESS)
 	{
-		DBG1(DBG_IKE, "no shared key found for IDs '%D' - '%D' to authenticate "
+		DBG1(DBG_IKE, "no shared key found for IDs '%Y' - '%Y' to authenticate "
 				"with EAP-AKA", this->server, this->peer);
 		return FAILED;
 	}
@@ -1202,7 +1200,7 @@ static status_t peer_process_challenge(private_eap_aka_t *this,
 	{
 	 	*out = build_aka_payload(this, EAP_RESPONSE, identifier,
 	 							 AKA_AUTHENTICATION_REJECT, AT_END);
-		DBG3(DBG_IKE, "no shared key found for IDs '%D' - '%D' to authenticate "
+		DBG3(DBG_IKE, "no shared key found for IDs '%Y' - '%Y' to authenticate "
 			 "with EAP-AKA, sending %N", this->peer, this->server,
 			 aka_subtype_names, AKA_AUTHENTICATION_REJECT);
 		return NEED_MORE;
diff --git a/src/charon/plugins/eap_aka/eap_aka.h b/src/charon/plugins/eap_aka/eap_aka.h
index 196eaf429..7686802cf 100644
--- a/src/charon/plugins/eap_aka/eap_aka.h
+++ b/src/charon/plugins/eap_aka/eap_aka.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: eap_aka.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/charon/plugins/eap_aka/eap_aka_plugin.c b/src/charon/plugins/eap_aka/eap_aka_plugin.c
index 5c15b6d7e..e4a5326fe 100644
--- a/src/charon/plugins/eap_aka/eap_aka_plugin.c
+++ b/src/charon/plugins/eap_aka/eap_aka_plugin.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: eap_aka_plugin.c 3491 2008-02-22 14:04:00Z martin $
  */
 
 #include "eap_aka_plugin.h"
diff --git a/src/charon/plugins/eap_aka/eap_aka_plugin.h b/src/charon/plugins/eap_aka/eap_aka_plugin.h
index 5fdc5c768..2c086ca80 100644
--- a/src/charon/plugins/eap_aka/eap_aka_plugin.h
+++ b/src/charon/plugins/eap_aka/eap_aka_plugin.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: eap_aka_plugin.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/charon/plugins/eap_gtc/Makefile.in b/src/charon/plugins/eap_gtc/Makefile.in
index 0e8245804..19d648bbd 100644
--- a/src/charon/plugins/eap_gtc/Makefile.in
+++ b/src/charon/plugins/eap_gtc/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -88,6 +88,7 @@ CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -110,6 +111,9 @@ LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -121,6 +125,7 @@ MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
 NM = @NM@
 NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
@@ -134,6 +139,8 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 RANLIB = @RANLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -194,6 +201,7 @@ oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
 plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -205,6 +213,7 @@ srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 xml_CFLAGS = @xml_CFLAGS@
@@ -222,8 +231,8 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
 	    *$$dep*) \
-	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
-		&& exit 0; \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
 	      exit 1;; \
 	  esac; \
 	done; \
@@ -318,7 +327,7 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
 	mkid -fID $$unique
 tags: TAGS
diff --git a/src/charon/plugins/eap_gtc/eap_gtc.c b/src/charon/plugins/eap_gtc/eap_gtc.c
index 0a93a90f6..cb4ab2e59 100644
--- a/src/charon/plugins/eap_gtc/eap_gtc.c
+++ b/src/charon/plugins/eap_gtc/eap_gtc.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: eap_gtc.c 3806 2008-04-15 05:56:35Z martin $
  */
  
 #include "eap_gtc.h"
@@ -174,7 +172,7 @@ static status_t process_peer(private_eap_gtc_t *this,
 											 this->peer, this->server);
 	if (shared == NULL)
 	{
-		DBG1(DBG_IKE, "no EAP key found for '%D' - '%D'",
+		DBG1(DBG_IKE, "no EAP key found for '%Y' - '%Y'",
 			 this->peer, this->server);
 		return FAILED;
 	}
diff --git a/src/charon/plugins/eap_gtc/eap_gtc.h b/src/charon/plugins/eap_gtc/eap_gtc.h
index 722881249..2eb8482f8 100644
--- a/src/charon/plugins/eap_gtc/eap_gtc.h
+++ b/src/charon/plugins/eap_gtc/eap_gtc.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: eap_gtc.h 3589 2008-03-13 14:14:44Z martin $
  */
 
 /**
diff --git a/src/charon/plugins/eap_gtc/eap_gtc_plugin.c b/src/charon/plugins/eap_gtc/eap_gtc_plugin.c
index cea88ef9f..fda6c744a 100644
--- a/src/charon/plugins/eap_gtc/eap_gtc_plugin.c
+++ b/src/charon/plugins/eap_gtc/eap_gtc_plugin.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 #include "eap_gtc_plugin.h"
diff --git a/src/charon/plugins/eap_gtc/eap_gtc_plugin.h b/src/charon/plugins/eap_gtc/eap_gtc_plugin.h
index f858f0d15..abb6bdcb6 100644
--- a/src/charon/plugins/eap_gtc/eap_gtc_plugin.h
+++ b/src/charon/plugins/eap_gtc/eap_gtc_plugin.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 /**
diff --git a/src/charon/plugins/eap_identity/Makefile.in b/src/charon/plugins/eap_identity/Makefile.in
index 212df3a94..f275cd770 100644
--- a/src/charon/plugins/eap_identity/Makefile.in
+++ b/src/charon/plugins/eap_identity/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -90,6 +90,7 @@ CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -112,6 +113,9 @@ LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -123,6 +127,7 @@ MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
 NM = @NM@
 NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
@@ -136,6 +141,8 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 RANLIB = @RANLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -196,6 +203,7 @@ oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
 plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -207,6 +215,7 @@ srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 xml_CFLAGS = @xml_CFLAGS@
@@ -226,8 +235,8 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
 	    *$$dep*) \
-	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
-		&& exit 0; \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
 	      exit 1;; \
 	  esac; \
 	done; \
@@ -322,7 +331,7 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
 	mkid -fID $$unique
 tags: TAGS
diff --git a/src/charon/plugins/eap_identity/eap_identity.c b/src/charon/plugins/eap_identity/eap_identity.c
index deaa183f4..e43c50c50 100644
--- a/src/charon/plugins/eap_identity/eap_identity.c
+++ b/src/charon/plugins/eap_identity/eap_identity.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: eap_identity.c 4276 2008-08-22 10:44:51Z martin $
  */
 
 #include "eap_identity.h"
diff --git a/src/charon/plugins/eap_identity/eap_identity.h b/src/charon/plugins/eap_identity/eap_identity.h
index 60f62e17c..7364a8bda 100644
--- a/src/charon/plugins/eap_identity/eap_identity.h
+++ b/src/charon/plugins/eap_identity/eap_identity.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: eap_identity.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/charon/plugins/eap_identity/eap_identity_plugin.c b/src/charon/plugins/eap_identity/eap_identity_plugin.c
index 1393a21a0..809254ccb 100644
--- a/src/charon/plugins/eap_identity/eap_identity_plugin.c
+++ b/src/charon/plugins/eap_identity/eap_identity_plugin.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: eap_identity_plugin.c 4276 2008-08-22 10:44:51Z martin $
  */
 
 #include "eap_identity_plugin.h"
diff --git a/src/charon/plugins/eap_identity/eap_identity_plugin.h b/src/charon/plugins/eap_identity/eap_identity_plugin.h
index ddb3ed457..0a7fb8228 100644
--- a/src/charon/plugins/eap_identity/eap_identity_plugin.h
+++ b/src/charon/plugins/eap_identity/eap_identity_plugin.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: eap_identity_plugin.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/charon/plugins/eap_md5/Makefile.in b/src/charon/plugins/eap_md5/Makefile.in
index 7009f6488..372b80b3e 100644
--- a/src/charon/plugins/eap_md5/Makefile.in
+++ b/src/charon/plugins/eap_md5/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -88,6 +88,7 @@ CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -110,6 +111,9 @@ LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -121,6 +125,7 @@ MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
 NM = @NM@
 NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
@@ -134,6 +139,8 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 RANLIB = @RANLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -194,6 +201,7 @@ oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
 plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -205,6 +213,7 @@ srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 xml_CFLAGS = @xml_CFLAGS@
@@ -222,8 +231,8 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
 	    *$$dep*) \
-	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
-		&& exit 0; \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
 	      exit 1;; \
 	  esac; \
 	done; \
@@ -318,7 +327,7 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
 	mkid -fID $$unique
 tags: TAGS
diff --git a/src/charon/plugins/eap_md5/eap_md5.c b/src/charon/plugins/eap_md5/eap_md5.c
index 0781e024b..36d726947 100644
--- a/src/charon/plugins/eap_md5/eap_md5.c
+++ b/src/charon/plugins/eap_md5/eap_md5.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: eap_md5.c 4276 2008-08-22 10:44:51Z martin $
  */
  
 #include "eap_md5.h"
@@ -90,7 +88,7 @@ static status_t hash_challenge(private_eap_md5_t *this, chunk_t *response)
 											 this->server, this->peer);
 	if (shared == NULL)
 	{
-		DBG1(DBG_IKE, "no EAP key found for hosts '%D' - '%D'",
+		DBG1(DBG_IKE, "no EAP key found for hosts '%Y' - '%Y'",
 			 this->server, this->peer);
 		return NOT_FOUND;
 	}
diff --git a/src/charon/plugins/eap_md5/eap_md5.h b/src/charon/plugins/eap_md5/eap_md5.h
index 2617b9aea..3cff0dd79 100644
--- a/src/charon/plugins/eap_md5/eap_md5.h
+++ b/src/charon/plugins/eap_md5/eap_md5.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: eap_md5.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/charon/plugins/eap_md5/eap_md5_plugin.c b/src/charon/plugins/eap_md5/eap_md5_plugin.c
index cb6a9bd7c..e30152fc5 100644
--- a/src/charon/plugins/eap_md5/eap_md5_plugin.c
+++ b/src/charon/plugins/eap_md5/eap_md5_plugin.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: eap_md5_plugin.c 3491 2008-02-22 14:04:00Z martin $
  */
 
 #include "eap_md5_plugin.h"
diff --git a/src/charon/plugins/eap_md5/eap_md5_plugin.h b/src/charon/plugins/eap_md5/eap_md5_plugin.h
index 3adbcfe27..eb5b38e94 100644
--- a/src/charon/plugins/eap_md5/eap_md5_plugin.h
+++ b/src/charon/plugins/eap_md5/eap_md5_plugin.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: eap_md5_plugin.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/charon/plugins/eap_mschapv2/Makefile.in b/src/charon/plugins/eap_mschapv2/Makefile.in
index e9dcae03e..5ae41d896 100644
--- a/src/charon/plugins/eap_mschapv2/Makefile.in
+++ b/src/charon/plugins/eap_mschapv2/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -90,6 +90,7 @@ CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -112,6 +113,9 @@ LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -123,6 +127,7 @@ MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
 NM = @NM@
 NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
@@ -136,6 +141,8 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 RANLIB = @RANLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -196,6 +203,7 @@ oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
 plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -207,6 +215,7 @@ srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 xml_CFLAGS = @xml_CFLAGS@
@@ -227,8 +236,8 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
 	    *$$dep*) \
-	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
-		&& exit 0; \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
 	      exit 1;; \
 	  esac; \
 	done; \
@@ -323,7 +332,7 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
 	mkid -fID $$unique
 tags: TAGS
diff --git a/src/charon/plugins/eap_mschapv2/eap_mschapv2.c b/src/charon/plugins/eap_mschapv2/eap_mschapv2.c
index 07ca48e6f..0e3fac780 100644
--- a/src/charon/plugins/eap_mschapv2/eap_mschapv2.c
+++ b/src/charon/plugins/eap_mschapv2/eap_mschapv2.c
@@ -11,12 +11,13 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: eap_mschapv2.c 4896 2009-02-24 13:39:50Z martin $
  */
 
 #include "eap_mschapv2.h"
 
+#include <ctype.h>
+#include <unistd.h>
+
 #include <daemon.h>
 #include <library.h>
 #include <utils/enumerator.h>
@@ -141,7 +142,7 @@ ENUM_END(mschapv2_error_names, ERROR_CHANGING_PASSWORD);
 /* Name we send as authenticator */
 #define MSCHAPV2_HOST_NAME "strongSwan"
 /* Message sent on success */
-#define SUCCESS_MESSAGE " M=Welcome to strongSwan"
+#define SUCCESS_MESSAGE " M=Welcome2strongSwan"
 /* Message sent on failure */
 #define FAILURE_MESSAGE "E=691 R=1 C="
 /* Length of the complete failure message */
@@ -366,7 +367,6 @@ static status_t AuthenticatorResponse(chunk_t password_hash_hash,
 	static const chunk_t magic1 = chunk_from_buf(magic1_data);
 	static const chunk_t magic2 = chunk_from_buf(magic2_data);
 	
-	status_t status = FAILED;
 	chunk_t digest = chunk_empty, concat;
 	hasher_t *hasher;
 	
@@ -456,7 +456,7 @@ static status_t GenerateMSK(chunk_t password_hash_hash,
 	hasher->allocate_hash(hasher, concat, &master_send_key);
 	master_send_key.len = 16;
 	
-	*msk = chunk_cat("cccc", master_receive_key, keypad, master_send_key, keypad);
+	*msk = chunk_cat("cccc", master_receive_key, master_send_key, keypad, keypad);
 	
 	hasher->destroy(hasher);
 	chunk_free(&master_key);
@@ -526,6 +526,24 @@ static chunk_t ascii_to_unicode(chunk_t ascii)
 	return unicode;
 }
 
+/**
+ * sanitize a string for printing
+ */
+static char* sanitize(char *str)
+{
+	char *pos = str;
+	
+	while (pos && *pos)
+	{
+		if (!isprint(*pos))
+		{
+			*pos = '?';
+		}
+		pos++;
+	}
+	return str;
+}
+
 /**
  * Returns a chunk of just the username part of the given user identity.
  * Note: the chunk points to internal data of the identification.
@@ -535,7 +553,7 @@ static chunk_t extract_username(identification_t* identification)
 	char *has_domain;
 	chunk_t id;
 	id = identification->get_encoding(identification);
-	has_domain = (char*)memrchr(id.ptr, '\\', id.len);
+	has_domain = (char*)memchr(id.ptr, '\\', id.len);
 	if (has_domain)
 	{
 		int len;
@@ -546,6 +564,14 @@ static chunk_t extract_username(identification_t* identification)
 	return id;
 }
 
+/**
+ * Set the ms_length field using aligned write
+ */
+static void set_ms_length(eap_mschapv2_header_t *eap, u_int16_t len)
+{
+	len = htons(len - 5);
+	memcpy(&eap->ms_length, &len, sizeof(u_int16_t));
+}
 
 /**
  * Implementation of eap_method_t.initiate for the peer
@@ -567,8 +593,6 @@ static status_t initiate_server(private_eap_mschapv2_t *this, eap_payload_t **ou
 	const char *name = MSCHAPV2_HOST_NAME;
 	u_int16_t len = CHALLENGE_PAYLOAD_LEN + sizeof(MSCHAPV2_HOST_NAME) - 1;
 	
-	DBG1(DBG_IKE, "initiating EAP-MS-CHAPv2");
-	
 	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
 	if (!rng)
 	{
@@ -585,7 +609,7 @@ static status_t initiate_server(private_eap_mschapv2_t *this, eap_payload_t **ou
 	eap->type = EAP_MSCHAPV2;
 	eap->opcode = MSCHAPV2_CHALLENGE;
 	eap->ms_chapv2_id = this->mschapv2id;
-	eap->ms_length = htons(len - 5);
+	set_ms_length(eap, len);
 	
 	cha = (eap_mschapv2_challenge_t*)eap->data;
 	cha->value_size = CHALLENGE_LEN;
@@ -625,7 +649,8 @@ static status_t process_peer_challenge(private_eap_mschapv2_t *this,
 			
 	if (cha->value_size != CHALLENGE_LEN)
 	{
-		DBG1(DBG_IKE, "received invalid EAP-MS-CHAPv2 message: invalid challenge size");
+		DBG1(DBG_IKE, "received invalid EAP-MS-CHAPv2 message: "
+			 "invalid challenge size");
 		return FAILED;
 	}
 			
@@ -643,11 +668,11 @@ static status_t process_peer_challenge(private_eap_mschapv2_t *this,
 	rng->destroy(rng);
 			
 	shared = charon->credentials->get_shared(charon->credentials,
-											 SHARED_EAP, this->peer, this->server);
+										SHARED_EAP, this->peer, this->server);
 	if (shared == NULL)
 	{
-		DBG1(DBG_IKE, "no EAP key found for hosts '%D' - '%D'",
-				this->server, this->peer);
+		DBG1(DBG_IKE, "no EAP key found for hosts '%Y' - '%Y'",
+			 this->server, this->peer);
 		return NOT_FOUND;
 	}
 	
@@ -672,7 +697,7 @@ static status_t process_peer_challenge(private_eap_mschapv2_t *this,
 	eap->type = EAP_MSCHAPV2;
 	eap->opcode = MSCHAPV2_RESPONSE;
 	eap->ms_chapv2_id = this->mschapv2id;
-	eap->ms_length = htons(len - 5);
+	set_ms_length(eap, len);
 	
 	res = (eap_mschapv2_response_t*)eap->data;
 	res->value_size = RESPONSE_LEN;
@@ -725,7 +750,8 @@ static status_t process_peer_success(private_eap_mschapv2_t *this,
 			token += 2;
 			if (strlen(token) != AUTH_RESPONSE_LEN - 2)
 			{
-				DBG1(DBG_IKE, "received invalid EAP-MS-CHAPv2 message: invalid auth string");
+				DBG1(DBG_IKE, "received invalid EAP-MS-CHAPv2 message: "
+					 "invalid auth string");
 				goto error;
 			}
 			hex = chunk_create(token, AUTH_RESPONSE_LEN - 2);
@@ -741,7 +767,8 @@ static status_t process_peer_success(private_eap_mschapv2_t *this,
 			
 	if (auth_string.ptr == NULL)	
 	{
-		DBG1(DBG_IKE, "received invalid EAP-MS-CHAPv2 message: auth string missing");
+		DBG1(DBG_IKE, "received invalid EAP-MS-CHAPv2 message: "
+			 "auth string missing");
 		goto error;
 	}
 	
@@ -751,7 +778,7 @@ static status_t process_peer_success(private_eap_mschapv2_t *this,
 		goto error;
 	}
 	
-	DBG1(DBG_IKE, "EAP-MS-CHAPv2 succeeded: '%s'", msg);
+	DBG1(DBG_IKE, "EAP-MS-CHAPv2 succeeded: '%s'", sanitize(msg));
 	
 	eap = alloca(len);
 	eap->code = EAP_RESPONSE;
@@ -780,7 +807,6 @@ static status_t process_peer_failure(private_eap_mschapv2_t *this,
 	char *message, *token, *msg = NULL;
 	int message_len, error, retryable;
 	chunk_t challenge = chunk_empty;
-	u_int16_t len = SHORT_HEADER_LEN;
 	
 	data = in->get_data(in);
 	eap = (eap_mschapv2_header_t*)data.ptr;
@@ -816,7 +842,8 @@ static status_t process_peer_failure(private_eap_mschapv2_t *this,
 			token += 2;
 			if (strlen(token) != 2 * CHALLENGE_LEN)
 			{
-				DBG1(DBG_IKE, "received invalid EAP-MS-CHAPv2 message: invalid challenge");
+				DBG1(DBG_IKE, "received invalid EAP-MS-CHAPv2 message:"
+					 "invalid challenge");
 				goto error;
 			}
 			hex = chunk_create(token, 2 * CHALLENGE_LEN);
@@ -836,7 +863,8 @@ static status_t process_peer_failure(private_eap_mschapv2_t *this,
 	}
 	enumerator->destroy(enumerator);
 			
-	DBG1(DBG_IKE, "EAP-MS-CHAPv2 failed with error %N: '%s'", mschapv2_error_names, error, msg);
+	DBG1(DBG_IKE, "EAP-MS-CHAPv2 failed with error %N: '%s'",
+		 mschapv2_error_names, error, sanitize(msg));
 			
 	/**
 	 * at this point, if the error is retryable, we MAY retry the authentication
@@ -898,8 +926,8 @@ static status_t process_peer(private_eap_mschapv2_t *this, eap_payload_t *in,
 		}
 		default:
 		{
-			DBG1(DBG_IKE, "EAP-MS-CHAPv2 received packet with unsupported OpCode (%N)!",
-					mschapv2_opcode_names, eap->opcode);
+			DBG1(DBG_IKE, "EAP-MS-CHAPv2 received packet with unsupported "
+				 "OpCode (%N)!", mschapv2_opcode_names, eap->opcode);
 			break;
 		}
 	}
@@ -925,7 +953,8 @@ static status_t process_server_retry(private_eap_mschapv2_t *this,
 		 * so, to clean up our state we just fail with an EAP-Failure.
 		 * this gives an unknown error on the windows side, but is also fine
 		 * with the standard. */
-		DBG1(DBG_IKE, "EAP-MS-CHAPv2 verification failed: maximum number of retries reached");
+		DBG1(DBG_IKE, "EAP-MS-CHAPv2 verification failed: "
+			 "maximum number of retries reached");
 		return FAILED;
 	}
 	
@@ -951,7 +980,7 @@ static status_t process_server_retry(private_eap_mschapv2_t *this,
 	eap->type = EAP_MSCHAPV2;
 	eap->opcode = MSCHAPV2_FAILURE;
 	eap->ms_chapv2_id = this->mschapv2id++; /* increase for each retry */
-	eap->ms_length = htons(len - 5);
+	set_ms_length(eap, len);
 	
 	hex = chunk_to_hex(this->challenge, NULL, TRUE);
 	snprintf(msg, FAILURE_MESSAGE_LEN, "%s%s", FAILURE_MESSAGE, hex.ptr);
@@ -977,6 +1006,7 @@ static status_t process_server_response(private_eap_mschapv2_t *this,
 	identification_t *userid;
 	shared_key_t *shared;
 	int name_len;
+	char buf[256];
 	
 	data = in->get_data(in);
 	eap = (eap_mschapv2_header_t*)data.ptr;
@@ -991,16 +1021,16 @@ static status_t process_server_response(private_eap_mschapv2_t *this,
 	peer_challenge = chunk_create(res->response.peer_challenge, CHALLENGE_LEN);
 	
 	name_len = min(data.len - RESPONSE_PAYLOAD_LEN, 255);
-	userid = identification_create_from_encoding(ID_EAP,
-												 chunk_create(res->name, name_len));
+	snprintf(buf, sizeof(buf), "%.*s", name_len, res->name);
+	userid = identification_create_from_string(buf);
+	DBG2(DBG_IKE, "EAP-MS-CHAPv2 username: '%Y'", userid);
 	username = extract_username(userid);
-	DBG2(DBG_IKE, "EAP-MS-CHAPv2 username: '%.*s'", name_len, res->name);
 	
 	shared = charon->credentials->get_shared(charon->credentials,
 											 SHARED_EAP, this->server, userid);
 	if (shared == NULL)
 	{
-		DBG1(DBG_IKE, "no EAP key found for hosts '%D' - '%D'",
+		DBG1(DBG_IKE, "no EAP key found for hosts '%Y' - '%Y'",
 					  this->server, userid);
 		/* FIXME: windows 7 always sends the username that is first entered in
 		 * the username box, even, if the user changes it during retries (probably
@@ -1015,7 +1045,8 @@ static status_t process_server_response(private_eap_mschapv2_t *this,
 	password = ascii_to_unicode(shared->get_key(shared));
 	shared->destroy(shared);
 	
-	if (GenerateStuff(this, this->challenge, peer_challenge, username, password) != SUCCESS)
+	if (GenerateStuff(this, this->challenge, peer_challenge,
+					  username, password) != SUCCESS)
 	{
 		DBG1(DBG_IKE, "EAP-MS-CHAPv2 verification failed");	
 		userid->destroy(userid);
@@ -1038,7 +1069,7 @@ static status_t process_server_response(private_eap_mschapv2_t *this,
 		eap->type = EAP_MSCHAPV2;
 		eap->opcode = MSCHAPV2_SUCCESS;
 		eap->ms_chapv2_id = this->mschapv2id;
-		eap->ms_length = htons(len - 5);
+		set_ms_length(eap, len);
 		
 		hex = chunk_to_hex(this->auth_response, NULL, TRUE);
 		snprintf(msg, AUTH_RESPONSE_LEN + sizeof(SUCCESS_MESSAGE),
@@ -1063,7 +1094,8 @@ static status_t process_server(private_eap_mschapv2_t *this, eap_payload_t *in,
 	
 	if (this->identifier != in->get_identifier(in))
 	{
-		DBG1(DBG_IKE, "received invalid EAP-MS-CHAPv2 message: unexpected identifier");
+		DBG1(DBG_IKE, "received invalid EAP-MS-CHAPv2 message: "
+			 "unexpected identifier");
 		return FAILED;
 	}
 	
@@ -1092,8 +1124,8 @@ static status_t process_server(private_eap_mschapv2_t *this, eap_payload_t *in,
 		}
 		default:
 		{
-			DBG1(DBG_IKE, "EAP-MS-CHAPv2 received packet with unsupported OpCode (%N)!",
-					mschapv2_opcode_names, eap->opcode);
+			DBG1(DBG_IKE, "EAP-MS-CHAPv2 received packet with unsupported "
+				 "OpCode (%N)!", mschapv2_opcode_names, eap->opcode);
 			break;
 		}
 	}
diff --git a/src/charon/plugins/eap_mschapv2/eap_mschapv2.h b/src/charon/plugins/eap_mschapv2/eap_mschapv2.h
index d5638db00..34cc1141e 100644
--- a/src/charon/plugins/eap_mschapv2/eap_mschapv2.h
+++ b/src/charon/plugins/eap_mschapv2/eap_mschapv2.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: eap_mschapv2.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/charon/plugins/eap_mschapv2/eap_mschapv2_plugin.c b/src/charon/plugins/eap_mschapv2/eap_mschapv2_plugin.c
index 4303a3a7a..d0995c477 100644
--- a/src/charon/plugins/eap_mschapv2/eap_mschapv2_plugin.c
+++ b/src/charon/plugins/eap_mschapv2/eap_mschapv2_plugin.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: eap_mschapv2_plugin.c 4882 2009-02-18 19:57:15Z tobias $
  */
 
 #include "eap_mschapv2_plugin.h"
diff --git a/src/charon/plugins/eap_mschapv2/eap_mschapv2_plugin.h b/src/charon/plugins/eap_mschapv2/eap_mschapv2_plugin.h
index 0e671c3d6..9048fc64e 100644
--- a/src/charon/plugins/eap_mschapv2/eap_mschapv2_plugin.h
+++ b/src/charon/plugins/eap_mschapv2/eap_mschapv2_plugin.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: eap_mschapv2_plugin.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/charon/plugins/eap_radius/Makefile.in b/src/charon/plugins/eap_radius/Makefile.in
index 329ff981b..e7a4cd0f8 100644
--- a/src/charon/plugins/eap_radius/Makefile.in
+++ b/src/charon/plugins/eap_radius/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -90,6 +90,7 @@ CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -112,6 +113,9 @@ LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -123,6 +127,7 @@ MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
 NM = @NM@
 NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
@@ -136,6 +141,8 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 RANLIB = @RANLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -196,6 +203,7 @@ oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
 plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -207,6 +215,7 @@ srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 xml_CFLAGS = @xml_CFLAGS@
@@ -229,8 +238,8 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
 	    *$$dep*) \
-	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
-		&& exit 0; \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
 	      exit 1;; \
 	  esac; \
 	done; \
@@ -327,7 +336,7 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
 	mkid -fID $$unique
 tags: TAGS
diff --git a/src/charon/plugins/eap_radius/eap_radius.c b/src/charon/plugins/eap_radius/eap_radius.c
index 1a02c5acf..ee2477440 100644
--- a/src/charon/plugins/eap_radius/eap_radius.c
+++ b/src/charon/plugins/eap_radius/eap_radius.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
  
 #include "eap_radius.h"
@@ -22,7 +20,6 @@
 
 #include <daemon.h>
 
-
 typedef struct private_eap_radius_t private_eap_radius_t;
 
 /**
@@ -64,6 +61,11 @@ struct private_eap_radius_t {
 	 * RADIUS client instance
 	 */
 	radius_client_t *client;
+	
+	/**
+	 * TRUE to use EAP-Start, FALSE to send EAP-Identity Response directly
+	 */
+	bool eap_start;
 };
 
 /**
@@ -137,7 +139,16 @@ static status_t initiate(private_eap_radius_t *this, eap_payload_t **out)
 	
 	request = radius_message_create_request();
 	request->add(request, RAT_USER_NAME, this->peer->get_encoding(this->peer));
-	add_eap_identity(this, request);
+	
+	if (this->eap_start)
+	{
+		request->add(request, RAT_EAP_MESSAGE, chunk_empty);
+	}
+	else
+	{
+		add_eap_identity(this, request);
+	}
+	
 	response = this->client->request(this->client, request);
 	if (response)
 	{
@@ -270,6 +281,8 @@ eap_radius_t *eap_radius_create(identification_t *server, identification_t *peer
 	this->type = EAP_RADIUS;
 	this->vendor = 0;
 	this->msk = chunk_empty;
+	this->eap_start = lib->settings->get_bool(lib->settings, 
+								"charon.plugins.eap_radius.eap_start", FALSE);
 	
 	return &this->public;
 }
diff --git a/src/charon/plugins/eap_radius/eap_radius.h b/src/charon/plugins/eap_radius/eap_radius.h
index 7cb0a8615..8eb9e8c2d 100644
--- a/src/charon/plugins/eap_radius/eap_radius.h
+++ b/src/charon/plugins/eap_radius/eap_radius.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 /**
diff --git a/src/charon/plugins/eap_radius/eap_radius_plugin.c b/src/charon/plugins/eap_radius/eap_radius_plugin.c
index a429859a7..7c6a3c9ff 100644
--- a/src/charon/plugins/eap_radius/eap_radius_plugin.c
+++ b/src/charon/plugins/eap_radius/eap_radius_plugin.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 #include "eap_radius_plugin.h"
diff --git a/src/charon/plugins/eap_radius/eap_radius_plugin.h b/src/charon/plugins/eap_radius/eap_radius_plugin.h
index 3ed194619..a79640796 100644
--- a/src/charon/plugins/eap_radius/eap_radius_plugin.h
+++ b/src/charon/plugins/eap_radius/eap_radius_plugin.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 /**
diff --git a/src/charon/plugins/eap_radius/radius_client.c b/src/charon/plugins/eap_radius/radius_client.c
index a3ab1dd78..57d3f8f21 100644
--- a/src/charon/plugins/eap_radius/radius_client.c
+++ b/src/charon/plugins/eap_radius/radius_client.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 #include "radius_client.h"
diff --git a/src/charon/plugins/eap_radius/radius_client.h b/src/charon/plugins/eap_radius/radius_client.h
index 2207b8713..889861a16 100644
--- a/src/charon/plugins/eap_radius/radius_client.h
+++ b/src/charon/plugins/eap_radius/radius_client.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 /**
diff --git a/src/charon/plugins/eap_radius/radius_message.c b/src/charon/plugins/eap_radius/radius_message.c
index a95d2bb93..59a639f31 100644
--- a/src/charon/plugins/eap_radius/radius_message.c
+++ b/src/charon/plugins/eap_radius/radius_message.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 #include "radius_message.h"
diff --git a/src/charon/plugins/eap_radius/radius_message.h b/src/charon/plugins/eap_radius/radius_message.h
index d195bbe23..d4eec8590 100644
--- a/src/charon/plugins/eap_radius/radius_message.h
+++ b/src/charon/plugins/eap_radius/radius_message.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 /**
diff --git a/src/charon/plugins/eap_sim/Makefile.in b/src/charon/plugins/eap_sim/Makefile.in
index be84728a4..2374567bc 100644
--- a/src/charon/plugins/eap_sim/Makefile.in
+++ b/src/charon/plugins/eap_sim/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -88,6 +88,7 @@ CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -110,6 +111,9 @@ LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -121,6 +125,7 @@ MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
 NM = @NM@
 NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
@@ -134,6 +139,8 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 RANLIB = @RANLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -194,6 +201,7 @@ oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
 plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -205,6 +213,7 @@ srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 xml_CFLAGS = @xml_CFLAGS@
@@ -224,8 +233,8 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
 	    *$$dep*) \
-	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
-		&& exit 0; \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
 	      exit 1;; \
 	  esac; \
 	done; \
@@ -320,7 +329,7 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
 	mkid -fID $$unique
 tags: TAGS
diff --git a/src/charon/plugins/eap_sim/eap_sim.c b/src/charon/plugins/eap_sim/eap_sim.c
index 6110e823c..2dd6e534b 100644
--- a/src/charon/plugins/eap_sim/eap_sim.c
+++ b/src/charon/plugins/eap_sim/eap_sim.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: eap_sim.c 4755 2008-12-04 10:10:37Z martin $
  */
 
 #include "eap_sim.h"
@@ -571,7 +569,7 @@ static bool get_card_triplet(private_eap_sim_t *this,
 	enumerator->destroy(enumerator);
 	if (!card)
 	{
-		DBG1(DBG_IKE, "no SIM card found matching '%D'", this->peer);
+		DBG1(DBG_IKE, "no SIM card found matching '%Y'", this->peer);
 	}
 	return success;
 }
@@ -775,7 +773,7 @@ static bool get_provider_triplet(private_eap_sim_t *this,
 		tried++;
 	}
 	enumerator->destroy(enumerator);
-	DBG1(DBG_IKE, "tried %d SIM providers, but none had a triplet for '%D'",
+	DBG1(DBG_IKE, "tried %d SIM providers, but none had a triplet for '%Y'",
 		 tried, this->peer);
 	return FALSE;
 }
diff --git a/src/charon/plugins/eap_sim/eap_sim_plugin.c b/src/charon/plugins/eap_sim/eap_sim_plugin.c
index d937c57b4..cf18007c0 100644
--- a/src/charon/plugins/eap_sim/eap_sim_plugin.c
+++ b/src/charon/plugins/eap_sim/eap_sim_plugin.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: eap_sim_plugin.c 3491 2008-02-22 14:04:00Z martin $
  */
 
 #include "eap_sim_plugin.h"
diff --git a/src/charon/plugins/eap_sim/eap_sim_plugin.h b/src/charon/plugins/eap_sim/eap_sim_plugin.h
index d90a72092..767eb65a5 100644
--- a/src/charon/plugins/eap_sim/eap_sim_plugin.h
+++ b/src/charon/plugins/eap_sim/eap_sim_plugin.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: eap_sim_plugin.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/charon/plugins/eap_sim_file/Makefile.in b/src/charon/plugins/eap_sim_file/Makefile.in
index 9396b98cf..554b3a7bc 100644
--- a/src/charon/plugins/eap_sim_file/Makefile.in
+++ b/src/charon/plugins/eap_sim_file/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -91,6 +91,7 @@ CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -113,6 +114,9 @@ LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -124,6 +128,7 @@ MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
 NM = @NM@
 NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
@@ -137,6 +142,8 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 RANLIB = @RANLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -197,6 +204,7 @@ oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
 plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -208,6 +216,7 @@ srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 xml_CFLAGS = @xml_CFLAGS@
@@ -230,8 +239,8 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
 	    *$$dep*) \
-	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
-		&& exit 0; \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
 	      exit 1;; \
 	  esac; \
 	done; \
@@ -328,7 +337,7 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
 	mkid -fID $$unique
 tags: TAGS
diff --git a/src/charon/plugins/eap_sim_file/eap_sim_file_card.c b/src/charon/plugins/eap_sim_file/eap_sim_file_card.c
index 7969007d0..7d441ffb2 100644
--- a/src/charon/plugins/eap_sim_file/eap_sim_file_card.c
+++ b/src/charon/plugins/eap_sim_file/eap_sim_file_card.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 #include "eap_sim_file_card.h"
@@ -52,13 +50,13 @@ static bool get_triplet(private_eap_sim_file_card_t *this,
 	identification_t *id;
 	char *c_rand, *c_sres, *c_kc;
 	
-	
-	DBG1(DBG_CFG, "looking for rand: %b", rand, RAND_LEN);
+	DBG2(DBG_CFG, "looking for rand: %b", rand, RAND_LEN);
 	
 	enumerator = this->triplets->create_enumerator(this->triplets);
 	while (enumerator->enumerate(enumerator, &id, &c_rand, &c_sres, &c_kc))
 	{
-		DBG1(DBG_CFG, "found triplet: %b %b %b", c_rand, RAND_LEN, c_sres, SRES_LEN, c_kc, KC_LEN);
+		DBG2(DBG_CFG, "found triplet: rand %b\nsres %b\n kc %b",
+			 c_rand, RAND_LEN, c_sres, SRES_LEN, c_kc, KC_LEN);
 		if (memeq(c_rand, rand, RAND_LEN))
 		{
 			memcpy(sres, c_sres, SRES_LEN);
diff --git a/src/charon/plugins/eap_sim_file/eap_sim_file_card.h b/src/charon/plugins/eap_sim_file/eap_sim_file_card.h
index 9f28aa8fc..e7160a33b 100644
--- a/src/charon/plugins/eap_sim_file/eap_sim_file_card.h
+++ b/src/charon/plugins/eap_sim_file/eap_sim_file_card.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 /**
diff --git a/src/charon/plugins/eap_sim_file/eap_sim_file_plugin.c b/src/charon/plugins/eap_sim_file/eap_sim_file_plugin.c
index 6129ebb72..eb6fb4c9c 100644
--- a/src/charon/plugins/eap_sim_file/eap_sim_file_plugin.c
+++ b/src/charon/plugins/eap_sim_file/eap_sim_file_plugin.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 #include "eap_sim_file_plugin.h"
diff --git a/src/charon/plugins/eap_sim_file/eap_sim_file_plugin.h b/src/charon/plugins/eap_sim_file/eap_sim_file_plugin.h
index 8e603258f..24857d0b0 100644
--- a/src/charon/plugins/eap_sim_file/eap_sim_file_plugin.h
+++ b/src/charon/plugins/eap_sim_file/eap_sim_file_plugin.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 /**
diff --git a/src/charon/plugins/eap_sim_file/eap_sim_file_provider.c b/src/charon/plugins/eap_sim_file/eap_sim_file_provider.c
index ffb4b2901..89866ade6 100644
--- a/src/charon/plugins/eap_sim_file/eap_sim_file_provider.c
+++ b/src/charon/plugins/eap_sim_file/eap_sim_file_provider.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 #include "eap_sim_file_provider.h"
diff --git a/src/charon/plugins/eap_sim_file/eap_sim_file_provider.h b/src/charon/plugins/eap_sim_file/eap_sim_file_provider.h
index efd73802a..ec3bfb469 100644
--- a/src/charon/plugins/eap_sim_file/eap_sim_file_provider.h
+++ b/src/charon/plugins/eap_sim_file/eap_sim_file_provider.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 /**
diff --git a/src/charon/plugins/eap_sim_file/eap_sim_file_triplets.c b/src/charon/plugins/eap_sim_file/eap_sim_file_triplets.c
index 409e9cbd5..d093851c2 100644
--- a/src/charon/plugins/eap_sim_file/eap_sim_file_triplets.c
+++ b/src/charon/plugins/eap_sim_file/eap_sim_file_triplets.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 #include "eap_sim_file_triplets.h"
@@ -45,16 +43,16 @@ struct private_eap_sim_file_triplets_t {
 	 * mutex to lock triplets list
 	 */
 	mutex_t *mutex;
-};
+};
 
 /**
  * A single triplet
- */
-typedef struct  {
-	identification_t *imsi;
-	char rand[RAND_LEN];
-	char sres[SRES_LEN];
-	char kc[KC_LEN];
+ */
+typedef struct  {
+	identification_t *imsi;
+	char rand[RAND_LEN];
+	char sres[SRES_LEN];
+	char kc[KC_LEN];
 } triplet_t;
 
 /**
@@ -105,7 +103,7 @@ static bool enumerator_enumerate(triplet_enumerator_t *e, identification_t **ims
 								 char **rand, char **sres, char **kc)
 {
 	triplet_t *triplet;
-
+	
 	if (e->inner->enumerate(e->inner, &triplet))
 	{
 		e->current = triplet;
@@ -148,45 +146,45 @@ static void parse_token(char *to, char *from, size_t len)
 	memset(to, 0, len);
 	memcpy(to + len - chunk.len, chunk.ptr, chunk.len);
 	free(chunk.ptr);
-}
-
-/**
- * Read the triplets from the file
- */
-static void read_triplets(private_eap_sim_file_triplets_t *this, char *path)
-{
-	char line[512];
-	FILE *file;
-	int i, nr = 0;
-	
-	file = fopen(path, "r");
-	if (file == NULL)
-	{
+}
+
+/**
+ * Read the triplets from the file
+ */
+static void read_triplets(private_eap_sim_file_triplets_t *this, char *path)
+{
+	char line[512];
+	FILE *file;
+	int i, nr = 0;
+	
+	file = fopen(path, "r");
+	if (file == NULL)
+	{
 		DBG1(DBG_CFG, "opening triplet file %s failed: %s", 
-			 path, strerror(errno));
-		return;
-	}
-	
-	/* read line by line */
-	while (fgets(line, sizeof(line), file))
-	{
+			 path, strerror(errno));
+		return;
+	}
+	
+	/* read line by line */
+	while (fgets(line, sizeof(line), file))
+	{
 		triplet_t *triplet;
 		enumerator_t *enumerator;
 		char *token;
-		
-		nr++;
-		/* skip comments, empty lines */
-		switch (line[0])
-		{
-			case '\n':
-			case '\r':
-			case '#':
-			case '\0':
-				continue;
-			default:
-				break;
+		
+		nr++;
+		/* skip comments, empty lines */
+		switch (line[0])
+		{
+			case '\n':
+			case '\r':
+			case '#':
+			case '\0':
+				continue;
+			default:
+				break;
 		}
-		triplet = malloc_thing(triplet_t);
+		triplet = malloc_thing(triplet_t);
 		memset(triplet, 0, sizeof(triplet_t));
 		
 		i = 0;
@@ -196,8 +194,7 @@ static void read_triplets(private_eap_sim_file_triplets_t *this, char *path)
 			switch (i++)
 			{
 				case 0: /* IMSI */
-					triplet->imsi = identification_create_from_encoding(ID_EAP,
-											chunk_create(token, strlen(token)));
+					triplet->imsi = identification_create_from_string(token);
 					continue;
 				case 1: /* rand */
 					parse_token(triplet->rand, token, RAND_LEN);
@@ -215,22 +212,22 @@ static void read_triplets(private_eap_sim_file_triplets_t *this, char *path)
 		}
 		enumerator->destroy(enumerator);
 		if (i < 4)
-		{
+		{
 			DBG1(DBG_CFG, "error in triplet file, line %d", nr);
 			triplet_destroy(triplet);
 			continue;
-		}
-		
-		DBG1(DBG_CFG, "triplet: imsi %D\nrand %b\nsres %b\nkc %b",
-			 triplet->imsi, triplet->rand, RAND_LEN,
+		}
+		
+		DBG2(DBG_CFG, "triplet: imsi %Y\nrand %b\nsres %b\nkc %b",
+			 triplet->imsi, triplet->rand, RAND_LEN,
 			 triplet->sres, SRES_LEN, triplet->kc, KC_LEN);
 			 
-		this->triplets->insert_last(this->triplets, triplet);
-	}
+		this->triplets->insert_last(this->triplets, triplet);
+	}
 	fclose(file);
-	
+	
 	DBG1(DBG_CFG, "read %d triplets from %s",
-		 this->triplets->get_count(this->triplets), path);
+		 this->triplets->get_count(this->triplets), path);
 }
 
 /**
diff --git a/src/charon/plugins/eap_sim_file/eap_sim_file_triplets.h b/src/charon/plugins/eap_sim_file/eap_sim_file_triplets.h
index a6e9188a5..d4ff2a781 100644
--- a/src/charon/plugins/eap_sim_file/eap_sim_file_triplets.h
+++ b/src/charon/plugins/eap_sim_file/eap_sim_file_triplets.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 /**
@@ -28,17 +26,17 @@
 
 /**
  * size of RAND value
- */
+ */
 #define RAND_LEN 16
 
 /**
  * size of SRES value
- */
+ */
 #define SRES_LEN 4
 
 /**
  * size of KC value
- */
+ */
 #define KC_LEN 8
 
 typedef struct eap_sim_file_triplets_t eap_sim_file_triplets_t;
@@ -46,7 +44,7 @@ typedef struct eap_sim_file_triplets_t eap_sim_file_triplets_t;
 /**
  * Reads triplets from a triplets.dat file.
  *
- * The file is in freeradius triplet file syntax:
+ * The file is in freeradius triplet file syntax:
  * http://www.freeradius.org/radiusd/doc/rlm_sim_triplets
  */
 struct eap_sim_file_triplets_t {
diff --git a/src/charon/plugins/kernel_klips/Makefile.in b/src/charon/plugins/kernel_klips/Makefile.in
index 4e3312f2b..a1efe9d5a 100644
--- a/src/charon/plugins/kernel_klips/Makefile.in
+++ b/src/charon/plugins/kernel_klips/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -90,6 +90,7 @@ CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -112,6 +113,9 @@ LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -123,6 +127,7 @@ MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
 NM = @NM@
 NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
@@ -136,6 +141,8 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 RANLIB = @RANLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -196,6 +203,7 @@ oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
 plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -207,6 +215,7 @@ srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 xml_CFLAGS = @xml_CFLAGS@
@@ -226,8 +235,8 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
 	    *$$dep*) \
-	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
-		&& exit 0; \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
 	      exit 1;; \
 	  esac; \
 	done; \
@@ -322,7 +331,7 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
 	mkid -fID $$unique
 tags: TAGS
diff --git a/src/charon/plugins/kernel_klips/kernel_klips_ipsec.c b/src/charon/plugins/kernel_klips/kernel_klips_ipsec.c
index b2811aa9d..c69ce4c9a 100644
--- a/src/charon/plugins/kernel_klips/kernel_klips_ipsec.c
+++ b/src/charon/plugins/kernel_klips/kernel_klips_ipsec.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: kernel_klips_ipsec.c 4793 2008-12-11 13:39:30Z tobias $
  */
 
 #include <sys/types.h>
@@ -1530,7 +1528,7 @@ static void schedule_expire(private_kernel_klips_ipsec_t *this,
 	expire->reqid = reqid;
 	expire->type = type;
 	job = callback_job_create((callback_job_cb_t)sa_expires, expire, free, NULL);
-	charon->scheduler->schedule_job(charon->scheduler, (job_t*)job, time * 1000);
+	charon->scheduler->schedule_job(charon->scheduler, (job_t*)job, time);
 }
 
 /**
@@ -1938,8 +1936,9 @@ static status_t update_sa(private_kernel_klips_ipsec_t *this,
 /**
  * Implementation of kernel_interface_t.del_sa.
  */
-static status_t del_sa(private_kernel_klips_ipsec_t *this, host_t *dst,
-					   u_int32_t spi, protocol_id_t protocol, u_int16_t cpi)
+static status_t del_sa(private_kernel_klips_ipsec_t *this, host_t *src,
+					   host_t *dst, u_int32_t spi, protocol_id_t protocol,
+					   u_int16_t cpi)
 {
 	unsigned char request[PFKEY_BUFFER_SIZE];
 	struct sadb_msg *msg, *out;
@@ -2610,7 +2609,7 @@ kernel_klips_ipsec_t *kernel_klips_ipsec_create()
 	this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
 	this->public.interface.add_sa  = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa;
 	this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa;
-	this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
+	this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
 	this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t,protocol_id_t,u_int32_t,ipsec_mode_t,u_int16_t,u_int16_t,bool))add_policy;
 	this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
 	this->public.interface.del_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,bool))del_policy;
diff --git a/src/charon/plugins/kernel_klips/kernel_klips_ipsec.h b/src/charon/plugins/kernel_klips/kernel_klips_ipsec.h
index 4d4e33813..306ec0ada 100644
--- a/src/charon/plugins/kernel_klips/kernel_klips_ipsec.h
+++ b/src/charon/plugins/kernel_klips/kernel_klips_ipsec.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: kernel_klips_ipsec.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/charon/plugins/kernel_klips/kernel_klips_plugin.c b/src/charon/plugins/kernel_klips/kernel_klips_plugin.c
index 42d7307ec..d153ea8af 100644
--- a/src/charon/plugins/kernel_klips/kernel_klips_plugin.c
+++ b/src/charon/plugins/kernel_klips/kernel_klips_plugin.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: kernel_klips_plugin.c 4617 2008-11-11 08:45:19Z tobias $
  */
 
 
diff --git a/src/charon/plugins/kernel_klips/kernel_klips_plugin.h b/src/charon/plugins/kernel_klips/kernel_klips_plugin.h
index 8dd2f1895..123550bf5 100644
--- a/src/charon/plugins/kernel_klips/kernel_klips_plugin.h
+++ b/src/charon/plugins/kernel_klips/kernel_klips_plugin.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: kernel_klips_plugin.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/charon/plugins/kernel_netlink/Makefile.in b/src/charon/plugins/kernel_netlink/Makefile.in
index b3b161315..b97738bff 100644
--- a/src/charon/plugins/kernel_netlink/Makefile.in
+++ b/src/charon/plugins/kernel_netlink/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -91,6 +91,7 @@ CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -113,6 +114,9 @@ LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -124,6 +128,7 @@ MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
 NM = @NM@
 NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
@@ -137,6 +142,8 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 RANLIB = @RANLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -197,6 +204,7 @@ oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
 plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -208,6 +216,7 @@ srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 xml_CFLAGS = @xml_CFLAGS@
@@ -228,8 +237,8 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
 	    *$$dep*) \
-	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
-		&& exit 0; \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
 	      exit 1;; \
 	  esac; \
 	done; \
@@ -326,7 +335,7 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
 	mkid -fID $$unique
 tags: TAGS
diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c
index ee47914d3..9322d8dfe 100644
--- a/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -16,8 +16,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: kernel_netlink_ipsec.c 4997 2009-03-24 10:24:58Z martin $
  */
 
 #include <sys/types.h>
@@ -170,14 +168,20 @@ static kernel_algorithm_t encryption_algs[] = {
 /*	{ENCR_DES_IV32, 			"***"				}, */
 	{ENCR_NULL, 				"cipher_null"		},
 	{ENCR_AES_CBC,	 			"aes"				},
-/*	{ENCR_AES_CTR, 				"***"				}, */
+	{ENCR_AES_CTR, 				"rfc3686(ctr(aes))"	},
 	{ENCR_AES_CCM_ICV8,			"rfc4309(ccm(aes))"	},
 	{ENCR_AES_CCM_ICV12,		"rfc4309(ccm(aes))"	},
 	{ENCR_AES_CCM_ICV16,		"rfc4309(ccm(aes))"	},
 	{ENCR_AES_GCM_ICV8,			"rfc4106(gcm(aes))"	},
 	{ENCR_AES_GCM_ICV12,		"rfc4106(gcm(aes))"	},
 	{ENCR_AES_GCM_ICV16,		"rfc4106(gcm(aes))"	},
-	{END_OF_LIST, 				NULL				},
+/*	{ENCR_NULL_AUTH_AES_GMAC,	"***"				}, */
+	{ENCR_CAMELLIA_CBC,			"cbc(camellia)"		},
+/*	{ENCR_CAMELLIA_CTR,			"***"				}, */
+/*	{ENCR_CAMELLIA_CCM_ICV8,	"***"				}, */
+/*	{ENCR_CAMELLIA_CCM_ICV12,	"***"				}, */
+/*	{ENCR_CAMELLIA_CCM_ICV16,	"***"				}, */
+	{END_OF_LIST, 				NULL				}
 };
 
 /**
@@ -192,7 +196,7 @@ static kernel_algorithm_t integrity_algs[] = {
 /*	{AUTH_DES_MAC,				"***"				}, */
 /*	{AUTH_KPDK_MD5,				"***"				}, */
 	{AUTH_AES_XCBC_96,			"xcbc(aes)"			},
-	{END_OF_LIST, 				NULL				},
+	{END_OF_LIST, 				NULL				}
 };
 
 /**
@@ -203,7 +207,7 @@ static kernel_algorithm_t compression_algs[] = {
 	{IPCOMP_DEFLATE,			"deflate"			},
 	{IPCOMP_LZS,				"lzs"				},
 	{IPCOMP_LZJH,				"lzjh"				},
-	{END_OF_LIST, 				NULL				},
+	{END_OF_LIST, 				NULL				}
 };
 
 /**
@@ -368,6 +372,24 @@ static protocol_id_t proto_kernel2ike(u_int8_t proto)
 	}
 }
 
+/**
+ * convert the general ipsec mode to the one defined in xfrm.h
+ */
+static u_int8_t mode2kernel(ipsec_mode_t mode)
+{
+	switch (mode)
+	{
+		case MODE_TRANSPORT:
+			return XFRM_MODE_TRANSPORT;
+		case MODE_TUNNEL:
+			return XFRM_MODE_TUNNEL;
+		case MODE_BEET:
+			return XFRM_MODE_BEET;
+		default:
+			return mode;
+	}
+}
+
 /**
  * convert a host_t to a struct xfrm_address
  */
@@ -797,7 +819,7 @@ static status_t get_spi_internal(private_kernel_netlink_ipsec_t *this,
 	host2xfrm(src, &userspi->info.saddr);
 	host2xfrm(dst, &userspi->info.id.daddr);
 	userspi->info.id.proto = proto;
-	userspi->info.mode = TRUE; /* tunnel mode */
+	userspi->info.mode = XFRM_MODE_TUNNEL;
 	userspi->info.reqid = reqid;
 	userspi->info.family = src->get_family(src);
 	userspi->min = min;
@@ -935,7 +957,7 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this,
 	sa->id.spi = spi;
 	sa->id.proto = proto_ike2kernel(protocol);
 	sa->family = src->get_family(src);
-	sa->mode = mode;
+	sa->mode = mode2kernel(mode);
 	if (mode == MODE_TUNNEL)
 	{
 		sa->flags |= XFRM_STATE_AF_UNSPEC;
@@ -1210,8 +1232,9 @@ static status_t get_replay_state(private_kernel_netlink_ipsec_t *this,
 /**
  * Implementation of kernel_interface_t.del_sa.
  */
-static status_t del_sa(private_kernel_netlink_ipsec_t *this, host_t *dst,
-					   u_int32_t spi, protocol_id_t protocol, u_int16_t cpi)
+static status_t del_sa(private_kernel_netlink_ipsec_t *this, host_t *src,
+					   host_t *dst, u_int32_t spi, protocol_id_t protocol,
+					   u_int16_t cpi)
 {
 	netlink_buf_t request;
 	struct nlmsghdr *hdr;
@@ -1220,7 +1243,7 @@ static status_t del_sa(private_kernel_netlink_ipsec_t *this, host_t *dst,
 	/* if IPComp was used, we first delete the additional IPComp SA */
 	if (cpi)
 	{
-		del_sa(this, dst, htonl(ntohs(cpi)), IPPROTO_COMP, 0);
+		del_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, 0);
 	}
 	
 	memset(&request, 0, sizeof(request));
@@ -1333,7 +1356,7 @@ static status_t update_sa(private_kernel_netlink_ipsec_t *this,
 	}
 	
 	/* delete the old SA (without affecting the IPComp SA) */
-	if (del_sa(this, dst, spi, protocol, 0) != SUCCESS)
+	if (del_sa(this, src, dst, spi, protocol, 0) != SUCCESS)
 	{
 		DBG1(DBG_KNL, "unable to delete old SAD entry with SPI %.8x", ntohl(spi));
 		free(out);
@@ -1520,7 +1543,7 @@ static status_t add_policy(private_kernel_netlink_ipsec_t *this,
 		tmpl->reqid = reqid;
 		tmpl->id.proto = IPPROTO_COMP;
 		tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
-		tmpl->mode = mode;
+		tmpl->mode = mode2kernel(mode);
 		tmpl->optional = direction != POLICY_OUT;
 		tmpl->family = src->get_family(src);
 		
@@ -1541,7 +1564,7 @@ static status_t add_policy(private_kernel_netlink_ipsec_t *this,
 	tmpl->reqid = reqid;
 	tmpl->id.proto = proto_ike2kernel(protocol);
 	tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
-	tmpl->mode = mode;
+	tmpl->mode = mode2kernel(mode);
 	tmpl->family = src->get_family(src);
 	
 	host2xfrm(src, &tmpl->saddr);
@@ -1865,7 +1888,7 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create()
 	this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
 	this->public.interface.add_sa  = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa;
 	this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa;
-	this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
+	this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
 	this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t,protocol_id_t,u_int32_t,ipsec_mode_t,u_int16_t,u_int16_t,bool))add_policy;
 	this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
 	this->public.interface.del_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,bool))del_policy;
diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.h b/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.h
index 0b65c5213..3a45cce06 100644
--- a/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.h
+++ b/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: kernel_netlink_ipsec.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_net.c b/src/charon/plugins/kernel_netlink/kernel_netlink_net.c
index 6e4ddffe5..32154a7ea 100644
--- a/src/charon/plugins/kernel_netlink/kernel_netlink_net.c
+++ b/src/charon/plugins/kernel_netlink/kernel_netlink_net.c
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: kernel_netlink_net.c 4671 2008-11-18 09:52:28Z martin $
  */
 
 #include <sys/socket.h>
@@ -163,7 +161,11 @@ struct private_kernel_netlink_net_t {
 	 * whether to react to RTM_NEWROUTE or RTM_DELROUTE events
 	 */
 	bool process_route;
-
+	
+	/**
+	 * whether to actually install virtual IPs
+	 */
+	bool install_virtual_ip;
 };
 
 /**
@@ -219,7 +221,7 @@ static void fire_roam_job(private_kernel_netlink_net_t *this, bool address)
 				now.tv_usec -= 1000000;
 			}
 			this->last_roam = now;
-			charon->scheduler->schedule_job(charon->scheduler,
+			charon->scheduler->schedule_job_ms(charon->scheduler,
 					(job_t*)roam_job_create(address), ROAM_DELAY);
 		}
 	}
@@ -985,7 +987,12 @@ static status_t add_ip(private_kernel_netlink_net_t *this,
 	addr_entry_t *addr;
 	enumerator_t *addrs, *ifaces;
 	int ifindex;
-
+	
+	if (!this->install_virtual_ip)
+	{	/* disabled by config */
+		return SUCCESS;
+	}
+	
 	DBG2(DBG_KNL, "adding virtual IP %H", virtual_ip);
 	
 	this->mutex->lock(this->mutex);
@@ -1059,7 +1066,12 @@ static status_t del_ip(private_kernel_netlink_net_t *this, host_t *virtual_ip)
 	enumerator_t *addrs, *ifaces;
 	status_t status;
 	int ifindex;
-
+	
+	if (!this->install_virtual_ip)
+	{	/* disabled by config */
+		return SUCCESS;
+	}
+	
 	DBG2(DBG_KNL, "deleting virtual IP %H", virtual_ip);
 	
 	this->mutex->lock(this->mutex);
@@ -1175,7 +1187,7 @@ static status_t manage_srcroute(private_kernel_netlink_net_t *this, int nlmsg_ty
 /**
  * Implementation of kernel_net_t.add_route.
  */
-status_t add_route(private_kernel_netlink_net_t *this, chunk_t dst_net,
+static status_t add_route(private_kernel_netlink_net_t *this, chunk_t dst_net,
 		u_int8_t prefixlen, host_t *gateway, host_t *src_ip, char *if_name)
 {
 	return manage_srcroute(this, RTM_NEWROUTE, NLM_F_CREATE | NLM_F_EXCL,
@@ -1185,7 +1197,7 @@ status_t add_route(private_kernel_netlink_net_t *this, chunk_t dst_net,
 /**
  * Implementation of kernel_net_t.del_route.
  */
-status_t del_route(private_kernel_netlink_net_t *this, chunk_t dst_net,
+static status_t del_route(private_kernel_netlink_net_t *this, chunk_t dst_net,
 		u_int8_t prefixlen, host_t *gateway, host_t *src_ip, char *if_name)
 {
 	return manage_srcroute(this, RTM_DELROUTE, 0, dst_net, prefixlen,
@@ -1367,6 +1379,8 @@ kernel_netlink_net_t *kernel_netlink_net_create()
 					"charon.routing_table_prio", IPSEC_ROUTING_TABLE_PRIO);
 	this->process_route = lib->settings->get_bool(lib->settings,
 					"charon.process_route", TRUE);
+	this->install_virtual_ip = lib->settings->get_bool(lib->settings,
+					"charon.install_virtual_ip", TRUE);
 	
 	this->socket = netlink_socket_create(NETLINK_ROUTE);
 	
diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_net.h b/src/charon/plugins/kernel_netlink/kernel_netlink_net.h
index 39b96837b..ff9831d3c 100644
--- a/src/charon/plugins/kernel_netlink/kernel_netlink_net.h
+++ b/src/charon/plugins/kernel_netlink/kernel_netlink_net.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: kernel_netlink_net.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_plugin.c b/src/charon/plugins/kernel_netlink/kernel_netlink_plugin.c
index adc3d585f..77005e871 100644
--- a/src/charon/plugins/kernel_netlink/kernel_netlink_plugin.c
+++ b/src/charon/plugins/kernel_netlink/kernel_netlink_plugin.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: kernel_netlink_plugin.c 4350 2008-09-18 15:16:43Z tobias $
  */
 
 
diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_plugin.h b/src/charon/plugins/kernel_netlink/kernel_netlink_plugin.h
index f08dbc023..ec6036b98 100644
--- a/src/charon/plugins/kernel_netlink/kernel_netlink_plugin.h
+++ b/src/charon/plugins/kernel_netlink/kernel_netlink_plugin.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: kernel_netlink_plugin.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_shared.c b/src/charon/plugins/kernel_netlink/kernel_netlink_shared.c
index 05bd4e397..7ef7cc56e 100644
--- a/src/charon/plugins/kernel_netlink/kernel_netlink_shared.c
+++ b/src/charon/plugins/kernel_netlink/kernel_netlink_shared.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: kernel_netlink_shared.c 4831 2009-01-09 09:37:13Z andreas $
  */
 
 #include <sys/socket.h>
diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_shared.h b/src/charon/plugins/kernel_netlink/kernel_netlink_shared.h
index 90e464796..5a70e4d9b 100644
--- a/src/charon/plugins/kernel_netlink/kernel_netlink_shared.h
+++ b/src/charon/plugins/kernel_netlink/kernel_netlink_shared.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: kernel_netlink_shared.h 4660 2008-11-14 14:23:11Z martin $
  */
 
 #ifndef KERNEL_NETLINK_SHARED_H_
diff --git a/src/charon/plugins/kernel_pfkey/Makefile.in b/src/charon/plugins/kernel_pfkey/Makefile.in
index d606f4a23..df2492ef7 100644
--- a/src/charon/plugins/kernel_pfkey/Makefile.in
+++ b/src/charon/plugins/kernel_pfkey/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -90,6 +90,7 @@ CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -112,6 +113,9 @@ LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -123,6 +127,7 @@ MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
 NM = @NM@
 NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
@@ -136,6 +141,8 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 RANLIB = @RANLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -196,6 +203,7 @@ oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
 plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -207,6 +215,7 @@ srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 xml_CFLAGS = @xml_CFLAGS@
@@ -226,8 +235,8 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
 	    *$$dep*) \
-	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
-		&& exit 0; \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
 	      exit 1;; \
 	  esac; \
 	done; \
@@ -322,7 +331,7 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
 	mkid -fID $$unique
 tags: TAGS
diff --git a/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
index 656c83083..56f0320dc 100644
--- a/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
+++ b/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2008-2009 Tobias Brunner
  * Copyright (C) 2008 Andreas Steffen
  * Hochschule fuer Technik Rapperswil
  *
@@ -12,16 +12,38 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: kernel_pfkey_ipsec.c 4793 2008-12-11 13:39:30Z tobias $
  */
 
 #include <sys/types.h>
 #include <sys/socket.h>
+
+#ifdef HAVE_NET_PFKEYV2_H
+#include <net/pfkeyv2.h>
+#else
 #include <stdint.h>
-#include <linux/ipsec.h>
 #include <linux/pfkeyv2.h>
+#endif
+
+#ifdef SADB_X_EXT_NAT_T_TYPE
+#define HAVE_NATT
+#endif
+
+#ifdef HAVE_NETIPSEC_IPSEC_H
+#include <netipsec/ipsec.h>
+#elif defined(HAVE_NETINET6_IPSEC_H)
+#include <netinet6/ipsec.h>
+#else
+#include <linux/ipsec.h>
+#endif
+
+#ifdef HAVE_NATT
+#ifdef HAVE_NETINET_UDP_H
+#include <netinet/udp.h>
+#else
 #include <linux/udp.h>
+#endif /*HAVE_NETINET_UDP_H*/
+#endif /*HAVE_NATT*/
+
 #include <unistd.h>
 #include <pthread.h>
 #include <errno.h>
@@ -38,6 +60,30 @@
 #include <processing/jobs/delete_child_sa_job.h>
 #include <processing/jobs/update_sa_job.h>
 
+/** non linux specific */
+#ifndef IPPROTO_COMP
+#define IPPROTO_COMP IPPROTO_IPCOMP
+#endif
+
+#ifndef SADB_X_AALG_SHA2_256HMAC
+#define SADB_X_AALG_SHA2_256HMAC SADB_X_AALG_SHA2_256
+#define SADB_X_AALG_SHA2_384HMAC SADB_X_AALG_SHA2_384
+#define SADB_X_AALG_SHA2_512HMAC SADB_X_AALG_SHA2_512
+#endif
+
+#ifndef SADB_X_EALG_AESCBC
+#define SADB_X_EALG_AESCBC SADB_X_EALG_AES
+#endif
+
+#ifndef SADB_X_EALG_CASTCBC
+#define SADB_X_EALG_CASTCBC SADB_X_EALG_CAST128CBC
+#endif
+
+#ifndef SOL_IP
+#define SOL_IP IPPROTO_IP
+#define SOL_IPV6 IPPROTO_IPV6
+#endif
+
 /** from linux/in.h */
 #ifndef IP_IPSEC_POLICY
 #define IP_IPSEC_POLICY 16
@@ -46,7 +92,7 @@
 /* missing on uclibc */
 #ifndef IPV6_IPSEC_POLICY
 #define IPV6_IPSEC_POLICY 34
-#endif /*IPV6_IPSEC_POLICY*/
+#endif
 
 /** default priority of installed policies */
 #define PRIO_LOW 3000
@@ -160,8 +206,8 @@ struct route_entry_t {
 static void route_entry_destroy(route_entry_t *this)
 {
 	free(this->if_name);
-	this->src_ip->destroy(this->src_ip);
-	this->gateway->destroy(this->gateway);
+	DESTROY_IF(this->src_ip);
+	DESTROY_IF(this->gateway);
 	chunk_free(&this->dst_net);
 	free(this);
 }
@@ -217,7 +263,7 @@ static policy_entry_t *create_policy_entry(traffic_selector_t *src_ts,
 	
 	/* src or dest proto may be "any" (0), use more restrictive one */
 	policy->src.proto = max(src_ts->get_protocol(src_ts), dst_ts->get_protocol(dst_ts));
-	policy->src.proto = policy->src.proto ? policy->src.proto : IPSEC_PROTO_ANY; 
+	policy->src.proto = policy->src.proto ? policy->src.proto : IPSEC_PROTO_ANY;
 	policy->dst.proto = policy->src.proto;
 	
 	return policy;
@@ -268,7 +314,6 @@ struct pfkey_msg_t
 	 */
 	struct sadb_msg *msg;
 	
-	
 	/**
 	 * PF_KEY message extensions
 	 */
@@ -305,7 +350,7 @@ struct pfkey_msg_t
 	};
 };
 
-ENUM(sadb_ext_type_names, SADB_EXT_RESERVED, SADB_X_EXT_KMADDRESS,
+ENUM(sadb_ext_type_names, SADB_EXT_RESERVED, SADB_EXT_MAX,
 	"SADB_EXT_RESERVED",
 	"SADB_EXT_SA",
 	"SADB_EXT_LIFETIME_CURRENT",
@@ -333,6 +378,7 @@ ENUM(sadb_ext_type_names, SADB_EXT_RESERVED, SADB_X_EXT_KMADDRESS,
 	"SADB_X_EXT_SEC_CTX",
 	"SADB_X_EXT_KMADDRESS"
 );
+
 /**
  * convert a IKEv2 specific protocol identifier to the PF_KEY sa type
  */
@@ -396,8 +442,10 @@ static u_int8_t mode2kernel(ipsec_mode_t mode)
 			return IPSEC_MODE_TRANSPORT;
 		case MODE_TUNNEL:
 			return IPSEC_MODE_TUNNEL;
+#ifdef HAVE_IPSEC_MODE_BEET
 		case MODE_BEET:
 			return IPSEC_MODE_BEET;
+#endif
 		default:
 			return mode;
 	}
@@ -414,13 +462,16 @@ static u_int8_t dir2kernel(policy_dir_t dir)
 			return IPSEC_DIR_INBOUND;
 		case POLICY_OUT:
 			return IPSEC_DIR_OUTBOUND;
+#ifdef HAVE_IPSEC_DIR_FWD
 		case POLICY_FWD:
 			return IPSEC_DIR_FWD;
+#endif
 		default:
 			return dir;
 	}
 }
 
+#ifdef SADB_X_MIGRATE
 /**
  * convert the policy direction in ipsec.h to the general one.
  */
@@ -432,12 +483,16 @@ static policy_dir_t kernel2dir(u_int8_t  dir)
 			return POLICY_IN;
 		case IPSEC_DIR_OUTBOUND:
 			return POLICY_OUT;
+#ifdef HAVE_IPSEC_DIR_FWD
 		case IPSEC_DIR_FWD:
 			return POLICY_FWD;
+#endif
 		default:
 			return dir;
 	}
 }
+#endif /*SADB_X_MIGRATE*/
+
 typedef struct kernel_algorithm_t kernel_algorithm_t;
 
 /**
@@ -461,40 +516,42 @@ struct kernel_algorithm_t {
  * Algorithms for encryption
  */
 static kernel_algorithm_t encryption_algs[] = {
-/*	{ENCR_DES_IV64, 			0							}, */
-	{ENCR_DES, 					SADB_EALG_DESCBC			},
-	{ENCR_3DES, 				SADB_EALG_3DESCBC			},
-/*	{ENCR_RC5, 					0							}, */
-/*	{ENCR_IDEA, 				0							}, */
-	{ENCR_CAST, 				SADB_X_EALG_CASTCBC			},
-	{ENCR_BLOWFISH, 			SADB_X_EALG_BLOWFISHCBC		},
-/*	{ENCR_3IDEA, 				0							}, */
-/*	{ENCR_DES_IV32, 			0							}, */
-	{ENCR_NULL, 				SADB_EALG_NULL				},
-	{ENCR_AES_CBC,	 			SADB_X_EALG_AESCBC			},
-/*	{ENCR_AES_CTR, 				SADB_X_EALG_AESCTR			}, */
+/*	{ENCR_DES_IV64,				0							}, */
+	{ENCR_DES,					SADB_EALG_DESCBC			},
+	{ENCR_3DES,					SADB_EALG_3DESCBC			},
+/*	{ENCR_RC5,					0							}, */
+/*	{ENCR_IDEA,					0							}, */
+	{ENCR_CAST,					SADB_X_EALG_CASTCBC			},
+	{ENCR_BLOWFISH,				SADB_X_EALG_BLOWFISHCBC		},
+/*	{ENCR_3IDEA,				0							}, */
+/*	{ENCR_DES_IV32,				0							}, */
+	{ENCR_NULL,					SADB_EALG_NULL				},
+	{ENCR_AES_CBC,				SADB_X_EALG_AESCBC			},
+/*	{ENCR_AES_CTR,				SADB_X_EALG_AESCTR			}, */
 /*  {ENCR_AES_CCM_ICV8,			SADB_X_EALG_AES_CCM_ICV8	}, */
 /*	{ENCR_AES_CCM_ICV12,		SADB_X_EALG_AES_CCM_ICV12	}, */
 /*	{ENCR_AES_CCM_ICV16,		SADB_X_EALG_AES_CCM_ICV16	}, */
 /*	{ENCR_AES_GCM_ICV8,			SADB_X_EALG_AES_GCM_ICV8	}, */
 /*	{ENCR_AES_GCM_ICV12,		SADB_X_EALG_AES_GCM_ICV12	}, */
 /*	{ENCR_AES_GCM_ICV16,		SADB_X_EALG_AES_GCM_ICV16	}, */
-	{END_OF_LIST, 				0							},
+	{END_OF_LIST,				0							},
 };
 
 /**
  * Algorithms for integrity protection
  */
 static kernel_algorithm_t integrity_algs[] = {
-	{AUTH_HMAC_MD5_96, 			SADB_AALG_MD5HMAC			},
+	{AUTH_HMAC_MD5_96,			SADB_AALG_MD5HMAC			},
 	{AUTH_HMAC_SHA1_96,			SADB_AALG_SHA1HMAC			},
 	{AUTH_HMAC_SHA2_256_128,	SADB_X_AALG_SHA2_256HMAC	},
 	{AUTH_HMAC_SHA2_384_192,	SADB_X_AALG_SHA2_384HMAC	},
 	{AUTH_HMAC_SHA2_512_256,	SADB_X_AALG_SHA2_512HMAC	},
 /*	{AUTH_DES_MAC,				0,							}, */
 /*	{AUTH_KPDK_MD5,				0,							}, */
+#ifdef SADB_X_AALG_AES_XCBC_MAC
 	{AUTH_AES_XCBC_96,			SADB_X_AALG_AES_XCBC_MAC,	},
-	{END_OF_LIST, 				0,							},
+#endif
+	{END_OF_LIST,				0,							},
 };
 
 #if 0
@@ -502,11 +559,11 @@ static kernel_algorithm_t integrity_algs[] = {
  * Algorithms for IPComp, unused yet
  */
 static kernel_algorithm_t compression_algs[] = {
-/*	{IPCOMP_OUI, 				0							}, */
+/*	{IPCOMP_OUI,				0							}, */
 	{IPCOMP_DEFLATE,			SADB_X_CALG_DEFLATE			},
 	{IPCOMP_LZS,				SADB_X_CALG_LZS				},
 	{IPCOMP_LZJH,				SADB_X_CALG_LZJH			},
-	{END_OF_LIST, 				0							},
+	{END_OF_LIST,				0							},
 };
 #endif
 
@@ -533,8 +590,11 @@ static void host2ext(host_t *host, struct sadb_address *ext)
 {
 	sockaddr_t *host_addr = host->get_sockaddr(host);
 	socklen_t *len = host->get_sockaddr_len(host);
- 	memcpy((char*)(ext + 1), host_addr, *len);
- 	ext->sadb_address_len = PFKEY_LEN(sizeof(*ext) + *len);
+#ifdef HAVE_STRUCT_SOCKADDR_SA_LEN
+	host_addr->sa_len = *len;
+#endif
+	memcpy((char*)(ext + 1), host_addr, *len);
+	ext->sadb_address_len = PFKEY_LEN(sizeof(*ext) + *len);
 }
 
 /**
@@ -562,10 +622,14 @@ static void add_anyaddr_ext(struct sadb_msg *msg, int family, u_int8_t type)
 	addr->sadb_address_exttype = type;
 	sockaddr_t *saddr = (sockaddr_t*)(addr + 1);
 	saddr->sa_family = family;
- 	addr->sadb_address_len = PFKEY_LEN(sizeof(*addr) + len);
+#ifdef HAVE_STRUCT_SOCKADDR_SA_LEN
+	saddr->sa_len = len;
+#endif
+	addr->sadb_address_len = PFKEY_LEN(sizeof(*addr) + len);
 	PFKEY_EXT_ADD(msg, addr);
 }
 
+#ifdef HAVE_NATT
 /**
  * add udp encap extensions to a sadb_msg
  */
@@ -592,6 +656,7 @@ static void add_encap_ext(struct sadb_msg *msg, host_t *src, host_t *dst)
 	nat_port->sadb_x_nat_t_port_port = htons(dst->get_port(dst));
 	PFKEY_EXT_ADD(msg, nat_port);
 }
+#endif /*HAVE_NATT*/
 
 /**
  * Convert a sadb_address to a traffic_selector
@@ -606,7 +671,7 @@ static traffic_selector_t* sadb_address2ts(struct sadb_address *address)
      */
 	host = host_create_from_sockaddr((sockaddr_t*)&address[1])	;
 	ts = traffic_selector_create_from_subnet(host, address->sadb_address_prefixlen,
- 				address->sadb_address_proto, host->get_port(host));
+				address->sadb_address_proto, host->get_port(host));
 	return ts;
 }
 
@@ -645,7 +710,7 @@ static status_t parse_pfkey_message(struct sadb_msg *msg, pfkey_msg_t *out)
 		
 		if (out->ext[ext->sadb_ext_type])
 		{
-			DBG1(DBG_KNL, "duplicate %N extension",			
+			DBG1(DBG_KNL, "duplicate %N extension",
 						   sadb_ext_type_names, ext->sadb_ext_type);
 			break;
 		}
@@ -699,7 +764,7 @@ static status_t pfkey_send_socket(private_kernel_pfkey_ipsec_t *this, int socket
 	}
 	
 	while (TRUE)
-	{	
+	{
 		msg = (struct sadb_msg*)buf;
 		
 		len = recv(socket, buf, sizeof(buf), 0);
@@ -757,7 +822,7 @@ static status_t pfkey_send_socket(private_kernel_pfkey_ipsec_t *this, int socket
 	*out_len = len;
 	*out = (struct sadb_msg*)malloc(len);
 	memcpy(*out, buf, len);
-		
+	
 	this->mutex_pfkey->unlock(this->mutex_pfkey);
 	
 	return SUCCESS;
@@ -868,8 +933,9 @@ static void process_expire(private_kernel_pfkey_ipsec_t *this, struct sadb_msg*
 	charon->processor->queue_job(charon->processor, job);
 }
 
+#ifdef SADB_X_MIGRATE
 /**
- * Process a SADB_MIGRATE message from the kernel
+ * Process a SADB_X_MIGRATE message from the kernel
  */
 static void process_migrate(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg)
 {
@@ -893,7 +959,7 @@ static void process_migrate(private_kernel_pfkey_ipsec_t *this, struct sadb_msg*
 	DBG2(DBG_KNL, "  policy %R === %R %N, id %u", src_ts, dst_ts,
 					 policy_dir_names, dir);
 	
-	/* SADB_X_EXT_KMADDRESS is not present in unpatched kernels < 2.6.28 */   
+	/* SADB_X_EXT_KMADDRESS is not present in unpatched kernels < 2.6.28 */
 	if (response.x_kmaddress)
 	{
 		sockaddr_t *local_addr, *remote_addr;
@@ -924,7 +990,9 @@ static void process_migrate(private_kernel_pfkey_ipsec_t *this, struct sadb_msg*
 		DESTROY_IF(remote);
 	}
 }
+#endif /*SADB_X_MIGRATE*/
 
+#ifdef HAVE_NATT
 /**
  * Process a SADB_X_NAT_T_NEW_MAPPING message from the kernel
  */
@@ -980,6 +1048,7 @@ static void process_mapping(private_kernel_pfkey_ipsec_t *this, struct sadb_msg*
 		}
 	}
 }
+#endif /*HAVE_NATT*/
 
 /**
  * Receives events from kernel
@@ -991,7 +1060,7 @@ static job_requeue_t receive_events(private_kernel_pfkey_ipsec_t *this)
 	int len, oldstate;
 	
 	pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
-	len = recv(this->socket_events, buf, sizeof(buf), 0);
+	len = recvfrom(this->socket_events, buf, sizeof(buf), 0, NULL, 0);
 	pthread_setcancelstate(oldstate, NULL);
 	
 	if (len < 0)
@@ -1035,12 +1104,16 @@ static job_requeue_t receive_events(private_kernel_pfkey_ipsec_t *this)
 		case SADB_EXPIRE:
 			process_expire(this, msg);
 			break;
+#ifdef SADB_X_MIGRATE
 		case SADB_X_MIGRATE:
 			process_migrate(this, msg);
 			break;
+#endif /*SADB_X_MIGRATE*/
+#ifdef HAVE_NATT
 		case SADB_X_NAT_T_NEW_MAPPING:
 			process_mapping(this, msg);
 			break;
+#endif /*HAVE_NATT*/
 		default:
 			break;
 	}
@@ -1051,8 +1124,8 @@ static job_requeue_t receive_events(private_kernel_pfkey_ipsec_t *this)
 /**
  * Implementation of kernel_interface_t.get_spi.
  */
-static status_t get_spi(private_kernel_pfkey_ipsec_t *this, 
-						host_t *src, host_t *dst, 
+static status_t get_spi(private_kernel_pfkey_ipsec_t *this,
+						host_t *src, host_t *dst,
 						protocol_id_t protocol, u_int32_t reqid,
 						u_int32_t *spi)
 {
@@ -1099,7 +1172,7 @@ static status_t get_spi(private_kernel_pfkey_ipsec_t *this,
 		{
 			received_spi = response.sa->sadb_sa_spi;
 		}
-		free(out);	
+		free(out);
 	}
 	
 	if (received_spi == 0)
@@ -1114,8 +1187,8 @@ static status_t get_spi(private_kernel_pfkey_ipsec_t *this,
 /**
  * Implementation of kernel_interface_t.get_cpi.
  */
-static status_t get_cpi(private_kernel_pfkey_ipsec_t *this, 
-						host_t *src, host_t *dst, 
+static status_t get_cpi(private_kernel_pfkey_ipsec_t *this,
+						host_t *src, host_t *dst,
 						u_int32_t reqid, u_int16_t *cpi)
 {
 	return FAILED;
@@ -1226,11 +1299,13 @@ static status_t add_sa(private_kernel_pfkey_ipsec_t *this,
 	{
 		/*TODO*/
 	}
-	
+
+#ifdef HAVE_NATT
 	if (encap)
 	{
 		add_encap_ext(msg, src, dst);
 	}
+#endif /*HAVE_NATT*/
 	
 	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
 	{
@@ -1346,11 +1421,13 @@ static status_t update_sa(private_kernel_pfkey_ipsec_t *this,
 	{
 		PFKEY_EXT_COPY(msg, response.key_auth);
 	}
-	
+
+#ifdef HAVE_NATT
 	if (new_encap)
 	{
 		add_encap_ext(msg, new_src, new_dst);
 	}
+#endif /*HAVE_NATT*/
 	
 	free(out);
 	
@@ -1374,8 +1451,9 @@ static status_t update_sa(private_kernel_pfkey_ipsec_t *this,
 /**
  * Implementation of kernel_interface_t.del_sa.
  */
-static status_t del_sa(private_kernel_pfkey_ipsec_t *this, host_t *dst,
-					   u_int32_t spi, protocol_id_t protocol, u_int16_t cpi)
+static status_t del_sa(private_kernel_pfkey_ipsec_t *this, host_t *src,
+					   host_t *dst, u_int32_t spi, protocol_id_t protocol,
+					   u_int16_t cpi)
 {
 	unsigned char request[PFKEY_BUFFER_SIZE];
 	struct sadb_msg *msg, *out;
@@ -1398,9 +1476,8 @@ static status_t del_sa(private_kernel_pfkey_ipsec_t *this, host_t *dst,
 	sa->sadb_sa_spi = spi;
 	PFKEY_EXT_ADD(msg, sa);
 	
-	/* the kernel wants a SADB_EXT_ADDRESS_SRC to be present even though
-	 * it is not used for anything. */
-	add_anyaddr_ext(msg, dst->get_family(dst), SADB_EXT_ADDRESS_SRC);
+	/* the Linux Kernel doesn't care for the src address, but other systems do (e.g. FreeBSD) */
+	add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0);
 	add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
 	
 	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
@@ -1424,7 +1501,7 @@ static status_t del_sa(private_kernel_pfkey_ipsec_t *this, host_t *dst,
 /**
  * Implementation of kernel_interface_t.add_policy.
  */
-static status_t add_policy(private_kernel_pfkey_ipsec_t *this, 
+static status_t add_policy(private_kernel_pfkey_ipsec_t *this,
 						   host_t *src, host_t *dst,
 						   traffic_selector_t *src_ts,
 						   traffic_selector_t *dst_ts,
@@ -1463,7 +1540,7 @@ static status_t add_policy(private_kernel_pfkey_ipsec_t *this,
 		this->policies->insert_last(this->policies, policy);
 		policy->refcount = 1;
 	}
-		
+	
 	memset(&request, 0, sizeof(request));
 	
 	DBG2(DBG_KNL, "adding policy %R === %R %N", src_ts, dst_ts,
@@ -1480,12 +1557,14 @@ static status_t add_policy(private_kernel_pfkey_ipsec_t *this,
 	pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
 	pol->sadb_x_policy_id = 0;
 	pol->sadb_x_policy_dir = dir2kernel(direction);
+	pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
+#ifdef HAVE_STRUCT_SADB_X_POLICY_SADB_X_POLICY_PRIORITY
 	/* calculate priority based on source selector size, small size = high prio */
 	pol->sadb_x_policy_priority = routed ? PRIO_LOW : PRIO_HIGH;
 	pol->sadb_x_policy_priority -= policy->src.mask * 10;
 	pol->sadb_x_policy_priority -= policy->src.proto != IPSEC_PROTO_ANY ? 2 : 0;
 	pol->sadb_x_policy_priority -= policy->src.net->get_port(policy->src.net) ? 1 : 0;
-	pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
+#endif
 	
 	/* one or more sadb_x_ipsecrequest extensions are added to the sadb_x_policy extension */
 	req = (struct sadb_x_ipsecrequest*)(pol + 1);
@@ -1599,9 +1678,9 @@ static status_t add_policy(private_kernel_pfkey_ipsec_t *this,
 		{
 			free(route);
 		}
-	}	
+	}
 	
-	this->mutex->unlock(this->mutex);	
+	this->mutex->unlock(this->mutex);
 	
 	return SUCCESS;
 }
@@ -1610,7 +1689,7 @@ static status_t add_policy(private_kernel_pfkey_ipsec_t *this,
  * Implementation of kernel_interface_t.query_policy.
  */
 static status_t query_policy(private_kernel_pfkey_ipsec_t *this,
-							 traffic_selector_t *src_ts, 
+							 traffic_selector_t *src_ts,
 							 traffic_selector_t *dst_ts,
 							 policy_dir_t direction, u_int32_t *use_time)
 {
@@ -1689,7 +1768,7 @@ static status_t query_policy(private_kernel_pfkey_ipsec_t *this,
 	*use_time = response.lft_current->sadb_lifetime_usetime;
 	
 	free(out);
-			
+	
 	return SUCCESS;
 }
 
@@ -1697,7 +1776,7 @@ static status_t query_policy(private_kernel_pfkey_ipsec_t *this,
  * Implementation of kernel_interface_t.del_policy.
  */
 static status_t del_policy(private_kernel_pfkey_ipsec_t *this,
-						   traffic_selector_t *src_ts, 
+						   traffic_selector_t *src_ts,
 						   traffic_selector_t *dst_ts,
 						   policy_dir_t direction, bool unrouted)
 {
@@ -1722,7 +1801,7 @@ static status_t del_policy(private_kernel_pfkey_ipsec_t *this,
 		if (--found->refcount > 0)
 		{
 			/* is used by more SAs, keep in kernel */
-			DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed");	
+			DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed");
 			policy_entry_destroy(policy);
 			this->mutex->unlock(this->mutex);
 			return SUCCESS;
@@ -1741,7 +1820,7 @@ static status_t del_policy(private_kernel_pfkey_ipsec_t *this,
 		return NOT_FOUND;
 	}
 	this->mutex->unlock(this->mutex);
-		
+	
 	memset(&request, 0, sizeof(request));
 	
 	msg = (struct sadb_msg*)request;
@@ -1791,7 +1870,7 @@ static status_t del_policy(private_kernel_pfkey_ipsec_t *this,
 			DBG1(DBG_KNL, "error uninstalling route installed with "
 						  "policy %R === %R %N", src_ts, dst_ts,
 						   policy_dir_names, direction);
-		}		
+		}
 		route_entry_destroy(route);
 	}
 	
@@ -1863,22 +1942,26 @@ static bool add_bypass_policies(private_kernel_pfkey_ipsec_t *this)
 		switch (family)
 		{
 			case AF_INET:
+			{
 				sol = SOL_IP;
 				ipsec_policy = IP_IPSEC_POLICY;
 				break;
+			}
 			case AF_INET6:
 			{
 				sol = SOL_IPV6;
 				ipsec_policy = IPV6_IPSEC_POLICY;
 				break;
 			}
+			default:
+				continue;
 		}
 		
 		memset(&policy, 0, sizeof(policy));
 		policy.sadb_x_policy_len = sizeof(policy) / sizeof(u_int64_t);
 		policy.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
 		policy.sadb_x_policy_type = IPSEC_POLICY_BYPASS;
-	
+		
 		policy.sadb_x_policy_dir = IPSEC_DIR_OUTBOUND;
 		if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
 		{
@@ -1890,7 +1973,7 @@ static bool add_bypass_policies(private_kernel_pfkey_ipsec_t *this)
 		policy.sadb_x_policy_dir = IPSEC_DIR_INBOUND;
 		if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
 		{
-			DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s", 
+			DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
 				 strerror(errno));
 			status = FALSE;
 			break;
@@ -1912,7 +1995,7 @@ kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create()
 	this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
 	this->public.interface.add_sa  = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa;
 	this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa;
-	this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
+	this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
 	this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t,protocol_id_t,u_int32_t,ipsec_mode_t,u_int16_t,u_int16_t,bool))add_policy;
 	this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
 	this->public.interface.del_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,bool))del_policy;
diff --git a/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.h b/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.h
index db05462f4..649f93733 100644
--- a/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.h
+++ b/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: kernel_pfkey_ipsec.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/charon/plugins/kernel_pfkey/kernel_pfkey_plugin.c b/src/charon/plugins/kernel_pfkey/kernel_pfkey_plugin.c
index 93015d75a..09dc4780d 100644
--- a/src/charon/plugins/kernel_pfkey/kernel_pfkey_plugin.c
+++ b/src/charon/plugins/kernel_pfkey/kernel_pfkey_plugin.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: kernel_pfkey_plugin.c 4361 2008-10-01 16:47:51Z tobias $
  */
 
 
diff --git a/src/charon/plugins/kernel_pfkey/kernel_pfkey_plugin.h b/src/charon/plugins/kernel_pfkey/kernel_pfkey_plugin.h
index f091c6d81..2f168aa9c 100644
--- a/src/charon/plugins/kernel_pfkey/kernel_pfkey_plugin.h
+++ b/src/charon/plugins/kernel_pfkey/kernel_pfkey_plugin.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: kernel_pfkey_plugin.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/charon/plugins/kernel_pfroute/Makefile.am b/src/charon/plugins/kernel_pfroute/Makefile.am
new file mode 100644
index 000000000..3ad445c09
--- /dev/null
+++ b/src/charon/plugins/kernel_pfroute/Makefile.am
@@ -0,0 +1,10 @@
+
+INCLUDES = -I${linuxdir} -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
+
+AM_CFLAGS = -rdynamic
+
+plugin_LTLIBRARIES = libstrongswan-kernel-pfroute.la
+
+libstrongswan_kernel_pfroute_la_SOURCES = kernel_pfroute_plugin.h kernel_pfroute_plugin.c \
+	kernel_pfroute_net.h kernel_pfroute_net.c
+libstrongswan_kernel_pfroute_la_LDFLAGS = -module
diff --git a/src/charon/plugins/kernel_pfroute/Makefile.in b/src/charon/plugins/kernel_pfroute/Makefile.in
new file mode 100644
index 000000000..e585a7db2
--- /dev/null
+++ b/src/charon/plugins/kernel_pfroute/Makefile.in
@@ -0,0 +1,510 @@
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/charon/plugins/kernel_pfroute
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__installdirs = "$(DESTDIR)$(plugindir)"
+pluginLTLIBRARIES_INSTALL = $(INSTALL)
+LTLIBRARIES = $(plugin_LTLIBRARIES)
+libstrongswan_kernel_pfroute_la_LIBADD =
+am_libstrongswan_kernel_pfroute_la_OBJECTS = kernel_pfroute_plugin.lo \
+	kernel_pfroute_net.lo
+libstrongswan_kernel_pfroute_la_OBJECTS =  \
+	$(am_libstrongswan_kernel_pfroute_la_OBJECTS)
+libstrongswan_kernel_pfroute_la_LINK = $(LIBTOOL) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_kernel_pfroute_la_LDFLAGS) $(LDFLAGS) -o $@
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_kernel_pfroute_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_kernel_pfroute_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
+IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LINUX_HEADERS = @LINUX_HEADERS@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+RANLIB = @RANLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+confdir = @confdir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libstrongswan_plugins = @libstrongswan_plugins@
+linuxdir = @linuxdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+resolv_conf = @resolv_conf@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+simreader = @simreader@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I${linuxdir} -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
+AM_CFLAGS = -rdynamic
+plugin_LTLIBRARIES = libstrongswan-kernel-pfroute.la
+libstrongswan_kernel_pfroute_la_SOURCES = kernel_pfroute_plugin.h kernel_pfroute_plugin.c \
+	kernel_pfroute_net.h kernel_pfroute_net.c
+
+libstrongswan_kernel_pfroute_la_LDFLAGS = -module
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/charon/plugins/kernel_pfroute/Makefile'; \
+	cd $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu  src/charon/plugins/kernel_pfroute/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    f=$(am__strip_dir) \
+	    echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(plugindir)/$$f'"; \
+	    $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(plugindir)/$$f"; \
+	  else :; fi; \
+	done
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  p=$(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$p'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$p"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-kernel-pfroute.la: $(libstrongswan_kernel_pfroute_la_OBJECTS) $(libstrongswan_kernel_pfroute_la_DEPENDENCIES) 
+	$(libstrongswan_kernel_pfroute_la_LINK) -rpath $(plugindir) $(libstrongswan_kernel_pfroute_la_OBJECTS) $(libstrongswan_kernel_pfroute_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_pfroute_net.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_pfroute_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	    $$tags $$unique; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$tags $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) $$here
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	    fi; \
+	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
+	mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-info: install-info-am
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
+	distclean-compile distclean-generic distclean-libtool \
+	distclean-tags distdir dvi dvi-am html html-am info info-am \
+	install install-am install-data install-data-am install-dvi \
+	install-dvi-am install-exec install-exec-am install-html \
+	install-html-am install-info install-info-am install-man \
+	install-pdf install-pdf-am install-pluginLTLIBRARIES \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/charon/plugins/kernel_pfroute/kernel_pfroute_net.c b/src/charon/plugins/kernel_pfroute/kernel_pfroute_net.c
new file mode 100644
index 000000000..c2b35a5ce
--- /dev/null
+++ b/src/charon/plugins/kernel_pfroute/kernel_pfroute_net.c
@@ -0,0 +1,713 @@
+/*
+ * Copyright (C) 2009 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <net/if.h>
+#include <ifaddrs.h>
+#include <net/route.h>
+#include <unistd.h>
+#include <pthread.h>
+#include <errno.h>
+
+#include "kernel_pfroute_net.h"
+
+#include <daemon.h>
+#include <utils/host.h>
+#include <utils/mutex.h>
+#include <utils/linked_list.h>
+#include <processing/jobs/callback_job.h>
+#include <processing/jobs/roam_job.h>
+
+#ifndef HAVE_STRUCT_SOCKADDR_SA_LEN
+#error Cannot compile this plugin on systems where 'struct sockaddr' has no sa_len member.
+#endif
+
+/** delay before firing roam jobs (ms) */
+#define ROAM_DELAY 100
+
+/** buffer size for PF_ROUTE messages */
+#define PFROUTE_BUFFER_SIZE 4096
+
+typedef struct addr_entry_t addr_entry_t;
+
+/**
+ * IP address in an inface_entry_t
+ */
+struct addr_entry_t {
+	
+	/** The ip address */
+	host_t *ip;
+	
+	/** virtual IP managed by us */
+	bool virtual;
+	
+	/** Number of times this IP is used, if virtual */
+	u_int refcount;
+};
+
+/**
+ * destroy a addr_entry_t object
+ */
+static void addr_entry_destroy(addr_entry_t *this)
+{
+	this->ip->destroy(this->ip);
+	free(this);
+}
+
+typedef struct iface_entry_t iface_entry_t;
+
+/**
+ * A network interface on this system, containing addr_entry_t's
+ */
+struct iface_entry_t {
+	
+	/** interface index */
+	int ifindex;
+	
+	/** name of the interface */
+	char ifname[IFNAMSIZ];
+	
+	/** interface flags, as in netdevice(7) SIOCGIFFLAGS */
+	u_int flags;
+	
+	/** list of addresses as host_t */
+	linked_list_t *addrs;
+};
+
+/**
+ * destroy an interface entry
+ */
+static void iface_entry_destroy(iface_entry_t *this)
+{
+	this->addrs->destroy_function(this->addrs, (void*)addr_entry_destroy);
+	free(this);
+}
+
+
+typedef struct private_kernel_pfroute_net_t private_kernel_pfroute_net_t;
+
+/**
+ * Private variables and functions of kernel_pfroute class.
+ */
+struct private_kernel_pfroute_net_t
+{
+	/**
+	 * Public part of the kernel_pfroute_t object.
+	 */
+	kernel_pfroute_net_t public;
+	
+	/**
+	 * mutex to lock access to various lists
+	 */
+	mutex_t *mutex;
+	
+	/**
+	 * Cached list of interfaces and their addresses (iface_entry_t)
+	 */
+	linked_list_t *ifaces;
+	
+	/**
+	 * job receiving PF_ROUTE events
+	 */
+	callback_job_t *job;
+	
+	/**
+	 * mutex to lock access to the PF_ROUTE socket
+	 */
+	mutex_t *mutex_pfroute;
+	
+	/**
+	 * PF_ROUTE socket to communicate with the kernel
+	 */
+	int socket;
+	
+	/**
+	 * PF_ROUTE socket to receive events
+	 */
+	int socket_events;
+	
+	/**
+	 * sequence number for messages sent to the kernel
+	 */
+	int seq;
+	
+	/**
+	 * time of last roam job
+	 */
+	struct timeval last_roam;
+};
+
+/**
+ * Start a roaming job. We delay it a bit and fire only one job
+ * for multiple events. Otherwise we would create too many jobs.
+ */
+static void fire_roam_job(private_kernel_pfroute_net_t *this, bool address)
+{
+	struct timeval now;
+	
+	if (gettimeofday(&now, NULL) == 0)
+	{
+		if (timercmp(&now, &this->last_roam, >))
+		{
+			now.tv_usec += ROAM_DELAY * 1000;
+			while (now.tv_usec > 1000000)
+			{
+				now.tv_sec++;
+				now.tv_usec -= 1000000;
+			}
+			this->last_roam = now;
+			charon->scheduler->schedule_job_ms(charon->scheduler,
+				(job_t*)roam_job_create(address), ROAM_DELAY);
+		}
+	}
+}
+
+/**
+ * Process an RTM_*ADDR message from the kernel
+ */
+static void process_addr(private_kernel_pfroute_net_t *this,
+						 struct rt_msghdr *msg)
+{
+	struct ifa_msghdr *ifa = (struct ifa_msghdr*)msg;
+	sockaddr_t *sockaddr = (sockaddr_t*)(ifa + 1);
+	host_t *host = NULL;
+	enumerator_t *ifaces, *addrs;
+	iface_entry_t *iface;
+	addr_entry_t *addr;
+	bool found = FALSE, changed = FALSE, roam = FALSE;
+	int i;
+	
+	for (i = 1; i < (1 << RTAX_MAX); i <<= 1)
+	{
+		if (ifa->ifam_addrs & i)
+		{
+			if (RTA_IFA & i)
+			{
+				host = host_create_from_sockaddr(sockaddr);
+				break;
+			}
+			sockaddr = (sockaddr_t*)((char*)sockaddr + sockaddr->sa_len);
+		}
+	}
+	
+	if (!host)
+	{
+		return;
+	}
+	
+	this->mutex->lock(this->mutex);
+	ifaces = this->ifaces->create_enumerator(this->ifaces);
+	while (ifaces->enumerate(ifaces, &iface))
+	{
+		if (iface->ifindex == ifa->ifam_index)
+		{
+			addrs = iface->addrs->create_enumerator(iface->addrs);
+			while (addrs->enumerate(addrs, &addr))
+			{
+				if (host->ip_equals(host, addr->ip))
+				{
+					found = TRUE;
+					if (ifa->ifam_type == RTM_DELADDR)
+					{
+						iface->addrs->remove_at(iface->addrs, addrs);
+						if (!addr->virtual)
+						{
+							changed = TRUE;
+							DBG1(DBG_KNL, "%H disappeared from %s",
+								 host, iface->ifname);
+						}
+						addr_entry_destroy(addr);
+					}
+					else if (ifa->ifam_type == RTM_NEWADDR && addr->virtual)
+					{
+						addr->refcount = 1;
+					}
+				}
+			}
+			addrs->destroy(addrs);
+			
+			if (!found && ifa->ifam_type == RTM_NEWADDR)
+			{
+				changed = TRUE;
+				addr = malloc_thing(addr_entry_t);
+				addr->ip = host->clone(host);
+				addr->virtual = FALSE;
+				addr->refcount = 1;
+				iface->addrs->insert_last(iface->addrs, addr);
+				DBG1(DBG_KNL, "%H appeared on %s", host, iface->ifname);
+			}
+			
+			if (changed && (iface->flags & IFF_UP))
+			{
+				roam = TRUE;
+			}
+			break;
+		}
+	}
+	ifaces->destroy(ifaces);
+	this->mutex->unlock(this->mutex);
+	host->destroy(host);
+	
+	if (roam)
+	{
+		fire_roam_job(this, TRUE);
+	}
+}
+
+/**
+ * Process an RTM_IFINFO message from the kernel
+ */
+static void process_link(private_kernel_pfroute_net_t *this,
+						 struct rt_msghdr *hdr)
+{
+	struct if_msghdr *msg = (struct if_msghdr*)hdr;
+	enumerator_t *enumerator;
+	iface_entry_t *iface;
+	bool roam = FALSE;
+	
+	if (msg->ifm_flags & IFF_LOOPBACK)
+	{	/* ignore loopback interfaces */
+		return;
+	}
+	
+	this->mutex->lock(this->mutex);
+	enumerator = this->ifaces->create_enumerator(this->ifaces);
+	while (enumerator->enumerate(enumerator, &iface))
+	{
+		if (iface->ifindex == msg->ifm_index)
+		{
+			if (!(iface->flags & IFF_UP) && (msg->ifm_flags & IFF_UP))
+			{
+				roam = TRUE;
+				DBG1(DBG_KNL, "interface %s activated", iface->ifname);
+			}
+			else if ((iface->flags & IFF_UP) && !(msg->ifm_flags & IFF_UP))
+			{
+				roam = TRUE;
+				DBG1(DBG_KNL, "interface %s deactivated", iface->ifname);
+			}
+			iface->flags = msg->ifm_flags;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->mutex->unlock(this->mutex);
+	
+	if (roam)
+	{
+		fire_roam_job(this, TRUE);
+	}
+}
+
+/**
+ * Process an RTM_*ROUTE message from the kernel
+ */
+static void process_route(private_kernel_pfroute_net_t *this,
+						  struct rt_msghdr *msg)
+{
+
+}
+
+/**
+ * Receives events from kernel
+ */
+static job_requeue_t receive_events(private_kernel_pfroute_net_t *this)
+{
+	unsigned char buf[PFROUTE_BUFFER_SIZE];
+	struct rt_msghdr *msg = (struct rt_msghdr*)buf;
+	int len, oldstate;
+	
+	pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
+	len = recvfrom(this->socket_events, buf, sizeof(buf), 0, NULL, 0);
+	pthread_setcancelstate(oldstate, NULL);
+	
+	if (len < 0)
+	{
+		switch (errno)
+		{
+			case EINTR:
+				/* interrupted, try again */
+				return JOB_REQUEUE_DIRECT;
+			case EAGAIN:
+				/* no data ready, select again */
+				return JOB_REQUEUE_DIRECT;
+			default:
+				DBG1(DBG_KNL, "unable to receive from PF_ROUTE event socket");
+				sleep(1);
+				return JOB_REQUEUE_FAIR;
+		}
+	}
+	
+	if (len < sizeof(msg->rtm_msglen) || len < msg->rtm_msglen ||
+		msg->rtm_version != RTM_VERSION)
+	{
+		DBG2(DBG_KNL, "received corrupted PF_ROUTE message");
+		return JOB_REQUEUE_DIRECT;
+	}
+	
+	switch (msg->rtm_type)
+	{
+		case RTM_NEWADDR:
+		case RTM_DELADDR:
+			process_addr(this, msg);
+			break;
+		case RTM_IFINFO:
+		/*case RTM_IFANNOUNCE <- what about this*/
+			process_link(this, msg);
+			break;
+		case RTM_ADD:
+		case RTM_DELETE:
+			process_route(this, msg);
+		default:
+			break;
+	}
+	
+	return JOB_REQUEUE_DIRECT;
+}
+
+
+/** enumerator over addresses */
+typedef struct {
+	private_kernel_pfroute_net_t* this;
+	/** whether to enumerate down interfaces */
+	bool include_down_ifaces;
+	/** whether to enumerate virtual ip addresses */
+	bool include_virtual_ips;
+} address_enumerator_t;
+
+/**
+ * cleanup function for address enumerator
+ */
+static void address_enumerator_destroy(address_enumerator_t *data)
+{
+	data->this->mutex->unlock(data->this->mutex);
+	free(data);
+}
+
+/**
+ * filter for addresses
+ */
+static bool filter_addresses(address_enumerator_t *data, addr_entry_t** in, host_t** out)
+{
+	host_t *ip;
+	if (!data->include_virtual_ips && (*in)->virtual)
+	{   /* skip virtual interfaces added by us */
+		return FALSE;
+	}
+	ip = (*in)->ip;
+	if (ip->get_family(ip) == AF_INET6)
+	{
+		struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)ip->get_sockaddr(ip);
+		if (IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr))
+		{   /* skip addresses with a unusable scope */
+			return FALSE;
+		}
+	}
+	*out = ip;
+	return TRUE;
+}
+
+/**
+ * enumerator constructor for interfaces
+ */
+static enumerator_t *create_iface_enumerator(iface_entry_t *iface, address_enumerator_t *data)
+{
+	return enumerator_create_filter(iface->addrs->create_enumerator(iface->addrs),
+									(void*)filter_addresses, data, NULL);
+}
+
+/**
+ * filter for interfaces
+ */
+static bool filter_interfaces(address_enumerator_t *data, iface_entry_t** in, iface_entry_t** out)
+{
+	if (!data->include_down_ifaces && !((*in)->flags & IFF_UP))
+	{   /* skip interfaces not up */
+		return FALSE;
+	}
+	*out = *in;
+	return TRUE;
+}
+
+/**
+ * implementation of kernel_net_t.create_address_enumerator
+ */
+static enumerator_t *create_address_enumerator(private_kernel_pfroute_net_t *this,
+		bool include_down_ifaces, bool include_virtual_ips)
+{
+	address_enumerator_t *data = malloc_thing(address_enumerator_t);
+	data->this = this;
+	data->include_down_ifaces = include_down_ifaces;
+	data->include_virtual_ips = include_virtual_ips;
+
+	this->mutex->lock(this->mutex);
+	return enumerator_create_nested(
+				enumerator_create_filter(this->ifaces->create_enumerator(this->ifaces),
+						(void*)filter_interfaces, data, NULL),
+				(void*)create_iface_enumerator, data, (void*)address_enumerator_destroy);
+}
+
+/**
+ * implementation of kernel_net_t.get_interface_name
+ */
+static char *get_interface_name(private_kernel_pfroute_net_t *this, host_t* ip)
+{
+	enumerator_t *ifaces, *addrs;
+	iface_entry_t *iface;
+	addr_entry_t *addr;
+	char *name = NULL;
+
+	DBG2(DBG_KNL, "getting interface name for %H", ip);
+
+	this->mutex->lock(this->mutex);
+	ifaces = this->ifaces->create_enumerator(this->ifaces);
+	while (ifaces->enumerate(ifaces, &iface))
+	{
+		addrs = iface->addrs->create_enumerator(iface->addrs);
+		while (addrs->enumerate(addrs, &addr))
+		{
+			if (ip->ip_equals(ip, addr->ip))
+			{
+				name = strdup(iface->ifname);
+				break;
+			}
+		}
+		addrs->destroy(addrs);
+		if (name)
+		{
+			break;
+		}
+	}
+	ifaces->destroy(ifaces);
+	this->mutex->unlock(this->mutex);
+	
+	if (name)
+	{
+		DBG2(DBG_KNL, "%H is on interface %s", ip, name);
+	}
+	else
+	{
+		DBG2(DBG_KNL, "%H is not a local address", ip);
+	}
+	return name;
+}
+
+/**
+ * Implementation of kernel_net_t.get_source_addr.
+ */
+static host_t* get_source_addr(private_kernel_pfroute_net_t *this,
+							   host_t *dest, host_t *src)
+{
+	return NULL;
+}
+
+/**
+ * Implementation of kernel_net_t.get_nexthop.
+ */
+static host_t* get_nexthop(private_kernel_pfroute_net_t *this, host_t *dest)
+{
+	return NULL;
+}
+
+/**
+ * Implementation of kernel_net_t.add_ip.
+ */
+static status_t add_ip(private_kernel_pfroute_net_t *this,
+						host_t *virtual_ip, host_t *iface_ip)
+{
+	return FAILED;
+}
+
+/**
+ * Implementation of kernel_net_t.del_ip.
+ */
+static status_t del_ip(private_kernel_pfroute_net_t *this, host_t *virtual_ip)
+{
+	return FAILED;
+}
+
+/**
+ * Implementation of kernel_net_t.add_route.
+ */
+static status_t add_route(private_kernel_pfroute_net_t *this, chunk_t dst_net,
+		u_int8_t prefixlen, host_t *gateway, host_t *src_ip, char *if_name)
+{
+	return FAILED;
+}
+
+/**
+ * Implementation of kernel_net_t.del_route.
+ */
+static status_t del_route(private_kernel_pfroute_net_t *this, chunk_t dst_net,
+		u_int8_t prefixlen, host_t *gateway, host_t *src_ip, char *if_name)
+{
+	return FAILED;
+}
+
+/**
+ * Initialize a list of local addresses.
+ */
+static status_t init_address_list(private_kernel_pfroute_net_t *this)
+{
+	struct ifaddrs *ifap, *ifa;
+	iface_entry_t *iface, *current;
+	addr_entry_t *addr;
+	enumerator_t *ifaces, *addrs;
+	
+	DBG1(DBG_KNL, "listening on interfaces:");
+	
+	if (getifaddrs(&ifap) < 0)
+	{
+		DBG1(DBG_KNL, "  failed to get interfaces!");
+		return FAILED;
+	}
+	
+	for (ifa = ifap; ifa != NULL; ifa = ifa->ifa_next)
+	{
+		if (ifa->ifa_addr == NULL)
+		{
+			continue;
+		}
+		switch(ifa->ifa_addr->sa_family)
+		{
+			case AF_LINK:
+			case AF_INET:
+			case AF_INET6:
+			{
+				if (ifa->ifa_flags & IFF_LOOPBACK)
+				{	/* ignore loopback interfaces */
+					continue;
+				}
+				
+				iface = NULL;
+				ifaces = this->ifaces->create_enumerator(this->ifaces);
+				while (ifaces->enumerate(ifaces, &current))
+				{
+					if (streq(current->ifname, ifa->ifa_name))
+					{
+						iface = current;
+						break;
+					}
+				}
+				ifaces->destroy(ifaces);
+				
+				if (!iface)
+				{
+					iface = malloc_thing(iface_entry_t);
+					memcpy(iface->ifname, ifa->ifa_name, IFNAMSIZ);
+					iface->ifindex = if_nametoindex(ifa->ifa_name);
+					iface->flags = ifa->ifa_flags;
+					iface->addrs = linked_list_create();
+					this->ifaces->insert_last(this->ifaces, iface);
+				}
+				
+				if (ifa->ifa_addr->sa_family != AF_LINK)
+				{
+					addr = malloc_thing(addr_entry_t);
+					addr->ip = host_create_from_sockaddr(ifa->ifa_addr);
+					addr->virtual = FALSE;
+					addr->refcount = 1;
+					iface->addrs->insert_last(iface->addrs, addr);
+				}
+			}
+		}
+	}
+	freeifaddrs(ifap);
+	
+	ifaces = this->ifaces->create_enumerator(this->ifaces);
+	while (ifaces->enumerate(ifaces, &iface))
+	{
+		if (iface->flags & IFF_UP)
+		{
+			DBG1(DBG_KNL, "  %s", iface->ifname);
+			addrs = iface->addrs->create_enumerator(iface->addrs);
+			while (addrs->enumerate(addrs, (void**)&addr))
+			{
+				DBG1(DBG_KNL, "    %H", addr->ip);
+			}
+			addrs->destroy(addrs);
+		}
+	}
+	ifaces->destroy(ifaces);
+	
+	return SUCCESS;
+}
+
+/**
+ * Implementation of kernel_netlink_net_t.destroy.
+ */
+static void destroy(private_kernel_pfroute_net_t *this)
+{
+	this->job->cancel(this->job);
+	close(this->socket);
+	close(this->socket_events);
+	this->ifaces->destroy_function(this->ifaces, (void*)iface_entry_destroy);
+	this->mutex->destroy(this->mutex);
+	this->mutex_pfroute->destroy(this->mutex_pfroute);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+kernel_pfroute_net_t *kernel_pfroute_net_create()
+{
+	private_kernel_pfroute_net_t *this = malloc_thing(private_kernel_pfroute_net_t);
+	
+	/* public functions */
+	this->public.interface.get_interface = (char*(*)(kernel_net_t*,host_t*))get_interface_name;
+	this->public.interface.create_address_enumerator = (enumerator_t*(*)(kernel_net_t*,bool,bool))create_address_enumerator;
+	this->public.interface.get_source_addr = (host_t*(*)(kernel_net_t*, host_t *dest, host_t *src))get_source_addr;
+	this->public.interface.get_nexthop = (host_t*(*)(kernel_net_t*, host_t *dest))get_nexthop;
+	this->public.interface.add_ip = (status_t(*)(kernel_net_t*,host_t*,host_t*)) add_ip;
+	this->public.interface.del_ip = (status_t(*)(kernel_net_t*,host_t*)) del_ip;
+	this->public.interface.add_route = (status_t(*)(kernel_net_t*,chunk_t,u_int8_t,host_t*,host_t*,char*)) add_route;
+	this->public.interface.del_route = (status_t(*)(kernel_net_t*,chunk_t,u_int8_t,host_t*,host_t*,char*)) del_route;
+	
+	this->public.interface.destroy = (void(*)(kernel_net_t*)) destroy;
+	
+	/* private members */
+	this->ifaces = linked_list_create();
+	this->mutex = mutex_create(MUTEX_DEFAULT);
+	this->mutex_pfroute = mutex_create(MUTEX_DEFAULT);
+	
+	this->seq = 0;
+	
+	/* create a PF_ROUTE socket to communicate with the kernel */
+	this->socket = socket(PF_ROUTE, SOCK_RAW, AF_UNSPEC);
+	if (this->socket <= 0)
+	{
+		charon->kill(charon, "unable to create PF_ROUTE socket");
+	}
+	
+	/* create a PF_ROUTE socket to receive events */
+	this->socket_events = socket(PF_ROUTE, SOCK_RAW, AF_UNSPEC);
+	if (this->socket_events <= 0)
+	{
+		charon->kill(charon, "unable to create PF_ROUTE event socket");
+	}
+	
+	this->job = callback_job_create((callback_job_cb_t)receive_events,
+									this, NULL, NULL);
+	charon->processor->queue_job(charon->processor, (job_t*)this->job);
+	
+	if (init_address_list(this) != SUCCESS)
+	{
+		charon->kill(charon, "unable to get interface list");
+	}
+	
+	return &this->public;
+}
diff --git a/src/charon/plugins/kernel_pfroute/kernel_pfroute_net.h b/src/charon/plugins/kernel_pfroute/kernel_pfroute_net.h
new file mode 100644
index 000000000..10c3c9eb7
--- /dev/null
+++ b/src/charon/plugins/kernel_pfroute/kernel_pfroute_net.h
@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) 2009 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup kernel_pfroute_net_i kernel_pfroute_net
+ * @{ @ingroup kernel_pfroute
+ */
+
+#ifndef KERNEL_PFROUTE_NET_H_
+#define KERNEL_PFROUTE_NET_H_
+
+#include <kernel/kernel_net.h>
+
+typedef struct kernel_pfroute_net_t kernel_pfroute_net_t;
+
+/**
+ * Implementation of the kernel net interface using PF_ROUTE.
+ */
+struct kernel_pfroute_net_t {
+
+	/**
+	 * Implements kernel_net_t interface
+	 */
+	kernel_net_t interface;
+};
+
+/**
+ * Create a PF_ROUTE kernel net interface instance.
+ *
+ * @return			kernel_pfroute_net_t instance
+ */
+kernel_pfroute_net_t *kernel_pfroute_net_create();
+
+#endif /** KERNEL_PFROUTE_NET_H_ @}*/
diff --git a/src/charon/plugins/kernel_pfroute/kernel_pfroute_plugin.c b/src/charon/plugins/kernel_pfroute/kernel_pfroute_plugin.c
new file mode 100644
index 000000000..767049bb0
--- /dev/null
+++ b/src/charon/plugins/kernel_pfroute/kernel_pfroute_plugin.c
@@ -0,0 +1,58 @@
+/*
+ * Copyright (C) 2009 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+
+#include "kernel_pfroute_plugin.h"
+
+#include "kernel_pfroute_net.h"
+
+#include <daemon.h>
+
+typedef struct private_kernel_pfroute_plugin_t private_kernel_pfroute_plugin_t;
+
+/**
+ * private data of kernel PF_ROUTE plugin
+ */
+struct private_kernel_pfroute_plugin_t {
+	/**
+	 * implements plugin interface
+	 */
+	kernel_pfroute_plugin_t public;
+};
+
+/**
+ * Implementation of plugin_t.destroy
+ */
+static void destroy(private_kernel_pfroute_plugin_t *this)
+{
+	charon->kernel_interface->remove_net_interface(charon->kernel_interface,
+						(kernel_net_constructor_t)kernel_pfroute_net_create);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *plugin_create()
+{
+	private_kernel_pfroute_plugin_t *this = malloc_thing(private_kernel_pfroute_plugin_t);
+	
+	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+	
+	charon->kernel_interface->add_net_interface(charon->kernel_interface,
+						(kernel_net_constructor_t)kernel_pfroute_net_create);
+	
+	return &this->public.plugin;
+}
diff --git a/src/charon/plugins/kernel_pfroute/kernel_pfroute_plugin.h b/src/charon/plugins/kernel_pfroute/kernel_pfroute_plugin.h
new file mode 100644
index 000000000..6caf097c6
--- /dev/null
+++ b/src/charon/plugins/kernel_pfroute/kernel_pfroute_plugin.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2009 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup kernel_pfroute kernel_pfroute
+ * @ingroup cplugins
+ *
+ * @defgroup kernel_pfroute_plugin kernel_pfroute_plugin
+ * @{ @ingroup kernel_pfroute
+ */
+
+#ifndef KERNEL_PFROUTE_PLUGIN_H_
+#define KERNEL_PFROUTE_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct kernel_pfroute_plugin_t kernel_pfroute_plugin_t;
+
+/**
+ * PF_ROUTE kernel interface plugin
+ */
+struct kernel_pfroute_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+/**
+ * Create a kernel_pfroute_plugin instance.
+ */
+plugin_t *plugin_create();
+
+#endif /** KERNEL_PFROUTE_PLUGIN_H_ @}*/
diff --git a/src/charon/plugins/load_tester/Makefile.in b/src/charon/plugins/load_tester/Makefile.in
index 5a24e83e9..056ac16d3 100644
--- a/src/charon/plugins/load_tester/Makefile.in
+++ b/src/charon/plugins/load_tester/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -92,6 +92,7 @@ CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -114,6 +115,9 @@ LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -125,6 +129,7 @@ MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
 NM = @NM@
 NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
@@ -138,6 +143,8 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 RANLIB = @RANLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -198,6 +205,7 @@ oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
 plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -209,6 +217,7 @@ srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 xml_CFLAGS = @xml_CFLAGS@
@@ -233,8 +242,8 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
 	    *$$dep*) \
-	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
-		&& exit 0; \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
 	      exit 1;; \
 	  esac; \
 	done; \
@@ -333,7 +342,7 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
 	mkid -fID $$unique
 tags: TAGS
diff --git a/src/charon/plugins/load_tester/load_tester_config.c b/src/charon/plugins/load_tester/load_tester_config.c
index f3cd33b61..963f7cc01 100644
--- a/src/charon/plugins/load_tester/load_tester_config.c
+++ b/src/charon/plugins/load_tester/load_tester_config.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 #include "load_tester_config.h"
@@ -57,9 +55,24 @@ struct private_load_tester_config_t {
 	proposal_t *proposal;
 	
 	/**
-	 * Authentication method to use
+	 * Authentication method(s) to use/expect from initiator
 	 */
-	auth_class_t class;
+	char *initiator_auth;
+	
+	/**
+	 * Authentication method(s) use/expected from responder
+	 */
+	char *responder_auth;
+	
+	/**
+	 * IKE_SA rekeying delay
+	 */
+	u_int ike_rekey;
+	
+	/**
+	 * CHILD_SA rekeying delay
+	 */
+	u_int child_rekey;
 	
 	/**
 	 * incremental numbering of generated configs
@@ -67,6 +80,97 @@ struct private_load_tester_config_t {
 	u_int num;
 };
 
+/**
+ * Generate auth config from string
+ */
+static void generate_auth_cfg(private_load_tester_config_t *this, char *str,
+							  peer_cfg_t *peer_cfg, bool local, int num)
+{
+	enumerator_t *enumerator;
+	auth_cfg_t *auth;
+	identification_t *id;
+	auth_class_t class;
+	eap_type_t type;
+	char buf[128];
+	int rnd = 0;
+	
+	enumerator = enumerator_create_token(str, "|", " ");
+	while (enumerator->enumerate(enumerator, &str))
+	{
+		auth = auth_cfg_create();
+		rnd++;
+		
+		if (streq(str, "psk"))
+		{	/* PSK authentication, use FQDNs */
+			class = AUTH_CLASS_PSK;
+			if ((local && !num) || (!local && num))
+			{
+				id = identification_create_from_string("srv.strongswan.org");
+			}
+			else if (local)
+			{
+				snprintf(buf, sizeof(buf), "c%d-r%d.strongswan.org", num, rnd);
+				id = identification_create_from_string(buf);
+			}
+			else
+			{
+				id = identification_create_from_string("*.strongswan.org");
+			}
+		}
+		else if (strneq(str, "eap", strlen("eap")))
+		{	/* EAP authentication, use a NAI */
+			class = AUTH_CLASS_EAP;
+			if (*(str + strlen("eap")) == '-')
+			{
+				type = eap_type_from_string(str + strlen("eap-"));
+				if (type)
+				{
+					auth->add(auth, AUTH_RULE_EAP_TYPE, type);
+				}
+			}
+			if (local && num)
+			{
+				snprintf(buf, sizeof(buf), "1%.10d%.4d@strongswan.org", num, rnd);
+				id = identification_create_from_string(buf);
+			}
+			else
+			{
+				id = identification_create_from_encoding(ID_ANY, chunk_empty);
+			}
+		}
+		else
+		{
+			if (!streq(str, "pubkey"))
+			{
+				DBG1(DBG_CFG, "invalid authentication: '%s', fallback to pubkey",
+					 str);
+			}
+			/* certificate authentication, use distinguished names */
+			class = AUTH_CLASS_PUBKEY;
+			if ((local && !num) || (!local && num))
+			{
+				id = identification_create_from_string(
+							"CN=srv, OU=load-test, O=strongSwan");
+			}
+			else if (local)
+			{
+				snprintf(buf, sizeof(buf),
+						 "CN=c%d-r%d, OU=load-test, O=strongSwan", num, rnd);
+				id = identification_create_from_string(buf);
+			}
+			else
+			{
+				id = identification_create_from_string(
+								"CN=*, OU=load-test, O=strongSwan");
+			}
+		}
+		auth->add(auth, AUTH_RULE_AUTH_CLASS, class);
+		auth->add(auth, AUTH_RULE_IDENTITY, id);
+		peer_cfg->add_auth_cfg(peer_cfg, auth, local);
+	}
+	enumerator->destroy(enumerator);
+}
+
 /**
  * Generate a new initiator config, num = 0 for responder config
  */
@@ -76,36 +180,29 @@ static peer_cfg_t* generate_config(private_load_tester_config_t *this, uint num)
 	child_cfg_t *child_cfg;
 	peer_cfg_t *peer_cfg;
 	traffic_selector_t *ts;
-	auth_info_t *auth;
-	identification_t *local, *remote;
 	proposal_t *proposal;
-	char buf[128];
 	
+	ike_cfg = ike_cfg_create(FALSE, FALSE, "0.0.0.0", this->remote);
+	ike_cfg->add_proposal(ike_cfg, this->proposal->clone(this->proposal));
+	peer_cfg = peer_cfg_create("load-test", 2, ike_cfg,
+							   CERT_SEND_IF_ASKED, UNIQUE_NO, 1, /* keytries */
+							   this->ike_rekey, 0, /* rekey, reauth */
+							   0, this->ike_rekey, /* jitter, overtime */
+							   FALSE, 0, /* mobike, dpddelay */
+							   this->vip ? this->vip->clone(this->vip) : NULL,
+							   this->pool, FALSE, NULL, NULL);
 	if (num)
 	{	/* initiator */
-		snprintf(buf, sizeof(buf), "CN=cli-%d, OU=load-test, O=strongSwan", num);
-		local = identification_create_from_string(buf);
-		snprintf(buf, sizeof(buf), "CN=srv, OU=load-test, O=strongSwan", num);
-		remote = identification_create_from_string(buf);
+		generate_auth_cfg(this, this->initiator_auth, peer_cfg, TRUE, num);
+		generate_auth_cfg(this, this->responder_auth, peer_cfg, FALSE, num);
 	}
 	else
 	{	/* responder */
-		local = identification_create_from_string(
-										"CN=srv, OU=load-test, O=strongSwan");
-		remote = identification_create_from_string(
-										"CN=*, OU=load-test, O=strongSwan");
+		generate_auth_cfg(this, this->responder_auth, peer_cfg, TRUE, num);
+		generate_auth_cfg(this, this->initiator_auth, peer_cfg, FALSE, num);
 	}
-	
-	ike_cfg = ike_cfg_create(FALSE, FALSE, "0.0.0.0", this->remote);
-	ike_cfg->add_proposal(ike_cfg, this->proposal->clone(this->proposal));
-	peer_cfg = peer_cfg_create("load-test", 2, ike_cfg, local, remote,
-			CERT_SEND_IF_ASKED, UNIQUE_NO, 1, 0, 0, /* keytries, rekey, reauth */
-			0, 0, FALSE, 0,	/* jitter, overtime, mobike, dpddelay */
-			this->vip ? this->vip->clone(this->vip) : NULL,
-			this->pool, FALSE, NULL, NULL);
-	auth = peer_cfg->get_auth(peer_cfg);
-	auth->add_item(auth, AUTHN_AUTH_CLASS, &this->class);
-	child_cfg = child_cfg_create("load-test", 600, 400, 100, NULL, TRUE,
+	child_cfg = child_cfg_create("load-test", this->child_rekey * 2,
+								 this->child_rekey, 0, NULL, TRUE,
 								 MODE_TUNNEL, ACTION_NONE, ACTION_NONE, FALSE);
 	proposal = proposal_create_from_string(PROTO_ESP, "aes128-sha1");
 	child_cfg->add_proposal(child_cfg, proposal);
@@ -169,7 +266,6 @@ static void destroy(private_load_tester_config_t *this)
 load_tester_config_t *load_tester_config_create()
 {
 	private_load_tester_config_t *this = malloc_thing(private_load_tester_config_t);
-	char *authstr;
 	
 	this->public.backend.create_peer_cfg_enumerator = (enumerator_t*(*)(backend_t*, identification_t *me, identification_t *other))create_peer_cfg_enumerator;
 	this->public.backend.create_ike_cfg_enumerator = (enumerator_t*(*)(backend_t*, host_t *me, host_t *other))create_ike_cfg_enumerator;
@@ -195,16 +291,15 @@ load_tester_config_t *load_tester_config_create()
 		this->proposal = proposal_create_from_string(PROTO_IKE,
 													 "aes128-sha1-modp768");
 	}
-	authstr = lib->settings->get_str(lib->settings,
-								"charon.plugins.load_tester.auth", "pubkey");
-	if (streq(authstr, "psk"))
-	{
-		this->class = AUTH_CLASS_PSK;
-	}
-	else
-	{
-		this->class = AUTH_CLASS_PUBKEY;
-	}
+	this->ike_rekey = lib->settings->get_int(lib->settings,
+				"charon.plugins.load_tester.ike_rekey", 0);
+	this->child_rekey = lib->settings->get_int(lib->settings,
+				"charon.plugins.load_tester.child_rekey", 600);
+	
+	this->initiator_auth = lib->settings->get_str(lib->settings,
+				"charon.plugins.load_tester.initiator_auth", "pubkey");
+	this->responder_auth = lib->settings->get_str(lib->settings,
+				"charon.plugins.load_tester.responder_auth", "pubkey");
 	
 	this->num = 1;
 	this->peer_cfg = generate_config(this, 0);
diff --git a/src/charon/plugins/load_tester/load_tester_config.h b/src/charon/plugins/load_tester/load_tester_config.h
index 92a0ff95b..f09a3f832 100644
--- a/src/charon/plugins/load_tester/load_tester_config.h
+++ b/src/charon/plugins/load_tester/load_tester_config.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 /**
diff --git a/src/charon/plugins/load_tester/load_tester_creds.c b/src/charon/plugins/load_tester/load_tester_creds.c
index 476a90b9f..fdb5fa370 100644
--- a/src/charon/plugins/load_tester/load_tester_creds.c
+++ b/src/charon/plugins/load_tester/load_tester_creds.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 #include "load_tester_creds.h"
diff --git a/src/charon/plugins/load_tester/load_tester_creds.h b/src/charon/plugins/load_tester/load_tester_creds.h
index ed73f14c3..60cf67795 100644
--- a/src/charon/plugins/load_tester/load_tester_creds.h
+++ b/src/charon/plugins/load_tester/load_tester_creds.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 /**
diff --git a/src/charon/plugins/load_tester/load_tester_diffie_hellman.c b/src/charon/plugins/load_tester/load_tester_diffie_hellman.c
index 4cc9dbc48..87d9ef42b 100644
--- a/src/charon/plugins/load_tester/load_tester_diffie_hellman.c
+++ b/src/charon/plugins/load_tester/load_tester_diffie_hellman.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 #include "load_tester_diffie_hellman.h"
diff --git a/src/charon/plugins/load_tester/load_tester_diffie_hellman.h b/src/charon/plugins/load_tester/load_tester_diffie_hellman.h
index 422428a54..045c4bb4a 100644
--- a/src/charon/plugins/load_tester/load_tester_diffie_hellman.h
+++ b/src/charon/plugins/load_tester/load_tester_diffie_hellman.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 /**
diff --git a/src/charon/plugins/load_tester/load_tester_ipsec.c b/src/charon/plugins/load_tester/load_tester_ipsec.c
index 9abd65195..d37f7a7bd 100644
--- a/src/charon/plugins/load_tester/load_tester_ipsec.c
+++ b/src/charon/plugins/load_tester/load_tester_ipsec.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 #include "load_tester_ipsec.h"
@@ -88,8 +86,9 @@ static status_t update_sa(private_load_tester_ipsec_t *this,
 /**
  * Implementation of kernel_interface_t.del_sa.
  */
-static status_t del_sa(private_load_tester_ipsec_t *this, host_t *dst,
-					   u_int32_t spi, protocol_id_t protocol, u_int16_t cpi)
+static status_t del_sa(private_load_tester_ipsec_t *this, host_t *src,
+					   host_t *dst, u_int32_t spi, protocol_id_t protocol,
+					   u_int16_t cpi)
 {
 	return SUCCESS;
 }
@@ -152,7 +151,7 @@ load_tester_ipsec_t *load_tester_ipsec_create()
 	this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
 	this->public.interface.add_sa  = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa;
 	this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa;
-	this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
+	this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
 	this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t *this,host_t *, host_t *,traffic_selector_t *,traffic_selector_t *,policy_dir_t, u_int32_t,protocol_id_t, u_int32_t,ipsec_mode_t, u_int16_t, u_int16_t,bool))add_policy;
 	this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
 	this->public.interface.del_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,bool))del_policy;
diff --git a/src/charon/plugins/load_tester/load_tester_ipsec.h b/src/charon/plugins/load_tester/load_tester_ipsec.h
index 4f374032f..1e1bff84a 100644
--- a/src/charon/plugins/load_tester/load_tester_ipsec.h
+++ b/src/charon/plugins/load_tester/load_tester_ipsec.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 /**
diff --git a/src/charon/plugins/load_tester/load_tester_listener.c b/src/charon/plugins/load_tester/load_tester_listener.c
index fe9e16fe7..fe9a90aed 100644
--- a/src/charon/plugins/load_tester/load_tester_listener.c
+++ b/src/charon/plugins/load_tester/load_tester_listener.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 #include "load_tester_listener.h"
diff --git a/src/charon/plugins/load_tester/load_tester_listener.h b/src/charon/plugins/load_tester/load_tester_listener.h
index b61da0cb3..6842b3532 100644
--- a/src/charon/plugins/load_tester/load_tester_listener.h
+++ b/src/charon/plugins/load_tester/load_tester_listener.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 /**
diff --git a/src/charon/plugins/load_tester/load_tester_plugin.c b/src/charon/plugins/load_tester/load_tester_plugin.c
index 444a92e2b..12ac7b090 100644
--- a/src/charon/plugins/load_tester/load_tester_plugin.c
+++ b/src/charon/plugins/load_tester/load_tester_plugin.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 #include "load_tester_plugin.h"
diff --git a/src/charon/plugins/load_tester/load_tester_plugin.h b/src/charon/plugins/load_tester/load_tester_plugin.h
index e0b64cfef..87e8914e0 100644
--- a/src/charon/plugins/load_tester/load_tester_plugin.h
+++ b/src/charon/plugins/load_tester/load_tester_plugin.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 /**
diff --git a/src/charon/plugins/medcli/Makefile.in b/src/charon/plugins/medcli/Makefile.in
index 33c08eea8..cef486411 100644
--- a/src/charon/plugins/medcli/Makefile.in
+++ b/src/charon/plugins/medcli/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -89,6 +89,7 @@ CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -111,6 +112,9 @@ LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -122,6 +126,7 @@ MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
 NM = @NM@
 NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
@@ -135,6 +140,8 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 RANLIB = @RANLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -195,6 +202,7 @@ oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
 plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -206,6 +214,7 @@ srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 xml_CFLAGS = @xml_CFLAGS@
@@ -227,8 +236,8 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
 	    *$$dep*) \
-	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
-		&& exit 0; \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
 	      exit 1;; \
 	  esac; \
 	done; \
@@ -325,7 +334,7 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
 	mkid -fID $$unique
 tags: TAGS
diff --git a/src/charon/plugins/medcli/medcli_config.c b/src/charon/plugins/medcli/medcli_config.c
index d1e6c0c9e..3b3332549 100644
--- a/src/charon/plugins/medcli/medcli_config.c
+++ b/src/charon/plugins/medcli/medcli_config.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 #define _GNU_SOURCE
@@ -97,6 +95,7 @@ static peer_cfg_t *get_peer_cfg_by_name(private_medcli_config_t *this, char *nam
 {
 	enumerator_t *e;
 	peer_cfg_t *peer_cfg, *med_cfg;
+	auth_cfg_t *auth;
 	ike_cfg_t *ike_cfg;
 	child_cfg_t *child_cfg;
 	chunk_t me, other;
@@ -118,8 +117,6 @@ static peer_cfg_t *get_peer_cfg_by_name(private_medcli_config_t *this, char *nam
 	ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
 	med_cfg = peer_cfg_create(
 		"mediation", 2, ike_cfg,
-		identification_create_from_encoding(ID_KEY_ID, me),
-		identification_create_from_encoding(ID_KEY_ID, other),
 		CERT_NEVER_SEND, UNIQUE_REPLACE, 
 		1, this->rekey*60, 0,  			/* keytries, rekey, reauth */
 		this->rekey*5, this->rekey*3, 	/* jitter, overtime */
@@ -128,6 +125,17 @@ static peer_cfg_t *get_peer_cfg_by_name(private_medcli_config_t *this, char *nam
 		TRUE, NULL, NULL); 				/* mediation, med by, peer id */
 	e->destroy(e);
 	
+	auth = auth_cfg_create();
+	auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
+	auth->add(auth, AUTH_RULE_IDENTITY,
+			  identification_create_from_encoding(ID_KEY_ID, me));
+	med_cfg->add_auth_cfg(med_cfg, auth, TRUE);
+	auth = auth_cfg_create();
+	auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
+	auth->add(auth, AUTH_RULE_IDENTITY,
+			  identification_create_from_encoding(ID_KEY_ID, other));
+	med_cfg->add_auth_cfg(med_cfg, auth, FALSE);
+	
 	/* query mediated config:
 	 * - use any-any ike_cfg
 	 * - build peer_cfg on-the-fly using med_cfg
@@ -146,8 +154,6 @@ static peer_cfg_t *get_peer_cfg_by_name(private_medcli_config_t *this, char *nam
 	}
 	peer_cfg = peer_cfg_create(
 		name, 2, this->ike->get_ref(this->ike),
-		identification_create_from_encoding(ID_KEY_ID, me),
-		identification_create_from_encoding(ID_KEY_ID, other),
 		CERT_NEVER_SEND, UNIQUE_REPLACE, 
 		1, this->rekey*60, 0,  			/* keytries, rekey, reauth */
 		this->rekey*5, this->rekey*3, 	/* jitter, overtime */
@@ -156,6 +162,17 @@ static peer_cfg_t *get_peer_cfg_by_name(private_medcli_config_t *this, char *nam
 		FALSE, med_cfg,				 	/* mediation, med by */
 		identification_create_from_encoding(ID_KEY_ID, other));
 	
+	auth = auth_cfg_create();
+	auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
+	auth->add(auth, AUTH_RULE_IDENTITY,
+			  identification_create_from_encoding(ID_KEY_ID, me));
+	peer_cfg->add_auth_cfg(peer_cfg, auth, TRUE);
+	auth = auth_cfg_create();
+	auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
+	auth->add(auth, AUTH_RULE_IDENTITY,
+			  identification_create_from_encoding(ID_KEY_ID, other));
+	peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);
+	
 	child_cfg = child_cfg_create(name, this->rekey*60 + this->rekey,
 							  this->rekey*60, this->rekey, NULL, TRUE,
 							  MODE_TUNNEL, ACTION_NONE, ACTION_NONE, FALSE);
@@ -199,7 +216,8 @@ static bool peer_enumerator_enumerate(peer_enumerator_t *this, peer_cfg_t **cfg)
 	char *name, *local_net, *remote_net;
 	chunk_t me, other;
 	child_cfg_t *child_cfg;
-
+	auth_cfg_t *auth;
+	
 	DESTROY_IF(this->current);
 	if (!this->inner->enumerate(this->inner, &name, &me, &other,
 								&local_net, &remote_net))
@@ -209,14 +227,24 @@ static bool peer_enumerator_enumerate(peer_enumerator_t *this, peer_cfg_t **cfg)
 	}
 	this->current = peer_cfg_create(
 				name, 2, this->ike->get_ref(this->ike),
-				identification_create_from_encoding(ID_KEY_ID, me),
-				identification_create_from_encoding(ID_KEY_ID, other),
 				CERT_NEVER_SEND, UNIQUE_REPLACE, 
 				1, this->rekey*60, 0,  			/* keytries, rekey, reauth */
 				this->rekey*5, this->rekey*3, 	/* jitter, overtime */
 				TRUE, this->dpd, 				/* mobike, dpddelay */
 				NULL, NULL, 					/* vip, pool */
 				FALSE, NULL, NULL); 			/* mediation, med by, peer id */
+	
+	auth = auth_cfg_create();
+	auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
+	auth->add(auth, AUTH_RULE_IDENTITY,
+			  identification_create_from_encoding(ID_KEY_ID, me));
+	this->current->add_auth_cfg(this->current, auth, TRUE);
+	auth = auth_cfg_create();
+	auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
+	auth->add(auth, AUTH_RULE_IDENTITY,
+			  identification_create_from_encoding(ID_KEY_ID, other));
+	this->current->add_auth_cfg(this->current, auth, FALSE);
+	
 	child_cfg = child_cfg_create(
 				name, this->rekey*60 + this->rekey,
 				this->rekey*60, this->rekey, NULL, TRUE,
diff --git a/src/charon/plugins/medcli/medcli_config.h b/src/charon/plugins/medcli/medcli_config.h
index 9c0357a26..a37280bd0 100644
--- a/src/charon/plugins/medcli/medcli_config.h
+++ b/src/charon/plugins/medcli/medcli_config.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 /**
diff --git a/src/charon/plugins/medcli/medcli_creds.c b/src/charon/plugins/medcli/medcli_creds.c
index 1e99f6990..d3c66ae35 100644
--- a/src/charon/plugins/medcli/medcli_creds.c
+++ b/src/charon/plugins/medcli/medcli_creds.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 #include "medcli_creds.h"
@@ -96,7 +94,7 @@ static enumerator_t* create_private_enumerator(private_medcli_creds_t *this,
 	if ((type != KEY_RSA && type != KEY_ANY) ||
 		id == NULL || id->get_type(id) != ID_KEY_ID)
 	{
-		DBG1(DBG_CFG, "%N - %D", key_type_names, type, id);
+		DBG1(DBG_CFG, "%N - %Y", key_type_names, type, id);
 		return NULL;
 	}
 	
diff --git a/src/charon/plugins/medcli/medcli_creds.h b/src/charon/plugins/medcli/medcli_creds.h
index 4e563b4ac..97bf1c226 100644
--- a/src/charon/plugins/medcli/medcli_creds.h
+++ b/src/charon/plugins/medcli/medcli_creds.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 /**
diff --git a/src/charon/plugins/medcli/medcli_listener.c b/src/charon/plugins/medcli/medcli_listener.c
index c057ea2b5..4d058c0cd 100644
--- a/src/charon/plugins/medcli/medcli_listener.c
+++ b/src/charon/plugins/medcli/medcli_listener.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 #include "medcli_listener.h"
diff --git a/src/charon/plugins/medcli/medcli_listener.h b/src/charon/plugins/medcli/medcli_listener.h
index 291e66097..c6881f88a 100644
--- a/src/charon/plugins/medcli/medcli_listener.h
+++ b/src/charon/plugins/medcli/medcli_listener.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 /**
diff --git a/src/charon/plugins/medcli/medcli_plugin.c b/src/charon/plugins/medcli/medcli_plugin.c
index 1642ed2fe..908b144f0 100644
--- a/src/charon/plugins/medcli/medcli_plugin.c
+++ b/src/charon/plugins/medcli/medcli_plugin.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 #include "medcli_plugin.h"
diff --git a/src/charon/plugins/medcli/medcli_plugin.h b/src/charon/plugins/medcli/medcli_plugin.h
index 791a5cea5..06f674b37 100644
--- a/src/charon/plugins/medcli/medcli_plugin.h
+++ b/src/charon/plugins/medcli/medcli_plugin.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 /**
diff --git a/src/charon/plugins/medsrv/Makefile.in b/src/charon/plugins/medsrv/Makefile.in
index 2e97ca503..ec537e505 100644
--- a/src/charon/plugins/medsrv/Makefile.in
+++ b/src/charon/plugins/medsrv/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -89,6 +89,7 @@ CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -111,6 +112,9 @@ LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -122,6 +126,7 @@ MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
 NM = @NM@
 NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
@@ -135,6 +140,8 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 RANLIB = @RANLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -195,6 +202,7 @@ oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
 plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -206,6 +214,7 @@ srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 xml_CFLAGS = @xml_CFLAGS@
@@ -226,8 +235,8 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
 	    *$$dep*) \
-	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
-		&& exit 0; \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
 	      exit 1;; \
 	  esac; \
 	done; \
@@ -323,7 +332,7 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
 	mkid -fID $$unique
 tags: TAGS
diff --git a/src/charon/plugins/medsrv/medsrv_config.c b/src/charon/plugins/medsrv/medsrv_config.c
index bec6837c0..1ab7f3864 100644
--- a/src/charon/plugins/medsrv/medsrv_config.c
+++ b/src/charon/plugins/medsrv/medsrv_config.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 #include <string.h>
@@ -92,13 +90,13 @@ static enumerator_t* create_peer_cfg_enumerator(private_medsrv_config_t *this,
 	if (e)
 	{
 		peer_cfg_t *peer_cfg;
+		auth_cfg_t *auth;
 		char *name;
 		
 		if (e->enumerate(e, &name))
 		{
 			peer_cfg = peer_cfg_create(
 				name, 2, this->ike->get_ref(this->ike),
-				me->clone(me), other->clone(other),
 				CERT_NEVER_SEND, UNIQUE_REPLACE,
 				1, this->rekey*60, 0,  			/* keytries, rekey, reauth */
 				this->rekey*5, this->rekey*3, 	/* jitter, overtime */
@@ -106,6 +104,16 @@ static enumerator_t* create_peer_cfg_enumerator(private_medsrv_config_t *this,
 				NULL, NULL, 					/* vip, pool */
 				TRUE, NULL, NULL); 				/* mediation, med by, peer id */
 			e->destroy(e);
+			
+			auth = auth_cfg_create();
+			auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
+			auth->add(auth, AUTH_RULE_IDENTITY, me->clone(me));
+			peer_cfg->add_auth_cfg(peer_cfg, auth, TRUE);
+			auth = auth_cfg_create();
+			auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
+			auth->add(auth, AUTH_RULE_IDENTITY, other->clone(other));
+			peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);
+			
 			return enumerator_create_single(peer_cfg, (void*)peer_cfg->destroy);
 		}
 		e->destroy(e);
diff --git a/src/charon/plugins/medsrv/medsrv_config.h b/src/charon/plugins/medsrv/medsrv_config.h
index a92780144..2ed63bca7 100644
--- a/src/charon/plugins/medsrv/medsrv_config.h
+++ b/src/charon/plugins/medsrv/medsrv_config.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 /**
diff --git a/src/charon/plugins/medsrv/medsrv_creds.c b/src/charon/plugins/medsrv/medsrv_creds.c
index 5d2d46e53..7dac37f1f 100644
--- a/src/charon/plugins/medsrv/medsrv_creds.c
+++ b/src/charon/plugins/medsrv/medsrv_creds.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: medsrv_creds.c 4317 2008-09-02 11:00:13Z martin $
  */
 
 #include "medsrv_creds.h"
diff --git a/src/charon/plugins/medsrv/medsrv_creds.h b/src/charon/plugins/medsrv/medsrv_creds.h
index 0ce77167c..da23220c2 100644
--- a/src/charon/plugins/medsrv/medsrv_creds.h
+++ b/src/charon/plugins/medsrv/medsrv_creds.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: medsrv_creds.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/charon/plugins/medsrv/medsrv_plugin.c b/src/charon/plugins/medsrv/medsrv_plugin.c
index e34a1d4de..4340d7991 100644
--- a/src/charon/plugins/medsrv/medsrv_plugin.c
+++ b/src/charon/plugins/medsrv/medsrv_plugin.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: medsrv_plugin.c 4137 2008-07-01 13:57:47Z martin $
  */
 
 #include "medsrv_plugin.h"
diff --git a/src/charon/plugins/medsrv/medsrv_plugin.h b/src/charon/plugins/medsrv/medsrv_plugin.h
index fbe04021f..4b183994f 100644
--- a/src/charon/plugins/medsrv/medsrv_plugin.h
+++ b/src/charon/plugins/medsrv/medsrv_plugin.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: medsrv_plugin.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/charon/plugins/nm/Makefile.am b/src/charon/plugins/nm/Makefile.am
index 9c8c64fe1..9a0b48cd2 100644
--- a/src/charon/plugins/nm/Makefile.am
+++ b/src/charon/plugins/nm/Makefile.am
@@ -5,6 +5,9 @@ AM_CFLAGS = -rdynamic
 
 plugin_LTLIBRARIES = libstrongswan-nm.la
 libstrongswan_nm_la_SOURCES = \
-  nm_plugin.h nm_plugin.c nm_service.h nm_service.c nm_creds.h nm_creds.c
+  nm_plugin.h nm_plugin.c \
+  nm_service.h nm_service.c \
+  nm_creds.h nm_creds.c \
+  nm_handler.h nm_handler.c
 libstrongswan_nm_la_LDFLAGS = -module
 libstrongswan_nm_la_LIBADD = ${nm_LIBS}
diff --git a/src/charon/plugins/nm/Makefile.in b/src/charon/plugins/nm/Makefile.in
index b3990fab1..a75af8a0f 100644
--- a/src/charon/plugins/nm/Makefile.in
+++ b/src/charon/plugins/nm/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -52,7 +52,7 @@ LTLIBRARIES = $(plugin_LTLIBRARIES)
 am__DEPENDENCIES_1 =
 libstrongswan_nm_la_DEPENDENCIES = $(am__DEPENDENCIES_1)
 am_libstrongswan_nm_la_OBJECTS = nm_plugin.lo nm_service.lo \
-	nm_creds.lo
+	nm_creds.lo nm_handler.lo
 libstrongswan_nm_la_OBJECTS = $(am_libstrongswan_nm_la_OBJECTS)
 libstrongswan_nm_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
 	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
@@ -89,6 +89,7 @@ CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -111,6 +112,9 @@ LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -122,6 +126,7 @@ MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
 NM = @NM@
 NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
@@ -135,6 +140,8 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 RANLIB = @RANLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -195,6 +202,7 @@ oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
 plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -206,6 +214,7 @@ srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 xml_CFLAGS = @xml_CFLAGS@
@@ -214,7 +223,10 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon ${nm_CFL
 AM_CFLAGS = -rdynamic
 plugin_LTLIBRARIES = libstrongswan-nm.la
 libstrongswan_nm_la_SOURCES = \
-  nm_plugin.h nm_plugin.c nm_service.h nm_service.c nm_creds.h nm_creds.c
+  nm_plugin.h nm_plugin.c \
+  nm_service.h nm_service.c \
+  nm_creds.h nm_creds.c \
+  nm_handler.h nm_handler.c
 
 libstrongswan_nm_la_LDFLAGS = -module
 libstrongswan_nm_la_LIBADD = ${nm_LIBS}
@@ -226,8 +238,8 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
 	    *$$dep*) \
-	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
-		&& exit 0; \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
 	      exit 1;; \
 	  esac; \
 	done; \
@@ -288,6 +300,7 @@ distclean-compile:
 	-rm -f *.tab.c
 
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/nm_creds.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/nm_handler.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/nm_plugin.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/nm_service.Plo@am__quote@
 
@@ -323,7 +336,7 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
 	mkid -fID $$unique
 tags: TAGS
diff --git a/src/charon/plugins/nm/nm_creds.c b/src/charon/plugins/nm/nm_creds.c
index e7cd640a7..d93b81c9a 100644
--- a/src/charon/plugins/nm/nm_creds.c
+++ b/src/charon/plugins/nm/nm_creds.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 #include "nm_creds.h"
@@ -259,9 +257,7 @@ static void set_username_password(private_nm_creds_t *this, identification_t *id
 {
 	this->lock->write_lock(this->lock);
 	DESTROY_IF(this->user);
-	/* for EAP authentication, we use always use ID_EAP type */
-	this->user = identification_create_from_encoding(ID_EAP,
-													 id->get_encoding(id));
+	this->user = id->clone(id);
 	free(this->pass);
 	this->pass = password ? strdup(password) : NULL;
 	this->lock->unlock(this->lock);
diff --git a/src/charon/plugins/nm/nm_creds.h b/src/charon/plugins/nm/nm_creds.h
index b0cc7a098..421442c81 100644
--- a/src/charon/plugins/nm/nm_creds.h
+++ b/src/charon/plugins/nm/nm_creds.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 /**
@@ -23,6 +21,7 @@
 #ifndef NM_CREDS_H_
 #define NM_CREDS_H_
 
+#include <credentials/keys/private_key.h>
 #include <credentials/credential_set.h>
 
 typedef struct nm_creds_t nm_creds_t;
diff --git a/src/charon/plugins/nm/nm_handler.c b/src/charon/plugins/nm/nm_handler.c
new file mode 100644
index 000000000..026c47af2
--- /dev/null
+++ b/src/charon/plugins/nm/nm_handler.c
@@ -0,0 +1,148 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "nm_handler.h"
+
+#include <daemon.h>
+
+typedef struct private_nm_handler_t private_nm_handler_t;
+
+/**
+ * Private data of an nm_handler_t object.
+ */
+struct private_nm_handler_t {
+	
+	/**
+	 * Public nm_handler_t interface.
+	 */
+	nm_handler_t public;
+	
+	/**
+	 * list of received DNS server attributes, pointer to 4 byte data
+	 */
+	linked_list_t *dns;
+	
+	/**
+	 * list of received NBNS server attributes, pointer to 4 byte data
+	 */
+	linked_list_t *nbns;
+};
+
+/**
+ * Implementation of attribute_handler_t.handle
+ */
+static bool handle(private_nm_handler_t *this, ike_sa_t *ike_sa,
+				   configuration_attribute_type_t type, chunk_t data)
+{
+	linked_list_t *list;
+	
+	switch (type)
+	{
+		case INTERNAL_IP4_DNS:
+			list = this->dns;
+			break;
+		case INTERNAL_IP4_NBNS:
+			list = this->nbns;
+			break;
+		default:
+			return FALSE;
+	}
+	if (data.len != 4)
+	{
+		return FALSE;
+	}
+	list->insert_last(list, chunk_clone(data).ptr);
+	return TRUE;
+}
+
+/**
+ * convert plain byte ptrs to handy chunk during enumeration
+ */
+static bool filter_chunks(void* null, char **in, chunk_t *out)
+{
+	*out = chunk_create(*in, 4);
+	return TRUE;
+}
+
+/**
+ * Implementation of nm_handler_t.create_enumerator
+ */
+static enumerator_t* create_enumerator(private_nm_handler_t *this,
+									   configuration_attribute_type_t type)
+{
+	linked_list_t *list;
+	
+	switch (type)
+	{
+		case INTERNAL_IP4_DNS:
+			list = this->dns;
+			break;
+		case INTERNAL_IP4_NBNS:
+			list = this->nbns;
+			break;
+		default:
+			return enumerator_create_empty();
+	}
+	return enumerator_create_filter(list->create_enumerator(list),
+						(void*)filter_chunks, NULL, NULL);
+}
+
+/**
+ * Implementation of nm_handler_t.reset
+ */
+static void reset(private_nm_handler_t *this)
+{
+	void *data;
+	
+	while (this->dns->remove_last(this->dns, (void**)&data) == SUCCESS)
+	{
+		free(data);
+	}
+	while (this->nbns->remove_last(this->nbns, (void**)&data) == SUCCESS)
+	{
+		free(data);
+	}
+}
+
+/**
+ * Implementation of nm_handler_t.destroy.
+ */
+static void destroy(private_nm_handler_t *this)
+{
+	reset(this);
+	this->dns->destroy(this->dns);
+	this->nbns->destroy(this->nbns);
+	free(this);
+}
+
+/**
+ * See header
+ */
+nm_handler_t *nm_handler_create()
+{
+	private_nm_handler_t *this = malloc_thing(private_nm_handler_t);
+	
+	this->public.handler.handle = (bool(*)(attribute_handler_t*, ike_sa_t*, configuration_attribute_type_t, chunk_t))handle;
+	this->public.handler.release = (void(*)(attribute_handler_t*, ike_sa_t*, configuration_attribute_type_t, chunk_t))nop;
+	this->public.create_enumerator = (enumerator_t*(*)(nm_handler_t*, configuration_attribute_type_t type))create_enumerator;
+	this->public.reset = (void(*)(nm_handler_t*))reset;
+	this->public.destroy = (void(*)(nm_handler_t*))destroy;
+	
+	this->dns = linked_list_create();
+	this->nbns = linked_list_create();
+	
+	return &this->public;
+}
+
diff --git a/src/charon/plugins/nm/nm_handler.h b/src/charon/plugins/nm/nm_handler.h
new file mode 100644
index 000000000..d537bb8de
--- /dev/null
+++ b/src/charon/plugins/nm/nm_handler.h
@@ -0,0 +1,62 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup nm_handler nm_handler
+ * @{ @ingroup nm
+ */
+
+#ifndef NM_HANDLER_H_
+#define NM_HANDLER_H_
+
+#include <config/attributes/attribute_handler.h>
+
+typedef struct nm_handler_t nm_handler_t;
+
+/**
+ * Handles DNS/NBNS attributes to pass to NM.
+ */
+struct nm_handler_t {
+	
+	/**
+	 * Implements attribute handler interface
+	 */
+	attribute_handler_t handler;
+	
+	/**
+	 * Create an enumerator over received attributes of a given kind.
+	 *
+	 * @param type		type of attributes to enumerate
+	 * @return			enumerator over attribute data (chunk_t)
+	 */
+	enumerator_t* (*create_enumerator)(nm_handler_t *this,
+									   configuration_attribute_type_t type);
+	/**
+	 * Reset state, flush all received attributes.
+	 */
+	void (*reset)(nm_handler_t *this);
+	
+	/**
+	 * Destroy a nm_handler_t.
+	 */
+	void (*destroy)(nm_handler_t *this);
+};
+
+/**
+ * Create a nm_handler instance.
+ */
+nm_handler_t *nm_handler_create();
+
+#endif /* NM_HANDLER_ @}*/
diff --git a/src/charon/plugins/nm/nm_plugin.c b/src/charon/plugins/nm/nm_plugin.c
index 1336293f4..1fb46f814 100644
--- a/src/charon/plugins/nm/nm_plugin.c
+++ b/src/charon/plugins/nm/nm_plugin.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008 Martin Willi
+ * Copyright (C) 2008-2009 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -11,13 +11,12 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 #include "nm_plugin.h"
 #include "nm_service.h"
 #include "nm_creds.h"
+#include "nm_handler.h"
 
 #include <daemon.h>
 #include <processing/jobs/callback_job.h>
@@ -50,6 +49,11 @@ struct private_nm_plugin_t {
 	 * credential set registered at the daemon
 	 */
 	nm_creds_t *creds;
+	
+	/**
+	 * attribute handler regeisterd at the daemon
+	 */
+	nm_handler_t *handler;
 };
 
 /**
@@ -59,8 +63,6 @@ static job_requeue_t run(private_nm_plugin_t *this)
 {
 	this->loop = g_main_loop_new(NULL, FALSE);
 	g_main_loop_run(this->loop);
-	g_main_loop_unref(this->loop);
-	
 	return JOB_REQUEUE_NONE;
 }
 
@@ -71,7 +73,11 @@ static void destroy(private_nm_plugin_t *this)
 {
 	if (this->loop)
 	{
-		g_main_loop_quit(this->loop);
+		if (g_main_loop_is_running(this->loop))
+		{
+			g_main_loop_quit(this->loop);
+		}
+		g_main_loop_unref(this->loop);
 	}
 	if (this->plugin)
 	{
@@ -79,6 +85,8 @@ static void destroy(private_nm_plugin_t *this)
 	}
 	charon->credentials->remove_set(charon->credentials, &this->creds->set);
 	this->creds->destroy(this->creds);
+	charon->attributes->remove_handler(charon->attributes, &this->handler->handler);
+	this->handler->destroy(this->handler);
 	free(this);
 }
 
@@ -99,8 +107,10 @@ plugin_t *plugin_create()
 	}
 	
 	this->creds = nm_creds_create();
+	this->handler = nm_handler_create();
 	charon->credentials->add_set(charon->credentials, &this->creds->set);
-	this->plugin = nm_strongswan_plugin_new(this->creds);
+	charon->attributes->add_handler(charon->attributes, &this->handler->handler);
+	this->plugin = nm_strongswan_plugin_new(this->creds, this->handler);
 	if (!this->plugin)
 	{
 		DBG1(DBG_CFG, "DBUS binding failed");
diff --git a/src/charon/plugins/nm/nm_plugin.h b/src/charon/plugins/nm/nm_plugin.h
index fadcbfb96..18d053e11 100644
--- a/src/charon/plugins/nm/nm_plugin.h
+++ b/src/charon/plugins/nm/nm_plugin.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 /**
diff --git a/src/charon/plugins/nm/nm_service.c b/src/charon/plugins/nm/nm_service.c
index 72744b784..bca4d9e09 100644
--- a/src/charon/plugins/nm/nm_service.c
+++ b/src/charon/plugins/nm/nm_service.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008 Martin Willi
+ * Copyright (C) 2008-2009 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 #include <nm-setting-vpn.h>
@@ -23,6 +21,7 @@
 #include <utils/host.h>
 #include <utils/identification.h>
 #include <config/peer_cfg.h>
+#include <credentials/certificates/x509.h>
 
 #include <stdio.h>
 
@@ -34,16 +33,47 @@ G_DEFINE_TYPE(NMStrongswanPlugin, nm_strongswan_plugin, NM_TYPE_VPN_PLUGIN)
  * Private data of NMStrongswanPlugin
  */
 typedef struct {
+	/* implements bus listener interface */
 	listener_t listener;
+	/* IKE_SA we are listening on */
 	ike_sa_t *ike_sa;
+	/* backref to public plugin */
 	NMVPNPlugin *plugin;
+	/* credentials to use for authentication */
 	nm_creds_t *creds;
+	/* attribute handler for DNS/NBNS server information */
+	nm_handler_t *handler;
 } NMStrongswanPluginPrivate;
 
 #define NM_STRONGSWAN_PLUGIN_GET_PRIVATE(o) \
 			(G_TYPE_INSTANCE_GET_PRIVATE ((o), \
 				NM_TYPE_STRONGSWAN_PLUGIN, NMStrongswanPluginPrivate))
 
+/**
+ * convert enumerated handler chunks to a UINT_ARRAY GValue
+ */
+static GValue* handler_to_val(nm_handler_t *handler,
+							 configuration_attribute_type_t type)
+{
+	GValue *val;
+	GArray *array;
+	enumerator_t *enumerator;
+	chunk_t chunk;
+	
+	enumerator = handler->create_enumerator(handler, type);
+	array = g_array_new (FALSE, TRUE, sizeof (guint32));
+	while (enumerator->enumerate(enumerator, &chunk))
+	{
+		g_array_append_val (array, *(u_int32_t*)chunk.ptr);
+	}
+	enumerator->destroy(enumerator);
+	val = g_slice_new0 (GValue);
+	g_value_init (val, DBUS_TYPE_G_UINT_ARRAY);
+	g_value_set_boxed (val, array);
+	
+	return val;
+}
+
 /**
  * signal IPv4 config to NM, set connection as established
  */
@@ -53,10 +83,12 @@ static void signal_ipv4_config(NMVPNPlugin *plugin,
 	GValue *val;
 	GHashTable *config;
 	host_t *me, *other;
+	nm_handler_t *handler;
 	
 	config = g_hash_table_new(g_str_hash, g_str_equal);
 	me = ike_sa->get_my_host(ike_sa);
 	other = ike_sa->get_other_host(ike_sa);
+	handler = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin)->handler;
 	
 	/* NM requires a tundev, but netkey does not use one. Passing an invalid
 	 * iface makes NM complain, but it accepts it without fiddling on eth0. */
@@ -75,6 +107,14 @@ static void signal_ipv4_config(NMVPNPlugin *plugin,
 	g_value_set_uint(val, me->get_address(me).len * 8);
 	g_hash_table_insert(config, NM_VPN_PLUGIN_IP4_CONFIG_PREFIX, val);
 	
+	val = handler_to_val(handler, INTERNAL_IP4_DNS);
+	g_hash_table_insert(config, NM_VPN_PLUGIN_IP4_CONFIG_DNS, val);
+	
+	val = handler_to_val(handler, INTERNAL_IP4_NBNS);
+	g_hash_table_insert(config, NM_VPN_PLUGIN_IP4_CONFIG_NBNS, val);
+	
+	handler->reset(handler);
+	
 	nm_vpn_plugin_set_ip4_config(plugin, config);
 }
 
@@ -83,6 +123,10 @@ static void signal_ipv4_config(NMVPNPlugin *plugin,
  */
 static void signal_failure(NMVPNPlugin *plugin)
 {
+	nm_handler_t *handler = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin)->handler;
+	
+	handler->reset(handler);
+	
 	/* TODO: NM does not handle this failure!? */
 	nm_vpn_plugin_failure(plugin, NM_VPN_PLUGIN_FAILURE_LOGIN_FAILED); 
 	nm_vpn_plugin_set_state(plugin, NM_VPN_SERVICE_STATE_STOPPED);
@@ -151,9 +195,10 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
 	child_cfg_t *child_cfg;
 	traffic_selector_t *ts;
 	ike_sa_t *ike_sa;
-	auth_info_t *auth;
+	auth_cfg_t *auth;
 	auth_class_t auth_class = AUTH_CLASS_EAP;
 	certificate_t *cert = NULL;
+	x509_t *x509;
 	bool agent = FALSE;
 	
 	/**
@@ -201,7 +246,7 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
 	creds = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin)->creds;
 	creds->clear(creds);
 	
-	/* gateway cert */
+	/* gateway/CA cert */
 	str = nm_setting_vpn_get_data_item(settings, "certificate");
 	if (str)
 	{
@@ -215,7 +260,21 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
 				    "Loading gateway certificate failed.");
 		return FALSE;
 	}
-	gateway = cert->get_subject(cert);
+	x509 = (x509_t*)cert;
+	if (x509->get_flags(x509) & X509_CA)
+	{	/* If the user configured a CA certificate, we use the IP/DNS
+		 * of the gateway as its identity. This identity will be used for
+		 * certificate lookup and requires the configured IP/DNS to be
+		 * included in the gateway certificate. */
+		gateway = identification_create_from_string((char*)address);
+		DBG1(DBG_CFG, "using CA certificate, gateway identity '%Y'", gateway);
+	}
+	else
+	{	/* For a gateway certificate, we use the cert subject as identity. */
+		gateway = cert->get_subject(cert);
+		gateway = gateway->clone(gateway);
+		DBG1(DBG_CFG, "using gateway certificate, identity '%Y'", gateway);
+	}
 	
 	if (auth_class == AUTH_CLASS_EAP)
 	{
@@ -223,8 +282,7 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
 		str = nm_setting_vpn_get_data_item(settings, "user");
 		if (str)
 		{
-			user = identification_create_from_encoding(ID_KEY_ID,
-											chunk_create(str, strlen(str)));
+			user = identification_create_from_string((char*)str);
 			str = nm_setting_vpn_get_secret(settings, "password");
 			creds->set_username_password(creds, user, (char*)str);
 		}
@@ -240,12 +298,13 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
 			private_key_t *private = NULL;
 			
 			cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
-									  BUILD_FROM_FILE, str, BUILD_END);	
+									  BUILD_FROM_FILE, str, BUILD_END);
 			if (!cert)
 			{
 				g_set_error(err, NM_VPN_PLUGIN_ERROR,
 							NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
 							"Loading peer certificate failed.");
+				gateway->destroy(gateway);
 				return FALSE;
 			}
 			/* try agent */  
@@ -304,6 +363,7 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
 			else
 			{
 				DESTROY_IF(cert);
+				gateway->destroy(gateway);
 				return FALSE;
 			}
 		}
@@ -313,6 +373,7 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
 	{
 		g_set_error(err, NM_VPN_PLUGIN_ERROR, NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
 					"Configuration parameters missing.");
+		gateway->destroy(gateway);
 		return FALSE;
 	}
 	
@@ -322,15 +383,21 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
 	ike_cfg = ike_cfg_create(TRUE, encap, "0.0.0.0", (char*)address);
 	ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
 	peer_cfg = peer_cfg_create(CONFIG_NAME, 2, ike_cfg,
-					user, gateway->clone(gateway),
 					CERT_SEND_IF_ASKED, UNIQUE_REPLACE, 1, /* keyingtries */
 					36000, 0, /* rekey 10h, reauth none */
 					600, 600, /* jitter, over 10min */
 					TRUE, 0, /* mobike, DPD */
 					virtual ? host_create_from_string("0.0.0.0", 0) : NULL,
 					NULL, FALSE, NULL, NULL); /* pool, mediation */
-	auth = peer_cfg->get_auth(peer_cfg);
-	auth->add_item(auth, AUTHN_AUTH_CLASS, &auth_class);
+	auth = auth_cfg_create();
+	auth->add(auth, AUTH_RULE_AUTH_CLASS, auth_class);
+	auth->add(auth, AUTH_RULE_IDENTITY, user);
+	peer_cfg->add_auth_cfg(peer_cfg, auth, TRUE);
+	auth = auth_cfg_create();
+	auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
+	auth->add(auth, AUTH_RULE_IDENTITY, gateway);
+	peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);
+	
 	child_cfg = child_cfg_create(CONFIG_NAME,
 								 10800, 10200, /* lifetime 3h, rekey 2h50min */
 								 300, /* jitter 5min */
@@ -358,7 +425,7 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
 	{
 		peer_cfg->destroy(peer_cfg);
 	}
-	if (ike_sa->initiate(ike_sa, child_cfg) != SUCCESS)
+	if (ike_sa->initiate(ike_sa, child_cfg, 0, NULL, NULL) != SUCCESS)
 	{
 		charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, ike_sa);
 		
@@ -489,7 +556,8 @@ static void nm_strongswan_plugin_class_init(
 /**
  * Object constructor
  */
-NMStrongswanPlugin *nm_strongswan_plugin_new(nm_creds_t *creds)
+NMStrongswanPlugin *nm_strongswan_plugin_new(nm_creds_t *creds,
+											 nm_handler_t *handler)
 {
 	NMStrongswanPlugin *plugin = (NMStrongswanPlugin *)g_object_new (
 					NM_TYPE_STRONGSWAN_PLUGIN,
@@ -498,6 +566,7 @@ NMStrongswanPlugin *nm_strongswan_plugin_new(nm_creds_t *creds)
 	if (plugin)
 	{
 		NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin)->creds = creds;
+		NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin)->handler = handler;
 	}
 	return plugin;
 }
diff --git a/src/charon/plugins/nm/nm_service.h b/src/charon/plugins/nm/nm_service.h
index bc6ebcf99..b00000b6f 100644
--- a/src/charon/plugins/nm/nm_service.h
+++ b/src/charon/plugins/nm/nm_service.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008 Martin Willi
+ * Copyright (C) 2008-2009 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 /**
@@ -28,6 +26,7 @@
 #include <nm-vpn-plugin.h>
 
 #include "nm_creds.h"
+#include "nm_handler.h"
 
 #define NM_TYPE_STRONGSWAN_PLUGIN            (nm_strongswan_plugin_get_type ())
 #define NM_STRONGSWAN_PLUGIN(obj)            (G_TYPE_CHECK_INSTANCE_CAST ((obj), NM_TYPE_STRONGSWAN_PLUGIN, NMSTRONGSWANPlugin))
@@ -50,6 +49,7 @@ typedef struct {
 
 GType nm_strongswan_plugin_get_type(void);
 
-NMStrongswanPlugin *nm_strongswan_plugin_new(nm_creds_t *creds);
+NMStrongswanPlugin *nm_strongswan_plugin_new(nm_creds_t *creds,
+											 nm_handler_t *handler);
 
 #endif /** NM_SERVICE_H_ @}*/
diff --git a/src/charon/plugins/resolv_conf/Makefile.am b/src/charon/plugins/resolv_conf/Makefile.am
new file mode 100644
index 000000000..917964f93
--- /dev/null
+++ b/src/charon/plugins/resolv_conf/Makefile.am
@@ -0,0 +1,13 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
+
+AM_CFLAGS = -rdynamic \
+  -DRESOLV_CONF=\"${resolv_conf}\"
+
+plugin_LTLIBRARIES = libstrongswan-resolv-conf.la
+libstrongswan_resolv_conf_la_SOURCES = \
+  resolv_conf_plugin.h resolv_conf_plugin.c \
+  resolv_conf_handler.h resolv_conf_handler.c 
+libstrongswan_resolv_conf_la_LDFLAGS = -module
+
+
diff --git a/src/charon/plugins/resolv_conf/Makefile.in b/src/charon/plugins/resolv_conf/Makefile.in
new file mode 100644
index 000000000..91ddae582
--- /dev/null
+++ b/src/charon/plugins/resolv_conf/Makefile.in
@@ -0,0 +1,513 @@
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/charon/plugins/resolv_conf
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__installdirs = "$(DESTDIR)$(plugindir)"
+pluginLTLIBRARIES_INSTALL = $(INSTALL)
+LTLIBRARIES = $(plugin_LTLIBRARIES)
+libstrongswan_resolv_conf_la_LIBADD =
+am_libstrongswan_resolv_conf_la_OBJECTS = resolv_conf_plugin.lo \
+	resolv_conf_handler.lo
+libstrongswan_resolv_conf_la_OBJECTS =  \
+	$(am_libstrongswan_resolv_conf_la_OBJECTS)
+libstrongswan_resolv_conf_la_LINK = $(LIBTOOL) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_resolv_conf_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_resolv_conf_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_resolv_conf_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
+IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LINUX_HEADERS = @LINUX_HEADERS@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+RANLIB = @RANLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+confdir = @confdir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libstrongswan_plugins = @libstrongswan_plugins@
+linuxdir = @linuxdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+resolv_conf = @resolv_conf@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+simreader = @simreader@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
+AM_CFLAGS = -rdynamic \
+  -DRESOLV_CONF=\"${resolv_conf}\"
+
+plugin_LTLIBRARIES = libstrongswan-resolv-conf.la
+libstrongswan_resolv_conf_la_SOURCES = \
+  resolv_conf_plugin.h resolv_conf_plugin.c \
+  resolv_conf_handler.h resolv_conf_handler.c 
+
+libstrongswan_resolv_conf_la_LDFLAGS = -module
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/charon/plugins/resolv_conf/Makefile'; \
+	cd $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu  src/charon/plugins/resolv_conf/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    f=$(am__strip_dir) \
+	    echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(plugindir)/$$f'"; \
+	    $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(plugindir)/$$f"; \
+	  else :; fi; \
+	done
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  p=$(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$p'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$p"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-resolv-conf.la: $(libstrongswan_resolv_conf_la_OBJECTS) $(libstrongswan_resolv_conf_la_DEPENDENCIES) 
+	$(libstrongswan_resolv_conf_la_LINK) -rpath $(plugindir) $(libstrongswan_resolv_conf_la_OBJECTS) $(libstrongswan_resolv_conf_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/resolv_conf_handler.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/resolv_conf_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	    $$tags $$unique; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$tags $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) $$here
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	    fi; \
+	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
+	mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-info: install-info-am
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
+	distclean-compile distclean-generic distclean-libtool \
+	distclean-tags distdir dvi dvi-am html html-am info info-am \
+	install install-am install-data install-data-am install-dvi \
+	install-dvi-am install-exec install-exec-am install-html \
+	install-html-am install-info install-info-am install-man \
+	install-pdf install-pdf-am install-pluginLTLIBRARIES \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/charon/plugins/resolv_conf/resolv_conf_handler.c b/src/charon/plugins/resolv_conf/resolv_conf_handler.c
new file mode 100644
index 000000000..19e3b3275
--- /dev/null
+++ b/src/charon/plugins/resolv_conf/resolv_conf_handler.c
@@ -0,0 +1,192 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "resolv_conf_handler.h"
+
+#include <unistd.h>
+
+#include <daemon.h>
+#include <utils/mutex.h>
+
+typedef struct private_resolv_conf_handler_t private_resolv_conf_handler_t;
+
+/**
+ * Private data of an resolv_conf_handler_t object.
+ */
+struct private_resolv_conf_handler_t {
+	
+	/**
+	 * Public resolv_conf_handler_t interface.
+	 */
+	resolv_conf_handler_t public;
+	
+	/**
+	 * resolv.conf file to use
+	 */
+	char *file;
+	
+	/**
+	 * Mutex to access file exclusively
+	 */
+	mutex_t *mutex;
+};
+
+/**
+ * Implementation of attribute_handler_t.handle
+ */
+static bool handle(private_resolv_conf_handler_t *this, ike_sa_t *ike_sa,
+				   configuration_attribute_type_t type, chunk_t data)
+{
+	FILE *in, *out;
+	char buf[1024];
+	host_t *addr;
+	int family;
+	size_t len;
+	bool handled = FALSE;
+	
+	switch (type)
+	{
+		case INTERNAL_IP4_DNS:
+			family = AF_INET;
+			break;
+		case INTERNAL_IP6_DNS:
+			family = AF_INET6;
+			break;
+		default:
+			return FALSE;
+	}
+	
+	this->mutex->lock(this->mutex);
+	
+	in = fopen(this->file, "r");
+	/* allows us to stream from in to out */
+	unlink(this->file);
+	out = fopen(this->file, "w");
+	if (out)
+	{
+		addr = host_create_from_chunk(family, data, 0);
+		fprintf(out, "nameserver %H   # by strongSwan, from %Y\n",
+				addr, ike_sa->get_other_id(ike_sa));
+		DBG1(DBG_IKE, "installing DNS server %H to %s", addr, this->file);
+		addr->destroy(addr);
+		handled = TRUE;
+		
+		/* copy rest of the file */
+		if (in)
+		{
+			while ((len = fread(buf, 1, sizeof(buf), in)))
+			{
+				ignore_result(fwrite(buf, 1, len, out));
+			}
+			fclose(in);
+		}
+		fclose(out);
+	}
+	
+	if (!handled)
+	{
+		DBG1(DBG_IKE, "adding DNS server failed", this->file);
+	}
+	this->mutex->unlock(this->mutex);
+	return handled;
+}
+
+/**
+ * Implementation of attribute_handler_t.release
+ */
+static void release(private_resolv_conf_handler_t *this, ike_sa_t *ike_sa,
+					configuration_attribute_type_t type, chunk_t data)
+{
+	FILE *in, *out;
+	char line[1024], matcher[512], *pos;
+	host_t *addr;
+	int family;
+	
+	switch (type)
+	{
+		case INTERNAL_IP4_DNS:
+			family = AF_INET;
+			break;
+		case INTERNAL_IP6_DNS:
+			family = AF_INET6;
+			break;
+		default:
+			return;
+	}
+	
+	this->mutex->lock(this->mutex);
+	
+	in = fopen(this->file, "r");
+	if (in)
+	{
+		/* allows us to stream from in to out */
+		unlink(this->file);
+		out = fopen(this->file, "w");
+		if (out)
+		{
+			addr = host_create_from_chunk(family, data, 0);
+			snprintf(matcher, sizeof(matcher),
+					 "nameserver %H   # by strongSwan, from %Y\n",
+					 addr, ike_sa->get_other_id(ike_sa));
+			
+			/* copy all, but matching line */
+			while ((pos = fgets(line, sizeof(line), in)))
+			{
+				if (strneq(line, matcher, strlen(matcher)))
+				{
+					DBG1(DBG_IKE, "removing DNS server %H from %s",
+						 addr, this->file);
+				}
+				else
+				{
+					fputs(line, out);
+				}
+			}
+			addr->destroy(addr);
+			fclose(out);
+		}
+		fclose(in);
+	}
+	
+	this->mutex->unlock(this->mutex);
+}
+
+/**
+ * Implementation of resolv_conf_handler_t.destroy.
+ */
+static void destroy(private_resolv_conf_handler_t *this)
+{
+	this->mutex->destroy(this->mutex);
+	free(this);
+}
+
+/**
+ * See header
+ */
+resolv_conf_handler_t *resolv_conf_handler_create()
+{
+	private_resolv_conf_handler_t *this = malloc_thing(private_resolv_conf_handler_t);
+	
+	this->public.handler.handle = (bool(*)(attribute_handler_t*, ike_sa_t*, configuration_attribute_type_t, chunk_t))handle;
+	this->public.handler.release = (void(*)(attribute_handler_t*, ike_sa_t*, configuration_attribute_type_t, chunk_t))release;
+	this->public.destroy = (void(*)(resolv_conf_handler_t*))destroy;
+	
+	this->mutex = mutex_create(MUTEX_DEFAULT);
+	this->file = lib->settings->get_str(lib->settings,
+								"charon.plugins.resolv-conf.file", RESOLV_CONF);
+	
+	return &this->public;
+}
+
diff --git a/src/charon/plugins/resolv_conf/resolv_conf_handler.h b/src/charon/plugins/resolv_conf/resolv_conf_handler.h
new file mode 100644
index 000000000..2635bb802
--- /dev/null
+++ b/src/charon/plugins/resolv_conf/resolv_conf_handler.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup resolv_conf_handler resolv_conf_handler
+ * @{ @ingroup resolv_conf
+ */
+
+#ifndef RESOLV_CONF_HANDLER_H_
+#define RESOLV_CONF_HANDLER_H_
+
+#include <config/attributes/attribute_handler.h>
+
+typedef struct resolv_conf_handler_t resolv_conf_handler_t;
+
+/**
+ * Handle DNS configuration attributes by mangling a resolv.conf file.
+ */
+struct resolv_conf_handler_t {
+	
+	/**
+	 * Implements the attribute_handler_t interface
+	 */
+	attribute_handler_t handler;
+	
+	/**
+	 * Destroy a resolv_conf_handler_t.
+	 */
+	void (*destroy)(resolv_conf_handler_t *this);
+};
+
+/**
+ * Create a resolv_conf_handler instance.
+ */
+resolv_conf_handler_t *resolv_conf_handler_create();
+
+#endif /* RESOLV_CONF_HANDLER_ @}*/
diff --git a/src/charon/plugins/resolv_conf/resolv_conf_plugin.c b/src/charon/plugins/resolv_conf/resolv_conf_plugin.c
new file mode 100644
index 000000000..ff9d96eb3
--- /dev/null
+++ b/src/charon/plugins/resolv_conf/resolv_conf_plugin.c
@@ -0,0 +1,64 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "resolv_conf_plugin.h"
+#include "resolv_conf_handler.h"
+
+#include <daemon.h>
+
+typedef struct private_resolv_conf_plugin_t private_resolv_conf_plugin_t;
+
+/**
+ * private data of resolv_conf plugin
+ */
+struct private_resolv_conf_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	resolv_conf_plugin_t public;
+	
+	/**
+	 * The registerd DNS attribute handler
+	 */
+	resolv_conf_handler_t *handler;
+};
+
+/**
+ * Implementation of plugin_t.destroy
+ */
+static void destroy(private_resolv_conf_plugin_t *this)
+{
+	charon->attributes->remove_handler(charon->attributes,
+									   &this->handler->handler);
+	this->handler->destroy(this->handler);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *plugin_create()
+{
+	private_resolv_conf_plugin_t *this = malloc_thing(private_resolv_conf_plugin_t);
+	
+	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+	
+	this->handler = resolv_conf_handler_create();
+	charon->attributes->add_handler(charon->attributes, &this->handler->handler);
+	
+	return &this->public.plugin;
+}
+
diff --git a/src/charon/plugins/resolv_conf/resolv_conf_plugin.h b/src/charon/plugins/resolv_conf/resolv_conf_plugin.h
new file mode 100644
index 000000000..f5943d9a3
--- /dev/null
+++ b/src/charon/plugins/resolv_conf/resolv_conf_plugin.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup resolv_conf resolv_conf
+ * @ingroup cplugins
+ *
+ * @defgroup resolv_conf_plugin resolv_conf_plugin
+ * @{ @ingroup resolv_conf
+ */
+
+#ifndef RESOLV_CONF_PLUGIN_H_
+#define RESOLV_CONF_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct resolv_conf_plugin_t resolv_conf_plugin_t;
+
+/**
+ * Plugin that writes received DNS servers in a resolv.conf file.
+ */
+struct resolv_conf_plugin_t {
+	
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+/**
+ * Create a resolv_conf_plugin instance.
+ */
+plugin_t *plugin_create();
+
+#endif /** RESOLV_CONF_PLUGIN_H_ @}*/
diff --git a/src/charon/plugins/smp/Makefile.in b/src/charon/plugins/smp/Makefile.in
index 428da0ec9..f06321ba7 100644
--- a/src/charon/plugins/smp/Makefile.in
+++ b/src/charon/plugins/smp/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -88,6 +88,7 @@ CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -110,6 +111,9 @@ LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -121,6 +125,7 @@ MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
 NM = @NM@
 NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
@@ -134,6 +139,8 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 RANLIB = @RANLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -194,6 +201,7 @@ oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
 plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -205,6 +213,7 @@ srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 xml_CFLAGS = @xml_CFLAGS@
@@ -223,8 +232,8 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
 	    *$$dep*) \
-	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
-		&& exit 0; \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
 	      exit 1;; \
 	  esac; \
 	done; \
@@ -318,7 +327,7 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
 	mkid -fID $$unique
 tags: TAGS
diff --git a/src/charon/plugins/smp/smp.c b/src/charon/plugins/smp/smp.c
index 237e9d86a..562add06d 100644
--- a/src/charon/plugins/smp/smp.c
+++ b/src/charon/plugins/smp/smp.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: smp.c 4446 2008-10-15 12:24:44Z martin $
  */
 
 #include <stdlib.h>
@@ -109,7 +107,7 @@ static void write_id(xmlTextWriterPtr writer, char *element, identification_t *i
 					break;
 			}
 			xmlTextWriterWriteAttribute(writer, "type", type);
-			xmlTextWriterWriteFormatString(writer, "%D", id);
+			xmlTextWriterWriteFormatString(writer, "%Y", id);
 			break;
 		}
 		default:
@@ -294,8 +292,9 @@ static void request_query_config(xmlTextReaderPtr reader, xmlTextWriterPtr write
 	/* <configlist> */
 	xmlTextWriterStartElement(writer, "configlist");
 	
-	enumerator = charon->backends->create_peer_cfg_enumerator(charon->backends);
-	while (enumerator->enumerate(enumerator, (void**)&peer_cfg))
+	enumerator = charon->backends->create_peer_cfg_enumerator(charon->backends,
+														NULL, NULL, NULL, NULL);
+	while (enumerator->enumerate(enumerator, &peer_cfg))
 	{
 		enumerator_t *children;
 		child_cfg_t *child_cfg;
@@ -310,8 +309,8 @@ static void request_query_config(xmlTextReaderPtr reader, xmlTextWriterPtr write
 		/* <peerconfig> */
 		xmlTextWriterStartElement(writer, "peerconfig");
 		xmlTextWriterWriteElement(writer, "name", peer_cfg->get_name(peer_cfg));
-		write_id(writer, "local", peer_cfg->get_my_id(peer_cfg));
-		write_id(writer, "remote", peer_cfg->get_other_id(peer_cfg));
+		
+		/* TODO: write auth_cfgs */
 		
 		/* <ikeconfig> */
 		ike_cfg = peer_cfg->get_ike_cfg(peer_cfg);
diff --git a/src/charon/plugins/smp/smp.h b/src/charon/plugins/smp/smp.h
index 1f45befa6..5ec9f3bf8 100644
--- a/src/charon/plugins/smp/smp.h
+++ b/src/charon/plugins/smp/smp.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: smp.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/charon/plugins/sql/Makefile.in b/src/charon/plugins/sql/Makefile.in
index 3673af659..0848ea0dd 100644
--- a/src/charon/plugins/sql/Makefile.in
+++ b/src/charon/plugins/sql/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -96,6 +96,7 @@ CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -118,6 +119,9 @@ LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -129,6 +133,7 @@ MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
 NM = @NM@
 NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
@@ -142,6 +147,8 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 RANLIB = @RANLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -202,6 +209,7 @@ oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
 plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -213,6 +221,7 @@ srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 xml_CFLAGS = @xml_CFLAGS@
@@ -239,8 +248,8 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
 	    *$$dep*) \
-	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
-		&& exit 0; \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
 	      exit 1;; \
 	  esac; \
 	done; \
@@ -370,7 +379,7 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
 	mkid -fID $$unique
 tags: TAGS
diff --git a/src/charon/plugins/sql/pool.c b/src/charon/plugins/sql/pool.c
index 9761e88e9..7d393b6f7 100644
--- a/src/charon/plugins/sql/pool.c
+++ b/src/charon/plugins/sql/pool.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- * 
- * $Id$
  */
 
 #define _GNU_SOURCE
@@ -24,6 +22,7 @@
 #include <debug.h>
 #include <library.h>
 #include <utils/host.h>
+#include <utils/identification.h>
 
 /**
  * global database handle
@@ -401,11 +400,6 @@ static enumerator_t *create_lease_query(char *filter)
 				{
 					id = identification_create_from_string(value);
 				}
-				if (!id)
-				{
-					fprintf(stderr, "invalid 'id' in filter string.\n");
-					exit(-1);
-				}
 				break;
 			case FIL_ADDR:
 				if (value)
@@ -567,7 +561,7 @@ static void leases(char *filter, bool utc)
 				printf("    ");
 			}
 		}
-		printf("%D\n", identity);
+		printf("%Y\n", identity);
 		DESTROY_IF(address);
 		identity->destroy(identity);
 	}
diff --git a/src/charon/plugins/sql/sql_attribute.c b/src/charon/plugins/sql/sql_attribute.c
index 826aa8318..95d0d30d4 100644
--- a/src/charon/plugins/sql/sql_attribute.c
+++ b/src/charon/plugins/sql/sql_attribute.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 #include "sql_attribute.h"
@@ -179,7 +177,7 @@ static host_t *get_address(private_sql_attribute_t *this, char *name,
  */
 static host_t* acquire_address(private_sql_attribute_t *this,
 							   char *name, identification_t *id,
-							   auth_info_t *auth, host_t *requested)
+							   host_t *requested)
 {
 	enumerator_t *enumerator;
 	u_int pool, timeout, identity;
@@ -263,8 +261,9 @@ sql_attribute_t *sql_attribute_create(database_t *db)
 	private_sql_attribute_t *this = malloc_thing(private_sql_attribute_t);
 	time_t now = time(NULL);
 	
-	this->public.provider.acquire_address = (host_t*(*)(attribute_provider_t *this, char*, identification_t *,auth_info_t *, host_t *))acquire_address;
+	this->public.provider.acquire_address = (host_t*(*)(attribute_provider_t *this, char*, identification_t *, host_t *))acquire_address;
 	this->public.provider.release_address = (bool(*)(attribute_provider_t *this, char*,host_t *, identification_t*))release_address;
+	this->public.provider.create_attribute_enumerator = (enumerator_t*(*)(attribute_provider_t*, identification_t *id))enumerator_create_empty;
 	this->public.destroy = (void(*)(sql_attribute_t*))destroy;
 	
 	this->db = db;
diff --git a/src/charon/plugins/sql/sql_attribute.h b/src/charon/plugins/sql/sql_attribute.h
index 57db4617e..23700dea9 100644
--- a/src/charon/plugins/sql/sql_attribute.h
+++ b/src/charon/plugins/sql/sql_attribute.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 /**
diff --git a/src/charon/plugins/sql/sql_config.c b/src/charon/plugins/sql/sql_config.c
index d530f9fde..3e5efce34 100644
--- a/src/charon/plugins/sql/sql_config.c
+++ b/src/charon/plugins/sql/sql_config.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: sql_config.c 4860 2009-02-11 13:09:52Z martin $
  */
 
 #include <string.h>
@@ -267,7 +265,7 @@ static peer_cfg_t *build_peer_cfg(private_sql_config_t *this, enumerator_t *e,
 		peer_cfg_t *peer_cfg, *mediated_cfg;
 		ike_cfg_t *ike;
 		host_t *vip = NULL;
-		auth_info_t *auth;
+		auth_cfg_t *auth;
 		
 		local_id = identification_create_from_encoding(l_type, l_data);
 		remote_id = identification_create_from_encoding(r_type, r_data);
@@ -291,20 +289,26 @@ static peer_cfg_t *build_peer_cfg(private_sql_config_t *this, enumerator_t *e,
 		if (ike)
 		{
 			peer_cfg = peer_cfg_create(
-					name, 2, ike, local_id, remote_id, cert_policy, uniqueid,
+					name, 2, ike, cert_policy, uniqueid,
 					keyingtries, rekeytime, reauthtime, jitter, overtime,
 					mobike,	dpd_delay, vip, pool,
 					mediation, mediated_cfg, peer_id);
-			auth = peer_cfg->get_auth(peer_cfg);
-			auth->add_item(auth, AUTHN_AUTH_CLASS, &auth_method);
+			auth = auth_cfg_create();
+			auth->add(auth, AUTH_RULE_AUTH_CLASS, auth_method);
+			auth->add(auth, AUTH_RULE_IDENTITY, local_id->clone(local_id));
+			peer_cfg->add_auth_cfg(peer_cfg, auth, TRUE);
+			auth = auth_cfg_create();
+			auth->add(auth, AUTH_RULE_IDENTITY, remote_id->clone(remote_id));
 			if (eap_type)
 			{
-				auth->add_item(auth, AUTHN_EAP_TYPE, &eap_type);
+				auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_EAP);
+				auth->add(auth, AUTH_RULE_EAP_TYPE, eap_type);
 				if (eap_vendor)
 				{
-					auth->add_item(auth, AUTHN_EAP_VENDOR, &eap_vendor);
+					auth->add(auth, AUTH_RULE_EAP_VENDOR, eap_vendor);
 				}
 			}
+			peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);
 			add_child_cfgs(this, peer_cfg, id);
 			return peer_cfg;
 		}
diff --git a/src/charon/plugins/sql/sql_config.h b/src/charon/plugins/sql/sql_config.h
index bfcd7a7c1..abc6ef382 100644
--- a/src/charon/plugins/sql/sql_config.h
+++ b/src/charon/plugins/sql/sql_config.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: sql_config.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/charon/plugins/sql/sql_cred.c b/src/charon/plugins/sql/sql_cred.c
index 7313b7eb8..f8b7a35c1 100644
--- a/src/charon/plugins/sql/sql_cred.c
+++ b/src/charon/plugins/sql/sql_cred.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: sql_cred.c 3589 2008-03-13 14:14:44Z martin $
  */
 
 #include <string.h>
diff --git a/src/charon/plugins/sql/sql_cred.h b/src/charon/plugins/sql/sql_cred.h
index a614f0cba..2a9a96df1 100644
--- a/src/charon/plugins/sql/sql_cred.h
+++ b/src/charon/plugins/sql/sql_cred.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: sql_cred.h 3594 2008-03-13 14:53:57Z martin $
  */
 
 /**
diff --git a/src/charon/plugins/sql/sql_logger.c b/src/charon/plugins/sql/sql_logger.c
index 4cbaaa3e6..20d42662b 100644
--- a/src/charon/plugins/sql/sql_logger.c
+++ b/src/charon/plugins/sql/sql_logger.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: sql_logger.c 3589 2008-03-13 14:14:44Z martin $
  */
 
 #include <string.h>
diff --git a/src/charon/plugins/sql/sql_logger.h b/src/charon/plugins/sql/sql_logger.h
index 3346430a1..3636c2293 100644
--- a/src/charon/plugins/sql/sql_logger.h
+++ b/src/charon/plugins/sql/sql_logger.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: sql_logger.h 3594 2008-03-13 14:53:57Z martin $
  */
 
 /**
diff --git a/src/charon/plugins/sql/sql_plugin.c b/src/charon/plugins/sql/sql_plugin.c
index 24680ba5e..e5a4afd1d 100644
--- a/src/charon/plugins/sql/sql_plugin.c
+++ b/src/charon/plugins/sql/sql_plugin.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: sql_plugin.c 4711 2008-11-27 14:33:41Z martin $
  */
 
 #include "sql_plugin.h"
diff --git a/src/charon/plugins/sql/sql_plugin.h b/src/charon/plugins/sql/sql_plugin.h
index d4f2d29f2..8de04a891 100644
--- a/src/charon/plugins/sql/sql_plugin.h
+++ b/src/charon/plugins/sql/sql_plugin.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: sql_plugin.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/charon/plugins/stroke/Makefile.am b/src/charon/plugins/stroke/Makefile.am
index 7a341102b..fb58ba62b 100644
--- a/src/charon/plugins/stroke/Makefile.am
+++ b/src/charon/plugins/stroke/Makefile.am
@@ -1,7 +1,10 @@
 
 INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon -I$(top_srcdir)/src/stroke
 
-AM_CFLAGS = -rdynamic -DIPSEC_CONFDIR=\"${confdir}\" -DIPSEC_PIDDIR=\"${piddir}\"
+AM_CFLAGS = \
+-rdynamic \
+-DIPSEC_CONFDIR=\"${confdir}\" \
+-DIPSEC_PIDDIR=\"${piddir}\"
 
 plugin_LTLIBRARIES = libstrongswan-stroke.la
 
diff --git a/src/charon/plugins/stroke/Makefile.in b/src/charon/plugins/stroke/Makefile.in
index 645ae2a48..f246286a0 100644
--- a/src/charon/plugins/stroke/Makefile.in
+++ b/src/charon/plugins/stroke/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -90,6 +90,7 @@ CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -112,6 +113,9 @@ LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -123,6 +127,7 @@ MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
 NM = @NM@
 NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
@@ -136,6 +141,8 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 RANLIB = @RANLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -196,6 +203,7 @@ oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
 plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -207,12 +215,17 @@ srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon -I$(top_srcdir)/src/stroke
-AM_CFLAGS = -rdynamic -DIPSEC_CONFDIR=\"${confdir}\" -DIPSEC_PIDDIR=\"${piddir}\"
+AM_CFLAGS = \
+-rdynamic \
+-DIPSEC_CONFDIR=\"${confdir}\" \
+-DIPSEC_PIDDIR=\"${piddir}\"
+
 plugin_LTLIBRARIES = libstrongswan-stroke.la
 libstrongswan_stroke_la_SOURCES = stroke_plugin.h stroke_plugin.c \
   stroke_socket.h stroke_socket.c \
@@ -233,8 +246,8 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
 	    *$$dep*) \
-	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
-		&& exit 0; \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
 	      exit 1;; \
 	  esac; \
 	done; \
@@ -336,7 +349,7 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
 	mkid -fID $$unique
 tags: TAGS
diff --git a/src/charon/plugins/stroke/stroke_attribute.c b/src/charon/plugins/stroke/stroke_attribute.c
index f850b5320..a7925ce3e 100644
--- a/src/charon/plugins/stroke/stroke_attribute.c
+++ b/src/charon/plugins/stroke/stroke_attribute.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 #include "stroke_attribute.h"
@@ -191,7 +189,7 @@ int host2offset(pool_t *pool, host_t *addr)
  */
 static host_t* acquire_address(private_stroke_attribute_t *this,
 							   char *name, identification_t *id,
-							   auth_info_t *auth, host_t *requested)
+							   host_t *requested)
 {
 	pool_t *pool;
 	uintptr_t offset = 0;
@@ -208,8 +206,9 @@ static host_t* acquire_address(private_stroke_attribute_t *this,
 			this->mutex->unlock(this->mutex);
 			return requested->clone(requested);
 		}
-
-		if (requested->get_family(requested) !=
+		
+		if (!requested->is_anyaddr(requested) &&
+			requested->get_family(requested) !=
 			pool->base->get_family(pool->base))
 		{
 			DBG1(DBG_CFG, "IP pool address family mismatch");
@@ -223,7 +222,7 @@ static host_t* acquire_address(private_stroke_attribute_t *this,
 			id = pool->ids->get(pool->ids, id);
 			if (id)
 			{
-				DBG1(DBG_CFG, "reassigning offline lease to %D", id);
+				DBG1(DBG_CFG, "reassigning offline lease to '%Y'", id);
 				pool->online->put(pool->online, id, (void*)offset);
 				break;
 			}
@@ -233,7 +232,7 @@ static host_t* acquire_address(private_stroke_attribute_t *this,
 		offset = (uintptr_t)pool->online->get(pool->online, id);
 		if (offset && offset == host2offset(pool, requested))
 		{
-			DBG1(DBG_CFG, "reassigning online lease to %D", id);
+			DBG1(DBG_CFG, "reassigning online lease to '%Y'", id);
 			break;
 		}
 		
@@ -245,7 +244,7 @@ static host_t* acquire_address(private_stroke_attribute_t *this,
 			id = id->clone(id);
 			pool->ids->put(pool->ids, id, id);
 			pool->online->put(pool->online, id, (void*)offset);
-			DBG1(DBG_CFG, "assigning new lease to %D", id);
+			DBG1(DBG_CFG, "assigning new lease to '%Y'", id);
 			break;
 		}
 		/* no more addresses, replace the first found offline lease */
@@ -257,7 +256,7 @@ static host_t* acquire_address(private_stroke_attribute_t *this,
 			{
 				/* destroy reference to old ID */
 				old_id = pool->ids->remove(pool->ids, old_id);
-				DBG1(DBG_CFG, "reassigning existing offline lease of %D to %D",
+				DBG1(DBG_CFG, "reassigning existing offline lease by '%Y' to '%Y'",
 					 old_id, id);
 				if (old_id)
 				{
@@ -305,7 +304,7 @@ static bool release_address(private_stroke_attribute_t *this,
 				id = pool->ids->get(pool->ids, id);
 				if (id)
 				{
-					DBG1(DBG_CFG, "lease %H of %D went offline", address, id);
+					DBG1(DBG_CFG, "lease %H by '%Y' went offline", address, id);
 					pool->offline->put(pool->offline, id, (void*)offset);
 					found = TRUE;
 				}
@@ -530,8 +529,9 @@ stroke_attribute_t *stroke_attribute_create()
 {
 	private_stroke_attribute_t *this = malloc_thing(private_stroke_attribute_t);
 	
-	this->public.provider.acquire_address = (host_t*(*)(attribute_provider_t *this, char*, identification_t *,auth_info_t *, host_t *))acquire_address;
+	this->public.provider.acquire_address = (host_t*(*)(attribute_provider_t *this, char*, identification_t *,host_t *))acquire_address;
 	this->public.provider.release_address = (bool(*)(attribute_provider_t *this, char*,host_t *, identification_t*))release_address;
+	this->public.provider.create_attribute_enumerator = (enumerator_t*(*)(attribute_provider_t*, identification_t *id))enumerator_create_empty;
 	this->public.add_pool = (void(*)(stroke_attribute_t*, stroke_msg_t *msg))add_pool;
 	this->public.del_pool = (void(*)(stroke_attribute_t*, stroke_msg_t *msg))del_pool;
 	this->public.create_pool_enumerator = (enumerator_t*(*)(stroke_attribute_t*))create_pool_enumerator;
diff --git a/src/charon/plugins/stroke/stroke_attribute.h b/src/charon/plugins/stroke/stroke_attribute.h
index 41ab6299b..fc273d1cb 100644
--- a/src/charon/plugins/stroke/stroke_attribute.h
+++ b/src/charon/plugins/stroke/stroke_attribute.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 /**
diff --git a/src/charon/plugins/stroke/stroke_ca.c b/src/charon/plugins/stroke/stroke_ca.c
index 54356436f..fab06e6c5 100644
--- a/src/charon/plugins/stroke/stroke_ca.c
+++ b/src/charon/plugins/stroke/stroke_ca.c
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 #include "stroke_ca.h"
@@ -398,14 +396,14 @@ static void list(private_stroke_ca_t *this, stroke_msg_t *msg, FILE *out)
 			first = FALSE;
 		}
 		fprintf(out, "\n");
-		fprintf(out, "  authname:    \"%D\"\n", cert->get_subject(cert));
+		fprintf(out, "  authname:    \"%Y\"\n", cert->get_subject(cert));
 
 		/* list authkey and keyid */
 		if (public)
 		{
-			fprintf(out, "  authkey:      %D\n",
+			fprintf(out, "  authkey:      %Y\n",
 					public->get_id(public, ID_PUBKEY_SHA1));
-			fprintf(out, "  keyid:        %D\n",
+			fprintf(out, "  keyid:        %Y\n",
 					public->get_id(public, ID_PUBKEY_INFO_SHA1));
 			public->destroy(public);
 		}
diff --git a/src/charon/plugins/stroke/stroke_ca.h b/src/charon/plugins/stroke/stroke_ca.h
index ee759ff4e..c882d7b4e 100644
--- a/src/charon/plugins/stroke/stroke_ca.h
+++ b/src/charon/plugins/stroke/stroke_ca.h
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 /**
diff --git a/src/charon/plugins/stroke/stroke_config.c b/src/charon/plugins/stroke/stroke_config.c
index 59c58ca0d..028e71e71 100644
--- a/src/charon/plugins/stroke/stroke_config.c
+++ b/src/charon/plugins/stroke/stroke_config.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 #include "stroke_config.h"
@@ -54,49 +52,6 @@ struct private_stroke_config_t {
 	stroke_cred_t *cred;
 };
 
-/**
- * data to pass peer_filter
- */
-typedef struct {
-	private_stroke_config_t *this;
-	identification_t *me;
-	identification_t *other;
-} peer_data_t;
-
-/**
- * destroy id enumerator data and unlock list
- */
-static void peer_data_destroy(peer_data_t *data)
-{
-	data->this->mutex->unlock(data->this->mutex);
-	free(data);
-}
-
-/**
- * filter function for peer configs
- */
-static bool peer_filter(peer_data_t *data, peer_cfg_t **in, peer_cfg_t **out)
-{
-	bool match_me = FALSE, match_other = FALSE;
-	identification_t *me, *other;
-	
-	me = (*in)->get_my_id(*in);
-	other = (*in)->get_other_id(*in);
-	
-	/* own ID may have wildcards in data (no IDr payload) or in config */
-	match_me = (!data->me || data->me->matches(data->me, me) ||
-				me->matches(me, data->me));
-	/* others ID has wildcards in config only */
-	match_other = (!data->other || data->other->matches(data->other, other));
-	
-	if (match_me && match_other)
-	{
-		*out = *in;
-		return TRUE;
-	}
-	return FALSE;
-}
-
 /**
  * Implementation of backend_t.create_peer_cfg_enumerator.
  */
@@ -104,41 +59,15 @@ static enumerator_t* create_peer_cfg_enumerator(private_stroke_config_t *this,
 												identification_t *me,
 												identification_t *other)
 {
-	peer_data_t *data;
-	
-	data = malloc_thing(peer_data_t);
-	data->this = this;
-	data->me = me;
-	data->other = other;
-	
 	this->mutex->lock(this->mutex);
-	return enumerator_create_filter(this->list->create_enumerator(this->list),
-									(void*)peer_filter, data,
-									(void*)peer_data_destroy);
-}
-
-/**
- * data to pass ike_filter
- */
-typedef struct {
-	private_stroke_config_t *this;
-	host_t *me;
-	host_t *other;
-} ike_data_t;
-
-/**
- * destroy id enumerator data and unlock list
- */
-static void ike_data_destroy(ike_data_t *data)
-{
-	data->this->mutex->unlock(data->this->mutex);
-	free(data);
+	return enumerator_create_cleaner(this->list->create_enumerator(this->list),
+									 (void*)this->mutex->unlock, this->mutex);
 }
 
 /**
  * filter function for ike configs
  */
-static bool ike_filter(ike_data_t *data, peer_cfg_t **in, ike_cfg_t **out)
+static bool ike_filter(void *data, peer_cfg_t **in, ike_cfg_t **out)
 {
 	*out = (*in)->get_ike_cfg(*in);
 	return TRUE;
@@ -150,17 +79,10 @@ static bool ike_filter(ike_data_t *data, peer_cfg_t **in, ike_cfg_t **out)
 static enumerator_t* create_ike_cfg_enumerator(private_stroke_config_t *this,
 											   host_t *me, host_t *other)
 {
-	ike_data_t *data;
-	
-	data = malloc_thing(ike_data_t);
-	data->this = this;
-	data->me = me;
-	data->other = other;
-	
 	this->mutex->lock(this->mutex);
 	return enumerator_create_filter(this->list->create_enumerator(this->list),
-									(void*)ike_filter, data,
-									(void*)ike_data_destroy);
+									(void*)ike_filter, this->mutex,
+									(void*)this->mutex->unlock);
 }
 
 /**
@@ -171,56 +93,40 @@ static peer_cfg_t *get_peer_cfg_by_name(private_stroke_config_t *this, char *nam
 	enumerator_t *e1, *e2;
 	peer_cfg_t *current, *found = NULL;
 	child_cfg_t *child;
-
+	
 	this->mutex->lock(this->mutex);
 	e1 = this->list->create_enumerator(this->list);
 	while (e1->enumerate(e1, &current))
 	{
-        /* compare peer_cfgs name first */
-        if (streq(current->get_name(current), name))
-        {
-            found = current;
-            found->get_ref(found);
-            break;
-        }
-        /* compare all child_cfg names otherwise */
-        e2 = current->create_child_cfg_enumerator(current);
-        while (e2->enumerate(e2, &child))
-        {
-            if (streq(child->get_name(child), name))
-            {
-                found = current;
-                found->get_ref(found);
-                break;
-            }
-        }
-        e2->destroy(e2);
-        if (found)
-        {
-            break;
-        }
+		/* compare peer_cfgs name first */
+		if (streq(current->get_name(current), name))
+		{
+			found = current;
+			found->get_ref(found);
+			break;
+		}
+		/* compare all child_cfg names otherwise */
+		e2 = current->create_child_cfg_enumerator(current);
+		while (e2->enumerate(e2, &child))
+		{
+			if (streq(child->get_name(child), name))
+			{
+				found = current;
+				found->get_ref(found);
+				break;
+			}
+		}
+		e2->destroy(e2);
+		if (found)
+		{
+			break;
+		}
 	}
 	e1->destroy(e1);
 	this->mutex->unlock(this->mutex);
 	return found;
 }
 
-/**
- * check if a certificate has an ID
- */
-static identification_t *update_peerid(certificate_t *cert, identification_t *id)
-{
-	if (id->get_type(id) == ID_ANY || !cert->has_subject(cert, id))
-	{
-		DBG1(DBG_CFG, "  peerid %D not confirmed by certificate, "
-			 "defaulting to subject DN", id);
-		id->destroy(id);
-		id = cert->get_subject(cert);
-		return id->clone(id);
-	}
-	return id;
-}
-
 /**
  * parse a proposal string, either into ike_cfg or child_cfg
  */
@@ -332,45 +238,303 @@ static ike_cfg_t *build_ike_cfg(private_stroke_config_t *this, stroke_msg_t *msg
 	add_proposals(this, msg->add_conn.algorithms.ike, ike_cfg, NULL);
 	return ike_cfg;					 
 }
+
 /**
- * build a peer_cfg from a stroke msg
+ * Add CRL constraint to config
  */
-static peer_cfg_t *build_peer_cfg(private_stroke_config_t *this,
-								  stroke_msg_t *msg, ike_cfg_t *ike_cfg,
-								  identification_t **my_issuer,
-								  identification_t **other_issuer)
+static void build_crl_policy(auth_cfg_t *cfg, bool local, int policy)
 {
-	identification_t *me, *other, *peer_id = NULL;
-	peer_cfg_t *mediated_by = NULL;
-	host_t *vip = NULL;
-	certificate_t *cert;
-	unique_policy_t unique;
-	u_int32_t rekey = 0, reauth = 0, over, jitter;
+	/* CRL/OCSP policy, for remote config only */
+	if (!local)
+	{
+		switch (policy)
+		{
+			case CRL_STRICT_YES:
+				/* if yes, we require a GOOD validation */
+				cfg->add(cfg, AUTH_RULE_CRL_VALIDATION, VALIDATION_GOOD);
+				break;
+			case CRL_STRICT_IFURI:
+				/* for ifuri, a SKIPPED validation is sufficient */
+				cfg->add(cfg, AUTH_RULE_CRL_VALIDATION, VALIDATION_SKIPPED);
+				break;
+			default:
+				break;
+		}
+	}
+}
+
+/**
+ * build authentication config
+ */
+static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
+								  stroke_msg_t *msg, bool local, bool primary)
+{
+	identification_t *identity;
+	certificate_t *certificate;
+	char *auth, *id, *cert, *ca;
+	stroke_end_t *end, *other_end;
+	auth_cfg_t *cfg;
+	char eap_buf[32];
 	
-	me = identification_create_from_string(msg->add_conn.me.id ?
-						msg->add_conn.me.id : msg->add_conn.me.address);
-	if (!me)
+	/* select strings */
+	if (local)
 	{
-		DBG1(DBG_CFG, "invalid ID: %s\n", msg->add_conn.me.id);
-		return NULL;
+		end = &msg->add_conn.me;
+		other_end = &msg->add_conn.other;
 	}
-	other = identification_create_from_string(msg->add_conn.other.id ?
-						msg->add_conn.other.id : msg->add_conn.other.address);
-	if (!other)
+	else
 	{
-		DBG1(DBG_CFG, "invalid ID: %s\n", msg->add_conn.other.id);
-		me->destroy(me);
-		return NULL;
+		end = &msg->add_conn.other;
+		other_end = &msg->add_conn.me;
+	}
+	if (primary)
+	{
+		auth = end->auth;
+		id = end->id;
+		if (!id)
+		{	/* leftid/rightid fallback to address */
+			id = end->address;
+		}
+		cert = end->cert;
+		ca = end->ca;
+		if (ca && streq(ca, "%same"))
+		{
+			ca = other_end->ca;
+		}
+	}
+	else
+	{
+		auth = end->auth2;
+		id = end->id2;
+		if (local && !id)
+		{	/* leftid2 falls back to leftid */
+			id = end->id;
+		}
+		cert = end->cert2;
+		ca = end->ca2;
+		if (ca && streq(ca, "%same"))
+		{
+			ca = other_end->ca2;
+		}
+	}
+	
+	if (!auth)
+	{
+		if (primary)
+		{
+			if (local)
+			{	/* "leftauth" not defined, fall back to deprecated "authby" */
+				switch (msg->add_conn.auth_method)
+				{
+					default:
+					case AUTH_CLASS_PUBKEY:
+						auth = "pubkey";
+						break;
+					case AUTH_CLASS_PSK:
+						auth = "psk";
+						break;
+					case AUTH_CLASS_EAP:
+						auth = "eap";
+						break;
+				}
+			}
+			else
+			{	/* "rightauth" not defined, fall back to deprecated "eap" */
+				if (msg->add_conn.eap_type)
+				{
+					if (msg->add_conn.eap_vendor)
+					{
+						snprintf(eap_buf, sizeof(eap_buf), "eap-%d-%d",
+								 msg->add_conn.eap_type,
+								 msg->add_conn.eap_vendor);
+					}
+					else
+					{
+						snprintf(eap_buf, sizeof(eap_buf), "eap-%d",
+								 msg->add_conn.eap_type);
+					}
+					auth = eap_buf;
+				}
+				else
+				{	/* not EAP => no constraints for this peer */
+					auth = "any";
+				}
+			}
+		}
+		else
+		{	/* no second authentication round, fine */
+			return NULL;
+		}
 	}
 	
+	cfg = auth_cfg_create();
+	
+	/* add identity and peer certifcate */
+	identity = identification_create_from_string(id);
+	if (cert)
+	{
+		certificate = this->cred->load_peer(this->cred, cert);
+		if (certificate)
+		{
+			if (local)
+			{
+				this->ca->check_for_hash_and_url(this->ca, certificate);
+			}
+			cfg->add(cfg, AUTH_RULE_SUBJECT_CERT, certificate); 
+			if (identity->get_type(identity) == ID_ANY ||
+				!certificate->has_subject(certificate, identity))
+			{
+				DBG1(DBG_CFG, "  peerid %Y not confirmed by certificate, "
+					 "defaulting to subject DN: %Y", identity,
+					 certificate->get_subject(certificate));
+				identity->destroy(identity);
+				identity = certificate->get_subject(certificate);
+				identity = identity->clone(identity);
+			}
+		}
+	}
+	cfg->add(cfg, AUTH_RULE_IDENTITY, identity);
+	
+	/* CA constraint */
+	if (ca)
+	{
+		identity = identification_create_from_string(ca);
+		certificate = charon->credentials->get_cert(charon->credentials,
+											CERT_X509, KEY_ANY, identity, TRUE);
+		identity->destroy(identity);
+		if (certificate)
+		{
+			cfg->add(cfg, AUTH_RULE_CA_CERT, certificate);
+		}
+		else
+		{
+			DBG1(DBG_CFG, "CA certificate %s not found, discarding CA "
+				 "constraint", ca);
+		}
+	}
+	
+	/* AC groups */
+	if (end->groups)
+	{
+		enumerator_t *enumerator;
+		char *group;
+		
+		enumerator = enumerator_create_token(end->groups, ",", " ");
+		while (enumerator->enumerate(enumerator, &group))
+		{
+			identity = identification_create_from_encoding(ID_IETF_ATTR_STRING,
+											chunk_create(group, strlen(group)));
+			cfg->add(cfg, AUTH_RULE_AC_GROUP, identity);
+		}
+		enumerator->destroy(enumerator);
+	}
+	
+	/* authentication metod (class, actually) */
+	if (streq(auth, "pubkey") ||
+		streq(auth, "rsasig") || streq(auth, "rsa") ||
+		streq(auth, "ecdsasig") || streq(auth, "ecdsa"))
+	{
+		cfg->add(cfg, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
+		build_crl_policy(cfg, local, msg->add_conn.crl_policy);
+	}
+	else if (streq(auth, "psk") || streq(auth, "secret"))
+	{
+		cfg->add(cfg, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PSK);
+	}
+	else if (strneq(auth, "eap", 3))
+	{
+		enumerator_t *enumerator;
+		char *str;
+		int i = 0, type = 0, vendor;
+		
+		cfg->add(cfg, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_EAP);
+		
+		/* parse EAP string, format: eap[-type[-vendor]] */
+		enumerator = enumerator_create_token(auth, "-", " ");
+		while (enumerator->enumerate(enumerator, &str))
+		{
+			switch (i)
+			{
+				case 1:
+					type = eap_type_from_string(str);
+					if (!type)
+					{
+						type = atoi(str);
+						if (!type)
+						{
+							DBG1(DBG_CFG, "unknown EAP method: %s", str);
+							break;
+						}
+					}
+					cfg->add(cfg, AUTH_RULE_EAP_TYPE, type);
+					break;
+				case 2:
+					if (type)
+					{
+						vendor = atoi(str);
+						if (vendor)
+						{
+							cfg->add(cfg, AUTH_RULE_EAP_VENDOR, vendor);
+						}
+						else
+						{
+							DBG1(DBG_CFG, "unknown EAP vendor: %s", str);
+						}
+					}
+					break;
+				default:
+					break;
+			}
+			i++;
+		}
+		enumerator->destroy(enumerator);
+		
+		if (msg->add_conn.eap_identity)
+		{
+			if (streq(msg->add_conn.eap_identity, "%identity"))
+			{
+				identity = identification_create_from_encoding(ID_ANY,
+															   chunk_empty);
+			}
+			else
+			{
+				identity = identification_create_from_string(
+													msg->add_conn.eap_identity);
+			}
+			cfg->add(cfg, AUTH_RULE_EAP_IDENTITY, identity);
+		}
+	}
+	else
+	{
+		if (!streq(auth, "any"))
+		{
+			DBG1(DBG_CFG, "authentication method %s unknown, fallback to any",
+				 auth);
+		}
+		build_crl_policy(cfg, local, msg->add_conn.crl_policy);
+	}
+	return cfg;
+}
+
+/**
+ * build a peer_cfg from a stroke msg
+ */
+static peer_cfg_t *build_peer_cfg(private_stroke_config_t *this,
+								  stroke_msg_t *msg, ike_cfg_t *ike_cfg)
+{
+	identification_t *peer_id = NULL;
+	peer_cfg_t *mediated_by = NULL;
+	host_t *vip = NULL;
+	unique_policy_t unique;
+	u_int32_t rekey = 0, reauth = 0, over, jitter;
+	peer_cfg_t *peer_cfg;
+	auth_cfg_t *auth_cfg;
 	
 #ifdef ME
 	if (msg->add_conn.ikeme.mediation && msg->add_conn.ikeme.mediated_by)
 	{
 		DBG1(DBG_CFG, "a mediation connection cannot be a"
 				" mediated connection at the same time, aborting");
-		me->destroy(me);
-		other->destroy(other);
 		return NULL;
 	}
 	
@@ -388,8 +552,6 @@ static peer_cfg_t *build_peer_cfg(private_stroke_config_t *this,
 		{
 			DBG1(DBG_CFG, "mediation connection '%s' not found, aborting",
 				 msg->add_conn.ikeme.mediated_by);
-			me->destroy(me);
-			other->destroy(other);
 			return NULL;
 		}
 		
@@ -399,56 +561,19 @@ static peer_cfg_t *build_peer_cfg(private_stroke_config_t *this,
 				 "no mediation connection, aborting", 
 				msg->add_conn.ikeme.mediated_by, msg->add_conn.name);
 			mediated_by->destroy(mediated_by);
-			me->destroy(me);
-			other->destroy(other);
 			return NULL;
 		}
-	}
-	
-	if (msg->add_conn.ikeme.peerid)
-	{
-		peer_id = identification_create_from_string(msg->add_conn.ikeme.peerid);
-		if (!peer_id)
-		{
-			DBG1(DBG_CFG, "invalid peer ID: %s\n", msg->add_conn.ikeme.peerid);
-			mediated_by->destroy(mediated_by);
-			me->destroy(me);
-			other->destroy(other);
-			return NULL;
-		}
-	}
-	else
-	{
-		/* no peer ID supplied, assume right ID */
-		peer_id = other->clone(other);
-	}
-#endif /* ME */
-	
-	if (msg->add_conn.me.cert)
-	{
-		cert = this->cred->load_peer(this->cred, msg->add_conn.me.cert);
-		if (cert)
+		if (msg->add_conn.ikeme.peerid)
 		{
-			identification_t *issuer = cert->get_issuer(cert);
-
-			*my_issuer = issuer->clone(issuer); 
-			this->ca->check_for_hash_and_url(this->ca, cert);
-			me = update_peerid(cert, me);
-			cert->destroy(cert);
+			peer_id = identification_create_from_string(msg->add_conn.ikeme.peerid);
 		}
-	}
-	if (msg->add_conn.other.cert)
-	{
-		cert = this->cred->load_peer(this->cred, msg->add_conn.other.cert);
-		if (cert)
+		else if (msg->add_conn.other.id)
 		{
-			identification_t *issuer = cert->get_issuer(cert);
-
-			*other_issuer = issuer->clone(issuer); 
-			other = update_peerid(cert, other);
-			cert->destroy(cert);
+			peer_id = identification_create_from_string(msg->add_conn.other.id);
 		}
 	}
+#endif /* ME */
+	
 	jitter = msg->add_conn.rekey.margin * msg->add_conn.rekey.fuzz / 100;
 	over = msg->add_conn.rekey.margin;
 	if (msg->add_conn.rekey.reauth)
@@ -512,179 +637,45 @@ static peer_cfg_t *build_peer_cfg(private_stroke_config_t *this,
 	/* other.sourceip is managed in stroke_attributes. If it is set, we define
 	 * the pool name as the connection name, which the attribute provider
 	 * uses to serve pool addresses. */
-	return peer_cfg_create(msg->add_conn.name,
-		msg->add_conn.ikev2 ? 2 : 1, ike_cfg, me, other,
+	peer_cfg = peer_cfg_create(msg->add_conn.name,
+		msg->add_conn.ikev2 ? 2 : 1, ike_cfg,
 		msg->add_conn.me.sendcert, unique, 
 		msg->add_conn.rekey.tries, rekey, reauth, jitter, over,
 		msg->add_conn.mobike, msg->add_conn.dpd.delay,
 		vip, msg->add_conn.other.sourceip_size ?
 							msg->add_conn.name : msg->add_conn.other.sourceip,
 		msg->add_conn.ikeme.mediation, mediated_by, peer_id);
-}
-
-/**
- * fill in auth_info from stroke message
- */
-static void build_auth_info(private_stroke_config_t *this,
-							stroke_msg_t *msg, auth_info_t *auth,
-							identification_t *my_ca,
-							identification_t *other_ca)
-{
-	identification_t *id;
-	bool my_ca_same = FALSE;
-	bool other_ca_same = FALSE;
-	cert_validation_t valid;
-
-	switch (msg->add_conn.crl_policy)
-	{
-		case CRL_STRICT_YES:
-			valid = VALIDATION_GOOD;
-			auth->add_item(auth, AUTHZ_CRL_VALIDATION, &valid);
-			break;
-		case CRL_STRICT_IFURI:
-			valid = VALIDATION_SKIPPED;
-			auth->add_item(auth, AUTHZ_CRL_VALIDATION, &valid);
-			break;
-		default:
-			break;
-	}
 	
-	if (msg->add_conn.me.ca)
+	/* build leftauth= */
+	auth_cfg = build_auth_cfg(this, msg, TRUE, TRUE);
+	if (auth_cfg)
 	{
-		if (my_ca)
-		{
-			my_ca->destroy(my_ca);
-			my_ca = NULL;
-		}
-		if (streq(msg->add_conn.me.ca, "%same"))
-		{
-			my_ca_same = TRUE;
-		}
-		else
-		{
-			my_ca = identification_create_from_string(msg->add_conn.me.ca);
-		}
+		peer_cfg->add_auth_cfg(peer_cfg, auth_cfg, TRUE);
 	}
-
-	if (msg->add_conn.other.ca)
-	{
-		if (other_ca)
-		{
-			other_ca->destroy(other_ca);
-			other_ca = NULL;
-		}
-		if (streq(msg->add_conn.other.ca, "%same"))
-		{
-			other_ca_same = TRUE;
-		}
-		else
-		{
-			other_ca = identification_create_from_string(msg->add_conn.other.ca);
-		}
-	}
-
-	if (other_ca_same && my_ca)
-	{
-		other_ca = my_ca->clone(my_ca);
-	}
-	else if (my_ca_same && other_ca)
-	{
-		my_ca = other_ca->clone(other_ca);
-	}
-	
-	if (other_ca)
-	{
-		DBG2(DBG_CFG, "  other ca: %D", other_ca);
-		certificate_t *cert = charon->credentials->get_cert(charon->credentials, 
-									CERT_X509, KEY_ANY, other_ca, TRUE);
-		if (cert)
-		{
-			auth->add_item(auth, AUTHZ_CA_CERT, cert);
-			cert->destroy(cert);
-		}
-		else
-		{
-			auth->add_item(auth, AUTHZ_CA_CERT_NAME, other_ca);
-		}
-		other_ca->destroy(other_ca);
+	else
+	{	/* we require at least one config on our side */
+		peer_cfg->destroy(peer_cfg);
+		return NULL;
 	}
-
-	if (my_ca)
+	/* build leftauth2= */
+	auth_cfg = build_auth_cfg(this, msg, TRUE, FALSE);
+	if (auth_cfg)
 	{
-		DBG2(DBG_CFG, "  my ca:    %D", my_ca);
-		certificate_t *cert = charon->credentials->get_cert(charon->credentials, 
-									CERT_X509, KEY_ANY, my_ca, TRUE);
-		if (cert)
-		{
-			auth->add_item(auth, AUTHN_CA_CERT, cert);
-			cert->destroy(cert);
-		}
-		else
-		{
-			auth->add_item(auth, AUTHN_CA_CERT_NAME, my_ca);
-		}
-		my_ca->destroy(my_ca);
+		peer_cfg->add_auth_cfg(peer_cfg, auth_cfg, TRUE);
 	}
-	auth->add_item(auth, AUTHN_AUTH_CLASS, &msg->add_conn.auth_method);
-	if (msg->add_conn.eap_type)
+	/* build rightauth= */
+	auth_cfg = build_auth_cfg(this, msg, FALSE, TRUE);
+	if (auth_cfg)
 	{
-		auth->add_item(auth, AUTHN_EAP_TYPE, &msg->add_conn.eap_type);
-		if (msg->add_conn.eap_vendor)
-		{
-			auth->add_item(auth, AUTHN_EAP_VENDOR, &msg->add_conn.eap_vendor);
-		}
+		peer_cfg->add_auth_cfg(peer_cfg, auth_cfg, FALSE);
 	}
-
-	if (msg->add_conn.eap_identity)
+	/* build rightauth2= */
+	auth_cfg = build_auth_cfg(this, msg, FALSE, FALSE);
+	if (auth_cfg)
 	{
-		if (streq(msg->add_conn.eap_identity, "%identity"))
-		{
-			id = identification_create_from_encoding(ID_ANY, chunk_empty);
-		}
-		else
-		{
-			id = identification_create_from_encoding(ID_EAP, chunk_create(
-										msg->add_conn.eap_identity,
-										strlen(msg->add_conn.eap_identity)));
-		}
-		auth->add_item(auth, AUTHN_EAP_IDENTITY, id);
-		id->destroy(id);
-	}
-
-	if (msg->add_conn.other.groups)
-	{
-		chunk_t line = { msg->add_conn.other.groups,
-						 strlen(msg->add_conn.other.groups) };
-
-		while (eat_whitespace(&line))
-		{
-			chunk_t group;
-
-			/* extract the next comma-separated group attribute */
-			if (!extract_token(&group, ',', &line))
-			{
-				group = line;
-				line.len = 0;
-			}
-
-			/* remove any trailing spaces */
-			while (group.len > 0 && *(group.ptr + group.len - 1) == ' ')
-			{
-				group.len--;
-			}
-
-			/* add the group attribute to the list */
-			if (group.len > 0)
-			{
-				identification_t *ac_group;
-
-				ac_group = identification_create_from_encoding(
-									ID_IETF_ATTR_STRING, group);
-				auth->add_item(auth, AUTHZ_AC_GROUP, ac_group);
-				ac_group->destroy(ac_group);	
-			}
-		}
+		peer_cfg->add_auth_cfg(peer_cfg, auth_cfg, FALSE);
 	}
+	return peer_cfg;
 }
 
 /**
@@ -799,7 +790,6 @@ static void add(private_stroke_config_t *this, stroke_msg_t *msg)
 	ike_cfg_t *ike_cfg, *existing_ike;
 	peer_cfg_t *peer_cfg, *existing;
 	child_cfg_t *child_cfg;
-	identification_t *my_issuer = NULL, *other_issuer = NULL;
 	enumerator_t *enumerator;
 	bool use_existing = FALSE;
 
@@ -808,15 +798,13 @@ static void add(private_stroke_config_t *this, stroke_msg_t *msg)
 	{
 		return;
 	}
-	peer_cfg = build_peer_cfg(this, msg, ike_cfg, &my_issuer, &other_issuer);
+	peer_cfg = build_peer_cfg(this, msg, ike_cfg);
 	if (!peer_cfg)
 	{
 		ike_cfg->destroy(ike_cfg);
 		return;
 	}
 	
-	build_auth_info(this, msg, peer_cfg->get_auth(peer_cfg),
-					my_issuer, other_issuer);
 	enumerator = create_peer_cfg_enumerator(this, NULL, NULL);
 	while (enumerator->enumerate(enumerator, &existing))
 	{
@@ -850,9 +838,7 @@ static void add(private_stroke_config_t *this, stroke_msg_t *msg)
 	else
 	{
 		/* add config to backend */
-		DBG1(DBG_CFG, "added configuration '%s': %s[%D]...%s[%D]", msg->add_conn.name,
-			 ike_cfg->get_my_addr(ike_cfg), peer_cfg->get_my_id(peer_cfg),
-			 ike_cfg->get_other_addr(ike_cfg), peer_cfg->get_other_id(peer_cfg));
+		DBG1(DBG_CFG, "added configuration '%s'", msg->add_conn.name);
 		this->mutex->lock(this->mutex);
 		this->list->insert_last(this->list, peer_cfg);
 		this->mutex->unlock(this->mutex);
@@ -867,34 +853,50 @@ static void del(private_stroke_config_t *this, stroke_msg_t *msg)
 	enumerator_t *enumerator, *children;
 	peer_cfg_t *peer;
 	child_cfg_t *child;
+	bool deleted = FALSE;
 	
 	this->mutex->lock(this->mutex);
 	enumerator = this->list->create_enumerator(this->list);
 	while (enumerator->enumerate(enumerator, (void**)&peer))
 	{
-		/* remove peer config with such a name */
-		if (streq(peer->get_name(peer), msg->del_conn.name))
-		{
-			this->list->remove_at(this->list, enumerator);
-			peer->destroy(peer);
-			continue;
-		}
+		bool keep = FALSE;
+		
 		/* remove any child with such a name */
 		children = peer->create_child_cfg_enumerator(peer);
 		while (children->enumerate(children, &child))
 		{
 			if (streq(child->get_name(child), msg->del_conn.name))
 			{
-				peer->remove_child_cfg(peer, enumerator);
+				peer->remove_child_cfg(peer, children);
 				child->destroy(child);
+				deleted = TRUE;
+			}
+			else
+			{
+				keep = TRUE;
 			}
 		}
 		children->destroy(children);
+		
+		/* if peer config matches, or has no children anymore, remove it */
+		if (!keep || streq(peer->get_name(peer), msg->del_conn.name))
+		{
+			this->list->remove_at(this->list, enumerator);
+			peer->destroy(peer);
+			deleted = TRUE;
+		}
 	}
 	enumerator->destroy(enumerator);
 	this->mutex->unlock(this->mutex);
 	
-	DBG1(DBG_CFG, "deleted connection '%s'", msg->del_conn.name);
+	if (deleted)
+	{
+		DBG1(DBG_CFG, "deleted connection '%s'", msg->del_conn.name);
+	}
+	else
+	{
+		DBG1(DBG_CFG, "connection '%s' not found", msg->del_conn.name);
+	}
 }
 
 /**
diff --git a/src/charon/plugins/stroke/stroke_config.h b/src/charon/plugins/stroke/stroke_config.h
index 12eb11a8f..270795e4a 100644
--- a/src/charon/plugins/stroke/stroke_config.h
+++ b/src/charon/plugins/stroke/stroke_config.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 /**
diff --git a/src/charon/plugins/stroke/stroke_control.c b/src/charon/plugins/stroke/stroke_control.c
index 08d50519c..c572117a2 100644
--- a/src/charon/plugins/stroke/stroke_control.c
+++ b/src/charon/plugins/stroke/stroke_control.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 #include "stroke_control.h"
@@ -145,11 +143,13 @@ static void terminate(private_stroke_control_t *this, stroke_msg_t *msg, FILE *o
 {
 	char *string, *pos = NULL, *name = NULL;
 	u_int32_t id = 0;
-	bool child;
+	bool child, all = FALSE;
 	int len;
 	ike_sa_t *ike_sa;
 	enumerator_t *enumerator;
+	linked_list_t *ike_list, *child_list;
 	stroke_log_info_t info;
+	uintptr_t del;
 	
 	string = msg->terminate.name;
 	
@@ -185,19 +185,44 @@ static void terminate(private_stroke_control_t *this, stroke_msg_t *msg, FILE *o
 		name = string;
 	}
 	else
-	{	/* is name[123] or name{23} */
-		string[len-1] = '\0';
-		id = atoi(pos + 1);
-		if (id == 0)
-		{
-			DBG1(DBG_CFG, "error parsing string");
-			return;
+	{
+		if (*(pos + 1) == '*')
+		{	/* is name[*] */
+			all = TRUE;
+			*pos = '\0';
+			name = string;
+		}
+		else
+		{	/* is name[123] or name{23} */
+			id = atoi(pos + 1);
+			if (id == 0)
+			{
+				DBG1(DBG_CFG, "error parsing string");
+				return;
+			}
 		}
 	}
 	
 	info.out = out;
 	info.level = msg->output_verbosity;
 	
+	if (id)
+	{
+		if (child)
+		{
+			charon->controller->terminate_child(charon->controller, id,
+									(controller_cb_t)stroke_log, &info);
+		}
+		else
+		{
+			charon->controller->terminate_ike(charon->controller, id,
+									(controller_cb_t)stroke_log, &info);
+		}
+		return;
+	}
+	
+	ike_list = linked_list_create();
+	child_list = linked_list_create();
 	enumerator = charon->controller->create_ike_sa_enumerator(charon->controller);
 	while (enumerator->enumerate(enumerator, &ike_sa))
 	{
@@ -209,35 +234,58 @@ static void terminate(private_stroke_control_t *this, stroke_msg_t *msg, FILE *o
 			children = ike_sa->create_child_sa_iterator(ike_sa);
 			while (children->iterate(children, (void**)&child_sa))
 			{
-				if ((name && streq(name, child_sa->get_name(child_sa))) ||
-					(id && id == child_sa->get_reqid(child_sa)))
+				if (streq(name, child_sa->get_name(child_sa)))
 				{
-					id = child_sa->get_reqid(child_sa);
-					children->destroy(children);
-					enumerator->destroy(enumerator);
-					
-					charon->controller->terminate_child(charon->controller, id,
-									(controller_cb_t)stroke_log, &info);
-					return;
+					child_list->insert_last(child_list,
+							(void*)(uintptr_t)child_sa->get_reqid(child_sa));
+					if (!all)
+					{
+						break;
+					}
 				}
 			}
 			children->destroy(children);
+			if (child_list->get_count(child_list) && !all)
+			{
+				break;
+			}
 		}
-		else if ((name && streq(name, ike_sa->get_name(ike_sa))) ||
-				 (id && id == ike_sa->get_unique_id(ike_sa)))
+		else if (streq(name, ike_sa->get_name(ike_sa)))
 		{
-			id = ike_sa->get_unique_id(ike_sa);
-			/* unlock manager first */
-			enumerator->destroy(enumerator);
-			
-			charon->controller->terminate_ike(charon->controller, id,
-								 	(controller_cb_t)stroke_log, &info);
-			return;
+			ike_list->insert_last(ike_list,
+						(void*)(uintptr_t)ike_sa->get_unique_id(ike_sa));
+			if (!all)
+			{
+				break;
+			}
 		}
-		
 	}
 	enumerator->destroy(enumerator);
-	DBG1(DBG_CFG, "no such SA found");
+	
+	enumerator = child_list->create_enumerator(child_list);
+	while (enumerator->enumerate(enumerator, &del))
+	{
+		charon->controller->terminate_child(charon->controller, del,
+									(controller_cb_t)stroke_log, &info);
+	}
+	enumerator->destroy(enumerator);
+	
+	enumerator = ike_list->create_enumerator(ike_list);
+	while (enumerator->enumerate(enumerator, &del))
+	{
+		charon->controller->terminate_ike(charon->controller, del,
+									(controller_cb_t)stroke_log, &info);
+	}
+	enumerator->destroy(enumerator);
+	
+	if (child_list->get_count(child_list) == 0 &&
+		ike_list->get_count(ike_list) == 0)
+	{
+		DBG1(DBG_CFG, "no %s_SA named '%s' found",
+			 child ? "CHILD" : "IKE", name);
+	}
+	ike_list->destroy(ike_list);
+	child_list->destroy(child_list);
 }
 
 /**
@@ -249,7 +297,7 @@ static void terminate_srcip(private_stroke_control_t *this,
 	enumerator_t *enumerator;
 	ike_sa_t *ike_sa;
 	host_t *start = NULL, *end = NULL, *vip;
-	chunk_t chunk_start, chunk_end, chunk_vip;
+	chunk_t chunk_start, chunk_end = chunk_empty, chunk_vip;
 	
 	if (msg->terminate_srcip.start)
 	{
@@ -309,6 +357,46 @@ static void terminate_srcip(private_stroke_control_t *this,
 	DESTROY_IF(end);
 }
 
+/**
+ * Implementation of stroke_control_t.purge_ike
+ */
+static void purge_ike(private_stroke_control_t *this, stroke_msg_t *msg, FILE *out)
+{
+	enumerator_t *enumerator;
+	iterator_t *iterator;
+	ike_sa_t *ike_sa;
+	child_sa_t *child_sa;
+	linked_list_t *list;
+	uintptr_t del;
+	stroke_log_info_t info;
+	
+	info.out = out;
+	info.level = msg->output_verbosity;
+	
+	list = linked_list_create();
+	enumerator = charon->controller->create_ike_sa_enumerator(charon->controller);
+	while (enumerator->enumerate(enumerator, &ike_sa))
+	{
+		iterator = ike_sa->create_child_sa_iterator(ike_sa);
+		if (!iterator->iterate(iterator, (void**)&child_sa))
+		{
+			list->insert_last(list,
+						(void*)(uintptr_t)ike_sa->get_unique_id(ike_sa));
+		}
+		iterator->destroy(iterator);
+	}
+	enumerator->destroy(enumerator);
+	
+	enumerator = list->create_enumerator(list);
+	while (enumerator->enumerate(enumerator, &del))
+	{
+		charon->controller->terminate_ike(charon->controller, del,
+									(controller_cb_t)stroke_log, &info);
+	}
+	enumerator->destroy(enumerator);
+	list->destroy(list);
+}
+
 /**
  * Implementation of stroke_control_t.route.
  */
@@ -316,7 +404,6 @@ static void route(private_stroke_control_t *this, stroke_msg_t *msg, FILE *out)
 {
 	peer_cfg_t *peer_cfg;
 	child_cfg_t *child_cfg;
-	stroke_log_info_t info;
 	
 	peer_cfg = charon->backends->get_peer_cfg_by_name(charon->backends,
 													  msg->route.name);
@@ -339,10 +426,14 @@ static void route(private_stroke_control_t *this, stroke_msg_t *msg, FILE *out)
 		return;
 	}
 	
-	info.out = out;
-	info.level = msg->output_verbosity;
-	charon->controller->route(charon->controller, peer_cfg, child_cfg,
-							  (controller_cb_t)stroke_log, &info);
+	if (charon->traps->install(charon->traps, peer_cfg, child_cfg))
+	{
+		fprintf(out, "configuration '%s' routed\n", msg->route.name);
+	}
+	else
+	{
+		fprintf(out, "routing configuration '%s' failed\n", msg->route.name);
+	}
 	peer_cfg->destroy(peer_cfg);
 	child_cfg->destroy(child_cfg);
 }
@@ -352,41 +443,24 @@ static void route(private_stroke_control_t *this, stroke_msg_t *msg, FILE *out)
  */
 static void unroute(private_stroke_control_t *this, stroke_msg_t *msg, FILE *out)
 {
-	char *name;
-	ike_sa_t *ike_sa;
+	child_sa_t *child_sa;
 	enumerator_t *enumerator;
-	stroke_log_info_t info;
+	u_int32_t id;
 	
-	name = msg->terminate.name;
-	
-	info.out = out;
-	info.level = msg->output_verbosity;
-	
-	enumerator = charon->controller->create_ike_sa_enumerator(charon->controller);
-	while (enumerator->enumerate(enumerator, &ike_sa))
+	enumerator = charon->traps->create_enumerator(charon->traps);
+	while (enumerator->enumerate(enumerator, NULL, &child_sa))
 	{
-		child_sa_t *child_sa;
-		iterator_t *children;
-		u_int32_t id;
-
-		children = ike_sa->create_child_sa_iterator(ike_sa);
-		while (children->iterate(children, (void**)&child_sa))
+		if (streq(msg->unroute.name, child_sa->get_name(child_sa)))
 		{
-			if (child_sa->get_state(child_sa) == CHILD_ROUTED &&
-				streq(name, child_sa->get_name(child_sa)))
-			{
-				id = child_sa->get_reqid(child_sa);
-				children->destroy(children);
-				enumerator->destroy(enumerator);
-				charon->controller->unroute(charon->controller, id,
-								(controller_cb_t)stroke_log, &info);
-				return;
-			}
+			id = child_sa->get_reqid(child_sa);
+			enumerator->destroy(enumerator);
+			charon->traps->uninstall(charon->traps, id);
+			fprintf(out, "configuration '%s' unrouted\n", msg->unroute.name);
+			return;
 		}
-		children->destroy(children);
 	}
 	enumerator->destroy(enumerator);
-	DBG1(DBG_CFG, "no such SA found");
+	fprintf(out, "configuration '%s' not found\n", msg->unroute.name);
 }
 
 /**
@@ -407,6 +481,7 @@ stroke_control_t *stroke_control_create()
 	this->public.initiate = (void(*)(stroke_control_t*, stroke_msg_t *msg, FILE *out))initiate;
 	this->public.terminate = (void(*)(stroke_control_t*, stroke_msg_t *msg, FILE *out))terminate;
 	this->public.terminate_srcip = (void(*)(stroke_control_t*, stroke_msg_t *msg, FILE *out))terminate_srcip;
+	this->public.purge_ike = (void(*)(stroke_control_t*, stroke_msg_t *msg, FILE *out))purge_ike;
 	this->public.route = (void(*)(stroke_control_t*, stroke_msg_t *msg, FILE *out))route;
 	this->public.unroute = (void(*)(stroke_control_t*, stroke_msg_t *msg, FILE *out))unroute;
 	this->public.destroy = (void(*)(stroke_control_t*))destroy;
diff --git a/src/charon/plugins/stroke/stroke_control.h b/src/charon/plugins/stroke/stroke_control.h
index 26dc99b94..5a61a90a4 100644
--- a/src/charon/plugins/stroke/stroke_control.h
+++ b/src/charon/plugins/stroke/stroke_control.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 /**
@@ -55,6 +53,13 @@ struct stroke_control_t {
 	 */
 	void (*terminate_srcip)(stroke_control_t *this, stroke_msg_t *msg, FILE *out);
 	
+	/**
+	 * Delete IKE_SAs without a CHILD_SA.
+	 *
+	 * @param msg		stroke message
+	 */
+	void (*purge_ike)(stroke_control_t *this, stroke_msg_t *msg, FILE *out);
+	
 	/**
 	 * Route a connection.
 	 *
@@ -70,9 +75,9 @@ struct stroke_control_t {
 	void (*unroute)(stroke_control_t *this, stroke_msg_t *msg, FILE *out);
 	
 	/**
-     * Destroy a stroke_control instance.
-     */
-    void (*destroy)(stroke_control_t *this);
+	 * Destroy a stroke_control instance.
+	 */
+	void (*destroy)(stroke_control_t *this);
 };
 
 /**
diff --git a/src/charon/plugins/stroke/stroke_cred.c b/src/charon/plugins/stroke/stroke_cred.c
index 434aec22b..dc73299b8 100644
--- a/src/charon/plugins/stroke/stroke_cred.c
+++ b/src/charon/plugins/stroke/stroke_cred.c
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 #include <sys/stat.h>
@@ -382,10 +380,18 @@ static certificate_t* load_ca(private_stroke_cred_t *this, char *filename)
 	cert = lib->creds->create(lib->creds,
 							  CRED_CERTIFICATE, CERT_X509,
 							  BUILD_FROM_FILE, path,
-							  BUILD_X509_FLAG, X509_CA,
 							  BUILD_END);
 	if (cert)
 	{
+		x509_t *x509 = (x509_t*)cert;
+		
+		if (!(x509->get_flags(x509) & X509_CA))
+		{
+			cert->destroy(cert);
+			DBG1(DBG_CFG, "  ca certificate must have ca basic constraint set, "
+				 "discarded");
+			return NULL;
+		}
 		return (certificate_t*)add_cert(this, cert);
 	}
 	return NULL;
@@ -524,11 +530,32 @@ static void load_certdir(private_stroke_cred_t *this, char *path,
 		switch (type)
 		{
 			case CERT_X509:
-				cert = lib->creds->create(lib->creds,
-										  CRED_CERTIFICATE, CERT_X509,
-										  BUILD_FROM_FILE, file,
-										  BUILD_X509_FLAG, flag,
-										  BUILD_END);
+				if (flag & X509_CA)
+				{	/* for CA certificates, we strictly require CA
+					 * basicconstraints to be set */
+					cert = lib->creds->create(lib->creds,
+										CRED_CERTIFICATE, CERT_X509,
+										BUILD_FROM_FILE, file, BUILD_END);
+					if (cert)
+					{
+						x509_t *x509 = (x509_t*)cert;
+						
+						if (!(x509->get_flags(x509) & X509_CA))
+						{
+							DBG1(DBG_CFG, "  ca certificate must have ca "
+								 "basic constraint set, discarded");
+							cert->destroy(cert);
+							cert = NULL;
+						}
+					}
+				}
+				else
+				{	/* for all other flags, we add them to the certificate. */
+					cert = lib->creds->create(lib->creds,
+										CRED_CERTIFICATE, CERT_X509,
+										BUILD_FROM_FILE, file,
+										BUILD_X509_FLAG, flag, BUILD_END);
+				}
 				if (cert)
 				{
 					add_cert(this, cert);
@@ -568,13 +595,13 @@ static void cache_cert(private_stroke_cred_t *this, certificate_t *cert)
 {
 	if (cert->get_type(cert) == CERT_X509_CRL && this->cachecrl)
 	{
-		/* CRLs get written to /etc/ipsec.d/crls/authkeyId.crl */
+		/* CRLs get written to /etc/ipsec.d/crls/<authkeyId>.crl */
 		crl_t *crl = (crl_t*)cert;
 	
 		cert->get_ref(cert);
 		if (add_crl(this, crl))
 		{
-			char buf[256];
+			char buf[BUF_LEN];
 			chunk_t chunk, hex;
 			identification_t *id;
 			
@@ -585,14 +612,7 @@ static void cache_cert(private_stroke_cred_t *this, certificate_t *cert)
 			free(hex.ptr);
 			
 			chunk = cert->get_encoding(cert);
-			if (chunk_write(chunk, buf, 022, TRUE))
-			{
-				DBG1(DBG_CFG, "  written crl to '%s'", buf);
-			}
-			else
-			{
-				DBG1(DBG_CFG, "  writing crl to '%s' failed", buf);
-			}
+			chunk_write(chunk, buf, "crl", 022, TRUE);
 			free(chunk.ptr);
 		}
 	}
@@ -905,26 +925,13 @@ static void load_secrets(private_stroke_cred_t *this)
 					continue;
 				}
 				
-				if (type == SHARED_EAP)
+				/* NULL terminate the ID string */
+				*(id.ptr + id.len) = '\0';
+				peer_id = identification_create_from_string(id.ptr);
+				if (peer_id->get_type(peer_id) == ID_ANY)
 				{
-					/* we use a special EAP identity type for EAP secrets */
-					peer_id = identification_create_from_encoding(ID_EAP, id);
-				}
-				else
-				{
-					/* NULL terminate the ID string */
-					*(id.ptr + id.len) = '\0';
-					peer_id = identification_create_from_string(id.ptr);
-					if (peer_id == NULL)
-					{
-						DBG1(DBG_CFG, "line %d: malformed ID: %s", line_nr, id.ptr);
-						goto error;
-					}
-					if (peer_id->get_type(peer_id) == ID_ANY)
-					{
-						peer_id->destroy(peer_id);
-						continue;
-					}
+					peer_id->destroy(peer_id);
+					continue;
 				}
 				
 				shared_key->add_owner(shared_key, peer_id);
diff --git a/src/charon/plugins/stroke/stroke_cred.h b/src/charon/plugins/stroke/stroke_cred.h
index fc7121622..8bc042f13 100644
--- a/src/charon/plugins/stroke/stroke_cred.h
+++ b/src/charon/plugins/stroke/stroke_cred.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 /**
diff --git a/src/charon/plugins/stroke/stroke_list.c b/src/charon/plugins/stroke/stroke_list.c
index 94b3def3a..564a511a1 100644
--- a/src/charon/plugins/stroke/stroke_list.c
+++ b/src/charon/plugins/stroke/stroke_list.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 #include "stroke_list.h"
@@ -54,23 +52,6 @@ struct private_stroke_list_t {
 	stroke_attribute_t *attribute;
 };
 
-/**
- * get the authentication class of a config
- */
-auth_class_t get_auth_class(peer_cfg_t *config)
-{
-	auth_class_t *class;
-	auth_info_t *auth_info;
-	
-	auth_info = config->get_auth(config);
-	if (auth_info->get_item(auth_info, AUTHN_AUTH_CLASS, (void**)&class))
-	{
-		return *class;
-	}
-	/* fallback to pubkey authentication */
-	return AUTH_CLASS_PUBKEY;
-}
-
 /**
  * log an IKE_SA to out
  */
@@ -91,7 +72,7 @@ static void log_ike_sa(FILE *out, ike_sa_t *ike_sa, bool all)
 		fprintf(out, " %V ago", &now, &established);
 	}
 	
-	fprintf(out, ", %H[%D]...%H[%D]\n",
+	fprintf(out, ", %H[%Y]...%H[%Y]\n",
 			ike_sa->get_my_host(ike_sa), ike_sa->get_my_id(ike_sa),
 			ike_sa->get_other_host(ike_sa), ike_sa->get_other_id(ike_sa));
 	
@@ -110,9 +91,11 @@ static void log_ike_sa(FILE *out, ike_sa_t *ike_sa, bool all)
 		if (ike_sa->get_state(ike_sa) == IKE_ESTABLISHED)
 		{
 			time_t rekey, reauth;
+			peer_cfg_t *peer_cfg;
 			
 			rekey = ike_sa->get_statistic(ike_sa, STAT_REKEY);
 			reauth = ike_sa->get_statistic(ike_sa, STAT_REAUTH);
+			peer_cfg = ike_sa->get_peer_cfg(ike_sa);
 			
 			if (rekey)
 			{
@@ -120,9 +103,24 @@ static void log_ike_sa(FILE *out, ike_sa_t *ike_sa, bool all)
 			}
 			if (reauth)
 			{
-				fprintf(out, ", %N reauthentication in %V", auth_class_names,
-						get_auth_class(ike_sa->get_peer_cfg(ike_sa)),
-						&reauth, &now);
+				bool first = TRUE;
+				enumerator_t *enumerator;
+				auth_cfg_t *auth;
+				
+				fprintf(out, ", ");
+				enumerator = peer_cfg->create_auth_cfg_enumerator(peer_cfg, TRUE);
+				while (enumerator->enumerate(enumerator, &auth))
+				{
+					if (!first)
+					{
+						fprintf(out, "+");
+					}
+					first = FALSE;
+					fprintf(out, "%N", auth_class_names,
+							auth->get(auth, AUTH_RULE_AUTH_CLASS));
+				}
+				enumerator->destroy(enumerator);
+				fprintf(out, " reauthentication in %V", &reauth, &now);
 			}
 			if (!rekey && !reauth)
 			{
@@ -195,7 +193,7 @@ static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all)
 					fprintf(out, "%N", encryption_algorithm_names, encr_alg);
 					if (encr_size)
 					{
-						fprintf(out, "-%d", encr_size);
+						fprintf(out, "_%u", encr_size);
 					}
 				}
 				if (int_alg != AUTH_UNDEFINED)
@@ -203,7 +201,7 @@ static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all)
 					fprintf(out, "/%N", integrity_algorithm_names, int_alg);
 					if (int_size)
 					{
-						fprintf(out, "-%d", int_size);
+						fprintf(out, "_%u", int_size);
 					}
 				}
 			}
@@ -212,7 +210,14 @@ static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all)
 			rekey = child_sa->get_lifetime(child_sa, FALSE);
 			if (rekey)
 			{
-				fprintf(out, "in %V", &now, &rekey);
+				if (now > rekey)
+				{
+					fprintf(out, "active");
+				}
+				else
+				{
+					fprintf(out, "in %V", &now, &rekey);
+				}
 			}
 			else
 			{
@@ -247,6 +252,107 @@ static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all)
 			child_sa->get_traffic_selectors(child_sa, FALSE));
 }
 
+/**
+ * Log a configs local or remote authentication config to out
+ */
+static void log_auth_cfgs(FILE *out, peer_cfg_t *peer_cfg, bool local)
+{
+	enumerator_t *enumerator, *rules;
+	auth_rule_t rule;
+	auth_cfg_t *auth;
+	auth_class_t auth_class;
+	identification_t *id;
+	certificate_t *cert;
+	cert_validation_t valid;
+	char *name;
+	
+	name = peer_cfg->get_name(peer_cfg);
+	
+	enumerator = peer_cfg->create_auth_cfg_enumerator(peer_cfg, local);
+	while (enumerator->enumerate(enumerator, &auth))
+	{
+		fprintf(out, "%12s:   %s [%Y] uses ", name,	local ? "local: " : "remote:",
+				auth->get(auth, AUTH_RULE_IDENTITY));
+
+		auth_class = (uintptr_t)auth->get(auth, AUTH_RULE_AUTH_CLASS);
+		if (auth_class != AUTH_CLASS_EAP)
+		{
+			fprintf(out, "%N authentication\n", auth_class_names, auth_class);
+		}
+		else
+		{
+			if ((uintptr_t)auth->get(auth, AUTH_RULE_EAP_TYPE) == EAP_NAK)
+			{
+				fprintf(out, "EAP authentication");
+			}
+			else
+			{
+				if ((uintptr_t)auth->get(auth, AUTH_RULE_EAP_VENDOR))
+				{
+					fprintf(out, "EAP_%d-%d authentication",
+						(uintptr_t)auth->get(auth, AUTH_RULE_EAP_TYPE),
+						(uintptr_t)auth->get(auth, AUTH_RULE_EAP_VENDOR));
+				}
+				else
+				{
+					fprintf(out, "%N authentication", eap_type_names,
+						(uintptr_t)auth->get(auth, AUTH_RULE_EAP_TYPE));
+				}
+			}
+			id = auth->get(auth, AUTH_RULE_EAP_IDENTITY);
+			if (id)
+			{
+				fprintf(out, " with EAP identity '%Y'", id);
+			}
+			fprintf(out, "\n");
+		}
+
+		cert = auth->get(auth, AUTH_RULE_CA_CERT);
+		if (cert)
+		{
+			fprintf(out, "%12s:    ca:    \"%Y\"\n", name, cert->get_subject(cert));
+		}
+
+		cert = auth->get(auth, AUTH_RULE_IM_CERT);
+		if (cert)
+		{
+			fprintf(out, "%12s:    im-ca: \"%Y\"\n", name, cert->get_subject(cert));
+		}
+
+		cert = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
+		if (cert)
+		{
+			fprintf(out, "%12s:    cert:  \"%Y\"\n", name,
+					cert->get_subject(cert));
+		}
+
+		valid = (uintptr_t)auth->get(auth, AUTH_RULE_OCSP_VALIDATION);
+		if (valid != VALIDATION_FAILED)
+		{
+			fprintf(out, "%12s:    ocsp:  status must be GOOD%s\n", name,
+					(valid == VALIDATION_SKIPPED) ? " or SKIPPED" : "");
+		}
+		
+		valid = (uintptr_t)auth->get(auth, AUTH_RULE_CRL_VALIDATION);
+		if (valid != VALIDATION_FAILED)
+		{
+			fprintf(out, "%12s:    crl:   status must be GOOD%s\n", name,
+					(valid == VALIDATION_SKIPPED) ? " or SKIPPED" : "");
+		}
+
+		rules = auth->create_enumerator(auth);
+		while (rules->enumerate(rules, &rule, &id))
+		{
+			if (rule == AUTH_RULE_AC_GROUP)
+			{
+				fprintf(out, "%12s:    group: %Y\n", name, id);
+			}
+		}
+		rules->destroy(rules);
+	}
+	enumerator->destroy(enumerator);
+}
+
 /**
  * Implementation of stroke_list_t.status.
  */
@@ -255,8 +361,9 @@ static void status(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out, bo
 	enumerator_t *enumerator, *children;
 	ike_cfg_t *ike_cfg;
 	child_cfg_t *child_cfg;
+	child_sa_t *child_sa;
 	ike_sa_t *ike_sa;
-	bool found = FALSE;
+	bool first, found = FALSE;
 	char *name = msg->status.name;
 	
 	if (all)
@@ -266,10 +373,9 @@ static void status(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out, bo
 		host_t *host;
 		u_int32_t dpd;
 		time_t now = time(NULL);
-		bool first = TRUE;
 		u_int size, online, offline;
 		
-		fprintf(out, "Performance:\n");
+		fprintf(out, "Status of IKEv2 charon daemon (strongSwan "VERSION"):\n");
 		fprintf(out, "  uptime: %V, since %T\n", &now, &this->uptime, &this->uptime, FALSE);
 		fprintf(out, "  worker threads: %d idle of %d,",
 				charon->processor->get_idle_threads(charon->processor),
@@ -287,6 +393,7 @@ static void status(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out, bo
 		enumerator->destroy(enumerator);
 		fprintf(out, "\n");
 		
+		first = TRUE;
 		enumerator = this->attribute->create_pool_enumerator(this->attribute);
 		while (enumerator->enumerate(enumerator, &pool, &size, &online, &offline))
 		{
@@ -299,7 +406,7 @@ static void status(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out, bo
 				first = FALSE;
 				fprintf(out, "Virtual IP pools (size/online/offline):\n");
 			}
-			fprintf(out, "  %s: %lu/%lu/%lu\n", pool, size, online, offline);
+			fprintf(out, "  %s: %u/%u/%u\n", pool, size, online, offline);
 		}
 		enumerator->destroy(enumerator);
 		
@@ -313,138 +420,42 @@ static void status(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out, bo
 		enumerator->destroy(enumerator);
 	
 		fprintf(out, "Connections:\n");
-		enumerator = charon->backends->create_peer_cfg_enumerator(charon->backends);
-		while (enumerator->enumerate(enumerator, (void**)&peer_cfg))
+		enumerator = charon->backends->create_peer_cfg_enumerator(
+									charon->backends, NULL, NULL, NULL, NULL);
+		while (enumerator->enumerate(enumerator, &peer_cfg))
 		{
-			void *ptr;
-			certificate_t *cert;
-			auth_item_t item;
-			auth_info_t *auth;
-			enumerator_t *auth_enumerator;
-			identification_t *my_ca = NULL, *other_ca = NULL;
-			identification_t *eap_identity = NULL;
-			u_int32_t *eap_type = NULL;
-			bool ac_groups = FALSE;
-
 			if (peer_cfg->get_ike_version(peer_cfg) != 2 ||
 				(name && !streq(name, peer_cfg->get_name(peer_cfg))))
 			{
 				continue;
 			}
 			
-			/* determine any required CAs, EAP type, EAP identity,
-			 * and the presence of AC groups
-			 */
-			auth = peer_cfg->get_auth(peer_cfg);
-			auth_enumerator = auth->create_item_enumerator(auth);
-			while (auth_enumerator->enumerate(auth_enumerator, &item, &ptr))
-			{
-				switch (item)
-				{
-					case AUTHN_EAP_TYPE:
-						eap_type = (u_int32_t *)ptr;
-						break;
-					case AUTHN_EAP_IDENTITY:
-						eap_identity = (identification_t *)ptr;
-						break;
-					case AUTHN_CA_CERT:
-						cert = (certificate_t *)ptr;
-						my_ca = cert->get_subject(cert);
-						break;
-					case AUTHN_CA_CERT_NAME:
-						my_ca = (identification_t *)ptr;
-						break;
-					case AUTHZ_CA_CERT:
-						cert = (certificate_t *)ptr;
-						other_ca = cert->get_subject(cert);
-						break;
-					case AUTHZ_CA_CERT_NAME:
-						other_ca = (identification_t *)ptr;
-						break;
-					case AUTHZ_AC_GROUP:
-						ac_groups = TRUE;
-						break;
-					default:
-						break;
-				}
-			}
-			auth_enumerator->destroy(auth_enumerator);
-
 			ike_cfg = peer_cfg->get_ike_cfg(peer_cfg);
-			fprintf(out, "%12s:  %s[%D]...%s[%D]\n", peer_cfg->get_name(peer_cfg),
-					ike_cfg->get_my_addr(ike_cfg), peer_cfg->get_my_id(peer_cfg),
-					ike_cfg->get_other_addr(ike_cfg), peer_cfg->get_other_id(peer_cfg));
-			if (my_ca || other_ca)
-			{
-				fprintf(out, "%12s:  CAs: ", peer_cfg->get_name(peer_cfg));
-				if (my_ca)
-				{
-					fprintf(out, "\"%D\"...", my_ca);
-				}
-				else
-				{
-					fprintf(out, "%%any...");
-				}
-				if (other_ca)
-				{
-					fprintf(out, "\"%D\"\n", other_ca);
-				}
-				else
-				{
-					fprintf(out, "%%any\n");
-				}
-			}
-
-			if (ac_groups)
-			{
-				bool first = TRUE;
-
-				fprintf(out, "%12s:  groups: ",  peer_cfg->get_name(peer_cfg));
-				auth_enumerator = auth->create_item_enumerator(auth);
-				while (auth_enumerator->enumerate(auth_enumerator, &item, &ptr))
-				{
-					if (item == AUTHZ_AC_GROUP)
-					{
-						identification_t *group = (identification_t *)ptr;
-
-						fprintf(out, "%s%D", first? "":", ", group);
-						first = FALSE;
-					}
-				}
-				auth_enumerator->destroy(auth_enumerator);
-				fprintf(out, "\n");
-			}
-
-			fprintf(out, "%12s:  %N ",  peer_cfg->get_name(peer_cfg),
-					auth_class_names, get_auth_class(peer_cfg));
-			if (eap_type)
-			{
-				fprintf(out, "and %N ", eap_type_names, *eap_type);
-			}
-			fprintf(out, "authentication");
-			if (eap_identity)
-			{
-				fprintf(out, ", EAP identity: '%D'", eap_identity);
-			}
+			fprintf(out, "%12s:  %s...%s", peer_cfg->get_name(peer_cfg),
+				ike_cfg->get_my_addr(ike_cfg), ike_cfg->get_other_addr(ike_cfg));
+			
 			dpd = peer_cfg->get_dpd(peer_cfg);
 			if (dpd)
 			{
 				fprintf(out, ", dpddelay=%us", dpd);
 			}
 			fprintf(out, "\n");
-
+			
+			log_auth_cfgs(out, peer_cfg, TRUE);
+			log_auth_cfgs(out, peer_cfg, FALSE);
+			
 			children = peer_cfg->create_child_cfg_enumerator(peer_cfg);
 			while (children->enumerate(children, &child_cfg))
 			{
 				linked_list_t *my_ts, *other_ts;
-
+				
 				my_ts = child_cfg->get_traffic_selectors(child_cfg, TRUE, NULL, NULL);
 				other_ts = child_cfg->get_traffic_selectors(child_cfg, FALSE, NULL, NULL);
-				fprintf(out, "%12s:    %#R=== %#R", child_cfg->get_name(child_cfg),
+				fprintf(out, "%12s:   child:  %#R=== %#R", child_cfg->get_name(child_cfg),
 						my_ts, other_ts);
 				my_ts->destroy_offset(my_ts, offsetof(traffic_selector_t, destroy));
 				other_ts->destroy_offset(other_ts, offsetof(traffic_selector_t, destroy));
-
+				
 				if (dpd)
 				{
 					fprintf(out, ", dpdaction=%N", action_names,
@@ -456,13 +467,25 @@ static void status(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out, bo
 		}
 		enumerator->destroy(enumerator);
 	}
+
+	first = TRUE;	
+	enumerator = charon->traps->create_enumerator(charon->traps);
+	while (enumerator->enumerate(enumerator, NULL, &child_sa))
+	{
+		if (first)
+		{
+			fprintf(out, "Routed Connections:\n");
+			first = FALSE;
+		}
+		log_child_sa(out, child_sa, all);
+	}
+	enumerator->destroy(enumerator);
 	
 	fprintf(out, "Security Associations:\n");
 	enumerator = charon->controller->create_ike_sa_enumerator(charon->controller);
 	while (enumerator->enumerate(enumerator, &ike_sa))
 	{
 		bool ike_printed = FALSE;
-		child_sa_t *child_sa;
 		iterator_t *children = ike_sa->create_child_sa_iterator(ike_sa);
 		
 		if (name == NULL || streq(name, ike_sa->get_name(ike_sa)))
@@ -588,8 +611,8 @@ static void stroke_list_pubkeys(linked_list_t *list, bool utc, FILE *out)
 					key_type_names, public->get_type(public),
 					public->get_keysize(public) * 8,
 					private ? ", has private key" : "");
-			fprintf(out, "  keyid:     %D\n", keyid);
-			fprintf(out, "  subjkey:   %D\n", id);
+			fprintf(out, "  keyid:     %Y\n", keyid);
+			fprintf(out, "  subjkey:   %Y\n", id);
 			DESTROY_IF(private);
 			public->destroy(public);
 		}
@@ -645,7 +668,7 @@ static void stroke_list_certs(linked_list_t *list, char *label,
 				{
 					fprintf(out, ", ");
 				}
-				fprintf(out, "%D", altName);
+				fprintf(out, "%Y", altName);
 			}
 			if (!first_altName)
 			{
@@ -653,8 +676,8 @@ static void stroke_list_certs(linked_list_t *list, char *label,
 			}
 			enumerator->destroy(enumerator);
 
-			fprintf(out, "  subject:  \"%D\"\n", cert->get_subject(cert));
-			fprintf(out, "  issuer:   \"%D\"\n", cert->get_issuer(cert));
+			fprintf(out, "  subject:  \"%Y\"\n", cert->get_subject(cert));
+			fprintf(out, "  issuer:   \"%Y\"\n", cert->get_issuer(cert));
 			fprintf(out, "  serial:    %#B\n", &serial);
 
 			/* list validity */
@@ -699,8 +722,8 @@ static void stroke_list_certs(linked_list_t *list, char *label,
 						key_type_names, public->get_type(public),
 						public->get_keysize(public) * 8,
 						private ? ", has private key" : "");
-				fprintf(out, "  keyid:     %D\n", keyid);
-				fprintf(out, "  subjkey:   %D\n", id);
+				fprintf(out, "  keyid:     %Y\n", keyid);
+				fprintf(out, "  subjkey:   %Y\n", id);
 				DESTROY_IF(private);
 				public->destroy(public);
 			}
@@ -708,7 +731,7 @@ static void stroke_list_certs(linked_list_t *list, char *label,
 			/* list optional authorityKeyIdentifier */
 			if (authkey)
 			{
-				fprintf(out, "  authkey:   %D\n", authkey);
+				fprintf(out, "  authkey:   %Y\n", authkey);
 			}
 		}
 	}
@@ -744,17 +767,17 @@ static void stroke_list_acerts(linked_list_t *list, bool utc, FILE *out)
 
 		if (entityName)
 		{
-			fprintf(out, "  holder:   \"%D\"\n", entityName);
+			fprintf(out, "  holder:   \"%Y\"\n", entityName);
 		}
 		if (holderIssuer)
 		{
-			fprintf(out, "  hissuer:  \"%D\"\n", holderIssuer);
+			fprintf(out, "  hissuer:  \"%Y\"\n", holderIssuer);
 		}
 		if (holderSerial.ptr)
 		{
 			fprintf(out, "  hserial:   %#B\n", &holderSerial);
 		}
-		fprintf(out, "  issuer:   \"%D\"\n", cert->get_issuer(cert));
+		fprintf(out, "  issuer:   \"%Y\"\n", cert->get_issuer(cert));
 		fprintf(out, "  serial:    %#B\n", &serial);
 
 		/* list validity */
@@ -778,7 +801,7 @@ static void stroke_list_acerts(linked_list_t *list, bool utc, FILE *out)
 		/* list optional authorityKeyIdentifier */
 		if (authkey)
 		{
-			fprintf(out, "  authkey:   %D\n", authkey);
+			fprintf(out, "  authkey:   %Y\n", authkey);
 		}
 	}
 	enumerator->destroy(enumerator);
@@ -808,7 +831,7 @@ static void stroke_list_crls(linked_list_t *list, bool utc, FILE *out)
 		}
 		fprintf(out, "\n");
 
-		fprintf(out, "  issuer:   \"%D\"\n", cert->get_issuer(cert));
+		fprintf(out, "  issuer:   \"%Y\"\n", cert->get_issuer(cert));
 
 		/* list optional crlNumber */
 		if (serial.ptr)
@@ -851,7 +874,7 @@ static void stroke_list_crls(linked_list_t *list, bool utc, FILE *out)
 		/* list optional authorityKeyIdentifier */
 		if (authkey)
 		{
-			fprintf(out, "  authkey:   %D\n", authkey);
+			fprintf(out, "  authkey:   %Y\n", authkey);
 		}
 	}
 	enumerator->destroy(enumerator);
@@ -876,7 +899,7 @@ static void stroke_list_ocsp(linked_list_t* list, bool utc, FILE *out)
 			first = FALSE;
 		}
 
-		fprintf(out, "  signer:   \"%D\"\n", cert->get_issuer(cert));
+		fprintf(out, "  signer:   \"%Y\"\n", cert->get_issuer(cert));
 	}
 	enumerator->destroy(enumerator);
 }
@@ -1019,7 +1042,7 @@ static void pool_leases(private_stroke_list_t *this, FILE *out, char *pool,
 	{
 		if (!address || address->ip_equals(address, lease))
 		{
-			fprintf(out, "  %15H   %s   '%D'\n",
+			fprintf(out, "  %15H   %s   '%Y'\n",
 					lease, on ? "online" : "offline", id);
 			found++;
 		}
diff --git a/src/charon/plugins/stroke/stroke_list.h b/src/charon/plugins/stroke/stroke_list.h
index 73a6ff6e4..2430abfbb 100644
--- a/src/charon/plugins/stroke/stroke_list.h
+++ b/src/charon/plugins/stroke/stroke_list.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 /**
diff --git a/src/charon/plugins/stroke/stroke_plugin.c b/src/charon/plugins/stroke/stroke_plugin.c
index 6933fc074..22c1125a1 100644
--- a/src/charon/plugins/stroke/stroke_plugin.c
+++ b/src/charon/plugins/stroke/stroke_plugin.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 #include "stroke_plugin.h"
diff --git a/src/charon/plugins/stroke/stroke_plugin.h b/src/charon/plugins/stroke/stroke_plugin.h
index b4c367c6e..6e9d556ad 100644
--- a/src/charon/plugins/stroke/stroke_plugin.h
+++ b/src/charon/plugins/stroke/stroke_plugin.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: stroke.h 3589 2008-03-13 14:14:44Z martin $
  */
 
 /**
diff --git a/src/charon/plugins/stroke/stroke_shared_key.c b/src/charon/plugins/stroke/stroke_shared_key.c
index 9c21eb830..8f53f509d 100644
--- a/src/charon/plugins/stroke/stroke_shared_key.c
+++ b/src/charon/plugins/stroke/stroke_shared_key.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 #include "stroke_shared_key.h"
diff --git a/src/charon/plugins/stroke/stroke_shared_key.h b/src/charon/plugins/stroke/stroke_shared_key.h
index b456095ae..224062100 100644
--- a/src/charon/plugins/stroke/stroke_shared_key.h
+++ b/src/charon/plugins/stroke/stroke_shared_key.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 /**
diff --git a/src/charon/plugins/stroke/stroke_socket.c b/src/charon/plugins/stroke/stroke_socket.c
index 53edde031..f61171e22 100644
--- a/src/charon/plugins/stroke/stroke_socket.c
+++ b/src/charon/plugins/stroke/stroke_socket.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 #include "stroke_socket.h"
@@ -143,18 +141,28 @@ static void pop_end(stroke_msg_t *msg, const char* label, stroke_end_t *end)
 	pop_string(msg, &end->address);
 	pop_string(msg, &end->subnets);
 	pop_string(msg, &end->sourceip);
+	pop_string(msg, &end->auth);
+	pop_string(msg, &end->auth2);
 	pop_string(msg, &end->id);
+	pop_string(msg, &end->id2);
 	pop_string(msg, &end->cert);
+	pop_string(msg, &end->cert2);
 	pop_string(msg, &end->ca);
+	pop_string(msg, &end->ca2);
 	pop_string(msg, &end->groups);
 	pop_string(msg, &end->updown);
 	
 	DBG2(DBG_CFG, "  %s=%s", label, end->address);
 	DBG2(DBG_CFG, "  %ssubnet=%s", label, end->subnets);
 	DBG2(DBG_CFG, "  %ssourceip=%s", label, end->sourceip);
+	DBG2(DBG_CFG, "  %sauth=%s", label, end->auth);
+	DBG2(DBG_CFG, "  %sauth2=%s", label, end->auth2);
 	DBG2(DBG_CFG, "  %sid=%s", label, end->id);
+	DBG2(DBG_CFG, "  %sid2=%s", label, end->id2);
 	DBG2(DBG_CFG, "  %scert=%s", label, end->cert);
+	DBG2(DBG_CFG, "  %scert2=%s", label, end->cert2);
 	DBG2(DBG_CFG, "  %sca=%s", label, end->ca);
+	DBG2(DBG_CFG, "  %sca2=%s", label, end->ca2);
 	DBG2(DBG_CFG, "  %sgroups=%s", label, end->groups);
 	DBG2(DBG_CFG, "  %supdown=%s", label, end->updown);
 }
@@ -333,8 +341,15 @@ static void stroke_reread(private_stroke_socket_t *this,
 static void stroke_purge(private_stroke_socket_t *this,
 						 stroke_msg_t *msg, FILE *out)
 {
-	charon->credentials->flush_cache(charon->credentials,
-									 CERT_X509_OCSP_RESPONSE);
+	if (msg->purge.flags & PURGE_OCSP)
+	{
+		charon->credentials->flush_cache(charon->credentials,
+										 CERT_X509_OCSP_RESPONSE);
+	}
+	if (msg->purge.flags & PURGE_IKE)
+	{
+		this->control->purge_ike(this->control, msg, out);
+	}
 }
 
 /**
@@ -351,16 +366,16 @@ static void stroke_leases(private_stroke_socket_t *this,
 
 debug_t get_group_from_name(char *type)
 {
-	if (strcasecmp(type, "any") == 0) return DBG_ANY;
-	else if (strcasecmp(type, "mgr") == 0) return DBG_MGR;
-	else if (strcasecmp(type, "ike") == 0) return DBG_IKE;
-	else if (strcasecmp(type, "chd") == 0) return DBG_CHD;
-	else if (strcasecmp(type, "job") == 0) return DBG_JOB;
-	else if (strcasecmp(type, "cfg") == 0) return DBG_CFG;
-	else if (strcasecmp(type, "knl") == 0) return DBG_KNL;
-	else if (strcasecmp(type, "net") == 0) return DBG_NET;
-	else if (strcasecmp(type, "enc") == 0) return DBG_ENC;
-	else if (strcasecmp(type, "lib") == 0) return DBG_LIB;
+	if (strcaseeq(type, "any")) return DBG_ANY;
+	else if (strcaseeq(type, "mgr")) return DBG_MGR;
+	else if (strcaseeq(type, "ike")) return DBG_IKE;
+	else if (strcaseeq(type, "chd")) return DBG_CHD;
+	else if (strcaseeq(type, "job")) return DBG_JOB;
+	else if (strcaseeq(type, "cfg")) return DBG_CFG;
+	else if (strcaseeq(type, "knl")) return DBG_KNL;
+	else if (strcaseeq(type, "net")) return DBG_NET;
+	else if (strcaseeq(type, "enc")) return DBG_ENC;
+	else if (strcaseeq(type, "lib")) return DBG_LIB;
 	else return -1;
 }
 
@@ -561,8 +576,11 @@ static job_requeue_t receive(private_stroke_socket_t *this)
  */
 static bool open_socket(private_stroke_socket_t *this)
 {
-	struct sockaddr_un socket_addr = { AF_UNIX, STROKE_SOCKET};
+	struct sockaddr_un socket_addr;
 	mode_t old;
+
+	socket_addr.sun_family = AF_UNIX;
+	strcpy(socket_addr.sun_path, STROKE_SOCKET);
 	
 	/* set up unix socket */
 	this->socket = socket(AF_UNIX, SOCK_STREAM, 0);
diff --git a/src/charon/plugins/stroke/stroke_socket.h b/src/charon/plugins/stroke/stroke_socket.h
index 7a772c56c..6073f5133 100644
--- a/src/charon/plugins/stroke/stroke_socket.h
+++ b/src/charon/plugins/stroke/stroke_socket.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 /**
diff --git a/src/charon/plugins/uci/Makefile.in b/src/charon/plugins/uci/Makefile.in
index a29d2d4b1..e599135cb 100644
--- a/src/charon/plugins/uci/Makefile.in
+++ b/src/charon/plugins/uci/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -88,6 +88,7 @@ CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -110,6 +111,9 @@ LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -121,6 +125,7 @@ MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
 NM = @NM@
 NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
@@ -134,6 +139,8 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 RANLIB = @RANLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -194,6 +201,7 @@ oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
 plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -205,6 +213,7 @@ srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 xml_CFLAGS = @xml_CFLAGS@
@@ -227,8 +236,8 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
 	    *$$dep*) \
-	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
-		&& exit 0; \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
 	      exit 1;; \
 	  esac; \
 	done; \
@@ -326,7 +335,7 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
 	mkid -fID $$unique
 tags: TAGS
diff --git a/src/charon/plugins/uci/uci_config.c b/src/charon/plugins/uci/uci_config.c
index c9d54a532..e697e8be6 100644
--- a/src/charon/plugins/uci/uci_config.c
+++ b/src/charon/plugins/uci/uci_config.c
@@ -13,8 +13,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 #define _GNU_SOURCE
@@ -82,24 +80,6 @@ static proposal_t *create_proposal(char *string, protocol_id_t proto)
 	return proposal;
 }
 
-/**
- * create an identity, with fallback to %any
- */
-static identification_t *create_id(char *string)
-{
-	identification_t *id = NULL;
-	
-	if (string)
-	{
-		id = identification_create_from_string(string);
-	}
-	if (!id)
-	{
-		id = identification_create_from_encoding(ID_ANY, chunk_empty);
-	}
-	return id;
-}
-
 /**
  * create an traffic selector, fallback to dynamic
  */
@@ -163,8 +143,7 @@ static bool peer_enumerator_enumerate(peer_enumerator_t *this, peer_cfg_t **cfg)
 	char *remote_id, *remote_addr, *remote_net;
 	child_cfg_t *child_cfg;
 	ike_cfg_t *ike_cfg;
-	auth_info_t *auth;
-	auth_class_t class;
+	auth_cfg_t *auth;
 	
 	/* defaults */
 	name = "unnamed";
@@ -187,16 +166,26 @@ static bool peer_enumerator_enumerate(peer_enumerator_t *this, peer_cfg_t **cfg)
 		ike_cfg = ike_cfg_create(FALSE, FALSE, local_addr, remote_addr);
 		ike_cfg->add_proposal(ike_cfg, create_proposal(ike_proposal, PROTO_IKE));
 		this->peer_cfg = peer_cfg_create(
-					name, 2, ike_cfg, create_id(local_id), create_id(remote_id),
-					CERT_SEND_IF_ASKED, UNIQUE_NO,
+					name, 2, ike_cfg, CERT_SEND_IF_ASKED, UNIQUE_NO,
 					1, create_rekey(ike_rekey), 0,  /* keytries, rekey, reauth */
 					1800, 900,						/* jitter, overtime */
 					TRUE, 60, 						/* mobike, dpddelay */
 					NULL, NULL, 					/* vip, pool */
 					FALSE, NULL, NULL); 			/* mediation, med by, peer id */
-		auth = this->peer_cfg->get_auth(this->peer_cfg);
-		class = AUTH_CLASS_PSK;
-		auth->add_item(auth, AUTHN_AUTH_CLASS, &class);
+		auth = auth_cfg_create();
+		auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PSK);
+		auth->add(auth, AUTH_RULE_IDENTITY,
+				  identification_create_from_string(local_id));
+		this->peer_cfg->add_auth_cfg(this->peer_cfg, auth, TRUE);
+		
+		auth = auth_cfg_create();
+		auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PSK);
+		if (remote_id)
+		{
+			auth->add(auth, AUTH_RULE_IDENTITY,
+					  identification_create_from_string(remote_id));
+		}
+		this->peer_cfg->add_auth_cfg(this->peer_cfg, auth, FALSE);
 		child_cfg = child_cfg_create(name,
 					create_rekey(esp_rekey) + 300, create_rekey(ike_rekey), 300,
 					NULL, TRUE,	MODE_TUNNEL, ACTION_NONE, ACTION_NONE, FALSE);
diff --git a/src/charon/plugins/uci/uci_config.h b/src/charon/plugins/uci/uci_config.h
index 67893f771..eac05b1df 100644
--- a/src/charon/plugins/uci/uci_config.h
+++ b/src/charon/plugins/uci/uci_config.h
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 /**
diff --git a/src/charon/plugins/uci/uci_control.c b/src/charon/plugins/uci/uci_control.c
index 2ffdd2b7b..f74224fa7 100644
--- a/src/charon/plugins/uci/uci_control.c
+++ b/src/charon/plugins/uci/uci_control.c
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 #define _GNU_SOURCE
@@ -39,15 +37,15 @@ typedef struct private_uci_control_t private_uci_control_t;
  * private data of uci_control_t
  */
 struct private_uci_control_t {
-
+	
 	/**
- 	 * Public part
- 	 */
+	 * Public part
+	 */
 	uci_control_t public;
-
+	
 	/**
- 	 * Job 
- 	 */
+	 * Job 
+	 */
 	callback_job_t *job;
 };
 
@@ -86,13 +84,14 @@ static void status(private_uci_control_t *this, char *name)
 	char buf[2048];
 	FILE *out = NULL;
 	
-    configs = charon->backends->create_peer_cfg_enumerator(charon->backends);
-    while (configs->enumerate(configs, &peer_cfg))
-    {
-    	if (name && !streq(name, peer_cfg->get_name(peer_cfg)))
-    	{
-    		continue;
-    	}
+	configs = charon->backends->create_peer_cfg_enumerator(charon->backends,
+														NULL, NULL, NULL, NULL);
+	while (configs->enumerate(configs, &peer_cfg))
+	{
+		if (name && !streq(name, peer_cfg->get_name(peer_cfg)))
+		{
+			continue;
+		}
 		sas = charon->controller->create_ike_sa_enumerator(charon->controller);
 		while (sas->enumerate(sas, &ike_sa))
 		{
@@ -108,9 +107,9 @@ static void status(private_uci_control_t *this, char *name)
 					continue;
 				}
 			}
-	    	fprintf(out, "%-8s %-20D %-16H ", ike_sa->get_name(ike_sa),
-	    		ike_sa->get_other_id(ike_sa), ike_sa->get_other_host(ike_sa));
-	    	
+			fprintf(out, "%-8s %-20D %-16H ", ike_sa->get_name(ike_sa),
+				ike_sa->get_other_id(ike_sa), ike_sa->get_other_host(ike_sa));
+			
 			children = ike_sa->create_child_sa_iterator(ike_sa);
 			while (children->iterate(children, (void**)&child_sa))
 			{
@@ -118,7 +117,7 @@ static void status(private_uci_control_t *this, char *name)
 						child_sa->get_traffic_selectors(child_sa, FALSE));
 			}
 			children->destroy(children);
-	    	fprintf(out, "\n");
+			fprintf(out, "\n");
 		}
 		sas->destroy(sas);
 	}
@@ -142,7 +141,7 @@ static void initiate(private_uci_control_t *this, char *name)
 	peer_cfg_t *peer_cfg;
 	child_cfg_t *child_cfg;
 	enumerator_t *enumerator;
-
+	
 	peer_cfg = charon->backends->get_peer_cfg_by_name(charon->backends, name);
 	if (peer_cfg)
 	{
@@ -174,7 +173,7 @@ static void terminate(private_uci_control_t *this, char *name)
 	enumerator_t *enumerator;
 	ike_sa_t *ike_sa;
 	u_int id;
-
+	
 	enumerator = charon->controller->create_ike_sa_enumerator(charon->controller);
 	while (enumerator->enumerate(enumerator, &ike_sa))
 	{
@@ -240,7 +239,7 @@ static job_requeue_t receive(private_uci_control_t *this)
 	char message[128];
 	int oldstate, len;
 	FILE *in;
-
+	
 	memset(message, 0, sizeof(message));
 	pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
 	in = fopen(FIFO_FILE, "r");
@@ -281,9 +280,9 @@ static void destroy(private_uci_control_t *this)
 uci_control_t *uci_control_create()
 {
 	private_uci_control_t *this = malloc_thing(private_uci_control_t);
-
+	
 	this->public.destroy = (void(*)(uci_control_t*))destroy;
-
+	
 	unlink(FIFO_FILE);
 	if (mkfifo(FIFO_FILE, S_IRUSR|S_IWUSR) != 0)
 	{
diff --git a/src/charon/plugins/uci/uci_control.h b/src/charon/plugins/uci/uci_control.h
index b5db32226..527ed82e7 100644
--- a/src/charon/plugins/uci/uci_control.h
+++ b/src/charon/plugins/uci/uci_control.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 /**
diff --git a/src/charon/plugins/uci/uci_creds.c b/src/charon/plugins/uci/uci_creds.c
index 60f6fc934..05bc6e109 100644
--- a/src/charon/plugins/uci/uci_creds.c
+++ b/src/charon/plugins/uci/uci_creds.c
@@ -13,8 +13,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 #include "uci_creds.h"
@@ -81,10 +79,6 @@ static bool shared_enumerator_enumerate(shared_enumerator_t *this,
 		if (me)
 		{
 			local = identification_create_from_string(local_id);
-			if (!local)
-			{
-				continue;
-			}
 			*me = this->me ? this->me->matches(this->me, local)
 						   : ID_MATCH_ANY;
 			local->destroy(local);
@@ -96,10 +90,6 @@ static bool shared_enumerator_enumerate(shared_enumerator_t *this,
 		if (other)
 		{
 			remote = identification_create_from_string(remote_id);
-			if (!remote)
-			{
-				continue;
-			}
 			*other = this->other ? this->other->matches(this->other, remote)
 								 : ID_MATCH_ANY;
 			remote->destroy(remote);
diff --git a/src/charon/plugins/uci/uci_creds.h b/src/charon/plugins/uci/uci_creds.h
index f1573a8a3..de50984a9 100644
--- a/src/charon/plugins/uci/uci_creds.h
+++ b/src/charon/plugins/uci/uci_creds.h
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 /**
diff --git a/src/charon/plugins/uci/uci_parser.c b/src/charon/plugins/uci/uci_parser.c
index 8f4acb938..f994e36f7 100644
--- a/src/charon/plugins/uci/uci_parser.c
+++ b/src/charon/plugins/uci/uci_parser.c
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 #include "uci_parser.h"
diff --git a/src/charon/plugins/uci/uci_parser.h b/src/charon/plugins/uci/uci_parser.h
index b3e76962b..ef3d7b0f5 100644
--- a/src/charon/plugins/uci/uci_parser.h
+++ b/src/charon/plugins/uci/uci_parser.h
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 /**
diff --git a/src/charon/plugins/uci/uci_plugin.c b/src/charon/plugins/uci/uci_plugin.c
index fd84b224c..3ab4c92f8 100644
--- a/src/charon/plugins/uci/uci_plugin.c
+++ b/src/charon/plugins/uci/uci_plugin.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 #include "uci_plugin.h"
diff --git a/src/charon/plugins/uci/uci_plugin.h b/src/charon/plugins/uci/uci_plugin.h
index d9a888aa1..e7743227c 100644
--- a/src/charon/plugins/uci/uci_plugin.h
+++ b/src/charon/plugins/uci/uci_plugin.h
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 /**
diff --git a/src/charon/plugins/unit_tester/Makefile.am b/src/charon/plugins/unit_tester/Makefile.am
index 9c86aa69f..50c5e0362 100644
--- a/src/charon/plugins/unit_tester/Makefile.am
+++ b/src/charon/plugins/unit_tester/Makefile.am
@@ -8,7 +8,6 @@ plugin_LTLIBRARIES = libstrongswan-unit-tester.la
 libstrongswan_unit_tester_la_SOURCES = unit_tester.c unit_tester.h tests.h \
   tests/test_enumerator.c \
   tests/test_auth_info.c \
-  tests/test_fips_prf.c \
   tests/test_curl.c \
   tests/test_mysql.c \
   tests/test_sqlite.c \
@@ -16,11 +15,10 @@ libstrongswan_unit_tester_la_SOURCES = unit_tester.c unit_tester.h tests.h \
   tests/test_rsa_gen.c \
   tests/test_cert.c \
   tests/test_med_db.c \
-  tests/test_aes.c \
   tests/test_chunk.c \
   tests/test_pool.c \
   tests/test_agent.c \
-  tests/test_rng.c
+  tests/test_id.c
 
 libstrongswan_unit_tester_la_LDFLAGS = -module
 
diff --git a/src/charon/plugins/unit_tester/Makefile.in b/src/charon/plugins/unit_tester/Makefile.in
index 537ec127e..2ee5e48d8 100644
--- a/src/charon/plugins/unit_tester/Makefile.in
+++ b/src/charon/plugins/unit_tester/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -51,10 +51,10 @@ pluginLTLIBRARIES_INSTALL = $(INSTALL)
 LTLIBRARIES = $(plugin_LTLIBRARIES)
 libstrongswan_unit_tester_la_LIBADD =
 am_libstrongswan_unit_tester_la_OBJECTS = unit_tester.lo \
-	test_enumerator.lo test_auth_info.lo test_fips_prf.lo \
-	test_curl.lo test_mysql.lo test_sqlite.lo test_mutex.lo \
-	test_rsa_gen.lo test_cert.lo test_med_db.lo test_aes.lo \
-	test_chunk.lo test_pool.lo test_agent.lo test_rng.lo
+	test_enumerator.lo test_auth_info.lo test_curl.lo \
+	test_mysql.lo test_sqlite.lo test_mutex.lo test_rsa_gen.lo \
+	test_cert.lo test_med_db.lo test_chunk.lo test_pool.lo \
+	test_agent.lo test_id.lo
 libstrongswan_unit_tester_la_OBJECTS =  \
 	$(am_libstrongswan_unit_tester_la_OBJECTS)
 libstrongswan_unit_tester_la_LINK = $(LIBTOOL) --tag=CC \
@@ -93,6 +93,7 @@ CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -115,6 +116,9 @@ LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -126,6 +130,7 @@ MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
 NM = @NM@
 NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
@@ -139,6 +144,8 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 RANLIB = @RANLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -199,6 +206,7 @@ oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
 plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -210,6 +218,7 @@ srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 xml_CFLAGS = @xml_CFLAGS@
@@ -220,7 +229,6 @@ plugin_LTLIBRARIES = libstrongswan-unit-tester.la
 libstrongswan_unit_tester_la_SOURCES = unit_tester.c unit_tester.h tests.h \
   tests/test_enumerator.c \
   tests/test_auth_info.c \
-  tests/test_fips_prf.c \
   tests/test_curl.c \
   tests/test_mysql.c \
   tests/test_sqlite.c \
@@ -228,11 +236,10 @@ libstrongswan_unit_tester_la_SOURCES = unit_tester.c unit_tester.h tests.h \
   tests/test_rsa_gen.c \
   tests/test_cert.c \
   tests/test_med_db.c \
-  tests/test_aes.c \
   tests/test_chunk.c \
   tests/test_pool.c \
   tests/test_agent.c \
-  tests/test_rng.c
+  tests/test_id.c
 
 libstrongswan_unit_tester_la_LDFLAGS = -module
 all: all-am
@@ -243,8 +250,8 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
 	    *$$dep*) \
-	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
-		&& exit 0; \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
 	      exit 1;; \
 	  esac; \
 	done; \
@@ -304,19 +311,17 @@ mostlyclean-compile:
 distclean-compile:
 	-rm -f *.tab.c
 
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_aes.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_agent.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_auth_info.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_cert.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_chunk.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_curl.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_enumerator.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_fips_prf.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_id.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_med_db.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_mutex.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_mysql.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_pool.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_rng.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_rsa_gen.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_sqlite.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/unit_tester.Plo@am__quote@
@@ -356,13 +361,6 @@ test_auth_info.lo: tests/test_auth_info.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_auth_info.lo `test -f 'tests/test_auth_info.c' || echo '$(srcdir)/'`tests/test_auth_info.c
 
-test_fips_prf.lo: tests/test_fips_prf.c
-@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_fips_prf.lo -MD -MP -MF $(DEPDIR)/test_fips_prf.Tpo -c -o test_fips_prf.lo `test -f 'tests/test_fips_prf.c' || echo '$(srcdir)/'`tests/test_fips_prf.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/test_fips_prf.Tpo $(DEPDIR)/test_fips_prf.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tests/test_fips_prf.c' object='test_fips_prf.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_fips_prf.lo `test -f 'tests/test_fips_prf.c' || echo '$(srcdir)/'`tests/test_fips_prf.c
-
 test_curl.lo: tests/test_curl.c
 @am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_curl.lo -MD -MP -MF $(DEPDIR)/test_curl.Tpo -c -o test_curl.lo `test -f 'tests/test_curl.c' || echo '$(srcdir)/'`tests/test_curl.c
 @am__fastdepCC_TRUE@	mv -f $(DEPDIR)/test_curl.Tpo $(DEPDIR)/test_curl.Plo
@@ -412,13 +410,6 @@ test_med_db.lo: tests/test_med_db.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_med_db.lo `test -f 'tests/test_med_db.c' || echo '$(srcdir)/'`tests/test_med_db.c
 
-test_aes.lo: tests/test_aes.c
-@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_aes.lo -MD -MP -MF $(DEPDIR)/test_aes.Tpo -c -o test_aes.lo `test -f 'tests/test_aes.c' || echo '$(srcdir)/'`tests/test_aes.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/test_aes.Tpo $(DEPDIR)/test_aes.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tests/test_aes.c' object='test_aes.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_aes.lo `test -f 'tests/test_aes.c' || echo '$(srcdir)/'`tests/test_aes.c
-
 test_chunk.lo: tests/test_chunk.c
 @am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_chunk.lo -MD -MP -MF $(DEPDIR)/test_chunk.Tpo -c -o test_chunk.lo `test -f 'tests/test_chunk.c' || echo '$(srcdir)/'`tests/test_chunk.c
 @am__fastdepCC_TRUE@	mv -f $(DEPDIR)/test_chunk.Tpo $(DEPDIR)/test_chunk.Plo
@@ -440,12 +431,12 @@ test_agent.lo: tests/test_agent.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_agent.lo `test -f 'tests/test_agent.c' || echo '$(srcdir)/'`tests/test_agent.c
 
-test_rng.lo: tests/test_rng.c
-@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_rng.lo -MD -MP -MF $(DEPDIR)/test_rng.Tpo -c -o test_rng.lo `test -f 'tests/test_rng.c' || echo '$(srcdir)/'`tests/test_rng.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/test_rng.Tpo $(DEPDIR)/test_rng.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tests/test_rng.c' object='test_rng.lo' libtool=yes @AMDEPBACKSLASH@
+test_id.lo: tests/test_id.c
+@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_id.lo -MD -MP -MF $(DEPDIR)/test_id.Tpo -c -o test_id.lo `test -f 'tests/test_id.c' || echo '$(srcdir)/'`tests/test_id.c
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/test_id.Tpo $(DEPDIR)/test_id.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tests/test_id.c' object='test_id.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_rng.lo `test -f 'tests/test_rng.c' || echo '$(srcdir)/'`tests/test_rng.c
+@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_id.lo `test -f 'tests/test_id.c' || echo '$(srcdir)/'`tests/test_id.c
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -458,7 +449,7 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
 	mkid -fID $$unique
 tags: TAGS
diff --git a/src/charon/plugins/unit_tester/tests.h b/src/charon/plugins/unit_tester/tests.h
index 7a5aa5ab8..dcf2a5d18 100644
--- a/src/charon/plugins/unit_tester/tests.h
+++ b/src/charon/plugins/unit_tester/tests.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: tests.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -25,8 +23,7 @@ DEFINE_TEST("simple enumerator", test_enumerate, FALSE)
 DEFINE_TEST("nested enumerator", test_enumerate_nested, FALSE)
 DEFINE_TEST("filtered enumerator", test_enumerate_filtered, FALSE)
 DEFINE_TEST("token enumerator", test_enumerate_token, FALSE)
-DEFINE_TEST("auth info", test_auth_info, FALSE)
-DEFINE_TEST("FIPS PRF", fips_prf_test, FALSE)
+DEFINE_TEST("auth cfg", test_auth_cfg, FALSE)
 DEFINE_TEST("CURL get", test_curl_get, FALSE)
 DEFINE_TEST("MySQL operations", test_mysql, FALSE)
 DEFINE_TEST("SQLite operations", test_sqlite, FALSE)
@@ -35,11 +32,9 @@ DEFINE_TEST("RSA key generation", test_rsa_gen, FALSE)
 DEFINE_TEST("RSA subjectPublicKeyInfo loading", test_rsa_load_any, FALSE)
 DEFINE_TEST("X509 certificate", test_cert_x509, FALSE)
 DEFINE_TEST("Mediation database key fetch", test_med_db, FALSE)
-DEFINE_TEST("AES-128 encryption", test_aes128, FALSE)
-DEFINE_TEST("AES-XCBC", test_aes_xcbc, FALSE)
 DEFINE_TEST("Base64 converter", test_chunk_base64, FALSE)
 DEFINE_TEST("IP pool", test_pool, FALSE)
 DEFINE_TEST("SSH agent", test_agent, FALSE)
-DEFINE_TEST("RNG quality", test_rng, FALSE)
+DEFINE_TEST("ID parts", test_id_parts, FALSE)
 
 /** @}*/
diff --git a/src/charon/plugins/unit_tester/tests/test_aes.c b/src/charon/plugins/unit_tester/tests/test_aes.c
deleted file mode 100644
index 06e891d83..000000000
--- a/src/charon/plugins/unit_tester/tests/test_aes.c
+++ /dev/null
@@ -1,467 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <daemon.h>
-#include <library.h>
-#include <utils/mutex.h>
-
-#include <unistd.h>
-#include <sched.h>
-#include <pthread.h>
-
-/**
- * run a test using given values
- */
-static bool do_aes_test(u_char *key, int keysize, u_char *iv, 
-						u_char *plain, u_char *cipher, int len)
-{
-	crypter_t *crypter;
-	chunk_t enc, dec;
-	bool good = TRUE;
-	
-	crypter = lib->crypto->create_crypter(lib->crypto, ENCR_AES_CBC, keysize);
-	if (!crypter)
-	{
-		return FALSE;
-	}
-	crypter->set_key(crypter, chunk_create(key, keysize));
-	crypter->encrypt(crypter,
-					 chunk_create(plain, len), chunk_create(iv, 16), &enc);
-	if (!memeq(enc.ptr, cipher, len))
-	{
-		good = FALSE;
-	}
-	crypter->decrypt(crypter, enc, chunk_create(iv, 16), &dec);
-	if (!memeq(dec.ptr, plain, len))
-	{
-		good = FALSE;
-	}
-	free(enc.ptr);
-	free(dec.ptr);
-	crypter->destroy(crypter);
-	return good;
-}
-
-/*******************************************************************************
- * AES-128 test
- ******************************************************************************/
-bool test_aes128()
-{
-	/*
-	 * Test 1 of RFC3602
-	 * Key       : 0x06a9214036b8a15b512e03d534120006
-	 * IV        : 0x3dafba429d9eb430b422da802c9fac41
-	 * Plaintext : "Single block msg"
-	 * Ciphertext: 0xe353779c1079aeb82708942dbe77181a	
-	 */
-	u_char key1[] = {
-		0x06,0xa9,0x21,0x40,0x36,0xb8,0xa1,0x5b,
-		0x51,0x2e,0x03,0xd5,0x34,0x12,0x00,0x06
-	};
-	u_char iv1[] = {
-		0x3d,0xaf,0xba,0x42,0x9d,0x9e,0xb4,0x30,
-		0xb4,0x22,0xda,0x80,0x2c,0x9f,0xac,0x41
-	};
-	u_char plain1[] = {
-		'S','i','n','g','l','e',' ','b','l','o','c','k',' ','m','s','g'
-	};
-	u_char cipher1[] = {
-		0xe3,0x53,0x77,0x9c,0x10,0x79,0xae,0xb8,
-		0x27,0x08,0x94,0x2d,0xbe,0x77,0x18,0x1a
-	};
-	if (!do_aes_test(key1, 16, iv1, plain1, cipher1, sizeof(plain1)))
-	{
-		return FALSE;
-	}
-	
-	/*
-	 * Test 2 of RFC3602
-	 * Key       : 0xc286696d887c9aa0611bbb3e2025a45a
-	 * IV        : 0x562e17996d093d28ddb3ba695a2e6f58
-	 * Plaintext : 0x000102030405060708090a0b0c0d0e0f
-	 *              101112131415161718191a1b1c1d1e1f
-	 * Ciphertext: 0xd296cd94c2cccf8a3a863028b5e1dc0a
-     *		        7586602d253cfff91b8266bea6d61ab1	
-	 */
-	u_char key2[] = {
-		0xc2,0x86,0x69,0x6d,0x88,0x7c,0x9a,0xa0,
-		0x61,0x1b,0xbb,0x3e,0x20,0x25,0xa4,0x5a
-	};
-	u_char iv2[] = {
-		0x56,0x2e,0x17,0x99,0x6d,0x09,0x3d,0x28,
-		0xdd,0xb3,0xba,0x69,0x5a,0x2e,0x6f,0x58
-	};
-	u_char plain2[] = {
-		0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,
-		0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f,
-		0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,
-		0x18,0x19,0x1a,0x1b,0x1c,0x1d,0x1e,0x1f
-	};
-	u_char cipher2[] = {
-		0xd2,0x96,0xcd,0x94,0xc2,0xcc,0xcf,0x8a,
-		0x3a,0x86,0x30,0x28,0xb5,0xe1,0xdc,0x0a,
-		0x75,0x86,0x60,0x2d,0x25,0x3c,0xff,0xf9,
-		0x1b,0x82,0x66,0xbe,0xa6,0xd6,0x1a,0xb1
-	};
-	if (!do_aes_test(key2, 16, iv2, plain2, cipher2, sizeof(plain2)))
-	{
-		return FALSE;
-	}
-	 
-	/*
-	 * Test 3 of RFC3603
-	 * Key       : 0x56e47a38c5598974bc46903dba290349
-	 * IV        : 0x8ce82eefbea0da3c44699ed7db51b7d9
-	 * Plaintext : 0xa0a1a2a3a4a5a6a7a8a9aaabacadaeaf
-     *		       b0b1b2b3b4b5b6b7b8b9babbbcbdbebf
-     *             c0c1c2c3c4c5c6c7c8c9cacbcccdcecf
-     *             d0d1d2d3d4d5d6d7d8d9dadbdcdddedf
-	 * Ciphertext: 0xc30e32ffedc0774e6aff6af0869f71aa
-     *             0f3af07a9a31a9c684db207eb0ef8e4e
-     *             35907aa632c3ffdf868bb7b29d3d46ad
-     *             83ce9f9a102ee99d49a53e87f4c3da55	
-	 */
-	u_char key3[] = {
-		0x56,0xe4,0x7a,0x38,0xc5,0x59,0x89,0x74,
-		0xbc,0x46,0x90,0x3d,0xba,0x29,0x03,0x49
-	};
-	u_char iv3[] = {
-		0x8c,0xe8,0x2e,0xef,0xbe,0xa0,0xda,0x3c,
-		0x44,0x69,0x9e,0xd7,0xdb,0x51,0xb7,0xd9
-	};
-	u_char plain3[] = {
-		0xa0,0xa1,0xa2,0xa3,0xa4,0xa5,0xa6,0xa7,
-		0xa8,0xa9,0xaa,0xab,0xac,0xad,0xae,0xaf,
-		0xb0,0xb1,0xb2,0xb3,0xb4,0xb5,0xb6,0xb7,
-		0xb8,0xb9,0xba,0xbb,0xbc,0xbd,0xbe,0xbf,
-		0xc0,0xc1,0xc2,0xc3,0xc4,0xc5,0xc6,0xc7,
-		0xc8,0xc9,0xca,0xcb,0xcc,0xcd,0xce,0xcf,
-		0xd0,0xd1,0xd2,0xd3,0xd4,0xd5,0xd6,0xd7,
-		0xd8,0xd9,0xda,0xdb,0xdc,0xdd,0xde,0xdf
-	};
-	u_char cipher3[] = {
-		0xc3,0x0e,0x32,0xff,0xed,0xc0,0x77,0x4e,
-		0x6a,0xff,0x6a,0xf0,0x86,0x9f,0x71,0xaa,
-		0x0f,0x3a,0xf0,0x7a,0x9a,0x31,0xa9,0xc6,
-		0x84,0xdb,0x20,0x7e,0xb0,0xef,0x8e,0x4e,
-		0x35,0x90,0x7a,0xa6,0x32,0xc3,0xff,0xdf,
-		0x86,0x8b,0xb7,0xb2,0x9d,0x3d,0x46,0xad,
-		0x83,0xce,0x9f,0x9a,0x10,0x2e,0xe9,0x9d,
-		0x49,0xa5,0x3e,0x87,0xf4,0xc3,0xda,0x55
-	};
-	if (!do_aes_test(key3, 16, iv3, plain3, cipher3, sizeof(plain3)))
-	{
-		return FALSE;
-	}
-	return TRUE;
-}
-
-/**
- * run a single xcbc test for prf and signer
- */
-static bool do_xcbc_test(u_int8_t *key, size_t keylen, u_int8_t *mac,
-						 u_int8_t *plain, size_t len)
-{
-	signer_t *signer;
-	prf_t *prf;
-	u_int8_t res[16];
-	
-	prf = lib->crypto->create_prf(lib->crypto, PRF_AES128_XCBC);
-	if (!prf)
-	{
-		return FALSE;
-	}
-	prf->set_key(prf, chunk_create(key, keylen));
-	prf->get_bytes(prf, chunk_create(plain, len), res);
-	if (!memeq(res, mac, 16))
-	{
-		DBG1(DBG_CFG, "expected %b\ngot %b", mac, 16, res, 16);
-		prf->destroy(prf);
-		return FALSE;
-	}
-	prf->destroy(prf);
-	
-	signer = lib->crypto->create_signer(lib->crypto, AUTH_AES_XCBC_96);
-	if (!signer)
-	{
-		return FALSE;
-	}
-	signer->set_key(signer, chunk_create(key, keylen));
-	if (!signer->verify_signature(signer, chunk_create(plain, len),
-								  chunk_create(mac, 12)))
-	{
-		return FALSE;
-	}
-	signer->destroy(signer);
-	return TRUE;
-}
-
-
-/*******************************************************************************
- * AES_XCBC mac test
- ******************************************************************************/
-bool test_aes_xcbc()
-{
-	/*  Vectors from RFC 3566 */
-
-	/* Test Case #1   : AES-XCBC-MAC-96 with 0-byte input
-	 * Key (K)        : 000102030405060708090a0b0c0d0e0f
-	 * Message (M)    : <empty string>
-	 * AES-XCBC-MAC   : 75f0251d528ac01c4573dfd584d79f29
-	 * AES-XCBC-MAC-96: 75f0251d528ac01c4573dfd5
-	 */
-	u_char key1[] = {
-		0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,
-		0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f
-	};
-	u_char plain1[] = {
-	};
-	u_char mac1[] = {
-		0x75,0xf0,0x25,0x1d,0x52,0x8a,0xc0,0x1c,
-		0x45,0x73,0xdf,0xd5,0x84,0xd7,0x9f,0x29
-	};
-	if (!do_xcbc_test(key1, 16,  mac1, plain1, sizeof(plain1)))
-	{
-		return FALSE;
-	}
-	
-	/*
-	 * Test Case #2   : AES-XCBC-MAC-96 with 3-byte input
-	 * Key (K)        : 000102030405060708090a0b0c0d0e0f
-	 * Message (M)    : 000102
-	 * AES-XCBC-MAC   : 5b376580ae2f19afe7219ceef172756f
-	 * AES-XCBC-MAC-96: 5b376580ae2f19afe7219cee
-	 */
-	u_char key2[] = {
-		0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,
-		0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f
-	};
-	u_char plain2[] = {
-		0x00,0x01,0x02
-	};
-	u_char mac2[] = {
-		0x5b,0x37,0x65,0x80,0xae,0x2f,0x19,0xaf,
-		0xe7,0x21,0x9c,0xee,0xf1,0x72,0x75,0x6f
-	};
-	if (!do_xcbc_test(key2, 16,  mac2, plain2, sizeof(plain2)))
-	{
-		return FALSE;
-	}
-
-	/* Test Case #3   : AES-XCBC-MAC-96 with 16-byte input
-	 * Key (K)        : 000102030405060708090a0b0c0d0e0f
-	 * Message (M)    : 000102030405060708090a0b0c0d0e0f
-	 * AES-XCBC-MAC   : d2a246fa349b68a79998a4394ff7a263
-	 * AES-XCBC-MAC-96: d2a246fa349b68a79998a439
-	 */
-	u_char key3[] = {
-		0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,
-		0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f
-	};
-	u_char plain3[] = {
-		0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,
-		0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f
-	};
-	u_char mac3[] = {
-		0xd2,0xa2,0x46,0xfa,0x34,0x9b,0x68,0xa7,
-		0x99,0x98,0xa4,0x39,0x4f,0xf7,0xa2,0x63
-	};
-	if (!do_xcbc_test(key3, 16,  mac3, plain3, sizeof(plain3)))
-	{
-		return FALSE;
-	}
-
-	/* Test Case #4   : AES-XCBC-MAC-96 with 20-byte input
-	 * Key (K)        : 000102030405060708090a0b0c0d0e0f
-	 * Message (M)    : 000102030405060708090a0b0c0d0e0f10111213
-	 * AES-XCBC-MAC   : 47f51b4564966215b8985c63055ed308
-	 * AES-XCBC-MAC-96: 47f51b4564966215b8985c63
-	 */
-	u_char key4[] = {
-		0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,
-		0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f
-	};
-	u_char plain4[] = {
-		0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,
-		0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f,
-		0x10,0x11,0x12,0x13
-	};
-	u_char mac4[] = {
-		0x47,0xf5,0x1b,0x45,0x64,0x96,0x62,0x15,
-		0xb8,0x98,0x5c,0x63,0x05,0x5e,0xd3,0x08
-	};
-	if (!do_xcbc_test(key4, 16,  mac4, plain4, sizeof(plain4)))
-	{
-		return FALSE;
-	}
-
-	/* Test Case #5   : AES-XCBC-MAC-96 with 32-byte input
-	 * Key (K)        : 000102030405060708090a0b0c0d0e0f
-	 * Message (M)    : 000102030405060708090a0b0c0d0e0f10111213141516171819
-	 * 	                1a1b1c1d1e1f
-	 * AES-XCBC-MAC   : f54f0ec8d2b9f3d36807734bd5283fd4
-	 * AES-XCBC-MAC-96: f54f0ec8d2b9f3d36807734b
-	 */
-	u_char key5[] = {
-		0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,
-		0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f
-	};
-	u_char plain5[] = {
-		0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,
-		0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f,
-		0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,
-		0x18,0x19,0x1a,0x1b,0x1c,0x1d,0x1e,0x1f
-	};
-	u_char mac5[] = {
-		0xf5,0x4f,0x0e,0xc8,0xd2,0xb9,0xf3,0xd3,
-		0x68,0x07,0x73,0x4b,0xd5,0x28,0x3f,0xd4
-	};
-	if (!do_xcbc_test(key5, 16,  mac5, plain5, sizeof(plain5)))
-	{
-		return FALSE;
-	}
-	
-	/* Test Case #7   : AES-XCBC-MAC-96 with 1000-byte input
-	 * Key (K)        : 000102030405060708090a0b0c0d0e0f
-	 * Message (M)    : 00000000000000000000 ... 00000000000000000000
-	 *                  [1000 bytes]
-	 * AES-XCBC-MAC   : f0dafee895db30253761103b5d84528f
-	 * AES-XCBC-MAC-96: f0dafee895db30253761103b
-	 */
-	u_char key7[] = {
-		0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,
-		0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f
-	};
-	u_char plain7[1000];
-	memset(plain7, 0, 1000);
-	u_char mac7[] = {
-		0xf0,0xda,0xfe,0xe8,0x95,0xdb,0x30,0x25,
-		0x37,0x61,0x10,0x3b,0x5d,0x84,0x52,0x8f
-	};
-	if (!do_xcbc_test(key7, 16, mac7, plain7, sizeof(plain7)))
-	{
-		return FALSE;
-	}
-	
-	/* variable key test, RFC4434 */
-	
-	/* Test Case AES-XCBC-PRF-128 with 20-byte input
-	 * Key        : 00010203040506070809
-	 * Message    : 000102030405060708090a0b0c0d0e0f10111213
-	 * PRF Output : 0fa087af7d866e7653434e602fdde835
-	 */
-	u_char key8[] = {
-		0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,
-		0x08,0x09,
-	};
-	u_char plain8[] = {
-		0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,
-		0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f,
-		0x10,0x11,0x12,0x13
-	};
-	u_char mac8[] = {
-		0x0f,0xa0,0x87,0xaf,0x7d,0x86,0x6e,0x76,
-		0x53,0x43,0x4e,0x60,0x2f,0xdd,0xe8,0x35
-	};
-	if (!do_xcbc_test(key8, 10, mac8, plain8, sizeof(plain8)))
-	{
-		return FALSE;
-	}
-
-	/* Test Case AES-XCBC-PRF-128 with 20-byte input
-	 * Key        : 000102030405060708090a0b0c0d0e0fedcb
-	 * Message    : 000102030405060708090a0b0c0d0e0f10111213
-	 * PRF Output : 8cd3c93ae598a9803006ffb67c40e9e4
-	 */
-	u_char key9[] = {
-		0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,
-		0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f,
-		0xed,0xcb
-	};
-	u_char plain9[] = {
-		0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,
-		0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f,
-		0x10,0x11,0x12,0x13
-	};
-	u_char mac9[] = {
-		0x8c,0xd3,0xc9,0x3a,0xe5,0x98,0xa9,0x80,
-		0x30,0x06,0xff,0xb6,0x7c,0x40,0xe9,0xe4
-	};
-	if (!do_xcbc_test(key9, 18, mac9, plain9, sizeof(plain9)))
-	{
-		return FALSE;
-	}
-	
-	
-	/* Test Case #10  : AES-XCBC-MAC-96 with 32-byte input using append mode
-	 * Key (K)        : 000102030405060708090a0b0c0d0e0f
-	 * Message (M)    : 000102030405060708090a0b0c0d0e0f10111213141516171819
-	 * 	                1a1b1c1d1e1f
-	 * AES-XCBC-MAC   : f54f0ec8d2b9f3d36807734bd5283fd4
-	 * AES-XCBC-MAC-96: f54f0ec8d2b9f3d36807734b
-	 */
-	u_char key10[] = {
-		0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,
-		0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f
-	};
-	u_char plain10[] = {
-		0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,
-		0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f,
-		0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,
-		0x18,0x19,0x1a,0x1b,0x1c,0x1d,0x1e,0x1f
-	};
-	u_char mac10[] = {
-		0xf5,0x4f,0x0e,0xc8,0xd2,0xb9,0xf3,0xd3,
-		0x68,0x07,0x73,0x4b,0xd5,0x28,0x3f,0xd4
-	};
-	int i;
-	prf_t *prf = lib->crypto->create_prf(lib->crypto, PRF_AES128_XCBC);
-	u_char res[16];
-	if (!prf)
-	{
-		return FALSE;
-	}
-	prf->set_key(prf, chunk_create(key10, sizeof(key10)));
-	for (i = 0; i < 4; i++)
-	{	/* bytes 0 - 3, 1 byte at once */
-		prf->get_bytes(prf, chunk_create(plain10 + i, 1), NULL);
-	}
-	for (i = 4; i < 5; i+=8)
-	{	/* bytes 4 - 11, at once */
-		prf->get_bytes(prf, chunk_create(plain10 + i, 8), NULL);
-	}
-	for (i = 12; i < 24; i+=4)
-	{	/* bytes 12 - 23, in blocks of 4 */
-		prf->get_bytes(prf, chunk_create(plain10 + i, 4), NULL);
-	}
-	for (i = 0; i < 4; i++)
-	{	/* 4 zero blobs */
-		prf->get_bytes(prf, chunk_create(NULL, 0), NULL);
-	}
-	for (i = 24; i < 25; i+=8)
-	{	/* bytes 24 - 32, at once */
-		prf->get_bytes(prf, chunk_create(plain10 + i, 8), res);
-	}
-	if (!memeq(res, mac10, 16))
-	{
-		DBG1(DBG_CFG, "expected %b\ngot %b", mac10, 16, res, 16);
-		prf->destroy(prf);
-		return FALSE;
-	}
-	prf->destroy(prf);
-	
-	return TRUE; 
-}
-
diff --git a/src/charon/plugins/unit_tester/tests/test_auth_info.c b/src/charon/plugins/unit_tester/tests/test_auth_info.c
index 1719190b1..37bdd1087 100644
--- a/src/charon/plugins/unit_tester/tests/test_auth_info.c
+++ b/src/charon/plugins/unit_tester/tests/test_auth_info.c
@@ -15,7 +15,7 @@
 
 #include <daemon.h>
 #include <library.h>
-#include <credentials/auth_info.h>
+#include <config/auth_cfg.h>
 
 
 char buf[] = {0x01,0x02,0x03,0x04};
@@ -75,14 +75,14 @@ chunk_t certchunk = chunk_from_buf(certbuf);
 /*******************************************************************************
  * auth info test
  ******************************************************************************/
-bool test_auth_info()
+bool test_auth_cfg()
 {
-	auth_info_t *auth = auth_info_create(), *auth2;
+	auth_cfg_t *auth = auth_cfg_create(), *auth2;
 	certificate_t *c1, *c2;
 	enumerator_t *enumerator;
 	int round = 0;
 	void *value;
-	auth_item_t type;
+	auth_rule_t type;
 	
 	c1 = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
 							BUILD_BLOB_ASN1_DER, certchunk,
@@ -92,8 +92,9 @@ bool test_auth_info()
 		return FALSE;
 	}
 	
-	auth->add_item(auth, AUTHN_SUBJECT_CERT, c1);
-	if (!auth->get_item(auth, AUTHN_SUBJECT_CERT, (void**)&c2))
+	auth->add(auth, AUTH_RULE_SUBJECT_CERT, c1->get_ref(c1));
+	c2 = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
+	if (!c2)
 	{
 		return FALSE;
 	}
@@ -102,11 +103,11 @@ bool test_auth_info()
 		return FALSE;
 	}
 	
-	enumerator = auth->create_item_enumerator(auth);
+	enumerator = auth->create_enumerator(auth);
 	while (enumerator->enumerate(enumerator, &type, &value))
 	{
 		round++;
-		if (round == 1 && type == AUTHN_SUBJECT_CERT && value == c1)
+		if (round == 1 && type == AUTH_RULE_SUBJECT_CERT && value == c1)
 		{
 			continue;
 		}
@@ -114,20 +115,20 @@ bool test_auth_info()
 	}
 	enumerator->destroy(enumerator);
 	
-	auth2 = auth_info_create();
-	auth2->add_item(auth2, AUTHN_CA_CERT, c1);
-	auth2->merge(auth2, auth);
+	auth2 = auth_cfg_create();
+	auth2->add(auth2, AUTH_RULE_CA_CERT, c1->get_ref(c1));
+	auth2->merge(auth2, auth, FALSE);
 	
 	round = 0;
-	enumerator = auth2->create_item_enumerator(auth2);
+	enumerator = auth2->create_enumerator(auth2);
 	while (enumerator->enumerate(enumerator, &type, &value))
 	{
 		round++;
-		if (round == 1 && type == AUTHN_CA_CERT && value == c1)
+		if (round == 1 && type == AUTH_RULE_CA_CERT && value == c1)
 		{
 			continue;
 		}
-		if (round == 2 && type == AUTHN_SUBJECT_CERT && value == c1)
+		if (round == 2 && type == AUTH_RULE_SUBJECT_CERT && value == c1)
 		{
 			continue;
 		}
diff --git a/src/charon/plugins/unit_tester/tests/test_fips_prf.c b/src/charon/plugins/unit_tester/tests/test_fips_prf.c
deleted file mode 100644
index 29612143e..000000000
--- a/src/charon/plugins/unit_tester/tests/test_fips_prf.c
+++ /dev/null
@@ -1,64 +0,0 @@
-/*
- * Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <utils/linked_list.h>
-#include <daemon.h>
-
-/*******************************************************************************
- * fips prf known value test
- ******************************************************************************/
-bool fips_prf_test()
-{
-	prf_t *prf;
-	u_int8_t key_buf[] = {
-		0xbd, 0x02, 0x9b, 0xbe, 0x7f, 0x51, 0x96, 0x0b,
-		0xcf, 0x9e, 0xdb, 0x2b, 0x61, 0xf0, 0x6f, 0x0f,
-		0xeb, 0x5a, 0x38, 0xb6
-	};
-	u_int8_t seed_buf[] = {
-		0x00	
-	};
-	u_int8_t result_buf[] = {
-		0x20, 0x70, 0xb3, 0x22, 0x3d, 0xba, 0x37, 0x2f,
-		0xde, 0x1c, 0x0f, 0xfc, 0x7b, 0x2e, 0x3b, 0x49,
-		0x8b, 0x26, 0x06, 0x14, 0x3c, 0x6c, 0x18, 0xba,
-		0xcb, 0x0f, 0x6c, 0x55, 0xba, 0xbb, 0x13, 0x78,
-		0x8e, 0x20, 0xd7, 0x37, 0xa3, 0x27, 0x51, 0x16
-	};
-	chunk_t key = chunk_from_buf(key_buf);
-	chunk_t seed = chunk_from_buf(seed_buf);
-	chunk_t expected = chunk_from_buf(result_buf);
-	chunk_t result;
-	
-	prf = lib->crypto->create_prf(lib->crypto, PRF_FIPS_SHA1_160);
-	if (prf == NULL)
-	{
-		DBG1(DBG_CFG, "FIPS PRF implementation not found");
-		return FALSE;
-	}
-	prf->set_key(prf, key);
-	prf->allocate_bytes(prf, seed, &result);
-	prf->destroy(prf);
-	if (!chunk_equals(result, expected))
-	{
-		DBG1(DBG_CFG, "FIPS PRF result invalid:\nexpected: %Bresult: %B",
-			 &expected, &result);
-		chunk_free(&result);
-		return FALSE;
-	}
-	chunk_free(&result);
-	return TRUE;
-}
-
diff --git a/src/charon/plugins/unit_tester/tests/test_id.c b/src/charon/plugins/unit_tester/tests/test_id.c
new file mode 100644
index 000000000..56dab2421
--- /dev/null
+++ b/src/charon/plugins/unit_tester/tests/test_id.c
@@ -0,0 +1,69 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <daemon.h>
+
+/*******************************************************************************
+ * identification part enumeration test
+ ******************************************************************************/
+bool test_id_parts()
+{
+	identification_t *id;
+	enumerator_t *enumerator;
+	id_part_t part;
+	chunk_t data;
+	int i = 0;
+	
+	id = identification_create_from_string("C=CH, O=strongSwan, CN=tester");
+	
+	enumerator = id->create_part_enumerator(id);
+	while (enumerator->enumerate(enumerator, &part, &data))
+	{
+		switch (i++)
+		{
+			case 0:
+				if (part != ID_PART_RDN_C ||
+					!chunk_equals(data, chunk_create("CH", 2)))
+				{
+					return FALSE;
+				}
+				break;
+			case 1:
+				if (part != ID_PART_RDN_O ||
+					!chunk_equals(data, chunk_create("strongSwan", 10)))
+				{
+					return FALSE;
+				}
+				break;
+			case 2:
+				if (part != ID_PART_RDN_CN ||
+					!chunk_equals(data, chunk_create("tester", 6)))
+				{
+					return FALSE;
+				}
+				break;
+			default:
+				return FALSE;
+		}
+	}
+	if (i < 3)
+	{
+		return FALSE;
+	}
+	enumerator->destroy(enumerator);
+	id->destroy(id);
+	return TRUE;
+}
+
diff --git a/src/charon/plugins/unit_tester/tests/test_med_db.c b/src/charon/plugins/unit_tester/tests/test_med_db.c
index d65eb0cc4..7b4603bd7 100644
--- a/src/charon/plugins/unit_tester/tests/test_med_db.c
+++ b/src/charon/plugins/unit_tester/tests/test_med_db.c
@@ -33,8 +33,8 @@ bool test_med_db()
 	chunk_t keyid = chunk_from_buf(keyid_buf);
 	identification_t *id, *found;
 	enumerator_t *enumerator;
-	auth_info_t *auth;
 	public_key_t *public;
+	auth_cfg_t *auth;
 	bool good = FALSE;
 	
 	id = identification_create_from_encoding(ID_KEY_ID, keyid);
diff --git a/src/charon/plugins/unit_tester/tests/test_pool.c b/src/charon/plugins/unit_tester/tests/test_pool.c
index b11f71704..ba5330fd9 100644
--- a/src/charon/plugins/unit_tester/tests/test_pool.c
+++ b/src/charon/plugins/unit_tester/tests/test_pool.c
@@ -25,32 +25,24 @@
 
 static void* testing(void *thread)
 {
-	int i;	
-	auth_info_t *auth;
+	int i;
 	host_t *addr[ALLOCS];
 	identification_t *id[ALLOCS];
 	
-	
-	auth = auth_info_create();
-	
 	/* prepare identities */
 	for (i = 0; i < ALLOCS; i++)
 	{
 		char buf[256];
 		
-		snprintf(buf, sizeof(buf), "%d-%d@strongswan.org", (int)thread, i);
+		snprintf(buf, sizeof(buf), "%d-%d@strongswan.org", (uintptr_t)thread, i);
 		id[i] = identification_create_from_string(buf);
-		if (!id[i])
-		{
-			return (void*)FALSE;
-		}
 	}
 	
 	/* allocate addresses */
 	for (i = 0; i < ALLOCS; i++)
 	{
 		addr[i] = charon->attributes->acquire_address(charon->attributes, 
-													  "test", id[i], auth, NULL);
+													  "test", id[i], NULL);
 		if (!addr[i])
 		{
 			return (void*)FALSE;
@@ -69,7 +61,6 @@ static void* testing(void *thread)
 		addr[i]->destroy(addr[i]);
 		id[i]->destroy(id[i]);
 	}
-	auth->destroy(auth);
 	return (void*)TRUE;
 }
 
@@ -79,7 +70,7 @@ static void* testing(void *thread)
  ******************************************************************************/
 bool test_pool()
 {
-	int i;
+	uintptr_t i;
 	void *res;
 	pthread_t thread[THREADS];
 	
diff --git a/src/charon/plugins/unit_tester/tests/test_rng.c b/src/charon/plugins/unit_tester/tests/test_rng.c
deleted file mode 100644
index 60cbf2d36..000000000
--- a/src/charon/plugins/unit_tester/tests/test_rng.c
+++ /dev/null
@@ -1,221 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <daemon.h>
-#include <library.h>
-#include <utils/mutex.h>
-
-#include <unistd.h>
-#include <sched.h>
-#include <pthread.h>
-
-static bool test_monobit(chunk_t data)
-{
-	int i, j, bits = 0;
-	
-	for (i = 0; i < data.len; i++)
-	{
-		for (j = 0; j < 8; j++)
-		{
-			if (data.ptr[i] & (1<<j))
-			{
-				bits++;
-			}
-		}
-	}
-	DBG1(DBG_CFG, "  Monobit: %d/%d bits set", bits, data.len * 8);
-	if (bits > 9654 && bits < 10346)
-	{
-		return TRUE;
-	}
-	return FALSE;
-}
-
-static bool test_poker(chunk_t data)
-{
-	int i, counter[16];
-	double sum = 0.0;
-	
-	memset(counter, 0, sizeof(counter));
-	
-	for (i = 0; i < data.len; i++)
-	{
-		counter[data.ptr[i] & 0x0F]++;
-		counter[(data.ptr[i] & 0xF0) >> 4]++;
-	}
-	
-	for (i = 0; i < countof(counter); i++)
-	{
-		sum += (counter[i] * counter[i]) / 5000.0 * 16.0;
-	}
-	sum -= 5000.0;
-	DBG1(DBG_CFG, "  Poker: %f", sum);
-	if (sum > 1.03 && sum < 57.4)
-	{
-		return TRUE;
-	}
-	return FALSE;
-}
-
-static bool test_runs(chunk_t data)
-{
-	int i, j, zero_runs[7], one_runs[7], zero = 0, one = 0, longrun = 0;
-	bool ok = TRUE;
-	
-	memset(one_runs, 0, sizeof(zero_runs));
-	memset(zero_runs, 0, sizeof(one_runs));
-	
-	for (i = 0; i < data.len; i++)
-	{
-		for (j = 0; j < 8; j++)
-		{
-			if (data.ptr[i] & (1<<j))
-			{
-				if (one)
-				{
-					if (++one >= 34)
-					{
-						longrun++;
-						break;
-					}
-				}
-				else
-				{
-					zero_runs[min(6, zero)]++;
-					zero = 0;
-					one = 1;
-				}
-			}
-			else
-			{
-				if (zero)
-				{
-					if (++zero >= 34)
-					{
-						longrun++;
-						break;
-					}
-				}
-				else
-				{
-					one_runs[min(6, one)]++;
-					one = 0;
-					zero = 1;
-				}
-			}
-		}
-	}
-	
-	DBG1(DBG_CFG, "  Runs: zero: %d/%d/%d/%d/%d/%d, one: %d/%d/%d/%d/%d/%d, "
-		 "longruns: %d",
-		 zero_runs[1], zero_runs[2], zero_runs[3],
-		 zero_runs[4], zero_runs[5], zero_runs[6],
-		 one_runs[1], one_runs[2], one_runs[3],
-		 one_runs[4], one_runs[5], one_runs[6],
-		 longrun);
-	
-	if (longrun)
-	{
-		return FALSE;
-	}
-	
-	for (i = 1; i < countof(zero_runs); i++)
-	{
-		switch (i)
-		{
-			case 1:
-				ok &= zero_runs[i] > 2267 && zero_runs[i] < 2733;
-				ok &= one_runs[i] > 2267 && one_runs[i] < 2733;
-				break;
-			case 2:
-				ok &= zero_runs[i] > 1079 && zero_runs[i] < 1421;
-				ok &= one_runs[i] > 1079 && one_runs[i] < 1421;
-				break;
-			case 3:
-				ok &= zero_runs[i] > 502 && zero_runs[i] < 748;
-				ok &= one_runs[i] > 502 && one_runs[i] < 748;
-				break;
-			case 4:
-				ok &= zero_runs[i] > 223 && zero_runs[i] < 402;
-				ok &= one_runs[i] > 223 && one_runs[i] < 402;
-				break;
-			case 5:
-				ok &= zero_runs[i] > 90 && zero_runs[i] < 223;
-				ok &= one_runs[i] > 90 && one_runs[i] < 223;
-				break;
-			case 6:
-				ok &= zero_runs[i] > 90 && zero_runs[i] < 223;
-				ok &= one_runs[i] > 90 && one_runs[i] < 223;
-				break;
-		}
-		if (!ok)
-		{
-			return FALSE;
-		}
-	}
-	return TRUE;
-}
-
-static bool test_rng_quality(rng_quality_t quality)
-{
-	rng_t *rng;
-	chunk_t chunk;
-	
-	rng = lib->crypto->create_rng(lib->crypto, quality);
-	if (!rng)
-	{
-		return FALSE;
-	}
-	DBG1(DBG_CFG, "%N", rng_quality_names, quality);
-	rng->allocate_bytes(rng, 2500, &chunk);
-	
-	if (!test_monobit(chunk))
-	{
-		return FALSE;
-	}
-	if (!test_poker(chunk))
-	{
-		return FALSE;
-	}
-	if (!test_runs(chunk))
-	{
-		return FALSE;
-	}
-	
-	free(chunk.ptr);
-	rng->destroy(rng);
-	return TRUE;
-}
-
-/**
- * run a test using given values
- */
-bool test_rng()
-{
-	if (!test_rng_quality(RNG_WEAK))
-	{
-		return FALSE;
-	}
-	if (!test_rng_quality(RNG_STRONG))
-	{
-		return FALSE;
-	}
-	if (!test_rng_quality(RNG_REAL))
-	{
-		return FALSE;
-	}
-	return TRUE; 
-}
-
diff --git a/src/charon/plugins/unit_tester/tests/test_rsa_gen.c b/src/charon/plugins/unit_tester/tests/test_rsa_gen.c
index f13bb5bbf..1b7af63ee 100644
--- a/src/charon/plugins/unit_tester/tests/test_rsa_gen.c
+++ b/src/charon/plugins/unit_tester/tests/test_rsa_gen.c
@@ -22,7 +22,7 @@
 bool test_rsa_gen()
 {
 	char buf[] = {0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08};
-	chunk_t data = chunk_from_buf(buf), sig;
+	chunk_t data = chunk_from_buf(buf), sig, crypt, plain;
 	private_key_t *private;
 	public_key_t *public;
 	u_int key_size;
@@ -59,6 +59,24 @@ bool test_rsa_gen()
 			return FALSE;
 		}
 		free(sig.ptr);
+		if (!public->encrypt(public, data, &crypt))
+		{
+			DBG1(DBG_CFG, "encrypting data with RSA failed");
+			return FALSE;
+		}
+		if (!private->decrypt(private, crypt, &plain))
+		{
+			DBG1(DBG_CFG, "decrypting data with RSA failed");
+			return FALSE;
+		}
+		if (!chunk_equals(data, plain))
+		{
+			DBG1(DBG_CFG, "decrpyted data invalid, expected %B, got %B", &
+				 data, &plain);
+			return FALSE;
+		}
+		chunk_clear(&crypt);
+		chunk_clear(&plain);
 		public->destroy(public);
 		private->destroy(private);
 	}
diff --git a/src/charon/plugins/unit_tester/unit_tester.c b/src/charon/plugins/unit_tester/unit_tester.c
index 28c6b4c11..c9651e601 100644
--- a/src/charon/plugins/unit_tester/unit_tester.c
+++ b/src/charon/plugins/unit_tester/unit_tester.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: unit_tester.c 3491 2008-02-22 14:04:00Z martin $
  */
 
 #include "unit_tester.h"
diff --git a/src/charon/plugins/unit_tester/unit_tester.h b/src/charon/plugins/unit_tester/unit_tester.h
index 760b0389b..33b13313d 100644
--- a/src/charon/plugins/unit_tester/unit_tester.h
+++ b/src/charon/plugins/unit_tester/unit_tester.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: unit_tester.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/charon/plugins/updown/Makefile.in b/src/charon/plugins/updown/Makefile.in
index 15bc7b95c..d0aac79f9 100644
--- a/src/charon/plugins/updown/Makefile.in
+++ b/src/charon/plugins/updown/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -89,6 +89,7 @@ CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -111,6 +112,9 @@ LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -122,6 +126,7 @@ MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
 NM = @NM@
 NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
@@ -135,6 +140,8 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 RANLIB = @RANLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -195,6 +202,7 @@ oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
 plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -206,6 +214,7 @@ srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 xml_CFLAGS = @xml_CFLAGS@
@@ -226,8 +235,8 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
 	    *$$dep*) \
-	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
-		&& exit 0; \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
 	      exit 1;; \
 	  esac; \
 	done; \
@@ -322,7 +331,7 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
 	mkid -fID $$unique
 tags: TAGS
diff --git a/src/charon/plugins/updown/updown_listener.c b/src/charon/plugins/updown/updown_listener.c
index 7dfb874cb..a6be35690 100644
--- a/src/charon/plugins/updown/updown_listener.c
+++ b/src/charon/plugins/updown/updown_listener.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 #define _GNU_SOURCE
@@ -188,14 +186,14 @@ static void updown(private_updown_listener_t *this, ike_sa_t *ike_sa,
 				"PLUTO_INTERFACE='%s' "
 				"PLUTO_REQID='%u' "
 				"PLUTO_ME='%H' "
-				"PLUTO_MY_ID='%D' "
+				"PLUTO_MY_ID='%Y' "
 				"PLUTO_MY_CLIENT='%s/%s' "
 				"PLUTO_MY_CLIENT_NET='%s' "
 				"PLUTO_MY_CLIENT_MASK='%s' "
 				"PLUTO_MY_PORT='%u' "
 				"PLUTO_MY_PROTOCOL='%u' "
 				"PLUTO_PEER='%H' "
-				"PLUTO_PEER_ID='%D' "
+				"PLUTO_PEER_ID='%Y' "
 				"PLUTO_PEER_CLIENT='%s/%s' "
 				"PLUTO_PEER_CLIENT_NET='%s' "
 				"PLUTO_PEER_CLIENT_MASK='%s' "
diff --git a/src/charon/plugins/updown/updown_listener.h b/src/charon/plugins/updown/updown_listener.h
index 0d09a4cea..cc59f61c6 100644
--- a/src/charon/plugins/updown/updown_listener.h
+++ b/src/charon/plugins/updown/updown_listener.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 /**
diff --git a/src/charon/plugins/updown/updown_plugin.c b/src/charon/plugins/updown/updown_plugin.c
index 2e5884222..4f0483fac 100644
--- a/src/charon/plugins/updown/updown_plugin.c
+++ b/src/charon/plugins/updown/updown_plugin.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 #include "updown_plugin.h"
diff --git a/src/charon/plugins/updown/updown_plugin.h b/src/charon/plugins/updown/updown_plugin.h
index 99779d04e..2873b499d 100644
--- a/src/charon/plugins/updown/updown_plugin.h
+++ b/src/charon/plugins/updown/updown_plugin.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 /**
diff --git a/src/charon/processing/jobs/acquire_job.c b/src/charon/processing/jobs/acquire_job.c
index 50cebd88a..90b221b84 100644
--- a/src/charon/processing/jobs/acquire_job.c
+++ b/src/charon/processing/jobs/acquire_job.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006 Martin Willi
+ * Copyright (C) 2006-2009 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: acquire_job.c 4535 2008-10-31 01:43:23Z andreas $
  */
 
 #include "acquire_job.h"
@@ -35,12 +33,12 @@ struct private_acquire_job_t {
 	 * reqid of the child to rekey
 	 */
 	u_int32_t reqid;
-
+	
 	/**
 	 * acquired source traffic selector
 	 */
 	traffic_selector_t *src_ts;
-
+	
 	/**
 	 * acquired destination traffic selector
 	 */
@@ -62,24 +60,8 @@ static void destroy(private_acquire_job_t *this)
  */
 static void execute(private_acquire_job_t *this)
 {
-	ike_sa_t *ike_sa = NULL;
-	
-	if (this->reqid)
-	{
-		ike_sa = charon->ike_sa_manager->checkout_by_id(charon->ike_sa_manager,
-														this->reqid, TRUE);
-	}
-	if (ike_sa == NULL)
-	{
-		DBG1(DBG_JOB, "acquire job found no CHILD_SA with reqid {%d}",
-			 this->reqid);
-	}
-	else
-	{
-		ike_sa->acquire(ike_sa, this->reqid);
-		
-		charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
-	}
+	charon->traps->acquire(charon->traps, this->reqid,
+						   this->src_ts, this->dst_ts);
 	destroy(this);
 }
 
@@ -92,14 +74,13 @@ acquire_job_t *acquire_job_create(u_int32_t reqid,
 {
 	private_acquire_job_t *this = malloc_thing(private_acquire_job_t);
 	
-	/* interface functions */
 	this->public.job_interface.execute = (void (*) (job_t *)) execute;
 	this->public.job_interface.destroy = (void (*)(job_t*)) destroy;
 	
-	/* private variables */
 	this->reqid = reqid;
 	this->src_ts = src_ts;
 	this->dst_ts = dst_ts;
 	
 	return &this->public;
 }
+
diff --git a/src/charon/processing/jobs/acquire_job.h b/src/charon/processing/jobs/acquire_job.h
index feea5c72a..a78e5274d 100644
--- a/src/charon/processing/jobs/acquire_job.h
+++ b/src/charon/processing/jobs/acquire_job.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: acquire_job.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -44,9 +42,7 @@ struct acquire_job_t {
 /**
  * Creates a job of type ACQUIRE.
  *
- * We use the reqid to find the routed CHILD_SA.
- *
- * @param reqid		reqid of the CHILD_SA to acquire
+ * @param reqid		reqid of the trapped CHILD_SA to acquire
  * @param src_ts	source traffic selector
  * @param dst_ts	destination traffic selector
  * @return			acquire_job_t object
diff --git a/src/charon/processing/jobs/callback_job.c b/src/charon/processing/jobs/callback_job.c
index f0cebd473..82b4643eb 100644
--- a/src/charon/processing/jobs/callback_job.c
+++ b/src/charon/processing/jobs/callback_job.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: callback_job.c 4579 2008-11-05 11:29:56Z martin $
  */
  
 #include "callback_job.h"
diff --git a/src/charon/processing/jobs/callback_job.h b/src/charon/processing/jobs/callback_job.h
index 012bb271c..2bb209cb7 100644
--- a/src/charon/processing/jobs/callback_job.h
+++ b/src/charon/processing/jobs/callback_job.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: callback_job.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/charon/processing/jobs/delete_child_sa_job.c b/src/charon/processing/jobs/delete_child_sa_job.c
index 26f538d67..206f07617 100644
--- a/src/charon/processing/jobs/delete_child_sa_job.c
+++ b/src/charon/processing/jobs/delete_child_sa_job.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: delete_child_sa_job.c 3589 2008-03-13 14:14:44Z martin $
  */
 
 #include "delete_child_sa_job.h"
diff --git a/src/charon/processing/jobs/delete_child_sa_job.h b/src/charon/processing/jobs/delete_child_sa_job.h
index a17c86b22..9bf6ee423 100644
--- a/src/charon/processing/jobs/delete_child_sa_job.h
+++ b/src/charon/processing/jobs/delete_child_sa_job.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: delete_child_sa_job.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/charon/processing/jobs/delete_ike_sa_job.c b/src/charon/processing/jobs/delete_ike_sa_job.c
index c37e4e389..6d4639fad 100644
--- a/src/charon/processing/jobs/delete_ike_sa_job.c
+++ b/src/charon/processing/jobs/delete_ike_sa_job.c
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: delete_ike_sa_job.c 4722 2008-11-28 15:44:25Z martin $
  */
 
 #include "delete_ike_sa_job.h"
diff --git a/src/charon/processing/jobs/delete_ike_sa_job.h b/src/charon/processing/jobs/delete_ike_sa_job.h
index fcb712e43..8209977f9 100644
--- a/src/charon/processing/jobs/delete_ike_sa_job.h
+++ b/src/charon/processing/jobs/delete_ike_sa_job.h
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: delete_ike_sa_job.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/charon/processing/jobs/initiate_mediation_job.c b/src/charon/processing/jobs/initiate_mediation_job.c
index 4d4fd8dc6..157d84341 100644
--- a/src/charon/processing/jobs/initiate_mediation_job.c
+++ b/src/charon/processing/jobs/initiate_mediation_job.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: initiate_mediation_job.c 4625 2008-11-11 13:12:05Z tobias $
  */
 
 #include "initiate_mediation_job.h"
@@ -75,6 +73,8 @@ static void initiate(private_initiate_mediation_job_t *this)
 {
 	ike_sa_t *mediated_sa, *mediation_sa;
 	peer_cfg_t *mediated_cfg, *mediation_cfg;
+	enumerator_t *enumerator;
+	auth_cfg_t *auth_cfg;
 	
 	mediated_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager,
 												   this->mediated_sa_id);
@@ -88,8 +88,20 @@ static void initiate(private_initiate_mediation_job_t *this)
 		mediation_cfg = mediated_cfg->get_mediated_by(mediated_cfg);
 		mediation_cfg->get_ref(mediation_cfg);
 		
+		enumerator = mediation_cfg->create_auth_cfg_enumerator(mediation_cfg,
+															   TRUE);
+		if (!enumerator->enumerate(enumerator, &auth_cfg) ||
+			auth_cfg->get(auth_cfg, AUTH_RULE_IDENTITY) == NULL)
+		{
+			mediated_cfg->destroy(mediated_cfg);
+			mediation_cfg->destroy(mediation_cfg);
+			enumerator->destroy(enumerator);
+			destroy(this);
+			return;
+		}
+		
 		if (charon->connect_manager->check_and_register(charon->connect_manager,
-				mediation_cfg->get_my_id(mediation_cfg),
+				auth_cfg->get(auth_cfg, AUTH_RULE_IDENTITY),
 				mediated_cfg->get_peer_id(mediated_cfg),
 				this->mediated_sa_id))
 		{
diff --git a/src/charon/processing/jobs/initiate_mediation_job.h b/src/charon/processing/jobs/initiate_mediation_job.h
index 17f5e4d18..084e1b9fd 100644
--- a/src/charon/processing/jobs/initiate_mediation_job.h
+++ b/src/charon/processing/jobs/initiate_mediation_job.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: initiate_mediation_job.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/charon/processing/jobs/job.h b/src/charon/processing/jobs/job.h
index e0a2d1df7..acc88b124 100644
--- a/src/charon/processing/jobs/job.h
+++ b/src/charon/processing/jobs/job.h
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: job.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/charon/processing/jobs/mediation_job.c b/src/charon/processing/jobs/mediation_job.c
index c177d8db3..cf522faff 100644
--- a/src/charon/processing/jobs/mediation_job.c
+++ b/src/charon/processing/jobs/mediation_job.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: mediation_job.c 3666 2008-03-26 18:40:19Z tobias $
  */
 
 #include "mediation_job.h"
@@ -101,7 +99,7 @@ static void execute(private_mediation_job_t *this)
 				/* send callback to a peer */
 				if (target_sa->callback(target_sa, this->source) != SUCCESS)
 				{
-					DBG1(DBG_JOB, "callback for '%D' to '%D' failed",
+					DBG1(DBG_JOB, "callback for '%Y' to '%Y' failed",
 							this->source, this->target);
 					charon->ike_sa_manager->checkin(charon->ike_sa_manager, target_sa);
 					destroy(this);
@@ -114,7 +112,7 @@ static void execute(private_mediation_job_t *this)
 				if (target_sa->relay(target_sa, this->source, this->connect_id,
 						this->connect_key, this->endpoints, this->response) != SUCCESS)
 				{
-					DBG1(DBG_JOB, "mediation between '%D' and '%D' failed",
+					DBG1(DBG_JOB, "mediation between '%Y' and '%Y' failed",
 							this->source, this->target);
 					charon->ike_sa_manager->checkin(charon->ike_sa_manager, target_sa);
 					/* FIXME: notify the initiator */
@@ -127,13 +125,13 @@ static void execute(private_mediation_job_t *this)
 		}
 		else
 		{
-			DBG1(DBG_JOB, "mediation between '%D' and '%D' failed: "
+			DBG1(DBG_JOB, "mediation between '%Y' and '%Y' failed: "
 					"SA not found", this->source, this->target);
 		}
 	}
 	else
 	{
-		DBG1(DBG_JOB, "mediation between '%D' and '%D' failed: "
+		DBG1(DBG_JOB, "mediation between '%Y' and '%Y' failed: "
 				"peer is not online anymore", this->source, this->target);
 	}
 	destroy(this);
diff --git a/src/charon/processing/jobs/mediation_job.h b/src/charon/processing/jobs/mediation_job.h
index 08e37915f..583ea8230 100644
--- a/src/charon/processing/jobs/mediation_job.h
+++ b/src/charon/processing/jobs/mediation_job.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: mediation_job.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/charon/processing/jobs/migrate_job.c b/src/charon/processing/jobs/migrate_job.c
index 47ff658f1..a57d0478b 100644
--- a/src/charon/processing/jobs/migrate_job.c
+++ b/src/charon/processing/jobs/migrate_job.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: migrate_job.c 4677 2008-11-19 15:31:27Z martin $
  */
 
 #include "migrate_job.h"
diff --git a/src/charon/processing/jobs/migrate_job.h b/src/charon/processing/jobs/migrate_job.h
index 9f39b9730..672a09b0a 100644
--- a/src/charon/processing/jobs/migrate_job.h
+++ b/src/charon/processing/jobs/migrate_job.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: migrate_job.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/charon/processing/jobs/process_message_job.c b/src/charon/processing/jobs/process_message_job.c
index 33bcae6f0..1f0b3e287 100644
--- a/src/charon/processing/jobs/process_message_job.c
+++ b/src/charon/processing/jobs/process_message_job.c
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: process_message_job.c 3666 2008-03-26 18:40:19Z tobias $
  */
 
 #include "process_message_job.h"
diff --git a/src/charon/processing/jobs/process_message_job.h b/src/charon/processing/jobs/process_message_job.h
index 0aae4c24e..b01d388f9 100644
--- a/src/charon/processing/jobs/process_message_job.h
+++ b/src/charon/processing/jobs/process_message_job.h
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: process_message_job.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/charon/processing/jobs/rekey_child_sa_job.c b/src/charon/processing/jobs/rekey_child_sa_job.c
index 42bf79d26..17fcf641b 100644
--- a/src/charon/processing/jobs/rekey_child_sa_job.c
+++ b/src/charon/processing/jobs/rekey_child_sa_job.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: rekey_child_sa_job.c 3589 2008-03-13 14:14:44Z martin $
  */
 
 #include "rekey_child_sa_job.h"
diff --git a/src/charon/processing/jobs/rekey_child_sa_job.h b/src/charon/processing/jobs/rekey_child_sa_job.h
index 14e4af5e1..2e2eef361 100644
--- a/src/charon/processing/jobs/rekey_child_sa_job.h
+++ b/src/charon/processing/jobs/rekey_child_sa_job.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: rekey_child_sa_job.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/charon/processing/jobs/rekey_ike_sa_job.c b/src/charon/processing/jobs/rekey_ike_sa_job.c
index 38aa41c27..1ceb1e144 100644
--- a/src/charon/processing/jobs/rekey_ike_sa_job.c
+++ b/src/charon/processing/jobs/rekey_ike_sa_job.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: rekey_ike_sa_job.c 3793 2008-04-11 08:14:48Z martin $
  */
  
 #include "rekey_ike_sa_job.h"
diff --git a/src/charon/processing/jobs/rekey_ike_sa_job.h b/src/charon/processing/jobs/rekey_ike_sa_job.h
index c03711d73..0d830e134 100644
--- a/src/charon/processing/jobs/rekey_ike_sa_job.h
+++ b/src/charon/processing/jobs/rekey_ike_sa_job.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: rekey_ike_sa_job.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/charon/processing/jobs/retransmit_job.c b/src/charon/processing/jobs/retransmit_job.c
index 89858786e..122cad853 100644
--- a/src/charon/processing/jobs/retransmit_job.c
+++ b/src/charon/processing/jobs/retransmit_job.c
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: retransmit_job.c 3589 2008-03-13 14:14:44Z martin $
  */
  
 #include "retransmit_job.h"
diff --git a/src/charon/processing/jobs/retransmit_job.h b/src/charon/processing/jobs/retransmit_job.h
index a20369a1b..4c9bea1c8 100644
--- a/src/charon/processing/jobs/retransmit_job.h
+++ b/src/charon/processing/jobs/retransmit_job.h
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: retransmit_job.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/charon/processing/jobs/roam_job.c b/src/charon/processing/jobs/roam_job.c
index 0b323ae8b..c01f83248 100644
--- a/src/charon/processing/jobs/roam_job.c
+++ b/src/charon/processing/jobs/roam_job.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: roam_job.c 3804 2008-04-14 11:37:46Z martin $
  */
 
 #include <stdlib.h>
diff --git a/src/charon/processing/jobs/roam_job.h b/src/charon/processing/jobs/roam_job.h
index 6c0cbc2b7..7bb1227f5 100644
--- a/src/charon/processing/jobs/roam_job.h
+++ b/src/charon/processing/jobs/roam_job.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: roam_job.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/charon/processing/jobs/send_dpd_job.c b/src/charon/processing/jobs/send_dpd_job.c
index a7d0cf3f3..c6e81a56f 100644
--- a/src/charon/processing/jobs/send_dpd_job.c
+++ b/src/charon/processing/jobs/send_dpd_job.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: send_dpd_job.c 3589 2008-03-13 14:14:44Z martin $
  */
 
 #include <stdlib.h>
diff --git a/src/charon/processing/jobs/send_dpd_job.h b/src/charon/processing/jobs/send_dpd_job.h
index 2b6b5fee3..91556a9d1 100644
--- a/src/charon/processing/jobs/send_dpd_job.h
+++ b/src/charon/processing/jobs/send_dpd_job.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: send_dpd_job.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/charon/processing/jobs/send_keepalive_job.c b/src/charon/processing/jobs/send_keepalive_job.c
index 82f6a5f55..5d3cfb530 100644
--- a/src/charon/processing/jobs/send_keepalive_job.c
+++ b/src/charon/processing/jobs/send_keepalive_job.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: send_keepalive_job.c 3589 2008-03-13 14:14:44Z martin $
  */
 
 #include <stdlib.h>
diff --git a/src/charon/processing/jobs/send_keepalive_job.h b/src/charon/processing/jobs/send_keepalive_job.h
index 7b3fe9f60..f92e6217a 100644
--- a/src/charon/processing/jobs/send_keepalive_job.h
+++ b/src/charon/processing/jobs/send_keepalive_job.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: send_keepalive_job.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/charon/processing/jobs/update_sa_job.c b/src/charon/processing/jobs/update_sa_job.c
index acf263d25..5e6c83942 100644
--- a/src/charon/processing/jobs/update_sa_job.c
+++ b/src/charon/processing/jobs/update_sa_job.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 #include <stdlib.h>
diff --git a/src/charon/processing/jobs/update_sa_job.h b/src/charon/processing/jobs/update_sa_job.h
index 79b89bbe3..93262d46f 100644
--- a/src/charon/processing/jobs/update_sa_job.h
+++ b/src/charon/processing/jobs/update_sa_job.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 /**
diff --git a/src/charon/processing/processor.c b/src/charon/processing/processor.c
index 68916937b..eb1db331b 100644
--- a/src/charon/processing/processor.c
+++ b/src/charon/processing/processor.c
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: processor.c 4802 2008-12-12 15:57:12Z martin $
  */
  
 #include <stdlib.h>
diff --git a/src/charon/processing/processor.h b/src/charon/processing/processor.h
index 6ab643b1f..e56e69382 100644
--- a/src/charon/processing/processor.h
+++ b/src/charon/processing/processor.h
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: processor.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/charon/processing/scheduler.c b/src/charon/processing/scheduler.c
index 593a51f0b..b3633f263 100644
--- a/src/charon/processing/scheduler.c
+++ b/src/charon/processing/scheduler.c
@@ -13,13 +13,10 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: scheduler.c 4799 2008-12-12 09:16:31Z martin $
  */
 
 #include <stdlib.h>
 #include <pthread.h>
-#include <sys/time.h>
 
 #include "scheduler.h"
 
@@ -41,7 +38,7 @@ struct event_t {
 	 * Time to fire the event.
 	 */
 	timeval_t time;
-
+	
 	/**
 	 * Every event has its assigned job.
 	 */
@@ -63,16 +60,17 @@ typedef struct private_scheduler_t private_scheduler_t;
  * Private data of a scheduler_t object.
  */
 struct private_scheduler_t {
+	
 	/**
 	 * Public part of a scheduler_t object.
 	 */
 	 scheduler_t public;
-
+	
 	/**
 	 * Job which queues scheduled jobs to the processor.
 	 */
 	callback_job_t *job;
-		
+	
 	/**
 	 * The heap in which the events are stored.
 	 */
@@ -87,12 +85,12 @@ struct private_scheduler_t {
 	 * The number of scheduled events.
 	 */
 	u_int event_count;
-
+	
 	/**
 	 * Exclusive access to list
 	 */
 	mutex_t *mutex;
-
+	
 	/**
 	 * Condvar to wait for next job.
 	 */
@@ -100,16 +98,27 @@ struct private_scheduler_t {
 };
 
 /**
- * Returns the difference of two timeval structs in milliseconds
+ * Comparse two timevals, return >0 if a > b, <0 if a < b and =0 if equal
  */
-static long time_difference(timeval_t *end, timeval_t *start)
+static int timeval_cmp(timeval_t *a, timeval_t *b)
 {
-	time_t s;
-	suseconds_t us;
-	
-	s = end->tv_sec - start->tv_sec;
-	us = end->tv_usec - start->tv_usec;
-	return (s * 1000 + us/1000);
+	if (a->tv_sec > b->tv_sec)
+	{
+		return 1;
+	}
+	if (a->tv_sec < b->tv_sec)
+	{
+		return -1;
+	}
+	if (a->tv_usec > b->tv_usec)
+	{
+		return 1;
+	}
+	if (a->tv_usec < b->tv_usec)
+	{
+		return -1;
+	}
+	return 0;
 }
 
 /**
@@ -146,20 +155,21 @@ static event_t *remove_event(private_scheduler_t *this)
 			u_int child = position << 1;
 			
 			if ((child + 1) <= this->event_count &&
-				time_difference(&this->heap[child + 1]->time,
-								&this->heap[child]->time) < 0)
+				timeval_cmp(&this->heap[child + 1]->time,
+							&this->heap[child]->time) < 0)
 			{
 				/* the "right" child is smaller */
 				child++;
 			}
 			
-			if (time_difference(&top->time, &this->heap[child]->time) <= 0)
+			if (timeval_cmp(&top->time, &this->heap[child]->time) <= 0)
 			{
-				/* the top event fires before the smaller of the two children, stop */
+				/* the top event fires before the smaller of the two children,
+				 * stop */
 				break;
 			}
 			
-			/* exchange with the smaller child */
+			/* swap with the smaller child */
 			this->heap[position] = this->heap[child];
 			position = child;
 		}
@@ -175,7 +185,6 @@ static job_requeue_t schedule(private_scheduler_t * this)
 {
 	timeval_t now;
 	event_t *event;
-	long difference;
 	int oldstate;
 	bool timed = FALSE;
 	
@@ -185,8 +194,7 @@ static job_requeue_t schedule(private_scheduler_t * this)
 	
 	if ((event = peek_event(this)) != NULL)
 	{
-		difference = time_difference(&now, &event->time);
-		if (difference >= 0)
+		if (timeval_cmp(&now, &event->time) >= 0)
 		{
 			remove_event(this);
 			this->mutex->unlock(this->mutex);
@@ -195,7 +203,16 @@ static job_requeue_t schedule(private_scheduler_t * this)
 			free(event);
 			return JOB_REQUEUE_DIRECT;
 		}
-		DBG2(DBG_JOB, "next event in %ldms, waiting", -difference);
+		timersub(&event->time, &now, &now);
+		if (now.tv_sec)
+		{
+			DBG2(DBG_JOB, "next event in %ds %dms, waiting",
+				 now.tv_sec, now.tv_usec/1000);
+		}
+		else
+		{
+			DBG2(DBG_JOB, "next event in %dms, waiting", now.tv_usec/1000);
+		}
 		timed = TRUE;
 	}
 	pthread_cleanup_push((void*)this->mutex->unlock, this->mutex);
@@ -228,25 +245,16 @@ static u_int get_job_load(private_scheduler_t *this)
 }
 
 /**
- * Implements scheduler_t.schedule_job.
+ * Implements scheduler_t.schedule_job_tv.
  */
-static void schedule_job(private_scheduler_t *this, job_t *job, u_int32_t time)
+static void schedule_job_tv(private_scheduler_t *this, job_t *job, timeval_t tv)
 {
-	timeval_t now;
 	event_t *event;
 	u_int position;
-	time_t s;
-	suseconds_t us;
 	
 	event = malloc_thing(event_t);
 	event->job = job;
-	
-	/* calculate absolute time */
-	s = time / 1000;
-	us = (time - s * 1000) * 1000;
-	gettimeofday(&now, NULL);
-	event->time.tv_usec = (now.tv_usec + us) % 1000000;
-	event->time.tv_sec = now.tv_sec + (now.tv_usec + us)/1000000 + s;
+	event->time = tv;
 	
 	this->mutex->lock(this->mutex);
 	
@@ -255,14 +263,15 @@ static void schedule_job(private_scheduler_t *this, job_t *job, u_int32_t time)
 	{
 		/* double the size of the heap */
 		this->heap_size <<= 1;
-		this->heap = (event_t**)realloc(this->heap, (this->heap_size + 1) * sizeof(event_t*));
+		this->heap = (event_t**)realloc(this->heap,
+									(this->heap_size + 1) * sizeof(event_t*));
 	}
 	/* "put" the event to the bottom */
 	position = this->event_count;
 	
 	/* then bubble it up */
-	while (position > 1 && time_difference(&this->heap[position >> 1]->time,
-										   &event->time) > 0)
+	while (position > 1 && timeval_cmp(&this->heap[position >> 1]->time,
+									   &event->time) > 0)
 	{
 		/* parent has to be fired after the new event, move up */
 		this->heap[position] = this->heap[position >> 1];
@@ -274,6 +283,35 @@ static void schedule_job(private_scheduler_t *this, job_t *job, u_int32_t time)
 	this->mutex->unlock(this->mutex);
 }
 
+/**
+ * Implements scheduler_t.schedule_job.
+ */
+static void schedule_job(private_scheduler_t *this, job_t *job, u_int32_t s)
+{
+	timeval_t tv;
+	
+	gettimeofday(&tv, NULL);
+	tv.tv_sec += s;
+	
+	schedule_job_tv(this, job, tv);
+}
+
+/**
+ * Implements scheduler_t.schedule_job_ms.
+ */
+static void schedule_job_ms(private_scheduler_t *this, job_t *job, u_int32_t ms)
+{
+	timeval_t tv, add;
+	
+	gettimeofday(&tv, NULL);
+	add.tv_sec = ms / 1000;
+	add.tv_usec = (ms % 1000) * 1000;
+	
+	timeradd(&tv, &add, &tv);
+	
+	schedule_job_tv(this, job, tv);
+}
+
 /**
  * Implementation of scheduler_t.destroy.
  */
@@ -299,7 +337,9 @@ scheduler_t * scheduler_create()
 	private_scheduler_t *this = malloc_thing(private_scheduler_t);
 	
 	this->public.get_job_load = (u_int (*) (scheduler_t *this)) get_job_load;
-	this->public.schedule_job = (void (*) (scheduler_t *this, job_t *job, u_int32_t ms)) schedule_job;
+	this->public.schedule_job = (void (*) (scheduler_t *this, job_t *job, u_int32_t s)) schedule_job;
+	this->public.schedule_job_ms = (void (*) (scheduler_t *this, job_t *job, u_int32_t ms)) schedule_job_ms;
+	this->public.schedule_job_tv = (void (*) (scheduler_t *this, job_t *job, timeval_t tv)) schedule_job_tv;
 	this->public.destroy = (void(*)(scheduler_t*)) destroy;
 	
 	/* Note: the root of the heap is at index 1 */
diff --git a/src/charon/processing/scheduler.h b/src/charon/processing/scheduler.h
index c3e177727..502f70b33 100644
--- a/src/charon/processing/scheduler.h
+++ b/src/charon/processing/scheduler.h
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2009 Tobias Brunner
  * Copyright (C) 2005-2007 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
@@ -12,8 +13,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: scheduler.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -26,25 +25,86 @@
 
 typedef struct scheduler_t scheduler_t;
 
+#include <sys/time.h>
+
 #include <library.h>
 #include <processing/jobs/job.h>
 
 /**
- * The scheduler queues and executes timed events.
+ * The scheduler queues timed events which are then passed to the processor.
+ *
+ * The scheduler is implemented as a heap. A heap is a special kind of tree-
+ * based data structure that satisfies the following property: if B is a child
+ * node of A, then key(A) >= (or <=) key(B). So either the element with the
+ * greatest (max-heap) or the smallest (min-heap) key is the root of the heap.
+ * We use a min-heap whith the key being the absolute unix time at which an
+ * event is scheduled. So the root is always the event that will fire next.
+ *
+ * An earlier implementation of the scheduler used a sorted linked list to store
+ * the events. That had the advantage that removing the next event was extremely
+ * fast, also, adding an event scheduled before or after all other events was
+ * equally fast (all in O(1)). The problem was, though, that adding an event
+ * in-between got slower, as the number of events grew larger (O(n)).
+ * For each connection there could be several events: IKE-rekey, NAT-keepalive,
+ * retransmissions, expire (half-open), and others. So a gateway that probably
+ * has to handle thousands of concurrent connnections has to be able to queue a
+ * large number of events as fast as possible. Locking makes this even worse, to
+ * provide thread-safety, no events can be processed, while an event is queued,
+ * so making the insertion fast is even more important.
+ *
+ * That's the advantage of the heap. Adding an element to the heap can be
+ * achieved in O(log n) - on the other hand, removing the root node also
+ * requires O(log n) operations. Consider 10000 queued events. Inserting a new
+ * event in the list implementation required up to 10000 comparisons. In the
+ * heap implementation, the worst case is about 13.3 comparisons. That's a
+ * drastic improvement.
  *
- * The scheduler stores timed events and passes them to the processor.
+ * The implementation itself uses a binary tree mapped to a one-based array to
+ * store the elements. This reduces storage overhead and simplifies navigation:
+ * the children of the node at position n are at position 2n and 2n+1 (likewise
+ * the parent node of the node at position n is at position [n/2]). Thus,
+ * navigating up and down the tree is reduced to simple index computations.
+ *
+ * Adding an element to the heap works as follows: The heap is always filled
+ * from left to right, until a row is full, then the next row is filled. Mapped
+ * to an array this gets as simple as putting the new element to the first free
+ * position. In a one-based array that position equals the number of elements
+ * currently stored in the heap. Then the heap property has to be restored, i.e.
+ * the new element has to be "bubbled up" the tree until the parent node's key
+ * is smaller or the element got the new root of the tree.
+ *
+ * Removing the next event from the heap works similarly. The event itself is
+ * the root node and stored at position 1 of the array. After removing it, the
+ * root has to be replaced and the heap property has to be restored. This is
+ * done by moving the bottom element (last row, rightmost element) to the root
+ * and then "seep it down" by swapping it with child nodes until none of the
+ * children has a smaller key or it is again a leaf node.
  */
-struct scheduler_t { 	
-
+struct scheduler_t {
+	
 	/**
-	 * Adds a event to the queue, using a relative time offset.
+	 * Adds a event to the queue, using a relative time offset in s.
 	 *
-	 * Schedules a job for execution using a relative time offset.
+	 * @param job 			job to schedule
+	 * @param time 			relative time to schedule job, in s
+	 */
+	void (*schedule_job) (scheduler_t *this, job_t *job, u_int32_t s);
+	
+	/**
+	 * Adds a event to the queue, using a relative time offset in ms.
+	 *
+	 * @param job 			job to schedule
+	 * @param time 			relative time to schedule job, in ms
+	 */
+	void (*schedule_job_ms) (scheduler_t *this, job_t *job, u_int32_t ms);
+	
+	/**
+	 * Adds a event to the queue, using an absolut time.
 	 *
- 	 * @param job 			job to schedule
-  	 * @param time 			relative to to schedule job (in ms)
+	 * @param job 			job to schedule
+	 * @param time 			absolut time to schedule job
 	 */
-	void (*schedule_job) (scheduler_t *this, job_t *job, u_int32_t time);
+	void (*schedule_job_tv) (scheduler_t *this, job_t *job, timeval_t tv);
 	
 	/**
 	 * Returns number of jobs scheduled.
@@ -61,7 +121,7 @@ struct scheduler_t {
 
 /**
  * Create a scheduler.
- * 
+ *
  * @return 		scheduler_t object
  */
 scheduler_t *scheduler_create(void);
diff --git a/src/charon/sa/authenticators/authenticator.c b/src/charon/sa/authenticators/authenticator.c
index 827c7a69a..ea8a16279 100644
--- a/src/charon/sa/authenticators/authenticator.c
+++ b/src/charon/sa/authenticators/authenticator.c
@@ -1,6 +1,6 @@
 /*
+ * Copyright (C) 2006-2009 Martin Willi
  * Copyright (C) 2008 Tobias Brunner
- * Copyright (C) 2006-2008 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: authenticator.c 4276 2008-08-22 10:44:51Z martin $
  */
 
 #include <string.h>
@@ -23,6 +21,7 @@
 #include <sa/authenticators/pubkey_authenticator.h>
 #include <sa/authenticators/psk_authenticator.h>
 #include <sa/authenticators/eap_authenticator.h>
+#include <encoding/payloads/auth_payload.h>
 
 
 ENUM_BEGIN(auth_method_names, AUTH_RSA, AUTH_DSS,
@@ -35,7 +34,8 @@ ENUM_NEXT(auth_method_names, AUTH_ECDSA_256, AUTH_ECDSA_521, AUTH_DSS,
 	"ECDSA-521 signature");
 ENUM_END(auth_method_names, AUTH_ECDSA_521);
 
-ENUM(auth_class_names, AUTH_CLASS_PUBKEY, AUTH_CLASS_EAP,
+ENUM(auth_class_names, AUTH_CLASS_ANY, AUTH_CLASS_EAP,
+	"any",
 	"public key",
 	"pre-shared key",
 	"EAP",
@@ -44,17 +44,23 @@ ENUM(auth_class_names, AUTH_CLASS_PUBKEY, AUTH_CLASS_EAP,
 /**
  * Described in header.
  */
-authenticator_t *authenticator_create_from_class(ike_sa_t *ike_sa,
-												 auth_class_t class)
+authenticator_t *authenticator_create_builder(ike_sa_t *ike_sa, auth_cfg_t *cfg,
+									chunk_t received_nonce, chunk_t sent_nonce,
+									chunk_t received_init, chunk_t sent_init)
 {
-	switch (class)
+	switch ((uintptr_t)cfg->get(cfg, AUTH_RULE_AUTH_CLASS))
 	{
+		case AUTH_CLASS_ANY:
+			/* defaults to PUBKEY */
 		case AUTH_CLASS_PUBKEY:
-			return (authenticator_t*)pubkey_authenticator_create(ike_sa);
+			return (authenticator_t*)pubkey_authenticator_create_builder(ike_sa,
+											received_nonce, sent_init);
 		case AUTH_CLASS_PSK:
-			return (authenticator_t*)psk_authenticator_create(ike_sa);
+			return (authenticator_t*)psk_authenticator_create_builder(ike_sa,
+											received_nonce, sent_init);
 		case AUTH_CLASS_EAP:
-			return (authenticator_t*)eap_authenticator_create(ike_sa);
+			return (authenticator_t*)eap_authenticator_create_builder(ike_sa,
+						received_nonce, sent_nonce, received_init, sent_init);
 		default:
 			return NULL;
 	}
@@ -63,19 +69,32 @@ authenticator_t *authenticator_create_from_class(ike_sa_t *ike_sa,
 /**
  * Described in header.
  */
-authenticator_t *authenticator_create_from_method(ike_sa_t *ike_sa,
-												  auth_method_t method)
+authenticator_t *authenticator_create_verifier(
+									ike_sa_t *ike_sa, message_t *message,
+									chunk_t received_nonce, chunk_t sent_nonce,
+									chunk_t received_init, chunk_t sent_init)
 {
-	switch (method)
+	auth_payload_t *auth_payload;
+	
+	auth_payload = (auth_payload_t*)message->get_payload(message, AUTHENTICATION);
+	if (auth_payload == NULL)
+	{
+		return (authenticator_t*)eap_authenticator_create_verifier(ike_sa,
+						received_nonce, sent_nonce, received_init, sent_init);
+	}
+	switch (auth_payload->get_auth_method(auth_payload))
 	{
 		case AUTH_RSA:
 		case AUTH_ECDSA_256:
 		case AUTH_ECDSA_384:
 		case AUTH_ECDSA_521:
-			return (authenticator_t*)pubkey_authenticator_create(ike_sa);
+			return (authenticator_t*)pubkey_authenticator_create_verifier(ike_sa,
+													sent_nonce, received_init);
 		case AUTH_PSK:
-			return (authenticator_t*)psk_authenticator_create(ike_sa);
+			return (authenticator_t*)psk_authenticator_create_verifier(ike_sa,
+													sent_nonce, received_init);
 		default:
 			return NULL;
 	}
 }
+
diff --git a/src/charon/sa/authenticators/authenticator.h b/src/charon/sa/authenticators/authenticator.h
index 345cc7deb..c60881629 100644
--- a/src/charon/sa/authenticators/authenticator.h
+++ b/src/charon/sa/authenticators/authenticator.h
@@ -1,6 +1,6 @@
 /*
+ * Copyright (C) 2005-2009 Martin Willi
  * Copyright (C) 2008 Tobias Brunner
- * Copyright (C) 2005-2008 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
  *
@@ -13,8 +13,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: authenticator.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -30,9 +28,8 @@ typedef enum auth_class_t auth_class_t;
 typedef struct authenticator_t authenticator_t;
 
 #include <library.h>
+#include <config/auth_cfg.h>
 #include <sa/ike_sa.h>
-#include <config/peer_cfg.h>
-#include <encoding/payloads/auth_payload.h>
 
 /**
  * Method to use for authentication, as defined in IKEv2.
@@ -84,6 +81,8 @@ extern enum_name_t *auth_method_names;
  * certificate finally dictates wich method is used.
  */
 enum auth_class_t {
+	/** any class acceptable */
+	AUTH_CLASS_ANY = 0,
 	/** authentication using public keys (RSA, ECDSA) */
 	AUTH_CLASS_PUBKEY = 1,
 	/** authentication using a pre-shared secrets */
@@ -100,66 +99,70 @@ extern enum_name_t *auth_class_names;
 /**
  * Authenticator interface implemented by the various authenticators.
  *
- * Currently the following two AUTH methods are supported:
- *  - shared key message integrity code
- *  - RSA digital signature
- *  - EAP using the EAP framework and one of the EAP plugins
- *  - ECDSA is supported using OpenSSL
+ * An authenticator implementation handles AUTH and EAP payloads. Received
+ * messages are passed to the process() method, to send authentication data
+ * the message is passed to the build() method.
  */
 struct authenticator_t {
 
 	/**
-	 * Verify a received authentication payload.
+	 * Process an incoming message using the authenticator.
 	 *
-	 * @param ike_sa_init	binary representation of received ike_sa_init
-	 * @param my_nonce		the sent nonce
-	 * @param auth_payload	authentication payload to verify
+	 * @param message		message containing authentication payloads
 	 * @return
-	 *						- SUCCESS,
-	 *						- FAILED if verification failed
-	 *						- INVALID_ARG if auth_method does not match
-	 *						- NOT_FOUND if credentials not found
+	 *						- SUCCESS if authentication successful
+	 *						- FAILED if authentication failed
+	 *						- NEED_MORE if another exchange required
 	 */
-	status_t (*verify) (authenticator_t *this, chunk_t ike_sa_init,
-						chunk_t my_nonce, auth_payload_t *auth_payload);
-
+	status_t (*process)(authenticator_t *this, message_t *message);
+	
 	/**
-	 * Build an authentication payload to send to the other peer.
+	 * Attach authentication data to an outgoing message.
 	 *
-	 * @param ike_sa_init	binary representation of sent ike_sa_init
-	 * @param other_nonce	the received nonce
-	 * @param auth_payload	the resulting authentication payload
+	 * @param message		message to add authentication data to
 	 * @return
-	 *						- SUCCESS,
-	 *						- NOT_FOUND if credentials not found
+	 *						- SUCCESS if authentication successful
+	 *						- FAILED if authentication failed
+	 *						- NEED_MORE if another exchange required
 	 */
-	status_t (*build) (authenticator_t *this, chunk_t ike_sa_init,
-					   chunk_t other_nonce, auth_payload_t **auth_payload);
-
+	status_t (*build)(authenticator_t *this, message_t *message);
+	
 	/**
-	 * Destroys a authenticator_t object.
+	 * Destroy authenticator instance.
 	 */
 	void (*destroy) (authenticator_t *this);
 };
 
 /**
- * Creates an authenticator for the specified auth class (as configured).
+ * Create an authenticator to build signatures.
  *
- * @param ike_sa		associated ike_sa
- * @param class			class of authentication to use
- * @return				authenticator_t object
+ * @param ike_sa			associated ike_sa
+ * @param cfg				authentication configuration
+ * @param received_nonce	nonce received in IKE_SA_INIT
+ * @param sent_nonce		nonce sent in IKE_SA_INIT
+ * @param received_init		received IKE_SA_INIT message data
+ * @param sent_init			sent IKE_SA_INIT message data
+ * @return					authenticator, NULL if not supported
  */
-authenticator_t *authenticator_create_from_class(ike_sa_t *ike_sa,
-												 auth_class_t class);
+authenticator_t *authenticator_create_builder(
+									ike_sa_t *ike_sa, auth_cfg_t *cfg,
+									chunk_t received_nonce, chunk_t sent_nonce,
+									chunk_t received_init, chunk_t sent_init);
 
 /**
- * Creates an authenticator for method (as received in payload).
+ * Create an authenticator to verify signatures.
  * 
- * @param ike_sa		associated ike_sa
- * @param method		method as found in payload
- * @return				authenticator_t object
+ * @param ike_sa			associated ike_sa
+ * @param message			message containing authentication data
+ * @param received_nonce	nonce received in IKE_SA_INIT
+ * @param sent_nonce		nonce sent in IKE_SA_INIT
+ * @param received_init		received IKE_SA_INIT message data
+ * @param sent_init			sent IKE_SA_INIT message data
+ * @return					authenticator, NULL if not supported
  */
-authenticator_t *authenticator_create_from_method(ike_sa_t *ike_sa,	
-												  auth_method_t method);
+authenticator_t *authenticator_create_verifier(
+									ike_sa_t *ike_sa, message_t *message,
+									chunk_t received_nonce, chunk_t sent_nonce,
+									chunk_t received_init, chunk_t sent_init);
 
 #endif /** AUTHENTICATOR_H_ @}*/
diff --git a/src/charon/sa/authenticators/eap/eap_manager.c b/src/charon/sa/authenticators/eap/eap_manager.c
index c1c2d6fce..b8316036e 100644
--- a/src/charon/sa/authenticators/eap/eap_manager.c
+++ b/src/charon/sa/authenticators/eap/eap_manager.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: eap_manager.c 4579 2008-11-05 11:29:56Z martin $
  */
 
 #include "eap_manager.h"
@@ -65,9 +63,9 @@ struct private_eap_manager_t {
 	linked_list_t *methods;
 	
 	/**
-	 * mutex to lock methods
+	 * rwlock to lock methods
 	 */
-	mutex_t *mutex;
+	rwlock_t *lock;
 };
 
 /**
@@ -84,9 +82,9 @@ static void add_method(private_eap_manager_t *this, eap_type_t type,
 	entry->role = role;
 	entry->constructor = constructor;
 
-	this->mutex->lock(this->mutex);
+	this->lock->write_lock(this->lock);
 	this->methods->insert_last(this->methods, entry);
-	this->mutex->unlock(this->mutex);
+	this->lock->unlock(this->lock);
 }
 
 /**
@@ -97,7 +95,7 @@ static void remove_method(private_eap_manager_t *this, eap_constructor_t constru
 	enumerator_t *enumerator;
 	eap_entry_t *entry;
 	
-	this->mutex->lock(this->mutex);
+	this->lock->write_lock(this->lock);
 	enumerator = this->methods->create_enumerator(this->methods);
 	while (enumerator->enumerate(enumerator, &entry))
 	{
@@ -108,7 +106,7 @@ static void remove_method(private_eap_manager_t *this, eap_constructor_t constru
 		}
 	}
 	enumerator->destroy(enumerator);
-	this->mutex->unlock(this->mutex);
+	this->lock->unlock(this->lock);
 }
 
 /**
@@ -123,7 +121,7 @@ static eap_method_t* create_instance(private_eap_manager_t *this,
 	eap_entry_t *entry;
 	eap_method_t *method = NULL;
 	
-	this->mutex->lock(this->mutex);
+	this->lock->read_lock(this->lock);
 	enumerator = this->methods->create_enumerator(this->methods);
 	while (enumerator->enumerate(enumerator, &entry))
 	{
@@ -138,7 +136,7 @@ static eap_method_t* create_instance(private_eap_manager_t *this,
 		}
 	}
 	enumerator->destroy(enumerator);
-	this->mutex->unlock(this->mutex);
+	this->lock->unlock(this->lock);
 	return method;
 }
 
@@ -148,7 +146,7 @@ static eap_method_t* create_instance(private_eap_manager_t *this,
 static void destroy(private_eap_manager_t *this)
 {
 	this->methods->destroy_function(this->methods, free);
-	this->mutex->destroy(this->mutex);
+	this->lock->destroy(this->lock);
 	free(this);
 }
 
@@ -165,7 +163,7 @@ eap_manager_t *eap_manager_create()
 	this->public.destroy = (void(*)(eap_manager_t*))destroy;
 	
 	this->methods = linked_list_create();
-	this->mutex = mutex_create(MUTEX_DEFAULT);
+	this->lock = rwlock_create(RWLOCK_DEFAULT);
 	
 	return &this->public;
 }
diff --git a/src/charon/sa/authenticators/eap/eap_manager.h b/src/charon/sa/authenticators/eap/eap_manager.h
index db5535a81..667c54a8e 100644
--- a/src/charon/sa/authenticators/eap/eap_manager.h
+++ b/src/charon/sa/authenticators/eap/eap_manager.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: eap_manager.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/charon/sa/authenticators/eap/eap_method.c b/src/charon/sa/authenticators/eap/eap_method.c
index 2e4307eb4..1d1900301 100644
--- a/src/charon/sa/authenticators/eap/eap_method.c
+++ b/src/charon/sa/authenticators/eap/eap_method.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: eap_method.c 4997 2009-03-24 10:24:58Z martin $
  */
 
 #include "eap_method.h"
@@ -36,6 +34,36 @@ ENUM_NEXT(eap_type_names, EAP_RADIUS, EAP_EXPERIMENTAL, EAP_MSCHAPV2,
 	"EAP_EXPERIMENTAL");
 ENUM_END(eap_type_names, EAP_EXPERIMENTAL);
 
+/*
+ * See header
+ */
+eap_type_t eap_type_from_string(char *name)
+{
+	int i;
+	static struct {
+		char *name;
+		eap_type_t type;
+	} types[] = {
+		{"identity",	EAP_IDENTITY},
+		{"md5",			EAP_MD5},
+		{"otp",			EAP_OTP},
+		{"gtc",			EAP_GTC},
+		{"sim",			EAP_SIM},
+		{"aka",			EAP_AKA},
+		{"mschapv2",	EAP_MSCHAPV2},
+		{"radius",		EAP_RADIUS},
+	};
+	
+	for (i = 0; i < countof(types); i++)
+	{
+		if (strcaseeq(name, types[i].name))
+		{
+			return types[i].type;
+		}
+	}
+	return 0;
+}
+
 ENUM(eap_code_names, EAP_REQUEST, EAP_FAILURE,
 	"EAP_REQUEST",
 	"EAP_RESPONSE",
@@ -48,3 +76,6 @@ ENUM(eap_role_names, EAP_SERVER, EAP_PEER,
 	"EAP_PEER",
 );
 
+
+
+
diff --git a/src/charon/sa/authenticators/eap/eap_method.h b/src/charon/sa/authenticators/eap/eap_method.h
index 6f3da1ba7..578b89e96 100644
--- a/src/charon/sa/authenticators/eap/eap_method.h
+++ b/src/charon/sa/authenticators/eap/eap_method.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: eap_method.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -68,6 +66,14 @@ enum eap_type_t {
  */
 extern enum_name_t *eap_type_names;
 
+/**
+ * Lookup the EAP method type from a string.
+ *
+ * @param name		EAP method name (such as "md5", "aka")
+ * @return			method type, 0 if unkown
+ */
+eap_type_t eap_type_from_string(char *name);
+
 /**
  * EAP code, type of an EAP message
  */
@@ -83,7 +89,6 @@ enum eap_code_t {
  */
 extern enum_name_t *eap_code_names;
 
-
 /**
  * Interface of an EAP method for server and client side.
  *
diff --git a/src/charon/sa/authenticators/eap/sim_manager.c b/src/charon/sa/authenticators/eap/sim_manager.c
index e6817ca20..51cd4fb3f 100644
--- a/src/charon/sa/authenticators/eap/sim_manager.c
+++ b/src/charon/sa/authenticators/eap/sim_manager.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 #include "sim_manager.h"
diff --git a/src/charon/sa/authenticators/eap/sim_manager.h b/src/charon/sa/authenticators/eap/sim_manager.h
index 69a2e4df9..3c6d66dfe 100644
--- a/src/charon/sa/authenticators/eap/sim_manager.h
+++ b/src/charon/sa/authenticators/eap/sim_manager.h
@@ -39,7 +39,7 @@ struct sim_card_t {
 	 * The returned identity owned by the sim_card and not destroyed outside.
 	 * The SIM card may return ID_ANY if it does not support/use an IMSI.
 	 *
-	 * @return		identity of type ID_EAP/ID_ANY
+	 * @return		identity
 	 */
 	identification_t* (*get_imsi)(sim_card_t *this);
 	
@@ -63,7 +63,7 @@ struct sim_provider_t {
 	/**
 	 * Get a single triplet to authenticate a EAP client.
 	 *
-	 * @param imsi	client identity of type ID_EAP
+	 * @param imsi	client identity
 	 * @param rand	RAND output buffer, fixed size 16 bytes
 	 * @param sres	SRES output buffer, fixed size 4 byte
 	 * @param kc	KC output buffer, fixed size 8 bytes
diff --git a/src/charon/sa/authenticators/eap_authenticator.c b/src/charon/sa/authenticators/eap_authenticator.c
index 7b97fe56c..2abdf7a02 100644
--- a/src/charon/sa/authenticators/eap_authenticator.c
+++ b/src/charon/sa/authenticators/eap_authenticator.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006-2008 Martin Willi
+ * Copyright (C) 2006-2009 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -11,17 +11,14 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: eap_authenticator.c 5037 2009-03-26 13:58:17Z andreas $
  */
 
-#include <string.h>
-
 #include "eap_authenticator.h"
 
 #include <daemon.h>
-#include <config/peer_cfg.h>
 #include <sa/authenticators/eap/eap_method.h>
+#include <encoding/payloads/auth_payload.h>
+#include <encoding/payloads/eap_payload.h>
 
 typedef struct private_eap_authenticator_t private_eap_authenticator_t;
 
@@ -41,9 +38,24 @@ struct private_eap_authenticator_t {
 	ike_sa_t *ike_sa;
 	
 	/**
-	 * Role of this authenticator, PEER or SERVER
+	 * others nonce to include in AUTH calculation
+	 */
+	chunk_t received_nonce;
+	
+	/**
+	 * our nonce to include in AUTH calculation
+	 */
+	chunk_t sent_nonce;
+	
+	/**
+	 * others IKE_SA_INIT message data to include in AUTH calculation
+	 */
+	chunk_t received_init;
+	
+	/**
+	 * our IKE_SA_INIT message data to include in AUTH calculation
 	 */
-	eap_role_t role;
+	chunk_t sent_init;
 	
 	/**
 	 * Current EAP method processing
@@ -56,442 +68,514 @@ struct private_eap_authenticator_t {
 	chunk_t msk;
 	
 	/**
-	 * should we do a EAP-Identity exchange as server?
+	 * EAP authentication method completed successfully
 	 */
-	bool do_eap_identity;
+	bool eap_complete;
 	
 	/**
-	 * saved EAP type if we do eap_identity
+	 * authentication payload verified successfully
 	 */
-	eap_type_t type;
+	bool auth_complete;
 	
 	/**
-	 * saved vendor id if we do eap_identity
+	 * generated EAP payload
 	 */
-	u_int32_t vendor;
+	eap_payload_t *eap_payload;
+	
+	/**
+	 * EAP identity of peer
+	 */
+	identification_t *eap_identity;
 };
+
 /**
- * Implementation of authenticator_t.verify.
+ * load an EAP method
  */
-static status_t verify(private_eap_authenticator_t *this, chunk_t ike_sa_init,
-					   chunk_t my_nonce, auth_payload_t *auth_payload)
+static eap_method_t *load_method(private_eap_authenticator_t *this,
+							eap_type_t type, u_int32_t vendor, eap_role_t role)
 {
-	chunk_t auth_data, recv_auth_data;
-	identification_t *other_id;
-	keymat_t *keymat;
-	
-	other_id = this->ike_sa->get_other_id(this->ike_sa);
-	keymat = this->ike_sa->get_keymat(this->ike_sa);
-	
-	auth_data = keymat->get_psk_sig(keymat, TRUE, ike_sa_init, my_nonce,
-									this->msk, other_id);
+	identification_t *server, *peer;
 	
-	recv_auth_data = auth_payload->get_data(auth_payload);
-	if (!auth_data.len || !chunk_equals(auth_data, recv_auth_data))
+	if (role == EAP_SERVER)
 	{
-		DBG1(DBG_IKE, "verification of AUTH payload created from EAP MSK failed");
-		chunk_free(&auth_data);
-		return FAILED;
+		server = this->ike_sa->get_my_id(this->ike_sa);
+		peer = this->ike_sa->get_other_id(this->ike_sa);
 	}
-	chunk_free(&auth_data);
-	
-	DBG1(DBG_IKE, "authentication of '%D' with %N successful",
-		 other_id, auth_class_names, AUTH_CLASS_EAP);
-	return SUCCESS;
-}
-
-/**
- * Implementation of authenticator_t.build.
- */
-static status_t build(private_eap_authenticator_t *this, chunk_t ike_sa_init,
-					  chunk_t other_nonce, auth_payload_t **auth_payload)
-{
-	identification_t *my_id;
-	chunk_t auth_data;
-	keymat_t *keymat;
-	
-	my_id = this->ike_sa->get_my_id(this->ike_sa);
-	keymat = this->ike_sa->get_keymat(this->ike_sa);
-	
-	DBG1(DBG_IKE, "authentication of '%D' (myself) with %N",
-		 my_id, auth_class_names, AUTH_CLASS_EAP);
-	
-	auth_data = keymat->get_psk_sig(keymat, FALSE, ike_sa_init, other_nonce,
-									this->msk, my_id);
-	
-	*auth_payload = auth_payload_create();
-	(*auth_payload)->set_auth_method(*auth_payload, AUTH_PSK);
-	(*auth_payload)->set_data(*auth_payload, auth_data);
-	chunk_free(&auth_data);
-	
-	return SUCCESS;
+	else
+	{
+		server = this->ike_sa->get_other_id(this->ike_sa);
+		peer = this->ike_sa->get_my_id(this->ike_sa);
+	}
+	if (this->eap_identity)
+	{
+		peer = this->eap_identity;
+	}
+	return charon->eap->create_instance(charon->eap, type, vendor,
+										role, server, peer);
 }
 
 /**
- * get the peers identity to use in the EAP method
+ * Initiate EAP conversation as server
  */
-static identification_t *get_peer_id(private_eap_authenticator_t *this)
+static eap_payload_t* server_initiate_eap(private_eap_authenticator_t *this,
+										  bool do_identity)
 {
+	auth_cfg_t *auth;
+	eap_type_t type;
 	identification_t *id;
-	peer_cfg_t *config;
-	auth_info_t *auth;
+	u_int32_t vendor;
+	eap_payload_t *out;
+	
+	auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
 	
-	id = this->ike_sa->get_eap_identity(this->ike_sa);
-	if (!id)
+	/* initiate EAP-Identity exchange if required */
+	if (!this->eap_identity && do_identity)
 	{
-		config = this->ike_sa->get_peer_cfg(this->ike_sa);
-		auth = config->get_auth(config);
-		if (!auth->get_item(auth, AUTHN_EAP_IDENTITY, (void**)&id) ||
-			id->get_type(id) == ID_ANY)
+		id = auth->get(auth, AUTH_RULE_EAP_IDENTITY);
+		if (id)
 		{
-			if (this->role == EAP_PEER)
+			this->method = load_method(this, EAP_IDENTITY, 0, EAP_SERVER);
+			if (this->method)
 			{
-				id = this->ike_sa->get_my_id(this->ike_sa);
-			}
-			else
-			{
-				id = this->ike_sa->get_other_id(this->ike_sa);
+				if (this->method->initiate(this->method, &out) == NEED_MORE)
+				{
+					DBG1(DBG_IKE, "initiating EAP-Identity request");
+					return out;
+				}
+				this->method->destroy(this->method);
 			}
+			DBG1(DBG_IKE, "EAP-Identity request configured, but not supported");
 		}
 	}
-	if (id->get_type(id) == ID_EAP)
+	/* invoke real EAP method */
+	type = (uintptr_t)auth->get(auth, AUTH_RULE_EAP_TYPE);
+	vendor = (uintptr_t)auth->get(auth, AUTH_RULE_EAP_VENDOR);
+	this->method = load_method(this, type, vendor, EAP_SERVER);
+	if (this->method &&
+		this->method->initiate(this->method, &out) == NEED_MORE)
 	{
-		return id->clone(id);
+		if (vendor)
+		{
+			DBG1(DBG_IKE, "initiating EAP vendor type %d-%d", type, vendor);
+			
+		}
+		else
+		{
+			DBG1(DBG_IKE, "initiating %N", eap_type_names, type);
+		}
+		return out;
 	}
-	return identification_create_from_encoding(ID_EAP, id->get_encoding(id));
-}
-
-/**
- * get the servers identity to use in the EAP method
- */
-static identification_t *get_server_id(private_eap_authenticator_t *this)
-{
-	identification_t *id;
-	
-	if (this->role == EAP_SERVER)
+	if (vendor)
 	{
-		id = this->ike_sa->get_my_id(this->ike_sa);
+		DBG1(DBG_IKE, "initiating EAP vendor type %d-%d failed", type, vendor);
 	}
 	else
 	{
-		id = this->ike_sa->get_other_id(this->ike_sa);
+		DBG1(DBG_IKE, "initiating %N failed", eap_type_names, type);
 	}
-	if (id->get_type(id) == ID_EAP)
-	{
-		return id->clone(id);
-	}
-	return identification_create_from_encoding(ID_EAP, id->get_encoding(id));
-}
-
-/**
- * load an EAP method using the correct identities
- */
-static eap_method_t *load_method(private_eap_authenticator_t *this,
-							eap_type_t type, u_int32_t vendor, eap_role_t role)
-{
-	identification_t *server, *peer;
-	eap_method_t *method;
-	
-	server = get_server_id(this);
-	peer = get_peer_id(this);
-	method = charon->eap->create_instance(charon->eap, type, vendor, role,
-										  server, peer);		 
-	server->destroy(server);
-	peer->destroy(peer);
-	return method;
+	return eap_payload_create_code(EAP_FAILURE, 0);
 }
 
 /**
- * Implementation of eap_authenticator_t.initiate
+ * Handle EAP exchange as server
  */
-static status_t initiate(private_eap_authenticator_t *this, eap_type_t type,
-						 u_int32_t vendor, eap_payload_t **out)
+static eap_payload_t* server_process_eap(private_eap_authenticator_t *this,
+										 eap_payload_t *in)
 {
-	/* if initiate() is called, role is always server */
-	this->role = EAP_SERVER;
-	
-	if (this->do_eap_identity)
-	{	/* do an EAP-Identity request first */
-		this->type = type;
-		this->vendor = vendor;
-		vendor = 0;
-		type = EAP_IDENTITY;
-	}
+	eap_type_t type, received_type;
+	u_int32_t vendor, received_vendor;
+	eap_payload_t *out;
+	auth_cfg_t *cfg;
 	
-	if (type == 0)
+	if (in->get_code(in) != EAP_RESPONSE)
 	{
-		DBG1(DBG_IKE,
-			 "client requested EAP authentication, but configuration forbids it");
-		*out = eap_payload_create_code(EAP_FAILURE, 0);
-		return FAILED;
+		DBG1(DBG_IKE, "received %N, sending %N",
+			 eap_code_names, in->get_code(in), eap_code_names, EAP_FAILURE);
+		return eap_payload_create_code(EAP_FAILURE, in->get_identifier(in));
 	}
 	
-	if (vendor)
-	{
-		DBG1(DBG_IKE, "requesting vendor specific EAP method %d-%d",
-			 type, vendor);
-	}
-	else
-	{
-		DBG1(DBG_IKE, "requesting EAP method %N", eap_type_names, type);
-	}
-	this->method = load_method(this, type, vendor, this->role);
-	if (this->method == NULL)
+	type = this->method->get_type(this->method, &vendor);
+	received_type = in->get_type(in, &received_vendor);
+	if (type != received_type || vendor != received_vendor)
 	{
-		if (vendor == 0 && type == EAP_IDENTITY)
+		if (received_vendor == 0 && received_type == EAP_NAK)
 		{
-			DBG1(DBG_IKE, "skipping %N, no implementation found",
-				 eap_type_names, type);
-			this->do_eap_identity = FALSE;
-			return initiate(this, this->type, this->vendor, out);
+			DBG1(DBG_IKE, "received %N, sending %N",
+				 eap_type_names, EAP_NAK, eap_code_names, EAP_FAILURE);
+		}
+		else
+		{
+			DBG1(DBG_IKE, "received invalid EAP response, sending %N",
+				 eap_code_names, EAP_FAILURE);
 		}
-		DBG1(DBG_IKE, "configured EAP server method not supported, sending %N",
-			 eap_code_names, EAP_FAILURE);
-		*out = eap_payload_create_code(EAP_FAILURE, 0);
-		return FAILED;
+		return eap_payload_create_code(EAP_FAILURE, in->get_identifier(in));
 	}
-	if (this->method->initiate(this->method, out) != NEED_MORE)
+	
+	switch (this->method->process(this->method, in, &out))
 	{
-		DBG1(DBG_IKE, "failed to initiate EAP exchange, sending %N",
-			 eap_code_names, EAP_FAILURE);
-		*out = eap_payload_create_code(EAP_FAILURE, 0);
-		return FAILED;	
+		case NEED_MORE:
+			return out;
+		case SUCCESS:
+			if (type == EAP_IDENTITY)
+			{
+				chunk_t data;
+				char buf[256];
+				
+				if (this->method->get_msk(this->method, &data) == SUCCESS)
+				{
+					snprintf(buf, sizeof(buf), "%.*s", data.len, data.ptr);
+					this->eap_identity = identification_create_from_string(buf);
+					DBG1(DBG_IKE, "received EAP identity '%Y'",
+						 this->eap_identity);
+				}
+				/* restart EAP exchange, but with real method */
+				this->method->destroy(this->method);
+				return server_initiate_eap(this, FALSE);
+			}
+			if (this->method->get_msk(this->method, &this->msk) == SUCCESS)
+			{
+				this->msk = chunk_clone(this->msk);
+			}
+			if (vendor)
+			{
+				DBG1(DBG_IKE, "EAP vendor specific method %d-%d succeeded, "
+					 "%sMSK established", type, vendor,
+					 this->msk.ptr ? "" : "no ");
+			}
+			else
+			{
+				DBG1(DBG_IKE, "EAP method %N succeeded, %sMSK established",
+					 eap_type_names, type, this->msk.ptr ? "" : "no ");
+			}
+			this->ike_sa->set_condition(this->ike_sa, COND_EAP_AUTHENTICATED,
+										TRUE);
+			cfg = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
+			cfg->add(cfg, AUTH_RULE_EAP_TYPE, type);
+			if (vendor)
+			{
+				cfg->add(cfg, AUTH_RULE_EAP_VENDOR, vendor);
+			}
+			this->eap_complete = TRUE;
+			return eap_payload_create_code(EAP_SUCCESS, in->get_identifier(in));
+		case FAILED:
+		default:
+			if (vendor)
+			{
+				DBG1(DBG_IKE, "EAP vendor specific method %d-%d failed for "
+					 "peer %Y", type, vendor, 
+					 this->ike_sa->get_other_id(this->ike_sa));
+			}
+			else
+			{
+				DBG1(DBG_IKE, "EAP method %N failed for peer %Y",
+					 eap_type_names, type,
+					 this->ike_sa->get_other_id(this->ike_sa));
+			}
+			return eap_payload_create_code(EAP_FAILURE, in->get_identifier(in));
 	}
-	return NEED_MORE;
 }
 
 /**
  * Processing method for a peer
  */
-static status_t process_peer(private_eap_authenticator_t *this,
-							 eap_payload_t *in, eap_payload_t **out)
+static eap_payload_t* client_process_eap(private_eap_authenticator_t *this,
+										 eap_payload_t *in)
 {
 	eap_type_t type;
 	u_int32_t vendor;
+	auth_cfg_t *auth;
+	eap_payload_t *out;
+	identification_t *id;
 	
 	type = in->get_type(in, &vendor);
 	
 	if (!vendor && type == EAP_IDENTITY)
 	{
-		eap_method_t *method;
+		DESTROY_IF(this->eap_identity);
+		auth = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
+		id = auth->get(auth, AUTH_RULE_EAP_IDENTITY);
+		if (!id || id->get_type(id) == ID_ANY)
+		{
+			id = this->ike_sa->get_my_id(this->ike_sa);
+		}
+		DBG1(DBG_IKE, "server requested %N, sending '%Y'",
+			 eap_type_names, type, id);
+		this->eap_identity = id->clone(id);
 		
-		method = load_method(this, type, 0, EAP_PEER);
-		if (method == NULL || method->process(method, in, out) != SUCCESS)
+		this->method = load_method(this, type, vendor, EAP_PEER);
+		if (this->method)
 		{
-			DBG1(DBG_IKE, "EAP server requested %N, but unable to process",
-				 eap_type_names, type);
-			DESTROY_IF(method);
-			return FAILED;
+			if (this->method->process(this->method, in, &out) == SUCCESS)
+			{
+				this->method->destroy(this->method);
+				this->method = NULL;
+				return out;
+			}
+			this->method->destroy(this->method);
+			this->method = NULL;
 		}
-		DBG1(DBG_IKE, "EAP server requested %N", eap_type_names, type);	 
-		method->destroy(method);
-		return NEED_MORE;
+		DBG1(DBG_IKE, "%N not supported, sending EAP_NAK",
+			 eap_type_names, type);
+		return eap_payload_create_nak(in->get_identifier(in));
 	}
-	
-	/* create an eap_method for the first call */
 	if (this->method == NULL)
 	{
 		if (vendor)
 		{
-			DBG1(DBG_IKE, "EAP server requested vendor specific EAP method %d-%d",
+			DBG1(DBG_IKE, "server requested vendor specific EAP method %d-%d",
 				 type, vendor);
 		}
 		else
 		{
-			DBG1(DBG_IKE, "EAP server requested %N authentication",
+			DBG1(DBG_IKE, "server requested %N authentication",
 				 eap_type_names, type);
 		}
 		this->method = load_method(this, type, vendor, EAP_PEER);
-		if (this->method == NULL)
+		if (!this->method)
 		{
-			DBG1(DBG_IKE, "EAP server requested unsupported "
-				 "EAP method, sending EAP_NAK");
-			*out = eap_payload_create_nak(in->get_identifier(in));
-			return NEED_MORE;
+			DBG1(DBG_IKE, "EAP method not supported, sending EAP_NAK");
+			return eap_payload_create_nak(in->get_identifier(in));
 		}
 	}
 	
 	type = this->method->get_type(this->method, &vendor);
 	
-	switch (this->method->process(this->method, in, out))
+	if (this->method->process(this->method, in, &out) == NEED_MORE)
+	{	/* client methods should never return SUCCESS */
+		return out;
+	}
+	
+	if (vendor)
 	{
-		case NEED_MORE:
-			return NEED_MORE;
-		case SUCCESS:
-			if (vendor)
-			{
-				DBG1(DBG_IKE, "EAP vendor specific method %d-%d succeded",
-					 type, vendor);
-			}
-			else
-			{
-				DBG1(DBG_IKE, "EAP method %N succeeded", eap_type_names, type);
-			}
-			return SUCCESS;
-		case FAILED:
-		default:
-			if (vendor)
-			{
-				DBG1(DBG_IKE, "EAP vendor specific method %d-%d failed",
-					 type, vendor);
-			}
-			else
-			{
-				DBG1(DBG_IKE, "EAP method %N failed",
-					 eap_type_names, type);
-			}
-			return FAILED;
+		DBG1(DBG_IKE, "vendor specific EAP method %d-%d failed", type, vendor);
+	}
+	else
+	{
+		DBG1(DBG_IKE, "%N method failed", eap_type_names, type);
 	}
+	return NULL;
 }
 
 /**
- * handle an EAP-Identity response on the server
+ * Verify AUTH payload
  */
-static status_t process_eap_identity(private_eap_authenticator_t *this,
-									 eap_payload_t **out)
+static bool verify_auth(private_eap_authenticator_t *this, message_t *message,
+						chunk_t nonce, chunk_t init)
 {
-	chunk_t data;
-	identification_t *id;
-
-	if (this->method->get_msk(this->method, &data) == SUCCESS)
+	auth_payload_t *auth_payload;
+	chunk_t auth_data, recv_auth_data;
+	identification_t *other_id;
+	auth_cfg_t *auth;
+	keymat_t *keymat;
+	
+	auth_payload = (auth_payload_t*)message->get_payload(message,
+														 AUTHENTICATION);
+	if (!auth_payload)
 	{
-		id = identification_create_from_encoding(ID_EAP, data);
-		DBG1(DBG_IKE, "using EAP identity '%D'", id);
-		this->ike_sa->set_eap_identity(this->ike_sa, id);
+		DBG1(DBG_IKE, "AUTH payload missing");
+		return FALSE;
 	}
-	/* restart EAP exchange, but with real method */
-	this->method->destroy(this->method);
-	this->method = NULL;
-	this->do_eap_identity = FALSE;
-	return initiate(this, this->type, this->vendor, out);
+	other_id = this->ike_sa->get_other_id(this->ike_sa);
+	keymat = this->ike_sa->get_keymat(this->ike_sa);
+	auth_data = keymat->get_psk_sig(keymat, TRUE, init, nonce,
+									this->msk, other_id);
+	recv_auth_data = auth_payload->get_data(auth_payload);
+	if (!auth_data.len || !chunk_equals(auth_data, recv_auth_data))
+	{
+		DBG1(DBG_IKE, "verification of AUTH payload with%s EAP MSK failed",
+			 this->msk.ptr ? "" : "out");
+		chunk_free(&auth_data);
+		return FALSE;
+	}
+	chunk_free(&auth_data);
+	
+	DBG1(DBG_IKE, "authentication of '%Y' with %N successful",
+		 other_id, auth_class_names, AUTH_CLASS_EAP);
+	this->auth_complete = TRUE;
+	auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
+	auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_EAP);
+	return TRUE;
+}
+
+/**
+ * Build AUTH payload
+ */
+static void build_auth(private_eap_authenticator_t *this, message_t *message,
+					   chunk_t nonce, chunk_t init)
+{
+	auth_payload_t *auth_payload;
+	identification_t *my_id;
+	chunk_t auth_data;
+	keymat_t *keymat;
+	
+	my_id = this->ike_sa->get_my_id(this->ike_sa);
+	keymat = this->ike_sa->get_keymat(this->ike_sa);
+	
+	DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N",
+		 my_id, auth_class_names, AUTH_CLASS_EAP);
+	
+	auth_data = keymat->get_psk_sig(keymat, FALSE, init, nonce, this->msk, my_id);
+	auth_payload = auth_payload_create();
+	auth_payload->set_auth_method(auth_payload, AUTH_PSK);
+	auth_payload->set_data(auth_payload, auth_data);
+	message->add_payload(message, (payload_t*)auth_payload);
+	chunk_free(&auth_data);
 }
 
 /**
- * Processing method for a server
+ * Implementation of authenticator_t.process for a server
  */
 static status_t process_server(private_eap_authenticator_t *this,
-							   eap_payload_t *in, eap_payload_t **out)
+							   message_t *message)
 {
-	eap_type_t type;
-	u_int32_t vendor;
+	eap_payload_t *eap_payload;
 	
-	type = this->method->get_type(this->method, &vendor);
+	if (this->eap_complete)
+	{
+		if (!verify_auth(this, message, this->sent_nonce, this->received_init))
+		{
+			return FAILED;
+		}
+		return NEED_MORE;
+	}
 	
-	switch (this->method->process(this->method, in, out))
+	if (!this->method)
 	{
-		case NEED_MORE:
-			return NEED_MORE;
-		case SUCCESS:
-			if (this->do_eap_identity)
-			{
-				return process_eap_identity(this, out);
-			}
-			if (this->method->get_msk(this->method, &this->msk) == SUCCESS)
-			{
-				this->msk = chunk_clone(this->msk);
-			}
-			if (vendor)
-			{
-				DBG1(DBG_IKE, "EAP vendor specific method %d-%d succeded, "
-					 "%sMSK established", type, vendor,
-					 this->msk.ptr ? "" : "no ");
-			}
-			else
-			{
-				DBG1(DBG_IKE, "EAP method %N succeded, %sMSK established",
-					 eap_type_names, type, this->msk.ptr ? "" : "no ");
-			}
-			*out = eap_payload_create_code(EAP_SUCCESS, in->get_identifier(in));
-			return SUCCESS;
-		case FAILED:
-		default:
-			if (vendor)
-			{
-				DBG1(DBG_IKE, "EAP vendor specific method %d-%d failed for "
-					 "peer %D", type, vendor, 
-					 this->ike_sa->get_other_id(this->ike_sa));
-			}
-			else
-			{
-				DBG1(DBG_IKE, "EAP method %N failed for peer '%D'",
-					 eap_type_names, type,
-					 this->ike_sa->get_other_id(this->ike_sa));
-			}
-			*out = eap_payload_create_code(EAP_FAILURE, in->get_identifier(in));
+		this->eap_payload = server_initiate_eap(this, TRUE);
+	}
+	else
+	{
+		eap_payload = (eap_payload_t*)message->get_payload(message,
+													EXTENSIBLE_AUTHENTICATION);
+		if (!eap_payload)
+		{
 			return FAILED;
+		}
+		this->eap_payload = server_process_eap(this, eap_payload);
 	}
+	return NEED_MORE;
 }
 
 /**
- * Implementation of eap_authenticator_t.process
+ * Implementation of authenticator_t.build for a server
  */
-static status_t process(private_eap_authenticator_t *this, eap_payload_t *in,
-						eap_payload_t **out)
+static status_t build_server(private_eap_authenticator_t *this,
+							 message_t *message)
 {
-	eap_code_t code = in->get_code(in);
+	if (this->eap_payload)
+	{
+		eap_code_t code;
+		
+		code = this->eap_payload->get_code(this->eap_payload);
+		message->add_payload(message, (payload_t*)this->eap_payload);
+		this->eap_payload = NULL;
+		if (code == EAP_FAILURE)
+		{
+			return FAILED;
+		}
+		return NEED_MORE;
+	}
+	if (this->eap_complete && this->auth_complete)
+	{
+		build_auth(this, message, this->received_nonce, this->sent_init);
+		return SUCCESS;
+	}
+	return FAILED;
+}
+
+/**
+ * Implementation of authenticator_t.process for a client
+ */
+static status_t process_client(private_eap_authenticator_t *this,
+							   message_t *message)
+{
+	eap_payload_t *eap_payload;
 	
-	switch (this->role)
+	if (this->eap_complete)
 	{
-		case EAP_SERVER:
+		if (!verify_auth(this, message, this->sent_nonce, this->received_init))
 		{
-			switch (code)
+			return FAILED;
+		}
+		return SUCCESS;
+	}
+	
+	eap_payload = (eap_payload_t*)message->get_payload(message,
+													EXTENSIBLE_AUTHENTICATION);
+	if (eap_payload)
+	{
+		switch (eap_payload->get_code(eap_payload))
+		{
+			case EAP_REQUEST:
 			{
-				case EAP_RESPONSE:
+				this->eap_payload = client_process_eap(this, eap_payload);
+				if (this->eap_payload)
 				{
-					return process_server(this, in, out);
-				}
-				default:
-				{
-					DBG1(DBG_IKE, "received %N, sending %N",
-						 eap_code_names, code, eap_code_names, EAP_FAILURE);
-					*out = eap_payload_create_code(EAP_FAILURE,
-												   in->get_identifier(in));
-					return FAILED;
+					return NEED_MORE;
 				}
+				return FAILED;
 			}
-		}
-		case EAP_PEER:
-		{
-			switch (code)
+			case EAP_SUCCESS:
 			{
-				case EAP_REQUEST:
+				eap_type_t type;
+				u_int32_t vendor;
+				auth_cfg_t *cfg;
+				
+				if (this->method->get_msk(this->method, &this->msk) == SUCCESS)
 				{
-					return process_peer(this, in, out);
+					this->msk = chunk_clone(this->msk);
 				}
-				case EAP_SUCCESS:
+				type = this->method->get_type(this->method, &vendor);
+				if (vendor)
 				{
-					if (this->method->get_msk(this->method, &this->msk) == SUCCESS)
-					{
-						this->msk = chunk_clone(this->msk);
-					}
-					return SUCCESS;
+					DBG1(DBG_IKE, "EAP vendor specific method %d-%d succeeded, "
+						 "%sMSK established", type, vendor,
+						 this->msk.ptr ? "" : "no ");
 				}
-				case EAP_FAILURE:
-				default:
+				else
 				{
-					DBG1(DBG_IKE, "received %N, EAP authentication failed",
-						 eap_code_names, code);
-					return FAILED;
+					DBG1(DBG_IKE, "EAP method %N succeeded, %sMSK established",
+						 eap_type_names, type, this->msk.ptr ? "" : "no ");
 				}
+				cfg = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
+				cfg->add(cfg, AUTH_RULE_EAP_TYPE, type);
+				if (vendor)
+				{
+					cfg->add(cfg, AUTH_RULE_EAP_VENDOR, vendor);
+				}
+				this->eap_complete = TRUE;
+				return NEED_MORE;
+			}
+			case EAP_FAILURE:
+			default:
+			{
+				DBG1(DBG_IKE, "received %N, EAP authentication failed",
+					 eap_code_names, eap_payload->get_code(eap_payload));
+				return FAILED;
 			}
-		}
-		default:
-		{
-			return FAILED;
 		}
 	}
+	return FAILED;
 }
 
 /**
- * Implementation of authenticator_t.is_mutual.
+ * Implementation of authenticator_t.build for a client
  */
-static bool is_mutual(private_eap_authenticator_t *this)
+static status_t build_client(private_eap_authenticator_t *this,	
+							 message_t *message)
 {
-	if (this->method)
+	if (this->eap_payload)
 	{
-		return this->method->is_mutual(this->method);
+		message->add_payload(message, (payload_t*)this->eap_payload);
+		this->eap_payload = NULL;
+		return NEED_MORE;
 	}
-	return FALSE;
+	if (this->eap_complete)
+	{
+		build_auth(this, message, this->received_nonce, this->sent_init);
+		return NEED_MORE;
+	}
+	return NEED_MORE;
 }
 
 /**
@@ -500,6 +584,8 @@ static bool is_mutual(private_eap_authenticator_t *this)
 static void destroy(private_eap_authenticator_t *this)
 {
 	DESTROY_IF(this->method);
+	DESTROY_IF(this->eap_payload);
+	DESTROY_IF(this->eap_identity);
 	chunk_free(&this->msk);
 	free(this);
 }
@@ -507,46 +593,56 @@ static void destroy(private_eap_authenticator_t *this)
 /*
  * Described in header.
  */
-eap_authenticator_t *eap_authenticator_create(ike_sa_t *ike_sa)
+eap_authenticator_t *eap_authenticator_create_builder(ike_sa_t *ike_sa,
+									chunk_t received_nonce, chunk_t sent_nonce,
+									chunk_t received_init, chunk_t sent_init)
 {
-	peer_cfg_t *config;
-	auth_info_t *auth;
-	identification_t *id;
 	private_eap_authenticator_t *this = malloc_thing(private_eap_authenticator_t);
 	
-	/* public functions */
-	this->public.authenticator_interface.verify = (status_t(*)(authenticator_t*,chunk_t,chunk_t,auth_payload_t*))verify;
-	this->public.authenticator_interface.build = (status_t(*)(authenticator_t*,chunk_t,chunk_t,auth_payload_t**))build;
-	this->public.authenticator_interface.destroy = (void(*)(authenticator_t*))destroy;
-	
-	this->public.is_mutual = (bool(*)(eap_authenticator_t*))is_mutual;
-	this->public.initiate = (status_t(*)(eap_authenticator_t*,eap_type_t,u_int32_t,eap_payload_t**))initiate;
-	this->public.process = (status_t(*)(eap_authenticator_t*,eap_payload_t*,eap_payload_t**))process;
+	this->public.authenticator.build = (status_t(*)(authenticator_t*, message_t *message))build_client;
+	this->public.authenticator.process = (status_t(*)(authenticator_t*, message_t *message))process_client;
+	this->public.authenticator.destroy = (void(*)(authenticator_t*))destroy;
 	
-	/* private data */
 	this->ike_sa = ike_sa;
-	this->role = EAP_PEER;
+	this->received_init = received_init;
+	this->received_nonce = received_nonce;
+	this->sent_init = sent_init;
+	this->sent_nonce = sent_nonce;
+	this->msk = chunk_empty;
 	this->method = NULL;
+	this->eap_payload = NULL;
+	this->eap_complete = FALSE;
+	this->auth_complete = FALSE;
+	this->eap_identity = NULL;
+	
+	return &this->public;
+}
+
+/*
+ * Described in header.
+ */
+eap_authenticator_t *eap_authenticator_create_verifier(ike_sa_t *ike_sa,
+									chunk_t received_nonce, chunk_t sent_nonce,
+									chunk_t received_init, chunk_t sent_init)
+{
+	private_eap_authenticator_t *this = malloc_thing(private_eap_authenticator_t);
+	
+	this->public.authenticator.build = (status_t(*)(authenticator_t*, message_t *messageh))build_server;
+	this->public.authenticator.process = (status_t(*)(authenticator_t*, message_t *message))process_server;
+	this->public.authenticator.destroy = (void(*)(authenticator_t*))destroy;
+	
+	this->ike_sa = ike_sa;
+	this->received_init = received_init;
+	this->received_nonce = received_nonce;
+	this->sent_init = sent_init;
+	this->sent_nonce = sent_nonce;
 	this->msk = chunk_empty;
-	this->do_eap_identity = FALSE;
-	this->type = 0;
-	this->vendor = 0;
+	this->method = NULL;
+	this->eap_payload = NULL;
+	this->eap_complete = FALSE;
+	this->auth_complete = FALSE;
+	this->eap_identity = NULL;
 	
-	config = ike_sa->get_peer_cfg(ike_sa);
-	if (config)
-	{
-		auth = config->get_auth(config);
-		if (auth->get_item(auth, AUTHN_EAP_IDENTITY, (void**)&id))
-		{
-			if (id->get_type(id) == ID_ANY)
-			{	/* %any as configured EAP identity runs EAP-Identity first */
-				this->do_eap_identity = TRUE;
-			}
-			else
-			{
-				ike_sa->set_eap_identity(ike_sa, id->clone(id));
-			}
-		}
-	}
 	return &this->public;
 }
+
diff --git a/src/charon/sa/authenticators/eap_authenticator.h b/src/charon/sa/authenticators/eap_authenticator.h
index 3ee6839fa..b90a6f4df 100644
--- a/src/charon/sa/authenticators/eap_authenticator.h
+++ b/src/charon/sa/authenticators/eap_authenticator.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006 Martin Willi
+ * Copyright (C) 2006-2009 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: eap_authenticator.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -26,21 +24,13 @@
 typedef struct eap_authenticator_t eap_authenticator_t;
 
 #include <sa/authenticators/authenticator.h>
-#include <encoding/payloads/eap_payload.h>
 
 /**
- * Implementation of the authenticator_t interface using AUTH_CLASS_EAP.
+ * Implementation of authenticator_t using EAP authentication.
  *
  * Authentication using EAP involves the most complex authenticator. It stays
  * alive over multiple ike_auth transactions and handles multiple EAP
  * messages.
- * EAP authentication must be clearly distinguished between using
- * mutual EAP methods and using methods not providing server authentication.
- * If no mutual authentication is used, the server must prove it's identity
- * by traditional AUTH methods (RSA, psk). Only when the EAP method is mutual,
- * the client should accept an EAP-only authentication.
- * RFC4306 does always use traditional authentiction, EAP only authentication
- * is described in the internet draft draft-eronen-ipsec-ikev2-eap-auth-05.txt.
  *
  * @verbatim
                           ike_sa_init
@@ -49,12 +39,12 @@ typedef struct eap_authenticator_t eap_authenticator_t;
                  followed by multiple ike_auth:
 
      +--------+                                +--------+
-     |  EAP   |    ID, SA, TS, N(EAP_ONLY)     |  EAP   |
+     |  EAP   |       IDi, [IDr,] SA, TS       |  EAP   |
      | client |  --------------------------->  | server |
-     |        |          ID, [AUTH,] EAP       |        |  AUTH payload is
-     |        |  <---------------------------  |        |  only included if
-     |        |              EAP               |        |  authentication
-     |        |  --------------------------->  |        |  is not mutual.
+     |        |          ID, AUTH, EAP         |        |
+     |        |  <---------------------------  |        |
+     |        |              EAP               |        |
+     |        |  --------------------------->  |        |
      |        |              EAP               |        |
      |        |  <---------------------------  |        |
      |        |              EAP               |        |
@@ -74,74 +64,35 @@ struct eap_authenticator_t {
 	/**
 	 * Implemented authenticator_t interface.
 	 */
-	authenticator_t authenticator_interface;
-	
-	/**
-	 * Check if the EAP method was/is mutual and secure.
-	 *
-	 * RFC4306 proposes to authenticate the EAP responder (server) by standard
-	 * IKEv2 methods (RSA, psk). Not all, but some EAP methods
-	 * provide mutual authentication, which would result in a redundant
-	 * authentication. If the client supports EAP_ONLY_AUTHENTICATION, and
-	 * the the server provides mutual authentication, authentication using
-	 * RSA/PSK may be omitted. If the server did not include a traditional
-	 * AUTH payload, the client must verify that the server initiated mutual
-	 * EAP authentication before it can trust the server.
-	 *
-	 * @return		TRUE, if no AUTH payload required, FALSE otherwise
-	 */
-	bool (*is_mutual) (eap_authenticator_t* this);
-	
-	/**
-	 * Initiate the EAP exchange.
-	 *
-	 * The server initiates EAP exchanges, so the client never calls
-	 * this method. If initiate() returns NEED_MORE, the EAP authentication
-	 * process started. In any case, a payload is created in "out".
-	 *
-	 * @param type		EAP method to use to authenticate client
-	 * @param vendor	EAP vendor identifier, if type is vendor specific, or 0
-	 * @param out		created initiaal EAP message to send
-	 * @return
-	 *				- FAILED, if initiation failed
-	 *				- NEED_MORE, if more EAP exchanges reqired
-	 */
-	status_t (*initiate) (eap_authenticator_t* this, eap_type_t type,
-						  u_int32_t vendor, eap_payload_t **out);
-	
-	/**
-	 * Process an EAP message.
-	 *
-	 * After receiving an EAP message "in", the peer/server processes
-	 * the payload and creates a reply/subsequent request.
-	 * The server side always returns NEED_MORE if another EAP message
-	 * is expected from the client, SUCCESS if EAP exchange completed and
-	 * "out" is EAP_SUCCES, or FAILED if the EAP exchange failed with
-	 * a EAP_FAILURE payload in "out". Anyway, a payload in "out" is always
-	 * created.
-	 * The peer (client) side only creates a "out" payload if result is
-	 * NEED_MORE, a SUCCESS/FAILED is returned whenever a
-	 * EAP_SUCCESS/EAP_FAILURE message is received in "in".
-	 * If a SUCCESS is returned (on any side), the EAP authentication was
-	 * successful and the AUTH payload can be exchanged.
-	 *
-	 * @param in	received EAP message
-	 * @param out	created EAP message to send
-	 * @return
-	 *				- FAILED, if authentication/EAP exchange failed
-	 *				- SUCCESS, if authentication completed
-	 *				- NEED_MORE, if more EAP exchanges reqired
-	 */
-	status_t (*process) (eap_authenticator_t* this,
-						 eap_payload_t *in, eap_payload_t **out);
+	authenticator_t authenticator;
 };
 
 /**
- * Creates an authenticator for AUTH_CLASS_EAP.
+ * Create an authenticator to authenticate against an EAP server.
  *
- * @param ike_sa		associated ike_sa
- * @return				eap_authenticator_t object
+ * @param ike_sa			associated ike_sa
+ * @param received_nonce	nonce received in IKE_SA_INIT
+ * @param sent_nonce		nonce sent in IKE_SA_INIT
+ * @param received_init		received IKE_SA_INIT message data
+ * @param sent_init			sent IKE_SA_INIT message data
+ * @return					EAP authenticator
+ */
+eap_authenticator_t *eap_authenticator_create_builder(ike_sa_t *ike_sa,
+									chunk_t received_nonce, chunk_t sent_nonce,
+									chunk_t received_init, chunk_t sent_init);
+
+/**
+ * Create an authenticator to authenticate EAP clients.
+ * 
+ * @param ike_sa			associated ike_sa
+ * @param received_nonce	nonce received in IKE_SA_INIT
+ * @param sent_nonce		nonce sent in IKE_SA_INIT
+ * @param received_init		received IKE_SA_INIT message data
+ * @param sent_init			sent IKE_SA_INIT message data
+ * @return					EAP authenticator
  */
-eap_authenticator_t *eap_authenticator_create(ike_sa_t *ike_sa);
+eap_authenticator_t *eap_authenticator_create_verifier(ike_sa_t *ike_sa,
+									chunk_t received_nonce, chunk_t sent_nonce,
+									chunk_t received_init, chunk_t sent_init);
 
 #endif /** EAP_AUTHENTICATOR_H_ @}*/
diff --git a/src/charon/sa/authenticators/psk_authenticator.c b/src/charon/sa/authenticators/psk_authenticator.c
index ae5a66479..742b67789 100644
--- a/src/charon/sa/authenticators/psk_authenticator.c
+++ b/src/charon/sa/authenticators/psk_authenticator.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2005-2008 Martin Willi
+ * Copyright (C) 2005-2009 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
  *
@@ -12,17 +12,12 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: psk_authenticator.c 4495 2008-10-28 16:07:06Z martin $
  */
 
-#include <string.h>
-
 #include "psk_authenticator.h"
 
 #include <daemon.h>
-#include <credentials/auth_info.h>
-
+#include <encoding/payloads/auth_payload.h>
 
 typedef struct private_psk_authenticator_t private_psk_authenticator_t;
 
@@ -40,22 +35,74 @@ struct private_psk_authenticator_t {
 	 * Assigned IKE_SA
 	 */
 	ike_sa_t *ike_sa;
+	
+	/**
+	 * nonce to include in AUTH calculation
+	 */
+	chunk_t nonce;
+	
+	/**
+	 * IKE_SA_INIT message data to include in AUTH calculation
+	 */
+	chunk_t ike_sa_init;
 };
 
+/*
+ * Implementation of authenticator_t.build for builder
+ */
+static status_t build(private_psk_authenticator_t *this, message_t *message)
+{
+	identification_t *my_id, *other_id;
+	auth_payload_t *auth_payload;
+	shared_key_t *key;
+	chunk_t auth_data;
+	keymat_t *keymat;
+	
+	keymat = this->ike_sa->get_keymat(this->ike_sa);
+	my_id = this->ike_sa->get_my_id(this->ike_sa);
+	other_id = this->ike_sa->get_other_id(this->ike_sa);
+	DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N",
+		 my_id, auth_method_names, AUTH_PSK);
+	key = charon->credentials->get_shared(charon->credentials, SHARED_IKE,
+										  my_id, other_id);
+	if (key == NULL)
+	{
+		DBG1(DBG_IKE, "no shared key found for '%Y' - '%Y'", my_id, other_id);
+		return NOT_FOUND;
+	}
+	auth_data = keymat->get_psk_sig(keymat, FALSE, this->ike_sa_init,
+									this->nonce, key->get_key(key), my_id);
+	key->destroy(key);
+	DBG2(DBG_IKE, "successfully created shared key MAC");
+	auth_payload = auth_payload_create();
+	auth_payload->set_auth_method(auth_payload, AUTH_PSK);
+	auth_payload->set_data(auth_payload, auth_data);
+	chunk_free(&auth_data);
+	message->add_payload(message, (payload_t*)auth_payload);
+	
+	return SUCCESS;
+}
+
 /**
- * Implementation of authenticator_t.verify.
+ * Implementation of authenticator_t.process for verifier
  */
-static status_t verify(private_psk_authenticator_t *this, chunk_t ike_sa_init,
- 					   chunk_t my_nonce, auth_payload_t *auth_payload)
+static status_t process(private_psk_authenticator_t *this, message_t *message)
 {
 	chunk_t auth_data, recv_auth_data;
 	identification_t *my_id, *other_id;
+	auth_payload_t *auth_payload;
+	auth_cfg_t *auth;
 	shared_key_t *key;
 	enumerator_t *enumerator;
 	bool authenticated = FALSE;
 	int keys_found = 0;
 	keymat_t *keymat;
 	
+	auth_payload = (auth_payload_t*)message->get_payload(message, AUTHENTICATION);
+	if (!auth_payload)
+	{
+		return FAILED;
+	}
 	keymat = this->ike_sa->get_keymat(this->ike_sa);
 	recv_auth_data = auth_payload->get_data(auth_payload);
 	my_id = this->ike_sa->get_my_id(this->ike_sa);
@@ -66,11 +113,11 @@ static status_t verify(private_psk_authenticator_t *this, chunk_t ike_sa_init,
 	{
 		keys_found++;
 		
-		auth_data = keymat->get_psk_sig(keymat, TRUE, ike_sa_init, my_nonce,
-										key->get_key(key), other_id);
+		auth_data = keymat->get_psk_sig(keymat, TRUE, this->ike_sa_init,
+									this->nonce, key->get_key(key), other_id);
 		if (auth_data.len && chunk_equals(auth_data, recv_auth_data))
 		{
-			DBG1(DBG_IKE, "authentication of '%D' with %N successful",
+			DBG1(DBG_IKE, "authentication of '%Y' with %N successful",
 				 other_id, auth_method_names, AUTH_PSK);
 			authenticated = TRUE;
 		}
@@ -82,49 +129,26 @@ static status_t verify(private_psk_authenticator_t *this, chunk_t ike_sa_init,
 	{
 		if (keys_found == 0)
 		{
-			DBG1(DBG_IKE, "no shared key found for '%D' - '%D'", my_id, other_id);
+			DBG1(DBG_IKE, "no shared key found for '%Y' - '%Y'", my_id, other_id);
 			return NOT_FOUND;
 		}
-		DBG1(DBG_IKE, "tried %d shared key%s for '%D' - '%D', but MAC mismatched",
+		DBG1(DBG_IKE, "tried %d shared key%s for '%Y' - '%Y', but MAC mismatched",
 			 keys_found, keys_found == 1 ? "" : "s", my_id, other_id);
 		return FAILED;
 	}
+	
+	auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
+	auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PSK);
 	return SUCCESS;
 }
 
 /**
- * Implementation of authenticator_t.build.
+ * Implementation of authenticator_t.process for builder
+ * Implementation of authenticator_t.build for verifier
  */
-static status_t build(private_psk_authenticator_t *this, chunk_t ike_sa_init,
-					  chunk_t other_nonce, auth_payload_t **auth_payload)
+static status_t return_failed()
 {
-	identification_t *my_id, *other_id;
-	shared_key_t *key;
-	chunk_t auth_data;
-	keymat_t *keymat;
-	
-	keymat = this->ike_sa->get_keymat(this->ike_sa);
-	my_id = this->ike_sa->get_my_id(this->ike_sa);
-	other_id = this->ike_sa->get_other_id(this->ike_sa);
-	DBG1(DBG_IKE, "authentication of '%D' (myself) with %N",
-		 my_id, auth_method_names, AUTH_PSK);
-	key = charon->credentials->get_shared(charon->credentials, SHARED_IKE,
-										  my_id, other_id);
-	if (key == NULL)
-	{
-		DBG1(DBG_IKE, "no shared key found for '%D' - '%D'", my_id, other_id);
-		return NOT_FOUND;
-	}
-	auth_data = keymat->get_psk_sig(keymat, FALSE, ike_sa_init, other_nonce,
-									key->get_key(key), my_id);
-	key->destroy(key);
-	DBG2(DBG_IKE, "successfully created shared key MAC");
-	*auth_payload = auth_payload_create();
-	(*auth_payload)->set_auth_method(*auth_payload, AUTH_PSK);
-	(*auth_payload)->set_data(*auth_payload, auth_data);
-	
-	chunk_free(&auth_data);
-	return SUCCESS;
+	return FAILED;
 }
 
 /**
@@ -138,17 +162,38 @@ static void destroy(private_psk_authenticator_t *this)
 /*
  * Described in header.
  */
-psk_authenticator_t *psk_authenticator_create(ike_sa_t *ike_sa)
+psk_authenticator_t *psk_authenticator_create_builder(ike_sa_t *ike_sa,
+									chunk_t received_nonce, chunk_t sent_init)
 {
 	private_psk_authenticator_t *this = malloc_thing(private_psk_authenticator_t);
 	
-	/* public functions */
-	this->public.authenticator_interface.verify = (status_t(*)(authenticator_t*,chunk_t,chunk_t,auth_payload_t*))verify;
-	this->public.authenticator_interface.build = (status_t(*)(authenticator_t*,chunk_t,chunk_t,auth_payload_t**))build;
-	this->public.authenticator_interface.destroy = (void(*)(authenticator_t*))destroy;
+	this->public.authenticator.build = (status_t(*)(authenticator_t*, message_t *message))build;
+	this->public.authenticator.process = (status_t(*)(authenticator_t*, message_t *message))return_failed;
+	this->public.authenticator.destroy = (void(*)(authenticator_t*))destroy;
 	
-	/* private data */
 	this->ike_sa = ike_sa;
+	this->ike_sa_init = sent_init;
+	this->nonce = received_nonce;
 	
 	return &this->public;
 }
+
+/*
+ * Described in header.
+ */
+psk_authenticator_t *psk_authenticator_create_verifier(ike_sa_t *ike_sa,
+									chunk_t sent_nonce, chunk_t received_init)
+{
+	private_psk_authenticator_t *this = malloc_thing(private_psk_authenticator_t);
+	
+	this->public.authenticator.build = (status_t(*)(authenticator_t*, message_t *messageh))return_failed;
+	this->public.authenticator.process = (status_t(*)(authenticator_t*, message_t *message))process;
+	this->public.authenticator.destroy = (void(*)(authenticator_t*))destroy;
+	
+	this->ike_sa = ike_sa;
+	this->ike_sa_init = received_init;
+	this->nonce = sent_nonce;
+	
+	return &this->public;
+}
+
diff --git a/src/charon/sa/authenticators/psk_authenticator.h b/src/charon/sa/authenticators/psk_authenticator.h
index df65076a4..5bb743d93 100644
--- a/src/charon/sa/authenticators/psk_authenticator.h
+++ b/src/charon/sa/authenticators/psk_authenticator.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006 Martin Willi
+ * Copyright (C) 2006-2009 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: psk_authenticator.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -28,22 +26,36 @@ typedef struct psk_authenticator_t psk_authenticator_t;
 #include <sa/authenticators/authenticator.h>
 
 /**
- * Implementation of the authenticator_t interface using AUTH_PSK.
+ * Implementation of authenticator_t using pre-shared keys.
  */
 struct psk_authenticator_t {
 
 	/**
 	 * Implemented authenticator_t interface.
 	 */
-	authenticator_t authenticator_interface;
+	authenticator_t authenticator;
 };
 
 /**
- * Creates an authenticator for AUTH_PSK.
+ * Create an authenticator to build PSK signatures.
  *
- * @param ike_sa		associated ike_sa
- * @return				psk_authenticator_t object
+ * @param ike_sa			associated ike_sa
+ * @param received_nonce	nonce received in IKE_SA_INIT
+ * @param sent_init			sent IKE_SA_INIT message data
+ * @return					PSK authenticator
+ */
+psk_authenticator_t *psk_authenticator_create_builder(ike_sa_t *ike_sa,
+									chunk_t received_nonce, chunk_t sent_init);
+
+/**
+ * Create an authenticator to verify PSK signatures.
+ * 
+ * @param ike_sa			associated ike_sa
+ * @param sent_nonce		nonce sent in IKE_SA_INIT
+ * @param received_init		received IKE_SA_INIT message data
+ * @return					PSK authenticator
  */
-psk_authenticator_t *psk_authenticator_create(ike_sa_t *ike_sa);
+psk_authenticator_t *psk_authenticator_create_verifier(ike_sa_t *ike_sa,
+									chunk_t sent_nonce, chunk_t received_init);
 
 #endif /** PSK_AUTHENTICATOR_H_ @}*/
diff --git a/src/charon/sa/authenticators/pubkey_authenticator.c b/src/charon/sa/authenticators/pubkey_authenticator.c
index c16f3b888..44cabfb94 100644
--- a/src/charon/sa/authenticators/pubkey_authenticator.c
+++ b/src/charon/sa/authenticators/pubkey_authenticator.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2008 Tobias Brunner
- * Copyright (C) 2005-2008 Martin Willi
+ * Copyright (C) 2005-2009 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
  *
@@ -13,17 +13,12 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: pubkey_authenticator.c 4495 2008-10-28 16:07:06Z martin $
  */
 
-#include <string.h>
-
 #include "pubkey_authenticator.h"
 
 #include <daemon.h>
-#include <credentials/auth_info.h>
-
+#include <encoding/payloads/auth_payload.h>
 
 typedef struct private_pubkey_authenticator_t private_pubkey_authenticator_t;
 
@@ -41,95 +36,40 @@ struct private_pubkey_authenticator_t {
 	 * Assigned IKE_SA
 	 */
 	ike_sa_t *ike_sa;
-};
-
-/**
- * Implementation of authenticator_t.verify.
- */
-static status_t verify(private_pubkey_authenticator_t *this, chunk_t ike_sa_init,
- 					   chunk_t my_nonce, auth_payload_t *auth_payload)
-{
-	public_key_t *public;
-	auth_method_t auth_method;
-	chunk_t auth_data, octets;
-	identification_t *id;
-	auth_info_t *auth, *current_auth;
-	enumerator_t *enumerator;
-	key_type_t key_type = KEY_ECDSA;
-	signature_scheme_t scheme;
-	status_t status = FAILED;
-	keymat_t *keymat;
 	
-	id = this->ike_sa->get_other_id(this->ike_sa);
-	auth_method = auth_payload->get_auth_method(auth_payload);
-	switch (auth_method)
-	{
-		case AUTH_RSA:
-			/* We are currently fixed to SHA1 hashes.
-			 * TODO: allow other hash algorithms and note it in "auth" */
-			key_type = KEY_RSA;
-			scheme = SIGN_RSA_EMSA_PKCS1_SHA1;
-			break;
-		case AUTH_ECDSA_256:
-			scheme = SIGN_ECDSA_256;
-			break;
-		case AUTH_ECDSA_384:
-			scheme = SIGN_ECDSA_384;
-			break;
-		case AUTH_ECDSA_521:
-			scheme = SIGN_ECDSA_521;
-			break;
-		default:
-			return INVALID_ARG;
-	}
-	auth_data = auth_payload->get_data(auth_payload);
-	keymat = this->ike_sa->get_keymat(this->ike_sa);
-	octets = keymat->get_auth_octets(keymat, TRUE, ike_sa_init, my_nonce, id);
-	auth = this->ike_sa->get_other_auth(this->ike_sa);
-	enumerator = charon->credentials->create_public_enumerator(
-										charon->credentials, key_type, id, auth);
-	while (enumerator->enumerate(enumerator, &public, &current_auth))
-	{
-		if (public->verify(public, scheme, octets, auth_data))
-		{
-			DBG1(DBG_IKE, "authentication of '%D' with %N successful",
-						   id, auth_method_names, auth_method);
-			status = SUCCESS;
-			auth->merge(auth, current_auth);
-			break;
-		}
-		else
-		{
-			DBG1(DBG_IKE, "signature validation failed, looking for another key");
-		}
-	}
-	enumerator->destroy(enumerator);
-	chunk_free(&octets);
-	return status;
-}
+	/**
+	 * nonce to include in AUTH calculation
+	 */
+	chunk_t nonce;
+	
+	/**
+	 * IKE_SA_INIT message data to include in AUTH calculation
+	 */
+	chunk_t ike_sa_init;
+};
 
 /**
- * Implementation of authenticator_t.build.
+ * Implementation of authenticator_t.build for builder
  */
-static status_t build(private_pubkey_authenticator_t *this, chunk_t ike_sa_init,
-					  chunk_t other_nonce, auth_payload_t **auth_payload)
+static status_t build(private_pubkey_authenticator_t *this, message_t *message)
 {
 	chunk_t octets, auth_data;
 	status_t status = FAILED;
 	private_key_t *private;
 	identification_t *id;
-	auth_info_t *auth;
+	auth_cfg_t *auth;
+	auth_payload_t *auth_payload;
 	auth_method_t auth_method;
 	signature_scheme_t scheme;
 	keymat_t *keymat;
 
 	id = this->ike_sa->get_my_id(this->ike_sa);
-	auth = this->ike_sa->get_my_auth(this->ike_sa);
+	auth = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
 	private = charon->credentials->get_private(charon->credentials, KEY_ANY,
 											   id, auth);
 	if (private == NULL)
 	{
-		DBG1(DBG_IKE, "no private key found for '%D'", id);
+		DBG1(DBG_IKE, "no private key found for '%Y'", id);
 		return NOT_FOUND;
 	}
 	
@@ -169,18 +109,18 @@ static status_t build(private_pubkey_authenticator_t *this, chunk_t ike_sa_init,
 			return status;
 	}
 	keymat = this->ike_sa->get_keymat(this->ike_sa);
-	octets = keymat->get_auth_octets(keymat, FALSE, ike_sa_init, other_nonce, id);
-	
+	octets = keymat->get_auth_octets(keymat, FALSE, this->ike_sa_init,
+									 this->nonce, id);
 	if (private->sign(private, scheme, octets, &auth_data))
 	{
-		auth_payload_t *payload = auth_payload_create();
-		payload->set_auth_method(payload, auth_method);
-		payload->set_data(payload, auth_data);
-		*auth_payload = payload;
+		auth_payload = auth_payload_create();
+		auth_payload->set_auth_method(auth_payload, auth_method);
+		auth_payload->set_data(auth_payload, auth_data);
 		chunk_free(&auth_data);
+		message->add_payload(message, (payload_t*)auth_payload);
 		status = SUCCESS;
 	}
-	DBG1(DBG_IKE, "authentication of '%D' (myself) with %N %s", id,
+	DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N %s", id,
 		 auth_method_names, auth_method, 
 		 (status == SUCCESS)? "successful":"failed");
 	chunk_free(&octets);
@@ -189,6 +129,93 @@ static status_t build(private_pubkey_authenticator_t *this, chunk_t ike_sa_init,
 	return status;
 }
 
+/**
+ * Implementation of authenticator_t.process for verifier
+ */
+static status_t process(private_pubkey_authenticator_t *this, message_t *message)
+{
+	public_key_t *public;
+	auth_method_t auth_method;
+	auth_payload_t *auth_payload;
+	chunk_t auth_data, octets;
+	identification_t *id;
+	auth_cfg_t *auth, *current_auth;
+	enumerator_t *enumerator;
+	key_type_t key_type = KEY_ECDSA;
+	signature_scheme_t scheme;
+	status_t status = NOT_FOUND;
+	keymat_t *keymat;
+	
+	auth_payload = (auth_payload_t*)message->get_payload(message, AUTHENTICATION);
+	if (!auth_payload)
+	{
+		return FAILED;
+	}
+	auth_method = auth_payload->get_auth_method(auth_payload);
+	switch (auth_method)
+	{
+		case AUTH_RSA:
+			/* We currently accept SHA1 signatures only
+			 * TODO: allow other hash algorithms and note it in "auth" */
+			key_type = KEY_RSA;
+			scheme = SIGN_RSA_EMSA_PKCS1_SHA1;
+			break;
+		case AUTH_ECDSA_256:
+			scheme = SIGN_ECDSA_256;
+			break;
+		case AUTH_ECDSA_384:
+			scheme = SIGN_ECDSA_384;
+			break;
+		case AUTH_ECDSA_521:
+			scheme = SIGN_ECDSA_521;
+			break;
+		default:
+			return INVALID_ARG;
+	}
+	auth_data = auth_payload->get_data(auth_payload);
+	id = this->ike_sa->get_other_id(this->ike_sa);
+	keymat = this->ike_sa->get_keymat(this->ike_sa);
+	octets = keymat->get_auth_octets(keymat, TRUE, this->ike_sa_init,
+									 this->nonce, id);
+	auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
+	enumerator = charon->credentials->create_public_enumerator(
+										charon->credentials, key_type, id, auth);
+	while (enumerator->enumerate(enumerator, &public, &current_auth))
+	{
+		if (public->verify(public, scheme, octets, auth_data))
+		{
+			DBG1(DBG_IKE, "authentication of '%Y' with %N successful",
+						   id, auth_method_names, auth_method);
+			status = SUCCESS;
+			auth->merge(auth, current_auth, FALSE);
+			auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
+			break;
+		}
+		else
+		{
+			status = FAILED;
+			DBG1(DBG_IKE, "signature validation failed, looking for another key");
+		}
+	}
+	enumerator->destroy(enumerator);
+	chunk_free(&octets);
+	if (status == NOT_FOUND)
+	{
+		DBG1(DBG_IKE, "no trusted %N public key found for '%Y'",
+			 key_type_names, key_type, id);
+	}
+	return status;
+}
+
+/**
+ * Implementation of authenticator_t.process for builder
+ * Implementation of authenticator_t.build for verifier
+ */
+static status_t return_failed()
+{
+	return FAILED;
+}
+
 /**
  * Implementation of authenticator_t.destroy.
  */
@@ -200,17 +227,37 @@ static void destroy(private_pubkey_authenticator_t *this)
 /*
  * Described in header.
  */
-pubkey_authenticator_t *pubkey_authenticator_create(ike_sa_t *ike_sa)
+pubkey_authenticator_t *pubkey_authenticator_create_builder(ike_sa_t *ike_sa,
+									chunk_t received_nonce, chunk_t sent_init)
+{
+	private_pubkey_authenticator_t *this = malloc_thing(private_pubkey_authenticator_t);
+	
+	this->public.authenticator.build = (status_t(*)(authenticator_t*, message_t *message))build;
+	this->public.authenticator.process = (status_t(*)(authenticator_t*, message_t *message))return_failed;
+	this->public.authenticator.destroy = (void(*)(authenticator_t*))destroy;
+	
+	this->ike_sa = ike_sa;
+	this->ike_sa_init = sent_init;
+	this->nonce = received_nonce;
+	
+	return &this->public;
+}
+
+/*
+ * Described in header.
+ */
+pubkey_authenticator_t *pubkey_authenticator_create_verifier(ike_sa_t *ike_sa,
+									chunk_t sent_nonce, chunk_t received_init)
 {
 	private_pubkey_authenticator_t *this = malloc_thing(private_pubkey_authenticator_t);
 	
-	/* public functions */
-	this->public.authenticator_interface.verify = (status_t(*)(authenticator_t*,chunk_t,chunk_t,auth_payload_t*))verify;
-	this->public.authenticator_interface.build = (status_t(*)(authenticator_t*,chunk_t,chunk_t,auth_payload_t**))build;
-	this->public.authenticator_interface.destroy = (void(*)(authenticator_t*))destroy;
+	this->public.authenticator.build = (status_t(*)(authenticator_t*, message_t *message))return_failed;
+	this->public.authenticator.process = (status_t(*)(authenticator_t*, message_t *message))process;
+	this->public.authenticator.destroy = (void(*)(authenticator_t*))destroy;
 	
-	/* private data */
 	this->ike_sa = ike_sa;
+	this->ike_sa_init = received_init;
+	this->nonce = sent_nonce;
 	
 	return &this->public;
 }
diff --git a/src/charon/sa/authenticators/pubkey_authenticator.h b/src/charon/sa/authenticators/pubkey_authenticator.h
index d2189fa97..e67f020ff 100644
--- a/src/charon/sa/authenticators/pubkey_authenticator.h
+++ b/src/charon/sa/authenticators/pubkey_authenticator.h
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2008 Tobias Brunner
- * Copyright (C) 2006 Martin Willi
+ * Copyright (C) 2006-2009 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: pubkey_authenticator.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -29,22 +27,36 @@ typedef struct pubkey_authenticator_t pubkey_authenticator_t;
 #include <sa/authenticators/authenticator.h>
 
 /**
- * Implementation of the authenticator_t interface using AUTH_PUBKEY.
+ * Implementation of authenticator_t using public key authenitcation.
  */
 struct pubkey_authenticator_t {
 
 	/**
 	 * Implemented authenticator_t interface.
 	 */
-	authenticator_t authenticator_interface;
+	authenticator_t authenticator;
 };
 
 /**
- * Creates an authenticator for AUTH_PUBKEY.
+ * Create an authenticator to build public key signatures.
  *
- * @param ike_sa		associated ike_sa
- * @return				pubkey_authenticator_t object
+ * @param ike_sa			associated ike_sa
+ * @param received_nonce	nonce received in IKE_SA_INIT
+ * @param sent_init			sent IKE_SA_INIT message data
+ * @return					public key authenticator
+ */
+pubkey_authenticator_t *pubkey_authenticator_create_builder(ike_sa_t *ike_sa,
+									chunk_t received_nonce, chunk_t sent_init);
+
+/**
+ * Create an authenticator to verify public key signatures.
+ * 
+ * @param ike_sa			associated ike_sa
+ * @param sent_nonce		nonce sent in IKE_SA_INIT
+ * @param received_init		received IKE_SA_INIT message data
+ * @return					public key authenticator
  */
-pubkey_authenticator_t *pubkey_authenticator_create(ike_sa_t *ike_sa);
+pubkey_authenticator_t *pubkey_authenticator_create_verifier(ike_sa_t *ike_sa,
+									chunk_t sent_nonce, chunk_t received_init);
 
 #endif /** PUBKEY_AUTHENTICATOR_H_ @}*/
diff --git a/src/charon/sa/child_sa.c b/src/charon/sa/child_sa.c
index 022b9149a..9202e972e 100644
--- a/src/charon/sa/child_sa.c
+++ b/src/charon/sa/child_sa.c
@@ -14,8 +14,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: child_sa.c 4677 2008-11-19 15:31:27Z martin $
  */
 
 #define _GNU_SOURCE
@@ -412,26 +410,11 @@ static u_int32_t get_lifetime(private_child_sa_t *this, bool hard)
  */
 static u_int32_t alloc_spi(private_child_sa_t *this, protocol_id_t protocol)
 {
-	switch (protocol)
-	{
-		case PROTO_AH:
-			if (charon->kernel_interface->get_spi(charon->kernel_interface, 
-							this->other_addr, this->my_addr, PROTO_AH,
-							this->reqid, &this->my_spi) == SUCCESS)
-			{
-				return this->my_spi;
-			}
-			break;
-		case PROTO_ESP:
-			if (charon->kernel_interface->get_spi(charon->kernel_interface,
-							this->other_addr, this->my_addr, PROTO_ESP,
+	if (charon->kernel_interface->get_spi(charon->kernel_interface,
+							this->other_addr, this->my_addr, protocol,
 							this->reqid, &this->my_spi) == SUCCESS)
-			{
-				return this->my_spi;
-			}
-			break;
-		default:
-			break;
+	{
+		return this->my_spi;
 	}
 	return 0;
 }
@@ -504,8 +487,14 @@ static status_t install(private_child_sa_t *this, chunk_t encr, chunk_t integ,
 				this->mode, this->ipcomp, cpi, this->encap, update);
 	
 	now = time(NULL);
-	this->rekey_time = now + soft;
-	this->expire_time = now + hard;
+	if (soft)
+	{
+		this->rekey_time = now + soft;
+	}
+	if (hard)
+	{
+		this->expire_time = now + hard;
+	}
 	return status;
 }
 
@@ -724,14 +713,14 @@ static void destroy(private_child_sa_t *this)
 	if (this->my_spi)
 	{
 		charon->kernel_interface->del_sa(charon->kernel_interface,
-					this->my_addr, this->my_spi, this->protocol,
-					this->my_cpi);
+					this->other_addr, this->my_addr, this->my_spi,
+					this->protocol, this->my_cpi);
 	}
 	if (this->other_spi)
 	{
 		charon->kernel_interface->del_sa(charon->kernel_interface,
-					this->other_addr, this->other_spi, this->protocol,
-					this->other_cpi);
+					this->my_addr, this->other_addr, this->other_spi,
+					this->protocol, this->other_cpi);
 	}
 	
 	if (this->config->install_policy(this->config))
@@ -816,6 +805,8 @@ child_sa_t * child_sa_create(host_t *me, host_t* other,
 	this->protocol = PROTO_NONE;
 	this->mode = MODE_TUNNEL;
 	this->proposal = NULL;
+	this->rekey_time = 0;
+	this->expire_time = 0;
 	this->config = config;
 	config->get_ref(config);
 	
diff --git a/src/charon/sa/child_sa.h b/src/charon/sa/child_sa.h
index 70169f515..ec9b36dab 100644
--- a/src/charon/sa/child_sa.h
+++ b/src/charon/sa/child_sa.h
@@ -13,8 +13,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: child_sa.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/charon/sa/connect_manager.c b/src/charon/sa/connect_manager.c
index b9141ffc1..a1b037de4 100644
--- a/src/charon/sa/connect_manager.c
+++ b/src/charon/sa/connect_manager.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: connect_manager.c 4579 2008-11-05 11:29:56Z martin $
  */
 
 #include "connect_manager.h"
@@ -734,11 +732,11 @@ static void build_pairs(check_list_t *checklist)
  */
 static status_t process_payloads(message_t *message, check_t *check)
 {
-	iterator_t *iterator;
+	enumerator_t *enumerator;
 	payload_t *payload;
 
-	iterator = message->get_payload_iterator(message);
-	while (iterator->iterate(iterator, (void**)&payload))
+	enumerator = message->create_payload_enumerator(message);
+	while (enumerator->enumerate(enumerator, &payload))
 	{
 		if (payload->get_type(payload) != NOTIFY)
 		{
@@ -796,7 +794,7 @@ static status_t process_payloads(message_t *message, check_t *check)
 				break;
 		}
 	}
-	iterator->destroy(iterator);
+	enumerator->destroy(enumerator);
 	
 	if (!check->connect_id.ptr || !check->endpoint || !check->auth.ptr)
 	{
@@ -904,7 +902,7 @@ static void update_checklist_state(private_connect_manager_t *this, check_list_t
 		
 		callback_data_t *data = callback_data_create(this, checklist->connect_id);
 		job_t *job = (job_t*)callback_job_create((callback_job_cb_t)initiator_finish, data, (callback_job_cleanup_t)callback_data_destroy, NULL);
-		charon->scheduler->schedule_job(charon->scheduler, job, ME_WAIT_TO_FINISH);
+		charon->scheduler->schedule_job_ms(charon->scheduler, job, ME_WAIT_TO_FINISH);
 		checklist->is_finishing = TRUE;
 	}
 	
@@ -1002,7 +1000,7 @@ static void queue_retransmission(private_connect_manager_t *this, check_list_t *
 	}
 	DBG2(DBG_IKE, "scheduling retransmission %d of pair '%d' in %dms", retransmission, pair->id, rto);
 	
-	charon->scheduler->schedule_job(charon->scheduler, (job_t*)job, rto);
+	charon->scheduler->schedule_job_ms(charon->scheduler, (job_t*)job, rto);
 }
 
 /**
@@ -1139,7 +1137,7 @@ static void schedule_checks(private_connect_manager_t *this, check_list_t *check
 {
 	callback_data_t *data = callback_data_create(this, checklist->connect_id);
 	checklist->sender = (job_t*)callback_job_create((callback_job_cb_t)sender, data, (callback_job_cleanup_t)callback_data_destroy, NULL);
-	charon->scheduler->schedule_job(charon->scheduler, checklist->sender, time);
+	charon->scheduler->schedule_job_ms(charon->scheduler, checklist->sender, time);
 }
 
 /**
@@ -1196,8 +1194,8 @@ static void finish_checks(private_connect_manager_t *this, check_list_t *checkli
 		}
 		else
 		{
-			DBG1(DBG_IKE, "there is no mediated connection waiting between '%D' "
-					"and '%D'", checklist->initiator.id, checklist->responder.id);
+			DBG1(DBG_IKE, "there is no mediated connection waiting between '%Y' "
+					"and '%Y'", checklist->initiator.id, checklist->responder.id);
 		}
 	}
 }
@@ -1396,7 +1394,7 @@ static bool check_and_register(private_connect_manager_t *this,
 
 	if (get_initiated_by_ids(this, id, peer_id, &initiated) != SUCCESS)
 	{
-		DBG2(DBG_IKE, "registered waiting mediated connection with '%D'", peer_id);
+		DBG2(DBG_IKE, "registered waiting mediated connection with '%Y'", peer_id);
 		initiated = initiated_create(id, peer_id);
 		this->initiated->insert_last(this->initiated, initiated);
 		already_there = FALSE;
@@ -1425,7 +1423,7 @@ static void check_and_initiate(private_connect_manager_t *this, ike_sa_id_t *med
 
 	if (get_initiated_by_ids(this, id, peer_id, &initiated) != SUCCESS)
 	{
-		DBG2(DBG_IKE, "no waiting mediated connections with '%D'", peer_id);
+		DBG2(DBG_IKE, "no waiting mediated connections with '%Y'", peer_id);
 		this->mutex->unlock(this->mutex);
 		return;
 	}
diff --git a/src/charon/sa/connect_manager.h b/src/charon/sa/connect_manager.h
index c16f87352..b5abc853c 100644
--- a/src/charon/sa/connect_manager.h
+++ b/src/charon/sa/connect_manager.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: connect_manager.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/charon/sa/ike_sa.c b/src/charon/sa/ike_sa.c
index 6acbc6eef..6b7fa3582 100644
--- a/src/charon/sa/ike_sa.c
+++ b/src/charon/sa/ike_sa.c
@@ -1,7 +1,7 @@
 /*
  * Copyright (C) 2006-2008 Tobias Brunner
  * Copyright (C) 2006 Daniel Roethlisberger
- * Copyright (C) 2005-2008 Martin Willi
+ * Copyright (C) 2005-2009 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
  *
@@ -14,8 +14,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: ike_sa.c 4945 2009-03-16 14:23:36Z martin $
  */
 
 #include <sys/time.h>
@@ -57,10 +55,6 @@
 #include <processing/jobs/initiate_mediation_job.h>
 #endif
 
-#ifndef RESOLV_CONF
-#define RESOLV_CONF "/etc/resolv.conf"
-#endif
-
 ENUM(ike_sa_state_names, IKE_CREATED, IKE_DESTROYING,
 	"CREATED",
 	"CONNECTING",
@@ -72,17 +66,18 @@ ENUM(ike_sa_state_names, IKE_CREATED, IKE_DESTROYING,
 );
 
 typedef struct private_ike_sa_t private_ike_sa_t;
+typedef struct attribute_entry_t attribute_entry_t;
 
 /**
  * Private data of an ike_sa_t object.
  */
 struct private_ike_sa_t {
-
+	
 	/**
 	 * Public members
 	 */
 	ike_sa_t public;
-
+	
 	/**
 	 * Identifier for the current IKE_SA.
 	 */
@@ -96,7 +91,7 @@ struct private_ike_sa_t {
 	/**
 	 * Current state of the IKE_SA
 	 */
-	ike_sa_state_t state;	
+	ike_sa_state_t state;
 	
 	/**
 	 * IKE configuration used to set up this IKE_SA
@@ -109,14 +104,14 @@ struct private_ike_sa_t {
 	peer_cfg_t *peer_cfg;
 	
 	/**
-	 * associated authentication/authorization info for local peer
+	 * currently used authentication ruleset, local (as auth_cfg_t)
 	 */
-	auth_info_t *my_auth;
+	auth_cfg_t *my_auth;
 	
 	/**
-	 * associated authentication/authorization info for remote peer
+	 * currently used authentication constraints, remote (as auth_cfg_t)
 	 */
-	auth_info_t *other_auth;
+	auth_cfg_t *other_auth;
 	
 	/**
 	 * Selected IKE proposal
@@ -179,7 +174,7 @@ struct private_ike_sa_t {
 	 * set of condition flags currently enabled for this IKE_SA
 	 */
 	ike_condition_t conditions;
-
+	
 	/**
 	 * Linked List containing the child sa's of the current IKE_SA.
 	 */
@@ -201,9 +196,9 @@ struct private_ike_sa_t {
 	host_t *other_virtual_ip;
 	
 	/**
-	 * List of DNS servers installed by us
+	 * List of configuration attributes (attribute_entry_t)
 	 */
-	linked_list_t *dns_servers;
+	linked_list_t *attributes;
 	
 	/**
 	 * list of peers additional addresses, transmitted via MOBIKE
@@ -219,7 +214,7 @@ struct private_ike_sa_t {
 	 * number pending UPDATE_SA_ADDRESS (MOBIKE)
 	 */
 	u_int32_t pending_updates;
-
+	
 	/**
 	 * NAT keep alive interval
 	 */
@@ -234,18 +229,30 @@ struct private_ike_sa_t {
 	 * how many times we have retried so far (keyingtries)
 	 */
 	u_int32_t keyingtry;
-
+	
 	/**
 	 * local host address to be used for IKE, set via MIGRATE kernel message
 	 */
 	host_t *local_host;
-
+	
 	/**
 	 * remote host address to be used for IKE, set via MIGRATE kernel message
 	 */
 	host_t *remote_host;
 };
 
+/**
+ * Entry to maintain install configuration attributes during IKE_SA lifetime
+ */
+struct attribute_entry_t {
+	/** handler used to install this attribute */
+	attribute_handler_t *handler;
+	/** attribute type */
+	configuration_attribute_type_t type;
+	/** attribute data */
+	chunk_t data;
+};
+
 /**
  * get the time of the latest traffic processed by the kernel
  */
@@ -355,40 +362,23 @@ static void set_peer_cfg(private_ike_sa_t *this, peer_cfg_t *peer_cfg)
 	DESTROY_IF(this->peer_cfg);
 	peer_cfg->get_ref(peer_cfg);
 	this->peer_cfg = peer_cfg;
-
+	
 	if (this->ike_cfg == NULL)
 	{
 		this->ike_cfg = peer_cfg->get_ike_cfg(peer_cfg);
 		this->ike_cfg->get_ref(this->ike_cfg);
 	}
-	/* apply IDs if they are not already set */
-	if (this->my_id->contains_wildcards(this->my_id))
-	{
-		DESTROY_IF(this->my_id);
-		this->my_id = this->peer_cfg->get_my_id(this->peer_cfg);
-		this->my_id = this->my_id->clone(this->my_id);
-	}
-	if (this->other_id->contains_wildcards(this->other_id))
-	{
-		DESTROY_IF(this->other_id);
-		this->other_id = this->peer_cfg->get_other_id(this->peer_cfg);
-		this->other_id = this->other_id->clone(this->other_id);
-	}
-}
-
-/**
- * Implementation of ike_sa_t.get_my_auth.
- */
-static auth_info_t* get_my_auth(private_ike_sa_t *this)
-{
-	return this->my_auth;
 }
 
 /**
- * Implementation of ike_sa_t.get_other_auth.
+ * Implementation of ike_sa_t.get_auth_cfg
  */
-static auth_info_t* get_other_auth(private_ike_sa_t *this)
+static auth_cfg_t* get_auth_cfg(private_ike_sa_t *this, bool local)
 {
+	if (local)
+	{
+		return this->my_auth;
+	}
 	return this->other_auth;
 }
 
@@ -460,7 +450,7 @@ static void send_keepalive(private_ike_sa_t *this)
 	}
 	job = send_keepalive_job_create(this->ike_sa_id);
 	charon->scheduler->schedule_job(charon->scheduler, (job_t*)job,
-									(this->keepalive_interval - diff) * 1000);
+									this->keepalive_interval - diff);
 }
 
 /**
@@ -559,7 +549,7 @@ static void set_condition(private_ike_sa_t *this, ike_condition_t condition,
  */
 static status_t send_dpd(private_ike_sa_t *this)
 {
-	send_dpd_job_t *job;
+	job_t *job;
 	time_t diff, delay;
 	
 	delay = this->peer_cfg->get_dpd(this->peer_cfg);
@@ -608,9 +598,8 @@ static status_t send_dpd(private_ike_sa_t *this)
 		}
 	}
 	/* recheck in "interval" seconds */
-	job = send_dpd_job_create(this->ike_sa_id);
-	charon->scheduler->schedule_job(charon->scheduler, (job_t*)job,
-									(delay - diff) * 1000);
+	job = (job_t*)send_dpd_job_create(this->ike_sa_id);
+	charon->scheduler->schedule_job(charon->scheduler, job, delay - diff);
 	return SUCCESS;
 }
 
@@ -653,8 +642,7 @@ static void set_state(private_ike_sa_t *this, ike_sa_state_t state)
 				{
 					this->stats[STAT_REKEY] = t + this->stats[STAT_ESTABLISHED];
 					job = (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, FALSE);
-					charon->scheduler->schedule_job(charon->scheduler,
-													job, t * 1000);
+					charon->scheduler->schedule_job(charon->scheduler, job, t);
 					DBG1(DBG_IKE, "scheduling rekeying in %ds", t);
 				}
 				t = this->peer_cfg->get_reauth_time(this->peer_cfg);
@@ -663,8 +651,7 @@ static void set_state(private_ike_sa_t *this, ike_sa_state_t state)
 				{
 					this->stats[STAT_REAUTH] = t + this->stats[STAT_ESTABLISHED];
 					job = (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE);
-					charon->scheduler->schedule_job(charon->scheduler,
-													job, t * 1000);
+					charon->scheduler->schedule_job(charon->scheduler, job, t);
 					DBG1(DBG_IKE, "scheduling reauthentication in %ds", t);
 				}
 				t = this->peer_cfg->get_over_time(this->peer_cfg);
@@ -686,8 +673,7 @@ static void set_state(private_ike_sa_t *this, ike_sa_state_t state)
 					this->stats[STAT_DELETE] += t;
 					t = this->stats[STAT_DELETE] - this->stats[STAT_ESTABLISHED];
 					job = (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE);
-					charon->scheduler->schedule_job(charon->scheduler, job,
-													t * 1000);
+					charon->scheduler->schedule_job(charon->scheduler, job, t);
 					DBG1(DBG_IKE, "maximum IKE_SA lifetime %ds", t);
 				}
 				
@@ -1117,9 +1103,11 @@ static void resolve_hosts(private_ike_sa_t *this)
 }
 
 /**
- * Initiates a CHILD_SA using the appropriate reqid
+ * Implementation of ike_sa_t.initiate
  */
-static status_t initiate_with_reqid(private_ike_sa_t *this, child_cfg_t *child_cfg, u_int32_t reqid)
+static status_t initiate(private_ike_sa_t *this,
+						 child_cfg_t *child_cfg, u_int32_t reqid,
+						 traffic_selector_t *tsi, traffic_selector_t *tsr)
 {
 	task_t *task;
 	
@@ -1181,7 +1169,7 @@ static status_t initiate_with_reqid(private_ike_sa_t *this, child_cfg_t *child_c
 #endif /* ME */
 	{
 		/* normal IKE_SA with CHILD_SA */
-		task = (task_t*)child_create_create(&this->public, child_cfg);
+		task = (task_t*)child_create_create(&this->public, child_cfg, tsi, tsr);
 		child_cfg->destroy(child_cfg);
 		if (reqid)
 		{
@@ -1204,176 +1192,6 @@ static status_t initiate_with_reqid(private_ike_sa_t *this, child_cfg_t *child_c
 	return this->task_manager->initiate(this->task_manager);
 }
 
-/**
- * Implementation of ike_sa_t.initiate.
- */
-static status_t initiate(private_ike_sa_t *this, child_cfg_t *child_cfg)
-{
-	return initiate_with_reqid(this, child_cfg, 0);
-}
-
-/**
- * Implementation of ike_sa_t.acquire.
- */
-static status_t acquire(private_ike_sa_t *this, u_int32_t reqid)
-{
-	child_cfg_t *child_cfg;
-	iterator_t *iterator;
-	child_sa_t *current, *child_sa = NULL;
-	
-	switch (this->state)
-	{
-		case IKE_DELETING:
-			DBG1(DBG_IKE, "acquiring CHILD_SA {reqid %d} failed: "
-				 "IKE_SA is deleting", reqid);
-			return FAILED;
-		case IKE_PASSIVE:
-			/* do not process acquires if passive */
-			return FAILED;
-		default:
-			break;
-	}
-	
-	/* find CHILD_SA */
-	iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
-	while (iterator->iterate(iterator, (void**)&current))
-	{
-		if (current->get_reqid(current) == reqid)
-		{
-			child_sa = current;
-			break;
-		}
-	}
-	iterator->destroy(iterator);
-	if (!child_sa)
-	{
-		DBG1(DBG_IKE, "acquiring CHILD_SA {reqid %d} failed: "
-			 "CHILD_SA not found", reqid);
-		return FAILED;
-	}
-	
-	child_cfg = child_sa->get_config(child_sa);
-	child_cfg->get_ref(child_cfg);
-	
-	return initiate_with_reqid(this, child_cfg, reqid);
-}
-
-/**
- * Implementation of ike_sa_t.route.
- */
-static status_t route(private_ike_sa_t *this, child_cfg_t *child_cfg)
-{
-	child_sa_t *child_sa;
-	iterator_t *iterator;
-	linked_list_t *my_ts, *other_ts;
-	host_t *me, *other;
-	status_t status;
-	
-	/* check if not already routed*/
-	iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
-	while (iterator->iterate(iterator, (void**)&child_sa))
-	{
-		if (child_sa->get_state(child_sa) == CHILD_ROUTED &&
-			streq(child_sa->get_name(child_sa), child_cfg->get_name(child_cfg)))
-		{
-			iterator->destroy(iterator);
-			DBG1(DBG_IKE, "routing CHILD_SA failed: already routed");
-			return FAILED;
-		}
-	}
-	iterator->destroy(iterator);
-	
-	switch (this->state)
-	{
-		case IKE_DELETING:
-		case IKE_REKEYING:
-			DBG1(DBG_IKE, "routing CHILD_SA failed: IKE_SA is %N",
-				 ike_sa_state_names, this->state);
-			return FAILED;
-		case IKE_CREATED:
-		case IKE_CONNECTING:
-		case IKE_ESTABLISHED:
-		case IKE_PASSIVE:
-		default:
-			break;
-	}
-	
-	resolve_hosts(this);
-
-	/* install kernel policies */
-	child_sa = child_sa_create(this->my_host, this->other_host,
-							   child_cfg, 0, FALSE);
-	me = this->my_host;
-	if (this->my_virtual_ip)
-	{
-		me = this->my_virtual_ip;
-	}
-	other = this->other_host;
-	if (this->other_virtual_ip)
-	{
-		other = this->other_virtual_ip;
-	}
-	
-	my_ts = child_cfg->get_traffic_selectors(child_cfg, TRUE, NULL, me);
-	other_ts = child_cfg->get_traffic_selectors(child_cfg, FALSE, NULL, other);
-
-	child_sa->set_mode(child_sa, child_cfg->get_mode(child_cfg));
-	status = child_sa->add_policies(child_sa, my_ts, other_ts);
-
-	my_ts->destroy_offset(my_ts, offsetof(traffic_selector_t, destroy));
-	other_ts->destroy_offset(other_ts, offsetof(traffic_selector_t, destroy));
-	if (status == SUCCESS)
-	{
-		this->child_sas->insert_last(this->child_sas, child_sa);
-		DBG1(DBG_IKE, "CHILD_SA routed");
-	}
-	else
-	{
-		child_sa->destroy(child_sa);
-		DBG1(DBG_IKE, "routing CHILD_SA failed");
-	}
-	return status;
-}
-
-/**
- * Implementation of ike_sa_t.unroute.
- */
-static status_t unroute(private_ike_sa_t *this, u_int32_t reqid)
-{
-	iterator_t *iterator;
-	child_sa_t *child_sa;
-	bool found = FALSE;
-	
-	/* find CHILD_SA in ROUTED state */
-	iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
-	while (iterator->iterate(iterator, (void**)&child_sa))
-	{
-		if (child_sa->get_state(child_sa) == CHILD_ROUTED &&
-			child_sa->get_reqid(child_sa) == reqid)
-		{
-			iterator->remove(iterator);
-			DBG1(DBG_IKE, "CHILD_SA unrouted");
-			child_sa->destroy(child_sa);
-			found = TRUE;
-			break;
-		}
-	}
-	iterator->destroy(iterator);
-	
-	if (!found)
-	{
-		DBG1(DBG_IKE, "unrouting CHILD_SA failed: reqid %d not found", reqid);
-		return FAILED;
-	}
-	/* if we are not established, and we have no more routed childs, remove whole SA */
-	if (this->state == IKE_CREATED &&
-		this->child_sas->get_count(this->child_sas) == 0)
-	{
-		return DESTROY_ME;
-	}
-	return SUCCESS;
-}
-
 /**
  * Implementation of ike_sa_t.process_message.
  */
@@ -1438,19 +1256,20 @@ static status_t process_message(private_ike_sa_t *this, message_t *message)
 			 exchange_type_names, message->get_exchange_type(message),
 			 message->get_request(message) ? "request" : "response",
 			 message->get_message_id(message));
+		
+		if (this->state == IKE_CREATED)
+		{	/* invalid initiation attempt, close SA */
+			return DESTROY_ME;
+		}
 		return status;
 	}
 	else
 	{
 		host_t *me, *other;
-		private_ike_sa_t *new;
-		iterator_t *iterator;
-		child_sa_t *child;
-		bool has_routed = FALSE;
 		
 		me = message->get_destination(message);
 		other = message->get_source(message);
-
+		
 		/* if this IKE_SA is virgin, we check for a config */
 		if (this->ike_cfg == NULL)
 		{
@@ -1480,59 +1299,7 @@ static status_t process_message(private_ike_sa_t *this, message_t *message)
 				update_hosts(this, me, other);
 			}
 		}
-		status = this->task_manager->process_message(this->task_manager, message);
-		if (status != DESTROY_ME)
-		{
-			if (message->get_exchange_type(message) == IKE_AUTH &&
-				this->state == IKE_ESTABLISHED)
-			{
-				/* purge auth items if SA is up, as they contain certs
-				 * and other memory wasting elements */
-				this->my_auth->purge(this->my_auth);
-				this->other_auth->purge(this->other_auth);
-			}
-			return status;
-		}
-		/* if IKE_SA gets closed for any reasons, reroute routed children */
-		iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
-		while (iterator->iterate(iterator, (void**)&child))
-		{
-			if (child->get_state(child) == CHILD_ROUTED)
-			{
-				has_routed = TRUE;
-				break;
-			}
-		}
-		iterator->destroy(iterator);
-		if (!has_routed)
-		{
-			return status;
-		}
-		/* move routed children to a new IKE_SA, apply connection info */
-		new = (private_ike_sa_t*)charon->ike_sa_manager->checkout_new(
-											charon->ike_sa_manager, TRUE);
-		set_peer_cfg(new, this->peer_cfg);
-		new->other_host->destroy(new->other_host);
-		new->other_host = this->other_host->clone(this->other_host);
-		if (!has_condition(this, COND_NAT_THERE))
-		{
-			new->other_host->set_port(new->other_host, IKEV2_UDP_PORT);
-		}
-		if (this->my_virtual_ip)
-		{
-			set_virtual_ip(new, TRUE, this->my_virtual_ip);
-		}
-		iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
-		while (iterator->iterate(iterator, (void**)&child))
-		{
-			if (child->get_state(child) == CHILD_ROUTED)
-			{
-				route(new, child->get_config(child));
-			}
-		}
-		iterator->destroy(iterator);
-		charon->ike_sa_manager->checkin(charon->ike_sa_manager, &new->public);
-		return status;
+		return this->task_manager->process_message(this->task_manager, message);
 	}
 }
 
@@ -1841,7 +1608,7 @@ static status_t reestablish(private_ike_sa_t *this)
 #ifdef ME
 	if (this->peer_cfg->is_mediation(this->peer_cfg))
 	{
-		status = new->initiate(new, NULL);
+		status = new->initiate(new, NULL, 0, NULL, NULL);
 	}
 	else
 #endif /* ME */
@@ -1864,10 +1631,11 @@ static status_t reestablish(private_ike_sa_t *this)
 					DBG1(DBG_IKE, "restarting CHILD_SA %s",
 						 child_cfg->get_name(child_cfg));
 					child_cfg->get_ref(child_cfg);
-					status = new->initiate(new, child_cfg);
+					status = new->initiate(new, child_cfg, 0, NULL, NULL);
 					break;
 				case ACTION_ROUTE:
-					status = new->route(new, child_cfg);
+					charon->traps->install(charon->traps,
+										   this->peer_cfg, child_cfg);
 					break;
 				default:
 					continue;
@@ -1883,13 +1651,15 @@ static status_t reestablish(private_ike_sa_t *this)
 	if (status == DESTROY_ME)
 	{
 		charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, new);
-		return FAILED;
+		status = FAILED;
 	}
 	else
 	{
 		charon->ike_sa_manager->checkin(charon->ike_sa_manager, new);
-		return SUCCESS;
+		status = SUCCESS;
 	}
+	charon->bus->set_sa(charon->bus, &this->public);
+	return status;
 }
 
 /**
@@ -1955,8 +1725,8 @@ static void set_auth_lifetime(private_ike_sa_t *this, u_int32_t lifetime)
 		DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, scheduling reauthentication"
 			 " in %ds", lifetime, lifetime - reduction);
 		charon->scheduler->schedule_job(charon->scheduler,
-					(job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE),
-					(lifetime - reduction) * 1000);
+						(job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE),
+						lifetime - reduction);
 	}
 	else
 	{
@@ -2024,13 +1794,35 @@ static status_t roam(private_ike_sa_t *this, bool address)
 	return reauth(this);
 }
 
+/**
+ * Implementation of ike_sa_t.add_configuration_attribute
+ */
+static void add_configuration_attribute(private_ike_sa_t *this,
+							configuration_attribute_type_t type, chunk_t data)
+{
+	attribute_entry_t *entry;
+	attribute_handler_t *handler;
+	
+	handler = charon->attributes->handle(charon->attributes,
+										 &this->public, type, data);
+	if (handler)
+	{
+		entry = malloc_thing(attribute_entry_t);
+		entry->handler = handler;
+		entry->type = type;
+		entry->data = chunk_clone(data);
+		
+		this->attributes->insert_last(this->attributes, entry);
+	}
+}
+
 /**
  * Implementation of ike_sa_t.inherit.
  */
 static status_t inherit(private_ike_sa_t *this, private_ike_sa_t *other)
 {
 	child_sa_t *child_sa;
-	host_t *ip;
+	attribute_entry_t *entry;
 	
 	/* apply hosts and ids */
 	this->my_host->destroy(this->my_host);
@@ -2054,11 +1846,11 @@ static status_t inherit(private_ike_sa_t *this, private_ike_sa_t *other)
 		other->other_virtual_ip = NULL;
 	}
 	
-	/* ... and DNS servers */
-	while (other->dns_servers->remove_last(other->dns_servers, 
-										   (void**)&ip) == SUCCESS)
+	/* ... and configuration attributes */
+	while (other->attributes->remove_last(other->attributes, 
+										  (void**)&entry) == SUCCESS)
 	{
-		this->dns_servers->insert_first(this->dns_servers, ip);
+		this->attributes->insert_first(this->attributes, entry);
 	}
 
 	/* inherit all conditions */
@@ -2102,158 +1894,36 @@ static status_t inherit(private_ike_sa_t *this, private_ike_sa_t *other)
 		DBG1(DBG_IKE, "rescheduling reauthentication in %ds after rekeying, "
 			 "lifetime reduced to %ds", reauth, delete);
 		charon->scheduler->schedule_job(charon->scheduler, 
-						(job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE),
-						reauth * 1000);
+				(job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE), reauth);
 		charon->scheduler->schedule_job(charon->scheduler, 
-						(job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE),
-						delete * 1000);
+				(job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE), delete);
 	}
 	/* we have to initate here, there may be new tasks to handle */
 	return this->task_manager->initiate(this->task_manager);
 }
 
-/**
- * Implementation of ike_sa_t.remove_dns_server
- */
-static void remove_dns_servers(private_ike_sa_t *this)
-{
-	FILE *file;
-	struct stat stats;
-	chunk_t contents, line, orig_line, token;
-	char string[INET6_ADDRSTRLEN];
-	host_t *ip;
-	iterator_t *iterator;
-	
-	if (this->dns_servers->get_count(this->dns_servers) == 0)
-	{
-		/* don't touch anything if we have no nameservers installed */
-		return;
-	}
-	
-	file = fopen(RESOLV_CONF, "r");
-	if (file == NULL || stat(RESOLV_CONF, &stats) != 0)
-	{
-		DBG1(DBG_IKE, "unable to open DNS configuration file %s: %s",
-			 RESOLV_CONF, strerror(errno));
-		return;
-	}
-	
-	contents = chunk_alloca((size_t)stats.st_size);
-	
-	if (fread(contents.ptr, 1, contents.len, file) != contents.len)
-	{
-		DBG1(DBG_IKE, "unable to read DNS configuration file: %s", strerror(errno));
-		fclose(file);
-		return;
-	}
-	
-	fclose(file);
-	file = fopen(RESOLV_CONF, "w");
-	if (file == NULL)
-	{
-		DBG1(DBG_IKE, "unable to open DNS configuration file %s: %s",
-			 RESOLV_CONF, strerror(errno));
-		return;
-	}
-	
-	iterator = this->dns_servers->create_iterator(this->dns_servers, TRUE);
-	while (fetchline(&contents, &line))
-	{
-		bool found = FALSE;
-		orig_line = line;
-		if (extract_token(&token, ' ', &line) &&
-			strncasecmp(token.ptr, "nameserver", token.len) == 0)
-		{
-			if (!extract_token(&token, ' ', &line))
-			{
-				token = line;
-			}
-			iterator->reset(iterator);
-			while (iterator->iterate(iterator, (void**)&ip))
-			{
-				snprintf(string, sizeof(string), "%H", ip);
-				if (strlen(string) == token.len &&
-					strncmp(token.ptr, string, token.len) == 0)
-				{
-					iterator->remove(iterator);
-					ip->destroy(ip);
-					found = TRUE;
-					break;
-				}
-			}
-		}		
-		
-		if (!found)
-		{	
-			/* write line untouched back to file */
-			ignore_result(fwrite(orig_line.ptr, orig_line.len, 1, file));
-			fprintf(file, "\n");
-		}
-	}
-	iterator->destroy(iterator);
-	fclose(file);
-}
-
-/**
- * Implementation of ike_sa_t.add_dns_server
- */
-static void add_dns_server(private_ike_sa_t *this, host_t *dns)
-{
-	FILE *file;
-	struct stat stats;
-	chunk_t contents;
-
-	DBG1(DBG_IKE, "installing DNS server %H", dns);
-	
-	file = fopen(RESOLV_CONF, "a+");
-	if (file == NULL || stat(RESOLV_CONF, &stats) != 0)
-	{
-		DBG1(DBG_IKE, "unable to open DNS configuration file %s: %s",
-			 RESOLV_CONF, strerror(errno));
-		return;
-	}
-
-	contents = chunk_alloca(stats.st_size);
-	
-	if (fread(contents.ptr, 1, contents.len, file) != contents.len)
-	{
-		DBG1(DBG_IKE, "unable to read DNS configuration file: %s", strerror(errno));
-		fclose(file);
-		return;
-	}
-	
-	fclose(file);
-	file = fopen(RESOLV_CONF, "w");
-	if (file == NULL)
-	{
-		DBG1(DBG_IKE, "unable to open DNS configuration file %s: %s",
-			 RESOLV_CONF, strerror(errno));
-		return;
-	}
-	
-	if (fprintf(file, "nameserver %H   # added by strongSwan, assigned by %D\n",
-		dns, this->other_id) < 0)
-	{
-		DBG1(DBG_IKE, "unable to write DNS configuration: %s", strerror(errno));
-	}
-	else
-	{
-		this->dns_servers->insert_last(this->dns_servers, dns->clone(dns));
-	}
-	ignore_result(fwrite(contents.ptr, contents.len, 1, file));
-	
-	fclose(file);	
-}
-
 /**
  * Implementation of ike_sa_t.destroy.
  */
 static void destroy(private_ike_sa_t *this)
 {
+	attribute_entry_t *entry;
+	
 	charon->bus->set_sa(charon->bus, &this->public);
 	
 	set_state(this, IKE_DESTROYING);
 	
+	/* remove attributes first, as we pass the IKE_SA to the handler */
+	while (this->attributes->remove_last(this->attributes, 
+										 (void**)&entry) == SUCCESS)
+	{
+		charon->attributes->release(charon->attributes, entry->handler,
+									&this->public, entry->type, entry->data);
+		free(entry->data.ptr);
+		free(entry);
+	}
+	this->attributes->destroy(this->attributes);
+	
 	this->child_sas->destroy_offset(this->child_sas, offsetof(child_sa_t, destroy));
 	
 	/* unset SA after here to avoid usage by the listeners */
@@ -2278,10 +1948,6 @@ static void destroy(private_ike_sa_t *this)
 		}
 		this->other_virtual_ip->destroy(this->other_virtual_ip);
 	}
-	
-	remove_dns_servers(this);
-	this->dns_servers->destroy_offset(this->dns_servers,
-													offsetof(host_t, destroy));
 	this->additional_addresses->destroy_offset(this->additional_addresses,
 													offsetof(host_t, destroy));
 #ifdef ME
@@ -2304,9 +1970,9 @@ static void destroy(private_ike_sa_t *this)
 	
 	DESTROY_IF(this->ike_cfg);
 	DESTROY_IF(this->peer_cfg);
-	DESTROY_IF(this->my_auth);
-	DESTROY_IF(this->other_auth);
 	DESTROY_IF(this->proposal);
+	this->my_auth->destroy(this->my_auth);
+	this->other_auth->destroy(this->other_auth);
 	
 	this->ike_sa_id->destroy(this->ike_sa_id);
 	free(this);
@@ -2326,16 +1992,12 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
 	this->public.get_name = (char* (*)(ike_sa_t*))get_name;
 	this->public.get_statistic = (u_int32_t(*)(ike_sa_t*, statistic_t kind))get_statistic;
 	this->public.process_message = (status_t (*)(ike_sa_t*, message_t*)) process_message;
-	this->public.initiate = (status_t (*)(ike_sa_t*,child_cfg_t*)) initiate;
-	this->public.route = (status_t (*)(ike_sa_t*,child_cfg_t*)) route;
-	this->public.unroute = (status_t (*)(ike_sa_t*,u_int32_t)) unroute;
-	this->public.acquire = (status_t (*)(ike_sa_t*,u_int32_t)) acquire;
+	this->public.initiate = (status_t (*)(ike_sa_t*,child_cfg_t*,u_int32_t,traffic_selector_t*,traffic_selector_t*)) initiate;
 	this->public.get_ike_cfg = (ike_cfg_t* (*)(ike_sa_t*))get_ike_cfg;
 	this->public.set_ike_cfg = (void (*)(ike_sa_t*,ike_cfg_t*))set_ike_cfg;
 	this->public.get_peer_cfg = (peer_cfg_t* (*)(ike_sa_t*))get_peer_cfg;
 	this->public.set_peer_cfg = (void (*)(ike_sa_t*,peer_cfg_t*))set_peer_cfg;
-	this->public.get_my_auth = (auth_info_t*(*)(ike_sa_t*))get_my_auth;
-	this->public.get_other_auth = (auth_info_t*(*)(ike_sa_t*))get_other_auth;
+	this->public.get_auth_cfg = (auth_cfg_t*(*)(ike_sa_t*, bool local))get_auth_cfg;
 	this->public.get_proposal = (proposal_t*(*)(ike_sa_t*))get_proposal;
 	this->public.set_proposal = (void(*)(ike_sa_t*, proposal_t *proposal))set_proposal;
 	this->public.get_id = (ike_sa_id_t* (*)(ike_sa_t*)) get_id;
@@ -2383,7 +2045,7 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
 	this->public.get_unique_id = (u_int32_t (*)(ike_sa_t*))get_unique_id;
 	this->public.set_virtual_ip = (void (*)(ike_sa_t*,bool,host_t*))set_virtual_ip;
 	this->public.get_virtual_ip = (host_t* (*)(ike_sa_t*,bool))get_virtual_ip;
-	this->public.add_dns_server = (void (*)(ike_sa_t*,host_t*))add_dns_server;
+	this->public.add_configuration_attribute = (void(*)(ike_sa_t*, configuration_attribute_type_t type, chunk_t data))add_configuration_attribute;
 	this->public.set_kmaddress = (void (*)(ike_sa_t*,host_t*,host_t*))set_kmaddress;
 #ifdef ME
 	this->public.act_as_mediation_server = (void (*)(ike_sa_t*)) act_as_mediation_server;
@@ -2416,15 +2078,15 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
 	this->stats[STAT_INBOUND] = this->stats[STAT_OUTBOUND] = time(NULL);
 	this->ike_cfg = NULL;
 	this->peer_cfg = NULL;
-	this->my_auth = auth_info_create();
-	this->other_auth = auth_info_create();
+	this->my_auth = auth_cfg_create();
+	this->other_auth = auth_cfg_create();
 	this->proposal = NULL;
 	this->task_manager = task_manager_create(&this->public);
 	this->unique_id = ++unique_id;
 	this->my_virtual_ip = NULL;
 	this->other_virtual_ip = NULL;
-	this->dns_servers = linked_list_create();
 	this->additional_addresses = linked_list_create();
+	this->attributes = linked_list_create();
 	this->nat_detection_dest = chunk_empty;
 	this->pending_updates = 0;
 	this->keyingtry = 0;
diff --git a/src/charon/sa/ike_sa.h b/src/charon/sa/ike_sa.h
index 3ca8d9521..b751bda0c 100644
--- a/src/charon/sa/ike_sa.h
+++ b/src/charon/sa/ike_sa.h
@@ -1,7 +1,7 @@
 /*
  * Copyright (C) 2006-2008 Tobias Brunner
  * Copyright (C) 2006 Daniel Roethlisberger
- * Copyright (C) 2005-2008 Martin Willi
+ * Copyright (C) 2005-2009 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
  *
@@ -14,8 +14,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: ike_sa.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -35,18 +33,19 @@ typedef struct ike_sa_t ike_sa_t;
 #include <library.h>
 #include <encoding/message.h>
 #include <encoding/payloads/proposal_substructure.h>
+#include <encoding/payloads/configuration_attribute.h>
 #include <sa/ike_sa_id.h>
 #include <sa/child_sa.h>
 #include <sa/tasks/task.h>
 #include <sa/keymat.h>
 #include <config/peer_cfg.h>
 #include <config/ike_cfg.h>
-#include <credentials/auth_info.h>
+#include <config/auth_cfg.h>
 
 /**
- * Timeout in milliseconds after that a half open IKE_SA gets deleted.
+ * Timeout in seconds after that a half open IKE_SA gets deleted.
  */
-#define HALF_OPEN_IKE_SA_TIMEOUT 30000
+#define HALF_OPEN_IKE_SA_TIMEOUT 30
 
 /**
  * Interval to send keepalives when NATed, in seconds.
@@ -82,6 +81,11 @@ enum ike_extension_t {
 	 * peer supports HTTP cert lookups as specified in RFC4306
 	 */
 	EXT_HASH_AND_URL = (1<<2),
+	
+	/**
+	 * peer supports multiple authentication exchanges, RFC4739
+	 */
+	EXT_MULTIPLE_AUTH = (1<<3),
 };
 
 /**
@@ -110,7 +114,7 @@ enum ike_condition_t {
 	COND_NAT_FAKE = (1<<3),
 	
 	/**
-	 * peer has ben authenticated using EAP
+	 * peer has been authenticated using EAP at least once
 	 */
 	COND_EAP_AUTHENTICATED = (1<<4),
 	
@@ -391,18 +395,12 @@ struct ike_sa_t {
 	void (*set_peer_cfg) (ike_sa_t *this, peer_cfg_t *config);
 	
 	/**
-	 * Get authentication/authorization info for local peer.
-	 *
-	 * @return				auth_info for me
-	 */
-	auth_info_t* (*get_my_auth)(ike_sa_t *this);
-	
-	/**
-	 * Get authentication/authorization info for remote peer.
+	 * Get the authentication config with rules of the current auth round.
 	 *
-	 * @return				auth_info for me
+	 * @param local			TRUE for local rules, FALSE for remote constraints
+	 * @return				current cfg
 	 */
-	auth_info_t* (*get_other_auth)(ike_sa_t *this);
+	auth_cfg_t* (*get_auth_cfg)(ike_sa_t *this, bool local);
 	
 	/**
 	 * Get the selected proposal of this IKE_SA.
@@ -602,51 +600,21 @@ struct ike_sa_t {
 	/**
 	 * Initiate a new connection.
 	 *
-	 * The configs are owned by the IKE_SA after the call.
+	 * The configs are owned by the IKE_SA after the call. If the initiate
+	 * is triggered by a packet, traffic selectors of the packet can be added
+	 * to the CHILD_SA.
 	 * 
 	 * @param child_cfg		child config to create CHILD from
+	 * @param reqid			reqid to use for CHILD_SA, 0 assigne uniquely
+	 * @param tsi			source of triggering packet
+	 * @param tsr			destination of triggering packet.
 	 * @return				
 	 * 						- SUCCESS if initialization started
 	 * 						- DESTROY_ME if initialization failed
 	 */
-	status_t (*initiate) (ike_sa_t *this, child_cfg_t *child_cfg);
-
-	/**
-	 * Route a policy in the kernel.
-	 *
-	 * Installs the policies in the kernel. If traffic matches,
-	 * the kernel requests connection setup from the IKE_SA via acquire().
-	 * 
-	 * @param child_cfg		child config to route
-	 * @return				
-	 * 						- SUCCESS if routed successfully
-	 * 						- FAILED if routing failed
-	 */
-	status_t (*route) (ike_sa_t *this, child_cfg_t *child_cfg);
-
-	/**
-	 * Unroute a policy in the kernel previously routed.
-	 *
-	 * @param reqid			reqid of CHILD_SA to unroute
-	 * @return				
-	 * 						- SUCCESS if route removed
-	 *						- NOT_FOUND if CHILD_SA not found
-	 * 						- DESTROY_ME if last CHILD_SA was unrouted
-	 */
-	status_t (*unroute) (ike_sa_t *this, u_int32_t reqid);
-	
-	/**
-	 * Acquire connection setup for an installed kernel policy.
-	 *
-	 * If an installed policy raises an acquire, the kernel calls
-	 * this function to establish the CHILD_SA (and maybe the IKE_SA).
-	 *
-	 * @param reqid			reqid of the CHILD_SA the policy belongs to.
-	 * @return				
-	 * 						- SUCCESS if initialization started
-	 * 						- DESTROY_ME if initialization failed
-	 */
-	status_t (*acquire) (ike_sa_t *this, u_int32_t reqid);
+	status_t (*initiate) (ike_sa_t *this, child_cfg_t *child_cfg,
+						  u_int32_t reqid, traffic_selector_t *tsi,
+						  traffic_selector_t *tsr);
 	
 	/**
 	 * Initiates the deletion of an IKE_SA.
@@ -869,14 +837,18 @@ struct ike_sa_t {
 	host_t* (*get_virtual_ip) (ike_sa_t *this, bool local);
 	
 	/**
-	 * Add a DNS server to the system.
+	 * Register a configuration attribute to the IKE_SA.
 	 *
-	 * An IRAS may send a DNS server. To use it, it is installed on the
-	 * system. The DNS entry has a lifetime until the IKE_SA gets closed.
+	 * If an IRAS sends a configuration attribute it is installed and
+	 * registered at the IKE_SA. Attributes are inherit()ed and get released
+	 * when the IKE_SA is closed.
 	 *
-	 * @param dns			DNS server to install on the system
+	 * @param handler		handler installed the attribute, use for release()
+	 * @param type			configuration attribute type
+	 * @param data			associated attribute data
 	 */
-	void (*add_dns_server) (ike_sa_t *this, host_t *dns);
+	void (*add_configuration_attribute)(ike_sa_t *this,
+							configuration_attribute_type_t type, chunk_t data);
 	
 	/**
 	 * Set local and remote host addresses to be used for IKE.
@@ -888,7 +860,7 @@ struct ike_sa_t {
 	 * @param remote		remote kmaddress
 	 */
 	void (*set_kmaddress) (ike_sa_t *this, host_t *local, host_t *remote);
-
+	
 	/**
 	 * Inherit all attributes of other to this after rekeying.
 	 *
diff --git a/src/charon/sa/ike_sa_id.c b/src/charon/sa/ike_sa_id.c
index e012d5944..94c5405f2 100644
--- a/src/charon/sa/ike_sa_id.c
+++ b/src/charon/sa/ike_sa_id.c
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: ike_sa_id.c 3589 2008-03-13 14:14:44Z martin $
  */
 
 #include "ike_sa_id.h"
diff --git a/src/charon/sa/ike_sa_id.h b/src/charon/sa/ike_sa_id.h
index db36fda95..377e64e8a 100644
--- a/src/charon/sa/ike_sa_id.h
+++ b/src/charon/sa/ike_sa_id.h
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: ike_sa_id.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/charon/sa/ike_sa_manager.c b/src/charon/sa/ike_sa_manager.c
index e2aacddd5..efe7c228c 100644
--- a/src/charon/sa/ike_sa_manager.c
+++ b/src/charon/sa/ike_sa_manager.c
@@ -13,8 +13,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: ike_sa_manager.c 5035 2009-03-26 13:18:19Z andreas $
  */
 
 #include <string.h>
@@ -901,25 +899,35 @@ static ike_sa_t* checkout(private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id
  */
 static ike_sa_t *checkout_new(private_ike_sa_manager_t* this, bool initiator)
 {
+	ike_sa_id_t *ike_sa_id;
+	ike_sa_t *ike_sa;
 	entry_t *entry;
 	u_int segment;
 	
-	entry = entry_create();
 	if (initiator)
 	{
-		entry->ike_sa_id = ike_sa_id_create(get_next_spi(this), 0, TRUE);
+		ike_sa_id = ike_sa_id_create(get_next_spi(this), 0, TRUE);
 	}
 	else
 	{
-		entry->ike_sa_id = ike_sa_id_create(0, get_next_spi(this), FALSE);
+		ike_sa_id = ike_sa_id_create(0, get_next_spi(this), FALSE);
+	}
+	ike_sa = ike_sa_create(ike_sa_id);
+	
+	DBG2(DBG_MGR, "created IKE_SA");
+	
+	if (!initiator)
+	{
+		ike_sa_id->destroy(ike_sa_id);
+		return ike_sa;
 	}
-	entry->ike_sa = ike_sa_create(entry->ike_sa_id);
 	
-	segment = put_entry(this, entry); 
+	entry = entry_create();
+	entry->ike_sa_id = ike_sa_id;
+	entry->ike_sa = ike_sa;
+	segment = put_entry(this, entry);
 	entry->checked_out = TRUE;
 	unlock_single_segment(this, segment);
-	
-	DBG2(DBG_MGR, "created IKE_SA");
 	return entry->ike_sa;
 }
 
@@ -1042,9 +1050,7 @@ static ike_sa_t* checkout_by_config(private_ike_sa_manager_t *this,
 	enumerator_t *enumerator;
 	entry_t *entry;
 	ike_sa_t *ike_sa = NULL;
-	identification_t *my_id, *other_id;
-	host_t *my_host, *other_host;
-	ike_cfg_t *ike_cfg;
+	peer_cfg_t *current_cfg;
 	u_int segment;
 	
 	if (!this->reuse_ikesa)
@@ -1054,70 +1060,29 @@ static ike_sa_t* checkout_by_config(private_ike_sa_manager_t *this,
 		return ike_sa;
 	}
 	
-	ike_cfg = peer_cfg->get_ike_cfg(peer_cfg);
-	my_id = peer_cfg->get_my_id(peer_cfg);
-	other_id = peer_cfg->get_other_id(peer_cfg);
-	my_host = host_create_from_dns(ike_cfg->get_my_addr(ike_cfg), 0, 0);
-	other_host = host_create_from_dns(ike_cfg->get_other_addr(ike_cfg), 0, 0);
-	
-	if (my_host && other_host)
+	enumerator = create_table_enumerator(this);
+	while (enumerator->enumerate(enumerator, &entry, &segment))
 	{
-		enumerator = create_table_enumerator(this);
-		while (enumerator->enumerate(enumerator, &entry, &segment))
+		if (!wait_for_entry(this, entry, segment))
 		{
-			identification_t *found_my_id, *found_other_id;
-			host_t *found_my_host, *found_other_host;
-		
-			if (!wait_for_entry(this, entry, segment))
-			{
-				continue;
-			}
-		
-			if (entry->ike_sa->get_state(entry->ike_sa) == IKE_DELETING)
-			{
-				/* skip IKE_SAs which are not usable */
-				continue;
-			}
-		
-			found_my_id = entry->ike_sa->get_my_id(entry->ike_sa);
-			found_other_id = entry->ike_sa->get_other_id(entry->ike_sa);
-			found_my_host = entry->ike_sa->get_my_host(entry->ike_sa);
-			found_other_host = entry->ike_sa->get_other_host(entry->ike_sa);
+			continue;
+		}
+		if (entry->ike_sa->get_state(entry->ike_sa) == IKE_DELETING)
+		{	/* skip IKE_SAs which are not usable */
+			continue;
+		}
 		
-			if (found_my_id->get_type(found_my_id) == ID_ANY &&
-				found_other_id->get_type(found_other_id) == ID_ANY)
-			{
-				/* IKE_SA has no IDs yet, so we can't use it */
-				continue;
-			}
-			DBG2(DBG_MGR, "candidate IKE_SA for \n"
-				 "  %H[%D]...%H[%D]\n"
-				 "  %H[%D]...%H[%D]",
-				 my_host, my_id, other_host, other_id,
-				 found_my_host, found_my_id, found_other_host, found_other_id);
-			/* compare ID and hosts. Supplied ID may contain wildcards, and IP
-			 * may be %any. */
-			if ((my_host->is_anyaddr(my_host) ||
-				 my_host->ip_equals(my_host, found_my_host)) &&
-				(other_host->is_anyaddr(other_host) ||
-				 other_host->ip_equals(other_host, found_other_host)) &&
-				found_my_id->matches(found_my_id, my_id) &&
-				found_other_id->matches(found_other_id, other_id) &&
-				streq(peer_cfg->get_name(peer_cfg),
-					  entry->ike_sa->get_name(entry->ike_sa)))
-			{
-				/* looks good, we take this one */
-				DBG2(DBG_MGR, "found an existing IKE_SA for %H[%D]...%H[%D]",
-					 my_host, my_id, other_host, other_id);
-				entry->checked_out = TRUE;
-				ike_sa = entry->ike_sa;
-				break;
-			}
+		current_cfg = entry->ike_sa->get_peer_cfg(entry->ike_sa);
+		if (current_cfg && current_cfg->equals(current_cfg, peer_cfg))
+		{
+			DBG2(DBG_MGR, "found an existing IKE_SA with a '%s' config",
+				 current_cfg->get_name(current_cfg));
+			entry->checked_out = TRUE;
+			ike_sa = entry->ike_sa;
+			break;
 		}
-		enumerator->destroy(enumerator);
 	}
-	DESTROY_IF(my_host);
-	DESTROY_IF(other_host);
+	enumerator->destroy(enumerator);
 	
 	if (!ike_sa)
 	{	/* no IKE_SA using such a config, hand out a new */
@@ -1326,20 +1291,12 @@ static void checkin(private_ike_sa_manager_t *this, ike_sa_t *ike_sa)
 	
 	/* apply identities for duplicate test (only as responder) */
 	if (!entry->ike_sa_id->is_initiator(entry->ike_sa_id) &&
-			(!entry->my_id || !entry->other_id))
+		ike_sa->get_state(ike_sa) == IKE_ESTABLISHED &&
+		entry->my_id == NULL && entry->other_id == NULL)
 	{
-		if (!entry->my_id && my_id->get_type(my_id) != ID_ANY)
-		{
-			entry->my_id = my_id->clone(my_id);
-		}
-		if (!entry->other_id && other_id->get_type(other_id) != ID_ANY)
-		{
-			entry->other_id = other_id->clone(other_id);
-		}
-		if (entry->my_id && entry->other_id)
-		{
-			put_connected_peers(this, entry);
-		}
+		entry->my_id = my_id->clone(my_id);
+		entry->other_id = other_id->clone(other_id);
+		put_connected_peers(this, entry);
 	}
 	
 	unlock_single_segment(this, segment);
@@ -1477,7 +1434,7 @@ static bool check_uniqueness(private_ike_sa_manager_t *this, ike_sa_t *ike_sa)
 					{
 						case UNIQUE_REPLACE:
 							DBG1(DBG_IKE, "deleting duplicate IKE_SA for peer "
-									"'%D' due to uniqueness policy", other);
+									"'%Y' due to uniqueness policy", other);
 							status = duplicate->delete(duplicate);
 							break;
 						case UNIQUE_KEEP:
diff --git a/src/charon/sa/ike_sa_manager.h b/src/charon/sa/ike_sa_manager.h
index 8fe991521..6da768080 100644
--- a/src/charon/sa/ike_sa_manager.h
+++ b/src/charon/sa/ike_sa_manager.h
@@ -13,8 +13,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: ike_sa_manager.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -53,6 +51,9 @@ struct ike_sa_manager_t {
 	
 	/**
 	 * Create and check out a new IKE_SA.
+	 * 
+	 * @note If initiator equals FALSE, the returned IKE_SA is not registered
+	 * in the manager.
 	 *
 	 * @param initiator			TRUE for initiator, FALSE otherwise
 	 * @returns 				created and checked out IKE_SA
diff --git a/src/charon/sa/keymat.c b/src/charon/sa/keymat.c
index b2e646c93..117d260ba 100644
--- a/src/charon/sa/keymat.c
+++ b/src/charon/sa/keymat.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 #include "keymat.h"
@@ -415,17 +413,18 @@ static bool derive_child_keys(private_keymat_t *this,
 		/* to bytes */
 		enc_size /= 8;
 		
-	 	/* CCM/GCM needs additional bytes */
+		/* CCM/GCM/CTR needs additional bytes */
 		switch (enc_alg)
 		{
 			case ENCR_AES_CCM_ICV8:
 			case ENCR_AES_CCM_ICV12:
 			case ENCR_AES_CCM_ICV16:
 				enc_size += 3;
-				break;		
+				break;
 			case ENCR_AES_GCM_ICV8:
 			case ENCR_AES_GCM_ICV12:
 			case ENCR_AES_GCM_ICV16:
+			case ENCR_AES_CTR:
 				enc_size += 4;
 				break;
 			default:
@@ -463,6 +462,16 @@ static bool derive_child_keys(private_keymat_t *this,
 	
 	prf_plus->destroy(prf_plus);
 	
+	if (enc_size)
+	{
+		DBG4(DBG_CHD, "encryption initiator key %B", encr_i);
+		DBG4(DBG_CHD, "encryption responder key %B", encr_r);
+	}
+	if (int_size)
+	{
+		DBG4(DBG_CHD, "integrity initiator key %B", integ_i);
+		DBG4(DBG_CHD, "integrity responder key %B", integ_r);
+	}
 	return TRUE;
 }
 
diff --git a/src/charon/sa/keymat.h b/src/charon/sa/keymat.h
index 659e4dff2..43b9dd113 100644
--- a/src/charon/sa/keymat.h
+++ b/src/charon/sa/keymat.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 /**
diff --git a/src/charon/sa/mediation_manager.c b/src/charon/sa/mediation_manager.c
index b508c48c3..890e567c7 100644
--- a/src/charon/sa/mediation_manager.c
+++ b/src/charon/sa/mediation_manager.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: mediation_manager.c 4579 2008-11-05 11:29:56Z martin $
  */
 
 #include "mediation_manager.h"
@@ -227,12 +225,12 @@ static void update_sa_id(private_mediation_manager_t *this, identification_t *pe
 	
 	if (!found)
 	{
-		DBG2(DBG_IKE, "adding peer '%D'", peer_id);
+		DBG2(DBG_IKE, "adding peer '%Y'", peer_id);
 		peer = peer_create(peer_id, NULL);
 		this->peers->insert_last(this->peers, peer);
 	}
 
-	DBG2(DBG_IKE, "changing registered IKE_SA ID of peer '%D'", peer_id);			
+	DBG2(DBG_IKE, "changing registered IKE_SA ID of peer '%Y'", peer_id);			
 	peer->ike_sa_id = ike_sa_id ? ike_sa_id->clone(ike_sa_id) : NULL;
 	
 	/* send callbacks to registered peers */
@@ -284,7 +282,7 @@ static ike_sa_id_t *check_and_register(private_mediation_manager_t *this,
 
 	if (get_peer_by_id(this, peer_id, &peer) != SUCCESS)
 	{
-		DBG2(DBG_IKE, "adding peer %D", peer_id);
+		DBG2(DBG_IKE, "adding peer %Y", peer_id);
 		peer = peer_create(peer_id, NULL);
 		this->peers->insert_last(this->peers, peer);
 	}
@@ -292,7 +290,7 @@ static ike_sa_id_t *check_and_register(private_mediation_manager_t *this,
 	if (!peer->ike_sa_id)
 	{
 		/* the peer is not online */
-		DBG2(DBG_IKE, "requested peer '%D' is offline, registering peer '%D'", peer_id, requester);
+		DBG2(DBG_IKE, "requested peer '%Y' is offline, registering peer '%Y'", peer_id, requester);
 		register_peer(peer, requester);
 		this->mutex->unlock(this->mutex);
 		return NULL;
diff --git a/src/charon/sa/mediation_manager.h b/src/charon/sa/mediation_manager.h
index 7eee09d67..29e16d84f 100644
--- a/src/charon/sa/mediation_manager.h
+++ b/src/charon/sa/mediation_manager.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: mediation_manager.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/charon/sa/task_manager.c b/src/charon/sa/task_manager.c
index e5c5fe178..2cd9532eb 100644
--- a/src/charon/sa/task_manager.c
+++ b/src/charon/sa/task_manager.c
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: task_manager.c 4857 2009-02-09 10:45:51Z martin $
  */
 
 #include "task_manager.h"
@@ -259,7 +257,7 @@ static status_t retransmit(private_task_manager_t *this, u_int32_t message_id)
 		this->initiating.retransmitted++;
 		job = (job_t*)retransmit_job_create(this->initiating.mid,
 											this->ike_sa->get_id(this->ike_sa));
-		charon->scheduler->schedule_job(charon->scheduler, job, timeout);
+		charon->scheduler->schedule_job_ms(charon->scheduler, job, timeout);
 	}
 	return SUCCESS;
 }
@@ -626,6 +624,7 @@ static status_t build_response(private_task_manager_t *this, message_t *request)
 	
 	/* message complete, send it */
 	DESTROY_IF(this->responding.packet);
+	this->responding.packet = NULL;
 	status = this->ike_sa->generate_message(this->ike_sa, message,
 											&this->responding.packet);
 	charon->bus->message(charon->bus, message, FALSE);
@@ -650,167 +649,170 @@ static status_t build_response(private_task_manager_t *this, message_t *request)
 static status_t process_request(private_task_manager_t *this,
 								message_t *message)
 {
+	enumerator_t *enumerator;
 	iterator_t *iterator;
 	task_t *task = NULL;
 	payload_t *payload;
 	notify_payload_t *notify;
 	delete_payload_t *delete;
 	
-	/* create tasks depending on request type */
-	switch (message->get_exchange_type(message))
-	{
-		case IKE_SA_INIT:
+	if (this->passive_tasks->get_count(this->passive_tasks) == 0)
+	{	/* create tasks depending on request type, if not already some queued */
+		switch (message->get_exchange_type(message))
 		{
-			task = (task_t*)ike_init_create(this->ike_sa, FALSE, NULL);
-			this->passive_tasks->insert_last(this->passive_tasks, task);
-			task = (task_t*)ike_natd_create(this->ike_sa, FALSE);
-			this->passive_tasks->insert_last(this->passive_tasks, task);
-			task = (task_t*)ike_cert_pre_create(this->ike_sa, FALSE);
-			this->passive_tasks->insert_last(this->passive_tasks, task);
+			case IKE_SA_INIT:
+			{
+				task = (task_t*)ike_init_create(this->ike_sa, FALSE, NULL);
+				this->passive_tasks->insert_last(this->passive_tasks, task);
+				task = (task_t*)ike_natd_create(this->ike_sa, FALSE);
+				this->passive_tasks->insert_last(this->passive_tasks, task);
+				task = (task_t*)ike_cert_pre_create(this->ike_sa, FALSE);
+				this->passive_tasks->insert_last(this->passive_tasks, task);
 #ifdef ME			
-			task = (task_t*)ike_me_create(this->ike_sa, FALSE);
-			this->passive_tasks->insert_last(this->passive_tasks, task);
+				task = (task_t*)ike_me_create(this->ike_sa, FALSE);
+				this->passive_tasks->insert_last(this->passive_tasks, task);
 #endif /* ME */
-			task = (task_t*)ike_auth_create(this->ike_sa, FALSE);
-			this->passive_tasks->insert_last(this->passive_tasks, task);
-			task = (task_t*)ike_cert_post_create(this->ike_sa, FALSE);
-			this->passive_tasks->insert_last(this->passive_tasks, task);
-			task = (task_t*)ike_config_create(this->ike_sa, FALSE);
-			this->passive_tasks->insert_last(this->passive_tasks, task);
-			task = (task_t*)child_create_create(this->ike_sa, NULL);
-			this->passive_tasks->insert_last(this->passive_tasks, task);
-			task = (task_t*)ike_auth_lifetime_create(this->ike_sa, FALSE);
-			this->passive_tasks->insert_last(this->passive_tasks, task);
-			task = (task_t*)ike_mobike_create(this->ike_sa, FALSE);
-			this->passive_tasks->insert_last(this->passive_tasks, task);
-			break;
-		}
-		case CREATE_CHILD_SA:
-		{	/* FIXME: we should prevent this on mediation connections */
-			bool notify_found = FALSE, ts_found = FALSE;
-			iterator = message->get_payload_iterator(message);
-			while (iterator->iterate(iterator, (void**)&payload))
-			{
-				switch (payload->get_type(payload))
+				task = (task_t*)ike_auth_create(this->ike_sa, FALSE);
+				this->passive_tasks->insert_last(this->passive_tasks, task);
+				task = (task_t*)ike_cert_post_create(this->ike_sa, FALSE);
+				this->passive_tasks->insert_last(this->passive_tasks, task);
+				task = (task_t*)ike_config_create(this->ike_sa, FALSE);
+				this->passive_tasks->insert_last(this->passive_tasks, task);
+				task = (task_t*)child_create_create(this->ike_sa, NULL, NULL, NULL);
+				this->passive_tasks->insert_last(this->passive_tasks, task);
+				task = (task_t*)ike_auth_lifetime_create(this->ike_sa, FALSE);
+				this->passive_tasks->insert_last(this->passive_tasks, task);
+				task = (task_t*)ike_mobike_create(this->ike_sa, FALSE);
+				this->passive_tasks->insert_last(this->passive_tasks, task);
+				break;
+			}
+			case CREATE_CHILD_SA:
+			{	/* FIXME: we should prevent this on mediation connections */
+				bool notify_found = FALSE, ts_found = FALSE;
+				enumerator = message->create_payload_enumerator(message);
+				while (enumerator->enumerate(enumerator, &payload))
 				{
-					case NOTIFY:
+					switch (payload->get_type(payload))
 					{
-						/* if we find a rekey notify, its CHILD_SA rekeying */
-						notify = (notify_payload_t*)payload;
-						if (notify->get_notify_type(notify) == REKEY_SA &&
-							(notify->get_protocol_id(notify) == PROTO_AH ||
-							 notify->get_protocol_id(notify) == PROTO_ESP))
-						{
-							notify_found = TRUE;
+						case NOTIFY:
+						{	/* if we find a rekey notify, its CHILD_SA rekeying */
+							notify = (notify_payload_t*)payload;
+							if (notify->get_notify_type(notify) == REKEY_SA &&
+								(notify->get_protocol_id(notify) == PROTO_AH ||
+								 notify->get_protocol_id(notify) == PROTO_ESP))
+							{
+								notify_found = TRUE;
+							}
+							break;
 						}
-						break;
-					}
-					case TRAFFIC_SELECTOR_INITIATOR:
-					case TRAFFIC_SELECTOR_RESPONDER:
-					{
-						/* if we don't find a TS, its IKE rekeying */
-						ts_found = TRUE;
-						break;
+						case TRAFFIC_SELECTOR_INITIATOR:
+						case TRAFFIC_SELECTOR_RESPONDER:
+						{	/* if we don't find a TS, its IKE rekeying */
+							ts_found = TRUE;
+							break;
+						}
+						default:
+							break;
 					}
-					default:
-						break;
 				}
-			}
-			iterator->destroy(iterator);
-		
-			if (ts_found)
-			{
-				if (notify_found)
+				enumerator->destroy(enumerator);
+				
+				if (ts_found)
 				{
-					task = (task_t*)child_rekey_create(this->ike_sa,
-													   PROTO_NONE, 0);
+					if (notify_found)
+					{
+						task = (task_t*)child_rekey_create(this->ike_sa,
+														   PROTO_NONE, 0);
+					}
+					else
+					{
+						task = (task_t*)child_create_create(this->ike_sa,
+															NULL, NULL, NULL);
+					}
 				}
 				else
 				{
-					task = (task_t*)child_create_create(this->ike_sa, NULL);
+					task = (task_t*)ike_rekey_create(this->ike_sa, FALSE);
 				}
+				this->passive_tasks->insert_last(this->passive_tasks, task);
+				break;
 			}
-			else
-			{
-				task = (task_t*)ike_rekey_create(this->ike_sa, FALSE);
-			}
-			this->passive_tasks->insert_last(this->passive_tasks, task);
-			break;
-		}
-		case INFORMATIONAL:
-		{
-			iterator = message->get_payload_iterator(message);
-			while (iterator->iterate(iterator, (void**)&payload))
+			case INFORMATIONAL:
 			{
-				switch (payload->get_type(payload))
+				enumerator = message->create_payload_enumerator(message);
+				while (enumerator->enumerate(enumerator, &payload))
 				{
-					case NOTIFY:
+					switch (payload->get_type(payload))
 					{
-						notify = (notify_payload_t*)payload;
-						switch (notify->get_notify_type(notify))
+						case NOTIFY:
 						{
-							case ADDITIONAL_IP4_ADDRESS:
-							case ADDITIONAL_IP6_ADDRESS:
-							case NO_ADDITIONAL_ADDRESSES:
-							case UPDATE_SA_ADDRESSES:
-							case NO_NATS_ALLOWED:
-							case UNACCEPTABLE_ADDRESSES:
-							case UNEXPECTED_NAT_DETECTED:
-							case COOKIE2:
-							case NAT_DETECTION_SOURCE_IP:
-							case NAT_DETECTION_DESTINATION_IP:
-								task = (task_t*)ike_mobike_create(
-														this->ike_sa, FALSE);
-								break;
-							case AUTH_LIFETIME:
-								task = (task_t*)ike_auth_lifetime_create(
-														this->ike_sa, FALSE);
-								break;
-							default:
-								break;
+							notify = (notify_payload_t*)payload;
+							switch (notify->get_notify_type(notify))
+							{
+								case ADDITIONAL_IP4_ADDRESS:
+								case ADDITIONAL_IP6_ADDRESS:
+								case NO_ADDITIONAL_ADDRESSES:
+								case UPDATE_SA_ADDRESSES:
+								case NO_NATS_ALLOWED:
+								case UNACCEPTABLE_ADDRESSES:
+								case UNEXPECTED_NAT_DETECTED:
+								case COOKIE2:
+								case NAT_DETECTION_SOURCE_IP:
+								case NAT_DETECTION_DESTINATION_IP:
+									task = (task_t*)ike_mobike_create(
+															this->ike_sa, FALSE);
+									break;
+								case AUTH_LIFETIME:
+									task = (task_t*)ike_auth_lifetime_create(
+															this->ike_sa, FALSE);
+									break;
+								default:
+									break;
+							}
+							break;
 						}
-						break;
-					}
-					case DELETE:
-					{
-						delete = (delete_payload_t*)payload;
-						if (delete->get_protocol_id(delete) == PROTO_IKE)
-						{
-							task = (task_t*)ike_delete_create(this->ike_sa, FALSE);
-						}
-						else
+						case DELETE:
 						{
-							task = (task_t*)child_delete_create(this->ike_sa,
+							delete = (delete_payload_t*)payload;
+							if (delete->get_protocol_id(delete) == PROTO_IKE)
+							{
+								task = (task_t*)ike_delete_create(this->ike_sa,
+																FALSE);
+							}
+							else
+							{
+								task = (task_t*)child_delete_create(this->ike_sa,
 																PROTO_NONE, 0);
+							}
+							break;
 						}
-						break;
+						default:
+							break;
 					}
-					default:
+					if (task)
+					{
 						break;
+					}
 				}
-				if (task)
+				enumerator->destroy(enumerator);
+			
+				if (task == NULL)
 				{
-					break;
+					task = (task_t*)ike_dpd_create(FALSE);
 				}
+				this->passive_tasks->insert_last(this->passive_tasks, task);
+				break;
 			}
-			iterator->destroy(iterator);
-			
-			if (task == NULL)
+#ifdef ME
+			case ME_CONNECT:
 			{
-				task = (task_t*)ike_dpd_create(FALSE);
+				task = (task_t*)ike_me_create(this->ike_sa, FALSE);
+				this->passive_tasks->insert_last(this->passive_tasks, task);
 			}
-			this->passive_tasks->insert_last(this->passive_tasks, task);
-			break;
-		}
-#ifdef ME
-		case ME_CONNECT:
-		{
-			task = (task_t*)ike_me_create(this->ike_sa, FALSE);
-			this->passive_tasks->insert_last(this->passive_tasks, task);
-		}
 #endif /* ME */
-		default:
-			break;
+			default:
+				break;
+		}
 	}
 	
 	/* let the tasks process the message */
@@ -941,15 +943,6 @@ static void adopt_tasks(private_task_manager_t *this, private_task_manager_t *ot
 		task->migrate(task, this->ike_sa);
 		this->queued_tasks->insert_first(this->queued_tasks, task);
 	}
-	
-	/* reset active tasks and move them to others queued tasks */
-	while (other->active_tasks->remove_last(other->active_tasks,
-												(void**)&task) == SUCCESS)
-	{
-		DBG2(DBG_IKE, "migrating %N task", task_type_names, task->get_type(task));
-		task->migrate(task, this->ike_sa);
-		this->queued_tasks->insert_first(this->queued_tasks, task);
-	}
 }
 
 /**
diff --git a/src/charon/sa/task_manager.h b/src/charon/sa/task_manager.h
index db21684c3..9c3b2cc87 100644
--- a/src/charon/sa/task_manager.h
+++ b/src/charon/sa/task_manager.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: task_manager.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/charon/sa/tasks/child_create.c b/src/charon/sa/tasks/child_create.c
index f6043979f..f51443738 100644
--- a/src/charon/sa/tasks/child_create.c
+++ b/src/charon/sa/tasks/child_create.c
@@ -13,8 +13,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: child_create.c 4860 2009-02-11 13:09:52Z martin $
  */
 
 #include "child_create.h"
@@ -86,6 +84,16 @@ struct private_child_create_t {
 	 */
 	linked_list_t *tsr;
 	
+	/**
+	 * source of triggering packet
+	 */
+	traffic_selector_t *packet_tsi;
+	
+	/**
+	 * destination of triggering packet
+	 */
+	traffic_selector_t *packet_tsr;
+	
 	/**
 	 * optional diffie hellman exchange
 	 */
@@ -570,7 +578,7 @@ static void handle_notify(private_child_create_t *this, notify_payload_t *notify
  */
 static void process_payloads(private_child_create_t *this, message_t *message)
 {
-	iterator_t *iterator;
+	enumerator_t *enumerator;
 	payload_t *payload;
 	sa_payload_t *sa_payload;
 	ke_payload_t *ke_payload;
@@ -579,8 +587,8 @@ static void process_payloads(private_child_create_t *this, message_t *message)
 	/* defaults to TUNNEL mode */
 	this->mode = MODE_TUNNEL;
 
-	iterator = message->get_payload_iterator(message);
-	while (iterator->iterate(iterator, (void**)&payload))
+	enumerator = message->create_payload_enumerator(message);
+	while (enumerator->enumerate(enumerator, &payload))
 	{
 		switch (payload->get_type(payload))
 		{
@@ -616,7 +624,7 @@ static void process_payloads(private_child_create_t *this, message_t *message)
 				break;
 		}
 	}
-	iterator->destroy(iterator);
+	enumerator->destroy(enumerator);
 }
 
 /**
@@ -643,9 +651,9 @@ static status_t build_i(private_child_create_t *this, message_t *message)
 			}
 			break;
 		case IKE_AUTH:
-			if (!message->get_payload(message, ID_INITIATOR))
+			if (message->get_message_id(message) != 1)
 			{
-				/* send only in the first request, not in subsequent EAP  */
+				/* send only in the first request, not in subsequent rounds */
 				return NEED_MORE;
 			}
 			break;
@@ -694,7 +702,17 @@ static status_t build_i(private_child_create_t *this, message_t *message)
 	}
 	this->tsr = this->config->get_traffic_selectors(this->config, FALSE, 
 													NULL, other);
-
+	
+	if (this->packet_tsi)
+	{
+		this->tsi->insert_first(this->tsi,
+								this->packet_tsi->clone(this->packet_tsi));
+	}
+	if (this->packet_tsr)
+	{
+		this->tsr->insert_first(this->tsr,
+								this->packet_tsr->clone(this->packet_tsr));
+	}
 	this->proposals = this->config->get_proposals(this->config,
 												  this->dh_group == MODP_NONE);
 	this->mode = this->config->get_mode(this->config);
@@ -737,8 +755,6 @@ static status_t build_i(private_child_create_t *this, message_t *message)
  */
 static status_t process_r(private_child_create_t *this, message_t *message)
 {
-	peer_cfg_t *peer_cfg;
-
 	switch (message->get_exchange_type(message))
 	{
 		case IKE_SA_INIT:
@@ -747,42 +763,17 @@ static status_t process_r(private_child_create_t *this, message_t *message)
 			get_nonce(message, &this->other_nonce);
 			break;
 		case IKE_AUTH:
-			if (message->get_payload(message, ID_INITIATOR) == NULL)
+			if (message->get_message_id(message) != 1)
 			{
-				/* wait until extensible authentication completed, if used */
+				/* only handle first AUTH payload, not additional rounds */
 				return NEED_MORE;
 			}
 		default:
 			break;
 	}
-
+	
 	process_payloads(this, message);
 	
-	if (this->tsi == NULL || this->tsr == NULL)
-	{
-		DBG1(DBG_IKE, "TS payload missing in message");
-		return NEED_MORE;
-	}
-		  
-	peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
-	if (peer_cfg)
-	{
-		host_t *me, *other;
-		
-		me = this->ike_sa->get_virtual_ip(this->ike_sa, TRUE);
-		if (me == NULL)
-		{
-			me = this->ike_sa->get_my_host(this->ike_sa);
-		}
-		other = this->ike_sa->get_virtual_ip(this->ike_sa, FALSE);
-		if (other == NULL)
-		{
-			other = this->ike_sa->get_other_host(this->ike_sa);
-		}
-		
-		this->config = peer_cfg->select_child_cfg(peer_cfg, this->tsr,
-												  this->tsi, me, other);
-	}
 	return NEED_MORE;
 }
 
@@ -799,7 +790,7 @@ static void handle_child_sa_failure(private_child_create_t *this,
 		/* we delay the delete for 100ms, as the IKE_AUTH response must arrive
 		 * first */
 		DBG1(DBG_IKE, "closing IKE_SA due CHILD_SA setup failure");
-		charon->scheduler->schedule_job(charon->scheduler, (job_t*)
+		charon->scheduler->schedule_job_ms(charon->scheduler, (job_t*)
 			delete_ike_sa_job_create(this->ike_sa->get_id(this->ike_sa), TRUE),
 			100);
 	}
@@ -810,10 +801,11 @@ static void handle_child_sa_failure(private_child_create_t *this,
  */
 static status_t build_r(private_child_create_t *this, message_t *message)
 {
+	peer_cfg_t *peer_cfg;
 	payload_t *payload;
-	iterator_t *iterator;
+	enumerator_t *enumerator;
 	bool no_dh = TRUE;
-
+	
 	switch (message->get_exchange_type(message))
 	{
 		case IKE_SA_INIT:
@@ -828,9 +820,8 @@ static status_t build_r(private_child_create_t *this, message_t *message)
 			no_dh = FALSE;
 			break;
 		case IKE_AUTH:
-			if (message->get_payload(message, EXTENSIBLE_AUTHENTICATION))
-			{
-				/* wait until extensible authentication completed, if used */
+			if (this->ike_sa->get_state(this->ike_sa) != IKE_ESTABLISHED)
+			{	/* wait until all authentication round completed */
 				return NEED_MORE;
 			}
 		default:
@@ -844,6 +835,25 @@ static status_t build_r(private_child_create_t *this, message_t *message)
 		return SUCCESS;
 	}
 	
+	peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
+	if (peer_cfg && this->tsi && this->tsr)
+	{
+		host_t *me, *other;
+		
+		me = this->ike_sa->get_virtual_ip(this->ike_sa, TRUE);
+		if (me == NULL)
+		{
+			me = this->ike_sa->get_my_host(this->ike_sa);
+		}
+		other = this->ike_sa->get_virtual_ip(this->ike_sa, FALSE);
+		if (other == NULL)
+		{
+			other = this->ike_sa->get_other_host(this->ike_sa);
+		}
+		this->config = peer_cfg->select_child_cfg(peer_cfg, this->tsr,
+												  this->tsi, me, other);
+	}
+	
 	if (this->config == NULL)
 	{
 		DBG1(DBG_IKE, "traffic selectors %#R=== %#R inacceptable",
@@ -854,8 +864,8 @@ static status_t build_r(private_child_create_t *this, message_t *message)
 	}
 	
 	/* check if ike_config_t included non-critical error notifies */
-	iterator = message->get_payload_iterator(message);
-	while (iterator->iterate(iterator, (void**)&payload))
+	enumerator = message->create_payload_enumerator(message);
+	while (enumerator->enumerate(enumerator, &payload))
 	{
 		if (payload->get_type(payload) == NOTIFY)
 		{
@@ -868,7 +878,7 @@ static status_t build_r(private_child_create_t *this, message_t *message)
 				{
 					DBG1(DBG_IKE,"configuration payload negotation "
 						 "failed, no CHILD_SA built");
-					iterator->destroy(iterator);
+					enumerator->destroy(enumerator);
 					handle_child_sa_failure(this, message);
 					return SUCCESS;
 				}
@@ -877,7 +887,7 @@ static status_t build_r(private_child_create_t *this, message_t *message)
 			}
 		}
 	}
-	iterator->destroy(iterator);
+	enumerator->destroy(enumerator);
 	
 	this->child_sa = child_sa_create(this->ike_sa->get_my_host(this->ike_sa),
 			this->ike_sa->get_other_host(this->ike_sa), this->config, this->reqid,
@@ -938,7 +948,7 @@ static status_t build_r(private_child_create_t *this, message_t *message)
  */
 static status_t process_i(private_child_create_t *this, message_t *message)
 {
-	iterator_t *iterator;
+	enumerator_t *enumerator;
 	payload_t *payload;
 	bool no_dh = TRUE;
 
@@ -951,9 +961,8 @@ static status_t process_i(private_child_create_t *this, message_t *message)
 			no_dh = FALSE;
 			break;
 		case IKE_AUTH:
-			if (message->get_payload(message, EXTENSIBLE_AUTHENTICATION))
-			{
-				/* wait until extensible authentication completed, if used */
+			if (this->ike_sa->get_state(this->ike_sa) != IKE_ESTABLISHED)
+			{	/* wait until all authentication round completed */
 				return NEED_MORE;
 			}
 		default:
@@ -961,8 +970,8 @@ static status_t process_i(private_child_create_t *this, message_t *message)
 	}
 
 	/* check for erronous notifies */
-	iterator = message->get_payload_iterator(message);
-	while (iterator->iterate(iterator, (void**)&payload))
+	enumerator = message->create_payload_enumerator(message);
+	while (enumerator->enumerate(enumerator, &payload))
 	{
 		if (payload->get_type(payload) == NOTIFY)
 		{
@@ -982,7 +991,7 @@ static status_t process_i(private_child_create_t *this, message_t *message)
 				{
 					DBG1(DBG_IKE, "received %N notify, no CHILD_SA built",
 						 notify_type_names, type);
-					iterator->destroy(iterator);
+					enumerator->destroy(enumerator);
 					handle_child_sa_failure(this, message);
 					/* an error in CHILD_SA creation is not critical */
 					return SUCCESS;
@@ -1000,7 +1009,7 @@ static status_t process_i(private_child_create_t *this, message_t *message)
 						 bad_group, diffie_hellman_group_names, this->dh_group);
 					
 					this->public.task.migrate(&this->public.task, this->ike_sa);
-					iterator->destroy(iterator);
+					enumerator->destroy(enumerator);
 					return NEED_MORE;
 				}
 				default:
@@ -1008,7 +1017,7 @@ static status_t process_i(private_child_create_t *this, message_t *message)
 			}
 		}
 	}
-	iterator->destroy(iterator);
+	enumerator->destroy(enumerator);
 	
 	process_payloads(this, message);
 	
@@ -1137,11 +1146,11 @@ static void destroy(private_child_create_t *this)
 {
 	chunk_free(&this->my_nonce);
 	chunk_free(&this->other_nonce);
-	if (this->tsi)
+	if (this->tsr)
 	{
 		this->tsr->destroy_offset(this->tsr, offsetof(traffic_selector_t, destroy));
 	}
-	if (this->tsr)
+	if (this->tsi)
 	{
 		this->tsi->destroy_offset(this->tsi, offsetof(traffic_selector_t, destroy));
 	}
@@ -1149,6 +1158,8 @@ static void destroy(private_child_create_t *this)
 	{
 		DESTROY_IF(this->child_sa);
 	}
+	DESTROY_IF(this->packet_tsi);
+	DESTROY_IF(this->packet_tsr);
 	DESTROY_IF(this->proposal);
 	DESTROY_IF(this->dh);
 	if (this->proposals)
@@ -1163,7 +1174,8 @@ static void destroy(private_child_create_t *this)
 /*
  * Described in header.
  */
-child_create_t *child_create_create(ike_sa_t *ike_sa, child_cfg_t *config)
+child_create_t *child_create_create(ike_sa_t *ike_sa, child_cfg_t *config,
+							traffic_selector_t *tsi, traffic_selector_t *tsr)
 {
 	private_child_create_t *this = malloc_thing(private_child_create_t);
 
@@ -1195,6 +1207,8 @@ child_create_t *child_create_create(ike_sa_t *ike_sa, child_cfg_t *config)
 	this->proposal = NULL;
 	this->tsi = NULL;
 	this->tsr = NULL;
+	this->packet_tsi = tsi ? tsi->clone(tsi) : NULL;
+	this->packet_tsr = tsr ? tsr->clone(tsr) : NULL;
 	this->dh = NULL;
 	this->dh_group = MODP_NONE;
 	this->keymat = ike_sa->get_keymat(ike_sa);
diff --git a/src/charon/sa/tasks/child_create.h b/src/charon/sa/tasks/child_create.h
index d01baa594..ce2829a9a 100644
--- a/src/charon/sa/tasks/child_create.h
+++ b/src/charon/sa/tasks/child_create.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: child_create.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -73,8 +71,11 @@ struct child_create_t {
  *
  * @param ike_sa		IKE_SA this task works for
  * @param config		child_cfg if task initiator, NULL if responder
- * @return			 	child_create task to handle by the task_manager
+ * @param tsi			source of triggering packet, or NULL
+ * @param tsr			destination of triggering packet, or NULL
+ * @return				child_create task to handle by the task_manager
  */
-child_create_t *child_create_create(ike_sa_t *ike_sa, child_cfg_t *config);
+child_create_t *child_create_create(ike_sa_t *ike_sa, child_cfg_t *config,
+							traffic_selector_t *tsi, traffic_selector_t *tsr);
 
 #endif /** CHILD_CREATE_H_ @}*/
diff --git a/src/charon/sa/tasks/child_delete.c b/src/charon/sa/tasks/child_delete.c
index 0fd4a056b..0d89c148e 100644
--- a/src/charon/sa/tasks/child_delete.c
+++ b/src/charon/sa/tasks/child_delete.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: child_delete.c 4730 2008-12-01 18:38:28Z martin $
  */
 
 #include "child_delete.h"
@@ -114,15 +112,16 @@ static void build_payloads(private_child_delete_t *this, message_t *message)
  */
 static void process_payloads(private_child_delete_t *this, message_t *message)
 {
-	iterator_t *payloads, *spis;
+	enumerator_t *payloads;
+	iterator_t *spis;
 	payload_t *payload;
 	delete_payload_t *delete_payload;
 	u_int32_t *spi;
 	protocol_id_t protocol;
 	child_sa_t *child_sa;
 	
-	payloads = message->get_payload_iterator(message);
-	while (payloads->iterate(payloads, (void**)&payload))
+	payloads = message->create_payload_enumerator(message);
+	while (payloads->enumerate(payloads, &payload))
 	{
 		if (payload->get_type(payload) == DELETE)
 		{
@@ -202,10 +201,12 @@ static status_t destroy_and_reestablish(private_child_delete_t *this)
 			{
 				case ACTION_RESTART:
 					child_cfg->get_ref(child_cfg);
-					status = this->ike_sa->initiate(this->ike_sa, child_cfg);
+					status = this->ike_sa->initiate(this->ike_sa, child_cfg, 0,
+													NULL, NULL);
 					break;
-				case ACTION_ROUTE:
-					status = this->ike_sa->route(this->ike_sa, child_cfg);
+				case ACTION_ROUTE:	
+					charon->traps->install(charon->traps,
+							this->ike_sa->get_peer_cfg(this->ike_sa), child_cfg);
 					break;
 				default:
 					break;
diff --git a/src/charon/sa/tasks/child_delete.h b/src/charon/sa/tasks/child_delete.h
index 8886ff4a1..27d847035 100644
--- a/src/charon/sa/tasks/child_delete.h
+++ b/src/charon/sa/tasks/child_delete.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: child_delete.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/charon/sa/tasks/child_rekey.c b/src/charon/sa/tasks/child_rekey.c
index 0d8cf2db7..6ab00dc5b 100644
--- a/src/charon/sa/tasks/child_rekey.c
+++ b/src/charon/sa/tasks/child_rekey.c
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: child_rekey.c 4730 2008-12-01 18:38:28Z martin $
  */
 
 #include "child_rekey.h"
@@ -103,11 +101,11 @@ static status_t process_i_delete(private_child_rekey_t *this, message_t *message
  */
 static void find_child(private_child_rekey_t *this, message_t *message)
 {
-	iterator_t *iterator;
+	enumerator_t *enumerator;
 	payload_t *payload;
 	
-	iterator = message->get_payload_iterator(message);
-	while (iterator->iterate(iterator, (void**)&payload))
+	enumerator = message->create_payload_enumerator(message);
+	while (enumerator->enumerate(enumerator, &payload))
 	{
 		notify_payload_t *notify;
 		u_int32_t spi;
@@ -131,7 +129,7 @@ static void find_child(private_child_rekey_t *this, message_t *message)
 		break;
 			
 	}
-	iterator->destroy(iterator);
+	enumerator->destroy(enumerator);
 }
 
 /**
@@ -159,7 +157,7 @@ static status_t build_i(private_child_rekey_t *this, message_t *message)
 	
 	/* ... our CHILD_CREATE task does the hard work for us. */
 	reqid = this->child_sa->get_reqid(this->child_sa);
-	this->child_create = child_create_create(this->ike_sa, config);
+	this->child_create = child_create_create(this->ike_sa, config, NULL, NULL);
 	this->child_create->use_reqid(this->child_create, reqid);
 	this->child_create->task.build(&this->child_create->task, message);
 	
@@ -220,12 +218,12 @@ static status_t process_i(private_child_rekey_t *this, message_t *message)
 	protocol_id_t protocol;
 	u_int32_t spi;
 	child_sa_t *to_delete;
-	iterator_t *iterator;
+	enumerator_t *enumerator;
 	payload_t *payload;
 	
 	/* handle NO_ADDITIONAL_SAS notify */
-	iterator = message->get_payload_iterator(message);
-	while (iterator->iterate(iterator, (void**)&payload))
+	enumerator = message->create_payload_enumerator(message);
+	while (enumerator->enumerate(enumerator, &payload))
 	{
 		if (payload->get_type(payload) == NOTIFY)
 		{
@@ -239,12 +237,12 @@ static status_t process_i(private_child_rekey_t *this, message_t *message)
 				charon->processor->queue_job(charon->processor,
 						(job_t*)rekey_ike_sa_job_create(
 									this->ike_sa->get_id(this->ike_sa), TRUE));
-				iterator->destroy(iterator);
+				enumerator->destroy(enumerator);
 				return SUCCESS;
 			}
 		}
 	}
-	iterator->destroy(iterator);
+	enumerator->destroy(enumerator);
 	
 	if (this->child_create->task.process(&this->child_create->task, message) == NEED_MORE)
 	{
@@ -269,7 +267,7 @@ static status_t process_i(private_child_rekey_t *this, message_t *message)
 			DBG1(DBG_IKE, "CHILD_SA rekeying failed, "
 				 				"trying again in %d seconds", retry);
 			this->child_sa->set_state(this->child_sa, CHILD_INSTALLED);
-			charon->scheduler->schedule_job(charon->scheduler, job, retry * 1000);
+			charon->scheduler->schedule_job(charon->scheduler, job, retry);
 		}
 		return SUCCESS;
 	}
@@ -418,7 +416,7 @@ child_rekey_t *child_rekey_create(ike_sa_t *ike_sa, protocol_id_t protocol,
 		this->public.task.build = (status_t(*)(task_t*,message_t*))build_r;
 		this->public.task.process = (status_t(*)(task_t*,message_t*))process_r;
 		this->initiator = FALSE;
-		this->child_create = child_create_create(ike_sa, NULL);
+		this->child_create = child_create_create(ike_sa, NULL, NULL, NULL);
 	}
 	
 	this->ike_sa = ike_sa;
diff --git a/src/charon/sa/tasks/child_rekey.h b/src/charon/sa/tasks/child_rekey.h
index 42fce0742..5aae2fb39 100644
--- a/src/charon/sa/tasks/child_rekey.h
+++ b/src/charon/sa/tasks/child_rekey.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: child_rekey.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/charon/sa/tasks/ike_auth.c b/src/charon/sa/tasks/ike_auth.c
index 93b145755..8d6cd56bd 100644
--- a/src/charon/sa/tasks/ike_auth.c
+++ b/src/charon/sa/tasks/ike_auth.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2005-2007 Martin Willi
+ * Copyright (C) 2005-2009 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
  *
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details
- *
- * $Id: ike_auth.c 4858 2009-02-10 17:21:44Z martin $
  */
 
 #include "ike_auth.h"
@@ -21,14 +19,12 @@
 #include <string.h>
 
 #include <daemon.h>
-#include <crypto/diffie_hellman.h>
 #include <encoding/payloads/id_payload.h>
 #include <encoding/payloads/auth_payload.h>
 #include <encoding/payloads/eap_payload.h>
 #include <encoding/payloads/nonce_payload.h>
 #include <sa/authenticators/eap_authenticator.h>
 
-
 typedef struct private_ike_auth_t private_ike_auth_t;
 
 /**
@@ -72,220 +68,65 @@ struct private_ike_auth_t {
 	packet_t *other_packet;
 	
 	/**
-	 * EAP authenticator when using EAP
+	 * completed authentication configs initiated by us (auth_cfg_t)
 	 */
-	eap_authenticator_t *eap_auth;
+	linked_list_t *my_cfgs;
 	
 	/**
-	 * EAP payload received and ready to process
+	 * completed authentication configs initiated by other (auth_cfg_t)
 	 */
-	eap_payload_t *eap_payload;
+	linked_list_t *other_cfgs;;
 	
 	/**
-	 * has the peer been authenticated successfully?
+	 * currently active authenticator, to authenticate us
 	 */
-	bool peer_authenticated;
-};
-
-/**
- * get the authentication class of a config
- */
-auth_class_t get_auth_class(peer_cfg_t *config)
-{
-	auth_class_t *class;
-	auth_info_t *auth_info;
-	
-	auth_info = config->get_auth(config);
-	if (auth_info->get_item(auth_info, AUTHN_AUTH_CLASS, (void**)&class))
-	{
-		return *class;
-	}
-	/* fallback to pubkey authentication */
-	return AUTH_CLASS_PUBKEY;
-}
-
-/**
- * get the eap type/vendor
- */
-static eap_type_t get_eap_type(peer_cfg_t *config, u_int32_t *vendor)
-{
-	auth_info_t *auth_info;
-	u_int *ptr;
-	
-	*vendor = 0;
-	auth_info = config->get_auth(config);
-	if (auth_info->get_item(auth_info, AUTHN_EAP_VENDOR, (void**)&ptr))
-	{
-		*vendor = *ptr;
-	}
-	if (auth_info->get_item(auth_info, AUTHN_EAP_TYPE, (void**)&ptr))
-	{
-		return *ptr;
-	}
-	return EAP_NAK;
-}
-
-/**
- * build the AUTH payload
- */
-static status_t build_auth(private_ike_auth_t *this, message_t *message)
-{
-	authenticator_t *auth;
-	auth_payload_t *auth_payload;
-	peer_cfg_t *config;
-	status_t status;
-	
-	/* create own authenticator and add auth payload */
-	config = this->ike_sa->get_peer_cfg(this->ike_sa);
-	if (!config)
-	{
-		DBG1(DBG_IKE, "unable to authenticate, no peer config found");
-		return FAILED;
-	}
-	
-	auth = authenticator_create_from_class(this->ike_sa, get_auth_class(config));
-	if (auth == NULL)
-	{
-		DBG1(DBG_IKE, "configured authentication class %N not supported",
-			 auth_class_names, get_auth_class(config));
-		return FAILED;
-	}
-	
-	status = auth->build(auth, this->my_packet->get_data(this->my_packet),
-						 this->other_nonce, &auth_payload);
-	auth->destroy(auth);
-	if (status != SUCCESS)
-	{
-		DBG1(DBG_IKE, "generating authentication data failed");
-		return FAILED;
-	}
-	message->add_payload(message, (payload_t*)auth_payload);
-	return SUCCESS;
-}
-
-/**
- * build ID payload(s)
- */
-static status_t build_id(private_ike_auth_t *this, message_t *message)
-{
-	identification_t *me, *other;
-	id_payload_t *id;
-	peer_cfg_t *config;
+	authenticator_t *my_auth;
 	
-	me = this->ike_sa->get_my_id(this->ike_sa);
-	other = this->ike_sa->get_other_id(this->ike_sa);
-	config = this->ike_sa->get_peer_cfg(this->ike_sa);
-	
-	if (me->contains_wildcards(me))
-	{
-		me = config->get_my_id(config);
-		if (me->contains_wildcards(me))
-		{
-			DBG1(DBG_IKE, "negotiation of own ID failed");
-			return FAILED;
-		}
-		this->ike_sa->set_my_id(this->ike_sa, me->clone(me));
-	}
+	/**
+	 * currently active authenticator, to authenticate peer
+	 */
+	authenticator_t *other_auth;
 	
-	id = id_payload_create_from_identification(this->initiator ? ID_INITIATOR : ID_RESPONDER, me);
-	message->add_payload(message, (payload_t*)id);
+	/**
+	 * peer_cfg candidates, ordered by priority
+	 */
+	linked_list_t *candidates;
 	
-	/* as initiator, include other ID if it does not contain wildcards */
-	if (this->initiator && !other->contains_wildcards(other))
-	{
-		id = id_payload_create_from_identification(ID_RESPONDER, other);
-		message->add_payload(message, (payload_t*)id);
-	}
-	return SUCCESS;
-}
-
-/**
- * process AUTH payload
- */
-static status_t process_auth(private_ike_auth_t *this, message_t *message)
-{
-	auth_payload_t *auth_payload;
-	authenticator_t *auth;
-	auth_method_t auth_method;
-	status_t status;
+	/**
+	 * selected peer config (might change when using multiple authentications)
+	 */
+	peer_cfg_t *peer_cfg;
 	
-	auth_payload = (auth_payload_t*)message->get_payload(message, AUTHENTICATION);
+	/**
+	 * have we planned an(other) authentication exchange?
+	 */
+	bool do_another_auth;
 	
-	if (auth_payload == NULL)
-	{
-		/* AUTH payload is missing, client wants to use EAP authentication */
-		return NOT_FOUND;
-	}
+	/**
+	 * has the peer announced another authentication exchange?
+	 */
+	bool expect_another_auth;
 	
-	auth_method = auth_payload->get_auth_method(auth_payload);
-	auth = authenticator_create_from_method(this->ike_sa,
-									auth_payload->get_auth_method(auth_payload));
-	if (auth == NULL)
-	{
-		DBG1(DBG_IKE, "authentication method %N used by '%D' not supported",
-			auth_method_names, auth_method,
-			this->ike_sa->get_other_id(this->ike_sa));
-		return NOT_SUPPORTED;
-	}
-	status = auth->verify(auth, this->other_packet->get_data(this->other_packet), 
-						  this->my_nonce, auth_payload);
-	auth->destroy(auth);
-	if (status != SUCCESS)
-	{
-		DBG0(DBG_IKE, "authentication of '%D' with %N failed",
-			 this->ike_sa->get_other_id(this->ike_sa), 
-			 auth_method_names, auth_method);	
-		return FAILED;
-	}
-	return SUCCESS;
-}
+	/**
+	 * should we send a AUTHENTICATION_FAILED notify?
+	 */
+	bool authentication_failed;
+};
 
 /**
- * process ID payload(s)
+ * check if multiple authentication extension is enabled, configuration-wise
  */
-static status_t process_id(private_ike_auth_t *this, message_t *message)
+static bool multiple_auth_enabled()
 {
-	identification_t *id, *req;
-	id_payload_t *idr, *idi;
-
-	idi = (id_payload_t*)message->get_payload(message, ID_INITIATOR);
-	idr = (id_payload_t*)message->get_payload(message, ID_RESPONDER);
-
-	if ((this->initiator && idr == NULL) || (!this->initiator && idi == NULL))
-	{
-		DBG1(DBG_IKE, "ID payload missing in message");
-		return FAILED;
-	}
-	
-	if (this->initiator)
-	{
-		id = idr->get_identification(idr);
-		req = this->ike_sa->get_other_id(this->ike_sa);
-		if (!id->matches(id, req))
-		{
-			DBG0(DBG_IKE, "peer ID '%D' unacceptable, '%D' required", id, req);
-			id->destroy(id);
-			return FAILED;
-		}
-		this->ike_sa->set_other_id(this->ike_sa, id);
-	}
-	else
-	{
-		id = idi->get_identification(idi);
-		this->ike_sa->set_other_id(this->ike_sa, id);
-		if (idr)
-		{
-			id = idr->get_identification(idr);
-			this->ike_sa->set_my_id(this->ike_sa, id);
-		}
-	}
-	return SUCCESS;
+	return lib->settings->get_bool(lib->settings,
+								   "charon.multiple_authentication", TRUE);
 }
 
 /**
  * collect the needed information in the IKE_SA_INIT exchange from our message
  */
-static status_t collect_my_init_data(private_ike_auth_t *this, message_t *message)
+static status_t collect_my_init_data(private_ike_auth_t *this,
+									 message_t *message)
 {
 	nonce_payload_t *nonce;
 	
@@ -297,7 +138,7 @@ static status_t collect_my_init_data(private_ike_auth_t *this, message_t *messag
 	}
 	this->my_nonce = nonce->get_nonce(nonce);
 	
-	/* pre-generate the message, so we can store it for us */
+	/* pre-generate the message, keep a copy */
 	if (this->ike_sa->generate_message(this->ike_sa, message,
 									   &this->my_packet) != SUCCESS)
 	{
@@ -309,7 +150,8 @@ static status_t collect_my_init_data(private_ike_auth_t *this, message_t *messag
 /**
  * collect the needed information in the IKE_SA_INIT exchange from others message
  */
-static status_t collect_other_init_data(private_ike_auth_t *this, message_t *message)
+static status_t collect_other_init_data(private_ike_auth_t *this,
+										message_t *message)
 {
 	/* we collect the needed information in the IKE_SA_INIT exchange */
 	nonce_payload_t *nonce;
@@ -322,184 +164,186 @@ static status_t collect_other_init_data(private_ike_auth_t *this, message_t *mes
 	}
 	this->other_nonce = nonce->get_nonce(nonce);
 	
-	/* pre-generate the message, so we can store it for us */
+	/* keep a copy of the received packet */
 	this->other_packet = message->get_packet(message);
 	return NEED_MORE; 
 }
 
-
 /**
- * Implementation of task_t.build to create AUTH payload from EAP data
+ * Get the next authentication configuration
  */
-static status_t build_auth_eap(private_ike_auth_t *this, message_t *message)
+static auth_cfg_t *get_auth_cfg(private_ike_auth_t *this, bool local)
 {
-	authenticator_t *auth;
-	auth_payload_t *auth_payload;
+	enumerator_t *e1, *e2;
+	auth_cfg_t *c1, *c2, *next = NULL;
 	
-	if (!this->initiator && !this->peer_authenticated)
+	/* find an available config not already done */
+	e1 = this->peer_cfg->create_auth_cfg_enumerator(this->peer_cfg, local);
+	while (e1->enumerate(e1, &c1))
 	{
-		message->add_notify(message, TRUE, AUTHENTICATION_FAILED, chunk_empty);
-		return FAILED;
-	}
-	
-	auth = (authenticator_t*)this->eap_auth;
-	if (auth->build(auth, this->my_packet->get_data(this->my_packet),
-		this->other_nonce, &auth_payload) != SUCCESS)
-	{
-		DBG1(DBG_IKE, "generating authentication data failed");
-		if (!this->initiator)
+		bool found = FALSE;
+		
+		if (local)
 		{
-			message->add_notify(message, TRUE, AUTHENTICATION_FAILED, chunk_empty);
+			e2 = this->my_cfgs->create_enumerator(this->my_cfgs);
+		}
+		else
+		{
+			e2 = this->other_cfgs->create_enumerator(this->other_cfgs);
+		}
+		while (e2->enumerate(e2, &c2))
+		{
+			if (c2->complies(c2, c1, FALSE))
+			{
+				found = TRUE;
+				break;
+			}
+		}
+		e2->destroy(e2);
+		if (!found)
+		{
+			next = c1;
+			break;
 		}
-		return FAILED;
-	}
-	message->add_payload(message, (payload_t*)auth_payload);
-	if (!this->initiator)
-	{
-		this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
-		DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%D]...%H[%D]",
-			 this->ike_sa->get_name(this->ike_sa),
-			 this->ike_sa->get_unique_id(this->ike_sa),
-			 this->ike_sa->get_my_host(this->ike_sa),
-			 this->ike_sa->get_my_id(this->ike_sa), 
-			 this->ike_sa->get_other_host(this->ike_sa),
-			 this->ike_sa->get_other_id(this->ike_sa));
-		return SUCCESS;
 	}
-	return NEED_MORE;
+	e1->destroy(e1);
+	return next;
 }
 
 /**
- * Implementation of task_t.process to verify AUTH payload after EAP
+ * Check if we have should initiate another authentication round
  */
-static status_t process_auth_eap(private_ike_auth_t *this, message_t *message)
+static bool do_another_auth(private_ike_auth_t *this)
 {
-	auth_payload_t *auth_payload;
-	authenticator_t *auth;
-
-	auth_payload = (auth_payload_t*)message->get_payload(message, AUTHENTICATION);
-	this->peer_authenticated = FALSE;
+	bool do_another = FALSE;
+	enumerator_t *done, *todo;
+	auth_cfg_t *done_cfg, *todo_cfg;
 	
-	if (auth_payload)
+	if (!this->ike_sa->supports_extension(this->ike_sa, EXT_MULTIPLE_AUTH))
 	{
-		auth = (authenticator_t*)this->eap_auth;
-		if (auth->verify(auth, this->other_packet->get_data(this->other_packet), 
-						this->my_nonce, auth_payload) == SUCCESS)
-		{
-			this->peer_authenticated = TRUE;
-		}
+		return FALSE;
 	}
-
-	if (!this->peer_authenticated)
+	
+	done = this->my_cfgs->create_enumerator(this->my_cfgs);
+	todo = this->peer_cfg->create_auth_cfg_enumerator(this->peer_cfg, TRUE);
+	while (todo->enumerate(todo, &todo_cfg))
 	{
-		DBG0(DBG_IKE, "authentication of '%D' with %N failed",
-			 this->ike_sa->get_other_id(this->ike_sa), 
-			 auth_class_names, AUTH_CLASS_EAP);
-		if (this->initiator)
+		if (!done->enumerate(done, &done_cfg))
 		{
-			return FAILED;
+			done_cfg = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
+		}
+		if (!done_cfg->complies(done_cfg, todo_cfg, FALSE))
+		{
+			do_another = TRUE;
+			break;
 		}
-		return NEED_MORE;
-	}
-	if (this->initiator)
-	{
-		this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
-		DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%D]...%H[%D]",
-			 this->ike_sa->get_name(this->ike_sa),
-			 this->ike_sa->get_unique_id(this->ike_sa),
-			 this->ike_sa->get_my_host(this->ike_sa),
-			 this->ike_sa->get_my_id(this->ike_sa), 
-			 this->ike_sa->get_other_host(this->ike_sa),
-			 this->ike_sa->get_other_id(this->ike_sa));
-		return SUCCESS;
 	}
-	return NEED_MORE;
+	done->destroy(done);
+	todo->destroy(todo);
+	return do_another;
 }
 
 /**
- * Implementation of task_t.process for EAP exchanges
+ * Get peer configuration candidates from backends
  */
-static status_t process_eap_i(private_ike_auth_t *this, message_t *message)
+static bool load_cfg_candidates(private_ike_auth_t *this)
 {
-	eap_payload_t *eap;
-
-	eap = (eap_payload_t*)message->get_payload(message, EXTENSIBLE_AUTHENTICATION);
-	if (eap == NULL)
-	{	
-		DBG1(DBG_IKE, "EAP payload missing");
-		return FAILED;
+	enumerator_t *enumerator;
+	peer_cfg_t *peer_cfg;
+	host_t *me, *other;
+	identification_t *my_id, *other_id;
+	
+	me = this->ike_sa->get_my_host(this->ike_sa);
+	other = this->ike_sa->get_other_host(this->ike_sa);
+	my_id = this->ike_sa->get_my_id(this->ike_sa);
+	other_id = this->ike_sa->get_other_id(this->ike_sa);
+	
+	enumerator = charon->backends->create_peer_cfg_enumerator(charon->backends,
+													me, other, my_id, other_id);
+	while (enumerator->enumerate(enumerator, &peer_cfg))
+	{
+		peer_cfg->get_ref(peer_cfg);
+		if (this->peer_cfg == NULL)
+		{	/* best match */
+			this->peer_cfg = peer_cfg;
+			this->ike_sa->set_peer_cfg(this->ike_sa, peer_cfg);
+		}
+		else
+		{
+			this->candidates->insert_last(this->candidates, peer_cfg);
+		}
 	}
-	switch (this->eap_auth->process(this->eap_auth, eap, &eap))
+	enumerator->destroy(enumerator);
+	if (this->peer_cfg)
 	{
-		case NEED_MORE:
-			this->eap_payload = eap;
-			return NEED_MORE;
-		case SUCCESS:
-			/* EAP exchange completed, now create and process AUTH */
-			this->eap_payload = NULL;
-			this->public.task.build = (status_t(*)(task_t*,message_t*))build_auth_eap;
-			this->public.task.process = (status_t(*)(task_t*,message_t*))process_auth_eap;
-			return NEED_MORE;
-		default:
-			this->eap_payload = NULL;
-			DBG0(DBG_IKE, "failed to authenticate against '%D' using EAP",
-				this->ike_sa->get_other_id(this->ike_sa));
-			return FAILED;
+		DBG1(DBG_CFG, "selected peer config '%s'",
+			 this->peer_cfg->get_name(this->peer_cfg));
+		return TRUE;
 	}
+	DBG1(DBG_CFG, "no matching peer config found");
+	return FALSE;
 }
 
 /**
- * Implementation of task_t.process for EAP exchanges
- */
-static status_t process_eap_r(private_ike_auth_t *this, message_t *message)
-{
-	this->eap_payload = (eap_payload_t*)message->get_payload(message, 
-													EXTENSIBLE_AUTHENTICATION);
-	return NEED_MORE;
-}
-
-/**
- * Implementation of task_t.build for EAP exchanges
- */
-static status_t build_eap_i(private_ike_auth_t *this, message_t *message)
-{
-	message->add_payload(message, (payload_t*)this->eap_payload);
-	return NEED_MORE;
-}
-
-/**
- * Implementation of task_t.build for EAP exchanges
+ * update the current peer candidate if necessary, using candidates
  */
-static status_t build_eap_r(private_ike_auth_t *this, message_t *message)
+static bool update_cfg_candidates(private_ike_auth_t *this, bool strict)
 {
-	status_t status = NEED_MORE;
-	eap_payload_t *eap;
-		
-	if (this->eap_payload == NULL)
-	{
-		DBG1(DBG_IKE, "EAP payload missing");
-		return FAILED;
-	}
-	
-	switch (this->eap_auth->process(this->eap_auth, this->eap_payload, &eap))
+	do
 	{
-		case NEED_MORE:
+		if (this->peer_cfg)
+		{
+			bool complies = TRUE;
+			enumerator_t *e1, *e2, *tmp;
+			auth_cfg_t *c1, *c2;
 			
-			break;
-		case SUCCESS:
-			/* EAP exchange completed, now create and process AUTH */
-			this->public.task.build = (status_t(*)(task_t*,message_t*))build_auth_eap;
-			this->public.task.process = (status_t(*)(task_t*,message_t*))process_auth_eap;
-			break;
-		default:
-			DBG0(DBG_IKE, "authentication of '%D' with %N failed",
-				 this->ike_sa->get_other_id(this->ike_sa),
-				 auth_class_names, AUTH_CLASS_EAP);
-			status = FAILED;
-			break;
+			e1 = this->other_cfgs->create_enumerator(this->other_cfgs);
+			e2 = this->peer_cfg->create_auth_cfg_enumerator(this->peer_cfg, FALSE);
+			
+			if (strict)
+			{	/* swap lists in strict mode: all configured rounds must be
+				 * fulfilled. If !strict, we check only the rounds done so far. */
+				tmp = e1;
+				e1 = e2;
+				e2 = tmp;
+			}
+			while (e1->enumerate(e1, &c1))
+			{
+				/* check if done authentications comply to configured ones */
+				if ((!e2->enumerate(e2, &c2)) ||
+					(!strict && !c1->complies(c1, c2, TRUE)) ||
+					(strict && !c2->complies(c2, c1, TRUE)))
+				{
+					complies = FALSE;
+					break;
+				}
+			}
+			e1->destroy(e1);
+			e2->destroy(e2);
+			if (complies)
+			{
+				break;
+			}
+			DBG1(DBG_CFG, "selected peer config '%s' inacceptable",
+				 this->peer_cfg->get_name(this->peer_cfg));
+			this->peer_cfg->destroy(this->peer_cfg);
+		}
+		if (this->candidates->remove_first(this->candidates,
+										(void**)&this->peer_cfg) != SUCCESS)
+		{
+			DBG1(DBG_CFG, "no alternative config found");
+			this->peer_cfg = NULL;
+		}
+		else
+		{
+			DBG1(DBG_CFG, "switching to peer config '%s'",
+				 this->peer_cfg->get_name(this->peer_cfg));
+			this->ike_sa->set_peer_cfg(this->ike_sa, this->peer_cfg);
+		}
 	}
-	message->add_payload(message, (payload_t*)eap);
-	return status;
+	while (this->peer_cfg);
+	
+	return this->peer_cfg != NULL;
 }
 
 /**
@@ -507,31 +351,104 @@ static status_t build_eap_r(private_ike_auth_t *this, message_t *message)
  */
 static status_t build_i(private_ike_auth_t *this, message_t *message)
 {
-	peer_cfg_t *config;
-
+	auth_cfg_t *cfg;
+	
 	if (message->get_exchange_type(message) == IKE_SA_INIT)
 	{
 		return collect_my_init_data(this, message);
 	}
-		
-	if (build_id(this, message) != SUCCESS)
+	
+	if (this->peer_cfg == NULL)
 	{
-		return FAILED;
+		this->peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
+		this->peer_cfg->get_ref(this->peer_cfg);
 	}
 	
-	config = this->ike_sa->get_peer_cfg(this->ike_sa);
-	if (get_auth_class(config) == AUTH_CLASS_EAP)
-	{
-		this->eap_auth = eap_authenticator_create(this->ike_sa);
+	if (message->get_message_id(message) == 1 &&
+		this->ike_sa->supports_extension(this->ike_sa, EXT_MULTIPLE_AUTH))
+	{	/* in the first IKE_AUTH, indicate support for multiple authentication */
+		message->add_notify(message, FALSE, MULTIPLE_AUTH_SUPPORTED, chunk_empty);
 	}
-	else
+	
+	if (!this->do_another_auth && !this->my_auth)
+	{	/* we have done our rounds */
+		return NEED_MORE;
+	}
+	
+	/* check if an authenticator is in progress */
+	if (this->my_auth == NULL)
 	{
-		if (build_auth(this, message) != SUCCESS)
+		identification_t *id;
+		id_payload_t *id_payload;
+		
+		/* clean up authentication config from a previous round */
+		cfg = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
+		cfg->purge(cfg, TRUE);
+		
+		/* add (optional) IDr */
+		cfg = get_auth_cfg(this, FALSE);
+		if (cfg)
+		{
+			id = cfg->get(cfg, AUTH_RULE_IDENTITY);
+			if (id && !id->contains_wildcards(id))
+			{
+				this->ike_sa->set_other_id(this->ike_sa, id->clone(id));
+				id_payload = id_payload_create_from_identification(
+															ID_RESPONDER, id);
+				message->add_payload(message, (payload_t*)id_payload);
+			}
+		}
+		/* add IDi */
+		cfg = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
+		cfg->merge(cfg, get_auth_cfg(this, TRUE), TRUE);
+		id = cfg->get(cfg, AUTH_RULE_IDENTITY);
+		if (!id)
+		{
+			DBG1(DBG_CFG, "configuration misses IDi");
+			return FAILED;
+		}
+		this->ike_sa->set_my_id(this->ike_sa, id->clone(id));
+		id_payload = id_payload_create_from_identification(ID_INITIATOR, id);
+		message->add_payload(message, (payload_t*)id_payload);
+		
+		/* build authentication data */
+		this->my_auth = authenticator_create_builder(this->ike_sa, cfg,
+							this->other_nonce, this->my_nonce,
+							this->other_packet->get_data(this->other_packet),
+							this->my_packet->get_data(this->my_packet));
+		if (!this->my_auth)
 		{
 			return FAILED;
 		}
 	}
-
+	switch (this->my_auth->build(this->my_auth, message))
+	{
+		case SUCCESS:
+			/* authentication step complete, reset authenticator */
+			cfg = auth_cfg_create();
+			cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, TRUE), TRUE);
+			this->my_cfgs->insert_last(this->my_cfgs, cfg);
+			this->my_auth->destroy(this->my_auth);
+			this->my_auth = NULL;
+			break;
+		case NEED_MORE:
+			break;
+		default:
+			return FAILED;
+	}
+	
+	/* check for additional authentication rounds */
+	if (do_another_auth(this))
+	{
+		if (message->get_payload(message, AUTHENTICATION))
+		{
+			message->add_notify(message, FALSE, ANOTHER_AUTH_FOLLOWS, chunk_empty);
+		}
+	}
+	else
+	{
+		this->do_another_auth = FALSE;
+	}
 	return NEED_MORE;
 }
 
@@ -540,45 +457,136 @@ static status_t build_i(private_ike_auth_t *this, message_t *message)
  */
 static status_t process_r(private_ike_auth_t *this, message_t *message)
 {
-	peer_cfg_t *config;
+	auth_cfg_t *cfg, *cand;
+	id_payload_t *id_payload;
+	identification_t *id;
 	
 	if (message->get_exchange_type(message) == IKE_SA_INIT)
 	{
 		return collect_other_init_data(this, message);
 	}
 	
-	if (process_id(this, message) != SUCCESS)
+	if (this->my_auth == NULL && this->do_another_auth)
+	{
+		/* handle (optional) IDr payload, apply proposed identity */
+		id_payload = (id_payload_t*)message->get_payload(message, ID_RESPONDER);
+		if (id_payload)
+		{
+			id = id_payload->get_identification(id_payload);
+		}
+		else
+		{
+			id = identification_create_from_encoding(ID_ANY, chunk_empty);
+		}
+		this->ike_sa->set_my_id(this->ike_sa, id);
+	}
+	
+	if (!this->expect_another_auth)
 	{
 		return NEED_MORE;
 	}
+	if (message->get_notify(message, MULTIPLE_AUTH_SUPPORTED))
+	{
+		this->ike_sa->enable_extension(this->ike_sa, EXT_MULTIPLE_AUTH);
+	}
 	
-	switch (process_auth(this, message))
+	if (this->other_auth == NULL)
+	{
+		/* handle IDi payload */
+		id_payload = (id_payload_t*)message->get_payload(message, ID_INITIATOR);
+		if (!id_payload)
+		{
+			DBG1(DBG_IKE, "IDi payload missing");
+			return FAILED;
+		}
+		id = id_payload->get_identification(id_payload);
+		this->ike_sa->set_other_id(this->ike_sa, id);
+		cfg = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
+		cfg->add(cfg, AUTH_RULE_IDENTITY, id->clone(id));
+		
+		if (this->peer_cfg == NULL)
+		{
+			if (!load_cfg_candidates(this))
+			{
+				this->authentication_failed = TRUE;
+				return NEED_MORE;
+			}
+		}
+		if (message->get_payload(message, AUTHENTICATION) == NULL)
+		{	/* before authenticating with EAP, we need a EAP config */
+			cand = get_auth_cfg(this, FALSE);
+			while (!cand || (
+					(uintptr_t)cand->get(cand, AUTH_RULE_EAP_TYPE) == EAP_NAK &&
+					(uintptr_t)cand->get(cand, AUTH_RULE_EAP_VENDOR) == 0))
+			{	/* peer requested EAP, but current config does not match */
+				this->peer_cfg->destroy(this->peer_cfg);
+				this->peer_cfg = NULL;
+				if (!update_cfg_candidates(this, FALSE))
+				{
+					this->authentication_failed = TRUE;
+					return NEED_MORE;
+				}
+				cand = get_auth_cfg(this, FALSE);
+			}
+			cfg->merge(cfg, cand, TRUE);
+		}
+		
+		/* verify authentication data */
+		this->other_auth = authenticator_create_verifier(this->ike_sa,
+							message, this->other_nonce, this->my_nonce,
+							this->other_packet->get_data(this->other_packet),
+							this->my_packet->get_data(this->my_packet));
+		if (!this->other_auth)
+		{
+			this->authentication_failed = TRUE;
+			return NEED_MORE;
+		}
+	}
+	switch (this->other_auth->process(this->other_auth, message))
 	{
 		case SUCCESS:
-			this->peer_authenticated = TRUE;
-			break;
-		case NOT_FOUND:
-			/* use EAP if no AUTH payload found */
-			this->ike_sa->set_condition(this->ike_sa, COND_EAP_AUTHENTICATED, TRUE);
+			this->other_auth->destroy(this->other_auth);
+			this->other_auth = NULL;
 			break;
+		case NEED_MORE:
+			if (message->get_payload(message, AUTHENTICATION))
+			{	/* AUTH verification successful, but another build() needed */
+				break;
+			}
+			return NEED_MORE;
 		default:
+			this->authentication_failed = TRUE;
 			return NEED_MORE;
 	}
-
-	config = charon->backends->get_peer_cfg(charon->backends,
-									this->ike_sa->get_my_host(this->ike_sa),
-									this->ike_sa->get_other_host(this->ike_sa),
-									this->ike_sa->get_my_id(this->ike_sa),
-									this->ike_sa->get_other_id(this->ike_sa),
-									this->ike_sa->get_other_auth(this->ike_sa));
-	if (config)
+	
+	/* store authentication information */
+	cfg = auth_cfg_create();
+	cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, FALSE), FALSE);
+	this->other_cfgs->insert_last(this->other_cfgs, cfg);
+	
+	/* another auth round done, invoke authorize hook */
+	if (!charon->bus->authorize(charon->bus, this->other_cfgs, FALSE))
 	{
-		this->ike_sa->set_peer_cfg(this->ike_sa, config);
-		config->destroy(config);
+		DBG1(DBG_IKE, "round %d authorization hook forbids IKE_SA, cancelling",
+			 this->other_cfgs->get_count(this->other_cfgs));
+		this->authentication_failed = TRUE;
+		return NEED_MORE;
 	}
-	if (!this->peer_authenticated)
-	{	
-		this->eap_auth = eap_authenticator_create(this->ike_sa);
+	
+	if (!update_cfg_candidates(this, FALSE))
+	{
+		this->authentication_failed = TRUE;
+		return NEED_MORE;
+	}
+	
+	if (message->get_notify(message, ANOTHER_AUTH_FOLLOWS) == NULL)
+	{
+		this->expect_another_auth = FALSE;
+		if (!update_cfg_candidates(this, TRUE))
+		{
+			this->authentication_failed = TRUE;
+			return NEED_MORE;
+		}
 	}
 	return NEED_MORE;
 }
@@ -588,54 +596,142 @@ static status_t process_r(private_ike_auth_t *this, message_t *message)
  */
 static status_t build_r(private_ike_auth_t *this, message_t *message)
 {
-	peer_cfg_t *config;
-	eap_type_t eap_type;
-	u_int32_t eap_vendor;
-	eap_payload_t *eap_payload;
-	status_t status;
-
+	auth_cfg_t *cfg;
+	
 	if (message->get_exchange_type(message) == IKE_SA_INIT)
 	{
+		if (multiple_auth_enabled())
+		{
+			message->add_notify(message, FALSE, MULTIPLE_AUTH_SUPPORTED,
+								chunk_empty);
+		}
 		return collect_my_init_data(this, message);
 	}
 	
-	if (!this->peer_authenticated && this->eap_auth == NULL)
+	if (this->authentication_failed || this->peer_cfg == NULL)
 	{
-		/* peer not authenticated, nor does it want to use EAP */
 		message->add_notify(message, TRUE, AUTHENTICATION_FAILED, chunk_empty);
 		return FAILED;
 	}
 	
-	config = this->ike_sa->get_peer_cfg(this->ike_sa);
-	if (config == NULL)
+	if (this->my_auth == NULL && this->do_another_auth)
 	{
-		DBG1(DBG_IKE, "no matching config found for '%D'...'%D'",
-			 this->ike_sa->get_my_id(this->ike_sa),
-			 this->ike_sa->get_other_id(this->ike_sa));
-		message->add_notify(message, TRUE, AUTHENTICATION_FAILED, chunk_empty);
-		return FAILED;
+		identification_t *id, *id_cfg;
+		id_payload_t *id_payload;
+		
+		/* add IDr */
+		cfg = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
+		cfg->purge(cfg, TRUE);
+		cfg->merge(cfg, get_auth_cfg(this, TRUE), TRUE);
+		
+		id_cfg = cfg->get(cfg, AUTH_RULE_IDENTITY);
+		id = this->ike_sa->get_my_id(this->ike_sa);
+		if (id->get_type(id) == ID_ANY)
+		{	/* no IDr received, apply configured ID */
+			if (!id_cfg || id_cfg->contains_wildcards(id_cfg))
+			{
+				DBG1(DBG_CFG, "IDr not configured and negotiation failed");
+				message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
+									chunk_empty);
+				return FAILED;
+			}
+			this->ike_sa->set_my_id(this->ike_sa, id_cfg->clone(id_cfg));
+			id = id_cfg;
+		}
+		else
+		{	/* IDr received, check if it matches configuration */
+			if (id_cfg && !id->matches(id, id_cfg))
+			{
+				DBG1(DBG_CFG, "received IDr %Y, but require %Y", id, id_cfg);
+				message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
+									chunk_empty);
+				return FAILED;
+			}
+		}
+		
+		id_payload = id_payload_create_from_identification(ID_RESPONDER, id);
+		message->add_payload(message, (payload_t*)id_payload);
+		
+		/* build authentication data */
+		this->my_auth = authenticator_create_builder(this->ike_sa, cfg,
+							this->other_nonce, this->my_nonce,
+							this->other_packet->get_data(this->other_packet),
+							this->my_packet->get_data(this->my_packet));
+		if (!this->my_auth)
+		{
+			message->add_notify(message, TRUE, AUTHENTICATION_FAILED, chunk_empty);
+			return FAILED;
+		}
 	}
 	
-	if (build_id(this, message) != SUCCESS ||
-		build_auth(this, message) != SUCCESS)
+	if (this->other_auth)
 	{
-		message->add_notify(message, TRUE, AUTHENTICATION_FAILED, chunk_empty);
-		return FAILED;
+		switch (this->other_auth->build(this->other_auth, message))
+		{
+			case SUCCESS:
+				this->other_auth->destroy(this->other_auth);
+				this->other_auth = NULL;
+				break;
+			case NEED_MORE:
+				break;
+			default:
+				if (!message->get_payload(message, EXTENSIBLE_AUTHENTICATION))
+				{	/* skip AUTHENTICATION_FAILED if we have EAP_FAILURE */
+					message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
+										chunk_empty);
+				}
+				return FAILED;
+		}
 	}
-	
-	if (charon->ike_sa_manager->check_uniqueness(charon->ike_sa_manager,
-												 this->ike_sa))
+	if (this->my_auth)
 	{
-		DBG1(DBG_IKE, "cancelling IKE_SA setup due uniqueness policy");
-		message->add_notify(message, TRUE, AUTHENTICATION_FAILED, chunk_empty);
-		return FAILED;
+		switch (this->my_auth->build(this->my_auth, message))
+		{
+			case SUCCESS:
+				cfg = auth_cfg_create();
+				cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, TRUE),
+						   TRUE);
+				this->my_cfgs->insert_last(this->my_cfgs, cfg);
+				this->my_auth->destroy(this->my_auth);
+				this->my_auth = NULL;
+				break;
+			case NEED_MORE:
+				break;
+			default:
+				message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
+									chunk_empty);
+				return FAILED;
+		}
 	}
 	
-	/* use "traditional" authentication if we could authenticate peer */
-	if (this->peer_authenticated)
+	/* check for additional authentication rounds */
+	if (do_another_auth(this))
+	{
+		message->add_notify(message, FALSE, ANOTHER_AUTH_FOLLOWS, chunk_empty);
+	}
+	else
+	{
+		this->do_another_auth = FALSE;
+	}
+	if (!this->do_another_auth && !this->expect_another_auth)
 	{
+		if (charon->ike_sa_manager->check_uniqueness(charon->ike_sa_manager,
+													 this->ike_sa))
+		{
+			DBG1(DBG_IKE, "cancelling IKE_SA setup due uniqueness policy");
+			message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
+								chunk_empty);
+			return FAILED;
+		}
+		if (!charon->bus->authorize(charon->bus, this->other_cfgs, TRUE))
+		{
+			DBG1(DBG_IKE, "final authorization hook forbids IKE_SA, cancelling");
+			message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
+								chunk_empty);
+			return FAILED;
+		}
 		this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
-		DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%D]...%H[%D]",
+		DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
 			 this->ike_sa->get_name(this->ike_sa),
 			 this->ike_sa->get_unique_id(this->ike_sa),
 			 this->ike_sa->get_my_host(this->ike_sa),
@@ -644,21 +740,6 @@ static status_t build_r(private_ike_auth_t *this, message_t *message)
 			 this->ike_sa->get_other_id(this->ike_sa));
 		return SUCCESS;
 	}
-	
-	/* initiate EAP authenitcation */
-	eap_type = get_eap_type(config, &eap_vendor);
-	status = this->eap_auth->initiate(this->eap_auth, eap_type,
-									  eap_vendor, &eap_payload);
-	message->add_payload(message, (payload_t*)eap_payload);
-	if (status != NEED_MORE)
-	{
-		DBG1(DBG_IKE, "unable to initiate EAP authentication");
-		return FAILED;
-	}
-	
-	/* switch to EAP methods */
-	this->public.task.build = (status_t(*)(task_t*,message_t*))build_eap_r;
-	this->public.task.process = (status_t(*)(task_t*,message_t*))process_eap_r;
 	return NEED_MORE;
 }
 
@@ -667,18 +748,22 @@ static status_t build_r(private_ike_auth_t *this, message_t *message)
  */
 static status_t process_i(private_ike_auth_t *this, message_t *message)
 {
-	iterator_t *iterator;
+	enumerator_t *enumerator;
 	payload_t *payload;
-	peer_cfg_t *config;
-	auth_info_t *auth;
+	auth_cfg_t *cfg;
 	
 	if (message->get_exchange_type(message) == IKE_SA_INIT)
 	{
+		if (message->get_notify(message, MULTIPLE_AUTH_SUPPORTED) &&
+			multiple_auth_enabled())
+		{
+			this->ike_sa->enable_extension(this->ike_sa, EXT_MULTIPLE_AUTH);
+		}
 		return collect_other_init_data(this, message);
 	}
 	
-	iterator = message->get_payload_iterator(message);
-	while (iterator->iterate(iterator, (void**)&payload))
+	enumerator = message->create_payload_enumerator(message);
+	while (enumerator->enumerate(enumerator, &payload))
 	{
 		if (payload->get_type(payload) == NOTIFY)
 		{
@@ -714,7 +799,7 @@ static status_t process_i(private_ike_auth_t *this, message_t *message)
 					{
 						DBG1(DBG_IKE, "received %N notify error",
 							 notify_type_names, type);
-						iterator->destroy(iterator);
+						enumerator->destroy(enumerator);
 						return FAILED;	
 					}
 					DBG2(DBG_IKE, "received %N notify",
@@ -724,39 +809,116 @@ static status_t process_i(private_ike_auth_t *this, message_t *message)
 			}
 		}
 	}
-	iterator->destroy(iterator);
+	enumerator->destroy(enumerator);
 	
-	if (process_id(this, message) != SUCCESS ||
-		process_auth(this, message) != SUCCESS)
+	if (this->my_auth)
 	{
-		return FAILED;
+		switch (this->my_auth->process(this->my_auth, message))
+		{
+			case SUCCESS:
+				cfg = auth_cfg_create();
+				cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, TRUE),
+						   TRUE);
+				this->my_cfgs->insert_last(this->my_cfgs, cfg);
+				this->my_auth->destroy(this->my_auth);
+				this->my_auth = NULL;
+				this->do_another_auth = do_another_auth(this);
+				break;
+			case NEED_MORE:
+				break;
+			default:
+				return FAILED;
+		}
 	}
 	
-	if (this->eap_auth)
+	if (this->expect_another_auth)
 	{
-		/* switch to EAP authentication methods */
-		this->public.task.build = (status_t(*)(task_t*,message_t*))build_eap_i;
-		this->public.task.process = (status_t(*)(task_t*,message_t*))process_eap_i;
-		return process_eap_i(this, message);
+		if (this->other_auth == NULL)
+		{
+			id_payload_t *id_payload;
+			identification_t *id;
+			
+			/* responder is not allowed to do EAP */
+			if (!message->get_payload(message, AUTHENTICATION))
+			{
+				DBG1(DBG_IKE, "AUTH payload missing");
+				return FAILED;
+			}
+			
+			/* handle IDr payload */
+			id_payload = (id_payload_t*)message->get_payload(message,
+															 ID_RESPONDER);
+			if (!id_payload)
+			{
+				DBG1(DBG_IKE, "IDr payload missing");
+				return FAILED;
+			}
+			id = id_payload->get_identification(id_payload);
+			this->ike_sa->set_other_id(this->ike_sa, id);
+			cfg = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
+			cfg->add(cfg, AUTH_RULE_IDENTITY, id->clone(id));
+			
+			/* verify authentication data */
+			this->other_auth = authenticator_create_verifier(this->ike_sa,
+							message, this->other_nonce, this->my_nonce,
+							this->other_packet->get_data(this->other_packet),
+							this->my_packet->get_data(this->my_packet));
+			if (!this->other_auth)
+			{
+				return FAILED;
+			}
+		}
+		switch (this->other_auth->process(this->other_auth, message))
+		{
+			case SUCCESS:
+				break;
+			case NEED_MORE:
+				return NEED_MORE;
+			default:
+				return FAILED;
+		}
+		/* store authentication information, reset authenticator */
+		cfg = auth_cfg_create();
+		cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, FALSE), FALSE);
+		this->other_cfgs->insert_last(this->other_cfgs, cfg);
+		this->other_auth->destroy(this->other_auth);
+		this->other_auth = NULL;
+		
+		/* another auth round done, invoke authorize hook */
+		if (!charon->bus->authorize(charon->bus, this->other_cfgs, FALSE))
+		{
+			DBG1(DBG_IKE, "round %d authorization forbids IKE_SA, cancelling",
+				 this->other_cfgs->get_count(this->other_cfgs));
+			return FAILED;
+		}
 	}
 	
-	config = this->ike_sa->get_peer_cfg(this->ike_sa);
-	auth = this->ike_sa->get_other_auth(this->ike_sa);
-	if (!auth->complies(auth, config->get_auth(config)))
+	if (message->get_notify(message, ANOTHER_AUTH_FOLLOWS) == NULL)
 	{
-		DBG0(DBG_IKE, "authorization of '%D' for config %s failed",
-			this->ike_sa->get_other_id(this->ike_sa), config->get_name(config));
-		return FAILED;
+		this->expect_another_auth = FALSE;
 	}
-	this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
-	DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%D]...%H[%D]",
-		 this->ike_sa->get_name(this->ike_sa),
-		 this->ike_sa->get_unique_id(this->ike_sa),
-		 this->ike_sa->get_my_host(this->ike_sa),
-		 this->ike_sa->get_my_id(this->ike_sa),
-		 this->ike_sa->get_other_host(this->ike_sa),
-		 this->ike_sa->get_other_id(this->ike_sa));
-	return SUCCESS;
+	if (!this->expect_another_auth && !this->do_another_auth && !this->my_auth)
+	{
+		if (!update_cfg_candidates(this, TRUE))
+		{
+			return FAILED;
+		}
+		if (!charon->bus->authorize(charon->bus, this->other_cfgs, TRUE))
+		{
+			DBG1(DBG_IKE, "final authorization hook forbids IKE_SA, cancelling");
+			return FAILED;
+		}
+		this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
+		DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
+			 this->ike_sa->get_name(this->ike_sa),
+			 this->ike_sa->get_unique_id(this->ike_sa),
+			 this->ike_sa->get_my_host(this->ike_sa),
+			 this->ike_sa->get_my_id(this->ike_sa), 
+			 this->ike_sa->get_other_host(this->ike_sa),
+			 this->ike_sa->get_other_id(this->ike_sa));
+		return SUCCESS;
+	}
+	return NEED_MORE;
 }
 
 /**
@@ -776,28 +938,25 @@ static void migrate(private_ike_auth_t *this, ike_sa_t *ike_sa)
 	chunk_free(&this->other_nonce);
 	DESTROY_IF(this->my_packet);
 	DESTROY_IF(this->other_packet);
-	if (this->eap_auth)
-	{
-		this->eap_auth->authenticator_interface.destroy(
-									&this->eap_auth->authenticator_interface);
-	}
+	DESTROY_IF(this->peer_cfg);
+	DESTROY_IF(this->my_auth);
+	DESTROY_IF(this->other_auth);
+	this->my_cfgs->destroy_offset(this->my_cfgs, offsetof(auth_cfg_t, destroy));
+	this->other_cfgs->destroy_offset(this->other_cfgs, offsetof(auth_cfg_t, destroy));
+	this->candidates->destroy_offset(this->candidates, offsetof(peer_cfg_t, destroy));
 	
 	this->my_packet = NULL;
 	this->other_packet = NULL;
-	this->peer_authenticated = FALSE;
-	this->eap_auth = NULL;
-	this->eap_payload = NULL;
 	this->ike_sa = ike_sa;
-	if (this->initiator)
-	{
-		this->public.task.build = (status_t(*)(task_t*,message_t*))build_i;
-		this->public.task.process = (status_t(*)(task_t*,message_t*))process_i;
-	}
-	else
-	{
-		this->public.task.build = (status_t(*)(task_t*,message_t*))build_r;
-		this->public.task.process = (status_t(*)(task_t*,message_t*))process_r;
-	}
+	this->peer_cfg = NULL;
+	this->my_auth = NULL;
+	this->other_auth = NULL;
+	this->do_another_auth = TRUE;
+	this->expect_another_auth = TRUE;
+	this->authentication_failed = FALSE;
+	this->my_cfgs = linked_list_create();
+	this->other_cfgs = linked_list_create();
+	this->candidates = linked_list_create();
 }
 
 /**
@@ -809,11 +968,12 @@ static void destroy(private_ike_auth_t *this)
 	chunk_free(&this->other_nonce);
 	DESTROY_IF(this->my_packet);
 	DESTROY_IF(this->other_packet);
-	if (this->eap_auth)
-	{
-		this->eap_auth->authenticator_interface.destroy(
-									&this->eap_auth->authenticator_interface);
-	}
+	DESTROY_IF(this->my_auth);
+	DESTROY_IF(this->other_auth);
+	DESTROY_IF(this->peer_cfg);
+	this->my_cfgs->destroy_offset(this->my_cfgs, offsetof(auth_cfg_t, destroy));
+	this->other_cfgs->destroy_offset(this->other_cfgs, offsetof(auth_cfg_t, destroy));
+	this->candidates->destroy_offset(this->candidates, offsetof(peer_cfg_t, destroy));
 	free(this);
 }
 
@@ -823,7 +983,7 @@ static void destroy(private_ike_auth_t *this)
 ike_auth_t *ike_auth_create(ike_sa_t *ike_sa, bool initiator)
 {
 	private_ike_auth_t *this = malloc_thing(private_ike_auth_t);
-
+	
 	this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
 	this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
 	this->public.task.destroy = (void(*)(task_t*))destroy;
@@ -845,9 +1005,16 @@ ike_auth_t *ike_auth_create(ike_sa_t *ike_sa, bool initiator)
 	this->other_nonce = chunk_empty;
 	this->my_packet = NULL;
 	this->other_packet = NULL;
-	this->peer_authenticated = FALSE;
-	this->eap_auth = NULL;
-	this->eap_payload = NULL;
+	this->peer_cfg = NULL;
+	this->my_cfgs = linked_list_create();
+	this->other_cfgs = linked_list_create();
+	this->candidates = linked_list_create();
+	this->my_auth = NULL;
+	this->other_auth = NULL;
+	this->do_another_auth = TRUE;
+	this->expect_another_auth = TRUE;
+	this->authentication_failed = FALSE;
 	
 	return &this->public;
 }
+
diff --git a/src/charon/sa/tasks/ike_auth.h b/src/charon/sa/tasks/ike_auth.h
index a4719ec24..bba46d961 100644
--- a/src/charon/sa/tasks/ike_auth.h
+++ b/src/charon/sa/tasks/ike_auth.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: ike_auth.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/charon/sa/tasks/ike_auth_lifetime.c b/src/charon/sa/tasks/ike_auth_lifetime.c
index cb17cc2dc..a047e6b81 100644
--- a/src/charon/sa/tasks/ike_auth_lifetime.c
+++ b/src/charon/sa/tasks/ike_auth_lifetime.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: ike_auth_lifetime.c 4576 2008-11-05 08:32:38Z martin $
  */
 
 #include "ike_auth_lifetime.h"
@@ -64,12 +62,12 @@ static void add_auth_lifetime(private_ike_auth_lifetime_t *this, message_t *mess
  */
 static void process_payloads(private_ike_auth_lifetime_t *this, message_t *message)
 {
-	iterator_t *iterator;
+	enumerator_t *enumerator;
 	payload_t *payload;
 	notify_payload_t *notify;
 	
-	iterator = message->get_payload_iterator(message);
-	while (iterator->iterate(iterator, (void**)&payload))
+	enumerator = message->create_payload_enumerator(message);
+	while (enumerator->enumerate(enumerator, &payload))
 	{
 		if (payload->get_type(payload) == NOTIFY)
 		{
@@ -88,7 +86,7 @@ static void process_payloads(private_ike_auth_lifetime_t *this, message_t *messa
 			}
 		}
 	}
-	iterator->destroy(iterator);
+	enumerator->destroy(enumerator);
 }
 
 /**
diff --git a/src/charon/sa/tasks/ike_auth_lifetime.h b/src/charon/sa/tasks/ike_auth_lifetime.h
index 46595e6ed..812caaf43 100644
--- a/src/charon/sa/tasks/ike_auth_lifetime.h
+++ b/src/charon/sa/tasks/ike_auth_lifetime.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: ike_auth_lifetime.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/charon/sa/tasks/ike_cert_post.c b/src/charon/sa/tasks/ike_cert_post.c
index cb533236e..70e87c2e7 100644
--- a/src/charon/sa/tasks/ike_cert_post.c
+++ b/src/charon/sa/tasks/ike_cert_post.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2008 Tobias Brunner
- * Copyright (C) 2006-2008 Martin Willi
+ * Copyright (C) 2006-2009 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: ike_cert_post.c 4276 2008-08-22 10:44:51Z martin $
  */
 
 #include "ike_cert_post.h"
@@ -22,6 +20,7 @@
 #include <sa/ike_sa.h>
 #include <encoding/payloads/cert_payload.h>
 #include <encoding/payloads/certreq_payload.h>
+#include <encoding/payloads/auth_payload.h>
 #include <credentials/certificates/x509.h>
 
 
@@ -97,71 +96,72 @@ static cert_payload_t *build_cert_payload(private_ike_cert_post_t *this, certifi
 	return payload;
 }
 
-/**
- * from ike_auth.c
- */
-auth_class_t get_auth_class(peer_cfg_t *config);
-
 /**
  * add certificates to message
  */
 static void build_certs(private_ike_cert_post_t *this, message_t *message)
 {
 	peer_cfg_t *peer_cfg;
+	auth_payload_t *payload;
 	
+	payload = (auth_payload_t*)message->get_payload(message, AUTHENTICATION);
 	peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
-	if (peer_cfg && get_auth_class(peer_cfg) == AUTH_CLASS_PUBKEY)
+	if (!peer_cfg || !payload || payload->get_auth_method(payload) == AUTH_PSK)
+	{	/* no CERT payload for EAP/PSK */
+		return;
+	}
+	
+	switch (peer_cfg->get_cert_policy(peer_cfg))
 	{
-		switch (peer_cfg->get_cert_policy(peer_cfg))
+		case CERT_NEVER_SEND:
+			break;
+		case CERT_SEND_IF_ASKED:
+			if (!this->ike_sa->has_condition(this->ike_sa, COND_CERTREQ_SEEN))
+			{
+				break;
+			}
+			/* FALL */
+		case CERT_ALWAYS_SEND:
 		{
-			case CERT_NEVER_SEND:
+			cert_payload_t *payload;
+			enumerator_t *enumerator;
+			certificate_t *cert;
+			auth_rule_t type;
+			auth_cfg_t *auth;
+			
+			auth = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
+			
+			/* get subject cert first, then issuing certificates */
+			cert = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
+			if (!cert)
+			{
 				break;
-			case CERT_SEND_IF_ASKED:
-				if (!this->ike_sa->has_condition(this->ike_sa, COND_CERTREQ_SEEN))
-				{
-					break;
-				}
-				/* FALL */
-			case CERT_ALWAYS_SEND:
+			}
+			payload = build_cert_payload(this, cert);
+			if (!payload)
 			{
-				cert_payload_t *payload;
-				enumerator_t *enumerator;
-				certificate_t *cert;
-				auth_info_t *auth;
-				auth_item_t item;
-				
-				auth = this->ike_sa->get_my_auth(this->ike_sa);
-				/* get subject cert first, then issuing certificates */
-				if (!auth->get_item(auth, AUTHZ_SUBJECT_CERT, (void**)&cert))
-				{
-					break;
-				}
-				payload = build_cert_payload(this, cert);
-				if (!payload)
-				{
-					break;
-				}
-				DBG1(DBG_IKE, "sending end entity cert \"%D\"",
-					 cert->get_subject(cert));
-				message->add_payload(message, (payload_t*)payload);
-				
-				enumerator = auth->create_item_enumerator(auth);
-				while (enumerator->enumerate(enumerator, &item, &cert))
+				break;
+			}
+			DBG1(DBG_IKE, "sending end entity cert \"%Y\"",
+				 cert->get_subject(cert));
+			message->add_payload(message, (payload_t*)payload);
+			
+			enumerator = auth->create_enumerator(auth);
+			while (enumerator->enumerate(enumerator, &type, &cert))
+			{
+				if (type == AUTH_RULE_IM_CERT)
 				{
-					if (item == AUTHZ_IM_CERT)
+					payload = cert_payload_create_from_cert(cert);
+					if (payload)
 					{
-						payload = cert_payload_create_from_cert(cert);
-						if (payload)
-						{
-							DBG1(DBG_IKE, "sending issuer cert \"%D\"",
-								 cert->get_subject(cert));
-							message->add_payload(message, (payload_t*)payload);
-						}
+						DBG1(DBG_IKE, "sending issuer cert \"%Y\"",
+							 cert->get_subject(cert));
+						message->add_payload(message, (payload_t*)payload);
 					}
 				}
-				enumerator->destroy(enumerator);
-			}	
-		}
+			}
+			enumerator->destroy(enumerator);
+		}	
 	}
 }
 
@@ -170,12 +170,9 @@ static void build_certs(private_ike_cert_post_t *this, message_t *message)
  */
 static status_t build_i(private_ike_cert_post_t *this, message_t *message)
 {
-	if (message->get_exchange_type(message) == IKE_SA_INIT)
-	{
-		return NEED_MORE;
-	}
 	build_certs(this, message);
-	return SUCCESS;
+	
+	return NEED_MORE;
 }
 
 /**
@@ -191,11 +188,12 @@ static status_t process_r(private_ike_cert_post_t *this, message_t *message)
  */
 static status_t build_r(private_ike_cert_post_t *this, message_t *message)
 {
-	if (message->get_exchange_type(message) == IKE_SA_INIT)
-	{
+	build_certs(this, message);
+	
+	if (this->ike_sa->get_state(this->ike_sa) != IKE_ESTABLISHED)
+	{	/* stay alive, we might have additional rounds with certs */
 		return NEED_MORE;
 	}
-	build_certs(this, message);
 	return SUCCESS;
 }
 
@@ -204,8 +202,8 @@ static status_t build_r(private_ike_cert_post_t *this, message_t *message)
  */
 static status_t process_i(private_ike_cert_post_t *this, message_t *message)
 {
-	if (message->get_exchange_type(message) == IKE_SA_INIT)
-	{
+	if (this->ike_sa->get_state(this->ike_sa) != IKE_ESTABLISHED)
+	{	/* stay alive, we might have additional rounds with CERTS */
 		return NEED_MORE;
 	}
 	return SUCCESS;
diff --git a/src/charon/sa/tasks/ike_cert_post.h b/src/charon/sa/tasks/ike_cert_post.h
index ec9d172e1..fa555eac7 100644
--- a/src/charon/sa/tasks/ike_cert_post.h
+++ b/src/charon/sa/tasks/ike_cert_post.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: ike_cert_post.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/charon/sa/tasks/ike_cert_pre.c b/src/charon/sa/tasks/ike_cert_pre.c
index 353b76a22..1c72f289f 100644
--- a/src/charon/sa/tasks/ike_cert_pre.c
+++ b/src/charon/sa/tasks/ike_cert_pre.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2008 Tobias Brunner
- * Copyright (C) 2006-2007 Martin Willi
+ * Copyright (C) 2006-2009 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: ike_cert_pre.c 4285 2008-08-26 05:15:34Z andreas $
  */
 
 #include "ike_cert_pre.h"
@@ -48,9 +46,14 @@ struct private_ike_cert_pre_t {
 	bool initiator;
 	
 	/**
-	 * Did we send a HTTP_CERT_LOOKUP_SUPPORTED Notify?
+	 * Do we accept HTTP certificate lookup requests
+	 */
+	bool do_http_lookup;
+	
+	/**
+	 * wheter this is the final authentication round
 	 */
-	bool http_cert_lookup_supported_sent;
+	bool final;
 };
 
 /**
@@ -58,23 +61,22 @@ struct private_ike_cert_pre_t {
  */
 static void process_certreqs(private_ike_cert_pre_t *this, message_t *message)
 {
-	iterator_t *iterator;
+	enumerator_t *enumerator;
 	payload_t *payload;
-	auth_info_t *auth;
-	bool ca_found = FALSE;
+	auth_cfg_t *auth;
 	
-	auth = this->ike_sa->get_my_auth(this->ike_sa);
+	auth = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
 	
-	iterator = message->get_payload_iterator(message);
-	while (iterator->iterate(iterator, (void**)&payload))
+	enumerator = message->create_payload_enumerator(message);
+	while (enumerator->enumerate(enumerator, &payload))
 	{
 		switch(payload->get_type(payload))
 		{
 			case CERTIFICATE_REQUEST:
 			{
 				certreq_payload_t *certreq = (certreq_payload_t*)payload;
-				chunk_t keyid;
 				enumerator_t *enumerator;
+				chunk_t keyid;
 				
 				this->ike_sa->set_condition(this->ike_sa, COND_CERTREQ_SEEN, TRUE);
 				
@@ -96,17 +98,14 @@ static void process_certreqs(private_ike_cert_pre_t *this, message_t *message)
 											CERT_X509, KEY_ANY, id, TRUE);
 					if (cert)
 					{
-						DBG1(DBG_IKE, "received cert request for \"%D\"",
+						DBG1(DBG_IKE, "received cert request for \"%Y\"",
 							 cert->get_subject(cert));
-						auth->add_item(auth, AUTHN_CA_CERT, cert);
-						cert->destroy(cert);
-						ca_found = TRUE;
+						auth->add(auth, AUTH_RULE_CA_CERT, cert);
 					}
 					else
 					{
 						DBG1(DBG_IKE, "received cert request for unknown ca "
-									  "with keyid %D", id);
-						auth->add_item(auth, AUTHN_CA_CERT_KEYID, id);
+									  "with keyid %Y", id);
 					}
 					id->destroy(id);
 				}
@@ -129,7 +128,7 @@ static void process_certreqs(private_ike_cert_pre_t *this, message_t *message)
 				break;
 		}
 	}
-	iterator->destroy(iterator);
+	enumerator->destroy(enumerator);
 }
 
 /**
@@ -140,6 +139,7 @@ static void process_certreqs(private_ike_cert_pre_t *this, message_t *message)
 static certificate_t *try_get_cert(cert_payload_t *cert_payload)
 {
 	certificate_t *cert = NULL;
+	
 	switch (cert_payload->get_cert_encoding(cert_payload))
 	{
 		case ENC_X509_SIGNATURE:
@@ -158,7 +158,7 @@ static certificate_t *try_get_cert(cert_payload_t *cert_payload)
 			}
 			id = identification_create_from_encoding(ID_CERT_DER_SHA1, hash);
 			cert = charon->credentials->get_cert(charon->credentials, 
-									CERT_X509, KEY_ANY, id, FALSE);
+												 CERT_X509, KEY_ANY, id, FALSE);
 			id->destroy(id);
 			break;
 		}
@@ -175,78 +175,81 @@ static certificate_t *try_get_cert(cert_payload_t *cert_payload)
  */
 static void process_certs(private_ike_cert_pre_t *this, message_t *message)
 {
-	iterator_t *iterator;
+	enumerator_t *enumerator;
 	payload_t *payload;
-	auth_info_t *auth;
+	auth_cfg_t *auth;
 	bool first = TRUE;
 	
-	auth = this->ike_sa->get_other_auth(this->ike_sa);
+	auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
 	
-	iterator = message->get_payload_iterator(message);
-	while (iterator->iterate(iterator, (void**)&payload))
+	enumerator = message->create_payload_enumerator(message);
+	while (enumerator->enumerate(enumerator, &payload))
 	{
 		if (payload->get_type(payload) == CERTIFICATE)
 		{
-			cert_payload_t *cert_payload = (cert_payload_t*)payload;
-			cert_encoding_t type = cert_payload->get_cert_encoding(cert_payload);
-			switch (type)
+			cert_payload_t *cert_payload;
+			cert_encoding_t encoding;
+			certificate_t *cert;
+			char *url;
+			
+			cert_payload = (cert_payload_t*)payload;
+			encoding = cert_payload->get_cert_encoding(cert_payload);
+			
+			switch (encoding)
 			{
-				case ENC_X509_SIGNATURE:
 				case ENC_X509_HASH_AND_URL:
 				{
-					if (type == ENC_X509_HASH_AND_URL &&
-						!this->http_cert_lookup_supported_sent)
+					if (!this->do_http_lookup)
 					{
 						DBG1(DBG_IKE, "received hash-and-url encoded cert, but"
 								" we don't accept them, ignore");
 						break;
 					}
-					
-					certificate_t *cert = try_get_cert(cert_payload);
-					
+					/* FALL */
+				}
+				case ENC_X509_SIGNATURE:
+				{
+					cert = try_get_cert(cert_payload);
 					if (cert)
 					{
-						/* we've got a certificate from the payload or the cache */ 
 						if (first)
-						{	/* the first certificate MUST be an end entity one */
-							DBG1(DBG_IKE, "received end entity cert \"%D\"",
+						{	/* the first is an end entity certificate */
+							DBG1(DBG_IKE, "received end entity cert \"%Y\"",
 								 cert->get_subject(cert));
-							auth->add_item(auth, AUTHN_SUBJECT_CERT, cert);
+							auth->add(auth, AUTH_HELPER_SUBJECT_CERT, cert);
 							first = FALSE;
 						}
 						else
 						{
-							DBG1(DBG_IKE, "received issuer cert \"%D\"",
+							DBG1(DBG_IKE, "received issuer cert \"%Y\"",
 								 cert->get_subject(cert));
-							auth->add_item(auth, AUTHN_IM_CERT, cert);
+							auth->add(auth, AUTH_HELPER_IM_CERT, cert);
 						}
-						cert->destroy(cert);
 					}
-					else if (type == ENC_X509_HASH_AND_URL)
+					else if (encoding == ENC_X509_HASH_AND_URL)
 					{
-						/* we received a "Hash and URL" encoded certificate that
-						 * we haven't fetched yet, we store the URL and fetch
-						 * it later */
-						char *url = cert_payload->get_url(cert_payload);
+						/* we fetch the certificate not yet, but only if
+						 * it is really needed during authentication */
+						url = cert_payload->get_url(cert_payload);
 						if (!url)
 						{
-							DBG1(DBG_IKE, "received invalid hash-and-url encoded"
-									" cert, ignore");
+							DBG1(DBG_IKE, "received invalid hash-and-url "
+								 "encoded cert, ignore");
 							break;
 						}
-						
+						url = strdup(url);
 						if (first)
-						{	/* the first certificate MUST be an end entity one */
+						{	/* first URL is for an end entity certificate */
 							DBG1(DBG_IKE, "received hash-and-url for end"
-									" entity cert \"%s\"", url);
-							auth->add_item(auth, AUTHN_SUBJECT_HASH_URL, url);
+								 " entity cert \"%s\"", url);
+							auth->add(auth, AUTH_HELPER_SUBJECT_HASH_URL, url);
 							first = FALSE;
 						}
 						else
 						{
 							DBG1(DBG_IKE, "received hash-and-url for issuer"
 									" cert \"%s\"", url);
-							auth->add_item(auth, AUTHN_IM_HASH_URL, url);
+							auth->add(auth, AUTH_HELPER_IM_HASH_URL, url);
 						}
 					}
 					break;
@@ -264,31 +267,23 @@ static void process_certs(private_ike_cert_pre_t *this, message_t *message)
 				case ENC_OCSP_CONTENT:
 				default:
 					DBG1(DBG_ENC, "certificate encoding %N not supported",
-						 cert_encoding_names, cert_payload->get_cert_encoding(cert_payload));
+						 cert_encoding_names, encoding);
 			}
 		}
 	}
-	iterator->destroy(iterator);
+	enumerator->destroy(enumerator);
 }
 
 /**
- * add a certificate request to the message, building request payload if required.
+ * add the keyid of a certificate to the certificate request payload
  */
-static void add_certreq_payload(message_t *message, certreq_payload_t **reqp, 
-								certificate_t *cert)
+static void add_certreq(certreq_payload_t **req, certificate_t *cert)
 {
-	public_key_t *public;
-	certreq_payload_t *req;
-
-	public = cert->get_public_key(cert);
-	if (!public)
-	{
-		return;
-	}
 	switch (cert->get_type(cert))
 	{
 		case CERT_X509:
 		{
+			public_key_t *public;
 			identification_t *keyid;
 			x509_t *x509 = (x509_t*)cert;
 			
@@ -296,22 +291,49 @@ static void add_certreq_payload(message_t *message, certreq_payload_t **reqp,
 			{	/* no CA cert, skip */
 				break;
 			}
-			if (*reqp == NULL)
+			public = cert->get_public_key(cert);
+			if (!public)
 			{
-				*reqp = certreq_payload_create_type(CERT_X509);
-				message->add_payload(message, (payload_t*)*reqp);
+				break;
+			}
+			if (*req == NULL)
+			{
+				*req = certreq_payload_create_type(CERT_X509);
 			}
-			req = *reqp;
 			keyid = public->get_id(public, ID_PUBKEY_INFO_SHA1);
-			req->add_keyid(req, keyid->get_encoding(keyid));
-			DBG1(DBG_IKE, "sending cert request for \"%D\"",
+			(*req)->add_keyid(*req, keyid->get_encoding(keyid));
+			public->destroy(public);
+			DBG1(DBG_IKE, "sending cert request for \"%Y\"",
 				 cert->get_subject(cert));
 			break;
 		}
 		default:
 			break;
 	}
-	public->destroy(public);
+}
+
+/**
+ * add a auth_cfg's CA certificates to the certificate request
+ */
+static void add_certreqs(certreq_payload_t **req, auth_cfg_t *auth)
+{
+	enumerator_t *enumerator;
+	auth_rule_t type;
+	void *value;
+	
+	enumerator = auth->create_enumerator(auth);
+	while (enumerator->enumerate(enumerator, &type, &value))
+	{
+		switch (type)
+		{
+			case AUTH_RULE_CA_CERT:
+				add_certreq(req, (certificate_t*)value);
+				break;
+			default:
+				break;
+		}
+	}
+	enumerator->destroy(enumerator);
 }
 
 /**
@@ -319,88 +341,96 @@ static void add_certreq_payload(message_t *message, certreq_payload_t **reqp,
  */
 static void build_certreqs(private_ike_cert_pre_t *this, message_t *message)
 {
+	enumerator_t *enumerator;
 	ike_cfg_t *ike_cfg;
 	peer_cfg_t *peer_cfg;
-	enumerator_t *enumerator;
 	certificate_t *cert;
-	bool restricted = FALSE;
-	certreq_payload_t *x509_req = NULL;
+	auth_cfg_t *auth;
+	certreq_payload_t *req = NULL;
 	
 	ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa);
 	if (!ike_cfg->send_certreq(ike_cfg))
 	{
 		return;
 	}
-
+	
 	/* check if we require a specific CA for that peer */
 	peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
 	if (peer_cfg)
 	{
-		void *ptr;
-		identification_t *id;
-		auth_item_t item;
-		auth_info_t *auth = peer_cfg->get_auth(peer_cfg);
-		enumerator_t *auth_enumerator = auth->create_item_enumerator(auth);
-
-		while (auth_enumerator->enumerate(auth_enumerator, &item, &ptr))
+		enumerator = peer_cfg->create_auth_cfg_enumerator(peer_cfg, FALSE);
+		while (enumerator->enumerate(enumerator, &auth))
 		{
-			switch (item)
-			{
-				case AUTHZ_CA_CERT:
-					cert = (certificate_t *)ptr;
-					add_certreq_payload(message, &x509_req, cert);
-					restricted = TRUE;
-					break;
-				case AUTHZ_CA_CERT_NAME:
-					id = (identification_t *)ptr;
-					enumerator = charon->credentials->create_cert_enumerator(
-							charon->credentials, CERT_ANY, KEY_ANY, id, TRUE);
-					while (enumerator->enumerate(enumerator, &cert, TRUE))
-					{
-						add_certreq_payload(message, &x509_req, cert);
-						restricted = TRUE;
-					}
-					enumerator->destroy(enumerator);
-					break;
-				default:
-					break;
-			}
+			add_certreqs(&req, auth);
 		}
-		auth_enumerator->destroy(auth_enumerator);
+		enumerator->destroy(enumerator);
 	}
-		
-	if (!restricted)
+	
+	if (!req)
 	{
-		/* otherwise include all trusted CA certificates */
+		/* otherwise add all trusted CA certificates */
 		enumerator = charon->credentials->create_cert_enumerator(
 							charon->credentials, CERT_ANY, KEY_ANY, NULL, TRUE);
-		while (enumerator->enumerate(enumerator, &cert, TRUE))
+		while (enumerator->enumerate(enumerator, &cert))
 		{
-			add_certreq_payload(message, &x509_req, cert);
+			add_certreq(&req, cert);
 		}
 		enumerator->destroy(enumerator);
 	}
 	
-	/* if we've added at least one certreq, we notify our peer that we support
-	 * "Hash and URL" for the requested certificates */
-	if (lib->settings->get_bool(lib->settings, "charon.hash_and_url", FALSE) &&
-		message->get_payload(message, CERTIFICATE_REQUEST))
+	if (req)
 	{
-		message->add_notify(message, FALSE, HTTP_CERT_LOOKUP_SUPPORTED, chunk_empty);
-		this->http_cert_lookup_supported_sent = TRUE;
+		message->add_payload(message, (payload_t*)req);
+		
+		if (lib->settings->get_bool(lib->settings, "charon.hash_and_url", FALSE))
+		{
+			message->add_notify(message, FALSE, HTTP_CERT_LOOKUP_SUPPORTED,
+								chunk_empty);
+			this->do_http_lookup = TRUE;
+		}
 	}
 }
 
+/**
+ * Check if this is the final authentication round
+ */
+static bool final_auth(message_t *message)
+{
+	enumerator_t *enumerator;
+	payload_t *payload;
+	notify_payload_t *notify;
+	
+	/* we check for an AUTH payload without a ANOTHER_AUTH_FOLLOWS notify */
+	if (message->get_payload(message, AUTHENTICATION) == NULL)
+	{
+		return FALSE;
+	}
+	enumerator = message->create_payload_enumerator(message);
+	while (enumerator->enumerate(enumerator, &payload))
+	{
+		if (payload->get_type(payload) == NOTIFY)
+		{
+			notify = (notify_payload_t*)payload;
+			if (notify->get_notify_type(notify) == ANOTHER_AUTH_FOLLOWS)
+			{
+				enumerator->destroy(enumerator);
+				return FALSE;
+			}
+		}
+	}
+	enumerator->destroy(enumerator);
+	return TRUE;
+}
+
 /**
  * Implementation of task_t.process for initiator
  */
 static status_t build_i(private_ike_cert_pre_t *this, message_t *message)
 {	
-	if (message->get_exchange_type(message) == IKE_SA_INIT)
-	{
-		return NEED_MORE;
+	if (message->get_message_id(message) == 1)
+	{	/* initiator sends CERTREQs in first IKE_AUTH */
+		build_certreqs(this, message);
 	}
-	build_certreqs(this, message);
 	return NEED_MORE;
 }
 
@@ -408,13 +438,13 @@ static status_t build_i(private_ike_cert_pre_t *this, message_t *message)
  * Implementation of task_t.process for responder
  */
 static status_t process_r(private_ike_cert_pre_t *this, message_t *message)
-{	
-	if (message->get_exchange_type(message) == IKE_SA_INIT)
-	{
-		return NEED_MORE;
+{
+	if (message->get_exchange_type(message) != IKE_SA_INIT)
+	{	/* handle certreqs/certs in any IKE_AUTH, just in case */
+		process_certreqs(this, message);
+		process_certs(this, message);
 	}
-	process_certreqs(this, message);
-	process_certs(this, message);
+	this->final = final_auth(message);
 	return NEED_MORE;
 }
 
@@ -426,9 +456,12 @@ static status_t build_r(private_ike_cert_pre_t *this, message_t *message)
 	if (message->get_exchange_type(message) == IKE_SA_INIT)
 	{
 		build_certreqs(this, message);
-		return NEED_MORE;
 	}
-	return SUCCESS;
+	if (this->final)
+	{
+		return SUCCESS;
+	}
+	return NEED_MORE;
 }
 
 /**
@@ -439,10 +472,14 @@ static status_t process_i(private_ike_cert_pre_t *this, message_t *message)
 	if (message->get_exchange_type(message) == IKE_SA_INIT)
 	{
 		process_certreqs(this, message);
-		return NEED_MORE;
 	}
 	process_certs(this, message);
-	return SUCCESS;
+	
+	if (final_auth(message))
+	{
+		return SUCCESS;
+	}
+	return NEED_MORE;
 }
 
 /**
@@ -493,7 +530,8 @@ ike_cert_pre_t *ike_cert_pre_create(ike_sa_t *ike_sa, bool initiator)
 	
 	this->ike_sa = ike_sa;
 	this->initiator = initiator;
-	this->http_cert_lookup_supported_sent = FALSE;
+	this->do_http_lookup = FALSE;
+	this->final = FALSE;
 	
 	return &this->public;
 }
diff --git a/src/charon/sa/tasks/ike_cert_pre.h b/src/charon/sa/tasks/ike_cert_pre.h
index d6d06b04f..d49005e68 100644
--- a/src/charon/sa/tasks/ike_cert_pre.h
+++ b/src/charon/sa/tasks/ike_cert_pre.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: ike_cert_pre.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/charon/sa/tasks/ike_config.c b/src/charon/sa/tasks/ike_config.c
index b890e93ba..1f75521b6 100644
--- a/src/charon/sa/tasks/ike_config.c
+++ b/src/charon/sa/tasks/ike_config.c
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: ike_config.c 4867 2009-02-13 11:57:50Z andreas $
  */
 
 #include "ike_config.h"
@@ -50,54 +48,34 @@ struct private_ike_config_t {
 	 * virtual ip
 	 */
 	host_t *virtual_ip;
-	
-	/**
-	 * list of DNS servers
-	 */
-	linked_list_t *dns;
-
-	/**
-	 * list of WINS servers
-	 */
-	linked_list_t *nbns;
 };
 
 /**
- * build configuration payloads and attributes
+ * build INTERNAL_IPV4/6_ADDRESS from virtual ip
  */
-static void build_payloads(private_ike_config_t *this, message_t *message,
-						   config_type_t type)
+static void build_vip(private_ike_config_t *this, host_t *vip, cp_payload_t *cp)
 {
-	cp_payload_t *cp;
 	configuration_attribute_t *ca;
 	chunk_t chunk, prefix;
 	
-	if (!this->virtual_ip)
-	{
-		return;
-	}
-
-	cp = cp_payload_create();
-	cp->set_config_type(cp, type);
-
 	ca = configuration_attribute_create();
 	
-	if (this->virtual_ip->get_family(this->virtual_ip) == AF_INET)
+	if (vip->get_family(vip) == AF_INET)
 	{
 		ca->set_type(ca, INTERNAL_IP4_ADDRESS);
-		if (this->virtual_ip->is_anyaddr(this->virtual_ip))
+		if (vip->is_anyaddr(vip))
 		{
 			chunk = chunk_empty;
 		}
 		else
 		{
-			chunk = this->virtual_ip->get_address(this->virtual_ip);
+			chunk = vip->get_address(vip);
 		}
 	}
 	else
 	{
 		ca->set_type(ca, INTERNAL_IP6_ADDRESS);
-		if (this->virtual_ip->is_anyaddr(this->virtual_ip))
+		if (vip->is_anyaddr(vip))
 		{
 			chunk = chunk_empty;
 		}
@@ -105,71 +83,12 @@ static void build_payloads(private_ike_config_t *this, message_t *message,
 		{
 			prefix = chunk_alloca(1);
 			*prefix.ptr = 64;
-			chunk = this->virtual_ip->get_address(this->virtual_ip);
+			chunk = vip->get_address(vip);
 			chunk = chunk_cata("cc", chunk, prefix);
 		}
 	}
 	ca->set_value(ca, chunk);
 	cp->add_configuration_attribute(cp, ca);
-	
-	/* we currently always add a DNS request if we request an IP */
-	if (this->initiator)
-	{
-		ca = configuration_attribute_create();
-		if (this->virtual_ip->get_family(this->virtual_ip) == AF_INET)
-		{
-			ca->set_type(ca, INTERNAL_IP4_DNS);
-		}
-		else
-		{
-			ca->set_type(ca, INTERNAL_IP6_DNS);
-		}
-		cp->add_configuration_attribute(cp, ca);
-	}
-	else
-	{
-		host_t *ip;
-		iterator_t *iterator;
-
-		/* Add internal DNS servers */
-		iterator = this->dns->create_iterator(this->dns, TRUE);
-		while (iterator->iterate(iterator, (void**)&ip))
-		{
-			ca = configuration_attribute_create();
-			if (ip->get_family(ip) == AF_INET)
-			{
-				ca->set_type(ca, INTERNAL_IP4_DNS);
-			}
-			else
-			{
-				ca->set_type(ca, INTERNAL_IP6_DNS);
-			}
-			chunk = ip->get_address(ip);
-			ca->set_value(ca, chunk);
-			cp->add_configuration_attribute(cp, ca);
-		}
-		iterator->destroy(iterator);
-
-		/* Add internal WINS servers */
-		iterator = this->nbns->create_iterator(this->nbns, TRUE);
-		while (iterator->iterate(iterator, (void**)&ip))
-		{
-			ca = configuration_attribute_create();
-			if (ip->get_family(ip) == AF_INET)
-			{
-				ca->set_type(ca, INTERNAL_IP4_NBNS);
-			}
-			else
-			{
-				ca->set_type(ca, INTERNAL_IP6_NBNS);
-			}
-			chunk = ip->get_address(ip);
-			ca->set_value(ca, chunk);
-			cp->add_configuration_attribute(cp, ca);
-		}
-		iterator->destroy(iterator);
-	}
-	message->add_payload(message, (payload_t*)cp);
 }
 
 /**
@@ -203,55 +122,23 @@ static void process_attribute(private_ike_config_t *this,
 				}
 				ip = host_create_from_chunk(family, addr, 0);
 			}
-			if (ip && !this->virtual_ip)
-			{
-				this->virtual_ip = ip;
-			}
-			break;
-		}
-		case INTERNAL_IP4_DNS:
-			family = AF_INET;
-			/* fall */
-		case INTERNAL_IP6_DNS:
-		{
-			addr = ca->get_value(ca);
-			if (addr.len == 0)
-			{
-				ip = host_create_any(family);
-			}
-			else
-			{
-				ip = host_create_from_chunk(family, addr, 0);
-			}
 			if (ip)
 			{
-				this->dns->insert_last(this->dns, ip);
+				DESTROY_IF(this->virtual_ip);
+				this->virtual_ip = ip;
 			}
 			break;
 		}
-		case INTERNAL_IP4_NBNS:
-		case INTERNAL_IP6_NBNS:
-		{
-			addr = ca->get_value(ca);
-			if (addr.len == 0)
+		default:
+			if (this->initiator)
 			{
-				ip = host_create_any(family);
+				this->ike_sa->add_configuration_attribute(this->ike_sa,
+										ca->get_type(ca), ca->get_value(ca));
 			}
 			else
 			{
-				ip = host_create_from_chunk(family, addr, 0);
+				/* we do not handle attribute requests other than for VIPs */
 			}
-			if (ip)
-			{
-				this->nbns->insert_last(this->nbns, ip);
-			}
-			break;
-		}
-		default:
-			DBG1(DBG_IKE, "ignoring %N config attribute", 
-	 			 configuration_attribute_type_names,
-	 			 ca->get_type(ca));
-			break;
 	}
 }
 
@@ -260,11 +147,12 @@ static void process_attribute(private_ike_config_t *this,
  */
 static void process_payloads(private_ike_config_t *this, message_t *message)
 {
-	iterator_t *iterator, *attributes;
+	enumerator_t *enumerator;
+	iterator_t *attributes;
 	payload_t *payload;
 	
-	iterator = message->get_payload_iterator(message);
-	while (iterator->iterate(iterator, (void**)&payload))
+	enumerator = message->create_payload_enumerator(message);
+	while (enumerator->enumerate(enumerator, &payload))
 	{
 		if (payload->get_type(payload) == CONFIGURATION)
 		{
@@ -290,7 +178,7 @@ static void process_payloads(private_ike_config_t *this, message_t *message)
 			}
 		}
 	}
-	iterator->destroy(iterator);
+	enumerator->destroy(enumerator);
 }
 
 /**
@@ -298,9 +186,8 @@ static void process_payloads(private_ike_config_t *this, message_t *message)
  */
 static status_t build_i(private_ike_config_t *this, message_t *message)
 {
-	if (message->get_exchange_type(message) == IKE_AUTH &&
-		message->get_payload(message, ID_INITIATOR))
-	{
+	if (message->get_message_id(message) == 1)
+	{	/* in first IKE_AUTH only */
 		peer_cfg_t *config;
 		host_t *vip;
 		
@@ -313,12 +200,28 @@ static status_t build_i(private_ike_config_t *this, message_t *message)
 		}
 		if (vip)
 		{
-			this->virtual_ip = vip->clone(vip);
+			configuration_attribute_t *ca;
+			cp_payload_t *cp;
+			
+			cp = cp_payload_create();
+			cp->set_config_type(cp, CFG_REQUEST);
+			
+			build_vip(this, vip, cp);
+			
+			/* we currently always add a DNS request if we request an IP */
+			ca = configuration_attribute_create();
+			if (vip->get_family(vip) == AF_INET)
+			{
+				ca->set_type(ca, INTERNAL_IP4_DNS);
+			}
+			else
+			{
+				ca->set_type(ca, INTERNAL_IP6_DNS);
+			}
+			cp->add_configuration_attribute(cp, ca);
+			message->add_payload(message, (payload_t*)cp);
 		}
-		
-		build_payloads(this, message, CFG_REQUEST);
 	}
-	
 	return NEED_MORE;
 }
 
@@ -327,9 +230,8 @@ static status_t build_i(private_ike_config_t *this, message_t *message)
  */
 static status_t process_r(private_ike_config_t *this, message_t *message)
 {
-	if (message->get_exchange_type(message) == IKE_AUTH &&
-		message->get_payload(message, ID_INITIATOR))
-	{
+	if (message->get_message_id(message) == 1)
+	{	/* in first IKE_AUTH only */
 		process_payloads(this, message);
 	}
 	return NEED_MORE;
@@ -340,25 +242,28 @@ static status_t process_r(private_ike_config_t *this, message_t *message)
  */
 static status_t build_r(private_ike_config_t *this, message_t *message)
 {
-	if (message->get_exchange_type(message) == IKE_AUTH &&
-		message->get_payload(message, EXTENSIBLE_AUTHENTICATION) == NULL)
-	{
+	if (this->ike_sa->get_state(this->ike_sa) == IKE_ESTABLISHED)
+	{	/* in last IKE_AUTH exchange */
 		peer_cfg_t *config = this->ike_sa->get_peer_cfg(this->ike_sa);
 		
 		if (config && this->virtual_ip)
 		{
-			host_t *ip = NULL;
+			enumerator_t *enumerator;
+			configuration_attribute_type_t type;
+			configuration_attribute_t *ca;
+			chunk_t value;
+			cp_payload_t *cp;
+			host_t *vip = NULL;
 			
 			DBG1(DBG_IKE, "peer requested virtual IP %H", this->virtual_ip);
 			if (config->get_pool(config))
 			{
-				ip = charon->attributes->acquire_address(charon->attributes, 
+				vip = charon->attributes->acquire_address(charon->attributes, 
 									config->get_pool(config),
 									this->ike_sa->get_other_id(this->ike_sa),
-									this->ike_sa->get_other_auth(this->ike_sa),
 									this->virtual_ip);
 			}
-			if (ip == NULL)
+			if (vip == NULL)
 			{
 				DBG1(DBG_IKE, "no virtual IP found, sending %N",
 					 notify_type_names, INTERNAL_ADDRESS_FAILURE);
@@ -366,13 +271,28 @@ static status_t build_r(private_ike_config_t *this, message_t *message)
 									chunk_empty);
 				return SUCCESS;
 			}
-			DBG1(DBG_IKE, "assigning virtual IP %H to peer", ip);
-			this->ike_sa->set_virtual_ip(this->ike_sa, FALSE, ip);
+			DBG1(DBG_IKE, "assigning virtual IP %H to peer", vip);
+			this->ike_sa->set_virtual_ip(this->ike_sa, FALSE, vip);
+			
+			cp = cp_payload_create();
+			cp->set_config_type(cp, CFG_REPLY);
 			
-			this->virtual_ip->destroy(this->virtual_ip);
-			this->virtual_ip = ip;
+			build_vip(this, vip, cp);
+			vip->destroy(vip);
 			
-			build_payloads(this, message, CFG_REPLY);
+			/* if we add an IP, we also look for other attributes */
+			enumerator = charon->attributes->create_attribute_enumerator(
+				charon->attributes, this->ike_sa->get_other_id(this->ike_sa));
+			while (enumerator->enumerate(enumerator, &type, &value))
+			{
+				ca = configuration_attribute_create();
+				ca->set_type(ca, type);
+				ca->set_value(ca, value);
+				cp->add_configuration_attribute(cp, ca);
+			}
+			enumerator->destroy(enumerator);
+			
+			message->add_payload(message, (payload_t*)cp);
 		}
 		return SUCCESS;
 	}
@@ -384,39 +304,14 @@ static status_t build_r(private_ike_config_t *this, message_t *message)
  */
 static status_t process_i(private_ike_config_t *this, message_t *message)
 {
-	if (message->get_exchange_type(message) == IKE_AUTH &&
-		!message->get_payload(message, EXTENSIBLE_AUTHENTICATION))
-	{
-		host_t *ip;
-		peer_cfg_t *config;
+	if (this->ike_sa->get_state(this->ike_sa) == IKE_ESTABLISHED)
+	{	/* in last IKE_AUTH exchange */
 		
-		DESTROY_IF(this->virtual_ip);
-		this->virtual_ip = NULL;
-
 		process_payloads(this, message);
 		
-		if (this->virtual_ip == NULL)
-		{	/* force a configured virtual IP, even if server didn't return one */
-			config = this->ike_sa->get_peer_cfg(this->ike_sa);
-			this->virtual_ip = config->get_virtual_ip(config);
-			if (this->virtual_ip)
-			{
-				this->virtual_ip = this->virtual_ip->clone(this->virtual_ip);
-			}
-		}
-
-		if (this->virtual_ip && !this->virtual_ip->is_anyaddr(this->virtual_ip))
+		if (this->virtual_ip)
 		{
 			this->ike_sa->set_virtual_ip(this->ike_sa, TRUE, this->virtual_ip);
-			
-			while (this->dns->remove_last(this->dns, (void**)&ip) == SUCCESS)
-			{
-				if (!ip->is_anyaddr(ip))
-				{
-					this->ike_sa->add_dns_server(this->ike_sa, ip);
-				}
-				ip->destroy(ip);
-			}
 		}
 		return SUCCESS;
 	}
@@ -437,11 +332,9 @@ static task_type_t get_type(private_ike_config_t *this)
 static void migrate(private_ike_config_t *this, ike_sa_t *ike_sa)
 {
 	DESTROY_IF(this->virtual_ip);
-	this->dns->destroy_offset(this->dns, offsetof(host_t, destroy));
 	
 	this->ike_sa = ike_sa;
 	this->virtual_ip = NULL;
-	this->dns = linked_list_create();
 }
 
 /**
@@ -450,8 +343,6 @@ static void migrate(private_ike_config_t *this, ike_sa_t *ike_sa)
 static void destroy(private_ike_config_t *this)
 {
 	DESTROY_IF(this->virtual_ip);
-	this->dns->destroy_offset(this->dns, offsetof(host_t, destroy));
-	this->nbns->destroy_offset(this->nbns, offsetof(host_t, destroy));
 	free(this);
 }
 
@@ -461,7 +352,7 @@ static void destroy(private_ike_config_t *this)
 ike_config_t *ike_config_create(ike_sa_t *ike_sa, bool initiator)
 {
 	private_ike_config_t *this = malloc_thing(private_ike_config_t);
-
+	
 	this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
 	this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
 	this->public.task.destroy = (void(*)(task_t*))destroy;
@@ -469,9 +360,7 @@ ike_config_t *ike_config_create(ike_sa_t *ike_sa, bool initiator)
 	this->initiator = initiator;
 	this->ike_sa = ike_sa;
 	this->virtual_ip = NULL;
-	this->dns = linked_list_create();
-	this->nbns = linked_list_create();
-
+	
 	if (initiator)
 	{
 		this->public.task.build = (status_t(*)(task_t*,message_t*))build_i;
@@ -479,49 +368,10 @@ ike_config_t *ike_config_create(ike_sa_t *ike_sa, bool initiator)
 	}
 	else
 	{
-		int i;
-
-		/* assign DNS servers */
-		for (i = 1; i <= DNS_SERVER_MAX; i++)
-		{
-			char dns_key[16], *dns_str;
-
-			snprintf(dns_key, sizeof(dns_key), "charon.dns%d", i);
-			dns_str = lib->settings->get_str(lib->settings, dns_key, NULL);
-			if (dns_str)
-			{
-				host_t *dns = host_create_from_string(dns_str, 0);
-
-				if (dns)
-				{
-					DBG2(DBG_CFG, "assigning DNS server %H to peer", dns);
-					this->dns->insert_last(this->dns, dns);
-				}
-			}
-		}
-
-		/* assign WINS servers */
-		for (i = 1; i <= NBNS_SERVER_MAX; i++)
-		{
-			char nbns_key[16], *nbns_str;
-
-			snprintf(nbns_key, sizeof(nbns_key), "charon.nbns%d", i);
-			nbns_str = lib->settings->get_str(lib->settings, nbns_key, NULL);
-			if (nbns_str)
-			{
-				host_t *nbns = host_create_from_string(nbns_str, 0);
-
-				if (nbns)
-				{
-					DBG2(DBG_CFG, "assigning NBNS server %H to peer", nbns);
-					this->nbns->insert_last(this->nbns, nbns);
-				}
-			}
-		}
-
 		this->public.task.build = (status_t(*)(task_t*,message_t*))build_r;
 		this->public.task.process = (status_t(*)(task_t*,message_t*))process_r;
 	}
-
+	
 	return &this->public;
 }
+
diff --git a/src/charon/sa/tasks/ike_config.h b/src/charon/sa/tasks/ike_config.h
index cc709f4d6..32635e85e 100644
--- a/src/charon/sa/tasks/ike_config.h
+++ b/src/charon/sa/tasks/ike_config.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: ike_config.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/charon/sa/tasks/ike_delete.c b/src/charon/sa/tasks/ike_delete.c
index 1c051853c..f308a6358 100644
--- a/src/charon/sa/tasks/ike_delete.c
+++ b/src/charon/sa/tasks/ike_delete.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: ike_delete.c 4458 2008-10-17 03:44:06Z andreas $
  */
 
 #include "ike_delete.h"
@@ -56,7 +54,7 @@ static status_t build_i(private_ike_delete_t *this, message_t *message)
 {
 	delete_payload_t *delete_payload;
 
-	DBG0(DBG_IKE, "deleting IKE_SA %s[%d] between %H[%D]...%H[%D]",
+	DBG0(DBG_IKE, "deleting IKE_SA %s[%d] between %H[%Y]...%H[%Y]",
 		 this->ike_sa->get_name(this->ike_sa),
 		 this->ike_sa->get_unique_id(this->ike_sa),
 		 this->ike_sa->get_my_host(this->ike_sa),
@@ -95,7 +93,7 @@ static status_t process_r(private_ike_delete_t *this, message_t *message)
 	DBG1(DBG_IKE, "received DELETE for IKE_SA %s[%d]",
 		 this->ike_sa->get_name(this->ike_sa),
 		 this->ike_sa->get_unique_id(this->ike_sa));
-	DBG0(DBG_IKE, "deleting IKE_SA %s[%d] between %H[%D]...%H[%D]",
+	DBG0(DBG_IKE, "deleting IKE_SA %s[%d] between %H[%Y]...%H[%Y]",
 		 this->ike_sa->get_name(this->ike_sa),
 		 this->ike_sa->get_unique_id(this->ike_sa),
 		 this->ike_sa->get_my_host(this->ike_sa),
diff --git a/src/charon/sa/tasks/ike_delete.h b/src/charon/sa/tasks/ike_delete.h
index ea4e9832b..82782f393 100644
--- a/src/charon/sa/tasks/ike_delete.h
+++ b/src/charon/sa/tasks/ike_delete.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: ike_delete.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/charon/sa/tasks/ike_dpd.c b/src/charon/sa/tasks/ike_dpd.c
index 9f1d43cbf..3aa714049 100644
--- a/src/charon/sa/tasks/ike_dpd.c
+++ b/src/charon/sa/tasks/ike_dpd.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: ike_dpd.c 3589 2008-03-13 14:14:44Z martin $
  */
 
 #include "ike_dpd.h"
diff --git a/src/charon/sa/tasks/ike_dpd.h b/src/charon/sa/tasks/ike_dpd.h
index 0eadd0db7..36388d15b 100644
--- a/src/charon/sa/tasks/ike_dpd.h
+++ b/src/charon/sa/tasks/ike_dpd.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: ike_dpd.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/charon/sa/tasks/ike_init.c b/src/charon/sa/tasks/ike_init.c
index 139107480..2705f5886 100644
--- a/src/charon/sa/tasks/ike_init.c
+++ b/src/charon/sa/tasks/ike_init.c
@@ -13,8 +13,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: ike_init.c 4717 2008-11-28 09:51:44Z martin $
  */
 
 #include "ike_init.h"
@@ -170,11 +168,11 @@ static void build_payloads(private_ike_init_t *this, message_t *message)
  */
 static void process_payloads(private_ike_init_t *this, message_t *message)
 {
-	iterator_t *iterator;
+	enumerator_t *enumerator;
 	payload_t *payload;
-
-	iterator = message->get_payload_iterator(message);
-	while (iterator->iterate(iterator, (void**)&payload))
+	
+	enumerator = message->create_payload_enumerator(message);
+	while (enumerator->enumerate(enumerator, &payload))
 	{
 		switch (payload->get_type(payload))
 		{
@@ -182,7 +180,7 @@ static void process_payloads(private_ike_init_t *this, message_t *message)
 			{
 				sa_payload_t *sa_payload = (sa_payload_t*)payload;
 				linked_list_t *proposal_list;
-	
+				
 				proposal_list = sa_payload->get_proposals(sa_payload);
 				this->proposal = this->config->select_proposal(this->config,
 															   proposal_list);
@@ -225,7 +223,7 @@ static void process_payloads(private_ike_init_t *this, message_t *message)
 				break;
 		}
 	}
-	iterator->destroy(iterator);
+	enumerator->destroy(enumerator);
 }
 
 /**
@@ -317,12 +315,12 @@ static status_t process_r(private_ike_init_t *this, message_t *message)
 #ifdef ME
 	{
 		chunk_t connect_id = chunk_empty;
-		iterator_t *iterator;
+		enumerator_t *enumerator;
 		payload_t *payload;
-	
+		
 		/* check for a ME_CONNECTID notify */
-		iterator = message->get_payload_iterator(message);
-		while (iterator->iterate(iterator, (void**)&payload))
+		enumerator = message->create_payload_enumerator(message);
+		while (enumerator->enumerate(enumerator, &payload))
 		{
 			if (payload->get_type(payload) == NOTIFY)
 			{
@@ -353,7 +351,7 @@ static status_t process_r(private_ike_init_t *this, message_t *message)
 				}
 			}
 		}
-		iterator->destroy(iterator);
+		enumerator->destroy(enumerator);
 		
 		if (connect_id.ptr)
 		{
@@ -458,12 +456,12 @@ static status_t build_r(private_ike_init_t *this, message_t *message)
  */
 static status_t process_i(private_ike_init_t *this, message_t *message)
 {
-	iterator_t *iterator;
+	enumerator_t *enumerator;
 	payload_t *payload;
-
+	
 	/* check for erronous notifies */
-	iterator = message->get_payload_iterator(message);
-	while (iterator->iterate(iterator, (void**)&payload))
+	enumerator = message->create_payload_enumerator(message);
+	while (enumerator->enumerate(enumerator, &payload))
 	{
 		if (payload->get_type(payload) == NOTIFY)
 		{
@@ -489,19 +487,22 @@ static status_t process_i(private_ike_init_t *this, message_t *message)
 						this->ike_sa->reset(this->ike_sa);
 					}
 					
-					iterator->destroy(iterator);
+					enumerator->destroy(enumerator);
 					return NEED_MORE;
 				}
 				case NAT_DETECTION_SOURCE_IP:
 				case NAT_DETECTION_DESTINATION_IP:
 					/* skip, handled in ike_natd_t */
 					break;
+				case MULTIPLE_AUTH_SUPPORTED:
+					/* handled in ike_auth_t */
+					break;
 				case COOKIE:
 				{
 					chunk_free(&this->cookie);
 					this->cookie = chunk_clone(notify->get_notification_data(notify));
 					this->ike_sa->reset(this->ike_sa);
-					iterator->destroy(iterator);
+					enumerator->destroy(enumerator);
 					DBG2(DBG_IKE, "received %N notify", notify_type_names, type);
 					return NEED_MORE;
 				}
@@ -511,7 +512,7 @@ static status_t process_i(private_ike_init_t *this, message_t *message)
 					{
 						DBG1(DBG_IKE, "received %N notify error",
 							 notify_type_names, type);
-						iterator->destroy(iterator);
+						enumerator->destroy(enumerator);
 						return FAILED;	
 					}
 					DBG2(DBG_IKE, "received %N notify",
@@ -521,7 +522,7 @@ static status_t process_i(private_ike_init_t *this, message_t *message)
 			}
 		}
 	}
-	iterator->destroy(iterator);
+	enumerator->destroy(enumerator);
 	
 	process_payloads(this, message);
 
diff --git a/src/charon/sa/tasks/ike_init.h b/src/charon/sa/tasks/ike_init.h
index 84f28a98d..8d3810ef2 100644
--- a/src/charon/sa/tasks/ike_init.h
+++ b/src/charon/sa/tasks/ike_init.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: ike_init.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/charon/sa/tasks/ike_me.c b/src/charon/sa/tasks/ike_me.c
index f58d51341..d359aa339 100644
--- a/src/charon/sa/tasks/ike_me.c
+++ b/src/charon/sa/tasks/ike_me.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: ike_me.c 4640 2008-11-12 16:07:17Z martin $
  */
  
 #include "ike_me.h"
@@ -166,11 +164,11 @@ static void gather_and_add_endpoints(private_ike_me_t *this, message_t *message)
  */
 static void process_payloads(private_ike_me_t *this, message_t *message)
 {
-	iterator_t *iterator;
+	enumerator_t *enumerator;
 	payload_t *payload;
-
-	iterator = message->get_payload_iterator(message);
-	while (iterator->iterate(iterator, (void**)&payload))
+	
+	enumerator = message->create_payload_enumerator(message);
+	while (enumerator->enumerate(enumerator, &payload))
 	{
 		if (payload->get_type(payload) != NOTIFY)
 		{
@@ -237,7 +235,7 @@ static void process_payloads(private_ike_me_t *this, message_t *message)
 				break;
 		}
 	}
-	iterator->destroy(iterator);
+	enumerator->destroy(enumerator);
 }
 
 /**
@@ -339,7 +337,7 @@ static status_t process_r(private_ike_me_t *this, message_t *message)
 			
 			if (this->callback)
 			{
-				DBG1(DBG_IKE, "received ME_CALLBACK for '%D'", this->peer_id);
+				DBG1(DBG_IKE, "received ME_CALLBACK for '%Y'", this->peer_id);
 				break;
 			}			
 			
@@ -471,7 +469,7 @@ static status_t process_i(private_ike_me_t *this, message_t *message)
 			
 			if (this->failed)
 			{
-				DBG1(DBG_IKE, "peer '%D' is not online", this->peer_id);
+				DBG1(DBG_IKE, "peer '%Y' is not online", this->peer_id);
 				/* FIXME: notify the mediated connection (job?) */
 			}
 			else
diff --git a/src/charon/sa/tasks/ike_me.h b/src/charon/sa/tasks/ike_me.h
index 3bef0a7f1..4b35c313c 100644
--- a/src/charon/sa/tasks/ike_me.h
+++ b/src/charon/sa/tasks/ike_me.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: ike_me.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/charon/sa/tasks/ike_mobike.c b/src/charon/sa/tasks/ike_mobike.c
index b5e065081..9a1afe744 100644
--- a/src/charon/sa/tasks/ike_mobike.c
+++ b/src/charon/sa/tasks/ike_mobike.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: ike_mobike.c 4816 2008-12-19 14:34:40Z martin $
  */
 
 #include "ike_mobike.h"
@@ -97,12 +95,12 @@ static void flush_additional_addresses(private_ike_mobike_t *this)
  */
 static void process_payloads(private_ike_mobike_t *this, message_t *message)
 {
-	iterator_t *iterator;
+	enumerator_t *enumerator;
 	payload_t *payload;
 	bool first = TRUE;
 	
-	iterator = message->get_payload_iterator(message);
-	while (iterator->iterate(iterator, (void**)&payload))
+	enumerator = message->create_payload_enumerator(message);
+	while (enumerator->enumerate(enumerator, &payload))
 	{
 		int family = AF_INET;
 		notify_payload_t *notify;
@@ -181,7 +179,7 @@ static void process_payloads(private_ike_mobike_t *this, message_t *message)
 				break;
 		}
 	}
-	iterator->destroy(iterator);
+	enumerator->destroy(enumerator);
 }
 
 /**
@@ -332,9 +330,8 @@ static void transmit(private_ike_mobike_t *this, packet_t *packet)
  */
 static status_t build_i(private_ike_mobike_t *this, message_t *message)
 {
-	if (message->get_exchange_type(message) == IKE_AUTH &&
-		message->get_payload(message, ID_INITIATOR))
-	{
+	if (message->get_message_id(message) == 1)
+	{	/* only in first IKE_AUTH */
 		message->add_notify(message, FALSE, MOBIKE_SUPPORTED, chunk_empty);
 		build_address_list(this, message);
 	}
@@ -381,9 +378,8 @@ static status_t build_i(private_ike_mobike_t *this, message_t *message)
  */
 static status_t process_r(private_ike_mobike_t *this, message_t *message)
 {
-	if (message->get_exchange_type(message) == IKE_AUTH &&
-		message->get_payload(message, ID_INITIATOR))
-	{
+	if (message->get_message_id(message) == 1)
+	{	/* only first IKE_AUTH */
 		process_payloads(this, message);
 	}
 	else if (message->get_exchange_type(message) == INFORMATIONAL)
diff --git a/src/charon/sa/tasks/ike_mobike.h b/src/charon/sa/tasks/ike_mobike.h
index 4a2006a80..919b5ddd3 100644
--- a/src/charon/sa/tasks/ike_mobike.h
+++ b/src/charon/sa/tasks/ike_mobike.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: ike_mobike.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/charon/sa/tasks/ike_natd.c b/src/charon/sa/tasks/ike_natd.c
index eb84c876f..bb18e7bda 100644
--- a/src/charon/sa/tasks/ike_natd.c
+++ b/src/charon/sa/tasks/ike_natd.c
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: ike_natd.c 5029 2009-03-26 11:49:07Z martin $
  */
 
 #include "ike_natd.h"
@@ -166,7 +164,7 @@ static notify_payload_t *build_natd_payload(private_ike_natd_t *this,
  */
 static void process_payloads(private_ike_natd_t *this, message_t *message)
 {
-	iterator_t *iterator;
+	enumerator_t *enumerator;
 	payload_t *payload;
 	notify_payload_t *notify;
 	chunk_t hash, src_hash, dst_hash;
@@ -184,8 +182,8 @@ static void process_payloads(private_ike_natd_t *this, message_t *message)
 	DBG3(DBG_IKE, "precalculated src_hash %B", &src_hash);
 	DBG3(DBG_IKE, "precalculated dst_hash %B", &dst_hash);
 	
-	iterator = message->get_payload_iterator(message);
-	while (iterator->iterate(iterator, (void**)&payload))
+	enumerator = message->create_payload_enumerator(message);
+	while (enumerator->enumerate(enumerator, &payload))
 	{
 		if (payload->get_type(payload) != NOTIFY)
 		{
@@ -235,7 +233,7 @@ static void process_payloads(private_ike_natd_t *this, message_t *message)
 				break;
 		}
 	}
-	iterator->destroy(iterator);
+	enumerator->destroy(enumerator);
 	
 	chunk_free(&src_hash);
 	chunk_free(&dst_hash);
diff --git a/src/charon/sa/tasks/ike_natd.h b/src/charon/sa/tasks/ike_natd.h
index 155ae4b4c..698394842 100644
--- a/src/charon/sa/tasks/ike_natd.h
+++ b/src/charon/sa/tasks/ike_natd.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: ike_natd.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/charon/sa/tasks/ike_reauth.c b/src/charon/sa/tasks/ike_reauth.c
index 61701075f..80f1b7b8c 100644
--- a/src/charon/sa/tasks/ike_reauth.c
+++ b/src/charon/sa/tasks/ike_reauth.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: ike_reauth.c 4495 2008-10-28 16:07:06Z martin $
  */
 
 #include "ike_reauth.h"
@@ -100,7 +98,7 @@ static status_t process_i(private_ike_reauth_t *this, message_t *message)
 	/* we initiate the new IKE_SA of the mediation connection without CHILD_SA */
 	if (peer_cfg->is_mediation(peer_cfg))
 	{
-		if (new->initiate(new, NULL) == DESTROY_ME)
+		if (new->initiate(new, NULL, 0, NULL, NULL) == DESTROY_ME)
 		{
 			charon->ike_sa_manager->checkin_and_destroy(
 								charon->ike_sa_manager, new);
@@ -128,7 +126,7 @@ static status_t process_i(private_ike_reauth_t *this, message_t *message)
 				/* initiate/queue all child SAs */
 				child_cfg_t *child_cfg = child_sa->get_config(child_sa);
 				child_cfg->get_ref(child_cfg);
-				if (new->initiate(new, child_cfg) == DESTROY_ME)
+				if (new->initiate(new, child_cfg, 0, NULL, NULL) == DESTROY_ME)
 				{
 					iterator->destroy(iterator);
 					charon->ike_sa_manager->checkin_and_destroy(
diff --git a/src/charon/sa/tasks/ike_reauth.h b/src/charon/sa/tasks/ike_reauth.h
index 689550c92..5e97b719c 100644
--- a/src/charon/sa/tasks/ike_reauth.h
+++ b/src/charon/sa/tasks/ike_reauth.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: ike_reauth.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/charon/sa/tasks/ike_rekey.c b/src/charon/sa/tasks/ike_rekey.c
index e61d161bc..bead408a6 100644
--- a/src/charon/sa/tasks/ike_rekey.c
+++ b/src/charon/sa/tasks/ike_rekey.c
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: ike_rekey.c 4730 2008-12-01 18:38:28Z martin $
  */
 
 #include "ike_rekey.h"
@@ -177,7 +175,7 @@ static status_t build_r(private_ike_rekey_t *this, message_t *message)
 	
 	this->ike_sa->set_state(this->ike_sa, IKE_REKEYING);
 	this->new_sa->set_state(this->new_sa, IKE_ESTABLISHED);
-	DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%D]...%H[%D]",
+	DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
 		 this->new_sa->get_name(this->new_sa),
 		 this->new_sa->get_unique_id(this->new_sa),
 		 this->ike_sa->get_my_host(this->ike_sa),
@@ -193,13 +191,12 @@ static status_t build_r(private_ike_rekey_t *this, message_t *message)
  */
 static status_t process_i(private_ike_rekey_t *this, message_t *message)
 {
-	ike_sa_id_t *to_delete;
-	iterator_t *iterator;
+	enumerator_t *enumerator;
 	payload_t *payload;
-
+	
 	/* handle NO_ADDITIONAL_SAS notify */
-	iterator = message->get_payload_iterator(message);
-	while (iterator->iterate(iterator, (void**)&payload))
+	enumerator = message->create_payload_enumerator(message);
+	while (enumerator->enumerate(enumerator, &payload))
 	{
 		if (payload->get_type(payload) == NOTIFY)
 		{
@@ -213,12 +210,12 @@ static status_t process_i(private_ike_rekey_t *this, message_t *message)
 				charon->processor->queue_job(charon->processor,
 						(job_t*)rekey_ike_sa_job_create(
 									this->ike_sa->get_id(this->ike_sa), TRUE));
-				iterator->destroy(iterator);
+				enumerator->destroy(enumerator);
 				return SUCCESS;
 			}
 		}
 	}
-	iterator->destroy(iterator);
+	enumerator->destroy(enumerator);
 	
 	switch (this->ike_init->task.process(&this->ike_init->task, message))
 	{
@@ -235,7 +232,7 @@ static status_t process_i(private_ike_rekey_t *this, message_t *message)
 				DBG1(DBG_IKE, "IKE_SA rekeying failed, "
 					 					"trying again in %d seconds", retry);
 				this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
-				charon->scheduler->schedule_job(charon->scheduler, job, retry * 1000);
+				charon->scheduler->schedule_job(charon->scheduler, job, retry);
 			}
 			return SUCCESS;
 		case NEED_MORE:
@@ -245,17 +242,15 @@ static status_t process_i(private_ike_rekey_t *this, message_t *message)
 		default:
 			break;
 	}
-
+	
 	this->new_sa->set_state(this->new_sa, IKE_ESTABLISHED);
-	DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%D]...%H[%D]",
+	DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
 		 this->new_sa->get_name(this->new_sa),
 		 this->new_sa->get_unique_id(this->new_sa),
 		 this->ike_sa->get_my_host(this->ike_sa),
 		 this->ike_sa->get_my_id(this->ike_sa),
 		 this->ike_sa->get_other_host(this->ike_sa),
 		 this->ike_sa->get_other_id(this->ike_sa));
-
-	to_delete = this->ike_sa->get_id(this->ike_sa);
 	
 	/* check for collisions */
 	if (this->collision &&
@@ -273,8 +268,13 @@ static status_t process_i(private_ike_rekey_t *this, message_t *message)
 		if (memcmp(this_nonce.ptr, other_nonce.ptr, 
 				   min(this_nonce.len, other_nonce.len)) < 0)
 		{
+			/* peer should delete this SA. Add a timeout just in case. */
+			job_t *job = (job_t*)delete_ike_sa_job_create(
+									other->new_sa->get_id(other->new_sa), TRUE);
+			charon->scheduler->schedule_job(charon->scheduler, job, 10);
 			DBG1(DBG_IKE, "IKE_SA rekey collision won, deleting rekeyed IKE_SA");
 			charon->ike_sa_manager->checkin(charon->ike_sa_manager, other->new_sa);
+			other->new_sa = NULL;
 		}
 		else
 		{
@@ -285,11 +285,22 @@ static status_t process_i(private_ike_rekey_t *this, message_t *message)
 			host = this->ike_sa->get_other_host(this->ike_sa);
 			this->new_sa->set_other_host(this->new_sa, host->clone(host));
 			this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
-			to_delete = this->new_sa->get_id(this->new_sa);
-			charon->ike_sa_manager->checkin(charon->ike_sa_manager, this->new_sa);
+			if (this->new_sa->delete(this->new_sa) == DESTROY_ME)
+			{
+				charon->ike_sa_manager->checkin_and_destroy(
+										charon->ike_sa_manager, this->new_sa);
+			}
+			else
+			{
+				charon->ike_sa_manager->checkin(
+										charon->ike_sa_manager, this->new_sa);
+			}
+			/* set threads active IKE_SA after checkin */
+			charon->bus->set_sa(charon->bus, this->ike_sa);
 			/* inherit to other->new_sa in destroy() */
 			this->new_sa = other->new_sa;
 			other->new_sa = NULL;
+			return SUCCESS;
 		}
 		/* set threads active IKE_SA after checkin */
 		charon->bus->set_sa(charon->bus, this->ike_sa);
diff --git a/src/charon/sa/tasks/ike_rekey.h b/src/charon/sa/tasks/ike_rekey.h
index ab82789f3..6748279ab 100644
--- a/src/charon/sa/tasks/ike_rekey.h
+++ b/src/charon/sa/tasks/ike_rekey.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: ike_rekey.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/charon/sa/tasks/task.c b/src/charon/sa/tasks/task.c
index fd15379f3..9e35b62a5 100644
--- a/src/charon/sa/tasks/task.c
+++ b/src/charon/sa/tasks/task.c
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: task.c 4618 2008-11-11 09:22:00Z tobias $
  */
 
 #include "task.h"
diff --git a/src/charon/sa/tasks/task.h b/src/charon/sa/tasks/task.h
index a5eb2caa3..f9b409f35 100644
--- a/src/charon/sa/tasks/task.h
+++ b/src/charon/sa/tasks/task.h
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: task.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/charon/sa/trap_manager.c b/src/charon/sa/trap_manager.c
new file mode 100644
index 000000000..a74fab93f
--- /dev/null
+++ b/src/charon/sa/trap_manager.c
@@ -0,0 +1,371 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "trap_manager.h"
+
+#include <daemon.h>
+#include <utils/mutex.h>
+#include <utils/linked_list.h>
+
+
+typedef struct private_trap_manager_t private_trap_manager_t;
+typedef struct trap_listener_t trap_listener_t;
+
+/**
+ * listener to track acquires
+ */
+struct trap_listener_t {
+	
+	/**
+	 * Implements listener interface
+	 */
+	listener_t listener;
+	
+	/**
+	 * points to trap_manager
+	 */
+	private_trap_manager_t *traps;
+};
+
+/**
+ * Private data of an trap_manager_t object.
+ */
+struct private_trap_manager_t {
+	
+	/**
+	 * Public trap_manager_t interface.
+	 */
+	trap_manager_t public;
+	
+	/**
+	 * Installed traps, as entry_t
+	 */
+	linked_list_t *traps;
+	
+	/**
+	 * read write lock for traps list
+	 */
+	rwlock_t *lock;
+	
+	/**
+	 * listener to track acquiring IKE_SAs
+	 */
+	trap_listener_t listener;
+};
+
+/**
+ * A installed trap entry
+ */
+typedef struct {
+	/** ref to peer_cfg to initiate */
+	peer_cfg_t *peer_cfg;
+	/** ref to instanciated CHILD_SA */
+	child_sa_t *child_sa;
+	/** pending IKE_SA connecting upon acquire */
+	ike_sa_t *pending;
+} entry_t;
+
+/**
+ * actually uninstall and destroy an installed entry
+ */
+static void destroy_entry(entry_t *entry)
+{
+	entry->child_sa->destroy(entry->child_sa);
+	entry->peer_cfg->destroy(entry->peer_cfg);
+	free(entry);
+}
+
+/**
+ * Implementation of trap_manager_t.install
+ */
+static u_int32_t install(private_trap_manager_t *this, peer_cfg_t *peer,
+					 child_cfg_t *child)
+{
+	entry_t *entry;
+	ike_cfg_t *ike_cfg;
+	child_sa_t *child_sa;
+	host_t *me, *other;
+	linked_list_t *my_ts, *other_ts;
+	enumerator_t *enumerator;
+	bool found = FALSE;
+	status_t status;
+	u_int32_t reqid;
+	
+	/* check if not already done */
+	this->lock->read_lock(this->lock);
+	enumerator = this->traps->create_enumerator(this->traps);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (streq(entry->child_sa->get_name(entry->child_sa),
+				  child->get_name(child)))
+		{
+			found = TRUE;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
+	if (found)
+	{
+		DBG1(DBG_CFG, "CHILD_SA named '%s' already routed",
+			 child->get_name(child));
+		return 0;
+	}
+	
+	/* try to resolve addresses */
+	ike_cfg = peer->get_ike_cfg(peer);
+	other = host_create_from_dns(ike_cfg->get_other_addr(ike_cfg), 
+								 0, IKEV2_UDP_PORT);
+	if (!other)
+	{
+		DBG1(DBG_CFG, "installing trap failed, remote address unknown");
+		return 0;
+	}
+	me = host_create_from_dns(ike_cfg->get_my_addr(ike_cfg),
+							  other->get_family(other), IKEV2_UDP_PORT);
+	if (!me || me->is_anyaddr(me))
+	{
+		DESTROY_IF(me);
+		me = charon->kernel_interface->get_source_addr(
+									charon->kernel_interface, other, NULL);
+		if (!me)
+		{
+			DBG1(DBG_CFG, "installing trap failed, local address unknown");
+			other->destroy(other);
+			return 0;
+		}
+		me->set_port(me, IKEV2_UDP_PORT);
+	}
+	
+	/* create and route CHILD_SA */
+	child_sa = child_sa_create(me, other, child, 0, FALSE);
+	my_ts = child->get_traffic_selectors(child, TRUE, NULL, me);
+	other_ts = child->get_traffic_selectors(child, FALSE, NULL, other);
+	me->destroy(me);
+	other->destroy(other);
+	
+	child_sa->set_mode(child_sa, child->get_mode(child));
+	status = child_sa->add_policies(child_sa, my_ts, other_ts);
+	my_ts->destroy_offset(my_ts, offsetof(traffic_selector_t, destroy));
+	other_ts->destroy_offset(other_ts, offsetof(traffic_selector_t, destroy));
+	if (status != SUCCESS)
+	{
+		child_sa->destroy(child_sa);
+		DBG1(DBG_CFG, "installing trap failed");
+		return 0;
+	}
+	
+	reqid = child_sa->get_reqid(child_sa);
+	entry = malloc_thing(entry_t);
+	entry->child_sa = child_sa;
+	entry->peer_cfg = peer->get_ref(peer);
+	entry->pending = NULL;
+	
+	this->lock->write_lock(this->lock);
+	this->traps->insert_last(this->traps, entry);
+	this->lock->unlock(this->lock);
+	
+	return reqid;
+}
+
+/**
+ * Implementation of trap_manager_t.uninstall
+ */
+static bool uninstall(private_trap_manager_t *this, u_int32_t reqid)
+{
+	enumerator_t *enumerator;
+	entry_t *entry, *found = NULL;
+	
+	this->lock->write_lock(this->lock);
+	enumerator = this->traps->create_enumerator(this->traps);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (entry->child_sa->get_reqid(entry->child_sa) == reqid)
+		{
+			this->traps->remove_at(this->traps, enumerator);
+			found = entry;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
+	
+	if (!found)
+	{
+		DBG1(DBG_CFG, "trap %d not found to uninstall", reqid);
+		return FALSE;
+	}
+	
+	destroy_entry(found);
+	return TRUE;
+}
+
+/**
+ * convert enumerated entries to peer_cfg, child_sa
+ */
+static bool trap_filter(rwlock_t *lock, entry_t **entry, peer_cfg_t **peer_cfg,
+						void *none, child_sa_t **child_sa)
+{
+	if (peer_cfg)
+	{
+		*peer_cfg = (*entry)->peer_cfg;
+	}
+	if (child_sa)
+	{
+		*child_sa = (*entry)->child_sa;
+	}
+	return TRUE;
+}
+
+/**
+ * Implementation of trap_manager_t.create_enumerator
+ */
+static enumerator_t* create_enumerator(private_trap_manager_t *this)
+{
+	this->lock->read_lock(this->lock);
+	return enumerator_create_filter(this->traps->create_enumerator(this->traps),
+									(void*)trap_filter, this->lock,
+									(void*)this->lock->unlock);
+}
+
+/**
+ * Implementation of trap_manager_t.acquire
+ */
+static void acquire(private_trap_manager_t *this, u_int32_t reqid,
+					traffic_selector_t *src, traffic_selector_t *dst)
+{
+	enumerator_t *enumerator;
+	entry_t *entry, *found = NULL;
+	peer_cfg_t *peer;
+	child_cfg_t *child;
+	ike_sa_t *ike_sa;
+	
+	this->lock->read_lock(this->lock);
+	enumerator = this->traps->create_enumerator(this->traps);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (entry->child_sa->get_reqid(entry->child_sa) == reqid)
+		{
+			found = entry;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	
+	if (!found)
+	{
+		DBG1(DBG_CFG, "trap not found, unable to acquire reqid %d",reqid);
+	}
+	else if (found->pending)
+	{
+		DBG1(DBG_CFG, "ignoring acquire, connection attempt pending");
+	}
+	else
+	{
+		child = found->child_sa->get_config(found->child_sa);
+		peer = found->peer_cfg;
+		ike_sa = charon->ike_sa_manager->checkout_by_config(
+												charon->ike_sa_manager, peer);
+		if (ike_sa->get_peer_cfg(ike_sa) == NULL)
+		{
+			ike_sa->set_peer_cfg(ike_sa, peer);
+		}
+		child->get_ref(child);
+		reqid = found->child_sa->get_reqid(found->child_sa);
+		if (ike_sa->initiate(ike_sa, child, reqid, src, dst) != DESTROY_ME)
+		{
+			found->pending = ike_sa;
+			charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+		}
+		else
+		{
+			charon->ike_sa_manager->checkin_and_destroy(
+												charon->ike_sa_manager, ike_sa);
+		}
+	}
+	this->lock->unlock(this->lock);
+}
+
+/**
+ * Implementation of listener_t.ike_state_change
+ */
+static bool ike_state_change(trap_listener_t *listener, ike_sa_t *ike_sa,
+							 ike_sa_state_t state)
+{
+	private_trap_manager_t *this;
+	enumerator_t *enumerator;
+	entry_t *entry;
+	
+	switch (state)
+	{
+		case IKE_ESTABLISHED:
+		case IKE_DESTROYING:
+			break;
+		default:
+			return TRUE;
+	}
+	
+	this = listener->traps;
+	this->lock->read_lock(this->lock);
+	enumerator = this->traps->create_enumerator(this->traps);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (entry->pending == ike_sa)
+		{
+			entry->pending = NULL;
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
+	return TRUE;
+}
+
+/**
+ * Implementation of trap_manager_t.destroy.
+ */
+static void destroy(private_trap_manager_t *this)
+{
+	charon->bus->remove_listener(charon->bus, &this->listener.listener);
+	this->traps->invoke_function(this->traps, (void*)destroy_entry);
+	this->traps->destroy(this->traps);
+	this->lock->destroy(this->lock);
+	free(this);
+}
+
+/**
+ * See header
+ */
+trap_manager_t *trap_manager_create()
+{
+	private_trap_manager_t *this = malloc_thing(private_trap_manager_t);
+	
+	this->public.install = (u_int(*)(trap_manager_t*, peer_cfg_t *peer, child_cfg_t *child))install;
+	this->public.uninstall = (bool(*)(trap_manager_t*, u_int32_t id))uninstall;
+	this->public.create_enumerator = (enumerator_t*(*)(trap_manager_t*))create_enumerator;
+	this->public.acquire = (void(*)(trap_manager_t*, u_int32_t reqid, traffic_selector_t *src, traffic_selector_t *dst))acquire;
+	this->public.destroy = (void(*)(trap_manager_t*))destroy;
+	
+	this->traps = linked_list_create();
+	this->lock = rwlock_create(RWLOCK_DEFAULT);
+	
+	/* register listener for IKE state changes */
+	this->listener.traps = this;
+	memset(&this->listener.listener, 0, sizeof(listener_t));
+	this->listener.listener.ike_state_change = (void*)ike_state_change;
+	charon->bus->add_listener(charon->bus, &this->listener.listener);
+	
+	return &this->public;
+}
+
diff --git a/src/charon/sa/trap_manager.h b/src/charon/sa/trap_manager.h
new file mode 100644
index 000000000..cb6907cdc
--- /dev/null
+++ b/src/charon/sa/trap_manager.h
@@ -0,0 +1,81 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup trap_manager trap_manager
+ * @{ @ingroup sa
+ */
+
+#ifndef TRAP_MANAGER_H_
+#define TRAP_MANAGER_H_
+
+#include <library.h>
+#include <utils/enumerator.h>
+#include <config/peer_cfg.h>
+
+typedef struct trap_manager_t trap_manager_t;
+
+/**
+ * Manage policies to create SAs from traffic.
+ */
+struct trap_manager_t {
+	
+	/**
+	 * Install a policy as a trap.
+	 *
+	 * @param peer		peer configuration to initiate on trap
+	 * @param child 	child configuration to install as a trap
+	 * @return			reqid of installed CHILD_SA, 0 if failed
+	 */
+	u_int32_t (*install)(trap_manager_t *this, peer_cfg_t *peer,
+						 child_cfg_t *child);
+	
+	/**
+	 * Uninstall a trap policy.
+	 *
+	 * @param id		reqid of CHILD_SA to uninstall, returned by install()
+	 * @return			TRUE if uninstalled successfully
+	 */
+	bool (*uninstall)(trap_manager_t *this, u_int32_t reqid);
+	
+	/**
+	 * Create an enumerator over all installed traps.
+	 *
+	 * @return			enumerator over (peer_cfg_t, child_sa_t)
+	 */
+	enumerator_t* (*create_enumerator)(trap_manager_t *this);
+	
+	/**
+	 * Acquire an SA triggered by an installed trap.
+	 *
+	 * @param reqid		requid of the triggering CHILD_SA
+	 * @param src		source of the triggering packet
+	 * @param dst		destination of the triggering packet
+	 */
+	void (*acquire)(trap_manager_t *this, u_int32_t reqid,
+					traffic_selector_t *src, traffic_selector_t *dst);
+	
+	/**
+	 * Destroy a trap_manager_t.
+	 */
+	void (*destroy)(trap_manager_t *this);
+};
+
+/**
+ * Create a trap_manager instance.
+ */
+trap_manager_t *trap_manager_create();
+
+#endif /* TRAP_MANAGER_ @}*/
diff --git a/src/dumm/Makefile.am b/src/dumm/Makefile.am
index 029290fb6..b7fb3f7c8 100644
--- a/src/dumm/Makefile.am
+++ b/src/dumm/Makefile.am
@@ -1,4 +1,4 @@
-EXTRA_DIST = ext/dumm.c ext/extconf.rb ext/README \
+EXTRA_DIST = ext/dumm.c ext/README \
   ext/lib/dumm.rb ext/lib/dumm/guest.rb
 
 lib_LTLIBRARIES = libdumm.la
@@ -15,5 +15,18 @@ dumm_LDADD = libdumm.la ${gtk_LIBS}
 irdumm_LDADD = libdumm.la -lruby1.8
 
 INCLUDES = -I$(top_srcdir)/src/libstrongswan ${gtk_CFLAGS} \
-  -I/usr/lib/ruby/1.8/i486-linux/
+  ${RUBYINCLUDE}
 AM_CFLAGS = -D_FILE_OFFSET_BITS=64
+
+all-local: ext
+
+clean-local:
+	(test -f ext/Makefile && cd ext && $(MAKE) clean && rm Makefile || true)
+
+install-data-local:
+	(test -f ext/Makefile && cd ext && $(MAKE) install)
+
+ext:	libdumm.la
+	(cd ext && $(RUBY) extconf.rb && $(MAKE))
+
+.PHONY: ext
diff --git a/src/dumm/Makefile.in b/src/dumm/Makefile.in
index 6cf2a88af..fdbf41f47 100644
--- a/src/dumm/Makefile.in
+++ b/src/dumm/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -97,6 +97,7 @@ CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -119,6 +120,9 @@ LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -130,6 +134,7 @@ MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
 NM = @NM@
 NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
@@ -143,6 +148,8 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 RANLIB = @RANLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -203,6 +210,7 @@ oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
 plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -214,11 +222,12 @@ srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-EXTRA_DIST = ext/dumm.c ext/extconf.rb ext/README \
+EXTRA_DIST = ext/dumm.c ext/README \
   ext/lib/dumm.rb ext/lib/dumm/guest.rb
 
 lib_LTLIBRARIES = libdumm.la
@@ -233,7 +242,7 @@ libdumm_la_LIBADD = $(top_builddir)/src/libstrongswan/libstrongswan.la \
 dumm_LDADD = libdumm.la ${gtk_LIBS}
 irdumm_LDADD = libdumm.la -lruby1.8
 INCLUDES = -I$(top_srcdir)/src/libstrongswan ${gtk_CFLAGS} \
-  -I/usr/lib/ruby/1.8/i486-linux/
+  ${RUBYINCLUDE}
 
 AM_CFLAGS = -D_FILE_OFFSET_BITS=64
 all: all-am
@@ -244,8 +253,8 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
 	    *$$dep*) \
-	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
-		&& exit 0; \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
 	      exit 1;; \
 	  esac; \
 	done; \
@@ -380,7 +389,7 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
 	mkid -fID $$unique
 tags: TAGS
@@ -450,7 +459,7 @@ distdir: $(DISTFILES)
 	done
 check-am: all-am
 check: check-am
-all-am: Makefile $(LTLIBRARIES) $(PROGRAMS)
+all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) all-local
 installdirs:
 	for dir in "$(DESTDIR)$(libdir)" "$(DESTDIR)$(ipsecdir)"; do \
 	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
@@ -482,7 +491,7 @@ maintainer-clean-generic:
 clean: clean-am
 
 clean-am: clean-generic clean-ipsecPROGRAMS clean-libLTLIBRARIES \
-	clean-libtool mostlyclean-am
+	clean-libtool clean-local mostlyclean-am
 
 distclean: distclean-am
 	-rm -rf ./$(DEPDIR)
@@ -500,7 +509,7 @@ info: info-am
 
 info-am:
 
-install-data-am: install-ipsecPROGRAMS
+install-data-am: install-data-local install-ipsecPROGRAMS
 
 install-dvi: install-dvi-am
 
@@ -540,21 +549,35 @@ uninstall-am: uninstall-ipsecPROGRAMS uninstall-libLTLIBRARIES
 
 .MAKE: install-am install-strip
 
-.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
-	clean-ipsecPROGRAMS clean-libLTLIBRARIES clean-libtool ctags \
-	distclean distclean-compile distclean-generic \
-	distclean-libtool distclean-tags distdir dvi dvi-am html \
-	html-am info info-am install install-am install-data \
-	install-data-am install-dvi install-dvi-am install-exec \
-	install-exec-am install-html install-html-am install-info \
-	install-info-am install-ipsecPROGRAMS install-libLTLIBRARIES \
-	install-man install-pdf install-pdf-am install-ps \
-	install-ps-am install-strip installcheck installcheck-am \
-	installdirs maintainer-clean maintainer-clean-generic \
-	mostlyclean mostlyclean-compile mostlyclean-generic \
-	mostlyclean-libtool pdf pdf-am ps ps-am tags uninstall \
-	uninstall-am uninstall-ipsecPROGRAMS uninstall-libLTLIBRARIES
+.PHONY: CTAGS GTAGS all all-am all-local check check-am clean \
+	clean-generic clean-ipsecPROGRAMS clean-libLTLIBRARIES \
+	clean-libtool clean-local ctags distclean distclean-compile \
+	distclean-generic distclean-libtool distclean-tags distdir dvi \
+	dvi-am html html-am info info-am install install-am \
+	install-data install-data-am install-data-local install-dvi \
+	install-dvi-am install-exec install-exec-am install-html \
+	install-html-am install-info install-info-am \
+	install-ipsecPROGRAMS install-libLTLIBRARIES install-man \
+	install-pdf install-pdf-am install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-ipsecPROGRAMS uninstall-libLTLIBRARIES
+
+
+all-local: ext
+
+clean-local:
+	(test -f ext/Makefile && cd ext && $(MAKE) clean && rm Makefile || true)
+
+install-data-local:
+	(test -f ext/Makefile && cd ext && $(MAKE) install)
+
+ext:	libdumm.la
+	(cd ext && $(RUBY) extconf.rb && $(MAKE))
 
+.PHONY: ext
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/src/dumm/bridge.h b/src/dumm/bridge.h
index 79a0a3a72..37b22a03e 100644
--- a/src/dumm/bridge.h
+++ b/src/dumm/bridge.h
@@ -24,19 +24,19 @@ typedef struct bridge_t bridge_t;
 #include "iface.h"
 
 /**
- * @brief Interface in a guest, connected to a tap device on the host.
+ * Interface in a guest, connected to a tap device on the host.
  */
 struct bridge_t {
 	
 	/**
-	 * @brief Get the name of the bridge.
+	 * Get the name of the bridge.
 	 *
 	 * @return			name of the bridge
 	 */
 	char* (*get_name)(bridge_t *this);
 	
 	/**
-	 * @brief Add an interface to a bridge.
+	 * Add an interface to a bridge.
 	 *
 	 * @param iface		interface to add
 	 * @return			TRUE if interface added
@@ -44,7 +44,7 @@ struct bridge_t {
 	bool (*connect_iface)(bridge_t *this, iface_t *iface);
 	
 	/**
-	 * @brief Remove an interface from a bridge.
+	 * Remove an interface from a bridge.
 	 *
 	 * @param iface		interface to remove
 	 * @return			TRUE if interface removed
@@ -52,20 +52,20 @@ struct bridge_t {
 	bool (*disconnect_iface)(bridge_t *this, iface_t *iface);
 	
 	/**
-	 * @brief Create an enumerator over all interfaces.
+	 * Create an enumerator over all interfaces.
 	 *
 	 * @return 			enumerator over iface_t's
 	 */
 	enumerator_t* (*create_iface_enumerator)(bridge_t *this);	
 	
 	/**
-	 * @brief Destroy a bridge
+	 * Destroy a bridge
 	 */
 	void (*destroy) (bridge_t *this);
 };
 
 /**
- * @brief Create a new bridge.
+ * Create a new bridge.
  *
  * @param name		name of the bridge to create
  * @return			bridge, NULL if failed
diff --git a/src/dumm/cowfs.c b/src/dumm/cowfs.c
index 88041811e..69f008976 100644
--- a/src/dumm/cowfs.c
+++ b/src/dumm/cowfs.c
@@ -96,7 +96,7 @@ static void rel(const char **path)
 static int get_rd(const char *path)
 {
 	private_cowfs_t *this = get_this();
-
+	
 	if (this->over_fd > 0 && faccessat(this->over_fd, path, F_OK, 0) == 0)
 	{
 		return this->over_fd;
@@ -223,7 +223,7 @@ static int copy(const char *path)
 static int cowfs_getattr(const char *path, struct stat *stbuf)
 {
 	rel(&path);
-
+	
 	if (fstatat(get_rd(path), path, stbuf, AT_SYMLINK_NOFOLLOW) < 0)
 	{
 		return -errno;
@@ -242,7 +242,7 @@ static int cowfs_access(const char *path, int mask)
 	{
 		return -errno;
 	}
-    return 0;
+	return 0;
 }
 
 /**
@@ -251,16 +251,16 @@ static int cowfs_access(const char *path, int mask)
 static int cowfs_readlink(const char *path, char *buf, size_t size)
 {
 	int res;
-
+	
 	rel(&path);
 	
 	res = readlinkat(get_rd(path), path, buf, size - 1);
-    if (res < 0)
-    {
-        return -errno;
+	if (res < 0)
+	{
+		return -errno;
 	}
-    buf[res] = '\0';
-    return 0;
+	buf[res] = '\0';
+	return 0;
 }
 
 /**
@@ -329,7 +329,7 @@ static int cowfs_readdir(const char *path, void *buf, fuse_fill_dir_t filler,
 			{
 				st.st_ino = ent->d_ino;
 				st.st_mode = ent->d_type << 12;
-	        	filler(buf, ent->d_name, &st, 0);
+				filler(buf, ent->d_name, &st, 0);
 			}
 		}
 		closedir(d1);
@@ -343,7 +343,7 @@ static int cowfs_readdir(const char *path, void *buf, fuse_fill_dir_t filler,
 			{
 				st.st_ino = ent->d_ino;
 				st.st_mode = ent->d_type << 12;
-	        	filler(buf, ent->d_name, &st, 0);
+				filler(buf, ent->d_name, &st, 0);
 			}
 		}
 		closedir(d2);
@@ -355,11 +355,11 @@ static int cowfs_readdir(const char *path, void *buf, fuse_fill_dir_t filler,
 		{
 			st.st_ino = ent->d_ino;
 			st.st_mode = ent->d_type << 12;
-        	filler(buf, ent->d_name, &st, 0);
+			filler(buf, ent->d_name, &st, 0);
 		}
 		closedir(d3);
 	}
-    return 0;
+	return 0;
 }
 
 /**
@@ -369,13 +369,13 @@ static int cowfs_mknod(const char *path, mode_t mode, dev_t rdev)
 {
 	int fd;
 	rel(&path);
-
+	
 	fd = get_wr(path);
 	if (!clone_path(get_rd(path), fd, path))
 	{
 		return -errno;
 	}
-
+	
 	if (mknodat(fd, path, mode, rdev) < 0)
 	{
 		return -errno;
@@ -390,7 +390,7 @@ static int cowfs_mkdir(const char *path, mode_t mode)
 {
 	int fd;
 	rel(&path);
-
+	
 	fd = get_wr(path);
 	if (!clone_path(get_rd(path), fd, path))
 	{
@@ -415,7 +415,7 @@ static int cowfs_unlink(const char *path)
 	{
 		return -errno;
 	}
-    return 0;
+	return 0;
 }
 
 /**
@@ -430,7 +430,7 @@ static int cowfs_rmdir(const char *path)
 	{
 		return -errno;
 	}
-    return 0;
+	return 0;
 }
 
 /**
@@ -440,10 +440,10 @@ static int cowfs_symlink(const char *from, const char *to)
 {
 	int fd;
 	const char *fromrel = from;
-
+	
 	rel(&to);
 	rel(&fromrel);
-
+	
 	fd = get_wr(to);
 	if (!clone_path(get_rd(fromrel), fd, fromrel))
 	{
@@ -462,24 +462,18 @@ static int cowfs_symlink(const char *from, const char *to)
 static int cowfs_rename(const char *from, const char *to)
 {
 	int fd;
-	private_cowfs_t *this = get_this();
-
+	
 	rel(&from);
 	rel(&to);
-
-	fd = get_rd(from);
-	if (fd == this->master_fd)
+	
+	fd = copy(from);
+	if (fd < 0)
 	{
-		fd = copy(from);
-		if (fd < 0)
-		{
-			return -errno;
-		}
+		return -errno;
 	}
-	
 	if (renameat(fd, from, get_wr(to), to) < 0)
 	{
-	    return -errno;
+		return -errno;
 	}
 	return 0;
 }
@@ -490,7 +484,7 @@ static int cowfs_rename(const char *from, const char *to)
 static int cowfs_link(const char *from, const char *to)
 {
 	int rd, wr;
-
+	
 	rel(&from);
 	rel(&to);
 	
@@ -502,12 +496,12 @@ static int cowfs_link(const char *from, const char *to)
 		DBG1("cloning path '%s' failed", to);
 		return -errno;
 	}
-    if (linkat(rd, from, wr, to, 0) < 0)
-    {
+	if (linkat(rd, from, wr, to, 0) < 0)
+	{
 		DBG1("linking '%s' to '%s' failed", from, to);
-    	return -errno;
+		return -errno;
 	}
-    return 0;
+	return 0;
 }
 
 /**
@@ -517,25 +511,21 @@ static int cowfs_chmod(const char *path, mode_t mode)
 {
 	int fd;
 	struct stat st;
-	private_cowfs_t *this = get_this();
 	
 	rel(&path);
 	fd = get_rd(path);
-	if (fd == this->master_fd)
+	if (fstatat(fd, path, &st, 0) < 0)
 	{
-		if (fstatat(fd, path, &st, 0) < 0)
-		{
-			return -errno;
-		}
-		if (st.st_mode == mode)
-		{
-			return 0;
-		}
-		fd = copy(path);
-		if (fd < 0)
-		{
-			return -errno;
-		}
+		return -errno;
+	}
+	if (st.st_mode == mode)
+	{
+		return 0;
+	}
+	fd = copy(path);
+	if (fd < 0)
+	{
+		return -errno;
 	}
 	if (fchmodat(fd, path, mode, 0) < 0)
 	{
@@ -551,25 +541,21 @@ static int cowfs_chown(const char *path, uid_t uid, gid_t gid)
 {
 	int fd;
 	struct stat st;
-	private_cowfs_t *this = get_this();
 	
 	rel(&path);
 	fd = get_rd(path);
-	if (fd == this->master_fd)
+	if (fstatat(fd, path, &st, 0) < 0)
 	{
-		if (fstatat(fd, path, &st, 0) < 0)
-		{
-			return -errno;
-		}
-		if (st.st_uid == uid && st.st_gid == gid)
-		{
-			return 0;
-		}
-		fd = copy(path);
-		if (fd < 0)
-		{
-			return -errno;
-		}
+		return -errno;
+	}
+	if (st.st_uid == uid && st.st_gid == gid)
+	{
+		return 0;
+	}
+	fd = copy(path);
+	if (fd < 0)
+	{
+		return -errno;
 	}
 	if (fchownat(fd, path, uid, gid, AT_SYMLINK_NOFOLLOW) < 0)
 	{
@@ -586,25 +572,20 @@ static int cowfs_truncate(const char *path, off_t size)
 	int fd;
 	struct stat st;
 	
-	private_cowfs_t *this = get_this();
-
 	rel(&path);
 	fd = get_rd(path);
-	if (fd == this->master_fd)
+	if (fstatat(fd, path, &st, 0) < 0)
 	{
-		if (fstatat(fd, path, &st, 0) < 0)
-		{
-			return -errno;
-		}
-		if (st.st_size == size)
-		{
-			return 0;
-		}
-		fd = copy(path);
-		if (fd < 0)
-		{
-			return -errno;
-		}
+		return -errno;
+	}
+	if (st.st_size == size)
+	{
+		return 0;
+	}
+	fd = copy(path);
+	if (fd < 0)
+	{
+		return -errno;
 	}
 	fd = openat(fd, path, O_WRONLY);
 	if (fd < 0)
@@ -627,24 +608,19 @@ static int cowfs_utimens(const char *path, const struct timespec ts[2])
 {
 	struct timeval tv[2];
 	int fd;
-	private_cowfs_t *this = get_this();
-
+	
 	rel(&path);
-	fd = get_rd(path);
-	if (fd == this->master_fd)
+	fd = copy(path);
+	if (fd < 0)
 	{
-		fd = copy(path);
-		if (fd < 0)
-		{
-			return -errno;
-		}
+		return -errno;
 	}
-
+	
 	tv[0].tv_sec = ts[0].tv_sec;
 	tv[0].tv_usec = ts[0].tv_nsec / 1000;
 	tv[1].tv_sec = ts[1].tv_sec;
 	tv[1].tv_usec = ts[1].tv_nsec / 1000;
-
+	
 	if (futimesat(fd, path, tv) < 0)
 	{
 		return -errno;
@@ -658,10 +634,10 @@ static int cowfs_utimens(const char *path, const struct timespec ts[2])
 static int cowfs_open(const char *path, struct fuse_file_info *fi)
 {
 	int fd;
-
+	
 	rel(&path);
 	fd = get_rd(path);
-
+	
 	fd = openat(fd, path, fi->flags);
 	if (fd < 0)
 	{
@@ -678,11 +654,11 @@ static int cowfs_read(const char *path, char *buf, size_t size, off_t offset,
 					  struct fuse_file_info *fi)
 {
 	int file, fd, res;
-
+	
 	rel(&path);
-
+	
 	fd = get_rd(path);
-
+	
 	file = openat(fd, path, O_RDONLY);
 	if (file < 0)
 	{
@@ -704,20 +680,14 @@ static int cowfs_read(const char *path, char *buf, size_t size, off_t offset,
 static int cowfs_write(const char *path, const char *buf, size_t size,
 					   off_t offset, struct fuse_file_info *fi)
 {
-	private_cowfs_t *this = get_this();
 	int file, fd, res;
-
+	
 	rel(&path);
-
-	fd = get_wr(path);
-	if (fd == this->master_fd ||
-		(this->over_fd > 0 && fd == this->host_fd))
+	
+	fd = copy(path);
+	if (fd < 0)
 	{
-		fd = copy(path);
-		if (fd < 0)
-		{
-			return -errno;
-		}
+		return -errno;
 	}
 	file = openat(fd, path, O_WRONLY);
 	if (file < 0)
@@ -738,21 +708,15 @@ static int cowfs_write(const char *path, const char *buf, size_t size,
  */
 static int cowfs_statfs(const char *path, struct statvfs *stbuf)
 {
-	private_cowfs_t *this = get_this();
 	int fd;
 	
-	fd = this->host_fd;
-	if (this->over_fd > 0)
-	{
-		fd = this->over_fd;
-	}
-
+	fd = get_rd(path);
 	if (fstatvfs(fd, stbuf) < 0)
 	{
 		return -errno;
 	}
 	
-    return 0;
+	return 0;
 }
 
 /** 
@@ -771,26 +735,26 @@ static void *cowfs_init(struct fuse_conn_info *conn)
  * FUSE method vectors
  */
 static struct fuse_operations cowfs_operations = {
-    .getattr	= cowfs_getattr,
-    .access		= cowfs_access,
-    .readlink	= cowfs_readlink,
-    .readdir	= cowfs_readdir,
-    .mknod		= cowfs_mknod,
-    .mkdir		= cowfs_mkdir,
-    .symlink	= cowfs_symlink,
-    .unlink		= cowfs_unlink,
-    .rmdir		= cowfs_rmdir,
-    .rename		= cowfs_rename,
-    .link		= cowfs_link,
-    .chmod		= cowfs_chmod,
-    .chown		= cowfs_chown,
-    .truncate	= cowfs_truncate,
-    .utimens	= cowfs_utimens,
-    .open		= cowfs_open,
-    .read		= cowfs_read,
-    .write		= cowfs_write,
-    .statfs		= cowfs_statfs,
-    .init		= cowfs_init,
+	.getattr	= cowfs_getattr,
+	.access		= cowfs_access,
+	.readlink	= cowfs_readlink,
+	.readdir	= cowfs_readdir,
+	.mknod		= cowfs_mknod,
+	.mkdir		= cowfs_mkdir,
+	.symlink	= cowfs_symlink,
+	.unlink		= cowfs_unlink,
+	.rmdir		= cowfs_rmdir,
+	.rename		= cowfs_rename,
+	.link		= cowfs_link,
+	.chmod		= cowfs_chmod,
+	.chown		= cowfs_chown,
+	.truncate	= cowfs_truncate,
+	.utimens	= cowfs_utimens,
+	.open		= cowfs_open,
+	.read		= cowfs_read,
+	.write		= cowfs_write,
+	.statfs		= cowfs_statfs,
+	.init		= cowfs_init,
 };
 
 /**
@@ -854,63 +818,63 @@ cowfs_t *cowfs_create(char *master, char *host, char *mount)
 	this->public.set_overlay = (bool(*)(cowfs_t*, char *path))set_overlay;
 	this->public.destroy = (void(*)(cowfs_t*))destroy;
 	
-    this->master_fd = open(master, O_RDONLY | O_DIRECTORY);
-    if (this->master_fd < 0)
-    {
-    	DBG1("failed to open master filesystem '%s'", master);
-    	free(this);
-    	return NULL;
-    }
-    this->host_fd = open(host, O_RDONLY | O_DIRECTORY);
+	this->master_fd = open(master, O_RDONLY | O_DIRECTORY);
+	if (this->master_fd < 0)
+	{
+		DBG1("failed to open master filesystem '%s'", master);
+		free(this);
+		return NULL;
+	}
+	this->host_fd = open(host, O_RDONLY | O_DIRECTORY);
 	if (this->host_fd < 0)
-    {
-    	DBG1("failed to open host filesystem '%s'", host);
-    	close(this->master_fd);
-    	free(this);
-    	return NULL;
-    }
+	{
+		DBG1("failed to open host filesystem '%s'", host);
+		close(this->master_fd);
+		free(this);
+		return NULL;
+	}
 	this->over_fd = -1;
 	
-    this->chan = fuse_mount(mount, &args);
-    if (this->chan == NULL)
-    {
-    	DBG1("mounting cowfs FUSE on '%s' failed", mount);
-    	close(this->master_fd);
-    	close(this->host_fd);
-    	free(this);
-    	return NULL;
-    }
-    
-    this->fuse = fuse_new(this->chan, &args, &cowfs_operations,
-    					  sizeof(cowfs_operations), this);
-    if (this->fuse == NULL)
-    {
-    	DBG1("creating cowfs FUSE handle failed");
-    	close(this->master_fd);
-    	close(this->host_fd);
-    	fuse_unmount(mount, this->chan);
-    	free(this);
-    	return NULL;
-    }
-    
-    this->mount = strdup(mount);
-    this->master = strdup(master);
-    this->host = strdup(host);
-    this->over = NULL;
+	this->chan = fuse_mount(mount, &args);
+	if (this->chan == NULL)
+	{
+		DBG1("mounting cowfs FUSE on '%s' failed", mount);
+		close(this->master_fd);
+		close(this->host_fd);
+		free(this);
+		return NULL;
+	}
+	
+	this->fuse = fuse_new(this->chan, &args, &cowfs_operations,
+						  sizeof(cowfs_operations), this);
+	if (this->fuse == NULL)
+	{
+		DBG1("creating cowfs FUSE handle failed");
+		close(this->master_fd);
+		close(this->host_fd);
+		fuse_unmount(mount, this->chan);
+		free(this);
+		return NULL;
+	}
+	
+	this->mount = strdup(mount);
+	this->master = strdup(master);
+	this->host = strdup(host);
+	this->over = NULL;
 	
 	if (pthread_create(&this->thread, NULL, (void*)fuse_loop, this->fuse) != 0)
 	{
-    	DBG1("creating thread to handle FUSE failed");
-    	fuse_unmount(mount, this->chan);
-    	free(this->mount);
-    	free(this->master);
-    	free(this->host);
-    	close(this->master_fd);
-    	close(this->host_fd);
-    	free(this);
-    	return NULL;
-	}
-    
-    return &this->public;
+		DBG1("creating thread to handle FUSE failed");
+		fuse_unmount(mount, this->chan);
+		free(this->mount);
+		free(this->master);
+		free(this->host);
+		close(this->master_fd);
+		close(this->host_fd);
+		free(this);
+		return NULL;
+	}
+	
+	return &this->public;
 }
 
diff --git a/src/dumm/cowfs.h b/src/dumm/cowfs.h
index 419197dd6..bb589f158 100644
--- a/src/dumm/cowfs.h
+++ b/src/dumm/cowfs.h
@@ -21,13 +21,13 @@
 typedef struct cowfs_t cowfs_t;
 
 /**
- * @brief cowfs - Copy on write FUSE filesystem.
+ * cowfs - Copy on write FUSE filesystem.
  *
  */
 struct cowfs_t {
 	
 	/**
-	 * @brief Set an additional copy on write overlay.
+	 * Set an additional copy on write overlay.
 	 *
 	 * @param path		path of the overlay
 	 * @return 			FALSE if failed
@@ -35,13 +35,13 @@ struct cowfs_t {
 	bool (*set_overlay)(cowfs_t *this, char *path);
 	
 	/**
-	 * @brief Stop, umount and destroy a cowfs FUSE filesystem.
+	 * Stop, umount and destroy a cowfs FUSE filesystem.
 	 */
 	void (*destroy) (cowfs_t *this);
 };
 
 /**
- * @brief Mount a cowfs FUSE filesystem.
+ * Mount a cowfs FUSE filesystem.
  *
  * @param master		read only master file system directory
  * @param host			copy on write host directory
diff --git a/src/dumm/dumm.c b/src/dumm/dumm.c
index cf8d9719c..2cb1235e1 100644
--- a/src/dumm/dumm.c
+++ b/src/dumm/dumm.c
@@ -28,8 +28,9 @@
 
 #include "dumm.h"
 
-#define PERME (S_IRWXU | S_IRWXG)
+#define PERME (S_IRWXU | S_IRWXG | S_IROTH | S_IXOTH)
 #define GUEST_DIR "guests"
+#define TEMPLATE_DIR "templates"
 
 typedef struct private_dumm_t private_dumm_t;
 
@@ -133,10 +134,10 @@ static void clear_template(private_dumm_t *this)
 {
 	enumerator_t *enumerator;
 	guest_t *guest;
-
+	
 	free(this->template);
 	this->template = NULL;
-
+	
 	enumerator = this->guests->create_enumerator(this->guests);
 	while (enumerator->enumerate(enumerator, (void**)&guest))
 	{
@@ -165,7 +166,11 @@ static bool load_template(private_dumm_t *this, char *dir)
 		return FALSE;
 	}
 	
-	this->template = strdup(dir);
+	if (asprintf(&this->template, "%s/%s", TEMPLATE_DIR, dir) < 0)
+	{
+		this->template = NULL;
+		return FALSE;
+	}
 	if (access(this->template, F_OK) != 0)
 	{	/* does not exist, create template */
 		if (!mkdir_p(this->template, PERME))
@@ -188,6 +193,59 @@ static bool load_template(private_dumm_t *this, char *dir)
 	return TRUE;
 }
 
+/**
+ * Template directory enumerator
+ */
+typedef struct {
+	/** implements enumerator_t */
+	enumerator_t public;
+	/** directory enumerator */
+	enumerator_t *inner;
+} template_enumerator_t;
+
+/**
+ * Implementation of template_enumerator_t.enumerate
+ */
+static bool template_enumerate(template_enumerator_t *this, char **template)
+{
+	struct stat st;
+	char *rel;
+	
+	while (this->inner->enumerate(this->inner, &rel, NULL, &st))
+	{
+		if (S_ISDIR(st.st_mode) && *rel != '.')
+		{
+			*template = rel;
+			return TRUE;
+		}
+	}
+	return FALSE;
+}
+
+/**
+ * Implementation of template_enumerator_t.destroy
+ */
+static void template_enumerator_destroy(template_enumerator_t *this)
+{
+	this->inner->destroy(this->inner);
+	free(this);
+}
+
+/**
+ * Implementation of dumm_t.create_template_enumerator
+ */
+static enumerator_t* create_template_enumerator(private_dumm_t *this)
+{
+	template_enumerator_t *enumerator;
+	
+	enumerator = malloc_thing(template_enumerator_t);
+	enumerator->public.enumerate = (void*)template_enumerate;
+	enumerator->public.destroy = (void*)template_enumerator_destroy;
+	enumerator->inner = enumerator_create_directory(TEMPLATE_DIR);
+	
+	return &enumerator->public;
+}
+
 /**
  * Implementation of dumm_t.destroy
  */
@@ -195,7 +253,7 @@ static void destroy(private_dumm_t *this)
 {
 	enumerator_t *enumerator;
 	guest_t *guest;
-
+	
 	this->bridges->destroy_offset(this->bridges, offsetof(bridge_t, destroy));
 	
 	enumerator = this->guests->create_enumerator(this->guests);
@@ -233,8 +291,8 @@ static void load_guests(private_dumm_t *this)
 	
 	while ((ent = readdir(dir)))
 	{
-		if (streq(ent->d_name, ".") ||  streq(ent->d_name, ".."))
-		{
+		if (*ent->d_name == '.')
+		{	/* skip ".", ".." and hidden files (such as ".svn") */
 			continue;
 		}
 		guest = guest_load(this->guest_dir, ent->d_name);
@@ -265,6 +323,7 @@ dumm_t *dumm_create(char *dir)
 	this->public.create_bridge_enumerator = (enumerator_t*(*)(dumm_t*))create_bridge_enumerator;
 	this->public.delete_bridge = (void(*)(dumm_t*,bridge_t*))delete_bridge;
 	this->public.load_template = (bool(*)(dumm_t*, char *name))load_template;
+	this->public.create_template_enumerator = (enumerator_t*(*)(dumm_t*))create_template_enumerator;
 	this->public.destroy = (void(*)(dumm_t*))destroy;
 	
 	if (dir && *dir == '/')
@@ -273,11 +332,11 @@ dumm_t *dumm_create(char *dir)
 	}
 	else
 	{
-	 	if (getcwd(cwd, sizeof(cwd)) == NULL)
-	 	{
-	 		free(this);
-	 		return NULL;
-	 	}
+		if (getcwd(cwd, sizeof(cwd)) == NULL)
+		{
+			free(this);
+			return NULL;
+		}
 		if (dir)
 		{
 			if (asprintf(&this->dir, "%s/%s", cwd, dir) < 0)
diff --git a/src/dumm/dumm.h b/src/dumm/dumm.h
index f5db0e45b..5f2e0542a 100644
--- a/src/dumm/dumm.h
+++ b/src/dumm/dumm.h
@@ -28,14 +28,14 @@
 typedef struct dumm_t dumm_t;
 
 /**
- * @brief dumm - Dynamic Uml Mesh Modeler
+ * dumm - Dynamic Uml Mesh Modeler
  *
  * Controls a group of UML guests and their networks.
  */
 struct dumm_t {
 
 	/**
-	 * @brief Starts a new UML guest
+	 * Starts a new UML guest
 	 *
 	 * @param name		name of the guest
 	 * @param kernel	UML kernel to use for guest
@@ -47,21 +47,21 @@ struct dumm_t {
 							  char *master, char *args);
 	
 	/**
-	 * @brief Create an enumerator over all guests.
+	 * Create an enumerator over all guests.
 	 *
 	 * @return			enumerator over guest_t's
 	 */
 	enumerator_t* (*create_guest_enumerator) (dumm_t *this);
 	
 	/**
-	 * @brief Delete a guest from disk.
+	 * Delete a guest from disk.
 	 *
 	 * @param guest		guest to destroy
 	 */
 	void (*delete_guest) (dumm_t *this, guest_t *guest);
 	
 	/**
-	 * @brief Create a new bridge.
+	 * Create a new bridge.
 	 *
 	 * @param name		name of the bridge to create
 	 * @return			created bridge
@@ -69,21 +69,21 @@ struct dumm_t {
 	bridge_t* (*create_bridge)(dumm_t *this, char *name);
 	
 	/**
-	 * @brief Create an enumerator over all bridges.
+	 * Create an enumerator over all bridges.
 	 *
 	 * @return			enumerator over bridge_t's
 	 */
 	enumerator_t* (*create_bridge_enumerator)(dumm_t *this);
 	
 	/**
-	 * @brief Delete a bridge.
+	 * Delete a bridge.
 	 *
 	 * @param bridge	bridge to destroy
 	 */
 	void (*delete_bridge) (dumm_t *this, bridge_t *bridge);
 	
 	/**
-	 * @brief Loads a template, create a new one if it does not exist.
+	 * Loads a template, create a new one if it does not exist.
 	 *
 	 * @param name		dir to the template, NULL to close
 	 * @return			FALSE if load/create failed
@@ -91,13 +91,20 @@ struct dumm_t {
 	bool (*load_template)(dumm_t *this, char *dir);
 	
 	/**
-	 * @brief stop all guests and destroy the modeler
+	 * Create an enumerator over all available templates.
+	 *
+	 * @return			enumerator over char*
+	 */
+	enumerator_t* (*create_template_enumerator)(dumm_t *this);
+	
+	/**
+	 * stop all guests and destroy the modeler
 	 */
 	void (*destroy) (dumm_t *this);
 };
 
 /**
- * @brief Create a group of UML hosts and networks.
+ * Create a group of UML hosts and networks.
  *
  * @param dir			directory to create guests/load from, NULL for cwd
  * @return				created UML group, or NULL if failed.
diff --git a/src/dumm/ext/dumm.c b/src/dumm/ext/dumm.c
index 2610affc3..f7caf252d 100644
--- a/src/dumm/ext/dumm.c
+++ b/src/dumm/ext/dumm.c
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- * 
- * $Id: dumm.c 4447 2008-10-15 14:47:52Z martin $
  */
 
 #include <stdio.h>
@@ -24,11 +22,13 @@
 #include <library.h>
 #include <dumm.h>
 #include <debug.h>
+#include <utils/linked_list.h>
 
 #undef PACKAGE_NAME
 #undef PACKAGE_TARNAME
 #undef PACKAGE_VERSION
 #undef PACKAGE_STRING
+#undef PACKAGE_BUGREPORT
 #include <ruby.h>
 
 static dumm_t *dumm;
@@ -84,8 +84,6 @@ static void sigchld_handler(int signal, siginfo_t *info, void* ptr)
 	enumerator->destroy(enumerator);
 }
 
-
-
 /**
  * Guest bindings
  */
@@ -93,7 +91,9 @@ static VALUE guest_find(VALUE class, VALUE key)
 {
 	enumerator_t *enumerator;
 	guest_t *guest, *found = NULL;
-	if (TYPE(key) == T_SYMBOL) {
+	
+	if (TYPE(key) == T_SYMBOL)
+	{
 		key = rb_convert_type(key, T_STRING, "String", "to_s");
 	}
 	enumerator = dumm->create_guest_enumerator(dumm);
@@ -125,19 +125,26 @@ static VALUE guest_get(VALUE class, VALUE key)
 
 static VALUE guest_each(int argc, VALUE *argv, VALUE class)
 {
+	linked_list_t *list;
 	enumerator_t *enumerator;
 	guest_t *guest;
-
+	
 	if (!rb_block_given_p())
-    {
+	{
 		rb_raise(rb_eArgError, "must be called with a block");
 	}
+	list = linked_list_create();
 	enumerator = dumm->create_guest_enumerator(dumm);
 	while (enumerator->enumerate(enumerator, &guest))
 	{
-  		rb_yield(Data_Wrap_Struct(class, NULL, NULL, guest));
+		list->insert_last(list, guest);
 	}
 	enumerator->destroy(enumerator);
+	while (list->remove_first(list, (void**)&guest) == SUCCESS)
+	{
+		rb_yield(Data_Wrap_Struct(class, NULL, NULL, guest));
+	}
+	list->destroy(list);
 	return class;
 }
 
@@ -249,7 +256,9 @@ static VALUE guest_find_iface(VALUE self, VALUE key)
 	enumerator_t *enumerator;
 	iface_t *iface, *found = NULL;
 	guest_t *guest;
-	if (TYPE(key) == T_SYMBOL) {
+	
+	if (TYPE(key) == T_SYMBOL)
+	{
 		key = rb_convert_type(key, T_STRING, "String", "to_s");
 	}
 	Data_Get_Struct(self, guest_t, guest);
@@ -283,20 +292,27 @@ static VALUE guest_get_iface(VALUE self, VALUE key)
 static VALUE guest_each_iface(int argc, VALUE *argv, VALUE self)
 {
 	enumerator_t *enumerator;
+	linked_list_t *list;
 	guest_t *guest;
 	iface_t *iface;
-
+	
 	if (!rb_block_given_p())
-    {
+	{
 		rb_raise(rb_eArgError, "must be called with a block");
 	}
 	Data_Get_Struct(self, guest_t, guest);
+	list = linked_list_create();
 	enumerator = guest->create_iface_enumerator(guest);
 	while (enumerator->enumerate(enumerator, &iface))
 	{
-  		rb_yield(Data_Wrap_Struct(rbc_iface, NULL, NULL, iface));
+		list->insert_last(list, iface);
 	}
 	enumerator->destroy(enumerator);
+	while (list->remove_first(list, (void**)&iface) == SUCCESS)
+	{
+		rb_yield(Data_Wrap_Struct(rbc_iface, NULL, NULL, iface));
+	}
+	list->destroy(list);
 	return self;
 }
 
@@ -305,6 +321,10 @@ static VALUE guest_delete(VALUE self)
 	guest_t *guest;
 	
 	Data_Get_Struct(self, guest_t, guest);
+	if (guest->get_pid(guest))
+	{
+		rb_raise(rb_eRuntimeError, "guest is running");
+	}
 	dumm->delete_guest(dumm, guest);
 	return Qnil;
 }
@@ -338,11 +358,15 @@ static void guest_init()
 /**
  * Bridge binding
  */
-static VALUE bridge_get(VALUE class, VALUE key)
+static VALUE bridge_find(VALUE class, VALUE key)
 {
 	enumerator_t *enumerator;
 	bridge_t *bridge, *found = NULL;
 	
+	if (TYPE(key) == T_SYMBOL)
+	{
+		key = rb_convert_type(key, T_STRING, "String", "to_s");
+	}
 	enumerator = dumm->create_bridge_enumerator(dumm);
 	while (enumerator->enumerate(enumerator, &bridge))
 	{
@@ -355,26 +379,43 @@ static VALUE bridge_get(VALUE class, VALUE key)
 	enumerator->destroy(enumerator);
 	if (!found)
 	{
-		rb_raise(rb_eRuntimeError, "bridge not found");
+		return Qnil;
 	}
 	return Data_Wrap_Struct(class, NULL, NULL, found);
 }
 
+static VALUE bridge_get(VALUE class, VALUE key)
+{
+	VALUE bridge = bridge_find(class, key);
+	if (NIL_P(bridge))
+	{
+		rb_raise(rb_eRuntimeError, "bridge not found");
+	}
+	return bridge;
+}
+
 static VALUE bridge_each(int argc, VALUE *argv, VALUE class)
 {
 	enumerator_t *enumerator;
+	linked_list_t *list;
 	bridge_t *bridge;
-
+	
 	if (!rb_block_given_p())
-    {
+	{
 		rb_raise(rb_eArgError, "must be called with a block");
 	}
+	list = linked_list_create();
 	enumerator = dumm->create_bridge_enumerator(dumm);
 	while (enumerator->enumerate(enumerator, &bridge))
 	{
-  		rb_yield(Data_Wrap_Struct(class, NULL, NULL, bridge));
+		list->insert_last(list, bridge);
 	}
 	enumerator->destroy(enumerator);
+	while (list->remove_first(list, (void**)&bridge) == SUCCESS)
+	{
+		rb_yield(Data_Wrap_Struct(class, NULL, NULL, bridge));
+	}
+	list->destroy(list);
 	return class;
 }
 
@@ -402,20 +443,27 @@ static VALUE bridge_to_s(VALUE self)
 static VALUE bridge_each_iface(int argc, VALUE *argv, VALUE self)
 {
 	enumerator_t *enumerator;
+	linked_list_t *list;
 	bridge_t *bridge;
 	iface_t *iface;
-
+	
 	if (!rb_block_given_p())
-    {
+	{
 		rb_raise(rb_eArgError, "must be called with a block");
 	}
 	Data_Get_Struct(self, bridge_t, bridge);
+	list = linked_list_create();
 	enumerator = bridge->create_iface_enumerator(bridge);
 	while (enumerator->enumerate(enumerator, &iface))
 	{
-  		rb_yield(Data_Wrap_Struct(rbc_iface, NULL, NULL, iface));
+		list->insert_last(list, iface);
 	}
 	enumerator->destroy(enumerator);
+	while (list->remove_first(list, (void**)&iface) == SUCCESS)
+	{
+		rb_yield(Data_Wrap_Struct(rbc_iface, NULL, NULL, iface));
+	}
+	list->destroy(list);
 	return self;
 }
 
@@ -437,6 +485,8 @@ static void bridge_init()
 	rb_define_singleton_method(rbc_bridge, "[]", bridge_get, 1);
 	rb_define_singleton_method(rbc_bridge, "each", bridge_each, -1);
 	rb_define_singleton_method(rbc_bridge, "new", bridge_new, 1);
+	rb_define_singleton_method(rbc_bridge, "include?", bridge_find, 1);
+	rb_define_singleton_method(rbc_bridge, "bridge?", bridge_find, 1);
 	
 	rb_define_method(rbc_bridge, "to_s", bridge_to_s, 0);
 	rb_define_method(rbc_bridge, "each", bridge_each_iface, -1);
@@ -509,22 +559,29 @@ static VALUE iface_add_addr(VALUE self, VALUE name)
 static VALUE iface_each_addr(int argc, VALUE *argv, VALUE self)
 {
 	enumerator_t *enumerator;
+	linked_list_t *list;
 	iface_t *iface;
 	host_t *addr;
 	char buf[64];
-
+	
 	if (!rb_block_given_p())
-    {
+	{
 		rb_raise(rb_eArgError, "must be called with a block");
 	}
 	Data_Get_Struct(self, iface_t, iface);
 	enumerator = iface->create_address_enumerator(iface);
 	while (enumerator->enumerate(enumerator, &addr))
 	{
-		snprintf(buf, sizeof(buf), "%H", addr);
-  		rb_yield(rb_str_new2(buf));
+		list->insert_last(list, addr->clone(addr));
 	}
 	enumerator->destroy(enumerator);
+	while (list->remove_first(list, (void**)&addr) == SUCCESS)
+	{
+		snprintf(buf, sizeof(buf), "%H", addr);
+		addr->destroy(addr);
+		rb_yield(rb_str_new2(buf));
+	}
+	list->destroy(list);
 	return self;
 }
 
@@ -595,12 +652,31 @@ static VALUE template_unload(VALUE class)
 	return class;
 }
 
+static VALUE template_each(int argc, VALUE *argv, VALUE class)
+{
+	enumerator_t *enumerator;
+	char *template;
+	
+	if (!rb_block_given_p())
+	{
+		rb_raise(rb_eArgError, "must be called with a block");
+	}
+	enumerator = dumm->create_template_enumerator(dumm);
+	while (enumerator->enumerate(enumerator, &template))
+	{
+		rb_yield(rb_str_new2(template));
+	}
+	enumerator->destroy(enumerator);
+	return class;
+}
+
 static void template_init()
 {
 	rbc_template = rb_define_class_under(rbm_dumm , "Template", rb_cObject);
 	
 	rb_define_singleton_method(rbc_template, "load", template_load, 1);
 	rb_define_singleton_method(rbc_template, "unload", template_unload, 0);
+	rb_define_singleton_method(rbc_template, "each", template_each, -1);
 }
 
 /**
diff --git a/src/dumm/ext/extconf.rb b/src/dumm/ext/extconf.rb
deleted file mode 100644
index 136be5c2c..000000000
--- a/src/dumm/ext/extconf.rb
+++ /dev/null
@@ -1,21 +0,0 @@
-#
-# DUMM for Ruby
-#
-
-require "mkmf"
-
-dir_config("dumm")
-
-unless find_header('library.h', '../../libstrongswan') and
-       find_header('dumm.h', '..')
-  puts "... failed: one or more header files not found!"
-  exit
-end
-
-unless find_library('dumm', 'dumm_create')
-  puts "... failed: 'libdumm' not found!"
-  exit
-end
-
-create_makefile("dumm")
-
diff --git a/src/dumm/ext/extconf.rb.in b/src/dumm/ext/extconf.rb.in
new file mode 100644
index 000000000..36536ec52
--- /dev/null
+++ b/src/dumm/ext/extconf.rb.in
@@ -0,0 +1,19 @@
+#
+# DUMM for Ruby
+#
+
+require 'mkmf'
+
+$defs << " @DEFS@"
+$CFLAGS << " -Wno-format"
+
+dir_config('dumm', '@top_srcdir@/src/dumm', '../.libs')
+dir_config('strongswan', '@top_srcdir@/src/libstrongswan', '../../libstrongswan/.libs')
+
+unless find_library('dumm', 'dumm_create')
+  puts "... failed: 'libdumm' not found!"
+  exit
+end
+
+create_makefile('dumm', '@top_srcdir@/src/dumm/ext')
+
diff --git a/src/dumm/ext/lib/dumm.rb b/src/dumm/ext/lib/dumm.rb
index 2e860ae9f..25939e9f4 100644
--- a/src/dumm/ext/lib/dumm.rb
+++ b/src/dumm/ext/lib/dumm.rb
@@ -11,11 +11,52 @@
   WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
   or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
   for more details.
-
-  $Id: dumm.rb 4295 2008-08-27 07:35:20Z tobias $
 =end
 
 require 'dumm.so'
 require 'dumm/guest'
 
+module Dumm
+  
+  # use guest/bridge indentifiers directly
+  def method_missing(id, *args)
+    if Guest.guest? id
+      return Guest[id]
+    end
+    if Bridge.bridge? id
+      return Bridge[id]
+    end
+    super(id, *args)
+  end
+  
+  # shortcut for Template loading
+  def template(name = nil)
+    if name
+      Template.load name
+    else
+      Template.each {|t| puts t }
+    end
+  end
+  
+  # unload templates, reset all guests and delete bridges
+  def reset
+    Template.unload
+    Guest.each { |guest|
+      guest.reset if guest.running?
+    }
+    Bridge.each { |bridge|
+      bridge.delete
+    }
+    return Dumm
+  end
+  
+  # wait until all running guests have booted up
+  def boot
+    Guest.each {|g|
+      g.boot if g.running?
+    }
+    return Dumm
+  end
+end
+
 # vim:sw=2 ts=2 et
diff --git a/src/dumm/ext/lib/dumm/guest.rb b/src/dumm/ext/lib/dumm/guest.rb
index bdd0c33d8..936f512dd 100644
--- a/src/dumm/ext/lib/dumm/guest.rb
+++ b/src/dumm/ext/lib/dumm/guest.rb
@@ -11,8 +11,6 @@
   WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
   or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
   for more details.
-
-  $Id: guest.rb 4295 2008-08-27 07:35:20Z tobias $
 =end
 
 module Dumm
@@ -34,6 +32,30 @@ module Dumm
       end
       self[id]
     end
+    
+    # delete all interfaces
+    def reset
+      each {|i|
+        i.delete
+      }
+    end
+    
+    # has the guest booted up?
+    def booted?
+      begin
+        exec("pgrep getty")
+      rescue
+        return false
+      end
+      return true
+    end
+    
+    # wait until the guest has booted
+    def boot
+      while not booted?
+        sleep(1)
+      end
+    end
   end
 end
 
diff --git a/src/dumm/guest.c b/src/dumm/guest.c
index 014a9113f..969a2a99d 100644
--- a/src/dumm/guest.c
+++ b/src/dumm/guest.c
@@ -36,8 +36,8 @@
 #include "mconsole.h"
 #include "cowfs.h"
 
-#define PERME (S_IRWXU | S_IRWXG)
-#define PERM (S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP)
+#define PERME (S_IRWXU | S_IRWXG | S_IROTH | S_IXOTH)
+#define PERM (S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH)
 
 #define MASTER_DIR "master"
 #define DIFF_DIR "diff"
@@ -300,7 +300,6 @@ static bool load_template(private_guest_t *this, char *path)
 {
 	char dir[PATH_MAX];
 	size_t len;
-	iface_t *iface;
 	
 	if (path == NULL)
 	{
@@ -324,10 +323,6 @@ static bool load_template(private_guest_t *this, char *path)
 	{
 		return FALSE;
 	}
-	while (this->ifaces->remove_last(this->ifaces, (void**)&iface) == SUCCESS)
-	{
-		iface->destroy(iface);
-	}
 	return TRUE;
 }
 
diff --git a/src/dumm/guest.h b/src/dumm/guest.h
index 19dc8a8bf..a1e4966ac 100644
--- a/src/dumm/guest.h
+++ b/src/dumm/guest.h
@@ -26,7 +26,7 @@ typedef struct guest_t guest_t;
 #include "iface.h"
 
 /**
- * @brief State of a guest (started, stopped, ...)
+ * State of a guest (started, stopped, ...)
  */
 enum guest_state_t {
 	/** guest kernel not running at all */
@@ -68,33 +68,33 @@ typedef pid_t (*invoke_function_t)(void *data, guest_t *guest,
 typedef void (*idle_function_t)(void);
 
 /**
- * @brief A guest is a UML instance running on the host.
+ * A guest is a UML instance running on the host.
  **/
 struct guest_t {
 	
 	/**
-	 * @brief Get the name of this guest.
+	 * Get the name of this guest.
 	 *
 	 * @return		name of the guest
 	 */
 	char* (*get_name) (guest_t *this);
 	
 	/**
-	 * @brief Get the process ID of the guest child process.
+	 * Get the process ID of the guest child process.
 	 *
 	 * @return		name of the guest
 	 */
 	pid_t (*get_pid) (guest_t *this);
 	
 	/**
-	 * @brief Get the state of the guest (stopped, started, etc.).
+	 * Get the state of the guest (stopped, started, etc.).
 	 *
 	 * @return		guests state
 	 */
 	guest_state_t (*get_state)(guest_t *this);	
 	
 	/**
-	 * @brief Start the guest.
+	 * Start the guest.
 	 *
 	 * @param invoke	UML guest invocation function
 	 * @param data		data to pass back to invoke function
@@ -105,14 +105,14 @@ struct guest_t {
 				   idle_function_t idle);
 	
 	/**
-	 * @brief Kill the guest.
+	 * Kill the guest.
 	 *
 	 * @param idle		idle function to call while waiting to termination
 	 */
 	void (*stop) (guest_t *this, idle_function_t idle);
 	
 	/**
-	 * @brief Create a new interface in the current scenario.
+	 * Create a new interface in the current scenario.
 	 *
 	 * @param name	name of the interface in the guest
 	 * @return		created interface, or NULL if failed
@@ -120,21 +120,21 @@ struct guest_t {
 	iface_t* (*create_iface)(guest_t *this, char *name);
 	
 	/**
-	 * @brief Destroy an interface on guest.
+	 * Destroy an interface on guest.
 	 *
 	 * @param iface	interface to destroy
 	 */
 	void (*destroy_iface)(guest_t *this, iface_t *iface);
 	
 	/**
-	 * @brief Create an enumerator over all guest interfaces.
+	 * Create an enumerator over all guest interfaces.
 	 *
 	 * @return		enumerator over iface_t's
 	 */
 	enumerator_t* (*create_iface_enumerator)(guest_t *this);
 	
 	/**
-	 * @brief Set the template COWFS overlay to use.
+	 * Set the template COWFS overlay to use.
 	 *
 	 * @param parent	parent directory where template diff should point to
 	 * @return			FALSE if failed
@@ -172,18 +172,18 @@ struct guest_t {
 					void *data, char *cmd, ...);
 	
 	/**
-	 * @brief Called whenever a SIGCHILD for the guests PID is received.
+	 * Called whenever a SIGCHILD for the guests PID is received.
 	 */
 	void (*sigchild)(guest_t *this);
 	
 	/**
-	 * @brief Close and destroy a guest with all interfaces
+	 * Close and destroy a guest with all interfaces
 	 */	
 	void (*destroy) (guest_t *this);
 };
 
 /**
- * @brief Create a new, unstarted guest.
+ * Create a new, unstarted guest.
  *
  * @param parent	parent directory to create the guest in
  * @param name		name of the guest to create
@@ -196,7 +196,7 @@ guest_t *guest_create(char *parent, char *name, char *kernel,
 					  char *master, char *args);
 
 /**
- * @brief Load a guest created with guest_create().
+ * Load a guest created with guest_create().
  *
  * @param parent	parent directory to look for a guest
  * @param name		name of the guest directory
diff --git a/src/dumm/iface.h b/src/dumm/iface.h
index 54a0554c0..7aef95c01 100644
--- a/src/dumm/iface.h
+++ b/src/dumm/iface.h
@@ -29,19 +29,19 @@ typedef struct iface_t iface_t;
 #include "guest.h"
 
 /**
- * @brief Interface in a guest, connected to a tap device on the host.
+ * Interface in a guest, connected to a tap device on the host.
  */
 struct iface_t {
 	
 	/**
-	 * @brief Get the interface name in the guest (e.g. eth0).
+	 * Get the interface name in the guest (e.g. eth0).
 	 *
 	 * @return			guest interface name
 	 */
 	char* (*get_guestif)(iface_t *this);
 	
 	/**
-	 * @brief Get the interface name at the host (e.g. tap0).
+	 * Get the interface name at the host (e.g. tap0).
 	 *
 	 * @return			host interface (tap device) name
 	 */
@@ -71,34 +71,34 @@ struct iface_t {
 	bool (*delete_address)(iface_t *this, host_t *addr);	
 	
 	/**
-	 * @brief Set the bridge this interface is attached to.
+	 * Set the bridge this interface is attached to.
 	 *
 	 * @param bridge	assigned bridge, or NULL for none
 	 */
 	void (*set_bridge)(iface_t *this, bridge_t *bridge);
 	
 	/**
-	 * @brief Get the bridge this iface is connected, or NULL.
+	 * Get the bridge this iface is connected, or NULL.
 	 *
 	 * @return			connected bridge, or NULL
 	 */
 	bridge_t* (*get_bridge)(iface_t *this);
 	
 	/**
-	 * @brief Get the guest this iface belongs to.
+	 * Get the guest this iface belongs to.
 	 *
 	 * @return			guest of this iface
 	 */
 	guest_t* (*get_guest)(iface_t *this);
 	
 	/**
-	 * @brief Destroy an interface
+	 * Destroy an interface
 	 */
 	void (*destroy) (iface_t *this);
 };
 
 /**
- * @brief Create a new interface for a guest
+ * Create a new interface for a guest
  *
  * @param name		name of the interface in the guest
  * @param guest		guest this iface is connecting
diff --git a/src/dumm/mconsole.c b/src/dumm/mconsole.c
index 02db5ab7e..72d6d1b5e 100644
--- a/src/dumm/mconsole.c
+++ b/src/dumm/mconsole.c
@@ -147,8 +147,11 @@ static int request(private_mconsole_t *this, void(*cb)(void*,char*,size_t),
 			}
 			else if (reply.err)
 			{
-				DBG1("received mconsole error %d: %*.s",
-					 reply.err, reply.len, reply.data);
+				if (reply.len && *reply.data)
+				{
+					DBG1("received mconsole error %d: %*.s",
+						 reply.err, reply.len, reply.data);
+				}
 				break;
 			}
 		}
diff --git a/src/dumm/mconsole.h b/src/dumm/mconsole.h
index e8493b5bb..a4d93e48e 100644
--- a/src/dumm/mconsole.h
+++ b/src/dumm/mconsole.h
@@ -21,12 +21,12 @@
 typedef struct mconsole_t mconsole_t;
 
 /**
- * @brief UML mconsole, change running UML configuration using mconsole.
+ * UML mconsole, change running UML configuration using mconsole.
  */
 struct mconsole_t {
 	
 	/**
-	 * @brief Create a guest interface and connect it to tap host interface.
+	 * Create a guest interface and connect it to tap host interface.
 	 *
 	 * @param guest			name of the interface to create in the guest
 	 * @param host			name of the tap device to connect guest to
@@ -35,7 +35,7 @@ struct mconsole_t {
 	bool (*add_iface)(mconsole_t *this, char *guest, char *host);
 	
 	/**
-	 * @brief Delete a guest interface.
+	 * Delete a guest interface.
 	 *
 	 * @param guest			name of the interface to delete on the guest
 	 * @return				TRUE if interface deleted
@@ -54,13 +54,13 @@ struct mconsole_t {
 				char *cmd);
 	
 	/**
-	 * @brief Destroy the mconsole instance
+	 * Destroy the mconsole instance
 	 */
 	void (*destroy) (mconsole_t *this);
 };
 
 /**
- * @brief Create a new mconsole connection to a guest.
+ * Create a new mconsole connection to a guest.
  *
  * Waits for a notification from the guest through the notify socket and tries
  * to connect to the mconsole socket supplied in the received notification.
diff --git a/src/include/Makefile.in b/src/include/Makefile.in
index 25c46e648..7ee0793ec 100644
--- a/src/include/Makefile.in
+++ b/src/include/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -57,6 +57,7 @@ CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -79,6 +80,9 @@ LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -90,6 +94,7 @@ MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
 NM = @NM@
 NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
@@ -103,6 +108,8 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 RANLIB = @RANLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -163,6 +170,7 @@ oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
 plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -174,6 +182,7 @@ srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 xml_CFLAGS = @xml_CFLAGS@
@@ -189,8 +198,8 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
 	    *$$dep*) \
-	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
-		&& exit 0; \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
 	      exit 1;; \
 	  esac; \
 	done; \
diff --git a/src/ipsec/Makefile.am b/src/ipsec/Makefile.am
index 44964e041..f3ca1ca06 100644
--- a/src/ipsec/Makefile.am
+++ b/src/ipsec/Makefile.am
@@ -12,5 +12,5 @@ ipsec : ipsec.in
 	-e "s:@IPSEC_SBINDIR@:$(sbindir):" \
 	-e "s:@IPSEC_CONFDIR@:$(confdir):" \
 	-e "s:@IPSEC_PIDDIR@:$(piddir):" \
-	$< > $@
+	$(srcdir)/$@.in > $@
 	chmod +x $@
diff --git a/src/ipsec/Makefile.in b/src/ipsec/Makefile.in
index e32d0e91e..d5a6dc82f 100644
--- a/src/ipsec/Makefile.in
+++ b/src/ipsec/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -65,6 +65,7 @@ CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -87,6 +88,9 @@ LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -98,6 +102,7 @@ MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
 NM = @NM@
 NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
@@ -111,6 +116,8 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 RANLIB = @RANLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -171,6 +178,7 @@ oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
 plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -182,6 +190,7 @@ srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 xml_CFLAGS = @xml_CFLAGS@
@@ -197,8 +206,8 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
 	    *$$dep*) \
-	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
-		&& exit 0; \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
 	      exit 1;; \
 	  esac; \
 	done; \
@@ -258,8 +267,8 @@ install-man8: $(man8_MANS) $(man_MANS)
 	  esac; \
 	done; \
 	for i in $$list; do \
-	  if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
-	  else file=$$i; fi; \
+	  if test -f $$i; then file=$$i; \
+	  else file=$(srcdir)/$$i; fi; \
 	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
 	  case "$$ext" in \
 	    8*) ;; \
@@ -438,7 +447,7 @@ ipsec : ipsec.in
 	-e "s:@IPSEC_SBINDIR@:$(sbindir):" \
 	-e "s:@IPSEC_CONFDIR@:$(confdir):" \
 	-e "s:@IPSEC_PIDDIR@:$(piddir):" \
-	$< > $@
+	$(srcdir)/$@.in > $@
 	chmod +x $@
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
diff --git a/src/ipsec/ipsec.8 b/src/ipsec/ipsec.8
index 5c0835fe4..0cd9914cc 100644
--- a/src/ipsec/ipsec.8
+++ b/src/ipsec/ipsec.8
@@ -1,5 +1,4 @@
 .TH IPSEC 8 "9 February 2006"
-.\" RCSID $Id: ipsec.8 3268 2007-10-08 19:59:18Z andreas $
 .SH NAME
 ipsec \- invoke IPsec utilities
 .SH SYNOPSIS
diff --git a/src/ipsec/ipsec.in b/src/ipsec/ipsec.in
index 4f2c1caa3..1da3c2d90 100755
--- a/src/ipsec/ipsec.in
+++ b/src/ipsec/ipsec.in
@@ -13,8 +13,6 @@
 # WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 # or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 # for more details.
-#
-# RCSID $Id: ipsec.in 4790 2008-12-11 12:49:41Z martin $
 
 # define a minimum PATH environment in case it is not set
 PATH="/sbin:/bin:/usr/sbin:/usr/bin:@IPSEC_SBINDIR@"
@@ -67,7 +65,7 @@ case "$1" in
 	echo "	rereadsecrets|rereadgroups"
 	echo "	rereadcacerts|rereadaacerts|rereadocspcerts"
 	echo "	rereadacerts|rereadcrls|rereadall"
-	echo "	purgeocsp"
+	echo "	purgeocsp|purgeike"
 	echo "	scencrypt|scdecrypt <value> [--inbase <base>] [--outbase <base>] [--keyid <id>]"
  	echo "	openac"
 	echo "	pluto"
@@ -184,6 +182,15 @@ rereadall|purgeocsp)
 	fi
 	exit "$rc"
 	;;
+purgeike)
+	rc=7
+	if [ -e $IPSEC_CHARON_PID ]
+	then
+		$IPSEC_STROKE purgeike
+		rc="$?"
+	fi
+	exit "$rc"
+	;;
 ready)
 	shift
 	if [ -e $IPSEC_PLUTO_PID ]
diff --git a/src/libcrypto/Makefile.am b/src/libcrypto/Makefile.am
deleted file mode 100644
index 4416c8daf..000000000
--- a/src/libcrypto/Makefile.am
+++ /dev/null
@@ -1,11 +0,0 @@
-noinst_LIBRARIES = libcrypto.a
-libcrypto_a_SOURCES = \
-libaes/aes_xcbc_mac.c libaes/aes_cbc.c libaes/aes_xcbc_mac.h libaes/aes_cbc.h libaes/aes.c libaes/aes.h \
-include/md32_common.h include/cbc_generic.h include/hmac_generic.h libblowfish/bf_skey.c libblowfish/blowfish.h \
-libblowfish/bf_pi.h libblowfish/bf_locl.h libblowfish/bf_enc.c libsha2/hmac_sha2.c libsha2/sha2.h libsha2/hmac_sha2.h \
-libsha2/sha2.c libserpent/serpent_cbc.c libserpent/serpent_cbc.h libserpent/serpent.c libserpent/serpent.h \
-libtwofish/twofish_cbc.h libtwofish/twofish_cbc.c libtwofish/twofish.c libtwofish/twofish.h libdes/des_enc.c \
-libdes/podd.h libdes/sk.h libdes/set_key.c libdes/fcrypt_b.c libdes/fcrypt.c libdes/destest.c \
-libdes/spr.h libdes/cbc_enc.c libdes/ecb_enc.c libdes/des_locl.h libdes/des_ver.h libdes/des.h
-
-INCLUDES = -I$(top_srcdir)/src/libcrypto/include
diff --git a/src/libcrypto/Makefile.in b/src/libcrypto/Makefile.in
deleted file mode 100644
index 0e4b3c7f4..000000000
--- a/src/libcrypto/Makefile.in
+++ /dev/null
@@ -1,741 +0,0 @@
-# Makefile.in generated by automake 1.10.1 from Makefile.am.
-# @configure_input@
-
-# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
-# This Makefile.in is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
-# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
-# PARTICULAR PURPOSE.
-
-@SET_MAKE@
-
-VPATH = @srcdir@
-pkgdatadir = $(datadir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
-pkgincludedir = $(includedir)/@PACKAGE@
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-install_sh_DATA = $(install_sh) -c -m 644
-install_sh_PROGRAM = $(install_sh) -c
-install_sh_SCRIPT = $(install_sh) -c
-INSTALL_HEADER = $(INSTALL_DATA)
-transform = $(program_transform_name)
-NORMAL_INSTALL = :
-PRE_INSTALL = :
-POST_INSTALL = :
-NORMAL_UNINSTALL = :
-PRE_UNINSTALL = :
-POST_UNINSTALL = :
-build_triplet = @build@
-host_triplet = @host@
-subdir = src/libcrypto
-DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
-ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/configure.in
-am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
-	$(ACLOCAL_M4)
-mkinstalldirs = $(install_sh) -d
-CONFIG_CLEAN_FILES =
-LIBRARIES = $(noinst_LIBRARIES)
-ARFLAGS = cru
-libcrypto_a_AR = $(AR) $(ARFLAGS)
-libcrypto_a_LIBADD =
-am_libcrypto_a_OBJECTS = aes_xcbc_mac.$(OBJEXT) aes_cbc.$(OBJEXT) \
-	aes.$(OBJEXT) bf_skey.$(OBJEXT) bf_enc.$(OBJEXT) \
-	hmac_sha2.$(OBJEXT) sha2.$(OBJEXT) serpent_cbc.$(OBJEXT) \
-	serpent.$(OBJEXT) twofish_cbc.$(OBJEXT) twofish.$(OBJEXT) \
-	des_enc.$(OBJEXT) set_key.$(OBJEXT) fcrypt_b.$(OBJEXT) \
-	fcrypt.$(OBJEXT) destest.$(OBJEXT) cbc_enc.$(OBJEXT) \
-	ecb_enc.$(OBJEXT)
-libcrypto_a_OBJECTS = $(am_libcrypto_a_OBJECTS)
-DEFAULT_INCLUDES = -I.@am__isrc@
-depcomp = $(SHELL) $(top_srcdir)/depcomp
-am__depfiles_maybe = depfiles
-COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
-	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
-SOURCES = $(libcrypto_a_SOURCES)
-DIST_SOURCES = $(libcrypto_a_SOURCES)
-ETAGS = etags
-CTAGS = ctags
-DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
-ACLOCAL = @ACLOCAL@
-AMTAR = @AMTAR@
-AR = @AR@
-AUTOCONF = @AUTOCONF@
-AUTOHEADER = @AUTOHEADER@
-AUTOMAKE = @AUTOMAKE@
-AWK = @AWK@
-CC = @CC@
-CCDEPMODE = @CCDEPMODE@
-CFLAGS = @CFLAGS@
-CPP = @CPP@
-CPPFLAGS = @CPPFLAGS@
-CYGPATH_W = @CYGPATH_W@
-DEFS = @DEFS@
-DEPDIR = @DEPDIR@
-DSYMUTIL = @DSYMUTIL@
-DUMPBIN = @DUMPBIN@
-ECHO_C = @ECHO_C@
-ECHO_N = @ECHO_N@
-ECHO_T = @ECHO_T@
-EGREP = @EGREP@
-EXEEXT = @EXEEXT@
-FGREP = @FGREP@
-GPERF = @GPERF@
-GREP = @GREP@
-INSTALL = @INSTALL@
-INSTALL_DATA = @INSTALL_DATA@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@
-INSTALL_SCRIPT = @INSTALL_SCRIPT@
-INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
-IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
-LD = @LD@
-LDFLAGS = @LDFLAGS@
-LEX = @LEX@
-LEXLIB = @LEXLIB@
-LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBOBJS = @LIBOBJS@
-LIBS = @LIBS@
-LIBTOOL = @LIBTOOL@
-LINUX_HEADERS = @LINUX_HEADERS@
-LIPO = @LIPO@
-LN_S = @LN_S@
-LTLIBOBJS = @LTLIBOBJS@
-MAKEINFO = @MAKEINFO@
-MKDIR_P = @MKDIR_P@
-NM = @NM@
-NMEDIT = @NMEDIT@
-OBJEXT = @OBJEXT@
-OTOOL = @OTOOL@
-OTOOL64 = @OTOOL64@
-PACKAGE = @PACKAGE@
-PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
-PACKAGE_NAME = @PACKAGE_NAME@
-PACKAGE_STRING = @PACKAGE_STRING@
-PACKAGE_TARNAME = @PACKAGE_TARNAME@
-PACKAGE_VERSION = @PACKAGE_VERSION@
-PATH_SEPARATOR = @PATH_SEPARATOR@
-PERL = @PERL@
-PKG_CONFIG = @PKG_CONFIG@
-RANLIB = @RANLIB@
-SED = @SED@
-SET_MAKE = @SET_MAKE@
-SHELL = @SHELL@
-STRIP = @STRIP@
-VERSION = @VERSION@
-YACC = @YACC@
-YFLAGS = @YFLAGS@
-abs_builddir = @abs_builddir@
-abs_srcdir = @abs_srcdir@
-abs_top_builddir = @abs_top_builddir@
-abs_top_srcdir = @abs_top_srcdir@
-ac_ct_CC = @ac_ct_CC@
-ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
-am__include = @am__include@
-am__leading_dot = @am__leading_dot@
-am__quote = @am__quote@
-am__tar = @am__tar@
-am__untar = @am__untar@
-bindir = @bindir@
-build = @build@
-build_alias = @build_alias@
-build_cpu = @build_cpu@
-build_os = @build_os@
-build_vendor = @build_vendor@
-builddir = @builddir@
-confdir = @confdir@
-datadir = @datadir@
-datarootdir = @datarootdir@
-docdir = @docdir@
-dvidir = @dvidir@
-exec_prefix = @exec_prefix@
-gtk_CFLAGS = @gtk_CFLAGS@
-gtk_LIBS = @gtk_LIBS@
-host = @host@
-host_alias = @host_alias@
-host_cpu = @host_cpu@
-host_os = @host_os@
-host_vendor = @host_vendor@
-htmldir = @htmldir@
-includedir = @includedir@
-infodir = @infodir@
-install_sh = @install_sh@
-ipsecdir = @ipsecdir@
-ipsecgroup = @ipsecgroup@
-ipsecuser = @ipsecuser@
-libdir = @libdir@
-libexecdir = @libexecdir@
-libstrongswan_plugins = @libstrongswan_plugins@
-linuxdir = @linuxdir@
-localedir = @localedir@
-localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
-mandir = @mandir@
-mkdir_p = @mkdir_p@
-nm_CFLAGS = @nm_CFLAGS@
-nm_LIBS = @nm_LIBS@
-oldincludedir = @oldincludedir@
-pdfdir = @pdfdir@
-piddir = @piddir@
-plugindir = @plugindir@
-prefix = @prefix@
-program_transform_name = @program_transform_name@
-psdir = @psdir@
-resolv_conf = @resolv_conf@
-sbindir = @sbindir@
-sharedstatedir = @sharedstatedir@
-simreader = @simreader@
-srcdir = @srcdir@
-strongswan_conf = @strongswan_conf@
-sysconfdir = @sysconfdir@
-target_alias = @target_alias@
-top_builddir = @top_builddir@
-top_srcdir = @top_srcdir@
-xml_CFLAGS = @xml_CFLAGS@
-xml_LIBS = @xml_LIBS@
-noinst_LIBRARIES = libcrypto.a
-libcrypto_a_SOURCES = \
-libaes/aes_xcbc_mac.c libaes/aes_cbc.c libaes/aes_xcbc_mac.h libaes/aes_cbc.h libaes/aes.c libaes/aes.h \
-include/md32_common.h include/cbc_generic.h include/hmac_generic.h libblowfish/bf_skey.c libblowfish/blowfish.h \
-libblowfish/bf_pi.h libblowfish/bf_locl.h libblowfish/bf_enc.c libsha2/hmac_sha2.c libsha2/sha2.h libsha2/hmac_sha2.h \
-libsha2/sha2.c libserpent/serpent_cbc.c libserpent/serpent_cbc.h libserpent/serpent.c libserpent/serpent.h \
-libtwofish/twofish_cbc.h libtwofish/twofish_cbc.c libtwofish/twofish.c libtwofish/twofish.h libdes/des_enc.c \
-libdes/podd.h libdes/sk.h libdes/set_key.c libdes/fcrypt_b.c libdes/fcrypt.c libdes/destest.c \
-libdes/spr.h libdes/cbc_enc.c libdes/ecb_enc.c libdes/des_locl.h libdes/des_ver.h libdes/des.h
-
-INCLUDES = -I$(top_srcdir)/src/libcrypto/include
-all: all-am
-
-.SUFFIXES:
-.SUFFIXES: .c .lo .o .obj
-$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
-	@for dep in $?; do \
-	  case '$(am__configure_deps)' in \
-	    *$$dep*) \
-	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
-		&& exit 0; \
-	      exit 1;; \
-	  esac; \
-	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/libcrypto/Makefile'; \
-	cd $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu  src/libcrypto/Makefile
-.PRECIOUS: Makefile
-Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
-	@case '$?' in \
-	  *config.status*) \
-	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
-	  *) \
-	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
-	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
-	esac;
-
-$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-
-$(top_srcdir)/configure:  $(am__configure_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-
-clean-noinstLIBRARIES:
-	-test -z "$(noinst_LIBRARIES)" || rm -f $(noinst_LIBRARIES)
-libcrypto.a: $(libcrypto_a_OBJECTS) $(libcrypto_a_DEPENDENCIES) 
-	-rm -f libcrypto.a
-	$(libcrypto_a_AR) libcrypto.a $(libcrypto_a_OBJECTS) $(libcrypto_a_LIBADD)
-	$(RANLIB) libcrypto.a
-
-mostlyclean-compile:
-	-rm -f *.$(OBJEXT)
-
-distclean-compile:
-	-rm -f *.tab.c
-
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/aes.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/aes_cbc.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/aes_xcbc_mac.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bf_enc.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bf_skey.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cbc_enc.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/des_enc.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/destest.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ecb_enc.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fcrypt.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fcrypt_b.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hmac_sha2.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/serpent.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/serpent_cbc.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/set_key.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sha2.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/twofish.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/twofish_cbc.Po@am__quote@
-
-.c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
-
-.c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
-
-.c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
-
-aes_xcbc_mac.o: libaes/aes_xcbc_mac.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT aes_xcbc_mac.o -MD -MP -MF $(DEPDIR)/aes_xcbc_mac.Tpo -c -o aes_xcbc_mac.o `test -f 'libaes/aes_xcbc_mac.c' || echo '$(srcdir)/'`libaes/aes_xcbc_mac.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/aes_xcbc_mac.Tpo $(DEPDIR)/aes_xcbc_mac.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='libaes/aes_xcbc_mac.c' object='aes_xcbc_mac.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o aes_xcbc_mac.o `test -f 'libaes/aes_xcbc_mac.c' || echo '$(srcdir)/'`libaes/aes_xcbc_mac.c
-
-aes_xcbc_mac.obj: libaes/aes_xcbc_mac.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT aes_xcbc_mac.obj -MD -MP -MF $(DEPDIR)/aes_xcbc_mac.Tpo -c -o aes_xcbc_mac.obj `if test -f 'libaes/aes_xcbc_mac.c'; then $(CYGPATH_W) 'libaes/aes_xcbc_mac.c'; else $(CYGPATH_W) '$(srcdir)/libaes/aes_xcbc_mac.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/aes_xcbc_mac.Tpo $(DEPDIR)/aes_xcbc_mac.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='libaes/aes_xcbc_mac.c' object='aes_xcbc_mac.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o aes_xcbc_mac.obj `if test -f 'libaes/aes_xcbc_mac.c'; then $(CYGPATH_W) 'libaes/aes_xcbc_mac.c'; else $(CYGPATH_W) '$(srcdir)/libaes/aes_xcbc_mac.c'; fi`
-
-aes_cbc.o: libaes/aes_cbc.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT aes_cbc.o -MD -MP -MF $(DEPDIR)/aes_cbc.Tpo -c -o aes_cbc.o `test -f 'libaes/aes_cbc.c' || echo '$(srcdir)/'`libaes/aes_cbc.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/aes_cbc.Tpo $(DEPDIR)/aes_cbc.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='libaes/aes_cbc.c' object='aes_cbc.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o aes_cbc.o `test -f 'libaes/aes_cbc.c' || echo '$(srcdir)/'`libaes/aes_cbc.c
-
-aes_cbc.obj: libaes/aes_cbc.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT aes_cbc.obj -MD -MP -MF $(DEPDIR)/aes_cbc.Tpo -c -o aes_cbc.obj `if test -f 'libaes/aes_cbc.c'; then $(CYGPATH_W) 'libaes/aes_cbc.c'; else $(CYGPATH_W) '$(srcdir)/libaes/aes_cbc.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/aes_cbc.Tpo $(DEPDIR)/aes_cbc.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='libaes/aes_cbc.c' object='aes_cbc.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o aes_cbc.obj `if test -f 'libaes/aes_cbc.c'; then $(CYGPATH_W) 'libaes/aes_cbc.c'; else $(CYGPATH_W) '$(srcdir)/libaes/aes_cbc.c'; fi`
-
-aes.o: libaes/aes.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT aes.o -MD -MP -MF $(DEPDIR)/aes.Tpo -c -o aes.o `test -f 'libaes/aes.c' || echo '$(srcdir)/'`libaes/aes.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/aes.Tpo $(DEPDIR)/aes.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='libaes/aes.c' object='aes.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o aes.o `test -f 'libaes/aes.c' || echo '$(srcdir)/'`libaes/aes.c
-
-aes.obj: libaes/aes.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT aes.obj -MD -MP -MF $(DEPDIR)/aes.Tpo -c -o aes.obj `if test -f 'libaes/aes.c'; then $(CYGPATH_W) 'libaes/aes.c'; else $(CYGPATH_W) '$(srcdir)/libaes/aes.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/aes.Tpo $(DEPDIR)/aes.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='libaes/aes.c' object='aes.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o aes.obj `if test -f 'libaes/aes.c'; then $(CYGPATH_W) 'libaes/aes.c'; else $(CYGPATH_W) '$(srcdir)/libaes/aes.c'; fi`
-
-bf_skey.o: libblowfish/bf_skey.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT bf_skey.o -MD -MP -MF $(DEPDIR)/bf_skey.Tpo -c -o bf_skey.o `test -f 'libblowfish/bf_skey.c' || echo '$(srcdir)/'`libblowfish/bf_skey.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/bf_skey.Tpo $(DEPDIR)/bf_skey.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='libblowfish/bf_skey.c' object='bf_skey.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o bf_skey.o `test -f 'libblowfish/bf_skey.c' || echo '$(srcdir)/'`libblowfish/bf_skey.c
-
-bf_skey.obj: libblowfish/bf_skey.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT bf_skey.obj -MD -MP -MF $(DEPDIR)/bf_skey.Tpo -c -o bf_skey.obj `if test -f 'libblowfish/bf_skey.c'; then $(CYGPATH_W) 'libblowfish/bf_skey.c'; else $(CYGPATH_W) '$(srcdir)/libblowfish/bf_skey.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/bf_skey.Tpo $(DEPDIR)/bf_skey.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='libblowfish/bf_skey.c' object='bf_skey.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o bf_skey.obj `if test -f 'libblowfish/bf_skey.c'; then $(CYGPATH_W) 'libblowfish/bf_skey.c'; else $(CYGPATH_W) '$(srcdir)/libblowfish/bf_skey.c'; fi`
-
-bf_enc.o: libblowfish/bf_enc.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT bf_enc.o -MD -MP -MF $(DEPDIR)/bf_enc.Tpo -c -o bf_enc.o `test -f 'libblowfish/bf_enc.c' || echo '$(srcdir)/'`libblowfish/bf_enc.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/bf_enc.Tpo $(DEPDIR)/bf_enc.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='libblowfish/bf_enc.c' object='bf_enc.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o bf_enc.o `test -f 'libblowfish/bf_enc.c' || echo '$(srcdir)/'`libblowfish/bf_enc.c
-
-bf_enc.obj: libblowfish/bf_enc.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT bf_enc.obj -MD -MP -MF $(DEPDIR)/bf_enc.Tpo -c -o bf_enc.obj `if test -f 'libblowfish/bf_enc.c'; then $(CYGPATH_W) 'libblowfish/bf_enc.c'; else $(CYGPATH_W) '$(srcdir)/libblowfish/bf_enc.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/bf_enc.Tpo $(DEPDIR)/bf_enc.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='libblowfish/bf_enc.c' object='bf_enc.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o bf_enc.obj `if test -f 'libblowfish/bf_enc.c'; then $(CYGPATH_W) 'libblowfish/bf_enc.c'; else $(CYGPATH_W) '$(srcdir)/libblowfish/bf_enc.c'; fi`
-
-hmac_sha2.o: libsha2/hmac_sha2.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT hmac_sha2.o -MD -MP -MF $(DEPDIR)/hmac_sha2.Tpo -c -o hmac_sha2.o `test -f 'libsha2/hmac_sha2.c' || echo '$(srcdir)/'`libsha2/hmac_sha2.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/hmac_sha2.Tpo $(DEPDIR)/hmac_sha2.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='libsha2/hmac_sha2.c' object='hmac_sha2.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o hmac_sha2.o `test -f 'libsha2/hmac_sha2.c' || echo '$(srcdir)/'`libsha2/hmac_sha2.c
-
-hmac_sha2.obj: libsha2/hmac_sha2.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT hmac_sha2.obj -MD -MP -MF $(DEPDIR)/hmac_sha2.Tpo -c -o hmac_sha2.obj `if test -f 'libsha2/hmac_sha2.c'; then $(CYGPATH_W) 'libsha2/hmac_sha2.c'; else $(CYGPATH_W) '$(srcdir)/libsha2/hmac_sha2.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/hmac_sha2.Tpo $(DEPDIR)/hmac_sha2.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='libsha2/hmac_sha2.c' object='hmac_sha2.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o hmac_sha2.obj `if test -f 'libsha2/hmac_sha2.c'; then $(CYGPATH_W) 'libsha2/hmac_sha2.c'; else $(CYGPATH_W) '$(srcdir)/libsha2/hmac_sha2.c'; fi`
-
-sha2.o: libsha2/sha2.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sha2.o -MD -MP -MF $(DEPDIR)/sha2.Tpo -c -o sha2.o `test -f 'libsha2/sha2.c' || echo '$(srcdir)/'`libsha2/sha2.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/sha2.Tpo $(DEPDIR)/sha2.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='libsha2/sha2.c' object='sha2.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sha2.o `test -f 'libsha2/sha2.c' || echo '$(srcdir)/'`libsha2/sha2.c
-
-sha2.obj: libsha2/sha2.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sha2.obj -MD -MP -MF $(DEPDIR)/sha2.Tpo -c -o sha2.obj `if test -f 'libsha2/sha2.c'; then $(CYGPATH_W) 'libsha2/sha2.c'; else $(CYGPATH_W) '$(srcdir)/libsha2/sha2.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/sha2.Tpo $(DEPDIR)/sha2.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='libsha2/sha2.c' object='sha2.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sha2.obj `if test -f 'libsha2/sha2.c'; then $(CYGPATH_W) 'libsha2/sha2.c'; else $(CYGPATH_W) '$(srcdir)/libsha2/sha2.c'; fi`
-
-serpent_cbc.o: libserpent/serpent_cbc.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT serpent_cbc.o -MD -MP -MF $(DEPDIR)/serpent_cbc.Tpo -c -o serpent_cbc.o `test -f 'libserpent/serpent_cbc.c' || echo '$(srcdir)/'`libserpent/serpent_cbc.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/serpent_cbc.Tpo $(DEPDIR)/serpent_cbc.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='libserpent/serpent_cbc.c' object='serpent_cbc.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o serpent_cbc.o `test -f 'libserpent/serpent_cbc.c' || echo '$(srcdir)/'`libserpent/serpent_cbc.c
-
-serpent_cbc.obj: libserpent/serpent_cbc.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT serpent_cbc.obj -MD -MP -MF $(DEPDIR)/serpent_cbc.Tpo -c -o serpent_cbc.obj `if test -f 'libserpent/serpent_cbc.c'; then $(CYGPATH_W) 'libserpent/serpent_cbc.c'; else $(CYGPATH_W) '$(srcdir)/libserpent/serpent_cbc.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/serpent_cbc.Tpo $(DEPDIR)/serpent_cbc.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='libserpent/serpent_cbc.c' object='serpent_cbc.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o serpent_cbc.obj `if test -f 'libserpent/serpent_cbc.c'; then $(CYGPATH_W) 'libserpent/serpent_cbc.c'; else $(CYGPATH_W) '$(srcdir)/libserpent/serpent_cbc.c'; fi`
-
-serpent.o: libserpent/serpent.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT serpent.o -MD -MP -MF $(DEPDIR)/serpent.Tpo -c -o serpent.o `test -f 'libserpent/serpent.c' || echo '$(srcdir)/'`libserpent/serpent.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/serpent.Tpo $(DEPDIR)/serpent.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='libserpent/serpent.c' object='serpent.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o serpent.o `test -f 'libserpent/serpent.c' || echo '$(srcdir)/'`libserpent/serpent.c
-
-serpent.obj: libserpent/serpent.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT serpent.obj -MD -MP -MF $(DEPDIR)/serpent.Tpo -c -o serpent.obj `if test -f 'libserpent/serpent.c'; then $(CYGPATH_W) 'libserpent/serpent.c'; else $(CYGPATH_W) '$(srcdir)/libserpent/serpent.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/serpent.Tpo $(DEPDIR)/serpent.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='libserpent/serpent.c' object='serpent.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o serpent.obj `if test -f 'libserpent/serpent.c'; then $(CYGPATH_W) 'libserpent/serpent.c'; else $(CYGPATH_W) '$(srcdir)/libserpent/serpent.c'; fi`
-
-twofish_cbc.o: libtwofish/twofish_cbc.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT twofish_cbc.o -MD -MP -MF $(DEPDIR)/twofish_cbc.Tpo -c -o twofish_cbc.o `test -f 'libtwofish/twofish_cbc.c' || echo '$(srcdir)/'`libtwofish/twofish_cbc.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/twofish_cbc.Tpo $(DEPDIR)/twofish_cbc.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='libtwofish/twofish_cbc.c' object='twofish_cbc.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o twofish_cbc.o `test -f 'libtwofish/twofish_cbc.c' || echo '$(srcdir)/'`libtwofish/twofish_cbc.c
-
-twofish_cbc.obj: libtwofish/twofish_cbc.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT twofish_cbc.obj -MD -MP -MF $(DEPDIR)/twofish_cbc.Tpo -c -o twofish_cbc.obj `if test -f 'libtwofish/twofish_cbc.c'; then $(CYGPATH_W) 'libtwofish/twofish_cbc.c'; else $(CYGPATH_W) '$(srcdir)/libtwofish/twofish_cbc.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/twofish_cbc.Tpo $(DEPDIR)/twofish_cbc.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='libtwofish/twofish_cbc.c' object='twofish_cbc.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o twofish_cbc.obj `if test -f 'libtwofish/twofish_cbc.c'; then $(CYGPATH_W) 'libtwofish/twofish_cbc.c'; else $(CYGPATH_W) '$(srcdir)/libtwofish/twofish_cbc.c'; fi`
-
-twofish.o: libtwofish/twofish.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT twofish.o -MD -MP -MF $(DEPDIR)/twofish.Tpo -c -o twofish.o `test -f 'libtwofish/twofish.c' || echo '$(srcdir)/'`libtwofish/twofish.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/twofish.Tpo $(DEPDIR)/twofish.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='libtwofish/twofish.c' object='twofish.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o twofish.o `test -f 'libtwofish/twofish.c' || echo '$(srcdir)/'`libtwofish/twofish.c
-
-twofish.obj: libtwofish/twofish.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT twofish.obj -MD -MP -MF $(DEPDIR)/twofish.Tpo -c -o twofish.obj `if test -f 'libtwofish/twofish.c'; then $(CYGPATH_W) 'libtwofish/twofish.c'; else $(CYGPATH_W) '$(srcdir)/libtwofish/twofish.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/twofish.Tpo $(DEPDIR)/twofish.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='libtwofish/twofish.c' object='twofish.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o twofish.obj `if test -f 'libtwofish/twofish.c'; then $(CYGPATH_W) 'libtwofish/twofish.c'; else $(CYGPATH_W) '$(srcdir)/libtwofish/twofish.c'; fi`
-
-des_enc.o: libdes/des_enc.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT des_enc.o -MD -MP -MF $(DEPDIR)/des_enc.Tpo -c -o des_enc.o `test -f 'libdes/des_enc.c' || echo '$(srcdir)/'`libdes/des_enc.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/des_enc.Tpo $(DEPDIR)/des_enc.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='libdes/des_enc.c' object='des_enc.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o des_enc.o `test -f 'libdes/des_enc.c' || echo '$(srcdir)/'`libdes/des_enc.c
-
-des_enc.obj: libdes/des_enc.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT des_enc.obj -MD -MP -MF $(DEPDIR)/des_enc.Tpo -c -o des_enc.obj `if test -f 'libdes/des_enc.c'; then $(CYGPATH_W) 'libdes/des_enc.c'; else $(CYGPATH_W) '$(srcdir)/libdes/des_enc.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/des_enc.Tpo $(DEPDIR)/des_enc.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='libdes/des_enc.c' object='des_enc.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o des_enc.obj `if test -f 'libdes/des_enc.c'; then $(CYGPATH_W) 'libdes/des_enc.c'; else $(CYGPATH_W) '$(srcdir)/libdes/des_enc.c'; fi`
-
-set_key.o: libdes/set_key.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_key.o -MD -MP -MF $(DEPDIR)/set_key.Tpo -c -o set_key.o `test -f 'libdes/set_key.c' || echo '$(srcdir)/'`libdes/set_key.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/set_key.Tpo $(DEPDIR)/set_key.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='libdes/set_key.c' object='set_key.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_key.o `test -f 'libdes/set_key.c' || echo '$(srcdir)/'`libdes/set_key.c
-
-set_key.obj: libdes/set_key.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_key.obj -MD -MP -MF $(DEPDIR)/set_key.Tpo -c -o set_key.obj `if test -f 'libdes/set_key.c'; then $(CYGPATH_W) 'libdes/set_key.c'; else $(CYGPATH_W) '$(srcdir)/libdes/set_key.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/set_key.Tpo $(DEPDIR)/set_key.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='libdes/set_key.c' object='set_key.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_key.obj `if test -f 'libdes/set_key.c'; then $(CYGPATH_W) 'libdes/set_key.c'; else $(CYGPATH_W) '$(srcdir)/libdes/set_key.c'; fi`
-
-fcrypt_b.o: libdes/fcrypt_b.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT fcrypt_b.o -MD -MP -MF $(DEPDIR)/fcrypt_b.Tpo -c -o fcrypt_b.o `test -f 'libdes/fcrypt_b.c' || echo '$(srcdir)/'`libdes/fcrypt_b.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/fcrypt_b.Tpo $(DEPDIR)/fcrypt_b.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='libdes/fcrypt_b.c' object='fcrypt_b.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o fcrypt_b.o `test -f 'libdes/fcrypt_b.c' || echo '$(srcdir)/'`libdes/fcrypt_b.c
-
-fcrypt_b.obj: libdes/fcrypt_b.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT fcrypt_b.obj -MD -MP -MF $(DEPDIR)/fcrypt_b.Tpo -c -o fcrypt_b.obj `if test -f 'libdes/fcrypt_b.c'; then $(CYGPATH_W) 'libdes/fcrypt_b.c'; else $(CYGPATH_W) '$(srcdir)/libdes/fcrypt_b.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/fcrypt_b.Tpo $(DEPDIR)/fcrypt_b.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='libdes/fcrypt_b.c' object='fcrypt_b.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o fcrypt_b.obj `if test -f 'libdes/fcrypt_b.c'; then $(CYGPATH_W) 'libdes/fcrypt_b.c'; else $(CYGPATH_W) '$(srcdir)/libdes/fcrypt_b.c'; fi`
-
-fcrypt.o: libdes/fcrypt.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT fcrypt.o -MD -MP -MF $(DEPDIR)/fcrypt.Tpo -c -o fcrypt.o `test -f 'libdes/fcrypt.c' || echo '$(srcdir)/'`libdes/fcrypt.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/fcrypt.Tpo $(DEPDIR)/fcrypt.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='libdes/fcrypt.c' object='fcrypt.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o fcrypt.o `test -f 'libdes/fcrypt.c' || echo '$(srcdir)/'`libdes/fcrypt.c
-
-fcrypt.obj: libdes/fcrypt.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT fcrypt.obj -MD -MP -MF $(DEPDIR)/fcrypt.Tpo -c -o fcrypt.obj `if test -f 'libdes/fcrypt.c'; then $(CYGPATH_W) 'libdes/fcrypt.c'; else $(CYGPATH_W) '$(srcdir)/libdes/fcrypt.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/fcrypt.Tpo $(DEPDIR)/fcrypt.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='libdes/fcrypt.c' object='fcrypt.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o fcrypt.obj `if test -f 'libdes/fcrypt.c'; then $(CYGPATH_W) 'libdes/fcrypt.c'; else $(CYGPATH_W) '$(srcdir)/libdes/fcrypt.c'; fi`
-
-destest.o: libdes/destest.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT destest.o -MD -MP -MF $(DEPDIR)/destest.Tpo -c -o destest.o `test -f 'libdes/destest.c' || echo '$(srcdir)/'`libdes/destest.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/destest.Tpo $(DEPDIR)/destest.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='libdes/destest.c' object='destest.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o destest.o `test -f 'libdes/destest.c' || echo '$(srcdir)/'`libdes/destest.c
-
-destest.obj: libdes/destest.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT destest.obj -MD -MP -MF $(DEPDIR)/destest.Tpo -c -o destest.obj `if test -f 'libdes/destest.c'; then $(CYGPATH_W) 'libdes/destest.c'; else $(CYGPATH_W) '$(srcdir)/libdes/destest.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/destest.Tpo $(DEPDIR)/destest.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='libdes/destest.c' object='destest.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o destest.obj `if test -f 'libdes/destest.c'; then $(CYGPATH_W) 'libdes/destest.c'; else $(CYGPATH_W) '$(srcdir)/libdes/destest.c'; fi`
-
-cbc_enc.o: libdes/cbc_enc.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cbc_enc.o -MD -MP -MF $(DEPDIR)/cbc_enc.Tpo -c -o cbc_enc.o `test -f 'libdes/cbc_enc.c' || echo '$(srcdir)/'`libdes/cbc_enc.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/cbc_enc.Tpo $(DEPDIR)/cbc_enc.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='libdes/cbc_enc.c' object='cbc_enc.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cbc_enc.o `test -f 'libdes/cbc_enc.c' || echo '$(srcdir)/'`libdes/cbc_enc.c
-
-cbc_enc.obj: libdes/cbc_enc.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cbc_enc.obj -MD -MP -MF $(DEPDIR)/cbc_enc.Tpo -c -o cbc_enc.obj `if test -f 'libdes/cbc_enc.c'; then $(CYGPATH_W) 'libdes/cbc_enc.c'; else $(CYGPATH_W) '$(srcdir)/libdes/cbc_enc.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/cbc_enc.Tpo $(DEPDIR)/cbc_enc.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='libdes/cbc_enc.c' object='cbc_enc.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cbc_enc.obj `if test -f 'libdes/cbc_enc.c'; then $(CYGPATH_W) 'libdes/cbc_enc.c'; else $(CYGPATH_W) '$(srcdir)/libdes/cbc_enc.c'; fi`
-
-ecb_enc.o: libdes/ecb_enc.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ecb_enc.o -MD -MP -MF $(DEPDIR)/ecb_enc.Tpo -c -o ecb_enc.o `test -f 'libdes/ecb_enc.c' || echo '$(srcdir)/'`libdes/ecb_enc.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/ecb_enc.Tpo $(DEPDIR)/ecb_enc.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='libdes/ecb_enc.c' object='ecb_enc.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ecb_enc.o `test -f 'libdes/ecb_enc.c' || echo '$(srcdir)/'`libdes/ecb_enc.c
-
-ecb_enc.obj: libdes/ecb_enc.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ecb_enc.obj -MD -MP -MF $(DEPDIR)/ecb_enc.Tpo -c -o ecb_enc.obj `if test -f 'libdes/ecb_enc.c'; then $(CYGPATH_W) 'libdes/ecb_enc.c'; else $(CYGPATH_W) '$(srcdir)/libdes/ecb_enc.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/ecb_enc.Tpo $(DEPDIR)/ecb_enc.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='libdes/ecb_enc.c' object='ecb_enc.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ecb_enc.obj `if test -f 'libdes/ecb_enc.c'; then $(CYGPATH_W) 'libdes/ecb_enc.c'; else $(CYGPATH_W) '$(srcdir)/libdes/ecb_enc.c'; fi`
-
-mostlyclean-libtool:
-	-rm -f *.lo
-
-clean-libtool:
-	-rm -rf .libs _libs
-
-ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
-	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	mkid -fID $$unique
-tags: TAGS
-
-TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	tags=; \
-	here=`pwd`; \
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
-	  test -n "$$unique" || unique=$$empty_fix; \
-	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	    $$tags $$unique; \
-	fi
-ctags: CTAGS
-CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	tags=; \
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$tags$$unique" \
-	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$tags $$unique
-
-GTAGS:
-	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && cd $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) $$here
-
-distclean-tags:
-	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
-
-distdir: $(DISTFILES)
-	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	list='$(DISTFILES)'; \
-	  dist_files=`for file in $$list; do echo $$file; done | \
-	  sed -e "s|^$$srcdirstrip/||;t" \
-	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
-	case $$dist_files in \
-	  */*) $(MKDIR_P) `echo "$$dist_files" | \
-			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
-			   sort -u` ;; \
-	esac; \
-	for file in $$dist_files; do \
-	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  if test -d $$d/$$file; then \
-	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
-	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
-	    fi; \
-	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
-	  else \
-	    test -f $(distdir)/$$file \
-	    || cp -p $$d/$$file $(distdir)/$$file \
-	    || exit 1; \
-	  fi; \
-	done
-check-am: all-am
-check: check-am
-all-am: Makefile $(LIBRARIES)
-installdirs:
-install: install-am
-install-exec: install-exec-am
-install-data: install-data-am
-uninstall: uninstall-am
-
-install-am: all-am
-	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
-
-installcheck: installcheck-am
-install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
-mostlyclean-generic:
-
-clean-generic:
-
-distclean-generic:
-	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-
-maintainer-clean-generic:
-	@echo "This command is intended for maintainers to use"
-	@echo "it deletes files that may require special tools to rebuild."
-clean: clean-am
-
-clean-am: clean-generic clean-libtool clean-noinstLIBRARIES \
-	mostlyclean-am
-
-distclean: distclean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-distclean-am: clean-am distclean-compile distclean-generic \
-	distclean-tags
-
-dvi: dvi-am
-
-dvi-am:
-
-html: html-am
-
-info: info-am
-
-info-am:
-
-install-data-am:
-
-install-dvi: install-dvi-am
-
-install-exec-am:
-
-install-html: install-html-am
-
-install-info: install-info-am
-
-install-man:
-
-install-pdf: install-pdf-am
-
-install-ps: install-ps-am
-
-installcheck-am:
-
-maintainer-clean: maintainer-clean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-maintainer-clean-am: distclean-am maintainer-clean-generic
-
-mostlyclean: mostlyclean-am
-
-mostlyclean-am: mostlyclean-compile mostlyclean-generic \
-	mostlyclean-libtool
-
-pdf: pdf-am
-
-pdf-am:
-
-ps: ps-am
-
-ps-am:
-
-uninstall-am:
-
-.MAKE: install-am install-strip
-
-.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
-	clean-libtool clean-noinstLIBRARIES ctags distclean \
-	distclean-compile distclean-generic distclean-libtool \
-	distclean-tags distdir dvi dvi-am html html-am info info-am \
-	install install-am install-data install-data-am install-dvi \
-	install-dvi-am install-exec install-exec-am install-html \
-	install-html-am install-info install-info-am install-man \
-	install-pdf install-pdf-am install-ps install-ps-am \
-	install-strip installcheck installcheck-am installdirs \
-	maintainer-clean maintainer-clean-generic mostlyclean \
-	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
-	pdf pdf-am ps ps-am tags uninstall uninstall-am
-
-# Tell versions [3.59,3.63) of GNU make to not export all variables.
-# Otherwise a system limit (for SysV at least) may be exceeded.
-.NOEXPORT:
diff --git a/src/libcrypto/include/cbc_generic.h b/src/libcrypto/include/cbc_generic.h
deleted file mode 100644
index 0dd3a77d6..000000000
--- a/src/libcrypto/include/cbc_generic.h
+++ /dev/null
@@ -1,110 +0,0 @@
-#ifndef _CBC_GENERIC_H
-#define _CBC_GENERIC_H
-/*
- * CBC macro helpers
- *
- * Author: JuanJo Ciarlante <jjo-ipsec@mendoza.gov.ar>
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- * 
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- *
- */
-
-/*
- * 	Heavily inspired in loop_AES
- */
-#define CBC_IMPL_BLK16(name, ctx_type, addr_type, enc_func, dec_func) \
-int name(ctx_type *ctx, const u_int8_t * in, u_int8_t * out, int ilen, const u_int8_t * iv, int encrypt) { \
-	int ret=ilen, pos; \
-	const u_int32_t *iv_i; \
-	if ((ilen) % 16) return 0; \
-	if (encrypt) { \
-		pos=0; \
-		while(pos<ilen) { \
-			if (pos==0) \
-				iv_i=(const u_int32_t*) iv; \
-			else \
-				iv_i=(const u_int32_t*) (out-16); \
-			*((u_int32_t *)(&out[ 0])) = iv_i[0]^*((const u_int32_t *)(&in[ 0])); \
-			*((u_int32_t *)(&out[ 4])) = iv_i[1]^*((const u_int32_t *)(&in[ 4])); \
-			*((u_int32_t *)(&out[ 8])) = iv_i[2]^*((const u_int32_t *)(&in[ 8])); \
-			*((u_int32_t *)(&out[12])) = iv_i[3]^*((const u_int32_t *)(&in[12])); \
-			enc_func(ctx, (addr_type) out, (addr_type) out); \
-			in+=16; \
-			out+=16; \
-			pos+=16; \
-		} \
-	} else { \
-		pos=ilen-16; \
-		in+=pos; \
-		out+=pos; \
-		while(pos>=0) { \
-			dec_func(ctx, (const addr_type) in, (addr_type) out); \
-			if (pos==0) \
-				iv_i=(const u_int32_t*) (iv); \
-			else \
-				iv_i=(const u_int32_t*) (in-16); \
-			*((u_int32_t *)(&out[ 0])) ^= iv_i[0]; \
-			*((u_int32_t *)(&out[ 4])) ^= iv_i[1]; \
-			*((u_int32_t *)(&out[ 8])) ^= iv_i[2]; \
-			*((u_int32_t *)(&out[12])) ^= iv_i[3]; \
-			in-=16; \
-			out-=16; \
-			pos-=16; \
-		} \
-	} \
-	return ret; \
-} 
-#define CBC_IMPL_BLK8(name, ctx_type, addr_type,  enc_func, dec_func) \
-int name(ctx_type *ctx, u_int8_t * in, u_int8_t * out, int ilen, const u_int8_t * iv, int encrypt) { \
-	int ret=ilen, pos; \
-	const u_int32_t *iv_i; \
-	if ((ilen) % 8) return 0; \
-	if (encrypt) { \
-		pos=0; \
-		while(pos<ilen) { \
-			if (pos==0) \
-				iv_i=(const u_int32_t*) iv; \
-			else \
-				iv_i=(const u_int32_t*) (out-8); \
-			*((u_int32_t *)(&out[ 0])) = iv_i[0]^*((const u_int32_t *)(&in[ 0])); \
-			*((u_int32_t *)(&out[ 4])) = iv_i[1]^*((const u_int32_t *)(&in[ 4])); \
-			enc_func(ctx, (addr_type)out, (addr_type)out); \
-			in+=8; \
-			out+=8; \
-			pos+=8; \
-		} \
-	} else { \
-		pos=ilen-8; \
-		in+=pos; \
-		out+=pos; \
-		while(pos>=0) { \
-			dec_func(ctx, (const addr_type)in, (addr_type)out); \
-			if (pos==0) \
-				iv_i=(const u_int32_t*) (iv); \
-			else \
-				iv_i=(const u_int32_t*) (in-8); \
-			*((u_int32_t *)(&out[ 0])) ^= iv_i[0]; \
-			*((u_int32_t *)(&out[ 4])) ^= iv_i[1]; \
-			in-=8; \
-			out-=8; \
-			pos-=8; \
-		} \
-	} \
-	return ret; \
-} 
-#define CBC_DECL(name, ctx_type) \
-int name(ctx_type *ctx, u_int8_t * in, u_int8_t * out, int ilen, const u_int8_t * iv, int encrypt)
-/*
-Eg.:
-CBC_IMPL_BLK16(AES_cbc_encrypt, aes_context, u_int8_t *, aes_encrypt, aes_decrypt);
-CBC_DECL(AES_cbc_encrypt, aes_context);
-*/
-#endif /* _CBC_GENERIC_H */
diff --git a/src/libcrypto/include/hmac_generic.h b/src/libcrypto/include/hmac_generic.h
deleted file mode 100644
index a749228e3..000000000
--- a/src/libcrypto/include/hmac_generic.h
+++ /dev/null
@@ -1,60 +0,0 @@
-#ifndef _HMAC_GENERIC_H
-#define _HMAC_GENERIC_H
-/*
- * HMAC macro helpers
- *
- * Author: JuanJo Ciarlante <jjo-ipsec@mendoza.gov.ar>
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- * 
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- *
- */
-
-#ifndef DIVUP
-#define DIVUP(x,y) ((x + y -1) / y) /* divide, rounding upwards */
-#endif
-#ifndef HMAC_IPAD
-#define		HMAC_IPAD	0x36
-#define		HMAC_OPAD	0x5C
-#endif
-#define HMAC_SET_KEY_IMPL(func_name, hctx_t, blocksize, func_init, func_update) \
-void func_name(hctx_t *hctx, const u_int8_t * key, int keylen) { \
-	int i;\
-	u_int8_t kb[blocksize];		\
-	for (i = 0; i < DIVUP(keylen*8, 8); i++) {	\
-		kb[i] = key[i] ^ HMAC_IPAD;	\
-	}					\
-	for (; i < blocksize; i++) {		\
-		kb[i] = HMAC_IPAD;		\
-	}					\
-	func_init(&hctx->ictx);			\
-	func_update(&hctx->ictx, kb, blocksize);	\
-	for (i = 0; i < blocksize; i++) {	\
-		kb[i] ^= (HMAC_IPAD ^ HMAC_OPAD);	\
-	}					\
-	func_init(&hctx->octx);			\
-	func_update(&hctx->octx, kb, blocksize);	\
-}
-#define HMAC_HASH_IMPL(func_name, hctx_t, ctx_t, ahlen, func_update, func_result ) \
-void func_name(hctx_t *hctx, const u_int8_t * dat, int len, u_int8_t * hash, int hashlen) {	\
-	ctx_t ctx;	\
-	ctx=hctx->ictx;	\
-	if (dat) func_update(&ctx, dat, len);	\
-	if (hash) {				\
-		u_int8_t hash_buf[ahlen];			\
-		func_result(&ctx, hash_buf, ahlen);	\
-		ctx=hctx->octx;				\
-		func_update(&ctx, hash_buf, ahlen);	\
-		func_result(&ctx, hash, hashlen);	\
-		memset(&ctx, 0, sizeof (ctx));		\
-		memset(&hash_buf, 0, sizeof (hash_buf));\
-	}					\
-}
-#endif /* _HMAC_GENERIC_H */
diff --git a/src/libcrypto/include/md32_common.h b/src/libcrypto/include/md32_common.h
deleted file mode 100644
index 1a404a458..000000000
--- a/src/libcrypto/include/md32_common.h
+++ /dev/null
@@ -1,607 +0,0 @@
-/* crypto/md32_common.h */
-/* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer. 
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-/*
- * This is a generic 32 bit "collector" for message digest algorithms.
- * Whenever needed it collects input character stream into chunks of
- * 32 bit values and invokes a block function that performs actual hash
- * calculations.
- *
- * Porting guide.
- *
- * Obligatory macros:
- *
- * DATA_ORDER_IS_BIG_ENDIAN or DATA_ORDER_IS_LITTLE_ENDIAN
- *	this macro defines byte order of input stream.
- * HASH_CBLOCK
- *	size of a unit chunk HASH_BLOCK operates on.
- * HASH_LONG
- *	has to be at lest 32 bit wide, if it's wider, then
- *	HASH_LONG_LOG2 *has to* be defined along
- * HASH_CTX
- *	context structure that at least contains following
- *	members:
- *		typedef struct {
- *			...
- *			HASH_LONG	Nl,Nh;
- *			HASH_LONG	data[HASH_LBLOCK];
- *			int		num;
- *			...
- *			} HASH_CTX;
- * HASH_UPDATE
- *	name of "Update" function, implemented here.
- * HASH_TRANSFORM
- *	name of "Transform" function, implemented here.
- * HASH_FINAL
- *	name of "Final" function, implemented here.
- * HASH_BLOCK_HOST_ORDER
- *	name of "block" function treating *aligned* input message
- *	in host byte order, implemented externally.
- * HASH_BLOCK_DATA_ORDER
- *	name of "block" function treating *unaligned* input message
- *	in original (data) byte order, implemented externally (it
- *	actually is optional if data and host are of the same
- *	"endianess").
- * HASH_MAKE_STRING
- *	macro convering context variables to an ASCII hash string.
- *
- * Optional macros:
- *
- * B_ENDIAN or L_ENDIAN
- *	defines host byte-order.
- * HASH_LONG_LOG2
- *	defaults to 2 if not states otherwise.
- * HASH_LBLOCK
- *	assumed to be HASH_CBLOCK/4 if not stated otherwise.
- * HASH_BLOCK_DATA_ORDER_ALIGNED
- *	alternative "block" function capable of treating
- *	aligned input message in original (data) order,
- *	implemented externally.
- *
- * MD5 example:
- *
- *	#define DATA_ORDER_IS_LITTLE_ENDIAN
- *
- *	#define HASH_LONG		MD5_LONG
- *	#define HASH_LONG_LOG2		MD5_LONG_LOG2
- *	#define HASH_CTX		MD5_CTX
- *	#define HASH_CBLOCK		MD5_CBLOCK
- *	#define HASH_LBLOCK		MD5_LBLOCK
- *	#define HASH_UPDATE		MD5_Update
- *	#define HASH_TRANSFORM		MD5_Transform
- *	#define HASH_FINAL		MD5_Final
- *	#define HASH_BLOCK_HOST_ORDER	md5_block_host_order
- *	#define HASH_BLOCK_DATA_ORDER	md5_block_data_order
- *
- *					<appro@fy.chalmers.se>
- */
-
-#if !defined(DATA_ORDER_IS_BIG_ENDIAN) && !defined(DATA_ORDER_IS_LITTLE_ENDIAN)
-#error "DATA_ORDER must be defined!"
-#endif
-
-#ifndef HASH_CBLOCK
-#error "HASH_CBLOCK must be defined!"
-#endif
-#ifndef HASH_LONG
-#error "HASH_LONG must be defined!"
-#endif
-#ifndef HASH_CTX
-#error "HASH_CTX must be defined!"
-#endif
-
-#ifndef HASH_UPDATE
-#error "HASH_UPDATE must be defined!"
-#endif
-#ifndef HASH_TRANSFORM
-#error "HASH_TRANSFORM must be defined!"
-#endif
-#ifndef HASH_FINAL
-#error "HASH_FINAL must be defined!"
-#endif
-
-#ifndef HASH_BLOCK_HOST_ORDER
-#error "HASH_BLOCK_HOST_ORDER must be defined!"
-#endif
-
-#if 0
-/*
- * Moved below as it's required only if HASH_BLOCK_DATA_ORDER_ALIGNED
- * isn't defined.
- */
-#ifndef HASH_BLOCK_DATA_ORDER
-#error "HASH_BLOCK_DATA_ORDER must be defined!"
-#endif
-#endif
-
-#ifndef HASH_LBLOCK
-#define HASH_LBLOCK	(HASH_CBLOCK/4)
-#endif
-
-#ifndef HASH_LONG_LOG2
-#define HASH_LONG_LOG2	2
-#endif
-
-/*
- * Engage compiler specific rotate intrinsic function if available.
- */
-#undef ROTATE
-#ifndef PEDANTIC
-# if defined(_MSC_VER)
-#  define ROTATE(a,n)	_lrotl(a,n)
-# elif defined(__MWERKS__)
-#  if defined(__POWERPC__)
-#   define ROTATE(a,n)	__rlwinm(a,n,0,31)
-#  elif defined(__MC68K__)
-    /* Motorola specific tweak. <appro@fy.chalmers.se> */
-#   define ROTATE(a,n)	( n<24 ? __rol(a,n) : __ror(a,32-n) )
-#  else
-#   define ROTATE(a,n)	__rol(a,n)
-#  endif
-# elif defined(__GNUC__) && __GNUC__>=2 && !defined(NO_ASM) && !defined(NO_INLINE_ASM)
-  /*
-   * Some GNU C inline assembler templates. Note that these are
-   * rotates by *constant* number of bits! But that's exactly
-   * what we need here...
-   *
-   * 					<appro@fy.chalmers.se>
-   */
-#  if defined(__i386)
-#   define ROTATE(a,n)	({ register unsigned int ret;	\
-				asm (			\
-				"roll %1,%0"		\
-				: "=r"(ret)		\
-				: "I"(n), "0"(a)	\
-				: "cc");		\
-			   ret;				\
-			})
-#  elif defined(__powerpc) || defined(__ppc)
-#   define ROTATE(a,n)	({ register unsigned int ret;	\
-				asm (			\
-				"rlwinm %0,%1,%2,0,31"	\
-				: "=r"(ret)		\
-				: "r"(a), "I"(n));	\
-			   ret;				\
-			})
-#  endif
-# endif
-
-/*
- * Engage compiler specific "fetch in reverse byte order"
- * intrinsic function if available.
- */
-# if defined(__GNUC__) && __GNUC__>=2 && !defined(NO_ASM) && !defined(NO_INLINE_ASM)
-  /* some GNU C inline assembler templates by <appro@fy.chalmers.se> */
-#  if defined(__i386) && !defined(I386_ONLY)
-#   define BE_FETCH32(a)	({ register unsigned int l=(a);\
-				asm (			\
-				"bswapl %0"		\
-				: "=r"(l) : "0"(l));	\
-			  l;				\
-			})
-#  elif defined(__powerpc)
-#   define LE_FETCH32(a)	({ register unsigned int l;	\
-				asm (			\
-				"lwbrx %0,0,%1"		\
-				: "=r"(l)		\
-				: "r"(a));		\
-			   l;				\
-			})
-
-#  elif defined(__sparc) && defined(ULTRASPARC)
-#  define LE_FETCH32(a)	({ register unsigned int l;		\
-				asm (				\
-				"lda [%1]#ASI_PRIMARY_LITTLE,%0"\
-				: "=r"(l)			\
-				: "r"(a));			\
-			   l;					\
-			})
-#  endif
-# endif
-#endif /* PEDANTIC */
-
-#if HASH_LONG_LOG2==2	/* Engage only if sizeof(HASH_LONG)== 4 */
-/* A nice byte order reversal from Wei Dai <weidai@eskimo.com> */
-#ifdef ROTATE
-/* 5 instructions with rotate instruction, else 9 */
-#define REVERSE_FETCH32(a,l)	(					\
-		l=*(const HASH_LONG *)(a),				\
-		((ROTATE(l,8)&0x00FF00FF)|(ROTATE((l&0x00FF00FF),24)))	\
-				)
-#else
-/* 6 instructions with rotate instruction, else 8 */
-#define REVERSE_FETCH32(a,l)	(				\
-		l=*(const HASH_LONG *)(a),			\
-		l=(((l>>8)&0x00FF00FF)|((l&0x00FF00FF)<<8)),	\
-		ROTATE(l,16)					\
-				)
-/*
- * Originally the middle line started with l=(((l&0xFF00FF00)>>8)|...
- * It's rewritten as above for two reasons:
- *	- RISCs aren't good at long constants and have to explicitely
- *	  compose 'em with several (well, usually 2) instructions in a
- *	  register before performing the actual operation and (as you
- *	  already realized:-) having same constant should inspire the
- *	  compiler to permanently allocate the only register for it;
- *	- most modern CPUs have two ALUs, but usually only one has
- *	  circuitry for shifts:-( this minor tweak inspires compiler
- *	  to schedule shift instructions in a better way...
- *
- *				<appro@fy.chalmers.se>
- */
-#endif
-#endif
-
-#ifndef ROTATE
-#define ROTATE(a,n)     (((a)<<(n))|(((a)&0xffffffff)>>(32-(n))))
-#endif
-
-/*
- * Make some obvious choices. E.g., HASH_BLOCK_DATA_ORDER_ALIGNED
- * and HASH_BLOCK_HOST_ORDER ought to be the same if input data
- * and host are of the same "endianess". It's possible to mask
- * this with blank #define HASH_BLOCK_DATA_ORDER though...
- *
- *				<appro@fy.chalmers.se>
- */
-#if defined(B_ENDIAN)
-#  if defined(DATA_ORDER_IS_BIG_ENDIAN)
-#    if !defined(HASH_BLOCK_DATA_ORDER_ALIGNED) && HASH_LONG_LOG2==2
-#      define HASH_BLOCK_DATA_ORDER_ALIGNED	HASH_BLOCK_HOST_ORDER
-#    endif
-#  elif defined(DATA_ORDER_IS_LITTLE_ENDIAN)
-#    ifndef HOST_FETCH32
-#      ifdef LE_FETCH32
-#        define HOST_FETCH32(p,l)	LE_FETCH32(p)
-#      elif defined(REVERSE_FETCH32)
-#        define HOST_FETCH32(p,l)	REVERSE_FETCH32(p,l)
-#      endif
-#    endif
-#  endif
-#elif defined(L_ENDIAN)
-#  if defined(DATA_ORDER_IS_LITTLE_ENDIAN)
-#    if !defined(HASH_BLOCK_DATA_ORDER_ALIGNED) && HASH_LONG_LOG2==2
-#      define HASH_BLOCK_DATA_ORDER_ALIGNED	HASH_BLOCK_HOST_ORDER
-#    endif
-#  elif defined(DATA_ORDER_IS_BIG_ENDIAN)
-#    ifndef HOST_FETCH32
-#      ifdef BE_FETCH32
-#        define HOST_FETCH32(p,l)	BE_FETCH32(p)
-#      elif defined(REVERSE_FETCH32)
-#        define HOST_FETCH32(p,l)	REVERSE_FETCH32(p,l)
-#      endif
-#    endif
-#  endif
-#endif
-
-#if !defined(HASH_BLOCK_DATA_ORDER_ALIGNED)
-#ifndef HASH_BLOCK_DATA_ORDER
-#error "HASH_BLOCK_DATA_ORDER must be defined!"
-#endif
-#endif
-
-#if defined(DATA_ORDER_IS_BIG_ENDIAN)
-
-#define HOST_c2l(c,l)	(l =(((unsigned long)(*((c)++)))<<24),		\
-			 l|=(((unsigned long)(*((c)++)))<<16),		\
-			 l|=(((unsigned long)(*((c)++)))<< 8),		\
-			 l|=(((unsigned long)(*((c)++)))    ),		\
-			 l)
-#define HOST_p_c2l(c,l,n)	{					\
-			switch (n) {					\
-			case 0: l =((unsigned long)(*((c)++)))<<24;	\
-			case 1: l|=((unsigned long)(*((c)++)))<<16;	\
-			case 2: l|=((unsigned long)(*((c)++)))<< 8;	\
-			case 3: l|=((unsigned long)(*((c)++)));		\
-				} }
-#define HOST_p_c2l_p(c,l,sc,len) {					\
-			switch (sc) {					\
-			case 0: l =((unsigned long)(*((c)++)))<<24;	\
-				if (--len == 0) break;			\
-			case 1: l|=((unsigned long)(*((c)++)))<<16;	\
-				if (--len == 0) break;			\
-			case 2: l|=((unsigned long)(*((c)++)))<< 8;	\
-				} }
-/* NOTE the pointer is not incremented at the end of this */
-#define HOST_c2l_p(c,l,n)	{					\
-			l=0; (c)+=n;					\
-			switch (n) {					\
-			case 3: l =((unsigned long)(*(--(c))))<< 8;	\
-			case 2: l|=((unsigned long)(*(--(c))))<<16;	\
-			case 1: l|=((unsigned long)(*(--(c))))<<24;	\
-				} }
-#define HOST_l2c(l,c)	(*((c)++)=(unsigned char)(((l)>>24)&0xff),	\
-			 *((c)++)=(unsigned char)(((l)>>16)&0xff),	\
-			 *((c)++)=(unsigned char)(((l)>> 8)&0xff),	\
-			 *((c)++)=(unsigned char)(((l)    )&0xff),	\
-			 l)
-
-#elif defined(DATA_ORDER_IS_LITTLE_ENDIAN)
-
-#define HOST_c2l(c,l)	(l =(((unsigned long)(*((c)++)))    ),		\
-			 l|=(((unsigned long)(*((c)++)))<< 8),		\
-			 l|=(((unsigned long)(*((c)++)))<<16),		\
-			 l|=(((unsigned long)(*((c)++)))<<24),		\
-			 l)
-#define HOST_p_c2l(c,l,n)	{					\
-			switch (n) {					\
-			case 0: l =((unsigned long)(*((c)++)));		\
-			case 1: l|=((unsigned long)(*((c)++)))<< 8;	\
-			case 2: l|=((unsigned long)(*((c)++)))<<16;	\
-			case 3: l|=((unsigned long)(*((c)++)))<<24;	\
-				} }
-#define HOST_p_c2l_p(c,l,sc,len) {					\
-			switch (sc) {					\
-			case 0: l =((unsigned long)(*((c)++)));		\
-				if (--len == 0) break;			\
-			case 1: l|=((unsigned long)(*((c)++)))<< 8;	\
-				if (--len == 0) break;			\
-			case 2: l|=((unsigned long)(*((c)++)))<<16;	\
-				} }
-/* NOTE the pointer is not incremented at the end of this */
-#define HOST_c2l_p(c,l,n)	{					\
-			l=0; (c)+=n;					\
-			switch (n) {					\
-			case 3: l =((unsigned long)(*(--(c))))<<16;	\
-			case 2: l|=((unsigned long)(*(--(c))))<< 8;	\
-			case 1: l|=((unsigned long)(*(--(c))));		\
-				} }
-#define HOST_l2c(l,c)	(*((c)++)=(unsigned char)(((l)    )&0xff),	\
-			 *((c)++)=(unsigned char)(((l)>> 8)&0xff),	\
-			 *((c)++)=(unsigned char)(((l)>>16)&0xff),	\
-			 *((c)++)=(unsigned char)(((l)>>24)&0xff),	\
-			 l)
-
-#endif
-
-/*
- * Time for some action:-)
- */
-
-void HASH_UPDATE (HASH_CTX *c, const void *data_, unsigned long len)
-	{
-	const unsigned char *data=data_;
-	register HASH_LONG * p;
-	register unsigned long l;
-	int sw,sc,ew,ec;
-
-	if (len==0) return;
-
-	l=(c->Nl+(len<<3))&0xffffffffL;
-	/* 95-05-24 eay Fixed a bug with the overflow handling, thanks to
-	 * Wei Dai <weidai@eskimo.com> for pointing it out. */
-	if (l < c->Nl) /* overflow */
-		c->Nh++;
-	c->Nh+=(len>>29);
-	c->Nl=l;
-
-	if (c->num != 0)
-		{
-		p=c->data;
-		sw=c->num>>2;
-		sc=c->num&0x03;
-
-		if ((c->num+len) >= HASH_CBLOCK)
-			{
-			l=p[sw]; HOST_p_c2l(data,l,sc); p[sw++]=l;
-			for (; sw<HASH_LBLOCK; sw++)
-				{
-				HOST_c2l(data,l); p[sw]=l;
-				}
-			HASH_BLOCK_HOST_ORDER (c,p,1);
-			len-=(HASH_CBLOCK-c->num);
-			c->num=0;
-			/* drop through and do the rest */
-			}
-		else
-			{
-			c->num+=len;
-			if ((sc+len) < 4) /* ugly, add char's to a word */
-				{
-				l=p[sw]; HOST_p_c2l_p(data,l,sc,len); p[sw]=l;
-				}
-			else
-				{
-				ew=(c->num>>2);
-				ec=(c->num&0x03);
-				l=p[sw]; HOST_p_c2l(data,l,sc); p[sw++]=l;
-				for (; sw < ew; sw++)
-					{
-					HOST_c2l(data,l); p[sw]=l;
-					}
-				if (ec)
-					{
-					HOST_c2l_p(data,l,ec); p[sw]=l;
-					}
-				}
-			return;
-			}
-		}
-
-	sw=len/HASH_CBLOCK;
-	if (sw > 0)
-		{
-#if defined(HASH_BLOCK_DATA_ORDER_ALIGNED)
-		/*
-		 * Note that HASH_BLOCK_DATA_ORDER_ALIGNED gets defined
-		 * only if sizeof(HASH_LONG)==4.
-		 */
-		if ((((unsigned long)data)%4) == 0)
-			{
-			/* data is properly aligned so that we can cast it: */
-			HASH_BLOCK_DATA_ORDER_ALIGNED (c,(HASH_LONG *)data,sw);
-			sw*=HASH_CBLOCK;
-			data+=sw;
-			len-=sw;
-			}
-		else
-#if !defined(HASH_BLOCK_DATA_ORDER)
-			while (sw--)
-				{
-				memcpy (p=c->data,data,HASH_CBLOCK);
-				HASH_BLOCK_DATA_ORDER_ALIGNED(c,p,1);
-				data+=HASH_CBLOCK;
-				len-=HASH_CBLOCK;
-				}
-#endif
-#endif
-#if defined(HASH_BLOCK_DATA_ORDER)
-			{
-			HASH_BLOCK_DATA_ORDER(c,data,sw);
-			sw*=HASH_CBLOCK;
-			data+=sw;
-			len-=sw;
-			}
-#endif
-		}
-
-	if (len!=0)
-		{
-		p = c->data;
-		c->num = len;
-		ew=len>>2;	/* words to copy */
-		ec=len&0x03;
-		for (; ew; ew--,p++)
-			{
-			HOST_c2l(data,l); *p=l;
-			}
-		HOST_c2l_p(data,l,ec);
-		*p=l;
-		}
-	}
-
-
-void HASH_TRANSFORM (HASH_CTX *c, const unsigned char *data)
-	{
-#if defined(HASH_BLOCK_DATA_ORDER_ALIGNED)
-	if ((((unsigned long)data)%4) == 0)
-		/* data is properly aligned so that we can cast it: */
-		HASH_BLOCK_DATA_ORDER_ALIGNED (c,(HASH_LONG *)data,1);
-	else
-#if !defined(HASH_BLOCK_DATA_ORDER)
-		{
-		memcpy (c->data,data,HASH_CBLOCK);
-		HASH_BLOCK_DATA_ORDER_ALIGNED (c,c->data,1);
-		}
-#endif
-#endif
-#if defined(HASH_BLOCK_DATA_ORDER)
-	HASH_BLOCK_DATA_ORDER (c,data,1);
-#endif
-	}
-
-
-void HASH_FINAL (unsigned char *md, HASH_CTX *c)
-	{
-	register HASH_LONG *p;
-	register unsigned long l;
-	register int i,j;
-	static const unsigned char end[4]={0x80,0x00,0x00,0x00};
-	const unsigned char *cp=end;
-
-	/* c->num should definitly have room for at least one more byte. */
-	p=c->data;
-	i=c->num>>2;
-	j=c->num&0x03;
-
-#if 0
-	/* purify often complains about the following line as an
-	 * Uninitialized Memory Read.  While this can be true, the
-	 * following p_c2l macro will reset l when that case is true.
-	 * This is because j&0x03 contains the number of 'valid' bytes
-	 * already in p[i].  If and only if j&0x03 == 0, the UMR will
-	 * occur but this is also the only time p_c2l will do
-	 * l= *(cp++) instead of l|= *(cp++)
-	 * Many thanks to Alex Tang <altitude@cic.net> for pickup this
-	 * 'potential bug' */
-#ifdef PURIFY
-	if (j==0) p[i]=0; /* Yeah, but that's not the way to fix it:-) */
-#endif
-	l=p[i];
-#else
-	l = (j==0) ? 0 : p[i];
-#endif
-	HOST_p_c2l(cp,l,j); p[i++]=l; /* i is the next 'undefined word' */
-
-	if (i>(HASH_LBLOCK-2)) /* save room for Nl and Nh */
-		{
-		if (i<HASH_LBLOCK) p[i]=0;
-		HASH_BLOCK_HOST_ORDER (c,p,1);
-		i=0;
-		}
-	for (; i<(HASH_LBLOCK-2); i++)
-		p[i]=0;
-
-#if   defined(DATA_ORDER_IS_BIG_ENDIAN)
-	p[HASH_LBLOCK-2]=c->Nh;
-	p[HASH_LBLOCK-1]=c->Nl;
-#elif defined(DATA_ORDER_IS_LITTLE_ENDIAN)
-	p[HASH_LBLOCK-2]=c->Nl;
-	p[HASH_LBLOCK-1]=c->Nh;
-#endif
-	HASH_BLOCK_HOST_ORDER (c,p,1);
-
-#ifndef HASH_MAKE_STRING
-#error "HASH_MAKE_STRING must be defined!"
-#else
-	HASH_MAKE_STRING(c,md);
-#endif
-
-	c->num=0;
-	/* clear stuff, HASH_BLOCK may be leaving some stuff on the stack
-	 * but I'm not worried :-)
-	memset((void *)c,0,sizeof(HASH_CTX));
-	 */
-	}
diff --git a/src/libcrypto/libaes/aes.c b/src/libcrypto/libaes/aes.c
deleted file mode 100644
index 1748119ac..000000000
--- a/src/libcrypto/libaes/aes.c
+++ /dev/null
@@ -1,1415 +0,0 @@
-// I retain copyright in this code but I encourage its free use provided
-// that I don't carry any responsibility for the results. I am especially 
-// happy to see it used in free and open source software. If you do use 
-// it I would appreciate an acknowledgement of its origin in the code or
-// the product that results and I would also appreciate knowing a little
-// about the use to which it is being put. I am grateful to Frank Yellin
-// for some ideas that are used in this implementation.
-//
-// Dr B. R. Gladman <brg@gladman.uk.net> 6th April 2001.
-//
-// This is an implementation of the AES encryption algorithm (Rijndael)
-// designed by Joan Daemen and Vincent Rijmen. This version is designed
-// to provide both fixed and dynamic block and key lengths and can also 
-// run with either big or little endian internal byte order (see aes.h). 
-// It inputs block and key lengths in bytes with the legal values being 
-// 16, 24 and 32.
-
-/*
- * Modified by Jari Ruusu,  May 1 2001
- *  - Fixed some compile warnings, code was ok but gcc warned anyway.
- *  - Changed basic types: byte -> unsigned char, word -> u_int32_t
- *  - Major name space cleanup: Names visible to outside now begin
- *    with "aes_" or "AES_". A lot of stuff moved from aes.h to aes.c
- *  - Removed C++ and DLL support as part of name space cleanup.
- *  - Eliminated unnecessary recomputation of tables. (actual bug fix)
- *  - Merged precomputed constant tables to aes.c file.
- *  - Removed data alignment restrictions for portability reasons.
- *  - Made block and key lengths accept bit count (128/192/256)
- *    as well byte count (16/24/32).
- *  - Removed all error checks. This change also eliminated the need
- *    to preinitialize the context struct to zero.
- *  - Removed some totally unused constants.
- */
-
-#include "aes.h"
-
-// CONFIGURATION OPTIONS (see also aes.h)
-//
-// 1.  Define UNROLL for full loop unrolling in encryption and decryption.
-// 2.  Define PARTIAL_UNROLL to unroll two loops in encryption and decryption.
-// 3.  Define FIXED_TABLES for compiled rather than dynamic tables.
-// 4.  Define FF_TABLES to use tables for field multiplies and inverses.
-//     Do not enable this without understanding stack space requirements.
-// 5.  Define ARRAYS to use arrays to hold the local state block. If this
-//     is not defined, individually declared 32-bit words are used.
-// 6.  Define FAST_VARIABLE if a high speed variable block implementation
-//     is needed (essentially three separate fixed block size code sequences)
-// 7.  Define either ONE_TABLE or FOUR_TABLES for a fast table driven 
-//     version using 1 table (2 kbytes of table space) or 4 tables (8
-//     kbytes of table space) for higher speed.
-// 8.  Define either ONE_LR_TABLE or FOUR_LR_TABLES for a further speed 
-//     increase by using tables for the last rounds but with more table
-//     space (2 or 8 kbytes extra).
-// 9.  If neither ONE_TABLE nor FOUR_TABLES is defined, a compact but 
-//     slower version is provided.
-// 10. If fast decryption key scheduling is needed define ONE_IM_TABLE
-//     or FOUR_IM_TABLES for higher speed (2 or 8 kbytes extra).
-
-#define UNROLL
-//#define PARTIAL_UNROLL
-
-#define FIXED_TABLES
-//#define FF_TABLES
-//#define ARRAYS
-#define FAST_VARIABLE
-
-//#define ONE_TABLE
-#define FOUR_TABLES
-
-//#define ONE_LR_TABLE
-#define FOUR_LR_TABLES
-
-//#define ONE_IM_TABLE
-#define FOUR_IM_TABLES
-
-#if defined(UNROLL) && defined (PARTIAL_UNROLL)
-#error both UNROLL and PARTIAL_UNROLL are defined
-#endif
-
-#if defined(ONE_TABLE) && defined (FOUR_TABLES)
-#error both ONE_TABLE and FOUR_TABLES are defined
-#endif
-
-#if defined(ONE_LR_TABLE) && defined (FOUR_LR_TABLES)
-#error both ONE_LR_TABLE and FOUR_LR_TABLES are defined
-#endif
-
-#if defined(ONE_IM_TABLE) && defined (FOUR_IM_TABLES)
-#error both ONE_IM_TABLE and FOUR_IM_TABLES are defined
-#endif
-
-#if defined(AES_BLOCK_SIZE) && AES_BLOCK_SIZE != 16 && AES_BLOCK_SIZE != 24 && AES_BLOCK_SIZE != 32
-#error an illegal block size has been specified
-#endif  
-
-// upr(x,n): rotates bytes within words by n positions, moving bytes 
-// to higher index positions with wrap around into low positions
-// ups(x,n): moves bytes by n positions to higher index positions in 
-// words but without wrap around
-// bval(x,n): extracts a byte from a word
-
-#define upr(x,n)        (((x) << 8 * (n)) | ((x) >> (32 - 8 * (n))))
-#define ups(x,n)        ((x) << 8 * (n))
-#define bval(x,n)       ((unsigned char)((x) >> 8 * (n)))
-#define bytes2word(b0, b1, b2, b3)  \
-        ((u_int32_t)(b3) << 24 | (u_int32_t)(b2) << 16 | (u_int32_t)(b1) << 8 | (b0))
-
-
-/* little endian processor without data alignment restrictions: AES_LE_OK */
-/* original code: i386 */
-#if defined(i386) || defined(_I386) || defined(__i386__) || defined(__i386) 
-#define	AES_LE_OK 1
-/* added (tested): alpha  --jjo */
-#elif defined(__alpha__)|| defined (__alpha)
-#define AES_LE_OK 1
-/* added (tested): ia64  --jjo */
-#elif defined(__ia64__)|| defined (__ia64)
-#define AES_LE_OK 1
-#endif
-
-#ifdef AES_LE_OK
-/* little endian processor without data alignment restrictions */
-#define word_in(x)      *(u_int32_t*)(x)
-#define const_word_in(x)      *(const u_int32_t*)(x)
-#define word_out(x,v)   *(u_int32_t*)(x) = (v)
-#define const_word_out(x,v)   *(const u_int32_t*)(x) = (v)
-#else
-/* slower but generic big endian or with data alignment restrictions */
-/* some additional "const" touches to stop "gcc -Wcast-qual" complains --jjo */
-#define word_in(x)      ((u_int32_t)(((unsigned char *)(x))[0])|((u_int32_t)(((unsigned char *)(x))[1])<<8)|((u_int32_t)(((unsigned char *)(x))[2])<<16)|((u_int32_t)(((unsigned char *)(x))[3])<<24))
-#define const_word_in(x)      ((const u_int32_t)(((const unsigned char *)(x))[0])|((const u_int32_t)(((const unsigned char *)(x))[1])<<8)|((const u_int32_t)(((const unsigned char *)(x))[2])<<16)|((const u_int32_t)(((const unsigned char *)(x))[3])<<24))
-#define word_out(x,v)   ((unsigned char *)(x))[0]=(v),((unsigned char *)(x))[1]=((v)>>8),((unsigned char *)(x))[2]=((v)>>16),((unsigned char *)(x))[3]=((v)>>24)
-#define const_word_out(x,v)   ((const unsigned char *)(x))[0]=(v),((const unsigned char *)(x))[1]=((v)>>8),((const unsigned char *)(x))[2]=((v)>>16),((const unsigned char *)(x))[3]=((v)>>24)
-#endif
-
-// Disable at least some poor combinations of options
-
-#if !defined(ONE_TABLE) && !defined(FOUR_TABLES)
-#define FIXED_TABLES
-#undef  UNROLL
-#undef  ONE_LR_TABLE
-#undef  FOUR_LR_TABLES
-#undef  ONE_IM_TABLE
-#undef  FOUR_IM_TABLES
-#elif !defined(FOUR_TABLES)
-#ifdef  FOUR_LR_TABLES
-#undef  FOUR_LR_TABLES
-#define ONE_LR_TABLE
-#endif
-#ifdef  FOUR_IM_TABLES
-#undef  FOUR_IM_TABLES
-#define ONE_IM_TABLE
-#endif
-#elif !defined(AES_BLOCK_SIZE)
-#if defined(UNROLL)
-#define PARTIAL_UNROLL
-#undef UNROLL
-#endif
-#endif
-
-// the finite field modular polynomial and elements
-
-#define ff_poly 0x011b
-#define ff_hi   0x80
-
-// multiply four bytes in GF(2^8) by 'x' {02} in parallel
-
-#define m1  0x80808080
-#define m2  0x7f7f7f7f
-#define m3  0x0000001b
-#define FFmulX(x)  ((((x) & m2) << 1) ^ ((((x) & m1) >> 7) * m3))
-
-// The following defines provide alternative definitions of FFmulX that might
-// give improved performance if a fast 32-bit multiply is not available. Note
-// that a temporary variable u needs to be defined where FFmulX is used.
-
-// #define FFmulX(x) (u = (x) & m1, u |= (u >> 1), ((x) & m2) << 1) ^ ((u >> 3) | (u >> 6)) 
-// #define m4  0x1b1b1b1b
-// #define FFmulX(x) (u = (x) & m1, ((x) & m2) << 1) ^ ((u - (u >> 7)) & m4) 
-
-// perform column mix operation on four bytes in parallel
-
-#define fwd_mcol(x) (f2 = FFmulX(x), f2 ^ upr(x ^ f2,3) ^ upr(x,2) ^ upr(x,1))
-
-#if defined(FIXED_TABLES)
-
-// the S-Box table
-
-static const unsigned char s_box[256] =
-{
-    0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5,
-    0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76,
-    0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0,
-    0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0,
-    0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc,
-    0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15,
-    0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a,
-    0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75,
-    0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0,
-    0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84,
-    0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b,
-    0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf,
-    0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85,
-    0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8,
-    0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5,
-    0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2,
-    0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17,
-    0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73,
-    0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88,
-    0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb,
-    0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c,
-    0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79,
-    0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9,
-    0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08,
-    0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6,
-    0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a,
-    0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e,
-    0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e,
-    0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94,
-    0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf,
-    0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68,
-    0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16
-};
-
-// the inverse S-Box table
-
-static const unsigned char inv_s_box[256] =
-{
-    0x52, 0x09, 0x6a, 0xd5, 0x30, 0x36, 0xa5, 0x38,
-    0xbf, 0x40, 0xa3, 0x9e, 0x81, 0xf3, 0xd7, 0xfb,
-    0x7c, 0xe3, 0x39, 0x82, 0x9b, 0x2f, 0xff, 0x87,
-    0x34, 0x8e, 0x43, 0x44, 0xc4, 0xde, 0xe9, 0xcb,
-    0x54, 0x7b, 0x94, 0x32, 0xa6, 0xc2, 0x23, 0x3d,
-    0xee, 0x4c, 0x95, 0x0b, 0x42, 0xfa, 0xc3, 0x4e,
-    0x08, 0x2e, 0xa1, 0x66, 0x28, 0xd9, 0x24, 0xb2,
-    0x76, 0x5b, 0xa2, 0x49, 0x6d, 0x8b, 0xd1, 0x25,
-    0x72, 0xf8, 0xf6, 0x64, 0x86, 0x68, 0x98, 0x16,
-    0xd4, 0xa4, 0x5c, 0xcc, 0x5d, 0x65, 0xb6, 0x92,
-    0x6c, 0x70, 0x48, 0x50, 0xfd, 0xed, 0xb9, 0xda,
-    0x5e, 0x15, 0x46, 0x57, 0xa7, 0x8d, 0x9d, 0x84,
-    0x90, 0xd8, 0xab, 0x00, 0x8c, 0xbc, 0xd3, 0x0a,
-    0xf7, 0xe4, 0x58, 0x05, 0xb8, 0xb3, 0x45, 0x06,
-    0xd0, 0x2c, 0x1e, 0x8f, 0xca, 0x3f, 0x0f, 0x02,
-    0xc1, 0xaf, 0xbd, 0x03, 0x01, 0x13, 0x8a, 0x6b,
-    0x3a, 0x91, 0x11, 0x41, 0x4f, 0x67, 0xdc, 0xea,
-    0x97, 0xf2, 0xcf, 0xce, 0xf0, 0xb4, 0xe6, 0x73,
-    0x96, 0xac, 0x74, 0x22, 0xe7, 0xad, 0x35, 0x85,
-    0xe2, 0xf9, 0x37, 0xe8, 0x1c, 0x75, 0xdf, 0x6e,
-    0x47, 0xf1, 0x1a, 0x71, 0x1d, 0x29, 0xc5, 0x89,
-    0x6f, 0xb7, 0x62, 0x0e, 0xaa, 0x18, 0xbe, 0x1b,
-    0xfc, 0x56, 0x3e, 0x4b, 0xc6, 0xd2, 0x79, 0x20,
-    0x9a, 0xdb, 0xc0, 0xfe, 0x78, 0xcd, 0x5a, 0xf4,
-    0x1f, 0xdd, 0xa8, 0x33, 0x88, 0x07, 0xc7, 0x31,
-    0xb1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xec, 0x5f,
-    0x60, 0x51, 0x7f, 0xa9, 0x19, 0xb5, 0x4a, 0x0d,
-    0x2d, 0xe5, 0x7a, 0x9f, 0x93, 0xc9, 0x9c, 0xef,
-    0xa0, 0xe0, 0x3b, 0x4d, 0xae, 0x2a, 0xf5, 0xb0,
-    0xc8, 0xeb, 0xbb, 0x3c, 0x83, 0x53, 0x99, 0x61,
-    0x17, 0x2b, 0x04, 0x7e, 0xba, 0x77, 0xd6, 0x26,
-    0xe1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0c, 0x7d
-};
-
-#define w0(p)          0x000000##p
-
-// Number of elements required in this table for different
-// block and key lengths is:
-//
-// Nk =      4  6  8
-//        ----------
-// Nb = 4 | 10  8  7
-//      6 | 19 12 11
-//      8 | 29 19 14
-//
-// this table can be a table of bytes if the key schedule
-// code is adjusted accordingly
-
-static const u_int32_t rcon_tab[29] =
-{
-    w0(01), w0(02), w0(04), w0(08),
-    w0(10), w0(20), w0(40), w0(80),
-    w0(1b), w0(36), w0(6c), w0(d8),
-    w0(ab), w0(4d), w0(9a), w0(2f),
-    w0(5e), w0(bc), w0(63), w0(c6),
-    w0(97), w0(35), w0(6a), w0(d4),
-    w0(b3), w0(7d), w0(fa), w0(ef),
-    w0(c5)
-};
-
-#undef  w0
-
-#define r0(p,q,r,s) 0x##p##q##r##s
-#define r1(p,q,r,s) 0x##q##r##s##p
-#define r2(p,q,r,s) 0x##r##s##p##q
-#define r3(p,q,r,s) 0x##s##p##q##r
-#define w0(p)          0x000000##p
-#define w1(p)        0x0000##p##00
-#define w2(p)        0x00##p##0000
-#define w3(p)        0x##p##000000
-
-#if defined(FIXED_TABLES) && (defined(ONE_TABLE) || defined(FOUR_TABLES)) 
-
-//  data for forward tables (other than last round)
-
-#define f_table \
-    r(a5,63,63,c6), r(84,7c,7c,f8), r(99,77,77,ee), r(8d,7b,7b,f6),\
-    r(0d,f2,f2,ff), r(bd,6b,6b,d6), r(b1,6f,6f,de), r(54,c5,c5,91),\
-    r(50,30,30,60), r(03,01,01,02), r(a9,67,67,ce), r(7d,2b,2b,56),\
-    r(19,fe,fe,e7), r(62,d7,d7,b5), r(e6,ab,ab,4d), r(9a,76,76,ec),\
-    r(45,ca,ca,8f), r(9d,82,82,1f), r(40,c9,c9,89), r(87,7d,7d,fa),\
-    r(15,fa,fa,ef), r(eb,59,59,b2), r(c9,47,47,8e), r(0b,f0,f0,fb),\
-    r(ec,ad,ad,41), r(67,d4,d4,b3), r(fd,a2,a2,5f), r(ea,af,af,45),\
-    r(bf,9c,9c,23), r(f7,a4,a4,53), r(96,72,72,e4), r(5b,c0,c0,9b),\
-    r(c2,b7,b7,75), r(1c,fd,fd,e1), r(ae,93,93,3d), r(6a,26,26,4c),\
-    r(5a,36,36,6c), r(41,3f,3f,7e), r(02,f7,f7,f5), r(4f,cc,cc,83),\
-    r(5c,34,34,68), r(f4,a5,a5,51), r(34,e5,e5,d1), r(08,f1,f1,f9),\
-    r(93,71,71,e2), r(73,d8,d8,ab), r(53,31,31,62), r(3f,15,15,2a),\
-    r(0c,04,04,08), r(52,c7,c7,95), r(65,23,23,46), r(5e,c3,c3,9d),\
-    r(28,18,18,30), r(a1,96,96,37), r(0f,05,05,0a), r(b5,9a,9a,2f),\
-    r(09,07,07,0e), r(36,12,12,24), r(9b,80,80,1b), r(3d,e2,e2,df),\
-    r(26,eb,eb,cd), r(69,27,27,4e), r(cd,b2,b2,7f), r(9f,75,75,ea),\
-    r(1b,09,09,12), r(9e,83,83,1d), r(74,2c,2c,58), r(2e,1a,1a,34),\
-    r(2d,1b,1b,36), r(b2,6e,6e,dc), r(ee,5a,5a,b4), r(fb,a0,a0,5b),\
-    r(f6,52,52,a4), r(4d,3b,3b,76), r(61,d6,d6,b7), r(ce,b3,b3,7d),\
-    r(7b,29,29,52), r(3e,e3,e3,dd), r(71,2f,2f,5e), r(97,84,84,13),\
-    r(f5,53,53,a6), r(68,d1,d1,b9), r(00,00,00,00), r(2c,ed,ed,c1),\
-    r(60,20,20,40), r(1f,fc,fc,e3), r(c8,b1,b1,79), r(ed,5b,5b,b6),\
-    r(be,6a,6a,d4), r(46,cb,cb,8d), r(d9,be,be,67), r(4b,39,39,72),\
-    r(de,4a,4a,94), r(d4,4c,4c,98), r(e8,58,58,b0), r(4a,cf,cf,85),\
-    r(6b,d0,d0,bb), r(2a,ef,ef,c5), r(e5,aa,aa,4f), r(16,fb,fb,ed),\
-    r(c5,43,43,86), r(d7,4d,4d,9a), r(55,33,33,66), r(94,85,85,11),\
-    r(cf,45,45,8a), r(10,f9,f9,e9), r(06,02,02,04), r(81,7f,7f,fe),\
-    r(f0,50,50,a0), r(44,3c,3c,78), r(ba,9f,9f,25), r(e3,a8,a8,4b),\
-    r(f3,51,51,a2), r(fe,a3,a3,5d), r(c0,40,40,80), r(8a,8f,8f,05),\
-    r(ad,92,92,3f), r(bc,9d,9d,21), r(48,38,38,70), r(04,f5,f5,f1),\
-    r(df,bc,bc,63), r(c1,b6,b6,77), r(75,da,da,af), r(63,21,21,42),\
-    r(30,10,10,20), r(1a,ff,ff,e5), r(0e,f3,f3,fd), r(6d,d2,d2,bf),\
-    r(4c,cd,cd,81), r(14,0c,0c,18), r(35,13,13,26), r(2f,ec,ec,c3),\
-    r(e1,5f,5f,be), r(a2,97,97,35), r(cc,44,44,88), r(39,17,17,2e),\
-    r(57,c4,c4,93), r(f2,a7,a7,55), r(82,7e,7e,fc), r(47,3d,3d,7a),\
-    r(ac,64,64,c8), r(e7,5d,5d,ba), r(2b,19,19,32), r(95,73,73,e6),\
-    r(a0,60,60,c0), r(98,81,81,19), r(d1,4f,4f,9e), r(7f,dc,dc,a3),\
-    r(66,22,22,44), r(7e,2a,2a,54), r(ab,90,90,3b), r(83,88,88,0b),\
-    r(ca,46,46,8c), r(29,ee,ee,c7), r(d3,b8,b8,6b), r(3c,14,14,28),\
-    r(79,de,de,a7), r(e2,5e,5e,bc), r(1d,0b,0b,16), r(76,db,db,ad),\
-    r(3b,e0,e0,db), r(56,32,32,64), r(4e,3a,3a,74), r(1e,0a,0a,14),\
-    r(db,49,49,92), r(0a,06,06,0c), r(6c,24,24,48), r(e4,5c,5c,b8),\
-    r(5d,c2,c2,9f), r(6e,d3,d3,bd), r(ef,ac,ac,43), r(a6,62,62,c4),\
-    r(a8,91,91,39), r(a4,95,95,31), r(37,e4,e4,d3), r(8b,79,79,f2),\
-    r(32,e7,e7,d5), r(43,c8,c8,8b), r(59,37,37,6e), r(b7,6d,6d,da),\
-    r(8c,8d,8d,01), r(64,d5,d5,b1), r(d2,4e,4e,9c), r(e0,a9,a9,49),\
-    r(b4,6c,6c,d8), r(fa,56,56,ac), r(07,f4,f4,f3), r(25,ea,ea,cf),\
-    r(af,65,65,ca), r(8e,7a,7a,f4), r(e9,ae,ae,47), r(18,08,08,10),\
-    r(d5,ba,ba,6f), r(88,78,78,f0), r(6f,25,25,4a), r(72,2e,2e,5c),\
-    r(24,1c,1c,38), r(f1,a6,a6,57), r(c7,b4,b4,73), r(51,c6,c6,97),\
-    r(23,e8,e8,cb), r(7c,dd,dd,a1), r(9c,74,74,e8), r(21,1f,1f,3e),\
-    r(dd,4b,4b,96), r(dc,bd,bd,61), r(86,8b,8b,0d), r(85,8a,8a,0f),\
-    r(90,70,70,e0), r(42,3e,3e,7c), r(c4,b5,b5,71), r(aa,66,66,cc),\
-    r(d8,48,48,90), r(05,03,03,06), r(01,f6,f6,f7), r(12,0e,0e,1c),\
-    r(a3,61,61,c2), r(5f,35,35,6a), r(f9,57,57,ae), r(d0,b9,b9,69),\
-    r(91,86,86,17), r(58,c1,c1,99), r(27,1d,1d,3a), r(b9,9e,9e,27),\
-    r(38,e1,e1,d9), r(13,f8,f8,eb), r(b3,98,98,2b), r(33,11,11,22),\
-    r(bb,69,69,d2), r(70,d9,d9,a9), r(89,8e,8e,07), r(a7,94,94,33),\
-    r(b6,9b,9b,2d), r(22,1e,1e,3c), r(92,87,87,15), r(20,e9,e9,c9),\
-    r(49,ce,ce,87), r(ff,55,55,aa), r(78,28,28,50), r(7a,df,df,a5),\
-    r(8f,8c,8c,03), r(f8,a1,a1,59), r(80,89,89,09), r(17,0d,0d,1a),\
-    r(da,bf,bf,65), r(31,e6,e6,d7), r(c6,42,42,84), r(b8,68,68,d0),\
-    r(c3,41,41,82), r(b0,99,99,29), r(77,2d,2d,5a), r(11,0f,0f,1e),\
-    r(cb,b0,b0,7b), r(fc,54,54,a8), r(d6,bb,bb,6d), r(3a,16,16,2c)
-
-//  data for inverse tables (other than last round)
-
-#define i_table \
-    r(50,a7,f4,51), r(53,65,41,7e), r(c3,a4,17,1a), r(96,5e,27,3a),\
-    r(cb,6b,ab,3b), r(f1,45,9d,1f), r(ab,58,fa,ac), r(93,03,e3,4b),\
-    r(55,fa,30,20), r(f6,6d,76,ad), r(91,76,cc,88), r(25,4c,02,f5),\
-    r(fc,d7,e5,4f), r(d7,cb,2a,c5), r(80,44,35,26), r(8f,a3,62,b5),\
-    r(49,5a,b1,de), r(67,1b,ba,25), r(98,0e,ea,45), r(e1,c0,fe,5d),\
-    r(02,75,2f,c3), r(12,f0,4c,81), r(a3,97,46,8d), r(c6,f9,d3,6b),\
-    r(e7,5f,8f,03), r(95,9c,92,15), r(eb,7a,6d,bf), r(da,59,52,95),\
-    r(2d,83,be,d4), r(d3,21,74,58), r(29,69,e0,49), r(44,c8,c9,8e),\
-    r(6a,89,c2,75), r(78,79,8e,f4), r(6b,3e,58,99), r(dd,71,b9,27),\
-    r(b6,4f,e1,be), r(17,ad,88,f0), r(66,ac,20,c9), r(b4,3a,ce,7d),\
-    r(18,4a,df,63), r(82,31,1a,e5), r(60,33,51,97), r(45,7f,53,62),\
-    r(e0,77,64,b1), r(84,ae,6b,bb), r(1c,a0,81,fe), r(94,2b,08,f9),\
-    r(58,68,48,70), r(19,fd,45,8f), r(87,6c,de,94), r(b7,f8,7b,52),\
-    r(23,d3,73,ab), r(e2,02,4b,72), r(57,8f,1f,e3), r(2a,ab,55,66),\
-    r(07,28,eb,b2), r(03,c2,b5,2f), r(9a,7b,c5,86), r(a5,08,37,d3),\
-    r(f2,87,28,30), r(b2,a5,bf,23), r(ba,6a,03,02), r(5c,82,16,ed),\
-    r(2b,1c,cf,8a), r(92,b4,79,a7), r(f0,f2,07,f3), r(a1,e2,69,4e),\
-    r(cd,f4,da,65), r(d5,be,05,06), r(1f,62,34,d1), r(8a,fe,a6,c4),\
-    r(9d,53,2e,34), r(a0,55,f3,a2), r(32,e1,8a,05), r(75,eb,f6,a4),\
-    r(39,ec,83,0b), r(aa,ef,60,40), r(06,9f,71,5e), r(51,10,6e,bd),\
-    r(f9,8a,21,3e), r(3d,06,dd,96), r(ae,05,3e,dd), r(46,bd,e6,4d),\
-    r(b5,8d,54,91), r(05,5d,c4,71), r(6f,d4,06,04), r(ff,15,50,60),\
-    r(24,fb,98,19), r(97,e9,bd,d6), r(cc,43,40,89), r(77,9e,d9,67),\
-    r(bd,42,e8,b0), r(88,8b,89,07), r(38,5b,19,e7), r(db,ee,c8,79),\
-    r(47,0a,7c,a1), r(e9,0f,42,7c), r(c9,1e,84,f8), r(00,00,00,00),\
-    r(83,86,80,09), r(48,ed,2b,32), r(ac,70,11,1e), r(4e,72,5a,6c),\
-    r(fb,ff,0e,fd), r(56,38,85,0f), r(1e,d5,ae,3d), r(27,39,2d,36),\
-    r(64,d9,0f,0a), r(21,a6,5c,68), r(d1,54,5b,9b), r(3a,2e,36,24),\
-    r(b1,67,0a,0c), r(0f,e7,57,93), r(d2,96,ee,b4), r(9e,91,9b,1b),\
-    r(4f,c5,c0,80), r(a2,20,dc,61), r(69,4b,77,5a), r(16,1a,12,1c),\
-    r(0a,ba,93,e2), r(e5,2a,a0,c0), r(43,e0,22,3c), r(1d,17,1b,12),\
-    r(0b,0d,09,0e), r(ad,c7,8b,f2), r(b9,a8,b6,2d), r(c8,a9,1e,14),\
-    r(85,19,f1,57), r(4c,07,75,af), r(bb,dd,99,ee), r(fd,60,7f,a3),\
-    r(9f,26,01,f7), r(bc,f5,72,5c), r(c5,3b,66,44), r(34,7e,fb,5b),\
-    r(76,29,43,8b), r(dc,c6,23,cb), r(68,fc,ed,b6), r(63,f1,e4,b8),\
-    r(ca,dc,31,d7), r(10,85,63,42), r(40,22,97,13), r(20,11,c6,84),\
-    r(7d,24,4a,85), r(f8,3d,bb,d2), r(11,32,f9,ae), r(6d,a1,29,c7),\
-    r(4b,2f,9e,1d), r(f3,30,b2,dc), r(ec,52,86,0d), r(d0,e3,c1,77),\
-    r(6c,16,b3,2b), r(99,b9,70,a9), r(fa,48,94,11), r(22,64,e9,47),\
-    r(c4,8c,fc,a8), r(1a,3f,f0,a0), r(d8,2c,7d,56), r(ef,90,33,22),\
-    r(c7,4e,49,87), r(c1,d1,38,d9), r(fe,a2,ca,8c), r(36,0b,d4,98),\
-    r(cf,81,f5,a6), r(28,de,7a,a5), r(26,8e,b7,da), r(a4,bf,ad,3f),\
-    r(e4,9d,3a,2c), r(0d,92,78,50), r(9b,cc,5f,6a), r(62,46,7e,54),\
-    r(c2,13,8d,f6), r(e8,b8,d8,90), r(5e,f7,39,2e), r(f5,af,c3,82),\
-    r(be,80,5d,9f), r(7c,93,d0,69), r(a9,2d,d5,6f), r(b3,12,25,cf),\
-    r(3b,99,ac,c8), r(a7,7d,18,10), r(6e,63,9c,e8), r(7b,bb,3b,db),\
-    r(09,78,26,cd), r(f4,18,59,6e), r(01,b7,9a,ec), r(a8,9a,4f,83),\
-    r(65,6e,95,e6), r(7e,e6,ff,aa), r(08,cf,bc,21), r(e6,e8,15,ef),\
-    r(d9,9b,e7,ba), r(ce,36,6f,4a), r(d4,09,9f,ea), r(d6,7c,b0,29),\
-    r(af,b2,a4,31), r(31,23,3f,2a), r(30,94,a5,c6), r(c0,66,a2,35),\
-    r(37,bc,4e,74), r(a6,ca,82,fc), r(b0,d0,90,e0), r(15,d8,a7,33),\
-    r(4a,98,04,f1), r(f7,da,ec,41), r(0e,50,cd,7f), r(2f,f6,91,17),\
-    r(8d,d6,4d,76), r(4d,b0,ef,43), r(54,4d,aa,cc), r(df,04,96,e4),\
-    r(e3,b5,d1,9e), r(1b,88,6a,4c), r(b8,1f,2c,c1), r(7f,51,65,46),\
-    r(04,ea,5e,9d), r(5d,35,8c,01), r(73,74,87,fa), r(2e,41,0b,fb),\
-    r(5a,1d,67,b3), r(52,d2,db,92), r(33,56,10,e9), r(13,47,d6,6d),\
-    r(8c,61,d7,9a), r(7a,0c,a1,37), r(8e,14,f8,59), r(89,3c,13,eb),\
-    r(ee,27,a9,ce), r(35,c9,61,b7), r(ed,e5,1c,e1), r(3c,b1,47,7a),\
-    r(59,df,d2,9c), r(3f,73,f2,55), r(79,ce,14,18), r(bf,37,c7,73),\
-    r(ea,cd,f7,53), r(5b,aa,fd,5f), r(14,6f,3d,df), r(86,db,44,78),\
-    r(81,f3,af,ca), r(3e,c4,68,b9), r(2c,34,24,38), r(5f,40,a3,c2),\
-    r(72,c3,1d,16), r(0c,25,e2,bc), r(8b,49,3c,28), r(41,95,0d,ff),\
-    r(71,01,a8,39), r(de,b3,0c,08), r(9c,e4,b4,d8), r(90,c1,56,64),\
-    r(61,84,cb,7b), r(70,b6,32,d5), r(74,5c,6c,48), r(42,57,b8,d0)
-
-// generate the required tables in the desired endian format
-
-#undef  r
-#define r   r0
-
-#if defined(ONE_TABLE)
-static const u_int32_t ft_tab[256] =
-    {   f_table };
-#elif defined(FOUR_TABLES)
-static const u_int32_t ft_tab[4][256] =
-{   {   f_table },
-#undef  r
-#define r   r1
-    {   f_table },
-#undef  r
-#define r   r2
-    {   f_table },
-#undef  r
-#define r   r3
-    {   f_table }
-};
-#endif
-
-#undef  r
-#define r   r0
-#if defined(ONE_TABLE)
-static const u_int32_t it_tab[256] =
-    {   i_table };
-#elif defined(FOUR_TABLES)
-static const u_int32_t it_tab[4][256] =
-{   {   i_table },
-#undef  r
-#define r   r1
-    {   i_table },
-#undef  r
-#define r   r2
-    {   i_table },
-#undef  r
-#define r   r3
-    {   i_table }
-};
-#endif
-
-#endif
-
-#if defined(FIXED_TABLES) && (defined(ONE_LR_TABLE) || defined(FOUR_LR_TABLES)) 
-
-//  data for inverse tables (last round)
-
-#define li_table    \
-    w(52), w(09), w(6a), w(d5), w(30), w(36), w(a5), w(38),\
-    w(bf), w(40), w(a3), w(9e), w(81), w(f3), w(d7), w(fb),\
-    w(7c), w(e3), w(39), w(82), w(9b), w(2f), w(ff), w(87),\
-    w(34), w(8e), w(43), w(44), w(c4), w(de), w(e9), w(cb),\
-    w(54), w(7b), w(94), w(32), w(a6), w(c2), w(23), w(3d),\
-    w(ee), w(4c), w(95), w(0b), w(42), w(fa), w(c3), w(4e),\
-    w(08), w(2e), w(a1), w(66), w(28), w(d9), w(24), w(b2),\
-    w(76), w(5b), w(a2), w(49), w(6d), w(8b), w(d1), w(25),\
-    w(72), w(f8), w(f6), w(64), w(86), w(68), w(98), w(16),\
-    w(d4), w(a4), w(5c), w(cc), w(5d), w(65), w(b6), w(92),\
-    w(6c), w(70), w(48), w(50), w(fd), w(ed), w(b9), w(da),\
-    w(5e), w(15), w(46), w(57), w(a7), w(8d), w(9d), w(84),\
-    w(90), w(d8), w(ab), w(00), w(8c), w(bc), w(d3), w(0a),\
-    w(f7), w(e4), w(58), w(05), w(b8), w(b3), w(45), w(06),\
-    w(d0), w(2c), w(1e), w(8f), w(ca), w(3f), w(0f), w(02),\
-    w(c1), w(af), w(bd), w(03), w(01), w(13), w(8a), w(6b),\
-    w(3a), w(91), w(11), w(41), w(4f), w(67), w(dc), w(ea),\
-    w(97), w(f2), w(cf), w(ce), w(f0), w(b4), w(e6), w(73),\
-    w(96), w(ac), w(74), w(22), w(e7), w(ad), w(35), w(85),\
-    w(e2), w(f9), w(37), w(e8), w(1c), w(75), w(df), w(6e),\
-    w(47), w(f1), w(1a), w(71), w(1d), w(29), w(c5), w(89),\
-    w(6f), w(b7), w(62), w(0e), w(aa), w(18), w(be), w(1b),\
-    w(fc), w(56), w(3e), w(4b), w(c6), w(d2), w(79), w(20),\
-    w(9a), w(db), w(c0), w(fe), w(78), w(cd), w(5a), w(f4),\
-    w(1f), w(dd), w(a8), w(33), w(88), w(07), w(c7), w(31),\
-    w(b1), w(12), w(10), w(59), w(27), w(80), w(ec), w(5f),\
-    w(60), w(51), w(7f), w(a9), w(19), w(b5), w(4a), w(0d),\
-    w(2d), w(e5), w(7a), w(9f), w(93), w(c9), w(9c), w(ef),\
-    w(a0), w(e0), w(3b), w(4d), w(ae), w(2a), w(f5), w(b0),\
-    w(c8), w(eb), w(bb), w(3c), w(83), w(53), w(99), w(61),\
-    w(17), w(2b), w(04), w(7e), w(ba), w(77), w(d6), w(26),\
-    w(e1), w(69), w(14), w(63), w(55), w(21), w(0c), w(7d),
-
-// generate the required tables in the desired endian format
-
-#undef  r
-#define r(p,q,r,s)  w0(q)
-#if defined(ONE_LR_TABLE)
-static const u_int32_t fl_tab[256] =
-    {   f_table     };
-#elif defined(FOUR_LR_TABLES)
-static const u_int32_t fl_tab[4][256] =
-{   {   f_table    },
-#undef  r
-#define r(p,q,r,s)   w1(q)
-    {   f_table    },
-#undef  r
-#define r(p,q,r,s)   w2(q)
-    {   f_table    },
-#undef  r
-#define r(p,q,r,s)   w3(q)
-    {   f_table    }
-};
-#endif
-
-#undef  w
-#define w   w0
-#if defined(ONE_LR_TABLE)
-static const u_int32_t il_tab[256] =
-    {   li_table    };
-#elif defined(FOUR_LR_TABLES)
-static const u_int32_t il_tab[4][256] =
-{   {   li_table    },
-#undef  w
-#define w   w1
-    {   li_table    },
-#undef  w
-#define w   w2
-    {   li_table    },
-#undef  w
-#define w   w3
-    {   li_table    }
-};
-#endif
-
-#endif
-
-#if defined(FIXED_TABLES) && (defined(ONE_IM_TABLE) || defined(FOUR_IM_TABLES)) 
-
-#define m_table \
-    r(00,00,00,00), r(0b,0d,09,0e), r(16,1a,12,1c), r(1d,17,1b,12),\
-    r(2c,34,24,38), r(27,39,2d,36), r(3a,2e,36,24), r(31,23,3f,2a),\
-    r(58,68,48,70), r(53,65,41,7e), r(4e,72,5a,6c), r(45,7f,53,62),\
-    r(74,5c,6c,48), r(7f,51,65,46), r(62,46,7e,54), r(69,4b,77,5a),\
-    r(b0,d0,90,e0), r(bb,dd,99,ee), r(a6,ca,82,fc), r(ad,c7,8b,f2),\
-    r(9c,e4,b4,d8), r(97,e9,bd,d6), r(8a,fe,a6,c4), r(81,f3,af,ca),\
-    r(e8,b8,d8,90), r(e3,b5,d1,9e), r(fe,a2,ca,8c), r(f5,af,c3,82),\
-    r(c4,8c,fc,a8), r(cf,81,f5,a6), r(d2,96,ee,b4), r(d9,9b,e7,ba),\
-    r(7b,bb,3b,db), r(70,b6,32,d5), r(6d,a1,29,c7), r(66,ac,20,c9),\
-    r(57,8f,1f,e3), r(5c,82,16,ed), r(41,95,0d,ff), r(4a,98,04,f1),\
-    r(23,d3,73,ab), r(28,de,7a,a5), r(35,c9,61,b7), r(3e,c4,68,b9),\
-    r(0f,e7,57,93), r(04,ea,5e,9d), r(19,fd,45,8f), r(12,f0,4c,81),\
-    r(cb,6b,ab,3b), r(c0,66,a2,35), r(dd,71,b9,27), r(d6,7c,b0,29),\
-    r(e7,5f,8f,03), r(ec,52,86,0d), r(f1,45,9d,1f), r(fa,48,94,11),\
-    r(93,03,e3,4b), r(98,0e,ea,45), r(85,19,f1,57), r(8e,14,f8,59),\
-    r(bf,37,c7,73), r(b4,3a,ce,7d), r(a9,2d,d5,6f), r(a2,20,dc,61),\
-    r(f6,6d,76,ad), r(fd,60,7f,a3), r(e0,77,64,b1), r(eb,7a,6d,bf),\
-    r(da,59,52,95), r(d1,54,5b,9b), r(cc,43,40,89), r(c7,4e,49,87),\
-    r(ae,05,3e,dd), r(a5,08,37,d3), r(b8,1f,2c,c1), r(b3,12,25,cf),\
-    r(82,31,1a,e5), r(89,3c,13,eb), r(94,2b,08,f9), r(9f,26,01,f7),\
-    r(46,bd,e6,4d), r(4d,b0,ef,43), r(50,a7,f4,51), r(5b,aa,fd,5f),\
-    r(6a,89,c2,75), r(61,84,cb,7b), r(7c,93,d0,69), r(77,9e,d9,67),\
-    r(1e,d5,ae,3d), r(15,d8,a7,33), r(08,cf,bc,21), r(03,c2,b5,2f),\
-    r(32,e1,8a,05), r(39,ec,83,0b), r(24,fb,98,19), r(2f,f6,91,17),\
-    r(8d,d6,4d,76), r(86,db,44,78), r(9b,cc,5f,6a), r(90,c1,56,64),\
-    r(a1,e2,69,4e), r(aa,ef,60,40), r(b7,f8,7b,52), r(bc,f5,72,5c),\
-    r(d5,be,05,06), r(de,b3,0c,08), r(c3,a4,17,1a), r(c8,a9,1e,14),\
-    r(f9,8a,21,3e), r(f2,87,28,30), r(ef,90,33,22), r(e4,9d,3a,2c),\
-    r(3d,06,dd,96), r(36,0b,d4,98), r(2b,1c,cf,8a), r(20,11,c6,84),\
-    r(11,32,f9,ae), r(1a,3f,f0,a0), r(07,28,eb,b2), r(0c,25,e2,bc),\
-    r(65,6e,95,e6), r(6e,63,9c,e8), r(73,74,87,fa), r(78,79,8e,f4),\
-    r(49,5a,b1,de), r(42,57,b8,d0), r(5f,40,a3,c2), r(54,4d,aa,cc),\
-    r(f7,da,ec,41), r(fc,d7,e5,4f), r(e1,c0,fe,5d), r(ea,cd,f7,53),\
-    r(db,ee,c8,79), r(d0,e3,c1,77), r(cd,f4,da,65), r(c6,f9,d3,6b),\
-    r(af,b2,a4,31), r(a4,bf,ad,3f), r(b9,a8,b6,2d), r(b2,a5,bf,23),\
-    r(83,86,80,09), r(88,8b,89,07), r(95,9c,92,15), r(9e,91,9b,1b),\
-    r(47,0a,7c,a1), r(4c,07,75,af), r(51,10,6e,bd), r(5a,1d,67,b3),\
-    r(6b,3e,58,99), r(60,33,51,97), r(7d,24,4a,85), r(76,29,43,8b),\
-    r(1f,62,34,d1), r(14,6f,3d,df), r(09,78,26,cd), r(02,75,2f,c3),\
-    r(33,56,10,e9), r(38,5b,19,e7), r(25,4c,02,f5), r(2e,41,0b,fb),\
-    r(8c,61,d7,9a), r(87,6c,de,94), r(9a,7b,c5,86), r(91,76,cc,88),\
-    r(a0,55,f3,a2), r(ab,58,fa,ac), r(b6,4f,e1,be), r(bd,42,e8,b0),\
-    r(d4,09,9f,ea), r(df,04,96,e4), r(c2,13,8d,f6), r(c9,1e,84,f8),\
-    r(f8,3d,bb,d2), r(f3,30,b2,dc), r(ee,27,a9,ce), r(e5,2a,a0,c0),\
-    r(3c,b1,47,7a), r(37,bc,4e,74), r(2a,ab,55,66), r(21,a6,5c,68),\
-    r(10,85,63,42), r(1b,88,6a,4c), r(06,9f,71,5e), r(0d,92,78,50),\
-    r(64,d9,0f,0a), r(6f,d4,06,04), r(72,c3,1d,16), r(79,ce,14,18),\
-    r(48,ed,2b,32), r(43,e0,22,3c), r(5e,f7,39,2e), r(55,fa,30,20),\
-    r(01,b7,9a,ec), r(0a,ba,93,e2), r(17,ad,88,f0), r(1c,a0,81,fe),\
-    r(2d,83,be,d4), r(26,8e,b7,da), r(3b,99,ac,c8), r(30,94,a5,c6),\
-    r(59,df,d2,9c), r(52,d2,db,92), r(4f,c5,c0,80), r(44,c8,c9,8e),\
-    r(75,eb,f6,a4), r(7e,e6,ff,aa), r(63,f1,e4,b8), r(68,fc,ed,b6),\
-    r(b1,67,0a,0c), r(ba,6a,03,02), r(a7,7d,18,10), r(ac,70,11,1e),\
-    r(9d,53,2e,34), r(96,5e,27,3a), r(8b,49,3c,28), r(80,44,35,26),\
-    r(e9,0f,42,7c), r(e2,02,4b,72), r(ff,15,50,60), r(f4,18,59,6e),\
-    r(c5,3b,66,44), r(ce,36,6f,4a), r(d3,21,74,58), r(d8,2c,7d,56),\
-    r(7a,0c,a1,37), r(71,01,a8,39), r(6c,16,b3,2b), r(67,1b,ba,25),\
-    r(56,38,85,0f), r(5d,35,8c,01), r(40,22,97,13), r(4b,2f,9e,1d),\
-    r(22,64,e9,47), r(29,69,e0,49), r(34,7e,fb,5b), r(3f,73,f2,55),\
-    r(0e,50,cd,7f), r(05,5d,c4,71), r(18,4a,df,63), r(13,47,d6,6d),\
-    r(ca,dc,31,d7), r(c1,d1,38,d9), r(dc,c6,23,cb), r(d7,cb,2a,c5),\
-    r(e6,e8,15,ef), r(ed,e5,1c,e1), r(f0,f2,07,f3), r(fb,ff,0e,fd),\
-    r(92,b4,79,a7), r(99,b9,70,a9), r(84,ae,6b,bb), r(8f,a3,62,b5),\
-    r(be,80,5d,9f), r(b5,8d,54,91), r(a8,9a,4f,83), r(a3,97,46,8d)
-
-#undef r
-#define r   r0
-
-#if defined(ONE_IM_TABLE)
-static const u_int32_t im_tab[256] =
-    {   m_table };
-#elif defined(FOUR_IM_TABLES)
-static const u_int32_t im_tab[4][256] =
-{   {   m_table },
-#undef  r
-#define r   r1
-    {   m_table },
-#undef  r
-#define r   r2
-    {   m_table },
-#undef  r
-#define r   r3
-    {   m_table }
-};
-#endif
-
-#endif
-
-#else
-
-static int tab_gen = 0;
-
-static unsigned char  s_box[256];            // the S box
-static unsigned char  inv_s_box[256];        // the inverse S box
-static u_int32_t  rcon_tab[AES_RC_LENGTH];   // table of round constants
-
-#if defined(ONE_TABLE)
-static u_int32_t  ft_tab[256];
-static u_int32_t  it_tab[256];
-#elif defined(FOUR_TABLES)
-static u_int32_t  ft_tab[4][256];
-static u_int32_t  it_tab[4][256];
-#endif
-
-#if defined(ONE_LR_TABLE)
-static u_int32_t  fl_tab[256];
-static u_int32_t  il_tab[256];
-#elif defined(FOUR_LR_TABLES)
-static u_int32_t  fl_tab[4][256];
-static u_int32_t  il_tab[4][256];
-#endif
-
-#if defined(ONE_IM_TABLE)
-static u_int32_t  im_tab[256];
-#elif defined(FOUR_IM_TABLES)
-static u_int32_t  im_tab[4][256];
-#endif
-
-// Generate the tables for the dynamic table option
-
-#if !defined(FF_TABLES)
-
-// It will generally be sensible to use tables to compute finite 
-// field multiplies and inverses but where memory is scarse this 
-// code might sometimes be better.
-
-// return 2 ^ (n - 1) where n is the bit number of the highest bit
-// set in x with x in the range 1 < x < 0x00000200.   This form is
-// used so that locals within FFinv can be bytes rather than words
-
-static unsigned char hibit(const u_int32_t x)
-{   unsigned char r = (unsigned char)((x >> 1) | (x >> 2));
-    
-    r |= (r >> 2);
-    r |= (r >> 4);
-    return (r + 1) >> 1;
-}
-
-// return the inverse of the finite field element x
-
-static unsigned char FFinv(const unsigned char x)
-{   unsigned char    p1 = x, p2 = 0x1b, n1 = hibit(x), n2 = 0x80, v1 = 1, v2 = 0;
-
-    if(x < 2) return x;
-
-    for(;;)
-    {
-        if(!n1) return v1;
-
-        while(n2 >= n1)
-        {   
-            n2 /= n1; p2 ^= p1 * n2; v2 ^= v1 * n2; n2 = hibit(p2);
-        }
-        
-        if(!n2) return v2;
-
-        while(n1 >= n2)
-        {   
-            n1 /= n2; p1 ^= p2 * n1; v1 ^= v2 * n1; n1 = hibit(p1);
-        }
-    }
-}
-
-// define the finite field multiplies required for Rijndael
-
-#define FFmul02(x)  ((((x) & 0x7f) << 1) ^ ((x) & 0x80 ? 0x1b : 0))
-#define FFmul03(x)  ((x) ^ FFmul02(x))
-#define FFmul09(x)  ((x) ^ FFmul02(FFmul02(FFmul02(x))))
-#define FFmul0b(x)  ((x) ^ FFmul02((x) ^ FFmul02(FFmul02(x))))
-#define FFmul0d(x)  ((x) ^ FFmul02(FFmul02((x) ^ FFmul02(x))))
-#define FFmul0e(x)  FFmul02((x) ^ FFmul02((x) ^ FFmul02(x)))
-
-#else
-
-#define FFinv(x)    ((x) ? pow[255 - log[x]]: 0)
-
-#define FFmul02(x) (x ? pow[log[x] + 0x19] : 0)
-#define FFmul03(x) (x ? pow[log[x] + 0x01] : 0)
-#define FFmul09(x) (x ? pow[log[x] + 0xc7] : 0)
-#define FFmul0b(x) (x ? pow[log[x] + 0x68] : 0)
-#define FFmul0d(x) (x ? pow[log[x] + 0xee] : 0)
-#define FFmul0e(x) (x ? pow[log[x] + 0xdf] : 0)
-
-#endif
-
-// The forward and inverse affine transformations used in the S-box
-
-#define fwd_affine(x) \
-    (w = (u_int32_t)x, w ^= (w<<1)^(w<<2)^(w<<3)^(w<<4), 0x63^(unsigned char)(w^(w>>8)))
-
-#define inv_affine(x) \
-    (w = (u_int32_t)x, w = (w<<1)^(w<<3)^(w<<6), 0x05^(unsigned char)(w^(w>>8)))
-
-static void gen_tabs(void)
-{   u_int32_t  i, w;
-
-#if defined(FF_TABLES)
-
-    unsigned char  pow[512], log[256];
-
-    // log and power tables for GF(2^8) finite field with
-    // 0x011b as modular polynomial - the simplest primitive
-    // root is 0x03, used here to generate the tables
-
-    i = 0; w = 1; 
-    do
-    {   
-        pow[i] = (unsigned char)w;
-        pow[i + 255] = (unsigned char)w;
-        log[w] = (unsigned char)i++;
-        w ^=  (w << 1) ^ (w & ff_hi ? ff_poly : 0);
-    }
-    while (w != 1);
-
-#endif
-
-    for(i = 0, w = 1; i < AES_RC_LENGTH; ++i)
-    {
-        rcon_tab[i] = bytes2word(w, 0, 0, 0);
-        w = (w << 1) ^ (w & ff_hi ? ff_poly : 0);
-    }
-
-    for(i = 0; i < 256; ++i)
-    {   unsigned char    b;
-
-        s_box[i] = b = fwd_affine(FFinv((unsigned char)i));
-
-        w = bytes2word(b, 0, 0, 0);
-#if defined(ONE_LR_TABLE)
-        fl_tab[i] = w;
-#elif defined(FOUR_LR_TABLES)
-        fl_tab[0][i] = w;
-        fl_tab[1][i] = upr(w,1);
-        fl_tab[2][i] = upr(w,2);
-        fl_tab[3][i] = upr(w,3);
-#endif
-        w = bytes2word(FFmul02(b), b, b, FFmul03(b));
-#if defined(ONE_TABLE)
-        ft_tab[i] = w;
-#elif defined(FOUR_TABLES)
-        ft_tab[0][i] = w;
-        ft_tab[1][i] = upr(w,1);
-        ft_tab[2][i] = upr(w,2);
-        ft_tab[3][i] = upr(w,3);
-#endif
-        inv_s_box[i] = b = FFinv(inv_affine((unsigned char)i));
-
-        w = bytes2word(b, 0, 0, 0);
-#if defined(ONE_LR_TABLE)
-        il_tab[i] = w;
-#elif defined(FOUR_LR_TABLES)
-        il_tab[0][i] = w;
-        il_tab[1][i] = upr(w,1);
-        il_tab[2][i] = upr(w,2);
-        il_tab[3][i] = upr(w,3);
-#endif
-        w = bytes2word(FFmul0e(b), FFmul09(b), FFmul0d(b), FFmul0b(b));
-#if defined(ONE_TABLE)
-        it_tab[i] = w;
-#elif defined(FOUR_TABLES)
-        it_tab[0][i] = w;
-        it_tab[1][i] = upr(w,1);
-        it_tab[2][i] = upr(w,2);
-        it_tab[3][i] = upr(w,3);
-#endif
-#if defined(ONE_IM_TABLE)
-        im_tab[b] = w;
-#elif defined(FOUR_IM_TABLES)
-        im_tab[0][b] = w;
-        im_tab[1][b] = upr(w,1);
-        im_tab[2][b] = upr(w,2);
-        im_tab[3][b] = upr(w,3);
-#endif
-
-    }
-}
-
-#endif
-
-#define no_table(x,box,vf,rf,c) bytes2word( \
-    box[bval(vf(x,0,c),rf(0,c))], \
-    box[bval(vf(x,1,c),rf(1,c))], \
-    box[bval(vf(x,2,c),rf(2,c))], \
-    box[bval(vf(x,3,c),rf(3,c))])
-
-#define one_table(x,op,tab,vf,rf,c) \
- (     tab[bval(vf(x,0,c),rf(0,c))] \
-  ^ op(tab[bval(vf(x,1,c),rf(1,c))],1) \
-  ^ op(tab[bval(vf(x,2,c),rf(2,c))],2) \
-  ^ op(tab[bval(vf(x,3,c),rf(3,c))],3))
-
-#define four_tables(x,tab,vf,rf,c) \
- (  tab[0][bval(vf(x,0,c),rf(0,c))] \
-  ^ tab[1][bval(vf(x,1,c),rf(1,c))] \
-  ^ tab[2][bval(vf(x,2,c),rf(2,c))] \
-  ^ tab[3][bval(vf(x,3,c),rf(3,c))])
-
-#define vf1(x,r,c)  (x)
-#define rf1(r,c)    (r)
-#define rf2(r,c)    ((r-c)&3)
-
-#if defined(FOUR_LR_TABLES)
-#define ls_box(x,c)     four_tables(x,fl_tab,vf1,rf2,c)
-#elif defined(ONE_LR_TABLE)
-#define ls_box(x,c)     one_table(x,upr,fl_tab,vf1,rf2,c)
-#else
-#define ls_box(x,c)     no_table(x,s_box,vf1,rf2,c)
-#endif
-
-#if defined(FOUR_IM_TABLES)
-#define inv_mcol(x)     four_tables(x,im_tab,vf1,rf1,0)
-#elif defined(ONE_IM_TABLE)
-#define inv_mcol(x)     one_table(x,upr,im_tab,vf1,rf1,0)
-#else
-#define inv_mcol(x) \
-    (f9 = (x),f2 = FFmulX(f9), f4 = FFmulX(f2), f8 = FFmulX(f4), f9 ^= f8, \
-    f2 ^= f4 ^ f8 ^ upr(f2 ^ f9,3) ^ upr(f4 ^ f9,2) ^ upr(f9,1))
-#endif
-
-// Subroutine to set the block size (if variable) in bytes, legal
-// values being 16, 24 and 32.
-
-#if defined(AES_BLOCK_SIZE)
-#define nc   (AES_BLOCK_SIZE / 4)
-#else
-#define nc   (cx->aes_Ncol)
-
-void aes_set_blk(aes_context *cx, int n_bytes)
-{
-#if !defined(FIXED_TABLES)
-    if(!tab_gen) { gen_tabs(); tab_gen = 1; }
-#endif
-
-    switch(n_bytes) {
-    case 32:        /* bytes */
-    case 256:       /* bits */
-        nc = 8;
-        break;
-    case 24:        /* bytes */
-    case 192:       /* bits */
-        nc = 6;
-        break;
-    case 16:        /* bytes */
-    case 128:       /* bits */
-    default:
-        nc = 4;
-        break;
-    }
-}
-
-#endif
-
-// Initialise the key schedule from the user supplied key. The key
-// length is now specified in bytes - 16, 24 or 32 as appropriate.
-// This corresponds to bit lengths of 128, 192 and 256 bits, and
-// to Nk values of 4, 6 and 8 respectively.
-
-#define mx(t,f) (*t++ = inv_mcol(*f),f++)
-#define cp(t,f) *t++ = *f++
-
-#if   AES_BLOCK_SIZE == 16
-#define cpy(d,s)    cp(d,s); cp(d,s); cp(d,s); cp(d,s)
-#define mix(d,s)    mx(d,s); mx(d,s); mx(d,s); mx(d,s)
-#elif AES_BLOCK_SIZE == 24
-#define cpy(d,s)    cp(d,s); cp(d,s); cp(d,s); cp(d,s); \
-                    cp(d,s); cp(d,s)
-#define mix(d,s)    mx(d,s); mx(d,s); mx(d,s); mx(d,s); \
-                    mx(d,s); mx(d,s)
-#elif AES_BLOCK_SIZE == 32
-#define cpy(d,s)    cp(d,s); cp(d,s); cp(d,s); cp(d,s); \
-                    cp(d,s); cp(d,s); cp(d,s); cp(d,s)
-#define mix(d,s)    mx(d,s); mx(d,s); mx(d,s); mx(d,s); \
-                    mx(d,s); mx(d,s); mx(d,s); mx(d,s)
-#else
-
-#define cpy(d,s) \
-switch(nc) \
-{   case 8: cp(d,s); cp(d,s); \
-    case 6: cp(d,s); cp(d,s); \
-    case 4: cp(d,s); cp(d,s); \
-            cp(d,s); cp(d,s); \
-}
-
-#define mix(d,s) \
-switch(nc) \
-{   case 8: mx(d,s); mx(d,s); \
-    case 6: mx(d,s); mx(d,s); \
-    case 4: mx(d,s); mx(d,s); \
-            mx(d,s); mx(d,s); \
-}
-
-#endif
-
-void aes_set_key(aes_context *cx, const unsigned char in_key[], int n_bytes, const int f)
-{   u_int32_t    *kf, *kt, rci;
-
-#if !defined(FIXED_TABLES)
-    if(!tab_gen) { gen_tabs(); tab_gen = 1; }
-#endif
-
-    switch(n_bytes) {
-    case 32:                    /* bytes */
-    case 256:                   /* bits */
-        cx->aes_Nkey = 8;
-        break;
-    case 24:                    /* bytes */
-    case 192:                   /* bits */
-        cx->aes_Nkey = 6;
-        break;
-    case 16:                    /* bytes */
-    case 128:                   /* bits */
-    default:
-        cx->aes_Nkey = 4;
-        break;
-    }
-
-    cx->aes_Nrnd = (cx->aes_Nkey > nc ? cx->aes_Nkey : nc) + 6; 
-
-    cx->aes_e_key[0] = const_word_in(in_key     );
-    cx->aes_e_key[1] = const_word_in(in_key +  4);
-    cx->aes_e_key[2] = const_word_in(in_key +  8);
-    cx->aes_e_key[3] = const_word_in(in_key + 12);
-
-    kf = cx->aes_e_key; 
-    kt = kf + nc * (cx->aes_Nrnd + 1) - cx->aes_Nkey; 
-    rci = 0;
-
-    switch(cx->aes_Nkey)
-    {
-    case 4: do
-            {   kf[4] = kf[0] ^ ls_box(kf[3],3) ^ rcon_tab[rci++];
-                kf[5] = kf[1] ^ kf[4];
-                kf[6] = kf[2] ^ kf[5];
-                kf[7] = kf[3] ^ kf[6];
-                kf += 4;
-            }
-            while(kf < kt);
-            break;
-
-    case 6: cx->aes_e_key[4] = const_word_in(in_key + 16);
-            cx->aes_e_key[5] = const_word_in(in_key + 20);
-            do
-            {   kf[ 6] = kf[0] ^ ls_box(kf[5],3) ^ rcon_tab[rci++];
-                kf[ 7] = kf[1] ^ kf[ 6];
-                kf[ 8] = kf[2] ^ kf[ 7];
-                kf[ 9] = kf[3] ^ kf[ 8];
-                kf[10] = kf[4] ^ kf[ 9];
-                kf[11] = kf[5] ^ kf[10];
-                kf += 6;
-            }
-            while(kf < kt);
-            break;
-
-    case 8: cx->aes_e_key[4] = const_word_in(in_key + 16);
-            cx->aes_e_key[5] = const_word_in(in_key + 20);
-            cx->aes_e_key[6] = const_word_in(in_key + 24);
-            cx->aes_e_key[7] = const_word_in(in_key + 28);
-            do
-            {   kf[ 8] = kf[0] ^ ls_box(kf[7],3) ^ rcon_tab[rci++];
-                kf[ 9] = kf[1] ^ kf[ 8];
-                kf[10] = kf[2] ^ kf[ 9];
-                kf[11] = kf[3] ^ kf[10];
-                kf[12] = kf[4] ^ ls_box(kf[11],0);
-                kf[13] = kf[5] ^ kf[12];
-                kf[14] = kf[6] ^ kf[13];
-                kf[15] = kf[7] ^ kf[14];
-                kf += 8;
-            }
-            while (kf < kt);
-            break;
-    }
-
-    if(!f)
-    {   u_int32_t    i;
-        
-        kt = cx->aes_d_key + nc * cx->aes_Nrnd;
-        kf = cx->aes_e_key;
-        
-        cpy(kt, kf); kt -= 2 * nc;
-
-        for(i = 1; i < cx->aes_Nrnd; ++i)
-        { 
-#if defined(ONE_TABLE) || defined(FOUR_TABLES)
-#if !defined(ONE_IM_TABLE) && !defined(FOUR_IM_TABLES)
-            u_int32_t    f2, f4, f8, f9;
-#endif
-            mix(kt, kf);
-#else
-            cpy(kt, kf);
-#endif
-            kt -= 2 * nc;
-        }
-        
-        cpy(kt, kf);
-    }
-}
-
-// y = output word, x = input word, r = row, c = column
-// for r = 0, 1, 2 and 3 = column accessed for row r
-
-#if defined(ARRAYS)
-#define s(x,c) x[c]
-#else
-#define s(x,c) x##c
-#endif
-
-// I am grateful to Frank Yellin for the following constructions
-// which, given the column (c) of the output state variable that
-// is being computed, return the input state variables which are
-// needed for each row (r) of the state
-
-// For the fixed block size options, compilers reduce these two 
-// expressions to fixed variable references. For variable block 
-// size code conditional clauses will sometimes be returned
-
-#define unused  77  // Sunset Strip
-
-#define fwd_var(x,r,c) \
- ( r==0 ?			\
-    ( c==0 ? s(x,0) \
-    : c==1 ? s(x,1) \
-    : c==2 ? s(x,2) \
-    : c==3 ? s(x,3) \
-    : c==4 ? s(x,4) \
-    : c==5 ? s(x,5) \
-    : c==6 ? s(x,6) \
-    : s(x,7))		\
- : r==1 ?			\
-    ( c==0 ? s(x,1) \
-    : c==1 ? s(x,2) \
-    : c==2 ? s(x,3) \
-    : c==3 ? nc==4 ? s(x,0) : s(x,4) \
-    : c==4 ? s(x,5) \
-    : c==5 ? nc==8 ? s(x,6) : s(x,0) \
-    : c==6 ? s(x,7) \
-    : s(x,0))		\
- : r==2 ?			\
-    ( c==0 ? nc==8 ? s(x,3) : s(x,2) \
-    : c==1 ? nc==8 ? s(x,4) : s(x,3) \
-    : c==2 ? nc==4 ? s(x,0) : nc==8 ? s(x,5) : s(x,4) \
-    : c==3 ? nc==4 ? s(x,1) : nc==8 ? s(x,6) : s(x,5) \
-    : c==4 ? nc==8 ? s(x,7) : s(x,0) \
-    : c==5 ? nc==8 ? s(x,0) : s(x,1) \
-    : c==6 ? s(x,1) \
-    : s(x,2))		\
- :					\
-    ( c==0 ? nc==8 ? s(x,4) : s(x,3) \
-    : c==1 ? nc==4 ? s(x,0) : nc==8 ? s(x,5) : s(x,4) \
-    : c==2 ? nc==4 ? s(x,1) : nc==8 ? s(x,6) : s(x,5) \
-    : c==3 ? nc==4 ? s(x,2) : nc==8 ? s(x,7) : s(x,0) \
-    : c==4 ? nc==8 ? s(x,0) : s(x,1) \
-    : c==5 ? nc==8 ? s(x,1) : s(x,2) \
-    : c==6 ? s(x,2) \
-    : s(x,3)))
-
-#define inv_var(x,r,c) \
- ( r==0 ?			\
-    ( c==0 ? s(x,0) \
-    : c==1 ? s(x,1) \
-    : c==2 ? s(x,2) \
-    : c==3 ? s(x,3) \
-    : c==4 ? s(x,4) \
-    : c==5 ? s(x,5) \
-    : c==6 ? s(x,6) \
-    : s(x,7))		\
- : r==1 ?			\
-    ( c==0 ? nc==4 ? s(x,3) : nc==8 ? s(x,7) : s(x,5) \
-    : c==1 ? s(x,0) \
-    : c==2 ? s(x,1) \
-    : c==3 ? s(x,2) \
-    : c==4 ? s(x,3) \
-    : c==5 ? s(x,4) \
-    : c==6 ? s(x,5) \
-    : s(x,6))		\
- : r==2 ?			\
-    ( c==0 ? nc==4 ? s(x,2) : nc==8 ? s(x,5) : s(x,4) \
-    : c==1 ? nc==4 ? s(x,3) : nc==8 ? s(x,6) : s(x,5) \
-    : c==2 ? nc==8 ? s(x,7) : s(x,0) \
-    : c==3 ? nc==8 ? s(x,0) : s(x,1) \
-    : c==4 ? nc==8 ? s(x,1) : s(x,2) \
-    : c==5 ? nc==8 ? s(x,2) : s(x,3) \
-    : c==6 ? s(x,3) \
-    : s(x,4))		\
- :					\
-    ( c==0 ? nc==4 ? s(x,1) : nc==8 ? s(x,4) : s(x,3) \
-    : c==1 ? nc==4 ? s(x,2) : nc==8 ? s(x,5) : s(x,4) \
-    : c==2 ? nc==4 ? s(x,3) : nc==8 ? s(x,6) : s(x,5) \
-    : c==3 ? nc==8 ? s(x,7) : s(x,0) \
-    : c==4 ? nc==8 ? s(x,0) : s(x,1) \
-    : c==5 ? nc==8 ? s(x,1) : s(x,2) \
-    : c==6 ? s(x,2) \
-    : s(x,3)))
-
-#define si(y,x,k,c) s(y,c) = const_word_in(x + 4 * c) ^ k[c]
-#define so(y,x,c)   word_out(y + 4 * c, s(x,c))
-
-#if defined(FOUR_TABLES)
-#define fwd_rnd(y,x,k,c)    s(y,c)= (k)[c] ^ four_tables(x,ft_tab,fwd_var,rf1,c)
-#define inv_rnd(y,x,k,c)    s(y,c)= (k)[c] ^ four_tables(x,it_tab,inv_var,rf1,c)
-#elif defined(ONE_TABLE)
-#define fwd_rnd(y,x,k,c)    s(y,c)= (k)[c] ^ one_table(x,upr,ft_tab,fwd_var,rf1,c)
-#define inv_rnd(y,x,k,c)    s(y,c)= (k)[c] ^ one_table(x,upr,it_tab,inv_var,rf1,c)
-#else
-#define fwd_rnd(y,x,k,c)    s(y,c) = fwd_mcol(no_table(x,s_box,fwd_var,rf1,c)) ^ (k)[c]
-#define inv_rnd(y,x,k,c)    s(y,c) = inv_mcol(no_table(x,inv_s_box,inv_var,rf1,c) ^ (k)[c])
-#endif
-
-#if defined(FOUR_LR_TABLES)
-#define fwd_lrnd(y,x,k,c)   s(y,c)= (k)[c] ^ four_tables(x,fl_tab,fwd_var,rf1,c)
-#define inv_lrnd(y,x,k,c)   s(y,c)= (k)[c] ^ four_tables(x,il_tab,inv_var,rf1,c)
-#elif defined(ONE_LR_TABLE)
-#define fwd_lrnd(y,x,k,c)   s(y,c)= (k)[c] ^ one_table(x,ups,fl_tab,fwd_var,rf1,c)
-#define inv_lrnd(y,x,k,c)   s(y,c)= (k)[c] ^ one_table(x,ups,il_tab,inv_var,rf1,c)
-#else
-#define fwd_lrnd(y,x,k,c)   s(y,c) = no_table(x,s_box,fwd_var,rf1,c) ^ (k)[c]
-#define inv_lrnd(y,x,k,c)   s(y,c) = no_table(x,inv_s_box,inv_var,rf1,c) ^ (k)[c]
-#endif
-
-#if AES_BLOCK_SIZE == 16
-
-#if defined(ARRAYS)
-#define locals(y,x)     x[4],y[4]
-#else
-#define locals(y,x)     x##0,x##1,x##2,x##3,y##0,y##1,y##2,y##3
-// the following defines prevent the compiler requiring the declaration
-// of generated but unused variables in the fwd_var and inv_var macros
-#define b04 unused
-#define b05 unused
-#define b06 unused
-#define b07 unused
-#define b14 unused
-#define b15 unused
-#define b16 unused
-#define b17 unused
-#endif
-#define l_copy(y, x)    s(y,0) = s(x,0); s(y,1) = s(x,1); \
-                        s(y,2) = s(x,2); s(y,3) = s(x,3);
-#define state_in(y,x,k) si(y,x,k,0); si(y,x,k,1); si(y,x,k,2); si(y,x,k,3)
-#define state_out(y,x)  so(y,x,0); so(y,x,1); so(y,x,2); so(y,x,3)
-#define round(rm,y,x,k) rm(y,x,k,0); rm(y,x,k,1); rm(y,x,k,2); rm(y,x,k,3)
-
-#elif AES_BLOCK_SIZE == 24
-
-#if defined(ARRAYS)
-#define locals(y,x)     x[6],y[6]
-#else
-#define locals(y,x)     x##0,x##1,x##2,x##3,x##4,x##5, \
-                        y##0,y##1,y##2,y##3,y##4,y##5
-#define b06 unused
-#define b07 unused
-#define b16 unused
-#define b17 unused
-#endif
-#define l_copy(y, x)    s(y,0) = s(x,0); s(y,1) = s(x,1); \
-                        s(y,2) = s(x,2); s(y,3) = s(x,3); \
-                        s(y,4) = s(x,4); s(y,5) = s(x,5);
-#define state_in(y,x,k) si(y,x,k,0); si(y,x,k,1); si(y,x,k,2); \
-                        si(y,x,k,3); si(y,x,k,4); si(y,x,k,5)
-#define state_out(y,x)  so(y,x,0); so(y,x,1); so(y,x,2); \
-                        so(y,x,3); so(y,x,4); so(y,x,5)
-#define round(rm,y,x,k) rm(y,x,k,0); rm(y,x,k,1); rm(y,x,k,2); \
-                        rm(y,x,k,3); rm(y,x,k,4); rm(y,x,k,5)
-#else
-
-#if defined(ARRAYS)
-#define locals(y,x)     x[8],y[8]
-#else
-#define locals(y,x)     x##0,x##1,x##2,x##3,x##4,x##5,x##6,x##7, \
-                        y##0,y##1,y##2,y##3,y##4,y##5,y##6,y##7
-#endif
-#define l_copy(y, x)    s(y,0) = s(x,0); s(y,1) = s(x,1); \
-                        s(y,2) = s(x,2); s(y,3) = s(x,3); \
-                        s(y,4) = s(x,4); s(y,5) = s(x,5); \
-                        s(y,6) = s(x,6); s(y,7) = s(x,7);
-
-#if AES_BLOCK_SIZE == 32
-
-#define state_in(y,x,k) si(y,x,k,0); si(y,x,k,1); si(y,x,k,2); si(y,x,k,3); \
-                        si(y,x,k,4); si(y,x,k,5); si(y,x,k,6); si(y,x,k,7)
-#define state_out(y,x)  so(y,x,0); so(y,x,1); so(y,x,2); so(y,x,3); \
-                        so(y,x,4); so(y,x,5); so(y,x,6); so(y,x,7)
-#define round(rm,y,x,k) rm(y,x,k,0); rm(y,x,k,1); rm(y,x,k,2); rm(y,x,k,3); \
-                        rm(y,x,k,4); rm(y,x,k,5); rm(y,x,k,6); rm(y,x,k,7)
-#else
-
-#define state_in(y,x,k) \
-switch(nc) \
-{   case 8: si(y,x,k,7); si(y,x,k,6); \
-    case 6: si(y,x,k,5); si(y,x,k,4); \
-    case 4: si(y,x,k,3); si(y,x,k,2); \
-            si(y,x,k,1); si(y,x,k,0); \
-}
-
-#define state_out(y,x) \
-switch(nc) \
-{   case 8: so(y,x,7); so(y,x,6); \
-    case 6: so(y,x,5); so(y,x,4); \
-    case 4: so(y,x,3); so(y,x,2); \
-            so(y,x,1); so(y,x,0); \
-}
-
-#if defined(FAST_VARIABLE)
-
-#define round(rm,y,x,k) \
-switch(nc) \
-{   case 8: rm(y,x,k,7); rm(y,x,k,6); \
-            rm(y,x,k,5); rm(y,x,k,4); \
-            rm(y,x,k,3); rm(y,x,k,2); \
-            rm(y,x,k,1); rm(y,x,k,0); \
-            break; \
-    case 6: rm(y,x,k,5); rm(y,x,k,4); \
-            rm(y,x,k,3); rm(y,x,k,2); \
-            rm(y,x,k,1); rm(y,x,k,0); \
-            break; \
-    case 4: rm(y,x,k,3); rm(y,x,k,2); \
-            rm(y,x,k,1); rm(y,x,k,0); \
-            break; \
-}
-#else
-
-#define round(rm,y,x,k) \
-switch(nc) \
-{   case 8: rm(y,x,k,7); rm(y,x,k,6); \
-    case 6: rm(y,x,k,5); rm(y,x,k,4); \
-    case 4: rm(y,x,k,3); rm(y,x,k,2); \
-            rm(y,x,k,1); rm(y,x,k,0); \
-}
-
-#endif
-
-#endif
-#endif
-
-void aes_encrypt(const aes_context *cx, const unsigned char in_blk[], unsigned char out_blk[])
-{   u_int32_t        locals(b0, b1);
-    const u_int32_t  *kp = cx->aes_e_key;
-
-#if !defined(ONE_TABLE) && !defined(FOUR_TABLES)
-    u_int32_t        f2;
-#endif
-
-    state_in(b0, in_blk, kp); kp += nc;
-
-#if defined(UNROLL)
-
-    switch(cx->aes_Nrnd)
-    {
-    case 14:    round(fwd_rnd,  b1, b0, kp         ); 
-                round(fwd_rnd,  b0, b1, kp + nc    ); kp += 2 * nc;
-    case 12:    round(fwd_rnd,  b1, b0, kp         ); 
-                round(fwd_rnd,  b0, b1, kp + nc    ); kp += 2 * nc;
-    case 10:    round(fwd_rnd,  b1, b0, kp         );             
-                round(fwd_rnd,  b0, b1, kp +     nc);
-                round(fwd_rnd,  b1, b0, kp + 2 * nc); 
-                round(fwd_rnd,  b0, b1, kp + 3 * nc);
-                round(fwd_rnd,  b1, b0, kp + 4 * nc); 
-                round(fwd_rnd,  b0, b1, kp + 5 * nc);
-                round(fwd_rnd,  b1, b0, kp + 6 * nc); 
-                round(fwd_rnd,  b0, b1, kp + 7 * nc);
-                round(fwd_rnd,  b1, b0, kp + 8 * nc);
-                round(fwd_lrnd, b0, b1, kp + 9 * nc);
-    }
-
-#elif defined(PARTIAL_UNROLL)
-    {   u_int32_t    rnd;
-
-        for(rnd = 0; rnd < (cx->aes_Nrnd >> 1) - 1; ++rnd)
-        {
-            round(fwd_rnd, b1, b0, kp); 
-            round(fwd_rnd, b0, b1, kp + nc); kp += 2 * nc;
-        }
-
-        round(fwd_rnd,  b1, b0, kp);
-        round(fwd_lrnd, b0, b1, kp + nc);
-    }
-#else
-    {   u_int32_t    rnd;
-
-        for(rnd = 0; rnd < cx->aes_Nrnd - 1; ++rnd)
-        {
-            round(fwd_rnd, b1, b0, kp); 
-            l_copy(b0, b1); kp += nc;
-        }
-
-        round(fwd_lrnd, b0, b1, kp);
-    }
-#endif
-
-    state_out(out_blk, b0);
-}
-
-void aes_decrypt(const aes_context *cx, const unsigned char in_blk[], unsigned char out_blk[])
-{   u_int32_t        locals(b0, b1);
-    const u_int32_t  *kp = cx->aes_d_key;
-
-#if !defined(ONE_TABLE) && !defined(FOUR_TABLES)
-    u_int32_t        f2, f4, f8, f9; 
-#endif
-
-    state_in(b0, in_blk, kp); kp += nc;
-
-#if defined(UNROLL)
-
-    switch(cx->aes_Nrnd)
-    {
-    case 14:    round(inv_rnd,  b1, b0, kp         );
-                round(inv_rnd,  b0, b1, kp + nc    ); kp += 2 * nc;
-    case 12:    round(inv_rnd,  b1, b0, kp         );
-                round(inv_rnd,  b0, b1, kp + nc    ); kp += 2 * nc;
-    case 10:    round(inv_rnd,  b1, b0, kp         );             
-                round(inv_rnd,  b0, b1, kp +     nc);
-                round(inv_rnd,  b1, b0, kp + 2 * nc); 
-                round(inv_rnd,  b0, b1, kp + 3 * nc);
-                round(inv_rnd,  b1, b0, kp + 4 * nc); 
-                round(inv_rnd,  b0, b1, kp + 5 * nc);
-                round(inv_rnd,  b1, b0, kp + 6 * nc); 
-                round(inv_rnd,  b0, b1, kp + 7 * nc);
-                round(inv_rnd,  b1, b0, kp + 8 * nc);
-                round(inv_lrnd, b0, b1, kp + 9 * nc);
-    }
-
-#elif defined(PARTIAL_UNROLL)
-    {   u_int32_t    rnd;
-
-        for(rnd = 0; rnd < (cx->aes_Nrnd >> 1) - 1; ++rnd)
-        {
-            round(inv_rnd, b1, b0, kp); 
-            round(inv_rnd, b0, b1, kp + nc); kp += 2 * nc;
-        }
-
-        round(inv_rnd,  b1, b0, kp);
-        round(inv_lrnd, b0, b1, kp + nc);
-    }
-#else
-    {   u_int32_t    rnd;
-
-        for(rnd = 0; rnd < cx->aes_Nrnd - 1; ++rnd)
-        {
-            round(inv_rnd, b1, b0, kp); 
-            l_copy(b0, b1); kp += nc;
-        }
-
-        round(inv_lrnd, b0, b1, kp);
-    }
-#endif
-
-    state_out(out_blk, b0);
-}
diff --git a/src/libcrypto/libaes/aes.h b/src/libcrypto/libaes/aes.h
deleted file mode 100644
index 4f1e3b335..000000000
--- a/src/libcrypto/libaes/aes.h
+++ /dev/null
@@ -1,97 +0,0 @@
-// I retain copyright in this code but I encourage its free use provided
-// that I don't carry any responsibility for the results. I am especially 
-// happy to see it used in free and open source software. If you do use 
-// it I would appreciate an acknowledgement of its origin in the code or
-// the product that results and I would also appreciate knowing a little
-// about the use to which it is being put. I am grateful to Frank Yellin
-// for some ideas that are used in this implementation.
-//
-// Dr B. R. Gladman <brg@gladman.uk.net> 6th April 2001.
-//
-// This is an implementation of the AES encryption algorithm (Rijndael)
-// designed by Joan Daemen and Vincent Rijmen. This version is designed
-// to provide both fixed and dynamic block and key lengths and can also 
-// run with either big or little endian internal byte order (see aes.h). 
-// It inputs block and key lengths in bytes with the legal values being 
-// 16, 24 and 32.
-
-/*
- * Modified by Jari Ruusu,  May 1 2001
- *  - Fixed some compile warnings, code was ok but gcc warned anyway.
- *  - Changed basic types: byte -> unsigned char, word -> u_int32_t
- *  - Major name space cleanup: Names visible to outside now begin
- *    with "aes_" or "AES_". A lot of stuff moved from aes.h to aes.c
- *  - Removed C++ and DLL support as part of name space cleanup.
- *  - Eliminated unnecessary recomputation of tables. (actual bug fix)
- *  - Merged precomputed constant tables to aes.c file.
- *  - Removed data alignment restrictions for portability reasons.
- *  - Made block and key lengths accept bit count (128/192/256)
- *    as well byte count (16/24/32).
- *  - Removed all error checks. This change also eliminated the need
- *    to preinitialize the context struct to zero.
- *  - Removed some totally unused constants.
- */
-
-#ifndef _AES_H
-#define _AES_H
-
-#if defined(__linux__) && defined(__KERNEL__)
-#  include <linux/types.h>
-#else 
-#  include <sys/types.h>
-#endif
-
-// CONFIGURATION OPTIONS (see also aes.c)
-//
-// Define AES_BLOCK_SIZE to set the cipher block size (16, 24 or 32) or
-// leave this undefined for dynamically variable block size (this will
-// result in much slower code).
-// IMPORTANT NOTE: AES_BLOCK_SIZE is in BYTES (16, 24, 32 or undefined). If
-// left undefined a slower version providing variable block length is compiled
-
-#define AES_BLOCK_SIZE  16
-
-// The number of key schedule words for different block and key lengths
-// allowing for method of computation which requires the length to be a
-// multiple of the key length
-//
-// Nk =       4   6   8
-//        -------------
-// Nb = 4 |  60  60  64
-//      6 |  96  90  96
-//      8 | 120 120 120
-
-#if !defined(AES_BLOCK_SIZE) || (AES_BLOCK_SIZE == 32)
-#define AES_KS_LENGTH   120
-#define AES_RC_LENGTH    29
-#else
-#define AES_KS_LENGTH   4 * AES_BLOCK_SIZE
-#define AES_RC_LENGTH   (9 * AES_BLOCK_SIZE) / 8 - 8
-#endif
-
-typedef struct
-{
-    u_int32_t    aes_Nkey;      // the number of words in the key input block
-    u_int32_t    aes_Nrnd;      // the number of cipher rounds
-    u_int32_t    aes_e_key[AES_KS_LENGTH];   // the encryption key schedule
-    u_int32_t    aes_d_key[AES_KS_LENGTH];   // the decryption key schedule
-#if !defined(AES_BLOCK_SIZE)
-    u_int32_t    aes_Ncol;      // the number of columns in the cipher state
-#endif
-} aes_context;
-
-// THE CIPHER INTERFACE
-
-#if !defined(AES_BLOCK_SIZE)
-extern void aes_set_blk(aes_context *, const int);
-#endif
-extern void aes_set_key(aes_context *, const unsigned char [], const int, const int);
-extern void aes_encrypt(const aes_context *, const unsigned char [], unsigned char []);
-extern void aes_decrypt(const aes_context *, const unsigned char [], unsigned char []);
-
-// The block length inputs to aes_set_block and aes_set_key are in numbers
-// of bytes or bits.  The calls to subroutines must be made in the above
-// order but multiple calls can be made without repeating earlier calls
-// if their parameters have not changed.
-
-#endif  // _AES_H
diff --git a/src/libcrypto/libaes/aes_cbc.c b/src/libcrypto/libaes/aes_cbc.c
deleted file mode 100644
index c406b1622..000000000
--- a/src/libcrypto/libaes/aes_cbc.c
+++ /dev/null
@@ -1,13 +0,0 @@
-#ifdef __KERNEL__
-#include <linux/types.h>
-#else
-#include <sys/types.h>
-#endif
-#include "aes_cbc.h"
-#include "cbc_generic.h"
-/* returns bool success */
-int SS_AES_set_key(aes_context *aes_ctx, const u_int8_t *key, int keysize) {
-	aes_set_key(aes_ctx, key, keysize, 0);
-	return 1;	
-}
-CBC_IMPL_BLK16(SS_AES_cbc_encrypt, aes_context, u_int8_t *, aes_encrypt, aes_decrypt);
diff --git a/src/libcrypto/libaes/aes_cbc.h b/src/libcrypto/libaes/aes_cbc.h
deleted file mode 100644
index 65015da6e..000000000
--- a/src/libcrypto/libaes/aes_cbc.h
+++ /dev/null
@@ -1,4 +0,0 @@
-/* Glue header */
-#include "aes.h"
-int SS_AES_set_key(aes_context *aes_ctx, const u_int8_t * key, int keysize);
-int SS_AES_cbc_encrypt(aes_context *ctx, const u_int8_t * in, u_int8_t * out, int ilen, const u_int8_t * iv, int encrypt);
diff --git a/src/libcrypto/libaes/aes_xcbc_mac.c b/src/libcrypto/libaes/aes_xcbc_mac.c
deleted file mode 100644
index 89d7bc067..000000000
--- a/src/libcrypto/libaes/aes_xcbc_mac.c
+++ /dev/null
@@ -1,67 +0,0 @@
-#ifdef __KERNEL__
-#include <linux/types.h>
-#include <linux/kernel.h>
-#define DEBUG(x) 
-#else
-#include <stdio.h>
-#include <sys/types.h>
-#define DEBUG(x) x
-#endif
-
-#include "aes.h"
-#include "aes_xcbc_mac.h"
-
-int AES_xcbc_mac_set_key(aes_context_mac *ctxm, const u_int8_t *key, int keylen)
-{
-	int ret=1;
-	aes_block kn[3] = { 
-		{ 0x01010101, 0x01010101, 0x01010101, 0x01010101 },
-		{ 0x02020202, 0x02020202, 0x02020202, 0x02020202 },
-		{ 0x03030303, 0x03030303, 0x03030303, 0x03030303 },
-	};
-	aes_set_key(&ctxm->ctx_k1, key, keylen, 0);
-	aes_encrypt(&ctxm->ctx_k1, (u_int8_t *) kn[0], (u_int8_t *) kn[0]);
-	aes_encrypt(&ctxm->ctx_k1, (u_int8_t *) kn[1], (u_int8_t *) ctxm->k2);
-	aes_encrypt(&ctxm->ctx_k1, (u_int8_t *) kn[2], (u_int8_t *) ctxm->k3);
-	aes_set_key(&ctxm->ctx_k1, (u_int8_t *) kn[0], 16, 0);
-	return ret;
-}
-static void do_pad_xor(u_int8_t *out, const u_int8_t *in, int len) {
-	int pos=0;
-	for (pos=1; pos <= 16; pos++, in++, out++) {
-		if (pos <= len)
-			*out ^= *in;
-		if (pos > len) {
-			DEBUG(printf("put 0x80 at pos=%d\n", pos));
-			*out ^= 0x80;
-			break;
-		}
-	}
-}
-static void xor_block(aes_block res, const aes_block op) {
-	res[0] ^= op[0];
-	res[1] ^= op[1];
-	res[2] ^= op[2];
-	res[3] ^= op[3];
-}
-int AES_xcbc_mac_hash(const aes_context_mac *ctxm, const u_int8_t * in, int ilen, u_int8_t hash[16]) {
-	int ret=ilen;
-	u_int32_t out[4] = { 0, 0, 0, 0 }; 
-	for (; ilen > 16 ; ilen-=16) {
-		xor_block(out, (const u_int32_t*) &in[0]);
-		aes_encrypt(&ctxm->ctx_k1, in, (u_int8_t *)&out[0]);
-		in+=16; 
-	}
-	do_pad_xor((u_int8_t *)&out, in, ilen);
-	if (ilen==16) {
-		DEBUG(printf("using k3\n"));
-		xor_block(out, ctxm->k3);
-	}
-	else 
-	{
-		DEBUG(printf("using k2\n"));
-		xor_block(out, ctxm->k2);
-	}
-	aes_encrypt(&ctxm->ctx_k1, (u_int8_t *)out, hash);
-	return ret;
-} 
diff --git a/src/libcrypto/libaes/aes_xcbc_mac.h b/src/libcrypto/libaes/aes_xcbc_mac.h
deleted file mode 100644
index baf438cd4..000000000
--- a/src/libcrypto/libaes/aes_xcbc_mac.h
+++ /dev/null
@@ -1,12 +0,0 @@
-#ifndef _AES_XCBC_MAC_H
-#define _AES_XCBC_MAC_H
-
-typedef u_int32_t aes_block[4];
-typedef struct {
-	aes_context ctx_k1;
-	aes_block k2;
-	aes_block k3;
-} aes_context_mac;
-int AES_xcbc_mac_set_key(aes_context_mac *ctxm, const u_int8_t *key, int keylen);
-int AES_xcbc_mac_hash(const aes_context_mac *ctxm, const u_int8_t * in, int ilen, u_int8_t hash[16]);
-#endif /* _AES_XCBC_MAC_H */
diff --git a/src/libcrypto/libblowfish/bf_enc.c b/src/libcrypto/libblowfish/bf_enc.c
deleted file mode 100644
index aa6c79812..000000000
--- a/src/libcrypto/libblowfish/bf_enc.c
+++ /dev/null
@@ -1,306 +0,0 @@
-/* crypto/bf/bf_enc.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- * 
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * 
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#include "blowfish.h"
-#include "bf_locl.h"
-
-/* Blowfish as implemented from 'Blowfish: Springer-Verlag paper'
- * (From LECTURE NOTES IN COMPUTER SCIENCE 809, FAST SOFTWARE ENCRYPTION,
- * CAMBRIDGE SECURITY WORKSHOP, CAMBRIDGE, U.K., DECEMBER 9-11, 1993)
- */
-
-#if (BF_ROUNDS != 16) && (BF_ROUNDS != 20)
-#error If you set BF_ROUNDS to some value other than 16 or 20, you will have \
-to modify the code.
-#endif
-
-void BF_encrypt(BF_LONG *data, const BF_KEY *key)
-	{
-#ifndef BF_PTR2
-	const BF_LONG *p,*s;
-	BF_LONG l,r;
-
-	p=key->P;
-	s= &(key->S[0]);
-	l=data[0];
-	r=data[1];
-
-	l^=p[0];
-	BF_ENC(r,l,s,p[ 1]);
-	BF_ENC(l,r,s,p[ 2]);
-	BF_ENC(r,l,s,p[ 3]);
-	BF_ENC(l,r,s,p[ 4]);
-	BF_ENC(r,l,s,p[ 5]);
-	BF_ENC(l,r,s,p[ 6]);
-	BF_ENC(r,l,s,p[ 7]);
-	BF_ENC(l,r,s,p[ 8]);
-	BF_ENC(r,l,s,p[ 9]);
-	BF_ENC(l,r,s,p[10]);
-	BF_ENC(r,l,s,p[11]);
-	BF_ENC(l,r,s,p[12]);
-	BF_ENC(r,l,s,p[13]);
-	BF_ENC(l,r,s,p[14]);
-	BF_ENC(r,l,s,p[15]);
-	BF_ENC(l,r,s,p[16]);
-#if BF_ROUNDS == 20
-	BF_ENC(r,l,s,p[17]);
-	BF_ENC(l,r,s,p[18]);
-	BF_ENC(r,l,s,p[19]);
-	BF_ENC(l,r,s,p[20]);
-#endif
-	r^=p[BF_ROUNDS+1];
-
-	data[1]=l&0xffffffffL;
-	data[0]=r&0xffffffffL;
-#else
-	BF_LONG l,r,t,*k;
-
-	l=data[0];
-	r=data[1];
-	k=(BF_LONG*)key;
-
-	l^=k[0];
-	BF_ENC(r,l,k, 1);
-	BF_ENC(l,r,k, 2);
-	BF_ENC(r,l,k, 3);
-	BF_ENC(l,r,k, 4);
-	BF_ENC(r,l,k, 5);
-	BF_ENC(l,r,k, 6);
-	BF_ENC(r,l,k, 7);
-	BF_ENC(l,r,k, 8);
-	BF_ENC(r,l,k, 9);
-	BF_ENC(l,r,k,10);
-	BF_ENC(r,l,k,11);
-	BF_ENC(l,r,k,12);
-	BF_ENC(r,l,k,13);
-	BF_ENC(l,r,k,14);
-	BF_ENC(r,l,k,15);
-	BF_ENC(l,r,k,16);
-#if BF_ROUNDS == 20
-	BF_ENC(r,l,k,17);
-	BF_ENC(l,r,k,18);
-	BF_ENC(r,l,k,19);
-	BF_ENC(l,r,k,20);
-#endif
-	r^=k[BF_ROUNDS+1];
-
-	data[1]=l&0xffffffffL;
-	data[0]=r&0xffffffffL;
-#endif
-	}
-
-#ifndef BF_DEFAULT_OPTIONS
-
-void BF_decrypt(BF_LONG *data, const BF_KEY *key)
-	{
-#ifndef BF_PTR2
-	const BF_LONG *p,*s;
-	BF_LONG l,r;
-
-	p=key->P;
-	s= &(key->S[0]);
-	l=data[0];
-	r=data[1];
-
-	l^=p[BF_ROUNDS+1];
-#if BF_ROUNDS == 20
-	BF_ENC(r,l,s,p[20]);
-	BF_ENC(l,r,s,p[19]);
-	BF_ENC(r,l,s,p[18]);
-	BF_ENC(l,r,s,p[17]);
-#endif
-	BF_ENC(r,l,s,p[16]);
-	BF_ENC(l,r,s,p[15]);
-	BF_ENC(r,l,s,p[14]);
-	BF_ENC(l,r,s,p[13]);
-	BF_ENC(r,l,s,p[12]);
-	BF_ENC(l,r,s,p[11]);
-	BF_ENC(r,l,s,p[10]);
-	BF_ENC(l,r,s,p[ 9]);
-	BF_ENC(r,l,s,p[ 8]);
-	BF_ENC(l,r,s,p[ 7]);
-	BF_ENC(r,l,s,p[ 6]);
-	BF_ENC(l,r,s,p[ 5]);
-	BF_ENC(r,l,s,p[ 4]);
-	BF_ENC(l,r,s,p[ 3]);
-	BF_ENC(r,l,s,p[ 2]);
-	BF_ENC(l,r,s,p[ 1]);
-	r^=p[0];
-
-	data[1]=l&0xffffffffL;
-	data[0]=r&0xffffffffL;
-#else
-	BF_LONG l,r,t,*k;
-
-	l=data[0];
-	r=data[1];
-	k=(BF_LONG *)key;
-
-	l^=k[BF_ROUNDS+1];
-#if BF_ROUNDS == 20
-	BF_ENC(r,l,k,20);
-	BF_ENC(l,r,k,19);
-	BF_ENC(r,l,k,18);
-	BF_ENC(l,r,k,17);
-#endif
-	BF_ENC(r,l,k,16);
-	BF_ENC(l,r,k,15);
-	BF_ENC(r,l,k,14);
-	BF_ENC(l,r,k,13);
-	BF_ENC(r,l,k,12);
-	BF_ENC(l,r,k,11);
-	BF_ENC(r,l,k,10);
-	BF_ENC(l,r,k, 9);
-	BF_ENC(r,l,k, 8);
-	BF_ENC(l,r,k, 7);
-	BF_ENC(r,l,k, 6);
-	BF_ENC(l,r,k, 5);
-	BF_ENC(r,l,k, 4);
-	BF_ENC(l,r,k, 3);
-	BF_ENC(r,l,k, 2);
-	BF_ENC(l,r,k, 1);
-	r^=k[0];
-
-	data[1]=l&0xffffffffL;
-	data[0]=r&0xffffffffL;
-#endif
-	}
-
-void BF_cbc_encrypt(const unsigned char *in, unsigned char *out, long length,
-	     const BF_KEY *schedule, unsigned char *ivec, int encrypt)
-	{
-	BF_LONG tin0,tin1;
-	BF_LONG tout0,tout1,xor0,xor1;
-	long l=length;
-	BF_LONG tin[2];
-
-	if (encrypt)
-		{
-		n2l(ivec,tout0);
-		n2l(ivec,tout1);
-		ivec-=8;
-		for (l-=8; l>=0; l-=8)
-			{
-			n2l(in,tin0);
-			n2l(in,tin1);
-			tin0^=tout0;
-			tin1^=tout1;
-			tin[0]=tin0;
-			tin[1]=tin1;
-			BF_encrypt(tin,schedule);
-			tout0=tin[0];
-			tout1=tin[1];
-			l2n(tout0,out);
-			l2n(tout1,out);
-			}
-		if (l != -8)
-			{
-			n2ln(in,tin0,tin1,l+8);
-			tin0^=tout0;
-			tin1^=tout1;
-			tin[0]=tin0;
-			tin[1]=tin1;
-			BF_encrypt(tin,schedule);
-			tout0=tin[0];
-			tout1=tin[1];
-			l2n(tout0,out);
-			l2n(tout1,out);
-			}
-		l2n(tout0,ivec);
-		l2n(tout1,ivec);
-		}
-	else
-		{
-		n2l(ivec,xor0);
-		n2l(ivec,xor1);
-		ivec-=8;
-		for (l-=8; l>=0; l-=8)
-			{
-			n2l(in,tin0);
-			n2l(in,tin1);
-			tin[0]=tin0;
-			tin[1]=tin1;
-			BF_decrypt(tin,schedule);
-			tout0=tin[0]^xor0;
-			tout1=tin[1]^xor1;
-			l2n(tout0,out);
-			l2n(tout1,out);
-			xor0=tin0;
-			xor1=tin1;
-			}
-		if (l != -8)
-			{
-			n2l(in,tin0);
-			n2l(in,tin1);
-			tin[0]=tin0;
-			tin[1]=tin1;
-			BF_decrypt(tin,schedule);
-			tout0=tin[0]^xor0;
-			tout1=tin[1]^xor1;
-			l2nn(tout0,tout1,out,l+8);
-			xor0=tin0;
-			xor1=tin1;
-			}
-		l2n(xor0,ivec);
-		l2n(xor1,ivec);
-		}
-	tin0=tin1=tout0=tout1=xor0=xor1=0;
-	tin[0]=tin[1]=0;
-	}
-
-#endif
diff --git a/src/libcrypto/libblowfish/bf_locl.h b/src/libcrypto/libblowfish/bf_locl.h
deleted file mode 100644
index 283bf4c43..000000000
--- a/src/libcrypto/libblowfish/bf_locl.h
+++ /dev/null
@@ -1,218 +0,0 @@
-/* crypto/bf/bf_locl.h */
-/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- * 
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * 
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#ifndef HEADER_BF_LOCL_H
-#define HEADER_BF_LOCL_H
-
-#undef c2l
-#define c2l(c,l)	(l =((unsigned long)(*((c)++)))    , \
-			 l|=((unsigned long)(*((c)++)))<< 8L, \
-			 l|=((unsigned long)(*((c)++)))<<16L, \
-			 l|=((unsigned long)(*((c)++)))<<24L)
-
-/* NOTE - c is not incremented as per c2l */
-#undef c2ln
-#define c2ln(c,l1,l2,n)	{ \
-			c+=n; \
-			l1=l2=0; \
-			switch (n) { \
-			case 8: l2 =((unsigned long)(*(--(c))))<<24L; \
-			case 7: l2|=((unsigned long)(*(--(c))))<<16L; \
-			case 6: l2|=((unsigned long)(*(--(c))))<< 8L; \
-			case 5: l2|=((unsigned long)(*(--(c))));     \
-			case 4: l1 =((unsigned long)(*(--(c))))<<24L; \
-			case 3: l1|=((unsigned long)(*(--(c))))<<16L; \
-			case 2: l1|=((unsigned long)(*(--(c))))<< 8L; \
-			case 1: l1|=((unsigned long)(*(--(c))));     \
-				} \
-			}
-
-#undef l2c
-#define l2c(l,c)	(*((c)++)=(unsigned char)(((l)     )&0xff), \
-			 *((c)++)=(unsigned char)(((l)>> 8L)&0xff), \
-			 *((c)++)=(unsigned char)(((l)>>16L)&0xff), \
-			 *((c)++)=(unsigned char)(((l)>>24L)&0xff))
-
-/* NOTE - c is not incremented as per l2c */
-#undef l2cn
-#define l2cn(l1,l2,c,n)	{ \
-			c+=n; \
-			switch (n) { \
-			case 8: *(--(c))=(unsigned char)(((l2)>>24L)&0xff); \
-			case 7: *(--(c))=(unsigned char)(((l2)>>16L)&0xff); \
-			case 6: *(--(c))=(unsigned char)(((l2)>> 8L)&0xff); \
-			case 5: *(--(c))=(unsigned char)(((l2)     )&0xff); \
-			case 4: *(--(c))=(unsigned char)(((l1)>>24L)&0xff); \
-			case 3: *(--(c))=(unsigned char)(((l1)>>16L)&0xff); \
-			case 2: *(--(c))=(unsigned char)(((l1)>> 8L)&0xff); \
-			case 1: *(--(c))=(unsigned char)(((l1)     )&0xff); \
-				} \
-			}
-
-/* NOTE - c is not incremented as per n2l */
-#define n2ln(c,l1,l2,n)	{ \
-			c+=n; \
-			l1=l2=0; \
-			switch (n) { \
-			case 8: l2 =((unsigned long)(*(--(c))))    ; \
-			case 7: l2|=((unsigned long)(*(--(c))))<< 8; \
-			case 6: l2|=((unsigned long)(*(--(c))))<<16; \
-			case 5: l2|=((unsigned long)(*(--(c))))<<24; \
-			case 4: l1 =((unsigned long)(*(--(c))))    ; \
-			case 3: l1|=((unsigned long)(*(--(c))))<< 8; \
-			case 2: l1|=((unsigned long)(*(--(c))))<<16; \
-			case 1: l1|=((unsigned long)(*(--(c))))<<24; \
-				} \
-			}
-
-/* NOTE - c is not incremented as per l2n */
-#define l2nn(l1,l2,c,n)	{ \
-			c+=n; \
-			switch (n) { \
-			case 8: *(--(c))=(unsigned char)(((l2)    )&0xff); \
-			case 7: *(--(c))=(unsigned char)(((l2)>> 8)&0xff); \
-			case 6: *(--(c))=(unsigned char)(((l2)>>16)&0xff); \
-			case 5: *(--(c))=(unsigned char)(((l2)>>24)&0xff); \
-			case 4: *(--(c))=(unsigned char)(((l1)    )&0xff); \
-			case 3: *(--(c))=(unsigned char)(((l1)>> 8)&0xff); \
-			case 2: *(--(c))=(unsigned char)(((l1)>>16)&0xff); \
-			case 1: *(--(c))=(unsigned char)(((l1)>>24)&0xff); \
-				} \
-			}
-
-#undef n2l
-#define n2l(c,l)        (l =((unsigned long)(*((c)++)))<<24L, \
-                         l|=((unsigned long)(*((c)++)))<<16L, \
-                         l|=((unsigned long)(*((c)++)))<< 8L, \
-                         l|=((unsigned long)(*((c)++))))
-
-#undef l2n
-#define l2n(l,c)        (*((c)++)=(unsigned char)(((l)>>24L)&0xff), \
-                         *((c)++)=(unsigned char)(((l)>>16L)&0xff), \
-                         *((c)++)=(unsigned char)(((l)>> 8L)&0xff), \
-                         *((c)++)=(unsigned char)(((l)     )&0xff))
-
-/* This is actually a big endian algorithm, the most significant byte
- * is used to lookup array 0 */
-
-#if defined(BF_PTR2)
-
-/*
- * This is basically a special Intel version. Point is that Intel
- * doesn't have many registers, but offers a reach choice of addressing
- * modes. So we spare some registers by directly traversing BF_KEY
- * structure and hiring the most decorated addressing mode. The code
- * generated by EGCS is *perfectly* competitive with assembler
- * implementation!
- */
-#define BF_ENC(LL,R,KEY,Pi) (\
-	LL^=KEY[Pi], \
-	t=  KEY[BF_ROUNDS+2 +   0 + ((R>>24)&0xFF)], \
-	t+= KEY[BF_ROUNDS+2 + 256 + ((R>>16)&0xFF)], \
-	t^= KEY[BF_ROUNDS+2 + 512 + ((R>>8 )&0xFF)], \
-	t+= KEY[BF_ROUNDS+2 + 768 + ((R    )&0xFF)], \
-	LL^=t \
-	)
-
-#elif defined(BF_PTR)
-
-#ifndef BF_LONG_LOG2
-#define BF_LONG_LOG2  2       /* default to BF_LONG being 32 bits */
-#endif
-#define BF_M  (0xFF<<BF_LONG_LOG2)
-#define BF_0  (24-BF_LONG_LOG2)
-#define BF_1  (16-BF_LONG_LOG2)
-#define BF_2  ( 8-BF_LONG_LOG2)
-#define BF_3  BF_LONG_LOG2 /* left shift */
-
-/*
- * This is normally very good on RISC platforms where normally you
- * have to explicitly "multiply" array index by sizeof(BF_LONG)
- * in order to calculate the effective address. This implementation
- * excuses CPU from this extra work. Power[PC] uses should have most
- * fun as (R>>BF_i)&BF_M gets folded into a single instruction, namely
- * rlwinm. So let'em double-check if their compiler does it.
- */
-
-#define BF_ENC(LL,R,S,P) ( \
-	LL^=P, \
-	LL^= (((*(BF_LONG *)((unsigned char *)&(S[  0])+((R>>BF_0)&BF_M))+ \
-		*(BF_LONG *)((unsigned char *)&(S[256])+((R>>BF_1)&BF_M)))^ \
-		*(BF_LONG *)((unsigned char *)&(S[512])+((R>>BF_2)&BF_M)))+ \
-		*(BF_LONG *)((unsigned char *)&(S[768])+((R<<BF_3)&BF_M))) \
-	)
-#else
-
-/*
- * This is a *generic* version. Seem to perform best on platforms that
- * offer explicit support for extraction of 8-bit nibbles preferably
- * complemented with "multiplying" of array index by sizeof(BF_LONG).
- * For the moment of this writing the list comprises Alpha CPU featuring
- * extbl and s[48]addq instructions.
- */
-
-#define BF_ENC(LL,R,S,P) ( \
-	LL^=P, \
-	LL^=(((	S[       ((int)(R>>24)&0xff)] + \
-		S[0x0100+((int)(R>>16)&0xff)])^ \
-		S[0x0200+((int)(R>> 8)&0xff)])+ \
-		S[0x0300+((int)(R    )&0xff)])&0xffffffffL \
-	)
-#endif
-
-#endif
diff --git a/src/libcrypto/libblowfish/bf_pi.h b/src/libcrypto/libblowfish/bf_pi.h
deleted file mode 100644
index 9949513c6..000000000
--- a/src/libcrypto/libblowfish/bf_pi.h
+++ /dev/null
@@ -1,325 +0,0 @@
-/* crypto/bf/bf_pi.h */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- * 
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * 
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-static const BF_KEY bf_init= {
-	{
-	0x243f6a88L, 0x85a308d3L, 0x13198a2eL, 0x03707344L,
-	0xa4093822L, 0x299f31d0L, 0x082efa98L, 0xec4e6c89L,
-	0x452821e6L, 0x38d01377L, 0xbe5466cfL, 0x34e90c6cL,
-	0xc0ac29b7L, 0xc97c50ddL, 0x3f84d5b5L, 0xb5470917L,
-	0x9216d5d9L, 0x8979fb1b
-	},{
-	0xd1310ba6L, 0x98dfb5acL, 0x2ffd72dbL, 0xd01adfb7L, 
-	0xb8e1afedL, 0x6a267e96L, 0xba7c9045L, 0xf12c7f99L, 
-	0x24a19947L, 0xb3916cf7L, 0x0801f2e2L, 0x858efc16L, 
-	0x636920d8L, 0x71574e69L, 0xa458fea3L, 0xf4933d7eL, 
-	0x0d95748fL, 0x728eb658L, 0x718bcd58L, 0x82154aeeL, 
-	0x7b54a41dL, 0xc25a59b5L, 0x9c30d539L, 0x2af26013L, 
-	0xc5d1b023L, 0x286085f0L, 0xca417918L, 0xb8db38efL, 
-	0x8e79dcb0L, 0x603a180eL, 0x6c9e0e8bL, 0xb01e8a3eL, 
-	0xd71577c1L, 0xbd314b27L, 0x78af2fdaL, 0x55605c60L, 
-	0xe65525f3L, 0xaa55ab94L, 0x57489862L, 0x63e81440L, 
-	0x55ca396aL, 0x2aab10b6L, 0xb4cc5c34L, 0x1141e8ceL, 
-	0xa15486afL, 0x7c72e993L, 0xb3ee1411L, 0x636fbc2aL, 
-	0x2ba9c55dL, 0x741831f6L, 0xce5c3e16L, 0x9b87931eL, 
-	0xafd6ba33L, 0x6c24cf5cL, 0x7a325381L, 0x28958677L, 
-	0x3b8f4898L, 0x6b4bb9afL, 0xc4bfe81bL, 0x66282193L, 
-	0x61d809ccL, 0xfb21a991L, 0x487cac60L, 0x5dec8032L, 
-	0xef845d5dL, 0xe98575b1L, 0xdc262302L, 0xeb651b88L, 
-	0x23893e81L, 0xd396acc5L, 0x0f6d6ff3L, 0x83f44239L, 
-	0x2e0b4482L, 0xa4842004L, 0x69c8f04aL, 0x9e1f9b5eL, 
-	0x21c66842L, 0xf6e96c9aL, 0x670c9c61L, 0xabd388f0L, 
-	0x6a51a0d2L, 0xd8542f68L, 0x960fa728L, 0xab5133a3L, 
-	0x6eef0b6cL, 0x137a3be4L, 0xba3bf050L, 0x7efb2a98L, 
-	0xa1f1651dL, 0x39af0176L, 0x66ca593eL, 0x82430e88L, 
-	0x8cee8619L, 0x456f9fb4L, 0x7d84a5c3L, 0x3b8b5ebeL, 
-	0xe06f75d8L, 0x85c12073L, 0x401a449fL, 0x56c16aa6L, 
-	0x4ed3aa62L, 0x363f7706L, 0x1bfedf72L, 0x429b023dL, 
-	0x37d0d724L, 0xd00a1248L, 0xdb0fead3L, 0x49f1c09bL, 
-	0x075372c9L, 0x80991b7bL, 0x25d479d8L, 0xf6e8def7L, 
-	0xe3fe501aL, 0xb6794c3bL, 0x976ce0bdL, 0x04c006baL, 
-	0xc1a94fb6L, 0x409f60c4L, 0x5e5c9ec2L, 0x196a2463L, 
-	0x68fb6fafL, 0x3e6c53b5L, 0x1339b2ebL, 0x3b52ec6fL, 
-	0x6dfc511fL, 0x9b30952cL, 0xcc814544L, 0xaf5ebd09L, 
-	0xbee3d004L, 0xde334afdL, 0x660f2807L, 0x192e4bb3L, 
-	0xc0cba857L, 0x45c8740fL, 0xd20b5f39L, 0xb9d3fbdbL, 
-	0x5579c0bdL, 0x1a60320aL, 0xd6a100c6L, 0x402c7279L, 
-	0x679f25feL, 0xfb1fa3ccL, 0x8ea5e9f8L, 0xdb3222f8L, 
-	0x3c7516dfL, 0xfd616b15L, 0x2f501ec8L, 0xad0552abL, 
-	0x323db5faL, 0xfd238760L, 0x53317b48L, 0x3e00df82L, 
-	0x9e5c57bbL, 0xca6f8ca0L, 0x1a87562eL, 0xdf1769dbL, 
-	0xd542a8f6L, 0x287effc3L, 0xac6732c6L, 0x8c4f5573L, 
-	0x695b27b0L, 0xbbca58c8L, 0xe1ffa35dL, 0xb8f011a0L, 
-	0x10fa3d98L, 0xfd2183b8L, 0x4afcb56cL, 0x2dd1d35bL, 
-	0x9a53e479L, 0xb6f84565L, 0xd28e49bcL, 0x4bfb9790L, 
-	0xe1ddf2daL, 0xa4cb7e33L, 0x62fb1341L, 0xcee4c6e8L, 
-	0xef20cadaL, 0x36774c01L, 0xd07e9efeL, 0x2bf11fb4L, 
-	0x95dbda4dL, 0xae909198L, 0xeaad8e71L, 0x6b93d5a0L, 
-	0xd08ed1d0L, 0xafc725e0L, 0x8e3c5b2fL, 0x8e7594b7L, 
-	0x8ff6e2fbL, 0xf2122b64L, 0x8888b812L, 0x900df01cL, 
-	0x4fad5ea0L, 0x688fc31cL, 0xd1cff191L, 0xb3a8c1adL, 
-	0x2f2f2218L, 0xbe0e1777L, 0xea752dfeL, 0x8b021fa1L, 
-	0xe5a0cc0fL, 0xb56f74e8L, 0x18acf3d6L, 0xce89e299L, 
-	0xb4a84fe0L, 0xfd13e0b7L, 0x7cc43b81L, 0xd2ada8d9L, 
-	0x165fa266L, 0x80957705L, 0x93cc7314L, 0x211a1477L, 
-	0xe6ad2065L, 0x77b5fa86L, 0xc75442f5L, 0xfb9d35cfL, 
-	0xebcdaf0cL, 0x7b3e89a0L, 0xd6411bd3L, 0xae1e7e49L, 
-	0x00250e2dL, 0x2071b35eL, 0x226800bbL, 0x57b8e0afL, 
-	0x2464369bL, 0xf009b91eL, 0x5563911dL, 0x59dfa6aaL, 
-	0x78c14389L, 0xd95a537fL, 0x207d5ba2L, 0x02e5b9c5L, 
-	0x83260376L, 0x6295cfa9L, 0x11c81968L, 0x4e734a41L, 
-	0xb3472dcaL, 0x7b14a94aL, 0x1b510052L, 0x9a532915L, 
-	0xd60f573fL, 0xbc9bc6e4L, 0x2b60a476L, 0x81e67400L, 
-	0x08ba6fb5L, 0x571be91fL, 0xf296ec6bL, 0x2a0dd915L, 
-	0xb6636521L, 0xe7b9f9b6L, 0xff34052eL, 0xc5855664L, 
-	0x53b02d5dL, 0xa99f8fa1L, 0x08ba4799L, 0x6e85076aL, 
-	0x4b7a70e9L, 0xb5b32944L, 0xdb75092eL, 0xc4192623L, 
-	0xad6ea6b0L, 0x49a7df7dL, 0x9cee60b8L, 0x8fedb266L, 
-	0xecaa8c71L, 0x699a17ffL, 0x5664526cL, 0xc2b19ee1L, 
-	0x193602a5L, 0x75094c29L, 0xa0591340L, 0xe4183a3eL, 
-	0x3f54989aL, 0x5b429d65L, 0x6b8fe4d6L, 0x99f73fd6L, 
-	0xa1d29c07L, 0xefe830f5L, 0x4d2d38e6L, 0xf0255dc1L, 
-	0x4cdd2086L, 0x8470eb26L, 0x6382e9c6L, 0x021ecc5eL, 
-	0x09686b3fL, 0x3ebaefc9L, 0x3c971814L, 0x6b6a70a1L, 
-	0x687f3584L, 0x52a0e286L, 0xb79c5305L, 0xaa500737L, 
-	0x3e07841cL, 0x7fdeae5cL, 0x8e7d44ecL, 0x5716f2b8L, 
-	0xb03ada37L, 0xf0500c0dL, 0xf01c1f04L, 0x0200b3ffL, 
-	0xae0cf51aL, 0x3cb574b2L, 0x25837a58L, 0xdc0921bdL, 
-	0xd19113f9L, 0x7ca92ff6L, 0x94324773L, 0x22f54701L, 
-	0x3ae5e581L, 0x37c2dadcL, 0xc8b57634L, 0x9af3dda7L, 
-	0xa9446146L, 0x0fd0030eL, 0xecc8c73eL, 0xa4751e41L, 
-	0xe238cd99L, 0x3bea0e2fL, 0x3280bba1L, 0x183eb331L, 
-	0x4e548b38L, 0x4f6db908L, 0x6f420d03L, 0xf60a04bfL, 
-	0x2cb81290L, 0x24977c79L, 0x5679b072L, 0xbcaf89afL, 
-	0xde9a771fL, 0xd9930810L, 0xb38bae12L, 0xdccf3f2eL, 
-	0x5512721fL, 0x2e6b7124L, 0x501adde6L, 0x9f84cd87L, 
-	0x7a584718L, 0x7408da17L, 0xbc9f9abcL, 0xe94b7d8cL, 
-	0xec7aec3aL, 0xdb851dfaL, 0x63094366L, 0xc464c3d2L, 
-	0xef1c1847L, 0x3215d908L, 0xdd433b37L, 0x24c2ba16L, 
-	0x12a14d43L, 0x2a65c451L, 0x50940002L, 0x133ae4ddL, 
-	0x71dff89eL, 0x10314e55L, 0x81ac77d6L, 0x5f11199bL, 
-	0x043556f1L, 0xd7a3c76bL, 0x3c11183bL, 0x5924a509L, 
-	0xf28fe6edL, 0x97f1fbfaL, 0x9ebabf2cL, 0x1e153c6eL, 
-	0x86e34570L, 0xeae96fb1L, 0x860e5e0aL, 0x5a3e2ab3L, 
-	0x771fe71cL, 0x4e3d06faL, 0x2965dcb9L, 0x99e71d0fL, 
-	0x803e89d6L, 0x5266c825L, 0x2e4cc978L, 0x9c10b36aL, 
-	0xc6150ebaL, 0x94e2ea78L, 0xa5fc3c53L, 0x1e0a2df4L, 
-	0xf2f74ea7L, 0x361d2b3dL, 0x1939260fL, 0x19c27960L, 
-	0x5223a708L, 0xf71312b6L, 0xebadfe6eL, 0xeac31f66L, 
-	0xe3bc4595L, 0xa67bc883L, 0xb17f37d1L, 0x018cff28L, 
-	0xc332ddefL, 0xbe6c5aa5L, 0x65582185L, 0x68ab9802L, 
-	0xeecea50fL, 0xdb2f953bL, 0x2aef7dadL, 0x5b6e2f84L, 
-	0x1521b628L, 0x29076170L, 0xecdd4775L, 0x619f1510L, 
-	0x13cca830L, 0xeb61bd96L, 0x0334fe1eL, 0xaa0363cfL, 
-	0xb5735c90L, 0x4c70a239L, 0xd59e9e0bL, 0xcbaade14L, 
-	0xeecc86bcL, 0x60622ca7L, 0x9cab5cabL, 0xb2f3846eL, 
-	0x648b1eafL, 0x19bdf0caL, 0xa02369b9L, 0x655abb50L, 
-	0x40685a32L, 0x3c2ab4b3L, 0x319ee9d5L, 0xc021b8f7L, 
-	0x9b540b19L, 0x875fa099L, 0x95f7997eL, 0x623d7da8L, 
-	0xf837889aL, 0x97e32d77L, 0x11ed935fL, 0x16681281L, 
-	0x0e358829L, 0xc7e61fd6L, 0x96dedfa1L, 0x7858ba99L, 
-	0x57f584a5L, 0x1b227263L, 0x9b83c3ffL, 0x1ac24696L, 
-	0xcdb30aebL, 0x532e3054L, 0x8fd948e4L, 0x6dbc3128L, 
-	0x58ebf2efL, 0x34c6ffeaL, 0xfe28ed61L, 0xee7c3c73L, 
-	0x5d4a14d9L, 0xe864b7e3L, 0x42105d14L, 0x203e13e0L, 
-	0x45eee2b6L, 0xa3aaabeaL, 0xdb6c4f15L, 0xfacb4fd0L, 
-	0xc742f442L, 0xef6abbb5L, 0x654f3b1dL, 0x41cd2105L, 
-	0xd81e799eL, 0x86854dc7L, 0xe44b476aL, 0x3d816250L, 
-	0xcf62a1f2L, 0x5b8d2646L, 0xfc8883a0L, 0xc1c7b6a3L, 
-	0x7f1524c3L, 0x69cb7492L, 0x47848a0bL, 0x5692b285L, 
-	0x095bbf00L, 0xad19489dL, 0x1462b174L, 0x23820e00L, 
-	0x58428d2aL, 0x0c55f5eaL, 0x1dadf43eL, 0x233f7061L, 
-	0x3372f092L, 0x8d937e41L, 0xd65fecf1L, 0x6c223bdbL, 
-	0x7cde3759L, 0xcbee7460L, 0x4085f2a7L, 0xce77326eL, 
-	0xa6078084L, 0x19f8509eL, 0xe8efd855L, 0x61d99735L, 
-	0xa969a7aaL, 0xc50c06c2L, 0x5a04abfcL, 0x800bcadcL, 
-	0x9e447a2eL, 0xc3453484L, 0xfdd56705L, 0x0e1e9ec9L, 
-	0xdb73dbd3L, 0x105588cdL, 0x675fda79L, 0xe3674340L, 
-	0xc5c43465L, 0x713e38d8L, 0x3d28f89eL, 0xf16dff20L, 
-	0x153e21e7L, 0x8fb03d4aL, 0xe6e39f2bL, 0xdb83adf7L, 
-	0xe93d5a68L, 0x948140f7L, 0xf64c261cL, 0x94692934L, 
-	0x411520f7L, 0x7602d4f7L, 0xbcf46b2eL, 0xd4a20068L, 
-	0xd4082471L, 0x3320f46aL, 0x43b7d4b7L, 0x500061afL, 
-	0x1e39f62eL, 0x97244546L, 0x14214f74L, 0xbf8b8840L, 
-	0x4d95fc1dL, 0x96b591afL, 0x70f4ddd3L, 0x66a02f45L, 
-	0xbfbc09ecL, 0x03bd9785L, 0x7fac6dd0L, 0x31cb8504L, 
-	0x96eb27b3L, 0x55fd3941L, 0xda2547e6L, 0xabca0a9aL, 
-	0x28507825L, 0x530429f4L, 0x0a2c86daL, 0xe9b66dfbL, 
-	0x68dc1462L, 0xd7486900L, 0x680ec0a4L, 0x27a18deeL, 
-	0x4f3ffea2L, 0xe887ad8cL, 0xb58ce006L, 0x7af4d6b6L, 
-	0xaace1e7cL, 0xd3375fecL, 0xce78a399L, 0x406b2a42L, 
-	0x20fe9e35L, 0xd9f385b9L, 0xee39d7abL, 0x3b124e8bL, 
-	0x1dc9faf7L, 0x4b6d1856L, 0x26a36631L, 0xeae397b2L, 
-	0x3a6efa74L, 0xdd5b4332L, 0x6841e7f7L, 0xca7820fbL, 
-	0xfb0af54eL, 0xd8feb397L, 0x454056acL, 0xba489527L, 
-	0x55533a3aL, 0x20838d87L, 0xfe6ba9b7L, 0xd096954bL, 
-	0x55a867bcL, 0xa1159a58L, 0xcca92963L, 0x99e1db33L, 
-	0xa62a4a56L, 0x3f3125f9L, 0x5ef47e1cL, 0x9029317cL, 
-	0xfdf8e802L, 0x04272f70L, 0x80bb155cL, 0x05282ce3L, 
-	0x95c11548L, 0xe4c66d22L, 0x48c1133fL, 0xc70f86dcL, 
-	0x07f9c9eeL, 0x41041f0fL, 0x404779a4L, 0x5d886e17L, 
-	0x325f51ebL, 0xd59bc0d1L, 0xf2bcc18fL, 0x41113564L, 
-	0x257b7834L, 0x602a9c60L, 0xdff8e8a3L, 0x1f636c1bL, 
-	0x0e12b4c2L, 0x02e1329eL, 0xaf664fd1L, 0xcad18115L, 
-	0x6b2395e0L, 0x333e92e1L, 0x3b240b62L, 0xeebeb922L, 
-	0x85b2a20eL, 0xe6ba0d99L, 0xde720c8cL, 0x2da2f728L, 
-	0xd0127845L, 0x95b794fdL, 0x647d0862L, 0xe7ccf5f0L, 
-	0x5449a36fL, 0x877d48faL, 0xc39dfd27L, 0xf33e8d1eL, 
-	0x0a476341L, 0x992eff74L, 0x3a6f6eabL, 0xf4f8fd37L, 
-	0xa812dc60L, 0xa1ebddf8L, 0x991be14cL, 0xdb6e6b0dL, 
-	0xc67b5510L, 0x6d672c37L, 0x2765d43bL, 0xdcd0e804L, 
-	0xf1290dc7L, 0xcc00ffa3L, 0xb5390f92L, 0x690fed0bL, 
-	0x667b9ffbL, 0xcedb7d9cL, 0xa091cf0bL, 0xd9155ea3L, 
-	0xbb132f88L, 0x515bad24L, 0x7b9479bfL, 0x763bd6ebL, 
-	0x37392eb3L, 0xcc115979L, 0x8026e297L, 0xf42e312dL, 
-	0x6842ada7L, 0xc66a2b3bL, 0x12754cccL, 0x782ef11cL, 
-	0x6a124237L, 0xb79251e7L, 0x06a1bbe6L, 0x4bfb6350L, 
-	0x1a6b1018L, 0x11caedfaL, 0x3d25bdd8L, 0xe2e1c3c9L, 
-	0x44421659L, 0x0a121386L, 0xd90cec6eL, 0xd5abea2aL, 
-	0x64af674eL, 0xda86a85fL, 0xbebfe988L, 0x64e4c3feL, 
-	0x9dbc8057L, 0xf0f7c086L, 0x60787bf8L, 0x6003604dL, 
-	0xd1fd8346L, 0xf6381fb0L, 0x7745ae04L, 0xd736fcccL, 
-	0x83426b33L, 0xf01eab71L, 0xb0804187L, 0x3c005e5fL, 
-	0x77a057beL, 0xbde8ae24L, 0x55464299L, 0xbf582e61L, 
-	0x4e58f48fL, 0xf2ddfda2L, 0xf474ef38L, 0x8789bdc2L, 
-	0x5366f9c3L, 0xc8b38e74L, 0xb475f255L, 0x46fcd9b9L, 
-	0x7aeb2661L, 0x8b1ddf84L, 0x846a0e79L, 0x915f95e2L, 
-	0x466e598eL, 0x20b45770L, 0x8cd55591L, 0xc902de4cL, 
-	0xb90bace1L, 0xbb8205d0L, 0x11a86248L, 0x7574a99eL, 
-	0xb77f19b6L, 0xe0a9dc09L, 0x662d09a1L, 0xc4324633L, 
-	0xe85a1f02L, 0x09f0be8cL, 0x4a99a025L, 0x1d6efe10L, 
-	0x1ab93d1dL, 0x0ba5a4dfL, 0xa186f20fL, 0x2868f169L, 
-	0xdcb7da83L, 0x573906feL, 0xa1e2ce9bL, 0x4fcd7f52L, 
-	0x50115e01L, 0xa70683faL, 0xa002b5c4L, 0x0de6d027L, 
-	0x9af88c27L, 0x773f8641L, 0xc3604c06L, 0x61a806b5L, 
-	0xf0177a28L, 0xc0f586e0L, 0x006058aaL, 0x30dc7d62L, 
-	0x11e69ed7L, 0x2338ea63L, 0x53c2dd94L, 0xc2c21634L, 
-	0xbbcbee56L, 0x90bcb6deL, 0xebfc7da1L, 0xce591d76L, 
-	0x6f05e409L, 0x4b7c0188L, 0x39720a3dL, 0x7c927c24L, 
-	0x86e3725fL, 0x724d9db9L, 0x1ac15bb4L, 0xd39eb8fcL, 
-	0xed545578L, 0x08fca5b5L, 0xd83d7cd3L, 0x4dad0fc4L, 
-	0x1e50ef5eL, 0xb161e6f8L, 0xa28514d9L, 0x6c51133cL, 
-	0x6fd5c7e7L, 0x56e14ec4L, 0x362abfceL, 0xddc6c837L, 
-	0xd79a3234L, 0x92638212L, 0x670efa8eL, 0x406000e0L, 
-	0x3a39ce37L, 0xd3faf5cfL, 0xabc27737L, 0x5ac52d1bL, 
-	0x5cb0679eL, 0x4fa33742L, 0xd3822740L, 0x99bc9bbeL, 
-	0xd5118e9dL, 0xbf0f7315L, 0xd62d1c7eL, 0xc700c47bL, 
-	0xb78c1b6bL, 0x21a19045L, 0xb26eb1beL, 0x6a366eb4L, 
-	0x5748ab2fL, 0xbc946e79L, 0xc6a376d2L, 0x6549c2c8L, 
-	0x530ff8eeL, 0x468dde7dL, 0xd5730a1dL, 0x4cd04dc6L, 
-	0x2939bbdbL, 0xa9ba4650L, 0xac9526e8L, 0xbe5ee304L, 
-	0xa1fad5f0L, 0x6a2d519aL, 0x63ef8ce2L, 0x9a86ee22L, 
-	0xc089c2b8L, 0x43242ef6L, 0xa51e03aaL, 0x9cf2d0a4L, 
-	0x83c061baL, 0x9be96a4dL, 0x8fe51550L, 0xba645bd6L, 
-	0x2826a2f9L, 0xa73a3ae1L, 0x4ba99586L, 0xef5562e9L, 
-	0xc72fefd3L, 0xf752f7daL, 0x3f046f69L, 0x77fa0a59L, 
-	0x80e4a915L, 0x87b08601L, 0x9b09e6adL, 0x3b3ee593L, 
-	0xe990fd5aL, 0x9e34d797L, 0x2cf0b7d9L, 0x022b8b51L, 
-	0x96d5ac3aL, 0x017da67dL, 0xd1cf3ed6L, 0x7c7d2d28L, 
-	0x1f9f25cfL, 0xadf2b89bL, 0x5ad6b472L, 0x5a88f54cL, 
-	0xe029ac71L, 0xe019a5e6L, 0x47b0acfdL, 0xed93fa9bL, 
-	0xe8d3c48dL, 0x283b57ccL, 0xf8d56629L, 0x79132e28L, 
-	0x785f0191L, 0xed756055L, 0xf7960e44L, 0xe3d35e8cL, 
-	0x15056dd4L, 0x88f46dbaL, 0x03a16125L, 0x0564f0bdL, 
-	0xc3eb9e15L, 0x3c9057a2L, 0x97271aecL, 0xa93a072aL, 
-	0x1b3f6d9bL, 0x1e6321f5L, 0xf59c66fbL, 0x26dcf319L, 
-	0x7533d928L, 0xb155fdf5L, 0x03563482L, 0x8aba3cbbL, 
-	0x28517711L, 0xc20ad9f8L, 0xabcc5167L, 0xccad925fL, 
-	0x4de81751L, 0x3830dc8eL, 0x379d5862L, 0x9320f991L, 
-	0xea7a90c2L, 0xfb3e7bceL, 0x5121ce64L, 0x774fbe32L, 
-	0xa8b6e37eL, 0xc3293d46L, 0x48de5369L, 0x6413e680L, 
-	0xa2ae0810L, 0xdd6db224L, 0x69852dfdL, 0x09072166L, 
-	0xb39a460aL, 0x6445c0ddL, 0x586cdecfL, 0x1c20c8aeL, 
-	0x5bbef7ddL, 0x1b588d40L, 0xccd2017fL, 0x6bb4e3bbL, 
-	0xdda26a7eL, 0x3a59ff45L, 0x3e350a44L, 0xbcb4cdd5L, 
-	0x72eacea8L, 0xfa6484bbL, 0x8d6612aeL, 0xbf3c6f47L, 
-	0xd29be463L, 0x542f5d9eL, 0xaec2771bL, 0xf64e6370L, 
-	0x740e0d8dL, 0xe75b1357L, 0xf8721671L, 0xaf537d5dL, 
-	0x4040cb08L, 0x4eb4e2ccL, 0x34d2466aL, 0x0115af84L, 
-	0xe1b00428L, 0x95983a1dL, 0x06b89fb4L, 0xce6ea048L, 
-	0x6f3f3b82L, 0x3520ab82L, 0x011a1d4bL, 0x277227f8L, 
-	0x611560b1L, 0xe7933fdcL, 0xbb3a792bL, 0x344525bdL, 
-	0xa08839e1L, 0x51ce794bL, 0x2f32c9b7L, 0xa01fbac9L, 
-	0xe01cc87eL, 0xbcc7d1f6L, 0xcf0111c3L, 0xa1e8aac7L, 
-	0x1a908749L, 0xd44fbd9aL, 0xd0dadecbL, 0xd50ada38L, 
-	0x0339c32aL, 0xc6913667L, 0x8df9317cL, 0xe0b12b4fL, 
-	0xf79e59b7L, 0x43f5bb3aL, 0xf2d519ffL, 0x27d9459cL, 
-	0xbf97222cL, 0x15e6fc2aL, 0x0f91fc71L, 0x9b941525L, 
-	0xfae59361L, 0xceb69cebL, 0xc2a86459L, 0x12baa8d1L, 
-	0xb6c1075eL, 0xe3056a0cL, 0x10d25065L, 0xcb03a442L, 
-	0xe0ec6e0eL, 0x1698db3bL, 0x4c98a0beL, 0x3278e964L, 
-	0x9f1f9532L, 0xe0d392dfL, 0xd3a0342bL, 0x8971f21eL, 
-	0x1b0a7441L, 0x4ba3348cL, 0xc5be7120L, 0xc37632d8L, 
-	0xdf359f8dL, 0x9b992f2eL, 0xe60b6f47L, 0x0fe3f11dL, 
-	0xe54cda54L, 0x1edad891L, 0xce6279cfL, 0xcd3e7e6fL, 
-	0x1618b166L, 0xfd2c1d05L, 0x848fd2c5L, 0xf6fb2299L, 
-	0xf523f357L, 0xa6327623L, 0x93a83531L, 0x56cccd02L, 
-	0xacf08162L, 0x5a75ebb5L, 0x6e163697L, 0x88d273ccL, 
-	0xde966292L, 0x81b949d0L, 0x4c50901bL, 0x71c65614L, 
-	0xe6c6c7bdL, 0x327a140aL, 0x45e1d006L, 0xc3f27b9aL, 
-	0xc9aa53fdL, 0x62a80f00L, 0xbb25bfe2L, 0x35bdd2f6L, 
-	0x71126905L, 0xb2040222L, 0xb6cbcf7cL, 0xcd769c2bL, 
-	0x53113ec0L, 0x1640e3d3L, 0x38abbd60L, 0x2547adf0L, 
-	0xba38209cL, 0xf746ce76L, 0x77afa1c5L, 0x20756060L, 
-	0x85cbfe4eL, 0x8ae88dd8L, 0x7aaaf9b0L, 0x4cf9aa7eL, 
-	0x1948c25cL, 0x02fb8a8cL, 0x01c36ae4L, 0xd6ebe1f9L, 
-	0x90d4f869L, 0xa65cdea0L, 0x3f09252dL, 0xc208e69fL, 
-	0xb74e6132L, 0xce77e25bL, 0x578fdfe3L, 0x3ac372e6L, 
-	}
-	};
-
diff --git a/src/libcrypto/libblowfish/bf_skey.c b/src/libcrypto/libblowfish/bf_skey.c
deleted file mode 100644
index 8cdbbd283..000000000
--- a/src/libcrypto/libblowfish/bf_skey.c
+++ /dev/null
@@ -1,122 +0,0 @@
-/* crypto/bf/bf_skey.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- * 
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * 
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#ifdef __KERNEL__
-#include <linux/types.h>
-#include <linux/string.h>
-#else
-#include <stdio.h>
-#include <string.h>
-#endif
-
-#include "blowfish.h"
-#include "bf_locl.h"
-#include "bf_pi.h"
-
-void BF_set_key(BF_KEY *key, int len, const unsigned char *data)
-	{
-	int i;
-	BF_LONG *p,ri,in[2];
-	const unsigned char *d,*end;
-
-
-	memcpy((char *)key,(const char *)&bf_init,sizeof(BF_KEY));
-	p=key->P;
-
-	if (len > ((BF_ROUNDS+2)*4)) len=(BF_ROUNDS+2)*4;
-
-	d=data;
-	end= &(data[len]);
-	for (i=0; i<(BF_ROUNDS+2); i++)
-		{
-		ri= *(d++);
-		if (d >= end) d=data;
-
-		ri<<=8;
-		ri|= *(d++);
-		if (d >= end) d=data;
-
-		ri<<=8;
-		ri|= *(d++);
-		if (d >= end) d=data;
-
-		ri<<=8;
-		ri|= *(d++);
-		if (d >= end) d=data;
-
-		p[i]^=ri;
-		}
-
-	in[0]=0L;
-	in[1]=0L;
-	for (i=0; i<(BF_ROUNDS+2); i+=2)
-		{
-		BF_encrypt(in,key);
-		p[i  ]=in[0];
-		p[i+1]=in[1];
-		}
-
-	p=key->S;
-	for (i=0; i<4*256; i+=2)
-		{
-		BF_encrypt(in,key);
-		p[i  ]=in[0];
-		p[i+1]=in[1];
-		}
-	}
-
diff --git a/src/libcrypto/libblowfish/blowfish.h b/src/libcrypto/libblowfish/blowfish.h
deleted file mode 100644
index ccb97e272..000000000
--- a/src/libcrypto/libblowfish/blowfish.h
+++ /dev/null
@@ -1,133 +0,0 @@
-/* crypto/bf/blowfish.h */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- * 
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * 
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#ifndef HEADER_BLOWFISH_H
-#define HEADER_BLOWFISH_H
-
-#ifdef  __cplusplus
-extern "C" {
-#endif
-
-#ifdef NO_BF
-#error BF is disabled.
-#endif
-
-#define BF_ENCRYPT	1
-#define BF_DECRYPT	0
-
-/*
- * !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
- * ! BF_LONG has to be at least 32 bits wide. If it's wider, then !
- * ! BF_LONG_LOG2 has to be defined along.                        !
- * !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
- */
-
-#if defined(WIN16) || defined(__LP32__)
-#define BF_LONG unsigned long
-#elif defined(_CRAY) || defined(__ILP64__)
-#define BF_LONG unsigned long
-#define BF_LONG_LOG2 3
-#endif
-/*
- * _CRAY note. I could declare short, but I have no idea what impact
- * does it have on performance on none-T3E machines. I could declare
- * int, but at least on C90 sizeof(int) can be chosen at compile time.
- * So I've chosen long...
- *					<appro@fy.chalmers.se>
- */
-	
-/* des.h-like hack <jjo-ipsec@mendoza.gov.ar> */
-#ifndef BF_LONG
-#ifdef __KERNEL__
-#include <linux/types.h>
-#else
-#include <sys/types.h>
-#endif
-#define BF_LONG u_int32_t
-#endif
-
-#define BF_ROUNDS	16
-#define BF_BLOCK	8
-
-typedef struct bf_key_st
-	{
-	BF_LONG P[BF_ROUNDS+2];
-	BF_LONG S[4*256];
-	} BF_KEY;
-
- 
-void BF_set_key(BF_KEY *key, int len, const unsigned char *data);
-
-void BF_encrypt(BF_LONG *data,const BF_KEY *key);
-void BF_decrypt(BF_LONG *data,const BF_KEY *key);
-
-void BF_ecb_encrypt(const unsigned char *in, unsigned char *out,
-	const BF_KEY *key, int enc);
-void BF_cbc_encrypt(const unsigned char *in, unsigned char *out, long length,
-	const BF_KEY *schedule, unsigned char *ivec, int enc);
-void BF_cfb64_encrypt(const unsigned char *in, unsigned char *out, long length,
-	const BF_KEY *schedule, unsigned char *ivec, int *num, int enc);
-void BF_ofb64_encrypt(const unsigned char *in, unsigned char *out, long length,
-	const BF_KEY *schedule, unsigned char *ivec, int *num);
-const char *BF_options(void);
-
-#ifdef  __cplusplus
-}
-#endif
-
-#endif
diff --git a/src/libcrypto/libdes/cbc_enc.c b/src/libcrypto/libdes/cbc_enc.c
deleted file mode 100644
index a06f9f99e..000000000
--- a/src/libcrypto/libdes/cbc_enc.c
+++ /dev/null
@@ -1,135 +0,0 @@
-/* crypto/des/cbc_enc.c */
-/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- * 
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * 
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#include "des_locl.h"
-
-void des_cbc_encrypt(input, output, length, schedule, ivec, enc)
-des_cblock (*input);
-des_cblock (*output);
-long length;
-des_key_schedule schedule;
-des_cblock (*ivec);
-int enc;
-	{
-	register DES_LONG tin0,tin1;
-	register DES_LONG tout0,tout1,xor0,xor1;
-	register unsigned char *in,*out;
-	register long l=length;
-	DES_LONG tin[2];
-	unsigned char *iv;
-
-	in=(unsigned char *)input;
-	out=(unsigned char *)output;
-	iv=(unsigned char *)ivec;
-
-	if (enc)
-		{
-		c2l(iv,tout0);
-		c2l(iv,tout1);
-		for (l-=8; l>=0; l-=8)
-			{
-			c2l(in,tin0);
-			c2l(in,tin1);
-			tin0^=tout0; tin[0]=tin0;
-			tin1^=tout1; tin[1]=tin1;
-			des_encrypt((DES_LONG *)tin,schedule,DES_ENCRYPT);
-			tout0=tin[0]; l2c(tout0,out);
-			tout1=tin[1]; l2c(tout1,out);
-			}
-		if (l != -8)
-			{
-			c2ln(in,tin0,tin1,l+8);
-			tin0^=tout0; tin[0]=tin0;
-			tin1^=tout1; tin[1]=tin1;
-			des_encrypt((DES_LONG *)tin,schedule,DES_ENCRYPT);
-			tout0=tin[0]; l2c(tout0,out);
-			tout1=tin[1]; l2c(tout1,out);
-			}
-		}
-	else
-		{
-		c2l(iv,xor0);
-		c2l(iv,xor1);
-		for (l-=8; l>=0; l-=8)
-			{
-			c2l(in,tin0); tin[0]=tin0;
-			c2l(in,tin1); tin[1]=tin1;
-			des_encrypt((DES_LONG *)tin,schedule,DES_DECRYPT);
-			tout0=tin[0]^xor0;
-			tout1=tin[1]^xor1;
-			l2c(tout0,out);
-			l2c(tout1,out);
-			xor0=tin0;
-			xor1=tin1;
-			}
-		if (l != -8)
-			{
-			c2l(in,tin0); tin[0]=tin0;
-			c2l(in,tin1); tin[1]=tin1;
-			des_encrypt((DES_LONG *)tin,schedule,DES_DECRYPT);
-			tout0=tin[0]^xor0;
-			tout1=tin[1]^xor1;
-			l2cn(tout0,tout1,out,l+8);
-		/*	xor0=tin0;
-			xor1=tin1; */
-			}
-		}
-	tin0=tin1=tout0=tout1=xor0=xor1=0;
-	tin[0]=tin[1]=0;
-	}
-
diff --git a/src/libcrypto/libdes/des.h b/src/libcrypto/libdes/des.h
deleted file mode 100644
index baddf8647..000000000
--- a/src/libcrypto/libdes/des.h
+++ /dev/null
@@ -1,308 +0,0 @@
-/* crypto/des/des.org */
-/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- * 
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * 
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-/* WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING 
- *
- * Always modify des.org since des.h is automatically generated from
- * it during SSLeay configuration.
- *
- * WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
- */
-
-#ifndef HEADER_DES_H
-#define HEADER_DES_H
-
-#ifdef  __cplusplus
-extern "C" {
-#endif
-
-
-/* If this is set to 'unsigned int' on a DEC Alpha, this gives about a
- * %20 speed up (longs are 8 bytes, int's are 4). */
-/* Must be unsigned int on ia64/Itanium or DES breaks badly */
-
-#ifdef __KERNEL__
-#include <linux/types.h>
-#else
-#include <sys/types.h>
-#endif
-
-#ifndef DES_LONG
-#define DES_LONG u_int32_t
-#endif
-
-typedef unsigned char des_cblock[8];
-typedef struct des_ks_struct
-	{
-	union	{
-		des_cblock _;
-		/* make sure things are correct size on machines with
-		 * 8 byte longs */
-		DES_LONG pad[2];
-		} ks;
-#undef _
-#define _	ks._
-	} des_key_schedule[16];
-
-#define DES_KEY_SZ 	(sizeof(des_cblock))
-#define DES_SCHEDULE_SZ (sizeof(des_key_schedule))
-
-#define DES_ENCRYPT	1
-#define DES_DECRYPT	0
-
-#define DES_CBC_MODE	0
-#define DES_PCBC_MODE	1
-
-#define des_ecb2_encrypt(i,o,k1,k2,e) \
-	des_ecb3_encrypt((i),(o),(k1),(k2),(k1),(e))
-
-#define des_ede2_cbc_encrypt(i,o,l,k1,k2,iv,e) \
-	des_ede3_cbc_encrypt((i),(o),(l),(k1),(k2),(k1),(iv),(e))
-
-#define des_ede2_cfb64_encrypt(i,o,l,k1,k2,iv,n,e) \
-	des_ede3_cfb64_encrypt((i),(o),(l),(k1),(k2),(k1),(iv),(n),(e))
-
-#define des_ede2_ofb64_encrypt(i,o,l,k1,k2,iv,n) \
-	des_ede3_ofb64_encrypt((i),(o),(l),(k1),(k2),(k1),(iv),(n))
-
-#define C_Block des_cblock
-#define Key_schedule des_key_schedule
-#ifdef KERBEROS
-#define ENCRYPT DES_ENCRYPT
-#define DECRYPT DES_DECRYPT
-#endif
-#define KEY_SZ DES_KEY_SZ
-#define string_to_key des_string_to_key
-#define read_pw_string des_read_pw_string
-#define random_key des_random_key
-#define pcbc_encrypt des_pcbc_encrypt
-#define set_key des_set_key
-#define key_sched des_key_sched
-#define ecb_encrypt des_ecb_encrypt
-#define cbc_encrypt des_cbc_encrypt
-#define ncbc_encrypt des_ncbc_encrypt
-#define xcbc_encrypt des_xcbc_encrypt
-#define cbc_cksum des_cbc_cksum
-#define quad_cksum des_quad_cksum
-
-/* For compatibility with the MIT lib - eay 20/05/92 */
-typedef des_key_schedule bit_64;
-#define des_fixup_key_parity des_set_odd_parity
-#define des_check_key_parity check_parity
-
-extern int des_check_key;	/* defaults to false */
-extern int des_rw_mode;		/* defaults to DES_PCBC_MODE */
-
-/* The next line is used to disable full ANSI prototypes, if your
- * compiler has problems with the prototypes, make sure this line always
- * evaluates to true :-) */
-#if defined(MSDOS) || defined(__STDC__)
-#undef NOPROTO
-#endif
-#ifndef NOPROTO
-char *des_options(void);
-void des_ecb3_encrypt(des_cblock *input,des_cblock *output,
-	des_key_schedule ks1,des_key_schedule ks2,
-	des_key_schedule ks3, int enc);
-DES_LONG des_cbc_cksum(des_cblock *input,des_cblock *output,
-	long length,des_key_schedule schedule,des_cblock *ivec);
-void des_cbc_encrypt(des_cblock *input,des_cblock *output,long length,
-	des_key_schedule schedule,des_cblock *ivec,int enc);
-void des_ncbc_encrypt(des_cblock *input,des_cblock *output,long length,
-	des_key_schedule schedule,des_cblock *ivec,int enc);
-void des_xcbc_encrypt(des_cblock *input,des_cblock *output,long length,
-	des_key_schedule schedule,des_cblock *ivec,
-	des_cblock *inw,des_cblock *outw,int enc);
-void des_cfb_encrypt(unsigned char *in,unsigned char *out,int numbits,
-	long length,des_key_schedule schedule,des_cblock *ivec,int enc);
-void des_ecb_encrypt(des_cblock *input,des_cblock *output,
-	des_key_schedule ks,int enc);
-void des_encrypt(DES_LONG *data,des_key_schedule ks, int enc);
-void des_encrypt2(DES_LONG *data,des_key_schedule ks, int enc);
-void des_encrypt3(DES_LONG *data, des_key_schedule ks1,
-	des_key_schedule ks2, des_key_schedule ks3);
-void des_decrypt3(DES_LONG *data, des_key_schedule ks1,
-	des_key_schedule ks2, des_key_schedule ks3);
-void des_ede3_cbc_encrypt(des_cblock *input, des_cblock *output, 
-	long length, des_key_schedule ks1, des_key_schedule ks2, 
-	des_key_schedule ks3, des_cblock *ivec, int enc);
-void des_ede3_cfb64_encrypt(unsigned char *in, unsigned char *out,
-	long length, des_key_schedule ks1, des_key_schedule ks2,
-	des_key_schedule ks3, des_cblock *ivec, int *num, int enc);
-void des_ede3_ofb64_encrypt(unsigned char *in, unsigned char *out,
-	long length, des_key_schedule ks1, des_key_schedule ks2,
-	des_key_schedule ks3, des_cblock *ivec, int *num);
-
-void des_xwhite_in2out(des_cblock (*des_key), des_cblock (*in_white),
-	des_cblock (*out_white));
-
-int des_enc_read(int fd,char *buf,int len,des_key_schedule sched,
-	des_cblock *iv);
-int des_enc_write(int fd,char *buf,int len,des_key_schedule sched,
-	des_cblock *iv);
-char *des_fcrypt(const char *buf,const char *salt, char *ret);
-#ifdef PERL5
-char *des_crypt(const char *buf,const char *salt);
-#else
-/* some stupid compilers complain because I have declared char instead
- * of const char */
-#ifndef __KERNEL__
-#ifdef HEADER_DES_LOCL_H
-char *crypt(const char *buf,const char *salt);
-#else /* HEADER_DES_LOCL_H */
-char *crypt(void);
-#endif /* HEADER_DES_LOCL_H */
-#endif /* __KERNEL__ */
-#endif /* PERL5 */
-void des_ofb_encrypt(unsigned char *in,unsigned char *out,
-	int numbits,long length,des_key_schedule schedule,des_cblock *ivec);
-void des_pcbc_encrypt(des_cblock *input,des_cblock *output,long length,
-	des_key_schedule schedule,des_cblock *ivec,int enc);
-DES_LONG des_quad_cksum(des_cblock *input,des_cblock *output,
-	long length,int out_count,des_cblock *seed);
-void des_random_seed(des_cblock key);
-void des_random_key(des_cblock ret);
-int des_read_password(des_cblock *key,char *prompt,int verify);
-int des_read_2passwords(des_cblock *key1,des_cblock *key2,
-	char *prompt,int verify);
-int des_read_pw_string(char *buf,int length,char *prompt,int verify);
-void des_set_odd_parity(des_cblock *key);
-int des_is_weak_key(des_cblock *key);
-int des_set_key(des_cblock *key,des_key_schedule schedule);
-int des_key_sched(des_cblock *key,des_key_schedule schedule);
-void des_string_to_key(char *str,des_cblock *key);
-void des_string_to_2keys(char *str,des_cblock *key1,des_cblock *key2);
-void des_cfb64_encrypt(unsigned char *in, unsigned char *out, long length,
-	des_key_schedule schedule, des_cblock *ivec, int *num, int enc);
-void des_ofb64_encrypt(unsigned char *in, unsigned char *out, long length,
-	des_key_schedule schedule, des_cblock *ivec, int *num);
-int des_read_pw(char *buf, char *buff, int size, char *prompt, int verify);
-
-/* Extra functions from Mark Murray <mark@grondar.za> */
-/* The following functions are not in the normal unix build or the
- * SSLeay build.  When using the SSLeay build, use RAND_seed()
- * and RAND_bytes() instead. */
-int des_new_random_key(des_cblock *key);
-void des_init_random_number_generator(des_cblock *key);
-void des_set_random_generator_seed(des_cblock *key);
-void des_set_sequence_number(des_cblock new_sequence_number);
-void des_generate_random_block(des_cblock *block);
-
-#else
-
-char *des_options();
-void des_ecb3_encrypt();
-DES_LONG des_cbc_cksum();
-void des_cbc_encrypt();
-void des_ncbc_encrypt();
-void des_xcbc_encrypt();
-void des_cfb_encrypt();
-void des_ede3_cfb64_encrypt();
-void des_ede3_ofb64_encrypt();
-void des_ecb_encrypt();
-void des_encrypt();
-void des_encrypt2();
-void des_encrypt3();
-void des_decrypt3();
-void des_ede3_cbc_encrypt();
-int des_enc_read();
-int des_enc_write();
-char *des_fcrypt();
-#ifdef PERL5
-char *des_crypt();
-#else
-char *crypt();
-#endif
-void des_ofb_encrypt();
-void des_pcbc_encrypt();
-DES_LONG des_quad_cksum();
-void des_random_seed();
-void des_random_key();
-int des_read_password();
-int des_read_2passwords();
-int des_read_pw_string();
-void des_set_odd_parity();
-int des_is_weak_key();
-int des_set_key();
-int des_key_sched();
-void des_string_to_key();
-void des_string_to_2keys();
-void des_cfb64_encrypt();
-void des_ofb64_encrypt();
-int des_read_pw();
-void des_xwhite_in2out();
-
-/* Extra functions from Mark Murray <mark@grondar.za> */
-/* The following functions are not in the normal unix build or the
- * SSLeay build.  When using the SSLeay build, use RAND_seed()
- * and RAND_bytes() instead. */
-#ifdef FreeBSD
-int des_new_random_key();
-void des_init_random_number_generator();
-void des_set_random_generator_seed();
-void des_set_sequence_number();
-void des_generate_random_block();
-#endif
-
-#endif
-
-#ifdef  __cplusplus
-}
-#endif
-
-#endif
diff --git a/src/libcrypto/libdes/des_enc.c b/src/libcrypto/libdes/des_enc.c
deleted file mode 100644
index 1e1906d25..000000000
--- a/src/libcrypto/libdes/des_enc.c
+++ /dev/null
@@ -1,502 +0,0 @@
-/* crypto/des/des_enc.c */
-/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- * 
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * 
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#include "des_locl.h"
-
-void des_encrypt(data, ks, enc)
-DES_LONG *data;
-des_key_schedule ks;
-int enc;
-	{
-	register DES_LONG l,r,t,u;
-#ifdef DES_PTR
-	register unsigned char *des_SP=(unsigned char *)des_SPtrans;
-#endif
-#ifndef DES_UNROLL
-	register int i;
-#endif
-	register DES_LONG *s;
-
-	r=data[0];
-	l=data[1];
-
-	IP(r,l);
-	/* Things have been modified so that the initial rotate is
-	 * done outside the loop.  This required the
-	 * des_SPtrans values in sp.h to be rotated 1 bit to the right.
-	 * One perl script later and things have a 5% speed up on a sparc2.
-	 * Thanks to Richard Outerbridge <71755.204@CompuServe.COM>
-	 * for pointing this out. */
-	/* clear the top bits on machines with 8byte longs */
-	/* shift left by 2 */
-	r=ROTATE(r,29)&0xffffffffL;
-	l=ROTATE(l,29)&0xffffffffL;
-
-	s=(DES_LONG *)ks;
-	/* I don't know if it is worth the effort of loop unrolling the
-	 * inner loop */
-	if (enc)
-		{
-#ifdef DES_UNROLL
-		D_ENCRYPT(l,r, 0); /*  1 */
-		D_ENCRYPT(r,l, 2); /*  2 */
-		D_ENCRYPT(l,r, 4); /*  3 */
-		D_ENCRYPT(r,l, 6); /*  4 */
-		D_ENCRYPT(l,r, 8); /*  5 */
-		D_ENCRYPT(r,l,10); /*  6 */
-		D_ENCRYPT(l,r,12); /*  7 */
-		D_ENCRYPT(r,l,14); /*  8 */
-		D_ENCRYPT(l,r,16); /*  9 */
-		D_ENCRYPT(r,l,18); /*  10 */
-		D_ENCRYPT(l,r,20); /*  11 */
-		D_ENCRYPT(r,l,22); /*  12 */
-		D_ENCRYPT(l,r,24); /*  13 */
-		D_ENCRYPT(r,l,26); /*  14 */
-		D_ENCRYPT(l,r,28); /*  15 */
-		D_ENCRYPT(r,l,30); /*  16 */
-#else
-		for (i=0; i<32; i+=8)
-			{
-			D_ENCRYPT(l,r,i+0); /*  1 */
-			D_ENCRYPT(r,l,i+2); /*  2 */
-			D_ENCRYPT(l,r,i+4); /*  3 */
-			D_ENCRYPT(r,l,i+6); /*  4 */
-			}
-#endif
-		}
-	else
-		{
-#ifdef DES_UNROLL
-		D_ENCRYPT(l,r,30); /* 16 */
-		D_ENCRYPT(r,l,28); /* 15 */
-		D_ENCRYPT(l,r,26); /* 14 */
-		D_ENCRYPT(r,l,24); /* 13 */
-		D_ENCRYPT(l,r,22); /* 12 */
-		D_ENCRYPT(r,l,20); /* 11 */
-		D_ENCRYPT(l,r,18); /* 10 */
-		D_ENCRYPT(r,l,16); /*  9 */
-		D_ENCRYPT(l,r,14); /*  8 */
-		D_ENCRYPT(r,l,12); /*  7 */
-		D_ENCRYPT(l,r,10); /*  6 */
-		D_ENCRYPT(r,l, 8); /*  5 */
-		D_ENCRYPT(l,r, 6); /*  4 */
-		D_ENCRYPT(r,l, 4); /*  3 */
-		D_ENCRYPT(l,r, 2); /*  2 */
-		D_ENCRYPT(r,l, 0); /*  1 */
-#else
-		for (i=30; i>0; i-=8)
-			{
-			D_ENCRYPT(l,r,i-0); /* 16 */
-			D_ENCRYPT(r,l,i-2); /* 15 */
-			D_ENCRYPT(l,r,i-4); /* 14 */
-			D_ENCRYPT(r,l,i-6); /* 13 */
-			}
-#endif
-		}
-
-	/* rotate and clear the top bits on machines with 8byte longs */
-	l=ROTATE(l,3)&0xffffffffL;
-	r=ROTATE(r,3)&0xffffffffL;
-
-	FP(r,l);
-	data[0]=l;
-	data[1]=r;
-	l=r=t=u=0;
-	}
-
-void des_encrypt2(data, ks, enc)
-DES_LONG *data;
-des_key_schedule ks;
-int enc;
-	{
-	register DES_LONG l,r,t,u;
-#ifdef DES_PTR
-	register unsigned char *des_SP=(unsigned char *)des_SPtrans;
-#endif
-#ifndef DES_UNROLL
-	register int i;
-#endif
-	register DES_LONG *s;
-
-	r=data[0];
-	l=data[1];
-
-	/* Things have been modified so that the initial rotate is
-	 * done outside the loop.  This required the
-	 * des_SPtrans values in sp.h to be rotated 1 bit to the right.
-	 * One perl script later and things have a 5% speed up on a sparc2.
-	 * Thanks to Richard Outerbridge <71755.204@CompuServe.COM>
-	 * for pointing this out. */
-	/* clear the top bits on machines with 8byte longs */
-	r=ROTATE(r,29)&0xffffffffL;
-	l=ROTATE(l,29)&0xffffffffL;
-
-	s=(DES_LONG *)ks;
-	/* I don't know if it is worth the effort of loop unrolling the
-	 * inner loop */
-	if (enc)
-		{
-#ifdef DES_UNROLL
-		D_ENCRYPT(l,r, 0); /*  1 */
-		D_ENCRYPT(r,l, 2); /*  2 */
-		D_ENCRYPT(l,r, 4); /*  3 */
-		D_ENCRYPT(r,l, 6); /*  4 */
-		D_ENCRYPT(l,r, 8); /*  5 */
-		D_ENCRYPT(r,l,10); /*  6 */
-		D_ENCRYPT(l,r,12); /*  7 */
-		D_ENCRYPT(r,l,14); /*  8 */
-		D_ENCRYPT(l,r,16); /*  9 */
-		D_ENCRYPT(r,l,18); /*  10 */
-		D_ENCRYPT(l,r,20); /*  11 */
-		D_ENCRYPT(r,l,22); /*  12 */
-		D_ENCRYPT(l,r,24); /*  13 */
-		D_ENCRYPT(r,l,26); /*  14 */
-		D_ENCRYPT(l,r,28); /*  15 */
-		D_ENCRYPT(r,l,30); /*  16 */
-#else
-		for (i=0; i<32; i+=8)
-			{
-			D_ENCRYPT(l,r,i+0); /*  1 */
-			D_ENCRYPT(r,l,i+2); /*  2 */
-			D_ENCRYPT(l,r,i+4); /*  3 */
-			D_ENCRYPT(r,l,i+6); /*  4 */
-			}
-#endif
-		}
-	else
-		{
-#ifdef DES_UNROLL
-		D_ENCRYPT(l,r,30); /* 16 */
-		D_ENCRYPT(r,l,28); /* 15 */
-		D_ENCRYPT(l,r,26); /* 14 */
-		D_ENCRYPT(r,l,24); /* 13 */
-		D_ENCRYPT(l,r,22); /* 12 */
-		D_ENCRYPT(r,l,20); /* 11 */
-		D_ENCRYPT(l,r,18); /* 10 */
-		D_ENCRYPT(r,l,16); /*  9 */
-		D_ENCRYPT(l,r,14); /*  8 */
-		D_ENCRYPT(r,l,12); /*  7 */
-		D_ENCRYPT(l,r,10); /*  6 */
-		D_ENCRYPT(r,l, 8); /*  5 */
-		D_ENCRYPT(l,r, 6); /*  4 */
-		D_ENCRYPT(r,l, 4); /*  3 */
-		D_ENCRYPT(l,r, 2); /*  2 */
-		D_ENCRYPT(r,l, 0); /*  1 */
-#else
-		for (i=30; i>0; i-=8)
-			{
-			D_ENCRYPT(l,r,i-0); /* 16 */
-			D_ENCRYPT(r,l,i-2); /* 15 */
-			D_ENCRYPT(l,r,i-4); /* 14 */
-			D_ENCRYPT(r,l,i-6); /* 13 */
-			}
-#endif
-		}
-	/* rotate and clear the top bits on machines with 8byte longs */
-	data[0]=ROTATE(l,3)&0xffffffffL;
-	data[1]=ROTATE(r,3)&0xffffffffL;
-	l=r=t=u=0;
-	}
-
-void des_encrypt3(data,ks1,ks2,ks3)
-DES_LONG *data;
-des_key_schedule ks1;
-des_key_schedule ks2;
-des_key_schedule ks3;
-	{
-	register DES_LONG l,r;
-
-	l=data[0];
-	r=data[1];
-	IP(l,r);
-	data[0]=l;
-	data[1]=r;
-	des_encrypt2((DES_LONG *)data,ks1,DES_ENCRYPT);
-	des_encrypt2((DES_LONG *)data,ks2,DES_DECRYPT);
-	des_encrypt2((DES_LONG *)data,ks3,DES_ENCRYPT);
-	l=data[0];
-	r=data[1];
-	FP(r,l);
-	data[0]=l;
-	data[1]=r;
-	}
-
-void des_decrypt3(data,ks1,ks2,ks3)
-DES_LONG *data;
-des_key_schedule ks1;
-des_key_schedule ks2;
-des_key_schedule ks3;
-	{
-	register DES_LONG l,r;
-
-	l=data[0];
-	r=data[1];
-	IP(l,r);
-	data[0]=l;
-	data[1]=r;
-	des_encrypt2((DES_LONG *)data,ks3,DES_DECRYPT);
-	des_encrypt2((DES_LONG *)data,ks2,DES_ENCRYPT);
-	des_encrypt2((DES_LONG *)data,ks1,DES_DECRYPT);
-	l=data[0];
-	r=data[1];
-	FP(r,l);
-	data[0]=l;
-	data[1]=r;
-	}
-
-#ifndef DES_DEFAULT_OPTIONS
-
-void des_ncbc_encrypt(input, output, length, schedule, ivec, enc)
-des_cblock (*input);
-des_cblock (*output);
-long length;
-des_key_schedule schedule;
-des_cblock (*ivec);
-int enc;
-	{
-	register DES_LONG tin0,tin1;
-	register DES_LONG tout0,tout1,xor0,xor1;
-	register unsigned char *in,*out;
-	register long l=length;
-	DES_LONG tin[2];
-	unsigned char *iv;
-
-	in=(unsigned char *)input;
-	out=(unsigned char *)output;
-	iv=(unsigned char *)ivec;
-
-	if (enc)
-		{
-		c2l(iv,tout0);
-		c2l(iv,tout1);
-		for (l-=8; l>=0; l-=8)
-			{
-			c2l(in,tin0);
-			c2l(in,tin1);
-			tin0^=tout0; tin[0]=tin0;
-			tin1^=tout1; tin[1]=tin1;
-			des_encrypt((DES_LONG *)tin,schedule,DES_ENCRYPT);
-			tout0=tin[0]; l2c(tout0,out);
-			tout1=tin[1]; l2c(tout1,out);
-			}
-		if (l != -8)
-			{
-			c2ln(in,tin0,tin1,l+8);
-			tin0^=tout0; tin[0]=tin0;
-			tin1^=tout1; tin[1]=tin1;
-			des_encrypt((DES_LONG *)tin,schedule,DES_ENCRYPT);
-			tout0=tin[0]; l2c(tout0,out);
-			tout1=tin[1]; l2c(tout1,out);
-			}
-		iv=(unsigned char *)ivec;
-		l2c(tout0,iv);
-		l2c(tout1,iv);
-		}
-	else
-		{
-		c2l(iv,xor0);
-		c2l(iv,xor1);
-		for (l-=8; l>=0; l-=8)
-			{
-			c2l(in,tin0); tin[0]=tin0;
-			c2l(in,tin1); tin[1]=tin1;
-			des_encrypt((DES_LONG *)tin,schedule,DES_DECRYPT);
-			tout0=tin[0]^xor0;
-			tout1=tin[1]^xor1;
-			l2c(tout0,out);
-			l2c(tout1,out);
-			xor0=tin0;
-			xor1=tin1;
-			}
-		if (l != -8)
-			{
-			c2l(in,tin0); tin[0]=tin0;
-			c2l(in,tin1); tin[1]=tin1;
-			des_encrypt((DES_LONG *)tin,schedule,DES_DECRYPT);
-			tout0=tin[0]^xor0;
-			tout1=tin[1]^xor1;
-			l2cn(tout0,tout1,out,l+8);
-			xor0=tin0;
-			xor1=tin1;
-			}
-
-		iv=(unsigned char *)ivec;
-		l2c(xor0,iv);
-		l2c(xor1,iv);
-		}
-	tin0=tin1=tout0=tout1=xor0=xor1=0;
-	tin[0]=tin[1]=0;
-	}
-
-void des_ede3_cbc_encrypt(input, output, length, ks1, ks2, ks3, ivec, enc)
-des_cblock (*input);
-des_cblock (*output);
-long length;
-des_key_schedule ks1;
-des_key_schedule ks2;
-des_key_schedule ks3;
-des_cblock (*ivec);
-int enc;
-	{
-	register DES_LONG tin0,tin1;
-	register DES_LONG tout0,tout1,xor0,xor1;
-	register unsigned char *in,*out;
-	register long l=length;
-	DES_LONG tin[2];
-	unsigned char *iv;
-
-	in=(unsigned char *)input;
-	out=(unsigned char *)output;
-	iv=(unsigned char *)ivec;
-
-	if (enc)
-		{
-		c2l(iv,tout0);
-		c2l(iv,tout1);
-		for (l-=8; l>=0; l-=8)
-			{
-			c2l(in,tin0);
-			c2l(in,tin1);
-			tin0^=tout0;
-			tin1^=tout1;
-
-			tin[0]=tin0;
-			tin[1]=tin1;
-			des_encrypt3((DES_LONG *)tin,ks1,ks2,ks3);
-			tout0=tin[0];
-			tout1=tin[1];
-
-			l2c(tout0,out);
-			l2c(tout1,out);
-			}
-		if (l != -8)
-			{
-			c2ln(in,tin0,tin1,l+8);
-			tin0^=tout0;
-			tin1^=tout1;
-
-			tin[0]=tin0;
-			tin[1]=tin1;
-			des_encrypt3((DES_LONG *)tin,ks1,ks2,ks3);
-			tout0=tin[0];
-			tout1=tin[1];
-
-			l2c(tout0,out);
-			l2c(tout1,out);
-			}
-		iv=(unsigned char *)ivec;
-		l2c(tout0,iv);
-		l2c(tout1,iv);
-		}
-	else
-		{
-		register DES_LONG t0,t1;
-
-		c2l(iv,xor0);
-		c2l(iv,xor1);
-		for (l-=8; l>=0; l-=8)
-			{
-			c2l(in,tin0);
-			c2l(in,tin1);
-
-			t0=tin0;
-			t1=tin1;
-
-			tin[0]=tin0;
-			tin[1]=tin1;
-			des_decrypt3((DES_LONG *)tin,ks1,ks2,ks3);
-			tout0=tin[0];
-			tout1=tin[1];
-
-			tout0^=xor0;
-			tout1^=xor1;
-			l2c(tout0,out);
-			l2c(tout1,out);
-			xor0=t0;
-			xor1=t1;
-			}
-		if (l != -8)
-			{
-			c2l(in,tin0);
-			c2l(in,tin1);
-			
-			t0=tin0;
-			t1=tin1;
-
-			tin[0]=tin0;
-			tin[1]=tin1;
-			des_decrypt3((DES_LONG *)tin,ks1,ks2,ks3);
-			tout0=tin[0];
-			tout1=tin[1];
-		
-			tout0^=xor0;
-			tout1^=xor1;
-			l2cn(tout0,tout1,out,l+8);
-			xor0=t0;
-			xor1=t1;
-			}
-
-		iv=(unsigned char *)ivec;
-		l2c(xor0,iv);
-		l2c(xor1,iv);
-		}
-	tin0=tin1=tout0=tout1=xor0=xor1=0;
-	tin[0]=tin[1]=0;
-	}
-
-#endif /* DES_DEFAULT_OPTIONS */
diff --git a/src/libcrypto/libdes/des_locl.h b/src/libcrypto/libdes/des_locl.h
deleted file mode 100644
index 4e0b3662f..000000000
--- a/src/libcrypto/libdes/des_locl.h
+++ /dev/null
@@ -1,515 +0,0 @@
-/* crypto/des/des_locl.org */
-/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- * 
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * 
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-/* WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
- *
- * Always modify des_locl.org since des_locl.h is automatically generated from
- * it during SSLeay configuration.
- *
- * WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
- */
-
-#ifndef HEADER_DES_LOCL_H
-#define HEADER_DES_LOCL_H
-
-#if defined(WIN32) || defined(WIN16)
-#ifndef MSDOS
-#define MSDOS
-#endif
-#endif
-
-#include "des.h"
-
-#ifndef DES_DEFAULT_OPTIONS
-/* the following is tweaked from a config script, that is why it is a
- * protected undef/define */
-#ifndef DES_PTR
-#define DES_PTR
-#endif
-
-/* This helps C compiler generate the correct code for multiple functional
- * units.  It reduces register dependancies at the expense of 2 more
- * registers */
-#ifndef DES_RISC1
-#define DES_RISC1
-#endif
-
-#ifndef DES_RISC2
-#undef DES_RISC2
-#endif
-
-#if defined(DES_RISC1) && defined(DES_RISC2)
-YOU SHOULD NOT HAVE BOTH DES_RISC1 AND DES_RISC2 DEFINED!!!!!
-#endif
-
-/* Unroll the inner loop, this sometimes helps, sometimes hinders.
- * Very mucy CPU dependant */
-#ifndef DES_UNROLL
-#define DES_UNROLL
-#endif
-
-/* These default values were supplied by
- * Peter Gutman <pgut001@cs.auckland.ac.nz>
- * They are only used if nothing else has been defined */
-#if !defined(DES_PTR) && !defined(DES_RISC1) && !defined(DES_RISC2) && !defined(DES_UNROLL)
-/* Special defines which change the way the code is built depending on the
-   CPU and OS.  For SGI machines you can use _MIPS_SZLONG (32 or 64) to find
-   even newer MIPS CPU's, but at the moment one size fits all for
-   optimization options.  Older Sparc's work better with only UNROLL, but
-   there's no way to tell at compile time what it is you're running on */
- 
-#if defined( sun )		/* Newer Sparc's */
-  #define DES_PTR
-  #define DES_RISC1
-  #define DES_UNROLL
-#elif defined( __ultrix )	/* Older MIPS */
-  #define DES_PTR
-  #define DES_RISC2
-  #define DES_UNROLL
-#elif defined( __osf1__ )	/* Alpha */
-  #define DES_PTR
-  #define DES_RISC2
-#elif defined ( _AIX )		/* RS6000 */
-  /* Unknown */
-#elif defined( __hpux )		/* HP-PA */
-  /* Unknown */
-#elif defined( __aux )		/* 68K */
-  /* Unknown */
-#elif defined( __dgux )		/* 88K (but P6 in latest boxes) */
-  #define DES_UNROLL
-#elif defined( __sgi )		/* Newer MIPS */
-  #define DES_PTR
-  #define DES_RISC2
-  #define DES_UNROLL
-#elif defined( i386 )		/* x86 boxes, should be gcc */
-  #define DES_PTR
-  #define DES_RISC1
-  #define DES_UNROLL
-#endif /* Systems-specific speed defines */
-#endif
-
-#endif /* DES_DEFAULT_OPTIONS */
-
-#ifdef MSDOS		/* Visual C++ 2.1 (Windows NT/95) */
-#include <stdlib.h>
-#include <errno.h>
-#include <time.h>
-#include <io.h>
-#ifndef RAND
-#define RAND
-#endif
-#undef NOPROTO
-#endif
-
-#if defined(__STDC__) || defined(VMS) || defined(M_XENIX) || defined(MSDOS)
-#ifndef __KERNEL__
-#include <string.h>
-#else
-#include <linux/string.h>
-#endif
-#endif
-
-#ifndef RAND
-#define RAND
-#endif
-
-#ifdef linux
-#undef RAND
-#endif
-
-#ifdef MSDOS
-#define getpid() 2
-#define RAND
-#undef NOPROTO
-#endif
-
-#if defined(NOCONST)
-#define const
-#endif
-
-#ifdef __STDC__
-#undef NOPROTO
-#endif
-
-#ifdef RAND
-#define srandom(s) srand(s)
-#define random rand
-#endif
-
-#define ITERATIONS 16
-#define HALF_ITERATIONS 8
-
-/* used in des_read and des_write */
-#define MAXWRITE	(1024*16)
-#define BSIZE		(MAXWRITE+4)
-
-#define c2l(c,l)	(l =((DES_LONG)(*((c)++)))    , \
-			 l|=((DES_LONG)(*((c)++)))<< 8L, \
-			 l|=((DES_LONG)(*((c)++)))<<16L, \
-			 l|=((DES_LONG)(*((c)++)))<<24L)
-
-/* NOTE - c is not incremented as per c2l */
-#define c2ln(c,l1,l2,n)	{ \
-			c+=n; \
-			l1=l2=0; \
-			switch (n) { \
-			case 8: l2 =((DES_LONG)(*(--(c))))<<24L; \
-			case 7: l2|=((DES_LONG)(*(--(c))))<<16L; \
-			case 6: l2|=((DES_LONG)(*(--(c))))<< 8L; \
-			case 5: l2|=((DES_LONG)(*(--(c))));     \
-			case 4: l1 =((DES_LONG)(*(--(c))))<<24L; \
-			case 3: l1|=((DES_LONG)(*(--(c))))<<16L; \
-			case 2: l1|=((DES_LONG)(*(--(c))))<< 8L; \
-			case 1: l1|=((DES_LONG)(*(--(c))));     \
-				} \
-			}
-
-#define l2c(l,c)	(*((c)++)=(unsigned char)(((l)     )&0xff), \
-			 *((c)++)=(unsigned char)(((l)>> 8L)&0xff), \
-			 *((c)++)=(unsigned char)(((l)>>16L)&0xff), \
-			 *((c)++)=(unsigned char)(((l)>>24L)&0xff))
-
-/* replacements for htonl and ntohl since I have no idea what to do
- * when faced with machines with 8 byte longs. */
-#define HDRSIZE 4
-
-#define n2l(c,l)	(l =((DES_LONG)(*((c)++)))<<24L, \
-			 l|=((DES_LONG)(*((c)++)))<<16L, \
-			 l|=((DES_LONG)(*((c)++)))<< 8L, \
-			 l|=((DES_LONG)(*((c)++))))
-
-#define l2n(l,c)	(*((c)++)=(unsigned char)(((l)>>24L)&0xff), \
-			 *((c)++)=(unsigned char)(((l)>>16L)&0xff), \
-			 *((c)++)=(unsigned char)(((l)>> 8L)&0xff), \
-			 *((c)++)=(unsigned char)(((l)     )&0xff))
-
-/* NOTE - c is not incremented as per l2c */
-#define l2cn(l1,l2,c,n)	{ \
-			c+=n; \
-			switch (n) { \
-			case 8: *(--(c))=(unsigned char)(((l2)>>24L)&0xff); \
-			case 7: *(--(c))=(unsigned char)(((l2)>>16L)&0xff); \
-			case 6: *(--(c))=(unsigned char)(((l2)>> 8L)&0xff); \
-			case 5: *(--(c))=(unsigned char)(((l2)     )&0xff); \
-			case 4: *(--(c))=(unsigned char)(((l1)>>24L)&0xff); \
-			case 3: *(--(c))=(unsigned char)(((l1)>>16L)&0xff); \
-			case 2: *(--(c))=(unsigned char)(((l1)>> 8L)&0xff); \
-			case 1: *(--(c))=(unsigned char)(((l1)     )&0xff); \
-				} \
-			}
-
-#if defined(WIN32)
-#define	ROTATE(a,n)	(_lrotr(a,n))
-#else
-#define	ROTATE(a,n)	(((a)>>(n))+((a)<<(32-(n))))
-#endif
-
-/* Don't worry about the LOAD_DATA() stuff, that is used by
- * fcrypt() to add it's little bit to the front */
-
-#ifdef DES_FCRYPT
-
-#define LOAD_DATA_tmp(R,S,u,t,E0,E1) \
-	{ DES_LONG tmp; LOAD_DATA(R,S,u,t,E0,E1,tmp); }
-
-#define LOAD_DATA(R,S,u,t,E0,E1,tmp) \
-	t=R^(R>>16L); \
-	u=t&E0; t&=E1; \
-	tmp=(u<<16); u^=R^s[S  ]; u^=tmp; \
-	tmp=(t<<16); t^=R^s[S+1]; t^=tmp
-#else
-#define LOAD_DATA_tmp(a,b,c,d,e,f) LOAD_DATA(a,b,c,d,e,f,g)
-#define LOAD_DATA(R,S,u,t,E0,E1,tmp) \
-	u=R^s[S  ]; \
-	t=R^s[S+1]
-#endif
-
-/* The changes to this macro may help or hinder, depending on the
- * compiler and the achitecture.  gcc2 always seems to do well :-).
- * Inspired by Dana How <how@isl.stanford.edu>
- * DO NOT use the alternative version on machines with 8 byte longs.
- * It does not seem to work on the Alpha, even when DES_LONG is 4
- * bytes, probably an issue of accessing non-word aligned objects :-( */
-#ifdef DES_PTR
-
-/* It recently occured to me that 0^0^0^0^0^0^0 == 0, so there
- * is no reason to not xor all the sub items together.  This potentially
- * saves a register since things can be xored directly into L */
-
-#if defined(DES_RISC1) || defined(DES_RISC2)
-#ifdef DES_RISC1
-#define D_ENCRYPT(LL,R,S) { \
-	unsigned int u1,u2,u3; \
-	LOAD_DATA(R,S,u,t,E0,E1,u1); \
-	u2=(int)u>>8L; \
-	u1=(int)u&0xfc; \
-	u2&=0xfc; \
-	t=ROTATE(t,4); \
-	u>>=16L; \
-	LL^= *(DES_LONG *)((unsigned char *)des_SP      +u1); \
-	LL^= *(DES_LONG *)((unsigned char *)des_SP+0x200+u2); \
-	u3=(int)(u>>8L); \
-	u1=(int)u&0xfc; \
-	u3&=0xfc; \
-	LL^= *(DES_LONG *)((unsigned char *)des_SP+0x400+u1); \
-	LL^= *(DES_LONG *)((unsigned char *)des_SP+0x600+u3); \
-	u2=(int)t>>8L; \
-	u1=(int)t&0xfc; \
-	u2&=0xfc; \
-	t>>=16L; \
-	LL^= *(DES_LONG *)((unsigned char *)des_SP+0x100+u1); \
-	LL^= *(DES_LONG *)((unsigned char *)des_SP+0x300+u2); \
-	u3=(int)t>>8L; \
-	u1=(int)t&0xfc; \
-	u3&=0xfc; \
-	LL^= *(DES_LONG *)((unsigned char *)des_SP+0x500+u1); \
-	LL^= *(DES_LONG *)((unsigned char *)des_SP+0x700+u3); }
-#endif
-#ifdef DES_RISC2
-#define D_ENCRYPT(LL,R,S) { \
-	unsigned int u1,u2,s1,s2; \
-	LOAD_DATA(R,S,u,t,E0,E1,u1); \
-	u2=(int)u>>8L; \
-	u1=(int)u&0xfc; \
-	u2&=0xfc; \
-	t=ROTATE(t,4); \
-	LL^= *(DES_LONG *)((unsigned char *)des_SP      +u1); \
-	LL^= *(DES_LONG *)((unsigned char *)des_SP+0x200+u2); \
-	s1=(int)(u>>16L); \
-	s2=(int)(u>>24L); \
-	s1&=0xfc; \
-	s2&=0xfc; \
-	LL^= *(DES_LONG *)((unsigned char *)des_SP+0x400+s1); \
-	LL^= *(DES_LONG *)((unsigned char *)des_SP+0x600+s2); \
-	u2=(int)t>>8L; \
-	u1=(int)t&0xfc; \
-	u2&=0xfc; \
-	LL^= *(DES_LONG *)((unsigned char *)des_SP+0x100+u1); \
-	LL^= *(DES_LONG *)((unsigned char *)des_SP+0x300+u2); \
-	s1=(int)(t>>16L); \
-	s2=(int)(t>>24L); \
-	s1&=0xfc; \
-	s2&=0xfc; \
-	LL^= *(DES_LONG *)((unsigned char *)des_SP+0x500+s1); \
-	LL^= *(DES_LONG *)((unsigned char *)des_SP+0x700+s2); }
-#endif
-#else
-#define D_ENCRYPT(LL,R,S) { \
-	LOAD_DATA_tmp(R,S,u,t,E0,E1); \
-	t=ROTATE(t,4); \
-	LL^= \
-	*(DES_LONG *)((unsigned char *)des_SP      +((u     )&0xfc))^ \
-	*(DES_LONG *)((unsigned char *)des_SP+0x200+((u>> 8L)&0xfc))^ \
-	*(DES_LONG *)((unsigned char *)des_SP+0x400+((u>>16L)&0xfc))^ \
-	*(DES_LONG *)((unsigned char *)des_SP+0x600+((u>>24L)&0xfc))^ \
-	*(DES_LONG *)((unsigned char *)des_SP+0x100+((t     )&0xfc))^ \
-	*(DES_LONG *)((unsigned char *)des_SP+0x300+((t>> 8L)&0xfc))^ \
-	*(DES_LONG *)((unsigned char *)des_SP+0x500+((t>>16L)&0xfc))^ \
-	*(DES_LONG *)((unsigned char *)des_SP+0x700+((t>>24L)&0xfc)); }
-#endif
-
-#else /* original version */
-
-#if defined(DES_RISC1) || defined(DES_RISC2)
-#ifdef DES_RISC1
-#define D_ENCRYPT(LL,R,S) {\
-	unsigned int u1,u2,u3; \
-	LOAD_DATA(R,S,u,t,E0,E1,u1); \
-	u>>=2L; \
-	t=ROTATE(t,6); \
-	u2=(int)u>>8L; \
-	u1=(int)u&0x3f; \
-	u2&=0x3f; \
-	u>>=16L; \
-	LL^=des_SPtrans[0][u1]; \
-	LL^=des_SPtrans[2][u2]; \
-	u3=(int)u>>8L; \
-	u1=(int)u&0x3f; \
-	u3&=0x3f; \
-	LL^=des_SPtrans[4][u1]; \
-	LL^=des_SPtrans[6][u3]; \
-	u2=(int)t>>8L; \
-	u1=(int)t&0x3f; \
-	u2&=0x3f; \
-	t>>=16L; \
-	LL^=des_SPtrans[1][u1]; \
-	LL^=des_SPtrans[3][u2]; \
-	u3=(int)t>>8L; \
-	u1=(int)t&0x3f; \
-	u3&=0x3f; \
-	LL^=des_SPtrans[5][u1]; \
-	LL^=des_SPtrans[7][u3]; }
-#endif
-#ifdef DES_RISC2
-#define D_ENCRYPT(LL,R,S) {\
-	unsigned int u1,u2,s1,s2; \
-	LOAD_DATA(R,S,u,t,E0,E1,u1); \
-	u>>=2L; \
-	t=ROTATE(t,6); \
-	u2=(int)u>>8L; \
-	u1=(int)u&0x3f; \
-	u2&=0x3f; \
-	LL^=des_SPtrans[0][u1]; \
-	LL^=des_SPtrans[2][u2]; \
-	s1=(int)u>>16L; \
-	s2=(int)u>>24L; \
-	s1&=0x3f; \
-	s2&=0x3f; \
-	LL^=des_SPtrans[4][s1]; \
-	LL^=des_SPtrans[6][s2]; \
-	u2=(int)t>>8L; \
-	u1=(int)t&0x3f; \
-	u2&=0x3f; \
-	LL^=des_SPtrans[1][u1]; \
-	LL^=des_SPtrans[3][u2]; \
-	s1=(int)t>>16; \
-	s2=(int)t>>24L; \
-	s1&=0x3f; \
-	s2&=0x3f; \
-	LL^=des_SPtrans[5][s1]; \
-	LL^=des_SPtrans[7][s2]; }
-#endif
-
-#else
-
-#define D_ENCRYPT(LL,R,S) {\
-	LOAD_DATA_tmp(R,S,u,t,E0,E1); \
-	t=ROTATE(t,4); \
-	LL^=\
-		des_SPtrans[0][(u>> 2L)&0x3f]^ \
-		des_SPtrans[2][(u>>10L)&0x3f]^ \
-		des_SPtrans[4][(u>>18L)&0x3f]^ \
-		des_SPtrans[6][(u>>26L)&0x3f]^ \
-		des_SPtrans[1][(t>> 2L)&0x3f]^ \
-		des_SPtrans[3][(t>>10L)&0x3f]^ \
-		des_SPtrans[5][(t>>18L)&0x3f]^ \
-		des_SPtrans[7][(t>>26L)&0x3f]; }
-#endif
-#endif
-
-	/* IP and FP
-	 * The problem is more of a geometric problem that random bit fiddling.
-	 0  1  2  3  4  5  6  7      62 54 46 38 30 22 14  6
-	 8  9 10 11 12 13 14 15      60 52 44 36 28 20 12  4
-	16 17 18 19 20 21 22 23      58 50 42 34 26 18 10  2
-	24 25 26 27 28 29 30 31  to  56 48 40 32 24 16  8  0
-
-	32 33 34 35 36 37 38 39      63 55 47 39 31 23 15  7
-	40 41 42 43 44 45 46 47      61 53 45 37 29 21 13  5
-	48 49 50 51 52 53 54 55      59 51 43 35 27 19 11  3
-	56 57 58 59 60 61 62 63      57 49 41 33 25 17  9  1
-
-	The output has been subject to swaps of the form
-	0 1 -> 3 1 but the odd and even bits have been put into
-	2 3    2 0
-	different words.  The main trick is to remember that
-	t=((l>>size)^r)&(mask);
-	r^=t;
-	l^=(t<<size);
-	can be used to swap and move bits between words.
-
-	So l =  0  1  2  3  r = 16 17 18 19
-	        4  5  6  7      20 21 22 23
-	        8  9 10 11      24 25 26 27
-	       12 13 14 15      28 29 30 31
-	becomes (for size == 2 and mask == 0x3333)
-	   t =   2^16  3^17 -- --   l =  0  1 16 17  r =  2  3 18 19
-		 6^20  7^21 -- --        4  5 20 21       6  7 22 23
-		10^24 11^25 -- --        8  9 24 25      10 11 24 25
-		14^28 15^29 -- --       12 13 28 29      14 15 28 29
-
-	Thanks for hints from Richard Outerbridge - he told me IP&FP
-	could be done in 15 xor, 10 shifts and 5 ands.
-	When I finally started to think of the problem in 2D
-	I first got ~42 operations without xors.  When I remembered
-	how to use xors :-) I got it to its final state.
-	*/
-#define PERM_OP(a,b,t,n,m) ((t)=((((a)>>(n))^(b))&(m)),\
-	(b)^=(t),\
-	(a)^=((t)<<(n)))
-
-#define IP(l,r) \
-	{ \
-	register DES_LONG tt; \
-	PERM_OP(r,l,tt, 4,0x0f0f0f0fL); \
-	PERM_OP(l,r,tt,16,0x0000ffffL); \
-	PERM_OP(r,l,tt, 2,0x33333333L); \
-	PERM_OP(l,r,tt, 8,0x00ff00ffL); \
-	PERM_OP(r,l,tt, 1,0x55555555L); \
-	}
-
-#define FP(l,r) \
-	{ \
-	register DES_LONG tt; \
-	PERM_OP(l,r,tt, 1,0x55555555L); \
-	PERM_OP(r,l,tt, 8,0x00ff00ffL); \
-	PERM_OP(l,r,tt, 2,0x33333333L); \
-	PERM_OP(r,l,tt,16,0x0000ffffL); \
-	PERM_OP(l,r,tt, 4,0x0f0f0f0fL); \
-	}
-
-extern const DES_LONG des_SPtrans[8][64];
-
-#ifndef NOPROTO
-void fcrypt_body(DES_LONG *out,des_key_schedule ks,
-	DES_LONG Eswap0, DES_LONG Eswap1);
-#else
-void fcrypt_body();
-#endif
-
-#endif
diff --git a/src/libcrypto/libdes/des_ver.h b/src/libcrypto/libdes/des_ver.h
deleted file mode 100644
index 98352bc0d..000000000
--- a/src/libcrypto/libdes/des_ver.h
+++ /dev/null
@@ -1,60 +0,0 @@
-/* crypto/des/des_ver.h */
-/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- * 
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * 
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-extern char *DES_version;	/* SSLeay version string */
-extern char *libdes_version;	/* old libdes version string */
diff --git a/src/libcrypto/libdes/destest.c b/src/libcrypto/libdes/destest.c
deleted file mode 100644
index ae896499e..000000000
--- a/src/libcrypto/libdes/destest.c
+++ /dev/null
@@ -1,871 +0,0 @@
-/* crypto/des/destest.c */
-/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- * 
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * 
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#if defined(WIN32) || defined(WIN16) || defined(WINDOWS)
-#ifndef MSDOS
-#define MSDOS
-#endif
-#endif
-
-#include <stdio.h>
-#include <stdlib.h>
-#ifndef MSDOS
-#include <unistd.h>
-#else
-#include <io.h>
-#endif
-#include <string.h>
-#include "des_locl.h"
-
-/* tisk tisk - the test keys don't all have odd parity :-( */
-/* test data */
-#define NUM_TESTS 34
-static unsigned char key_data[NUM_TESTS][8]={
-	{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
-	{0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF},
-	{0x30,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
-	{0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11},
-	{0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF},
-	{0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11},
-	{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
-	{0xFE,0xDC,0xBA,0x98,0x76,0x54,0x32,0x10},
-	{0x7C,0xA1,0x10,0x45,0x4A,0x1A,0x6E,0x57},
-	{0x01,0x31,0xD9,0x61,0x9D,0xC1,0x37,0x6E},
-	{0x07,0xA1,0x13,0x3E,0x4A,0x0B,0x26,0x86},
-	{0x38,0x49,0x67,0x4C,0x26,0x02,0x31,0x9E},
-	{0x04,0xB9,0x15,0xBA,0x43,0xFE,0xB5,0xB6},
-	{0x01,0x13,0xB9,0x70,0xFD,0x34,0xF2,0xCE},
-	{0x01,0x70,0xF1,0x75,0x46,0x8F,0xB5,0xE6},
-	{0x43,0x29,0x7F,0xAD,0x38,0xE3,0x73,0xFE},
-	{0x07,0xA7,0x13,0x70,0x45,0xDA,0x2A,0x16},
-	{0x04,0x68,0x91,0x04,0xC2,0xFD,0x3B,0x2F},
-	{0x37,0xD0,0x6B,0xB5,0x16,0xCB,0x75,0x46},
-	{0x1F,0x08,0x26,0x0D,0x1A,0xC2,0x46,0x5E},
-	{0x58,0x40,0x23,0x64,0x1A,0xBA,0x61,0x76},
-	{0x02,0x58,0x16,0x16,0x46,0x29,0xB0,0x07},
-	{0x49,0x79,0x3E,0xBC,0x79,0xB3,0x25,0x8F},
-	{0x4F,0xB0,0x5E,0x15,0x15,0xAB,0x73,0xA7},
-	{0x49,0xE9,0x5D,0x6D,0x4C,0xA2,0x29,0xBF},
-	{0x01,0x83,0x10,0xDC,0x40,0x9B,0x26,0xD6},
-	{0x1C,0x58,0x7F,0x1C,0x13,0x92,0x4F,0xEF},
-	{0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01},
-	{0x1F,0x1F,0x1F,0x1F,0x0E,0x0E,0x0E,0x0E},
-	{0xE0,0xFE,0xE0,0xFE,0xF1,0xFE,0xF1,0xFE},
-	{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
-	{0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF},
-	{0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF},
-	{0xFE,0xDC,0xBA,0x98,0x76,0x54,0x32,0x10}};
-
-static unsigned char plain_data[NUM_TESTS][8]={
-	{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
-	{0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF},
-	{0x10,0x00,0x00,0x00,0x00,0x00,0x00,0x01},
-	{0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11},
-	{0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11},
-	{0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF},
-	{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
-	{0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF},
-	{0x01,0xA1,0xD6,0xD0,0x39,0x77,0x67,0x42},
-	{0x5C,0xD5,0x4C,0xA8,0x3D,0xEF,0x57,0xDA},
-	{0x02,0x48,0xD4,0x38,0x06,0xF6,0x71,0x72},
-	{0x51,0x45,0x4B,0x58,0x2D,0xDF,0x44,0x0A},
-	{0x42,0xFD,0x44,0x30,0x59,0x57,0x7F,0xA2},
-	{0x05,0x9B,0x5E,0x08,0x51,0xCF,0x14,0x3A},
-	{0x07,0x56,0xD8,0xE0,0x77,0x47,0x61,0xD2},
-	{0x76,0x25,0x14,0xB8,0x29,0xBF,0x48,0x6A},
-	{0x3B,0xDD,0x11,0x90,0x49,0x37,0x28,0x02},
-	{0x26,0x95,0x5F,0x68,0x35,0xAF,0x60,0x9A},
-	{0x16,0x4D,0x5E,0x40,0x4F,0x27,0x52,0x32},
-	{0x6B,0x05,0x6E,0x18,0x75,0x9F,0x5C,0xCA},
-	{0x00,0x4B,0xD6,0xEF,0x09,0x17,0x60,0x62},
-	{0x48,0x0D,0x39,0x00,0x6E,0xE7,0x62,0xF2},
-	{0x43,0x75,0x40,0xC8,0x69,0x8F,0x3C,0xFA},
-	{0x07,0x2D,0x43,0xA0,0x77,0x07,0x52,0x92},
-	{0x02,0xFE,0x55,0x77,0x81,0x17,0xF1,0x2A},
-	{0x1D,0x9D,0x5C,0x50,0x18,0xF7,0x28,0xC2},
-	{0x30,0x55,0x32,0x28,0x6D,0x6F,0x29,0x5A},
-	{0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF},
-	{0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF},
-	{0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF},
-	{0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF},
-	{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
-	{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
-	{0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF}};
-
-static unsigned char cipher_data[NUM_TESTS][8]={
-	{0x8C,0xA6,0x4D,0xE9,0xC1,0xB1,0x23,0xA7},
-	{0x73,0x59,0xB2,0x16,0x3E,0x4E,0xDC,0x58},
-	{0x95,0x8E,0x6E,0x62,0x7A,0x05,0x55,0x7B},
-	{0xF4,0x03,0x79,0xAB,0x9E,0x0E,0xC5,0x33},
-	{0x17,0x66,0x8D,0xFC,0x72,0x92,0x53,0x2D},
-	{0x8A,0x5A,0xE1,0xF8,0x1A,0xB8,0xF2,0xDD},
-	{0x8C,0xA6,0x4D,0xE9,0xC1,0xB1,0x23,0xA7},
-	{0xED,0x39,0xD9,0x50,0xFA,0x74,0xBC,0xC4},
-	{0x69,0x0F,0x5B,0x0D,0x9A,0x26,0x93,0x9B},
-	{0x7A,0x38,0x9D,0x10,0x35,0x4B,0xD2,0x71},
-	{0x86,0x8E,0xBB,0x51,0xCA,0xB4,0x59,0x9A},
-	{0x71,0x78,0x87,0x6E,0x01,0xF1,0x9B,0x2A},
-	{0xAF,0x37,0xFB,0x42,0x1F,0x8C,0x40,0x95},
-	{0x86,0xA5,0x60,0xF1,0x0E,0xC6,0xD8,0x5B},
-	{0x0C,0xD3,0xDA,0x02,0x00,0x21,0xDC,0x09},
-	{0xEA,0x67,0x6B,0x2C,0xB7,0xDB,0x2B,0x7A},
-	{0xDF,0xD6,0x4A,0x81,0x5C,0xAF,0x1A,0x0F},
-	{0x5C,0x51,0x3C,0x9C,0x48,0x86,0xC0,0x88},
-	{0x0A,0x2A,0xEE,0xAE,0x3F,0xF4,0xAB,0x77},
-	{0xEF,0x1B,0xF0,0x3E,0x5D,0xFA,0x57,0x5A},
-	{0x88,0xBF,0x0D,0xB6,0xD7,0x0D,0xEE,0x56},
-	{0xA1,0xF9,0x91,0x55,0x41,0x02,0x0B,0x56},
-	{0x6F,0xBF,0x1C,0xAF,0xCF,0xFD,0x05,0x56},
-	{0x2F,0x22,0xE4,0x9B,0xAB,0x7C,0xA1,0xAC},
-	{0x5A,0x6B,0x61,0x2C,0xC2,0x6C,0xCE,0x4A},
-	{0x5F,0x4C,0x03,0x8E,0xD1,0x2B,0x2E,0x41},
-	{0x63,0xFA,0xC0,0xD0,0x34,0xD9,0xF7,0x93},
-	{0x61,0x7B,0x3A,0x0C,0xE8,0xF0,0x71,0x00},
-	{0xDB,0x95,0x86,0x05,0xF8,0xC8,0xC6,0x06},
-	{0xED,0xBF,0xD1,0xC6,0x6C,0x29,0xCC,0xC7},
-	{0x35,0x55,0x50,0xB2,0x15,0x0E,0x24,0x51},
-	{0xCA,0xAA,0xAF,0x4D,0xEA,0xF1,0xDB,0xAE},
-	{0xD5,0xD4,0x4F,0xF7,0x20,0x68,0x3D,0x0D},
-	{0x2A,0x2B,0xB0,0x08,0xDF,0x97,0xC2,0xF2}};
-
-static unsigned char cipher_ecb2[NUM_TESTS-1][8]={
-	{0x92,0x95,0xB5,0x9B,0xB3,0x84,0x73,0x6E},
-	{0x19,0x9E,0x9D,0x6D,0xF3,0x9A,0xA8,0x16},
-	{0x2A,0x4B,0x4D,0x24,0x52,0x43,0x84,0x27},
-	{0x35,0x84,0x3C,0x01,0x9D,0x18,0xC5,0xB6},
-	{0x4A,0x5B,0x2F,0x42,0xAA,0x77,0x19,0x25},
-	{0xA0,0x6B,0xA9,0xB8,0xCA,0x5B,0x17,0x8A},
-	{0xAB,0x9D,0xB7,0xFB,0xED,0x95,0xF2,0x74},
-	{0x3D,0x25,0x6C,0x23,0xA7,0x25,0x2F,0xD6},
-	{0xB7,0x6F,0xAB,0x4F,0xBD,0xBD,0xB7,0x67},
-	{0x8F,0x68,0x27,0xD6,0x9C,0xF4,0x1A,0x10},
-	{0x82,0x57,0xA1,0xD6,0x50,0x5E,0x81,0x85},
-	{0xA2,0x0F,0x0A,0xCD,0x80,0x89,0x7D,0xFA},
-	{0xCD,0x2A,0x53,0x3A,0xDB,0x0D,0x7E,0xF3},
-	{0xD2,0xC2,0xBE,0x27,0xE8,0x1B,0x68,0xE3},
-	{0xE9,0x24,0xCF,0x4F,0x89,0x3C,0x5B,0x0A},
-	{0xA7,0x18,0xC3,0x9F,0xFA,0x9F,0xD7,0x69},
-	{0x77,0x2C,0x79,0xB1,0xD2,0x31,0x7E,0xB1},
-	{0x49,0xAB,0x92,0x7F,0xD0,0x22,0x00,0xB7},
-	{0xCE,0x1C,0x6C,0x7D,0x85,0xE3,0x4A,0x6F},
-	{0xBE,0x91,0xD6,0xE1,0x27,0xB2,0xE9,0x87},
-	{0x70,0x28,0xAE,0x8F,0xD1,0xF5,0x74,0x1A},
-	{0xAA,0x37,0x80,0xBB,0xF3,0x22,0x1D,0xDE},
-	{0xA6,0xC4,0xD2,0x5E,0x28,0x93,0xAC,0xB3},
-	{0x22,0x07,0x81,0x5A,0xE4,0xB7,0x1A,0xAD},
-	{0xDC,0xCE,0x05,0xE7,0x07,0xBD,0xF5,0x84},
-	{0x26,0x1D,0x39,0x2C,0xB3,0xBA,0xA5,0x85},
-	{0xB4,0xF7,0x0F,0x72,0xFB,0x04,0xF0,0xDC},
-	{0x95,0xBA,0xA9,0x4E,0x87,0x36,0xF2,0x89},
-	{0xD4,0x07,0x3A,0xF1,0x5A,0x17,0x82,0x0E},
-	{0xEF,0x6F,0xAF,0xA7,0x66,0x1A,0x7E,0x89},
-	{0xC1,0x97,0xF5,0x58,0x74,0x8A,0x20,0xE7},
-	{0x43,0x34,0xCF,0xDA,0x22,0xC4,0x86,0xC8},
-	{0x08,0xD7,0xB4,0xFB,0x62,0x9D,0x08,0x85}};
-
-static unsigned char cbc_key [8]={0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef};
-static unsigned char cbc2_key[8]={0xf0,0xe1,0xd2,0xc3,0xb4,0xa5,0x96,0x87};
-static unsigned char cbc3_key[8]={0xfe,0xdc,0xba,0x98,0x76,0x54,0x32,0x10};
-static unsigned char cbc_iv  [8]={0xfe,0xdc,0xba,0x98,0x76,0x54,0x32,0x10};
-static char cbc_data[40]="7654321 Now is the time for \0001";
-
-static unsigned char cbc_ok[32]={
-	0xcc,0xd1,0x73,0xff,0xab,0x20,0x39,0xf4,
-	0xac,0xd8,0xae,0xfd,0xdf,0xd8,0xa1,0xeb,
-	0x46,0x8e,0x91,0x15,0x78,0x88,0xba,0x68,
-	0x1d,0x26,0x93,0x97,0xf7,0xfe,0x62,0xb4};
-
-static unsigned char xcbc_ok[32]={
-	0x86,0x74,0x81,0x0D,0x61,0xA4,0xA5,0x48,
-	0xB9,0x93,0x03,0xE1,0xB8,0xBB,0xBD,0xBD,
-	0x64,0x30,0x0B,0xB9,0x06,0x65,0x81,0x76,
-	0x04,0x1D,0x77,0x62,0x17,0xCA,0x2B,0xD2,
-	};
-
-static unsigned char cbc3_ok[32]={
-	0x3F,0xE3,0x01,0xC9,0x62,0xAC,0x01,0xD0,
-	0x22,0x13,0x76,0x3C,0x1C,0xBD,0x4C,0xDC,
-	0x79,0x96,0x57,0xC0,0x64,0xEC,0xF5,0xD4,
-	0x1C,0x67,0x38,0x12,0xCF,0xDE,0x96,0x75};
-
-static unsigned char pcbc_ok[32]={
-	0xcc,0xd1,0x73,0xff,0xab,0x20,0x39,0xf4,
-	0x6d,0xec,0xb4,0x70,0xa0,0xe5,0x6b,0x15,
-	0xae,0xa6,0xbf,0x61,0xed,0x7d,0x9c,0x9f,
-	0xf7,0x17,0x46,0x3b,0x8a,0xb3,0xcc,0x88};
-
-static unsigned char cfb_key[8]={0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef};
-static unsigned char cfb_iv[8]={0x12,0x34,0x56,0x78,0x90,0xab,0xcd,0xef};
-static unsigned char cfb_buf1[40],cfb_buf2[40],cfb_tmp[8];
-static unsigned char plain[24]=
-	{
-	0x4e,0x6f,0x77,0x20,0x69,0x73,
-	0x20,0x74,0x68,0x65,0x20,0x74,
-	0x69,0x6d,0x65,0x20,0x66,0x6f,
-	0x72,0x20,0x61,0x6c,0x6c,0x20
-	};
-static unsigned char cfb_cipher8[24]= {
-	0xf3,0x1f,0xda,0x07,0x01,0x14, 0x62,0xee,0x18,0x7f,0x43,0xd8,
-	0x0a,0x7c,0xd9,0xb5,0xb0,0xd2, 0x90,0xda,0x6e,0x5b,0x9a,0x87 };
-static unsigned char cfb_cipher16[24]={
-	0xF3,0x09,0x87,0x87,0x7F,0x57, 0xF7,0x3C,0x36,0xB6,0xDB,0x70,
-	0xD8,0xD5,0x34,0x19,0xD3,0x86, 0xB2,0x23,0xB7,0xB2,0xAD,0x1B };
-static unsigned char cfb_cipher32[24]={
-	0xF3,0x09,0x62,0x49,0xA4,0xDF, 0xA4,0x9F,0x33,0xDC,0x7B,0xAD,
-	0x4C,0xC8,0x9F,0x64,0xE4,0x53, 0xE5,0xEC,0x67,0x20,0xDA,0xB6 };
-static unsigned char cfb_cipher48[24]={
-	0xF3,0x09,0x62,0x49,0xC7,0xF4, 0x30,0xB5,0x15,0xEC,0xBB,0x85,
-	0x97,0x5A,0x13,0x8C,0x68,0x60, 0xE2,0x38,0x34,0x3C,0xDC,0x1F };
-static unsigned char cfb_cipher64[24]={
-	0xF3,0x09,0x62,0x49,0xC7,0xF4, 0x6E,0x51,0xA6,0x9E,0x83,0x9B,
-	0x1A,0x92,0xF7,0x84,0x03,0x46, 0x71,0x33,0x89,0x8E,0xA6,0x22 };
-
-static unsigned char ofb_key[8]={0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef};
-static unsigned char ofb_iv[8]={0x12,0x34,0x56,0x78,0x90,0xab,0xcd,0xef};
-static unsigned char ofb_buf1[24],ofb_buf2[24],ofb_tmp[8];
-static unsigned char ofb_cipher[24]=
-	{
-	0xf3,0x09,0x62,0x49,0xc7,0xf4,0x6e,0x51,
-	0x35,0xf2,0x4a,0x24,0x2e,0xeb,0x3d,0x3f,
-	0x3d,0x6d,0x5b,0xe3,0x25,0x5a,0xf8,0xc3
-	};
-
-DES_LONG cbc_cksum_ret=0xB462FEF7L;
-unsigned char cbc_cksum_data[8]={0x1D,0x26,0x93,0x97,0xf7,0xfe,0x62,0xb4};
-
-#ifndef NOPROTO
-static char *pt(unsigned char *p);
-static int cfb_test(int bits, unsigned char *cfb_cipher);
-static int cfb64_test(unsigned char *cfb_cipher);
-static int ede_cfb64_test(unsigned char *cfb_cipher);
-#else
-static char *pt();
-static int cfb_test();
-static int cfb64_test();
-static int ede_cfb64_test();
-#endif
-
-int main(argc,argv)
-int argc;
-char *argv[];
-	{
-	int i,j,err=0;
-	des_cblock in,out,outin,iv3;
-	des_key_schedule ks,ks2,ks3;
-	unsigned char cbc_in[40];
-	unsigned char cbc_out[40];
-	DES_LONG cs;
-	unsigned char qret[4][4],cret[8];
-	DES_LONG lqret[4];
-	int num;
-	char *str;
-
-	printf("Doing ecb\n");
-	for (i=0; i<NUM_TESTS; i++)
-		{
-		if ((j=des_key_sched((C_Block *)(key_data[i]),ks)) != 0)
-			{
-			printf("Key error %2d:%d\n",i+1,j);
-			err=1;
-			}
-		memcpy(in,plain_data[i],8);
-		memset(out,0,8);
-		memset(outin,0,8);
-		des_ecb_encrypt((C_Block *)in,(C_Block *)out,ks,DES_ENCRYPT);
-		des_ecb_encrypt((C_Block *)out,(C_Block *)outin,ks,DES_DECRYPT);
-
-		if (memcmp(out,cipher_data[i],8) != 0)
-			{
-			printf("Encryption error %2d\nk=%s p=%s o=%s act=%s\n",
-				i+1,pt(key_data[i]),pt(in),pt(cipher_data[i]),
-				pt(out));
-			err=1;
-			}
-		if (memcmp(in,outin,8) != 0)
-			{
-			printf("Decryption error %2d\nk=%s p=%s o=%s act=%s\n",
-				i+1,pt(key_data[i]),pt(out),pt(in),pt(outin));
-			err=1;
-			}
-		}
-
-#ifndef LIBDES_LIT
-	printf("Doing ede ecb\n");
-	for (i=0; i<(NUM_TESTS-1); i++)
-		{
-		if ((j=des_key_sched((C_Block *)(key_data[i]),ks)) != 0)
-			{
-			err=1;
-			printf("Key error %2d:%d\n",i+1,j);
-			}
-		if ((j=des_key_sched((C_Block *)(key_data[i+1]),ks2)) != 0)
-			{
-			printf("Key error %2d:%d\n",i+2,j);
-			err=1;
-			}
-		if ((j=des_key_sched((C_Block *)(key_data[i+2]),ks3)) != 0)
-			{
-			printf("Key error %2d:%d\n",i+3,j);
-			err=1;
-			}
-		memcpy(in,plain_data[i],8);
-		memset(out,0,8);
-		memset(outin,0,8);
-		des_ecb2_encrypt((C_Block *)in,(C_Block *)out,ks,ks2,
-			DES_ENCRYPT);
-		des_ecb2_encrypt((C_Block *)out,(C_Block *)outin,ks,ks2,
-			DES_DECRYPT);
-
-		if (memcmp(out,cipher_ecb2[i],8) != 0)
-			{
-			printf("Encryption error %2d\nk=%s p=%s o=%s act=%s\n",
-				i+1,pt(key_data[i]),pt(in),pt(cipher_ecb2[i]),
-				pt(out));
-			err=1;
-			}
-		if (memcmp(in,outin,8) != 0)
-			{
-			printf("Decryption error %2d\nk=%s p=%s o=%s act=%s\n",
-				i+1,pt(key_data[i]),pt(out),pt(in),pt(outin));
-			err=1;
-			}
-		}
-#endif
-
-	printf("Doing cbc\n");
-	if ((j=des_key_sched((C_Block *)cbc_key,ks)) != 0)
-		{
-		printf("Key error %d\n",j);
-		err=1;
-		}
-	memset(cbc_out,0,40);
-	memset(cbc_in,0,40);
-	memcpy(iv3,cbc_iv,sizeof(cbc_iv));
-	des_ncbc_encrypt((C_Block *)cbc_data,(C_Block *)cbc_out,
-		(long)strlen((char *)cbc_data)+1,ks,
-		(C_Block *)iv3,DES_ENCRYPT);
-	if (memcmp(cbc_out,cbc_ok,32) != 0)
-		printf("cbc_encrypt encrypt error\n");
-
-	memcpy(iv3,cbc_iv,sizeof(cbc_iv));
-	des_ncbc_encrypt((C_Block *)cbc_out,(C_Block *)cbc_in,
-		(long)strlen((char *)cbc_data)+1,ks,
-		(C_Block *)iv3,DES_DECRYPT);
-	if (memcmp(cbc_in,cbc_data,strlen((char *)cbc_data)) != 0)
-		{
-		printf("cbc_encrypt decrypt error\n");
-		err=1;
-		}
-
-#ifndef LIBDES_LIT
-	printf("Doing desx cbc\n");
-	if ((j=des_key_sched((C_Block *)cbc_key,ks)) != 0)
-		{
-		printf("Key error %d\n",j);
-		err=1;
-		}
-	memset(cbc_out,0,40);
-	memset(cbc_in,0,40);
-	memcpy(iv3,cbc_iv,sizeof(cbc_iv));
-	des_xcbc_encrypt((C_Block *)cbc_data,(C_Block *)cbc_out,
-		(long)strlen((char *)cbc_data)+1,ks,
-		(C_Block *)iv3,
-		(C_Block *)cbc2_key, (C_Block *)cbc3_key, DES_ENCRYPT);
-	if (memcmp(cbc_out,xcbc_ok,32) != 0)
-		{
-		printf("des_xcbc_encrypt encrypt error\n");
-		}
-	memcpy(iv3,cbc_iv,sizeof(cbc_iv));
-	des_xcbc_encrypt((C_Block *)cbc_out,(C_Block *)cbc_in,
-		(long)strlen((char *)cbc_data)+1,ks,
-		(C_Block *)iv3,
-		(C_Block *)cbc2_key, (C_Block *)cbc3_key, DES_DECRYPT);
-	if (memcmp(cbc_in,cbc_data,strlen((char *)cbc_data)+1) != 0)
-		{
-		printf("des_xcbc_encrypt decrypt error\n");
-		err=1;
-		}
-#endif
-
-	printf("Doing ede cbc\n");
-	if ((j=des_key_sched((C_Block *)cbc_key,ks)) != 0)
-		{
-		printf("Key error %d\n",j);
-		err=1;
-		}
-	if ((j=des_key_sched((C_Block *)cbc2_key,ks2)) != 0)
-		{
-		printf("Key error %d\n",j);
-		err=1;
-		}
-	if ((j=des_key_sched((C_Block *)cbc3_key,ks3)) != 0)
-		{
-		printf("Key error %d\n",j);
-		err=1;
-		}
-	memset(cbc_out,0,40);
-	memset(cbc_in,0,40);
-	i=strlen((char *)cbc_data)+1;
-	/* i=((i+7)/8)*8; */
-	memcpy(iv3,cbc_iv,sizeof(cbc_iv));
-
-	des_ede3_cbc_encrypt((C_Block *)cbc_data,(C_Block *)cbc_out,
-		16L,ks,ks2,ks3,(C_Block *)iv3,DES_ENCRYPT);
-	des_ede3_cbc_encrypt((C_Block *)&(cbc_data[16]),
-		(C_Block *)&(cbc_out[16]),
-		(long)i-16,ks,ks2,ks3,(C_Block *)iv3,DES_ENCRYPT);
-	if (memcmp(cbc_out,cbc3_ok,
-		(unsigned int)(strlen((char *)cbc_data)+1+7)/8*8) != 0)
-		{
-		printf("des_ede3_cbc_encrypt encrypt error\n");
-		err=1;
-		}
-
-	memcpy(iv3,cbc_iv,sizeof(cbc_iv));
-	des_ede3_cbc_encrypt((C_Block *)cbc_out,(C_Block *)cbc_in,
-		(long)i,ks,ks2,ks3,(C_Block *)iv3,DES_DECRYPT);
-	if (memcmp(cbc_in,cbc_data,strlen(cbc_data)+1) != 0)
-		{
-		printf("des_ede3_cbc_encrypt decrypt error\n");
-		err=1;
-		}
-
-#ifndef LIBDES_LIT
-	printf("Doing pcbc\n");
-	if ((j=des_key_sched((C_Block *)cbc_key,ks)) != 0)
-		{
-		printf("Key error %d\n",j);
-		err=1;
-		}
-	memset(cbc_out,0,40);
-	memset(cbc_in,0,40);
-	des_pcbc_encrypt((C_Block *)cbc_data,(C_Block *)cbc_out,
-		(long)strlen(cbc_data)+1,ks,(C_Block *)cbc_iv,DES_ENCRYPT);
-	if (memcmp(cbc_out,pcbc_ok,32) != 0)
-		{
-		printf("pcbc_encrypt encrypt error\n");
-		err=1;
-		}
-	des_pcbc_encrypt((C_Block *)cbc_out,(C_Block *)cbc_in,
-		(long)strlen(cbc_data)+1,ks,(C_Block *)cbc_iv,DES_DECRYPT);
-	if (memcmp(cbc_in,cbc_data,strlen(cbc_data)+1) != 0)
-		{
-		printf("pcbc_encrypt decrypt error\n");
-		err=1;
-		}
-
-	printf("Doing ");
-	printf("cfb8 ");
-	err+=cfb_test(8,cfb_cipher8);
-	printf("cfb16 ");
-	err+=cfb_test(16,cfb_cipher16);
-	printf("cfb32 ");
-	err+=cfb_test(32,cfb_cipher32);
-	printf("cfb48 ");
-	err+=cfb_test(48,cfb_cipher48);
-	printf("cfb64 ");
-	err+=cfb_test(64,cfb_cipher64);
-
-	printf("cfb64() ");
-	err+=cfb64_test(cfb_cipher64);
-
-	memcpy(cfb_tmp,cfb_iv,sizeof(cfb_iv));
-	for (i=0; i<sizeof(plain); i++)
-		des_cfb_encrypt(&(plain[i]),&(cfb_buf1[i]),
-			8,(long)1,ks,(C_Block *)cfb_tmp,DES_ENCRYPT);
-	if (memcmp(cfb_cipher8,cfb_buf1,sizeof(plain)) != 0)
-		{
-		printf("cfb_encrypt small encrypt error\n");
-		err=1;
-		}
-
-	memcpy(cfb_tmp,cfb_iv,sizeof(cfb_iv));
-	for (i=0; i<sizeof(plain); i++)
-		des_cfb_encrypt(&(cfb_buf1[i]),&(cfb_buf2[i]),
-			8,(long)1,ks,(C_Block *)cfb_tmp,DES_DECRYPT);
-	if (memcmp(plain,cfb_buf2,sizeof(plain)) != 0)
-		{
-		printf("cfb_encrypt small decrypt error\n");
-		err=1;
-		}
-
-	printf("ede_cfb64() ");
-	err+=ede_cfb64_test(cfb_cipher64);
-
-	printf("done\n");
-
-	printf("Doing ofb\n");
-	des_key_sched((C_Block *)ofb_key,ks);
-	memcpy(ofb_tmp,ofb_iv,sizeof(ofb_iv));
-	des_ofb_encrypt(plain,ofb_buf1,64,(long)sizeof(plain)/8,ks,
-		(C_Block *)ofb_tmp);
-	if (memcmp(ofb_cipher,ofb_buf1,sizeof(ofb_buf1)) != 0)
-		{
-		printf("ofb_encrypt encrypt error\n");
-printf("%02X %02X %02X %02X %02X %02X %02X %02X\n",
-ofb_buf1[8+0], ofb_buf1[8+1], ofb_buf1[8+2], ofb_buf1[8+3],
-ofb_buf1[8+4], ofb_buf1[8+5], ofb_buf1[8+6], ofb_buf1[8+7]);
-printf("%02X %02X %02X %02X %02X %02X %02X %02X\n",
-ofb_buf1[8+0], ofb_cipher[8+1], ofb_cipher[8+2], ofb_cipher[8+3],
-ofb_buf1[8+4], ofb_cipher[8+5], ofb_cipher[8+6], ofb_cipher[8+7]);
-		err=1;
-		}
-	memcpy(ofb_tmp,ofb_iv,sizeof(ofb_iv));
-	des_ofb_encrypt(ofb_buf1,ofb_buf2,64,(long)sizeof(ofb_buf1)/8,ks,
-		(C_Block *)ofb_tmp);
-	if (memcmp(plain,ofb_buf2,sizeof(ofb_buf2)) != 0)
-		{
-		printf("ofb_encrypt decrypt error\n");
-printf("%02X %02X %02X %02X %02X %02X %02X %02X\n",
-ofb_buf2[8+0], ofb_buf2[8+1], ofb_buf2[8+2], ofb_buf2[8+3],
-ofb_buf2[8+4], ofb_buf2[8+5], ofb_buf2[8+6], ofb_buf2[8+7]);
-printf("%02X %02X %02X %02X %02X %02X %02X %02X\n",
-plain[8+0], plain[8+1], plain[8+2], plain[8+3],
-plain[8+4], plain[8+5], plain[8+6], plain[8+7]);
-		err=1;
-		}
-
-	printf("Doing ofb64\n");
-	des_key_sched((C_Block *)ofb_key,ks);
-	memcpy(ofb_tmp,ofb_iv,sizeof(ofb_iv));
-	memset(ofb_buf1,0,sizeof(ofb_buf1));
-	memset(ofb_buf2,0,sizeof(ofb_buf1));
-	num=0;
-	for (i=0; i<sizeof(plain); i++)
-		{
-		des_ofb64_encrypt(&(plain[i]),&(ofb_buf1[i]),1,ks,
-			(C_Block *)ofb_tmp,&num);
-		}
-	if (memcmp(ofb_cipher,ofb_buf1,sizeof(ofb_buf1)) != 0)
-		{
-		printf("ofb64_encrypt encrypt error\n");
-		err=1;
-		}
-	memcpy(ofb_tmp,ofb_iv,sizeof(ofb_iv));
-	num=0;
-	des_ofb64_encrypt(ofb_buf1,ofb_buf2,(long)sizeof(ofb_buf1),ks,
-		(C_Block *)ofb_tmp,&num);
-	if (memcmp(plain,ofb_buf2,sizeof(ofb_buf2)) != 0)
-		{
-		printf("ofb64_encrypt decrypt error\n");
-		err=1;
-		}
-
-	printf("Doing ede_ofb64\n");
-	des_key_sched((C_Block *)ofb_key,ks);
-	memcpy(ofb_tmp,ofb_iv,sizeof(ofb_iv));
-	memset(ofb_buf1,0,sizeof(ofb_buf1));
-	memset(ofb_buf2,0,sizeof(ofb_buf1));
-	num=0;
-	for (i=0; i<sizeof(plain); i++)
-		{
-		des_ede3_ofb64_encrypt(&(plain[i]),&(ofb_buf1[i]),1,ks,ks,ks,
-			(C_Block *)ofb_tmp,&num);
-		}
-	if (memcmp(ofb_cipher,ofb_buf1,sizeof(ofb_buf1)) != 0)
-		{
-		printf("ede_ofb64_encrypt encrypt error\n");
-		err=1;
-		}
-	memcpy(ofb_tmp,ofb_iv,sizeof(ofb_iv));
-	num=0;
-	des_ede3_ofb64_encrypt(ofb_buf1,ofb_buf2,(long)sizeof(ofb_buf1),ks,
-		ks,ks,(C_Block *)ofb_tmp,&num);
-	if (memcmp(plain,ofb_buf2,sizeof(ofb_buf2)) != 0)
-		{
-		printf("ede_ofb64_encrypt decrypt error\n");
-		err=1;
-		}
-
-	printf("Doing cbc_cksum\n");
-	des_key_sched((C_Block *)cbc_key,ks);
-	cs=des_cbc_cksum((C_Block *)cbc_data,(C_Block *)cret,
-		(long)strlen(cbc_data),ks,(C_Block *)cbc_iv);
-	if (cs != cbc_cksum_ret)
-		{
-		printf("bad return value (%08lX), should be %08lX\n",
-			(unsigned long)cs,(unsigned long)cbc_cksum_ret);
-		err=1;
-		}
-	if (memcmp(cret,cbc_cksum_data,8) != 0)
-		{
-		printf("bad cbc_cksum block returned\n");
-		err=1;
-		}
-
-	printf("Doing quad_cksum\n");
-	cs=quad_cksum((C_Block *)cbc_data,(C_Block *)qret,
-		(long)strlen(cbc_data),2,(C_Block *)cbc_iv);
-	for (i=0; i<4; i++)
-		{
-		lqret[i]=0;
-		memcpy(&(lqret[i]),&(qret[i][0]),4);
-		}
-	{ /* Big-endian fix */
-	static DES_LONG l=1;
-	static unsigned char *c=(unsigned char *)&l;
-	DES_LONG ll;
-
-	if (!c[0])
-		{
-		ll=lqret[0]^lqret[3];
-		lqret[0]^=ll;
-		lqret[3]^=ll;
-		ll=lqret[1]^lqret[2];
-		lqret[1]^=ll;
-		lqret[2]^=ll;
-		}
-	}
-	if (cs != 0x70d7a63aL)
-		{
-		printf("quad_cksum error, ret %08lx should be 70d7a63a\n",
-			(unsigned long)cs);
-		err=1;
-		}
-	if (lqret[0] != 0x327eba8dL)
-		{
-		printf("quad_cksum error, out[0] %08lx is not %08lx\n",
-			(unsigned long)lqret[0],0x327eba8dL);
-		err=1;
-		}
-	if (lqret[1] != 0x201a49ccL)
-		{
-		printf("quad_cksum error, out[1] %08lx is not %08lx\n",
-			(unsigned long)lqret[1],0x201a49ccL);
-		err=1;
-		}
-	if (lqret[2] != 0x70d7a63aL)
-		{
-		printf("quad_cksum error, out[2] %08lx is not %08lx\n",
-			(unsigned long)lqret[2],0x70d7a63aL);
-		err=1;
-		}
-	if (lqret[3] != 0x501c2c26L)
-		{
-		printf("quad_cksum error, out[3] %08lx is not %08lx\n",
-			(unsigned long)lqret[3],0x501c2c26L);
-		err=1;
-		}
-#endif
-
-	printf("input word alignment test");
-	for (i=0; i<4; i++)
-		{
-		printf(" %d",i);
-		des_ncbc_encrypt((C_Block *)&(cbc_out[i]),(C_Block *)cbc_in,
-			(long)strlen(cbc_data)+1,ks,(C_Block *)cbc_iv,
-			DES_ENCRYPT);
-		}
-	printf("\noutput word alignment test");
-	for (i=0; i<4; i++)
-		{
-		printf(" %d",i);
-		des_ncbc_encrypt((C_Block *)cbc_out,(C_Block *)&(cbc_in[i]),
-			(long)strlen(cbc_data)+1,ks,(C_Block *)cbc_iv,
-			DES_ENCRYPT);
-		}
-	printf("\n");
-	printf("fast crypt test ");
-	str=crypt("testing","ef");
-	if (strcmp("efGnQx2725bI2",str) != 0)
-		{
-		printf("fast crypt error, %s should be efGnQx2725bI2\n",str);
-		err=1;
-		}
-	str=crypt("bca76;23","yA");
-	if (strcmp("yA1Rp/1hZXIJk",str) != 0)
-		{
-		printf("fast crypt error, %s should be yA1Rp/1hZXIJk\n",str);
-		err=1;
-		}
-	printf("\n");
-	exit(err);
-	return(0);
-	}
-
-static char *pt(p)
-unsigned char *p;
-	{
-	static char bufs[10][20];
-	static int bnum=0;
-	char *ret;
-	int i;
-	static char *f="0123456789ABCDEF";
-
-	ret= &(bufs[bnum++][0]);
-	bnum%=10;
-	for (i=0; i<8; i++)
-		{
-		ret[i*2]=f[(p[i]>>4)&0xf];
-		ret[i*2+1]=f[p[i]&0xf];
-		}
-	ret[16]='\0';
-	return(ret);
-	}
-
-#ifndef LIBDES_LIT
-
-static int cfb_test(bits, cfb_cipher)
-int bits;
-unsigned char *cfb_cipher;
-	{
-	des_key_schedule ks;
-	int i,err=0;
-
-	des_key_sched((C_Block *)cfb_key,ks);
-	memcpy(cfb_tmp,cfb_iv,sizeof(cfb_iv));
-	des_cfb_encrypt(plain,cfb_buf1,bits,(long)sizeof(plain),ks,
-		(C_Block *)cfb_tmp,DES_ENCRYPT);
-	if (memcmp(cfb_cipher,cfb_buf1,sizeof(plain)) != 0)
-		{
-		err=1;
-		printf("cfb_encrypt encrypt error\n");
-		for (i=0; i<24; i+=8)
-			printf("%s\n",pt(&(cfb_buf1[i])));
-		}
-	memcpy(cfb_tmp,cfb_iv,sizeof(cfb_iv));
-	des_cfb_encrypt(cfb_buf1,cfb_buf2,bits,(long)sizeof(plain),ks,
-		(C_Block *)cfb_tmp,DES_DECRYPT);
-	if (memcmp(plain,cfb_buf2,sizeof(plain)) != 0)
-		{
-		err=1;
-		printf("cfb_encrypt decrypt error\n");
-		for (i=0; i<24; i+=8)
-			printf("%s\n",pt(&(cfb_buf1[i])));
-		}
-	return(err);
-	}
-
-static int cfb64_test(cfb_cipher)
-unsigned char *cfb_cipher;
-	{
-	des_key_schedule ks;
-	int err=0,i,n;
-
-	des_key_sched((C_Block *)cfb_key,ks);
-	memcpy(cfb_tmp,cfb_iv,sizeof(cfb_iv));
-	n=0;
-	des_cfb64_encrypt(plain,cfb_buf1,(long)12,ks,
-		(C_Block *)cfb_tmp,&n,DES_ENCRYPT);
-	des_cfb64_encrypt(&(plain[12]),&(cfb_buf1[12]),
-		(long)sizeof(plain)-12,ks,
-		(C_Block *)cfb_tmp,&n,DES_ENCRYPT);
-	if (memcmp(cfb_cipher,cfb_buf1,sizeof(plain)) != 0)
-		{
-		err=1;
-		printf("cfb_encrypt encrypt error\n");
-		for (i=0; i<24; i+=8)
-			printf("%s\n",pt(&(cfb_buf1[i])));
-		}
-	memcpy(cfb_tmp,cfb_iv,sizeof(cfb_iv));
-	n=0;
-	des_cfb64_encrypt(cfb_buf1,cfb_buf2,(long)17,ks,
-		(C_Block *)cfb_tmp,&n,DES_DECRYPT);
-	des_cfb64_encrypt(&(cfb_buf1[17]),&(cfb_buf2[17]),
-		(long)sizeof(plain)-17,ks,
-		(C_Block *)cfb_tmp,&n,DES_DECRYPT);
-	if (memcmp(plain,cfb_buf2,sizeof(plain)) != 0)
-		{
-		err=1;
-		printf("cfb_encrypt decrypt error\n");
-		for (i=0; i<24; i+=8)
-			printf("%s\n",pt(&(cfb_buf2[i])));
-		}
-	return(err);
-	}
-
-static int ede_cfb64_test(cfb_cipher)
-unsigned char *cfb_cipher;
-	{
-	des_key_schedule ks;
-	int err=0,i,n;
-
-	des_key_sched((C_Block *)cfb_key,ks);
-	memcpy(cfb_tmp,cfb_iv,sizeof(cfb_iv));
-	n=0;
-	des_ede3_cfb64_encrypt(plain,cfb_buf1,(long)12,ks,ks,ks,
-		(C_Block *)cfb_tmp,&n,DES_ENCRYPT);
-	des_ede3_cfb64_encrypt(&(plain[12]),&(cfb_buf1[12]),
-		(long)sizeof(plain)-12,ks,ks,ks,
-		(C_Block *)cfb_tmp,&n,DES_ENCRYPT);
-	if (memcmp(cfb_cipher,cfb_buf1,sizeof(plain)) != 0)
-		{
-		err=1;
-		printf("ede_cfb_encrypt encrypt error\n");
-		for (i=0; i<24; i+=8)
-			printf("%s\n",pt(&(cfb_buf1[i])));
-		}
-	memcpy(cfb_tmp,cfb_iv,sizeof(cfb_iv));
-	n=0;
-	des_ede3_cfb64_encrypt(cfb_buf1,cfb_buf2,(long)17,ks,ks,ks,
-		(C_Block *)cfb_tmp,&n,DES_DECRYPT);
-	des_ede3_cfb64_encrypt(&(cfb_buf1[17]),&(cfb_buf2[17]),
-		(long)sizeof(plain)-17,ks,ks,ks,
-		(C_Block *)cfb_tmp,&n,DES_DECRYPT);
-	if (memcmp(plain,cfb_buf2,sizeof(plain)) != 0)
-		{
-		err=1;
-		printf("ede_cfb_encrypt decrypt error\n");
-		for (i=0; i<24; i+=8)
-			printf("%s\n",pt(&(cfb_buf2[i])));
-		}
-	return(err);
-	}
-
-#endif
-
diff --git a/src/libcrypto/libdes/ecb_enc.c b/src/libcrypto/libdes/ecb_enc.c
deleted file mode 100644
index 0b7afcf3a..000000000
--- a/src/libcrypto/libdes/ecb_enc.c
+++ /dev/null
@@ -1,128 +0,0 @@
-/* crypto/des/ecb_enc.c */
-/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- * 
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * 
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#include "des_locl.h"
-#include "spr.h"
-
-char *libdes_version="libdes v 3.24 - 20-Apr-1996 - eay";
-char *DES_version="DES part of SSLeay 0.8.2b 08-Jan-1998";
-
-/* RCSID $Id: ecb_enc.c,v 1.1 2004/03/15 20:35:25 as Exp $ */
-/* This function ifdef'ed out for FreeS/WAN project. */
-#ifdef notdef
-char *des_options()
-	{
-	static int init=1;
-	static char buf[32];
-
-	if (init)
-		{
-		char *ptr,*unroll,*risc,*size;
-
-		init=0;
-#ifdef DES_PTR
-		ptr="ptr";
-#else
-		ptr="idx";
-#endif
-#if defined(DES_RISC1) || defined(DES_RISC2)
-#ifdef DES_RISC1
-		risc="risc1";
-#endif
-#ifdef DES_RISC2
-		risc="risc2";
-#endif
-#else
-		risc="cisc";
-#endif
-#ifdef DES_UNROLL
-		unroll="16";
-#else
-		unroll="4";
-#endif
-		if (sizeof(DES_LONG) != sizeof(long))
-			size="int";
-		else
-			size="long";
-		sprintf(buf,"des(%s,%s,%s,%s)",ptr,risc,unroll,size);
-		}
-	return(buf);
-	}
-#endif
-		
-
-void des_ecb_encrypt(input, output, ks, enc)
-des_cblock (*input);
-des_cblock (*output);
-des_key_schedule ks;
-int enc;
-	{
-	register DES_LONG l;
-	register unsigned char *in,*out;
-	DES_LONG ll[2];
-
-	in=(unsigned char *)input;
-	out=(unsigned char *)output;
-	c2l(in,l); ll[0]=l;
-	c2l(in,l); ll[1]=l;
-	des_encrypt(ll,ks,enc);
-	l=ll[0]; l2c(l,out);
-	l=ll[1]; l2c(l,out);
-	l=ll[0]=ll[1]=0;
-	}
-
diff --git a/src/libcrypto/libdes/fcrypt.c b/src/libcrypto/libdes/fcrypt.c
deleted file mode 100644
index 8b9d0495b..000000000
--- a/src/libcrypto/libdes/fcrypt.c
+++ /dev/null
@@ -1,152 +0,0 @@
-/* NOCW */
-
-/* This version of crypt has been developed from my MIT compatable
- * DES library.
- * The library is available at pub/Crypto/DES at ftp.psy.uq.oz.au
- * Eric Young (eay@cryptsoft.com)
- */
-
-/* Modification by Jens Kupferschmidt (Cu)
- * I have included directive PARA for shared memory computers.
- * I have included a directive LONGCRYPT to using this routine to cipher
- * passwords with more then 8 bytes like HP-UX 10.x it used. The MAXPLEN
- * definition is the maximum of lenght of password and can changed. I have
- * defined 24.
- */
-
-#include "des_locl.h"
-
-/* Added more values to handle illegal salt values the way normal
- * crypt() implementations do.  The patch was sent by 
- * Bjorn Gronvall <bg@sics.se>
- */
-static unsigned const char con_salt[128]={
-0xD2,0xD3,0xD4,0xD5,0xD6,0xD7,0xD8,0xD9,
-0xDA,0xDB,0xDC,0xDD,0xDE,0xDF,0xE0,0xE1,
-0xE2,0xE3,0xE4,0xE5,0xE6,0xE7,0xE8,0xE9,
-0xEA,0xEB,0xEC,0xED,0xEE,0xEF,0xF0,0xF1,
-0xF2,0xF3,0xF4,0xF5,0xF6,0xF7,0xF8,0xF9,
-0xFA,0xFB,0xFC,0xFD,0xFE,0xFF,0x00,0x01,
-0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,
-0x0A,0x0B,0x05,0x06,0x07,0x08,0x09,0x0A,
-0x0B,0x0C,0x0D,0x0E,0x0F,0x10,0x11,0x12,
-0x13,0x14,0x15,0x16,0x17,0x18,0x19,0x1A,
-0x1B,0x1C,0x1D,0x1E,0x1F,0x20,0x21,0x22,
-0x23,0x24,0x25,0x20,0x21,0x22,0x23,0x24,
-0x25,0x26,0x27,0x28,0x29,0x2A,0x2B,0x2C,
-0x2D,0x2E,0x2F,0x30,0x31,0x32,0x33,0x34,
-0x35,0x36,0x37,0x38,0x39,0x3A,0x3B,0x3C,
-0x3D,0x3E,0x3F,0x40,0x41,0x42,0x43,0x44,
-};
-
-static unsigned const char cov_2char[64]={
-0x2E,0x2F,0x30,0x31,0x32,0x33,0x34,0x35,
-0x36,0x37,0x38,0x39,0x41,0x42,0x43,0x44,
-0x45,0x46,0x47,0x48,0x49,0x4A,0x4B,0x4C,
-0x4D,0x4E,0x4F,0x50,0x51,0x52,0x53,0x54,
-0x55,0x56,0x57,0x58,0x59,0x5A,0x61,0x62,
-0x63,0x64,0x65,0x66,0x67,0x68,0x69,0x6A,
-0x6B,0x6C,0x6D,0x6E,0x6F,0x70,0x71,0x72,
-0x73,0x74,0x75,0x76,0x77,0x78,0x79,0x7A
-};
-
-#ifndef NOPROTO
-void fcrypt_body(DES_LONG *out,des_key_schedule ks,
-	DES_LONG Eswap0, DES_LONG Eswap1);
-
-#ifdef PERL5
-char *des_crypt(const char *buf,const char *salt);
-#else
-char *crypt(const char *buf,const char *salt);
-#endif
-#else
-void fcrypt_body();
-#ifdef PERL5
-char *des_crypt();
-#else
-char *crypt();
-#endif
-#endif
-
-#ifdef PERL5
-char *des_crypt(buf,salt)
-#else
-char *crypt(buf,salt)
-#endif
-const char *buf;
-const char *salt;
-	{
-	static char buff[14];
-
-	return(des_fcrypt(buf,salt,buff));
-	}
-
-
-char *des_fcrypt(buf,salt,ret)
-const char *buf;
-const char *salt;
-char *ret;
-	{
-	unsigned int i,j,x,y;
-	DES_LONG Eswap0,Eswap1;
-	DES_LONG out[2],ll;
-	des_cblock key;
-	des_key_schedule ks;
-	unsigned char bb[9];
-	unsigned char *b=bb;
-	unsigned char c,u;
-
-	/* eay 25/08/92
-	 * If you call crypt("pwd","*") as often happens when you
-	 * have * as the pwd field in /etc/passwd, the function
-	 * returns *\0XXXXXXXXX
-	 * The \0 makes the string look like * so the pwd "*" would
-	 * crypt to "*".  This was found when replacing the crypt in
-	 * our shared libraries.  People found that the disbled
-	 * accounts effectivly had no passwd :-(. */
-	x=ret[0]=((salt[0] == '\0')?'A':salt[0]);
-	Eswap0=con_salt[x]<<2;
-	x=ret[1]=((salt[1] == '\0')?'A':salt[1]);
-	Eswap1=con_salt[x]<<6;
-
-/* EAY
-r=strlen(buf);
-r=(r+7)/8;
-*/
-	for (i=0; i<8; i++)
-		{
-		c= *(buf++);
-		if (!c) break;
-		key[i]=(c<<1);
-		}
-	for (; i<8; i++)
-		key[i]=0;
-
-	des_set_key((des_cblock *)(key),ks);
-	fcrypt_body(&(out[0]),ks,Eswap0,Eswap1);
-
-	ll=out[0]; l2c(ll,b);
-	ll=out[1]; l2c(ll,b);
-	y=0;
-	u=0x80;
-	bb[8]=0;
-	for (i=2; i<13; i++)
-		{
-		c=0;
-		for (j=0; j<6; j++)
-			{
-			c<<=1;
-			if (bb[y] & u) c|=1;
-			u>>=1;
-			if (!u)
-				{
-				y++;
-				u=0x80;
-				}
-			}
-		ret[i]=cov_2char[c];
-		}
-	ret[13]='\0';
-	return(ret);
-	}
-
diff --git a/src/libcrypto/libdes/fcrypt_b.c b/src/libcrypto/libdes/fcrypt_b.c
deleted file mode 100644
index 5900645e7..000000000
--- a/src/libcrypto/libdes/fcrypt_b.c
+++ /dev/null
@@ -1,148 +0,0 @@
-/* crypto/des/fcrypt_b.c */
-/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- * 
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * 
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-/* #include <stdio.h> */
-
-/* This version of crypt has been developed from my MIT compatable
- * DES library.
- * The library is available at pub/Crypto/DES at ftp.psy.uq.oz.au
- * Eric Young (eay@cryptsoft.com)
- */
-
-#define DES_FCRYPT
-#include "des_locl.h"
-#undef DES_FCRYPT
-
-#undef PERM_OP
-#define PERM_OP(a,b,t,n,m) ((t)=((((a)>>(n))^(b))&(m)),\
-	(b)^=(t),\
-	(a)^=((t)<<(n)))
-
-#undef HPERM_OP
-#define HPERM_OP(a,t,n,m) ((t)=((((a)<<(16-(n)))^(a))&(m)),\
-	(a)=(a)^(t)^(t>>(16-(n))))\
-
-void fcrypt_body(out, ks, Eswap0, Eswap1)
-DES_LONG *out;
-des_key_schedule ks;
-DES_LONG Eswap0;
-DES_LONG Eswap1;
-	{
-	register DES_LONG l,r,t,u;
-#ifdef DES_PTR
-	register unsigned char *des_SP=(unsigned char *)des_SPtrans;
-#endif
-	register DES_LONG *s;
-	register int j;
-	register DES_LONG E0,E1;
-
-	l=0;
-	r=0;
-
-	s=(DES_LONG *)ks;
-	E0=Eswap0;
-	E1=Eswap1;
-
-	for (j=0; j<25; j++)
-		{
-#ifdef DES_UNROLL
-		register int i;
-
-		for (i=0; i<32; i+=8)
-			{
-			D_ENCRYPT(l,r,i+0); /*  1 */
-			D_ENCRYPT(r,l,i+2); /*  2 */
-			D_ENCRYPT(l,r,i+4); /*  1 */
-			D_ENCRYPT(r,l,i+6); /*  2 */
-			}
-#else
-		D_ENCRYPT(l,r, 0); /*  1 */
-		D_ENCRYPT(r,l, 2); /*  2 */
-		D_ENCRYPT(l,r, 4); /*  3 */
-		D_ENCRYPT(r,l, 6); /*  4 */
-		D_ENCRYPT(l,r, 8); /*  5 */
-		D_ENCRYPT(r,l,10); /*  6 */
-		D_ENCRYPT(l,r,12); /*  7 */
-		D_ENCRYPT(r,l,14); /*  8 */
-		D_ENCRYPT(l,r,16); /*  9 */
-		D_ENCRYPT(r,l,18); /*  10 */
-		D_ENCRYPT(l,r,20); /*  11 */
-		D_ENCRYPT(r,l,22); /*  12 */
-		D_ENCRYPT(l,r,24); /*  13 */
-		D_ENCRYPT(r,l,26); /*  14 */
-		D_ENCRYPT(l,r,28); /*  15 */
-		D_ENCRYPT(r,l,30); /*  16 */
-#endif
-
-		t=l;
-		l=r;
-		r=t;
-		}
-	l=ROTATE(l,3)&0xffffffffL;
-	r=ROTATE(r,3)&0xffffffffL;
-
-	PERM_OP(l,r,t, 1,0x55555555L);
-	PERM_OP(r,l,t, 8,0x00ff00ffL);
-	PERM_OP(l,r,t, 2,0x33333333L);
-	PERM_OP(r,l,t,16,0x0000ffffL);
-	PERM_OP(l,r,t, 4,0x0f0f0f0fL);
-
-	out[0]=r;
-	out[1]=l;
-	}
-
diff --git a/src/libcrypto/libdes/podd.h b/src/libcrypto/libdes/podd.h
deleted file mode 100644
index c00cd6ba0..000000000
--- a/src/libcrypto/libdes/podd.h
+++ /dev/null
@@ -1,75 +0,0 @@
-/* crypto/des/podd.h */
-/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- * 
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * 
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-static const unsigned char odd_parity[256]={
-  1,  1,  2,  2,  4,  4,  7,  7,  8,  8, 11, 11, 13, 13, 14, 14,
- 16, 16, 19, 19, 21, 21, 22, 22, 25, 25, 26, 26, 28, 28, 31, 31,
- 32, 32, 35, 35, 37, 37, 38, 38, 41, 41, 42, 42, 44, 44, 47, 47,
- 49, 49, 50, 50, 52, 52, 55, 55, 56, 56, 59, 59, 61, 61, 62, 62,
- 64, 64, 67, 67, 69, 69, 70, 70, 73, 73, 74, 74, 76, 76, 79, 79,
- 81, 81, 82, 82, 84, 84, 87, 87, 88, 88, 91, 91, 93, 93, 94, 94,
- 97, 97, 98, 98,100,100,103,103,104,104,107,107,109,109,110,110,
-112,112,115,115,117,117,118,118,121,121,122,122,124,124,127,127,
-128,128,131,131,133,133,134,134,137,137,138,138,140,140,143,143,
-145,145,146,146,148,148,151,151,152,152,155,155,157,157,158,158,
-161,161,162,162,164,164,167,167,168,168,171,171,173,173,174,174,
-176,176,179,179,181,181,182,182,185,185,186,186,188,188,191,191,
-193,193,194,194,196,196,199,199,200,200,203,203,205,205,206,206,
-208,208,211,211,213,213,214,214,217,217,218,218,220,220,223,223,
-224,224,227,227,229,229,230,230,233,233,234,234,236,236,239,239,
-241,241,242,242,244,244,247,247,248,248,251,251,253,253,254,254};
diff --git a/src/libcrypto/libdes/set_key.c b/src/libcrypto/libdes/set_key.c
deleted file mode 100644
index 99ac27348..000000000
--- a/src/libcrypto/libdes/set_key.c
+++ /dev/null
@@ -1,246 +0,0 @@
-/* crypto/des/set_key.c */
-/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- * 
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * 
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-/* set_key.c v 1.4 eay 24/9/91
- * 1.4 Speed up by 400% :-)
- * 1.3 added register declarations.
- * 1.2 unrolled make_key_sched a bit more
- * 1.1 added norm_expand_bits
- * 1.0 First working version
- */
-#include "des_locl.h"
-#include "podd.h"
-#include "sk.h"
-
-#ifndef NOPROTO
-static int check_parity(des_cblock (*key));
-#else
-static int check_parity();
-#endif
-
-int des_check_key=0;
-
-void des_set_odd_parity(key)
-des_cblock (*key);
-	{
-	int i;
-
-	for (i=0; i<DES_KEY_SZ; i++)
-		(*key)[i]=odd_parity[(*key)[i]];
-	}
-
-static int check_parity(key)
-des_cblock (*key);
-	{
-	int i;
-
-	for (i=0; i<DES_KEY_SZ; i++)
-		{
-		if ((*key)[i] != odd_parity[(*key)[i]])
-			return(0);
-		}
-	return(1);
-	}
-
-/* Weak and semi week keys as take from
- * %A D.W. Davies
- * %A W.L. Price
- * %T Security for Computer Networks
- * %I John Wiley & Sons
- * %D 1984
- * Many thanks to smb@ulysses.att.com (Steven Bellovin) for the reference
- * (and actual cblock values).
- */
-#define NUM_WEAK_KEY	16
-static des_cblock weak_keys[NUM_WEAK_KEY]={
-	/* weak keys */
-	{0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01},
-	{0xFE,0xFE,0xFE,0xFE,0xFE,0xFE,0xFE,0xFE},
-	{0x1F,0x1F,0x1F,0x1F,0x1F,0x1F,0x1F,0x1F},
-	{0xE0,0xE0,0xE0,0xE0,0xE0,0xE0,0xE0,0xE0},
-	/* semi-weak keys */
-	{0x01,0xFE,0x01,0xFE,0x01,0xFE,0x01,0xFE},
-	{0xFE,0x01,0xFE,0x01,0xFE,0x01,0xFE,0x01},
-	{0x1F,0xE0,0x1F,0xE0,0x0E,0xF1,0x0E,0xF1},
-	{0xE0,0x1F,0xE0,0x1F,0xF1,0x0E,0xF1,0x0E},
-	{0x01,0xE0,0x01,0xE0,0x01,0xF1,0x01,0xF1},
-	{0xE0,0x01,0xE0,0x01,0xF1,0x01,0xF1,0x01},
-	{0x1F,0xFE,0x1F,0xFE,0x0E,0xFE,0x0E,0xFE},
-	{0xFE,0x1F,0xFE,0x1F,0xFE,0x0E,0xFE,0x0E},
-	{0x01,0x1F,0x01,0x1F,0x01,0x0E,0x01,0x0E},
-	{0x1F,0x01,0x1F,0x01,0x0E,0x01,0x0E,0x01},
-	{0xE0,0xFE,0xE0,0xFE,0xF1,0xFE,0xF1,0xFE},
-	{0xFE,0xE0,0xFE,0xE0,0xFE,0xF1,0xFE,0xF1}};
-
-int des_is_weak_key(key)
-des_cblock (*key);
-	{
-	int i;
-
-	for (i=0; i<NUM_WEAK_KEY; i++)
-		/* Added == 0 to comparision, I obviously don't run
-		 * this section very often :-(, thanks to
-		 * engineering@MorningStar.Com for the fix
-		 * eay 93/06/29
-		 * Another problem, I was comparing only the first 4
-		 * bytes, 97/03/18 */
-		if (memcmp(weak_keys[i],key,sizeof(des_cblock)) == 0) return(1);
-	return(0);
-	}
-
-/* NOW DEFINED IN des_local.h
- * See ecb_encrypt.c for a pseudo description of these macros. 
- * #define PERM_OP(a,b,t,n,m) ((t)=((((a)>>(n))^(b))&(m)),\
- * 	(b)^=(t),\
- * 	(a)=((a)^((t)<<(n))))
- */
-
-#define HPERM_OP(a,t,n,m) ((t)=((((a)<<(16-(n)))^(a))&(m)),\
-	(a)=(a)^(t)^(t>>(16-(n))))
-
-/* return 0 if key parity is odd (correct),
- * return -1 if key parity error,
- * return -2 if illegal weak key.
- */
-int des_set_key(key, schedule)
-des_cblock (*key);
-des_key_schedule schedule;
-	{
-	static int shifts2[16]={0,0,1,1,1,1,1,1,0,1,1,1,1,1,1,0};
-	register DES_LONG c,d,t,s,t2;
-	register unsigned char *in;
-	register DES_LONG *k;
-	register int i;
-
-	if (des_check_key)
-		{
-		if (!check_parity(key))
-			return(-1);
-
-		if (des_is_weak_key(key))
-			return(-2);
-		}
-
-	k=(DES_LONG *)schedule;
-	in=(unsigned char *)key;
-
-	c2l(in,c);
-	c2l(in,d);
-
-	/* do PC1 in 60 simple operations */ 
-/*	PERM_OP(d,c,t,4,0x0f0f0f0fL);
-	HPERM_OP(c,t,-2, 0xcccc0000L);
-	HPERM_OP(c,t,-1, 0xaaaa0000L);
-	HPERM_OP(c,t, 8, 0x00ff0000L);
-	HPERM_OP(c,t,-1, 0xaaaa0000L);
-	HPERM_OP(d,t,-8, 0xff000000L);
-	HPERM_OP(d,t, 8, 0x00ff0000L);
-	HPERM_OP(d,t, 2, 0x33330000L);
-	d=((d&0x00aa00aaL)<<7L)|((d&0x55005500L)>>7L)|(d&0xaa55aa55L);
-	d=(d>>8)|((c&0xf0000000L)>>4);
-	c&=0x0fffffffL; */
-
-	/* I now do it in 47 simple operations :-)
-	 * Thanks to John Fletcher (john_fletcher@lccmail.ocf.llnl.gov)
-	 * for the inspiration. :-) */
-	PERM_OP (d,c,t,4,0x0f0f0f0fL);
-	HPERM_OP(c,t,-2,0xcccc0000L);
-	HPERM_OP(d,t,-2,0xcccc0000L);
-	PERM_OP (d,c,t,1,0x55555555L);
-	PERM_OP (c,d,t,8,0x00ff00ffL);
-	PERM_OP (d,c,t,1,0x55555555L);
-	d=	(((d&0x000000ffL)<<16L)| (d&0x0000ff00L)     |
-		 ((d&0x00ff0000L)>>16L)|((c&0xf0000000L)>>4L));
-	c&=0x0fffffffL;
-
-	for (i=0; i<ITERATIONS; i++)
-		{
-		if (shifts2[i])
-			{ c=((c>>2L)|(c<<26L)); d=((d>>2L)|(d<<26L)); }
-		else
-			{ c=((c>>1L)|(c<<27L)); d=((d>>1L)|(d<<27L)); }
-		c&=0x0fffffffL;
-		d&=0x0fffffffL;
-		/* could be a few less shifts but I am to lazy at this
-		 * point in time to investigate */
-		s=	des_skb[0][ (c    )&0x3f                ]|
-			des_skb[1][((c>> 6)&0x03)|((c>> 7L)&0x3c)]|
-			des_skb[2][((c>>13)&0x0f)|((c>>14L)&0x30)]|
-			des_skb[3][((c>>20)&0x01)|((c>>21L)&0x06) |
-						  ((c>>22L)&0x38)];
-		t=	des_skb[4][ (d    )&0x3f                ]|
-			des_skb[5][((d>> 7L)&0x03)|((d>> 8L)&0x3c)]|
-			des_skb[6][ (d>>15L)&0x3f                ]|
-			des_skb[7][((d>>21L)&0x0f)|((d>>22L)&0x30)];
-
-		/* table contained 0213 4657 */
-		t2=((t<<16L)|(s&0x0000ffffL))&0xffffffffL;
-		*(k++)=ROTATE(t2,30)&0xffffffffL;
-
-		t2=((s>>16L)|(t&0xffff0000L));
-		*(k++)=ROTATE(t2,26)&0xffffffffL;
-		}
-	return(0);
-	}
-
-int des_key_sched(key, schedule)
-des_cblock (*key);
-des_key_schedule schedule;
-	{
-	return(des_set_key(key,schedule));
-	}
diff --git a/src/libcrypto/libdes/sk.h b/src/libcrypto/libdes/sk.h
deleted file mode 100644
index 240703070..000000000
--- a/src/libcrypto/libdes/sk.h
+++ /dev/null
@@ -1,204 +0,0 @@
-/* crypto/des/sk.h */
-/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- * 
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * 
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-static const DES_LONG des_skb[8][64]={
-{
-/* for C bits (numbered as per FIPS 46) 1 2 3 4 5 6 */
-0x00000000L,0x00000010L,0x20000000L,0x20000010L,
-0x00010000L,0x00010010L,0x20010000L,0x20010010L,
-0x00000800L,0x00000810L,0x20000800L,0x20000810L,
-0x00010800L,0x00010810L,0x20010800L,0x20010810L,
-0x00000020L,0x00000030L,0x20000020L,0x20000030L,
-0x00010020L,0x00010030L,0x20010020L,0x20010030L,
-0x00000820L,0x00000830L,0x20000820L,0x20000830L,
-0x00010820L,0x00010830L,0x20010820L,0x20010830L,
-0x00080000L,0x00080010L,0x20080000L,0x20080010L,
-0x00090000L,0x00090010L,0x20090000L,0x20090010L,
-0x00080800L,0x00080810L,0x20080800L,0x20080810L,
-0x00090800L,0x00090810L,0x20090800L,0x20090810L,
-0x00080020L,0x00080030L,0x20080020L,0x20080030L,
-0x00090020L,0x00090030L,0x20090020L,0x20090030L,
-0x00080820L,0x00080830L,0x20080820L,0x20080830L,
-0x00090820L,0x00090830L,0x20090820L,0x20090830L,
-},{
-/* for C bits (numbered as per FIPS 46) 7 8 10 11 12 13 */
-0x00000000L,0x02000000L,0x00002000L,0x02002000L,
-0x00200000L,0x02200000L,0x00202000L,0x02202000L,
-0x00000004L,0x02000004L,0x00002004L,0x02002004L,
-0x00200004L,0x02200004L,0x00202004L,0x02202004L,
-0x00000400L,0x02000400L,0x00002400L,0x02002400L,
-0x00200400L,0x02200400L,0x00202400L,0x02202400L,
-0x00000404L,0x02000404L,0x00002404L,0x02002404L,
-0x00200404L,0x02200404L,0x00202404L,0x02202404L,
-0x10000000L,0x12000000L,0x10002000L,0x12002000L,
-0x10200000L,0x12200000L,0x10202000L,0x12202000L,
-0x10000004L,0x12000004L,0x10002004L,0x12002004L,
-0x10200004L,0x12200004L,0x10202004L,0x12202004L,
-0x10000400L,0x12000400L,0x10002400L,0x12002400L,
-0x10200400L,0x12200400L,0x10202400L,0x12202400L,
-0x10000404L,0x12000404L,0x10002404L,0x12002404L,
-0x10200404L,0x12200404L,0x10202404L,0x12202404L,
-},{
-/* for C bits (numbered as per FIPS 46) 14 15 16 17 19 20 */
-0x00000000L,0x00000001L,0x00040000L,0x00040001L,
-0x01000000L,0x01000001L,0x01040000L,0x01040001L,
-0x00000002L,0x00000003L,0x00040002L,0x00040003L,
-0x01000002L,0x01000003L,0x01040002L,0x01040003L,
-0x00000200L,0x00000201L,0x00040200L,0x00040201L,
-0x01000200L,0x01000201L,0x01040200L,0x01040201L,
-0x00000202L,0x00000203L,0x00040202L,0x00040203L,
-0x01000202L,0x01000203L,0x01040202L,0x01040203L,
-0x08000000L,0x08000001L,0x08040000L,0x08040001L,
-0x09000000L,0x09000001L,0x09040000L,0x09040001L,
-0x08000002L,0x08000003L,0x08040002L,0x08040003L,
-0x09000002L,0x09000003L,0x09040002L,0x09040003L,
-0x08000200L,0x08000201L,0x08040200L,0x08040201L,
-0x09000200L,0x09000201L,0x09040200L,0x09040201L,
-0x08000202L,0x08000203L,0x08040202L,0x08040203L,
-0x09000202L,0x09000203L,0x09040202L,0x09040203L,
-},{
-/* for C bits (numbered as per FIPS 46) 21 23 24 26 27 28 */
-0x00000000L,0x00100000L,0x00000100L,0x00100100L,
-0x00000008L,0x00100008L,0x00000108L,0x00100108L,
-0x00001000L,0x00101000L,0x00001100L,0x00101100L,
-0x00001008L,0x00101008L,0x00001108L,0x00101108L,
-0x04000000L,0x04100000L,0x04000100L,0x04100100L,
-0x04000008L,0x04100008L,0x04000108L,0x04100108L,
-0x04001000L,0x04101000L,0x04001100L,0x04101100L,
-0x04001008L,0x04101008L,0x04001108L,0x04101108L,
-0x00020000L,0x00120000L,0x00020100L,0x00120100L,
-0x00020008L,0x00120008L,0x00020108L,0x00120108L,
-0x00021000L,0x00121000L,0x00021100L,0x00121100L,
-0x00021008L,0x00121008L,0x00021108L,0x00121108L,
-0x04020000L,0x04120000L,0x04020100L,0x04120100L,
-0x04020008L,0x04120008L,0x04020108L,0x04120108L,
-0x04021000L,0x04121000L,0x04021100L,0x04121100L,
-0x04021008L,0x04121008L,0x04021108L,0x04121108L,
-},{
-/* for D bits (numbered as per FIPS 46) 1 2 3 4 5 6 */
-0x00000000L,0x10000000L,0x00010000L,0x10010000L,
-0x00000004L,0x10000004L,0x00010004L,0x10010004L,
-0x20000000L,0x30000000L,0x20010000L,0x30010000L,
-0x20000004L,0x30000004L,0x20010004L,0x30010004L,
-0x00100000L,0x10100000L,0x00110000L,0x10110000L,
-0x00100004L,0x10100004L,0x00110004L,0x10110004L,
-0x20100000L,0x30100000L,0x20110000L,0x30110000L,
-0x20100004L,0x30100004L,0x20110004L,0x30110004L,
-0x00001000L,0x10001000L,0x00011000L,0x10011000L,
-0x00001004L,0x10001004L,0x00011004L,0x10011004L,
-0x20001000L,0x30001000L,0x20011000L,0x30011000L,
-0x20001004L,0x30001004L,0x20011004L,0x30011004L,
-0x00101000L,0x10101000L,0x00111000L,0x10111000L,
-0x00101004L,0x10101004L,0x00111004L,0x10111004L,
-0x20101000L,0x30101000L,0x20111000L,0x30111000L,
-0x20101004L,0x30101004L,0x20111004L,0x30111004L,
-},{
-/* for D bits (numbered as per FIPS 46) 8 9 11 12 13 14 */
-0x00000000L,0x08000000L,0x00000008L,0x08000008L,
-0x00000400L,0x08000400L,0x00000408L,0x08000408L,
-0x00020000L,0x08020000L,0x00020008L,0x08020008L,
-0x00020400L,0x08020400L,0x00020408L,0x08020408L,
-0x00000001L,0x08000001L,0x00000009L,0x08000009L,
-0x00000401L,0x08000401L,0x00000409L,0x08000409L,
-0x00020001L,0x08020001L,0x00020009L,0x08020009L,
-0x00020401L,0x08020401L,0x00020409L,0x08020409L,
-0x02000000L,0x0A000000L,0x02000008L,0x0A000008L,
-0x02000400L,0x0A000400L,0x02000408L,0x0A000408L,
-0x02020000L,0x0A020000L,0x02020008L,0x0A020008L,
-0x02020400L,0x0A020400L,0x02020408L,0x0A020408L,
-0x02000001L,0x0A000001L,0x02000009L,0x0A000009L,
-0x02000401L,0x0A000401L,0x02000409L,0x0A000409L,
-0x02020001L,0x0A020001L,0x02020009L,0x0A020009L,
-0x02020401L,0x0A020401L,0x02020409L,0x0A020409L,
-},{
-/* for D bits (numbered as per FIPS 46) 16 17 18 19 20 21 */
-0x00000000L,0x00000100L,0x00080000L,0x00080100L,
-0x01000000L,0x01000100L,0x01080000L,0x01080100L,
-0x00000010L,0x00000110L,0x00080010L,0x00080110L,
-0x01000010L,0x01000110L,0x01080010L,0x01080110L,
-0x00200000L,0x00200100L,0x00280000L,0x00280100L,
-0x01200000L,0x01200100L,0x01280000L,0x01280100L,
-0x00200010L,0x00200110L,0x00280010L,0x00280110L,
-0x01200010L,0x01200110L,0x01280010L,0x01280110L,
-0x00000200L,0x00000300L,0x00080200L,0x00080300L,
-0x01000200L,0x01000300L,0x01080200L,0x01080300L,
-0x00000210L,0x00000310L,0x00080210L,0x00080310L,
-0x01000210L,0x01000310L,0x01080210L,0x01080310L,
-0x00200200L,0x00200300L,0x00280200L,0x00280300L,
-0x01200200L,0x01200300L,0x01280200L,0x01280300L,
-0x00200210L,0x00200310L,0x00280210L,0x00280310L,
-0x01200210L,0x01200310L,0x01280210L,0x01280310L,
-},{
-/* for D bits (numbered as per FIPS 46) 22 23 24 25 27 28 */
-0x00000000L,0x04000000L,0x00040000L,0x04040000L,
-0x00000002L,0x04000002L,0x00040002L,0x04040002L,
-0x00002000L,0x04002000L,0x00042000L,0x04042000L,
-0x00002002L,0x04002002L,0x00042002L,0x04042002L,
-0x00000020L,0x04000020L,0x00040020L,0x04040020L,
-0x00000022L,0x04000022L,0x00040022L,0x04040022L,
-0x00002020L,0x04002020L,0x00042020L,0x04042020L,
-0x00002022L,0x04002022L,0x00042022L,0x04042022L,
-0x00000800L,0x04000800L,0x00040800L,0x04040800L,
-0x00000802L,0x04000802L,0x00040802L,0x04040802L,
-0x00002800L,0x04002800L,0x00042800L,0x04042800L,
-0x00002802L,0x04002802L,0x00042802L,0x04042802L,
-0x00000820L,0x04000820L,0x00040820L,0x04040820L,
-0x00000822L,0x04000822L,0x00040822L,0x04040822L,
-0x00002820L,0x04002820L,0x00042820L,0x04042820L,
-0x00002822L,0x04002822L,0x00042822L,0x04042822L,
-}};
diff --git a/src/libcrypto/libdes/spr.h b/src/libcrypto/libdes/spr.h
deleted file mode 100644
index a84d6a723..000000000
--- a/src/libcrypto/libdes/spr.h
+++ /dev/null
@@ -1,204 +0,0 @@
-/* crypto/des/spr.h */
-/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- * 
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * 
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-const DES_LONG des_SPtrans[8][64]={
-{
-/* nibble 0 */
-0x02080800L, 0x00080000L, 0x02000002L, 0x02080802L,
-0x02000000L, 0x00080802L, 0x00080002L, 0x02000002L,
-0x00080802L, 0x02080800L, 0x02080000L, 0x00000802L,
-0x02000802L, 0x02000000L, 0x00000000L, 0x00080002L,
-0x00080000L, 0x00000002L, 0x02000800L, 0x00080800L,
-0x02080802L, 0x02080000L, 0x00000802L, 0x02000800L,
-0x00000002L, 0x00000800L, 0x00080800L, 0x02080002L,
-0x00000800L, 0x02000802L, 0x02080002L, 0x00000000L,
-0x00000000L, 0x02080802L, 0x02000800L, 0x00080002L,
-0x02080800L, 0x00080000L, 0x00000802L, 0x02000800L,
-0x02080002L, 0x00000800L, 0x00080800L, 0x02000002L,
-0x00080802L, 0x00000002L, 0x02000002L, 0x02080000L,
-0x02080802L, 0x00080800L, 0x02080000L, 0x02000802L,
-0x02000000L, 0x00000802L, 0x00080002L, 0x00000000L,
-0x00080000L, 0x02000000L, 0x02000802L, 0x02080800L,
-0x00000002L, 0x02080002L, 0x00000800L, 0x00080802L,
-},{
-/* nibble 1 */
-0x40108010L, 0x00000000L, 0x00108000L, 0x40100000L,
-0x40000010L, 0x00008010L, 0x40008000L, 0x00108000L,
-0x00008000L, 0x40100010L, 0x00000010L, 0x40008000L,
-0x00100010L, 0x40108000L, 0x40100000L, 0x00000010L,
-0x00100000L, 0x40008010L, 0x40100010L, 0x00008000L,
-0x00108010L, 0x40000000L, 0x00000000L, 0x00100010L,
-0x40008010L, 0x00108010L, 0x40108000L, 0x40000010L,
-0x40000000L, 0x00100000L, 0x00008010L, 0x40108010L,
-0x00100010L, 0x40108000L, 0x40008000L, 0x00108010L,
-0x40108010L, 0x00100010L, 0x40000010L, 0x00000000L,
-0x40000000L, 0x00008010L, 0x00100000L, 0x40100010L,
-0x00008000L, 0x40000000L, 0x00108010L, 0x40008010L,
-0x40108000L, 0x00008000L, 0x00000000L, 0x40000010L,
-0x00000010L, 0x40108010L, 0x00108000L, 0x40100000L,
-0x40100010L, 0x00100000L, 0x00008010L, 0x40008000L,
-0x40008010L, 0x00000010L, 0x40100000L, 0x00108000L,
-},{
-/* nibble 2 */
-0x04000001L, 0x04040100L, 0x00000100L, 0x04000101L,
-0x00040001L, 0x04000000L, 0x04000101L, 0x00040100L,
-0x04000100L, 0x00040000L, 0x04040000L, 0x00000001L,
-0x04040101L, 0x00000101L, 0x00000001L, 0x04040001L,
-0x00000000L, 0x00040001L, 0x04040100L, 0x00000100L,
-0x00000101L, 0x04040101L, 0x00040000L, 0x04000001L,
-0x04040001L, 0x04000100L, 0x00040101L, 0x04040000L,
-0x00040100L, 0x00000000L, 0x04000000L, 0x00040101L,
-0x04040100L, 0x00000100L, 0x00000001L, 0x00040000L,
-0x00000101L, 0x00040001L, 0x04040000L, 0x04000101L,
-0x00000000L, 0x04040100L, 0x00040100L, 0x04040001L,
-0x00040001L, 0x04000000L, 0x04040101L, 0x00000001L,
-0x00040101L, 0x04000001L, 0x04000000L, 0x04040101L,
-0x00040000L, 0x04000100L, 0x04000101L, 0x00040100L,
-0x04000100L, 0x00000000L, 0x04040001L, 0x00000101L,
-0x04000001L, 0x00040101L, 0x00000100L, 0x04040000L,
-},{
-/* nibble 3 */
-0x00401008L, 0x10001000L, 0x00000008L, 0x10401008L,
-0x00000000L, 0x10400000L, 0x10001008L, 0x00400008L,
-0x10401000L, 0x10000008L, 0x10000000L, 0x00001008L,
-0x10000008L, 0x00401008L, 0x00400000L, 0x10000000L,
-0x10400008L, 0x00401000L, 0x00001000L, 0x00000008L,
-0x00401000L, 0x10001008L, 0x10400000L, 0x00001000L,
-0x00001008L, 0x00000000L, 0x00400008L, 0x10401000L,
-0x10001000L, 0x10400008L, 0x10401008L, 0x00400000L,
-0x10400008L, 0x00001008L, 0x00400000L, 0x10000008L,
-0x00401000L, 0x10001000L, 0x00000008L, 0x10400000L,
-0x10001008L, 0x00000000L, 0x00001000L, 0x00400008L,
-0x00000000L, 0x10400008L, 0x10401000L, 0x00001000L,
-0x10000000L, 0x10401008L, 0x00401008L, 0x00400000L,
-0x10401008L, 0x00000008L, 0x10001000L, 0x00401008L,
-0x00400008L, 0x00401000L, 0x10400000L, 0x10001008L,
-0x00001008L, 0x10000000L, 0x10000008L, 0x10401000L,
-},{
-/* nibble 4 */
-0x08000000L, 0x00010000L, 0x00000400L, 0x08010420L,
-0x08010020L, 0x08000400L, 0x00010420L, 0x08010000L,
-0x00010000L, 0x00000020L, 0x08000020L, 0x00010400L,
-0x08000420L, 0x08010020L, 0x08010400L, 0x00000000L,
-0x00010400L, 0x08000000L, 0x00010020L, 0x00000420L,
-0x08000400L, 0x00010420L, 0x00000000L, 0x08000020L,
-0x00000020L, 0x08000420L, 0x08010420L, 0x00010020L,
-0x08010000L, 0x00000400L, 0x00000420L, 0x08010400L,
-0x08010400L, 0x08000420L, 0x00010020L, 0x08010000L,
-0x00010000L, 0x00000020L, 0x08000020L, 0x08000400L,
-0x08000000L, 0x00010400L, 0x08010420L, 0x00000000L,
-0x00010420L, 0x08000000L, 0x00000400L, 0x00010020L,
-0x08000420L, 0x00000400L, 0x00000000L, 0x08010420L,
-0x08010020L, 0x08010400L, 0x00000420L, 0x00010000L,
-0x00010400L, 0x08010020L, 0x08000400L, 0x00000420L,
-0x00000020L, 0x00010420L, 0x08010000L, 0x08000020L,
-},{
-/* nibble 5 */
-0x80000040L, 0x00200040L, 0x00000000L, 0x80202000L,
-0x00200040L, 0x00002000L, 0x80002040L, 0x00200000L,
-0x00002040L, 0x80202040L, 0x00202000L, 0x80000000L,
-0x80002000L, 0x80000040L, 0x80200000L, 0x00202040L,
-0x00200000L, 0x80002040L, 0x80200040L, 0x00000000L,
-0x00002000L, 0x00000040L, 0x80202000L, 0x80200040L,
-0x80202040L, 0x80200000L, 0x80000000L, 0x00002040L,
-0x00000040L, 0x00202000L, 0x00202040L, 0x80002000L,
-0x00002040L, 0x80000000L, 0x80002000L, 0x00202040L,
-0x80202000L, 0x00200040L, 0x00000000L, 0x80002000L,
-0x80000000L, 0x00002000L, 0x80200040L, 0x00200000L,
-0x00200040L, 0x80202040L, 0x00202000L, 0x00000040L,
-0x80202040L, 0x00202000L, 0x00200000L, 0x80002040L,
-0x80000040L, 0x80200000L, 0x00202040L, 0x00000000L,
-0x00002000L, 0x80000040L, 0x80002040L, 0x80202000L,
-0x80200000L, 0x00002040L, 0x00000040L, 0x80200040L,
-},{
-/* nibble 6 */
-0x00004000L, 0x00000200L, 0x01000200L, 0x01000004L,
-0x01004204L, 0x00004004L, 0x00004200L, 0x00000000L,
-0x01000000L, 0x01000204L, 0x00000204L, 0x01004000L,
-0x00000004L, 0x01004200L, 0x01004000L, 0x00000204L,
-0x01000204L, 0x00004000L, 0x00004004L, 0x01004204L,
-0x00000000L, 0x01000200L, 0x01000004L, 0x00004200L,
-0x01004004L, 0x00004204L, 0x01004200L, 0x00000004L,
-0x00004204L, 0x01004004L, 0x00000200L, 0x01000000L,
-0x00004204L, 0x01004000L, 0x01004004L, 0x00000204L,
-0x00004000L, 0x00000200L, 0x01000000L, 0x01004004L,
-0x01000204L, 0x00004204L, 0x00004200L, 0x00000000L,
-0x00000200L, 0x01000004L, 0x00000004L, 0x01000200L,
-0x00000000L, 0x01000204L, 0x01000200L, 0x00004200L,
-0x00000204L, 0x00004000L, 0x01004204L, 0x01000000L,
-0x01004200L, 0x00000004L, 0x00004004L, 0x01004204L,
-0x01000004L, 0x01004200L, 0x01004000L, 0x00004004L,
-},{
-/* nibble 7 */
-0x20800080L, 0x20820000L, 0x00020080L, 0x00000000L,
-0x20020000L, 0x00800080L, 0x20800000L, 0x20820080L,
-0x00000080L, 0x20000000L, 0x00820000L, 0x00020080L,
-0x00820080L, 0x20020080L, 0x20000080L, 0x20800000L,
-0x00020000L, 0x00820080L, 0x00800080L, 0x20020000L,
-0x20820080L, 0x20000080L, 0x00000000L, 0x00820000L,
-0x20000000L, 0x00800000L, 0x20020080L, 0x20800080L,
-0x00800000L, 0x00020000L, 0x20820000L, 0x00000080L,
-0x00800000L, 0x00020000L, 0x20000080L, 0x20820080L,
-0x00020080L, 0x20000000L, 0x00000000L, 0x00820000L,
-0x20800080L, 0x20020080L, 0x20020000L, 0x00800080L,
-0x20820000L, 0x00000080L, 0x00800080L, 0x20020000L,
-0x20820080L, 0x00800000L, 0x20800000L, 0x20000080L,
-0x00820000L, 0x00020080L, 0x20020080L, 0x20800000L,
-0x00000080L, 0x20820000L, 0x00820080L, 0x00000000L,
-0x20000000L, 0x20800080L, 0x00020000L, 0x00820080L,
-}};
diff --git a/src/libcrypto/libserpent/serpent.c b/src/libcrypto/libserpent/serpent.c
deleted file mode 100644
index f2cea250e..000000000
--- a/src/libcrypto/libserpent/serpent.c
+++ /dev/null
@@ -1,995 +0,0 @@
-
-/* Optimized implementation of the Serpent AES candidate algorithm
- * Designed by Anderson, Biham and Knudsen and Implemented by 
- * Gisle Sælensminde 2000. 
- *
- * The implementation is based on the pentium optimised sboxes of
- * Dag Arne Osvik. Even these sboxes are designed to be optimal for x86 
- * processors they are efficient on other processors as well, but the speedup 
- * isn't so impressive compared to other implementations.
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Library General Public License
- * as published by the Free Software Foundation; either version 2 of
- * the License, or (at your option) any later version. 
- */
-
-#ifdef __KERNEL__
-#include <linux/init.h>
-#include <linux/types.h>
-
-#include <asm/byteorder.h>
-#else
-#include <sys/types.h>
-#include <asm/byteorder.h>
-#endif
-
-#include "serpent.h"
-
-#define rotl(reg, val) ((reg << val) | (reg >> (32 - val)))
-#define rotr(reg, val) ((reg >> val) | (reg << (32 - val)))
- 
-#ifdef __cpu_to_be32
-#define BLOCK_SWAP
-#define io_swap(x)  __cpu_to_be32(x)
-#else
-#undef BLOCK_SWAP
-#endif
-
-/* The sbox functions. The first four parameters is the input bits, and 
- * the last is a tempoary. These parameters are also used for output, but
- * the bit order is permuted. The output bit order from S0 is
- * (1 4 2 0 3), where 3 is the (now useless) tempoary. 
- */
-
-#define S0(r0,r1,r2,r3,r4) \
-      r3 = r3 ^ r0; \
-      r4 = r1; \
-      r1 = r1 & r3; \
-      r4 = r4 ^ r2; \
-      r1 = r1 ^ r0; \
-      r0 = r0 | r3; \
-      r0 = r0 ^ r4; \
-      r4 = r4 ^ r3; \
-      r3 = r3 ^ r2; \
-      r2 = r2 | r1; \
-      r2 = r2 ^ r4; \
-      r4 = -1 ^ r4; \
-      r4 = r4 | r1; \
-      r1 = r1 ^ r3; \
-      r1 = r1 ^ r4; \
-      r3 = r3 | r0; \
-      r1 = r1 ^ r3; \
-      r4 = r4 ^ r3; 
-
-#define S1(r0,r1,r2,r3,r4) \
-      r1 = -1 ^ r1; \
-      r4 = r0; \
-      r0 = r0 ^ r1; \
-      r4 = r4 | r1; \
-      r4 = r4 ^ r3; \
-      r3 = r3 & r0; \
-      r2 = r2 ^ r4; \
-      r3 = r3 ^ r1; \
-      r3 = r3 | r2; \
-      r0 = r0 ^ r4; \
-      r3 = r3 ^ r0; \
-      r1 = r1 & r2; \
-      r0 = r0 | r1; \
-      r1 = r1 ^ r4; \
-      r0 = r0 ^ r2; \
-      r4 = r4 | r3; \
-      r0 = r0 ^ r4; \
-      r4 = -1 ^ r4; \
-      r1 = r1 ^ r3; \
-      r4 = r4 & r2; \
-      r1 = -1 ^ r1; \
-      r4 = r4 ^ r0; \
-      r1 = r1 ^ r4; 
-
-#define S2(r0,r1,r2,r3,r4) \
-      r4 = r0; \
-      r0 = r0 & r2; \
-      r0 = r0 ^ r3; \
-      r2 = r2 ^ r1; \
-      r2 = r2 ^ r0; \
-      r3 = r3 | r4; \
-      r3 = r3 ^ r1; \
-      r4 = r4 ^ r2; \
-      r1 = r3; \
-      r3 = r3 | r4; \
-      r3 = r3 ^ r0; \
-      r0 = r0 & r1; \
-      r4 = r4 ^ r0; \
-      r1 = r1 ^ r3; \
-      r1 = r1 ^ r4; \
-      r4 = -1 ^ r4; 
-
-#define S3(r0,r1,r2,r3,r4) \
-      r4 = r0 ; \
-      r0 = r0 | r3; \
-      r3 = r3 ^ r1; \
-      r1 = r1 & r4; \
-      r4 = r4 ^ r2; \
-      r2 = r2 ^ r3; \
-      r3 = r3 & r0; \
-      r4 = r4 | r1; \
-      r3 = r3 ^ r4; \
-      r0 = r0 ^ r1; \
-      r4 = r4 & r0; \
-      r1 = r1 ^ r3; \
-      r4 = r4 ^ r2; \
-      r1 = r1 | r0; \
-      r1 = r1 ^ r2; \
-      r0 = r0 ^ r3; \
-      r2 = r1; \
-      r1 = r1 | r3; \
-      r1 = r1 ^ r0; 
-
-#define S4(r0,r1,r2,r3,r4) \
-      r1 = r1 ^ r3; \
-      r3 = -1 ^ r3; \
-      r2 = r2 ^ r3; \
-      r3 = r3 ^ r0; \
-      r4 = r1; \
-      r1 = r1 & r3; \
-      r1 = r1 ^ r2; \
-      r4 = r4 ^ r3; \
-      r0 = r0 ^ r4; \
-      r2 = r2 & r4; \
-      r2 = r2 ^ r0; \
-      r0 = r0 & r1; \
-      r3 = r3 ^ r0; \
-      r4 = r4 | r1; \
-      r4 = r4 ^ r0; \
-      r0 = r0 | r3; \
-      r0 = r0 ^ r2; \
-      r2 = r2 & r3; \
-      r0 = -1 ^ r0; \
-      r4 = r4 ^ r2; 
-
-#define S5(r0,r1,r2,r3,r4) \
-      r0 = r0 ^ r1; \
-      r1 = r1 ^ r3; \
-      r3 = -1 ^ r3; \
-      r4 = r1; \
-      r1 = r1 & r0; \
-      r2 = r2 ^ r3; \
-      r1 = r1 ^ r2; \
-      r2 = r2 | r4; \
-      r4 = r4 ^ r3; \
-      r3 = r3 & r1; \
-      r3 = r3 ^ r0; \
-      r4 = r4 ^ r1; \
-      r4 = r4 ^ r2; \
-      r2 = r2 ^ r0; \
-      r0 = r0 & r3; \
-      r2 = -1 ^ r2; \
-      r0 = r0 ^ r4; \
-      r4 = r4 | r3; \
-      r2 = r2 ^ r4; 
-
-#define S6(r0,r1,r2,r3,r4) \
-      r2 = -1 ^ r2; \
-      r4 = r3; \
-      r3 = r3 & r0; \
-      r0 = r0 ^ r4; \
-      r3 = r3 ^ r2; \
-      r2 = r2 | r4; \
-      r1 = r1 ^ r3; \
-      r2 = r2 ^ r0; \
-      r0 = r0 | r1; \
-      r2 = r2 ^ r1; \
-      r4 = r4 ^ r0; \
-      r0 = r0 | r3; \
-      r0 = r0 ^ r2; \
-      r4 = r4 ^ r3; \
-      r4 = r4 ^ r0; \
-      r3 = -1 ^ r3; \
-      r2 = r2 & r4; \
-      r2 = r2 ^ r3; 
-
-#define S7(r0,r1,r2,r3,r4) \
-      r4 = r2; \
-      r2 = r2 & r1; \
-      r2 = r2 ^ r3; \
-      r3 = r3 & r1; \
-      r4 = r4 ^ r2; \
-      r2 = r2 ^ r1; \
-      r1 = r1 ^ r0; \
-      r0 = r0 | r4; \
-      r0 = r0 ^ r2; \
-      r3 = r3 ^ r1; \
-      r2 = r2 ^ r3; \
-      r3 = r3 & r0; \
-      r3 = r3 ^ r4; \
-      r4 = r4 ^ r2; \
-      r2 = r2 & r0; \
-      r4 = -1 ^ r4; \
-      r2 = r2 ^ r4; \
-      r4 = r4 & r0; \
-      r1 = r1 ^ r3; \
-      r4 = r4 ^ r1; 
-
-/* The inverse sboxes */
-
-#define I0(r0,r1,r2,r3,r4) \
-      r2 = r2 ^ -1; \
-      r4 = r1; \
-      r1 = r1 | r0; \
-      r4 = r4 ^ -1; \
-      r1 = r1 ^ r2; \
-      r2 = r2 | r4; \
-      r1 = r1 ^ r3; \
-      r0 = r0 ^ r4; \
-      r2 = r2 ^ r0; \
-      r0 = r0 & r3; \
-      r4 = r4 ^ r0; \
-      r0 = r0 | r1; \
-      r0 = r0 ^ r2; \
-      r3 = r3 ^ r4; \
-      r2 = r2 ^ r1; \
-      r3 = r3 ^ r0; \
-      r3 = r3 ^ r1; \
-      r2 = r2 & r3; \
-      r4 = r4 ^ r2; 
- 
-#define I1(r0,r1,r2,r3,r4) \
-      r4 = r1; \
-      r1 = r1 ^ r3; \
-      r3 = r3 & r1; \
-      r4 = r4 ^ r2; \
-      r3 = r3 ^ r0; \
-      r0 = r0 | r1; \
-      r2 = r2 ^ r3; \
-      r0 = r0 ^ r4; \
-      r0 = r0 | r2; \
-      r1 = r1 ^ r3; \
-      r0 = r0 ^ r1; \
-      r1 = r1 | r3; \
-      r1 = r1 ^ r0; \
-      r4 = r4 ^ -1; \
-      r4 = r4 ^ r1; \
-      r1 = r1 | r0; \
-      r1 = r1 ^ r0; \
-      r1 = r1 | r4; \
-      r3 = r3 ^ r1; 
-
-#define I2(r0,r1,r2,r3,r4) \
-      r2 = r2 ^ r3; \
-      r3 = r3 ^ r0; \
-      r4 =  r3; \
-      r3 = r3 & r2; \
-      r3 = r3 ^ r1; \
-      r1 = r1 | r2; \
-      r1 = r1 ^ r4; \
-      r4 = r4 & r3; \
-      r2 = r2 ^ r3; \
-      r4 = r4 & r0; \
-      r4 = r4 ^ r2; \
-      r2 = r2 & r1; \
-      r2 = r2 | r0; \
-      r3 = r3 ^ -1; \
-      r2 = r2 ^ r3; \
-      r0 = r0 ^ r3; \
-      r0 = r0 & r1; \
-      r3 = r3 ^ r4; \
-      r3 = r3 ^ r0; 
-
-#define I3(r0,r1,r2,r3,r4) \
-      r4 =  r2; \
-      r2 = r2 ^ r1; \
-      r0 = r0 ^ r2; \
-      r4 = r4 & r2; \
-      r4 = r4 ^ r0; \
-      r0 = r0 & r1; \
-      r1 = r1 ^ r3; \
-      r3 = r3 | r4; \
-      r2 = r2 ^ r3; \
-      r0 = r0 ^ r3; \
-      r1 = r1 ^ r4; \
-      r3 = r3 & r2; \
-      r3 = r3 ^ r1; \
-      r1 = r1 ^ r0; \
-      r1 = r1 | r2; \
-      r0 = r0 ^ r3; \
-      r1 = r1 ^ r4; \
-      r0 = r0 ^ r1; 
-
-#define I4(r0,r1,r2,r3,r4) \
-      r4 =  r2; \
-      r2 = r2 & r3; \
-      r2 = r2 ^ r1; \
-      r1 = r1 | r3; \
-      r1 = r1 & r0; \
-      r4 = r4 ^ r2; \
-      r4 = r4 ^ r1; \
-      r1 = r1 & r2; \
-      r0 = r0 ^ -1; \
-      r3 = r3 ^ r4; \
-      r1 = r1 ^ r3; \
-      r3 = r3 & r0; \
-      r3 = r3 ^ r2; \
-      r0 = r0 ^ r1; \
-      r2 = r2 & r0; \
-      r3 = r3 ^ r0; \
-      r2 = r2 ^ r4; \
-      r2 = r2 | r3; \
-      r3 = r3 ^ r0; \
-      r2 = r2 ^ r1; 
-
-#define I5(r0,r1,r2,r3,r4) \
-      r1 = r1 ^ -1; \
-      r4 = r3; \
-      r2 = r2 ^ r1; \
-      r3 = r3 | r0; \
-      r3 = r3 ^ r2; \
-      r2 = r2 | r1; \
-      r2 = r2 & r0; \
-      r4 = r4 ^ r3; \
-      r2 = r2 ^ r4; \
-      r4 = r4 | r0; \
-      r4 = r4 ^ r1; \
-      r1 = r1 & r2; \
-      r1 = r1 ^ r3; \
-      r4 = r4 ^ r2; \
-      r3 = r3 & r4; \
-      r4 = r4 ^ r1; \
-      r3 = r3 ^ r0; \
-      r3 = r3 ^ r4; \
-      r4 = r4 ^ -1; 
-
-
-#define I6(r0,r1,r2,r3,r4) \
-      r0 = r0 ^ r2; \
-      r4 = r2; \
-      r2 = r2 & r0; \
-      r4 = r4 ^ r3; \
-      r2 = r2 ^ -1; \
-      r3 = r3 ^ r1; \
-      r2 = r2 ^ r3; \
-      r4 = r4 | r0; \
-      r0 = r0 ^ r2; \
-      r3 = r3 ^ r4; \
-      r4 = r4 ^ r1; \
-      r1 = r1 & r3; \
-      r1 = r1 ^ r0; \
-      r0 = r0 ^ r3; \
-      r0 = r0 | r2; \
-      r3 = r3 ^ r1; \
-      r4 = r4 ^ r0; 
-
-#define I7(r0,r1,r2,r3,r4) \
-      r4 = r2; \
-      r2 = r2 ^ r0; \
-      r0 = r0 & r3; \
-      r4 = r4 | r3; \
-      r2 = r2 ^ -1; \
-      r3 = r3 ^ r1; \
-      r1 = r1 | r0; \
-      r0 = r0 ^ r2; \
-      r2 = r2 & r4; \
-      r3 = r3 & r4; \
-      r1 = r1 ^ r2; \
-      r2 = r2 ^ r0; \
-      r0 = r0 | r2; \
-      r4 = r4 ^ r1; \
-      r0 = r0 ^ r3; \
-      r3 = r3 ^ r4; \
-      r4 = r4 | r0; \
-      r3 = r3 ^ r2; \
-      r4 = r4 ^ r2; 
-
-/* forward and inverse linear transformations */
-
-#define LINTRANS(r0,r1,r2,r3,r4) \
-      r0 = rotl(r0, 13); \
-      r2 = rotl(r2, 3); \
-      r3 = r3 ^ r2; \
-      r4 = r0 << 3; \
-      r1 = r1 ^ r0; \
-      r3 = r3 ^ r4; \
-      r1 = r1 ^ r2; \
-      r3 = rotl(r3, 7); \
-      r1 = rotl(r1, 1); \
-      r2 = r2 ^ r3; \
-      r4 = r1 << 7; \
-      r0 = r0 ^ r1; \
-      r2 = r2 ^ r4; \
-      r0 = r0 ^ r3; \
-      r2 = rotl(r2, 22); \
-      r0 = rotl(r0, 5);
-     
-#define ILINTRANS(r0,r1,r2,r3,r4) \
-      r2 = rotr(r2, 22); \
-      r0 = rotr(r0, 5); \
-      r2 = r2 ^ r3; \
-      r4 = r1 << 7; \
-      r0 = r0 ^ r1; \
-      r2 = r2 ^ r4; \
-      r0 = r0 ^ r3; \
-      r3 = rotr(r3, 7); \
-      r1 = rotr(r1, 1); \
-      r3 = r3 ^ r2; \
-      r4 = r0 << 3; \
-      r1 = r1 ^ r0; \
-      r3 = r3 ^ r4; \
-      r1 = r1 ^ r2; \
-      r2 = rotr(r2, 3); \
-      r0 = rotr(r0, 13); 
-
-
-#define KEYMIX(r0,r1,r2,r3,r4,IN) \
-      r0  = r0 ^ l_key[IN+8]; \
-      r1  = r1 ^ l_key[IN+9]; \
-      r2  = r2 ^ l_key[IN+10]; \
-      r3  = r3 ^ l_key[IN+11]; 
-
-#define GETKEY(r0, r1, r2, r3, IN) \
-      r0 = l_key[IN+8]; \
-      r1 = l_key[IN+9]; \
-      r2 = l_key[IN+10]; \
-      r3 = l_key[IN+11]; 
-
-#define SETKEY(r0, r1, r2, r3, IN) \
-      l_key[IN+8] = r0; \
-      l_key[IN+9] = r1; \
-      l_key[IN+10] = r2; \
-      l_key[IN+11] = r3;
-
-/* initialise the key schedule from the user supplied key   */
-
-int serpent_set_key(serpent_context *cx, const unsigned char *key, int key_len)
-{   const u32 *in_key = (const u32 *)key;
-    /* l_key - storage for the key schedule */
-    u32 *l_key   = cx->keyinfo;
-    u32  i,lk,r0,r1,r2,r3,r4;
-
-    if (key_len != 16 && key_len != 24 && key_len != 32)
-      return -1; /* unsupported key length */
-    
-    key_len *= 8;
-
-    i = 0; lk = (key_len + 31) / 32;
-    
-    while(i < lk)
-    {
-#ifdef  BLOCK_SWAP
-        l_key[i] = io_swap(in_key[lk - i - 1]);
-#else
-        l_key[i] = in_key[i];
-#endif  
-        i++;
-    }
-
-    if (key_len < 256)
-    {
-        while(i < 8)
-
-            l_key[i++] = 0;
-
-        i = key_len / 32; lk = 1 << key_len % 32; 
-
-        l_key[i] &= lk - 1;
-        l_key[i] |= lk;
-    }
-
-    for(i = 0; i < 132; ++i)
-    {
-        lk = l_key[i] ^ l_key[i + 3] ^ l_key[i + 5] 
-                                ^ l_key[i + 7] ^ 0x9e3779b9 ^ i;
-
-        l_key[i + 8] = (lk << 11) | (lk >> 21); 
-    }
-
-      GETKEY(r0, r1, r2, r3, 0);
-      S3(r0,r1,r2,r3,r4);
-      SETKEY(r1, r2, r3, r4, 0) 
-
-      GETKEY(r0, r1, r2, r3, 4);
-      S2(r0,r1,r2,r3,r4);
-      SETKEY(r2, r3, r1, r4, 4) 
-
-      GETKEY(r0, r1, r2, r3, 8);
-      S1(r0,r1,r2,r3,r4);
-      SETKEY(r3, r1, r2, r0, 8) 
-
-      GETKEY(r0, r1, r2, r3, 12);
-      S0(r0,r1,r2,r3,r4);
-      SETKEY(r1, r4, r2, r0, 12) 
-
-      GETKEY(r0, r1, r2, r3, 16);
-      S7(r0,r1,r2,r3,r4);
-      SETKEY(r2, r4, r3, r0, 16) 
-
-      GETKEY(r0, r1, r2, r3, 20);
-      S6(r0,r1,r2,r3,r4) 
-      SETKEY(r0, r1, r4, r2, 20) 
-
-      GETKEY(r0, r1, r2, r3, 24);
-      S5(r0,r1,r2,r3,r4);
-      SETKEY(r1, r3, r0, r2, 24) 
-
-      GETKEY(r0, r1, r2, r3, 28);
-      S4(r0,r1,r2,r3,r4) 
-      SETKEY(r1, r4, r0, r3, 28) 
-
-      GETKEY(r0, r1, r2, r3, 32);
-      S3(r0,r1,r2,r3,r4);
-      SETKEY(r1, r2, r3, r4, 32) 
-
-      GETKEY(r0, r1, r2, r3, 36);
-      S2(r0,r1,r2,r3,r4);
-      SETKEY(r2, r3, r1, r4, 36) 
-
-      GETKEY(r0, r1, r2, r3, 40);
-      S1(r0,r1,r2,r3,r4);
-      SETKEY(r3, r1, r2, r0, 40) 
-
-      GETKEY(r0, r1, r2, r3, 44);
-      S0(r0,r1,r2,r3,r4);
-      SETKEY(r1, r4, r2, r0, 44) 
-
-      GETKEY(r0, r1, r2, r3, 48);
-      S7(r0,r1,r2,r3,r4);
-      SETKEY(r2, r4, r3, r0, 48) 
-
-      GETKEY(r0, r1, r2, r3, 52);
-      S6(r0,r1,r2,r3,r4) 
-      SETKEY(r0, r1, r4, r2, 52) 
-
-      GETKEY(r0, r1, r2, r3, 56);
-      S5(r0,r1,r2,r3,r4);
-      SETKEY(r1, r3, r0, r2, 56) 
-
-      GETKEY(r0, r1, r2, r3, 60);
-      S4(r0,r1,r2,r3,r4) 
-      SETKEY(r1, r4, r0, r3, 60) 
-
-      GETKEY(r0, r1, r2, r3, 64);
-      S3(r0,r1,r2,r3,r4);
-      SETKEY(r1, r2, r3, r4, 64) 
-
-      GETKEY(r0, r1, r2, r3, 68);
-      S2(r0,r1,r2,r3,r4);
-      SETKEY(r2, r3, r1, r4, 68) 
-
-      GETKEY(r0, r1, r2, r3, 72);
-      S1(r0,r1,r2,r3,r4);
-      SETKEY(r3, r1, r2, r0, 72) 
-
-      GETKEY(r0, r1, r2, r3, 76);
-      S0(r0,r1,r2,r3,r4);
-      SETKEY(r1, r4, r2, r0, 76) 
-
-      GETKEY(r0, r1, r2, r3, 80);
-      S7(r0,r1,r2,r3,r4);
-      SETKEY(r2, r4, r3, r0, 80) 
-
-      GETKEY(r0, r1, r2, r3, 84);
-      S6(r0,r1,r2,r3,r4) 
-      SETKEY(r0, r1, r4, r2, 84) 
-
-      GETKEY(r0, r1, r2, r3, 88);
-      S5(r0,r1,r2,r3,r4);
-      SETKEY(r1, r3, r0, r2, 88) 
-
-      GETKEY(r0, r1, r2, r3, 92);
-      S4(r0,r1,r2,r3,r4) 
-      SETKEY(r1, r4, r0, r3, 92) 
-
-      GETKEY(r0, r1, r2, r3, 96);
-      S3(r0,r1,r2,r3,r4);
-      SETKEY(r1, r2, r3, r4, 96) 
-
-      GETKEY(r0, r1, r2, r3, 100);
-      S2(r0,r1,r2,r3,r4);
-      SETKEY(r2, r3, r1, r4, 100) 
-
-      GETKEY(r0, r1, r2, r3, 104);
-      S1(r0,r1,r2,r3,r4);
-      SETKEY(r3, r1, r2, r0, 104) 
-
-      GETKEY(r0, r1, r2, r3, 108);
-      S0(r0,r1,r2,r3,r4);
-      SETKEY(r1, r4, r2, r0, 108) 
-
-      GETKEY(r0, r1, r2, r3, 112);
-      S7(r0,r1,r2,r3,r4);
-      SETKEY(r2, r4, r3, r0, 112) 
-
-      GETKEY(r0, r1, r2, r3, 116);
-      S6(r0,r1,r2,r3,r4) 
-      SETKEY(r0, r1, r4, r2, 116) 
-
-      GETKEY(r0, r1, r2, r3, 120);
-      S5(r0,r1,r2,r3,r4);
-      SETKEY(r1, r3, r0, r2, 120) 
-
-      GETKEY(r0, r1, r2, r3, 124);
-      S4(r0,r1,r2,r3,r4) 
-      SETKEY(r1, r4, r0, r3, 124) 
-
-      GETKEY(r0, r1, r2, r3, 128);
-      S3(r0,r1,r2,r3,r4);
-      SETKEY(r1, r2, r3, r4, 128) 
-
-    return 0;
-};
-
-/* Encryption and decryption functions. The rounds are fully inlined. 
- * The sboxes alters the bit order of the output, and the altered
- * bit ordrer is used progressivly. */
-
-/* encrypt a block of text */
-
-int serpent_encrypt(serpent_context *cx, const u8 *in, 
-		    u8 *out)
-{    u32 *l_key = cx->keyinfo;
-     const u32 *in_blk = (const u32 *) in;
-     u32 *out_blk = (u32 *) out;
-     u32  r0,r1,r2,r3,r4;
-    
-#ifdef  BLOCK_SWAP
-    r0 = io_swap(in_blk[3]); r1 = io_swap(in_blk[2]); 
-    r2 = io_swap(in_blk[1]); r3 = io_swap(in_blk[0]);
-#else
-    r0 = in_blk[0]; r1 = in_blk[1]; r2 = in_blk[2]; r3 = in_blk[3];
-#endif
-
-      /* round 1  */
-      KEYMIX(r0,r1,r2,r3,r4,0);
-      S0(r0,r1,r2,r3,r4);
-      LINTRANS(r1,r4,r2,r0,r3);
-
-      /* round 2  */
-      KEYMIX(r1,r4,r2,r0,r3,4);
-      S1(r1,r4,r2,r0,r3);
-      LINTRANS(r0,r4,r2,r1,r3);
-
-      /* round 3  */
-      KEYMIX(r0,r4,r2,r1,r3,8);
-      S2(r0,r4,r2,r1,r3);
-      LINTRANS(r2,r1,r4,r3,r0);
-
-      /* round 4  */
-      KEYMIX(r2,r1,r4,r3,r0,12);
-      S3(r2,r1,r4,r3,r0);
-      LINTRANS(r1,r4,r3,r0,r2);
-
-      /* round 5  */
-      KEYMIX(r1,r4,r3,r0,r2,16);
-      S4(r1,r4,r3,r0,r2) 
-      LINTRANS(r4,r2,r1,r0,r3);
-
-      /* round 6  */
-      KEYMIX(r4,r2,r1,r0,r3,20);
-      S5(r4,r2,r1,r0,r3);
-      LINTRANS(r2,r0,r4,r1,r3);
-
-      /* round 7  */
-      KEYMIX(r2,r0,r4,r1,r3,24);
-      S6(r2,r0,r4,r1,r3) 
-      LINTRANS(r2,r0,r3,r4,r1);
-
-      /* round 8  */
-      KEYMIX(r2,r0,r3,r4,r1,28);
-      S7(r2,r0,r3,r4,r1);
-      LINTRANS(r3,r1,r4,r2,r0);
-
-      /* round 9  */
-      KEYMIX(r3,r1,r4,r2,r0,32);
-      S0(r3,r1,r4,r2,r0);
-      LINTRANS(r1,r0,r4,r3,r2);
-
-      /* round 10  */
-      KEYMIX(r1,r0,r4,r3,r2,36);
-      S1(r1,r0,r4,r3,r2);
-      LINTRANS(r3,r0,r4,r1,r2);
-
-      /* round 11  */
-      KEYMIX(r3,r0,r4,r1,r2,40);
-      S2(r3,r0,r4,r1,r2);
-      LINTRANS(r4,r1,r0,r2,r3);
-
-      /* round 12  */
-      KEYMIX(r4,r1,r0,r2,r3,44);
-      S3(r4,r1,r0,r2,r3);
-      LINTRANS(r1,r0,r2,r3,r4);
-
-      /* round 13  */
-      KEYMIX(r1,r0,r2,r3,r4,48);
-      S4(r1,r0,r2,r3,r4) 
-      LINTRANS(r0,r4,r1,r3,r2);
-
-      /* round 14  */
-      KEYMIX(r0,r4,r1,r3,r2,52);
-      S5(r0,r4,r1,r3,r2);
-      LINTRANS(r4,r3,r0,r1,r2);
-
-      /* round 15  */
-      KEYMIX(r4,r3,r0,r1,r2,56);
-      S6(r4,r3,r0,r1,r2) 
-      LINTRANS(r4,r3,r2,r0,r1);
-
-      /* round 16  */
-      KEYMIX(r4,r3,r2,r0,r1,60);
-      S7(r4,r3,r2,r0,r1);
-      LINTRANS(r2,r1,r0,r4,r3);
-
-      /* round 17  */
-      KEYMIX(r2,r1,r0,r4,r3,64);
-      S0(r2,r1,r0,r4,r3);
-      LINTRANS(r1,r3,r0,r2,r4);
-
-      /* round 18  */
-      KEYMIX(r1,r3,r0,r2,r4,68);
-      S1(r1,r3,r0,r2,r4);
-      LINTRANS(r2,r3,r0,r1,r4);
-
-      /* round 19  */
-      KEYMIX(r2,r3,r0,r1,r4,72);
-      S2(r2,r3,r0,r1,r4);
-      LINTRANS(r0,r1,r3,r4,r2);
-
-      /* round 20  */
-      KEYMIX(r0,r1,r3,r4,r2,76);
-      S3(r0,r1,r3,r4,r2);
-      LINTRANS(r1,r3,r4,r2,r0);
-
-      /* round 21  */
-      KEYMIX(r1,r3,r4,r2,r0,80);
-      S4(r1,r3,r4,r2,r0) 
-      LINTRANS(r3,r0,r1,r2,r4);
-
-      /* round 22  */
-      KEYMIX(r3,r0,r1,r2,r4,84);
-      S5(r3,r0,r1,r2,r4);
-      LINTRANS(r0,r2,r3,r1,r4);
-
-      /* round 23  */
-      KEYMIX(r0,r2,r3,r1,r4,88);
-      S6(r0,r2,r3,r1,r4) 
-      LINTRANS(r0,r2,r4,r3,r1);
-
-      /* round 24  */
-      KEYMIX(r0,r2,r4,r3,r1,92);
-      S7(r0,r2,r4,r3,r1);
-      LINTRANS(r4,r1,r3,r0,r2);
-
-      /* round 25  */
-      KEYMIX(r4,r1,r3,r0,r2,96);
-      S0(r4,r1,r3,r0,r2);
-      LINTRANS(r1,r2,r3,r4,r0);
-
-      /* round 26  */
-      KEYMIX(r1,r2,r3,r4,r0,100);
-      S1(r1,r2,r3,r4,r0);
-      LINTRANS(r4,r2,r3,r1,r0);
-
-      /* round 27  */
-      KEYMIX(r4,r2,r3,r1,r0,104);
-      S2(r4,r2,r3,r1,r0);
-      LINTRANS(r3,r1,r2,r0,r4);
-
-      /* round 28  */
-      KEYMIX(r3,r1,r2,r0,r4,108);
-      S3(r3,r1,r2,r0,r4);
-      LINTRANS(r1,r2,r0,r4,r3);
-
-      /* round 29  */
-      KEYMIX(r1,r2,r0,r4,r3,112);
-      S4(r1,r2,r0,r4,r3) 
-      LINTRANS(r2,r3,r1,r4,r0);
-
-      /* round 30  */
-      KEYMIX(r2,r3,r1,r4,r0,116);
-      S5(r2,r3,r1,r4,r0);
-      LINTRANS(r3,r4,r2,r1,r0);
-
-      /* round 31  */
-      KEYMIX(r3,r4,r2,r1,r0,120);
-      S6(r3,r4,r2,r1,r0) 
-      LINTRANS(r3,r4,r0,r2,r1);
-
-      /* round 32  */
-      KEYMIX(r3,r4,r0,r2,r1,124);
-      S7(r3,r4,r0,r2,r1);
-      KEYMIX(r0,r1,r2,r3,r4,128);
-
-    
-#ifdef  BLOCK_SWAP
-    out_blk[3] = io_swap(r0); out_blk[2] = io_swap(r1); 
-    out_blk[1] = io_swap(r2); out_blk[0] = io_swap(r3);
-#else
-    out_blk[0] = r0; out_blk[1] = r1; out_blk[2] = r2; out_blk[3] = r3;
-#endif
-    return 0;
-};
-
-/* decrypt a block of text  */
-
-int serpent_decrypt(serpent_context *cx, const u8 *in,
-		    u8 *out)
-{   u32 *l_key = cx->keyinfo;
-    const u32 *in_blk = (const u32 *)in;
-    u32 *out_blk = (u32 *)out;
-    u32  r0,r1,r2,r3,r4;
-    
-#ifdef  BLOCK_SWAP
-    r0 = io_swap(in_blk[3]); r1 = io_swap(in_blk[2]); 
-    r2 = io_swap(in_blk[1]); r3 = io_swap(in_blk[0]);
-#else
-    r0 = in_blk[0]; r1 = in_blk[1]; r2 = in_blk[2]; r3 = in_blk[3];
-#endif
-
-      /* round 1 */
-      KEYMIX(r0,r1,r2,r3,r4,128);
-      I7(r0,r1,r2,r3,r4);
-      KEYMIX(r3,r0,r1,r4,r2,124);
-
-      /* round 2  */
-      ILINTRANS(r3,r0,r1,r4,r2);
-      I6(r3,r0,r1,r4,r2);
-      KEYMIX(r0,r1,r2,r4,r3,120);
-
-      /* round 3  */
-      ILINTRANS(r0,r1,r2,r4,r3);
-      I5(r0,r1,r2,r4,r3);
-      KEYMIX(r1,r3,r4,r2,r0,116);
-
-      /* round 4  */
-      ILINTRANS(r1,r3,r4,r2,r0);
-      I4(r1,r3,r4,r2,r0);
-      KEYMIX(r1,r2,r4,r0,r3,112);
-
-      /* round 5  */
-      ILINTRANS(r1,r2,r4,r0,r3);
-      I3(r1,r2,r4,r0,r3);
-      KEYMIX(r4,r2,r0,r1,r3,108);
-
-      /* round 6  */
-      ILINTRANS(r4,r2,r0,r1,r3);
-      I2(r4,r2,r0,r1,r3);
-      KEYMIX(r2,r3,r0,r1,r4,104);
-
-      /* round 7  */
-      ILINTRANS(r2,r3,r0,r1,r4);
-      I1(r2,r3,r0,r1,r4);
-      KEYMIX(r4,r2,r1,r0,r3,100);
-
-      /* round 8  */
-      ILINTRANS(r4,r2,r1,r0,r3);
-      I0(r4,r2,r1,r0,r3);
-      KEYMIX(r4,r3,r2,r0,r1,96);
-
-      /* round 9  */
-      ILINTRANS(r4,r3,r2,r0,r1);
-      I7(r4,r3,r2,r0,r1);
-      KEYMIX(r0,r4,r3,r1,r2,92);
-
-      /* round 10  */
-      ILINTRANS(r0,r4,r3,r1,r2);
-      I6(r0,r4,r3,r1,r2);
-      KEYMIX(r4,r3,r2,r1,r0,88);
-
-      /* round 11  */
-      ILINTRANS(r4,r3,r2,r1,r0);
-      I5(r4,r3,r2,r1,r0);
-      KEYMIX(r3,r0,r1,r2,r4,84);
-
-      /* round 12  */
-      ILINTRANS(r3,r0,r1,r2,r4);
-      I4(r3,r0,r1,r2,r4);
-      KEYMIX(r3,r2,r1,r4,r0,80);
-
-      /* round 13  */
-      ILINTRANS(r3,r2,r1,r4,r0);
-      I3(r3,r2,r1,r4,r0);
-      KEYMIX(r1,r2,r4,r3,r0,76);
-
-      /* round 14  */
-      ILINTRANS(r1,r2,r4,r3,r0);
-      I2(r1,r2,r4,r3,r0);
-      KEYMIX(r2,r0,r4,r3,r1,72);
-
-      /* round 15  */
-      ILINTRANS(r2,r0,r4,r3,r1);
-      I1(r2,r0,r4,r3,r1);
-      KEYMIX(r1,r2,r3,r4,r0,68);
-
-      /* round 16  */
-      ILINTRANS(r1,r2,r3,r4,r0);
-      I0(r1,r2,r3,r4,r0);
-      KEYMIX(r1,r0,r2,r4,r3,64);
-
-      /* round 17  */
-      ILINTRANS(r1,r0,r2,r4,r3);
-      I7(r1,r0,r2,r4,r3);
-      KEYMIX(r4,r1,r0,r3,r2,60);
-
-      /* round 18  */
-      ILINTRANS(r4,r1,r0,r3,r2);
-      I6(r4,r1,r0,r3,r2);
-      KEYMIX(r1,r0,r2,r3,r4,56);
-
-      /* round 19  */
-      ILINTRANS(r1,r0,r2,r3,r4);
-      I5(r1,r0,r2,r3,r4);
-      KEYMIX(r0,r4,r3,r2,r1,52);
-
-      /* round 20  */
-      ILINTRANS(r0,r4,r3,r2,r1);
-      I4(r0,r4,r3,r2,r1);
-      KEYMIX(r0,r2,r3,r1,r4,48);
-
-      /* round 21  */
-      ILINTRANS(r0,r2,r3,r1,r4);
-      I3(r0,r2,r3,r1,r4);
-      KEYMIX(r3,r2,r1,r0,r4,44);
-
-      /* round 22  */
-      ILINTRANS(r3,r2,r1,r0,r4);
-      I2(r3,r2,r1,r0,r4);
-      KEYMIX(r2,r4,r1,r0,r3,40);
-
-      /* round 23  */
-      ILINTRANS(r2,r4,r1,r0,r3);
-      I1(r2,r4,r1,r0,r3);
-      KEYMIX(r3,r2,r0,r1,r4,36);
-
-      /* round 24  */
-      ILINTRANS(r3,r2,r0,r1,r4);
-      I0(r3,r2,r0,r1,r4);
-      KEYMIX(r3,r4,r2,r1,r0,32);
-
-      /* round 25  */
-      ILINTRANS(r3,r4,r2,r1,r0);
-      I7(r3,r4,r2,r1,r0);
-      KEYMIX(r1,r3,r4,r0,r2,28);
-
-      /* round 26  */
-      ILINTRANS(r1,r3,r4,r0,r2);
-      I6(r1,r3,r4,r0,r2);
-      KEYMIX(r3,r4,r2,r0,r1,24);
-
-      /* round 27  */
-      ILINTRANS(r3,r4,r2,r0,r1);
-      I5(r3,r4,r2,r0,r1);
-      KEYMIX(r4,r1,r0,r2,r3,20);
-
-      /* round 28  */
-      ILINTRANS(r4,r1,r0,r2,r3);
-      I4(r4,r1,r0,r2,r3);
-      KEYMIX(r4,r2,r0,r3,r1,16);
-
-      /* round 29  */
-      ILINTRANS(r4,r2,r0,r3,r1);
-      I3(r4,r2,r0,r3,r1);
-      KEYMIX(r0,r2,r3,r4,r1,12);
-
-      /* round 30  */
-      ILINTRANS(r0,r2,r3,r4,r1);
-      I2(r0,r2,r3,r4,r1);
-      KEYMIX(r2,r1,r3,r4,r0,8);
-
-      /* round 31  */
-      ILINTRANS(r2,r1,r3,r4,r0);
-      I1(r2,r1,r3,r4,r0);
-      KEYMIX(r0,r2,r4,r3,r1,4);
-
-      /* round 32  */
-      ILINTRANS(r0,r2,r4,r3,r1);
-      I0(r0,r2,r4,r3,r1);
-      KEYMIX(r0,r1,r2,r3,r4,0);
-    
-#ifdef  BLOCK_SWAP
-    out_blk[3] = io_swap(r0); out_blk[2] = io_swap(r1); 
-    out_blk[1] = io_swap(r2); out_blk[0] = io_swap(r3);
-#else
-    out_blk[0] = r0; out_blk[1] = r1; out_blk[2] = r2; out_blk[3] = r3;
-#endif
-    return 0;
-};
-
-
diff --git a/src/libcrypto/libserpent/serpent.h b/src/libcrypto/libserpent/serpent.h
deleted file mode 100644
index 6357f5bfa..000000000
--- a/src/libcrypto/libserpent/serpent.h
+++ /dev/null
@@ -1,17 +0,0 @@
-#ifndef SERPENT_H
-#define SERPENT_H
-#ifdef __KERNEL__
-#include <linux/types.h>
-#else
-#include <sys/types.h>
-#define u32 u_int32_t
-#define u8 u_int8_t
-#endif
-struct serpent_context {
-	u32  keyinfo[140]; /* storage for the key schedule         */
-};
-typedef struct serpent_context serpent_context;
-int serpent_set_key(serpent_context *ctx, const u8 * in_key, int key_len);
-int serpent_decrypt(serpent_context *ctx, const u8 * in_blk, u8 * out_blk);
-int serpent_encrypt(serpent_context *ctx, const u8 * in_blk, u8 * out_blk);
-#endif /* SERPENT_H */
diff --git a/src/libcrypto/libserpent/serpent_cbc.c b/src/libcrypto/libserpent/serpent_cbc.c
deleted file mode 100644
index 3b546278a..000000000
--- a/src/libcrypto/libserpent/serpent_cbc.c
+++ /dev/null
@@ -1,8 +0,0 @@
-#ifdef __KERNEL__
-#include <linux/types.h>
-#else
-#include <sys/types.h>
-#endif
-#include "serpent_cbc.h"
-#include "cbc_generic.h"
-CBC_IMPL_BLK16(serpent_cbc_encrypt, serpent_context, u_int8_t *, serpent_encrypt, serpent_decrypt);
diff --git a/src/libcrypto/libserpent/serpent_cbc.h b/src/libcrypto/libserpent/serpent_cbc.h
deleted file mode 100644
index 3064fa3bc..000000000
--- a/src/libcrypto/libserpent/serpent_cbc.h
+++ /dev/null
@@ -1,3 +0,0 @@
-/* Glue header */
-#include "serpent.h"
-int serpent_cbc_encrypt(serpent_context *ctx, const u_int8_t * in, u_int8_t * out, int ilen, const u_int8_t * iv, int encrypt);
diff --git a/src/libcrypto/libsha2/hmac_sha2.c b/src/libcrypto/libsha2/hmac_sha2.c
deleted file mode 100644
index ad107eb62..000000000
--- a/src/libcrypto/libsha2/hmac_sha2.c
+++ /dev/null
@@ -1,32 +0,0 @@
-#ifdef __KERNEL__
-#include <linux/types.h>
-#include <linux/string.h>
-#else
-#include <sys/types.h>
-#include <string.h>
-#endif
-#include "hmac_generic.h"
-#include "sha2.h"
-#include "hmac_sha2.h"
-
-void inline sha256_result(sha256_context *ctx, u_int8_t * hash, int hashlen) {
-	sha256_final(ctx);
-	memcpy(hash, &ctx->sha_out[0], hashlen);
-}
-void inline sha512_result(sha512_context *ctx, u_int8_t * hash, int hashlen) {
-	sha512_final(ctx);
-	memcpy(hash, &ctx->sha_out[0], hashlen);
-}
-HMAC_SET_KEY_IMPL (sha256_hmac_set_key, 
-		sha256_hmac_context, SHA256_BLOCKSIZE, 
-		sha256_init, sha256_write)
-HMAC_HASH_IMPL (sha256_hmac_hash, 
-		sha256_hmac_context, sha256_context, SHA256_HASHLEN,
-		sha256_write, sha256_result)
-
-HMAC_SET_KEY_IMPL (sha512_hmac_set_key, 
-		sha512_hmac_context, SHA512_BLOCKSIZE, 
-		sha512_init, sha512_write)
-HMAC_HASH_IMPL (sha512_hmac_hash, 
-		sha512_hmac_context, sha512_context, SHA512_HASHLEN,
-		sha512_write, sha512_result)
diff --git a/src/libcrypto/libsha2/hmac_sha2.h b/src/libcrypto/libsha2/hmac_sha2.h
deleted file mode 100644
index b7f8c747c..000000000
--- a/src/libcrypto/libsha2/hmac_sha2.h
+++ /dev/null
@@ -1,17 +0,0 @@
-typedef struct {
-	sha256_context ictx,octx;
-} sha256_hmac_context;
-typedef struct {
-	sha512_context ictx,octx;
-} sha512_hmac_context;
-#define SHA256_BLOCKSIZE 64
-#define SHA256_HASHLEN   32
-#define SHA384_BLOCKSIZE 128	/* XXX ok? */
-#define SHA384_HASHLEN   48
-#define SHA512_BLOCKSIZE 128
-#define SHA512_HASHLEN   64
-
-void sha256_hmac_hash(sha256_hmac_context *hctx, const u_int8_t * dat, int len, u_int8_t * hash, int hashlen);
-void sha256_hmac_set_key(sha256_hmac_context *hctx, const u_int8_t * key, int keylen);
-void sha512_hmac_hash(sha512_hmac_context *hctx, const u_int8_t * dat, int len, u_int8_t * hash, int hashlen);
-void sha512_hmac_set_key(sha512_hmac_context *hctx, const u_int8_t * key, int keylen);
diff --git a/src/libcrypto/libsha2/sha2.c b/src/libcrypto/libsha2/sha2.c
deleted file mode 100644
index 4debdad67..000000000
--- a/src/libcrypto/libsha2/sha2.c
+++ /dev/null
@@ -1,437 +0,0 @@
-/*
- *  sha512.c
- *
- *  Written by Jari Ruusu, April 16 2001
- *
- *  Copyright 2001 by Jari Ruusu.
- *  Redistribution of this file is permitted under the GNU Public License.
- */
-
-#ifdef __KERNEL__
-#include <linux/string.h>
-#include <linux/types.h>
-#else
-#include <string.h>
-#include <sys/types.h>
-#endif
-#include "sha2.h"
-
-/* Define one or more of these. If none is defined, you get all of them */
-#if !defined(SHA256_NEEDED)&&!defined(SHA512_NEEDED)&&!defined(SHA384_NEEDED)
-# define SHA256_NEEDED  1
-# define SHA512_NEEDED  1
-# define SHA384_NEEDED  1
-#endif
-
-#if defined(SHA256_NEEDED)
-static const u_int32_t sha256_hashInit[8] = {
-    0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a, 0x510e527f, 0x9b05688c,
-    0x1f83d9ab, 0x5be0cd19
-};
-static const u_int32_t sha256_K[64] = {
-    0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1,
-    0x923f82a4, 0xab1c5ed5, 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
-    0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174, 0xe49b69c1, 0xefbe4786,
-    0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
-    0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147,
-    0x06ca6351, 0x14292967, 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
-    0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85, 0xa2bfe8a1, 0xa81a664b,
-    0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
-    0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a,
-    0x5b9cca4f, 0x682e6ff3, 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
-    0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
-};
-#endif
-
-#if defined(SHA512_NEEDED)
-static const u_int64_t sha512_hashInit[8] = {
-    0x6a09e667f3bcc908ULL, 0xbb67ae8584caa73bULL, 0x3c6ef372fe94f82bULL,
-    0xa54ff53a5f1d36f1ULL, 0x510e527fade682d1ULL, 0x9b05688c2b3e6c1fULL,
-    0x1f83d9abfb41bd6bULL, 0x5be0cd19137e2179ULL
-};
-#endif
-
-#if defined(SHA384_NEEDED)
-static const u_int64_t sha384_hashInit[8] = {
-    0xcbbb9d5dc1059ed8ULL, 0x629a292a367cd507ULL, 0x9159015a3070dd17ULL,
-    0x152fecd8f70e5939ULL, 0x67332667ffc00b31ULL, 0x8eb44a8768581511ULL,
-    0xdb0c2e0d64f98fa7ULL, 0x47b5481dbefa4fa4ULL
-};
-#endif
-
-#if defined(SHA512_NEEDED) || defined(SHA384_NEEDED)
-static const u_int64_t sha512_K[80] = {
-    0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL, 0xb5c0fbcfec4d3b2fULL,
-    0xe9b5dba58189dbbcULL, 0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL,
-    0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL, 0xd807aa98a3030242ULL,
-    0x12835b0145706fbeULL, 0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL,
-    0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL, 0x9bdc06a725c71235ULL,
-    0xc19bf174cf692694ULL, 0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL,
-    0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL, 0x2de92c6f592b0275ULL,
-    0x4a7484aa6ea6e483ULL, 0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL,
-    0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL, 0xb00327c898fb213fULL,
-    0xbf597fc7beef0ee4ULL, 0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL,
-    0x06ca6351e003826fULL, 0x142929670a0e6e70ULL, 0x27b70a8546d22ffcULL,
-    0x2e1b21385c26c926ULL, 0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL,
-    0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL, 0x81c2c92e47edaee6ULL,
-    0x92722c851482353bULL, 0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL,
-    0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL, 0xd192e819d6ef5218ULL,
-    0xd69906245565a910ULL, 0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL,
-    0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL, 0x2748774cdf8eeb99ULL,
-    0x34b0bcb5e19b48a8ULL, 0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL,
-    0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL, 0x748f82ee5defb2fcULL,
-    0x78a5636f43172f60ULL, 0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL,
-    0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL, 0xbef9a3f7b2c67915ULL,
-    0xc67178f2e372532bULL, 0xca273eceea26619cULL, 0xd186b8c721c0c207ULL,
-    0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL, 0x06f067aa72176fbaULL,
-    0x0a637dc5a2c898a6ULL, 0x113f9804bef90daeULL, 0x1b710b35131c471bULL,
-    0x28db77f523047d84ULL, 0x32caab7b40c72493ULL, 0x3c9ebe0a15c9bebcULL,
-    0x431d67c49c100d4cULL, 0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL,
-    0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL
-};
-#endif
-
-#define Ch(x,y,z)   (((x) & (y)) ^ ((~(x)) & (z)))
-#define Maj(x,y,z)  (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
-#define R(x,y)      ((y) >> (x))
-
-#if defined(SHA256_NEEDED)
-void sha256_init(sha256_context *ctx)
-{
-    memcpy(&ctx->sha_H[0], &sha256_hashInit[0], sizeof(ctx->sha_H));
-    ctx->sha_blocks = 0;
-    ctx->sha_bufCnt = 0;
-}
-
-#define S(x,y)      (((y) >> (x)) | ((y) << (32 - (x))))
-#define uSig0(x)    ((S(2,(x))) ^ (S(13,(x))) ^ (S(22,(x))))
-#define uSig1(x)    ((S(6,(x))) ^ (S(11,(x))) ^ (S(25,(x))))
-#define lSig0(x)    ((S(7,(x))) ^ (S(18,(x))) ^ (R(3,(x))))
-#define lSig1(x)    ((S(17,(x))) ^ (S(19,(x))) ^ (R(10,(x))))
-
-static void sha256_transform(sha256_context *ctx, const unsigned char *datap)
-{
-    register int    j;
-    u_int32_t       a, b, c, d, e, f, g, h;
-    u_int32_t       T1, T2, W[64], Wm2, Wm15;
-
-    /* read the data, big endian byte order */
-    j = 0;
-    do {
-        W[j] = (((u_int32_t)(datap[0]))<<24) | (((u_int32_t)(datap[1]))<<16) |
-               (((u_int32_t)(datap[2]))<<8 ) | ((u_int32_t)(datap[3]));
-        datap += 4;
-    } while(++j < 16);
-    
-    /* initialize variables a...h */
-    a = ctx->sha_H[0];
-    b = ctx->sha_H[1];
-    c = ctx->sha_H[2];
-    d = ctx->sha_H[3];
-    e = ctx->sha_H[4];
-    f = ctx->sha_H[5];
-    g = ctx->sha_H[6];
-    h = ctx->sha_H[7];
-
-    /* apply compression function */
-    j = 0;
-    do {
-        if(j >= 16) {
-            Wm2 = W[j - 2];
-            Wm15 = W[j - 15];
-            W[j] = lSig1(Wm2) + W[j - 7] + lSig0(Wm15) + W[j - 16];
-        }
-        T1 = h + uSig1(e) + Ch(e,f,g) + sha256_K[j] + W[j];
-        T2 = uSig0(a) + Maj(a,b,c);
-        h = g; g = f; f = e;
-        e = d + T1;
-        d = c; c = b; b = a;
-        a = T1 + T2;
-    } while(++j < 64);
-
-    /* compute intermediate hash value */
-    ctx->sha_H[0] += a;
-    ctx->sha_H[1] += b;
-    ctx->sha_H[2] += c;
-    ctx->sha_H[3] += d;
-    ctx->sha_H[4] += e;
-    ctx->sha_H[5] += f;
-    ctx->sha_H[6] += g;
-    ctx->sha_H[7] += h;
-
-    ctx->sha_blocks++;
-}
-
-void sha256_write(sha256_context *ctx, const unsigned char *datap, int length)
-{
-    while(length > 0) {
-        if(!ctx->sha_bufCnt) {
-            while(length >= sizeof(ctx->sha_out)) {
-                sha256_transform(ctx, datap);
-                datap += sizeof(ctx->sha_out);
-                length -= sizeof(ctx->sha_out);
-            }
-            if(!length) return;
-        }
-        ctx->sha_out[ctx->sha_bufCnt] = *datap++;
-        length--;
-        if(++ctx->sha_bufCnt == sizeof(ctx->sha_out)) {
-            sha256_transform(ctx, &ctx->sha_out[0]);
-            ctx->sha_bufCnt = 0;
-        }
-    }
-}
-
-void sha256_final(sha256_context *ctx)
-{
-    register int    j;
-    u_int64_t       bitLength;
-    u_int32_t       i;
-    unsigned char   padByte, *datap;
-
-    bitLength = (ctx->sha_blocks << 9) | (ctx->sha_bufCnt << 3);
-    padByte = 0x80;
-    sha256_write(ctx, &padByte, 1);
-
-    /* pad extra space with zeroes */
-    padByte = 0;
-    while(ctx->sha_bufCnt != 56) {
-        sha256_write(ctx, &padByte, 1);
-    }
-
-    /* write bit length, big endian byte order */
-    ctx->sha_out[56] = bitLength >> 56;
-    ctx->sha_out[57] = bitLength >> 48;
-    ctx->sha_out[58] = bitLength >> 40;
-    ctx->sha_out[59] = bitLength >> 32;
-    ctx->sha_out[60] = bitLength >> 24;
-    ctx->sha_out[61] = bitLength >> 16;
-    ctx->sha_out[62] = bitLength >> 8;
-    ctx->sha_out[63] = bitLength;
-    sha256_transform(ctx, &ctx->sha_out[0]);
-    
-    /* return results in ctx->sha_out[0...31] */
-    datap = &ctx->sha_out[0];
-    j = 0;
-    do {
-        i = ctx->sha_H[j];
-        datap[0] = i >> 24;
-        datap[1] = i >> 16;
-        datap[2] = i >> 8;
-        datap[3] = i;
-        datap += 4;
-    } while(++j < 8);
-
-    /* clear sensitive information */
-    memset(&ctx->sha_out[32], 0, sizeof(sha256_context) - 32);
-}
-
-void sha256_hash_buffer(unsigned char *ib, int ile, unsigned char *ob, int ole)
-{
-    sha256_context ctx;
-
-    if(ole < 1) return;
-    memset(ob, 0, ole);
-    if(ole > 32) ole = 32;
-    sha256_init(&ctx);
-    sha256_write(&ctx, ib, ile);
-    sha256_final(&ctx);
-    memcpy(ob, &ctx.sha_out[0], ole);
-    memset(&ctx, 0, sizeof(ctx));
-}
-
-#endif
-
-#if defined(SHA512_NEEDED)
-void sha512_init(sha512_context *ctx)
-{
-    memcpy(&ctx->sha_H[0], &sha512_hashInit[0], sizeof(ctx->sha_H));
-    ctx->sha_blocks = 0;
-    ctx->sha_blocksMSB = 0;
-    ctx->sha_bufCnt = 0;
-}
-#endif
-
-#if defined(SHA512_NEEDED) || defined(SHA384_NEEDED)
-#undef S
-#undef uSig0
-#undef uSig1
-#undef lSig0
-#undef lSig1
-#define S(x,y)      (((y) >> (x)) | ((y) << (64 - (x))))
-#define uSig0(x)    ((S(28,(x))) ^ (S(34,(x))) ^ (S(39,(x))))
-#define uSig1(x)    ((S(14,(x))) ^ (S(18,(x))) ^ (S(41,(x))))
-#define lSig0(x)    ((S(1,(x))) ^ (S(8,(x))) ^ (R(7,(x))))
-#define lSig1(x)    ((S(19,(x))) ^ (S(61,(x))) ^ (R(6,(x))))
-
-static void sha512_transform(sha512_context *ctx, const unsigned char *datap)
-{
-    register int    j;
-    u_int64_t       a, b, c, d, e, f, g, h;
-    u_int64_t       T1, T2, W[80], Wm2, Wm15;
-
-    /* read the data, big endian byte order */
-    j = 0;
-    do {
-        W[j] = (((u_int64_t)(datap[0]))<<56) | (((u_int64_t)(datap[1]))<<48) |
-               (((u_int64_t)(datap[2]))<<40) | (((u_int64_t)(datap[3]))<<32) |
-               (((u_int64_t)(datap[4]))<<24) | (((u_int64_t)(datap[5]))<<16) |
-               (((u_int64_t)(datap[6]))<<8 ) | ((u_int64_t)(datap[7]));
-        datap += 8;
-    } while(++j < 16);
-    
-    /* initialize variables a...h */
-    a = ctx->sha_H[0];
-    b = ctx->sha_H[1];
-    c = ctx->sha_H[2];
-    d = ctx->sha_H[3];
-    e = ctx->sha_H[4];
-    f = ctx->sha_H[5];
-    g = ctx->sha_H[6];
-    h = ctx->sha_H[7];
-
-    /* apply compression function */
-    j = 0;
-    do {
-        if(j >= 16) {
-            Wm2 = W[j - 2];
-            Wm15 = W[j - 15];
-            W[j] = lSig1(Wm2) + W[j - 7] + lSig0(Wm15) + W[j - 16];
-        }
-        T1 = h + uSig1(e) + Ch(e,f,g) + sha512_K[j] + W[j];
-        T2 = uSig0(a) + Maj(a,b,c);
-        h = g; g = f; f = e;
-        e = d + T1;
-        d = c; c = b; b = a;
-        a = T1 + T2;
-    } while(++j < 80);
-
-    /* compute intermediate hash value */
-    ctx->sha_H[0] += a;
-    ctx->sha_H[1] += b;
-    ctx->sha_H[2] += c;
-    ctx->sha_H[3] += d;
-    ctx->sha_H[4] += e;
-    ctx->sha_H[5] += f;
-    ctx->sha_H[6] += g;
-    ctx->sha_H[7] += h;
-
-    ctx->sha_blocks++;
-    if(!ctx->sha_blocks) ctx->sha_blocksMSB++;
-}
-
-void sha512_write(sha512_context *ctx, const unsigned char *datap, int length)
-{
-    while(length > 0) {
-        if(!ctx->sha_bufCnt) {
-            while(length >= sizeof(ctx->sha_out)) {
-                sha512_transform(ctx, datap);
-                datap += sizeof(ctx->sha_out);
-                length -= sizeof(ctx->sha_out);
-            }
-            if(!length) return;
-        }
-        ctx->sha_out[ctx->sha_bufCnt] = *datap++;
-        length--;
-        if(++ctx->sha_bufCnt == sizeof(ctx->sha_out)) {
-            sha512_transform(ctx, &ctx->sha_out[0]);
-            ctx->sha_bufCnt = 0;
-        }
-    }
-}
-
-void sha512_final(sha512_context *ctx)
-{
-    register int    j;
-    u_int64_t       bitLength, bitLengthMSB;
-    u_int64_t       i;
-    unsigned char   padByte, *datap;
-
-    bitLength = (ctx->sha_blocks << 10) | (ctx->sha_bufCnt << 3);
-    bitLengthMSB = (ctx->sha_blocksMSB << 10) | (ctx->sha_blocks >> 54);
-    padByte = 0x80;
-    sha512_write(ctx, &padByte, 1);
-
-    /* pad extra space with zeroes */
-    padByte = 0;
-    while(ctx->sha_bufCnt != 112) {
-        sha512_write(ctx, &padByte, 1);
-    }
-
-    /* write bit length, big endian byte order */
-    ctx->sha_out[112] = bitLengthMSB >> 56;
-    ctx->sha_out[113] = bitLengthMSB >> 48;
-    ctx->sha_out[114] = bitLengthMSB >> 40;
-    ctx->sha_out[115] = bitLengthMSB >> 32;
-    ctx->sha_out[116] = bitLengthMSB >> 24;
-    ctx->sha_out[117] = bitLengthMSB >> 16;
-    ctx->sha_out[118] = bitLengthMSB >> 8;
-    ctx->sha_out[119] = bitLengthMSB;
-    ctx->sha_out[120] = bitLength >> 56;
-    ctx->sha_out[121] = bitLength >> 48;
-    ctx->sha_out[122] = bitLength >> 40;
-    ctx->sha_out[123] = bitLength >> 32;
-    ctx->sha_out[124] = bitLength >> 24;
-    ctx->sha_out[125] = bitLength >> 16;
-    ctx->sha_out[126] = bitLength >> 8;
-    ctx->sha_out[127] = bitLength;
-    sha512_transform(ctx, &ctx->sha_out[0]);
-    
-    /* return results in ctx->sha_out[0...63] */
-    datap = &ctx->sha_out[0];
-    j = 0;
-    do {
-        i = ctx->sha_H[j];
-        datap[0] = i >> 56;
-        datap[1] = i >> 48;
-        datap[2] = i >> 40;
-        datap[3] = i >> 32;
-        datap[4] = i >> 24;
-        datap[5] = i >> 16;
-        datap[6] = i >> 8;
-        datap[7] = i;
-        datap += 8;
-    } while(++j < 8);
-
-    /* clear sensitive information */
-    memset(&ctx->sha_out[64], 0, sizeof(sha512_context) - 64);
-}
-
-void sha512_hash_buffer(unsigned char *ib, int ile, unsigned char *ob, int ole)
-{
-    sha512_context ctx;
-
-    if(ole < 1) return;
-    memset(ob, 0, ole);
-    if(ole > 64) ole = 64;
-    sha512_init(&ctx);
-    sha512_write(&ctx, ib, ile);
-    sha512_final(&ctx);
-    memcpy(ob, &ctx.sha_out[0], ole);
-    memset(&ctx, 0, sizeof(ctx));
-}
-#endif
-
-#if defined(SHA384_NEEDED)
-void sha384_init(sha512_context *ctx)
-{
-    memcpy(&ctx->sha_H[0], &sha384_hashInit[0], sizeof(ctx->sha_H));
-    ctx->sha_blocks = 0;
-    ctx->sha_blocksMSB = 0;
-    ctx->sha_bufCnt = 0;
-}
-
-void sha384_hash_buffer(unsigned char *ib, int ile, unsigned char *ob, int ole)
-{
-    sha512_context ctx;
-
-    if(ole < 1) return;
-    memset(ob, 0, ole);
-    if(ole > 48) ole = 48;
-    sha384_init(&ctx);
-    sha512_write(&ctx, ib, ile);
-    sha512_final(&ctx);
-    memcpy(ob, &ctx.sha_out[0], ole);
-    memset(&ctx, 0, sizeof(ctx));
-}
-#endif
diff --git a/src/libcrypto/libsha2/sha2.h b/src/libcrypto/libsha2/sha2.h
deleted file mode 100644
index 2dc03cfa8..000000000
--- a/src/libcrypto/libsha2/sha2.h
+++ /dev/null
@@ -1,52 +0,0 @@
-#ifndef _SHA2_H
-#define _SHA2_H
-/*
- *  sha512.h
- *
- *  Written by Jari Ruusu, April 16 2001
- *
- *  Copyright 2001 by Jari Ruusu.
- *  Redistribution of this file is permitted under the GNU Public License.
- */
-
-#ifdef __KERNEL__
-#include <linux/types.h>
-#else
-#include <sys/types.h>
-#endif
-
-typedef struct {
-    unsigned char   sha_out[64];    /* results are here, bytes 0...31 */
-    u_int32_t       sha_H[8];
-    u_int64_t       sha_blocks;
-    int             sha_bufCnt;
-} sha256_context;
-
-typedef struct {
-    unsigned char   sha_out[128];   /* results are here, bytes 0...63 */
-    u_int64_t       sha_H[8];
-    u_int64_t       sha_blocks;
-    u_int64_t       sha_blocksMSB;
-    int             sha_bufCnt;
-} sha512_context;
-
-/* no sha384_context, use sha512_context */
-
-/* 256 bit hash, provides 128 bits of security against collision attacks */
-extern void sha256_init(sha256_context *);
-extern void sha256_write(sha256_context *, const unsigned char *, int);
-extern void sha256_final(sha256_context *);
-extern void sha256_hash_buffer(unsigned char *, int, unsigned char *, int);
-
-/* 512 bit hash, provides 256 bits of security against collision attacks */
-extern void sha512_init(sha512_context *);
-extern void sha512_write(sha512_context *, const unsigned char *, int);
-extern void sha512_final(sha512_context *);
-extern void sha512_hash_buffer(unsigned char *, int, unsigned char *, int);
-
-/* 384 bit hash, provides 192 bits of security against collision attacks */
-extern void sha384_init(sha512_context *);
-/* no sha384_write(), use sha512_write() */
-/* no sha384_final(), use sha512_final(), result in ctx->sha_out[0...47]  */
-extern void sha384_hash_buffer(unsigned char *, int, unsigned char *, int);
-#endif /* _SHA2_H */
diff --git a/src/libcrypto/libtwofish/twofish.c b/src/libcrypto/libtwofish/twofish.c
deleted file mode 100644
index 0e01a92d2..000000000
--- a/src/libcrypto/libtwofish/twofish.c
+++ /dev/null
@@ -1,861 +0,0 @@
-/* NOTE: This implementation has been changed from the original
- * source. See ChangeLog for more information.
- * Maintained by Marc Mutz <Marc@Mutz.com>
- */
-
-/* Twofish for GPG
- * By Matthew Skala <mskala@ansuz.sooke.bc.ca>, July 26, 1998
- * 256-bit key length added March 20, 1999
- * Some modifications to reduce the text size by Werner Koch, April, 1998
- *
- * The original author has disclaimed all copyright interest in this
- * code and thus putting it in the public domain.
- *
- * This code is a "clean room" implementation, written from the paper
- * _Twofish: A 128-Bit Block Cipher_ by Bruce Schneier, John Kelsey,
- * Doug Whiting, David Wagner, Chris Hall, and Niels Ferguson, available
- * through http://www.counterpane.com/twofish.html
- *
- * For background information on multiplication in finite fields, used for
- * the matrix operations in the key schedule, see the book _Contemporary
- * Abstract Algebra_ by Joseph A. Gallian, especially chapter 22 in the
- * Third Edition.
- *
- * Only the 128- and 256-bit key sizes are supported.  This code is intended
- * for GNU C on a 32-bit system, but it should work almost anywhere.  Loops
- * are unrolled, precomputation tables are used, etc., for maximum speed at
- * some cost in memory consumption. */
-
-#ifdef __KERNEL__
-#include <linux/init.h>
-#include <linux/types.h>
-#else
-#include <sys/types.h>
-#define u8 u_int8_t
-#define u32 u_int32_t
-#endif
-
-#if 0 /* shouldn't this be #ifdef rotl32 ?
-       * Look at wordops.h: It includes asm/wordops.h.
-       * Anyway, we have to search in the macros for rot's,
-       * since they seem to be defined in a generic way. */
-#define rotl rotl32
-#define rotr rotr32
-#else
-#define rotl generic_rotl32
-#define rotr generic_rotr32
-#endif
-
-#include "twofish.h"
-/* The large precomputed tables for the Twofish cipher (twofish.c)
- * Taken from the same source as twofish.c
- * Marc Mutz <Marc@Mutz.com>
- */
-
-/* These two tables are the q0 and q1 permutations, exactly as described in
- * the Twofish paper. */
-
-static const u8 q0[256] = {
-   0xA9, 0x67, 0xB3, 0xE8, 0x04, 0xFD, 0xA3, 0x76, 0x9A, 0x92, 0x80, 0x78,
-   0xE4, 0xDD, 0xD1, 0x38, 0x0D, 0xC6, 0x35, 0x98, 0x18, 0xF7, 0xEC, 0x6C,
-   0x43, 0x75, 0x37, 0x26, 0xFA, 0x13, 0x94, 0x48, 0xF2, 0xD0, 0x8B, 0x30,
-   0x84, 0x54, 0xDF, 0x23, 0x19, 0x5B, 0x3D, 0x59, 0xF3, 0xAE, 0xA2, 0x82,
-   0x63, 0x01, 0x83, 0x2E, 0xD9, 0x51, 0x9B, 0x7C, 0xA6, 0xEB, 0xA5, 0xBE,
-   0x16, 0x0C, 0xE3, 0x61, 0xC0, 0x8C, 0x3A, 0xF5, 0x73, 0x2C, 0x25, 0x0B,
-   0xBB, 0x4E, 0x89, 0x6B, 0x53, 0x6A, 0xB4, 0xF1, 0xE1, 0xE6, 0xBD, 0x45,
-   0xE2, 0xF4, 0xB6, 0x66, 0xCC, 0x95, 0x03, 0x56, 0xD4, 0x1C, 0x1E, 0xD7,
-   0xFB, 0xC3, 0x8E, 0xB5, 0xE9, 0xCF, 0xBF, 0xBA, 0xEA, 0x77, 0x39, 0xAF,
-   0x33, 0xC9, 0x62, 0x71, 0x81, 0x79, 0x09, 0xAD, 0x24, 0xCD, 0xF9, 0xD8,
-   0xE5, 0xC5, 0xB9, 0x4D, 0x44, 0x08, 0x86, 0xE7, 0xA1, 0x1D, 0xAA, 0xED,
-   0x06, 0x70, 0xB2, 0xD2, 0x41, 0x7B, 0xA0, 0x11, 0x31, 0xC2, 0x27, 0x90,
-   0x20, 0xF6, 0x60, 0xFF, 0x96, 0x5C, 0xB1, 0xAB, 0x9E, 0x9C, 0x52, 0x1B,
-   0x5F, 0x93, 0x0A, 0xEF, 0x91, 0x85, 0x49, 0xEE, 0x2D, 0x4F, 0x8F, 0x3B,
-   0x47, 0x87, 0x6D, 0x46, 0xD6, 0x3E, 0x69, 0x64, 0x2A, 0xCE, 0xCB, 0x2F,
-   0xFC, 0x97, 0x05, 0x7A, 0xAC, 0x7F, 0xD5, 0x1A, 0x4B, 0x0E, 0xA7, 0x5A,
-   0x28, 0x14, 0x3F, 0x29, 0x88, 0x3C, 0x4C, 0x02, 0xB8, 0xDA, 0xB0, 0x17,
-   0x55, 0x1F, 0x8A, 0x7D, 0x57, 0xC7, 0x8D, 0x74, 0xB7, 0xC4, 0x9F, 0x72,
-   0x7E, 0x15, 0x22, 0x12, 0x58, 0x07, 0x99, 0x34, 0x6E, 0x50, 0xDE, 0x68,
-   0x65, 0xBC, 0xDB, 0xF8, 0xC8, 0xA8, 0x2B, 0x40, 0xDC, 0xFE, 0x32, 0xA4,
-   0xCA, 0x10, 0x21, 0xF0, 0xD3, 0x5D, 0x0F, 0x00, 0x6F, 0x9D, 0x36, 0x42,
-   0x4A, 0x5E, 0xC1, 0xE0
-};
-
-static const u8 q1[256] = {
-   0x75, 0xF3, 0xC6, 0xF4, 0xDB, 0x7B, 0xFB, 0xC8, 0x4A, 0xD3, 0xE6, 0x6B,
-   0x45, 0x7D, 0xE8, 0x4B, 0xD6, 0x32, 0xD8, 0xFD, 0x37, 0x71, 0xF1, 0xE1,
-   0x30, 0x0F, 0xF8, 0x1B, 0x87, 0xFA, 0x06, 0x3F, 0x5E, 0xBA, 0xAE, 0x5B,
-   0x8A, 0x00, 0xBC, 0x9D, 0x6D, 0xC1, 0xB1, 0x0E, 0x80, 0x5D, 0xD2, 0xD5,
-   0xA0, 0x84, 0x07, 0x14, 0xB5, 0x90, 0x2C, 0xA3, 0xB2, 0x73, 0x4C, 0x54,
-   0x92, 0x74, 0x36, 0x51, 0x38, 0xB0, 0xBD, 0x5A, 0xFC, 0x60, 0x62, 0x96,
-   0x6C, 0x42, 0xF7, 0x10, 0x7C, 0x28, 0x27, 0x8C, 0x13, 0x95, 0x9C, 0xC7,
-   0x24, 0x46, 0x3B, 0x70, 0xCA, 0xE3, 0x85, 0xCB, 0x11, 0xD0, 0x93, 0xB8,
-   0xA6, 0x83, 0x20, 0xFF, 0x9F, 0x77, 0xC3, 0xCC, 0x03, 0x6F, 0x08, 0xBF,
-   0x40, 0xE7, 0x2B, 0xE2, 0x79, 0x0C, 0xAA, 0x82, 0x41, 0x3A, 0xEA, 0xB9,
-   0xE4, 0x9A, 0xA4, 0x97, 0x7E, 0xDA, 0x7A, 0x17, 0x66, 0x94, 0xA1, 0x1D,
-   0x3D, 0xF0, 0xDE, 0xB3, 0x0B, 0x72, 0xA7, 0x1C, 0xEF, 0xD1, 0x53, 0x3E,
-   0x8F, 0x33, 0x26, 0x5F, 0xEC, 0x76, 0x2A, 0x49, 0x81, 0x88, 0xEE, 0x21,
-   0xC4, 0x1A, 0xEB, 0xD9, 0xC5, 0x39, 0x99, 0xCD, 0xAD, 0x31, 0x8B, 0x01,
-   0x18, 0x23, 0xDD, 0x1F, 0x4E, 0x2D, 0xF9, 0x48, 0x4F, 0xF2, 0x65, 0x8E,
-   0x78, 0x5C, 0x58, 0x19, 0x8D, 0xE5, 0x98, 0x57, 0x67, 0x7F, 0x05, 0x64,
-   0xAF, 0x63, 0xB6, 0xFE, 0xF5, 0xB7, 0x3C, 0xA5, 0xCE, 0xE9, 0x68, 0x44,
-   0xE0, 0x4D, 0x43, 0x69, 0x29, 0x2E, 0xAC, 0x15, 0x59, 0xA8, 0x0A, 0x9E,
-   0x6E, 0x47, 0xDF, 0x34, 0x35, 0x6A, 0xCF, 0xDC, 0x22, 0xC9, 0xC0, 0x9B,
-   0x89, 0xD4, 0xED, 0xAB, 0x12, 0xA2, 0x0D, 0x52, 0xBB, 0x02, 0x2F, 0xA9,
-   0xD7, 0x61, 0x1E, 0xB4, 0x50, 0x04, 0xF6, 0xC2, 0x16, 0x25, 0x86, 0x56,
-   0x55, 0x09, 0xBE, 0x91
-};
-
-/* These MDS tables are actually tables of MDS composed with q0 and q1,
- * because it is only ever used that way and we can save some time by
- * precomputing.  Of course the main saving comes from precomputing the
- * GF(2^8) multiplication involved in the MDS matrix multiply; by looking
- * things up in these tables we reduce the matrix multiply to four lookups
- * and three XORs.  Semi-formally, the definition of these tables is:
- * mds[0][i] = MDS (q1[i] 0 0 0)^T  mds[1][i] = MDS (0 q0[i] 0 0)^T
- * mds[2][i] = MDS (0 0 q1[i] 0)^T  mds[3][i] = MDS (0 0 0 q0[i])^T
- * where ^T means "transpose", the matrix multiply is performed in GF(2^8)
- * represented as GF(2)[x]/v(x) where v(x)=x^8+x^6+x^5+x^3+1 as described
- * by Schneier et al, and I'm casually glossing over the byte/word
- * conversion issues. */
-
-static const u32 mds[4][256] = {
-   {0xBCBC3275, 0xECEC21F3, 0x202043C6, 0xB3B3C9F4, 0xDADA03DB, 0x02028B7B,
-    0xE2E22BFB, 0x9E9EFAC8, 0xC9C9EC4A, 0xD4D409D3, 0x18186BE6, 0x1E1E9F6B,
-    0x98980E45, 0xB2B2387D, 0xA6A6D2E8, 0x2626B74B, 0x3C3C57D6, 0x93938A32,
-    0x8282EED8, 0x525298FD, 0x7B7BD437, 0xBBBB3771, 0x5B5B97F1, 0x474783E1,
-    0x24243C30, 0x5151E20F, 0xBABAC6F8, 0x4A4AF31B, 0xBFBF4887, 0x0D0D70FA,
-    0xB0B0B306, 0x7575DE3F, 0xD2D2FD5E, 0x7D7D20BA, 0x666631AE, 0x3A3AA35B,
-    0x59591C8A, 0x00000000, 0xCDCD93BC, 0x1A1AE09D, 0xAEAE2C6D, 0x7F7FABC1,
-    0x2B2BC7B1, 0xBEBEB90E, 0xE0E0A080, 0x8A8A105D, 0x3B3B52D2, 0x6464BAD5,
-    0xD8D888A0, 0xE7E7A584, 0x5F5FE807, 0x1B1B1114, 0x2C2CC2B5, 0xFCFCB490,
-    0x3131272C, 0x808065A3, 0x73732AB2, 0x0C0C8173, 0x79795F4C, 0x6B6B4154,
-    0x4B4B0292, 0x53536974, 0x94948F36, 0x83831F51, 0x2A2A3638, 0xC4C49CB0,
-    0x2222C8BD, 0xD5D5F85A, 0xBDBDC3FC, 0x48487860, 0xFFFFCE62, 0x4C4C0796,
-    0x4141776C, 0xC7C7E642, 0xEBEB24F7, 0x1C1C1410, 0x5D5D637C, 0x36362228,
-    0x6767C027, 0xE9E9AF8C, 0x4444F913, 0x1414EA95, 0xF5F5BB9C, 0xCFCF18C7,
-    0x3F3F2D24, 0xC0C0E346, 0x7272DB3B, 0x54546C70, 0x29294CCA, 0xF0F035E3,
-    0x0808FE85, 0xC6C617CB, 0xF3F34F11, 0x8C8CE4D0, 0xA4A45993, 0xCACA96B8,
-    0x68683BA6, 0xB8B84D83, 0x38382820, 0xE5E52EFF, 0xADAD569F, 0x0B0B8477,
-    0xC8C81DC3, 0x9999FFCC, 0x5858ED03, 0x19199A6F, 0x0E0E0A08, 0x95957EBF,
-    0x70705040, 0xF7F730E7, 0x6E6ECF2B, 0x1F1F6EE2, 0xB5B53D79, 0x09090F0C,
-    0x616134AA, 0x57571682, 0x9F9F0B41, 0x9D9D803A, 0x111164EA, 0x2525CDB9,
-    0xAFAFDDE4, 0x4545089A, 0xDFDF8DA4, 0xA3A35C97, 0xEAEAD57E, 0x353558DA,
-    0xEDEDD07A, 0x4343FC17, 0xF8F8CB66, 0xFBFBB194, 0x3737D3A1, 0xFAFA401D,
-    0xC2C2683D, 0xB4B4CCF0, 0x32325DDE, 0x9C9C71B3, 0x5656E70B, 0xE3E3DA72,
-    0x878760A7, 0x15151B1C, 0xF9F93AEF, 0x6363BFD1, 0x3434A953, 0x9A9A853E,
-    0xB1B1428F, 0x7C7CD133, 0x88889B26, 0x3D3DA65F, 0xA1A1D7EC, 0xE4E4DF76,
-    0x8181942A, 0x91910149, 0x0F0FFB81, 0xEEEEAA88, 0x161661EE, 0xD7D77321,
-    0x9797F5C4, 0xA5A5A81A, 0xFEFE3FEB, 0x6D6DB5D9, 0x7878AEC5, 0xC5C56D39,
-    0x1D1DE599, 0x7676A4CD, 0x3E3EDCAD, 0xCBCB6731, 0xB6B6478B, 0xEFEF5B01,
-    0x12121E18, 0x6060C523, 0x6A6AB0DD, 0x4D4DF61F, 0xCECEE94E, 0xDEDE7C2D,
-    0x55559DF9, 0x7E7E5A48, 0x2121B24F, 0x03037AF2, 0xA0A02665, 0x5E5E198E,
-    0x5A5A6678, 0x65654B5C, 0x62624E58, 0xFDFD4519, 0x0606F48D, 0x404086E5,
-    0xF2F2BE98, 0x3333AC57, 0x17179067, 0x05058E7F, 0xE8E85E05, 0x4F4F7D64,
-    0x89896AAF, 0x10109563, 0x74742FB6, 0x0A0A75FE, 0x5C5C92F5, 0x9B9B74B7,
-    0x2D2D333C, 0x3030D6A5, 0x2E2E49CE, 0x494989E9, 0x46467268, 0x77775544,
-    0xA8A8D8E0, 0x9696044D, 0x2828BD43, 0xA9A92969, 0xD9D97929, 0x8686912E,
-    0xD1D187AC, 0xF4F44A15, 0x8D8D1559, 0xD6D682A8, 0xB9B9BC0A, 0x42420D9E,
-    0xF6F6C16E, 0x2F2FB847, 0xDDDD06DF, 0x23233934, 0xCCCC6235, 0xF1F1C46A,
-    0xC1C112CF, 0x8585EBDC, 0x8F8F9E22, 0x7171A1C9, 0x9090F0C0, 0xAAAA539B,
-    0x0101F189, 0x8B8BE1D4, 0x4E4E8CED, 0x8E8E6FAB, 0xABABA212, 0x6F6F3EA2,
-    0xE6E6540D, 0xDBDBF252, 0x92927BBB, 0xB7B7B602, 0x6969CA2F, 0x3939D9A9,
-    0xD3D30CD7, 0xA7A72361, 0xA2A2AD1E, 0xC3C399B4, 0x6C6C4450, 0x07070504,
-    0x04047FF6, 0x272746C2, 0xACACA716, 0xD0D07625, 0x50501386, 0xDCDCF756,
-    0x84841A55, 0xE1E15109, 0x7A7A25BE, 0x1313EF91},
-
-   {0xA9D93939, 0x67901717, 0xB3719C9C, 0xE8D2A6A6, 0x04050707, 0xFD985252,
-    0xA3658080, 0x76DFE4E4, 0x9A084545, 0x92024B4B, 0x80A0E0E0, 0x78665A5A,
-    0xE4DDAFAF, 0xDDB06A6A, 0xD1BF6363, 0x38362A2A, 0x0D54E6E6, 0xC6432020,
-    0x3562CCCC, 0x98BEF2F2, 0x181E1212, 0xF724EBEB, 0xECD7A1A1, 0x6C774141,
-    0x43BD2828, 0x7532BCBC, 0x37D47B7B, 0x269B8888, 0xFA700D0D, 0x13F94444,
-    0x94B1FBFB, 0x485A7E7E, 0xF27A0303, 0xD0E48C8C, 0x8B47B6B6, 0x303C2424,
-    0x84A5E7E7, 0x54416B6B, 0xDF06DDDD, 0x23C56060, 0x1945FDFD, 0x5BA33A3A,
-    0x3D68C2C2, 0x59158D8D, 0xF321ECEC, 0xAE316666, 0xA23E6F6F, 0x82165757,
-    0x63951010, 0x015BEFEF, 0x834DB8B8, 0x2E918686, 0xD9B56D6D, 0x511F8383,
-    0x9B53AAAA, 0x7C635D5D, 0xA63B6868, 0xEB3FFEFE, 0xA5D63030, 0xBE257A7A,
-    0x16A7ACAC, 0x0C0F0909, 0xE335F0F0, 0x6123A7A7, 0xC0F09090, 0x8CAFE9E9,
-    0x3A809D9D, 0xF5925C5C, 0x73810C0C, 0x2C273131, 0x2576D0D0, 0x0BE75656,
-    0xBB7B9292, 0x4EE9CECE, 0x89F10101, 0x6B9F1E1E, 0x53A93434, 0x6AC4F1F1,
-    0xB499C3C3, 0xF1975B5B, 0xE1834747, 0xE66B1818, 0xBDC82222, 0x450E9898,
-    0xE26E1F1F, 0xF4C9B3B3, 0xB62F7474, 0x66CBF8F8, 0xCCFF9999, 0x95EA1414,
-    0x03ED5858, 0x56F7DCDC, 0xD4E18B8B, 0x1C1B1515, 0x1EADA2A2, 0xD70CD3D3,
-    0xFB2BE2E2, 0xC31DC8C8, 0x8E195E5E, 0xB5C22C2C, 0xE9894949, 0xCF12C1C1,
-    0xBF7E9595, 0xBA207D7D, 0xEA641111, 0x77840B0B, 0x396DC5C5, 0xAF6A8989,
-    0x33D17C7C, 0xC9A17171, 0x62CEFFFF, 0x7137BBBB, 0x81FB0F0F, 0x793DB5B5,
-    0x0951E1E1, 0xADDC3E3E, 0x242D3F3F, 0xCDA47676, 0xF99D5555, 0xD8EE8282,
-    0xE5864040, 0xC5AE7878, 0xB9CD2525, 0x4D049696, 0x44557777, 0x080A0E0E,
-    0x86135050, 0xE730F7F7, 0xA1D33737, 0x1D40FAFA, 0xAA346161, 0xED8C4E4E,
-    0x06B3B0B0, 0x706C5454, 0xB22A7373, 0xD2523B3B, 0x410B9F9F, 0x7B8B0202,
-    0xA088D8D8, 0x114FF3F3, 0x3167CBCB, 0xC2462727, 0x27C06767, 0x90B4FCFC,
-    0x20283838, 0xF67F0404, 0x60784848, 0xFF2EE5E5, 0x96074C4C, 0x5C4B6565,
-    0xB1C72B2B, 0xAB6F8E8E, 0x9E0D4242, 0x9CBBF5F5, 0x52F2DBDB, 0x1BF34A4A,
-    0x5FA63D3D, 0x9359A4A4, 0x0ABCB9B9, 0xEF3AF9F9, 0x91EF1313, 0x85FE0808,
-    0x49019191, 0xEE611616, 0x2D7CDEDE, 0x4FB22121, 0x8F42B1B1, 0x3BDB7272,
-    0x47B82F2F, 0x8748BFBF, 0x6D2CAEAE, 0x46E3C0C0, 0xD6573C3C, 0x3E859A9A,
-    0x6929A9A9, 0x647D4F4F, 0x2A948181, 0xCE492E2E, 0xCB17C6C6, 0x2FCA6969,
-    0xFCC3BDBD, 0x975CA3A3, 0x055EE8E8, 0x7AD0EDED, 0xAC87D1D1, 0x7F8E0505,
-    0xD5BA6464, 0x1AA8A5A5, 0x4BB72626, 0x0EB9BEBE, 0xA7608787, 0x5AF8D5D5,
-    0x28223636, 0x14111B1B, 0x3FDE7575, 0x2979D9D9, 0x88AAEEEE, 0x3C332D2D,
-    0x4C5F7979, 0x02B6B7B7, 0xB896CACA, 0xDA583535, 0xB09CC4C4, 0x17FC4343,
-    0x551A8484, 0x1FF64D4D, 0x8A1C5959, 0x7D38B2B2, 0x57AC3333, 0xC718CFCF,
-    0x8DF40606, 0x74695353, 0xB7749B9B, 0xC4F59797, 0x9F56ADAD, 0x72DAE3E3,
-    0x7ED5EAEA, 0x154AF4F4, 0x229E8F8F, 0x12A2ABAB, 0x584E6262, 0x07E85F5F,
-    0x99E51D1D, 0x34392323, 0x6EC1F6F6, 0x50446C6C, 0xDE5D3232, 0x68724646,
-    0x6526A0A0, 0xBC93CDCD, 0xDB03DADA, 0xF8C6BABA, 0xC8FA9E9E, 0xA882D6D6,
-    0x2BCF6E6E, 0x40507070, 0xDCEB8585, 0xFE750A0A, 0x328A9393, 0xA48DDFDF,
-    0xCA4C2929, 0x10141C1C, 0x2173D7D7, 0xF0CCB4B4, 0xD309D4D4, 0x5D108A8A,
-    0x0FE25151, 0x00000000, 0x6F9A1919, 0x9DE01A1A, 0x368F9494, 0x42E6C7C7,
-    0x4AECC9C9, 0x5EFDD2D2, 0xC1AB7F7F, 0xE0D8A8A8},
-
-   {0xBC75BC32, 0xECF3EC21, 0x20C62043, 0xB3F4B3C9, 0xDADBDA03, 0x027B028B,
-    0xE2FBE22B, 0x9EC89EFA, 0xC94AC9EC, 0xD4D3D409, 0x18E6186B, 0x1E6B1E9F,
-    0x9845980E, 0xB27DB238, 0xA6E8A6D2, 0x264B26B7, 0x3CD63C57, 0x9332938A,
-    0x82D882EE, 0x52FD5298, 0x7B377BD4, 0xBB71BB37, 0x5BF15B97, 0x47E14783,
-    0x2430243C, 0x510F51E2, 0xBAF8BAC6, 0x4A1B4AF3, 0xBF87BF48, 0x0DFA0D70,
-    0xB006B0B3, 0x753F75DE, 0xD25ED2FD, 0x7DBA7D20, 0x66AE6631, 0x3A5B3AA3,
-    0x598A591C, 0x00000000, 0xCDBCCD93, 0x1A9D1AE0, 0xAE6DAE2C, 0x7FC17FAB,
-    0x2BB12BC7, 0xBE0EBEB9, 0xE080E0A0, 0x8A5D8A10, 0x3BD23B52, 0x64D564BA,
-    0xD8A0D888, 0xE784E7A5, 0x5F075FE8, 0x1B141B11, 0x2CB52CC2, 0xFC90FCB4,
-    0x312C3127, 0x80A38065, 0x73B2732A, 0x0C730C81, 0x794C795F, 0x6B546B41,
-    0x4B924B02, 0x53745369, 0x9436948F, 0x8351831F, 0x2A382A36, 0xC4B0C49C,
-    0x22BD22C8, 0xD55AD5F8, 0xBDFCBDC3, 0x48604878, 0xFF62FFCE, 0x4C964C07,
-    0x416C4177, 0xC742C7E6, 0xEBF7EB24, 0x1C101C14, 0x5D7C5D63, 0x36283622,
-    0x672767C0, 0xE98CE9AF, 0x441344F9, 0x149514EA, 0xF59CF5BB, 0xCFC7CF18,
-    0x3F243F2D, 0xC046C0E3, 0x723B72DB, 0x5470546C, 0x29CA294C, 0xF0E3F035,
-    0x088508FE, 0xC6CBC617, 0xF311F34F, 0x8CD08CE4, 0xA493A459, 0xCAB8CA96,
-    0x68A6683B, 0xB883B84D, 0x38203828, 0xE5FFE52E, 0xAD9FAD56, 0x0B770B84,
-    0xC8C3C81D, 0x99CC99FF, 0x580358ED, 0x196F199A, 0x0E080E0A, 0x95BF957E,
-    0x70407050, 0xF7E7F730, 0x6E2B6ECF, 0x1FE21F6E, 0xB579B53D, 0x090C090F,
-    0x61AA6134, 0x57825716, 0x9F419F0B, 0x9D3A9D80, 0x11EA1164, 0x25B925CD,
-    0xAFE4AFDD, 0x459A4508, 0xDFA4DF8D, 0xA397A35C, 0xEA7EEAD5, 0x35DA3558,
-    0xED7AEDD0, 0x431743FC, 0xF866F8CB, 0xFB94FBB1, 0x37A137D3, 0xFA1DFA40,
-    0xC23DC268, 0xB4F0B4CC, 0x32DE325D, 0x9CB39C71, 0x560B56E7, 0xE372E3DA,
-    0x87A78760, 0x151C151B, 0xF9EFF93A, 0x63D163BF, 0x345334A9, 0x9A3E9A85,
-    0xB18FB142, 0x7C337CD1, 0x8826889B, 0x3D5F3DA6, 0xA1ECA1D7, 0xE476E4DF,
-    0x812A8194, 0x91499101, 0x0F810FFB, 0xEE88EEAA, 0x16EE1661, 0xD721D773,
-    0x97C497F5, 0xA51AA5A8, 0xFEEBFE3F, 0x6DD96DB5, 0x78C578AE, 0xC539C56D,
-    0x1D991DE5, 0x76CD76A4, 0x3EAD3EDC, 0xCB31CB67, 0xB68BB647, 0xEF01EF5B,
-    0x1218121E, 0x602360C5, 0x6ADD6AB0, 0x4D1F4DF6, 0xCE4ECEE9, 0xDE2DDE7C,
-    0x55F9559D, 0x7E487E5A, 0x214F21B2, 0x03F2037A, 0xA065A026, 0x5E8E5E19,
-    0x5A785A66, 0x655C654B, 0x6258624E, 0xFD19FD45, 0x068D06F4, 0x40E54086,
-    0xF298F2BE, 0x335733AC, 0x17671790, 0x057F058E, 0xE805E85E, 0x4F644F7D,
-    0x89AF896A, 0x10631095, 0x74B6742F, 0x0AFE0A75, 0x5CF55C92, 0x9BB79B74,
-    0x2D3C2D33, 0x30A530D6, 0x2ECE2E49, 0x49E94989, 0x46684672, 0x77447755,
-    0xA8E0A8D8, 0x964D9604, 0x284328BD, 0xA969A929, 0xD929D979, 0x862E8691,
-    0xD1ACD187, 0xF415F44A, 0x8D598D15, 0xD6A8D682, 0xB90AB9BC, 0x429E420D,
-    0xF66EF6C1, 0x2F472FB8, 0xDDDFDD06, 0x23342339, 0xCC35CC62, 0xF16AF1C4,
-    0xC1CFC112, 0x85DC85EB, 0x8F228F9E, 0x71C971A1, 0x90C090F0, 0xAA9BAA53,
-    0x018901F1, 0x8BD48BE1, 0x4EED4E8C, 0x8EAB8E6F, 0xAB12ABA2, 0x6FA26F3E,
-    0xE60DE654, 0xDB52DBF2, 0x92BB927B, 0xB702B7B6, 0x692F69CA, 0x39A939D9,
-    0xD3D7D30C, 0xA761A723, 0xA21EA2AD, 0xC3B4C399, 0x6C506C44, 0x07040705,
-    0x04F6047F, 0x27C22746, 0xAC16ACA7, 0xD025D076, 0x50865013, 0xDC56DCF7,
-    0x8455841A, 0xE109E151, 0x7ABE7A25, 0x139113EF},
-
-   {0xD939A9D9, 0x90176790, 0x719CB371, 0xD2A6E8D2, 0x05070405, 0x9852FD98,
-    0x6580A365, 0xDFE476DF, 0x08459A08, 0x024B9202, 0xA0E080A0, 0x665A7866,
-    0xDDAFE4DD, 0xB06ADDB0, 0xBF63D1BF, 0x362A3836, 0x54E60D54, 0x4320C643,
-    0x62CC3562, 0xBEF298BE, 0x1E12181E, 0x24EBF724, 0xD7A1ECD7, 0x77416C77,
-    0xBD2843BD, 0x32BC7532, 0xD47B37D4, 0x9B88269B, 0x700DFA70, 0xF94413F9,
-    0xB1FB94B1, 0x5A7E485A, 0x7A03F27A, 0xE48CD0E4, 0x47B68B47, 0x3C24303C,
-    0xA5E784A5, 0x416B5441, 0x06DDDF06, 0xC56023C5, 0x45FD1945, 0xA33A5BA3,
-    0x68C23D68, 0x158D5915, 0x21ECF321, 0x3166AE31, 0x3E6FA23E, 0x16578216,
-    0x95106395, 0x5BEF015B, 0x4DB8834D, 0x91862E91, 0xB56DD9B5, 0x1F83511F,
-    0x53AA9B53, 0x635D7C63, 0x3B68A63B, 0x3FFEEB3F, 0xD630A5D6, 0x257ABE25,
-    0xA7AC16A7, 0x0F090C0F, 0x35F0E335, 0x23A76123, 0xF090C0F0, 0xAFE98CAF,
-    0x809D3A80, 0x925CF592, 0x810C7381, 0x27312C27, 0x76D02576, 0xE7560BE7,
-    0x7B92BB7B, 0xE9CE4EE9, 0xF10189F1, 0x9F1E6B9F, 0xA93453A9, 0xC4F16AC4,
-    0x99C3B499, 0x975BF197, 0x8347E183, 0x6B18E66B, 0xC822BDC8, 0x0E98450E,
-    0x6E1FE26E, 0xC9B3F4C9, 0x2F74B62F, 0xCBF866CB, 0xFF99CCFF, 0xEA1495EA,
-    0xED5803ED, 0xF7DC56F7, 0xE18BD4E1, 0x1B151C1B, 0xADA21EAD, 0x0CD3D70C,
-    0x2BE2FB2B, 0x1DC8C31D, 0x195E8E19, 0xC22CB5C2, 0x8949E989, 0x12C1CF12,
-    0x7E95BF7E, 0x207DBA20, 0x6411EA64, 0x840B7784, 0x6DC5396D, 0x6A89AF6A,
-    0xD17C33D1, 0xA171C9A1, 0xCEFF62CE, 0x37BB7137, 0xFB0F81FB, 0x3DB5793D,
-    0x51E10951, 0xDC3EADDC, 0x2D3F242D, 0xA476CDA4, 0x9D55F99D, 0xEE82D8EE,
-    0x8640E586, 0xAE78C5AE, 0xCD25B9CD, 0x04964D04, 0x55774455, 0x0A0E080A,
-    0x13508613, 0x30F7E730, 0xD337A1D3, 0x40FA1D40, 0x3461AA34, 0x8C4EED8C,
-    0xB3B006B3, 0x6C54706C, 0x2A73B22A, 0x523BD252, 0x0B9F410B, 0x8B027B8B,
-    0x88D8A088, 0x4FF3114F, 0x67CB3167, 0x4627C246, 0xC06727C0, 0xB4FC90B4,
-    0x28382028, 0x7F04F67F, 0x78486078, 0x2EE5FF2E, 0x074C9607, 0x4B655C4B,
-    0xC72BB1C7, 0x6F8EAB6F, 0x0D429E0D, 0xBBF59CBB, 0xF2DB52F2, 0xF34A1BF3,
-    0xA63D5FA6, 0x59A49359, 0xBCB90ABC, 0x3AF9EF3A, 0xEF1391EF, 0xFE0885FE,
-    0x01914901, 0x6116EE61, 0x7CDE2D7C, 0xB2214FB2, 0x42B18F42, 0xDB723BDB,
-    0xB82F47B8, 0x48BF8748, 0x2CAE6D2C, 0xE3C046E3, 0x573CD657, 0x859A3E85,
-    0x29A96929, 0x7D4F647D, 0x94812A94, 0x492ECE49, 0x17C6CB17, 0xCA692FCA,
-    0xC3BDFCC3, 0x5CA3975C, 0x5EE8055E, 0xD0ED7AD0, 0x87D1AC87, 0x8E057F8E,
-    0xBA64D5BA, 0xA8A51AA8, 0xB7264BB7, 0xB9BE0EB9, 0x6087A760, 0xF8D55AF8,
-    0x22362822, 0x111B1411, 0xDE753FDE, 0x79D92979, 0xAAEE88AA, 0x332D3C33,
-    0x5F794C5F, 0xB6B702B6, 0x96CAB896, 0x5835DA58, 0x9CC4B09C, 0xFC4317FC,
-    0x1A84551A, 0xF64D1FF6, 0x1C598A1C, 0x38B27D38, 0xAC3357AC, 0x18CFC718,
-    0xF4068DF4, 0x69537469, 0x749BB774, 0xF597C4F5, 0x56AD9F56, 0xDAE372DA,
-    0xD5EA7ED5, 0x4AF4154A, 0x9E8F229E, 0xA2AB12A2, 0x4E62584E, 0xE85F07E8,
-    0xE51D99E5, 0x39233439, 0xC1F66EC1, 0x446C5044, 0x5D32DE5D, 0x72466872,
-    0x26A06526, 0x93CDBC93, 0x03DADB03, 0xC6BAF8C6, 0xFA9EC8FA, 0x82D6A882,
-    0xCF6E2BCF, 0x50704050, 0xEB85DCEB, 0x750AFE75, 0x8A93328A, 0x8DDFA48D,
-    0x4C29CA4C, 0x141C1014, 0x73D72173, 0xCCB4F0CC, 0x09D4D309, 0x108A5D10,
-    0xE2510FE2, 0x00000000, 0x9A196F9A, 0xE01A9DE0, 0x8F94368F, 0xE6C742E6,
-    0xECC94AEC, 0xFDD25EFD, 0xAB7FC1AB, 0xD8A8E0D8}
-};
-
-/* The exp_to_poly and poly_to_exp tables are used to perform efficient
- * operations in GF(2^8) represented as GF(2)[x]/w(x) where
- * w(x)=x^8+x^6+x^3+x^2+1.  We care about doing that because it's part of the
- * definition of the RS matrix in the key schedule.  Elements of that field
- * are polynomials of degree not greater than 7 and all coefficients 0 or 1,
- * which can be represented naturally by bytes (just substitute x=2).  In that
- * form, GF(2^8) addition is the same as bitwise XOR, but GF(2^8)
- * multiplication is inefficient without hardware support.  To multiply
- * faster, I make use of the fact x is a generator for the nonzero elements,
- * so that every element p of GF(2)[x]/w(x) is either 0 or equal to (x)^n for
- * some n in 0..254.  Note that that caret is exponentiation in GF(2^8),
- * *not* polynomial notation.  So if I want to compute pq where p and q are
- * in GF(2^8), I can just say:
- *    1. if p=0 or q=0 then pq=0
- *    2. otherwise, find m and n such that p=x^m and q=x^n
- *    3. pq=(x^m)(x^n)=x^(m+n), so add m and n and find pq
- * The translations in steps 2 and 3 are looked up in the tables
- * poly_to_exp (for step 2) and exp_to_poly (for step 3).  To see this
- * in action, look at the CALC_S macro.  As additional wrinkles, note that
- * one of my operands is always a constant, so the poly_to_exp lookup on it
- * is done in advance; I included the original values in the comments so
- * readers can have some chance of recognizing that this *is* the RS matrix
- * from the Twofish paper.  I've only included the table entries I actually
- * need; I never do a lookup on a variable input of zero and the biggest
- * exponents I'll ever see are 254 (variable) and 237 (constant), so they'll
- * never sum to more than 491.	I'm repeating part of the exp_to_poly table
- * so that I don't have to do mod-255 reduction in the exponent arithmetic.
- * Since I know my constant operands are never zero, I only have to worry
- * about zero values in the variable operand, and I do it with a simple
- * conditional branch.	I know conditionals are expensive, but I couldn't
- * see a non-horrible way of avoiding them, and I did manage to group the
- * statements so that each if covers four group multiplications. */
-
-static const u8 poly_to_exp[255] = {
-   0x00, 0x01, 0x17, 0x02, 0x2E, 0x18, 0x53, 0x03, 0x6A, 0x2F, 0x93, 0x19,
-   0x34, 0x54, 0x45, 0x04, 0x5C, 0x6B, 0xB6, 0x30, 0xA6, 0x94, 0x4B, 0x1A,
-   0x8C, 0x35, 0x81, 0x55, 0xAA, 0x46, 0x0D, 0x05, 0x24, 0x5D, 0x87, 0x6C,
-   0x9B, 0xB7, 0xC1, 0x31, 0x2B, 0xA7, 0xA3, 0x95, 0x98, 0x4C, 0xCA, 0x1B,
-   0xE6, 0x8D, 0x73, 0x36, 0xCD, 0x82, 0x12, 0x56, 0x62, 0xAB, 0xF0, 0x47,
-   0x4F, 0x0E, 0xBD, 0x06, 0xD4, 0x25, 0xD2, 0x5E, 0x27, 0x88, 0x66, 0x6D,
-   0xD6, 0x9C, 0x79, 0xB8, 0x08, 0xC2, 0xDF, 0x32, 0x68, 0x2C, 0xFD, 0xA8,
-   0x8A, 0xA4, 0x5A, 0x96, 0x29, 0x99, 0x22, 0x4D, 0x60, 0xCB, 0xE4, 0x1C,
-   0x7B, 0xE7, 0x3B, 0x8E, 0x9E, 0x74, 0xF4, 0x37, 0xD8, 0xCE, 0xF9, 0x83,
-   0x6F, 0x13, 0xB2, 0x57, 0xE1, 0x63, 0xDC, 0xAC, 0xC4, 0xF1, 0xAF, 0x48,
-   0x0A, 0x50, 0x42, 0x0F, 0xBA, 0xBE, 0xC7, 0x07, 0xDE, 0xD5, 0x78, 0x26,
-   0x65, 0xD3, 0xD1, 0x5F, 0xE3, 0x28, 0x21, 0x89, 0x59, 0x67, 0xFC, 0x6E,
-   0xB1, 0xD7, 0xF8, 0x9D, 0xF3, 0x7A, 0x3A, 0xB9, 0xC6, 0x09, 0x41, 0xC3,
-   0xAE, 0xE0, 0xDB, 0x33, 0x44, 0x69, 0x92, 0x2D, 0x52, 0xFE, 0x16, 0xA9,
-   0x0C, 0x8B, 0x80, 0xA5, 0x4A, 0x5B, 0xB5, 0x97, 0xC9, 0x2A, 0xA2, 0x9A,
-   0xC0, 0x23, 0x86, 0x4E, 0xBC, 0x61, 0xEF, 0xCC, 0x11, 0xE5, 0x72, 0x1D,
-   0x3D, 0x7C, 0xEB, 0xE8, 0xE9, 0x3C, 0xEA, 0x8F, 0x7D, 0x9F, 0xEC, 0x75,
-   0x1E, 0xF5, 0x3E, 0x38, 0xF6, 0xD9, 0x3F, 0xCF, 0x76, 0xFA, 0x1F, 0x84,
-   0xA0, 0x70, 0xED, 0x14, 0x90, 0xB3, 0x7E, 0x58, 0xFB, 0xE2, 0x20, 0x64,
-   0xD0, 0xDD, 0x77, 0xAD, 0xDA, 0xC5, 0x40, 0xF2, 0x39, 0xB0, 0xF7, 0x49,
-   0xB4, 0x0B, 0x7F, 0x51, 0x15, 0x43, 0x91, 0x10, 0x71, 0xBB, 0xEE, 0xBF,
-   0x85, 0xC8, 0xA1
-};
-
-static const u8 exp_to_poly[492] = {
-   0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x4D, 0x9A, 0x79, 0xF2,
-   0xA9, 0x1F, 0x3E, 0x7C, 0xF8, 0xBD, 0x37, 0x6E, 0xDC, 0xF5, 0xA7, 0x03,
-   0x06, 0x0C, 0x18, 0x30, 0x60, 0xC0, 0xCD, 0xD7, 0xE3, 0x8B, 0x5B, 0xB6,
-   0x21, 0x42, 0x84, 0x45, 0x8A, 0x59, 0xB2, 0x29, 0x52, 0xA4, 0x05, 0x0A,
-   0x14, 0x28, 0x50, 0xA0, 0x0D, 0x1A, 0x34, 0x68, 0xD0, 0xED, 0x97, 0x63,
-   0xC6, 0xC1, 0xCF, 0xD3, 0xEB, 0x9B, 0x7B, 0xF6, 0xA1, 0x0F, 0x1E, 0x3C,
-   0x78, 0xF0, 0xAD, 0x17, 0x2E, 0x5C, 0xB8, 0x3D, 0x7A, 0xF4, 0xA5, 0x07,
-   0x0E, 0x1C, 0x38, 0x70, 0xE0, 0x8D, 0x57, 0xAE, 0x11, 0x22, 0x44, 0x88,
-   0x5D, 0xBA, 0x39, 0x72, 0xE4, 0x85, 0x47, 0x8E, 0x51, 0xA2, 0x09, 0x12,
-   0x24, 0x48, 0x90, 0x6D, 0xDA, 0xF9, 0xBF, 0x33, 0x66, 0xCC, 0xD5, 0xE7,
-   0x83, 0x4B, 0x96, 0x61, 0xC2, 0xC9, 0xDF, 0xF3, 0xAB, 0x1B, 0x36, 0x6C,
-   0xD8, 0xFD, 0xB7, 0x23, 0x46, 0x8C, 0x55, 0xAA, 0x19, 0x32, 0x64, 0xC8,
-   0xDD, 0xF7, 0xA3, 0x0B, 0x16, 0x2C, 0x58, 0xB0, 0x2D, 0x5A, 0xB4, 0x25,
-   0x4A, 0x94, 0x65, 0xCA, 0xD9, 0xFF, 0xB3, 0x2B, 0x56, 0xAC, 0x15, 0x2A,
-   0x54, 0xA8, 0x1D, 0x3A, 0x74, 0xE8, 0x9D, 0x77, 0xEE, 0x91, 0x6F, 0xDE,
-   0xF1, 0xAF, 0x13, 0x26, 0x4C, 0x98, 0x7D, 0xFA, 0xB9, 0x3F, 0x7E, 0xFC,
-   0xB5, 0x27, 0x4E, 0x9C, 0x75, 0xEA, 0x99, 0x7F, 0xFE, 0xB1, 0x2F, 0x5E,
-   0xBC, 0x35, 0x6A, 0xD4, 0xE5, 0x87, 0x43, 0x86, 0x41, 0x82, 0x49, 0x92,
-   0x69, 0xD2, 0xE9, 0x9F, 0x73, 0xE6, 0x81, 0x4F, 0x9E, 0x71, 0xE2, 0x89,
-   0x5F, 0xBE, 0x31, 0x62, 0xC4, 0xC5, 0xC7, 0xC3, 0xCB, 0xDB, 0xFB, 0xBB,
-   0x3B, 0x76, 0xEC, 0x95, 0x67, 0xCE, 0xD1, 0xEF, 0x93, 0x6B, 0xD6, 0xE1,
-   0x8F, 0x53, 0xA6, 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x4D,
-   0x9A, 0x79, 0xF2, 0xA9, 0x1F, 0x3E, 0x7C, 0xF8, 0xBD, 0x37, 0x6E, 0xDC,
-   0xF5, 0xA7, 0x03, 0x06, 0x0C, 0x18, 0x30, 0x60, 0xC0, 0xCD, 0xD7, 0xE3,
-   0x8B, 0x5B, 0xB6, 0x21, 0x42, 0x84, 0x45, 0x8A, 0x59, 0xB2, 0x29, 0x52,
-   0xA4, 0x05, 0x0A, 0x14, 0x28, 0x50, 0xA0, 0x0D, 0x1A, 0x34, 0x68, 0xD0,
-   0xED, 0x97, 0x63, 0xC6, 0xC1, 0xCF, 0xD3, 0xEB, 0x9B, 0x7B, 0xF6, 0xA1,
-   0x0F, 0x1E, 0x3C, 0x78, 0xF0, 0xAD, 0x17, 0x2E, 0x5C, 0xB8, 0x3D, 0x7A,
-   0xF4, 0xA5, 0x07, 0x0E, 0x1C, 0x38, 0x70, 0xE0, 0x8D, 0x57, 0xAE, 0x11,
-   0x22, 0x44, 0x88, 0x5D, 0xBA, 0x39, 0x72, 0xE4, 0x85, 0x47, 0x8E, 0x51,
-   0xA2, 0x09, 0x12, 0x24, 0x48, 0x90, 0x6D, 0xDA, 0xF9, 0xBF, 0x33, 0x66,
-   0xCC, 0xD5, 0xE7, 0x83, 0x4B, 0x96, 0x61, 0xC2, 0xC9, 0xDF, 0xF3, 0xAB,
-   0x1B, 0x36, 0x6C, 0xD8, 0xFD, 0xB7, 0x23, 0x46, 0x8C, 0x55, 0xAA, 0x19,
-   0x32, 0x64, 0xC8, 0xDD, 0xF7, 0xA3, 0x0B, 0x16, 0x2C, 0x58, 0xB0, 0x2D,
-   0x5A, 0xB4, 0x25, 0x4A, 0x94, 0x65, 0xCA, 0xD9, 0xFF, 0xB3, 0x2B, 0x56,
-   0xAC, 0x15, 0x2A, 0x54, 0xA8, 0x1D, 0x3A, 0x74, 0xE8, 0x9D, 0x77, 0xEE,
-   0x91, 0x6F, 0xDE, 0xF1, 0xAF, 0x13, 0x26, 0x4C, 0x98, 0x7D, 0xFA, 0xB9,
-   0x3F, 0x7E, 0xFC, 0xB5, 0x27, 0x4E, 0x9C, 0x75, 0xEA, 0x99, 0x7F, 0xFE,
-   0xB1, 0x2F, 0x5E, 0xBC, 0x35, 0x6A, 0xD4, 0xE5, 0x87, 0x43, 0x86, 0x41,
-   0x82, 0x49, 0x92, 0x69, 0xD2, 0xE9, 0x9F, 0x73, 0xE6, 0x81, 0x4F, 0x9E,
-   0x71, 0xE2, 0x89, 0x5F, 0xBE, 0x31, 0x62, 0xC4, 0xC5, 0xC7, 0xC3, 0xCB
-};
-
-
-/* The table constants are indices of
- * S-box entries, preprocessed through q0 and q1. */
-static const u8 calc_sb_tbl[512] = {
-    0xA9, 0x75, 0x67, 0xF3, 0xB3, 0xC6, 0xE8, 0xF4,
-    0x04, 0xDB, 0xFD, 0x7B, 0xA3, 0xFB, 0x76, 0xC8,
-    0x9A, 0x4A, 0x92, 0xD3, 0x80, 0xE6, 0x78, 0x6B,
-    0xE4, 0x45, 0xDD, 0x7D, 0xD1, 0xE8, 0x38, 0x4B,
-    0x0D, 0xD6, 0xC6, 0x32, 0x35, 0xD8, 0x98, 0xFD,
-    0x18, 0x37, 0xF7, 0x71, 0xEC, 0xF1, 0x6C, 0xE1,
-    0x43, 0x30, 0x75, 0x0F, 0x37, 0xF8, 0x26, 0x1B,
-    0xFA, 0x87, 0x13, 0xFA, 0x94, 0x06, 0x48, 0x3F,
-    0xF2, 0x5E, 0xD0, 0xBA, 0x8B, 0xAE, 0x30, 0x5B,
-    0x84, 0x8A, 0x54, 0x00, 0xDF, 0xBC, 0x23, 0x9D,
-    0x19, 0x6D, 0x5B, 0xC1, 0x3D, 0xB1, 0x59, 0x0E,
-    0xF3, 0x80, 0xAE, 0x5D, 0xA2, 0xD2, 0x82, 0xD5,
-    0x63, 0xA0, 0x01, 0x84, 0x83, 0x07, 0x2E, 0x14,
-    0xD9, 0xB5, 0x51, 0x90, 0x9B, 0x2C, 0x7C, 0xA3,
-    0xA6, 0xB2, 0xEB, 0x73, 0xA5, 0x4C, 0xBE, 0x54,
-    0x16, 0x92, 0x0C, 0x74, 0xE3, 0x36, 0x61, 0x51,
-    0xC0, 0x38, 0x8C, 0xB0, 0x3A, 0xBD, 0xF5, 0x5A,
-    0x73, 0xFC, 0x2C, 0x60, 0x25, 0x62, 0x0B, 0x96,
-    0xBB, 0x6C, 0x4E, 0x42, 0x89, 0xF7, 0x6B, 0x10,
-    0x53, 0x7C, 0x6A, 0x28, 0xB4, 0x27, 0xF1, 0x8C,
-    0xE1, 0x13, 0xE6, 0x95, 0xBD, 0x9C, 0x45, 0xC7,
-    0xE2, 0x24, 0xF4, 0x46, 0xB6, 0x3B, 0x66, 0x70,
-    0xCC, 0xCA, 0x95, 0xE3, 0x03, 0x85, 0x56, 0xCB,
-    0xD4, 0x11, 0x1C, 0xD0, 0x1E, 0x93, 0xD7, 0xB8,
-    0xFB, 0xA6, 0xC3, 0x83, 0x8E, 0x20, 0xB5, 0xFF,
-    0xE9, 0x9F, 0xCF, 0x77, 0xBF, 0xC3, 0xBA, 0xCC,
-    0xEA, 0x03, 0x77, 0x6F, 0x39, 0x08, 0xAF, 0xBF,
-    0x33, 0x40, 0xC9, 0xE7, 0x62, 0x2B, 0x71, 0xE2,
-    0x81, 0x79, 0x79, 0x0C, 0x09, 0xAA, 0xAD, 0x82,
-    0x24, 0x41, 0xCD, 0x3A, 0xF9, 0xEA, 0xD8, 0xB9,
-    0xE5, 0xE4, 0xC5, 0x9A, 0xB9, 0xA4, 0x4D, 0x97,
-    0x44, 0x7E, 0x08, 0xDA, 0x86, 0x7A, 0xE7, 0x17,
-    0xA1, 0x66, 0x1D, 0x94, 0xAA, 0xA1, 0xED, 0x1D,
-    0x06, 0x3D, 0x70, 0xF0, 0xB2, 0xDE, 0xD2, 0xB3,
-    0x41, 0x0B, 0x7B, 0x72, 0xA0, 0xA7, 0x11, 0x1C,
-    0x31, 0xEF, 0xC2, 0xD1, 0x27, 0x53, 0x90, 0x3E,
-    0x20, 0x8F, 0xF6, 0x33, 0x60, 0x26, 0xFF, 0x5F,
-    0x96, 0xEC, 0x5C, 0x76, 0xB1, 0x2A, 0xAB, 0x49,
-    0x9E, 0x81, 0x9C, 0x88, 0x52, 0xEE, 0x1B, 0x21,
-    0x5F, 0xC4, 0x93, 0x1A, 0x0A, 0xEB, 0xEF, 0xD9,
-    0x91, 0xC5, 0x85, 0x39, 0x49, 0x99, 0xEE, 0xCD,
-    0x2D, 0xAD, 0x4F, 0x31, 0x8F, 0x8B, 0x3B, 0x01,
-    0x47, 0x18, 0x87, 0x23, 0x6D, 0xDD, 0x46, 0x1F,
-    0xD6, 0x4E, 0x3E, 0x2D, 0x69, 0xF9, 0x64, 0x48,
-    0x2A, 0x4F, 0xCE, 0xF2, 0xCB, 0x65, 0x2F, 0x8E,
-    0xFC, 0x78, 0x97, 0x5C, 0x05, 0x58, 0x7A, 0x19,
-    0xAC, 0x8D, 0x7F, 0xE5, 0xD5, 0x98, 0x1A, 0x57,
-    0x4B, 0x67, 0x0E, 0x7F, 0xA7, 0x05, 0x5A, 0x64,
-    0x28, 0xAF, 0x14, 0x63, 0x3F, 0xB6, 0x29, 0xFE,
-    0x88, 0xF5, 0x3C, 0xB7, 0x4C, 0x3C, 0x02, 0xA5,
-    0xB8, 0xCE, 0xDA, 0xE9, 0xB0, 0x68, 0x17, 0x44,
-    0x55, 0xE0, 0x1F, 0x4D, 0x8A, 0x43, 0x7D, 0x69,
-    0x57, 0x29, 0xC7, 0x2E, 0x8D, 0xAC, 0x74, 0x15,
-    0xB7, 0x59, 0xC4, 0xA8, 0x9F, 0x0A, 0x72, 0x9E,
-    0x7E, 0x6E, 0x15, 0x47, 0x22, 0xDF, 0x12, 0x34,
-    0x58, 0x35, 0x07, 0x6A, 0x99, 0xCF, 0x34, 0xDC,
-    0x6E, 0x22, 0x50, 0xC9, 0xDE, 0xC0, 0x68, 0x9B,
-    0x65, 0x89, 0xBC, 0xD4, 0xDB, 0xED, 0xF8, 0xAB,
-    0xC8, 0x12, 0xA8, 0xA2, 0x2B, 0x0D, 0x40, 0x52,
-    0xDC, 0xBB, 0xFE, 0x02, 0x32, 0x2F, 0xA4, 0xA9,
-    0xCA, 0xD7, 0x10, 0x61, 0x21, 0x1E, 0xF0, 0xB4,
-    0xD3, 0x50, 0x5D, 0x04, 0x0F, 0xF6, 0x00, 0xC2,
-    0x6F, 0x16, 0x9D, 0x25, 0x36, 0x86, 0x42, 0x56,
-    0x4A, 0x55, 0x5E, 0x09, 0xC1, 0xBE, 0xE0, 0x91
-};
-
-/* Macro to perform one column of the RS matrix multiplication.  The
- * parameters a, b, c, and d are the four bytes of output; i is the index
- * of the key bytes, and w, x, y, and z, are the column of constants from
- * the RS matrix, preprocessed through the poly_to_exp table. */
-
-#define CALC_S(a, b, c, d, i, w, x, y, z) \
-   if (key[i]) { \
-      tmp = poly_to_exp[key[i] - 1]; \
-      (a) ^= exp_to_poly[tmp + (w)]; \
-      (b) ^= exp_to_poly[tmp + (x)]; \
-      (c) ^= exp_to_poly[tmp + (y)]; \
-      (d) ^= exp_to_poly[tmp + (z)]; \
-   }
-
-/* Macros to calculate the key-dependent S-boxes for a 128-bit key using
- * the S vector from CALC_S.  CALC_SB_2 computes a single entry in all
- * four S-boxes, where i is the index of the entry to compute, and a and b
- * are the index numbers preprocessed through the q0 and q1 tables
- * respectively. */
-
-#define CALC_SB_2(i, a, b) \
-   ctx->s[0][i] = mds[0][q0[(a) ^ sa] ^ se]; \
-   ctx->s[1][i] = mds[1][q0[(b) ^ sb] ^ sf]; \
-   ctx->s[2][i] = mds[2][q1[(a) ^ sc] ^ sg]; \
-   ctx->s[3][i] = mds[3][q1[(b) ^ sd] ^ sh]
-
-/* Macro exactly like CALC_SB_2, but for 192-bit keys. */
-
-#define CALC_SB192_2(i, a, b) \
-   ctx->s[0][i] = mds[0][q0[q0[(b) ^ sa] ^ se] ^ si]; \
-   ctx->s[1][i] = mds[1][q0[q1[(b) ^ sb] ^ sf] ^ sj]; \
-   ctx->s[2][i] = mds[2][q1[q0[(a) ^ sc] ^ sg] ^ sk]; \
-   ctx->s[3][i] = mds[3][q1[q1[(a) ^ sd] ^ sh] ^ sl];
-
-/* Macro exactly like CALC_SB_2, but for 256-bit keys. */
-
-#define CALC_SB256_2(i, a, b) \
-   ctx->s[0][i] = mds[0][q0[q0[q1[(b) ^ sa] ^ se] ^ si] ^ sm]; \
-   ctx->s[1][i] = mds[1][q0[q1[q1[(a) ^ sb] ^ sf] ^ sj] ^ sn]; \
-   ctx->s[2][i] = mds[2][q1[q0[q0[(a) ^ sc] ^ sg] ^ sk] ^ so]; \
-   ctx->s[3][i] = mds[3][q1[q1[q0[(b) ^ sd] ^ sh] ^ sl] ^ sp];
-
-/* Macros to calculate the whitening and round subkeys.  CALC_K_2 computes the
- * last two stages of the h() function for a given index (either 2i or 2i+1).
- * a, b, c, and d are the four bytes going into the last two stages.  For
- * 128-bit keys, this is the entire h() function and a and c are the index
- * preprocessed through q0 and q1 respectively; for longer keys they are the
- * output of previous stages.  j is the index of the first key byte to use.
- * CALC_K computes a pair of subkeys for 128-bit Twofish, by calling CALC_K_2
- * twice, doing the Psuedo-Hadamard Transform, and doing the necessary
- * rotations.  Its parameters are: a, the array to write the results into,
- * j, the index of the first output entry, k and l, the preprocessed indices
- * for index 2i, and m and n, the preprocessed indices for index 2i+1.
- * CALC_K192_2 expands CALC_K_2 to handle 192-bit keys, by doing an
- * additional lookup-and-XOR stage.  The parameters a, b, c and d are the
- * four bytes going into the last three stages.  For 192-bit keys, c = d
- * are the index preprocessed through q0, and a = b are the index
- * preprocessed through q1; j is the index of the first key byte to use.
- * CALC_K192 is identical to CALC_K but for using the CALC_K192_2 macro
- * instead of CALC_K_2.
- * CALC_K256_2 expands CALC_K192_2 to handle 256-bit keys, by doing an
- * additional lookup-and-XOR stage.  The parameters a and b are the index
- * preprocessed through q0 and q1 respectively; j is the index of the first
- * key byte to use.  CALC_K256 is identical to CALC_K but for using the
- * CALC_K256_2 macro instead of CALC_K_2. */
-
-#define CALC_K_2(a, b, c, d, j) \
-     mds[0][q0[a ^ key[(j) + 8]] ^ key[j]] \
-   ^ mds[1][q0[b ^ key[(j) + 9]] ^ key[(j) + 1]] \
-   ^ mds[2][q1[c ^ key[(j) + 10]] ^ key[(j) + 2]] \
-   ^ mds[3][q1[d ^ key[(j) + 11]] ^ key[(j) + 3]]
-
-#define CALC_K(a, j, k, l, m, n) \
-   x = CALC_K_2 (k, l, k, l, 0); \
-   y = CALC_K_2 (m, n, m, n, 4); \
-   y = (y << 8) + (y >> 24); \
-   x += y; y += x; ctx->a[j] = x; \
-   ctx->a[(j) + 1] = (y << 9) + (y >> 23)
-
-#define CALC_K192_2(a, b, c, d, j) \
-   CALC_K_2 (q0[a ^ key[(j) + 16]], \
-	     q1[b ^ key[(j) + 17]], \
-	     q0[c ^ key[(j) + 18]], \
-	     q1[d ^ key[(j) + 19]], j)
-
-#define CALC_K192(a, j, k, l, m, n) \
-   x = CALC_K192_2 (l, l, k, k, 0); \
-   y = CALC_K192_2 (n, n, m, m, 4); \
-   y = (y << 8) + (y >> 24); \
-   x += y; y += x; ctx->a[j] = x; \
-   ctx->a[(j) + 1] = (y << 9) + (y >> 23)
-
-#define CALC_K256_2(a, b, j) \
-   CALC_K192_2 (q1[b ^ key[(j) + 24]], \
-	        q1[a ^ key[(j) + 25]], \
-	        q0[a ^ key[(j) + 26]], \
-	        q0[b ^ key[(j) + 27]], j)
-
-#define CALC_K256(a, j, k, l, m, n) \
-   x = CALC_K256_2 (k, l, 0); \
-   y = CALC_K256_2 (m, n, 4); \
-   y = (y << 8) + (y >> 24); \
-   x += y; y += x; ctx->a[j] = x; \
-   ctx->a[(j) + 1] = (y << 9) + (y >> 23)
-
-/* Perform the key setup. */
-
-int twofish_set_key (TWOFISH_context *ctx,
-			    const unsigned char *key, int key_len)
-{
-
-	int i, j, k;
-
-	/* Temporaries for CALC_K. */
-	u32 x, y;
-
-	/* The S vector used to key the S-boxes, split up into individual bytes.
-	 * 128-bit keys use only sa through sh; 256-bit use all of them. */
-	u8 sa = 0, sb = 0, sc = 0, sd = 0, se = 0, sf = 0, sg = 0, sh = 0;
-	u8 si = 0, sj = 0, sk = 0, sl = 0, sm = 0, sn = 0, so = 0, sp = 0;
-
-	/* Temporary for CALC_S. */
-	u8 tmp;
-
-	/* Check key length. */
-	if (key_len != 16 && key_len != 24 && key_len != 32)
-		return -1; /* unsupported key length */
-
-	/* Compute the first two words of the S vector.  The magic numbers are
-	 * the entries of the RS matrix, preprocessed through poly_to_exp. The
-	 * numbers in the comments are the original (polynomial form) matrix
-	 * entries. */
-	CALC_S (sa, sb, sc, sd, 0, 0x00, 0x2D, 0x01, 0x2D); /* 01 A4 02 A4 */
-	CALC_S (sa, sb, sc, sd, 1, 0x2D, 0xA4, 0x44, 0x8A); /* A4 56 A1 55 */
-	CALC_S (sa, sb, sc, sd, 2, 0x8A, 0xD5, 0xBF, 0xD1); /* 55 82 FC 87 */
-	CALC_S (sa, sb, sc, sd, 3, 0xD1, 0x7F, 0x3D, 0x99); /* 87 F3 C1 5A */
-	CALC_S (sa, sb, sc, sd, 4, 0x99, 0x46, 0x66, 0x96); /* 5A 1E 47 58 */
-	CALC_S (sa, sb, sc, sd, 5, 0x96, 0x3C, 0x5B, 0xED); /* 58 C6 AE DB */
-	CALC_S (sa, sb, sc, sd, 6, 0xED, 0x37, 0x4F, 0xE0); /* DB 68 3D 9E */
-	CALC_S (sa, sb, sc, sd, 7, 0xE0, 0xD0, 0x8C, 0x17); /* 9E E5 19 03 */
-	CALC_S (se, sf, sg, sh, 8, 0x00, 0x2D, 0x01, 0x2D); /* 01 A4 02 A4 */
-	CALC_S (se, sf, sg, sh, 9, 0x2D, 0xA4, 0x44, 0x8A); /* A4 56 A1 55 */
-	CALC_S (se, sf, sg, sh, 10, 0x8A, 0xD5, 0xBF, 0xD1); /* 55 82 FC 87 */
-	CALC_S (se, sf, sg, sh, 11, 0xD1, 0x7F, 0x3D, 0x99); /* 87 F3 C1 5A */
-	CALC_S (se, sf, sg, sh, 12, 0x99, 0x46, 0x66, 0x96); /* 5A 1E 47 58 */
-	CALC_S (se, sf, sg, sh, 13, 0x96, 0x3C, 0x5B, 0xED); /* 58 C6 AE DB */
-	CALC_S (se, sf, sg, sh, 14, 0xED, 0x37, 0x4F, 0xE0); /* DB 68 3D 9E */
-	CALC_S (se, sf, sg, sh, 15, 0xE0, 0xD0, 0x8C, 0x17); /* 9E E5 19 03 */
-
-	if (key_len == 24 || key_len == 32) { /* 192- or 256-bit key */
-		/* Calculate the third word of the S vector */
-		CALC_S (si, sj, sk, sl, 16, 0x00, 0x2D, 0x01, 0x2D); /* 01 A4 02 A4 */
-		CALC_S (si, sj, sk, sl, 17, 0x2D, 0xA4, 0x44, 0x8A); /* A4 56 A1 55 */
-		CALC_S (si, sj, sk, sl, 18, 0x8A, 0xD5, 0xBF, 0xD1); /* 55 82 FC 87 */
-		CALC_S (si, sj, sk, sl, 19, 0xD1, 0x7F, 0x3D, 0x99); /* 87 F3 C1 5A */
-		CALC_S (si, sj, sk, sl, 20, 0x99, 0x46, 0x66, 0x96); /* 5A 1E 47 58 */
-		CALC_S (si, sj, sk, sl, 21, 0x96, 0x3C, 0x5B, 0xED); /* 58 C6 AE DB */
-		CALC_S (si, sj, sk, sl, 22, 0xED, 0x37, 0x4F, 0xE0); /* DB 68 3D 9E */
-		CALC_S (si, sj, sk, sl, 23, 0xE0, 0xD0, 0x8C, 0x17); /* 9E E5 19 03 */
-	}
-
-	if (key_len == 32) { /* 256-bit key */
-		/* Calculate the fourth word of the S vector */
-		CALC_S (sm, sn, so, sp, 24, 0x00, 0x2D, 0x01, 0x2D); /* 01 A4 02 A4 */
-		CALC_S (sm, sn, so, sp, 25, 0x2D, 0xA4, 0x44, 0x8A); /* A4 56 A1 55 */
-		CALC_S (sm, sn, so, sp, 26, 0x8A, 0xD5, 0xBF, 0xD1); /* 55 82 FC 87 */
-		CALC_S (sm, sn, so, sp, 27, 0xD1, 0x7F, 0x3D, 0x99); /* 87 F3 C1 5A */
-		CALC_S (sm, sn, so, sp, 28, 0x99, 0x46, 0x66, 0x96); /* 5A 1E 47 58 */
-		CALC_S (sm, sn, so, sp, 29, 0x96, 0x3C, 0x5B, 0xED); /* 58 C6 AE DB */
-		CALC_S (sm, sn, so, sp, 30, 0xED, 0x37, 0x4F, 0xE0); /* DB 68 3D 9E */
-		CALC_S (sm, sn, so, sp, 31, 0xE0, 0xD0, 0x8C, 0x17); /* 9E E5 19 03 */
-
-		/* Compute the S-boxes. */
-		for ( i = j = 0, k = 1; i < 256; i++, j += 2, k += 2 ) {
-			CALC_SB256_2( i, calc_sb_tbl[j], calc_sb_tbl[k] );
-		}
-
-		/* Calculate whitening and round subkeys.  The constants are
-		 * indices of subkeys, preprocessed through q0 and q1. */
-		CALC_K256 (w, 0, 0xA9, 0x75, 0x67, 0xF3);
-		CALC_K256 (w, 2, 0xB3, 0xC6, 0xE8, 0xF4);
-		CALC_K256 (w, 4, 0x04, 0xDB, 0xFD, 0x7B);
-		CALC_K256 (w, 6, 0xA3, 0xFB, 0x76, 0xC8);
-		CALC_K256 (k, 0, 0x9A, 0x4A, 0x92, 0xD3);
-		CALC_K256 (k, 2, 0x80, 0xE6, 0x78, 0x6B);
-		CALC_K256 (k, 4, 0xE4, 0x45, 0xDD, 0x7D);
-		CALC_K256 (k, 6, 0xD1, 0xE8, 0x38, 0x4B);
-		CALC_K256 (k, 8, 0x0D, 0xD6, 0xC6, 0x32);
-		CALC_K256 (k, 10, 0x35, 0xD8, 0x98, 0xFD);
-		CALC_K256 (k, 12, 0x18, 0x37, 0xF7, 0x71);
-		CALC_K256 (k, 14, 0xEC, 0xF1, 0x6C, 0xE1);
-		CALC_K256 (k, 16, 0x43, 0x30, 0x75, 0x0F);
-		CALC_K256 (k, 18, 0x37, 0xF8, 0x26, 0x1B);
-		CALC_K256 (k, 20, 0xFA, 0x87, 0x13, 0xFA);
-		CALC_K256 (k, 22, 0x94, 0x06, 0x48, 0x3F);
-		CALC_K256 (k, 24, 0xF2, 0x5E, 0xD0, 0xBA);
-		CALC_K256 (k, 26, 0x8B, 0xAE, 0x30, 0x5B);
-		CALC_K256 (k, 28, 0x84, 0x8A, 0x54, 0x00);
-		CALC_K256 (k, 30, 0xDF, 0xBC, 0x23, 0x9D);
-	} else if (key_len == 24) { /* 192-bit key */
-		/* Compute the S-boxes. */
-		for ( i = j = 0, k = 1; i < 256; i++, j += 2, k += 2 ) {
-		        CALC_SB192_2( i, calc_sb_tbl[j], calc_sb_tbl[k] );
-		}
-
-		/* Calculate whitening and round subkeys.  The constants are
-		 * indices of subkeys, preprocessed through q0 and q1. */
-		CALC_K192 (w, 0, 0xA9, 0x75, 0x67, 0xF3);
-		CALC_K192 (w, 2, 0xB3, 0xC6, 0xE8, 0xF4);
-		CALC_K192 (w, 4, 0x04, 0xDB, 0xFD, 0x7B);
-		CALC_K192 (w, 6, 0xA3, 0xFB, 0x76, 0xC8);
-		CALC_K192 (k, 0, 0x9A, 0x4A, 0x92, 0xD3);
-		CALC_K192 (k, 2, 0x80, 0xE6, 0x78, 0x6B);
-		CALC_K192 (k, 4, 0xE4, 0x45, 0xDD, 0x7D);
-		CALC_K192 (k, 6, 0xD1, 0xE8, 0x38, 0x4B);
-		CALC_K192 (k, 8, 0x0D, 0xD6, 0xC6, 0x32);
-		CALC_K192 (k, 10, 0x35, 0xD8, 0x98, 0xFD);
-		CALC_K192 (k, 12, 0x18, 0x37, 0xF7, 0x71);
-		CALC_K192 (k, 14, 0xEC, 0xF1, 0x6C, 0xE1);
-		CALC_K192 (k, 16, 0x43, 0x30, 0x75, 0x0F);
-		CALC_K192 (k, 18, 0x37, 0xF8, 0x26, 0x1B);
-		CALC_K192 (k, 20, 0xFA, 0x87, 0x13, 0xFA);
-		CALC_K192 (k, 22, 0x94, 0x06, 0x48, 0x3F);
-		CALC_K192 (k, 24, 0xF2, 0x5E, 0xD0, 0xBA);
-		CALC_K192 (k, 26, 0x8B, 0xAE, 0x30, 0x5B);
-		CALC_K192 (k, 28, 0x84, 0x8A, 0x54, 0x00);
-		CALC_K192 (k, 30, 0xDF, 0xBC, 0x23, 0x9D);
-	} else { /* 128-bit key */
-		/* Compute the S-boxes. */
-		for ( i = j = 0, k = 1; i < 256; i++, j += 2, k += 2 ) {
-			CALC_SB_2( i, calc_sb_tbl[j], calc_sb_tbl[k] );
-		}
-
-		/* Calculate whitening and round subkeys.  The constants are
-		 * indices of subkeys, preprocessed through q0 and q1. */
-		CALC_K (w, 0, 0xA9, 0x75, 0x67, 0xF3);
-		CALC_K (w, 2, 0xB3, 0xC6, 0xE8, 0xF4);
-		CALC_K (w, 4, 0x04, 0xDB, 0xFD, 0x7B);
-		CALC_K (w, 6, 0xA3, 0xFB, 0x76, 0xC8);
-		CALC_K (k, 0, 0x9A, 0x4A, 0x92, 0xD3);
-		CALC_K (k, 2, 0x80, 0xE6, 0x78, 0x6B);
-		CALC_K (k, 4, 0xE4, 0x45, 0xDD, 0x7D);
-		CALC_K (k, 6, 0xD1, 0xE8, 0x38, 0x4B);
-		CALC_K (k, 8, 0x0D, 0xD6, 0xC6, 0x32);
-		CALC_K (k, 10, 0x35, 0xD8, 0x98, 0xFD);
-		CALC_K (k, 12, 0x18, 0x37, 0xF7, 0x71);
-		CALC_K (k, 14, 0xEC, 0xF1, 0x6C, 0xE1);
-		CALC_K (k, 16, 0x43, 0x30, 0x75, 0x0F);
-		CALC_K (k, 18, 0x37, 0xF8, 0x26, 0x1B);
-		CALC_K (k, 20, 0xFA, 0x87, 0x13, 0xFA);
-		CALC_K (k, 22, 0x94, 0x06, 0x48, 0x3F);
-		CALC_K (k, 24, 0xF2, 0x5E, 0xD0, 0xBA);
-		CALC_K (k, 26, 0x8B, 0xAE, 0x30, 0x5B);
-		CALC_K (k, 28, 0x84, 0x8A, 0x54, 0x00);
-		CALC_K (k, 30, 0xDF, 0xBC, 0x23, 0x9D);
-	}
-
-	return 0;
-}
-
-/* Macros to compute the g() function in the encryption and decryption
- * rounds.  G1 is the straight g() function; G2 includes the 8-bit
- * rotation for the high 32-bit word. */
-
-#define G1(a) \
-     (ctx->s[0][(a) & 0xFF]) ^ (ctx->s[1][((a) >> 8) & 0xFF]) \
-   ^ (ctx->s[2][((a) >> 16) & 0xFF]) ^ (ctx->s[3][(a) >> 24])
-
-#define G2(b) \
-     (ctx->s[1][(b) & 0xFF]) ^ (ctx->s[2][((b) >> 8) & 0xFF]) \
-   ^ (ctx->s[3][((b) >> 16) & 0xFF]) ^ (ctx->s[0][(b) >> 24])
-
-/* Encryption and decryption Feistel rounds.  Each one calls the two g()
- * macros, does the PHT, and performs the XOR and the appropriate bit
- * rotations.  The parameters are the round number (used to select subkeys),
- * and the four 32-bit chunks of the text. */
-
-#define ENCROUND(n, a, b, c, d) \
-   x = G1 (a); y = G2 (b); \
-   x += y; y += x + ctx->k[2 * (n) + 1]; \
-   (c) ^= x + ctx->k[2 * (n)]; \
-   (c) = ((c) >> 1) + ((c) << 31); \
-   (d) = (((d) << 1)+((d) >> 31)) ^ y
-
-#define DECROUND(n, a, b, c, d) \
-   x = G1 (a); y = G2 (b); \
-   x += y; y += x; \
-   (d) ^= y + ctx->k[2 * (n) + 1]; \
-   (d) = ((d) >> 1) + ((d) << 31); \
-   (c) = (((c) << 1)+((c) >> 31)); \
-   (c) ^= (x + ctx->k[2 * (n)])
-
-/* Encryption and decryption cycles; each one is simply two Feistel rounds
- * with the 32-bit chunks re-ordered to simulate the "swap" */
-
-#define ENCCYCLE(n) \
-   ENCROUND (2 * (n), a, b, c, d); \
-   ENCROUND (2 * (n) + 1, c, d, a, b)
-
-#define DECCYCLE(n) \
-   DECROUND (2 * (n) + 1, c, d, a, b); \
-   DECROUND (2 * (n), a, b, c, d)
-
-/* Macros to convert the input and output bytes into 32-bit words,
- * and simultaneously perform the whitening step.  INPACK packs word
- * number n into the variable named by x, using whitening subkey number m.
- * OUTUNPACK unpacks word number n from the variable named by x, using
- * whitening subkey number m. */
-
-#define INPACK(n, x, m) \
-   x = in[4 * (n)] ^ (in[4 * (n) + 1] << 8) \
-     ^ (in[4 * (n) + 2] << 16) ^ (in[4 * (n) + 3] << 24) ^ ctx->w[m]
-
-#define OUTUNPACK(n, x, m) \
-   x ^= ctx->w[m]; \
-   out[4 * (n)] = x; out[4 * (n) + 1] = x >> 8; \
-   out[4 * (n) + 2] = x >> 16; out[4 * (n) + 3] = x >> 24
-
-/* Encrypt one block.  in and out may be the same. */
-
-int twofish_encrypt (TWOFISH_context *ctx,
-			    const u8 *in, u8 *out)
-{
-	/* The four 32-bit chunks of the text. */
-	u32 a, b, c, d;
-	
-	/* Temporaries used by the round function. */
-	u32 x, y;
-	
-	/* Input whitening and packing. */
-	INPACK (0, a, 0);
-	INPACK (1, b, 1);
-	INPACK (2, c, 2);
-	INPACK (3, d, 3);
-	
-	/* Encryption Feistel cycles. */
-	ENCCYCLE (0);
-	ENCCYCLE (1);
-	ENCCYCLE (2);
-	ENCCYCLE (3);
-	ENCCYCLE (4);
-	ENCCYCLE (5);
-	ENCCYCLE (6);
-	ENCCYCLE (7);
-	
-	/* Output whitening and unpacking. */
-	OUTUNPACK (0, c, 4);
-	OUTUNPACK (1, d, 5);
-	OUTUNPACK (2, a, 6);
-	OUTUNPACK (3, b, 7);
-	
-	return 0;
-}
-
-/* Decrypt one block.  in and out may be the same. */
-
-int twofish_decrypt (TWOFISH_context *ctx,
-			    const u8 *in, u8 *out)
-{
-	/* The four 32-bit chunks of the text. */
-	u32 a, b, c, d;
-	
-	/* Temporaries used by the round function. */
-	u32 x, y;
-	
-	/* Input whitening and packing. */
-	INPACK (0, c, 4);
-	INPACK (1, d, 5);
-	INPACK (2, a, 6);
-	INPACK (3, b, 7);
-	
-	/* Encryption Feistel cycles. */
-	DECCYCLE (7);
-	DECCYCLE (6);
-	DECCYCLE (5);
-	DECCYCLE (4);
-	DECCYCLE (3);
-	DECCYCLE (2);
-	DECCYCLE (1);
-	DECCYCLE (0);
-
-	/* Output whitening and unpacking. */
-	OUTUNPACK (0, a, 0);
-	OUTUNPACK (1, b, 1);
-	OUTUNPACK (2, c, 2);
-	OUTUNPACK (3, d, 3);
-
-	return 0;
-}
-
-/* eof */
diff --git a/src/libcrypto/libtwofish/twofish.h b/src/libcrypto/libtwofish/twofish.h
deleted file mode 100644
index 9b289f265..000000000
--- a/src/libcrypto/libtwofish/twofish.h
+++ /dev/null
@@ -1,20 +0,0 @@
-#ifndef TWOFISH_H
-#define TWOFISH_H
-#ifdef __KERNEL__
-#include <linux/types.h>
-#else
-#include <sys/types.h>
-#endif
-/* Structure for an expanded Twofish key.  s contains the key-dependent
- * S-boxes composed with the MDS matrix; w contains the eight "whitening"
- * subkeys, K[0] through K[7].	k holds the remaining, "round" subkeys.  Note
- * that k[i] corresponds to what the Twofish paper calls K[i+8]. */
-typedef struct {
-   u_int32_t s[4][256], w[8], k[32];
-} TWOFISH_context;
-
-typedef TWOFISH_context twofish_context;
-int twofish_set_key(twofish_context *tf_ctx, const u_int8_t * in_key, int key_len);
-int twofish_encrypt(twofish_context *tf_ctx, const u_int8_t * in, u_int8_t * out);
-int twofish_decrypt(twofish_context * tf_ctx, const u_int8_t * in, u_int8_t * out);
-#endif /* TWOFISH_H */
diff --git a/src/libcrypto/libtwofish/twofish_cbc.c b/src/libcrypto/libtwofish/twofish_cbc.c
deleted file mode 100644
index 6e5cf9025..000000000
--- a/src/libcrypto/libtwofish/twofish_cbc.c
+++ /dev/null
@@ -1,8 +0,0 @@
-#ifdef __KERNEL__
-#include <linux/types.h>
-#else
-#include <sys/types.h>
-#endif
-#include "twofish_cbc.h"
-#include "cbc_generic.h"
-CBC_IMPL_BLK16(twofish_cbc_encrypt, twofish_context, u_int8_t *, twofish_encrypt, twofish_decrypt);
diff --git a/src/libcrypto/libtwofish/twofish_cbc.h b/src/libcrypto/libtwofish/twofish_cbc.h
deleted file mode 100644
index 9fdea3526..000000000
--- a/src/libcrypto/libtwofish/twofish_cbc.h
+++ /dev/null
@@ -1,3 +0,0 @@
-/* Glue header */
-#include "twofish.h"
-int twofish_cbc_encrypt(twofish_context *ctx, const u_int8_t * in, u_int8_t * out, int ilen, const u_int8_t* iv, int encrypt);
diff --git a/src/libfast/Makefile.in b/src/libfast/Makefile.in
index f56322500..98f5ddd88 100644
--- a/src/libfast/Makefile.in
+++ b/src/libfast/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -85,6 +85,7 @@ CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -107,6 +108,9 @@ LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -118,6 +122,7 @@ MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
 NM = @NM@
 NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
@@ -131,6 +136,8 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 RANLIB = @RANLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -191,6 +198,7 @@ oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
 plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -202,6 +210,7 @@ srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 xml_CFLAGS = @xml_CFLAGS@
@@ -223,8 +232,8 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
 	    *$$dep*) \
-	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
-		&& exit 0; \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
 	      exit 1;; \
 	  esac; \
 	done; \
@@ -320,7 +329,7 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
 	mkid -fID $$unique
 tags: TAGS
diff --git a/src/libfast/context.h b/src/libfast/context.h
index 3f21ea6f2..48b3c5e23 100644
--- a/src/libfast/context.h
+++ b/src/libfast/context.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: context.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/libfast/controller.h b/src/libfast/controller.h
index 9bfb04bab..55ba6f58a 100644
--- a/src/libfast/controller.h
+++ b/src/libfast/controller.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: controller.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/libfast/dispatcher.c b/src/libfast/dispatcher.c
index e87fd246f..35ae55814 100644
--- a/src/libfast/dispatcher.c
+++ b/src/libfast/dispatcher.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: dispatcher.c 3672 2008-03-27 10:24:37Z martin $
  */
 
 #include "dispatcher.h"
diff --git a/src/libfast/dispatcher.h b/src/libfast/dispatcher.h
index bcd1712ce..5b4e3f947 100644
--- a/src/libfast/dispatcher.h
+++ b/src/libfast/dispatcher.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: dispatcher.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/libfast/filter.h b/src/libfast/filter.h
index 614a2ef58..d2602db9d 100644
--- a/src/libfast/filter.h
+++ b/src/libfast/filter.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 /*
diff --git a/src/libfast/request.c b/src/libfast/request.c
index ec022d41e..96dfab8e7 100644
--- a/src/libfast/request.c
+++ b/src/libfast/request.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: request.c 3531 2008-03-06 09:50:56Z martin $
  */
 
 #define _GNU_SOURCE
diff --git a/src/libfast/request.h b/src/libfast/request.h
index 25fa5fc60..b9ea88830 100644
--- a/src/libfast/request.h
+++ b/src/libfast/request.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: request.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/libfast/session.c b/src/libfast/session.c
index cb2e736b8..455c8d5e1 100644
--- a/src/libfast/session.c
+++ b/src/libfast/session.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: session.c 4060 2008-06-11 14:11:01Z martin $
  */
 
 #define _GNU_SOURCE
diff --git a/src/libfast/session.h b/src/libfast/session.h
index a782a8fe4..524e60f46 100644
--- a/src/libfast/session.h
+++ b/src/libfast/session.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: session.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/libfreeswan/Makefile.am b/src/libfreeswan/Makefile.am
index d916fca17..44dd31577 100644
--- a/src/libfreeswan/Makefile.am
+++ b/src/libfreeswan/Makefile.am
@@ -1,19 +1,19 @@
 noinst_LIBRARIES = libfreeswan.a
 libfreeswan_a_SOURCES = addrtoa.c addrtot.c addrtypeof.c anyaddr.c atoaddr.c atoasr.c \
 			atosa.c atosubnet.c atoul.c copyright.c datatot.c freeswan.h \
-			goodmask.c initaddr.c initsaid.c initsubnet.c internal.h ipcomp.h \
-			ipsec_ah.h ipsec_alg.h ipsec_encap.h ipsec_eroute.h ipsec_errs.h \
-			ipsec_esp.h ipsec_ipe4.h ipsec_kversion.h ipsec_life.h ipsec_md5h.h \
-			ipsec_param.h ipsec_policy.h ipsec_proto.h ipsec_radij.h ipsec_rcv.h \
-			ipsec_sa.h ipsec_sha1.h ipsec_stats.h ipsec_tunnel.h ipsec_xform.h \
-			ipsec_xmit.h  keyblobtoid.c optionsfrom.c pfkey_v2_build.c pfkey_v2_debug.c \
-			pfkey_v2_ext_bits.c pfkey_v2_parse.c portof.c prng.c radij.h rangetoa.c \
+			goodmask.c initaddr.c initsaid.c initsubnet.c internal.h ipsec_param.h \
+			keyblobtoid.c pfkey_v2_build.c pfkey_v2_debug.c \
+			pfkey_v2_ext_bits.c pfkey_v2_parse.c portof.c prng.c rangetoa.c \
 			pfkey.h pfkeyv2.h rangetosubnet.c sameaddr.c satoa.c \
 			satot.c subnetof.c subnettoa.c subnettot.c \
 			subnettypeof.c ttoaddr.c ttodata.c ttoprotoport.c ttosa.c ttosubnet.c ttoul.c \
-			ultoa.c ultot.c version.c
-INCLUDES = -I$(top_srcdir)/src/pluto
+			ultoa.c ultot.c
+
+INCLUDES = \
+-I$(top_srcdir)/src/libstrongswan \
+-I$(top_srcdir)/src/pluto
+
 dist_man3_MANS = anyaddr.3 atoaddr.3 atoasr.3 atosa.3 atoul.3 goodmask.3 initaddr.3 initsubnet.3 \
-                 keyblobtoid.3 optionsfrom.3 portof.3 prng.3 rangetosubnet.3 sameaddr.3 subnetof.3 \
-                 ttoaddr.3 ttodata.3 ttosa.3 ttoul.3 version.3
+                 keyblobtoid.3 portof.3 prng.3 rangetosubnet.3 sameaddr.3 subnetof.3 \
+                 ttoaddr.3 ttodata.3 ttosa.3 ttoul.3
 
diff --git a/src/libfreeswan/Makefile.in b/src/libfreeswan/Makefile.in
index c973358ed..37c32b9fa 100644
--- a/src/libfreeswan/Makefile.in
+++ b/src/libfreeswan/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -51,15 +51,15 @@ am_libfreeswan_a_OBJECTS = addrtoa.$(OBJEXT) addrtot.$(OBJEXT) \
 	atoul.$(OBJEXT) copyright.$(OBJEXT) datatot.$(OBJEXT) \
 	goodmask.$(OBJEXT) initaddr.$(OBJEXT) initsaid.$(OBJEXT) \
 	initsubnet.$(OBJEXT) keyblobtoid.$(OBJEXT) \
-	optionsfrom.$(OBJEXT) pfkey_v2_build.$(OBJEXT) \
-	pfkey_v2_debug.$(OBJEXT) pfkey_v2_ext_bits.$(OBJEXT) \
-	pfkey_v2_parse.$(OBJEXT) portof.$(OBJEXT) prng.$(OBJEXT) \
-	rangetoa.$(OBJEXT) rangetosubnet.$(OBJEXT) sameaddr.$(OBJEXT) \
-	satoa.$(OBJEXT) satot.$(OBJEXT) subnetof.$(OBJEXT) \
-	subnettoa.$(OBJEXT) subnettot.$(OBJEXT) subnettypeof.$(OBJEXT) \
-	ttoaddr.$(OBJEXT) ttodata.$(OBJEXT) ttoprotoport.$(OBJEXT) \
-	ttosa.$(OBJEXT) ttosubnet.$(OBJEXT) ttoul.$(OBJEXT) \
-	ultoa.$(OBJEXT) ultot.$(OBJEXT) version.$(OBJEXT)
+	pfkey_v2_build.$(OBJEXT) pfkey_v2_debug.$(OBJEXT) \
+	pfkey_v2_ext_bits.$(OBJEXT) pfkey_v2_parse.$(OBJEXT) \
+	portof.$(OBJEXT) prng.$(OBJEXT) rangetoa.$(OBJEXT) \
+	rangetosubnet.$(OBJEXT) sameaddr.$(OBJEXT) satoa.$(OBJEXT) \
+	satot.$(OBJEXT) subnetof.$(OBJEXT) subnettoa.$(OBJEXT) \
+	subnettot.$(OBJEXT) subnettypeof.$(OBJEXT) ttoaddr.$(OBJEXT) \
+	ttodata.$(OBJEXT) ttoprotoport.$(OBJEXT) ttosa.$(OBJEXT) \
+	ttosubnet.$(OBJEXT) ttoul.$(OBJEXT) ultoa.$(OBJEXT) \
+	ultot.$(OBJEXT)
 libfreeswan_a_OBJECTS = $(am_libfreeswan_a_OBJECTS)
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
@@ -97,6 +97,7 @@ CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -119,6 +120,9 @@ LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -130,6 +134,7 @@ MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
 NM = @NM@
 NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
@@ -143,6 +148,8 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 RANLIB = @RANLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -203,6 +210,7 @@ oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
 plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -214,6 +222,7 @@ srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 xml_CFLAGS = @xml_CFLAGS@
@@ -221,22 +230,21 @@ xml_LIBS = @xml_LIBS@
 noinst_LIBRARIES = libfreeswan.a
 libfreeswan_a_SOURCES = addrtoa.c addrtot.c addrtypeof.c anyaddr.c atoaddr.c atoasr.c \
 			atosa.c atosubnet.c atoul.c copyright.c datatot.c freeswan.h \
-			goodmask.c initaddr.c initsaid.c initsubnet.c internal.h ipcomp.h \
-			ipsec_ah.h ipsec_alg.h ipsec_encap.h ipsec_eroute.h ipsec_errs.h \
-			ipsec_esp.h ipsec_ipe4.h ipsec_kversion.h ipsec_life.h ipsec_md5h.h \
-			ipsec_param.h ipsec_policy.h ipsec_proto.h ipsec_radij.h ipsec_rcv.h \
-			ipsec_sa.h ipsec_sha1.h ipsec_stats.h ipsec_tunnel.h ipsec_xform.h \
-			ipsec_xmit.h  keyblobtoid.c optionsfrom.c pfkey_v2_build.c pfkey_v2_debug.c \
-			pfkey_v2_ext_bits.c pfkey_v2_parse.c portof.c prng.c radij.h rangetoa.c \
+			goodmask.c initaddr.c initsaid.c initsubnet.c internal.h ipsec_param.h \
+			keyblobtoid.c pfkey_v2_build.c pfkey_v2_debug.c \
+			pfkey_v2_ext_bits.c pfkey_v2_parse.c portof.c prng.c rangetoa.c \
 			pfkey.h pfkeyv2.h rangetosubnet.c sameaddr.c satoa.c \
 			satot.c subnetof.c subnettoa.c subnettot.c \
 			subnettypeof.c ttoaddr.c ttodata.c ttoprotoport.c ttosa.c ttosubnet.c ttoul.c \
-			ultoa.c ultot.c version.c
+			ultoa.c ultot.c
+
+INCLUDES = \
+-I$(top_srcdir)/src/libstrongswan \
+-I$(top_srcdir)/src/pluto
 
-INCLUDES = -I$(top_srcdir)/src/pluto
 dist_man3_MANS = anyaddr.3 atoaddr.3 atoasr.3 atosa.3 atoul.3 goodmask.3 initaddr.3 initsubnet.3 \
-                 keyblobtoid.3 optionsfrom.3 portof.3 prng.3 rangetosubnet.3 sameaddr.3 subnetof.3 \
-                 ttoaddr.3 ttodata.3 ttosa.3 ttoul.3 version.3
+                 keyblobtoid.3 portof.3 prng.3 rangetosubnet.3 sameaddr.3 subnetof.3 \
+                 ttoaddr.3 ttodata.3 ttosa.3 ttoul.3
 
 all: all-am
 
@@ -246,8 +254,8 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
 	    *$$dep*) \
-	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
-		&& exit 0; \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
 	      exit 1;; \
 	  esac; \
 	done; \
@@ -301,7 +309,6 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/initsaid.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/initsubnet.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/keyblobtoid.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/optionsfrom.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pfkey_v2_build.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pfkey_v2_debug.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pfkey_v2_ext_bits.Po@am__quote@
@@ -325,7 +332,6 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ttoul.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ultoa.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ultot.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/version.Po@am__quote@
 
 .c.o:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
@@ -364,8 +370,8 @@ install-man3: $(man3_MANS) $(man_MANS)
 	  esac; \
 	done; \
 	for i in $$list; do \
-	  if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
-	  else file=$$i; fi; \
+	  if test -f $$i; then file=$$i; \
+	  else file=$(srcdir)/$$i; fi; \
 	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
 	  case "$$ext" in \
 	    3*) ;; \
@@ -404,7 +410,7 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
 	mkid -fID $$unique
 tags: TAGS
diff --git a/src/libfreeswan/addrtoa.c b/src/libfreeswan/addrtoa.c
index bb5d239ab..7acfa5ded 100644
--- a/src/libfreeswan/addrtoa.c
+++ b/src/libfreeswan/addrtoa.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
  * License for more details.
- *
- * RCSID $Id: addrtoa.c 3265 2007-10-08 19:52:55Z andreas $
  */
 #include "internal.h"
 #include "freeswan.h"
diff --git a/src/libfreeswan/addrtot.c b/src/libfreeswan/addrtot.c
index 700553b40..6efdfccca 100644
--- a/src/libfreeswan/addrtot.c
+++ b/src/libfreeswan/addrtot.c
@@ -11,9 +11,9 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
  * License for more details.
- *
- * RCSID $Id: addrtot.c 3265 2007-10-08 19:52:55Z andreas $
  */
+#include <sys/socket.h>
+
 #include "internal.h"
 #include "freeswan.h"
 
diff --git a/src/libfreeswan/addrtypeof.c b/src/libfreeswan/addrtypeof.c
index 8d68be12b..f402eca70 100644
--- a/src/libfreeswan/addrtypeof.c
+++ b/src/libfreeswan/addrtypeof.c
@@ -11,9 +11,9 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
  * License for more details.
- *
- * RCSID $Id: addrtypeof.c 3265 2007-10-08 19:52:55Z andreas $
  */
+#include <sys/socket.h>
+
 #include "internal.h"
 #include "freeswan.h"
 
diff --git a/src/libfreeswan/anyaddr.3 b/src/libfreeswan/anyaddr.3
index 556627f7d..58789cf6c 100644
--- a/src/libfreeswan/anyaddr.3
+++ b/src/libfreeswan/anyaddr.3
@@ -1,5 +1,4 @@
 .TH IPSEC_ANYADDR 3 "8 Sept 2000"
-.\" RCSID $Id: anyaddr.3 3265 2007-10-08 19:52:55Z andreas $
 .SH NAME
 ipsec anyaddr \- get "any" address
 .br
diff --git a/src/libfreeswan/anyaddr.c b/src/libfreeswan/anyaddr.c
index 12100f07e..2e9fa2787 100644
--- a/src/libfreeswan/anyaddr.c
+++ b/src/libfreeswan/anyaddr.c
@@ -11,9 +11,9 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
  * License for more details.
- *
- * RCSID $Id: anyaddr.c 3265 2007-10-08 19:52:55Z andreas $
  */
+#include <sys/socket.h>
+
 #include "internal.h"
 #include "freeswan.h"
 
diff --git a/src/libfreeswan/atoaddr.3 b/src/libfreeswan/atoaddr.3
index 617609325..fce8884e4 100644
--- a/src/libfreeswan/atoaddr.3
+++ b/src/libfreeswan/atoaddr.3
@@ -1,5 +1,4 @@
 .TH IPSEC_ATOADDR 3 "11 June 2001"
-.\" RCSID $Id: atoaddr.3 3265 2007-10-08 19:52:55Z andreas $
 .SH NAME
 ipsec atoaddr, addrtoa \- convert Internet addresses to and from ASCII
 .br
diff --git a/src/libfreeswan/atoaddr.c b/src/libfreeswan/atoaddr.c
index 1af90cd63..dd73be7f3 100644
--- a/src/libfreeswan/atoaddr.c
+++ b/src/libfreeswan/atoaddr.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
  * License for more details.
- *
- * RCSID $Id: atoaddr.c 3265 2007-10-08 19:52:55Z andreas $
  */
 #include "internal.h"
 #include "freeswan.h"
diff --git a/src/libfreeswan/atoasr.3 b/src/libfreeswan/atoasr.3
index 8be2fa274..0b9a5fea3 100644
--- a/src/libfreeswan/atoasr.3
+++ b/src/libfreeswan/atoasr.3
@@ -1,5 +1,4 @@
 .TH IPSEC_ATOASR 3 "11 June 2001"
-.\" RCSID $Id: atoasr.3 3265 2007-10-08 19:52:55Z andreas $
 .SH NAME
 ipsec atoasr \- convert ASCII to Internet address, subnet, or range
 .br
diff --git a/src/libfreeswan/atoasr.c b/src/libfreeswan/atoasr.c
index 03b7c5b7f..ef8412fe8 100644
--- a/src/libfreeswan/atoasr.c
+++ b/src/libfreeswan/atoasr.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
  * License for more details.
- *
- * RCSID $Id: atoasr.c 3265 2007-10-08 19:52:55Z andreas $
  */
 #include "internal.h"
 #include "freeswan.h"
diff --git a/src/libfreeswan/atosa.3 b/src/libfreeswan/atosa.3
index cd2205bfe..f57fcf1e9 100644
--- a/src/libfreeswan/atosa.3
+++ b/src/libfreeswan/atosa.3
@@ -1,5 +1,4 @@
 .TH IPSEC_ATOSA 3 "11 June 2001"
-.\" RCSID $Id: atosa.3 3265 2007-10-08 19:52:55Z andreas $
 .SH NAME
 ipsec atosa, satoa \- convert IPsec Security Association IDs to and from ASCII
 .SH SYNOPSIS
diff --git a/src/libfreeswan/atosa.c b/src/libfreeswan/atosa.c
index f49931716..aeb5742e1 100644
--- a/src/libfreeswan/atosa.c
+++ b/src/libfreeswan/atosa.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
  * License for more details.
- *
- * RCSID $Id: atosa.c 3265 2007-10-08 19:52:55Z andreas $
  */
 #include "internal.h"
 #include "freeswan.h"
diff --git a/src/libfreeswan/atosubnet.c b/src/libfreeswan/atosubnet.c
index 3411e9e05..a123a39da 100644
--- a/src/libfreeswan/atosubnet.c
+++ b/src/libfreeswan/atosubnet.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
  * License for more details.
- *
- * RCSID $Id: atosubnet.c 3265 2007-10-08 19:52:55Z andreas $
  */
 #include "internal.h"
 #include "freeswan.h"
diff --git a/src/libfreeswan/atoul.3 b/src/libfreeswan/atoul.3
index 2d710cbc9..6737b6b54 100644
--- a/src/libfreeswan/atoul.3
+++ b/src/libfreeswan/atoul.3
@@ -1,5 +1,4 @@
 .TH IPSEC_ATOUL 3 "11 June 2001"
-.\" RCSID $Id: atoul.3 3265 2007-10-08 19:52:55Z andreas $
 .SH NAME
 ipsec atoul, ultoa \- convert unsigned-long numbers to and from ASCII
 .SH SYNOPSIS
diff --git a/src/libfreeswan/atoul.c b/src/libfreeswan/atoul.c
index a3bf07a60..7e51de8fe 100644
--- a/src/libfreeswan/atoul.c
+++ b/src/libfreeswan/atoul.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
  * License for more details.
- *
- * RCSID $Id: atoul.c 3265 2007-10-08 19:52:55Z andreas $
  */
 #include "internal.h"
 #include "freeswan.h"
diff --git a/src/libfreeswan/copyright.c b/src/libfreeswan/copyright.c
index 3c382160a..65585b62e 100644
--- a/src/libfreeswan/copyright.c
+++ b/src/libfreeswan/copyright.c
@@ -11,14 +11,12 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
  * License for more details.
- *
- * RCSID $Id: copyright.c 4181 2008-07-16 12:28:29Z andreas $
  */
 #include "internal.h"
 #include "freeswan.h"
 
 static const char *co[] = {
- "Copyright (C) 1999-2008  Henry Spencer, Richard Guy Briggs,",
+ "Copyright (C) 1999-2009  Henry Spencer, Richard Guy Briggs,",
  "    D. Hugh Redelmeier, Sandy Harris, Claudia Schmeing,",
  "    Michael Richardson, Angelos D. Keromytis, John Ioannidis,",
  "",
diff --git a/src/libfreeswan/datatot.c b/src/libfreeswan/datatot.c
index cefe09ef0..b18d4b050 100644
--- a/src/libfreeswan/datatot.c
+++ b/src/libfreeswan/datatot.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
  * License for more details.
- *
- * RCSID $Id: datatot.c 3265 2007-10-08 19:52:55Z andreas $
  */
 #include "internal.h"
 #include "freeswan.h"
diff --git a/src/libfreeswan/freeswan.h b/src/libfreeswan/freeswan.h
index cbb8e2db4..cb14cd678 100644
--- a/src/libfreeswan/freeswan.h
+++ b/src/libfreeswan/freeswan.h
@@ -13,24 +13,10 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
  * License for more details.
- *
- * RCSID $Id: freeswan.h 4632 2008-11-11 18:37:19Z martin $
  */
 #define	_FREESWAN_H	/* seen it, no need to see it again */
 
-
-
-/*
- * We've just got to have some datatypes defined...  And annoyingly, just
- * where we get them depends on whether we're in userland or not.
- */
-#ifdef __KERNEL__
-
-#  include <linux/types.h>
-#  include <linux/in.h>
-
-#else /* __KERNEL__ */
-
+#  include <sys/types.h>
 #  include <stdio.h>
 #  include <netinet/in.h>
 
@@ -41,25 +27,13 @@
 
 #  define DEBUG_NO_STATIC static
 
-#endif /* __KERNEL__ */
-
 #include <ipsec_param.h>
-
+#include <utils.h>
 
 /*
- * Grab the kernel version to see if we have NET_21, and therefore 
- * IPv6. Some of this is repeated from ipsec_kversions.h. Of course, 
- * we aren't really testing if the kernel has IPv6, but rather if the
- * the include files do.
+ * We assume header files have IPv6 (i.e. kernel version >= 2.1.0)
  */
-#include <linux/version.h>
-#ifndef KERNEL_VERSION
-#define KERNEL_VERSION(x,y,z) (((x)<<16)+((y)<<8)+(z))
-#endif
-
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,1,0)
 #define NET_21
-#endif
 
 #ifndef IPPROTO_COMP
 #  define IPPROTO_COMP 108
@@ -84,28 +58,6 @@
  * use their definitions directly, they are subject to change!
  */
 
-/* first, some quick fakes in case we're on an old system with no IPv6 */
-#ifndef s6_addr16
-struct in6_addr {
-	union 
-	{
-		__u8		u6_addr8[16];
-		__u16		u6_addr16[8];
-		__u32		u6_addr32[4];
-	} in6_u;
-#define s6_addr			in6_u.u6_addr8
-#define s6_addr16		in6_u.u6_addr16
-#define s6_addr32		in6_u.u6_addr32
-};
-struct sockaddr_in6 {
-	unsigned short int	sin6_family;    /* AF_INET6 */
-	__u16			sin6_port;      /* Transport layer port # */
-	__u32			sin6_flowinfo;  /* IPv6 flow information */
-	struct in6_addr		sin6_addr;      /* IPv6 address */
-	__u32			sin6_scope_id;  /* scope id (new in RFC2553) */
-};
-#endif	/* !s6_addr16 */
-
 /* then the main types */
 typedef struct {
 	union {
@@ -119,11 +71,7 @@ typedef struct {
 } ip_subnet;
 
 /* and the SA ID stuff */
-#ifdef __KERNEL__
-typedef __u32 ipsec_spi_t;
-#else
 typedef u_int32_t ipsec_spi_t;
-#endif
 typedef struct {		/* to identify an SA, we need: */
         ip_address dst;		/* A. destination host */
         ipsec_spi_t spi;	/* B. 32-bit SPI, assigned by dest. host */
@@ -147,7 +95,6 @@ struct sa_id {			/* old v4-only version */
 };
 
 /* misc */
-typedef const char *err_t;	/* error message, or NULL for success */
 struct prng {			/* pseudo-random-number-generator guts */
 	unsigned char sbox[256];
 	int i, j;
@@ -160,6 +107,8 @@ struct prng {			/* pseudo-random-number-generator guts */
  */
 typedef uint32_t IPsecSAref_t;
 
+#define IPSEC_SA_REF_TABLE_NUM_ENTRIES (1 << IPSEC_SA_REF_TABLE_IDX_WIDTH)
+
 #define IPSEC_SA_REF_FIELD_WIDTH (8 * sizeof(IPsecSAref_t))
 
 #define IPsecSAref2NFmark(x) ((x) << (IPSEC_SA_REF_FIELD_WIDTH - IPSEC_SA_REF_TABLE_IDX_WIDTH))
@@ -220,7 +169,7 @@ size_t splitkeytoid(const unsigned char *e, size_t elen, const unsigned char *m,
 					size_t mlen, char *dst, size_t dstlen);
 #define	KEYID_BUF		10	/* up to 9 text digits plus NUL */
 err_t ttoprotoport(char *src, size_t src_len, u_int8_t *proto, u_int16_t *port,
-							int *has_port_wildcard);
+							bool *has_port_wildcard);
 
 /* initializations */
 void initsaid(const ip_address *addr, ipsec_spi_t spi, int proto, ip_said *dst);
@@ -269,8 +218,6 @@ unsigned long prng_count(struct prng *prng);
 void prng_final(struct prng *prng);
 
 /* odds and ends */
-const char *ipsec_version_code(void);
-const char *ipsec_version_string(void);
 const char **ipsec_copyright_notice(void);
 
 const char *dns_string_rr(int rr, char *buf, int bufsize);
@@ -436,19 +383,6 @@ bitstomask(
 	int n
 );
 
-
-
-/*
- * general utilities
- */
-
-#ifndef __KERNEL__
-/* option pickup from files (userland only because of use of FILE) */
-const char *optionsfrom(const char *filename, int *argcp, char ***argvp,
-						int optind, FILE *errorreport);
-#define ignore_result(call) { if (call); }
-#endif
-
 /*
  * Debugging levels for pfkey_lib_debug
  */
diff --git a/src/libfreeswan/goodmask.3 b/src/libfreeswan/goodmask.3
index eeff2f25d..b76d431ca 100644
--- a/src/libfreeswan/goodmask.3
+++ b/src/libfreeswan/goodmask.3
@@ -1,5 +1,4 @@
 .TH IPSEC_GOODMASK 3 "11 June 2001"
-.\" RCSID $Id: goodmask.3 3265 2007-10-08 19:52:55Z andreas $
 .SH NAME
 ipsec goodmask \- is this Internet subnet mask a valid one?
 .br
diff --git a/src/libfreeswan/goodmask.c b/src/libfreeswan/goodmask.c
index 318a2879f..a2d51de0c 100644
--- a/src/libfreeswan/goodmask.c
+++ b/src/libfreeswan/goodmask.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
  * License for more details.
- *
- * RCSID $Id: goodmask.c 3265 2007-10-08 19:52:55Z andreas $
  */
 #include "internal.h"
 #include "freeswan.h"
diff --git a/src/libfreeswan/initaddr.3 b/src/libfreeswan/initaddr.3
index bcbd3f88b..071e507aa 100644
--- a/src/libfreeswan/initaddr.3
+++ b/src/libfreeswan/initaddr.3
@@ -1,5 +1,4 @@
 .TH IPSEC_INITADDR 3 "11 Sept 2000"
-.\" RCSID $Id: initaddr.3 3265 2007-10-08 19:52:55Z andreas $
 .SH NAME
 ipsec initaddr \- initialize an ip_address
 .br
diff --git a/src/libfreeswan/initaddr.c b/src/libfreeswan/initaddr.c
index 99870ded2..c30efb812 100644
--- a/src/libfreeswan/initaddr.c
+++ b/src/libfreeswan/initaddr.c
@@ -11,9 +11,9 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
  * License for more details.
- *
- * RCSID $Id: initaddr.c 3265 2007-10-08 19:52:55Z andreas $
  */
+#include <sys/socket.h>
+
 #include "internal.h"
 #include "freeswan.h"
 
diff --git a/src/libfreeswan/initsaid.c b/src/libfreeswan/initsaid.c
index 43156e96e..fb8187422 100644
--- a/src/libfreeswan/initsaid.c
+++ b/src/libfreeswan/initsaid.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
  * License for more details.
- *
- * RCSID $Id: initsaid.c 3265 2007-10-08 19:52:55Z andreas $
  */
 #include "internal.h"
 #include "freeswan.h"
diff --git a/src/libfreeswan/initsubnet.3 b/src/libfreeswan/initsubnet.3
index aaf2a64d5..3545fd426 100644
--- a/src/libfreeswan/initsubnet.3
+++ b/src/libfreeswan/initsubnet.3
@@ -1,5 +1,4 @@
 .TH IPSEC_INITSUBNET 3 "12 March 2002"
-.\" RCSID $Id: initsubnet.3 3265 2007-10-08 19:52:55Z andreas $
 .SH NAME
 ipsec initsubnet \- initialize an ip_subnet
 .br
diff --git a/src/libfreeswan/initsubnet.c b/src/libfreeswan/initsubnet.c
index f2d8b4dc8..0e19098c5 100644
--- a/src/libfreeswan/initsubnet.c
+++ b/src/libfreeswan/initsubnet.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
  * License for more details.
- *
- * RCSID $Id: initsubnet.c 3265 2007-10-08 19:52:55Z andreas $
  */
 #include "internal.h"
 #include "freeswan.h"
diff --git a/src/libfreeswan/internal.h b/src/libfreeswan/internal.h
index 921e47835..fa24f7d2d 100644
--- a/src/libfreeswan/internal.h
+++ b/src/libfreeswan/internal.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
  * License for more details.
- *
- * RCSID $Id: internal.h 3265 2007-10-08 19:52:55Z andreas $
  */
 
 #ifndef ABITS
@@ -35,47 +33,14 @@
 #define	PASSTHROUGHDST	0
 #endif
 
-/*
- * Headers, greatly complicated by stupid and unnecessary inconsistencies
- * between the user environment and the kernel environment.  These are done
- * here so that this mess need exist in only one place.
- *
- * It may seem like a -I or two could avoid most of this, but on closer
- * inspection it is not quite that easy.
- */
-
-/* things that need to come from one place or the other, depending */
-#ifdef __KERNEL__
-#include <linux/types.h>
-#include <linux/socket.h>
-#include <linux/in.h>
-#include <linux/string.h>
-#include <linux/ctype.h>
-#define	assert(foo)	/* nothing */
-#else
 #include <sys/types.h>
 #include <netinet/in.h>
 #include <string.h>
 #include <ctype.h>
 #include <assert.h>
-#endif
-
-/* things that exist only in userland */
-#ifndef __KERNEL__
-
-/* You'd think this would be okay in the kernel too -- it's just a */
-/* bunch of constants -- but no, in RH5.1 it screws up other things. */
-/* (Credit:  Mike Warfield tracked this problem down.  Thanks Mike!) */
-/* Fortunately, we don't need it in the kernel subset of the library. */
 #include <limits.h>
-
-/* header files for things that should never be called in kernel */
 #include <netdb.h>
-
-/* memory allocation, currently user-only, macro-ized just in case */
 #include <stdlib.h>
 #define	MALLOC(n)	malloc(n)
 #define	FREE(p)		free(p)
 
-#endif /* __KERNEL__ */
-
diff --git a/src/libfreeswan/ipcomp.h b/src/libfreeswan/ipcomp.h
deleted file mode 100644
index 57f8cc7cc..000000000
--- a/src/libfreeswan/ipcomp.h
+++ /dev/null
@@ -1,61 +0,0 @@
-/*
- * IPCOMP zlib interface code.
- * Copyright (C) 2000  Svenning Soerensen <svenning@post5.tele.dk>
- * Copyright (C) 2000, 2001  Richard Guy Briggs <rgb@conscoop.ottawa.on.ca>
- * 
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- * 
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
-
- RCSID $Id: ipcomp.h 3265 2007-10-08 19:52:55Z andreas $
-
- */
-
-/* SSS */
-
-#ifndef _IPCOMP_H
-#define _IPCOMP_H
-
-/* Prefix all global deflate symbols with "ipcomp_" to avoid collisions with ppp_deflate & ext2comp */
-#ifndef IPCOMP_PREFIX
-#define IPCOMP_PREFIX
-#endif /* IPCOMP_PREFIX */
-
-#ifndef IPPROTO_COMP
-#define IPPROTO_COMP 108
-#endif /* IPPROTO_COMP */
-
-#ifdef CONFIG_IPSEC_DEBUG
-extern int sysctl_ipsec_debug_ipcomp;
-#endif /* CONFIG_IPSEC_DEBUG */
-
-struct ipcomphdr {			/* IPCOMP header */
-    __u8    ipcomp_nh;		/* Next header (protocol) */
-    __u8    ipcomp_flags;	/* Reserved, must be 0 */
-    __u16   ipcomp_cpi;		/* Compression Parameter Index */
-};
-
-extern struct inet_protocol comp_protocol;
-extern int sysctl_ipsec_debug_ipcomp;
-
-#define IPCOMP_UNCOMPRESSABLE     0x000000001
-#define IPCOMP_COMPRESSIONERROR   0x000000002
-#define IPCOMP_PARMERROR          0x000000004
-#define IPCOMP_DECOMPRESSIONERROR 0x000000008
-
-#define IPCOMP_ADAPT_INITIAL_TRIES	8
-#define IPCOMP_ADAPT_INITIAL_SKIP	4
-#define IPCOMP_ADAPT_SUBSEQ_TRIES	2
-#define IPCOMP_ADAPT_SUBSEQ_SKIP	8
-
-/* Function prototypes */
-struct sk_buff *skb_compress(struct sk_buff *skb, struct ipsec_sa *ips, unsigned int *flags);
-struct sk_buff *skb_decompress(struct sk_buff *skb, struct ipsec_sa *ips, unsigned int *flags);
-
-#endif /* _IPCOMP_H */
diff --git a/src/libfreeswan/ipsec_ah.h b/src/libfreeswan/ipsec_ah.h
deleted file mode 100644
index aa34ce798..000000000
--- a/src/libfreeswan/ipsec_ah.h
+++ /dev/null
@@ -1,111 +0,0 @@
-/*
- * Authentication Header declarations
- * Copyright (C) 1996, 1997  John Ioannidis.
- * Copyright (C) 1998, 1999, 2000, 2001  Richard Guy Briggs.
- * 
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- * 
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- *
- * RCSID $Id: ipsec_ah.h 3265 2007-10-08 19:52:55Z andreas $
- */
-
-#include "ipsec_md5h.h"
-#include "ipsec_sha1.h"
-
-#ifndef IPPROTO_AH
-#define IPPROTO_AH 51
-#endif /* IPPROTO_AH */
-
-#define AH_FLENGTH		12		/* size of fixed part */
-#define AHMD5_KMAX		64		/* MD5 max 512 bits key */
-#define AHMD5_AMAX		12		/* MD5 96 bits of authenticator */
-
-#define AHMD596_KLEN		16		/* MD5 128 bits key */
-#define AHSHA196_KLEN		20		/* SHA1 160 bits key */
-
-#define AHMD596_ALEN    	16		/* MD5 128 bits authentication length */
-#define AHSHA196_ALEN		20		/* SHA1 160 bits authentication length */
-
-#define AHMD596_BLKLEN  	64		/* MD5 block length */
-#define AHSHA196_BLKLEN 	64		/* SHA1 block length */
-#define AHSHA2_256_BLKLEN 	64		/* SHA2-256 block length */
-#define AHSHA2_384_BLKLEN 	128 		/* SHA2-384 block length (?) */
-#define AHSHA2_512_BLKLEN 	128		/* SHA2-512 block length */
-
-#define AH_BLKLEN_MAX 		128		/* keep up to date! */
-
-#define AH_AMAX         	AHSHA196_ALEN   /* keep up to date! */
-#define AHHMAC_HASHLEN  	12              /* authenticator length of 96bits */
-#define AHHMAC_RPLLEN   	4               /* 32 bit replay counter */
-
-#define DB_AH_PKTRX		0x0001
-#define DB_AH_PKTRX2		0x0002
-#define DB_AH_DMP		0x0004
-#define DB_AH_IPSA		0x0010
-#define DB_AH_XF		0x0020
-#define DB_AH_INAU		0x0040
-#define DB_AH_REPLAY		0x0100
-
-#ifdef __KERNEL__
-
-/* General HMAC algorithm is described in RFC 2104 */
-
-#define		HMAC_IPAD	0x36
-#define		HMAC_OPAD	0x5C
-
-struct md5_ctx {
-	MD5_CTX ictx;		/* context after H(K XOR ipad) */
-	MD5_CTX	octx;		/* context after H(K XOR opad) */
-};
-
-struct sha1_ctx {
-	SHA1_CTX ictx;		/* context after H(K XOR ipad) */
-	SHA1_CTX octx;		/* context after H(K XOR opad) */
-};
-
-struct auth_alg {
-	void (*init)(void *ctx);
-	void (*update)(void *ctx, unsigned char *bytes, __u32 len);
-	void (*final)(unsigned char *hash, void *ctx);
-	int hashlen;
-};
-
-extern struct inet_protocol ah_protocol;
-
-struct options;
-
-extern int 
-ah_rcv(struct sk_buff *skb,
-       struct device *dev,
-       struct options *opt, 
-       __u32 daddr,
-       unsigned short len,
-       __u32 saddr,
-       int redo,
-       struct inet_protocol *protocol);
-
-struct ahhdr				/* Generic AH header */
-{
-	__u8	ah_nh;			/* Next header (protocol) */
-	__u8	ah_hl;			/* AH length, in 32-bit words */
-	__u16	ah_rv;			/* reserved, must be 0 */
-	__u32	ah_spi;			/* Security Parameters Index */
-        __u32   ah_rpl;                 /* Replay prevention */
-	__u8	ah_data[AHHMAC_HASHLEN];/* Authentication hash */
-};
-#define AH_BASIC_LEN 8      /* basic AH header is 8 bytes, nh,hl,rv,spi
-			     * and the ah_hl, says how many bytes after that
-			     * to cover. */
-
-
-#ifdef CONFIG_IPSEC_DEBUG
-extern int debug_ah;
-#endif /* CONFIG_IPSEC_DEBUG */
-#endif /* __KERNEL__ */
diff --git a/src/libfreeswan/ipsec_alg.h b/src/libfreeswan/ipsec_alg.h
deleted file mode 100644
index 6b85be645..000000000
--- a/src/libfreeswan/ipsec_alg.h
+++ /dev/null
@@ -1,254 +0,0 @@
-/*
- * Modular extensions service and registration functions interface
- *
- * Author: JuanJo Ciarlante <jjo-ipsec@mendoza.gov.ar>
- *
- * $Id: ipsec_alg.h 3265 2007-10-08 19:52:55Z andreas $
- *
- */
-/*
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- * 
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- *
- */
-#ifndef IPSEC_ALG_H
-#define IPSEC_ALG_H
-
-/* 
- *   gcc >= 3.2 has removed __FUNCTION__, replaced by C99 __func__
- *   *BUT* its a compiler variable.
- */
-#if (__GNUC__ >= 3)
-#ifndef __FUNCTION__
-#define __FUNCTION__ __func__
-#endif
-#endif
-
-/*	Version 0.8.1-0 */
-#define IPSEC_ALG_VERSION	0x00080100
-
-#include <linux/types.h>
-#include <linux/list.h>
-#include <asm/atomic.h>
-/*	
- *	The following structs are used via pointers in ipsec_alg object to
- *	avoid ipsec_alg.h coupling with freeswan headers, thus simplifying
- *	module development
- */
-struct ipsec_sa;
-struct esp;
-
-/**************************************
- *
- *	Main registration object 
- *
- *************************************/
-#define IPSEC_ALG_VERSION_QUAD(v)	\
-	(v>>24),((v>>16)&0xff),((v>>8)&0xff),(v&0xff)
-/*	
- *	Main ipsec_alg objects: "OOPrograming wannabe"
- *	Hierachy (carefully handled with _minimal_ cast'ing):
- *
- *      ipsec_alg+
- *		 +->ipsec_alg_enc  (ixt_alg_type=SADB_EXT_SUPPORTED_ENCRYPT)
- *		 +->ipsec_alg_auth (ixt_alg_type=SADB_EXT_SUPPORTED_AUTH)
- */
-
-/***************************************************************
- *
- * 	INTERFACE object: struct ipsec_alg
- *
- ***************************************************************/
-
-/* 
- * 	common part for every struct ipsec_alg_*	
- * 	(sortof poor's man OOP)
- */
-#define IPSEC_ALG_STRUCT_COMMON \
-	unsigned ixt_version;	/* only allow this version (or 'near')*/ \
-	struct list_head ixt_list;	/* dlinked list */ \
-	struct module *ixt_module;	/* THIS_MODULE */ \
-	unsigned ixt_state;		/* state flags */ \
-	atomic_t ixt_refcnt; 	/* ref. count when pointed from ipsec_sa */ \
-	char ixt_name[16];	/* descriptive short name, eg. "3des" */ \
-	void *ixt_data;		/* private for algo implementation */ \
-	uint8_t  ixt_blocksize;	/* blocksize in bytes */ \
-	\
-	/* THIS IS A COPY of struct supported (lib/pfkey.h)        \
-	 * please keep in sync until we migrate 'supported' stuff  \
-	 * to ipsec_alg \
-	 */ \
-	uint16_t ixt_alg_type;	/* correspond to IPSEC_ALG_{ENCRYPT,AUTH} */ \
-	uint8_t  ixt_alg_id;	/* enc. alg. number, eg. ESP_3DES */ \
-	uint8_t  ixt_ivlen;	/* ivlen in bits, expected to be multiple of 8! */ \
-	uint16_t ixt_keyminbits;/* min. keybits (of entropy) */ \
-	uint16_t ixt_keymaxbits;/* max. keybits (of entropy) */
-
-#define ixt_support ixt_alg_type
-	
-#define IPSEC_ALG_ST_SUPP	0x01
-#define IPSEC_ALG_ST_REGISTERED 0x02
-#define IPSEC_ALG_ST_EXCL	0x04
-struct ipsec_alg {
-	IPSEC_ALG_STRUCT_COMMON
-};
-/* 
- * 	Note the const in cbc_encrypt IV arg:
- * 	some ciphers like to toast passed IV (eg. 3DES): make a local IV copy
- */
-struct ipsec_alg_enc {
-	IPSEC_ALG_STRUCT_COMMON
-	unsigned ixt_e_keylen;		/* raw key length in bytes          */
-	unsigned ixt_e_ctx_size;	/* sa_p->key_e_size */
-	int (*ixt_e_set_key)(struct ipsec_alg_enc *alg, __u8 *key_e, const __u8 *key, size_t keysize);
-	__u8 *(*ixt_e_new_key)(struct ipsec_alg_enc *alg, const __u8 *key, size_t keysize);
-	void (*ixt_e_destroy_key)(struct ipsec_alg_enc *alg, __u8 *key_e);
-	int (*ixt_e_cbc_encrypt)(struct ipsec_alg_enc *alg, __u8 *key_e, __u8 *in, int ilen, const __u8 *iv, int encrypt);
-};
-struct ipsec_alg_auth {
-	IPSEC_ALG_STRUCT_COMMON
-	unsigned ixt_a_keylen;		/* raw key length in bytes          */
-	unsigned ixt_a_ctx_size;	/* sa_p->key_a_size */
-	unsigned ixt_a_authlen;		/* 'natural' auth. hash len (bytes) */
-	int (*ixt_a_hmac_set_key)(struct ipsec_alg_auth *alg, __u8 *key_a, const __u8 *key, int keylen);
-	int (*ixt_a_hmac_hash)(struct ipsec_alg_auth *alg, __u8 *key_a, const __u8 *dat, int len, __u8 *hash, int hashlen);
-};
-/*	
- *	These are _copies_ of SADB_EXT_SUPPORTED_{AUTH,ENCRYPT}, 
- *	to avoid header coupling for true constants
- *	about headers ... "cp is your friend" --Linus
- */
-#define IPSEC_ALG_TYPE_AUTH	14
-#define IPSEC_ALG_TYPE_ENCRYPT	15
-
-/***************************************************************
- *
- * 	INTERFACE for module loading,testing, and unloading
- *
- ***************************************************************/
-/*	-  registration calls 	*/
-int register_ipsec_alg(struct ipsec_alg *);
-int unregister_ipsec_alg(struct ipsec_alg *);
-/*	-  optional (simple test) for algos 	*/
-int ipsec_alg_test(unsigned alg_type, unsigned alg_id, int testparm);
-/*	inline wrappers (usefull for type validation */
-static inline int register_ipsec_alg_enc(struct ipsec_alg_enc *ixt) {
-	return register_ipsec_alg((struct ipsec_alg*)ixt);
-}
-static inline int unregister_ipsec_alg_enc(struct ipsec_alg_enc *ixt) {
-	return unregister_ipsec_alg((struct ipsec_alg*)ixt);
-}
-static inline int register_ipsec_alg_auth(struct ipsec_alg_auth *ixt) {
-	return register_ipsec_alg((struct ipsec_alg*)ixt);
-}
-static inline int unregister_ipsec_alg_auth(struct ipsec_alg_auth *ixt) {
-	return unregister_ipsec_alg((struct ipsec_alg*)ixt);
-}
-
-/*****************************************************************
- *
- * 	INTERFACE for ENC services: key creation, encrypt function
- *
- *****************************************************************/
-
-#define IPSEC_ALG_ENCRYPT 1
-#define IPSEC_ALG_DECRYPT 0
-
-/* 	encryption key context creation function */
-int ipsec_alg_enc_key_create(struct ipsec_sa *sa_p);
-/* 
- * 	ipsec_alg_esp_encrypt(): encrypt ilen bytes in idat returns
- * 	0 or ERR<0
- */
-int ipsec_alg_esp_encrypt(struct ipsec_sa *sa_p, __u8 *idat, int ilen, const __u8 *iv, int action);
-
-/***************************************************************
- *
- * 	INTERFACE for AUTH services: key creation, hash functions
- *
- ***************************************************************/
-int ipsec_alg_auth_key_create(struct ipsec_sa *sa_p);
-int ipsec_alg_sa_esp_hash(const struct ipsec_sa *sa_p, const __u8 *espp, int len, __u8 *hash, int hashlen) ;
-#define ipsec_alg_sa_esp_update(c,k,l) ipsec_alg_sa_esp_hash(c,k,l,NULL,0)
-
-/* only called from ipsec_init.c */
-int ipsec_alg_init(void);
-
-/* algo module glue for static algos */
-void ipsec_alg_static_init(void);
-typedef int (*ipsec_alg_init_func_t) (void);
-
-/**********************************************
- *
- * 	INTERFACE for ipsec_sa init and wipe
- *
- **********************************************/
-
-/* returns true if ipsec_sa has ipsec_alg obj attached */
-/* 
- * Initializes ipsec_sa's ipsec_alg object, using already loaded
- * proto, authalg, encalg.; links ipsec_alg objects (enc, auth)
- */
-int ipsec_alg_sa_init(struct ipsec_sa *sa_p);
-/* 
- * Destroys ipsec_sa's ipsec_alg object
- * unlinking ipsec_alg objects
- */
-int ipsec_alg_sa_wipe(struct ipsec_sa *sa_p);
-
-/**********************************************
- *
- * 	2.2 backport for some 2.4 useful module stuff
- *
- **********************************************/
-#ifdef MODULE
-#ifndef THIS_MODULE
-#define THIS_MODULE          (&__this_module)
-#endif
-#ifndef module_init
-typedef int (*__init_module_func_t)(void);
-typedef void (*__cleanup_module_func_t)(void);
-
-#define module_init(x) \
-        int init_module(void) __attribute__((alias(#x))); \
-        static inline __init_module_func_t __init_module_inline(void) \
-        { return x; }
-#define module_exit(x) \
-        void cleanup_module(void) __attribute__((alias(#x))); \
-        static inline __cleanup_module_func_t __cleanup_module_inline(void) \
-        { return x; }
-#endif
-
-#define IPSEC_ALG_MODULE_INIT( func_name )	\
-	static int func_name(void);		\
-	module_init(func_name);			\
-	static int __init func_name(void)
-#define IPSEC_ALG_MODULE_EXIT( func_name )	\
-	static void func_name(void);		\
-	module_exit(func_name);			\
-	static void __exit func_name(void)
-#else	/* not MODULE */
-#ifndef THIS_MODULE
-#define THIS_MODULE          NULL
-#endif
-/*	
- *	I only want module_init() magic 
- *	when algo.c file *is THE MODULE*, in all other
- *	cases, initialization is called explicitely from ipsec_alg_init()
- */
-#define IPSEC_ALG_MODULE_INIT( func_name )	\
-	extern int func_name(void);		\
-	int func_name(void)
-#define IPSEC_ALG_MODULE_EXIT( func_name )	\
-	extern void func_name(void);		\
-	void func_name(void)
-#endif
-
-#endif /* IPSEC_ALG_H */
diff --git a/src/libfreeswan/ipsec_encap.h b/src/libfreeswan/ipsec_encap.h
deleted file mode 100644
index 4f8d2e9a0..000000000
--- a/src/libfreeswan/ipsec_encap.h
+++ /dev/null
@@ -1,55 +0,0 @@
-/*
- * declarations relevant to encapsulation-like operations
- * Copyright (C) 1996, 1997  John Ioannidis.
- * Copyright (C) 1998, 1999, 2000, 2001  Richard Guy Briggs.
- * 
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- * 
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- *
- * RCSID $Id: ipsec_encap.h 3265 2007-10-08 19:52:55Z andreas $
- */
-
-#ifndef _IPSEC_ENCAP_H_
-
-#define SENT_IP4	16	/* data is two struct in_addr + proto + ports*/
-			/* (2 * sizeof(struct in_addr)) */
-			/* sizeof(struct sockaddr_encap)
-			   - offsetof(struct sockaddr_encap, Sen.Sip4.Src) */
-
-struct sockaddr_encap
-{
-	__u8	sen_len;		/* length */
-	__u8	sen_family;		/* AF_ENCAP */
-	__u16	sen_type;		/* see SENT_* */
-	union
-	{
-		struct			/* SENT_IP4 */
-		{
-			struct in_addr Src;
-			struct in_addr Dst;
-			__u8 Proto;
-			__u16 Sport;
-			__u16 Dport;
-		} Sip4;
-	} Sen;
-};
-
-#define sen_ip_src	Sen.Sip4.Src
-#define sen_ip_dst	Sen.Sip4.Dst
-#define sen_proto       Sen.Sip4.Proto
-#define sen_sport       Sen.Sip4.Sport
-#define sen_dport       Sen.Sip4.Dport
-
-#ifndef AF_ENCAP
-#define AF_ENCAP 26
-#endif /* AF_ENCAP */
-
-#define _IPSEC_ENCAP_H_
-#endif /* _IPSEC_ENCAP_H_ */
diff --git a/src/libfreeswan/ipsec_eroute.h b/src/libfreeswan/ipsec_eroute.h
deleted file mode 100644
index 60af0f09b..000000000
--- a/src/libfreeswan/ipsec_eroute.h
+++ /dev/null
@@ -1,82 +0,0 @@
-/*
- * @(#) declarations of eroute structures
- *
- * Copyright (C) 1996, 1997  John Ioannidis.
- * Copyright (C) 1998, 1999, 2000, 2001  Richard Guy Briggs <rgb@freeswan.org>
- * Copyright (C) 2001                    Michael Richardson <mcr@freeswan.org>
- * 
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- * 
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- *
- * RCSID $Id: ipsec_eroute.h 3265 2007-10-08 19:52:55Z andreas $
- *
- * derived from ipsec_encap.h 1.15 on 2001/9/18 by mcr.
- *
- */
-
-#ifndef _IPSEC_EROUTE_H_
-
-#include "radij.h"
-#include "ipsec_encap.h"
-#include "ipsec_radij.h"
-
-/*
- * The "type" is really part of the address as far as the routing
- * system is concerned. By using only one bit in the type field
- * for each type, we sort-of make sure that different types of
- * encapsulation addresses won't be matched against the wrong type.
- */
-
-/*
- * An entry in the radix tree 
- */
-
-struct rjtentry
-{
-	struct	radij_node rd_nodes[2];	/* tree glue, and other values */
-#define	rd_key(r)	((struct sockaddr_encap *)((r)->rd_nodes->rj_key))
-#define	rd_mask(r)	((struct sockaddr_encap *)((r)->rd_nodes->rj_mask))
-	short	rd_flags;
-	short	rd_count;
-};
-
-struct ident
-{
-	__u16	type;	/* identity type */
-	__u64	id;	/* identity id */
-	__u8	len;	/* identity len */
-	caddr_t	data;	/* identity data */
-};
-
-/*
- * An encapsulation route consists of a pointer to a 
- * radix tree entry and a SAID (a destination_address/SPI/protocol triple).
- */
-
-struct eroute
-{
-	struct rjtentry er_rjt;
-	struct sa_id er_said;
-	uint32_t er_pid;
-	uint32_t er_count;
-	uint64_t er_lasttime;
-	struct sockaddr_encap er_eaddr; /* MCR get rid of _encap, it is silly*/
-	struct sockaddr_encap er_emask;
-        struct ident er_ident_s;
-        struct ident er_ident_d;
-	struct sk_buff* er_first;
-	struct sk_buff* er_last;
-};
-
-#define er_dst er_said.dst
-#define er_spi er_said.spi
-
-#define _IPSEC_EROUTE_H_
-#endif /* _IPSEC_EROUTE_H_ */
diff --git a/src/libfreeswan/ipsec_errs.h b/src/libfreeswan/ipsec_errs.h
deleted file mode 100644
index da7646870..000000000
--- a/src/libfreeswan/ipsec_errs.h
+++ /dev/null
@@ -1,32 +0,0 @@
-/*
- * @(#) definition of ipsec_errs structure
- *
- * Copyright (C) 2001  Richard Guy Briggs  <rgb@freeswan.org>
- *                 and Michael Richardson  <mcr@freeswan.org>
- * 
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- * 
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- *
- * RCSID $Id: ipsec_errs.h 3265 2007-10-08 19:52:55Z andreas $
- *
- */
-
-/* 
- * This file describes the errors/statistics that FreeSWAN collects.
- *
- */
-
-struct ipsec_errs {
-	__u32		ips_alg_errs;	       /* number of algorithm errors */
-	__u32		ips_auth_errs;	       /* # of authentication errors */
-	__u32		ips_encsize_errs;      /* # of encryption size errors*/
-	__u32		ips_encpad_errs;       /* # of encryption pad  errors*/
-	__u32		ips_replaywin_errs;    /* # of pkt sequence errors */
-};
diff --git a/src/libfreeswan/ipsec_esp.h b/src/libfreeswan/ipsec_esp.h
deleted file mode 100644
index af1b488f2..000000000
--- a/src/libfreeswan/ipsec_esp.h
+++ /dev/null
@@ -1,80 +0,0 @@
-/*
- * Copyright (C) 1996, 1997  John Ioannidis.
- * Copyright (C) 1998, 1999, 2000, 2001  Richard Guy Briggs.
- * 
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- * 
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- *
- * RCSID $Id: ipsec_esp.h 3265 2007-10-08 19:52:55Z andreas $
- */
-
-#include "freeswan/ipsec_md5h.h"
-#include "freeswan/ipsec_sha1.h"
-
-#include "crypto/des.h"
-
-#ifndef IPPROTO_ESP
-#define IPPROTO_ESP 50
-#endif /* IPPROTO_ESP */
-
-#define ESP_HEADER_LEN		8	/* 64 bits header (spi+rpl)*/
-
-#define EMT_ESPDESCBC_ULEN	20	/* coming from user mode */
-#define EMT_ESPDES_KMAX		64	/* 512 bit secret key enough? */
-#define EMT_ESPDES_KEY_SZ	8	/* 56 bit secret key with parity = 64 bits */
-#define EMT_ESP3DES_KEY_SZ	24	/* 168 bit secret key with parity = 192 bits */
-#define EMT_ESPDES_IV_SZ	8	/* IV size */
-#define ESP_DESCBC_BLKLEN       8       /* DES-CBC block size */
-
-#define ESP_IV_MAXSZ		16	/* This is _critical_ */
-#define ESP_IV_MAXSZ_INT	(ESP_IV_MAXSZ/sizeof(int))
-
-#define DB_ES_PKTRX	0x0001
-#define DB_ES_PKTRX2	0x0002
-#define DB_ES_IPSA	0x0010
-#define DB_ES_XF	0x0020
-#define DB_ES_IPAD	0x0040
-#define DB_ES_INAU	0x0080
-#define DB_ES_OINFO	0x0100
-#define DB_ES_OINFO2	0x0200
-#define DB_ES_OH	0x0400
-#define DB_ES_REPLAY	0x0800
-
-#ifdef __KERNEL__
-struct des_eks {
-	des_key_schedule ks;
-};
-
-extern struct inet_protocol esp_protocol;
-
-struct options;
-
-extern int
-esp_rcv(struct sk_buff *skb,
-	struct device *dev,
-	struct options *opt, 
-	__u32 daddr,
-	unsigned short len,
-	__u32 saddr,
-	int redo,
-	struct inet_protocol *protocol);
-
-/* Only for 64 bits IVs, eg. ESP_3DES :P */
-struct esphdr
-{
-	__u32	esp_spi;		/* Security Parameters Index */
-        __u32   esp_rpl;                /* Replay counter */
-	__u8	esp_iv[8];		/* iv */
-};
-
-#ifdef CONFIG_IPSEC_DEBUG
-extern int debug_esp;
-#endif /* CONFIG_IPSEC_DEBUG */
-#endif /* __KERNEL__ */
diff --git a/src/libfreeswan/ipsec_ipe4.h b/src/libfreeswan/ipsec_ipe4.h
deleted file mode 100644
index bc86ae761..000000000
--- a/src/libfreeswan/ipsec_ipe4.h
+++ /dev/null
@@ -1,27 +0,0 @@
-/*
- * IP-in-IP Header declarations
- * Copyright (C) 1996, 1997  John Ioannidis.
- * Copyright (C) 1998, 1999, 2000, 2001  Richard Guy Briggs.
- * 
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- * 
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- *
- * RCSID $Id: ipsec_ipe4.h 3265 2007-10-08 19:52:55Z andreas $
- */
-
-/* The packet header is an IP header! */
-
-struct ipe4_xdata			/* transform table data */
-{
-	struct in_addr	i4_src;
-	struct in_addr	i4_dst;
-};
-
-#define EMT_IPE4_ULEN	8	/* coming from user mode */
diff --git a/src/libfreeswan/ipsec_kversion.h b/src/libfreeswan/ipsec_kversion.h
deleted file mode 100644
index 4a94021a2..000000000
--- a/src/libfreeswan/ipsec_kversion.h
+++ /dev/null
@@ -1,191 +0,0 @@
-#ifndef _FREESWAN_KVERSIONS_H
-/*
- * header file for FreeS/WAN library functions
- * Copyright (C) 1998, 1999, 2000  Henry Spencer.
- * Copyright (C) 1999, 2000, 2001  Richard Guy Briggs
- * 
- * This library is free software; you can redistribute it and/or modify it
- * under the terms of the GNU Library General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- * 
- * This library is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
- * License for more details.
- *
- * RCSID $Id: ipsec_kversion.h 3265 2007-10-08 19:52:55Z andreas $
- */
-#define	_FREESWAN_KVERSIONS_H	/* seen it, no need to see it again */
-
-/*
- * this file contains a series of atomic defines that depend upon
- * kernel version numbers. The kernel versions are arranged
- * in version-order number (which is often not chronological)
- * and each clause enables or disables a feature.
- */
-
-/*
- * First, assorted kernel-version-dependent trickery.
- */
-#include <linux/version.h>
-#ifndef KERNEL_VERSION
-#define KERNEL_VERSION(x,y,z) (((x)<<16)+((y)<<8)+(z))
-#endif
-
-#if LINUX_VERSION_CODE < KERNEL_VERSION(2,1,0)
-#define HEADER_CACHE_BIND_21
-#endif
-
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,1,0)
-#define SPINLOCK
-#define PROC_FS_21
-#define NETLINK_SOCK
-#define NET_21
-#endif
-
-#if LINUX_VERSION_CODE < KERNEL_VERSION(2,1,19)
-#define net_device_stats enet_statistics
-#endif                                                                         
-
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,3,0)
-#define SPINLOCK_23
-#define NETDEV_23
-#  ifndef CONFIG_IP_ALIAS
-#  define CONFIG_IP_ALIAS
-#  endif
-#include <linux/socket.h>
-#include <linux/skbuff.h>
-#include <linux/netlink.h>
-#  ifdef NETLINK_XFRM
-#  define NETDEV_25
-#  endif
-#endif
-
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,3,25)
-#define PROC_FS_2325
-#undef  PROC_FS_21
-#endif
-
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,3,30)
-#define PROC_NO_DUMMY
-#endif
-
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,3,35)
-#define SKB_COPY_EXPAND
-#endif
-
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,3,37)
-#define IP_SELECT_IDENT
-#endif
-
-#if (LINUX_VERSION_CODE >= KERNEL_VERSION(2,3,50)) && defined(CONFIG_NETFILTER)
-#define SKB_RESET_NFCT
-#endif
-
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,4,2)
-#define IP_SELECT_IDENT_NEW
-#endif
-
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,4,4)
-#define IPH_is_SKB_PULLED
-#define SKB_COW_NEW
-#define PROTO_HANDLER_SINGLE_PARM
-#define IP_FRAGMENT_LINEARIZE 1
-#else /* LINUX_VERSION_CODE >= KERNEL_VERSION(2,4,4) */
-#  ifdef REDHAT_BOGOSITY
-#  define IP_SELECT_IDENT_NEW
-#  define IPH_is_SKB_PULLED
-#  define SKB_COW_NEW
-#  define PROTO_HANDLER_SINGLE_PARM
-#  endif /* REDHAT_BOGOSITY */
-#endif /* LINUX_VERSION_CODE >= KERNEL_VERSION(2,4,4) */
-
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,4,9)
-#define MALLOC_SLAB
-#define LINUX_KERNEL_HAS_SNPRINTF
-#endif                                                                         
-
-#ifdef NET_21
-#  include <linux/in6.h>
-#else
-     /* old kernel in.h has some IPv6 stuff, but not quite enough */
-#  define	s6_addr16	s6_addr
-#  define	AF_INET6	10
-#  define uint8_t __u8
-#  define uint16_t __u16 
-#  define uint32_t __u32 
-#  define uint64_t __u64 
-#endif
-
-#ifdef NET_21
-# define ipsec_kfree_skb(a) kfree_skb(a)
-#else /* NET_21 */
-# define ipsec_kfree_skb(a) kfree_skb(a, FREE_WRITE)
-#endif /* NET_21 */
-
-#ifdef NETDEV_23
-# define device net_device
-# define ipsec_dev_get dev_get_by_name
-# define __ipsec_dev_get __dev_get_by_name
-# define ipsec_dev_put(x) dev_put(x)
-# define __ipsec_dev_put(x) __dev_put(x)
-# define ipsec_dev_hold(x) dev_hold(x)
-#else /* NETDEV_23 */
-# define ipsec_dev_get dev_get
-# define __ipsec_dev_put(x) 
-# define ipsec_dev_put(x)
-# define ipsec_dev_hold(x) 
-#endif /* NETDEV_23 */
-
-#ifndef SPINLOCK
-#  include <linux/bios32.h>
-     /* simulate spin locks and read/write locks */
-     typedef struct {
-       volatile char lock;
-     } spinlock_t;
-
-     typedef struct {
-       volatile unsigned int lock;
-     } rwlock_t;                                                                     
-
-#  define spin_lock_init(x) { (x)->lock = 0;}
-#  define rw_lock_init(x) { (x)->lock = 0; }
-
-#  define spin_lock(x) { while ((x)->lock) barrier(); (x)->lock=1;}
-#  define spin_lock_irq(x) { cli(); spin_lock(x);}
-#  define spin_lock_irqsave(x,flags) { save_flags(flags); spin_lock_irq(x);}
-
-#  define spin_unlock(x) { (x)->lock=0;}
-#  define spin_unlock_irq(x) { spin_unlock(x); sti();}
-#  define spin_unlock_irqrestore(x,flags) { spin_unlock(x); restore_flags(flags);}
-
-#  define read_lock(x) spin_lock(x)
-#  define read_lock_irq(x) spin_lock_irq(x)
-#  define read_lock_irqsave(x,flags) spin_lock_irqsave(x,flags)
-
-#  define read_unlock(x) spin_unlock(x)
-#  define read_unlock_irq(x) spin_unlock_irq(x)
-#  define read_unlock_irqrestore(x,flags) spin_unlock_irqrestore(x,flags)
-
-#  define write_lock(x) spin_lock(x)
-#  define write_lock_irq(x) spin_lock_irq(x)
-#  define write_lock_irqsave(x,flags) spin_lock_irqsave(x,flags)
-
-#  define write_unlock(x) spin_unlock(x)
-#  define write_unlock_irq(x) spin_unlock_irq(x)
-#  define write_unlock_irqrestore(x,flags) spin_unlock_irqrestore(x,flags)
-#endif /* !SPINLOCK */
-
-#ifndef SPINLOCK_23
-#  define spin_lock_bh(x)  spin_lock_irq(x)
-#  define spin_unlock_bh(x)  spin_unlock_irq(x)
-
-#  define read_lock_bh(x)  read_lock_irq(x)
-#  define read_unlock_bh(x)  read_unlock_irq(x)
-
-#  define write_lock_bh(x)  write_lock_irq(x)
-#  define write_unlock_bh(x)  write_unlock_irq(x)
-#endif /* !SPINLOCK_23 */
-
-#endif /* _FREESWAN_KVERSIONS_H */
diff --git a/src/libfreeswan/ipsec_life.h b/src/libfreeswan/ipsec_life.h
deleted file mode 100644
index 3508e007f..000000000
--- a/src/libfreeswan/ipsec_life.h
+++ /dev/null
@@ -1,90 +0,0 @@
-/*
- * Definitions relevant to IPSEC lifetimes
- * Copyright (C) 2001  Richard Guy Briggs  <rgb@freeswan.org>
- *                 and Michael Richardson  <mcr@freeswan.org>
- * 
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- * 
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- *
- * RCSID $Id: ipsec_life.h 3265 2007-10-08 19:52:55Z andreas $
- *
- * This file derived from ipsec_xform.h on 2001/9/18 by mcr.
- *
- */
-
-/* 
- * This file describes the book keeping fields for the 
- *   IPsec Security Association Structure. ("ipsec_sa")
- *
- * This structure is never allocated directly by kernel code,
- * (it is always a static/auto or is part of a structure)
- * so it does not have a reference count.
- *
- */
-
-#ifndef _IPSEC_LIFE_H_
-
-/*
- *  _count is total count.
- *  _hard is hard limit (kill SA after this number)
- *  _soft is soft limit (try to renew SA after this number)
- *  _last is used in some special cases.
- *
- */
-
-struct ipsec_lifetime64
-{
-	__u64           ipl_count;
-	__u64           ipl_soft;
-	__u64           ipl_hard;
-	__u64           ipl_last;  
-};
-
-struct ipsec_lifetimes
-{
-	/* number of bytes processed */
-	struct ipsec_lifetime64 ipl_bytes;
-
-	/* number of packets processed */
-	struct ipsec_lifetime64 ipl_packets;
-
-	/* time since SA was added */
-	struct ipsec_lifetime64 ipl_addtime;
-
-	/* time since SA was first used */
-	struct ipsec_lifetime64 ipl_usetime;
-
-	/* from rfc2367:  
-         *         For CURRENT, the number of different connections,
-         *         endpoints, or flows that the association has been
-         *          allocated towards. For HARD and SOFT, the number of
-         *          these the association may be allocated towards
-         *          before it expires. The concept of a connection,
-         *          flow, or endpoint is system specific.
-	 *
-	 * mcr(2001-9-18) it is unclear what purpose these serve for FreeSWAN.
-	 *          They are maintained for PF_KEY compatibility. 
-	 */
-	struct ipsec_lifetime64 ipl_allocations;
-};
-
-enum ipsec_life_alive {
-	ipsec_life_harddied = -1,
-	ipsec_life_softdied = 0,
-	ipsec_life_okay     = 1
-};
-
-enum ipsec_life_type {
-	ipsec_life_timebased = 1,
-	ipsec_life_countbased= 0
-};
-
-#define _IPSEC_LIFE_H_
-#endif /* _IPSEC_LIFE_H_ */
diff --git a/src/libfreeswan/ipsec_md5h.h b/src/libfreeswan/ipsec_md5h.h
deleted file mode 100644
index ea98218a6..000000000
--- a/src/libfreeswan/ipsec_md5h.h
+++ /dev/null
@@ -1,83 +0,0 @@
-/*
- * RCSID $Id: ipsec_md5h.h 3265 2007-10-08 19:52:55Z andreas $
- */
-
-/*
- * The rest of this file is Copyright RSA DSI. See the following comments
- * for the full Copyright notice.
- */
-
-#ifndef _IPSEC_MD5H_H_
-#define _IPSEC_MD5H_H_
-
-/* GLOBAL.H - RSAREF types and constants
- */
-
-/* PROTOTYPES should be set to one if and only if the compiler supports
-     function argument prototyping.
-   The following makes PROTOTYPES default to 0 if it has not already
-     been defined with C compiler flags.
- */
-#ifndef PROTOTYPES
-#define PROTOTYPES 1
-#endif /* !PROTOTYPES */
-
-/* POINTER defines a generic pointer type */
-typedef __u8 *POINTER;
-
-/* UINT2 defines a two byte word */
-typedef __u16 UINT2;
-
-/* UINT4 defines a four byte word */
-typedef __u32 UINT4;
-
-/* PROTO_LIST is defined depending on how PROTOTYPES is defined above.
-   If using PROTOTYPES, then PROTO_LIST returns the list, otherwise it
-     returns an empty list.
- */
-
-#if PROTOTYPES
-#define PROTO_LIST(list) list
-#else /* PROTOTYPES */
-#define PROTO_LIST(list) ()
-#endif /* PROTOTYPES */
-
-
-/* MD5.H - header file for MD5C.C
- */
-
-/* Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All
-rights reserved.
-
-License to copy and use this software is granted provided that it
-is identified as the "RSA Data Security, Inc. MD5 Message-Digest
-Algorithm" in all material mentioning or referencing this software
-or this function.
-
-License is also granted to make and use derivative works provided
-that such works are identified as "derived from the RSA Data
-Security, Inc. MD5 Message-Digest Algorithm" in all material
-mentioning or referencing the derived work.
-
-RSA Data Security, Inc. makes no representations concerning either
-the merchantability of this software or the suitability of this
-software for any particular purpose. It is provided "as is"
-without express or implied warranty of any kind.
-
-These notices must be retained in any copies of any part of this
-documentation and/or software.
- */
-
-/* MD5 context. */
-typedef struct {
-  UINT4 state[4];                                   /* state (ABCD) */
-  UINT4 count[2];        /* number of bits, modulo 2^64 (lsb first) */
-  unsigned char buffer[64];                         /* input buffer */
-} MD5_CTX;
-
-void MD5Init PROTO_LIST ((void *));
-void MD5Update PROTO_LIST
-  ((void *, unsigned char *, __u32));
-void MD5Final PROTO_LIST ((unsigned char [16], void *));
- 
-#endif /* _IPSEC_MD5H_H_ */
diff --git a/src/libfreeswan/ipsec_param.h b/src/libfreeswan/ipsec_param.h
index 209244c59..b0ee845a5 100644
--- a/src/libfreeswan/ipsec_param.h
+++ b/src/libfreeswan/ipsec_param.h
@@ -13,9 +13,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: ipsec_param.h 3265 2007-10-08 19:52:55Z andreas $
- *
  */
 
 /* 
@@ -28,40 +25,6 @@
 
 #ifndef _IPSEC_PARAM_H_
 
-#ifdef __KERNEL__
-#include "ipsec_kversion.h"
-
-/* Set number of ipsecX virtual devices here. */
-/* This must be < exp(field width of IPSEC_DEV_FORMAT) */
-/* It must also be reasonable so as not to overload the memory and CPU */
-/* constraints of the host. */
-#define IPSEC_NUM_IF	4
-/* The field width must be < IF_NAM_SIZ - strlen("ipsec") - 1. */
-/* With "ipsec" being 5 characters, that means 10 is the max field width */
-/* but machine memory and CPU constraints are not likely to tollerate */
-/* more than 3 digits.  The default is one digit. */
-/* Update: userland scripts get upset if they can't find "ipsec0", so */
-/* for now, no "0"-padding should be used (which would have been helpful */
-/* to make text-searches work */
-#define IPSEC_DEV_FORMAT "ipsec%d"
-/* For, say, 500 virtual ipsec devices, I would recommend: */
-/* #define IPSEC_NUM_IF	500 */
-/* #define IPSEC_DEV_FORMAT "ipsec%03d" */
-/* Note that the "interfaces=" line in /etc/ipsec.conf would be, um, challenging. */
-
-/* use dynamic ipsecX device allocation */
-#ifndef CONFIG_IPSEC_DYNDEV
-#define CONFIG_IPSEC_DYNDEV 1
-#endif /* CONFIG_IPSEC_DYNDEV */
-
-
-#ifdef CONFIG_IPSEC_BIGGATE
-# define SADB_HASHMOD   8069
-#else /* CONFIG_IPSEC_BIGGATE */
-# define SADB_HASHMOD	257
-#endif /* CONFIG_IPSEC_BIGGATE */
-#endif /* __KERNEL__ */
-
 /*
  * This is for the SA reference table. This number is related to the
  * maximum number of SAs that KLIPS can concurrently deal with, plus enough
@@ -87,140 +50,5 @@
 # define IPSEC_SA_REF_CODE 1 
 #endif
 
-#ifdef __KERNEL__
-/* This is defined for 2.4, but not 2.2.... */
-#ifndef ARPHRD_VOID
-# define ARPHRD_VOID 0xFFFF
-#endif
-
-/*
- * Worry about PROC_FS stuff
- */
-#if defined(PROC_FS_2325)
-/* kernel 2.4 */
-# define IPSEC_PROC_LAST_ARG ,int *eof,void *data
-# define IPSEC_PROCFS_DEBUG_NO_STATIC
-# define IPSEC_PROC_SUBDIRS
-#else
-/* kernel <2.4 */
-# define IPSEC_PROCFS_DEBUG_NO_STATIC DEBUG_NO_STATIC
-
-# ifndef PROC_NO_DUMMY
-#  define IPSEC_PROC_LAST_ARG , int dummy
-# else
-#  define IPSEC_PROC_LAST_ARG
-# endif /* !PROC_NO_DUMMY */
-#endif /* PROC_FS_2325 */
-
-#if !defined(LINUX_KERNEL_HAS_SNPRINTF)
-/* GNU CPP specific! */
-# define snprintf(buf, len, fmt...) sprintf(buf, ##fmt)
-#endif /* !LINUX_KERNEL_HAS_SNPRINTF */
-
-#ifdef SPINLOCK
-# ifdef SPINLOCK_23
-#  include <linux/spinlock.h> /* *lock* */
-# else /* SPINLOCK_23 */
-#  include <asm/spinlock.h> /* *lock* */
-# endif /* SPINLOCK_23 */
-#endif /* SPINLOCK */
-
-#ifndef KLIPS_FIXES_DES_PARITY
-# define KLIPS_FIXES_DES_PARITY 1
-#endif /* !KLIPS_FIXES_DES_PARITY */
-
-/* we don't really want to print these unless there are really big problems */
-#ifndef KLIPS_DIVULGE_CYPHER_KEY
-# define KLIPS_DIVULGE_CYPHER_KEY 0
-#endif /* !KLIPS_DIVULGE_CYPHER_KEY */
-
-#ifndef KLIPS_DIVULGE_HMAC_KEY
-# define KLIPS_DIVULGE_HMAC_KEY 0
-#endif /* !KLIPS_DIVULGE_HMAC_KEY */
-
-#ifndef IPSEC_DISALLOW_IPOPTIONS
-# define IPSEC_DISALLOW_IPOPTIONS 1
-#endif /* !KLIPS_DIVULGE_HMAC_KEY */
-
-/* extra toggles for regression testing */
-#ifdef CONFIG_IPSEC_REGRESS
-
-/* 
- * should pfkey_acquire() become 100% lossy?
- *
- */
-extern int sysctl_ipsec_regress_pfkey_lossage;
-#ifndef KLIPS_PFKEY_ACQUIRE_LOSSAGE
-# ifdef CONFIG_IPSEC_PFKEY_ACQUIRE_LOSSAGE
-#  define KLIPS_PFKEY_ACQUIRE_LOSSAGE 100
-# else /* CONFIG_IPSEC_PFKEY_ACQUIRE_LOSSAGE */
-/* not by default! */
-#  define KLIPS_PFKEY_ACQUIRE_LOSSAGE 0
-# endif /* CONFIG_IPSEC_PFKEY_ACQUIRE_LOSSAGE */
-#endif /* KLIPS_PFKEY_ACQUIRE_LOSSAGE */
-
-#endif /* CONFIG_IPSEC_REGRESS */
-
-/*
- * debugging routines.
- */
-#ifdef CONFIG_IPSEC_DEBUG
-extern void ipsec_print_ip(struct iphdr *ip);
-
-	#define KLIPS_PRINT(flag, format, args...) \
-		((flag) ? printk(KERN_INFO format , ## args) : 0)
-	#define KLIPS_PRINTMORE(flag, format, args...) \
-		((flag) ? printk(format , ## args) : 0)
-	#define KLIPS_IP_PRINT(flag, ip) \
-		((flag) ? ipsec_print_ip(ip) : 0)
-#else /* CONFIG_IPSEC_DEBUG */
-	#define KLIPS_PRINT(flag, format, args...) do ; while(0)
-	#define KLIPS_PRINTMORE(flag, format, args...) do ; while(0)
-	#define KLIPS_IP_PRINT(flag, ip) do ; while(0)
-#endif /* CONFIG_IPSEC_DEBUG */
-
-
-/* 
- * Stupid kernel API differences in APIs. Not only do some
- * kernels not have ip_select_ident, but some have differing APIs,
- * and SuSE has one with one parameter, but no way of checking to
- * see what is really what.
- */
-
-#ifdef SUSE_LINUX_2_4_19_IS_STUPID
-#define KLIPS_IP_SELECT_IDENT(iph, skb) ip_select_ident(iph)
-#else
-
-/* simplest case, nothing */
-#if !defined(IP_SELECT_IDENT)
-#define KLIPS_IP_SELECT_IDENT(iph, skb)  do { iph->id = htons(ip_id_count++); } while(0)
-#endif
-
-/* kernels > 2.3.37-ish */
-#if defined(IP_SELECT_IDENT) && !defined(IP_SELECT_IDENT_NEW)
-#define KLIPS_IP_SELECT_IDENT(iph, skb) ip_select_ident(iph, skb->dst)
-#endif
-
-/* kernels > 2.4.2 */
-#if defined(IP_SELECT_IDENT) && defined(IP_SELECT_IDENT_NEW)
-#define KLIPS_IP_SELECT_IDENT(iph, skb) ip_select_ident(iph, skb->dst, NULL)
-#endif
-
-#endif /* SUSE_LINUX_2_4_19_IS_STUPID */
-
-/*
- * make klips fail test:east-espiv-01.
- * exploit is at testing/attacks/espiv
- *
- */
-#define KLIPS_IMPAIRMENT_ESPIV_CBC_ATTACK 0
-
-
-/* IP_FRAGMENT_LINEARIZE is set in freeswan.h if Kernel > 2.4.4 */
-#ifndef IP_FRAGMENT_LINEARIZE
-# define IP_FRAGMENT_LINEARIZE 0
-#endif /* IP_FRAGMENT_LINEARIZE */
-#endif /* __KERNEL__ */
-
 #define _IPSEC_PARAM_H_
 #endif /* _IPSEC_PARAM_H_ */
diff --git a/src/libfreeswan/ipsec_policy.h b/src/libfreeswan/ipsec_policy.h
deleted file mode 100644
index bf074f18f..000000000
--- a/src/libfreeswan/ipsec_policy.h
+++ /dev/null
@@ -1,233 +0,0 @@
-#ifndef _IPSEC_POLICY_H
-/*
- * policy interface file between pluto and applications
- * Copyright (C) 2003              Michael Richardson <mcr@freeswan.org>
- * 
- * This library is free software; you can redistribute it and/or modify it
- * under the terms of the GNU Library General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- * 
- * This library is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
- * License for more details.
- *
- * RCSID $Id: ipsec_policy.h 3839 2008-04-18 11:25:37Z andreas $
- */
-#define	_IPSEC_POLICY_H 	/* seen it, no need to see it again */
-
-
-/*
- * this file defines an interface between an application (or rather an
- * application library) and a key/policy daemon. It provides for inquiries
- * as to the current state of a connected socket, as well as for general
- * questions.
- *
- * In general, the interface is defined as a series of functional interfaces,
- * and the policy messages should be internal. However, because this is in
- * fact an ABI between pieces of the system that may get compiled and revised
- * seperately, this ABI must be public and revision controlled.
- *
- * It is expected that the daemon will always support previous versions.
- */
-
-#define IPSEC_POLICY_MSG_REVISION (unsigned)200305061
-
-enum ipsec_policy_command {
-  IPSEC_CMD_QUERY_FD       = 1,
-  IPSEC_CMD_QUERY_HOSTPAIR = 2,
-  IPSEC_CMD_QUERY_DSTONLY  = 3,
-};
-
-struct ipsec_policy_msg_head {
-  u_int32_t ipm_version;
-  u_int32_t ipm_msg_len;  
-  u_int32_t ipm_msg_type;
-  u_int32_t ipm_msg_seq;
-};
-
-enum ipsec_privacy_quality {
-  IPSEC_PRIVACY_NONE     = 0,
-  IPSEC_PRIVACY_INTEGRAL = 4,   /* not private at all. AH-like */
-  IPSEC_PRIVACY_UNKNOWN  = 8,   /* something is claimed, but details unavail */
-  IPSEC_PRIVACY_ROT13    = 12,  /* trivially breakable, i.e. 1DES */
-  IPSEC_PRIVACY_GAK      = 16,  /* known eavesdroppers */
-  IPSEC_PRIVACY_PRIVATE  = 32,  /* secure for at least a decade */
-  IPSEC_PRIVACY_STRONG   = 64,  /* ridiculously secure */
-  IPSEC_PRIVACY_TORTOISE = 192, /* even stronger, but very slow */
-  IPSEC_PRIVACY_OTP      = 224, /* some kind of *true* one time pad */
-};
-
-enum ipsec_bandwidth_quality {
-  IPSEC_QOS_UNKNOWN = 0,       /* unknown bandwidth */
-  IPSEC_QOS_INTERACTIVE = 16,  /* reasonably moderate jitter, moderate fast.
-				  Good enough for telnet/ssh. */
-  IPSEC_QOS_VOIP        = 32,  /* faster crypto, predicable jitter */
-  IPSEC_QOS_FTP         = 64,  /* higher throughput crypto, perhaps hardware
-				  offloaded, but latency/jitter may be bad */
-  IPSEC_QOS_WIRESPEED   = 128, /* expect to be able to fill your pipe */
-};
-
-/* moved from programs/pluto/constants.h */
-/* IPsec AH transform values
- * RFC2407 The Internet IP security Domain of Interpretation for ISAKMP 4.4.3
- * and in http://www.iana.org/assignments/isakmp-registry
- */
-enum ipsec_authentication_algo {
-  AH_NONE         = 0,
-  AH_MD5          = 2,
-  AH_SHA          = 3,
-  AH_DES          = 4,
-  AH_SHA2_256     = 5,
-  AH_SHA2_384     = 6,
-  AH_SHA2_512     = 7,
-  AH_RIPEMD       = 8,
-  AH_AES_XCBC_MAC = 9,
-  AH_RSA          = 10
-};
-
-/* IPsec ESP transform values
- * RFC2407 The Internet IP security Domain of Interpretation for ISAKMP 4.4.4
- * and from http://www.iana.org/assignments/isakmp-registry
- */
-
-enum ipsec_cipher_algo {
-  ESP_NONE	    = 0,
-  ESP_DES_IV64      = 1,
-  ESP_DES           = 2,
-  ESP_3DES          = 3,
-  ESP_RC5           = 4,
-  ESP_IDEA          = 5,
-  ESP_CAST          = 6,
-  ESP_BLOWFISH      = 7,
-  ESP_3IDEA         = 8,
-  ESP_DES_IV32      = 9,
-  ESP_RC4           = 10,
-  ESP_NULL          = 11,
-  ESP_AES           = 12,
-  ESP_AES_CTR       = 13,
-  ESP_AES_CCM_8     = 14,
-  ESP_AES_CCM_12    = 15,
-  ESP_AES_CCM_16    = 16,
-  ESP_UNASSIGNED_17 = 17,
-  ESP_AES_GCM_8     = 18,
-  ESP_AES_GCM_12    = 19,
-  ESP_AES_GCM_16    = 20,
-  ESP_SEED_CBC      = 21,
-  ESP_CAMELLIA      = 22,
-  ESP_SERPENT       = 252,
-  ESP_TWOFISH       = 253
-};
-
-/* IPCOMP transform values
- * RFC2407 The Internet IP security Domain of Interpretation for ISAKMP 4.4.5
- */
-
-enum ipsec_comp_algo {
-  IPSCOMP_NONE   = 0,
-  IPCOMP_OUI     = 1,
-  IPCOMP_DEFLATE = 2,
-  IPCOMP_LZS     = 3,
-  IPCOMP_LZJH    = 4
-};
-
-/* Identification type values
- * RFC 2407 The Internet IP security Domain of Interpretation for ISAKMP 4.6.2.1 
- */
-
-enum ipsec_id_type {
-  ID_IMPOSSIBLE=             (-2),	/* private to Pluto */
-  ID_MYID=                   (-1),	/* private to Pluto */
-  ID_NONE=                     0,	/* private to Pluto */
-  ID_IPV4_ADDR=                1,
-  ID_FQDN=                     2,
-  ID_USER_FQDN=                3,
-  ID_IPV4_ADDR_SUBNET=         4,
-  ID_IPV6_ADDR=                5,
-  ID_IPV6_ADDR_SUBNET=         6,
-  ID_IPV4_ADDR_RANGE=          7,
-  ID_IPV6_ADDR_RANGE=          8,
-  ID_DER_ASN1_DN=              9,
-  ID_DER_ASN1_GN=              10,
-  ID_KEY_ID=                   11
-};
-
-/* Certificate type values
- * RFC 2408 ISAKMP, chapter 3.9
- */
-enum ipsec_cert_type {
-  CERT_NONE=			0,
-  CERT_PKCS7_WRAPPED_X509=	1,
-  CERT_PGP=			2,
-  CERT_DNS_SIGNED_KEY=		3,
-  CERT_X509_SIGNATURE=		4,
-  CERT_X509_KEY_EXCHANGE=	5,
-  CERT_KERBEROS_TOKENS=		6,
-  CERT_CRL=			7,
-  CERT_ARL=			8,
-  CERT_SPKI=			9,
-  CERT_X509_ATTRIBUTE=		10,
-  CERT_RAW_RSA_KEY=             11
-};
-
-/* a SIG record in ASCII */
-struct ipsec_dns_sig {
-  char fqdn[256];
-  char dns_sig[768];     /* empty string if not signed */
-};
-
-struct ipsec_raw_key {
-  char id_name[256];
-  char fs_keyid[8];
-};
-
-struct ipsec_identity {
-  enum ipsec_id_type     ii_type;
-  enum ipsec_cert_type   ii_format;
-  union {
-    struct ipsec_dns_sig ipsec_dns_signed;
-    /* some thing for PGP */
-    /* some thing for PKIX */
-    struct ipsec_raw_key ipsec_raw_key;
-  } ii_credential;
-};
-
-#define IPSEC_MAX_CREDENTIALS 32
-
-struct ipsec_policy_cmd_query {
-  struct ipsec_policy_msg_head head;
-
-  /* Query section */
-  ip_address query_local;     /* us   */
-  ip_address query_remote;    /* them */
-  u_short src_port, dst_port;
-
-  /* Answer section */
-  enum ipsec_privacy_quality     strength;
-  enum ipsec_bandwidth_quality   bandwidth;
-  enum ipsec_authentication_algo auth_detail;  
-  enum ipsec_cipher_algo         esp_detail;
-  enum ipsec_comp_algo           comp_detail;
-
-  int                            credential_count;
-
-  struct ipsec_identity credentials[IPSEC_MAX_CREDENTIALS];
-};
-
-#define IPSEC_POLICY_SOCKET "/var/run/pluto.info"
-
-/* prototypes */
-extern err_t ipsec_policy_lookup(int fd, struct ipsec_policy_cmd_query *result);
-extern err_t ipsec_policy_init(void);
-extern err_t ipsec_policy_final(void);
-extern err_t ipsec_policy_readmsg(int policysock,
-				  unsigned char *buf, size_t buflen);
-extern err_t ipsec_policy_sendrecv(unsigned char *buf, size_t buflen);
-extern err_t ipsec_policy_cgilookup(struct ipsec_policy_cmd_query *result);
-
-
-extern const char *ipsec_policy_version_code(void);
-extern const char *ipsec_policy_version_string(void);
-
-#endif /* _IPSEC_POLICY_H */
diff --git a/src/libfreeswan/ipsec_proto.h b/src/libfreeswan/ipsec_proto.h
deleted file mode 100644
index 23b9cf247..000000000
--- a/src/libfreeswan/ipsec_proto.h
+++ /dev/null
@@ -1,111 +0,0 @@
-/*
- * @(#) prototypes for FreeSWAN functions 
- *
- * Copyright (C) 2001  Richard Guy Briggs  <rgb@freeswan.org>
- *                 and Michael Richardson  <mcr@freeswan.org>
- * 
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- * 
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- *
- * RCSID $Id: ipsec_proto.h 3265 2007-10-08 19:52:55Z andreas $
- *
- */
-
-#ifndef _IPSEC_PROTO_H_
-
-#include "ipsec_param.h"
-
-/*
- * This file is a kernel only file that declares prototypes for
- * all intra-module function calls and global data structures.
- *
- * Include this file last.
- *
- */
-
-/* ipsec_init.c */
-extern struct prng ipsec_prng;
-
-/* ipsec_sa.c */
-extern struct ipsec_sa *ipsec_sadb_hash[SADB_HASHMOD];
-extern spinlock_t       tdb_lock;
-extern int ipsec_sadb_init(void);
-
-extern struct ipsec_sa *ipsec_sa_getbyid(struct sa_id*);
-extern int ipsec_sa_put(struct ipsec_sa *);
-extern /* void */ int ipsec_sa_del(struct ipsec_sa *);
-extern /* void */ int ipsec_sa_delchain(struct ipsec_sa *);
-extern /* void */ int ipsec_sa_add(struct ipsec_sa *);
-
-extern int ipsec_sadb_cleanup(__u8);
-extern int ipsec_sa_wipe(struct ipsec_sa *);
-
-/* debug declarations */
-
-/* ipsec_proc.c */
-extern int  ipsec_proc_init(void);
-extern void ipsec_proc_cleanup(void);
-
-/* ipsec_radij.c */
-extern int ipsec_makeroute(struct sockaddr_encap *ea,
-			   struct sockaddr_encap *em,
-			   struct sa_id said,
-			   uint32_t pid,
-			   struct sk_buff *skb,
-			   struct ident *ident_s,
-			   struct ident *ident_d);
-
-extern int ipsec_breakroute(struct sockaddr_encap *ea,
-			    struct sockaddr_encap *em,
-			    struct sk_buff **first,
-			    struct sk_buff **last);
-
-int ipsec_radijinit(void);
-int ipsec_cleareroutes(void);
-int ipsec_radijcleanup(void);
-
-/* ipsec_life.c */
-extern enum ipsec_life_alive ipsec_lifetime_check(struct ipsec_lifetime64 *il64,
-						  const char *lifename,
-						  const char *saname,
-						  enum ipsec_life_type ilt,
-						  enum ipsec_direction idir,
-						  struct ipsec_sa *ips);
-
-
-extern int ipsec_lifetime_format(char *buffer,
-				 int   buflen,
-				 char *lifename,
-				 enum ipsec_life_type timebaselife,
-				 struct ipsec_lifetime64 *lifetime);
-
-extern void ipsec_lifetime_update_hard(struct ipsec_lifetime64 *lifetime,
-				       __u64 newvalue);
-
-extern void ipsec_lifetime_update_soft(struct ipsec_lifetime64 *lifetime,
-				       __u64 newvalue);
-
-
-
-
-#ifdef CONFIG_IPSEC_DEBUG
-
-extern int debug_xform;
-extern int debug_eroute;
-extern int debug_spi;
-extern int debug_netlink;
-
-#endif /* CONFIG_IPSEC_DEBUG */
-
-
-
-
-#define _IPSEC_PROTO_H
-#endif /* _IPSEC_PROTO_H_ */
diff --git a/src/libfreeswan/ipsec_radij.h b/src/libfreeswan/ipsec_radij.h
deleted file mode 100644
index 88e849eee..000000000
--- a/src/libfreeswan/ipsec_radij.h
+++ /dev/null
@@ -1,63 +0,0 @@
-/*
- * @(#) Definitions relevant to the IPSEC <> radij tree interfacing
- * Copyright (C) 1996, 1997  John Ioannidis.
- * Copyright (C) 1998, 1999, 2000, 2001  Richard Guy Briggs.
- * 
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- * 
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- *
- * RCSID $Id: ipsec_radij.h 3265 2007-10-08 19:52:55Z andreas $
- */
-
-#ifndef _IPSEC_RADIJ_H
-
-#include <freeswan.h>
-
-int ipsec_walk(char *);
-
-int ipsec_rj_walker_procprint(struct radij_node *, void *);
-int ipsec_rj_walker_delete(struct radij_node *, void *);
-
-/* This structure is used to pass information between
- * ipsec_eroute_get_info and ipsec_rj_walker_procprint
- * (through rj_walktree) and between calls of ipsec_rj_walker_procprint.
- */
-struct wsbuf
-{
-	/* from caller of ipsec_eroute_get_info: */
-	char *const buffer;	/* start of buffer provided */
-	const int length;	/* length of buffer provided */
-	const off_t offset;	/* file position of first character of interest */
-	/* accumulated by ipsec_rj_walker_procprint: */
-	int len;		/* number of character filled into buffer */
-	off_t begin;		/* file position contained in buffer[0] (<=offset) */
-};
-
-
-extern struct radij_node_head *rnh;
-extern spinlock_t eroute_lock;
-
-struct eroute * ipsec_findroute(struct sockaddr_encap *);
-
-#define O1(x) (int)(((x)>>24)&0xff)
-#define O2(x) (int)(((x)>>16)&0xff)
-#define O3(x) (int)(((x)>>8)&0xff)
-#define O4(x) (int)(((x))&0xff)
-
-#ifdef CONFIG_IPSEC_DEBUG
-extern int debug_radij;
-void rj_dumptrees(void);
-
-#define DB_RJ_DUMPTREES	0x0001
-#define DB_RJ_FINDROUTE 0x0002
-#endif /* CONFIG_IPSEC_DEBUG */
-
-#define _IPSEC_RADIJ_H
-#endif
diff --git a/src/libfreeswan/ipsec_rcv.h b/src/libfreeswan/ipsec_rcv.h
deleted file mode 100644
index d972a18b9..000000000
--- a/src/libfreeswan/ipsec_rcv.h
+++ /dev/null
@@ -1,72 +0,0 @@
-/*
- * 
- * Copyright (C) 1996, 1997  John Ioannidis.
- * Copyright (C) 1998, 1999, 2000, 2001  Richard Guy Briggs.
- * 
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- * 
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- *
- * RCSID $Id: ipsec_rcv.h 3265 2007-10-08 19:52:55Z andreas $
- */
-
-#define DB_RX_PKTRX	0x0001
-#define DB_RX_PKTRX2	0x0002
-#define DB_RX_DMP	0x0004
-#define DB_RX_IPSA	0x0010
-#define DB_RX_XF	0x0020
-#define DB_RX_IPAD	0x0040
-#define DB_RX_INAU	0x0080
-#define DB_RX_OINFO	0x0100
-#define DB_RX_OINFO2	0x0200
-#define DB_RX_OH	0x0400
-#define DB_RX_REPLAY	0x0800
-
-#ifdef __KERNEL__
-/* struct options; */
-
-#define __NO_VERSION__
-#include <linux/module.h>
-#include <linux/config.h>	/* for CONFIG_IP_FORWARD */
-#include <linux/version.h>
-#include <freeswan.h>
-
-#define IPSEC_BIRTH_TEMPLATE_MAXLEN 256
-
-struct ipsec_birth_reply {
-  int            packet_template_len;
-  unsigned char  packet_template[IPSEC_BIRTH_TEMPLATE_MAXLEN];
-};
-
-extern struct ipsec_birth_reply ipsec_ipv4_birth_packet;
-extern struct ipsec_birth_reply ipsec_ipv6_birth_packet;
-
-extern int
-#ifdef PROTO_HANDLER_SINGLE_PARM
-ipsec_rcv(struct sk_buff *skb);
-#else /* PROTO_HANDLER_SINGLE_PARM */
-ipsec_rcv(struct sk_buff *skb,
-#ifdef NET_21
-	  unsigned short xlen);
-#else /* NET_21 */
-	  struct device *dev,
-	  struct options *opt, 
-	  __u32 daddr,
-	  unsigned short len,
-	  __u32 saddr,
-	  int redo,
-	  struct inet_protocol *protocol);
-#endif /* NET_21 */
-#endif /* PROTO_HANDLER_SINGLE_PARM */
-
-#ifdef CONFIG_IPSEC_DEBUG
-extern int debug_rcv;
-#endif /* CONFIG_IPSEC_DEBUG */
-extern int sysctl_ipsec_inbound_policy_check;
-#endif /* __KERNEL__ */
diff --git a/src/libfreeswan/ipsec_sa.h b/src/libfreeswan/ipsec_sa.h
deleted file mode 100644
index 9d178e11f..000000000
--- a/src/libfreeswan/ipsec_sa.h
+++ /dev/null
@@ -1,252 +0,0 @@
-/*
- * @(#) Definitions of IPsec Security Association (ipsec_sa)
- *
- * Copyright (C) 2001, 2002, 2003
- *                      Richard Guy Briggs  <rgb@freeswan.org>
- *                  and Michael Richardson  <mcr@freeswan.org>
- * 
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- * 
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- *
- * RCSID $Id: ipsec_sa.h 3265 2007-10-08 19:52:55Z andreas $
- *
- * This file derived from ipsec_xform.h on 2001/9/18 by mcr.
- *
- */
-
-/* 
- * This file describes the IPsec Security Association Structure.
- *
- * This structure keeps track of a single transform that may be done
- * to a set of packets. It can describe applying the transform or
- * apply the reverse. (e.g. compression vs expansion). However, it
- * only describes one at a time. To describe both, two structures would
- * be used, but since the sides of the transform are performed 
- * on different machines typically it is usual to have only one side
- * of each association.
- * 
- */
-
-#ifndef _IPSEC_SA_H_
-
-#ifdef __KERNEL__
-#include "ipsec_stats.h"
-#include "ipsec_life.h"
-#include "ipsec_eroute.h"
-#endif /* __KERNEL__ */
-#include "ipsec_param.h"
-
-
-/* SAs are held in a table.
- * Entries in this table are referenced by IPsecSAref_t values.
- * IPsecSAref_t values are conceptually subscripts.  Because
- * we want to allocate the table piece-meal, the subscripting
- * is implemented with two levels, a bit like paged virtual memory.
- * This representation mechanism is known as an Iliffe Vector.
- *
- * The Main table (AKA the refTable) consists of 2^IPSEC_SA_REF_MAINTABLE_IDX_WIDTH
- * pointers to subtables.
- * Each subtable has 2^IPSEC_SA_REF_SUBTABLE_IDX_WIDTH entries, each of which
- * is a pointer to an SA.
- *
- * An IPsecSAref_t contains either an exceptional value (signified by the
- * high-order bit being on) or a reference to a table entry.  A table entry
- * reference has the subtable subscript in the low-order
- * IPSEC_SA_REF_SUBTABLE_IDX_WIDTH bits and the Main table subscript
- * in the next lowest IPSEC_SA_REF_MAINTABLE_IDX_WIDTH bits.
- *
- * The Maintable entry for an IPsecSAref_t x, a pointer to its subtable, is
- * IPsecSAref2table(x).  It is of type struct IPsecSArefSubTable *.
- *
- * The pointer to the SA for x is IPsecSAref2SA(x).  It is of type
- * struct ipsec_sa*.  The macro definition clearly shows the two-level
- * access needed to find the SA pointer.
- *
- * The Maintable is allocated when IPsec is initialized.
- * Each subtable is allocated when needed, but the first is allocated
- * when IPsec is initialized.
- *
- * IPsecSAref_t is designed to be smaller than an NFmark so that
- * they can be stored in NFmarks and still leave a few bits for other
- * purposes.  The spare bits are in the low order of the NFmark
- * but in the high order of the IPsecSAref_t, so conversion is required.
- * We pick the upper bits of NFmark on the theory that they are less likely to
- * interfere with more pedestrian uses of nfmark.
- */
-
-
-typedef unsigned short int IPsecRefTableUnusedCount;
-
-#define IPSEC_SA_REF_TABLE_NUM_ENTRIES (1 << IPSEC_SA_REF_TABLE_IDX_WIDTH)
-
-#ifdef __KERNEL__
-#if ((IPSEC_SA_REF_TABLE_IDX_WIDTH - (1 + IPSEC_SA_REF_MAINTABLE_IDX_WIDTH)) < 0)
-#error "IPSEC_SA_REF_TABLE_IDX_WIDTH("IPSEC_SA_REF_TABLE_IDX_WIDTH") MUST be < 1 + IPSEC_SA_REF_MAINTABLE_IDX_WIDTH("IPSEC_SA_REF_MAINTABLE_IDX_WIDTH")"
-#endif
-
-#define IPSEC_SA_REF_SUBTABLE_IDX_WIDTH (IPSEC_SA_REF_TABLE_IDX_WIDTH - IPSEC_SA_REF_MAINTABLE_IDX_WIDTH)
-
-#define IPSEC_SA_REF_MAINTABLE_NUM_ENTRIES (1 << IPSEC_SA_REF_MAINTABLE_IDX_WIDTH)
-#define IPSEC_SA_REF_SUBTABLE_NUM_ENTRIES (1 << IPSEC_SA_REF_SUBTABLE_IDX_WIDTH)
-
-#ifdef CONFIG_NETFILTER
-#define IPSEC_SA_REF_HOST_FIELD(x) ((struct sk_buff*)(x))->nfmark
-#define IPSEC_SA_REF_HOST_FIELD_TYPE typeof(IPSEC_SA_REF_HOST_FIELD(NULL))
-#else /* CONFIG_NETFILTER */
-/* just make it work for now, it doesn't matter, since there is no nfmark */
-#define IPSEC_SA_REF_HOST_FIELD_TYPE unsigned long
-#endif /* CONFIG_NETFILTER */
-#define IPSEC_SA_REF_HOST_FIELD_WIDTH (8 * sizeof(IPSEC_SA_REF_HOST_FIELD_TYPE))
-#define IPSEC_SA_REF_FIELD_WIDTH (8 * sizeof(IPsecSAref_t))
-
-#define IPSEC_SA_REF_MASK        (IPSEC_SAREF_NULL >> (IPSEC_SA_REF_FIELD_WIDTH - IPSEC_SA_REF_TABLE_IDX_WIDTH))
-#define IPSEC_SA_REF_TABLE_MASK ((IPSEC_SAREF_NULL >> (IPSEC_SA_REF_FIELD_WIDTH - IPSEC_SA_REF_MAINTABLE_IDX_WIDTH)) << IPSEC_SA_REF_SUBTABLE_IDX_WIDTH)
-#define IPSEC_SA_REF_ENTRY_MASK  (IPSEC_SAREF_NULL >> (IPSEC_SA_REF_FIELD_WIDTH - IPSEC_SA_REF_SUBTABLE_IDX_WIDTH))
-
-#define IPsecSAref2table(x) (((x) & IPSEC_SA_REF_TABLE_MASK) >> IPSEC_SA_REF_SUBTABLE_IDX_WIDTH)
-#define IPsecSAref2entry(x) ((x) & IPSEC_SA_REF_ENTRY_MASK)
-#define IPsecSArefBuild(x,y) (((x) << IPSEC_SA_REF_SUBTABLE_IDX_WIDTH) + (y))
-
-#define IPsecSAref2SA(x) (ipsec_sadb.refTable[IPsecSAref2table(x)]->entry[IPsecSAref2entry(x)])
-#define IPsecSA2SAref(x) ((x)->ips_ref)
-
-#define EMT_INBOUND	0x01	/* SA direction, 1=inbound */
-
-/* 'struct ipsec_sa' should be 64bit aligned when allocated. */
-struct ipsec_sa 	                        
-{
-	IPsecSAref_t	ips_ref;		/* reference table entry number */
-	atomic_t	ips_refcount;		/* reference count for this struct */
-	struct ipsec_sa	*ips_hnext;		/* next in hash chain */
-	struct ipsec_sa	*ips_inext;	 	/* pointer to next xform */
-	struct ipsec_sa	*ips_onext;	 	/* pointer to prev xform */
-
-	struct ifnet	*ips_rcvif;	 	/* related rcv encap interface */
-
-	struct sa_id	ips_said;	 	/* SA ID */
-
-	__u32		ips_seq;		/* seq num of msg that initiated this SA */
-	__u32		ips_pid;		/* PID of process that initiated this SA */
-	__u8		ips_authalg;		/* auth algorithm for this SA */
-	__u8		ips_encalg;		/* enc algorithm for this SA */
-
-	struct ipsec_stats ips_errs;
-
-	__u8		ips_replaywin;		/* replay window size */
-	__u8		ips_state;		/* state of SA */
-	__u32		ips_replaywin_lastseq;	/* last pkt sequence num */
-	__u64		ips_replaywin_bitmap;	/* bitmap of received pkts */
-	__u32		ips_replaywin_maxdiff;	/* max pkt sequence difference */
-
-	__u32		ips_flags;		/* generic xform flags */
-
-
-	struct ipsec_lifetimes ips_life;	/* lifetime records */
-
-	/* selector information */
-	struct sockaddr*ips_addr_s;		/* src sockaddr */
-	struct sockaddr*ips_addr_d;		/* dst sockaddr */
-	struct sockaddr*ips_addr_p;		/* proxy sockaddr */
-	__u16		ips_addr_s_size;
-	__u16		ips_addr_d_size;
-	__u16		ips_addr_p_size;
-	ip_address	ips_flow_s;
-	ip_address	ips_flow_d;
-	ip_address	ips_mask_s;
-	ip_address	ips_mask_d;
-
-	__u16		ips_key_bits_a;		/* size of authkey in bits */
-	__u16		ips_auth_bits;		/* size of authenticator in bits */
-	__u16		ips_key_bits_e;		/* size of enckey in bits */
-	__u16		ips_iv_bits;	 	/* size of IV in bits */
-	__u8		ips_iv_size;
-	__u16		ips_key_a_size;
-	__u16		ips_key_e_size;
-
-	caddr_t		ips_key_a;		/* authentication key */
-	caddr_t		ips_key_e;		/* encryption key */
-	caddr_t	        ips_iv;			/* Initialisation Vector */
-
-	struct ident	ips_ident_s;		/* identity src */
-	struct ident	ips_ident_d;		/* identity dst */
-
-#ifdef CONFIG_IPSEC_IPCOMP
-	__u16		ips_comp_adapt_tries;	/* ipcomp self-adaption tries */
-	__u16		ips_comp_adapt_skip;	/* ipcomp self-adaption to-skip */
-	__u64		ips_comp_ratio_cbytes;	/* compressed bytes */
-	__u64		ips_comp_ratio_dbytes;	/* decompressed (or uncompressed) bytes */
-#endif /* CONFIG_IPSEC_IPCOMP */
-
-#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
-	__u8		ips_natt_type;
-	__u8		ips_natt_reserved[3];
-	__u16		ips_natt_sport;
-	__u16		ips_natt_dport;
-
-	struct sockaddr *ips_natt_oa;
-	__u16		ips_natt_oa_size;
-	__u16		ips_natt_reserved2;
-#endif
-
-#if 0
-	__u32		ips_sens_dpd;
-	__u8		ips_sens_sens_level;
-	__u8		ips_sens_sens_len;
-	__u64*		ips_sens_sens_bitmap;
-	__u8		ips_sens_integ_level;
-	__u8		ips_sens_integ_len;
-	__u64*		ips_sens_integ_bitmap;
-#endif
-	struct ipsec_alg_enc *ips_alg_enc;
-	struct ipsec_alg_auth *ips_alg_auth;
-	IPsecSAref_t	ips_ref_rel;
-};
-
-struct IPsecSArefSubTable
-{
-	struct ipsec_sa* entry[IPSEC_SA_REF_SUBTABLE_NUM_ENTRIES];
-};
-
-struct ipsec_sadb {
-	struct IPsecSArefSubTable* refTable[IPSEC_SA_REF_MAINTABLE_NUM_ENTRIES];
-	IPsecSAref_t refFreeList[IPSEC_SA_REF_FREELIST_NUM_ENTRIES];
-	int refFreeListHead;
-	int refFreeListTail;
-	IPsecSAref_t refFreeListCont;
-	IPsecSAref_t said_hash[SADB_HASHMOD];
-	spinlock_t sadb_lock;
-};
-
-extern struct ipsec_sadb ipsec_sadb;
-
-extern int ipsec_SAref_recycle(void);
-extern int ipsec_SArefSubTable_alloc(unsigned table);
-extern int ipsec_saref_freelist_init(void);
-extern int ipsec_sadb_init(void);
-extern struct ipsec_sa *ipsec_sa_alloc(int*error); /* pass in error var by pointer */
-extern IPsecSAref_t ipsec_SAref_alloc(int*erorr); /* pass in error var by pointer */
-extern int ipsec_sa_free(struct ipsec_sa* ips);
-extern struct ipsec_sa *ipsec_sa_getbyid(struct sa_id *said);
-extern int ipsec_sa_put(struct ipsec_sa *ips);
-extern int ipsec_sa_add(struct ipsec_sa *ips);
-extern int ipsec_sa_del(struct ipsec_sa *ips);
-extern int ipsec_sa_delchain(struct ipsec_sa *ips);
-extern int ipsec_sadb_cleanup(__u8 proto);
-extern int ipsec_sadb_free(void);
-extern int ipsec_sa_wipe(struct ipsec_sa *ips);
-#endif /* __KERNEL__ */
-
-enum ipsec_direction {
-	ipsec_incoming = 1,
-	ipsec_outgoing = 2
-};
-
-#define _IPSEC_SA_H_
-#endif /* _IPSEC_SA_H_ */
diff --git a/src/libfreeswan/ipsec_sha1.h b/src/libfreeswan/ipsec_sha1.h
deleted file mode 100644
index b0f952c92..000000000
--- a/src/libfreeswan/ipsec_sha1.h
+++ /dev/null
@@ -1,32 +0,0 @@
-/*
- * RCSID $Id: ipsec_sha1.h 3265 2007-10-08 19:52:55Z andreas $
- */
-
-/*
- * Here is the original comment from the distribution:
-
-SHA-1 in C
-By Steve Reid <steve@edmweb.com>
-100% Public Domain
-
- * Adapted for use by the IPSEC code by John Ioannidis
- */
-
-
-#ifndef _IPSEC_SHA1_H_
-#define _IPSEC_SHA1_H_
-
-typedef struct
-{
-	__u32	state[5];
-	__u32	count[2];
-	__u8	buffer[64];
-} SHA1_CTX;
-
-void SHA1Transform(__u32 state[5], __u8 buffer[64]);
-void SHA1Init(void *context);
-void SHA1Update(void *context, unsigned char *data, __u32 len);
-void SHA1Final(unsigned char digest[20], void *context);
-
- 
-#endif /* _IPSEC_SHA1_H_ */
diff --git a/src/libfreeswan/ipsec_stats.h b/src/libfreeswan/ipsec_stats.h
deleted file mode 100644
index dabd02993..000000000
--- a/src/libfreeswan/ipsec_stats.h
+++ /dev/null
@@ -1,38 +0,0 @@
-/*
- * @(#) definition of ipsec_stats structure
- *
- * Copyright (C) 2001  Richard Guy Briggs  <rgb@freeswan.org>
- *                 and Michael Richardson  <mcr@freeswan.org>
- * 
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- * 
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- *
- * RCSID $Id: ipsec_stats.h 3265 2007-10-08 19:52:55Z andreas $
- *
- */
-
-/* 
- * This file describes the errors/statistics that FreeSWAN collects.
- */
-
-#ifndef _IPSEC_STATS_H_
-
-struct ipsec_stats {
-	__u32		ips_alg_errs;	       /* number of algorithm errors */
-	__u32		ips_auth_errs;	       /* # of authentication errors */
-	__u32		ips_encsize_errs;      /* # of encryption size errors*/
-	__u32		ips_encpad_errs;       /* # of encryption pad  errors*/
-	__u32		ips_replaywin_errs;    /* # of pkt sequence errors */
-};
-
-extern int ipsec_snprintf(char * buf, ssize_t size, const char *fmt, ...);
-
-#define _IPSEC_STATS_H_
-#endif /* _IPSEC_STATS_H_ */
diff --git a/src/libfreeswan/ipsec_tunnel.h b/src/libfreeswan/ipsec_tunnel.h
deleted file mode 100644
index df52cf646..000000000
--- a/src/libfreeswan/ipsec_tunnel.h
+++ /dev/null
@@ -1,128 +0,0 @@
-/*
- * IPSEC tunneling code
- * Copyright (C) 1996, 1997  John Ioannidis.
- * Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003  Richard Guy Briggs.
- * 
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- * 
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- *
- * RCSID $Id: ipsec_tunnel.h 3265 2007-10-08 19:52:55Z andreas $
- */
-
-#include <linux/types.h>
-
-#ifdef NET_21
-# define DEV_QUEUE_XMIT(skb, device, pri) {\
-	skb->dev = device; \
-	neigh_compat_output(skb); \
-	/* skb->dst->output(skb); */ \
- }
-# define ICMP_SEND(skb_in, type, code, info, dev) \
-	icmp_send(skb_in, type, code, htonl(info))
-# define IP_SEND(skb, dev) \
-	ip_send(skb);
-#else /* NET_21 */
-# define DEV_QUEUE_XMIT(skb, device, pri) {\
-	dev_queue_xmit(skb, device, pri); \
- }
-# define ICMP_SEND(skb_in, type, code, info, dev) \
-	icmp_send(skb_in, type, code, info, dev)
-# define IP_SEND(skb, dev) \
-	if(ntohs(iph->tot_len) > physmtu) { \
-		ip_fragment(NULL, skb, dev, 0); \
-		ipsec_kfree_skb(skb); \
-	} else { \
-		dev_queue_xmit(skb, dev, SOPRI_NORMAL); \
-	}
-#endif /* NET_21 */
-
-
-/*
- * Heavily based on drivers/net/new_tunnel.c.  Lots
- * of ideas also taken from the 2.1.x version of drivers/net/shaper.c
- */
-
-struct ipsectunnelconf
-{
-	__u32	cf_cmd;
-	union
-	{
-		char 	cfu_name[12];
-	} cf_u;
-#define cf_name cf_u.cfu_name
-};
-
-#define IPSEC_SET_DEV	(SIOCDEVPRIVATE)
-#define IPSEC_DEL_DEV	(SIOCDEVPRIVATE + 1)
-#define IPSEC_CLR_DEV	(SIOCDEVPRIVATE + 2)
-
-#ifdef __KERNEL__
-#include <linux/version.h>
-#ifndef KERNEL_VERSION
-#  define KERNEL_VERSION(x,y,z) (((x)<<16)+((y)<<8)+(z))
-#endif
-struct ipsecpriv
-{
-	struct sk_buff_head sendq;
-	struct device *dev;
-	struct wait_queue *wait_queue;
-	char locked;
-	int  (*hard_start_xmit) (struct sk_buff *skb,
-		struct device *dev);
-	int  (*hard_header) (struct sk_buff *skb,
-		struct device *dev,
-		unsigned short type,
-		void *daddr,
-		void *saddr,
-		unsigned len);
-#ifdef NET_21
-	int  (*rebuild_header)(struct sk_buff *skb);
-#else /* NET_21 */
-	int  (*rebuild_header)(void *buff, struct device *dev,
-			unsigned long raddr, struct sk_buff *skb);
-#endif /* NET_21 */
-	int  (*set_mac_address)(struct device *dev, void *addr);
-#ifndef NET_21
-	void (*header_cache_bind)(struct hh_cache **hhp, struct device *dev,
-				 unsigned short htype, __u32 daddr);
-#endif /* !NET_21 */
-	void (*header_cache_update)(struct hh_cache *hh, struct device *dev, unsigned char *  haddr);
-	struct net_device_stats *(*get_stats)(struct device *dev);
-	struct net_device_stats mystats;
-	int mtu;	/* What is the desired MTU? */
-};
-
-extern char ipsec_tunnel_c_version[];
-
-extern struct device *ipsecdevices[IPSEC_NUM_IF];
-
-int ipsec_tunnel_init_devices(void);
-
-/* void */ int ipsec_tunnel_cleanup_devices(void);
-
-extern /* void */ int ipsec_init(void);
-
-extern int ipsec_tunnel_start_xmit(struct sk_buff *skb, struct device *dev);
-
-#ifdef CONFIG_IPSEC_DEBUG
-extern int debug_tunnel;
-extern int sysctl_ipsec_debug_verbose;
-#endif /* CONFIG_IPSEC_DEBUG */
-#endif /* __KERNEL__ */
-
-#ifdef CONFIG_IPSEC_DEBUG
-#define DB_TN_INIT	0x0001
-#define DB_TN_PROCFS	0x0002
-#define DB_TN_XMIT	0x0010
-#define DB_TN_OHDR	0x0020
-#define DB_TN_CROUT	0x0040
-#define DB_TN_OXFS	0x0080
-#define DB_TN_REVEC	0x0100
-#endif /* CONFIG_IPSEC_DEBUG */
diff --git a/src/libfreeswan/ipsec_xform.h b/src/libfreeswan/ipsec_xform.h
deleted file mode 100644
index 642a39bd5..000000000
--- a/src/libfreeswan/ipsec_xform.h
+++ /dev/null
@@ -1,84 +0,0 @@
-/*
- * Definitions relevant to IPSEC transformations
- * Copyright (C) 1996, 1997  John Ioannidis.
- * Copyright (C) 1998, 1999, 2000, 2001  Richard Guy Briggs.
- * 
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- * 
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- *
- * RCSID $Id: ipsec_xform.h 3265 2007-10-08 19:52:55Z andreas $
- */
-
-#ifndef _IPSEC_XFORM_H_
-
-#include <freeswan.h>
-#include "ipsec_policy.h"
-
-#define XF_NONE			0	/* No transform set */
-#define XF_IP4			1	/* IPv4 inside IPv4 */
-#define XF_AHMD5		2	/* AH MD5 */
-#define XF_AHSHA		3	/* AH SHA */
-#define XF_ESP3DES		5	/* ESP DES3-CBC */
-#define XF_AHHMACMD5		6	/* AH-HMAC-MD5 with opt replay prot */
-#define XF_AHHMACSHA1		7	/* AH-HMAC-SHA1 with opt replay prot */
-#define XF_ESP3DESMD5		9	/* triple DES, HMAC-MD-5, 128-bits of authentication */
-#define	XF_ESP3DESMD596		10	/* triple DES, HMAC-MD-5, 96-bits of authentication */
-#define	XF_ESPNULLMD596		12	/* NULL, HMAC-MD-5 with 96-bits of authentication */
-#define	XF_ESPNULLSHA196	13	/* NULL, HMAC-SHA-1 with 96-bits of authentication */
-#define	XF_ESP3DESSHA196	14	/* triple DES, HMAC-SHA-1, 96-bits of authentication */
-#define XF_IP6			15	/* IPv6 inside IPv6 */
-#define XF_COMPDEFLATE		16	/* IPCOMP deflate */
-
-#define XF_CLR			126	/* Clear SA table */
-#define XF_DEL			127	/* Delete SA */
-
-#define XFT_AUTH		0x0001
-#define XFT_CONF		0x0100
-
-/* available if CONFIG_IPSEC_DEBUG is defined */
-#define DB_XF_INIT		0x0001
-
-#define PROTO2TXT(x) \
-	(x) == IPPROTO_AH ? "AH" : \
-	(x) == IPPROTO_ESP ? "ESP" : \
-	(x) == IPPROTO_IPIP ? "IPIP" : \
-	(x) == IPPROTO_COMP ? "COMP" : \
-	"UNKNOWN_proto"
-static inline const char *enc_name_id (unsigned id) {
-	static char buf[16];
-	snprintf(buf, sizeof(buf), "_ID%d", id);
-	return buf;
-}
-static inline const char *auth_name_id (unsigned id) {
-	static char buf[16];
-	snprintf(buf, sizeof(buf), "_ID%d", id);
-	return buf;
-}
-#define IPS_XFORM_NAME(x) \
-	PROTO2TXT((x)->ips_said.proto), \
-	(x)->ips_said.proto == IPPROTO_COMP ? \
-		((x)->ips_encalg == SADB_X_CALG_DEFLATE ? \
-		 "_DEFLATE" : "_UNKNOWN_comp") : \
-	(x)->ips_encalg == ESP_NONE ? "" : \
-	(x)->ips_encalg == ESP_3DES ? "_3DES" : \
-	(x)->ips_encalg == ESP_AES ? "_AES" : \
-	(x)->ips_encalg == ESP_SERPENT ? "_SERPENT" : \
-	(x)->ips_encalg == ESP_TWOFISH ? "_TWOFISH" : \
-	enc_name_id(x->ips_encalg)/* "_UNKNOWN_encr" */, \
-	(x)->ips_authalg == AH_NONE ? "" : \
-	(x)->ips_authalg == AH_MD5 ? "_HMAC_MD5" : \
-	(x)->ips_authalg == AH_SHA ? "_HMAC_SHA1" : \
-	(x)->ips_authalg == AH_SHA2_256 ? "_HMAC_SHA2_256" : \
-	(x)->ips_authalg == AH_SHA2_384 ? "_HMAC_SHA2_384" : \
-	(x)->ips_authalg == AH_SHA2_512 ? "_HMAC_SHA2_512" : \
-	auth_name_id(x->ips_authalg) /* "_UNKNOWN_auth" */ \
-
-#define _IPSEC_XFORM_H_
-#endif /* _IPSEC_XFORM_H_ */
diff --git a/src/libfreeswan/ipsec_xmit.h b/src/libfreeswan/ipsec_xmit.h
deleted file mode 100644
index 07ed7da43..000000000
--- a/src/libfreeswan/ipsec_xmit.h
+++ /dev/null
@@ -1,140 +0,0 @@
-/*
- * IPSEC tunneling code
- * Copyright (C) 1996, 1997  John Ioannidis.
- * Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003  Richard Guy Briggs.
- * 
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- * 
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- *
- * RCSID $Id: ipsec_xmit.h 3265 2007-10-08 19:52:55Z andreas $
- */
-
-#include "freeswan/ipsec_sa.h"
-
-enum ipsec_xmit_value
-{
-	IPSEC_XMIT_STOLEN=2,
-	IPSEC_XMIT_PASS=1,
-	IPSEC_XMIT_OK=0,
-	IPSEC_XMIT_ERRMEMALLOC=-1,
-	IPSEC_XMIT_ESP_BADALG=-2,
-	IPSEC_XMIT_BADPROTO=-3,
-	IPSEC_XMIT_ESP_PUSHPULLERR=-4,
-	IPSEC_XMIT_BADLEN=-5,
-	IPSEC_XMIT_AH_BADALG=-6,
-	IPSEC_XMIT_SAIDNOTFOUND=-7,
-	IPSEC_XMIT_SAIDNOTLIVE=-8,
-	IPSEC_XMIT_REPLAYROLLED=-9,
-	IPSEC_XMIT_LIFETIMEFAILED=-10,
-	IPSEC_XMIT_CANNOTFRAG=-11,
-	IPSEC_XMIT_MSSERR=-12,
-	IPSEC_XMIT_ERRSKBALLOC=-13,
-	IPSEC_XMIT_ENCAPFAIL=-14,
-	IPSEC_XMIT_NODEV=-15,
-	IPSEC_XMIT_NOPRIVDEV=-16,
-	IPSEC_XMIT_NOPHYSDEV=-17,
-	IPSEC_XMIT_NOSKB=-18,
-	IPSEC_XMIT_NOIPV6=-19,
-	IPSEC_XMIT_NOIPOPTIONS=-20,
-	IPSEC_XMIT_TTLEXPIRED=-21,
-	IPSEC_XMIT_BADHHLEN=-22,
-	IPSEC_XMIT_PUSHPULLERR=-23,
-	IPSEC_XMIT_ROUTEERR=-24,
-	IPSEC_XMIT_RECURSDETECT=-25,
-	IPSEC_XMIT_IPSENDFAILURE=-26,
-#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
-	IPSEC_XMIT_ESPUDP=-27,
-#endif	
-};
-
-struct ipsec_xmit_state
-{
-	struct sk_buff *skb;		/* working skb pointer */
-	struct device *dev;		/* working dev pointer */
-	struct ipsecpriv *prv;		/* Our device' private space */
-	struct sk_buff *oskb;		/* Original skb pointer */
-	struct net_device_stats *stats;	/* This device's statistics */
-	struct iphdr  *iph;		/* Our new IP header */
-	__u32   newdst;			/* The other SG's IP address */
-	__u32	orgdst;			/* Original IP destination address */
-	__u32	orgedst;		/* 1st SG's IP address */
-	__u32   newsrc;			/* The new source SG's IP address */
-	__u32	orgsrc;			/* Original IP source address */
-	__u32	innersrc;		/* Innermost IP source address */
-	int	iphlen;			/* IP header length */
-	int	pyldsz;			/* upper protocol payload size */
-	int	headroom;
-	int	tailroom;
-	int     max_headroom;		/* The extra header space needed */
-	int	max_tailroom;		/* The extra stuffing needed */
-	int     ll_headroom;		/* The extra link layer hard_header space needed */
-	int     tot_headroom;		/* The total header space needed */
-	int	tot_tailroom;		/* The totalstuffing needed */
-	__u8	*saved_header;		/* saved copy of the hard header */
-	unsigned short   sport, dport;
-
-	struct sockaddr_encap matcher;	/* eroute search key */
-	struct eroute *eroute;
-	struct ipsec_sa *ipsp, *ipsq;	/* ipsec_sa pointers */
-	char sa_txt[SATOA_BUF];
-	size_t sa_len;
-	int hard_header_stripped;	/* has the hard header been removed yet? */
-	int hard_header_len;
-	struct device *physdev;
-/*	struct device *virtdev; */
-	short physmtu;
-	short mtudiff;
-#ifdef NET_21
-	struct rtable *route;
-#endif /* NET_21 */
-	struct sa_id outgoing_said;
-#ifdef NET_21
-	int pass;
-#endif /* NET_21 */
-	int error;
-	uint32_t eroute_pid;
-	struct ipsec_sa ips;
-#ifdef CONFIG_IPSEC_NAT_TRAVERSAL	
-	uint8_t natt_type;
-	uint8_t natt_head;
-	uint16_t natt_sport;
-	uint16_t natt_dport;
-#endif		
-};
-
-#if 0 /* save for alg refactorisation */
-struct xform_functions
-{
-	enum ipsec_xmit_value (*checks)(struct ipsec_xmit_state *ixs,
-				       struct sk_buff *skb);
-        enum ipsec_xmit_value (*encrypt)(struct ipsec_xmit_state *ixs);
-
-	enum ipsec_xmit_value (*setup_auth)(struct ipsec_xmit_state *ixs,
-					   struct sk_buff *skb,
-					   __u32          *replay,
-					   unsigned char **authenticator);
-	enum ipsec_xmit_value (*calc_auth)(struct ipsec_xmit_state *ixs,
-					struct sk_buff *skb);
-};
-#endif
-
-enum ipsec_xmit_value
-ipsec_xmit_sanity_check_dev(struct ipsec_xmit_state *ixs);
-
-enum ipsec_xmit_value
-ipsec_xmit_sanity_check_skb(struct ipsec_xmit_state *ixs);
-
-enum ipsec_xmit_value
-ipsec_xmit_encap_bundle(struct ipsec_xmit_state *ixs);
-
-extern int ipsec_xmit_trap_count;
-extern int ipsec_xmit_trap_sendcount;
-
-extern void ipsec_extract_ports(struct iphdr * iph, struct sockaddr_encap * er);
diff --git a/src/libfreeswan/keyblobtoid.3 b/src/libfreeswan/keyblobtoid.3
index e33603bb0..8b5bfb0a2 100644
--- a/src/libfreeswan/keyblobtoid.3
+++ b/src/libfreeswan/keyblobtoid.3
@@ -1,5 +1,4 @@
 .TH IPSEC_KEYBLOBTOID 3 "25 March 2002"
-.\" RCSID $Id: keyblobtoid.3 3265 2007-10-08 19:52:55Z andreas $
 .SH NAME
 ipsec keyblobtoid, splitkeytoid \- generate key IDs from RSA keys
 .SH SYNOPSIS
diff --git a/src/libfreeswan/keyblobtoid.c b/src/libfreeswan/keyblobtoid.c
index f8c47a55c..118e61391 100644
--- a/src/libfreeswan/keyblobtoid.c
+++ b/src/libfreeswan/keyblobtoid.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
  * License for more details.
- *
- * RCSID $Id: keyblobtoid.c 3265 2007-10-08 19:52:55Z andreas $
  */
 #include "internal.h"
 #include "freeswan.h"
diff --git a/src/libfreeswan/optionsfrom.3 b/src/libfreeswan/optionsfrom.3
deleted file mode 100644
index 717d280f0..000000000
--- a/src/libfreeswan/optionsfrom.3
+++ /dev/null
@@ -1,182 +0,0 @@
-.TH IPSEC_OPTIONSFROM 3 "16 Oct 1998"
-.\" RCSID $Id: optionsfrom.3 3265 2007-10-08 19:52:55Z andreas $
-.SH NAME
-ipsec optionsfrom \- read additional ``command-line'' options from file
-.SH SYNOPSIS
-.B "#include <freeswan.h>
-.sp
-.B "const char *optionsfrom(char *filename, int *argcp,"
-.ti +1c
-.B "char ***argvp, int optind, FILE *errsto);"
-.SH DESCRIPTION
-.I Optionsfrom
-is called from within a
-.IR getopt_long (3)
-scan,
-as the result of the appearance of an option (preferably
-.BR \-\-optionsfrom )
-to insert additional ``command-line'' arguments
-into the scan immediately after
-the option.
-Typically this would be done to pick up options which are
-security-sensitive and should not be visible to
-.IR ps (1)
-and similar commands,
-and hence cannot be supplied as part
-of the actual command line or the environment.
-.PP
-.I Optionsfrom
-reads the additional arguments from the specified
-.IR filename ,
-allocates a new argument vector to hold pointers to the existing
-arguments plus the new ones,
-and amends
-.I argc
-and
-.I argv
-(via the pointers
-.I argcp
-and
-.IR argvp ,
-which must point to the
-.I argc
-and
-.I argv
-being supplied to
-.IR getopt_long (3))
-accordingly.
-.I Optind
-must be the index, in the original argument vector,
-of the next argument.
-.PP
-If
-.I errsto
-is NULL,
-.I optionsfrom
-returns NULL for success and
-a pointer to a string-literal error message for failure;
-see DIAGNOSTICS.
-If
-.I errsto
-is non-NULL and an error occurs,
-.I optionsfrom
-prints a suitable complaint onto the
-.I errsto
-descriptor and invokes
-.I exit
-with an exit status of 2;
-this is a convenience for cases where more sophisticated
-responses are not required.
-.PP
-The text of existing arguments is not disturbed by
-.IR optionsfrom ,
-so pointers to them and into them remain valid.
-.PP
-The file of additional arguments is an ASCII text file.
-Lines consisting solely of white space,
-and lines beginning with
-.BR # ,
-are comments and are ignored.
-Otherwise, a line which does not begin with
-.BR \-
-is taken to be a single argument;
-if it both begins and ends with double-quote ("),
-those quotes are stripped off (note, no other processing is done within
-the line!).
-A line beginning with
-.B \-
-is considered to contain multiple arguments separated by white space.
-.PP
-Because
-.I optionsfrom
-reads its entire file before the
-.IR getopt_long (3)
-scan is resumed, an
-.I optionsfrom
-file can contain another
-.B \-\-optionsfrom
-option.
-Obviously, infinite loops are possible here.
-If
-.I errsto
-is non-NULL,
-.I optionsfrom
-considers it an error to be called more than 100 times.
-If
-.I errsto
-is NULL,
-loop detection is up to the caller
-(and the internal loop counter is zeroed out).
-.SH EXAMPLE
-A reasonable way to invoke
-.I optionsfrom
-would be like so:
-.PP
-.nf
-.ft B
-#include <getopt.h>
-
-struct option opts[] = {
-	/* ... */
-	"optionsfrom",	1,	NULL,	'+',
-	/* ... */
-};
-
-int
-main(argc, argv)
-int argc;
-char *argv[];
-{
-	int opt;
-	extern char *optarg;
-	extern int optind;
-
-	while ((opt = getopt_long(argc, argv, "", opts, NULL)) != EOF)
-		switch (opt) {
-		/* ... */
-		case '+':	/* optionsfrom */
-			optionsfrom(optarg, &argc, &argv, optind, stderr);
-			/* does not return on error */
-			break;
-		/* ... */
-		}
-	/* ... */
-.ft
-.fi
-.SH SEE ALSO
-getopt_long(3)
-.SH DIAGNOSTICS
-Errors in
-.I optionsfrom
-are:
-unable to open file;
-attempt to allocate temporary storage for argument or
-argument vector failed;
-read error in file;
-line too long.
-.SH HISTORY
-Written for the FreeS/WAN project by Henry Spencer.
-.SH BUGS
-The double-quote convention is rather simplistic.
-.PP
-Line length is currently limited to 1023 bytes,
-and there is no continuation convention.
-.PP
-The restriction of error reports to literal strings
-(so that callers don't need to worry about freeing them or copying them)
-does limit the precision of error reporting.
-.PP
-The error-reporting convention lends itself
-to slightly obscure code,
-because many readers will not think of NULL as signifying success.
-.PP
-There is a certain element of unwarranted chumminess with
-the insides of
-.IR getopt_long (3)
-here.
-No non-public interfaces are actually used, but
-.IR optionsfrom
-does rely on
-.IR getopt_long (3)
-being well-behaved in certain ways that are not actually
-promised by the specs.
diff --git a/src/libfreeswan/optionsfrom.c b/src/libfreeswan/optionsfrom.c
deleted file mode 100644
index f4878f386..000000000
--- a/src/libfreeswan/optionsfrom.c
+++ /dev/null
@@ -1,301 +0,0 @@
-/*
- * pick up more options from a file, in the middle of an option scan
- * Copyright (C) 1998, 1999  Henry Spencer.
- * 
- * This library is free software; you can redistribute it and/or modify it
- * under the terms of the GNU Library General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- * 
- * This library is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
- * License for more details.
- *
- * RCSID $Id: optionsfrom.c 3265 2007-10-08 19:52:55Z andreas $
- */
-#include "internal.h"
-#include "freeswan.h"
-
-#include <stdio.h>
-
-#define	MAX	100		/* loop-detection limit */
-
-/* internal work area */
-struct work {
-#	define	LOTS	1024
-	char buf[LOTS];
-	char *line;
-	char *pending;
-};
-
-static const char *dowork(const char *, int *, char ***, int);
-static const char *getanarg(FILE *, struct work *, char **);
-static char *getline(FILE *, char *, size_t);
-
-/*
- - optionsfrom - add some options, taken from a file, to argc/argv
- * If errsto is non-NULL, does not return in event of error.
- */
-const char *			/* NULL for success, else string literal */
-optionsfrom(filename, argcp, argvp, optind, errsto)
-const char *filename;
-int *argcp;			/* pointer to argc */
-char ***argvp;			/* pointer to argv */
-int optind;			/* current optind, number of next argument */
-FILE *errsto;			/* where to report errors (NULL means return) */
-{
-	const char *e;
-	static int nuses = 0;
-
-	if (errsto != NULL) {
-		nuses++;
-		if (nuses >= MAX) {
-			fprintf(errsto,
-				"%s: optionsfrom called %d times, looping?\n",
-				(*argvp)[0], nuses);
-			exit(2);
-		}
-	} else
-		nuses = 0;
-
-	e = dowork(filename, argcp, argvp, optind);
-	if (e != NULL && errsto != NULL) {
-		fprintf(errsto, "%s: optionsfrom failed: %s\n", (*argvp)[0], e);
-		exit(2);
-	}
-	return e;
-}
-
-/*
- - dowork - do all the real work of optionsfrom
- * Does not alter the existing arguments, but does relocate and alter
- * the argv pointer vector.
- */
-static const char *		/* NULL for success, else string literal */
-dowork(filename, argcp, argvp, optind)
-const char *filename;
-int *argcp;			/* pointer to argc */
-char ***argvp;			/* pointer to argv */
-int optind;			/* current optind, number of next argument */
-{
-	char **newargv;
-	char **tmp;
-	int newargc;
-	int next;		/* place for next argument */
-	int room;		/* how many more new arguments we can hold */
-#	define	SOME	10	/* first guess at how many we'll need */
-	FILE *f;
-	int i;
-	const char *p;
-	struct work wa;		/* for getanarg() */
-
-	f = fopen(filename, "r");
-	if (f == NULL)
-		return "unable to open file";
-
-	newargc = *argcp + SOME;
-	newargv = malloc((newargc+1) * sizeof(char *));
-	if (newargv == NULL)
-		return "unable to allocate memory";
-	memcpy(newargv, *argvp, optind * sizeof(char *));
-	room = SOME;
-	next = optind;
-
-	newargv[next] = NULL;
-	wa.pending = NULL;
-	while ((p = getanarg(f, &wa, &newargv[next])) == NULL) {
-		if (room == 0) {
-			newargc += SOME;
-			tmp = realloc(newargv, (newargc+1) * sizeof(char *));
-			if (tmp == NULL) {
-				p = "out of space for new argv";
-				break;		/* NOTE BREAK OUT */
-			}
-			newargv = tmp;
-			room += SOME;
-		}
-		next++;
-		room--;
-	}
-	if (p != NULL && !feof(f)) {	/* error of some kind */
-		for (i = optind+1; i <= next; i++)
-			if (newargv[i] != NULL)
-				free(newargv[i]);
-		free(newargv);
-		fclose(f);
-		return p;
-	}
-
-	fclose(f);
-	memcpy(newargv + next, *argvp + optind,
-					(*argcp+1-optind) * sizeof(char *));
-	*argcp += next - optind;
-	*argvp = newargv;
-	return NULL;
-}
-
-/*
- - getanarg - get a malloced argument from the file
- */
-static const char *		/* NULL for success, else string literal */
-getanarg(f, w, linep)
-FILE *f;
-struct work *w;
-char **linep;			/* where to store pointer if successful */
-{
-	size_t len;
-	char *p;
-	char *endp;
-
-	while (w->pending == NULL) {	/* no pending line */
-		if ((w->line = getline(f, w->buf, sizeof(w->buf))) == NULL)
-			return "error in line read";	/* caller checks EOF */
-		if (w->line[0] != '#' &&
-				*(w->line + strspn(w->line, " \t")) != '\0')
-			w->pending = w->line;
-	}
-
-	if (w->pending == w->line && w->line[0] != '-') {
-		/* fresh plain line */
-		w->pending = NULL;
-		p = w->line;
-		endp = p + strlen(p);
-		if (*p == '"' && endp > p+1 && *(endp-1) == '"') {
-			p++;
-			endp--;
-			*endp = '\0';
-		}
-		if (w->line == w->buf) {
-			*linep = malloc(endp - p + 1);
-			if (*linep == NULL)
-				return "out of memory for new line";
-			strcpy(*linep, p);
-		} else			/* getline already malloced it */
-			*linep = p;
-		return NULL;
-	}
-
-	/* chip off a piece of a pending line */
-	p = w->pending;
-	p += strspn(p, " \t");
-	endp = p + strcspn(p, " \t");
-	len = endp - p;
-	if (*endp != '\0') {
-		*endp++ = '\0';
-		endp += strspn(endp, " \t");
-	}
-	/* endp now points to next real character, or to line-end NUL */
-	*linep = malloc(len + 1);
-	if (*linep == NULL) {
-		if (w->line != w->buf)
-			free(w->line);
-		return "out of memory for new argument";
-	}
-	strcpy(*linep, p);
-	if (*endp == '\0') {
-		w->pending = NULL;
-		if (w->line != w->buf)
-			free(w->line);
-	} else
-		w->pending = endp;
-	return NULL;
-}
-
-/*
- - getline - read a line from the file, trim newline off
- */
-static char *			/* pointer to line, NULL for eof/error */
-getline(f, buf, bufsize)
-FILE *f;
-char *buf;			/* buffer to use, if convenient */
-size_t bufsize;			/* size of buf */
-{
-	size_t len;
-
-	if (fgets(buf, bufsize, f) == NULL)
-		return NULL;
-	len = strlen(buf);
-
-	if (len < bufsize-1 || buf[bufsize-1] == '\n') {
-		/* it fit */
-		buf[len-1] = '\0';
-		return buf;
-	}
-
-	/* oh crud, buffer overflow */
-	/* for now, to hell with it */
-	return NULL;
-}
-
-
-
-#ifdef TEST
-
-#include <getopt.h>
-
-char usage[] = "Usage: tester [--foo] [--bar] [--optionsfrom file] arg ...";
-struct option opts[] = {
-	"foo",		0,	NULL,	'f',
-	"bar",		0,	NULL,	'b',
-	"builtin",	0,	NULL,	'B',
-	"optionsfrom",	1,	NULL,	'+',
-	"help",		0,	NULL,	'h',
-	"version",	0,	NULL,	'v',
-	0,		0,	NULL,	0,
-};
-
-int
-main(argc, argv)
-int argc;
-char *argv[];
-{
-	int opt;
-	extern char *optarg;
-	extern int optind;
-	int errflg = 0;
-	const char *p;
-	int i;
-	FILE *errs = NULL;
-
-	while ((opt = getopt_long(argc, argv, "", opts, NULL)) != EOF)
-		switch (opt) {
-		case 'f':
-		case 'b':
-			break;
-		case 'B':
-			errs = stderr;
-			break;
-		case '+':	/* optionsfrom */
-			p = optionsfrom(optarg, &argc, &argv, optind, errs);
-			if (p != NULL) {
-				fprintf(stderr, "%s: optionsfrom error: %s\n",
-								argv[0], p);
-				exit(1);
-			}
-			break;
-		case 'h':	/* help */
-			printf("%s\n", usage);
-			exit(0);
-			break;
-		case 'v':	/* version */
-			printf("1\n");
-			exit(0);
-			break;
-		case '?':
-		default:
-			errflg = 1;
-			break;
-		}
-	if (errflg) {
-		fprintf(stderr, "%s\n", usage);
-		exit(2);
-	}
-
-	for (i = 1; i < argc; i++)
-		printf("%d: `%s'\n", i, argv[i]);
-	exit(0);
-}
-
-
-#endif /* TEST */
diff --git a/src/libfreeswan/pfkey.h b/src/libfreeswan/pfkey.h
index 8c657ff51..ba0010bc7 100644
--- a/src/libfreeswan/pfkey.h
+++ b/src/libfreeswan/pfkey.h
@@ -11,128 +11,13 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: pfkey.h 3265 2007-10-08 19:52:55Z andreas $
  */
 
 #ifndef __NET_IPSEC_PF_KEY_H
 #define __NET_IPSEC_PF_KEY_H
-#ifdef __KERNEL__
-extern struct proto_ops pfkey_proto_ops;
-typedef struct sock pfkey_sock;
-extern int debug_pfkey;
-
-extern /* void */ int pfkey_init(void);
-extern /* void */ int pfkey_cleanup(void);
-
-extern struct sock *pfkey_sock_list;
-struct socket_list
-{
-	struct socket *socketp;
-	struct socket_list *next;
-};
-extern int pfkey_list_insert_socket(struct socket*, struct socket_list**);
-extern int pfkey_list_remove_socket(struct socket*, struct socket_list**);
-extern struct socket_list *pfkey_open_sockets;
-extern struct socket_list *pfkey_registered_sockets[SADB_SATYPE_MAX+1];
-
-/* 
- *	There is a field-by-field copy in klips/net/ipsec/ipsec_alg.h
- *	please keep in sync until we migrate all support stuff
- *	to ipsec_alg objects
- */
-struct supported
-{
-	uint16_t supported_alg_exttype;
-	uint8_t supported_alg_id;
-	uint8_t supported_alg_ivlen;
-	uint16_t supported_alg_minbits;
-	uint16_t supported_alg_maxbits;
-};
-extern struct supported_list *pfkey_supported_list[SADB_SATYPE_MAX+1];
-struct supported_list
-{
-	struct supported *supportedp;
-	struct supported_list *next;
-};
-extern int pfkey_list_insert_supported(struct supported*, struct supported_list**);
-extern int pfkey_list_remove_supported(struct supported*, struct supported_list**);
-
-struct sockaddr_key
-{
-	uint16_t	key_family;	/* PF_KEY */
-	uint16_t	key_pad;	/* not used */
-	uint32_t	key_pid;	/* process ID */
-};
-
-struct pfkey_extracted_data
-{
-	struct ipsec_sa* ips;
-	struct ipsec_sa* ips2;
-	struct eroute *eroute;
-};
-
-extern int
-pfkey_alloc_eroute(struct eroute** eroute);
-
-extern int
-pfkey_sa_process(struct sadb_ext *pfkey_ext,
-		 struct pfkey_extracted_data* extr);
-
-extern int
-pfkey_lifetime_process(struct sadb_ext *pfkey_ext,
-		       struct pfkey_extracted_data* extr);
-
-extern int
-pfkey_address_process(struct sadb_ext *pfkey_ext,
-		      struct pfkey_extracted_data* extr);
-
-extern int
-pfkey_key_process(struct sadb_ext *pfkey_ext,
-		  struct pfkey_extracted_data* extr);
-
-extern int
-pfkey_ident_process(struct sadb_ext *pfkey_ext,
-		    struct pfkey_extracted_data* extr);
-
-extern int
-pfkey_sens_process(struct sadb_ext *pfkey_ext,
-		   struct pfkey_extracted_data* extr);
-
-extern int
-pfkey_prop_process(struct sadb_ext *pfkey_ext,
-		   struct pfkey_extracted_data* extr);
-
-extern int
-pfkey_supported_process(struct sadb_ext *pfkey_ext,
-			struct pfkey_extracted_data* extr);
-
-extern int
-pfkey_spirange_process(struct sadb_ext *pfkey_ext,
-		       struct pfkey_extracted_data* extr);
-
-extern int
-pfkey_x_kmprivate_process(struct sadb_ext *pfkey_ext,
-			  struct pfkey_extracted_data* extr);
-
-extern int
-pfkey_x_satype_process(struct sadb_ext *pfkey_ext,
-		       struct pfkey_extracted_data* extr);
-
-extern int
-pfkey_x_debug_process(struct sadb_ext *pfkey_ext,
-		      struct pfkey_extracted_data* extr);
-
-extern int pfkey_register_reply(int satype, struct sadb_msg *);
-extern int pfkey_upmsg(struct socket *, struct sadb_msg *);
-extern int pfkey_expire(struct ipsec_sa *, int);
-extern int pfkey_acquire(struct ipsec_sa *);
-#else /* ! __KERNEL__ */
 
 extern void (*pfkey_debug_func)(const char *message, ...);
 
-#endif /* __KERNEL__ */
-
 extern uint8_t satype2proto(uint8_t satype);
 extern uint8_t proto2satype(uint8_t proto);
 extern char* satype2name(uint8_t satype);
@@ -242,12 +127,6 @@ pfkey_ident_build(struct sadb_ext**	pfkey_ext,
 		  uint8_t               ident_len,
 		  char*			ident_string);
 
-#ifdef __KERNEL__
-extern int pfkey_nat_t_new_mapping(struct ipsec_sa *, struct sockaddr *, __u16);
-extern int pfkey_x_nat_t_type_process(struct sadb_ext *pfkey_ext, struct pfkey_extracted_data* extr);
-extern int pfkey_x_nat_t_port_process(struct sadb_ext *pfkey_ext, struct pfkey_extracted_data* extr);
-#endif /* __KERNEL__ */
-
 int
 pfkey_x_nat_t_type_build(struct sadb_ext**  pfkey_ext,
             uint8_t         type);
diff --git a/src/libfreeswan/pfkey_v2_build.c b/src/libfreeswan/pfkey_v2_build.c
index 45a8a8e71..ddc21040f 100644
--- a/src/libfreeswan/pfkey_v2_build.c
+++ b/src/libfreeswan/pfkey_v2_build.c
@@ -11,51 +11,18 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: pfkey_v2_build.c 3265 2007-10-08 19:52:55Z andreas $
  */
 
 /*
  *		Template from klips/net/ipsec/ipsec/ipsec_parser.c.
  */
 
-char pfkey_v2_build_c_version[] = "$Id: pfkey_v2_build.c 3265 2007-10-08 19:52:55Z andreas $";
-
-/*
- * Some ugly stuff to allow consistent debugging code for use in the
- * kernel and in user space
-*/
-
-#ifdef __KERNEL__
-
-# include <linux/kernel.h>  /* for printk */
-
-# include "freeswan/ipsec_kversion.h" /* for malloc switch */
-# ifdef MALLOC_SLAB
-#  include <linux/slab.h> /* kmalloc() */
-# else /* MALLOC_SLAB */
-#  include <linux/malloc.h> /* kmalloc() */
-# endif /* MALLOC_SLAB */
-# include <linux/errno.h>  /* error codes */
-# include <linux/types.h>  /* size_t */
-# include <linux/interrupt.h> /* mark_bh */
-
-# include <linux/netdevice.h>   /* struct device, and other headers */
-# include <linux/etherdevice.h> /* eth_type_trans */
-# include <linux/ip.h>          /* struct iphdr */ 
-# if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
-#  include <linux/ipv6.h>        /* struct ipv6hdr */
-# endif /* if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) */
-
-# define MALLOC(size) kmalloc(size, GFP_ATOMIC)
-# define FREE(obj) kfree(obj)
-# include <freeswan.h>
-#else /* __KERNEL__ */
+char pfkey_v2_build_c_version[] = "";
 
 # include <sys/types.h>
-# include <linux/types.h>
-# include <linux/errno.h>
-# include <malloc.h>
+# include <sys/socket.h>
+# include <stdlib.h>
+# include <errno.h>
 # include <string.h> /* memset */
 
 # include <freeswan.h>
@@ -63,8 +30,6 @@ unsigned int pfkey_lib_debug = 0;
 
 void (*pfkey_debug_func)(const char *message, ...) PRINTF_LIKE(1);
 
-/* #define PLUTO */
-
 #define DEBUGGING(args...)  if(pfkey_lib_debug) { \
                               if(pfkey_debug_func != NULL) { \
                                 (*pfkey_debug_func)("pfkey_lib_debug:" args); \
@@ -73,22 +38,10 @@ void (*pfkey_debug_func)(const char *message, ...) PRINTF_LIKE(1);
                               } }
 # define MALLOC(size) malloc(size)
 # define FREE(obj) free(obj)
-#endif /* __KERNEL__ */
 
 #include <pfkeyv2.h>
 #include <pfkey.h>
 
-#ifdef __KERNEL__
-
-#include "freeswan/radij.h"  /* rd_nodes */
-#include "freeswan/ipsec_encap.h"  /* sockaddr_encap */
-
-# define DEBUGGING(args...) \
-         KLIPS_PRINT(debug_pfkey, "klips_debug:" args)
-#endif /* __KERNEL__ */
-
-#include "ipsec_sa.h"  /* IPSEC_SAREF_NULL, IPSEC_SA_REF_TABLE_IDX_WIDTH */
-
 #define SENDERR(_x) do { error = -(_x); goto errlab; } while (0)
 
 void
@@ -483,14 +436,14 @@ pfkey_address_build(struct sadb_ext**	pfkey_ext,
 			"found address family AF_INET6.\n");
 		saddr_len = sizeof(struct sockaddr_in6);
 		sprintf(ipaddr_txt, "%x:%x:%x:%x:%x:%x:%x:%x-%x"
-			, ntohs(((struct sockaddr_in6*)address)->sin6_addr.s6_addr16[0])
-			, ntohs(((struct sockaddr_in6*)address)->sin6_addr.s6_addr16[1])
-			, ntohs(((struct sockaddr_in6*)address)->sin6_addr.s6_addr16[2])
-			, ntohs(((struct sockaddr_in6*)address)->sin6_addr.s6_addr16[3])
-			, ntohs(((struct sockaddr_in6*)address)->sin6_addr.s6_addr16[4])
-			, ntohs(((struct sockaddr_in6*)address)->sin6_addr.s6_addr16[5])
-			, ntohs(((struct sockaddr_in6*)address)->sin6_addr.s6_addr16[6])
-			, ntohs(((struct sockaddr_in6*)address)->sin6_addr.s6_addr16[7])
+			, ntohs(((struct sockaddr_in6*)address)->sin6_addr.s6_addr[0])
+			, ntohs(((struct sockaddr_in6*)address)->sin6_addr.s6_addr[1])
+			, ntohs(((struct sockaddr_in6*)address)->sin6_addr.s6_addr[2])
+			, ntohs(((struct sockaddr_in6*)address)->sin6_addr.s6_addr[3])
+			, ntohs(((struct sockaddr_in6*)address)->sin6_addr.s6_addr[4])
+			, ntohs(((struct sockaddr_in6*)address)->sin6_addr.s6_addr[5])
+			, ntohs(((struct sockaddr_in6*)address)->sin6_addr.s6_addr[6])
+			, ntohs(((struct sockaddr_in6*)address)->sin6_addr.s6_addr[7])
 			, ntohs(((struct sockaddr_in6*)address)->sin6_port));
 		break;
 	default:
diff --git a/src/libfreeswan/pfkey_v2_debug.c b/src/libfreeswan/pfkey_v2_debug.c
index 35e4f75f1..0256e2a03 100644
--- a/src/libfreeswan/pfkey_v2_debug.c
+++ b/src/libfreeswan/pfkey_v2_debug.c
@@ -13,36 +13,10 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: pfkey_v2_debug.c 3265 2007-10-08 19:52:55Z andreas $
- *
  */
 
-#ifdef __KERNEL__
-
-# include <linux/kernel.h>  /* for printk */
-
-# include "freeswan/ipsec_kversion.h" /* for malloc switch */
-# ifdef MALLOC_SLAB
-#  include <linux/slab.h> /* kmalloc() */
-# else /* MALLOC_SLAB */
-#  include <linux/malloc.h> /* kmalloc() */
-# endif /* MALLOC_SLAB */
-# include <linux/errno.h>  /* error codes */
-# include <linux/types.h>  /* size_t */
-# include <linux/interrupt.h> /* mark_bh */
-
-# include <linux/netdevice.h>   /* struct device, and other headers */
-# include <linux/etherdevice.h> /* eth_type_trans */
-extern int debug_pfkey;
-
-#else /* __KERNEL__ */
-
 # include <sys/types.h>
-# include <linux/types.h>
-# include <linux/errno.h>
-
-#endif /* __KERNEL__ */
+# include <errno.h>
 
 #include "freeswan.h"
 #include "pfkeyv2.h"
diff --git a/src/libfreeswan/pfkey_v2_ext_bits.c b/src/libfreeswan/pfkey_v2_ext_bits.c
index d6f31def4..b6ef4496d 100644
--- a/src/libfreeswan/pfkey_v2_ext_bits.c
+++ b/src/libfreeswan/pfkey_v2_ext_bits.c
@@ -11,48 +11,16 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: pfkey_v2_ext_bits.c 3265 2007-10-08 19:52:55Z andreas $
  */
 
 /*
  *		Template from klips/net/ipsec/ipsec/ipsec_parse.c.
  */
 
-char pfkey_v2_ext_bits_c_version[] = "$Id: pfkey_v2_ext_bits.c 3265 2007-10-08 19:52:55Z andreas $";
-
-/*
- * Some ugly stuff to allow consistent debugging code for use in the
- * kernel and in user space
-*/
-
-#ifdef __KERNEL__
-
-# include <linux/kernel.h>  /* for printk */
-
-# include "freeswan/ipsec_kversion.h" /* for malloc switch */
-# ifdef MALLOC_SLAB
-#  include <linux/slab.h> /* kmalloc() */
-# else /* MALLOC_SLAB */
-#  include <linux/malloc.h> /* kmalloc() */
-# endif /* MALLOC_SLAB */
-# include <linux/errno.h>  /* error codes */
-# include <linux/types.h>  /* size_t */
-# include <linux/interrupt.h> /* mark_bh */
-
-# include <linux/netdevice.h>   /* struct device, and other headers */
-# include <linux/etherdevice.h> /* eth_type_trans */
-# include <linux/ip.h>          /* struct iphdr */ 
-# if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
-#  include <linux/ipv6.h>
-# endif /* defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) */
-
-#else /* __KERNEL__ */
+char pfkey_v2_ext_bits_c_version[] = "";
 
 # include <sys/types.h>
-# include <linux/types.h>
-# include <linux/errno.h>
-#endif
+# include <errno.h>
 
 #include <freeswan.h>
 #include <pfkeyv2.h>
diff --git a/src/libfreeswan/pfkey_v2_parse.c b/src/libfreeswan/pfkey_v2_parse.c
index e365d10b6..7ee08978c 100644
--- a/src/libfreeswan/pfkey_v2_parse.c
+++ b/src/libfreeswan/pfkey_v2_parse.c
@@ -11,83 +11,32 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: pfkey_v2_parse.c 3265 2007-10-08 19:52:55Z andreas $
  */
 
 /*
  *		Template from klips/net/ipsec/ipsec/ipsec_parser.c.
  */
 
-char pfkey_v2_parse_c_version[] = "$Id: pfkey_v2_parse.c 3265 2007-10-08 19:52:55Z andreas $";
-
-/*
- * Some ugly stuff to allow consistent debugging code for use in the
- * kernel and in user space
-*/
-
-#ifdef __KERNEL__
-
-# include <linux/kernel.h>  /* for printk */
-
-#include "freeswan/ipsec_kversion.h" /* for malloc switch */
-
-# ifdef MALLOC_SLAB
-#  include <linux/slab.h> /* kmalloc() */
-# else /* MALLOC_SLAB */
-#  include <linux/malloc.h> /* kmalloc() */
-# endif /* MALLOC_SLAB */
-# include <linux/errno.h>  /* error codes */
-# include <linux/types.h>  /* size_t */
-# include <linux/interrupt.h> /* mark_bh */
-
-# include <linux/netdevice.h>   /* struct device, and other headers */
-# include <linux/etherdevice.h> /* eth_type_trans */
-# include <linux/ip.h>          /* struct iphdr */ 
-# if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
-#  include <linux/ipv6.h>        /* struct ipv6hdr */
-# endif /* if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) */
-extern int debug_pfkey;
-
-#include "freeswan.h"
-
-#include "ipsec_encap.h"
-
-#else /* __KERNEL__ */
+char pfkey_v2_parse_c_version[] = "";
 
 # include <sys/types.h>
-# include <linux/types.h>
-# include <linux/errno.h>
+# include <sys/socket.h>
+# include <errno.h>
 
 # include <freeswan.h>
 # include <constants.h>
 # include <defs.h>  /* for PRINTF_LIKE */
 # include <log.h>  /* for debugging and DBG_log */
 
-/* #define PLUTO */
-
 # ifdef PLUTO
 #  define DEBUGGING(level, args...)  { DBG_log("pfkey_lib_debug:" args);  }
 # else
 #  define DEBUGGING(level, args...)  if(pfkey_lib_debug & level) { printf("pfkey_lib_debug:" args); } else { ; }
 # endif
 
-#endif /* __KERNEL__ */
-
-
 #include <pfkeyv2.h>
 #include <pfkey.h>
 
-#ifdef __KERNEL__
-extern int sysctl_ipsec_debug_verbose;
-# define DEBUGGING(level, args...) \
-         KLIPS_PRINT( \
-		((debug_pfkey & level & (PF_KEY_DEBUG_PARSE_STRUCT | PF_KEY_DEBUG_PARSE_PROBLEM)) \
-		 || (sysctl_ipsec_debug_verbose && (debug_pfkey & level & PF_KEY_DEBUG_PARSE_FLOW))) \
- 		, "klips_debug:" args)
-#endif /* __KERNEL__ */
-#include "ipsec_sa.h"  /* IPSEC_SAREF_NULL, IPSEC_SA_REF_TABLE_IDX_WIDTH */
-
 
 #define SENDERR(_x) do { error = -(_x); goto errlab; } while (0)
 
@@ -96,21 +45,11 @@ struct satype_tbl {
 	uint8_t satype;
 	char* name;
 } static satype_tbl[] = {
-#ifdef __KERNEL__
-	{ IPPROTO_ESP,	SADB_SATYPE_ESP,	"ESP"  },
-	{ IPPROTO_AH,	SADB_SATYPE_AH,		"AH"   },
-	{ IPPROTO_IPIP,	SADB_X_SATYPE_IPIP,	"IPIP" },
-#ifdef CONFIG_IPSEC_IPCOMP
-	{ IPPROTO_COMP,	SADB_X_SATYPE_COMP,	"COMP" },
-#endif /* CONFIG_IPSEC_IPCOMP */
-	{ IPPROTO_INT,	SADB_X_SATYPE_INT,	"INT" },
-#else /* __KERNEL__ */
 	{ SA_ESP,	SADB_SATYPE_ESP,	"ESP"  },
 	{ SA_AH,	SADB_SATYPE_AH,		"AH"   },
 	{ SA_IPIP,	SADB_X_SATYPE_IPIP,	"IPIP" },
 	{ SA_COMP,	SADB_X_SATYPE_COMP,	"COMP" },
 	{ SA_INT,	SADB_X_SATYPE_INT,	"INT" },
-#endif /* __KERNEL__ */
 	{ 0,		0,			"UNKNOWN" }
 };
 
@@ -418,14 +357,14 @@ pfkey_address_parse(struct sadb_ext *pfkey_ext)
 	case AF_INET6:
 		saddr_len = sizeof(struct sockaddr_in6);
 		sprintf(ipaddr_txt, "%x:%x:%x:%x:%x:%x:%x:%x"
-			, ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr16[0])
-			, ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr16[1])
-			, ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr16[2])
-			, ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr16[3])
-			, ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr16[4])
-			, ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr16[5])
-			, ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr16[6])
-			, ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr16[7]));
+			, ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr[0])
+			, ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr[1])
+			, ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr[2])
+			, ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr[3])
+			, ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr[4])
+			, ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr[5])
+			, ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr[6])
+			, ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr[7]));
 		DEBUGGING(PF_KEY_DEBUG_PARSE_STRUCT,
 			  "pfkey_address_parse: "
 			  "found exttype=%u(%s) family=%d(AF_INET6) address=%s proto=%u port=%u.\n",
diff --git a/src/libfreeswan/pfkeyv2.h b/src/libfreeswan/pfkeyv2.h
index 1ea1265d3..5ef5e747c 100644
--- a/src/libfreeswan/pfkeyv2.h
+++ b/src/libfreeswan/pfkeyv2.h
@@ -1,7 +1,3 @@
-/*
- * RCSID $Id: pfkeyv2.h 3846 2008-04-18 17:01:45Z andreas $
- */
-
 /*
 RFC 2367               PF_KEY Key Management API               July 1998
 
diff --git a/src/libfreeswan/portof.3 b/src/libfreeswan/portof.3
index ffa2c0125..112def560 100644
--- a/src/libfreeswan/portof.3
+++ b/src/libfreeswan/portof.3
@@ -1,5 +1,4 @@
 .TH IPSEC_PORTOF 3 "8 Sept 2000"
-.\" RCSID $Id: portof.3 3265 2007-10-08 19:52:55Z andreas $
 .SH NAME
 ipsec portof \- get port field of an ip_address
 .br
diff --git a/src/libfreeswan/portof.c b/src/libfreeswan/portof.c
index 96d32acf2..6d06473ad 100644
--- a/src/libfreeswan/portof.c
+++ b/src/libfreeswan/portof.c
@@ -11,9 +11,9 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
  * License for more details.
- *
- * RCSID $Id: portof.c 3265 2007-10-08 19:52:55Z andreas $
  */
+#include <sys/socket.h>
+
 #include "internal.h"
 #include "freeswan.h"
 
diff --git a/src/libfreeswan/prng.3 b/src/libfreeswan/prng.3
index 9d0130c0f..48c6ceed0 100644
--- a/src/libfreeswan/prng.3
+++ b/src/libfreeswan/prng.3
@@ -1,5 +1,4 @@
 .TH IPSEC_PRNG 3 "1 April 2002"
-.\" RCSID $Id: prng.3 3265 2007-10-08 19:52:55Z andreas $
 .SH NAME
 ipsec prng_init \- initialize IPsec pseudorandom-number generator
 .br
diff --git a/src/libfreeswan/prng.c b/src/libfreeswan/prng.c
index cdf9eb0ed..6cb84e484 100644
--- a/src/libfreeswan/prng.c
+++ b/src/libfreeswan/prng.c
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
  * License for more details.
- *
- * RCSID $Id: prng.c 3265 2007-10-08 19:52:55Z andreas $
  */
 #include "internal.h"
 #include "freeswan.h"
diff --git a/src/libfreeswan/radij.h b/src/libfreeswan/radij.h
deleted file mode 100644
index 2396020f7..000000000
--- a/src/libfreeswan/radij.h
+++ /dev/null
@@ -1,201 +0,0 @@
-/*
- * RCSID $Id: radij.h 3265 2007-10-08 19:52:55Z andreas $
- */
-
-/*
- * This file is defived from ${SRC}/sys/net/radix.h of BSD 4.4lite
- *
- * Variable and procedure names have been modified so that they don't
- * conflict with the original BSD code, as a small number of modifications
- * have been introduced and we may want to reuse this code in BSD.
- * 
- * The `j' in `radij' is pronounced as a voiceless guttural (like a Greek
- * chi or a German ch sound (as `doch', not as in `milch'), or even a 
- * spanish j as in Juan.  It is not as far back in the throat like
- * the corresponding Hebrew sound, nor is it a soft breath like the English h.
- * It has nothing to do with the Dutch ij sound.
- * 
- * Here is the appropriate copyright notice:
- */
-
-/*
- * Copyright (c) 1988, 1989, 1993
- *	The Regents of the University of California.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *	This product includes software developed by the University of
- *	California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- *	@(#)radix.h	8.1 (Berkeley) 6/10/93
- */
-
-#ifndef _RADIJ_H_
-#define	_RADIJ_H_
-
-/* 
-#define RJ_DEBUG
-*/
-
-#ifdef __KERNEL__
-
-#ifndef __P
-#ifdef __STDC__
-#define __P(x)  x
-#else
-#define __P(x)  ()
-#endif
-#endif
-
-/*
- * Radix search tree node layout.
- */
-
-struct radij_node
-{
-	struct	radij_mask *rj_mklist;	/* list of masks contained in subtree */
-	struct	radij_node *rj_p;	/* parent */
-	short	rj_b;			/* bit offset; -1-index(netmask) */
-	char	rj_bmask;		/* node: mask for bit test*/
-	u_char	rj_flags;		/* enumerated next */
-#define RJF_NORMAL	1		/* leaf contains normal route */
-#define RJF_ROOT	2		/* leaf is root leaf for tree */
-#define RJF_ACTIVE	4		/* This node is alive (for rtfree) */
-	union {
-		struct {			/* leaf only data: */
-			caddr_t	rj_Key;	/* object of search */
-			caddr_t	rj_Mask;	/* netmask, if present */
-			struct	radij_node *rj_Dupedkey;
-		} rj_leaf;
-		struct {			/* node only data: */
-			int	rj_Off;		/* where to start compare */
-			struct	radij_node *rj_L;/* progeny */
-			struct	radij_node *rj_R;/* progeny */
-		}rj_node;
-	}		rj_u;
-#ifdef RJ_DEBUG
-	int rj_info;
-	struct radij_node *rj_twin;
-	struct radij_node *rj_ybro;
-#endif
-};
-
-#define rj_dupedkey rj_u.rj_leaf.rj_Dupedkey
-#define rj_key rj_u.rj_leaf.rj_Key
-#define rj_mask rj_u.rj_leaf.rj_Mask
-#define rj_off rj_u.rj_node.rj_Off
-#define rj_l rj_u.rj_node.rj_L
-#define rj_r rj_u.rj_node.rj_R
-
-/*
- * Annotations to tree concerning potential routes applying to subtrees.
- */
-
-extern struct radij_mask {
-	short	rm_b;			/* bit offset; -1-index(netmask) */
-	char	rm_unused;		/* cf. rj_bmask */
-	u_char	rm_flags;		/* cf. rj_flags */
-	struct	radij_mask *rm_mklist;	/* more masks to try */
-	caddr_t	rm_mask;		/* the mask */
-	int	rm_refs;		/* # of references to this struct */
-} *rj_mkfreelist;
-
-#define MKGet(m) {\
-	if (rj_mkfreelist) {\
-		m = rj_mkfreelist; \
-		rj_mkfreelist = (m)->rm_mklist; \
-	} else \
-		R_Malloc(m, struct radij_mask *, sizeof (*(m))); }\
-
-#define MKFree(m) { (m)->rm_mklist = rj_mkfreelist; rj_mkfreelist = (m);}
-
-struct radij_node_head {
-	struct	radij_node *rnh_treetop;
-	int	rnh_addrsize;		/* permit, but not require fixed keys */
-	int	rnh_pktsize;		/* permit, but not require fixed keys */
-#if 0
-	struct	radij_node *(*rnh_addaddr)	/* add based on sockaddr */
-		__P((void *v, void *mask,
-		     struct radij_node_head *head, struct radij_node nodes[]));
-#endif
-	int (*rnh_addaddr)	/* add based on sockaddr */
-		__P((void *v, void *mask,
-		     struct radij_node_head *head, struct radij_node nodes[]));
-	struct	radij_node *(*rnh_addpkt)	/* add based on packet hdr */
-		__P((void *v, void *mask,
-		     struct radij_node_head *head, struct radij_node nodes[]));
-#if 0
-	struct	radij_node *(*rnh_deladdr)	/* remove based on sockaddr */
-		__P((void *v, void *mask, struct radij_node_head *head));
-#endif
-	int (*rnh_deladdr)	/* remove based on sockaddr */
-		__P((void *v, void *mask, struct radij_node_head *head, struct radij_node **node));
-	struct	radij_node *(*rnh_delpkt)	/* remove based on packet hdr */
-		__P((void *v, void *mask, struct radij_node_head *head));
-	struct	radij_node *(*rnh_matchaddr)	/* locate based on sockaddr */
-		__P((void *v, struct radij_node_head *head));
-	struct	radij_node *(*rnh_matchpkt)	/* locate based on packet hdr */
-		__P((void *v, struct radij_node_head *head));
-	int	(*rnh_walktree)			/* traverse tree */
-		__P((struct radij_node_head *head, int (*f)(struct radij_node *rn, void *w), void *w));
-	struct	radij_node rnh_nodes[3];	/* empty tree for common case */
-};
-
-
-#define Bcmp(a, b, n) memcmp(((caddr_t)(b)), ((caddr_t)(a)), (unsigned)(n))
-#define Bcopy(a, b, n) memmove(((caddr_t)(b)), ((caddr_t)(a)), (unsigned)(n))
-#define Bzero(p, n) memset((caddr_t)(p), 0, (unsigned)(n))
-#define R_Malloc(p, t, n) ((p = (t) kmalloc((size_t)(n), GFP_ATOMIC)), Bzero((p),(n)))
-#define Free(p) kfree((caddr_t)p);
-
-void	 rj_init __P((void));
-int	 rj_inithead __P((void **, int));
-int	 rj_refines __P((void *, void *));
-int	 rj_walktree __P((struct radij_node_head *head, int (*f)(struct radij_node *rn, void *w), void *w));
-struct radij_node
-	 *rj_addmask __P((void *, int, int)) /* , rgb */ ;
-int /* * */ rj_addroute __P((void *, void *, struct radij_node_head *,
-			struct radij_node [2])) /* , rgb */ ;
-int /* * */ rj_delete __P((void *, void *, struct radij_node_head *, struct radij_node **)) /* , rgb */ ;
-struct radij_node /* rgb */
-	 *rj_insert __P((void *, struct radij_node_head *, int *,
-			struct radij_node [2])),
-	 *rj_match __P((void *, struct radij_node_head *)),
-	 *rj_newpair __P((void *, int, struct radij_node[2])),
-	 *rj_search __P((void *, struct radij_node *)),
-	 *rj_search_m __P((void *, struct radij_node *, void *));
-
-void rj_deltree(struct radij_node_head *);
-void rj_delnodes(struct radij_node *);
-void rj_free_mkfreelist(void);
-int radijcleartree(void);
-int radijcleanup(void);
-
-extern struct radij_node_head *mask_rjhead;
-extern int maj_keylen;
-#endif /* __KERNEL__ */
-
-#endif /* _RADIJ_H_ */
diff --git a/src/libfreeswan/rangetoa.c b/src/libfreeswan/rangetoa.c
index 4d1eb204e..c5a7ddfda 100644
--- a/src/libfreeswan/rangetoa.c
+++ b/src/libfreeswan/rangetoa.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
  * License for more details.
- *
- * RCSID $Id: rangetoa.c 3265 2007-10-08 19:52:55Z andreas $
  */
 #include "internal.h"
 #include "freeswan.h"
diff --git a/src/libfreeswan/rangetosubnet.3 b/src/libfreeswan/rangetosubnet.3
index 27e765670..100b42bd9 100644
--- a/src/libfreeswan/rangetosubnet.3
+++ b/src/libfreeswan/rangetosubnet.3
@@ -1,5 +1,4 @@
 .TH IPSEC_RANGETOSUBNET 3 "8 Sept 2000"
-.\" RCSID $Id: rangetosubnet.3 3265 2007-10-08 19:52:55Z andreas $
 .SH NAME
 ipsec rangetosubnet \- convert address range to subnet
 .SH SYNOPSIS
diff --git a/src/libfreeswan/rangetosubnet.c b/src/libfreeswan/rangetosubnet.c
index f68efa6bf..0defa0739 100644
--- a/src/libfreeswan/rangetosubnet.c
+++ b/src/libfreeswan/rangetosubnet.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
  * License for more details.
- *
- * RCSID $Id: rangetosubnet.c 3265 2007-10-08 19:52:55Z andreas $
  */
 #include "internal.h"
 #include "freeswan.h"
diff --git a/src/libfreeswan/sameaddr.3 b/src/libfreeswan/sameaddr.3
index dc172029e..62886bf1a 100644
--- a/src/libfreeswan/sameaddr.3
+++ b/src/libfreeswan/sameaddr.3
@@ -1,5 +1,4 @@
 .TH IPSEC_ANYADDR 3 "28 Nov 2000"
-.\" RCSID $Id: sameaddr.3 3265 2007-10-08 19:52:55Z andreas $
 .SH NAME
 ipsec sameaddr \- are two addresses the same?
 .br
diff --git a/src/libfreeswan/sameaddr.c b/src/libfreeswan/sameaddr.c
index 77f458e50..653b94c30 100644
--- a/src/libfreeswan/sameaddr.c
+++ b/src/libfreeswan/sameaddr.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
  * License for more details.
- *
- * RCSID $Id: sameaddr.c 3265 2007-10-08 19:52:55Z andreas $
  */
 #include "internal.h"
 #include "freeswan.h"
diff --git a/src/libfreeswan/satoa.c b/src/libfreeswan/satoa.c
index 46ed1a483..fe7fb2ea0 100644
--- a/src/libfreeswan/satoa.c
+++ b/src/libfreeswan/satoa.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
  * License for more details.
- *
- * RCSID $Id: satoa.c 3265 2007-10-08 19:52:55Z andreas $
  */
 #include "internal.h"
 #include "freeswan.h"
diff --git a/src/libfreeswan/satot.c b/src/libfreeswan/satot.c
index bb1e6c736..a16d62840 100644
--- a/src/libfreeswan/satot.c
+++ b/src/libfreeswan/satot.c
@@ -11,9 +11,9 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
  * License for more details.
- *
- * RCSID $Id: satot.c 3265 2007-10-08 19:52:55Z andreas $
  */
+#include <sys/socket.h>
+
 #include "internal.h"
 #include "freeswan.h"
 
diff --git a/src/libfreeswan/subnetof.3 b/src/libfreeswan/subnetof.3
index 9358256cf..aacc76d2c 100644
--- a/src/libfreeswan/subnetof.3
+++ b/src/libfreeswan/subnetof.3
@@ -1,5 +1,4 @@
 .TH IPSEC_SUBNETOF 3 "11 June 2001"
-.\" RCSID $Id: subnetof.3 3265 2007-10-08 19:52:55Z andreas $
 .SH NAME
 ipsec subnetof \- given Internet address and subnet mask, return subnet number
 .br
diff --git a/src/libfreeswan/subnetof.c b/src/libfreeswan/subnetof.c
index 4cc3653f3..55786a2e4 100644
--- a/src/libfreeswan/subnetof.c
+++ b/src/libfreeswan/subnetof.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
  * License for more details.
- *
- * RCSID $Id: subnetof.c 3265 2007-10-08 19:52:55Z andreas $
  */
 #include "internal.h"
 #include "freeswan.h"
diff --git a/src/libfreeswan/subnettoa.c b/src/libfreeswan/subnettoa.c
index 6fc282de1..e8d98168d 100644
--- a/src/libfreeswan/subnettoa.c
+++ b/src/libfreeswan/subnettoa.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
  * License for more details.
- *
- * RCSID $Id: subnettoa.c 3265 2007-10-08 19:52:55Z andreas $
  */
 #include "internal.h"
 #include "freeswan.h"
diff --git a/src/libfreeswan/subnettot.c b/src/libfreeswan/subnettot.c
index 7bdacc1fb..03d2e1e57 100644
--- a/src/libfreeswan/subnettot.c
+++ b/src/libfreeswan/subnettot.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
  * License for more details.
- *
- * RCSID $Id: subnettot.c 3265 2007-10-08 19:52:55Z andreas $
  */
 #include "internal.h"
 #include "freeswan.h"
diff --git a/src/libfreeswan/subnettypeof.c b/src/libfreeswan/subnettypeof.c
index d2b09fde7..9fa15a7d5 100644
--- a/src/libfreeswan/subnettypeof.c
+++ b/src/libfreeswan/subnettypeof.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
  * License for more details.
- *
- * RCSID $Id: subnettypeof.c 3265 2007-10-08 19:52:55Z andreas $
  */
 #include "internal.h"
 #include "freeswan.h"
diff --git a/src/libfreeswan/ttoaddr.3 b/src/libfreeswan/ttoaddr.3
index a1ede84b3..70671145e 100644
--- a/src/libfreeswan/ttoaddr.3
+++ b/src/libfreeswan/ttoaddr.3
@@ -1,5 +1,4 @@
 .TH IPSEC_TTOADDR 3 "28 Sept 2001"
-.\" RCSID $Id: ttoaddr.3 3265 2007-10-08 19:52:55Z andreas $
 .SH NAME
 ipsec ttoaddr, tnatoaddr, addrtot \- convert Internet addresses to and from text
 .br
diff --git a/src/libfreeswan/ttoaddr.c b/src/libfreeswan/ttoaddr.c
index 15e8dfe55..e4ceec863 100644
--- a/src/libfreeswan/ttoaddr.c
+++ b/src/libfreeswan/ttoaddr.c
@@ -11,9 +11,9 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
  * License for more details.
- *
- * RCSID $Id: ttoaddr.c 3684 2008-03-28 11:46:30Z martin $
  */
+#include <sys/socket.h>
+
 #include "internal.h"
 #include "freeswan.h"
 
diff --git a/src/libfreeswan/ttodata.3 b/src/libfreeswan/ttodata.3
index 0663407ff..8f4b1ec93 100644
--- a/src/libfreeswan/ttodata.3
+++ b/src/libfreeswan/ttodata.3
@@ -1,5 +1,4 @@
 .TH IPSEC_TTODATA 3 "16 August 2003"
-.\" RCSID $Id: ttodata.3 3265 2007-10-08 19:52:55Z andreas $
 .SH NAME
 ipsec ttodata, datatot \- convert binary data bytes from and to text formats
 .SH SYNOPSIS
diff --git a/src/libfreeswan/ttodata.c b/src/libfreeswan/ttodata.c
index 5334ea124..b0d5e4d01 100644
--- a/src/libfreeswan/ttodata.c
+++ b/src/libfreeswan/ttodata.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
  * License for more details.
- *
- * RCSID $Id: ttodata.c 3265 2007-10-08 19:52:55Z andreas $
  */
 #include "internal.h"
 #include "freeswan.h"
diff --git a/src/libfreeswan/ttoprotoport.c b/src/libfreeswan/ttoprotoport.c
index d64cfd5ee..c3d033168 100644
--- a/src/libfreeswan/ttoprotoport.c
+++ b/src/libfreeswan/ttoprotoport.c
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: ttoprotoport.c 3265 2007-10-08 19:52:55Z andreas $
  */
 
 #include "internal.h"
@@ -28,7 +26,7 @@ char *src;		/* input string */
 size_t src_len;		/* length of input string, use strlen() if 0 */
 u_int8_t *proto;	/* extracted protocol number */
 u_int16_t *port;	/* extracted port number if it exists */
-int *has_port_wildcard;	/* set if port is %any */
+bool *has_port_wildcard;	/* set if port is %any */
 {
     char *end, *service_name;
     char proto_name[16];
diff --git a/src/libfreeswan/ttosa.3 b/src/libfreeswan/ttosa.3
index 3ae041de2..f9ea36a09 100644
--- a/src/libfreeswan/ttosa.3
+++ b/src/libfreeswan/ttosa.3
@@ -1,5 +1,4 @@
 .TH IPSEC_TTOSA 3 "26 Nov 2001"
-.\" RCSID $Id: ttosa.3 3265 2007-10-08 19:52:55Z andreas $
 .SH NAME
 ipsec ttosa, satot \- convert IPsec Security Association IDs to and from text
 .br
diff --git a/src/libfreeswan/ttosa.c b/src/libfreeswan/ttosa.c
index 4e6a29f74..20e01b152 100644
--- a/src/libfreeswan/ttosa.c
+++ b/src/libfreeswan/ttosa.c
@@ -11,9 +11,9 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
  * License for more details.
- *
- * RCSID $Id: ttosa.c 3265 2007-10-08 19:52:55Z andreas $
  */
+#include <sys/socket.h>
+
 #include "internal.h"
 #include "freeswan.h"
 
diff --git a/src/libfreeswan/ttosubnet.c b/src/libfreeswan/ttosubnet.c
index 82e569ea1..36c039a96 100644
--- a/src/libfreeswan/ttosubnet.c
+++ b/src/libfreeswan/ttosubnet.c
@@ -11,9 +11,9 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
  * License for more details.
- *
- * RCSID $Id: ttosubnet.c 3265 2007-10-08 19:52:55Z andreas $
  */
+#include <sys/socket.h>
+
 #include "internal.h"
 #include "freeswan.h"
 
diff --git a/src/libfreeswan/ttoul.3 b/src/libfreeswan/ttoul.3
index 2bd08b4b0..ffd9fb38a 100644
--- a/src/libfreeswan/ttoul.3
+++ b/src/libfreeswan/ttoul.3
@@ -1,5 +1,4 @@
 .TH IPSEC_TTOUL 3 "16 Aug 2000"
-.\" RCSID $Id: ttoul.3 3265 2007-10-08 19:52:55Z andreas $
 .SH NAME
 ipsec ttoul, ultot \- convert unsigned-long numbers to and from text
 .SH SYNOPSIS
diff --git a/src/libfreeswan/ttoul.c b/src/libfreeswan/ttoul.c
index 1bd73a702..853a6130c 100644
--- a/src/libfreeswan/ttoul.c
+++ b/src/libfreeswan/ttoul.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
  * License for more details.
- *
- * RCSID $Id: ttoul.c 3265 2007-10-08 19:52:55Z andreas $
  */
 #include "internal.h"
 #include "freeswan.h"
diff --git a/src/libfreeswan/ultoa.c b/src/libfreeswan/ultoa.c
index ae7c7e62b..ef45366a1 100644
--- a/src/libfreeswan/ultoa.c
+++ b/src/libfreeswan/ultoa.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
  * License for more details.
- *
- * RCSID $Id: ultoa.c 3265 2007-10-08 19:52:55Z andreas $
  */
 #include "internal.h"
 #include "freeswan.h"
diff --git a/src/libfreeswan/ultot.c b/src/libfreeswan/ultot.c
index 9e1bfa36c..c4f2d7884 100644
--- a/src/libfreeswan/ultot.c
+++ b/src/libfreeswan/ultot.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
  * License for more details.
- *
- * RCSID $Id: ultot.c 3265 2007-10-08 19:52:55Z andreas $
  */
 #include "internal.h"
 #include "freeswan.h"
diff --git a/src/libfreeswan/version.3 b/src/libfreeswan/version.3
deleted file mode 100644
index e43ee8b61..000000000
--- a/src/libfreeswan/version.3
+++ /dev/null
@@ -1,44 +0,0 @@
-.TH IPSEC_VERSION 3 "21 Nov 2001"
-.\" RCSID $Id: version.3 3265 2007-10-08 19:52:55Z andreas $
-.SH NAME
-ipsec ipsec_version_code \- get IPsec version code
-.br
-ipsec ipsec_version_string \- get full IPsec version string
-.br
-ipsec ipsec_copyright_notice \- get IPsec copyright notice
-.SH SYNOPSIS
-.B "#include <freeswan.h>
-.sp
-.B "const char *ipsec_version_code(void);"
-.br
-.B "const char *ipsec_version_string(void);"
-.br
-.B "const char **ipsec_copyright_notice(void);"
-.SH DESCRIPTION
-These functions provide information on version numbering and copyright
-of the Linux FreeS/WAN IPsec implementation.
-.PP
-.I Ipsec_version_code
-returns a pointer to a string constant
-containing the current IPsec version code,
-such as ``1.92'' or ``snap2001Nov19b''.
-.PP
-.I Ipsec_version_string
-returns a pointer to a string constant giving a full version identification,
-consisting of the version code preceded by a prefix identifying the software,
-e.g. ``Linux FreeS/WAN 1.92''.
-.PP
-.I Ipsec_copyright_notice
-returns a pointer to a vector of pointers,
-terminated by a
-.BR NULL ,
-which is the text of a suitable copyright notice.
-Each pointer points to a string constant (possibly empty) which is one line
-of the somewhat-verbose copyright notice.
-The strings are NUL-terminated and do not contain a newline;
-supplying suitable line termination for the output device is
-the caller's responsibility.
-.SH SEE ALSO
-ipsec(8)
-.SH HISTORY
-Written for the FreeS/WAN project by Henry Spencer.
diff --git a/src/libfreeswan/version.c b/src/libfreeswan/version.c
deleted file mode 100644
index ffd2f5680..000000000
--- a/src/libfreeswan/version.c
+++ /dev/null
@@ -1,43 +0,0 @@
-/*
- * return IPsec version information
- * Copyright (C) 2001  Henry Spencer.
- *
- * This library is free software; you can redistribute it and/or modify it
- * under the terms of the GNU Library General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- *
- * This library is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
- * License for more details.
- *
- * RCSID $Id: version.c 3265 2007-10-08 19:52:55Z andreas $
- */
-
-#ifdef __KERNEL__
-#include <linux/netdevice.h>
-#endif
-
-#include "freeswan.h"
-
-static const char strongswan_number[] = VERSION;
-static const char strongswan_string[] = "Linux strongSwan " VERSION;
-
-/*
- - ipsec_version_code - return IPsec version number/code, as string
- */
-const char *
-ipsec_version_code()
-{
-	return strongswan_number;
-}
-
-/*
- - ipsec_version_string - return full version string
- */
-const char *
-ipsec_version_string()
-{
-	return strongswan_string;
-}
diff --git a/src/libstrongswan/Makefile.am b/src/libstrongswan/Makefile.am
index 1d0f837ef..212b9547d 100644
--- a/src/libstrongswan/Makefile.am
+++ b/src/libstrongswan/Makefile.am
@@ -22,12 +22,15 @@ asn1/pem.c asn1/pem.h \
 crypto/crypters/crypter.c crypto/crypters/crypter.h \
 crypto/hashers/hasher.h crypto/hashers/hasher.c \
 crypto/pkcs9.c crypto/pkcs9.h \
+crypto/proposal/proposal_keywords.c crypto/proposal/proposal_keywords.h \
 crypto/prfs/prf.c crypto/prfs/prf.h \
 crypto/rngs/rng.c crypto/rngs/rng.h \
 crypto/prf_plus.h crypto/prf_plus.c \
 crypto/signers/signer.c crypto/signers/signer.h \
-crypto/diffie_hellman.c crypto/diffie_hellman.h \
 crypto/crypto_factory.c crypto/crypto_factory.h \
+crypto/crypto_tester.c crypto/crypto_tester.h \
+crypto/diffie_hellman.c crypto/diffie_hellman.h \
+crypto/transform.c crypto/transform.h \
 credentials/credential_factory.c credentials/credential_factory.h \
 credentials/builder.c credentials/builder.h \
 credentials/keys/private_key.c credentials/keys/private_key.h \
@@ -39,8 +42,9 @@ credentials/certificates/ac.h \
 credentials/certificates/crl.h credentials/certificates/crl.c \
 credentials/certificates/ocsp_request.h \
 credentials/certificates/ocsp_response.h credentials/certificates/ocsp_response.c \
-fetcher/fetcher.h fetcher/fetcher_manager.h fetcher/fetcher_manager.c \
 database/database.h database/database_factory.h database/database_factory.c \
+fetcher/fetcher.h fetcher/fetcher_manager.h fetcher/fetcher_manager.c \
+pgp/pgp.c pgp/pgp.h \
 utils.h utils.c \
 utils/host.c utils/host.h \
 utils/identification.c utils/identification.h \
@@ -54,15 +58,17 @@ utils/mutex.c utils/mutex.h \
 utils/backtrace.c utils/backtrace.h \
 plugins/plugin_loader.c plugins/plugin_loader.h plugins/plugin.h
 
-libstrongswan_la_LIBADD = -lpthread -ldl
+libstrongswan_la_LIBADD = -lpthread $(DLLIB)
 
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" \
-			-DIPSEC_PLUGINDIR=\"${plugindir}\"
+AM_CFLAGS = \
+-DIPSEC_DIR=\"${ipsecdir}\" \
+-DIPSEC_PLUGINDIR=\"${plugindir}\"
 
 if USE_LEAK_DETECTIVE
   AM_CFLAGS += -DLEAK_DETECTIVE
-  libstrongswan_la_SOURCES += utils/leak_detective.c utils/leak_detective.h
+  libstrongswan_la_SOURCES += \
+    utils/leak_detective.c utils/leak_detective.h
 endif
 
 if USE_LOCK_PROFILER
@@ -78,15 +84,28 @@ if USE_VSTR
   libstrongswan_la_LIBADD += -lvstr
 endif
 
-EXTRA_DIST = asn1/oid.txt asn1/oid.pl
-BUILT_SOURCES = asn1/oid.c asn1/oid.h
-MAINTAINERCLEANFILES = asn1/oid.c asn1/oid.h
+EXTRA_DIST = \
+asn1/oid.txt asn1/oid.pl \
+crypto/proposal/proposal_keywords.txt
+
+BUILT_SOURCES = \
+$(srcdir)/asn1/oid.c $(srcdir)/asn1/oid.h \
+$(srcdir)/crypto/proposal/proposal_keywords.c
+
+MAINTAINERCLEANFILES = \
+$(srcdir)/asn1/oid.c $(srcdir)/asn1/oid.h \
+$(srcdir)/crypto/proposal/proposal_keywords.c
 
-asn1/oid.c :	asn1/oid.pl asn1/oid.txt
-		(cd `dirname $<` && $(PERL) `basename $<`)
+$(srcdir)/asn1/oid.c :	$(srcdir)/asn1/oid.pl $(srcdir)/asn1/oid.txt
+		(cd $(srcdir)/asn1/ && $(PERL) oid.pl)
 
-asn1/oid.h :	asn1/oid.pl asn1/oid.txt
-		(cd `dirname $<` && $(PERL) `basename $<`)
+$(srcdir)/asn1/oid.h :	$(srcdir)/asn1/oid.pl $(srcdir)/asn1/oid.txt
+		(cd $(srcdir)/asn1/ && $(PERL) oid.pl)
+
+$(srcdir)/crypto/proposal/proposal_keywords.c:	$(srcdir)/crypto/proposal/proposal_keywords.txt \
+												$(srcdir)/crypto/proposal/proposal_keywords.h
+		$(GPERF) -N proposal_get_token -m 10 -C -G -c -t -D < \
+												$(srcdir)/crypto/proposal/proposal_keywords.txt > $@
 
 
 # build plugins with their own Makefile
@@ -102,6 +121,10 @@ if USE_DES
   SUBDIRS += plugins/des
 endif
 
+if USE_BLOWFISH
+  SUBDIRS += plugins/blowfish
+endif
+
 if USE_MD4
   SUBDIRS += plugins/md4
 endif
@@ -170,10 +193,18 @@ if USE_OPENSSL
   SUBDIRS += plugins/openssl
 endif
 
+if USE_GCRYPT
+  SUBDIRS += plugins/gcrypt
+endif
+
 if USE_AGENT
   SUBDIRS += plugins/agent
 endif
 
+if USE_TEST_VECTORS
+  SUBDIRS += plugins/test_vectors
+endif
+
 if USE_INTEGRITY_TEST
   SUBDIRS += fips
 endif
diff --git a/src/libstrongswan/Makefile.in b/src/libstrongswan/Makefile.in
index ed13138e4..dd25f0526 100644
--- a/src/libstrongswan/Makefile.in
+++ b/src/libstrongswan/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -33,30 +33,35 @@ POST_UNINSTALL = :
 build_triplet = @build@
 host_triplet = @host@
 @USE_LEAK_DETECTIVE_TRUE@am__append_1 = -DLEAK_DETECTIVE
-@USE_LEAK_DETECTIVE_TRUE@am__append_2 = utils/leak_detective.c utils/leak_detective.h
+@USE_LEAK_DETECTIVE_TRUE@am__append_2 = \
+@USE_LEAK_DETECTIVE_TRUE@    utils/leak_detective.c utils/leak_detective.h
+
 @USE_LOCK_PROFILER_TRUE@am__append_3 = -DLOCK_PROFILER
 @USE_VSTR_TRUE@am__append_4 = -lvstr
 @USE_AES_TRUE@am__append_5 = plugins/aes
 @USE_DES_TRUE@am__append_6 = plugins/des
-@USE_MD4_TRUE@am__append_7 = plugins/md4
-@USE_MD5_TRUE@am__append_8 = plugins/md5
-@USE_SHA1_TRUE@am__append_9 = plugins/sha1
-@USE_SHA2_TRUE@am__append_10 = plugins/sha2
-@USE_FIPS_PRF_TRUE@am__append_11 = plugins/fips_prf
-@USE_GMP_TRUE@am__append_12 = plugins/gmp
-@USE_RANDOM_TRUE@am__append_13 = plugins/random
-@USE_HMAC_TRUE@am__append_14 = plugins/hmac
-@USE_XCBC_TRUE@am__append_15 = plugins/xcbc
-@USE_X509_TRUE@am__append_16 = plugins/x509
-@USE_PUBKEY_TRUE@am__append_17 = plugins/pubkey
-@USE_CURL_TRUE@am__append_18 = plugins/curl
-@USE_LDAP_TRUE@am__append_19 = plugins/ldap
-@USE_MYSQL_TRUE@am__append_20 = plugins/mysql
-@USE_SQLITE_TRUE@am__append_21 = plugins/sqlite
-@USE_PADLOCK_TRUE@am__append_22 = plugins/padlock
-@USE_OPENSSL_TRUE@am__append_23 = plugins/openssl
-@USE_AGENT_TRUE@am__append_24 = plugins/agent
-@USE_INTEGRITY_TEST_TRUE@am__append_25 = fips
+@USE_BLOWFISH_TRUE@am__append_7 = plugins/blowfish
+@USE_MD4_TRUE@am__append_8 = plugins/md4
+@USE_MD5_TRUE@am__append_9 = plugins/md5
+@USE_SHA1_TRUE@am__append_10 = plugins/sha1
+@USE_SHA2_TRUE@am__append_11 = plugins/sha2
+@USE_FIPS_PRF_TRUE@am__append_12 = plugins/fips_prf
+@USE_GMP_TRUE@am__append_13 = plugins/gmp
+@USE_RANDOM_TRUE@am__append_14 = plugins/random
+@USE_HMAC_TRUE@am__append_15 = plugins/hmac
+@USE_XCBC_TRUE@am__append_16 = plugins/xcbc
+@USE_X509_TRUE@am__append_17 = plugins/x509
+@USE_PUBKEY_TRUE@am__append_18 = plugins/pubkey
+@USE_CURL_TRUE@am__append_19 = plugins/curl
+@USE_LDAP_TRUE@am__append_20 = plugins/ldap
+@USE_MYSQL_TRUE@am__append_21 = plugins/mysql
+@USE_SQLITE_TRUE@am__append_22 = plugins/sqlite
+@USE_PADLOCK_TRUE@am__append_23 = plugins/padlock
+@USE_OPENSSL_TRUE@am__append_24 = plugins/openssl
+@USE_GCRYPT_TRUE@am__append_25 = plugins/gcrypt
+@USE_AGENT_TRUE@am__append_26 = plugins/agent
+@USE_TEST_VECTORS_TRUE@am__append_27 = plugins/test_vectors
+@USE_INTEGRITY_TEST_TRUE@am__append_28 = fips
 subdir = src/libstrongswan
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
@@ -75,7 +80,8 @@ am__installdirs = "$(DESTDIR)$(libdir)"
 libLTLIBRARIES_INSTALL = $(INSTALL)
 LTLIBRARIES = $(lib_LTLIBRARIES)
 am__DEPENDENCIES_1 =
-libstrongswan_la_DEPENDENCIES = $(am__DEPENDENCIES_1)
+libstrongswan_la_DEPENDENCIES = $(am__DEPENDENCIES_1) \
+	$(am__DEPENDENCIES_1)
 am__libstrongswan_la_SOURCES_DIST = library.c library.h chunk.c \
 	chunk.h debug.c debug.h enum.c enum.h settings.h settings.c \
 	printf_hook.c printf_hook.h asn1/asn1.c asn1/asn1.h \
@@ -83,11 +89,14 @@ am__libstrongswan_la_SOURCES_DIST = library.c library.h chunk.c \
 	asn1/pem.c asn1/pem.h crypto/crypters/crypter.c \
 	crypto/crypters/crypter.h crypto/hashers/hasher.h \
 	crypto/hashers/hasher.c crypto/pkcs9.c crypto/pkcs9.h \
-	crypto/prfs/prf.c crypto/prfs/prf.h crypto/rngs/rng.c \
-	crypto/rngs/rng.h crypto/prf_plus.h crypto/prf_plus.c \
-	crypto/signers/signer.c crypto/signers/signer.h \
-	crypto/diffie_hellman.c crypto/diffie_hellman.h \
-	crypto/crypto_factory.c crypto/crypto_factory.h \
+	crypto/proposal/proposal_keywords.c \
+	crypto/proposal/proposal_keywords.h crypto/prfs/prf.c \
+	crypto/prfs/prf.h crypto/rngs/rng.c crypto/rngs/rng.h \
+	crypto/prf_plus.h crypto/prf_plus.c crypto/signers/signer.c \
+	crypto/signers/signer.h crypto/crypto_factory.c \
+	crypto/crypto_factory.h crypto/crypto_tester.c \
+	crypto/crypto_tester.h crypto/diffie_hellman.c \
+	crypto/diffie_hellman.h crypto/transform.c crypto/transform.h \
 	credentials/credential_factory.c \
 	credentials/credential_factory.h credentials/builder.c \
 	credentials/builder.h credentials/keys/private_key.c \
@@ -101,18 +110,19 @@ am__libstrongswan_la_SOURCES_DIST = library.c library.h chunk.c \
 	credentials/certificates/crl.h credentials/certificates/crl.c \
 	credentials/certificates/ocsp_request.h \
 	credentials/certificates/ocsp_response.h \
-	credentials/certificates/ocsp_response.c fetcher/fetcher.h \
-	fetcher/fetcher_manager.h fetcher/fetcher_manager.c \
-	database/database.h database/database_factory.h \
-	database/database_factory.c utils.h utils.c utils/host.c \
-	utils/host.h utils/identification.c utils/identification.h \
-	utils/iterator.h utils/lexparser.c utils/lexparser.h \
-	utils/linked_list.c utils/linked_list.h utils/hashtable.c \
-	utils/hashtable.h utils/enumerator.c utils/enumerator.h \
-	utils/optionsfrom.c utils/optionsfrom.h utils/mutex.c \
-	utils/mutex.h utils/backtrace.c utils/backtrace.h \
-	plugins/plugin_loader.c plugins/plugin_loader.h \
-	plugins/plugin.h utils/leak_detective.c utils/leak_detective.h \
+	credentials/certificates/ocsp_response.c database/database.h \
+	database/database_factory.h database/database_factory.c \
+	fetcher/fetcher.h fetcher/fetcher_manager.h \
+	fetcher/fetcher_manager.c pgp/pgp.c pgp/pgp.h utils.h utils.c \
+	utils/host.c utils/host.h utils/identification.c \
+	utils/identification.h utils/iterator.h utils/lexparser.c \
+	utils/lexparser.h utils/linked_list.c utils/linked_list.h \
+	utils/hashtable.c utils/hashtable.h utils/enumerator.c \
+	utils/enumerator.h utils/optionsfrom.c utils/optionsfrom.h \
+	utils/mutex.c utils/mutex.h utils/backtrace.c \
+	utils/backtrace.h plugins/plugin_loader.c \
+	plugins/plugin_loader.h plugins/plugin.h \
+	utils/leak_detective.c utils/leak_detective.h \
 	fips/fips_canister_start.c fips/fips.c fips/fips.h \
 	fips/fips_canister_end.c
 @USE_LEAK_DETECTIVE_TRUE@am__objects_1 = leak_detective.lo
@@ -120,39 +130,44 @@ am__libstrongswan_la_SOURCES_DIST = library.c library.h chunk.c \
 @USE_INTEGRITY_TEST_FALSE@	chunk.lo debug.lo enum.lo \
 @USE_INTEGRITY_TEST_FALSE@	settings.lo printf_hook.lo asn1.lo \
 @USE_INTEGRITY_TEST_FALSE@	asn1_parser.lo oid.lo pem.lo \
-@USE_INTEGRITY_TEST_FALSE@	crypter.lo hasher.lo pkcs9.lo prf.lo \
-@USE_INTEGRITY_TEST_FALSE@	rng.lo prf_plus.lo signer.lo \
-@USE_INTEGRITY_TEST_FALSE@	diffie_hellman.lo crypto_factory.lo \
+@USE_INTEGRITY_TEST_FALSE@	crypter.lo hasher.lo pkcs9.lo \
+@USE_INTEGRITY_TEST_FALSE@	proposal_keywords.lo prf.lo rng.lo \
+@USE_INTEGRITY_TEST_FALSE@	prf_plus.lo signer.lo \
+@USE_INTEGRITY_TEST_FALSE@	crypto_factory.lo crypto_tester.lo \
+@USE_INTEGRITY_TEST_FALSE@	diffie_hellman.lo transform.lo \
 @USE_INTEGRITY_TEST_FALSE@	credential_factory.lo builder.lo \
 @USE_INTEGRITY_TEST_FALSE@	private_key.lo public_key.lo \
 @USE_INTEGRITY_TEST_FALSE@	shared_key.lo certificate.lo x509.lo \
 @USE_INTEGRITY_TEST_FALSE@	crl.lo ocsp_response.lo \
-@USE_INTEGRITY_TEST_FALSE@	fetcher_manager.lo \
-@USE_INTEGRITY_TEST_FALSE@	database_factory.lo utils.lo host.lo \
-@USE_INTEGRITY_TEST_FALSE@	identification.lo lexparser.lo \
-@USE_INTEGRITY_TEST_FALSE@	linked_list.lo hashtable.lo \
-@USE_INTEGRITY_TEST_FALSE@	enumerator.lo optionsfrom.lo \
-@USE_INTEGRITY_TEST_FALSE@	mutex.lo backtrace.lo \
+@USE_INTEGRITY_TEST_FALSE@	database_factory.lo \
+@USE_INTEGRITY_TEST_FALSE@	fetcher_manager.lo pgp.lo utils.lo \
+@USE_INTEGRITY_TEST_FALSE@	host.lo identification.lo \
+@USE_INTEGRITY_TEST_FALSE@	lexparser.lo linked_list.lo \
+@USE_INTEGRITY_TEST_FALSE@	hashtable.lo enumerator.lo \
+@USE_INTEGRITY_TEST_FALSE@	optionsfrom.lo mutex.lo backtrace.lo \
 @USE_INTEGRITY_TEST_FALSE@	plugin_loader.lo $(am__objects_1)
 @USE_INTEGRITY_TEST_TRUE@am_libstrongswan_la_OBJECTS =  \
 @USE_INTEGRITY_TEST_TRUE@	fips_canister_start.lo fips.lo \
 @USE_INTEGRITY_TEST_TRUE@	library.lo chunk.lo debug.lo enum.lo \
 @USE_INTEGRITY_TEST_TRUE@	settings.lo printf_hook.lo asn1.lo \
 @USE_INTEGRITY_TEST_TRUE@	asn1_parser.lo oid.lo pem.lo \
-@USE_INTEGRITY_TEST_TRUE@	crypter.lo hasher.lo pkcs9.lo prf.lo \
-@USE_INTEGRITY_TEST_TRUE@	rng.lo prf_plus.lo signer.lo \
-@USE_INTEGRITY_TEST_TRUE@	diffie_hellman.lo crypto_factory.lo \
+@USE_INTEGRITY_TEST_TRUE@	crypter.lo hasher.lo pkcs9.lo \
+@USE_INTEGRITY_TEST_TRUE@	proposal_keywords.lo prf.lo rng.lo \
+@USE_INTEGRITY_TEST_TRUE@	prf_plus.lo signer.lo \
+@USE_INTEGRITY_TEST_TRUE@	crypto_factory.lo crypto_tester.lo \
+@USE_INTEGRITY_TEST_TRUE@	diffie_hellman.lo transform.lo \
 @USE_INTEGRITY_TEST_TRUE@	credential_factory.lo builder.lo \
 @USE_INTEGRITY_TEST_TRUE@	private_key.lo public_key.lo \
 @USE_INTEGRITY_TEST_TRUE@	shared_key.lo certificate.lo x509.lo \
 @USE_INTEGRITY_TEST_TRUE@	crl.lo ocsp_response.lo \
-@USE_INTEGRITY_TEST_TRUE@	fetcher_manager.lo \
-@USE_INTEGRITY_TEST_TRUE@	database_factory.lo utils.lo host.lo \
-@USE_INTEGRITY_TEST_TRUE@	identification.lo lexparser.lo \
-@USE_INTEGRITY_TEST_TRUE@	linked_list.lo hashtable.lo \
-@USE_INTEGRITY_TEST_TRUE@	enumerator.lo optionsfrom.lo mutex.lo \
-@USE_INTEGRITY_TEST_TRUE@	backtrace.lo plugin_loader.lo \
-@USE_INTEGRITY_TEST_TRUE@	$(am__objects_1) fips_canister_end.lo
+@USE_INTEGRITY_TEST_TRUE@	database_factory.lo \
+@USE_INTEGRITY_TEST_TRUE@	fetcher_manager.lo pgp.lo utils.lo \
+@USE_INTEGRITY_TEST_TRUE@	host.lo identification.lo \
+@USE_INTEGRITY_TEST_TRUE@	lexparser.lo linked_list.lo \
+@USE_INTEGRITY_TEST_TRUE@	hashtable.lo enumerator.lo \
+@USE_INTEGRITY_TEST_TRUE@	optionsfrom.lo mutex.lo backtrace.lo \
+@USE_INTEGRITY_TEST_TRUE@	plugin_loader.lo $(am__objects_1) \
+@USE_INTEGRITY_TEST_TRUE@	fips_canister_end.lo
 libstrongswan_la_OBJECTS = $(am_libstrongswan_la_OBJECTS)
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
@@ -179,12 +194,12 @@ RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive	\
   distclean-recursive maintainer-clean-recursive
 ETAGS = etags
 CTAGS = ctags
-DIST_SUBDIRS = . plugins/aes plugins/des plugins/md4 plugins/md5 \
-	plugins/sha1 plugins/sha2 plugins/fips_prf plugins/gmp \
-	plugins/random plugins/hmac plugins/xcbc plugins/x509 \
-	plugins/pubkey plugins/curl plugins/ldap plugins/mysql \
-	plugins/sqlite plugins/padlock plugins/openssl plugins/agent \
-	fips
+DIST_SUBDIRS = . plugins/aes plugins/des plugins/blowfish plugins/md4 \
+	plugins/md5 plugins/sha1 plugins/sha2 plugins/fips_prf \
+	plugins/gmp plugins/random plugins/hmac plugins/xcbc \
+	plugins/x509 plugins/pubkey plugins/curl plugins/ldap \
+	plugins/mysql plugins/sqlite plugins/padlock plugins/openssl \
+	plugins/gcrypt plugins/agent plugins/test_vectors fips
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 AMTAR = @AMTAR@
@@ -201,6 +216,7 @@ CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -223,6 +239,9 @@ LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -234,6 +253,7 @@ MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
 NM = @NM@
 NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
@@ -247,6 +267,8 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 RANLIB = @RANLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -307,6 +329,7 @@ oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
 plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -318,6 +341,7 @@ srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 xml_CFLAGS = @xml_CFLAGS@
@@ -336,15 +360,21 @@ lib_LTLIBRARIES = libstrongswan.la
 @USE_INTEGRITY_TEST_FALSE@	crypto/hashers/hasher.h \
 @USE_INTEGRITY_TEST_FALSE@	crypto/hashers/hasher.c \
 @USE_INTEGRITY_TEST_FALSE@	crypto/pkcs9.c crypto/pkcs9.h \
+@USE_INTEGRITY_TEST_FALSE@	crypto/proposal/proposal_keywords.c \
+@USE_INTEGRITY_TEST_FALSE@	crypto/proposal/proposal_keywords.h \
 @USE_INTEGRITY_TEST_FALSE@	crypto/prfs/prf.c crypto/prfs/prf.h \
 @USE_INTEGRITY_TEST_FALSE@	crypto/rngs/rng.c crypto/rngs/rng.h \
 @USE_INTEGRITY_TEST_FALSE@	crypto/prf_plus.h crypto/prf_plus.c \
 @USE_INTEGRITY_TEST_FALSE@	crypto/signers/signer.c \
 @USE_INTEGRITY_TEST_FALSE@	crypto/signers/signer.h \
-@USE_INTEGRITY_TEST_FALSE@	crypto/diffie_hellman.c \
-@USE_INTEGRITY_TEST_FALSE@	crypto/diffie_hellman.h \
 @USE_INTEGRITY_TEST_FALSE@	crypto/crypto_factory.c \
 @USE_INTEGRITY_TEST_FALSE@	crypto/crypto_factory.h \
+@USE_INTEGRITY_TEST_FALSE@	crypto/crypto_tester.c \
+@USE_INTEGRITY_TEST_FALSE@	crypto/crypto_tester.h \
+@USE_INTEGRITY_TEST_FALSE@	crypto/diffie_hellman.c \
+@USE_INTEGRITY_TEST_FALSE@	crypto/diffie_hellman.h \
+@USE_INTEGRITY_TEST_FALSE@	crypto/transform.c \
+@USE_INTEGRITY_TEST_FALSE@	crypto/transform.h \
 @USE_INTEGRITY_TEST_FALSE@	credentials/credential_factory.c \
 @USE_INTEGRITY_TEST_FALSE@	credentials/credential_factory.h \
 @USE_INTEGRITY_TEST_FALSE@	credentials/builder.c \
@@ -365,13 +395,14 @@ lib_LTLIBRARIES = libstrongswan.la
 @USE_INTEGRITY_TEST_FALSE@	credentials/certificates/ocsp_request.h \
 @USE_INTEGRITY_TEST_FALSE@	credentials/certificates/ocsp_response.h \
 @USE_INTEGRITY_TEST_FALSE@	credentials/certificates/ocsp_response.c \
-@USE_INTEGRITY_TEST_FALSE@	fetcher/fetcher.h \
-@USE_INTEGRITY_TEST_FALSE@	fetcher/fetcher_manager.h \
-@USE_INTEGRITY_TEST_FALSE@	fetcher/fetcher_manager.c \
 @USE_INTEGRITY_TEST_FALSE@	database/database.h \
 @USE_INTEGRITY_TEST_FALSE@	database/database_factory.h \
-@USE_INTEGRITY_TEST_FALSE@	database/database_factory.c utils.h \
-@USE_INTEGRITY_TEST_FALSE@	utils.c utils/host.c utils/host.h \
+@USE_INTEGRITY_TEST_FALSE@	database/database_factory.c \
+@USE_INTEGRITY_TEST_FALSE@	fetcher/fetcher.h \
+@USE_INTEGRITY_TEST_FALSE@	fetcher/fetcher_manager.h \
+@USE_INTEGRITY_TEST_FALSE@	fetcher/fetcher_manager.c pgp/pgp.c \
+@USE_INTEGRITY_TEST_FALSE@	pgp/pgp.h utils.h utils.c \
+@USE_INTEGRITY_TEST_FALSE@	utils/host.c utils/host.h \
 @USE_INTEGRITY_TEST_FALSE@	utils/identification.c \
 @USE_INTEGRITY_TEST_FALSE@	utils/identification.h \
 @USE_INTEGRITY_TEST_FALSE@	utils/iterator.h utils/lexparser.c \
@@ -402,15 +433,20 @@ lib_LTLIBRARIES = libstrongswan.la
 @USE_INTEGRITY_TEST_TRUE@	crypto/hashers/hasher.h \
 @USE_INTEGRITY_TEST_TRUE@	crypto/hashers/hasher.c \
 @USE_INTEGRITY_TEST_TRUE@	crypto/pkcs9.c crypto/pkcs9.h \
+@USE_INTEGRITY_TEST_TRUE@	crypto/proposal/proposal_keywords.c \
+@USE_INTEGRITY_TEST_TRUE@	crypto/proposal/proposal_keywords.h \
 @USE_INTEGRITY_TEST_TRUE@	crypto/prfs/prf.c crypto/prfs/prf.h \
 @USE_INTEGRITY_TEST_TRUE@	crypto/rngs/rng.c crypto/rngs/rng.h \
 @USE_INTEGRITY_TEST_TRUE@	crypto/prf_plus.h crypto/prf_plus.c \
 @USE_INTEGRITY_TEST_TRUE@	crypto/signers/signer.c \
 @USE_INTEGRITY_TEST_TRUE@	crypto/signers/signer.h \
-@USE_INTEGRITY_TEST_TRUE@	crypto/diffie_hellman.c \
-@USE_INTEGRITY_TEST_TRUE@	crypto/diffie_hellman.h \
 @USE_INTEGRITY_TEST_TRUE@	crypto/crypto_factory.c \
 @USE_INTEGRITY_TEST_TRUE@	crypto/crypto_factory.h \
+@USE_INTEGRITY_TEST_TRUE@	crypto/crypto_tester.c \
+@USE_INTEGRITY_TEST_TRUE@	crypto/crypto_tester.h \
+@USE_INTEGRITY_TEST_TRUE@	crypto/diffie_hellman.c \
+@USE_INTEGRITY_TEST_TRUE@	crypto/diffie_hellman.h \
+@USE_INTEGRITY_TEST_TRUE@	crypto/transform.c crypto/transform.h \
 @USE_INTEGRITY_TEST_TRUE@	credentials/credential_factory.c \
 @USE_INTEGRITY_TEST_TRUE@	credentials/credential_factory.h \
 @USE_INTEGRITY_TEST_TRUE@	credentials/builder.c \
@@ -431,13 +467,14 @@ lib_LTLIBRARIES = libstrongswan.la
 @USE_INTEGRITY_TEST_TRUE@	credentials/certificates/ocsp_request.h \
 @USE_INTEGRITY_TEST_TRUE@	credentials/certificates/ocsp_response.h \
 @USE_INTEGRITY_TEST_TRUE@	credentials/certificates/ocsp_response.c \
-@USE_INTEGRITY_TEST_TRUE@	fetcher/fetcher.h \
-@USE_INTEGRITY_TEST_TRUE@	fetcher/fetcher_manager.h \
-@USE_INTEGRITY_TEST_TRUE@	fetcher/fetcher_manager.c \
 @USE_INTEGRITY_TEST_TRUE@	database/database.h \
 @USE_INTEGRITY_TEST_TRUE@	database/database_factory.h \
-@USE_INTEGRITY_TEST_TRUE@	database/database_factory.c utils.h \
-@USE_INTEGRITY_TEST_TRUE@	utils.c utils/host.c utils/host.h \
+@USE_INTEGRITY_TEST_TRUE@	database/database_factory.c \
+@USE_INTEGRITY_TEST_TRUE@	fetcher/fetcher.h \
+@USE_INTEGRITY_TEST_TRUE@	fetcher/fetcher_manager.h \
+@USE_INTEGRITY_TEST_TRUE@	fetcher/fetcher_manager.c pgp/pgp.c \
+@USE_INTEGRITY_TEST_TRUE@	pgp/pgp.h utils.h utils.c \
+@USE_INTEGRITY_TEST_TRUE@	utils/host.c utils/host.h \
 @USE_INTEGRITY_TEST_TRUE@	utils/identification.c \
 @USE_INTEGRITY_TEST_TRUE@	utils/identification.h \
 @USE_INTEGRITY_TEST_TRUE@	utils/iterator.h utils/lexparser.c \
@@ -453,14 +490,23 @@ lib_LTLIBRARIES = libstrongswan.la
 @USE_INTEGRITY_TEST_TRUE@	plugins/plugin_loader.h \
 @USE_INTEGRITY_TEST_TRUE@	plugins/plugin.h $(am__append_2) \
 @USE_INTEGRITY_TEST_TRUE@	fips/fips_canister_end.c
-libstrongswan_la_LIBADD = -lpthread -ldl $(am__append_4)
+libstrongswan_la_LIBADD = -lpthread $(DLLIB) $(am__append_4)
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
 AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" \
 	-DIPSEC_PLUGINDIR=\"${plugindir}\" $(am__append_1) \
 	$(am__append_3)
-EXTRA_DIST = asn1/oid.txt asn1/oid.pl
-BUILT_SOURCES = asn1/oid.c asn1/oid.h
-MAINTAINERCLEANFILES = asn1/oid.c asn1/oid.h
+EXTRA_DIST = \
+asn1/oid.txt asn1/oid.pl \
+crypto/proposal/proposal_keywords.txt
+
+BUILT_SOURCES = \
+$(srcdir)/asn1/oid.c $(srcdir)/asn1/oid.h \
+$(srcdir)/crypto/proposal/proposal_keywords.c
+
+MAINTAINERCLEANFILES = \
+$(srcdir)/asn1/oid.c $(srcdir)/asn1/oid.h \
+$(srcdir)/crypto/proposal/proposal_keywords.c
+
 
 # build plugins with their own Makefile
 #######################################
@@ -470,7 +516,8 @@ SUBDIRS = . $(am__append_5) $(am__append_6) $(am__append_7) \
 	$(am__append_14) $(am__append_15) $(am__append_16) \
 	$(am__append_17) $(am__append_18) $(am__append_19) \
 	$(am__append_20) $(am__append_21) $(am__append_22) \
-	$(am__append_23) $(am__append_24) $(am__append_25)
+	$(am__append_23) $(am__append_24) $(am__append_25) \
+	$(am__append_26) $(am__append_27) $(am__append_28)
 all: $(BUILT_SOURCES)
 	$(MAKE) $(AM_MAKEFLAGS) all-recursive
 
@@ -480,8 +527,8 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
 	    *$$dep*) \
-	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
-		&& exit 0; \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
 	      exit 1;; \
 	  esac; \
 	done; \
@@ -551,6 +598,7 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/crl.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/crypter.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/crypto_factory.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/crypto_tester.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/database_factory.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/debug.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/diffie_hellman.Plo@am__quote@
@@ -573,17 +621,20 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/oid.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/optionsfrom.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pem.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pgp.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs9.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/plugin_loader.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/prf.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/prf_plus.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/printf_hook.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/private_key.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/proposal_keywords.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/public_key.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rng.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/settings.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/shared_key.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/signer.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/transform.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/utils.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/x509.Plo@am__quote@
 
@@ -657,6 +708,13 @@ pkcs9.lo: crypto/pkcs9.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pkcs9.lo `test -f 'crypto/pkcs9.c' || echo '$(srcdir)/'`crypto/pkcs9.c
 
+proposal_keywords.lo: crypto/proposal/proposal_keywords.c
+@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT proposal_keywords.lo -MD -MP -MF $(DEPDIR)/proposal_keywords.Tpo -c -o proposal_keywords.lo `test -f 'crypto/proposal/proposal_keywords.c' || echo '$(srcdir)/'`crypto/proposal/proposal_keywords.c
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/proposal_keywords.Tpo $(DEPDIR)/proposal_keywords.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='crypto/proposal/proposal_keywords.c' object='proposal_keywords.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o proposal_keywords.lo `test -f 'crypto/proposal/proposal_keywords.c' || echo '$(srcdir)/'`crypto/proposal/proposal_keywords.c
+
 prf.lo: crypto/prfs/prf.c
 @am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT prf.lo -MD -MP -MF $(DEPDIR)/prf.Tpo -c -o prf.lo `test -f 'crypto/prfs/prf.c' || echo '$(srcdir)/'`crypto/prfs/prf.c
 @am__fastdepCC_TRUE@	mv -f $(DEPDIR)/prf.Tpo $(DEPDIR)/prf.Plo
@@ -685,6 +743,20 @@ signer.lo: crypto/signers/signer.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o signer.lo `test -f 'crypto/signers/signer.c' || echo '$(srcdir)/'`crypto/signers/signer.c
 
+crypto_factory.lo: crypto/crypto_factory.c
+@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT crypto_factory.lo -MD -MP -MF $(DEPDIR)/crypto_factory.Tpo -c -o crypto_factory.lo `test -f 'crypto/crypto_factory.c' || echo '$(srcdir)/'`crypto/crypto_factory.c
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/crypto_factory.Tpo $(DEPDIR)/crypto_factory.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='crypto/crypto_factory.c' object='crypto_factory.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o crypto_factory.lo `test -f 'crypto/crypto_factory.c' || echo '$(srcdir)/'`crypto/crypto_factory.c
+
+crypto_tester.lo: crypto/crypto_tester.c
+@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT crypto_tester.lo -MD -MP -MF $(DEPDIR)/crypto_tester.Tpo -c -o crypto_tester.lo `test -f 'crypto/crypto_tester.c' || echo '$(srcdir)/'`crypto/crypto_tester.c
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/crypto_tester.Tpo $(DEPDIR)/crypto_tester.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='crypto/crypto_tester.c' object='crypto_tester.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o crypto_tester.lo `test -f 'crypto/crypto_tester.c' || echo '$(srcdir)/'`crypto/crypto_tester.c
+
 diffie_hellman.lo: crypto/diffie_hellman.c
 @am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT diffie_hellman.lo -MD -MP -MF $(DEPDIR)/diffie_hellman.Tpo -c -o diffie_hellman.lo `test -f 'crypto/diffie_hellman.c' || echo '$(srcdir)/'`crypto/diffie_hellman.c
 @am__fastdepCC_TRUE@	mv -f $(DEPDIR)/diffie_hellman.Tpo $(DEPDIR)/diffie_hellman.Plo
@@ -692,12 +764,12 @@ diffie_hellman.lo: crypto/diffie_hellman.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o diffie_hellman.lo `test -f 'crypto/diffie_hellman.c' || echo '$(srcdir)/'`crypto/diffie_hellman.c
 
-crypto_factory.lo: crypto/crypto_factory.c
-@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT crypto_factory.lo -MD -MP -MF $(DEPDIR)/crypto_factory.Tpo -c -o crypto_factory.lo `test -f 'crypto/crypto_factory.c' || echo '$(srcdir)/'`crypto/crypto_factory.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/crypto_factory.Tpo $(DEPDIR)/crypto_factory.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='crypto/crypto_factory.c' object='crypto_factory.lo' libtool=yes @AMDEPBACKSLASH@
+transform.lo: crypto/transform.c
+@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT transform.lo -MD -MP -MF $(DEPDIR)/transform.Tpo -c -o transform.lo `test -f 'crypto/transform.c' || echo '$(srcdir)/'`crypto/transform.c
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/transform.Tpo $(DEPDIR)/transform.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='crypto/transform.c' object='transform.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o crypto_factory.lo `test -f 'crypto/crypto_factory.c' || echo '$(srcdir)/'`crypto/crypto_factory.c
+@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o transform.lo `test -f 'crypto/transform.c' || echo '$(srcdir)/'`crypto/transform.c
 
 credential_factory.lo: credentials/credential_factory.c
 @am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT credential_factory.lo -MD -MP -MF $(DEPDIR)/credential_factory.Tpo -c -o credential_factory.lo `test -f 'credentials/credential_factory.c' || echo '$(srcdir)/'`credentials/credential_factory.c
@@ -762,6 +834,13 @@ ocsp_response.lo: credentials/certificates/ocsp_response.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ocsp_response.lo `test -f 'credentials/certificates/ocsp_response.c' || echo '$(srcdir)/'`credentials/certificates/ocsp_response.c
 
+database_factory.lo: database/database_factory.c
+@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT database_factory.lo -MD -MP -MF $(DEPDIR)/database_factory.Tpo -c -o database_factory.lo `test -f 'database/database_factory.c' || echo '$(srcdir)/'`database/database_factory.c
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/database_factory.Tpo $(DEPDIR)/database_factory.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='database/database_factory.c' object='database_factory.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o database_factory.lo `test -f 'database/database_factory.c' || echo '$(srcdir)/'`database/database_factory.c
+
 fetcher_manager.lo: fetcher/fetcher_manager.c
 @am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT fetcher_manager.lo -MD -MP -MF $(DEPDIR)/fetcher_manager.Tpo -c -o fetcher_manager.lo `test -f 'fetcher/fetcher_manager.c' || echo '$(srcdir)/'`fetcher/fetcher_manager.c
 @am__fastdepCC_TRUE@	mv -f $(DEPDIR)/fetcher_manager.Tpo $(DEPDIR)/fetcher_manager.Plo
@@ -769,12 +848,12 @@ fetcher_manager.lo: fetcher/fetcher_manager.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o fetcher_manager.lo `test -f 'fetcher/fetcher_manager.c' || echo '$(srcdir)/'`fetcher/fetcher_manager.c
 
-database_factory.lo: database/database_factory.c
-@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT database_factory.lo -MD -MP -MF $(DEPDIR)/database_factory.Tpo -c -o database_factory.lo `test -f 'database/database_factory.c' || echo '$(srcdir)/'`database/database_factory.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/database_factory.Tpo $(DEPDIR)/database_factory.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='database/database_factory.c' object='database_factory.lo' libtool=yes @AMDEPBACKSLASH@
+pgp.lo: pgp/pgp.c
+@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pgp.lo -MD -MP -MF $(DEPDIR)/pgp.Tpo -c -o pgp.lo `test -f 'pgp/pgp.c' || echo '$(srcdir)/'`pgp/pgp.c
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/pgp.Tpo $(DEPDIR)/pgp.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='pgp/pgp.c' object='pgp.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o database_factory.lo `test -f 'database/database_factory.c' || echo '$(srcdir)/'`database/database_factory.c
+@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pgp.lo `test -f 'pgp/pgp.c' || echo '$(srcdir)/'`pgp/pgp.c
 
 host.lo: utils/host.c
 @am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT host.lo -MD -MP -MF $(DEPDIR)/host.Tpo -c -o host.lo `test -f 'utils/host.c' || echo '$(srcdir)/'`utils/host.c
@@ -955,7 +1034,7 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
 	mkid -fID $$unique
 tags: TAGS
@@ -1168,11 +1247,16 @@ uninstall-am: uninstall-libLTLIBRARIES
 	uninstall-libLTLIBRARIES
 
 
-asn1/oid.c :	asn1/oid.pl asn1/oid.txt
-		(cd `dirname $<` && $(PERL) `basename $<`)
+$(srcdir)/asn1/oid.c :	$(srcdir)/asn1/oid.pl $(srcdir)/asn1/oid.txt
+		(cd $(srcdir)/asn1/ && $(PERL) oid.pl)
+
+$(srcdir)/asn1/oid.h :	$(srcdir)/asn1/oid.pl $(srcdir)/asn1/oid.txt
+		(cd $(srcdir)/asn1/ && $(PERL) oid.pl)
 
-asn1/oid.h :	asn1/oid.pl asn1/oid.txt
-		(cd `dirname $<` && $(PERL) `basename $<`)
+$(srcdir)/crypto/proposal/proposal_keywords.c:	$(srcdir)/crypto/proposal/proposal_keywords.txt \
+												$(srcdir)/crypto/proposal/proposal_keywords.h
+		$(GPERF) -N proposal_get_token -m 10 -C -G -c -t -D < \
+												$(srcdir)/crypto/proposal/proposal_keywords.txt > $@
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/src/libstrongswan/asn1/asn1.c b/src/libstrongswan/asn1/asn1.c
index 8b9762777..d2078cbbc 100644
--- a/src/libstrongswan/asn1/asn1.c
+++ b/src/libstrongswan/asn1/asn1.c
@@ -13,15 +13,14 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: asn1.c 5041 2009-03-27 08:58:48Z andreas $
  */
 
 #include <stdio.h>
 #include <string.h>
 #include <time.h>
+#include <pthread.h>
 
-#include <library.h>
+#include <utils.h>
 #include <debug.h>
 
 #include "oid.h"
@@ -209,9 +208,13 @@ int asn1_known_oid(chunk_t object)
 		else
 		{
 			if (oid_names[oid].next)
+			{
 				oid = oid_names[oid].next;
+			}
 			else
+			{
 				return OID_UNKNOWN;
+			}
 		}
 	}
 	return -1;
@@ -220,7 +223,39 @@ int asn1_known_oid(chunk_t object)
 /*
  * Defined in header.
  */
-u_int asn1_length(chunk_t *blob)
+chunk_t asn1_build_known_oid(int n)
+{
+	chunk_t oid;
+	int i;
+	
+	if (n < 0 || n >= OID_MAX)
+	{
+		return chunk_empty;
+	}
+	
+	i = oid_names[n].level + 1;
+	oid = chunk_alloc(2 + i);
+	oid.ptr[0] = ASN1_OID;
+	oid.ptr[1] = i;
+	
+	do
+	{
+		if (oid_names[n].level >= i)
+		{
+			n--;
+			continue;
+		}
+		oid.ptr[--i + 2] = oid_names[n--].octet;
+	}
+	while (i > 0);
+	
+	return oid;
+}
+
+/*
+ * Defined in header.
+ */
+size_t asn1_length(chunk_t *blob)
 {
 	u_char n;
 	size_t len;
@@ -261,18 +296,28 @@ u_int asn1_length(chunk_t *blob)
 		len = 256*len + *blob->ptr++;
 		blob->len--;
 	}
+	if (len > blob->len)
+	{
+		DBG2("length is larger than remaining blob size");
+		return ASN1_INVALID_LENGTH;
+	}
 	return len;
 }
 
 #define TIME_MAX	0x7fffffff
 
+static const int days[] = { 0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334 };
+static const int tm_leap_1970 = 477;
+
 /**
  * Converts ASN.1 UTCTIME or GENERALIZEDTIME into calender time
  */
 time_t asn1_to_time(const chunk_t *utctime, asn1_t type)
 {
-	struct tm t;
-	time_t tc, tz_offset;
+	int tm_year, tm_mon, tm_day, tm_days, tm_hour, tm_min, tm_sec;
+	int tm_leap_4, tm_leap_100, tm_leap_400, tm_leap;
+	int tz_hour, tz_min, tz_offset;
+	time_t tm_secs;
 	u_char *eot = NULL;
 	
 	if ((eot = memchr(utctime->ptr, 'Z', utctime->len)) != NULL)
@@ -281,16 +326,18 @@ time_t asn1_to_time(const chunk_t *utctime, asn1_t type)
 	}
 	else if ((eot = memchr(utctime->ptr, '+', utctime->len)) != NULL)
 	{
-		int tz_hour, tz_min;
-	
-		sscanf(eot+1, "%2d%2d", &tz_hour, &tz_min);
+		if (sscanf(eot+1, "%2d%2d", &tz_hour, &tz_min) != 2)
+		{
+			return 0; /* error in positive timezone offset format */
+		}
 		tz_offset = 3600*tz_hour + 60*tz_min;  /* positive time zone offset */
 	}
 	else if ((eot = memchr(utctime->ptr, '-', utctime->len)) != NULL)
 	{
-		int tz_hour, tz_min;
-	
-		sscanf(eot+1, "%2d%2d", &tz_hour, &tz_min);
+		if (sscanf(eot+1, "%2d%2d", &tz_hour, &tz_min) != 2)
+		{
+			return 0; /* error in negative timezone offset format */
+		}
 		tz_offset = -3600*tz_hour - 60*tz_min;  /* negative time zone offset */
 	}
 	else
@@ -303,45 +350,65 @@ time_t asn1_to_time(const chunk_t *utctime, asn1_t type)
 		const char* format = (type == ASN1_UTCTIME)? "%2d%2d%2d%2d%2d":
 													 "%4d%2d%2d%2d%2d";
 	
-		sscanf(utctime->ptr, format, &t.tm_year, &t.tm_mon, &t.tm_mday,
-			   						 &t.tm_hour, &t.tm_min);
+		if (sscanf(utctime->ptr, format, &tm_year, &tm_mon, &tm_day,
+										 &tm_hour, &tm_min) != 5)
+		{
+			return 0; /* error in [yy]yymmddhhmm time format */
+		}
 	}
 	
 	/* is there a seconds field? */
 	if ((eot - utctime->ptr) == ((type == ASN1_UTCTIME)?12:14))
 	{
-		sscanf(eot-2, "%2d", &t.tm_sec);
+		if (sscanf(eot-2, "%2d", &tm_sec) != 1)
+		{
+			return 0; /* error in ss seconds field format */
+		}
 	}
 	else
 	{
-		t.tm_sec = 0;
+		tm_sec = 0;
 	}
 	
-	/* representation of year */
-	if (t.tm_year >= 1900)
+	/* representation of two-digit years */
+	if (type == ASN1_UTCTIME)
 	{
-		t.tm_year -= 1900;
+		tm_year += (tm_year < 50) ? 2000 : 1900;
 	}
-	else if (t.tm_year >= 100)
+	
+	/* prevent large 32 bit integer overflows */
+	if (sizeof(time_t) == 4 && tm_year > 2038)
 	{
-		return 0;
+		return TIME_MAX;
 	}
-	else if (t.tm_year < 50)
+
+	/* representation of months as 0..11*/
+	if (tm_mon < 1 || tm_mon > 12)
 	{
-		t.tm_year += 100;
+		return 0; /* error in month format */
 	}
+	tm_mon--;
 	
-	/* representation of month 0..11*/
-	t.tm_mon--;
-	
-	/* set daylight saving time to off */
-	t.tm_isdst = 0;
-	
-	/* convert to time_t */
-	tc = mktime(&t);
+	/* representation of days as 0..30 */
+	tm_day--;
 
-	/* if no conversion overflow occurred, compensate timezone */
-	return (tc == -1) ? TIME_MAX : (tc - timezone - tz_offset);
+	/* number of leap years between last year and 1970? */
+	tm_leap_4 = (tm_year - 1) / 4;
+	tm_leap_100 = tm_leap_4 / 25;
+	tm_leap_400 = tm_leap_100 / 4;
+	tm_leap = tm_leap_4 - tm_leap_100 + tm_leap_400 - tm_leap_1970;
+
+	/* if date later then February, is the current year a leap year? */
+	if (tm_mon > 1 && (tm_year % 4 == 0) &&
+		(tm_year % 100 != 0 || tm_year % 400 == 0))
+	{
+		tm_leap++;
+	}
+	tm_days = 365 * (tm_year - 1970) + days[tm_mon] + tm_day + tm_leap;
+	tm_secs = 60 * (60 * (24 * tm_days + tm_hour) + tm_min) + tm_sec - tz_offset;
+
+	/* has a 32 bit overflow occurred? */
+	return (tm_secs < 0) ? TIME_MAX : tm_secs;
 }
 
 /**
@@ -626,7 +693,7 @@ chunk_t asn1_simple_object(asn1_t tag, chunk_t content)
 }
 
 /**
- * Build an ASN.1 BITSTRING object
+ * Build an ASN.1 BIT_STRING object
  */
 chunk_t asn1_bitstring(const char *mode, chunk_t content)
 {
@@ -642,6 +709,41 @@ chunk_t asn1_bitstring(const char *mode, chunk_t content)
 	return object;
 }
 
+/**
+ * Build an ASN.1 INTEGER object
+ */
+chunk_t asn1_integer(const char *mode, chunk_t content)
+{
+	chunk_t object;
+	size_t len;
+	u_char *pos;
+
+	if (content.len == 0 || (content.len == 1 && *content.ptr == 0x00))
+	{
+		/* a zero ASN.1 integer does not have a value field */
+		len = 0;
+	}
+	else
+	{
+		/* ASN.1 integers must be positive numbers in two's complement */
+		len = content.len + ((*content.ptr & 0x80) ? 1 : 0);
+	}
+	pos = asn1_build_object(&object, ASN1_INTEGER, len);
+	if (len > content.len)
+	{
+		*pos++ = 0x00;
+	}
+	if (len)
+	{
+		memcpy(pos, content.ptr, content.len);
+	}
+	if (*mode == 'm')
+	{
+		free(content.ptr);
+	}
+	return object;
+}
+
 /**
  * Build an ASN.1 object from a variable number of individual chunks.
  * Depending on the mode, chunks either are moved ('m') or copied ('c').
diff --git a/src/libstrongswan/asn1/asn1.h b/src/libstrongswan/asn1/asn1.h
index 4ea89730c..6a2b594c0 100644
--- a/src/libstrongswan/asn1/asn1.h
+++ b/src/libstrongswan/asn1/asn1.h
@@ -13,8 +13,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: asn1.h 5003 2009-03-24 17:43:01Z martin $
  */
  
 /**
@@ -27,7 +25,8 @@
 
 #include <stdarg.h>
 
-#include <library.h>
+#include <utils.h>
+#include <chunk.h>
 
 /**
  * Definition of some primitive ASN1 types
@@ -106,6 +105,14 @@ chunk_t asn1_algorithmIdentifier(int oid);
  */
 int asn1_known_oid(chunk_t object);
 
+/**
+ * Converts a known OID index to an ASN.1 OID
+ *
+ * @param n			index into the oid_names[] table
+ * @return			allocated OID chunk, chunk_empty if index out of range
+ */
+chunk_t asn1_build_known_oid(int n);
+
 /**
  * Returns the length of an ASN.1 object
  * The blob pointer is advanced past the tag length fields
@@ -113,7 +120,7 @@ int asn1_known_oid(chunk_t object);
  * @param blob		pointer to an ASN.1 coded blob
  * @return			length of ASN.1 object
  */
-u_int asn1_length(chunk_t *blob);
+size_t asn1_length(chunk_t *blob);
 
 /**
  * Parses an ASN.1 algorithmIdentifier object
@@ -220,6 +227,15 @@ chunk_t asn1_simple_object(asn1_t tag, chunk_t content);
  */
 chunk_t asn1_bitstring(const char *mode, chunk_t content);
 
+/**
+ * Build an ASN.1 INTEGER object
+ *
+ * @param mode		'c' for copy or 'm' for move
+ * @param content	content of the INTEGER
+ * @return			chunk containing the ASN.1 coded INTEGER
+ */
+chunk_t asn1_integer(const char *mode, chunk_t content);
+
 /**
  * Build an ASN.1 object from a variable number of individual chunks
  *
diff --git a/src/libstrongswan/asn1/asn1_parser.c b/src/libstrongswan/asn1/asn1_parser.c
index 7a2028fc3..bc4c0b50f 100644
--- a/src/libstrongswan/asn1/asn1_parser.c
+++ b/src/libstrongswan/asn1/asn1_parser.c
@@ -13,15 +13,13 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: asn1_parser.c 3894 2008-04-28 18:44:21Z andreas $
  */
 
 #include <stdio.h>
 #include <string.h>
 #include <time.h>
 
-#include <library.h>
+#include <utils.h>
 #include <debug.h>
 
 #include "asn1.h"
@@ -160,7 +158,7 @@ static bool iterate(private_asn1_parser_t *this, int *objectID, chunk_t *object)
 	
 	blob1->len = asn1_length(blob);
 	
-	if (blob1->len == ASN1_INVALID_LENGTH || blob->len < blob1->len)
+	if (blob1->len == ASN1_INVALID_LENGTH)
 	{
 		DBG1("L%d - %s:  length of ASN.1 object invalid or too large", 
 					level, obj.name);
diff --git a/src/libstrongswan/asn1/asn1_parser.h b/src/libstrongswan/asn1/asn1_parser.h
index bcc966e04..b2f4133a1 100644
--- a/src/libstrongswan/asn1/asn1_parser.h
+++ b/src/libstrongswan/asn1/asn1_parser.h
@@ -13,8 +13,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: asn1_parser.h 5003 2009-03-24 17:43:01Z martin $
  */
  
 /**
@@ -27,7 +25,9 @@
 
 #include <stdarg.h>
 
-#include <library.h>
+#include <utils.h>
+#include <chunk.h>
+#include <asn1/asn1.h>
 
 /**
  * Definition of ASN.1 flags
diff --git a/src/libstrongswan/asn1/oid.c b/src/libstrongswan/asn1/oid.c
index f9eb26d1d..53657b514 100644
--- a/src/libstrongswan/asn1/oid.c
+++ b/src/libstrongswan/asn1/oid.c
@@ -10,270 +10,300 @@
 #include "oid.h"
 
 const oid_t oid_names[] = {
-  {0x02,                       7, 1, "ITU-T Administration"      },  /*   0 */
-  {  0x82,                     0, 1, ""                          },  /*   1 */
-  {    0x06,                   0, 1, "Germany ITU-T member"      },  /*   2 */
-  {      0x01,                 0, 1, "Deutsche Telekom AG"       },  /*   3 */
-  {        0x0A,               0, 1, ""                          },  /*   4 */
-  {          0x07,             0, 1, ""                          },  /*   5 */
-  {            0x14,           0, 0, "ND"                        },  /*   6 */
-  {0x09,                      18, 1, "data"                      },  /*   7 */
-  {  0x92,                     0, 1, ""                          },  /*   8 */
-  {    0x26,                   0, 1, ""                          },  /*   9 */
-  {      0x89,                 0, 1, ""                          },  /*  10 */
-  {        0x93,               0, 1, ""                          },  /*  11 */
-  {          0xF2,             0, 1, ""                          },  /*  12 */
-  {            0x2C,           0, 1, ""                          },  /*  13 */
-  {              0x64,         0, 1, "pilot"                     },  /*  14 */
-  {                0x01,       0, 1, "pilotAttributeType"        },  /*  15 */
-  {                  0x01,    17, 0, "UID"                       },  /*  16 */
-  {                  0x19,     0, 0, "DC"                        },  /*  17 */
-  {0x55,                      52, 1, "X.500"                     },  /*  18 */
-  {  0x04,                    36, 1, "X.509"                     },  /*  19 */
-  {    0x03,                  21, 0, "CN"                        },  /*  20 */
-  {    0x04,                  22, 0, "S"                         },  /*  21 */
-  {    0x05,                  23, 0, "SN"                        },  /*  22 */
-  {    0x06,                  24, 0, "C"                         },  /*  23 */
-  {    0x07,                  25, 0, "L"                         },  /*  24 */
-  {    0x08,                  26, 0, "ST"                        },  /*  25 */
-  {    0x0A,                  27, 0, "O"                         },  /*  26 */
-  {    0x0B,                  28, 0, "OU"                        },  /*  27 */
-  {    0x0C,                  29, 0, "T"                         },  /*  28 */
-  {    0x0D,                  30, 0, "D"                         },  /*  29 */
-  {    0x24,                  31, 0, "userCertificate"           },  /*  30 */
-  {    0x29,                  32, 0, "N"                         },  /*  31 */
-  {    0x2A,                  33, 0, "G"                         },  /*  32 */
-  {    0x2B,                  34, 0, "I"                         },  /*  33 */
-  {    0x2D,                  35, 0, "ID"                        },  /*  34 */
-  {    0x48,                   0, 0, "role"                      },  /*  35 */
-  {  0x1D,                     0, 1, "id-ce"                     },  /*  36 */
-  {    0x09,                  38, 0, "subjectDirectoryAttrs"     },  /*  37 */
-  {    0x0E,                  39, 0, "subjectKeyIdentifier"      },  /*  38 */
-  {    0x0F,                  40, 0, "keyUsage"                  },  /*  39 */
-  {    0x10,                  41, 0, "privateKeyUsagePeriod"     },  /*  40 */
-  {    0x11,                  42, 0, "subjectAltName"            },  /*  41 */
-  {    0x12,                  43, 0, "issuerAltName"             },  /*  42 */
-  {    0x13,                  44, 0, "basicConstraints"          },  /*  43 */
-  {    0x14,                  45, 0, "crlNumber"                 },  /*  44 */
-  {    0x15,                  46, 0, "reasonCode"                },  /*  45 */
-  {    0x1F,                  47, 0, "crlDistributionPoints"     },  /*  46 */
-  {    0x20,                  48, 0, "certificatePolicies"       },  /*  47 */
-  {    0x23,                  49, 0, "authorityKeyIdentifier"    },  /*  48 */
-  {    0x25,                  50, 0, "extendedKeyUsage"          },  /*  49 */
-  {    0x37,                  51, 0, "targetInformation"         },  /*  50 */
-  {    0x38,                   0, 0, "noRevAvail"                },  /*  51 */
-  {0x2A,                     131, 1, ""                          },  /*  52 */
-  {  0x86,                     0, 1, ""                          },  /*  53 */
-  {    0x48,                   0, 1, ""                          },  /*  54 */
-  {      0x86,                95, 1, ""                          },  /*  55 */
-  {        0xF6,              61, 1, ""                          },  /*  56 */
-  {          0x7D,             0, 1, "NortelNetworks"            },  /*  57 */
-  {            0x07,           0, 1, "Entrust"                   },  /*  58 */
-  {              0x41,         0, 1, "nsn-ce"                    },  /*  59 */
-  {                0x00,       0, 0, "entrustVersInfo"           },  /*  60 */
-  {        0xF7,               0, 1, ""                          },  /*  61 */
-  {          0x0D,             0, 1, "RSADSI"                    },  /*  62 */
-  {            0x01,          90, 1, "PKCS"                      },  /*  63 */
-  {              0x01,        72, 1, "PKCS-1"                    },  /*  64 */
-  {                0x01,      66, 0, "rsaEncryption"             },  /*  65 */
-  {                0x02,      67, 0, "md2WithRSAEncryption"      },  /*  66 */
-  {                0x04,      68, 0, "md5WithRSAEncryption"      },  /*  67 */
-  {                0x05,      69, 0, "sha-1WithRSAEncryption"    },  /*  68 */
-  {                0x0B,      70, 0, "sha256WithRSAEncryption"   },  /*  69 */
-  {                0x0C,      71, 0, "sha384WithRSAEncryption"   },  /*  70 */
-  {                0x0D,       0, 0, "sha512WithRSAEncryption"   },  /*  71 */
-  {              0x07,        79, 1, "PKCS-7"                    },  /*  72 */
-  {                0x01,      74, 0, "data"                      },  /*  73 */
-  {                0x02,      75, 0, "signedData"                },  /*  74 */
-  {                0x03,      76, 0, "envelopedData"             },  /*  75 */
-  {                0x04,      77, 0, "signedAndEnvelopedData"    },  /*  76 */
-  {                0x05,      78, 0, "digestedData"              },  /*  77 */
-  {                0x06,       0, 0, "encryptedData"             },  /*  78 */
-  {              0x09,         0, 1, "PKCS-9"                    },  /*  79 */
-  {                0x01,      81, 0, "E"                         },  /*  80 */
-  {                0x02,      82, 0, "unstructuredName"          },  /*  81 */
-  {                0x03,      83, 0, "contentType"               },  /*  82 */
-  {                0x04,      84, 0, "messageDigest"             },  /*  83 */
-  {                0x05,      85, 0, "signingTime"               },  /*  84 */
-  {                0x06,      86, 0, "counterSignature"          },  /*  85 */
-  {                0x07,      87, 0, "challengePassword"         },  /*  86 */
-  {                0x08,      88, 0, "unstructuredAddress"       },  /*  87 */
-  {                0x0E,      89, 0, "extensionRequest"          },  /*  88 */
-  {                0x0F,       0, 0, "S/MIME Capabilities"       },  /*  89 */
-  {            0x02,          93, 1, "digestAlgorithm"           },  /*  90 */
-  {              0x02,        92, 0, "md2"                       },  /*  91 */
-  {              0x05,         0, 0, "md5"                       },  /*  92 */
-  {            0x03,           0, 1, "encryptionAlgorithm"       },  /*  93 */
-  {              0x07,         0, 0, "3des-ede-cbc"              },  /*  94 */
-  {      0xCE,                 0, 1, ""                          },  /*  95 */
-  {        0x3D,               0, 1, "ansi-X9-62"                },  /*  96 */
-  {          0x02,            99, 1, "id-publicKeyType"          },  /*  97 */
-  {            0x01,           0, 0, "id-ecPublicKey"            },  /*  98 */
-  {          0x03,           129, 1, "ellipticCurve"             },  /*  99 */
-  {            0x00,         121, 1, "c-TwoCurve"                },  /* 100 */
-  {              0x01,       102, 0, "c2pnb163v1"                },  /* 101 */
-  {              0x02,       103, 0, "c2pnb163v2"                },  /* 102 */
-  {              0x03,       104, 0, "c2pnb163v3"                },  /* 103 */
-  {              0x04,       105, 0, "c2pnb176w1"                },  /* 104 */
-  {              0x05,       106, 0, "c2tnb191v1"                },  /* 105 */
-  {              0x06,       107, 0, "c2tnb191v2"                },  /* 106 */
-  {              0x07,       108, 0, "c2tnb191v3"                },  /* 107 */
-  {              0x08,       109, 0, "c2onb191v4"                },  /* 108 */
-  {              0x09,       110, 0, "c2onb191v5"                },  /* 109 */
-  {              0x0A,       111, 0, "c2pnb208w1"                },  /* 110 */
-  {              0x0B,       112, 0, "c2tnb239v1"                },  /* 111 */
-  {              0x0C,       113, 0, "c2tnb239v2"                },  /* 112 */
-  {              0x0D,       114, 0, "c2tnb239v3"                },  /* 113 */
-  {              0x0E,       115, 0, "c2onb239v4"                },  /* 114 */
-  {              0x0F,       116, 0, "c2onb239v5"                },  /* 115 */
-  {              0x10,       117, 0, "c2pnb272w1"                },  /* 116 */
-  {              0x11,       118, 0, "c2pnb304w1"                },  /* 117 */
-  {              0x12,       119, 0, "c2tnb359v1"                },  /* 118 */
-  {              0x13,       120, 0, "c2pnb368w1"                },  /* 119 */
-  {              0x14,         0, 0, "c2tnb431r1"                },  /* 120 */
-  {            0x01,           0, 1, "primeCurve"                },  /* 121 */
-  {              0x01,       123, 0, "prime192v1"                },  /* 122 */
-  {              0x02,       124, 0, "prime192v2"                },  /* 123 */
-  {              0x03,       125, 0, "prime192v3"                },  /* 124 */
-  {              0x04,       126, 0, "prime239v1"                },  /* 125 */
-  {              0x05,       127, 0, "prime239v2"                },  /* 126 */
-  {              0x06,       128, 0, "prime239v3"                },  /* 127 */
-  {              0x07,         0, 0, "prime256v1"                },  /* 128 */
-  {          0x04,             0, 1, "id-ecSigType"              },  /* 129 */
-  {            0x01,           0, 0, "ecdsa-with-SHA1"           },  /* 130 */
-  {0x2B,                     231, 1, ""                          },  /* 131 */
-  {  0x06,                   184, 1, "dod"                       },  /* 132 */
-  {    0x01,                   0, 1, "internet"                  },  /* 133 */
-  {      0x04,               152, 1, "private"                   },  /* 134 */
-  {        0x01,               0, 1, "enterprise"                },  /* 135 */
-  {          0x82,           145, 1, ""                          },  /* 136 */
-  {            0x37,           0, 1, "Microsoft"                 },  /* 137 */
-  {              0x0A,       142, 1, ""                          },  /* 138 */
-  {                0x03,       0, 1, ""                          },  /* 139 */
-  {                  0x03,   141, 0, "msSGC"                     },  /* 140 */
-  {                  0x04,     0, 0, "msEncryptingFileSystem"    },  /* 141 */
-  {              0x14,         0, 1, "msEnrollmentInfrastructure"},  /* 142 */
-  {                0x02,       0, 1, "msCertificateTypeExtension"},  /* 143 */
-  {                  0x02,     0, 0, "msSmartcardLogon"          },  /* 144 */
-  {          0x89,             0, 1, ""                          },  /* 145 */
-  {            0x31,           0, 1, ""                          },  /* 146 */
-  {              0x01,         0, 1, ""                          },  /* 147 */
-  {                0x01,       0, 1, ""                          },  /* 148 */
-  {                  0x02,     0, 1, ""                          },  /* 149 */
-  {                    0x02, 151, 0, ""                          },  /* 150 */
-  {                    0x4B,   0, 0, "TCGID"                     },  /* 151 */
-  {      0x05,                 0, 1, "security"                  },  /* 152 */
-  {        0x05,               0, 1, "mechanisms"                },  /* 153 */
-  {          0x07,             0, 1, "id-pkix"                   },  /* 154 */
-  {            0x01,         157, 1, "id-pe"                     },  /* 155 */
-  {              0x01,         0, 0, "authorityInfoAccess"       },  /* 156 */
-  {            0x03,         167, 1, "id-kp"                     },  /* 157 */
-  {              0x01,       159, 0, "serverAuth"                },  /* 158 */
-  {              0x02,       160, 0, "clientAuth"                },  /* 159 */
-  {              0x03,       161, 0, "codeSigning"               },  /* 160 */
-  {              0x04,       162, 0, "emailProtection"           },  /* 161 */
-  {              0x05,       163, 0, "ipsecEndSystem"            },  /* 162 */
-  {              0x06,       164, 0, "ipsecTunnel"               },  /* 163 */
-  {              0x07,       165, 0, "ipsecUser"                 },  /* 164 */
-  {              0x08,       166, 0, "timeStamping"              },  /* 165 */
-  {              0x09,         0, 0, "ocspSigning"               },  /* 166 */
-  {            0x08,         169, 1, "id-otherNames"             },  /* 167 */
-  {              0x05,         0, 0, "xmppAddr"                  },  /* 168 */
-  {            0x0A,         174, 1, "id-aca"                    },  /* 169 */
-  {              0x01,       171, 0, "authenticationInfo"        },  /* 170 */
-  {              0x02,       172, 0, "accessIdentity"            },  /* 171 */
-  {              0x03,       173, 0, "chargingIdentity"          },  /* 172 */
-  {              0x04,         0, 0, "group"                     },  /* 173 */
-  {            0x30,           0, 1, "id-ad"                     },  /* 174 */
-  {              0x01,       183, 1, "ocsp"                      },  /* 175 */
-  {                0x01,     177, 0, "basic"                     },  /* 176 */
-  {                0x02,     178, 0, "nonce"                     },  /* 177 */
-  {                0x03,     179, 0, "crl"                       },  /* 178 */
-  {                0x04,     180, 0, "response"                  },  /* 179 */
-  {                0x05,     181, 0, "noCheck"                   },  /* 180 */
-  {                0x06,     182, 0, "archiveCutoff"             },  /* 181 */
-  {                0x07,       0, 0, "serviceLocator"            },  /* 182 */
-  {              0x02,         0, 0, "caIssuers"                 },  /* 183 */
-  {  0x0E,                   190, 1, "oiw"                       },  /* 184 */
-  {    0x03,                   0, 1, "secsig"                    },  /* 185 */
-  {      0x02,                 0, 1, "algorithms"                },  /* 186 */
-  {        0x07,             188, 0, "des-cbc"                   },  /* 187 */
-  {        0x1A,             189, 0, "sha-1"                     },  /* 188 */
-  {        0x1D,               0, 0, "sha-1WithRSASignature"     },  /* 189 */
-  {  0x24,                   197, 1, "TeleTrusT"                 },  /* 190 */
-  {    0x03,                   0, 1, "algorithm"                 },  /* 191 */
-  {      0x03,                 0, 1, "signatureAlgorithm"        },  /* 192 */
-  {        0x01,               0, 1, "rsaSignature"              },  /* 193 */
-  {          0x02,           195, 0, "rsaSigWithripemd160"       },  /* 194 */
-  {          0x03,           196, 0, "rsaSigWithripemd128"       },  /* 195 */
-  {          0x04,             0, 0, "rsaSigWithripemd256"       },  /* 196 */
-  {  0x81,                     0, 1, ""                          },  /* 197 */
-  {    0x04,                   0, 1, "Certicom"                  },  /* 198 */
-  {      0x00,                 0, 1, "curve"                     },  /* 199 */
-  {        0x01,             201, 0, "sect163k1"                 },  /* 200 */
-  {        0x02,             202, 0, "sect163r1"                 },  /* 201 */
-  {        0x03,             203, 0, "sect239k1"                 },  /* 202 */
-  {        0x04,             204, 0, "sect113r1"                 },  /* 203 */
-  {        0x05,             205, 0, "sect113r2"                 },  /* 204 */
-  {        0x06,             206, 0, "secp112r1"                 },  /* 205 */
-  {        0x07,             207, 0, "secp112r2"                 },  /* 206 */
-  {        0x08,             208, 0, "secp160r1"                 },  /* 207 */
-  {        0x09,             209, 0, "secp160k1"                 },  /* 208 */
-  {        0x0A,             210, 0, "secp256k1"                 },  /* 209 */
-  {        0x0F,             211, 0, "sect163r2"                 },  /* 210 */
-  {        0x10,             212, 0, "sect283k1"                 },  /* 211 */
-  {        0x11,             213, 0, "sect283r1"                 },  /* 212 */
-  {        0x16,             214, 0, "sect131r1"                 },  /* 213 */
-  {        0x17,             215, 0, "sect131r2"                 },  /* 214 */
-  {        0x18,             216, 0, "sect193r1"                 },  /* 215 */
-  {        0x19,             217, 0, "sect193r2"                 },  /* 216 */
-  {        0x1A,             218, 0, "sect233k1"                 },  /* 217 */
-  {        0x1B,             219, 0, "sect233r1"                 },  /* 218 */
-  {        0x1C,             220, 0, "secp128r1"                 },  /* 219 */
-  {        0x1D,             221, 0, "secp128r2"                 },  /* 220 */
-  {        0x1E,             222, 0, "secp160r2"                 },  /* 221 */
-  {        0x1F,             223, 0, "secp192k1"                 },  /* 222 */
-  {        0x20,             224, 0, "secp224k1"                 },  /* 223 */
-  {        0x21,             225, 0, "secp224r1"                 },  /* 224 */
-  {        0x22,             226, 0, "secp384r1"                 },  /* 225 */
-  {        0x23,             227, 0, "secp521r1"                 },  /* 226 */
-  {        0x24,             228, 0, "sect409k1"                 },  /* 227 */
-  {        0x25,             229, 0, "sect409r1"                 },  /* 228 */
-  {        0x26,             230, 0, "sect571k1"                 },  /* 229 */
-  {        0x27,               0, 0, "sect571r1"                 },  /* 230 */
-  {0x60,                       0, 1, ""                          },  /* 231 */
-  {  0x86,                     0, 1, ""                          },  /* 232 */
-  {    0x48,                   0, 1, ""                          },  /* 233 */
-  {      0x01,                 0, 1, "organization"              },  /* 234 */
-  {        0x65,             242, 1, "gov"                       },  /* 235 */
-  {          0x03,             0, 1, "csor"                      },  /* 236 */
-  {            0x04,           0, 1, "nistalgorithm"             },  /* 237 */
-  {              0x02,         0, 1, "hashalgs"                  },  /* 238 */
-  {                0x01,     240, 0, "id-SHA-256"                },  /* 239 */
-  {                0x02,     241, 0, "id-SHA-384"                },  /* 240 */
-  {                0x03,       0, 0, "id-SHA-512"                },  /* 241 */
-  {        0x86,               0, 1, ""                          },  /* 242 */
-  {          0xf8,             0, 1, ""                          },  /* 243 */
-  {            0x42,         256, 1, "netscape"                  },  /* 244 */
-  {              0x01,       251, 1, ""                          },  /* 245 */
-  {                0x01,     247, 0, "nsCertType"                },  /* 246 */
-  {                0x03,     248, 0, "nsRevocationUrl"           },  /* 247 */
-  {                0x04,     249, 0, "nsCaRevocationUrl"         },  /* 248 */
-  {                0x08,     250, 0, "nsCaPolicyUrl"             },  /* 249 */
-  {                0x0d,       0, 0, "nsComment"                 },  /* 250 */
-  {              0x03,       254, 1, "directory"                 },  /* 251 */
-  {                0x01,       0, 1, ""                          },  /* 252 */
-  {                  0x03,     0, 0, "employeeNumber"            },  /* 253 */
-  {              0x04,         0, 1, "policy"                    },  /* 254 */
-  {                0x01,       0, 0, "nsSGC"                     },  /* 255 */
-  {            0x45,           0, 1, "verisign"                  },  /* 256 */
-  {              0x01,         0, 1, "pki"                       },  /* 257 */
-  {                0x09,       0, 1, "attributes"                },  /* 258 */
-  {                  0x02,   260, 0, "messageType"               },  /* 259 */
-  {                  0x03,   261, 0, "pkiStatus"                 },  /* 260 */
-  {                  0x04,   262, 0, "failInfo"                  },  /* 261 */
-  {                  0x05,   263, 0, "senderNonce"               },  /* 262 */
-  {                  0x06,   264, 0, "recipientNonce"            },  /* 263 */
-  {                  0x07,   265, 0, "transID"                   },  /* 264 */
-  {                  0x08,     0, 0, "extensionReq"              }   /* 265 */
+ {0x02,                       7, 1,  0, "ITU-T Administration"      }, /*   0 */
+ {  0x82,                     0, 1,  1, ""                          }, /*   1 */
+ {    0x06,                   0, 1,  2, "Germany ITU-T member"      }, /*   2 */
+ {      0x01,                 0, 1,  3, "Deutsche Telekom AG"       }, /*   3 */
+ {        0x0A,               0, 1,  4, ""                          }, /*   4 */
+ {          0x07,             0, 1,  5, ""                          }, /*   5 */
+ {            0x14,           0, 0,  6, "ND"                        }, /*   6 */
+ {0x09,                      18, 1,  0, "data"                      }, /*   7 */
+ {  0x92,                     0, 1,  1, ""                          }, /*   8 */
+ {    0x26,                   0, 1,  2, ""                          }, /*   9 */
+ {      0x89,                 0, 1,  3, ""                          }, /*  10 */
+ {        0x93,               0, 1,  4, ""                          }, /*  11 */
+ {          0xF2,             0, 1,  5, ""                          }, /*  12 */
+ {            0x2C,           0, 1,  6, ""                          }, /*  13 */
+ {              0x64,         0, 1,  7, "pilot"                     }, /*  14 */
+ {                0x01,       0, 1,  8, "pilotAttributeType"        }, /*  15 */
+ {                  0x01,    17, 0,  9, "UID"                       }, /*  16 */
+ {                  0x19,     0, 0,  9, "DC"                        }, /*  17 */
+ {0x55,                      52, 1,  0, "X.500"                     }, /*  18 */
+ {  0x04,                    36, 1,  1, "X.509"                     }, /*  19 */
+ {    0x03,                  21, 0,  2, "CN"                        }, /*  20 */
+ {    0x04,                  22, 0,  2, "S"                         }, /*  21 */
+ {    0x05,                  23, 0,  2, "SN"                        }, /*  22 */
+ {    0x06,                  24, 0,  2, "C"                         }, /*  23 */
+ {    0x07,                  25, 0,  2, "L"                         }, /*  24 */
+ {    0x08,                  26, 0,  2, "ST"                        }, /*  25 */
+ {    0x0A,                  27, 0,  2, "O"                         }, /*  26 */
+ {    0x0B,                  28, 0,  2, "OU"                        }, /*  27 */
+ {    0x0C,                  29, 0,  2, "T"                         }, /*  28 */
+ {    0x0D,                  30, 0,  2, "D"                         }, /*  29 */
+ {    0x24,                  31, 0,  2, "userCertificate"           }, /*  30 */
+ {    0x29,                  32, 0,  2, "N"                         }, /*  31 */
+ {    0x2A,                  33, 0,  2, "G"                         }, /*  32 */
+ {    0x2B,                  34, 0,  2, "I"                         }, /*  33 */
+ {    0x2D,                  35, 0,  2, "ID"                        }, /*  34 */
+ {    0x48,                   0, 0,  2, "role"                      }, /*  35 */
+ {  0x1D,                     0, 1,  1, "id-ce"                     }, /*  36 */
+ {    0x09,                  38, 0,  2, "subjectDirectoryAttrs"     }, /*  37 */
+ {    0x0E,                  39, 0,  2, "subjectKeyIdentifier"      }, /*  38 */
+ {    0x0F,                  40, 0,  2, "keyUsage"                  }, /*  39 */
+ {    0x10,                  41, 0,  2, "privateKeyUsagePeriod"     }, /*  40 */
+ {    0x11,                  42, 0,  2, "subjectAltName"            }, /*  41 */
+ {    0x12,                  43, 0,  2, "issuerAltName"             }, /*  42 */
+ {    0x13,                  44, 0,  2, "basicConstraints"          }, /*  43 */
+ {    0x14,                  45, 0,  2, "crlNumber"                 }, /*  44 */
+ {    0x15,                  46, 0,  2, "reasonCode"                }, /*  45 */
+ {    0x1F,                  47, 0,  2, "crlDistributionPoints"     }, /*  46 */
+ {    0x20,                  48, 0,  2, "certificatePolicies"       }, /*  47 */
+ {    0x23,                  49, 0,  2, "authorityKeyIdentifier"    }, /*  48 */
+ {    0x25,                  50, 0,  2, "extendedKeyUsage"          }, /*  49 */
+ {    0x37,                  51, 0,  2, "targetInformation"         }, /*  50 */
+ {    0x38,                   0, 0,  2, "noRevAvail"                }, /*  51 */
+ {0x2A,                     143, 1,  0, ""                          }, /*  52 */
+ {  0x83,                    65, 1,  1, ""                          }, /*  53 */
+ {    0x08,                   0, 1,  2, "jp"                        }, /*  54 */
+ {      0x8C,                 0, 1,  3, ""                          }, /*  55 */
+ {        0x9A,               0, 1,  4, ""                          }, /*  56 */
+ {          0x4B,             0, 1,  5, ""                          }, /*  57 */
+ {            0x3D,           0, 1,  6, ""                          }, /*  58 */
+ {              0x01,         0, 1,  7, "security"                  }, /*  59 */
+ {                0x01,       0, 1,  8, "algorithm"                 }, /*  60 */
+ {                  0x01,     0, 1,  9, "symm-encryption-alg"       }, /*  61 */
+ {                    0x02,  63, 0, 10, "camellia128-cbc"           }, /*  62 */
+ {                    0x03,  64, 0, 10, "camellia192-cbc"           }, /*  63 */
+ {                    0x04,   0, 0, 10, "camellia256-cbc"           }, /*  64 */
+ {  0x86,                     0, 1,  1, ""                          }, /*  65 */
+ {    0x48,                   0, 1,  2, "us"                        }, /*  66 */
+ {      0x86,               107, 1,  3, ""                          }, /*  67 */
+ {        0xF6,              73, 1,  4, ""                          }, /*  68 */
+ {          0x7D,             0, 1,  5, "NortelNetworks"            }, /*  69 */
+ {            0x07,           0, 1,  6, "Entrust"                   }, /*  70 */
+ {              0x41,         0, 1,  7, "nsn-ce"                    }, /*  71 */
+ {                0x00,       0, 0,  8, "entrustVersInfo"           }, /*  72 */
+ {        0xF7,               0, 1,  4, ""                          }, /*  73 */
+ {          0x0D,             0, 1,  5, "RSADSI"                    }, /*  74 */
+ {            0x01,         102, 1,  6, "PKCS"                      }, /*  75 */
+ {              0x01,        84, 1,  7, "PKCS-1"                    }, /*  76 */
+ {                0x01,      78, 0,  8, "rsaEncryption"             }, /*  77 */
+ {                0x02,      79, 0,  8, "md2WithRSAEncryption"      }, /*  78 */
+ {                0x04,      80, 0,  8, "md5WithRSAEncryption"      }, /*  79 */
+ {                0x05,      81, 0,  8, "sha-1WithRSAEncryption"    }, /*  80 */
+ {                0x0B,      82, 0,  8, "sha256WithRSAEncryption"   }, /*  81 */
+ {                0x0C,      83, 0,  8, "sha384WithRSAEncryption"   }, /*  82 */
+ {                0x0D,       0, 0,  8, "sha512WithRSAEncryption"   }, /*  83 */
+ {              0x07,        91, 1,  7, "PKCS-7"                    }, /*  84 */
+ {                0x01,      86, 0,  8, "data"                      }, /*  85 */
+ {                0x02,      87, 0,  8, "signedData"                }, /*  86 */
+ {                0x03,      88, 0,  8, "envelopedData"             }, /*  87 */
+ {                0x04,      89, 0,  8, "signedAndEnvelopedData"    }, /*  88 */
+ {                0x05,      90, 0,  8, "digestedData"              }, /*  89 */
+ {                0x06,       0, 0,  8, "encryptedData"             }, /*  90 */
+ {              0x09,         0, 1,  7, "PKCS-9"                    }, /*  91 */
+ {                0x01,      93, 0,  8, "E"                         }, /*  92 */
+ {                0x02,      94, 0,  8, "unstructuredName"          }, /*  93 */
+ {                0x03,      95, 0,  8, "contentType"               }, /*  94 */
+ {                0x04,      96, 0,  8, "messageDigest"             }, /*  95 */
+ {                0x05,      97, 0,  8, "signingTime"               }, /*  96 */
+ {                0x06,      98, 0,  8, "counterSignature"          }, /*  97 */
+ {                0x07,      99, 0,  8, "challengePassword"         }, /*  98 */
+ {                0x08,     100, 0,  8, "unstructuredAddress"       }, /*  99 */
+ {                0x0E,     101, 0,  8, "extensionRequest"          }, /* 100 */
+ {                0x0F,       0, 0,  8, "S/MIME Capabilities"       }, /* 101 */
+ {            0x02,         105, 1,  6, "digestAlgorithm"           }, /* 102 */
+ {              0x02,       104, 0,  7, "md2"                       }, /* 103 */
+ {              0x05,         0, 0,  7, "md5"                       }, /* 104 */
+ {            0x03,           0, 1,  6, "encryptionAlgorithm"       }, /* 105 */
+ {              0x07,         0, 0,  7, "3des-ede-cbc"              }, /* 106 */
+ {      0xCE,                 0, 1,  3, ""                          }, /* 107 */
+ {        0x3D,               0, 1,  4, "ansi-X9-62"                }, /* 108 */
+ {          0x02,           111, 1,  5, "id-publicKeyType"          }, /* 109 */
+ {            0x01,           0, 0,  6, "id-ecPublicKey"            }, /* 110 */
+ {          0x03,           141, 1,  5, "ellipticCurve"             }, /* 111 */
+ {            0x00,         133, 1,  6, "c-TwoCurve"                }, /* 112 */
+ {              0x01,       114, 0,  7, "c2pnb163v1"                }, /* 113 */
+ {              0x02,       115, 0,  7, "c2pnb163v2"                }, /* 114 */
+ {              0x03,       116, 0,  7, "c2pnb163v3"                }, /* 115 */
+ {              0x04,       117, 0,  7, "c2pnb176w1"                }, /* 116 */
+ {              0x05,       118, 0,  7, "c2tnb191v1"                }, /* 117 */
+ {              0x06,       119, 0,  7, "c2tnb191v2"                }, /* 118 */
+ {              0x07,       120, 0,  7, "c2tnb191v3"                }, /* 119 */
+ {              0x08,       121, 0,  7, "c2onb191v4"                }, /* 120 */
+ {              0x09,       122, 0,  7, "c2onb191v5"                }, /* 121 */
+ {              0x0A,       123, 0,  7, "c2pnb208w1"                }, /* 122 */
+ {              0x0B,       124, 0,  7, "c2tnb239v1"                }, /* 123 */
+ {              0x0C,       125, 0,  7, "c2tnb239v2"                }, /* 124 */
+ {              0x0D,       126, 0,  7, "c2tnb239v3"                }, /* 125 */
+ {              0x0E,       127, 0,  7, "c2onb239v4"                }, /* 126 */
+ {              0x0F,       128, 0,  7, "c2onb239v5"                }, /* 127 */
+ {              0x10,       129, 0,  7, "c2pnb272w1"                }, /* 128 */
+ {              0x11,       130, 0,  7, "c2pnb304w1"                }, /* 129 */
+ {              0x12,       131, 0,  7, "c2tnb359v1"                }, /* 130 */
+ {              0x13,       132, 0,  7, "c2pnb368w1"                }, /* 131 */
+ {              0x14,         0, 0,  7, "c2tnb431r1"                }, /* 132 */
+ {            0x01,           0, 1,  6, "primeCurve"                }, /* 133 */
+ {              0x01,       135, 0,  7, "prime192v1"                }, /* 134 */
+ {              0x02,       136, 0,  7, "prime192v2"                }, /* 135 */
+ {              0x03,       137, 0,  7, "prime192v3"                }, /* 136 */
+ {              0x04,       138, 0,  7, "prime239v1"                }, /* 137 */
+ {              0x05,       139, 0,  7, "prime239v2"                }, /* 138 */
+ {              0x06,       140, 0,  7, "prime239v3"                }, /* 139 */
+ {              0x07,         0, 0,  7, "prime256v1"                }, /* 140 */
+ {          0x04,             0, 1,  5, "id-ecSigType"              }, /* 141 */
+ {            0x01,           0, 0,  6, "ecdsa-with-SHA1"           }, /* 142 */
+ {0x2B,                     243, 1,  0, ""                          }, /* 143 */
+ {  0x06,                   196, 1,  1, "dod"                       }, /* 144 */
+ {    0x01,                   0, 1,  2, "internet"                  }, /* 145 */
+ {      0x04,               164, 1,  3, "private"                   }, /* 146 */
+ {        0x01,               0, 1,  4, "enterprise"                }, /* 147 */
+ {          0x82,           157, 1,  5, ""                          }, /* 148 */
+ {            0x37,           0, 1,  6, "Microsoft"                 }, /* 149 */
+ {              0x0A,       154, 1,  7, ""                          }, /* 150 */
+ {                0x03,       0, 1,  8, ""                          }, /* 151 */
+ {                  0x03,   153, 0,  9, "msSGC"                     }, /* 152 */
+ {                  0x04,     0, 0,  9, "msEncryptingFileSystem"    }, /* 153 */
+ {              0x14,         0, 1,  7, "msEnrollmentInfrastructure"}, /* 154 */
+ {                0x02,       0, 1,  8, "msCertificateTypeExtension"}, /* 155 */
+ {                  0x02,     0, 0,  9, "msSmartcardLogon"          }, /* 156 */
+ {          0x89,             0, 1,  5, ""                          }, /* 157 */
+ {            0x31,           0, 1,  6, ""                          }, /* 158 */
+ {              0x01,         0, 1,  7, ""                          }, /* 159 */
+ {                0x01,       0, 1,  8, ""                          }, /* 160 */
+ {                  0x02,     0, 1,  9, ""                          }, /* 161 */
+ {                    0x02, 163, 0, 10, ""                          }, /* 162 */
+ {                    0x4B,   0, 0, 10, "TCGID"                     }, /* 163 */
+ {      0x05,                 0, 1,  3, "security"                  }, /* 164 */
+ {        0x05,               0, 1,  4, "mechanisms"                }, /* 165 */
+ {          0x07,             0, 1,  5, "id-pkix"                   }, /* 166 */
+ {            0x01,         169, 1,  6, "id-pe"                     }, /* 167 */
+ {              0x01,         0, 0,  7, "authorityInfoAccess"       }, /* 168 */
+ {            0x03,         179, 1,  6, "id-kp"                     }, /* 169 */
+ {              0x01,       171, 0,  7, "serverAuth"                }, /* 170 */
+ {              0x02,       172, 0,  7, "clientAuth"                }, /* 171 */
+ {              0x03,       173, 0,  7, "codeSigning"               }, /* 172 */
+ {              0x04,       174, 0,  7, "emailProtection"           }, /* 173 */
+ {              0x05,       175, 0,  7, "ipsecEndSystem"            }, /* 174 */
+ {              0x06,       176, 0,  7, "ipsecTunnel"               }, /* 175 */
+ {              0x07,       177, 0,  7, "ipsecUser"                 }, /* 176 */
+ {              0x08,       178, 0,  7, "timeStamping"              }, /* 177 */
+ {              0x09,         0, 0,  7, "ocspSigning"               }, /* 178 */
+ {            0x08,         181, 1,  6, "id-otherNames"             }, /* 179 */
+ {              0x05,         0, 0,  7, "xmppAddr"                  }, /* 180 */
+ {            0x0A,         186, 1,  6, "id-aca"                    }, /* 181 */
+ {              0x01,       183, 0,  7, "authenticationInfo"        }, /* 182 */
+ {              0x02,       184, 0,  7, "accessIdentity"            }, /* 183 */
+ {              0x03,       185, 0,  7, "chargingIdentity"          }, /* 184 */
+ {              0x04,         0, 0,  7, "group"                     }, /* 185 */
+ {            0x30,           0, 1,  6, "id-ad"                     }, /* 186 */
+ {              0x01,       195, 1,  7, "ocsp"                      }, /* 187 */
+ {                0x01,     189, 0,  8, "basic"                     }, /* 188 */
+ {                0x02,     190, 0,  8, "nonce"                     }, /* 189 */
+ {                0x03,     191, 0,  8, "crl"                       }, /* 190 */
+ {                0x04,     192, 0,  8, "response"                  }, /* 191 */
+ {                0x05,     193, 0,  8, "noCheck"                   }, /* 192 */
+ {                0x06,     194, 0,  8, "archiveCutoff"             }, /* 193 */
+ {                0x07,       0, 0,  8, "serviceLocator"            }, /* 194 */
+ {              0x02,         0, 0,  7, "caIssuers"                 }, /* 195 */
+ {  0x0E,                   202, 1,  1, "oiw"                       }, /* 196 */
+ {    0x03,                   0, 1,  2, "secsig"                    }, /* 197 */
+ {      0x02,                 0, 1,  3, "algorithms"                }, /* 198 */
+ {        0x07,             200, 0,  4, "des-cbc"                   }, /* 199 */
+ {        0x1A,             201, 0,  4, "sha-1"                     }, /* 200 */
+ {        0x1D,               0, 0,  4, "sha-1WithRSASignature"     }, /* 201 */
+ {  0x24,                   209, 1,  1, "TeleTrusT"                 }, /* 202 */
+ {    0x03,                   0, 1,  2, "algorithm"                 }, /* 203 */
+ {      0x03,                 0, 1,  3, "signatureAlgorithm"        }, /* 204 */
+ {        0x01,               0, 1,  4, "rsaSignature"              }, /* 205 */
+ {          0x02,           207, 0,  5, "rsaSigWithripemd160"       }, /* 206 */
+ {          0x03,           208, 0,  5, "rsaSigWithripemd128"       }, /* 207 */
+ {          0x04,             0, 0,  5, "rsaSigWithripemd256"       }, /* 208 */
+ {  0x81,                     0, 1,  1, ""                          }, /* 209 */
+ {    0x04,                   0, 1,  2, "Certicom"                  }, /* 210 */
+ {      0x00,                 0, 1,  3, "curve"                     }, /* 211 */
+ {        0x01,             213, 0,  4, "sect163k1"                 }, /* 212 */
+ {        0x02,             214, 0,  4, "sect163r1"                 }, /* 213 */
+ {        0x03,             215, 0,  4, "sect239k1"                 }, /* 214 */
+ {        0x04,             216, 0,  4, "sect113r1"                 }, /* 215 */
+ {        0x05,             217, 0,  4, "sect113r2"                 }, /* 216 */
+ {        0x06,             218, 0,  4, "secp112r1"                 }, /* 217 */
+ {        0x07,             219, 0,  4, "secp112r2"                 }, /* 218 */
+ {        0x08,             220, 0,  4, "secp160r1"                 }, /* 219 */
+ {        0x09,             221, 0,  4, "secp160k1"                 }, /* 220 */
+ {        0x0A,             222, 0,  4, "secp256k1"                 }, /* 221 */
+ {        0x0F,             223, 0,  4, "sect163r2"                 }, /* 222 */
+ {        0x10,             224, 0,  4, "sect283k1"                 }, /* 223 */
+ {        0x11,             225, 0,  4, "sect283r1"                 }, /* 224 */
+ {        0x16,             226, 0,  4, "sect131r1"                 }, /* 225 */
+ {        0x17,             227, 0,  4, "sect131r2"                 }, /* 226 */
+ {        0x18,             228, 0,  4, "sect193r1"                 }, /* 227 */
+ {        0x19,             229, 0,  4, "sect193r2"                 }, /* 228 */
+ {        0x1A,             230, 0,  4, "sect233k1"                 }, /* 229 */
+ {        0x1B,             231, 0,  4, "sect233r1"                 }, /* 230 */
+ {        0x1C,             232, 0,  4, "secp128r1"                 }, /* 231 */
+ {        0x1D,             233, 0,  4, "secp128r2"                 }, /* 232 */
+ {        0x1E,             234, 0,  4, "secp160r2"                 }, /* 233 */
+ {        0x1F,             235, 0,  4, "secp192k1"                 }, /* 234 */
+ {        0x20,             236, 0,  4, "secp224k1"                 }, /* 235 */
+ {        0x21,             237, 0,  4, "secp224r1"                 }, /* 236 */
+ {        0x22,             238, 0,  4, "secp384r1"                 }, /* 237 */
+ {        0x23,             239, 0,  4, "secp521r1"                 }, /* 238 */
+ {        0x24,             240, 0,  4, "sect409k1"                 }, /* 239 */
+ {        0x25,             241, 0,  4, "sect409r1"                 }, /* 240 */
+ {        0x26,             242, 0,  4, "sect571k1"                 }, /* 241 */
+ {        0x27,               0, 0,  4, "sect571r1"                 }, /* 242 */
+ {0x60,                       0, 1,  0, ""                          }, /* 243 */
+ {  0x86,                     0, 1,  1, ""                          }, /* 244 */
+ {    0x48,                   0, 1,  2, ""                          }, /* 245 */
+ {      0x01,               289, 1,  3, "organization"              }, /* 246 */
+ {        0x65,             265, 1,  4, "gov"                       }, /* 247 */
+ {          0x03,             0, 1,  5, "csor"                      }, /* 248 */
+ {            0x04,           0, 1,  6, "nistalgorithm"             }, /* 249 */
+ {              0x01,       260, 1,  7, "aes"                       }, /* 250 */
+ {                0x02,     252, 0,  8, "id-aes128-CBC"             }, /* 251 */
+ {                0x06,     253, 0,  8, "id-aes128-GCM"             }, /* 252 */
+ {                0x07,     254, 0,  8, "id-aes128-CCM"             }, /* 253 */
+ {                0x16,     255, 0,  8, "id-aes192-CBC"             }, /* 254 */
+ {                0x1A,     256, 0,  8, "id-aes192-GCM"             }, /* 255 */
+ {                0x1B,     257, 0,  8, "id-aes192-CCM"             }, /* 256 */
+ {                0x2A,     258, 0,  8, "id-aes256-CBC"             }, /* 257 */
+ {                0x2E,     259, 0,  8, "id-aes256-GCM"             }, /* 258 */
+ {                0x2F,       0, 0,  8, "id-aes256-CCM"             }, /* 259 */
+ {              0x02,         0, 1,  7, "hashalgs"                  }, /* 260 */
+ {                0x01,     262, 0,  8, "id-SHA-256"                }, /* 261 */
+ {                0x02,     263, 0,  8, "id-SHA-384"                }, /* 262 */
+ {                0x03,     264, 0,  8, "id-SHA-512"                }, /* 263 */
+ {                0x04,       0, 0,  8, "id-SHA-224"                }, /* 264 */
+ {        0x86,               0, 1,  4, ""                          }, /* 265 */
+ {          0xf8,             0, 1,  5, ""                          }, /* 266 */
+ {            0x42,         279, 1,  6, "netscape"                  }, /* 267 */
+ {              0x01,       274, 1,  7, ""                          }, /* 268 */
+ {                0x01,     270, 0,  8, "nsCertType"                }, /* 269 */
+ {                0x03,     271, 0,  8, "nsRevocationUrl"           }, /* 270 */
+ {                0x04,     272, 0,  8, "nsCaRevocationUrl"         }, /* 271 */
+ {                0x08,     273, 0,  8, "nsCaPolicyUrl"             }, /* 272 */
+ {                0x0d,       0, 0,  8, "nsComment"                 }, /* 273 */
+ {              0x03,       277, 1,  7, "directory"                 }, /* 274 */
+ {                0x01,       0, 1,  8, ""                          }, /* 275 */
+ {                  0x03,     0, 0,  9, "employeeNumber"            }, /* 276 */
+ {              0x04,         0, 1,  7, "policy"                    }, /* 277 */
+ {                0x01,       0, 0,  8, "nsSGC"                     }, /* 278 */
+ {            0x45,           0, 1,  6, "verisign"                  }, /* 279 */
+ {              0x01,         0, 1,  7, "pki"                       }, /* 280 */
+ {                0x09,       0, 1,  8, "attributes"                }, /* 281 */
+ {                  0x02,   283, 0,  9, "messageType"               }, /* 282 */
+ {                  0x03,   284, 0,  9, "pkiStatus"                 }, /* 283 */
+ {                  0x04,   285, 0,  9, "failInfo"                  }, /* 284 */
+ {                  0x05,   286, 0,  9, "senderNonce"               }, /* 285 */
+ {                  0x06,   287, 0,  9, "recipientNonce"            }, /* 286 */
+ {                  0x07,   288, 0,  9, "transID"                   }, /* 287 */
+ {                  0x08,     0, 0,  9, "extensionReq"              }, /* 288 */
+ {      0x86,                 0, 1,  3, "old-netscape"              }, /* 289 */
+ {        0xF7,               0, 1,  4, ""                          }, /* 290 */
+ {          0x0D,             0, 1,  5, ""                          }, /* 291 */
+ {            0x01,           0, 1,  6, ""                          }, /* 292 */
+ {              0x09,         0, 1,  7, ""                          }, /* 293 */
+ {                0x01,     295, 0,  8, "emailAddress"              }, /* 294 */
+ {                0x02,       0, 0,  8, "unstructuredName"          }  /* 295 */
 };
diff --git a/src/libstrongswan/asn1/oid.h b/src/libstrongswan/asn1/oid.h
index 72049259a..477789b62 100644
--- a/src/libstrongswan/asn1/oid.h
+++ b/src/libstrongswan/asn1/oid.h
@@ -5,6 +5,8 @@
  * Do not edit manually!
  */
 
+#include <sys/types.h>
+
 #ifndef OID_H_
 #define OID_H_
 
@@ -12,12 +14,31 @@ typedef struct {
     u_char octet;
     u_int  next;
     u_int  down;
+    u_int  level;
     const u_char *name;
 } oid_t;
 
 extern const oid_t oid_names[];
 
 #define OID_UNKNOWN							-1
+#define OID_NAME_DISTINGUISHER				6
+#define OID_PILOT_USERID					16
+#define OID_PILOT_DOMAIN_COMPONENT			17
+#define OID_COMMON_NAME						20
+#define OID_SURNAME							21
+#define OID_SERIAL_NUMBER					22
+#define OID_COUNTRY							23
+#define OID_LOCALITY						24
+#define OID_STATE_OR_PROVINCE				25
+#define OID_ORGANIZATION					26
+#define OID_ORGANIZATION_UNIT				27
+#define OID_TITLE							28
+#define OID_DESCRIPTION						29
+#define OID_USER_CERTIFICATE				30
+#define OID_NAME							31
+#define OID_GIVEN_NAME						32
+#define OID_INITIALS						33
+#define OID_UNIQUE_IDENTIFIER				34
 #define OID_ROLE							35
 #define OID_SUBJECT_KEY_ID					38
 #define OID_SUBJECT_ALT_NAME				41
@@ -29,117 +50,136 @@ extern const oid_t oid_names[];
 #define OID_EXTENDED_KEY_USAGE				49
 #define OID_TARGET_INFORMATION				50
 #define OID_NO_REV_AVAIL					51
-#define OID_RSA_ENCRYPTION					65
-#define OID_MD2_WITH_RSA					66
-#define OID_MD5_WITH_RSA					67
-#define OID_SHA1_WITH_RSA					68
-#define OID_SHA256_WITH_RSA					69
-#define OID_SHA384_WITH_RSA					70
-#define OID_SHA512_WITH_RSA					71
-#define OID_PKCS7_DATA						73
-#define OID_PKCS7_SIGNED_DATA				74
-#define OID_PKCS7_ENVELOPED_DATA			75
-#define OID_PKCS7_SIGNED_ENVELOPED_DATA		76
-#define OID_PKCS7_DIGESTED_DATA				77
-#define OID_PKCS7_ENCRYPTED_DATA			78
-#define OID_PKCS9_EMAIL						80
-#define OID_PKCS9_CONTENT_TYPE				82
-#define OID_PKCS9_MESSAGE_DIGEST			83
-#define OID_PKCS9_SIGNING_TIME				84
-#define OID_MD2								91
-#define OID_MD5								92
-#define OID_3DES_EDE_CBC					94
-#define OID_EC_PUBLICKEY					98
-#define OID_C2PNB163V1						101
-#define OID_C2PNB163V2						102
-#define OID_C2PNB163V3						103
-#define OID_C2PNB176W1						104
-#define OID_C2PNB191V1						105
-#define OID_C2PNB191V2						106
-#define OID_C2PNB191V3						107
-#define OID_C2PNB191V4						108
-#define OID_C2PNB191V5						109
-#define OID_C2PNB208W1						110
-#define OID_C2PNB239V1						111
-#define OID_C2PNB239V2						112
-#define OID_C2PNB239V3						113
-#define OID_C2PNB239V4						114
-#define OID_C2PNB239V5						115
-#define OID_C2PNB272W1						116
-#define OID_C2PNB304W1						117
-#define OID_C2PNB359V1						118
-#define OID_C2PNB368W1						119
-#define OID_C2PNB431R1						120
-#define OID_PRIME192V1						122
-#define OID_PRIME192V2						123
-#define OID_PRIME192V3						124
-#define OID_PRIME239V1						125
-#define OID_PRIME239V2						126
-#define OID_PRIME239V3						127
-#define OID_PRIME256V1						128
-#define OID_ECDSA_WITH_SHA1					130
-#define OID_AUTHORITY_INFO_ACCESS			156
-#define OID_OCSP_SIGNING					166
-#define OID_XMPP_ADDR						168
-#define OID_AUTHENTICATION_INFO				170
-#define OID_ACCESS_IDENTITY					171
-#define OID_CHARGING_IDENTITY				172
-#define OID_GROUP							173
-#define OID_OCSP							175
-#define OID_BASIC							176
-#define OID_NONCE							177
-#define OID_CRL								178
-#define OID_RESPONSE						179
-#define OID_NO_CHECK						180
-#define OID_ARCHIVE_CUTOFF					181
-#define OID_SERVICE_LOCATOR					182
-#define OID_CA_ISSUERS						183
-#define OID_DES_CBC							187
-#define OID_SHA1							188
-#define OID_SHA1_WITH_RSA_OIW				189
-#define OID_SECT163K1						200
-#define OID_SECT163R1						201
-#define OID_SECT239K1						202
-#define OID_SECT113R1						203
-#define OID_SECT113R2						204
-#define OID_SECT112R1						205
-#define OID_SECT112R2						206
-#define OID_SECT160R1						207
-#define OID_SECT160K1						208
-#define OID_SECT256K1						209
-#define OID_SECT163R2						210
-#define OID_SECT283K1						211
-#define OID_SECT283R1						212
-#define OID_SECT131R1						213
-#define OID_SECT131R2						214
-#define OID_SECT193R1						215
-#define OID_SECT193R2						216
-#define OID_SECT233K1						217
-#define OID_SECT233R1						218
-#define OID_SECT128R1						219
-#define OID_SECT128R2						220
-#define OID_SECT160R2						221
-#define OID_SECT192K1						222
-#define OID_SECT224K1						223
-#define OID_SECT224R1						224
-#define OID_SECT384R1						225
-#define OID_SECT521R1						226
-#define OID_SECT409K1						227
-#define OID_SECT409R1						228
-#define OID_SECT571K1						229
-#define OID_SECT571R1						230
-#define OID_SHA256							239
-#define OID_SHA384							240
-#define OID_SHA512							241
-#define OID_NS_REVOCATION_URL				247
-#define OID_NS_CA_REVOCATION_URL			248
-#define OID_NS_CA_POLICY_URL				249
-#define OID_NS_COMMENT						250
-#define OID_PKI_MESSAGE_TYPE				259
-#define OID_PKI_STATUS						260
-#define OID_PKI_FAIL_INFO					261
-#define OID_PKI_SENDER_NONCE				262
-#define OID_PKI_RECIPIENT_NONCE				263
-#define OID_PKI_TRANS_ID					264
+#define OID_CAMELLIA128_CBC					62
+#define OID_CAMELLIA192_CBC					63
+#define OID_CAMELLIA256_CBC					64
+#define OID_RSA_ENCRYPTION					77
+#define OID_MD2_WITH_RSA					78
+#define OID_MD5_WITH_RSA					79
+#define OID_SHA1_WITH_RSA					80
+#define OID_SHA256_WITH_RSA					81
+#define OID_SHA384_WITH_RSA					82
+#define OID_SHA512_WITH_RSA					83
+#define OID_PKCS7_DATA						85
+#define OID_PKCS7_SIGNED_DATA				86
+#define OID_PKCS7_ENVELOPED_DATA			87
+#define OID_PKCS7_SIGNED_ENVELOPED_DATA		88
+#define OID_PKCS7_DIGESTED_DATA				89
+#define OID_PKCS7_ENCRYPTED_DATA			90
+#define OID_PKCS9_EMAIL						92
+#define OID_PKCS9_CONTENT_TYPE				94
+#define OID_PKCS9_MESSAGE_DIGEST			95
+#define OID_PKCS9_SIGNING_TIME				96
+#define OID_MD2								103
+#define OID_MD5								104
+#define OID_3DES_EDE_CBC					106
+#define OID_EC_PUBLICKEY					110
+#define OID_C2PNB163V1						113
+#define OID_C2PNB163V2						114
+#define OID_C2PNB163V3						115
+#define OID_C2PNB176W1						116
+#define OID_C2PNB191V1						117
+#define OID_C2PNB191V2						118
+#define OID_C2PNB191V3						119
+#define OID_C2PNB191V4						120
+#define OID_C2PNB191V5						121
+#define OID_C2PNB208W1						122
+#define OID_C2PNB239V1						123
+#define OID_C2PNB239V2						124
+#define OID_C2PNB239V3						125
+#define OID_C2PNB239V4						126
+#define OID_C2PNB239V5						127
+#define OID_C2PNB272W1						128
+#define OID_C2PNB304W1						129
+#define OID_C2PNB359V1						130
+#define OID_C2PNB368W1						131
+#define OID_C2PNB431R1						132
+#define OID_PRIME192V1						134
+#define OID_PRIME192V2						135
+#define OID_PRIME192V3						136
+#define OID_PRIME239V1						137
+#define OID_PRIME239V2						138
+#define OID_PRIME239V3						139
+#define OID_PRIME256V1						140
+#define OID_ECDSA_WITH_SHA1					142
+#define OID_TCGID							163
+#define OID_AUTHORITY_INFO_ACCESS			168
+#define OID_OCSP_SIGNING					178
+#define OID_XMPP_ADDR						180
+#define OID_AUTHENTICATION_INFO				182
+#define OID_ACCESS_IDENTITY					183
+#define OID_CHARGING_IDENTITY				184
+#define OID_GROUP							185
+#define OID_OCSP							187
+#define OID_BASIC							188
+#define OID_NONCE							189
+#define OID_CRL								190
+#define OID_RESPONSE						191
+#define OID_NO_CHECK						192
+#define OID_ARCHIVE_CUTOFF					193
+#define OID_SERVICE_LOCATOR					194
+#define OID_CA_ISSUERS						195
+#define OID_DES_CBC							199
+#define OID_SHA1							200
+#define OID_SHA1_WITH_RSA_OIW				201
+#define OID_SECT163K1						212
+#define OID_SECT163R1						213
+#define OID_SECT239K1						214
+#define OID_SECT113R1						215
+#define OID_SECT113R2						216
+#define OID_SECT112R1						217
+#define OID_SECT112R2						218
+#define OID_SECT160R1						219
+#define OID_SECT160K1						220
+#define OID_SECT256K1						221
+#define OID_SECT163R2						222
+#define OID_SECT283K1						223
+#define OID_SECT283R1						224
+#define OID_SECT131R1						225
+#define OID_SECT131R2						226
+#define OID_SECT193R1						227
+#define OID_SECT193R2						228
+#define OID_SECT233K1						229
+#define OID_SECT233R1						230
+#define OID_SECT128R1						231
+#define OID_SECT128R2						232
+#define OID_SECT160R2						233
+#define OID_SECT192K1						234
+#define OID_SECT224K1						235
+#define OID_SECT224R1						236
+#define OID_SECT384R1						237
+#define OID_SECT521R1						238
+#define OID_SECT409K1						239
+#define OID_SECT409R1						240
+#define OID_SECT571K1						241
+#define OID_SECT571R1						242
+#define OID_AES128_CBC						251
+#define OID_AES128_GCM						252
+#define OID_AES128_CCM						253
+#define OID_AES192_CBC						254
+#define OID_AES192_GCM						255
+#define OID_AES192_CCM						256
+#define OID_AES256_CBC						257
+#define OID_AES256_GCM						258
+#define OID_AES256_CCM						259
+#define OID_SHA256							261
+#define OID_SHA384							262
+#define OID_SHA512							263
+#define OID_SHA224							264
+#define OID_NS_REVOCATION_URL				270
+#define OID_NS_CA_REVOCATION_URL			271
+#define OID_NS_CA_POLICY_URL				272
+#define OID_NS_COMMENT						273
+#define OID_EMPLOYEE_NUMBER					276
+#define OID_PKI_MESSAGE_TYPE				282
+#define OID_PKI_STATUS						283
+#define OID_PKI_FAIL_INFO					284
+#define OID_PKI_SENDER_NONCE				285
+#define OID_PKI_RECIPIENT_NONCE				286
+#define OID_PKI_TRANS_ID					287
+#define OID_EMAIL_ADDRESS					294
+#define OID_UNSTRUCTURED_NAME				295
+
+#define OID_MAX								296
 
 #endif /* OID_H_ */
diff --git a/src/libstrongswan/asn1/oid.pl b/src/libstrongswan/asn1/oid.pl
index 373101cc0..ed26febc9 100644
--- a/src/libstrongswan/asn1/oid.pl
+++ b/src/libstrongswan/asn1/oid.pl
@@ -32,12 +32,14 @@ print OID_H "/* Object identifiers (OIDs) used by strongSwan\n",
 	    " * ", $automatic, "\n",
 	    " * ", $warning, "\n",
 	    " */\n\n",
+	    "#include <sys/types.h>\n\n",
 	    "#ifndef OID_H_\n",
 	    "#define OID_H_\n\n",
 	    "typedef struct {\n",
 	    "    u_char octet;\n",
 	    "    u_int  next;\n",
 	    "    u_int  down;\n",
+	    "    u_int  level;\n",
 	    "    const u_char *name;\n",
 	    "} oid_t;\n",
 	    "\n",
@@ -77,6 +79,8 @@ while ($line = <SRC>)
     $counter++;
 }
 
+printf OID_H "\n#define OID_MAX%s%d\n", "\t" x 8, $counter;
+
 print OID_H "\n#endif /* OID_H_ */\n";
 
 close SRC;
@@ -113,12 +117,13 @@ for ($c = 0; $c < $counter; $c++)
 	}
     }
 
-    printf OID_C "  {%s%s,%s%3d, %d, %s%s}%s  /* %3d */\n"
+    printf OID_C " {%s%s,%s%3d, %d, %2d, %s%s}%s /* %3d */\n"
 	,' '  x @order[$c]
 	, @octet[$c]
 	, ' ' x (1 + $max_order - @order[$c])
 	, @next[$c]
 	, @order[$c+1] > @order[$c]
+	, @order[$c] / 2
 	, @name[$c]
 	, ' ' x ($max_name - length(@name[$c]))
 	, $c != $counter-1 ? "," : " "
diff --git a/src/libstrongswan/asn1/oid.txt b/src/libstrongswan/asn1/oid.txt
index 6bb765787..1514f179f 100644
--- a/src/libstrongswan/asn1/oid.txt
+++ b/src/libstrongswan/asn1/oid.txt
@@ -4,7 +4,7 @@
       0x01                   "Deutsche Telekom AG"
         0x0A                 ""
           0x07               ""
-            0x14             "ND"
+            0x14             "ND"						OID_NAME_DISTINGUISHER
 0x09                         "data"
   0x92                       ""
     0x26                     ""
@@ -14,25 +14,25 @@
             0x2C             ""
               0x64           "pilot"
                 0x01         "pilotAttributeType"
-                  0x01       "UID"
-                  0x19       "DC"
+                  0x01       "UID"						OID_PILOT_USERID
+                  0x19       "DC"						OID_PILOT_DOMAIN_COMPONENT
 0x55                         "X.500"
   0x04                       "X.509"
-    0x03                     "CN"
-    0x04                     "S"
-    0x05                     "SN"
-    0x06                     "C"
-    0x07                     "L"
-    0x08                     "ST"
-    0x0A                     "O"
-    0x0B                     "OU"
-    0x0C                     "T"
-    0x0D                     "D"
-    0x24                     "userCertificate"
-    0x29                     "N"
-    0x2A                     "G"
-    0x2B                     "I"
-    0x2D                     "ID"
+    0x03                     "CN"						OID_COMMON_NAME
+    0x04                     "S"						OID_SURNAME
+    0x05                     "SN"						OID_SERIAL_NUMBER
+    0x06                     "C"						OID_COUNTRY
+    0x07                     "L"						OID_LOCALITY
+    0x08                     "ST"						OID_STATE_OR_PROVINCE
+    0x0A                     "O"						OID_ORGANIZATION
+    0x0B                     "OU"						OID_ORGANIZATION_UNIT
+    0x0C                     "T"						OID_TITLE
+    0x0D                     "D"						OID_DESCRIPTION
+    0x24                     "userCertificate"			OID_USER_CERTIFICATE
+    0x29                     "N"						OID_NAME
+    0x2A                     "G"						OID_GIVEN_NAME
+    0x2B                     "I"						OID_INITIALS
+    0x2D                     "ID"						OID_UNIQUE_IDENTIFIER
     0x48                     "role"						OID_ROLE
   0x1D                       "id-ce"
     0x09                     "subjectDirectoryAttrs"
@@ -51,8 +51,20 @@
     0x37                     "targetInformation"		OID_TARGET_INFORMATION
     0x38                     "noRevAvail"				OID_NO_REV_AVAIL
 0x2A                         ""
+  0x83                       ""
+    0x08                     "jp"
+      0x8C                   ""
+        0x9A                 ""
+          0x4B               ""
+            0x3D             ""
+              0x01           "security"
+                0x01         "algorithm"
+                  0x01       "symm-encryption-alg"
+                    0x02     "camellia128-cbc"			OID_CAMELLIA128_CBC
+                    0x03     "camellia192-cbc"			OID_CAMELLIA192_CBC
+                    0x04     "camellia256-cbc"			OID_CAMELLIA256_CBC
   0x86                       ""
-    0x48                     ""
+    0x48                     "us"
       0x86                   ""
         0xF6                 ""
           0x7D               "NortelNetworks"
@@ -149,7 +161,7 @@
                 0x01         ""
                   0x02       ""
                     0x02     ""
-                    0x4B     "TCGID"
+                    0x4B     "TCGID"					OID_TCGID
       0x05                   "security"
         0x05                 "mechanisms"
           0x07               "id-pkix"
@@ -236,10 +248,21 @@
         0x65                 "gov"
           0x03               "csor"
             0x04             "nistalgorithm"
+              0x01           "aes"
+                0x02         "id-aes128-CBC"			OID_AES128_CBC
+                0x06         "id-aes128-GCM"			OID_AES128_GCM
+                0x07         "id-aes128-CCM"			OID_AES128_CCM
+                0x16         "id-aes192-CBC"			OID_AES192_CBC
+                0x1A         "id-aes192-GCM"			OID_AES192_GCM
+                0x1B         "id-aes192-CCM"			OID_AES192_CCM
+                0x2A         "id-aes256-CBC"			OID_AES256_CBC
+                0x2E         "id-aes256-GCM"			OID_AES256_GCM
+                0x2F         "id-aes256-CCM"			OID_AES256_CCM
               0x02           "hashalgs"
                 0x01         "id-SHA-256"				OID_SHA256
                 0x02         "id-SHA-384"				OID_SHA384
                 0x03         "id-SHA-512"				OID_SHA512
+                0x04         "id-SHA-224"				OID_SHA224
         0x86                 ""
           0xf8               ""
             0x42             "netscape"
@@ -251,7 +274,7 @@
                 0x0d         "nsComment"				OID_NS_COMMENT
               0x03           "directory"
                 0x01         ""
-                  0x03       "employeeNumber"
+                  0x03       "employeeNumber"			OID_EMPLOYEE_NUMBER
               0x04           "policy"
                 0x01         "nsSGC"
             0x45             "verisign"
@@ -264,3 +287,10 @@
                   0x06       "recipientNonce"			OID_PKI_RECIPIENT_NONCE
                   0x07       "transID"					OID_PKI_TRANS_ID
                   0x08       "extensionReq"
+      0x86                   "old-netscape"
+        0xF7                 ""
+          0x0D               ""
+            0x01             ""
+              0x09           ""
+                0x01         "emailAddress"				OID_EMAIL_ADDRESS
+                0x02         "unstructuredName"			OID_UNSTRUCTURED_NAME
diff --git a/src/libstrongswan/asn1/pem.c b/src/libstrongswan/asn1/pem.c
index d3176b6bc..059795548 100755
--- a/src/libstrongswan/asn1/pem.c
+++ b/src/libstrongswan/asn1/pem.c
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: pem.c 4029 2008-06-03 12:14:02Z martin $
  */
 
 #include <stdio.h>
@@ -84,8 +82,8 @@ static bool find_boundary(const char* tag, chunk_t *line)
 /*
  * decrypts a passphrase protected encrypted data block
  */
-static bool pem_decrypt(chunk_t *blob, encryption_algorithm_t alg, size_t key_size,
-						 chunk_t *iv, chunk_t *passphrase)
+static status_t pem_decrypt(chunk_t *blob, encryption_algorithm_t alg, size_t key_size,
+							chunk_t *iv, chunk_t passphrase)
 {
 	hasher_t *hasher;
 	crypter_t *crypter;
@@ -95,10 +93,10 @@ static bool pem_decrypt(chunk_t *blob, encryption_algorithm_t alg, size_t key_si
 	chunk_t key = {alloca(key_size), key_size};
 	u_int8_t padding, *last_padding_pos, *first_padding_pos;
 	
-	if (passphrase == NULL || passphrase->len == 0)
+	if (passphrase.len == 0)
 	{
 		DBG1("  missing passphrase");
-		return FALSE;
+		return INVALID_ARG;
 	}
 
 	/* build key from passphrase and IV */
@@ -106,18 +104,18 @@ static bool pem_decrypt(chunk_t *blob, encryption_algorithm_t alg, size_t key_si
 	if (hasher == NULL)
 	{
 		DBG1("  MD5 hash algorithm not available");
-		return FALSE;
+		return NOT_SUPPORTED;
 	}
 	hash.len = hasher->get_hash_size(hasher);
 	hash.ptr = alloca(hash.len);
-	hasher->get_hash(hasher, *passphrase, NULL);
+	hasher->get_hash(hasher, passphrase, NULL);
 	hasher->get_hash(hasher, salt, hash.ptr);
 	memcpy(key.ptr, hash.ptr, hash.len);
 
 	if (key.len > hash.len)
 	{
 		hasher->get_hash(hasher, hash, NULL);
-		hasher->get_hash(hasher, *passphrase, NULL);
+		hasher->get_hash(hasher, passphrase, NULL);
 		hasher->get_hash(hasher, salt, hash.ptr);	
 		memcpy(key.ptr + hash.len, hash.ptr, key.len - hash.len);
 	}	
@@ -129,7 +127,7 @@ static bool pem_decrypt(chunk_t *blob, encryption_algorithm_t alg, size_t key_si
 	{
 		DBG1("  %N encryption algorithm not available",
 			 encryption_algorithm_names, alg);
-		return FALSE;
+		return NOT_SUPPORTED;
 	}
 	crypter->set_key(crypter, key);
 	
@@ -138,7 +136,7 @@ static bool pem_decrypt(chunk_t *blob, encryption_algorithm_t alg, size_t key_si
 	{
 		crypter->destroy(crypter);
 		DBG1("  data size is not multiple of block size");
-		return FALSE;
+		return PARSE_ERROR;
 	}
 	crypter->decrypt(crypter, *blob, *iv, &decrypted);
 	crypter->destroy(crypter);
@@ -156,12 +154,12 @@ static bool pem_decrypt(chunk_t *blob, encryption_algorithm_t alg, size_t key_si
 		if (*last_padding_pos != padding)
 		{
 			DBG1("  invalid passphrase");
-			return FALSE;
+			return INVALID_ARG;
 		}
 	}
 	/* remove padding */
 	blob->len -= padding;
-	return TRUE;
+	return SUCCESS;
 }
 
 /*  Converts a PEM encoded file into its binary form
@@ -169,7 +167,7 @@ static bool pem_decrypt(chunk_t *blob, encryption_algorithm_t alg, size_t key_si
  *  RFC 1421 Privacy Enhancement for Electronic Mail, February 1993
  *  RFC 934 Message Encapsulation, January 1985
  */
-bool pem_to_bin(chunk_t *blob, chunk_t *passphrase, bool *pgp)
+status_t pem_to_bin(chunk_t *blob, chunk_t passphrase, bool *pgp)
 {
 	typedef enum {
 		PEM_PRE    = 0,
@@ -239,17 +237,21 @@ bool pem_to_bin(chunk_t *blob, chunk_t *passphrase, bool *pgp)
 				DBG2("  %.*s", (int)line.len, line.ptr);
 				ugh = extract_parameter_value(&name, &value, &line);
 				if (ugh != NULL)
+				{
 					continue;
-
+				}
 				if (match("Proc-Type", &name) && *value.ptr == '4')
+				{
 					encrypted = TRUE;
+				}
 				else if (match("DEK-Info", &name))
 				{
 					chunk_t dek;
 
 					if (!extract_token(&dek, ',', &value))
+					{
 						dek = value;
-
+					}
 					if (match("DES-EDE3-CBC", &dek))
 					{
 						alg = ENCR_3DES;
@@ -274,7 +276,7 @@ bool pem_to_bin(chunk_t *blob, chunk_t *passphrase, bool *pgp)
 					{
 						DBG1("  encryption algorithm '%.s' not supported",
 							 dek.len, dek.ptr);
-						return FALSE;
+						return NOT_SUPPORTED;
 					}
 					eat_whitespace(&value);
 					iv = chunk_from_hex(value, iv.ptr);
@@ -317,11 +319,11 @@ bool pem_to_bin(chunk_t *blob, chunk_t *passphrase, bool *pgp)
 	if (state != PEM_POST)
 	{
 		DBG1("  file coded in unknown format, discarded");
-		return FALSE;
+		return PARSE_ERROR;
 	}
 	if (!encrypted)
 	{
-		return TRUE;
+		return SUCCESS;
 	}
 	return pem_decrypt(blob, alg, key_size, &iv, passphrase);
 	
@@ -337,7 +339,9 @@ bool pem_asn1_load_file(char *filename, chunk_t *passphrase,
 
 	if (fd)
 	{
+		chunk_t pass = chunk_empty;
 		int bytes;
+
 		fseek(fd, 0, SEEK_END );
 		blob->len = ftell(fd);
 		rewind(fd);
@@ -356,10 +360,13 @@ bool pem_asn1_load_file(char *filename, chunk_t *passphrase,
 		}
 
 		if (passphrase != NULL)
-			DBG4("  passphrase:", passphrase->ptr, passphrase->len);
+		{
+			pass = *passphrase;
+			DBG4("  passphrase: %#B", passphrase);
+		}
 
 		/* try PEM format */
-		if (pem_to_bin(blob, passphrase, pgp))
+		if (pem_to_bin(blob, pass, pgp) == SUCCESS)
 		{
 			if (*pgp)
 			{
diff --git a/src/libstrongswan/asn1/pem.h b/src/libstrongswan/asn1/pem.h
index 4b76fbe80..7385330d7 100755
--- a/src/libstrongswan/asn1/pem.h
+++ b/src/libstrongswan/asn1/pem.h
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: pem.h 4011 2008-05-23 19:18:08Z andreas $
  */
 
 #ifndef PEM_H_
@@ -23,9 +21,9 @@
 
 #include <library.h>
 
-bool pem_to_bin(chunk_t *blob, chunk_t *passphrase, bool *pgp);
+status_t pem_to_bin(chunk_t *blob, chunk_t passphrase, bool *pgp);
 
-bool pem_asn1_load_file(char *filename, chunk_t *passphrase,
-						chunk_t *blob, bool *pgp);
+bool pem_asn1_load_file(char *filename, chunk_t *passphrase, chunk_t *blob,
+						bool *pgp);
 
 #endif /*PEM_H_ @} */
diff --git a/src/libstrongswan/chunk.c b/src/libstrongswan/chunk.c
index 331ef4436..c9c181f87 100644
--- a/src/libstrongswan/chunk.c
+++ b/src/libstrongswan/chunk.c
@@ -13,8 +13,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: chunk.c 4936 2009-03-12 18:07:32Z tobias $
  */
 
 #include <stdio.h>
@@ -208,7 +206,7 @@ void chunk_split(chunk_t chunk, const char *mode, ...)
 /**
  * Described in header.
  */
-bool chunk_write(chunk_t chunk, char *path, mode_t mask, bool force)
+bool chunk_write(chunk_t chunk, char *path, char *label, mode_t mask, bool force)
 {
 	mode_t oldmask;
 	FILE *fd;
@@ -216,7 +214,7 @@ bool chunk_write(chunk_t chunk, char *path, mode_t mask, bool force)
 
 	if (!force && access(path, F_OK) == 0)
 	{
-		DBG1("  file '%s' already exists", path);
+		DBG1("  %s file '%s' already exists", label, path);
 		return FALSE;
 	}
 	oldmask = umask(mask);
@@ -225,18 +223,20 @@ bool chunk_write(chunk_t chunk, char *path, mode_t mask, bool force)
 	{
 		if (fwrite(chunk.ptr, sizeof(u_char), chunk.len, fd) == chunk.len)
 		{
+			DBG1("  written %s file '%s' (%d bytes)",
+				 label, path, chunk.len);
 			good = TRUE;
 		}
 		else
 		{
-			DBG1("  writing to file '%s' failed: %s", path, strerror(errno));
+			DBG1("  writing %s file '%s' failed: %s",
+				 label, path, strerror(errno));
 		}
 		fclose(fd);
-		return TRUE;
 	}
 	else
 	{
-		DBG1("  could not open file '%s': %s", path, strerror(errno));
+		DBG1("  could not open %s file '%s': %s", label, path, strerror(errno));
 	}
 	umask(oldmask);
 	return good;
diff --git a/src/libstrongswan/chunk.h b/src/libstrongswan/chunk.h
index 125b86b12..3d8c360c5 100644
--- a/src/libstrongswan/chunk.h
+++ b/src/libstrongswan/chunk.h
@@ -13,8 +13,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: chunk.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -41,7 +39,7 @@ struct chunk_t {
 	size_t len;
 };
 
-#include <library.h>
+#include <utils.h>
 
 /**
  * A { NULL, 0 }-chunk handy for initialization.
@@ -86,8 +84,14 @@ void chunk_split(chunk_t chunk, const char *mode, ...);
 
 /**
   * Write the binary contents of a chunk_t to a file
-  */
-bool chunk_write(chunk_t chunk, char *path, mode_t mask, bool force);
+  *
+ * @param path			path where file is written to
+ * @param label			label specifying file type 
+ * @param mask			file mode creation mask
+ * @param force			overwrite existing file by force
+ * @return				TRUE if write operation was successful
+ */
+bool chunk_write(chunk_t chunk, char *path, char *label, mode_t mask, bool force);
 
 /**
  * Convert a chunk of data to hex encoding.
@@ -95,7 +99,6 @@ bool chunk_write(chunk_t chunk, char *path, mode_t mask, bool force);
  * The resulting string is '\\0' terminated, but the chunk does not include
  * the '\\0'. If buf is supplied, it must hold at least (chunk.len * 2 + 1).
  *
- * @param chunk			data to convert
  * @param buf			buffer to write to, NULL to malloc
  * @param uppercase		TRUE to use uppercase letters
  * @return				chunk of encoded data
@@ -181,12 +184,12 @@ static inline void chunk_clear(chunk_t *chunk)
 /**
  * Clone a chunk on heap
  */
-#define chunk_clone(chunk) chunk_create_clone((chunk).len ? malloc(chunk.len) : NULL, chunk)
+#define chunk_clone(chunk) chunk_create_clone((chunk).len ? malloc((chunk).len) : NULL, chunk)
 
 /**
  * Clone a chunk on stack
  */
-#define chunk_clonea(chunk) chunk_create_clone(alloca(chunk.len), chunk)
+#define chunk_clonea(chunk) chunk_create_clone(alloca((chunk).len), chunk)
 
 /**
  * Concatenate chunks into a chunk on heap
diff --git a/src/libstrongswan/credentials/builder.c b/src/libstrongswan/credentials/builder.c
index 0bca198f1..701cbcde3 100644
--- a/src/libstrongswan/credentials/builder.c
+++ b/src/libstrongswan/credentials/builder.c
@@ -20,6 +20,8 @@ ENUM(builder_part_names, BUILD_FROM_FILE, BUILD_END,
 	"BUILD_AGENT_SOCKET",
 	"BUILD_BLOB_ASN1_DER",
 	"BUILD_BLOB_ASN1_PEM",
+	"BUILD_BLOB_PGP",
+	"BUILD_BLOB_RFC_3110",
 	"BUILD_KEY_SIZE",
 	"BUILD_SIGNING_KEY",
 	"BUILD_SIGNING_CERT",
diff --git a/src/libstrongswan/credentials/builder.h b/src/libstrongswan/credentials/builder.h
index 4b3fb1ae4..01ccf2a5c 100644
--- a/src/libstrongswan/credentials/builder.h
+++ b/src/libstrongswan/credentials/builder.h
@@ -38,14 +38,18 @@ typedef builder_t* (*builder_constructor_t)(int subtype);
  * Parts to build credentials from.
  */
 enum builder_part_t {
-	/** path to a file containing an ASN1 blob, char* */
+	/** path to a file containing an ASN.1 blob, char* */
 	BUILD_FROM_FILE,
 	/** unix socket of a ssh/pgp agent, char* */
 	BUILD_AGENT_SOCKET,
-	/** DER encoded ASN1 blob, chunk_t */
+	/** DER encoded ASN.1 blob, chunk_t */
 	BUILD_BLOB_ASN1_DER,
-	/** PEM encoded ASN1 blob, null terminated char* */
+	/** PEM encoded ASN.1 blob, null terminated char* */
 	BUILD_BLOB_ASN1_PEM,
+	/**  OpenPGP key blob, chunk_t */
+	BUILD_BLOB_PGP,
+	/** RFC 3110 DNS public key blob, chunk_t */
+	BUILD_BLOB_RFC_3110,
 	/** key size in bits, as used for key generation, u_int */
 	BUILD_KEY_SIZE,
 	/** private key to use for signing, private_key_t* */
diff --git a/src/libstrongswan/credentials/certificates/ac.h b/src/libstrongswan/credentials/certificates/ac.h
index 39ab8fe71..fb99b4756 100644
--- a/src/libstrongswan/credentials/certificates/ac.h
+++ b/src/libstrongswan/credentials/certificates/ac.h
@@ -14,8 +14,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: ac.h 3300 2007-10-12 21:53:18Z andreas $
  */
 
 /**
diff --git a/src/libstrongswan/credentials/certificates/certificate.c b/src/libstrongswan/credentials/certificates/certificate.c
index c5bc9a68d..041e2f1db 100644
--- a/src/libstrongswan/credentials/certificates/certificate.c
+++ b/src/libstrongswan/credentials/certificates/certificate.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: certificate.c 3664 2008-03-26 15:21:50Z martin $
  */
 
 #include "certificate.h"
@@ -31,11 +29,11 @@ ENUM(certificate_type_names, CERT_ANY, CERT_PGP,
 	"PGP",
 );
 
-ENUM(cert_validation_names, VALIDATION_GOOD, VALIDATION_SKIPPED,
-	"VALIDATION_GOOD",
-	"VALIDATION_STALE",
-	"VALIDATION_REVOKED",
-	"VALIDATION_FAILED",
-	"VALIDATION_SKIPPED",
+ENUM(cert_validation_names, VALIDATION_GOOD, VALIDATION_REVOKED,
+	"GOOD",
+	"SKIPPED",
+	"STALE",
+	"FAILED",
+	"REVOKED",
 );
 
diff --git a/src/libstrongswan/credentials/certificates/certificate.h b/src/libstrongswan/credentials/certificates/certificate.h
index 1fb151d9f..81fce5508 100644
--- a/src/libstrongswan/credentials/certificates/certificate.h
+++ b/src/libstrongswan/credentials/certificates/certificate.h
@@ -58,18 +58,20 @@ extern enum_name_t *certificate_type_names;
 
 /**
  * Result of a certificate validation.
+ *
+ * Order of values is relevant, sorted from good to bad.
  */
 enum cert_validation_t {
 	/** certificate has been validated successfully */
-	VALIDATION_GOOD,
+	VALIDATION_GOOD = 0,
+	/** validation has been skipped due to missing validation information */
+	VALIDATION_SKIPPED,
 	/** certificate has been validated, but check based on stale information */
 	VALIDATION_STALE,
-	/** certificate has been revoked */
-	VALIDATION_REVOKED,
 	/** validation failed due to a processing error */
 	VALIDATION_FAILED,
-	/** validation has been skipped due to missing validation information */
-	VALIDATION_SKIPPED,
+	/** certificate has been revoked */
+	VALIDATION_REVOKED,
 };
 
 /**
diff --git a/src/libstrongswan/credentials/certificates/crl.c b/src/libstrongswan/credentials/certificates/crl.c
index 1fdc095c1..0d6654075 100644
--- a/src/libstrongswan/credentials/certificates/crl.c
+++ b/src/libstrongswan/credentials/certificates/crl.c
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: crl.c 3656 2008-03-25 22:28:27Z andreas $
  */
 
 #include "crl.h"
diff --git a/src/libstrongswan/credentials/certificates/crl.h b/src/libstrongswan/credentials/certificates/crl.h
index 0c0493940..3fef0d710 100644
--- a/src/libstrongswan/credentials/certificates/crl.h
+++ b/src/libstrongswan/credentials/certificates/crl.h
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: crl.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/libstrongswan/credentials/certificates/ocsp_request.h b/src/libstrongswan/credentials/certificates/ocsp_request.h
index 25ecb8d35..0b1871309 100644
--- a/src/libstrongswan/credentials/certificates/ocsp_request.h
+++ b/src/libstrongswan/credentials/certificates/ocsp_request.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 /**
diff --git a/src/libstrongswan/credentials/certificates/ocsp_response.c b/src/libstrongswan/credentials/certificates/ocsp_response.c
index 02e12f761..c4a39e28d 100644
--- a/src/libstrongswan/credentials/certificates/ocsp_response.c
+++ b/src/libstrongswan/credentials/certificates/ocsp_response.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 #include "ocsp_response.h"
diff --git a/src/libstrongswan/credentials/certificates/ocsp_response.h b/src/libstrongswan/credentials/certificates/ocsp_response.h
index 3c9794956..a70f3eee4 100644
--- a/src/libstrongswan/credentials/certificates/ocsp_response.h
+++ b/src/libstrongswan/credentials/certificates/ocsp_response.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 /**
diff --git a/src/libstrongswan/credentials/certificates/x509.c b/src/libstrongswan/credentials/certificates/x509.c
index 15d223e3e..5d53f0c68 100644
--- a/src/libstrongswan/credentials/certificates/x509.c
+++ b/src/libstrongswan/credentials/certificates/x509.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: x509.c 3656 2008-03-25 22:28:27Z andreas $
  */
 
 #include "x509.h"
diff --git a/src/libstrongswan/credentials/certificates/x509.h b/src/libstrongswan/credentials/certificates/x509.h
index 704f11522..eedab78f7 100644
--- a/src/libstrongswan/credentials/certificates/x509.h
+++ b/src/libstrongswan/credentials/certificates/x509.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: x509.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/libstrongswan/credentials/credential_factory.c b/src/libstrongswan/credentials/credential_factory.c
index 5ae6980be..2e9a541d4 100644
--- a/src/libstrongswan/credentials/credential_factory.c
+++ b/src/libstrongswan/credentials/credential_factory.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: credential_factory.c 4777 2008-12-09 15:57:51Z martin $
  */
 
 #include "credential_factory.h"
@@ -158,6 +156,8 @@ static void* create(private_credential_factory_t *this, credential_type_t type,
 				case BUILD_END:
 					break;
 				case BUILD_BLOB_ASN1_DER:
+				case BUILD_BLOB_PGP:
+				case BUILD_BLOB_RFC_3110:
 				case BUILD_SERIAL:
 					builder->add(builder, part, va_arg(args, chunk_t));
 					continue;
diff --git a/src/libstrongswan/credentials/credential_factory.h b/src/libstrongswan/credentials/credential_factory.h
index 42fb2df6d..5057a7aae 100644
--- a/src/libstrongswan/credentials/credential_factory.h
+++ b/src/libstrongswan/credentials/credential_factory.h
@@ -24,9 +24,6 @@
 typedef struct credential_factory_t credential_factory_t;
 typedef enum credential_type_t credential_type_t;
 
-#include <credentials/keys/private_key.h>
-#include <credentials/keys/public_key.h>
-#include <credentials/certificates/certificate.h>
 #include <credentials/builder.h>
 
 /**
diff --git a/src/libstrongswan/credentials/keys/private_key.c b/src/libstrongswan/credentials/keys/private_key.c
index 018cab1c0..0a01d0385 100644
--- a/src/libstrongswan/credentials/keys/private_key.c
+++ b/src/libstrongswan/credentials/keys/private_key.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: private_key.c 3488 2008-02-21 15:10:02Z martin $
  */
 
 #include "private_key.h"
diff --git a/src/libstrongswan/credentials/keys/private_key.h b/src/libstrongswan/credentials/keys/private_key.h
index 219926af1..f38af8ff4 100644
--- a/src/libstrongswan/credentials/keys/private_key.h
+++ b/src/libstrongswan/credentials/keys/private_key.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: private_key.h 5003 2009-03-24 17:43:01Z martin $
  */
  
 /**
@@ -81,6 +79,14 @@ struct private_key_t {
 	 */
 	public_key_t* (*get_public_key)(private_key_t *this);
 	
+	/**
+	 * Check if two private keys are equal.
+	 * 
+	 * @param other		other private key
+	 * @return			TRUE, if equality
+	 */
+	bool (*equals) (private_key_t *this, private_key_t *other);
+
 	/**
 	 * Check if a private key belongs to a public key.
 	 * 
diff --git a/src/libstrongswan/credentials/keys/public_key.c b/src/libstrongswan/credentials/keys/public_key.c
index 80b9f03c3..c94c27f0a 100644
--- a/src/libstrongswan/credentials/keys/public_key.c
+++ b/src/libstrongswan/credentials/keys/public_key.c
@@ -11,27 +11,60 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: public_key.c 4051 2008-06-10 09:08:27Z tobias $
  */
 
+#include <asn1/oid.h>
+
 #include "public_key.h"
 
-ENUM(key_type_names, KEY_RSA, KEY_ECDSA,
+ENUM(key_type_names, KEY_RSA, KEY_DSA,
 	"RSA",
-	"ECDSA"
+	"ECDSA",
+	"DSA"
 );
 
-ENUM(signature_scheme_names, SIGN_DEFAULT, SIGN_ECDSA_521,
-	"DEFAULT",
+ENUM(signature_scheme_names, SIGN_UNKNOWN, SIGN_ECDSA_521,
+	"UNKNOWN",
+	"RSA_EMSA_PKCS1_NULL",
 	"RSA_EMSA_PKCS1_MD5",
 	"RSA_EMSA_PKCS1_SHA1",
 	"RSA_EMSA_PKCS1_SHA256",
 	"RSA_EMSA_PKCS1_SHA384",
 	"RSA_EMSA_PKCS1_SHA512",
+	"ECDSA_WITH_NULL",
 	"ECDSA_WITH_SHA1",
 	"ECDSA-256",
 	"ECDSA-384",
 	"ECDSA-521",
 );
 
+/*
+ * Defined in header.
+ */
+signature_scheme_t signature_scheme_from_oid(int oid)
+{
+	switch (oid)
+	{
+		case OID_MD5_WITH_RSA:
+		case OID_MD5:
+			return SIGN_RSA_EMSA_PKCS1_MD5;
+		case OID_SHA1_WITH_RSA:
+		case OID_SHA1:
+			return SIGN_RSA_EMSA_PKCS1_SHA1;
+		case OID_SHA256_WITH_RSA:
+		case OID_SHA256:
+			return SIGN_RSA_EMSA_PKCS1_SHA256;
+		case OID_SHA384_WITH_RSA:
+		case OID_SHA384:
+			return SIGN_RSA_EMSA_PKCS1_SHA384;
+		case OID_SHA512_WITH_RSA:
+		case OID_SHA512:
+			return SIGN_RSA_EMSA_PKCS1_SHA512;
+		case OID_ECDSA_WITH_SHA1:
+		case OID_EC_PUBLICKEY:
+			return SIGN_ECDSA_WITH_SHA1;
+		default:
+			return SIGN_UNKNOWN;
+	}
+}
+
diff --git a/src/libstrongswan/credentials/keys/public_key.h b/src/libstrongswan/credentials/keys/public_key.h
index 65bb5f64d..c58531b73 100644
--- a/src/libstrongswan/credentials/keys/public_key.h
+++ b/src/libstrongswan/credentials/keys/public_key.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: public_key.h 5003 2009-03-24 17:43:01Z martin $
  */
  
 /**
@@ -36,12 +34,14 @@ typedef enum signature_scheme_t signature_scheme_t;
  */
 enum key_type_t {
 	/** key type wildcard */
-	KEY_ANY,
+	KEY_ANY   = 0,
 	/** RSA crypto system as in PKCS#1 */
-	KEY_RSA,
+	KEY_RSA   = 1,
 	/** ECDSA as in ANSI X9.62 */
-	KEY_ECDSA,
-	/** DSS, ElGamal, ... */
+	KEY_ECDSA = 2,
+	/** DSA */
+	KEY_DSA   = 3,
+	/** ElGamal, ... */
 };
 
 /**
@@ -52,29 +52,35 @@ extern enum_name_t *key_type_names;
 /**
  * Signature scheme for signature creation
  *
- * EMSA-PKCS1 signatures are from the PKCS#1 standard. They include
- * the ASN1-OID of the used hash algorithm.
+ * EMSA-PKCS1 signatures are defined in PKCS#1 standard.
+ * A prepended ASN.1 encoded digestInfo field contains the 
+ * OID of the used hash algorithm. The ASN.1 type of the PKCS#7
+ * variants is OCTET_STRING instead of the default BIT_STRING.
  */
 enum signature_scheme_t {
-	/** default scheme of that underlying crypto system */
-	SIGN_DEFAULT,
-	/** EMSA-PKCS1 with MD5  */
+	/** Unknown signature scheme                                       */
+	SIGN_UNKNOWN,
+	/** EMSA-PKCS1_v1.5 signature over digest without digestInfo       */
+	SIGN_RSA_EMSA_PKCS1_NULL,
+	/** EMSA-PKCS1_v1.5 signature as in PKCS#1 using RSA and MD5       */
 	SIGN_RSA_EMSA_PKCS1_MD5,
-	/** EMSA-PKCS1 signature as in PKCS#1 standard using SHA1 as hash.  */
+	/** EMSA-PKCS1_v1.5 signature as in PKCS#1 using RSA and SHA-1     */
 	SIGN_RSA_EMSA_PKCS1_SHA1,
-	/** EMSA-PKCS1 signature as in PKCS#1 standard using SHA256 as hash. */
+	/** EMSA-PKCS1_v1.5 signature as in PKCS#1 using RSA and SHA-256   */
 	SIGN_RSA_EMSA_PKCS1_SHA256,
-	/** EMSA-PKCS1 signature as in PKCS#1 standard using SHA384 as hash. */
+	/** EMSA-PKCS1_v1.5 signature as in PKCS#1 using RSA and SHA-384   */
 	SIGN_RSA_EMSA_PKCS1_SHA384,
-	/** EMSA-PKCS1 signature as in PKCS#1 standard using SHA512 as hash. */
+	/** EMSA-PKCS1_v1.5 signature as in PKCS#1 using RSA and SHA-512   */
 	SIGN_RSA_EMSA_PKCS1_SHA512,
-	/** ECDSA using SHA-1 as hash. */
+	/** ECDSA over precomputed digest                                  */
+	SIGN_ECDSA_WITH_NULL,
+	/** ECDSA with SHA-1                                               */
 	SIGN_ECDSA_WITH_SHA1,
-	/** ECDSA with SHA-256 on the P-256 curve as in RFC 4754 */
+	/** ECDSA on the P-256 curve with SHA-256 as in RFC 4754           */
 	SIGN_ECDSA_256,
-	/** ECDSA with SHA-384 on the P-384 curve as in RFC 4754 */
+	/** ECDSA on the P-384 curve with SHA-384 as in RFC 4754           */
 	SIGN_ECDSA_384,
-	/** ECDSA with SHA-512 on the P-521 curve as in RFC 4754 */
+	/** ECDSA on the P-521 curve with SHA-512 as in RFC 4754           */
 	SIGN_ECDSA_521,
 };
 
@@ -109,12 +115,20 @@ struct public_key_t {
 	/**
 	 * Encrypt a chunk of data.
 	 *
-	 * @param crypto	chunk containing plaintext data
-	 * @param plain		where to allocate encrypted data
+	 * @param plain		chunk containing plaintext data
+	 * @param crypto	where to allocate encrypted data
 	 * @return 			TRUE if data successfully encrypted
 	 */
-	bool (*encrypt)(public_key_t *this, chunk_t crypto, chunk_t *plain);
+	bool (*encrypt)(public_key_t *this, chunk_t plain, chunk_t *crypto);
 	
+	/**
+	 * Check if two public keys are equal.
+	 * 
+	 * @param other		other public key
+	 * @return			TRUE, if equality
+	 */
+	bool (*equals)(public_key_t *this, public_key_t *other);
+
 	/**
 	 * Get the strength of the key in bytes.
 	 * 
@@ -152,4 +166,12 @@ struct public_key_t {
 	void (*destroy)(public_key_t *this);
 };
 
+/**
+ * Conversion of ASN.1 signature or hash OID to signature scheme.
+ * 
+ * @param oid			ASN.1 OID
+ * @return				signature_scheme, SIGN_UNKNOWN if OID is unsupported
+ */
+signature_scheme_t signature_scheme_from_oid(int oid);
+
 #endif /** PUBLIC_KEY_H_ @}*/
diff --git a/src/libstrongswan/credentials/keys/shared_key.c b/src/libstrongswan/credentials/keys/shared_key.c
index f55b52c3a..c6f141446 100644
--- a/src/libstrongswan/credentials/keys/shared_key.c
+++ b/src/libstrongswan/credentials/keys/shared_key.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: shared_key.c 3600 2008-03-14 15:11:29Z martin $
  */
 
 #include "shared_key.h"
diff --git a/src/libstrongswan/crypto/crypters/crypter.c b/src/libstrongswan/crypto/crypters/crypter.c
index 13ba9c6e2..ebd35a8a0 100644
--- a/src/libstrongswan/crypto/crypters/crypter.c
+++ b/src/libstrongswan/crypto/crypters/crypter.c
@@ -12,22 +12,20 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: crypter.c 4880 2009-02-18 19:45:46Z tobias $
  */
 
+#include <asn1/oid.h>
+
 #include "crypter.h"
 
-ENUM_BEGIN(encryption_algorithm_names, ENCR_UNDEFINED, ENCR_UNDEFINED,
-	"UNDEFINED");
-ENUM_NEXT(encryption_algorithm_names, ENCR_DES_IV64, ENCR_DES_IV32, ENCR_UNDEFINED,
+ENUM_BEGIN(encryption_algorithm_names, ENCR_DES_IV64, ENCR_DES_IV32,
 	"DES_IV64",
-	"DES",
-	"3DES",
-	"RC5",
-	"IDEA",
-	"CAST",
-	"BLOWFISH",
+	"DES_CBC",
+	"3DES_CBC",
+	"RC5_CBC",
+	"IDEA_CBC",
+	"CAST_CBC",
+	"BLOWFISH_CBC",
 	"3IDEA",
 	"DES_IV32");
 ENUM_NEXT(encryption_algorithm_names, ENCR_NULL, ENCR_AES_CCM_ICV16, ENCR_DES_IV32,
@@ -37,11 +35,128 @@ ENUM_NEXT(encryption_algorithm_names, ENCR_NULL, ENCR_AES_CCM_ICV16, ENCR_DES_IV
 	"AES_CCM_8",
 	"AES_CCM_12",
 	"AES_CCM_16");
-ENUM_NEXT(encryption_algorithm_names, ENCR_AES_GCM_ICV8, ENCR_AES_GCM_ICV16, ENCR_AES_CCM_ICV16,
+ENUM_NEXT(encryption_algorithm_names, ENCR_AES_GCM_ICV8, ENCR_NULL_AUTH_AES_GMAC, ENCR_AES_CCM_ICV16,
 	"AES_GCM_8",
 	"AES_GCM_12",
-	"AES_GCM_16");
-ENUM_NEXT(encryption_algorithm_names, ENCR_DES_ECB, ENCR_DES_ECB, ENCR_AES_GCM_ICV16,
-	"DES_ECB");
-ENUM_END(encryption_algorithm_names, ENCR_DES_ECB);
+	"AES_GCM_16",
+	"NULL_AES_GMAC");
+ENUM_NEXT(encryption_algorithm_names, ENCR_CAMELLIA_CBC, ENCR_CAMELLIA_CCM_ICV16, ENCR_NULL_AUTH_AES_GMAC,
+	"CAMELLIA_CBC",
+	"CAMELLIA_CTR",
+	"CAMELLIA_CCM_8",
+	"CAMELLIA_CCM_12",
+	"CAMELLIA_CCM_16");
+ENUM_NEXT(encryption_algorithm_names, ENCR_UNDEFINED, ENCR_TWOFISH_CBC, ENCR_CAMELLIA_CCM_ICV16,
+	"UNDEFINED",
+	"DES_ECB",
+	"SERPENT_CBC",
+	"TWOFISH_CBC");
+ENUM_END(encryption_algorithm_names, ENCR_TWOFISH_CBC);
+
+/*
+ * Described in header.
+ */
+encryption_algorithm_t encryption_algorithm_from_oid(int oid, size_t *key_size)
+{
+	encryption_algorithm_t alg;
+	size_t alg_key_size;
+
+	switch (oid)
+	{
+		case OID_DES_CBC:
+			alg = ENCR_DES;
+			alg_key_size = 0;
+			break;
+		case OID_3DES_EDE_CBC:
+			alg = ENCR_3DES;
+			alg_key_size = 0;
+			break;
+		case OID_AES128_CBC:
+			alg = ENCR_AES_CBC;
+			alg_key_size = 128;
+			break;
+		case OID_AES192_CBC:
+			alg = ENCR_AES_CBC;
+			alg_key_size = 192;
+			break;
+		case OID_AES256_CBC:
+			alg = ENCR_AES_CBC;
+			alg_key_size = 256;
+			break;
+		case OID_CAMELLIA128_CBC:
+			alg = ENCR_CAMELLIA_CBC;
+			alg_key_size = 128;
+			break;
+		case OID_CAMELLIA192_CBC:
+			alg = ENCR_CAMELLIA_CBC;
+			alg_key_size = 192;
+			break;
+		case OID_CAMELLIA256_CBC:
+			alg = ENCR_CAMELLIA_CBC;
+			alg_key_size = 256;
+			break;
+		default:
+			alg = ENCR_UNDEFINED;
+			alg_key_size = 0;
+	}
+	if (key_size)
+	{
+			*key_size = alg_key_size;
+	}
+	return alg;
+}
+
+/*
+ * Described in header.
+ */
+int encryption_algorithm_to_oid(encryption_algorithm_t alg, size_t key_size)
+{
+	int oid;
+
+	switch(alg)
+	{
+		case ENCR_DES:
+			oid = OID_DES_CBC;
+			break;
+		case ENCR_3DES:
+			oid = OID_3DES_EDE_CBC;
+			break;
+		case ENCR_AES_CBC:
+			switch (key_size)
+			{
+				case 128:
+					oid = OID_AES128_CBC;
+					break;
+				case 192:
+					oid = OID_AES192_CBC;
+					break;
+				case 256:
+					oid = OID_AES256_CBC;
+					break;
+				default:
+					oid = OID_UNKNOWN;
+			}
+			break;
+		case ENCR_CAMELLIA_CBC:
+			switch (key_size)
+			{
+				case 128:
+					oid = OID_CAMELLIA128_CBC;
+					break;
+				case 192:
+					oid = OID_CAMELLIA192_CBC;
+					break;
+				case 256:
+					oid = OID_CAMELLIA256_CBC;
+					break;
+				default:
+					oid = OID_UNKNOWN;
+			}
+			break;
+		default:
+			oid = OID_UNKNOWN;
+	}
+	return oid;
+}
+
 
diff --git a/src/libstrongswan/crypto/crypters/crypter.h b/src/libstrongswan/crypto/crypters/crypter.h
index d61d98f95..2879e24c0 100644
--- a/src/libstrongswan/crypto/crypters/crypter.h
+++ b/src/libstrongswan/crypto/crypters/crypter.h
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: crypter.h 5003 2009-03-24 17:43:01Z martin $
  */
  
 /**
@@ -33,28 +31,42 @@ typedef struct crypter_t crypter_t;
  * Encryption algorithm, as in IKEv2 RFC 3.3.2.
  */
 enum encryption_algorithm_t {
-	ENCR_UNDEFINED = 1024,
-	ENCR_DES_IV64 = 1,
-	ENCR_DES = 2,
-	ENCR_3DES = 3,
-	ENCR_RC5 = 4,
-	ENCR_IDEA = 5,
-	ENCR_CAST = 6,
-	ENCR_BLOWFISH = 7,
-	ENCR_3IDEA = 8,
-	ENCR_DES_IV32 = 9,
-	ENCR_NULL = 11,
-	ENCR_AES_CBC = 12,
-	ENCR_AES_CTR = 13,
-	ENCR_AES_CCM_ICV8 = 14,
-    ENCR_AES_CCM_ICV12 = 15,
-    ENCR_AES_CCM_ICV16 = 16,
-    ENCR_AES_GCM_ICV8 = 18,
-    ENCR_AES_GCM_ICV12 = 19,
-    ENCR_AES_GCM_ICV16 = 20,
-    ENCR_DES_ECB = 1025
+	ENCR_DES_IV64 =            1,
+	ENCR_DES =                 2,
+	ENCR_3DES =                3,
+	ENCR_RC5 =                 4,
+	ENCR_IDEA =                5,
+	ENCR_CAST =                6,
+	ENCR_BLOWFISH =            7,
+	ENCR_3IDEA =               8,
+	ENCR_DES_IV32 =            9,
+	ENCR_NULL =               11,
+	ENCR_AES_CBC =            12,
+	ENCR_AES_CTR =            13,
+	ENCR_AES_CCM_ICV8 =       14,
+	ENCR_AES_CCM_ICV12 =      15,
+	ENCR_AES_CCM_ICV16 =      16,
+	ENCR_AES_GCM_ICV8 =       18,
+	ENCR_AES_GCM_ICV12 =      19,
+	ENCR_AES_GCM_ICV16 =      20,
+	ENCR_NULL_AUTH_AES_GMAC = 21,
+	ENCR_CAMELLIA_CBC =       23,
+	ENCR_CAMELLIA_CTR =       24,
+	ENCR_CAMELLIA_CCM_ICV8 =  25,
+	ENCR_CAMELLIA_CCM_ICV12 = 26,
+	ENCR_CAMELLIA_CCM_ICV16 = 27,
+	ENCR_UNDEFINED =        1024,
+    ENCR_DES_ECB =          1025,
+	ENCR_SERPENT_CBC =      1026,
+    ENCR_TWOFISH_CBC =      1027
 };
 
+#define DES_BLOCK_SIZE			 8
+#define BLOWFISH_BLOCK_SIZE		 8
+#define AES_BLOCK_SIZE			16
+#define SERPENT_BLOCK_SIZE		16
+#define TWOFISH_BLOCK_SIZE		16
+
 /**
  * enum name for encryption_algorithm_t.
  */
@@ -122,4 +134,22 @@ struct crypter_t {
 	void (*destroy) (crypter_t *this);
 };
 
+/**
+ * Conversion of ASN.1 OID to encryption algorithm.
+ * 
+ * @param oid			ASN.1 OID
+ * @param key_size		returns size of encryption key in bits
+ * @return				encryption algorithm, ENCR_UNDEFINED if OID unsupported
+ */
+encryption_algorithm_t encryption_algorithm_from_oid(int oid, size_t *key_size);
+
+/**
+ * Conversion of encryption algorithm to ASN.1 OID.
+ * 
+ * @param alg			encryption algorithm
+ * @param key_size		size of encryption key in bits
+ * @return				ASN.1 OID, OID_UNKNOWN if OID is unknown
+ */
+int encryption_algorithm_to_oid(encryption_algorithm_t alg, size_t key_size);
+
 #endif /** CRYPTER_H_ @}*/
diff --git a/src/libstrongswan/crypto/crypto_factory.c b/src/libstrongswan/crypto/crypto_factory.c
index dcc881f1d..fea8d0793 100644
--- a/src/libstrongswan/crypto/crypto_factory.c
+++ b/src/libstrongswan/crypto/crypto_factory.c
@@ -11,14 +11,14 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: crypto_factory.c 4592 2008-11-05 16:21:57Z martin $
  */
 
 #include "crypto_factory.h"
 
-#include <utils/linked_list.h>
+#include <debug.h>
 #include <utils/mutex.h>
+#include <utils/linked_list.h>
+#include <crypto/crypto_tester.h>
 
 typedef struct entry_t entry_t;
 struct entry_t {
@@ -77,6 +77,21 @@ struct private_crypto_factory_t {
 	 */
 	linked_list_t *dhs;
 	
+	/**
+	 * test manager to test crypto algorithms
+	 */
+	crypto_tester_t *tester;
+	
+	/**
+	 * whether to test algorithms during registration
+	 */
+	bool test_on_add;
+	
+	/**
+	 * whether to test algorithms on each crypto primitive construction
+	 */
+	bool test_on_create;
+	
 	/**
 	 * rwlock to lock access to modules
 	 */
@@ -92,13 +107,19 @@ static crypter_t* create_crypter(private_crypto_factory_t *this,
 	enumerator_t *enumerator;
 	entry_t *entry;
 	crypter_t *crypter = NULL;
-
+	
 	this->lock->read_lock(this->lock);
 	enumerator = this->crypters->create_enumerator(this->crypters);
 	while (enumerator->enumerate(enumerator, &entry))
 	{
 		if (entry->algo == algo)
 		{
+			if (this->test_on_create &&
+				!this->tester->test_crypter(this->tester, algo, key_size,
+										    entry->create_crypter))
+			{
+				continue;
+			}
 			crypter = entry->create_crypter(algo, key_size);
 			if (crypter)
 			{
@@ -120,13 +141,19 @@ static signer_t* create_signer(private_crypto_factory_t *this,
 	enumerator_t *enumerator;
 	entry_t *entry;
 	signer_t *signer = NULL;
-
+	
 	this->lock->read_lock(this->lock);
 	enumerator = this->signers->create_enumerator(this->signers);
 	while (enumerator->enumerate(enumerator, &entry))
 	{
 		if (entry->algo == algo)
 		{
+			if (this->test_on_create &&
+				!this->tester->test_signer(this->tester, algo,
+										   entry->create_signer))
+			{
+				continue;
+			}
 			signer = entry->create_signer(algo);
 			if (signer)
 			{
@@ -136,7 +163,7 @@ static signer_t* create_signer(private_crypto_factory_t *this,
 	}
 	enumerator->destroy(enumerator);
 	this->lock->unlock(this->lock);
-
+	
 	return signer;
 }
 
@@ -156,6 +183,12 @@ static hasher_t* create_hasher(private_crypto_factory_t *this,
 	{
 		if (algo == HASH_PREFERRED || entry->algo == algo)
 		{
+			if (this->test_on_create && algo != HASH_PREFERRED &&
+				!this->tester->test_hasher(this->tester, algo,
+										   entry->create_hasher))
+			{
+				continue;
+			}
 			hasher = entry->create_hasher(entry->algo);
 			if (hasher)
 			{
@@ -184,6 +217,11 @@ static prf_t* create_prf(private_crypto_factory_t *this,
 	{
 		if (entry->algo == algo)
 		{
+			if (this->test_on_create &&
+				!this->tester->test_prf(this->tester, algo, entry->create_prf))
+			{
+				continue;
+			}
 			prf = entry->create_prf(algo);
 			if (prf)
 			{
@@ -205,13 +243,18 @@ static rng_t* create_rng(private_crypto_factory_t *this, rng_quality_t quality)
 	entry_t *entry;
 	u_int diff = ~0;
 	rng_constructor_t constr = NULL;
-
+	
 	this->lock->read_lock(this->lock);
 	enumerator = this->rngs->create_enumerator(this->rngs);
 	while (enumerator->enumerate(enumerator, &entry))
 	{	/* find the best matching quality, but at least as good as requested */
 		if (entry->algo >= quality && diff > entry->algo - quality)
 		{
+			if (this->test_on_create &&
+				!this->tester->test_rng(this->tester, quality, entry->create_rng))
+			{
+				continue;
+			}
 			diff = entry->algo - quality;
 			constr = entry->create_rng;
 			if (diff == 0)
@@ -264,13 +307,17 @@ static void add_crypter(private_crypto_factory_t *this,
 						encryption_algorithm_t algo,
 						crypter_constructor_t create)
 {
-	entry_t *entry = malloc_thing(entry_t);
-	
-	entry->algo = algo;
-	entry->create_crypter = create;
-	this->lock->write_lock(this->lock);
-	this->crypters->insert_last(this->crypters, entry);
-	this->lock->unlock(this->lock);
+	if (!this->test_on_add ||
+		this->tester->test_crypter(this->tester, algo, 0, create))
+	{
+		entry_t *entry = malloc_thing(entry_t);
+		
+		entry->algo = algo;
+		entry->create_crypter = create;
+		this->lock->write_lock(this->lock);
+		this->crypters->insert_last(this->crypters, entry);
+		this->lock->unlock(this->lock);
+	}
 }
 
 /**
@@ -302,13 +349,17 @@ static void remove_crypter(private_crypto_factory_t *this,
 static void add_signer(private_crypto_factory_t *this,
 					   integrity_algorithm_t algo, signer_constructor_t create)
 {
-	entry_t *entry = malloc_thing(entry_t);
-	
-	entry->algo = algo;
-	entry->create_signer = create;
-	this->lock->write_lock(this->lock);
-	this->signers->insert_last(this->signers, entry);
-	this->lock->unlock(this->lock);
+	if (!this->test_on_add ||
+		this->tester->test_signer(this->tester, algo, create))
+	{
+		entry_t *entry = malloc_thing(entry_t);
+		
+		entry->algo = algo;
+		entry->create_signer = create;
+		this->lock->write_lock(this->lock);
+		this->signers->insert_last(this->signers, entry);
+		this->lock->unlock(this->lock);
+	}
 }
 
 /**
@@ -340,13 +391,17 @@ static void remove_signer(private_crypto_factory_t *this,
 static void add_hasher(private_crypto_factory_t *this, hash_algorithm_t algo,
 					   hasher_constructor_t create)
 {
-	entry_t *entry = malloc_thing(entry_t);
-	
-	entry->algo = algo;
-	entry->create_hasher = create;
-	this->lock->write_lock(this->lock);
-	this->hashers->insert_last(this->hashers, entry);
-	this->lock->unlock(this->lock);
+	if (!this->test_on_add ||
+		this->tester->test_hasher(this->tester, algo, create))
+	{
+		entry_t *entry = malloc_thing(entry_t);
+		
+		entry->algo = algo;
+		entry->create_hasher = create;
+		this->lock->write_lock(this->lock);
+		this->hashers->insert_last(this->hashers, entry);
+		this->lock->unlock(this->lock);
+	}
 }
 
 /**
@@ -378,13 +433,17 @@ static void remove_hasher(private_crypto_factory_t *this,
 static void add_prf(private_crypto_factory_t *this,
 					pseudo_random_function_t algo, prf_constructor_t create)
 {
-	entry_t *entry = malloc_thing(entry_t);
-	
-	entry->algo = algo;
-	entry->create_prf = create;
-	this->lock->write_lock(this->lock);
-	this->prfs->insert_last(this->prfs, entry);
-	this->lock->unlock(this->lock);
+	if (!this->test_on_add ||
+		this->tester->test_prf(this->tester, algo, create))
+	{
+		entry_t *entry = malloc_thing(entry_t);
+		
+		entry->algo = algo;
+		entry->create_prf = create;
+		this->lock->write_lock(this->lock);
+		this->prfs->insert_last(this->prfs, entry);
+		this->lock->unlock(this->lock);
+	}
 }
 
 /**
@@ -415,13 +474,17 @@ static void remove_prf(private_crypto_factory_t *this, prf_constructor_t create)
 static void add_rng(private_crypto_factory_t *this, rng_quality_t quality,
 					rng_constructor_t create)
 {
-	entry_t *entry = malloc_thing(entry_t);
-	
-	entry->algo = quality;
-	entry->create_rng = create;
-	this->lock->write_lock(this->lock);
-	this->rngs->insert_last(this->rngs, entry);
-	this->lock->unlock(this->lock);
+	if (!this->test_on_add ||
+		this->tester->test_rng(this->tester, quality, create))
+	{
+		entry_t *entry = malloc_thing(entry_t);
+		
+		entry->algo = quality;
+		entry->create_rng = create;
+		this->lock->write_lock(this->lock);
+		this->rngs->insert_last(this->rngs, entry);
+		this->lock->unlock(this->lock);
+	}
 }
 
 /**
@@ -604,6 +667,30 @@ static enumerator_t* create_dh_enumerator(private_crypto_factory_t *this)
 	return create_enumerator(this, this->dhs, dh_filter);
 }
 
+/**
+ * Implementation of crypto_factory_t.add_test_vector
+ */
+static void add_test_vector(private_crypto_factory_t *this,
+							transform_type_t type, void *vector)
+{
+	switch (type)
+	{
+		case ENCRYPTION_ALGORITHM:
+			return this->tester->add_crypter_vector(this->tester, vector);
+		case INTEGRITY_ALGORITHM:
+			return this->tester->add_signer_vector(this->tester, vector);
+		case HASH_ALGORITHM:
+			return this->tester->add_hasher_vector(this->tester, vector);
+		case PSEUDO_RANDOM_FUNCTION:
+			return this->tester->add_prf_vector(this->tester, vector);
+		case RANDOM_NUMBER_GENERATOR:
+			return this->tester->add_rng_vector(this->tester, vector);
+		default:
+			DBG1("%N test vectors not supported, ignored",
+				 transform_type_names, type);
+	}
+}
+
 /**
  * Implementation of crypto_factory_t.destroy
  */
@@ -615,6 +702,7 @@ static void destroy(private_crypto_factory_t *this)
 	this->prfs->destroy_function(this->prfs, free);
 	this->rngs->destroy_function(this->rngs, free);
 	this->dhs->destroy_function(this->dhs, free);
+	this->tester->destroy(this->tester);
 	this->lock->destroy(this->lock);
 	free(this);
 }
@@ -649,6 +737,7 @@ crypto_factory_t *crypto_factory_create()
 	this->public.create_hasher_enumerator = (enumerator_t*(*)(crypto_factory_t*))create_hasher_enumerator;
 	this->public.create_prf_enumerator = (enumerator_t*(*)(crypto_factory_t*))create_prf_enumerator;
 	this->public.create_dh_enumerator = (enumerator_t*(*)(crypto_factory_t*))create_dh_enumerator;
+	this->public.add_test_vector = (void(*)(crypto_factory_t*, transform_type_t type, ...))add_test_vector;
 	this->public.destroy = (void(*)(crypto_factory_t*))destroy;
 	
 	this->crypters = linked_list_create();
@@ -658,6 +747,11 @@ crypto_factory_t *crypto_factory_create()
 	this->rngs = linked_list_create();
 	this->dhs = linked_list_create();
 	this->lock = rwlock_create(RWLOCK_DEFAULT);
+	this->tester = crypto_tester_create();
+	this->test_on_add = lib->settings->get_bool(lib->settings,
+								"libstrongswan.crypto_test.on_add", FALSE);
+	this->test_on_create = lib->settings->get_bool(lib->settings,
+								"libstrongswan.crypto_test.on_create", FALSE);
 	
 	return &this->public;
 }
diff --git a/src/libstrongswan/crypto/crypto_factory.h b/src/libstrongswan/crypto/crypto_factory.h
index e2d2de71a..f1ebcf90a 100644
--- a/src/libstrongswan/crypto/crypto_factory.h
+++ b/src/libstrongswan/crypto/crypto_factory.h
@@ -30,6 +30,7 @@ typedef struct crypto_factory_t crypto_factory_t;
 #include <crypto/prfs/prf.h>
 #include <crypto/rngs/rng.h>
 #include <crypto/diffie_hellman.h>
+#include <crypto/transform.h>
 
 /**
  * Constructor function for crypters
@@ -257,9 +258,17 @@ struct crypto_factory_t {
 	enumerator_t* (*create_dh_enumerator)(crypto_factory_t *this);
 	
 	/**
-     * Destroy a crypto_factory instance.
-     */
-    void (*destroy)(crypto_factory_t *this);
+	 * Add a test vector to the crypto factory.
+	 *
+	 * @param type			type of the test vector
+	 * @param ...			pointer to a test vector, defined in crypto_tester.h
+	 */
+	void (*add_test_vector)(crypto_factory_t *this, transform_type_t type, ...);
+	
+	/**
+	 * Destroy a crypto_factory instance.
+	 */
+	void (*destroy)(crypto_factory_t *this);
 };
 
 /**
diff --git a/src/libstrongswan/crypto/crypto_tester.c b/src/libstrongswan/crypto/crypto_tester.c
new file mode 100644
index 000000000..b0b5aa969
--- /dev/null
+++ b/src/libstrongswan/crypto/crypto_tester.c
@@ -0,0 +1,629 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "crypto_tester.h"
+
+#include <debug.h>
+#include <utils/linked_list.h>
+
+typedef struct private_crypto_tester_t private_crypto_tester_t;
+
+/**
+ * Private data of an crypto_tester_t object.
+ */
+struct private_crypto_tester_t {
+	
+	/**
+	 * Public crypto_tester_t interface.
+	 */
+	crypto_tester_t public;
+	
+	/**
+	 * List of crypter test vectors
+	 */
+	linked_list_t *crypter;
+	
+	/**
+	 * List of signer test vectors
+	 */
+	linked_list_t *signer;
+	
+	/**
+	 * List of hasher test vectors
+	 */
+	linked_list_t *hasher;
+	
+	/**
+	 * List of PRF test vectors
+	 */
+	linked_list_t *prf;
+	
+	/**
+	 * List of RNG test vectors
+	 */
+	linked_list_t *rng;
+	
+	/**
+	 * Is a test vector required to pass a test?
+	 */
+	bool required;
+	
+	/**
+	 * should we run RNG_TRUE tests? Enough entropy?
+	 */
+	bool rng_true;
+};
+
+/**
+ * Implementation of crypto_tester_t.test_crypter
+ */
+static bool test_crypter(private_crypto_tester_t *this,
+	encryption_algorithm_t alg, size_t key_size, crypter_constructor_t create)
+{
+	enumerator_t *enumerator;
+	crypter_test_vector_t *vector;
+	bool failed = FALSE;
+	u_int tested = 0;
+	
+	enumerator = this->crypter->create_enumerator(this->crypter);
+	while (enumerator->enumerate(enumerator, &vector))
+	{
+		crypter_t *crypter;
+		chunk_t key, plain, cipher, iv;
+		
+		if (vector->alg != alg)
+		{
+			continue;
+		}
+		if (key_size && key_size != vector->key_size)
+		{	/* test only vectors with a specific key size, if key size given */
+			continue;
+		}
+		crypter = create(alg, vector->key_size);
+		if (!crypter)
+		{	/* key size not supported... */
+			continue;
+		}
+		
+		failed = FALSE;
+		tested++;
+		
+		key = chunk_create(vector->key, crypter->get_key_size(crypter));
+		crypter->set_key(crypter, key);
+		iv = chunk_create(vector->iv, crypter->get_block_size(crypter));
+		
+		/* allocated encryption */
+		plain = chunk_create(vector->plain, vector->len);
+		crypter->encrypt(crypter, plain, iv, &cipher);
+		if (!memeq(vector->cipher, cipher.ptr, cipher.len))
+		{
+			failed = TRUE;
+		}
+		/* inline decryption */
+		crypter->decrypt(crypter, cipher, iv, NULL);
+		if (!memeq(vector->plain, cipher.ptr, cipher.len))
+		{
+			failed = TRUE;
+		}
+		free(cipher.ptr);
+		/* allocated decryption */
+		cipher = chunk_create(vector->cipher, vector->len);
+		crypter->decrypt(crypter, cipher, iv, &plain);
+		if (!memeq(vector->plain, plain.ptr, plain.len))
+		{
+			failed = TRUE;
+		}
+		/* inline encryption */
+		crypter->encrypt(crypter, plain, iv, NULL);
+		if (!memeq(vector->cipher, plain.ptr, plain.len))
+		{
+			failed = TRUE;
+		}
+		free(plain.ptr);
+		
+		crypter->destroy(crypter);
+		if (failed)
+		{
+			DBG1("disabled %N: test vector %d failed",
+				 encryption_algorithm_names, alg, tested);
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	if (!tested)
+	{
+		DBG1("%s %N: no test vectors found",
+			 this->required ? "disabled" : "enabled ",
+			 encryption_algorithm_names, alg);
+		return !this->required;
+	}
+	if (!failed)
+	{
+		DBG1("enabled  %N: successfully passed %d test vectors",
+			 encryption_algorithm_names, alg, tested);
+	}
+	return !failed;
+}
+
+/**
+ * Implementation of crypto_tester_t.test_signer
+ */
+static bool test_signer(private_crypto_tester_t *this,
+						integrity_algorithm_t alg, signer_constructor_t create)
+{
+	enumerator_t *enumerator;
+	signer_test_vector_t *vector;
+	bool failed = FALSE;
+	u_int tested = 0;
+	
+	enumerator = this->signer->create_enumerator(this->signer);
+	while (enumerator->enumerate(enumerator, &vector))
+	{
+		signer_t *signer;
+		chunk_t key, data, mac;
+		
+		if (vector->alg != alg)
+		{
+			continue;
+		}
+		
+		tested++;
+		signer = create(alg);
+		if (!signer)
+		{
+			DBG1("disabled %N: creating instance failed",
+				 integrity_algorithm_names, alg);
+			failed = TRUE;
+			break;
+		}
+		
+		failed = FALSE;
+		
+		key = chunk_create(vector->key, signer->get_key_size(signer));
+		signer->set_key(signer, key);
+		
+		/* allocated signature */
+		data = chunk_create(vector->data, vector->len);
+		signer->allocate_signature(signer, data, &mac);
+		if (mac.len != signer->get_block_size(signer))
+		{
+			failed = TRUE;
+		}
+		if (!memeq(vector->mac, mac.ptr, mac.len))
+		{
+			failed = TRUE;
+		}
+		/* signature to existing buffer */
+		memset(mac.ptr, 0, mac.len);
+		signer->get_signature(signer, data, mac.ptr);
+		if (!memeq(vector->mac, mac.ptr, mac.len))
+		{
+			failed = TRUE;
+		}
+		/* signature verification, good case */
+		if (!signer->verify_signature(signer, data, mac))
+		{
+			failed = TRUE;
+		}
+		/* signature verification, bad case */
+		*(mac.ptr + mac.len - 1) += 1;
+		if (signer->verify_signature(signer, data, mac))
+		{
+			failed = TRUE;
+		}
+		/* signature to existing buffer, using append mode */
+		if (data.len > 2)
+		{
+			memset(mac.ptr, 0, mac.len);
+			signer->allocate_signature(signer, chunk_create(data.ptr, 1), NULL);
+			signer->get_signature(signer, chunk_create(data.ptr + 1, 1), NULL);
+			signer->get_signature(signer, chunk_skip(data, 2), mac.ptr);
+			if (!memeq(vector->mac, mac.ptr, mac.len))
+			{
+				failed = TRUE;
+			}
+		}
+		free(mac.ptr);
+		
+		signer->destroy(signer);
+		if (failed)
+		{
+			DBG1("disabled %N: test vector %d failed",
+				 integrity_algorithm_names, alg, tested);
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	if (!tested)
+	{
+		DBG1("%s %N: no test vectors found",
+			 this->required ? "disabled" : "enabled ",
+			 integrity_algorithm_names, alg);
+		return !this->required;
+	}
+	if (!failed)
+	{
+		DBG1("enabled  %N: successfully passed %d test vectors",
+			 integrity_algorithm_names, alg, tested);
+	}
+	return !failed;
+}
+
+/**
+ * Implementation of hasher_t.test_hasher
+ */
+static bool test_hasher(private_crypto_tester_t *this, hash_algorithm_t alg,
+						hasher_constructor_t create)
+{
+	enumerator_t *enumerator;
+	hasher_test_vector_t *vector;
+	bool failed = FALSE;
+	u_int tested = 0;
+	
+	enumerator = this->hasher->create_enumerator(this->hasher);
+	while (enumerator->enumerate(enumerator, &vector))
+	{
+		hasher_t *hasher;
+		chunk_t data, hash;
+		
+		if (vector->alg != alg)
+		{
+			continue;
+		}
+		
+		tested++;
+		hasher = create(alg);
+		if (!hasher)
+		{
+			DBG1("disabled %N: creating instance failed",
+				 hash_algorithm_names, alg);
+			failed = TRUE;
+			break;
+		}
+		
+		failed = FALSE;
+		
+		/* allocated hash */
+		data = chunk_create(vector->data, vector->len);
+		hasher->allocate_hash(hasher, data, &hash);
+		if (hash.len != hasher->get_hash_size(hasher))
+		{
+			failed = TRUE;
+		}
+		if (!memeq(vector->hash, hash.ptr, hash.len))
+		{
+			failed = TRUE;
+		}
+		/* hash to existing buffer */
+		memset(hash.ptr, 0, hash.len);
+		hasher->get_hash(hasher, data, hash.ptr);
+		if (!memeq(vector->hash, hash.ptr, hash.len))
+		{
+			failed = TRUE;
+		}
+		/* hasher to existing buffer, using append mode */
+		if (data.len > 2)
+		{
+			memset(hash.ptr, 0, hash.len);
+			hasher->allocate_hash(hasher, chunk_create(data.ptr, 1), NULL);
+			hasher->get_hash(hasher, chunk_create(data.ptr + 1, 1), NULL);
+			hasher->get_hash(hasher, chunk_skip(data, 2), hash.ptr);
+			if (!memeq(vector->hash, hash.ptr, hash.len))
+			{
+				failed = TRUE;
+			}
+		}
+		free(hash.ptr);
+		
+		hasher->destroy(hasher);
+		if (failed)
+		{
+			DBG1("disabled %N: test vector %d failed",
+				 hash_algorithm_names, alg), tested;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	if (!tested)
+	{
+		DBG1("%s %N: no test vectors found",
+			 this->required ? "disabled" : "enabled ",
+			 hash_algorithm_names, alg);
+		return !this->required;
+	}
+	if (!failed)
+	{
+		DBG1("enabled  %N: successfully passed %d test vectors",
+			 hash_algorithm_names, alg, tested);
+	}
+	return !failed;
+}
+
+/**
+ * Implementation of crypto_tester_t.test_prf
+ */
+static bool test_prf(private_crypto_tester_t *this,
+					 pseudo_random_function_t alg, prf_constructor_t create)
+{
+	enumerator_t *enumerator;
+	prf_test_vector_t *vector;
+	bool failed = FALSE;
+	u_int tested = 0;
+	
+	enumerator = this->prf->create_enumerator(this->prf);
+	while (enumerator->enumerate(enumerator, &vector))
+	{
+		prf_t *prf;
+		chunk_t key, seed, out;
+		
+		if (vector->alg != alg)
+		{
+			continue;
+		}
+		
+		tested++;
+		prf = create(alg);
+		if (!prf)
+		{
+			DBG1("disabled %N: creating instance failed",
+				 pseudo_random_function_names, alg);
+			failed = TRUE;
+			break;
+		}
+		
+		failed = FALSE;
+		
+		key = chunk_create(vector->key, vector->key_size);
+		prf->set_key(prf, key);
+		
+		/* allocated bytes */
+		seed = chunk_create(vector->seed, vector->len);
+		prf->allocate_bytes(prf, seed, &out);
+		if (out.len != prf->get_block_size(prf))
+		{
+			failed = TRUE;
+		}
+		if (!memeq(vector->out, out.ptr, out.len))
+		{
+			failed = TRUE;
+		}
+		/* bytes to existing buffer */
+		memset(out.ptr, 0, out.len);
+		if (vector->stateful)
+		{
+			prf->set_key(prf, key);
+		}
+		prf->get_bytes(prf, seed, out.ptr);
+		if (!memeq(vector->out, out.ptr, out.len))
+		{
+			failed = TRUE;
+		}
+		/* bytes to existing buffer, using append mode */
+		if (seed.len > 2)
+		{
+			memset(out.ptr, 0, out.len);
+			if (vector->stateful)
+			{
+				prf->set_key(prf, key);
+			}
+			prf->allocate_bytes(prf, chunk_create(seed.ptr, 1), NULL);
+			prf->get_bytes(prf, chunk_create(seed.ptr + 1, 1), NULL);
+			prf->get_bytes(prf, chunk_skip(seed, 2), out.ptr);
+			if (!memeq(vector->out, out.ptr, out.len))
+			{
+				failed = TRUE;
+			}
+		}
+		free(out.ptr);
+		
+		prf->destroy(prf);
+		if (failed)
+		{
+			DBG1("disabled %N: test vector %d failed",
+				 pseudo_random_function_names, alg, tested);
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	if (!tested)
+	{
+		DBG1("%s %N: no test vectors found",
+			 this->required ? "disabled" : "enabled ",
+			 pseudo_random_function_names, alg);
+		return !this->required;
+	}
+	if (!failed)
+	{
+		DBG1("enabled  %N: successfully passed %d test vectors",
+			 pseudo_random_function_names, alg, tested);
+	}
+	return !failed;
+}
+
+/**
+ * Implementation of crypto_tester_t.test_rng
+ */
+static bool test_rng(private_crypto_tester_t *this, rng_quality_t quality,
+					 rng_constructor_t create)
+{
+	enumerator_t *enumerator;
+	rng_test_vector_t *vector;
+	bool failed = FALSE;
+	u_int tested = 0;
+	
+	if (!this->rng_true && quality == RNG_TRUE)
+	{
+		DBG1("enabled  %N: skipping test (disabled by config)",
+			 rng_quality_names, quality);
+		return TRUE;
+	}
+	
+	enumerator = this->rng->create_enumerator(this->rng);
+	while (enumerator->enumerate(enumerator, &vector))
+	{
+		rng_t *rng;
+		chunk_t data;
+		
+		if (vector->quality != quality)
+		{
+			continue;
+		}
+		
+		tested++;
+		rng = create(quality);
+		if (!rng)
+		{
+			DBG1("disabled %N: creating instance failed",
+				 rng_quality_names, quality);
+			failed = TRUE;
+			break;
+		}
+		
+		failed = FALSE;
+		
+		/* allocated bytes */
+		rng->allocate_bytes(rng, vector->len, &data);
+		if (data.len != vector->len)
+		{
+			failed = TRUE;
+		}
+		if (!vector->test(vector->user, data))
+		{
+			failed = TRUE;
+		}
+		/* bytes to existing buffer */
+		memset(data.ptr, 0, data.len);
+		rng->get_bytes(rng, vector->len, data.ptr);
+		if (!vector->test(vector->user, data))
+		{
+			failed = TRUE;
+		}
+		free(data.ptr);
+		
+		rng->destroy(rng);
+		if (failed)
+		{
+			DBG1("disabled %N: test vector %d failed",
+				 rng_quality_names, quality, tested);
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	if (!tested)
+	{
+		DBG1("%s %N: no test vectors found",
+			 this->required ? ", disabled" : "enabled ",
+			 rng_quality_names, quality);
+		return !this->required;
+	}
+	if (!failed)
+	{
+		DBG1("enabled  %N: successfully passed %d test vectors",
+			 rng_quality_names, quality, tested);
+	}
+	return !failed;
+}
+
+/**
+ * Implementation of crypter_tester_t.add_crypter_vector
+ */
+static void add_crypter_vector(private_crypto_tester_t *this,
+							   crypter_test_vector_t *vector)
+{
+	this->crypter->insert_last(this->crypter, vector);
+}
+
+/**
+ * Implementation of crypter_tester_t.add_signer_vector
+ */
+static void add_signer_vector(private_crypto_tester_t *this,
+							  signer_test_vector_t *vector)
+{
+	this->signer->insert_last(this->signer, vector);
+}
+
+/**
+ * Implementation of crypter_tester_t.add_hasher_vector
+ */
+static void add_hasher_vector(private_crypto_tester_t *this,
+							  hasher_test_vector_t *vector)
+{
+	this->hasher->insert_last(this->hasher, vector);
+}
+
+/**
+ * Implementation of crypter_tester_t.add_prf_vector
+ */
+static void add_prf_vector(private_crypto_tester_t *this,
+						   prf_test_vector_t *vector)
+{
+	this->prf->insert_last(this->prf, vector);
+}
+
+/**
+ * Implementation of crypter_tester_t.add_rng_vector
+ */
+static void add_rng_vector(private_crypto_tester_t *this,
+						   rng_test_vector_t *vector)
+{
+	this->rng->insert_last(this->rng, vector);
+}
+
+/**
+ * Implementation of crypto_tester_t.destroy.
+ */
+static void destroy(private_crypto_tester_t *this)
+{
+	this->crypter->destroy(this->crypter);
+	this->signer->destroy(this->signer);
+	this->hasher->destroy(this->hasher);
+	this->prf->destroy(this->prf);
+	this->rng->destroy(this->rng);
+	free(this);
+}
+
+/**
+ * See header
+ */
+crypto_tester_t *crypto_tester_create()
+{
+	private_crypto_tester_t *this = malloc_thing(private_crypto_tester_t);
+	
+	this->public.test_crypter = (bool(*)(crypto_tester_t*, encryption_algorithm_t alg,size_t key_size, crypter_constructor_t create))test_crypter;
+	this->public.test_signer = (bool(*)(crypto_tester_t*, integrity_algorithm_t alg, signer_constructor_t create))test_signer;
+	this->public.test_hasher = (bool(*)(crypto_tester_t*, hash_algorithm_t alg, hasher_constructor_t create))test_hasher;
+	this->public.test_prf = (bool(*)(crypto_tester_t*, pseudo_random_function_t alg, prf_constructor_t create))test_prf;
+	this->public.test_rng = (bool(*)(crypto_tester_t*, rng_quality_t quality, rng_constructor_t create))test_rng;
+	this->public.add_crypter_vector = (void(*)(crypto_tester_t*, crypter_test_vector_t *vector))add_crypter_vector;
+	this->public.add_signer_vector = (void(*)(crypto_tester_t*, signer_test_vector_t *vector))add_signer_vector;
+	this->public.add_hasher_vector = (void(*)(crypto_tester_t*, hasher_test_vector_t *vector))add_hasher_vector;
+	this->public.add_prf_vector = (void(*)(crypto_tester_t*, prf_test_vector_t *vector))add_prf_vector;
+	this->public.add_rng_vector = (void(*)(crypto_tester_t*, rng_test_vector_t *vector))add_rng_vector;
+	this->public.destroy = (void(*)(crypto_tester_t*))destroy;
+	
+	this->crypter = linked_list_create();
+	this->signer = linked_list_create();
+	this->hasher = linked_list_create();
+	this->prf = linked_list_create();
+	this->rng = linked_list_create();
+	
+	this->required = lib->settings->get_bool(lib->settings,
+								"libstrongswan.crypto_test.required", FALSE);
+	this->rng_true = lib->settings->get_bool(lib->settings,
+								"libstrongswan.crypto_test.rng_true", FALSE);
+	
+	return &this->public;
+}
+
diff --git a/src/libstrongswan/crypto/crypto_tester.h b/src/libstrongswan/crypto/crypto_tester.h
new file mode 100644
index 000000000..d2929f33d
--- /dev/null
+++ b/src/libstrongswan/crypto/crypto_tester.h
@@ -0,0 +1,205 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup crypto_tester crypto_tester
+ * @{ @ingroup crypto
+ */
+
+#ifndef CRYPTO_TESTER_H_
+#define CRYPTO_TESTER_H_
+
+typedef struct crypto_tester_t crypto_tester_t;
+
+#include <crypto/crypto_factory.h>
+
+typedef struct crypter_test_vector_t crypter_test_vector_t;
+typedef struct signer_test_vector_t signer_test_vector_t;
+typedef struct hasher_test_vector_t hasher_test_vector_t;
+typedef struct prf_test_vector_t prf_test_vector_t;
+typedef struct rng_test_vector_t rng_test_vector_t;
+
+struct crypter_test_vector_t {
+	/** encryption algorithm this vector tests */
+	encryption_algorithm_t alg;
+	/** key length to use, in bytes */
+	size_t key_size;
+	/** encryption key of test vector */
+	u_char *key;
+	/** initialization vector, using crypters blocksize bytes */
+	u_char *iv;
+	/** length of plain and cipher text */
+	size_t len;
+	/** plain text */
+	u_char *plain;
+	/** cipher text */
+	u_char *cipher;
+};
+
+struct signer_test_vector_t {
+	/** signer algorithm this test vector tests */
+	pseudo_random_function_t alg;
+	/** key to use, with a length the algorithm expects */
+	u_char *key;
+	/** size of the input data */
+	size_t len;
+	/** input data */
+	u_char *data;
+	/** expected output, with ouput size of the tested algorithm */
+	u_char *mac;
+};
+
+struct hasher_test_vector_t {
+	/** hash algorithm this test vector tests */
+	hash_algorithm_t alg;
+	/** length of the input data */
+	size_t len;
+	/** input data */
+	u_char *data;
+	/** expected hash, with hash size of the tested algorithm */
+	u_char *hash;
+};
+
+struct prf_test_vector_t {
+	/** prf algorithm this test vector tests */
+	pseudo_random_function_t alg;
+	/** is this PRF stateful? */
+	bool stateful;
+	/** key length to use, in bytes */
+	size_t key_size;
+	/** key to use */
+	u_char *key;
+	/** size of the seed data */
+	size_t len;
+	/** seed data */
+	u_char *seed;
+	/** expected output, with block size of the tested algorithm */
+	u_char *out;
+};
+
+/**
+ * Test vector for a RNG.
+ *
+ * Contains a callback function to analyze the output of a RNG,
+ */
+struct rng_test_vector_t {
+	/** quality of random data this test vector tests */
+	rng_quality_t quality;
+	/** callback function to test RNG output, returns TRUE if data ok */
+	bool (*test)(void *user, chunk_t data);
+	/** number of bytes the function requests */
+	size_t len;
+	/** user data passed back to the test() function on invocation */
+	void *user;
+};
+
+/**
+ * Cryptographic primitive testing framework.
+ */
+struct crypto_tester_t {
+	
+	/**
+	 * Test a crypter algorithm, optionally using a specified key size.
+	 *
+	 * @param alg			algorithm to test
+	 * @param key_size		key size to test, 0 for all 
+	 * @param create		constructor function for the crypter
+	 * @return				TRUE if test passed
+	 */
+	bool (*test_crypter)(crypto_tester_t *this, encryption_algorithm_t alg,
+						 size_t key_size, crypter_constructor_t create);
+	/**
+	 * Test a signer algorithm.
+	 *
+	 * @param alg			algorithm to test
+	 * @param create		constructor function for the signer
+	 * @return				TRUE if test passed
+	 */
+	bool (*test_signer)(crypto_tester_t *this, integrity_algorithm_t alg,
+						signer_constructor_t create);
+	/**
+	 * Test a hasher algorithm.
+	 *
+	 * @param alg			algorithm to test
+	 * @param create		constructor function for the hasher
+	 * @return				TRUE if test passed
+	 */
+	bool (*test_hasher)(crypto_tester_t *this, hash_algorithm_t alg,
+						hasher_constructor_t create);
+	/**
+	 * Test a PRF algorithm.
+	 *
+	 * @param alg			algorithm to test
+	 * @param create		constructor function for the PRF
+	 * @return				TRUE if test passed
+	 */
+	bool (*test_prf)(crypto_tester_t *this, pseudo_random_function_t alg,
+					 prf_constructor_t create);
+	/**
+	 * Test a RNG implementation.
+	 *
+	 * @param alg			algorithm to test
+	 * @param create		constructor function for the RNG
+	 * @return				TRUE if test passed
+	 */
+	bool (*test_rng)(crypto_tester_t *this, rng_quality_t quality,
+					 rng_constructor_t create);
+	/**
+	 * Add a test vector to test a crypter.
+	 *
+	 * @param vector		pointer to test vector
+	 */
+	void (*add_crypter_vector)(crypto_tester_t *this,
+							   crypter_test_vector_t *vector);
+	/**
+	 * Add a test vector to test a signer.
+	 *
+	 * @param vector		pointer to test vector
+	 */
+	void (*add_signer_vector)(crypto_tester_t *this,
+							  signer_test_vector_t *vector);
+	/**
+	 * Add a test vector to test a hasher.
+	 *
+	 * @param vector		pointer to test vector
+	 */
+	void (*add_hasher_vector)(crypto_tester_t *this,
+							  hasher_test_vector_t *vector);
+	/**
+	 * Add a test vector to test a PRF.
+	 *
+	 * @param vector		pointer to test vector
+	 */
+	void (*add_prf_vector)(crypto_tester_t *this, prf_test_vector_t *vector);
+	
+	/**
+	 * Add a test vector to test a RNG.
+	 *
+	 * @param vector		pointer to test vector
+	 */
+	void (*add_rng_vector)(crypto_tester_t *this, rng_test_vector_t *vector);
+	
+	/**
+	 * Destroy a crypto_tester_t.
+	 */
+	void (*destroy)(crypto_tester_t *this);
+};
+
+/**
+ * Create a crypto_tester instance.
+ */
+crypto_tester_t *crypto_tester_create();
+
+#endif /* CRYPTO_TESTER_ @}*/
diff --git a/src/libstrongswan/crypto/diffie_hellman.c b/src/libstrongswan/crypto/diffie_hellman.c
index 53c3a1632..18d532697 100644
--- a/src/libstrongswan/crypto/diffie_hellman.c
+++ b/src/libstrongswan/crypto/diffie_hellman.c
@@ -12,30 +12,28 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: diffie_hellman.c 4685 2008-11-22 16:14:55Z martin $
  */
 
 #include "diffie_hellman.h"
 
 ENUM_BEGIN(diffie_hellman_group_names, MODP_NONE, MODP_1024_BIT,
 	"MODP_NONE",
-	"MODP_768_BIT",
-	"MODP_1024_BIT");
+	"MODP_768",
+	"MODP_1024");
 ENUM_NEXT(diffie_hellman_group_names, MODP_1536_BIT, MODP_1536_BIT, MODP_1024_BIT,
-	"MODP_1536_BIT");
+	"MODP_1536");
 ENUM_NEXT(diffie_hellman_group_names, MODP_2048_BIT, ECP_521_BIT, MODP_1536_BIT,
-	"MODP_2048_BIT",
-	"MODP_3072_BIT",
-	"MODP_4096_BIT",
-	"MODP_6144_BIT",
-	"MODP_8192_BIT",
-	"ECP_256_BIT",
-	"ECP_384_BIT",
-	"ECP_521_BIT");
+	"MODP_2048",
+	"MODP_3072",
+	"MODP_4096",
+	"MODP_6144",
+	"MODP_8192",
+	"ECP_256",
+	"ECP_384",
+	"ECP_521");
 ENUM_NEXT(diffie_hellman_group_names, ECP_192_BIT, ECP_224_BIT, ECP_521_BIT,
-	"ECP_192_BIT",
-	"ECP_224_BIT");
+	"ECP_192",
+	"ECP_224");
 ENUM_NEXT(diffie_hellman_group_names, MODP_NULL, MODP_NULL, ECP_224_BIT,
 	"MODP_NULL");
 ENUM_END(diffie_hellman_group_names, MODP_NULL);
diff --git a/src/libstrongswan/crypto/diffie_hellman.h b/src/libstrongswan/crypto/diffie_hellman.h
index 5aaba383e..a40a73526 100644
--- a/src/libstrongswan/crypto/diffie_hellman.h
+++ b/src/libstrongswan/crypto/diffie_hellman.h
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: diffie_hellman.h 5003 2009-03-24 17:43:01Z martin $
  */
  
 /**
diff --git a/src/libstrongswan/crypto/hashers/hasher.c b/src/libstrongswan/crypto/hashers/hasher.c
index cf507442d..c58c2ad42 100644
--- a/src/libstrongswan/crypto/hashers/hasher.c
+++ b/src/libstrongswan/crypto/hashers/hasher.c
@@ -13,24 +13,22 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: hasher.c 4880 2009-02-18 19:45:46Z tobias $
  */
 
 #include "hasher.h"
 
 #include <asn1/oid.h>
 
-ENUM(hash_algorithm_names, HASH_UNKNOWN, HASH_MD4,
+ENUM(hash_algorithm_names, HASH_UNKNOWN, HASH_SHA512,
 	"HASH_UNKNOWN",
 	"HASH_PREFERRED",
 	"HASH_MD2",
+	"HASH_MD4",
 	"HASH_MD5",
 	"HASH_SHA1",
 	"HASH_SHA256",
 	"HASH_SHA384",
-	"HASH_SHA512",
-	"HASH_MD4"
+	"HASH_SHA512"
 );
 
 /*
diff --git a/src/libstrongswan/crypto/hashers/hasher.h b/src/libstrongswan/crypto/hashers/hasher.h
index 1db5c14cc..098739fa3 100644
--- a/src/libstrongswan/crypto/hashers/hasher.h
+++ b/src/libstrongswan/crypto/hashers/hasher.h
@@ -13,13 +13,11 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: hasher.h 5003 2009-03-24 17:43:01Z martin $
  */
  
 /**
- * @defgroup traffic_selector traffic_selector
- * @{ @ingroup config
+ * @defgroup hasher hasher
+ * @{ @ingroup crypto
  */
 
 #ifndef HASHER_H_
@@ -39,12 +37,12 @@ enum hash_algorithm_t {
 	/** preferred hash function, general purpose */
 	HASH_PREFERRED	 	= 1,
 	HASH_MD2 			= 2,
-	HASH_MD5 			= 3,
-	HASH_SHA1 			= 4,
-	HASH_SHA256 		= 5,
-	HASH_SHA384 		= 6,
-	HASH_SHA512 		= 7,
-	HASH_MD4			= 8,
+	HASH_MD4			= 3,
+	HASH_MD5 			= 4,
+	HASH_SHA1 			= 5,
+	HASH_SHA256 		= 6,
+	HASH_SHA384 		= 7,
+	HASH_SHA512 		= 8
 };
 
 #define HASH_SIZE_MD2		16
diff --git a/src/libstrongswan/crypto/pkcs9.c b/src/libstrongswan/crypto/pkcs9.c
index 1c1b5a586..525ea9db5 100644
--- a/src/libstrongswan/crypto/pkcs9.c
+++ b/src/libstrongswan/crypto/pkcs9.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: pkcs9.c 3891 2008-04-28 16:00:52Z andreas $
  */
 
 #include <library.h>
diff --git a/src/libstrongswan/crypto/pkcs9.h b/src/libstrongswan/crypto/pkcs9.h
index 698f3c172..80d915701 100644
--- a/src/libstrongswan/crypto/pkcs9.h
+++ b/src/libstrongswan/crypto/pkcs9.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: pkcs9.h 5003 2009-03-24 17:43:01Z martin $
  */
  
 /**
diff --git a/src/libstrongswan/crypto/prf_plus.c b/src/libstrongswan/crypto/prf_plus.c
index 3d37d4ef7..a4fc377ef 100644
--- a/src/libstrongswan/crypto/prf_plus.c
+++ b/src/libstrongswan/crypto/prf_plus.c
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: prf_plus.c 4524 2008-10-29 14:12:54Z martin $
  */
 
 #include <string.h>
diff --git a/src/libstrongswan/crypto/prf_plus.h b/src/libstrongswan/crypto/prf_plus.h
index 4c98e4ad1..2e5b66152 100644
--- a/src/libstrongswan/crypto/prf_plus.h
+++ b/src/libstrongswan/crypto/prf_plus.h
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: prf_plus.h 5003 2009-03-24 17:43:01Z martin $
  */
  
 /**
diff --git a/src/libstrongswan/crypto/prfs/prf.c b/src/libstrongswan/crypto/prfs/prf.c
index 812f6278d..8681a5b97 100644
--- a/src/libstrongswan/crypto/prfs/prf.c
+++ b/src/libstrongswan/crypto/prfs/prf.c
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: prf.c 3619 2008-03-19 14:02:52Z martin $
  */
 
 #include "prf.h"
@@ -23,13 +21,14 @@ ENUM_BEGIN(pseudo_random_function_names, PRF_UNDEFINED, PRF_KEYED_SHA1,
 	"PRF_FIPS_SHA1_160",
 	"PRF_FIPS_DES",
 	"PRF_KEYED_SHA1");
-ENUM_NEXT(pseudo_random_function_names, PRF_HMAC_MD5, PRF_HMAC_SHA2_512, PRF_KEYED_SHA1,
+ENUM_NEXT(pseudo_random_function_names, PRF_HMAC_MD5, PRF_AES128_CMAC, PRF_KEYED_SHA1,
 	"PRF_HMAC_MD5",
 	"PRF_HMAC_SHA1",
 	"PRF_HMAC_TIGER",
-	"PRF_AES128_CBC",
+	"PRF_AES128_XCBC",
 	"PRF_HMAC_SHA2_256",
 	"PRF_HMAC_SHA2_384",
-	"PRF_HMAC_SHA2_512");
-ENUM_END(pseudo_random_function_names, PRF_HMAC_SHA2_512);
+	"PRF_HMAC_SHA2_512",
+	"PRF_AES128_CMAC");
+ENUM_END(pseudo_random_function_names, PRF_AES128_CMAC);
 
diff --git a/src/libstrongswan/crypto/prfs/prf.h b/src/libstrongswan/crypto/prfs/prf.h
index e2b4f6fe0..f2a5afc45 100644
--- a/src/libstrongswan/crypto/prfs/prf.h
+++ b/src/libstrongswan/crypto/prfs/prf.h
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: prf.h 5003 2009-03-24 17:43:01Z martin $
  */
  
 /**
@@ -37,21 +35,25 @@ typedef struct prf_t prf_t;
  */
 enum pseudo_random_function_t {
 	PRF_UNDEFINED = 1024,
-	/** Implemented via hmac_prf_t. */
+	/** RFC2104 */
 	PRF_HMAC_MD5 = 1,
-	/** Implemented via hmac_prf_t. */
+	/** RFC2104 */
 	PRF_HMAC_SHA1 = 2,
+	/** RFC2104 */
 	PRF_HMAC_TIGER = 3,
+	/** RFC4434 */
 	PRF_AES128_XCBC = 4,
-	/** Implemented via hmac_prf_t. */
+	/** RFC4868 */
 	PRF_HMAC_SHA2_256 = 5,
-	/** Implemented via hmac_prf_t. */
+	/** RFC4868. */
 	PRF_HMAC_SHA2_384 = 6,
-	/** Implemented via hmac_prf_t. */
+	/** RFC4868 */
 	PRF_HMAC_SHA2_512 = 7,
-	/** Implemented via fips_prf_t, other output sizes would be possible */
+	/** RFC4615 */
+	PRF_AES128_CMAC = 8,
+	/** FIPS 186-2-change1 */
 	PRF_FIPS_SHA1_160 = 1025,
-	/** Could be implemented via fips_prf_t, uses fixed output size of 160bit */
+	/** FIPS 186-2-change1, uses fixed output size of 160bit */
 	PRF_FIPS_DES = 1026,
 	/** 
 	 * Keyed hash algorithm using SHA1, used in EAP-AKA:
diff --git a/src/libstrongswan/crypto/proposal/proposal_keywords.c b/src/libstrongswan/crypto/proposal/proposal_keywords.c
new file mode 100644
index 000000000..14321e070
--- /dev/null
+++ b/src/libstrongswan/crypto/proposal/proposal_keywords.c
@@ -0,0 +1,270 @@
+/* C code produced by gperf version 3.0.3 */
+/* Command-line: /usr/bin/gperf -N proposal_get_token -m 10 -C -G -c -t -D  */
+/* Computed positions: -k'1,5,7,10,$' */
+
+#if !((' ' == 32) && ('!' == 33) && ('"' == 34) && ('#' == 35) \
+      && ('%' == 37) && ('&' == 38) && ('\'' == 39) && ('(' == 40) \
+      && (')' == 41) && ('*' == 42) && ('+' == 43) && (',' == 44) \
+      && ('-' == 45) && ('.' == 46) && ('/' == 47) && ('0' == 48) \
+      && ('1' == 49) && ('2' == 50) && ('3' == 51) && ('4' == 52) \
+      && ('5' == 53) && ('6' == 54) && ('7' == 55) && ('8' == 56) \
+      && ('9' == 57) && (':' == 58) && (';' == 59) && ('<' == 60) \
+      && ('=' == 61) && ('>' == 62) && ('?' == 63) && ('A' == 65) \
+      && ('B' == 66) && ('C' == 67) && ('D' == 68) && ('E' == 69) \
+      && ('F' == 70) && ('G' == 71) && ('H' == 72) && ('I' == 73) \
+      && ('J' == 74) && ('K' == 75) && ('L' == 76) && ('M' == 77) \
+      && ('N' == 78) && ('O' == 79) && ('P' == 80) && ('Q' == 81) \
+      && ('R' == 82) && ('S' == 83) && ('T' == 84) && ('U' == 85) \
+      && ('V' == 86) && ('W' == 87) && ('X' == 88) && ('Y' == 89) \
+      && ('Z' == 90) && ('[' == 91) && ('\\' == 92) && (']' == 93) \
+      && ('^' == 94) && ('_' == 95) && ('a' == 97) && ('b' == 98) \
+      && ('c' == 99) && ('d' == 100) && ('e' == 101) && ('f' == 102) \
+      && ('g' == 103) && ('h' == 104) && ('i' == 105) && ('j' == 106) \
+      && ('k' == 107) && ('l' == 108) && ('m' == 109) && ('n' == 110) \
+      && ('o' == 111) && ('p' == 112) && ('q' == 113) && ('r' == 114) \
+      && ('s' == 115) && ('t' == 116) && ('u' == 117) && ('v' == 118) \
+      && ('w' == 119) && ('x' == 120) && ('y' == 121) && ('z' == 122) \
+      && ('{' == 123) && ('|' == 124) && ('}' == 125) && ('~' == 126))
+/* The character set is not based on ISO-646.  */
+error "gperf generated tables don't work with this execution character set. Please report a bug to <bug-gnu-gperf@gnu.org>."
+#endif
+
+
+/* proposal keywords
+ * Copyright (C) 2009 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil, Switzerland
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <string.h>
+
+#include <crypto/transform.h>
+#include <crypto/crypters/crypter.h>
+#include <crypto/signers/signer.h>
+#include <crypto/diffie_hellman.h>
+
+struct proposal_token {
+    char             *name;
+    transform_type_t  type;
+	u_int16_t         algorithm;
+    u_int16_t         keysize;  
+};
+
+#define TOTAL_KEYWORDS 87
+#define MIN_WORD_LENGTH 3
+#define MAX_WORD_LENGTH 12
+#define MIN_HASH_VALUE 4
+#define MAX_HASH_VALUE 129
+/* maximum key range = 126, duplicates = 0 */
+
+#ifdef __GNUC__
+__inline
+#else
+#ifdef __cplusplus
+inline
+#endif
+#endif
+static unsigned int
+hash (str, len)
+     register const char *str;
+     register unsigned int len;
+{
+  static const unsigned char asso_values[] =
+    {
+      130, 130, 130, 130, 130, 130, 130, 130, 130, 130,
+      130, 130, 130, 130, 130, 130, 130, 130, 130, 130,
+      130, 130, 130, 130, 130, 130, 130, 130, 130, 130,
+      130, 130, 130, 130, 130, 130, 130, 130, 130, 130,
+      130, 130, 130, 130, 130, 130, 130, 130, 130,  11,
+        2,  15,   5,  27,  21,   8,   5,   0, 130, 130,
+      130, 130, 130, 130, 130, 130, 130, 130, 130, 130,
+      130, 130, 130, 130, 130, 130, 130, 130, 130, 130,
+      130, 130, 130, 130, 130, 130, 130, 130, 130, 130,
+      130, 130, 130, 130, 130,  39, 130,  24,   0,   1,
+        8,   2,  50,   0,   9,  53, 130, 130,   0, 130,
+       42,   0, 130, 130,   5,   9,  34,   4, 130, 130,
+      130, 130, 130, 130, 130, 130, 130, 130, 130, 130,
+      130, 130, 130, 130, 130, 130, 130, 130, 130, 130,
+      130, 130, 130, 130, 130, 130, 130, 130, 130, 130,
+      130, 130, 130, 130, 130, 130, 130, 130, 130, 130,
+      130, 130, 130, 130, 130, 130, 130, 130, 130, 130,
+      130, 130, 130, 130, 130, 130, 130, 130, 130, 130,
+      130, 130, 130, 130, 130, 130, 130, 130, 130, 130,
+      130, 130, 130, 130, 130, 130, 130, 130, 130, 130,
+      130, 130, 130, 130, 130, 130, 130, 130, 130, 130,
+      130, 130, 130, 130, 130, 130, 130, 130, 130, 130,
+      130, 130, 130, 130, 130, 130, 130, 130, 130, 130,
+      130, 130, 130, 130, 130, 130, 130, 130, 130, 130,
+      130, 130, 130, 130, 130, 130, 130, 130, 130, 130,
+      130, 130, 130, 130, 130, 130, 130
+    };
+  register int hval = len;
+
+  switch (hval)
+    {
+      default:
+        hval += asso_values[(unsigned char)str[9]];
+      /*FALLTHROUGH*/
+      case 9:
+      case 8:
+      case 7:
+        hval += asso_values[(unsigned char)str[6]];
+      /*FALLTHROUGH*/
+      case 6:
+      case 5:
+        hval += asso_values[(unsigned char)str[4]];
+      /*FALLTHROUGH*/
+      case 4:
+      case 3:
+      case 2:
+      case 1:
+        hval += asso_values[(unsigned char)str[0]+1];
+        break;
+    }
+  return hval + asso_values[(unsigned char)str[len - 1]];
+}
+
+static const struct proposal_token wordlist[] =
+  {
+    {"null",             ENCRYPTION_ALGORITHM, ENCR_NULL,                0},
+    {"aes192",           ENCRYPTION_ALGORITHM, ENCR_AES_CBC,           192},
+    {"aesxcbc",          INTEGRITY_ALGORITHM,  AUTH_AES_XCBC_96,         0},
+    {"aes",              ENCRYPTION_ALGORITHM, ENCR_AES_CBC,           128},
+    {"aes128",           ENCRYPTION_ALGORITHM, ENCR_AES_CBC,           128},
+    {"des",              ENCRYPTION_ALGORITHM, ENCR_DES,                 0},
+    {"aes192ctr",        ENCRYPTION_ALGORITHM, ENCR_AES_CTR,           192},
+    {"aes128ctr",        ENCRYPTION_ALGORITHM, ENCR_AES_CTR,           128},
+    {"3des",             ENCRYPTION_ALGORITHM, ENCR_3DES,                0},
+    {"aes192gcm8",       ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,      192},
+    {"aes192ccm8",       ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,      192},
+    {"aes128gcm8",       ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,      128},
+    {"aes128ccm8",       ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,      128},
+    {"aes192gcm12",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,     192},
+    {"aes192ccm12",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,     192},
+    {"aes128gcm12",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,     128},
+    {"aes128ccm12",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,     128},
+    {"aes192gcm128",     ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,     192},
+    {"aes192ccm128",     ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,     192},
+    {"aes128gcm128",     ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,     128},
+    {"aes128ccm128",     ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,     128},
+    {"aes192gcm96",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,     192},
+    {"aes192ccm96",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,     192},
+    {"aes128gcm96",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,     128},
+    {"aes128ccm96",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,     128},
+    {"cast128",          ENCRYPTION_ALGORITHM, ENCR_CAST,              128},
+    {"aes192gcm64",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,      192},
+    {"aes192ccm64",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,      192},
+    {"aes128gcm64",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,      128},
+    {"aes128ccm64",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,      128},
+    {"aes256ctr",        ENCRYPTION_ALGORITHM, ENCR_AES_CTR,           256},
+    {"aes192gcm16",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,     192},
+    {"aes192ccm16",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,     192},
+    {"aes128gcm16",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,     128},
+    {"aes128ccm16",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,     128},
+    {"aes256gcm8",       ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,      256},
+    {"aes256ccm8",       ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,      256},
+    {"sha1",             INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA1_96,        0},
+    {"sha384",           INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_384_192,   0},
+    {"aes256gcm12",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,     256},
+    {"aes256ccm12",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,     256},
+    {"sha512",           INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_512_256,   0},
+    {"aes256",           ENCRYPTION_ALGORITHM, ENCR_AES_CBC,           256},
+    {"aes256gcm128",     ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,     256},
+    {"aes256ccm128",     ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,     256},
+    {"modp8192",         DIFFIE_HELLMAN_GROUP, MODP_8192_BIT,            0},
+    {"ecp192",           DIFFIE_HELLMAN_GROUP, ECP_192_BIT,              0},
+    {"aes256gcm96",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,     256},
+    {"aes256ccm96",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,     256},
+    {"sha",              INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA1_96,        0},
+    {"modp2048",         DIFFIE_HELLMAN_GROUP, MODP_2048_BIT,            0},
+    {"ecp224",           DIFFIE_HELLMAN_GROUP, ECP_224_BIT,              0},
+    {"aes256gcm64",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,      256},
+    {"aes256ccm64",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,      256},
+    {"ecp384",           DIFFIE_HELLMAN_GROUP, ECP_384_BIT,              0},
+    {"modp768",          DIFFIE_HELLMAN_GROUP, MODP_768_BIT,             0},
+    {"modp1024",         DIFFIE_HELLMAN_GROUP, MODP_1024_BIT,            0},
+    {"ecp521",           DIFFIE_HELLMAN_GROUP, ECP_521_BIT,              0},
+    {"aes256gcm16",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,     256},
+    {"aes256ccm16",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,     256},
+    {"md5",              INTEGRITY_ALGORITHM,  AUTH_HMAC_MD5_96,         0},
+    {"blowfish192",      ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,          192},
+    {"camellia192",      ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,      192},
+    {"modp3072",         DIFFIE_HELLMAN_GROUP, MODP_3072_BIT,            0},
+    {"modp4096",         DIFFIE_HELLMAN_GROUP, MODP_4096_BIT,            0},
+    {"blowfish",         ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,          128},
+    {"blowfish128",      ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,          128},
+    {"camellia128",      ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,      128},
+    {"twofish192",       ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,       192},
+    {"modp6144",         DIFFIE_HELLMAN_GROUP, MODP_6144_BIT,            0},
+    {"twofish",          ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,       128},
+    {"serpent192",       ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,       192},
+    {"twofish128",       ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,       128},
+    {"sha256",           INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_256_128,   0},
+    {"serpent128",       ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,       128},
+    {"sha2_384",         INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_384_192,   0},
+    {"modpnull",         DIFFIE_HELLMAN_GROUP, MODP_NULL,                0},
+    {"camellia",         ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,      128},
+    {"sha2_512",         INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_512_256,   0},
+    {"modp1536",         DIFFIE_HELLMAN_GROUP, MODP_1536_BIT,            0},
+    {"ecp256",           DIFFIE_HELLMAN_GROUP, ECP_256_BIT,              0},
+    {"serpent",          ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,       128},
+    {"twofish256",       ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,       256},
+    {"blowfish256",      ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,          256},
+    {"camellia256",      ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,      256},
+    {"serpent256",       ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,       256},
+    {"sha2_256",         INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_256_128,   0}
+  };
+
+static const short lookup[] =
+  {
+    -1, -1, -1, -1,  0, -1, -1, -1,  1, -1,  2, -1,  3,  4,
+     5,  6, -1,  7,  8, -1,  9, 10, 11, 12, 13, 14, 15, 16,
+    17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, -1,
+    30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43,
+    44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57,
+    58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, -1,
+    71, -1, 72, -1, 73, -1, 74, 75, 76, 77, 78, -1, -1, 79,
+    -1, -1, -1, -1, -1, -1, 80, -1, -1, -1, -1, -1, -1, 81,
+    -1, -1, -1, -1, -1, -1, 82, 83, 84, -1, 85, -1, -1, -1,
+    -1, -1, -1, 86
+  };
+
+#ifdef __GNUC__
+__inline
+#ifdef __GNUC_STDC_INLINE__
+__attribute__ ((__gnu_inline__))
+#endif
+#endif
+const struct proposal_token *
+proposal_get_token (str, len)
+     register const char *str;
+     register unsigned int len;
+{
+  if (len <= MAX_WORD_LENGTH && len >= MIN_WORD_LENGTH)
+    {
+      register int key = hash (str, len);
+
+      if (key <= MAX_HASH_VALUE && key >= 0)
+        {
+          register int index = lookup[key];
+
+          if (index >= 0)
+            {
+              register const char *s = wordlist[index].name;
+
+              if (*str == *s && !strncmp (str + 1, s + 1, len - 1) && s[len] == '\0')
+                return &wordlist[index];
+            }
+        }
+    }
+  return 0;
+}
diff --git a/src/libstrongswan/crypto/proposal/proposal_keywords.h b/src/libstrongswan/crypto/proposal/proposal_keywords.h
new file mode 100644
index 000000000..86cb7ef09
--- /dev/null
+++ b/src/libstrongswan/crypto/proposal/proposal_keywords.h
@@ -0,0 +1,34 @@
+/* proposal keywords
+ * Copyright (C) 2009 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil, Switzerland
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef _PROPOSAL_KEYWORDS_H_
+#define _PROPOSAL_KEYWORDS_H_
+
+#include <crypto/transform.h>
+
+typedef struct proposal_token proposal_token_t;
+
+struct proposal_token {
+    char             *name;
+    transform_type_t  type;
+	u_int16_t         algorithm;
+    u_int16_t         keysize;  
+};
+
+extern const proposal_token_t* proposal_get_token(register const char *str,
+												  register unsigned int len);
+
+#endif /* _PROPOSAL_KEYWORDS_H_ */
+
diff --git a/src/libstrongswan/crypto/proposal/proposal_keywords.txt b/src/libstrongswan/crypto/proposal/proposal_keywords.txt
new file mode 100644
index 000000000..511fdd50a
--- /dev/null
+++ b/src/libstrongswan/crypto/proposal/proposal_keywords.txt
@@ -0,0 +1,118 @@
+%{
+/* proposal keywords
+ * Copyright (C) 2009 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil, Switzerland
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <string.h>
+
+#include <crypto/transform.h>
+#include <crypto/crypters/crypter.h>
+#include <crypto/signers/signer.h>
+#include <crypto/diffie_hellman.h>
+
+%}
+struct proposal_token {
+    char             *name;
+    transform_type_t  type;
+	u_int16_t         algorithm;
+    u_int16_t         keysize;  
+};
+%%
+null,             ENCRYPTION_ALGORITHM, ENCR_NULL,                0
+des,              ENCRYPTION_ALGORITHM, ENCR_DES,                 0
+3des,             ENCRYPTION_ALGORITHM, ENCR_3DES,                0
+aes,              ENCRYPTION_ALGORITHM, ENCR_AES_CBC,           128
+aes128,           ENCRYPTION_ALGORITHM, ENCR_AES_CBC,           128
+aes192,           ENCRYPTION_ALGORITHM, ENCR_AES_CBC,           192
+aes256,           ENCRYPTION_ALGORITHM, ENCR_AES_CBC,           256
+aes128ctr,        ENCRYPTION_ALGORITHM, ENCR_AES_CTR,           128
+aes192ctr,        ENCRYPTION_ALGORITHM, ENCR_AES_CTR,           192
+aes256ctr,        ENCRYPTION_ALGORITHM, ENCR_AES_CTR,           256
+aes128ccm8,       ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,      128
+aes128ccm64,      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,      128
+aes128ccm12,      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,     128
+aes128ccm96,      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,     128
+aes128ccm16,      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,     128
+aes128ccm128,     ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,     128
+aes192ccm8,       ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,      192
+aes192ccm64,      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,      192
+aes192ccm12,      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,     192
+aes192ccm96,      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,     192
+aes192ccm16,      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,     192
+aes192ccm128,     ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,     192
+aes256ccm8,       ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,      256
+aes256ccm64,      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,      256
+aes256ccm12,      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,     256
+aes256ccm96,      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,     256
+aes256ccm16,      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,     256
+aes256ccm128,     ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,     256
+aes128gcm8,       ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,      128
+aes128gcm64,      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,      128
+aes128gcm12,      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,     128
+aes128gcm96,      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,     128
+aes128gcm16,      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,     128
+aes128gcm128,     ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,     128
+aes192gcm8,       ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,      192
+aes192gcm64,      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,      192
+aes192gcm12,      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,     192
+aes192gcm96,      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,     192
+aes192gcm16,      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,     192
+aes192gcm128,     ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,     192
+aes256gcm8,       ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,      256
+aes256gcm64,      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,      256
+aes256gcm12,      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,     256
+aes256gcm96,      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,     256
+aes256gcm16,      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,     256
+aes256gcm128,     ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,     256
+blowfish,         ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,          128
+blowfish128,      ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,          128
+blowfish192,      ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,          192
+blowfish256,      ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,          256
+camellia,         ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,      128
+camellia128,      ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,      128
+camellia192,      ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,      192
+camellia256,      ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,      256
+cast128,          ENCRYPTION_ALGORITHM, ENCR_CAST,              128
+serpent,          ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,       128
+serpent128,       ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,       128
+serpent192,       ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,       192
+serpent256,       ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,       256
+twofish,          ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,       128
+twofish128,       ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,       128
+twofish192,       ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,       192
+twofish256,       ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,       256
+sha,              INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA1_96,        0
+sha1,             INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA1_96,        0
+sha256,           INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_256_128,   0
+sha2_256,         INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_256_128,   0
+sha384,           INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_384_192,   0
+sha2_384,         INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_384_192,   0
+sha512,           INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_512_256,   0
+sha2_512,         INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_512_256,   0
+md5,              INTEGRITY_ALGORITHM,  AUTH_HMAC_MD5_96,         0
+aesxcbc,          INTEGRITY_ALGORITHM,  AUTH_AES_XCBC_96,         0
+modpnull,         DIFFIE_HELLMAN_GROUP, MODP_NULL,                0
+modp768,          DIFFIE_HELLMAN_GROUP, MODP_768_BIT,             0
+modp1024,         DIFFIE_HELLMAN_GROUP, MODP_1024_BIT,            0
+modp1536,         DIFFIE_HELLMAN_GROUP, MODP_1536_BIT,            0
+modp2048,         DIFFIE_HELLMAN_GROUP, MODP_2048_BIT,            0
+modp3072,         DIFFIE_HELLMAN_GROUP, MODP_3072_BIT,            0
+modp4096,         DIFFIE_HELLMAN_GROUP, MODP_4096_BIT,            0
+modp6144,         DIFFIE_HELLMAN_GROUP, MODP_6144_BIT,            0
+modp8192,         DIFFIE_HELLMAN_GROUP, MODP_8192_BIT,            0
+ecp192,           DIFFIE_HELLMAN_GROUP, ECP_192_BIT,              0
+ecp224,           DIFFIE_HELLMAN_GROUP, ECP_224_BIT,              0
+ecp256,           DIFFIE_HELLMAN_GROUP, ECP_256_BIT,              0
+ecp384,           DIFFIE_HELLMAN_GROUP, ECP_384_BIT,              0
+ecp521,           DIFFIE_HELLMAN_GROUP, ECP_521_BIT,              0
diff --git a/src/libstrongswan/crypto/rngs/rng.c b/src/libstrongswan/crypto/rngs/rng.c
index 435e043e8..67fd76910 100644
--- a/src/libstrongswan/crypto/rngs/rng.c
+++ b/src/libstrongswan/crypto/rngs/rng.c
@@ -11,14 +11,12 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 #include "rng.h"
 
-ENUM(rng_quality_names, RNG_WEAK, RNG_REAL,
+ENUM(rng_quality_names, RNG_WEAK, RNG_TRUE,
 	"RNG_WEAK",
 	"RNG_STRONG",
-	"RNG_REAL",
+	"RNG_TRUE",
 );
diff --git a/src/libstrongswan/crypto/rngs/rng.h b/src/libstrongswan/crypto/rngs/rng.h
index 1c4d204f3..89bc2f2de 100644
--- a/src/libstrongswan/crypto/rngs/rng.h
+++ b/src/libstrongswan/crypto/rngs/rng.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: rng.h 3619 2008-03-19 14:02:52Z martin $
  */
  
 /**
@@ -36,8 +34,8 @@ enum rng_quality_t {
 	RNG_WEAK,
 	/** stronger randomness, usable for session keys */
 	RNG_STRONG,
-	/** real random, key material */
-	RNG_REAL,
+	/** true random key material */
+	RNG_TRUE,
 };
 
 /**
@@ -56,7 +54,7 @@ struct rng_t {
 	 * @param len		number of bytes to get
 	 * @param buffer	pointer where the generated bytes will be written
 	 */
-	void (*get_bytes) (rng_t *this, u_int len, u_int8_t *buffer);
+	void (*get_bytes) (rng_t *this, size_t len, u_int8_t *buffer);
 	
 	/**
 	 * Generates random bytes and allocate space for them.
@@ -64,7 +62,7 @@ struct rng_t {
 	 * @param len		number of bytes to get
 	 * @param chunk		chunk which will hold generated bytes
 	 */
-	void (*allocate_bytes) (rng_t *this, u_int len, chunk_t *chunk);
+	void (*allocate_bytes) (rng_t *this, size_t len, chunk_t *chunk);
 	
 	/**
 	 * Destroys a rng object.
diff --git a/src/libstrongswan/crypto/signers/signer.c b/src/libstrongswan/crypto/signers/signer.c
index 8412ff62e..1147e1f26 100644
--- a/src/libstrongswan/crypto/signers/signer.c
+++ b/src/libstrongswan/crypto/signers/signer.c
@@ -12,24 +12,27 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: signer.c 3589 2008-03-13 14:14:44Z martin $
  */
 
 #include "signer.h"
 
 ENUM_BEGIN(integrity_algorithm_names, AUTH_UNDEFINED, AUTH_HMAC_SHA1_128,
 	"UNDEFINED",
-	"AUTH_HMAC_SHA1_128");
-ENUM_NEXT(integrity_algorithm_names, AUTH_HMAC_MD5_96, AUTH_AES_XCBC_96, AUTH_HMAC_SHA1_128,
+	"HMAC_SHA1_128");
+ENUM_NEXT(integrity_algorithm_names, AUTH_HMAC_MD5_96, AUTH_HMAC_SHA2_512_256, AUTH_HMAC_SHA1_128,
 	"HMAC_MD5_96",
 	"HMAC_SHA1_96",
 	"DES_MAC",
 	"KPDK_MD5",
-	"AES_XCBC_96");
-ENUM_NEXT(integrity_algorithm_names, AUTH_HMAC_SHA2_256_128, AUTH_HMAC_SHA2_512_256, AUTH_AES_XCBC_96,
-	"AUTH_HMAC_SHA2_256_128",
-	"AUTH_HMAC_SHA2_384_192",
-	"AUTH_HMAC_SHA2_512_256");
+	"AES_XCBC_96",
+	"HMAC_MD5_128",
+	"HMAC_SHA1_160",
+	"AES_CMAC_96",
+	"AES_128_GMAC",
+	"AES_192_GMAC",
+	"AES_256_GMAC",
+	"HMAC_SHA2_256_128",
+	"HMAC_SHA2_384_192",
+	"HMAC_SHA2_512_256");
 ENUM_END(integrity_algorithm_names, AUTH_HMAC_SHA2_512_256);
 
diff --git a/src/libstrongswan/crypto/signers/signer.h b/src/libstrongswan/crypto/signers/signer.h
index b2be2c030..0d9bfc5af 100644
--- a/src/libstrongswan/crypto/signers/signer.h
+++ b/src/libstrongswan/crypto/signers/signer.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005-2009 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
  *
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: signer.h 5003 2009-03-24 17:43:01Z martin $
  */
  
 /**
@@ -36,23 +34,36 @@ typedef struct signer_t signer_t;
  */
 enum integrity_algorithm_t {
 	AUTH_UNDEFINED = 1024,
-	/** Implemented via hmac_signer_t */
+	/** RFC4306 */
 	AUTH_HMAC_MD5_96 = 1,
-	/** Implemented via hmac_signer_t */
+	/** RFC4306 */
 	AUTH_HMAC_SHA1_96 = 2,
+	/** RFC4306 */
 	AUTH_DES_MAC = 3,
+	/** RFC1826 */
 	AUTH_KPDK_MD5 = 4,
+	/** RFC4306 */
 	AUTH_AES_XCBC_96 = 5,
-	/** Implemented via hmac_signer_t */
+	/** RFC4595 */
+	AUTH_HMAC_MD5_128 = 6,
+	/** RFC4595 */
+	AUTH_HMAC_SHA1_160 = 7,
+	/** RFC4494 */
+	AUTH_AES_CMAC_96 = 8,
+	/** RFC4543 */
+	AUTH_AES_128_GMAC = 9,
+	/** RFC4543 */
+	AUTH_AES_192_GMAC = 10,
+	/** RFC4543 */
+	AUTH_AES_256_GMAC = 11,
+	/** RFC4868 */
 	AUTH_HMAC_SHA2_256_128 = 12,
-	/** Implemented via hmac_signer_t */
+	/** RFC4868 */
 	AUTH_HMAC_SHA2_384_192 = 13,
-	/** Implemented via hmac_signer_t */
+	/** RFC4868 */
 	AUTH_HMAC_SHA2_512_256 = 14,
-	/** Implemented via hmac_signer_t */
+	/** private use */
 	AUTH_HMAC_SHA1_128 = 1025,
-	/** Implemented via hmac_signer_t */
-	AUTH_HMAC_MD5_128 = 1026,
 };
 
 /**
@@ -61,7 +72,7 @@ enum integrity_algorithm_t {
 extern enum_name_t *integrity_algorithm_names;
 
 /**
- * Generig interface for a symmetric signature algorithm.
+ * Generic interface for a symmetric signature algorithm.
  */
 struct signer_t {
 	/**
diff --git a/src/libstrongswan/crypto/transform.c b/src/libstrongswan/crypto/transform.c
new file mode 100644
index 000000000..af40f4de6
--- /dev/null
+++ b/src/libstrongswan/crypto/transform.c
@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) 2006-2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <crypto/transform.h>
+
+ENUM_BEGIN(transform_type_names, UNDEFINED_TRANSFORM_TYPE, RANDOM_NUMBER_GENERATOR,
+	"UNDEFINED_TRANSFORM_TYPE",
+	"HASH_ALGORITHM",
+	"RANDOM_NUMBER_GENERATOR");
+ENUM_NEXT(transform_type_names, ENCRYPTION_ALGORITHM, EXTENDED_SEQUENCE_NUMBERS, RANDOM_NUMBER_GENERATOR,
+	"ENCRYPTION_ALGORITHM",
+	"PSEUDO_RANDOM_FUNCTION",
+	"INTEGRITY_ALGORITHM",
+	"DIFFIE_HELLMAN_GROUP",
+	"EXTENDED_SEQUENCE_NUMBERS");
+ENUM_END(transform_type_names, EXTENDED_SEQUENCE_NUMBERS);
+
diff --git a/src/libstrongswan/crypto/transform.h b/src/libstrongswan/crypto/transform.h
new file mode 100644
index 000000000..d11700a73
--- /dev/null
+++ b/src/libstrongswan/crypto/transform.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2006-2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup transforms transforms
+ * @{ @ingroup crypto
+ */
+
+#ifndef TRANSFORM_H_
+#define TRANSFORM_H_
+
+typedef enum transform_type_t transform_type_t;
+
+#include <library.h>
+
+/**
+ * Type of a transform, as in IKEv2 RFC 3.3.2.
+ */
+enum transform_type_t {
+	UNDEFINED_TRANSFORM_TYPE = 241,
+	HASH_ALGORITHM = 242,
+	RANDOM_NUMBER_GENERATOR = 243,
+	ENCRYPTION_ALGORITHM = 1,
+	PSEUDO_RANDOM_FUNCTION = 2,
+	INTEGRITY_ALGORITHM = 3,
+	DIFFIE_HELLMAN_GROUP = 4,
+	EXTENDED_SEQUENCE_NUMBERS = 5
+};
+
+/**
+ * enum names for transform_type_t.
+ */
+extern enum_name_t *transform_type_names;
+
+#endif /** TRANSFORM_H_ @}*/
diff --git a/src/libstrongswan/database/database_factory.c b/src/libstrongswan/database/database_factory.c
index 9ceb829c6..76e0a4e89 100644
--- a/src/libstrongswan/database/database_factory.c
+++ b/src/libstrongswan/database/database_factory.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: database_factory.c 3488 2008-02-21 15:10:02Z martin $
  */
 
 #include "database_factory.h"
diff --git a/src/libstrongswan/debug.c b/src/libstrongswan/debug.c
index e20bef2da..b4a84cf76 100644
--- a/src/libstrongswan/debug.c
+++ b/src/libstrongswan/debug.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: debug.c 4058 2008-06-11 14:09:46Z martin $
  */
 
 #include <stdarg.h>
diff --git a/src/libstrongswan/debug.h b/src/libstrongswan/debug.h
index 3b98f6837..1413ff54e 100644
--- a/src/libstrongswan/debug.h
+++ b/src/libstrongswan/debug.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: debug.h 5003 2009-03-24 17:43:01Z martin $
  */
  
 /**
diff --git a/src/libstrongswan/enum.c b/src/libstrongswan/enum.c
index 32524d225..946a54deb 100644
--- a/src/libstrongswan/enum.c
+++ b/src/libstrongswan/enum.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: enum.c 4936 2009-03-12 18:07:32Z tobias $
  */
 
 #include <stddef.h>
diff --git a/src/libstrongswan/enum.h b/src/libstrongswan/enum.h
index 877b3e6de..3f3ca1172 100644
--- a/src/libstrongswan/enum.h
+++ b/src/libstrongswan/enum.h
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: enum.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/libstrongswan/fetcher/fetcher.h b/src/libstrongswan/fetcher/fetcher.h
index 9a7cc315e..70d14bf97 100644
--- a/src/libstrongswan/fetcher/fetcher.h
+++ b/src/libstrongswan/fetcher/fetcher.h
@@ -45,6 +45,18 @@ enum fetcher_option_t {
 	 */
 	FETCH_REQUEST_TYPE,
 	
+	/** 
+	 * HTTP header to be sent with with the fetch request.
+	 * Additional argument is a char*.
+	 */
+	FETCH_REQUEST_HEADER,
+
+	/** 
+	 * Use HTTP Version 1.0 instead of 1.1.
+	 * No additional argument is needed.
+	 */
+	FETCH_HTTP_VERSION_1_0,
+
 	/** 
 	 * Timeout to use for fetch, in seconds.
 	 * Additional argument is u_int
diff --git a/src/libstrongswan/fetcher/fetcher_manager.c b/src/libstrongswan/fetcher/fetcher_manager.c
index 5d58f224e..a30012bb1 100644
--- a/src/libstrongswan/fetcher/fetcher_manager.c
+++ b/src/libstrongswan/fetcher/fetcher_manager.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: fetcher_manager.c 4591 2008-11-05 16:12:54Z martin $
  */
 
 #include "fetcher_manager.h"
@@ -101,8 +99,12 @@ static status_t fetch(private_fetcher_manager_t *this,
 					good = fetcher->set_option(fetcher, opt, va_arg(args, chunk_t));
 					continue;
 				case FETCH_REQUEST_TYPE:
+				case FETCH_REQUEST_HEADER:
 					good = fetcher->set_option(fetcher, opt, va_arg(args, char*));
 					continue;
+				case FETCH_HTTP_VERSION_1_0:
+					good = fetcher->set_option(fetcher, opt);
+					continue;
 				case FETCH_TIMEOUT:
 					good = fetcher->set_option(fetcher, opt, va_arg(args, u_int));
 					continue;
diff --git a/src/libstrongswan/fips/Makefile.in b/src/libstrongswan/fips/Makefile.in
index d1c3ed5b6..cdced9423 100644
--- a/src/libstrongswan/fips/Makefile.in
+++ b/src/libstrongswan/fips/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -79,6 +79,7 @@ CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -101,6 +102,9 @@ LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -112,6 +116,7 @@ MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
 NM = @NM@
 NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
@@ -125,6 +130,8 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 RANLIB = @RANLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -185,6 +192,7 @@ oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
 plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -196,6 +204,7 @@ srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 xml_CFLAGS = @xml_CFLAGS@
@@ -217,8 +226,8 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
 	    *$$dep*) \
-	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
-		&& exit 0; \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
 	      exit 1;; \
 	  esac; \
 	done; \
@@ -293,7 +302,7 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
 	mkid -fID $$unique
 tags: TAGS
diff --git a/src/libstrongswan/fips/fips.c b/src/libstrongswan/fips/fips.c
index c268a7429..d2296e5e9 100644
--- a/src/libstrongswan/fips/fips.c
+++ b/src/libstrongswan/fips/fips.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: fips.c 3681 2008-03-28 10:21:04Z martin $
  */
 
 #include <stdio.h>
diff --git a/src/libstrongswan/fips/fips.h b/src/libstrongswan/fips/fips.h
index 9b777be5f..aae18e3b2 100644
--- a/src/libstrongswan/fips/fips.h
+++ b/src/libstrongswan/fips/fips.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: fips.h 5003 2009-03-24 17:43:01Z martin $
  */
  
 /**
diff --git a/src/libstrongswan/fips/fips_canister_end.c b/src/libstrongswan/fips/fips_canister_end.c
index 93f78e696..247d48927 100644
--- a/src/libstrongswan/fips/fips_canister_end.c
+++ b/src/libstrongswan/fips/fips_canister_end.c
@@ -2,8 +2,6 @@
  * Copyright (c) 2005 The OpenSSL Project. Rights for redistribution
  * and usage in source and binary forms are granted according to the
  * OpenSSL license.
- *
- * $Id: fips_canister_end.c 3589 2008-03-13 14:14:44Z martin $
  */
 
 #include <stdio.h>
diff --git a/src/libstrongswan/fips/fips_canister_start.c b/src/libstrongswan/fips/fips_canister_start.c
index a15517ec1..4a5528a94 100644
--- a/src/libstrongswan/fips/fips_canister_start.c
+++ b/src/libstrongswan/fips/fips_canister_start.c
@@ -2,8 +2,6 @@
  * Copyright (c) 2005 The OpenSSL Project. Rights for redistribution
  * and usage in source and binary forms are granted according to the
  * OpenSSL license.
- *
- * $Id: fips_canister_start.c 3589 2008-03-13 14:14:44Z martin $
  */
 
 #include <stdio.h>
diff --git a/src/libstrongswan/fips/fips_signer.c b/src/libstrongswan/fips/fips_signer.c
index 4bf8b38dd..6f5fdcecf 100644
--- a/src/libstrongswan/fips/fips_signer.c
+++ b/src/libstrongswan/fips/fips_signer.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: fips_signer.c 4258 2008-08-19 18:51:30Z andreas $
  */
 
 #include <stdio.h>
diff --git a/src/libstrongswan/library.c b/src/libstrongswan/library.c
index cb8d43052..8e5a8a611 100644
--- a/src/libstrongswan/library.c
+++ b/src/libstrongswan/library.c
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: library.c 4936 2009-03-12 18:07:32Z tobias $
  */
 
 #include "library.h"
@@ -101,8 +99,6 @@ void library_init(char *settings)
 					 PRINTF_HOOK_ARGTYPE_END);
 	pfh->add_handler(pfh, 'B', chunk_printf_hook,
 					 PRINTF_HOOK_ARGTYPE_POINTER, PRINTF_HOOK_ARGTYPE_END);
-	pfh->add_handler(pfh, 'D', identification_printf_hook,
-					 PRINTF_HOOK_ARGTYPE_POINTER, PRINTF_HOOK_ARGTYPE_END);
 	pfh->add_handler(pfh, 'H', host_printf_hook,
 					 PRINTF_HOOK_ARGTYPE_POINTER, PRINTF_HOOK_ARGTYPE_END);
 	pfh->add_handler(pfh, 'N', enum_printf_hook,
@@ -114,12 +110,14 @@ void library_init(char *settings)
 	pfh->add_handler(pfh, 'V', time_delta_printf_hook,
 					 PRINTF_HOOK_ARGTYPE_POINTER, PRINTF_HOOK_ARGTYPE_POINTER,
 					 PRINTF_HOOK_ARGTYPE_END);
+	pfh->add_handler(pfh, 'Y', identification_printf_hook,
+					 PRINTF_HOOK_ARGTYPE_POINTER, PRINTF_HOOK_ARGTYPE_END);
 	
+	this->public.settings = settings_create(settings);
 	this->public.crypto = crypto_factory_create();
 	this->public.creds = credential_factory_create();
 	this->public.fetcher = fetcher_manager_create();
 	this->public.db = database_factory_create();
-	this->public.settings = settings_create(settings);
 	this->public.plugins = plugin_loader_create();
 }
 
diff --git a/src/libstrongswan/library.h b/src/libstrongswan/library.h
index a6d27551e..35c6b686a 100644
--- a/src/libstrongswan/library.h
+++ b/src/libstrongswan/library.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: library.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -63,9 +61,9 @@
 #include <settings.h>
 #include <plugins/plugin_loader.h>
 #include <crypto/crypto_factory.h>
-#include <credentials/credential_factory.h>
 #include <fetcher/fetcher_manager.h>
 #include <database/database_factory.h>
+#include <credentials/credential_factory.h>
 
 typedef struct library_t library_t;
 
diff --git a/src/libstrongswan/pgp/pgp.c b/src/libstrongswan/pgp/pgp.c
new file mode 100644
index 000000000..613c318c1
--- /dev/null
+++ b/src/libstrongswan/pgp/pgp.c
@@ -0,0 +1,93 @@
+/*
+ * Copyright (C) 2002-2009 Andreas Steffen
+ *
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+ 
+#include "pgp.h"
+
+ENUM_BEGIN(pgp_packet_tag_names, PGP_PKT_RESERVED, PGP_PKT_PUBLIC_SUBKEY,
+	"Reserved",
+	"Public-Key Encrypted Session Key Packet",
+	"Signature Packet",
+	"Symmetric-Key Encrypted Session Key Packet",
+	"One-Pass Signature Packet",
+	"Secret Key Packet",
+	"Public Key Packet",
+	"Secret Subkey Packet",
+	"Compressed Data Packet",
+	"Symmetrically Encrypted Data Packet",
+	"Marker Packet",
+	"Literal Data Packet",
+	"Trust Packet",
+	"User ID Packet",
+	"Public Subkey Packet"
+);
+ENUM_NEXT(pgp_packet_tag_names, PGP_PKT_USER_ATTRIBUTE, PGP_PKT_MOD_DETECT_CODE, PGP_PKT_PUBLIC_SUBKEY,
+	"User Attribute Packet",
+	"Sym. Encrypted and Integrity Protected Data Packet",
+	"Modification Detection Code Packet"
+);
+ENUM_END(pgp_packet_tag_names, PGP_PKT_MOD_DETECT_CODE);
+
+
+ENUM_BEGIN(pgp_pubkey_alg_names, PGP_PUBKEY_ALG_RSA, PGP_PUBKEY_ALG_RSA_SIGN_ONLY,
+	"RSA",
+	"RSA_ENC_ONLY",
+	"RSA_SIGN_ONLY"
+);
+ENUM_NEXT(pgp_pubkey_alg_names, PGP_PUBKEY_ALG_ELGAMAL_ENC_ONLY, PGP_PUBKEY_ALG_DIFFIE_HELLMAN, PGP_PUBKEY_ALG_RSA_SIGN_ONLY,
+	"ELGAMAL_ENC_ONLY",
+	"DSA",
+	"ECC",
+	"ECDSA",
+	"ELGAMAL",
+	"DIFFIE_HELLMAN"
+);
+ENUM_END(pgp_pubkey_alg_names, PGP_PUBKEY_ALG_DIFFIE_HELLMAN);
+
+
+ENUM(pgp_sym_alg_names, PGP_SYM_ALG_PLAIN, PGP_SYM_ALG_TWOFISH,
+	"PLAINTEXT",
+	"IDEA",
+	"3DES",
+	"CAST5",
+	"BLOWFISH",
+	"SAFER",
+	"DES",
+	"AES_128",
+	"AES_192",
+	"AES_256",
+	"TWOFISH"
+);
+
+/*
+ * Defined in header.
+ */
+size_t pgp_length(chunk_t *blob, size_t len)
+{
+	size_t size = 0;
+
+	if (len > blob->len)
+	{
+		return PGP_INVALID_LENGTH;
+	}
+	blob->len -= len;
+
+	while (len-- > 0)
+	{
+		size = 256*size + *blob->ptr++;
+	}
+	return size;
+}
+
diff --git a/src/libstrongswan/pgp/pgp.h b/src/libstrongswan/pgp/pgp.h
new file mode 100644
index 000000000..677c5b1cc
--- /dev/null
+++ b/src/libstrongswan/pgp/pgp.h
@@ -0,0 +1,115 @@
+/*
+ * Copyright (C) 2002-2009 Andreas Steffen
+ *
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+ 
+/**
+ * @defgroup pgpi pgp
+ * @{ @ingroup pgp
+ */
+
+#ifndef PGP_H_
+#define PGP_H_
+
+typedef enum pgp_packet_tag_t pgp_packet_tag_t;
+typedef enum pgp_pubkey_alg_t pgp_pubkey_alg_t;
+typedef enum pgp_sym_alg_t pgp_sym_alg_t;
+
+#include <chunk.h>
+#include <enum.h>
+
+/**
+ * OpenPGP packet tags as defined in section 4.3 of RFC 4880
+ */
+enum pgp_packet_tag_t {
+	PGP_PKT_RESERVED               =  0,
+	PGP_PKT_PUBKEY_ENC_SESSION_KEY =  1,
+	PGP_PKT_SIGNATURE              =  2,
+	PGP_PKT_SYMKEY_ENC_SESSION_KEY =  3,
+	PGP_PKT_ONE_PASS_SIGNATURE_PKT =  4,
+	PGP_PKT_SECRET_KEY             =  5,
+	PGP_PKT_PUBLIC_KEY             =  6,
+	PGP_PKT_SECRET_SUBKEY          =  7,
+	PGP_PKT_COMPRESSED_DATA        =  8,
+	PGP_PKT_SYMKEY_ENC_DATA        =  9,
+	PGP_PKT_MARKER                 = 10,
+	PGP_PKT_LITERAL_DATA           = 11,
+	PGP_PKT_TRUST                  = 12,
+	PGP_PKT_USER_ID                = 13,
+	PGP_PKT_PUBLIC_SUBKEY          = 14,
+	PGP_PKT_USER_ATTRIBUTE         = 17,
+	PGP_PKT_SYM_ENC_INT_PROT_DATA  = 18,
+	PGP_PKT_MOD_DETECT_CODE        = 19
+};
+
+/**
+ * Enum names for pgp_packet_tag_t
+ */
+extern enum_name_t *pgp_packet_tag_names;
+
+/**
+ * OpenPGP public key algorithms as defined in section 9.1 of RFC 4880
+ */
+enum pgp_pubkey_alg_t {
+	PGP_PUBKEY_ALG_RSA              =  1,
+	PGP_PUBKEY_ALG_RSA_ENC_ONLY     =  2,
+	PGP_PUBKEY_ALG_RSA_SIGN_ONLY    =  3,
+	PGP_PUBKEY_ALG_ELGAMAL_ENC_ONLY = 16,
+	PGP_PUBKEY_ALG_DSA              = 17,
+	PGP_PUBKEY_ALG_ECC              = 18,
+	PGP_PUBKEY_ALG_ECDSA            = 19,
+	PGP_PUBKEY_ALG_ELGAMAL          = 20,
+	PGP_PUBKEY_ALG_DIFFIE_HELLMAN   = 21,
+};
+
+/**
+ * Enum names for pgp_pubkey_alg_t
+ */
+extern enum_name_t *pgp_pubkey_alg_names;
+
+/**
+ * OpenPGP symmetric key algorithms as defined in section 9.2 of RFC 4880
+ */
+enum pgp_sym_alg_t {
+	PGP_SYM_ALG_PLAIN    =  0,
+	PGP_SYM_ALG_IDEA     =  1,
+	PGP_SYM_ALG_3DES     =  2,
+	PGP_SYM_ALG_CAST5    =  3,
+	PGP_SYM_ALG_BLOWFISH =  4,
+	PGP_SYM_ALG_SAFER    =  5,
+	PGP_SYM_ALG_DES      =  6,
+	PGP_SYM_ALG_AES_128  =  7,
+	PGP_SYM_ALG_AES_192  =  8,
+	PGP_SYM_ALG_AES_256  =  9,
+	PGP_SYM_ALG_TWOFISH  = 10
+};
+
+/**
+ * Enum names for pgp_sym_alg_t
+ */
+extern enum_name_t *pgp_sym_alg_names;
+
+#define PGP_INVALID_LENGTH	0xffffffff
+
+/**
+ * Returns the length of an OpenPGP (RFC 4880) packet
+ * The blob pointer is advanced past the length field
+ *
+ * @param blob		pointer to an OpenPGP blob
+ * @param len		size of the length field
+ * @return			length of the next OpenPGP packet
+ */
+size_t pgp_length(chunk_t *blob, size_t len);
+
+#endif /** PGP_H_ @}*/
diff --git a/src/libstrongswan/plugins/aes/Makefile.in b/src/libstrongswan/plugins/aes/Makefile.in
index e4eb7e5cf..19d3249b5 100644
--- a/src/libstrongswan/plugins/aes/Makefile.in
+++ b/src/libstrongswan/plugins/aes/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -87,6 +87,7 @@ CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -109,6 +110,9 @@ LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -120,6 +124,7 @@ MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
 NM = @NM@
 NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
@@ -133,6 +138,8 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 RANLIB = @RANLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -193,6 +200,7 @@ oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
 plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -204,6 +212,7 @@ srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 xml_CFLAGS = @xml_CFLAGS@
@@ -221,8 +230,8 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
 	    *$$dep*) \
-	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
-		&& exit 0; \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
 	      exit 1;; \
 	  esac; \
 	done; \
@@ -317,7 +326,7 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
 	mkid -fID $$unique
 tags: TAGS
diff --git a/src/libstrongswan/plugins/aes/aes_crypter.c b/src/libstrongswan/plugins/aes/aes_crypter.c
index ce4c6da99..c5b091750 100644
--- a/src/libstrongswan/plugins/aes/aes_crypter.c
+++ b/src/libstrongswan/plugins/aes/aes_crypter.c
@@ -13,8 +13,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: aes_crypter.c 3900 2008-04-30 14:02:25Z martin $
  */
  
 #include "aes_crypter.h"
@@ -34,8 +32,6 @@
 #define AES_KS_LENGTH   120
 #define AES_RC_LENGTH    29
 
-#define AES_BLOCK_SIZE 16
-
 typedef struct private_aes_crypter_t private_aes_crypter_t;
 
 /**
diff --git a/src/libstrongswan/plugins/aes/aes_plugin.c b/src/libstrongswan/plugins/aes/aes_plugin.c
index 71e49ad73..63fa48330 100644
--- a/src/libstrongswan/plugins/aes/aes_plugin.c
+++ b/src/libstrongswan/plugins/aes/aes_plugin.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: aes_plugin.c 3488 2008-02-21 15:10:02Z martin $
  */
 
 #include "aes_plugin.h"
diff --git a/src/libstrongswan/plugins/agent/Makefile.in b/src/libstrongswan/plugins/agent/Makefile.in
index 6b2da9cb4..5a5202262 100644
--- a/src/libstrongswan/plugins/agent/Makefile.in
+++ b/src/libstrongswan/plugins/agent/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -88,6 +88,7 @@ CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -110,6 +111,9 @@ LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -121,6 +125,7 @@ MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
 NM = @NM@
 NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
@@ -134,6 +139,8 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 RANLIB = @RANLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -194,6 +201,7 @@ oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
 plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -205,6 +213,7 @@ srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 xml_CFLAGS = @xml_CFLAGS@
@@ -224,8 +233,8 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
 	    *$$dep*) \
-	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
-		&& exit 0; \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
 	      exit 1;; \
 	  esac; \
 	done; \
@@ -320,7 +329,7 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
 	mkid -fID $$unique
 tags: TAGS
diff --git a/src/libstrongswan/plugins/agent/agent_plugin.c b/src/libstrongswan/plugins/agent/agent_plugin.c
index 474171ad1..84b85d4bd 100644
--- a/src/libstrongswan/plugins/agent/agent_plugin.c
+++ b/src/libstrongswan/plugins/agent/agent_plugin.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 #include "agent_plugin.h"
diff --git a/src/libstrongswan/plugins/agent/agent_private_key.c b/src/libstrongswan/plugins/agent/agent_private_key.c
index 5e7d0839e..ffdc6d778 100644
--- a/src/libstrongswan/plugins/agent/agent_private_key.c
+++ b/src/libstrongswan/plugins/agent/agent_private_key.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 #include "agent_private_key.h"
@@ -191,8 +189,8 @@ static bool matches_pubkey(chunk_t key, public_key_t *pubkey)
 		return FALSE;
 	}
 	pubkeydata = asn1_wrap(ASN1_SEQUENCE, "mm", 
-						asn1_wrap(ASN1_INTEGER, "c", n),
-						asn1_wrap(ASN1_INTEGER, "c", e));
+						asn1_integer("c", n),
+						asn1_integer("c", e));
 	hasher->allocate_hash(hasher, pubkeydata, &hash);
 	free(pubkeydata.ptr);
 	id = pubkey->get_id(pubkey, ID_PUBKEY_SHA1);
@@ -271,7 +269,7 @@ static bool sign(private_agent_private_key_t *this, signature_scheme_t scheme,
 	char buf[2048];
 	chunk_t blob = chunk_from_buf(buf);
 	
-	if (scheme != SIGN_DEFAULT && scheme != SIGN_RSA_EMSA_PKCS1_SHA1)
+	if (scheme != SIGN_RSA_EMSA_PKCS1_SHA1)
 	{
 		DBG1("signature scheme %N not supported by ssh-agent",
 			 signature_scheme_names, scheme);
@@ -389,8 +387,8 @@ static public_key_t* get_public_key(private_agent_private_key_t *this)
 	e = read_string(&key);
 	n = read_string(&key);
 	encoded = asn1_wrap(ASN1_SEQUENCE, "mm", 
-					asn1_wrap(ASN1_INTEGER, "c", n),
-					asn1_wrap(ASN1_INTEGER, "c", e));
+					asn1_integer("c", n),
+					asn1_integer("c", e));
 
 	public = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_RSA, 
 								BUILD_BLOB_ASN1_DER, encoded, BUILD_END);
@@ -442,8 +440,8 @@ static bool build_ids(private_agent_private_key_t *this)
 		return FALSE;
 	}
 	publicKey = asn1_wrap(ASN1_SEQUENCE, "mm", 
-					asn1_wrap(ASN1_INTEGER, "c", n),
-					asn1_wrap(ASN1_INTEGER, "c", e));
+					asn1_integer("c", n),
+					asn1_integer("c", e));
 	hasher->allocate_hash(hasher, publicKey, &hash);
 	this->keyid = identification_create_from_encoding(ID_PUBKEY_SHA1, hash);
 	chunk_free(&hash);
diff --git a/src/libstrongswan/plugins/blowfish/Makefile.am b/src/libstrongswan/plugins/blowfish/Makefile.am
new file mode 100644
index 000000000..6bb82169e
--- /dev/null
+++ b/src/libstrongswan/plugins/blowfish/Makefile.am
@@ -0,0 +1,12 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = -rdynamic
+
+plugin_LTLIBRARIES = libstrongswan-blowfish.la
+
+libstrongswan_blowfish_la_SOURCES = \
+blowfish_plugin.h blowfish_plugin.c blowfish_crypter.c blowfish_crypter.h \
+bf_skey.c blowfish.h bf_pi.h bf_locl.h bf_enc.c 
+libstrongswan_blowfish_la_LDFLAGS = -module
+
diff --git a/src/libstrongswan/plugins/blowfish/Makefile.in b/src/libstrongswan/plugins/blowfish/Makefile.in
new file mode 100644
index 000000000..25cea73df
--- /dev/null
+++ b/src/libstrongswan/plugins/blowfish/Makefile.in
@@ -0,0 +1,513 @@
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libstrongswan/plugins/blowfish
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__installdirs = "$(DESTDIR)$(plugindir)"
+pluginLTLIBRARIES_INSTALL = $(INSTALL)
+LTLIBRARIES = $(plugin_LTLIBRARIES)
+libstrongswan_blowfish_la_LIBADD =
+am_libstrongswan_blowfish_la_OBJECTS = blowfish_plugin.lo \
+	blowfish_crypter.lo bf_skey.lo bf_enc.lo
+libstrongswan_blowfish_la_OBJECTS =  \
+	$(am_libstrongswan_blowfish_la_OBJECTS)
+libstrongswan_blowfish_la_LINK = $(LIBTOOL) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_blowfish_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_blowfish_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_blowfish_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
+IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LINUX_HEADERS = @LINUX_HEADERS@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+RANLIB = @RANLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+confdir = @confdir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libstrongswan_plugins = @libstrongswan_plugins@
+linuxdir = @linuxdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+resolv_conf = @resolv_conf@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+simreader = @simreader@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+AM_CFLAGS = -rdynamic
+plugin_LTLIBRARIES = libstrongswan-blowfish.la
+libstrongswan_blowfish_la_SOURCES = \
+blowfish_plugin.h blowfish_plugin.c blowfish_crypter.c blowfish_crypter.h \
+bf_skey.c blowfish.h bf_pi.h bf_locl.h bf_enc.c 
+
+libstrongswan_blowfish_la_LDFLAGS = -module
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/libstrongswan/plugins/blowfish/Makefile'; \
+	cd $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu  src/libstrongswan/plugins/blowfish/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    f=$(am__strip_dir) \
+	    echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(plugindir)/$$f'"; \
+	    $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(plugindir)/$$f"; \
+	  else :; fi; \
+	done
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  p=$(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$p'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$p"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-blowfish.la: $(libstrongswan_blowfish_la_OBJECTS) $(libstrongswan_blowfish_la_DEPENDENCIES) 
+	$(libstrongswan_blowfish_la_LINK) -rpath $(plugindir) $(libstrongswan_blowfish_la_OBJECTS) $(libstrongswan_blowfish_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bf_enc.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bf_skey.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/blowfish_crypter.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/blowfish_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	    $$tags $$unique; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$tags $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) $$here
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	    fi; \
+	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
+	mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-info: install-info-am
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
+	distclean-compile distclean-generic distclean-libtool \
+	distclean-tags distdir dvi dvi-am html html-am info info-am \
+	install install-am install-data install-data-am install-dvi \
+	install-dvi-am install-exec install-exec-am install-html \
+	install-html-am install-info install-info-am install-man \
+	install-pdf install-pdf-am install-pluginLTLIBRARIES \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libstrongswan/plugins/blowfish/bf_enc.c b/src/libstrongswan/plugins/blowfish/bf_enc.c
new file mode 100644
index 000000000..c2f3ce2e8
--- /dev/null
+++ b/src/libstrongswan/plugins/blowfish/bf_enc.c
@@ -0,0 +1,306 @@
+/* crypto/bf/bf_enc.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include "blowfish.h"
+#include "bf_locl.h"
+
+/* Blowfish as implemented from 'Blowfish: Springer-Verlag paper'
+ * (From LECTURE NOTES IN COMPUTER SCIENCE 809, FAST SOFTWARE ENCRYPTION,
+ * CAMBRIDGE SECURITY WORKSHOP, CAMBRIDGE, U.K., DECEMBER 9-11, 1993)
+ */
+
+#if (BF_ROUNDS != 16) && (BF_ROUNDS != 20)
+#error If you set BF_ROUNDS to some value other than 16 or 20, you will have \
+to modify the code.
+#endif
+
+void BF_encrypt(BF_LONG *data, const BF_KEY *key)
+{
+#ifndef BF_PTR2
+	const BF_LONG *p,*s;
+	BF_LONG l,r;
+
+	p=key->P;
+	s= &(key->S[0]);
+	l=data[0];
+	r=data[1];
+
+	l^=p[0];
+	BF_ENC(r,l,s,p[ 1]);
+	BF_ENC(l,r,s,p[ 2]);
+	BF_ENC(r,l,s,p[ 3]);
+	BF_ENC(l,r,s,p[ 4]);
+	BF_ENC(r,l,s,p[ 5]);
+	BF_ENC(l,r,s,p[ 6]);
+	BF_ENC(r,l,s,p[ 7]);
+	BF_ENC(l,r,s,p[ 8]);
+	BF_ENC(r,l,s,p[ 9]);
+	BF_ENC(l,r,s,p[10]);
+	BF_ENC(r,l,s,p[11]);
+	BF_ENC(l,r,s,p[12]);
+	BF_ENC(r,l,s,p[13]);
+	BF_ENC(l,r,s,p[14]);
+	BF_ENC(r,l,s,p[15]);
+	BF_ENC(l,r,s,p[16]);
+#if BF_ROUNDS == 20
+	BF_ENC(r,l,s,p[17]);
+	BF_ENC(l,r,s,p[18]);
+	BF_ENC(r,l,s,p[19]);
+	BF_ENC(l,r,s,p[20]);
+#endif
+	r^=p[BF_ROUNDS+1];
+
+	data[1]=l&0xffffffffL;
+	data[0]=r&0xffffffffL;
+#else
+	BF_LONG l,r,t,*k;
+
+	l=data[0];
+	r=data[1];
+	k=(BF_LONG*)key;
+
+	l^=k[0];
+	BF_ENC(r,l,k, 1);
+	BF_ENC(l,r,k, 2);
+	BF_ENC(r,l,k, 3);
+	BF_ENC(l,r,k, 4);
+	BF_ENC(r,l,k, 5);
+	BF_ENC(l,r,k, 6);
+	BF_ENC(r,l,k, 7);
+	BF_ENC(l,r,k, 8);
+	BF_ENC(r,l,k, 9);
+	BF_ENC(l,r,k,10);
+	BF_ENC(r,l,k,11);
+	BF_ENC(l,r,k,12);
+	BF_ENC(r,l,k,13);
+	BF_ENC(l,r,k,14);
+	BF_ENC(r,l,k,15);
+	BF_ENC(l,r,k,16);
+#if BF_ROUNDS == 20
+	BF_ENC(r,l,k,17);
+	BF_ENC(l,r,k,18);
+	BF_ENC(r,l,k,19);
+	BF_ENC(l,r,k,20);
+#endif
+	r^=k[BF_ROUNDS+1];
+
+	data[1]=l&0xffffffffL;
+	data[0]=r&0xffffffffL;
+#endif
+}
+
+#ifndef BF_DEFAULT_OPTIONS
+
+void BF_decrypt(BF_LONG *data, const BF_KEY *key)
+{
+#ifndef BF_PTR2
+	const BF_LONG *p,*s;
+	BF_LONG l,r;
+
+	p=key->P;
+	s= &(key->S[0]);
+	l=data[0];
+	r=data[1];
+
+	l^=p[BF_ROUNDS+1];
+#if BF_ROUNDS == 20
+	BF_ENC(r,l,s,p[20]);
+	BF_ENC(l,r,s,p[19]);
+	BF_ENC(r,l,s,p[18]);
+	BF_ENC(l,r,s,p[17]);
+#endif
+	BF_ENC(r,l,s,p[16]);
+	BF_ENC(l,r,s,p[15]);
+	BF_ENC(r,l,s,p[14]);
+	BF_ENC(l,r,s,p[13]);
+	BF_ENC(r,l,s,p[12]);
+	BF_ENC(l,r,s,p[11]);
+	BF_ENC(r,l,s,p[10]);
+	BF_ENC(l,r,s,p[ 9]);
+	BF_ENC(r,l,s,p[ 8]);
+	BF_ENC(l,r,s,p[ 7]);
+	BF_ENC(r,l,s,p[ 6]);
+	BF_ENC(l,r,s,p[ 5]);
+	BF_ENC(r,l,s,p[ 4]);
+	BF_ENC(l,r,s,p[ 3]);
+	BF_ENC(r,l,s,p[ 2]);
+	BF_ENC(l,r,s,p[ 1]);
+	r^=p[0];
+
+	data[1]=l&0xffffffffL;
+	data[0]=r&0xffffffffL;
+#else
+	BF_LONG l,r,t,*k;
+
+	l=data[0];
+	r=data[1];
+	k=(BF_LONG *)key;
+
+	l^=k[BF_ROUNDS+1];
+#if BF_ROUNDS == 20
+	BF_ENC(r,l,k,20);
+	BF_ENC(l,r,k,19);
+	BF_ENC(r,l,k,18);
+	BF_ENC(l,r,k,17);
+#endif
+	BF_ENC(r,l,k,16);
+	BF_ENC(l,r,k,15);
+	BF_ENC(r,l,k,14);
+	BF_ENC(l,r,k,13);
+	BF_ENC(r,l,k,12);
+	BF_ENC(l,r,k,11);
+	BF_ENC(r,l,k,10);
+	BF_ENC(l,r,k, 9);
+	BF_ENC(r,l,k, 8);
+	BF_ENC(l,r,k, 7);
+	BF_ENC(r,l,k, 6);
+	BF_ENC(l,r,k, 5);
+	BF_ENC(r,l,k, 4);
+	BF_ENC(l,r,k, 3);
+	BF_ENC(r,l,k, 2);
+	BF_ENC(l,r,k, 1);
+	r^=k[0];
+
+	data[1]=l&0xffffffffL;
+	data[0]=r&0xffffffffL;
+#endif
+}
+
+void BF_cbc_encrypt(const unsigned char *in, unsigned char *out, long length,
+					const BF_KEY *schedule, unsigned char *ivec, int encrypt)
+{
+	BF_LONG tin0,tin1;
+	BF_LONG tout0,tout1,xor0,xor1;
+	long l=length;
+	BF_LONG tin[2];
+
+	if (encrypt)
+	{
+		n2l(ivec,tout0);
+		n2l(ivec,tout1);
+		ivec-=8;
+		for (l-=8; l>=0; l-=8)
+		{
+			n2l(in,tin0);
+			n2l(in,tin1);
+			tin0^=tout0;
+			tin1^=tout1;
+			tin[0]=tin0;
+			tin[1]=tin1;
+			BF_encrypt(tin,schedule);
+			tout0=tin[0];
+			tout1=tin[1];
+			l2n(tout0,out);
+			l2n(tout1,out);
+		}
+		if (l != -8)
+		{
+			n2ln(in,tin0,tin1,l+8);
+			tin0^=tout0;
+			tin1^=tout1;
+			tin[0]=tin0;
+			tin[1]=tin1;
+			BF_encrypt(tin,schedule);
+			tout0=tin[0];
+			tout1=tin[1];
+			l2n(tout0,out);
+			l2n(tout1,out);
+		}
+		l2n(tout0,ivec);
+		l2n(tout1,ivec);
+	}
+	else
+	{
+		n2l(ivec,xor0);
+		n2l(ivec,xor1);
+		ivec-=8;
+		for (l-=8; l>=0; l-=8)
+		{
+			n2l(in,tin0);
+			n2l(in,tin1);
+			tin[0]=tin0;
+			tin[1]=tin1;
+			BF_decrypt(tin,schedule);
+			tout0=tin[0]^xor0;
+			tout1=tin[1]^xor1;
+			l2n(tout0,out);
+			l2n(tout1,out);
+			xor0=tin0;
+			xor1=tin1;
+		}
+		if (l != -8)
+		{
+			n2l(in,tin0);
+			n2l(in,tin1);
+			tin[0]=tin0;
+			tin[1]=tin1;
+			BF_decrypt(tin,schedule);
+			tout0=tin[0]^xor0;
+			tout1=tin[1]^xor1;
+			l2nn(tout0,tout1,out,l+8);
+			xor0=tin0;
+			xor1=tin1;
+		}
+		l2n(xor0,ivec);
+		l2n(xor1,ivec);
+	}
+	tin0=tin1=tout0=tout1=xor0=xor1=0;
+	tin[0]=tin[1]=0;
+}
+
+#endif
diff --git a/src/libstrongswan/plugins/blowfish/bf_locl.h b/src/libstrongswan/plugins/blowfish/bf_locl.h
new file mode 100644
index 000000000..283bf4c43
--- /dev/null
+++ b/src/libstrongswan/plugins/blowfish/bf_locl.h
@@ -0,0 +1,218 @@
+/* crypto/bf/bf_locl.h */
+/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef HEADER_BF_LOCL_H
+#define HEADER_BF_LOCL_H
+
+#undef c2l
+#define c2l(c,l)	(l =((unsigned long)(*((c)++)))    , \
+			 l|=((unsigned long)(*((c)++)))<< 8L, \
+			 l|=((unsigned long)(*((c)++)))<<16L, \
+			 l|=((unsigned long)(*((c)++)))<<24L)
+
+/* NOTE - c is not incremented as per c2l */
+#undef c2ln
+#define c2ln(c,l1,l2,n)	{ \
+			c+=n; \
+			l1=l2=0; \
+			switch (n) { \
+			case 8: l2 =((unsigned long)(*(--(c))))<<24L; \
+			case 7: l2|=((unsigned long)(*(--(c))))<<16L; \
+			case 6: l2|=((unsigned long)(*(--(c))))<< 8L; \
+			case 5: l2|=((unsigned long)(*(--(c))));     \
+			case 4: l1 =((unsigned long)(*(--(c))))<<24L; \
+			case 3: l1|=((unsigned long)(*(--(c))))<<16L; \
+			case 2: l1|=((unsigned long)(*(--(c))))<< 8L; \
+			case 1: l1|=((unsigned long)(*(--(c))));     \
+				} \
+			}
+
+#undef l2c
+#define l2c(l,c)	(*((c)++)=(unsigned char)(((l)     )&0xff), \
+			 *((c)++)=(unsigned char)(((l)>> 8L)&0xff), \
+			 *((c)++)=(unsigned char)(((l)>>16L)&0xff), \
+			 *((c)++)=(unsigned char)(((l)>>24L)&0xff))
+
+/* NOTE - c is not incremented as per l2c */
+#undef l2cn
+#define l2cn(l1,l2,c,n)	{ \
+			c+=n; \
+			switch (n) { \
+			case 8: *(--(c))=(unsigned char)(((l2)>>24L)&0xff); \
+			case 7: *(--(c))=(unsigned char)(((l2)>>16L)&0xff); \
+			case 6: *(--(c))=(unsigned char)(((l2)>> 8L)&0xff); \
+			case 5: *(--(c))=(unsigned char)(((l2)     )&0xff); \
+			case 4: *(--(c))=(unsigned char)(((l1)>>24L)&0xff); \
+			case 3: *(--(c))=(unsigned char)(((l1)>>16L)&0xff); \
+			case 2: *(--(c))=(unsigned char)(((l1)>> 8L)&0xff); \
+			case 1: *(--(c))=(unsigned char)(((l1)     )&0xff); \
+				} \
+			}
+
+/* NOTE - c is not incremented as per n2l */
+#define n2ln(c,l1,l2,n)	{ \
+			c+=n; \
+			l1=l2=0; \
+			switch (n) { \
+			case 8: l2 =((unsigned long)(*(--(c))))    ; \
+			case 7: l2|=((unsigned long)(*(--(c))))<< 8; \
+			case 6: l2|=((unsigned long)(*(--(c))))<<16; \
+			case 5: l2|=((unsigned long)(*(--(c))))<<24; \
+			case 4: l1 =((unsigned long)(*(--(c))))    ; \
+			case 3: l1|=((unsigned long)(*(--(c))))<< 8; \
+			case 2: l1|=((unsigned long)(*(--(c))))<<16; \
+			case 1: l1|=((unsigned long)(*(--(c))))<<24; \
+				} \
+			}
+
+/* NOTE - c is not incremented as per l2n */
+#define l2nn(l1,l2,c,n)	{ \
+			c+=n; \
+			switch (n) { \
+			case 8: *(--(c))=(unsigned char)(((l2)    )&0xff); \
+			case 7: *(--(c))=(unsigned char)(((l2)>> 8)&0xff); \
+			case 6: *(--(c))=(unsigned char)(((l2)>>16)&0xff); \
+			case 5: *(--(c))=(unsigned char)(((l2)>>24)&0xff); \
+			case 4: *(--(c))=(unsigned char)(((l1)    )&0xff); \
+			case 3: *(--(c))=(unsigned char)(((l1)>> 8)&0xff); \
+			case 2: *(--(c))=(unsigned char)(((l1)>>16)&0xff); \
+			case 1: *(--(c))=(unsigned char)(((l1)>>24)&0xff); \
+				} \
+			}
+
+#undef n2l
+#define n2l(c,l)        (l =((unsigned long)(*((c)++)))<<24L, \
+                         l|=((unsigned long)(*((c)++)))<<16L, \
+                         l|=((unsigned long)(*((c)++)))<< 8L, \
+                         l|=((unsigned long)(*((c)++))))
+
+#undef l2n
+#define l2n(l,c)        (*((c)++)=(unsigned char)(((l)>>24L)&0xff), \
+                         *((c)++)=(unsigned char)(((l)>>16L)&0xff), \
+                         *((c)++)=(unsigned char)(((l)>> 8L)&0xff), \
+                         *((c)++)=(unsigned char)(((l)     )&0xff))
+
+/* This is actually a big endian algorithm, the most significant byte
+ * is used to lookup array 0 */
+
+#if defined(BF_PTR2)
+
+/*
+ * This is basically a special Intel version. Point is that Intel
+ * doesn't have many registers, but offers a reach choice of addressing
+ * modes. So we spare some registers by directly traversing BF_KEY
+ * structure and hiring the most decorated addressing mode. The code
+ * generated by EGCS is *perfectly* competitive with assembler
+ * implementation!
+ */
+#define BF_ENC(LL,R,KEY,Pi) (\
+	LL^=KEY[Pi], \
+	t=  KEY[BF_ROUNDS+2 +   0 + ((R>>24)&0xFF)], \
+	t+= KEY[BF_ROUNDS+2 + 256 + ((R>>16)&0xFF)], \
+	t^= KEY[BF_ROUNDS+2 + 512 + ((R>>8 )&0xFF)], \
+	t+= KEY[BF_ROUNDS+2 + 768 + ((R    )&0xFF)], \
+	LL^=t \
+	)
+
+#elif defined(BF_PTR)
+
+#ifndef BF_LONG_LOG2
+#define BF_LONG_LOG2  2       /* default to BF_LONG being 32 bits */
+#endif
+#define BF_M  (0xFF<<BF_LONG_LOG2)
+#define BF_0  (24-BF_LONG_LOG2)
+#define BF_1  (16-BF_LONG_LOG2)
+#define BF_2  ( 8-BF_LONG_LOG2)
+#define BF_3  BF_LONG_LOG2 /* left shift */
+
+/*
+ * This is normally very good on RISC platforms where normally you
+ * have to explicitly "multiply" array index by sizeof(BF_LONG)
+ * in order to calculate the effective address. This implementation
+ * excuses CPU from this extra work. Power[PC] uses should have most
+ * fun as (R>>BF_i)&BF_M gets folded into a single instruction, namely
+ * rlwinm. So let'em double-check if their compiler does it.
+ */
+
+#define BF_ENC(LL,R,S,P) ( \
+	LL^=P, \
+	LL^= (((*(BF_LONG *)((unsigned char *)&(S[  0])+((R>>BF_0)&BF_M))+ \
+		*(BF_LONG *)((unsigned char *)&(S[256])+((R>>BF_1)&BF_M)))^ \
+		*(BF_LONG *)((unsigned char *)&(S[512])+((R>>BF_2)&BF_M)))+ \
+		*(BF_LONG *)((unsigned char *)&(S[768])+((R<<BF_3)&BF_M))) \
+	)
+#else
+
+/*
+ * This is a *generic* version. Seem to perform best on platforms that
+ * offer explicit support for extraction of 8-bit nibbles preferably
+ * complemented with "multiplying" of array index by sizeof(BF_LONG).
+ * For the moment of this writing the list comprises Alpha CPU featuring
+ * extbl and s[48]addq instructions.
+ */
+
+#define BF_ENC(LL,R,S,P) ( \
+	LL^=P, \
+	LL^=(((	S[       ((int)(R>>24)&0xff)] + \
+		S[0x0100+((int)(R>>16)&0xff)])^ \
+		S[0x0200+((int)(R>> 8)&0xff)])+ \
+		S[0x0300+((int)(R    )&0xff)])&0xffffffffL \
+	)
+#endif
+
+#endif
diff --git a/src/libstrongswan/plugins/blowfish/bf_pi.h b/src/libstrongswan/plugins/blowfish/bf_pi.h
new file mode 100644
index 000000000..9949513c6
--- /dev/null
+++ b/src/libstrongswan/plugins/blowfish/bf_pi.h
@@ -0,0 +1,325 @@
+/* crypto/bf/bf_pi.h */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+static const BF_KEY bf_init= {
+	{
+	0x243f6a88L, 0x85a308d3L, 0x13198a2eL, 0x03707344L,
+	0xa4093822L, 0x299f31d0L, 0x082efa98L, 0xec4e6c89L,
+	0x452821e6L, 0x38d01377L, 0xbe5466cfL, 0x34e90c6cL,
+	0xc0ac29b7L, 0xc97c50ddL, 0x3f84d5b5L, 0xb5470917L,
+	0x9216d5d9L, 0x8979fb1b
+	},{
+	0xd1310ba6L, 0x98dfb5acL, 0x2ffd72dbL, 0xd01adfb7L, 
+	0xb8e1afedL, 0x6a267e96L, 0xba7c9045L, 0xf12c7f99L, 
+	0x24a19947L, 0xb3916cf7L, 0x0801f2e2L, 0x858efc16L, 
+	0x636920d8L, 0x71574e69L, 0xa458fea3L, 0xf4933d7eL, 
+	0x0d95748fL, 0x728eb658L, 0x718bcd58L, 0x82154aeeL, 
+	0x7b54a41dL, 0xc25a59b5L, 0x9c30d539L, 0x2af26013L, 
+	0xc5d1b023L, 0x286085f0L, 0xca417918L, 0xb8db38efL, 
+	0x8e79dcb0L, 0x603a180eL, 0x6c9e0e8bL, 0xb01e8a3eL, 
+	0xd71577c1L, 0xbd314b27L, 0x78af2fdaL, 0x55605c60L, 
+	0xe65525f3L, 0xaa55ab94L, 0x57489862L, 0x63e81440L, 
+	0x55ca396aL, 0x2aab10b6L, 0xb4cc5c34L, 0x1141e8ceL, 
+	0xa15486afL, 0x7c72e993L, 0xb3ee1411L, 0x636fbc2aL, 
+	0x2ba9c55dL, 0x741831f6L, 0xce5c3e16L, 0x9b87931eL, 
+	0xafd6ba33L, 0x6c24cf5cL, 0x7a325381L, 0x28958677L, 
+	0x3b8f4898L, 0x6b4bb9afL, 0xc4bfe81bL, 0x66282193L, 
+	0x61d809ccL, 0xfb21a991L, 0x487cac60L, 0x5dec8032L, 
+	0xef845d5dL, 0xe98575b1L, 0xdc262302L, 0xeb651b88L, 
+	0x23893e81L, 0xd396acc5L, 0x0f6d6ff3L, 0x83f44239L, 
+	0x2e0b4482L, 0xa4842004L, 0x69c8f04aL, 0x9e1f9b5eL, 
+	0x21c66842L, 0xf6e96c9aL, 0x670c9c61L, 0xabd388f0L, 
+	0x6a51a0d2L, 0xd8542f68L, 0x960fa728L, 0xab5133a3L, 
+	0x6eef0b6cL, 0x137a3be4L, 0xba3bf050L, 0x7efb2a98L, 
+	0xa1f1651dL, 0x39af0176L, 0x66ca593eL, 0x82430e88L, 
+	0x8cee8619L, 0x456f9fb4L, 0x7d84a5c3L, 0x3b8b5ebeL, 
+	0xe06f75d8L, 0x85c12073L, 0x401a449fL, 0x56c16aa6L, 
+	0x4ed3aa62L, 0x363f7706L, 0x1bfedf72L, 0x429b023dL, 
+	0x37d0d724L, 0xd00a1248L, 0xdb0fead3L, 0x49f1c09bL, 
+	0x075372c9L, 0x80991b7bL, 0x25d479d8L, 0xf6e8def7L, 
+	0xe3fe501aL, 0xb6794c3bL, 0x976ce0bdL, 0x04c006baL, 
+	0xc1a94fb6L, 0x409f60c4L, 0x5e5c9ec2L, 0x196a2463L, 
+	0x68fb6fafL, 0x3e6c53b5L, 0x1339b2ebL, 0x3b52ec6fL, 
+	0x6dfc511fL, 0x9b30952cL, 0xcc814544L, 0xaf5ebd09L, 
+	0xbee3d004L, 0xde334afdL, 0x660f2807L, 0x192e4bb3L, 
+	0xc0cba857L, 0x45c8740fL, 0xd20b5f39L, 0xb9d3fbdbL, 
+	0x5579c0bdL, 0x1a60320aL, 0xd6a100c6L, 0x402c7279L, 
+	0x679f25feL, 0xfb1fa3ccL, 0x8ea5e9f8L, 0xdb3222f8L, 
+	0x3c7516dfL, 0xfd616b15L, 0x2f501ec8L, 0xad0552abL, 
+	0x323db5faL, 0xfd238760L, 0x53317b48L, 0x3e00df82L, 
+	0x9e5c57bbL, 0xca6f8ca0L, 0x1a87562eL, 0xdf1769dbL, 
+	0xd542a8f6L, 0x287effc3L, 0xac6732c6L, 0x8c4f5573L, 
+	0x695b27b0L, 0xbbca58c8L, 0xe1ffa35dL, 0xb8f011a0L, 
+	0x10fa3d98L, 0xfd2183b8L, 0x4afcb56cL, 0x2dd1d35bL, 
+	0x9a53e479L, 0xb6f84565L, 0xd28e49bcL, 0x4bfb9790L, 
+	0xe1ddf2daL, 0xa4cb7e33L, 0x62fb1341L, 0xcee4c6e8L, 
+	0xef20cadaL, 0x36774c01L, 0xd07e9efeL, 0x2bf11fb4L, 
+	0x95dbda4dL, 0xae909198L, 0xeaad8e71L, 0x6b93d5a0L, 
+	0xd08ed1d0L, 0xafc725e0L, 0x8e3c5b2fL, 0x8e7594b7L, 
+	0x8ff6e2fbL, 0xf2122b64L, 0x8888b812L, 0x900df01cL, 
+	0x4fad5ea0L, 0x688fc31cL, 0xd1cff191L, 0xb3a8c1adL, 
+	0x2f2f2218L, 0xbe0e1777L, 0xea752dfeL, 0x8b021fa1L, 
+	0xe5a0cc0fL, 0xb56f74e8L, 0x18acf3d6L, 0xce89e299L, 
+	0xb4a84fe0L, 0xfd13e0b7L, 0x7cc43b81L, 0xd2ada8d9L, 
+	0x165fa266L, 0x80957705L, 0x93cc7314L, 0x211a1477L, 
+	0xe6ad2065L, 0x77b5fa86L, 0xc75442f5L, 0xfb9d35cfL, 
+	0xebcdaf0cL, 0x7b3e89a0L, 0xd6411bd3L, 0xae1e7e49L, 
+	0x00250e2dL, 0x2071b35eL, 0x226800bbL, 0x57b8e0afL, 
+	0x2464369bL, 0xf009b91eL, 0x5563911dL, 0x59dfa6aaL, 
+	0x78c14389L, 0xd95a537fL, 0x207d5ba2L, 0x02e5b9c5L, 
+	0x83260376L, 0x6295cfa9L, 0x11c81968L, 0x4e734a41L, 
+	0xb3472dcaL, 0x7b14a94aL, 0x1b510052L, 0x9a532915L, 
+	0xd60f573fL, 0xbc9bc6e4L, 0x2b60a476L, 0x81e67400L, 
+	0x08ba6fb5L, 0x571be91fL, 0xf296ec6bL, 0x2a0dd915L, 
+	0xb6636521L, 0xe7b9f9b6L, 0xff34052eL, 0xc5855664L, 
+	0x53b02d5dL, 0xa99f8fa1L, 0x08ba4799L, 0x6e85076aL, 
+	0x4b7a70e9L, 0xb5b32944L, 0xdb75092eL, 0xc4192623L, 
+	0xad6ea6b0L, 0x49a7df7dL, 0x9cee60b8L, 0x8fedb266L, 
+	0xecaa8c71L, 0x699a17ffL, 0x5664526cL, 0xc2b19ee1L, 
+	0x193602a5L, 0x75094c29L, 0xa0591340L, 0xe4183a3eL, 
+	0x3f54989aL, 0x5b429d65L, 0x6b8fe4d6L, 0x99f73fd6L, 
+	0xa1d29c07L, 0xefe830f5L, 0x4d2d38e6L, 0xf0255dc1L, 
+	0x4cdd2086L, 0x8470eb26L, 0x6382e9c6L, 0x021ecc5eL, 
+	0x09686b3fL, 0x3ebaefc9L, 0x3c971814L, 0x6b6a70a1L, 
+	0x687f3584L, 0x52a0e286L, 0xb79c5305L, 0xaa500737L, 
+	0x3e07841cL, 0x7fdeae5cL, 0x8e7d44ecL, 0x5716f2b8L, 
+	0xb03ada37L, 0xf0500c0dL, 0xf01c1f04L, 0x0200b3ffL, 
+	0xae0cf51aL, 0x3cb574b2L, 0x25837a58L, 0xdc0921bdL, 
+	0xd19113f9L, 0x7ca92ff6L, 0x94324773L, 0x22f54701L, 
+	0x3ae5e581L, 0x37c2dadcL, 0xc8b57634L, 0x9af3dda7L, 
+	0xa9446146L, 0x0fd0030eL, 0xecc8c73eL, 0xa4751e41L, 
+	0xe238cd99L, 0x3bea0e2fL, 0x3280bba1L, 0x183eb331L, 
+	0x4e548b38L, 0x4f6db908L, 0x6f420d03L, 0xf60a04bfL, 
+	0x2cb81290L, 0x24977c79L, 0x5679b072L, 0xbcaf89afL, 
+	0xde9a771fL, 0xd9930810L, 0xb38bae12L, 0xdccf3f2eL, 
+	0x5512721fL, 0x2e6b7124L, 0x501adde6L, 0x9f84cd87L, 
+	0x7a584718L, 0x7408da17L, 0xbc9f9abcL, 0xe94b7d8cL, 
+	0xec7aec3aL, 0xdb851dfaL, 0x63094366L, 0xc464c3d2L, 
+	0xef1c1847L, 0x3215d908L, 0xdd433b37L, 0x24c2ba16L, 
+	0x12a14d43L, 0x2a65c451L, 0x50940002L, 0x133ae4ddL, 
+	0x71dff89eL, 0x10314e55L, 0x81ac77d6L, 0x5f11199bL, 
+	0x043556f1L, 0xd7a3c76bL, 0x3c11183bL, 0x5924a509L, 
+	0xf28fe6edL, 0x97f1fbfaL, 0x9ebabf2cL, 0x1e153c6eL, 
+	0x86e34570L, 0xeae96fb1L, 0x860e5e0aL, 0x5a3e2ab3L, 
+	0x771fe71cL, 0x4e3d06faL, 0x2965dcb9L, 0x99e71d0fL, 
+	0x803e89d6L, 0x5266c825L, 0x2e4cc978L, 0x9c10b36aL, 
+	0xc6150ebaL, 0x94e2ea78L, 0xa5fc3c53L, 0x1e0a2df4L, 
+	0xf2f74ea7L, 0x361d2b3dL, 0x1939260fL, 0x19c27960L, 
+	0x5223a708L, 0xf71312b6L, 0xebadfe6eL, 0xeac31f66L, 
+	0xe3bc4595L, 0xa67bc883L, 0xb17f37d1L, 0x018cff28L, 
+	0xc332ddefL, 0xbe6c5aa5L, 0x65582185L, 0x68ab9802L, 
+	0xeecea50fL, 0xdb2f953bL, 0x2aef7dadL, 0x5b6e2f84L, 
+	0x1521b628L, 0x29076170L, 0xecdd4775L, 0x619f1510L, 
+	0x13cca830L, 0xeb61bd96L, 0x0334fe1eL, 0xaa0363cfL, 
+	0xb5735c90L, 0x4c70a239L, 0xd59e9e0bL, 0xcbaade14L, 
+	0xeecc86bcL, 0x60622ca7L, 0x9cab5cabL, 0xb2f3846eL, 
+	0x648b1eafL, 0x19bdf0caL, 0xa02369b9L, 0x655abb50L, 
+	0x40685a32L, 0x3c2ab4b3L, 0x319ee9d5L, 0xc021b8f7L, 
+	0x9b540b19L, 0x875fa099L, 0x95f7997eL, 0x623d7da8L, 
+	0xf837889aL, 0x97e32d77L, 0x11ed935fL, 0x16681281L, 
+	0x0e358829L, 0xc7e61fd6L, 0x96dedfa1L, 0x7858ba99L, 
+	0x57f584a5L, 0x1b227263L, 0x9b83c3ffL, 0x1ac24696L, 
+	0xcdb30aebL, 0x532e3054L, 0x8fd948e4L, 0x6dbc3128L, 
+	0x58ebf2efL, 0x34c6ffeaL, 0xfe28ed61L, 0xee7c3c73L, 
+	0x5d4a14d9L, 0xe864b7e3L, 0x42105d14L, 0x203e13e0L, 
+	0x45eee2b6L, 0xa3aaabeaL, 0xdb6c4f15L, 0xfacb4fd0L, 
+	0xc742f442L, 0xef6abbb5L, 0x654f3b1dL, 0x41cd2105L, 
+	0xd81e799eL, 0x86854dc7L, 0xe44b476aL, 0x3d816250L, 
+	0xcf62a1f2L, 0x5b8d2646L, 0xfc8883a0L, 0xc1c7b6a3L, 
+	0x7f1524c3L, 0x69cb7492L, 0x47848a0bL, 0x5692b285L, 
+	0x095bbf00L, 0xad19489dL, 0x1462b174L, 0x23820e00L, 
+	0x58428d2aL, 0x0c55f5eaL, 0x1dadf43eL, 0x233f7061L, 
+	0x3372f092L, 0x8d937e41L, 0xd65fecf1L, 0x6c223bdbL, 
+	0x7cde3759L, 0xcbee7460L, 0x4085f2a7L, 0xce77326eL, 
+	0xa6078084L, 0x19f8509eL, 0xe8efd855L, 0x61d99735L, 
+	0xa969a7aaL, 0xc50c06c2L, 0x5a04abfcL, 0x800bcadcL, 
+	0x9e447a2eL, 0xc3453484L, 0xfdd56705L, 0x0e1e9ec9L, 
+	0xdb73dbd3L, 0x105588cdL, 0x675fda79L, 0xe3674340L, 
+	0xc5c43465L, 0x713e38d8L, 0x3d28f89eL, 0xf16dff20L, 
+	0x153e21e7L, 0x8fb03d4aL, 0xe6e39f2bL, 0xdb83adf7L, 
+	0xe93d5a68L, 0x948140f7L, 0xf64c261cL, 0x94692934L, 
+	0x411520f7L, 0x7602d4f7L, 0xbcf46b2eL, 0xd4a20068L, 
+	0xd4082471L, 0x3320f46aL, 0x43b7d4b7L, 0x500061afL, 
+	0x1e39f62eL, 0x97244546L, 0x14214f74L, 0xbf8b8840L, 
+	0x4d95fc1dL, 0x96b591afL, 0x70f4ddd3L, 0x66a02f45L, 
+	0xbfbc09ecL, 0x03bd9785L, 0x7fac6dd0L, 0x31cb8504L, 
+	0x96eb27b3L, 0x55fd3941L, 0xda2547e6L, 0xabca0a9aL, 
+	0x28507825L, 0x530429f4L, 0x0a2c86daL, 0xe9b66dfbL, 
+	0x68dc1462L, 0xd7486900L, 0x680ec0a4L, 0x27a18deeL, 
+	0x4f3ffea2L, 0xe887ad8cL, 0xb58ce006L, 0x7af4d6b6L, 
+	0xaace1e7cL, 0xd3375fecL, 0xce78a399L, 0x406b2a42L, 
+	0x20fe9e35L, 0xd9f385b9L, 0xee39d7abL, 0x3b124e8bL, 
+	0x1dc9faf7L, 0x4b6d1856L, 0x26a36631L, 0xeae397b2L, 
+	0x3a6efa74L, 0xdd5b4332L, 0x6841e7f7L, 0xca7820fbL, 
+	0xfb0af54eL, 0xd8feb397L, 0x454056acL, 0xba489527L, 
+	0x55533a3aL, 0x20838d87L, 0xfe6ba9b7L, 0xd096954bL, 
+	0x55a867bcL, 0xa1159a58L, 0xcca92963L, 0x99e1db33L, 
+	0xa62a4a56L, 0x3f3125f9L, 0x5ef47e1cL, 0x9029317cL, 
+	0xfdf8e802L, 0x04272f70L, 0x80bb155cL, 0x05282ce3L, 
+	0x95c11548L, 0xe4c66d22L, 0x48c1133fL, 0xc70f86dcL, 
+	0x07f9c9eeL, 0x41041f0fL, 0x404779a4L, 0x5d886e17L, 
+	0x325f51ebL, 0xd59bc0d1L, 0xf2bcc18fL, 0x41113564L, 
+	0x257b7834L, 0x602a9c60L, 0xdff8e8a3L, 0x1f636c1bL, 
+	0x0e12b4c2L, 0x02e1329eL, 0xaf664fd1L, 0xcad18115L, 
+	0x6b2395e0L, 0x333e92e1L, 0x3b240b62L, 0xeebeb922L, 
+	0x85b2a20eL, 0xe6ba0d99L, 0xde720c8cL, 0x2da2f728L, 
+	0xd0127845L, 0x95b794fdL, 0x647d0862L, 0xe7ccf5f0L, 
+	0x5449a36fL, 0x877d48faL, 0xc39dfd27L, 0xf33e8d1eL, 
+	0x0a476341L, 0x992eff74L, 0x3a6f6eabL, 0xf4f8fd37L, 
+	0xa812dc60L, 0xa1ebddf8L, 0x991be14cL, 0xdb6e6b0dL, 
+	0xc67b5510L, 0x6d672c37L, 0x2765d43bL, 0xdcd0e804L, 
+	0xf1290dc7L, 0xcc00ffa3L, 0xb5390f92L, 0x690fed0bL, 
+	0x667b9ffbL, 0xcedb7d9cL, 0xa091cf0bL, 0xd9155ea3L, 
+	0xbb132f88L, 0x515bad24L, 0x7b9479bfL, 0x763bd6ebL, 
+	0x37392eb3L, 0xcc115979L, 0x8026e297L, 0xf42e312dL, 
+	0x6842ada7L, 0xc66a2b3bL, 0x12754cccL, 0x782ef11cL, 
+	0x6a124237L, 0xb79251e7L, 0x06a1bbe6L, 0x4bfb6350L, 
+	0x1a6b1018L, 0x11caedfaL, 0x3d25bdd8L, 0xe2e1c3c9L, 
+	0x44421659L, 0x0a121386L, 0xd90cec6eL, 0xd5abea2aL, 
+	0x64af674eL, 0xda86a85fL, 0xbebfe988L, 0x64e4c3feL, 
+	0x9dbc8057L, 0xf0f7c086L, 0x60787bf8L, 0x6003604dL, 
+	0xd1fd8346L, 0xf6381fb0L, 0x7745ae04L, 0xd736fcccL, 
+	0x83426b33L, 0xf01eab71L, 0xb0804187L, 0x3c005e5fL, 
+	0x77a057beL, 0xbde8ae24L, 0x55464299L, 0xbf582e61L, 
+	0x4e58f48fL, 0xf2ddfda2L, 0xf474ef38L, 0x8789bdc2L, 
+	0x5366f9c3L, 0xc8b38e74L, 0xb475f255L, 0x46fcd9b9L, 
+	0x7aeb2661L, 0x8b1ddf84L, 0x846a0e79L, 0x915f95e2L, 
+	0x466e598eL, 0x20b45770L, 0x8cd55591L, 0xc902de4cL, 
+	0xb90bace1L, 0xbb8205d0L, 0x11a86248L, 0x7574a99eL, 
+	0xb77f19b6L, 0xe0a9dc09L, 0x662d09a1L, 0xc4324633L, 
+	0xe85a1f02L, 0x09f0be8cL, 0x4a99a025L, 0x1d6efe10L, 
+	0x1ab93d1dL, 0x0ba5a4dfL, 0xa186f20fL, 0x2868f169L, 
+	0xdcb7da83L, 0x573906feL, 0xa1e2ce9bL, 0x4fcd7f52L, 
+	0x50115e01L, 0xa70683faL, 0xa002b5c4L, 0x0de6d027L, 
+	0x9af88c27L, 0x773f8641L, 0xc3604c06L, 0x61a806b5L, 
+	0xf0177a28L, 0xc0f586e0L, 0x006058aaL, 0x30dc7d62L, 
+	0x11e69ed7L, 0x2338ea63L, 0x53c2dd94L, 0xc2c21634L, 
+	0xbbcbee56L, 0x90bcb6deL, 0xebfc7da1L, 0xce591d76L, 
+	0x6f05e409L, 0x4b7c0188L, 0x39720a3dL, 0x7c927c24L, 
+	0x86e3725fL, 0x724d9db9L, 0x1ac15bb4L, 0xd39eb8fcL, 
+	0xed545578L, 0x08fca5b5L, 0xd83d7cd3L, 0x4dad0fc4L, 
+	0x1e50ef5eL, 0xb161e6f8L, 0xa28514d9L, 0x6c51133cL, 
+	0x6fd5c7e7L, 0x56e14ec4L, 0x362abfceL, 0xddc6c837L, 
+	0xd79a3234L, 0x92638212L, 0x670efa8eL, 0x406000e0L, 
+	0x3a39ce37L, 0xd3faf5cfL, 0xabc27737L, 0x5ac52d1bL, 
+	0x5cb0679eL, 0x4fa33742L, 0xd3822740L, 0x99bc9bbeL, 
+	0xd5118e9dL, 0xbf0f7315L, 0xd62d1c7eL, 0xc700c47bL, 
+	0xb78c1b6bL, 0x21a19045L, 0xb26eb1beL, 0x6a366eb4L, 
+	0x5748ab2fL, 0xbc946e79L, 0xc6a376d2L, 0x6549c2c8L, 
+	0x530ff8eeL, 0x468dde7dL, 0xd5730a1dL, 0x4cd04dc6L, 
+	0x2939bbdbL, 0xa9ba4650L, 0xac9526e8L, 0xbe5ee304L, 
+	0xa1fad5f0L, 0x6a2d519aL, 0x63ef8ce2L, 0x9a86ee22L, 
+	0xc089c2b8L, 0x43242ef6L, 0xa51e03aaL, 0x9cf2d0a4L, 
+	0x83c061baL, 0x9be96a4dL, 0x8fe51550L, 0xba645bd6L, 
+	0x2826a2f9L, 0xa73a3ae1L, 0x4ba99586L, 0xef5562e9L, 
+	0xc72fefd3L, 0xf752f7daL, 0x3f046f69L, 0x77fa0a59L, 
+	0x80e4a915L, 0x87b08601L, 0x9b09e6adL, 0x3b3ee593L, 
+	0xe990fd5aL, 0x9e34d797L, 0x2cf0b7d9L, 0x022b8b51L, 
+	0x96d5ac3aL, 0x017da67dL, 0xd1cf3ed6L, 0x7c7d2d28L, 
+	0x1f9f25cfL, 0xadf2b89bL, 0x5ad6b472L, 0x5a88f54cL, 
+	0xe029ac71L, 0xe019a5e6L, 0x47b0acfdL, 0xed93fa9bL, 
+	0xe8d3c48dL, 0x283b57ccL, 0xf8d56629L, 0x79132e28L, 
+	0x785f0191L, 0xed756055L, 0xf7960e44L, 0xe3d35e8cL, 
+	0x15056dd4L, 0x88f46dbaL, 0x03a16125L, 0x0564f0bdL, 
+	0xc3eb9e15L, 0x3c9057a2L, 0x97271aecL, 0xa93a072aL, 
+	0x1b3f6d9bL, 0x1e6321f5L, 0xf59c66fbL, 0x26dcf319L, 
+	0x7533d928L, 0xb155fdf5L, 0x03563482L, 0x8aba3cbbL, 
+	0x28517711L, 0xc20ad9f8L, 0xabcc5167L, 0xccad925fL, 
+	0x4de81751L, 0x3830dc8eL, 0x379d5862L, 0x9320f991L, 
+	0xea7a90c2L, 0xfb3e7bceL, 0x5121ce64L, 0x774fbe32L, 
+	0xa8b6e37eL, 0xc3293d46L, 0x48de5369L, 0x6413e680L, 
+	0xa2ae0810L, 0xdd6db224L, 0x69852dfdL, 0x09072166L, 
+	0xb39a460aL, 0x6445c0ddL, 0x586cdecfL, 0x1c20c8aeL, 
+	0x5bbef7ddL, 0x1b588d40L, 0xccd2017fL, 0x6bb4e3bbL, 
+	0xdda26a7eL, 0x3a59ff45L, 0x3e350a44L, 0xbcb4cdd5L, 
+	0x72eacea8L, 0xfa6484bbL, 0x8d6612aeL, 0xbf3c6f47L, 
+	0xd29be463L, 0x542f5d9eL, 0xaec2771bL, 0xf64e6370L, 
+	0x740e0d8dL, 0xe75b1357L, 0xf8721671L, 0xaf537d5dL, 
+	0x4040cb08L, 0x4eb4e2ccL, 0x34d2466aL, 0x0115af84L, 
+	0xe1b00428L, 0x95983a1dL, 0x06b89fb4L, 0xce6ea048L, 
+	0x6f3f3b82L, 0x3520ab82L, 0x011a1d4bL, 0x277227f8L, 
+	0x611560b1L, 0xe7933fdcL, 0xbb3a792bL, 0x344525bdL, 
+	0xa08839e1L, 0x51ce794bL, 0x2f32c9b7L, 0xa01fbac9L, 
+	0xe01cc87eL, 0xbcc7d1f6L, 0xcf0111c3L, 0xa1e8aac7L, 
+	0x1a908749L, 0xd44fbd9aL, 0xd0dadecbL, 0xd50ada38L, 
+	0x0339c32aL, 0xc6913667L, 0x8df9317cL, 0xe0b12b4fL, 
+	0xf79e59b7L, 0x43f5bb3aL, 0xf2d519ffL, 0x27d9459cL, 
+	0xbf97222cL, 0x15e6fc2aL, 0x0f91fc71L, 0x9b941525L, 
+	0xfae59361L, 0xceb69cebL, 0xc2a86459L, 0x12baa8d1L, 
+	0xb6c1075eL, 0xe3056a0cL, 0x10d25065L, 0xcb03a442L, 
+	0xe0ec6e0eL, 0x1698db3bL, 0x4c98a0beL, 0x3278e964L, 
+	0x9f1f9532L, 0xe0d392dfL, 0xd3a0342bL, 0x8971f21eL, 
+	0x1b0a7441L, 0x4ba3348cL, 0xc5be7120L, 0xc37632d8L, 
+	0xdf359f8dL, 0x9b992f2eL, 0xe60b6f47L, 0x0fe3f11dL, 
+	0xe54cda54L, 0x1edad891L, 0xce6279cfL, 0xcd3e7e6fL, 
+	0x1618b166L, 0xfd2c1d05L, 0x848fd2c5L, 0xf6fb2299L, 
+	0xf523f357L, 0xa6327623L, 0x93a83531L, 0x56cccd02L, 
+	0xacf08162L, 0x5a75ebb5L, 0x6e163697L, 0x88d273ccL, 
+	0xde966292L, 0x81b949d0L, 0x4c50901bL, 0x71c65614L, 
+	0xe6c6c7bdL, 0x327a140aL, 0x45e1d006L, 0xc3f27b9aL, 
+	0xc9aa53fdL, 0x62a80f00L, 0xbb25bfe2L, 0x35bdd2f6L, 
+	0x71126905L, 0xb2040222L, 0xb6cbcf7cL, 0xcd769c2bL, 
+	0x53113ec0L, 0x1640e3d3L, 0x38abbd60L, 0x2547adf0L, 
+	0xba38209cL, 0xf746ce76L, 0x77afa1c5L, 0x20756060L, 
+	0x85cbfe4eL, 0x8ae88dd8L, 0x7aaaf9b0L, 0x4cf9aa7eL, 
+	0x1948c25cL, 0x02fb8a8cL, 0x01c36ae4L, 0xd6ebe1f9L, 
+	0x90d4f869L, 0xa65cdea0L, 0x3f09252dL, 0xc208e69fL, 
+	0xb74e6132L, 0xce77e25bL, 0x578fdfe3L, 0x3ac372e6L, 
+	}
+	};
+
diff --git a/src/libstrongswan/plugins/blowfish/bf_skey.c b/src/libstrongswan/plugins/blowfish/bf_skey.c
new file mode 100644
index 000000000..8cdbbd283
--- /dev/null
+++ b/src/libstrongswan/plugins/blowfish/bf_skey.c
@@ -0,0 +1,122 @@
+/* crypto/bf/bf_skey.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifdef __KERNEL__
+#include <linux/types.h>
+#include <linux/string.h>
+#else
+#include <stdio.h>
+#include <string.h>
+#endif
+
+#include "blowfish.h"
+#include "bf_locl.h"
+#include "bf_pi.h"
+
+void BF_set_key(BF_KEY *key, int len, const unsigned char *data)
+	{
+	int i;
+	BF_LONG *p,ri,in[2];
+	const unsigned char *d,*end;
+
+
+	memcpy((char *)key,(const char *)&bf_init,sizeof(BF_KEY));
+	p=key->P;
+
+	if (len > ((BF_ROUNDS+2)*4)) len=(BF_ROUNDS+2)*4;
+
+	d=data;
+	end= &(data[len]);
+	for (i=0; i<(BF_ROUNDS+2); i++)
+		{
+		ri= *(d++);
+		if (d >= end) d=data;
+
+		ri<<=8;
+		ri|= *(d++);
+		if (d >= end) d=data;
+
+		ri<<=8;
+		ri|= *(d++);
+		if (d >= end) d=data;
+
+		ri<<=8;
+		ri|= *(d++);
+		if (d >= end) d=data;
+
+		p[i]^=ri;
+		}
+
+	in[0]=0L;
+	in[1]=0L;
+	for (i=0; i<(BF_ROUNDS+2); i+=2)
+		{
+		BF_encrypt(in,key);
+		p[i  ]=in[0];
+		p[i+1]=in[1];
+		}
+
+	p=key->S;
+	for (i=0; i<4*256; i+=2)
+		{
+		BF_encrypt(in,key);
+		p[i  ]=in[0];
+		p[i+1]=in[1];
+		}
+	}
+
diff --git a/src/libstrongswan/plugins/blowfish/blowfish.h b/src/libstrongswan/plugins/blowfish/blowfish.h
new file mode 100644
index 000000000..ccb97e272
--- /dev/null
+++ b/src/libstrongswan/plugins/blowfish/blowfish.h
@@ -0,0 +1,133 @@
+/* crypto/bf/blowfish.h */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef HEADER_BLOWFISH_H
+#define HEADER_BLOWFISH_H
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+#ifdef NO_BF
+#error BF is disabled.
+#endif
+
+#define BF_ENCRYPT	1
+#define BF_DECRYPT	0
+
+/*
+ * !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+ * ! BF_LONG has to be at least 32 bits wide. If it's wider, then !
+ * ! BF_LONG_LOG2 has to be defined along.                        !
+ * !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+ */
+
+#if defined(WIN16) || defined(__LP32__)
+#define BF_LONG unsigned long
+#elif defined(_CRAY) || defined(__ILP64__)
+#define BF_LONG unsigned long
+#define BF_LONG_LOG2 3
+#endif
+/*
+ * _CRAY note. I could declare short, but I have no idea what impact
+ * does it have on performance on none-T3E machines. I could declare
+ * int, but at least on C90 sizeof(int) can be chosen at compile time.
+ * So I've chosen long...
+ *					<appro@fy.chalmers.se>
+ */
+	
+/* des.h-like hack <jjo-ipsec@mendoza.gov.ar> */
+#ifndef BF_LONG
+#ifdef __KERNEL__
+#include <linux/types.h>
+#else
+#include <sys/types.h>
+#endif
+#define BF_LONG u_int32_t
+#endif
+
+#define BF_ROUNDS	16
+#define BF_BLOCK	8
+
+typedef struct bf_key_st
+	{
+	BF_LONG P[BF_ROUNDS+2];
+	BF_LONG S[4*256];
+	} BF_KEY;
+
+ 
+void BF_set_key(BF_KEY *key, int len, const unsigned char *data);
+
+void BF_encrypt(BF_LONG *data,const BF_KEY *key);
+void BF_decrypt(BF_LONG *data,const BF_KEY *key);
+
+void BF_ecb_encrypt(const unsigned char *in, unsigned char *out,
+	const BF_KEY *key, int enc);
+void BF_cbc_encrypt(const unsigned char *in, unsigned char *out, long length,
+	const BF_KEY *schedule, unsigned char *ivec, int enc);
+void BF_cfb64_encrypt(const unsigned char *in, unsigned char *out, long length,
+	const BF_KEY *schedule, unsigned char *ivec, int *num, int enc);
+void BF_ofb64_encrypt(const unsigned char *in, unsigned char *out, long length,
+	const BF_KEY *schedule, unsigned char *ivec, int *num);
+const char *BF_options(void);
+
+#ifdef  __cplusplus
+}
+#endif
+
+#endif
diff --git a/src/libstrongswan/plugins/blowfish/blowfish_crypter.c b/src/libstrongswan/plugins/blowfish/blowfish_crypter.c
new file mode 100644
index 000000000..5064bfef6
--- /dev/null
+++ b/src/libstrongswan/plugins/blowfish/blowfish_crypter.c
@@ -0,0 +1,197 @@
+/*
+ * Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include "blowfish.h"
+
+/* Blowfish as implemented from 'Blowfish: Springer-Verlag paper'
+ * (From LECTURE NOTES IN COMPUTER SCIENCE 809, FAST SOFTWARE ENCRYPTION,
+ * CAMBRIDGE SECURITY WORKSHOP, CAMBRIDGE, U.K., DECEMBER 9-11, 1993)
+ */
+ 
+#include "blowfish_crypter.h"
+
+typedef struct private_blowfish_crypter_t private_blowfish_crypter_t;
+
+/**
+ * Class implementing the Blowfish symmetric encryption algorithm.
+ * 
+ * @ingroup crypters
+ */
+struct private_blowfish_crypter_t {
+	
+	/**
+	 * Public part of this class.
+	 */
+	blowfish_crypter_t public;
+	
+	/**
+	 * Blowfish key schedule
+	 */
+	BF_KEY schedule;
+
+	/**
+	* Key size of this Blowfish cipher object.
+	*/
+	u_int32_t key_size;
+};
+
+/**
+ * Implementation of crypter_t.decrypt.
+ */
+static void decrypt(private_blowfish_crypter_t *this, chunk_t data, chunk_t iv,
+					chunk_t *decrypted)
+{
+	u_int8_t *in, *out;
+	
+	if (decrypted)
+	{
+		*decrypted = chunk_alloc(data.len);
+		out = decrypted->ptr;
+	}
+	else
+	{
+		out = data.ptr;
+	}
+	in = data.ptr;
+	iv = chunk_clone(iv);
+
+	BF_cbc_encrypt(in, out, data.len, &this->schedule, iv.ptr, 0);
+
+	free(iv.ptr);
+}
+
+/**
+ * Implementation of crypter_t.decrypt.
+ */
+static void encrypt (private_blowfish_crypter_t *this, chunk_t data, chunk_t iv,
+					 chunk_t *encrypted)
+{
+	u_int8_t *in, *out;
+	
+	if (encrypted)
+	{
+		*encrypted = chunk_alloc(data.len);
+		out = encrypted->ptr;
+	}
+	else
+	{
+		out = data.ptr;
+	}
+	in = data.ptr;
+	iv = chunk_clone(iv);
+
+	BF_cbc_encrypt(in, out, data.len, &this->schedule, iv.ptr, 1);
+
+	free(iv.ptr);
+}
+
+/**
+ * Implementation of crypter_t.get_block_size.
+ */
+static size_t get_block_size (private_blowfish_crypter_t *this)
+{
+	return BLOWFISH_BLOCK_SIZE;
+}
+
+/**
+ * Implementation of crypter_t.get_key_size.
+ */
+static size_t get_key_size (private_blowfish_crypter_t *this)
+{
+	return this->key_size;
+}
+
+/**
+ * Implementation of crypter_t.set_key.
+ */
+static void set_key (private_blowfish_crypter_t *this, chunk_t key)
+{
+	BF_set_key(&this->schedule, key.len , key.ptr);
+}
+
+/**
+ * Implementation of crypter_t.destroy and blowfish_crypter_t.destroy.
+ */
+static void destroy (private_blowfish_crypter_t *this)
+{
+	free(this);
+}
+
+/*
+ * Described in header
+ */
+blowfish_crypter_t *blowfish_crypter_create(encryption_algorithm_t algo, size_t key_size)
+{
+	private_blowfish_crypter_t *this;
+	
+	if (algo != ENCR_BLOWFISH)
+	{
+		return NULL;
+	}
+	
+	this = malloc_thing(private_blowfish_crypter_t);
+	
+	this->key_size = key_size;
+	this->public.crypter_interface.encrypt = (void (*) (crypter_t *, chunk_t,chunk_t, chunk_t *)) encrypt;
+	this->public.crypter_interface.decrypt = (void (*) (crypter_t *, chunk_t , chunk_t, chunk_t *)) decrypt;
+	this->public.crypter_interface.get_block_size = (size_t (*) (crypter_t *)) get_block_size;
+	this->public.crypter_interface.get_key_size = (size_t (*) (crypter_t *)) get_key_size;
+	this->public.crypter_interface.set_key = (void (*) (crypter_t *,chunk_t)) set_key;
+	this->public.crypter_interface.destroy = (void (*) (crypter_t *)) destroy;
+	
+	return &(this->public);
+}
diff --git a/src/libstrongswan/plugins/blowfish/blowfish_crypter.h b/src/libstrongswan/plugins/blowfish/blowfish_crypter.h
new file mode 100644
index 000000000..2bb896e64
--- /dev/null
+++ b/src/libstrongswan/plugins/blowfish/blowfish_crypter.h
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) 2005-2008 Martin Willi
+ * Copyright (C) 2009 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup blowfish_crypter blowfish_crypter
+ * @{ @ingroup blowfish_p
+ */
+
+#ifndef BLOWFISH_CRYPTER_H_
+#define BLOWFISH_CRYPTER_H_
+
+typedef struct blowfish_crypter_t blowfish_crypter_t;
+
+#include <crypto/crypters/crypter.h>
+
+/**
+ * Class implementing the Blowfish encryption algorithm.
+ */
+struct blowfish_crypter_t {
+	
+	/**
+	 * The crypter_t interface.
+	 */
+	crypter_t crypter_interface;
+};
+
+/**
+ * Constructor to create blowfish_crypter_t objects.
+ * 
+ * @param key_size		key size in bytes
+ * @param algo			algorithm to implement
+ * @return				blowfish_crypter_t object, NULL if not supported
+ */
+blowfish_crypter_t *blowfish_crypter_create(encryption_algorithm_t algo,
+								  size_t key_size);
+
+#endif /** BLOWFISH_CRYPTER_H_ @}*/
diff --git a/src/libstrongswan/plugins/blowfish/blowfish_plugin.c b/src/libstrongswan/plugins/blowfish/blowfish_plugin.c
new file mode 100644
index 000000000..6e2f6d4fa
--- /dev/null
+++ b/src/libstrongswan/plugins/blowfish/blowfish_plugin.c
@@ -0,0 +1,59 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Copyright (C) 2009 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "blowfish_plugin.h"
+
+#include <library.h>
+#include "blowfish_crypter.h"
+
+typedef struct private_blowfish_plugin_t private_blowfish_plugin_t;
+
+/**
+ * private data of blowfish_plugin
+ */
+struct private_blowfish_plugin_t {
+
+	/**
+	 * public functions
+	 */
+	blowfish_plugin_t public;
+};
+
+/**
+ * Implementation of blowfish_plugin_t.destroy
+ */
+static void destroy(private_blowfish_plugin_t *this)
+{
+	lib->crypto->remove_crypter(lib->crypto,
+								(crypter_constructor_t)blowfish_crypter_create);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *plugin_create()
+{
+	private_blowfish_plugin_t *this = malloc_thing(private_blowfish_plugin_t);
+	
+	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+	
+	lib->crypto->add_crypter(lib->crypto, ENCR_BLOWFISH,
+							 (crypter_constructor_t)blowfish_crypter_create);
+	
+	return &this->public.plugin;
+}
+
diff --git a/src/libstrongswan/plugins/blowfish/blowfish_plugin.h b/src/libstrongswan/plugins/blowfish/blowfish_plugin.h
new file mode 100644
index 000000000..596a7c791
--- /dev/null
+++ b/src/libstrongswan/plugins/blowfish/blowfish_plugin.h
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Copyright (C) 2009 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup blowfish_p blowfish
+ * @ingroup plugins
+ *
+ * @defgroup blowfish_plugin blowfish_plugin
+ * @{ @ingroup blowfish_p
+ */
+
+#ifndef BLOWFISH_PLUGIN_H_
+#define BLOWFISH_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct blowfish_plugin_t blowfish_plugin_t;
+
+/**
+ * Plugin implementing Blowfish based algorithms in software.
+ */
+struct blowfish_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+/**
+ * Create a blowfish_plugin instance.
+ */
+plugin_t *plugin_create();
+
+#endif /** BLOWFISH_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/curl/Makefile.in b/src/libstrongswan/plugins/curl/Makefile.in
index cd916ccbe..b413e035e 100644
--- a/src/libstrongswan/plugins/curl/Makefile.in
+++ b/src/libstrongswan/plugins/curl/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -87,6 +87,7 @@ CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -109,6 +110,9 @@ LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -120,6 +124,7 @@ MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
 NM = @NM@
 NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
@@ -133,6 +138,8 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 RANLIB = @RANLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -193,6 +200,7 @@ oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
 plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -204,6 +212,7 @@ srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 xml_CFLAGS = @xml_CFLAGS@
@@ -222,8 +231,8 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
 	    *$$dep*) \
-	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
-		&& exit 0; \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
 	      exit 1;; \
 	  esac; \
 	done; \
@@ -318,7 +327,7 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
 	mkid -fID $$unique
 tags: TAGS
diff --git a/src/libstrongswan/plugins/curl/curl_fetcher.c b/src/libstrongswan/plugins/curl/curl_fetcher.c
index cd54c76a3..7ee9fa1bd 100644
--- a/src/libstrongswan/plugins/curl/curl_fetcher.c
+++ b/src/libstrongswan/plugins/curl/curl_fetcher.c
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: curl_fetcher.c 4632 2008-11-11 18:37:19Z martin $
  */
 
 #include <curl/curl.h>
@@ -35,16 +33,16 @@ struct private_curl_fetcher_t {
 	 * Public data
 	 */
 	curl_fetcher_t public;
-
+	
 	/**
 	 * CURL handle
 	 */
 	CURL* curl;
 	
 	/**
-	 * request type, as set with FETCH_REQUEST_TYPE
+     * Optional HTTP headers
 	 */
-	char *request_type;
+	struct curl_slist *headers;
 };
 
 /**
@@ -52,15 +50,15 @@ struct private_curl_fetcher_t {
  */
 static size_t append(void *ptr, size_t size, size_t nmemb, chunk_t *data)
 {
-    size_t realsize = size * nmemb;
-
-    data->ptr = (u_char*)realloc(data->ptr, data->len + realsize);
-    if (data->ptr)
-    {
+	size_t realsize = size * nmemb;
+	
+	data->ptr = (u_char*)realloc(data->ptr, data->len + realsize);
+	if (data->ptr)
+	{
 		memcpy(&data->ptr[data->len], ptr, realsize);
 		data->len += realsize;
-    }
-    return realsize;
+	}
+	return realsize;
 }
 
 /**
@@ -68,9 +66,7 @@ static size_t append(void *ptr, size_t size, size_t nmemb, chunk_t *data)
  */
 static status_t fetch(private_curl_fetcher_t *this, char *uri, chunk_t *result)
 {
-	struct curl_slist *headers = NULL;
 	char error[CURL_ERROR_SIZE];
-	char buf[256];;
 	status_t status;
 	
 	*result = chunk_empty;
@@ -85,14 +81,12 @@ static status_t fetch(private_curl_fetcher_t *this, char *uri, chunk_t *result)
 	curl_easy_setopt(this->curl, CURLOPT_CONNECTTIMEOUT, DEFAULT_TIMEOUT);
 	curl_easy_setopt(this->curl, CURLOPT_WRITEFUNCTION, (void*)append);
 	curl_easy_setopt(this->curl, CURLOPT_WRITEDATA, (void*)result);
-	if (this->request_type)
+	if (this->headers)
 	{
-		snprintf(buf, sizeof(buf), "Content-Type: %s", this->request_type);
-		headers = curl_slist_append(headers, buf);
-		curl_easy_setopt(this->curl, CURLOPT_HTTPHEADER, headers);
+		curl_easy_setopt(this->curl, CURLOPT_HTTPHEADER, this->headers);
 	}
-
-	DBG2("sending http request to '%s'...", uri);
+	
+	DBG2("  sending http request to '%s'...", uri);
 	switch (curl_easy_perform(this->curl))
 	{
 		case CURLE_UNSUPPORTED_PROTOCOL:
@@ -102,11 +96,10 @@ static status_t fetch(private_curl_fetcher_t *this, char *uri, chunk_t *result)
 			status = SUCCESS;
 			break;
 		default:
-    		DBG1("libcurl http request failed: %s", error);
+			DBG1("libcurl http request failed: %s", error);
 			status = FAILED;
 			break;
 	}
-	curl_slist_free_all(headers);
 	return status;
 }
 
@@ -123,13 +116,31 @@ static bool set_option(private_curl_fetcher_t *this, fetcher_option_t option, ..
 		case FETCH_REQUEST_DATA:
 		{
 			chunk_t data = va_arg(args, chunk_t);
+
 			curl_easy_setopt(this->curl, CURLOPT_POSTFIELDS, (char*)data.ptr);
 			curl_easy_setopt(this->curl, CURLOPT_POSTFIELDSIZE, data.len);
 			return TRUE;
 		}
 		case FETCH_REQUEST_TYPE:
 		{
-			this->request_type = va_arg(args, char*);
+			char header[BUF_LEN];
+			char *request_type = va_arg(args, char*);
+
+			snprintf(header, BUF_LEN, "Content-Type: %s", request_type);
+			this->headers = curl_slist_append(this->headers, header);
+			return TRUE;
+		}
+		case FETCH_REQUEST_HEADER:
+		{
+			char *header = va_arg(args, char*);
+
+			this->headers = curl_slist_append(this->headers, header);
+			return TRUE;
+		}
+		case FETCH_HTTP_VERSION_1_0:
+		{
+			curl_easy_setopt(this->curl, CURLOPT_HTTP_VERSION,
+							 CURL_HTTP_VERSION_1_0);
 			return TRUE;
 		}
 		case FETCH_TIMEOUT:
@@ -148,6 +159,7 @@ static bool set_option(private_curl_fetcher_t *this, fetcher_option_t option, ..
  */
 static void destroy(private_curl_fetcher_t *this)
 {
+	curl_slist_free_all(this->headers);
 	curl_easy_cleanup(this->curl);
 	free(this);
 }
@@ -158,19 +170,19 @@ static void destroy(private_curl_fetcher_t *this)
 curl_fetcher_t *curl_fetcher_create()
 {
 	private_curl_fetcher_t *this = malloc_thing(private_curl_fetcher_t);
-
+	
 	this->curl = curl_easy_init();
 	if (this->curl == NULL)
 	{
 		free(this);
 		return NULL;
 	}
-	this->request_type = NULL;
-
+	this->headers = NULL;
+	
 	this->public.interface.fetch = (status_t(*)(fetcher_t*,char*,chunk_t*))fetch;
 	this->public.interface.set_option = (bool(*)(fetcher_t*, fetcher_option_t option, ...))set_option;
 	this->public.interface.destroy = (void (*)(fetcher_t*))destroy;
-
+	
 	return &this->public;
 }
 
diff --git a/src/libstrongswan/plugins/curl/curl_plugin.c b/src/libstrongswan/plugins/curl/curl_plugin.c
index a41c3815c..97fa07866 100644
--- a/src/libstrongswan/plugins/curl/curl_plugin.c
+++ b/src/libstrongswan/plugins/curl/curl_plugin.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: curl_plugin.c 3529 2008-03-05 15:26:24Z martin $
  */
 
 #include "curl_plugin.h"
diff --git a/src/libstrongswan/plugins/des/Makefile.in b/src/libstrongswan/plugins/des/Makefile.in
index 415c126af..bbca6a032 100644
--- a/src/libstrongswan/plugins/des/Makefile.in
+++ b/src/libstrongswan/plugins/des/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -87,6 +87,7 @@ CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -109,6 +110,9 @@ LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -120,6 +124,7 @@ MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
 NM = @NM@
 NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
@@ -133,6 +138,8 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 RANLIB = @RANLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -193,6 +200,7 @@ oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
 plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -204,6 +212,7 @@ srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 xml_CFLAGS = @xml_CFLAGS@
@@ -221,8 +230,8 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
 	    *$$dep*) \
-	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
-		&& exit 0; \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
 	      exit 1;; \
 	  esac; \
 	done; \
@@ -317,7 +326,7 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
 	mkid -fID $$unique
 tags: TAGS
diff --git a/src/libstrongswan/plugins/des/des_crypter.c b/src/libstrongswan/plugins/des/des_crypter.c
index b0b18a2c1..680fe8b6a 100644
--- a/src/libstrongswan/plugins/des/des_crypter.c
+++ b/src/libstrongswan/plugins/des/des_crypter.c
@@ -56,13 +56,11 @@
  * derivative of this code cannot be changed.  i.e. this code cannot simply be
  * copied and put under another distribution licence
  * [including the GNU Public Licence.]
- *
- * $Id: des_crypter.c 4938 2009-03-12 18:38:13Z tobias $
  */
 
 #include "des_crypter.h"
 
-typedef u_char des_cblock[8];
+typedef u_char des_cblock[DES_BLOCK_SIZE];
 
 typedef struct des_ks_struct {
 	des_cblock _;
diff --git a/src/libstrongswan/plugins/des/des_plugin.c b/src/libstrongswan/plugins/des/des_plugin.c
index a0d8ce07b..e16b475d4 100644
--- a/src/libstrongswan/plugins/des/des_plugin.c
+++ b/src/libstrongswan/plugins/des/des_plugin.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: des_plugin.c 4887 2009-02-19 14:29:25Z tobias $
  */
 
 #include "des_plugin.h"
diff --git a/src/libstrongswan/plugins/fips_prf/Makefile.in b/src/libstrongswan/plugins/fips_prf/Makefile.in
index 1e53f435f..881d7a36e 100644
--- a/src/libstrongswan/plugins/fips_prf/Makefile.in
+++ b/src/libstrongswan/plugins/fips_prf/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -89,6 +89,7 @@ CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -111,6 +112,9 @@ LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -122,6 +126,7 @@ MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
 NM = @NM@
 NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
@@ -135,6 +140,8 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 RANLIB = @RANLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -195,6 +202,7 @@ oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
 plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -206,6 +214,7 @@ srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 xml_CFLAGS = @xml_CFLAGS@
@@ -223,8 +232,8 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
 	    *$$dep*) \
-	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
-		&& exit 0; \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
 	      exit 1;; \
 	  esac; \
 	done; \
@@ -319,7 +328,7 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
 	mkid -fID $$unique
 tags: TAGS
diff --git a/src/libstrongswan/plugins/fips_prf/fips_prf.c b/src/libstrongswan/plugins/fips_prf/fips_prf.c
index df3d130a9..be28f10bc 100644
--- a/src/libstrongswan/plugins/fips_prf/fips_prf.c
+++ b/src/libstrongswan/plugins/fips_prf/fips_prf.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: fips_prf.c 3619 2008-03-19 14:02:52Z martin $
  */
 
 #include "fips_prf.h"
diff --git a/src/libstrongswan/plugins/fips_prf/fips_prf_plugin.c b/src/libstrongswan/plugins/fips_prf/fips_prf_plugin.c
index 60fce8632..7576e79ad 100644
--- a/src/libstrongswan/plugins/fips_prf/fips_prf_plugin.c
+++ b/src/libstrongswan/plugins/fips_prf/fips_prf_plugin.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: fips_prf_plugin.c 3488 2008-02-21 15:10:02Z martin $
  */
 
 #include "fips_prf_plugin.h"
diff --git a/src/libstrongswan/plugins/gcrypt/Makefile.am b/src/libstrongswan/plugins/gcrypt/Makefile.am
new file mode 100644
index 000000000..72cc409fc
--- /dev/null
+++ b/src/libstrongswan/plugins/gcrypt/Makefile.am
@@ -0,0 +1,17 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = -rdynamic $(LIBGCRYPT_CFLAGS)
+
+plugin_LTLIBRARIES = libstrongswan-gcrypt.la
+
+libstrongswan_gcrypt_la_SOURCES = gcrypt_plugin.h gcrypt_plugin.c \
+	gcrypt_rsa_public_key.h gcrypt_rsa_public_key.c \
+	gcrypt_rsa_private_key.h gcrypt_rsa_private_key.c \
+	gcrypt_dh.h gcrypt_dh.c \
+	gcrypt_rng.h gcrypt_rng.c \
+	gcrypt_crypter.h gcrypt_crypter.c \
+	gcrypt_hasher.h gcrypt_hasher.c
+
+libstrongswan_gcrypt_la_LDFLAGS = -module
+libstrongswan_gcrypt_la_LIBADD  = $(LIBGCRYPT_LIBS)
diff --git a/src/libstrongswan/plugins/gcrypt/Makefile.in b/src/libstrongswan/plugins/gcrypt/Makefile.in
new file mode 100644
index 000000000..49994c593
--- /dev/null
+++ b/src/libstrongswan/plugins/gcrypt/Makefile.in
@@ -0,0 +1,522 @@
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libstrongswan/plugins/gcrypt
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__installdirs = "$(DESTDIR)$(plugindir)"
+pluginLTLIBRARIES_INSTALL = $(INSTALL)
+LTLIBRARIES = $(plugin_LTLIBRARIES)
+am__DEPENDENCIES_1 =
+libstrongswan_gcrypt_la_DEPENDENCIES = $(am__DEPENDENCIES_1)
+am_libstrongswan_gcrypt_la_OBJECTS = gcrypt_plugin.lo \
+	gcrypt_rsa_public_key.lo gcrypt_rsa_private_key.lo \
+	gcrypt_dh.lo gcrypt_rng.lo gcrypt_crypter.lo gcrypt_hasher.lo
+libstrongswan_gcrypt_la_OBJECTS =  \
+	$(am_libstrongswan_gcrypt_la_OBJECTS)
+libstrongswan_gcrypt_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_gcrypt_la_LDFLAGS) $(LDFLAGS) -o $@
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_gcrypt_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_gcrypt_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
+IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LINUX_HEADERS = @LINUX_HEADERS@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+RANLIB = @RANLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+confdir = @confdir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libstrongswan_plugins = @libstrongswan_plugins@
+linuxdir = @linuxdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+resolv_conf = @resolv_conf@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+simreader = @simreader@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+AM_CFLAGS = -rdynamic $(LIBGCRYPT_CFLAGS)
+plugin_LTLIBRARIES = libstrongswan-gcrypt.la
+libstrongswan_gcrypt_la_SOURCES = gcrypt_plugin.h gcrypt_plugin.c \
+	gcrypt_rsa_public_key.h gcrypt_rsa_public_key.c \
+	gcrypt_rsa_private_key.h gcrypt_rsa_private_key.c \
+	gcrypt_dh.h gcrypt_dh.c \
+	gcrypt_rng.h gcrypt_rng.c \
+	gcrypt_crypter.h gcrypt_crypter.c \
+	gcrypt_hasher.h gcrypt_hasher.c
+
+libstrongswan_gcrypt_la_LDFLAGS = -module
+libstrongswan_gcrypt_la_LIBADD = $(LIBGCRYPT_LIBS)
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/libstrongswan/plugins/gcrypt/Makefile'; \
+	cd $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu  src/libstrongswan/plugins/gcrypt/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    f=$(am__strip_dir) \
+	    echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(plugindir)/$$f'"; \
+	    $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(plugindir)/$$f"; \
+	  else :; fi; \
+	done
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  p=$(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$p'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$p"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-gcrypt.la: $(libstrongswan_gcrypt_la_OBJECTS) $(libstrongswan_gcrypt_la_DEPENDENCIES) 
+	$(libstrongswan_gcrypt_la_LINK) -rpath $(plugindir) $(libstrongswan_gcrypt_la_OBJECTS) $(libstrongswan_gcrypt_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/gcrypt_crypter.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/gcrypt_dh.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/gcrypt_hasher.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/gcrypt_plugin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/gcrypt_rng.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/gcrypt_rsa_private_key.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/gcrypt_rsa_public_key.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	    $$tags $$unique; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$tags $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) $$here
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	    fi; \
+	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
+	mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-info: install-info-am
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
+	distclean-compile distclean-generic distclean-libtool \
+	distclean-tags distdir dvi dvi-am html html-am info info-am \
+	install install-am install-data install-data-am install-dvi \
+	install-dvi-am install-exec install-exec-am install-html \
+	install-html-am install-info install-info-am install-man \
+	install-pdf install-pdf-am install-pluginLTLIBRARIES \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_crypter.c b/src/libstrongswan/plugins/gcrypt/gcrypt_crypter.c
new file mode 100644
index 000000000..f82d23185
--- /dev/null
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_crypter.c
@@ -0,0 +1,252 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil 
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "gcrypt_crypter.h"
+
+#include <gcrypt.h>
+
+#include <debug.h>
+
+typedef struct private_gcrypt_crypter_t private_gcrypt_crypter_t;
+
+/**
+ * Private data of gcrypt_crypter_t
+ */
+struct private_gcrypt_crypter_t {
+	
+	/**
+	 * Public part of this class.
+	 */
+	gcrypt_crypter_t public;
+	
+	/**
+	 * gcrypt cipher handle
+	 */
+	gcry_cipher_hd_t h;
+	
+	/**
+	 * gcrypt algorithm identifier
+	 */
+	int alg;
+};
+
+/**
+ * Implementation of crypter_t.decrypt.
+ */
+static void decrypt(private_gcrypt_crypter_t *this, chunk_t data,
+					chunk_t iv, chunk_t *dst)
+{
+	gcry_cipher_setiv(this->h, iv.ptr, iv.len);
+	
+	if (dst)
+	{
+		*dst = chunk_alloc(data.len);
+		gcry_cipher_decrypt(this->h, dst->ptr, dst->len, data.ptr, data.len);
+	}
+	else
+	{
+		gcry_cipher_decrypt(this->h, data.ptr, data.len, NULL, 0);
+	}
+}
+
+/**
+ * Implementation of crypter_t.encrypt.
+ */
+static void encrypt(private_gcrypt_crypter_t *this, chunk_t data,
+					chunk_t iv, chunk_t *dst)
+{
+	gcry_cipher_setiv(this->h, iv.ptr, iv.len);
+	
+	if (dst)
+	{
+		*dst = chunk_alloc(data.len);
+		gcry_cipher_encrypt(this->h, dst->ptr, dst->len, data.ptr, data.len);
+	}
+	else
+	{
+		gcry_cipher_encrypt(this->h, data.ptr, data.len, NULL, 0);
+	}
+}
+
+/**
+ * Implementation of crypter_t.get_block_size.
+ */
+static size_t get_block_size(private_gcrypt_crypter_t *this)
+{
+	size_t len = 0;
+	
+	gcry_cipher_algo_info(this->alg, GCRYCTL_GET_BLKLEN, NULL, &len);
+	return len;
+}
+
+/**
+ * Implementation of crypter_t.get_key_size.
+ */
+static size_t get_key_size(private_gcrypt_crypter_t *this)
+{
+	size_t len = 0;
+	
+	gcry_cipher_algo_info(this->alg, GCRYCTL_GET_KEYLEN, NULL, &len);
+	return len;
+}
+
+/**
+ * Implementation of crypter_t.set_key.
+ */
+static void set_key(private_gcrypt_crypter_t *this, chunk_t key)
+{
+	gcry_cipher_setkey(this->h, key.ptr, key.len);
+}
+
+/**
+ * Implementation of crypter_t.destroy.
+ */
+static void destroy (private_gcrypt_crypter_t *this)
+{
+	gcry_cipher_close(this->h);
+	free(this);
+}
+
+/*
+ * Described in header
+ */
+gcrypt_crypter_t *gcrypt_crypter_create(encryption_algorithm_t algo,
+										size_t key_size)
+{
+	private_gcrypt_crypter_t *this;
+	int gcrypt_alg;
+	int mode = GCRY_CIPHER_MODE_CBC;
+	gcry_error_t err;
+	
+	switch (algo)
+	{
+		case ENCR_DES:
+			gcrypt_alg = GCRY_CIPHER_DES;
+			break;
+		case ENCR_DES_ECB:
+			gcrypt_alg = GCRY_CIPHER_DES;
+			mode = GCRY_CIPHER_MODE_ECB;
+			break;
+		case ENCR_3DES:
+			gcrypt_alg = GCRY_CIPHER_3DES;
+			break;
+		case ENCR_IDEA:
+			/* currently not implemented in gcrypt */
+			return NULL;
+		case ENCR_CAST:
+			gcrypt_alg = GCRY_CIPHER_CAST5;
+			break;
+		case ENCR_BLOWFISH:
+			if (key_size != 16)
+			{	/* gcrypt currently supports 128 bit blowfish only */
+				return NULL;
+			}
+			gcrypt_alg = GCRY_CIPHER_BLOWFISH;
+			break;
+		/* case ENCR_AES_CTR:
+			mode = GCRY_CIPHER_MODE_CTR; */
+			/* fall */
+		case ENCR_AES_CBC:
+			switch (key_size)
+			{
+				case 16:
+					gcrypt_alg = GCRY_CIPHER_AES128;
+					break;
+				case 24:
+					gcrypt_alg = GCRY_CIPHER_AES192;
+					break;
+				case 32:
+					gcrypt_alg = GCRY_CIPHER_AES256;
+					break;
+				default:
+					return NULL;
+			}
+			break;
+		/* case ENCR_CAMELLIA_CTR:
+			mode = GCRY_CIPHER_MODE_CTR; */
+			/* fall */
+		case ENCR_CAMELLIA_CBC:
+			switch (key_size)
+			{
+#ifdef HAVE_GCRY_CIPHER_CAMELLIA
+				case 16:
+					gcrypt_alg = GCRY_CIPHER_CAMELLIA128;
+					break;
+				case 24:
+					gcrypt_alg = GCRY_CIPHER_CAMELLIA192;
+					break;
+				case 32:
+					gcrypt_alg = GCRY_CIPHER_CAMELLIA256;
+					break;
+#endif /* HAVE_GCRY_CIPHER_CAMELLIA */
+				default:
+					return NULL;
+			}
+			break;
+		case ENCR_SERPENT_CBC:
+			switch (key_size)
+			{
+				case 16:
+					gcrypt_alg = GCRY_CIPHER_SERPENT128;
+					break;
+				case 24:
+					gcrypt_alg = GCRY_CIPHER_SERPENT192;
+					break;
+				case 32:
+					gcrypt_alg = GCRY_CIPHER_SERPENT256;
+					break;
+				default:
+					return NULL;
+			}
+			break;
+		case ENCR_TWOFISH_CBC:
+			switch (key_size)
+			{
+				case 16:
+					gcrypt_alg = GCRY_CIPHER_TWOFISH128;
+					break;
+				case 32:
+					gcrypt_alg = GCRY_CIPHER_TWOFISH;
+					break;
+				default:
+					return NULL;
+			}
+			break;
+		default:
+			return NULL;
+	}
+	
+	this = malloc_thing(private_gcrypt_crypter_t);
+	
+	this->alg = gcrypt_alg;
+	err = gcry_cipher_open(&this->h, gcrypt_alg, mode, 0);
+	if (err)
+	{
+		DBG1("grcy_cipher_open(%N) failed: %s",
+			 encryption_algorithm_names, algo, gpg_strerror(err));
+		free(this);
+		return NULL;
+	}
+	
+	this->public.crypter_interface.encrypt = (void (*) (crypter_t *, chunk_t,chunk_t, chunk_t *))encrypt;
+	this->public.crypter_interface.decrypt = (void (*) (crypter_t *, chunk_t , chunk_t, chunk_t *))decrypt;
+	this->public.crypter_interface.get_block_size = (size_t (*) (crypter_t *))get_block_size;
+	this->public.crypter_interface.get_key_size = (size_t (*) (crypter_t *))get_key_size;
+	this->public.crypter_interface.set_key = (void (*) (crypter_t *,chunk_t))set_key;
+	this->public.crypter_interface.destroy = (void (*) (crypter_t *))destroy;
+	
+	return &this->public;
+}
+
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_crypter.h b/src/libstrongswan/plugins/gcrypt/gcrypt_crypter.h
new file mode 100644
index 000000000..c5a5e6723
--- /dev/null
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_crypter.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup gcrypt_crypter gcrypt_crypter
+ * @{ @ingroup gcrypt_p
+ */
+
+#ifndef GCRYPT_CRYPTER_H_
+#define GCRYPT_CRYPTER_H_
+
+typedef struct gcrypt_crypter_t gcrypt_crypter_t;
+
+#include <crypto/crypters/crypter.h>
+
+/**
+ * Implementation of crypters using gcrypt.
+ */
+struct gcrypt_crypter_t {
+	
+	/**
+	 * The crypter_t interface.
+	 */
+	crypter_t crypter_interface;
+};
+
+/**
+ * Constructor to create gcrypt_crypter_t.
+ * 
+ * @param algo			algorithm to implement
+ * @param key_size		key size in bytes
+ * @return				gcrypt_crypter_t, NULL if not supported
+ */
+gcrypt_crypter_t *gcrypt_crypter_create(encryption_algorithm_t algo,
+										size_t key_size);
+
+#endif /** GCRYPT_CRYPTER_H_ @}*/
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c b/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c
new file mode 100644
index 000000000..89d9f2348
--- /dev/null
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c
@@ -0,0 +1,564 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <gcrypt.h>
+
+#include "gcrypt_dh.h"
+
+#include <debug.h>
+
+/**
+ * Modulus of Group 1 (MODP_768_BIT).
+ */
+static u_int8_t group1_modulus[] = {
+	0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,0x21,0x68,0xC2,0x34,
+	0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,
+	0x02,0x0B,0xBE,0xA6,0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,
+	0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,0xF2,0x5F,0x14,0x37,
+	0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,
+	0xF4,0x4C,0x42,0xE9,0xA6,0x3A,0x36,0x20,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF
+};
+
+/**
+ * Modulus of Group 2 (MODP_1024_BIT).
+ */
+static u_int8_t group2_modulus[] = {
+	0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,0x21,0x68,0xC2,0x34,
+	0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,
+	0x02,0x0B,0xBE,0xA6,0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,
+	0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,0xF2,0x5F,0x14,0x37,
+	0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,
+	0xF4,0x4C,0x42,0xE9,0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED,
+	0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11,0x7C,0x4B,0x1F,0xE6,
+	0x49,0x28,0x66,0x51,0xEC,0xE6,0x53,0x81,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF
+};
+
+/**
+ * Modulus of Group 5 (MODP_1536_BIT).
+ */
+static u_int8_t group5_modulus[] = {
+	0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,0x21,0x68,0xC2,0x34,
+	0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,
+	0x02,0x0B,0xBE,0xA6,0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,
+	0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,0xF2,0x5F,0x14,0x37,
+	0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,
+	0xF4,0x4C,0x42,0xE9,0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED,
+	0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11,0x7C,0x4B,0x1F,0xE6,
+	0x49,0x28,0x66,0x51,0xEC,0xE4,0x5B,0x3D,0xC2,0x00,0x7C,0xB8,0xA1,0x63,0xBF,0x05,
+	0x98,0xDA,0x48,0x36,0x1C,0x55,0xD3,0x9A,0x69,0x16,0x3F,0xA8,0xFD,0x24,0xCF,0x5F,
+	0x83,0x65,0x5D,0x23,0xDC,0xA3,0xAD,0x96,0x1C,0x62,0xF3,0x56,0x20,0x85,0x52,0xBB,
+	0x9E,0xD5,0x29,0x07,0x70,0x96,0x96,0x6D,0x67,0x0C,0x35,0x4E,0x4A,0xBC,0x98,0x04,
+	0xF1,0x74,0x6C,0x08,0xCA,0x23,0x73,0x27,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF
+};
+/**
+ * Modulus of Group 14 (MODP_2048_BIT).
+ */
+static u_int8_t group14_modulus[] = {
+	0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,0x21,0x68,0xC2,0x34,
+	0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,
+	0x02,0x0B,0xBE,0xA6,0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,
+	0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,0xF2,0x5F,0x14,0x37,
+	0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,
+	0xF4,0x4C,0x42,0xE9,0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED,
+	0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11,0x7C,0x4B,0x1F,0xE6,
+	0x49,0x28,0x66,0x51,0xEC,0xE4,0x5B,0x3D,0xC2,0x00,0x7C,0xB8,0xA1,0x63,0xBF,0x05,
+	0x98,0xDA,0x48,0x36,0x1C,0x55,0xD3,0x9A,0x69,0x16,0x3F,0xA8,0xFD,0x24,0xCF,0x5F,
+	0x83,0x65,0x5D,0x23,0xDC,0xA3,0xAD,0x96,0x1C,0x62,0xF3,0x56,0x20,0x85,0x52,0xBB,
+	0x9E,0xD5,0x29,0x07,0x70,0x96,0x96,0x6D,0x67,0x0C,0x35,0x4E,0x4A,0xBC,0x98,0x04,
+	0xF1,0x74,0x6C,0x08,0xCA,0x18,0x21,0x7C,0x32,0x90,0x5E,0x46,0x2E,0x36,0xCE,0x3B,
+	0xE3,0x9E,0x77,0x2C,0x18,0x0E,0x86,0x03,0x9B,0x27,0x83,0xA2,0xEC,0x07,0xA2,0x8F,
+	0xB5,0xC5,0x5D,0xF0,0x6F,0x4C,0x52,0xC9,0xDE,0x2B,0xCB,0xF6,0x95,0x58,0x17,0x18,
+	0x39,0x95,0x49,0x7C,0xEA,0x95,0x6A,0xE5,0x15,0xD2,0x26,0x18,0x98,0xFA,0x05,0x10,
+	0x15,0x72,0x8E,0x5A,0x8A,0xAC,0xAA,0x68,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF
+};
+
+/**
+ * Modulus of Group 15 (MODP_3072_BIT).
+ */
+static u_int8_t group15_modulus[] = {
+	0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,0x21,0x68,0xC2,0x34,
+	0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,
+	0x02,0x0B,0xBE,0xA6,0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,
+	0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,0xF2,0x5F,0x14,0x37,
+	0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,
+	0xF4,0x4C,0x42,0xE9,0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED,
+	0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11,0x7C,0x4B,0x1F,0xE6,
+	0x49,0x28,0x66,0x51,0xEC,0xE4,0x5B,0x3D,0xC2,0x00,0x7C,0xB8,0xA1,0x63,0xBF,0x05,
+	0x98,0xDA,0x48,0x36,0x1C,0x55,0xD3,0x9A,0x69,0x16,0x3F,0xA8,0xFD,0x24,0xCF,0x5F,
+	0x83,0x65,0x5D,0x23,0xDC,0xA3,0xAD,0x96,0x1C,0x62,0xF3,0x56,0x20,0x85,0x52,0xBB,
+	0x9E,0xD5,0x29,0x07,0x70,0x96,0x96,0x6D,0x67,0x0C,0x35,0x4E,0x4A,0xBC,0x98,0x04,
+	0xF1,0x74,0x6C,0x08,0xCA,0x18,0x21,0x7C,0x32,0x90,0x5E,0x46,0x2E,0x36,0xCE,0x3B,
+	0xE3,0x9E,0x77,0x2C,0x18,0x0E,0x86,0x03,0x9B,0x27,0x83,0xA2,0xEC,0x07,0xA2,0x8F,
+	0xB5,0xC5,0x5D,0xF0,0x6F,0x4C,0x52,0xC9,0xDE,0x2B,0xCB,0xF6,0x95,0x58,0x17,0x18,
+	0x39,0x95,0x49,0x7C,0xEA,0x95,0x6A,0xE5,0x15,0xD2,0x26,0x18,0x98,0xFA,0x05,0x10,
+	0x15,0x72,0x8E,0x5A,0x8A,0xAA,0xC4,0x2D,0xAD,0x33,0x17,0x0D,0x04,0x50,0x7A,0x33,
+	0xA8,0x55,0x21,0xAB,0xDF,0x1C,0xBA,0x64,0xEC,0xFB,0x85,0x04,0x58,0xDB,0xEF,0x0A,
+	0x8A,0xEA,0x71,0x57,0x5D,0x06,0x0C,0x7D,0xB3,0x97,0x0F,0x85,0xA6,0xE1,0xE4,0xC7,
+	0xAB,0xF5,0xAE,0x8C,0xDB,0x09,0x33,0xD7,0x1E,0x8C,0x94,0xE0,0x4A,0x25,0x61,0x9D,
+	0xCE,0xE3,0xD2,0x26,0x1A,0xD2,0xEE,0x6B,0xF1,0x2F,0xFA,0x06,0xD9,0x8A,0x08,0x64,
+	0xD8,0x76,0x02,0x73,0x3E,0xC8,0x6A,0x64,0x52,0x1F,0x2B,0x18,0x17,0x7B,0x20,0x0C,
+	0xBB,0xE1,0x17,0x57,0x7A,0x61,0x5D,0x6C,0x77,0x09,0x88,0xC0,0xBA,0xD9,0x46,0xE2,
+	0x08,0xE2,0x4F,0xA0,0x74,0xE5,0xAB,0x31,0x43,0xDB,0x5B,0xFC,0xE0,0xFD,0x10,0x8E,
+	0x4B,0x82,0xD1,0x20,0xA9,0x3A,0xD2,0xCA,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF
+};
+
+/**
+ * Modulus of Group 16 (MODP_4096_BIT).
+ */
+static u_int8_t group16_modulus[] = {
+	0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,0x21,0x68,0xC2,0x34,
+	0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,
+	0x02,0x0B,0xBE,0xA6,0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,
+	0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,0xF2,0x5F,0x14,0x37,
+	0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,
+	0xF4,0x4C,0x42,0xE9,0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED,
+	0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11,0x7C,0x4B,0x1F,0xE6,
+	0x49,0x28,0x66,0x51,0xEC,0xE4,0x5B,0x3D,0xC2,0x00,0x7C,0xB8,0xA1,0x63,0xBF,0x05,
+	0x98,0xDA,0x48,0x36,0x1C,0x55,0xD3,0x9A,0x69,0x16,0x3F,0xA8,0xFD,0x24,0xCF,0x5F,
+	0x83,0x65,0x5D,0x23,0xDC,0xA3,0xAD,0x96,0x1C,0x62,0xF3,0x56,0x20,0x85,0x52,0xBB,
+	0x9E,0xD5,0x29,0x07,0x70,0x96,0x96,0x6D,0x67,0x0C,0x35,0x4E,0x4A,0xBC,0x98,0x04,
+	0xF1,0x74,0x6C,0x08,0xCA,0x18,0x21,0x7C,0x32,0x90,0x5E,0x46,0x2E,0x36,0xCE,0x3B,
+	0xE3,0x9E,0x77,0x2C,0x18,0x0E,0x86,0x03,0x9B,0x27,0x83,0xA2,0xEC,0x07,0xA2,0x8F,
+	0xB5,0xC5,0x5D,0xF0,0x6F,0x4C,0x52,0xC9,0xDE,0x2B,0xCB,0xF6,0x95,0x58,0x17,0x18,
+	0x39,0x95,0x49,0x7C,0xEA,0x95,0x6A,0xE5,0x15,0xD2,0x26,0x18,0x98,0xFA,0x05,0x10,
+	0x15,0x72,0x8E,0x5A,0x8A,0xAA,0xC4,0x2D,0xAD,0x33,0x17,0x0D,0x04,0x50,0x7A,0x33,
+	0xA8,0x55,0x21,0xAB,0xDF,0x1C,0xBA,0x64,0xEC,0xFB,0x85,0x04,0x58,0xDB,0xEF,0x0A,
+	0x8A,0xEA,0x71,0x57,0x5D,0x06,0x0C,0x7D,0xB3,0x97,0x0F,0x85,0xA6,0xE1,0xE4,0xC7,
+	0xAB,0xF5,0xAE,0x8C,0xDB,0x09,0x33,0xD7,0x1E,0x8C,0x94,0xE0,0x4A,0x25,0x61,0x9D,
+	0xCE,0xE3,0xD2,0x26,0x1A,0xD2,0xEE,0x6B,0xF1,0x2F,0xFA,0x06,0xD9,0x8A,0x08,0x64,
+	0xD8,0x76,0x02,0x73,0x3E,0xC8,0x6A,0x64,0x52,0x1F,0x2B,0x18,0x17,0x7B,0x20,0x0C,
+	0xBB,0xE1,0x17,0x57,0x7A,0x61,0x5D,0x6C,0x77,0x09,0x88,0xC0,0xBA,0xD9,0x46,0xE2,
+	0x08,0xE2,0x4F,0xA0,0x74,0xE5,0xAB,0x31,0x43,0xDB,0x5B,0xFC,0xE0,0xFD,0x10,0x8E,
+	0x4B,0x82,0xD1,0x20,0xA9,0x21,0x08,0x01,0x1A,0x72,0x3C,0x12,0xA7,0x87,0xE6,0xD7,
+	0x88,0x71,0x9A,0x10,0xBD,0xBA,0x5B,0x26,0x99,0xC3,0x27,0x18,0x6A,0xF4,0xE2,0x3C,
+	0x1A,0x94,0x68,0x34,0xB6,0x15,0x0B,0xDA,0x25,0x83,0xE9,0xCA,0x2A,0xD4,0x4C,0xE8,
+	0xDB,0xBB,0xC2,0xDB,0x04,0xDE,0x8E,0xF9,0x2E,0x8E,0xFC,0x14,0x1F,0xBE,0xCA,0xA6,
+	0x28,0x7C,0x59,0x47,0x4E,0x6B,0xC0,0x5D,0x99,0xB2,0x96,0x4F,0xA0,0x90,0xC3,0xA2,
+	0x23,0x3B,0xA1,0x86,0x51,0x5B,0xE7,0xED,0x1F,0x61,0x29,0x70,0xCE,0xE2,0xD7,0xAF,
+	0xB8,0x1B,0xDD,0x76,0x21,0x70,0x48,0x1C,0xD0,0x06,0x91,0x27,0xD5,0xB0,0x5A,0xA9,
+	0x93,0xB4,0xEA,0x98,0x8D,0x8F,0xDD,0xC1,0x86,0xFF,0xB7,0xDC,0x90,0xA6,0xC0,0x8F,
+	0x4D,0xF4,0x35,0xC9,0x34,0x06,0x31,0x99,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF
+};
+
+/**
+ * Modulus of Group 17 (MODP_6144_BIT).
+ */
+static u_int8_t group17_modulus[] = {
+	0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,0x21,0x68,0xC2,0x34,
+	0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,
+	0x02,0x0B,0xBE,0xA6,0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,
+	0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,0xF2,0x5F,0x14,0x37,
+	0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,
+	0xF4,0x4C,0x42,0xE9,0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED,
+	0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11,0x7C,0x4B,0x1F,0xE6,
+	0x49,0x28,0x66,0x51,0xEC,0xE4,0x5B,0x3D,0xC2,0x00,0x7C,0xB8,0xA1,0x63,0xBF,0x05,
+	0x98,0xDA,0x48,0x36,0x1C,0x55,0xD3,0x9A,0x69,0x16,0x3F,0xA8,0xFD,0x24,0xCF,0x5F,
+	0x83,0x65,0x5D,0x23,0xDC,0xA3,0xAD,0x96,0x1C,0x62,0xF3,0x56,0x20,0x85,0x52,0xBB,
+	0x9E,0xD5,0x29,0x07,0x70,0x96,0x96,0x6D,0x67,0x0C,0x35,0x4E,0x4A,0xBC,0x98,0x04,
+	0xF1,0x74,0x6C,0x08,0xCA,0x18,0x21,0x7C,0x32,0x90,0x5E,0x46,0x2E,0x36,0xCE,0x3B,
+	0xE3,0x9E,0x77,0x2C,0x18,0x0E,0x86,0x03,0x9B,0x27,0x83,0xA2,0xEC,0x07,0xA2,0x8F,
+	0xB5,0xC5,0x5D,0xF0,0x6F,0x4C,0x52,0xC9,0xDE,0x2B,0xCB,0xF6,0x95,0x58,0x17,0x18,
+	0x39,0x95,0x49,0x7C,0xEA,0x95,0x6A,0xE5,0x15,0xD2,0x26,0x18,0x98,0xFA,0x05,0x10,
+	0x15,0x72,0x8E,0x5A,0x8A,0xAA,0xC4,0x2D,0xAD,0x33,0x17,0x0D,0x04,0x50,0x7A,0x33,
+	0xA8,0x55,0x21,0xAB,0xDF,0x1C,0xBA,0x64,0xEC,0xFB,0x85,0x04,0x58,0xDB,0xEF,0x0A,
+	0x8A,0xEA,0x71,0x57,0x5D,0x06,0x0C,0x7D,0xB3,0x97,0x0F,0x85,0xA6,0xE1,0xE4,0xC7,
+	0xAB,0xF5,0xAE,0x8C,0xDB,0x09,0x33,0xD7,0x1E,0x8C,0x94,0xE0,0x4A,0x25,0x61,0x9D,
+	0xCE,0xE3,0xD2,0x26,0x1A,0xD2,0xEE,0x6B,0xF1,0x2F,0xFA,0x06,0xD9,0x8A,0x08,0x64,
+	0xD8,0x76,0x02,0x73,0x3E,0xC8,0x6A,0x64,0x52,0x1F,0x2B,0x18,0x17,0x7B,0x20,0x0C,
+	0xBB,0xE1,0x17,0x57,0x7A,0x61,0x5D,0x6C,0x77,0x09,0x88,0xC0,0xBA,0xD9,0x46,0xE2,
+	0x08,0xE2,0x4F,0xA0,0x74,0xE5,0xAB,0x31,0x43,0xDB,0x5B,0xFC,0xE0,0xFD,0x10,0x8E,
+	0x4B,0x82,0xD1,0x20,0xA9,0x21,0x08,0x01,0x1A,0x72,0x3C,0x12,0xA7,0x87,0xE6,0xD7,
+	0x88,0x71,0x9A,0x10,0xBD,0xBA,0x5B,0x26,0x99,0xC3,0x27,0x18,0x6A,0xF4,0xE2,0x3C,
+	0x1A,0x94,0x68,0x34,0xB6,0x15,0x0B,0xDA,0x25,0x83,0xE9,0xCA,0x2A,0xD4,0x4C,0xE8,
+	0xDB,0xBB,0xC2,0xDB,0x04,0xDE,0x8E,0xF9,0x2E,0x8E,0xFC,0x14,0x1F,0xBE,0xCA,0xA6,
+	0x28,0x7C,0x59,0x47,0x4E,0x6B,0xC0,0x5D,0x99,0xB2,0x96,0x4F,0xA0,0x90,0xC3,0xA2,
+	0x23,0x3B,0xA1,0x86,0x51,0x5B,0xE7,0xED,0x1F,0x61,0x29,0x70,0xCE,0xE2,0xD7,0xAF,
+	0xB8,0x1B,0xDD,0x76,0x21,0x70,0x48,0x1C,0xD0,0x06,0x91,0x27,0xD5,0xB0,0x5A,0xA9,
+	0x93,0xB4,0xEA,0x98,0x8D,0x8F,0xDD,0xC1,0x86,0xFF,0xB7,0xDC,0x90,0xA6,0xC0,0x8F,
+	0x4D,0xF4,0x35,0xC9,0x34,0x02,0x84,0x92,0x36,0xC3,0xFA,0xB4,0xD2,0x7C,0x70,0x26,
+	0xC1,0xD4,0xDC,0xB2,0x60,0x26,0x46,0xDE,0xC9,0x75,0x1E,0x76,0x3D,0xBA,0x37,0xBD,
+	0xF8,0xFF,0x94,0x06,0xAD,0x9E,0x53,0x0E,0xE5,0xDB,0x38,0x2F,0x41,0x30,0x01,0xAE,
+	0xB0,0x6A,0x53,0xED,0x90,0x27,0xD8,0x31,0x17,0x97,0x27,0xB0,0x86,0x5A,0x89,0x18,
+	0xDA,0x3E,0xDB,0xEB,0xCF,0x9B,0x14,0xED,0x44,0xCE,0x6C,0xBA,0xCE,0xD4,0xBB,0x1B,
+	0xDB,0x7F,0x14,0x47,0xE6,0xCC,0x25,0x4B,0x33,0x20,0x51,0x51,0x2B,0xD7,0xAF,0x42,
+	0x6F,0xB8,0xF4,0x01,0x37,0x8C,0xD2,0xBF,0x59,0x83,0xCA,0x01,0xC6,0x4B,0x92,0xEC,
+	0xF0,0x32,0xEA,0x15,0xD1,0x72,0x1D,0x03,0xF4,0x82,0xD7,0xCE,0x6E,0x74,0xFE,0xF6,
+	0xD5,0x5E,0x70,0x2F,0x46,0x98,0x0C,0x82,0xB5,0xA8,0x40,0x31,0x90,0x0B,0x1C,0x9E,
+	0x59,0xE7,0xC9,0x7F,0xBE,0xC7,0xE8,0xF3,0x23,0xA9,0x7A,0x7E,0x36,0xCC,0x88,0xBE,
+	0x0F,0x1D,0x45,0xB7,0xFF,0x58,0x5A,0xC5,0x4B,0xD4,0x07,0xB2,0x2B,0x41,0x54,0xAA,
+	0xCC,0x8F,0x6D,0x7E,0xBF,0x48,0xE1,0xD8,0x14,0xCC,0x5E,0xD2,0x0F,0x80,0x37,0xE0,
+	0xA7,0x97,0x15,0xEE,0xF2,0x9B,0xE3,0x28,0x06,0xA1,0xD5,0x8B,0xB7,0xC5,0xDA,0x76,
+	0xF5,0x50,0xAA,0x3D,0x8A,0x1F,0xBF,0xF0,0xEB,0x19,0xCC,0xB1,0xA3,0x13,0xD5,0x5C,
+	0xDA,0x56,0xC9,0xEC,0x2E,0xF2,0x96,0x32,0x38,0x7F,0xE8,0xD7,0x6E,0x3C,0x04,0x68,
+	0x04,0x3E,0x8F,0x66,0x3F,0x48,0x60,0xEE,0x12,0xBF,0x2D,0x5B,0x0B,0x74,0x74,0xD6,
+	0xE6,0x94,0xF9,0x1E,0x6D,0xCC,0x40,0x24,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF
+};
+
+/**
+ * Modulus of Group 18 (MODP_8192_BIT).
+ */
+static u_int8_t group18_modulus[] = {
+	0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,0x21,0x68,0xC2,0x34,
+	0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,
+	0x02,0x0B,0xBE,0xA6,0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,
+	0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,0xF2,0x5F,0x14,0x37,
+	0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,
+	0xF4,0x4C,0x42,0xE9,0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED,
+	0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11,0x7C,0x4B,0x1F,0xE6,
+	0x49,0x28,0x66,0x51,0xEC,0xE4,0x5B,0x3D,0xC2,0x00,0x7C,0xB8,0xA1,0x63,0xBF,0x05,
+	0x98,0xDA,0x48,0x36,0x1C,0x55,0xD3,0x9A,0x69,0x16,0x3F,0xA8,0xFD,0x24,0xCF,0x5F,
+	0x83,0x65,0x5D,0x23,0xDC,0xA3,0xAD,0x96,0x1C,0x62,0xF3,0x56,0x20,0x85,0x52,0xBB,
+	0x9E,0xD5,0x29,0x07,0x70,0x96,0x96,0x6D,0x67,0x0C,0x35,0x4E,0x4A,0xBC,0x98,0x04,
+	0xF1,0x74,0x6C,0x08,0xCA,0x18,0x21,0x7C,0x32,0x90,0x5E,0x46,0x2E,0x36,0xCE,0x3B,
+	0xE3,0x9E,0x77,0x2C,0x18,0x0E,0x86,0x03,0x9B,0x27,0x83,0xA2,0xEC,0x07,0xA2,0x8F,
+	0xB5,0xC5,0x5D,0xF0,0x6F,0x4C,0x52,0xC9,0xDE,0x2B,0xCB,0xF6,0x95,0x58,0x17,0x18,
+	0x39,0x95,0x49,0x7C,0xEA,0x95,0x6A,0xE5,0x15,0xD2,0x26,0x18,0x98,0xFA,0x05,0x10,
+	0x15,0x72,0x8E,0x5A,0x8A,0xAA,0xC4,0x2D,0xAD,0x33,0x17,0x0D,0x04,0x50,0x7A,0x33,
+	0xA8,0x55,0x21,0xAB,0xDF,0x1C,0xBA,0x64,0xEC,0xFB,0x85,0x04,0x58,0xDB,0xEF,0x0A,
+	0x8A,0xEA,0x71,0x57,0x5D,0x06,0x0C,0x7D,0xB3,0x97,0x0F,0x85,0xA6,0xE1,0xE4,0xC7,
+	0xAB,0xF5,0xAE,0x8C,0xDB,0x09,0x33,0xD7,0x1E,0x8C,0x94,0xE0,0x4A,0x25,0x61,0x9D,
+	0xCE,0xE3,0xD2,0x26,0x1A,0xD2,0xEE,0x6B,0xF1,0x2F,0xFA,0x06,0xD9,0x8A,0x08,0x64,
+	0xD8,0x76,0x02,0x73,0x3E,0xC8,0x6A,0x64,0x52,0x1F,0x2B,0x18,0x17,0x7B,0x20,0x0C,
+	0xBB,0xE1,0x17,0x57,0x7A,0x61,0x5D,0x6C,0x77,0x09,0x88,0xC0,0xBA,0xD9,0x46,0xE2,
+	0x08,0xE2,0x4F,0xA0,0x74,0xE5,0xAB,0x31,0x43,0xDB,0x5B,0xFC,0xE0,0xFD,0x10,0x8E,
+	0x4B,0x82,0xD1,0x20,0xA9,0x21,0x08,0x01,0x1A,0x72,0x3C,0x12,0xA7,0x87,0xE6,0xD7,
+	0x88,0x71,0x9A,0x10,0xBD,0xBA,0x5B,0x26,0x99,0xC3,0x27,0x18,0x6A,0xF4,0xE2,0x3C,
+	0x1A,0x94,0x68,0x34,0xB6,0x15,0x0B,0xDA,0x25,0x83,0xE9,0xCA,0x2A,0xD4,0x4C,0xE8,
+	0xDB,0xBB,0xC2,0xDB,0x04,0xDE,0x8E,0xF9,0x2E,0x8E,0xFC,0x14,0x1F,0xBE,0xCA,0xA6,
+	0x28,0x7C,0x59,0x47,0x4E,0x6B,0xC0,0x5D,0x99,0xB2,0x96,0x4F,0xA0,0x90,0xC3,0xA2,
+	0x23,0x3B,0xA1,0x86,0x51,0x5B,0xE7,0xED,0x1F,0x61,0x29,0x70,0xCE,0xE2,0xD7,0xAF,
+	0xB8,0x1B,0xDD,0x76,0x21,0x70,0x48,0x1C,0xD0,0x06,0x91,0x27,0xD5,0xB0,0x5A,0xA9,
+	0x93,0xB4,0xEA,0x98,0x8D,0x8F,0xDD,0xC1,0x86,0xFF,0xB7,0xDC,0x90,0xA6,0xC0,0x8F,
+	0x4D,0xF4,0x35,0xC9,0x34,0x02,0x84,0x92,0x36,0xC3,0xFA,0xB4,0xD2,0x7C,0x70,0x26,
+	0xC1,0xD4,0xDC,0xB2,0x60,0x26,0x46,0xDE,0xC9,0x75,0x1E,0x76,0x3D,0xBA,0x37,0xBD,
+	0xF8,0xFF,0x94,0x06,0xAD,0x9E,0x53,0x0E,0xE5,0xDB,0x38,0x2F,0x41,0x30,0x01,0xAE,
+	0xB0,0x6A,0x53,0xED,0x90,0x27,0xD8,0x31,0x17,0x97,0x27,0xB0,0x86,0x5A,0x89,0x18,
+	0xDA,0x3E,0xDB,0xEB,0xCF,0x9B,0x14,0xED,0x44,0xCE,0x6C,0xBA,0xCE,0xD4,0xBB,0x1B,
+	0xDB,0x7F,0x14,0x47,0xE6,0xCC,0x25,0x4B,0x33,0x20,0x51,0x51,0x2B,0xD7,0xAF,0x42,
+	0x6F,0xB8,0xF4,0x01,0x37,0x8C,0xD2,0xBF,0x59,0x83,0xCA,0x01,0xC6,0x4B,0x92,0xEC,
+	0xF0,0x32,0xEA,0x15,0xD1,0x72,0x1D,0x03,0xF4,0x82,0xD7,0xCE,0x6E,0x74,0xFE,0xF6,
+	0xD5,0x5E,0x70,0x2F,0x46,0x98,0x0C,0x82,0xB5,0xA8,0x40,0x31,0x90,0x0B,0x1C,0x9E,
+	0x59,0xE7,0xC9,0x7F,0xBE,0xC7,0xE8,0xF3,0x23,0xA9,0x7A,0x7E,0x36,0xCC,0x88,0xBE,
+	0x0F,0x1D,0x45,0xB7,0xFF,0x58,0x5A,0xC5,0x4B,0xD4,0x07,0xB2,0x2B,0x41,0x54,0xAA,
+	0xCC,0x8F,0x6D,0x7E,0xBF,0x48,0xE1,0xD8,0x14,0xCC,0x5E,0xD2,0x0F,0x80,0x37,0xE0,
+	0xA7,0x97,0x15,0xEE,0xF2,0x9B,0xE3,0x28,0x06,0xA1,0xD5,0x8B,0xB7,0xC5,0xDA,0x76,
+	0xF5,0x50,0xAA,0x3D,0x8A,0x1F,0xBF,0xF0,0xEB,0x19,0xCC,0xB1,0xA3,0x13,0xD5,0x5C,
+	0xDA,0x56,0xC9,0xEC,0x2E,0xF2,0x96,0x32,0x38,0x7F,0xE8,0xD7,0x6E,0x3C,0x04,0x68,
+	0x04,0x3E,0x8F,0x66,0x3F,0x48,0x60,0xEE,0x12,0xBF,0x2D,0x5B,0x0B,0x74,0x74,0xD6,
+	0xE6,0x94,0xF9,0x1E,0x6D,0xBE,0x11,0x59,0x74,0xA3,0x92,0x6F,0x12,0xFE,0xE5,0xE4,
+	0x38,0x77,0x7C,0xB6,0xA9,0x32,0xDF,0x8C,0xD8,0xBE,0xC4,0xD0,0x73,0xB9,0x31,0xBA,
+	0x3B,0xC8,0x32,0xB6,0x8D,0x9D,0xD3,0x00,0x74,0x1F,0xA7,0xBF,0x8A,0xFC,0x47,0xED,
+	0x25,0x76,0xF6,0x93,0x6B,0xA4,0x24,0x66,0x3A,0xAB,0x63,0x9C,0x5A,0xE4,0xF5,0x68,
+	0x34,0x23,0xB4,0x74,0x2B,0xF1,0xC9,0x78,0x23,0x8F,0x16,0xCB,0xE3,0x9D,0x65,0x2D,
+	0xE3,0xFD,0xB8,0xBE,0xFC,0x84,0x8A,0xD9,0x22,0x22,0x2E,0x04,0xA4,0x03,0x7C,0x07,
+	0x13,0xEB,0x57,0xA8,0x1A,0x23,0xF0,0xC7,0x34,0x73,0xFC,0x64,0x6C,0xEA,0x30,0x6B,
+	0x4B,0xCB,0xC8,0x86,0x2F,0x83,0x85,0xDD,0xFA,0x9D,0x4B,0x7F,0xA2,0xC0,0x87,0xE8,
+	0x79,0x68,0x33,0x03,0xED,0x5B,0xDD,0x3A,0x06,0x2B,0x3C,0xF5,0xB3,0xA2,0x78,0xA6,
+	0x6D,0x2A,0x13,0xF8,0x3F,0x44,0xF8,0x2D,0xDF,0x31,0x0E,0xE0,0x74,0xAB,0x6A,0x36,
+	0x45,0x97,0xE8,0x99,0xA0,0x25,0x5D,0xC1,0x64,0xF3,0x1C,0xC5,0x08,0x46,0x85,0x1D,
+	0xF9,0xAB,0x48,0x19,0x5D,0xED,0x7E,0xA1,0xB1,0xD5,0x10,0xBD,0x7E,0xE7,0x4D,0x73,
+	0xFA,0xF3,0x6B,0xC3,0x1E,0xCF,0xA2,0x68,0x35,0x90,0x46,0xF4,0xEB,0x87,0x9F,0x92,
+	0x40,0x09,0x43,0x8B,0x48,0x1C,0x6C,0xD7,0x88,0x9A,0x00,0x2E,0xD5,0xEE,0x38,0x2B,
+	0xC9,0x19,0x0D,0xA6,0xFC,0x02,0x6E,0x47,0x95,0x58,0xE4,0x47,0x56,0x77,0xE9,0xAA,
+	0x9E,0x30,0x50,0xE2,0x76,0x56,0x94,0xDF,0xC8,0x1F,0x56,0xE8,0x80,0xB9,0x6E,0x71,
+	0x60,0xC9,0x80,0xDD,0x98,0xED,0xD3,0xDF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
+};
+
+typedef struct modulus_entry_t modulus_entry_t;
+
+/** 
+ * Entry of the modulus list.
+ */
+struct modulus_entry_t {
+	/** IKEv2 DH group */
+	diffie_hellman_group_t group;
+	/** modulus */
+	chunk_t modulus;
+	/** optimum length of exponent in bytes */
+	size_t opt_len;
+	/** generator */
+	u_int16_t g;
+};
+
+/**
+ * All supported modulus values - optimum exponent size according to RFC 3526.
+ */
+static modulus_entry_t modulus_entries[] = {
+	{MODP_768_BIT,  {group1_modulus,  sizeof(group1_modulus)},  32, 2},
+	{MODP_1024_BIT, {group2_modulus,  sizeof(group2_modulus)},  32, 2},
+	{MODP_1536_BIT, {group5_modulus,  sizeof(group5_modulus)},  32, 2},
+	{MODP_2048_BIT, {group14_modulus, sizeof(group14_modulus)}, 48, 2},
+	{MODP_3072_BIT, {group15_modulus, sizeof(group15_modulus)}, 48, 2},
+	{MODP_4096_BIT, {group16_modulus, sizeof(group16_modulus)}, 64, 2},
+	{MODP_6144_BIT, {group17_modulus, sizeof(group17_modulus)}, 64, 2},
+	{MODP_8192_BIT, {group18_modulus, sizeof(group18_modulus)}, 64, 2},
+};
+
+/**
+ * Lookup the modulus in modulo table
+ */
+static modulus_entry_t *find_entry(diffie_hellman_group_t group)
+{
+	int i;
+	
+	for (i = 0; i < countof(modulus_entries); i++)
+	{
+		if (modulus_entries[i].group == group)
+		{
+			return &modulus_entries[i];
+		}
+	}
+	return NULL;
+}
+
+typedef struct private_gcrypt_dh_t private_gcrypt_dh_t;
+
+/**
+ * Private data of an gcrypt_dh_t object.
+ */
+struct private_gcrypt_dh_t {
+	
+	/**
+	 * Public gcrypt_dh_t interface
+	 */
+	gcrypt_dh_t public;
+	
+	/**
+	 * Diffie Hellman group number
+	 */
+	u_int16_t group;
+	
+	/* 
+	 * Generator value
+	 */	
+	gcry_mpi_t g;
+	
+	/**
+	 * Own private value
+	 */
+	gcry_mpi_t xa;
+	
+	/**
+	 * Own public value
+	 */
+	gcry_mpi_t ya;
+	
+	/**
+	 * Other public value
+	 */
+	gcry_mpi_t yb;
+	
+	/**
+	 * Shared secret
+	 */
+	gcry_mpi_t zz;
+	
+	/**
+	 * Modulus
+	 */
+	gcry_mpi_t p;
+	
+	/**
+	 * Modulus length.
+	 */
+	size_t p_len;
+};
+
+/**
+ * Implementation of gcrypt_dh_t.set_other_public_value.
+ */
+static void set_other_public_value(private_gcrypt_dh_t *this, chunk_t value)
+{
+	gcry_mpi_t p_min_1;
+	gcry_error_t err;
+	
+	if (this->yb)
+	{
+		gcry_mpi_release(this->yb);
+		this->yb = NULL;
+	}
+	err = gcry_mpi_scan(&this->yb, GCRYMPI_FMT_USG, value.ptr, value.len, NULL);
+	if (err)
+	{
+		DBG1("importing mpi yb failed: %s", gpg_strerror(err));
+		return;
+	}
+	
+	p_min_1 = gcry_mpi_new(this->p_len * 8);
+	gcry_mpi_sub_ui(p_min_1, this->p, 1);
+	
+	/* check public value: 
+	 * 1. 0 or 1 is invalid as 0^a = 0 and 1^a = 1
+	 * 2. a public value larger or equal the modulus is invalid */
+	if (gcry_mpi_cmp_ui(this->yb, 1) > 0 &&
+		gcry_mpi_cmp(this->yb, p_min_1) < 0)
+	{
+		if (!this->zz)
+		{
+			this->zz = gcry_mpi_new(this->p_len * 8);
+		}
+		gcry_mpi_powm(this->zz, this->yb, this->xa, this->p);
+	}
+	else
+	{
+		DBG1("public DH value verification failed: y < 2 || y > p - 1 ");
+	}
+	gcry_mpi_release(p_min_1);
+}
+
+/**
+ * export a gcry_mpi to an allocated chunk of len bytes
+ */
+static chunk_t export_mpi(gcry_mpi_t value, size_t len)
+{
+	chunk_t chunk;
+	size_t written;
+	
+	chunk = chunk_alloc(len);
+	gcry_mpi_print(GCRYMPI_FMT_USG, chunk.ptr, chunk.len, &written, value);
+	if (written < len)
+	{	/* right-align number of written bytes in chunk */
+		memmove(chunk.ptr + (len - written), chunk.ptr, written);
+		memset(chunk.ptr, 0, len - written);
+	}
+	return chunk;
+}
+
+/**
+ * Implementation of gcrypt_dh_t.get_my_public_value.
+ */
+static void get_my_public_value(private_gcrypt_dh_t *this, chunk_t *value)
+{
+	*value = export_mpi(this->ya, this->p_len);
+}
+
+/**
+ * Implementation of gcrypt_dh_t.get_shared_secret.
+ */
+static status_t get_shared_secret(private_gcrypt_dh_t *this, chunk_t *secret)
+{
+	if (!this->zz)
+	{
+		return FAILED;
+	}
+	*secret = export_mpi(this->zz, this->p_len);
+	return SUCCESS;
+}
+
+/**
+ * Implementation of gcrypt_dh_t.get_dh_group.
+ */
+static diffie_hellman_group_t get_dh_group(private_gcrypt_dh_t *this)
+{
+	return this->group;
+}
+
+/**
+ * Implementation of gcrypt_dh_t.destroy.
+ */
+static void destroy(private_gcrypt_dh_t *this)
+{
+	gcry_mpi_release(this->p);
+	gcry_mpi_release(this->xa);
+	gcry_mpi_release(this->ya);
+	gcry_mpi_release(this->g);
+	gcry_mpi_release(this->yb);
+	gcry_mpi_release(this->zz);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+gcrypt_dh_t *gcrypt_dh_create(diffie_hellman_group_t group)
+{
+	private_gcrypt_dh_t *this;
+	modulus_entry_t *entry;
+	gcry_error_t err;
+	chunk_t random;
+	rng_t *rng;
+	size_t len;
+	
+	entry = find_entry(group);
+	if (!entry)
+	{
+		return NULL;
+	}
+	
+	this = malloc_thing(private_gcrypt_dh_t);
+	
+	this->public.dh.get_shared_secret = (status_t (*)(diffie_hellman_t *, chunk_t *)) get_shared_secret;
+	this->public.dh.set_other_public_value = (void (*)(diffie_hellman_t *, chunk_t )) set_other_public_value;
+	this->public.dh.get_my_public_value = (void (*)(diffie_hellman_t *, chunk_t *)) get_my_public_value;
+	this->public.dh.get_dh_group = (diffie_hellman_group_t (*)(diffie_hellman_t *)) get_dh_group;
+	this->public.dh.destroy = (void (*)(diffie_hellman_t *)) destroy;
+	
+	this->group = group;
+	this->p_len = entry->modulus.len;
+	err = gcry_mpi_scan(&this->p, GCRYMPI_FMT_USG,
+						entry->modulus.ptr, entry->modulus.len, NULL);
+	if (err)
+	{
+		DBG1("importing mpi modulus failed: %s", gpg_strerror(err));
+		free(this);
+		return NULL;
+	}
+	if (lib->settings->get_int(lib->settings,
+								"libstrongswan.dh_exponent_ansi_x9_42", TRUE))
+	{
+		len = this->p_len;
+	}
+	else
+	{
+		len = entry->opt_len;
+	}
+	
+	rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
+	if (rng)
+	{	/* prefer external randomizer */
+		rng->allocate_bytes(rng, len, &random);
+		rng->destroy(rng);
+		err = gcry_mpi_scan(&this->xa, GCRYMPI_FMT_USG,
+							random.ptr, random.len, NULL);
+		chunk_clear(&random);
+		if (err)
+		{
+			DBG1("importing mpi xa failed: %s", gpg_strerror(err));
+			gcry_mpi_release(this->p);
+			free(this);
+			return NULL;
+		}
+	}
+	else
+	{	/* fallback to gcrypt internal randomizer, shouldn't ever happen */
+		this->xa = gcry_mpi_new(len * 8);
+		gcry_mpi_randomize(this->xa, len * 8, GCRY_STRONG_RANDOM);
+	}
+	if (len == this->p_len)
+	{
+		/* achieve bitsof(p)-1 by setting MSB to 0 */
+		gcry_mpi_clear_bit(this->xa, len * 8 - 1);
+	}
+	
+	this->g = gcry_mpi_set_ui(NULL, entry->g);
+	this->ya = gcry_mpi_new(this->p_len * 8);
+	this->yb = NULL;
+	this->zz = NULL;
+	
+	gcry_mpi_powm(this->ya, this->g, this->xa, this->p);
+	
+	return &this->public;
+}
+
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_dh.h b/src/libstrongswan/plugins/gcrypt/gcrypt_dh.h
new file mode 100644
index 000000000..dbef96ca7
--- /dev/null
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_dh.h
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup gcrypt_dh gcrypt_dh
+ * @{ @ingroup gcrypt_p
+ */
+
+#ifndef GCRYPT_DH_H_
+#define GCRYPT_DH_H_
+
+typedef struct gcrypt_dh_t gcrypt_dh_t;
+
+#include <library.h>
+
+/**
+ * Implementation of the Diffie-Hellman algorithm using libgcrypt mpi.
+ */
+struct gcrypt_dh_t {
+	
+	/**
+	 * Implements diffie_hellman_t interface.
+	 */
+	diffie_hellman_t dh;
+};
+
+/**
+ * Creates a new gcrypt_dh_t object.
+ * 
+ * @param group			Diffie Hellman group number to use
+ * @return				gcrypt_dh_t object, NULL if not supported
+ */
+gcrypt_dh_t *gcrypt_dh_create(diffie_hellman_group_t group);
+
+#endif /** GCRYPT_DH_H_ @}*/
+
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c b/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c
new file mode 100644
index 000000000..785ebda90
--- /dev/null
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c
@@ -0,0 +1,151 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil 
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "gcrypt_hasher.h"
+
+#include <debug.h>
+
+#include <gcrypt.h>
+
+typedef struct private_gcrypt_hasher_t private_gcrypt_hasher_t;
+
+/**
+ * Private data of gcrypt_hasher_t
+ */
+struct private_gcrypt_hasher_t {
+	
+	/**
+	 * Public part of this class.
+	 */
+	gcrypt_hasher_t public;
+	
+	/**
+	 * gcrypt hasher context
+	 */
+	gcry_md_hd_t hd;
+};
+
+/**
+ * Implementation of hasher_t.get_hash_size.
+ */
+static size_t get_hash_size(private_gcrypt_hasher_t *this)
+{
+	return gcry_md_get_algo_dlen(gcry_md_get_algo(this->hd));
+}
+
+/**
+ * Implementation of hasher_t.reset.
+ */
+static void reset(private_gcrypt_hasher_t *this)
+{
+	gcry_md_reset(this->hd);
+}
+
+/**
+ * Implementation of hasher_t.get_hash.
+ */
+static void get_hash(private_gcrypt_hasher_t *this, chunk_t chunk,
+					 u_int8_t *hash)
+{
+	gcry_md_write(this->hd, chunk.ptr, chunk.len);
+	if (hash)
+	{
+		memcpy(hash, gcry_md_read(this->hd, 0), get_hash_size(this));
+		gcry_md_reset(this->hd);
+	}
+}
+
+/**
+ * Implementation of hasher_t.allocate_hash.
+ */
+static void allocate_hash(private_gcrypt_hasher_t *this, chunk_t chunk,
+						  chunk_t *hash)
+{
+	if (hash)
+	{
+		*hash = chunk_alloc(get_hash_size(this));
+		get_hash(this, chunk, hash->ptr);
+	}
+	else
+	{
+		get_hash(this, chunk, NULL);
+	}
+}
+
+/**
+ * Implementation of hasher_t.destroy.
+ */
+static void destroy (private_gcrypt_hasher_t *this)
+{
+	gcry_md_close(this->hd);
+	free(this);
+}
+
+/*
+ * Described in header
+ */
+gcrypt_hasher_t *gcrypt_hasher_create(hash_algorithm_t algo)
+{
+	private_gcrypt_hasher_t *this;
+	int gcrypt_alg;
+	gcry_error_t err;
+	
+	switch (algo)
+	{
+		case HASH_MD2:
+			gcrypt_alg = GCRY_MD_MD2;
+			break;
+		case HASH_MD4:
+			gcrypt_alg = GCRY_MD_MD4;
+			break;
+		case HASH_MD5:
+			gcrypt_alg = GCRY_MD_MD5;
+			break;
+		case HASH_SHA1:
+			gcrypt_alg = GCRY_MD_SHA1;
+			break;
+		case HASH_SHA256:
+			gcrypt_alg = GCRY_MD_SHA256;
+			break;
+		case HASH_SHA384:
+			gcrypt_alg = GCRY_MD_SHA384;
+			break;
+		case HASH_SHA512:
+			gcrypt_alg = GCRY_MD_SHA512;
+			break;
+		default:
+			return NULL;
+	}
+	
+	this = malloc_thing(private_gcrypt_hasher_t);
+	
+	err = gcry_md_open(&this->hd, gcrypt_alg, 0);
+	if (err)
+	{
+		DBG1("grcy_md_open(%N) failed: %s",
+			 hash_algorithm_names, algo, gpg_strerror(err));
+		free(this);
+		return NULL;
+	}
+	
+	this->public.hasher_interface.get_hash = (void (*) (hasher_t*, chunk_t, u_int8_t*))get_hash;
+	this->public.hasher_interface.allocate_hash = (void (*) (hasher_t*, chunk_t, chunk_t*))allocate_hash;
+	this->public.hasher_interface.get_hash_size = (size_t (*) (hasher_t*))get_hash_size;
+	this->public.hasher_interface.reset = (void (*) (hasher_t*))reset;
+	this->public.hasher_interface.destroy = (void (*) (hasher_t*))destroy;
+	
+	return &this->public;
+}
+
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.h b/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.h
new file mode 100644
index 000000000..6f724fba8
--- /dev/null
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup gcrypt_hasher gcrypt_hasher
+ * @{ @ingroup gcrypt_p
+ */
+
+#ifndef GCRYPT_HASHER_H_
+#define GCRYPT_HASHER_H_
+
+typedef struct gcrypt_hasher_t gcrypt_hasher_t;
+
+#include <crypto/hashers/hasher.h>
+
+/**
+ * Implementation of hashers using libgcrypt.
+ */
+struct gcrypt_hasher_t {
+	
+	/**
+	 * The hasher_t interface.
+	 */
+	hasher_t hasher_interface;
+};
+
+/**
+ * Constructor to create gcrypt_hasher_t.
+ * 
+ * @param algo			algorithm
+ * @return				gcrypt_hasher_t, NULL if not supported
+ */
+gcrypt_hasher_t *gcrypt_hasher_create(hash_algorithm_t algo);
+
+#endif /** GCRYPT_HASHER_H_ @}*/
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c b/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c
new file mode 100644
index 000000000..547329dde
--- /dev/null
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c
@@ -0,0 +1,212 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "gcrypt_plugin.h"
+
+#include "gcrypt_hasher.h"
+#include "gcrypt_crypter.h"
+#include "gcrypt_rng.h"
+#include "gcrypt_dh.h"
+#include "gcrypt_rsa_private_key.h"
+#include "gcrypt_rsa_public_key.h"
+
+#include <library.h>
+#include <debug.h>
+#include <utils/mutex.h>
+
+#include <errno.h>
+#include <gcrypt.h>
+
+typedef struct private_gcrypt_plugin_t private_gcrypt_plugin_t;
+
+/**
+ * private data of gcrypt_plugin
+ */
+struct private_gcrypt_plugin_t {
+
+	/**
+	 * public functions
+	 */
+	gcrypt_plugin_t public;
+};
+
+/**
+ * gcrypt mutex initialization wrapper
+ */
+static int mutex_init(void **lock)
+{
+	*lock = mutex_create(MUTEX_DEFAULT);
+	return 0;
+}
+
+/**
+ * gcrypt mutex cleanup wrapper
+ */
+static int mutex_destroy(void **lock)
+{
+	mutex_t *mutex = *lock;
+	
+	mutex->destroy(mutex);
+	return 0;
+}
+
+/**
+ * gcrypt mutex lock wrapper
+ */
+static int mutex_lock(void **lock)
+{
+	mutex_t *mutex = *lock;
+	
+	mutex->lock(mutex);
+	return 0;
+}
+
+/**
+ * gcrypt mutex unlock wrapper
+ */
+static int mutex_unlock(void **lock)
+{
+	mutex_t *mutex = *lock;
+	
+	mutex->unlock(mutex);
+	return 0;
+}
+
+/**
+ * gcrypt locking functions using our mutex_t
+ */
+static struct gcry_thread_cbs thread_functions = {
+	GCRY_THREAD_OPTION_USER, NULL,
+	mutex_init, mutex_destroy, mutex_lock, mutex_unlock,
+	NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL
+};
+
+/**
+ * Implementation of gcrypt_plugin_t.destroy
+ */
+static void destroy(private_gcrypt_plugin_t *this)
+{
+	lib->crypto->remove_hasher(lib->crypto,
+					(hasher_constructor_t)gcrypt_hasher_create);
+	lib->crypto->remove_crypter(lib->crypto,
+					(crypter_constructor_t)gcrypt_crypter_create);
+	lib->crypto->remove_rng(lib->crypto,
+					(rng_constructor_t)gcrypt_rng_create);
+	lib->crypto->remove_dh(lib->crypto,
+					(dh_constructor_t)gcrypt_dh_create);
+	lib->creds->remove_builder(lib->creds,
+					(builder_constructor_t)gcrypt_rsa_private_key_builder);
+	lib->creds->remove_builder(lib->creds,
+					(builder_constructor_t)gcrypt_rsa_public_key_builder);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *plugin_create()
+{
+	private_gcrypt_plugin_t *this;
+	
+	gcry_control(GCRYCTL_SET_THREAD_CBS, &thread_functions);
+	
+	if (!gcry_check_version(GCRYPT_VERSION))
+	{
+		DBG1("libgcrypt version mismatch");
+		return NULL;
+	}
+	
+	/* we currently do not use secure memory */
+	gcry_control(GCRYCTL_DISABLE_SECMEM, 0);
+	if (lib->settings->get_bool(lib->settings,
+							"libstrongswan.plugins.gcrypt.quick_random", FALSE))
+	{
+		gcry_control(GCRYCTL_ENABLE_QUICK_RANDOM, 0);
+	}
+	gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0);
+	
+	this = malloc_thing(private_gcrypt_plugin_t);
+	
+	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+	
+	/* hashers */
+	lib->crypto->add_hasher(lib->crypto, HASH_SHA1,
+					(hasher_constructor_t)gcrypt_hasher_create);
+	lib->crypto->add_hasher(lib->crypto, HASH_MD4,
+					(hasher_constructor_t)gcrypt_hasher_create);
+	lib->crypto->add_hasher(lib->crypto, HASH_MD5,
+					(hasher_constructor_t)gcrypt_hasher_create);
+	lib->crypto->add_hasher(lib->crypto, HASH_SHA256,
+					(hasher_constructor_t)gcrypt_hasher_create);
+	lib->crypto->add_hasher(lib->crypto, HASH_SHA384,
+					(hasher_constructor_t)gcrypt_hasher_create);
+	lib->crypto->add_hasher(lib->crypto, HASH_SHA512,
+					(hasher_constructor_t)gcrypt_hasher_create);
+	
+	/* crypters */
+	lib->crypto->add_crypter(lib->crypto, ENCR_3DES,
+					(crypter_constructor_t)gcrypt_crypter_create);
+	lib->crypto->add_crypter(lib->crypto, ENCR_CAST,
+					(crypter_constructor_t)gcrypt_crypter_create);
+	lib->crypto->add_crypter(lib->crypto, ENCR_BLOWFISH,
+					(crypter_constructor_t)gcrypt_crypter_create);
+	lib->crypto->add_crypter(lib->crypto, ENCR_DES,
+					(crypter_constructor_t)gcrypt_crypter_create);
+	lib->crypto->add_crypter(lib->crypto, ENCR_DES_ECB,
+					(crypter_constructor_t)gcrypt_crypter_create);
+	lib->crypto->add_crypter(lib->crypto, ENCR_AES_CBC,
+					(crypter_constructor_t)gcrypt_crypter_create);
+	lib->crypto->add_crypter(lib->crypto, ENCR_CAMELLIA_CBC,
+					(crypter_constructor_t)gcrypt_crypter_create);
+	lib->crypto->add_crypter(lib->crypto, ENCR_SERPENT_CBC,
+					(crypter_constructor_t)gcrypt_crypter_create);
+	lib->crypto->add_crypter(lib->crypto, ENCR_TWOFISH_CBC,
+					(crypter_constructor_t)gcrypt_crypter_create);
+	
+	/* random numbers */
+	lib->crypto->add_rng(lib->crypto, RNG_WEAK, 
+						 (rng_constructor_t)gcrypt_rng_create);
+	lib->crypto->add_rng(lib->crypto, RNG_STRONG, 
+						 (rng_constructor_t)gcrypt_rng_create);
+	lib->crypto->add_rng(lib->crypto, RNG_TRUE, 
+						 (rng_constructor_t)gcrypt_rng_create);
+	
+	/* diffie hellman groups, using modp */
+	lib->crypto->add_dh(lib->crypto, MODP_2048_BIT, 
+					(dh_constructor_t)gcrypt_dh_create);
+	lib->crypto->add_dh(lib->crypto, MODP_1536_BIT, 
+					(dh_constructor_t)gcrypt_dh_create);
+	lib->crypto->add_dh(lib->crypto, MODP_3072_BIT, 
+					(dh_constructor_t)gcrypt_dh_create);
+	lib->crypto->add_dh(lib->crypto, MODP_4096_BIT, 
+					(dh_constructor_t)gcrypt_dh_create);
+	lib->crypto->add_dh(lib->crypto, MODP_6144_BIT, 
+					(dh_constructor_t)gcrypt_dh_create);
+	lib->crypto->add_dh(lib->crypto, MODP_8192_BIT, 
+					(dh_constructor_t)gcrypt_dh_create);
+	lib->crypto->add_dh(lib->crypto, MODP_1024_BIT,
+					(dh_constructor_t)gcrypt_dh_create);
+	lib->crypto->add_dh(lib->crypto, MODP_768_BIT, 
+					(dh_constructor_t)gcrypt_dh_create);
+	
+	/* RSA */
+	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+					(builder_constructor_t)gcrypt_rsa_private_key_builder);
+	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
+					(builder_constructor_t)gcrypt_rsa_public_key_builder);
+	
+	return &this->public.plugin;
+}
+
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.h b/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.h
new file mode 100644
index 000000000..f2247ed5c
--- /dev/null
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup gcrypt_p gcrypt
+ * @ingroup plugins
+ *
+ * @defgroup gcrypt_plugin gcrypt_plugin
+ * @{ @ingroup gcrypt_p
+ */
+
+#ifndef GCRYPT_PLUGIN_H_
+#define GCRYPT_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct gcrypt_plugin_t gcrypt_plugin_t;
+
+/**
+ * Plugin implementing crypto functions via libgcrypt.
+ */
+struct gcrypt_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+/**
+ * Create a gcrypt_plugin instance.
+ */
+plugin_t *plugin_create();
+
+#endif /** GCRYPT_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_rng.c b/src/libstrongswan/plugins/gcrypt/gcrypt_rng.c
new file mode 100644
index 000000000..64b4eb8d0
--- /dev/null
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_rng.c
@@ -0,0 +1,103 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "gcrypt_rng.h"
+
+#include <gcrypt.h>
+
+typedef struct private_gcrypt_rng_t private_gcrypt_rng_t;
+
+/**
+ * Private data of an gcrypt_rng_t object.
+ */
+struct private_gcrypt_rng_t {
+
+	/**
+	 * Public gcrypt_rng_t interface.
+	 */
+	gcrypt_rng_t public;
+	
+	/**
+	 * RNG quality of this instance
+	 */
+	rng_quality_t quality;
+};
+
+/**
+ * Implementation of gcrypt_rng_t.get_bytes.
+ */
+static void get_bytes(private_gcrypt_rng_t *this, size_t bytes,
+					  u_int8_t *buffer)
+{
+	switch (this->quality)
+	{
+		case RNG_WEAK:
+			gcry_create_nonce(buffer, bytes);
+			break;
+		case RNG_STRONG:
+			gcry_randomize(buffer, bytes, GCRY_STRONG_RANDOM);
+			break;
+		case RNG_TRUE:
+			gcry_randomize(buffer, bytes, GCRY_VERY_STRONG_RANDOM);
+			break;
+	}
+}
+
+/**
+ * Implementation of gcrypt_rng_t.allocate_bytes.
+ */
+static void allocate_bytes(private_gcrypt_rng_t *this, size_t bytes,
+						   chunk_t *chunk)
+{
+	*chunk = chunk_alloc(bytes);
+	get_bytes(this, chunk->len, chunk->ptr);
+}
+
+/**
+ * Implementation of gcrypt_rng_t.destroy.
+ */
+static void destroy(private_gcrypt_rng_t *this)
+{
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+gcrypt_rng_t *gcrypt_rng_create(rng_quality_t quality)
+{
+	private_gcrypt_rng_t *this;
+	
+	switch (quality)
+	{
+		case RNG_WEAK:
+		case RNG_STRONG:
+		case RNG_TRUE:
+			break;
+		default:
+			return NULL;
+	}
+	
+	this = malloc_thing(private_gcrypt_rng_t);
+	
+	this->public.rng.get_bytes = (void (*) (rng_t *, size_t, u_int8_t*)) get_bytes;
+	this->public.rng.allocate_bytes = (void (*) (rng_t *, size_t, chunk_t*)) allocate_bytes;
+	this->public.rng.destroy = (void (*) (rng_t *))destroy;
+	
+	this->quality = quality;
+	
+	return &this->public;
+}
+
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_rng.h b/src/libstrongswan/plugins/gcrypt/gcrypt_rng.h
new file mode 100644
index 000000000..3cfde8447
--- /dev/null
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_rng.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+ 
+/**
+ * @defgroup gcrypt_rng gcrypt_rng
+ * @{ @ingroup gcrypt_p
+ */
+
+#ifndef GCRYPT_RNG_H_
+#define GCRYPT_RNG_H_
+
+typedef struct gcrypt_rng_t gcrypt_rng_t;
+
+#include <library.h>
+
+/**
+ * rng_t implementation using libgcrypt.
+ */
+struct gcrypt_rng_t {
+	
+	/**
+	 * Implements rng_t.
+	 */
+	rng_t rng;
+};
+
+/**
+ * Creates an gcrypt_rng_t instance.
+ * 
+ * @param quality	required quality of gcryptness
+ * @return			created gcrypt_rng_t
+ */
+gcrypt_rng_t *gcrypt_rng_create(rng_quality_t quality);
+
+#endif /** GCRYPT_RNG_H_ @} */
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c
new file mode 100644
index 000000000..611ab2467
--- /dev/null
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c
@@ -0,0 +1,734 @@
+/*
+ * Copyright (C) 2005-2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <gcrypt.h>
+
+#include "gcrypt_rsa_private_key.h"
+
+#include <debug.h>
+#include <asn1/oid.h>
+#include <asn1/asn1.h>
+#include <asn1/asn1_parser.h>
+
+typedef struct private_gcrypt_rsa_private_key_t private_gcrypt_rsa_private_key_t;
+
+/**
+ * Private data of a gcrypt_rsa_private_key_t object.
+ */
+struct private_gcrypt_rsa_private_key_t {
+	
+	/**
+	 * Public interface
+	 */
+	gcrypt_rsa_private_key_t public;
+	
+	/**
+	 * gcrypt S-expression representing an RSA key
+	 */
+	gcry_sexp_t key;
+	
+	/**
+	 * Keyid formed as a SHA-1 hash of a publicKey object
+	 */
+	identification_t* keyid;
+	
+	/**
+	 * Keyid formed as a SHA-1 hash of a publicKeyInfo object
+	 */
+	identification_t* keyid_info;
+	
+	/**
+	 * reference count
+	 */
+	refcount_t ref;
+};
+
+/**
+ * Implemented in gcrypt_rsa_public_key.c
+ */
+public_key_t *gcrypt_rsa_public_key_create_from_sexp(gcry_sexp_t key);
+
+/**
+ * find a token in a S-expression
+ */
+chunk_t gcrypt_rsa_find_token(gcry_sexp_t sexp, char *name)
+{
+	gcry_sexp_t token;
+	chunk_t data = chunk_empty;
+	
+	token = gcry_sexp_find_token(sexp, name, 1);
+	if (token)
+	{
+		data.ptr = (char*)gcry_sexp_nth_data(token, 1, &data.len);
+		if (!data.ptr)
+		{
+			data.len = 0;
+		}
+		data = chunk_clone(data);
+		gcry_sexp_release(token);
+	}
+	return data;
+}
+
+/**
+ * Sign a chunk of data with direct PKCS#1 encoding, no hash OID
+ */
+static bool sign_raw(private_gcrypt_rsa_private_key_t *this,
+					 chunk_t data, chunk_t *signature)
+{
+	gcry_sexp_t in, out;
+	gcry_error_t err;
+	chunk_t em;
+	size_t k;
+	
+	/* EM = 0x00 || 0x01 || PS || 0x00 || T
+	 * PS = 0xFF padding, with length to fill em
+	 * T  = data
+	 */
+	k = gcry_pk_get_nbits(this->key) / 8;
+	if (data.len > k - 3)
+	{
+		return FALSE;
+	}
+	em = chunk_alloc(k);
+	memset(em.ptr, 0xFF, em.len);
+	em.ptr[0] = 0x00;
+	em.ptr[1] = 0x01;
+	em.ptr[em.len - data.len - 1] = 0x00;
+	memcpy(em.ptr + em.len - data.len, data.ptr, data.len);
+	
+	err = gcry_sexp_build(&in, NULL, "(data(flags raw)(value %b))",
+						  em.len, em.ptr);
+	chunk_free(&em);
+	if (err)
+	{
+		DBG1("building signature S-expression failed: %s", gpg_strerror(err));
+		return FALSE;
+	}
+	err = gcry_pk_sign(&out, in, this->key);
+	gcry_sexp_release(in);
+	if (err)
+	{
+		DBG1("creating pkcs1 signature failed: %s", gpg_strerror(err));
+		return FALSE;
+	}
+	*signature = gcrypt_rsa_find_token(out, "s");
+	gcry_sexp_release(out);
+	return !!signature->len;
+}
+
+/**
+ * Sign a chunk of data using hashing and PKCS#1 encoding
+ */
+static bool sign_pkcs1(private_gcrypt_rsa_private_key_t *this,
+					   hash_algorithm_t hash_algorithm, char *hash_name,
+					   chunk_t data, chunk_t *signature)
+{
+	hasher_t *hasher;
+	chunk_t hash;
+	gcry_error_t err;
+	gcry_sexp_t in, out;
+	int hash_oid;
+	
+	hash_oid = hasher_algorithm_to_oid(hash_algorithm);
+	if (hash_oid == OID_UNKNOWN)
+	{
+		return FALSE;
+	}
+	hasher = lib->crypto->create_hasher(lib->crypto, hash_algorithm);
+	if (!hasher)
+	{
+		return FALSE;
+	}
+	hasher->allocate_hash(hasher, data, &hash);
+	hasher->destroy(hasher);
+	
+	err = gcry_sexp_build(&in, NULL, "(data(flags pkcs1)(hash %s %b))",
+						  hash_name, hash.len, hash.ptr);
+	chunk_free(&hash);
+	if (err)
+	{
+		DBG1("building signature S-expression failed: %s", gpg_strerror(err));
+		return FALSE;
+	}
+	err = gcry_pk_sign(&out, in, this->key);
+	gcry_sexp_release(in);
+	if (err)
+	{
+		DBG1("creating pkcs1 signature failed: %s", gpg_strerror(err));
+		return FALSE;
+	}
+	*signature = gcrypt_rsa_find_token(out, "s");
+	gcry_sexp_release(out);
+	return !!signature->len;
+}
+
+/**
+ * Implementation of gcrypt_rsa_private_key.destroy.
+ */
+static key_type_t get_type(private_gcrypt_rsa_private_key_t *this)
+{
+	return KEY_RSA;
+}
+
+/**
+ * Implementation of gcrypt_rsa_private_key.destroy.
+ */
+static bool sign(private_gcrypt_rsa_private_key_t *this, signature_scheme_t scheme, 
+				 chunk_t data, chunk_t *sig)
+{
+	switch (scheme)
+	{
+		case SIGN_RSA_EMSA_PKCS1_NULL:
+			return sign_raw(this, data, sig);
+		case SIGN_RSA_EMSA_PKCS1_SHA1:
+			return sign_pkcs1(this, HASH_SHA1, "sha1", data, sig);
+		case SIGN_RSA_EMSA_PKCS1_SHA256:
+			return sign_pkcs1(this, HASH_SHA256, "sha256", data, sig);
+		case SIGN_RSA_EMSA_PKCS1_SHA384:
+			return sign_pkcs1(this, HASH_SHA384, "sha384", data, sig);
+		case SIGN_RSA_EMSA_PKCS1_SHA512:
+			return sign_pkcs1(this, HASH_SHA512, "sha512", data, sig);
+		case SIGN_RSA_EMSA_PKCS1_MD5:
+			return sign_pkcs1(this, HASH_MD5, "md5", data, sig);
+		default:
+			DBG1("signature scheme %N not supported in RSA",
+				 signature_scheme_names, scheme);
+			return FALSE;
+	}
+}
+
+/**
+ * Implementation of gcrypt_rsa_private_key.destroy.
+ */
+static bool decrypt(private_gcrypt_rsa_private_key_t *this,
+					chunk_t encrypted, chunk_t *plain)
+{
+	gcry_error_t err;
+	gcry_sexp_t in, out;
+	chunk_t padded;
+	u_char *pos = NULL;;
+	
+	err = gcry_sexp_build(&in, NULL, "(enc-val(flags)(rsa(a %b)))",
+						  encrypted.len, encrypted.ptr);
+	if (err)
+	{
+		DBG1("building decryption S-expression failed: %s", gpg_strerror(err));
+		return FALSE;
+	}
+	err = gcry_pk_decrypt(&out, in, this->key);
+	gcry_sexp_release(in);
+	if (err)
+	{
+		DBG1("decrypting pkcs1 data failed: %s", gpg_strerror(err));
+		return FALSE;
+	}
+	padded.ptr = (u_char*)gcry_sexp_nth_data(out, 1, &padded.len);
+	/* result is padded, but gcrypt strips leading zero:
+	 *  00 | 02 | RANDOM | 00 | DATA */
+	if (padded.ptr && padded.len > 2 && padded.ptr[0] == 0x02)
+	{
+		pos = memchr(padded.ptr, 0x00, padded.len - 1);
+		if (pos)
+		{
+			pos++;
+			*plain = chunk_clone(chunk_create(
+										pos, padded.len - (pos - padded.ptr)));
+		}
+	}
+	gcry_sexp_release(out);
+	if (!pos)
+	{
+		DBG1("decrypted data has invalid pkcs1 padding");
+		return FALSE;
+	}
+	return TRUE;
+}
+
+/**
+ * Implementation of gcrypt_rsa_private_key.get_keysize.
+ */
+static size_t get_keysize(private_gcrypt_rsa_private_key_t *this)
+{
+	return gcry_pk_get_nbits(this->key) / 8;
+}
+
+/**
+ * Implementation of gcrypt_rsa_private_key.destroy.
+ */
+static identification_t* get_id(private_gcrypt_rsa_private_key_t *this,
+								id_type_t type)
+{
+	switch (type)
+	{
+		case ID_PUBKEY_INFO_SHA1:
+			return this->keyid_info;
+		case ID_PUBKEY_SHA1:
+			return this->keyid;
+		default:
+			return NULL;
+	}
+}
+
+/**
+ * Implementation of gcrypt_rsa_private_key.get_public_key.
+ */
+static public_key_t* get_public_key(private_gcrypt_rsa_private_key_t *this)
+{
+	return gcrypt_rsa_public_key_create_from_sexp(this->key);
+}
+
+/**
+ * Implementation of gcrypt_rsa_private_key.equals.
+ */
+static bool equals(private_gcrypt_rsa_private_key_t *this, private_key_t *other)
+{
+	identification_t *keyid;
+
+	if (&this->public.interface == other)
+	{
+		return TRUE;
+	}
+	if (other->get_type(other) != KEY_RSA)
+	{
+		return FALSE;
+	}
+	keyid = other->get_id(other, ID_PUBKEY_SHA1);
+	if (keyid && keyid->equals(keyid, this->keyid))
+	{
+		return TRUE;
+	}
+	keyid = other->get_id(other, ID_PUBKEY_INFO_SHA1);
+	if (keyid && keyid->equals(keyid, this->keyid_info))
+	{
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/**
+ * Implementation of gcrypt_rsa_private_key.belongs_to.
+ */
+static bool belongs_to(private_gcrypt_rsa_private_key_t *this,
+					   public_key_t *public)
+{
+	identification_t *keyid;
+	
+	if (public->get_type(public) != KEY_RSA)
+	{
+		return FALSE;
+	}
+	keyid = public->get_id(public, ID_PUBKEY_SHA1);
+	if (keyid && keyid->equals(keyid, this->keyid))
+	{
+		return TRUE;
+	}
+	keyid = public->get_id(public, ID_PUBKEY_INFO_SHA1);
+	if (keyid && keyid->equals(keyid, this->keyid_info))
+	{
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/**
+ * Implementation of private_key_t.get_encoding.
+ */
+static chunk_t get_encoding(private_gcrypt_rsa_private_key_t *this)
+{
+	chunk_t cp, cq, cd, cexp1 = chunk_empty, cexp2 = chunk_empty;
+	gcry_mpi_t p = NULL, q = NULL, d = NULL, exp1, exp2;
+	gcry_error_t err;
+	
+	/* p and q are swapped, gcrypt expects p < q */
+	cp = gcrypt_rsa_find_token(this->key, "q");
+	cq = gcrypt_rsa_find_token(this->key, "p");
+	cd = gcrypt_rsa_find_token(this->key, "d");
+	
+	err = gcry_mpi_scan(&p, GCRYMPI_FMT_USG, cp.ptr, cp.len, NULL)
+		| gcry_mpi_scan(&q, GCRYMPI_FMT_USG, cq.ptr, cq.len, NULL)
+		| gcry_mpi_scan(&d, GCRYMPI_FMT_USG, cd.ptr, cd.len, NULL);
+	if (err)
+	{
+		gcry_mpi_release(p);
+		gcry_mpi_release(q);
+		gcry_mpi_release(d);
+		chunk_clear(&cp);
+		chunk_clear(&cq);
+		chunk_clear(&cd);
+		DBG1("scanning mpi for export failed: %s", gpg_strerror(err));
+		return chunk_empty;
+	}
+	
+	gcry_mpi_sub_ui(p, p, 1);
+	exp1 = gcry_mpi_new(gcry_pk_get_nbits(this->key));
+	gcry_mpi_mod(exp1, d, p);
+	gcry_mpi_release(p);
+	
+	gcry_mpi_sub_ui(q, q, 1);
+	exp2 = gcry_mpi_new(gcry_pk_get_nbits(this->key));
+	gcry_mpi_mod(exp1, d, q);
+	gcry_mpi_release(q);
+	
+	err = gcry_mpi_aprint(GCRYMPI_FMT_USG, &cexp1.ptr, &cexp1.len, exp1)
+		| gcry_mpi_aprint(GCRYMPI_FMT_USG, &cexp2.ptr, &cexp2.len, exp2);
+	
+	gcry_mpi_release(d);
+	gcry_mpi_release(exp1);
+	gcry_mpi_release(exp2);
+	
+	if (err)
+	{
+		DBG1("printing mpi for export failed: %s", gpg_strerror(err));
+		chunk_clear(&cp);
+		chunk_clear(&cq);
+		chunk_clear(&cd);
+		chunk_clear(&cexp1);
+		chunk_clear(&cexp2);
+		return chunk_empty;
+	}
+	
+	return asn1_wrap(ASN1_SEQUENCE, "cmmmmmmmm", ASN1_INTEGER_0,
+			asn1_integer("m", gcrypt_rsa_find_token(this->key, "n")),
+			asn1_integer("m", gcrypt_rsa_find_token(this->key, "e")),
+			asn1_integer("m", cd),
+			asn1_integer("m", cp),
+			asn1_integer("m", cq),
+			asn1_integer("m", cexp1),
+			asn1_integer("m", cexp2),
+			asn1_integer("m", gcrypt_rsa_find_token(this->key, "u")));
+}
+
+/**
+ * Implementation of gcrypt_rsa_private_key.get_ref.
+ */
+static private_key_t* get_ref(private_gcrypt_rsa_private_key_t *this)
+{
+	ref_get(&this->ref);
+	return &this->public.interface;
+}
+
+/**
+ * Implementation of gcrypt_rsa_private_key.destroy.
+ */
+static void destroy(private_gcrypt_rsa_private_key_t *this)
+{
+	if (ref_put(&this->ref))
+	{
+		DESTROY_IF(this->keyid);
+		DESTROY_IF(this->keyid_info);
+		gcry_sexp_release(this->key);
+		free(this);
+	}
+}
+
+/**
+ * Internal generic constructor
+ */
+static private_gcrypt_rsa_private_key_t *gcrypt_rsa_private_key_create_empty()
+{
+	private_gcrypt_rsa_private_key_t *this = malloc_thing(private_gcrypt_rsa_private_key_t);
+	
+	this->public.interface.get_type = (key_type_t (*)(private_key_t *this))get_type;
+	this->public.interface.sign = (bool (*)(private_key_t *this, signature_scheme_t scheme, chunk_t data, chunk_t *signature))sign;
+	this->public.interface.decrypt = (bool (*)(private_key_t *this, chunk_t crypto, chunk_t *plain))decrypt;
+	this->public.interface.get_keysize = (size_t (*) (private_key_t *this))get_keysize;
+	this->public.interface.get_id = (identification_t* (*) (private_key_t *this,id_type_t))get_id;
+	this->public.interface.get_public_key = (public_key_t* (*)(private_key_t *this))get_public_key;
+	this->public.interface.equals = (bool (*) (private_key_t*, private_key_t*))equals;
+	this->public.interface.belongs_to = (bool (*) (private_key_t *this, public_key_t *public))belongs_to;
+	this->public.interface.get_encoding = (chunk_t(*)(private_key_t*))get_encoding;
+	this->public.interface.get_ref = (private_key_t* (*)(private_key_t *this))get_ref;
+	this->public.interface.destroy = (void (*)(private_key_t *this))destroy;
+	
+	this->key = NULL;
+	this->keyid = NULL;
+	this->keyid_info = NULL;
+	this->ref = 1;
+	
+	return this;
+}
+
+/**
+ * build the keyids of a private/public key
+ */
+bool gcrypt_rsa_build_keyids(gcry_sexp_t key, identification_t **keyid,
+							 identification_t **keyid_info)
+{
+	chunk_t publicKeyInfo, publicKey, hash;
+	hasher_t *hasher;
+	
+	hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
+	if (!hasher)
+	{
+		DBG1("SHA1 hash algorithm not supported, unable to use RSA");
+		return FALSE;
+	}
+	publicKey = asn1_wrap(ASN1_SEQUENCE, "mm",
+				 asn1_integer("m", gcrypt_rsa_find_token(key, "n")),
+				 asn1_integer("m", gcrypt_rsa_find_token(key, "e")));
+	hasher->allocate_hash(hasher, publicKey, &hash);
+	*keyid = identification_create_from_encoding(ID_PUBKEY_SHA1, hash);
+	chunk_free(&hash);
+	
+	publicKeyInfo = asn1_wrap(ASN1_SEQUENCE, "cm",
+						asn1_algorithmIdentifier(OID_RSA_ENCRYPTION),
+						asn1_bitstring("m", publicKey));
+	hasher->allocate_hash(hasher, publicKeyInfo, &hash);
+	*keyid_info = identification_create_from_encoding(ID_PUBKEY_INFO_SHA1, hash);
+	chunk_free(&hash);
+	
+	hasher->destroy(hasher);
+	chunk_free(&publicKeyInfo);
+	
+	return TRUE;
+}
+
+/**
+ * Generate an RSA key of specified key size
+ */
+static gcrypt_rsa_private_key_t *generate(size_t key_size)
+{
+	private_gcrypt_rsa_private_key_t *this;
+	gcry_sexp_t param, key;
+	gcry_error_t err;
+	
+	err = gcry_sexp_build(&param, NULL, "(genkey(rsa(nbits %d)))", key_size);
+	if (err)
+	{
+		DBG1("building S-expression failed: %s", gpg_strerror(err));
+		return NULL;
+	}
+	
+	err = gcry_pk_genkey(&key, param);
+	gcry_sexp_release(param);
+	if (err)
+	{
+		DBG1("generating RSA key failed: %s", gpg_strerror(err));
+		return NULL;
+	}
+	this = gcrypt_rsa_private_key_create_empty();
+	this->key = key;
+	
+	if (!gcrypt_rsa_build_keyids(this->key, &this->keyid, &this->keyid_info))
+	{
+		destroy(this);
+		return NULL;
+	}
+	
+	return &this->public;
+}
+
+/**
+ * ASN.1 definition of a PKCS#1 RSA private key
+ */
+static const asn1Object_t privkeyObjects[] = {
+	{ 0, "RSAPrivateKey",		ASN1_SEQUENCE,     ASN1_NONE }, /*  0 */
+	{ 1,   "version",			ASN1_INTEGER,      ASN1_BODY }, /*  1 */
+	{ 1,   "modulus",			ASN1_INTEGER,      ASN1_BODY }, /*  2 */
+	{ 1,   "publicExponent",	ASN1_INTEGER,      ASN1_BODY }, /*  3 */
+	{ 1,   "privateExponent",	ASN1_INTEGER,      ASN1_BODY }, /*  4 */
+	{ 1,   "prime1",			ASN1_INTEGER,      ASN1_BODY }, /*  5 */
+	{ 1,   "prime2",			ASN1_INTEGER,      ASN1_BODY }, /*  6 */
+	{ 1,   "exponent1",			ASN1_INTEGER,      ASN1_BODY }, /*  7 */
+	{ 1,   "exponent2",			ASN1_INTEGER,      ASN1_BODY }, /*  8 */
+	{ 1,   "coefficient",		ASN1_INTEGER,      ASN1_BODY }, /*  9 */
+	{ 1,   "otherPrimeInfos",	ASN1_SEQUENCE,     ASN1_OPT |
+												   ASN1_LOOP }, /* 10 */
+	{ 2,     "otherPrimeInfo",	ASN1_SEQUENCE,     ASN1_NONE }, /* 11 */
+	{ 3,       "prime",			ASN1_INTEGER,      ASN1_BODY }, /* 12 */
+	{ 3,       "exponent",		ASN1_INTEGER,      ASN1_BODY }, /* 13 */
+	{ 3,       "coefficient",	ASN1_INTEGER,      ASN1_BODY }, /* 14 */
+	{ 1,   "end opt or loop",	ASN1_EOC,          ASN1_END  }, /* 15 */
+	{ 0, "exit",				ASN1_EOC,          ASN1_EXIT }
+};
+#define PRIV_KEY_VERSION		 1
+#define PRIV_KEY_MODULUS		 2
+#define PRIV_KEY_PUB_EXP		 3
+#define PRIV_KEY_PRIV_EXP		 4
+#define PRIV_KEY_PRIME1			 5
+#define PRIV_KEY_PRIME2			 6
+#define PRIV_KEY_EXP1			 7
+#define PRIV_KEY_EXP2			 8
+#define PRIV_KEY_COEFF			 9
+
+/**
+ * load private key from a ASN1 encoded blob
+ */
+static gcrypt_rsa_private_key_t *load(chunk_t blob)
+{
+	private_gcrypt_rsa_private_key_t *this;
+	asn1_parser_t *parser;
+	chunk_t object;
+	int objectID ;
+	bool success = FALSE;
+	chunk_t n, e, d, u, p, q;
+	gcry_error_t err;
+	
+	n = e = d = u = p = q = chunk_empty;
+	
+	parser = asn1_parser_create(privkeyObjects, blob);
+	parser->set_flags(parser, FALSE, TRUE);
+	
+	while (parser->iterate(parser, &objectID, &object))
+	{
+		switch (objectID)
+		{
+			case PRIV_KEY_VERSION:
+				if (object.len > 0 && *object.ptr != 0)
+				{
+					goto end;
+				}
+				break;
+			case PRIV_KEY_MODULUS:
+				n = object;
+				break;
+			case PRIV_KEY_PUB_EXP:
+				e = object;
+				break;
+			case PRIV_KEY_PRIV_EXP:
+				d = object;
+				break;
+			case PRIV_KEY_PRIME1:
+				/* p and q are swapped, as gcrypt expects p < q */
+				q = object;
+				break;
+			case PRIV_KEY_PRIME2:
+				p = object;
+				break;
+			case PRIV_KEY_EXP1:
+			case PRIV_KEY_EXP2:
+				break;
+			case PRIV_KEY_COEFF:
+				u = object;
+				break;
+		}
+	}
+	success = parser->success(parser);
+	
+end:
+	parser->destroy(parser);
+	
+	if (!success)
+	{
+		return NULL;
+	}
+	
+	this = gcrypt_rsa_private_key_create_empty();
+	err = gcry_sexp_build(&this->key, NULL,
+					"(private-key(rsa(n %b)(e %b)(d %b)(p %b)(q %b)(u %b)))",
+					n.len, n.ptr, e.len, e.ptr, d.len, d.ptr,
+					p.len, p.ptr, q.len, q.ptr, u.len, u.ptr);
+	if (err)
+	{
+		DBG1("loading private key failed: %s", gpg_strerror(err));
+		free(this);
+		return NULL;
+	}
+	err = gcry_pk_testkey(this->key);
+	if (err)
+	{
+		DBG1("private key sanity check failed: %s", gpg_strerror(err));
+		destroy(this);
+		return NULL;
+	}
+	if (!gcrypt_rsa_build_keyids(this->key, &this->keyid, &this->keyid_info))
+	{
+		destroy(this);
+		return NULL;
+	}
+	return &this->public;
+}
+
+typedef struct private_builder_t private_builder_t;
+
+/**
+ * Builder implementation for key loading/generation
+ */
+struct private_builder_t {
+	/** implements the builder interface */
+	builder_t public;
+	/** loaded/generated private key */
+	gcrypt_rsa_private_key_t *key;
+};
+
+/**
+ * Implementation of builder_t.build
+ */
+static gcrypt_rsa_private_key_t *build(private_builder_t *this)
+{
+	gcrypt_rsa_private_key_t *key = this->key;
+	
+	free(this);
+	return key;
+}
+
+/**
+ * Implementation of builder_t.add
+ */
+static void add(private_builder_t *this, builder_part_t part, ...)
+{
+	if (!this->key)
+	{
+		va_list args;
+		
+		switch (part)
+		{
+			case BUILD_BLOB_ASN1_DER:
+			{
+				va_start(args, part);
+				this->key = load(va_arg(args, chunk_t));
+				va_end(args);
+				return;
+			}
+			case BUILD_KEY_SIZE:
+			{
+				va_start(args, part);
+				this->key = generate(va_arg(args, u_int));
+				va_end(args);
+				return;
+			}
+			default:
+				break;
+		}
+	}
+	if (this->key)
+	{
+		destroy((private_gcrypt_rsa_private_key_t*)this->key);
+	}
+	builder_cancel(&this->public);
+}
+
+/**
+ * Builder construction function
+ */
+builder_t *gcrypt_rsa_private_key_builder(key_type_t type)
+{
+	private_builder_t *this;
+	
+	if (type != KEY_RSA)
+	{
+		return NULL;
+	}
+	
+	this = malloc_thing(private_builder_t);
+	
+	this->key = NULL;
+	this->public.add = (void(*)(builder_t *this, builder_part_t part, ...))add;
+	this->public.build = (void*(*)(builder_t *this))build;
+	
+	return &this->public;
+}
+
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.h b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.h
new file mode 100644
index 000000000..2edd7ce5d
--- /dev/null
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup gcrypt_rsa_private_key gcrypt_rsa_private_key
+ * @{ @ingroup gcrypt_p
+ */
+
+#ifndef GCRYPT_RSA_PRIVATE_KEY_H_
+#define GCRYPT_RSA_PRIVATE_KEY_H_
+
+#include <credentials/keys/private_key.h>
+
+typedef struct gcrypt_rsa_private_key_t gcrypt_rsa_private_key_t;
+
+/**
+ * Private_key_t implementation of RSA algorithm using libgcrypt.
+ */
+struct gcrypt_rsa_private_key_t {
+	
+	/**
+	 * Implements private_key_t interface
+	 */
+	private_key_t interface;
+};
+
+/**
+ * Create the builder for a private key.
+ *
+ * @param type		type of the key, must be KEY_RSA
+ * @return 			builder instance
+ */
+builder_t *gcrypt_rsa_private_key_builder(key_type_t type);
+
+#endif /** GCRYPT_RSA_PRIVATE_KEY_H_ @}*/
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c
new file mode 100644
index 000000000..8024f58a7
--- /dev/null
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c
@@ -0,0 +1,512 @@
+/*
+ * Copyright (C) 2005-2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+ 
+#include <gcrypt.h>
+
+#include "gcrypt_rsa_public_key.h"
+
+#include <debug.h>
+#include <asn1/oid.h>
+#include <asn1/asn1.h>
+#include <asn1/asn1_parser.h>
+#include <asn1/pem.h>
+#include <crypto/hashers/hasher.h>
+
+typedef struct private_gcrypt_rsa_public_key_t private_gcrypt_rsa_public_key_t;
+
+/**
+ * Private data structure with signing context.
+ */
+struct private_gcrypt_rsa_public_key_t {
+	
+	/**
+	 * Public interface for this signer.
+	 */
+	gcrypt_rsa_public_key_t public;
+	
+	/**
+	 * gcrypt S-expression representing an public RSA key
+	 */
+	gcry_sexp_t key;
+	
+	/**
+	 * Keyid formed as a SHA-1 hash of a publicKey object
+	 */
+	identification_t* keyid;
+	
+	/**
+	 * Keyid formed as a SHA-1 hash of a publicKeyInfo object
+	 */
+	identification_t* keyid_info;
+	
+	/**
+	 * reference counter
+	 */
+	refcount_t ref;
+};
+
+/**
+ * Implemented in gcrypt_rsa_private_key.c
+ */
+chunk_t gcrypt_rsa_find_token(gcry_sexp_t sexp, char *name);
+bool gcrypt_rsa_build_keyids(gcry_sexp_t key, identification_t **keyid,
+							 identification_t **keyid_info);
+
+/**
+ * verification of a padded PKCS1 signature without an OID
+ */
+static bool verify_raw(private_gcrypt_rsa_public_key_t *this,
+						 chunk_t data, chunk_t signature)
+{
+	gcry_sexp_t in, sig;
+	gcry_error_t err;
+	chunk_t em;
+	size_t k;
+	
+	/* EM = 0x00 || 0x01 || PS || 0x00 || T
+	 * PS = 0xFF padding, with length to fill em
+	 * T  = data
+	 */
+	k = gcry_pk_get_nbits(this->key) / 8;
+	if (data.len > k - 3)
+	{
+		return FALSE;
+	}
+	em = chunk_alloc(k);
+	memset(em.ptr, 0xFF, em.len);
+	em.ptr[0] = 0x00;
+	em.ptr[1] = 0x01;
+	em.ptr[em.len - data.len - 1] = 0x00;
+	memcpy(em.ptr + em.len - data.len, data.ptr, data.len);
+	
+	err = gcry_sexp_build(&in, NULL, "(data(flags raw)(value %b))",
+						  em.len, em.ptr);
+	chunk_free(&em);
+	if (err)
+	{
+		DBG1("building data S-expression failed: %s", gpg_strerror(err));
+		return FALSE;
+	}
+	err = gcry_sexp_build(&sig, NULL, "(sig-val(rsa(s %b)))",
+						  signature.len, signature.ptr);
+	if (err)
+	{
+		DBG1("building signature S-expression failed: %s", gpg_strerror(err));
+		gcry_sexp_release(in);
+		return FALSE;
+	}
+	err = gcry_pk_verify(sig, in, this->key);
+	gcry_sexp_release(in);
+	gcry_sexp_release(sig);
+	if (err)
+	{
+		DBG1("RSA signature verification failed: %s", gpg_strerror(err));
+		return FALSE;
+	}
+	return TRUE;
+}
+
+/**
+ * Verification of an EMSA PKCS1 signature described in PKCS#1
+ */
+static bool verify_pkcs1(private_gcrypt_rsa_public_key_t *this,
+						 hash_algorithm_t algorithm, char *hash_name,
+						 chunk_t data, chunk_t signature)
+{
+	hasher_t *hasher;
+	chunk_t hash;
+	gcry_error_t err;
+	gcry_sexp_t in, sig;
+	
+	hasher = lib->crypto->create_hasher(lib->crypto, algorithm);
+	if (!hasher)
+	{
+		return FALSE;
+	}
+	hasher->allocate_hash(hasher, data, &hash);
+	hasher->destroy(hasher);
+	
+	err = gcry_sexp_build(&in, NULL, "(data(flags pkcs1)(hash %s %b))",
+						  hash_name, hash.len, hash.ptr);
+	chunk_free(&hash);
+	if (err)
+	{
+		DBG1("building data S-expression failed: %s", gpg_strerror(err));
+		return FALSE;
+	}
+	
+	err = gcry_sexp_build(&sig, NULL, "(sig-val(rsa(s %b)))",
+						  signature.len, signature.ptr);
+	if (err)
+	{
+		DBG1("building signature S-expression failed: %s", gpg_strerror(err));
+		gcry_sexp_release(in);
+		return FALSE;
+	}
+	err = gcry_pk_verify(sig, in, this->key);
+	gcry_sexp_release(in);
+	gcry_sexp_release(sig);
+	if (err)
+	{
+		DBG1("RSA signature verification failed: %s", gpg_strerror(err));
+		return FALSE;
+	}
+	return TRUE;
+}
+
+/**
+ * Implementation of public_key_t.get_type.
+ */
+static key_type_t get_type(private_gcrypt_rsa_public_key_t *this)
+{
+	return KEY_RSA;
+}
+
+/**
+ * Implementation of public_key_t.verify.
+ */
+static bool verify(private_gcrypt_rsa_public_key_t *this,
+				   signature_scheme_t scheme, chunk_t data, chunk_t signature)
+{
+	switch (scheme)
+	{
+		case SIGN_RSA_EMSA_PKCS1_NULL:
+			return verify_raw(this, data, signature);
+		case SIGN_RSA_EMSA_PKCS1_MD5:
+			return verify_pkcs1(this, HASH_MD5, "md5", data, signature);
+		case SIGN_RSA_EMSA_PKCS1_SHA1:
+			return verify_pkcs1(this, HASH_SHA1, "sha1", data, signature);
+		case SIGN_RSA_EMSA_PKCS1_SHA256:
+			return verify_pkcs1(this, HASH_SHA256, "sha256", data, signature);
+		case SIGN_RSA_EMSA_PKCS1_SHA384:
+			return verify_pkcs1(this, HASH_SHA384, "sha384", data, signature);
+		case SIGN_RSA_EMSA_PKCS1_SHA512:
+			return verify_pkcs1(this, HASH_SHA512, "sha512", data, signature);
+		default:
+			DBG1("signature scheme %N not supported in RSA",
+				 signature_scheme_names, scheme);
+			return FALSE;
+	}
+}
+
+/**
+ * Implementation of public_key_t.encrypt.
+ */
+static bool encrypt_(private_gcrypt_rsa_public_key_t *this, chunk_t plain,
+					 chunk_t *encrypted)
+{
+	gcry_sexp_t in, out;
+	gcry_error_t err;
+	
+	/* "pkcs1" uses PKCS 1.5 (section 8.1) block type 2 encryption:
+	 * 00 | 02 | RANDOM | 00 | DATA */
+	err = gcry_sexp_build(&in, NULL, "(data(flags pkcs1)(value %b))",
+						  plain.len, plain.ptr);
+	if (err)
+	{
+		DBG1("building encryption S-expression failed: %s", gpg_strerror(err));
+		return FALSE;
+	}
+	err = gcry_pk_encrypt(&out, in, this->key);
+	gcry_sexp_release(in);
+	if (err)
+	{
+		DBG1("encrypting data using pkcs1 failed: %s", gpg_strerror(err));
+		return FALSE;
+	}
+	*encrypted = gcrypt_rsa_find_token(out, "a");
+	gcry_sexp_release(out);
+	return !!encrypted->len;
+}
+
+/**
+ * Implementation of gcrypt_rsa_public_key.equals.
+ */
+static bool equals(private_gcrypt_rsa_public_key_t *this, public_key_t *other)
+{
+	identification_t *keyid;
+
+	if (&this->public.interface == other)
+	{
+		return TRUE;
+	}
+	if (other->get_type(other) != KEY_RSA)
+	{
+		return FALSE;
+	}
+	keyid = other->get_id(other, ID_PUBKEY_SHA1);
+	if (keyid && keyid->equals(keyid, this->keyid))
+	{
+		return TRUE;
+	}
+	keyid = other->get_id(other, ID_PUBKEY_INFO_SHA1);
+	if (keyid && keyid->equals(keyid, this->keyid_info))
+	{
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/**
+ * Implementation of public_key_t.get_keysize.
+ */
+static size_t get_keysize(private_gcrypt_rsa_public_key_t *this)
+{
+	return gcry_pk_get_nbits(this->key) / 8;
+}
+
+/**
+ * Implementation of public_key_t.get_id.
+ */
+static identification_t *get_id(private_gcrypt_rsa_public_key_t *this,
+								id_type_t type)
+{
+	switch (type)
+	{
+		case ID_PUBKEY_INFO_SHA1:
+			return this->keyid_info;
+		case ID_PUBKEY_SHA1:
+			return this->keyid;
+		default:
+			return NULL;
+	}
+}
+
+/*
+ * Implementation of public_key_t.get_encoding.
+ */
+static chunk_t get_encoding(private_gcrypt_rsa_public_key_t *this)
+{
+	return asn1_wrap(ASN1_SEQUENCE, "mm",
+			asn1_integer("m", gcrypt_rsa_find_token(this->key, "n")),
+			asn1_integer("m", gcrypt_rsa_find_token(this->key, "e")));
+}
+
+/**
+ * Implementation of public_key_t.get_ref.
+ */
+static public_key_t* get_ref(private_gcrypt_rsa_public_key_t *this)
+{
+	ref_get(&this->ref);
+	return &this->public.interface;
+}
+
+/**
+ * Implementation of gcrypt_rsa_public_key.destroy.
+ */
+static void destroy(private_gcrypt_rsa_public_key_t *this)
+{
+	if (ref_put(&this->ref))
+	{
+		DESTROY_IF(this->keyid);
+		DESTROY_IF(this->keyid_info);
+		gcry_sexp_release(this->key);
+		free(this);
+	}
+}
+
+/**
+ * Generic private constructor
+ */
+static private_gcrypt_rsa_public_key_t *gcrypt_rsa_public_key_create_empty()
+{
+	private_gcrypt_rsa_public_key_t *this = malloc_thing(private_gcrypt_rsa_public_key_t);
+	
+	this->public.interface.get_type = (key_type_t (*)(public_key_t *this))get_type;
+	this->public.interface.verify = (bool (*)(public_key_t *this, signature_scheme_t scheme, chunk_t data, chunk_t signature))verify;
+	this->public.interface.encrypt = (bool (*)(public_key_t *this, chunk_t crypto, chunk_t *plain))encrypt_;
+	this->public.interface.equals = (bool (*) (public_key_t*, public_key_t*))equals;
+	this->public.interface.get_keysize = (size_t (*) (public_key_t *this))get_keysize;
+	this->public.interface.get_id = (identification_t* (*) (public_key_t *this,id_type_t))get_id;
+	this->public.interface.get_encoding = (chunk_t(*)(public_key_t*))get_encoding;
+	this->public.interface.get_ref = (public_key_t* (*)(public_key_t *this))get_ref;
+	this->public.interface.destroy = (void (*)(public_key_t *this))destroy;
+	
+	this->key = NULL;
+	this->keyid = NULL;
+	this->keyid_info = NULL;
+	this->ref = 1;
+	
+	return this;
+}
+
+/**
+ * Create a public key from a S-expression, used in gcrypt_rsa_private_key
+ */
+public_key_t *gcrypt_rsa_public_key_create_from_sexp(gcry_sexp_t key)
+{
+	private_gcrypt_rsa_public_key_t *this;
+	gcry_error_t err;
+	chunk_t n, e;
+	
+	this = gcrypt_rsa_public_key_create_empty();
+	n = gcrypt_rsa_find_token(key, "n");
+	e = gcrypt_rsa_find_token(key, "e");
+	
+	err = gcry_sexp_build(&this->key, NULL, "(public-key(rsa(n %b)(e %b)))",
+						  n.len, n.ptr, e.len, e.ptr);
+	chunk_free(&n);
+	chunk_free(&e);
+	if (err)
+	{
+		DBG1("loading public key failed: %s", gpg_strerror(err));
+		free(this);
+		return NULL;
+	}
+	if (!gcrypt_rsa_build_keyids(this->key, &this->keyid, &this->keyid_info))
+	{
+		destroy(this);
+		return NULL;
+	}
+	return &this->public.interface;
+}
+
+/**
+ * ASN.1 definition of RSApublicKey
+ */
+static const asn1Object_t pubkeyObjects[] = {
+	{ 0, "RSAPublicKey",		ASN1_SEQUENCE,	ASN1_OBJ  }, /*  0 */
+	{ 1,   "modulus",			ASN1_INTEGER,	ASN1_BODY }, /*  1 */
+	{ 1,   "publicExponent",	ASN1_INTEGER,	ASN1_BODY }, /*  2 */
+	{ 0, "exit",				ASN1_EOC,		ASN1_EXIT }
+};
+#define PUB_KEY_RSA_PUBLIC_KEY		0
+#define PUB_KEY_MODULUS				1
+#define PUB_KEY_EXPONENT			2
+
+/**
+ * Load a public key from an ASN1 encoded blob
+ */
+static gcrypt_rsa_public_key_t *load(chunk_t blob)
+{
+	private_gcrypt_rsa_public_key_t *this;
+	asn1_parser_t *parser;
+	chunk_t object, n, e;
+	int objectID;
+	bool success = FALSE;
+	gcry_error_t err;
+	
+	n = e = chunk_empty;
+	
+	parser = asn1_parser_create(pubkeyObjects, blob);
+	while (parser->iterate(parser, &objectID, &object))
+	{
+		switch (objectID)
+		{
+			case PUB_KEY_MODULUS:
+				n = object;
+				break;
+			case PUB_KEY_EXPONENT:
+				e = object;
+				break;
+		}
+	}
+	success = parser->success(parser);
+	parser->destroy(parser);
+	
+	if (!success)
+	{
+		return NULL;
+	}
+	
+	this = gcrypt_rsa_public_key_create_empty();
+	err = gcry_sexp_build(&this->key, NULL, "(public-key(rsa(n %b)(e %b)))",
+						  n.len, n.ptr, e.len, e.ptr);
+	if (err)
+	{
+		DBG1("loading public key failed: %s", gpg_strerror(err));
+		free(this);
+		return NULL;
+	}
+	if (!gcrypt_rsa_build_keyids(this->key, &this->keyid, &this->keyid_info))
+	{
+		destroy(this);
+		return NULL;
+	}
+	return &this->public;
+}
+
+typedef struct private_builder_t private_builder_t;
+/**
+ * Builder implementation for key loading
+ */
+struct private_builder_t {
+	/** implements the builder interface */
+	builder_t public;
+	/** loaded public key */
+	gcrypt_rsa_public_key_t *key;
+};
+
+/**
+ * Implementation of builder_t.build
+ */
+static gcrypt_rsa_public_key_t *build(private_builder_t *this)
+{
+	gcrypt_rsa_public_key_t *key = this->key;
+	
+	free(this);
+	return key;
+}
+
+/**
+ * Implementation of builder_t.add
+ */
+static void add(private_builder_t *this, builder_part_t part, ...)
+{
+	if (!this->key)
+	{
+		va_list args;
+		
+		switch (part)
+		{
+			case BUILD_BLOB_ASN1_DER:
+			{
+				va_start(args, part);
+				this->key = load(va_arg(args, chunk_t));
+				va_end(args);
+				return;
+			}
+			default:
+				break;
+		}
+	}
+	if (this->key)
+	{
+		destroy((private_gcrypt_rsa_public_key_t*)this->key);
+	}
+	builder_cancel(&this->public);
+}
+
+/**
+ * Builder construction function
+ */
+builder_t *gcrypt_rsa_public_key_builder(key_type_t type)
+{
+	private_builder_t *this;
+	
+	if (type != KEY_RSA)
+	{
+		return NULL;
+	}
+	
+	this = malloc_thing(private_builder_t);
+	
+	this->key = NULL;
+	this->public.add = (void(*)(builder_t *this, builder_part_t part, ...))add;
+	this->public.build = (void*(*)(builder_t *this))build;
+	
+	return &this->public;
+}
+
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.h b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.h
new file mode 100644
index 000000000..102547276
--- /dev/null
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup gcrypt_rsa_public_key gcrypt_rsa_public_key
+ * @{ @ingroup gcrypt_p
+ */
+
+#ifndef GCRYPT_RSA_PUBLIC_KEY_H_
+#define GCRYPT_RSA_PUBLIC_KEY_H_
+
+typedef struct gcrypt_rsa_public_key_t gcrypt_rsa_public_key_t;
+
+#include <credentials/keys/public_key.h>
+
+/**
+ * public_key_t implementation of RSA algorithm using libgcrypt.
+ */
+struct gcrypt_rsa_public_key_t {
+
+	/**
+	 * Implements the public_key_t interface
+	 */
+	public_key_t interface;
+};
+
+/**
+ * Create the builder for a public key.
+ *
+ * @param type		type of the key, must be KEY_RSA
+ * @return			builder instance
+ */
+builder_t *gcrypt_rsa_public_key_builder(key_type_t type);
+
+#endif /** GCRYPT_RSA_PUBLIC_KEY_H_ @}*/
diff --git a/src/libstrongswan/plugins/gmp/Makefile.in b/src/libstrongswan/plugins/gmp/Makefile.in
index c406f3af6..a60cd998c 100644
--- a/src/libstrongswan/plugins/gmp/Makefile.in
+++ b/src/libstrongswan/plugins/gmp/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -88,6 +88,7 @@ CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -110,6 +111,9 @@ LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -121,6 +125,7 @@ MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
 NM = @NM@
 NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
@@ -134,6 +139,8 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 RANLIB = @RANLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -194,6 +201,7 @@ oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
 plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -205,6 +213,7 @@ srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 xml_CFLAGS = @xml_CFLAGS@
@@ -227,8 +236,8 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
 	    *$$dep*) \
-	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
-		&& exit 0; \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
 	      exit 1;; \
 	  esac; \
 	done; \
@@ -325,7 +334,7 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
 	mkid -fID $$unique
 tags: TAGS
diff --git a/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c b/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c
index 294fb722f..a03e83e66 100644
--- a/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c
+++ b/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c
@@ -14,8 +14,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: gmp_diffie_hellman.c 4566 2008-11-04 13:12:11Z martin $
  */
 
 #include <gmp.h>
@@ -30,7 +28,7 @@
  */
 static u_int8_t group1_modulus[] = {
 	0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,0x21,0x68,0xC2,0x34,
-	0xC4,0xC6,0x62,0x8B,0x80	,0xDC,0x1C,0xD1,0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,
+	0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,
 	0x02,0x0B,0xBE,0xA6,0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,
 	0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,0xF2,0x5F,0x14,0x37,
 	0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,
@@ -562,7 +560,7 @@ gmp_diffie_hellman_t *gmp_diffie_hellman_create(diffie_hellman_group_t group)
 	}
 
 	ansi_x9_42 = lib->settings->get_int(lib->settings,
-					 "charon.dh_exponent_ansi_x9_42", TRUE);
+					 "libstrongswan.dh_exponent_ansi_x9_42", TRUE);
 	exponent_len = (ansi_x9_42) ? this->p_len : this->opt_exponent_len;	
 	rng->allocate_bytes(rng, exponent_len, &random);
 	rng->destroy(rng);
diff --git a/src/libstrongswan/plugins/gmp/gmp_plugin.c b/src/libstrongswan/plugins/gmp/gmp_plugin.c
index 7711b6d34..f6ea964c1 100644
--- a/src/libstrongswan/plugins/gmp/gmp_plugin.c
+++ b/src/libstrongswan/plugins/gmp/gmp_plugin.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: gmp_plugin.c 4309 2008-08-28 11:07:57Z martin $
  */
 
 #include "gmp_plugin.h"
diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c
index e445dd670..cbc112762 100644
--- a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c
+++ b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: gmp_rsa_private_key.c 4345 2008-09-17 08:10:48Z martin $
  */
 
 #include <gmp.h>
@@ -28,6 +26,7 @@
 #include <asn1/oid.h>
 #include <asn1/asn1.h>
 #include <asn1/asn1_parser.h>
+#include <pgp/pgp.h>
 
 /**
  *  Public exponent to use for key generation.
@@ -112,11 +111,12 @@ struct private_gmp_rsa_private_key_t {
 };
 
 /**
- * shared functions, implemented in gmp_rsa_public_key.c
+ * Shared functions defined in gmp_rsa_public_key.c
  */
-bool gmp_rsa_public_key_build_id(mpz_t n, mpz_t e, identification_t **keyid,
-								 identification_t **keyid_info);
-gmp_rsa_public_key_t *gmp_rsa_public_key_create_from_n_e(mpz_t n, mpz_t e);
+extern bool gmp_rsa_public_key_build_id(mpz_t n, mpz_t e, 
+										identification_t **keyid,
+										identification_t **keyid_info);
+extern gmp_rsa_public_key_t *gmp_rsa_public_key_create_from_n_e(mpz_t n, mpz_t e);
 
 /**
  * Auxiliary function overwriting private key material with zero bytes
@@ -141,10 +141,10 @@ static status_t compute_prime(private_gmp_rsa_private_key_t *this,
 	rng_t *rng;
 	chunk_t random_bytes;
 	
-	rng = lib->crypto->create_rng(lib->crypto, RNG_REAL);
+	rng = lib->crypto->create_rng(lib->crypto, RNG_TRUE);
 	if (!rng)
 	{
-		DBG1("no RNG of quality %N found", rng_quality_names, RNG_REAL);
+		DBG1("no RNG of quality %N found", rng_quality_names, RNG_TRUE);
 		return FAILED;
 	}
 	
@@ -217,33 +217,44 @@ static bool build_emsa_pkcs1_signature(private_gmp_rsa_private_key_t *this,
 									   hash_algorithm_t hash_algorithm,
 									   chunk_t data, chunk_t *signature)
 {
-	hasher_t *hasher;
-	chunk_t em, digestInfo, hash;
-	int hash_oid = hasher_algorithm_to_oid(hash_algorithm);
-	
-	if (hash_oid == OID_UNKNOWN)
+	chunk_t digestInfo = chunk_empty;
+	chunk_t em;
+
+	if (hash_algorithm != HASH_UNKNOWN)
 	{
-		return FALSE;
+		hasher_t *hasher;
+		chunk_t hash;
+		int hash_oid = hasher_algorithm_to_oid(hash_algorithm);
+	
+		if (hash_oid == OID_UNKNOWN)
+		{
+			return FALSE;
+		}
+
+		hasher = lib->crypto->create_hasher(lib->crypto, hash_algorithm);
+		if (hasher == NULL)
+		{
+			return FALSE;
+		}
+		hasher->allocate_hash(hasher, data, &hash);
+		hasher->destroy(hasher);
+	
+		/* build DER-encoded digestInfo */
+		digestInfo = asn1_wrap(ASN1_SEQUENCE, "cm",
+						asn1_algorithmIdentifier(hash_oid),
+						asn1_simple_object(ASN1_OCTET_STRING, hash)
+					  );
+		chunk_free(&hash);
+		data = digestInfo;
 	}
 
-	/* get hasher */
-	hasher = lib->crypto->create_hasher(lib->crypto, hash_algorithm);
-	if (hasher == NULL)
+	if (data.len > this->k - 3)
 	{
+		free(digestInfo.ptr);
+		DBG1("unable to sign %d bytes using a %dbit key", data.len, this->k * 8);
 		return FALSE;
 	}
 	
-	/* build hash */
-	hasher->allocate_hash(hasher, data, &hash);
-	hasher->destroy(hasher);
-	
-	/* build DER-encoded digestInfo */
-	digestInfo = asn1_wrap(ASN1_SEQUENCE, "cm",
-					asn1_algorithmIdentifier(hash_oid),
-					asn1_simple_object(ASN1_OCTET_STRING, hash)
-				  );
-	chunk_free(&hash);
-
 	/* build chunk to rsa-decrypt:
 	 * EM = 0x00 || 0x01 || PS || 0x00 || T. 
 	 * PS = 0xFF padding, with length to fill em
@@ -257,9 +268,9 @@ static bool build_emsa_pkcs1_signature(private_gmp_rsa_private_key_t *this,
 	/* set magic bytes */
 	*(em.ptr) = 0x00;
 	*(em.ptr+1) = 0x01;
-	*(em.ptr + em.len - digestInfo.len - 1) = 0x00;
+	*(em.ptr + em.len - data.len - 1) = 0x00;
 	/* set DER-encoded hash */
-	memcpy(em.ptr + em.len - digestInfo.len, digestInfo.ptr, digestInfo.len);
+	memcpy(em.ptr + em.len - data.len, data.ptr, data.len);
 
 	/* build signature */
 	*signature = rsasp1(this, em);
@@ -271,7 +282,7 @@ static bool build_emsa_pkcs1_signature(private_gmp_rsa_private_key_t *this,
 }
 
 /**
- * Implementation of gmp_rsa_private_key.destroy.
+ * Implementation of gmp_rsa_private_key.get_type.
  */
 static key_type_t get_type(private_gmp_rsa_private_key_t *this)
 {
@@ -279,15 +290,15 @@ static key_type_t get_type(private_gmp_rsa_private_key_t *this)
 }
 
 /**
- * Implementation of gmp_rsa_private_key.destroy.
+ * Implementation of gmp_rsa_private_key.sign.
  */
 static bool sign(private_gmp_rsa_private_key_t *this, signature_scheme_t scheme, 
 				 chunk_t data, chunk_t *signature)
 {
 	switch (scheme)
 	{
-		case SIGN_DEFAULT:
-			/* default is EMSA-PKCS1 using SHA1 */
+		case SIGN_RSA_EMSA_PKCS1_NULL:
+			return build_emsa_pkcs1_signature(this, HASH_UNKNOWN, data, signature);
 		case SIGN_RSA_EMSA_PKCS1_SHA1:
 			return build_emsa_pkcs1_signature(this, HASH_SHA1, data, signature);
 		case SIGN_RSA_EMSA_PKCS1_SHA256:
@@ -306,17 +317,46 @@ static bool sign(private_gmp_rsa_private_key_t *this, signature_scheme_t scheme,
 }
 
 /**
- * Implementation of gmp_rsa_private_key.destroy.
+ * Implementation of gmp_rsa_private_key.decrypt.
  */
-static bool decrypt(private_gmp_rsa_private_key_t *this,
-					chunk_t crypto, chunk_t *plain)
+static bool decrypt(private_gmp_rsa_private_key_t *this, chunk_t crypto,
+					chunk_t *plain)
 {
-	DBG1("RSA private key decryption not implemented");
-	return FALSE;
+	chunk_t em, stripped;
+	bool success = FALSE;
+	
+	/* rsa decryption using PKCS#1 RSADP */
+	stripped = em = rsadp(this, crypto);
+
+	/* PKCS#1 v1.5 8.1 encryption-block formatting (EB = 00 || 02 || PS || 00 || D) */
+
+	/* check for hex pattern 00 02 in decrypted message */
+	if ((*stripped.ptr++ != 0x00) || (*(stripped.ptr++) != 0x02))
+	{
+		DBG1("incorrect padding - probably wrong rsa key");
+		goto end;
+	}
+	stripped.len -= 2;
+
+	/* the plaintext data starts after first 0x00 byte */
+	while (stripped.len-- > 0 && *stripped.ptr++ != 0x00)
+
+	if (stripped.len == 0)
+	{
+		DBG1("no plaintext data");
+		goto end;
+	}
+
+	*plain = chunk_clone(stripped);
+	success = TRUE;
+
+end:
+	chunk_clear(&em);
+	return success;
 }
 
 /**
- * Implementation of gmp_rsa_private_key.destroy.
+ * Implementation of gmp_rsa_private_key.get_keysize.
  */
 static size_t get_keysize(private_gmp_rsa_private_key_t *this)
 {
@@ -324,7 +364,7 @@ static size_t get_keysize(private_gmp_rsa_private_key_t *this)
 }
 
 /**
- * Implementation of gmp_rsa_private_key.destroy.
+ * Implementation of gmp_rsa_private_key.get_id.
  */
 static identification_t* get_id(private_gmp_rsa_private_key_t *this,
 								id_type_t type)
@@ -349,7 +389,35 @@ static gmp_rsa_public_key_t* get_public_key(private_gmp_rsa_private_key_t *this)
 }
 
 /**
- * Implementation of gmp_rsa_private_key.destroy.
+ * Implementation of gmp_rsa_private_key.equals.
+ */
+static bool equals(private_gmp_rsa_private_key_t *this, private_key_t *other)
+{
+	identification_t *keyid;
+
+	if (&this->public.interface == other)
+	{
+		return TRUE;
+	}
+	if (other->get_type(other) != KEY_RSA)
+	{
+		return FALSE;
+	}
+	keyid = other->get_id(other, ID_PUBKEY_SHA1);
+	if (keyid && keyid->equals(keyid, this->keyid))
+	{
+		return TRUE;
+	}
+	keyid = other->get_id(other, ID_PUBKEY_INFO_SHA1);
+	if (keyid && keyid->equals(keyid, this->keyid_info))
+	{
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/**
+ * Implementation of gmp_rsa_private_key.belongs_to.
  */
 static bool belongs_to(private_gmp_rsa_private_key_t *this, public_key_t *public)
 {
@@ -373,19 +441,27 @@ static bool belongs_to(private_gmp_rsa_private_key_t *this, public_key_t *public
 }
 
 /**
- * convert a MP integer into a DER coded ASN.1 object
+ * Convert a MP integer into a chunk_t
  */
-chunk_t gmp_mpz_to_asn1(const mpz_t value)
+chunk_t gmp_mpz_to_chunk(const mpz_t value)
 {
 	chunk_t n;
 	
-	n.len = 1 + mpz_sizeinbase(value, 2) / 8;  /* size in bytes */
+	n.len = 1 + mpz_sizeinbase(value, 2) / BITS_PER_BYTE;
 	n.ptr = mpz_export(NULL, NULL, 1, n.len, 1, 0, value);
 	if (n.ptr == NULL)
 	{	/* if we have zero in "value", gmp returns NULL */
 		n.len = 0;
 	}
-	return asn1_wrap(ASN1_INTEGER, "m", n);
+	return n;
+}
+
+/**
+ * Convert a MP integer into a DER coded ASN.1 object
+ */
+chunk_t gmp_mpz_to_asn1(const mpz_t value)
+{
+	return asn1_wrap(ASN1_INTEGER, "m", gmp_mpz_to_chunk(value));
 }
 
 /**
@@ -406,7 +482,7 @@ static chunk_t get_encoding(private_gmp_rsa_private_key_t *this)
 }
 
 /**
- * Implementation of gmp_rsa_private_key.destroy.
+ * Implementation of gmp_rsa_private_key.get_ref.
  */
 static private_gmp_rsa_private_key_t* get_ref(private_gmp_rsa_private_key_t *this)
 {
@@ -447,14 +523,14 @@ static status_t check(private_gmp_rsa_private_key_t *this)
 	/* PKCS#1 1.5 section 6 requires modulus to have at least 12 octets.
 	 * We actually require more (for security).
 	 */
-	if (this->k < 512/8)
+	if (this->k < 512 / BITS_PER_BYTE)
 	{
 		DBG1("key shorter than 512 bits");
 		return FAILED;
 	}
 	
 	/* we picked a max modulus size to simplify buffer allocation */
-	if (this->k > 8192/8)
+	if (this->k > 8192 / BITS_PER_BYTE)
 	{
 		DBG1("key larger than 8192 bits");
 		return FAILED;
@@ -542,16 +618,17 @@ static private_gmp_rsa_private_key_t *gmp_rsa_private_key_create_empty(void)
 {
 	private_gmp_rsa_private_key_t *this = malloc_thing(private_gmp_rsa_private_key_t);
 	
-	this->public.interface.get_type = (key_type_t (*)(private_key_t *this))get_type;
-	this->public.interface.sign = (bool (*)(private_key_t *this, signature_scheme_t scheme, chunk_t data, chunk_t *signature))sign;
-	this->public.interface.decrypt = (bool (*)(private_key_t *this, chunk_t crypto, chunk_t *plain))decrypt;
-	this->public.interface.get_keysize = (size_t (*) (private_key_t *this))get_keysize;
-	this->public.interface.get_id = (identification_t* (*) (private_key_t *this,id_type_t))get_id;
-	this->public.interface.get_public_key = (public_key_t* (*)(private_key_t *this))get_public_key;
-	this->public.interface.belongs_to = (bool (*) (private_key_t *this, public_key_t *public))belongs_to;
-	this->public.interface.get_encoding = (chunk_t(*)(private_key_t*))get_encoding;
-	this->public.interface.get_ref = (private_key_t* (*)(private_key_t *this))get_ref;
-	this->public.interface.destroy = (void (*)(private_key_t *this))destroy;
+	this->public.interface.get_type = (key_type_t (*) (private_key_t*))get_type;
+	this->public.interface.sign = (bool (*) (private_key_t*, signature_scheme_t, chunk_t, chunk_t*))sign;
+	this->public.interface.decrypt = (bool (*) (private_key_t*, chunk_t, chunk_t*))decrypt;
+	this->public.interface.get_keysize = (size_t (*) (private_key_t*))get_keysize;
+	this->public.interface.get_id = (identification_t* (*) (private_key_t*, id_type_t))get_id;
+	this->public.interface.get_public_key = (public_key_t* (*) (private_key_t*))get_public_key;
+	this->public.interface.equals = (bool (*) (private_key_t*, private_key_t*))equals;
+	this->public.interface.belongs_to = (bool (*) (private_key_t*, public_key_t*))belongs_to;
+	this->public.interface.get_encoding = (chunk_t (*) (private_key_t*))get_encoding;
+	this->public.interface.get_ref = (private_key_t* (*) (private_key_t*))get_ref;
+	this->public.interface.destroy = (void (*) (private_key_t*))destroy;
 	
 	this->keyid = NULL;
 	this->keyid_info = NULL;
@@ -569,7 +646,7 @@ static gmp_rsa_private_key_t *generate(size_t key_size)
 	mpz_t m, q1, t;
 	private_gmp_rsa_private_key_t *this = gmp_rsa_private_key_create_empty();
 	
-	key_size = key_size / 8;
+	key_size = key_size / BITS_PER_BYTE;
 	
 	/* Get values of primes p and q  */
 	if (compute_prime(this, key_size/2, &p) != SUCCESS)
@@ -680,7 +757,7 @@ static const asn1Object_t privkeyObjects[] = {
 /**
  * load private key from a ASN1 encoded blob
  */
-static gmp_rsa_private_key_t *load(chunk_t blob)
+static gmp_rsa_private_key_t *load_asn1_der(chunk_t blob)
 {
 	asn1_parser_t *parser;
 	chunk_t object;
@@ -708,6 +785,7 @@ static gmp_rsa_private_key_t *load(chunk_t blob)
 			case PRIV_KEY_VERSION:
 				if (object.len > 0 && *object.ptr != 0)
 				{
+					DBG1("PKCS#1 private key format is not version 1");
 					goto end;
 				}
 				break;
@@ -757,13 +835,144 @@ end:
 		destroy(this);
 		return NULL;
 	}
+	if (check(this) != SUCCESS)
+	{
+		destroy(this);
+		return NULL;
+	}
+	return &this->public;
+}
+
+/**
+ * load private key from an OpenPGP blob coded according to section 
+ */
+static gmp_rsa_private_key_t *load_pgp(chunk_t blob)
+{
+	mpz_t u;
+	int objectID;
+	chunk_t packet = blob;
+	private_gmp_rsa_private_key_t *this = gmp_rsa_private_key_create_empty();
+	
+	mpz_init(this->n);
+	mpz_init(this->e);
+	mpz_init(this->p);
+	mpz_init(this->q);
+	mpz_init(this->d);
+	mpz_init(this->exp1);
+	mpz_init(this->exp2);
+	mpz_init(this->coeff);
+
+	for (objectID = PRIV_KEY_MODULUS; objectID <= PRIV_KEY_COEFF; objectID++)
+	{
+		chunk_t object;	
+
+		switch (objectID)
+		{
+			case PRIV_KEY_PRIV_EXP:
+			{
+				pgp_sym_alg_t s2k;
+
+				/* string-to-key usage */
+				s2k = pgp_length(&packet, 1);
+				DBG2("L3 - string-to-key:  %d", s2k);
+
+				if (s2k == 255 || s2k == 254)
+				{
+					DBG1("string-to-key specifiers not supported");
+					goto end;
+				}
+				DBG2("  %N", pgp_sym_alg_names, s2k);
+
+				if (s2k != PGP_SYM_ALG_PLAIN)
+				{
+					DBG1("%N encryption not supported",  pgp_sym_alg_names, s2k);
+					goto end;
+				}
+				break;
+			}
+			case PRIV_KEY_EXP1:
+			case PRIV_KEY_EXP2:
+				/* not contained in OpenPGP secret key payload */
+				continue;
+			default:
+				break;
+		}		
+
+		DBG2("L3 - %s:", privkeyObjects[objectID].name);
+		object.len = pgp_length(&packet, 2);
+
+		if (object.len == PGP_INVALID_LENGTH)
+		{
+			DBG1("OpenPGP length is invalid");
+			goto end;
+		}
+		object.len = (object.len + 7) / BITS_PER_BYTE;
+		if (object.len > packet.len)
+		{
+			DBG1("OpenPGP field is too short");
+			goto end;
+		}
+		object.ptr = packet.ptr;
+		packet.ptr += object.len;
+		packet.len -= object.len;
+		DBG4("%B", &object);
+
+		switch (objectID)
+		{
+			case PRIV_KEY_MODULUS:
+				mpz_import(this->n, object.len, 1, 1, 1, 0, object.ptr);
+				break;
+			case PRIV_KEY_PUB_EXP:
+				mpz_import(this->e, object.len, 1, 1, 1, 0, object.ptr);
+				break;
+			case PRIV_KEY_PRIV_EXP:
+				mpz_import(this->d, object.len, 1, 1, 1, 0, object.ptr);
+				break;
+			case PRIV_KEY_PRIME1:
+				mpz_import(this->q, object.len, 1, 1, 1, 0, object.ptr);
+				break;
+			case PRIV_KEY_PRIME2:
+				mpz_import(this->p, object.len, 1, 1, 1, 0, object.ptr);
+				break;
+			case PRIV_KEY_COEFF:
+				mpz_import(this->coeff, object.len, 1, 1, 1, 0, object.ptr);
+				break;
+		}
+	}
+
+	/* auxiliary variable */
+	mpz_init(u);
+
+	/* exp1 = d mod (p-1) */
+	mpz_sub_ui(u, this->p, 1);
+	mpz_mod(this->exp1, this->d, u);
+
+	/* exp2 = d mod (q-1) */
+	mpz_sub_ui(u, this->q, 1);
+	mpz_mod(this->exp2, this->d, u);
+
+	mpz_clear(u);
+	chunk_clear(&blob);
+
+	this->k = (mpz_sizeinbase(this->n, 2) + 7) / BITS_PER_BYTE;
 
+	if (!gmp_rsa_public_key_build_id(this->n, this->e,
+									 &this->keyid, &this->keyid_info))
+	{
+		destroy(this);
+		return NULL;
+	}
 	if (check(this) != SUCCESS)
 	{
 		destroy(this);
 		return NULL;
 	}
 	return &this->public;
+
+end:
+	chunk_clear(&blob);
+	destroy(this);
+	return NULL;
 }
 
 typedef struct private_builder_t private_builder_t;
@@ -804,7 +1013,15 @@ static void add(private_builder_t *this, builder_part_t part, ...)
 			{
 				va_start(args, part);
 				chunk = va_arg(args, chunk_t);
-				this->key = load(chunk_clone(chunk));
+				this->key = load_asn1_der(chunk_clone(chunk));
+				va_end(args);
+				return;
+			}		
+			case BUILD_BLOB_PGP:
+			{
+				va_start(args, part);
+				chunk = va_arg(args, chunk_t);
+				this->key = load_pgp(chunk_clone(chunk));
 				va_end(args);
 				return;
 			}		
diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
index 8a89849cd..1f3e3072f 100644
--- a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
+++ b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: gmp_rsa_public_key.c 4345 2008-09-17 08:10:48Z martin $
  */
  
 #include <gmp.h>
@@ -30,11 +28,7 @@
 #include <asn1/asn1_parser.h>
 #include <asn1/pem.h>
 #include <crypto/hashers/hasher.h>
-
-/**
- * defined in gmp_rsa_private_key.c
- */
-extern chunk_t gmp_mpz_to_asn1(const mpz_t value);
+#include <pgp/pgp.h>
 
 typedef struct private_gmp_rsa_public_key_t private_gmp_rsa_public_key_t;
 
@@ -78,6 +72,12 @@ struct private_gmp_rsa_public_key_t {
 	refcount_t ref;
 };
 
+/**
+ * Shared functions defined in gmp_rsa_private_key.c
+ */
+extern chunk_t gmp_mpz_to_chunk(const mpz_t value);
+extern chunk_t gmp_mpz_to_asn1(const mpz_t value);
+
 /**
  * RSAEP algorithm specified in PKCS#1.
  */
@@ -140,11 +140,10 @@ static bool verify_emsa_pkcs1_signature(private_gmp_rsa_public_key_t *this,
 	/* remove any preceding 0-bytes from signature */
 	while (signature.len && *(signature.ptr) == 0x00)
 	{
-		signature.len -= 1;
-		signature.ptr++;
+		signature = chunk_skip(signature, 1);
 	}
 	
-	if (signature.len > this->k)
+	if (signature.len == 0 || signature.len > this->k)
 	{
 		return INVALID_ARG;
 	}
@@ -163,8 +162,7 @@ static bool verify_emsa_pkcs1_signature(private_gmp_rsa_public_key_t *this,
 	{
 		goto end;
 	}
-	em.ptr += 2;
-	em.len -= 2;
+	em = chunk_skip(em, 2);
 	
 	/* find magic 0x00 */
 	while (em.len > 0)
@@ -172,8 +170,7 @@ static bool verify_emsa_pkcs1_signature(private_gmp_rsa_public_key_t *this,
 		if (*em.ptr == 0x00)
 		{
 			/* found magic byte, stop */
-			em.ptr++;
-			em.len--;
+			em = chunk_skip(em, 1);
 			break;
 		}
 		else if (*em.ptr != 0xFF)
@@ -181,8 +178,7 @@ static bool verify_emsa_pkcs1_signature(private_gmp_rsa_public_key_t *this,
 			/* bad padding, decryption failed ?!*/
 			goto end;
 		}
-		em.ptr++;
-		em.len--;
+		em = chunk_skip(em, 1);
 	}
 
 	if (em.len == 0)
@@ -191,13 +187,24 @@ static bool verify_emsa_pkcs1_signature(private_gmp_rsa_public_key_t *this,
 		goto end;
 	}
 
-	/* parse ASN.1-based digestInfo */
-	{
+	if (algorithm == HASH_UNKNOWN)
+	{   /* IKEv1 signatures without digestInfo */
+		if (em.len != data.len)
+		{
+			DBG1("hash size in signature is %u bytes instead of %u bytes",
+				 em.len, data.len);
+			goto end;
+		}
+		success = memeq(em.ptr, data.ptr, data.len);
+	}
+	else
+	{   /* IKEv2 and X.509 certificate signatures */
 		asn1_parser_t *parser;
 		chunk_t object;
 		int objectID;
 		hash_algorithm_t hash_algorithm = HASH_UNKNOWN;
 
+		DBG2("signature verification:");
 		parser = asn1_parser_create(digestInfoObjects, em);
 
 		while (parser->iterate(parser, &objectID, &object))
@@ -220,8 +227,7 @@ static bool verify_emsa_pkcs1_signature(private_gmp_rsa_public_key_t *this,
 										 parser->get_level(parser)+1, NULL);
 
 					hash_algorithm = hasher_algorithm_from_oid(hash_oid);
-					if (hash_algorithm == HASH_UNKNOWN ||
-						(algorithm != HASH_UNKNOWN && hash_algorithm != algorithm))
+					if (hash_algorithm == HASH_UNKNOWN || hash_algorithm != algorithm)
 					{
 						DBG1("expected hash algorithm %N, but found %N (OID: %#B)",
 							 hash_algorithm_names, algorithm,
@@ -289,7 +295,7 @@ static bool verify(private_gmp_rsa_public_key_t *this, signature_scheme_t scheme
 {
 	switch (scheme)
 	{
-		case SIGN_DEFAULT: /* default is EMSA-PKCS1 using included OID */
+		case SIGN_RSA_EMSA_PKCS1_NULL:
 			return verify_emsa_pkcs1_signature(this, HASH_UNKNOWN, data, signature);
 		case SIGN_RSA_EMSA_PKCS1_MD5:
 			return verify_emsa_pkcs1_signature(this, HASH_MD5, data, signature);
@@ -308,12 +314,96 @@ static bool verify(private_gmp_rsa_public_key_t *this, signature_scheme_t scheme
 	}
 }
 
+#define MIN_PS_PADDING		8	
+
 /**
- * Implementation of public_key_t.get_keysize.
+ * Implementation of public_key_t.encrypt.
+ */
+static bool encrypt_(private_gmp_rsa_public_key_t *this, chunk_t plain,
+					 chunk_t *crypto)
+{
+	chunk_t em;
+	u_char *pos;
+	int padding, i;
+ 	rng_t *rng;
+
+	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
+	if (rng == NULL)
+	{
+		DBG1("no random generator available");
+		return FALSE;
+	}
+
+	/* number of pseudo-random padding octets */
+	padding = this->k - plain.len - 3;
+ 	if (padding < MIN_PS_PADDING)
+	{
+		DBG1("pseudo-random padding must be at least %d octets", MIN_PS_PADDING);
+		return FALSE;
+	}
+
+	/* padding according to PKCS#1 7.2.1 (RSAES-PKCS1-v1.5-ENCRYPT) */
+	DBG2("padding %u bytes of data to the rsa modulus size of %u bytes",
+		 plain.len, this->k); 
+	em.len = this->k;
+	em.ptr = malloc(em.len); 
+	pos = em.ptr;
+	*pos++ = 0x00;
+	*pos++ = 0x02;
+
+	/* fill with pseudo random octets */
+	rng->get_bytes(rng, padding, pos);
+
+	/* replace zero-valued random octets */
+	for (i = 0; i < padding; i++)
+	{
+		while (*pos == 0)
+		{
+			rng->get_bytes(rng, 1, pos);
+		}
+		pos++;
+	}
+	rng->destroy(rng);
+
+	/* append the padding terminator */
+	*pos++ = 0x00;
+
+	/* now add the data */
+	memcpy(pos, plain.ptr, plain.len);
+	DBG3("padded data before rsa encryption: %B", &em);
+	
+	/* rsa encryption using PKCS#1 RSAEP */
+	*crypto = rsaep(this, em);
+	DBG3("rsa encrypted data: %B", crypto);
+	chunk_clear(&em);
+	return TRUE;
+}
+
+/**
+ * Implementation of gmp_rsa_public_key.equals.
  */
-static bool encrypt(private_gmp_rsa_public_key_t *this, chunk_t crypto, chunk_t *plain)
+static bool equals(private_gmp_rsa_public_key_t *this, public_key_t *other)
 {
-	DBG1("RSA public key encryption not implemented");
+	identification_t *keyid;
+
+	if (&this->public.interface == other)
+	{
+		return TRUE;
+	}
+	if (other->get_type(other) != KEY_RSA)
+	{
+		return FALSE;
+	}
+	keyid = other->get_id(other, ID_PUBKEY_SHA1);
+	if (keyid && keyid->equals(keyid, this->keyid))
+	{
+		return TRUE;
+	}
+	keyid = other->get_id(other, ID_PUBKEY_INFO_SHA1);
+	if (keyid && keyid->equals(keyid, this->keyid_info))
+	{
+		return TRUE;
+	}
 	return FALSE;
 }
 
@@ -325,6 +415,46 @@ static size_t get_keysize(private_gmp_rsa_public_key_t *this)
 	return this->k;
 }
 
+/**
+ * Build the PGP version 3 RSA key identifier from n and e using
+ * MD5 hashed modulus and exponent. Also used in rsa_private_key.c.
+ */
+static identification_t* gmp_rsa_build_pgp_v3_keyid(mpz_t n, mpz_t e)
+{
+	identification_t *keyid;
+	chunk_t modulus, mod, exponent, exp, hash;
+	hasher_t *hasher;
+	
+	hasher= lib->crypto->create_hasher(lib->crypto, HASH_MD5);
+	if (hasher == NULL)
+	{
+		DBG1("computation of PGP V3 keyid failed, no MD5 hasher is available");
+		return NULL;
+	}
+	mod = modulus  = gmp_mpz_to_chunk(n);
+	exp = exponent = gmp_mpz_to_chunk(e);
+
+	/* remove leading zero bytes before hashing modulus and exponent */
+	while (mod.len > 0 && *mod.ptr == 0x00)
+	{
+		mod.ptr++;
+		mod.len--;
+	} 
+	while (exp.len > 0 && *exp.ptr == 0x00)
+	{
+		exp.ptr++;
+		exp.len--;
+	} 
+	hasher->allocate_hash(hasher, mod, NULL);
+	hasher->allocate_hash(hasher, exp, &hash);
+	hasher->destroy(hasher);
+	keyid = identification_create_from_encoding(ID_KEY_ID, hash);
+	free(hash.ptr);
+	free(modulus.ptr);
+	free(exponent.ptr);
+	return keyid;
+}
+
 /**
  * Implementation of public_key_t.get_id.
  */
@@ -337,6 +467,8 @@ static identification_t *get_id(private_gmp_rsa_public_key_t *this,
 			return this->keyid_info;
 		case ID_PUBKEY_SHA1:
 			return this->keyid;
+		case ID_KEY_ID:
+			return gmp_rsa_build_pgp_v3_keyid(this->n, this->e);
 		default:
 			return NULL;
 	}
@@ -383,14 +515,15 @@ static private_gmp_rsa_public_key_t *gmp_rsa_public_key_create_empty()
 {
 	private_gmp_rsa_public_key_t *this = malloc_thing(private_gmp_rsa_public_key_t);
 	
-	this->public.interface.get_type = (key_type_t (*)(public_key_t *this))get_type;
-	this->public.interface.verify = (bool (*)(public_key_t *this, signature_scheme_t scheme, chunk_t data, chunk_t signature))verify;
-	this->public.interface.encrypt = (bool (*)(public_key_t *this, chunk_t crypto, chunk_t *plain))encrypt;
-	this->public.interface.get_keysize = (size_t (*) (public_key_t *this))get_keysize;
-	this->public.interface.get_id = (identification_t* (*) (public_key_t *this,id_type_t))get_id;
-	this->public.interface.get_encoding = (chunk_t(*)(public_key_t*))get_encoding;
-	this->public.interface.get_ref = (public_key_t* (*)(public_key_t *this))get_ref;
-	this->public.interface.destroy = (void (*)(public_key_t *this))destroy;
+	this->public.interface.get_type = (key_type_t (*) (public_key_t*))get_type;
+	this->public.interface.verify = (bool (*) (public_key_t*, signature_scheme_t, chunk_t, chunk_t))verify;
+	this->public.interface.encrypt = (bool (*) (public_key_t*, chunk_t, chunk_t*))encrypt_;
+	this->public.interface.equals = (bool (*) (public_key_t*, public_key_t*))equals;
+	this->public.interface.get_keysize = (size_t (*) (public_key_t*))get_keysize;
+	this->public.interface.get_id = (identification_t* (*) (public_key_t*, id_type_t))get_id;
+	this->public.interface.get_encoding = (chunk_t(*) (public_key_t*))get_encoding;
+	this->public.interface.get_ref = (public_key_t* (*) (public_key_t *this))get_ref;
+	this->public.interface.destroy = (void (*) (public_key_t *this))destroy;
 	
 	this->keyid = NULL;
 	this->keyid_info = NULL;
@@ -445,7 +578,7 @@ gmp_rsa_public_key_t *gmp_rsa_public_key_create_from_n_e(mpz_t n, mpz_t e)
 	mpz_init_set(this->n, n);
 	mpz_init_set(this->e, e);
 	
-	this->k = (mpz_sizeinbase(this->n, 2) + 7) / 8;
+	this->k = (mpz_sizeinbase(this->n, 2) + 7) /  BITS_PER_BYTE;
 	if (!gmp_rsa_public_key_build_id(this->n, this->e,
 									 &this->keyid, &this->keyid_info))
 	{
@@ -469,9 +602,9 @@ static const asn1Object_t pubkeyObjects[] = {
 #define PUB_KEY_EXPONENT			2
 
 /**
- * Load a public key from an ASN1 encoded blob
+ * Load a public key from an ASN.1 encoded blob
  */
-static gmp_rsa_public_key_t *load(chunk_t blob)
+static gmp_rsa_public_key_t *load_asn1_der(chunk_t blob)
 {
 	asn1_parser_t *parser;
 	chunk_t object;
@@ -507,7 +640,7 @@ static gmp_rsa_public_key_t *load(chunk_t blob)
 		return NULL;
 	}
 	
-	this->k = (mpz_sizeinbase(this->n, 2) + 7) / 8;
+	this->k = (mpz_sizeinbase(this->n, 2) + 7) /  BITS_PER_BYTE;
 
 	if (!gmp_rsa_public_key_build_id(this->n, this->e,
 									 &this->keyid, &this->keyid_info))
@@ -518,6 +651,133 @@ static gmp_rsa_public_key_t *load(chunk_t blob)
 	return &this->public;
 }
 
+/**
+ * Load a public key from an OpenPGP blob
+ */
+static gmp_rsa_public_key_t* load_pgp(chunk_t blob)
+{
+	int objectID;
+	chunk_t packet = blob;
+	private_gmp_rsa_public_key_t *this = gmp_rsa_public_key_create_empty();
+
+	mpz_init(this->n);
+	mpz_init(this->e);
+	
+	for (objectID = PUB_KEY_MODULUS; objectID <= PUB_KEY_EXPONENT; objectID++)
+	{
+		chunk_t object;	
+
+		DBG2("L3 - %s:", pubkeyObjects[objectID].name);
+		object.len = pgp_length(&packet, 2);
+
+		if (object.len == PGP_INVALID_LENGTH)
+		{
+			DBG1("OpenPGP length is invalid");
+			goto end;
+		}
+		object.len = (object.len + 7) / BITS_PER_BYTE;
+		if (object.len > packet.len)
+		{
+			DBG1("OpenPGP field is too short");
+			goto end;
+		}
+		object.ptr = packet.ptr;
+		packet.ptr += object.len;
+		packet.len -= object.len;
+		DBG4("%B", &object);
+
+		switch (objectID)
+		{
+			case PUB_KEY_MODULUS:
+				mpz_import(this->n, object.len, 1, 1, 1, 0, object.ptr);
+				break;
+			case PUB_KEY_EXPONENT:
+				mpz_import(this->e, object.len, 1, 1, 1, 0, object.ptr);
+				break;
+		}
+	}
+
+	this->k = (mpz_sizeinbase(this->n, 2) + 7) /  BITS_PER_BYTE;
+	free(blob.ptr);
+
+	if (!gmp_rsa_public_key_build_id(this->n, this->e,
+									 &this->keyid, &this->keyid_info))
+	{
+		destroy(this);
+		return NULL;
+	}
+	return &this->public;
+
+end:
+	free(blob.ptr);
+	destroy(this);
+	return NULL;
+}
+
+/**
+ * Load a public key from an RFC 3110 encoded blob
+ */
+static gmp_rsa_public_key_t *load_rfc_3110(chunk_t blob)
+{
+	chunk_t exponent, modulus;
+	u_char *pos = blob.ptr;
+	size_t len  = blob.len;
+	private_gmp_rsa_public_key_t *this = gmp_rsa_public_key_create_empty();
+	
+	mpz_init(this->n);
+	mpz_init(this->e);
+
+	if (blob.len < 3)
+	{
+		DBG1("RFC 3110 public key blob too short for exponent length");
+		goto end;
+	}
+	if (pos[0] != 0x00)
+	{
+		exponent = chunk_create(pos + 1, pos[0]);
+		pos++;
+		len--;
+	}
+	else
+	{
+		exponent = chunk_create(pos + 3, 256*pos[1] + pos[2]);
+		pos += 3;
+		len -= 3;
+	}
+	if (exponent.len > len)
+	{
+		DBG1("RFC 3110 public key blob too short for exponent");
+		goto end;
+	}
+	pos += exponent.len;
+	len -= exponent.len;
+
+	if (len == 0)
+	{
+		DBG1("RFC 3110 public key blob has zero length modulus");
+		goto end;
+	}	
+	modulus = chunk_create(pos, len);
+
+	mpz_import(this->n, modulus.len,  1, 1, 1, 0, modulus.ptr);
+	mpz_import(this->e, exponent.len, 1, 1, 1, 0, exponent.ptr);
+	this->k = (mpz_sizeinbase(this->n, 2) + 7) /  BITS_PER_BYTE;
+	free(blob.ptr);
+
+	if (!gmp_rsa_public_key_build_id(this->n, this->e,
+									 &this->keyid, &this->keyid_info))
+	{
+		destroy(this);
+		return NULL;
+	}
+	return &this->public;
+
+end:
+	free(blob.ptr);
+	destroy(this);
+	return NULL;
+}
+
 typedef struct private_builder_t private_builder_t;
 /**
  * Builder implementation for key loading
@@ -556,7 +816,23 @@ static void add(private_builder_t *this, builder_part_t part, ...)
 			{
 				va_start(args, part);
 				chunk = va_arg(args, chunk_t);
-				this->key = load(chunk_clone(chunk));
+				this->key = load_asn1_der(chunk_clone(chunk));
+				va_end(args);
+				return;
+			}
+			case BUILD_BLOB_PGP:
+			{
+				va_start(args, part);
+				chunk = va_arg(args, chunk_t);
+				this->key = load_pgp(chunk_clone(chunk));
+				va_end(args);
+				return;
+			}
+			case BUILD_BLOB_RFC_3110:
+			{
+				va_start(args, part);
+				chunk = va_arg(args, chunk_t);
+				this->key = load_rfc_3110(chunk_clone(chunk));
 				va_end(args);
 				return;
 			}
diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.h b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.h
index 46c8c3fd8..ed7b9429f 100644
--- a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.h
+++ b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.h
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: gmp_rsa_public_key.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/libstrongswan/plugins/hmac/Makefile.in b/src/libstrongswan/plugins/hmac/Makefile.in
index 067763049..fc36bd9fa 100644
--- a/src/libstrongswan/plugins/hmac/Makefile.in
+++ b/src/libstrongswan/plugins/hmac/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -88,6 +88,7 @@ CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -110,6 +111,9 @@ LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -121,6 +125,7 @@ MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
 NM = @NM@
 NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
@@ -134,6 +139,8 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 RANLIB = @RANLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -194,6 +201,7 @@ oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
 plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -205,6 +213,7 @@ srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 xml_CFLAGS = @xml_CFLAGS@
@@ -224,8 +233,8 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
 	    *$$dep*) \
-	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
-		&& exit 0; \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
 	      exit 1;; \
 	  esac; \
 	done; \
@@ -322,7 +331,7 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
 	mkid -fID $$unique
 tags: TAGS
diff --git a/src/libstrongswan/plugins/hmac/hmac.c b/src/libstrongswan/plugins/hmac/hmac.c
index b2f99bdc3..6dfa02233 100644
--- a/src/libstrongswan/plugins/hmac/hmac.c
+++ b/src/libstrongswan/plugins/hmac/hmac.c
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General hmac License
  * for more details.
- *
- * $Id: hmac.c 3488 2008-02-21 15:10:02Z martin $
  */
 
 #include <string.h>
diff --git a/src/libstrongswan/plugins/hmac/hmac_plugin.c b/src/libstrongswan/plugins/hmac/hmac_plugin.c
index 7a09b7a4e..aa1e994b0 100644
--- a/src/libstrongswan/plugins/hmac/hmac_plugin.c
+++ b/src/libstrongswan/plugins/hmac/hmac_plugin.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: hmac_plugin.c 4997 2009-03-24 10:24:58Z martin $
  */
 
 #include "hmac_plugin.h"
@@ -70,6 +68,8 @@ plugin_t *plugin_create()
 							(signer_constructor_t)hmac_signer_create);
 	lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA1_128, 
 							(signer_constructor_t)hmac_signer_create);
+	lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA1_160, 
+							(signer_constructor_t)hmac_signer_create);
 	lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_256_128, 
 							(signer_constructor_t)hmac_signer_create);
 	lib->crypto->add_signer(lib->crypto, AUTH_HMAC_MD5_96, 
diff --git a/src/libstrongswan/plugins/hmac/hmac_prf.c b/src/libstrongswan/plugins/hmac/hmac_prf.c
index 8d843bc5a..454d40be3 100644
--- a/src/libstrongswan/plugins/hmac/hmac_prf.c
+++ b/src/libstrongswan/plugins/hmac/hmac_prf.c
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: hmac_prf.c 3488 2008-02-21 15:10:02Z martin $
  */
 
 #include "hmac_prf.h"
diff --git a/src/libstrongswan/plugins/hmac/hmac_signer.c b/src/libstrongswan/plugins/hmac/hmac_signer.c
index 89cae1716..b44bc2109 100644
--- a/src/libstrongswan/plugins/hmac/hmac_signer.c
+++ b/src/libstrongswan/plugins/hmac/hmac_signer.c
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: hmac_signer.c 4997 2009-03-24 10:24:58Z martin $
  */
 
 #include <string.h>
@@ -155,6 +153,10 @@ hmac_signer_t *hmac_signer_create(integrity_algorithm_t algo)
 			hash = HASH_SHA1;
 			trunc = 16;
 			break;
+		case AUTH_HMAC_SHA1_160:
+			hash = HASH_SHA1;
+			trunc = 20;
+			break;
 		case AUTH_HMAC_MD5_96:
 			hash = HASH_MD5;
 			trunc = 12;
diff --git a/src/libstrongswan/plugins/ldap/Makefile.in b/src/libstrongswan/plugins/ldap/Makefile.in
index e0109c6e8..6eefc8546 100644
--- a/src/libstrongswan/plugins/ldap/Makefile.in
+++ b/src/libstrongswan/plugins/ldap/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -87,6 +87,7 @@ CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -109,6 +110,9 @@ LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -120,6 +124,7 @@ MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
 NM = @NM@
 NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
@@ -133,6 +138,8 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 RANLIB = @RANLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -193,6 +200,7 @@ oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
 plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -204,6 +212,7 @@ srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 xml_CFLAGS = @xml_CFLAGS@
@@ -222,8 +231,8 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
 	    *$$dep*) \
-	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
-		&& exit 0; \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
 	      exit 1;; \
 	  esac; \
 	done; \
@@ -318,7 +327,7 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
 	mkid -fID $$unique
 tags: TAGS
diff --git a/src/libstrongswan/plugins/ldap/ldap_fetcher.c b/src/libstrongswan/plugins/ldap/ldap_fetcher.c
index 8e55b800e..b2a40219f 100644
--- a/src/libstrongswan/plugins/ldap/ldap_fetcher.c
+++ b/src/libstrongswan/plugins/ldap/ldap_fetcher.c
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: ldap_fetcher.c 3693 2008-03-28 22:44:45Z andreas $
  */
 
 #ifndef LDAP_DEPRECATED
diff --git a/src/libstrongswan/plugins/ldap/ldap_plugin.c b/src/libstrongswan/plugins/ldap/ldap_plugin.c
index 0925cb395..994f3db46 100644
--- a/src/libstrongswan/plugins/ldap/ldap_plugin.c
+++ b/src/libstrongswan/plugins/ldap/ldap_plugin.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: ldap_plugin.c 3529 2008-03-05 15:26:24Z martin $
  */
 
 #include "ldap_plugin.h"
diff --git a/src/libstrongswan/plugins/md4/Makefile.in b/src/libstrongswan/plugins/md4/Makefile.in
index 4dbe8a6c4..efdb64e90 100644
--- a/src/libstrongswan/plugins/md4/Makefile.in
+++ b/src/libstrongswan/plugins/md4/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -87,6 +87,7 @@ CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -109,6 +110,9 @@ LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -120,6 +124,7 @@ MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
 NM = @NM@
 NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
@@ -133,6 +138,8 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 RANLIB = @RANLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -193,6 +200,7 @@ oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
 plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -204,6 +212,7 @@ srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 xml_CFLAGS = @xml_CFLAGS@
@@ -221,8 +230,8 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
 	    *$$dep*) \
-	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
-		&& exit 0; \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
 	      exit 1;; \
 	  esac; \
 	done; \
@@ -317,7 +326,7 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
 	mkid -fID $$unique
 tags: TAGS
diff --git a/src/libstrongswan/plugins/md4/md4_hasher.c b/src/libstrongswan/plugins/md4/md4_hasher.c
index 9053bc68d..3801110dc 100644
--- a/src/libstrongswan/plugins/md4/md4_hasher.c
+++ b/src/libstrongswan/plugins/md4/md4_hasher.c
@@ -17,8 +17,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: md4_hasher.c 4885 2009-02-19 10:16:45Z andreas $
  */
 
 #include <string.h>
diff --git a/src/libstrongswan/plugins/md4/md4_plugin.c b/src/libstrongswan/plugins/md4/md4_plugin.c
index df77314f7..43ae6261d 100644
--- a/src/libstrongswan/plugins/md4/md4_plugin.c
+++ b/src/libstrongswan/plugins/md4/md4_plugin.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: md4_plugin.c 4885 2009-02-19 10:16:45Z andreas $
  */
 
 #include "md4_plugin.h"
diff --git a/src/libstrongswan/plugins/md5/Makefile.in b/src/libstrongswan/plugins/md5/Makefile.in
index a73e78b05..15c98aba4 100644
--- a/src/libstrongswan/plugins/md5/Makefile.in
+++ b/src/libstrongswan/plugins/md5/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -87,6 +87,7 @@ CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -109,6 +110,9 @@ LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -120,6 +124,7 @@ MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
 NM = @NM@
 NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
@@ -133,6 +138,8 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 RANLIB = @RANLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -193,6 +200,7 @@ oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
 plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -204,6 +212,7 @@ srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 xml_CFLAGS = @xml_CFLAGS@
@@ -221,8 +230,8 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
 	    *$$dep*) \
-	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
-		&& exit 0; \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
 	      exit 1;; \
 	  esac; \
 	done; \
@@ -317,7 +326,7 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
 	mkid -fID $$unique
 tags: TAGS
diff --git a/src/libstrongswan/plugins/md5/md5_hasher.c b/src/libstrongswan/plugins/md5/md5_hasher.c
index 2354139bb..0ec5c073a 100644
--- a/src/libstrongswan/plugins/md5/md5_hasher.c
+++ b/src/libstrongswan/plugins/md5/md5_hasher.c
@@ -17,8 +17,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: md5_hasher.c 3488 2008-02-21 15:10:02Z martin $
  */
 
 #include <string.h>
diff --git a/src/libstrongswan/plugins/md5/md5_plugin.c b/src/libstrongswan/plugins/md5/md5_plugin.c
index c1c9a0805..b1a3b495c 100644
--- a/src/libstrongswan/plugins/md5/md5_plugin.c
+++ b/src/libstrongswan/plugins/md5/md5_plugin.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: md5_plugin.c 3488 2008-02-21 15:10:02Z martin $
  */
 
 #include "md5_plugin.h"
diff --git a/src/libstrongswan/plugins/mysql/Makefile.in b/src/libstrongswan/plugins/mysql/Makefile.in
index 9a16662b9..26b514ad6 100644
--- a/src/libstrongswan/plugins/mysql/Makefile.in
+++ b/src/libstrongswan/plugins/mysql/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -87,6 +87,7 @@ CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -109,6 +110,9 @@ LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -120,6 +124,7 @@ MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
 NM = @NM@
 NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
@@ -133,6 +138,8 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 RANLIB = @RANLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -193,6 +200,7 @@ oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
 plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -204,6 +212,7 @@ srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 xml_CFLAGS = @xml_CFLAGS@
@@ -224,8 +233,8 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
 	    *$$dep*) \
-	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
-		&& exit 0; \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
 	      exit 1;; \
 	  esac; \
 	done; \
@@ -320,7 +329,7 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
 	mkid -fID $$unique
 tags: TAGS
diff --git a/src/libstrongswan/plugins/mysql/mysql_database.c b/src/libstrongswan/plugins/mysql/mysql_database.c
index 01f604fef..d0d5a3d15 100644
--- a/src/libstrongswan/plugins/mysql/mysql_database.c
+++ b/src/libstrongswan/plugins/mysql/mysql_database.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: mysql_database.c 4193 2008-07-21 11:13:06Z martin $
  */
 
 #define _GNU_SOURCE
diff --git a/src/libstrongswan/plugins/mysql/mysql_plugin.c b/src/libstrongswan/plugins/mysql/mysql_plugin.c
index 29348ac14..92914ae6d 100644
--- a/src/libstrongswan/plugins/mysql/mysql_plugin.c
+++ b/src/libstrongswan/plugins/mysql/mysql_plugin.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: mysql_plugin.c 3488 2008-02-21 15:10:02Z martin $
  */
 
 #include "mysql_plugin.h"
diff --git a/src/libstrongswan/plugins/openssl/Makefile.in b/src/libstrongswan/plugins/openssl/Makefile.in
index 0af89d377..0ebb5acf0 100644
--- a/src/libstrongswan/plugins/openssl/Makefile.in
+++ b/src/libstrongswan/plugins/openssl/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -92,6 +92,7 @@ CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -114,6 +115,9 @@ LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -125,6 +129,7 @@ MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
 NM = @NM@
 NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
@@ -138,6 +143,8 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 RANLIB = @RANLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -198,6 +205,7 @@ oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
 plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -209,6 +217,7 @@ srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 xml_CFLAGS = @xml_CFLAGS@
@@ -237,8 +246,8 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
 	    *$$dep*) \
-	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
-		&& exit 0; \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
 	      exit 1;; \
 	  esac; \
 	done; \
@@ -341,7 +350,7 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
 	mkid -fID $$unique
 tags: TAGS
diff --git a/src/libstrongswan/plugins/openssl/openssl_crypter.c b/src/libstrongswan/plugins/openssl/openssl_crypter.c
index 5eddeb5f9..7f48f1009 100644
--- a/src/libstrongswan/plugins/openssl/openssl_crypter.c
+++ b/src/libstrongswan/plugins/openssl/openssl_crypter.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: openssl_crypter.c 4879 2009-02-18 19:41:33Z tobias $
  */
 
 #include "openssl_crypter.h"
@@ -133,10 +131,12 @@ static void crypt(private_openssl_crypter_t *this, chunk_t data,
 	}
 	EVP_CIPHER_CTX ctx;
 	EVP_CIPHER_CTX_init(&ctx);
-	EVP_CipherInit_ex(&ctx, this->cipher, NULL, this->key.ptr, iv.ptr, enc);
-	EVP_CIPHER_CTX_set_padding(&ctx, 0); /* disable padding */
+	EVP_CipherInit_ex(&ctx, this->cipher, NULL, NULL, NULL, enc);
+	EVP_CIPHER_CTX_set_padding(&ctx, 0); 		/* disable padding */
+	EVP_CIPHER_CTX_set_key_length(&ctx, this->key.len);
+	EVP_CipherInit_ex(&ctx, NULL, NULL, this->key.ptr, iv.ptr, enc);
 	EVP_CipherUpdate(&ctx, out, &len, data.ptr, data.len);
-	EVP_CipherFinal_ex(&ctx, out, &len); /* since padding is disabled this does nothing */
+	EVP_CipherFinal_ex(&ctx, out + len, &len); /* since padding is disabled this does nothing */
 	EVP_CIPHER_CTX_cleanup(&ctx);
 }
 
diff --git a/src/libstrongswan/plugins/openssl/openssl_crypter.h b/src/libstrongswan/plugins/openssl/openssl_crypter.h
index 4510fb7ee..e5a899418 100644
--- a/src/libstrongswan/plugins/openssl/openssl_crypter.h
+++ b/src/libstrongswan/plugins/openssl/openssl_crypter.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- * 
- * $Id: openssl_crypter.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c
index 7c83b3dea..fe042efdc 100644
--- a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c
+++ b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: openssl_diffie_hellman.c 4639 2008-11-12 15:09:24Z martin $
  */
 
 #include <openssl/dh.h>
@@ -171,7 +169,7 @@ static status_t set_modulus(private_openssl_diffie_hellman_t *this)
 	bool ansi_x9_42;
 	
 	ansi_x9_42 = lib->settings->get_bool(lib->settings,
-										 "charon.dh_exponent_ansi_x9_42", TRUE);
+										 "libstrongswan.dh_exponent_ansi_x9_42", TRUE);
 	
 	for (i = 0; i < (sizeof(modulus_entries) / sizeof(modulus_entry_t)); i++)
 	{
diff --git a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.h b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.h
index c67ce8970..bdc153812 100644
--- a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.h
+++ b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- * 
- * $Id: openssl_diffie_hellman.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
index 9a89ad045..c93acb75c 100644
--- a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
+++ b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: openssl_ec_diffie_hellman.c 4566 2008-11-04 13:12:11Z martin $
  */
 
 #include <openssl/ec.h>
diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.h b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.h
index 6b135b36b..9d17aed57 100644
--- a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.h
+++ b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- * 
- * $Id: openssl_ec_diffie_hellman.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c b/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c
index aeab15f26..d6b442ae9 100644
--- a/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: openssl_ec_private_key.c 4317 2008-09-02 11:00:13Z martin $
  */
 
 #include "openssl_ec_private_key.h"
@@ -130,36 +128,18 @@ static bool sig2chunk(const EC_GROUP *group, ECDSA_SIG *sig, chunk_t *chunk)
  * Build the signature
  */
 static bool build_signature(private_openssl_ec_private_key_t *this,
-							int hash_type, chunk_t data, chunk_t *signature)
+							chunk_t hash, chunk_t *signature)
 {
-	chunk_t hash = chunk_empty;
-	ECDSA_SIG *sig;
-	bool ret = FALSE;
-	
-	if (!openssl_hash_chunk(hash_type, data, &hash))
-	{
-		return FALSE;
-	}
-	
-	sig = ECDSA_do_sign(hash.ptr, hash.len, this->ec);
+	ECDSA_SIG *sig = ECDSA_do_sign(hash.ptr, hash.len, this->ec);
+	bool success;
+
 	if (!sig)
 	{
-		goto error;
-	}
-	
-	if (!sig2chunk(EC_KEY_get0_group(this->ec), sig, signature))
-	{
-		goto error;
-	}
-	
-	ret = TRUE;
-error:
-	chunk_free(&hash);
-	if (sig)
-	{
-		ECDSA_SIG_free(sig);
+		return FALSE;
 	}
-	return ret;
+	success = sig2chunk(EC_KEY_get0_group(this->ec), sig, signature);
+	ECDSA_SIG_free(sig);
+	return success;
 }
 
 /**
@@ -176,36 +156,51 @@ static key_type_t get_type(private_openssl_ec_private_key_t *this)
 static bool sign(private_openssl_ec_private_key_t *this, signature_scheme_t scheme, 
 				 chunk_t data, chunk_t *signature)
 {
-	EC_GROUP *req_group;
-	const EC_GROUP *my_group;
-	int hash, curve;
-	
-	if (!lookup_scheme(scheme, &hash, &curve))
-	{
-		DBG1("signature scheme %N not supported in EC",
-				 signature_scheme_names, scheme);
-		return FALSE;
-	}
-	
-	req_group = EC_GROUP_new_by_curve_name(curve);
-	if (!req_group)
+	bool success;
+
+	if (scheme == SIGN_ECDSA_WITH_NULL)
 	{
-		DBG1("signature scheme %N not supported in EC (required curve not supported)",
-				 signature_scheme_names, scheme);
-		return FALSE;
+		success = build_signature(this, data, signature);
 	}
-	
-	my_group = EC_KEY_get0_group(this->ec);
-	if (EC_GROUP_cmp(my_group, req_group, NULL) != 0)
+	else
 	{
-		DBG1("signature scheme %N not supported by private key",
-				 signature_scheme_names, scheme);
-		return FALSE;
-	}
+		EC_GROUP *req_group;
+		const EC_GROUP *my_group;
+		chunk_t hash = chunk_empty;
+		int hash_type, curve;
+
+		if (!lookup_scheme(scheme, &hash_type, &curve))
+		{
+			DBG1("signature scheme %N not supported in EC",
+					 signature_scheme_names, scheme);
+			return FALSE;
+		}
 	
-	EC_GROUP_free(req_group);
+		req_group = EC_GROUP_new_by_curve_name(curve);
+		if (!req_group)
+		{
+			DBG1("signature scheme %N not supported in EC (required curve not supported)",
+					 signature_scheme_names, scheme);
+			return FALSE;
+		}
 	
-	return build_signature(this, hash, data, signature);
+		my_group = EC_KEY_get0_group(this->ec);
+		if (EC_GROUP_cmp(my_group, req_group, NULL) != 0)
+		{
+			DBG1("signature scheme %N not supported by private key",
+					 signature_scheme_names, scheme);
+			return FALSE;
+		}
+		EC_GROUP_free(req_group);
+
+		if (!openssl_hash_chunk(hash_type, data, &hash))
+		{
+			return FALSE;
+		}
+		success = build_signature(this, hash, signature);
+		chunk_free(&hash);
+	}	
+	return success;
 }
 
 /**
diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_private_key.h b/src/libstrongswan/plugins/openssl/openssl_ec_private_key.h
index 29588ce18..6a6f7c867 100644
--- a/src/libstrongswan/plugins/openssl/openssl_ec_private_key.h
+++ b/src/libstrongswan/plugins/openssl/openssl_ec_private_key.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- * 
- * $Id: openssl_ec_private_key.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c b/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c
index 923df3938..635a106dd 100644
--- a/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: openssl_ec_public_key.c 4317 2008-09-02 11:00:13Z martin $
  */
 
 #include "openssl_ec_public_key.h"
@@ -75,9 +73,16 @@ static bool verify_signature(private_openssl_ec_public_key_t *this,
 	ECDSA_SIG *sig;
 	bool valid = FALSE;
 	
-	if (!openssl_hash_chunk(hash_type, data, &hash))
+	if (hash_type == NID_undef)
 	{
-		return FALSE;
+		hash = data;
+	}
+	else
+	{
+		if (!openssl_hash_chunk(hash_type, data, &hash))
+		{
+			return FALSE;
+		}
 	}
 	
 	sig = ECDSA_SIG_new();
@@ -90,7 +95,6 @@ static bool verify_signature(private_openssl_ec_public_key_t *this,
 	{
 		goto error;
 	}
-	
 	valid = (ECDSA_do_verify(hash.ptr, hash.len, sig, this->ec) == 1);
 	
 error:
@@ -98,7 +102,10 @@ error:
 	{
 		ECDSA_SIG_free(sig);
 	}
-	chunk_free(&hash);
+	if (hash_type != NID_undef)
+	{
+		chunk_free(&hash);
+	}
 	return valid;
 }
 
@@ -160,6 +167,8 @@ static bool verify(private_openssl_ec_public_key_t *this, signature_scheme_t sch
 {
 	switch (scheme)
 	{
+		case SIGN_ECDSA_WITH_NULL:
+			return verify_signature(this, NID_undef, data, signature);
 		case SIGN_ECDSA_WITH_SHA1:
 			return verify_default_signature(this, data, signature);
 		case SIGN_ECDSA_256:
@@ -178,7 +187,7 @@ static bool verify(private_openssl_ec_public_key_t *this, signature_scheme_t sch
 /**
  * Implementation of public_key_t.get_keysize.
  */
-static bool encrypt(private_openssl_ec_public_key_t *this, chunk_t crypto, chunk_t *plain)
+static bool encrypt_(private_openssl_ec_public_key_t *this, chunk_t crypto, chunk_t *plain)
 {
 	DBG1("EC public key encryption not implemented");
 	return FALSE;
@@ -279,7 +288,7 @@ static private_openssl_ec_public_key_t *openssl_ec_public_key_create_empty()
 	
 	this->public.interface.get_type = (key_type_t (*)(public_key_t *this))get_type;
 	this->public.interface.verify = (bool (*)(public_key_t *this, signature_scheme_t scheme, chunk_t data, chunk_t signature))verify;
-	this->public.interface.encrypt = (bool (*)(public_key_t *this, chunk_t crypto, chunk_t *plain))encrypt;
+	this->public.interface.encrypt = (bool (*)(public_key_t *this, chunk_t crypto, chunk_t *plain))encrypt_;
 	this->public.interface.get_keysize = (size_t (*) (public_key_t *this))get_keysize;
 	this->public.interface.get_id = (identification_t* (*) (public_key_t *this,id_type_t))get_id;
 	this->public.interface.get_encoding = (chunk_t(*)(public_key_t*))get_encoding;
@@ -330,24 +339,6 @@ bool openssl_ec_public_key_build_id(EC_KEY *ec, identification_t **keyid,
 	return TRUE;
 }
 
-/**
- * Create a public key from BIGNUM values, used in openssl_ec_private_key.c
- */
-openssl_ec_public_key_t *openssl_ec_public_key_create_from_private_key(EC_KEY *ec)
-{
-	private_openssl_ec_public_key_t *this = openssl_ec_public_key_create_empty();
-	
-	this->ec = EC_KEY_new();
-	EC_KEY_set_public_key(this->ec, EC_KEY_get0_public_key(ec));
-	
-	if (!openssl_ec_public_key_build_id(this->ec, &this->keyid, &this->keyid_info))
-	{
-		destroy(this);
-		return NULL;
-	}
-	return &this->public;
-}
-
 /**
  * Load a public key from an ASN1 encoded blob
  */
@@ -374,6 +365,14 @@ static openssl_ec_public_key_t *load(chunk_t blob)
 	return &this->public;
 }
 
+/**
+ * Create a public key from BIGNUM values, used in openssl_ec_private_key.c
+ */
+openssl_ec_public_key_t *openssl_ec_public_key_create_from_private_key(EC_KEY *ec)
+{
+	return (openssl_ec_public_key_t*)load(get_encoding_full(ec));
+}
+
 typedef struct private_builder_t private_builder_t;
 /**
  * Builder implementation for key loading
diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_public_key.h b/src/libstrongswan/plugins/openssl/openssl_ec_public_key.h
index 83552d590..bdbb2fe6e 100644
--- a/src/libstrongswan/plugins/openssl/openssl_ec_public_key.h
+++ b/src/libstrongswan/plugins/openssl/openssl_ec_public_key.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: openssl_ec_public_key.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/libstrongswan/plugins/openssl/openssl_hasher.c b/src/libstrongswan/plugins/openssl/openssl_hasher.c
index d344dbd51..ed3e57957 100644
--- a/src/libstrongswan/plugins/openssl/openssl_hasher.c
+++ b/src/libstrongswan/plugins/openssl/openssl_hasher.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: openssl_hasher.c 4879 2009-02-18 19:41:33Z tobias $
  */
 
 #include "openssl_hasher.h"
diff --git a/src/libstrongswan/plugins/openssl/openssl_hasher.h b/src/libstrongswan/plugins/openssl/openssl_hasher.h
index 52699f7ff..aec5bc7dd 100644
--- a/src/libstrongswan/plugins/openssl/openssl_hasher.h
+++ b/src/libstrongswan/plugins/openssl/openssl_hasher.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- * 
- * $Id: openssl_hasher.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c
index 725daff01..a90dff7f1 100644
--- a/src/libstrongswan/plugins/openssl/openssl_plugin.c
+++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: openssl_plugin.c 4879 2009-02-18 19:41:33Z tobias $
  */
 
 #include <openssl/conf.h>
@@ -121,7 +119,7 @@ static void destroy_function(struct CRYPTO_dynlock_value *lock,
  */
 static unsigned long id_function(void)
 {
-	return pthread_self();
+	return (unsigned long)pthread_self();
 }
 
 /**
diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.h b/src/libstrongswan/plugins/openssl/openssl_plugin.h
index a6d2a060e..9f422c9d0 100644
--- a/src/libstrongswan/plugins/openssl/openssl_plugin.h
+++ b/src/libstrongswan/plugins/openssl/openssl_plugin.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- * 
- * $Id: openssl_plugin.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
index 9730e0ab2..c5d4142da 100644
--- a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: openssl_rsa_private_key.c 4745 2008-12-03 10:12:20Z tobias $
  */
 
 #include "openssl_rsa_private_key.h"
@@ -80,65 +78,75 @@ openssl_rsa_public_key_t *openssl_rsa_public_key_create_from_n_e(BIGNUM *n, BIGN
  * Build an EMPSA PKCS1 signature described in PKCS#1
  */
 static bool build_emsa_pkcs1_signature(private_openssl_rsa_private_key_t *this,
-									   int type, chunk_t data, chunk_t *out)
+									   int type, chunk_t data, chunk_t *sig)
 {
 	bool success = FALSE;
-	u_char *sig = NULL;
-	u_int len;
-	const EVP_MD *hasher = EVP_get_digestbynid(type);
-	if (!hasher)
-	{
-		return FALSE;
-	}
-	
-	EVP_MD_CTX *ctx = EVP_MD_CTX_create();
-	EVP_PKEY *key = EVP_PKEY_new();
-	if (!ctx || !key)
-	{
-		goto error;
-	}
-	
-	if (!EVP_PKEY_set1_RSA(key, this->rsa))
-	{
-		goto error;
-	}
-	
-	if (!EVP_SignInit_ex(ctx, hasher, NULL))
-	{
-		goto error;
-	}
-	
-	if (!EVP_SignUpdate(ctx, data.ptr, data.len))
-	{
-		goto error;
-	}
-	
-	sig = malloc(EVP_PKEY_size(key));
-	if (EVP_SignFinal(ctx, sig, &len, key))
+
+	*sig = chunk_alloc(RSA_size(this->rsa));
+
+	if (type == NID_undef)
 	{
-		out->ptr = sig;
-		out->len = len;
-		success = TRUE;
+		if (RSA_private_encrypt(data.len, data.ptr, sig->ptr, this->rsa,
+								RSA_PKCS1_PADDING) == sig->len)
+		{
+			success = TRUE;
+		}
 	}
 	else
 	{
-		free(sig);
-	}
+		EVP_MD_CTX *ctx;
+		EVP_PKEY *key;
+		const EVP_MD *hasher;
+		u_int len;
+
+		hasher = EVP_get_digestbynid(type);
+		if (!hasher)
+		{
+			return FALSE;
+		}
+	
+		ctx = EVP_MD_CTX_create();
+		key = EVP_PKEY_new();
+		if (!ctx || !key)
+		{
+			goto error;
+		}
+		if (!EVP_PKEY_set1_RSA(key, this->rsa))
+		{
+			goto error;
+		}
+		if (!EVP_SignInit_ex(ctx, hasher, NULL))
+		{
+			goto error;
+		}
+		if (!EVP_SignUpdate(ctx, data.ptr, data.len))
+		{
+			goto error;
+		}
+		if (EVP_SignFinal(ctx, sig->ptr, &len, key))
+		{
+			success = TRUE;
+		}
 	
 error:
-	if (key)
-	{
-		EVP_PKEY_free(key);
+		if (key)
+		{
+			EVP_PKEY_free(key);
+		}
+		if (ctx)
+		{
+			EVP_MD_CTX_destroy(ctx);
+		}
 	}
-	if (ctx)
+	if (!success)
 	{
-		EVP_MD_CTX_destroy(ctx);
+		free(sig->ptr);
 	}
 	return success;
 }
 
 /**
- * Implementation of openssl_rsa_private_key.destroy.
+ * Implementation of openssl_rsa_private_key.get_type.
  */
 static key_type_t get_type(private_openssl_rsa_private_key_t *this)
 {
@@ -146,15 +154,15 @@ static key_type_t get_type(private_openssl_rsa_private_key_t *this)
 }
 
 /**
- * Implementation of openssl_rsa_private_key.destroy.
+ * Implementation of openssl_rsa_private_key.sign.
  */
 static bool sign(private_openssl_rsa_private_key_t *this, signature_scheme_t scheme, 
 				 chunk_t data, chunk_t *signature)
 {
 	switch (scheme)
 	{
-		case SIGN_DEFAULT:
-			/* default is EMSA-PKCS1 using SHA1 */
+		case SIGN_RSA_EMSA_PKCS1_NULL:
+			return build_emsa_pkcs1_signature(this, NID_undef, data, signature);
 		case SIGN_RSA_EMSA_PKCS1_SHA1:
 			return build_emsa_pkcs1_signature(this, NID_sha1, data, signature);
 		case SIGN_RSA_EMSA_PKCS1_SHA256:
@@ -173,7 +181,7 @@ static bool sign(private_openssl_rsa_private_key_t *this, signature_scheme_t sch
 }
 
 /**
- * Implementation of openssl_rsa_private_key.destroy.
+ * Implementation of openssl_rsa_private_key.decrypt.
  */
 static bool decrypt(private_openssl_rsa_private_key_t *this,
 					chunk_t crypto, chunk_t *plain)
@@ -183,7 +191,7 @@ static bool decrypt(private_openssl_rsa_private_key_t *this,
 }
 
 /**
- * Implementation of openssl_rsa_private_key.destroy.
+ * Implementation of openssl_rsa_private_key.get_keysize.
  */
 static size_t get_keysize(private_openssl_rsa_private_key_t *this)
 {
@@ -191,7 +199,7 @@ static size_t get_keysize(private_openssl_rsa_private_key_t *this)
 }
 
 /**
- * Implementation of openssl_rsa_private_key.destroy.
+ * Implementation of openssl_rsa_private_key.get_id.
  */
 static identification_t* get_id(private_openssl_rsa_private_key_t *this,
 								id_type_t type)
@@ -208,7 +216,7 @@ static identification_t* get_id(private_openssl_rsa_private_key_t *this,
 }
 
 /**
- * Implementation of openssl_rsa_private_key.destroy.
+ * Implementation of openssl_rsa_private_key.get_public_key.
  */
 static openssl_rsa_public_key_t* get_public_key(private_openssl_rsa_private_key_t *this)
 {
@@ -216,7 +224,35 @@ static openssl_rsa_public_key_t* get_public_key(private_openssl_rsa_private_key_
 }
 
 /**
- * Implementation of openssl_rsa_private_key.destroy.
+ * Implementation of openssl_rsa_private_key.equals.
+ */
+static bool equals(private_openssl_rsa_private_key_t *this, private_key_t *other)
+{
+	identification_t *keyid;
+
+	if (&this->public.interface == other)
+	{
+		return TRUE;
+	}
+	if (other->get_type(other) != KEY_RSA)
+	{
+		return FALSE;
+	}
+	keyid = other->get_id(other, ID_PUBKEY_SHA1);
+	if (keyid && keyid->equals(keyid, this->keyid))
+	{
+		return TRUE;
+	}
+	keyid = other->get_id(other, ID_PUBKEY_INFO_SHA1);
+	if (keyid && keyid->equals(keyid, this->keyid_info))
+	{
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/**
+ * Implementation of openssl_rsa_private_key.belongs_to.
  */
 static bool belongs_to(private_openssl_rsa_private_key_t *this, public_key_t *public)
 {
@@ -255,7 +291,7 @@ static chunk_t get_encoding(private_openssl_rsa_private_key_t *this)
 }
 
 /**
- * Implementation of openssl_rsa_private_key.destroy.
+ * Implementation of openssl_rsa_private_key.get_ref.
  */
 static private_openssl_rsa_private_key_t* get_ref(private_openssl_rsa_private_key_t *this)
 {
@@ -288,16 +324,17 @@ static private_openssl_rsa_private_key_t *openssl_rsa_private_key_create_empty(v
 {
 	private_openssl_rsa_private_key_t *this = malloc_thing(private_openssl_rsa_private_key_t);
 	
-	this->public.interface.get_type = (key_type_t (*)(private_key_t *this))get_type;
-	this->public.interface.sign = (bool (*)(private_key_t *this, signature_scheme_t scheme, chunk_t data, chunk_t *signature))sign;
-	this->public.interface.decrypt = (bool (*)(private_key_t *this, chunk_t crypto, chunk_t *plain))decrypt;
-	this->public.interface.get_keysize = (size_t (*) (private_key_t *this))get_keysize;
-	this->public.interface.get_id = (identification_t* (*) (private_key_t *this,id_type_t))get_id;
-	this->public.interface.get_public_key = (public_key_t* (*)(private_key_t *this))get_public_key;
-	this->public.interface.belongs_to = (bool (*) (private_key_t *this, public_key_t *public))belongs_to;
-	this->public.interface.get_encoding = (chunk_t(*)(private_key_t*))get_encoding;
-	this->public.interface.get_ref = (private_key_t* (*)(private_key_t *this))get_ref;
-	this->public.interface.destroy = (void (*)(private_key_t *this))destroy;
+	this->public.interface.get_type = (key_type_t (*) (private_key_t*))get_type;
+	this->public.interface.sign = (bool (*) (private_key_t*, signature_scheme_t, chunk_t, chunk_t*))sign;
+	this->public.interface.decrypt = (bool (*) (private_key_t*, chunk_t, chunk_t*))decrypt;
+	this->public.interface.get_keysize = (size_t (*) (private_key_t*))get_keysize;
+	this->public.interface.get_id = (identification_t* (*) (private_key_t*, id_type_t))get_id;
+	this->public.interface.get_public_key = (public_key_t* (*) (private_key_t*))get_public_key;
+	this->public.interface.equals = (bool (*) (private_key_t*, private_key_t*))equals;
+	this->public.interface.belongs_to = (bool (*) (private_key_t*, public_key_t*))belongs_to;
+	this->public.interface.get_encoding = (chunk_t(*) (private_key_t*))get_encoding;
+	this->public.interface.get_ref = (private_key_t* (*) (private_key_t*))get_ref;
+	this->public.interface.destroy = (void (*) (private_key_t*))destroy;
 	
 	this->engine = FALSE;
 	this->keyid = NULL;
diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.h b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.h
index 05d83416c..53ec44b28 100644
--- a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.h
+++ b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- * 
- * $Id: openssl_rsa_private_key.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
index 794fa8123..89912f24c 100644
--- a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: openssl_rsa_public_key.c 4567 2008-11-04 14:05:42Z martin $
  */
 
 #include "openssl_rsa_public_key.h"
@@ -62,49 +60,65 @@ static bool verify_emsa_pkcs1_signature(private_openssl_rsa_public_key_t *this,
 										int type, chunk_t data, chunk_t signature)
 {
 	bool valid = FALSE;
-	const EVP_MD *hasher = EVP_get_digestbynid(type);
-	if (!hasher)
-	{
-		return FALSE;
-	}
-	
-	EVP_MD_CTX *ctx = EVP_MD_CTX_create();
-	EVP_PKEY *key = EVP_PKEY_new();
-	if (!ctx || !key)
-	{
-		goto error;
-	}
-	
-	if (!EVP_PKEY_set1_RSA(key, this->rsa))
-	{
-		goto error;
-	}
-	
-	if (!EVP_VerifyInit_ex(ctx, hasher, NULL))
+	int rsa_size = RSA_size(this->rsa);
+
+	/* OpenSSL expects a signature of exactly RSA size (no leading 0x00) */
+	if (signature.len > rsa_size)
 	{
-		goto error;
+		signature = chunk_skip(signature, signature.len - rsa_size);
 	}
-	
-	if (!EVP_VerifyUpdate(ctx, data.ptr, data.len))
+
+	if (type == NID_undef)
 	{
-		goto error;
+		chunk_t hash = chunk_alloc(rsa_size);
+
+		hash.len = RSA_public_decrypt(signature.len, signature.ptr, hash.ptr,
+									  this->rsa, RSA_PKCS1_PADDING);
+		valid = chunk_equals(data, hash);
+		free(hash.ptr);
 	}
-	
-	/* VerifyFinal expects a signature of exactly RSA size (no leading 0x00) */
-	if (signature.len > RSA_size(this->rsa))
+	else
 	{
-		signature = chunk_skip(signature, signature.len - RSA_size(this->rsa));
-	}
-	valid = (EVP_VerifyFinal(ctx, signature.ptr, signature.len, key) == 1);
+		EVP_MD_CTX *ctx;
+		EVP_PKEY *key;
+		const EVP_MD *hasher;
+
+		hasher = EVP_get_digestbynid(type);
+		if (!hasher)
+		{
+			return FALSE;
+		}
+
+		ctx = EVP_MD_CTX_create();
+		key = EVP_PKEY_new();
+
+		if (!ctx || !key)
+		{
+			goto error;
+		}
+		if (!EVP_PKEY_set1_RSA(key, this->rsa))
+		{
+			goto error;
+		}
+		if (!EVP_VerifyInit_ex(ctx, hasher, NULL))
+		{
+			goto error;
+		}
+		if (!EVP_VerifyUpdate(ctx, data.ptr, data.len))
+		{
+			goto error;
+		}
+		valid = (EVP_VerifyFinal(ctx, signature.ptr, signature.len, key) == 1);
 	
 error:
-	if (key)
-	{
-		EVP_PKEY_free(key);
-	}
-	if (ctx)
-	{
-		EVP_MD_CTX_destroy(ctx);
+		if (key)
+		{
+			EVP_PKEY_free(key);
+		}
+		if (ctx)
+		{
+			EVP_MD_CTX_destroy(ctx);
+		}
 	}
 	return valid;
 }
@@ -125,8 +139,8 @@ static bool verify(private_openssl_rsa_public_key_t *this, signature_scheme_t sc
 {
 	switch (scheme)
 	{
-		case SIGN_DEFAULT:
-			/* default is EMSA-PKCS1 using SHA1 */
+		case SIGN_RSA_EMSA_PKCS1_NULL:
+			return verify_emsa_pkcs1_signature(this, NID_undef, data, signature);
 		case SIGN_RSA_EMSA_PKCS1_SHA1:
 			return verify_emsa_pkcs1_signature(this, NID_sha1, data, signature);
 		case SIGN_RSA_EMSA_PKCS1_SHA256:
@@ -147,12 +161,40 @@ static bool verify(private_openssl_rsa_public_key_t *this, signature_scheme_t sc
 /**
  * Implementation of public_key_t.get_keysize.
  */
-static bool encrypt(private_openssl_rsa_public_key_t *this, chunk_t crypto, chunk_t *plain)
+static bool encrypt_(private_openssl_rsa_public_key_t *this, chunk_t crypto, chunk_t *plain)
 {
 	DBG1("RSA public key encryption not implemented");
 	return FALSE;
 }
 
+/**
+ * Implementation of public_key_t.equals.
+ */
+static bool equals(private_openssl_rsa_public_key_t *this, public_key_t *other)
+{
+	identification_t *keyid;
+
+	if (&this->public.interface == other)
+	{
+		return TRUE;
+	}
+	if (other->get_type(other) != KEY_RSA)
+	{
+		return FALSE;
+	}
+	keyid = other->get_id(other, ID_PUBKEY_SHA1);
+	if (keyid && keyid->equals(keyid, this->keyid))
+	{
+		return TRUE;
+	}
+	keyid = other->get_id(other, ID_PUBKEY_INFO_SHA1);
+	if (keyid && keyid->equals(keyid, this->keyid_info))
+	{
+		return TRUE;
+	}
+	return FALSE;
+}
+
 /**
  * Implementation of public_key_t.get_keysize.
  */
@@ -263,7 +305,8 @@ static private_openssl_rsa_public_key_t *openssl_rsa_public_key_create_empty()
 	
 	this->public.interface.get_type = (key_type_t (*)(public_key_t *this))get_type;
 	this->public.interface.verify = (bool (*)(public_key_t *this, signature_scheme_t scheme, chunk_t data, chunk_t signature))verify;
-	this->public.interface.encrypt = (bool (*)(public_key_t *this, chunk_t crypto, chunk_t *plain))encrypt;
+	this->public.interface.encrypt = (bool (*)(public_key_t *this, chunk_t crypto, chunk_t *plain))encrypt_;
+	this->public.interface.equals = (bool (*) (public_key_t*, public_key_t*))equals;
 	this->public.interface.get_keysize = (size_t (*) (public_key_t *this))get_keysize;
 	this->public.interface.get_id = (identification_t* (*) (public_key_t *this,id_type_t))get_id;
 	this->public.interface.get_encoding = (chunk_t(*)(public_key_t*))get_encoding;
diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.h b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.h
index c97ba1b92..ff99ddbc5 100644
--- a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.h
+++ b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: openssl_rsa_public_key.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/libstrongswan/plugins/openssl/openssl_util.c b/src/libstrongswan/plugins/openssl/openssl_util.c
index 3c4f6595b..bb0c296e1 100644
--- a/src/libstrongswan/plugins/openssl/openssl_util.c
+++ b/src/libstrongswan/plugins/openssl/openssl_util.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: openssl_util.c 4051 2008-06-10 09:08:27Z tobias $
  */
 
 #include "openssl_util.h"
diff --git a/src/libstrongswan/plugins/openssl/openssl_util.h b/src/libstrongswan/plugins/openssl/openssl_util.h
index e780e2a25..6ba1ff07b 100644
--- a/src/libstrongswan/plugins/openssl/openssl_util.h
+++ b/src/libstrongswan/plugins/openssl/openssl_util.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: openssl_util.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/libstrongswan/plugins/padlock/Makefile.in b/src/libstrongswan/plugins/padlock/Makefile.in
index 290b4836d..7fe0cc198 100644
--- a/src/libstrongswan/plugins/padlock/Makefile.in
+++ b/src/libstrongswan/plugins/padlock/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -89,6 +89,7 @@ CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -111,6 +112,9 @@ LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -122,6 +126,7 @@ MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
 NM = @NM@
 NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
@@ -135,6 +140,8 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 RANLIB = @RANLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -195,6 +202,7 @@ oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
 plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -206,6 +214,7 @@ srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 xml_CFLAGS = @xml_CFLAGS@
@@ -227,8 +236,8 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
 	    *$$dep*) \
-	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
-		&& exit 0; \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
 	      exit 1;; \
 	  esac; \
 	done; \
@@ -325,7 +334,7 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
 	mkid -fID $$unique
 tags: TAGS
diff --git a/src/libstrongswan/plugins/padlock/padlock_aes_crypter.c b/src/libstrongswan/plugins/padlock/padlock_aes_crypter.c
index f6f9b3501..afdd85b79 100644
--- a/src/libstrongswan/plugins/padlock/padlock_aes_crypter.c
+++ b/src/libstrongswan/plugins/padlock/padlock_aes_crypter.c
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 #include "padlock_aes_crypter.h"
diff --git a/src/libstrongswan/plugins/padlock/padlock_plugin.c b/src/libstrongswan/plugins/padlock/padlock_plugin.c
index d0b55bcd9..dddb73551 100644
--- a/src/libstrongswan/plugins/padlock/padlock_plugin.c
+++ b/src/libstrongswan/plugins/padlock/padlock_plugin.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 #include "padlock_plugin.h"
@@ -159,7 +157,7 @@ plugin_t *plugin_create()
 	
 	if (this->features & PADLOCK_RNG_ENABLED)
 	{
-		lib->crypto->add_rng(lib->crypto, RNG_REAL,
+		lib->crypto->add_rng(lib->crypto, RNG_TRUE,
 						(rng_constructor_t)padlock_rng_create);
 		lib->crypto->add_rng(lib->crypto, RNG_STRONG,
 						(rng_constructor_t)padlock_rng_create);
diff --git a/src/libstrongswan/plugins/padlock/padlock_rng.c b/src/libstrongswan/plugins/padlock/padlock_rng.c
index 50d9f0c43..8a04dccfc 100644
--- a/src/libstrongswan/plugins/padlock/padlock_rng.c
+++ b/src/libstrongswan/plugins/padlock/padlock_rng.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 #include "padlock_rng.h"
@@ -126,7 +124,7 @@ padlock_rng_t *padlock_rng_create(rng_quality_t quality)
 		case RNG_STRONG:
 			this->quality = PADLOCK_QF1;
 			break;
-		case RNG_REAL:
+		case RNG_TRUE:
 			this->quality = PADLOCK_QF3;
 			break;
 	}
diff --git a/src/libstrongswan/plugins/padlock/padlock_rng.h b/src/libstrongswan/plugins/padlock/padlock_rng.h
index 505f4649c..237d8fbe2 100644
--- a/src/libstrongswan/plugins/padlock/padlock_rng.h
+++ b/src/libstrongswan/plugins/padlock/padlock_rng.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 /**
diff --git a/src/libstrongswan/plugins/padlock/padlock_sha1_hasher.c b/src/libstrongswan/plugins/padlock/padlock_sha1_hasher.c
index 4ac5ddf4d..b5a6abc64 100644
--- a/src/libstrongswan/plugins/padlock/padlock_sha1_hasher.c
+++ b/src/libstrongswan/plugins/padlock/padlock_sha1_hasher.c
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 #include <string.h>
diff --git a/src/libstrongswan/plugins/plugin_loader.c b/src/libstrongswan/plugins/plugin_loader.c
index 6480a2760..ad5a9e240 100644
--- a/src/libstrongswan/plugins/plugin_loader.c
+++ b/src/libstrongswan/plugins/plugin_loader.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: plugin_loader.c 4144 2008-07-02 08:19:43Z martin $
  */
 
 #define _GNU_SOURCE
diff --git a/src/libstrongswan/plugins/pubkey/Makefile.in b/src/libstrongswan/plugins/pubkey/Makefile.in
index eb5e19f08..4514424f2 100644
--- a/src/libstrongswan/plugins/pubkey/Makefile.in
+++ b/src/libstrongswan/plugins/pubkey/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -89,6 +89,7 @@ CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -111,6 +112,9 @@ LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -122,6 +126,7 @@ MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
 NM = @NM@
 NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
@@ -135,6 +140,8 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 RANLIB = @RANLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -195,6 +202,7 @@ oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
 plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -206,6 +214,7 @@ srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 xml_CFLAGS = @xml_CFLAGS@
@@ -226,8 +235,8 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
 	    *$$dep*) \
-	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
-		&& exit 0; \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
 	      exit 1;; \
 	  esac; \
 	done; \
@@ -323,7 +332,7 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
 	mkid -fID $$unique
 tags: TAGS
diff --git a/src/libstrongswan/plugins/pubkey/pubkey_cert.c b/src/libstrongswan/plugins/pubkey/pubkey_cert.c
index 762557094..863a8a1d4 100644
--- a/src/libstrongswan/plugins/pubkey/pubkey_cert.c
+++ b/src/libstrongswan/plugins/pubkey/pubkey_cert.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 #include "pubkey_cert.h"
diff --git a/src/libstrongswan/plugins/pubkey/pubkey_cert.h b/src/libstrongswan/plugins/pubkey/pubkey_cert.h
index b04824fee..394fc8b98 100644
--- a/src/libstrongswan/plugins/pubkey/pubkey_cert.h
+++ b/src/libstrongswan/plugins/pubkey/pubkey_cert.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 /**
diff --git a/src/libstrongswan/plugins/pubkey/pubkey_plugin.c b/src/libstrongswan/plugins/pubkey/pubkey_plugin.c
index dd7ac6fd1..7672e8dc1 100644
--- a/src/libstrongswan/plugins/pubkey/pubkey_plugin.c
+++ b/src/libstrongswan/plugins/pubkey/pubkey_plugin.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 #include "pubkey_plugin.h"
diff --git a/src/libstrongswan/plugins/pubkey/pubkey_public_key.c b/src/libstrongswan/plugins/pubkey/pubkey_public_key.c
index 4b5f4aac2..6d3ae66ab 100644
--- a/src/libstrongswan/plugins/pubkey/pubkey_public_key.c
+++ b/src/libstrongswan/plugins/pubkey/pubkey_public_key.c
@@ -13,8 +13,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: pubkey_public_key.c 4379 2008-10-08 01:19:26Z andreas $
  */
 
 #include "pubkey_public_key.h"
@@ -147,7 +145,7 @@ static void add(private_builder_t *this, builder_part_t part, ...)
 				va_start(args, part);
 				pem = va_arg(args, char *);
 				blob = chunk_clone(chunk_create(pem, strlen(pem)));
-				if (pem_to_bin(&blob, &chunk_empty, &pgp))
+				if (pem_to_bin(&blob, chunk_empty, &pgp) == SUCCESS)
 				{
 					this->key = pubkey_public_key_load(chunk_clone(blob));
 				}
diff --git a/src/libstrongswan/plugins/pubkey/pubkey_public_key.h b/src/libstrongswan/plugins/pubkey/pubkey_public_key.h
index 0545feeee..d3198fab2 100644
--- a/src/libstrongswan/plugins/pubkey/pubkey_public_key.h
+++ b/src/libstrongswan/plugins/pubkey/pubkey_public_key.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: pubkey_public_key.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/libstrongswan/plugins/random/Makefile.in b/src/libstrongswan/plugins/random/Makefile.in
index f5e3c4cc9..0bed27468 100644
--- a/src/libstrongswan/plugins/random/Makefile.in
+++ b/src/libstrongswan/plugins/random/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -88,6 +88,7 @@ CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -110,6 +111,9 @@ LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -121,6 +125,7 @@ MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
 NM = @NM@
 NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
@@ -134,6 +139,8 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 RANLIB = @RANLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -194,6 +201,7 @@ oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
 plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -205,6 +213,7 @@ srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 xml_CFLAGS = @xml_CFLAGS@
@@ -224,8 +233,8 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
 	    *$$dep*) \
-	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
-		&& exit 0; \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
 	      exit 1;; \
 	  esac; \
 	done; \
@@ -320,7 +329,7 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
 	mkid -fID $$unique
 tags: TAGS
diff --git a/src/libstrongswan/plugins/random/random_plugin.c b/src/libstrongswan/plugins/random/random_plugin.c
index 3eff81ee0..5f04f1d79 100644
--- a/src/libstrongswan/plugins/random/random_plugin.c
+++ b/src/libstrongswan/plugins/random/random_plugin.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 #include "random_plugin.h"
@@ -54,7 +52,7 @@ plugin_t *plugin_create()
 	
 	lib->crypto->add_rng(lib->crypto, RNG_STRONG, 
 						 (rng_constructor_t)random_rng_create);
-	lib->crypto->add_rng(lib->crypto, RNG_REAL, 
+	lib->crypto->add_rng(lib->crypto, RNG_TRUE, 
 						 (rng_constructor_t)random_rng_create);
 	
 	return &this->public.plugin;
diff --git a/src/libstrongswan/plugins/random/random_rng.c b/src/libstrongswan/plugins/random/random_rng.c
index 45a1b5138..22d21574e 100644
--- a/src/libstrongswan/plugins/random/random_rng.c
+++ b/src/libstrongswan/plugins/random/random_rng.c
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 #include <string.h>
@@ -114,7 +112,7 @@ random_rng_t *random_rng_create(rng_quality_t quality)
 	this->public.rng.allocate_bytes = (void (*) (rng_t *, size_t, chunk_t*)) allocate_bytes;
 	this->public.rng.destroy = (void (*) (rng_t *))destroy;
 
-	if (quality == RNG_REAL)
+	if (quality == RNG_TRUE)
 	{
 		this->file = DEV_RANDOM;
 	}
diff --git a/src/libstrongswan/plugins/random/random_rng.h b/src/libstrongswan/plugins/random/random_rng.h
index 3426d694e..bcb9cb204 100644
--- a/src/libstrongswan/plugins/random/random_rng.h
+++ b/src/libstrongswan/plugins/random/random_rng.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
  
 /**
diff --git a/src/libstrongswan/plugins/sha1/Makefile.in b/src/libstrongswan/plugins/sha1/Makefile.in
index ece7381b2..c8b8905bb 100644
--- a/src/libstrongswan/plugins/sha1/Makefile.in
+++ b/src/libstrongswan/plugins/sha1/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -88,6 +88,7 @@ CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -110,6 +111,9 @@ LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -121,6 +125,7 @@ MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
 NM = @NM@
 NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
@@ -134,6 +139,8 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 RANLIB = @RANLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -194,6 +201,7 @@ oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
 plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -205,6 +213,7 @@ srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 xml_CFLAGS = @xml_CFLAGS@
@@ -224,8 +233,8 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
 	    *$$dep*) \
-	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
-		&& exit 0; \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
 	      exit 1;; \
 	  esac; \
 	done; \
@@ -321,7 +330,7 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
 	mkid -fID $$unique
 tags: TAGS
diff --git a/src/libstrongswan/plugins/sha1/sha1_hasher.c b/src/libstrongswan/plugins/sha1/sha1_hasher.c
index ea0882cb5..ba3dd9592 100644
--- a/src/libstrongswan/plugins/sha1/sha1_hasher.c
+++ b/src/libstrongswan/plugins/sha1/sha1_hasher.c
@@ -15,8 +15,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: sha1_hasher.c 4308 2008-08-28 10:57:24Z martin $
  */
 
 #include <string.h>
diff --git a/src/libstrongswan/plugins/sha1/sha1_plugin.c b/src/libstrongswan/plugins/sha1/sha1_plugin.c
index 58f0faf56..b9eb62ac5 100644
--- a/src/libstrongswan/plugins/sha1/sha1_plugin.c
+++ b/src/libstrongswan/plugins/sha1/sha1_plugin.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: sha1_plugin.c 4308 2008-08-28 10:57:24Z martin $
  */
 
 #include "sha1_plugin.h"
diff --git a/src/libstrongswan/plugins/sha1/sha1_prf.c b/src/libstrongswan/plugins/sha1/sha1_prf.c
index 668801caf..4a5f7c293 100644
--- a/src/libstrongswan/plugins/sha1/sha1_prf.c
+++ b/src/libstrongswan/plugins/sha1/sha1_prf.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 #include "sha1_prf.h"
diff --git a/src/libstrongswan/plugins/sha2/Makefile.in b/src/libstrongswan/plugins/sha2/Makefile.in
index 6b28b68a1..f37c93502 100644
--- a/src/libstrongswan/plugins/sha2/Makefile.in
+++ b/src/libstrongswan/plugins/sha2/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -87,6 +87,7 @@ CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -109,6 +110,9 @@ LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -120,6 +124,7 @@ MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
 NM = @NM@
 NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
@@ -133,6 +138,8 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 RANLIB = @RANLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -193,6 +200,7 @@ oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
 plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -204,6 +212,7 @@ srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 xml_CFLAGS = @xml_CFLAGS@
@@ -221,8 +230,8 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
 	    *$$dep*) \
-	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
-		&& exit 0; \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
 	      exit 1;; \
 	  esac; \
 	done; \
@@ -317,7 +326,7 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
 	mkid -fID $$unique
 tags: TAGS
diff --git a/src/libstrongswan/plugins/sha2/sha2_hasher.c b/src/libstrongswan/plugins/sha2/sha2_hasher.c
index ca9c2f926..0e8811cca 100644
--- a/src/libstrongswan/plugins/sha2/sha2_hasher.c
+++ b/src/libstrongswan/plugins/sha2/sha2_hasher.c
@@ -14,8 +14,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: sha2_hasher.c 3488 2008-02-21 15:10:02Z martin $
  */
 
 #include <string.h>
diff --git a/src/libstrongswan/plugins/sha2/sha2_plugin.c b/src/libstrongswan/plugins/sha2/sha2_plugin.c
index ebb2947ef..21bc592dc 100644
--- a/src/libstrongswan/plugins/sha2/sha2_plugin.c
+++ b/src/libstrongswan/plugins/sha2/sha2_plugin.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: sha2_plugin.c 3488 2008-02-21 15:10:02Z martin $
  */
 
 #include "sha2_plugin.h"
diff --git a/src/libstrongswan/plugins/sqlite/Makefile.in b/src/libstrongswan/plugins/sqlite/Makefile.in
index e6732a195..547548bd7 100644
--- a/src/libstrongswan/plugins/sqlite/Makefile.in
+++ b/src/libstrongswan/plugins/sqlite/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -89,6 +89,7 @@ CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -111,6 +112,9 @@ LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -122,6 +126,7 @@ MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
 NM = @NM@
 NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
@@ -135,6 +140,8 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 RANLIB = @RANLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -195,6 +202,7 @@ oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
 plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -206,6 +214,7 @@ srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 xml_CFLAGS = @xml_CFLAGS@
@@ -226,8 +235,8 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
 	    *$$dep*) \
-	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
-		&& exit 0; \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
 	      exit 1;; \
 	  esac; \
 	done; \
@@ -322,7 +331,7 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
 	mkid -fID $$unique
 tags: TAGS
diff --git a/src/libstrongswan/plugins/sqlite/sqlite_database.c b/src/libstrongswan/plugins/sqlite/sqlite_database.c
index c8d9e5beb..ce873b714 100644
--- a/src/libstrongswan/plugins/sqlite/sqlite_database.c
+++ b/src/libstrongswan/plugins/sqlite/sqlite_database.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: sqlite_database.c 4268 2008-08-21 11:58:58Z andreas $
  */
 
 #include "sqlite_database.h"
diff --git a/src/libstrongswan/plugins/sqlite/sqlite_plugin.c b/src/libstrongswan/plugins/sqlite/sqlite_plugin.c
index 441e59a5e..bedf91e0f 100644
--- a/src/libstrongswan/plugins/sqlite/sqlite_plugin.c
+++ b/src/libstrongswan/plugins/sqlite/sqlite_plugin.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: sqlite_plugin.c 3488 2008-02-21 15:10:02Z martin $
  */
 
 #include "sqlite_plugin.h"
diff --git a/src/libstrongswan/plugins/test_vectors/Makefile.am b/src/libstrongswan/plugins/test_vectors/Makefile.am
new file mode 100644
index 000000000..27d17c084
--- /dev/null
+++ b/src/libstrongswan/plugins/test_vectors/Makefile.am
@@ -0,0 +1,33 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = -rdynamic
+
+plugin_LTLIBRARIES = libstrongswan-test-vectors.la
+
+libstrongswan_test_vectors_la_SOURCES = \
+	test_vectors_plugin.h test_vectors_plugin.c test_vectors.h \
+	test_vectors/3des_cbc.c \
+	test_vectors/aes_cbc.c \
+	test_vectors/aes_xcbc.c \
+	test_vectors/blowfish.c \
+	test_vectors/camellia_cbc.c \
+	test_vectors/cast.c \
+	test_vectors/des.c \
+	test_vectors/idea.c \
+	test_vectors/null.c \
+	test_vectors/rc5.c \
+	test_vectors/serpent_cbc.c \
+	test_vectors/twofish_cbc.c \
+	test_vectors/md2.c \
+	test_vectors/md4.c \
+	test_vectors/md5.c \
+	test_vectors/md5_hmac.c \
+	test_vectors/sha1.c \
+	test_vectors/sha1_hmac.c \
+	test_vectors/sha2.c \
+	test_vectors/sha2_hmac.c \
+	test_vectors/fips_prf.c \
+	test_vectors/rng.c
+libstrongswan_test_vectors_la_LDFLAGS = -module
+
diff --git a/src/libstrongswan/plugins/test_vectors/Makefile.in b/src/libstrongswan/plugins/test_vectors/Makefile.in
new file mode 100644
index 000000000..bb877620c
--- /dev/null
+++ b/src/libstrongswan/plugins/test_vectors/Makefile.in
@@ -0,0 +1,710 @@
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libstrongswan/plugins/test_vectors
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__installdirs = "$(DESTDIR)$(plugindir)"
+pluginLTLIBRARIES_INSTALL = $(INSTALL)
+LTLIBRARIES = $(plugin_LTLIBRARIES)
+libstrongswan_test_vectors_la_LIBADD =
+am_libstrongswan_test_vectors_la_OBJECTS = test_vectors_plugin.lo \
+	3des_cbc.lo aes_cbc.lo aes_xcbc.lo blowfish.lo camellia_cbc.lo \
+	cast.lo des.lo idea.lo null.lo rc5.lo serpent_cbc.lo \
+	twofish_cbc.lo md2.lo md4.lo md5.lo md5_hmac.lo sha1.lo \
+	sha1_hmac.lo sha2.lo sha2_hmac.lo fips_prf.lo rng.lo
+libstrongswan_test_vectors_la_OBJECTS =  \
+	$(am_libstrongswan_test_vectors_la_OBJECTS)
+libstrongswan_test_vectors_la_LINK = $(LIBTOOL) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_test_vectors_la_LDFLAGS) $(LDFLAGS) -o $@
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_test_vectors_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_test_vectors_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
+IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LINUX_HEADERS = @LINUX_HEADERS@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+RANLIB = @RANLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+confdir = @confdir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libstrongswan_plugins = @libstrongswan_plugins@
+linuxdir = @linuxdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+resolv_conf = @resolv_conf@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+simreader = @simreader@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+AM_CFLAGS = -rdynamic
+plugin_LTLIBRARIES = libstrongswan-test-vectors.la
+libstrongswan_test_vectors_la_SOURCES = \
+	test_vectors_plugin.h test_vectors_plugin.c test_vectors.h \
+	test_vectors/3des_cbc.c \
+	test_vectors/aes_cbc.c \
+	test_vectors/aes_xcbc.c \
+	test_vectors/blowfish.c \
+	test_vectors/camellia_cbc.c \
+	test_vectors/cast.c \
+	test_vectors/des.c \
+	test_vectors/idea.c \
+	test_vectors/null.c \
+	test_vectors/rc5.c \
+	test_vectors/serpent_cbc.c \
+	test_vectors/twofish_cbc.c \
+	test_vectors/md2.c \
+	test_vectors/md4.c \
+	test_vectors/md5.c \
+	test_vectors/md5_hmac.c \
+	test_vectors/sha1.c \
+	test_vectors/sha1_hmac.c \
+	test_vectors/sha2.c \
+	test_vectors/sha2_hmac.c \
+	test_vectors/fips_prf.c \
+	test_vectors/rng.c
+
+libstrongswan_test_vectors_la_LDFLAGS = -module
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/libstrongswan/plugins/test_vectors/Makefile'; \
+	cd $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu  src/libstrongswan/plugins/test_vectors/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    f=$(am__strip_dir) \
+	    echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(plugindir)/$$f'"; \
+	    $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(plugindir)/$$f"; \
+	  else :; fi; \
+	done
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  p=$(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$p'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$p"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-test-vectors.la: $(libstrongswan_test_vectors_la_OBJECTS) $(libstrongswan_test_vectors_la_DEPENDENCIES) 
+	$(libstrongswan_test_vectors_la_LINK) -rpath $(plugindir) $(libstrongswan_test_vectors_la_OBJECTS) $(libstrongswan_test_vectors_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/3des_cbc.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/aes_cbc.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/aes_xcbc.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/blowfish.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/camellia_cbc.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cast.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/des.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fips_prf.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/idea.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/md2.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/md4.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/md5.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/md5_hmac.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/null.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rc5.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rng.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/serpent_cbc.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sha1.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sha1_hmac.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sha2.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sha2_hmac.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_vectors_plugin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/twofish_cbc.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+3des_cbc.lo: test_vectors/3des_cbc.c
+@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT 3des_cbc.lo -MD -MP -MF $(DEPDIR)/3des_cbc.Tpo -c -o 3des_cbc.lo `test -f 'test_vectors/3des_cbc.c' || echo '$(srcdir)/'`test_vectors/3des_cbc.c
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/3des_cbc.Tpo $(DEPDIR)/3des_cbc.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/3des_cbc.c' object='3des_cbc.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o 3des_cbc.lo `test -f 'test_vectors/3des_cbc.c' || echo '$(srcdir)/'`test_vectors/3des_cbc.c
+
+aes_cbc.lo: test_vectors/aes_cbc.c
+@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT aes_cbc.lo -MD -MP -MF $(DEPDIR)/aes_cbc.Tpo -c -o aes_cbc.lo `test -f 'test_vectors/aes_cbc.c' || echo '$(srcdir)/'`test_vectors/aes_cbc.c
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/aes_cbc.Tpo $(DEPDIR)/aes_cbc.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/aes_cbc.c' object='aes_cbc.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o aes_cbc.lo `test -f 'test_vectors/aes_cbc.c' || echo '$(srcdir)/'`test_vectors/aes_cbc.c
+
+aes_xcbc.lo: test_vectors/aes_xcbc.c
+@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT aes_xcbc.lo -MD -MP -MF $(DEPDIR)/aes_xcbc.Tpo -c -o aes_xcbc.lo `test -f 'test_vectors/aes_xcbc.c' || echo '$(srcdir)/'`test_vectors/aes_xcbc.c
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/aes_xcbc.Tpo $(DEPDIR)/aes_xcbc.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/aes_xcbc.c' object='aes_xcbc.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o aes_xcbc.lo `test -f 'test_vectors/aes_xcbc.c' || echo '$(srcdir)/'`test_vectors/aes_xcbc.c
+
+blowfish.lo: test_vectors/blowfish.c
+@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT blowfish.lo -MD -MP -MF $(DEPDIR)/blowfish.Tpo -c -o blowfish.lo `test -f 'test_vectors/blowfish.c' || echo '$(srcdir)/'`test_vectors/blowfish.c
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/blowfish.Tpo $(DEPDIR)/blowfish.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/blowfish.c' object='blowfish.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o blowfish.lo `test -f 'test_vectors/blowfish.c' || echo '$(srcdir)/'`test_vectors/blowfish.c
+
+camellia_cbc.lo: test_vectors/camellia_cbc.c
+@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT camellia_cbc.lo -MD -MP -MF $(DEPDIR)/camellia_cbc.Tpo -c -o camellia_cbc.lo `test -f 'test_vectors/camellia_cbc.c' || echo '$(srcdir)/'`test_vectors/camellia_cbc.c
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/camellia_cbc.Tpo $(DEPDIR)/camellia_cbc.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/camellia_cbc.c' object='camellia_cbc.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o camellia_cbc.lo `test -f 'test_vectors/camellia_cbc.c' || echo '$(srcdir)/'`test_vectors/camellia_cbc.c
+
+cast.lo: test_vectors/cast.c
+@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cast.lo -MD -MP -MF $(DEPDIR)/cast.Tpo -c -o cast.lo `test -f 'test_vectors/cast.c' || echo '$(srcdir)/'`test_vectors/cast.c
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/cast.Tpo $(DEPDIR)/cast.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/cast.c' object='cast.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cast.lo `test -f 'test_vectors/cast.c' || echo '$(srcdir)/'`test_vectors/cast.c
+
+des.lo: test_vectors/des.c
+@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT des.lo -MD -MP -MF $(DEPDIR)/des.Tpo -c -o des.lo `test -f 'test_vectors/des.c' || echo '$(srcdir)/'`test_vectors/des.c
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/des.Tpo $(DEPDIR)/des.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/des.c' object='des.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o des.lo `test -f 'test_vectors/des.c' || echo '$(srcdir)/'`test_vectors/des.c
+
+idea.lo: test_vectors/idea.c
+@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT idea.lo -MD -MP -MF $(DEPDIR)/idea.Tpo -c -o idea.lo `test -f 'test_vectors/idea.c' || echo '$(srcdir)/'`test_vectors/idea.c
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/idea.Tpo $(DEPDIR)/idea.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/idea.c' object='idea.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o idea.lo `test -f 'test_vectors/idea.c' || echo '$(srcdir)/'`test_vectors/idea.c
+
+null.lo: test_vectors/null.c
+@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT null.lo -MD -MP -MF $(DEPDIR)/null.Tpo -c -o null.lo `test -f 'test_vectors/null.c' || echo '$(srcdir)/'`test_vectors/null.c
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/null.Tpo $(DEPDIR)/null.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/null.c' object='null.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o null.lo `test -f 'test_vectors/null.c' || echo '$(srcdir)/'`test_vectors/null.c
+
+rc5.lo: test_vectors/rc5.c
+@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rc5.lo -MD -MP -MF $(DEPDIR)/rc5.Tpo -c -o rc5.lo `test -f 'test_vectors/rc5.c' || echo '$(srcdir)/'`test_vectors/rc5.c
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/rc5.Tpo $(DEPDIR)/rc5.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/rc5.c' object='rc5.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rc5.lo `test -f 'test_vectors/rc5.c' || echo '$(srcdir)/'`test_vectors/rc5.c
+
+serpent_cbc.lo: test_vectors/serpent_cbc.c
+@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT serpent_cbc.lo -MD -MP -MF $(DEPDIR)/serpent_cbc.Tpo -c -o serpent_cbc.lo `test -f 'test_vectors/serpent_cbc.c' || echo '$(srcdir)/'`test_vectors/serpent_cbc.c
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/serpent_cbc.Tpo $(DEPDIR)/serpent_cbc.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/serpent_cbc.c' object='serpent_cbc.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o serpent_cbc.lo `test -f 'test_vectors/serpent_cbc.c' || echo '$(srcdir)/'`test_vectors/serpent_cbc.c
+
+twofish_cbc.lo: test_vectors/twofish_cbc.c
+@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT twofish_cbc.lo -MD -MP -MF $(DEPDIR)/twofish_cbc.Tpo -c -o twofish_cbc.lo `test -f 'test_vectors/twofish_cbc.c' || echo '$(srcdir)/'`test_vectors/twofish_cbc.c
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/twofish_cbc.Tpo $(DEPDIR)/twofish_cbc.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/twofish_cbc.c' object='twofish_cbc.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o twofish_cbc.lo `test -f 'test_vectors/twofish_cbc.c' || echo '$(srcdir)/'`test_vectors/twofish_cbc.c
+
+md2.lo: test_vectors/md2.c
+@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT md2.lo -MD -MP -MF $(DEPDIR)/md2.Tpo -c -o md2.lo `test -f 'test_vectors/md2.c' || echo '$(srcdir)/'`test_vectors/md2.c
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/md2.Tpo $(DEPDIR)/md2.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/md2.c' object='md2.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o md2.lo `test -f 'test_vectors/md2.c' || echo '$(srcdir)/'`test_vectors/md2.c
+
+md4.lo: test_vectors/md4.c
+@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT md4.lo -MD -MP -MF $(DEPDIR)/md4.Tpo -c -o md4.lo `test -f 'test_vectors/md4.c' || echo '$(srcdir)/'`test_vectors/md4.c
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/md4.Tpo $(DEPDIR)/md4.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/md4.c' object='md4.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o md4.lo `test -f 'test_vectors/md4.c' || echo '$(srcdir)/'`test_vectors/md4.c
+
+md5.lo: test_vectors/md5.c
+@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT md5.lo -MD -MP -MF $(DEPDIR)/md5.Tpo -c -o md5.lo `test -f 'test_vectors/md5.c' || echo '$(srcdir)/'`test_vectors/md5.c
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/md5.Tpo $(DEPDIR)/md5.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/md5.c' object='md5.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o md5.lo `test -f 'test_vectors/md5.c' || echo '$(srcdir)/'`test_vectors/md5.c
+
+md5_hmac.lo: test_vectors/md5_hmac.c
+@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT md5_hmac.lo -MD -MP -MF $(DEPDIR)/md5_hmac.Tpo -c -o md5_hmac.lo `test -f 'test_vectors/md5_hmac.c' || echo '$(srcdir)/'`test_vectors/md5_hmac.c
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/md5_hmac.Tpo $(DEPDIR)/md5_hmac.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/md5_hmac.c' object='md5_hmac.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o md5_hmac.lo `test -f 'test_vectors/md5_hmac.c' || echo '$(srcdir)/'`test_vectors/md5_hmac.c
+
+sha1.lo: test_vectors/sha1.c
+@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sha1.lo -MD -MP -MF $(DEPDIR)/sha1.Tpo -c -o sha1.lo `test -f 'test_vectors/sha1.c' || echo '$(srcdir)/'`test_vectors/sha1.c
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/sha1.Tpo $(DEPDIR)/sha1.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/sha1.c' object='sha1.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sha1.lo `test -f 'test_vectors/sha1.c' || echo '$(srcdir)/'`test_vectors/sha1.c
+
+sha1_hmac.lo: test_vectors/sha1_hmac.c
+@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sha1_hmac.lo -MD -MP -MF $(DEPDIR)/sha1_hmac.Tpo -c -o sha1_hmac.lo `test -f 'test_vectors/sha1_hmac.c' || echo '$(srcdir)/'`test_vectors/sha1_hmac.c
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/sha1_hmac.Tpo $(DEPDIR)/sha1_hmac.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/sha1_hmac.c' object='sha1_hmac.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sha1_hmac.lo `test -f 'test_vectors/sha1_hmac.c' || echo '$(srcdir)/'`test_vectors/sha1_hmac.c
+
+sha2.lo: test_vectors/sha2.c
+@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sha2.lo -MD -MP -MF $(DEPDIR)/sha2.Tpo -c -o sha2.lo `test -f 'test_vectors/sha2.c' || echo '$(srcdir)/'`test_vectors/sha2.c
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/sha2.Tpo $(DEPDIR)/sha2.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/sha2.c' object='sha2.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sha2.lo `test -f 'test_vectors/sha2.c' || echo '$(srcdir)/'`test_vectors/sha2.c
+
+sha2_hmac.lo: test_vectors/sha2_hmac.c
+@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sha2_hmac.lo -MD -MP -MF $(DEPDIR)/sha2_hmac.Tpo -c -o sha2_hmac.lo `test -f 'test_vectors/sha2_hmac.c' || echo '$(srcdir)/'`test_vectors/sha2_hmac.c
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/sha2_hmac.Tpo $(DEPDIR)/sha2_hmac.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/sha2_hmac.c' object='sha2_hmac.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sha2_hmac.lo `test -f 'test_vectors/sha2_hmac.c' || echo '$(srcdir)/'`test_vectors/sha2_hmac.c
+
+fips_prf.lo: test_vectors/fips_prf.c
+@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT fips_prf.lo -MD -MP -MF $(DEPDIR)/fips_prf.Tpo -c -o fips_prf.lo `test -f 'test_vectors/fips_prf.c' || echo '$(srcdir)/'`test_vectors/fips_prf.c
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/fips_prf.Tpo $(DEPDIR)/fips_prf.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/fips_prf.c' object='fips_prf.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o fips_prf.lo `test -f 'test_vectors/fips_prf.c' || echo '$(srcdir)/'`test_vectors/fips_prf.c
+
+rng.lo: test_vectors/rng.c
+@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rng.lo -MD -MP -MF $(DEPDIR)/rng.Tpo -c -o rng.lo `test -f 'test_vectors/rng.c' || echo '$(srcdir)/'`test_vectors/rng.c
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/rng.Tpo $(DEPDIR)/rng.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/rng.c' object='rng.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rng.lo `test -f 'test_vectors/rng.c' || echo '$(srcdir)/'`test_vectors/rng.c
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	    $$tags $$unique; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$tags $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) $$here
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	    fi; \
+	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
+	mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-info: install-info-am
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
+	distclean-compile distclean-generic distclean-libtool \
+	distclean-tags distdir dvi dvi-am html html-am info info-am \
+	install install-am install-data install-data-am install-dvi \
+	install-dvi-am install-exec install-exec-am install-html \
+	install-html-am install-info install-info-am install-man \
+	install-pdf install-pdf-am install-pluginLTLIBRARIES \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors.h b/src/libstrongswan/plugins/test_vectors/test_vectors.h
new file mode 100644
index 000000000..df5a9c9a8
--- /dev/null
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors.h
@@ -0,0 +1,159 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+TEST_VECTOR_CRYPTER(aes_cbc1)
+TEST_VECTOR_CRYPTER(aes_cbc2)
+TEST_VECTOR_CRYPTER(aes_cbc3)
+TEST_VECTOR_CRYPTER(aes_cbc4)
+TEST_VECTOR_CRYPTER(aes_cbc5)
+TEST_VECTOR_CRYPTER(aes_cbc6)
+TEST_VECTOR_CRYPTER(blowfish1)
+TEST_VECTOR_CRYPTER(blowfish2)
+TEST_VECTOR_CRYPTER(camellia_cbc1)
+TEST_VECTOR_CRYPTER(camellia_cbc2)
+TEST_VECTOR_CRYPTER(camellia_cbc3)
+TEST_VECTOR_CRYPTER(camellia_cbc4)
+TEST_VECTOR_CRYPTER(camellia_cbc5)
+TEST_VECTOR_CRYPTER(camellia_cbc6)
+TEST_VECTOR_CRYPTER(cast1)
+TEST_VECTOR_CRYPTER(des_cbc1)
+TEST_VECTOR_CRYPTER(des_cbc2)
+TEST_VECTOR_CRYPTER(des_ecb1)
+TEST_VECTOR_CRYPTER(des_ecb2)
+TEST_VECTOR_CRYPTER(des3_cbc1)
+TEST_VECTOR_CRYPTER(des3_cbc2)
+TEST_VECTOR_CRYPTER(idea1)
+TEST_VECTOR_CRYPTER(idea2)
+TEST_VECTOR_CRYPTER(null1)
+TEST_VECTOR_CRYPTER(rc5_1)
+TEST_VECTOR_CRYPTER(rc5_2)
+TEST_VECTOR_CRYPTER(serpent_cbc1)
+TEST_VECTOR_CRYPTER(serpent_cbc2)
+TEST_VECTOR_CRYPTER(serpent_cbc3)
+TEST_VECTOR_CRYPTER(serpent_cbc4)
+TEST_VECTOR_CRYPTER(serpent_cbc5)
+TEST_VECTOR_CRYPTER(serpent_cbc6)
+TEST_VECTOR_CRYPTER(twofish_cbc1)
+TEST_VECTOR_CRYPTER(twofish_cbc2)
+TEST_VECTOR_CRYPTER(twofish_cbc3)
+
+TEST_VECTOR_SIGNER(aes_xcbc_s1)
+TEST_VECTOR_SIGNER(aes_xcbc_s2)
+TEST_VECTOR_SIGNER(aes_xcbc_s3)
+TEST_VECTOR_SIGNER(aes_xcbc_s4)
+TEST_VECTOR_SIGNER(aes_xcbc_s5)
+TEST_VECTOR_SIGNER(md5_hmac_s1)
+TEST_VECTOR_SIGNER(md5_hmac_s2)
+TEST_VECTOR_SIGNER(md5_hmac_s3)
+TEST_VECTOR_SIGNER(md5_hmac_s4)
+TEST_VECTOR_SIGNER(sha1_hmac_s1)
+TEST_VECTOR_SIGNER(sha1_hmac_s2)
+TEST_VECTOR_SIGNER(sha1_hmac_s3)
+TEST_VECTOR_SIGNER(sha1_hmac_s4)
+TEST_VECTOR_SIGNER(sha1_hmac_s5)
+TEST_VECTOR_SIGNER(sha1_hmac_s6)
+TEST_VECTOR_SIGNER(sha256_hmac_s1)
+TEST_VECTOR_SIGNER(sha256_hmac_s2)
+TEST_VECTOR_SIGNER(sha256_hmac_s3)
+TEST_VECTOR_SIGNER(sha384_hmac_s1)
+TEST_VECTOR_SIGNER(sha384_hmac_s2)
+TEST_VECTOR_SIGNER(sha384_hmac_s3)
+TEST_VECTOR_SIGNER(sha512_hmac_s1)
+TEST_VECTOR_SIGNER(sha512_hmac_s2)
+TEST_VECTOR_SIGNER(sha512_hmac_s3)
+
+TEST_VECTOR_HASHER(md2_1)
+TEST_VECTOR_HASHER(md2_2)
+TEST_VECTOR_HASHER(md2_3)
+TEST_VECTOR_HASHER(md2_4)
+TEST_VECTOR_HASHER(md2_5)
+TEST_VECTOR_HASHER(md2_6)
+TEST_VECTOR_HASHER(md2_7)
+TEST_VECTOR_HASHER(md4_1)
+TEST_VECTOR_HASHER(md4_2)
+TEST_VECTOR_HASHER(md4_3)
+TEST_VECTOR_HASHER(md4_4)
+TEST_VECTOR_HASHER(md4_5)
+TEST_VECTOR_HASHER(md4_6)
+TEST_VECTOR_HASHER(md4_7)
+TEST_VECTOR_HASHER(md5_1)
+TEST_VECTOR_HASHER(md5_2)
+TEST_VECTOR_HASHER(md5_3)
+TEST_VECTOR_HASHER(md5_4)
+TEST_VECTOR_HASHER(md5_5)
+TEST_VECTOR_HASHER(md5_6)
+TEST_VECTOR_HASHER(md5_7)
+TEST_VECTOR_HASHER(sha1_1)
+TEST_VECTOR_HASHER(sha1_2)
+TEST_VECTOR_HASHER(sha1_3)
+TEST_VECTOR_HASHER(sha256_1)
+TEST_VECTOR_HASHER(sha256_2)
+TEST_VECTOR_HASHER(sha256_3)
+TEST_VECTOR_HASHER(sha384_1)
+TEST_VECTOR_HASHER(sha384_2)
+TEST_VECTOR_HASHER(sha384_3)
+TEST_VECTOR_HASHER(sha512_1)
+TEST_VECTOR_HASHER(sha512_2)
+TEST_VECTOR_HASHER(sha512_3)
+
+TEST_VECTOR_PRF(aes_xcbc_p1)
+TEST_VECTOR_PRF(aes_xcbc_p2)
+TEST_VECTOR_PRF(aes_xcbc_p3)
+TEST_VECTOR_PRF(aes_xcbc_p4)
+TEST_VECTOR_PRF(aes_xcbc_p5)
+TEST_VECTOR_PRF(aes_xcbc_p6)
+TEST_VECTOR_PRF(aes_xcbc_p7)
+TEST_VECTOR_PRF(md5_hmac_p1)
+TEST_VECTOR_PRF(md5_hmac_p2)
+TEST_VECTOR_PRF(md5_hmac_p3)
+TEST_VECTOR_PRF(md5_hmac_p4)
+TEST_VECTOR_PRF(md5_hmac_p5)
+TEST_VECTOR_PRF(md5_hmac_p6)
+TEST_VECTOR_PRF(sha1_hmac_p1)
+TEST_VECTOR_PRF(sha1_hmac_p2)
+TEST_VECTOR_PRF(sha1_hmac_p3)
+TEST_VECTOR_PRF(sha1_hmac_p4)
+TEST_VECTOR_PRF(sha1_hmac_p5)
+TEST_VECTOR_PRF(sha1_hmac_p6)
+TEST_VECTOR_PRF(sha256_hmac_p1)
+TEST_VECTOR_PRF(sha256_hmac_p2)
+TEST_VECTOR_PRF(sha256_hmac_p3)
+TEST_VECTOR_PRF(sha256_hmac_p4)
+TEST_VECTOR_PRF(sha256_hmac_p5)
+TEST_VECTOR_PRF(sha256_hmac_p6)
+TEST_VECTOR_PRF(sha384_hmac_p1)
+TEST_VECTOR_PRF(sha384_hmac_p2)
+TEST_VECTOR_PRF(sha384_hmac_p3)
+TEST_VECTOR_PRF(sha384_hmac_p4)
+TEST_VECTOR_PRF(sha384_hmac_p5)
+TEST_VECTOR_PRF(sha384_hmac_p6)
+TEST_VECTOR_PRF(sha512_hmac_p1)
+TEST_VECTOR_PRF(sha512_hmac_p2)
+TEST_VECTOR_PRF(sha512_hmac_p3)
+TEST_VECTOR_PRF(sha512_hmac_p4)
+TEST_VECTOR_PRF(sha512_hmac_p5)
+TEST_VECTOR_PRF(sha512_hmac_p6)
+TEST_VECTOR_PRF(fips_prf_1)
+
+TEST_VECTOR_RNG(rng_monobit_1)
+TEST_VECTOR_RNG(rng_monobit_2)
+TEST_VECTOR_RNG(rng_monobit_3)
+TEST_VECTOR_RNG(rng_poker_1)
+TEST_VECTOR_RNG(rng_poker_2)
+TEST_VECTOR_RNG(rng_poker_3)
+TEST_VECTOR_RNG(rng_runs_1)
+TEST_VECTOR_RNG(rng_runs_2)
+TEST_VECTOR_RNG(rng_runs_3)
+
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors/3des_cbc.c b/src/libstrongswan/plugins/test_vectors/test_vectors/3des_cbc.c
new file mode 100644
index 000000000..de5658da7
--- /dev/null
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors/3des_cbc.c
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) 2009 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the Licenseor (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be usefulbut
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <crypto/crypto_tester.h>
+
+/**
+ * Example 1 from NIST 3DES MMT
+ */
+crypter_test_vector_t des3_cbc1 = {
+	.alg = ENCR_3DES, .key_size = 24, .len = 8,
+	.key    = "\x62\x7f\x46\x0e\x08\x10\x4a\x10"
+			  "\x43\xcd\x26\x5d\x58\x40\xea\xf1"
+			  "\x31\x3e\xdf\x97\xdf\x2a\x8a\x8c",
+	.iv		= "\x8e\x29\xf7\x5e\xa7\x7e\x54\x75",
+	.plain	= "\x32\x6a\x49\x4c\xd3\x3f\xe7\x56",
+	.cipher	= "\xb2\x2b\x8d\x66\xde\x97\x06\x92"
+};
+
+/**
+ * Example 2 from NIST 3DES MMT
+ */
+crypter_test_vector_t des3_cbc2 = {
+	.alg = ENCR_3DES, .key_size = 24, .len = 16,
+	.key    = "\x37\xae\x5e\xbf\x46\xdf\xf2\xdc"
+			  "\x07\x54\xb9\x4f\x31\xcb\xb3\x85"
+			  "\x5e\x7f\xd3\x6d\xc8\x70\xbf\xae",
+	.iv		= "\x3d\x1d\xe3\xcc\x13\x2e\x3b\x65",
+	.plain	= "\x84\x40\x1f\x78\xfe\x6c\x10\x87\x6d\x8e\xa2\x30\x94\xea\x53\x09",
+	.cipher	= "\x7b\x1f\x7c\x7e\x3b\x1c\x94\x8e\xbd\x04\xa7\x5f\xfb\xa7\xd2\xf5"
+};
+
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors/aes_cbc.c b/src/libstrongswan/plugins/test_vectors/test_vectors/aes_cbc.c
new file mode 100644
index 000000000..26aadb444
--- /dev/null
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors/aes_cbc.c
@@ -0,0 +1,113 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the Licenseor (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be usefulbut
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <crypto/crypto_tester.h>
+
+/**
+ * Test 1 of RFC3602
+ */
+crypter_test_vector_t aes_cbc1 = {
+	.alg = ENCR_AES_CBC, .key_size = 16, .len = 16,
+	.key	= "\x06\xa9\x21\x40\x36\xb8\xa1\x5b\x51\x2e\x03\xd5\x34\x12\x00\x06",
+	.iv		= "\x3d\xaf\xba\x42\x9d\x9e\xb4\x30\xb4\x22\xda\x80\x2c\x9f\xac\x41",
+	.plain	= "Single block msg",
+	.cipher	= "\xe3\x53\x77\x9c\x10\x79\xae\xb8\x27\x08\x94\x2d\xbe\x77\x18\x1a"
+};
+
+/**
+ * Test 2 of RFC3602
+ */
+crypter_test_vector_t aes_cbc2 = {
+	.alg = ENCR_AES_CBC, .key_size = 16, .len = 32,
+	.key	= "\xc2\x86\x69\x6d\x88\x7c\x9a\xa0\x61\x1b\xbb\x3e\x20\x25\xa4\x5a",
+	.iv		= "\x56\x2e\x17\x99\x6d\x09\x3d\x28\xdd\xb3\xba\x69\x5a\x2e\x6f\x58",
+	.plain	= "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
+			  "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f",
+	.cipher	= "\xd2\x96\xcd\x94\xc2\xcc\xcf\x8a\x3a\x86\x30\x28\xb5\xe1\xdc\x0a"
+			  "\x75\x86\x60\x2d\x25\x3c\xff\xf9\x1b\x82\x66\xbe\xa6\xd6\x1a\xb1"
+};
+
+/**
+ * Test 3 of RFC3602
+ */
+crypter_test_vector_t aes_cbc3 = {
+	.alg = ENCR_AES_CBC, .key_size = 16, .len = 64,
+	.key	= "\x56\xe4\x7a\x38\xc5\x59\x89\x74\xbc\x46\x90\x3d\xba\x29\x03\x49",
+	.iv		= "\x8c\xe8\x2e\xef\xbe\xa0\xda\x3c\x44\x69\x9e\xd7\xdb\x51\xb7\xd9",
+	.plain	= "\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf"
+			  "\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf"
+			  "\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf"
+			  "\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf",
+	.cipher	= "\xc3\x0e\x32\xff\xed\xc0\x77\x4e\x6a\xff\x6a\xf0\x86\x9f\x71\xaa"
+			  "\x0f\x3a\xf0\x7a\x9a\x31\xa9\xc6\x84\xdb\x20\x7e\xb0\xef\x8e\x4e"
+			  "\x35\x90\x7a\xa6\x32\xc3\xff\xdf\x86\x8b\xb7\xb2\x9d\x3d\x46\xad"
+			  "\x83\xce\x9f\x9a\x10\x2e\xe9\x9d\x49\xa5\x3e\x87\xf4\xc3\xda\x55"
+};
+
+/**
+ * Test F.2.1 of NIST SP 800-38A 2001
+ */
+crypter_test_vector_t aes_cbc4 = {
+	.alg = ENCR_AES_CBC, .key_size = 16, .len = 64,
+	.key	= "\x2b\x7e\x15\x16\x28\xae\xd2\xa6\xab\xf7\x15\x88\x09\xcf\x4f\x3c",
+	.iv		= "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f",
+	.plain	= "\x6b\xc1\xbe\xe2\x2e\x40\x9f\x96\xe9\x3d\x7e\x11\x73\x93\x17\x2a"
+			  "\xae\x2d\x8a\x57\x1e\x03\xac\x9c\x9e\xb7\x6f\xac\x45\xaf\x8e\x51"
+			  "\x30\xc8\x1c\x46\xa3\x5c\xe4\x11\xe5\xfb\xc1\x19\x1a\x0a\x52\xef"
+			  "\xf6\x9f\x24\x45\xdf\x4f\x9b\x17\xad\x2b\x41\x7b\xe6\x6c\x37\x10",
+	.cipher	= "\x76\x49\xab\xac\x81\x19\xb2\x46\xce\xe9\x8e\x9b\x12\xe9\x19\x7d"
+			  "\x50\x86\xcb\x9b\x50\x72\x19\xee\x95\xdb\x11\x3a\x91\x76\x78\xb2"
+			  "\x73\xbe\xd6\xb8\xe3\xc1\x74\x3b\x71\x16\xe6\x9e\x22\x22\x95\x16"
+			  "\x3f\xf1\xca\xa1\x68\x1f\xac\x09\x12\x0e\xca\x30\x75\x86\xe1\xa7"
+};
+
+/**
+ * Test F.2.3 of NIST SP 800-38A 2001
+ */
+crypter_test_vector_t aes_cbc5 = {
+	.alg = ENCR_AES_CBC, .key_size = 24, .len = 64,
+	.key	= "\x8e\x73\xb0\xf7\xda\x0e\x64\x52\xc8\x10\xf3\x2b\x80\x90\x79\xe5"
+			  "\x62\xf8\xea\xd2\x52\x2c\x6b\x7b",
+	.iv		= "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f",
+	.plain	= "\x6b\xc1\xbe\xe2\x2e\x40\x9f\x96\xe9\x3d\x7e\x11\x73\x93\x17\x2a"
+			  "\xae\x2d\x8a\x57\x1e\x03\xac\x9c\x9e\xb7\x6f\xac\x45\xaf\x8e\x51"
+			  "\x30\xc8\x1c\x46\xa3\x5c\xe4\x11\xe5\xfb\xc1\x19\x1a\x0a\x52\xef"
+			  "\xf6\x9f\x24\x45\xdf\x4f\x9b\x17\xad\x2b\x41\x7b\xe6\x6c\x37\x10",
+	.cipher	= "\x4f\x02\x1d\xb2\x43\xbc\x63\x3d\x71\x78\x18\x3a\x9f\xa0\x71\xe8"
+			  "\xb4\xd9\xad\xa9\xad\x7d\xed\xf4\xe5\xe7\x38\x76\x3f\x69\x14\x5a"
+			  "\x57\x1b\x24\x20\x12\xfb\x7a\xe0\x7f\xa9\xba\xac\x3d\xf1\x02\xe0"
+			  "\x08\xb0\xe2\x79\x88\x59\x88\x81\xd9\x20\xa9\xe6\x4f\x56\x15\xcd"
+};
+
+/**
+ * Test F.2.5 of NIST SP 800-38A 2001
+ */
+crypter_test_vector_t aes_cbc6 = {
+	.alg = ENCR_AES_CBC, .key_size = 32, .len = 64,
+	.key	= "\x60\x3d\xeb\x10\x15\xca\x71\xbe\x2b\x73\xae\xf0\x85\x7d\x77\x81"
+			  "\x1f\x35\x2c\x07\x3b\x61\x08\xd7\x2d\x98\x10\xa3\x09\x14\xdf\xf4",
+	.iv		= "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f",
+	.plain	= "\x6b\xc1\xbe\xe2\x2e\x40\x9f\x96\xe9\x3d\x7e\x11\x73\x93\x17\x2a"
+			  "\xae\x2d\x8a\x57\x1e\x03\xac\x9c\x9e\xb7\x6f\xac\x45\xaf\x8e\x51"
+			  "\x30\xc8\x1c\x46\xa3\x5c\xe4\x11\xe5\xfb\xc1\x19\x1a\x0a\x52\xef"
+			  "\xf6\x9f\x24\x45\xdf\x4f\x9b\x17\xad\x2b\x41\x7b\xe6\x6c\x37\x10",
+	.cipher	= "\xf5\x8c\x4c\x04\xd6\xe5\xf1\xba\x77\x9e\xab\xfb\x5f\x7b\xfb\xd6"
+			  "\x9c\xfc\x4e\x96\x7e\xdb\x80\x8d\x67\x9f\x77\x7b\xc6\x70\x2c\x7d"
+			  "\x39\xf2\x33\x69\xa9\xd9\xba\xcf\xa5\x30\xe2\x63\x04\x23\x14\x61"
+			  "\xb2\xeb\x05\xe2\xc3\x9b\xe9\xfc\xda\x6c\x19\x07\x8c\x6a\x9d\x1b"
+};
+
+
+
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors/aes_xcbc.c b/src/libstrongswan/plugins/test_vectors/test_vectors/aes_xcbc.c
new file mode 100644
index 000000000..56d12f036
--- /dev/null
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors/aes_xcbc.c
@@ -0,0 +1,129 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the Licenseor (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be usefulbut
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <crypto/crypto_tester.h>
+
+/**
+ * RFC 3566 Test Case #1: AES-XCBC-MAC-96 with 0-byte input
+ */
+signer_test_vector_t aes_xcbc_s1 = {
+	.alg = AUTH_AES_XCBC_96, .len = 0,
+	.key	= "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f",
+	.data	= "",
+	.mac	= "\x75\xf0\x25\x1d\x52\x8a\xc0\x1c\x45\x73\xdf\xd5"
+};
+
+prf_test_vector_t aes_xcbc_p1 = {
+	.alg = PRF_AES128_XCBC, .key_size = 16, .len = 0,
+	.key	= "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f",
+	.seed	= "",
+	.out	= "\x75\xf0\x25\x1d\x52\x8a\xc0\x1c\x45\x73\xdf\xd5\x84\xd7\x9f\x29"
+};
+
+/**
+ * RFC 3566 Test Case #2: AES-XCBC-MAC-96 with 3-byte input
+ */
+signer_test_vector_t aes_xcbc_s2 = {
+	.alg = AUTH_AES_XCBC_96, .len = 3,
+	.key	= "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f",
+	.data	= "\x00\x01\x02",
+	.mac	= "\x5b\x37\x65\x80\xae\x2f\x19\xaf\xe7\x21\x9c\xee"
+};
+
+prf_test_vector_t aes_xcbc_p2 = {
+	.alg = PRF_AES128_XCBC, .key_size = 16, .len = 3,
+	.key	= "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f",
+	.seed	= "\x00\x01\x02",
+	.out	= "\x5b\x37\x65\x80\xae\x2f\x19\xaf\xe7\x21\x9c\xee\xf1\x72\x75\x6f"
+};
+
+/**
+ * RFC 3566 Test Case #3: AES-XCBC-MAC-96 with 16-byte input
+ */
+signer_test_vector_t aes_xcbc_s3 = {
+	.alg = AUTH_AES_XCBC_96, .len = 16,
+	.key	= "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f",
+	.data	= "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f",
+	.mac	= "\xd2\xa2\x46\xfa\x34\x9b\x68\xa7\x99\x98\xa4\x39"
+};
+
+prf_test_vector_t aes_xcbc_p3 = {
+	.alg = PRF_AES128_XCBC, .key_size = 16, .len = 16,
+	.key	= "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f",
+	.seed	= "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f",
+	.out	= "\xd2\xa2\x46\xfa\x34\x9b\x68\xa7\x99\x98\xa4\x39\x4f\xf7\xa2\x63"
+};
+
+/**
+ * RFC 3566 Test Case #4: AES-XCBC-MAC-96 with 20-byte input
+ */
+signer_test_vector_t aes_xcbc_s4 = {
+	.alg = AUTH_AES_XCBC_96, .len = 20,
+	.key	= "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f",
+	.data	= "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
+			  "\x10\x11\x12\x13",
+	.mac	= "\x47\xf5\x1b\x45\x64\x96\x62\x15\xb8\x98\x5c\x63"
+};
+
+prf_test_vector_t aes_xcbc_p4 = {
+	.alg = PRF_AES128_XCBC, .key_size = 16, .len = 20,
+	.key	= "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f",
+	.seed	= "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
+			  "\x10\x11\x12\x13",
+	.out	= "\x47\xf5\x1b\x45\x64\x96\x62\x15\xb8\x98\x5c\x63\x05\x5e\xd3\x08"
+};
+
+/**
+ * RFC 3566 Test Case #5: AES-XCBC-MAC-96 with 32-byte input
+ */
+signer_test_vector_t aes_xcbc_s5 = {
+	.alg = AUTH_AES_XCBC_96, .len = 32,
+	.key	= "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f",
+	.data	= "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
+			  "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f",
+	.mac	= "\xf5\x4f\x0e\xc8\xd2\xb9\xf3\xd3\x68\x07\x73\x4b"
+};
+
+prf_test_vector_t aes_xcbc_p5 = {
+	.alg = PRF_AES128_XCBC, .key_size = 16, .len = 32,
+	.key	= "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f",
+	.seed	= "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
+			  "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f",
+	.out	= "\xf5\x4f\x0e\xc8\xd2\xb9\xf3\xd3\x68\x07\x73\x4b\xd5\x28\x3f\xd4"
+};
+
+/**
+ * RFC4434 Test Case: AES-XCBC-PRF-128 with 20-byte input, 10 byte key
+ */
+prf_test_vector_t aes_xcbc_p6 = {
+	.alg = PRF_AES128_XCBC, .key_size = 10, .len = 20,
+	.key	= "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09",
+	.seed	= "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
+			  "\x10\x11\x12\x13",
+	.out	= "\x0f\xa0\x87\xaf\x7d\x86\x6e\x76\x53\x43\x4e\x60\x2f\xdd\xe8\x35"
+};
+
+/**
+ * RFC4434 Test Case: AES-XCBC-PRF-128 with 20-byte input, 18 byte key
+ */
+prf_test_vector_t aes_xcbc_p7 = {
+	.alg = PRF_AES128_XCBC, .key_size = 18, .len = 20,
+	.key	= "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
+			  "\xed\xcb",
+	.seed	= "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
+			  "\x10\x11\x12\x13",
+	.out	= "\x8c\xd3\xc9\x3a\xe5\x98\xa9\x80\x30\x06\xff\xb6\x7c\x40\xe9\xe4"
+};
+
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors/blowfish.c b/src/libstrongswan/plugins/test_vectors/test_vectors/blowfish.c
new file mode 100644
index 000000000..63bbb1261
--- /dev/null
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors/blowfish.c
@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Copyright (C) 2009 Andreas Steffen
+ * Copyright (C) JuanJo Ciarlante <jjo-ipsec@mendoza.gov.ar>
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the Licenseor (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be usefulbut
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <crypto/crypto_tester.h>
+
+/**
+ * Test vector by Eric Young
+ */
+crypter_test_vector_t blowfish1 = {
+	.alg = ENCR_BLOWFISH, .key_size = 16, .len = 32,
+	.key	= "\x01\x23\x45\x67\x89\xAB\xCD\xEF\xF0\xE1\xD2\xC3\xB4\xA5\x96\x87",
+	.iv		= "\xFE\xDC\xBA\x98\x76\x54\x32\x10",
+	.plain	= "7654321 Now is the time for \0\0\0\0",
+	.cipher	= "\x6B\x77\xB4\xD6\x30\x06\xDE\xE6\x05\xB1\x56\xE2\x74\x03\x97\x93"
+			  "\x58\xDE\xB9\xE7\x15\x46\x16\xD9\x59\xF1\x65\x2B\xD5\xFF\x92\xCC"
+};
+
+/**
+ * Test vector by Chilkat Software 
+ * (www.chilkatsoft.com/p/php_blowfish.asp)
+ */
+crypter_test_vector_t blowfish2 = {
+	.alg = ENCR_BLOWFISH, .key_size = 32, .len = 48,
+	.key	= "\x31\x32\x33\x34\x35\x36\x37\x38\x39\x30\x31\x32\x33\x34\x35\x36"
+			  "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50",
+	.iv		= "\x31\x32\x33\x34\x35\x36\x37\x38",
+	.plain	= "The quick brown fox jumped over the lazy dog\0\0\0\0",
+	.cipher	= "\x27\x68\x55\xca\x6c\x0d\x60\xf7\xd9\x70\x82\x10\x44\x0c\x10\x72"
+			  "\xe0\x5d\x07\x8e\x73\x3b\x34\xb4\x19\x8d\x60\x9d\xc2\xfc\xc2\xf0"
+			  "\xc3\x09\x26\xcd\xef\x3b\x6d\x52\xba\xf6\xe3\x45\xaa\x03\xf8\x3e"
+};
+
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors/camellia_cbc.c b/src/libstrongswan/plugins/test_vectors/test_vectors/camellia_cbc.c
new file mode 100644
index 000000000..28c038878
--- /dev/null
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors/camellia_cbc.c
@@ -0,0 +1,91 @@
+/*
+ * Copyright (C) 2009 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the Licenseor (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be usefulbut
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <crypto/crypto_tester.h>
+
+/**
+ * All testvectors from https://www.cosic.esat.kuleuven.be/nessie/testvectors/
+ */
+
+/**
+ * Camellia 128 bit: set 8, vector #0
+ */
+crypter_test_vector_t camellia_cbc1 = {
+	.alg = ENCR_CAMELLIA_CBC, .key_size = 16, .len = 16,
+	.key	= "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F",
+	.iv		= "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
+	.plain	= "\x41\x0E\x33\xF3\x16\xDF\x4A\x72\xAA\x2B\xCD\x41\x14\xE2\x31\x4D",
+	.cipher	= "\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xAA\xBB\xCC\xDD\xEE\xFF"
+};
+
+/**
+ * Camellia 128 bit: set 8, vector #1
+ */
+crypter_test_vector_t camellia_cbc2 = {
+	.alg = ENCR_CAMELLIA_CBC, .key_size = 16, .len = 16,
+	.key	= "\x2B\xD6\x45\x9F\x82\xC5\xB3\x00\x95\x2C\x49\x10\x48\x81\xFF\x48",
+	.iv		= "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
+	.plain	= "\x78\x35\x78\x66\xFD\x8B\x2C\xAE\xD4\xD1\xBB\xA3\xCF\xD5\x34\x0A",
+	.cipher	= "\xEA\x02\x47\x14\xAD\x5C\x4D\x84\xEA\x02\x47\x14\xAD\x5C\x4D\x84"
+};
+
+/**
+ * Camellia 192 bit: set 8, vector #0
+ */
+crypter_test_vector_t camellia_cbc3 = {
+	.alg = ENCR_CAMELLIA_CBC, .key_size = 24, .len = 16,
+	.key	= "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F"
+			  "\x10\x11\x12\x13\x14\x15\x16\x17",
+	.iv		= "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
+	.plain	= "\x94\x1A\xC6\x45\x3C\x3F\x48\xA1\x69\xC2\xF4\xFE\x2B\xBE\x55\x32",
+	.cipher	= "\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xAA\xBB\xCC\xDD\xEE\xFF"
+};
+
+/**
+ * Camellia 192 bit: set 8, vector #1
+ */
+crypter_test_vector_t camellia_cbc4 = {
+	.alg = ENCR_CAMELLIA_CBC, .key_size = 24, .len = 16,
+	.key	= "\x2B\xD6\x45\x9F\x82\xC5\xB3\x00\x95\x2C\x49\x10\x48\x81\xFF\x48"
+			  "\x2B\xD6\x45\x9F\x82\xC5\xB3\x00",
+	.iv		= "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
+	.plain	= "\x29\x2C\x5B\xBF\xD7\x72\xAD\x27\x95\x09\x12\x0F\x3F\x0A\xCD\x48",
+	.cipher	= "\xEA\x02\x47\x14\xAD\x5C\x4D\x84\xEA\x02\x47\x14\xAD\x5C\x4D\x84"
+};
+
+/**
+ * Camellia 256 bit: set 8, vector #0
+ */
+crypter_test_vector_t camellia_cbc5 = {
+	.alg = ENCR_CAMELLIA_CBC, .key_size = 32, .len = 16,
+	.key	= "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F"
+			  "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1A\x1B\x1C\x1D\x1E\x1F",
+	.iv		= "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
+	.plain	= "\x06\x36\x9B\x36\x08\xAE\x43\xCA\x79\xC8\x8B\xCF\x49\x7F\x67\x71",
+	.cipher	= "\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xAA\xBB\xCC\xDD\xEE\xFF"
+};
+
+/**
+ * Camellia 256 bit: set 8, vector #1
+ */
+crypter_test_vector_t camellia_cbc6 = {
+	.alg = ENCR_CAMELLIA_CBC, .key_size = 32, .len = 16,
+	.key	= "\x2B\xD6\x45\x9F\x82\xC5\xB3\x00\x95\x2C\x49\x10\x48\x81\xFF\x48"
+			  "\x2B\xD6\x45\x9F\x82\xC5\xB3\x00\x95\x2C\x49\x10\x48\x81\xFF\x48",
+	.iv		= "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
+	.plain	= "\xE6\x84\x42\x17\x16\xFC\x0B\x01\xAE\xB5\xC6\x76\x51\x20\xF9\x5F",
+	.cipher	= "\xEA\x02\x47\x14\xAD\x5C\x4D\x84\xEA\x02\x47\x14\xAD\x5C\x4D\x84"
+};
+
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors/cast.c b/src/libstrongswan/plugins/test_vectors/test_vectors/cast.c
new file mode 100644
index 000000000..a33a219ed
--- /dev/null
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors/cast.c
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) 2009 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the Licenseor (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be usefulbut
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <crypto/crypto_tester.h>
+
+/**
+ * Test from RFC 2144
+ */
+crypter_test_vector_t cast1 = {
+	.alg = ENCR_CAST, .key_size = 16, .len = 8,
+	.key    = "\x01\x23\x45\x67\x12\x34\x56\x78\x23\x45\x67\x89\x34\x56\x78\x9A",
+	.iv		= "\x00\x00\x00\x00\x00\x00\x00\x00",
+	.plain	= "\x01\x23\x45\x67\x89\xAB\xCD\xEF",
+	.cipher	= "\x23\x8B\x4F\xE5\x84\x7E\x44\xB2"
+};
+
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors/des.c b/src/libstrongswan/plugins/test_vectors/test_vectors/des.c
new file mode 100644
index 000000000..80b5f1010
--- /dev/null
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors/des.c
@@ -0,0 +1,65 @@
+/*
+ * Copyright (C) 2009 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the Licenseor (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be usefulbut
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <crypto/crypto_tester.h>
+
+/**
+ * All testvectors from https://www.cosic.esat.kuleuven.be/nessie/testvectors/
+ */
+
+/**
+ * DES 56 bit: set 8, vector #0
+ */
+crypter_test_vector_t des_ecb1 = {
+	.alg = ENCR_DES_ECB, .key_size = 8, .len = 8,
+	.key	= "\x00\x01\x02\x03\x04\x05\x06\x07",
+	.iv		= "\x00\x00\x00\x00\x00\x00\x00\x00",
+	.plain	= "\x41\xAD\x06\x85\x48\x80\x9D\x02",
+	.cipher	= "\x00\x11\x22\x33\x44\x55\x66\x77"
+};
+
+/**
+ * DES 56 bit: set 8, vector #1
+ */
+crypter_test_vector_t des_ecb2 = {
+	.alg = ENCR_DES_ECB, .key_size = 8, .len = 8,
+	.key	= "\x2B\xD6\x45\x9F\x82\xC5\xB3\x00",
+	.iv		= "\x00\x00\x00\x00\x00\x00\x00\x00",
+	.plain	= "\xB1\x0F\x84\x30\x97\xA0\xF9\x32",
+	.cipher	= "\xEA\x02\x47\x14\xAD\x5C\x4D\x84"
+};
+
+/**
+ * DES 56 bit: set 8, vector #0
+ */
+crypter_test_vector_t des_cbc1 = {
+	.alg = ENCR_DES, .key_size = 8, .len = 8,
+	.key	= "\x00\x01\x02\x03\x04\x05\x06\x07",
+	.iv		= "\x00\x00\x00\x00\x00\x00\x00\x00",
+	.plain	= "\x41\xAD\x06\x85\x48\x80\x9D\x02",
+	.cipher	= "\x00\x11\x22\x33\x44\x55\x66\x77"
+};
+
+/**
+ * DES 56 bit: set 8, vector #1
+ */
+crypter_test_vector_t des_cbc2 = {
+	.alg = ENCR_DES, .key_size = 8, .len = 8,
+	.key	= "\x2B\xD6\x45\x9F\x82\xC5\xB3\x00",
+	.iv		= "\x00\x00\x00\x00\x00\x00\x00\x00",
+	.plain	= "\xB1\x0F\x84\x30\x97\xA0\xF9\x32",
+	.cipher	= "\xEA\x02\x47\x14\xAD\x5C\x4D\x84"
+};
+
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors/fips_prf.c b/src/libstrongswan/plugins/test_vectors/test_vectors/fips_prf.c
new file mode 100644
index 000000000..74e000419
--- /dev/null
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors/fips_prf.c
@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the Licenseor (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be usefulbut
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <crypto/crypto_tester.h>
+
+/**
+ * FIPS PRF known value test
+ */
+prf_test_vector_t fips_prf_1 = {
+	.alg = PRF_FIPS_SHA1_160, .stateful = TRUE, .key_size = 20, .len = 1,
+	.key	= "\xbd\x02\x9b\xbe\x7f\x51\x96\x0b\xcf\x9e\xdb\x2b\x61\xf0\x6f\x0f"
+			  "\xeb\x5a\x38\xb6",
+	.seed	= "\x00",
+	.out	= "\x20\x70\xb3\x22\x3d\xba\x37\x2f\xde\x1c\x0f\xfc\x7b\x2e\x3b\x49"
+			  "\x8b\x26\x06\x14\x3c\x6c\x18\xba\xcb\x0f\x6c\x55\xba\xbb\x13\x78"
+			  "\x8e\x20\xd7\x37\xa3\x27\x51\x16"
+};
+
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors/idea.c b/src/libstrongswan/plugins/test_vectors/test_vectors/idea.c
new file mode 100644
index 000000000..4856a480f
--- /dev/null
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors/idea.c
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) 2009 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the Licenseor (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be usefulbut
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <crypto/crypto_tester.h>
+
+/**
+ * All testvectors from https://www.cosic.esat.kuleuven.be/nessie/testvectors/
+ */
+
+/**
+ * IDEA 128 bit: set 8, vector #0
+ */
+crypter_test_vector_t idea1 = {
+	.alg = ENCR_IDEA, .key_size = 16, .len = 8,
+	.key	= "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F",
+	.iv		= "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
+	.plain	= "\xDB\x2D\x4A\x92\xAA\x68\x27\x3F",
+	.cipher	= "\x00\x11\x22\x33\x44\x55\x66\x77"
+};
+
+/**
+ * IDEA 128 bit: set 8, vector #1
+ */
+crypter_test_vector_t idea2 = {
+	.alg = ENCR_IDEA, .key_size = 16, .len = 8,
+	.key	= "\x2B\xD6\x45\x9F\x82\xC5\xB3\x00\x95\x2C\x49\x10\x48\x81\xFF\x48",
+	.iv		= "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
+	.plain	= "\xF1\x29\xA6\x60\x1E\xF6\x2A\x47",
+	.cipher	= "\xEA\x02\x47\x14\xAD\x5C\x4D\x84"
+};
+
+
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors/md2.c b/src/libstrongswan/plugins/test_vectors/test_vectors/md2.c
new file mode 100644
index 000000000..3348e12d3
--- /dev/null
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors/md2.c
@@ -0,0 +1,63 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the Licenseor (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be usefulbut
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <crypto/crypto_tester.h>
+
+/**
+ * MD2 vectors from RFC 1319
+ */
+hasher_test_vector_t md2_1 = {
+	.alg = HASH_MD2, .len = 0,
+	.data	= "",
+	.hash	= "\x83\x50\xe5\xa3\xe2\x4c\x15\x3d\xf2\x27\x5c\x9f\x80\x69\x27\x73"
+};
+
+hasher_test_vector_t md2_2 = {
+	.alg = HASH_MD2, .len = 1,
+	.data	= "a",
+	.hash	= "\x32\xec\x01\xec\x4a\x6d\xac\x72\xc0\xab\x96\xfb\x34\xc0\xb5\xd1"
+};
+
+hasher_test_vector_t md2_3 = {
+	.alg = HASH_MD2, .len = 3,
+	.data	= "abc",
+	.hash	= "\xda\x85\x3b\x0d\x3f\x88\xd9\x9b\x30\x28\x3a\x69\xe6\xde\xd6\xbb"
+};
+
+hasher_test_vector_t md2_4 = {
+	.alg = HASH_MD2, .len = 14,
+	.data	= "message digest",
+	.hash	= "\xab\x4f\x49\x6b\xfb\x2a\x53\x0b\x21\x9f\xf3\x30\x31\xfe\x06\xb0"
+};
+
+hasher_test_vector_t md2_5 = {
+	.alg = HASH_MD2, .len = 26,
+	.data	= "abcdefghijklmnopqrstuvwxyz",
+	.hash	= "\x4e\x8d\xdf\xf3\x65\x02\x92\xab\x5a\x41\x08\xc3\xaa\x47\x94\x0b"
+};
+
+hasher_test_vector_t md2_6 = {
+	.alg = HASH_MD2, .len = 62,
+	.data	= "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789",
+	.hash	= "\xda\x33\xde\xf2\xa4\x2d\xf1\x39\x75\x35\x28\x46\xc3\x03\x38\xcd"
+};
+
+hasher_test_vector_t md2_7 = {
+	.alg = HASH_MD2, .len = 80,
+	.data	= "1234567890123456789012345678901234567890"
+			  "1234567890123456789012345678901234567890",
+	.hash	= "\xd5\x97\x6f\x79\xd8\x3d\x3a\x0d\xc9\x80\x6c\x3c\x66\xf3\xef\xd8"
+};
+
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors/md4.c b/src/libstrongswan/plugins/test_vectors/test_vectors/md4.c
new file mode 100644
index 000000000..ef9406f5f
--- /dev/null
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors/md4.c
@@ -0,0 +1,63 @@
+/*
+ * Copyright (C) 2009 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the Licenseor (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be usefulbut
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <crypto/crypto_tester.h>
+
+/**
+ * MD4 vectors from RFC 1320
+ */
+hasher_test_vector_t md4_1 = {
+	.alg = HASH_MD4, .len = 0,
+	.data	= "",
+	.hash	= "\x31\xd6\xcf\xe0\xd1\x6a\xe9\x31\xb7\x3c\x59\xd7\xe0\xc0\x89\xc0"
+};
+
+hasher_test_vector_t md4_2 = {
+	.alg = HASH_MD4, .len = 1,
+	.data	= "a",
+	.hash	= "\xbd\xe5\x2c\xb3\x1d\xe3\x3e\x46\x24\x5e\x05\xfb\xdb\xd6\xfb\x24"
+};
+
+hasher_test_vector_t md4_3 = {
+	.alg = HASH_MD4, .len = 3,
+	.data	= "abc",
+	.hash	= "\xa4\x48\x01\x7a\xaf\x21\xd8\x52\x5f\xc1\x0a\xe8\x7a\xa6\x72\x9d"
+};
+
+hasher_test_vector_t md4_4 = {
+	.alg = HASH_MD4, .len = 14,
+	.data	= "message digest",
+	.hash	= "\xd9\x13\x0a\x81\x64\x54\x9f\xe8\x18\x87\x48\x06\xe1\xc7\x01\x4b"
+};
+
+hasher_test_vector_t md4_5 = {
+	.alg = HASH_MD4, .len = 26,
+	.data	= "abcdefghijklmnopqrstuvwxyz",
+	.hash	= "\xd7\x9e\x1c\x30\x8a\xa5\xbb\xcd\xee\xa8\xed\x63\xdf\x41\x2d\xa9"
+};
+
+hasher_test_vector_t md4_6 = {
+	.alg = HASH_MD4, .len = 62,
+	.data	= "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789",
+	.hash	= "\x04\x3f\x85\x82\xf2\x41\xdb\x35\x1c\xe6\x27\xe1\x53\xe7\xf0\xe4"
+};
+
+hasher_test_vector_t md4_7 = {
+	.alg = HASH_MD4, .len = 80,
+	.data	= "1234567890123456789012345678901234567890"
+			  "1234567890123456789012345678901234567890",
+	.hash	= "\xe3\x3b\x4d\xdc\x9c\x38\xf2\x19\x9c\x3e\x7b\x16\x4f\xcc\x05\x36"
+};
+
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors/md5.c b/src/libstrongswan/plugins/test_vectors/test_vectors/md5.c
new file mode 100644
index 000000000..c7b213674
--- /dev/null
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors/md5.c
@@ -0,0 +1,63 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the Licenseor (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be usefulbut
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <crypto/crypto_tester.h>
+
+/**
+ * MD5 vectors from RFC1321
+ */
+hasher_test_vector_t md5_1 = {
+	.alg = HASH_MD5, .len = 0,
+	.data	= "",
+	.hash	= "\xd4\x1d\x8c\xd9\x8f\x00\xb2\x04\xe9\x80\x09\x98\xec\xf8\x42\x7e"
+};
+
+hasher_test_vector_t md5_2 = {
+	.alg = HASH_MD5, .len = 1,
+	.data	= "a",
+	.hash	= "\x0c\xc1\x75\xb9\xc0\xf1\xb6\xa8\x31\xc3\x99\xe2\x69\x77\x26\x61"
+};
+
+hasher_test_vector_t md5_3 = {
+	.alg = HASH_MD5, .len = 3,
+	.data	= "abc",
+	.hash	= "\x90\x01\x50\x98\x3c\xd2\x4f\xb0\xd6\x96\x3f\x7d\x28\xe1\x7f\x72"
+};
+
+hasher_test_vector_t md5_4 = {
+	.alg = HASH_MD5, .len = 14,
+	.data	= "message digest",
+	.hash	= "\xf9\x6b\x69\x7d\x7c\xb7\x93\x8d\x52\x5a\x2f\x31\xaa\xf1\x61\xd0"
+};
+
+hasher_test_vector_t md5_5 = {
+	.alg = HASH_MD5, .len = 26,
+	.data	= "abcdefghijklmnopqrstuvwxyz",
+	.hash	= "\xc3\xfc\xd3\xd7\x61\x92\xe4\x00\x7d\xfb\x49\x6c\xca\x67\xe1\x3b"
+};
+
+hasher_test_vector_t md5_6 = {
+	.alg = HASH_MD5, .len = 62,
+	.data	= "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789",
+	.hash	= "\xd1\x74\xab\x98\xd2\x77\xd9\xf5\xa5\x61\x1c\x2c\x9f\x41\x9d\x9f"
+};
+
+hasher_test_vector_t md5_7 = {
+	.alg = HASH_MD5, .len = 80,
+	.data	= "1234567890123456789012345678901234567890"
+			  "1234567890123456789012345678901234567890",
+	.hash	= "\x57\xed\xf4\xa2\x2b\xe3\xc9\x55\xac\x49\xda\x2e\x21\x07\xb6\x7a"
+};
+
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors/md5_hmac.c b/src/libstrongswan/plugins/test_vectors/test_vectors/md5_hmac.c
new file mode 100644
index 000000000..5221d530c
--- /dev/null
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors/md5_hmac.c
@@ -0,0 +1,112 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the Licenseor (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be usefulbut
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <crypto/crypto_tester.h>
+
+/**
+ * MD5 hmac test vectors from RFC2202
+ */
+signer_test_vector_t md5_hmac_s1 = {
+	.alg = AUTH_HMAC_MD5_96, .len = 8,
+	.key	= "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b",
+	.data	= "Hi There",
+	.mac	= "\x92\x94\x72\x7a\x36\x38\xbb\x1c\x13\xf4\x8e\xf8"
+};
+
+signer_test_vector_t md5_hmac_s2 = {
+	.alg = AUTH_HMAC_MD5_128, .len = 8,
+	.key	= "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b",
+	.data	= "Hi There",
+	.mac	= "\x92\x94\x72\x7a\x36\x38\xbb\x1c\x13\xf4\x8e\xf8\x15\x8b\xfc\x9d"
+};
+
+prf_test_vector_t md5_hmac_p1 = {
+	.alg = PRF_HMAC_MD5, .key_size = 16, .len = 8,
+	.key	= "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b",
+	.seed	= "Hi There",
+	.out	= "\x92\x94\x72\x7a\x36\x38\xbb\x1c\x13\xf4\x8e\xf8\x15\x8b\xfc\x9d"
+};
+
+prf_test_vector_t md5_hmac_p2 = {
+	.alg = PRF_HMAC_MD5, .key_size = 4, .len = 28,
+	.key	= "Jefe",
+	.seed	= "what do ya want for nothing?",
+	.out	= "\x75\x0c\x78\x3e\x6a\xb0\xb5\x03\xea\xa8\x6e\x31\x0a\x5d\xb7\x38"
+};
+
+signer_test_vector_t md5_hmac_s3 = {
+	.alg = AUTH_HMAC_MD5_96, .len = 50,
+	.key	= "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
+	.data	= "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+			  "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+			  "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+			  "\xdd\xdd",
+	.mac	= "\x56\xbe\x34\x52\x1d\x14\x4c\x88\xdb\xb8\xc7\x33"
+};
+
+signer_test_vector_t md5_hmac_s4 = {
+	.alg = AUTH_HMAC_MD5_128, .len = 50,
+	.key	= "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
+	.data	= "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+			  "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+			  "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+			  "\xdd\xdd",
+	.mac	= "\x56\xbe\x34\x52\x1d\x14\x4c\x88\xdb\xb8\xc7\x33\xf0\xe8\xb3\xf6"
+};
+
+prf_test_vector_t md5_hmac_p3 = {
+	.alg = PRF_HMAC_MD5, .key_size = 16, .len = 50,
+	.key	= "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
+	.seed	= "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+			  "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+			  "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+			  "\xdd\xdd",
+	.out	= "\x56\xbe\x34\x52\x1d\x14\x4c\x88\xdb\xb8\xc7\x33\xf0\xe8\xb3\xf6"
+};
+
+prf_test_vector_t md5_hmac_p4 = {
+	.alg = PRF_HMAC_MD5, .key_size = 25, .len = 50,
+	.key	= "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"
+			  "\x11\x12\x13\x14\x15\x16\x17\x18\x19",
+	.seed	= "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd"
+			  "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd"
+			  "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd"
+			  "\xcd\xcd",
+	.out	= "\x69\x7e\xaf\x0a\xca\x3a\x3a\xea\x3a\x75\x16\x47\x46\xff\xaa\x79"
+};
+
+prf_test_vector_t md5_hmac_p5 = {
+	.alg = PRF_HMAC_MD5, .key_size = 80, .len = 54,
+	.key	= "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+			  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+			  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+			  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+			  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
+	.seed	= "Test Using Larger Than Block-Size Key - Hash Key First",
+	.out	= "\x6b\x1a\xb7\xfe\x4b\xd7\xbf\x8f\x0b\x62\xe6\xce\x61\xb9\xd0\xcd"
+};
+
+prf_test_vector_t md5_hmac_p6 = {
+	.alg = PRF_HMAC_MD5, .key_size = 80, .len = 73,
+	.key	= "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+			  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+			  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+			  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+			  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
+	.seed	= "Test Using Larger Than Block-Size Key and Larger "
+			  "Than One Block-Size Data",
+	.out	= "\x6f\x63\x0f\xad\x67\xcd\xa0\xee\x1f\xb1\xf5\x62\xdb\x3a\xa5\x3e"
+};
+
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors/null.c b/src/libstrongswan/plugins/test_vectors/test_vectors/null.c
new file mode 100644
index 000000000..c4f5d41b3
--- /dev/null
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors/null.c
@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) 2009 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the Licenseor (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be usefulbut
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <crypto/crypto_tester.h>
+
+crypter_test_vector_t null1 = {
+	.alg = ENCR_NULL, .key_size = 0, .len = 44,
+	.key    = "",
+	.iv     = "",
+	.plain	= "The quick brown fox jumped over the lazy dog",
+	.cipher	= "The quick brown fox jumped over the lazy dog"
+};
+
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors/rc5.c b/src/libstrongswan/plugins/test_vectors/test_vectors/rc5.c
new file mode 100644
index 000000000..458f63aa9
--- /dev/null
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors/rc5.c
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) 2009 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the Licenseor (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be usefulbut
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <crypto/crypto_tester.h>
+
+/**
+ * All testvectors from https://www.cosic.esat.kuleuven.be/nessie/testvectors/
+ */
+
+/**
+ * RC5 128 bit: set 8, vector #0
+ */
+crypter_test_vector_t rc5_1 = {
+	.alg = ENCR_RC5, .key_size = 16, .len = 8,
+	.key	= "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F",
+	.iv		= "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
+	.plain	= "\x96\x95\x0D\xDA\x65\x4A\x3D\x62",
+	.cipher	= "\x00\x11\x22\x33\x44\x55\x66\x77"
+};
+
+/**
+ * RC5 128 bit: set 8, vector #1
+ */
+crypter_test_vector_t rc5_2 = {
+	.alg = ENCR_RC5, .key_size = 16, .len = 8,
+	.key	= "\x2B\xD6\x45\x9F\x82\xC5\xB3\x00\x95\x2C\x49\x10\x48\x81\xFF\x48",
+	.iv		= "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
+	.plain	= "\x63\x8B\x3A\x5E\xF7\x2B\x66\x3F",
+	.cipher	= "\xEA\x02\x47\x14\xAD\x5C\x4D\x84"
+};
+
+
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors/rng.c b/src/libstrongswan/plugins/test_vectors/test_vectors/rng.c
new file mode 100644
index 000000000..8502df7ad
--- /dev/null
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors/rng.c
@@ -0,0 +1,236 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the Licenseor (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be usefulbut
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <crypto/crypto_tester.h>
+
+#include <debug.h>
+
+/**
+ * Monobit test
+ */
+typedef struct {
+	int lower;
+	int upper;
+} monobit_t;
+
+monobit_t monobit_all = {
+	.lower = 9654,
+	.upper = 10346
+};
+
+static bool test_monobit(monobit_t *param, chunk_t data)
+{
+	int i, j, bits = 0;
+	
+	for (i = 0; i < data.len; i++)
+	{
+		for (j = 0; j < 8; j++)
+		{
+			if (data.ptr[i] & (1<<j))
+			{
+				bits++;
+			}
+		}
+	}
+	DBG2("  Monobit: %d/%d bits set", bits, data.len * 8);
+	if (bits > param->lower && bits < param->upper)
+	{
+		return TRUE;
+	}
+	return FALSE;
+}
+
+rng_test_vector_t rng_monobit_1 = {
+	RNG_WEAK, .len = 2500,
+	.test = (void*)test_monobit,
+	.user = &monobit_all
+};
+
+rng_test_vector_t rng_monobit_2 = {
+	RNG_STRONG, .len = 2500,
+	.test = (void*)test_monobit,
+	.user = &monobit_all
+};
+
+rng_test_vector_t rng_monobit_3 = {
+	RNG_TRUE, .len = 2500,
+	.test = (void*)test_monobit,
+	.user = &monobit_all
+};
+
+/**
+ * Poker test
+ */
+typedef struct {
+	double lower;
+	double upper;
+} poker_t;
+
+poker_t poker_all = {
+	.lower = 1.03,
+	.upper = 57.4
+};
+
+static bool test_poker(poker_t *param, chunk_t data)
+{
+	int i, counter[16];
+	double sum = 0.0;
+	
+	memset(counter, 0, sizeof(counter));
+	
+	for (i = 0; i < data.len; i++)
+	{
+		counter[data.ptr[i] & 0x0F]++;
+		counter[(data.ptr[i] & 0xF0) >> 4]++;
+	}
+	
+	for (i = 0; i < countof(counter); i++)
+	{
+		sum += (counter[i] * counter[i]) / 5000.0 * 16.0;
+	}
+	sum -= 5000.0;
+	DBG2("  Poker: %f", sum);
+	if (sum > param->lower && sum < param->upper)
+	{
+		return TRUE;
+	}
+	return FALSE;
+}
+
+rng_test_vector_t rng_poker_1 = {
+	RNG_WEAK, .len = 2500,
+	.test = (void*)test_poker,
+	.user = &poker_all
+};
+
+rng_test_vector_t rng_poker_2 = {
+	RNG_STRONG, .len = 2500,
+	.test = (void*)test_poker,
+	.user = &poker_all
+};
+
+rng_test_vector_t rng_poker_3 = {
+	RNG_TRUE, .len = 2500,
+	.test = (void*)test_poker,
+	.user = &poker_all
+};
+
+/**
+ * Runs test
+ */
+typedef struct {
+	int longrun;
+	int lower[7];
+	int upper[7];
+} runs_t;
+
+runs_t runs_all = {
+	.longrun = 34,
+	.lower = {-1, 2267, 1079, 502, 223,  90,  90},
+	.upper = {-1, 2733, 1421, 748, 402, 223, 223},
+};
+
+static bool test_runs(runs_t *param, chunk_t data)
+{
+	int i, j, zero_runs[7], one_runs[7], zero = 0, one = 0, longrun = 0;
+	
+	memset(one_runs, 0, sizeof(zero_runs));
+	memset(zero_runs, 0, sizeof(one_runs));
+	
+	for (i = 0; i < data.len; i++)
+	{
+		for (j = 0; j < 8; j++)
+		{
+			if (data.ptr[i] & (1<<j))
+			{
+				if (one)
+				{
+					if (++one >= param->longrun)
+					{
+						longrun++;
+						break;
+					}
+				}
+				else
+				{
+					zero_runs[min(6, zero)]++;
+					zero = 0;
+					one = 1;
+				}
+			}
+			else
+			{
+				if (zero)
+				{
+					if (++zero >= param->longrun)
+					{
+						longrun++;
+						break;
+					}
+				}
+				else
+				{
+					one_runs[min(6, one)]++;
+					one = 0;
+					zero = 1;
+				}
+			}
+		}
+	}
+	
+	DBG2("  Runs: zero: %d/%d/%d/%d/%d/%d, one: %d/%d/%d/%d/%d/%d, "
+		 "longruns: %d",
+		 zero_runs[1], zero_runs[2], zero_runs[3],
+		 zero_runs[4], zero_runs[5], zero_runs[6],
+		 one_runs[1], one_runs[2], one_runs[3],
+		 one_runs[4], one_runs[5], one_runs[6],
+		 longrun);
+	
+	if (longrun)
+	{
+		return FALSE;
+	}
+	
+	for (i = 1; i < countof(zero_runs); i++)
+	{
+		if (zero_runs[i] <= param->lower[i] ||
+			zero_runs[i] >=  param->upper[i] ||
+			one_runs[i] <= param->lower[i] ||
+			one_runs[i] >=  param->upper[i])
+		{
+			return FALSE;
+		}
+	}
+	return TRUE;
+}
+
+rng_test_vector_t rng_runs_1 = {
+	RNG_WEAK, .len = 2500,
+	.test = (void*)test_runs,
+	.user = &runs_all
+};
+
+rng_test_vector_t rng_runs_2 = {
+	RNG_STRONG, .len = 2500,
+	.test = (void*)test_runs,
+	.user = &runs_all
+};
+
+rng_test_vector_t rng_runs_3 = {
+	RNG_TRUE, .len = 2500,
+	.test = (void*)test_runs,
+	.user = &runs_all
+};
+
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors/serpent_cbc.c b/src/libstrongswan/plugins/test_vectors/test_vectors/serpent_cbc.c
new file mode 100644
index 000000000..256a59603
--- /dev/null
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors/serpent_cbc.c
@@ -0,0 +1,91 @@
+/*
+ * Copyright (C) 2009 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the Licenseor (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be usefulbut
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <crypto/crypto_tester.h>
+
+/**
+ * All testvectors from https://www.cosic.esat.kuleuven.be/nessie/testvectors/
+ */
+
+/**
+ * Serpent 128 bit: set 8, vector #0
+ */
+crypter_test_vector_t serpent_cbc1 = {
+	.alg = ENCR_SERPENT_CBC, .key_size = 16, .len = 16,
+	.key	= "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F",
+	.iv		= "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
+	.plain	= "\x33\xB3\xDC\x87\xED\xDD\x9B\x0F\x6A\x1F\x40\x7D\x14\x91\x93\x65",
+	.cipher	= "\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xAA\xBB\xCC\xDD\xEE\xFF"
+};
+
+/**
+ * Serpent 128 bit: set 8, vector #1
+ */
+crypter_test_vector_t serpent_cbc2 = {
+	.alg = ENCR_SERPENT_CBC, .key_size = 16, .len = 16,
+	.key	= "\x2B\xD6\x45\x9F\x82\xC5\xB3\x00\x95\x2C\x49\x10\x48\x81\xFF\x48",
+	.iv		= "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
+	.plain	= "\xBE\xB6\xC0\x69\x39\x38\x22\xD3\xBE\x73\xFF\x30\x52\x5E\xC4\x3E",
+	.cipher	= "\xEA\x02\x47\x14\xAD\x5C\x4D\x84\xEA\x02\x47\x14\xAD\x5C\x4D\x84"
+};
+
+/**
+ * Serpent 192 bit: set 8, vector #0
+ */
+crypter_test_vector_t serpent_cbc3 = {
+	.alg = ENCR_SERPENT_CBC, .key_size = 24, .len = 16,
+	.key	= "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F"
+			  "\x10\x11\x12\x13\x14\x15\x16\x17",
+	.iv		= "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
+	.plain	= "\x45\x28\xCA\xCC\xB9\x54\xD4\x50\x65\x5E\x8C\xFD\x71\xCB\xFA\xC7",
+	.cipher	= "\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xAA\xBB\xCC\xDD\xEE\xFF"
+};
+
+/**
+ * Serpent 192 bit: set 8, vector #1
+ */
+crypter_test_vector_t serpent_cbc4 = {
+	.alg = ENCR_SERPENT_CBC, .key_size = 24, .len = 16,
+	.key	= "\x2B\xD6\x45\x9F\x82\xC5\xB3\x00\x95\x2C\x49\x10\x48\x81\xFF\x48"
+			  "\x2B\xD6\x45\x9F\x82\xC5\xB3\x00",
+	.iv		= "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
+	.plain	= "\xE0\x20\x8B\xE2\x78\xE2\x14\x20\xC4\xB1\xB9\x74\x77\x88\xA9\x54",
+	.cipher	= "\xEA\x02\x47\x14\xAD\x5C\x4D\x84\xEA\x02\x47\x14\xAD\x5C\x4D\x84"
+};
+
+/**
+ * Serpent 256 bit: set 8, vector #0
+ */
+crypter_test_vector_t serpent_cbc5 = {
+	.alg = ENCR_SERPENT_CBC, .key_size = 32, .len = 16,
+	.key	= "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F"
+			  "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1A\x1B\x1C\x1D\x1E\x1F",
+	.iv		= "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
+	.plain	= "\x3D\xA4\x6F\xFA\x6F\x4D\x6F\x30\xCD\x25\x83\x33\xE5\xA6\x13\x69",
+	.cipher	= "\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xAA\xBB\xCC\xDD\xEE\xFF"
+};
+
+/**
+ * Serpent 256 bit: set 8, vector #1
+ */
+crypter_test_vector_t serpent_cbc6 = {
+	.alg = ENCR_SERPENT_CBC, .key_size = 32, .len = 16,
+	.key	= "\x2B\xD6\x45\x9F\x82\xC5\xB3\x00\x95\x2C\x49\x10\x48\x81\xFF\x48"
+			  "\x2B\xD6\x45\x9F\x82\xC5\xB3\x00\x95\x2C\x49\x10\x48\x81\xFF\x48",
+	.iv		= "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
+	.plain	= "\x67\x7C\x8D\xFA\xA0\x80\x71\x74\x3F\xD2\xB4\x15\xD1\xB2\x8A\xF2",
+	.cipher	= "\xEA\x02\x47\x14\xAD\x5C\x4D\x84\xEA\x02\x47\x14\xAD\x5C\x4D\x84"
+};
+
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors/sha1.c b/src/libstrongswan/plugins/test_vectors/test_vectors/sha1.c
new file mode 100644
index 000000000..51f22716e
--- /dev/null
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors/sha1.c
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the Licenseor (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be usefulbut
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <crypto/crypto_tester.h>
+
+/**
+ * SHA-1 test vectors from "The Secure Hash Algorithm Validation System (SHAVS)"
+ */
+hasher_test_vector_t sha1_1 = {
+	.alg = HASH_SHA1, .len = 1,
+	.data	= "\x5e",
+	.hash	= "\x5e\x6f\x80\xa3\x4a\x97\x98\xca\xfc\x6a\x5d\xb9\x6c\xc5\x7b\xa4"
+			  "\xc4\xdb\x59\xc2"
+};
+
+hasher_test_vector_t sha1_2 = {
+	.alg = HASH_SHA1, .len = 16,
+	.data	= "\x9a\x7d\xfd\xf1\xec\xea\xd0\x6e\xd6\x46\xaa\x55\xfe\x75\x71\x46",
+	.hash	= "\x82\xab\xff\x66\x05\xdb\xe1\xc1\x7d\xef\x12\xa3\x94\xfa\x22\xa8"
+			  "\x2b\x54\x4a\x35"
+};
+
+hasher_test_vector_t sha1_3 = {
+	.alg = HASH_SHA1, .len = 163,
+	.data	= "\xf7\x8f\x92\x14\x1b\xcd\x17\x0a\xe8\x9b\x4f\xba\x15\xa1\xd5\x9f"
+			  "\x3f\xd8\x4d\x22\x3c\x92\x51\xbd\xac\xbb\xae\x61\xd0\x5e\xd1\x15"
+			  "\xa0\x6a\x7c\xe1\x17\xb7\xbe\xea\xd2\x44\x21\xde\xd9\xc3\x25\x92"
+			  "\xbd\x57\xed\xea\xe3\x9c\x39\xfa\x1f\xe8\x94\x6a\x84\xd0\xcf\x1f"
+			  "\x7b\xee\xad\x17\x13\xe2\xe0\x95\x98\x97\x34\x7f\x67\xc8\x0b\x04"
+			  "\x00\xc2\x09\x81\x5d\x6b\x10\xa6\x83\x83\x6f\xd5\x56\x2a\x56\xca"
+			  "\xb1\xa2\x8e\x81\xb6\x57\x66\x54\x63\x1c\xf1\x65\x66\xb8\x6e\x3b"
+			  "\x33\xa1\x08\xb0\x53\x07\xc0\x0a\xff\x14\xa7\x68\xed\x73\x50\x60"
+			  "\x6a\x0f\x85\xe6\xa9\x1d\x39\x6f\x5b\x5c\xbe\x57\x7f\x9b\x38\x80"
+			  "\x7c\x7d\x52\x3d\x6d\x79\x2f\x6e\xbc\x24\xa4\xec\xf2\xb3\xa4\x27"
+			  "\xcd\xbb\xfb",
+	.hash	= "\xcb\x00\x82\xc8\xf1\x97\xd2\x60\x99\x1b\xa6\xa4\x60\xe7\x6e\x20"
+			  "\x2b\xad\x27\xb3"
+};
+
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors/sha1_hmac.c b/src/libstrongswan/plugins/test_vectors/test_vectors/sha1_hmac.c
new file mode 100644
index 000000000..8d6f66373
--- /dev/null
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors/sha1_hmac.c
@@ -0,0 +1,146 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the Licenseor (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be usefulbut
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <crypto/crypto_tester.h>
+
+/**
+ * SHA1 hmac test vectors from RFC2202
+ */
+signer_test_vector_t sha1_hmac_s1 = {
+	.alg = AUTH_HMAC_SHA1_96, .len = 8,
+	.key	= "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b"
+			  "\x0b\x0b\x0b\x0b",
+	.data	= "Hi There",
+	.mac	= "\xb6\x17\x31\x86\x55\x05\x72\x64\xe2\x8b\xc0\xb6"
+};
+
+signer_test_vector_t sha1_hmac_s2 = {
+	.alg = AUTH_HMAC_SHA1_128, .len = 8,
+	.key	= "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b"
+			  "\x0b\x0b\x0b\x0b",
+	.data	= "Hi There",
+	.mac	= "\xb6\x17\x31\x86\x55\x05\x72\x64\xe2\x8b\xc0\xb6\xfb\x37\x8c\x8e"
+};
+
+signer_test_vector_t sha1_hmac_s3 = {
+	.alg = AUTH_HMAC_SHA1_160, .len = 8,
+	.key	= "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b"
+			  "\x0b\x0b\x0b\x0b",
+	.data	= "Hi There",
+	.mac	= "\xb6\x17\x31\x86\x55\x05\x72\x64\xe2\x8b\xc0\xb6\xfb\x37\x8c\x8e"
+			  "\xf1\x46\xbe\x00"
+};
+
+prf_test_vector_t sha1_hmac_p1 = {
+	.alg = PRF_HMAC_SHA1, .key_size = 20, .len = 8,
+	.key	= "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b"
+			  "\x0b\x0b\x0b\x0b",
+	.seed	= "Hi There",
+	.out	= "\xb6\x17\x31\x86\x55\x05\x72\x64\xe2\x8b\xc0\xb6\xfb\x37\x8c\x8e"
+			  "\xf1\x46\xbe\x00"
+};
+
+prf_test_vector_t sha1_hmac_p2 = {
+	.alg = PRF_HMAC_SHA1, .key_size = 4, .len = 28,
+	.key	= "Jefe",
+	.seed	= "what do ya want for nothing?",
+	.out	= "\xef\xfc\xdf\x6a\xe5\xeb\x2f\xa2\xd2\x74\x16\xd5\xf1\x84\xdf\x9c"
+			  "\x25\x9a\x7c\x79"
+};
+
+signer_test_vector_t sha1_hmac_s4 = {
+	.alg = AUTH_HMAC_SHA1_96, .len = 50,
+	.key	= "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+			  "\xaa\xaa\xaa\xaa",
+	.data	= "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+			  "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+			  "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+			  "\xdd\xdd",
+	.mac	= "\x12\x5d\x73\x42\xb9\xac\x11\xcd\x91\xa3\x9a\xf4"
+			  "\x63\xf1\x75\xd3"
+};
+
+signer_test_vector_t sha1_hmac_s5 = {
+	.alg = AUTH_HMAC_SHA1_128, .len = 50,
+	.key	= "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+			  "\xaa\xaa\xaa\xaa",
+	.data	= "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+			  "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+			  "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+			  "\xdd\xdd",
+	.mac	= "\x12\x5d\x73\x42\xb9\xac\x11\xcd\x91\xa3\x9a\xf4\x8a\xa1\x7b\x4f"
+};
+
+signer_test_vector_t sha1_hmac_s6 = {
+	.alg = AUTH_HMAC_SHA1_160, .len = 50,
+	.key	= "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+			  "\xaa\xaa\xaa\xaa",
+	.data	= "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+			  "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+			  "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+			  "\xdd\xdd",
+	.mac	= "\x12\x5d\x73\x42\xb9\xac\x11\xcd\x91\xa3\x9a\xf4\x8a\xa1\x7b\x4f"
+			  "\x63\xf1\x75\xd3"
+};
+
+prf_test_vector_t sha1_hmac_p3 = {
+	.alg = PRF_HMAC_SHA1, .key_size = 20, .len = 50,
+	.key	= "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+			  "\xaa\xaa\xaa\xaa",
+	.seed	= "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+			  "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+			  "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+			  "\xdd\xdd",
+	.out	= "\x12\x5d\x73\x42\xb9\xac\x11\xcd\x91\xa3\x9a\xf4\x8a\xa1\x7b\x4f"
+			  "\x63\xf1\x75\xd3"
+};
+
+prf_test_vector_t sha1_hmac_p4 = {
+	.alg = PRF_HMAC_SHA1, .key_size = 25, .len = 50,
+	.key	= "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"
+			  "\x11\x12\x13\x14\x15\x16\x17\x18\x19",
+	.seed	= "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd"
+			  "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd"
+			  "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd"
+			  "\xcd\xcd",
+	.out	= "\x4c\x90\x07\xf4\x02\x62\x50\xc6\xbc\x84\x14\xf9\xbf\x50\xc8\x6c"
+			  "\x2d\x72\x35\xda"
+};
+
+prf_test_vector_t sha1_hmac_p5 = {
+	.alg = PRF_HMAC_SHA1, .key_size = 80, .len = 54,
+	.key	= "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+			  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+			  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+			  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+			  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
+	.seed	= "Test Using Larger Than Block-Size Key - Hash Key First",
+	.out	= "\xaa\x4a\xe5\xe1\x52\x72\xd0\x0e\x95\x70\x56\x37\xce\x8a\x3b\x55"
+			  "\xed\x40\x21\x12"
+};
+
+prf_test_vector_t sha1_hmac_p6 = {
+	.alg = PRF_HMAC_SHA1, .key_size = 80, .len = 73,
+	.key	= "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+			  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+			  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+			  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+			  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
+	.seed	= "Test Using Larger Than Block-Size Key and Larger "
+			  "Than One Block-Size Data",
+	.out	= "\xe8\xe9\x9d\x0f\x45\x23\x7d\x78\x6d\x6b\xba\xa7\x96\x5c\x78\x08"
+			  "\xbb\xff\x1a\x91"
+};
+
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors/sha2.c b/src/libstrongswan/plugins/test_vectors/test_vectors/sha2.c
new file mode 100644
index 000000000..e2bd42240
--- /dev/null
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors/sha2.c
@@ -0,0 +1,136 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the Licenseor (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be usefulbut
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <crypto/crypto_tester.h>
+
+/**
+ * SHA-256 vectors from "The Secure Hash Algorithm Validation System (SHAVS)"
+ */
+hasher_test_vector_t sha256_1 = {
+	.alg = HASH_SHA256, .len = 1,
+	.data	= "\x19",
+	.hash	= "\x68\xaa\x2e\x2e\xe5\xdf\xf9\x6e\x33\x55\xe6\xc7\xee\x37\x3e\x3d"
+			  "\x6a\x4e\x17\xf7\x5f\x95\x18\xd8\x43\x70\x9c\x0c\x9b\xc3\xe3\xd4"
+};
+
+hasher_test_vector_t sha256_2 = {
+	.alg = HASH_SHA256, .len = 16,
+	.data	= "\xe3\xd7\x25\x70\xdc\xdd\x78\x7c\xe3\x88\x7a\xb2\xcd\x68\x46\x52",
+	.hash	= "\x17\x5e\xe6\x9b\x02\xba\x9b\x58\xe2\xb0\xa5\xfd\x13\x81\x9c\xea"
+			  "\x57\x3f\x39\x40\xa9\x4f\x82\x51\x28\xcf\x42\x09\xbe\xab\xb4\xe8"
+};
+
+hasher_test_vector_t sha256_3 = {
+	.alg = HASH_SHA256, .len = 163,
+	.data	= "\x83\x26\x75\x4e\x22\x77\x37\x2f\x4f\xc1\x2b\x20\x52\x7a\xfe\xf0"
+			  "\x4d\x8a\x05\x69\x71\xb1\x1a\xd5\x71\x23\xa7\xc1\x37\x76\x00\x00"
+			  "\xd7\xbe\xf6\xf3\xc1\xf7\xa9\x08\x3a\xa3\x9d\x81\x0d\xb3\x10\x77"
+			  "\x7d\xab\x8b\x1e\x7f\x02\xb8\x4a\x26\xc7\x73\x32\x5f\x8b\x23\x74"
+			  "\xde\x7a\x4b\x5a\x58\xcb\x5c\x5c\xf3\x5b\xce\xe6\xfb\x94\x6e\x5b"
+			  "\xd6\x94\xfa\x59\x3a\x8b\xeb\x3f\x9d\x65\x92\xec\xed\xaa\x66\xca"
+			  "\x82\xa2\x9d\x0c\x51\xbc\xf9\x33\x62\x30\xe5\xd7\x84\xe4\xc0\xa4"
+			  "\x3f\x8d\x79\xa3\x0a\x16\x5c\xba\xbe\x45\x2b\x77\x4b\x9c\x71\x09"
+			  "\xa9\x7d\x13\x8f\x12\x92\x28\x96\x6f\x6c\x0a\xdc\x10\x6a\xad\x5a"
+			  "\x9f\xdd\x30\x82\x57\x69\xb2\xc6\x71\xaf\x67\x59\xdf\x28\xeb\x39"
+			  "\x3d\x54\xd6",
+	.hash	= "\x97\xdb\xca\x7d\xf4\x6d\x62\xc8\xa4\x22\xc9\x41\xdd\x7e\x83\x5b"
+			  "\x8a\xd3\x36\x17\x63\xf7\xe9\xb2\xd9\x5f\x4f\x0d\xa6\xe1\xcc\xbc"
+};
+
+/**
+ * SHA-384 vectors from "The Secure Hash Algorithm Validation System (SHAVS)"
+ */
+hasher_test_vector_t sha384_1 = {
+	.alg = HASH_SHA384, .len = 1,
+	.data	= "\xb9",
+	.hash	= "\xbc\x80\x89\xa1\x90\x07\xc0\xb1\x41\x95\xf4\xec\xc7\x40\x94\xfe"
+			  "\xc6\x4f\x01\xf9\x09\x29\x28\x2c\x2f\xb3\x92\x88\x15\x78\x20\x8a"
+			  "\xd4\x66\x82\x8b\x1c\x6c\x28\x3d\x27\x22\xcf\x0a\xd1\xab\x69\x38"
+};
+
+hasher_test_vector_t sha384_2 = {
+	.alg = HASH_SHA384, .len = 16,
+	.data	= "\xa4\x1c\x49\x77\x79\xc0\x37\x5f\xf1\x0a\x7f\x4e\x08\x59\x17\x39",
+	.hash	= "\xc9\xa6\x84\x43\xa0\x05\x81\x22\x56\xb8\xec\x76\xb0\x05\x16\xf0"
+			  "\xdb\xb7\x4f\xab\x26\xd6\x65\x91\x3f\x19\x4b\x6f\xfb\x0e\x91\xea"
+			  "\x99\x67\x56\x6b\x58\x10\x9c\xbc\x67\x5c\xc2\x08\xe4\xc8\x23\xf7"
+};
+
+hasher_test_vector_t sha384_3 = {
+	.alg = HASH_SHA384, .len = 227,
+	.data	= "\x39\x96\x69\xe2\x8f\x6b\x9c\x6d\xbc\xbb\x69\x12\xec\x10\xff\xcf"
+			  "\x74\x79\x03\x49\xb7\xdc\x8f\xbe\x4a\x8e\x7b\x3b\x56\x21\xdb\x0f"
+			  "\x3e\x7d\xc8\x7f\x82\x32\x64\xbb\xe4\x0d\x18\x11\xc9\xea\x20\x61"
+			  "\xe1\xc8\x4a\xd1\x0a\x23\xfa\xc1\x72\x7e\x72\x02\xfc\x3f\x50\x42"
+			  "\xe6\xbf\x58\xcb\xa8\xa2\x74\x6e\x1f\x64\xf9\xb9\xea\x35\x2c\x71"
+			  "\x15\x07\x05\x3c\xf4\xe5\x33\x9d\x52\x86\x5f\x25\xcc\x22\xb5\xe8"
+			  "\x77\x84\xa1\x2f\xc9\x61\xd6\x6c\xb6\xe8\x95\x73\x19\x9a\x2c\xe6"
+			  "\x56\x5c\xbd\xf1\x3d\xca\x40\x38\x32\xcf\xcb\x0e\x8b\x72\x11\xe8"
+			  "\x3a\xf3\x2a\x11\xac\x17\x92\x9f\xf1\xc0\x73\xa5\x1c\xc0\x27\xaa"
+			  "\xed\xef\xf8\x5a\xad\x7c\x2b\x7c\x5a\x80\x3e\x24\x04\xd9\x6d\x2a"
+			  "\x77\x35\x7b\xda\x1a\x6d\xae\xed\x17\x15\x1c\xb9\xbc\x51\x25\xa4"
+			  "\x22\xe9\x41\xde\x0c\xa0\xfc\x50\x11\xc2\x3e\xcf\xfe\xfd\xd0\x96"
+			  "\x76\x71\x1c\xf3\xdb\x0a\x34\x40\x72\x0e\x16\x15\xc1\xf2\x2f\xbc"
+			  "\x3c\x72\x1d\xe5\x21\xe1\xb9\x9b\xa1\xbd\x55\x77\x40\x86\x42\x14"
+			  "\x7e\xd0\x96",
+	.hash	= "\x4f\x44\x0d\xb1\xe6\xed\xd2\x89\x9f\xa3\x35\xf0\x95\x15\xaa\x02"
+			  "\x5e\xe1\x77\xa7\x9f\x4b\x4a\xaf\x38\xe4\x2b\x5c\x4d\xe6\x60\xf5"
+			  "\xde\x8f\xb2\xa5\xb2\xfb\xd2\xa3\xcb\xff\xd2\x0c\xff\x12\x88\xc0"
+};
+
+/**
+ * SHA-512 vectors from "The Secure Hash Algorithm Validation System (SHAVS)"
+ */
+hasher_test_vector_t sha512_1 = {
+	.alg = HASH_SHA512, .len = 1,
+	.data	= "\xd0",
+	.hash	= "\x99\x92\x20\x29\x38\xe8\x82\xe7\x3e\x20\xf6\xb6\x9e\x68\xa0\xa7"
+			  "\x14\x90\x90\x42\x3d\x93\xc8\x1b\xab\x3f\x21\x67\x8d\x4a\xce\xee"
+			  "\xe5\x0e\x4e\x8c\xaf\xad\xa4\xc8\x5a\x54\xea\x83\x06\x82\x6c\x4a"
+			  "\xd6\xe7\x4c\xec\xe9\x63\x1b\xfa\x8a\x54\x9b\x4a\xb3\xfb\xba\x15"
+};
+
+hasher_test_vector_t sha512_2 = {
+	.alg = HASH_SHA512, .len = 16,
+	.data	= "\x8d\x4e\x3c\x0e\x38\x89\x19\x14\x91\x81\x6e\x9d\x98\xbf\xf0\xa0",
+	.hash	= "\xcb\x0b\x67\xa4\xb8\x71\x2c\xd7\x3c\x9a\xab\xc0\xb1\x99\xe9\x26"
+			  "\x9b\x20\x84\x4a\xfb\x75\xac\xbd\xd1\xc1\x53\xc9\x82\x89\x24\xc3"
+			  "\xdd\xed\xaa\xfe\x66\x9c\x5f\xdd\x0b\xc6\x6f\x63\x0f\x67\x73\x98"
+			  "\x82\x13\xeb\x1b\x16\xf5\x17\xad\x0d\xe4\xb2\xf0\xc9\x5c\x90\xf8"
+};
+
+hasher_test_vector_t sha512_3 = {
+	.alg = HASH_SHA512, .len = 227,
+	.data	= "\xa5\x5f\x20\xc4\x11\xaa\xd1\x32\x80\x7a\x50\x2d\x65\x82\x4e\x31"
+			  "\xa2\x30\x54\x32\xaa\x3d\x06\xd3\xe2\x82\xa8\xd8\x4e\x0d\xe1\xde"
+			  "\x69\x74\xbf\x49\x54\x69\xfc\x7f\x33\x8f\x80\x54\xd5\x8c\x26\xc4"
+			  "\x93\x60\xc3\xe8\x7a\xf5\x65\x23\xac\xf6\xd8\x9d\x03\xe5\x6f\xf2"
+			  "\xf8\x68\x00\x2b\xc3\xe4\x31\xed\xc4\x4d\xf2\xf0\x22\x3d\x4b\xb3"
+			  "\xb2\x43\x58\x6e\x1a\x7d\x92\x49\x36\x69\x4f\xcb\xba\xf8\x8d\x95"
+			  "\x19\xe4\xeb\x50\xa6\x44\xf8\xe4\xf9\x5e\xb0\xea\x95\xbc\x44\x65"
+			  "\xc8\x82\x1a\xac\xd2\xfe\x15\xab\x49\x81\x16\x4b\xbb\x6d\xc3\x2f"
+			  "\x96\x90\x87\xa1\x45\xb0\xd9\xcc\x9c\x67\xc2\x2b\x76\x32\x99\x41"
+			  "\x9c\xc4\x12\x8b\xe9\xa0\x77\xb3\xac\xe6\x34\x06\x4e\x6d\x99\x28"
+			  "\x35\x13\xdc\x06\xe7\x51\x5d\x0d\x73\x13\x2e\x9a\x0d\xc6\xd3\xb1"
+			  "\xf8\xb2\x46\xf1\xa9\x8a\x3f\xc7\x29\x41\xb1\xe3\xbb\x20\x98\xe8"
+			  "\xbf\x16\xf2\x68\xd6\x4f\x0b\x0f\x47\x07\xfe\x1e\xa1\xa1\x79\x1b"
+			  "\xa2\xf3\xc0\xc7\x58\xe5\xf5\x51\x86\x3a\x96\xc9\x49\xad\x47\xd7"
+			  "\xfb\x40\xd2",
+	.hash	= "\xc6\x65\xbe\xfb\x36\xda\x18\x9d\x78\x82\x2d\x10\x52\x8c\xbf\x3b"
+			  "\x12\xb3\xee\xf7\x26\x03\x99\x09\xc1\xa1\x6a\x27\x0d\x48\x71\x93"
+			  "\x77\x96\x6b\x95\x7a\x87\x8e\x72\x05\x84\x77\x9a\x62\x82\x5c\x18"
+			  "\xda\x26\x41\x5e\x49\xa7\x17\x6a\x89\x4e\x75\x10\xfd\x14\x51\xf5"
+};
+
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors/sha2_hmac.c b/src/libstrongswan/plugins/test_vectors/test_vectors/sha2_hmac.c
new file mode 100644
index 000000000..536eba8f6
--- /dev/null
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors/sha2_hmac.c
@@ -0,0 +1,353 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the Licenseor (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be usefulbut
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <crypto/crypto_tester.h>
+
+/**
+ * SHA-256, SHA384, SHA512 hmac test vectors from RFC 4868
+ */
+prf_test_vector_t sha256_hmac_p1 = {
+	.alg = PRF_HMAC_SHA2_256, .key_size = 20, .len = 8,
+	.key	= "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b"
+			  "\x0b\x0b\x0b\x0b",
+	.seed	= "Hi There",
+	.out	= "\xb0\x34\x4c\x61\xd8\xdb\x38\x53\x5c\xa8\xaf\xce\xaf\x0b\xf1\x2b"
+			  "\x88\x1d\xc2\x00\xc9\x83\x3d\xa7\x26\xe9\x37\x6c\x2e\x32\xcf\xf7"
+};
+
+signer_test_vector_t sha256_hmac_s1 = {
+	.alg = AUTH_HMAC_SHA2_256_128, .len = 8,
+	.key	= "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b"
+			  "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b",
+	.data	= "Hi There",
+	.mac	= "\x19\x8a\x60\x7e\xb4\x4b\xfb\xc6\x99\x03\xa0\xf1\xcf\x2b\xbd\xc5"
+};
+
+prf_test_vector_t sha384_hmac_p1 = {
+	.alg = PRF_HMAC_SHA2_384, .key_size = 20, .len = 8,
+	.key	= "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b"
+			  "\x0b\x0b\x0b\x0b",
+	.seed	= "Hi There",
+	.out	= "\xaf\xd0\x39\x44\xd8\x48\x95\x62\x6b\x08\x25\xf4\xab\x46\x90\x7f"
+			  "\x15\xf9\xda\xdb\xe4\x10\x1e\xc6\x82\xaa\x03\x4c\x7c\xeb\xc5\x9c"
+			  "\xfa\xea\x9e\xa9\x07\x6e\xde\x7f\x4a\xf1\x52\xe8\xb2\xfa\x9c\xb6"
+};
+
+signer_test_vector_t sha384_hmac_s1 = {
+	.alg = AUTH_HMAC_SHA2_384_192, .len = 8,
+	.key	= "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b"
+			  "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b"
+			  "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b",
+	.data	= "Hi There",
+	.mac	= "\xb6\xa8\xd5\x63\x6f\x5c\x6a\x72\x24\xf9\x97\x7d\xcf\x7e\xe6\xc7"
+			  "\xfb\x6d\x0c\x48\xcb\xde\xe9\x73"
+};
+
+prf_test_vector_t sha512_hmac_p1 = {
+	.alg = PRF_HMAC_SHA2_512, .key_size = 20, .len = 8,
+	.key	= "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b"
+			  "\x0b\x0b\x0b\x0b",
+	.seed	= "Hi There",
+	.out	= "\x87\xaa\x7c\xde\xa5\xef\x61\x9d\x4f\xf0\xb4\x24\x1a\x1d\x6c\xb0"
+			  "\x23\x79\xf4\xe2\xce\x4e\xc2\x78\x7a\xd0\xb3\x05\x45\xe1\x7c\xde"
+			  "\xda\xa8\x33\xb7\xd6\xb8\xa7\x02\x03\x8b\x27\x4e\xae\xa3\xf4\xe4"
+			  "\xbe\x9d\x91\x4e\xeb\x61\xf1\x70\x2e\x69\x6c\x20\x3a\x12\x68\x54"
+};
+
+signer_test_vector_t sha512_hmac_s1 = {
+	.alg = AUTH_HMAC_SHA2_512_256, .len = 8,
+	.key	= "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b"
+			  "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b"
+			  "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b"
+			  "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b",
+	.data	= "Hi There",
+	.mac	= "\x63\x7e\xdc\x6e\x01\xdc\xe7\xe6\x74\x2a\x99\x45\x1a\xae\x82\xdf"
+			  "\x23\xda\x3e\x92\x43\x9e\x59\x0e\x43\xe7\x61\xb3\x3e\x91\x0f\xb8"
+};
+
+prf_test_vector_t sha256_hmac_p2 = {
+	.alg = PRF_HMAC_SHA2_256, .key_size = 4, .len = 28,
+	.key	= "Jefe",
+	.seed	= "what do ya want for nothing?",
+	.out	= "\x5b\xdc\xc1\x46\xbf\x60\x75\x4e\x6a\x04\x24\x26\x08\x95\x75\xc7"
+			  "\x5a\x00\x3f\x08\x9d\x27\x39\x83\x9d\xec\x58\xb9\x64\xec\x38\x43"
+};
+
+signer_test_vector_t sha256_hmac_s2 = {
+	.alg = AUTH_HMAC_SHA2_256_128, .len = 28,
+	.key	= "JefeJefeJefeJefeJefeJefeJefeJefe",
+	.data	= "what do ya want for nothing?",
+	.mac	= "\x16\x7f\x92\x85\x88\xc5\xcc\x2e\xef\x8e\x30\x93\xca\xa0\xe8\x7c"
+};
+
+prf_test_vector_t sha384_hmac_p2 = {
+	.alg = PRF_HMAC_SHA2_384, .key_size = 4, .len = 28,
+	.key	= "Jefe",
+	.seed	= "what do ya want for nothing?",
+	.out	= "\xaf\x45\xd2\xe3\x76\x48\x40\x31\x61\x7f\x78\xd2\xb5\x8a\x6b\x1b"
+			  "\x9c\x7e\xf4\x64\xf5\xa0\x1b\x47\xe4\x2e\xc3\x73\x63\x22\x44\x5e"
+			  "\x8e\x22\x40\xca\x5e\x69\xe2\xc7\x8b\x32\x39\xec\xfa\xb2\x16\x49"
+};
+
+signer_test_vector_t sha384_hmac_s2 = {
+	.alg = AUTH_HMAC_SHA2_384_192, .len = 28,
+	.key	= "JefeJefeJefeJefeJefeJefeJefeJefeJefeJefeJefeJefe",
+	.data	= "what do ya want for nothing?",
+	.mac	= "\x2c\x73\x53\x97\x4f\x18\x42\xfd\x66\xd5\x3c\x45\x2c\xa4\x21\x22"
+			  "\xb2\x8c\x0b\x59\x4c\xfb\x18\x4d"
+};
+
+prf_test_vector_t sha512_hmac_p2 = {
+	.alg = PRF_HMAC_SHA2_512, .key_size = 4, .len = 28,
+	.key	= "Jefe",
+	.seed	= "what do ya want for nothing?",
+	.out	= "\x16\x4b\x7a\x7b\xfc\xf8\x19\xe2\xe3\x95\xfb\xe7\x3b\x56\xe0\xa3"
+			  "\x87\xbd\x64\x22\x2e\x83\x1f\xd6\x10\x27\x0c\xd7\xea\x25\x05\x54"
+			  "\x97\x58\xbf\x75\xc0\x5a\x99\x4a\x6d\x03\x4f\x65\xf8\xf0\xe6\xfd"
+			  "\xca\xea\xb1\xa3\x4d\x4a\x6b\x4b\x63\x6e\x07\x0a\x38\xbc\xe7\x37"
+};
+
+signer_test_vector_t sha512_hmac_s2 = {
+	.alg = AUTH_HMAC_SHA2_512_256, .len = 28,
+	.key	= "JefeJefeJefeJefeJefeJefeJefeJefeJefeJefeJefeJefeJefeJefeJefeJefe",
+	.data	= "what do ya want for nothing?",
+	.mac	= "\xcb\x37\x09\x17\xae\x8a\x7c\xe2\x8c\xfd\x1d\x8f\x47\x05\xd6\x14"
+			  "\x1c\x17\x3b\x2a\x93\x62\xc1\x5d\xf2\x35\xdf\xb2\x51\xb1\x54\x54"
+};
+
+prf_test_vector_t sha256_hmac_p3 = {
+	.alg = PRF_HMAC_SHA2_256, .key_size = 20, .len = 50,
+	.key	= "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+			  "\xaa\xaa\xaa\xaa",
+	.seed	= "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+			  "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+			  "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+			  "\xdd\xdd",
+	.out	= "\x77\x3e\xa9\x1e\x36\x80\x0e\x46\x85\x4d\xb8\xeb\xd0\x91\x81\xa7"
+			  "\x29\x59\x09\x8b\x3e\xf8\xc1\x22\xd9\x63\x55\x14\xce\xd5\x65\xfe"
+};
+
+signer_test_vector_t sha256_hmac_s3 = {
+	.alg = AUTH_HMAC_SHA2_256_128, .len = 50,
+	.key	= "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+			  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
+	.data	= "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+			  "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+			  "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+			  "\xdd\xdd",
+	.mac	= "\xcd\xcb\x12\x20\xd1\xec\xcc\xea\x91\xe5\x3a\xba\x30\x92\xf9\x62"
+};
+
+prf_test_vector_t sha384_hmac_p3 = {
+	.alg = PRF_HMAC_SHA2_384, .key_size = 20, .len = 50,
+	.key	= "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+			  "\xaa\xaa\xaa\xaa",
+	.seed	= "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+			  "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+			  "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+			  "\xdd\xdd",
+	.out	= "\x88\x06\x26\x08\xd3\xe6\xad\x8a\x0a\xa2\xac\xe0\x14\xc8\xa8\x6f"
+			  "\x0a\xa6\x35\xd9\x47\xac\x9f\xeb\xe8\x3e\xf4\xe5\x59\x66\x14\x4b"
+			  "\x2a\x5a\xb3\x9d\xc1\x38\x14\xb9\x4e\x3a\xb6\xe1\x01\xa3\x4f\x27"
+};
+
+signer_test_vector_t sha384_hmac_s3 = {
+	.alg = AUTH_HMAC_SHA2_384_192, .len = 50,
+	.key	= "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+			  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+			  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
+	.data	= "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+			  "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+			  "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+			  "\xdd\xdd",
+	.mac	= "\x80\x9f\x43\x9b\xe0\x02\x74\x32\x1d\x4a\x53\x86\x52\x16\x4b\x53"
+			  "\x55\x4a\x50\x81\x84\xa0\xc3\x16"
+};
+
+prf_test_vector_t sha512_hmac_p3 = {
+	.alg = PRF_HMAC_SHA2_512, .key_size = 20, .len = 50,
+	.key	= "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+			  "\xaa\xaa\xaa\xaa",
+	.seed	= "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+			  "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+			  "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+			  "\xdd\xdd",
+	.out	= "\xfa\x73\xb0\x08\x9d\x56\xa2\x84\xef\xb0\xf0\x75\x6c\x89\x0b\xe9"
+			  "\xb1\xb5\xdb\xdd\x8e\xe8\x1a\x36\x55\xf8\x3e\x33\xb2\x27\x9d\x39"
+			  "\xbf\x3e\x84\x82\x79\xa7\x22\xc8\x06\xb4\x85\xa4\x7e\x67\xc8\x07"
+			  "\xb9\x46\xa3\x37\xbe\xe8\x94\x26\x74\x27\x88\x59\xe1\x32\x92\xfb"
+};
+
+signer_test_vector_t sha512_hmac_s3 = {
+	.alg = AUTH_HMAC_SHA2_512_256, .len = 50,
+	.key	= "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+			  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+			  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+			  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
+	.data	= "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+			  "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+			  "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+			  "\xdd\xdd",
+	.mac	= "\x2e\xe7\xac\xd7\x83\x62\x4c\xa9\x39\x87\x10\xf3\xee\x05\xae\x41"
+			  "\xb9\xf9\xb0\x51\x0c\x87\xe4\x9e\x58\x6c\xc9\xbf\x96\x17\x33\xd8"
+};
+
+prf_test_vector_t sha256_hmac_p4 = {
+	.alg = PRF_HMAC_SHA2_256, .key_size = 25, .len = 50,
+	.key	= "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"
+			  "\x11\x12\x13\x14\x15\x16\x17\x18\x19",
+	.seed	= "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd"
+			  "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd"
+			  "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd"
+			  "\xcd\xcd",
+	.out	= "\x82\x55\x8a\x38\x9a\x44\x3c\x0e\xa4\xcc\x81\x98\x99\xf2\x08\x3a"
+			  "\x85\xf0\xfa\xa3\xe5\x78\xf8\x07\x7a\x2e\x3f\xf4\x67\x29\x66\x5b"
+};
+
+prf_test_vector_t sha384_hmac_p4 = {
+	.alg = PRF_HMAC_SHA2_384, .key_size = 25, .len = 50,
+	.key	= "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"
+			  "\x11\x12\x13\x14\x15\x16\x17\x18\x19",
+	.seed	= "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd"
+			  "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd"
+			  "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd"
+			  "\xcd\xcd",
+	.out	= "\x3e\x8a\x69\xb7\x78\x3c\x25\x85\x19\x33\xab\x62\x90\xaf\x6c\xa7"
+			  "\x7a\x99\x81\x48\x08\x50\x00\x9c\xc5\x57\x7c\x6e\x1f\x57\x3b\x4e"
+			  "\x68\x01\xdd\x23\xc4\xa7\xd6\x79\xcc\xf8\xa3\x86\xc6\x74\xcf\xfb"
+};
+
+prf_test_vector_t sha512_hmac_p4 = {
+	.alg = PRF_HMAC_SHA2_512, .key_size = 25, .len = 50,
+	.key	= "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"
+			  "\x11\x12\x13\x14\x15\x16\x17\x18\x19",
+	.seed	= "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd"
+			  "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd"
+			  "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd"
+			  "\xcd\xcd",
+	.out	= "\xb0\xba\x46\x56\x37\x45\x8c\x69\x90\xe5\xa8\xc5\xf6\x1d\x4a\xf7"
+			  "\xe5\x76\xd9\x7f\xf9\x4b\x87\x2d\xe7\x6f\x80\x50\x36\x1e\xe3\xdb"
+			  "\xa9\x1c\xa5\xc1\x1a\xa2\x5e\xb4\xd6\x79\x27\x5c\xc5\x78\x80\x63"
+			  "\xa5\xf1\x97\x41\x12\x0c\x4f\x2d\xe2\xad\xeb\xeb\x10\xa2\x98\xdd"
+};
+
+prf_test_vector_t sha256_hmac_p5 = {
+	.alg = PRF_HMAC_SHA2_256, .key_size = 131, .len = 54,
+	.key	= "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+			  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+			  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+			  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+			  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+			  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+			  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+			  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+			  "\xaa\xaa\xaa",
+	.seed	= "Test Using Larger Than Block-Size Key - Hash Key First",
+	.out	= "\x60\xe4\x31\x59\x1e\xe0\xb6\x7f\x0d\x8a\x26\xaa\xcb\xf5\xb7\x7f"
+			  "\x8e\x0b\xc6\x21\x37\x28\xc5\x14\x05\x46\x04\x0f\x0e\xe3\x7f\x54"
+};
+
+prf_test_vector_t sha384_hmac_p5 = {
+	.alg = PRF_HMAC_SHA2_384, .key_size = 131, .len = 54,
+	.key	= "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+			  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+			  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+			  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+			  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+			  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+			  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+			  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+			  "\xaa\xaa\xaa",
+	.seed	= "Test Using Larger Than Block-Size Key - Hash Key First",
+	.out	= "\x4e\xce\x08\x44\x85\x81\x3e\x90\x88\xd2\xc6\x3a\x04\x1b\xc5\xb4"
+			  "\x4f\x9e\xf1\x01\x2a\x2b\x58\x8f\x3c\xd1\x1f\x05\x03\x3a\xc4\xc6"
+			  "\x0c\x2e\xf6\xab\x40\x30\xfe\x82\x96\x24\x8d\xf1\x63\xf4\x49\x52"
+};
+
+prf_test_vector_t sha512_hmac_p5 = {
+	.alg = PRF_HMAC_SHA2_512, .key_size = 131, .len = 54,
+	.key	= "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+			  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+			  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+			  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+			  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+			  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+			  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+			  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+			  "\xaa\xaa\xaa",
+	.seed	= "Test Using Larger Than Block-Size Key - Hash Key First",
+	.out	= "\x80\xb2\x42\x63\xc7\xc1\xa3\xeb\xb7\x14\x93\xc1\xdd\x7b\xe8\xb4"
+			  "\x9b\x46\xd1\xf4\x1b\x4a\xee\xc1\x12\x1b\x01\x37\x83\xf8\xf3\x52"
+			  "\x6b\x56\xd0\x37\xe0\x5f\x25\x98\xbd\x0f\xd2\x21\x5d\x6a\x1e\x52"
+			  "\x95\xe6\x4f\x73\xf6\x3f\x0a\xec\x8b\x91\x5a\x98\x5d\x78\x65\x98"
+};
+
+prf_test_vector_t sha256_hmac_p6 = {
+	.alg = PRF_HMAC_SHA2_256, .key_size = 131, .len = 152,
+	.key	= "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+			  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+			  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+			  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+			  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+			  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+			  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+			  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+			  "\xaa\xaa\xaa",
+	.seed	= "This is a test using a larger than block-size key and a larger "
+			  "than block-size data. The key needs to be hashed before being "
+			  "used by the HMAC algorithm.",
+	.out	= "\x9b\x09\xff\xa7\x1b\x94\x2f\xcb\x27\x63\x5f\xbc\xd5\xb0\xe9\x44"
+			  "\xbf\xdc\x63\x64\x4f\x07\x13\x93\x8a\x7f\x51\x53\x5c\x3a\x35\xe2"
+};
+
+prf_test_vector_t sha384_hmac_p6 = {
+	.alg = PRF_HMAC_SHA2_384, .key_size = 131, .len = 152,
+	.key	= "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+			  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+			  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+			  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+			  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+			  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+			  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+			  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+			  "\xaa\xaa\xaa",
+	.seed	= "This is a test using a larger than block-size key and a larger "
+			  "than block-size data. The key needs to be hashed before being "
+			  "used by the HMAC algorithm.",
+	.out	= "\x66\x17\x17\x8e\x94\x1f\x02\x0d\x35\x1e\x2f\x25\x4e\x8f\xd3\x2c"
+			  "\x60\x24\x20\xfe\xb0\xb8\xfb\x9a\xdc\xce\xbb\x82\x46\x1e\x99\xc5"
+			  "\xa6\x78\xcc\x31\xe7\x99\x17\x6d\x38\x60\xe6\x11\x0c\x46\x52\x3e"
+};
+
+prf_test_vector_t sha512_hmac_p6 = {
+	.alg = PRF_HMAC_SHA2_512, .key_size = 131, .len = 152,
+	.key	= "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+			  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+			  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+			  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+			  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+			  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+			  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+			  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+			  "\xaa\xaa\xaa",
+	.seed	= "This is a test using a larger than block-size key and a larger "
+			  "than block-size data. The key needs to be hashed before being "
+			  "used by the HMAC algorithm.",
+	.out	= "\xe3\x7b\x6a\x77\x5d\xc8\x7d\xba\xa4\xdf\xa9\xf9\x6e\x5e\x3f\xfd"
+			  "\xde\xbd\x71\xf8\x86\x72\x89\x86\x5d\xf5\xa3\x2d\x20\xcd\xc9\x44"
+			  "\xb6\x02\x2c\xac\x3c\x49\x82\xb1\x0d\x5e\xeb\x55\xc3\xe4\xde\x15"
+			  "\x13\x46\x76\xfb\x6d\xe0\x44\x60\x65\xc9\x74\x40\xfa\x8c\x6a\x58"
+};
+
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors/twofish_cbc.c b/src/libstrongswan/plugins/test_vectors/test_vectors/twofish_cbc.c
new file mode 100644
index 000000000..9c3ca20cc
--- /dev/null
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors/twofish_cbc.c
@@ -0,0 +1,56 @@
+/*
+ * Copyright (C) 2009 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the Licenseor (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be usefulbut
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <crypto/crypto_tester.h>
+
+/**
+ * All testvectors from http://www.schneier.com/code/ecb_ival.txt
+ */
+
+/**
+ * Twofish 128 bit: I=49
+ */
+crypter_test_vector_t twofish_cbc1 = {
+	.alg = ENCR_TWOFISH_CBC, .key_size = 16, .len = 16,
+	.key	= "\xBC\xA7\x24\xA5\x45\x33\xC6\x98\x7E\x14\xAA\x82\x79\x52\xF9\x21",
+	.iv		= "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
+	.plain	= "\x6B\x45\x92\x86\xF3\xFF\xD2\x8D\x49\xF1\x5B\x15\x81\xB0\x8E\x42",
+	.cipher	= "\x5D\x9D\x4E\xEF\xFA\x91\x51\x57\x55\x24\xF1\x15\x81\x5A\x12\xE0"
+};
+
+/**
+ * Twofish 192 bit: I=49
+ */
+crypter_test_vector_t twofish_cbc2 = {
+	.alg = ENCR_TWOFISH_CBC, .key_size = 24, .len = 16,
+	.key	= "\xFB\x66\x52\x2C\x33\x2F\xCC\x4C\x04\x2A\xBE\x32\xFA\x9E\x90\x2F"
+			  "\xDE\xA4\xF3\xDA\x75\xEC\x7A\x8E",
+	.iv		= "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
+	.plain	= "\xF0\xAB\x73\x30\x11\x25\xFA\x21\xEF\x70\xBE\x53\x85\xFB\x76\xB6",
+	.cipher	= "\xE7\x54\x49\x21\x2B\xEE\xF9\xF4\xA3\x90\xBD\x86\x0A\x64\x09\x41"
+};
+
+/**
+ * Twofish 256 bit: I=49
+ */
+crypter_test_vector_t twofish_cbc3 = {
+	.alg = ENCR_TWOFISH_CBC, .key_size = 32, .len = 16,
+	.key	= "\x24\x8A\x7F\x35\x28\xB1\x68\xAC\xFD\xD1\x38\x6E\x3F\x51\xE3\x0C"
+			  "\x2E\x21\x58\xBC\x3E\x5F\xC7\x14\xC1\xEE\xEC\xA0\xEA\x69\x6D\x48",
+	.iv		= "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
+	.plain	= "\x43\x10\x58\xF4\xDB\xC7\xF7\x34\xDA\x4F\x02\xF0\x4C\xC4\xF4\x59",
+	.cipher	= "\x37\xFE\x26\xFF\x1C\xF6\x61\x75\xF5\xDD\xF4\xC3\x3B\x97\xA2\x05"
+};
+
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors_plugin.c b/src/libstrongswan/plugins/test_vectors/test_vectors_plugin.c
new file mode 100644
index 000000000..b96dc0c9a
--- /dev/null
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors_plugin.c
@@ -0,0 +1,142 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_vectors_plugin.h"
+
+#include <crypto/crypto_factory.h>
+#include <crypto/crypto_tester.h>
+
+/* define symbols of all test vectors */
+#define TEST_VECTOR_CRYPTER(x) crypter_test_vector_t x;
+#define TEST_VECTOR_SIGNER(x) signer_test_vector_t x;
+#define TEST_VECTOR_HASHER(x) hasher_test_vector_t x;
+#define TEST_VECTOR_PRF(x) prf_test_vector_t x;
+#define TEST_VECTOR_RNG(x) rng_test_vector_t x;
+
+#include "test_vectors.h"
+
+#undef TEST_VECTOR_CRYPTER
+#undef TEST_VECTOR_SIGNER
+#undef TEST_VECTOR_HASHER
+#undef TEST_VECTOR_PRF
+#undef TEST_VECTOR_RNG
+
+#define TEST_VECTOR_CRYPTER(x)
+#define TEST_VECTOR_SIGNER(x)
+#define TEST_VECTOR_HASHER(x)
+#define TEST_VECTOR_PRF(x)
+#define TEST_VECTOR_RNG(x)
+
+/* create test vector arrays */
+#undef TEST_VECTOR_CRYPTER
+#define TEST_VECTOR_CRYPTER(x) &x,
+static crypter_test_vector_t *crypter[] = {
+#include "test_vectors.h"
+};
+#undef TEST_VECTOR_CRYPTER
+#define TEST_VECTOR_CRYPTER(x)
+
+#undef TEST_VECTOR_SIGNER
+#define TEST_VECTOR_SIGNER(x) &x,
+static signer_test_vector_t *signer[] = {
+#include "test_vectors.h"
+};
+#undef TEST_VECTOR_SIGNER
+#define TEST_VECTOR_SIGNER(x)
+
+#undef TEST_VECTOR_HASHER
+#define TEST_VECTOR_HASHER(x) &x,
+static hasher_test_vector_t *hasher[] = {
+#include "test_vectors.h"
+};
+#undef TEST_VECTOR_HASHER
+#define TEST_VECTOR_HASHER(x)
+
+#undef TEST_VECTOR_PRF
+#define TEST_VECTOR_PRF(x) &x,
+static prf_test_vector_t *prf[] = {
+#include "test_vectors.h"
+};
+#undef TEST_VECTOR_PRF
+#define TEST_VECTOR_PRF(x)
+
+#undef TEST_VECTOR_RNG
+#define TEST_VECTOR_RNG(x) &x,
+static rng_test_vector_t *rng[] = {
+#include "test_vectors.h"
+};
+#undef TEST_VECTOR_RNG
+#define TEST_VECTOR_RNG(x)
+
+typedef struct private_test_vectors_plugin_t private_test_vectors_plugin_t;
+
+/**
+ * private data of test_vectors_plugin
+ */
+struct private_test_vectors_plugin_t {
+
+	/**
+	 * public functions
+	 */
+	test_vectors_plugin_t public;
+};
+
+/**
+ * Implementation of test_vectors_plugin_t.test_vectorstroy
+ */
+static void destroy(private_test_vectors_plugin_t *this)
+{
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *plugin_create()
+{
+	private_test_vectors_plugin_t *this = malloc_thing(private_test_vectors_plugin_t);
+	int i;
+	
+	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+	
+	for (i = 0; i < countof(crypter); i++)
+	{
+		lib->crypto->add_test_vector(lib->crypto,
+									 ENCRYPTION_ALGORITHM, crypter[i]);
+	}
+	for (i = 0; i < countof(signer); i++)
+	{
+		lib->crypto->add_test_vector(lib->crypto,
+									 INTEGRITY_ALGORITHM, signer[i]);
+	}
+	for (i = 0; i < countof(hasher); i++)
+	{
+		lib->crypto->add_test_vector(lib->crypto,
+									 HASH_ALGORITHM, hasher[i]);
+	}
+	for (i = 0; i < countof(prf); i++)
+	{
+		lib->crypto->add_test_vector(lib->crypto,
+									 PSEUDO_RANDOM_FUNCTION, prf[i]);
+	}
+	for (i = 0; i < countof(rng); i++)
+	{
+		lib->crypto->add_test_vector(lib->crypto,
+									 RANDOM_NUMBER_GENERATOR, rng[i]);
+	}
+	
+	return &this->public.plugin;
+}
+
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors_plugin.h b/src/libstrongswan/plugins/test_vectors/test_vectors_plugin.h
new file mode 100644
index 000000000..9cb959c88
--- /dev/null
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors_plugin.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup test_vectors_p test_vectors
+ * @ingroup plugins
+ *
+ * @defgroup test_vectors_plugin test_vectors_plugin
+ * @{ @ingroup test_vectors_p
+ */
+
+#ifndef TEST_VECTORS_PLUGIN_H_
+#define TEST_VECTORS_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct test_vectors_plugin_t test_vectors_plugin_t;
+
+/**
+ * Plugin providing various crypto test vectors.
+ */
+struct test_vectors_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+/**
+ * Create a test_vectors_plugin instance.
+ */
+plugin_t *plugin_create();
+
+#endif /** TEST_VECTORS_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/x509/Makefile.in b/src/libstrongswan/plugins/x509/Makefile.in
index 028bbd41a..0c62ad3b3 100644
--- a/src/libstrongswan/plugins/x509/Makefile.in
+++ b/src/libstrongswan/plugins/x509/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -89,6 +89,7 @@ CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -111,6 +112,9 @@ LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -122,6 +126,7 @@ MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
 NM = @NM@
 NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
@@ -135,6 +140,8 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 RANLIB = @RANLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -195,6 +202,7 @@ oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
 plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -206,6 +214,7 @@ srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 xml_CFLAGS = @xml_CFLAGS@
@@ -230,8 +239,8 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
 	    *$$dep*) \
-	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
-		&& exit 0; \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
 	      exit 1;; \
 	  esac; \
 	done; \
@@ -331,7 +340,7 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
 	mkid -fID $$unique
 tags: TAGS
diff --git a/src/libstrongswan/plugins/x509/ietf_attr_list.h b/src/libstrongswan/plugins/x509/ietf_attr_list.h
index 983c67d14..5807a899e 100644
--- a/src/libstrongswan/plugins/x509/ietf_attr_list.h
+++ b/src/libstrongswan/plugins/x509/ietf_attr_list.h
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 /**
diff --git a/src/libstrongswan/plugins/x509/x509_ac.c b/src/libstrongswan/plugins/x509/x509_ac.c
index 2168f9bc7..638f96b44 100644
--- a/src/libstrongswan/plugins/x509/x509_ac.c
+++ b/src/libstrongswan/plugins/x509/x509_ac.c
@@ -14,8 +14,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 #include "x509_ac.h"
@@ -32,6 +30,7 @@
 #include <utils/identification.h>
 #include <utils/linked_list.h>
 #include <credentials/certificates/x509.h>
+#include <credentials/keys/private_key.h>
 
 extern identification_t* x509_parse_authorityKeyIdentifier(chunk_t blob,
 							 int level0, chunk_t *authKeySerialNumber);
@@ -780,31 +779,11 @@ static bool issued_by(private_x509_ac_t *this, certificate_t *issuer)
 			return FALSE;
 		}
 	}
-	/* TODO: generic OID to scheme mapper? */
-	switch (this->algorithm)
-	{
-		case OID_MD5_WITH_RSA:
-			scheme = SIGN_RSA_EMSA_PKCS1_MD5;
-			break;
-		case OID_SHA1_WITH_RSA:
-			scheme = SIGN_RSA_EMSA_PKCS1_SHA1;
-			break;
-		case OID_SHA256_WITH_RSA:
-			scheme = SIGN_RSA_EMSA_PKCS1_SHA256;
-			break;
-		case OID_SHA384_WITH_RSA:
-			scheme = SIGN_RSA_EMSA_PKCS1_SHA384;
-			break;
-		case OID_SHA512_WITH_RSA:
-			scheme = SIGN_RSA_EMSA_PKCS1_SHA512;
-			break;
-		case OID_ECDSA_WITH_SHA1:
-			scheme = SIGN_ECDSA_WITH_SHA1;
-			break;
-		default:
-			return FALSE;
-	}
-	if (key == NULL)
+
+	/* determine signature scheme */
+	scheme = signature_scheme_from_oid(this->algorithm);
+
+	if (scheme == SIGN_UNKNOWN || key == NULL)
 	{
 		return FALSE;
 	}
diff --git a/src/libstrongswan/plugins/x509/x509_ac.h b/src/libstrongswan/plugins/x509/x509_ac.h
index 5df9c5f8a..958d5c57a 100644
--- a/src/libstrongswan/plugins/x509/x509_ac.h
+++ b/src/libstrongswan/plugins/x509/x509_ac.h
@@ -14,8 +14,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 /**
diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c
index 4c6b45394..6fe1809c2 100644
--- a/src/libstrongswan/plugins/x509/x509_cert.c
+++ b/src/libstrongswan/plugins/x509/x509_cert.c
@@ -16,8 +16,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: x509_cert.c 4936 2009-03-12 18:07:32Z tobias $
  */
 
 #define _GNU_SOURCE
@@ -37,6 +35,7 @@
 #include <asn1/asn1_parser.h>
 #include <asn1/pem.h>
 #include <crypto/hashers/hasher.h>
+#include <credentials/keys/private_key.h>
 #include <utils/linked_list.h>
 #include <utils/identification.h>
 
@@ -353,7 +352,7 @@ static identification_t *parse_generalName(chunk_t blob, int level0)
 		if (id_type != ID_ANY)
 		{
 			gn = identification_create_from_encoding(id_type, object);
-			DBG2("  '%D'", gn);
+			DBG2("  '%Y'", gn);
 			goto end;
 		}
 	}
@@ -510,9 +509,9 @@ static void parse_authorityInfoAccess(chunk_t blob, int level0,
 								/* parsing went wrong - abort */
 								goto end;
 							}
-							DBG2("  '%D'", id);
+							DBG2("  '%Y'", id);
 							if (accessMethod == OID_OCSP &&
-								asprintf(&uri, "%D", id) > 0)
+								asprintf(&uri, "%Y", id) > 0)
 							{
 								this->ocsp_uris->insert_last(this->ocsp_uris, uri);
 							}
@@ -619,7 +618,7 @@ static void parse_crlDistributionPoints(chunk_t blob, int level0,
 			{
 				char *uri;
 				
-				if (asprintf(&uri, "%D", id) > 0)
+				if (asprintf(&uri, "%Y", id) > 0)
 				{
 					this->crl_uris->insert_last(this->crl_uris, uri);
 				}
@@ -714,7 +713,7 @@ static bool parse_certificate(private_x509_cert_t *this)
 				break;
 			case X509_OBJ_ISSUER:
 				this->issuer = identification_create_from_encoding(ID_DER_ASN1_DN, object);
-				DBG2("  '%D'", this->issuer);
+				DBG2("  '%Y'", this->issuer);
 				break;
 			case X509_OBJ_NOT_BEFORE:
 				this->notBefore = asn1_parse_time(object, level);
@@ -724,14 +723,13 @@ static bool parse_certificate(private_x509_cert_t *this)
 				break;
 			case X509_OBJ_SUBJECT:
 				this->subject = identification_create_from_encoding(ID_DER_ASN1_DN, object);
-				DBG2("  '%D'", this->subject);
+				DBG2("  '%Y'", this->subject);
 				break;
 			case X509_OBJ_SUBJECT_PUBLIC_KEY_INFO:
 				this->public_key = lib->creds->create(lib->creds, CRED_PUBLIC_KEY,
 						KEY_ANY, BUILD_BLOB_ASN1_DER, object, BUILD_END);
 				if (this->public_key == NULL)
 				{
-					DBG1("could not create public key");
 					goto end;
 				}
 				break;
@@ -911,32 +909,14 @@ static bool issued_by(private_x509_cert_t *this, certificate_t *issuer)
 	{
 		return FALSE;
 	}
-	/* TODO: generic OID to scheme mapper? */
-	switch (this->algorithm)
-	{
-		case OID_MD5_WITH_RSA:
-			scheme = SIGN_RSA_EMSA_PKCS1_MD5;
-			break;
-		case OID_SHA1_WITH_RSA:
-			scheme = SIGN_RSA_EMSA_PKCS1_SHA1;
-			break;
-		case OID_SHA256_WITH_RSA:
-			scheme = SIGN_RSA_EMSA_PKCS1_SHA256;
-			break;
-		case OID_SHA384_WITH_RSA:
-			scheme = SIGN_RSA_EMSA_PKCS1_SHA384;
-			break;
-		case OID_SHA512_WITH_RSA:
-			scheme = SIGN_RSA_EMSA_PKCS1_SHA512;
-			break;
-		case OID_ECDSA_WITH_SHA1:
-			scheme = SIGN_ECDSA_WITH_SHA1;
-			break;
-		default:
-			return FALSE;
-	}
+
+	/* get the public key of the issuer */
 	key = issuer->get_public_key(issuer);
-	if (key == NULL)
+
+	/* determine signature scheme */
+	scheme = signature_scheme_from_oid(this->algorithm);
+
+	if (scheme == SIGN_UNKNOWN || key == NULL)
 	{
 		return FALSE;
 	}
@@ -1124,19 +1104,19 @@ static private_x509_cert_t* create_empty(void)
 {
 	private_x509_cert_t *this = malloc_thing(private_x509_cert_t);
 	
-	this->public.interface.interface.get_type = (certificate_type_t (*)(certificate_t *this))get_type;
-	this->public.interface.interface.get_subject = (identification_t* (*)(certificate_t *this))get_subject;
-	this->public.interface.interface.get_issuer = (identification_t* (*)(certificate_t *this))get_issuer;
-	this->public.interface.interface.has_subject = (id_match_t (*)(certificate_t*, identification_t *subject))has_subject;
-	this->public.interface.interface.has_issuer = (id_match_t (*)(certificate_t*, identification_t *issuer))has_issuer;
-	this->public.interface.interface.issued_by = (bool (*)(certificate_t *this, certificate_t *issuer))issued_by;
-	this->public.interface.interface.get_public_key = (public_key_t* (*)(certificate_t *this))get_public_key;
-	this->public.interface.interface.get_validity = (bool (*)(certificate_t*, time_t *when, time_t *, time_t*))get_validity;
-	this->public.interface.interface.is_newer = (bool (*)(certificate_t*,certificate_t*))is_newer;
-	this->public.interface.interface.get_encoding = (chunk_t (*)(certificate_t*))get_encoding;
-	this->public.interface.interface.equals = (bool (*)(certificate_t*, certificate_t *other))equals;
-	this->public.interface.interface.get_ref = (certificate_t* (*)(certificate_t *this))get_ref;
-	this->public.interface.interface.destroy = (void (*)(certificate_t *this))destroy;
+	this->public.interface.interface.get_type = (certificate_type_t (*) (certificate_t*))get_type;
+	this->public.interface.interface.get_subject = (identification_t* (*) (certificate_t*))get_subject;
+	this->public.interface.interface.get_issuer = (identification_t* (*) (certificate_t*))get_issuer;
+	this->public.interface.interface.has_subject = (id_match_t (*) (certificate_t*, identification_t*))has_subject;
+	this->public.interface.interface.has_issuer = (id_match_t (*) (certificate_t*, identification_t*))has_issuer;
+	this->public.interface.interface.issued_by = (bool (*) (certificate_t*, certificate_t*))issued_by;
+	this->public.interface.interface.get_public_key = (public_key_t* (*) (certificate_t*))get_public_key;
+	this->public.interface.interface.get_validity = (bool (*) (certificate_t*, time_t*, time_t*, time_t*))get_validity;
+	this->public.interface.interface.is_newer = (bool (*) (certificate_t*,certificate_t*))is_newer;
+	this->public.interface.interface.get_encoding = (chunk_t (*) (certificate_t*))get_encoding;
+	this->public.interface.interface.equals = (bool (*)(certificate_t*, certificate_t*))equals;
+	this->public.interface.interface.get_ref = (certificate_t* (*)(certificate_t*))get_ref;
+	this->public.interface.interface.destroy = (void (*)(certificate_t*))destroy;
 	this->public.interface.get_flags = (x509_flag_t (*)(x509_t*))get_flags;
 	this->public.interface.get_serial = (chunk_t (*)(x509_t*))get_serial;
 	this->public.interface.get_authKeyIdentifier = (identification_t* (*)(x509_t*))get_authKeyIdentifier;
@@ -1178,6 +1158,7 @@ static private_x509_cert_t *create_from_chunk(chunk_t chunk)
 	private_x509_cert_t *this = create_empty();
 	
 	this->encoding = chunk;
+	this->parsed = TRUE;
 	if (!parse_certificate(this))
 	{
 		destroy(this);
@@ -1191,17 +1172,15 @@ static private_x509_cert_t *create_from_chunk(chunk_t chunk)
 	}
 	
 	hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
-	if (hasher != NULL)
-	{
-		hasher->allocate_hash(hasher, this->encoding, &this->encoding_hash);
-		hasher->destroy(hasher);
-	}
-	else
+	if (hasher == NULL)
 	{
-		DBG1("  unable to create hash of certificate, SHA1 not supported");		
+		DBG1("  unable to create hash of certificate, SHA1 not supported");	
+		destroy(this);
+		return NULL;	
 	}
+	hasher->allocate_hash(hasher, this->encoding, &this->encoding_hash);
+	hasher->destroy(hasher);
 	
-	this->parsed = TRUE;
 	return this;
 }
 
@@ -1316,7 +1295,7 @@ static bool generate(private_builder_t *this)
 	
 	this->cert->tbsCertificate = asn1_wrap(ASN1_SEQUENCE, "mmccmcmm", 
 		asn1_simple_object(ASN1_CONTEXT_C_0, ASN1_INTEGER_2),
-		asn1_simple_object(ASN1_INTEGER, this->cert->serialNumber),
+		asn1_integer("c", this->cert->serialNumber),
 		asn1_algorithmIdentifier(this->cert->algorithm),
 		issuer->get_encoding(issuer),
 		asn1_wrap(ASN1_SEQUENCE, "mm",
@@ -1352,33 +1331,22 @@ static bool generate(private_builder_t *this)
 static private_x509_cert_t *build(private_builder_t *this)
 {
 	private_x509_cert_t *cert;
-	x509_flag_t flags;
 	
-	if (this->cert && !this->cert->encoding.ptr)
+	if (this->cert)
 	{
-		if (!this->sign_key || !this->cert ||
-			!generate(this))
-		{
-			destroy(this->cert);
-			free(this);
-			return NULL;
+		this->cert->flags |= this->flags;
+		if (!this->cert->encoding.ptr)
+		{	/* generate a new certificate */
+			if (!this->sign_key || !generate(this))
+			{
+				destroy(this->cert);
+				free(this);
+				return NULL;
+			}
 		}
 	}
 	cert = this->cert;
-	flags =  this->flags;
 	free(this);
-	if (cert == NULL)
-	{
-		return NULL;
-	}
-	
-	if ((flags & X509_CA) && !(cert->flags & X509_CA))
-	{
-		DBG1("  ca certificate must have ca basic constraint set, discarded");
-		destroy(cert);
-		return NULL;
-	}
-	cert->flags |= flags;
 	return cert;
 }
 
diff --git a/src/libstrongswan/plugins/x509/x509_cert.h b/src/libstrongswan/plugins/x509/x509_cert.h
index 8dbd8050a..5ebe1567d 100644
--- a/src/libstrongswan/plugins/x509/x509_cert.h
+++ b/src/libstrongswan/plugins/x509/x509_cert.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: x509_cert.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/libstrongswan/plugins/x509/x509_crl.c b/src/libstrongswan/plugins/x509/x509_crl.c
index fd14dfebd..f502668cb 100644
--- a/src/libstrongswan/plugins/x509/x509_crl.c
+++ b/src/libstrongswan/plugins/x509/x509_crl.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: x509_crl.c 4936 2009-03-12 18:07:32Z tobias $
  */
 
 #include "x509_crl.h"
@@ -226,7 +224,7 @@ static bool parse(private_x509_crl_t *this)
 				break;
 			case CRL_OBJ_ISSUER:
 				this->issuer = identification_create_from_encoding(ID_DER_ASN1_DN, object);
-				DBG2("  '%D'", this->issuer);
+				DBG2("  '%Y'", this->issuer);
 				break;
 			case CRL_OBJ_THIS_UPDATE:
 				this->thisUpdate = asn1_parse_time(object, level);
@@ -436,31 +434,11 @@ static bool issued_by(private_x509_crl_t *this, certificate_t *issuer)
 			return FALSE;
 		}
 	}
-	/* TODO: generic OID to scheme mapper? */
-	switch (this->algorithm)
-	{
-		case OID_MD5_WITH_RSA:
-			scheme = SIGN_RSA_EMSA_PKCS1_MD5;
-			break;
-		case OID_SHA1_WITH_RSA:
-			scheme = SIGN_RSA_EMSA_PKCS1_SHA1;
-			break;
-		case OID_SHA256_WITH_RSA:
-			scheme = SIGN_RSA_EMSA_PKCS1_SHA256;
-			break;
-		case OID_SHA384_WITH_RSA:
-			scheme = SIGN_RSA_EMSA_PKCS1_SHA384;
-			break;
-		case OID_SHA512_WITH_RSA:
-			scheme = SIGN_RSA_EMSA_PKCS1_SHA512;
-			break;
-		case OID_ECDSA_WITH_SHA1:
-			scheme = SIGN_ECDSA_WITH_SHA1;
-			break;
-		default:
-			return FALSE;
-	}
-	if (key == NULL)
+
+	/* determine signature scheme */
+	scheme = signature_scheme_from_oid(this->algorithm);
+
+	if (scheme == SIGN_UNKNOWN || key == NULL)
 	{
 		return FALSE;
 	}
diff --git a/src/libstrongswan/plugins/x509/x509_ocsp_request.c b/src/libstrongswan/plugins/x509/x509_ocsp_request.c
index 7b97b990d..4020d8d95 100644
--- a/src/libstrongswan/plugins/x509/x509_ocsp_request.c
+++ b/src/libstrongswan/plugins/x509/x509_ocsp_request.c
@@ -13,8 +13,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: x509_ocsp_request.c 4317 2008-09-02 11:00:13Z martin $
  */
 
 #include "x509_ocsp_request.h"
@@ -26,6 +24,7 @@
 #include <utils/linked_list.h>
 #include <debug.h>
 #include <credentials/certificates/x509.h>
+#include <credentials/keys/private_key.h>
 
 #define NONCE_LEN		16
 
diff --git a/src/libstrongswan/plugins/x509/x509_ocsp_response.c b/src/libstrongswan/plugins/x509/x509_ocsp_response.c
index 6bb59d8e6..1b3187258 100644
--- a/src/libstrongswan/plugins/x509/x509_ocsp_response.c
+++ b/src/libstrongswan/plugins/x509/x509_ocsp_response.c
@@ -13,8 +13,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: x509_ocsp_response.c 4936 2009-03-12 18:07:32Z tobias $
  */
 
 #include "x509_ocsp_response.h"
@@ -523,12 +521,12 @@ static bool parse_basicOCSPResponse(private_x509_ocsp_response_t *this,
 			case BASIC_RESPONSE_ID_BY_NAME:
 				this->responderId = identification_create_from_encoding(
 													ID_DER_ASN1_DN, object);
-				DBG2("  '%D'", this->responderId);
+				DBG2("  '%Y'", this->responderId);
 				break;
 			case BASIC_RESPONSE_ID_BY_KEY:
 				this->responderId = identification_create_from_encoding(
 													ID_PUBKEY_INFO_SHA1, object);
-				DBG2("  '%D'", this->responderId);
+				DBG2("  '%Y'", this->responderId);
 				break;
 			case BASIC_RESPONSE_PRODUCED_AT:
 				this->producedAt = asn1_to_time(&object, ASN1_GENERALIZEDTIME);
@@ -726,32 +724,14 @@ static bool issued_by(private_x509_ocsp_response_t *this, certificate_t *issuer)
 	{
 		return FALSE;
 	}
-	/* TODO: generic OID to scheme mapper? */
-	switch (this->signatureAlgorithm)
-	{
-		case OID_MD5_WITH_RSA:
-			scheme = SIGN_RSA_EMSA_PKCS1_MD5;
-			break;
-		case OID_SHA1_WITH_RSA:
-			scheme = SIGN_RSA_EMSA_PKCS1_SHA1;
-			break;
-		case OID_SHA256_WITH_RSA:
-			scheme = SIGN_RSA_EMSA_PKCS1_SHA256;
-			break;
-		case OID_SHA384_WITH_RSA:
-			scheme = SIGN_RSA_EMSA_PKCS1_SHA384;
-			break;
-		case OID_SHA512_WITH_RSA:
-			scheme = SIGN_RSA_EMSA_PKCS1_SHA512;
-			break;
-		case OID_ECDSA_WITH_SHA1:
-			scheme = SIGN_ECDSA_WITH_SHA1;
-			break;
-		default:
-			return FALSE;
-	}
+
+	/* get the public key of the issuer */
 	key = issuer->get_public_key(issuer);
-	if (key == NULL)
+
+	/* determine signature scheme */
+	scheme = signature_scheme_from_oid(this->signatureAlgorithm);
+
+	if (scheme == SIGN_UNKNOWN || key == NULL)
 	{
 		return FALSE;
 	}
diff --git a/src/libstrongswan/plugins/x509/x509_plugin.c b/src/libstrongswan/plugins/x509/x509_plugin.c
index 42768487d..9ed7f95bd 100644
--- a/src/libstrongswan/plugins/x509/x509_plugin.c
+++ b/src/libstrongswan/plugins/x509/x509_plugin.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: x509_plugin.c 3640 2008-03-21 10:52:11Z andreas $
  */
 
 #include "x509_plugin.h"
diff --git a/src/libstrongswan/plugins/xcbc/Makefile.in b/src/libstrongswan/plugins/xcbc/Makefile.in
index 48c6ef954..82ef55bd5 100644
--- a/src/libstrongswan/plugins/xcbc/Makefile.in
+++ b/src/libstrongswan/plugins/xcbc/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -88,6 +88,7 @@ CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -110,6 +111,9 @@ LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -121,6 +125,7 @@ MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
 NM = @NM@
 NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
@@ -134,6 +139,8 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 RANLIB = @RANLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -194,6 +201,7 @@ oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
 plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -205,6 +213,7 @@ srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 xml_CFLAGS = @xml_CFLAGS@
@@ -224,8 +233,8 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
 	    *$$dep*) \
-	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
-		&& exit 0; \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
 	      exit 1;; \
 	  esac; \
 	done; \
@@ -322,7 +331,7 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
 	mkid -fID $$unique
 tags: TAGS
diff --git a/src/libstrongswan/plugins/xcbc/xcbc.c b/src/libstrongswan/plugins/xcbc/xcbc.c
index ab37eca40..dd63af005 100644
--- a/src/libstrongswan/plugins/xcbc/xcbc.c
+++ b/src/libstrongswan/plugins/xcbc/xcbc.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General xcbc License
  * for more details.
- *
- * $Id: xcbc.c 3589 2008-03-13 14:14:44Z martin $
  */
 
 #include <string.h>
diff --git a/src/libstrongswan/plugins/xcbc/xcbc_plugin.c b/src/libstrongswan/plugins/xcbc/xcbc_plugin.c
index f1501476f..25f59c650 100644
--- a/src/libstrongswan/plugins/xcbc/xcbc_plugin.c
+++ b/src/libstrongswan/plugins/xcbc/xcbc_plugin.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 #include "xcbc_plugin.h"
diff --git a/src/libstrongswan/plugins/xcbc/xcbc_prf.c b/src/libstrongswan/plugins/xcbc/xcbc_prf.c
index 03056594d..a90f2d44f 100644
--- a/src/libstrongswan/plugins/xcbc/xcbc_prf.c
+++ b/src/libstrongswan/plugins/xcbc/xcbc_prf.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 #include "xcbc_prf.h"
diff --git a/src/libstrongswan/plugins/xcbc/xcbc_signer.c b/src/libstrongswan/plugins/xcbc/xcbc_signer.c
index 29eb2d25b..b394bb251 100644
--- a/src/libstrongswan/plugins/xcbc/xcbc_signer.c
+++ b/src/libstrongswan/plugins/xcbc/xcbc_signer.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 #include <string.h>
diff --git a/src/libstrongswan/printf_hook.c b/src/libstrongswan/printf_hook.c
index ceace27da..692ad9cf8 100644
--- a/src/libstrongswan/printf_hook.c
+++ b/src/libstrongswan/printf_hook.c
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: printf_hook.c 4975 2009-03-19 08:54:39Z martin $
  */
 
 #include "printf_hook.h"
@@ -62,7 +60,7 @@ struct printf_hook_handler_t {
 	 */
 	int argtypes[ARGS_MAX];
 
-#ifndef HAVE_PRINTF_HOOKS
+#ifdef USE_VSTR
 	/**
 	 * name required for Vstr
 	 */
@@ -77,7 +75,7 @@ static printf_hook_handler_t *printf_hooks[NUM_HANDLERS];
 #define SPEC_TO_INDEX(spec) ((int)(spec) - (int)'A')
 #define IS_VALID_SPEC(spec) (SPEC_TO_INDEX(spec) > -1 && SPEC_TO_INDEX(spec) < NUM_HANDLERS)
 
-#ifdef HAVE_PRINTF_HOOKS
+#if defined(HAVE_PRINTF_HOOKS) && !defined(USE_VSTR)
 
 /**
  * Printf hook print function. This is actually of type "printf_function",
@@ -165,7 +163,7 @@ static int custom_fmt_cb(Vstr_base *base, size_t pos, Vstr_fmt_spec *fmt_spec)
 }
 
 /**
- * Add a custom format handler to the given Vstr_conf object 
+ * Add a custom format handler to the given Vstr_conf object
  */
 static void vstr_fmt_add_handler(Vstr_conf *conf, printf_hook_handler_t *handler)
 {
@@ -340,7 +338,7 @@ static void add_handler(private_printf_hook_t *this, char spec,
 		return;
 	}
 	
-	handler = malloc_thing(printf_hook_handler_t); 
+	handler = malloc_thing(printf_hook_handler_t);
 	handler->hook = hook;
 	
 	va_start(args, hook);
@@ -361,7 +359,7 @@ static void add_handler(private_printf_hook_t *this, char spec,
 	
 	if (handler->numargs > 0)
 	{
-#ifdef HAVE_PRINTF_HOOKS
+#if defined(HAVE_PRINTF_HOOKS) && !defined(USE_VSTR)
 		register_printf_function(spec, custom_print, custom_arginfo);
 #else
 		Vstr_conf *conf = get_vstr_conf();
@@ -384,7 +382,7 @@ static void add_handler(private_printf_hook_t *this, char spec,
 static void destroy(private_printf_hook_t *this)
 {
 	int i;
-#ifndef HAVE_PRINTF_HOOKS
+#ifdef USE_VSTR
 	Vstr_conf *conf = get_vstr_conf();
 #endif
 	
@@ -393,7 +391,7 @@ static void destroy(private_printf_hook_t *this)
 		printf_hook_handler_t *handler = printf_hooks[i];
 		if (handler)
 		{
-#ifndef HAVE_PRINTF_HOOKS
+#ifdef USE_VSTR
 			vstr_fmt_del(conf, handler->name);
 			free(handler->name);
 #endif
@@ -401,7 +399,7 @@ static void destroy(private_printf_hook_t *this)
 		}
 	}
 	
-#ifndef HAVE_PRINTF_HOOKS
+#ifdef USE_VSTR
 	/* freeing the Vstr_conf of the main thread */
 	pthread_key_delete(vstr_conf_key);
 	vstr_free_conf(conf);
@@ -422,7 +420,7 @@ printf_hook_t *printf_hook_create()
 	
 	memset(printf_hooks, 0, sizeof(printf_hooks));
 	
-#ifndef HAVE_PRINTF_HOOKS
+#ifdef USE_VSTR
 	if (!vstr_init())
 	{
 		DBG1("failed to initialize Vstr library!");
diff --git a/src/libstrongswan/printf_hook.h b/src/libstrongswan/printf_hook.h
index a82c1583c..02c973580 100644
--- a/src/libstrongswan/printf_hook.h
+++ b/src/libstrongswan/printf_hook.h
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: printf_hook.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -28,12 +26,13 @@ typedef struct printf_hook_t printf_hook_t;
 typedef struct printf_hook_spec_t printf_hook_spec_t;
 typedef enum printf_hook_argtype_t printf_hook_argtype_t;
 
-#ifdef HAVE_PRINTF_HOOKS
+#if defined(HAVE_PRINTF_HOOKS) && !defined(USE_VSTR)
 
+#include <stdio.h>
 #include <printf.h>
 
 enum printf_hook_argtype_t {
-	PRINTF_HOOK_ARGTYPE_END = PA_LAST,
+	PRINTF_HOOK_ARGTYPE_END = -1,
 	PRINTF_HOOK_ARGTYPE_INT = PA_INT,
 	PRINTF_HOOK_ARGTYPE_POINTER = PA_POINTER,
 };
diff --git a/src/libstrongswan/settings.c b/src/libstrongswan/settings.c
index a02823ba0..64ac09299 100644
--- a/src/libstrongswan/settings.c
+++ b/src/libstrongswan/settings.c
@@ -11,12 +11,11 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 #define _GNU_SOURCE
 #include <string.h>
+#include <stdarg.h>
 #include <stdio.h>
 #include <errno.h>
 
@@ -213,17 +212,17 @@ static bool get_bool(private_settings_t *this, char *key, bool def, ...)
 	va_end(args);
 	if (value)
 	{
-		if (strcasecmp(value, "true") == 0 ||
-			strcasecmp(value, "enabled") == 0 ||
-			strcasecmp(value, "yes") == 0 ||
-			strcasecmp(value, "1") == 0)
+		if (strcaseeq(value, "true") ||
+			strcaseeq(value, "enabled") ||
+			strcaseeq(value, "yes") ||
+			strcaseeq(value, "1"))
 		{
 			return TRUE;
 		}
-		else if (strcasecmp(value, "false") == 0 ||
-				 strcasecmp(value, "disabled") == 0 ||
-				 strcasecmp(value, "no") == 0 ||
-				 strcasecmp(value, "0") == 0)
+		else if (strcaseeq(value, "false") ||
+				 strcaseeq(value, "disabled") ||
+				 strcaseeq(value, "no") ||
+				 strcaseeq(value, "0"))
 		{
 			return FALSE;
 		}
diff --git a/src/libstrongswan/settings.h b/src/libstrongswan/settings.h
index c487f7775..1816787ae 100644
--- a/src/libstrongswan/settings.h
+++ b/src/libstrongswan/settings.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 /**
@@ -25,7 +23,7 @@
 
 typedef struct settings_t settings_t;
 
-#include <library.h>
+#include <utils.h>
 #include <utils/enumerator.h>
 
 /**
diff --git a/src/libstrongswan/utils.c b/src/libstrongswan/utils.c
index be0e8e9e5..4a0eff45f 100644
--- a/src/libstrongswan/utils.c
+++ b/src/libstrongswan/utils.c
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: utils.c 4936 2009-03-12 18:07:32Z tobias $
  */
 
 #include "utils.h"
@@ -22,6 +20,7 @@
 #include <string.h>
 #include <stdio.h>
 #include <unistd.h>
+#include <limits.h>
 #include <dirent.h>
 #include <time.h>
 
@@ -147,6 +146,22 @@ void *return_null()
 	return NULL;
 }
 
+/**
+ * returns TRUE
+ */
+bool return_true()
+{
+	return TRUE;
+}
+
+/**
+ * returns FALSE
+ */
+bool return_false()
+{
+	return FALSE;
+}
+
 /**
  * nop operation
  */
diff --git a/src/libstrongswan/utils.h b/src/libstrongswan/utils.h
index b740e7473..debd0145b 100644
--- a/src/libstrongswan/utils.h
+++ b/src/libstrongswan/utils.h
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: utils.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
@@ -50,6 +48,11 @@
  */
 #define strneq(x,y,len) (strncmp(x, y, len) == 0)
 
+/**
+ * Macro compares two strings for equality ignoring case
+ */
+#define strcaseeq(x,y) (strcasecmp(x, y) == 0)
+
 /**
  * Macro compares two binary blobs for equality
  */
@@ -113,12 +116,22 @@
 /**
  * General purpose boolean type.
  */
-typedef int bool;
+#ifdef HAVE_STDBOOL_H
+# include <stdbool.h>
+#else
+# ifndef HAVE__BOOL
+#  define _Bool signed char
+# endif /* HAVE__BOOL */
+# define bool _Bool
+# define false 0
+# define true 1
+# define __bool_true_false_are_defined 1
+#endif /* HAVE_STDBOOL_H */
 #ifndef FALSE
-# define FALSE 0
+# define FALSE false
 #endif /* FALSE */
 #ifndef TRUE
-# define TRUE  1
+# define TRUE  true
 #endif /* TRUE */
 
 typedef enum status_t status_t;
@@ -249,6 +262,16 @@ void *return_null();
  */
 void nop();
 
+/**
+ * returns TRUE
+ */
+bool return_true();
+
+/**
+ * returns FALSE
+ */
+bool return_false();
+
 /**
  * Special type to count references
  */
diff --git a/src/libstrongswan/utils/backtrace.c b/src/libstrongswan/utils/backtrace.c
index 3caafdc38..f110521af 100644
--- a/src/libstrongswan/utils/backtrace.c
+++ b/src/libstrongswan/utils/backtrace.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 #define _GNU_SOURCE
@@ -25,6 +23,8 @@
 # include <execinfo.h>
 #endif /* HAVE_BACKTRACE */
 
+#include <string.h>
+
 #include "backtrace.h"
 
 typedef struct private_backtrace_t private_backtrace_t;
diff --git a/src/libstrongswan/utils/enumerator.c b/src/libstrongswan/utils/enumerator.c
index e7653a9b2..24bafe66a 100644
--- a/src/libstrongswan/utils/enumerator.c
+++ b/src/libstrongswan/utils/enumerator.c
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: enumerator.c 4744 2008-12-03 10:03:59Z tobias $
  */
 
 #include "enumerator.h"
@@ -21,9 +19,11 @@
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <unistd.h>
+#include <limits.h>
 #include <stdio.h>
 #include <dirent.h>
 #include <errno.h>
+#include <string.h>
 
 #include <debug.h>
 
diff --git a/src/libstrongswan/utils/enumerator.h b/src/libstrongswan/utils/enumerator.h
index 98f300609..4367d0836 100644
--- a/src/libstrongswan/utils/enumerator.h
+++ b/src/libstrongswan/utils/enumerator.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: enumerator.h 5003 2009-03-24 17:43:01Z martin $
  */
  
 /**
@@ -25,7 +23,7 @@
 
 typedef struct enumerator_t enumerator_t;
 
-#include <library.h>
+#include <utils.h>
 
 /**
  * Enumerate is simpler, but more flexible than iterator.
diff --git a/src/libstrongswan/utils/hashtable.c b/src/libstrongswan/utils/hashtable.c
index 27a7a66c1..6d33d023b 100644
--- a/src/libstrongswan/utils/hashtable.c
+++ b/src/libstrongswan/utils/hashtable.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: hashtable.c 4936 2009-03-12 18:07:32Z tobias $
  */
 
 #include <utils/linked_list.h>
diff --git a/src/libstrongswan/utils/hashtable.h b/src/libstrongswan/utils/hashtable.h
index 28804caf8..cbe51f557 100644
--- a/src/libstrongswan/utils/hashtable.h
+++ b/src/libstrongswan/utils/hashtable.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: hashtable.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/libstrongswan/utils/host.c b/src/libstrongswan/utils/host.c
index a40c42c49..484de5e54 100644
--- a/src/libstrongswan/utils/host.c
+++ b/src/libstrongswan/utils/host.c
@@ -14,8 +14,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: host.c 4977 2009-03-19 09:16:03Z martin $
  */
 
 #define _GNU_SOURCE
@@ -34,7 +32,7 @@ typedef struct private_host_t private_host_t;
 /**
  * Private Data of a host object.
  */
-struct private_host_t { 	
+struct private_host_t {
 	/**
 	 * Public data
 	 */
@@ -81,7 +79,7 @@ static socklen_t *get_sockaddr_len(private_host_t *this)
  */
 static bool is_anyaddr(private_host_t *this)
 {
-	switch (this->address.sa_family) 
+	switch (this->address.sa_family)
 	{
 		case AF_INET:
 		{
@@ -100,7 +98,7 @@ static bool is_anyaddr(private_host_t *this)
 		default:
 		{
 			return FALSE;
-		}	
+		}
 	}
 }
 
@@ -171,7 +169,7 @@ static chunk_t get_address(private_host_t *this)
 {
 	chunk_t address = chunk_empty;
 	
-	switch (this->address.sa_family) 
+	switch (this->address.sa_family)
 	{
 		case AF_INET:
 		{
@@ -206,7 +204,7 @@ static int get_family(private_host_t *this)
  */
 static u_int16_t get_port(private_host_t *this)
 {
-	switch (this->address.sa_family) 
+	switch (this->address.sa_family)
 	{
 		case AF_INET:
 		{
@@ -342,7 +340,7 @@ static void destroy(private_host_t *this)
 }
 
 /**
- * Creates an empty host_t object 
+ * Creates an empty host_t object
  */
 static private_host_t *host_create_empty(void)
 {
@@ -438,9 +436,12 @@ host_t *host_create_from_string(char *string, u_int16_t port)
 host_t *host_create_from_dns(char *string, int af, u_int16_t port)
 {
 	private_host_t *this;
-	struct hostent host, *ptr;
+	struct hostent *ptr;
+	int ret = 0, err;
+#ifdef HAVE_GETHOSTBYNAME_R
+	struct hostent host;
 	char buf[512];
-	int err, ret;
+#endif
 
 	if (streq(string, "%any"))
 	{
@@ -455,37 +456,49 @@ host_t *host_create_from_dns(char *string, int af, u_int16_t port)
 		/* gethostbyname does not like IPv6 addresses - fallback */
 		return host_create_from_string(string, port);
 	}
-	
+
+#ifdef HAVE_GETHOSTBYNAME_R
 	if (af)
-	{	
+	{
 		ret = gethostbyname2_r(string, af, &host, buf, sizeof(buf), &ptr, &err);
 	}
 	else
 	{
 		ret = gethostbyname_r(string, &host, buf, sizeof(buf), &ptr, &err);
 	}
-	if (ret != 0)
+#else
+	/* Some systems (e.g. Mac OS X) do not support gethostbyname_r */
+	if (af)
+	{
+		ptr = gethostbyname2(string, af);
+	}
+	else
 	{
-		DBG1("resolving '%s' failed: %s", string, hstrerror(err));
-		return NULL;
+		ptr = gethostbyname(string);
 	}
 	if (ptr == NULL)
 	{
-		DBG1("resolving '%s' failed", string);
+		err = h_errno;
+	}
+#endif
+	if (ret != 0 || ptr == NULL)
+	{
+		DBG1("resolving '%s' failed: %s", string, hstrerror(err));
+		return NULL;
 	}
 	this = host_create_empty();
-	this->address.sa_family = host.h_addrtype;
+	this->address.sa_family = ptr->h_addrtype;
 	switch (this->address.sa_family)
 	{
 		case AF_INET:
 			memcpy(&this->address4.sin_addr.s_addr,
-				   host.h_addr_list[0], host.h_length);
+				   ptr->h_addr_list[0], ptr->h_length);
 			this->address4.sin_port = htons(port);
 			this->socklen = sizeof(struct sockaddr_in);
 			break;
 		case AF_INET6:
 			memcpy(&this->address6.sin6_addr.s6_addr,
-				   host.h_addr_list[0], host.h_length);
+				   ptr->h_addr_list[0], ptr->h_length);
 			this->address6.sin6_port = htons(port);
 			this->socklen = sizeof(struct sockaddr_in6);
 			break;
diff --git a/src/libstrongswan/utils/identification.c b/src/libstrongswan/utils/identification.c
index bce6b1cc2..1c04c97ef 100644
--- a/src/libstrongswan/utils/identification.c
+++ b/src/libstrongswan/utils/identification.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2009 Tobias Brunner
- * Copyright (C) 2005-2008 Martin Willi
+ * Copyright (C) 2005-2009 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
  *
@@ -13,8 +13,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: identification.c 5036 2009-03-26 13:25:46Z martin $
  */
 
 #define _GNU_SOURCE
@@ -58,111 +56,43 @@ ENUM_NEXT(id_type_names, ID_DER_ASN1_GN_URI, ID_CERT_DER_SHA1, ID_KEY_ID,
 	"ID_CERT_DER_SHA1");
 ENUM_END(id_type_names, ID_CERT_DER_SHA1);
 
-/**
- * X.501 acronyms for well known object identifiers (OIDs)
- */
-static u_char oid_ND[]  = {
-	0x02, 0x82, 0x06, 0x01, 0x0A, 0x07, 0x14
-};
-static u_char oid_UID[] = {
-	0x09, 0x92, 0x26, 0x89, 0x93, 0xF2, 0x2C, 0x64, 0x01, 0x01
-};
-static u_char oid_DC[]  = {
-	0x09, 0x92, 0x26, 0x89, 0x93, 0xF2, 0x2C, 0x64, 0x01, 0x19
-};
-static u_char oid_CN[] = {
-	0x55, 0x04, 0x03
-};
-static u_char oid_S[] = {
-	0x55, 0x04, 0x04
-};
-static u_char oid_SN[] = {
-	0x55, 0x04, 0x05
-};
-static u_char oid_C[] = {
-	0x55, 0x04, 0x06
-};
-static u_char oid_L[] = {
-	0x55, 0x04, 0x07
-};
-static u_char oid_ST[] = {
-	0x55, 0x04, 0x08
-};
-static u_char oid_O[] = {
-	0x55, 0x04, 0x0A
-};
-static u_char oid_OU[] = {
-	0x55, 0x04, 0x0B
-};
-static u_char oid_T[] = {
-	0x55, 0x04, 0x0C
-};
-static u_char oid_D[] = {
-	0x55, 0x04, 0x0D
-};
-static u_char oid_N[] = {
-	0x55, 0x04, 0x29
-};
-static u_char oid_G[] = {
-	0x55, 0x04, 0x2A
-};
-static u_char oid_I[] = {
-	0x55, 0x04, 0x2B
-};
-static u_char oid_ID[] = {
-	0x55, 0x04, 0x2D
-};
-static u_char oid_EN[]  = {
-	0x60, 0x86, 0x48, 0x01, 0x86, 0xF8, 0x42, 0x03, 0x01, 0x03
-};
-static u_char oid_E[] = {
-	0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01
-};
-static u_char oid_UN[]  = {
-	0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x02
-};
-static u_char oid_TCGID[] = {
-	0x2B, 0x06, 0x01, 0x04, 0x01, 0x89, 0x31, 0x01, 0x01, 0x02, 0x02, 0x4B
-};
-
 /**
  * coding of X.501 distinguished name 
  */
 typedef struct {
 	const u_char *name;
-	chunk_t oid;
+	int oid;
 	u_char type;
 } x501rdn_t;
 
 static const x501rdn_t x501rdns[] = {
-	{"ND", 				{oid_ND,     7}, ASN1_PRINTABLESTRING},
-	{"UID", 			{oid_UID,   10}, ASN1_PRINTABLESTRING},
-	{"DC", 				{oid_DC,    10}, ASN1_PRINTABLESTRING},
-	{"CN",				{oid_CN,     3}, ASN1_PRINTABLESTRING},
-	{"S", 				{oid_S,      3}, ASN1_PRINTABLESTRING},
-	{"SN", 				{oid_SN,     3}, ASN1_PRINTABLESTRING},
-	{"serialNumber", 	{oid_SN,     3}, ASN1_PRINTABLESTRING},
-	{"C", 				{oid_C,      3}, ASN1_PRINTABLESTRING},
-	{"L", 				{oid_L,      3}, ASN1_PRINTABLESTRING},
-	{"ST",				{oid_ST,     3}, ASN1_PRINTABLESTRING},
-	{"O", 				{oid_O,      3}, ASN1_PRINTABLESTRING},
-	{"OU", 				{oid_OU,     3}, ASN1_PRINTABLESTRING},
-	{"T", 				{oid_T,      3}, ASN1_PRINTABLESTRING},
-	{"D", 				{oid_D,      3}, ASN1_PRINTABLESTRING},
-	{"N", 				{oid_N,      3}, ASN1_PRINTABLESTRING},
-	{"G", 				{oid_G,      3}, ASN1_PRINTABLESTRING},
-	{"I", 				{oid_I,      3}, ASN1_PRINTABLESTRING},
-	{"ID", 				{oid_ID,     3}, ASN1_PRINTABLESTRING},
-	{"EN", 				{oid_EN,    10}, ASN1_PRINTABLESTRING},
-	{"employeeNumber",	{oid_EN,    10}, ASN1_PRINTABLESTRING},
-	{"E", 				{oid_E,      9}, ASN1_IA5STRING},
-	{"Email", 			{oid_E,      9}, ASN1_IA5STRING},
-	{"emailAddress",	{oid_E,      9}, ASN1_IA5STRING},
-	{"UN", 				{oid_UN,     9}, ASN1_IA5STRING},
-	{"unstructuredName",{oid_UN,     9}, ASN1_IA5STRING},
-	{"TCGID", 			{oid_TCGID, 12}, ASN1_PRINTABLESTRING}
+	{"ND", 				OID_NAME_DISTINGUISHER,		ASN1_PRINTABLESTRING},
+	{"UID", 			OID_PILOT_USERID,			ASN1_PRINTABLESTRING},
+	{"DC", 				OID_PILOT_DOMAIN_COMPONENT, ASN1_PRINTABLESTRING},
+	{"CN",				OID_COMMON_NAME,			ASN1_PRINTABLESTRING},
+	{"S", 				OID_SURNAME,				ASN1_PRINTABLESTRING},
+	{"SN", 				OID_SERIAL_NUMBER,			ASN1_PRINTABLESTRING},
+	{"serialNumber", 	OID_SERIAL_NUMBER,			ASN1_PRINTABLESTRING},
+	{"C", 				OID_COUNTRY,				ASN1_PRINTABLESTRING},
+	{"L", 				OID_LOCALITY,				ASN1_PRINTABLESTRING},
+	{"ST",				OID_STATE_OR_PROVINCE,		ASN1_PRINTABLESTRING},
+	{"O", 				OID_ORGANIZATION,			ASN1_PRINTABLESTRING},
+	{"OU", 				OID_ORGANIZATION_UNIT,		ASN1_PRINTABLESTRING},
+	{"T", 				OID_TITLE,					ASN1_PRINTABLESTRING},
+	{"D", 				OID_DESCRIPTION,			ASN1_PRINTABLESTRING},
+	{"N", 				OID_NAME,					ASN1_PRINTABLESTRING},
+	{"G", 				OID_GIVEN_NAME,				ASN1_PRINTABLESTRING},
+	{"I", 				OID_INITIALS,				ASN1_PRINTABLESTRING},
+	{"ID", 				OID_UNIQUE_IDENTIFIER,		ASN1_PRINTABLESTRING},
+	{"EN", 				OID_EMPLOYEE_NUMBER,		ASN1_PRINTABLESTRING},
+	{"employeeNumber",	OID_EMPLOYEE_NUMBER,		ASN1_PRINTABLESTRING},
+	{"E", 				OID_EMAIL_ADDRESS,			ASN1_IA5STRING},
+	{"Email", 			OID_EMAIL_ADDRESS,			ASN1_IA5STRING},
+	{"emailAddress",	OID_EMAIL_ADDRESS,			ASN1_IA5STRING},
+	{"UN", 				OID_UNSTRUCTURED_NAME,		ASN1_IA5STRING},
+	{"unstructuredName",OID_UNSTRUCTURED_NAME,		ASN1_IA5STRING},
+	{"TCGID", 			OID_TCGID,					ASN1_PRINTABLESTRING}
 };
-#define X501_RDN_ROOF   26
 
 /**
  * maximum number of RDNs in atodn()
@@ -208,34 +138,22 @@ static void update_chunk(chunk_t *ch, int n)
  * Remove any malicious characters from a chunk. We are very restrictive, but
  * whe use these strings only to present it to the user.
  */
-static chunk_t sanitize_chunk(chunk_t chunk)
+static bool sanitize_chunk(chunk_t chunk, chunk_t *clone)
 {
 	char *pos;
-	chunk_t clone = chunk_clone(chunk);
+	bool all_printable = TRUE;
+	
+	*clone = chunk_clone(chunk);
 	
-	for (pos = clone.ptr; pos < (char*)(clone.ptr + clone.len); pos++)
+	for (pos = clone->ptr; pos < (char*)(clone->ptr + clone->len); pos++)
 	{
-		switch (*pos)
+		if (!isprint(*pos))
 		{
-			case '\0':
-			case ' ':
-			case '*':
-			case '-':
-			case '.':
-			case '/':
-			case '0' ... '9':
-			case ':':
-			case '=':
-			case '@':
-			case 'A' ... 'Z':
-			case '_':
-			case 'a' ... 'z':
-				break;
-			default:
-				*pos = '?';
+			*pos = '?';
+			all_printable = FALSE;
 		}
 	}
-	return clone;
+	return all_printable;
 }
 
 /**
@@ -272,14 +190,15 @@ static bool init_rdn(chunk_t dn, chunk_t *rdn, chunk_t *attribute, bool *next)
 /**
  * Fetches the next RDN in a DN
  */
-static bool get_next_rdn(chunk_t *rdn, chunk_t * attribute, chunk_t *oid, chunk_t *value, asn1_t *type, bool *next)
+static bool get_next_rdn(chunk_t *rdn, chunk_t * attribute, chunk_t *oid,
+						 chunk_t *value, asn1_t *type, bool *next)
 {
 	chunk_t body;
-
+	
 	/* initialize return values */
 	*oid   = chunk_empty;
 	*value = chunk_empty;
-
+	
 	/* if all attributes have been parsed, get next rdn */
 	if (attribute->len <= 0)
 	{
@@ -371,19 +290,19 @@ static bool dntoa(chunk_t dn, chunk_t *str)
 	int oid_code;
 	bool next;
 	bool first = TRUE;
-
+	
 	if (!init_rdn(dn, &rdn, &attribute, &next))
 	{
 		return FALSE;
 	}
-
+	
 	while (next)
 	{
 		if (!get_next_rdn(&rdn, &attribute, &oid, &value, &type, &next))
 		{
 			return FALSE;
 		}
-
+		
 		if (first) 
 		{ /* first OID/value pair */
 			first = FALSE;
@@ -392,7 +311,7 @@ static bool dntoa(chunk_t dn, chunk_t *str)
 		{ /* separate OID/value pair by a comma */
 			update_chunk(str, snprintf(str->ptr,str->len,", "));
 		}
-
+		
 		/* print OID */
 		oid_code = asn1_known_oid(oid);
 		if (oid_code == OID_UNKNOWN)
@@ -404,7 +323,7 @@ static bool dntoa(chunk_t dn, chunk_t *str)
 			update_chunk(str, snprintf(str->ptr,str->len,"%s", oid_names[oid_code].name));
 		}
 		/* print value */
-		proper = sanitize_chunk(value);
+		sanitize_chunk(value, &proper);
 		update_chunk(str, snprintf(str->ptr,str->len,"=%.*s", (int)proper.len, proper.ptr));
 		chunk_free(&proper);
 	}
@@ -421,7 +340,7 @@ static bool same_dn(chunk_t a, chunk_t b)
 	chunk_t oid_a, oid_b, value_a, value_b;
 	asn1_t type_a, type_b;
 	bool next_a, next_b;
-
+	
 	/* same lengths for the DNs */
 	if (a.len != b.len)
 	{
@@ -438,7 +357,7 @@ static bool same_dn(chunk_t a, chunk_t b)
 	{
 		return FALSE;
 	}
-
+	
 	/* fetch next RDN pair */
 	while (next_a && next_b)
 	{
@@ -448,19 +367,19 @@ static bool same_dn(chunk_t a, chunk_t b)
 		{
 			return FALSE;
 		}
-
+		
 		/* OIDs must agree */
 		if (oid_a.len != oid_b.len || !memeq(oid_a.ptr, oid_b.ptr, oid_b.len))
 		{
 			return FALSE;
 		}
-
+		
 		/* same lengths for values */
 		if (value_a.len != value_b.len)
 		{
 			return FALSE;
 		}
-
+		
 		/* printableStrings and email RDNs require uppercase comparison */
 		if (type_a == type_b && (type_a == ASN1_PRINTABLESTRING ||
 			(type_a == ASN1_IA5STRING && asn1_known_oid(oid_a) == OID_PKCS9_EMAIL)))
@@ -499,17 +418,17 @@ bool match_dn(chunk_t a, chunk_t b, int *wildcards)
 	chunk_t oid_a, oid_b, value_a, value_b;
 	asn1_t type_a,  type_b;
 	bool next_a, next_b;
-
+	
 	/* initialize wildcard counter */
 	*wildcards = 0;
-
+	
 	/* initialize DN parsing */
 	if (!init_rdn(a, &rdn_a, &attribute_a, &next_a) ||
 		!init_rdn(b, &rdn_b, &attribute_b, &next_b))
 	{
 		return FALSE;
 	}
-
+	
 	/* fetch next RDN pair */
 	while (next_a && next_b)
 	{
@@ -524,7 +443,7 @@ bool match_dn(chunk_t a, chunk_t b, int *wildcards)
 		{
 			return FALSE;
 		}
-
+		
 		/* does rdn_b contain a wildcard? */
 		if (value_b.len == 1 && *value_b.ptr == '*')
 		{
@@ -536,7 +455,7 @@ bool match_dn(chunk_t a, chunk_t b, int *wildcards)
 		{
 			return FALSE;
 		}
-
+		
 		/* printableStrings and email RDNs require uppercase comparison */
 		if (type_a == type_b && (type_a == ASN1_PRINTABLESTRING ||
 			(type_a == ASN1_IA5STRING && asn1_known_oid(oid_a) == OID_PKCS9_EMAIL)))
@@ -609,15 +528,18 @@ static status_t atodn(char *src, chunk_t *dn)
 				}
 				else
 				{
-					for (i = 0; i < X501_RDN_ROOF; i++)
+					bool found = FALSE;
+					
+					for (i = 0; i < countof(x501rdns); i++)
 					{
-						if (strlen(x501rdns[i].name) == oid.len
-						&&  strncasecmp(x501rdns[i].name, oid.ptr, oid.len) == 0)
+						if (strlen(x501rdns[i].name) == oid.len &&
+							strncasecmp(x501rdns[i].name, oid.ptr, oid.len) == 0)
 						{
-							break; /* found a valid OID */
+							found = TRUE;
+							break;
 						}
 					}
-					if (i == X501_RDN_ROOF)
+					if (!found)
 					{
 						status = NOT_SUPPORTED;
 						state = UNKNOWN_OID;
@@ -655,14 +577,24 @@ static status_t atodn(char *src, chunk_t *dn)
 					
 					if (rdn_count < RDN_MAX)
 					{
-						rdns[rdn_count] = 
-								asn1_wrap(ASN1_SET, "m",
-									asn1_wrap(ASN1_SEQUENCE, "mm",
-										asn1_wrap(ASN1_OID, "c", x501rdns[i].oid),
-										asn1_wrap(rdn_type, "c", name)
-									)
-								);
-						dn_len += rdns[rdn_count++].len;
+						chunk_t rdn_oid;
+						
+						rdn_oid = asn1_build_known_oid(x501rdns[i].oid);
+						if (rdn_oid.len)
+						{
+							rdns[rdn_count] = 
+									asn1_wrap(ASN1_SET, "m",
+										asn1_wrap(ASN1_SEQUENCE, "mm",
+											rdn_oid,
+											asn1_wrap(rdn_type, "c", name)
+										)
+									);
+							dn_len += rdns[rdn_count++].len;
+						}
+						else
+						{
+							status = INVALID_ARG;
+						}
 					}
 					else
 					{
@@ -677,12 +609,12 @@ static status_t atodn(char *src, chunk_t *dn)
 				break;
 		}
 	} while (*src++ != '\0');
-
+	
 	/* build the distinguished name sequence */
-   {
+	{
 		int i;
 		u_char *pos = asn1_build_object(dn, ASN1_SEQUENCE, dn_len);
-
+		
 		for (i = 0; i < rdn_count; i++)
 		{
 			memcpy(pos, rdns[i].ptr, rdns[i].len); 
@@ -690,7 +622,7 @@ static status_t atodn(char *src, chunk_t *dn)
 			free(rdns[i].ptr);
 		}
 	}
-
+	
 	if (status != SUCCESS)
 	{
 		free(dn->ptr);
@@ -945,9 +877,8 @@ int identification_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
 		case ID_FQDN:
 		case ID_RFC822_ADDR:
 		case ID_DER_ASN1_GN_URI:
-		case ID_EAP:
 		case ID_IETF_ATTR_STRING:
-			proper = sanitize_chunk(this->encoded);
+			sanitize_chunk(this->encoded, &proper);
 			snprintf(buf, sizeof(buf), "%.*s", proper.len, proper.ptr);
 			chunk_free(&proper);
 			break;
@@ -961,6 +892,16 @@ int identification_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
 			snprintf(buf, sizeof(buf), "(ASN.1 general Name");
 			break;
 		case ID_KEY_ID:
+			if (sanitize_chunk(this->encoded, &proper))
+			{	/* fully printable, use ascii version */
+				snprintf(buf, sizeof(buf), "%.*s", proper.len, proper.ptr);
+			}
+			else
+			{	/* not printable, hex dump */
+				snprintf(buf, sizeof(buf), "%#B", &this->encoded);
+			}
+			chunk_free(&proper);
+			break;
 		case ID_PUBKEY_INFO_SHA1:
 		case ID_PUBKEY_SHA1:
 		case ID_CERT_DER_SHA1:
@@ -977,6 +918,124 @@ int identification_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
 	return print_in_hook(dst, len, "%*s", spec->width, buf);
 }
 
+/**
+ * Enumerator over RDNs
+ */
+typedef struct {
+	/* implements enumerator interface */
+	enumerator_t public;
+	/* current RDN */
+	chunk_t rdn;
+	/* current attribute */
+	chunk_t attr;
+	/** have another RDN? */
+	bool next;
+} rdn_enumerator_t;
+
+/**
+ * Implementation of rdn_enumerator_t.enumerate
+ */
+static bool rdn_enumerate(rdn_enumerator_t *this,
+						  id_part_t *type, chunk_t *data)
+{
+	chunk_t oid, value;
+	asn1_t asn1_type;
+	
+	while (this->next)
+	{
+		if (!get_next_rdn(&this->rdn, &this->attr, &oid,
+						  &value, &asn1_type, &this->next))
+		{
+			return FALSE;
+		}
+		switch (asn1_known_oid(oid))
+		{
+			case OID_COMMON_NAME:
+				 *type = ID_PART_RDN_CN;
+				break;
+			case OID_SURNAME:
+				 *type = ID_PART_RDN_S;
+				break;
+			case OID_SERIAL_NUMBER:
+				 *type = ID_PART_RDN_SN;
+				break;
+			case OID_COUNTRY:
+				 *type = ID_PART_RDN_C;
+				break;
+			case OID_LOCALITY:
+				 *type = ID_PART_RDN_L;
+				break;
+			case OID_STATE_OR_PROVINCE:
+				 *type = ID_PART_RDN_ST;
+				break;
+			case OID_ORGANIZATION:
+				 *type = ID_PART_RDN_O;
+				break;
+			case OID_ORGANIZATION_UNIT:
+				 *type = ID_PART_RDN_OU;
+				break;
+			case OID_TITLE:
+				 *type = ID_PART_RDN_T;
+				break;
+			case OID_DESCRIPTION:
+				 *type = ID_PART_RDN_D;
+				break;
+			case OID_NAME:
+				 *type = ID_PART_RDN_N;
+				break;
+			case OID_GIVEN_NAME:
+				 *type = ID_PART_RDN_G;
+				break;
+			case OID_INITIALS:
+				 *type = ID_PART_RDN_I;
+				break;
+			case OID_UNIQUE_IDENTIFIER:
+				 *type = ID_PART_RDN_ID;
+				break;
+			case OID_EMAIL_ADDRESS:
+				*type = ID_PART_RDN_E;
+				break;
+			case OID_EMPLOYEE_NUMBER:
+				*type = ID_PART_RDN_EN;
+				break;
+			default:
+				continue;
+		}
+		*data = value;
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/**
+ * Implementation of identification_t.create_part_enumerator
+ */
+static enumerator_t* create_part_enumerator(private_identification_t *this)
+{
+	switch (this->type)
+	{
+		case ID_DER_ASN1_DN:
+		{
+			rdn_enumerator_t *e = malloc_thing(rdn_enumerator_t);
+			
+			e->public.enumerate = (void*)rdn_enumerate;
+			e->public.destroy = (void*)free;
+			if (init_rdn(this->encoded, &e->rdn, &e->attr, &e->next))
+			{
+				return &e->public;
+			}
+			free(e);
+			/* FALL */
+		}
+		case ID_RFC822_ADDR:
+			/* TODO */
+		case ID_FQDN:
+			/* TODO */
+		default:
+			return enumerator_create_empty();
+	}
+}
+
 /**
  * Implementation of identification_t.clone.
  */
@@ -1014,6 +1073,7 @@ static private_identification_t *identification_create(void)
 	this->public.get_encoding = (chunk_t (*) (identification_t*))get_encoding;
 	this->public.get_type = (id_type_t (*) (identification_t*))get_type;
 	this->public.contains_wildcards = (bool (*) (identification_t *this))contains_wildcards;
+	this->public.create_part_enumerator = (enumerator_t*(*)(identification_t*))create_part_enumerator;
 	this->public.clone = (identification_t* (*) (identification_t*))clone_;
 	this->public.destroy = (void (*) (identification_t*))destroy;
 	/* we use these as defaults, the may be overloaded for special ID types */
@@ -1043,8 +1103,9 @@ identification_t *identification_create_from_string(char *string)
 		 */
 		if (atodn(string, &this->encoded) != SUCCESS)
 		{
-			free(this);
-			return NULL;
+			this->type = ID_KEY_ID;
+			this->encoded = chunk_clone(chunk_create(string, strlen(string)));
+			return &this->public;
 		}
 		this->type = ID_DER_ASN1_DN;
 		this->public.equals = (bool (*) (identification_t*,identification_t*))equals_dn;
@@ -1084,11 +1145,11 @@ identification_t *identification_create_from_string(char *string)
 						(identification_t*,identification_t*))matches_string;
 					this->public.equals = (bool (*)
 						(identification_t*,identification_t*))equals_strcasecmp;
-					return &(this->public);
+					return &this->public;
 				}
 				this->encoded = chunk_clone(chunk);
 				this->type = ID_IPV4_ADDR;
-				return &(this->public);
+				return &this->public;
 			}
 			else
 			{
@@ -1098,12 +1159,14 @@ identification_t *identification_create_from_string(char *string)
 				
 				if (inet_pton(AF_INET6, string, &address) <= 0)
 				{
-					free(this);
-					return NULL;
+					this->type = ID_KEY_ID;
+					this->encoded = chunk_clone(chunk_create(string,
+															 strlen(string)));
+					return &this->public;
 				}
 				this->encoded = chunk_clone(chunk);
 				this->type = ID_IPV6_ADDR;
-				return &(this->public);
+				return &this->public;
 			}
 		}
 	}
@@ -1117,7 +1180,7 @@ identification_t *identification_create_from_string(char *string)
 				this->type = ID_KEY_ID;
 				this->encoded = chunk_from_hex(
 									chunk_create(string, strlen(string)), NULL);
-				return &(this->public);
+				return &this->public;
 			}
 			else
 			{
@@ -1128,7 +1191,7 @@ identification_t *identification_create_from_string(char *string)
 						(identification_t*,identification_t*))matches_string;
 				this->public.equals = (bool (*)
 							(identification_t*,identification_t*))equals_strcasecmp;
-				return &(this->public);
+				return &this->public;
 			}
 		}
 		else
@@ -1140,7 +1203,7 @@ identification_t *identification_create_from_string(char *string)
 					(identification_t*,identification_t*))matches_string;
 			this->public.equals = (bool (*)
 						(identification_t*,identification_t*))equals_strcasecmp;
-			return &(this->public);
+			return &this->public;
 		}
 	}
 }
@@ -1180,7 +1243,6 @@ identification_t *identification_create_from_encoding(id_type_t type, chunk_t en
 		case ID_PUBKEY_INFO_SHA1:
 		case ID_PUBKEY_SHA1:
 		case ID_CERT_DER_SHA1:
-		case ID_EAP:
 		case ID_IETF_ATTR_STRING:
 		default:
 			break;
diff --git a/src/libstrongswan/utils/identification.h b/src/libstrongswan/utils/identification.h
index 2284b7b46..dc0aec18e 100644
--- a/src/libstrongswan/utils/identification.h
+++ b/src/libstrongswan/utils/identification.h
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2009 Tobias Brunner
- * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005-2009 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
  *
@@ -13,8 +13,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: identification.h 5003 2009-03-24 17:43:01Z martin $
  */
  
 /**
@@ -29,6 +27,7 @@
 typedef enum id_type_t id_type_t;
 typedef struct identification_t identification_t;
 typedef enum id_match_t id_match_t;
+typedef enum id_part_t id_part_t;
 
 #include <library.h>
 
@@ -80,7 +79,8 @@ enum id_type_t {
 	 * An example of an ID_RFC822_ADDR is "jsmith@example.com".
 	 * The string MUST NOT contain any terminators.
 	 */
-	ID_RFC822_ADDR = 3,
+	ID_USER_FQDN   = 3,    /* IKEv1 only */
+	ID_RFC822_ADDR = 3,    /* IKEv2 only */
 
 	/**
 	 * ID data is an IPv4 subnet (IKEv1 only)
@@ -143,16 +143,16 @@ enum id_type_t {
 	 * SHA1 hash of the binary DER encoding of a certificate
 	 */
 	ID_CERT_DER_SHA1 = 204,
-	
+
 	/**
-	 * Generic EAP identity
+	 * IETF Attribute Syntax String (RFC 3281)
 	 */
-	ID_EAP = 205,
+	ID_IETF_ATTR_STRING = 205,
 
 	/**
-	 * IETF Attribute Syntax String (RFC 3281)
+	 * Private ID used by the pluto daemon for opportunistic encryption
 	 */
-	ID_IETF_ATTR_STRING = 206,
+	ID_MYID = 206,
 };
 
 /**
@@ -160,6 +160,56 @@ enum id_type_t {
  */
 extern enum_name_t *id_type_names;
 
+/**
+ * Type of an ID sub part.
+ */
+enum id_part_t {
+	/** Username part of an RFC822_ADDR */
+	ID_PART_USERNAME,
+	/** Domain part of an RFC822_ADDR */
+	ID_PART_DOMAIN,
+	
+	/** Top-Level domain of a FQDN */
+	ID_PART_TLD,
+	/** Second-Level domain of a FQDN */
+	ID_PART_SLD,
+	/** Another Level domain of a FQDN */
+	ID_PART_ALD,
+	
+	/** Country RDN of a DN */
+	ID_PART_RDN_C,
+	/** CommonName RDN of a DN */
+	ID_PART_RDN_CN,
+	/** Description RDN of a DN */
+	ID_PART_RDN_D,
+	/** Email RDN of a DN */
+	ID_PART_RDN_E,
+	/** EmployeeNumber RDN of a DN */
+	ID_PART_RDN_EN,
+	/** GivenName RDN of a DN */
+	ID_PART_RDN_G,
+	/** Initials RDN of a DN */
+	ID_PART_RDN_I,
+	/** UniqueIdentifier RDN of a DN */
+	ID_PART_RDN_ID,
+	/** Locality RDN of a DN */
+	ID_PART_RDN_L,
+	/** Name RDN of a DN */
+	ID_PART_RDN_N,
+	/** Organization RDN of a DN */
+	ID_PART_RDN_O,
+	/** OrganizationUnit RDN of a DN */
+	ID_PART_RDN_OU,
+	/** Surname RDN of a DN */
+	ID_PART_RDN_S,
+	/** SerialNumber RDN of a DN */
+	ID_PART_RDN_SN,
+	/** StateOrProvince RDN of a DN */
+	ID_PART_RDN_ST,
+	/** Title RDN of a DN */
+	ID_PART_RDN_T,
+};
+
 /**
  * Generic identification, such as used in ID payload.
  * 
@@ -224,6 +274,19 @@ struct identification_t {
 	 */
 	bool (*contains_wildcards) (identification_t *this);
 	
+	/**
+	 * Create an enumerator over subparts of an identity.
+	 *
+	 * Some identities are built from several parts, e.g. an E-Mail consists
+	 * of a username and a domain part, or a DistinguishedName contains several
+	 * RDNs.
+	 * For identity without subtypes (support), an empty enumerator is
+	 * returned.
+	 *
+	 * @return			an enumerator over (id_part_t type, chunk_t data)
+	 */
+	enumerator_t* (*create_part_enumerator)(identification_t *this);
+	
 	/**
 	 * Clone a identification_t instance.
 	 * 
@@ -257,16 +320,16 @@ struct identification_t {
  * N, G, I, ID, EN, EmployeeNumber, E, Email, emailAddress, UN, 
  * unstructuredName, TCGID.
  * 
+ * This constructor never returns NULL. If it does not find a suitable
+ * conversion function, it will copy the string to an ID_KEY_ID.
+ * 
  * @param string	input string, which will be converted
- * @return			created identification_t, NULL if not supported.
+ * @return			identification_t
  */
 identification_t * identification_create_from_string(char *string);
 
 /**
  * Creates an identification_t object from an encoded chunk.
- *
- * In contrast to identification_create_from_string(), this constructor never
- * returns NULL, even when the conversion to a string representation fails.
  * 
  * @param type		type of this id, such as ID_IPV4_ADDR
  * @param encoded	encoded bytes, such as from identification_t.get_encoding
diff --git a/src/libstrongswan/utils/iterator.h b/src/libstrongswan/utils/iterator.h
index 02eb1b9c0..1dbf01539 100644
--- a/src/libstrongswan/utils/iterator.h
+++ b/src/libstrongswan/utils/iterator.h
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: iterator.h 5003 2009-03-24 17:43:01Z martin $
  */
  
 /**
diff --git a/src/libstrongswan/utils/leak_detective.c b/src/libstrongswan/utils/leak_detective.c
index 0e0866fec..2cac3b458 100644
--- a/src/libstrongswan/utils/leak_detective.c
+++ b/src/libstrongswan/utils/leak_detective.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: leak_detective.c 4936 2009-03-12 18:07:32Z tobias $
  */
 	
 #define _GNU_SOURCE
@@ -202,6 +200,11 @@ char *whitelist[] = {
 	"DH_new_method",
 	"ENGINE_load_builtin_engines",
 	"OPENSSL_config",
+	/* libgcrypt */
+	"gcry_control",
+	"gcry_check_version",
+	"gcry_randomize",
+	"gcry_create_nonce",
 };
 
 /**
diff --git a/src/libstrongswan/utils/lexparser.c b/src/libstrongswan/utils/lexparser.c
index 5725df1ea..2472f6751 100644
--- a/src/libstrongswan/utils/lexparser.c
+++ b/src/libstrongswan/utils/lexparser.c
@@ -10,8 +10,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: lexparser.c 4877 2009-02-18 09:45:54Z martin $
  */
 
 #include "lexparser.h"
diff --git a/src/libstrongswan/utils/lexparser.h b/src/libstrongswan/utils/lexparser.h
index 6ae970e1e..7e2edb278 100644
--- a/src/libstrongswan/utils/lexparser.h
+++ b/src/libstrongswan/utils/lexparser.h
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: lexparser.h 5003 2009-03-24 17:43:01Z martin $
  */
  
 /**
diff --git a/src/libstrongswan/utils/linked_list.c b/src/libstrongswan/utils/linked_list.c
index bfe30b0df..a45468cca 100644
--- a/src/libstrongswan/utils/linked_list.c
+++ b/src/libstrongswan/utils/linked_list.c
@@ -13,8 +13,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: linked_list.c 4936 2009-03-12 18:07:32Z tobias $
  */
 
 #include <stdlib.h>
diff --git a/src/libstrongswan/utils/linked_list.h b/src/libstrongswan/utils/linked_list.h
index aa603fefa..8b2de9083 100644
--- a/src/libstrongswan/utils/linked_list.h
+++ b/src/libstrongswan/utils/linked_list.h
@@ -13,8 +13,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: linked_list.h 5003 2009-03-24 17:43:01Z martin $
  */
  
 /**
@@ -27,7 +25,6 @@
 
 typedef struct linked_list_t linked_list_t;
 
-#include <library.h>
 #include <utils/iterator.h>
 #include <utils/enumerator.h>
 
diff --git a/src/libstrongswan/utils/mutex.c b/src/libstrongswan/utils/mutex.c
index ba4b72b0c..8b3a25201 100644
--- a/src/libstrongswan/utils/mutex.c
+++ b/src/libstrongswan/utils/mutex.c
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: mutex.c 4803 2008-12-15 09:13:43Z martin $
  */
 
 #define _GNU_SOURCE
@@ -315,7 +313,7 @@ mutex_t *mutex_create(mutex_type_t type)
 /**
  * Implementation of condvar_t.wait.
  */
-static void wait(private_condvar_t *this, private_mutex_t *mutex)
+static void _wait(private_condvar_t *this, private_mutex_t *mutex)
 {
 	if (mutex->recursive)
 	{
@@ -389,7 +387,7 @@ static bool timed_wait(private_condvar_t *this, private_mutex_t *mutex,
 /**
  * Implementation of condvar_t.signal.
  */
-static void signal(private_condvar_t *this)
+static void _signal(private_condvar_t *this)
 {
 	pthread_cond_signal(&this->condvar);
 }
@@ -423,10 +421,10 @@ condvar_t *condvar_create(condvar_type_t type)
 		{
 			private_condvar_t *this = malloc_thing(private_condvar_t);
 		
-			this->public.wait = (void(*)(condvar_t*, mutex_t *mutex))wait;
+			this->public.wait = (void(*)(condvar_t*, mutex_t *mutex))_wait;
 			this->public.timed_wait = (bool(*)(condvar_t*, mutex_t *mutex, u_int timeout))timed_wait;
 			this->public.timed_wait_abs = (bool(*)(condvar_t*, mutex_t *mutex, timeval_t time))timed_wait_abs;
-			this->public.signal = (void(*)(condvar_t*))signal;
+			this->public.signal = (void(*)(condvar_t*))_signal;
 			this->public.broadcast = (void(*)(condvar_t*))broadcast;
 			this->public.destroy = (void(*)(condvar_t*))condvar_destroy;
 		
diff --git a/src/libstrongswan/utils/mutex.h b/src/libstrongswan/utils/mutex.h
index 46c939fb8..c5c667992 100644
--- a/src/libstrongswan/utils/mutex.h
+++ b/src/libstrongswan/utils/mutex.h
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- * 
- * $Id: mutex.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/libstrongswan/utils/optionsfrom.c b/src/libstrongswan/utils/optionsfrom.c
index 18427e197..bf47e6b98 100644
--- a/src/libstrongswan/utils/optionsfrom.c
+++ b/src/libstrongswan/utils/optionsfrom.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
  * License for more details.
- *
- * $Id: optionsfrom.c 3589 2008-03-13 14:14:44Z martin $
  */
 
 #include <stdio.h>
diff --git a/src/libstrongswan/utils/optionsfrom.h b/src/libstrongswan/utils/optionsfrom.h
index 9372971ca..05269f4f5 100644
--- a/src/libstrongswan/utils/optionsfrom.h
+++ b/src/libstrongswan/utils/optionsfrom.h
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: optionsfrom.h 5003 2009-03-24 17:43:01Z martin $
  */
  
 /**
diff --git a/src/manager/Makefile.in b/src/manager/Makefile.in
index bce0ead39..49376379e 100644
--- a/src/manager/Makefile.in
+++ b/src/manager/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -112,6 +112,7 @@ CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -134,6 +135,9 @@ LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -145,6 +149,7 @@ MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
 NM = @NM@
 NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
@@ -158,6 +163,8 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 RANLIB = @RANLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -218,6 +225,7 @@ oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
 plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -229,6 +237,7 @@ srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 xml_CFLAGS = @xml_CFLAGS@
@@ -293,8 +302,8 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
 	    *$$dep*) \
-	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
-		&& exit 0; \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
 	      exit 1;; \
 	  esac; \
 	done; \
@@ -588,7 +597,7 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
 	mkid -fID $$unique
 tags: TAGS
diff --git a/src/manager/controller/auth_controller.c b/src/manager/controller/auth_controller.c
index 13031198a..5f9c3b623 100644
--- a/src/manager/controller/auth_controller.c
+++ b/src/manager/controller/auth_controller.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: auth_controller.c 3589 2008-03-13 14:14:44Z martin $
  */
 
 #include "auth_controller.h"
diff --git a/src/manager/controller/auth_controller.h b/src/manager/controller/auth_controller.h
index e2cd48cc4..41e669fd0 100644
--- a/src/manager/controller/auth_controller.h
+++ b/src/manager/controller/auth_controller.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: auth_controller.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/manager/controller/config_controller.c b/src/manager/controller/config_controller.c
index 1f8289c71..dda2938a1 100644
--- a/src/manager/controller/config_controller.c
+++ b/src/manager/controller/config_controller.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: config_controller.c 3589 2008-03-13 14:14:44Z martin $
  */
 
 #include "config_controller.h"
diff --git a/src/manager/controller/config_controller.h b/src/manager/controller/config_controller.h
index 88d37424f..07cafd4ff 100644
--- a/src/manager/controller/config_controller.h
+++ b/src/manager/controller/config_controller.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: config_controller.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/manager/controller/control_controller.c b/src/manager/controller/control_controller.c
index b3149797f..c22591182 100644
--- a/src/manager/controller/control_controller.c
+++ b/src/manager/controller/control_controller.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: control_controller.c 3589 2008-03-13 14:14:44Z martin $
  */
 
 #include "control_controller.h"
diff --git a/src/manager/controller/control_controller.h b/src/manager/controller/control_controller.h
index 8992e5b48..c9bc1e4b3 100644
--- a/src/manager/controller/control_controller.h
+++ b/src/manager/controller/control_controller.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: control_controller.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/manager/controller/gateway_controller.c b/src/manager/controller/gateway_controller.c
index 68fdb7021..164bf5921 100644
--- a/src/manager/controller/gateway_controller.c
+++ b/src/manager/controller/gateway_controller.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: gateway_controller.c 3589 2008-03-13 14:14:44Z martin $
  */
 
 #include "gateway_controller.h"
diff --git a/src/manager/controller/gateway_controller.h b/src/manager/controller/gateway_controller.h
index 864c7a4bd..7d77bdccb 100644
--- a/src/manager/controller/gateway_controller.h
+++ b/src/manager/controller/gateway_controller.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: gateway_controller.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/manager/controller/ikesa_controller.c b/src/manager/controller/ikesa_controller.c
index ab3a089f0..c35ff42e6 100644
--- a/src/manager/controller/ikesa_controller.c
+++ b/src/manager/controller/ikesa_controller.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: ikesa_controller.c 3589 2008-03-13 14:14:44Z martin $
  */
 
 #include "ikesa_controller.h"
diff --git a/src/manager/controller/ikesa_controller.h b/src/manager/controller/ikesa_controller.h
index 240e8db4f..3f6779629 100644
--- a/src/manager/controller/ikesa_controller.h
+++ b/src/manager/controller/ikesa_controller.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: ikesa_controller.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/manager/gateway.c b/src/manager/gateway.c
index e6c944873..f0d557c71 100644
--- a/src/manager/gateway.c
+++ b/src/manager/gateway.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: gateway.c 3589 2008-03-13 14:14:44Z martin $
  */
 
 #include "gateway.h"
diff --git a/src/manager/gateway.h b/src/manager/gateway.h
index 4ba301a0f..7c76fa474 100644
--- a/src/manager/gateway.h
+++ b/src/manager/gateway.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: gateway.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/manager/main.c b/src/manager/main.c
index e556a7415..6fef0bf3e 100644
--- a/src/manager/main.c
+++ b/src/manager/main.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: main.c 4333 2008-09-04 16:19:46Z andreas $
  */
 
 #include <dispatcher.h>
diff --git a/src/manager/manager.c b/src/manager/manager.c
index 7d1b2adba..72f402a48 100644
--- a/src/manager/manager.c
+++ b/src/manager/manager.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: manager.c 3589 2008-03-13 14:14:44Z martin $
  */
 
 #include "manager.h"
diff --git a/src/manager/manager.h b/src/manager/manager.h
index ecd29550b..dc5fc1831 100644
--- a/src/manager/manager.h
+++ b/src/manager/manager.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: manager.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/manager/storage.c b/src/manager/storage.c
index fee4c216e..00e688e08 100644
--- a/src/manager/storage.c
+++ b/src/manager/storage.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: storage.c 3917 2008-05-08 13:12:43Z martin $
  */
 
 #include "storage.h"
diff --git a/src/manager/storage.h b/src/manager/storage.h
index 6c5bea650..2495b3a26 100644
--- a/src/manager/storage.h
+++ b/src/manager/storage.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: storage.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/manager/xml.c b/src/manager/xml.c
index 1e9731cc2..5aa2e3e1e 100644
--- a/src/manager/xml.c
+++ b/src/manager/xml.c
@@ -11,10 +11,10 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: xml.c 3589 2008-03-13 14:14:44Z martin $
  */
 
+#include <string.h>
+
 #include "xml.h"
 
 #include <libxml/parser.h>
diff --git a/src/manager/xml.h b/src/manager/xml.h
index febe5c25d..230e0f925 100644
--- a/src/manager/xml.h
+++ b/src/manager/xml.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id: xml.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/medsrv/Makefile.in b/src/medsrv/Makefile.in
index 89843860d..a9ef57922 100644
--- a/src/medsrv/Makefile.in
+++ b/src/medsrv/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -98,6 +98,7 @@ CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -120,6 +121,9 @@ LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -131,6 +135,7 @@ MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
 NM = @NM@
 NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
@@ -144,6 +149,8 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 RANLIB = @RANLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -204,6 +211,7 @@ oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
 plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -215,6 +223,7 @@ srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 xml_CFLAGS = @xml_CFLAGS@
@@ -266,8 +275,8 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
 	    *$$dep*) \
-	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
-		&& exit 0; \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
 	      exit 1;; \
 	  esac; \
 	done; \
@@ -477,7 +486,7 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
 	mkid -fID $$unique
 tags: TAGS
diff --git a/src/medsrv/controller/peer_controller.c b/src/medsrv/controller/peer_controller.c
index 22fc6df2f..0dec27698 100755
--- a/src/medsrv/controller/peer_controller.c
+++ b/src/medsrv/controller/peer_controller.c
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 #define _GNU_SOURCE
@@ -72,7 +70,7 @@ static void list(private_peer_controller_t *this, request_t *request)
 		{
 			request->setf(request, "peers.%d.alias=%s", id, alias);
 			identifier = identification_create_from_encoding(ID_KEY_ID, keyid);
-			request->setf(request, "peers.%d.identifier=%D", id, identifier);
+			request->setf(request, "peers.%d.identifier=%Y", id, identifier);
 			identifier->destroy(identifier);
 		}
 		query->destroy(query);
diff --git a/src/medsrv/controller/peer_controller.h b/src/medsrv/controller/peer_controller.h
index 511265487..f25c30281 100755
--- a/src/medsrv/controller/peer_controller.h
+++ b/src/medsrv/controller/peer_controller.h
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 /**
diff --git a/src/medsrv/controller/user_controller.c b/src/medsrv/controller/user_controller.c
index 9e6d12340..bc4717e32 100755
--- a/src/medsrv/controller/user_controller.c
+++ b/src/medsrv/controller/user_controller.c
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 #define _GNU_SOURCE
diff --git a/src/medsrv/controller/user_controller.h b/src/medsrv/controller/user_controller.h
index 897e28362..9d23795d7 100755
--- a/src/medsrv/controller/user_controller.h
+++ b/src/medsrv/controller/user_controller.h
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 /**
diff --git a/src/medsrv/filter/auth_filter.c b/src/medsrv/filter/auth_filter.c
index 5036d26f1..76114a347 100755
--- a/src/medsrv/filter/auth_filter.c
+++ b/src/medsrv/filter/auth_filter.c
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 #include "auth_filter.h"
diff --git a/src/medsrv/filter/auth_filter.h b/src/medsrv/filter/auth_filter.h
index 5ba270e72..f1fc565eb 100755
--- a/src/medsrv/filter/auth_filter.h
+++ b/src/medsrv/filter/auth_filter.h
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 /**
diff --git a/src/medsrv/main.c b/src/medsrv/main.c
index 1f7b675bb..20dec9d37 100644
--- a/src/medsrv/main.c
+++ b/src/medsrv/main.c
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 #include <stdio.h>
diff --git a/src/medsrv/user.c b/src/medsrv/user.c
index 032859e2e..d204dd057 100644
--- a/src/medsrv/user.c
+++ b/src/medsrv/user.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 #include "user.h"
diff --git a/src/medsrv/user.h b/src/medsrv/user.h
index b411f7c6f..2d1c738ca 100644
--- a/src/medsrv/user.h
+++ b/src/medsrv/user.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 #ifndef USER_H_
diff --git a/src/openac/Makefile.in b/src/openac/Makefile.in
index ae05b722f..7bf71b08f 100644
--- a/src/openac/Makefile.in
+++ b/src/openac/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -84,6 +84,7 @@ CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -106,6 +107,9 @@ LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -117,6 +121,7 @@ MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
 NM = @NM@
 NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
@@ -130,6 +135,8 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 RANLIB = @RANLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -190,6 +197,7 @@ oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
 plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -201,6 +209,7 @@ srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 xml_CFLAGS = @xml_CFLAGS@
@@ -223,8 +232,8 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
 	    *$$dep*) \
-	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
-		&& exit 0; \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
 	      exit 1;; \
 	  esac; \
 	done; \
@@ -325,8 +334,8 @@ install-man8: $(man8_MANS) $(man_MANS)
 	  esac; \
 	done; \
 	for i in $$list; do \
-	  if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
-	  else file=$$i; fi; \
+	  if test -f $$i; then file=$$i; \
+	  else file=$(srcdir)/$$i; fi; \
 	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
 	  case "$$ext" in \
 	    8*) ;; \
@@ -365,7 +374,7 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
 	mkid -fID $$unique
 tags: TAGS
diff --git a/src/openac/openac.c b/src/openac/openac.c
index 99464a236..3686c07ac 100755
--- a/src/openac/openac.c
+++ b/src/openac/openac.c
@@ -19,8 +19,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: openac.c 4749 2008-12-04 04:34:49Z andreas $
  */
 
 #include <stdio.h>
@@ -39,6 +37,7 @@
 #include <asn1/pem.h>
 #include <credentials/certificates/x509.h>
 #include <credentials/certificates/ac.h>
+#include <credentials/keys/private_key.h>
 #include <utils/optionsfrom.h>
 
 #ifdef INTEGRITY_TEST
@@ -218,18 +217,35 @@ static bool stderr_quiet = FALSE;
 static void openac_dbg(int level, char *fmt, ...)
 {
 	int priority = LOG_INFO;
+	char buffer[8192];
+	char *current = buffer, *next;
 	va_list args;
 	
 	if (level <= debug_level)
 	{
 		va_start(args, fmt);
+
 		if (!stderr_quiet)
 		{
 			vfprintf(stderr, fmt, args);
 			fprintf(stderr, "\n");
 		}
-		vsyslog(priority, fmt, args);
+
+		/* write in memory buffer first */
+		vsnprintf(buffer, sizeof(buffer), fmt, args);
 		va_end(args);
+
+		/* do a syslog with every line */
+		while (current)
+		{
+			next = strchr(current, '\n');
+			if (next)
+			{
+				*(next++) = '\0';
+			}
+			syslog(priority, "%s\n", current);
+			current = next;
+		}
 	}
 }
 
@@ -547,9 +563,8 @@ int main(int argc, char **argv)
 	
 		/* write the attribute certificate to file */
 		attr_chunk = attr_cert->get_encoding(attr_cert);
-		if (chunk_write(attr_chunk, outfile, 0022, TRUE))
+		if (chunk_write(attr_chunk, outfile, "attribute cert", 0022, TRUE))
 		{
-			DBG1("  wrote attribute cert file '%s' (%u bytes)", outfile, attr_chunk.len);
 			write_serial(serial);
 			status = 0;
 		}
diff --git a/src/pluto/Makefile.am b/src/pluto/Makefile.am
index f788bc3d1..01237305b 100644
--- a/src/pluto/Makefile.am
+++ b/src/pluto/Makefile.am
@@ -7,7 +7,6 @@ ipsec_PROGRAMS = pluto _pluto_adns
 pluto_SOURCES = \
 ac.c ac.h \
 alg_info.c alg_info.h \
-asn1.c asn1.h \
 ca.c ca.h \
 certs.c certs.h \
 connections.c connections.h \
@@ -19,11 +18,8 @@ db_ops.c db_ops.h \
 defs.c defs.h \
 demux.c demux.h \
 dnskey.c dnskey.h \
-dsa.c dsa.h \
-elgamal.c elgamal.h \
 fetch.c fetch.h \
 foodgroups.c foodgroups.h \
-gcryptfix.c gcryptfix.h \
 id.c id.h \
 ike_alg.c ike_alg.h \
 ipsec_doi.c ipsec_doi.h \
@@ -36,23 +32,16 @@ kernel_pfkey.c kernel_pfkey.h \
 keys.c keys.h \
 lex.c lex.h \
 log.c log.h \
-md2.c md2.h \
-md5.c md5.h \
 modecfg.c modecfg.h \
-mp_defs.c mp_defs.h \
 nat_traversal.c nat_traversal.h \
 ocsp.c ocsp.h \
 packet.c packet.h \
 pem.c pem.h \
-pgp.c pgp.h \
-pkcs1.c pkcs1.h \
+pgpcert.c pgpcert.h \
 pkcs7.c pkcs7.h \
 plutomain.c \
-primegen.c smallprime.c \
 rcv_whack.c rcv_whack.h \
-rnd.c rnd.h \
 server.c server.h \
-sha1.c sha1.h \
 smartcard.c smartcard.h \
 spdb.c spdb.h \
 state.c state.h \
@@ -61,22 +50,17 @@ vendor.c vendor.h \
 virtual.c virtual.h \
 xauth.c xauth.h \
 x509.c x509.h \
-alg/ike_alg_aes.c alg/ike_alg_blowfish.c alg/ike_alg_twofish.c \
-alg/ike_alg_serpent.c alg/ike_alg_sha2.c alg/ike_alginit.c \
 rsaref/pkcs11t.h rsaref/pkcs11.h rsaref/unix.h rsaref/pkcs11f.h
 
 _pluto_adns_SOURCES = adns.c adns.h
 
-LIBSTRONGSWANDIR=$(top_srcdir)/src/libstrongswan
+LIBSTRONGSWANDIR=$(top_builddir)/src/libstrongswan
 LIBFREESWANDIR=$(top_builddir)/src/libfreeswan
-LIBCRYPTODIR=$(top_builddir)/src/libcrypto
-
 
 INCLUDES = \
 -I${linuxdir} \
--I$(LIBSTRONGSWANDIR)\
+-I$(top_srcdir)/src/libstrongswan \
 -I$(top_srcdir)/src/libfreeswan \
--I$(top_srcdir)/src/libcrypto \
 -I$(top_srcdir)/src/whack
 
 AM_CFLAGS = \
@@ -84,24 +68,23 @@ AM_CFLAGS = \
 -DIPSEC_CONFDIR=\"${confdir}\" \
 -DIPSEC_PIDDIR=\"${piddir}\" \
 -DSHARED_SECRETS_FILE=\"${confdir}/ipsec.secrets\" \
+-DIPSEC_PLUGINDIR=\"${plugindir}\" \
+-DPLUGINS=\""${pluto_plugins}\"" \
+-DSTRONGSWAN_CONF=\"${strongswan_conf}\" \
 -DKERNEL26_SUPPORT -DKERNEL26_HAS_KAME_DUPLICATES \
 -DPLUTO -DKLIPS -DDEBUG
 
 pluto_LDADD = \
-oid.o \
+$(LIBSTRONGSWANDIR)/libstrongswan.la \
 $(LIBFREESWANDIR)/libfreeswan.a \
-$(LIBCRYPTODIR)/libcrypto.a \
--lgmp -lresolv -lpthread -ldl
+-lresolv -lpthread $(DLLIB)
 
 _pluto_adns_LDADD = \
 $(LIBFREESWANDIR)/libfreeswan.a \
--lresolv -ldl
+-lresolv $(DLLIB)
 
 dist_man_MANS = pluto.8 ipsec.secrets.5
 
-oid.o :	$(LIBSTRONGSWANDIR)/asn1/oid.c $(LIBSTRONGSWANDIR)/asn1/oid.h
-		$(COMPILE) -c -o $@ $<
-
 # This compile option activates the sending of a strongSwan VID
 if USE_VENDORID
   AM_CFLAGS += -DVENDORID
@@ -122,23 +105,16 @@ if USE_NAT_TRANSPORT
   AM_CFLAGS += -DI_KNOW_TRANSPORT_MODE_HAS_SECURITY_CONCERN_BUT_I_WANT_IT
 endif
 
-# This compile option activates dynamic URL fetching using libcurl
-if USE_CURL
-  pluto_LDADD += -lcurl
-  AM_CFLAGS += -DLIBCURL
-endif
-
-# This compile option activates dynamic LDAP CRL fetching
-if USE_LDAP
-  pluto_LDADD += -lldap -llber
-  AM_CFLAGS += -DLIBLDAP
-endif
-
 # This compile option activates smartcard support
 if USE_SMARTCARD
   AM_CFLAGS += -DSMARTCARD
 endif
 
+# This compile option activates the integrity test of libstrongswan
+if USE_INTEGRITY_TEST
+  AM_CFLAGS += -DINTEGRITY_TEST
+endif
+
 if USE_CAPABILITIES
   pluto_LDADD += -lcap
 endif
diff --git a/src/pluto/Makefile.in b/src/pluto/Makefile.in
index 457f93d9f..01bda8540 100644
--- a/src/pluto/Makefile.in
+++ b/src/pluto/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -50,21 +50,16 @@ ipsec_PROGRAMS = pluto$(EXEEXT) _pluto_adns$(EXEEXT)
 # This compile option activates NAT traversal with IPSec transport mode
 @USE_NAT_TRANSPORT_TRUE@am__append_4 = -DI_KNOW_TRANSPORT_MODE_HAS_SECURITY_CONCERN_BUT_I_WANT_IT
 
-# This compile option activates dynamic URL fetching using libcurl
-@USE_CURL_TRUE@am__append_5 = -lcurl
-@USE_CURL_TRUE@am__append_6 = -DLIBCURL
-
-# This compile option activates dynamic LDAP CRL fetching
-@USE_LDAP_TRUE@am__append_7 = -lldap -llber
-@USE_LDAP_TRUE@am__append_8 = -DLIBLDAP
-
 # This compile option activates smartcard support
-@USE_SMARTCARD_TRUE@am__append_9 = -DSMARTCARD
-@USE_CAPABILITIES_TRUE@am__append_10 = -lcap
-@USE_THREADS_TRUE@am__append_11 = -DTHREADS
+@USE_SMARTCARD_TRUE@am__append_5 = -DSMARTCARD
+
+# This compile option activates the integrity test of libstrongswan
+@USE_INTEGRITY_TEST_TRUE@am__append_6 = -DINTEGRITY_TEST
+@USE_CAPABILITIES_TRUE@am__append_7 = -lcap
+@USE_THREADS_TRUE@am__append_8 = -DTHREADS
 subdir = src/pluto
 DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.am \
-	$(srcdir)/Makefile.in TODO
+	$(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
@@ -77,34 +72,28 @@ ipsecPROGRAMS_INSTALL = $(INSTALL_PROGRAM)
 PROGRAMS = $(ipsec_PROGRAMS)
 am__pluto_adns_OBJECTS = adns.$(OBJEXT)
 _pluto_adns_OBJECTS = $(am__pluto_adns_OBJECTS)
-_pluto_adns_DEPENDENCIES = $(LIBFREESWANDIR)/libfreeswan.a
-am_pluto_OBJECTS = ac.$(OBJEXT) alg_info.$(OBJEXT) asn1.$(OBJEXT) \
-	ca.$(OBJEXT) certs.$(OBJEXT) connections.$(OBJEXT) \
-	constants.$(OBJEXT) cookie.$(OBJEXT) crl.$(OBJEXT) \
-	crypto.$(OBJEXT) db_ops.$(OBJEXT) defs.$(OBJEXT) \
-	demux.$(OBJEXT) dnskey.$(OBJEXT) dsa.$(OBJEXT) \
-	elgamal.$(OBJEXT) fetch.$(OBJEXT) foodgroups.$(OBJEXT) \
-	gcryptfix.$(OBJEXT) id.$(OBJEXT) ike_alg.$(OBJEXT) \
-	ipsec_doi.$(OBJEXT) kernel.$(OBJEXT) kernel_alg.$(OBJEXT) \
-	kernel_netlink.$(OBJEXT) kernel_noklips.$(OBJEXT) \
-	kernel_pfkey.$(OBJEXT) keys.$(OBJEXT) lex.$(OBJEXT) \
-	log.$(OBJEXT) md2.$(OBJEXT) md5.$(OBJEXT) modecfg.$(OBJEXT) \
-	mp_defs.$(OBJEXT) nat_traversal.$(OBJEXT) ocsp.$(OBJEXT) \
-	packet.$(OBJEXT) pem.$(OBJEXT) pgp.$(OBJEXT) pkcs1.$(OBJEXT) \
-	pkcs7.$(OBJEXT) plutomain.$(OBJEXT) primegen.$(OBJEXT) \
-	smallprime.$(OBJEXT) rcv_whack.$(OBJEXT) rnd.$(OBJEXT) \
-	server.$(OBJEXT) sha1.$(OBJEXT) smartcard.$(OBJEXT) \
-	spdb.$(OBJEXT) state.$(OBJEXT) timer.$(OBJEXT) \
-	vendor.$(OBJEXT) virtual.$(OBJEXT) xauth.$(OBJEXT) \
-	x509.$(OBJEXT) ike_alg_aes.$(OBJEXT) \
-	ike_alg_blowfish.$(OBJEXT) ike_alg_twofish.$(OBJEXT) \
-	ike_alg_serpent.$(OBJEXT) ike_alg_sha2.$(OBJEXT) \
-	ike_alginit.$(OBJEXT)
-pluto_OBJECTS = $(am_pluto_OBJECTS)
 am__DEPENDENCIES_1 =
-pluto_DEPENDENCIES = oid.o $(LIBFREESWANDIR)/libfreeswan.a \
-	$(LIBCRYPTODIR)/libcrypto.a $(am__DEPENDENCIES_1) \
-	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1)
+_pluto_adns_DEPENDENCIES = $(LIBFREESWANDIR)/libfreeswan.a \
+	$(am__DEPENDENCIES_1)
+am_pluto_OBJECTS = ac.$(OBJEXT) alg_info.$(OBJEXT) ca.$(OBJEXT) \
+	certs.$(OBJEXT) connections.$(OBJEXT) constants.$(OBJEXT) \
+	cookie.$(OBJEXT) crl.$(OBJEXT) crypto.$(OBJEXT) \
+	db_ops.$(OBJEXT) defs.$(OBJEXT) demux.$(OBJEXT) \
+	dnskey.$(OBJEXT) fetch.$(OBJEXT) foodgroups.$(OBJEXT) \
+	id.$(OBJEXT) ike_alg.$(OBJEXT) ipsec_doi.$(OBJEXT) \
+	kernel.$(OBJEXT) kernel_alg.$(OBJEXT) kernel_netlink.$(OBJEXT) \
+	kernel_noklips.$(OBJEXT) kernel_pfkey.$(OBJEXT) keys.$(OBJEXT) \
+	lex.$(OBJEXT) log.$(OBJEXT) modecfg.$(OBJEXT) \
+	nat_traversal.$(OBJEXT) ocsp.$(OBJEXT) packet.$(OBJEXT) \
+	pem.$(OBJEXT) pgpcert.$(OBJEXT) pkcs7.$(OBJEXT) \
+	plutomain.$(OBJEXT) rcv_whack.$(OBJEXT) server.$(OBJEXT) \
+	smartcard.$(OBJEXT) spdb.$(OBJEXT) state.$(OBJEXT) \
+	timer.$(OBJEXT) vendor.$(OBJEXT) virtual.$(OBJEXT) \
+	xauth.$(OBJEXT) x509.$(OBJEXT)
+pluto_OBJECTS = $(am_pluto_OBJECTS)
+pluto_DEPENDENCIES = $(LIBSTRONGSWANDIR)/libstrongswan.la \
+	$(LIBFREESWANDIR)/libfreeswan.a $(am__DEPENDENCIES_1) \
+	$(am__DEPENDENCIES_1)
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
@@ -141,6 +130,7 @@ CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -163,6 +153,9 @@ LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -174,6 +167,7 @@ MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
 NM = @NM@
 NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
@@ -187,6 +181,8 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 RANLIB = @RANLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -247,6 +243,7 @@ oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
 plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -258,6 +255,7 @@ srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 xml_CFLAGS = @xml_CFLAGS@
@@ -265,7 +263,6 @@ xml_LIBS = @xml_LIBS@
 pluto_SOURCES = \
 ac.c ac.h \
 alg_info.c alg_info.h \
-asn1.c asn1.h \
 ca.c ca.h \
 certs.c certs.h \
 connections.c connections.h \
@@ -277,11 +274,8 @@ db_ops.c db_ops.h \
 defs.c defs.h \
 demux.c demux.h \
 dnskey.c dnskey.h \
-dsa.c dsa.h \
-elgamal.c elgamal.h \
 fetch.c fetch.h \
 foodgroups.c foodgroups.h \
-gcryptfix.c gcryptfix.h \
 id.c id.h \
 ike_alg.c ike_alg.h \
 ipsec_doi.c ipsec_doi.h \
@@ -294,23 +288,16 @@ kernel_pfkey.c kernel_pfkey.h \
 keys.c keys.h \
 lex.c lex.h \
 log.c log.h \
-md2.c md2.h \
-md5.c md5.h \
 modecfg.c modecfg.h \
-mp_defs.c mp_defs.h \
 nat_traversal.c nat_traversal.h \
 ocsp.c ocsp.h \
 packet.c packet.h \
 pem.c pem.h \
-pgp.c pgp.h \
-pkcs1.c pkcs1.h \
+pgpcert.c pgpcert.h \
 pkcs7.c pkcs7.h \
 plutomain.c \
-primegen.c smallprime.c \
 rcv_whack.c rcv_whack.h \
-rnd.c rnd.h \
 server.c server.h \
-sha1.c sha1.h \
 smartcard.c smartcard.h \
 spdb.c spdb.h \
 state.c state.h \
@@ -319,34 +306,33 @@ vendor.c vendor.h \
 virtual.c virtual.h \
 xauth.c xauth.h \
 x509.c x509.h \
-alg/ike_alg_aes.c alg/ike_alg_blowfish.c alg/ike_alg_twofish.c \
-alg/ike_alg_serpent.c alg/ike_alg_sha2.c alg/ike_alginit.c \
 rsaref/pkcs11t.h rsaref/pkcs11.h rsaref/unix.h rsaref/pkcs11f.h
 
 _pluto_adns_SOURCES = adns.c adns.h
-LIBSTRONGSWANDIR = $(top_srcdir)/src/libstrongswan
+LIBSTRONGSWANDIR = $(top_builddir)/src/libstrongswan
 LIBFREESWANDIR = $(top_builddir)/src/libfreeswan
-LIBCRYPTODIR = $(top_builddir)/src/libcrypto
 INCLUDES = \
 -I${linuxdir} \
--I$(LIBSTRONGSWANDIR)\
+-I$(top_srcdir)/src/libstrongswan \
 -I$(top_srcdir)/src/libfreeswan \
--I$(top_srcdir)/src/libcrypto \
 -I$(top_srcdir)/src/whack
 
 AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" -DIPSEC_CONFDIR=\"${confdir}\" \
 	-DIPSEC_PIDDIR=\"${piddir}\" \
 	-DSHARED_SECRETS_FILE=\"${confdir}/ipsec.secrets\" \
-	-DKERNEL26_SUPPORT -DKERNEL26_HAS_KAME_DUPLICATES -DPLUTO \
-	-DKLIPS -DDEBUG $(am__append_1) $(am__append_2) \
-	$(am__append_3) $(am__append_4) $(am__append_6) \
-	$(am__append_8) $(am__append_9) $(am__append_11)
-pluto_LDADD = oid.o $(LIBFREESWANDIR)/libfreeswan.a \
-	$(LIBCRYPTODIR)/libcrypto.a -lgmp -lresolv -lpthread -ldl \
-	$(am__append_5) $(am__append_7) $(am__append_10)
+	-DIPSEC_PLUGINDIR=\"${plugindir}\" \
+	-DPLUGINS=\""${pluto_plugins}\"" \
+	-DSTRONGSWAN_CONF=\"${strongswan_conf}\" -DKERNEL26_SUPPORT \
+	-DKERNEL26_HAS_KAME_DUPLICATES -DPLUTO -DKLIPS -DDEBUG \
+	$(am__append_1) $(am__append_2) $(am__append_3) \
+	$(am__append_4) $(am__append_5) $(am__append_6) \
+	$(am__append_8)
+pluto_LDADD = $(LIBSTRONGSWANDIR)/libstrongswan.la \
+	$(LIBFREESWANDIR)/libfreeswan.a -lresolv -lpthread $(DLLIB) \
+	$(am__append_7)
 _pluto_adns_LDADD = \
 $(LIBFREESWANDIR)/libfreeswan.a \
--lresolv -ldl
+-lresolv $(DLLIB)
 
 dist_man_MANS = pluto.8 ipsec.secrets.5
 all: all-am
@@ -357,8 +343,8 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
 	    *$$dep*) \
-	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
-		&& exit 0; \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
 	      exit 1;; \
 	  esac; \
 	done; \
@@ -426,7 +412,6 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ac.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/adns.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/alg_info.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ca.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/certs.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/connections.Po@am__quote@
@@ -438,19 +423,10 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/defs.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/demux.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/dnskey.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/dsa.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/elgamal.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fetch.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/foodgroups.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/gcryptfix.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/id.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_alg.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_alg_aes.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_alg_blowfish.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_alg_serpent.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_alg_sha2.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_alg_twofish.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_alginit.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipsec_doi.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_alg.Po@am__quote@
@@ -460,24 +436,16 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/keys.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/lex.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/log.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/md2.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/md5.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/modecfg.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mp_defs.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/nat_traversal.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ocsp.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/packet.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pem.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pgp.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs1.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pgpcert.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs7.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/plutomain.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/primegen.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rcv_whack.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rnd.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/server.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sha1.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/smallprime.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/smartcard.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/spdb.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/state.Po@am__quote@
@@ -508,90 +476,6 @@ distclean-compile:
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
 
-ike_alg_aes.o: alg/ike_alg_aes.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_alg_aes.o -MD -MP -MF $(DEPDIR)/ike_alg_aes.Tpo -c -o ike_alg_aes.o `test -f 'alg/ike_alg_aes.c' || echo '$(srcdir)/'`alg/ike_alg_aes.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/ike_alg_aes.Tpo $(DEPDIR)/ike_alg_aes.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='alg/ike_alg_aes.c' object='ike_alg_aes.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_alg_aes.o `test -f 'alg/ike_alg_aes.c' || echo '$(srcdir)/'`alg/ike_alg_aes.c
-
-ike_alg_aes.obj: alg/ike_alg_aes.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_alg_aes.obj -MD -MP -MF $(DEPDIR)/ike_alg_aes.Tpo -c -o ike_alg_aes.obj `if test -f 'alg/ike_alg_aes.c'; then $(CYGPATH_W) 'alg/ike_alg_aes.c'; else $(CYGPATH_W) '$(srcdir)/alg/ike_alg_aes.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/ike_alg_aes.Tpo $(DEPDIR)/ike_alg_aes.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='alg/ike_alg_aes.c' object='ike_alg_aes.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_alg_aes.obj `if test -f 'alg/ike_alg_aes.c'; then $(CYGPATH_W) 'alg/ike_alg_aes.c'; else $(CYGPATH_W) '$(srcdir)/alg/ike_alg_aes.c'; fi`
-
-ike_alg_blowfish.o: alg/ike_alg_blowfish.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_alg_blowfish.o -MD -MP -MF $(DEPDIR)/ike_alg_blowfish.Tpo -c -o ike_alg_blowfish.o `test -f 'alg/ike_alg_blowfish.c' || echo '$(srcdir)/'`alg/ike_alg_blowfish.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/ike_alg_blowfish.Tpo $(DEPDIR)/ike_alg_blowfish.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='alg/ike_alg_blowfish.c' object='ike_alg_blowfish.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_alg_blowfish.o `test -f 'alg/ike_alg_blowfish.c' || echo '$(srcdir)/'`alg/ike_alg_blowfish.c
-
-ike_alg_blowfish.obj: alg/ike_alg_blowfish.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_alg_blowfish.obj -MD -MP -MF $(DEPDIR)/ike_alg_blowfish.Tpo -c -o ike_alg_blowfish.obj `if test -f 'alg/ike_alg_blowfish.c'; then $(CYGPATH_W) 'alg/ike_alg_blowfish.c'; else $(CYGPATH_W) '$(srcdir)/alg/ike_alg_blowfish.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/ike_alg_blowfish.Tpo $(DEPDIR)/ike_alg_blowfish.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='alg/ike_alg_blowfish.c' object='ike_alg_blowfish.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_alg_blowfish.obj `if test -f 'alg/ike_alg_blowfish.c'; then $(CYGPATH_W) 'alg/ike_alg_blowfish.c'; else $(CYGPATH_W) '$(srcdir)/alg/ike_alg_blowfish.c'; fi`
-
-ike_alg_twofish.o: alg/ike_alg_twofish.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_alg_twofish.o -MD -MP -MF $(DEPDIR)/ike_alg_twofish.Tpo -c -o ike_alg_twofish.o `test -f 'alg/ike_alg_twofish.c' || echo '$(srcdir)/'`alg/ike_alg_twofish.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/ike_alg_twofish.Tpo $(DEPDIR)/ike_alg_twofish.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='alg/ike_alg_twofish.c' object='ike_alg_twofish.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_alg_twofish.o `test -f 'alg/ike_alg_twofish.c' || echo '$(srcdir)/'`alg/ike_alg_twofish.c
-
-ike_alg_twofish.obj: alg/ike_alg_twofish.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_alg_twofish.obj -MD -MP -MF $(DEPDIR)/ike_alg_twofish.Tpo -c -o ike_alg_twofish.obj `if test -f 'alg/ike_alg_twofish.c'; then $(CYGPATH_W) 'alg/ike_alg_twofish.c'; else $(CYGPATH_W) '$(srcdir)/alg/ike_alg_twofish.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/ike_alg_twofish.Tpo $(DEPDIR)/ike_alg_twofish.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='alg/ike_alg_twofish.c' object='ike_alg_twofish.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_alg_twofish.obj `if test -f 'alg/ike_alg_twofish.c'; then $(CYGPATH_W) 'alg/ike_alg_twofish.c'; else $(CYGPATH_W) '$(srcdir)/alg/ike_alg_twofish.c'; fi`
-
-ike_alg_serpent.o: alg/ike_alg_serpent.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_alg_serpent.o -MD -MP -MF $(DEPDIR)/ike_alg_serpent.Tpo -c -o ike_alg_serpent.o `test -f 'alg/ike_alg_serpent.c' || echo '$(srcdir)/'`alg/ike_alg_serpent.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/ike_alg_serpent.Tpo $(DEPDIR)/ike_alg_serpent.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='alg/ike_alg_serpent.c' object='ike_alg_serpent.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_alg_serpent.o `test -f 'alg/ike_alg_serpent.c' || echo '$(srcdir)/'`alg/ike_alg_serpent.c
-
-ike_alg_serpent.obj: alg/ike_alg_serpent.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_alg_serpent.obj -MD -MP -MF $(DEPDIR)/ike_alg_serpent.Tpo -c -o ike_alg_serpent.obj `if test -f 'alg/ike_alg_serpent.c'; then $(CYGPATH_W) 'alg/ike_alg_serpent.c'; else $(CYGPATH_W) '$(srcdir)/alg/ike_alg_serpent.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/ike_alg_serpent.Tpo $(DEPDIR)/ike_alg_serpent.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='alg/ike_alg_serpent.c' object='ike_alg_serpent.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_alg_serpent.obj `if test -f 'alg/ike_alg_serpent.c'; then $(CYGPATH_W) 'alg/ike_alg_serpent.c'; else $(CYGPATH_W) '$(srcdir)/alg/ike_alg_serpent.c'; fi`
-
-ike_alg_sha2.o: alg/ike_alg_sha2.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_alg_sha2.o -MD -MP -MF $(DEPDIR)/ike_alg_sha2.Tpo -c -o ike_alg_sha2.o `test -f 'alg/ike_alg_sha2.c' || echo '$(srcdir)/'`alg/ike_alg_sha2.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/ike_alg_sha2.Tpo $(DEPDIR)/ike_alg_sha2.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='alg/ike_alg_sha2.c' object='ike_alg_sha2.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_alg_sha2.o `test -f 'alg/ike_alg_sha2.c' || echo '$(srcdir)/'`alg/ike_alg_sha2.c
-
-ike_alg_sha2.obj: alg/ike_alg_sha2.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_alg_sha2.obj -MD -MP -MF $(DEPDIR)/ike_alg_sha2.Tpo -c -o ike_alg_sha2.obj `if test -f 'alg/ike_alg_sha2.c'; then $(CYGPATH_W) 'alg/ike_alg_sha2.c'; else $(CYGPATH_W) '$(srcdir)/alg/ike_alg_sha2.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/ike_alg_sha2.Tpo $(DEPDIR)/ike_alg_sha2.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='alg/ike_alg_sha2.c' object='ike_alg_sha2.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_alg_sha2.obj `if test -f 'alg/ike_alg_sha2.c'; then $(CYGPATH_W) 'alg/ike_alg_sha2.c'; else $(CYGPATH_W) '$(srcdir)/alg/ike_alg_sha2.c'; fi`
-
-ike_alginit.o: alg/ike_alginit.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_alginit.o -MD -MP -MF $(DEPDIR)/ike_alginit.Tpo -c -o ike_alginit.o `test -f 'alg/ike_alginit.c' || echo '$(srcdir)/'`alg/ike_alginit.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/ike_alginit.Tpo $(DEPDIR)/ike_alginit.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='alg/ike_alginit.c' object='ike_alginit.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_alginit.o `test -f 'alg/ike_alginit.c' || echo '$(srcdir)/'`alg/ike_alginit.c
-
-ike_alginit.obj: alg/ike_alginit.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_alginit.obj -MD -MP -MF $(DEPDIR)/ike_alginit.Tpo -c -o ike_alginit.obj `if test -f 'alg/ike_alginit.c'; then $(CYGPATH_W) 'alg/ike_alginit.c'; else $(CYGPATH_W) '$(srcdir)/alg/ike_alginit.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/ike_alginit.Tpo $(DEPDIR)/ike_alginit.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='alg/ike_alginit.c' object='ike_alginit.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_alginit.obj `if test -f 'alg/ike_alginit.c'; then $(CYGPATH_W) 'alg/ike_alginit.c'; else $(CYGPATH_W) '$(srcdir)/alg/ike_alginit.c'; fi`
-
 mostlyclean-libtool:
 	-rm -f *.lo
 
@@ -608,8 +492,8 @@ install-man5: $(man5_MANS) $(man_MANS)
 	  esac; \
 	done; \
 	for i in $$list; do \
-	  if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
-	  else file=$$i; fi; \
+	  if test -f $$i; then file=$$i; \
+	  else file=$(srcdir)/$$i; fi; \
 	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
 	  case "$$ext" in \
 	    5*) ;; \
@@ -653,8 +537,8 @@ install-man8: $(man8_MANS) $(man_MANS)
 	  esac; \
 	done; \
 	for i in $$list; do \
-	  if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
-	  else file=$$i; fi; \
+	  if test -f $$i; then file=$$i; \
+	  else file=$(srcdir)/$$i; fi; \
 	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
 	  case "$$ext" in \
 	    8*) ;; \
@@ -693,7 +577,7 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
 	mkid -fID $$unique
 tags: TAGS
@@ -871,9 +755,6 @@ uninstall-man: uninstall-man5 uninstall-man8
 	uninstall-ipsecPROGRAMS uninstall-man uninstall-man5 \
 	uninstall-man8
 
-
-oid.o :	$(LIBSTRONGSWANDIR)/asn1/oid.c $(LIBSTRONGSWANDIR)/asn1/oid.h
-		$(COMPILE) -c -o $@ $<
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/src/pluto/TODO b/src/pluto/TODO
deleted file mode 100644
index 1c22b2f5c..000000000
--- a/src/pluto/TODO
+++ /dev/null
@@ -1,129 +0,0 @@
-Pluto TODO list
-===============
-RCSID $Id: TODO 3269 2007-10-08 20:03:02Z andreas $
-
-- should all log entries that are for errors say ERROR?
-
-- Add a "plug-in" facility so that others can add features without
-  changing the mainline code.  This is how X509/LDAP/biometric stuff
-  might be added.
-
-- (internal change only) routines for outputting payloads should plug
-  "np" into the previous payload so that a payload generating routine
-  need not know what the next payload will be.  This may be more bother
-  than it is worth.
-
-- notifications, in and out
-  + delete
-  + first contact
-  + last contact? (not part of drafts, but would be nice)
-
-- Make DNS usage for asynchronous (non-blocking)
-  + looking up KEY and TXT records during negotiation
-  + perhaps not for whack command arguments and ipsec.secrets since the
-    library code uses gethostbyname
-
-- check that ipsec auto and whack to agree on what is worth reporting
-
-- Should Pluto (rather than ipsec manual) install %passthrough conns?
-  That way Pluto would know of them.
-
-- For responding to Road Warriors, how can we decide if the RW has
-  gone away?  The rekeying event is perhaps too imprecise.  Even if
-  rekeying event is good enough, how do we know if the route should be
-  torn down?  Perhaps limiting a Phase 1 ID to one IP address would
-  help (limiting a client subnet to one peer already helps).  Perhaps
-  (in some rate-limited way) we can take an ICMP host unreachable
-  as a hint to do some authenticated and reliable probe.
-
-- it is annoying that Pluto and auto have different models for public keys.
-  + auto specifies one per connection
-  + Pluto allows one to be specified per id
-  Two connections with the same id are going to use the same key:
-  the one of the last conn to be added!
-
-  I think auto ought to be fixed.  It is hard for Pluto to warn when
-  there is a conflict since the deletion of a connection doesn't
-  prompt auto to tell pluto to delete the public key.
-
-- different connections with the same host IP addresses are randomly
-  interchangeable until the ID payload is received.  At least for the
-  Responder case (and eventually for the opportunistic Initiator).
-  Worse, all Road Warriors must be considered to have the
-  indistinguishable IP addresses.  This affects ISAKMP SA negotiation.
-  Currently, there is little flexibility in this negotiation, so the
-  problem is limited to the specification of acceptable authentication
-  method(s).  Correct, but more work than seems worthwhile, would be
-  to select the conn based on what is proposed.
-
-  Warning about such confusion at connection definition time isn't great
-  because there is no confusion when explicitly initiated (a particular
-  conn is specified).  Warning for a Road Warrior conn is possible
-  since it cannot be initiated (and has been implemented).
-
-- characterize and ameliorate DOS attacks.  Lots of rate limiting.
-
-- look at John Denker's wish list: http://www.quintillion.com/moat/wish.list
-
-- use of random numbers needs to be audited.
-
-- unknown (not just unimplemented) transforms cause a negotiation to
-  fail.  Only the transform should be rejected.
-
-- we need better policy control.  Our present flags need to be
-  modulated (forbid, allow, offer, require)
-
-- HS will specify how --copyright and --version should behave
-
-- HS will initiate project-wide terminology replacing ISAKMP SA, IPSEC
-  SA, Protection Suite, Phase 1, Main Mode, Phase 2, Quick Mode, ...
-  Simplicity and clarity will be a goal.
-
-- interface discovery ought to match what is specified in ipsec.conf.
-  This probably means grokking /proc/net/ipsec_tncfg.  Documented in
-  ipsec_tncfg(5).  This won't do for Hugh's debugging setup.
-
-
-Protocol Issues
-===============
-
-Notification and delete payloads seem to be "escape hatches" for the
-protocols.  As such, anything implemented using them seems to be
-kludged without being well designed or well situated or well
-constrained in the protocols.  Often the precise meaning (if any) or
-usage is under specified.  An implementation is allowed to ignore
-them, so they cannot really matter (but they too often do).  Their
-specification ought to be scrutinized by a protocol guru.
-
-Any extra payload in last main mode message is not protected (not
-authenticated by hash).
-
-Should notification payloads be interpreted before or after the normal
-payloads (i.e. understood in the context of, executed in the context of).
-
-What is the precise result of an INITIAL_CONNECTION?  What is a
-"system" (eg. does Phase 1 Identity count)?  What is "earlier" or
-"before" (simultaneous negotiation is possible, with time being only a
-partial order)?  Could it be used for FINAL_CONTACT (needed too)?
-
-Blasting out a pile of UDP messages, especially to a particular
-destination, is likely to provoke message loss.  The exchanges are
-just that, so they individually are self-throttling.  But what about
-multiple exchanges simultaneously?  What about notifications (example:
-when shutting down, a flurry of delete notifications are likely).
-Should the RFCs be designed to protect against this problem?
-
-draft-jenkins-ipsec-rekeying-03.txt rekeying is way too complicated.
-Our solution looks sound and simple (we have the Responder install the
-incoming IPSEC SA before sending its first reply).  In "2.2.1.4
-Responder Pre-Set-up Security Hole", the draft claims that setting up
-the IPSEC SA early leaves the Responder open to replay attacks.  I
-think that this is wrong: the Message Id, since it must not be reused,
-serves to prove that this isn't a replay.
-
-The details for notification messages suggested by
-draft-ietf-ipsec-notifymsg-02.txt are over-complicated, just to make
-them machine-comprehensible.  I think this is over-engineering,
-justified only if another level of negotiation is contemplated (ugh!).
-Plain text is probably sufficient for informing humans (I admit that
-there is a problem with I18N).
diff --git a/src/pluto/ac.c b/src/pluto/ac.c
index 6745ff484..3b5df9738 100644
--- a/src/pluto/ac.c
+++ b/src/pluto/ac.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: ac.c 4632 2008-11-11 18:37:19Z martin $
  */
 
 #include <stdlib.h>
@@ -25,10 +23,11 @@
 
 #include <freeswan.h>
 
-#include "constants.h"
-#include "defs.h"
-#include "asn1.h"
+#include <utils.h>
+#include <asn1/asn1.h>
+#include <asn1/asn1_parser.h>
 #include <asn1/oid.h>
+
 #include "ac.h"
 #include "x509.h"
 #include "crl.h"
@@ -38,971 +37,947 @@
 #include "whack.h"
 #include "fetch.h"
 
-/* chained list of X.509 attribute certificates */
-
+/**
+ * Chained list of X.509 attribute certificates
+ */
 static x509acert_t *x509acerts   = NULL;
 
-/* chained list of ietfAttributes */
-
+/**
+ * Chained list of ietfAttributes
+ */
 static ietfAttrList_t *ietfAttributes = NULL;
 
-/* ASN.1 definition of ietfAttrSyntax */
-
+/**
+ * ASN.1 definition of ietfAttrSyntax
+ */
 static const asn1Object_t ietfAttrSyntaxObjects[] =
 {
-  { 0, "ietfAttrSyntax",		ASN1_SEQUENCE,        ASN1_NONE }, /*  0 */
-  { 1,   "policyAuthority",		ASN1_CONTEXT_C_0,     ASN1_OPT |
-							      ASN1_BODY }, /*  1 */
-  { 1,   "end opt",			ASN1_EOC,             ASN1_END  }, /*  2 */
-  { 1,   "values",			ASN1_SEQUENCE,        ASN1_LOOP }, /*  3 */
-  { 2,     "octets",			ASN1_OCTET_STRING,    ASN1_OPT |
-							      ASN1_BODY }, /*  4 */
-  { 2,     "end choice",		ASN1_EOC,             ASN1_END  }, /*  5 */
-  { 2,     "oid",			ASN1_OID,	      ASN1_OPT |
-							      ASN1_BODY }, /*  6 */
-  { 2,     "end choice",		ASN1_EOC,             ASN1_END  }, /*  7 */
-  { 2,     "string",			ASN1_UTF8STRING,      ASN1_OPT |
-							      ASN1_BODY }, /*  8 */
-  { 2,     "end choice",		ASN1_EOC,             ASN1_END  }, /*  9 */
-  { 1,   "end loop",			ASN1_EOC,	      ASN1_END  }  /* 10 */
+	{ 0, "ietfAttrSyntax",                ASN1_SEQUENCE,        ASN1_NONE }, /*  0 */
+	{ 1,   "policyAuthority",             ASN1_CONTEXT_C_0,     ASN1_OPT |
+																ASN1_BODY }, /*  1 */
+	{ 1,   "end opt",                     ASN1_EOC,             ASN1_END  }, /*  2 */
+	{ 1,   "values",                      ASN1_SEQUENCE,        ASN1_LOOP }, /*  3 */
+	{ 2,     "octets",                    ASN1_OCTET_STRING,    ASN1_OPT |
+																ASN1_BODY }, /*  4 */
+	{ 2,     "end choice",                ASN1_EOC,             ASN1_END  }, /*  5 */
+	{ 2,     "oid",                       ASN1_OID,             ASN1_OPT |
+																ASN1_BODY }, /*  6 */
+	{ 2,     "end choice",                ASN1_EOC,             ASN1_END  }, /*  7 */
+	{ 2,     "string",                    ASN1_UTF8STRING,      ASN1_OPT |
+																ASN1_BODY }, /*  8 */
+	{ 2,     "end choice",                ASN1_EOC,             ASN1_END  }, /*  9 */
+	{ 1,   "end loop",                    ASN1_EOC,             ASN1_END  }, /* 10 */
+	{ 0, "exit",                          ASN1_EOC,             ASN1_EXIT }
 };
 
-#define IETF_ATTR_OCTETS	 4
-#define IETF_ATTR_OID		 6
-#define IETF_ATTR_STRING	 8
-#define IETF_ATTR_ROOF		11
-
-/* ASN.1 definition of roleSyntax */
+#define IETF_ATTR_OCTETS         4
+#define IETF_ATTR_OID            6
+#define IETF_ATTR_STRING         8
 
+/**
+ * ASN.1 definition of roleSyntax
+ */
 static const asn1Object_t roleSyntaxObjects[] =
 {
-  { 0, "roleSyntax",			ASN1_SEQUENCE,        ASN1_NONE }, /*  0 */
-  { 1,   "roleAuthority",		ASN1_CONTEXT_C_0,     ASN1_OPT |
-							      ASN1_OBJ  }, /*  1 */
-  { 1,   "end opt",			ASN1_EOC,             ASN1_END  }, /*  2 */
-  { 1,   "roleName",			ASN1_CONTEXT_C_1,     ASN1_OBJ  }  /*  3 */
+	{ 0, "roleSyntax",		ASN1_SEQUENCE,		ASN1_NONE }, /* 0 */
+	{ 1,   "roleAuthority",	ASN1_CONTEXT_C_0,	ASN1_OPT |
+												ASN1_OBJ  }, /* 1 */
+	{ 1,   "end opt",		ASN1_EOC,			ASN1_END  }, /* 2 */
+	{ 1,   "roleName",		ASN1_CONTEXT_C_1,	ASN1_OBJ  }, /* 3 */
+	{ 0, "exit",			ASN1_EOC,			ASN1_EXIT }
 };
 
-#define ROLE_ROOF		4
-
-/* ASN.1 definition of an X509 attribute certificate */
-
+/**
+ * ASN.1 definition of an X509 attribute certificate
+ */
 static const asn1Object_t acObjects[] =
 {
-  { 0, "AttributeCertificate",		ASN1_SEQUENCE,        ASN1_OBJ  }, /*  0 */
-  { 1,   "AttributeCertificateInfo",    ASN1_SEQUENCE,        ASN1_OBJ  }, /*  1 */
-  { 2,	   "version",			ASN1_INTEGER,	      ASN1_DEF |
-							      ASN1_BODY }, /*  2 */
-  { 2,	   "holder",                    ASN1_SEQUENCE,	      ASN1_NONE }, /*  3 */
-  { 3,	     "baseCertificateID",	ASN1_CONTEXT_C_0,     ASN1_OPT  }, /*  4 */
-  { 4,	       "issuer",		ASN1_SEQUENCE,	      ASN1_OBJ  }, /*  5 */
-  { 4,	       "serial",		ASN1_INTEGER,	      ASN1_BODY }, /*  6 */
-  { 4,         "issuerUID",		ASN1_BIT_STRING,      ASN1_OPT |
-                                                              ASN1_BODY }, /*  7 */
-  { 4,         "end opt",		ASN1_EOC,             ASN1_END  }, /*  8 */
-  { 3,       "end opt",			ASN1_EOC,             ASN1_END  }, /*  9 */
-  { 3,	     "entityName",		ASN1_CONTEXT_C_1,     ASN1_OPT |
-							      ASN1_OBJ  }, /* 10 */
-  { 3,       "end opt",			ASN1_EOC,             ASN1_END  }, /* 11 */
-  { 3,	     "objectDigestInfo",	ASN1_CONTEXT_C_2,     ASN1_OPT  }, /* 12 */
-  { 4,	       "digestedObjectType",	ASN1_ENUMERATED,      ASN1_BODY }, /* 13*/
-  { 4,	       "otherObjectTypeID",	ASN1_OID,    	      ASN1_OPT |
-							      ASN1_BODY }, /* 14 */
-  { 4,         "end opt",		ASN1_EOC,             ASN1_END  }, /* 15*/
-  { 4,         "digestAlgorithm",	ASN1_EOC,             ASN1_RAW  }, /* 16 */
-  { 3,       "end opt",			ASN1_EOC,             ASN1_END  }, /* 17 */
-  { 2,	   "v2Form",			ASN1_CONTEXT_C_0,     ASN1_NONE }, /* 18 */
-  { 3,	     "issuerName",		ASN1_SEQUENCE,        ASN1_OPT |
-                                                              ASN1_OBJ  }, /* 19 */
-  { 3,       "end opt",			ASN1_EOC,             ASN1_END  }, /* 20 */
-  { 3,	     "baseCertificateID",	ASN1_CONTEXT_C_0,     ASN1_OPT  }, /* 21 */
-  { 4,	       "issuerSerial",		ASN1_SEQUENCE,        ASN1_NONE }, /* 22 */
-  { 5,	         "issuer",		ASN1_SEQUENCE,	      ASN1_OBJ  }, /* 23 */
-  { 5,	  	 "serial",		ASN1_INTEGER,	      ASN1_BODY }, /* 24 */
-  { 5,           "issuerUID",		ASN1_BIT_STRING,      ASN1_OPT |
-                                                              ASN1_BODY }, /* 25 */
-  { 5,           "end opt",		ASN1_EOC,             ASN1_END  }, /* 26 */
-  { 3,       "end opt",			ASN1_EOC,             ASN1_END  }, /* 27 */
-  { 3,       "objectDigestInfo",	ASN1_CONTEXT_C_1,     ASN1_OPT  }, /* 28 */
-  { 4,	       "digestInfo",		ASN1_SEQUENCE,        ASN1_OBJ  }, /* 29 */
-  { 5,  	 "digestedObjectType",	ASN1_ENUMERATED,      ASN1_BODY }, /* 30 */
-  { 5,	  	 "otherObjectTypeID",	ASN1_OID,    	      ASN1_OPT |
-							      ASN1_BODY }, /* 31 */
-  { 5,           "end opt",		ASN1_EOC,             ASN1_END  }, /* 32 */
-  { 5,           "digestAlgorithm",	ASN1_EOC,             ASN1_RAW  }, /* 33 */
-  { 3,       "end opt",			ASN1_EOC,             ASN1_END  }, /* 34 */
-  { 2,	   "signature",                 ASN1_EOC,             ASN1_RAW  }, /* 35 */
-  { 2,	   "serialNumber",              ASN1_INTEGER,         ASN1_BODY }, /* 36 */
-  { 2,	   "attrCertValidityPeriod",    ASN1_SEQUENCE,        ASN1_NONE }, /* 37 */
-  { 3,	     "notBeforeTime",           ASN1_GENERALIZEDTIME, ASN1_BODY }, /* 38 */
-  { 3,	     "notAfterTime",            ASN1_GENERALIZEDTIME, ASN1_BODY }, /* 39 */
-  { 2,	   "attributes",                ASN1_SEQUENCE,        ASN1_LOOP }, /* 40 */
-  { 3,       "attribute",		ASN1_SEQUENCE,        ASN1_NONE }, /* 41 */
-  { 4,         "type",			ASN1_OID,             ASN1_BODY }, /* 42 */
-  { 4,         "values",		ASN1_SET, 	      ASN1_LOOP }, /* 43 */
-  { 5,           "value",		ASN1_EOC, 	      ASN1_RAW  }, /* 44 */
-  { 4, 	       "end loop",		ASN1_EOC,	      ASN1_END  }, /* 45 */
-  { 2,     "end loop",			ASN1_EOC,             ASN1_END  }, /* 46 */
-  { 2,     "extensions",		ASN1_SEQUENCE,        ASN1_LOOP }, /* 47 */
-  { 3,       "extension",		ASN1_SEQUENCE,        ASN1_NONE }, /* 48 */
-  { 4,         "extnID",		ASN1_OID,             ASN1_BODY }, /* 49 */
-  { 4,         "critical",		ASN1_BOOLEAN,         ASN1_DEF |
-							      ASN1_BODY }, /* 50 */
-  { 4,         "extnValue",		ASN1_OCTET_STRING,    ASN1_BODY }, /* 51 */
-  { 2,     "end loop",			ASN1_EOC,             ASN1_END  }, /* 52 */
-  { 1,   "signatureAlgorithm",		ASN1_EOC,             ASN1_RAW  }, /* 53 */
-  { 1,   "signatureValue",		ASN1_BIT_STRING,      ASN1_BODY }  /* 54 */
+	{ 0, "AttributeCertificate",			ASN1_SEQUENCE,		  ASN1_OBJ  }, /*  0 */
+	{ 1,   "AttributeCertificateInfo",		ASN1_SEQUENCE,		  ASN1_OBJ  }, /*  1 */
+	{ 2,	   "version",					ASN1_INTEGER,		  ASN1_DEF |
+																  ASN1_BODY }, /*  2 */
+	{ 2,	   "holder",					ASN1_SEQUENCE,		  ASN1_NONE }, /*  3 */
+	{ 3,	     "baseCertificateID",		ASN1_CONTEXT_C_0,	  ASN1_OPT  }, /*  4 */
+	{ 4,	       "issuer",				ASN1_SEQUENCE,		  ASN1_OBJ  }, /*  5 */
+	{ 4,	       "serial",				ASN1_INTEGER,		  ASN1_BODY }, /*  6 */
+	{ 4,         "issuerUID",				ASN1_BIT_STRING,	  ASN1_OPT |
+																  ASN1_BODY }, /*  7 */
+	{ 4,         "end opt",					ASN1_EOC,			  ASN1_END  }, /*  8 */
+	{ 3,       "end opt",					ASN1_EOC,			  ASN1_END  }, /*  9 */
+	{ 3,	   "entityName",				ASN1_CONTEXT_C_1,	  ASN1_OPT |
+																  ASN1_OBJ  }, /* 10 */
+	{ 3,       "end opt",					ASN1_EOC,			  ASN1_END  }, /* 11 */
+	{ 3,	     "objectDigestInfo",		ASN1_CONTEXT_C_2,	  ASN1_OPT  }, /* 12 */
+	{ 4,	       "digestedObjectType",	ASN1_ENUMERATED,	  ASN1_BODY }, /* 13 */
+	{ 4,	       "otherObjectTypeID",		ASN1_OID,			  ASN1_OPT |
+																  ASN1_BODY }, /* 14 */
+	{ 4,         "end opt",					ASN1_EOC,			  ASN1_END  }, /* 15 */
+	{ 4,         "digestAlgorithm",			ASN1_EOC,			  ASN1_RAW  }, /* 16 */
+	{ 3,       "end opt",					ASN1_EOC,			  ASN1_END  }, /* 17 */
+	{ 2,	   "v2Form",					ASN1_CONTEXT_C_0,	  ASN1_NONE }, /* 18 */
+	{ 3,	     "issuerName",				ASN1_SEQUENCE,		  ASN1_OPT |
+																  ASN1_OBJ  }, /* 19 */
+	{ 3,       "end opt",					ASN1_EOC,			  ASN1_END  }, /* 20 */
+	{ 3,	     "baseCertificateID",		ASN1_CONTEXT_C_0,	  ASN1_OPT  }, /* 21 */
+	{ 4,	       "issuerSerial",			ASN1_SEQUENCE,		  ASN1_NONE }, /* 22 */
+	{ 5,	         "issuer",				ASN1_SEQUENCE,		  ASN1_OBJ  }, /* 23 */
+	{ 5,	  	 "serial",					ASN1_INTEGER,		  ASN1_BODY }, /* 24 */
+	{ 5,           "issuerUID",				ASN1_BIT_STRING,	  ASN1_OPT |
+																  ASN1_BODY }, /* 25 */
+	{ 5,           "end opt",				ASN1_EOC,			  ASN1_END  }, /* 26 */
+	{ 3,       "end opt",					ASN1_EOC,			  ASN1_END  }, /* 27 */
+	{ 3,       "objectDigestInfo",			ASN1_CONTEXT_C_1,	  ASN1_OPT  }, /* 28 */
+	{ 4,	       "digestInfo",			ASN1_SEQUENCE,		  ASN1_OBJ  }, /* 29 */
+	{ 5,  	 "digestedObjectType",			ASN1_ENUMERATED,	  ASN1_BODY }, /* 30 */
+	{ 5,	  	 "otherObjectTypeID",		ASN1_OID,			  ASN1_OPT |
+																  ASN1_BODY }, /* 31 */
+	{ 5,           "end opt",				ASN1_EOC,			  ASN1_END  }, /* 32 */
+	{ 5,           "digestAlgorithm",		ASN1_EOC,			  ASN1_RAW  }, /* 33 */
+	{ 3,       "end opt",					ASN1_EOC,			  ASN1_END  }, /* 34 */
+	{ 2,	   "signature",					ASN1_EOC,			  ASN1_RAW  }, /* 35 */
+	{ 2,	   "serialNumber",				ASN1_INTEGER,		  ASN1_BODY }, /* 36 */
+	{ 2,	   "attrCertValidityPeriod",	ASN1_SEQUENCE,		  ASN1_NONE }, /* 37 */
+	{ 3,	     "notBeforeTime",			ASN1_GENERALIZEDTIME, ASN1_BODY }, /* 38 */
+	{ 3,	     "notAfterTime",			ASN1_GENERALIZEDTIME, ASN1_BODY }, /* 39 */
+	{ 2,	   "attributes",				ASN1_SEQUENCE,		  ASN1_LOOP }, /* 40 */
+	{ 3,       "attribute",					ASN1_SEQUENCE,		  ASN1_NONE }, /* 41 */
+	{ 4,         "type",					ASN1_OID,			  ASN1_BODY }, /* 42 */
+	{ 4,         "values",					ASN1_SET, 			  ASN1_LOOP }, /* 43 */
+	{ 5,           "value",					ASN1_EOC, 			  ASN1_RAW  }, /* 44 */
+	{ 4, 	       "end loop",				ASN1_EOC,			  ASN1_END  }, /* 45 */
+	{ 2,     "end loop",					ASN1_EOC,			  ASN1_END  }, /* 46 */
+	{ 2,     "extensions",					ASN1_SEQUENCE,		  ASN1_LOOP }, /* 47 */
+	{ 3,       "extension",					ASN1_SEQUENCE,		  ASN1_NONE }, /* 48 */
+	{ 4,         "extnID",					ASN1_OID,			  ASN1_BODY }, /* 49 */
+	{ 4,         "critical",				ASN1_BOOLEAN,		  ASN1_DEF |
+																  ASN1_BODY }, /* 50 */
+	{ 4,         "extnValue",				ASN1_OCTET_STRING,	  ASN1_BODY }, /* 51 */
+	{ 2,     "end loop",					ASN1_EOC,			  ASN1_END  }, /* 52 */
+	{ 1,   "signatureAlgorithm",			ASN1_EOC,			  ASN1_RAW  }, /* 53 */
+	{ 1,   "signatureValue",				ASN1_BIT_STRING,	  ASN1_BODY }, /* 54 */
+	{ 0, "exit",							ASN1_EOC,			  ASN1_EXIT }
 };
 
-#define AC_OBJ_CERTIFICATE		 0
-#define AC_OBJ_CERTIFICATE_INFO		 1
-#define AC_OBJ_VERSION			 2
-#define AC_OBJ_HOLDER_ISSUER		 5
-#define AC_OBJ_HOLDER_SERIAL		 6
-#define AC_OBJ_ENTITY_NAME		10
-#define AC_OBJ_ISSUER_NAME		19
-#define AC_OBJ_ISSUER			23
-#define AC_OBJ_SIG_ALG			35
-#define AC_OBJ_SERIAL_NUMBER		36
-#define AC_OBJ_NOT_BEFORE		38
-#define AC_OBJ_NOT_AFTER		39
-#define AC_OBJ_ATTRIBUTE_TYPE		42
-#define AC_OBJ_ATTRIBUTE_VALUE		44
-#define AC_OBJ_EXTN_ID			49
-#define AC_OBJ_CRITICAL			50
-#define AC_OBJ_EXTN_VALUE		51
-#define AC_OBJ_ALGORITHM		53
-#define AC_OBJ_SIGNATURE		54
-#define AC_OBJ_ROOF			55
+#define AC_OBJ_CERTIFICATE               0
+#define AC_OBJ_CERTIFICATE_INFO          1
+#define AC_OBJ_VERSION                   2
+#define AC_OBJ_HOLDER_ISSUER             5
+#define AC_OBJ_HOLDER_SERIAL             6
+#define AC_OBJ_ENTITY_NAME              10
+#define AC_OBJ_ISSUER_NAME              19
+#define AC_OBJ_ISSUER                   23
+#define AC_OBJ_SIG_ALG                  35
+#define AC_OBJ_SERIAL_NUMBER            36
+#define AC_OBJ_NOT_BEFORE               38
+#define AC_OBJ_NOT_AFTER                39
+#define AC_OBJ_ATTRIBUTE_TYPE           42
+#define AC_OBJ_ATTRIBUTE_VALUE          44
+#define AC_OBJ_EXTN_ID                  49
+#define AC_OBJ_CRITICAL                 50
+#define AC_OBJ_EXTN_VALUE               51
+#define AC_OBJ_ALGORITHM                53
+#define AC_OBJ_SIGNATURE                54
 
 const x509acert_t empty_ac = {
-      NULL     , /* *next */
-            0  , /* installed */
-    { NULL, 0 }, /* certificate */
-    { NULL, 0 }, /*   certificateInfo */
-            1  , /*     version */
-		 /*     holder */
-		 /*       baseCertificateID */
-    { NULL, 0 }, /*         holderIssuer */
-    { NULL, 0 }, /*         holderSerial */
-		 /*       entityName */
-    { NULL, 0 }, /*         generalNames */
-		 /*     v2Form */
-    { NULL, 0 }, /*       issuerName */
-                 /*     signature */
-    OID_UNKNOWN, /*       sigAlg */
-    { NULL, 0 }, /*     serialNumber */
-                 /*     attrCertValidityPeriod */
-            0  , /*       notBefore */
-            0  , /*       notAfter */
-		 /*     attributes */
-      NULL     , /*       charging */
-      NULL     , /*       groups */
-		 /*     extensions */
-    { NULL, 0 }, /*       authKeyID */
-    { NULL, 0 }, /*       authKeySerialNumber */
-      FALSE    , /*       noRevAvail */
-		 /*   signatureAlgorithm */
-    OID_UNKNOWN, /*     algorithm */
-    { NULL, 0 }, /*   signature */
+	  NULL     , /* *next */
+			0  , /* installed */
+	{ NULL, 0 }, /* certificate */
+	{ NULL, 0 }, /*   certificateInfo */
+			1  , /*     version */
+				 /*     holder */
+				 /*       baseCertificateID */
+	{ NULL, 0 }, /*         holderIssuer */
+	{ NULL, 0 }, /*         holderSerial */
+				 /*       entityName */
+	{ NULL, 0 }, /*         generalNames */
+				 /*     v2Form */
+	{ NULL, 0 }, /*       issuerName */
+				 /*     signature */
+	OID_UNKNOWN, /*       sigAlg */
+	{ NULL, 0 }, /*     serialNumber */
+				 /*     attrCertValidityPeriod */
+			0  , /*       notBefore */
+			0  , /*       notAfter */
+				 /*     attributes */
+	  NULL     , /*       charging */
+	  NULL     , /*       groups */
+				 /*     extensions */
+	{ NULL, 0 }, /*       authKeyID */
+	{ NULL, 0 }, /*       authKeySerialNumber */
+	  FALSE    , /*       noRevAvail */
+				 /*   signatureAlgorithm */
+	OID_UNKNOWN, /*     algorithm */
+	{ NULL, 0 }, /*   signature */
 };
 
 
-/*  compare two ietfAttributes, returns zero if a equals b
+/**
+ *  compare two ietfAttributes, returns zero if a equals b
  *  negative/positive if a is earlier/later in the alphabet than b
  */
-static int
-cmp_ietfAttr(ietfAttr_t *a,ietfAttr_t *b)
+static int cmp_ietfAttr(ietfAttr_t *a,ietfAttr_t *b)
 {
-    int cmp_len, len, cmp_value;
+	int cmp_len, len, cmp_value;
 
-    /* cannot compare OID with STRING or OCTETS attributes */
-    if (a->kind == IETF_ATTRIBUTE_OID && b->kind != IETF_ATTRIBUTE_OID)
-	return 1;
-	
-    cmp_len = a->value.len - b->value.len;
-    len = (cmp_len < 0)? a->value.len : b->value.len;
-    cmp_value = memcmp(a->value.ptr, b->value.ptr, len);
+	/* cannot compare OID with STRING or OCTETS attributes */
+	if (a->kind == IETF_ATTRIBUTE_OID && b->kind != IETF_ATTRIBUTE_OID)
+		return 1;
+		
+	cmp_len = a->value.len - b->value.len;
+	len = (cmp_len < 0)? a->value.len : b->value.len;
+	cmp_value = memcmp(a->value.ptr, b->value.ptr, len);
 
-    return (cmp_value == 0)? cmp_len : cmp_value;
+	return (cmp_value == 0)? cmp_len : cmp_value;
 }
 
-/*
+/**
  *  add an ietfAttribute to the chained list
  */
-static ietfAttr_t*
-add_ietfAttr(ietfAttr_t *attr)
+static ietfAttr_t* add_ietfAttr(ietfAttr_t *attr)
 {
-    ietfAttrList_t **listp = &ietfAttributes;
-    ietfAttrList_t *list = *listp;
-    int cmp = -1;
-
-    while (list != NULL)
-    {
-	cmp = cmp_ietfAttr(attr, list->attr);
-	if (cmp <= 0)
-	    break;
-	listp = &list->next;
-	list = *listp;
-    }
-
-    if (cmp == 0)
-    {
-	/* attribute already exists, increase count */
-	pfree(attr);
-	list->attr->count++;
-	return list->attr;
-    }
-    else
-    {
-	ietfAttrList_t *el = alloc_thing(ietfAttrList_t, "ietfAttrList");
-
-	/* new attribute, unshare value */
-	attr->value.ptr = clone_bytes(attr->value.ptr, attr->value.len
-	    , "attr value");
-	attr->count = 1;
-	time(&attr->installed);
-
-	el->attr = attr;
-	el->next = list;
-	*listp = el;
-
-	return attr;
-    }
+	ietfAttrList_t **listp = &ietfAttributes;
+	ietfAttrList_t *list = *listp;
+	int cmp = -1;
+
+	while (list != NULL)
+	{
+		cmp = cmp_ietfAttr(attr, list->attr);
+		if (cmp <= 0)
+			break;
+		listp = &list->next;
+		list = *listp;
+	}
+
+	if (cmp == 0)
+	{
+		/* attribute already exists, increase count */
+		free(attr);
+		list->attr->count++;
+		return list->attr;
+	}
+	else
+	{
+		ietfAttrList_t *el = malloc_thing(ietfAttrList_t);
+
+		/* new attribute, unshare value */
+		attr->value = chunk_clone(attr->value);
+		attr->count = 1;
+		time(&attr->installed);
+
+		el->attr = attr;
+		el->next = list;
+		*listp = el;
+
+		return attr;
+	}
 }
 
-/*
+/**
  * decodes a comma separated list of group attributes
  */
-void
-decode_groups(char *groups, ietfAttrList_t **listp)
+void decode_groups(char *groups, ietfAttrList_t **listp)
 {
-    if (groups == NULL)
-	return;
+	if (groups == NULL)
+		return;
 
-    while (strlen(groups) > 0)
-    {
-	char *end;
-	char *next = strchr(groups, ',');
+	while (strlen(groups) > 0)
+	{
+		char *end;
+		char *next = strchr(groups, ',');
 
-	if (next == NULL)
-	   end = next = groups + strlen(groups);
-	else
-	   end = next++;
+		if (next == NULL)
+		   end = next = groups + strlen(groups);
+		else
+		   end = next++;
 
-	/* eat preceeding whitespace */
-	while (groups < end && *groups == ' ')
-	    groups++;
+		/* eat preceeding whitespace */
+		while (groups < end && *groups == ' ')
+			groups++;
 
-	/* eat trailing whitespace */
-	while (end > groups && *(end-1) == ' ')
-	    end--;
+		/* eat trailing whitespace */
+		while (end > groups && *(end-1) == ' ')
+			end--;
 
-	if (groups < end)
-	{
-	    ietfAttr_t *attr   = alloc_thing(ietfAttr_t, "ietfAttr");
-	    ietfAttrList_t *el = alloc_thing(ietfAttrList_t, "ietfAttrList");
+		if (groups < end)
+		{
+			ietfAttr_t *attr   = malloc_thing(ietfAttr_t);
+			ietfAttrList_t *el = malloc_thing(ietfAttrList_t);
 
-	    attr->kind  = IETF_ATTRIBUTE_STRING;
-	    attr->value.ptr = groups;
-	    attr->value.len = end - groups;
-	    attr->count = 0;
+			attr->kind  = IETF_ATTRIBUTE_STRING;
+			attr->value.ptr = groups;
+			attr->value.len = end - groups;
+			attr->count = 0;
 
-	    el->attr = add_ietfAttr(attr);
-	    el->next = *listp;
-	    *listp = el;
-	}
+			el->attr = add_ietfAttr(attr);
+			el->next = *listp;
+			*listp = el;
+		}
 
-	groups = next;
-    }
+		groups = next;
+	}
 }
 
-static bool
-same_attribute(const ietfAttr_t *a, const ietfAttr_t *b)
+static bool same_attribute(const ietfAttr_t *a, const ietfAttr_t *b)
 {
-    return (a->kind == b->kind && a->value.len == b->value.len
-	   && memcmp(a->value.ptr, b->value.ptr, b->value.len) == 0);
+	return (a->kind == b->kind && a->value.len == b->value.len
+		   && memeq(a->value.ptr, b->value.ptr, b->value.len));
 }
 
-bool
-group_membership(const ietfAttrList_t *peer_list
-	       , const char *conn
-	       , const ietfAttrList_t *conn_list)
+bool group_membership(const ietfAttrList_t *peer_list
+			   , const char *conn
+			   , const ietfAttrList_t *conn_list)
 {
-    if (conn_list == NULL)
-	return TRUE;
-
-    while (peer_list != NULL)
-    {
-	const ietfAttr_t *peer_attr = peer_list->attr;
-	const ietfAttrList_t *list = conn_list;
+	if (conn_list == NULL)
+		return TRUE;
 
-	while (list != NULL)
+	while (peer_list != NULL)
 	{
-	    ietfAttr_t *conn_attr = list->attr;
+		const ietfAttr_t *peer_attr = peer_list->attr;
+		const ietfAttrList_t *list = conn_list;
 
-	    if (same_attribute(conn_attr, peer_attr))
-	    {
+		while (list != NULL)
+		{
+			ietfAttr_t *conn_attr = list->attr;
+
+			if (same_attribute(conn_attr, peer_attr))
+			{
+				DBG(DBG_CONTROL,
+					DBG_log("%s: peer matches group '%.*s'"
+						, conn
+						, (int)peer_attr->value.len, peer_attr->value.ptr)
+				)
+				return TRUE;
+			}
+			list = list->next;
+		}
+		peer_list = peer_list->next;
+	}
 		DBG(DBG_CONTROL,
-		    DBG_log("%s: peer matches group '%.*s'"
-			, conn
-			, (int)peer_attr->value.len, peer_attr->value.ptr)
+			DBG_log("%s: peer doesn't match any group", conn)
 		)
-		return TRUE;
-	    }
-	    list = list->next;
-	}
-	peer_list = peer_list->next;
-    }
-	DBG(DBG_CONTROL,
-	    DBG_log("%s: peer doesn't match any group", conn)
-	)
-    return FALSE;
+	return FALSE;
 }
 
-
-void
-unshare_ietfAttrList(ietfAttrList_t **listp)
+void unshare_ietfAttrList(ietfAttrList_t **listp)
 {
-    ietfAttrList_t *list = *listp;
-
-    while (list != NULL)
-    {
-	ietfAttrList_t *el = alloc_thing(ietfAttrList_t, "ietfAttrList");
-
-	el->attr = list->attr;
-	el->attr->count++;
-	el->next = NULL;
-	*listp = el;
-	listp = &el->next;
-	list = list->next;
-    }
+	ietfAttrList_t *list = *listp;
+
+	while (list != NULL)
+	{
+		ietfAttrList_t *el = malloc_thing(ietfAttrList_t);
+
+		el->attr = list->attr;
+		el->attr->count++;
+		el->next = NULL;
+		*listp = el;
+		listp = &el->next;
+		list = list->next;
+	}
 }
 
-/*
- * parses ietfAttrSyntax
+/**
+ * Parses ietfAttrSyntax
  */
-static ietfAttrList_t*
-parse_ietfAttrSyntax(chunk_t blob, int level0)
+static ietfAttrList_t* parse_ietfAttrSyntax(chunk_t blob, int level0)
 {
-    asn1_ctx_t ctx;
-    chunk_t object;
-    u_int level;
-    int objectID = 0;
-
-    ietfAttrList_t *list = NULL;
+	asn1_parser_t *parser;
+	chunk_t object;
+	int objectID;
 
-    asn1_init(&ctx, blob, level0, FALSE, DBG_RAW);
+	ietfAttrList_t *list = NULL;
 
-    while (objectID < IETF_ATTR_ROOF)
-    {
-	if (!extract_object(ietfAttrSyntaxObjects, &objectID, &object, &level, &ctx))
-	     return NULL;
+	parser = asn1_parser_create(ietfAttrSyntaxObjects, blob);
+	parser->set_top_level(parser, level0);
 
-	switch (objectID)
+	while (parser->iterate(parser, &objectID, &object))
 	{
-	case IETF_ATTR_OCTETS:
-	case IETF_ATTR_OID:
-	case IETF_ATTR_STRING:
-	    {
-		ietfAttr_t *attr   = alloc_thing(ietfAttr_t, "ietfAttr");
-		ietfAttrList_t *el = alloc_thing(ietfAttrList_t, "ietfAttrList");
-
-		attr->kind  = (objectID - IETF_ATTR_OCTETS) / 2;
-		attr->value = object;
-		attr->count = 0;
-
-		el->attr = add_ietfAttr(attr);
-		el->next = list;
-		list = el;
-	    }
-	    break;
-	default:
-	    break;
+		switch (objectID)
+		{
+		case IETF_ATTR_OCTETS:
+		case IETF_ATTR_OID:
+		case IETF_ATTR_STRING:
+			{
+				ietfAttr_t *attr   = malloc_thing(ietfAttr_t);
+				ietfAttrList_t *el = malloc_thing(ietfAttrList_t);
+
+				attr->kind  = (objectID - IETF_ATTR_OCTETS) / 2;
+				attr->value = object;
+				attr->count = 0;
+
+				el->attr = add_ietfAttr(attr);
+				el->next = list;
+				list = el;
+			}
+			break;
+		default:
+			break;
+		}
 	}
-	objectID++;
-    }
-    return list;
+	parser->destroy(parser);
+	return list;
 }
-/*
- * parses roleSyntax
+
+/**
+ * Parses roleSyntax
  */
-static void
-parse_roleSyntax(chunk_t blob, int level0)
+static void parse_roleSyntax(chunk_t blob, int level0)
 {
-    asn1_ctx_t ctx;
-    chunk_t object;
-    u_int level;
-    int objectID = 0;
+	asn1_parser_t *parser;
+	chunk_t object;
+	int objectID;
 
-    asn1_init(&ctx, blob, level0, FALSE, DBG_RAW);
+	parser = asn1_parser_create(roleSyntaxObjects, blob);
+	parser->set_top_level(parser, level0);
 
-    while (objectID < ROLE_ROOF)
-    {
-	if (!extract_object(roleSyntaxObjects, &objectID, &object, &level, &ctx))
-	     return;
-
-	switch (objectID) {
-	default:
-	    break;
+	while (parser->iterate(parser, &objectID, &object))
+	{
+		switch (objectID)
+		{
+			default:
+				break;
+		}
 	}
-	objectID++;
-    }
+	parser->destroy(parser);
 }
 
-/*
+/**
  *  Parses an X.509 attribute certificate
  */
-bool
-parse_ac(chunk_t blob, x509acert_t *ac)
+bool parse_ac(chunk_t blob, x509acert_t *ac)
 {
-    asn1_ctx_t ctx;
-    bool critical;
-    chunk_t object;
-    u_int level;
-    int objectID = 0;
-    int type = OID_UNKNOWN;
-    int extn_oid = OID_UNKNOWN;
-
-    asn1_init(&ctx, blob, 0, FALSE, DBG_RAW);
+	asn1_parser_t *parser;
+	chunk_t object;
+	int objectID;
+	int type = OID_UNKNOWN;
+	int extn_oid = OID_UNKNOWN;
+	bool success = FALSE;
+	bool critical;
 
-    while (objectID < AC_OBJ_ROOF) {
+	parser = asn1_parser_create(acObjects, blob);
 
-	if (!extract_object(acObjects, &objectID, &object, &level, &ctx))
-	     return FALSE;
+	while (parser->iterate(parser, &objectID, &object))
+	{
+		u_int level = parser->get_level(parser)+1;
 
-	/* those objects which will parsed further need the next higher level */
-	level++;
+		switch (objectID)
+		{
+		case AC_OBJ_CERTIFICATE:
+			ac->certificate = object;
+			break;
+		case AC_OBJ_CERTIFICATE_INFO:
+			ac->certificateInfo = object;
+			break;
+		case AC_OBJ_VERSION:
+			ac->version = (object.len) ? (1 + (u_int)*object.ptr) : 1;
+			DBG(DBG_PARSING,
+				DBG_log("  v%d", ac->version);
+			)
+			if (ac->version != 2)
+			{
+				plog("v%d attribute certificates are not supported"
+					, ac->version);
+				goto end;
+			}
+			break;
+		case AC_OBJ_HOLDER_ISSUER:
+			ac->holderIssuer = get_directoryName(object, level, FALSE);
+			break;
+		case AC_OBJ_HOLDER_SERIAL:
+			ac->holderSerial = object;
+			break;
+		case AC_OBJ_ENTITY_NAME:
+			ac->entityName = get_directoryName(object, level, TRUE);
+			break;
+		case AC_OBJ_ISSUER_NAME:
+			ac->issuerName = get_directoryName(object, level, FALSE);
+			break;
+		case AC_OBJ_SIG_ALG:
+			ac->sigAlg = asn1_parse_algorithmIdentifier(object, level, NULL);
+			break;
+		case AC_OBJ_SERIAL_NUMBER:
+			ac->serialNumber = object;
+			break;
+		case AC_OBJ_NOT_BEFORE:
+			ac->notBefore = asn1_to_time(&object, ASN1_GENERALIZEDTIME);
+			break;
+		case AC_OBJ_NOT_AFTER:
+			ac->notAfter = asn1_to_time(&object, ASN1_GENERALIZEDTIME);
+			break;
+		case AC_OBJ_ATTRIBUTE_TYPE:
+			type = asn1_known_oid(object);
+			break;
+		case AC_OBJ_ATTRIBUTE_VALUE:
+			{
+				switch (type) {
+				case OID_AUTHENTICATION_INFO:
+					DBG(DBG_PARSING,
+						DBG_log("  need to parse authenticationInfo")
+					)
+					break;
+				case OID_ACCESS_IDENTITY:
+					DBG(DBG_PARSING,
+						DBG_log("  need to parse accessIdentity")
+					)
+					break;
+				case OID_CHARGING_IDENTITY:
+					ac->charging = parse_ietfAttrSyntax(object, level);
+					break;
+				case OID_GROUP:
+					ac->groups = parse_ietfAttrSyntax(object, level);
+					break;
+				case OID_ROLE:
+					parse_roleSyntax(object, level);
+					break;
+				default:
+					break;
+				}
+			}
+			break;
+		case AC_OBJ_EXTN_ID:
+			extn_oid = asn1_known_oid(object);
+			break;
+		case AC_OBJ_CRITICAL:
+			critical = object.len && *object.ptr;
+			DBG(DBG_PARSING,
+				DBG_log("  %s",(critical)?"TRUE":"FALSE");
+			)
+			break;
+		case AC_OBJ_EXTN_VALUE:
+			{
+				switch (extn_oid) {
+				case OID_CRL_DISTRIBUTION_POINTS:
+					DBG(DBG_PARSING,
+						DBG_log("  need to parse crlDistributionPoints")
+					)
+					break;
+				case OID_AUTHORITY_KEY_ID:
+					parse_authorityKeyIdentifier(object, level
+						, &ac->authKeyID, &ac->authKeySerialNumber);
+					break;
+				case OID_TARGET_INFORMATION:
+					DBG(DBG_PARSING,
+						DBG_log("  need to parse targetInformation")
+					)
+					break;
+				case OID_NO_REV_AVAIL:
+					ac->noRevAvail = TRUE;
+					break;
+				default:
+					break;
+				}
+			}
+			break;
+		case AC_OBJ_ALGORITHM:
+			ac->algorithm = asn1_parse_algorithmIdentifier(object, level, NULL);
+			break;
+		case AC_OBJ_SIGNATURE:
+			ac->signature = object;
+			break;
 
-	switch (objectID)
-	{
-	case AC_OBJ_CERTIFICATE:
-	    ac->certificate = object;
-	    break;
-	case AC_OBJ_CERTIFICATE_INFO:
-	    ac->certificateInfo = object;
-	    break;
-	case AC_OBJ_VERSION:
-	    ac->version = (object.len) ? (1 + (u_int)*object.ptr) : 1;
-	    DBG(DBG_PARSING,
-		DBG_log("  v%d", ac->version);
-	    )
-	    if (ac->version != 2)
-	    {
-		plog("v%d attribute certificates are not supported"
-		    , ac->version);
-		return FALSE;
-	    }
-	    break;
-	case AC_OBJ_HOLDER_ISSUER:
-	    ac->holderIssuer = get_directoryName(object, level, FALSE);
-	    break;
-	case AC_OBJ_HOLDER_SERIAL:
-	    ac->holderSerial = object;
-	    break;
-	case AC_OBJ_ENTITY_NAME:
-	    ac->entityName = get_directoryName(object, level, TRUE);
-	    break;
-	case AC_OBJ_ISSUER_NAME:
-	    ac->issuerName = get_directoryName(object, level, FALSE);
-	    break;
-	case AC_OBJ_SIG_ALG:
-	    ac->sigAlg = parse_algorithmIdentifier(object, level, NULL);
-	    break;
-	case AC_OBJ_SERIAL_NUMBER:
-	    ac->serialNumber = object;
-	    break;
-	case AC_OBJ_NOT_BEFORE:
-	    ac->notBefore = asn1totime(&object, ASN1_GENERALIZEDTIME);
-	    break;
-	case AC_OBJ_NOT_AFTER:
-	    ac->notAfter = asn1totime(&object, ASN1_GENERALIZEDTIME);
-	    break;
-	case AC_OBJ_ATTRIBUTE_TYPE:
-	    type = known_oid(object);
-	    break;
-	case AC_OBJ_ATTRIBUTE_VALUE:
-	    {
-		switch (type) {
-		case OID_AUTHENTICATION_INFO:
-		    DBG(DBG_PARSING,
-			DBG_log("  need to parse authenticationInfo")
-		    )
-		    break;
-		case OID_ACCESS_IDENTITY:
-		    DBG(DBG_PARSING,
-			DBG_log("  need to parse accessIdentity")
-		    )
-		    break;
-		case OID_CHARGING_IDENTITY:
-		    ac->charging = parse_ietfAttrSyntax(object, level);
-		    break;
-		case OID_GROUP:
-		    ac->groups = parse_ietfAttrSyntax(object, level);
-		    break;
-		case OID_ROLE:
-		    parse_roleSyntax(object, level);
-		    break;
-		default:
-		    break;
-		}
-	    }
-	    break;
-	case AC_OBJ_EXTN_ID:
-	    extn_oid = known_oid(object);
-	    break;
-	case AC_OBJ_CRITICAL:
-	    critical = object.len && *object.ptr;
-	    DBG(DBG_PARSING,
-		DBG_log("  %s",(critical)?"TRUE":"FALSE");
-	    )
-	    break;
-	case AC_OBJ_EXTN_VALUE:
-	    {
-		switch (extn_oid) {
-		case OID_CRL_DISTRIBUTION_POINTS:
-		    DBG(DBG_PARSING,
-			DBG_log("  need to parse crlDistributionPoints")
-		    )
-		    break;
-		case OID_AUTHORITY_KEY_ID:
-		    parse_authorityKeyIdentifier(object, level
-			, &ac->authKeyID, &ac->authKeySerialNumber);
-		    break;
-		case OID_TARGET_INFORMATION:
-		    DBG(DBG_PARSING,
-			DBG_log("  need to parse targetInformation")
-		    )
-		    break;
-		case OID_NO_REV_AVAIL:
-		    ac->noRevAvail = TRUE;
-		    break;
 		default:
-		    break;
+			break;
 		}
-	    }
-	    break;
-	case AC_OBJ_ALGORITHM:
-	    ac->algorithm = parse_algorithmIdentifier(object, level, NULL);
-	    break;
-	case AC_OBJ_SIGNATURE:
-	    ac->signature = object;
-	    break;
-
-	default:
-	    break;
 	}
-	objectID++;
-    }
-    time(&ac->installed);
-    return TRUE;
+	success = parser->success(parser);
+	time(&ac->installed);
+
+end:
+	parser->destroy(parser);
+	return success;
 }
 
-/*
- *  release an ietfAttribute, free it if count reaches zero
+/**
+ *  Release an ietfAttribute, free it if count reaches zero
  */
-static void
-release_ietfAttr(ietfAttr_t* attr)
+static void release_ietfAttr(ietfAttr_t* attr)
 {
-    if (--attr->count == 0)
-    {
-	ietfAttrList_t **plist = &ietfAttributes;
-	ietfAttrList_t *list = *plist;
-
-	while (list->attr != attr)
+	if (--attr->count == 0)
 	{
-	    plist = &list->next;
-	    list = *plist;
+		ietfAttrList_t **plist = &ietfAttributes;
+		ietfAttrList_t *list = *plist;
+
+		while (list->attr != attr)
+		{
+			plist = &list->next;
+			list = *plist;
+		}
+		*plist = list->next;
+		
+		free(attr->value.ptr);
+		free(attr);
+		free(list);
 	}
-        *plist = list->next;
-	
-	pfree(attr->value.ptr);
-	pfree(attr);
-	pfree(list);
-    }
 }
 
-/*
- *  free an ietfAttrList
+/**
+ *  Free an ietfAttrList
  */
-void
-free_ietfAttrList(ietfAttrList_t* list)
+void free_ietfAttrList(ietfAttrList_t* list)
 {
-    while (list != NULL)
-    {
-	ietfAttrList_t *el = list;
-
-	release_ietfAttr(el->attr);
-	list = list->next;
-	pfree(el);
-    }
+	while (list != NULL)
+	{
+		ietfAttrList_t *el = list;
+
+		release_ietfAttr(el->attr);
+		list = list->next;
+		free(el);
+	}
 }
 
-/*
- *  free a X.509 attribute certificate
+/**
+ *  Free a X.509 attribute certificate
  */
-void
-free_acert(x509acert_t *ac)
+void free_acert(x509acert_t *ac)
 {
-    if (ac != NULL)
-    {
-	free_ietfAttrList(ac->charging);
-	free_ietfAttrList(ac->groups);
-	pfreeany(ac->certificate.ptr);
-	pfree(ac);
-    }
+	if (ac != NULL)
+	{
+		free_ietfAttrList(ac->charging);
+		free_ietfAttrList(ac->groups);
+		free(ac->certificate.ptr);
+		free(ac);
+	}
 }
 
-/*
- *  free first X.509 attribute certificate in the chained list
+/**
+ *  Free first X.509 attribute certificate in the chained list
  */
-static void
-free_first_acert(void)
+static void free_first_acert(void)
 {
-    x509acert_t *first = x509acerts;
-    x509acerts = first->next;
-    free_acert(first);
+	x509acert_t *first = x509acerts;
+	x509acerts = first->next;
+	free_acert(first);
 }
 
-/*
+/**
  * Free all attribute certificates in the chained list
  */
-void
-free_acerts(void)
-{
-    while (x509acerts != NULL)
-	free_first_acert();
+void free_acerts(void)
+{ 
+	while (x509acerts != NULL)
+		free_first_acert();
 }
 
-/*
- *  get a X.509 attribute certificate for a given holder
+/**
+ *  Get a X.509 attribute certificate for a given holder
  */
-x509acert_t*
-get_x509acert(chunk_t issuer, chunk_t serial)
+x509acert_t* get_x509acert(chunk_t issuer, chunk_t serial)
 {
-    x509acert_t *ac = x509acerts;
-    x509acert_t *prev_ac = NULL;
+	x509acert_t *ac = x509acerts;
+	x509acert_t *prev_ac = NULL;
 
-    while (ac != NULL)
-    {
-	if (same_dn(issuer, ac->holderIssuer)
-	&&  same_serial(serial, ac->holderSerial))
+	while (ac != NULL)
 	{
-	    if (ac!= x509acerts)
-	    {
-		/* bring the certificate up front */
-		prev_ac->next = ac->next;
-		ac->next = x509acerts;
-		x509acerts = ac;
-	    }
-	    return ac;
+		if (same_dn(issuer, ac->holderIssuer)
+		&&  same_serial(serial, ac->holderSerial))
+		{
+			if (ac!= x509acerts)
+			{
+				/* bring the certificate up front */
+				prev_ac->next = ac->next;
+				ac->next = x509acerts;
+				x509acerts = ac;
+			}
+			return ac;
+		}
+		prev_ac = ac;
+		ac = ac->next;
 	}
-	prev_ac = ac;
-	ac = ac->next;
-    }
-    return NULL;
+	return NULL;
 }
 
-/*
- *  add a X.509 attribute certificate to the chained list
+/**
+ *  Add a X.509 attribute certificate to the chained list
  */
-static void
-add_acert(x509acert_t *ac)
+static void add_acert(x509acert_t *ac)
 {
-    x509acert_t *old_ac = get_x509acert(ac->holderIssuer, ac->holderSerial);
+	x509acert_t *old_ac = get_x509acert(ac->holderIssuer, ac->holderSerial);
 
-    if (old_ac != NULL)
-    {
-	if (ac->notBefore >old_ac->notBefore)
-	{
-	    /* delete the old attribute cert */
-	    free_first_acert();
-	    DBG(DBG_CONTROL,
-		DBG_log("attribute cert is newer - existing cert deleted")
-	    )
-	}
-	else
+	if (old_ac != NULL)
 	{
-	    DBG(DBG_CONTROL,
-		DBG_log("attribute cert is not newer - existing cert kept");
-	    )
-	    free_acert(ac);
-	    return;
+		if (ac->notBefore >old_ac->notBefore)
+		{
+			/* delete the old attribute cert */
+			free_first_acert();
+			DBG(DBG_CONTROL,
+				DBG_log("attribute cert is newer - existing cert deleted")
+			)
+		}
+		else
+		{
+			DBG(DBG_CONTROL,
+				DBG_log("attribute cert is not newer - existing cert kept");
+			)
+			free_acert(ac);
+			return;
+		}
 	}
-    }
-    plog("attribute cert added");
+	plog("attribute cert added");
 
-    /* insert new attribute cert at the root of the chain */
-    ac->next = x509acerts;
-    x509acerts = ac;
+	/* insert new attribute cert at the root of the chain */
+	ac->next = x509acerts;
+	x509acerts = ac;
 }
 
-/* verify the validity of an attribute certificate by
+/**
+ * Verify the validity of an attribute certificate by
  * checking the notBefore and notAfter dates
  */
-static err_t
-check_ac_validity(const x509acert_t *ac)
+static err_t check_ac_validity(const x509acert_t *ac)
 {
-    time_t current_time;
-
-    time(&current_time);
-    DBG(DBG_CONTROL | DBG_PARSING,
-	DBG_log("  not before  : %s", timetoa(&ac->notBefore, TRUE));
-	DBG_log("  current time: %s", timetoa(&current_time, TRUE));
-	DBG_log("  not after   : %s", timetoa(&ac->notAfter, TRUE));
-    )
-
-    if (current_time < ac->notBefore)
-	return "attribute certificate is not valid yet";
-    if (current_time > ac->notAfter)
-	return "attribute certificate has expired";
-    else
-	return NULL;
+	time_t current_time;
+
+	time(&current_time);
+	DBG(DBG_CONTROL | DBG_PARSING,
+		DBG_log("  not before  : %T", &ac->notBefore, TRUE);
+		DBG_log("  current time: %T", &current_time, TRUE);
+		DBG_log("  not after   : %T", &ac->notAfter, TRUE);
+	)
+
+	if (current_time < ac->notBefore)
+		return "attribute certificate is not valid yet";
+	if (current_time > ac->notAfter)
+		return "attribute certificate has expired";
+	else
+		return NULL;
 }
 
-/*
+/**
  * verifies a X.509 attribute certificate
  */
-bool
-verify_x509acert(x509acert_t *ac, bool strict)
+bool verify_x509acert(x509acert_t *ac, bool strict)
 {
-    u_char buf[BUF_LEN];
-    x509cert_t *aacert;
-    err_t ugh = NULL;
-    time_t valid_until = ac->notAfter;
-
-    DBG(DBG_CONTROL,
-	dntoa(buf, BUF_LEN, ac->entityName);
-	DBG_log("holder: '%s'",buf);
-	dntoa(buf, BUF_LEN, ac->issuerName);
-	DBG_log("issuer: '%s'",buf);
-    )
-    
-    ugh = check_ac_validity(ac);
-
-    if (ugh != NULL)
-    {
-	plog("%s", ugh);
-	return FALSE;
-    }
-    DBG(DBG_CONTROL,
-	DBG_log("attribute certificate is valid")
-    )
-
-    lock_authcert_list("verify_x509acert");
-    aacert = get_authcert(ac->issuerName, ac->authKeySerialNumber
-	, ac->authKeyID, AUTH_AA);
-    unlock_authcert_list("verify_x509acert");
-
-    if (aacert == NULL)
-    {
-	plog("issuer aacert not found");
-	return FALSE;
-    }
-    DBG(DBG_CONTROL,
-	DBG_log("issuer aacert found")
-    )
-
-    if (!check_signature(ac->certificateInfo, ac->signature
-			 , ac->algorithm, ac->algorithm, aacert))
-    {
-	plog("attribute certificate signature is invalid");
-	return FALSE;
-    }
-    DBG(DBG_CONTROL,
-	DBG_log("attribute certificate signature is valid");
-    )
+	u_char buf[BUF_LEN];
+	x509cert_t *aacert;
+	err_t ugh = NULL;
+	time_t valid_until = ac->notAfter;
 
-    return verify_x509cert(aacert, strict, &valid_until);
+	DBG(DBG_CONTROL,
+		dntoa(buf, BUF_LEN, ac->entityName);
+		DBG_log("holder: '%s'",buf);
+		dntoa(buf, BUF_LEN, ac->issuerName);
+		DBG_log("issuer: '%s'",buf);
+	)
+	
+	ugh = check_ac_validity(ac);
+
+	if (ugh != NULL)
+	{
+		plog("%s", ugh);
+		return FALSE;
+	}
+	DBG(DBG_CONTROL,
+		DBG_log("attribute certificate is valid")
+	)
+
+	lock_authcert_list("verify_x509acert");
+	aacert = get_authcert(ac->issuerName, ac->authKeySerialNumber
+		, ac->authKeyID, AUTH_AA);
+	unlock_authcert_list("verify_x509acert");
+
+	if (aacert == NULL)
+	{
+		plog("issuer aacert not found");
+		return FALSE;
+	}
+	DBG(DBG_CONTROL,
+		DBG_log("issuer aacert found")
+	)
+
+	if (!x509_check_signature(ac->certificateInfo, ac->signature, ac->algorithm,
+							  aacert))
+	{
+		plog("attribute certificate signature is invalid");
+		return FALSE;
+	}
+	DBG(DBG_CONTROL,
+		DBG_log("attribute certificate signature is valid");
+	)
+
+	return verify_x509cert(aacert, strict, &valid_until);
 }
 
-/*
+/**
  * Loads X.509 attribute certificates
  */
-void
-load_acerts(void)
+void load_acerts(void)
 {
-    u_char buf[BUF_LEN];
-
-    /* change directory to specified path */
-    u_char *save_dir = getcwd(buf, BUF_LEN);
-
-    if (!chdir(A_CERT_PATH))
-    {
-	struct dirent **filelist;
-	int n;
+	u_char buf[BUF_LEN];
 
-	plog("Changing to directory '%s'",A_CERT_PATH);
-	n = scandir(A_CERT_PATH, &filelist, file_select, alphasort);
+	/* change directory to specified path */
+	u_char *save_dir = getcwd(buf, BUF_LEN);
 
-	if (n > 0)
+	if (!chdir(A_CERT_PATH))
 	{
-	    while (n--)
-	    {
-		chunk_t blob = empty_chunk;
-		bool pgp = FALSE;
+		struct dirent **filelist;
+		int n;
+
+		plog("Changing to directory '%s'",A_CERT_PATH);
+		n = scandir(A_CERT_PATH, &filelist, file_select, alphasort);
 
-		if (load_coded_file(filelist[n]->d_name, NULL, "acert", &blob, &pgp))
+		if (n > 0)
 		{
-		    x509acert_t *ac = alloc_thing(x509acert_t, "x509acert");
-		    
-		    *ac = empty_ac;
-
-		    if (parse_ac(blob, ac)
-		    && verify_x509acert(ac, FALSE))
-			add_acert(ac);
-		    else
-			free_acert(ac);
+			while (n--)
+			{
+				chunk_t blob = chunk_empty;
+				bool pgp = FALSE;
+
+				if (load_coded_file(filelist[n]->d_name, NULL, "acert", &blob, &pgp))
+				{
+					x509acert_t *ac = malloc_thing(x509acert_t);
+					
+					*ac = empty_ac;
+
+					if (parse_ac(blob, ac)
+					&& verify_x509acert(ac, FALSE))
+						add_acert(ac);
+					else
+						free_acert(ac);
+				}
+				free(filelist[n]);
+			}
+			free(filelist);
 		}
-		free(filelist[n]);
-	    }
-	    free(filelist);
 	}
-    }
-    /* restore directory path */
-    ignore_result(chdir(save_dir));
+	/* restore directory path */
+	ignore_result(chdir(save_dir));
 }
 
-/*
+/**
  * lists group attributes separated by commas on a single line
  */
-void
-format_groups(const ietfAttrList_t *list, char *buf, int len)
+void format_groups(const ietfAttrList_t *list, char *buf, int len)
 {
-    bool first_group = TRUE;
-
-    while (list != NULL && len > 0)
-    {
-	ietfAttr_t *attr = list->attr;
+	bool first_group = TRUE;
 
-	if (attr->kind == IETF_ATTRIBUTE_OCTETS
-	||  attr->kind == IETF_ATTRIBUTE_STRING)
+	while (list != NULL && len > 0)
 	{
-	    int written = snprintf(buf, len, "%s%.*s"
-			    , (first_group)? "" : ", "
-			    , (int)attr->value.len, attr->value.ptr);
-
-	    first_group = FALSE;
-	    
-	    /* return value of snprintf() up to glibc 2.0.6 */
-	    if (written < 0)
-		break;
-
-	    buf += written;
-	    len -= written;
+		ietfAttr_t *attr = list->attr;
+
+		if (attr->kind == IETF_ATTRIBUTE_OCTETS
+		||  attr->kind == IETF_ATTRIBUTE_STRING)
+		{
+			int written = snprintf(buf, len, "%s%.*s"
+							, (first_group)? "" : ", "
+							, (int)attr->value.len, attr->value.ptr);
+
+			first_group = FALSE;
+			
+			/* return value of snprintf() up to glibc 2.0.6 */
+			if (written < 0)
+				break;
+
+			buf += written;
+			len -= written;
+		}
+		list = list->next;
 	}
-	list = list->next;
-    }
 }
 
-/*
+/**
  *  list all X.509 attribute certificates in the chained list
  */
-void
-list_acerts(bool utc)
+void list_acerts(bool utc)
 {
-    x509acert_t *ac = x509acerts;
-    time_t now;
-
-    /* determine the current time */
-    time(&now);
+	x509acert_t *ac = x509acerts;
+	time_t now;
 
-    if (ac != NULL)
-    {
-	whack_log(RC_COMMENT, " ");
-	whack_log(RC_COMMENT, "List of X.509 Attribute Certificates:");
-	whack_log(RC_COMMENT, " ");
-    }
+	/* determine the current time */
+	time(&now);
 
-    while (ac != NULL)
-    {
-	u_char buf[BUF_LEN];
-
-	whack_log(RC_COMMENT, "%s",timetoa(&ac->installed, utc));
-	if (ac->entityName.ptr != NULL)
+	if (ac != NULL)
 	{
-	    dntoa(buf, BUF_LEN, ac->entityName);
-	    whack_log(RC_COMMENT, "       holder:   '%s'", buf);
+		whack_log(RC_COMMENT, " ");
+		whack_log(RC_COMMENT, "List of X.509 Attribute Certificates:");
+		whack_log(RC_COMMENT, " ");
 	}
-	if (ac->holderIssuer.ptr != NULL)
-	{
-	    dntoa(buf, BUF_LEN, ac->holderIssuer);
-	    whack_log(RC_COMMENT, "       hissuer:  '%s'", buf);
-	}
-	if (ac->holderSerial.ptr != NULL)
-	{
-	    datatot(ac->holderSerial.ptr, ac->holderSerial.len, ':'
-		, buf, BUF_LEN);
-	    whack_log(RC_COMMENT, "       hserial:   %s", buf);
-	}
-	if (ac->groups != NULL)
-	{
-	    format_groups(ac->groups, buf, BUF_LEN);
-	    whack_log(RC_COMMENT, "       groups:    %s", buf);
-	}
-	dntoa(buf, BUF_LEN, ac->issuerName);
-	whack_log(RC_COMMENT, "       issuer:   '%s'", buf);
-	datatot(ac->serialNumber.ptr, ac->serialNumber.len, ':'
-	    , buf, BUF_LEN);
-	whack_log(RC_COMMENT, "       serial:    %s", buf);
-	whack_log(RC_COMMENT, "       validity:  not before %s %s",
-		timetoa(&ac->notBefore, utc),
-		(ac->notBefore < now)?"ok":"fatal (not valid yet)");
-	whack_log(RC_COMMENT, "                  not after  %s %s",
-		timetoa(&ac->notAfter, utc),
-		check_expiry(ac->notAfter, ACERT_WARNING_INTERVAL, TRUE));
-	if (ac->authKeyID.ptr != NULL)
-	{
-	    datatot(ac->authKeyID.ptr, ac->authKeyID.len, ':'
-		, buf, BUF_LEN);
-	    whack_log(RC_COMMENT, "       authkey:   %s", buf);
-	}
-	if (ac->authKeySerialNumber.ptr != NULL)
+
+	while (ac != NULL)
 	{
-	    datatot(ac->authKeySerialNumber.ptr, ac->authKeySerialNumber.len, ':'
-		, buf, BUF_LEN);
-	    whack_log(RC_COMMENT, "       aserial:   %s", buf);
-	}
+		u_char buf[BUF_LEN];
+
+		whack_log(RC_COMMENT, "%T", &ac->installed, utc);
+		if (ac->entityName.ptr != NULL)
+		{
+			dntoa(buf, BUF_LEN, ac->entityName);
+			whack_log(RC_COMMENT, "       holder:   '%s'", buf);
+		}
+		if (ac->holderIssuer.ptr != NULL)
+		{
+			dntoa(buf, BUF_LEN, ac->holderIssuer);
+			whack_log(RC_COMMENT, "       hissuer:  '%s'", buf);
+		}
+		if (ac->holderSerial.ptr != NULL)
+		{
+			datatot(ac->holderSerial.ptr, ac->holderSerial.len, ':'
+				, buf, BUF_LEN);
+			whack_log(RC_COMMENT, "       hserial:   %s", buf);
+		}
+		if (ac->groups != NULL)
+		{
+			format_groups(ac->groups, buf, BUF_LEN);
+			whack_log(RC_COMMENT, "       groups:    %s", buf);
+		}
+		dntoa(buf, BUF_LEN, ac->issuerName);
+		whack_log(RC_COMMENT, "       issuer:   '%s'", buf);
+		datatot(ac->serialNumber.ptr, ac->serialNumber.len, ':'
+			, buf, BUF_LEN);
+		whack_log(RC_COMMENT, "       serial:    %s", buf);
+		whack_log(RC_COMMENT, "       validity:  not before %T %s",
+				&ac->notBefore, utc,
+				(ac->notBefore < now)?"ok":"fatal (not valid yet)");
+		whack_log(RC_COMMENT, "                  not after  %T %s",
+				&ac->notAfter, utc,
+				check_expiry(ac->notAfter, ACERT_WARNING_INTERVAL, TRUE));
+		if (ac->authKeyID.ptr != NULL)
+		{
+			datatot(ac->authKeyID.ptr, ac->authKeyID.len, ':'
+				, buf, BUF_LEN);
+			whack_log(RC_COMMENT, "       authkey:   %s", buf);
+		}
+		if (ac->authKeySerialNumber.ptr != NULL)
+		{
+			datatot(ac->authKeySerialNumber.ptr, ac->authKeySerialNumber.len, ':'
+				, buf, BUF_LEN);
+			whack_log(RC_COMMENT, "       aserial:   %s", buf);
+		}
 
-	ac = ac->next;
-    }
+		ac = ac->next;
+	}
 }
 
-/*
+/**
  *  list all group attributes in alphabetical order
  */
-void
-list_groups(bool utc)
+void list_groups(bool utc)
 {
-    ietfAttrList_t *list = ietfAttributes;
-    
-    if (list != NULL)
-    {
-	whack_log(RC_COMMENT, " ");
-	whack_log(RC_COMMENT, "List of Group Attributes:");
-	whack_log(RC_COMMENT, " ");
-    }
-
-    while (list != NULL)
-    {
-	ietfAttr_t *attr = list->attr;
-
-	whack_log(RC_COMMENT, "%s, count: %d", timetoa(&attr->installed, utc),
-		attr->count);
+	ietfAttrList_t *list = ietfAttributes;
 	
-	switch (attr->kind)
+	if (list != NULL)
 	{
-	case IETF_ATTRIBUTE_OCTETS:
-	case IETF_ATTRIBUTE_STRING:
-	    whack_log(RC_COMMENT, "       %.*s", (int)attr->value.len, attr->value.ptr);
-	    break;
-	case IETF_ATTRIBUTE_OID:
-	    whack_log(RC_COMMENT, "       OID");
-	    break;
-	default:
-	    break;
-        }
-
-	list = list->next;
-    }
+		whack_log(RC_COMMENT, " ");
+		whack_log(RC_COMMENT, "List of Group Attributes:");
+		whack_log(RC_COMMENT, " ");
+	}
+
+	while (list != NULL)
+	{
+		ietfAttr_t *attr = list->attr;
+
+		whack_log(RC_COMMENT, "%T, count: %d", &attr->installed, utc, attr->count);
+		
+		switch (attr->kind)
+		{
+		case IETF_ATTRIBUTE_OCTETS:
+		case IETF_ATTRIBUTE_STRING:
+			whack_log(RC_COMMENT, "       %.*s", (int)attr->value.len, attr->value.ptr);
+			break;
+		case IETF_ATTRIBUTE_OID:
+			whack_log(RC_COMMENT, "       OID");
+			break;
+		default:
+			break;
+		}
+
+		list = list->next;
+	}
 }
diff --git a/src/pluto/ac.h b/src/pluto/ac.h
index d60ad25af..bee016143 100644
--- a/src/pluto/ac.h
+++ b/src/pluto/ac.h
@@ -1,7 +1,7 @@
 /* Support of X.509 attribute certificates
  * Copyright (C) 2002 Ueli Galizzi, Ariane Seiler
  * Copyright (C) 2003 Martin Berner, Lukas Suter
- 
+
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: ac.h 3253 2007-10-06 21:39:00Z andreas $
  */
 
 #ifndef _AC_H
@@ -22,9 +20,9 @@
 /* definition of ietfAttribute kinds */
 
 typedef enum {
-    IETF_ATTRIBUTE_OCTETS =	0,
-    IETF_ATTRIBUTE_OID =	1,
-    IETF_ATTRIBUTE_STRING =	2
+	IETF_ATTRIBUTE_OCTETS =     0,
+	IETF_ATTRIBUTE_OID =        1,
+	IETF_ATTRIBUTE_STRING =     2
 } ietfAttribute_t;
 
 /* access structure for an ietfAttribute */
@@ -32,17 +30,17 @@ typedef enum {
 typedef struct ietfAttr ietfAttr_t;
 
 struct ietfAttr {
-  time_t	   installed;
-  int		   count;
+  time_t           installed;
+  int              count;
   ietfAttribute_t  kind;
-  chunk_t	   value;
+  chunk_t          value;
 };
 
 typedef struct ietfAttrList ietfAttrList_t;
 
 struct ietfAttrList {
   ietfAttrList_t   *next;
-  ietfAttr_t	   *attr;
+  ietfAttr_t       *attr;
 };
 
 
@@ -52,31 +50,31 @@ typedef struct x509acert x509acert_t;
 
 struct x509acert {
   x509acert_t    *next;
-  time_t	 installed;
-  chunk_t	 certificate;
-  chunk_t	   certificateInfo;
-  u_int		     version;
-		/*   holder */
-		/*     baseCertificateID */
-  chunk_t		 holderIssuer;
-  chunk_t		 holderSerial;
-  chunk_t		 entityName;
-                /*   v2Form */
-  chunk_t	       issuerName;
-                /*   signature */
+  time_t         installed;
+  chunk_t        certificate;
+  chunk_t          certificateInfo;
+  u_int              version;
+				/*   holder */
+				/*     baseCertificateID */
+  chunk_t                holderIssuer;
+  chunk_t                holderSerial;
+  chunk_t                entityName;
+				/*   v2Form */
+  chunk_t              issuerName;
+				/*   signature */
   int                  sigAlg;
-  chunk_t	     serialNumber;
-                /*   attrCertValidityPeriod */
+  chunk_t            serialNumber;
+				/*   attrCertValidityPeriod */
   time_t               notBefore;
   time_t               notAfter;
-		/*   attributes */
+				/*   attributes */
   ietfAttrList_t       *charging;
   ietfAttrList_t       *groups;
-		/*   extensions */
+				/*   extensions */
   chunk_t              authKeyID;
   chunk_t              authKeySerialNumber;
-  bool		       noRevAvail;
-		/* signatureAlgorithm */
+  bool                 noRevAvail;
+				/* signatureAlgorithm */
   int                algorithm;
   chunk_t          signature;
 };
@@ -88,7 +86,7 @@ extern void unshare_ietfAttrList(ietfAttrList_t **listp);
 extern void free_ietfAttrList(ietfAttrList_t *list);
 extern void decode_groups(char *groups, ietfAttrList_t **listp);
 extern bool group_membership(const ietfAttrList_t *my_list
-    , const char *conn, const ietfAttrList_t *conn_list);
+	, const char *conn, const ietfAttrList_t *conn_list);
 extern bool parse_ac(chunk_t blob, x509acert_t *ac);
 extern bool verify_x509acert(x509acert_t *ac, bool strict);
 extern x509acert_t* get_x509acert(chunk_t issuer, chunk_t serial);
diff --git a/src/pluto/adns.c b/src/pluto/adns.c
index a721d8837..95e22b96f 100644
--- a/src/pluto/adns.c
+++ b/src/pluto/adns.c
@@ -10,11 +10,9 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: adns.c 3252 2007-10-06 21:24:50Z andreas $
  */
 
-#ifndef USE_LWRES	/* whole file! */
+#ifndef USE_LWRES       /* whole file! */
 
 /* This program executes as multiple processes.  The Master process
  * receives queries (struct adns_query messages) from Pluto and distributes
@@ -58,7 +56,7 @@
 #include <netinet/in.h>
 #include <arpa/nameser.h>
 #include <resolv.h>
-#include <netdb.h>	/* ??? for h_errno */
+#include <netdb.h>      /* ??? for h_errno */
 
 #include <freeswan.h>
 
@@ -70,11 +68,11 @@
 #endif
 
 #include "constants.h"
-#include "adns.h"	/* needs <resolv.h> */
+#include "adns.h"       /* needs <resolv.h> */
 
 /* shared by all processes */
 
-static const char *name;	/* program name, for messages */
+static const char *name;        /* program name, for messages */
 
 static bool debug = FALSE;
 
@@ -88,43 +86,43 @@ static bool debug = FALSE;
 static enum helper_exit_status
 read_pipe(int fd, unsigned char *stuff, size_t minlen, size_t maxlen)
 {
-    size_t n = 0;
-    size_t goal = minlen;
+	size_t n = 0;
+	size_t goal = minlen;
 
-    do {
-	ssize_t m = read(fd, stuff + n, goal - n);
+	do {
+		ssize_t m = read(fd, stuff + n, goal - n);
 
-	if (m == -1)
-	{
-	    if (errno != EINTR)
-	    {
-		syslog(LOG_ERR, "Input error on pipe: %s", strerror(errno));
-		return HES_IO_ERROR_IN;
-	    }
-	}
-	else if (m == 0)
-	{
-	    return HES_OK;	/* treat empty message as EOF */
-	}
-	else
-	{
-	    n += m;
-	    if (n >= sizeof(size_t))
-	    {
-		goal = *(size_t *)(void *)stuff;
-		if (goal < minlen || maxlen < goal)
+		if (m == -1)
 		{
-		    if (debug)
-			fprintf(stderr, "%lu : [%lu, %lu]\n"
-			    , (unsigned long)goal
-			    , (unsigned long)minlen, (unsigned long)maxlen);
-		    return HES_BAD_LEN;
+			if (errno != EINTR)
+			{
+				syslog(LOG_ERR, "Input error on pipe: %s", strerror(errno));
+				return HES_IO_ERROR_IN;
+			}
 		}
-	    }
-	}
-    } while (n < goal);
+		else if (m == 0)
+		{
+			return HES_OK;      /* treat empty message as EOF */
+		}
+		else
+		{
+			n += m;
+			if (n >= sizeof(size_t))
+			{
+				goal = *(size_t *)(void *)stuff;
+				if (goal < minlen || maxlen < goal)
+				{
+					if (debug)
+						fprintf(stderr, "%lu : [%lu, %lu]\n"
+							, (unsigned long)goal
+							, (unsigned long)minlen, (unsigned long)maxlen);
+					return HES_BAD_LEN;
+				}
+			}
+		}
+	} while (n < goal);
 
-    return HES_CONTINUE;
+	return HES_CONTINUE;
 }
 
 /* Write a variable-length record to a pipe.
@@ -135,27 +133,27 @@ read_pipe(int fd, unsigned char *stuff, size_t minlen, size_t maxlen)
 static enum helper_exit_status
 write_pipe(int fd, const unsigned char *stuff)
 {
-    size_t len = *(const size_t *)(const void *)stuff;
-    size_t n = 0;
+	size_t len = *(const size_t *)(const void *)stuff;
+	size_t n = 0;
 
-    do {
-	ssize_t m = write(fd, stuff + n, len - n);
+	do {
+		ssize_t m = write(fd, stuff + n, len - n);
 
-	if (m == -1)
-	{
-	    /* error, but ignore and retry if EINTR */
-	    if (errno != EINTR)
-	    {
-		syslog(LOG_ERR, "Output error from master: %s", strerror(errno));
-		return HES_IO_ERROR_OUT;
-	    }
-	}
-	else
-	{
-	    n += m;
-	}
-    } while (n != len);
-    return HES_CONTINUE;
+		if (m == -1)
+		{
+			/* error, but ignore and retry if EINTR */
+			if (errno != EINTR)
+			{
+				syslog(LOG_ERR, "Output error from master: %s", strerror(errno));
+				return HES_IO_ERROR_OUT;
+			}
+		}
+		else
+		{
+			n += m;
+		}
+	} while (n != len);
+	return HES_CONTINUE;
 }
 
 /**************** worker process ****************/
@@ -171,14 +169,14 @@ write_pipe(int fd, const unsigned char *stuff)
  */
 
 #if (__RES) <= 19960801
-# define OLD_RESOLVER	1
+# define OLD_RESOLVER   1
 #endif
 
 #ifdef OLD_RESOLVER
 
 # define res_ninit(statp) res_init()
 # define res_nquery(statp, dname, class, type, answer, anslen) \
-    res_query(dname, class, type, answer, anslen)
+	res_query(dname, class, type, answer, anslen)
 # define res_nclose(statp) res_close()
 
 static struct __res_state *statp = &_res;
@@ -193,75 +191,75 @@ static res_state statp = &my_res_state;
 static int
 worker(int qfd, int afd)
 {
-    {
-	int r = res_ninit(statp);
-
-	if (r != 0)
 	{
-	    syslog(LOG_ERR, "cannot initialize resolver");
-	    return HES_RES_INIT;
-	}
+		int r = res_ninit(statp);
+
+		if (r != 0)
+		{
+			syslog(LOG_ERR, "cannot initialize resolver");
+			return HES_RES_INIT;
+		}
 #ifndef OLD_RESOLVER
-	statp->options |= RES_ROTATE;
+		statp->options |= RES_ROTATE;
 #endif
-	statp->options |= RES_DEBUG;
-    }
+		statp->options |= RES_DEBUG;
+	}
 
-    for (;;)
-    {
-	struct adns_query q;
-	struct adns_answer a;
+	for (;;)
+	{
+		struct adns_query q;
+		struct adns_answer a;
 
-	enum helper_exit_status r = read_pipe(qfd, (unsigned char *)&q
-	    , sizeof(q), sizeof(q));
+		enum helper_exit_status r = read_pipe(qfd, (unsigned char *)&q
+			, sizeof(q), sizeof(q));
 
-	if (r != HES_CONTINUE)
-	    return r;	/* some kind of exit */
+		if (r != HES_CONTINUE)
+			return r;   /* some kind of exit */
 
-	if (q.qmagic != ADNS_Q_MAGIC)
-	{
-	    syslog(LOG_ERR, "error in input from master: bad magic");
-	    return HES_BAD_MAGIC;
-	}
+		if (q.qmagic != ADNS_Q_MAGIC)
+		{
+			syslog(LOG_ERR, "error in input from master: bad magic");
+			return HES_BAD_MAGIC;
+		}
 
-	a.amagic = ADNS_A_MAGIC;
-	a.serial = q.serial;
+		a.amagic = ADNS_A_MAGIC;
+		a.serial = q.serial;
 
-	a.result = res_nquery(statp, q.name_buf, C_IN, q.type, a.ans, sizeof(a.ans));
-	a.h_errno_val = h_errno;
+		a.result = res_nquery(statp, q.name_buf, C_IN, q.type, a.ans, sizeof(a.ans));
+		a.h_errno_val = h_errno;
 
-	a.len = offsetof(struct adns_answer, ans) + (a.result < 0? 0 : a.result);
+		a.len = offsetof(struct adns_answer, ans) + (a.result < 0? 0 : a.result);
 
 #ifdef DEBUG
-	if (((q.debugging & IMPAIR_DELAY_ADNS_KEY_ANSWER) && q.type == T_KEY)
-	|| ((q.debugging & IMPAIR_DELAY_ADNS_TXT_ANSWER) && q.type == T_TXT))
-	    sleep(30);	/* delay the answer */
+		if (((q.debugging & IMPAIR_DELAY_ADNS_KEY_ANSWER) && q.type == T_KEY)
+		|| ((q.debugging & IMPAIR_DELAY_ADNS_TXT_ANSWER) && q.type == T_TXT))
+			sleep(30);  /* delay the answer */
 #endif
 
-	/* write answer, possibly a bit at a time */
-	r = write_pipe(afd, (const unsigned char *)&a);
+		/* write answer, possibly a bit at a time */
+		r = write_pipe(afd, (const unsigned char *)&a);
 
-	if (r != HES_CONTINUE)
-	    return r;	/* some kind of exit */
-    }
+		if (r != HES_CONTINUE)
+			return r;   /* some kind of exit */
+	}
 }
 
 /**************** master process ****************/
 
 bool eof_from_pluto = FALSE;
-#define PLUTO_QFD	0	/* queries come on stdin */
-#define PLUTO_AFD	1	/* answers go out on stdout */
+#define PLUTO_QFD       0       /* queries come on stdin */
+#define PLUTO_AFD       1       /* answers go out on stdout */
 
 #ifndef MAX_WORKERS
-# define MAX_WORKERS 10	/* number of in-flight queries */
+# define MAX_WORKERS 10 /* number of in-flight queries */
 #endif
 
 struct worker_info {
-    int qfd;	/* query pipe's file descriptor */
-    int afd;	/* answer pipe's file descriptor */
-    pid_t pid;
-    bool busy;
-    void *continuation;	/* of outstanding request */
+	int qfd;    /* query pipe's file descriptor */
+	int afd;    /* answer pipe's file descriptor */
+	pid_t pid;
+	bool busy;
+	void *continuation; /* of outstanding request */
 };
 
 static struct worker_info wi[MAX_WORKERS];
@@ -270,300 +268,300 @@ static struct worker_info *wi_roof = wi;
 /* request FIFO */
 
 struct query_list {
-    struct query_list *next;
-    struct adns_query aq;
+	struct query_list *next;
+	struct adns_query aq;
 };
 
 static struct query_list *oldest_query = NULL;
-static struct query_list *newest_query;	/* undefined when oldest == NULL */
+static struct query_list *newest_query; /* undefined when oldest == NULL */
 static struct query_list *free_queries = NULL;
 
 static bool
 spawn_worker(void)
 {
-    int qfds[2];
-    int afds[2];
-    pid_t p;
-
-    if (pipe(qfds) != 0 || pipe(afds) != 0)
-    {
-	syslog(LOG_ERR, "pipe(2) failed: %s", strerror(errno));
-	exit(HES_PIPE);
-    }
-
-    wi_roof->qfd = qfds[1];	/* write end of query pipe */
-    wi_roof->afd = afds[0];	/* read end of answer pipe */
-
-    p = fork();
-    if (p == -1)
-    {
-	/* fork failed: ignore if at least one worker exists */
-	if (wi_roof == wi)
+	int qfds[2];
+	int afds[2];
+	pid_t p;
+
+	if (pipe(qfds) != 0 || pipe(afds) != 0)
+	{
+		syslog(LOG_ERR, "pipe(2) failed: %s", strerror(errno));
+		exit(HES_PIPE);
+	}
+
+	wi_roof->qfd = qfds[1];     /* write end of query pipe */
+	wi_roof->afd = afds[0];     /* read end of answer pipe */
+
+	p = fork();
+	if (p == -1)
+	{
+		/* fork failed: ignore if at least one worker exists */
+		if (wi_roof == wi)
+		{
+			syslog(LOG_ERR, "fork(2) error creating first worker: %s", strerror(errno));
+			exit(HES_FORK);
+		}
+		close(qfds[0]);
+		close(qfds[1]);
+		close(afds[0]);
+		close(afds[1]);
+		return FALSE;
+	}
+	else if (p == 0)
 	{
-	    syslog(LOG_ERR, "fork(2) error creating first worker: %s", strerror(errno));
-	    exit(HES_FORK);
+		/* child */
+		struct worker_info *w;
+
+		close(PLUTO_QFD);
+		close(PLUTO_AFD);
+		/* close all master pipes, including ours */
+		for (w = wi; w <= wi_roof; w++)
+		{
+			close(w->qfd);
+			close(w->afd);
+		}
+		exit(worker(qfds[0], afds[1]));
 	}
-	close(qfds[0]);
-	close(qfds[1]);
-	close(afds[0]);
-	close(afds[1]);
-	return FALSE;
-    }
-    else if (p == 0)
-    {
-	/* child */
-	struct worker_info *w;
-
-	close(PLUTO_QFD);
-	close(PLUTO_AFD);
-	/* close all master pipes, including ours */
-	for (w = wi; w <= wi_roof; w++)
+	else
 	{
-	    close(w->qfd);
-	    close(w->afd);
+		/* parent */
+		struct worker_info *w = wi_roof++;
+
+		w->pid = p;
+		w->busy = FALSE;
+		close(qfds[0]);
+		close(afds[1]);
+		return TRUE;
 	}
-	exit(worker(qfds[0], afds[1]));
-    }
-    else
-    {
-	/* parent */
-	struct worker_info *w = wi_roof++;
-
-	w->pid = p;
-	w->busy = FALSE;
-	close(qfds[0]);
-	close(afds[1]);
-	return TRUE;
-    }
 }
 
 static void
 send_eof(struct worker_info *w)
 {
-    pid_t p;
-    int status;
+	pid_t p;
+	int status;
 
-    close(w->qfd);
-    w->qfd = NULL_FD;
+	close(w->qfd);
+	w->qfd = NULL_FD;
 
-    close(w->afd);
-    w->afd = NULL_FD;
+	close(w->afd);
+	w->afd = NULL_FD;
 
-    /* reap child */
-    p = waitpid(w->pid, &status, 0);
-    /* ignore result -- what could we do with it? */
+	/* reap child */
+	p = waitpid(w->pid, &status, 0);
+	/* ignore result -- what could we do with it? */
 }
 
 static void
 forward_query(struct worker_info *w)
 {
-    struct query_list *q = oldest_query;
-
-    if (q == NULL)
-    {
-	if (eof_from_pluto)
-	    send_eof(w);
-    }
-    else
-    {
-	enum helper_exit_status r
-	    = write_pipe(w->qfd, (const unsigned char *) &q->aq);
-
-	if (r != HES_CONTINUE)
-	    exit(r);
-
-	w->busy = TRUE;
-
-	oldest_query = q->next;
-	q->next = free_queries;
-	free_queries = q;
-    }
+	struct query_list *q = oldest_query;
+
+	if (q == NULL)
+	{
+		if (eof_from_pluto)
+			send_eof(w);
+	}
+	else
+	{
+		enum helper_exit_status r
+			= write_pipe(w->qfd, (const unsigned char *) &q->aq);
+
+		if (r != HES_CONTINUE)
+			exit(r);
+
+		w->busy = TRUE;
+
+		oldest_query = q->next;
+		q->next = free_queries;
+		free_queries = q;
+	}
 }
 
 static void
 query(void)
 {
-    struct query_list *q = free_queries;
-    enum helper_exit_status r;
+	struct query_list *q = free_queries;
+	enum helper_exit_status r;
 
-    /* find an unused queue entry */
-    if (q == NULL)
-    {
-	q = malloc(sizeof(*q));
+	/* find an unused queue entry */
 	if (q == NULL)
 	{
-	    syslog(LOG_ERR, "malloc(3) failed");
-	    exit(HES_MALLOC);
+		q = malloc(sizeof(*q));
+		if (q == NULL)
+		{
+			syslog(LOG_ERR, "malloc(3) failed");
+			exit(HES_MALLOC);
+		}
 	}
-    }
-    else
-    {
-	free_queries = q->next;
-    }
-
-    r = read_pipe(PLUTO_QFD, (unsigned char *)&q->aq
-	, sizeof(q->aq), sizeof(q->aq));
-
-    if (r == HES_OK)
-    {
-	/* EOF: we're done, except for unanswered queries */
-	struct worker_info *w;
-
-	eof_from_pluto = TRUE;
-	q->next = free_queries;
-	free_queries = q;
-
-	/* Send bye-bye to unbusy processes.
-	 * Note that if there are queued queries, there won't be
-	 * any non-busy workers.
-	 */
-	for (w = wi; w != wi_roof; w++)
-	    if (!w->busy)
-		send_eof(w);
-    }
-    else if (r != HES_CONTINUE)
-    {
-	exit(r);
-    }
-    else if (q->aq.qmagic != ADNS_Q_MAGIC)
-    {
-	syslog(LOG_ERR, "error in query from Pluto: bad magic");
-	exit(HES_BAD_MAGIC);
-    }
-    else
-    {
-	struct worker_info *w;
-
-	/* got a query */
-
-	/* add it to FIFO */
-	q->next = NULL;
-	if (oldest_query == NULL)
-	    oldest_query = q;
 	else
-	    newest_query->next = q;
-	newest_query = q;
+	{
+		free_queries = q->next;
+	}
+
+	r = read_pipe(PLUTO_QFD, (unsigned char *)&q->aq
+		, sizeof(q->aq), sizeof(q->aq));
 
-	/* See if any worker available */
-	for (w = wi; ; w++)
+	if (r == HES_OK)
 	{
-	    if (w == wi_roof)
-	    {
-		/* no free worker */
-		if (w == wi + MAX_WORKERS)
-		    break;	/* no more to be created */
-		/* make a new one */
-		if (!spawn_worker())
-		    break;	/* cannot create one at this time */
-	    }
-	    if (!w->busy)
-	    {
-		/* assign first to free worker */
-		forward_query(w);
-		break;
-	    }
+		/* EOF: we're done, except for unanswered queries */
+		struct worker_info *w;
+
+		eof_from_pluto = TRUE;
+		q->next = free_queries;
+		free_queries = q;
+
+		/* Send bye-bye to unbusy processes.
+		 * Note that if there are queued queries, there won't be
+		 * any non-busy workers.
+		 */
+		for (w = wi; w != wi_roof; w++)
+			if (!w->busy)
+				send_eof(w);
+	}
+	else if (r != HES_CONTINUE)
+	{
+		exit(r);
+	}
+	else if (q->aq.qmagic != ADNS_Q_MAGIC)
+	{
+		syslog(LOG_ERR, "error in query from Pluto: bad magic");
+		exit(HES_BAD_MAGIC);
+	}
+	else
+	{
+		struct worker_info *w;
+
+		/* got a query */
+
+		/* add it to FIFO */
+		q->next = NULL;
+		if (oldest_query == NULL)
+			oldest_query = q;
+		else
+			newest_query->next = q;
+		newest_query = q;
+
+		/* See if any worker available */
+		for (w = wi; ; w++)
+		{
+			if (w == wi_roof)
+			{
+				/* no free worker */
+				if (w == wi + MAX_WORKERS)
+					break;      /* no more to be created */
+				/* make a new one */
+				if (!spawn_worker())
+					break;      /* cannot create one at this time */
+			}
+			if (!w->busy)
+			{
+				/* assign first to free worker */
+				forward_query(w);
+				break;
+			}
+		}
 	}
-    }
-    return;
+	return;
 }
 
 static void
 answer(struct worker_info *w)
 {
-    struct adns_answer a;
-    enum helper_exit_status r = read_pipe(w->afd, (unsigned char *)&a
-	, offsetof(struct adns_answer, ans), sizeof(a));
-
-    if (r == HES_OK)
-    {
-	/* unexpected EOF */
-	syslog(LOG_ERR, "unexpected EOF from worker");
-	exit(HES_IO_ERROR_IN);
-    }
-    else if (r != HES_CONTINUE)
-    {
-	exit(r);
-    }
-    else if (a.amagic != ADNS_A_MAGIC)
-    {
-	syslog(LOG_ERR, "Input from worker error: bad magic");
-	exit(HES_BAD_MAGIC);
-    }
-    else if (a.continuation != w->continuation)
-    {
-	/* answer doesn't match query */
-	syslog(LOG_ERR, "Input from worker error: continuation mismatch");
-	exit(HES_SYNC);
-    }
-    else
-    {
-	/* pass the answer on to Pluto */
-	enum helper_exit_status r
-	    = write_pipe(PLUTO_AFD, (const unsigned char *) &a);
-
-	if (r != HES_CONTINUE)
-	    exit(r);
-	w->busy = FALSE;
-	forward_query(w);
-    }
+	struct adns_answer a;
+	enum helper_exit_status r = read_pipe(w->afd, (unsigned char *)&a
+		, offsetof(struct adns_answer, ans), sizeof(a));
+
+	if (r == HES_OK)
+	{
+		/* unexpected EOF */
+		syslog(LOG_ERR, "unexpected EOF from worker");
+		exit(HES_IO_ERROR_IN);
+	}
+	else if (r != HES_CONTINUE)
+	{
+		exit(r);
+	}
+	else if (a.amagic != ADNS_A_MAGIC)
+	{
+		syslog(LOG_ERR, "Input from worker error: bad magic");
+		exit(HES_BAD_MAGIC);
+	}
+	else if (a.continuation != w->continuation)
+	{
+		/* answer doesn't match query */
+		syslog(LOG_ERR, "Input from worker error: continuation mismatch");
+		exit(HES_SYNC);
+	}
+	else
+	{
+		/* pass the answer on to Pluto */
+		enum helper_exit_status r
+			= write_pipe(PLUTO_AFD, (const unsigned char *) &a);
+
+		if (r != HES_CONTINUE)
+			exit(r);
+		w->busy = FALSE;
+		forward_query(w);
+	}
 }
 
 /* assumption: input limited; accept blocking on output */
 static int
 master(void)
 {
-    for (;;)
-    {
-	fd_set readfds;
-	int maxfd = PLUTO_QFD;		/* approximate lower bound */
-	int ndes = 0;
-	struct worker_info *w;
-
-	FD_ZERO(&readfds);
-	if (!eof_from_pluto)
+	for (;;)
 	{
-	    FD_SET(PLUTO_QFD, &readfds);
-	    ndes++;
-	}
-	for (w = wi; w != wi_roof; w++)
-	{
-	    if (w->busy)
-	    {
-		FD_SET(w->afd, &readfds);
-		ndes++;
-		if (maxfd < w->afd)
-		    maxfd = w->afd;
-	    }
-	}
+		fd_set readfds;
+		int maxfd = PLUTO_QFD;          /* approximate lower bound */
+		int ndes = 0;
+		struct worker_info *w;
+
+		FD_ZERO(&readfds);
+		if (!eof_from_pluto)
+		{
+			FD_SET(PLUTO_QFD, &readfds);
+			ndes++;
+		}
+		for (w = wi; w != wi_roof; w++)
+		{
+			if (w->busy)
+			{
+				FD_SET(w->afd, &readfds);
+				ndes++;
+				if (maxfd < w->afd)
+					maxfd = w->afd;
+			}
+		}
 
-	if (ndes == 0)
-	    return HES_OK;	/* done! */
+		if (ndes == 0)
+			return HES_OK;      /* done! */
 
-	do {
-	    ndes = select(maxfd + 1, &readfds, NULL, NULL, NULL);
-	} while (ndes == -1 && errno == EINTR);
-	if (ndes == -1)
-	{
-	    syslog(LOG_ERR, "select(2) error: %s", strerror(errno));
-	    exit(HES_IO_ERROR_SELECT);
-	}
-	else if (ndes > 0)
-	{
-	    if (FD_ISSET(PLUTO_QFD, &readfds))
-	    {
-		query();
-		ndes--;
-	    }
-	    for (w = wi; ndes > 0 && w != wi_roof; w++)
-	    {
-		if (w->busy && FD_ISSET(w->afd, &readfds))
+		do {
+			ndes = select(maxfd + 1, &readfds, NULL, NULL, NULL);
+		} while (ndes == -1 && errno == EINTR);
+		if (ndes == -1)
+		{
+			syslog(LOG_ERR, "select(2) error: %s", strerror(errno));
+			exit(HES_IO_ERROR_SELECT);
+		}
+		else if (ndes > 0)
 		{
-		    answer(w);
-		    ndes--;
+			if (FD_ISSET(PLUTO_QFD, &readfds))
+			{
+				query();
+				ndes--;
+			}
+			for (w = wi; ndes > 0 && w != wi_roof; w++)
+			{
+				if (w->busy && FD_ISSET(w->afd, &readfds))
+				{
+					answer(w);
+					ndes--;
+				}
+			}
 		}
-	    }
 	}
-    }
 }
 
 /* Not to be invoked by strangers -- user hostile.
@@ -574,42 +572,42 @@ master(void)
 static void
 adns_usage(const char *fmt, const char *arg)
 {
-    const char **sp = ipsec_copyright_notice();
+	const char **sp = ipsec_copyright_notice();
 
-    fprintf(stderr, "INTERNAL TO PLUTO: DO NOT EXECUTE\n");
+	fprintf(stderr, "INTERNAL TO PLUTO: DO NOT EXECUTE\n");
 
-    fprintf(stderr, fmt, arg);
-    fprintf(stderr, "\n%s\n", ipsec_version_string());
+	fprintf(stderr, fmt, arg);
+	fprintf(stderr, "\nstrongSwan "VERSION"\n");
 
-    for (; *sp != NULL; sp++)
-	fprintf(stderr, "%s\n", *sp);
+	for (; *sp != NULL; sp++)
+		fprintf(stderr, "%s\n", *sp);
 
-    syslog(LOG_ERR, fmt, arg);
-    exit(HES_INVOCATION);
+	syslog(LOG_ERR, fmt, arg);
+	exit(HES_INVOCATION);
 }
 
 int
 main(int argc UNUSED, char **argv)
 {
-    int i = 1;
+	int i = 1;
 
-    name = argv[0];
+	name = argv[0];
 
-    while (i < argc)
-    {
-	if (streq(argv[i], "-d"))
+	while (i < argc)
 	{
-	    i++;
-	    debug = TRUE;
-	}
-	else
-	{
-	    adns_usage("unexpected argument \"%s\"", argv[i]);
-	    /*NOTREACHED*/
+		if (streq(argv[i], "-d"))
+		{
+			i++;
+			debug = TRUE;
+		}
+		else
+		{
+			adns_usage("unexpected argument \"%s\"", argv[i]);
+			/*NOTREACHED*/
+		}
 	}
-    }
 
-    return master();
+	return master();
 }
 
 #endif /* !USE_LWRES */
diff --git a/src/pluto/adns.h b/src/pluto/adns.h
index f2d0b28bd..f564be232 100644
--- a/src/pluto/adns.h
+++ b/src/pluto/adns.h
@@ -10,11 +10,9 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: adns.h 3252 2007-10-06 21:24:50Z andreas $
  */
 
-#ifndef USE_LWRES	/* whole file! */
+#ifndef USE_LWRES       /* whole file! */
 
 /* The interface in RHL6.x and BIND distribution 8.2.2 are different,
  * so we build some of our own :-(
@@ -38,38 +36,38 @@
  */
 
 struct adns_query {
-    size_t len;
-    unsigned int qmagic;
-    unsigned long serial;
-    lset_t debugging;	/* only used #ifdef DEBUG, but don't want layout to change */
-    u_char name_buf[NS_MAXDNAME + 2];
-    int type;	/* T_KEY or T_TXT */
+	size_t len;
+	unsigned int qmagic;
+	unsigned long serial;
+	lset_t debugging;   /* only used #ifdef DEBUG, but don't want layout to change */
+	u_char name_buf[NS_MAXDNAME + 2];
+	int type;   /* T_KEY or T_TXT */
 };
 
 struct adns_answer {
-    size_t len;
-    unsigned int amagic;
-    unsigned long serial;
-    struct adns_continuation *continuation;
-    int result;
-    int h_errno_val;
-    u_char ans[NS_PACKETSZ * 10];   /* very probably bigger than necessary */
+	size_t len;
+	unsigned int amagic;
+	unsigned long serial;
+	struct adns_continuation *continuation;
+	int result;
+	int h_errno_val;
+	u_char ans[NS_PACKETSZ * 10];   /* very probably bigger than necessary */
 };
 
 enum helper_exit_status {
-    HES_CONTINUE = -1,	/* not an exit */
-    HES_OK = 0,	/* all's well that ends well (perhaps EOF) */
-    HES_INVOCATION,	/* improper invocation */
-    HES_IO_ERROR_SELECT,	/* IO error in select() */
-    HES_MALLOC,	/* malloc failed */
-    HES_IO_ERROR_IN,	/* error reading pipe */
-    HES_IO_ERROR_OUT,	/* error reading pipe */
-    HES_PIPE,	/* pipe(2) failed */
-    HES_SYNC,	/* answer from worker doesn't match query */
-    HES_FORK,	/* fork(2) failed */
-    HES_RES_INIT,	/* resolver initialization failed */
-    HES_BAD_LEN,	/* implausible .len field */
-    HES_BAD_MAGIC,	/* .magic field wrong */
+	HES_CONTINUE = -1,  /* not an exit */
+	HES_OK = 0, /* all's well that ends well (perhaps EOF) */
+	HES_INVOCATION,     /* improper invocation */
+	HES_IO_ERROR_SELECT,        /* IO error in select() */
+	HES_MALLOC, /* malloc failed */
+	HES_IO_ERROR_IN,    /* error reading pipe */
+	HES_IO_ERROR_OUT,   /* error reading pipe */
+	HES_PIPE,   /* pipe(2) failed */
+	HES_SYNC,   /* answer from worker doesn't match query */
+	HES_FORK,   /* fork(2) failed */
+	HES_RES_INIT,       /* resolver initialization failed */
+	HES_BAD_LEN,        /* implausible .len field */
+	HES_BAD_MAGIC,      /* .magic field wrong */
 };
 
 #endif /* !USE_LWRES */
diff --git a/src/pluto/alg/ike_alg_aes.c b/src/pluto/alg/ike_alg_aes.c
deleted file mode 100644
index c635af723..000000000
--- a/src/pluto/alg/ike_alg_aes.c
+++ /dev/null
@@ -1,68 +0,0 @@
-#include <stdio.h>
-#include <string.h>
-#include <stddef.h>
-#include <sys/types.h>
-#include <freeswan.h>
-
-#include "constants.h"
-#include "defs.h"
-#include "log.h"
-#include "libaes/aes_cbc.h"
-#include "alg_info.h"
-#include "ike_alg.h"
-
-#define  AES_CBC_BLOCK_SIZE	(128/BITS_PER_BYTE)
-#define  AES_KEY_MIN_LEN	128
-#define  AES_KEY_DEF_LEN	128
-#define  AES_KEY_MAX_LEN	256
-
-static void
-do_aes(u_int8_t *buf, size_t buf_len, u_int8_t *key, size_t key_size, u_int8_t *iv, bool enc)
-{
-    aes_context aes_ctx;
-    char iv_bak[AES_CBC_BLOCK_SIZE];
-    char *new_iv = NULL;	/* logic will avoid copy to NULL */
-
-    aes_set_key(&aes_ctx, key, key_size, 0);
-
-    /*	
-     *	my AES cbc does not touch passed IV (optimization for
-     *	ESP handling), so I must "emulate" des-like IV
-     *	crunching
-     */
-    if (!enc)
-	memcpy(new_iv=iv_bak, (char*) buf + buf_len - AES_CBC_BLOCK_SIZE
-		, AES_CBC_BLOCK_SIZE);
-
-    SS_AES_cbc_encrypt(&aes_ctx, buf, buf, buf_len, iv, enc);
-
-    if (enc)
-	new_iv = (char*) buf + buf_len-AES_CBC_BLOCK_SIZE;
-
-    memcpy(iv, new_iv, AES_CBC_BLOCK_SIZE);
-}
-
-struct encrypt_desc algo_aes =
-{
-	algo_type: 	IKE_ALG_ENCRYPT,
-	algo_id:   	OAKLEY_AES_CBC,
-	algo_next: 	NULL, 
-	enc_ctxsize: 	sizeof(aes_context),
-	enc_blocksize: 	AES_CBC_BLOCK_SIZE,
-	keyminlen: 	AES_KEY_MIN_LEN,
-	keydeflen: 	AES_KEY_DEF_LEN,
-	keymaxlen: 	AES_KEY_MAX_LEN,
-	do_crypt: 	do_aes,
-};
-
-int ike_alg_aes_init(void);
-
-int
-ike_alg_aes_init(void)
-{
-	int ret = ike_alg_register_enc(&algo_aes);
-	return ret;
-}
-/*
-IKE_ALG_INIT_NAME: ike_alg_aes_init
-*/
diff --git a/src/pluto/alg/ike_alg_blowfish.c b/src/pluto/alg/ike_alg_blowfish.c
deleted file mode 100644
index 2bbef051b..000000000
--- a/src/pluto/alg/ike_alg_blowfish.c
+++ /dev/null
@@ -1,52 +0,0 @@
-#include <stdio.h>
-#include <string.h>
-#include <stddef.h>
-#include <sys/types.h>
-#include <freeswan.h>
-
-#include "constants.h"
-#include "defs.h"
-#include "log.h"
-#include "libblowfish/blowfish.h"
-#include "alg_info.h"
-#include "ike_alg.h"
-
-#define  BLOWFISH_CBC_BLOCK_SIZE	8  	/* block size */
-#define  BLOWFISH_KEY_MIN_LEN	128
-#define  BLOWFISH_KEY_MAX_LEN	448
-
-
-static void
-do_blowfish(u_int8_t *buf, size_t buf_len, u_int8_t *key, size_t key_size, u_int8_t *iv, bool enc)
-{
-    BF_KEY bf_ctx;
-
-    BF_set_key(&bf_ctx, key_size , key);
-    BF_cbc_encrypt(buf, buf, buf_len, &bf_ctx, iv, enc);
-}
-
-struct encrypt_desc algo_blowfish =
-{
-	algo_type: IKE_ALG_ENCRYPT,
-	algo_id:   OAKLEY_BLOWFISH_CBC,
-	algo_next: NULL, 
-	enc_ctxsize: sizeof(BF_KEY),
-	enc_blocksize: BLOWFISH_CBC_BLOCK_SIZE,
-	keyminlen: BLOWFISH_KEY_MIN_LEN,
-	keydeflen: BLOWFISH_KEY_MIN_LEN,
-	keymaxlen: BLOWFISH_KEY_MAX_LEN,
-	do_crypt: do_blowfish,
-};
-
-int ike_alg_blowfish_init(void);
-
-int
-ike_alg_blowfish_init(void)
-{
-    int ret = ike_alg_register_enc(&algo_blowfish);
-
-    return ret;
-}
-/*
-IKE_ALG_INIT_NAME: ike_alg_blowfish_init
-*/
diff --git a/src/pluto/alg/ike_alg_serpent.c b/src/pluto/alg/ike_alg_serpent.c
deleted file mode 100644
index fb01caa41..000000000
--- a/src/pluto/alg/ike_alg_serpent.c
+++ /dev/null
@@ -1,70 +0,0 @@
-#include <stdio.h>
-#include <string.h>
-#include <stddef.h>
-#include <sys/types.h>
-#include <freeswan.h>
-
-#include "constants.h"
-#include "defs.h"
-#include "log.h"
-#include "libserpent/serpent_cbc.h"
-#include "alg_info.h"
-#include "ike_alg.h"
-
-#define  SERPENT_CBC_BLOCK_SIZE	(128/BITS_PER_BYTE)
-#define  SERPENT_KEY_MIN_LEN	128
-#define  SERPENT_KEY_DEF_LEN	128
-#define  SERPENT_KEY_MAX_LEN	256
-
-static void
-do_serpent(u_int8_t *buf, size_t buf_size, u_int8_t *key, size_t key_size, u_int8_t *iv, bool enc)
-{
-    serpent_context serpent_ctx;
-    char iv_bak[SERPENT_CBC_BLOCK_SIZE];
-    char *new_iv = NULL;	/* logic will avoid copy to NULL */
-
-
-    serpent_set_key(&serpent_ctx, key, key_size);
-    /*	
-     *	my SERPENT cbc does not touch passed IV (optimization for
-     *	ESP handling), so I must "emulate" des-like IV
-     *	crunching
-     */
-    if (!enc)
-	    memcpy(new_iv=iv_bak, 
-			    (char*) buf + buf_size-SERPENT_CBC_BLOCK_SIZE,
-			    SERPENT_CBC_BLOCK_SIZE);
-
-    serpent_cbc_encrypt(&serpent_ctx, buf, buf, buf_size, iv, enc);
-
-    if (enc)
-	    new_iv = (char*) buf + buf_size-SERPENT_CBC_BLOCK_SIZE;
-
-    memcpy(iv, new_iv, SERPENT_CBC_BLOCK_SIZE);
-}
-
-struct encrypt_desc encrypt_desc_serpent =
-{
-	algo_type: 	IKE_ALG_ENCRYPT,
-	algo_id:   	OAKLEY_SERPENT_CBC,
-	algo_next: 	NULL,
-	enc_ctxsize: 	sizeof(struct serpent_context),
-	enc_blocksize: 	SERPENT_CBC_BLOCK_SIZE,
-        keyminlen: 	SERPENT_KEY_MIN_LEN,
-        keydeflen: 	SERPENT_KEY_DEF_LEN,
-        keymaxlen: 	SERPENT_KEY_MAX_LEN,
-        do_crypt: 	do_serpent,
-};
-
-int ike_alg_serpent_init(void);
-
-int
-ike_alg_serpent_init(void)
-{
-    int ret = ike_alg_register_enc(&encrypt_desc_serpent);
-
-    return ret;
-}
-/*
-IKE_ALG_INIT_NAME: ike_alg_serpent_init
-*/
diff --git a/src/pluto/alg/ike_alg_sha2.c b/src/pluto/alg/ike_alg_sha2.c
deleted file mode 100644
index 6b7c8438c..000000000
--- a/src/pluto/alg/ike_alg_sha2.c
+++ /dev/null
@@ -1,634 +0,0 @@
-#include <stdio.h>
-#include <string.h>
-#include <stddef.h>
-#include <sys/types.h>
-#include <freeswan.h>
-
-#include "constants.h"
-#include "defs.h"
-#include "log.h"
-#include "libsha2/sha2.h"
-#include "alg_info.h"
-#include "ike_alg.h"
-
-static void
-sha256_hash_final(u_char *hash, sha256_context *ctx)
-{
-    sha256_final(ctx);
-    memcpy(hash, ctx->sha_out, SHA2_256_DIGEST_SIZE);
-}
-
-static void
-sha384_hash_final(u_char *hash, sha512_context *ctx)
-{
-    sha512_final(ctx);
-    memcpy(hash, ctx->sha_out, SHA2_384_DIGEST_SIZE);
-}
-
-static void
-sha512_hash_final(u_char *hash, sha512_context *ctx)
-{
-    sha512_final(ctx);
-    memcpy(hash, ctx->sha_out, SHA2_512_DIGEST_SIZE);
-}
-
-/* SHA-256 hash test vectors
- * from "The Secure Hash Algorithm Validation System (SHAVS)"
- * July 22, 2004, Lawrence E. Bassham III, NIST
- */
-
-static const u_char sha256_short2_msg[] = {
-    0x19
-};
-
-static const u_char sha256_short2_msg_digest[] = {
-    0x68, 0xaa, 0x2e, 0x2e, 0xe5, 0xdf, 0xf9, 0x6e,
-    0x33, 0x55, 0xe6, 0xc7, 0xee, 0x37, 0x3e, 0x3d,
-    0x6a, 0x4e, 0x17, 0xf7, 0x5f, 0x95, 0x18, 0xd8,
-    0x43, 0x70, 0x9c, 0x0c, 0x9b, 0xc3, 0xe3, 0xd4
-};
-
-static const u_char sha256_short4_msg[] = {
-    0xe3, 0xd7, 0x25, 0x70, 0xdc, 0xdd, 0x78, 0x7c,
-    0xe3, 0x88, 0x7a, 0xb2, 0xcd, 0x68, 0x46, 0x52
-};
-
-static const u_char sha256_short4_msg_digest[] = {
-    0x17, 0x5e, 0xe6, 0x9b, 0x02, 0xba, 0x9b, 0x58,
-    0xe2, 0xb0, 0xa5, 0xfd, 0x13, 0x81, 0x9c, 0xea,
-    0x57, 0x3f, 0x39, 0x40, 0xa9, 0x4f, 0x82, 0x51,
-    0x28, 0xcf, 0x42, 0x09, 0xbe, 0xab, 0xb4, 0xe8
-};
-
-static const u_char sha256_long2_msg[] = {
-    0x83, 0x26, 0x75, 0x4e, 0x22, 0x77, 0x37, 0x2f,
-    0x4f, 0xc1, 0x2b, 0x20, 0x52, 0x7a, 0xfe, 0xf0,
-    0x4d, 0x8a, 0x05, 0x69, 0x71, 0xb1, 0x1a, 0xd5,
-    0x71, 0x23, 0xa7, 0xc1, 0x37, 0x76, 0x00, 0x00,
-    0xd7, 0xbe, 0xf6, 0xf3, 0xc1, 0xf7, 0xa9, 0x08,
-    0x3a, 0xa3, 0x9d, 0x81, 0x0d, 0xb3, 0x10, 0x77,
-    0x7d, 0xab, 0x8b, 0x1e, 0x7f, 0x02, 0xb8, 0x4a,
-    0x26, 0xc7, 0x73, 0x32, 0x5f, 0x8b, 0x23, 0x74,
-    0xde, 0x7a, 0x4b, 0x5a, 0x58, 0xcb, 0x5c, 0x5c,
-    0xf3, 0x5b, 0xce, 0xe6, 0xfb, 0x94, 0x6e, 0x5b,
-    0xd6, 0x94, 0xfa, 0x59, 0x3a, 0x8b, 0xeb, 0x3f,
-    0x9d, 0x65, 0x92, 0xec, 0xed, 0xaa, 0x66, 0xca,
-    0x82, 0xa2, 0x9d, 0x0c, 0x51, 0xbc, 0xf9, 0x33,
-    0x62, 0x30, 0xe5, 0xd7, 0x84, 0xe4, 0xc0, 0xa4,
-    0x3f, 0x8d, 0x79, 0xa3, 0x0a, 0x16, 0x5c, 0xba,
-    0xbe, 0x45, 0x2b, 0x77, 0x4b, 0x9c, 0x71, 0x09,
-    0xa9, 0x7d, 0x13, 0x8f, 0x12, 0x92, 0x28, 0x96,
-    0x6f, 0x6c, 0x0a, 0xdc, 0x10, 0x6a, 0xad, 0x5a,
-    0x9f, 0xdd, 0x30, 0x82, 0x57, 0x69, 0xb2, 0xc6,
-    0x71, 0xaf, 0x67, 0x59, 0xdf, 0x28, 0xeb, 0x39,
-    0x3d, 0x54, 0xd6
-};
-
-static const u_char sha256_long2_msg_digest[] = {
-    0x97, 0xdb, 0xca, 0x7d, 0xf4, 0x6d, 0x62, 0xc8,
-    0xa4, 0x22, 0xc9, 0x41, 0xdd, 0x7e, 0x83, 0x5b,
-    0x8a, 0xd3, 0x36, 0x17, 0x63, 0xf7, 0xe9, 0xb2,
-    0xd9, 0x5f, 0x4f, 0x0d, 0xa6, 0xe1, 0xcc, 0xbc
-};
-
-static const hash_testvector_t sha256_hash_testvectors[] = {
-    { sizeof(sha256_short2_msg), sha256_short2_msg, sha256_short2_msg_digest },
-    { sizeof(sha256_short4_msg), sha256_short4_msg, sha256_short4_msg_digest },
-    { sizeof(sha256_long2_msg),  sha256_long2_msg,  sha256_long2_msg_digest  },
-    { 0, NULL, NULL }
-};
-
-/* SHA-384 hash test vectors
- * from "The Secure Hash Algorithm Validation System (SHAVS)"
- * July 22, 2004, Lawrence E. Bassham III, NIST
- */
-
-static const u_char sha384_short2_msg[] = {
-    0xb9
-};
-
-static const u_char sha384_short2_msg_digest[] = {
-    0xbc, 0x80, 0x89, 0xa1, 0x90, 0x07, 0xc0, 0xb1,
-    0x41, 0x95, 0xf4, 0xec, 0xc7, 0x40, 0x94, 0xfe,
-    0xc6, 0x4f, 0x01, 0xf9, 0x09, 0x29, 0x28, 0x2c,
-    0x2f, 0xb3, 0x92, 0x88, 0x15, 0x78, 0x20, 0x8a,
-    0xd4, 0x66, 0x82, 0x8b, 0x1c, 0x6c, 0x28, 0x3d,
-    0x27, 0x22, 0xcf, 0x0a, 0xd1, 0xab, 0x69, 0x38
-};
-
-static const u_char sha384_short4_msg[] = {
-     0xa4, 0x1c, 0x49, 0x77, 0x79, 0xc0, 0x37, 0x5f,
-     0xf1, 0x0a, 0x7f, 0x4e, 0x08, 0x59, 0x17, 0x39
-};
-
-static const u_char sha384_short4_msg_digest[] = {
-    0xc9, 0xa6, 0x84, 0x43, 0xa0, 0x05, 0x81, 0x22,
-    0x56, 0xb8, 0xec, 0x76, 0xb0, 0x05, 0x16, 0xf0,
-    0xdb, 0xb7, 0x4f, 0xab, 0x26, 0xd6, 0x65, 0x91,
-    0x3f, 0x19, 0x4b, 0x6f, 0xfb, 0x0e, 0x91, 0xea,
-    0x99, 0x67, 0x56, 0x6b, 0x58, 0x10, 0x9c, 0xbc,
-    0x67, 0x5c, 0xc2, 0x08, 0xe4, 0xc8, 0x23, 0xf7
-};
-
-static const u_char sha384_long2_msg[] = {
-    0x39, 0x96, 0x69, 0xe2, 0x8f, 0x6b, 0x9c, 0x6d,
-    0xbc, 0xbb, 0x69, 0x12, 0xec, 0x10, 0xff, 0xcf,
-    0x74, 0x79, 0x03, 0x49, 0xb7, 0xdc, 0x8f, 0xbe,
-    0x4a, 0x8e, 0x7b, 0x3b, 0x56, 0x21, 0xdb, 0x0f,
-    0x3e, 0x7d, 0xc8, 0x7f, 0x82, 0x32, 0x64, 0xbb,
-    0xe4, 0x0d, 0x18, 0x11, 0xc9, 0xea, 0x20, 0x61,
-    0xe1, 0xc8, 0x4a, 0xd1, 0x0a, 0x23, 0xfa, 0xc1,
-    0x72, 0x7e, 0x72, 0x02, 0xfc, 0x3f, 0x50, 0x42,
-    0xe6, 0xbf, 0x58, 0xcb, 0xa8, 0xa2, 0x74, 0x6e,
-    0x1f, 0x64, 0xf9, 0xb9, 0xea, 0x35, 0x2c, 0x71,
-    0x15, 0x07, 0x05, 0x3c, 0xf4, 0xe5, 0x33, 0x9d,
-    0x52, 0x86, 0x5f, 0x25, 0xcc, 0x22, 0xb5, 0xe8,
-    0x77, 0x84, 0xa1, 0x2f, 0xc9, 0x61, 0xd6, 0x6c,
-    0xb6, 0xe8, 0x95, 0x73, 0x19, 0x9a, 0x2c, 0xe6,
-    0x56, 0x5c, 0xbd, 0xf1, 0x3d, 0xca, 0x40, 0x38,
-    0x32, 0xcf, 0xcb, 0x0e, 0x8b, 0x72, 0x11, 0xe8,
-    0x3a, 0xf3, 0x2a, 0x11, 0xac, 0x17, 0x92, 0x9f,
-    0xf1, 0xc0, 0x73, 0xa5, 0x1c, 0xc0, 0x27, 0xaa,
-    0xed, 0xef, 0xf8, 0x5a, 0xad, 0x7c, 0x2b, 0x7c,
-    0x5a, 0x80, 0x3e, 0x24, 0x04, 0xd9, 0x6d, 0x2a,
-    0x77, 0x35, 0x7b, 0xda, 0x1a, 0x6d, 0xae, 0xed,
-    0x17, 0x15, 0x1c, 0xb9, 0xbc, 0x51, 0x25, 0xa4,
-    0x22, 0xe9, 0x41, 0xde, 0x0c, 0xa0, 0xfc, 0x50,
-    0x11, 0xc2, 0x3e, 0xcf, 0xfe, 0xfd, 0xd0, 0x96,
-    0x76, 0x71, 0x1c, 0xf3, 0xdb, 0x0a, 0x34, 0x40,
-    0x72, 0x0e ,0x16, 0x15, 0xc1, 0xf2, 0x2f, 0xbc,
-    0x3c, 0x72, 0x1d, 0xe5, 0x21, 0xe1, 0xb9, 0x9b,
-    0xa1, 0xbd, 0x55, 0x77, 0x40, 0x86, 0x42, 0x14,
-    0x7e, 0xd0, 0x96
-};
-
-static const u_char sha384_long2_msg_digest[] = {
-    0x4f, 0x44, 0x0d, 0xb1, 0xe6, 0xed, 0xd2, 0x89,
-    0x9f, 0xa3, 0x35, 0xf0, 0x95, 0x15, 0xaa, 0x02,
-    0x5e, 0xe1, 0x77, 0xa7, 0x9f, 0x4b, 0x4a, 0xaf,
-    0x38, 0xe4, 0x2b, 0x5c, 0x4d, 0xe6, 0x60, 0xf5,
-    0xde, 0x8f, 0xb2, 0xa5, 0xb2, 0xfb, 0xd2, 0xa3,
-    0xcb, 0xff, 0xd2, 0x0c, 0xff, 0x12, 0x88, 0xc0
-};
-
-static const hash_testvector_t sha384_hash_testvectors[] = {
-    { sizeof(sha384_short2_msg), sha384_short2_msg, sha384_short2_msg_digest },
-    { sizeof(sha384_short4_msg), sha384_short4_msg, sha384_short4_msg_digest },
-    { sizeof(sha384_long2_msg),  sha384_long2_msg,  sha384_long2_msg_digest  },
-    { 0, NULL, NULL }
-};
-
-/* SHA-512 hash test vectors
- * from "The Secure Hash Algorithm Validation System (SHAVS)"
- * July 22, 2004, Lawrence E. Bassham III, NIST
- */
-
-static const u_char sha512_short2_msg[] = {
-    0xd0
-};
-
-static const u_char sha512_short2_msg_digest[] = {
-    0x99, 0x92, 0x20, 0x29, 0x38, 0xe8, 0x82, 0xe7,
-    0x3e, 0x20, 0xf6, 0xb6, 0x9e, 0x68, 0xa0, 0xa7,
-    0x14, 0x90, 0x90, 0x42, 0x3d, 0x93, 0xc8, 0x1b,
-    0xab, 0x3f, 0x21, 0x67, 0x8d, 0x4a, 0xce, 0xee,
-    0xe5, 0x0e, 0x4e, 0x8c, 0xaf, 0xad, 0xa4, 0xc8,
-    0x5a, 0x54, 0xea, 0x83, 0x06, 0x82, 0x6c, 0x4a,
-    0xd6, 0xe7, 0x4c, 0xec, 0xe9, 0x63, 0x1b, 0xfa,
-    0x8a, 0x54, 0x9b, 0x4a, 0xb3, 0xfb, 0xba, 0x15
-};
-
-static const u_char sha512_short4_msg[] = {
-    0x8d, 0x4e, 0x3c, 0x0e, 0x38, 0x89, 0x19, 0x14,
-    0x91, 0x81, 0x6e, 0x9d, 0x98, 0xbf, 0xf0, 0xa0
-};
-
-static const u_char sha512_short4_msg_digest[] = {
-    0xcb, 0x0b, 0x67, 0xa4, 0xb8, 0x71, 0x2c, 0xd7,
-    0x3c, 0x9a, 0xab, 0xc0, 0xb1, 0x99, 0xe9, 0x26,
-    0x9b, 0x20, 0x84, 0x4a, 0xfb, 0x75, 0xac, 0xbd,
-    0xd1, 0xc1, 0x53, 0xc9, 0x82, 0x89, 0x24, 0xc3,
-    0xdd, 0xed, 0xaa, 0xfe, 0x66, 0x9c, 0x5f, 0xdd,
-    0x0b, 0xc6, 0x6f, 0x63, 0x0f, 0x67, 0x73, 0x98,
-    0x82, 0x13, 0xeb, 0x1b, 0x16, 0xf5, 0x17, 0xad,
-    0x0d, 0xe4, 0xb2, 0xf0, 0xc9, 0x5c, 0x90, 0xf8
-};
-
-static const u_char sha512_long2_msg[] = {
-    0xa5, 0x5f, 0x20, 0xc4, 0x11, 0xaa, 0xd1, 0x32,
-    0x80, 0x7a, 0x50, 0x2d, 0x65, 0x82, 0x4e, 0x31,
-    0xa2, 0x30, 0x54, 0x32, 0xaa, 0x3d, 0x06, 0xd3,
-    0xe2, 0x82, 0xa8, 0xd8, 0x4e, 0x0d, 0xe1, 0xde,
-    0x69, 0x74, 0xbf, 0x49, 0x54, 0x69, 0xfc, 0x7f,
-    0x33, 0x8f, 0x80, 0x54, 0xd5, 0x8c, 0x26, 0xc4,
-    0x93, 0x60, 0xc3, 0xe8, 0x7a, 0xf5, 0x65, 0x23,
-    0xac, 0xf6, 0xd8, 0x9d, 0x03, 0xe5, 0x6f, 0xf2,
-    0xf8, 0x68, 0x00, 0x2b, 0xc3, 0xe4, 0x31, 0xed,
-    0xc4, 0x4d, 0xf2, 0xf0, 0x22, 0x3d, 0x4b, 0xb3,
-    0xb2, 0x43, 0x58, 0x6e, 0x1a, 0x7d, 0x92, 0x49,
-    0x36, 0x69, 0x4f, 0xcb, 0xba, 0xf8, 0x8d, 0x95,
-    0x19, 0xe4, 0xeb, 0x50, 0xa6, 0x44, 0xf8, 0xe4,
-    0xf9, 0x5e, 0xb0, 0xea, 0x95, 0xbc, 0x44, 0x65,
-    0xc8, 0x82, 0x1a, 0xac, 0xd2, 0xfe, 0x15, 0xab,
-    0x49, 0x81, 0x16, 0x4b, 0xbb, 0x6d, 0xc3, 0x2f,
-    0x96, 0x90, 0x87, 0xa1, 0x45, 0xb0, 0xd9, 0xcc,
-    0x9c, 0x67, 0xc2, 0x2b, 0x76, 0x32, 0x99, 0x41,
-    0x9c, 0xc4, 0x12, 0x8b, 0xe9, 0xa0, 0x77, 0xb3,
-    0xac, 0xe6, 0x34, 0x06, 0x4e, 0x6d, 0x99, 0x28,
-    0x35, 0x13, 0xdc, 0x06, 0xe7, 0x51, 0x5d, 0x0d,
-    0x73, 0x13, 0x2e, 0x9a, 0x0d, 0xc6, 0xd3, 0xb1,
-    0xf8, 0xb2, 0x46, 0xf1, 0xa9, 0x8a, 0x3f, 0xc7,
-    0x29, 0x41, 0xb1, 0xe3, 0xbb, 0x20, 0x98, 0xe8,
-    0xbf, 0x16, 0xf2, 0x68, 0xd6, 0x4f, 0x0b, 0x0f,
-    0x47, 0x07, 0xfe, 0x1e, 0xa1, 0xa1, 0x79, 0x1b,
-    0xa2, 0xf3, 0xc0, 0xc7, 0x58, 0xe5, 0xf5, 0x51,
-    0x86, 0x3a, 0x96, 0xc9, 0x49, 0xad, 0x47, 0xd7,
-    0xfb, 0x40, 0xd2
-};
-
-static const u_char sha512_long2_msg_digest[] = {
-    0xc6, 0x65, 0xbe, 0xfb, 0x36, 0xda, 0x18, 0x9d,
-    0x78, 0x82, 0x2d, 0x10, 0x52, 0x8c, 0xbf, 0x3b,
-    0x12, 0xb3, 0xee, 0xf7, 0x26, 0x03, 0x99, 0x09,
-    0xc1, 0xa1, 0x6a, 0x27, 0x0d, 0x48, 0x71, 0x93,
-    0x77, 0x96, 0x6b, 0x95, 0x7a, 0x87, 0x8e, 0x72,
-    0x05, 0x84, 0x77, 0x9a, 0x62, 0x82, 0x5c, 0x18,
-    0xda, 0x26, 0x41, 0x5e, 0x49, 0xa7, 0x17, 0x6a,
-    0x89, 0x4e, 0x75, 0x10, 0xfd, 0x14, 0x51, 0xf5
-};
-
-static const hash_testvector_t sha512_hash_testvectors[] = {
-    { sizeof(sha512_short2_msg), sha512_short2_msg, sha512_short2_msg_digest },
-    { sizeof(sha512_short4_msg), sha512_short4_msg, sha512_short4_msg_digest },
-    { sizeof(sha512_long2_msg),  sha512_long2_msg,  sha512_long2_msg_digest  },
-    { 0, NULL, NULL }
-};
-
-/* SHA-256, SHA-384, and SHA-512 hmac test vectors
- * from RFC 4231 "Identifiers and Test Vectors for HMAC-SHA-224,
- * HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512"
- * December 2005, M. Nystrom, RSA Security
- */
-
-static const u_char sha2_hmac1_key[] = {
-    0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
-    0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
-    0x0b, 0x0b, 0x0b, 0x0b
-};
-
-static const u_char sha2_hmac1_msg[] = {
-    0x48, 0x69, 0x20, 0x54, 0x68, 0x65, 0x72, 0x65
-};
-
-static const u_char sha2_hmac1_256[] = {
-    0xb0, 0x34, 0x4c, 0x61, 0xd8, 0xdb, 0x38, 0x53,
-    0x5c, 0xa8, 0xaf, 0xce, 0xaf, 0x0b, 0xf1, 0x2b,
-    0x88, 0x1d, 0xc2, 0x00, 0xc9, 0x83, 0x3d, 0xa7,
-    0x26, 0xe9, 0x37, 0x6c, 0x2e, 0x32, 0xcf, 0xf7
-};
-
-static const u_char sha2_hmac1_384[] = {
-    0xaf, 0xd0, 0x39, 0x44, 0xd8, 0x48, 0x95, 0x62,
-    0x6b, 0x08, 0x25, 0xf4, 0xab ,0x46, 0x90, 0x7f,
-    0x15, 0xf9, 0xda, 0xdb, 0xe4, 0x10, 0x1e, 0xc6,
-    0x82, 0xaa, 0x03, 0x4c, 0x7c, 0xeb, 0xc5, 0x9c,
-    0xfa, 0xea, 0x9e, 0xa9, 0x07, 0x6e, 0xde, 0x7f,
-    0x4a, 0xf1, 0x52, 0xe8, 0xb2, 0xfa, 0x9c, 0xb6
-};
-
-static const u_char sha2_hmac1_512[] = {
-    0x87, 0xaa, 0x7c, 0xde, 0xa5, 0xef, 0x61, 0x9d,
-    0x4f, 0xf0, 0xb4, 0x24, 0x1a, 0x1d, 0x6c, 0xb0,
-    0x23, 0x79, 0xf4, 0xe2, 0xce, 0x4e, 0xc2, 0x78,
-    0x7a, 0xd0, 0xb3, 0x05, 0x45, 0xe1, 0x7c, 0xde,
-    0xda, 0xa8, 0x33, 0xb7, 0xd6, 0xb8, 0xa7, 0x02,
-    0x03, 0x8b, 0x27, 0x4e, 0xae, 0xa3, 0xf4, 0xe4,
-    0xbe, 0x9d, 0x91, 0x4e, 0xeb, 0x61, 0xf1, 0x70,
-    0x2e, 0x69, 0x6c, 0x20, 0x3a, 0x12, 0x68, 0x54
-};
-
-static const u_char sha2_hmac2_key[] = {
-    0x4a, 0x65, 0x66, 0x65
-};
-
-static const u_char sha2_hmac2_msg[] = {
-    0x77, 0x68, 0x61, 0x74, 0x20, 0x64, 0x6f, 0x20,
-    0x79, 0x61, 0x20, 0x77, 0x61, 0x6e, 0x74, 0x20,
-    0x66, 0x6f, 0x72, 0x20, 0x6e, 0x6f, 0x74, 0x68,
-    0x69, 0x6e, 0x67, 0x3f
-};
-
-static const u_char sha2_hmac2_256[] = {
-    0x5b, 0xdc, 0xc1, 0x46, 0xbf, 0x60, 0x75, 0x4e,
-    0x6a, 0x04, 0x24, 0x26, 0x08, 0x95, 0x75, 0xc7,
-    0x5a, 0x00, 0x3f, 0x08, 0x9d, 0x27, 0x39, 0x83,
-    0x9d, 0xec, 0x58, 0xb9, 0x64, 0xec, 0x38, 0x43
-};
-
-static const u_char sha2_hmac2_384[] = {
-    0xaf, 0x45, 0xd2, 0xe3, 0x76, 0x48, 0x40, 0x31,
-    0x61, 0x7f, 0x78, 0xd2, 0xb5, 0x8a, 0x6b, 0x1b,
-    0x9c, 0x7e, 0xf4, 0x64, 0xf5, 0xa0, 0x1b, 0x47,
-    0xe4, 0x2e, 0xc3, 0x73, 0x63, 0x22, 0x44, 0x5e,
-    0x8e, 0x22, 0x40, 0xca, 0x5e, 0x69, 0xe2, 0xc7,
-    0x8b, 0x32, 0x39, 0xec, 0xfa, 0xb2, 0x16, 0x49
-};
-
-static const u_char sha2_hmac2_512[] = {
-    0x16, 0x4b, 0x7a, 0x7b, 0xfc, 0xf8, 0x19, 0xe2,
-    0xe3, 0x95, 0xfb, 0xe7, 0x3b, 0x56, 0xe0, 0xa3,
-    0x87, 0xbd, 0x64, 0x22, 0x2e, 0x83, 0x1f, 0xd6,
-    0x10, 0x27, 0x0c, 0xd7, 0xea, 0x25, 0x05, 0x54,
-    0x97, 0x58, 0xbf, 0x75, 0xc0, 0x5a, 0x99, 0x4a,
-    0x6d, 0x03, 0x4f, 0x65, 0xf8, 0xf0, 0xe6, 0xfd,
-    0xca, 0xea, 0xb1, 0xa3, 0x4d, 0x4a, 0x6b, 0x4b,
-    0x63, 0x6e, 0x07, 0x0a, 0x38, 0xbc, 0xe7, 0x37
-};
-
-static const u_char sha2_hmac3_key[] = {
-    0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
-    0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
-    0xaa, 0xaa, 0xaa, 0xaa
-};
-
-static const u_char sha2_hmac3_msg[] = {
-    0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
-    0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
-    0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
-    0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
-    0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
-    0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
-    0xdd, 0xdd
-};
-
-static const u_char sha2_hmac3_256[] = {
-    0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46,
-    0x85, 0x4d, 0xb8, 0xeb, 0xd0, 0x91, 0x81, 0xa7,
-    0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8, 0xc1, 0x22,
-    0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe
-};
-
-static const u_char sha2_hmac3_384[] = {
-    0x88, 0x06, 0x26, 0x08, 0xd3, 0xe6, 0xad, 0x8a,
-    0x0a, 0xa2, 0xac, 0xe0, 0x14, 0xc8, 0xa8, 0x6f,
-    0x0a, 0xa6, 0x35, 0xd9, 0x47, 0xac, 0x9f, 0xeb,
-    0xe8, 0x3e, 0xf4, 0xe5, 0x59, 0x66, 0x14, 0x4b,
-    0x2a, 0x5a, 0xb3, 0x9d, 0xc1, 0x38, 0x14, 0xb9,
-    0x4e, 0x3a, 0xb6, 0xe1, 0x01, 0xa3, 0x4f, 0x27
-};
-
-static const u_char sha2_hmac3_512[] = {
-    0xfa, 0x73, 0xb0, 0x08, 0x9d, 0x56, 0xa2, 0x84,
-    0xef, 0xb0, 0xf0, 0x75, 0x6c, 0x89, 0x0b, 0xe9,
-    0xb1, 0xb5, 0xdb, 0xdd, 0x8e, 0xe8, 0x1a, 0x36,
-    0x55, 0xf8, 0x3e, 0x33, 0xb2, 0x27, 0x9d, 0x39,
-    0xbf, 0x3e, 0x84, 0x82, 0x79, 0xa7, 0x22, 0xc8,
-    0x06, 0xb4, 0x85, 0xa4, 0x7e, 0x67, 0xc8, 0x07,
-    0xb9, 0x46, 0xa3, 0x37, 0xbe, 0xe8, 0x94, 0x26,
-    0x74, 0x27, 0x88, 0x59, 0xe1, 0x32, 0x92, 0xfb
-};
-
-static const u_char sha2_hmac4_key[] = {
-    0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
-    0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10,
-    0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
-    0x19
-};
-
-static const u_char sha2_hmac4_msg[] = {
-    0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd,
-    0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd,
-    0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd,
-    0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd,
-    0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd,
-    0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd,
-    0xcd, 0xcd 
-};
-
-static const u_char sha2_hmac4_256[] = {
-    0x82, 0x55, 0x8a, 0x38, 0x9a, 0x44, 0x3c, 0x0e,
-    0xa4, 0xcc, 0x81, 0x98, 0x99, 0xf2, 0x08, 0x3a,
-    0x85, 0xf0, 0xfa, 0xa3, 0xe5, 0x78, 0xf8, 0x07,
-    0x7a, 0x2e, 0x3f, 0xf4, 0x67, 0x29, 0x66, 0x5b
-};
-
-static const u_char sha2_hmac4_384[] = {
-    0x3e, 0x8a, 0x69, 0xb7, 0x78, 0x3c, 0x25, 0x85,
-    0x19, 0x33, 0xab, 0x62, 0x90, 0xaf, 0x6c, 0xa7,
-    0x7a, 0x99, 0x81, 0x48, 0x08, 0x50, 0x00, 0x9c,
-    0xc5, 0x57, 0x7c, 0x6e, 0x1f, 0x57, 0x3b, 0x4e,
-    0x68, 0x01, 0xdd, 0x23, 0xc4, 0xa7, 0xd6, 0x79,
-    0xcc, 0xf8, 0xa3, 0x86, 0xc6, 0x74, 0xcf, 0xfb
-};
-
-static const u_char sha2_hmac4_512[] = {
-    0xb0, 0xba, 0x46, 0x56, 0x37, 0x45, 0x8c, 0x69,
-    0x90, 0xe5, 0xa8, 0xc5, 0xf6, 0x1d, 0x4a, 0xf7,
-    0xe5, 0x76, 0xd9, 0x7f, 0xf9, 0x4b, 0x87, 0x2d,
-    0xe7, 0x6f, 0x80, 0x50, 0x36, 0x1e, 0xe3, 0xdb,
-    0xa9, 0x1c, 0xa5, 0xc1, 0x1a, 0xa2, 0x5e, 0xb4,
-    0xd6, 0x79, 0x27, 0x5c, 0xc5, 0x78, 0x80, 0x63,
-    0xa5, 0xf1, 0x97, 0x41, 0x12, 0x0c, 0x4f, 0x2d,
-    0xe2, 0xad, 0xeb, 0xeb, 0x10, 0xa2, 0x98, 0xdd
-};
-
-static const u_char sha2_hmac6_key[] = {
-    0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
-    0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
-    0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
-    0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
-    0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
-    0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
-    0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
-    0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
-    0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
-    0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
-    0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
-    0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
-    0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
-    0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
-    0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
-    0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
-    0xaa, 0xaa, 0xaa
-};
-
-static const u_char sha2_hmac6_msg[] = {
-    0x54, 0x65, 0x73, 0x74, 0x20, 0x55, 0x73, 0x69,
-    0x6e, 0x67, 0x20, 0x4c, 0x61, 0x72, 0x67, 0x65,
-    0x72, 0x20, 0x54, 0x68, 0x61, 0x6e, 0x20, 0x42,
-    0x6c, 0x6f, 0x63, 0x6b, 0x2d, 0x53, 0x69, 0x7a,
-    0x65, 0x20, 0x4b, 0x65, 0x79, 0x20, 0x2d, 0x20,
-    0x48, 0x61, 0x73, 0x68, 0x20, 0x4b, 0x65, 0x79,
-    0x20, 0x46, 0x69, 0x72, 0x73, 0x74
-};
-
-static const u_char sha2_hmac6_256[] = {
-    0x60, 0xe4, 0x31, 0x59, 0x1e, 0xe0, 0xb6, 0x7f,
-    0x0d, 0x8a, 0x26, 0xaa, 0xcb, 0xf5, 0xb7, 0x7f,
-    0x8e, 0x0b, 0xc6, 0x21, 0x37, 0x28, 0xc5, 0x14,
-    0x05, 0x46, 0x04, 0x0f, 0x0e, 0xe3, 0x7f, 0x54
-};
-
-static const u_char sha2_hmac6_384[] = {
-    0x4e, 0xce, 0x08, 0x44, 0x85, 0x81, 0x3e, 0x90,
-    0x88, 0xd2, 0xc6, 0x3a, 0x04, 0x1b, 0xc5, 0xb4,
-    0x4f, 0x9e, 0xf1, 0x01, 0x2a, 0x2b, 0x58, 0x8f,
-    0x3c, 0xd1, 0x1f, 0x05, 0x03, 0x3a, 0xc4, 0xc6,
-    0x0c, 0x2e, 0xf6, 0xab, 0x40, 0x30, 0xfe, 0x82,
-    0x96, 0x24, 0x8d, 0xf1, 0x63, 0xf4, 0x49, 0x52
-};
-
-static const u_char sha2_hmac6_512[] = {
-    0x80, 0xb2, 0x42, 0x63, 0xc7, 0xc1, 0xa3, 0xeb,
-    0xb7, 0x14, 0x93, 0xc1, 0xdd, 0x7b, 0xe8, 0xb4,
-    0x9b, 0x46, 0xd1, 0xf4, 0x1b, 0x4a, 0xee, 0xc1,
-    0x12, 0x1b, 0x01, 0x37, 0x83, 0xf8, 0xf3, 0x52,
-    0x6b, 0x56, 0xd0, 0x37, 0xe0, 0x5f, 0x25, 0x98,
-    0xbd, 0x0f, 0xd2, 0x21, 0x5d, 0x6a, 0x1e, 0x52,
-    0x95, 0xe6, 0x4f, 0x73, 0xf6, 0x3f, 0x0a, 0xec,
-    0x8b, 0x91, 0x5a, 0x98, 0x5d, 0x78, 0x65, 0x98
-};
-
-static const u_char sha2_hmac7_msg[] = {
-    0x54, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20,
-    0x61, 0x20, 0x74, 0x65, 0x73, 0x74, 0x20, 0x75,
-    0x73, 0x69, 0x6e, 0x67, 0x20, 0x61, 0x20, 0x6c,
-    0x61, 0x72, 0x67, 0x65, 0x72, 0x20, 0x74, 0x68,
-    0x61, 0x6e, 0x20, 0x62, 0x6c, 0x6f, 0x63, 0x6b,
-    0x2d, 0x73, 0x69, 0x7a, 0x65, 0x20, 0x6b, 0x65,
-    0x79, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x61, 0x20,
-    0x6c, 0x61, 0x72, 0x67, 0x65, 0x72, 0x20, 0x74,
-    0x68, 0x61, 0x6e, 0x20, 0x62, 0x6c, 0x6f, 0x63,
-    0x6b, 0x2d, 0x73, 0x69, 0x7a, 0x65, 0x20, 0x64,
-    0x61, 0x74, 0x61, 0x2e, 0x20, 0x54, 0x68, 0x65,
-    0x20, 0x6b, 0x65, 0x79, 0x20, 0x6e, 0x65, 0x65,
-    0x64, 0x73, 0x20, 0x74, 0x6f, 0x20, 0x62, 0x65,
-    0x20, 0x68, 0x61, 0x73, 0x68, 0x65, 0x64, 0x20,
-    0x62, 0x65, 0x66, 0x6f, 0x72, 0x65, 0x20, 0x62,
-    0x65, 0x69, 0x6e, 0x67, 0x20, 0x75, 0x73, 0x65,
-    0x64, 0x20, 0x62, 0x79, 0x20, 0x74, 0x68, 0x65,
-    0x20, 0x48, 0x4d, 0x41, 0x43, 0x20, 0x61, 0x6c,
-    0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, 0x6d, 0x2e
-};
-
-static const u_char sha2_hmac7_256[] = {
-    0x9b, 0x09, 0xff, 0xa7, 0x1b, 0x94, 0x2f, 0xcb,
-    0x27, 0x63, 0x5f, 0xbc, 0xd5, 0xb0, 0xe9, 0x44,
-    0xbf, 0xdc, 0x63, 0x64, 0x4f, 0x07, 0x13, 0x93,
-    0x8a, 0x7f, 0x51, 0x53, 0x5c, 0x3a, 0x35, 0xe2
-};
-
-static const u_char sha2_hmac7_384[] = {
-    0x66, 0x17, 0x17, 0x8e, 0x94, 0x1f, 0x02, 0x0d,
-    0x35, 0x1e, 0x2f, 0x25, 0x4e, 0x8f, 0xd3, 0x2c,
-    0x60, 0x24, 0x20, 0xfe, 0xb0, 0xb8, 0xfb, 0x9a,
-    0xdc, 0xce, 0xbb, 0x82, 0x46, 0x1e, 0x99, 0xc5,
-    0xa6, 0x78, 0xcc, 0x31, 0xe7, 0x99, 0x17, 0x6d,
-    0x38, 0x60, 0xe6, 0x11, 0x0c, 0x46, 0x52, 0x3e
-};
-
-static const u_char sha2_hmac7_512[] = {
-    0xe3, 0x7b, 0x6a, 0x77, 0x5d, 0xc8, 0x7d, 0xba,
-    0xa4, 0xdf, 0xa9, 0xf9, 0x6e, 0x5e, 0x3f, 0xfd,
-    0xde, 0xbd, 0x71, 0xf8, 0x86, 0x72, 0x89, 0x86,
-    0x5d, 0xf5, 0xa3, 0x2d, 0x20, 0xcd, 0xc9, 0x44,
-    0xb6, 0x02, 0x2c, 0xac, 0x3c, 0x49, 0x82, 0xb1,
-    0x0d, 0x5e, 0xeb, 0x55, 0xc3, 0xe4, 0xde, 0x15,
-    0x13, 0x46, 0x76, 0xfb, 0x6d, 0xe0, 0x44, 0x60,
-    0x65, 0xc9, 0x74, 0x40, 0xfa, 0x8c, 0x6a, 0x58
-};
-
-static const hmac_testvector_t sha256_hmac_testvectors[] = {
-    { sizeof(sha2_hmac1_key), sha2_hmac1_key, sizeof(sha2_hmac1_msg), sha2_hmac1_msg, sha2_hmac1_256 },
-    { sizeof(sha2_hmac2_key), sha2_hmac2_key, sizeof(sha2_hmac2_msg), sha2_hmac2_msg, sha2_hmac2_256 },
-    { sizeof(sha2_hmac3_key), sha2_hmac3_key, sizeof(sha2_hmac3_msg), sha2_hmac3_msg, sha2_hmac3_256 },
-    { sizeof(sha2_hmac4_key), sha2_hmac4_key, sizeof(sha2_hmac4_msg), sha2_hmac4_msg, sha2_hmac4_256 },
-    { sizeof(sha2_hmac6_key), sha2_hmac6_key, sizeof(sha2_hmac6_msg), sha2_hmac6_msg, sha2_hmac6_256 },
-    { sizeof(sha2_hmac6_key), sha2_hmac6_key, sizeof(sha2_hmac7_msg), sha2_hmac7_msg, sha2_hmac7_256 },
-    { 0, NULL, 0, NULL, NULL }
-};
-
-static const hmac_testvector_t sha384_hmac_testvectors[] = {
-    { sizeof(sha2_hmac1_key), sha2_hmac1_key, sizeof(sha2_hmac1_msg), sha2_hmac1_msg, sha2_hmac1_384 },
-    { sizeof(sha2_hmac2_key), sha2_hmac2_key, sizeof(sha2_hmac2_msg), sha2_hmac2_msg, sha2_hmac2_384 },
-    { sizeof(sha2_hmac3_key), sha2_hmac3_key, sizeof(sha2_hmac3_msg), sha2_hmac3_msg, sha2_hmac3_384 },
-    { sizeof(sha2_hmac4_key), sha2_hmac4_key, sizeof(sha2_hmac4_msg), sha2_hmac4_msg, sha2_hmac4_384 },
-    { sizeof(sha2_hmac6_key), sha2_hmac6_key, sizeof(sha2_hmac6_msg), sha2_hmac6_msg, sha2_hmac6_384 },
-    { sizeof(sha2_hmac6_key), sha2_hmac6_key, sizeof(sha2_hmac7_msg), sha2_hmac7_msg, sha2_hmac7_384 },
-    { 0, NULL, 0, NULL, NULL }
-};
-
-static const hmac_testvector_t sha512_hmac_testvectors[] = {
-    { sizeof(sha2_hmac1_key), sha2_hmac1_key, sizeof(sha2_hmac1_msg), sha2_hmac1_msg, sha2_hmac1_512 },
-    { sizeof(sha2_hmac2_key), sha2_hmac2_key, sizeof(sha2_hmac2_msg), sha2_hmac2_msg, sha2_hmac2_512 },
-    { sizeof(sha2_hmac3_key), sha2_hmac3_key, sizeof(sha2_hmac3_msg), sha2_hmac3_msg, sha2_hmac3_512 },
-    { sizeof(sha2_hmac4_key), sha2_hmac4_key, sizeof(sha2_hmac4_msg), sha2_hmac4_msg, sha2_hmac4_512 },
-    { sizeof(sha2_hmac6_key), sha2_hmac6_key, sizeof(sha2_hmac6_msg), sha2_hmac6_msg, sha2_hmac6_512 },
-    { sizeof(sha2_hmac6_key), sha2_hmac6_key, sizeof(sha2_hmac7_msg), sha2_hmac7_msg, sha2_hmac7_512 },
-    { 0, NULL, 0, NULL, NULL }
-};
-
-struct hash_desc hash_desc_sha2_256 = {
-	algo_type: IKE_ALG_HASH,
-	algo_id:   OAKLEY_SHA2_256,
-	algo_next: NULL,
-	hash_ctx_size:    sizeof(sha256_context),
-	hash_block_size:  SHA2_256_BLOCK_SIZE,
-	hash_digest_size: SHA2_256_DIGEST_SIZE,
-	hash_testvectors: sha256_hash_testvectors,
-	hmac_testvectors: sha256_hmac_testvectors,
-	hash_init: (void (*)(void *))sha256_init,
-	hash_update: (void (*)(void *, const u_char *, size_t ))sha256_write,
-	hash_final:(void (*)(u_char *, void *))sha256_hash_final
-};
-
-struct hash_desc hash_desc_sha2_384 = {
-	algo_type: IKE_ALG_HASH,
-	algo_id:   OAKLEY_SHA2_384,
-	algo_next: NULL,
-	hash_ctx_size:    sizeof(sha512_context),
-	hash_block_size:  SHA2_384_BLOCK_SIZE,
-	hash_digest_size: SHA2_384_DIGEST_SIZE,
-	hash_testvectors: sha384_hash_testvectors,
-	hmac_testvectors: sha384_hmac_testvectors,
-	hash_init: (void (*)(void *))sha384_init,
-	hash_update: (void (*)(void *, const u_char *, size_t ))sha512_write,
-	hash_final:(void (*)(u_char *, void *))sha384_hash_final
-};
-
-struct hash_desc hash_desc_sha2_512 = {
-	algo_type: IKE_ALG_HASH,
-	algo_id:   OAKLEY_SHA2_512,
-	algo_next: NULL,
-	hash_ctx_size:    sizeof(sha512_context),
-	hash_block_size:  SHA2_512_BLOCK_SIZE,
-	hash_digest_size: SHA2_512_DIGEST_SIZE,
-	hash_testvectors: sha512_hash_testvectors,
-	hmac_testvectors: sha512_hmac_testvectors,
-	hash_init: (void (*)(void *))sha512_init,
-	hash_update: (void (*)(void *, const u_char *, size_t ))sha512_write,
-	hash_final:(void (*)(u_char *, void *))sha512_hash_final
-};
-
-int ike_alg_sha2_init(void);
-
-int
-ike_alg_sha2_init(void)
-{
-    int ret
-;
-    ret = ike_alg_register_hash(&hash_desc_sha2_256);
-    if (ret)
-	goto out;
-    ret = ike_alg_register_hash(&hash_desc_sha2_384);
-    if (ret)
-	goto out;
-    ret = ike_alg_register_hash(&hash_desc_sha2_512);
-
-out:
-	return ret;
-}
-
-/*
-IKE_ALG_INIT_NAME: ike_alg_sha2_init
-*/
diff --git a/src/pluto/alg/ike_alg_twofish.c b/src/pluto/alg/ike_alg_twofish.c
deleted file mode 100644
index 1788bc394..000000000
--- a/src/pluto/alg/ike_alg_twofish.c
+++ /dev/null
@@ -1,85 +0,0 @@
-#include <stdio.h>
-#include <string.h>
-#include <stddef.h>
-#include <sys/types.h>
-#include <freeswan.h>
-
-#include "constants.h"
-#include "defs.h"
-#include "log.h"
-#include "libtwofish/twofish_cbc.h"
-#include "alg_info.h"
-#include "ike_alg.h"
-
-#define  TWOFISH_CBC_BLOCK_SIZE	(128/BITS_PER_BYTE)
-#define  TWOFISH_KEY_MIN_LEN	128
-#define  TWOFISH_KEY_DEF_LEN	128
-#define  TWOFISH_KEY_MAX_LEN	256
-
-static void
-do_twofish(u_int8_t *buf, size_t buf_size, u_int8_t *key, size_t key_size, u_int8_t *iv, bool enc)
-{
-    twofish_context twofish_ctx;
-    char iv_bak[TWOFISH_CBC_BLOCK_SIZE];
-    char *new_iv = NULL;	/* logic will avoid copy to NULL */
-
-    twofish_set_key(&twofish_ctx, key, key_size);
-    /*	
-     *	my TWOFISH cbc does not touch passed IV (optimization for
-     *	ESP handling), so I must "emulate" des-like IV
-     *	crunching
-     */
-    if (!enc)
-	    memcpy(new_iv=iv_bak, 
-			    (char*) buf + buf_size-TWOFISH_CBC_BLOCK_SIZE,
-			    TWOFISH_CBC_BLOCK_SIZE);
-
-    twofish_cbc_encrypt(&twofish_ctx, buf, buf, buf_size, iv, enc);
-
-    if (enc)
-	    new_iv = (char*) buf + buf_size-TWOFISH_CBC_BLOCK_SIZE;
-
-    memcpy(iv, new_iv, TWOFISH_CBC_BLOCK_SIZE);
-}
-
-struct encrypt_desc encrypt_desc_twofish = 
-{
-	algo_type: 	IKE_ALG_ENCRYPT,
-	algo_id:   	OAKLEY_TWOFISH_CBC,
-	algo_next: 	NULL,
-	enc_ctxsize: 	sizeof(twofish_context),
-        enc_blocksize: 	TWOFISH_CBC_BLOCK_SIZE,
-        keydeflen: 	TWOFISH_KEY_MIN_LEN,
-        keyminlen: 	TWOFISH_KEY_DEF_LEN,
-	keymaxlen: 	TWOFISH_KEY_MAX_LEN,
-	do_crypt: 	do_twofish,
-};
-
-struct encrypt_desc encrypt_desc_twofish_ssh =
-{
-	algo_type: 	IKE_ALG_ENCRYPT,
-	algo_id:   	OAKLEY_TWOFISH_CBC_SSH,
-	algo_next: 	NULL,
-	enc_ctxsize: 	sizeof(twofish_context),
-        enc_blocksize: 	TWOFISH_CBC_BLOCK_SIZE,
-        keydeflen: 	TWOFISH_KEY_MIN_LEN,
-        keyminlen: 	TWOFISH_KEY_DEF_LEN,
-	keymaxlen: 	TWOFISH_KEY_MAX_LEN,
-	do_crypt: 	do_twofish,
-};
-
-int ike_alg_twofish_init(void);
-
-int
-ike_alg_twofish_init(void)
-{
-    int ret = ike_alg_register_enc(&encrypt_desc_twofish);
-
-    if (ike_alg_register_enc(&encrypt_desc_twofish_ssh) < 0)
-	plog("ike_alg_twofish_init(): Experimental OAKLEY_TWOFISH_CBC_SSH activation failed");
-
-    return ret;
-}
-/*
-IKE_ALG_INIT_NAME: ike_alg_twofish_init
-*/
diff --git a/src/pluto/alg/ike_alginit.c b/src/pluto/alg/ike_alginit.c
deleted file mode 100644
index 8784bf31b..000000000
--- a/src/pluto/alg/ike_alginit.c
+++ /dev/null
@@ -1,7 +0,0 @@
-extern int ike_alg_init(void); 		int ike_alg_init(void) {
-{ extern int ike_alg_aes_init (void); ike_alg_aes_init();}
-{ extern int ike_alg_blowfish_init (void); ike_alg_blowfish_init();}
-{ extern int ike_alg_serpent_init (void); ike_alg_serpent_init();}
-{ extern int ike_alg_sha2_init (void); ike_alg_sha2_init();}
-{ extern int ike_alg_twofish_init (void); ike_alg_twofish_init();}
-return 0;}
diff --git a/src/pluto/alg_info.c b/src/pluto/alg_info.c
index cd02d2358..a85a18905 100644
--- a/src/pluto/alg_info.c
+++ b/src/pluto/alg_info.c
@@ -1,6 +1,7 @@
 /*
  * Algorithm info parsing and creation functions
- * Author: JuanJo Ciarlante <jjo-ipsec@mendoza.gov.ar>
+ * Copyright (C) JuanJo Ciarlante <jjo-ipsec@mendoza.gov.ar>
+ * Copyright (C) 2009 Andreas Steffen - Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -11,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- * 
- * RCSID $Id: alg_info.c 3846 2008-04-18 17:01:45Z andreas $
  */
 
 #include <stddef.h>
@@ -27,390 +26,187 @@
 
 #include <ctype.h>
 #include <freeswan.h>
-#include <ipsec_policy.h>
 #include <pfkeyv2.h>
 
+#include <utils.h>
+#include <utils/lexparser.h>
+#include <crypto/diffie_hellman.h>
+#include <crypto/transform.h>
+#include <crypto/proposal/proposal_keywords.h>
+
+
 #include "alg_info.h"
 #include "constants.h"
-#ifndef NO_PLUTO
 #include "defs.h"
 #include "log.h"
 #include "whack.h"
-#include "sha1.h"
-#include "md5.h"
 #include "crypto.h"
 #include "kernel_alg.h"
 #include "ike_alg.h"
-#else
-/*
- *	macros/functions for compilation without pluto (eg: spi for manual conns)
- */
-#include <assert.h>
-#define passert(x) assert(x)
-extern int debug;	/* eg: spi.c */
-#define DBG(cond, action)   { if (debug) { action ; } }
-#define DBG_log(x, args...) fprintf(stderr, x "\n" , ##args);
-#define RC_LOG_SERIOUS
-#define loglog(x, args...) fprintf(stderr, ##args);
-#define alloc_thing(thing, name) alloc_bytes(sizeof (thing), name)
-void * alloc_bytes(size_t size, const char *name) {
-	void *p=malloc(size);
-        if (p == NULL)
-		fprintf(stderr, "unable to malloc %lu bytes for %s",
-			(unsigned long) size, name);
-	memset(p, '\0', size);
-	return p;
-}
-#define pfreeany(ptr) free(ptr)
-#endif /* NO_PLUTO */
 
 /*
  * sadb/ESP aa attrib converters
  */
-int
-alg_info_esp_aa2sadb(int auth)
-{
-    int sadb_aalg = 0;
-
-    switch(auth) {
-	case AUTH_ALGORITHM_HMAC_MD5:
-	case AUTH_ALGORITHM_HMAC_SHA1:
-	    sadb_aalg = auth + 1;
-	    break;
-	case AUTH_ALGORITHM_HMAC_SHA2_256:
-	case AUTH_ALGORITHM_HMAC_SHA2_384:
-	case AUTH_ALGORITHM_HMAC_SHA2_512:
-	case AUTH_ALGORITHM_HMAC_RIPEMD:
-	    sadb_aalg = auth;
-	    break;
-	default:
-	    /* loose ... */
-	    sadb_aalg = auth;
-    }
-    return sadb_aalg;
-}
-
-int /* __attribute__ ((unused)) */
-alg_info_esp_sadb2aa(int sadb_aalg)
-{
-    int auth = 0;
-
-    switch(sadb_aalg) {
-	case SADB_AALG_MD5HMAC:
-	case SADB_AALG_SHA1HMAC:
-	    auth = sadb_aalg - 1;
-	    break;
-	/* since they are the same ...  :)  */
-	case AUTH_ALGORITHM_HMAC_SHA2_256:
-	case AUTH_ALGORITHM_HMAC_SHA2_384:
-	case AUTH_ALGORITHM_HMAC_SHA2_512:
-	case AUTH_ALGORITHM_HMAC_RIPEMD:
-	    auth = sadb_aalg;
-	    break;
-	default:
-	    /* loose ... */
-	    auth = sadb_aalg;
-    }
-    return auth;
-}
-
-/*
- * Search enum_name array with in prefixed uppercase
- */
-static int
-enum_search_prefix (enum_names *ed, const char *prefix, const char *str, int strlen)
-{
-    char buf[64];
-    char *ptr;
-    int ret;
-    int len = sizeof(buf) - 1;	/* reserve space for final \0 */
-
-    for (ptr = buf; *prefix; *ptr++ = *prefix++, len--);
-    while (strlen-- && len-- && *str) *ptr++ = toupper(*str++);
-    *ptr = 0;
-
-    DBG(DBG_CRYPT,
-	DBG_log("enum_search_prefix () calling enum_search(%p, \"%s\")"
-	    , ed, buf)
-    )
-    ret = enum_search(ed, buf);
-    return ret;
-}
-
-/*
- * Search enum_name array with in prefixed and postfixed uppercase
- */
-static int
-enum_search_ppfix (enum_names *ed, const char *prefix, const char *postfix, const char *str, int strlen)
-{
-    char buf[64];
-    char *ptr;
-    int ret;
-    int len = sizeof(buf) - 1;	/* reserve space for final \0 */
-
-    for (ptr = buf; *prefix; *ptr++ = *prefix++, len--);
-    while (strlen-- && len-- && *str) *ptr++ = toupper(*str++);
-    while (len-- && *postfix) *ptr++ = *postfix++;
-    *ptr = 0;
-
-    DBG(DBG_CRYPT,
-	DBG_log("enum_search_ppfixi () calling enum_search(%p, \"%s\")"
-	    , ed, buf)
-    )
-    ret = enum_search(ed, buf);
-    return ret;
-}
-
-/*
- * Search esp_transformid_names for a match, eg:
- * 	"3des" <=> "ESP_3DES"
- */
-#define ESP_MAGIC_ID 0x00ffff01
-
-static int
-ealg_getbyname_esp(const char *const str, int len)
+int alg_info_esp_aa2sadb(int auth)
 {
-    if (!str || !*str)
-	return -1;
-
-    /* leave special case for eg:  "id248" string */
-    if (strcmp("id", str) == 0)
-	return ESP_MAGIC_ID;
-
-    return enum_search_prefix(&esp_transformid_names, "ESP_", str, len);
+	int sadb_aalg = 0;
+
+	switch(auth) {
+		case AUTH_ALGORITHM_HMAC_MD5:
+		case AUTH_ALGORITHM_HMAC_SHA1:
+			sadb_aalg = auth + 1;
+			break;
+		case AUTH_ALGORITHM_HMAC_SHA2_256:
+		case AUTH_ALGORITHM_HMAC_SHA2_384:
+		case AUTH_ALGORITHM_HMAC_SHA2_512:
+		case AUTH_ALGORITHM_HMAC_RIPEMD:
+			sadb_aalg = auth;
+			break;
+		default:
+			/* loose ... */
+			sadb_aalg = auth;
+	}
+	return sadb_aalg;
 }
 
-/*
- * Search auth_alg_names for a match, eg:
- * 	"md5" <=> "AUTH_ALGORITHM_HMAC_MD5"
- */
-static int
-aalg_getbyname_esp(const char *const str, int len)
+int alg_info_esp_sadb2aa(int sadb_aalg)
 {
-    int ret;
-    unsigned num;
-
-    if (!str || !*str)
-	return -1;
-
-    /* interpret 'SHA' as 'SHA1' */
-    if (strncasecmp("SHA", str, len) == 0)
-	return AUTH_ALGORITHM_HMAC_SHA1;
-
-    /* interpret 'AESXCBC' as 'AES_XCBC_MAC' */
-    if (strncasecmp("AESXCBC", str, len) == 0)
-	return AUTH_ALGORITHM_AES_XCBC_MAC;
-
-    ret = enum_search_prefix(&auth_alg_names,"AUTH_ALGORITHM_HMAC_", str ,len);
-    if (ret >= 0)
-	return ret;
-
-    ret = enum_search_prefix(&auth_alg_names,"AUTH_ALGORITHM_", str, len);
-    if (ret >= 0)
-	return ret;
-
-    sscanf(str, "id%d%n", &ret, &num);
-    return (ret >= 0 && num != strlen(str))? -1 : ret;
+	int auth = 0;
+
+	switch(sadb_aalg) {
+		case SADB_AALG_MD5HMAC:
+		case SADB_AALG_SHA1HMAC:
+			auth = sadb_aalg - 1;
+			break;
+		/* since they are the same ...  :)  */
+		case AUTH_ALGORITHM_HMAC_SHA2_256:
+		case AUTH_ALGORITHM_HMAC_SHA2_384:
+		case AUTH_ALGORITHM_HMAC_SHA2_512:
+		case AUTH_ALGORITHM_HMAC_RIPEMD:
+			auth = sadb_aalg;
+			break;
+		default:
+			/* loose ... */
+			auth = sadb_aalg;
+	}
+	return auth;
 }
 
-static int
-modp_getbyname_esp(const char *const str, int len)
+void alg_info_free(struct alg_info *alg_info)
 {
-    int ret;
-
-    if (!str || !*str)
-	return -1;
-    
-    ret = enum_search_prefix(&oakley_group_names,"OAKLEY_GROUP_", str, len);
-    if (ret >= 0)
-	return ret;
-
-    ret = enum_search_ppfix(&oakley_group_names, "OAKLEY_GROUP_", " (extension)", str, len);
-    return ret;
-}
-
-void 
-alg_info_free(struct alg_info *alg_info)
-{
-    pfreeany(alg_info);
+	free(alg_info);
 }
 
 /*
  * Raw add routine: only checks for no duplicates
  */
-static void
-__alg_info_esp_add (struct alg_info_esp *alg_info, int ealg_id, unsigned ek_bits, int aalg_id, unsigned ak_bits)
+static void __alg_info_esp_add(struct alg_info_esp *alg_info, int ealg_id,
+							   unsigned ek_bits, int aalg_id, unsigned ak_bits)
 {
-    struct esp_info *esp_info=alg_info->esp;
-    unsigned cnt = alg_info->alg_info_cnt, i;
+	struct esp_info *esp_info = alg_info->esp;
+	unsigned cnt = alg_info->alg_info_cnt, i;
 
-    /* check for overflows */
-    passert(cnt < elemsof(alg_info->esp));
+	/* check for overflows */
+	passert(cnt < countof(alg_info->esp));
 
-    /* dont add duplicates */
-    for (i = 0; i < cnt; i++)
-    {
-	if (esp_info[i].esp_ealg_id == ealg_id
-	&& (!ek_bits || esp_info[i].esp_ealg_keylen == ek_bits)
-	&& esp_info[i].esp_aalg_id == aalg_id
-	&& (!ak_bits || esp_info[i].esp_aalg_keylen == ak_bits))
-	    return;
-    }
+	/* dont add duplicates */
+	for (i = 0; i < cnt; i++)
+	{
+		if (esp_info[i].esp_ealg_id == ealg_id
+		&& (!ek_bits || esp_info[i].esp_ealg_keylen == ek_bits)
+		&& esp_info[i].esp_aalg_id == aalg_id
+		&& (!ak_bits || esp_info[i].esp_aalg_keylen == ak_bits))
+		{
+			return;
+		}
+	}
 
-    esp_info[cnt].esp_ealg_id = ealg_id;
-    esp_info[cnt].esp_ealg_keylen = ek_bits;
-    esp_info[cnt].esp_aalg_id = aalg_id;
-    esp_info[cnt].esp_aalg_keylen = ak_bits;
+	esp_info[cnt].esp_ealg_id = ealg_id;
+	esp_info[cnt].esp_ealg_keylen = ek_bits;
+	esp_info[cnt].esp_aalg_id = aalg_id;
+	esp_info[cnt].esp_aalg_keylen = ak_bits;
 
-    /* sadb values */
-    esp_info[cnt].encryptalg = ealg_id;
-    esp_info[cnt].authalg = alg_info_esp_aa2sadb(aalg_id);
-    alg_info->alg_info_cnt++;
+	/* sadb values */
+	esp_info[cnt].encryptalg = ealg_id;
+	esp_info[cnt].authalg = alg_info_esp_aa2sadb(aalg_id);
+	alg_info->alg_info_cnt++;
 
-    DBG(DBG_CRYPT,
-	DBG_log("__alg_info_esp_add() ealg=%d aalg=%d cnt=%d"
-	    , ealg_id, aalg_id, alg_info->alg_info_cnt)
-    )
+	DBG(DBG_CRYPT,
+		DBG_log("esp alg added: %s_%d/%s, cnt=%d",
+				enum_show(&esp_transformid_names, ealg_id), ek_bits,
+				enum_show(&auth_alg_names, aalg_id),
+				alg_info->alg_info_cnt)
+	)
 }
 
 /*
  * Add ESP alg info _with_ logic (policy):
  */
-static void
-alg_info_esp_add (struct alg_info *alg_info, int ealg_id, int ek_bits, int aalg_id, int ak_bits)
+static void alg_info_esp_add(struct alg_info *alg_info, int ealg_id,
+							 int ek_bits, int aalg_id, int ak_bits)
 {
-    /* Policy: default to 3DES */
-    if (ealg_id == 0)
-	ealg_id = ESP_3DES;
-
-    if (ealg_id > 0)
-    {
-#ifndef NO_PLUTO
-	if (aalg_id > 0)
-#else
-	/* Allow no auth for manual conns (from spi.c) */
-	if (aalg_id >= 0)
-#endif
-	    __alg_info_esp_add((struct alg_info_esp *)alg_info,
-				ealg_id, ek_bits,
-				aalg_id, ak_bits);
-	else
+	/* Policy: default to 3DES */
+	if (ealg_id == 0)
 	{
-	    /* Policy: default to MD5 and SHA1 */
-	    __alg_info_esp_add((struct alg_info_esp *)alg_info,
-				ealg_id, ek_bits,
-				AUTH_ALGORITHM_HMAC_MD5, ak_bits);
-	    __alg_info_esp_add((struct alg_info_esp *)alg_info,
-				ealg_id, ek_bits,
-				AUTH_ALGORITHM_HMAC_SHA1, ak_bits);
+		ealg_id = ESP_3DES;
+	}
+	if (ealg_id > 0)
+	{
+		if (aalg_id > 0)
+		{
+			__alg_info_esp_add((struct alg_info_esp *)alg_info,
+								ealg_id, ek_bits,
+								aalg_id, ak_bits);
+		}
+		else
+		{
+			/* Policy: default to MD5 and SHA1 */
+			__alg_info_esp_add((struct alg_info_esp *)alg_info,
+								ealg_id, ek_bits,
+								AUTH_ALGORITHM_HMAC_MD5, ak_bits);
+			__alg_info_esp_add((struct alg_info_esp *)alg_info,
+								ealg_id, ek_bits,
+								AUTH_ALGORITHM_HMAC_SHA1, ak_bits);
+		}
 	}
-    }
-}
-
-#ifndef NO_PLUTO
-/**************************************
- *
- *	IKE alg
- *
- *************************************/
-/*
- * Search oakley_enc_names for a match, eg:
- * 	"3des_cbc" <=> "OAKLEY_3DES_CBC"
- */
-static int
-ealg_getbyname_ike(const char *const str, int len)
-{
-    int ret;
-
-    if (!str || !*str)
-	return -1;
-
-    ret = enum_search_prefix(&oakley_enc_names,"OAKLEY_", str, len);
-    if (ret >= 0)
-	return ret;
-
-    ret = enum_search_ppfix(&oakley_enc_names, "OAKLEY_", "_CBC", str, len);
-    return ret;
-}
-
-/*
- * Search  oakley_hash_names for a match, eg:
- * 	"md5" <=> "OAKLEY_MD5"
- */
-static int
-aalg_getbyname_ike(const char *const str, int len)
-{
-    int ret;
-    unsigned num;
-
-    if (!str || !*str)
-	return -1;
-
-    /* interpret 'SHA1' as 'SHA' */
-    if (strncasecmp("SHA1", str, len) == 0)
-	return enum_search(&oakley_hash_names, "OAKLEY_SHA");
-
-    ret = enum_search_prefix(&oakley_hash_names,"OAKLEY_", str, len);
-    if (ret >= 0)
-	return ret;
-
-    sscanf(str, "id%d%n", &ret, &num);
-    return (ret >=0 && num != strlen(str))? -1 : ret;
-}
-
-/*
- * Search oakley_group_names for a match, eg:
- * 	"modp1024" <=> "OAKLEY_GROUP_MODP1024"
- */
-static int
-modp_getbyname_ike(const char *const str, int len)
-{
-    int ret;
-
-    if (!str || !*str)
-	return -1;
-
-    ret = enum_search_prefix(&oakley_group_names,"OAKLEY_GROUP_", str, len);
-    if (ret >= 0)
-	return ret;
-
-    ret = enum_search_ppfix(&oakley_group_names, "OAKLEY_GROUP_", " (extension)", str, len);
-    return ret;
 }
 
-static void
-__alg_info_ike_add (struct alg_info_ike *alg_info, int ealg_id, unsigned ek_bits, int aalg_id, unsigned ak_bits, int modp_id)
+static void __alg_info_ike_add (struct alg_info_ike *alg_info, int ealg_id,
+								unsigned ek_bits, int aalg_id, unsigned ak_bits,
+								int modp_id)
 {
-    struct ike_info *ike_info = alg_info->ike;
-    unsigned cnt = alg_info->alg_info_cnt;
-    unsigned i;
+	struct ike_info *ike_info = alg_info->ike;
+	unsigned cnt = alg_info->alg_info_cnt;
+	unsigned i;
 
-    /* check for overflows */
-    passert(cnt < elemsof(alg_info->ike));
+	/* check for overflows */
+	passert(cnt < countof(alg_info->ike));
 
-    /* dont add duplicates */
-   for (i = 0;i < cnt; i++)
+	/* dont add duplicates */
+   for (i = 0; i < cnt; i++)
    {
-	if (ike_info[i].ike_ealg == ealg_id
-	&& (!ek_bits || ike_info[i].ike_eklen == ek_bits)
-	&&  ike_info[i].ike_halg == aalg_id
-	&& (!ak_bits || ike_info[i].ike_hklen == ak_bits)
-	&&  ike_info[i].ike_modp==modp_id)
-	    return;
-    }
+		if (ike_info[i].ike_ealg == ealg_id
+		&& (!ek_bits || ike_info[i].ike_eklen == ek_bits)
+		&&  ike_info[i].ike_halg == aalg_id
+		&& (!ak_bits || ike_info[i].ike_hklen == ak_bits)
+		&&  ike_info[i].ike_modp==modp_id)
+			return;
+	}
 
-    ike_info[cnt].ike_ealg = ealg_id;
-    ike_info[cnt].ike_eklen = ek_bits;
-    ike_info[cnt].ike_halg = aalg_id;
-    ike_info[cnt].ike_hklen = ak_bits;
-    ike_info[cnt].ike_modp = modp_id;
-    alg_info->alg_info_cnt++;
+	ike_info[cnt].ike_ealg = ealg_id;
+	ike_info[cnt].ike_eklen = ek_bits;
+	ike_info[cnt].ike_halg = aalg_id;
+	ike_info[cnt].ike_hklen = ak_bits;
+	ike_info[cnt].ike_modp = modp_id;
+	alg_info->alg_info_cnt++;
 
-    DBG(DBG_CRYPT,
-	DBG_log("__alg_info_ike_add() ealg=%d aalg=%d modp_id=%d, cnt=%d"
-		, ealg_id, aalg_id, modp_id
-		, alg_info->alg_info_cnt)
-    )
+	DBG(DBG_CRYPT,
+		DBG_log("ikg alg added: %s_%d/%s/%s, cnt=%d",
+				enum_show(&oakley_enc_names, ealg_id), ek_bits,
+				enum_show(&oakley_hash_names, aalg_id),
+				enum_show(&oakley_group_names, modp_id),
+				alg_info->alg_info_cnt)
+	)
 }
 
 /*
@@ -419,792 +215,449 @@ __alg_info_ike_add (struct alg_info_ike *alg_info, int ealg_id, unsigned ek_bits
  */
 
 static int default_ike_groups[] = { 
-    OAKLEY_GROUP_MODP1536,
-    OAKLEY_GROUP_MODP1024
+	MODP_1536_BIT,
+	MODP_1024_BIT
 };
 
-/*	
- *	Add IKE alg info _with_ logic (policy):
+/*      
+ *      Add IKE alg info _with_ logic (policy):
  */
-static void
-alg_info_ike_add (struct alg_info *alg_info, int ealg_id, int ek_bits, int aalg_id, int ak_bits, int modp_id)
+static void alg_info_ike_add (struct alg_info *alg_info, int ealg_id,
+							  int ek_bits, int aalg_id, int ak_bits, int modp_id)
 {
-    int i = 0;
-    int n_groups = elemsof(default_ike_groups);
-
-    /* if specified modp_id avoid loop over default_ike_groups */
-    if (modp_id)
-    {
-	n_groups=0;
-	goto in_loop;
-    }
-	
-    for (; n_groups--; i++)
-    {
-	modp_id = default_ike_groups[i];
-in_loop:
-	/* Policy: default to 3DES */
-	if (ealg_id == 0)
-	    ealg_id = OAKLEY_3DES_CBC;
+	int i = 0;
+	int n_groups = countof(default_ike_groups);
 
-	if (ealg_id > 0)
+	/* if specified modp_id avoid loop over default_ike_groups */
+	if (modp_id)
 	{
-	    if (aalg_id > 0)
-		__alg_info_ike_add((struct alg_info_ike *)alg_info,
-				   ealg_id, ek_bits,
-				   aalg_id, ak_bits,
-				   modp_id);
-	    else
-	    {
-		/* Policy: default to MD5 and SHA */
-		__alg_info_ike_add((struct alg_info_ike *)alg_info,
-				   ealg_id, ek_bits,
-				   OAKLEY_MD5, ak_bits,
-				   modp_id);
-		__alg_info_ike_add((struct alg_info_ike *)alg_info,
-				   ealg_id, ek_bits,
-				   OAKLEY_SHA, ak_bits,
-				   modp_id);
-	    }
+		n_groups=0;
+		goto in_loop;
+	}
+		
+	for (; n_groups--; i++)
+	{
+		modp_id = default_ike_groups[i];
+in_loop:
+		/* Policy: default to 3DES */
+		if (ealg_id == 0)
+		{
+			ealg_id = OAKLEY_3DES_CBC;
+		}
+		if (ealg_id > 0)
+		{
+			if (aalg_id > 0)
+			{
+				__alg_info_ike_add((struct alg_info_ike *)alg_info,
+								   ealg_id, ek_bits,
+								   aalg_id, ak_bits,
+								   modp_id);
+			}
+			else
+			{
+				/* Policy: default to MD5 and SHA */
+				__alg_info_ike_add((struct alg_info_ike *)alg_info,
+								   ealg_id, ek_bits,
+								   OAKLEY_MD5, ak_bits,
+								   modp_id);
+				__alg_info_ike_add((struct alg_info_ike *)alg_info,
+								   ealg_id, ek_bits,
+								   OAKLEY_SHA, ak_bits,
+								   modp_id);
+			}
+		}
 	}
-    }
-}
-#endif /* NO_PLUTO */
-
-/*	
- *	Creates a new alg_info by parsing passed string		
- */
-enum parser_state_esp {
-    ST_INI,
-    ST_EA,		/* encrypt algo   */
-    ST_EA_END,
-    ST_EK,		/* enc. key length */
-    ST_EK_END,
-    ST_AA,		/* auth algo */
-    ST_AA_END,
-    ST_AK,		/* auth. key length */
-    ST_AK_END,
-    ST_MODP,	/* modp spec */
-    ST_FLAG_STRICT,
-    ST_END,
-    ST_EOF,
-    ST_ERR
-};
-
-static const char *parser_state_esp_names[] = {
-    "ST_INI",
-    "ST_EA",
-    "ST_EA_END",
-    "ST_EK",
-    "ST_EK_END",
-    "ST_AA",
-    "ST_AA_END",
-    "ST_AK",
-    "ST_AK_END",
-    "ST_MOPD",
-    "ST_FLAG_STRICT",
-    "ST_END",
-    "ST_EOF",
-    "ST_ERR"
-};
-
-static const char*
-parser_state_name_esp(enum parser_state_esp state)
-{
-    return parser_state_esp_names[state];
-}
-
-/* XXX:jjo to implement different parser for ESP and IKE */
-struct parser_context {
-    unsigned state, old_state;
-    unsigned protoid;
-    char ealg_buf[16];
-    char aalg_buf[16];
-    char modp_buf[16];
-    int (*ealg_getbyname)(const char *const str, int len);
-    int (*aalg_getbyname)(const char *const str, int len);
-    int (*modp_getbyname)(const char *const str, int len);
-    char *ealg_str;
-    char *aalg_str;
-    char *modp_str;
-    int eklen;
-    int aklen;
-    int ch;
-    const char *err;
-};
-
-static inline void 
-parser_set_state(struct parser_context *p_ctx, enum parser_state_esp state)
-{
-    if (state != p_ctx->state)
-    {
-	p_ctx->old_state = p_ctx->state;
-	p_ctx->state = state;
-    }
 }
 
-static int 
-parser_machine(struct parser_context *p_ctx)
+static status_t alg_info_add(chunk_t alg, unsigned protoid,
+							 int *ealg, size_t *ealg_keysize,
+							 int *aalg, size_t *aalg_keysize, int *dh_group)
 {
-    int ch = p_ctx->ch;
-
-    /* special 'absolute' cases */
-    p_ctx->err = "No error.";
+	const proposal_token_t *token = proposal_get_token(alg.ptr, alg.len);
 
-    /* chars that end algo strings */
-    switch (ch){
-    case 0:	/* end-of-string */
-    case '!':	/* flag as strict algo list */
-    case ',':	/* algo string separator */
-	switch (p_ctx->state) {
-	case ST_EA:
-	case ST_EK:
-	case ST_AA:
-	case ST_AK:
-	case ST_MODP:
-	case ST_FLAG_STRICT:
-	    {
-		enum parser_state_esp next_state = 0;
-
-		switch (ch) {
-		case 0:
-		    next_state = ST_EOF;
-		    break;
-		case ',':
-		    next_state = ST_END;
-		    break;
-		case '!':
-		    next_state = ST_FLAG_STRICT;
-		    break;
-	        }
-	        /* ch? parser_set_state(p_ctx, ST_END) : parser_set_state(p_ctx, ST_EOF) ; */
-	        parser_set_state(p_ctx, next_state);
-	        goto out;
-	    }
-	default:
-	    p_ctx->err = "String ended with invalid char";
-	    goto err;
-	}
-    }
-re_eval:
-    switch (p_ctx->state) {
-    case ST_INI:
-	if (isspace(ch))
-	    break;
-	if (isalnum(ch))
-	{
-	    *(p_ctx->ealg_str++) = ch;
-	    parser_set_state(p_ctx, ST_EA);
-	    break;
-	}
-	p_ctx->err = "No alphanum. char initially found";
-	goto err;
-    case ST_EA:
-	if (isalpha(ch) || ch == '_')
-	{
-	    *(p_ctx->ealg_str++) = ch;
-	    break;
-	}
-	if (isdigit(ch))
-	{
-	    /* bravely switch to enc keylen */
-	    *(p_ctx->ealg_str) = 0;
-	    parser_set_state(p_ctx, ST_EK);
-	    goto re_eval;
-	}
-	if (ch == '-')
-	{
-	    *(p_ctx->ealg_str) = 0;
-	    parser_set_state(p_ctx, ST_EA_END);
-	    break;
-	}
-	p_ctx->err = "No valid char found after enc alg string";
-	goto err;
-    case ST_EA_END:
-	if (isdigit(ch))
-	{
-	    /* bravely switch to enc keylen */
-	    parser_set_state(p_ctx, ST_EK);
-	    goto re_eval;
-	}
-	if (isalpha(ch))
-	{
-	    parser_set_state(p_ctx, ST_AA);
-	    goto re_eval;
-	}
-	p_ctx->err = "No alphanum char found after enc alg separator";
-	goto err;
-    case ST_EK:
-	if (ch == '-')
-	{
-	    parser_set_state(p_ctx, ST_EK_END);
-	    break;
-	}
-	if (isdigit(ch))
-	{
-	    p_ctx->eklen = p_ctx->eklen*10 + ch - '0';
-	    break;
-	}
-	p_ctx->err = "Non digit or valid separator found while reading enc keylen";
-	goto err;
-    case ST_EK_END:
-	if (isalpha(ch))
-	{
-	    parser_set_state(p_ctx, ST_AA);
-	    goto re_eval;
-	}
-	p_ctx->err = "Non alpha char found after enc keylen end separator";
-	goto err;
-    case ST_AA:
-	if (ch == '-')
-	{
-	    *(p_ctx->aalg_str++) = 0;
-	    parser_set_state(p_ctx, ST_AA_END);
-	    break;
-	}
-	if (isalnum(ch) || ch == '_')
-	{
-	    *(p_ctx->aalg_str++) = ch;
-	    break;
-	}
-	p_ctx->err = "Non alphanum or valid separator found in auth string";
-	goto err;
-    case ST_AA_END:
-	if (isdigit(ch))
-	{
-	    parser_set_state(p_ctx, ST_AK);
-	    goto re_eval;
-	}
-	/* Only allow modpXXXX string if we have a modp_getbyname method */
-	if ((p_ctx->modp_getbyname) && isalpha(ch))
-	{
-	    parser_set_state(p_ctx, ST_MODP);
-	    goto re_eval;
-	}
-	p_ctx->err = "Non initial digit found for auth keylen";
-	goto err;
-    case ST_AK:
-	if (ch=='-')
-	{
-	    parser_set_state(p_ctx, ST_AK_END);
-	    break;
-	}
-	if (isdigit(ch))
+	if (token == NULL)
 	{
-	    p_ctx->aklen = p_ctx->aklen*10 + ch - '0';
-	    break;
+		return FAILED;
 	}
-	p_ctx->err = "Non digit found for auth keylen";
-	goto err;
-    case ST_AK_END:
-	/* Only allow modpXXXX string if we have a modp_getbyname method */
-	if ((p_ctx->modp_getbyname) && isalpha(ch))
+	switch (token->type)
 	{
-	    parser_set_state(p_ctx, ST_MODP);
-	    goto re_eval;
-	}
-	p_ctx->err = "Non alpha char found after auth keylen";
-	goto err;
-    case ST_MODP:
-	if (isalnum(ch))
-	{
-	    *(p_ctx->modp_str++) = ch;
-	    break;
-	}
-	p_ctx->err = "Non alphanum char found after in modp string";
-	goto err;
-    case ST_FLAG_STRICT:
-	if (ch == 0)
-	    parser_set_state(p_ctx, ST_END);
-	p_ctx->err = "Flags character(s) must be at end of whole string";
-	goto err;
-
-    /* XXX */
-    case ST_END:
-    case ST_EOF:
-    case ST_ERR:
-	break;
-    /* XXX */
-    }
-out:
-    return p_ctx->state;
-err:
-    parser_set_state(p_ctx, ST_ERR);
-    return ST_ERR;
+		case ENCRYPTION_ALGORITHM:
+			if (*ealg != 0)
+			{
+				return FAILED;
+			}
+			*ealg = (protoid == PROTO_ISAKMP) ?
+					 oakley_from_encryption_algorithm(token->algorithm) :
+					 esp_from_encryption_algorithm(token->algorithm);
+			if (*ealg == 0)
+			{
+				return FAILED;
+			}
+			*ealg_keysize = token->keysize;
+			break;
+		case INTEGRITY_ALGORITHM:
+			if (*aalg != 0)
+			{
+				return FAILED;
+			}
+			*aalg = (protoid == PROTO_ISAKMP) ?
+					 oakley_from_integrity_algorithm(token->algorithm) :
+					 esp_from_integrity_algorithm(token->algorithm);
+			if (*aalg == 0)
+			{
+				return FAILED;
+			}
+			*aalg_keysize = token->keysize;
+			break;
+		case DIFFIE_HELLMAN_GROUP:
+			if (protoid == PROTO_ISAKMP)
+			{
+				if (*dh_group != 0)
+				{
+					return FAILED;
+				}
+				*dh_group = token->algorithm;
+			}
+			break;
+		default:
+			return FAILED;
+	}
+	return SUCCESS;
 }
 
-/*
- * Must be called for each "new" char, with new
- * character in ctx.ch
- */
-static void
-parser_init(struct parser_context *p_ctx, unsigned protoid)
-{
-    memset(p_ctx, 0, sizeof (*p_ctx));
-    p_ctx->protoid = protoid; /* XXX: jjo */
-    p_ctx->protoid = PROTO_IPSEC_ESP;
-    p_ctx->ealg_str = p_ctx->ealg_buf;
-    p_ctx->aalg_str = p_ctx->aalg_buf;
-    p_ctx->modp_str = p_ctx->modp_buf;
-    p_ctx->state = ST_INI;
-
-    switch (protoid) {
-#ifndef NO_PLUTO
-    case PROTO_ISAKMP:
-	p_ctx->ealg_getbyname = ealg_getbyname_ike;
-	p_ctx->aalg_getbyname = aalg_getbyname_ike;
-	p_ctx->modp_getbyname = modp_getbyname_ike;
-	break;
-#endif
-    case PROTO_IPSEC_ESP:
-	p_ctx->ealg_getbyname = ealg_getbyname_esp;
-	p_ctx->aalg_getbyname = aalg_getbyname_esp;
-	break;
-    }
-}
 
-static int
-parser_alg_info_add(struct parser_context *p_ctx, struct alg_info *alg_info)
+static status_t alg_info_parse_str(struct alg_info *alg_info, char *alg_str)
 {
-    int ealg_id = 0;
-    int aalg_id = 0;
-    int modp_id = 0;
-#ifndef NO_PLUTO
-    const struct oakley_group_desc *gd;
-#endif
+	char *strict, *single;
+	status_t status = SUCCESS;
 
-    if (*p_ctx->ealg_buf)
-    {
-	ealg_id = p_ctx->ealg_getbyname(p_ctx->ealg_buf, strlen(p_ctx->ealg_buf));
-	if (ealg_id == ESP_MAGIC_ID)
-	{
-	    ealg_id = p_ctx->eklen;
-	    p_ctx->eklen = 0;
-	}
-	if (ealg_id < 0)
+	strict = alg_str + strlen(alg_str) - 1;
+	if (*strict == '!')
 	{
-	    p_ctx->err = "enc_alg not found";
-	    return -1;
+		alg_info->alg_info_flags |= ALG_INFO_F_STRICT;
+		*strict = '\0';
 	}
-	DBG(DBG_CRYPT,
-	    DBG_log("parser_alg_info_add() ealg_getbyname(\"%s\")=%d"
-		, p_ctx->ealg_buf
-		, ealg_id)
-	)
-    }
-    if (*p_ctx->aalg_buf)
-    {
-	aalg_id = p_ctx->aalg_getbyname(p_ctx->aalg_buf, strlen(p_ctx->aalg_buf));
-	if (aalg_id < 0)
+	while ((single = strsep(&alg_str, ",")))
 	{
-	    p_ctx->err = "hash_alg not found";
-	    return -1;
-	}
-	DBG(DBG_CRYPT,
-	    DBG_log("parser_alg_info_add() aalg_getbyname(\"%s\")=%d"
-		, p_ctx->aalg_buf
-		, aalg_id)
-	)
-    }
-    if (p_ctx->modp_getbyname && *p_ctx->modp_buf)
-    {
-	modp_id = p_ctx->modp_getbyname(p_ctx->modp_buf, strlen(p_ctx->modp_buf));
-	if (modp_id < 0)
-	{
-	    p_ctx->err = "modp group not found";
-	    return -1;
-	}
-	DBG(DBG_CRYPT,
-	    DBG_log("parser_alg_info_add() modp_getbyname(\"%s\")=%d"
-		, p_ctx->modp_buf
-		, modp_id)
-	)
-    }
-    switch (alg_info->alg_info_protoid) {
-    case PROTO_IPSEC_ESP:
-	alg_info_esp_add(alg_info,
-			 ealg_id, p_ctx->eklen,
-			 aalg_id, p_ctx->aklen);
-	break;
-#ifndef NO_PLUTO
-    case PROTO_ISAKMP:
-	if (modp_id && !(gd = lookup_group(modp_id)))
-	{
-	    p_ctx->err = "found modp group id, but not supported";
-	    return -1;
-	}
-	alg_info_ike_add(alg_info,
-			 ealg_id, p_ctx->eklen,
-			 aalg_id, p_ctx->aklen,
-			 modp_id);
-	break;
-#endif
-    default:
-	return -1;
-    }
-    return 0;
-}
+		chunk_t string = { (u_char *)single, strlen(single) };
+		int ealg = 0;
+		int aalg = 0;
+		int dh_group = 0;
+		size_t ealg_keysize = 0;
+		size_t aalg_keysize = 0;
 
-static int
-alg_info_parse_str (struct alg_info *alg_info, const char *alg_str, const char **err_p)
-{
-    struct parser_context ctx;
-    int ret;
-    const char *ptr;
-    static char err_buf[256];
-
-    *err_buf = 0;
-    parser_init(&ctx, alg_info->alg_info_protoid);
-    if (err_p)
-	*err_p = NULL;
+		eat_whitespace(&string);
 
-    /* use default if nul esp string */
-    if (!*alg_str)
-    {
-	switch (alg_info->alg_info_protoid) {
-#ifndef NO_PLUTO
-	case PROTO_ISAKMP:
-	    alg_info_ike_add(alg_info, 0, 0, 0, 0, 0);
-	    return 0;
-#endif
-	case PROTO_IPSEC_ESP:
-	    alg_info_esp_add(alg_info, 0, 0, 0, 0);
-	    return 0;
-	default:
-	    /* IMPOSSIBLE */
-	    passert(alg_info->alg_info_protoid);
-	}
-    }
+		if (string.len > 0) 
+		{
+			chunk_t alg;
+
+			/* get all token, separated by '-' */
+			while (extract_token(&alg, '-', &string))
+			{
+				status |= alg_info_add(alg, alg_info->alg_info_protoid,
+									   &ealg, &ealg_keysize,
+									   &aalg, &aalg_keysize, &dh_group);
+			}
+			if (string.len)
+			{
+				status |= alg_info_add(string, alg_info->alg_info_protoid,
+									   &ealg, &ealg_keysize,
+									   &aalg, &aalg_keysize, &dh_group);
+			}
+		}
+		if (status == SUCCESS)
 
-    for (ret = 0, ptr = alg_str; ret < ST_EOF;)
-    {
-	ctx.ch = *ptr++;
-	ret = parser_machine(&ctx);
-		
-	switch (ret) {
-	case ST_FLAG_STRICT:
-	    alg_info->alg_info_flags |= ALG_INFO_F_STRICT;
-	    break;
-	case ST_END:
-	case ST_EOF:
-	    DBG(DBG_CRYPT,
-		DBG_log("alg_info_parse_str() ealg_buf=%s aalg_buf=%s"
-			"eklen=%d  aklen=%d",
-			ctx.ealg_buf, ctx.aalg_buf,
-			ctx.eklen, ctx.aklen)
-	    )
-	    if (parser_alg_info_add(&ctx, alg_info) < 0)
-	    {
-		snprintf(err_buf, sizeof(err_buf),
-		    "%s, enc_alg=\"%s\", auth_alg=\"%s\", modp=\"%s\"",
-		    ctx.err,
-		    ctx.ealg_buf,
-		    ctx.aalg_buf,
-		    ctx.modp_buf);
-		goto err;
-	    }
-	    /* zero out for next run (ST_END) */
-	    parser_init(&ctx, alg_info->alg_info_protoid);
-	    break;
-	case ST_ERR:
-	    snprintf(err_buf, sizeof(err_buf),
-		"%s, just after \"%.*s\" (old_state=%s)",
-		ctx.err,
-		(int)(ptr-alg_str-1), alg_str ,
-		parser_state_name_esp(ctx.old_state));
-	    goto err;
-	default:
-	    if (!ctx.ch)
-		break;
+		{
+			switch (alg_info->alg_info_protoid)
+			{
+				case PROTO_IPSEC_ESP:
+					alg_info_esp_add(alg_info, ealg, ealg_keysize,
+								 			   aalg, aalg_keysize);
+					break;
+				case PROTO_ISAKMP:
+					alg_info_ike_add(alg_info, ealg, ealg_keysize,
+											   aalg, aalg_keysize,
+											   dh_group);
+					break;
+				default:
+					break;
+			}
+		}
 	}
-    }
-    return 0;
-err:
-    if (err_p)
-	*err_p=err_buf;
-    return -1;
+	return status;
 }
 
-struct alg_info_esp *
-alg_info_esp_create_from_str (const char *alg_str, const char **err_p)
+struct alg_info_esp *alg_info_esp_create_from_str(char *alg_str)
 {
-    struct alg_info_esp *alg_info_esp;
-    char esp_buf[256];
-    static char err_buf[256];
-    char *pfs_name;
-    int ret = 0;
-    /*
-     * alg_info storage should be sized dynamically
-     * but this may require 2passes to know
-     * transform count in advance.
-     */
-    alg_info_esp = alloc_thing (struct alg_info_esp, "alg_info_esp");
-    if (!alg_info_esp)
-	goto out;
-
-    pfs_name=index (alg_str, ';');
-    if (pfs_name)
-    {
-	memcpy(esp_buf, alg_str, pfs_name-alg_str);
-	esp_buf[pfs_name-alg_str] = 0;
-	alg_str = esp_buf;
-	pfs_name++;
-
-	/* if pfs strings AND first char is not '0' */
-	if (*pfs_name && pfs_name[0] != '0')
+	struct alg_info_esp *alg_info_esp;
+	char esp_buf[BUF_LEN];
+	char *pfs_name;
+	status_t status = SUCCESS;
+	/*
+	 * alg_info storage should be sized dynamically
+	 * but this may require 2passes to know
+	 * transform count in advance.
+	 */
+	alg_info_esp = malloc_thing (struct alg_info_esp);
+	zero(alg_info_esp);
+
+	pfs_name=index (alg_str, ';');
+	if (pfs_name)
 	{
-	    ret = modp_getbyname_esp(pfs_name, strlen(pfs_name));
-	    if (ret < 0)
-	    {
-		/* Bomb if pfsgroup not found */
-		DBG(DBG_CRYPT,
-		    DBG_log("alg_info_esp_create_from_str(): pfsgroup \"%s\" not found"
-			, pfs_name)
-		)
-		if (*err_p)
-		{
-		    snprintf(err_buf, sizeof(err_buf),
-			"pfsgroup \"%s\" not found",
-			pfs_name);
+		memcpy(esp_buf, alg_str, pfs_name-alg_str);
+		esp_buf[pfs_name-alg_str] = 0;
+		alg_str = esp_buf;
+		pfs_name++;
 
-		    *err_p = err_buf;
+		/* if pfs strings AND first char is not '0' */
+		if (*pfs_name && pfs_name[0] != '0')
+		{
+			const proposal_token_t *token;
+
+			token = proposal_get_token(pfs_name, strlen(pfs_name));
+			if (token == NULL || token->type != DIFFIE_HELLMAN_GROUP)
+			{
+				/* Bomb if pfsgroup not found */
+				DBG(DBG_CRYPT,
+					DBG_log("alg_info_esp_create_from_str(): pfsgroup \"%s\" not found"
+						, pfs_name)
+				)
+				status = FAILED;
+				goto out;
+			}
+			alg_info_esp->esp_pfsgroup = token->algorithm;
 		}
-		goto out;
-	    }
-	    alg_info_esp->esp_pfsgroup = ret;
 	}
-    }
-    else
-	alg_info_esp->esp_pfsgroup = 0;
-		
-    alg_info_esp->alg_info_protoid = PROTO_IPSEC_ESP;
-    ret = alg_info_parse_str((struct alg_info *)alg_info_esp, alg_str, err_p) ;
+	else
+	{
+		alg_info_esp->esp_pfsgroup = 0;
+	}
+	alg_info_esp->alg_info_protoid = PROTO_IPSEC_ESP;
+	status = alg_info_parse_str((struct alg_info *)alg_info_esp, alg_str);
+
 out:
-    if (ret < 0)
-    {
-	pfreeany(alg_info_esp);
-	alg_info_esp = NULL;
-    }
-    return alg_info_esp;
+	if (status != SUCCESS)
+	{
+		free(alg_info_esp);
+		alg_info_esp = NULL;
+	}
+	return alg_info_esp;
 }
 
-#ifndef NO_PLUTO
-struct alg_info_ike *
-alg_info_ike_create_from_str (const char *alg_str, const char **err_p)
+struct alg_info_ike *alg_info_ike_create_from_str(char *alg_str)
 {
-    struct alg_info_ike *alg_info_ike;
-    /*
-     * alg_info storage should be sized dynamically
-     * but this may require 2passes to know
-     * transform count in advance.
-     */
-    alg_info_ike = alloc_thing (struct alg_info_ike, "alg_info_ike");
-    alg_info_ike->alg_info_protoid = PROTO_ISAKMP;
-
-    if (alg_info_parse_str((struct alg_info *)alg_info_ike,
-			   alg_str, err_p) < 0)
-    {
-	pfreeany(alg_info_ike);
-	return NULL;
-    }
-    return alg_info_ike;
+	struct alg_info_ike *alg_info_ike;
+	/*
+	 * alg_info storage should be sized dynamically
+	 * but this may require 2passes to know
+	 * transform count in advance.
+	 */
+	alg_info_ike = malloc_thing (struct alg_info_ike);
+	zero(alg_info_ike);
+	alg_info_ike->alg_info_protoid = PROTO_ISAKMP;
+
+	if (alg_info_parse_str((struct alg_info *)alg_info_ike, alg_str) != SUCCESS)
+	{
+		free(alg_info_ike);
+		return NULL;
+	}
+	return alg_info_ike;
 }
-#endif
 
 /*
- * 	alg_info struct can be shared by
- * 	several connections instances,
- * 	handle free() with ref_cnts
+ *      alg_info struct can be shared by
+ *      several connections instances,
+ *      handle free() with ref_cnts
  */
 void 
 alg_info_addref(struct alg_info *alg_info)
 {
-    if (alg_info != NULL)
-    {
-	alg_info->ref_cnt++;
-	DBG(DBG_CRYPT,
-	    DBG_log("alg_info_addref() alg_info->ref_cnt=%d"
-		, alg_info->ref_cnt)
-	)
-    }
+	if (alg_info != NULL)
+	{
+		alg_info->ref_cnt++;
+	}
 }
 
 void
 alg_info_delref(struct alg_info **alg_info_p)
 {
-    struct alg_info *alg_info = *alg_info_p;
+	struct alg_info *alg_info = *alg_info_p;
 
-    if (alg_info != NULL)
-    {
-	passert(alg_info->ref_cnt != 0);
-	alg_info->ref_cnt--;
-	DBG(DBG_CRYPT,
-	    DBG_log("alg_info_delref() alg_info->ref_cnt=%d"
-		, alg_info->ref_cnt)
-	)
-	if (alg_info->ref_cnt == 0)
+	if (alg_info != NULL)
 	{
-	    DBG(DBG_CRYPT,
-		DBG_log("alg_info_delref() freeing alg_info")
-	    )
-	    alg_info_free(alg_info);
+		passert(alg_info->ref_cnt != 0);
+		alg_info->ref_cnt--;
+		if (alg_info->ref_cnt == 0)
+		{
+			alg_info_free(alg_info);
+		}
+		*alg_info_p = NULL;
 	}
-	*alg_info_p = NULL;
-    }
 }
 
 /* snprint already parsed transform list (alg_info) */
 int
 alg_info_snprint(char *buf, int buflen, struct alg_info *alg_info)
 {
-    char *ptr = buf;
-    int np = 0;
-    struct esp_info *esp_info;
-#ifndef NO_PLUTO
-    struct ike_info *ike_info;
-#endif
-    int cnt;
-	
-    switch (alg_info->alg_info_protoid) {
-    case PROTO_IPSEC_ESP:
-	{
-	    struct alg_info_esp *alg_info_esp = (struct alg_info_esp *)alg_info;
+	char *ptr = buf;
+	int np = 0;
+	struct esp_info *esp_info;
+	struct ike_info *ike_info;
+	int cnt;
+		
+	switch (alg_info->alg_info_protoid) {
+	case PROTO_IPSEC_ESP:
+		{
+			struct alg_info_esp *alg_info_esp = (struct alg_info_esp *)alg_info;
+
+			ALG_INFO_ESP_FOREACH(alg_info_esp, esp_info, cnt)
+			{
+				np = snprintf(ptr, buflen, "%s",
+						enum_show(&esp_transformid_names, esp_info->esp_ealg_id));
+				ptr += np;
+				buflen -= np;
+				if (esp_info->esp_ealg_keylen)
+				{
+					np = snprintf(ptr, buflen, "_%u", esp_info->esp_ealg_keylen);
+					ptr += np;
+					buflen -= np;
+				}
+				np = snprintf(ptr, buflen, "/%s, ",
+						enum_show(&auth_alg_names, esp_info->esp_aalg_id));
+				ptr += np;
+				buflen -= np;
+				if (buflen < 0)
+					goto out;
+			}
+			if (alg_info_esp->esp_pfsgroup)
+			{
+				np = snprintf(ptr, buflen, "; pfsgroup=%s; ",
+						enum_show(&oakley_group_names, alg_info_esp->esp_pfsgroup));
+				ptr += np;
+				buflen -= np;
+				if (buflen < 0)
+					goto out;
+			}
+			break;
+		}
 
-	    ALG_INFO_ESP_FOREACH(alg_info_esp, esp_info, cnt)
-	    {
-		np = snprintf(ptr, buflen, "%d_%03d-%d, "
-			, esp_info->esp_ealg_id
-			, (int)esp_info->esp_ealg_keylen
-			, esp_info->esp_aalg_id);
-		ptr += np;
-		buflen -= np;
-		if (buflen < 0)
-		    goto out;
-	    }
-	    if (alg_info_esp->esp_pfsgroup)
-	    {
-		np = snprintf(ptr, buflen, "; pfsgroup=%d; "
-			, alg_info_esp->esp_pfsgroup);
+	case PROTO_ISAKMP:
+		ALG_INFO_IKE_FOREACH((struct alg_info_ike *)alg_info, ike_info, cnt)
+		{
+			np = snprintf(ptr, buflen, "%s",
+					enum_show(&oakley_enc_names, ike_info->ike_ealg));
+			ptr += np;
+			buflen -= np;
+			if (ike_info->ike_eklen)
+			{
+				np = snprintf(ptr, buflen, "_%u", ike_info->ike_eklen);
+				ptr += np;
+				buflen -= np;
+			}
+			np = snprintf(ptr, buflen, "/%s/%s, ",
+					enum_show(&oakley_hash_names, ike_info->ike_halg),
+					enum_show(&oakley_group_names, ike_info->ike_modp));
+			ptr += np;
+			buflen -= np;
+			if (buflen < 0)
+				goto out;
+		}
+		break;
+	default:
+		np = snprintf(buf, buflen, "INVALID protoid=%d\n"
+				, alg_info->alg_info_protoid);
 		ptr += np;
 		buflen -= np;
-		if (buflen < 0)
-		    goto out;
-	    }
-	    break;
-	}
-#ifndef NO_PLUTO
-    case PROTO_ISAKMP:
-	ALG_INFO_IKE_FOREACH((struct alg_info_ike *)alg_info, ike_info, cnt)
-	{
-	    np = snprintf(ptr, buflen, "%d_%03d-%d-%d, "
-		    , ike_info->ike_ealg
-		    , (int)ike_info->ike_eklen
-		    , ike_info->ike_halg
-		    , ike_info->ike_modp);
-	    ptr += np;
-	    buflen -= np;
-	    if (buflen < 0)
 		goto out;
-	}
-	break;
-#endif
-    default:
-	np = snprintf(buf, buflen, "INVALID protoid=%d\n"
-		, alg_info->alg_info_protoid);
-	ptr += np;
-	buflen -= np;
-	goto out;
    }
 
    np = snprintf(ptr, buflen, "%s"
-	    , alg_info->alg_info_flags & ALG_INFO_F_STRICT?
-	    "strict":"");
+			, alg_info->alg_info_flags & ALG_INFO_F_STRICT?
+			"strict":"");
    ptr += np;
    buflen -= np;
 out:
-    if (buflen < 0)
-    {
-	loglog(RC_LOG_SERIOUS
-	    , "buffer space exhausted in alg_info_snprint_ike(), buflen=%d"
-	    , buflen);
-    }
-	
-    return ptr - buf;
+	if (buflen < 0)
+	{
+		loglog(RC_LOG_SERIOUS
+			, "buffer space exhausted in alg_info_snprint_ike(), buflen=%d"
+			, buflen);
+	}
+		
+	return ptr - buf;
 }
 
-#ifndef NO_PLUTO
-int
-alg_info_snprint_esp(char *buf, int buflen, struct alg_info_esp *alg_info)
+int alg_info_snprint_esp(char *buf, int buflen, struct alg_info_esp *alg_info)
 {
-    char *ptr = buf;
+	char *ptr = buf;
 
-    int cnt = alg_info->alg_info_cnt;
-    struct esp_info *esp_info = alg_info->esp;
+	int cnt = alg_info->alg_info_cnt;
+	struct esp_info *esp_info = alg_info->esp;
 
-    while (cnt--)
-    {
-	if (kernel_alg_esp_enc_ok(esp_info->esp_ealg_id, 0, NULL)
-	&&  kernel_alg_esp_auth_ok(esp_info->esp_aalg_id, NULL))
+	while (cnt--)
 	{
-	    u_int eklen = (esp_info->esp_ealg_keylen)
-		    ? esp_info->esp_ealg_keylen
-		    : kernel_alg_esp_enc_keylen(esp_info->esp_ealg_id)
-			    * BITS_PER_BYTE;
-
-	    u_int aklen = esp_info->esp_aalg_keylen
-		    ? esp_info->esp_aalg_keylen
-		    : kernel_alg_esp_auth_keylen(esp_info->esp_aalg_id)
-			    * BITS_PER_BYTE;
-
-	    int ret = snprintf(ptr, buflen, "%d_%03d-%d_%03d, ",
-			   esp_info->esp_ealg_id, eklen,
-			   esp_info->esp_aalg_id, aklen);
-	    ptr += ret;
-	    buflen -= ret;
-	    if (buflen < 0)
-	 	break;
+		if (kernel_alg_esp_enc_ok(esp_info->esp_ealg_id, 0, NULL)
+		&&  kernel_alg_esp_auth_ok(esp_info->esp_aalg_id, NULL))
+		{
+			u_int eklen = (esp_info->esp_ealg_keylen)
+					? esp_info->esp_ealg_keylen
+					: kernel_alg_esp_enc_keylen(esp_info->esp_ealg_id)
+							* BITS_PER_BYTE;
+
+			u_int aklen = esp_info->esp_aalg_keylen
+					? esp_info->esp_aalg_keylen
+					: kernel_alg_esp_auth_keylen(esp_info->esp_aalg_id)
+							* BITS_PER_BYTE;
+
+			int ret = snprintf(ptr, buflen, "%d_%03d-%d_%03d, ",
+						   esp_info->esp_ealg_id, eklen,
+						   esp_info->esp_aalg_id, aklen);
+			ptr += ret;
+			buflen -= ret;
+			if (buflen < 0)
+				break;
+		}
+		esp_info++;
 	}
-	esp_info++;
-    }
-    return ptr - buf;
+	return ptr - buf;
 }
 
-int
-alg_info_snprint_ike(char *buf, int buflen, struct alg_info_ike *alg_info)
+int alg_info_snprint_ike(char *buf, int buflen, struct alg_info_ike *alg_info)
 {
-    char *ptr = buf;
-
-    int cnt = alg_info->alg_info_cnt;
-    struct ike_info *ike_info = alg_info->ike;
+	char *ptr = buf;
 
-    while (cnt--)
-    {
-	struct encrypt_desc *enc_desc = ike_alg_get_encrypter(ike_info->ike_ealg);
-	struct hash_desc *hash_desc = ike_alg_get_hasher(ike_info->ike_halg);
+	int cnt = alg_info->alg_info_cnt;
+	struct ike_info *ike_info = alg_info->ike;
 
-	if (enc_desc != NULL &&  hash_desc != NULL
-	&& lookup_group(ike_info->ike_modp))
+	while (cnt--)
 	{
+		struct encrypt_desc *enc_desc = ike_alg_get_crypter(ike_info->ike_ealg);
+		struct hash_desc *hash_desc = ike_alg_get_hasher(ike_info->ike_halg);
+		struct dh_desc *dh_desc = ike_alg_get_dh_group(ike_info->ike_modp);
 
-	    u_int eklen = (ike_info->ike_eklen)
-			? ike_info->ike_eklen
-			: enc_desc->keydeflen;
-
-	    u_int aklen = (ike_info->ike_hklen)
-			? ike_info->ike_hklen
-			: hash_desc->hash_digest_size * BITS_PER_BYTE;
+		if (enc_desc &&  hash_desc && dh_desc)
+		{
 
-	    int ret = snprintf(ptr, buflen, "%d_%03d-%d_%03d-%d, ",
-			   ike_info->ike_ealg, eklen,
-			   ike_info->ike_halg, aklen,
-			   ike_info->ike_modp);
-	    ptr += ret;
-	    buflen -= ret;
-	    if (buflen < 0)
-		break;
+			u_int eklen = (ike_info->ike_eklen)
+						? ike_info->ike_eklen
+						: enc_desc->keydeflen;
+
+			u_int aklen = (ike_info->ike_hklen)
+						? ike_info->ike_hklen
+						: hash_desc->hash_digest_size * BITS_PER_BYTE;
+
+			int ret = snprintf(ptr, buflen, "%d_%03d-%d_%03d-%d, ",
+						   ike_info->ike_ealg, eklen,
+						   ike_info->ike_halg, aklen,
+						   ike_info->ike_modp);
+			ptr += ret;
+			buflen -= ret;
+			if (buflen < 0)
+				break;
+		}
+		ike_info++;
 	}
-	ike_info++;
-    }
-    return ptr - buf;
+	return ptr - buf;
 }
-#endif /* NO_PLUTO */
+
diff --git a/src/pluto/alg_info.h b/src/pluto/alg_info.h
index cacc2a354..fcf7efca0 100644
--- a/src/pluto/alg_info.h
+++ b/src/pluto/alg_info.h
@@ -10,76 +10,71 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: alg_info.h 3252 2007-10-06 21:24:50Z andreas $
  */
 
 #ifndef ALG_INFO_H
 #define ALG_INFO_H
 
 struct esp_info {
-	u_int8_t transid;	/* ESP transform */
-	u_int16_t auth;		/* AUTH */
-	size_t enckeylen;	/* keylength for ESP transform */
-	size_t authkeylen;	/* keylength for AUTH */
-	u_int8_t encryptalg;	/* normally  encryptalg=transid */
-	u_int8_t authalg;	/* normally  authalg=auth+1 */
+		u_int8_t transid;       /* ESP transform */
+		u_int16_t auth;         /* AUTH */
+		size_t enckeylen;       /* keylength for ESP transform */
+		size_t authkeylen;      /* keylength for AUTH */
+		u_int8_t encryptalg;    /* normally  encryptalg=transid */
+		u_int8_t authalg;       /* normally  authalg=auth+1 */
 };
 
 struct ike_info {
-	u_int16_t ike_ealg;	/* high 16 bit nums for reserved */
-	u_int8_t ike_halg;
-	size_t ike_eklen;
-	size_t ike_hklen;
-	u_int16_t ike_modp;
+		u_int16_t ike_ealg;     /* high 16 bit nums for reserved */
+		u_int8_t ike_halg;
+		size_t ike_eklen;
+		size_t ike_hklen;
+		u_int16_t ike_modp;
 };
 
 #define ALG_INFO_COMMON \
-	int alg_info_cnt;		\
-	int ref_cnt;			\
-	unsigned alg_info_flags;	\
-	unsigned alg_info_protoid
+		int alg_info_cnt;               \
+		int ref_cnt;                    \
+		unsigned alg_info_flags;        \
+		unsigned alg_info_protoid
 
 struct alg_info {
-	ALG_INFO_COMMON;
+		ALG_INFO_COMMON;
 };
 
 struct alg_info_esp {
-	ALG_INFO_COMMON;
-	struct esp_info esp[64];
-	int esp_pfsgroup;
+		ALG_INFO_COMMON;
+		struct esp_info esp[64];
+		int esp_pfsgroup;
 };
 
 struct alg_info_ike {
-	ALG_INFO_COMMON;
-	struct ike_info ike[64];
+		ALG_INFO_COMMON;
+		struct ike_info ike[64];
 };
 #define esp_ealg_id transid
 #define esp_aalg_id auth
-#define esp_ealg_keylen enckeylen	/* bits */
-#define esp_aalg_keylen authkeylen	/* bits */
+#define esp_ealg_keylen enckeylen       /* bits */
+#define esp_aalg_keylen authkeylen      /* bits */
 
-/*	alg_info_flags bits */
-#define ALG_INFO_F_STRICT	0x01
+/*      alg_info_flags bits */
+#define ALG_INFO_F_STRICT       0x01
 
 extern int alg_info_esp_aa2sadb(int auth);
 extern int alg_info_esp_sadb2aa(int sadb_aalg);
 extern void alg_info_free(struct alg_info *alg_info);
 extern void alg_info_addref(struct alg_info *alg_info);
 extern void alg_info_delref(struct alg_info **alg_info);
-extern struct alg_info_esp* alg_info_esp_create_from_str(const char *alg_str
-    , const char **err_p);
-extern struct alg_info_ike* alg_info_ike_create_from_str(const char *alg_str
-    , const char **err_p);
+extern struct alg_info_esp* alg_info_esp_create_from_str(char *alg_str);
+extern struct alg_info_ike* alg_info_ike_create_from_str(char *alg_str);
 extern int alg_info_parse(const char *str);
-extern int alg_info_snprint(char *buf, int buflen
-    , struct alg_info *alg_info);
+extern int alg_info_snprint(char *buf, int buflen, struct alg_info *alg_info);
 extern int alg_info_snprint_esp(char *buf, int buflen
-    , struct alg_info_esp *alg_info);
+	, struct alg_info_esp *alg_info);
 extern int alg_info_snprint_ike(char *buf, int buflen
-    , struct alg_info_ike *alg_info);
+	, struct alg_info_ike *alg_info);
 #define ALG_INFO_ESP_FOREACH(ai, ai_esp, i) \
-	for (i=(ai)->alg_info_cnt,ai_esp=(ai)->esp; i--; ai_esp++) 
+		for (i=(ai)->alg_info_cnt,ai_esp=(ai)->esp; i--; ai_esp++) 
 #define ALG_INFO_IKE_FOREACH(ai, ai_ike, i) \
-	for (i=(ai)->alg_info_cnt,ai_ike=(ai)->ike; i--; ai_ike++) 
+		for (i=(ai)->alg_info_cnt,ai_ike=(ai)->ike; i--; ai_ike++) 
 #endif /* ALG_INFO_H */
diff --git a/src/pluto/asn1.c b/src/pluto/asn1.c
deleted file mode 100644
index 529f597fb..000000000
--- a/src/pluto/asn1.c
+++ /dev/null
@@ -1,787 +0,0 @@
-/* Simple ASN.1 parser
- * Copyright (C) 2000-2004 Andreas Steffen, Zuercher Hochschule Winterthur
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- *
- * RCSID $Id: asn1.c 5041 2009-03-27 08:58:48Z andreas $
- */
-
-#include <stdlib.h>
-#include <string.h>
-#include <time.h>
-
-#include <freeswan.h>
-
-#include "constants.h"
-#include "defs.h"
-#include "mp_defs.h"
-#include "asn1.h"
-#include <asn1/oid.h>
-#include "log.h"
-
-/* some common prefabricated ASN.1 constants */
-
-static u_char ASN1_INTEGER_0_str[] = { 0x02, 0x00 };
-static u_char ASN1_INTEGER_1_str[] = { 0x02, 0x01, 0x01 };
-static u_char ASN1_INTEGER_2_str[] = { 0x02, 0x01, 0x02 };
-
-const chunk_t ASN1_INTEGER_0 = strchunk(ASN1_INTEGER_0_str);
-const chunk_t ASN1_INTEGER_1 = strchunk(ASN1_INTEGER_1_str);
-const chunk_t ASN1_INTEGER_2 = strchunk(ASN1_INTEGER_2_str);
-
-/* some popular algorithmIdentifiers */
-
-static u_char ASN1_md5_id_str[] = {
-    0x30, 0x0C,
-          0x06, 0x08, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x02, 0x05,
-	  0x05, 0x00
-};
-
-static u_char ASN1_sha1_id_str[] = {
-    0x30, 0x09,
-	  0x06, 0x05, 0x2B, 0x0E,0x03, 0x02, 0x1A,
-	  0x05, 0x00
-};
-
-static u_char ASN1_md5WithRSA_id_str[] = {
-    0x30, 0x0D,
-	  0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x04,
-	  0x05, 0x00
-};
-
-static u_char ASN1_sha1WithRSA_id_str[] = {
-    0x30, 0x0D,
-	  0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x05,
-	  0x05, 0x00
-};
-
-static u_char ASN1_rsaEncryption_id_str[] = {
-    0x30, 0x0D,
-	  0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01,
-	  0x05, 0x00
-};
-
-const chunk_t ASN1_md5_id = strchunk(ASN1_md5_id_str);
-const chunk_t ASN1_sha1_id = strchunk(ASN1_sha1_id_str);
-const chunk_t ASN1_rsaEncryption_id = strchunk(ASN1_rsaEncryption_id_str);
-const chunk_t ASN1_md5WithRSA_id = strchunk(ASN1_md5WithRSA_id_str);
-const chunk_t ASN1_sha1WithRSA_id = strchunk(ASN1_sha1WithRSA_id_str);
-
-/* ASN.1 definition of an algorithmIdentifier */
-
-static const asn1Object_t algorithmIdentifierObjects[] = {
-  { 0, "algorithmIdentifier",	ASN1_SEQUENCE,	ASN1_NONE }, /* 0 */
-  { 1,   "algorithm",		ASN1_OID,	ASN1_BODY }, /* 1 */
-  { 1,   "parameters",		ASN1_EOC,	ASN1_OPT |
-						ASN1_RAW  }, /* 2 */
-  { 1,   "end opt",		ASN1_EOC,	ASN1_END  }  /* 3 */
-};
-
-#define ALGORITHM_ID_ALG		1
-#define ALGORITHM_ID_PARAMETERS		2
-#define ALGORITHM_ID_ROOF		4
-
-/*
- * return the ASN.1 encoded algorithm identifier
- */
-chunk_t
-asn1_algorithmIdentifier(int oid)
-{
-    switch (oid)
-    {
-    case OID_RSA_ENCRYPTION:
-	return ASN1_rsaEncryption_id;
-    case OID_MD5_WITH_RSA:
-	return ASN1_md5WithRSA_id;
-    case OID_SHA1_WITH_RSA:
-	return ASN1_sha1WithRSA_id;
-    case OID_MD5:
-	return ASN1_md5_id;
-   case OID_SHA1:
-	return ASN1_sha1_id;
-   default:
-	return empty_chunk;
-    }
-}
-
-/*  If the oid is listed in the oid_names table then the corresponding
- *  position in the oid_names table is returned otherwise -1 is returned
- */
-int
-known_oid(chunk_t object)
-{
-    int oid = 0;
-
-    while (object.len)
-    {
-	if (oid_names[oid].octet == *object.ptr)
-	{
-	    if (--object.len == 0 || oid_names[oid].down == 0)
-	    {
-		return oid;          /* found terminal symbol */
-	    }
-	    else
-	    {
-		object.ptr++; oid++; /* advance to next hex octet */
-	    }
-	}
-	else
-	{
-	    if (oid_names[oid].next)
-		oid = oid_names[oid].next;
-	    else
-		return OID_UNKNOWN;
-	}
-    }
-    return -1;
-}
-
-/*
- *  Decodes the length in bytes of an ASN.1 object
- */
-u_int
-asn1_length(chunk_t *blob)
-{
-    u_char n;
-    size_t len;
-
-    /* advance from tag field on to length field */
-    blob->ptr++;
-    blob->len--;
-
-    /* read first octet of length field */
-    n = *blob->ptr++;
-    blob->len--;
-
-    if ((n & 0x80) == 0) /* single length octet */
-	return n;
-
-    /* composite length, determine number of length octets */
-    n &= 0x7f;
-
-    if (n > blob->len)
-    {
-	DBG(DBG_PARSING,
-	    DBG_log("number of length octets is larger than ASN.1 object")
-	)
-	return ASN1_INVALID_LENGTH;
-    }
-
-    if (n > sizeof(len))
-    {
-	DBG(DBG_PARSING,
-	    DBG_log("number of length octets is larger than limit of %d octets"
-		, (int)sizeof(len))
-	)
-	return ASN1_INVALID_LENGTH;
-    }
-
-    len = 0;
-    
-    while (n-- > 0)
-    {
-	len = 256*len + *blob->ptr++;
-	blob->len--;
-    }
-    return len;
-}
-
-/*
- * codes ASN.1 lengths up to a size of 16'777'215 bytes
- */
-void
-code_asn1_length(size_t length, chunk_t *code)
-{
-    if (length < 128)
-    {
-	code->ptr[0] = length;
-	code->len = 1;
-    }
-    else if (length < 256)
-    {
-	code->ptr[0] = 0x81;
-	code->ptr[1] = (u_char) length;
-	code->len = 2;
-    }
-    else if (length < 65536)
-    {
-	code->ptr[0] = 0x82;
-	code->ptr[1] = length >> 8;
-	code->ptr[2] = length & 0x00ff;
-	code->len = 3;
-    }
-    else
-    {
-	code->ptr[0] = 0x83;
-	code->ptr[1] = length >> 16;
-	code->ptr[2] = (length >> 8) & 0x00ff;
-	code->ptr[3] = length & 0x0000ff;
-	code->len = 4;
-    }
-}
-
-/*
- * build an empty asn.1 object with tag and length fields already filled in
- */
-u_char*
-build_asn1_object(chunk_t *object, asn1_t type, size_t datalen)
-{
-    u_char length_buf[4];
-    chunk_t length = { length_buf, 0 };
-    u_char *pos;
-
-    /* code the asn.1 length field */
-    code_asn1_length(datalen, &length);
-
-    /* allocate memory for the asn.1 TLV object */
-    object->len = 1 + length.len + datalen;
-    object->ptr = alloc_bytes(object->len, "asn1 object");
-
-    /* set position pointer at the start of the object */
-    pos = object->ptr;
-
-    /* copy the asn.1 tag field and advance the pointer */
-   *pos++ = type;
-   
-   /* copy the asn.1 length field and advance the pointer */
-   chunkcpy(pos, length);
-
-   return pos;
-}
-
-/*
- * build a simple ASN.1 object
- */
-chunk_t
-asn1_simple_object(asn1_t tag, chunk_t content)
-{
-    chunk_t object;
-
-    u_char *pos = build_asn1_object(&object, tag, content.len);
-    chunkcpy(pos, content);
-
-    return object;
-}
-
-/* Build an ASN.1 object from a variable number of individual chunks.
- * Depending on the mode, chunks either are moved ('m') or copied ('c').
- */
-chunk_t
-asn1_wrap(asn1_t type, const char *mode, ...)
-{
-    chunk_t construct;
-    va_list chunks;
-    u_char *pos;
-    int i;
-    int count = strlen(mode);
-	
-    /* sum up lengths of individual chunks */ 
-    va_start(chunks, mode);
-    construct.len = 0;
-    for (i = 0; i < count; i++)
-    {
-        chunk_t ch = va_arg(chunks, chunk_t);
-	construct.len += ch.len;
-    }
-    va_end(chunks);
-
-    /* allocate needed memory for construct */
-    pos = build_asn1_object(&construct, type, construct.len);
-
-    /* copy or move the chunks */
-    va_start(chunks, mode);
-    for (i = 0; i < count; i++)
-    {
-	chunk_t ch = va_arg(chunks, chunk_t);
-
-	switch (*mode++)
-	{
-	case 'm':
-	    mv_chunk(&pos, ch);
-	    break;
-	case 'c':
-	default:
-	    chunkcpy(pos, ch);
-	}
-    }
-    va_end(chunks);
-
-    return construct;
-}
-
-/*
- * convert a MP integer into a DER coded ASN.1 object
- */
-chunk_t
-asn1_integer_from_mpz(const mpz_t value)
-{
-    size_t bits = mpz_sizeinbase(value, 2);  /* size in bits */
-    size_t size = 1 + bits / BITS_PER_BYTE;  /* size in bytes */
-    chunk_t n = mpz_to_n(value, size);
-
-    return asn1_wrap(ASN1_INTEGER, "m", n);
-}
-
-/*
- *  determines if a character string is of type ASN.1 printableString
- */
-bool
-is_printablestring(chunk_t str)
-{
-    const char printablestring_charset[] =
-	"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 '()+,-./:=?";
-    u_int i;
-
-    for (i = 0; i < str.len; i++)
-    {
-	if (strchr(printablestring_charset, str.ptr[i]) == NULL)
-	    return FALSE;
-    }
-    return TRUE;
-}
-
-#define TIME_MAX	0x7fffffff
-
-/*
- *  Converts ASN.1 UTCTIME or GENERALIZEDTIME into calender time
- */
-time_t
-asn1totime(const chunk_t *utctime, asn1_t type)
-{
-    struct tm t;
-    time_t tc, tz_offset;
-    u_char *eot = NULL;
-
-    if ((eot = memchr(utctime->ptr, 'Z', utctime->len)) != NULL)
-    {
-	tz_offset = 0; /* Zulu time with a zero time zone offset */
-    }
-    else if ((eot = memchr(utctime->ptr, '+', utctime->len)) != NULL)
-    {
-	int tz_hour, tz_min;
-
-	sscanf(eot+1, "%2d%2d", &tz_hour, &tz_min);
-	tz_offset = 3600*tz_hour + 60*tz_min;  /* positive time zone offset */
-    }
-    else if ((eot = memchr(utctime->ptr, '-', utctime->len)) != NULL)
-    {
-	int tz_hour, tz_min;
-
-	sscanf(eot+1, "%2d%2d", &tz_hour, &tz_min);
-	tz_offset = -3600*tz_hour - 60*tz_min;  /* negative time zone offset */
-    }
-    else
-    {
-	return 0; /* error in time format */
-    }
-
-    /* parse ASN.1 time string */
-    {
-	const char* format = (type == ASN1_UTCTIME)? "%2d%2d%2d%2d%2d":
-						     "%4d%2d%2d%2d%2d";
-
-	sscanf(utctime->ptr, format, &t.tm_year, &t.tm_mon, &t.tm_mday,
-				     &t.tm_hour, &t.tm_min);
-    }
-
-    /* is there a seconds field? */
-    if ((eot - utctime->ptr) == ((type == ASN1_UTCTIME)?12:14))
-    {
-	sscanf(eot-2, "%2d", &t.tm_sec);
-    }
-    else
-    {
-	t.tm_sec = 0;
-    }
-
-    /* representation of year */
-    if (t.tm_year >= 1900)
-    {
-	t.tm_year -= 1900;
-    }
-    else if (t.tm_year >= 100)
-    {
-	return 0;
-    }
-    else if (t.tm_year < 50)
-    {
-	t.tm_year += 100;
-    }
-
-    /* representation of month 0..11*/
-    t.tm_mon--;
-
-    /* set daylight saving time to off */
-    t.tm_isdst = 0;
-
-    /* convert to time_t */
-    tc = mktime(&t);
-
-    /* if no conversion overflow occurred, compensate timezone */
-    return (tc == -1) ? TIME_MAX : (tc - timezone - tz_offset);
-}
-
-/*
- *  convert a date into ASN.1 UTCTIME or GENERALIZEDTIME format
- */
-chunk_t
-timetoasn1(const time_t *time, asn1_t type)
-{
-    int offset;
-    const char *format;
-    char buf[TIMETOA_BUF];
-    chunk_t formatted_time;
-    struct tm *t = gmtime(time);
-
-    if (type == ASN1_GENERALIZEDTIME)
-    {
-	format = "%04d%02d%02d%02d%02d%02dZ";
-	offset = 1900;
-    }
-    else /* ASN1_UTCTIME */
-    {
-	format = "%02d%02d%02d%02d%02d%02dZ";
-	offset = (t->tm_year < 100)? 0 : -100;
-    }
-    sprintf(buf, format, t->tm_year + offset, t->tm_mon + 1, t->tm_mday
-	  	       , t->tm_hour, t->tm_min, t->tm_sec);
-    formatted_time.ptr = buf;
-    formatted_time.len = strlen(buf);
-    return asn1_simple_object(type, formatted_time);
-}
-
-
-/*
- * Initializes the internal context of the ASN.1 parser
- */
-void
-asn1_init(asn1_ctx_t *ctx, chunk_t blob, u_int level0,
-	bool implicit, u_int cond)
-{
-    ctx->blobs[0] = blob;
-    ctx->level0   = level0;
-    ctx->implicit = implicit;
-    ctx->cond     = cond;
-    memset(ctx->loopAddr, '\0', sizeof(ctx->loopAddr));
-}
-
-/*
- * print the value of an ASN.1 simple object
- */
-static void
-debug_asn1_simple_object(chunk_t object, asn1_t type, u_int cond)
-{
-    int oid;
-
-    switch (type)
-    {
-    case ASN1_OID:
-	oid = known_oid(object);
-	if (oid != OID_UNKNOWN)
-	{
-	    DBG(DBG_PARSING,
-		DBG_log("  '%s'",oid_names[oid].name);
-	    )
-	    return;
-	}
-	break;
-    case ASN1_UTF8STRING:
-    case ASN1_IA5STRING:
-    case ASN1_PRINTABLESTRING:
-    case ASN1_T61STRING:
-    case ASN1_VISIBLESTRING:
-	DBG(DBG_PARSING,
-	    DBG_log("  '%.*s'", (int)object.len, object.ptr);
-	)
-	return;
-    case ASN1_UTCTIME:
-    case ASN1_GENERALIZEDTIME:
-	DBG(DBG_PARSING,
-	    time_t time = asn1totime(&object, type);
-	    DBG_log("  '%s'", timetoa(&time, TRUE));
-	)
-	return;
-    default:
-	 break;
-    }
-    DBG(cond,
-	DBG_dump_chunk("", object);
-    )
-}
-
-/*
- * Parses and extracts the next ASN.1 object
- */
-bool
-extract_object(asn1Object_t const *objects,
-	u_int *objectID, chunk_t *object, u_int *level, asn1_ctx_t *ctx)
-{
-    asn1Object_t obj = objects[*objectID];
-    chunk_t *blob;
-    chunk_t *blob1;
-    u_char *start_ptr;
-
-    *object = empty_chunk;
-
-    if (obj.flags & ASN1_END)  /* end of loop or option found */
-    {
-	if (ctx->loopAddr[obj.level] && ctx->blobs[obj.level+1].len > 0)
-	{
-	    *objectID = ctx->loopAddr[obj.level]; /* another iteration */
-	    obj = objects[*objectID];
-	}
-	else
-	{
-	    ctx->loopAddr[obj.level] = 0;         /* exit loop or option*/
-	    return TRUE;
-	}
-    }
-
-    *level = ctx->level0 + obj.level;
-    blob = ctx->blobs + obj.level;
-    blob1 = blob + 1;
-    start_ptr = blob->ptr;
-
-   /* handle ASN.1 defaults values */
-
-    if ((obj.flags & ASN1_DEF)
-    && (blob->len == 0 || *start_ptr != obj.type) )
-    {
-	/* field is missing */
-	DBG(DBG_PARSING,
-	    DBG_log("L%d - %s:", *level, obj.name);
-	)
-	if (obj.type & ASN1_CONSTRUCTED)
-	{
-	    (*objectID)++ ;  /* skip context-specific tag */
-	}
-	return TRUE;
-    }
-
-    /* handle ASN.1 options */
-
-    if ((obj.flags & ASN1_OPT)
-    && (blob->len == 0 || *start_ptr != obj.type))
-    {
-        /* advance to end of missing option field */
-	do
-	    (*objectID)++;
-	while (!((objects[*objectID].flags & ASN1_END)
-	      && (objects[*objectID].level == obj.level)));
-	return TRUE;
-    }
-
-    /* an ASN.1 object must possess at least a tag and length field */
-
-    if (blob->len < 2)
-    {
-	DBG(DBG_PARSING,
-	    DBG_log("L%d - %s:  ASN.1 object smaller than 2 octets",
-		    *level, obj.name);
-	)
-	return FALSE;
-    }
-
-    blob1->len = asn1_length(blob);
-
-    if (blob1->len == ASN1_INVALID_LENGTH || blob->len < blob1->len)
-    {
-	DBG(DBG_PARSING,
-	    DBG_log("L%d - %s:  length of ASN.1 object invalid or too large",
-		    *level, obj.name);
-	)
-	return FALSE;
-    }
-
-    blob1->ptr = blob->ptr;
-    blob->ptr += blob1->len;
-    blob->len -= blob1->len;
-
-    /* return raw ASN.1 object without prior type checking */
-
-    if (obj.flags & ASN1_RAW)
-    {
-	DBG(DBG_PARSING,
-	    DBG_log("L%d - %s:", *level, obj.name);
-        )
-	object->ptr = start_ptr;
-	object->len = (size_t)(blob->ptr - start_ptr);
-	return TRUE;
-    }
-
-    if (*start_ptr != obj.type && !(ctx->implicit && *objectID == 0))
-    {
-	DBG(DBG_PARSING,
-	    DBG_log("L%d - %s: ASN1 tag 0x%02x expected, but is 0x%02x",
-		*level, obj.name, obj.type, *start_ptr);
-	    DBG_dump("", start_ptr, (u_int)(blob->ptr - start_ptr));
-	)
-	return FALSE;
-    }
-
-    DBG(DBG_PARSING,
-	DBG_log("L%d - %s:", ctx->level0+obj.level, obj.name);
-    )
-
-    /* In case of "SEQUENCE OF" or "SET OF" start a loop */
-
-    if (obj.flags & ASN1_LOOP)
-    {
-	if (blob1->len > 0)
-	{
-	    /* at least one item, start the loop */
-	    ctx->loopAddr[obj.level] = *objectID + 1;
-	}
-	else
-	{
-	    /* no items, advance directly to end of loop */
-	    do
-		(*objectID)++;
-	    while (!((objects[*objectID].flags & ASN1_END)
-		  && (objects[*objectID].level == obj.level)));
-	    return TRUE;
-	}
-    }
-
-    if (obj.flags & ASN1_OBJ)
-    {
-	object->ptr = start_ptr;
-	object->len = (size_t)(blob->ptr - start_ptr);
-	DBG(ctx->cond,
-	    DBG_dump_chunk("", *object);
-	)
-    }
-    else if (obj.flags & ASN1_BODY)
-    {
-	*object = *blob1;
-	debug_asn1_simple_object(*object, obj.type, ctx->cond);
-    }
-    return TRUE;
-}
-
-/*
- * parse an ASN.1 simple type
- */
-bool
-parse_asn1_simple_object(chunk_t *object, asn1_t type, u_int level
-, const char* name)
-{
-    size_t len;
-
-    /* an ASN.1 object must possess at least a tag and length field */
-    if (object->len < 2)
-    {
-	DBG(DBG_PARSING,
-	    DBG_log("L%d - %s:  ASN.1 object smaller than 2 octets",
-		    level, name);
-	)
-	return FALSE;
-    }
-
-    if (*object->ptr != type)
-    {
-	DBG(DBG_PARSING,
-	    DBG_log("L%d - %s: ASN1 tag 0x%02x expected, but is 0x%02x",
-		level, name, type, *object->ptr);
-	)
-	return FALSE;
-    }
-
-    len = asn1_length(object);
-
-    if (len == ASN1_INVALID_LENGTH || object->len < len)
-    {
-	DBG(DBG_PARSING,
-	    DBG_log("L%d - %s:  length of ASN.1 object invalid or too large",
-		    level, name);
-	)
-	return FALSE;
-    }
-
-    DBG(DBG_PARSING,
-	DBG_log("L%d - %s:", level, name);
-    )
-    debug_asn1_simple_object(*object, type, DBG_RAW);
-    return TRUE;
-}
-
-/*
- * extracts an algorithmIdentifier
- */
-int
-parse_algorithmIdentifier(chunk_t blob, int level0, chunk_t *parameters)
-{
-    asn1_ctx_t ctx;
-    chunk_t object;
-    u_int level;
-    int alg = OID_UNKNOWN;
-    int objectID = 0;
-
-    asn1_init(&ctx, blob, level0, FALSE, DBG_RAW);
-
-    while (objectID < ALGORITHM_ID_ROOF)
-    {
-	if (!extract_object(algorithmIdentifierObjects, &objectID, &object, &level, &ctx))
-	     return alg;
-
-	switch (objectID)
-	{
-	case ALGORITHM_ID_ALG:
-	    alg = known_oid(object);
-	    break;
-	case ALGORITHM_ID_PARAMETERS:
-	    if (parameters != NULL)
-		*parameters = object;
-	    break;
-	default:
-	    break;
-	}
-	objectID++;
-    }
-    return alg;
- }
-
-/*
- *  tests if a blob contains a valid ASN.1 set or sequence
- */
-bool
-is_asn1(chunk_t blob)
-{
-    u_int len;
-    u_char tag = *blob.ptr;
-
-    if (tag != ASN1_SEQUENCE && tag != ASN1_SET)
-    {
-	DBG(DBG_PARSING,
-	    DBG_log("  file content is not binary ASN.1");
-	)
-	return FALSE;
-    }
-
-    len = asn1_length(&blob);
- 
-    /* exact match */
-    if (len == blob.len)
-    {
-	return TRUE;
-    }
-
-    /* some websites append a surplus newline character to the blob */
-    if (len + 1 == blob.len && *(blob.ptr + len) == '\n')
-    {
-	return TRUE;
-    }
-
-    DBG(DBG_PARSING,
-	DBG_log("  file size does not match ASN.1 coded length");
-    )
-    return FALSE;
-}
diff --git a/src/pluto/asn1.h b/src/pluto/asn1.h
deleted file mode 100644
index 730245e4a..000000000
--- a/src/pluto/asn1.h
+++ /dev/null
@@ -1,141 +0,0 @@
-/* Simple ASN.1 parser
- * Copyright (C) 2000-2004 Andreas Steffen, Zuercher Hochschule Winterthur
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- *
- * RCSID $Id: asn1.h 3252 2007-10-06 21:24:50Z andreas $
- */
-
-#ifndef _ASN1_H
-#define _ASN1_H
-
-#include <stdarg.h>
-#include <gmp.h>
-
-#include "defs.h"
-
-/* Defines some primitive ASN1 types */
-
-typedef enum {
-    ASN1_EOC =			0x00,
-    ASN1_BOOLEAN =		0x01,
-    ASN1_INTEGER =		0x02,
-    ASN1_BIT_STRING =		0x03,
-    ASN1_OCTET_STRING = 	0x04,
-    ASN1_NULL = 		0x05,
-    ASN1_OID =			0x06,
-    ASN1_ENUMERATED =		0x0A,
-    ASN1_UTF8STRING =		0x0C,
-    ASN1_NUMERICSTRING =	0x12,
-    ASN1_PRINTABLESTRING =	0x13,
-    ASN1_T61STRING =		0x14,
-    ASN1_VIDEOTEXSTRING =	0x15,
-    ASN1_IA5STRING =		0x16,
-    ASN1_UTCTIME =		0x17,
-    ASN1_GENERALIZEDTIME =	0x18,
-    ASN1_GRAPHICSTRING =	0x19,
-    ASN1_VISIBLESTRING = 	0x1A,
-    ASN1_GENERALSTRING =	0x1B,
-    ASN1_UNIVERSALSTRING =	0x1C,
-    ASN1_BMPSTRING =		0x1E,
-
-    ASN1_CONSTRUCTED =		0x20,
-
-    ASN1_SEQUENCE =		0x30,
-
-    ASN1_SET =			0x31,
-
-    ASN1_CONTEXT_S_0 =		0x80,
-    ASN1_CONTEXT_S_1 =		0x81,
-    ASN1_CONTEXT_S_2 =		0x82,
-    ASN1_CONTEXT_S_3 =		0x83,
-    ASN1_CONTEXT_S_4 =		0x84,
-    ASN1_CONTEXT_S_5 =		0x85,
-    ASN1_CONTEXT_S_6 =		0x86,
-    ASN1_CONTEXT_S_7 =		0x87,
-    ASN1_CONTEXT_S_8 =		0x88,
-
-    ASN1_CONTEXT_C_0 =		0xA0,
-    ASN1_CONTEXT_C_1 =		0xA1,
-    ASN1_CONTEXT_C_2 =		0xA2,
-    ASN1_CONTEXT_C_3 =		0xA3,
-    ASN1_CONTEXT_C_4 =		0xA4,
-    ASN1_CONTEXT_C_5 =		0xA5
-} asn1_t;
-
-/* Definition of ASN1 flags */
-
-#define ASN1_NONE	0x00
-#define ASN1_DEF	0x01
-#define ASN1_OPT	0x02
-#define ASN1_LOOP	0x04
-#define ASN1_END	0x08
-#define ASN1_OBJ	0x10
-#define ASN1_BODY	0x20
-#define ASN1_RAW	0x40
-
-#define ASN1_INVALID_LENGTH	0xffffffff
-
-/* definition of an ASN.1 object */
-
-typedef struct {
-    u_int   level;
-    const u_char  *name;
-    asn1_t  type;
-    u_char  flags;
-} asn1Object_t;
-
-#define ASN1_MAX_LEVEL	10
-
-typedef struct {
-    bool  implicit;
-    u_int cond;
-    u_int level0;
-    u_int loopAddr[ASN1_MAX_LEVEL+1];
-    chunk_t  blobs[ASN1_MAX_LEVEL+2];
-} asn1_ctx_t;
-
-/* some common prefabricated ASN.1 constants */
-
-extern const chunk_t ASN1_INTEGER_0;
-extern const chunk_t ASN1_INTEGER_1;
-extern const chunk_t ASN1_INTEGER_2;
-
-/* some popular algorithmIdentifiers */
-extern const chunk_t ASN1_md5_id;
-extern const chunk_t ASN1_sha1_id;
-extern const chunk_t ASN1_rsaEncryption_id;
-extern const chunk_t ASN1_md5WithRSA_id;
-extern const chunk_t ASN1_sha1WithRSA_id;
-
-extern chunk_t asn1_algorithmIdentifier(int oid);
-extern int known_oid(chunk_t object);
-extern u_int asn1_length(chunk_t *blob);
-extern void code_asn1_length(size_t length, chunk_t *code);
-extern u_char* build_asn1_object(chunk_t *object, asn1_t type, size_t datalen);
-extern chunk_t asn1_integer_from_mpz(const mpz_t value);
-extern chunk_t asn1_simple_object(asn1_t tag, chunk_t content);
-extern chunk_t asn1_wrap(asn1_t type, const char *mode, ...);
-extern bool is_printablestring(chunk_t str);
-extern time_t asn1totime(const chunk_t *utctime, asn1_t type);
-extern chunk_t timetoasn1(const time_t *time, asn1_t type);
-extern void asn1_init(asn1_ctx_t *ctx, chunk_t blob
-    , u_int level0, bool implicit, u_int cond);
-extern bool extract_object(asn1Object_t const *objects
-    , u_int *objectID, chunk_t *object, u_int *level, asn1_ctx_t *ctx);
-extern bool parse_asn1_simple_object(chunk_t *object, asn1_t type, u_int level
-    , const char* name);
-extern int parse_algorithmIdentifier(chunk_t blob, int level0
-    , chunk_t *parameters);
-extern bool is_asn1(chunk_t blob);
-
-#endif /* _ASN1_H */
-
diff --git a/src/pluto/ca.c b/src/pluto/ca.c
index 816db53a8..4fdb8cfe7 100644
--- a/src/pluto/ca.c
+++ b/src/pluto/ca.c
@@ -10,8 +10,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: ca.c 4709 2008-11-27 10:20:25Z martin $
  */
 
 #include <stdlib.h>
@@ -23,7 +21,6 @@
 #include <sys/types.h>
 
 #include <freeswan.h>
-#include <ipsec_policy.h>
 
 #include "constants.h"
 #include "defs.h"
@@ -40,17 +37,17 @@
 static x509cert_t *x509authcerts = NULL;
 
 const ca_info_t empty_ca_info = {
-      NULL	  ,  /* next */
-      NULL	  ,  /* name */
-    UNDEFINED_TIME,
-    { NULL, 0 }	  ,  /* authName */
-    { NULL, 0 }	  ,  /* authKeyID */
-    { NULL, 0 }	  ,  /* authKey SerialNumber */
-      NULL	  ,  /* ldaphost */
-      NULL	  ,  /* ldapbase */
-      NULL	  ,  /* ocspori */
-      NULL	  ,  /* crluri */
-      FALSE	     /* strictcrlpolicy */
+	  NULL        ,  /* next */
+	  NULL        ,  /* name */
+	UNDEFINED_TIME,
+	{ NULL, 0 }   ,  /* authName */
+	{ NULL, 0 }   ,  /* authKeyID */
+	{ NULL, 0 }   ,  /* authKey SerialNumber */
+	  NULL        ,  /* ldaphost */
+	  NULL        ,  /* ldapbase */
+	  NULL        ,  /* ocspori */
+	  NULL        ,  /* crluri */
+	  FALSE          /* strictcrlpolicy */
 };
 
 /* chained list of X.509 certification authority information records */
@@ -63,52 +60,52 @@ static ca_info_t *ca_infos = NULL;
 bool
 trusted_ca(chunk_t a, chunk_t b, int *pathlen)
 {
-    bool match = FALSE;
-
-    /* no CA b specified -> any CA a is accepted */
-    if (b.ptr == NULL)
-    {
-	*pathlen = (a.ptr == NULL)? 0 : MAX_CA_PATH_LEN;
-	return TRUE;
-    }
-
-    /* no CA a specified -> trust cannot be established */
-    if (a.ptr == NULL)
-    {
-	*pathlen = MAX_CA_PATH_LEN;
-	return FALSE;
-    }
+	bool match = FALSE;
+
+	/* no CA b specified -> any CA a is accepted */
+	if (b.ptr == NULL)
+	{
+		*pathlen = (a.ptr == NULL)? 0 : MAX_CA_PATH_LEN;
+		return TRUE;
+	}
+
+	/* no CA a specified -> trust cannot be established */
+	if (a.ptr == NULL)
+	{
+		*pathlen = MAX_CA_PATH_LEN;
+		return FALSE;
+	}
 
-    *pathlen = 0;
+	*pathlen = 0;
 
-    /* CA a equals CA b -> we have a match */
-    if (same_dn(a, b))
-	return TRUE;
+	/* CA a equals CA b -> we have a match */
+	if (same_dn(a, b))
+		return TRUE;
 
-    /* CA a might be a subordinate CA of b */
-    lock_authcert_list("trusted_ca");
+	/* CA a might be a subordinate CA of b */
+	lock_authcert_list("trusted_ca");
 
-    while ((*pathlen)++ < MAX_CA_PATH_LEN)
-    {
-	x509cert_t *cacert = get_authcert(a, empty_chunk, empty_chunk, AUTH_CA);
+	while ((*pathlen)++ < MAX_CA_PATH_LEN)
+	{
+		x509cert_t *cacert = get_authcert(a, chunk_empty, chunk_empty, AUTH_CA);
 
-	/* cacert not found or self-signed root cacert-> exit */
-	if (cacert == NULL || same_dn(cacert->issuer, a))
-	    break;
+		/* cacert not found or self-signed root cacert-> exit */
+		if (cacert == NULL || same_dn(cacert->issuer, a))
+			break;
 
-	/* does the issuer of CA a match CA b? */
-	match = same_dn(cacert->issuer, b);
+		/* does the issuer of CA a match CA b? */
+		match = same_dn(cacert->issuer, b);
 
-	/* we have a match and exit the loop */
-	if (match)
-	    break;
+		/* we have a match and exit the loop */
+		if (match)
+			break;
 
-	/* go one level up in the CA chain */
-	a = cacert->issuer;
-    }
-    
-    unlock_authcert_list("trusted_ca");
-    return match;
+		/* go one level up in the CA chain */
+		a = cacert->issuer;
+	}
+	
+	unlock_authcert_list("trusted_ca");
+	return match;
 }
 
 /*
@@ -117,36 +114,36 @@ trusted_ca(chunk_t a, chunk_t b, int *pathlen)
 bool
 match_requested_ca(generalName_t *requested_ca, chunk_t our_ca, int *our_pathlen)
 {
-    /* if no ca is requested than any ca will match */
-    if (requested_ca == NULL)
-    {
-	*our_pathlen = 0;
-	return TRUE;
-    }
-
-    *our_pathlen = MAX_CA_PATH_LEN + 1;
+	/* if no ca is requested than any ca will match */
+	if (requested_ca == NULL)
+	{
+		*our_pathlen = 0;
+		return TRUE;
+	}
 
-    while (requested_ca != NULL)
-    {
-	int pathlen;
+	*our_pathlen = MAX_CA_PATH_LEN + 1;
 
-	if (trusted_ca(our_ca, requested_ca->name, &pathlen)
-	&& pathlen < *our_pathlen)
+	while (requested_ca != NULL)
 	{
-	    *our_pathlen = pathlen;
+		int pathlen;
+
+		if (trusted_ca(our_ca, requested_ca->name, &pathlen)
+		&& pathlen < *our_pathlen)
+		{
+			*our_pathlen = pathlen;
+		}
+		requested_ca = requested_ca->next;
 	}
-	requested_ca = requested_ca->next;
-    }
 
-    if (*our_pathlen > MAX_CA_PATH_LEN)
-    {
-	*our_pathlen = MAX_CA_PATH_LEN;
-	return FALSE;
-    }
-    else
-    {
-	return TRUE;
-    }
+	if (*our_pathlen > MAX_CA_PATH_LEN)
+	{
+		*our_pathlen = MAX_CA_PATH_LEN;
+		return FALSE;
+	}
+	else
+	{
+		return TRUE;
+	}
 }
 
 /*
@@ -155,9 +152,9 @@ match_requested_ca(generalName_t *requested_ca, chunk_t our_ca, int *our_pathlen
 static void
 free_first_authcert(void)
 {
-    x509cert_t *first = x509authcerts;
-    x509authcerts = first->next;
-    free_x509cert(first);
+	x509cert_t *first = x509authcerts;
+	x509authcerts = first->next;
+	free_x509cert(first);
 }
 
 /*
@@ -166,12 +163,12 @@ free_first_authcert(void)
 void
 free_authcerts(void)
 {
-    lock_authcert_list("free_authcerts");
+	lock_authcert_list("free_authcerts");
 
-    while (x509authcerts != NULL)
-        free_first_authcert();
+	while (x509authcerts != NULL)
+		free_first_authcert();
 
-    unlock_authcert_list("free_authcerts");
+	unlock_authcert_list("free_authcerts");
 }
 
 /*
@@ -180,29 +177,29 @@ free_authcerts(void)
 x509cert_t*
 get_authcert(chunk_t subject, chunk_t serial, chunk_t keyid, u_char auth_flags)
 {
-    x509cert_t *cert = x509authcerts;
-    x509cert_t *prev_cert = NULL;
-
-    while (cert != NULL)
-    {
-	if (cert->authority_flags & auth_flags
-	&& ((keyid.ptr != NULL) ? same_keyid(keyid, cert->subjectKeyID)
-	    : (same_dn(subject, cert->subject)
-	       && same_serial(serial, cert->serialNumber))))
+	x509cert_t *cert = x509authcerts;
+	x509cert_t *prev_cert = NULL;
+
+	while (cert != NULL)
 	{
-	    if (cert != x509authcerts)
-	    {
-		/* bring the certificate up front */
-		prev_cert->next = cert->next;
-		cert->next = x509authcerts;
-		x509authcerts = cert;
-	    }
-	    return cert;
+		if (cert->authority_flags & auth_flags
+		&& ((keyid.ptr != NULL) ? same_keyid(keyid, cert->subjectKeyID)
+			: (same_dn(subject, cert->subject)
+			   && same_serial(serial, cert->serialNumber))))
+		{
+			if (cert != x509authcerts)
+			{
+				/* bring the certificate up front */
+				prev_cert->next = cert->next;
+				cert->next = x509authcerts;
+				x509authcerts = cert;
+			}
+			return cert;
+		}
+		prev_cert = cert;
+		cert = cert->next;
 	}
-	prev_cert = cert;
-	cert = cert->next;
-    }
-    return NULL;
+	return NULL;
 }
 
 /*
@@ -211,49 +208,49 @@ get_authcert(chunk_t subject, chunk_t serial, chunk_t keyid, u_char auth_flags)
 x509cert_t*
 add_authcert(x509cert_t *cert, u_char auth_flags)
 {
-    x509cert_t *old_cert;
+	x509cert_t *old_cert;
 
-    /* set authority flags */
-    cert->authority_flags |= auth_flags;
+	/* set authority flags */
+	cert->authority_flags |= auth_flags;
 
-    lock_authcert_list("add_authcert");
+	lock_authcert_list("add_authcert");
 
-    old_cert = get_authcert(cert->subject, cert->serialNumber
-	, cert->subjectKeyID, auth_flags);
+	old_cert = get_authcert(cert->subject, cert->serialNumber
+		, cert->subjectKeyID, auth_flags);
 
-    if (old_cert != NULL)
-    {
-	if (same_x509cert(cert, old_cert))
-	{
-	    /* cert is already present, just add additional authority flags */
-	    old_cert->authority_flags |= cert->authority_flags;
-	    DBG(DBG_CONTROL | DBG_PARSING ,
-		DBG_log("  authcert is already present and identical")
-	    )
-	    unlock_authcert_list("add_authcert");
-
-	    free_x509cert(cert);
-	    return old_cert;
-	}
-	else
+	if (old_cert != NULL)
 	{
-	    /* cert is already present but will be replaced by new cert */
-	    free_first_authcert();
-	    DBG(DBG_CONTROL | DBG_PARSING ,
-		DBG_log("  existing authcert deleted")
-	    )
+		if (same_x509cert(cert, old_cert))
+		{
+			/* cert is already present, just add additional authority flags */
+			old_cert->authority_flags |= cert->authority_flags;
+			DBG(DBG_CONTROL | DBG_PARSING ,
+				DBG_log("  authcert is already present and identical")
+			)
+			unlock_authcert_list("add_authcert");
+
+			free_x509cert(cert);
+			return old_cert;
+		}
+		else
+		{
+			/* cert is already present but will be replaced by new cert */
+			free_first_authcert();
+			DBG(DBG_CONTROL | DBG_PARSING ,
+				DBG_log("  existing authcert deleted")
+			)
+		}
 	}
-    }
-
-    /* add new authcert to chained list */
-    cert->next = x509authcerts;
-    x509authcerts = cert;
-    share_x509cert(cert);  /* set count to one */
-    DBG(DBG_CONTROL | DBG_PARSING,
-	DBG_log("  authcert inserted")
-    )
-    unlock_authcert_list("add_authcert");
-    return cert;
+
+	/* add new authcert to chained list */
+	cert->next = x509authcerts;
+	x509authcerts = cert;
+	share_x509cert(cert);  /* set count to one */
+	DBG(DBG_CONTROL | DBG_PARSING,
+		DBG_log("  authcert inserted")
+	)
+	unlock_authcert_list("add_authcert");
+	return cert;
 }
 
 /*
@@ -262,41 +259,41 @@ add_authcert(x509cert_t *cert, u_char auth_flags)
 void
 load_authcerts(const char *type, const char *path, u_char auth_flags)
 {
-    struct dirent **filelist;
-    u_char buf[BUF_LEN];
-    u_char *save_dir;
-    int n;
-
-    /* change directory to specified path */
-    save_dir = getcwd(buf, BUF_LEN);
-
-    if (chdir(path))
-    {
-	plog("Could not change to directory '%s'", path);
-    }
-    else
-    {
-	plog("Changing to directory '%s'", path);
-	n = scandir(path, &filelist, file_select, alphasort);
-
-	if (n < 0)
-	    plog("  scandir() error");
-	else
-	{
-	    while (n--)
-	    {
-		cert_t cert;
+	struct dirent **filelist;
+	u_char buf[BUF_LEN];
+	u_char *save_dir;
+	int n;
 
-		if (load_cert(filelist[n]->d_name, type, &cert))
-		    add_authcert(cert.u.x509, auth_flags);
+	/* change directory to specified path */
+	save_dir = getcwd(buf, BUF_LEN);
 
-		free(filelist[n]);
-	    }
-	    free(filelist);
+	if (chdir(path))
+	{
+		plog("Could not change to directory '%s'", path);
 	}
-    }
-    /* restore directory path */
-    ignore_result(chdir(save_dir));
+	else
+	{
+		plog("Changing to directory '%s'", path);
+		n = scandir(path, &filelist, file_select, alphasort);
+
+		if (n < 0)
+			plog("  scandir() error");
+		else
+		{
+			while (n--)
+			{
+				cert_t cert;
+
+				if (load_cert(filelist[n]->d_name, type, &cert))
+					add_authcert(cert.u.x509, auth_flags);
+
+				free(filelist[n]);
+			}
+			free(filelist);
+		}
+	}
+	/* restore directory path */
+	ignore_result(chdir(save_dir));
 }
 
 /*
@@ -305,9 +302,9 @@ load_authcerts(const char *type, const char *path, u_char auth_flags)
 void
 list_authcerts(const char *caption, u_char auth_flags, bool utc)
 {
-    lock_authcert_list("list_authcerts");
-    list_x509cert_chain(caption, x509authcerts, auth_flags, utc);
-    unlock_authcert_list("list_authcerts");
+	lock_authcert_list("list_authcerts");
+	list_x509cert_chain(caption, x509authcerts, auth_flags, utc);
+	unlock_authcert_list("list_authcerts");
 }
 
 /*
@@ -315,19 +312,19 @@ list_authcerts(const char *caption, u_char auth_flags, bool utc)
  */
 static const x509cert_t*
 get_alt_cacert(chunk_t subject, chunk_t serial, chunk_t keyid
-    , const x509cert_t *cert)
+	, const x509cert_t *cert)
 {
-    while (cert != NULL)
-    {
-	if ((keyid.ptr != NULL) ? same_keyid(keyid, cert->subjectKeyID)
-	    : (same_dn(subject, cert->subject)
-	       && same_serial(serial, cert->serialNumber)))
+	while (cert != NULL)
 	{
-	    return cert;
+		if ((keyid.ptr != NULL) ? same_keyid(keyid, cert->subjectKeyID)
+			: (same_dn(subject, cert->subject)
+			   && same_serial(serial, cert->serialNumber)))
+		{
+			return cert;
+		}
+		cert = cert->next;
 	}
-	cert = cert->next;
-    }
-    return NULL;
+	return NULL;
 }
 
 /* establish trust into a candidate authcert by going up the trust chain.
@@ -336,85 +333,85 @@ get_alt_cacert(chunk_t subject, chunk_t serial, chunk_t keyid
 bool
 trust_authcert_candidate(const x509cert_t *cert, const x509cert_t *alt_chain)
 {
-    int pathlen;
-
-    lock_authcert_list("trust_authcert_candidate");
-
-    for (pathlen = 0; pathlen < MAX_CA_PATH_LEN; pathlen++)
-    {
-	const x509cert_t *authcert = NULL;
-	u_char buf[BUF_LEN];
-
-	DBG(DBG_CONTROL,
-	    dntoa(buf, BUF_LEN, cert->subject);
-	    DBG_log("subject: '%s'",buf);
-	    dntoa(buf, BUF_LEN, cert->issuer);
-	    DBG_log("issuer:  '%s'",buf);
-	    if (cert->authKeyID.ptr != NULL)
-	    {
-		datatot(cert->authKeyID.ptr, cert->authKeyID.len, ':'
-		    , buf, BUF_LEN);
-		DBG_log("authkey:  %s", buf);
-	    }
-	)
+	int pathlen;
 
-	/* search in alternative chain first */
-	authcert = get_alt_cacert(cert->issuer, cert->authKeySerialNumber
-	    , cert->authKeyID, alt_chain);
+	lock_authcert_list("trust_authcert_candidate");
 
-	if (authcert != NULL)
+	for (pathlen = 0; pathlen < MAX_CA_PATH_LEN; pathlen++)
 	{
-	    DBG(DBG_CONTROL,
-		DBG_log("issuer cacert found in alternative chain")
-	    )
-	}
-	else
-	{
-	    /* search in trusted chain */
-	    authcert = get_authcert(cert->issuer, cert->authKeySerialNumber
-		, cert->authKeyID, AUTH_CA);
+		const x509cert_t *authcert = NULL;
+		u_char buf[BUF_LEN];
 
-	    if (authcert != NULL)
-	    {
 		DBG(DBG_CONTROL,
-		    DBG_log("issuer cacert found")
+			dntoa(buf, BUF_LEN, cert->subject);
+			DBG_log("subject: '%s'",buf);
+			dntoa(buf, BUF_LEN, cert->issuer);
+			DBG_log("issuer:  '%s'",buf);
+			if (cert->authKeyID.ptr != NULL)
+			{
+				datatot(cert->authKeyID.ptr, cert->authKeyID.len, ':'
+					, buf, BUF_LEN);
+				DBG_log("authkey:  %s", buf);
+			}
 		)
-	    }
-	    else
-	    {
-		plog("issuer cacert not found");
-		unlock_authcert_list("trust_authcert_candidate");
-		return FALSE;
-	    }
-	}
 
-	if (!check_signature(cert->tbsCertificate, cert->signature
-			   , cert->algorithm, cert->algorithm, authcert))
-	{
-	    plog("certificate signature is invalid");
-	    unlock_authcert_list("trust_authcert_candidate");
-	    return FALSE;
-	}
-	DBG(DBG_CONTROL,
-	    DBG_log("certificate signature is valid")
-	)
+		/* search in alternative chain first */
+		authcert = get_alt_cacert(cert->issuer, cert->authKeySerialNumber
+			, cert->authKeyID, alt_chain);
+
+		if (authcert != NULL)
+		{
+			DBG(DBG_CONTROL,
+				DBG_log("issuer cacert found in alternative chain")
+			)
+		}
+		else
+		{
+			/* search in trusted chain */
+			authcert = get_authcert(cert->issuer, cert->authKeySerialNumber
+				, cert->authKeyID, AUTH_CA);
+
+			if (authcert != NULL)
+			{
+				DBG(DBG_CONTROL,
+					DBG_log("issuer cacert found")
+				)
+			}
+			else
+			{
+				plog("issuer cacert not found");
+				unlock_authcert_list("trust_authcert_candidate");
+				return FALSE;
+			}
+		}
+
+		if (!x509_check_signature(cert->tbsCertificate, cert->signature,
+								  cert->algorithm, authcert))
+		{
+			plog("certificate signature is invalid");
+			unlock_authcert_list("trust_authcert_candidate");
+			return FALSE;
+		}
+		DBG(DBG_CONTROL,
+			DBG_log("certificate signature is valid")
+		)
 
-	/* check if cert is a self-signed root ca */
-	if (pathlen > 0 && same_dn(cert->issuer, cert->subject))
-	{
-	    DBG(DBG_CONTROL,
-		DBG_log("reached self-signed root ca")
-	    )
-	    unlock_authcert_list("trust_authcert_candidate");
-	    return TRUE;
+		/* check if cert is a self-signed root ca */
+		if (pathlen > 0 && same_dn(cert->issuer, cert->subject))
+		{
+			DBG(DBG_CONTROL,
+				DBG_log("reached self-signed root ca")
+			)
+			unlock_authcert_list("trust_authcert_candidate");
+			return TRUE;
+		}
+
+		/* go up one step in the trust chain */
+		cert = authcert;
 	}
-
-	/* go up one step in the trust chain */
-	cert = authcert;
-    }
-    plog("maximum ca path length of %d levels exceeded", MAX_CA_PATH_LEN);
-    unlock_authcert_list("trust_authcert_candidate");
-    return FALSE;
+	plog("maximum ca path length of %d levels exceeded", MAX_CA_PATH_LEN);
+	unlock_authcert_list("trust_authcert_candidate");
+	return FALSE;
 }
 
 /*
@@ -423,19 +420,19 @@ trust_authcert_candidate(const x509cert_t *cert, const x509cert_t *alt_chain)
 ca_info_t*
 get_ca_info(chunk_t authname, chunk_t serial, chunk_t keyid)
 {
-    ca_info_t *ca= ca_infos;
+	ca_info_t *ca= ca_infos;
 
-    while (ca!= NULL)
-    {
-	if ((keyid.ptr != NULL) ? same_keyid(keyid, ca->authKeyID)
-	    : (same_dn(authname, ca->authName)
-	       && same_serial(serial, ca->authKeySerialNumber)))
+	while (ca!= NULL)
 	{
-	    return ca;
+		if ((keyid.ptr != NULL) ? same_keyid(keyid, ca->authKeyID)
+			: (same_dn(authname, ca->authName)
+			   && same_serial(serial, ca->authKeySerialNumber)))
+		{
+			return ca;
+		}
+		ca = ca->next;
 	}
-	ca = ca->next;
-    }
-    return NULL;
+	return NULL;
 }
 
 
@@ -445,21 +442,18 @@ get_ca_info(chunk_t authname, chunk_t serial, chunk_t keyid)
 static void
 free_ca_info(ca_info_t* ca_info)
 {
-    if (ca_info == NULL)
-	return;
-
-    pfreeany(ca_info->name);
-    pfreeany(ca_info->ldaphost);
-    pfreeany(ca_info->ldapbase);
-    pfreeany(ca_info->ocspuri);
-
-    freeanychunk(ca_info->authName);
-    freeanychunk(ca_info->authKeyID);
-    freeanychunk(ca_info->authKeySerialNumber);
-
-    free_generalNames(ca_info->crluri, TRUE);
-
-    pfree(ca_info);
+	if (ca_info == NULL)
+		return;
+
+	free(ca_info->name);
+	free(ca_info->ldaphost);
+	free(ca_info->ldapbase);
+	free(ca_info->ocspuri);
+	free(ca_info->authName.ptr);
+	free(ca_info->authKeyID.ptr);
+	free(ca_info->authKeySerialNumber.ptr);
+	free_generalNames(ca_info->crluri, TRUE);
+	free(ca_info);
 }
 
 /*
@@ -468,13 +462,13 @@ free_ca_info(ca_info_t* ca_info)
 void
 free_ca_infos(void)
 {
-    while (ca_infos != NULL)
-    {
-	ca_info_t *ca = ca_infos;
+	while (ca_infos != NULL)
+	{
+		ca_info_t *ca = ca_infos;
 
-	ca_infos = ca_infos->next;
-	free_ca_info(ca);
-    }
+		ca_infos = ca_infos->next;
+		free_ca_info(ca);
+	}
 }
 
 /*
@@ -483,28 +477,28 @@ free_ca_infos(void)
 bool
 find_ca_info_by_name(const char *name, bool delete)
 {
-    ca_info_t **ca_p = &ca_infos;
-    ca_info_t *ca = *ca_p;
+	ca_info_t **ca_p = &ca_infos;
+	ca_info_t *ca = *ca_p;
 
-    while (ca != NULL)
-    {
-	/* is there already an entry? */
-	if (streq(name, ca->name))
+	while (ca != NULL)
 	{
-	    if (delete)
-	    {
-		lock_ca_info_list("find_ca_info_by_name");
-		*ca_p = ca->next;
-		free_ca_info(ca);
-		plog("deleting ca description \"%s\"", name);
-		unlock_ca_info_list("find_ca_info_by_name");
-	    }
-	    return TRUE;
+		/* is there already an entry? */
+		if (streq(name, ca->name))
+		{
+			if (delete)
+			{
+				lock_ca_info_list("find_ca_info_by_name");
+				*ca_p = ca->next;
+				free_ca_info(ca);
+				plog("deleting ca description \"%s\"", name);
+				unlock_ca_info_list("find_ca_info_by_name");
+			}
+			return TRUE;
+		}
+		ca_p = &ca->next;
+		ca = *ca_p;
 	}
-	ca_p = &ca->next;
-	ca = *ca_p;
-    }
-    return FALSE;
+	return FALSE;
 }
 
 
@@ -514,136 +508,133 @@ find_ca_info_by_name(const char *name, bool delete)
 void
 add_ca_info(const whack_message_t *msg)
 {
-    smartcard_t *sc = NULL;
-    cert_t cert;
-    bool valid_cert = FALSE;
-    bool cached_cert = FALSE;
-
-    if (find_ca_info_by_name(msg->name, FALSE))
-    {
-	loglog(RC_DUPNAME, "attempt to redefine ca record \"%s\"", msg->name);
-	return;
-    }
-
-    if (scx_on_smartcard(msg->cacert))
-    {
-	/* load CA cert from smartcard */
-	valid_cert = scx_load_cert(msg->cacert, &sc, &cert, &cached_cert);
-    }
-    else
-    {
-	/* load CA cert from file */
-	valid_cert = load_ca_cert(msg->cacert, &cert);
-    }
-
-    if (valid_cert)
-    {
-	char buf[BUF_LEN];
-	x509cert_t *cacert = cert.u.x509;
-	ca_info_t *ca = NULL;
-
-	/* does the authname already exist? */
-	ca = get_ca_info(cacert->subject, cacert->serialNumber
-		, cacert->subjectKeyID);
-	
-	if (ca != NULL)
-	{
-	    /* ca_info is already present */
-	    loglog(RC_DUPNAME, "  duplicate ca information in record \"%s\" found,"
-			       "ignoring \"%s\"", ca->name, msg->name);
-	    free_x509cert(cacert);
-	    return;
-	}
+	smartcard_t *sc = NULL;
+	cert_t cert;
+	bool valid_cert = FALSE;
+	bool cached_cert = FALSE;
 
-	plog("added ca description \"%s\"", msg->name);
-
-	/* create and initialize new ca_info record */
-	ca = alloc_thing(ca_info_t, "ca info");
-	*ca = empty_ca_info;
-
-	/* name */
-	ca->name = clone_str(msg->name, "ca name");
-	    
-	/* authName */
-	clonetochunk(ca->authName, cacert->subject.ptr
-	    , cacert->subject.len, "authName");
-	dntoa(buf, BUF_LEN, ca->authName);
-	DBG(DBG_CONTROL,
-	    DBG_log("authname: '%s'", buf)
-	)
-
-	/* authSerialNumber */
-	clonetochunk(ca->authKeySerialNumber, cacert->serialNumber.ptr
-	    , cacert->serialNumber.len, "authKeySerialNumber");
-
-	/* authKeyID */
-	if (cacert->subjectKeyID.ptr != NULL)
+	if (find_ca_info_by_name(msg->name, FALSE))
 	{
-	    clonetochunk(ca->authKeyID, cacert->subjectKeyID.ptr
-		, cacert->subjectKeyID.len, "authKeyID");
-	    datatot(cacert->subjectKeyID.ptr, cacert->subjectKeyID.len, ':'
-		, buf, BUF_LEN);
-	    DBG(DBG_CONTROL | DBG_PARSING ,
-		DBG_log("authkey:  %s", buf)
-	    )
+		loglog(RC_DUPNAME, "attempt to redefine ca record \"%s\"", msg->name);
+		return;
 	}
 
-	/* ldaphost */
-	ca->ldaphost = clone_str(msg->ldaphost, "ldaphost");
-
-	/* ldapbase */
-	ca->ldapbase = clone_str(msg->ldapbase, "ldapbase");
-
-	/* ocspuri */
-	if (msg->ocspuri != NULL)
+	if (scx_on_smartcard(msg->cacert))
 	{
-	    if (strncasecmp(msg->ocspuri, "http", 4) == 0)
-		ca->ocspuri = clone_str(msg->ocspuri, "ocspuri");
-	    else
-		plog("  ignoring ocspuri with unkown protocol");
+		/* load CA cert from smartcard */
+		valid_cert = scx_load_cert(msg->cacert, &sc, &cert, &cached_cert);
 	}
-
-	/* crluri2*/
-	if (msg->crluri2 != NULL)
+	else
 	{
-	    generalName_t gn =
-		{ NULL, GN_URI, {msg->crluri2, strlen(msg->crluri2)} };
-
-	    add_distribution_points(&gn, &ca->crluri);
+		/* load CA cert from file */
+		valid_cert = load_ca_cert(msg->cacert, &cert);
 	}
 
-	/* crluri */
-	if (msg->crluri != NULL)
+	if (valid_cert)
 	{
-	    generalName_t gn =
-		{ NULL, GN_URI, {msg->crluri, strlen(msg->crluri)} };
-
-	    add_distribution_points(&gn, &ca->crluri);
-	}
-
-	/* strictrlpolicy */
-	ca->strictcrlpolicy = msg->whack_strict;
-
-	/* insert ca_info record into the chained list */
-	lock_ca_info_list("add_ca_info");
-
-	ca->next = ca_infos;
-	ca_infos = ca;
-	ca->installed = time(NULL);
-	
-	unlock_ca_info_list("add_ca_info");
+		char buf[BUF_LEN];
+		x509cert_t *cacert = cert.u.x509;
+		ca_info_t *ca = NULL;
+
+		/* does the authname already exist? */
+		ca = get_ca_info(cacert->subject, cacert->serialNumber
+				, cacert->subjectKeyID);
+		
+		if (ca != NULL)
+		{
+			/* ca_info is already present */
+			loglog(RC_DUPNAME, "  duplicate ca information in record \"%s\" found,"
+							   "ignoring \"%s\"", ca->name, msg->name);
+			free_x509cert(cacert);
+			return;
+		}
+
+		plog("added ca description \"%s\"", msg->name);
+
+		/* create and initialize new ca_info record */
+		ca = malloc_thing(ca_info_t);
+		*ca = empty_ca_info;
+
+		/* name */
+		ca->name = clone_str(msg->name);
+			
+		/* authName */
+		ca->authName = chunk_clone(cacert->subject);
+		dntoa(buf, BUF_LEN, ca->authName);
+		DBG(DBG_CONTROL,
+			DBG_log("authname: '%s'", buf)
+		)
 
-	/* add cacert to list of authcerts */
-	if (!cached_cert && sc != NULL)
-	{
-	    if (sc->last_cert.type == CERT_X509_SIGNATURE)
-		sc->last_cert.u.x509->count--;
-	    sc->last_cert.u.x509 = add_authcert(cacert, AUTH_CA);
-	    share_cert(sc->last_cert);
+		/* authSerialNumber */
+		ca->authKeySerialNumber = chunk_clone(cacert->serialNumber);
+
+		/* authKeyID */
+		if (cacert->subjectKeyID.ptr != NULL)
+		{
+			ca->authKeyID = chunk_clone(cacert->subjectKeyID);
+			datatot(cacert->subjectKeyID.ptr, cacert->subjectKeyID.len, ':'
+				, buf, BUF_LEN);
+			DBG(DBG_CONTROL | DBG_PARSING ,
+				DBG_log("authkey:  %s", buf)
+			)
+		}
+
+		/* ldaphost */
+		ca->ldaphost = clone_str(msg->ldaphost);
+
+		/* ldapbase */
+		ca->ldapbase = clone_str(msg->ldapbase);
+
+		/* ocspuri */
+		if (msg->ocspuri != NULL)
+		{
+			if (strncasecmp(msg->ocspuri, "http", 4) == 0)
+				ca->ocspuri = clone_str(msg->ocspuri);
+			else
+				plog("  ignoring ocspuri with unkown protocol");
+		}
+
+		/* crluri2*/
+		if (msg->crluri2 != NULL)
+		{
+			generalName_t gn =
+				{ NULL, GN_URI, {msg->crluri2, strlen(msg->crluri2)} };
+
+			add_distribution_points(&gn, &ca->crluri);
+		}
+
+		/* crluri */
+		if (msg->crluri != NULL)
+		{
+			generalName_t gn =
+				{ NULL, GN_URI, {msg->crluri, strlen(msg->crluri)} };
+
+			add_distribution_points(&gn, &ca->crluri);
+		}
+
+		/* strictrlpolicy */
+		ca->strictcrlpolicy = msg->whack_strict;
+
+		/* insert ca_info record into the chained list */
+		lock_ca_info_list("add_ca_info");
+
+		ca->next = ca_infos;
+		ca_infos = ca;
+		ca->installed = time(NULL);
+		
+		unlock_ca_info_list("add_ca_info");
+
+		/* add cacert to list of authcerts */
+		if (!cached_cert && sc != NULL)
+		{
+			if (sc->last_cert.type == CERT_X509_SIGNATURE)
+				sc->last_cert.u.x509->count--;
+			sc->last_cert.u.x509 = add_authcert(cacert, AUTH_CA);
+			share_cert(sc->last_cert);
+		}
+		if (sc != NULL)
+			time(&sc->last_load);
 	}
-	if (sc != NULL)
-	    time(&sc->last_load);
-    }
 }
 
 /*
@@ -652,51 +643,51 @@ add_ca_info(const whack_message_t *msg)
 void
 list_ca_infos(bool utc)
 {
-    ca_info_t *ca = ca_infos;
-    
-    if (ca != NULL)
-    {
-	whack_log(RC_COMMENT, " ");
-	whack_log(RC_COMMENT, "List of X.509 CA Information Records:");
-	whack_log(RC_COMMENT, " ");
-    }
-
-    while (ca != NULL)
-    {
-	u_char buf[BUF_LEN];
-
-	/* strictpolicy per CA not supported yet
-	 *
-	whack_log(RC_COMMENT, "%s, \"%s\", strictcrlpolicy: %s"
-		, timetoa(&ca->installed, utc), ca->name
-		, ca->strictcrlpolicy? "yes":"no");
-	*/
-	whack_log(RC_COMMENT, "%s, \"%s\"", timetoa(&ca->installed, utc), ca->name);
-	dntoa(buf, BUF_LEN, ca->authName);
-	whack_log(RC_COMMENT, "       authname: '%s'", buf);
-	if (ca->ldaphost != NULL)
-	    whack_log(RC_COMMENT, "       ldaphost: '%s'", ca->ldaphost);
-	if (ca->ldapbase != NULL)
-	    whack_log(RC_COMMENT, "       ldapbase: '%s'", ca->ldapbase);
-	if (ca->ocspuri != NULL)
-	    whack_log(RC_COMMENT, "       ocspuri:  '%s'", ca->ocspuri);
-
-	list_distribution_points(ca->crluri);
-
-	if (ca->authKeyID.ptr != NULL)
+	ca_info_t *ca = ca_infos;
+	
+	if (ca != NULL)
 	{
-	    datatot(ca->authKeyID.ptr, ca->authKeyID.len, ':'
-		, buf, BUF_LEN);
-	    whack_log(RC_COMMENT, "       authkey:   %s", buf);
+		whack_log(RC_COMMENT, " ");
+		whack_log(RC_COMMENT, "List of X.509 CA Information Records:");
+		whack_log(RC_COMMENT, " ");
 	}
-	if (ca->authKeySerialNumber.ptr != NULL)
+
+	while (ca != NULL)
 	{
-	    datatot(ca->authKeySerialNumber.ptr, ca->authKeySerialNumber.len, ':'
-		, buf, BUF_LEN);
-	    whack_log(RC_COMMENT, "       aserial:   %s", buf);
+		u_char buf[BUF_LEN];
+
+		/* strictpolicy per CA not supported yet
+		 *
+		whack_log(RC_COMMENT, "%T, \"%s\", strictcrlpolicy: %s"
+				, &ca->installed, utc, ca->name
+				, ca->strictcrlpolicy? "yes":"no");
+		*/
+		whack_log(RC_COMMENT, "%T, \"%s\"", &ca->installed, utc, ca->name);
+		dntoa(buf, BUF_LEN, ca->authName);
+		whack_log(RC_COMMENT, "       authname: '%s'", buf);
+		if (ca->ldaphost != NULL)
+			whack_log(RC_COMMENT, "       ldaphost: '%s'", ca->ldaphost);
+		if (ca->ldapbase != NULL)
+			whack_log(RC_COMMENT, "       ldapbase: '%s'", ca->ldapbase);
+		if (ca->ocspuri != NULL)
+			whack_log(RC_COMMENT, "       ocspuri:  '%s'", ca->ocspuri);
+
+		list_distribution_points(ca->crluri);
+
+		if (ca->authKeyID.ptr != NULL)
+		{
+			datatot(ca->authKeyID.ptr, ca->authKeyID.len, ':'
+				, buf, BUF_LEN);
+			whack_log(RC_COMMENT, "       authkey:   %s", buf);
+		}
+		if (ca->authKeySerialNumber.ptr != NULL)
+		{
+			datatot(ca->authKeySerialNumber.ptr, ca->authKeySerialNumber.len, ':'
+				, buf, BUF_LEN);
+			whack_log(RC_COMMENT, "       aserial:   %s", buf);
+		}
+		ca = ca->next;
 	}
-	ca = ca->next;
-    }
 }
 
 
diff --git a/src/pluto/ca.h b/src/pluto/ca.h
index 13f874284..44d079b4c 100644
--- a/src/pluto/ca.h
+++ b/src/pluto/ca.h
@@ -10,8 +10,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: ca.h 3252 2007-10-06 21:24:50Z andreas $
  */
 
 #ifndef _CA_H
@@ -20,45 +18,45 @@
 #include "x509.h"
 #include "whack.h"
 
-#define MAX_CA_PATH_LEN		7
+#define MAX_CA_PATH_LEN         7
 
 /* authority flags */
 
-#define AUTH_NONE	0x00	/* no authorities */
-#define AUTH_CA		0x01	/* certification authority */
-#define AUTH_AA		0x02	/* authorization authority */
-#define AUTH_OCSP	0x04	/* ocsp signing authority */
+#define AUTH_NONE       0x00    /* no authorities */
+#define AUTH_CA         0x01    /* certification authority */
+#define AUTH_AA         0x02    /* authorization authority */
+#define AUTH_OCSP       0x04    /* ocsp signing authority */
 
 /* CA info structures */
 
 typedef struct ca_info ca_info_t;
 
 struct ca_info {
-    ca_info_t       *next;
-    char	    *name;
-    time_t	    installed;
-    chunk_t	    authName;
-    chunk_t	    authKeyID;
-    chunk_t	    authKeySerialNumber;
-    char	    *ldaphost;
-    char	    *ldapbase;
-    char	    *ocspuri;
-    generalName_t   *crluri;
-    bool	    strictcrlpolicy;
+	ca_info_t       *next;
+	char            *name;
+	time_t          installed;
+	chunk_t         authName;
+	chunk_t         authKeyID;
+	chunk_t         authKeySerialNumber;
+	char            *ldaphost;
+	char            *ldapbase;
+	char            *ocspuri;
+	generalName_t   *crluri;
+	bool            strictcrlpolicy;
 };
 
 extern bool trusted_ca(chunk_t a, chunk_t b, int *pathlen);
 extern bool match_requested_ca(generalName_t *requested_ca
-    , chunk_t our_ca, int *our_pathlen);
+	, chunk_t our_ca, int *our_pathlen);
 extern x509cert_t* get_authcert(chunk_t subject, chunk_t serial, chunk_t keyid
-    , u_char auth_flags);
+	, u_char auth_flags);
 extern void load_authcerts(const char *type, const char *path
-    , u_char auth_flags);
+	, u_char auth_flags);
 extern x509cert_t* add_authcert(x509cert_t *cert, u_char auth_flags);
 extern void free_authcerts(void);
 extern void list_authcerts(const char *caption, u_char auth_flags, bool utc);
 extern bool trust_authcert_candidate(const x509cert_t *cert
-    , const x509cert_t *alt_chain);
+	, const x509cert_t *alt_chain);
 extern ca_info_t* get_ca_info(chunk_t name, chunk_t serial, chunk_t keyid);
 extern bool find_ca_info_by_name(const char *name, bool delete);
 extern void add_ca_info(const whack_message_t *msg);
diff --git a/src/pluto/certs.c b/src/pluto/certs.c
index 43976a913..ca3019b9b 100644
--- a/src/pluto/certs.c
+++ b/src/pluto/certs.c
@@ -1,5 +1,7 @@
 /* Certificate support for IKE authentication
- * Copyright (C) 2002-2004 Andreas Steffen, Zuercher Hochschule Winterthur
+ * Copyright (C) 2002-2009 Andreas Steffen
+ *
+ * HSR - Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -10,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: certs.c 3252 2007-10-06 21:24:50Z andreas $
  */
 
 #include <stdlib.h>
@@ -19,241 +19,251 @@
 #include <string.h>
 
 #include <freeswan.h>
-#include <ipsec_policy.h>
+
+#include "library.h"
+#include "asn1/asn1.h"
 
 #include "constants.h"
 #include "defs.h"
 #include "log.h"
-#include "asn1.h"
 #include "id.h"
-#include "x509.h"
-#include "pgp.h"
 #include "pem.h"
 #include "certs.h"
-#include "pkcs1.h"
 
-/*
+/**
  * used for initializatin of certs
  */
-const cert_t empty_cert = {CERT_NONE, {NULL}};
+const cert_t cert_empty = {CERT_NONE, {NULL}};
 
-/*
+/**
  * extracts the certificate to be sent to the peer
  */
-chunk_t
-get_mycert(cert_t cert)
+chunk_t cert_get_encoding(cert_t cert)
 {
-    switch (cert.type)
-    {
-    case CERT_PGP:
-	return cert.u.pgp->certificate;
-    case CERT_X509_SIGNATURE:
-	return cert.u.x509->certificate;
-    default:
-	return empty_chunk;
-    }
+	switch (cert.type)
+	{
+	case CERT_PGP:
+		return cert.u.pgp->certificate;
+	case CERT_X509_SIGNATURE:
+		return cert.u.x509->certificate;
+	default:
+		return chunk_empty;
+	}
+}
+
+public_key_t* cert_get_public_key(const cert_t cert)
+{
+	switch (cert.type)
+	{
+		case CERT_PGP:
+			return cert.u.pgp->public_key;
+			break;
+		case CERT_X509_SIGNATURE:
+			return cert.u.x509->public_key;
+			break;
+		default:
+			return NULL;
+	}
 }
 
 /* load a coded key or certificate file with autodetection
  * of binary DER or base64 PEM ASN.1 formats and armored PGP format
  */
-bool
-load_coded_file(const char *filename, prompt_pass_t *pass, const char *type
-, chunk_t *blob, bool *pgp)
+bool load_coded_file(char *filename, prompt_pass_t *pass, const char *type,
+					 chunk_t *blob, bool *pgp)
 {
-    err_t ugh = NULL;
+	err_t ugh = NULL;
+
+	FILE *fd = fopen(filename, "r");
 
-    FILE *fd = fopen(filename, "r");
+	if (fd)
+	{
+		int bytes;
+		fseek(fd, 0, SEEK_END );
+		blob->len = ftell(fd);
+		rewind(fd);
+		blob->ptr = malloc(blob->len);
+		bytes = fread(blob->ptr, 1, blob->len, fd);
+		fclose(fd);
+		plog("  loaded %s file '%s' (%d bytes)", type, filename, bytes);
 
-    if (fd)
-    {
-	int bytes;
-	fseek(fd, 0, SEEK_END );
-	blob->len = ftell(fd);
-	rewind(fd);
-	blob->ptr = alloc_bytes(blob->len, type);
-	bytes = fread(blob->ptr, 1, blob->len, fd);
-	fclose(fd);
-	plog("  loaded %s file '%s' (%d bytes)", type, filename, bytes);
+		*pgp = FALSE;
 
-	*pgp = FALSE;
+		/* try DER format */
+		if (is_asn1(*blob))
+		{
+			DBG(DBG_PARSING,
+				DBG_log("  file coded in DER format");
+			)
+			return TRUE;
+		}
 
-	/* try DER format */
-	if (is_asn1(*blob))
-	{
-	    DBG(DBG_PARSING,
-		DBG_log("  file coded in DER format");
-	    )
-	    return TRUE;
-	}
+		/* try PEM format */
+		ugh = pemtobin(blob, pass, filename, pgp);
 
-	/* try PEM format */
-	ugh = pemtobin(blob, pass, filename, pgp);
+		if (ugh == NULL)
+		{
+			if (*pgp)
+			{
+				DBG(DBG_PARSING,
+					DBG_log("  file coded in armored PGP format");
+				)
+				return TRUE;
+			}
+			if (is_asn1(*blob))
+			{
+				DBG(DBG_PARSING,
+					DBG_log("  file coded in PEM format");
+				)
+				return TRUE;
+			}
+			ugh = "file coded in unknown format, discarded";
+		}
 
-	if (ugh == NULL)
+		/* a conversion error has occured */
+		plog("  %s", ugh);
+		free(blob->ptr);
+		*blob = chunk_empty;
+	}
+	else
 	{
-	    if (*pgp)
-	    {
-                DBG(DBG_PARSING,
-                    DBG_log("  file coded in armored PGP format");
-                )
-                return TRUE;
-	    }
-	    if (is_asn1(*blob))
-	    {
-		DBG(DBG_PARSING,
-		    DBG_log("  file coded in PEM format");
-		)
-		return TRUE;
-	    }
-	    ugh = "file coded in unknown format, discarded";
+		plog("  could not open %s file '%s'", type, filename);
 	}
-
-	/* a conversion error has occured */
-	plog("  %s", ugh);
-	pfree(blob->ptr);
-	*blob = empty_chunk;
-    }
-    else
-    {
-	plog("  could not open %s file '%s'", type, filename);
-    }
-    return FALSE;
+	return FALSE;
 }
 
-/*
- *  Loads a PKCS#1 or PGP private RSA key file
+/**
+ *  Loads a PKCS#1 or PGP privatekey file
  */
-err_t
-load_rsa_private_key(const char* filename, prompt_pass_t *pass
-, RSA_private_key_t *key)
+private_key_t* load_private_key(char* filename, prompt_pass_t *pass,
+								key_type_t type)
 {
-    err_t ugh = NULL;
-    bool pgp = FALSE;
-    chunk_t blob = empty_chunk;
+	private_key_t *key = NULL;
+	chunk_t blob = chunk_empty;
+	bool pgp = FALSE;
 
-    const char *path = concatenate_paths(PRIVATE_KEY_PATH, filename);
+	char *path = concatenate_paths(PRIVATE_KEY_PATH, filename);
 
-    if (load_coded_file(path, pass, "private key", &blob, &pgp))
-    {
-	if (pgp)
+	if (load_coded_file(path, pass, "private key", &blob, &pgp))
 	{
-	    if (!parse_pgp(blob, NULL, key))
-		ugh = "syntax error in PGP private key file";
+		if (pgp)
+		{
+ 			parse_pgp(blob, NULL, &key);
+		}
+		else
+		{
+			key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type,
+								 	 BUILD_BLOB_ASN1_DER, blob, BUILD_END);
+		}
+		if (key == NULL)
+		{
+			plog("  syntax error in %s private key file", pgp ? "PGP":"PKCS#");
+		}			
+		free(blob.ptr);
 	}
 	else
 	{
-	    if (!pkcs1_parse_private_key(blob, key))
-		ugh = "syntax error in PKCS#1 private key file";
+		plog("  error loading private key file");
 	}
-	pfree(blob.ptr);
-    }
-    else
-	ugh = "error loading RSA private key file";
-
-    return ugh;
+	return key;
 }
-/*
+
+/**
  *  Loads a X.509 or OpenPGP certificate
  */
-bool
-load_cert(const char *filename, const char *label, cert_t *cert)
+bool load_cert(char *filename, const char *label, cert_t *cert)
 {
-    bool pgp = FALSE;
-    chunk_t blob = empty_chunk;
+	bool pgp = FALSE;
+	chunk_t blob = chunk_empty;
 
-    /* initialize cert struct */
-    cert->type = CERT_NONE;
-    cert->u.x509 = NULL;
+	/* initialize cert struct */
+	cert->type = CERT_NONE;
+	cert->u.x509 = NULL;
 
-    if (load_coded_file(filename, NULL, label, &blob, &pgp))
-    {
-	if (pgp)
-	{
-	    pgpcert_t *pgpcert = alloc_thing(pgpcert_t, "pgpcert");
-	    *pgpcert = empty_pgpcert;
-	    if (parse_pgp(blob, pgpcert, NULL))
-	    {
-		cert->type = CERT_PGP;
-		cert->u.pgp = pgpcert;
-		return TRUE;
-	    }
-	    else
-	    {
-		plog("  error in OpenPGP certificate");
-		free_pgpcert(pgpcert);
-		return FALSE;
-	    }
-	}
-	else
+	if (load_coded_file(filename, NULL, label, &blob, &pgp))
 	{
-	    x509cert_t *x509cert = alloc_thing(x509cert_t, "x509cert");
-	    *x509cert = empty_x509cert;
-	    if (parse_x509cert(blob, 0, x509cert))
-	    {
-		cert->type = CERT_X509_SIGNATURE;
-		cert->u.x509 = x509cert;
-		return TRUE;
-	    }
-	    else
-	    {
-		plog("  error in X.509 certificate");
-		free_x509cert(x509cert);
-		return FALSE;
-	    }
+		if (pgp)
+		{
+			pgpcert_t *pgpcert = malloc_thing(pgpcert_t);
+			*pgpcert = pgpcert_empty;
+			if (parse_pgp(blob, pgpcert, NULL))
+			{
+				cert->type = CERT_PGP;
+				cert->u.pgp = pgpcert;
+				return TRUE;
+			}
+			else
+			{
+				plog("  error in OpenPGP certificate");
+				free_pgpcert(pgpcert);
+				return FALSE;
+			}
+		}
+		else
+		{
+			x509cert_t *x509cert = malloc_thing(x509cert_t);
+			*x509cert = empty_x509cert;
+			if (parse_x509cert(blob, 0, x509cert))
+			{
+				cert->type = CERT_X509_SIGNATURE;
+				cert->u.x509 = x509cert;
+				return TRUE;
+			}
+			else
+			{
+				plog("  error in X.509 certificate");
+				free_x509cert(x509cert);
+				return FALSE;
+			}
+		}
 	}
-    }
-    return FALSE;
+	return FALSE;
 }
 
-/*
+/**
  *  Loads a host certificate
  */
-bool
-load_host_cert(const char *filename, cert_t *cert)
+bool load_host_cert(char *filename, cert_t *cert)
 {
-    const char *path = concatenate_paths(HOST_CERT_PATH, filename);
+	char *path = concatenate_paths(HOST_CERT_PATH, filename);
 
-    return load_cert(path, "host cert", cert);
+	return load_cert(path, "host cert", cert);
 }
 
-/*
+/**
  *  Loads a CA certificate
  */
-bool
-load_ca_cert(const char *filename, cert_t *cert)
+bool load_ca_cert(char *filename, cert_t *cert)
 {
-    const char *path = concatenate_paths(CA_CERT_PATH, filename);
+	char *path = concatenate_paths(CA_CERT_PATH, filename);
 
-    return load_cert(path, "CA cert", cert);
+	return load_cert(path, "CA cert", cert);
 }
 
-/*
+/**
  * establish equality of two certificates
  */
-bool
-same_cert(const cert_t *a, const cert_t *b)
+bool same_cert(const cert_t *a, const cert_t *b)
 {
-    return a->type == b->type && a->u.x509 == b->u.x509;
+	return a->type == b->type && a->u.x509 == b->u.x509;
 }
 
-/*  for each link pointing to the certif icate
- "  increase the count by one
+/**
+ * for each link pointing to the certificate increase the count by one
  */
-void
-share_cert(cert_t cert)
+void share_cert(cert_t cert)
 {
-    switch (cert.type)
-    {
-    case CERT_PGP:
-	share_pgpcert(cert.u.pgp);
-	break;
-    case CERT_X509_SIGNATURE:
-	share_x509cert(cert.u.x509);
-	break;
-    default:
-        break;
-    }
+	switch (cert.type)
+	{
+	case CERT_PGP:
+		share_pgpcert(cert.u.pgp);
+		break;
+	case CERT_X509_SIGNATURE:
+		share_x509cert(cert.u.x509);
+		break;
+	default:
+		break;
+	}
 }
 
 /*  release of a certificate decreases the count by one
@@ -263,16 +273,16 @@ void
 release_cert(cert_t cert)
 {
    switch (cert.type)
-    {
-    case CERT_PGP:
-	release_pgpcert(cert.u.pgp);
-	break;
-    case CERT_X509_SIGNATURE:
-	release_x509cert(cert.u.x509);
-	break;
-    default:
-        break;
-    }
+	{
+	case CERT_PGP:
+		release_pgpcert(cert.u.pgp);
+		break;
+	case CERT_X509_SIGNATURE:
+		release_x509cert(cert.u.x509);
+		break;
+	default:
+		break;
+	}
 }
 
 /*
@@ -281,7 +291,7 @@ release_cert(cert_t cert)
 void
 list_certs(bool utc)
 {
-    list_x509_end_certs(utc);
-    list_pgp_end_certs(utc);
+	list_x509_end_certs(utc);
+	list_pgp_end_certs(utc);
 }
 
diff --git a/src/pluto/certs.h b/src/pluto/certs.h
index b71c53e15..0810c52fa 100644
--- a/src/pluto/certs.h
+++ b/src/pluto/certs.h
@@ -1,5 +1,7 @@
 /* Certificate support for IKE authentication
- * Copyright (C) 2002-2004 Andreas Steffen, Zuercher Hochschule Winterthur
+ * Copyright (C) 2002-2009 Andreas Steffen
+ *
+ * HSR - Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -10,66 +12,65 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: certs.h 3252 2007-10-06 21:24:50Z andreas $
  */
 
 #ifndef _CERTS_H
 #define _CERTS_H
 
-#include "pkcs1.h"
+#include <credentials/keys/private_key.h>
+
 #include "x509.h"
-#include "pgp.h"
+#include "pgpcert.h"
 
 /* path definitions for private keys, end certs,
  * cacerts, attribute certs and crls
  */
 #define PRIVATE_KEY_PATH  IPSEC_CONFDIR "/ipsec.d/private"
 #define HOST_CERT_PATH    IPSEC_CONFDIR "/ipsec.d/certs"
-#define CA_CERT_PATH	  IPSEC_CONFDIR "/ipsec.d/cacerts"
-#define A_CERT_PATH	  IPSEC_CONFDIR "/ipsec.d/acerts"
-#define AA_CERT_PATH	  IPSEC_CONFDIR "/ipsec.d/aacerts"
-#define OCSP_CERT_PATH	  IPSEC_CONFDIR "/ipsec.d/ocspcerts"
-#define CRL_PATH	  IPSEC_CONFDIR "/ipsec.d/crls"
-#define REQ_PATH	  IPSEC_CONFDIR "/ipsec.d/reqs"
+#define CA_CERT_PATH      IPSEC_CONFDIR "/ipsec.d/cacerts"
+#define A_CERT_PATH       IPSEC_CONFDIR "/ipsec.d/acerts"
+#define AA_CERT_PATH      IPSEC_CONFDIR "/ipsec.d/aacerts"
+#define OCSP_CERT_PATH    IPSEC_CONFDIR "/ipsec.d/ocspcerts"
+#define CRL_PATH          IPSEC_CONFDIR "/ipsec.d/crls"
+#define REQ_PATH          IPSEC_CONFDIR "/ipsec.d/reqs"
 
 /* advance warning of imminent expiry of
  * cacerts, public keys, and crls
  */
-#define CA_CERT_WARNING_INTERVAL	30 /* days */
-#define OCSP_CERT_WARNING_INTERVAL	30 /* days */
-#define PUBKEY_WARNING_INTERVAL		 7 /* days */
-#define CRL_WARNING_INTERVAL		 7 /* days */
-#define ACERT_WARNING_INTERVAL		 1 /* day */
+#define CA_CERT_WARNING_INTERVAL        30 /* days */
+#define OCSP_CERT_WARNING_INTERVAL      30 /* days */
+#define PUBKEY_WARNING_INTERVAL          7 /* days */
+#define CRL_WARNING_INTERVAL             7 /* days */
+#define ACERT_WARNING_INTERVAL           1 /* day */
 
 /* certificate access structure
  * currently X.509 and OpenPGP certificates are supported
  */
 typedef struct {
-    u_char type;
-    union {
-	x509cert_t *x509;
-	pgpcert_t  *pgp;
-    } u;
+	u_char type;
+	union {
+		x509cert_t *x509;
+		pgpcert_t  *pgp;
+	} u;
 } cert_t;
 
 /* used for initialization */
-extern const cert_t empty_cert;
+extern const cert_t cert_empty;
 
 /*  do not send certificate requests
  *  flag set in plutomain.c and used in ipsec_doi.c
  */
 extern bool no_cr_send;
 
-extern err_t load_rsa_private_key(const char* filename, prompt_pass_t *pass
-    , RSA_private_key_t *key);
-extern chunk_t get_mycert(cert_t cert);
-extern bool load_coded_file(const char *filename, prompt_pass_t *pass
-    , const char *type, chunk_t *blob, bool *pgp);
-extern bool load_cert(const char *filename, const char *label
-    , cert_t *cert);
-extern bool load_host_cert(const char *filename, cert_t *cert);
-extern bool load_ca_cert(const char *filename, cert_t *cert);
+extern public_key_t* cert_get_public_key(const cert_t cert);
+extern chunk_t cert_get_encoding(cert_t cert);
+extern private_key_t* load_private_key(char* filename, prompt_pass_t *pass,
+									   key_type_t type);
+extern bool load_coded_file(char *filename, prompt_pass_t *pass,
+							const char *type, chunk_t *blob, bool *pgp);
+extern bool load_cert(char *filename, const char *label, cert_t *cert);
+extern bool load_host_cert(char *filename, cert_t *cert);
+extern bool load_ca_cert(char *filename, cert_t *cert);
 extern bool same_cert(const cert_t *a, const cert_t *b);
 extern void share_cert(cert_t cert);
 extern void release_cert(cert_t cert);
diff --git a/src/pluto/connections.c b/src/pluto/connections.c
index cd118cb34..4deb722f7 100644
--- a/src/pluto/connections.c
+++ b/src/pluto/connections.c
@@ -10,8 +10,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: connections.c 4924 2009-03-10 21:13:18Z andreas $
  */
 
 #include <string.h>
@@ -25,20 +23,21 @@
 #include <netinet/in.h>
 #include <arpa/inet.h>
 #include <resolv.h>
-#include <arpa/nameser.h>	/* missing from <resolv.h> on old systems */
+#include <arpa/nameser.h>       /* missing from <resolv.h> on old systems */
 #include <sys/queue.h>
 
 #include <freeswan.h>
-#include <ipsec_policy.h>
 #include "kameipsec.h"
 
+#include <credentials/keys/private_key.h>
+
 #include "constants.h"
 #include "defs.h"
 #include "id.h"
 #include "x509.h"
 #include "ca.h"
 #include "crl.h"
-#include "pgp.h"
+#include "pgpcert.h"
 #include "certs.h"
 #include "ac.h"
 #include "smartcard.h"
@@ -48,13 +47,13 @@
 #include "demux.h"
 #include "state.h"
 #include "timer.h"
-#include "ipsec_doi.h"	/* needs demux.h and state.h */
+#include "ipsec_doi.h"  /* needs demux.h and state.h */
 #include "server.h"
 #include "kernel.h"
 #include "log.h"
 #include "keys.h"
-#include "adns.h"	/* needs <resolv.h> */
-#include "dnskey.h"	/* needs keys.h and adns.h */
+#include "adns.h"       /* needs <resolv.h> */
+#include "dnskey.h"     /* needs keys.h and adns.h */
 #include "whack.h"
 #include "alg_info.h"
 #include "ike_alg.h"
@@ -62,7 +61,7 @@
 #include "nat_traversal.h"
 #include "virtual.h"
 
-static void flush_pending_by_connection(struct connection *c);	/* forward */
+static void flush_pending_by_connection(struct connection *c);  /* forward */
 
 static struct connection *connections = NULL;
 
@@ -77,14 +76,14 @@ static struct connection *connections = NULL;
  */
 
 struct host_pair {
-    struct {
-	ip_address addr;
-	u_int16_t port;	/* host order */
-    } me, him;
-    bool initial_connection_sent;
-    struct connection *connections;	/* connections with this pair */
-    struct pending *pending;	/* awaiting Keying Channel */
-    struct host_pair *next;
+	struct {
+		ip_address addr;
+		u_int16_t port; /* host order */
+	} me, him;
+	bool initial_connection_sent;
+	struct connection *connections;     /* connections with this pair */
+	struct pending *pending;    /* awaiting Keying Channel */
+	struct host_pair *next;
 };
 
 static struct host_pair *host_pairs = NULL;
@@ -96,45 +95,45 @@ bool
 same_peer_ids(const struct connection *c, const struct connection *d
 , const struct id *his_id)
 {
-    return same_id(&c->spd.this.id, &d->spd.this.id)
-	&& same_id(his_id == NULL? &c->spd.that.id : his_id, &d->spd.that.id);
+	return same_id(&c->spd.this.id, &d->spd.this.id)
+		&& same_id(his_id == NULL? &c->spd.that.id : his_id, &d->spd.that.id);
 }
 
 static struct host_pair *
 find_host_pair(const ip_address *myaddr, u_int16_t myport
 , const ip_address *hisaddr, u_int16_t hisport)
 {
-    struct host_pair *p, *prev;
-
-    /* default hisaddr to an appropriate any */
-    if (hisaddr == NULL)
-	hisaddr = aftoinfo(addrtypeof(myaddr))->any;
-	
-    if (nat_traversal_enabled)
-    {
-	/**
-	 * port is not relevant in host_pair. with nat_traversal we
-	 * always use pluto_port (500)
-	 */
-	myport = pluto_port;
-	hisport = pluto_port;
-    }
-
-    for (prev = NULL, p = host_pairs; p != NULL; prev = p, p = p->next)
-    {
-	if (sameaddr(&p->me.addr, myaddr) && p->me.port == myport
-	&&  sameaddr(&p->him.addr, hisaddr) && p->him.port == hisport)
+	struct host_pair *p, *prev;
+
+	/* default hisaddr to an appropriate any */
+	if (hisaddr == NULL)
+		hisaddr = aftoinfo(addrtypeof(myaddr))->any;
+		
+	if (nat_traversal_enabled)
+	{
+		/**
+		 * port is not relevant in host_pair. with nat_traversal we
+		 * always use pluto_port (500)
+		 */
+		myport = pluto_port;
+		hisport = pluto_port;
+	}
+
+	for (prev = NULL, p = host_pairs; p != NULL; prev = p, p = p->next)
 	{
-	    if (prev != NULL)
-	    {
-		prev->next = p->next;	/* remove p from list */
-		p->next = host_pairs;	/* and stick it on front */
-		host_pairs = p;
-	    }
-	    break;
+		if (sameaddr(&p->me.addr, myaddr) && p->me.port == myport
+		&&  sameaddr(&p->him.addr, hisaddr) && p->him.port == hisport)
+		{
+			if (prev != NULL)
+			{
+				prev->next = p->next;   /* remove p from list */
+				p->next = host_pairs;   /* and stick it on front */
+				host_pairs = p;
+			}
+			break;
+		}
 	}
-    }
-    return p;
+	return p;
 }
 
 /* find head of list of connections with this pair of hosts */
@@ -142,63 +141,63 @@ static struct connection *
 find_host_pair_connections(const ip_address *myaddr, u_int16_t myport
 , const ip_address *hisaddr, u_int16_t hisport)
 {
-    struct host_pair *hp = find_host_pair(myaddr, myport, hisaddr, hisport);
-
-    if (nat_traversal_enabled && hp && hisaddr)
-    {
-	struct connection *c;
+	struct host_pair *hp = find_host_pair(myaddr, myport, hisaddr, hisport);
 
-	for (c = hp->connections; c != NULL; c = c->hp_next)
+	if (nat_traversal_enabled && hp && hisaddr)
 	{
-	    if (c->spd.this.host_port == myport && c->spd.that.host_port == hisport)
-		return c;
+		struct connection *c;
+
+		for (c = hp->connections; c != NULL; c = c->hp_next)
+		{
+			if (c->spd.this.host_port == myport && c->spd.that.host_port == hisport)
+				return c;
+		}
+		return NULL;
 	}
-	return NULL;
-    }
-    return hp == NULL? NULL : hp->connections;
+	return hp == NULL? NULL : hp->connections;
 }
 
 static void
 connect_to_host_pair(struct connection *c)
 {
-    if (oriented(*c))
-    {
-	struct host_pair *hp;
+	if (oriented(*c))
+	{
+		struct host_pair *hp;
 
-	ip_address his_addr = (c->spd.that.allow_any)
-			      ? *aftoinfo(addrtypeof(&c->spd.that.host_addr))->any
-			      : c->spd.that.host_addr;
+		ip_address his_addr = (c->spd.that.allow_any)
+							  ? *aftoinfo(addrtypeof(&c->spd.that.host_addr))->any
+							  : c->spd.that.host_addr;
 
-	hp = find_host_pair(&c->spd.this.host_addr, c->spd.this.host_port
-	    , &his_addr, c->spd.that.host_port);
+		hp = find_host_pair(&c->spd.this.host_addr, c->spd.this.host_port
+			, &his_addr, c->spd.that.host_port);
 
-	if (hp == NULL)
+		if (hp == NULL)
+		{
+			/* no suitable host_pair -- build one */
+			hp = malloc_thing(struct host_pair);
+			hp->me.addr = c->spd.this.host_addr;
+			hp->him.addr = his_addr;
+			hp->me.port = nat_traversal_enabled ? pluto_port : c->spd.this.host_port;
+			hp->him.port = nat_traversal_enabled ? pluto_port : c->spd.that.host_port;
+			hp->initial_connection_sent = FALSE;
+			hp->connections = NULL;
+			hp->pending = NULL;
+			hp->next = host_pairs;
+			host_pairs = hp;
+		}
+		c->host_pair = hp;
+		c->hp_next = hp->connections;
+		hp->connections = c;
+	}
+	else
 	{
-	    /* no suitable host_pair -- build one */
-	    hp = alloc_thing(struct host_pair, "host_pair");
-	    hp->me.addr = c->spd.this.host_addr;
-	    hp->him.addr = his_addr;
-	    hp->me.port = nat_traversal_enabled ? pluto_port : c->spd.this.host_port;
-	    hp->him.port = nat_traversal_enabled ? pluto_port : c->spd.that.host_port;
-	    hp->initial_connection_sent = FALSE;
-	    hp->connections = NULL;
-	    hp->pending = NULL;
-	    hp->next = host_pairs;
-	    host_pairs = hp;
+		/* since this connection isn't oriented, we place it
+		 * in the unoriented_connections list instead.
+		 */
+		c->host_pair = NULL;
+		c->hp_next = unoriented_connections;
+		unoriented_connections = c;
 	}
-	c->host_pair = hp;
-	c->hp_next = hp->connections;
-	hp->connections = c;
-    }
-    else
-    {
-	/* since this connection isn't oriented, we place it
-	 * in the unoriented_connections list instead.
-	 */
-	c->host_pair = NULL;
-	c->hp_next = unoriented_connections;
-	unoriented_connections = c;
-    }
 }
 
 /* find a connection by name.
@@ -209,317 +208,317 @@ connect_to_host_pair(struct connection *c)
 struct connection *
 con_by_name(const char *nm, bool strict)
 {
-    struct connection *p, *prev;
+	struct connection *p, *prev;
 
-    for (prev = NULL, p = connections; ; prev = p, p = p->ac_next)
-    {
-	if (p == NULL)
-	{
-	    if (strict)
-		whack_log(RC_UNKNOWN_NAME
-		    , "no connection named \"%s\"", nm);
-	    break;
-	}
-	if (streq(p->name, nm)
-	&& (!strict || p->kind != CK_INSTANCE))
+	for (prev = NULL, p = connections; ; prev = p, p = p->ac_next)
 	{
-	    if (prev != NULL)
-	    {
-		prev->ac_next = p->ac_next;	/* remove p from list */
-		p->ac_next = connections;	/* and stick it on front */
-		connections = p;
-	    }
-	    break;
+		if (p == NULL)
+		{
+			if (strict)
+				whack_log(RC_UNKNOWN_NAME
+					, "no connection named \"%s\"", nm);
+			break;
+		}
+		if (streq(p->name, nm)
+		&& (!strict || p->kind != CK_INSTANCE))
+		{
+			if (prev != NULL)
+			{
+				prev->ac_next = p->ac_next;     /* remove p from list */
+				p->ac_next = connections;       /* and stick it on front */
+				connections = p;
+			}
+			break;
+		}
 	}
-    }
-    return p;
+	return p;
 }
 
 void
 release_connection(struct connection *c, bool relations)
 {
-    if (c->kind == CK_INSTANCE)
-    {
-	/* This does everything we need.
-	 * Note that we will be called recursively by delete_connection,
-	 * but kind will be CK_GOING_AWAY.
-	 */
-	delete_connection(c, relations);
-    }
-    else
-    {
-	flush_pending_by_connection(c);
-	delete_states_by_connection(c, relations);
-	unroute_connection(c);
-    }
+	if (c->kind == CK_INSTANCE)
+	{
+		/* This does everything we need.
+		 * Note that we will be called recursively by delete_connection,
+		 * but kind will be CK_GOING_AWAY.
+		 */
+		delete_connection(c, relations);
+	}
+	else
+	{
+		flush_pending_by_connection(c);
+		delete_states_by_connection(c, relations);
+		unroute_connection(c);
+	}
 }
 
 /* Delete a connection */
 
 #define list_rm(etype, enext, e, ehead) { \
-	etype **ep; \
-	for (ep = &(ehead); *ep != (e); ep = &(*ep)->enext) \
-	    passert(*ep != NULL);    /* we must not come up empty-handed */ \
-	*ep = (e)->enext; \
-    }
+		etype **ep; \
+		for (ep = &(ehead); *ep != (e); ep = &(*ep)->enext) \
+			passert(*ep != NULL);    /* we must not come up empty-handed */ \
+		*ep = (e)->enext; \
+	}
 
 
 void
 delete_connection(struct connection *c, bool relations)
 {
-    struct connection *old_cur_connection
-	= cur_connection == c? NULL : cur_connection;
+	struct connection *old_cur_connection
+		= cur_connection == c? NULL : cur_connection;
 #ifdef DEBUG
-    lset_t old_cur_debugging = cur_debugging;
+	lset_t old_cur_debugging = cur_debugging;
 #endif
 
-    set_cur_connection(c);
-
-    /* Must be careful to avoid circularity:
-     * we mark c as going away so it won't get deleted recursively.
-     */
-    passert(c->kind != CK_GOING_AWAY);
-    if (c->kind == CK_INSTANCE)
-    {
-	plog("deleting connection \"%s\" instance with peer %s {isakmp=#%lu/ipsec=#%lu}"
-	     , c->name
-	     , ip_str(&c->spd.that.host_addr)
-	     , c->newest_isakmp_sa, c->newest_ipsec_sa);
-	c->kind = CK_GOING_AWAY;
-    }
-    else
-    {
-	plog("deleting connection");
-    }
-    release_connection(c, relations);	/* won't delete c */
-
-    if (c->kind == CK_GROUP)
-	delete_group(c);
-
-    /* free up any logging resources */
-    perpeer_logfree(c);
-
-    /* find and delete c from connections list */
-    list_rm(struct connection, ac_next, c, connections);
-    cur_connection = old_cur_connection;
-
-    /* find and delete c from the host pair list */
-    if (c->host_pair == NULL)
-    {
-	if (c->ikev1)
-	    list_rm(struct connection, hp_next, c, unoriented_connections);
-    }
-    else
-    {
-	struct host_pair *hp = c->host_pair;
-
-	list_rm(struct connection, hp_next, c, hp->connections);
-	c->host_pair = NULL;	/* redundant, but safe */
-
-	/* if there are no more connections with this host_pair
-	 * and we haven't even made an initial contact, let's delete
-	 * this guy in case we were created by an attempted DOS attack.
+	set_cur_connection(c);
+
+	/* Must be careful to avoid circularity:
+	 * we mark c as going away so it won't get deleted recursively.
 	 */
-	if (hp->connections == NULL
-	&& !hp->initial_connection_sent)
+	passert(c->kind != CK_GOING_AWAY);
+	if (c->kind == CK_INSTANCE)
+	{
+		plog("deleting connection \"%s\" instance with peer %s {isakmp=#%lu/ipsec=#%lu}"
+			 , c->name
+			 , ip_str(&c->spd.that.host_addr)
+			 , c->newest_isakmp_sa, c->newest_ipsec_sa);
+		c->kind = CK_GOING_AWAY;
+	}
+	else
+	{
+		plog("deleting connection");
+	}
+	release_connection(c, relations);   /* won't delete c */
+
+	if (c->kind == CK_GROUP)
+		delete_group(c);
+
+	/* free up any logging resources */
+	perpeer_logfree(c);
+
+	/* find and delete c from connections list */
+	list_rm(struct connection, ac_next, c, connections);
+	cur_connection = old_cur_connection;
+
+	/* find and delete c from the host pair list */
+	if (c->host_pair == NULL)
 	{
-	    passert(hp->pending == NULL);	/* ??? must deal with this! */
-	    list_rm(struct host_pair, next, hp, host_pairs);
-	    pfree(hp);
+		if (c->ikev1)
+			list_rm(struct connection, hp_next, c, unoriented_connections);
 	}
-    }
+	else
+	{
+		struct host_pair *hp = c->host_pair;
 
-    if (c->kind != CK_GOING_AWAY)
-	pfreeany(c->spd.that.virt);
+		list_rm(struct connection, hp_next, c, hp->connections);
+		c->host_pair = NULL;    /* redundant, but safe */
 
+		/* if there are no more connections with this host_pair
+		 * and we haven't even made an initial contact, let's delete
+		 * this guy in case we were created by an attempted DOS attack.
+		 */
+		if (hp->connections == NULL
+		&& !hp->initial_connection_sent)
+		{
+			passert(hp->pending == NULL);       /* ??? must deal with this! */
+			list_rm(struct host_pair, next, hp, host_pairs);
+			free(hp);
+		}
+	}
+	if (c->kind != CK_GOING_AWAY)
+	{
+		free(c->spd.that.virt);
+	}
 #ifdef DEBUG
-    cur_debugging = old_cur_debugging;
+	cur_debugging = old_cur_debugging;
 #endif
-    pfreeany(c->name);
-    free_id_content(&c->spd.this.id);
-    pfreeany(c->spd.this.updown);
-    freeanychunk(c->spd.this.ca);
-    free_ietfAttrList(c->spd.this.groups);
-    free_id_content(&c->spd.that.id);
-    pfreeany(c->spd.that.updown);
-    freeanychunk(c->spd.that.ca);
-    free_ietfAttrList(c->spd.that.groups);
-    free_generalNames(c->requested_ca, TRUE);
-    gw_delref(&c->gw_info);
-
-    lock_certs_and_keys("delete_connection");
-    release_cert(c->spd.this.cert);
-    scx_release(c->spd.this.sc);
-    release_cert(c->spd.that.cert);
-    scx_release(c->spd.that.sc);
-    unlock_certs_and_keys("delete_connection");
-
-    alg_info_delref((struct alg_info **)&c->alg_info_esp);
-    alg_info_delref((struct alg_info **)&c->alg_info_ike);
-
-    pfree(c);
+	free(c->name);
+	free_id_content(&c->spd.this.id);
+	free(c->spd.this.updown);
+	free(c->spd.this.ca.ptr);
+	free_ietfAttrList(c->spd.this.groups);
+	free_id_content(&c->spd.that.id);
+	free(c->spd.that.updown);
+	free(c->spd.that.ca.ptr);
+	free_ietfAttrList(c->spd.that.groups);
+	free_generalNames(c->requested_ca, TRUE);
+	gw_delref(&c->gw_info);
+
+	lock_certs_and_keys("delete_connection");
+	release_cert(c->spd.this.cert);
+	scx_release(c->spd.this.sc);
+	release_cert(c->spd.that.cert);
+	scx_release(c->spd.that.sc);
+	unlock_certs_and_keys("delete_connection");
+
+	alg_info_delref((struct alg_info **)&c->alg_info_esp);
+	alg_info_delref((struct alg_info **)&c->alg_info_ike);
+
+	free(c);
 }
 
 /* Delete connections with the specified name */
 void
 delete_connections_by_name(const char *name, bool strict)
 {
-    struct connection *c = con_by_name(name, strict);
+	struct connection *c = con_by_name(name, strict);
 
-    for (; c != NULL; c = con_by_name(name, FALSE))
-	delete_connection(c, FALSE);
+	for (; c != NULL; c = con_by_name(name, FALSE))
+		delete_connection(c, FALSE);
 }
 
 void
 delete_every_connection(void)
 {
-    while (connections != NULL)
-	delete_connection(connections, TRUE);
+	while (connections != NULL)
+		delete_connection(connections, TRUE);
 }
 
 void
 release_dead_interfaces(void)
 {
-    struct host_pair *hp;
-
-    for (hp = host_pairs; hp != NULL; hp = hp->next)
-    {
-	struct connection **pp
-	    , *p;
+	struct host_pair *hp;
 
-	for (pp = &hp->connections; (p = *pp) != NULL; )
+	for (hp = host_pairs; hp != NULL; hp = hp->next)
 	{
-	    if (p->interface->change == IFN_DELETE)
-	    {
-		/* this connection's interface is going away */
-		enum connection_kind k = p->kind;
-
-		release_connection(p, TRUE);
+		struct connection **pp
+			, *p;
 
-		if (k <= CK_PERMANENT)
+		for (pp = &hp->connections; (p = *pp) != NULL; )
 		{
-		    /* The connection should have survived release:
-		     * move it to the unoriented_connections list.
-		     */
-		    passert(p == *pp);
-
-		    p->interface = NULL;
-
-		    *pp = p->hp_next;	/* advance *pp */
-		    p->host_pair = NULL;
-		    p->hp_next = unoriented_connections;
-		    unoriented_connections = p;
-		}
-		else
-		{
-		    /* The connection should have vanished,
-		     * but the previous connection remains.
-		     */
-		    passert(p != *pp);
+			if (p->interface->change == IFN_DELETE)
+			{
+				/* this connection's interface is going away */
+				enum connection_kind k = p->kind;
+
+				release_connection(p, TRUE);
+
+				if (k <= CK_PERMANENT)
+				{
+					/* The connection should have survived release:
+					 * move it to the unoriented_connections list.
+					 */
+					passert(p == *pp);
+
+					p->interface = NULL;
+
+					*pp = p->hp_next;   /* advance *pp */
+					p->host_pair = NULL;
+					p->hp_next = unoriented_connections;
+					unoriented_connections = p;
+				}
+				else
+				{
+					/* The connection should have vanished,
+					 * but the previous connection remains.
+					 */
+					passert(p != *pp);
+				}
+			}
+			else
+			{
+				pp = &p->hp_next;       /* advance pp */
+			}
 		}
-	    }
-	    else
-	    {
-		pp = &p->hp_next;	/* advance pp */
-	    }
 	}
-    }
 }
 
 /* adjust orientations of connections to reflect newly added interfaces */
 void
 check_orientations(void)
 {
-    /* try to orient all the unoriented connections */
-    {
-	struct connection *c = unoriented_connections;
+	/* try to orient all the unoriented connections */
+	{
+		struct connection *c = unoriented_connections;
 
-	unoriented_connections = NULL;
+		unoriented_connections = NULL;
 
-	while (c != NULL)
-	{
-	    struct connection *nxt = c->hp_next;
+		while (c != NULL)
+		{
+			struct connection *nxt = c->hp_next;
 
-	    (void)orient(c);
-	    connect_to_host_pair(c);
-	    c = nxt;
+			(void)orient(c);
+			connect_to_host_pair(c);
+			c = nxt;
+		}
 	}
-    }
-
-    /* Check that no oriented connection has become double-oriented.
-     * In other words, the far side must not match one of our new interfaces.
-     */
-    {
-	struct iface *i;
 
-	for (i = interfaces; i != NULL; i = i->next)
+	/* Check that no oriented connection has become double-oriented.
+	 * In other words, the far side must not match one of our new interfaces.
+	 */
 	{
-	    if (i->change == IFN_ADD)
-	    {
-		struct host_pair *hp;
+		struct iface *i;
 
-		for (hp = host_pairs; hp != NULL; hp = hp->next)
+		for (i = interfaces; i != NULL; i = i->next)
 		{
-		    if (sameaddr(&hp->him.addr, &i->addr)
-		    && (!no_klips || hp->him.port == pluto_port))
-		    {
-			/* bad news: the whole chain of connections
-			 * hanging off this host pair has both sides
-			 * matching an interface.
-			 * We'll get rid of them, using orient and
-			 * connect_to_host_pair.  But we'll be lazy
-			 * and not ditch the host_pair itself (the
-			 * cost of leaving it is slight and cannot
-			 * be induced by a foe).
-			 */
-			struct connection *c = hp->connections;
-
-			hp->connections = NULL;
-			while (c != NULL)
+			if (i->change == IFN_ADD)
 			{
-			    struct connection *nxt = c->hp_next;
-
-			    c->interface = NULL;
-			    (void)orient(c);
-			    connect_to_host_pair(c);
-			    c = nxt;
+				struct host_pair *hp;
+
+				for (hp = host_pairs; hp != NULL; hp = hp->next)
+				{
+					if (sameaddr(&hp->him.addr, &i->addr)
+					&& (!no_klips || hp->him.port == pluto_port))
+					{
+						/* bad news: the whole chain of connections
+						 * hanging off this host pair has both sides
+						 * matching an interface.
+						 * We'll get rid of them, using orient and
+						 * connect_to_host_pair.  But we'll be lazy
+						 * and not ditch the host_pair itself (the
+						 * cost of leaving it is slight and cannot
+						 * be induced by a foe).
+						 */
+						struct connection *c = hp->connections;
+
+						hp->connections = NULL;
+						while (c != NULL)
+						{
+							struct connection *nxt = c->hp_next;
+
+							c->interface = NULL;
+							(void)orient(c);
+							connect_to_host_pair(c);
+							c = nxt;
+						}
+					}
+				}
 			}
-		    }
 		}
-	    }
 	}
-    }
 }
 
 static err_t
 default_end(struct end *e, ip_address *dflt_nexthop)
 {
-    err_t ugh = NULL;
-    const struct af_info *afi = aftoinfo(addrtypeof(&e->host_addr));
-
-    if (afi == NULL)
-	return "unknown address family in default_end";
-
-    /* default ID to IP (but only if not NO_IP -- WildCard) */
-    if (e->id.kind == ID_NONE && !isanyaddr(&e->host_addr))
-    {
-	e->id.kind = afi->id_addr;
-	e->id.ip_addr = e->host_addr;
-	e->has_id_wildcards = FALSE;
-    }
-
-    /* default nexthop to other side */
-    if (isanyaddr(&e->host_nexthop))
-	e->host_nexthop = *dflt_nexthop;
-
-    /* default client to subnet containing only self
-     * XXX This may mean that the client's address family doesn't match
-     * tunnel_addr_family.
-     */
-    if (!e->has_client)
-	ugh = addrtosubnet(&e->host_addr, &e->client);
-
-    return ugh;
+	err_t ugh = NULL;
+	const struct af_info *afi = aftoinfo(addrtypeof(&e->host_addr));
+
+	if (afi == NULL)
+		return "unknown address family in default_end";
+
+	/* default ID to IP (but only if not NO_IP -- WildCard) */
+	if (e->id.kind == ID_ANY && !isanyaddr(&e->host_addr))
+	{
+		e->id.kind = afi->id_addr;
+		e->id.ip_addr = e->host_addr;
+		e->has_id_wildcards = FALSE;
+	}
+
+	/* default nexthop to other side */
+	if (isanyaddr(&e->host_nexthop))
+		e->host_nexthop = *dflt_nexthop;
+
+	/* default client to subnet containing only self
+	 * XXX This may mean that the client's address family doesn't match
+	 * tunnel_addr_family.
+	 */
+	if (!e->has_client)
+		ugh = addrtosubnet(&e->host_addr, &e->client);
+
+	return ugh;
 }
 
 /* Format the topology of a connection end, leaving out defaults.
@@ -535,710 +534,702 @@ format_end(char *buf
 , bool is_left
 , lset_t policy)
 {
-    char client[SUBNETTOT_BUF];
-    const char *client_sep = "";
-    char protoport[sizeof(":255/65535")];
-    const char *host = NULL;
-    char host_space[ADDRTOT_BUF];
-    char host_port[sizeof(":65535")];
-    char host_id[BUF_LEN + 2];
-    char hop[ADDRTOT_BUF];
-    const char *hop_sep = "";
-    const char *open_brackets  = "";
-    const char *close_brackets = "";
-
-    if (isanyaddr(&this->host_addr))
-    {
-	switch (policy & (POLICY_GROUP | POLICY_OPPO))
+	char client[SUBNETTOT_BUF];
+	const char *client_sep = "";
+	char protoport[sizeof(":255/65535")];
+	const char *host = NULL;
+	char host_space[ADDRTOT_BUF];
+	char host_port[sizeof(":65535")];
+	char host_id[BUF_LEN + 2];
+	char hop[ADDRTOT_BUF];
+	const char *hop_sep = "";
+	const char *open_brackets  = "";
+	const char *close_brackets = "";
+
+	if (isanyaddr(&this->host_addr))
 	{
-	case POLICY_GROUP:
-	    host = "%group";
-	    break;
-	case POLICY_OPPO:
-	    host = "%opportunistic";
-	    break;
-	case POLICY_GROUP | POLICY_OPPO:
-	    host = "%opportunisticgroup";
-	    break;
-	default:
-	    host = "%any";
-	    break;
+		switch (policy & (POLICY_GROUP | POLICY_OPPO))
+		{
+		case POLICY_GROUP:
+			host = "%group";
+			break;
+		case POLICY_OPPO:
+			host = "%opportunistic";
+			break;
+		case POLICY_GROUP | POLICY_OPPO:
+			host = "%opportunisticgroup";
+			break;
+		default:
+			host = "%any";
+			break;
+		}
+	}
+
+	client[0] = '\0';
+
+	if (is_virtual_end(this) && isanyaddr(&this->host_addr))
+	{
+		host = "%virtual";
+	}
+
+	/* [client===] */
+	if (this->has_client)
+	{
+		ip_address client_net, client_mask;
+
+		networkof(&this->client, &client_net);
+		maskof(&this->client, &client_mask);
+		client_sep = "===";
+
+		/* {client_subnet_wildcard} */
+		if (this->has_client_wildcard)
+		{
+			open_brackets  = "{";
+			close_brackets = "}";
+		}
+
+		if (isanyaddr(&client_net) && isanyaddr(&client_mask)
+		&& (policy & (POLICY_GROUP | POLICY_OPPO)))
+			client_sep = "";    /* boring case */
+		else if (subnetisnone(&this->client))
+			strcpy(client, "?");
+		else
+			subnettot(&this->client, 0, client, sizeof(client));
+	}
+	else if (this->modecfg && isanyaddr(&this->host_srcip))
+	{
+		/* we are mode config client */
+		client_sep = "===";
+		strcpy(client, "%modecfg");
+	}
+
+	/* host */
+	if (host == NULL)
+	{
+		addrtot(&this->host_addr, 0, host_space, sizeof(host_space));
+		host = host_space;
 	}
-    }
-
-    client[0] = '\0';
-
-    if (is_virtual_end(this) && isanyaddr(&this->host_addr))
-    {
-	host = "%virtual";
-    }
-
-    /* [client===] */
-    if (this->has_client)
-    {
-	ip_address client_net, client_mask;
-
-	networkof(&this->client, &client_net);
-	maskof(&this->client, &client_mask);
-	client_sep = "===";
-
- 	/* {client_subnet_wildcard} */
- 	if (this->has_client_wildcard)
- 	{
- 	    open_brackets  = "{";
- 	    close_brackets = "}";
- 	}
-
-	if (isanyaddr(&client_net) && isanyaddr(&client_mask)
-	&& (policy & (POLICY_GROUP | POLICY_OPPO)))
-	    client_sep = "";	/* boring case */
-	else if (subnetisnone(&this->client))
-	    strcpy(client, "?");
+
+	host_port[0] = '\0';
+	if (this->host_port != IKE_UDP_PORT)
+		snprintf(host_port, sizeof(host_port), ":%u"
+			, this->host_port);
+
+	/* payload portocol and port */
+	protoport[0] = '\0';
+	if (this->has_port_wildcard)
+		snprintf(protoport, sizeof(protoport), ":%u/%%any", this->protocol);
+	else if (this->port || this->protocol)
+		snprintf(protoport, sizeof(protoport), ":%u/%u", this->protocol
+			, this->port);
+
+	/* id, if different from host */
+	host_id[0] = '\0';
+	if (this->id.kind == ID_MYID)
+	{
+		strcpy(host_id, "[%myid]");
+	}
+	else if (!(this->id.kind == ID_ANY
+	|| (id_is_ipaddr(&this->id) && sameaddr(&this->id.ip_addr, &this->host_addr))))
+	{
+		int len = idtoa(&this->id, host_id+1, sizeof(host_id)-2);
+
+		host_id[0] = '[';
+		strcpy(&host_id[len < 0? (ptrdiff_t)sizeof(host_id)-2 : 1 + len], "]");
+	}
+
+	/* [---hop] */
+	hop[0] = '\0';
+	hop_sep = "";
+	if (that != NULL && !sameaddr(&this->host_nexthop, &that->host_addr))
+	{
+		addrtot(&this->host_nexthop, 0, hop, sizeof(hop));
+		hop_sep = "---";
+	}
+
+	if (is_left)
+		snprintf(buf, buf_len, "%s%s%s%s%s%s%s%s%s%s%s"
+			, open_brackets, client, close_brackets, client_sep
+			, this->allow_any? "%":""
+			, host, host_port, host_id, protoport
+			, hop_sep, hop);
 	else
-	    subnettot(&this->client, 0, client, sizeof(client));
-    }
-    else if (this->modecfg && isanyaddr(&this->host_srcip))
-    {
-	/* we are mode config client */
-	client_sep = "===";
-	strcpy(client, "%modecfg");
-    }
-
-    /* host */
-    if (host == NULL)
-    {
-	addrtot(&this->host_addr, 0, host_space, sizeof(host_space));
-	host = host_space;
-    }
-
-    host_port[0] = '\0';
-    if (this->host_port != IKE_UDP_PORT)
-	snprintf(host_port, sizeof(host_port), ":%u"
-	    , this->host_port);
-
-    /* payload portocol and port */
-    protoport[0] = '\0';
-    if (this->has_port_wildcard)
-	snprintf(protoport, sizeof(protoport), ":%u/%%any", this->protocol);
-    else if (this->port || this->protocol)
-	snprintf(protoport, sizeof(protoport), ":%u/%u", this->protocol
-	    , this->port);
-
-    /* id, if different from host */
-    host_id[0] = '\0';
-    if (this->id.kind == ID_MYID)
-    {
-	strcpy(host_id, "[%myid]");
-    }
-    else if (!(this->id.kind == ID_NONE
-    || (id_is_ipaddr(&this->id) && sameaddr(&this->id.ip_addr, &this->host_addr))))
-    {
-	int len = idtoa(&this->id, host_id+1, sizeof(host_id)-2);
-
-	host_id[0] = '[';
-	strcpy(&host_id[len < 0? (ptrdiff_t)sizeof(host_id)-2 : 1 + len], "]");
-    }
-
-    /* [---hop] */
-    hop[0] = '\0';
-    hop_sep = "";
-    if (that != NULL && !sameaddr(&this->host_nexthop, &that->host_addr))
-    {
-	addrtot(&this->host_nexthop, 0, hop, sizeof(hop));
-	hop_sep = "---";
-    }
-
-    if (is_left)
-	snprintf(buf, buf_len, "%s%s%s%s%s%s%s%s%s%s%s"
-	    , open_brackets, client, close_brackets, client_sep
-	    , this->allow_any? "%":""
-	    , host, host_port, host_id, protoport
-	    , hop_sep, hop);
-    else
-	snprintf(buf, buf_len, "%s%s%s%s%s%s%s%s%s%s%s"
-	    , hop, hop_sep
-	    , this->allow_any? "%":""
-	    , host, host_port, host_id, protoport, client_sep
-	    , open_brackets, client, close_brackets);
-    return strlen(buf);
+		snprintf(buf, buf_len, "%s%s%s%s%s%s%s%s%s%s%s"
+			, hop, hop_sep
+			, this->allow_any? "%":""
+			, host, host_port, host_id, protoport, client_sep
+			, open_brackets, client, close_brackets);
+	return strlen(buf);
 }
 
 /* format topology of a connection.
  * Two symmetric ends separated by ...
  */
-#define CONNECTION_BUF	(2 * (END_BUF - 1) + 4)
+#define CONNECTION_BUF  (2 * (END_BUF - 1) + 4)
 
 static size_t
 format_connection(char *buf, size_t buf_len
-		  , const struct connection *c
-		  , struct spd_route *sr)
+				  , const struct connection *c
+				  , struct spd_route *sr)
 {
-    size_t w = format_end(buf, buf_len, &sr->this, &sr->that, TRUE, LEMPTY);
+	size_t w = format_end(buf, buf_len, &sr->this, &sr->that, TRUE, LEMPTY);
 
-    w += snprintf(buf + w, buf_len - w, "...");
-    return w + format_end(buf + w, buf_len - w, &sr->that, &sr->this, FALSE, c->policy);
+	w += snprintf(buf + w, buf_len - w, "...");
+	return w + format_end(buf + w, buf_len - w, &sr->that, &sr->this, FALSE, c->policy);
 }
 
 static void
 unshare_connection_strings(struct connection *c)
 {
-    c->name = clone_str(c->name, "connection name");
-
-    unshare_id_content(&c->spd.this.id);
-    c->spd.this.updown = clone_str(c->spd.this.updown, "updown");
-    scx_share(c->spd.this.sc);
-    share_cert(c->spd.this.cert);
-    if (c->spd.this.ca.ptr != NULL)
-	clonetochunk(c->spd.this.ca, c->spd.this.ca.ptr, c->spd.this.ca.len, "ca string");
-
-    unshare_id_content(&c->spd.that.id);
-    c->spd.that.updown = clone_str(c->spd.that.updown, "updown");
-    scx_share(c->spd.that.sc);
-    share_cert(c->spd.that.cert);
-    if (c->spd.that.ca.ptr != NULL)
-	clonetochunk(c->spd.that.ca, c->spd.that.ca.ptr, c->spd.that.ca.len, "ca string");
-
-    /* increment references to algo's */
-    alg_info_addref((struct alg_info *)c->alg_info_esp);
-    alg_info_addref((struct alg_info *)c->alg_info_ike);
+	c->name = clone_str(c->name);
+
+	unshare_id_content(&c->spd.this.id);
+	c->spd.this.updown = clone_str(c->spd.this.updown);
+	scx_share(c->spd.this.sc);
+	share_cert(c->spd.this.cert);
+	c->spd.this.ca = chunk_clone(c->spd.this.ca);
+
+	unshare_id_content(&c->spd.that.id);
+	c->spd.that.updown = clone_str(c->spd.that.updown);
+	scx_share(c->spd.that.sc);
+	share_cert(c->spd.that.cert);
+	c->spd.that.ca = chunk_clone(c->spd.that.ca);
+
+	/* increment references to algo's */
+	alg_info_addref((struct alg_info *)c->alg_info_esp);
+	alg_info_addref((struct alg_info *)c->alg_info_ike);
 }
 
-static void
-load_end_certificate(const char *filename, struct end *dst)
+static void load_end_certificate(char *filename, struct end *dst)
 {
-    time_t valid_until;
-    cert_t cert;
-    bool valid_cert = FALSE;
-    bool cached_cert = FALSE;
+	time_t valid_until;
+	cert_t cert;
+	bool valid_cert = FALSE;
+	bool cached_cert = FALSE;
 
-    /* initialize end certificate */
-    dst->cert.type = CERT_NONE;
-    dst->cert.u.x509 = NULL;
+	/* initialize end certificate */
+	dst->cert.type = CERT_NONE;
+	dst->cert.u.x509 = NULL;
 
-    /* initialize smartcard info record */
-    dst->sc = NULL;
+	/* initialize smartcard info record */
+	dst->sc = NULL;
 
-    if (filename != NULL)
-    {
-	if (scx_on_smartcard(filename))
-	{
-	    /* load cert from smartcard */
-	    valid_cert = scx_load_cert(filename, &dst->sc, &cert, &cached_cert);
-	}
-	else
+	if (filename != NULL)
 	{
-	    /* load cert from file */
-	    valid_cert = load_host_cert(filename, &cert);
+		if (scx_on_smartcard(filename))
+		{
+			/* load cert from smartcard */
+			valid_cert = scx_load_cert(filename, &dst->sc, &cert, &cached_cert);
+		}
+		else
+		{
+			/* load cert from file */
+			valid_cert = load_host_cert(filename, &cert);
+		}
 	}
-    }
-
-    if (valid_cert)
-    {
-	err_t ugh = NULL;
 
-	switch (cert.type)
+	if (valid_cert)
 	{
-	case CERT_PGP:
-	    select_pgpcert_id(cert.u.pgp, &dst->id);
-
-	    if (cached_cert)
-		dst->cert = cert;
-	    else
-	    {
-		valid_until = cert.u.pgp->until;
-		add_pgp_public_key(cert.u.pgp, cert.u.pgp->until, DAL_LOCAL);
-		dst->cert.type = cert.type;
-		dst->cert.u.pgp = add_pgpcert(cert.u.pgp);
-	    }
-	    break;
-	case CERT_X509_SIGNATURE:
-	    select_x509cert_id(cert.u.x509, &dst->id);
-
-	    if (cached_cert)
-		dst->cert = cert;
-	    else
-	    {
-		/* check validity of cert */
-		valid_until = cert.u.x509->notAfter;
-		ugh = check_validity(cert.u.x509, &valid_until);
-		if (ugh != NULL)
+		err_t ugh = NULL;
+
+		switch (cert.type)
 		{
-		    plog("  %s", ugh);
-		    free_x509cert(cert.u.x509);
-		    break;
-		}
+		case CERT_PGP:
+			select_pgpcert_id(cert.u.pgp, &dst->id);
 
-		DBG(DBG_CONTROL,
-		    DBG_log("certificate is valid")
-		)
-		add_x509_public_key(cert.u.x509, valid_until, DAL_LOCAL);
-		dst->cert.type = cert.type;
-		dst->cert.u.x509 = add_x509cert(cert.u.x509);
-	    }
-	    /* if no CA is defined, use issuer as default */
-	    if (dst->ca.ptr == NULL)
-		dst->ca = dst->cert.u.x509->issuer;
-	    break;
-	default:
-	    break;
-	}
+			if (cached_cert)
+				dst->cert = cert;
+			else
+			{
+				valid_until = cert.u.pgp->until;
+				add_pgp_public_key(cert.u.pgp, cert.u.pgp->until, DAL_LOCAL);
+				dst->cert.type = cert.type;
+				dst->cert.u.pgp = add_pgpcert(cert.u.pgp);
+			}
+			break;
+		case CERT_X509_SIGNATURE:
+			select_x509cert_id(cert.u.x509, &dst->id);
 
-	/* cache the certificate that was last retrieved from the smartcard */
-	if (dst->sc != NULL)
-	{
-	    if (!same_cert(&dst->sc->last_cert, &dst->cert))
-	    {
-		lock_certs_and_keys("load_end_certificates");
-		release_cert(dst->sc->last_cert);
-		dst->sc->last_cert = dst->cert;
-		share_cert(dst->cert);
-		unlock_certs_and_keys("load_end_certificates");
-	    }
-	    time(&dst->sc->last_load);
+			if (cached_cert)
+				dst->cert = cert;
+			else
+			{
+				/* check validity of cert */
+				valid_until = cert.u.x509->notAfter;
+				ugh = check_validity(cert.u.x509, &valid_until);
+				if (ugh != NULL)
+				{
+					plog("  %s", ugh);
+					free_x509cert(cert.u.x509);
+					break;
+				}
+
+				DBG(DBG_CONTROL,
+					DBG_log("certificate is valid")
+				)
+				add_x509_public_key(cert.u.x509, valid_until, DAL_LOCAL);
+				dst->cert.type = cert.type;
+				dst->cert.u.x509 = add_x509cert(cert.u.x509);
+			}
+			/* if no CA is defined, use issuer as default */
+			if (dst->ca.ptr == NULL)
+				dst->ca = dst->cert.u.x509->issuer;
+			break;
+		default:
+			break;
+		}
+
+		/* cache the certificate that was last retrieved from the smartcard */
+		if (dst->sc != NULL)
+		{
+			if (!same_cert(&dst->sc->last_cert, &dst->cert))
+			{
+				lock_certs_and_keys("load_end_certificates");
+				release_cert(dst->sc->last_cert);
+				dst->sc->last_cert = dst->cert;
+				share_cert(dst->cert);
+				unlock_certs_and_keys("load_end_certificates");
+			}
+			time(&dst->sc->last_load);
+		}
 	}
-    }
 }
 
 static bool
 extract_end(struct end *dst, const whack_end_t *src, const char *which)
 {
-    bool same_ca = FALSE;
+	bool same_ca = FALSE;
 
-    /* decode id, if any */
-    if (src->id == NULL)
-    {
-	dst->id.kind = ID_NONE;
-    }
-    else
-    {
-	err_t ugh = atoid(src->id, &dst->id, TRUE);
-
-	if (ugh != NULL)
+	/* decode id, if any */
+	if (src->id == NULL)
 	{
-	    loglog(RC_BADID, "bad %s --id: %s (ignored)", which, ugh);
-	    dst->id = empty_id;	/* ignore bad one */
+		dst->id.kind = ID_ANY;
+	}
+	else
+	{
+		err_t ugh = atoid(src->id, &dst->id, TRUE);
+
+		if (ugh != NULL)
+		{
+			loglog(RC_BADID, "bad %s --id: %s (ignored)", which, ugh);
+			dst->id = empty_id; /* ignore bad one */
+		}
 	}
-    }
 
-    dst->ca = empty_chunk;
+	dst->ca = chunk_empty;
 
-    /* decode CA distinguished name, if any */
-    if (src->ca != NULL)
-    {
-	if streq(src->ca, "%same")
-	    same_ca = TRUE;
-	else if (!streq(src->ca, "%any"))
+	/* decode CA distinguished name, if any */
+	if (src->ca != NULL)
 	{
-	    err_t ugh;
-
-	    dst->ca.ptr = temporary_cyclic_buffer();
-	    ugh = atodn(src->ca, &dst->ca);
-	    if (ugh != NULL)
-	    {
-		plog("bad CA string '%s': %s (ignored)", src->ca, ugh);
-		dst->ca = empty_chunk;
-	    }
+		if streq(src->ca, "%same")
+			same_ca = TRUE;
+		else if (!streq(src->ca, "%any"))
+		{
+			err_t ugh;
+
+			dst->ca.ptr = temporary_cyclic_buffer();
+			ugh = atodn(src->ca, &dst->ca);
+			if (ugh != NULL)
+			{
+				plog("bad CA string '%s': %s (ignored)", src->ca, ugh);
+				dst->ca = chunk_empty;
+			}
+		}
 	}
-    }
-
-    /* load local end certificate and extract ID, if any */
-    load_end_certificate(src->cert, dst);
-
-    /* does id has wildcards? */
-    dst->has_id_wildcards = id_count_wildcards(&dst->id) > 0;
-
-    /* decode group attributes, if any */
-    decode_groups(src->groups, &dst->groups);
-
-    /* the rest is simple copying of corresponding fields */
-    dst->host_addr = src->host_addr;
-    dst->host_nexthop = src->host_nexthop;
-    dst->host_srcip = src->host_srcip;
-    dst->has_natip = src->has_natip;
-    dst->client = src->client;
-    dst->protocol = src->protocol;
-    dst->port = src->port;
-    dst->has_port_wildcard = src->has_port_wildcard;
-    dst->key_from_DNS_on_demand = src->key_from_DNS_on_demand;
-    dst->has_client = src->has_client;
-    dst->has_client_wildcard = src->has_client_wildcard;
-    dst->modecfg = src->modecfg;
-    dst->hostaccess = src->hostaccess;
-    dst->allow_any = src->allow_any;
-    dst->sendcert = src->sendcert;
-    dst->updown = src->updown;
-    dst->host_port = src->host_port;
-
-    /* if host sourceip is defined but no client is present
-     * behind the host then set client to sourceip/32
-     */
-    if (addrbytesptr(&dst->host_srcip, NULL)
-    && !isanyaddr(&dst->host_srcip)
-    && !dst->has_natip
-    && !dst->has_client)
-    {
-	err_t ugh = addrtosubnet(&dst->host_srcip, &dst->client);
 
-	if (ugh != NULL)
-	    plog("could not assign host sourceip to client subnet");
-	else
-	    dst->has_client = TRUE;
-    }
-    return same_ca;
+	/* load local end certificate and extract ID, if any */
+	load_end_certificate(src->cert, dst);
+
+	/* does id has wildcards? */
+	dst->has_id_wildcards = id_count_wildcards(&dst->id) > 0;
+
+	/* decode group attributes, if any */
+	decode_groups(src->groups, &dst->groups);
+
+	/* the rest is simple copying of corresponding fields */
+	dst->host_addr = src->host_addr;
+	dst->host_nexthop = src->host_nexthop;
+	dst->host_srcip = src->host_srcip;
+	dst->has_natip = src->has_natip;
+	dst->client = src->client;
+	dst->protocol = src->protocol;
+	dst->port = src->port;
+	dst->has_port_wildcard = src->has_port_wildcard;
+	dst->key_from_DNS_on_demand = src->key_from_DNS_on_demand;
+	dst->has_client = src->has_client;
+	dst->has_client_wildcard = src->has_client_wildcard;
+	dst->modecfg = src->modecfg;
+	dst->hostaccess = src->hostaccess;
+	dst->allow_any = src->allow_any;
+	dst->sendcert = src->sendcert;
+	dst->updown = src->updown;
+	dst->host_port = src->host_port;
+
+	/* if host sourceip is defined but no client is present
+	 * behind the host then set client to sourceip/32
+	 */
+	if (addrbytesptr(&dst->host_srcip, NULL)
+	&& !isanyaddr(&dst->host_srcip)
+	&& !dst->has_natip
+	&& !dst->has_client)
+	{
+		err_t ugh = addrtosubnet(&dst->host_srcip, &dst->client);
+
+		if (ugh != NULL)
+			plog("could not assign host sourceip to client subnet");
+		else
+			dst->has_client = TRUE;
+	}
+	return same_ca;
 }
 
 static bool
 check_connection_end(const whack_end_t *this, const whack_end_t *that
 , const whack_message_t *wm)
 {
-    if (wm->addr_family != addrtypeof(&this->host_addr)
-    || wm->addr_family != addrtypeof(&this->host_nexthop)
-    || (this->has_client? wm->tunnel_addr_family : wm->addr_family)
-      != subnettypeof(&this->client)
-    || subnettypeof(&this->client) != subnettypeof(&that->client))
-    {
-	/* this should have been diagnosed by whack, so we need not be clear
-	 * !!! overloaded use of RC_CLASH
-	 */
-	loglog(RC_CLASH, "address family inconsistency in connection");
-	return FALSE;
-    }
+	if (wm->addr_family != addrtypeof(&this->host_addr)
+	|| wm->addr_family != addrtypeof(&this->host_nexthop)
+	|| (this->has_client? wm->tunnel_addr_family : wm->addr_family)
+	  != subnettypeof(&this->client)
+	|| subnettypeof(&this->client) != subnettypeof(&that->client))
+	{
+		/* this should have been diagnosed by whack, so we need not be clear
+		 * !!! overloaded use of RC_CLASH
+		 */
+		loglog(RC_CLASH, "address family inconsistency in connection");
+		return FALSE;
+	}
 
-    if (isanyaddr(&that->host_addr))
-    {
-	/* other side is wildcard: we must check if other conditions met */
-	if (isanyaddr(&this->host_addr))
+	if (isanyaddr(&that->host_addr))
 	{
-	    loglog(RC_ORIENT, "connection must specify host IP address for our side");
-	    return FALSE;
+		/* other side is wildcard: we must check if other conditions met */
+		if (isanyaddr(&this->host_addr))
+		{
+			loglog(RC_ORIENT, "connection must specify host IP address for our side");
+			return FALSE;
+		}
 	}
-    }
 
-    if (this->virt && (!isanyaddr(&this->host_addr) || this->has_client))
-    {
-	loglog(RC_CLASH,
-	    "virtual IP must only be used with %%any and without client");
-	return FALSE;
-    }
+	if (this->virt && (!isanyaddr(&this->host_addr) || this->has_client))
+	{
+		loglog(RC_CLASH,
+			"virtual IP must only be used with %%any and without client");
+		return FALSE;
+	}
 
-    return TRUE;	/* happy */
+	return TRUE;        /* happy */
 }
 
 struct connection *
 find_connection_by_reqid(uint32_t reqid)
 {
-    struct connection *c;
+	struct connection *c;
 
-    reqid &= ~3;
-    for (c = connections; c != NULL; c = c->ac_next)
-    {
-	if (c->spd.reqid == reqid)
-	    return c;
-    }
+	reqid &= ~3;
+	for (c = connections; c != NULL; c = c->ac_next)
+	{
+		if (c->spd.reqid == reqid)
+			return c;
+	}
 
-    return NULL;
+	return NULL;
 }
 
 static uint32_t
 gen_reqid(void)
 {
-    uint32_t start;
-    static uint32_t reqid = IPSEC_MANUAL_REQID_MAX & ~3;
-
-    start = reqid;
-    do {
-	reqid += 4;
-	if (reqid == 0)
-	    reqid = (IPSEC_MANUAL_REQID_MAX & ~3) + 4;
-	if (!find_connection_by_reqid(reqid))
-	    return reqid;
-    } while (reqid != start);
-
-    exit_log("unable to allocate reqid");
-    return 0; /* never reached ... */
+	uint32_t start;
+	static uint32_t reqid = IPSEC_MANUAL_REQID_MAX & ~3;
+
+	start = reqid;
+	do {
+		reqid += 4;
+		if (reqid == 0)
+			reqid = (IPSEC_MANUAL_REQID_MAX & ~3) + 4;
+		if (!find_connection_by_reqid(reqid))
+			return reqid;
+	} while (reqid != start);
+
+	exit_log("unable to allocate reqid");
+	return 0; /* never reached ... */
 }
 
 void
 add_connection(const whack_message_t *wm)
 {
-    if (con_by_name(wm->name, FALSE) != NULL)
-    {
-	loglog(RC_DUPNAME, "attempt to redefine connection \"%s\"", wm->name);
-    }
-    else if (wm->right.protocol != wm->left.protocol)
-    {
-	/* this should haven been diagnosed by whack
-	 * !!! overloaded use of RC_CLASH
-	 */
-	loglog(RC_CLASH, "the protocol must be the same for leftport and rightport");
-    }
-    else if (check_connection_end(&wm->right, &wm->left, wm)
-    && check_connection_end(&wm->left, &wm->right, wm))
-    {
-	bool same_rightca, same_leftca;
-	struct connection *c = alloc_thing(struct connection, "struct connection");
-
-	c->name   = wm->name;
-	c->ikev1  = wm->ikev1;
-	c->policy = wm->policy;
-
-	if ((c->policy & POLICY_COMPRESS) && !can_do_IPcomp)
-	    loglog(RC_COMMENT
-		, "ignoring --compress in \"%s\" because KLIPS is not configured to do IPCOMP"
-		, c->name);
-
-	if (wm->esp)
+	if (con_by_name(wm->name, FALSE) != NULL)
 	{
-	    const char *ugh;
-
-	     DBG(DBG_CONTROL,
-		DBG_log("from whack: got --esp=%s", wm->esp ? wm->esp: "NULL")
-	    )
-	    c->alg_info_esp= alg_info_esp_create_from_str(wm->esp? wm->esp : "", &ugh);
-
-	    DBG(DBG_CRYPT|DBG_CONTROL,
-		static char buf[256]="<NULL>";
-
-		if (c->alg_info_esp)
-		    alg_info_snprint(buf, sizeof(buf)
-			    ,(struct alg_info *)c->alg_info_esp);
-		DBG_log("esp string values: %s", buf);
-	    )
-	    if (c->alg_info_esp)
-	    {
-		if (c->alg_info_esp->alg_info_cnt==0)
-		     loglog(RC_LOG_SERIOUS
-			    , "got 0 transforms for esp=\"%s\"", wm->esp);
-	    }
-	    else
-	    {
-		loglog(RC_LOG_SERIOUS
-		       , "esp string error: %s", ugh? ugh : "Unknown");
-	    }
+		loglog(RC_DUPNAME, "attempt to redefine connection \"%s\"", wm->name);
 	}
-	
-	if (wm->ike)
+	else if (wm->right.protocol != wm->left.protocol)
 	{
-	    const char *ugh;
-
-	    DBG(DBG_CONTROL,
-		DBG_log("from whack: got --ike=%s", wm->ike ? wm->ike: "NULL")
-	    )
-	    c->alg_info_ike= alg_info_ike_create_from_str(wm->ike? wm->ike : "", &ugh);
-
-	    DBG(DBG_CRYPT|DBG_CONTROL,
-		static char buf[256]="<NULL>";
-
-		if (c->alg_info_ike)
-		    alg_info_snprint(buf, sizeof(buf)
-			    , (struct alg_info *)c->alg_info_ike);
-		DBG_log("ike string values: %s", buf);
-	    )
-	    if (c->alg_info_ike)
-	    {
-		if (c->alg_info_ike->alg_info_cnt==0)
-		    loglog(RC_LOG_SERIOUS
-			   , "got 0 transforms for ike=\"%s\"", wm->ike);
-	    }
-	    else
-	    {
-		loglog(RC_LOG_SERIOUS
-		       , "ike string error: %s", ugh? ugh : "Unknown");
-	    }
+		/* this should haven been diagnosed by whack
+		 * !!! overloaded use of RC_CLASH
+		 */
+		loglog(RC_CLASH, "the protocol must be the same for leftport and rightport");
 	}
-	
-	c->sa_ike_life_seconds = wm->sa_ike_life_seconds;
-	c->sa_ipsec_life_seconds = wm->sa_ipsec_life_seconds;
-	c->sa_rekey_margin = wm->sa_rekey_margin;
-	c->sa_rekey_fuzz = wm->sa_rekey_fuzz;
-	c->sa_keying_tries = wm->sa_keying_tries;
+	else if (check_connection_end(&wm->right, &wm->left, wm)
+	&& check_connection_end(&wm->left, &wm->right, wm))
+	{
+		bool same_rightca, same_leftca;
+		struct connection *c = malloc_thing(struct connection);
 
-	/* RFC 3706 DPD */
-	c->dpd_delay = wm->dpd_delay;
-	c->dpd_timeout = wm->dpd_timeout;
-	c->dpd_action = wm->dpd_action;
+		zero(c);
+		c->name   = wm->name;
+		c->ikev1  = wm->ikev1;
+		c->policy = wm->policy;
 
-	c->addr_family = wm->addr_family;
-	c->tunnel_addr_family = wm->tunnel_addr_family;
+		if ((c->policy & POLICY_COMPRESS) && !can_do_IPcomp)
+			loglog(RC_COMMENT
+				, "ignoring --compress in \"%s\" because KLIPS is not configured to do IPCOMP"
+				, c->name);
 
-	c->requested_ca = NULL;
+		if (wm->esp)
+		{
+			 DBG(DBG_CONTROL,
+				DBG_log("from whack: got --esp=%s", wm->esp ? wm->esp: "NULL")
+			)
+			c->alg_info_esp= alg_info_esp_create_from_str(wm->esp? wm->esp : "");
+
+			DBG(DBG_CRYPT|DBG_CONTROL,
+				static char buf[BUF_LEN]="<NULL>";
+
+				if (c->alg_info_esp)
+					alg_info_snprint(buf, sizeof(buf)
+							,(struct alg_info *)c->alg_info_esp);
+				DBG_log("esp proposal: %s", buf);
+			)
+			if (c->alg_info_esp)
+			{
+				if (c->alg_info_esp->alg_info_cnt==0)
+					 loglog(RC_LOG_SERIOUS
+							, "got 0 transforms for esp=\"%s\"", wm->esp);
+			}
+			else
+			{
+				loglog(RC_LOG_SERIOUS, "esp string error");
+			}
+		}
+		
+		if (wm->ike)
+		{
+			DBG(DBG_CONTROL,
+				DBG_log("from whack: got --ike=%s", wm->ike ? wm->ike: "NULL")
+			)
+			c->alg_info_ike= alg_info_ike_create_from_str(wm->ike? wm->ike : "");
+
+			DBG(DBG_CRYPT|DBG_CONTROL,
+				static char buf[BUF_LEN]="<NULL>";
+
+				if (c->alg_info_ike)
+					alg_info_snprint(buf, sizeof(buf)
+							, (struct alg_info *)c->alg_info_ike);
+				DBG_log("ike proposal: %s", buf);
+			)
+			if (c->alg_info_ike)
+			{
+				if (c->alg_info_ike->alg_info_cnt==0)
+					loglog(RC_LOG_SERIOUS
+						   , "got 0 transforms for ike=\"%s\"", wm->ike);
+			}
+			else
+			{
+				loglog(RC_LOG_SERIOUS, "ike string error:");
+			}
+		}
+		
+		c->sa_ike_life_seconds = wm->sa_ike_life_seconds;
+		c->sa_ipsec_life_seconds = wm->sa_ipsec_life_seconds;
+		c->sa_rekey_margin = wm->sa_rekey_margin;
+		c->sa_rekey_fuzz = wm->sa_rekey_fuzz;
+		c->sa_keying_tries = wm->sa_keying_tries;
 
-	same_leftca  = extract_end(&c->spd.this, &wm->left, "left");
-	same_rightca = extract_end(&c->spd.that, &wm->right, "right");
+		/* RFC 3706 DPD */
+		c->dpd_delay = wm->dpd_delay;
+		c->dpd_timeout = wm->dpd_timeout;
+		c->dpd_action = wm->dpd_action;
 
-	if (same_rightca)
-	    c->spd.that.ca = c->spd.this.ca;
-	else if (same_leftca)
-	    c->spd.this.ca = c->spd.that.ca;
+		c->addr_family = wm->addr_family;
+		c->tunnel_addr_family = wm->tunnel_addr_family;
 
-	default_end(&c->spd.this, &c->spd.that.host_addr);
-	default_end(&c->spd.that, &c->spd.this.host_addr);
+		c->requested_ca = NULL;
 
-	/* force any wildcard host IP address, any wildcard subnet
-	 * or any wildcard ID to that end
-	 */
-	if (isanyaddr(&c->spd.this.host_addr) || c->spd.this.has_client_wildcard
-	|| c->spd.this.has_port_wildcard || c->spd.this.has_id_wildcards
-	|| c->spd.this.allow_any)
-	{
-	    struct end t = c->spd.this;
+		same_leftca  = extract_end(&c->spd.this, &wm->left, "left");
+		same_rightca = extract_end(&c->spd.that, &wm->right, "right");
 
-	    c->spd.this = c->spd.that;
-	    c->spd.that = t;
-	}
+		if (same_rightca)
+			c->spd.that.ca = c->spd.this.ca;
+		else if (same_leftca)
+			c->spd.this.ca = c->spd.that.ca;
 
-	c->spd.next = NULL;
-	c->spd.reqid = gen_reqid();
+		default_end(&c->spd.this, &c->spd.that.host_addr);
+		default_end(&c->spd.that, &c->spd.this.host_addr);
 
-	/* set internal fields */
-	c->instance_serial = 0;
-	c->ac_next = connections;
-	connections = c;
-	c->interface = NULL;
-	c->spd.routing = RT_UNROUTED;
-	c->newest_isakmp_sa = SOS_NOBODY;
-	c->newest_ipsec_sa = SOS_NOBODY;
-	c->spd.eroute_owner = SOS_NOBODY;
-
-	if (c->policy & POLICY_GROUP)
-	{
-	    c->kind = CK_GROUP;
-	    add_group(c);
-	}
-	else if ((isanyaddr(&c->spd.that.host_addr) && !NEVER_NEGOTIATE(c->policy))
-	|| c->spd.that.has_client_wildcard || c->spd.that.has_port_wildcard
-	|| c->spd.that.has_id_wildcards || c->spd.that.allow_any)
-	{
-	    /* Opportunistic or Road Warrior or wildcard client subnet
-	     * or wildcard ID */
-	    c->kind = CK_TEMPLATE;
-	}
-	else
-	{
-	    c->kind = CK_PERMANENT;
-	}
-	set_policy_prio(c);	/* must be after kind is set */
+		/* force any wildcard host IP address, any wildcard subnet
+		 * or any wildcard ID to that end
+		 */
+		if (isanyaddr(&c->spd.this.host_addr) || c->spd.this.has_client_wildcard
+		|| c->spd.this.has_port_wildcard || c->spd.this.has_id_wildcards
+		|| c->spd.this.allow_any)
+		{
+			struct end t = c->spd.this;
+
+			c->spd.this = c->spd.that;
+			c->spd.that = t;
+		}
+
+		c->spd.next = NULL;
+		c->spd.reqid = gen_reqid();
+
+		/* set internal fields */
+		c->instance_serial = 0;
+		c->ac_next = connections;
+		connections = c;
+		c->interface = NULL;
+		c->spd.routing = RT_UNROUTED;
+		c->newest_isakmp_sa = SOS_NOBODY;
+		c->newest_ipsec_sa = SOS_NOBODY;
+		c->spd.eroute_owner = SOS_NOBODY;
+
+		if (c->policy & POLICY_GROUP)
+		{
+			c->kind = CK_GROUP;
+			add_group(c);
+		}
+		else if ((isanyaddr(&c->spd.that.host_addr) && !NEVER_NEGOTIATE(c->policy))
+		|| c->spd.that.has_client_wildcard || c->spd.that.has_port_wildcard
+		|| c->spd.that.has_id_wildcards || c->spd.that.allow_any)
+		{
+			/* Opportunistic or Road Warrior or wildcard client subnet
+			 * or wildcard ID */
+			c->kind = CK_TEMPLATE;
+		}
+		else
+		{
+			c->kind = CK_PERMANENT;
+		}
+		set_policy_prio(c);     /* must be after kind is set */
 
 #ifdef DEBUG
-	c->extra_debugging = wm->debugging;
+		c->extra_debugging = wm->debugging;
 #endif
 
-	c->gw_info = NULL;
+		c->gw_info = NULL;
 
-	passert(!(wm->left.virt && wm->right.virt));
-	if (wm->left.virt || wm->right.virt)
-	{
-	    passert(isanyaddr(&c->spd.that.host_addr));
-	    c->spd.that.virt = create_virtual(c,
-		wm->left.virt ? wm->left.virt : wm->right.virt);
-	    if (c->spd.that.virt)
-		c->spd.that.has_client = TRUE;
-	}
+		passert(!(wm->left.virt && wm->right.virt));
+		if (wm->left.virt || wm->right.virt)
+		{
+			passert(isanyaddr(&c->spd.that.host_addr));
+			c->spd.that.virt = create_virtual(c,
+				wm->left.virt ? wm->left.virt : wm->right.virt);
+			if (c->spd.that.virt)
+				c->spd.that.has_client = TRUE;
+		}
 
-	unshare_connection_strings(c);
-	(void)orient(c);
+		unshare_connection_strings(c);
+		(void)orient(c);
 
-	if (c->ikev1)
-	    connect_to_host_pair(c);
+		if (c->ikev1)
+			connect_to_host_pair(c);
 
-	/* log all about this connection */
-	plog("added connection description \"%s\"", c->name);
-	DBG(DBG_CONTROL,
-	    char topo[CONNECTION_BUF];
-
-	    (void) format_connection(topo, sizeof(topo), c, &c->spd);
-
-	    DBG_log("%s", topo);
-
-	    /* Make sure that address families can be correctly inferred
-	     * from printed ends.
-	     */
-	    passert(c->addr_family == addrtypeof(&c->spd.this.host_addr)
-		&& c->addr_family == addrtypeof(&c->spd.this.host_nexthop)
-		&& (c->spd.this.has_client? c->tunnel_addr_family : c->addr_family)
-		  == subnettypeof(&c->spd.this.client)
-
-		&& c->addr_family == addrtypeof(&c->spd.that.host_addr)
-		&& c->addr_family == addrtypeof(&c->spd.that.host_nexthop)
-		&& (c->spd.that.has_client? c->tunnel_addr_family : c->addr_family)
-		  == subnettypeof(&c->spd.that.client));
-
-	    DBG_log("ike_life: %lus; ipsec_life: %lus; rekey_margin: %lus;"
-		" rekey_fuzz: %lu%%; keyingtries: %lu; policy: %s"
-		, (unsigned long) c->sa_ike_life_seconds
-		, (unsigned long) c->sa_ipsec_life_seconds
-		, (unsigned long) c->sa_rekey_margin
-		, (unsigned long) c->sa_rekey_fuzz
-		, (unsigned long) c->sa_keying_tries
-		, prettypolicy(c->policy));
-	);
-    }
-}
+		/* log all about this connection */
+		plog("added connection description \"%s\"", c->name);
+		DBG(DBG_CONTROL,
+			char topo[CONNECTION_BUF];
 
-/* Derive a template connection from a group connection and target.
- * Similar to instantiate().  Happens at whack --listen.
+			(void) format_connection(topo, sizeof(topo), c, &c->spd);
+
+			DBG_log("%s", topo);
+
+			/* Make sure that address families can be correctly inferred
+			 * from printed ends.
+			 */
+			passert(c->addr_family == addrtypeof(&c->spd.this.host_addr)
+				&& c->addr_family == addrtypeof(&c->spd.this.host_nexthop)
+				&& (c->spd.this.has_client? c->tunnel_addr_family : c->addr_family)
+				  == subnettypeof(&c->spd.this.client)
+
+				&& c->addr_family == addrtypeof(&c->spd.that.host_addr)
+				&& c->addr_family == addrtypeof(&c->spd.that.host_nexthop)
+				&& (c->spd.that.has_client? c->tunnel_addr_family : c->addr_family)
+				  == subnettypeof(&c->spd.that.client));
+
+			DBG_log("ike_life: %lus; ipsec_life: %lus; rekey_margin: %lus;"
+				" rekey_fuzz: %lu%%; keyingtries: %lu; policy: %s"
+				, (unsigned long) c->sa_ike_life_seconds
+				, (unsigned long) c->sa_ipsec_life_seconds
+				, (unsigned long) c->sa_rekey_margin
+				, (unsigned long) c->sa_rekey_fuzz
+				, (unsigned long) c->sa_keying_tries
+				, prettypolicy(c->policy));
+		);
+	}
+}
+
+/* Derive a template connection from a group connection and target.
+ * Similar to instantiate().  Happens at whack --listen.
  * Returns name of new connection.  May be NULL.
- * Caller is responsible for pfreeing.
+ * Caller is responsible for freeing.
  */
 char *
 add_group_instance(struct connection *group, const ip_subnet *target)
 {
-    char namebuf[100]
-	, targetbuf[SUBNETTOT_BUF];
-    struct connection *t;
-    char *name = NULL;
-
-    passert(group->kind == CK_GROUP);
-    passert(oriented(*group));
-
-    /* manufacture a unique name for this template */
-    subnettot(target, 0, targetbuf, sizeof(targetbuf));
-    snprintf(namebuf, sizeof(namebuf), "%s#%s", group->name, targetbuf);
-
-    if (con_by_name(namebuf, FALSE) != NULL)
-    {
-	loglog(RC_DUPNAME, "group name + target yields duplicate name \"%s\""
-	    , namebuf);
-    }
-    else
-    {
-	t = clone_thing(*group, "group instance");
-	t->name = namebuf;
-	unshare_connection_strings(t);
-	name = clone_str(t->name, "group instance name");
-	t->spd.that.client = *target;
-	t->policy &= ~(POLICY_GROUP | POLICY_GROUTED);
-	t->kind = isanyaddr(&t->spd.that.host_addr) && !NEVER_NEGOTIATE(t->policy)
-	    ? CK_TEMPLATE : CK_INSTANCE;
+	char namebuf[100]
+		, targetbuf[SUBNETTOT_BUF];
+	struct connection *t;
+	char *name = NULL;
 
-	/* reset log file info */
-	t->log_file_name = NULL;
-	t->log_file = NULL;
-	t->log_file_err = FALSE;
+	passert(group->kind == CK_GROUP);
+	passert(oriented(*group));
 
-	t->spd.reqid = gen_reqid();
+	/* manufacture a unique name for this template */
+	subnettot(target, 0, targetbuf, sizeof(targetbuf));
+	snprintf(namebuf, sizeof(namebuf), "%s#%s", group->name, targetbuf);
 
-	if (t->spd.that.virt)
+	if (con_by_name(namebuf, FALSE) != NULL)
 	{
-	    DBG_log("virtual_ip not supported in group instance");
-	    t->spd.that.virt = NULL;	
+		loglog(RC_DUPNAME, "group name + target yields duplicate name \"%s\""
+			, namebuf);
 	}
+	else
+	{
+		t = clone_thing(*group);
+		t->name = namebuf;
+		unshare_connection_strings(t);
+		name = clone_str(t->name);
+		t->spd.that.client = *target;
+		t->policy &= ~(POLICY_GROUP | POLICY_GROUTED);
+		t->kind = isanyaddr(&t->spd.that.host_addr) && !NEVER_NEGOTIATE(t->policy)
+			? CK_TEMPLATE : CK_INSTANCE;
+
+		/* reset log file info */
+		t->log_file_name = NULL;
+		t->log_file = NULL;
+		t->log_file_err = FALSE;
+
+		t->spd.reqid = gen_reqid();
+
+		if (t->spd.that.virt)
+		{
+			DBG_log("virtual_ip not supported in group instance");
+			t->spd.that.virt = NULL;    
+		}
 
-	/* add to connections list */
-	t->ac_next = connections;
-	connections = t;
+		/* add to connections list */
+		t->ac_next = connections;
+		connections = t;
 
-	/* same host_pair as parent: stick after parent on list */
-	group->hp_next = t;
+		/* same host_pair as parent: stick after parent on list */
+		group->hp_next = t;
 
-	/* route if group is routed */
-	if (group->policy & POLICY_GROUTED)
-	{
-	    if (!trap_connection(t))
-		whack_log(RC_ROUTE, "could not route");
+		/* route if group is routed */
+		if (group->policy & POLICY_GROUTED)
+		{
+			if (!trap_connection(t))
+				whack_log(RC_ROUTE, "could not route");
+		}
 	}
-    }
-    return name;
+	return name;
 }
 
 /* an old target has disappeared for a group: delete instance */
@@ -1246,17 +1237,17 @@ void
 remove_group_instance(const struct connection *group USED_BY_DEBUG
 , const char *name)
 {
-    passert(group->kind == CK_GROUP);
-    passert(oriented(*group));
+	passert(group->kind == CK_GROUP);
+	passert(oriented(*group));
 
-    delete_connections_by_name(name, FALSE);
+	delete_connections_by_name(name, FALSE);
 }
 
 /* Common part of instantiating a Road Warrior or Opportunistic connection.
  * his_id can be used to carry over an ID discovered in Phase 1.
  * It must not disagree with the one in c, but if that is unspecified,
  * the new connection will use his_id.
- * If his_id is NULL, and c.that.id is uninstantiated (ID_NONE), the
+ * If his_id is NULL, and c.that.id is uninstantiated (ID_ANY), the
  * new connection will continue to have an uninstantiated that.id.
  * Note: instantiation does not affect port numbers.
  *
@@ -1267,90 +1258,90 @@ instantiate(struct connection *c, const ip_address *him
 , u_int16_t his_port
 , const struct id *his_id)
 {
-    struct connection *d;
-    int wildcards;
-
-    passert(c->kind == CK_TEMPLATE);
-    passert(c->spd.next == NULL);
-
-    c->instance_serial++;
-    d = clone_thing(*c, "temporary connection");
-    d->spd.that.allow_any = FALSE;
-
-    if (his_id != NULL)
-    {
-	passert(match_id(his_id, &d->spd.that.id, &wildcards));
-	d->spd.that.id = *his_id;
-	d->spd.that.has_id_wildcards = FALSE;
-    }
-    unshare_connection_strings(d);
-    unshare_ietfAttrList(&d->spd.this.groups);
-    unshare_ietfAttrList(&d->spd.that.groups);
-    d->kind = CK_INSTANCE;
-
-    passert(oriented(*d));
-    d->spd.that.host_addr = *him;
-    setportof(htons(c->spd.that.port), &d->spd.that.host_addr);
-
-    if (his_port) d->spd.that.host_port = his_port;
-
-    default_end(&d->spd.that, &d->spd.this.host_addr);
-
-    /* We cannot guess what our next_hop should be, but if it was
-     * explicitly specified as 0.0.0.0, we set it to be him.
-     * (whack will not allow nexthop to be elided in RW case.)
-     */
-    default_end(&d->spd.this, &d->spd.that.host_addr);
-    d->spd.next = NULL;
-    d->spd.reqid = gen_reqid();
-
-    /* set internal fields */
-    d->ac_next = connections;
-    connections = d;
-    d->spd.routing = RT_UNROUTED;
-    d->newest_isakmp_sa = SOS_NOBODY;
-    d->newest_ipsec_sa = SOS_NOBODY;
-    d->spd.eroute_owner = SOS_NOBODY;
-
-    /* reset log file info */
-    d->log_file_name = NULL;
-    d->log_file = NULL;
-    d->log_file_err = FALSE;
-
-    connect_to_host_pair(d);
-
-    return d;
-    if (sameaddr(&d->spd.that.host_addr, &d->spd.this.host_nexthop))
-    {
-	d->spd.this.host_nexthop = *him;
-    }
+	struct connection *d;
+	int wildcards;
+
+	passert(c->kind == CK_TEMPLATE);
+	passert(c->spd.next == NULL);
+
+	c->instance_serial++;
+	d = clone_thing(*c);
+	d->spd.that.allow_any = FALSE;
+
+	if (his_id != NULL)
+	{
+		passert(match_id(his_id, &d->spd.that.id, &wildcards));
+		d->spd.that.id = *his_id;
+		d->spd.that.has_id_wildcards = FALSE;
+	}
+	unshare_connection_strings(d);
+	unshare_ietfAttrList(&d->spd.this.groups);
+	unshare_ietfAttrList(&d->spd.that.groups);
+	d->kind = CK_INSTANCE;
+
+	passert(oriented(*d));
+	d->spd.that.host_addr = *him;
+	setportof(htons(c->spd.that.port), &d->spd.that.host_addr);
+
+	if (his_port) d->spd.that.host_port = his_port;
+
+	default_end(&d->spd.that, &d->spd.this.host_addr);
+
+	/* We cannot guess what our next_hop should be, but if it was
+	 * explicitly specified as 0.0.0.0, we set it to be him.
+	 * (whack will not allow nexthop to be elided in RW case.)
+	 */
+	default_end(&d->spd.this, &d->spd.that.host_addr);
+	d->spd.next = NULL;
+	d->spd.reqid = gen_reqid();
+
+	/* set internal fields */
+	d->ac_next = connections;
+	connections = d;
+	d->spd.routing = RT_UNROUTED;
+	d->newest_isakmp_sa = SOS_NOBODY;
+	d->newest_ipsec_sa = SOS_NOBODY;
+	d->spd.eroute_owner = SOS_NOBODY;
+
+	/* reset log file info */
+	d->log_file_name = NULL;
+	d->log_file = NULL;
+	d->log_file_err = FALSE;
+
+	connect_to_host_pair(d);
+
+	return d;
+	if (sameaddr(&d->spd.that.host_addr, &d->spd.this.host_nexthop))
+	{
+		d->spd.this.host_nexthop = *him;
+	}
 }
 
 struct connection *
 rw_instantiate(struct connection *c, const ip_address *him, u_int16_t his_port
 , const ip_subnet *his_net, const struct id *his_id)
 {
-    struct connection *d = instantiate(c, him, his_port, his_id);
-
-    if (d && his_net && is_virtual_connection(c))
-    {
-	d->spd.that.client = *his_net;
-	d->spd.that.virt = NULL;
-	if (subnetishost(his_net) && addrinsubnet(him, his_net))
-	    d->spd.that.has_client = FALSE;
-    }
-
-    if (d->policy & POLICY_OPPO)
-    {
-	/* This must be before we know the client addresses.
-	 * Fill in one that is impossible.  This prevents anyone else from
-	 * trying to use this connection to get to a particular client
-	 */
-	d->spd.that.client = *aftoinfo(subnettypeof(&d->spd.that.client))->none;
-    }
-    DBG(DBG_CONTROL
-	, DBG_log("instantiated \"%s\" for %s" , d->name, ip_str(him)));
-    return d;
+	struct connection *d = instantiate(c, him, his_port, his_id);
+
+	if (d && his_net && is_virtual_connection(c))
+	{
+		d->spd.that.client = *his_net;
+		d->spd.that.virt = NULL;
+		if (subnetishost(his_net) && addrinsubnet(him, his_net))
+			d->spd.that.has_client = FALSE;
+	}
+
+	if (d->policy & POLICY_OPPO)
+	{
+		/* This must be before we know the client addresses.
+		 * Fill in one that is impossible.  This prevents anyone else from
+		 * trying to use this connection to get to a particular client
+		 */
+		d->spd.that.client = *aftoinfo(subnettypeof(&d->spd.that.client))->none;
+	}
+	DBG(DBG_CONTROL
+		, DBG_log("instantiated \"%s\" for %s" , d->name, ip_str(him)));
+	return d;
 }
 
 struct connection *
@@ -1361,77 +1352,77 @@ oppo_instantiate(struct connection *c
 , const ip_address *our_client USED_BY_DEBUG
 , const ip_address *peer_client)
 {
-    struct connection *d = instantiate(c, him, 0, his_id);
+	struct connection *d = instantiate(c, him, 0, his_id);
 
-    passert(d->spd.next == NULL);
+	passert(d->spd.next == NULL);
+
+	/* fill in our client side */
+	if (d->spd.this.has_client)
+	{
+		/* there was a client in the abstract connection
+		 * so we demand that the required client is within that subnet.
+		 */
+		passert(addrinsubnet(our_client, &d->spd.this.client));
+		happy(addrtosubnet(our_client, &d->spd.this.client));
+		/* opportunistic connections do not use port selectors */
+		setportof(0, &d->spd.this.client.addr);
+	}
+	else
+	{
+		/* there was no client in the abstract connection
+		 * so we demand that the required client be the host
+		 */
+		passert(sameaddr(our_client, &d->spd.this.host_addr));
+	}
 
-    /* fill in our client side */
-    if (d->spd.this.has_client)
-    {
-	/* there was a client in the abstract connection
-	 * so we demand that the required client is within that subnet.
+	/* fill in peer's client side.
+	 * If the client is the peer, excise the client from the connection.
 	 */
-	passert(addrinsubnet(our_client, &d->spd.this.client));
-	happy(addrtosubnet(our_client, &d->spd.this.client));
+	passert((d->policy & POLICY_OPPO)
+		&& addrinsubnet(peer_client, &d->spd.that.client));
+	happy(addrtosubnet(peer_client, &d->spd.that.client));
 	/* opportunistic connections do not use port selectors */
-	setportof(0, &d->spd.this.client.addr);
-    }
-    else
-    {
-	/* there was no client in the abstract connection
-	 * so we demand that the required client be the host
+	setportof(0, &d->spd.that.client.addr);
+
+	if (sameaddr(peer_client, &d->spd.that.host_addr))
+		d->spd.that.has_client = FALSE;
+
+	passert(d->gw_info == NULL);
+	gw_addref(gw);
+	d->gw_info = gw;
+
+	/* Adjust routing if something is eclipsing c.
+	 * It must be a %hold for us (hard to passert this).
+	 * If there was another instance eclipsing, we'd be using it.
+	 */
+	if (c->spd.routing == RT_ROUTED_ECLIPSED)
+		d->spd.routing = RT_ROUTED_PROSPECTIVE;
+
+	/* Remember if the template is routed:
+	 * if so, this instance applies for initiation
+	 * even if it is created for responding.
 	 */
-	passert(sameaddr(our_client, &d->spd.this.host_addr));
-    }
-
-    /* fill in peer's client side.
-     * If the client is the peer, excise the client from the connection.
-     */
-    passert((d->policy & POLICY_OPPO)
-	&& addrinsubnet(peer_client, &d->spd.that.client));
-    happy(addrtosubnet(peer_client, &d->spd.that.client));
-    /* opportunistic connections do not use port selectors */
-    setportof(0, &d->spd.that.client.addr);
-
-    if (sameaddr(peer_client, &d->spd.that.host_addr))
-	d->spd.that.has_client = FALSE;
-
-    passert(d->gw_info == NULL);
-    gw_addref(gw);
-    d->gw_info = gw;
-
-    /* Adjust routing if something is eclipsing c.
-     * It must be a %hold for us (hard to passert this).
-     * If there was another instance eclipsing, we'd be using it.
-     */
-    if (c->spd.routing == RT_ROUTED_ECLIPSED)
-	d->spd.routing = RT_ROUTED_PROSPECTIVE;
-
-    /* Remember if the template is routed:
-     * if so, this instance applies for initiation
-     * even if it is created for responding.
-     */
-    if (routed(c->spd.routing))
-	d->instance_initiation_ok = TRUE;
-
-    DBG(DBG_CONTROL,
-	char topo[CONNECTION_BUF];
-
-	(void) format_connection(topo, sizeof(topo), d, &d->spd);
-	DBG_log("instantiated \"%s\": %s", d->name, topo);
-    );
-    return d;
+	if (routed(c->spd.routing))
+		d->instance_initiation_ok = TRUE;
+
+	DBG(DBG_CONTROL,
+		char topo[CONNECTION_BUF];
+
+		(void) format_connection(topo, sizeof(topo), d, &d->spd);
+		DBG_log("instantiated \"%s\": %s", d->name, topo);
+	);
+	return d;
 }
 
 /* priority formatting */
 void
 fmt_policy_prio(policy_prio_t pp, char buf[POLICY_PRIO_BUF])
 {
-    if (pp == BOTTOM_PRIO)
-	snprintf(buf, POLICY_PRIO_BUF, "0");
-    else
-	snprintf(buf, POLICY_PRIO_BUF, "%lu,%lu"
-	    , pp>>16, (pp & ~(~(policy_prio_t)0 << 16)) >> 8);
+	if (pp == BOTTOM_PRIO)
+		snprintf(buf, POLICY_PRIO_BUF, "0");
+	else
+		snprintf(buf, POLICY_PRIO_BUF, "%lu,%lu"
+			, pp>>16, (pp & ~(~(policy_prio_t)0 << 16)) >> 8);
 }
 
 /* Format any information needed to identify an instance of a connection.
@@ -1442,65 +1433,65 @@ fmt_policy_prio(policy_prio_t pp, char buf[POLICY_PRIO_BUF])
 static size_t
 fmt_client(const ip_subnet *client, const ip_address *gw, const char *prefix, char buf[ADDRTOT_BUF])
 {
-    if (subnetisaddr(client, gw))
-    {
-	buf[0] = '\0';	/* compact denotation for "self" */
-    }
-    else
-    {
-	char *ap;
-
-	strcpy(buf, prefix);
-	ap = buf + strlen(prefix);
-	if (subnetisnone(client))
-	    strcpy(ap, "?");	/* unknown */
+	if (subnetisaddr(client, gw))
+	{
+		buf[0] = '\0';  /* compact denotation for "self" */
+	}
 	else
-	    subnettot(client, 0, ap, SUBNETTOT_BUF);
-    }
-    return strlen(buf);
+	{
+		char *ap;
+
+		strcpy(buf, prefix);
+		ap = buf + strlen(prefix);
+		if (subnetisnone(client))
+			strcpy(ap, "?");    /* unknown */
+		else
+			subnettot(client, 0, ap, SUBNETTOT_BUF);
+	}
+	return strlen(buf);
 }
 
 void
 fmt_conn_instance(const struct connection *c, char buf[CONN_INST_BUF])
 {
-    char *p = buf;
+	char *p = buf;
 
-    *p = '\0';
+	*p = '\0';
 
-    if (c->kind == CK_INSTANCE)
-    {
-	if (c->instance_serial != 0)
+	if (c->kind == CK_INSTANCE)
 	{
-	    snprintf(p, CONN_INST_BUF, "[%lu]", c->instance_serial);
-	    p += strlen(p);
-	}
+		if (c->instance_serial != 0)
+		{
+			snprintf(p, CONN_INST_BUF, "[%lu]", c->instance_serial);
+			p += strlen(p);
+		}
 
-	if (c->policy & POLICY_OPPO)
-	{
-	    size_t w = fmt_client(&c->spd.this.client, &c->spd.this.host_addr, " ", p);
+		if (c->policy & POLICY_OPPO)
+		{
+			size_t w = fmt_client(&c->spd.this.client, &c->spd.this.host_addr, " ", p);
 
-	    p += w;
+			p += w;
 
-	    strcpy(p, w == 0? " ..." : "=== ...");
-	    p += strlen(p);
+			strcpy(p, w == 0? " ..." : "=== ...");
+			p += strlen(p);
 
-	    addrtot(&c->spd.that.host_addr, 0, p, ADDRTOT_BUF);
-	    p += strlen(p);
+			addrtot(&c->spd.that.host_addr, 0, p, ADDRTOT_BUF);
+			p += strlen(p);
 
-	    (void) fmt_client(&c->spd.that.client, &c->spd.that.host_addr, "===", p);
-	}
-	else
-	{
-	    *p++ = ' ';
-	    addrtot(&c->spd.that.host_addr, 0, p, ADDRTOT_BUF);
+			(void) fmt_client(&c->spd.that.client, &c->spd.that.host_addr, "===", p);
+		}
+		else
+		{
+			*p++ = ' ';
+			addrtot(&c->spd.that.host_addr, 0, p, ADDRTOT_BUF);
 #
-	    if (c->spd.that.host_port != pluto_port)
-	    {
-		p += strlen(p);
-		sprintf(p, ":%d", c->spd.that.host_port);
-	    }
+			if (c->spd.that.host_port != pluto_port)
+			{
+				p += strlen(p);
+				sprintf(p, ":%d", c->spd.that.host_port);
+			}
+		}
 	}
-    }
 }
 
 /* Find an existing connection for a trapped outbound packet.
@@ -1520,124 +1511,124 @@ fmt_conn_instance(const struct connection *c, char buf[CONN_INST_BUF])
  */
 struct connection *
 find_connection_for_clients(struct spd_route **srp,
-			    const ip_address *our_client,
-			    const ip_address *peer_client,
-			    int transport_proto)
+							const ip_address *our_client,
+							const ip_address *peer_client,
+							int transport_proto)
 {
-    struct connection *c = connections, *best = NULL;
-    policy_prio_t best_prio = BOTTOM_PRIO;
-    struct spd_route *sr;
-    struct spd_route *best_sr = NULL;
-    int our_port  = ntohs(portof(our_client));
-    int peer_port = ntohs(portof(peer_client));
-
-    passert(!isanyaddr(our_client) && !isanyaddr(peer_client));
+	struct connection *c = connections, *best = NULL;
+	policy_prio_t best_prio = BOTTOM_PRIO;
+	struct spd_route *sr;
+	struct spd_route *best_sr = NULL;
+	int our_port  = ntohs(portof(our_client));
+	int peer_port = ntohs(portof(peer_client));
+
+	passert(!isanyaddr(our_client) && !isanyaddr(peer_client));
 #ifdef DEBUG
-    if (DBGP(DBG_CONTROL))
-    {
-	char ocb[ADDRTOT_BUF], pcb[ADDRTOT_BUF];
+	if (DBGP(DBG_CONTROL))
+	{
+		char ocb[ADDRTOT_BUF], pcb[ADDRTOT_BUF];
 
-	addrtot(our_client, 0, ocb, sizeof(ocb));
-	addrtot(peer_client, 0, pcb, sizeof(pcb));
-	DBG_log("find_connection: "
-		"looking for policy for connection: %s:%d/%d -> %s:%d/%d"
-		, ocb, transport_proto, our_port, pcb, transport_proto, peer_port);
-    }
+		addrtot(our_client, 0, ocb, sizeof(ocb));
+		addrtot(peer_client, 0, pcb, sizeof(pcb));
+		DBG_log("find_connection: "
+				"looking for policy for connection: %s:%d/%d -> %s:%d/%d"
+				, ocb, transport_proto, our_port, pcb, transport_proto, peer_port);
+	}
 #endif /* DEBUG */
 
-    for (c = connections; c != NULL; c = c->ac_next)
-    {
-	if (c->kind == CK_GROUP)
-	    continue;
-
-	for (sr = &c->spd; best!=c && sr; sr = sr->next)
+	for (c = connections; c != NULL; c = c->ac_next)
 	{
-	    if ((routed(sr->routing) || c->instance_initiation_ok)
-	    && addrinsubnet(our_client, &sr->this.client)
-	    && addrinsubnet(peer_client, &sr->that.client)
-	    && addrinsubnet(peer_client, &sr->that.client)
-	    && (!sr->this.protocol || transport_proto == sr->this.protocol)
-	    && (!sr->this.port || our_port == sr->this.port)
-	    && (!sr->that.port || peer_port == sr->that.port))
-	    {
-		char cib[CONN_INST_BUF];
-		char cib2[CONN_INST_BUF];
+		if (c->kind == CK_GROUP)
+			continue;
+
+		for (sr = &c->spd; best!=c && sr; sr = sr->next)
+		{
+			if ((routed(sr->routing) || c->instance_initiation_ok)
+			&& addrinsubnet(our_client, &sr->this.client)
+			&& addrinsubnet(peer_client, &sr->that.client)
+			&& addrinsubnet(peer_client, &sr->that.client)
+			&& (!sr->this.protocol || transport_proto == sr->this.protocol)
+			&& (!sr->this.port || our_port == sr->this.port)
+			&& (!sr->that.port || peer_port == sr->that.port))
+			{
+				char cib[CONN_INST_BUF];
+				char cib2[CONN_INST_BUF];
 
-		policy_prio_t prio = 8 * (c->prio + (c->kind == CK_INSTANCE))
-				   + 2 * (sr->this.port == our_port)
-				   + 2 * (sr->that.port == peer_port)
-				   +     (sr->this.protocol == transport_proto);
+				policy_prio_t prio = 8 * (c->prio + (c->kind == CK_INSTANCE))
+								   + 2 * (sr->this.port == our_port)
+								   + 2 * (sr->that.port == peer_port)
+								   +     (sr->this.protocol == transport_proto);
 
 #ifdef DEBUG
-		if (DBGP(DBG_CONTROL|DBG_CONTROLMORE))
-		{
-		    char c_ocb[SUBNETTOT_BUF], c_pcb[SUBNETTOT_BUF];
-
-		    subnettot(&c->spd.this.client, 0, c_ocb, sizeof(c_ocb));
-		    subnettot(&c->spd.that.client, 0, c_pcb, sizeof(c_pcb));
-		    DBG_log("find_connection: conn \"%s\"%s has compatible peers: %s->%s [pri: %ld]"
-			    , c->name
-			    , (fmt_conn_instance(c, cib), cib)
-			    , c_ocb, c_pcb, prio);
-		}
+				if (DBGP(DBG_CONTROL|DBG_CONTROLMORE))
+				{
+					char c_ocb[SUBNETTOT_BUF], c_pcb[SUBNETTOT_BUF];
+
+					subnettot(&c->spd.this.client, 0, c_ocb, sizeof(c_ocb));
+					subnettot(&c->spd.that.client, 0, c_pcb, sizeof(c_pcb));
+					DBG_log("find_connection: conn \"%s\"%s has compatible peers: %s->%s [pri: %ld]"
+							, c->name
+							, (fmt_conn_instance(c, cib), cib)
+							, c_ocb, c_pcb, prio);
+				}
 #endif /* DEBUG */
 
-		if (best == NULL)
-		{
-		    best = c;
-		    best_sr = sr;
-		    best_prio = prio;
-		}
-
-		DBG(DBG_CONTROLMORE,
-		    DBG_log("find_connection: "
-			    "comparing best \"%s\"%s [pri:%ld]{%p} (child %s) to \"%s\"%s [pri:%ld]{%p} (child %s)"
-			    , best->name
-			    , (fmt_conn_instance(best, cib), cib)
-			    , best_prio
-			    , best
-			    , (best->policy_next ? best->policy_next->name : "none")
-			    , c->name
-			    , (fmt_conn_instance(c, cib2), cib2)
-			    , prio
-			    , c
-			    , (c->policy_next ? c->policy_next->name : "none")));
-
-		if (prio > best_prio)
-		{
-		    best = c;
-		    best_sr = sr;
-		    best_prio = prio;
+				if (best == NULL)
+				{
+					best = c;
+					best_sr = sr;
+					best_prio = prio;
+				}
+
+				DBG(DBG_CONTROLMORE,
+					DBG_log("find_connection: "
+							"comparing best \"%s\"%s [pri:%ld]{%p} (child %s) to \"%s\"%s [pri:%ld]{%p} (child %s)"
+							, best->name
+							, (fmt_conn_instance(best, cib), cib)
+							, best_prio
+							, best
+							, (best->policy_next ? best->policy_next->name : "none")
+							, c->name
+							, (fmt_conn_instance(c, cib2), cib2)
+							, prio
+							, c
+							, (c->policy_next ? c->policy_next->name : "none")));
+
+				if (prio > best_prio)
+				{
+					best = c;
+					best_sr = sr;
+					best_prio = prio;
+				}
+			}
 		}
-	    }
 	}
-    }
 
-    if (best!= NULL && NEVER_NEGOTIATE(best->policy))
-	best = NULL;
+	if (best!= NULL && NEVER_NEGOTIATE(best->policy))
+		best = NULL;
 
-    if (srp != NULL && best != NULL)
-	*srp = best_sr;
+	if (srp != NULL && best != NULL)
+		*srp = best_sr;
 
 #ifdef DEBUG
-    if (DBGP(DBG_CONTROL))
-    {
-	if (best)
+	if (DBGP(DBG_CONTROL))
 	{
-	    char cib[CONN_INST_BUF];
-	    DBG_log("find_connection: concluding with \"%s\"%s [pri:%ld]{%p} kind=%s"
-		    , best->name
-		    , (fmt_conn_instance(best, cib), cib)
-		    , best_prio
-		    , best
-		    , enum_name(&connection_kind_names, best->kind));
-	} else {
-	    DBG_log("find_connection: concluding with empty");
+		if (best)
+		{
+			char cib[CONN_INST_BUF];
+			DBG_log("find_connection: concluding with \"%s\"%s [pri:%ld]{%p} kind=%s"
+					, best->name
+					, (fmt_conn_instance(best, cib), cib)
+					, best_prio
+					, best
+					, enum_name(&connection_kind_names, best->kind));
+		} else {
+			DBG_log("find_connection: concluding with empty");
+		}
 	}
-    }
 #endif /* DEBUG */
 
-    return best;
+	return best;
 }
 
 /* Find and instantiate a connection for an outgoing Opportunistic connection.
@@ -1664,203 +1655,203 @@ find_connection_for_clients(struct spd_route **srp,
  */
 struct connection *
 build_outgoing_opportunistic_connection(struct gw_info *gw
-					,const ip_address *our_client
-					,const ip_address *peer_client)
+										,const ip_address *our_client
+										,const ip_address *peer_client)
 {
-    struct iface *p;
-    struct connection *best = NULL;
-    struct spd_route *sr, *bestsr;
-    char ocb[ADDRTOT_BUF], pcb[ADDRTOT_BUF];
-
-    addrtot(our_client, 0, ocb, sizeof(ocb));
-    addrtot(peer_client, 0, pcb, sizeof(pcb));
-
-    passert(!isanyaddr(our_client) && !isanyaddr(peer_client));
-
-    /* We don't know his ID yet, so gw id must be an ipaddr */
-    passert(gw->key != NULL);
-    passert(id_is_ipaddr(&gw->gw_id));
-
-    /* for each of our addresses... */
-    for (p = interfaces; p != NULL; p = p->next)
-    {
-	/* go through those connections with our address and NO_IP as hosts
-	 * We cannot know what port the peer would use, so we assume
-	 * that it is pluto_port (makes debugging easier).
-	 */
-	struct connection *c = find_host_pair_connections(&p->addr
-	    , pluto_port, (ip_address *)NULL, pluto_port);
+	struct iface *p;
+	struct connection *best = NULL;
+	struct spd_route *sr, *bestsr;
+	char ocb[ADDRTOT_BUF], pcb[ADDRTOT_BUF];
+
+	addrtot(our_client, 0, ocb, sizeof(ocb));
+	addrtot(peer_client, 0, pcb, sizeof(pcb));
 
-	for (; c != NULL; c = c->hp_next)
+	passert(!isanyaddr(our_client) && !isanyaddr(peer_client));
+
+	/* We don't know his ID yet, so gw id must be an ipaddr */
+	passert(gw->key != NULL);
+	passert(id_is_ipaddr(&gw->gw_id));
+
+	/* for each of our addresses... */
+	for (p = interfaces; p != NULL; p = p->next)
 	{
-	    DBG(DBG_OPPO,
-		DBG_log("checking %s", c->name));
-	    if (c->kind == CK_GROUP)
-	    {
-		continue;
-	    }
-
-	    for (sr = &c->spd; best!=c && sr; sr = sr->next)
-	    {
-		if (routed(sr->routing)
-		&& addrinsubnet(our_client, &sr->this.client)
-		&& addrinsubnet(peer_client, &sr->that.client))
+		/* go through those connections with our address and NO_IP as hosts
+		 * We cannot know what port the peer would use, so we assume
+		 * that it is pluto_port (makes debugging easier).
+		 */
+		struct connection *c = find_host_pair_connections(&p->addr
+			, pluto_port, (ip_address *)NULL, pluto_port);
+
+		for (; c != NULL; c = c->hp_next)
 		{
-		    if (best == NULL)
-		    {
-			best = c;
-			break;
-		    }
-
-		    DBG(DBG_OPPO,
-			DBG_log("comparing best %s to %s"
-				, best->name, c->name));
-
-		    for (bestsr = &best->spd; best!=c && bestsr; bestsr=bestsr->next)
-		    {
-			if (!subnetinsubnet(&bestsr->this.client, &sr->this.client)
-			|| (samesubnet(&bestsr->this.client, &sr->this.client)
-			     && !subnetinsubnet(&bestsr->that.client
-						, &sr->that.client)))
+			DBG(DBG_OPPO,
+				DBG_log("checking %s", c->name));
+			if (c->kind == CK_GROUP)
+			{
+				continue;
+			}
+
+			for (sr = &c->spd; best!=c && sr; sr = sr->next)
 			{
-			    best = c;
+				if (routed(sr->routing)
+				&& addrinsubnet(our_client, &sr->this.client)
+				&& addrinsubnet(peer_client, &sr->that.client))
+				{
+					if (best == NULL)
+					{
+						best = c;
+						break;
+					}
+
+					DBG(DBG_OPPO,
+						DBG_log("comparing best %s to %s"
+								, best->name, c->name));
+
+					for (bestsr = &best->spd; best!=c && bestsr; bestsr=bestsr->next)
+					{
+						if (!subnetinsubnet(&bestsr->this.client, &sr->this.client)
+						|| (samesubnet(&bestsr->this.client, &sr->this.client)
+							 && !subnetinsubnet(&bestsr->that.client
+												, &sr->that.client)))
+						{
+							best = c;
+						}
+					}
+				}
 			}
-		    }
 		}
-	    }
 	}
-    }
 
-    if (best == NULL
-    || NEVER_NEGOTIATE(best->policy)
-    || (best->policy & POLICY_OPPO) == LEMPTY
-    || best->kind != CK_TEMPLATE)
-	return NULL;
-    else
-	return oppo_instantiate(best, &gw->gw_id.ip_addr, NULL, gw
-			      , our_client, peer_client);
+	if (best == NULL
+	|| NEVER_NEGOTIATE(best->policy)
+	|| (best->policy & POLICY_OPPO) == LEMPTY
+	|| best->kind != CK_TEMPLATE)
+		return NULL;
+	else
+		return oppo_instantiate(best, &gw->gw_id.ip_addr, NULL, gw
+							  , our_client, peer_client);
 }
 
 bool
 orient(struct connection *c)
 {
-    struct spd_route *sr;
-
-    if (!oriented(*c))
-    {
-	struct iface *p;
+	struct spd_route *sr;
 
-	for (sr = &c->spd; sr; sr = sr->next)
+	if (!oriented(*c))
 	{
-	    /* Note: this loop does not stop when it finds a match:
-	     * it continues checking to catch any ambiguity.
-	     */
-	    for (p = interfaces; p != NULL; p = p->next)
-	    {
-		if (p->ike_float)
-		    continue;
-
-		for (;;)
+		struct iface *p;
+
+		for (sr = &c->spd; sr; sr = sr->next)
 		{
-		    /* check if this interface matches this end */
-		    if (sameaddr(&sr->this.host_addr, &p->addr)
-		    && (!no_klips || sr->this.host_port == pluto_port))
-		    {
-			if (oriented(*c))
+			/* Note: this loop does not stop when it finds a match:
+			 * it continues checking to catch any ambiguity.
+			 */
+			for (p = interfaces; p != NULL; p = p->next)
 			{
-			    if (c->interface == p)
-				loglog(RC_LOG_SERIOUS
-				       , "both sides of \"%s\" are our interface %s!"
-				       , c->name, p->rname);
-			    else
-				loglog(RC_LOG_SERIOUS, "two interfaces match \"%s\" (%s, %s)"
-				       , c->name, c->interface->rname, p->rname);
-			    c->interface = NULL;	/* withdraw orientation */
-			    return FALSE;
+				if (p->ike_float)
+					continue;
+
+				for (;;)
+				{
+					/* check if this interface matches this end */
+					if (sameaddr(&sr->this.host_addr, &p->addr)
+					&& (!no_klips || sr->this.host_port == pluto_port))
+					{
+						if (oriented(*c))
+						{
+							if (c->interface == p)
+								loglog(RC_LOG_SERIOUS
+									   , "both sides of \"%s\" are our interface %s!"
+									   , c->name, p->rname);
+							else
+								loglog(RC_LOG_SERIOUS, "two interfaces match \"%s\" (%s, %s)"
+									   , c->name, c->interface->rname, p->rname);
+							c->interface = NULL;        /* withdraw orientation */
+							return FALSE;
+						}
+						c->interface = p;
+					}
+
+					/* done with this interface if it doesn't match that end */
+					if (!(sameaddr(&sr->that.host_addr, &p->addr)
+					&& (!no_klips || sr->that.host_port == pluto_port)))
+						break;
+
+					/* swap ends and try again.
+					 * It is a little tricky to see that this loop will stop.
+					 * Only continue if the far side matches.
+					 * If both sides match, there is an error-out.
+					 */
+					{
+						struct end t = sr->this;
+
+						sr->this = sr->that;
+						sr->that = t;
+					}
+				}
 			}
-			c->interface = p;
-		    }
-
-		    /* done with this interface if it doesn't match that end */
-		    if (!(sameaddr(&sr->that.host_addr, &p->addr)
-		    && (!no_klips || sr->that.host_port == pluto_port)))
-			break;
-
-		    /* swap ends and try again.
-		     * It is a little tricky to see that this loop will stop.
-		     * Only continue if the far side matches.
-		     * If both sides match, there is an error-out.
-		     */
-		    {
-			struct end t = sr->this;
-
-			sr->this = sr->that;
-			sr->that = t;
-		    }
 		}
-	    }
 	}
-    }
-    return oriented(*c);
+	return oriented(*c);
 }
 
 void
 initiate_connection(const char *name, int whackfd)
 {
-    struct connection *c = con_by_name(name, TRUE);
+	struct connection *c = con_by_name(name, TRUE);
 
-    if (c != NULL && c->ikev1)
-    {
-	set_cur_connection(c);
-	if (!oriented(*c))
-	{
-	    loglog(RC_ORIENT, "we have no ipsecN interface for either end of this connection");
-	}
-	else if (NEVER_NEGOTIATE(c->policy))
-	{
-	    loglog(RC_INITSHUNT
-		, "cannot initiate an authby=never connection");
-	}
-	else if (c->kind != CK_PERMANENT && !c->spd.that.allow_any)
-	{
-	    if (isanyaddr(&c->spd.that.host_addr))
-		loglog(RC_NOPEERIP, "cannot initiate connection without knowing peer IP address");
-	    else
-		loglog(RC_WILDCARD, "cannot initiate connection with ID wildcards");
-	}
-	else
+	if (c != NULL && c->ikev1)
 	{
-	    /* do we have to prompt for a PIN code? */
-	    if (c->spd.this.sc != NULL && !c->spd.this.sc->valid && whackfd != NULL_FD)
-	    {
-		scx_get_pin(c->spd.this.sc, whackfd);
-	    }
-	    if (c->spd.this.sc != NULL && !c->spd.this.sc->valid)
-	    {
-		loglog(RC_NOVALIDPIN, "cannot initiate connection without valid PIN");
-	    }
-	    else
-	    {
-
-		if (c->spd.that.allow_any)
+		set_cur_connection(c);
+		if (!oriented(*c))
+		{
+			loglog(RC_ORIENT, "we have no ipsecN interface for either end of this connection");
+		}
+		else if (NEVER_NEGOTIATE(c->policy))
+		{
+			loglog(RC_INITSHUNT
+				, "cannot initiate an authby=never connection");
+		}
+		else if (c->kind != CK_PERMANENT && !c->spd.that.allow_any)
 		{
-		    c = instantiate(c, &c->spd.that.host_addr, c->spd.that.host_port
-				  , &c->spd.that.id);
+			if (isanyaddr(&c->spd.that.host_addr))
+				loglog(RC_NOPEERIP, "cannot initiate connection without knowing peer IP address");
+			else
+				loglog(RC_WILDCARD, "cannot initiate connection with ID wildcards");
 		}
+		else
+		{
+			/* do we have to prompt for a PIN code? */
+			if (c->spd.this.sc != NULL && !c->spd.this.sc->valid && whackfd != NULL_FD)
+			{
+				scx_get_pin(c->spd.this.sc, whackfd);
+			}
+			if (c->spd.this.sc != NULL && !c->spd.this.sc->valid)
+			{
+				loglog(RC_NOVALIDPIN, "cannot initiate connection without valid PIN");
+			}
+			else
+			{
 
-		/* We will only request an IPsec SA if policy isn't empty
-		 * (ignoring Main Mode items).
-		 * This is a fudge, but not yet important.
-		 * If we are to proceed asynchronously, whackfd will be NULL_FD.
-		 */
-		c->policy |= POLICY_UP;
-		ipsecdoi_initiate(whackfd, c, c->policy, 1, SOS_NOBODY);
-		whackfd = NULL_FD;	/* protect from close */
-	    }
+				if (c->spd.that.allow_any)
+				{
+					c = instantiate(c, &c->spd.that.host_addr, c->spd.that.host_port
+								  , &c->spd.that.id);
+				}
+
+				/* We will only request an IPsec SA if policy isn't empty
+				 * (ignoring Main Mode items).
+				 * This is a fudge, but not yet important.
+				 * If we are to proceed asynchronously, whackfd will be NULL_FD.
+				 */
+				c->policy |= POLICY_UP;
+				ipsecdoi_initiate(whackfd, c, c->policy, 1, SOS_NOBODY);
+				whackfd = NULL_FD;      /* protect from close */
+			}
+		}
+		reset_cur_connection();
 	}
-	reset_cur_connection();
-    }
-    close_any(whackfd);
+	close_any(whackfd);
 }
 
 /* (Possibly) Opportunistic Initiation:
@@ -1874,10 +1865,10 @@ initiate_connection(const char *name, int whackfd)
  * Most of the code will be restarted if an ADNS request is made
  * to discover the gateway.  The only difference between the first
  * and second entry is whether gateways_from_dns is NULL or not.
- *	initiate_opportunistic: initial entrypoint
- *	continue_oppo: where we pickup when ADNS result arrives
- *	initiate_opportunistic_body: main body shared by above routines
- *	cannot_oppo: a helper function to log a diagnostic
+ *      initiate_opportunistic: initial entrypoint
+ *      continue_oppo: where we pickup when ADNS result arrives
+ *      initiate_opportunistic_body: main body shared by above routines
+ *      cannot_oppo: a helper function to log a diagnostic
  * This structure repeats a lot of code when the ADNS result arrives.
  * This seems like a waste, but anything learned the first time through
  * may no longer be true!
@@ -1887,174 +1878,174 @@ initiate_connection(const char *name, int whackfd)
  */
 
 enum find_oppo_step {
-    fos_start,
-    fos_myid_ip_txt,
-    fos_myid_hostname_txt,
-    fos_myid_ip_key,
-    fos_myid_hostname_key,
-    fos_our_client,
-    fos_our_txt,
+	fos_start,
+	fos_myid_ip_txt,
+	fos_myid_hostname_txt,
+	fos_myid_ip_key,
+	fos_myid_hostname_key,
+	fos_our_client,
+	fos_our_txt,
 #ifdef USE_KEYRR
-    fos_our_key,
+	fos_our_key,
 #endif /* USE_KEYRR */
-    fos_his_client,
-    fos_done
+	fos_his_client,
+	fos_done
 };
 
 #ifdef DEBUG
 static const char *const oppo_step_name[] = {
-    "fos_start",
-    "fos_myid_ip_txt",
-    "fos_myid_hostname_txt",
-    "fos_myid_ip_key",
-    "fos_myid_hostname_key",
-    "fos_our_client",
-    "fos_our_txt",
+	"fos_start",
+	"fos_myid_ip_txt",
+	"fos_myid_hostname_txt",
+	"fos_myid_ip_key",
+	"fos_myid_hostname_key",
+	"fos_our_client",
+	"fos_our_txt",
 #ifdef USE_KEYRR
-    "fos_our_key",
+	"fos_our_key",
 #endif /* USE_KEYRR */
-    "fos_his_client",
-    "fos_done"
+	"fos_his_client",
+	"fos_done"
 };
 #endif /* DEBUG */
 
 struct find_oppo_bundle {
-    enum find_oppo_step step;
-    err_t want;
-    bool failure_ok;            /* if true, continue_oppo should not die on DNS failure */
-    ip_address our_client;	/* not pointer! */
-    ip_address peer_client;
-    int transport_proto;
-    bool held;
-    policy_prio_t policy_prio;
-    ipsec_spi_t failure_shunt;	/* in host order!  0 for delete. */
-    int whackfd;
+	enum find_oppo_step step;
+	err_t want;
+	bool failure_ok;            /* if true, continue_oppo should not die on DNS failure */
+	ip_address our_client;      /* not pointer! */
+	ip_address peer_client;
+	int transport_proto;
+	bool held;
+	policy_prio_t policy_prio;
+	ipsec_spi_t failure_shunt;  /* in host order!  0 for delete. */
+	int whackfd;
 };
 
 struct find_oppo_continuation {
-    struct adns_continuation ac;	/* common prefix */
-    struct find_oppo_bundle b;
+	struct adns_continuation ac;        /* common prefix */
+	struct find_oppo_bundle b;
 };
 
 static void
 cannot_oppo(struct connection *c
-	    , struct find_oppo_bundle *b
-	    , err_t ugh)
+			, struct find_oppo_bundle *b
+			, err_t ugh)
 {
-    char pcb[ADDRTOT_BUF];
-    char ocb[ADDRTOT_BUF];
+	char pcb[ADDRTOT_BUF];
+	char ocb[ADDRTOT_BUF];
 
-    addrtot(&b->peer_client, 0, pcb, sizeof(pcb));
-    addrtot(&b->our_client, 0, ocb, sizeof(ocb));
+	addrtot(&b->peer_client, 0, pcb, sizeof(pcb));
+	addrtot(&b->our_client, 0, ocb, sizeof(ocb));
 
-    DBG(DBG_DNS | DBG_OPPO, DBG_log("Can't Opportunistically initiate for %s to %s: %s"
-	, ocb, pcb, ugh));
+	DBG(DBG_DNS | DBG_OPPO, DBG_log("Can't Opportunistically initiate for %s to %s: %s"
+		, ocb, pcb, ugh));
 
-    whack_log(RC_OPPOFAILURE
-	, "Can't Opportunistically initiate for %s to %s: %s"
-	, ocb, pcb, ugh);
+	whack_log(RC_OPPOFAILURE
+		, "Can't Opportunistically initiate for %s to %s: %s"
+		, ocb, pcb, ugh);
 
-    if (c != NULL && c->policy_next != NULL)
-    {
-	/* there is some policy that comes afterwards */
-	struct spd_route *shunt_spd;
-	struct connection *nc = c->policy_next;
-	struct state *st;
+	if (c != NULL && c->policy_next != NULL)
+	{
+		/* there is some policy that comes afterwards */
+		struct spd_route *shunt_spd;
+		struct connection *nc = c->policy_next;
+		struct state *st;
 
-	passert(c->kind == CK_TEMPLATE);
-	passert(c->policy_next->kind == CK_PERMANENT);
+		passert(c->kind == CK_TEMPLATE);
+		passert(c->policy_next->kind == CK_PERMANENT);
 
-	DBG(DBG_OPPO, DBG_log("OE failed for %s to %s, but %s overrides shunt"
-			      , ocb, pcb, c->policy_next->name));
+		DBG(DBG_OPPO, DBG_log("OE failed for %s to %s, but %s overrides shunt"
+							  , ocb, pcb, c->policy_next->name));
 
-	/*
-	 * okay, here we need add to the "next" policy, which is ought
-	 * to be an instance.
-	 * We will add another entry to the spd_route list for the specific
-	 * situation that we have.
-	 */
+		/*
+		 * okay, here we need add to the "next" policy, which is ought
+		 * to be an instance.
+		 * We will add another entry to the spd_route list for the specific
+		 * situation that we have.
+		 */
 
-	shunt_spd = clone_thing(nc->spd, "shunt eroute policy");
+		shunt_spd = clone_thing(nc->spd);
 
-	shunt_spd->next = nc->spd.next;
-	nc->spd.next = shunt_spd;
+		shunt_spd->next = nc->spd.next;
+		nc->spd.next = shunt_spd;
 
-	happy(addrtosubnet(&b->peer_client, &shunt_spd->that.client));
+		happy(addrtosubnet(&b->peer_client, &shunt_spd->that.client));
 
-	if (sameaddr(&b->peer_client, &shunt_spd->that.host_addr))
-	    shunt_spd->that.has_client = FALSE;
+		if (sameaddr(&b->peer_client, &shunt_spd->that.host_addr))
+			shunt_spd->that.has_client = FALSE;
 
-	/*
-	 * override the tunnel destination with the one from the secondaried
-	 * policy
-	 */
-	shunt_spd->that.host_addr = nc->spd.that.host_addr;
+		/*
+		 * override the tunnel destination with the one from the secondaried
+		 * policy
+		 */
+		shunt_spd->that.host_addr = nc->spd.that.host_addr;
 
-	/* now, lookup the state, and poke it up.
-	 */
+		/* now, lookup the state, and poke it up.
+		 */
 
-	st = state_with_serialno(nc->newest_ipsec_sa);
+		st = state_with_serialno(nc->newest_ipsec_sa);
 
-	/* XXX what to do if the IPSEC SA has died? */
-	passert(st != NULL);
+		/* XXX what to do if the IPSEC SA has died? */
+		passert(st != NULL);
 
-	/* link the new connection instance to the state's list of
-	 * connections
-	 */
+		/* link the new connection instance to the state's list of
+		 * connections
+		 */
 
-	DBG(DBG_OPPO, DBG_log("installing state: %ld for %s to %s"
-			      , nc->newest_ipsec_sa
-			      , ocb, pcb));
+		DBG(DBG_OPPO, DBG_log("installing state: %ld for %s to %s"
+							  , nc->newest_ipsec_sa
+							  , ocb, pcb));
 
 #ifdef DEBUG
-	if (DBGP(DBG_OPPO | DBG_CONTROLMORE))
-	{
-	    char state_buf[LOG_WIDTH];
-	    char state_buf2[LOG_WIDTH];
-	    time_t n = now();
-
-	    fmt_state(FALSE, st, n
-		      , state_buf, sizeof(state_buf)
-		      , state_buf2, sizeof(state_buf2));
-	    DBG_log("cannot_oppo, failure SA1: %s", state_buf);
-	    DBG_log("cannot_oppo, failure SA2: %s", state_buf2);
-	}
+		if (DBGP(DBG_OPPO | DBG_CONTROLMORE))
+		{
+			char state_buf[LOG_WIDTH];
+			char state_buf2[LOG_WIDTH];
+			time_t n = now();
+
+			fmt_state(FALSE, st, n
+					  , state_buf, sizeof(state_buf)
+					  , state_buf2, sizeof(state_buf2));
+			DBG_log("cannot_oppo, failure SA1: %s", state_buf);
+			DBG_log("cannot_oppo, failure SA2: %s", state_buf2);
+		}
 #endif /* DEBUG */
 
-	if (!route_and_eroute(c, shunt_spd, st))
-	{
-	    whack_log(RC_OPPOFAILURE
-		      , "failed to instantiate shunt policy %s for %s to %s"
-		      , c->name
-		      , ocb, pcb);
+		if (!route_and_eroute(c, shunt_spd, st))
+		{
+			whack_log(RC_OPPOFAILURE
+					  , "failed to instantiate shunt policy %s for %s to %s"
+					  , c->name
+					  , ocb, pcb);
+		}
+		return;
 	}
-	return;
-    }
 
 #ifdef KLIPS
-    if (b->held)
-    {
-	/* Replace HOLD with b->failure_shunt.
-	 * If no b->failure_shunt specified, use SPI_PASS -- THIS MAY CHANGE.
-	 */
-	if (b->failure_shunt == 0)
+	if (b->held)
 	{
-	    DBG(DBG_OPPO, DBG_log("no explicit failure shunt for %s to %s; installing %%pass"
-				  , ocb, pcb));
-	}
+		/* Replace HOLD with b->failure_shunt.
+		 * If no b->failure_shunt specified, use SPI_PASS -- THIS MAY CHANGE.
+		 */
+		if (b->failure_shunt == 0)
+		{
+			DBG(DBG_OPPO, DBG_log("no explicit failure shunt for %s to %s; installing %%pass"
+								  , ocb, pcb));
+		}
 
-	(void) replace_bare_shunt(&b->our_client, &b->peer_client
-	    , b->policy_prio
-	    , b->failure_shunt
-	    , b->failure_shunt != 0
-	    , b->transport_proto
-	    , ugh);
-    }
+		(void) replace_bare_shunt(&b->our_client, &b->peer_client
+			, b->policy_prio
+			, b->failure_shunt
+			, b->failure_shunt != 0
+			, b->transport_proto
+			, ugh);
+	}
 #endif
 }
 
 static void initiate_opportunistic_body(struct find_oppo_bundle *b
-    , struct adns_continuation *ac, err_t ac_ugh);	/* forward */
+	, struct adns_continuation *ac, err_t ac_ugh);      /* forward */
 
 void
 initiate_opportunistic(const ip_address *our_client
@@ -2063,93 +2054,93 @@ initiate_opportunistic(const ip_address *our_client
 , bool held
 , int whackfd)
 {
-    struct find_oppo_bundle b;
-
-    b.want = (whackfd == NULL_FD ? "whack" : "acquire");
-    b.failure_ok = FALSE;
-    b.our_client = *our_client;
-    b.peer_client = *peer_client;
-    b.transport_proto = transport_proto;
-    b.held = held;
-    b.policy_prio = BOTTOM_PRIO;
-    b.failure_shunt = 0;
-    b.whackfd = whackfd;
-    b.step = fos_start;
-    initiate_opportunistic_body(&b, NULL, NULL);
+	struct find_oppo_bundle b;
+
+	b.want = (whackfd == NULL_FD ? "whack" : "acquire");
+	b.failure_ok = FALSE;
+	b.our_client = *our_client;
+	b.peer_client = *peer_client;
+	b.transport_proto = transport_proto;
+	b.held = held;
+	b.policy_prio = BOTTOM_PRIO;
+	b.failure_shunt = 0;
+	b.whackfd = whackfd;
+	b.step = fos_start;
+	initiate_opportunistic_body(&b, NULL, NULL);
 }
 
 static void
 continue_oppo(struct adns_continuation *acr, err_t ugh)
 {
-    struct find_oppo_continuation *cr = (void *)acr;	/* inherit, damn you! */
-    struct connection *c;
-    bool was_held = cr->b.held;
-    int whackfd = cr->b.whackfd;
+	struct find_oppo_continuation *cr = (void *)acr;    /* inherit, damn you! */
+	struct connection *c;
+	bool was_held = cr->b.held;
+	int whackfd = cr->b.whackfd;
 
-    /* note: cr->id has no resources; cr->sgw_id is id_none:
-     * neither need freeing.
-     */
-    whack_log_fd = whackfd;
+	/* note: cr->id has no resources; cr->sgw_id is ID_ANY:
+	 * neither need freeing.
+	 */
+	whack_log_fd = whackfd;
 
 #ifdef KLIPS
-    /* Discover and record whether %hold has gone away.
-     * This could have happened while we were awaiting DNS.
-     * We must check BEFORE any call to cannot_oppo.
-     */
-    if (was_held)
-	cr->b.held = has_bare_hold(&cr->b.our_client, &cr->b.peer_client
-	    , cr->b.transport_proto);
+	/* Discover and record whether %hold has gone away.
+	 * This could have happened while we were awaiting DNS.
+	 * We must check BEFORE any call to cannot_oppo.
+	 */
+	if (was_held)
+		cr->b.held = has_bare_hold(&cr->b.our_client, &cr->b.peer_client
+			, cr->b.transport_proto);
 #endif
 
 #ifdef DEBUG
-    /* if we're going to ignore the error, at least note it in debugging log */
-    if (cr->b.failure_ok && ugh != NULL)
-    {
-	DBG(DBG_CONTROL | DBG_DNS,
-	    {
+	/* if we're going to ignore the error, at least note it in debugging log */
+	if (cr->b.failure_ok && ugh != NULL)
+	{
+		DBG(DBG_CONTROL | DBG_DNS,
+			{
+				char ocb[ADDRTOT_BUF];
+				char pcb[ADDRTOT_BUF];
+
+				addrtot(&cr->b.our_client, 0, ocb, sizeof(ocb));
+				addrtot(&cr->b.peer_client, 0, pcb, sizeof(pcb));
+				DBG_log("continuing from failed DNS lookup for %s, %s to %s: %s"
+					, cr->b.want, ocb, pcb, ugh);
+			});
+	}
+#endif
+
+	if (!cr->b.failure_ok && ugh != NULL)
+	{
+		c = find_connection_for_clients(NULL, &cr->b.our_client, &cr->b.peer_client
+			, cr->b.transport_proto);
+		cannot_oppo(c, &cr->b
+					, builddiag("%s: %s", cr->b.want, ugh));
+	}
+	else if (was_held && !cr->b.held)
+	{
+		/* was_held indicates we were started due to a %trap firing
+		 * (as opposed to a "whack --oppohere --oppothere").
+		 * Since the %hold has gone, we can assume that somebody else
+		 * has beaten us to the punch.  We can go home.  But lets log it.
+		 */
 		char ocb[ADDRTOT_BUF];
 		char pcb[ADDRTOT_BUF];
 
 		addrtot(&cr->b.our_client, 0, ocb, sizeof(ocb));
 		addrtot(&cr->b.peer_client, 0, pcb, sizeof(pcb));
-		DBG_log("continuing from failed DNS lookup for %s, %s to %s: %s"
-		    , cr->b.want, ocb, pcb, ugh);
-	    });
-    }
-#endif
 
-    if (!cr->b.failure_ok && ugh != NULL)
-    {
-	c = find_connection_for_clients(NULL, &cr->b.our_client, &cr->b.peer_client
-	    , cr->b.transport_proto);
-	cannot_oppo(c, &cr->b
-		    , builddiag("%s: %s", cr->b.want, ugh));
-    }
-    else if (was_held && !cr->b.held)
-    {
-	/* was_held indicates we were started due to a %trap firing
-	 * (as opposed to a "whack --oppohere --oppothere").
-	 * Since the %hold has gone, we can assume that somebody else
-	 * has beaten us to the punch.  We can go home.  But lets log it.
-	 */
-	char ocb[ADDRTOT_BUF];
-	char pcb[ADDRTOT_BUF];
+		loglog(RC_COMMENT
+			, "%%hold otherwise handled during DNS lookup for Opportunistic Initiation for %s to %s"
+			, ocb, pcb);
+	}
+	else
+	{
+		initiate_opportunistic_body(&cr->b, &cr->ac, ugh);
+		whackfd = NULL_FD;      /* was handed off */
+	}
 
-	addrtot(&cr->b.our_client, 0, ocb, sizeof(ocb));
-	addrtot(&cr->b.peer_client, 0, pcb, sizeof(pcb));
-
-	loglog(RC_COMMENT
-	    , "%%hold otherwise handled during DNS lookup for Opportunistic Initiation for %s to %s"
-	    , ocb, pcb);
-    }
-    else
-    {
-	initiate_opportunistic_body(&cr->b, &cr->ac, ugh);
-	whackfd = NULL_FD;	/* was handed off */
-    }
-
-    whack_log_fd = NULL_FD;
-    close_any(whackfd);
+	whack_log_fd = NULL_FD;
+	close_any(whackfd);
 }
 
 #ifdef USE_KEYRR
@@ -2158,110 +2149,112 @@ check_key_recs(enum myid_state try_state
 , const struct connection *c
 , struct adns_continuation *ac)
 {
-    /* Check if KEY lookup yielded good results.
-     * Looking up based on our ID.  Used if
-     * client is ourself, or if TXT had no public key.
-     * Note: if c is different this time, there is
-     * a chance that we did the wrong query.
-     * If so, treat as a kind of failure.
-     */
-    enum myid_state old_myid_state = myid_state;
-    const struct RSA_private_key *our_RSA_pri;
-    err_t ugh = NULL;
-
-    myid_state = try_state;
-
-    if (old_myid_state != myid_state
-    && old_myid_state == MYID_SPECIFIED)
-    {
-	ugh = "%myid was specified while we were guessing";
-    }
-    else if ((our_RSA_pri = get_RSA_private_key(c)) == NULL)
-    {
-	ugh = "we don't know our own RSA key";
-    }
-    else if (!same_id(&ac->id, &c->spd.this.id))
-    {
-	ugh = "our ID changed underfoot";
-    }
-    else
-    {
-	/* Similar to code in RSA_check_signature
-	 * for checking the other side.
+	/* Check if KEY lookup yielded good results.
+	 * Looking up based on our ID.  Used if
+	 * client is ourself, or if TXT had no public key.
+	 * Note: if c is different this time, there is
+	 * a chance that we did the wrong query.
+	 * If so, treat as a kind of failure.
 	 */
-	pubkey_list_t *kr;
+	enum myid_state old_myid_state = myid_state;
+	private_key_t *private;
+	err_t ugh = NULL;
+
+	myid_state = try_state;
 
-	ugh = "no KEY RR found for us";
-	for (kr = ac->keys_from_dns; kr != NULL; kr = kr->next)
+	if (old_myid_state != myid_state && old_myid_state == MYID_SPECIFIED)
 	{
-	    ugh = "all our KEY RRs have the wrong public key";
-	    if (kr->key->alg == PUBKEY_ALG_RSA
-	    && same_RSA_public_key(&our_RSA_pri->pub, &kr->key->u.rsa))
-	    {
-		ugh = NULL;	/* good! */
-		break;
-	    }
+		ugh = "%myid was specified while we were guessing";
+	}
+	else if ((private = get_private_key(c)) == NULL)
+	{
+		ugh = "we don't know our own RSA key";
+	}
+	else if (!same_id(&ac->id, &c->spd.this.id))
+	{
+		ugh = "our ID changed underfoot";
+	}
+	else
+	{
+		/* Similar to code in RSA_check_signature
+		 * for checking the other side.
+		 */
+		pubkey_list_t *kr;
+
+		ugh = "no KEY RR found for us";
+		for (kr = ac->keys_from_dns; kr != NULL; kr = kr->next)
+		{
+			ugh = "all our KEY RRs have the wrong public key";
+			if (kr->key->alg == PUBKEY_ALG_RSA
+			&& private->belongs_to(private, &kr->key->public_key))
+			{
+				ugh = NULL;     /* good! */
+				break;
+			}
+		}
 	}
-    }
-    if (ugh != NULL)
-	myid_state = old_myid_state;
-    return ugh;
+	if (ugh != NULL)
+		myid_state = old_myid_state;
+	return ugh;
 }
 #endif /* USE_KEYRR */
 
-static err_t
-check_txt_recs(enum myid_state try_state
-, const struct connection *c
-, struct adns_continuation *ac)
+static err_t check_txt_recs(enum myid_state try_state,
+							const struct connection *c,
+							struct adns_continuation *ac)
 {
-    /* Check if TXT lookup yielded good results.
-     * Looking up based on our ID.  Used if
-     * client is ourself, or if TXT had no public key.
-     * Note: if c is different this time, there is
-     * a chance that we did the wrong query.
-     * If so, treat as a kind of failure.
-     */
-    enum myid_state old_myid_state = myid_state;
-    const struct RSA_private_key *our_RSA_pri;
-    err_t ugh = NULL;
-
-    myid_state = try_state;
-
-    if (old_myid_state != myid_state
-    && old_myid_state == MYID_SPECIFIED)
-    {
-	ugh = "%myid was specified while we were guessing";
-    }
-    else if ((our_RSA_pri = get_RSA_private_key(c)) == NULL)
-    {
-	ugh = "we don't know our own RSA key";
-    }
-    else if (!same_id(&ac->id, &c->spd.this.id))
-    {
-	ugh = "our ID changed underfoot";
-    }
-    else
-    {
-	/* Similar to code in RSA_check_signature
-	 * for checking the other side.
+	/* Check if TXT lookup yielded good results.
+	 * Looking up based on our ID.  Used if
+	 * client is ourself, or if TXT had no public key.
+	 * Note: if c is different this time, there is
+	 * a chance that we did the wrong query.
+	 * If so, treat as a kind of failure.
 	 */
-	struct gw_info *gwp;
+	enum myid_state old_myid_state = myid_state;
+	private_key_t *private;
+	err_t ugh = NULL;
 
-	ugh = "no TXT RR found for us";
-	for (gwp = ac->gateways_from_dns; gwp != NULL; gwp = gwp->next)
+	myid_state = try_state;
+
+	if (old_myid_state != myid_state
+	&& old_myid_state == MYID_SPECIFIED)
 	{
-	    ugh = "all our TXT RRs have the wrong public key";
-	    if (gwp->key->alg == PUBKEY_ALG_RSA
-	    && same_RSA_public_key(&our_RSA_pri->pub, &gwp->key->u.rsa))
-	    {
-		ugh = NULL;	/* good! */
-		break;
-	    }
+		ugh = "%myid was specified while we were guessing";
+	}
+	else if ((private = get_private_key(c)) == NULL)
+	{
+		ugh = "we don't know our own RSA key";
+	}
+	else if (!same_id(&ac->id, &c->spd.this.id))
+	{
+		ugh = "our ID changed underfoot";
+	}
+	else
+	{
+		/* Similar to code in RSA_check_signature
+		 * for checking the other side.
+		 */
+		struct gw_info *gwp;
+
+		ugh = "no TXT RR found for us";
+		for (gwp = ac->gateways_from_dns; gwp != NULL; gwp = gwp->next)
+		{
+			public_key_t *pub_key = gwp->key->public_key;
+
+			ugh = "all our TXT RRs have the wrong public key";
+			if (pub_key->get_type(pub_key) == KEY_RSA &&
+			    private->belongs_to(private, pub_key))
+			{
+				ugh = NULL;     /* good! */
+				break;
+			}
+		}
 	}
-    }
-    if (ugh != NULL)
-	myid_state = old_myid_state;
-    return ugh;
+	if (ugh != NULL)
+	{
+		myid_state = old_myid_state;
+	}
+	return ugh;
 }
 
 
@@ -2271,776 +2264,775 @@ initiate_opportunistic_body(struct find_oppo_bundle *b
 , struct adns_continuation *ac
 , err_t ac_ugh)
 {
-    struct connection *c;
-    struct spd_route *sr;
+	struct connection *c;
+	struct spd_route *sr;
 
-    /* What connection shall we use?
-     * First try for one that explicitly handles the clients.
-     */
-    DBG(DBG_CONTROL,
-	{
-	    char ours[ADDRTOT_BUF];
-	    char his[ADDRTOT_BUF];
-	    int ourport;
-	    int hisport;
-
-	    addrtot(&b->our_client, 0, ours, sizeof(ours));
-	    addrtot(&b->peer_client, 0, his, sizeof(his));
-	    ourport = ntohs(portof(&b->our_client));
-	    hisport = ntohs(portof(&b->peer_client));
-	    DBG_log("initiate on demand from %s:%d to %s:%d proto=%d state: %s because: %s"
-		, ours, ourport, his, hisport, b->transport_proto
-		, oppo_step_name[b->step], b->want);
-	});
-    if (isanyaddr(&b->our_client) || isanyaddr(&b->peer_client))
-    {
-	cannot_oppo(NULL, b, "impossible IP address");
-    }
-    else if ((c = find_connection_for_clients(&sr
-					      , &b->our_client
-					      , &b->peer_client
-					      , b->transport_proto)) == NULL)
-    {
-	/* No connection explicitly handles the clients and there
-	 * are no Opportunistic connections -- whine and give up.
-	 * The failure policy cannot be gotten from a connection; we pick %pass.
+	/* What connection shall we use?
+	 * First try for one that explicitly handles the clients.
 	 */
-	cannot_oppo(NULL, b, "no routed Opportunistic template covers this pair");
-    }
-    else if (c->kind != CK_TEMPLATE)
-    {
-	/* We've found a connection that can serve.
-	 * Do we have to initiate it?
-	 * Not if there is currently an IPSEC SA.
-	 * But if there is an IPSEC SA, then KLIPS would not
-	 * have generated the acquire.  So we assume that there isn't one.
-	 * This may be redundant if a non-opportunistic
-	 * negotiation is already being attempted.
-	 */
-
-	/* If we are to proceed asynchronously, b->whackfd will be NULL_FD. */
-
-	if(c->kind == CK_INSTANCE)
+	DBG(DBG_CONTROL,
+		{
+			char ours[ADDRTOT_BUF];
+			char his[ADDRTOT_BUF];
+			int ourport;
+			int hisport;
+
+			addrtot(&b->our_client, 0, ours, sizeof(ours));
+			addrtot(&b->peer_client, 0, his, sizeof(his));
+			ourport = ntohs(portof(&b->our_client));
+			hisport = ntohs(portof(&b->peer_client));
+			DBG_log("initiate on demand from %s:%d to %s:%d proto=%d state: %s because: %s"
+				, ours, ourport, his, hisport, b->transport_proto
+				, oppo_step_name[b->step], b->want);
+		});
+	if (isanyaddr(&b->our_client) || isanyaddr(&b->peer_client))
 	{
-	    char cib[CONN_INST_BUF];
-	    /* there is already an instance being negotiated, no nothing */
-	    DBG(DBG_CONTROL, DBG_log("found existing instance \"%s\"%s, rekeying it"
-				     , c->name
-				     , (fmt_conn_instance(c, cib), cib)));
-	    /* XXX-mcr - return; */
+		cannot_oppo(NULL, b, "impossible IP address");
 	}
-
-	/* otherwise, there is some kind of static conn that can handle
-	 * this connection, so we initiate it */
-
-#ifdef KLIPS
-	if (b->held)
+	else if ((c = find_connection_for_clients(&sr
+											  , &b->our_client
+											  , &b->peer_client
+											  , b->transport_proto)) == NULL)
 	{
-	    /* what should we do on failure? */
-	    (void) assign_hold(c, sr, b->transport_proto, &b->our_client, &b->peer_client);
+		/* No connection explicitly handles the clients and there
+		 * are no Opportunistic connections -- whine and give up.
+		 * The failure policy cannot be gotten from a connection; we pick %pass.
+		 */
+		cannot_oppo(NULL, b, "no routed Opportunistic template covers this pair");
 	}
-#endif
-	ipsecdoi_initiate(b->whackfd, c, c->policy, 1, SOS_NOBODY);
-	b->whackfd = NULL_FD;	/* protect from close */
-    }
-    else
-    {
-	/* We are handling an opportunistic situation.
-	 * This involves several DNS lookup steps that require suspension.
-	 * Note: many facts might change while we're suspended.
-	 * Here be dragons.
-	 *
-	 * The first chunk of code handles the result of the previous
-	 * DNS query (if any).  It also selects the kind of the next step.
-	 * The second chunk initiates the next DNS query (if any).
-	 */
-	enum find_oppo_step next_step = fos_myid_ip_txt;
-	err_t ugh = ac_ugh;
-	char mycredentialstr[BUF_LEN];
-	char cib[CONN_INST_BUF];
-
-	DBG(DBG_CONTROL, DBG_log("creating new instance from \"%s\"%s"
-				 , c->name
-				 , (fmt_conn_instance(c, cib), cib)));
-				 
-
-	idtoa(&sr->this.id, mycredentialstr, sizeof(mycredentialstr));
-
-	passert(c->policy & POLICY_OPPO);   /* can't initiate Road Warrior connections */
-
-	/* handle any DNS answer; select next step */
-
-	switch (b->step)
+	else if (c->kind != CK_TEMPLATE)
 	{
-	case fos_start:
-	    /* just starting out: select first query step */
-	    next_step = fos_myid_ip_txt;
-	    break;
-
-	case fos_myid_ip_txt:	/* TXT for our default IP address as %myid */
-	    ugh = check_txt_recs(MYID_IP, c, ac);
-	    if (ugh != NULL)
-	    {
-		/* cannot use our IP as OE identitiy for initiation */
-		DBG(DBG_OPPO, DBG_log("can not use our IP (%s:TXT) as identity: %s"
-				      , myid_str[MYID_IP]
-				      , ugh));
-		if (!logged_myid_ip_txt_warning)
-		{
-		    loglog(RC_LOG_SERIOUS
-			   , "can not use our IP (%s:TXT) as identity: %s"
-			   , myid_str[MYID_IP]
-			   , ugh);
-		    logged_myid_ip_txt_warning = TRUE;
-		}
+		/* We've found a connection that can serve.
+		 * Do we have to initiate it?
+		 * Not if there is currently an IPSEC SA.
+		 * But if there is an IPSEC SA, then KLIPS would not
+		 * have generated the acquire.  So we assume that there isn't one.
+		 * This may be redundant if a non-opportunistic
+		 * negotiation is already being attempted.
+		 */
 
-		next_step = fos_myid_hostname_txt;
-		ugh = NULL;	/* failure can be recovered from */
-	    }
-	    else
-	    {
-		/* we can use our IP as OE identity for initiation */
-		if (!logged_myid_ip_txt_warning)
-		{
-		    loglog(RC_LOG_SERIOUS
-			   , "using our IP (%s:TXT) as identity!"
-			   , myid_str[MYID_IP]);
-		    logged_myid_ip_txt_warning = TRUE;
-		}
+		/* If we are to proceed asynchronously, b->whackfd will be NULL_FD. */
 
-		next_step = fos_our_client;
-	    }
-	    break;
-
-	case fos_myid_hostname_txt:	/* TXT for our hostname as %myid */
-	    ugh = check_txt_recs(MYID_HOSTNAME, c, ac);
-	    if (ugh != NULL)
-	    {
-		/* cannot use our hostname as OE identitiy for initiation */
-		DBG(DBG_OPPO, DBG_log("can not use our hostname (%s:TXT) as identity: %s"
-				      , myid_str[MYID_HOSTNAME]
-				      , ugh));
-		if (!logged_myid_fqdn_txt_warning)
+		if(c->kind == CK_INSTANCE)
 		{
-		    loglog(RC_LOG_SERIOUS
-			   , "can not use our hostname (%s:TXT) as identity: %s"
-			   , myid_str[MYID_HOSTNAME]
-			   , ugh);
-		    logged_myid_fqdn_txt_warning = TRUE;
+			char cib[CONN_INST_BUF];
+			/* there is already an instance being negotiated, no nothing */
+			DBG(DBG_CONTROL, DBG_log("found existing instance \"%s\"%s, rekeying it"
+									 , c->name
+									 , (fmt_conn_instance(c, cib), cib)));
+			/* XXX-mcr - return; */
 		}
-#ifdef USE_KEYRR
-		next_step = fos_myid_ip_key;
-		ugh = NULL;	/* failure can be recovered from */
-#endif
-	    }
-	    else
-	    {
-		/* we can use our hostname as OE identity for initiation */
-		if (!logged_myid_fqdn_txt_warning)
-		{
-		    loglog(RC_LOG_SERIOUS
-			   , "using our hostname (%s:TXT) as identity!"
-			   , myid_str[MYID_HOSTNAME]);
-		    logged_myid_fqdn_txt_warning = TRUE;
-		}
-		next_step = fos_our_client;
-	    }
-	    break;
 
-#ifdef USE_KEYRR
-	case fos_myid_ip_key:	/* KEY for our default IP address as %myid */
-	    ugh = check_key_recs(MYID_IP, c, ac);
-	    if (ugh != NULL)
-	    {
-		/* cannot use our IP as OE identitiy for initiation */
-		DBG(DBG_OPPO, DBG_log("can not use our IP (%s:KEY) as identity: %s"
-				      , myid_str[MYID_IP]
-				      , ugh));
-		if (!logged_myid_ip_key_warning)
-		{
-		    loglog(RC_LOG_SERIOUS
-			   , "can not use our IP (%s:KEY) as identity: %s"
-			   , myid_str[MYID_IP]
-			   , ugh);
-		    logged_myid_ip_key_warning = TRUE;
-		}
-
-		next_step = fos_myid_hostname_key;
-		ugh = NULL;	/* failure can be recovered from */
-	    }
-	    else
-	    {
-		/* we can use our IP as OE identity for initiation */
-		if (!logged_myid_ip_key_warning)
-		{
-		    loglog(RC_LOG_SERIOUS
-			   , "using our IP (%s:KEY) as identity!"
-			   , myid_str[MYID_IP]);
-		    logged_myid_ip_key_warning = TRUE;
-		}
-		next_step = fos_our_client;
-	    }
-	    break;
-
-	case fos_myid_hostname_key:	/* KEY for our hostname as %myid */
-	    ugh = check_key_recs(MYID_HOSTNAME, c, ac);
-	    if (ugh != NULL)
-	    {
-		/* cannot use our IP as OE identitiy for initiation */
-		DBG(DBG_OPPO, DBG_log("can not use our hostname (%s:KEY) as identity: %s"
-				      , myid_str[MYID_HOSTNAME]
-				      , ugh));
-		if (!logged_myid_fqdn_key_warning)
-		{
-		    loglog(RC_LOG_SERIOUS
-			   , "can not use our hostname (%s:KEY) as identity: %s"
-			   , myid_str[MYID_HOSTNAME]
-			   , ugh);
-		    logged_myid_fqdn_key_warning = TRUE;
-		}
+		/* otherwise, there is some kind of static conn that can handle
+		 * this connection, so we initiate it */
 
-		next_step = fos_myid_hostname_key;
-		ugh = NULL;	/* failure can be recovered from */
-	    }
-	    else
-	    {
-		/* we can use our IP as OE identity for initiation */
-		if (!logged_myid_fqdn_key_warning)
+#ifdef KLIPS
+		if (b->held)
 		{
-		    loglog(RC_LOG_SERIOUS
-			   , "using our hostname (%s:KEY) as identity!"
-			   , myid_str[MYID_HOSTNAME]);
-		    logged_myid_fqdn_key_warning = TRUE;
+			/* what should we do on failure? */
+			(void) assign_hold(c, sr, b->transport_proto, &b->our_client, &b->peer_client);
 		}
-		next_step = fos_our_client;
-	    }
-	    break;
 #endif
-
-	case fos_our_client:	/* TXT for our client */
-	    {
-		/* Our client is not us: we must check the TXT records.
-		 * Note: if c is different this time, there is
-		 * a chance that we did the wrong query.
-		 * If so, treat as a kind of failure.
+		ipsecdoi_initiate(b->whackfd, c, c->policy, 1, SOS_NOBODY);
+		b->whackfd = NULL_FD;   /* protect from close */
+	}
+	else
+	{
+		/* We are handling an opportunistic situation.
+		 * This involves several DNS lookup steps that require suspension.
+		 * Note: many facts might change while we're suspended.
+		 * Here be dragons.
+		 *
+		 * The first chunk of code handles the result of the previous
+		 * DNS query (if any).  It also selects the kind of the next step.
+		 * The second chunk initiates the next DNS query (if any).
 		 */
-		const struct RSA_private_key *our_RSA_pri = get_RSA_private_key(c);
+		enum find_oppo_step next_step = fos_myid_ip_txt;
+		err_t ugh = ac_ugh;
+		char mycredentialstr[BUF_LEN];
+		char cib[CONN_INST_BUF];
 
-		next_step = fos_his_client;	/* normal situation */
+		DBG(DBG_CONTROL, DBG_log("creating new instance from \"%s\"%s"
+								 , c->name
+								 , (fmt_conn_instance(c, cib), cib)));
+								
 
-		passert(sr != NULL);
+		idtoa(&sr->this.id, mycredentialstr, sizeof(mycredentialstr));
 
-		if (our_RSA_pri == NULL)
-		{
-		    ugh = "we don't know our own RSA key";
-		}
-		else if (sameaddr(&sr->this.host_addr, &b->our_client))
-		{
-		    /* this wasn't true when we started -- bail */
-		    ugh = "our IP address changed underfoot";
-		}
-		else if (!same_id(&ac->sgw_id, &sr->this.id))
-		{
-		    /* this wasn't true when we started -- bail */
-		    ugh = "our ID changed underfoot";
-		}
-		else
+		passert(c->policy & POLICY_OPPO);   /* can't initiate Road Warrior connections */
+
+		/* handle any DNS answer; select next step */
+
+		switch (b->step)
 		{
-		    /* Similar to code in quick_inI1_outR1_tail
-		     * for checking the other side.
-		     */
-		    struct gw_info *gwp;
-
-		    ugh = "no TXT RR for our client delegates us";
-		    for (gwp = ac->gateways_from_dns; gwp != NULL; gwp = gwp->next)
-		    {
-			passert(same_id(&gwp->gw_id, &sr->this.id));
-
-			ugh = "TXT RR for our client has wrong key";
-			/* If there is a key from the TXT record,
-			 * we count it as a win if we match the key.
-			 * If there was no key, we have a tentative win:
-			 * we need to check our KEY record to be sure.
-			 */
-			if (!gwp->gw_key_present)
+		case fos_start:
+			/* just starting out: select first query step */
+			next_step = fos_myid_ip_txt;
+			break;
+
+		case fos_myid_ip_txt:   /* TXT for our default IP address as %myid */
+			ugh = check_txt_recs(MYID_IP, c, ac);
+			if (ugh != NULL)
 			{
-			    /* Success, but the TXT had no key
-			     * so we must check our our own KEY records.
-			     */
-			    next_step = fos_our_txt;
-			    ugh = NULL;	/* good! */
-			    break;
+				/* cannot use our IP as OE identitiy for initiation */
+				DBG(DBG_OPPO, DBG_log("can not use our IP (%s:TXT) as identity: %s"
+									  , myid_str[MYID_IP]
+									  , ugh));
+				if (!logged_myid_ip_txt_warning)
+				{
+					loglog(RC_LOG_SERIOUS
+						   , "can not use our IP (%s:TXT) as identity: %s"
+						   , myid_str[MYID_IP]
+						   , ugh);
+					logged_myid_ip_txt_warning = TRUE;
+				}
+
+				next_step = fos_myid_hostname_txt;
+				ugh = NULL;     /* failure can be recovered from */
 			}
-			if (same_RSA_public_key(&our_RSA_pri->pub, &gwp->key->u.rsa))
+			else
 			{
-			    ugh = NULL;	/* good! */
-			    break;
+				/* we can use our IP as OE identity for initiation */
+				if (!logged_myid_ip_txt_warning)
+				{
+					loglog(RC_LOG_SERIOUS
+						   , "using our IP (%s:TXT) as identity!"
+						   , myid_str[MYID_IP]);
+					logged_myid_ip_txt_warning = TRUE;
+				}
+
+				next_step = fos_our_client;
 			}
-		    }
-		}
-	    }
-	    break;
-
-	case fos_our_txt:	/* TXT for us */
-	    {
-		/* Check if TXT lookup yielded good results.
-		 * Looking up based on our ID.  Used if
-		 * client is ourself, or if TXT had no public key.
-		 * Note: if c is different this time, there is
-		 * a chance that we did the wrong query.
-		 * If so, treat as a kind of failure.
-		 */
-		const struct RSA_private_key *our_RSA_pri = get_RSA_private_key(c);
-
-		next_step = fos_his_client;	/* unless we decide to look for KEY RR */
+			break;
 
-		if (our_RSA_pri == NULL)
-		{
-		    ugh = "we don't know our own RSA key";
-		}
-		else if (!same_id(&ac->id, &c->spd.this.id))
-		{
-		    ugh = "our ID changed underfoot";
-		}
-		else
-		{
-		    /* Similar to code in RSA_check_signature
-		     * for checking the other side.
-		     */
-		    struct gw_info *gwp;
-
-		    ugh = "no TXT RR for us";
-		    for (gwp = ac->gateways_from_dns; gwp != NULL; gwp = gwp->next)
-		    {
-			passert(same_id(&gwp->gw_id, &sr->this.id));
-
-			ugh = "TXT RR for us has wrong key";
-			if (gwp->gw_key_present
-			&& same_RSA_public_key(&our_RSA_pri->pub, &gwp->key->u.rsa))
+		case fos_myid_hostname_txt:     /* TXT for our hostname as %myid */
+			ugh = check_txt_recs(MYID_HOSTNAME, c, ac);
+			if (ugh != NULL)
 			{
-			    DBG(DBG_CONTROL,
-				DBG_log("initiate on demand found TXT with right public key at: %s"
-					, mycredentialstr));
-			    ugh = NULL;
-			    break;
-			}
-		    }
+				/* cannot use our hostname as OE identitiy for initiation */
+				DBG(DBG_OPPO, DBG_log("can not use our hostname (%s:TXT) as identity: %s"
+									  , myid_str[MYID_HOSTNAME]
+									  , ugh));
+				if (!logged_myid_fqdn_txt_warning)
+				{
+					loglog(RC_LOG_SERIOUS
+						   , "can not use our hostname (%s:TXT) as identity: %s"
+						   , myid_str[MYID_HOSTNAME]
+						   , ugh);
+					logged_myid_fqdn_txt_warning = TRUE;
+				}
 #ifdef USE_KEYRR
-		    if (ugh != NULL)
-		    {
-			/* if no TXT with right key, try KEY */
-			DBG(DBG_CONTROL,
-			    DBG_log("will try for KEY RR since initiate on demand found %s: %s"
-				    , ugh, mycredentialstr));
-			next_step = fos_our_key;
-			ugh = NULL;
-		    }
+				next_step = fos_myid_ip_key;
+				ugh = NULL;     /* failure can be recovered from */
 #endif
-		}
-	    }
-	    break;
+			}
+			else
+			{
+				/* we can use our hostname as OE identity for initiation */
+				if (!logged_myid_fqdn_txt_warning)
+				{
+					loglog(RC_LOG_SERIOUS
+						   , "using our hostname (%s:TXT) as identity!"
+						   , myid_str[MYID_HOSTNAME]);
+					logged_myid_fqdn_txt_warning = TRUE;
+				}
+				next_step = fos_our_client;
+			}
+			break;
 
 #ifdef USE_KEYRR
-	case fos_our_key:	/* KEY for us */
-	    {
-		/* Check if KEY lookup yielded good results.
-		 * Looking up based on our ID.  Used if
-		 * client is ourself, or if TXT had no public key.
-		 * Note: if c is different this time, there is
-		 * a chance that we did the wrong query.
-		 * If so, treat as a kind of failure.
-		 */
-		const struct RSA_private_key *our_RSA_pri = get_RSA_private_key(c);
+		case fos_myid_ip_key:   /* KEY for our default IP address as %myid */
+			ugh = check_key_recs(MYID_IP, c, ac);
+			if (ugh != NULL)
+			{
+				/* cannot use our IP as OE identitiy for initiation */
+				DBG(DBG_OPPO, DBG_log("can not use our IP (%s:KEY) as identity: %s"
+									  , myid_str[MYID_IP]
+									  , ugh));
+				if (!logged_myid_ip_key_warning)
+				{
+					loglog(RC_LOG_SERIOUS
+						   , "can not use our IP (%s:KEY) as identity: %s"
+						   , myid_str[MYID_IP]
+						   , ugh);
+					logged_myid_ip_key_warning = TRUE;
+				}
+
+				next_step = fos_myid_hostname_key;
+				ugh = NULL;     /* failure can be recovered from */
+			}
+			else
+			{
+				/* we can use our IP as OE identity for initiation */
+				if (!logged_myid_ip_key_warning)
+				{
+					loglog(RC_LOG_SERIOUS
+						   , "using our IP (%s:KEY) as identity!"
+						   , myid_str[MYID_IP]);
+					logged_myid_ip_key_warning = TRUE;
+				}
+				next_step = fos_our_client;
+			}
+			break;
 
-		next_step = fos_his_client;	/* always */
+		case fos_myid_hostname_key:     /* KEY for our hostname as %myid */
+			ugh = check_key_recs(MYID_HOSTNAME, c, ac);
+			if (ugh != NULL)
+			{
+				/* cannot use our IP as OE identitiy for initiation */
+				DBG(DBG_OPPO, DBG_log("can not use our hostname (%s:KEY) as identity: %s"
+									  , myid_str[MYID_HOSTNAME]
+									  , ugh));
+				if (!logged_myid_fqdn_key_warning)
+				{
+					loglog(RC_LOG_SERIOUS
+						   , "can not use our hostname (%s:KEY) as identity: %s"
+						   , myid_str[MYID_HOSTNAME]
+						   , ugh);
+					logged_myid_fqdn_key_warning = TRUE;
+				}
+
+				next_step = fos_myid_hostname_key;
+				ugh = NULL;     /* failure can be recovered from */
+			}
+			else
+			{
+				/* we can use our IP as OE identity for initiation */
+				if (!logged_myid_fqdn_key_warning)
+				{
+					loglog(RC_LOG_SERIOUS
+						   , "using our hostname (%s:KEY) as identity!"
+						   , myid_str[MYID_HOSTNAME]);
+					logged_myid_fqdn_key_warning = TRUE;
+				}
+				next_step = fos_our_client;
+			}
+			break;
+#endif
 
-		if (our_RSA_pri == NULL)
-		{
-		    ugh = "we don't know our own RSA key";
-		}
-		else if (!same_id(&ac->id, &c->spd.this.id))
-		{
-		    ugh = "our ID changed underfoot";
-		}
-		else
-		{
-		    /* Similar to code in RSA_check_signature
-		     * for checking the other side.
-		     */
-		    pubkey_list_t *kr;
-
-		    ugh = "no KEY RR found for us (and no good TXT RR)";
-		    for (kr = ac->keys_from_dns; kr != NULL; kr = kr->next)
-		    {
-			ugh = "all our KEY RRs have the wrong public key (and no good TXT RR)";
-			if (kr->key->alg == PUBKEY_ALG_RSA
-			&& same_RSA_public_key(&our_RSA_pri->pub, &kr->key->u.rsa))
+		case fos_our_client:    /* TXT for our client */
 			{
-			    /* do this only once a day */
-			    if (!logged_txt_warning)
-			    {
-				loglog(RC_LOG_SERIOUS
-				       , "found KEY RR but not TXT RR for %s. See http://www.freeswan.org/err/txt-change.html."
-				       , mycredentialstr);
-				logged_txt_warning = TRUE;
-			    }
-			    ugh = NULL;	/* good! */
-			    break;
+				/* Our client is not us: we must check the TXT records.
+				 * Note: if c is different this time, there is
+				 * a chance that we did the wrong query.
+				 * If so, treat as a kind of failure.
+				 */
+				private_key_t *private = get_private_key(c);
+
+				next_step = fos_his_client;     /* normal situation */
+
+				passert(sr != NULL);
+
+				if (private == NULL)
+				{
+					ugh = "we don't know our own RSA key";
+				}
+				else if (sameaddr(&sr->this.host_addr, &b->our_client))
+				{
+					/* this wasn't true when we started -- bail */
+					ugh = "our IP address changed underfoot";
+				}
+				else if (!same_id(&ac->sgw_id, &sr->this.id))
+				{
+					/* this wasn't true when we started -- bail */
+					ugh = "our ID changed underfoot";
+				}
+				else
+				{
+					/* Similar to code in quick_inI1_outR1_tail
+					 * for checking the other side.
+					 */
+					struct gw_info *gwp;
+
+					ugh = "no TXT RR for our client delegates us";
+					for (gwp = ac->gateways_from_dns; gwp != NULL; gwp = gwp->next)
+					{
+						passert(same_id(&gwp->gw_id, &sr->this.id));
+
+						ugh = "TXT RR for our client has wrong key";
+						/* If there is a key from the TXT record,
+						 * we count it as a win if we match the key.
+						 * If there was no key, we have a tentative win:
+						 * we need to check our KEY record to be sure.
+						 */
+						if (!gwp->gw_key_present)
+						{
+							/* Success, but the TXT had no key
+							 * so we must check our our own KEY records.
+							 */
+							next_step = fos_our_txt;
+							ugh = NULL; /* good! */
+							break;
+						}
+						if (private->belongs_to(private, gwp->key->public_key))
+						{
+							ugh = NULL; /* good! */
+							break;
+						}
+					}
+				}
 			}
-		    }
-		}
-	    }
-	    break;
-#endif /* USE_KEYRR */
+			break;
 
-	case fos_his_client:	/* TXT for his client */
-	    {
-		/* We've finished last DNS queries: TXT for his client.
-		 * Using the information, try to instantiate a connection
-		 * and start negotiating.
-		 * We now know the peer.  The chosing of "c" ignored this,
-		 * so we will disregard its current value.
-		 * !!! We need to randomize the entry in gw that we choose.
-		 */
-		next_step = fos_done;	/* no more queries */
+		case fos_our_txt:       /* TXT for us */
+			{
+				/* Check if TXT lookup yielded good results.
+				 * Looking up based on our ID.  Used if
+				 * client is ourself, or if TXT had no public key.
+				 * Note: if c is different this time, there is
+				 * a chance that we did the wrong query.
+				 * If so, treat as a kind of failure.
+				 */
+				private_key_t *private = get_private_key(c);
+
+				next_step = fos_his_client;     /* unless we decide to look for KEY RR */
+
+				if (private == NULL)
+				{
+					ugh = "we don't know our own RSA key";
+				}
+				else if (!same_id(&ac->id, &c->spd.this.id))
+				{
+					ugh = "our ID changed underfoot";
+				}
+				else
+				{
+					/* Similar to code in RSA_check_signature
+					 * for checking the other side.
+					 */
+					struct gw_info *gwp;
+
+					ugh = "no TXT RR for us";
+					for (gwp = ac->gateways_from_dns; gwp != NULL; gwp = gwp->next)
+					{
+						passert(same_id(&gwp->gw_id, &sr->this.id));
+
+						ugh = "TXT RR for us has wrong key";
+						if (gwp->gw_key_present &&
+							private->belongs_to(private, gwp->key->public_key))
+						{
+							DBG(DBG_CONTROL,
+								DBG_log("initiate on demand found TXT with right public key at: %s"
+										, mycredentialstr));
+							ugh = NULL;
+							break;
+						}
+					}
+#ifdef USE_KEYRR
+					if (ugh != NULL)
+					{
+						/* if no TXT with right key, try KEY */
+						DBG(DBG_CONTROL,
+							DBG_log("will try for KEY RR since initiate on demand found %s: %s"
+									, ugh, mycredentialstr));
+						next_step = fos_our_key;
+						ugh = NULL;
+					}
+#endif
+				}
+			}
+			break;
 
-		c = build_outgoing_opportunistic_connection(ac->gateways_from_dns
-							    , &b->our_client
-							    , &b->peer_client);
+#ifdef USE_KEYRR
+		case fos_our_key:       /* KEY for us */
+			{
+				/* Check if KEY lookup yielded good results.
+				 * Looking up based on our ID.  Used if
+				 * client is ourself, or if TXT had no public key.
+				 * Note: if c is different this time, there is
+				 * a chance that we did the wrong query.
+				 * If so, treat as a kind of failure.
+				 */
+				private_key_t *private = get_private_key(c);
+
+				next_step = fos_his_client;     /* always */
+
+				if (private == NULL)
+				{
+					ugh = "we don't know our own RSA key";
+				}
+				else if (!same_id(&ac->id, &c->spd.this.id))
+				{
+					ugh = "our ID changed underfoot";
+				}
+				else
+				{
+					/* Similar to code in RSA_check_signature
+					 * for checking the other side.
+					 */
+					pubkey_list_t *kr;
+
+					ugh = "no KEY RR found for us (and no good TXT RR)";
+					for (kr = ac->keys_from_dns; kr != NULL; kr = kr->next)
+					{
+						ugh = "all our KEY RRs have the wrong public key (and no good TXT RR)";
+						if (kr->key->alg == PUBKEY_ALG_RSA
+						&& private->belongs_to(private, kr->key->public_key))
+						{
+							/* do this only once a day */
+							if (!logged_txt_warning)
+							{
+								loglog(RC_LOG_SERIOUS
+									   , "found KEY RR but not TXT RR for %s. See http://www.freeswan.org/err/txt-change.html."
+									   , mycredentialstr);
+								logged_txt_warning = TRUE;
+							}
+							ugh = NULL; /* good! */
+							break;
+						}
+					}
+				}
+			}
+			break;
+#endif /* USE_KEYRR */
 
-		if (c == NULL)
-		{
-		    /* We cannot seem to instantiate a suitable connection:
-		     * complain clearly.
-		     */
-		    char ocb[ADDRTOT_BUF]
-			, pcb[ADDRTOT_BUF]
-			, pb[ADDRTOT_BUF];
-
-		    addrtot(&b->our_client, 0, ocb, sizeof(ocb));
-		    addrtot(&b->peer_client, 0, pcb, sizeof(pcb));
-		    passert(id_is_ipaddr(&ac->gateways_from_dns->gw_id));
-		    addrtot(&ac->gateways_from_dns->gw_id.ip_addr, 0, pb, sizeof(pb));
-		    loglog(RC_OPPOFAILURE
-			, "no suitable connection for opportunism"
-			  " between %s and %s with %s as peer"
-			, ocb, pcb, pb);
+		case fos_his_client:    /* TXT for his client */
+			{
+				/* We've finished last DNS queries: TXT for his client.
+				 * Using the information, try to instantiate a connection
+				 * and start negotiating.
+				 * We now know the peer.  The chosing of "c" ignored this,
+				 * so we will disregard its current value.
+				 * !!! We need to randomize the entry in gw that we choose.
+				 */
+				next_step = fos_done;   /* no more queries */
+
+				c = build_outgoing_opportunistic_connection(ac->gateways_from_dns
+															, &b->our_client
+															, &b->peer_client);
+
+				if (c == NULL)
+				{
+					/* We cannot seem to instantiate a suitable connection:
+					 * complain clearly.
+					 */
+					char ocb[ADDRTOT_BUF]
+						, pcb[ADDRTOT_BUF]
+						, pb[ADDRTOT_BUF];
+
+					addrtot(&b->our_client, 0, ocb, sizeof(ocb));
+					addrtot(&b->peer_client, 0, pcb, sizeof(pcb));
+					passert(id_is_ipaddr(&ac->gateways_from_dns->gw_id));
+					addrtot(&ac->gateways_from_dns->gw_id.ip_addr, 0, pb, sizeof(pb));
+					loglog(RC_OPPOFAILURE
+						, "no suitable connection for opportunism"
+						  " between %s and %s with %s as peer"
+						, ocb, pcb, pb);
 
 #ifdef KLIPS
-		    if (b->held)
-		    {
-			/* Replace HOLD with PASS.
-			 * The type of replacement *ought* to be
-			 * specified by policy.
-			 */
-			(void) replace_bare_shunt(&b->our_client, &b->peer_client
-			    , BOTTOM_PRIO
-			    , SPI_PASS	/* fail into PASS */
-			    , TRUE, b->transport_proto
-			    , "no suitable connection");
-		    }
+					if (b->held)
+					{
+						/* Replace HOLD with PASS.
+						 * The type of replacement *ought* to be
+						 * specified by policy.
+						 */
+						(void) replace_bare_shunt(&b->our_client, &b->peer_client
+							, BOTTOM_PRIO
+							, SPI_PASS  /* fail into PASS */
+							, TRUE, b->transport_proto
+							, "no suitable connection");
+					}
 #endif
-		}
-		else
-		{
-		    /* If we are to proceed asynchronously, b->whackfd will be NULL_FD. */
-		    passert(c->kind == CK_INSTANCE);
-		    passert(c->gw_info != NULL);
-		    passert(HAS_IPSEC_POLICY(c->policy));
-		    passert(LHAS(LELEM(RT_UNROUTED) | LELEM(RT_ROUTED_PROSPECTIVE), c->spd.routing));
+				}
+				else
+				{
+					/* If we are to proceed asynchronously, b->whackfd will be NULL_FD. */
+					passert(c->kind == CK_INSTANCE);
+					passert(c->gw_info != NULL);
+					passert(HAS_IPSEC_POLICY(c->policy));
+					passert(LHAS(LELEM(RT_UNROUTED) | LELEM(RT_ROUTED_PROSPECTIVE), c->spd.routing));
 #ifdef KLIPS
-		    if (b->held)
-		    {
-			/* what should we do on failure? */
-			(void) assign_hold(c, &c->spd
-					   , b->transport_proto
-					   , &b->our_client, &b->peer_client);
-		    }
+					if (b->held)
+					{
+						/* what should we do on failure? */
+						(void) assign_hold(c, &c->spd
+										   , b->transport_proto
+										   , &b->our_client, &b->peer_client);
+					}
 #endif
-		    c->gw_info->key->last_tried_time = now();
-		    ipsecdoi_initiate(b->whackfd, c, c->policy, 1, SOS_NOBODY);
-		    b->whackfd = NULL_FD;	/* protect from close */
-		}
-	    }
-	    break;
+					c->gw_info->key->last_tried_time = now();
+					ipsecdoi_initiate(b->whackfd, c, c->policy, 1, SOS_NOBODY);
+					b->whackfd = NULL_FD;       /* protect from close */
+				}
+			}
+			break;
 
-	default:
-	    bad_case(b->step);
-	}
+		default:
+			bad_case(b->step);
+		}
 
-	/* the second chunk: initiate the next DNS query (if any) */
-	DBG(DBG_CONTROL,
-	{
-	    char ours[ADDRTOT_BUF];
-	    char his[ADDRTOT_BUF];
+		/* the second chunk: initiate the next DNS query (if any) */
+		DBG(DBG_CONTROL,
+		{
+			char ours[ADDRTOT_BUF];
+			char his[ADDRTOT_BUF];
 
-	    addrtot(&b->our_client, 0, ours, sizeof(ours));
-	    addrtot(&b->peer_client, 0, his, sizeof(his));
-	    DBG_log("initiate on demand from %s to %s new state: %s with ugh: %s"
-		    , ours, his, oppo_step_name[b->step], ugh ? ugh : "ok");
-	});
+			addrtot(&b->our_client, 0, ours, sizeof(ours));
+			addrtot(&b->peer_client, 0, his, sizeof(his));
+			DBG_log("initiate on demand from %s to %s new state: %s with ugh: %s"
+					, ours, his, oppo_step_name[b->step], ugh ? ugh : "ok");
+		});
 
-	if (ugh != NULL)
-	{
-	    b->policy_prio = c->prio;
-	    b->failure_shunt = shunt_policy_spi(c, FALSE);
-	    cannot_oppo(c, b, ugh);
-	}
-	else if (next_step == fos_done)
-	{
-	    /* nothing to do */
-	}
-	else
-	{
-	    /* set up the next query */
-	    struct find_oppo_continuation *cr = alloc_thing(struct find_oppo_continuation
-		, "opportunistic continuation");
-	    struct id id;
-
-	    b->policy_prio = c->prio;
-	    b->failure_shunt = shunt_policy_spi(c, FALSE);
-	    cr->b = *b;	/* copy; start hand off of whackfd */
-	    cr->b.failure_ok = FALSE;
-	    cr->b.step = next_step;
-
-	    for (sr = &c->spd
-	    ; sr!=NULL && !sameaddr(&sr->this.host_addr, &b->our_client)
-	    ; sr = sr->next)
-		;
-
-	    if (sr == NULL)
-		sr = &c->spd;
-
-	    /* If a %hold shunt has replaced the eroute for this template,
-	     * record this fact.
-	     */
-	    if (b->held
-	    && sr->routing == RT_ROUTED_PROSPECTIVE && eclipsable(sr))
-	    {
-		sr->routing = RT_ROUTED_ECLIPSED;
-		eclipse_count++;
-	    }
-
-	    /* Switch to issue next query.
-	     * A case may turn out to be unnecessary.  If so, it falls
-	     * through to the next case.
-	     * Figuring out what %myid can stand for must be done before
-	     * our client credentials are looked up: we must know what
-	     * the client credentials may use to identify us.
-	     * On the other hand, our own credentials should be looked
-	     * up after our clients in case our credentials are not
-	     * needed at all.
-	     * XXX this is a wasted effort if we don't have credentials
-	     * BUT they are not needed.
-	     */
-	    switch (next_step)
-	    {
-	    case fos_myid_ip_txt:
-		if (c->spd.this.id.kind == ID_MYID
-		&& myid_state != MYID_SPECIFIED)
+		if (ugh != NULL)
 		{
-		    cr->b.failure_ok = TRUE;
-		    cr->b.want = b->want = "TXT record for IP address as %myid";
-		    ugh = start_adns_query(&myids[MYID_IP]
-			, &myids[MYID_IP]
-			, T_TXT
-			, continue_oppo
-			, &cr->ac);
-		    break;
+			b->policy_prio = c->prio;
+			b->failure_shunt = shunt_policy_spi(c, FALSE);
+			cannot_oppo(c, b, ugh);
 		}
-		cr->b.step = fos_myid_hostname_txt;
-		/* fall through */
-
-	    case fos_myid_hostname_txt:
-		if (c->spd.this.id.kind == ID_MYID
-		&& myid_state != MYID_SPECIFIED)
+		else if (next_step == fos_done)
+		{
+			/* nothing to do */
+		}
+		else
 		{
+			/* set up the next query */
+			struct find_oppo_continuation *cr = malloc_thing(struct find_oppo_continuation);
+			struct id id;
+
+			b->policy_prio = c->prio;
+			b->failure_shunt = shunt_policy_spi(c, FALSE);
+			cr->b = *b; /* copy; start hand off of whackfd */
+			cr->b.failure_ok = FALSE;
+			cr->b.step = next_step;
+
+			for (sr = &c->spd
+			; sr!=NULL && !sameaddr(&sr->this.host_addr, &b->our_client)
+			; sr = sr->next)
+				;
+
+			if (sr == NULL)
+				sr = &c->spd;
+
+			/* If a %hold shunt has replaced the eroute for this template,
+			 * record this fact.
+			 */
+			if (b->held
+			&& sr->routing == RT_ROUTED_PROSPECTIVE && eclipsable(sr))
+			{
+				sr->routing = RT_ROUTED_ECLIPSED;
+				eclipse_count++;
+			}
+
+			/* Switch to issue next query.
+			 * A case may turn out to be unnecessary.  If so, it falls
+			 * through to the next case.
+			 * Figuring out what %myid can stand for must be done before
+			 * our client credentials are looked up: we must know what
+			 * the client credentials may use to identify us.
+			 * On the other hand, our own credentials should be looked
+			 * up after our clients in case our credentials are not
+			 * needed at all.
+			 * XXX this is a wasted effort if we don't have credentials
+			 * BUT they are not needed.
+			 */
+			switch (next_step)
+			{
+			case fos_myid_ip_txt:
+				if (c->spd.this.id.kind == ID_MYID
+				&& myid_state != MYID_SPECIFIED)
+				{
+					cr->b.failure_ok = TRUE;
+					cr->b.want = b->want = "TXT record for IP address as %myid";
+					ugh = start_adns_query(&myids[MYID_IP]
+						, &myids[MYID_IP]
+						, T_TXT
+						, continue_oppo
+						, &cr->ac);
+					break;
+				}
+				cr->b.step = fos_myid_hostname_txt;
+				/* fall through */
+
+			case fos_myid_hostname_txt:
+				if (c->spd.this.id.kind == ID_MYID
+				&& myid_state != MYID_SPECIFIED)
+				{
 #ifdef USE_KEYRR
-		    cr->b.failure_ok = TRUE;
+					cr->b.failure_ok = TRUE;
 #else
-		    cr->b.failure_ok = FALSE;
+					cr->b.failure_ok = FALSE;
 #endif
-		    cr->b.want = b->want = "TXT record for hostname as %myid";
-		    ugh = start_adns_query(&myids[MYID_HOSTNAME]
-			, &myids[MYID_HOSTNAME]
-			, T_TXT
-			, continue_oppo
-			, &cr->ac);
-		    break;
-		}
+					cr->b.want = b->want = "TXT record for hostname as %myid";
+					ugh = start_adns_query(&myids[MYID_HOSTNAME]
+						, &myids[MYID_HOSTNAME]
+						, T_TXT
+						, continue_oppo
+						, &cr->ac);
+					break;
+				}
 
 #ifdef USE_KEYRR
-		cr->b.step = fos_myid_ip_key;
-		/* fall through */
-
-	    case fos_myid_ip_key:
-		if (c->spd.this.id.kind == ID_MYID
-		&& myid_state != MYID_SPECIFIED)
-		{
-		    cr->b.failure_ok = TRUE;
-		    cr->b.want = b->want = "KEY record for IP address as %myid (no good TXT)";
-		    ugh = start_adns_query(&myids[MYID_IP]
-			, (const struct id *) NULL	/* security gateway meaningless */
-			, T_KEY
-			, continue_oppo
-			, &cr->ac);
-		    break;
-		}
-		cr->b.step = fos_myid_hostname_key;
-		/* fall through */
-
-	    case fos_myid_hostname_key:
-		if (c->spd.this.id.kind == ID_MYID
-		&& myid_state != MYID_SPECIFIED)
-		{
-		    cr->b.failure_ok = FALSE;           /* last attempt! */
-		    cr->b.want = b->want = "KEY record for hostname as %myid (no good TXT)";
-		    ugh = start_adns_query(&myids[MYID_HOSTNAME]
-			, (const struct id *) NULL	/* security gateway meaningless */
-			, T_KEY
-			, continue_oppo
-			, &cr->ac);
-		    break;
-		}
+				cr->b.step = fos_myid_ip_key;
+				/* fall through */
+
+			case fos_myid_ip_key:
+				if (c->spd.this.id.kind == ID_MYID
+				&& myid_state != MYID_SPECIFIED)
+				{
+					cr->b.failure_ok = TRUE;
+					cr->b.want = b->want = "KEY record for IP address as %myid (no good TXT)";
+					ugh = start_adns_query(&myids[MYID_IP]
+						, (const struct id *) NULL      /* security gateway meaningless */
+						, T_KEY
+						, continue_oppo
+						, &cr->ac);
+					break;
+				}
+				cr->b.step = fos_myid_hostname_key;
+				/* fall through */
+
+			case fos_myid_hostname_key:
+				if (c->spd.this.id.kind == ID_MYID
+				&& myid_state != MYID_SPECIFIED)
+				{
+					cr->b.failure_ok = FALSE;           /* last attempt! */
+					cr->b.want = b->want = "KEY record for hostname as %myid (no good TXT)";
+					ugh = start_adns_query(&myids[MYID_HOSTNAME]
+						, (const struct id *) NULL      /* security gateway meaningless */
+						, T_KEY
+						, continue_oppo
+						, &cr->ac);
+					break;
+				}
 #endif
-		cr->b.step = fos_our_client;
-		/* fall through */
-
-	    case fos_our_client:	/* TXT for our client */
-		if (!sameaddr(&c->spd.this.host_addr, &b->our_client))
-		{
-		    /* Check that at least one TXT(reverse(b->our_client)) is workable.
-		     * Note: {unshare|free}_id_content not needed for id: ephemeral.
-		     */
-		    cr->b.want = b->want = "our client's TXT record";
-		    iptoid(&b->our_client, &id);
-		    ugh = start_adns_query(&id
-			, &c->spd.this.id	/* we are the security gateway */
-			, T_TXT
-			, continue_oppo
-			, &cr->ac);
-		    break;
-		}
-		cr->b.step = fos_our_txt;
-		/* fall through */
-
-	    case fos_our_txt:	/* TXT for us */
-		cr->b.failure_ok = b->failure_ok = TRUE;
-		cr->b.want = b->want = "our TXT record";
-		ugh = start_adns_query(&sr->this.id
-		    , &sr->this.id	       /* we are the security gateway XXX - maybe ignore? mcr */
-		    , T_TXT
-		    , continue_oppo
-		    , &cr->ac);
-		break;
+				cr->b.step = fos_our_client;
+				/* fall through */
+
+			case fos_our_client:        /* TXT for our client */
+				if (!sameaddr(&c->spd.this.host_addr, &b->our_client))
+				{
+					/* Check that at least one TXT(reverse(b->our_client)) is workable.
+					 * Note: {unshare|free}_id_content not needed for id: ephemeral.
+					 */
+					cr->b.want = b->want = "our client's TXT record";
+					iptoid(&b->our_client, &id);
+					ugh = start_adns_query(&id
+						, &c->spd.this.id       /* we are the security gateway */
+						, T_TXT
+						, continue_oppo
+						, &cr->ac);
+					break;
+				}
+				cr->b.step = fos_our_txt;
+				/* fall through */
+
+			case fos_our_txt:   /* TXT for us */
+				cr->b.failure_ok = b->failure_ok = TRUE;
+				cr->b.want = b->want = "our TXT record";
+				ugh = start_adns_query(&sr->this.id
+					, &sr->this.id             /* we are the security gateway XXX - maybe ignore? mcr */
+					, T_TXT
+					, continue_oppo
+					, &cr->ac);
+				break;
 
 #ifdef USE_KEYRR
-	    case fos_our_key:	/* KEY for us */
-		cr->b.want = b->want = "our KEY record";
-		cr->b.failure_ok = b->failure_ok = FALSE;
-		ugh = start_adns_query(&sr->this.id
-		    , (const struct id *) NULL	/* security gateway meaningless */
-		    , T_KEY
-		    , continue_oppo
-		    , &cr->ac);
-		break;
+			case fos_our_key:   /* KEY for us */
+				cr->b.want = b->want = "our KEY record";
+				cr->b.failure_ok = b->failure_ok = FALSE;
+				ugh = start_adns_query(&sr->this.id
+					, (const struct id *) NULL  /* security gateway meaningless */
+					, T_KEY
+					, continue_oppo
+					, &cr->ac);
+				break;
 #endif /* USE_KEYRR */
 
-	    case fos_his_client:	/* TXT for his client */
-		/* note: {unshare|free}_id_content not needed for id: ephemeral */
-		cr->b.want = b->want = "target's TXT record";
-		cr->b.failure_ok = b->failure_ok = FALSE;
-		iptoid(&b->peer_client, &id);
-		ugh = start_adns_query(&id
-		    , (const struct id *) NULL	/* security gateway unconstrained */
-		    , T_TXT
-		    , continue_oppo
-		    , &cr->ac);
-		break;
-
-	    default:
-		bad_case(next_step);
-	    }
+			case fos_his_client:        /* TXT for his client */
+				/* note: {unshare|free}_id_content not needed for id: ephemeral */
+				cr->b.want = b->want = "target's TXT record";
+				cr->b.failure_ok = b->failure_ok = FALSE;
+				iptoid(&b->peer_client, &id);
+				ugh = start_adns_query(&id
+					, (const struct id *) NULL  /* security gateway unconstrained */
+					, T_TXT
+					, continue_oppo
+					, &cr->ac);
+				break;
+
+			default:
+				bad_case(next_step);
+			}
 
-	    if (ugh == NULL)
-		b->whackfd = NULL_FD;	/* complete hand-off */
-	    else
-		cannot_oppo(c, b, ugh);
+			if (ugh == NULL)
+				b->whackfd = NULL_FD;   /* complete hand-off */
+			else
+				cannot_oppo(c, b, ugh);
+		}
 	}
-    }
-    close_any(b->whackfd);
+	close_any(b->whackfd);
 }
 
 void
 terminate_connection(const char *nm)
 {
-    /* Loop because more than one may match (master and instances)
-     * But at least one is required (enforced by con_by_name).
-     */
-    struct connection *c = con_by_name(nm, TRUE);
-
-    if (c == NULL || !c->ikev1)
-	return;
+	/* Loop because more than one may match (master and instances)
+	 * But at least one is required (enforced by con_by_name).
+	 */
+	struct connection *c = con_by_name(nm, TRUE);
 
-    do
-    {
-	struct connection *n = c->ac_next;  /* grab this before c might disappear */
+	if (c == NULL || !c->ikev1)
+		return;
 
-	if (streq(c->name, nm)
-	&& c->kind >= CK_PERMANENT
-	&& !NEVER_NEGOTIATE(c->policy))
+	do
 	{
-	    set_cur_connection(c);
-	    plog("terminating SAs using this connection");
-	    c->policy &= ~POLICY_UP;
-	    flush_pending_by_connection(c);
-	    delete_states_by_connection(c, FALSE);
-	    if (c->kind == CK_INSTANCE)
-		delete_connection(c, FALSE);
-	    reset_cur_connection();
-	}
-	c = n;
-    } while (c != NULL);
+		struct connection *n = c->ac_next;  /* grab this before c might disappear */
+
+		if (streq(c->name, nm)
+		&& c->kind >= CK_PERMANENT
+		&& !NEVER_NEGOTIATE(c->policy))
+		{
+			set_cur_connection(c);
+			plog("terminating SAs using this connection");
+			c->policy &= ~POLICY_UP;
+			flush_pending_by_connection(c);
+			delete_states_by_connection(c, FALSE);
+			if (c->kind == CK_INSTANCE)
+				delete_connection(c, FALSE);
+			reset_cur_connection();
+		}
+		c = n;
+	} while (c != NULL);
 }
 
 /* an ISAKMP SA has been established.
  * Note the serial number, and release any connections with
  * the same peer ID but different peer IP address.
  */
-bool uniqueIDs = FALSE;	/* --uniqueids? */
+bool uniqueIDs = FALSE; /* --uniqueids? */
 
 void
 ISAKMP_SA_established(struct connection *c, so_serial_t serial)
 {
-    c->newest_isakmp_sa = serial;
-
-    /* the connection is now oriented so that we are able to determine
-     * whether we are a mode config server with a virtual IP to send.
-     */
-    if (!isanyaddr(&c->spd.that.host_srcip) && !c->spd.that.has_natip)
-	c->spd.that.modecfg = TRUE;
-	
-    if (uniqueIDs)
-    {
-	/* for all connections: if the same Phase 1 IDs are used
-	 * for a different IP address, unorient that connection.
-	 */
-	struct connection *d;
+	c->newest_isakmp_sa = serial;
 
-	for (d = connections; d != NULL; )
+	/* the connection is now oriented so that we are able to determine
+	 * whether we are a mode config server with a virtual IP to send.
+	 */
+	if (!isanyaddr(&c->spd.that.host_srcip) && !c->spd.that.has_natip)
+		c->spd.that.modecfg = TRUE;
+		
+	if (uniqueIDs)
 	{
-	    struct connection *next = d->ac_next;	/* might move underneath us */
-
-	    if (d->kind >= CK_PERMANENT
-	    && same_id(&c->spd.this.id, &d->spd.this.id)
-	    && same_id(&c->spd.that.id, &d->spd.that.id)
-	    && !sameaddr(&c->spd.that.host_addr, &d->spd.that.host_addr))
-	    {
-		release_connection(d, FALSE);
-	    }
-	    d = next;
+		/* for all connections: if the same Phase 1 IDs are used
+		 * for a different IP address, unorient that connection.
+		 */
+		struct connection *d;
+
+		for (d = connections; d != NULL; )
+		{
+			struct connection *next = d->ac_next;       /* might move underneath us */
+
+			if (d->kind >= CK_PERMANENT
+			&& same_id(&c->spd.this.id, &d->spd.this.id)
+			&& same_id(&c->spd.that.id, &d->spd.that.id)
+			&& !sameaddr(&c->spd.that.host_addr, &d->spd.that.host_addr))
+			{
+				release_connection(d, FALSE);
+			}
+			d = next;
+		}
 	}
-    }
 }
 
 /* Find the connection to connection c's peer's client with the
@@ -3056,108 +3048,108 @@ ISAKMP_SA_established(struct connection *c, so_serial_t serial)
  */
 struct connection *
 route_owner(struct connection *c
-	    , struct spd_route **srp
-	    , struct connection **erop
-	    , struct spd_route **esrp)
+			, struct spd_route **srp
+			, struct connection **erop
+			, struct spd_route **esrp)
 {
-    struct connection *d
-	, *best_ro = c
-	, *best_ero = c;
-    struct spd_route *srd, *src;
-    struct spd_route *best_sr, *best_esr;
-    enum routing_t best_routing, best_erouting;
-
-    passert(oriented(*c));
-    best_sr  = NULL;
-    best_esr = NULL;
-    best_routing = c->spd.routing;
-    best_erouting = best_routing;
-
-    for (d = connections; d != NULL; d = d->ac_next)
-    {
-	for (srd = &d->spd; srd; srd = srd->next)
+	struct connection *d
+		, *best_ro = c
+		, *best_ero = c;
+	struct spd_route *srd, *src;
+	struct spd_route *best_sr, *best_esr;
+	enum routing_t best_routing, best_erouting;
+
+	passert(oriented(*c));
+	best_sr  = NULL;
+	best_esr = NULL;
+	best_routing = c->spd.routing;
+	best_erouting = best_routing;
+
+	for (d = connections; d != NULL; d = d->ac_next)
 	{
-	    if (srd->routing == RT_UNROUTED)
-		continue;
-
-	    for (src = &c->spd; src; src=src->next)
-	    {
-		if (!samesubnet(&src->that.client, &srd->that.client))
-		    continue;
-		if (src->that.protocol != srd->that.protocol)
-		    continue;
-		if (src->that.port != srd->that.port)
-		    continue;
-		passert(oriented(*d));
-		if (srd->routing > best_routing)
+		for (srd = &d->spd; srd; srd = srd->next)
 		{
-		    best_ro = d;
-		    best_sr = srd;
-		    best_routing = srd->routing;
-		}
+			if (srd->routing == RT_UNROUTED)
+				continue;
 
-		if (!samesubnet(&src->this.client, &srd->this.client))
-		    continue;
-		if (src->this.protocol != srd->this.protocol)
-		    continue;
-		if (src->this.port != srd->this.port)
-		    continue;
-		if (srd->routing > best_erouting)
-		{
-		    best_ero = d;
-		    best_esr = srd;
-		    best_erouting = srd->routing;
+			for (src = &c->spd; src; src=src->next)
+			{
+				if (!samesubnet(&src->that.client, &srd->that.client))
+					continue;
+				if (src->that.protocol != srd->that.protocol)
+					continue;
+				if (src->that.port != srd->that.port)
+					continue;
+				passert(oriented(*d));
+				if (srd->routing > best_routing)
+				{
+					best_ro = d;
+					best_sr = srd;
+					best_routing = srd->routing;
+				}
+
+				if (!samesubnet(&src->this.client, &srd->this.client))
+					continue;
+				if (src->this.protocol != srd->this.protocol)
+					continue;
+				if (src->this.port != srd->this.port)
+					continue;
+				if (srd->routing > best_erouting)
+				{
+					best_ero = d;
+					best_esr = srd;
+					best_erouting = srd->routing;
+				}
+			}
 		}
-	    }
 	}
-    }
 
-    DBG(DBG_CONTROL,
+	DBG(DBG_CONTROL,
+		{
+			char cib[CONN_INST_BUF];
+			err_t m = builddiag("route owner of \"%s\"%s %s:"
+				, c->name
+				, (fmt_conn_instance(c, cib), cib)
+				, enum_name(&routing_story, c->spd.routing));
+
+			if (!routed(best_ro->spd.routing))
+				m = builddiag("%s NULL", m);
+			else if (best_ro == c)
+				m = builddiag("%s self", m);
+			else
+				m = builddiag("%s \"%s\"%s %s", m
+					, best_ro->name
+					, (fmt_conn_instance(best_ro, cib), cib)
+					, enum_name(&routing_story, best_ro->spd.routing));
+
+			if (erop != NULL)
+			{
+				m = builddiag("%s; eroute owner:", m);
+				if (!erouted(best_ero->spd.routing))
+					m = builddiag("%s NULL", m);
+				else if (best_ero == c)
+					m = builddiag("%s self", m);
+				else
+					m = builddiag("%s \"%s\"%s %s", m
+						, best_ero->name
+						, (fmt_conn_instance(best_ero, cib), cib)
+						, enum_name(&routing_story, best_ero->spd.routing));
+			}
+
+			DBG_log("%s", m);
+		});
+
+	if (erop != NULL)
+		*erop = erouted(best_erouting)? best_ero : NULL;
+
+	if (srp != NULL )
 	{
-	    char cib[CONN_INST_BUF];
-	    err_t m = builddiag("route owner of \"%s\"%s %s:"
-		, c->name
-		, (fmt_conn_instance(c, cib), cib)
-		, enum_name(&routing_story, c->spd.routing));
-
-	    if (!routed(best_ro->spd.routing))
-		m = builddiag("%s NULL", m);
-	    else if (best_ro == c)
-		m = builddiag("%s self", m);
-	    else
-		m = builddiag("%s \"%s\"%s %s", m
-		    , best_ro->name
-		    , (fmt_conn_instance(best_ro, cib), cib)
-		    , enum_name(&routing_story, best_ro->spd.routing));
-
-	    if (erop != NULL)
-	    {
-		m = builddiag("%s; eroute owner:", m);
-		if (!erouted(best_ero->spd.routing))
-		    m = builddiag("%s NULL", m);
-		else if (best_ero == c)
-		    m = builddiag("%s self", m);
-		else
-		    m = builddiag("%s \"%s\"%s %s", m
-			, best_ero->name
-			, (fmt_conn_instance(best_ero, cib), cib)
-			, enum_name(&routing_story, best_ero->spd.routing));
-	    }
-
-	    DBG_log("%s", m);
-	});
-
-    if (erop != NULL)
-	*erop = erouted(best_erouting)? best_ero : NULL;
-
-    if (srp != NULL )
-    {
-	*srp = best_sr;
-	if (esrp != NULL )
-	    *esrp = best_esr;
-    }
-
-    return routed(best_routing)? best_ro : NULL;
+		*srp = best_sr;
+		if (esrp != NULL )
+			*esrp = best_esr;
+	}
+
+	return routed(best_routing)? best_ro : NULL;
 }
 
 /* Find a connection that owns the shunt eroute between subnets.
@@ -3167,20 +3159,20 @@ route_owner(struct connection *c
 struct connection *
 shunt_owner(const ip_subnet *ours, const ip_subnet *his)
 {
-    struct connection *c;
-    struct spd_route *sr;
+	struct connection *c;
+	struct spd_route *sr;
 
-    for (c = connections; c != NULL; c = c->ac_next)
-    {
-	for (sr = &c->spd; sr; sr = sr->next)
+	for (c = connections; c != NULL; c = c->ac_next)
 	{
-	    if (shunt_erouted(sr->routing)
-	    && samesubnet(ours, &sr->this.client)
-	    && samesubnet(his, &sr->that.client))
-		return c;
+		for (sr = &c->spd; sr; sr = sr->next)
+		{
+			if (shunt_erouted(sr->routing)
+			&& samesubnet(ours, &sr->this.client)
+			&& samesubnet(his, &sr->that.client))
+				return c;
+		}
 	}
-    }
-    return NULL;
+	return NULL;
 }
 
 /* Find some connection with this pair of hosts.
@@ -3191,25 +3183,25 @@ struct connection *
 find_host_connection(const ip_address *me, u_int16_t my_port
 , const ip_address *him, u_int16_t his_port, lset_t policy)
 {
-    struct connection *c = find_host_pair_connections(me, my_port, him, his_port);
-
-    if (policy != LEMPTY)
-    {
-	lset_t auth_requested  = policy & POLICY_ID_AUTH_MASK;
+	struct connection *c = find_host_pair_connections(me, my_port, him, his_port);
 
-	/* if we have requirements for the policy,
-	 * choose the first matching connection.
-	 */
-	while (c != NULL)
+	if (policy != LEMPTY)
 	{
-	    if (c->policy & auth_requested)
-	    {
-		break;
-	    }
-	    c = c->hp_next;
+		lset_t auth_requested  = policy & POLICY_ID_AUTH_MASK;
+
+		/* if we have requirements for the policy,
+		 * choose the first matching connection.
+		 */
+		while (c != NULL)
+		{
+			if (c->policy & auth_requested)
+			{
+				break;
+			}
+			c = c->hp_next;
+		}
 	}
-    }
-    return c;
+	return c;
 }
 
 /* given an up-until-now satisfactory connection, find the best connection
@@ -3266,187 +3258,197 @@ find_host_connection(const ip_address *me, u_int16_t my_port
  *
  * In the Initiator case, the particular connection might have been
  * specified by whatever provoked Pluto to initiate.  For example:
- *	whack --initiate connection-name
+ *      whack --initiate connection-name
  * The advantages of switching connections when we're the Initiator seem
  * less important than the disadvantages, so after FreeS/WAN 1.9, we
  * don't do this.
  */
-#define PRIO_NO_MATCH_FOUND	2048
+#define PRIO_NO_MATCH_FOUND     2048
 
 struct connection *
 refine_host_connection(const struct state *st, const struct id *peer_id
 , chunk_t peer_ca)
 {
-    struct connection *c = st->st_connection;
-    struct connection *d;
-    struct connection *best_found = NULL;
-    u_int16_t auth = st->st_oakley.auth;
-    lset_t auth_policy = POLICY_PSK;
-    const chunk_t *psk = NULL;
-    bool wcpip;	/* wildcard Peer IP? */
-    int best_prio = PRIO_NO_MATCH_FOUND;
-    int wildcards, our_pathlen, peer_pathlen;
-
-    if (same_id(&c->spd.that.id, peer_id)
-    && trusted_ca(peer_ca, c->spd.that.ca, &peer_pathlen)
-    && peer_pathlen == 0
-    && match_requested_ca(c->requested_ca, c->spd.this.ca, &our_pathlen)
-    && our_pathlen == 0)
-    {
-	DBG(DBG_CONTROL,
-	    DBG_log("current connection is a full match"
-		    " -- no need to look further");
-	)
-	return c;
-    }
-
-    switch (auth)
-    {
-    case OAKLEY_PRESHARED_KEY:
-	auth_policy = POLICY_PSK;
-	psk = get_preshared_secret(c);
-	/* It should be virtually impossible to fail to find PSK:
-	 * we just used it to decode the current message!
-	 */
-	if (psk == NULL)
-	    return NULL;	/* cannot determine PSK! */
-	break;
-    case XAUTHInitPreShared:
-    case XAUTHRespPreShared:
-	auth_policy = POLICY_XAUTH_PSK;
-	psk = get_preshared_secret(c);
-	if (psk == NULL)
-	    return NULL;	/* cannot determine PSK! */
-	break;
-    case OAKLEY_RSA_SIG:
-	auth_policy = POLICY_RSASIG;
-	break;
-    case XAUTHInitRSA:
-    case XAUTHRespRSA:
-	auth_policy = POLICY_XAUTH_RSASIG;
-	break;
-    default:
-	bad_case(auth);
-    }
-
-    /* The current connection won't do: search for one that will.
-     * First search for one with the same pair of hosts.
-     * If that fails, search for a suitable Road Warrior or Opportunistic
-     * connection (i.e. wildcard peer IP).
-     * We need to match:
-     * - peer_id (slightly complicated by instantiation)
-     * - if PSK auth, the key must not change (we used it to decode message)
-     * - policy-as-used must be acceptable to new connection
-     */
-    d = c->host_pair->connections;
-    for (wcpip = FALSE; ; wcpip = TRUE)
-    {
-	for (; d != NULL; d = d->hp_next)
+	struct connection *c = st->st_connection;
+	struct connection *d;
+	struct connection *best_found = NULL;
+	u_int16_t auth = st->st_oakley.auth;
+	lset_t auth_policy = POLICY_PSK;
+	const chunk_t *psk = NULL;
+	bool wcpip; /* wildcard Peer IP? */
+	int best_prio = PRIO_NO_MATCH_FOUND;
+	int wildcards, our_pathlen, peer_pathlen;
+
+	if (same_id(&c->spd.that.id, peer_id)
+	&& trusted_ca(peer_ca, c->spd.that.ca, &peer_pathlen)
+	&& peer_pathlen == 0
+	&& match_requested_ca(c->requested_ca, c->spd.this.ca, &our_pathlen)
+	&& our_pathlen == 0)
 	{
-	    const char *match_name[] = {"no", "ok"};
-
-	    bool matching_id = match_id(peer_id
-					, &d->spd.that.id, &wildcards);
-	    bool matching_auth = (d->policy & auth_policy) != LEMPTY;
-
-	    bool matching_trust = trusted_ca(peer_ca
-					, d->spd.that.ca, &peer_pathlen);
-	    bool matching_request = match_requested_ca(c->requested_ca
-					, d->spd.this.ca, &our_pathlen);
-	    bool match = matching_id && matching_auth && matching_trust;
-
-	    int prio = (MAX_WILDCARDS + 1) * !matching_request + wildcards;
-
-	    prio = (MAX_CA_PATH_LEN + 1) * prio + peer_pathlen;
-	    prio = (MAX_CA_PATH_LEN + 1) * prio + our_pathlen;
-
-	    DBG(DBG_CONTROLMORE,
-		DBG_log("%s: %s match (id: %s, auth: %s, trust: %s, request: %s, prio: %4d)"
-		    , d->name
-		    , match ? "full":" no"
-		    , match_name[matching_id]
-		    , match_name[matching_auth]
-		    , match_name[matching_trust]
-		    , match_name[matching_request]
-		    , match ? prio:PRIO_NO_MATCH_FOUND)
-	    )
-
-	    /* do we have a match? */
-	    if (!match)
-		continue;
-
-	    /* ignore group connections */
-	    if (d->policy & POLICY_GROUP)
-		continue;
-
-	    if (c->spd.that.host_port != d->spd.that.host_port
-	    && d->kind == CK_INSTANCE)
-	    {
-		continue;
-	    }
-
-	    switch (auth)
-	    {
-	    case OAKLEY_PRESHARED_KEY:
-	    case XAUTHInitPreShared:
-	    case XAUTHRespPreShared:
-		/* secret must match the one we already used */
-		{
-		    const chunk_t *dpsk = get_preshared_secret(d);
-
-		    if (dpsk == NULL)
-			continue;	/* no secret */
+		DBG(DBG_CONTROL,
+			DBG_log("current connection is a full match"
+					" -- no need to look further");
+		)
+		return c;
+	}
 
-		    if (psk != dpsk)
-			if (psk->len != dpsk->len
-			|| memcmp(psk->ptr, dpsk->ptr, psk->len) != 0)
-			    continue;	/* different secret */
+	switch (auth)
+	{
+	case OAKLEY_PRESHARED_KEY:
+		auth_policy = POLICY_PSK;
+		psk = get_preshared_secret(c);
+		/* It should be virtually impossible to fail to find PSK:
+		 * we just used it to decode the current message!
+		 */
+		if (psk == NULL)
+		{
+			return NULL;        /* cannot determine PSK! */
 		}
 		break;
-
-	    case OAKLEY_RSA_SIG:
-	    case XAUTHInitRSA:
-	    case XAUTHRespRSA:
-		/*
-		 * We must at least be able to find our private key
-		.*/
- 		if (d->spd.this.sc == NULL		/* no smartcard */
-		&& get_RSA_private_key(d) == NULL)	/* no private key */
-		    continue;
+	case XAUTHInitPreShared:
+	case XAUTHRespPreShared:
+		auth_policy = POLICY_XAUTH_PSK;
+		psk = get_preshared_secret(c);
+		if (psk == NULL)
+		{
+			return NULL;        /* cannot determine PSK! */
+		}
 		break;
-
-	    default:
+	case OAKLEY_RSA_SIG:
+	case OAKLEY_ECDSA_256:
+	case OAKLEY_ECDSA_384:
+	case OAKLEY_ECDSA_521:
+		auth_policy = POLICY_PUBKEY;
+		break;
+	case XAUTHInitRSA:
+	case XAUTHRespRSA:
+		auth_policy = POLICY_XAUTH_RSASIG;
+		break;
+	default:
 		bad_case(auth);
-	    }
-
-	    /* d has passed all the tests.
-	     * We'll go with it if the Peer ID was an exact match.
-	     */
-	    if (prio == 0)
-	    {
-		return d;
-	    }
-
-	    /* We'll remember it as best_found in case an exact
-	     * match doesn't come along.
-	     */
-	    if (prio < best_prio)
-	    {
-		best_found = d;
-		best_prio = prio;
-	    }
 	}
-	if (wcpip)
-	    return best_found;	/* been around twice already */
 
-	/* Starting second time around.
-	 * We're willing to settle for a connection that needs Peer IP
-	 * instantiated: Road Warrior or Opportunistic.
-	 * Look on list of connections for host pair with wildcard Peer IP
+	/* The current connection won't do: search for one that will.
+	 * First search for one with the same pair of hosts.
+	 * If that fails, search for a suitable Road Warrior or Opportunistic
+	 * connection (i.e. wildcard peer IP).
+	 * We need to match:
+	 * - peer_id (slightly complicated by instantiation)
+	 * - if PSK auth, the key must not change (we used it to decode message)
+	 * - policy-as-used must be acceptable to new connection
 	 */
-	d = find_host_pair_connections(&c->spd.this.host_addr, c->spd.this.host_port
-	    , (ip_address *)NULL, c->spd.that.host_port);
-    }
+	d = c->host_pair->connections;
+	for (wcpip = FALSE; ; wcpip = TRUE)
+	{
+		for (; d != NULL; d = d->hp_next)
+		{
+			const char *match_name[] = {"no", "ok"};
+
+			bool matching_id = match_id(peer_id
+										, &d->spd.that.id, &wildcards);
+			bool matching_auth = (d->policy & auth_policy) != LEMPTY;
+
+			bool matching_trust = trusted_ca(peer_ca
+										, d->spd.that.ca, &peer_pathlen);
+			bool matching_request = match_requested_ca(c->requested_ca
+										, d->spd.this.ca, &our_pathlen);
+			bool match = matching_id && matching_auth && matching_trust;
+
+			int prio = (MAX_WILDCARDS + 1) * !matching_request + wildcards;
+
+			prio = (MAX_CA_PATH_LEN + 1) * prio + peer_pathlen;
+			prio = (MAX_CA_PATH_LEN + 1) * prio + our_pathlen;
+
+			DBG(DBG_CONTROLMORE,
+				DBG_log("%s: %s match (id: %s, auth: %s, trust: %s, request: %s, prio: %4d)"
+					, d->name
+					, match ? "full":" no"
+					, match_name[matching_id]
+					, match_name[matching_auth]
+					, match_name[matching_trust]
+					, match_name[matching_request]
+					, match ? prio:PRIO_NO_MATCH_FOUND)
+			)
+
+			/* do we have a match? */
+			if (!match)
+				continue;
+
+			/* ignore group connections */
+			if (d->policy & POLICY_GROUP)
+				continue;
+
+			if (c->spd.that.host_port != d->spd.that.host_port
+			&& d->kind == CK_INSTANCE)
+			{
+				continue;
+			}
+
+			switch (auth)
+			{
+			case OAKLEY_PRESHARED_KEY:
+			case XAUTHInitPreShared:
+			case XAUTHRespPreShared:
+				/* secret must match the one we already used */
+				{
+					const chunk_t *dpsk = get_preshared_secret(d);
+
+					if (dpsk == NULL)
+						continue;       /* no secret */
+
+					if (psk != dpsk)
+						if (psk->len != dpsk->len
+						|| memcmp(psk->ptr, dpsk->ptr, psk->len) != 0)
+							continue;   /* different secret */
+				}
+				break;
+
+			case OAKLEY_RSA_SIG:
+			case OAKLEY_ECDSA_256:
+			case OAKLEY_ECDSA_384:
+			case OAKLEY_ECDSA_521:
+			case XAUTHInitRSA:
+			case XAUTHRespRSA:
+				/*
+				 * We must at least be able to find our private key
+				.*/
+				if (d->spd.this.sc == NULL              /* no smartcard */
+				&& get_private_key(d) == NULL)      /* no private key */
+					continue;
+				break;
+
+			default:
+				bad_case(auth);
+			}
+
+			/* d has passed all the tests.
+			 * We'll go with it if the Peer ID was an exact match.
+			 */
+			if (prio == 0)
+			{
+				return d;
+			}
+
+			/* We'll remember it as best_found in case an exact
+			 * match doesn't come along.
+			 */
+			if (prio < best_prio)
+			{
+				best_found = d;
+				best_prio = prio;
+			}
+		}
+		if (wcpip)
+			return best_found;  /* been around twice already */
+
+		/* Starting second time around.
+		 * We're willing to settle for a connection that needs Peer IP
+		 * instantiated: Road Warrior or Opportunistic.
+		 * Look on list of connections for host pair with wildcard Peer IP
+		 */
+		d = find_host_pair_connections(&c->spd.this.host_addr, c->spd.this.host_port
+			, (ip_address *)NULL, c->spd.that.host_port);
+	}
 }
 
 /**
@@ -3456,35 +3458,35 @@ refine_host_connection(const struct state *st, const struct id *peer_id
 static bool
 is_virtual_net_used(const ip_subnet *peer_net, const struct id *peer_id)
 {
-    struct connection *d;
+	struct connection *d;
 
-    for (d = connections; d != NULL; d = d->ac_next)
-    {
-	switch (d->kind)
+	for (d = connections; d != NULL; d = d->ac_next)
 	{
-	case CK_PERMANENT:
-	case CK_INSTANCE:
-	    if ((subnetinsubnet(peer_net,&d->spd.that.client) ||
-		 subnetinsubnet(&d->spd.that.client,peer_net))
-	    && !same_id(&d->spd.that.id, peer_id))
-	    {
-		char buf[BUF_LEN];
-		char client[SUBNETTOT_BUF];
-
-		subnettot(peer_net, 0, client, sizeof(client));
-		idtoa(&d->spd.that.id, buf, sizeof(buf));
-		plog("Virtual IP %s is already used by '%s'", client, buf);
-		idtoa(peer_id, buf, sizeof(buf));
-		plog("Your ID is '%s'", buf);
-		return TRUE; /* already used by another one */
-	    }
-	    break;
-	case CK_GOING_AWAY:
-	default:
-	break;
+		switch (d->kind)
+		{
+		case CK_PERMANENT:
+		case CK_INSTANCE:
+			if ((subnetinsubnet(peer_net,&d->spd.that.client) ||
+				 subnetinsubnet(&d->spd.that.client,peer_net))
+			&& !same_id(&d->spd.that.id, peer_id))
+			{
+				char buf[BUF_LEN];
+				char client[SUBNETTOT_BUF];
+
+				subnettot(peer_net, 0, client, sizeof(client));
+				idtoa(&d->spd.that.id, buf, sizeof(buf));
+				plog("Virtual IP %s is already used by '%s'", client, buf);
+				idtoa(peer_id, buf, sizeof(buf));
+				plog("Your ID is '%s'", buf);
+				return TRUE; /* already used by another one */
+			}
+			break;
+		case CK_GOING_AWAY:
+		default:
+		break;
+		}
 	}
-    }
-    return FALSE; /* you can safely use it */
+	return FALSE; /* you can safely use it */
 }
 
 /* find_client_connection: given a connection suitable for ISAKMP
@@ -3512,9 +3514,9 @@ is_virtual_net_used(const ip_subnet *peer_net, const struct id *peer_id)
  * instantiation.  They are the IDs that have been authenticated.
  */
 
-#define PATH_WEIGHT	1
-#define WILD_WEIGHT	(MAX_CA_PATH_LEN+1)
-#define PRIO_WEIGHT	(MAX_WILDCARDS+1)*WILD_WEIGHT
+#define PATH_WEIGHT     1
+#define WILD_WEIGHT     (MAX_CA_PATH_LEN+1)
+#define PRIO_WEIGHT     (MAX_WILDCARDS+1)*WILD_WEIGHT
 
 /* fc_try: a helper function for find_client_connection */
 static struct connection *
@@ -3530,121 +3532,121 @@ fc_try(const struct connection *c
 , chunk_t peer_ca
 , const ietfAttrList_t *peer_list)
 {
-    struct connection *d;
-    struct connection *best = NULL;
-    policy_prio_t best_prio = BOTTOM_PRIO;
-    int wildcards, pathlen;
-
-    const bool peer_net_is_host = subnetisaddr(peer_net, &c->spd.that.host_addr);
-
-    for (d = hp->connections; d != NULL; d = d->hp_next)
-    {
-	struct spd_route *sr;
+	struct connection *d;
+	struct connection *best = NULL;
+	policy_prio_t best_prio = BOTTOM_PRIO;
+	int wildcards, pathlen;
 
-	if (d->policy & POLICY_GROUP)
-	    continue;
-
-	if (!(same_id(&c->spd.this.id, &d->spd.this.id)
-	&& match_id(&c->spd.that.id, &d->spd.that.id, &wildcards)
-	&& trusted_ca(peer_ca, d->spd.that.ca, &pathlen)
-	&& group_membership(peer_list, d->name, d->spd.that.groups)))
-	    continue;
-
-    	/* compare protocol and ports */
-	if (d->spd.this.protocol != our_protocol
-	||  d->spd.this.port != our_port
-	||  d->spd.that.protocol != peer_protocol
-	|| (d->spd.that.port != peer_port && !d->spd.that.has_port_wildcard))
-	    continue;
-
-	/* non-Opportunistic case:
-	 * our_client must match.
-	 *
-	 * So must peer_client, but the testing is complicated
-	 * by the fact that the peer might be a wildcard
-	 * and if so, the default value of that.client
-	 * won't match the default peer_net.  The appropriate test:
-	 *
-	 * If d has a peer client, it must match peer_net.
-	 * If d has no peer client, peer_net must just have peer itself.
-	 */
+	const bool peer_net_is_host = subnetisaddr(peer_net, &c->spd.that.host_addr);
 
-	for (sr = &d->spd; best != d && sr != NULL; sr = sr->next)
+	for (d = hp->connections; d != NULL; d = d->hp_next)
 	{
-	    policy_prio_t prio;
-#ifdef DEBUG
-	    if (DBGP(DBG_CONTROLMORE))
-	    {
-		char s1[SUBNETTOT_BUF],d1[SUBNETTOT_BUF];
-		char s3[SUBNETTOT_BUF],d3[SUBNETTOT_BUF];
+		struct spd_route *sr;
 
-		subnettot(our_net,  0, s1, sizeof(s1));
-		subnettot(peer_net, 0, d1, sizeof(d1));
-		subnettot(&sr->this.client,  0, s3, sizeof(s3));
-		subnettot(&sr->that.client,  0, d3, sizeof(d3));
-		DBG_log("  fc_try trying "
-			"%s:%s:%d/%d -> %s:%d/%d vs %s:%s:%d/%d -> %s:%d/%d"
-			, c->name, s1, c->spd.this.protocol, c->spd.this.port
-				 , d1, c->spd.that.protocol, c->spd.that.port
-			, d->name, s3, sr->this.protocol, sr->this.port
-				 , d3, sr->that.protocol, sr->that.port);
-	    }
-#endif /* DEBUG */
+		if (d->policy & POLICY_GROUP)
+			continue;
 
-	    if (!samesubnet(&sr->this.client, our_net))
-		continue;
+		if (!(same_id(&c->spd.this.id, &d->spd.this.id)
+		&& match_id(&c->spd.that.id, &d->spd.that.id, &wildcards)
+		&& trusted_ca(peer_ca, d->spd.that.ca, &pathlen)
+		&& group_membership(peer_list, d->name, d->spd.that.groups)))
+			continue;
 
-	    if (sr->that.has_client)
-	    {
-		if (sr->that.has_client_wildcard)
-		{
-		    if (!subnetinsubnet(peer_net, &sr->that.client))
+		/* compare protocol and ports */
+		if (d->spd.this.protocol != our_protocol
+		||  d->spd.this.port != our_port
+		||  d->spd.that.protocol != peer_protocol
+		|| (d->spd.that.port != peer_port && !d->spd.that.has_port_wildcard))
 			continue;
-		}
-		else
+
+		/* non-Opportunistic case:
+		 * our_client must match.
+		 *
+		 * So must peer_client, but the testing is complicated
+		 * by the fact that the peer might be a wildcard
+		 * and if so, the default value of that.client
+		 * won't match the default peer_net.  The appropriate test:
+		 *
+		 * If d has a peer client, it must match peer_net.
+		 * If d has no peer client, peer_net must just have peer itself.
+		 */
+
+		for (sr = &d->spd; best != d && sr != NULL; sr = sr->next)
 		{
-		    if (!samesubnet(&sr->that.client, peer_net) && !is_virtual_connection(d))
-			continue;
-		    if (is_virtual_connection(d)
-		    && (!is_virtual_net_allowed(d, peer_net, &c->spd.that.host_addr)
-		        || is_virtual_net_used(peer_net, peer_id?peer_id:&c->spd.that.id)))
-			    continue;
+			policy_prio_t prio;
+#ifdef DEBUG
+			if (DBGP(DBG_CONTROLMORE))
+			{
+				char s1[SUBNETTOT_BUF],d1[SUBNETTOT_BUF];
+				char s3[SUBNETTOT_BUF],d3[SUBNETTOT_BUF];
+
+				subnettot(our_net,  0, s1, sizeof(s1));
+				subnettot(peer_net, 0, d1, sizeof(d1));
+				subnettot(&sr->this.client,  0, s3, sizeof(s3));
+				subnettot(&sr->that.client,  0, d3, sizeof(d3));
+				DBG_log("  fc_try trying "
+						"%s:%s:%d/%d -> %s:%d/%d vs %s:%s:%d/%d -> %s:%d/%d"
+						, c->name, s1, c->spd.this.protocol, c->spd.this.port
+								 , d1, c->spd.that.protocol, c->spd.that.port
+						, d->name, s3, sr->this.protocol, sr->this.port
+								 , d3, sr->that.protocol, sr->that.port);
+			}
+#endif /* DEBUG */
+
+			if (!samesubnet(&sr->this.client, our_net))
+				continue;
+
+			if (sr->that.has_client)
+			{
+				if (sr->that.has_client_wildcard)
+				{
+					if (!subnetinsubnet(peer_net, &sr->that.client))
+						continue;
+				}
+				else
+				{
+					if (!samesubnet(&sr->that.client, peer_net) && !is_virtual_connection(d))
+						continue;
+					if (is_virtual_connection(d)
+					&& (!is_virtual_net_allowed(d, peer_net, &c->spd.that.host_addr)
+						|| is_virtual_net_used(peer_net, peer_id?peer_id:&c->spd.that.id)))
+							continue;
+				}
+			}
+			else
+			{
+				if (!peer_net_is_host)
+					continue;
+			}
+
+			/* We've run the gauntlet -- success:
+			 * We've got an exact match of subnets.
+			 * The connection is feasible, but we continue looking for the best.
+			 * The highest priority wins, implementing eroute-like rule.
+			 * - a routed connection is preferrred
+			 * - given that, the smallest number of ID wildcards are preferred
+			 * - given that, the shortest CA pathlength is preferred
+			 */
+			prio = PRIO_WEIGHT * routed(sr->routing)
+				 + WILD_WEIGHT * (MAX_WILDCARDS - wildcards)
+				 + PATH_WEIGHT * (MAX_CA_PATH_LEN - pathlen)
+				 + 1;
+			if (prio > best_prio)
+			{
+				best = d;
+				best_prio = prio;
+			}
 		}
-	    }
-	    else
-	    {
-		if (!peer_net_is_host)
-		    continue;
-	    }
-
-	    /* We've run the gauntlet -- success:
-	     * We've got an exact match of subnets.
-	     * The connection is feasible, but we continue looking for the best.
-	     * The highest priority wins, implementing eroute-like rule.
-	     * - a routed connection is preferrred
-	     * - given that, the smallest number of ID wildcards are preferred
-	     * - given that, the shortest CA pathlength is preferred
-	     */
-	    prio = PRIO_WEIGHT * routed(sr->routing)
-		 + WILD_WEIGHT * (MAX_WILDCARDS - wildcards)
-		 + PATH_WEIGHT * (MAX_CA_PATH_LEN - pathlen)
-		 + 1;
-	    if (prio > best_prio)
-	    {
-		best = d;
-		best_prio = prio;
-	    }
 	}
-    }
 
-    if (best != NULL && NEVER_NEGOTIATE(best->policy))
-	best = NULL;
+	if (best != NULL && NEVER_NEGOTIATE(best->policy))
+		best = NULL;
 
-    DBG(DBG_CONTROLMORE,
-	DBG_log("  fc_try concluding with %s [%ld]"
-		, (best ? best->name : "none"), best_prio)
-    )
-    return best;
+	DBG(DBG_CONTROLMORE,
+		DBG_log("  fc_try concluding with %s [%ld]"
+				, (best ? best->name : "none"), best_prio)
+	)
+	return best;
 }
 
 static struct connection *
@@ -3659,92 +3661,92 @@ fc_try_oppo(const struct connection *c
 , chunk_t peer_ca
 , const ietfAttrList_t *peer_list)
 {
-    struct connection *d;
-    struct connection *best = NULL;
-    policy_prio_t best_prio = BOTTOM_PRIO;
-    int wildcards, pathlen;
+	struct connection *d;
+	struct connection *best = NULL;
+	policy_prio_t best_prio = BOTTOM_PRIO;
+	int wildcards, pathlen;
 
-    for (d = hp->connections; d != NULL; d = d->hp_next)
-    {
-	struct spd_route *sr;
-	policy_prio_t prio;
-
-	if (d->policy & POLICY_GROUP)
-	    continue;
-
-	if (!(same_id(&c->spd.this.id, &d->spd.this.id)
-	&& match_id(&c->spd.that.id, &d->spd.that.id, &wildcards)
-	&& trusted_ca(peer_ca, d->spd.that.ca, &pathlen)
-	&& group_membership(peer_list, d->name, d->spd.that.groups)))
-	    continue;
-
-	/* compare protocol and ports */
-	if (d->spd.this.protocol != our_protocol
-	||  d->spd.this.port != our_port
-	||  d->spd.that.protocol != peer_protocol
-	|| (d->spd.that.port != peer_port && !d->spd.that.has_port_wildcard))
-	    continue;
-
-	/* Opportunistic case:
-	 * our_net must be inside d->spd.this.client
-	 * and peer_net must be inside d->spd.that.client
-	 * Note: this host_pair chain also has shunt
-	 * eroute conns (clear, drop), but they won't
-	 * be marked as opportunistic.
-	 */
-	for (sr = &d->spd; sr != NULL; sr = sr->next)
+	for (d = hp->connections; d != NULL; d = d->hp_next)
 	{
-#ifdef DEBUG
-	    if (DBGP(DBG_CONTROLMORE))
-	    {
-		char s1[SUBNETTOT_BUF],d1[SUBNETTOT_BUF];
-		char s3[SUBNETTOT_BUF],d3[SUBNETTOT_BUF];
+		struct spd_route *sr;
+		policy_prio_t prio;
 
-		subnettot(our_net,  0, s1, sizeof(s1));
-		subnettot(peer_net, 0, d1, sizeof(d1));
-		subnettot(&sr->this.client,  0, s3, sizeof(s3));
-		subnettot(&sr->that.client,  0, d3, sizeof(d3));
-		DBG_log("  fc_try_oppo trying %s:%s -> %s vs %s:%s -> %s"
-			, c->name, s1, d1, d->name, s3, d3);
-	    }
+		if (d->policy & POLICY_GROUP)
+			continue;
+
+		if (!(same_id(&c->spd.this.id, &d->spd.this.id)
+		&& match_id(&c->spd.that.id, &d->spd.that.id, &wildcards)
+		&& trusted_ca(peer_ca, d->spd.that.ca, &pathlen)
+		&& group_membership(peer_list, d->name, d->spd.that.groups)))
+			continue;
+
+		/* compare protocol and ports */
+		if (d->spd.this.protocol != our_protocol
+		||  d->spd.this.port != our_port
+		||  d->spd.that.protocol != peer_protocol
+		|| (d->spd.that.port != peer_port && !d->spd.that.has_port_wildcard))
+			continue;
+
+		/* Opportunistic case:
+		 * our_net must be inside d->spd.this.client
+		 * and peer_net must be inside d->spd.that.client
+		 * Note: this host_pair chain also has shunt
+		 * eroute conns (clear, drop), but they won't
+		 * be marked as opportunistic.
+		 */
+		for (sr = &d->spd; sr != NULL; sr = sr->next)
+		{
+#ifdef DEBUG
+			if (DBGP(DBG_CONTROLMORE))
+			{
+				char s1[SUBNETTOT_BUF],d1[SUBNETTOT_BUF];
+				char s3[SUBNETTOT_BUF],d3[SUBNETTOT_BUF];
+
+				subnettot(our_net,  0, s1, sizeof(s1));
+				subnettot(peer_net, 0, d1, sizeof(d1));
+				subnettot(&sr->this.client,  0, s3, sizeof(s3));
+				subnettot(&sr->that.client,  0, d3, sizeof(d3));
+				DBG_log("  fc_try_oppo trying %s:%s -> %s vs %s:%s -> %s"
+						, c->name, s1, d1, d->name, s3, d3);
+			}
 #endif /* DEBUG */
 
-	    if (!subnetinsubnet(our_net, &sr->this.client)
-	    || !subnetinsubnet(peer_net, &sr->that.client))
-		continue;
-
-	    /* The connection is feasible, but we continue looking for the best.
-	     * The highest priority wins, implementing eroute-like rule.
-	     * - our smallest client subnet is preferred (longest mask)
-	     * - given that, his smallest client subnet is preferred
-	     * - given that, a routed connection is preferrred
-	     * - given that, the smallest number of ID wildcards are preferred
-	     * - given that, the shortest CA pathlength is preferred
-	     */
-	    prio = PRIO_WEIGHT * (d->prio + routed(sr->routing))
-	    	 + WILD_WEIGHT * (MAX_WILDCARDS - wildcards)
-		 + PATH_WEIGHT * (MAX_CA_PATH_LEN - pathlen);
-	    if (prio > best_prio)
-	    {
-		best = d;
-		best_prio = prio;
-	    }
+			if (!subnetinsubnet(our_net, &sr->this.client)
+			|| !subnetinsubnet(peer_net, &sr->that.client))
+				continue;
+
+			/* The connection is feasible, but we continue looking for the best.
+			 * The highest priority wins, implementing eroute-like rule.
+			 * - our smallest client subnet is preferred (longest mask)
+			 * - given that, his smallest client subnet is preferred
+			 * - given that, a routed connection is preferrred
+			 * - given that, the smallest number of ID wildcards are preferred
+			 * - given that, the shortest CA pathlength is preferred
+			 */
+			prio = PRIO_WEIGHT * (d->prio + routed(sr->routing))
+				 + WILD_WEIGHT * (MAX_WILDCARDS - wildcards)
+				 + PATH_WEIGHT * (MAX_CA_PATH_LEN - pathlen);
+			if (prio > best_prio)
+			{
+				best = d;
+				best_prio = prio;
+			}
+		}
+	}
+
+	/* if the best wasn't opportunistic, we fail: it must be a shunt */
+	if (best != NULL
+	&& (NEVER_NEGOTIATE(best->policy)
+		|| (best->policy & POLICY_OPPO) == LEMPTY))
+	{
+		best = NULL;
 	}
-    }
-
-    /* if the best wasn't opportunistic, we fail: it must be a shunt */
-    if (best != NULL
-    && (NEVER_NEGOTIATE(best->policy)
-	|| (best->policy & POLICY_OPPO) == LEMPTY))
-    {
-	best = NULL;
-    }
-
-    DBG(DBG_CONTROLMORE,
-	DBG_log("  fc_try_oppo concluding with %s [%ld]"
-		, (best ? best->name : "none"), best_prio)
-    )
-    return best;
+
+	DBG(DBG_CONTROLMORE,
+		DBG_log("  fc_try_oppo concluding with %s [%ld]"
+				, (best ? best->name : "none"), best_prio)
+	)
+	return best;
 
 }
 
@@ -3754,28 +3756,28 @@ fc_try_oppo(const struct connection *c
 chunk_t
 get_peer_ca_and_groups(struct connection *c, const ietfAttrList_t **peer_list)
 {
-    struct state *p1st = find_phase1_state(c, ISAKMP_SA_ESTABLISHED_STATES);
-
-    *peer_list = NULL;
+	struct state *p1st = find_phase1_state(c, ISAKMP_SA_ESTABLISHED_STATES);
 
-    if (p1st != NULL
-    &&  p1st->st_peer_pubkey != NULL
-    &&  p1st->st_peer_pubkey->issuer.ptr != NULL)
-    {
-	x509acert_t *ac = get_x509acert(p1st->st_peer_pubkey->issuer
-				      , p1st->st_peer_pubkey->serial);;
+	*peer_list = NULL;
 
-	if (ac != NULL && verify_x509acert(ac, strict_crl_policy))
-	    *peer_list = ac->groups;
-	else
+	if (p1st != NULL
+	&&  p1st->st_peer_pubkey != NULL
+	&&  p1st->st_peer_pubkey->issuer.ptr != NULL)
 	{
-	    DBG(DBG_CONTROL,
-		DBG_log("no valid attribute cert found")
-	    )
+		x509acert_t *ac = get_x509acert(p1st->st_peer_pubkey->issuer
+									  , p1st->st_peer_pubkey->serial);;
+
+		if (ac != NULL && verify_x509acert(ac, strict_crl_policy))
+			*peer_list = ac->groups;
+		else
+		{
+			DBG(DBG_CONTROL,
+				DBG_log("no valid attribute cert found")
+			)
+		}
+		return p1st->st_peer_pubkey->issuer;
 	}
-	return p1st->st_peer_pubkey->issuer;
-    }
-    return empty_chunk;
+	return chunk_empty;
 }
 
 struct connection *
@@ -3784,325 +3786,325 @@ find_client_connection(struct connection *c
 , const u_int8_t our_protocol, const u_int16_t our_port
 , const u_int8_t peer_protocol, const u_int16_t peer_port)
 {
-    struct connection *d;
-    struct spd_route *sr;
+	struct connection *d;
+	struct spd_route *sr;
 
-    const ietfAttrList_t *peer_list = NULL;
-    chunk_t peer_ca = get_peer_ca_and_groups(c, &peer_list);
+	const ietfAttrList_t *peer_list = NULL;
+	chunk_t peer_ca = get_peer_ca_and_groups(c, &peer_list);
 
 #ifdef DEBUG
-    if (DBGP(DBG_CONTROLMORE))
-    {
-	char s1[SUBNETTOT_BUF],d1[SUBNETTOT_BUF];
-
-	subnettot(our_net,  0, s1, sizeof(s1));
-	subnettot(peer_net, 0, d1, sizeof(d1));
-
-	DBG_log("find_client_connection starting with %s"
-	    , (c ? c->name : "(none)"));
-	DBG_log("  looking for %s:%d/%d -> %s:%d/%d"
-	    , s1, our_protocol, our_port
-	    , d1, peer_protocol, peer_port);
-    }
-#endif /* DEBUG */
+	if (DBGP(DBG_CONTROLMORE))
+	{
+		char s1[SUBNETTOT_BUF],d1[SUBNETTOT_BUF];
+
+		subnettot(our_net,  0, s1, sizeof(s1));
+		subnettot(peer_net, 0, d1, sizeof(d1));
 
-    /* give priority to current connection
-     * but even greater priority to a routed concrete connection
-     */
-    {
-	struct connection *unrouted = NULL;
-	int srnum = -1;
+		DBG_log("find_client_connection starting with %s"
+			, (c ? c->name : "(none)"));
+		DBG_log("  looking for %s:%d/%d -> %s:%d/%d"
+			, s1, our_protocol, our_port
+			, d1, peer_protocol, peer_port);
+	}
+#endif /* DEBUG */
 
-	for (sr = &c->spd; unrouted == NULL && sr != NULL; sr = sr->next)
+	/* give priority to current connection
+	 * but even greater priority to a routed concrete connection
+	 */
 	{
-	    srnum++;
+		struct connection *unrouted = NULL;
+		int srnum = -1;
+
+		for (sr = &c->spd; unrouted == NULL && sr != NULL; sr = sr->next)
+		{
+			srnum++;
 
 #ifdef DEBUG
-	    if (DBGP(DBG_CONTROLMORE))
-	    {
-		char s2[SUBNETTOT_BUF],d2[SUBNETTOT_BUF];
-
-		subnettot(&sr->this.client, 0, s2, sizeof(s2));
-		subnettot(&sr->that.client, 0, d2, sizeof(d2));
-		DBG_log("  concrete checking against sr#%d %s -> %s"
-			, srnum, s2, d2);
-	    }
+			if (DBGP(DBG_CONTROLMORE))
+			{
+				char s2[SUBNETTOT_BUF],d2[SUBNETTOT_BUF];
+
+				subnettot(&sr->this.client, 0, s2, sizeof(s2));
+				subnettot(&sr->that.client, 0, d2, sizeof(d2));
+				DBG_log("  concrete checking against sr#%d %s -> %s"
+						, srnum, s2, d2);
+			}
 #endif /* DEBUG */
 
-	    if (samesubnet(&sr->this.client, our_net)
-	    && samesubnet(&sr->that.client, peer_net)
-	    && sr->this.protocol == our_protocol
-	    && sr->this.port == our_port
-	    && sr->that.protocol == peer_protocol
-	    && sr->that.port == peer_port
-	    && group_membership(peer_list, c->name, sr->that.groups))
-	    {
-		passert(oriented(*c));
-		if (routed(sr->routing))
-		    return c;
-
-		unrouted = c;
-	    }
-	}
+			if (samesubnet(&sr->this.client, our_net)
+			&& samesubnet(&sr->that.client, peer_net)
+			&& sr->this.protocol == our_protocol
+			&& sr->this.port == our_port
+			&& sr->that.protocol == peer_protocol
+			&& sr->that.port == peer_port
+			&& group_membership(peer_list, c->name, sr->that.groups))
+			{
+				passert(oriented(*c));
+				if (routed(sr->routing))
+					return c;
 
-	/* exact match? */
-	d = fc_try(c, c->host_pair, NULL, our_net, peer_net
-	    , our_protocol, our_port, peer_protocol, peer_port
-	    , peer_ca, peer_list);
+				unrouted = c;
+			}
+		}
 
-	DBG(DBG_CONTROLMORE,
-	    DBG_log("  fc_try %s gives %s"
-		    , c->name
-		    , (d ? d->name : "none"))
-	)
+		/* exact match? */
+		d = fc_try(c, c->host_pair, NULL, our_net, peer_net
+			, our_protocol, our_port, peer_protocol, peer_port
+			, peer_ca, peer_list);
 
-	if (d == NULL)
-	    d = unrouted;
-    }
+		DBG(DBG_CONTROLMORE,
+			DBG_log("  fc_try %s gives %s"
+					, c->name
+					, (d ? d->name : "none"))
+		)
 
-    if (d == NULL)
-    {
-	/* look for an abstract connection to match */
-	struct spd_route *sr;
-	struct host_pair *hp = NULL;
+		if (d == NULL)
+			d = unrouted;
+	}
 
-	for (sr = &c->spd; hp==NULL && sr != NULL; sr = sr->next)
+	if (d == NULL)
 	{
-	    hp = find_host_pair(&sr->this.host_addr
-				, sr->this.host_port
-				, NULL
-				, sr->that.host_port);
+		/* look for an abstract connection to match */
+		struct spd_route *sr;
+		struct host_pair *hp = NULL;
+
+		for (sr = &c->spd; hp==NULL && sr != NULL; sr = sr->next)
+		{
+			hp = find_host_pair(&sr->this.host_addr
+								, sr->this.host_port
+								, NULL
+								, sr->that.host_port);
 #ifdef DEBUG
-	    if (DBGP(DBG_CONTROLMORE))
-	    {
-		char s2[SUBNETTOT_BUF],d2[SUBNETTOT_BUF];
+			if (DBGP(DBG_CONTROLMORE))
+			{
+				char s2[SUBNETTOT_BUF],d2[SUBNETTOT_BUF];
 
-		subnettot(&sr->this.client, 0, s2, sizeof(s2));
-		subnettot(&sr->that.client, 0, d2, sizeof(d2));
+				subnettot(&sr->this.client, 0, s2, sizeof(s2));
+				subnettot(&sr->that.client, 0, d2, sizeof(d2));
 
-		DBG_log("  checking hostpair %s -> %s is %s"
-			, s2, d2
-			, (hp ? "found" : "not found"));
-	    }
+				DBG_log("  checking hostpair %s -> %s is %s"
+						, s2, d2
+						, (hp ? "found" : "not found"));
+			}
 #endif /* DEBUG */
-	}
+		}
 
-	if (hp != NULL)
-	{
-	    /* RW match with actual peer_id or abstract peer_id? */
-	    d = fc_try(c, hp, NULL, our_net, peer_net
-		, our_protocol, our_port, peer_protocol, peer_port
-		, peer_ca, peer_list);
-
-	    if (d == NULL
-	    && subnetishost(our_net)
-	    && subnetishost(peer_net))
-	    {
-		/* Opportunistic match?
-		 * Always use abstract peer_id.
-		 * Note that later instantiation will result in the same peer_id.
-		 */
-		d = fc_try_oppo(c, hp, our_net, peer_net
-		    , our_protocol, our_port, peer_protocol, peer_port
-		    , peer_ca, peer_list);
-	    }
+		if (hp != NULL)
+		{
+			/* RW match with actual peer_id or abstract peer_id? */
+			d = fc_try(c, hp, NULL, our_net, peer_net
+				, our_protocol, our_port, peer_protocol, peer_port
+				, peer_ca, peer_list);
+
+			if (d == NULL
+			&& subnetishost(our_net)
+			&& subnetishost(peer_net))
+			{
+				/* Opportunistic match?
+				 * Always use abstract peer_id.
+				 * Note that later instantiation will result in the same peer_id.
+				 */
+				d = fc_try_oppo(c, hp, our_net, peer_net
+					, our_protocol, our_port, peer_protocol, peer_port
+					, peer_ca, peer_list);
+			}
+		}
 	}
-    }
 
-    DBG(DBG_CONTROLMORE,
-	DBG_log("  concluding with d = %s"
-		, (d ? d->name : "none"))
-    )
-    return d;
+	DBG(DBG_CONTROLMORE,
+		DBG_log("  concluding with d = %s"
+				, (d ? d->name : "none"))
+	)
+	return d;
 }
 
 int
 connection_compare(const struct connection *ca
 , const struct connection *cb)
 {
-    int ret;
-
-    /* DBG_log("comparing %s to %s", ca->name, cb->name);  */
-
-    ret = strcasecmp(ca->name, cb->name);
-    if (ret != 0)
-	return ret;
-
-    ret = ca->kind - cb->kind;	/* note: enum connection_kind behaves like int */
-    if (ret != 0)
-	return ret;
-
-    /* same name, and same type */
-    switch (ca->kind)
-    {
-    case CK_INSTANCE:
-	return ca->instance_serial < cb->instance_serial ? -1
-	    : ca->instance_serial > cb->instance_serial ? 1
-	    : 0;
-
-    default:
-	return ca->prio < cb->prio ? -1
-	    : ca->prio > cb->prio ? 1
-	    : 0;
-    }
+	int ret;
+
+	/* DBG_log("comparing %s to %s", ca->name, cb->name);  */
+
+	ret = strcasecmp(ca->name, cb->name);
+	if (ret != 0)
+		return ret;
+
+	ret = ca->kind - cb->kind;  /* note: enum connection_kind behaves like int */
+	if (ret != 0)
+		return ret;
+
+	/* same name, and same type */
+	switch (ca->kind)
+	{
+	case CK_INSTANCE:
+		return ca->instance_serial < cb->instance_serial ? -1
+			: ca->instance_serial > cb->instance_serial ? 1
+			: 0;
+
+	default:
+		return ca->prio < cb->prio ? -1
+			: ca->prio > cb->prio ? 1
+			: 0;
+	}
 }
 
 static int
 connection_compare_qsort(const void *a, const void *b)
 {
-    return connection_compare(*(const struct connection *const *)a
-			    , *(const struct connection *const *)b);
+	return connection_compare(*(const struct connection *const *)a
+							, *(const struct connection *const *)b);
 }
 
 void
 show_connections_status(bool all, const char *name)
 {
-    struct connection *c;
-    int count, i;
-    struct connection **array;
-
-    /* make an array of connections, and sort it */
-    count = 0;
-    for (c = connections; c != NULL; c = c->ac_next)
-    {
-	if (c->ikev1 && (name == NULL || streq(c->name, name)))
-	    count++;
-    }
-    array = alloc_bytes(sizeof(struct connection *)*count, "connection array");
-
-    count=0;
-    for (c = connections; c != NULL; c = c->ac_next)
-    {
-	if (c->ikev1 && (name == NULL || streq(c->name, name)))
-	    array[count++]=c;
-    }
-
-    /* sort it! */
-    qsort(array, count, sizeof(struct connection *), connection_compare_qsort);
-
-    for (i = 0; i < count; i++)
-    {
-	const char *ifn;
-	char instance[1 + 10 + 1];
-	char prio[POLICY_PRIO_BUF];
-
-	c = array[i];
-
-	ifn = oriented(*c)? c->interface->rname : "";
-
-	instance[0] = '\0';
-	if (c->kind == CK_INSTANCE && c->instance_serial != 0)
-	    snprintf(instance, sizeof(instance), "[%lu]", c->instance_serial);
-
-	/* show topology */
+	struct connection *c;
+	int count, i;
+	struct connection **array;
+
+	/* make an array of connections, and sort it */
+	count = 0;
+	for (c = connections; c != NULL; c = c->ac_next)
 	{
-	    char topo[CONNECTION_BUF];
-	    struct spd_route *sr = &c->spd;
-	    int num=0;
-
-	    while (sr != NULL)
-	    {
-		(void) format_connection(topo, sizeof(topo), c, sr);
-		whack_log(RC_COMMENT, "\"%s\"%s: %s; %s; eroute owner: #%lu"
-			  , c->name, instance, topo
-			  , enum_name(&routing_story, sr->routing)
-			  , sr->eroute_owner);
-		sr = sr->next;
-		num++;
-	    }
+		if (c->ikev1 && (name == NULL || streq(c->name, name)))
+			count++;
 	}
+	array = malloc(sizeof(struct connection *)*count);
 
-	if (all)
+	count=0;
+	for (c = connections; c != NULL; c = c->ac_next)
 	{
-	    /* show CAs if defined */
-	    if (c->spd.this.ca.ptr != NULL || c->spd.that.ca.ptr != NULL)
-	    {
-		char this_ca[BUF_LEN], that_ca[BUF_LEN];
-
-		dntoa_or_null(this_ca, BUF_LEN, c->spd.this.ca, "%any");
-		dntoa_or_null(that_ca, BUF_LEN, c->spd.that.ca, "%any");
-
-		whack_log(RC_COMMENT
-		    , "\"%s\"%s:   CAs: '%s'...'%s'"
-		    , c->name
-		    , instance
-		    , this_ca
-		    , that_ca);
-	    }
-
-	    /* show group attributes if defined */
-	    if (c->spd.that.groups != NULL)
-	    {
-		char buf[BUF_LEN];
-	
-		format_groups(c->spd.that.groups, buf, BUF_LEN);
-		whack_log(RC_COMMENT
-		    , "\"%s\"%s:   groups: %s"
-		    , c->name
-		    , instance
-		    , buf);
-	    }
-
-	    whack_log(RC_COMMENT
-		, "\"%s\"%s:   ike_life: %lus; ipsec_life: %lus;"
-		" rekey_margin: %lus; rekey_fuzz: %lu%%; keyingtries: %lu"
-		, c->name
-		, instance
-		, (unsigned long) c->sa_ike_life_seconds
-		, (unsigned long) c->sa_ipsec_life_seconds
-		, (unsigned long) c->sa_rekey_margin
-		, (unsigned long) c->sa_rekey_fuzz
-		, (unsigned long) c->sa_keying_tries);
-
-	    /* show DPD parameters if defined */
-	
-	    if (c->dpd_action != DPD_ACTION_NONE)
-		whack_log(RC_COMMENT
-		    , "\"%s\"%s:   dpd_action: %s;"
-		    " dpd_delay: %lus; dpd_timeout: %lus;"
-		    , c->name
-		    , instance
-		    , enum_show(&dpd_action_names, c->dpd_action)
-		    , (unsigned long) c->dpd_delay
-		    , (unsigned long) c->dpd_timeout);
-
-	    if (c->policy_next)
-	    {
-		whack_log(RC_COMMENT
-		    , "\"%s\"%s:   policy_next: %s"
-		    , c->name, instance, c->policy_next->name);
-	    }
-
-	    /* Note: we display key_from_DNS_on_demand as if policy [lr]KOD */
-	    fmt_policy_prio(c->prio, prio);
-	    whack_log(RC_COMMENT
-		, "\"%s\"%s:   policy: %s%s%s; prio: %s; interface: %s; "
-		, c->name
-		, instance
-		, prettypolicy(c->policy)
-		, c->spd.this.key_from_DNS_on_demand? "+lKOD" : ""
-		, c->spd.that.key_from_DNS_on_demand? "+rKOD" : ""
-		, prio
-		, ifn);
+		if (c->ikev1 && (name == NULL || streq(c->name, name)))
+			array[count++]=c;
 	}
 
-	whack_log(RC_COMMENT
-	    , "\"%s\"%s:   newest ISAKMP SA: #%ld; newest IPsec SA: #%ld; "
-	    , c->name
-	    , instance
-	    , c->newest_isakmp_sa
-	    , c->newest_ipsec_sa);
-	    
-	if (all)
+	/* sort it! */
+	qsort(array, count, sizeof(struct connection *), connection_compare_qsort);
+
+	for (i = 0; i < count; i++)
 	{
-	    ike_alg_show_connection(c, instance);
-	    kernel_alg_show_connection(c, instance);
+		const char *ifn;
+		char instance[1 + 10 + 1];
+		char prio[POLICY_PRIO_BUF];
+
+		c = array[i];
+
+		ifn = oriented(*c)? c->interface->rname : "";
+
+		instance[0] = '\0';
+		if (c->kind == CK_INSTANCE && c->instance_serial != 0)
+			snprintf(instance, sizeof(instance), "[%lu]", c->instance_serial);
+
+		/* show topology */
+		{
+			char topo[CONNECTION_BUF];
+			struct spd_route *sr = &c->spd;
+			int num=0;
+
+			while (sr != NULL)
+			{
+				(void) format_connection(topo, sizeof(topo), c, sr);
+				whack_log(RC_COMMENT, "\"%s\"%s: %s; %s; eroute owner: #%lu"
+						  , c->name, instance, topo
+						  , enum_name(&routing_story, sr->routing)
+						  , sr->eroute_owner);
+				sr = sr->next;
+				num++;
+			}
+		}
+
+		if (all)
+		{
+			/* show CAs if defined */
+			if (c->spd.this.ca.ptr != NULL || c->spd.that.ca.ptr != NULL)
+			{
+				char this_ca[BUF_LEN], that_ca[BUF_LEN];
+
+				dntoa_or_null(this_ca, BUF_LEN, c->spd.this.ca, "%any");
+				dntoa_or_null(that_ca, BUF_LEN, c->spd.that.ca, "%any");
+
+				whack_log(RC_COMMENT
+					, "\"%s\"%s:   CAs: '%s'...'%s'"
+					, c->name
+					, instance
+					, this_ca
+					, that_ca);
+			}
+
+			/* show group attributes if defined */
+			if (c->spd.that.groups != NULL)
+			{
+				char buf[BUF_LEN];
+		
+				format_groups(c->spd.that.groups, buf, BUF_LEN);
+				whack_log(RC_COMMENT
+					, "\"%s\"%s:   groups: %s"
+					, c->name
+					, instance
+					, buf);
+			}
+
+			whack_log(RC_COMMENT
+				, "\"%s\"%s:   ike_life: %lus; ipsec_life: %lus;"
+				" rekey_margin: %lus; rekey_fuzz: %lu%%; keyingtries: %lu"
+				, c->name
+				, instance
+				, (unsigned long) c->sa_ike_life_seconds
+				, (unsigned long) c->sa_ipsec_life_seconds
+				, (unsigned long) c->sa_rekey_margin
+				, (unsigned long) c->sa_rekey_fuzz
+				, (unsigned long) c->sa_keying_tries);
+
+			/* show DPD parameters if defined */
+		
+			if (c->dpd_action != DPD_ACTION_NONE)
+				whack_log(RC_COMMENT
+					, "\"%s\"%s:   dpd_action: %N;"
+					" dpd_delay: %lus; dpd_timeout: %lus;"
+					, c->name
+					, instance
+					, dpd_action_names, c->dpd_action
+					, (unsigned long) c->dpd_delay
+					, (unsigned long) c->dpd_timeout);
+
+			if (c->policy_next)
+			{
+				whack_log(RC_COMMENT
+					, "\"%s\"%s:   policy_next: %s"
+					, c->name, instance, c->policy_next->name);
+			}
+
+			/* Note: we display key_from_DNS_on_demand as if policy [lr]KOD */
+			fmt_policy_prio(c->prio, prio);
+			whack_log(RC_COMMENT
+				, "\"%s\"%s:   policy: %s%s%s; prio: %s; interface: %s; "
+				, c->name
+				, instance
+				, prettypolicy(c->policy)
+				, c->spd.this.key_from_DNS_on_demand? "+lKOD" : ""
+				, c->spd.that.key_from_DNS_on_demand? "+rKOD" : ""
+				, prio
+				, ifn);
+		}
+
+		whack_log(RC_COMMENT
+			, "\"%s\"%s:   newest ISAKMP SA: #%ld; newest IPsec SA: #%ld; "
+			, c->name
+			, instance
+			, c->newest_isakmp_sa
+			, c->newest_ipsec_sa);
+			
+		if (all)
+		{
+			ike_alg_show_connection(c, instance);
+			kernel_alg_show_connection(c, instance);
+		}
 	}
-    }
-    if (count > 0)
-	whack_log(RC_COMMENT, BLANK_FORMAT);	/* spacer */
+	if (count > 0)
+		whack_log(RC_COMMENT, BLANK_FORMAT);    /* spacer */
 
-    pfree(array);
+	free(array);
 }
 
 /* struct pending, the structure representing Quick Mode
@@ -4111,14 +4113,14 @@ show_connections_status(bool all, const char *name)
  */
 
 struct pending {
-    int whack_sock;
-    struct state *isakmp_sa;
-    struct connection *connection;
-    lset_t policy;
-    unsigned long try;
-    so_serial_t replacing;
-
-    struct pending *next;
+	int whack_sock;
+	struct state *isakmp_sa;
+	struct connection *connection;
+	lset_t policy;
+	unsigned long try;
+	so_serial_t replacing;
+
+	struct pending *next;
 };
 
 /* queue a Quick Mode negotiation pending completion of a suitable Main Mode */
@@ -4130,36 +4132,36 @@ add_pending(int whack_sock
 , unsigned long try
 , so_serial_t replacing)
 {
-    bool already_queued = FALSE;
-    struct pending *p = c->host_pair->pending;
+	bool already_queued = FALSE;
+	struct pending *p = c->host_pair->pending;
 
-    while (p != NULL)
-    {
-	if (streq(c->name, p->connection->name))
+	while (p != NULL)
 	{
-	    already_queued = TRUE;
-	    break;
+		if (streq(c->name, p->connection->name))
+		{
+			already_queued = TRUE;
+			break;
+		}
+		p = p->next;
 	}
-	p = p->next;
-    }
-    DBG(DBG_CONTROL,
-	DBG_log("Queuing pending Quick Mode with %s \"%s\"%s"
-		, ip_str(&c->spd.that.host_addr)
-		, c->name
-		, already_queued? " already done" : "")
-    )
-    if (already_queued)
-	return;
-
-    p = alloc_thing(struct pending, "struct pending");
-    p->whack_sock = whack_sock;
-    p->isakmp_sa = isakmp_sa;
-    p->connection = c;
-    p->policy = policy;
-    p->try = try;
-    p->replacing = replacing;
-    p->next = c->host_pair->pending;
-    c->host_pair->pending = p;
+	DBG(DBG_CONTROL,
+		DBG_log("Queuing pending Quick Mode with %s \"%s\"%s"
+				, ip_str(&c->spd.that.host_addr)
+				, c->name
+				, already_queued? " already done" : "")
+	)
+	if (already_queued)
+		return;
+
+	p = malloc_thing(struct pending);
+	p->whack_sock = whack_sock;
+	p->isakmp_sa = isakmp_sa;
+	p->connection = c;
+	p->policy = policy;
+	p->try = try;
+	p->replacing = replacing;
+	p->next = c->host_pair->pending;
+	c->host_pair->pending = p;
 }
 
 /* Release all the whacks awaiting the completion of this state.
@@ -4169,157 +4171,157 @@ add_pending(int whack_sock
 void
 release_pending_whacks(struct state *st, err_t story)
 {
-    struct pending *p;
-    struct stat stst;
+	struct pending *p;
+	struct stat stst;
 
-    if (st->st_whack_sock == NULL_FD || fstat(st->st_whack_sock, &stst) != 0)
-	zero(&stst);	/* resulting st_dev/st_ino ought to be distinct */
+	if (st->st_whack_sock == NULL_FD || fstat(st->st_whack_sock, &stst) != 0)
+		zero(&stst);    /* resulting st_dev/st_ino ought to be distinct */
 
-    release_whack(st);
+	release_whack(st);
 
-    for (p = st->st_connection->host_pair->pending; p != NULL; p = p->next)
-    {
-	if (p->isakmp_sa == st && p->whack_sock != NULL_FD)
+	for (p = st->st_connection->host_pair->pending; p != NULL; p = p->next)
 	{
-	    struct stat pst;
+		if (p->isakmp_sa == st && p->whack_sock != NULL_FD)
+		{
+			struct stat pst;
 
-	    if (fstat(p->whack_sock, &pst) == 0
-	    && (stst.st_dev != pst.st_dev || stst.st_ino != pst.st_ino))
-	    {
-		passert(whack_log_fd == NULL_FD);
-		whack_log_fd = p->whack_sock;
-		whack_log(RC_COMMENT
-		    , "%s for ISAKMP SA, but releasing whack for pending IPSEC SA"
-		    , story);
-		whack_log_fd = NULL_FD;
-	    }
-	    close(p->whack_sock);
-	    p->whack_sock = NULL_FD;
+			if (fstat(p->whack_sock, &pst) == 0
+			&& (stst.st_dev != pst.st_dev || stst.st_ino != pst.st_ino))
+			{
+				passert(whack_log_fd == NULL_FD);
+				whack_log_fd = p->whack_sock;
+				whack_log(RC_COMMENT
+					, "%s for ISAKMP SA, but releasing whack for pending IPSEC SA"
+					, story);
+				whack_log_fd = NULL_FD;
+			}
+			close(p->whack_sock);
+			p->whack_sock = NULL_FD;
+		}
 	}
-    }
 }
 
 static void
 delete_pending(struct pending **pp)
 {
-    struct pending *p = *pp;
+	struct pending *p = *pp;
 
-    *pp = p->next;
-    if (p->connection != NULL)
-	connection_discard(p->connection);
-    close_any(p->whack_sock);
-    pfree(p);
+	*pp = p->next;
+	if (p->connection != NULL)
+		connection_discard(p->connection);
+	close_any(p->whack_sock);
+	free(p);
 }
 
 void
 unpend(struct state *st)
 {
-    struct pending **pp
-	, *p;
+	struct pending **pp
+		, *p;
 
-    for (pp = &st->st_connection->host_pair->pending; (p = *pp) != NULL; )
-    {
-	if (p->isakmp_sa == st)
+	for (pp = &st->st_connection->host_pair->pending; (p = *pp) != NULL; )
 	{
-	    DBG(DBG_CONTROL, DBG_log("unqueuing pending Quick Mode with %s \"%s\""
-		, ip_str(&p->connection->spd.that.host_addr)
-		, p->connection->name));
-	    (void) quick_outI1(p->whack_sock, st, p->connection, p->policy
-		, p->try, p->replacing);
-	    p->whack_sock = NULL_FD;	/* ownership transferred */
-	    p->connection = NULL;	/* ownership transferred */
-	    delete_pending(pp);
-	}
-	else
-	{
-	    pp = &p->next;
+		if (p->isakmp_sa == st)
+		{
+			DBG(DBG_CONTROL, DBG_log("unqueuing pending Quick Mode with %s \"%s\""
+				, ip_str(&p->connection->spd.that.host_addr)
+				, p->connection->name));
+			(void) quick_outI1(p->whack_sock, st, p->connection, p->policy
+				, p->try, p->replacing);
+			p->whack_sock = NULL_FD;    /* ownership transferred */
+			p->connection = NULL;       /* ownership transferred */
+			delete_pending(pp);
+		}
+		else
+		{
+			pp = &p->next;
+		}
 	}
-    }
 }
 
 /* a Main Mode negotiation has been replaced; update any pending */
 void
 update_pending(struct state *os, struct state *ns)
 {
-    struct pending *p;
+	struct pending *p;
 
-    for (p = os->st_connection->host_pair->pending; p != NULL; p = p->next)
-    {
-	if (p->isakmp_sa == os)
-	    p->isakmp_sa = ns;
-	if (p->connection->spd.this.host_port != ns->st_connection->spd.this.host_port)
+	for (p = os->st_connection->host_pair->pending; p != NULL; p = p->next)
 	{
-	    p->connection->spd.this.host_port = ns->st_connection->spd.this.host_port;
-	    p->connection->spd.that.host_port = ns->st_connection->spd.that.host_port;
+		if (p->isakmp_sa == os)
+			p->isakmp_sa = ns;
+		if (p->connection->spd.this.host_port != ns->st_connection->spd.this.host_port)
+		{
+			p->connection->spd.this.host_port = ns->st_connection->spd.this.host_port;
+			p->connection->spd.that.host_port = ns->st_connection->spd.that.host_port;
+		}
 	}
-    }
 }
 
 /* a Main Mode negotiation has failed; discard any pending */
 void
 flush_pending_by_state(struct state *st)
 {
-    struct host_pair *hp = st->st_connection->host_pair;
+	struct host_pair *hp = st->st_connection->host_pair;
 
-    if (hp != NULL)
-    {
-	struct pending **pp
-	    , *p;
-
-	for (pp = &hp->pending; (p = *pp) != NULL; )
+	if (hp != NULL)
 	{
-	    if (p->isakmp_sa == st)
-		delete_pending(pp);
-	    else
-		pp = &p->next;
+		struct pending **pp
+			, *p;
+
+		for (pp = &hp->pending; (p = *pp) != NULL; )
+		{
+			if (p->isakmp_sa == st)
+				delete_pending(pp);
+			else
+				pp = &p->next;
+		}
 	}
-    }
 }
 
 /* a connection has been deleted; discard any related pending */
 static void
 flush_pending_by_connection(struct connection *c)
 {
-    if (c->host_pair != NULL)
-    {
-	struct pending **pp
-	    , *p;
-
-	for (pp = &c->host_pair->pending; (p = *pp) != NULL; )
+	if (c->host_pair != NULL)
 	{
-	    if (p->connection == c)
-	    {
-		p->connection = NULL;	/* prevent delete_pending from releasing */
-		delete_pending(pp);
-	    }
-	    else
-	    {
-		pp = &p->next;
-	    }
+		struct pending **pp
+			, *p;
+
+		for (pp = &c->host_pair->pending; (p = *pp) != NULL; )
+		{
+			if (p->connection == c)
+			{
+				p->connection = NULL;   /* prevent delete_pending from releasing */
+				delete_pending(pp);
+			}
+			else
+			{
+				pp = &p->next;
+			}
+		}
 	}
-    }
 }
 
 void
 show_pending_phase2(const struct host_pair *hp, const struct state *st)
 {
-    const struct pending *p;
+	const struct pending *p;
 
-    for (p = hp->pending; p != NULL; p = p->next)
-    {
-	if (p->isakmp_sa == st)
+	for (p = hp->pending; p != NULL; p = p->next)
 	{
-	    /* connection-name state-number [replacing state-number] */
-	    char cip[CONN_INST_BUF];
-
-	    fmt_conn_instance(p->connection, cip);
-	    whack_log(RC_COMMENT, "#%lu: pending Phase 2 for \"%s\"%s replacing #%lu"
-		, p->isakmp_sa->st_serialno
-		, p->connection->name
-		, cip
-		, p->replacing);
+		if (p->isakmp_sa == st)
+		{
+			/* connection-name state-number [replacing state-number] */
+			char cip[CONN_INST_BUF];
+
+			fmt_conn_instance(p->connection, cip);
+			whack_log(RC_COMMENT, "#%lu: pending Phase 2 for \"%s\"%s replacing #%lu"
+				, p->isakmp_sa->st_serialno
+				, p->connection->name
+				, cip
+				, p->replacing);
+		}
 	}
-    }
 }
 
 /* Delete a connection if it is an instance and it is no longer in use.
@@ -4329,18 +4331,18 @@ show_pending_phase2(const struct host_pair *hp, const struct state *st)
 void
 connection_discard(struct connection *c)
 {
-    if (c->kind == CK_INSTANCE)
-    {
-	/* see if it is being used by a pending */
-	struct pending *p;
+	if (c->kind == CK_INSTANCE)
+	{
+		/* see if it is being used by a pending */
+		struct pending *p;
 
-	for (p = c->host_pair->pending; p != NULL; p = p->next)
-	    if (p->connection == c)
-		return;	/* in use, so we're done */
+		for (p = c->host_pair->pending; p != NULL; p = p->next)
+			if (p->connection == c)
+				return; /* in use, so we're done */
 
-	if (!states_use_connection(c))
-	    delete_connection(c, FALSE);
-    }
+		if (!states_use_connection(c))
+			delete_connection(c, FALSE);
+	}
 }
 
 
@@ -4354,32 +4356,32 @@ long eclipse_count = 0;
 struct connection *
 eclipsed(struct connection *c, struct spd_route **esrp)
 {
-    struct connection *ue;
-    struct spd_route *sr1 = &c->spd;
+	struct connection *ue;
+	struct spd_route *sr1 = &c->spd;
 
-    ue = NULL;
+	ue = NULL;
 
-    while (sr1 != NULL && ue != NULL)
-    {
-	for (ue = connections; ue != NULL; ue = ue->ac_next)
+	while (sr1 != NULL && ue != NULL)
 	{
-	    struct spd_route *srue = &ue->spd;
-
-	    while (srue != NULL
-	    && srue->routing == RT_ROUTED_ECLIPSED
-	    && !(samesubnet(&sr1->this.client, &srue->this.client)
-		 && samesubnet(&sr1->that.client, &srue->that.client)))
-	    {
-		srue = srue->next;
-	    }
-	    if (srue != NULL && srue->routing==RT_ROUTED_ECLIPSED)
-	    {
-		*esrp = srue;
-		break;
-	    }
+		for (ue = connections; ue != NULL; ue = ue->ac_next)
+		{
+			struct spd_route *srue = &ue->spd;
+
+			while (srue != NULL
+			&& srue->routing == RT_ROUTED_ECLIPSED
+			&& !(samesubnet(&sr1->this.client, &srue->this.client)
+				 && samesubnet(&sr1->that.client, &srue->that.client)))
+			{
+				srue = srue->next;
+			}
+			if (srue != NULL && srue->routing==RT_ROUTED_ECLIPSED)
+			{
+				*esrp = srue;
+				break;
+			}
+		}
 	}
-    }
-    return ue;
+	return ue;
 }
 
 /*
diff --git a/src/pluto/connections.h b/src/pluto/connections.h
index b11565296..16cbbfd72 100644
--- a/src/pluto/connections.h
+++ b/src/pluto/connections.h
@@ -10,8 +10,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: connections.h 4024 2008-05-29 07:49:47Z andreas $
  */
 
 #ifndef _CONNECTIONS_H
@@ -118,135 +116,135 @@
  * - display format: n,m
  */
 typedef unsigned long policy_prio_t;
-#define BOTTOM_PRIO   ((policy_prio_t)0)	/* smaller than any real prio */
+#define BOTTOM_PRIO   ((policy_prio_t)0)        /* smaller than any real prio */
 #define set_policy_prio(c) { (c)->prio = \
-	((policy_prio_t)(c)->spd.this.client.maskbits << 16) \
-	| ((policy_prio_t)(c)->spd.that.client.maskbits << 8) \
-	| (policy_prio_t)1; }
-#define POLICY_PRIO_BUF	(3+1+3+1)
+		((policy_prio_t)(c)->spd.this.client.maskbits << 16) \
+		| ((policy_prio_t)(c)->spd.that.client.maskbits << 8) \
+		| (policy_prio_t)1; }
+#define POLICY_PRIO_BUF (3+1+3+1)
 extern void fmt_policy_prio(policy_prio_t pp, char buf[POLICY_PRIO_BUF]);
 
 struct virtual_t;
 
 struct end {
-    struct id id;
-    ip_address
-	host_addr,
-	host_nexthop,
-	host_srcip;
-    ip_subnet client;
-
-    bool key_from_DNS_on_demand;
-    bool has_client;
-    bool has_client_wildcard;
-    bool has_port_wildcard;
-    bool has_id_wildcards;
-    bool has_natip;
-    char *updown;
-    u_int16_t host_port;	/* host order */
-    u_int16_t port;		/* host order */
-    u_int8_t protocol;
-    cert_t cert;		/* end certificate */
-    chunk_t ca;			/* CA distinguished name */
-    struct ietfAttrList *groups;/* access control groups */
-    smartcard_t *sc;		/* smartcard reader and key info */
-    struct virtual_t *virt;
-    bool modecfg;		/* this end: request local address from server */
-				/* that end: give local addresses to clients */
-    bool hostaccess;		/* allow access to host via iptables INPUT/OUTPUT */
-				/* rules if client behind host is a subnet */
-    bool allow_any;		/* IP address is subject to change */
-    certpolicy_t sendcert;	/* whether or not to send the certificate */
+	struct id id;
+	ip_address
+		host_addr,
+		host_nexthop,
+		host_srcip;
+	ip_subnet client;
+
+	bool key_from_DNS_on_demand;
+	bool has_client;
+	bool has_client_wildcard;
+	bool has_port_wildcard;
+	bool has_id_wildcards;
+	bool has_natip;
+	char *updown;
+	u_int16_t host_port;        /* host order */
+	u_int16_t port;             /* host order */
+	u_int8_t protocol;
+	cert_t cert;                /* end certificate */
+	chunk_t ca;                 /* CA distinguished name */
+	struct ietfAttrList *groups;/* access control groups */
+	smartcard_t *sc;            /* smartcard reader and key info */
+	struct virtual_t *virt;
+	bool modecfg;               /* this end: request local address from server */
+								/* that end: give local addresses to clients */
+	bool hostaccess;            /* allow access to host via iptables INPUT/OUTPUT */
+								/* rules if client behind host is a subnet */
+	bool allow_any;             /* IP address is subject to change */
+	certpolicy_t sendcert;      /* whether or not to send the certificate */
 };
 
 struct spd_route {
-    struct spd_route *next;
-    struct end this;
-    struct end that;
-    so_serial_t eroute_owner;
-    enum routing_t routing;	/* level of routing in place */
-    uint32_t reqid;
+	struct spd_route *next;
+	struct end this;
+	struct end that;
+	so_serial_t eroute_owner;
+	enum routing_t routing;     /* level of routing in place */
+	uint32_t reqid;
 };
 
 struct connection {
-    char *name;
-    bool ikev1;
+	char *name;
+	bool ikev1;
 
-    lset_t policy;
-    time_t sa_ike_life_seconds;
-    time_t sa_ipsec_life_seconds;
-    time_t sa_rekey_margin;
-    unsigned long sa_rekey_fuzz;
-    unsigned long sa_keying_tries;
+	lset_t policy;
+	time_t sa_ike_life_seconds;
+	time_t sa_ipsec_life_seconds;
+	time_t sa_rekey_margin;
+	unsigned long sa_rekey_fuzz;
+	unsigned long sa_keying_tries;
 
-    /* RFC 3706 DPD */
-    time_t dpd_delay;
-    time_t dpd_timeout;
-    dpd_action_t dpd_action;
+	/* RFC 3706 DPD */
+	time_t dpd_delay;
+	time_t dpd_timeout;
+	dpd_action_t dpd_action;
 
-    char              *log_file_name;       /* name of log file */
-    FILE              *log_file;            /* possibly open FILE */
-    TAILQ_ENTRY(connection) log_link;     /* linked list of open conns */
-    bool               log_file_err;        /* only bitch once */
+	char              *log_file_name;       /* name of log file */
+	FILE              *log_file;            /* possibly open FILE */
+	TAILQ_ENTRY(connection) log_link;     /* linked list of open conns */
+	bool               log_file_err;        /* only bitch once */
 
-    struct spd_route spd;
+	struct spd_route spd;
 
-    /* internal fields: */
+	/* internal fields: */
 
-    unsigned long instance_serial;
-    policy_prio_t prio;
-    bool instance_initiation_ok;	/* this is an instance of a policy that mandates initiate */
-    enum connection_kind kind;
-    const struct iface *interface;	/* filled in iff oriented */
+	unsigned long instance_serial;
+	policy_prio_t prio;
+	bool instance_initiation_ok;        /* this is an instance of a policy that mandates initiate */
+	enum connection_kind kind;
+	const struct iface *interface;      /* filled in iff oriented */
 
-    so_serial_t	/* state object serial number */
-	newest_isakmp_sa,
-	newest_ipsec_sa;
+	so_serial_t /* state object serial number */
+		newest_isakmp_sa,
+		newest_ipsec_sa;
 
 
 #ifdef DEBUG
-    lset_t extra_debugging;
+	lset_t extra_debugging;
 #endif
 
-    /* note: if the client is the gateway, the following must be equal */
-    sa_family_t addr_family;		/* between gateways */
-    sa_family_t tunnel_addr_family;	/* between clients */
+	/* note: if the client is the gateway, the following must be equal */
+	sa_family_t addr_family;            /* between gateways */
+	sa_family_t tunnel_addr_family;     /* between clients */
 
-    struct connection *policy_next;	/* if multiple policies,
-					   next one to apply */
+	struct connection *policy_next;     /* if multiple policies,
+										   next one to apply */
 
-    struct gw_info *gw_info;
-    struct alg_info_esp *alg_info_esp;
-    struct alg_info_ike *alg_info_ike;
+	struct gw_info *gw_info;
+	struct alg_info_esp *alg_info_esp;
+	struct alg_info_ike *alg_info_ike;
 
-    struct host_pair *host_pair;
-    struct connection *hp_next;		/* host pair list link */
+	struct host_pair *host_pair;
+	struct connection *hp_next;         /* host pair list link */
 
-    struct connection *ac_next;		/* all connections list link */
+	struct connection *ac_next;         /* all connections list link */
 
-    generalName_t *requested_ca;	/* collected certificate requests */
-    bool got_certrequest;
+	generalName_t *requested_ca;        /* collected certificate requests */
+	bool got_certrequest;
 };
 
 #define oriented(c) ((c).interface != NULL)
 extern bool orient(struct connection *c);
 
 extern bool same_peer_ids(const struct connection *c
-    , const struct connection *d, const struct id *his_id);
+	, const struct connection *d, const struct id *his_id);
 
 /* Format the topology of a connection end, leaving out defaults.
  * Largest left end looks like: client === host : port [ host_id ] --- hop
  * Note: if that==NULL, skip nexthop
  */
-#define END_BUF	(SUBNETTOT_BUF + ADDRTOT_BUF + IDTOA_BUF + ADDRTOT_BUF + 10)
+#define END_BUF (SUBNETTOT_BUF + ADDRTOT_BUF + IDTOA_BUF + ADDRTOT_BUF + 10)
 extern size_t format_end(char *buf, size_t buf_len
-    , const struct end *this, const struct end *that
-    , bool is_left, lset_t policy);
+	, const struct end *this, const struct end *that
+	, bool is_left, lset_t policy);
 
 extern void add_connection(const whack_message_t *wm);
 extern void initiate_connection(const char *name, int whackfd);
 extern void initiate_opportunistic(const ip_address *our_client
-    , const ip_address *peer_client, int transport_proto, bool held, int whackfd);
+	, const ip_address *peer_client, int transport_proto, bool held, int whackfd);
 extern void terminate_connection(const char *nm);
 extern void release_connection(struct connection *c, bool relations);
 extern void delete_connection(struct connection *c, bool relations);
@@ -257,87 +255,87 @@ extern void remove_group_instance(const struct connection *group, const char *na
 extern void release_dead_interfaces(void);
 extern void check_orientations(void);
 extern struct connection *route_owner(struct connection *c
-				      , struct spd_route **srp
-				      , struct connection **erop
-				      , struct spd_route **esrp);
+									  , struct spd_route **srp
+									  , struct connection **erop
+									  , struct spd_route **esrp);
 extern struct connection *shunt_owner(const ip_subnet *ours
-    , const ip_subnet *his);
+	, const ip_subnet *his);
 
-extern bool uniqueIDs;	/* --uniqueids? */
+extern bool uniqueIDs;  /* --uniqueids? */
 extern void ISAKMP_SA_established(struct connection *c, so_serial_t serial);
 
 #define his_id_was_instantiated(c) ((c)->kind == CK_INSTANCE \
-    && (id_is_ipaddr(&(c)->spd.that.id)? \
-    sameaddr(&(c)->spd.that.id.ip_addr, &(c)->spd.that.host_addr) : TRUE))
+	&& (id_is_ipaddr(&(c)->spd.that.id)? \
+	sameaddr(&(c)->spd.that.id.ip_addr, &(c)->spd.that.host_addr) : TRUE))
 
-struct state;	/* forward declaration of tag (defined in state.h) */
+struct state;   /* forward declaration of tag (defined in state.h) */
 extern struct connection
-    *con_by_name(const char *nm, bool strict),
-    *find_host_connection(const ip_address *me, u_int16_t my_port
-	, const ip_address *him, u_int16_t his_port, lset_t policy),
-    *refine_host_connection(const struct state *st, const struct id *id
-	, chunk_t peer_ca),
-    *find_client_connection(struct connection *c
-	, const ip_subnet *our_net
-	, const ip_subnet *peer_net
-	, const u_int8_t our_protocol
-	, const u_int16_t out_port
-	, const u_int8_t peer_protocol
-	, const u_int16_t peer_port),
-    *find_connection_by_reqid(uint32_t reqid);
+	*con_by_name(const char *nm, bool strict),
+	*find_host_connection(const ip_address *me, u_int16_t my_port
+		, const ip_address *him, u_int16_t his_port, lset_t policy),
+	*refine_host_connection(const struct state *st, const struct id *id
+		, chunk_t peer_ca),
+	*find_client_connection(struct connection *c
+		, const ip_subnet *our_net
+		, const ip_subnet *peer_net
+		, const u_int8_t our_protocol
+		, const u_int16_t out_port
+		, const u_int8_t peer_protocol
+		, const u_int16_t peer_port),
+	*find_connection_by_reqid(uint32_t reqid);
 
 extern struct connection *
 find_connection_for_clients(struct spd_route **srp
-			    , const ip_address *our_client
-			    , const ip_address *peer_client
-			    , int transport_proto);
+							, const ip_address *our_client
+							, const ip_address *peer_client
+							, int transport_proto);
 
 extern chunk_t get_peer_ca_and_groups(struct connection *c
-    , const ietfAttrList_t **peer_list);
-    
+	, const ietfAttrList_t **peer_list);
+	
 /* instantiating routines
  * Note: connection_discard() is in state.h because all its work
  * is looking through state objects.
  */
-struct gw_info;	/* forward declaration of tag (defined in dnskey.h) */
-struct alg_info;	/* forward declaration of tag (defined in alg_info.h) */
+struct gw_info; /* forward declaration of tag (defined in dnskey.h) */
+struct alg_info;        /* forward declaration of tag (defined in alg_info.h) */
 extern struct connection *rw_instantiate(struct connection *c
-					 , const ip_address *him
-					 , u_int16_t his_port
-					 , const ip_subnet *his_net
-					 , const struct id *his_id);
+										 , const ip_address *him
+										 , u_int16_t his_port
+										 , const ip_subnet *his_net
+										 , const struct id *his_id);
 
 extern struct connection *oppo_instantiate(struct connection *c
-					   , const ip_address *him
-					   , const struct id *his_id
-					   , struct gw_info *gw
-					   , const ip_address *our_client
-					   , const ip_address *peer_client);
+										   , const ip_address *him
+										   , const struct id *his_id
+										   , struct gw_info *gw
+										   , const ip_address *our_client
+										   , const ip_address *peer_client);
 
 extern struct connection
   *build_outgoing_opportunistic_connection(struct gw_info *gw
-					   , const ip_address *our_client
-					   , const ip_address *peer_client);
+										   , const ip_address *our_client
+										   , const ip_address *peer_client);
 
 /* worst case: "[" serial "] " myclient "=== ..." peer "===" hisclient '\0' */
 #define CONN_INST_BUF \
-    (2 + 10 + 1 + SUBNETTOT_BUF + 7 + ADDRTOT_BUF + 3 + SUBNETTOT_BUF + 1)
+	(2 + 10 + 1 + SUBNETTOT_BUF + 7 + ADDRTOT_BUF + 3 + SUBNETTOT_BUF + 1)
 
 extern void fmt_conn_instance(const struct connection *c
-    , char buf[CONN_INST_BUF]);
+	, char buf[CONN_INST_BUF]);
 
 /* operations on "pending", the structure representing Quick Mode
  * negotiations delayed until a Keying Channel has been negotiated.
  */
 
-struct pending;	/* forward declaration (opaque outside connections.c) */
+struct pending; /* forward declaration (opaque outside connections.c) */
 
 extern void add_pending(int whack_sock
-    , struct state *isakmp_sa
-    , struct connection *c
-    , lset_t policy
-    , unsigned long try
-    , so_serial_t replacing);
+	, struct state *isakmp_sa
+	, struct connection *c
+	, lset_t policy
+	, unsigned long try
+	, so_serial_t replacing);
 
 extern void release_pending_whacks(struct state *st, err_t story);
 extern void unpend(struct state *st);
@@ -360,9 +358,9 @@ extern struct connection *eclipsed(struct connection *c, struct spd_route **);
 
 extern void show_connections_status(bool all, const char *name);
 extern int  connection_compare(const struct connection *ca
-    , const struct connection *cb);
+	, const struct connection *cb);
 extern void update_host_pair(const char *why, struct connection *c
-    , const ip_address *myaddr, u_int16_t myport
-    , const ip_address *hisaddr, u_int16_t hisport);
+	, const ip_address *myaddr, u_int16_t myport
+	, const ip_address *hisaddr, u_int16_t hisport);
 
 #endif /* _CONNECTIONS_H */
diff --git a/src/pluto/constants.c b/src/pluto/constants.c
index 50a75c0aa..adcd77131 100644
--- a/src/pluto/constants.c
+++ b/src/pluto/constants.c
@@ -1,5 +1,6 @@
 /* tables of names for values defined in constants.h
- * Copyright (C) 1998-2002  D. Hugh Redelmeier.
+ * Copyright (C) 1998-2002 D. Hugh Redelmeier.
+ * Copyright (C) 2009 Andreas Steffen - Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -10,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: constants.c 4612 2008-11-11 06:37:37Z andreas $
  */
 
 /*
@@ -25,7 +24,6 @@
 #include <netinet/in.h>
 
 #include <freeswan.h>
-#include <ipsec_policy.h>
 
 #include "constants.h"
 #include "defs.h"
@@ -36,42 +34,36 @@
 
 const char compile_time_interop_options[] = ""
 #ifdef THREADS
-	" THREADS"
-#endif
-#ifdef LIBCURL
-	" LIBCURL"
-#endif
-#ifdef LIBLDAP
-	" LIBLDAP"
+		" THREADS"
 #endif
 #ifdef SMARTCARD
-	" SMARTCARD"
+		" SMARTCARD"
 #endif
 #ifdef VENDORID
-	" VENDORID"
+		" VENDORID"
 #endif
 #ifdef CISCO_QUIRKS
-	" CISCO_QUIRKS"
+		" CISCO_QUIRKS"
 #endif
 #ifdef USE_KEYRR
-	" KEYRR"
+		" KEYRR"
 #endif
-    ;
+	;
 
 /* version */
 
 static const char *const version_name[] = {
-	"ISAKMP Version 1.0",
+		"ISAKMP Version 1.0",
 };
 
 enum_names version_names =
-    { ISAKMP_MAJOR_VERSION<<ISA_MAJ_SHIFT | ISAKMP_MINOR_VERSION,
-	ISAKMP_MAJOR_VERSION<<ISA_MAJ_SHIFT | ISAKMP_MINOR_VERSION,
-	version_name, NULL };
+	{ ISAKMP_MAJOR_VERSION<<ISA_MAJ_SHIFT | ISAKMP_MINOR_VERSION,
+		ISAKMP_MAJOR_VERSION<<ISA_MAJ_SHIFT | ISAKMP_MINOR_VERSION,
+		version_name, NULL };
 
 /* RFC 2459 CRL reason codes */
 
-static const char *const crl_reason_name[] = {
+ENUM(crl_reason_names, REASON_UNSPECIFIED, REASON_REMOVE_FROM_CRL,
 	"unspecified",
 	"key compromise",
 	"ca compromise",
@@ -81,26 +73,20 @@ static const char *const crl_reason_name[] = {
 	"certificate hold",
 	"reason #7",
 	"remove from crl"
-    };
-
-enum_names crl_reason_names =
-    { REASON_UNSPECIFIED, REASON_REMOVE_FROM_CRL, crl_reason_name, NULL};
+);
 
 /* RFC 3706 Dead Peer Detection */
 
-static const char *const dpd_action_name[] = {
+ENUM(dpd_action_names, DPD_ACTION_NONE, DPD_ACTION_RESTART,
 	"none",
 	"clear",
 	"hold",
 	"restart"
-    };
-
-enum_names dpd_action_names =
-    { DPD_ACTION_NONE, DPD_ACTION_RESTART, dpd_action_name, NULL};
-        
+);	
+	
 /* Timer events */
 
-static const char *const timer_event_name[] = {
+ENUM(timer_event_names, EVENT_NULL, EVENT_LOG_DAILY,
 	"EVENT_NULL",
 	"EVENT_REINIT_SECRET",
 	"EVENT_SHUNT_SCAN",
@@ -113,16 +99,13 @@ static const char *const timer_event_name[] = {
 	"EVENT_DPD",
 	"EVENT_DPD_TIMEOUT",
 	"EVENT_LOG_DAILY"
-    };
-
-enum_names timer_event_names =
-    { EVENT_NULL, EVENT_LOG_DAILY, timer_event_name, NULL };
+);
 
 /* Domain of Interpretation */
 
 static const char *const doi_name[] = {
-	"ISAKMP_DOI_ISAKMP",
-	"ISAKMP_DOI_IPSEC",
+		"ISAKMP_DOI_ISAKMP",
+		"ISAKMP_DOI_IPSEC",
 };
 
 enum_names doi_names = { ISAKMP_DOI_ISAKMP, ISAKMP_DOI_IPSEC, doi_name, NULL };
@@ -155,7 +138,7 @@ const char *const debug_bit_names[] = {
 	"impair-bust-mr2",
 
 	NULL
-    };
+};
 #endif
 
 /* State of exchanges */
@@ -197,78 +180,78 @@ static const char *const state_name[] = {
 	"STATE_MODE_CFG_R4",
 
 	"STATE_IKE_ROOF"
-    };
+};
 
 enum_names state_names =
-    { STATE_MAIN_R0, STATE_IKE_ROOF-1, state_name, NULL };
+	{ STATE_MAIN_R0, STATE_IKE_ROOF-1, state_name, NULL };
 
 /* story for state */
 
 const char *const state_story[] = {
-	"expecting MI1",			 /* STATE_MAIN_R0 */
-	"sent MI1, expecting MR1",		 /* STATE_MAIN_I1 */
-	"sent MR1, expecting MI2",		 /* STATE_MAIN_R1 */
-	"sent MI2, expecting MR2",		 /* STATE_MAIN_I2 */
-	"sent MR2, expecting MI3",		 /* STATE_MAIN_R2 */
-	"sent MI3, expecting MR3",		 /* STATE_MAIN_I3 */
-	"sent MR3, ISAKMP SA established",	 /* STATE_MAIN_R3 */
-	"ISAKMP SA established",		 /* STATE_MAIN_I4 */
-
-	"expecting QI1",			 /* STATE_QUICK_R0 */
-	"sent QI1, expecting QR1",		 /* STATE_QUICK_I1 */
-	"sent QR1, inbound IPsec SA installed, expecting QI2",	/* STATE_QUICK_R1 */
-	"sent QI2, IPsec SA established",	 /* STATE_QUICK_I2 */
-	"IPsec SA established",			 /* STATE_QUICK_R2 */
-
-	"got Informational Message in clear",	 /* STATE_INFO */
-	"got encrypted Informational Message",	 /* STATE_INFO_PROTECTED */
-
-	"expecting XAUTH request",		 /* STATE_XAUTH_I0 */
-	"sent XAUTH request, expecting reply",	 /* STATE_XAUTH_R1 */
-	"sent XAUTH reply, expecting status",	 /* STATE_XAUTH_I1 */
-	"sent XAUTH status, expecting ack",	 /* STATE_XAUTH_R2 */
-	"sent XAUTH ack, established",		 /* STATE_XAUTH_I2 */
-	"received XAUTH ack, established",	 /* STATE_XAUTH_R3 */
-
-	"expecting ModeCfg request",		 /* STATE_MODE_CFG_R0 */
+	"expecting MI1",                         /* STATE_MAIN_R0 */
+	"sent MI1, expecting MR1",               /* STATE_MAIN_I1 */
+	"sent MR1, expecting MI2",               /* STATE_MAIN_R1 */
+	"sent MI2, expecting MR2",               /* STATE_MAIN_I2 */
+	"sent MR2, expecting MI3",               /* STATE_MAIN_R2 */
+	"sent MI3, expecting MR3",               /* STATE_MAIN_I3 */
+	"sent MR3, ISAKMP SA established",       /* STATE_MAIN_R3 */
+	"ISAKMP SA established",                 /* STATE_MAIN_I4 */
+
+	"expecting QI1",                         /* STATE_QUICK_R0 */
+	"sent QI1, expecting QR1",               /* STATE_QUICK_I1 */
+	"sent QR1, inbound IPsec SA installed, expecting QI2",  /* STATE_QUICK_R1 */
+	"sent QI2, IPsec SA established",        /* STATE_QUICK_I2 */
+	"IPsec SA established",                  /* STATE_QUICK_R2 */
+
+	"got Informational Message in clear",    /* STATE_INFO */
+	"got encrypted Informational Message",   /* STATE_INFO_PROTECTED */
+
+	"expecting XAUTH request",               /* STATE_XAUTH_I0 */
+	"sent XAUTH request, expecting reply",   /* STATE_XAUTH_R1 */
+	"sent XAUTH reply, expecting status",    /* STATE_XAUTH_I1 */
+	"sent XAUTH status, expecting ack",      /* STATE_XAUTH_R2 */
+	"sent XAUTH ack, established",           /* STATE_XAUTH_I2 */
+	"received XAUTH ack, established",       /* STATE_XAUTH_R3 */
+
+	"expecting ModeCfg request",             /* STATE_MODE_CFG_R0 */
 	"sent ModeCfg request, expecting reply", /* STATE_MODE_CFG_I1 */
-	"sent ModeCfg reply, established",	 /* STATE_MODE_CFG_R1 */
-	"received ModeCfg reply, established",	 /* STATE_MODE_CFG_I2 */
+	"sent ModeCfg reply, established",       /* STATE_MODE_CFG_R1 */
+	"received ModeCfg reply, established",   /* STATE_MODE_CFG_I2 */
 
-	"expecting ModeCfg set",		 /* STATE_MODE_CFG_I0 */
-	"sent ModeCfg set, expecting ack",	 /* STATE_MODE_CFG_R3 */
-	"sent ModeCfg ack, established",	 /* STATE_MODE_CFG_I3 */
-	"received ModeCfg ack, established",	 /* STATE_MODE_CFG_R4 */
-    };
+	"expecting ModeCfg set",                 /* STATE_MODE_CFG_I0 */
+	"sent ModeCfg set, expecting ack",       /* STATE_MODE_CFG_R3 */
+	"sent ModeCfg ack, established",         /* STATE_MODE_CFG_I3 */
+	"received ModeCfg ack, established",     /* STATE_MODE_CFG_R4 */
+};
 
 /* kind of struct connection */
 
 static const char *const connection_kind_name[] = {
-    "CK_GROUP",		/* policy group: instantiates to template */
-    "CK_TEMPLATE",	/* abstract connection, with wildcard */
-    "CK_PERMANENT",	/* normal connection */
-    "CK_INSTANCE",	/* instance of template, created for a particular attempt */
-    "CK_GOING_AWAY"	/* instance being deleted -- don't delete again */
+	"CK_GROUP",         /* policy group: instantiates to template */
+	"CK_TEMPLATE",      /* abstract connection, with wildcard */
+	"CK_PERMANENT",     /* normal connection */
+	"CK_INSTANCE",      /* instance of template, created for a particular attempt */
+	"CK_GOING_AWAY"     /* instance being deleted -- don't delete again */
 };
 
 enum_names connection_kind_names =
-    { CK_GROUP, CK_GOING_AWAY, connection_kind_name, NULL };
+	{ CK_GROUP, CK_GOING_AWAY, connection_kind_name, NULL };
 
 /* routing status names */
 
 static const char *const routing_story_strings[] = {
-    "unrouted",	/* RT_UNROUTED: unrouted */
-    "unrouted HOLD",	/* RT_UNROUTED_HOLD: unrouted, but HOLD shunt installed */
-    "eroute eclipsed",	/* RT_ROUTED_ECLIPSED: RT_ROUTED_PROSPECTIVE except bare HOLD or instance has eroute */
-    "prospective erouted",	/* RT_ROUTED_PROSPECTIVE: routed, and prospective shunt installed */
-    "erouted HOLD",	/* RT_ROUTED_HOLD: routed, and HOLD shunt installed */
-    "fail erouted",	/* RT_ROUTED_FAILURE: routed, and failure-context shunt eroute installed */
-    "erouted",	/* RT_ROUTED_TUNNEL: routed, and erouted to an IPSEC SA group */
-    "keyed, unrouted",  /* RT_UNROUTED_KEYED: was routed+keyed, but it got turned into an outer policy */
-    };
+	"unrouted", /* RT_UNROUTED: unrouted */
+	"unrouted HOLD",    /* RT_UNROUTED_HOLD: unrouted, but HOLD shunt installed */
+	"eroute eclipsed",  /* RT_ROUTED_ECLIPSED: RT_ROUTED_PROSPECTIVE except bare HOLD or instance has eroute */
+	"prospective erouted",      /* RT_ROUTED_PROSPECTIVE: routed, and prospective shunt installed */
+	"erouted HOLD",     /* RT_ROUTED_HOLD: routed, and HOLD shunt installed */
+	"fail erouted",     /* RT_ROUTED_FAILURE: routed, and failure-context shunt eroute installed */
+	"erouted",  /* RT_ROUTED_TUNNEL: routed, and erouted to an IPSEC SA group */
+	"keyed, unrouted",  /* RT_UNROUTED_KEYED: was routed+keyed, but it got turned into an outer policy */
+};
 
 enum_names routing_story =
-    { RT_UNROUTED, RT_ROUTED_TUNNEL, routing_story_strings, NULL};
+	{ RT_UNROUTED, RT_ROUTED_TUNNEL, routing_story_strings, NULL};
 
 /* Payload types (RFC 2408 "ISAKMP" section 3.1) */
 
@@ -296,16 +279,18 @@ const char *const payload_name[] = {
 	"ISAKMP_NEXT_NAT-D",
 	"ISAKMP_NEXT_NAT-OA",
 	NULL
-    };
+};
 
-const char *const payload_name_nat_d[] = { "ISAKMP_NEXT_NAT-D",
-	"ISAKMP_NEXT_NAT-OA", NULL };
+const char *const payload_name_nat_d[] = {
+	"ISAKMP_NEXT_NAT-D",
+	"ISAKMP_NEXT_NAT-OA", NULL
+};
 
 static enum_names payload_names_nat_d =
 	{ ISAKMP_NEXT_NATD_DRAFTS, ISAKMP_NEXT_NATOA_DRAFTS, payload_name_nat_d, NULL };
-	
+		
 enum_names payload_names =
-    { ISAKMP_NEXT_NONE, ISAKMP_NEXT_NATOA_RFC, payload_name, &payload_names_nat_d };
+	{ ISAKMP_NEXT_NONE, ISAKMP_NEXT_NATOA_RFC, payload_name, &payload_names_nat_d };
 
 /* Exchange types (note: two discontinuous ranges) */
 
@@ -317,26 +302,26 @@ static const char *const exchange_name[] = {
 	"ISAKMP_XCHG_AGGR",
 	"ISAKMP_XCHG_INFO",
 	"ISAKMP_XCHG_MODE_CFG",
-    };
+};
 
 static const char *const exchange_name2[] = {
 	"ISAKMP_XCHG_QUICK",
 	"ISAKMP_XCHG_NGRP",
 	"ISAKMP_XCHG_ACK_INFO",
-    };
+};
 
 static enum_names exchange_desc2 =
-    { ISAKMP_XCHG_QUICK, ISAKMP_XCHG_ACK_INFO, exchange_name2, NULL };
+	{ ISAKMP_XCHG_QUICK, ISAKMP_XCHG_ACK_INFO, exchange_name2, NULL };
 
 enum_names exchange_names =
-    { ISAKMP_XCHG_NONE, ISAKMP_XCHG_MODE_CFG, exchange_name, &exchange_desc2 };
+	{ ISAKMP_XCHG_NONE, ISAKMP_XCHG_MODE_CFG, exchange_name, &exchange_desc2 };
 
 /* Flag BITS */
 const char *const flag_bit_names[] = {
 	"ISAKMP_FLAG_ENCRYPTION",
 	"ISAKMP_FLAG_COMMIT",
 	NULL
-    };
+};
 
 /* Situation BITS definition for IPsec DOI */
 
@@ -345,7 +330,7 @@ const char *const sit_bit_names[] = {
 	"SIT_SECRECY",
 	"SIT_INTEGRITY",
 	NULL
-    };
+};
 
 /* Protocol IDs (RFC 2407 "IPsec DOI" section 4.4.1) */
 
@@ -354,78 +339,74 @@ static const char *const protocol_name[] = {
 	"PROTO_IPSEC_AH",
 	"PROTO_IPSEC_ESP",
 	"PROTO_IPCOMP",
-    };
+};
 
 enum_names protocol_names =
-    { PROTO_ISAKMP, PROTO_IPCOMP, protocol_name, NULL };
+	{ PROTO_ISAKMP, PROTO_IPCOMP, protocol_name, NULL };
 
 /* IPsec ISAKMP transform values */
 
 static const char *const isakmp_transform_name[] = {
 	"KEY_IKE",
-    };
+};
 
 enum_names isakmp_transformid_names =
-    { KEY_IKE, KEY_IKE, isakmp_transform_name, NULL };
+	{ KEY_IKE, KEY_IKE, isakmp_transform_name, NULL };
 
 /* IPsec AH transform values */
 
 static const char *const ah_transform_name[] = {
-	"AH_MD5",
-	"AH_SHA",
-	"AH_DES",
-	"AH_SHA2_256",
-	"AH_SHA2_384",
-	"AH_SHA2_512",
-	"AH_RIPEMD",
-	"AH_AES_XCBC_MAC",
-	"AH_RSA"
-    };
+	"HMAC_MD5",
+	"HMAC_SHA1",
+	"DES_MAC",
+	"HMAC_SHA2_256",
+	"HMAC_SHA2_384",
+	"HMAC_SHA2_512",
+	"HMAC_RIPEMD",
+	"AES_XCBC_96",
+	"SIG_RSA"
+};
 
 enum_names ah_transformid_names =
-    { AH_MD5, AH_RSA, ah_transform_name, NULL };
+	{ AH_MD5, AH_RSA, ah_transform_name, NULL };
 
 /* IPsec ESP transform values */
 
 static const char *const esp_transform_name[] = {
-	"ESP_DES_IV64",
-	"ESP_DES",
-	"ESP_3DES",
-	"ESP_RC5",
-	"ESP_IDEA",
-	"ESP_CAST",
-	"ESP_BLOWFISH",
-	"ESP_3IDEA",
-	"ESP_DES_IV32",
-	"ESP_RC4",
-	"ESP_NULL",
-	"ESP_AES",
-	"ESP_AES-CTR",
-	"ESP_AES-CCM_8",
-	"ESP_AES-CCM_12",
-	"ESP_AES-CCM_16",
-	"ESP_UNASSIGNED_17",
-	"ESP_AES_GCM_8",
-	"ESP_AES_GCM_12",
-	"ESP_AES_GCM_16",
-	"ESP_SEED_CBC",
-	"ESP_CAMELLIA"
-    };
+	"DES_IV64",
+	"DES_CBC",
+	"3DES_CBC",
+	"RC5_CBC",
+	"IDEA_CBC",
+	"CAST_CBC",
+	"BLOWFISH_CBC",
+	"3IDEA",
+	"DES_IV32",
+	"RC4",
+	"NULL",
+	"AES_CBC",
+	"AES_CTR",
+	"AES_CCM_8",
+	"AES_CCM_12",
+	"AES_CCM_16",
+	"UNASSIGNED_17",
+	"AES_GCM_8",
+	"AES_GCM_12",
+	"AES_GCM_16",
+	"SEED_CBC",
+	"CAMELLIA_CBC"
+};
 
-/*
- * ipsec drafts suggest "high" ESP ids values for testing,
- * assign generic ESP_ID<num> if not officially defined
- */
 static const char *const esp_transform_name_high[] = {
-	"ESP_SERPENT",
-	"ESP_TWOFISH"
-    };
+	"SERPENT_CBC",
+	"TWOFISH_CBC"
+};
 
 enum_names esp_transformid_names_high =
-    { ESP_SERPENT, ESP_TWOFISH, esp_transform_name_high, NULL };
+	{ ESP_SERPENT, ESP_TWOFISH, esp_transform_name_high, NULL };
 
 enum_names esp_transformid_names =
-    { ESP_DES_IV64, ESP_CAMELLIA, esp_transform_name, &esp_transformid_names_high };
+	{ ESP_DES_IV64, ESP_CAMELLIA, esp_transform_name, &esp_transformid_names_high };
 
 /* IPCOMP transform values */
 
@@ -434,10 +415,10 @@ static const char *const ipcomp_transform_name[] = {
 	"IPCOMP_DEFLAT",
 	"IPCOMP_LZS",
 	"IPCOMP_LZJH",
-    };
+};
 
 enum_names ipcomp_transformid_names =
-    { IPCOMP_OUI, IPCOMP_LZJH, ipcomp_transform_name, NULL };
+	{ IPCOMP_OUI, IPCOMP_LZJH, ipcomp_transform_name, NULL };
 
 /* Identification type values */
 
@@ -453,10 +434,10 @@ static const char *const ident_name[] = {
 	"ID_DER_ASN1_DN",
 	"ID_DER_ASN1_GN",
 	"ID_KEY_ID",
-    };
+};
 
 enum_names ident_names =
-    { ID_IPV4_ADDR, ID_KEY_ID, ident_name, NULL };
+	{ ID_IPV4_ADDR, ID_KEY_ID, ident_name, NULL };
 
 /* Certificate type values */
 
@@ -472,21 +453,18 @@ static const char *const cert_type_name[] = {
 	"CERT_ARL",
 	"CERT_SPKI",
 	"CERT_X509_ATTRIBUTE",
-    };
+};
 
 enum_names cert_type_names =
-    { CERT_NONE, CERT_X509_ATTRIBUTE, cert_type_name, NULL };
+	{ CERT_NONE, CERT_X509_ATTRIBUTE, cert_type_name, NULL };
 
 /* Certificate policy names */
 
-static const char *const cert_policy_name[] = {
+ENUM(cert_policy_names, CERT_ALWAYS_SEND, CERT_NEVER_SEND,
 	"ALWAYS_SEND",
 	"SEND_IF_ASKED",
 	"NEVER_SEND",
-    };
-
-enum_names cert_policy_names =
-    { CERT_ALWAYS_SEND, CERT_NEVER_SEND, cert_policy_name, NULL };
+);
 
 /* Goal BITs for establishing an SA
  * Note: we drop the POLICY_ prefix so that logs are more concise.
@@ -494,7 +472,7 @@ enum_names cert_policy_names =
 
 const char *const sa_policy_bit_names[] = {
 	"PSK",
-	"RSASIG",
+	"PUBKEY",
 	"ENCRYPT",
 	"AUTHENTICATE",
 	"COMPRESS",
@@ -517,24 +495,23 @@ const char *const sa_policy_bit_names[] = {
 	"DONTREAUTH",
 	"BEET",
 	"MOBIKE",
-	"ECDSA",
 	"PROXY",
 	NULL
-    };
+};
 
 const char *const policy_shunt_names[4] = {
 	"TRAP",
 	"PASS",
 	"DROP",
 	"REJECT",
-    };
+};
 
 const char *const policy_fail_names[4] = {
 	"NONE",
 	"PASS",
 	"DROP",
 	"REJECT",
-    };
+};
 
 /* Oakley transform attributes
  * oakley_attr_bit_names does double duty: it is used for enum names
@@ -560,7 +537,7 @@ const char *const oakley_attr_bit_names[] = {
 	"OAKLEY_GROUP_ORDER",
 	"OAKLEY_BLOCK_SIZE",
 	NULL
-    };
+};
 
 static const char *const oakley_var_attr_name[] = {
 	"OAKLEY_GROUP_PRIME (variable length)",
@@ -574,36 +551,36 @@ static const char *const oakley_var_attr_name[] = {
 	NULL,
 	NULL,
 	"OAKLEY_GROUP_ORDER (variable length)",
-    };
+};
 
 static enum_names oakley_attr_desc_tv = {
-    OAKLEY_ENCRYPTION_ALGORITHM + ISAKMP_ATTR_AF_TV,
-    OAKLEY_GROUP_ORDER + ISAKMP_ATTR_AF_TV, oakley_attr_bit_names, NULL };
+	OAKLEY_ENCRYPTION_ALGORITHM + ISAKMP_ATTR_AF_TV,
+	OAKLEY_GROUP_ORDER + ISAKMP_ATTR_AF_TV, oakley_attr_bit_names, NULL };
 
 enum_names oakley_attr_names = {
-    OAKLEY_GROUP_PRIME, OAKLEY_GROUP_ORDER,
-    oakley_var_attr_name, &oakley_attr_desc_tv };
+	OAKLEY_GROUP_PRIME, OAKLEY_GROUP_ORDER,
+	oakley_var_attr_name, &oakley_attr_desc_tv };
 
 /* for each Oakley attribute, which enum_names describes its values? */
 enum_names *oakley_attr_val_descs[] = {
-	NULL,			/* (none) */
-	&oakley_enc_names,	/* OAKLEY_ENCRYPTION_ALGORITHM */
-	&oakley_hash_names,	/* OAKLEY_HASH_ALGORITHM */
-	&oakley_auth_names,	/* OAKLEY_AUTHENTICATION_METHOD */
-	&oakley_group_names,	/* OAKLEY_GROUP_DESCRIPTION */
+	NULL,                   /* (none) */
+	&oakley_enc_names,      /* OAKLEY_ENCRYPTION_ALGORITHM */
+	&oakley_hash_names,     /* OAKLEY_HASH_ALGORITHM */
+	&oakley_auth_names,     /* OAKLEY_AUTHENTICATION_METHOD */
+	&oakley_group_names,    /* OAKLEY_GROUP_DESCRIPTION */
 	&oakley_group_type_names,/* OAKLEY_GROUP_TYPE */
-	NULL,			/* OAKLEY_GROUP_PRIME */
-	NULL,			/* OAKLEY_GROUP_GENERATOR_ONE */
-	NULL,			/* OAKLEY_GROUP_GENERATOR_TWO */
-	NULL,			/* OAKLEY_GROUP_CURVE_A */
-	NULL,			/* OAKLEY_GROUP_CURVE_B */
-	&oakley_lifetime_names,	/* OAKLEY_LIFE_TYPE */
-	NULL,			/* OAKLEY_LIFE_DURATION */
-	&oakley_prf_names,	/* OAKLEY_PRF */
-	NULL,			/* OAKLEY_KEY_LENGTH */
-	NULL,			/* OAKLEY_FIELD_SIZE */
-	NULL,			/* OAKLEY_GROUP_ORDER */
-    };
+	NULL,                   /* OAKLEY_GROUP_PRIME */
+	NULL,                   /* OAKLEY_GROUP_GENERATOR_ONE */
+	NULL,                   /* OAKLEY_GROUP_GENERATOR_TWO */
+	NULL,                   /* OAKLEY_GROUP_CURVE_A */
+	NULL,                   /* OAKLEY_GROUP_CURVE_B */
+	&oakley_lifetime_names, /* OAKLEY_LIFE_TYPE */
+	NULL,                   /* OAKLEY_LIFE_DURATION */
+	&oakley_prf_names,      /* OAKLEY_PRF */
+	NULL,                   /* OAKLEY_KEY_LENGTH */
+	NULL,                   /* OAKLEY_FIELD_SIZE */
+	NULL,                   /* OAKLEY_GROUP_ORDER */
+};
 
 /* IPsec DOI attributes (RFC 2407 "IPsec DOI" section 4.5) */
 
@@ -617,7 +594,7 @@ static const char *const ipsec_attr_name[] = {
 	"KEY_ROUNDS",
 	"COMPRESS_DICT_SIZE",
 	"COMPRESS_PRIVATE_ALG",
-    };
+};
 
 static const char *const ipsec_var_attr_name[] = {
 	"SA_LIFE_DURATION (variable length)",
@@ -628,40 +605,40 @@ static const char *const ipsec_var_attr_name[] = {
 	NULL,
 	NULL,
 	"COMPRESS_PRIVATE_ALG (variable length)",
-    };
+};
 
 static enum_names ipsec_attr_desc_tv = {
-    SA_LIFE_TYPE + ISAKMP_ATTR_AF_TV,
-    COMPRESS_PRIVATE_ALG + ISAKMP_ATTR_AF_TV,
-    ipsec_attr_name, NULL };
+	SA_LIFE_TYPE + ISAKMP_ATTR_AF_TV,
+	COMPRESS_PRIVATE_ALG + ISAKMP_ATTR_AF_TV,
+	ipsec_attr_name, NULL };
 
 enum_names ipsec_attr_names = {
-    SA_LIFE_DURATION, COMPRESS_PRIVATE_ALG,
-    ipsec_var_attr_name, &ipsec_attr_desc_tv };
+	SA_LIFE_DURATION, COMPRESS_PRIVATE_ALG,
+	ipsec_var_attr_name, &ipsec_attr_desc_tv };
 
 /* for each IPsec attribute, which enum_names describes its values? */
 enum_names *ipsec_attr_val_descs[] = {
-	NULL,			/* (none) */
-	&sa_lifetime_names,	/* SA_LIFE_TYPE */
-	NULL,			/* SA_LIFE_DURATION */
-	&oakley_group_names,	/* GROUP_DESCRIPTION */
-	&enc_mode_names,		/* ENCAPSULATION_MODE */
-	&auth_alg_names,		/* AUTH_ALGORITHM */
-	NULL,			/* KEY_LENGTH */
-	NULL,			/* KEY_ROUNDS */
-	NULL,			/* COMPRESS_DICT_SIZE */
-	NULL,			/* COMPRESS_PRIVATE_ALG */
-    };
+	NULL,                   /* (none) */
+	&sa_lifetime_names,     /* SA_LIFE_TYPE */
+	NULL,                   /* SA_LIFE_DURATION */
+	&oakley_group_names,    /* GROUP_DESCRIPTION */
+	&enc_mode_names,                /* ENCAPSULATION_MODE */
+	&auth_alg_names,                /* AUTH_ALGORITHM */
+	NULL,                   /* KEY_LENGTH */
+	NULL,                   /* KEY_ROUNDS */
+	NULL,                   /* COMPRESS_DICT_SIZE */
+	NULL,                   /* COMPRESS_PRIVATE_ALG */
+};
 
 /* SA Lifetime Type attribute */
 
 static const char *const sa_lifetime_name[] = {
 	"SA_LIFE_TYPE_SECONDS",
 	"SA_LIFE_TYPE_KBYTES",
-    };
+};
 
 enum_names sa_lifetime_names =
-    { SA_LIFE_TYPE_SECONDS, SA_LIFE_TYPE_KBYTES, sa_lifetime_name, NULL };
+	{ SA_LIFE_TYPE_SECONDS, SA_LIFE_TYPE_KBYTES, sa_lifetime_name, NULL };
 
 /* Encapsulation Mode attribute */
 
@@ -670,55 +647,55 @@ static const char *const enc_mode_name[] = {
 	"ENCAPSULATION_MODE_TRANSPORT",
 	"ENCAPSULATION_MODE_UDP_TUNNEL",
 	"ENCAPSULATION_MODE_UDP_TRANSPORT",
-    };
+};
 
 static const char *const enc_udp_mode_name[] = {
-	"ENCAPSULATION_MODE_UDP_TUNNEL",
-	"ENCAPSULATION_MODE_UDP_TRANSPORT",
-    };
+		"ENCAPSULATION_MODE_UDP_TUNNEL",
+		"ENCAPSULATION_MODE_UDP_TRANSPORT",
+	};
 
 static enum_names enc_udp_mode_names =
-    { ENCAPSULATION_MODE_UDP_TUNNEL_DRAFTS, ENCAPSULATION_MODE_UDP_TRANSPORT_DRAFTS, enc_udp_mode_name, NULL };
+	{ ENCAPSULATION_MODE_UDP_TUNNEL_DRAFTS, ENCAPSULATION_MODE_UDP_TRANSPORT_DRAFTS, enc_udp_mode_name, NULL };
 
 enum_names enc_mode_names =
-    { ENCAPSULATION_MODE_TUNNEL, ENCAPSULATION_MODE_UDP_TRANSPORT_RFC, enc_mode_name, &enc_udp_mode_names };
+	{ ENCAPSULATION_MODE_TUNNEL, ENCAPSULATION_MODE_UDP_TRANSPORT_RFC, enc_mode_name, &enc_udp_mode_names };
 
 /* Auth Algorithm attribute */
 
 static const char *const auth_alg_name[] = {
-	"AUTH_ALGORITHM_HMAC_MD5",
-	"AUTH_ALGORITHM_HMAC_SHA1",
-	"AUTH_ALGORITHM_DES_MAC",
-	"AUTH_ALGORITHM_KPDK",
-	"AUTH_ALGORITHM_HMAC_SHA2_256",
-	"AUTH_ALGORITHM_HMAC_SHA2_384",
-	"AUTH_ALGORITHM_HMAC_SHA2_512",
-	"AUTH_ALGORITHM_HMAC_RIPEMD",
-	"AUTH_ALGORITHM_AES_XCBC_MAC",
-	"AUTH_ALGORITHM_SIG_RSA"
-    };
+	"HMAC_MD5",
+	"HMAC_SHA1",
+	"DES_MAC",
+	"KPDK",
+	"HMAC_SHA2_256",
+	"HMAC_SHA2_384",
+	"HMAC_SHA2_512",
+	"HMAC_RIPEMD",
+	"AES_XCBC_96",
+	"SIG_RSA"
+};
 
 static const char *const extended_auth_alg_name[] = {
-	"AUTH_ALGORITHM_NULL"
-    };
+	"NULL"
+	};
 
 enum_names extended_auth_alg_names =
-    { AUTH_ALGORITHM_NULL, AUTH_ALGORITHM_NULL, extended_auth_alg_name, NULL };
+	{ AUTH_ALGORITHM_NULL, AUTH_ALGORITHM_NULL, extended_auth_alg_name, NULL };
 
 enum_names auth_alg_names =
-    { AUTH_ALGORITHM_HMAC_MD5, AUTH_ALGORITHM_SIG_RSA, auth_alg_name
-	, &extended_auth_alg_names };
+	{ AUTH_ALGORITHM_HMAC_MD5, AUTH_ALGORITHM_SIG_RSA, auth_alg_name
+		, &extended_auth_alg_names };
 
 /* From draft-beaulieu-ike-xauth */
 static const char *const xauth_type_name[] = {
-  "Generic",
-  "RADIUS-CHAP",
-  "OTP",
-  "S/KEY",
+	"Generic",
+	"RADIUS-CHAP",
+	"OTP",
+	"S/KEY",
 };
 
 enum_names xauth_type_names =
-    { XAUTH_TYPE_GENERIC, XAUTH_TYPE_SKEY, xauth_type_name, NULL};
+	{ XAUTH_TYPE_GENERIC, XAUTH_TYPE_SKEY, xauth_type_name, NULL};
 
 /* From draft-beaulieu-ike-xauth */
 static const char *const xauth_attr_tv_name[] = {
@@ -730,11 +707,11 @@ static const char *const xauth_attr_tv_name[] = {
 	NULL,
 	NULL,
 	"XAUTH_STATUS",
-    };
+};
 
 enum_names xauth_attr_tv_names = {
-    XAUTH_TYPE   + ISAKMP_ATTR_AF_TV,
-    XAUTH_STATUS + ISAKMP_ATTR_AF_TV, xauth_attr_tv_name, NULL };
+	XAUTH_TYPE   + ISAKMP_ATTR_AF_TV,
+	XAUTH_STATUS + ISAKMP_ATTR_AF_TV, xauth_attr_tv_name, NULL };
 
 static const char *const unity_attr_name[] = {
 	"UNITY_BANNER",
@@ -751,8 +728,15 @@ static const char *const unity_attr_name[] = {
 };
 
 enum_names unity_attr_names =
-    { UNITY_BANNER , UNITY_DDNS_HOSTNAME, unity_attr_name , &xauth_attr_tv_names };
+	{ UNITY_BANNER , UNITY_DDNS_HOSTNAME, unity_attr_name , &xauth_attr_tv_names };
 
+static const char *const microsoft_attr_name[] = {
+	"INTERNAL_IP4_SERVER",
+	"INTERNAL_IP6_SERVER",
+};
+
+enum_names microsoft_attr_names =
+	{ INTERNAL_IP4_SERVER, INTERNAL_IP6_SERVER, microsoft_attr_name , &unity_attr_names };
 
 static const char *const xauth_attr_name[] = {
 	"XAUTH_USER_NAME",
@@ -764,10 +748,10 @@ static const char *const xauth_attr_name[] = {
 	"XAUTH_STATUS (wrong TLV syntax, should be TV)",
 	"XAUTH_NEXT_PIN",
 	"XAUTH_ANSWER",
-    };
+};
 
 enum_names xauth_attr_names =
-    { XAUTH_USER_NAME , XAUTH_ANSWER, xauth_attr_name , &unity_attr_names };
+	{ XAUTH_USER_NAME , XAUTH_ANSWER, xauth_attr_name , &microsoft_attr_names };
 
 static const char *const modecfg_attr_name[] = {
 	"INTERNAL_IP4_ADDRESS",
@@ -785,97 +769,104 @@ static const char *const modecfg_attr_name[] = {
 	"INTERNAL_IP4_SUBNET",
 	"SUPPORTED_ATTRIBUTES",
 	"INTERNAL_IP6_SUBNET",
-    };
+};
 
 enum_names modecfg_attr_names =
-    { INTERNAL_IP4_ADDRESS, INTERNAL_IP6_SUBNET, modecfg_attr_name , &xauth_attr_names };
+	{ INTERNAL_IP4_ADDRESS, INTERNAL_IP6_SUBNET, modecfg_attr_name , &xauth_attr_names };
 
 /* Oakley Lifetime Type attribute */
 
 static const char *const oakley_lifetime_name[] = {
 	"OAKLEY_LIFE_SECONDS",
 	"OAKLEY_LIFE_KILOBYTES",
-    };
+};
 
 enum_names oakley_lifetime_names =
-    { OAKLEY_LIFE_SECONDS, OAKLEY_LIFE_KILOBYTES, oakley_lifetime_name, NULL };
+	{ OAKLEY_LIFE_SECONDS, OAKLEY_LIFE_KILOBYTES, oakley_lifetime_name, NULL };
 
 /* Oakley PRF attribute (none defined) */
 
 enum_names oakley_prf_names =
-    { 1, 0, NULL, NULL };
+	{ 1, 0, NULL, NULL };
 
 /* Oakley Encryption Algorithm attribute */
 
 static const char *const oakley_enc_name[] = {
-	"OAKLEY_DES_CBC",
-	"OAKLEY_IDEA_CBC",
-	"OAKLEY_BLOWFISH_CBC",
-	"OAKLEY_RC5_R16_B64_CBC",
-	"OAKLEY_3DES_CBC",
-	"OAKLEY_CAST_CBC",
-	"OAKLEY_AES_CBC",
-    };
+	"DES_CBC",
+	"IDEA_CBC",
+	"BLOWFISH_CBC",
+	"RC5_R16_B64_CBC",
+	"3DES_CBC",
+	"CAST_CBC",
+	"AES_CBC",
+	"CAMELLIA_CBC"
+};
 
 #ifdef NO_EXTRA_IKE
 enum_names oakley_enc_names =
-    { OAKLEY_DES_CBC, OAKLEY_AES_CBC, oakley_enc_name, NULL };
+	{ OAKLEY_DES_CBC, OAKLEY_CAMELLIA_CBC, oakley_enc_name, NULL };
 #else
 static const char *const oakley_enc_name_draft_aes_cbc_02[] = {
-	"OAKLEY_MARS_CBC"	/*	65001	*/,
-	"OAKLEY_RC6_CBC"     	/*	65002	*/,
-	"OAKLEY_ID_65003"	/*	65003	*/,
-	"OAKLEY_SERPENT_CBC"	/*	65004	*/,
-	"OAKLEY_TWOFISH_CBC"	/*	65005	*/,
+	"MARS_CBC"       /*      65001   */,
+	"RC6_CBC"        /*      65002   */,
+	"ID_65003"       /*      65003   */,
+	"SERPENT_CBC"    /*      65004   */,
+	"TWOFISH_CBC"    /*      65005   */,
 };
+
 static const char *const oakley_enc_name_ssh[] = {
-	"OAKLEY_TWOFISH_CBC_SSH",
+	"TWOFISH_CBC_SSH",
 };
+
 enum_names oakley_enc_names_ssh =
-    { OAKLEY_TWOFISH_CBC_SSH, OAKLEY_TWOFISH_CBC_SSH, oakley_enc_name_ssh
-	, NULL };
+	{ OAKLEY_TWOFISH_CBC_SSH, OAKLEY_TWOFISH_CBC_SSH, oakley_enc_name_ssh
+		, NULL };
 
 enum_names oakley_enc_names_draft_aes_cbc_02 =
-    { OAKLEY_MARS_CBC, OAKLEY_TWOFISH_CBC, oakley_enc_name_draft_aes_cbc_02
-	, &oakley_enc_names_ssh };
+	{ OAKLEY_MARS_CBC, OAKLEY_TWOFISH_CBC, oakley_enc_name_draft_aes_cbc_02
+		, &oakley_enc_names_ssh };
 
 enum_names oakley_enc_names =
-    { OAKLEY_DES_CBC, OAKLEY_AES_CBC, oakley_enc_name
-	, &oakley_enc_names_draft_aes_cbc_02 };
+	{ OAKLEY_DES_CBC, OAKLEY_CAMELLIA_CBC, oakley_enc_name
+		, &oakley_enc_names_draft_aes_cbc_02 };
 #endif
 
 /* Oakley Hash Algorithm attribute */
 
 static const char *const oakley_hash_name[] = {
-	"OAKLEY_MD5",
-	"OAKLEY_SHA",
-	"OAKLEY_TIGER",
-	"OAKLEY_SHA2_256",
-	"OAKLEY_SHA2_384",
-	"OAKLEY_SHA2_512",
-    };
+	"HMAC_MD5",
+	"HMAC_SHA1",
+	"HMAC_TIGER",
+	"HMAC_SHA2_256",
+	"HMAC_SHA2_384",
+	"HMAC_SHA2_512",
+};
 
 enum_names oakley_hash_names =
-    { OAKLEY_MD5, OAKLEY_SHA2_512, oakley_hash_name, NULL };
+	{ OAKLEY_MD5, OAKLEY_SHA2_512, oakley_hash_name, NULL };
 
 /* Oakley Authentication Method attribute */
 
 static const char *const oakley_auth_name1[] = {
-	"OAKLEY_PRESHARED_KEY",
-	"OAKLEY_DSS_SIG",
-	"OAKLEY_RSA_SIG",
-	"OAKLEY_RSA_ENC",
-	"OAKLEY_RSA_ENC_REV",
-	"OAKLEY_ELGAMAL_ENC",
-	"OAKLEY_ELGAMAL_ENC_REV",
-    };
+	"pre-shared key",
+	"DSS signature",
+	"RSA signature",
+	"RSA encryption",
+	"RSA encryption revised",
+	"ElGamal encryption",
+	"ELGamal encryption revised",
+	"ECDSA signature",
+	"ECDSA-256 signature",
+	"ECDSA-384 signature",
+	"ECDSA-521-signature",   
+};
 
 static const char *const oakley_auth_name2[] = {
 	"HybridInitRSA",
 	"HybridRespRSA",
 	"HybridInitDSS",
 	"HybridRespDSS",
-    };
+};
 
 static const char *const oakley_auth_name3[] = {
 	"XAUTHInitPreShared",
@@ -888,44 +879,64 @@ static const char *const oakley_auth_name3[] = {
 	"XAUTHRespRSAEncryption",
 	"XAUTHInitRSARevisedEncryption",
 	"XAUTHRespRSARevisedEncryption",
-    };
+};
 
 static enum_names oakley_auth_names1 =
-    { OAKLEY_PRESHARED_KEY, OAKLEY_ELGAMAL_ENC_REV
-	, oakley_auth_name1, NULL };
+	{ OAKLEY_PRESHARED_KEY, OAKLEY_ECDSA_521
+		, oakley_auth_name1, NULL };
 
 static enum_names oakley_auth_names2 =
-    { HybridInitRSA, HybridRespDSS
-	, oakley_auth_name2, &oakley_auth_names1 };
+	{ HybridInitRSA, HybridRespDSS
+		, oakley_auth_name2, &oakley_auth_names1 };
 
 enum_names oakley_auth_names =
-    { XAUTHInitPreShared, XAUTHRespRSARevisedEncryption
-	, oakley_auth_name3, &oakley_auth_names2 };
+	{ XAUTHInitPreShared, XAUTHRespRSARevisedEncryption
+		, oakley_auth_name3, &oakley_auth_names2 };
 
 /* Oakley Group Description attribute */
 
 static const char *const oakley_group_name[] = {
-	"OAKLEY_GROUP_MODP768",
-	"OAKLEY_GROUP_MODP1024",
-	"OAKLEY_GROUP_GP155",
-	"OAKLEY_GROUP_GP185",
-	"OAKLEY_GROUP_MODP1536",
-    };
+	"MODP_768",
+	"MODP_1024",
+	"GP_155",
+	"GP_185",
+	"MODP_1536",
+};
 
 static const char *const oakley_group_name_rfc3526[] = {
-	"OAKLEY_GROUP_MODP2048",
-	"OAKLEY_GROUP_MODP3072",
-	"OAKLEY_GROUP_MODP4096",
-	"OAKLEY_GROUP_MODP6144",
-	"OAKLEY_GROUP_MODP8192"
+	"MODP_2048",
+	"MODP_3072",
+	"MODP_4096",
+	"MODP_6144",
+	"MODP_8192"
+};
+
+static const char *const oakley_group_name_rfc4753[] = {
+	"ECP_256",
+	"ECP_384",
+	"ECP_521"
+};
+
+static const char *const oakley_group_name_rfc5114[] = {
+	"ECP_192",
+	"ECP_224"
 };
+
+enum_names oakley_group_names_rfc5114 =
+	{ ECP_192_BIT, ECP_224_BIT,
+			oakley_group_name_rfc5114, NULL };
+
+enum_names oakley_group_names_rfc4753 =
+	{ ECP_256_BIT, ECP_521_BIT,
+			oakley_group_name_rfc4753, &oakley_group_names_rfc5114 };
+
 enum_names oakley_group_names_rfc3526 =
-    { OAKLEY_GROUP_MODP2048, OAKLEY_GROUP_MODP8192,
-	    oakley_group_name_rfc3526, NULL };
+	{ MODP_2048_BIT, MODP_8192_BIT,
+			oakley_group_name_rfc3526, &oakley_group_names_rfc4753 };
 
 enum_names oakley_group_names =
-    { OAKLEY_GROUP_MODP768, OAKLEY_GROUP_MODP1536, 
-	    oakley_group_name, &oakley_group_names_rfc3526 };
+	{ MODP_768_BIT, MODP_1536_BIT, 
+			oakley_group_name, &oakley_group_names_rfc3526 };
 
 /* Oakley Group Type attribute */
 
@@ -933,10 +944,10 @@ static const char *const oakley_group_type_name[] = {
 	"OAKLEY_GROUP_TYPE_MODP",
 	"OAKLEY_GROUP_TYPE_ECP",
 	"OAKLEY_GROUP_TYPE_EC2N",
-    };
+};
 
 enum_names oakley_group_type_names =
-    { OAKLEY_GROUP_TYPE_MODP, OAKLEY_GROUP_TYPE_EC2N, oakley_group_type_name, NULL };
+	{ OAKLEY_GROUP_TYPE_MODP, OAKLEY_GROUP_TYPE_EC2N, oakley_group_type_name, NULL };
 
 /* Notify messages -- error types */
 
@@ -971,38 +982,38 @@ static const char *const notification_name[] = {
 	"CERTIFICATE_UNAVAILABLE",
 	"UNSUPPORTED_EXCHANGE_TYPE",
 	"UNEQUAL_PAYLOAD_LENGTHS",
-    };
+};
 
 static const char *const notification_status_name[] = {
 	"CONNECTED",
-    };
+};
 
 static const char *const ipsec_notification_name[] = {
 	"IPSEC_RESPONDER_LIFETIME",
 	"IPSEC_REPLAY_STATUS",
 	"IPSEC_INITIAL_CONTACT",
-    };
+};
 
 static const char *const notification_dpd_name[] = {
-        "R_U_THERE",
-        "R_U_THERE_ACK",
+	"R_U_THERE",
+	"R_U_THERE_ACK",
 };
 
 enum_names notification_dpd_names =
-    { R_U_THERE, R_U_THERE_ACK,
-        notification_dpd_name, NULL };
+	{ R_U_THERE, R_U_THERE_ACK,
+		notification_dpd_name, NULL };
 
 enum_names ipsec_notification_names =
-    { IPSEC_RESPONDER_LIFETIME, IPSEC_INITIAL_CONTACT,
-	ipsec_notification_name, &notification_dpd_names };
+	{ IPSEC_RESPONDER_LIFETIME, IPSEC_INITIAL_CONTACT,
+		ipsec_notification_name, &notification_dpd_names };
 
 enum_names notification_status_names =
-    { CONNECTED, CONNECTED,
-	notification_status_name, &ipsec_notification_names };
+	{ CONNECTED, CONNECTED,
+		notification_status_name, &ipsec_notification_names };
 
 enum_names notification_names =
-    { INVALID_PAYLOAD_TYPE, UNEQUAL_PAYLOAD_LENGTHS,
-	notification_name, &notification_status_names };
+	{ INVALID_PAYLOAD_TYPE, UNEQUAL_PAYLOAD_LENGTHS,
+		notification_name, &notification_status_names };
 
 /* MODECFG
  * From draft-dukes-ike-mode-cfg
@@ -1014,20 +1025,20 @@ const char *const attr_msg_type_name[] = {
 	"ISAKMP_CFG_SET",
 	"ISAKMP_CFG_ACK",
 	NULL
-    };
+};
 
 enum_names attr_msg_type_names =
-    { 0 , ISAKMP_CFG_ACK, attr_msg_type_name , NULL };
+	{ 0 , ISAKMP_CFG_ACK, attr_msg_type_name , NULL };
 
 /* socket address family info */
 
 static const char *const af_inet_name[] = {
 	"AF_INET",
-    };
+};
 
 static const char *const af_inet6_name[] = {
 	"AF_INET6",
-    };
+};
 
 static enum_names af_names6 = { AF_INET6, AF_INET6, af_inet6_name, NULL };
 
@@ -1045,7 +1056,7 @@ const struct af_info af_inet4_info = {
 	32,
 	ID_IPV4_ADDR, ID_IPV4_ADDR_SUBNET, ID_IPV4_ADDR_RANGE,
 	&ipv4_any, &ipv4_wildcard, &ipv4_all,
-    };
+};
 
 const struct af_info af_inet6_info = {
 	AF_INET6,
@@ -1055,29 +1066,28 @@ const struct af_info af_inet6_info = {
 	128,
 	ID_IPV6_ADDR, ID_IPV6_ADDR_SUBNET, ID_IPV6_ADDR_RANGE,
 	&ipv6_any, &ipv6_wildcard, &ipv6_all,
-    };
+};
 
 const struct af_info *
 aftoinfo(int af)
 {
-    switch (af)
-    {
-	case AF_INET:
-	    return &af_inet4_info;
-	case AF_INET6:
-	    return &af_inet6_info;
-	default:
-	    return NULL;
-    }
+	switch (af)
+	{
+		case AF_INET:
+			return &af_inet4_info;
+		case AF_INET6:
+			return &af_inet6_info;
+		default:
+			return NULL;
+	}
 }
 
-bool
-subnetisnone(const ip_subnet *sn)
+bool subnetisnone(const ip_subnet *sn)
 {
-    ip_address base;
+	ip_address base;
 
-    networkof(sn, &base);
-    return isanyaddr(&base) && subnetishost(sn);
+	networkof(sn, &base);
+	return isanyaddr(&base) && subnetishost(sn);
 }
 
 /* BIND enumerated types */
@@ -1085,62 +1095,62 @@ subnetisnone(const ip_subnet *sn)
 #include <arpa/nameser.h>
 
 static const char *const rr_type_name[] = {
-	"T_A",	/* 1 host address */
-	"T_NS",	/* 2 authoritative server */
-	"T_MD",	/* 3 mail destination */
-	"T_MF",	/* 4 mail forwarder */
-	"T_CNAME",	/* 5 canonical name */
-	"T_SOA",	/* 6 start of authority zone */
-	"T_MB",	/* 7 mailbox domain name */
-	"T_MG",	/* 8 mail group member */
-	"T_MR",	/* 9 mail rename name */
-	"T_NULL",	/* 10 null resource record */
-	"T_WKS",	/* 11 well known service */
-	"T_PTR",	/* 12 domain name pointer */
-	"T_HINFO",	/* 13 host information */
-	"T_MINFO",	/* 14 mailbox information */
-	"T_MX",	/* 15 mail routing information */
-	"T_TXT",	/* 16 text strings */
-	"T_RP",	/* 17 responsible person */
-	"T_AFSDB",	/* 18 AFS cell database */
-	"T_X25",	/* 19 X_25 calling address */
-	"T_ISDN",	/* 20 ISDN calling address */
-	"T_RT",	/* 21 router */
-	"T_NSAP",	/* 22 NSAP address */
-	"T_NSAP_PTR",	/* 23 reverse NSAP lookup (deprecated) */
-	"T_SIG",	/* 24 security signature */
-	"T_KEY",	/* 25 security key */
-	"T_PX",	/* 26 X.400 mail mapping */
-	"T_GPOS",	/* 27 geographical position (withdrawn) */
-	"T_AAAA",	/* 28 IP6 Address */
-	"T_LOC",	/* 29 Location Information */
-	"T_NXT",	/* 30 Next Valid Name in Zone */
-	"T_EID",	/* 31 Endpoint identifier */
-	"T_NIMLOC",	/* 32 Nimrod locator */
-	"T_SRV",	/* 33 Server selection */
-	"T_ATMA",	/* 34 ATM Address */
-	"T_NAPTR",	/* 35 Naming Authority PoinTeR */
+	"T_A",  /* 1 host address */
+	"T_NS", /* 2 authoritative server */
+	"T_MD", /* 3 mail destination */
+	"T_MF", /* 4 mail forwarder */
+	"T_CNAME",      /* 5 canonical name */
+	"T_SOA",        /* 6 start of authority zone */
+	"T_MB", /* 7 mailbox domain name */
+	"T_MG", /* 8 mail group member */
+	"T_MR", /* 9 mail rename name */
+	"T_NULL",       /* 10 null resource record */
+	"T_WKS",        /* 11 well known service */
+	"T_PTR",        /* 12 domain name pointer */
+	"T_HINFO",      /* 13 host information */
+	"T_MINFO",      /* 14 mailbox information */
+	"T_MX", /* 15 mail routing information */
+	"T_TXT",        /* 16 text strings */
+	"T_RP", /* 17 responsible person */
+	"T_AFSDB",      /* 18 AFS cell database */
+	"T_X25",        /* 19 X_25 calling address */
+	"T_ISDN",       /* 20 ISDN calling address */
+	"T_RT", /* 21 router */
+	"T_NSAP",       /* 22 NSAP address */
+	"T_NSAP_PTR",   /* 23 reverse NSAP lookup (deprecated) */
+	"T_SIG",        /* 24 security signature */
+	"T_KEY",        /* 25 security key */
+	"T_PX", /* 26 X.400 mail mapping */
+	"T_GPOS",       /* 27 geographical position (withdrawn) */
+	"T_AAAA",       /* 28 IP6 Address */
+	"T_LOC",        /* 29 Location Information */
+	"T_NXT",        /* 30 Next Valid Name in Zone */
+	"T_EID",        /* 31 Endpoint identifier */
+	"T_NIMLOC",     /* 32 Nimrod locator */
+	"T_SRV",        /* 33 Server selection */
+	"T_ATMA",       /* 34 ATM Address */
+	"T_NAPTR",      /* 35 Naming Authority PoinTeR */
 	NULL
-    };
+};
 
 enum_names rr_type_names = { T_A, T_NAPTR, rr_type_name, NULL };
 
 /* Query type values which do not appear in resource records */
 static const char *const rr_qtype_name[] = {
-	"T_IXFR",	/* 251 incremental zone transfer */
-	"T_AXFR",	/* 252 transfer zone of authority */
-	"T_MAILB",	/* 253 transfer mailbox records */
-	"T_MAILA",	/* 254 transfer mail agent records */
-	"T_ANY",	/* 255 wildcard match */
+	"T_IXFR",       /* 251 incremental zone transfer */
+	"T_AXFR",       /* 252 transfer zone of authority */
+	"T_MAILB",      /* 253 transfer mailbox records */
+	"T_MAILA",      /* 254 transfer mail agent records */
+	"T_ANY",        /* 255 wildcard match */
 	NULL
-    };
+};
 
 enum_names rr_qtype_names = { T_IXFR, T_ANY, rr_qtype_name, &rr_type_names };
 
 static const char *const rr_class_name[] = {
-	"C_IN",	/* 1 the arpa internet */
+	"C_IN", /* 1 the arpa internet */
 	NULL
-    };
+};
 
 enum_names rr_class_names = { C_IN, C_IN, rr_class_name, NULL };
 
@@ -1149,34 +1159,33 @@ enum_names rr_class_names = { C_IN, C_IN, rr_class_name, NULL };
  *
  */
 const char *const natt_type_bitnames[] = {
-  "draft-ietf-ipsec-nat-t-ike-00/01",    /* 0 */
-  "draft-ietf-ipsec-nat-t-ike-02/03",
-  "RFC 3947",
-  "3",                                   /* 3 */
-  "4",   "5",   "6",   "7",
-  "8",   "9",   "10",  "11",
-  "12",  "13",  "14",  "15",
-  "16",  "17",  "18",  "19", 
-  "20",  "21",  "22",  "23",
-  "24",  "25",  "26",  "27",
-  "28",  "29",
-  "nat is behind me",
-  "nat is behind peer"
+	"draft-ietf-ipsec-nat-t-ike-00/01",    /* 0 */
+	"draft-ietf-ipsec-nat-t-ike-02/03",
+	"RFC 3947",
+	"3",                                   /* 3 */
+	"4",   "5",   "6",   "7",
+	"8",   "9",   "10",  "11",
+	"12",  "13",  "14",  "15",
+	"16",  "17",  "18",  "19", 
+	"20",  "21",  "22",  "23",
+	"24",  "25",  "26",  "27",
+	"28",  "29",
+	"nat is behind me",
+	"nat is behind peer"
 };
 
 /* look up enum names in an enum_names */
 
-const char *
-enum_name(enum_names *ed, unsigned long val)
+const char* enum_name(enum_names *ed, unsigned long val)
 {
-    enum_names	*p;
-
-    for (p = ed; p != NULL; p = p->en_next_range)
-    {
-	if (p->en_first <= val && val <= p->en_last)
-	    return p->en_names[val - p->en_first];
-    }
-    return NULL;
+	enum_names  *p;
+
+	for (p = ed; p != NULL; p = p->en_next_range)
+	{
+		if (p->en_first <= val && val <= p->en_last)
+			return p->en_names[val - p->en_first];
+	}
+	return NULL;
 }
 
 /* find or construct a string to describe an enum value
@@ -1185,16 +1194,16 @@ enum_name(enum_names *ed, unsigned long val)
 const char *
 enum_show(enum_names *ed, unsigned long val)
 {
-    const char *p = enum_name(ed, val);
+	const char *p = enum_name(ed, val);
 
-    if (p == NULL)
-    {
-	static char buf[12];	/* only one!  I hope that it is big enough */
+	if (p == NULL)
+	{
+		static char buf[12];    /* only one!  I hope that it is big enough */
 
-	snprintf(buf, sizeof(buf), "%lu??", val);
-	p = buf;
-    }
-    return p;
+		snprintf(buf, sizeof(buf), "%lu??", val);
+		p = buf;
+	}
+	return p;
 }
 
 
@@ -1203,123 +1212,126 @@ static char bitnamesbuf[200];   /* only one!  I hope that it is big enough! */
 int 
 enum_search(enum_names *ed, const char *str) 
 {
-    enum_names	*p;
-    const char *ptr;
-    unsigned en;
+	enum_names  *p;
+	const char *ptr;
+	unsigned en;
 
-    for (p = ed; p != NULL; p = p->en_next_range)
-	for (en = p->en_first; en <= p->en_last ;en++)
+	for (p = ed; p != NULL; p = p->en_next_range)
 	{
-	    ptr = p->en_names[en - p->en_first];
-	    if (ptr == 0) continue;
-	    /* if (strncmp(ptr, str, strlen(ptr))==0) */
-	    if (strcmp(ptr, str) == 0)
-		    return en;
+		for (en = p->en_first; en <= p->en_last ;en++)
+		{
+			ptr = p->en_names[en - p->en_first];
+			if (ptr == 0)
+			{
+				continue;
+			}
+			if (streq(ptr, str))
+			{
+				return en;
+			}
+		}
 	}
-    return -1;
+	return -1;
 }
 
 /* construct a string to name the bits on in a set
  * Result may be in STATIC buffer!
  * Note: prettypolicy depends on internal details.
  */
-const char *
-bitnamesof(const char *const table[], lset_t val)
+const char* bitnamesof(const char *const table[], lset_t val)
 {
-    char *p = bitnamesbuf;
-    lset_t bit;
-    const char *const *tp;
+	char *p = bitnamesbuf;
+	lset_t bit;
+	const char *const *tp;
 
-    if (val == 0)
-	return "none";
+	if (val == 0)
+		return "none";
 
-    for (tp = table, bit = 01; val != 0; bit <<= 1)
-    {
-	if (val & bit)
+	for (tp = table, bit = 01; val != 0; bit <<= 1)
 	{
-	    const char *n = *tp;
-	    size_t nl;
-
-	    if (n == NULL || *n == '\0')
-	    {
-		/* no name for this bit, so use hex */
-		static char flagbuf[sizeof("0x80000000")];
-
-		snprintf(flagbuf, sizeof(flagbuf), "0x%llx", bit);
-		n = flagbuf;
-	    }
-
-	    nl = strlen(n);
-
-	    if (p != bitnamesbuf && p < bitnamesbuf+sizeof(bitnamesbuf) - 1)
-		*p++ = '+';
-
-	    if (bitnamesbuf+sizeof(bitnamesbuf) - p > (ptrdiff_t)nl)
-	    {
-		strcpy(p, n);
-		p += nl;
-	    }
-	    val -= bit;
+		if (val & bit)
+		{
+			const char *n = *tp;
+			size_t nl;
+
+			if (n == NULL || *n == '\0')
+			{
+				/* no name for this bit, so use hex */
+				static char flagbuf[sizeof("0x80000000")];
+
+				snprintf(flagbuf, sizeof(flagbuf), "0x%llx", bit);
+				n = flagbuf;
+			}
+
+			nl = strlen(n);
+
+			if (p != bitnamesbuf && p < bitnamesbuf+sizeof(bitnamesbuf) - 1)
+				*p++ = '+';
+
+			if (bitnamesbuf+sizeof(bitnamesbuf) - p > (ptrdiff_t)nl)
+			{
+				strcpy(p, n);
+				p += nl;
+			}
+			val -= bit;
+		}
+		if (*tp != NULL)
+			tp++;   /* move on, but not past end */
 	}
-	if (*tp != NULL)
-	    tp++;   /* move on, but not past end */
-    }
-    *p = '\0';
-    return bitnamesbuf;
+	*p = '\0';
+	return bitnamesbuf;
 }
 
 /* print a policy: like bitnamesof, but it also does the non-bitfields.
  * Suppress the shunt and fail fields if 0.
  */
-const char *
-prettypolicy(lset_t policy)
+const char* prettypolicy(lset_t policy)
 {
-    const char *bn = bitnamesof(sa_policy_bit_names
-	, policy & ~(POLICY_SHUNT_MASK | POLICY_FAIL_MASK));
-    size_t len;
-    lset_t shunt = (policy & POLICY_SHUNT_MASK) >> POLICY_SHUNT_SHIFT;
-    lset_t fail = (policy & POLICY_FAIL_MASK) >> POLICY_FAIL_SHIFT;
-
-    if (bn != bitnamesbuf)
-	bitnamesbuf[0] = '\0';
-    len = strlen(bitnamesbuf);
-    if (shunt != 0)
-    {
-	snprintf(bitnamesbuf + len, sizeof(bitnamesbuf) - len, "+%s"
-	    , policy_shunt_names[shunt]);
-	len += strlen(bitnamesbuf + len);
-    }
-    if (fail != 0)
-    {
-	snprintf(bitnamesbuf + len, sizeof(bitnamesbuf) - len, "+failure%s"
-	    , policy_fail_names[fail]);
-	len += strlen(bitnamesbuf + len);
-    }
-    if (NEVER_NEGOTIATE(policy))
-    {
-	snprintf(bitnamesbuf + len, sizeof(bitnamesbuf) - len, "+NEVER_NEGOTIATE");
-	len += strlen(bitnamesbuf + len);
-    }
-    return bitnamesbuf;
+	const char *bn = bitnamesof(sa_policy_bit_names
+		, policy & ~(POLICY_SHUNT_MASK | POLICY_FAIL_MASK));
+	size_t len;
+	lset_t shunt = (policy & POLICY_SHUNT_MASK) >> POLICY_SHUNT_SHIFT;
+	lset_t fail = (policy & POLICY_FAIL_MASK) >> POLICY_FAIL_SHIFT;
+
+	if (bn != bitnamesbuf)
+		bitnamesbuf[0] = '\0';
+	len = strlen(bitnamesbuf);
+	if (shunt != 0)
+	{
+		snprintf(bitnamesbuf + len, sizeof(bitnamesbuf) - len, "+%s"
+			, policy_shunt_names[shunt]);
+		len += strlen(bitnamesbuf + len);
+	}
+	if (fail != 0)
+	{
+		snprintf(bitnamesbuf + len, sizeof(bitnamesbuf) - len, "+failure%s"
+			, policy_fail_names[fail]);
+		len += strlen(bitnamesbuf + len);
+	}
+	if (NEVER_NEGOTIATE(policy))
+	{
+		snprintf(bitnamesbuf + len, sizeof(bitnamesbuf) - len, "+NEVER_NEGOTIATE");
+		len += strlen(bitnamesbuf + len);
+	}
+	return bitnamesbuf;
 }
 
 /* test a set by seeing if all bits have names */
 
-bool
-testset(const char *const table[], lset_t val)
+bool testset(const char *const table[], lset_t val)
 {
-    lset_t bit;
-    const char *const *tp;
-
-    for (tp = table, bit = 01; val != 0; bit <<= 1, tp++)
-    {
-	const char *n = *tp;
-
-	if (n == NULL || ((val & bit) && *n == '\0'))
-	    return FALSE;
-	val &= ~bit;
-    }
-    return TRUE;
+	lset_t bit;
+	const char *const *tp;
+
+	for (tp = table, bit = 01; val != 0; bit <<= 1, tp++)
+	{
+		const char *n = *tp;
+
+		if (n == NULL || ((val & bit) && *n == '\0'))
+			return FALSE;
+		val &= ~bit;
+	}
+	return TRUE;
 }
 
 
@@ -1328,40 +1340,43 @@ const char sparse_end[] = "end of sparse names";
 /* look up enum names in a sparse_names */
 const char *sparse_name(sparse_names sd, unsigned long val)
 {
-    const struct sparse_name *p;
+	const struct sparse_name *p;
 
-    for (p = sd; p->name != sparse_end; p++)
-	if (p->val == val)
-	    return p->name;
-    return NULL;
+	for (p = sd; p->name != sparse_end; p++)
+		if (p->val == val)
+			return p->name;
+	return NULL;
 }
 
 /* find or construct a string to describe an sparse value
  * Result may be in STATIC buffer!
  */
-const char *
-sparse_val_show(sparse_names sd, unsigned long val)
+const char* sparse_val_show(sparse_names sd, unsigned long val)
 {
-    const char *p = sparse_name(sd, val);
+	const char *p = sparse_name(sd, val);
 
-    if (p == NULL)
-    {
-	static char buf[12];	/* only one!  I hope that it is big enough */
+	if (p == NULL)
+	{
+		static char buf[12];    /* only one!  I hope that it is big enough */
 
-	snprintf(buf, sizeof(buf), "%lu??", val);
-	p = buf;
-    }
-    return p;
+		snprintf(buf, sizeof(buf), "%lu??", val);
+		p = buf;
+	}
+	return p;
 }
 
 void init_constants(void)
 {
-    happy(anyaddr(AF_INET, &ipv4_any));
-    happy(anyaddr(AF_INET6, &ipv6_any));
+	happy(anyaddr(AF_INET, &ipv4_any));
+	happy(anyaddr(AF_INET6, &ipv6_any));
 
-    happy(addrtosubnet(&ipv4_any, &ipv4_wildcard));
-    happy(addrtosubnet(&ipv6_any, &ipv6_wildcard));
+	happy(addrtosubnet(&ipv4_any, &ipv4_wildcard));
+	happy(addrtosubnet(&ipv6_any, &ipv6_wildcard));
 
-    happy(initsubnet(&ipv4_any, 0, '0', &ipv4_all));
-    happy(initsubnet(&ipv6_any, 0, '0', &ipv6_all));
+	happy(initsubnet(&ipv4_any, 0, '0', &ipv4_all));
+	happy(initsubnet(&ipv6_any, 0, '0', &ipv6_all));
 }
+
+u_char secret_of_the_day[HASH_SIZE_SHA1];
+
+
diff --git a/src/pluto/constants.h b/src/pluto/constants.h
index 409dd1d61..5fe936e08 100644
--- a/src/pluto/constants.h
+++ b/src/pluto/constants.h
@@ -1,4 +1,3 @@
-
 /* manifest constants
  * Copyright (C) 1997 Angelos D. Keromytis.
  * Copyright (C) 1998-2002  D. Hugh Redelmeier.
@@ -12,13 +11,15 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: constants.h 4612 2008-11-11 06:37:37Z andreas $
  */
 
 #ifndef _CONSTANTS_H
 #define _CONSTANTS_H
 
+#include <utils.h>
+#include <utils/identification.h>
+#include <crypto/hashers/hasher.h>
+
 extern const char compile_time_interop_options[];
 
 extern void init_constants(void);
@@ -28,8 +29,6 @@ extern void init_constants(void);
  * Any changes here should be reflected there.
  */
 
-#define elemsof(array) (sizeof(array) / sizeof(*(array)))	/* number of elements in an array */
-
 /* Many routines return only success or failure, but wish to describe
  * the failure in a message.  We use the convention that they return
  * a NULL on success and a pointer to constant string on failure.
@@ -39,19 +38,10 @@ extern void init_constants(void);
  * <freeswan.h> defines err_t for this return type.
  */
 
-typedef int bool;
-#define FALSE	0
-#define TRUE	1
-
-#define NULL_FD	(-1)	/* NULL file descriptor */
+#define NULL_FD (-1)    /* NULL file descriptor */
 #define dup_any(fd) ((fd) == NULL_FD? NULL_FD : dup(fd))
 #define close_any(fd) { if ((fd) != NULL_FD) { close(fd); (fd) = NULL_FD; } }
 
-#define BITS_PER_BYTE	8
-
-#define streq(a, b) (strcmp((a), (b)) == 0)	/* clearer shorthand */
-#define strcaseeq(a, b) (strcasecmp((a), (b)) == 0)	/* clearer shorthand */
-
 /* set type with room for at least 64 elements for ALG opts (was 32 in stock FS) */
 
 typedef unsigned long long lset_t;
@@ -71,8 +61,8 @@ typedef unsigned long long lset_t;
 # define DEFAULT_CTLBASE IPSEC_PIDDIR "/pluto"
 #endif
 
-#define CTL_SUFFIX ".ctl"	/* for UNIX domain socket pathname */
-#define LOCK_SUFFIX ".pid"	/* for pluto's lock */
+#define CTL_SUFFIX ".ctl"       /* for UNIX domain socket pathname */
+#define LOCK_SUFFIX ".pid"      /* for pluto's lock */
 #define INFO_SUFFIX ".info"     /* for UNIX domain socket for apps */
 
 /* Routines to check and display values.
@@ -86,10 +76,10 @@ typedef unsigned long long lset_t;
  */
 
 struct enum_names {
-    unsigned long en_first;  /* first value in range */
-    unsigned long en_last;   /* last value in range (inclusive) */
-    const char *const *en_names;
-    const struct enum_names *en_next_range;	/* descriptor of next range */
+	unsigned long en_first;  /* first value in range */
+	unsigned long en_last;   /* last value in range (inclusive) */
+	const char *const *en_names;
+	const struct enum_names *en_next_range;     /* descriptor of next range */
 };
 
 typedef const struct enum_names enum_names;
@@ -108,8 +98,8 @@ extern const char *bitnamesof(const char *const table[], lset_t val);
  * Often appropriate for enums defined by others.
  */
 struct sparse_name {
-    unsigned long val;
-    const char *const name;
+	unsigned long val;
+	const char *const name;
 };
 typedef const struct sparse_name sparse_names[];
 
@@ -119,264 +109,172 @@ extern const char sparse_end[];
 
 #define FULL_INET_ADDRESS_SIZE    6
 
-/* Group parameters from draft-ietf-ike-01.txt section 6 */
-
-#define MODP_GENERATOR "2"
-
-#define MODP768_MODULUS \
-    "FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 " \
-    "29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD " \
-    "EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245 " \
-    "E485B576 625E7EC6 F44C42E9 A63A3620 FFFFFFFF FFFFFFFF"
-
-#define MODP1024_MODULUS \
-    "FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 " \
-    "29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD " \
-    "EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245 " \
-    "E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED " \
-    "EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 " \
-    "FFFFFFFF FFFFFFFF"
-
-#define MODP1536_MODULUS \
-    "FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 " \
-    "29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD " \
-    "EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245 " \
-    "E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED " \
-    "EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D " \
-    "C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F " \
-    "83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D " \
-    "670C354E 4ABC9804 F1746C08 CA237327 FFFFFFFF FFFFFFFF "
-
-/* draft-ietf-ipsec-ike-modp-groups-03.txt */
-#define MODP2048_MODULUS \
-	"FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1" \
-	"29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD" \
-	"EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245" \
-	"E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED" \
-	"EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D" \
-	"C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F" \
-	"83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D" \
-	"670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B" \
-	"E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9" \
-	"DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510" \
-	"15728E5A 8AACAA68 FFFFFFFF FFFFFFFF"
-
-#define MODP3072_MODULUS \
-	"FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1" \
-	"29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD" \
-	"EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245" \
-	"E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED" \
-	"EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D" \
-	"C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F" \
-	"83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D" \
-	"670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B" \
-	"E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9" \
-	"DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510" \
-	"15728E5A 8AAAC42D AD33170D 04507A33 A85521AB DF1CBA64" \
-	"ECFB8504 58DBEF0A 8AEA7157 5D060C7D B3970F85 A6E1E4C7" \
-	"ABF5AE8C DB0933D7 1E8C94E0 4A25619D CEE3D226 1AD2EE6B" \
-	"F12FFA06 D98A0864 D8760273 3EC86A64 521F2B18 177B200C" \
-	"BBE11757 7A615D6C 770988C0 BAD946E2 08E24FA0 74E5AB31" \
-	"43DB5BFC E0FD108E 4B82D120 A93AD2CA FFFFFFFF FFFFFFFF"
-
-#define MODP4096_MODULUS \
-	"FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1" \
-	"29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD" \
-	"EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245" \
-	"E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED" \
-	"EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D" \
-	"C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F" \
-	"83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D" \
-	"670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B" \
-	"E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9" \
-	"DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510" \
-	"15728E5A 8AAAC42D AD33170D 04507A33 A85521AB DF1CBA64" \
-	"ECFB8504 58DBEF0A 8AEA7157 5D060C7D B3970F85 A6E1E4C7" \
-	"ABF5AE8C DB0933D7 1E8C94E0 4A25619D CEE3D226 1AD2EE6B" \
-	"F12FFA06 D98A0864 D8760273 3EC86A64 521F2B18 177B200C" \
-	"BBE11757 7A615D6C 770988C0 BAD946E2 08E24FA0 74E5AB31" \
-	"43DB5BFC E0FD108E 4B82D120 A9210801 1A723C12 A787E6D7" \
-	"88719A10 BDBA5B26 99C32718 6AF4E23C 1A946834 B6150BDA" \
-	"2583E9CA 2AD44CE8 DBBBC2DB 04DE8EF9 2E8EFC14 1FBECAA6" \
-	"287C5947 4E6BC05D 99B2964F A090C3A2 233BA186 515BE7ED" \
-	"1F612970 CEE2D7AF B81BDD76 2170481C D0069127 D5B05AA9" \
-	"93B4EA98 8D8FDDC1 86FFB7DC 90A6C08F 4DF435C9 34063199" \
-	"FFFFFFFF FFFFFFFF"
-
-/* copy&pasted from rfc3526: */
-#define MODP6144_MODULUS \
-	"FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08" \
-	"8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B" \
-	"302B0A6D F25F1437 4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9" \
-	"A637ED6B 0BFF5CB6 F406B7ED EE386BFB 5A899FA5 AE9F2411 7C4B1FE6" \
-	"49286651 ECE45B3D C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8" \
-	"FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D" \
-	"670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B E39E772C" \
-	"180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718" \
-	"3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AAAC42D AD33170D" \
-	"04507A33 A85521AB DF1CBA64 ECFB8504 58DBEF0A 8AEA7157 5D060C7D" \
-	"B3970F85 A6E1E4C7 ABF5AE8C DB0933D7 1E8C94E0 4A25619D CEE3D226" \
-	"1AD2EE6B F12FFA06 D98A0864 D8760273 3EC86A64 521F2B18 177B200C" \
-	"BBE11757 7A615D6C 770988C0 BAD946E2 08E24FA0 74E5AB31 43DB5BFC" \
-	"E0FD108E 4B82D120 A9210801 1A723C12 A787E6D7 88719A10 BDBA5B26" \
-	"99C32718 6AF4E23C 1A946834 B6150BDA 2583E9CA 2AD44CE8 DBBBC2DB" \
-	"04DE8EF9 2E8EFC14 1FBECAA6 287C5947 4E6BC05D 99B2964F A090C3A2" \
-	"233BA186 515BE7ED 1F612970 CEE2D7AF B81BDD76 2170481C D0069127" \
-	"D5B05AA9 93B4EA98 8D8FDDC1 86FFB7DC 90A6C08F 4DF435C9 34028492" \
-	"36C3FAB4 D27C7026 C1D4DCB2 602646DE C9751E76 3DBA37BD F8FF9406" \
-	"AD9E530E E5DB382F 413001AE B06A53ED 9027D831 179727B0 865A8918" \
-	"DA3EDBEB CF9B14ED 44CE6CBA CED4BB1B DB7F1447 E6CC254B 33205151" \
-	"2BD7AF42 6FB8F401 378CD2BF 5983CA01 C64B92EC F032EA15 D1721D03" \
-	"F482D7CE 6E74FEF6 D55E702F 46980C82 B5A84031 900B1C9E 59E7C97F" \
-	"BEC7E8F3 23A97A7E 36CC88BE 0F1D45B7 FF585AC5 4BD407B2 2B4154AA" \
-	"CC8F6D7E BF48E1D8 14CC5ED2 0F8037E0 A79715EE F29BE328 06A1D58B" \
-	"B7C5DA76 F550AA3D 8A1FBFF0 EB19CCB1 A313D55C DA56C9EC 2EF29632" \
-	"387FE8D7 6E3C0468 043E8F66 3F4860EE 12BF2D5B 0B7474D6 E694F91E" \
-	"6DCC4024 FFFFFFFF FFFFFFFF"
-
-/* copy&pasted from rfc3526: */
-#define MODP8192_MODULUS \
-	"FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1" \
-	"29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD" \
-	"EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245" \
-	"E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED" \
-	"EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D" \
-	"C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F" \
-	"83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D" \
-	"670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B" \
-	"E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9" \
-	"DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510" \
-	"15728E5A 8AAAC42D AD33170D 04507A33 A85521AB DF1CBA64" \
-	"ECFB8504 58DBEF0A 8AEA7157 5D060C7D B3970F85 A6E1E4C7" \
-	"ABF5AE8C DB0933D7 1E8C94E0 4A25619D CEE3D226 1AD2EE6B" \
-	"F12FFA06 D98A0864 D8760273 3EC86A64 521F2B18 177B200C" \
-	"BBE11757 7A615D6C 770988C0 BAD946E2 08E24FA0 74E5AB31" \
-	"43DB5BFC E0FD108E 4B82D120 A9210801 1A723C12 A787E6D7" \
-	"88719A10 BDBA5B26 99C32718 6AF4E23C 1A946834 B6150BDA" \
-	"2583E9CA 2AD44CE8 DBBBC2DB 04DE8EF9 2E8EFC14 1FBECAA6" \
-	"287C5947 4E6BC05D 99B2964F A090C3A2 233BA186 515BE7ED" \
-	"1F612970 CEE2D7AF B81BDD76 2170481C D0069127 D5B05AA9" \
-	"93B4EA98 8D8FDDC1 86FFB7DC 90A6C08F 4DF435C9 34028492" \
-	"36C3FAB4 D27C7026 C1D4DCB2 602646DE C9751E76 3DBA37BD" \
-	"F8FF9406 AD9E530E E5DB382F 413001AE B06A53ED 9027D831" \
-	"179727B0 865A8918 DA3EDBEB CF9B14ED 44CE6CBA CED4BB1B" \
-	"DB7F1447 E6CC254B 33205151 2BD7AF42 6FB8F401 378CD2BF" \
-	"5983CA01 C64B92EC F032EA15 D1721D03 F482D7CE 6E74FEF6" \
-	"D55E702F 46980C82 B5A84031 900B1C9E 59E7C97F BEC7E8F3" \
-	"23A97A7E 36CC88BE 0F1D45B7 FF585AC5 4BD407B2 2B4154AA" \
-	"CC8F6D7E BF48E1D8 14CC5ED2 0F8037E0 A79715EE F29BE328" \
-	"06A1D58B B7C5DA76 F550AA3D 8A1FBFF0 EB19CCB1 A313D55C" \
-	"DA56C9EC 2EF29632 387FE8D7 6E3C0468 043E8F66 3F4860EE" \
-	"12BF2D5B 0B7474D6 E694F91E 6DBE1159 74A3926F 12FEE5E4" \
-	"38777CB6 A932DF8C D8BEC4D0 73B931BA 3BC832B6 8D9DD300" \
-	"741FA7BF 8AFC47ED 2576F693 6BA42466 3AAB639C 5AE4F568" \
-	"3423B474 2BF1C978 238F16CB E39D652D E3FDB8BE FC848AD9" \
-	"22222E04 A4037C07 13EB57A8 1A23F0C7 3473FC64 6CEA306B" \
-	"4BCBC886 2F8385DD FA9D4B7F A2C087E8 79683303 ED5BDD3A" \
-	"062B3CF5 B3A278A6 6D2A13F8 3F44F82D DF310EE0 74AB6A36" \
-	"4597E899 A0255DC1 64F31CC5 0846851D F9AB4819 5DED7EA1" \
-	"B1D510BD 7EE74D73 FAF36BC3 1ECFA268 359046F4 EB879F92" \
-	"4009438B 481C6CD7 889A002E D5EE382B C9190DA6 FC026E47" \
-	"9558E447 5677E9AA 9E3050E2 765694DF C81F56E8 80B96E71" \
-	"60C980DD 98EDD3DF FFFFFFFF FFFFFFFF"
-#define LOCALSECRETSIZE		(512 / BITS_PER_BYTE)
-
 /* limits on nonce sizes.  See RFC2409 "The internet key exchange (IKE)" 5 */
-#define MINIMUM_NONCE_SIZE	8	/* bytes */
-#define DEFAULT_NONCE_SIZE	16	/* bytes */
-#define MAXIMUM_NONCE_SIZE	256	/* bytes */
+#define MINIMUM_NONCE_SIZE      8       /* bytes */
+#define DEFAULT_NONCE_SIZE      16      /* bytes */
+#define MAXIMUM_NONCE_SIZE      256     /* bytes */
 
 #define COOKIE_SIZE 8
 #define MAX_ISAKMP_SPI_SIZE 16
 
-#define MD2_DIGEST_SIZE		(128 / BITS_PER_BYTE)
-#define MD5_DIGEST_SIZE		(128 / BITS_PER_BYTE)
-#define SHA1_DIGEST_SIZE	(160 / BITS_PER_BYTE)
-#define SHA2_256_DIGEST_SIZE	(256 / BITS_PER_BYTE)
-#define SHA2_384_DIGEST_SIZE	(384 / BITS_PER_BYTE)
-#define SHA2_512_DIGEST_SIZE	(512 / BITS_PER_BYTE)
-
-#define MD5_BLOCK_SIZE		(512 / BITS_PER_BYTE)
-#define SHA1_BLOCK_SIZE		(512 / BITS_PER_BYTE)
-#define SHA2_256_BLOCK_SIZE	(512 / BITS_PER_BYTE)
-#define SHA2_384_BLOCK_SIZE	(1024 / BITS_PER_BYTE)
-#define SHA2_512_BLOCK_SIZE	(1024 / BITS_PER_BYTE)
-
-#define DES_CBC_BLOCK_SIZE	(64 / BITS_PER_BYTE)
-
-#define DSS_QBITS	160	/* bits in DSS's "q" (FIPS 186-1) */
+#define DES_CBC_BLOCK_SIZE      (64 / BITS_PER_BYTE)
 
 /* Maximum is required for SHA2_512 */
-#define MAX_DIGEST_LEN		SHA2_512_DIGEST_SIZE
-#define MAX_HASH_BLOCK_SIZE	SHA2_512_BLOCK_SIZE
+#define MAX_DIGEST_LEN          HASH_SIZE_SHA512
 
 /* RFC 2404 "HMAC-SHA-1-96" section 3 */
-#define HMAC_SHA1_KEY_LEN    SHA1_DIGEST_SIZE
+#define HMAC_SHA1_KEY_LEN		HASH_SIZE_SHA1
 
 /* RFC 2403 "HMAC-MD5-96" section 3 */
-#define HMAC_MD5_KEY_LEN    MD5_DIGEST_SIZE
+#define HMAC_MD5_KEY_LEN   		HASH_SIZE_MD5
 
-#define IKE_UDP_PORT	500
+#define IKE_UDP_PORT    500
+
+/* IPsec AH transform values
+ * RFC2407 The Internet IP security Domain of Interpretation for ISAKMP 4.4.3
+ * and in http://www.iana.org/assignments/isakmp-registry
+ */
+enum ipsec_authentication_algo {
+  AH_NONE         = 0,
+  AH_MD5          = 2,
+  AH_SHA          = 3,
+  AH_DES          = 4,
+  AH_SHA2_256     = 5,
+  AH_SHA2_384     = 6,
+  AH_SHA2_512     = 7,
+  AH_RIPEMD       = 8,
+  AH_AES_XCBC_MAC = 9,
+  AH_RSA          = 10
+};
+
+extern enum_names ah_transformid_names;
+
+/* IPsec ESP transform values
+ * RFC2407 The Internet IP security Domain of Interpretation for ISAKMP 4.4.4
+ * and from http://www.iana.org/assignments/isakmp-registry
+ */
+
+enum ipsec_cipher_algo {
+  ESP_NONE          = 0,
+  ESP_DES_IV64      = 1,
+  ESP_DES           = 2,
+  ESP_3DES          = 3,
+  ESP_RC5           = 4,
+  ESP_IDEA          = 5,
+  ESP_CAST          = 6,
+  ESP_BLOWFISH      = 7,
+  ESP_3IDEA         = 8,
+  ESP_DES_IV32      = 9,
+  ESP_RC4           = 10,
+  ESP_NULL          = 11,
+  ESP_AES           = 12,
+  ESP_AES_CTR       = 13,
+  ESP_AES_CCM_8     = 14,
+  ESP_AES_CCM_12    = 15,
+  ESP_AES_CCM_16    = 16,
+  ESP_UNASSIGNED_17 = 17,
+  ESP_AES_GCM_8     = 18,
+  ESP_AES_GCM_12    = 19,
+  ESP_AES_GCM_16    = 20,
+  ESP_SEED_CBC      = 21,
+  ESP_CAMELLIA      = 22,
+  ESP_SERPENT       = 252,
+  ESP_TWOFISH       = 253
+};
+
+extern enum_names esp_transformid_names;
+
+/* IPCOMP transform values
+ * RFC2407 The Internet IP security Domain of Interpretation for ISAKMP 4.4.5
+ */
+
+enum ipsec_comp_algo {
+  IPSCOMP_NONE   = 0,
+  IPCOMP_OUI     = 1,
+  IPCOMP_DEFLATE = 2,
+  IPCOMP_LZS     = 3,
+  IPCOMP_LZJH    = 4
+};
+
+extern enum_names ipcomp_transformid_names;
+
+/* Certificate type values
+ * RFC 2408 ISAKMP, chapter 3.9
+ */
+enum ipsec_cert_type {
+  CERT_NONE=                0,
+  CERT_PKCS7_WRAPPED_X509=  1,
+  CERT_PGP=                 2,
+  CERT_DNS_SIGNED_KEY=      3,
+  CERT_X509_SIGNATURE=      4,
+  CERT_X509_KEY_EXCHANGE=   5,
+  CERT_KERBEROS_TOKENS=     6,
+  CERT_CRL=                 7,
+  CERT_ARL=                 8,
+  CERT_SPKI=                9,
+  CERT_X509_ATTRIBUTE=      10,
+  CERT_RAW_RSA_KEY=         11
+};
 
 /* RFC 2560 OCSP - certificate status */
 
 typedef enum {
-    CERT_GOOD = 	0,
-    CERT_REVOKED = 	1,
-    CERT_UNKNOWN = 	2,
-    CERT_UNDEFINED =	3
+	CERT_GOOD =         0,
+	CERT_REVOKED =      1,
+	CERT_UNKNOWN =      2,
+	CERT_UNDEFINED =    3
 } cert_status_t;
 
 /* RFC 2459 CRL reason codes */
 
-extern enum_names crl_reason_names;
+extern enum_name_t *crl_reason_names;
 
 typedef enum {
-    REASON_UNSPECIFIED =		0,
-    REASON_KEY_COMPROMISE = 		1,
-    REASON_CA_COMPROMISE = 		2,
-    REASON_AFFILIATION_CHANGED =	3,
-    REASON_SUPERSEDED =			4,
-    REASON_CESSATION_OF_OPERATON =	5,
-    REASON_CERTIFICATE_HOLD =		6,
-    REASON_REMOVE_FROM_CRL =		8
+	REASON_UNSPECIFIED =                0,
+	REASON_KEY_COMPROMISE =             1,
+	REASON_CA_COMPROMISE =              2,
+	REASON_AFFILIATION_CHANGED =        3,
+	REASON_SUPERSEDED =                 4,
+	REASON_CESSATION_OF_OPERATON =      5,
+	REASON_CERTIFICATE_HOLD =           6,
+	REASON_REMOVE_FROM_CRL =            8
 } crl_reason_t;
 
 /* RFC 3706 Dead Peer Detection */
 
-extern enum_names dpd_action_names;
+extern enum_name_t *dpd_action_names;
 
 typedef enum {
-    DPD_ACTION_NONE =    0,
-    DPD_ACTION_CLEAR =   1,
-    DPD_ACTION_HOLD  =   2,
-    DPD_ACTION_RESTART = 3,
-    DPD_ACTION_UNKNOWN = 4
+	DPD_ACTION_NONE =    0,
+	DPD_ACTION_CLEAR =   1,
+	DPD_ACTION_HOLD  =   2,
+	DPD_ACTION_RESTART = 3,
+	DPD_ACTION_UNKNOWN = 4
 } dpd_action_t;
 
 /* Timer events */
 
-extern enum_names timer_event_names;
+extern enum_name_t *timer_event_names;
 
 enum event_type {
-    EVENT_NULL,	/* non-event */
-    EVENT_REINIT_SECRET,	/* Refresh cookie secret */
+	EVENT_NULL, /* non-event */
+	EVENT_REINIT_SECRET,        /* Refresh cookie secret */
 #ifdef KLIPS
-    EVENT_SHUNT_SCAN,		/* scan shunt eroutes known to kernel */
+	EVENT_SHUNT_SCAN,           /* scan shunt eroutes known to kernel */
 #endif
-    EVENT_SO_DISCARD,		/* discard unfinished state object */
-    EVENT_RETRANSMIT,		/* Retransmit packet */
-    EVENT_SA_REPLACE,		/* SA replacement event */
-    EVENT_SA_REPLACE_IF_USED,	/* SA replacement event */
-    EVENT_SA_EXPIRE,		/* SA expiration event */
-    EVENT_NAT_T_KEEPALIVE,	/* NAT Traversal Keepalive */
-    EVENT_DPD,			/* dead peer detection */
-    EVENT_DPD_TIMEOUT,		/* dead peer detection timeout */
-    EVENT_LOG_DAILY     	/* reset certain log events/stats */
+	EVENT_SO_DISCARD,           /* discard unfinished state object */
+	EVENT_RETRANSMIT,           /* Retransmit packet */
+	EVENT_SA_REPLACE,           /* SA replacement event */
+	EVENT_SA_REPLACE_IF_USED,   /* SA replacement event */
+	EVENT_SA_EXPIRE,            /* SA expiration event */
+	EVENT_NAT_T_KEEPALIVE,      /* NAT Traversal Keepalive */
+	EVENT_DPD,                  /* dead peer detection */
+	EVENT_DPD_TIMEOUT,          /* dead peer detection timeout */
+	EVENT_LOG_DAILY             /* reset certain log events/stats */
 };
 
-#define EVENT_REINIT_SECRET_DELAY		3600 /* 1 hour */
-#define EVENT_RETRANSMIT_DELAY_0		10   /* 10 seconds */
+#define EVENT_REINIT_SECRET_DELAY               3600 /* 1 hour */
+#define EVENT_RETRANSMIT_DELAY_0                10   /* 10 seconds */
 
 /* Misc. stuff */
 
@@ -429,29 +327,29 @@ extern enum_names doi_names;
 extern const char *const debug_bit_names[];
 #endif
 
-#define DBG_RAW		LELEM(0)	/* raw packet I/O */
-#define DBG_CRYPT	LELEM(1)	/* encryption/decryption of messages */
-#define DBG_PARSING	LELEM(2)	/* show decoding of messages */
-#define DBG_EMITTING	LELEM(3)	/* show encoding of messages */
-#define DBG_CONTROL	LELEM(4)	/* control flow within Pluto */
-#define DBG_LIFECYCLE	LELEM(5)	/* SA lifecycle */
-#define DBG_KLIPS	LELEM(6)	/* messages to KLIPS */
-#define DBG_DNS		LELEM(7)	/* DNS activity */
-#define DBG_NATT	LELEM(8)	/* NAT-T */
-#define DBG_OPPO	LELEM(9)	/* opportunism */
-#define DBG_CONTROLMORE LELEM(10)	/* more detailed debugging */
+#define DBG_RAW         LELEM(0)        /* raw packet I/O */
+#define DBG_CRYPT       LELEM(1)        /* encryption/decryption of messages */
+#define DBG_PARSING     LELEM(2)        /* show decoding of messages */
+#define DBG_EMITTING    LELEM(3)        /* show encoding of messages */
+#define DBG_CONTROL     LELEM(4)        /* control flow within Pluto */
+#define DBG_LIFECYCLE   LELEM(5)        /* SA lifecycle */
+#define DBG_KLIPS       LELEM(6)        /* messages to KLIPS */
+#define DBG_DNS         LELEM(7)        /* DNS activity */
+#define DBG_NATT        LELEM(8)        /* NAT-T */
+#define DBG_OPPO        LELEM(9)        /* opportunism */
+#define DBG_CONTROLMORE LELEM(10)       /* more detailed debugging */
 
-#define DBG_PRIVATE	LELEM(11)	/* private information: DANGER! */
+#define DBG_PRIVATE     LELEM(11)       /* private information: DANGER! */
 
-#define IMPAIR0	12	/* first bit for IMPAIR_* */
+#define IMPAIR0 12      /* first bit for IMPAIR_* */
 
-#define IMPAIR_DELAY_ADNS_KEY_ANSWER	LELEM(IMPAIR0+0)	/* sleep before answering */
-#define IMPAIR_DELAY_ADNS_TXT_ANSWER	LELEM(IMPAIR0+1)	/* sleep before answering */
-#define IMPAIR_BUST_MI2	LELEM(IMPAIR0+2)	/* make MI2 really large */
-#define IMPAIR_BUST_MR2	LELEM(IMPAIR0+3)	/* make MI2 really large */
+#define IMPAIR_DELAY_ADNS_KEY_ANSWER    LELEM(IMPAIR0+0)        /* sleep before answering */
+#define IMPAIR_DELAY_ADNS_TXT_ANSWER    LELEM(IMPAIR0+1)        /* sleep before answering */
+#define IMPAIR_BUST_MI2 LELEM(IMPAIR0+2)        /* make MI2 really large */
+#define IMPAIR_BUST_MR2 LELEM(IMPAIR0+3)        /* make MI2 really large */
 
-#define DBG_NONE	0	/* no options on, including impairments */
-#define DBG_ALL		LRANGES(DBG_RAW, DBG_CONTROLMORE)  /* all logging options on EXCEPT DBG_PRIVATE */
+#define DBG_NONE        0       /* no options on, including impairments */
+#define DBG_ALL         LRANGES(DBG_RAW, DBG_CONTROLMORE)  /* all logging options on EXCEPT DBG_PRIVATE */
 
 /* State of exchanges
  *
@@ -484,86 +382,86 @@ extern enum_names state_names;
 extern const char *const state_story[];
 
 enum state_kind {
-    STATE_UNDEFINED,	/* 0 -- most likely accident */
+	STATE_UNDEFINED,    /* 0 -- most likely accident */
 
-    /*  Opportunism states: see "Opportunistic Encryption" 2.2 */
+	/*  Opportunism states: see "Opportunistic Encryption" 2.2 */
 
-    OPPO_ACQUIRE,	/* got an ACQUIRE message for this pair */
-    OPPO_GW_DISCOVERED,	/* got TXT specifying gateway */
+	OPPO_ACQUIRE,       /* got an ACQUIRE message for this pair */
+	OPPO_GW_DISCOVERED, /* got TXT specifying gateway */
 
-    /* IKE states */
+	/* IKE states */
 
-    STATE_MAIN_R0,
-    STATE_MAIN_I1,
-    STATE_MAIN_R1,
-    STATE_MAIN_I2,
-    STATE_MAIN_R2,
-    STATE_MAIN_I3,
-    STATE_MAIN_R3,
-    STATE_MAIN_I4,
+	STATE_MAIN_R0,
+	STATE_MAIN_I1,
+	STATE_MAIN_R1,
+	STATE_MAIN_I2,
+	STATE_MAIN_R2,
+	STATE_MAIN_I3,
+	STATE_MAIN_R3,
+	STATE_MAIN_I4,
 
-    STATE_QUICK_R0,
-    STATE_QUICK_I1,
-    STATE_QUICK_R1,
-    STATE_QUICK_I2,
-    STATE_QUICK_R2,
+	STATE_QUICK_R0,
+	STATE_QUICK_I1,
+	STATE_QUICK_R1,
+	STATE_QUICK_I2,
+	STATE_QUICK_R2,
 
-    STATE_INFO,
-    STATE_INFO_PROTECTED,
+	STATE_INFO,
+	STATE_INFO_PROTECTED,
 
-    /* XAUTH states */
+	/* XAUTH states */
 
-    STATE_XAUTH_I0,              /* initiator state (client) */
-    STATE_XAUTH_R1,              /* responder state (server) */
-    STATE_XAUTH_I1,
-    STATE_XAUTH_R2,
-    STATE_XAUTH_I2,
-    STATE_XAUTH_R3,
+	STATE_XAUTH_I0,              /* initiator state (client) */
+	STATE_XAUTH_R1,              /* responder state (server) */
+	STATE_XAUTH_I1,
+	STATE_XAUTH_R2,
+	STATE_XAUTH_I2,
+	STATE_XAUTH_R3,
 
-    /* Mode Config pull states */
+	/* Mode Config pull states */
 
-    STATE_MODE_CFG_R0,           /* responder state (server) */
-    STATE_MODE_CFG_I1,           /* initiator state (client) */
-    STATE_MODE_CFG_R1,
-    STATE_MODE_CFG_I2,
+	STATE_MODE_CFG_R0,           /* responder state (server) */
+	STATE_MODE_CFG_I1,           /* initiator state (client) */
+	STATE_MODE_CFG_R1,
+	STATE_MODE_CFG_I2,
 
-    /* Mode Config push states */
+	/* Mode Config push states */
 
-    STATE_MODE_CFG_I0,           /* initiator state (client) */
-    STATE_MODE_CFG_R3,           /* responder state (server) */
-    STATE_MODE_CFG_I3,
-    STATE_MODE_CFG_R4,
+	STATE_MODE_CFG_I0,           /* initiator state (client) */
+	STATE_MODE_CFG_R3,           /* responder state (server) */
+	STATE_MODE_CFG_I3,
+	STATE_MODE_CFG_R4,
 
-    STATE_IKE_ROOF
+	STATE_IKE_ROOF
 };
 
-#define STATE_IKE_FLOOR	STATE_MAIN_R0
+#define STATE_IKE_FLOOR STATE_MAIN_R0
 
-#define PHASE1_INITIATOR_STATES	 (LELEM(STATE_MAIN_I1) | LELEM(STATE_MAIN_I2) \
-    | LELEM(STATE_MAIN_I3) | LELEM(STATE_MAIN_I4))
+#define PHASE1_INITIATOR_STATES  (LELEM(STATE_MAIN_I1) | LELEM(STATE_MAIN_I2) \
+	| LELEM(STATE_MAIN_I3) | LELEM(STATE_MAIN_I4))
 #define ISAKMP_SA_ESTABLISHED_STATES ( \
-      LELEM(STATE_MAIN_R3)     | LELEM(STATE_MAIN_I4)     \
-    | LELEM(STATE_XAUTH_R1)    | LELEM(STATE_XAUTH_R2) | LELEM(STATE_XAUTH_R3) \
-    | LELEM(STATE_XAUTH_I1)    | LELEM(STATE_XAUTH_I2)    \
-    | LELEM(STATE_MODE_CFG_I1) | LELEM(STATE_MODE_CFG_R1) | LELEM(STATE_MODE_CFG_I2) \
-    | LELEM(STATE_MODE_CFG_R3) | LELEM(STATE_MODE_CFG_I3) | LELEM(STATE_MODE_CFG_R4))
+	  LELEM(STATE_MAIN_R3)     | LELEM(STATE_MAIN_I4)     \
+	| LELEM(STATE_XAUTH_R1)    | LELEM(STATE_XAUTH_R2) | LELEM(STATE_XAUTH_R3) \
+	| LELEM(STATE_XAUTH_I1)    | LELEM(STATE_XAUTH_I2)    \
+	| LELEM(STATE_MODE_CFG_I1) | LELEM(STATE_MODE_CFG_R1) | LELEM(STATE_MODE_CFG_I2) \
+	| LELEM(STATE_MODE_CFG_R3) | LELEM(STATE_MODE_CFG_I3) | LELEM(STATE_MODE_CFG_R4))
 
 #define IS_PHASE1(s) ((STATE_MAIN_R0 <= (s) && (s) <= STATE_MAIN_I4) \
-		   || (STATE_XAUTH_I0 <= (s) && (s) <= STATE_XAUTH_R3) \
-		   || (STATE_MODE_CFG_R0 <= (s) && (s) <= STATE_MODE_CFG_R4))
+				   || (STATE_XAUTH_I0 <= (s) && (s) <= STATE_XAUTH_R3) \
+				   || (STATE_MODE_CFG_R0 <= (s) && (s) <= STATE_MODE_CFG_R4))
 
 #define IS_QUICK(s) (STATE_QUICK_R0 <= (s) && (s) <= STATE_QUICK_R2)
 #define IS_ISAKMP_ENCRYPTED(s) (STATE_MAIN_I2 <= (s))
 
 #define IS_ISAKMP_SA_ESTABLISHED(s) (        \
-		   (s) == STATE_MAIN_R3      \
-		|| (s) == STATE_MAIN_I4      \
-		|| (s) == STATE_XAUTH_I2     \
-		|| (s) == STATE_XAUTH_R3     \
-		|| (s) == STATE_MODE_CFG_R1  \
-		|| (s) == STATE_MODE_CFG_I2  \
-		|| (s) == STATE_MODE_CFG_I3  \
-		|| (s) == STATE_MODE_CFG_R4)
+				   (s) == STATE_MAIN_R3      \
+				|| (s) == STATE_MAIN_I4      \
+				|| (s) == STATE_XAUTH_I2     \
+				|| (s) == STATE_XAUTH_R3     \
+				|| (s) == STATE_MODE_CFG_R1  \
+				|| (s) == STATE_MODE_CFG_I2  \
+				|| (s) == STATE_MODE_CFG_I3  \
+				|| (s) == STATE_MODE_CFG_R4)
 
 #define IS_IPSEC_SA_ESTABLISHED(s) ((s) == STATE_QUICK_I2 || (s) == STATE_QUICK_R2)
 #define IS_ONLY_INBOUND_IPSEC_SA_ESTABLISHED(s) ((s) == STATE_QUICK_R1)
@@ -575,11 +473,11 @@ enum state_kind {
 extern enum_names connection_kind_names;
 
 enum connection_kind {
-    CK_GROUP,		/* policy group: instantiates to template */
-    CK_TEMPLATE,	/* abstract connection, with wildcard */
-    CK_PERMANENT,	/* normal connection */
-    CK_INSTANCE,	/* instance of template, created for a particular attempt */
-    CK_GOING_AWAY	/* instance being deleted -- don't delete again */
+	CK_GROUP,           /* policy group: instantiates to template */
+	CK_TEMPLATE,        /* abstract connection, with wildcard */
+	CK_PERMANENT,       /* normal connection */
+	CK_INSTANCE,        /* instance of template, created for a particular attempt */
+	CK_GOING_AWAY       /* instance being deleted -- don't delete again */
 };
 
 
@@ -593,14 +491,14 @@ extern enum_names routing_story;
 
 /* note that this is assumed to be ordered! */
 enum routing_t {
-    RT_UNROUTED,	/* unrouted */
-    RT_UNROUTED_HOLD,	/* unrouted, but HOLD shunt installed */
-    RT_ROUTED_ECLIPSED,	/* RT_ROUTED_PROSPECTIVE except bare HOLD or instance has eroute */
-    RT_ROUTED_PROSPECTIVE,	/* routed, and prospective shunt installed */
-    RT_ROUTED_HOLD,	/* routed, and HOLD shunt installed */
-    RT_ROUTED_FAILURE,	/* routed, and failure-context shunt installed */
-    RT_ROUTED_TUNNEL,	/* routed, and erouted to an IPSEC SA group */
-    RT_UNROUTED_KEYED   /* keyed, but not routed, on purpose */
+	RT_UNROUTED,        /* unrouted */
+	RT_UNROUTED_HOLD,   /* unrouted, but HOLD shunt installed */
+	RT_ROUTED_ECLIPSED, /* RT_ROUTED_PROSPECTIVE except bare HOLD or instance has eroute */
+	RT_ROUTED_PROSPECTIVE,      /* routed, and prospective shunt installed */
+	RT_ROUTED_HOLD,     /* routed, and HOLD shunt installed */
+	RT_ROUTED_FAILURE,  /* routed, and failure-context shunt installed */
+	RT_ROUTED_TUNNEL,   /* routed, and erouted to an IPSEC SA group */
+	RT_UNROUTED_KEYED   /* keyed, but not routed, on purpose */
 };
 
 #define routed(rs) ((rs) > RT_UNROUTED_HOLD)
@@ -618,25 +516,25 @@ enum routing_t {
 extern enum_names payload_names;
 extern const char *const payload_name[];
 
-#define ISAKMP_NEXT_NONE       0	/* No other payload following */
-#define ISAKMP_NEXT_SA         1	/* Security Association */
-#define ISAKMP_NEXT_P          2	/* Proposal */
-#define ISAKMP_NEXT_T          3	/* Transform */
-#define ISAKMP_NEXT_KE         4	/* Key Exchange */
-#define ISAKMP_NEXT_ID         5	/* Identification */
-#define ISAKMP_NEXT_CERT       6	/* Certificate */
-#define ISAKMP_NEXT_CR         7	/* Certificate Request */
-#define ISAKMP_NEXT_HASH       8	/* Hash */
-#define ISAKMP_NEXT_SIG        9	/* Signature */
-#define ISAKMP_NEXT_NONCE      10	/* Nonce */
-#define ISAKMP_NEXT_N          11	/* Notification */
-#define ISAKMP_NEXT_D          12	/* Delete */
-#define ISAKMP_NEXT_VID        13	/* Vendor ID */
+#define ISAKMP_NEXT_NONE       0        /* No other payload following */
+#define ISAKMP_NEXT_SA         1        /* Security Association */
+#define ISAKMP_NEXT_P          2        /* Proposal */
+#define ISAKMP_NEXT_T          3        /* Transform */
+#define ISAKMP_NEXT_KE         4        /* Key Exchange */
+#define ISAKMP_NEXT_ID         5        /* Identification */
+#define ISAKMP_NEXT_CERT       6        /* Certificate */
+#define ISAKMP_NEXT_CR         7        /* Certificate Request */
+#define ISAKMP_NEXT_HASH       8        /* Hash */
+#define ISAKMP_NEXT_SIG        9        /* Signature */
+#define ISAKMP_NEXT_NONCE      10       /* Nonce */
+#define ISAKMP_NEXT_N          11       /* Notification */
+#define ISAKMP_NEXT_D          12       /* Delete */
+#define ISAKMP_NEXT_VID        13       /* Vendor ID */
 #define ISAKMP_NEXT_ATTR       14       /* Mode config Attribute */
 
-#define ISAKMP_NEXT_NATD_RFC   20	/* NAT-Traversal: NAT-D (rfc) */
-#define ISAKMP_NEXT_NATOA_RFC  21	/* NAT-Traversal: NAT-OA (rfc) */
-#define ISAKMP_NEXT_ROOF       22	/* roof on payload types */
+#define ISAKMP_NEXT_NATD_RFC   20       /* NAT-Traversal: NAT-D (rfc) */
+#define ISAKMP_NEXT_NATOA_RFC  21       /* NAT-Traversal: NAT-OA (rfc) */
+#define ISAKMP_NEXT_ROOF       22       /* roof on payload types */
 
 #define ISAKMP_NEXT_NATD_DRAFTS   130   /* NAT-Traversal: NAT-D (drafts) */
 #define ISAKMP_NEXT_NATOA_DRAFTS  131   /* NAT-Traversal: NAT-OA (drafts) */
@@ -687,18 +585,24 @@ extern enum_names modecfg_attr_names;
 
 extern enum_names xauth_attr_names;
 
-/* ISAKMP mode config attributes specific to the Unity vendor Id */
-#define   UNITY_BANNER		    28672
-#define   UNITY_SAVE_PASSWD	    28673
-#define   UNITY_DEF_DOMAIN	    28674
-#define   UNITY_SPLITDNS_NAME	    28675
-#define   UNITY_SPLIT_INCLUDE	    28676
-#define   UNITY_NATT_PORT	    28677
-#define   UNITY_LOCAL_LAN	    28678
-#define   UNITY_PFS		    28679
-#define   UNITY_FW_TYPE		    28680
-#define   UNITY_BACKUP_SERVERS	    28681
-#define   UNITY_DDNS_HOSTNAME	    28682
+/* ISAKMP mode config attributes specific to Microsoft */
+#define INTERNAL_IP4_SERVER         23456
+#define INTERNAL_IP6_SERVER         23457
+
+extern enum_names microsoft_attr_names;
+
+/* ISAKMP mode config attributes specific to the Unity vendor ID */
+#define   UNITY_BANNER              28672
+#define   UNITY_SAVE_PASSWD         28673
+#define   UNITY_DEF_DOMAIN          28674
+#define   UNITY_SPLITDNS_NAME       28675
+#define   UNITY_SPLIT_INCLUDE       28676
+#define   UNITY_NATT_PORT           28677
+#define   UNITY_LOCAL_LAN           28678
+#define   UNITY_PFS                 28679
+#define   UNITY_FW_TYPE             28680
+#define   UNITY_BACKUP_SERVERS      28681
+#define   UNITY_DDNS_HOSTNAME       28682
 
 #define   UNITY_BASE                UNITY_BANNER
 
@@ -711,8 +615,8 @@ extern enum_names unity_attr_names;
 #define XAUTH_TYPE_SKEY    3
 
 /* Values for XAUTH_STATUS */
-#define	XAUTH_STATUS_FAIL       0
-#define	XAUTH_STATUS_OK         1
+#define XAUTH_STATUS_FAIL       0
+#define XAUTH_STATUS_OK         1
 
 extern enum_names xauth_type_names;
 
@@ -732,19 +636,19 @@ extern enum_names exchange_names;
 
 #define ISAKMP_XCHG_NONE       0
 #define ISAKMP_XCHG_BASE       1
-#define ISAKMP_XCHG_IDPROT     2	/* ID Protection */
-#define ISAKMP_XCHG_AO         3	/* Authentication Only */
-#define ISAKMP_XCHG_AGGR       4	/* Aggressive */
-#define ISAKMP_XCHG_INFO       5	/* Informational */
-#define ISAKMP_XCHG_MODE_CFG   6	/* Mode Config */
+#define ISAKMP_XCHG_IDPROT     2        /* ID Protection */
+#define ISAKMP_XCHG_AO         3        /* Authentication Only */
+#define ISAKMP_XCHG_AGGR       4        /* Aggressive */
+#define ISAKMP_XCHG_INFO       5        /* Informational */
+#define ISAKMP_XCHG_MODE_CFG   6        /* Mode Config */
 
 /* Extra exchange types, defined by Oakley
  * RFC2409 "The Internet Key Exchange (IKE)", near end of Appendix A
  */
-#define ISAKMP_XCHG_QUICK      32	/* Oakley Quick Mode */
-#define ISAKMP_XCHG_NGRP       33	/* Oakley New Group Mode */
+#define ISAKMP_XCHG_QUICK      32       /* Oakley Quick Mode */
+#define ISAKMP_XCHG_NGRP       33       /* Oakley New Group Mode */
 /* added in draft-ietf-ipsec-ike-01.txt, near end of Appendix A */
-#define ISAKMP_XCHG_ACK_INFO   34	/* Oakley Acknowledged Informational */
+#define ISAKMP_XCHG_ACK_INFO   34       /* Oakley Acknowledged Informational */
 
 /* Flag bits */
 
@@ -774,20 +678,14 @@ extern enum_names protocol_names;
 
 /* warning: trans_show uses enum_show, so same static buffer is used */
 #define trans_show(p, t) \
-    ((p)==PROTO_IPSEC_AH ? enum_show(&ah_transformid_names, (t)) \
-    : (p)==PROTO_IPSEC_ESP ? enum_show(&esp_transformid_names, (t)) \
-    : (p)==PROTO_IPCOMP ? enum_show(&ipcomp_transformid_names, (t)) \
-    : "??")
-
-/* many transform values are moved to freeswan/ipsec_policy.h */
-
-extern enum_names isakmp_transformid_names;
+	((p)==PROTO_IPSEC_AH ? enum_show(&ah_transformid_names, (t)) \
+	: (p)==PROTO_IPSEC_ESP ? enum_show(&esp_transformid_names, (t)) \
+	: (p)==PROTO_IPCOMP ? enum_show(&ipcomp_transformid_names, (t)) \
+	: "??")
 
 #define KEY_IKE               1
 
-extern enum_names ah_transformid_names;
-extern enum_names esp_transformid_names;
-extern enum_names ipcomp_transformid_names;
+extern enum_names isakmp_transformid_names;
 
 /* the following are from RFC 2393/draft-shacham-ippcp-rfc2393bis-05.txt 3.3 */
 typedef u_int16_t cpi_t;
@@ -801,15 +699,16 @@ typedef u_int16_t cpi_t;
 
 extern enum_names ident_names;
 extern enum_names cert_type_names;
-extern enum_names cert_policy_names;
+
+extern enum_name_t *cert_policy_names;
 
 typedef enum certpolicy {
-  CERT_ALWAYS_SEND   = 0,	/* the default */
-  CERT_SEND_IF_ASKED = 1,
-  CERT_NEVER_SEND    = 2,
+	CERT_ALWAYS_SEND   = 0,
+	CERT_SEND_IF_ASKED = 1, 
+	CERT_NEVER_SEND    = 2,
 
-  CERT_YES_SEND      = 3,	/* synonym for CERT_ALWAYS_SEND */
-  CERT_NO_SEND       = 4	/* synonym for CERT_NEVER_SEND  */
+ 	CERT_YES_SEND      = 3,       /* synonym for CERT_ALWAYS_SEND */
+	CERT_NO_SEND       = 4        /* synonym for CERT_NEVER_SEND  */
 } certpolicy_t;
 
 /* Policies for establishing an SA
@@ -825,36 +724,36 @@ extern const char *prettypolicy(lset_t policy);
 
 /* ISAKMP auth techniques (none means never negotiate) */
 #define POLICY_PSK           LELEM(0)
-#define POLICY_RSASIG        LELEM(1)
+#define POLICY_PUBKEY        LELEM(1)
 
-#define POLICY_ISAKMP_SHIFT	0	/* log2(POLICY_PSK) */
-#define POLICY_ID_AUTH_MASK	(POLICY_PSK | POLICY_RSASIG | POLICY_XAUTH_PSK | POLICY_XAUTH_RSASIG)
-#define POLICY_ISAKMP_MASK	POLICY_ID_AUTH_MASK	/* all so far */
+#define POLICY_ISAKMP_SHIFT     0       /* log2(POLICY_PSK) */
+#define POLICY_ID_AUTH_MASK     (POLICY_PSK | POLICY_PUBKEY | POLICY_XAUTH_PSK | POLICY_XAUTH_RSASIG)
+#define POLICY_ISAKMP_MASK      POLICY_ID_AUTH_MASK     /* all so far */
 
 /* Quick Mode (IPSEC) attributes */
-#define POLICY_ENCRYPT       LELEM(2)	/* must be first of IPSEC policies */
-#define POLICY_AUTHENTICATE  LELEM(3)	/* must be second */
-#define POLICY_COMPRESS      LELEM(4)	/* must be third */
+#define POLICY_ENCRYPT       LELEM(2)   /* must be first of IPSEC policies */
+#define POLICY_AUTHENTICATE  LELEM(3)   /* must be second */
+#define POLICY_COMPRESS      LELEM(4)   /* must be third */
 #define POLICY_TUNNEL        LELEM(5)
 #define POLICY_PFS           LELEM(6)
-#define POLICY_DISABLEARRIVALCHECK  LELEM(7)	/* supress tunnel egress address checking */
+#define POLICY_DISABLEARRIVALCHECK  LELEM(7)    /* supress tunnel egress address checking */
 
-#define POLICY_IPSEC_SHIFT	2	/* log2(POLICY_ENCRYPT) */
-#define POLICY_IPSEC_MASK	LRANGES(POLICY_ENCRYPT, POLICY_DISABLEARRIVALCHECK)
+#define POLICY_IPSEC_SHIFT      2       /* log2(POLICY_ENCRYPT) */
+#define POLICY_IPSEC_MASK       LRANGES(POLICY_ENCRYPT, POLICY_DISABLEARRIVALCHECK)
 
 /* shunt attributes: what to do when routed without tunnel (2 bits) */
-#define POLICY_SHUNT_SHIFT	8	/* log2(POLICY_SHUNT_PASS) */
-#define POLICY_SHUNT_MASK	(03ul << POLICY_SHUNT_SHIFT)
+#define POLICY_SHUNT_SHIFT      8       /* log2(POLICY_SHUNT_PASS) */
+#define POLICY_SHUNT_MASK       (03ul << POLICY_SHUNT_SHIFT)
 
-#define POLICY_SHUNT_TRAP	(0ul << POLICY_SHUNT_SHIFT) /* default: negotiate */
-#define POLICY_SHUNT_PASS	(1ul << POLICY_SHUNT_SHIFT)
-#define POLICY_SHUNT_DROP	(2ul << POLICY_SHUNT_SHIFT)
-#define POLICY_SHUNT_REJECT	(3ul << POLICY_SHUNT_SHIFT)
+#define POLICY_SHUNT_TRAP       (0ul << POLICY_SHUNT_SHIFT) /* default: negotiate */
+#define POLICY_SHUNT_PASS       (1ul << POLICY_SHUNT_SHIFT)
+#define POLICY_SHUNT_DROP       (2ul << POLICY_SHUNT_SHIFT)
+#define POLICY_SHUNT_REJECT     (3ul << POLICY_SHUNT_SHIFT)
 
 /* fail attributes: what to do with failed negotiation (2 bits) */
 
-#define POLICY_FAIL_SHIFT	10	/* log2(POLICY_FAIL_PASS) */
-#define POLICY_FAIL_MASK	(03ul << POLICY_FAIL_SHIFT)
+#define POLICY_FAIL_SHIFT       10      /* log2(POLICY_FAIL_PASS) */
+#define POLICY_FAIL_MASK        (03ul << POLICY_FAIL_SHIFT)
 
 #define POLICY_FAIL_NONE     (0ul << POLICY_FAIL_SHIFT) /* default */
 #define POLICY_FAIL_PASS     (1ul << POLICY_FAIL_SHIFT)
@@ -864,21 +763,20 @@ extern const char *prettypolicy(lset_t policy);
 /* connection policy
  * Other policies could vary per state object.  These live in connection.
  */
-#define POLICY_DONT_REKEY	LELEM(12)	/* don't rekey state either Phase */
-#define POLICY_OPPO		LELEM(13)	/* is this opportunistic? */
-#define POLICY_GROUP		LELEM(14)	/* is this a group template? */
-#define POLICY_GROUTED		LELEM(15)	/* do we want this group routed? */
-#define POLICY_UP		LELEM(16)	/* do we want this up? */
-#define POLICY_MODECFG_PUSH	LELEM(17)	/* is modecfg pushed by server? */
-#define POLICY_XAUTH_PSK	LELEM(18)	/* do we support XAUTH????PreShared? */
-#define POLICY_XAUTH_RSASIG	LELEM(19)	/* do we support XAUTH????RSA? */
-#define POLICY_XAUTH_SERVER	LELEM(20)	/* are we an XAUTH server? */
-#define POLICY_DONT_REAUTH	LELEM(21)	/* don't reauthenticate on rekeying, IKEv2 only */
-#define POLICY_BEET		LELEM(22)	/* bound end2end tunnel, IKEv2 */
-#define POLICY_MOBIKE		LELEM(23)	/* enable MOBIKE for IKEv2  */
-#define POLICY_FORCE_ENCAP	LELEM(24)	/* force UDP encapsulation (IKEv2)  */
-#define POLICY_ECDSASIG		LELEM(25)	/* ECDSA signature (IKEv2) */
-#define POLICY_PROXY		LELEM(26)	/* proxy transport mode (MIPv6) */
+#define POLICY_DONT_REKEY       LELEM(12)       /* don't rekey state either Phase */
+#define POLICY_OPPO             LELEM(13)       /* is this opportunistic? */
+#define POLICY_GROUP            LELEM(14)       /* is this a group template? */
+#define POLICY_GROUTED          LELEM(15)       /* do we want this group routed? */
+#define POLICY_UP               LELEM(16)       /* do we want this up? */
+#define POLICY_MODECFG_PUSH     LELEM(17)       /* is modecfg pushed by server? */
+#define POLICY_XAUTH_PSK        LELEM(18)       /* do we support XAUTH????PreShared? */
+#define POLICY_XAUTH_RSASIG     LELEM(19)       /* do we support XAUTH????RSA? */
+#define POLICY_XAUTH_SERVER     LELEM(20)       /* are we an XAUTH server? */
+#define POLICY_DONT_REAUTH      LELEM(21)       /* don't reauthenticate on rekeying, IKEv2 only */
+#define POLICY_BEET             LELEM(22)       /* bound end2end tunnel, IKEv2 */
+#define POLICY_MOBIKE           LELEM(23)       /* enable MOBIKE for IKEv2  */
+#define POLICY_FORCE_ENCAP      LELEM(24)       /* force UDP encapsulation (IKEv2)  */
+#define POLICY_PROXY            LELEM(25)       /* proxy transport mode (MIPv6) */
 
 /* Any IPsec policy?  If not, a connection description
  * is only for ISAKMP SA, not IPSEC SA.  (A pun, I admit.)
@@ -903,17 +801,17 @@ extern const char *const oakley_attr_bit_names[];
 #define OAKLEY_AUTHENTICATION_METHOD   3
 #define OAKLEY_GROUP_DESCRIPTION       4
 #define OAKLEY_GROUP_TYPE              5
-#define OAKLEY_GROUP_PRIME             6	/* B/V */
-#define OAKLEY_GROUP_GENERATOR_ONE     7	/* B/V */
-#define OAKLEY_GROUP_GENERATOR_TWO     8	/* B/V */
-#define OAKLEY_GROUP_CURVE_A           9	/* B/V */
-#define OAKLEY_GROUP_CURVE_B          10	/* B/V */
+#define OAKLEY_GROUP_PRIME             6        /* B/V */
+#define OAKLEY_GROUP_GENERATOR_ONE     7        /* B/V */
+#define OAKLEY_GROUP_GENERATOR_TWO     8        /* B/V */
+#define OAKLEY_GROUP_CURVE_A           9        /* B/V */
+#define OAKLEY_GROUP_CURVE_B          10        /* B/V */
 #define OAKLEY_LIFE_TYPE              11
-#define OAKLEY_LIFE_DURATION          12	/* B/V */
+#define OAKLEY_LIFE_DURATION          12        /* B/V */
 #define OAKLEY_PRF                    13
 #define OAKLEY_KEY_LENGTH             14
 #define OAKLEY_FIELD_SIZE             15
-#define OAKLEY_GROUP_ORDER            16	/* B/V */
+#define OAKLEY_GROUP_ORDER            16        /* B/V */
 #define OAKLEY_BLOCK_SIZE             17
 
 /* for each Oakley attribute, which enum_names describes its values? */
@@ -926,14 +824,14 @@ extern enum_names *oakley_attr_val_descs[];
 extern enum_names ipsec_attr_names;
 
 #define SA_LIFE_TYPE             1
-#define SA_LIFE_DURATION         2	/* B/V */
+#define SA_LIFE_DURATION         2      /* B/V */
 #define GROUP_DESCRIPTION        3
 #define ENCAPSULATION_MODE       4
 #define AUTH_ALGORITHM           5
 #define KEY_LENGTH               6
 #define KEY_ROUNDS               7
 #define COMPRESS_DICT_SIZE       8
-#define COMPRESS_PRIVATE_ALG     9	/* B/V */
+#define COMPRESS_PRIVATE_ALG     9      /* B/V */
 
 /* for each IPsec attribute, which enum_names describes its values? */
 extern enum_names *ipsec_attr_val_descs[];
@@ -961,9 +859,9 @@ extern enum_names sa_lifetime_names;
 #define PLUTO_SA_LIFE_DURATION_DEFAULT     3600 /* one hour    (pluto(8)) */
 #define SA_LIFE_DURATION_MAXIMUM          86400 /* one day */
 
-#define SA_REPLACEMENT_MARGIN_DEFAULT	    540 /* (IPSEC & IKE) nine minutes */
-#define SA_REPLACEMENT_FUZZ_DEFAULT	    100 /* (IPSEC & IKE) 100% of MARGIN */
-#define SA_REPLACEMENT_RETRIES_DEFAULT	      3 /* (IPSEC & IKE) */
+#define SA_REPLACEMENT_MARGIN_DEFAULT       540 /* (IPSEC & IKE) nine minutes */
+#define SA_REPLACEMENT_FUZZ_DEFAULT         100 /* (IPSEC & IKE) 100% of MARGIN */
+#define SA_REPLACEMENT_RETRIES_DEFAULT        3 /* (IPSEC & IKE) */
 
 #define SA_LIFE_DURATION_K_DEFAULT  0xFFFFFFFFlu
 
@@ -971,7 +869,7 @@ extern enum_names sa_lifetime_names;
 
 extern enum_names enc_mode_names;
 
-#define ENCAPSULATION_MODE_UNSPECIFIED 0	/* not legal -- used internally */
+#define ENCAPSULATION_MODE_UNSPECIFIED 0        /* not legal -- used internally */
 #define ENCAPSULATION_MODE_TUNNEL      1
 #define ENCAPSULATION_MODE_TRANSPORT   2
 
@@ -985,18 +883,18 @@ extern enum_names enc_mode_names;
 
 extern enum_names auth_alg_names, extended_auth_alg_names;
 
-#define AUTH_ALGORITHM_NONE		0  /* our private designation */
-#define AUTH_ALGORITHM_HMAC_MD5		1
-#define AUTH_ALGORITHM_HMAC_SHA1	2
-#define AUTH_ALGORITHM_DES_MAC		3
-#define AUTH_ALGORITHM_KPDK		4
-#define AUTH_ALGORITHM_HMAC_SHA2_256	5
-#define AUTH_ALGORITHM_HMAC_SHA2_384	6
-#define AUTH_ALGORITHM_HMAC_SHA2_512	7
-#define AUTH_ALGORITHM_HMAC_RIPEMD	8
-#define AUTH_ALGORITHM_AES_XCBC_MAC	9
-#define AUTH_ALGORITHM_SIG_RSA		10
-#define AUTH_ALGORITHM_NULL		251
+#define AUTH_ALGORITHM_NONE             0  /* our private designation */
+#define AUTH_ALGORITHM_HMAC_MD5         1
+#define AUTH_ALGORITHM_HMAC_SHA1        2
+#define AUTH_ALGORITHM_DES_MAC          3
+#define AUTH_ALGORITHM_KPDK             4
+#define AUTH_ALGORITHM_HMAC_SHA2_256    5
+#define AUTH_ALGORITHM_HMAC_SHA2_384    6
+#define AUTH_ALGORITHM_HMAC_SHA2_512    7
+#define AUTH_ALGORITHM_HMAC_RIPEMD      8
+#define AUTH_ALGORITHM_AES_XCBC_MAC     9
+#define AUTH_ALGORITHM_SIG_RSA          10
+#define AUTH_ALGORITHM_NULL             251
 
 /* Oakley Lifetime Type attribute
  * draft-ietf-ipsec-ike-01.txt appendix A
@@ -1030,23 +928,24 @@ extern enum_names oakley_prf_names;
 
 extern enum_names oakley_enc_names;
 
-#define OAKLEY_DES_CBC			1
-#define OAKLEY_IDEA_CBC			2
-#define OAKLEY_BLOWFISH_CBC		3
-#define OAKLEY_RC5_R16_B64_CBC		4
-#define OAKLEY_3DES_CBC			5
-#define OAKLEY_CAST_CBC			6
-#define OAKLEY_AES_CBC			7
+#define OAKLEY_DES_CBC                  1
+#define OAKLEY_IDEA_CBC                 2
+#define OAKLEY_BLOWFISH_CBC             3
+#define OAKLEY_RC5_R16_B64_CBC          4
+#define OAKLEY_3DES_CBC                 5
+#define OAKLEY_CAST_CBC                 6
+#define OAKLEY_AES_CBC                  7
+#define OAKLEY_CAMELLIA_CBC             8
 
-#define OAKLEY_MARS_CBC			65001
-#define OAKLEY_RC6_CBC			65002
-#define OAKLEY_ID_65003			65003
-#define OAKLEY_SERPENT_CBC		65004
-#define OAKLEY_TWOFISH_CBC		65005
+#define OAKLEY_MARS_CBC                 65001
+#define OAKLEY_RC6_CBC                  65002
+#define OAKLEY_ID_65003                 65003
+#define OAKLEY_SERPENT_CBC              65004
+#define OAKLEY_TWOFISH_CBC              65005
 
-#define OAKLEY_TWOFISH_CBC_SSH		65289
+#define OAKLEY_TWOFISH_CBC_SSH          65289
 
-#define OAKLEY_ENCRYPT_MAX      	65535	/* pretty useless :) */
+#define OAKLEY_ENCRYPT_MAX              65535   /* pretty useless :) */
 
 /* Oakley Hash Algorithm attribute
  * draft-ietf-ipsec-ike-01.txt appendix A
@@ -1079,42 +978,35 @@ extern enum_names oakley_auth_names;
 #define OAKLEY_RSA_ENC_REV         5
 #define OAKLEY_ELGAMAL_ENC         6
 #define OAKLEY_ELGAMAL_ENC_REV     7
+#define OAKLEY_ECDSA_SIG           8
+#define OAKLEY_ECDSA_256           9
+#define OAKLEY_ECDSA_384          10
+#define OAKLEY_ECDSA_521          11
 
-#define OAKLEY_AUTH_ROOF           8	/* roof on auth values THAT WE SUPPORT */
+#define OAKLEY_AUTH_ROOF          12    /* roof on auth values THAT WE SUPPORT */
 
-#define HybridInitRSA			64221
-#define HybridRespRSA			64222
-#define HybridInitDSS			64223
-#define HybridRespDSS			64224
+#define HybridInitRSA                   64221
+#define HybridRespRSA                   64222
+#define HybridInitDSS                   64223
+#define HybridRespDSS                   64224
 
-#define XAUTHInitPreShared		65001
-#define XAUTHRespPreShared		65002
-#define XAUTHInitDSS			65003
+#define XAUTHInitPreShared              65001
+#define XAUTHRespPreShared              65002
+#define XAUTHInitDSS                    65003
 #define XAUTHRespDSS                    65004
-#define XAUTHInitRSA			65005
-#define XAUTHRespRSA			65006
-#define XAUTHInitRSAEncryption		65007
-#define XAUTHRespRSAEncryption		65008
-#define XAUTHInitRSARevisedEncryption	65009
-#define XAUTHRespRSARevisedEncryption	65010
+#define XAUTHInitRSA                    65005
+#define XAUTHRespRSA                    65006
+#define XAUTHInitRSAEncryption          65007
+#define XAUTHRespRSAEncryption          65008
+#define XAUTHInitRSARevisedEncryption   65009
+#define XAUTHRespRSARevisedEncryption   65010
 
 /* Oakley Group Description attribute
  * draft-ietf-ipsec-ike-01.txt appendix A
  */
 extern enum_names oakley_group_names;
 
-#define OAKLEY_GROUP_MODP768       1
-#define OAKLEY_GROUP_MODP1024      2
-#define OAKLEY_GROUP_GP155         3
-#define OAKLEY_GROUP_GP185         4
-#define OAKLEY_GROUP_MODP1536      5
-
-#define OAKLEY_GROUP_MODP2048      14
-#define OAKLEY_GROUP_MODP3072      15
-#define OAKLEY_GROUP_MODP4096      16
-#define OAKLEY_GROUP_MODP6144      17
-#define OAKLEY_GROUP_MODP8192      18
-/*	you must also touch: constants.c, crypto.c */
+/*      you must also touch: constants.c, crypto.c */
 
 /* Oakley Group Type attribute
  * draft-ietf-ipsec-ike-01.txt appendix A
@@ -1134,54 +1026,54 @@ extern enum_names notification_names;
 extern enum_names ipsec_notification_names;
 
 typedef enum {
-    NOTHING_WRONG =             0,  /* unofficial! */
-
-    INVALID_PAYLOAD_TYPE =       1,
-    DOI_NOT_SUPPORTED =          2,
-    SITUATION_NOT_SUPPORTED =    3,
-    INVALID_COOKIE =             4,
-    INVALID_MAJOR_VERSION =      5,
-    INVALID_MINOR_VERSION =      6,
-    INVALID_EXCHANGE_TYPE =      7,
-    INVALID_FLAGS =              8,
-    INVALID_MESSAGE_ID =         9,
-    INVALID_PROTOCOL_ID =       10,
-    INVALID_SPI =               11,
-    INVALID_TRANSFORM_ID =      12,
-    ATTRIBUTES_NOT_SUPPORTED =  13,
-    NO_PROPOSAL_CHOSEN =        14,
-    BAD_PROPOSAL_SYNTAX =       15,
-    PAYLOAD_MALFORMED =         16,
-    INVALID_KEY_INFORMATION =   17,
-    INVALID_ID_INFORMATION =    18,
-    INVALID_CERT_ENCODING =     19,
-    INVALID_CERTIFICATE =       20,
-    CERT_TYPE_UNSUPPORTED =     21,
-    INVALID_CERT_AUTHORITY =    22,
-    INVALID_HASH_INFORMATION =  23,
-    AUTHENTICATION_FAILED =     24,
-    INVALID_SIGNATURE =         25,
-    ADDRESS_NOTIFICATION =      26,
-    NOTIFY_SA_LIFETIME =        27,
-    CERTIFICATE_UNAVAILABLE =   28,
-    UNSUPPORTED_EXCHANGE_TYPE = 29,
-    UNEQUAL_PAYLOAD_LENGTHS =   30,
-
-    /* ISAKMP status type */
-    CONNECTED =              16384,
-
-    /* IPSEC DOI additions; status types (RFC2407 IPSEC DOI 4.6.3)
-     * These must be sent under the protection of an ISAKMP SA.
-     */
-    IPSEC_RESPONDER_LIFETIME = 24576,
-    IPSEC_REPLAY_STATUS =      24577,
-    IPSEC_INITIAL_CONTACT =    24578,
-
-    /* RFC 3706 DPD */
-    R_U_THERE =                36136,
-    R_U_THERE_ACK =            36137
-
-    } notification_t;
+	NOTHING_WRONG =             0,  /* unofficial! */
+
+	INVALID_PAYLOAD_TYPE =       1,
+	DOI_NOT_SUPPORTED =          2,
+	SITUATION_NOT_SUPPORTED =    3,
+	INVALID_COOKIE =             4,
+	INVALID_MAJOR_VERSION =      5,
+	INVALID_MINOR_VERSION =      6,
+	INVALID_EXCHANGE_TYPE =      7,
+	INVALID_FLAGS =              8,
+	INVALID_MESSAGE_ID =         9,
+	INVALID_PROTOCOL_ID =       10,
+	INVALID_SPI =               11,
+	INVALID_TRANSFORM_ID =      12,
+	ATTRIBUTES_NOT_SUPPORTED =  13,
+	NO_PROPOSAL_CHOSEN =        14,
+	BAD_PROPOSAL_SYNTAX =       15,
+	PAYLOAD_MALFORMED =         16,
+	INVALID_KEY_INFORMATION =   17,
+	INVALID_ID_INFORMATION =    18,
+	INVALID_CERT_ENCODING =     19,
+	INVALID_CERTIFICATE =       20,
+	CERT_TYPE_UNSUPPORTED =     21,
+	INVALID_CERT_AUTHORITY =    22,
+	INVALID_HASH_INFORMATION =  23,
+	AUTHENTICATION_FAILED =     24,
+	INVALID_SIGNATURE =         25,
+	ADDRESS_NOTIFICATION =      26,
+	NOTIFY_SA_LIFETIME =        27,
+	CERTIFICATE_UNAVAILABLE =   28,
+	UNSUPPORTED_EXCHANGE_TYPE = 29,
+	UNEQUAL_PAYLOAD_LENGTHS =   30,
+
+	/* ISAKMP status type */
+	CONNECTED =              16384,
+
+	/* IPSEC DOI additions; status types (RFC2407 IPSEC DOI 4.6.3)
+	 * These must be sent under the protection of an ISAKMP SA.
+	 */
+	IPSEC_RESPONDER_LIFETIME = 24576,
+	IPSEC_REPLAY_STATUS =      24577,
+	IPSEC_INITIAL_CONTACT =    24578,
+
+	/* RFC 3706 DPD */
+	R_U_THERE =                36136,
+	R_U_THERE_ACK =            36137
+
+	} notification_t;
 
 
 /* Public key algorithm number
@@ -1192,8 +1084,8 @@ typedef enum {
 
 enum pubkey_alg
 {
-    PUBKEY_ALG_RSA = 1,
-    PUBKEY_ALG_DSA = 3,
+	PUBKEY_ALG_RSA = 1,
+	PUBKEY_ALG_DSA = 3,
 };
 
 /* Limits on size of RSA moduli.
@@ -1203,37 +1095,37 @@ enum pubkey_alg
  * real security.  For now, we require 512 bits.
  */
 
-#define RSA_MIN_OCTETS_RFC	12
+#define RSA_MIN_OCTETS_RFC      12
 
-#define RSA_MIN_OCTETS	(512 / BITS_PER_BYTE)
-#define RSA_MIN_OCTETS_UGH	"RSA modulus too small for security: less than 512 bits"
+#define RSA_MIN_OCTETS  (512 / BITS_PER_BYTE)
+#define RSA_MIN_OCTETS_UGH      "RSA modulus too small for security: less than 512 bits"
 
-#define RSA_MAX_OCTETS	(8192 / BITS_PER_BYTE)
-#define RSA_MAX_OCTETS_UGH	"RSA modulus too large: more than 8192 bits"
+#define RSA_MAX_OCTETS  (8192 / BITS_PER_BYTE)
+#define RSA_MAX_OCTETS_UGH      "RSA modulus too large: more than 8192 bits"
 
 /* Note: RFC 2537 encoding adds a few bytes.  If you use a small
  * modulus like 3, the overhead is only 2 bytes
  */
-#define RSA_MAX_ENCODING_BYTES	(RSA_MAX_OCTETS + 2)
+#define RSA_MAX_ENCODING_BYTES  (RSA_MAX_OCTETS + 2)
 
 /* socket address family info */
 
 struct af_info
 {
-    int af;
-    const char *name;
-    size_t ia_sz;
-    size_t sa_sz;
-    int mask_cnt;
-    u_int8_t id_addr, id_subnet, id_range;
-    const ip_address *any;
-    const ip_subnet *none;	/* 0.0.0.0/32 or IPv6 equivalent */
-    const ip_subnet *all;	/* 0.0.0.0/0 or IPv6 equivalent */
+	int af;
+	const char *name;
+	size_t ia_sz;
+	size_t sa_sz;
+	int mask_cnt;
+	u_int8_t id_addr, id_subnet, id_range;
+	const ip_address *any;
+	const ip_subnet *none;      /* 0.0.0.0/32 or IPv6 equivalent */
+	const ip_subnet *all;       /* 0.0.0.0/0 or IPv6 equivalent */
 };
 
 extern const struct af_info
-    af_inet4_info,
-    af_inet6_info;
+	af_inet4_info,
+	af_inet6_info;
 
 extern const struct af_info *aftoinfo(int af);
 
@@ -1245,18 +1137,18 @@ extern bool subnetisnone(const ip_subnet *sn);
 /* BIND enumerated types */
 
 extern enum_names
-    rr_qtype_names,
-    rr_type_names,
-    rr_class_names;
+	rr_qtype_names,
+	rr_type_names,
+	rr_class_names;
 
 /* How authenticated is info that might have come from DNS?
  * In order of increasing confidence.
  */
 enum dns_auth_level {
-    DAL_UNSIGNED,	/* AD in response, but no signature: no authentication */
-    DAL_NOTSEC,	/* no AD in response: authentication impossible */
-    DAL_SIGNED,	/* AD and signature in response: authentic */
-    DAL_LOCAL	/* locally provided (pretty good) */
+	DAL_UNSIGNED,       /* AD in response, but no signature: no authentication */
+	DAL_NOTSEC, /* no AD in response: authentication impossible */
+	DAL_SIGNED, /* AD and signature in response: authentic */
+	DAL_LOCAL   /* locally provided (pretty good) */
 };
 
 /*
@@ -1272,4 +1164,7 @@ enum dns_auth_level {
 /* natt traversal types */
 extern const char *const natt_type_bitnames[];
 
+/* secret value for responder cookies */
+extern u_char secret_of_the_day[HASH_SIZE_SHA1];
+
 #endif /* _CONSTANTS_H */
diff --git a/src/pluto/cookie.c b/src/pluto/cookie.c
index 00197321c..00c863f18 100644
--- a/src/pluto/cookie.c
+++ b/src/pluto/cookie.c
@@ -1,6 +1,7 @@
 /* cookie generation/verification routines.
  * Copyright (C) 1997 Angelos D. Keromytis.
  * Copyright (C) 1998-2002  D. Hugh Redelmeier.
+ * Copyright (C) 2009 Andreas Steffen - Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -11,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: cookie.c 3252 2007-10-06 21:24:50Z andreas $
  */
 
 #include <stdio.h>
@@ -23,45 +22,52 @@
 
 #include <freeswan.h>
 
+#include <library.h>
+#include <crypto/rngs/rng.h>
+
 #include "constants.h"
 #include "defs.h"
-#include "sha1.h"
-#include "rnd.h"
 #include "cookie.h"
 
-const u_char zero_cookie[COOKIE_SIZE];	/* guaranteed 0 */
+const u_char zero_cookie[COOKIE_SIZE];  /* guaranteed 0 */
 
 /* Generate a cookie.
  * First argument is true if we're to create an Initiator cookie.
  * Length SHOULD be a multiple of sizeof(u_int32_t).
  */
-void
-get_cookie(bool initiator, u_int8_t *cookie, int length, const ip_address *addr)
+void get_cookie(bool initiator, u_int8_t *cookie, int length, ip_address *addr)
 {
-    u_char buffer[SHA1_DIGEST_SIZE];
-    SHA1_CTX ctx;
+	hasher_t *hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
+	u_char buffer[HASH_SIZE_SHA1];
+
+	do {
+		if (initiator)
+		{
+			rng_t *rng;
+
+			rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
+			rng->get_bytes(rng, length, cookie);
+			rng->destroy(rng);
+		}
+		else  /* Responder cookie */
+		{
+			chunk_t addr_chunk, secret_chunk, counter_chunk;
+			size_t addr_len;
+			static u_int32_t counter = 0;
+			unsigned char addr_buf[
+				sizeof(union {struct in_addr A; struct in6_addr B;})];
 
-    do {
-	if (initiator)
-	{
-	    get_rnd_bytes(cookie, length);
-	}
-	else  /* Responder cookie */
-	{
-	    /* This looks as good as any way */
-	    size_t addr_length;
-	    static u_int32_t counter = 0;
-	    unsigned char addr_buff[
-		sizeof(union {struct in_addr A; struct in6_addr B;})];
+			addr_len = addrbytesof(addr, addr_buf, sizeof(addr_buf));
+			addr_chunk = chunk_create(addr_buf, addr_len);
+			secret_chunk = chunk_create(secret_of_the_day, HASH_SIZE_SHA1);
+			counter++;
+			counter_chunk = chunk_create((void *) &counter, sizeof(counter));
+			hasher->get_hash(hasher, addr_chunk, NULL);
+			hasher->get_hash(hasher, secret_chunk, NULL);
+			hasher->get_hash(hasher, counter_chunk, buffer);
+			memcpy(cookie, buffer, length);
+		}
+	} while (is_zero_cookie(cookie));   /* probably never loops */
 
-	    addr_length = addrbytesof(addr, addr_buff, sizeof(addr_buff));
-	    SHA1Init(&ctx);
-	    SHA1Update(&ctx, addr_buff, addr_length);
-	    SHA1Update(&ctx, secret_of_the_day, sizeof(secret_of_the_day));
-	    counter++;
-	    SHA1Update(&ctx, (const void *) &counter, sizeof(counter));
-	    SHA1Final(buffer, &ctx);
-	    memcpy(cookie, buffer, length);
-	}
-    } while (is_zero_cookie(cookie));	/* probably never loops */
+	hasher->destroy(hasher);
 }
diff --git a/src/pluto/cookie.h b/src/pluto/cookie.h
index b52bb2299..809d66491 100644
--- a/src/pluto/cookie.h
+++ b/src/pluto/cookie.h
@@ -10,15 +10,13 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: cookie.h 3252 2007-10-06 21:24:50Z andreas $
  */
 
 #include <freeswan.h>
 
-extern const u_char zero_cookie[COOKIE_SIZE];	/* guaranteed 0 */
+extern const u_char zero_cookie[COOKIE_SIZE];   /* guaranteed 0 */
 
-extern void get_cookie(bool initiator, u_int8_t *cookie, int length
-    , const ip_address *addr);
+extern void get_cookie(bool initiator, u_int8_t *cookie, int length,
+					   ip_address *addr);
 
 #define is_zero_cookie(cookie) all_zero((cookie), COOKIE_SIZE)
diff --git a/src/pluto/crl.c b/src/pluto/crl.c
index c891d19e6..c800f2acc 100644
--- a/src/pluto/crl.c
+++ b/src/pluto/crl.c
@@ -1,5 +1,7 @@
 /* Support of X.509 certificate revocation lists (CRLs)
- * Copyright (C) 2000-2004 Andreas Steffen, Zuercher Hochschule Winterthur
+ * Copyright (C) 2000-2009 Andreas Steffen
+ *
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -10,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: crl.c 4632 2008-11-11 18:37:19Z martin $
  */
 
 #include <stdlib.h>
@@ -23,13 +23,15 @@
 #include <sys/types.h>
 
 #include <freeswan.h>
-#include <ipsec_policy.h>
+
+#include <asn1/asn1.h>
+#include <asn1/asn1_parser.h>
+#include <asn1/oid.h>
+#include <crypto/hashers/hasher.h>
 
 #include "constants.h"
 #include "defs.h"
 #include "log.h"
-#include "asn1.h"
-#include <asn1/oid.h>
 #include "x509.h"
 #include "crl.h"
 #include "ca.h"
@@ -37,482 +39,482 @@
 #include "keys.h"
 #include "whack.h"
 #include "fetch.h"
-#include "sha1.h"
+
 
 /* chained lists of X.509 crls */
 
 static x509crl_t  *x509crls      = NULL;
 
-/* ASN.1 definition of an X.509 certificate list */
-
+/**
+  * ASN.1 definition of an X.509 certificate revocation list
+ */
 static const asn1Object_t crlObjects[] = {
-  { 0, "certificateList",		ASN1_SEQUENCE,     ASN1_OBJ  }, /*  0 */
-  { 1,   "tbsCertList",			ASN1_SEQUENCE,     ASN1_OBJ  }, /*  1 */
-  { 2,     "version",			ASN1_INTEGER,      ASN1_OPT |
-							   ASN1_BODY }, /*  2 */
-  { 2,     "end opt",			ASN1_EOC,          ASN1_END  }, /*  3 */
-  { 2,     "signature",			ASN1_EOC,          ASN1_RAW  }, /*  4 */
-  { 2,     "issuer",			ASN1_SEQUENCE,     ASN1_OBJ  }, /*  5 */
-  { 2,     "thisUpdate",		ASN1_EOC,          ASN1_RAW  }, /*  6 */
-  { 2,     "nextUpdate",		ASN1_EOC,          ASN1_RAW  }, /*  7 */
-  { 2,     "revokedCertificates",	ASN1_SEQUENCE,     ASN1_OPT |
-							   ASN1_LOOP }, /*  8 */
-  { 3,       "certList",		ASN1_SEQUENCE,     ASN1_NONE }, /*  9 */
-  { 4,         "userCertificate",	ASN1_INTEGER,      ASN1_BODY }, /* 10 */
-  { 4,         "revocationDate",	ASN1_EOC,          ASN1_RAW  }, /* 11 */
-  { 4,         "crlEntryExtensions",	ASN1_SEQUENCE,     ASN1_OPT |
-							   ASN1_LOOP }, /* 12 */
-  { 5,           "extension",		ASN1_SEQUENCE,     ASN1_NONE }, /* 13 */
-  { 6,             "extnID",		ASN1_OID,          ASN1_BODY }, /* 14 */
-  { 6,             "critical",		ASN1_BOOLEAN,      ASN1_DEF |
-							   ASN1_BODY }, /* 15 */
-  { 6,             "extnValue",		ASN1_OCTET_STRING, ASN1_BODY }, /* 16 */
-  { 4,         "end opt or loop",	ASN1_EOC,          ASN1_END  }, /* 17 */
-  { 2,     "end opt or loop",		ASN1_EOC,          ASN1_END  }, /* 18 */
-  { 2,     "optional extensions",	ASN1_CONTEXT_C_0,  ASN1_OPT  }, /* 19 */
-  { 3,       "crlExtensions",		ASN1_SEQUENCE,     ASN1_LOOP }, /* 20 */
-  { 4,         "extension",		ASN1_SEQUENCE,     ASN1_NONE }, /* 21 */
-  { 5,           "extnID",		ASN1_OID,          ASN1_BODY }, /* 22 */
-  { 5,           "critical",		ASN1_BOOLEAN,      ASN1_DEF |
-							   ASN1_BODY }, /* 23 */
-  { 5,           "extnValue",		ASN1_OCTET_STRING, ASN1_BODY }, /* 24 */
-  { 3,       "end loop",		ASN1_EOC,          ASN1_END  }, /* 25 */
-  { 2,     "end opt",			ASN1_EOC,          ASN1_END  }, /* 26 */
-  { 1,   "signatureAlgorithm",		ASN1_EOC,          ASN1_RAW  }, /* 27 */
-  { 1,   "signatureValue",		ASN1_BIT_STRING,   ASN1_BODY }  /* 28 */
- };
-
-#define CRL_OBJ_CERTIFICATE_LIST		 0
+	{ 0, "certificateList",				ASN1_SEQUENCE,     ASN1_OBJ  }, /*  0 */
+	{ 1,   "tbsCertList",				ASN1_SEQUENCE,     ASN1_OBJ  }, /*  1 */
+	{ 2,     "version",					ASN1_INTEGER,      ASN1_OPT |
+														   ASN1_BODY }, /*  2 */
+	{ 2,     "end opt",					ASN1_EOC,          ASN1_END  }, /*  3 */
+	{ 2,     "signature",				ASN1_EOC,          ASN1_RAW  }, /*  4 */	
+	{ 2,     "issuer",					ASN1_SEQUENCE,     ASN1_OBJ  }, /*  5 */
+	{ 2,     "thisUpdate",				ASN1_EOC,          ASN1_RAW  }, /*  6 */
+	{ 2,     "nextUpdate",				ASN1_EOC,          ASN1_RAW  }, /*  7 */
+	{ 2,     "revokedCertificates",		ASN1_SEQUENCE,     ASN1_OPT |
+														   ASN1_LOOP }, /*  8 */
+	{ 3,       "certList",				ASN1_SEQUENCE,     ASN1_NONE }, /*  9 */
+	{ 4,         "userCertificate",		ASN1_INTEGER,      ASN1_BODY }, /* 10 */
+	{ 4,         "revocationDate",		ASN1_EOC,          ASN1_RAW  }, /* 11 */
+	{ 4,         "crlEntryExtensions",  ASN1_SEQUENCE,     ASN1_OPT |
+							   							   ASN1_LOOP }, /* 12 */
+	{ 5,           "extension",			ASN1_SEQUENCE,	   ASN1_NONE }, /* 13 */
+	{ 6,             "extnID",			ASN1_OID,          ASN1_BODY }, /* 14 */
+	{ 6,             "critical",		ASN1_BOOLEAN,      ASN1_DEF |
+														   ASN1_BODY }, /* 15 */
+	{ 6,             "extnValue",		ASN1_OCTET_STRING, ASN1_BODY }, /* 16 */
+	{ 4,         "end opt or loop",		ASN1_EOC,          ASN1_END  }, /* 17 */
+	{ 2,     "end opt or loop",			ASN1_EOC,          ASN1_END  }, /* 18 */
+	{ 2,     "optional extensions",		ASN1_CONTEXT_C_0,  ASN1_OPT  }, /* 19 */
+	{ 3,       "crlExtensions",			ASN1_SEQUENCE,     ASN1_LOOP }, /* 20 */
+	{ 4,         "extension",			ASN1_SEQUENCE,     ASN1_NONE }, /* 21 */
+	{ 5,           "extnID",			ASN1_OID,          ASN1_BODY }, /* 22 */
+	{ 5,           "critical",			ASN1_BOOLEAN,      ASN1_DEF |
+														   ASN1_BODY }, /* 23 */
+	{ 5,           "extnValue",			ASN1_OCTET_STRING, ASN1_BODY }, /* 24 */
+	{ 3,       "end loop",				ASN1_EOC,          ASN1_END  }, /* 25 */
+	{ 2,     "end opt",					ASN1_EOC,          ASN1_END  }, /* 26 */
+	{ 1,   "signatureAlgorithm",		ASN1_EOC,          ASN1_RAW  }, /* 27 */
+	{ 1,   "signatureValue",			ASN1_BIT_STRING,   ASN1_BODY }, /* 28 */
+	{ 0, "exit",						ASN1_EOC,		   ASN1_EXIT }
+};
+
+#define CRL_OBJ_CERTIFICATE_LIST         0
 #define CRL_OBJ_TBS_CERT_LIST			 1
-#define CRL_OBJ_VERSION				 2
-#define CRL_OBJ_SIG_ALG				 4
-#define CRL_OBJ_ISSUER				 5
-#define CRL_OBJ_THIS_UPDATE			 6
-#define CRL_OBJ_NEXT_UPDATE			 7
+#define CRL_OBJ_VERSION					 2
+#define CRL_OBJ_SIG_ALG					 4
+#define CRL_OBJ_ISSUER					 5
+#define CRL_OBJ_THIS_UPDATE				 6
+#define CRL_OBJ_NEXT_UPDATE				 7
 #define CRL_OBJ_USER_CERTIFICATE		10
 #define CRL_OBJ_REVOCATION_DATE			11
 #define CRL_OBJ_CRL_ENTRY_EXTN_ID		14
 #define CRL_OBJ_CRL_ENTRY_CRITICAL		15
-#define CRL_OBJ_CRL_ENTRY_EXTN_VALUE		16
-#define CRL_OBJ_EXTN_ID				22
-#define CRL_OBJ_CRITICAL			23
-#define CRL_OBJ_EXTN_VALUE			24
-#define CRL_OBJ_ALGORITHM			27
-#define CRL_OBJ_SIGNATURE			28
-#define CRL_OBJ_ROOF				29
-
+#define CRL_OBJ_CRL_ENTRY_EXTN_VALUE	16
+#define CRL_OBJ_EXTN_ID					22
+#define CRL_OBJ_CRITICAL				23
+#define CRL_OBJ_EXTN_VALUE				24
+#define CRL_OBJ_ALGORITHM				27
+#define CRL_OBJ_SIGNATURE				28
 
 const x509crl_t empty_x509crl = {
-      NULL        , /* *next */
-    UNDEFINED_TIME, /* installed */
-      NULL        , /* distributionPoints */
-    { NULL, 0 }   , /* certificateList */
-    { NULL, 0 }   , /*   tbsCertList */
-            1     , /*     version */
-    OID_UNKNOWN   , /*     sigAlg */
-    { NULL, 0 }   , /*     issuer */
-    UNDEFINED_TIME, /*     thisUpdate */
-    UNDEFINED_TIME, /*     nextUpdate */
-      NULL        , /*     revokedCertificates */
-                    /*     crlExtensions */
-                    /*       extension */
-                    /*         extnID */
-                    /*         critical */
-                    /*         extnValue */
-    { NULL, 0 }   , /*           authKeyID */
-    { NULL, 0 }   , /*           authKeySerialNumber */
-    { NULL, 0 }   , /*           crlNumber */
-    OID_UNKNOWN   , /*   algorithm */
-    { NULL, 0 }     /*   signature */
+	  NULL        , /* *next */
+	UNDEFINED_TIME, /* installed */
+	  NULL        , /* distributionPoints */
+	{ NULL, 0 }   , /* certificateList */
+	{ NULL, 0 }   , /*   tbsCertList */
+			1     , /*     version */
+	OID_UNKNOWN   , /*     sigAlg */
+	{ NULL, 0 }   , /*     issuer */
+	UNDEFINED_TIME, /*     thisUpdate */
+	UNDEFINED_TIME, /*     nextUpdate */
+	  NULL        , /*     revokedCertificates */
+					/*     crlExtensions */
+					/*       extension */
+					/*         extnID */
+					/*         critical */
+					/*         extnValue */
+	{ NULL, 0 }   , /*           authKeyID */
+	{ NULL, 0 }   , /*           authKeySerialNumber */
+	{ NULL, 0 }   , /*           crlNumber */
+	OID_UNKNOWN   , /*   algorithm */
+	{ NULL, 0 }     /*   signature */
 };
 
-/*
- *  get the X.509 CRL with a given issuer
+/**
+ *  Get the X.509 CRL with a given issuer
  */
-static x509crl_t*
-get_x509crl(chunk_t issuer, chunk_t serial, chunk_t keyid)
+static x509crl_t* get_x509crl(chunk_t issuer, chunk_t serial, chunk_t keyid)
 {
-    x509crl_t *crl = x509crls;
-    x509crl_t *prev_crl = NULL;
-
-    while (crl != NULL)
-    {
-	if ((keyid.ptr != NULL && crl->authKeyID.ptr != NULL)
-	? same_keyid(keyid, crl->authKeyID)
-	: (same_dn(crl->issuer, issuer) && same_serial(serial, crl->authKeySerialNumber)))
+	x509crl_t *crl = x509crls;
+	x509crl_t *prev_crl = NULL;
+
+	while (crl != NULL)
 	{
-	    if (crl != x509crls)
-	    {
-		/* bring the CRL up front */
-		prev_crl->next = crl->next;
-		crl->next = x509crls;
-		x509crls = crl;
-	    }
-	    return crl;
+		if ((keyid.ptr != NULL && crl->authKeyID.ptr != NULL)
+		? same_keyid(keyid, crl->authKeyID)
+		: (same_dn(crl->issuer, issuer) && same_serial(serial, crl->authKeySerialNumber)))
+		{
+			if (crl != x509crls)
+			{
+				/* bring the CRL up front */
+				prev_crl->next = crl->next;
+				crl->next = x509crls;
+				x509crls = crl;
+			}
+			return crl;
+		}
+		prev_crl = crl;
+		crl = crl->next;
 	}
-	prev_crl = crl;
-	crl = crl->next;
-    }
-    return NULL;
+	return NULL;
 }
 
-/*
- *  free the dynamic memory used to store revoked certificates
+/**
+ *  Free the dynamic memory used to store revoked certificates
  */
-static void
-free_revoked_certs(revokedCert_t* revokedCerts)
+static void free_revoked_certs(revokedCert_t* revokedCerts)
 {
-    while (revokedCerts != NULL)
-    {
-	revokedCert_t * revokedCert = revokedCerts;
-	revokedCerts = revokedCert->next;
-	pfree(revokedCert);
-    }
+	while (revokedCerts != NULL)
+	{
+		revokedCert_t * revokedCert = revokedCerts;
+		revokedCerts = revokedCert->next;
+		free(revokedCert);
+	}
 }
 
-/*
- *  free the dynamic memory used to store CRLs
+/**
+ *  Free the dynamic memory used to store CRLs
  */
-void
-free_crl(x509crl_t *crl)
+void free_crl(x509crl_t *crl)
 {
-    free_revoked_certs(crl->revokedCertificates);
-    free_generalNames(crl->distributionPoints, TRUE);
-    pfree(crl->certificateList.ptr);
-    pfree(crl);
+	free_revoked_certs(crl->revokedCertificates);
+	free_generalNames(crl->distributionPoints, TRUE);
+	free(crl->certificateList.ptr);
+	free(crl);
 }
 
-static void
-free_first_crl(void)
+static void free_first_crl(void)
 {
-    x509crl_t *crl = x509crls;
+	x509crl_t *crl = x509crls;
 
-    x509crls = crl->next;
-    free_crl(crl);
+	x509crls = crl->next;
+	free_crl(crl);
 }
 
-void
-free_crls(void)
+void free_crls(void)
 {
-    lock_crl_list("free_crls");
+	lock_crl_list("free_crls");
 
-    while (x509crls != NULL)
-	free_first_crl();
+	while (x509crls != NULL)
+		free_first_crl();
 
-    unlock_crl_list("free_crls");
+	unlock_crl_list("free_crls");
 }
 
-/*
+/**
  * Insert X.509 CRL into chained list
  */
-bool
-insert_crl(chunk_t blob, chunk_t crl_uri, bool cache_crl)
+bool insert_crl(chunk_t blob, chunk_t crl_uri, bool cache_crl)
 {
-    x509crl_t *crl = alloc_thing(x509crl_t, "x509crl");
-
-    *crl = empty_x509crl;
-
-    if (parse_x509crl(blob, 0, crl))
-    {
-	x509cert_t *issuer_cert;
-	x509crl_t *oldcrl;
-	bool valid_sig;
-	generalName_t *gn;
-
-	/* add distribution point */
-	gn = alloc_thing(generalName_t, "generalName");
-	gn->kind = GN_URI;
-	gn->name = crl_uri;
-	gn->next = crl->distributionPoints;
-	crl->distributionPoints = gn;
-
-	lock_authcert_list("insert_crl");
-	/* get the issuer cacert */
-	issuer_cert = get_authcert(crl->issuer, crl->authKeySerialNumber,
-	    crl->authKeyID, AUTH_CA);
-	if (issuer_cert == NULL)
-	{
-	    plog("crl issuer cacert not found");
-	    free_crl(crl);
-	    unlock_authcert_list("insert_crl");
-	    return FALSE;
-	}
-	DBG(DBG_CONTROL,
-	    DBG_log("crl issuer cacert found")
-	)
-
-	/* check the issuer's signature of the crl */
-	valid_sig = check_signature(crl->tbsCertList, crl->signature
-			, crl->algorithm, crl->algorithm, issuer_cert);
-	unlock_authcert_list("insert_crl");
+	x509crl_t *crl = malloc_thing(x509crl_t);
 
-	if (!valid_sig)
-	{
-	    free_crl(crl);
-	    return FALSE;
-	}
-	DBG(DBG_CONTROL,
-	    DBG_log("crl signature is valid")
-	)
-
-	lock_crl_list("insert_crl");
-	oldcrl = get_x509crl(crl->issuer, crl->authKeySerialNumber
-	    , crl->authKeyID);
+	*crl = empty_x509crl;
 
-	if (oldcrl != NULL)
+	if (parse_x509crl(blob, 0, crl))
 	{
-	    if (crl->thisUpdate > oldcrl->thisUpdate)
-	    {
-		/* keep any known CRL distribution points */
-		add_distribution_points(oldcrl->distributionPoints
-		    , &crl->distributionPoints);
-
-		/* now delete the old CRL */
-		free_first_crl();
+		x509cert_t *issuer_cert;
+		x509crl_t *oldcrl;
+		bool valid_sig;
+		generalName_t *gn;
+
+		/* add distribution point */
+		gn = malloc_thing(generalName_t);
+		gn->kind = GN_URI;
+		gn->name = crl_uri;
+		gn->next = crl->distributionPoints;
+		crl->distributionPoints = gn;
+
+		lock_authcert_list("insert_crl");
+		/* get the issuer cacert */
+		issuer_cert = get_authcert(crl->issuer, crl->authKeySerialNumber,
+			crl->authKeyID, AUTH_CA);
+		if (issuer_cert == NULL)
+		{
+			plog("crl issuer cacert not found");
+			free_crl(crl);
+			unlock_authcert_list("insert_crl");
+			return FALSE;
+		}
 		DBG(DBG_CONTROL,
-		    DBG_log("thisUpdate is newer - existing crl deleted")
+			DBG_log("crl issuer cacert found")
 		)
-	    }
-	    else
-	    {
-		unlock_crl_list("insert_crls");
+
+		/* check the issuer's signature of the crl */
+		valid_sig = x509_check_signature(crl->tbsCertList, crl->signature,
+										 crl->algorithm, issuer_cert);
+		unlock_authcert_list("insert_crl");
+
+		if (!valid_sig)
+		{
+			free_crl(crl);
+			return FALSE;
+		}
 		DBG(DBG_CONTROL,
-		    DBG_log("thisUpdate is not newer - existing crl not replaced");
+			DBG_log("crl signature is valid")
 		)
-		free_crl(crl);
-		return oldcrl->nextUpdate - time(NULL) > 2*crl_check_interval;
-	    }
-	}
 
-	/* insert new CRL */
-	crl->next = x509crls;
-	x509crls = crl;
+		lock_crl_list("insert_crl");
+		oldcrl = get_x509crl(crl->issuer, crl->authKeySerialNumber
+			, crl->authKeyID);
 
-	unlock_crl_list("insert_crl");
+		if (oldcrl != NULL)
+		{
+			if (crl->thisUpdate > oldcrl->thisUpdate)
+			{
+				/* keep any known CRL distribution points */
+				add_distribution_points(oldcrl->distributionPoints
+					, &crl->distributionPoints);
+
+				/* now delete the old CRL */
+				free_first_crl();
+				DBG(DBG_CONTROL,
+					DBG_log("thisUpdate is newer - existing crl deleted")
+				)
+			}
+			else
+			{
+				unlock_crl_list("insert_crls");
+				DBG(DBG_CONTROL,
+					DBG_log("thisUpdate is not newer - existing crl not replaced");
+				)
+				free_crl(crl);
+				return oldcrl->nextUpdate - time(NULL) > 2*crl_check_interval;
+			}
+		}
 
-	/* If crl caching is enabled then the crl is saved locally.
-         * Only http or ldap URIs are cached but not local file URIs.
-         * The issuer's subjectKeyID is used as a unique filename
-         */
-	if (cache_crl && strncasecmp(crl_uri.ptr, "file", 4) != 0)
+		/* insert new CRL */
+		crl->next = x509crls;
+		x509crls = crl;
+
+		unlock_crl_list("insert_crl");
+
+		/* If crl caching is enabled then the crl is saved locally.
+		 * Only http or ldap URIs are cached but not local file URIs.
+		 * The issuer's subjectKeyID is used as a unique filename
+		 */
+		if (cache_crl && strncasecmp(crl_uri.ptr, "file", 4) != 0)
+		{
+			char path[BUF_LEN], buf[BUF_LEN];
+			char digest_buf[HASH_SIZE_SHA1];
+			chunk_t subjectKeyID = chunk_from_buf(digest_buf);
+			bool has_keyID;
+			
+			if (issuer_cert->subjectKeyID.ptr == NULL)
+			{
+				has_keyID = compute_subjectKeyID(issuer_cert, subjectKeyID);
+			}
+			else
+			{
+				subjectKeyID = issuer_cert->subjectKeyID;
+				has_keyID = TRUE;
+			}
+			if (has_keyID)
+			{
+				datatot(subjectKeyID.ptr, subjectKeyID.len, 16, buf, BUF_LEN);
+				snprintf(path, BUF_LEN, "%s/%s.crl", CRL_PATH, buf);
+				chunk_write(crl->certificateList, path, "crl",  0022, TRUE);
+			}
+		}
+
+		/* is the fetched crl valid? */
+		return crl->nextUpdate - time(NULL) > 2*crl_check_interval;
+	}
+	else
 	{
-	    char path[BUF_LEN];
-	    char buf[BUF_LEN];
-	    char digest_buf[SHA1_DIGEST_SIZE];
-	    chunk_t subjectKeyID = { digest_buf, SHA1_DIGEST_SIZE };
-
-	    if (issuer_cert->subjectKeyID.ptr == NULL)
-		compute_subjectKeyID(issuer_cert, subjectKeyID);
-	    else
-		subjectKeyID = issuer_cert->subjectKeyID;
-
-	    datatot(subjectKeyID.ptr, subjectKeyID.len, 16, buf, BUF_LEN);
-	    snprintf(path, BUF_LEN, "%s/%s.crl", CRL_PATH, buf);
-	    write_chunk(path, "crl", crl->certificateList, 0022, TRUE);
+		plog("  error in X.509 crl");
+		free_crl(crl);
+		return FALSE;
 	}
-
-	/* is the fetched crl valid? */
-	return crl->nextUpdate - time(NULL) > 2*crl_check_interval;
-    }
-    else
-    {
-	plog("  error in X.509 crl");
-	free_crl(crl);
-	return FALSE;
-    }
 }
 
-/*
+/**
  *  Loads CRLs
  */
-void
-load_crls(void)
+void load_crls(void)
 {
-    struct dirent **filelist;
-    u_char buf[BUF_LEN];
-    u_char *save_dir;
-    int n;
-
-    /* change directory to specified path */
-    save_dir = getcwd(buf, BUF_LEN);
-    if (chdir(CRL_PATH))
-    {
-	plog("Could not change to directory '%s'", CRL_PATH);
-    }
-    else
-    {
-	plog("Changing to directory '%s'", CRL_PATH);
-	n = scandir(CRL_PATH, &filelist, file_select, alphasort);
-
-	if (n < 0)
-	    plog("  scandir() error");
+	struct dirent **filelist;
+	u_char buf[BUF_LEN];
+	u_char *save_dir;
+	int n;
+
+	/* change directory to specified path */
+	save_dir = getcwd(buf, BUF_LEN);
+	if (chdir(CRL_PATH))
+	{
+		plog("Could not change to directory '%s'", CRL_PATH);
+	}
 	else
 	{
-	    while (n--)
-	    {
-		bool pgp = FALSE;
-		chunk_t blob = empty_chunk;
-		char *filename = filelist[n]->d_name;
+		plog("Changing to directory '%s'", CRL_PATH);
+		n = scandir(CRL_PATH, &filelist, file_select, alphasort);
 
-		if (load_coded_file(filename, NULL, "crl", &blob, &pgp))
+		if (n < 0)
+			plog("  scandir() error");
+		else
 		{
-		    chunk_t crl_uri;
-
-		    crl_uri.len = 7 + sizeof(CRL_PATH) + strlen(filename);
-		    crl_uri.ptr = alloc_bytes(crl_uri.len + 1, "crl uri");
-
-		    /* build CRL file URI */
-		    snprintf(crl_uri.ptr, crl_uri.len + 1, "file://%s/%s"
-		        , CRL_PATH, filename);
-
-		    insert_crl(blob, crl_uri, FALSE);
+			while (n--)
+			{
+				bool pgp = FALSE;
+				chunk_t blob = chunk_empty;
+				char *filename = filelist[n]->d_name;
+
+				if (load_coded_file(filename, NULL, "crl", &blob, &pgp))
+				{
+					chunk_t crl_uri;
+
+					crl_uri.len = 7 + sizeof(CRL_PATH) + strlen(filename);
+					crl_uri.ptr = malloc(crl_uri.len + 1);
+
+					/* build CRL file URI */
+					snprintf(crl_uri.ptr, crl_uri.len + 1, "file://%s/%s"
+						, CRL_PATH, filename);
+
+					insert_crl(blob, crl_uri, FALSE);
+				}
+				free(filelist[n]);
+			}
+			free(filelist);
 		}
-		free(filelist[n]);
-	    }
-	    free(filelist);
 	}
-    }
-    /* restore directory path */
-    ignore_result(chdir(save_dir));
+	/* restore directory path */
+	ignore_result(chdir(save_dir));
 }
 
-/*
+/**
  * Parses a CRL revocation reason code
  */
-static crl_reason_t
-parse_crl_reasonCode(chunk_t object)
+static crl_reason_t parse_crl_reasonCode(chunk_t object)
 {
-    crl_reason_t reason = REASON_UNSPECIFIED;
-
-    if (*object.ptr == ASN1_ENUMERATED
-    &&  asn1_length(&object) == 1)
-    {
-	reason = *object.ptr;
-    }
-
-    DBG(DBG_PARSING,
-	DBG_log("  '%s'", enum_name(&crl_reason_names, reason))
-    )
-    return reason;
+	crl_reason_t reason = REASON_UNSPECIFIED;
+
+	if (*object.ptr == ASN1_ENUMERATED
+	&&  asn1_length(&object) == 1)
+	{
+		reason = *object.ptr;
+	}
+
+	DBG(DBG_PARSING,
+		DBG_log("  '%N'", crl_reason_names, reason)
+	)
+	return reason;
 }
 
 /*
  *  Parses an X.509 CRL
  */
-bool
-parse_x509crl(chunk_t blob, u_int level0, x509crl_t *crl)
+bool parse_x509crl(chunk_t blob, u_int level0, x509crl_t *crl)
 {
-    u_char buf[BUF_LEN];
-    asn1_ctx_t ctx;
-    bool critical;
-    chunk_t extnID;
-    chunk_t userCertificate = empty_chunk;
-    chunk_t object;
-    u_int level;
-    int objectID = 0;
-
-    asn1_init(&ctx, blob, level0, FALSE, DBG_RAW);
-
-    while (objectID < CRL_OBJ_ROOF)
-    {
-	if (!extract_object(crlObjects, &objectID, &object, &level, &ctx))
-	     return FALSE;
-
-	/* those objects which will parsed further need the next higher level */
-	level++;
-
-	switch (objectID) {
-	case CRL_OBJ_CERTIFICATE_LIST:
-	    crl->certificateList = object;
-	    break;
-	case CRL_OBJ_TBS_CERT_LIST:
-	    crl->tbsCertList = object;
-	    break;
-	case CRL_OBJ_VERSION:
-	    crl->version = (object.len) ? (1+(u_int)*object.ptr) : 1;
-	    DBG(DBG_PARSING,
-		DBG_log("  v%d", crl->version);
-	    )
-	    break;
-	case CRL_OBJ_SIG_ALG:
-	    crl->sigAlg = parse_algorithmIdentifier(object, level, NULL);
-	    break;
-	case CRL_OBJ_ISSUER:
-	    crl->issuer = object;
-	    DBG(DBG_PARSING,
-		dntoa(buf, BUF_LEN, object);
-		DBG_log("  '%s'",buf)
-	    )
-	    break;
-	case CRL_OBJ_THIS_UPDATE:
-	    crl->thisUpdate = parse_time(object, level);
-	    break;
-	case CRL_OBJ_NEXT_UPDATE:
-	    crl->nextUpdate = parse_time(object, level);
-	    break;
-	case CRL_OBJ_USER_CERTIFICATE:
-	    userCertificate = object;
-	    break;
-	case CRL_OBJ_REVOCATION_DATE:
-	    {
-		/* put all the serial numbers and the revocation date in a chained list
-		   with revocedCertificates pointing to the first revoked certificate */
-
-		revokedCert_t *revokedCert = alloc_thing(revokedCert_t, "revokedCert");
-		revokedCert->userCertificate = userCertificate;
-		revokedCert->revocationDate = parse_time(object, level);
-		revokedCert->revocationReason = REASON_UNSPECIFIED;
-		revokedCert->next = crl->revokedCertificates;
-		crl->revokedCertificates = revokedCert;
-	    }
-	    break;
-	case CRL_OBJ_CRL_ENTRY_EXTN_ID:
-	case CRL_OBJ_EXTN_ID:
-	    extnID = object;
-	    break;
-	case CRL_OBJ_CRL_ENTRY_CRITICAL:
-	case CRL_OBJ_CRITICAL:
-	    critical = object.len && *object.ptr;
-	    DBG(DBG_PARSING,
-		DBG_log("  %s",(critical)?"TRUE":"FALSE");
-	    )
-	    break;
-	case CRL_OBJ_CRL_ENTRY_EXTN_VALUE:
-	case CRL_OBJ_EXTN_VALUE:
-	    {
-		u_int extn_oid = known_oid(extnID);
-
-		if (extn_oid == OID_CRL_REASON_CODE)
-		{
-		    crl->revokedCertificates->revocationReason =
-			parse_crl_reasonCode(object);
-		}
-		else if (extn_oid == OID_AUTHORITY_KEY_ID)
-		{
-		    parse_authorityKeyIdentifier(object, level
-			, &crl->authKeyID, &crl->authKeySerialNumber);
-		}
-		else if (extn_oid == OID_CRL_NUMBER)
-		{
-		    if (!parse_asn1_simple_object(&object, ASN1_INTEGER, level, "crlNumber"))
-			return FALSE;
-		    crl->crlNumber = object;
+	u_char buf[BUF_LEN];
+	asn1_parser_t *parser;
+	chunk_t extnID;
+	chunk_t userCertificate = chunk_empty;
+	chunk_t object;
+	int objectID;
+	bool success = FALSE;
+	bool critical;
+
+	parser = asn1_parser_create(crlObjects, blob);
+
+	while (parser->iterate(parser, &objectID, &object))
+	{
+		u_int level = parser->get_level(parser)+1;
+
+		switch (objectID) {
+		case CRL_OBJ_CERTIFICATE_LIST:
+			crl->certificateList = object;
+			break;
+		case CRL_OBJ_TBS_CERT_LIST:
+			crl->tbsCertList = object;
+			break;
+		case CRL_OBJ_VERSION:
+			crl->version = (object.len) ? (1+(u_int)*object.ptr) : 1;
+			DBG(DBG_PARSING,
+				DBG_log("  v%d", crl->version);
+			)
+			break;
+		case CRL_OBJ_SIG_ALG:
+			crl->sigAlg = asn1_parse_algorithmIdentifier(object, level, NULL);
+			break;
+		case CRL_OBJ_ISSUER:
+			crl->issuer = object;
+			DBG(DBG_PARSING,
+				dntoa(buf, BUF_LEN, object);
+				DBG_log("  '%s'",buf)
+			)
+			break;
+		case CRL_OBJ_THIS_UPDATE:
+			crl->thisUpdate = asn1_parse_time(object, level);
+			break;
+		case CRL_OBJ_NEXT_UPDATE:
+			crl->nextUpdate = asn1_parse_time(object, level);
+			break;
+		case CRL_OBJ_USER_CERTIFICATE:
+			userCertificate = object;
+			break;
+		case CRL_OBJ_REVOCATION_DATE:
+			{
+				/* put all the serial numbers and the revocation date in a chained list
+				   with revocedCertificates pointing to the first revoked certificate */
+
+				revokedCert_t *revokedCert = malloc_thing(revokedCert_t);
+				revokedCert->userCertificate = userCertificate;
+				revokedCert->revocationDate = asn1_parse_time(object, level);
+				revokedCert->revocationReason = REASON_UNSPECIFIED;
+				revokedCert->next = crl->revokedCertificates;
+				crl->revokedCertificates = revokedCert;
+			}
+			break;
+		case CRL_OBJ_CRL_ENTRY_EXTN_ID:
+		case CRL_OBJ_EXTN_ID:
+			extnID = object;
+			break;
+		case CRL_OBJ_CRL_ENTRY_CRITICAL:
+		case CRL_OBJ_CRITICAL:
+			critical = object.len && *object.ptr;
+			DBG(DBG_PARSING,
+				DBG_log("  %s",(critical)?"TRUE":"FALSE");
+			)
+			break;
+		case CRL_OBJ_CRL_ENTRY_EXTN_VALUE:
+		case CRL_OBJ_EXTN_VALUE:
+			{
+				u_int extn_oid = asn1_known_oid(extnID);
+
+				if (extn_oid == OID_CRL_REASON_CODE)
+				{
+					crl->revokedCertificates->revocationReason =
+						parse_crl_reasonCode(object);
+				}
+				else if (extn_oid == OID_AUTHORITY_KEY_ID)
+				{
+					parse_authorityKeyIdentifier(object, level
+						, &crl->authKeyID, &crl->authKeySerialNumber);
+				}
+				else if (extn_oid == OID_CRL_NUMBER)
+				{
+					if (!asn1_parse_simple_object(&object, ASN1_INTEGER,
+												  level, "crlNumber"))
+					{
+						goto end;
+					}
+					crl->crlNumber = object;
+				}
+			}
+			break;
+		case CRL_OBJ_ALGORITHM:
+			crl->algorithm = asn1_parse_algorithmIdentifier(object, level, NULL);
+			break;
+		case CRL_OBJ_SIGNATURE:
+			crl->signature = object;
+			break;
+		default:
+			break;
 		}
-	    }
-	    break;
-	case CRL_OBJ_ALGORITHM:
-	    crl->algorithm = parse_algorithmIdentifier(object, level, NULL);
-	    break;
-	case CRL_OBJ_SIGNATURE:
-	    crl->signature = object;
-	    break;
-	default:
-	    break;
 	}
-	objectID++;
-    }
-    time(&crl->installed);
-    return TRUE;
+	success = parser->success(parser);
+	time(&crl->installed);
+
+end:
+	parser->destroy(parser);
+	return success;
 }
 
 /*  Checks if the current certificate is revoked. It goes through the
@@ -523,28 +525,28 @@ static cert_status_t
 check_revocation(const x509crl_t *crl, chunk_t serial
 , time_t *revocationDate, crl_reason_t * revocationReason)
 {
-    revokedCert_t *revokedCert = crl->revokedCertificates;
-
-    *revocationDate = UNDEFINED_TIME;
-    *revocationReason = REASON_UNSPECIFIED;
-    
-    DBG(DBG_CONTROL,
-	DBG_dump_chunk("serial number:", serial)
-    )
-
-    while(revokedCert != NULL)
-    {
-	/* compare serial numbers */
-	if (revokedCert->userCertificate.len == serial.len &&
-	    memcmp(revokedCert->userCertificate.ptr, serial.ptr, serial.len) == 0)
+	revokedCert_t *revokedCert = crl->revokedCertificates;
+
+	*revocationDate = UNDEFINED_TIME;
+	*revocationReason = REASON_UNSPECIFIED;
+	
+	DBG(DBG_CONTROL,
+		DBG_dump_chunk("serial number:", serial)
+	)
+
+	while(revokedCert != NULL)
 	{
-	    *revocationDate = revokedCert->revocationDate;
-	    *revocationReason = revokedCert->revocationReason;
-	    return CERT_REVOKED;
+		/* compare serial numbers */
+		if (revokedCert->userCertificate.len == serial.len &&
+			memeq(revokedCert->userCertificate.ptr, serial.ptr, serial.len))
+		{
+			*revocationDate = revokedCert->revocationDate;
+			*revocationReason = revokedCert->revocationReason;
+			return CERT_REVOKED;
+		}
+		revokedCert = revokedCert->next;
 	}
-	revokedCert = revokedCert->next;
-    }
-    return CERT_GOOD;
+	return CERT_GOOD;
 }
 
 /*
@@ -553,37 +555,37 @@ check_revocation(const x509crl_t *crl, chunk_t serial
 void
 check_crls(void)
 {
-    x509crl_t *crl;
+	x509crl_t *crl;
 
-    lock_crl_list("check_crls");
-    crl = x509crls;
-
-    while (crl != NULL)
-    {
-	time_t time_left = crl->nextUpdate - time(NULL);
-	u_char buf[BUF_LEN];
+	lock_crl_list("check_crls");
+	crl = x509crls;
 
-	DBG(DBG_CONTROL,
-	    dntoa(buf, BUF_LEN, crl->issuer);
-	    DBG_log("issuer: '%s'",buf);
-	    if (crl->authKeyID.ptr != NULL)
-	    {
-		datatot(crl->authKeyID.ptr, crl->authKeyID.len, ':'
-		    , buf, BUF_LEN);
-		DBG_log("authkey: %s", buf);
-	    }
-	    DBG_log("%ld seconds left", time_left)
-	)
-	if (time_left < 2*crl_check_interval)
+	while (crl != NULL)
 	{
-	    fetch_req_t *req = build_crl_fetch_request(crl->issuer
-		, crl->authKeySerialNumber
-		, crl->authKeyID, crl->distributionPoints);
-	    add_crl_fetch_request(req);
+		time_t time_left = crl->nextUpdate - time(NULL);
+		u_char buf[BUF_LEN];
+
+		DBG(DBG_CONTROL,
+			dntoa(buf, BUF_LEN, crl->issuer);
+			DBG_log("issuer: '%s'",buf);
+			if (crl->authKeyID.ptr != NULL)
+			{
+				datatot(crl->authKeyID.ptr, crl->authKeyID.len, ':'
+					, buf, BUF_LEN);
+				DBG_log("authkey: %s", buf);
+			}
+			DBG_log("%ld seconds left", time_left)
+		)
+		if (time_left < 2*crl_check_interval)
+		{
+			fetch_req_t *req = build_crl_fetch_request(crl->issuer
+				, crl->authKeySerialNumber
+				, crl->authKeyID, crl->distributionPoints);
+			add_crl_fetch_request(req);
+		}
+		crl = crl->next;
 	}
-	crl = crl->next;
-    }
-    unlock_crl_list("check_crls");
+	unlock_crl_list("check_crls");
 }
 
 /*
@@ -593,118 +595,117 @@ cert_status_t
 verify_by_crl(const x509cert_t *cert, time_t *until, time_t *revocationDate
 , crl_reason_t *revocationReason)
 {
-    x509crl_t *crl;
-
-    ca_info_t *ca = get_ca_info(cert->issuer, cert->authKeySerialNumber
-			      , cert->authKeyID);
+	x509crl_t *crl;
 
-    generalName_t *crluri = (ca == NULL)? NULL : ca->crluri;
+	ca_info_t *ca = get_ca_info(cert->issuer, cert->authKeySerialNumber
+							  , cert->authKeyID);
 
-    *revocationDate = UNDEFINED_TIME;
-    *revocationReason = REASON_UNSPECIFIED;
+	generalName_t *crluri = (ca == NULL)? NULL : ca->crluri;
 
-    lock_crl_list("verify_by_crl");
-    crl = get_x509crl(cert->issuer, cert->authKeySerialNumber, cert->authKeyID);
+	*revocationDate = UNDEFINED_TIME;
+	*revocationReason = REASON_UNSPECIFIED;
 
-    if (crl == NULL)
-    {
-	unlock_crl_list("verify_by_crl");
-	plog("crl not found");
+	lock_crl_list("verify_by_crl");
+	crl = get_x509crl(cert->issuer, cert->authKeySerialNumber, cert->authKeyID);
 
-	if (cert->crlDistributionPoints != NULL)
+	if (crl == NULL)
 	{
-	    fetch_req_t *req = build_crl_fetch_request(cert->issuer
-		, cert->authKeySerialNumber
-		, cert->authKeyID, cert->crlDistributionPoints);
-	    add_crl_fetch_request(req);
-	}
+		unlock_crl_list("verify_by_crl");
+		plog("crl not found");
 
-	if (crluri != NULL)
-	{
-	    fetch_req_t *req = build_crl_fetch_request(cert->issuer
-		, cert->authKeySerialNumber
-		, cert->authKeyID, crluri);
-	    add_crl_fetch_request(req);
-	}
+		if (cert->crlDistributionPoints != NULL)
+		{
+			fetch_req_t *req = build_crl_fetch_request(cert->issuer
+				, cert->authKeySerialNumber
+				, cert->authKeyID, cert->crlDistributionPoints);
+			add_crl_fetch_request(req);
+		}
 
-	if (cert->crlDistributionPoints != 0 || crluri != NULL)
-	{
-	    wake_fetch_thread("verify_by_crl");
-	    return CERT_UNKNOWN;
+		if (crluri != NULL)
+		{
+			fetch_req_t *req = build_crl_fetch_request(cert->issuer
+				, cert->authKeySerialNumber
+				, cert->authKeyID, crluri);
+			add_crl_fetch_request(req);
+		}
+
+		if (cert->crlDistributionPoints != 0 || crluri != NULL)
+		{
+			wake_fetch_thread("verify_by_crl");
+			return CERT_UNKNOWN;
+		}
+		else
+			return CERT_UNDEFINED;
 	}
 	else
-	    return CERT_UNDEFINED;
-    }
-    else
-    {
-	x509cert_t *issuer_cert;
-	bool valid;
-
-	DBG(DBG_CONTROL,
-	    DBG_log("crl found")
-	)
-
-	add_distribution_points(cert->crlDistributionPoints
-		, &crl->distributionPoints);
-
-	add_distribution_points(crluri
-		, &crl->distributionPoints);
-
-	lock_authcert_list("verify_by_crl");
-
-	issuer_cert = get_authcert(crl->issuer, crl->authKeySerialNumber
-		, crl->authKeyID, AUTH_CA);
-	valid = check_signature(crl->tbsCertList, crl->signature
-		, crl->algorithm, crl->algorithm, issuer_cert);
-	
-	unlock_authcert_list("verify_by_crl");
-
-	if (valid)
 	{
-	    cert_status_t status;
+		x509cert_t *issuer_cert;
+		bool valid;
 
-	    DBG(DBG_CONTROL,
-		DBG_log("crl signature is valid")
-	    )
-	   /* return the expiration date */
-	    *until = crl->nextUpdate;
+		DBG(DBG_CONTROL,
+			DBG_log("crl found")
+		)
 
-	    /* has the certificate been revoked? */
-	    status = check_revocation(crl, cert->serialNumber, revocationDate
-	    			, revocationReason);
+		add_distribution_points(cert->crlDistributionPoints
+				, &crl->distributionPoints);
 
-	    if (*until < time(NULL))
-	    {
-		fetch_req_t *req;
+		add_distribution_points(crluri
+				, &crl->distributionPoints);
 
-		plog("crl update is overdue since %s"
-		    , timetoa(until, TRUE));
+		lock_authcert_list("verify_by_crl");
 
-		/* try to fetch a crl update */
-		req = build_crl_fetch_request(crl->issuer
-				, crl->authKeySerialNumber
-				, crl->authKeyID, crl->distributionPoints);
-		unlock_crl_list("verify_by_crl");
+		issuer_cert = get_authcert(crl->issuer, crl->authKeySerialNumber
+				, crl->authKeyID, AUTH_CA);
+		valid = x509_check_signature(crl->tbsCertList, crl->signature,
+									 crl->algorithm, issuer_cert);
+		
+		unlock_authcert_list("verify_by_crl");
 
-		add_crl_fetch_request(req);
-		wake_fetch_thread("verify_by_crl");
-	    }
-	    else
-	    {
-		unlock_crl_list("verify_by_crl");
-		DBG(DBG_CONTROL,
-		    DBG_log("crl is valid")
-		)
-	    }
-	    return status;
-	}
-	else
-	{
-	    unlock_crl_list("verify_by_crl");
-	    plog("crl signature is invalid");
-	    return CERT_UNKNOWN;
+		if (valid)
+		{
+			cert_status_t status;
+
+			DBG(DBG_CONTROL,
+				DBG_log("crl signature is valid")
+			)
+		   /* return the expiration date */
+			*until = crl->nextUpdate;
+
+			/* has the certificate been revoked? */
+			status = check_revocation(crl, cert->serialNumber, revocationDate
+								, revocationReason);
+
+			if (*until < time(NULL))
+			{
+				fetch_req_t *req;
+
+				plog("crl update is overdue since %T", until, TRUE);
+
+				/* try to fetch a crl update */
+				req = build_crl_fetch_request(crl->issuer
+								, crl->authKeySerialNumber
+								, crl->authKeyID, crl->distributionPoints);
+				unlock_crl_list("verify_by_crl");
+
+				add_crl_fetch_request(req);
+				wake_fetch_thread("verify_by_crl");
+			}
+			else
+			{
+				unlock_crl_list("verify_by_crl");
+				DBG(DBG_CONTROL,
+					DBG_log("crl is valid")
+				)
+			}
+			return status;
+		}
+		else
+		{
+			unlock_crl_list("verify_by_crl");
+			plog("crl signature is invalid");
+			return CERT_UNKNOWN;
+		}
 	}
-    }
 }
 
 /*
@@ -713,63 +714,63 @@ verify_by_crl(const x509cert_t *cert, time_t *until, time_t *revocationDate
 void
 list_crls(bool utc, bool strict)
 {
-    x509crl_t *crl;
+	x509crl_t *crl;
 
-    lock_crl_list("list_crls");
-    crl = x509crls;
+	lock_crl_list("list_crls");
+	crl = x509crls;
 
-    if (crl != NULL)
-    {
-	whack_log(RC_COMMENT, " ");
-	whack_log(RC_COMMENT, "List of X.509 CRLs:");
-	whack_log(RC_COMMENT, " ");
-    }
-
-    while (crl != NULL)
-    {
-	u_char buf[BUF_LEN];
-	u_int revoked = 0;
-	revokedCert_t *revokedCert = crl->revokedCertificates;
-
-	/* count number of revoked certificates in CRL */
-	while (revokedCert != NULL)
-	{
-	    revoked++;
-	    revokedCert = revokedCert->next;
-        }
-
-	whack_log(RC_COMMENT, "%s, revoked certs: %d",
-		timetoa(&crl->installed, utc), revoked);
-	dntoa(buf, BUF_LEN, crl->issuer);
-	whack_log(RC_COMMENT, "       issuer:   '%s'", buf);
-	if (crl->crlNumber.ptr != NULL)
+	if (crl != NULL)
 	{
-	    datatot(crl->crlNumber.ptr, crl->crlNumber.len, ':'
-		, buf, BUF_LEN);
-	    whack_log(RC_COMMENT, "       crlnumber: %s", buf);
+		whack_log(RC_COMMENT, " ");
+		whack_log(RC_COMMENT, "List of X.509 CRLs:");
+		whack_log(RC_COMMENT, " ");
 	}
-	list_distribution_points(crl->distributionPoints);
-
-	whack_log(RC_COMMENT, "       updates:   this %s",
-		timetoa(&crl->thisUpdate, utc));
-	whack_log(RC_COMMENT, "                  next %s %s",
-		timetoa(&crl->nextUpdate, utc),
-		check_expiry(crl->nextUpdate, CRL_WARNING_INTERVAL, strict));
-	if (crl->authKeyID.ptr != NULL)
-	{
-	    datatot(crl->authKeyID.ptr, crl->authKeyID.len, ':'
-		, buf, BUF_LEN);
-	    whack_log(RC_COMMENT, "       authkey:   %s", buf);
-	}
-	if (crl->authKeySerialNumber.ptr != NULL)
+
+	while (crl != NULL)
 	{
-	    datatot(crl->authKeySerialNumber.ptr, crl->authKeySerialNumber.len, ':'
-		, buf, BUF_LEN);
-	    whack_log(RC_COMMENT, "       aserial:   %s", buf);
-	}
+		u_char buf[BUF_LEN];
+		u_int revoked = 0;
+		revokedCert_t *revokedCert = crl->revokedCertificates;
+
+		/* count number of revoked certificates in CRL */
+		while (revokedCert != NULL)
+		{
+			revoked++;
+			revokedCert = revokedCert->next;
+		}
+
+		whack_log(RC_COMMENT, "%T, revoked certs: %d",
+				&crl->installed, utc, revoked);
+		dntoa(buf, BUF_LEN, crl->issuer);
+		whack_log(RC_COMMENT, "       issuer:   '%s'", buf);
+		if (crl->crlNumber.ptr != NULL)
+		{
+			datatot(crl->crlNumber.ptr, crl->crlNumber.len, ':'
+				, buf, BUF_LEN);
+			whack_log(RC_COMMENT, "       crlnumber: %s", buf);
+		}
+		list_distribution_points(crl->distributionPoints);
+
+		whack_log(RC_COMMENT, "       updates:   this %T",
+				&crl->thisUpdate, utc);
+		whack_log(RC_COMMENT, "                  next %T %s",
+				&crl->nextUpdate, utc,
+				check_expiry(crl->nextUpdate, CRL_WARNING_INTERVAL, strict));
+		if (crl->authKeyID.ptr != NULL)
+		{
+			datatot(crl->authKeyID.ptr, crl->authKeyID.len, ':'
+				, buf, BUF_LEN);
+			whack_log(RC_COMMENT, "       authkey:   %s", buf);
+		}
+		if (crl->authKeySerialNumber.ptr != NULL)
+		{
+			datatot(crl->authKeySerialNumber.ptr, crl->authKeySerialNumber.len, ':'
+				, buf, BUF_LEN);
+			whack_log(RC_COMMENT, "       aserial:   %s", buf);
+		}
 
-	crl = crl->next;
-    }
-    unlock_crl_list("list_crls");
+		crl = crl->next;
+	}
+	unlock_crl_list("list_crls");
 }
 
diff --git a/src/pluto/crl.h b/src/pluto/crl.h
index b5051dcac..7c110ad5a 100644
--- a/src/pluto/crl.h
+++ b/src/pluto/crl.h
@@ -10,8 +10,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: crl.h 3252 2007-10-06 21:24:50Z andreas $
  */
 
 #include "constants.h"
@@ -22,9 +20,9 @@ typedef struct revokedCert revokedCert_t;
 
 struct revokedCert{
   revokedCert_t *next;
-  chunk_t	userCertificate;
-  time_t	revocationDate;
-  crl_reason_t	revocationReason;
+  chunk_t       userCertificate;
+  time_t        revocationDate;
+  crl_reason_t  revocationReason;
 };
 
 /* storage structure for an X.509 CRL */
@@ -33,28 +31,28 @@ typedef struct x509crl x509crl_t;
 
 struct x509crl {
   x509crl_t     *next;
-  time_t	 installed;
+  time_t         installed;
   generalName_t *distributionPoints;
   chunk_t        certificateList;
   chunk_t          tbsCertList;
   u_int              version;
-  	         /*  signature */
+				 /*  signature */
   int                  sigAlg;
   chunk_t            issuer;
   time_t             thisUpdate;
   time_t             nextUpdate;
   revokedCert_t      *revokedCertificates;
-                /*   v2 extensions */
-                /*   crlExtensions */
-                /*     extension */
-                /*       extnID */
-                /*       critical */
-                /*       extnValue */
-  chunk_t		 authKeyID;
-  chunk_t		 authKeySerialNumber;
-  chunk_t		 crlNumber;
+				/*   v2 extensions */
+				/*   crlExtensions */
+				/*     extension */
+				/*       extnID */
+				/*       critical */
+				/*       extnValue */
+  chunk_t                authKeyID;
+  chunk_t                authKeySerialNumber;
+  chunk_t                crlNumber;
 
-                /* signatureAlgorithm */
+				/* signatureAlgorithm */
   int                algorithm;
   chunk_t          signature;
 };
@@ -82,7 +80,7 @@ extern void load_crls(void);
 extern void check_crls(void);
 extern bool insert_crl(chunk_t blob, chunk_t crl_uri, bool cache_crl);
 extern cert_status_t verify_by_crl(const x509cert_t *cert, time_t *until
-    , time_t *revocationDate, crl_reason_t *revocationReason);
+	, time_t *revocationDate, crl_reason_t *revocationReason);
 extern void list_crls(bool utc, bool strict);
 extern void free_crls(void);
 extern void free_crl(x509crl_t *crl);
diff --git a/src/pluto/crypto.c b/src/pluto/crypto.c
index 207192e14..1adccc74e 100644
--- a/src/pluto/crypto.c
+++ b/src/pluto/crypto.c
@@ -1,6 +1,6 @@
 /* crypto interfaces
- * Copyright (C) 1998-2001  D. Hugh Redelmeier
- * Copyright (C) 2007 Andreas Steffen
+ * Copyright (C) 1998-2001 D. Hugh Redelmeier
+ * Copyright (C) 2007-2009 Andreas Steffen - Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -11,617 +11,582 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: crypto.c 3252 2007-10-06 21:24:50Z andreas $
  */
 
-#include <stdio.h>
-#include <string.h>
-#include <stddef.h>
-#include <sys/types.h>
-
 #include <freeswan.h>
-#define HEADER_DES_LOCL_H   /* stupid trick to force prototype decl in <des.h> */
-#include <libdes/des.h>
-
-#include <errno.h>
 
 #include "constants.h"
 #include "defs.h"
-#include "state.h"
+#include "crypto.h"
 #include "log.h"
-#include "md5.h"
-#include "sha1.h"
-#include "crypto.h" /* requires sha1.h and md5.h */
-#include "alg_info.h"
-#include "ike_alg.h"
-
-
-/* moduli and generator. */
-
-static MP_INT
-    modp1024_modulus,
-    modp1536_modulus,
-    modp2048_modulus,
-    modp3072_modulus,
-    modp4096_modulus,
-    modp6144_modulus,
-    modp8192_modulus;
-
-MP_INT groupgenerator;	/* MODP group generator (2) */
-
-static void do_3des(u_int8_t *buf, size_t buf_len, u_int8_t *key, size_t key_size, u_int8_t *iv, bool enc);
-
-static struct encrypt_desc crypto_encryptor_3des =
-{ 	
-	algo_type: 	IKE_ALG_ENCRYPT,
-	algo_id:   	OAKLEY_3DES_CBC, 
-	algo_next: 	NULL,
-	enc_ctxsize: 	sizeof(des_key_schedule) * 3,
-	enc_blocksize: 	DES_CBC_BLOCK_SIZE, 
-	keydeflen: 	DES_CBC_BLOCK_SIZE * 3 * BITS_PER_BYTE,
-	keyminlen: 	DES_CBC_BLOCK_SIZE * 3 * BITS_PER_BYTE,
-	keymaxlen: 	DES_CBC_BLOCK_SIZE * 3 * BITS_PER_BYTE,
-	do_crypt: 	do_3des,
-};
-
-/* MD5 hash test vectors
- * from RFC 1321 "MD5 Message-Digest Algorithm"
- * April 1992, R. Rivest, RSA Data Security
- */
-
-static const u_char md5_test0_msg[] = {
-
-};
-
-static const u_char md5_test0_msg_digest[] = {
-    0xd4, 0x1d, 0x8c, 0xd9, 0x8f, 0x00, 0xb2, 0x04,
-    0xe9, 0x80, 0x09, 0x98, 0xec, 0xf8, 0x42, 0x7e
-};
-
-static const u_char md5_test1_msg[] = {
-    0x61
-};
-
-static const u_char md5_test1_msg_digest[] = {
-    0x0c, 0xc1, 0x75, 0xb9, 0xc0, 0xf1, 0xb6, 0xa8,
-    0x31, 0xc3, 0x99, 0xe2, 0x69, 0x77, 0x26, 0x61
-};
-
-static const u_char md5_test2_msg[] = {
-    0x61, 0x62, 0x63
-};
-
-static const u_char md5_test2_msg_digest[] = {
-    0x90, 0x01, 0x50, 0x98, 0x3c, 0xd2, 0x4f, 0xb0,
-    0xd6, 0x96, 0x3f, 0x7d, 0x28, 0xe1, 0x7f, 0x72
-};
-
-static const u_char md5_test3_msg[] = {
-    0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x20,
-    0x64, 0x69, 0x67, 0x65, 0x73, 0x74
-};
-
-static const u_char md5_test3_msg_digest[] = {
-    0xf9, 0x6b, 0x69, 0x7d, 0x7c, 0xb7, 0x93, 0x8d,
-    0x52, 0x5a, 0x2f, 0x31, 0xaa, 0xf1, 0x61, 0xd0
-};
-
-static const u_char md5_test4_msg[] = {
-    0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68,
-    0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70,
-    0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78,
-    0x79, 0x7a
-};
 
-static const u_char md5_test4_msg_digest[] = {
-    0xc3, 0xfc, 0xd3, 0xd7, 0x61, 0x92, 0xe4, 0x00,
-    0x7d, 0xfb, 0x49, 0x6c, 0xca, 0x67, 0xe1, 0x3b
-};
-
-static const u_char md5_test5_msg[] = {
-    0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48,
-    0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f, 0x50,
-    0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57, 0x58,
-    0x59, 0x5a, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
-    0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e,
-    0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76,
-    0x77, 0x78, 0x79, 0x7a, 0x30, 0x31, 0x32, 0x33,
-    0x34, 0x35, 0x36, 0x37, 0x38, 0x39
-};
+static struct encrypt_desc encrypt_desc_3des =
+{       
+	algo_type:       IKE_ALG_ENCRYPT,
+	algo_id:         OAKLEY_3DES_CBC, 
+	algo_next:       NULL,
 
-static const u_char md5_test5_msg_digest[] = {
-    0xd1, 0x74, 0xab, 0x98, 0xd2, 0x77, 0xd9, 0xf5,
-    0xa5, 0x61, 0x1c, 0x2c, 0x9f, 0x41, 0x9d, 0x9f
+	enc_blocksize:	 DES_BLOCK_SIZE, 
+	keydeflen:		 DES_BLOCK_SIZE * 3 * BITS_PER_BYTE,
+	keyminlen:		 DES_BLOCK_SIZE * 3 * BITS_PER_BYTE,
+	keymaxlen:		 DES_BLOCK_SIZE * 3 * BITS_PER_BYTE,
 };
 
-static const u_char md5_test6_msg[] = {
-    0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38,
-    0x39, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36,
-    0x37, 0x38, 0x39, 0x30, 0x31, 0x32, 0x33, 0x34,
-    0x35, 0x36, 0x37, 0x38, 0x39, 0x30, 0x31, 0x32,
-    0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x30,
-    0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38,
-    0x39, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36,
-    0x37, 0x38, 0x39, 0x30, 0x31, 0x32, 0x33, 0x34,
-    0x35, 0x36, 0x37, 0x38, 0x39, 0x30, 0x31, 0x32,
-    0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x30
-};
+#define  AES_KEY_MIN_LEN	128
+#define  AES_KEY_DEF_LEN	128
+#define  AES_KEY_MAX_LEN	256
 
-static const u_char md5_test6_msg_digest[] = {
-    0x57, 0xed, 0xf4, 0xa2, 0x2b, 0xe3, 0xc9, 0x55,
-    0xac, 0x49, 0xda, 0x2e, 0x21, 0x07, 0xb6, 0x7a
-};
-
-static const hash_testvector_t md5_hash_testvectors[] = {
-    { sizeof(md5_test0_msg), md5_test0_msg, md5_test0_msg_digest },
-    { sizeof(md5_test1_msg), md5_test1_msg, md5_test1_msg_digest },
-    { sizeof(md5_test2_msg), md5_test2_msg, md5_test2_msg_digest },
-    { sizeof(md5_test3_msg), md5_test3_msg, md5_test3_msg_digest },
-    { sizeof(md5_test4_msg), md5_test4_msg, md5_test4_msg_digest },
-    { sizeof(md5_test5_msg), md5_test5_msg, md5_test5_msg_digest },
-    { sizeof(md5_test6_msg), md5_test6_msg, md5_test6_msg_digest },
-    { 0, NULL, NULL }
-};
-
-/* MD5 hmac test vectors
- * from RFC 2202 "Test Cases for HMAC-MD5 and HMAC-SHA-1"
- * September 1997, P. Cheng, IBM & R. Glenn, NIST
- */
-
-static const u_char md5_hmac1_key[] = {
-    0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
-    0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b
-};
-
-static const u_char md5_hmac1_msg[] = {
-    0x48, 0x69, 0x20, 0x54, 0x68, 0x65, 0x72, 0x65
-};
-
-static const u_char md5_hmac1[] = {
-    0x92, 0x94, 0x72, 0x7a, 0x36, 0x38, 0xbb, 0x1c,
-    0x13, 0xf4, 0x8e, 0xf8, 0x15, 0x8b, 0xfc, 0x9d
-};
-
-static const u_char md5_hmac2_key[] = {
-    0x4a, 0x65, 0x66, 0x65
-};
-
-static const u_char md5_hmac2_msg[] = {
-    0x77, 0x68, 0x61, 0x74, 0x20, 0x64, 0x6f, 0x20,
-    0x79, 0x61, 0x20, 0x77, 0x61, 0x6e, 0x74, 0x20,
-    0x66, 0x6f, 0x72, 0x20, 0x6e, 0x6f, 0x74, 0x68,
-    0x69, 0x6e, 0x67, 0x3f
-};
+static struct encrypt_desc encrypt_desc_aes =
+{
+	algo_type: 	     IKE_ALG_ENCRYPT,
+	algo_id:   	     OAKLEY_AES_CBC,
+	algo_next: 	     NULL, 
 
-static const u_char md5_hmac2[] = {
-    0x75, 0x0c, 0x78, 0x3e, 0x6a, 0xb0, 0xb5, 0x03,
-    0xea, 0xa8, 0x6e, 0x31, 0x0a, 0x5d, 0xb7, 0x38
+	enc_blocksize: 	 AES_BLOCK_SIZE,
+	keyminlen: 		 AES_KEY_MIN_LEN,
+	keydeflen: 		 AES_KEY_DEF_LEN,
+	keymaxlen: 		 AES_KEY_MAX_LEN,
 };
 
-static const u_char md5_hmac3_key[] = {
-    0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
-    0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa
-};
+#define  BLOWFISH_KEY_MIN_LEN	128
+#define  BLOWFISH_KEY_MAX_LEN	448
 
-static const u_char md5_hmac3_msg[] = {
-    0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
-    0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
-    0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
-    0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
-    0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
-    0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
-    0xdd, 0xdd
-};
+static struct encrypt_desc encrypt_desc_blowfish =
+{
+	algo_type:       IKE_ALG_ENCRYPT,
+	algo_id:         OAKLEY_BLOWFISH_CBC,
+	algo_next:       NULL, 
 
-static const u_char md5_hmac3[] = {
-    0x56, 0xbe, 0x34, 0x52, 0x1d, 0x14, 0x4c, 0x88,
-    0xdb, 0xb8, 0xc7, 0x33, 0xf0, 0xe8, 0xb3, 0xf6
+	enc_blocksize:	 BLOWFISH_BLOCK_SIZE,
+	keyminlen:		 BLOWFISH_KEY_MIN_LEN,
+	keydeflen:		 BLOWFISH_KEY_MIN_LEN,
+	keymaxlen:		 BLOWFISH_KEY_MAX_LEN,
 };
 
-static const u_char md5_hmac4_key[] = {
-    0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
-    0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10,
-    0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
-    0x19
-};
+#define  SERPENT_KEY_MIN_LEN	128
+#define  SERPENT_KEY_DEF_LEN	128
+#define  SERPENT_KEY_MAX_LEN	256
 
-static const u_char md5_hmac4_msg[] = {
-    0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd,
-    0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd,
-    0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd,
-    0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd,
-    0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd,
-    0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd,
-    0xcd, 0xcd 
-};
-
-static const u_char md5_hmac4[] = {
-    0x69, 0x7e, 0xaf, 0x0a, 0xca, 0x3a, 0x3a, 0xea,
-    0x3a, 0x75, 0x16, 0x47, 0x46, 0xff, 0xaa, 0x79
-};
+static struct encrypt_desc encrypt_desc_serpent =
+{
+	algo_type: 	    IKE_ALG_ENCRYPT,
+	algo_id:   	    OAKLEY_SERPENT_CBC,
+	algo_next: 	    NULL,
 
-static const u_char md5_hmac6_key[] = {
-    0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
-    0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
-    0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
-    0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
-    0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
-    0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
-    0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
-    0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
-    0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
-    0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+	enc_blocksize:   SERPENT_BLOCK_SIZE,
+	keyminlen:		 SERPENT_KEY_MIN_LEN,
+	keydeflen:		 SERPENT_KEY_DEF_LEN,
+	keymaxlen:		 SERPENT_KEY_MAX_LEN,
 };
 
-static const u_char md5_hmac6_msg[] = {
-    0x54, 0x65, 0x73, 0x74, 0x20, 0x55, 0x73, 0x69,
-    0x6e, 0x67, 0x20, 0x4c, 0x61, 0x72, 0x67, 0x65,
-    0x72, 0x20, 0x54, 0x68, 0x61, 0x6e, 0x20, 0x42,
-    0x6c, 0x6f, 0x63, 0x6b, 0x2d, 0x53, 0x69, 0x7a,
-    0x65, 0x20, 0x4b, 0x65, 0x79, 0x20, 0x2d, 0x20,
-    0x48, 0x61, 0x73, 0x68, 0x20, 0x4b, 0x65, 0x79,
-    0x20, 0x46, 0x69, 0x72, 0x73, 0x74
-};
+#define  TWOFISH_KEY_MIN_LEN	128
+#define  TWOFISH_KEY_DEF_LEN	128
+#define  TWOFISH_KEY_MAX_LEN	256
 
-static const u_char md5_hmac6[] = {
-    0x6b, 0x1a, 0xb7, 0xfe, 0x4b, 0xd7, 0xbf, 0x8f,
-    0x0b, 0x62, 0xe6, 0xce, 0x61, 0xb9, 0xd0, 0xcd
-};
+static struct encrypt_desc encrypt_desc_twofish = 
+{
+	algo_type: 	     IKE_ALG_ENCRYPT,
+	algo_id:   	     OAKLEY_TWOFISH_CBC,
+	algo_next: 	     NULL,
 
-static const u_char md5_hmac7_msg[] = {
-    0x54, 0x65, 0x73, 0x74, 0x20, 0x55, 0x73, 0x69,
-    0x6e, 0x67, 0x20, 0x4c, 0x61, 0x72, 0x67, 0x65,
-    0x72, 0x20, 0x54, 0x68, 0x61, 0x6e, 0x20, 0x42,
-    0x6c, 0x6f, 0x63, 0x6b, 0x2d, 0x53, 0x69, 0x7a,
-    0x65, 0x20, 0x4b, 0x65, 0x79, 0x20, 0x61, 0x6e,
-    0x64, 0x20, 0x4c, 0x61, 0x72, 0x67, 0x65, 0x72,
-    0x20, 0x54, 0x68, 0x61, 0x6e, 0x20, 0x4f, 0x6e,
-    0x65, 0x20, 0x42, 0x6c, 0x6f, 0x63, 0x6b, 0x2d,
-    0x53, 0x69, 0x7a, 0x65, 0x20, 0x44, 0x61, 0x74,
-    0x61
+	enc_blocksize:	 TWOFISH_BLOCK_SIZE,
+	keydeflen:		 TWOFISH_KEY_MIN_LEN,
+	keyminlen:		 TWOFISH_KEY_DEF_LEN,
+	keymaxlen:		 TWOFISH_KEY_MAX_LEN,
 };
 
-static const u_char md5_hmac7[] = {
-    0x6f, 0x63, 0x0f, 0xad, 0x67, 0xcd, 0xa0, 0xee,
-    0x1f, 0xb1, 0xf5, 0x62, 0xdb, 0x3a, 0xa5, 0x3e
-};
+static struct encrypt_desc encrypt_desc_twofish_ssh =
+{
+	algo_type: 	     IKE_ALG_ENCRYPT,
+	algo_id:   	     OAKLEY_TWOFISH_CBC_SSH,
+	algo_next: 	     NULL,
 
-static const hmac_testvector_t md5_hmac_testvectors[] = {
-    { sizeof(md5_hmac1_key), md5_hmac1_key, sizeof(md5_hmac1_msg), md5_hmac1_msg, md5_hmac1 },
-    { sizeof(md5_hmac2_key), md5_hmac2_key, sizeof(md5_hmac2_msg), md5_hmac2_msg, md5_hmac2 },
-    { sizeof(md5_hmac3_key), md5_hmac3_key, sizeof(md5_hmac3_msg), md5_hmac3_msg, md5_hmac3 },
-    { sizeof(md5_hmac4_key), md5_hmac4_key, sizeof(md5_hmac4_msg), md5_hmac4_msg, md5_hmac4 },
-    { sizeof(md5_hmac6_key), md5_hmac6_key, sizeof(md5_hmac6_msg), md5_hmac6_msg, md5_hmac6 },
-    { sizeof(md5_hmac6_key), md5_hmac6_key, sizeof(md5_hmac7_msg), md5_hmac7_msg, md5_hmac7 },
-    { 0, NULL, 0, NULL, NULL }
+	enc_blocksize:	 TWOFISH_BLOCK_SIZE,
+	keydeflen:		 TWOFISH_KEY_MIN_LEN,
+	keyminlen:		 TWOFISH_KEY_DEF_LEN,
+	keymaxlen:		 TWOFISH_KEY_MAX_LEN,
 };
 
-static struct hash_desc crypto_hasher_md5 =
-{ 	
+static struct hash_desc hash_desc_md5 =
+{       
 	algo_type: IKE_ALG_HASH,
 	algo_id:   OAKLEY_MD5,
 	algo_next: NULL, 
-	hash_ctx_size:    sizeof(MD5_CTX),
-	hash_block_size:  MD5_BLOCK_SIZE,
-	hash_digest_size: MD5_DIGEST_SIZE,
-	hash_testvectors: md5_hash_testvectors,
-	hmac_testvectors: md5_hmac_testvectors,
-	hash_init: (void (*)(void *)) MD5Init,
-	hash_update: (void (*)(void *, const u_int8_t *, size_t)) MD5Update,
-	hash_final: (void (*)(u_char *, void *)) MD5Final
+	hash_digest_size: HASH_SIZE_MD5,
 };
 
-/* SHA-1 test vectors
- * from "The Secure Hash Algorithm Validation System (SHAVS)"
- * July 22, 2004, Lawrence E. Bassham III, NIST
- */
-
-static const u_char sha1_short2_msg[] = {
-    0x5e
+static struct hash_desc hash_desc_sha1 =
+{       
+	algo_type: IKE_ALG_HASH,
+	algo_id:   OAKLEY_SHA,
+	algo_next: NULL, 
+	hash_digest_size: HASH_SIZE_SHA1,
 };
 
-static const u_char sha1_short2_msg_digest[] = {
-    0x5e, 0x6f, 0x80, 0xa3, 0x4a, 0x97, 0x98, 0xca,
-    0xfc, 0x6a, 0x5d, 0xb9, 0x6c, 0xc5, 0x7b, 0xa4,
-    0xc4, 0xdb, 0x59, 0xc2
+static struct hash_desc hash_desc_sha2_256 = {
+	algo_type: IKE_ALG_HASH,
+	algo_id:   OAKLEY_SHA2_256,
+	algo_next: NULL,
+	hash_digest_size: HASH_SIZE_SHA256,
 };
 
-static const u_char sha1_short4_msg[] = {
-    0x9a, 0x7d, 0xfd, 0xf1, 0xec, 0xea, 0xd0, 0x6e,
-    0xd6, 0x46, 0xaa, 0x55, 0xfe, 0x75, 0x71, 0x46
+static struct hash_desc hash_desc_sha2_384 = {
+	algo_type: IKE_ALG_HASH,
+	algo_id:   OAKLEY_SHA2_384,
+	algo_next: NULL,
+	hash_digest_size: HASH_SIZE_SHA384,
 };
 
-static const u_char sha1_short4_msg_digest[] = {
-    0x82, 0xab, 0xff, 0x66, 0x05, 0xdb, 0xe1, 0xc1,
-    0x7d, 0xef, 0x12, 0xa3, 0x94, 0xfa, 0x22, 0xa8,
-    0x2b, 0x54, 0x4a, 0x35
+static struct hash_desc hash_desc_sha2_512 = {
+	algo_type: IKE_ALG_HASH,
+	algo_id:   OAKLEY_SHA2_512,
+	algo_next: NULL,
+	hash_digest_size: HASH_SIZE_SHA512,
 };
 
-static const u_char sha1_long2_msg[] = {
-    0xf7, 0x8f, 0x92, 0x14, 0x1b, 0xcd, 0x17, 0x0a,
-    0xe8, 0x9b, 0x4f, 0xba, 0x15, 0xa1, 0xd5, 0x9f,
-    0x3f, 0xd8, 0x4d, 0x22, 0x3c, 0x92, 0x51, 0xbd,
-    0xac, 0xbb, 0xae, 0x61, 0xd0, 0x5e, 0xd1, 0x15,
-    0xa0, 0x6a, 0x7c, 0xe1, 0x17, 0xb7, 0xbe, 0xea,
-    0xd2, 0x44, 0x21, 0xde, 0xd9, 0xc3, 0x25, 0x92,
-    0xbd, 0x57, 0xed, 0xea, 0xe3, 0x9c, 0x39, 0xfa,
-    0x1f, 0xe8, 0x94, 0x6a, 0x84, 0xd0, 0xcf, 0x1f,
-    0x7b, 0xee, 0xad, 0x17, 0x13, 0xe2, 0xe0, 0x95,
-    0x98, 0x97, 0x34, 0x7f, 0x67, 0xc8, 0x0b, 0x04,
-    0x00, 0xc2, 0x09, 0x81, 0x5d, 0x6b, 0x10, 0xa6,
-    0x83, 0x83, 0x6f, 0xd5, 0x56, 0x2a, 0x56, 0xca,
-    0xb1, 0xa2, 0x8e, 0x81, 0xb6, 0x57, 0x66, 0x54,
-    0x63, 0x1c, 0xf1, 0x65, 0x66, 0xb8, 0x6e, 0x3b,
-    0x33, 0xa1, 0x08, 0xb0, 0x53, 0x07, 0xc0, 0x0a,
-    0xff, 0x14, 0xa7, 0x68, 0xed, 0x73, 0x50, 0x60,
-    0x6a, 0x0f, 0x85, 0xe6, 0xa9, 0x1d, 0x39, 0x6f,
-    0x5b, 0x5c, 0xbe, 0x57, 0x7f, 0x9b, 0x38, 0x80,
-    0x7c, 0x7d, 0x52, 0x3d, 0x6d, 0x79, 0x2f, 0x6e,
-    0xbc, 0x24, 0xa4, 0xec, 0xf2, 0xb3, 0xa4, 0x27,
-    0xcd, 0xbb, 0xfb
+const struct dh_desc unset_group = {
+	algo_type:  IKE_ALG_DH_GROUP,
+	algo_id:    MODP_NONE, 
+	algo_next:  NULL,
+	ke_size:    0
 };
 
-static const u_char sha1_long2_msg_digest[] = {
-    0xcb, 0x00, 0x82, 0xc8, 0xf1, 0x97, 0xd2, 0x60,
-    0x99, 0x1b, 0xa6, 0xa4, 0x60, 0xe7, 0x6e, 0x20,
-    0x2b, 0xad, 0x27, 0xb3
+static struct dh_desc dh_desc_modp_1024 = {       
+	algo_type:  IKE_ALG_DH_GROUP,
+	algo_id:    MODP_1024_BIT, 
+	algo_next:  NULL,
+	ke_size:    1024 / BITS_PER_BYTE
 };
 
-static const hash_testvector_t sha1_hash_testvectors[] = {
-    { sizeof(sha1_short2_msg), sha1_short2_msg, sha1_short2_msg_digest },
-    { sizeof(sha1_short4_msg), sha1_short4_msg, sha1_short4_msg_digest },
-    { sizeof(sha1_long2_msg),  sha1_long2_msg,  sha1_long2_msg_digest  },
-    { 0, NULL, NULL }
+static struct dh_desc dh_desc_modp_1536 = {       
+	algo_type:  IKE_ALG_DH_GROUP,
+	algo_id:    MODP_1536_BIT, 
+	algo_next:  NULL,
+	ke_size:    1536 / BITS_PER_BYTE
 };
 
-/* SHA-1 hmac test vectors
- * from RFC 2202 "Test Cases for HMAC-MD5 and HMAC-SHA-1"
- * September 1997, P. Cheng, IBM & R. Glenn, NIST
- */
-
-static const u_char sha1_hmac1_key[] = {
-    0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
-    0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
-    0x0b, 0x0b, 0x0b, 0x0b
+static struct dh_desc dh_desc_modp_2048 = {       
+	algo_type:  IKE_ALG_DH_GROUP,
+	algo_id:    MODP_2048_BIT, 
+	algo_next:  NULL,
+	ke_size:    2048 / BITS_PER_BYTE
 };
 
-static const u_char sha1_hmac1[] = {
-    0xb6, 0x17, 0x31, 0x86, 0x55, 0x05, 0x72, 0x64,
-    0xe2, 0x8b, 0xc0, 0xb6, 0xfb, 0x37, 0x8c, 0x8e,
-    0xf1, 0x46, 0xbe, 0x00
+static struct dh_desc dh_desc_modp_3072 = {       
+	algo_type:  IKE_ALG_DH_GROUP,
+	algo_id:    MODP_3072_BIT, 
+	algo_next:  NULL,
+	ke_size:    3072 / BITS_PER_BYTE
 };
 
-static const u_char sha1_hmac2[] = {
-    0xef, 0xfc, 0xdf, 0x6a, 0xe5, 0xeb, 0x2f, 0xa2,
-    0xd2, 0x74, 0x16, 0xd5, 0xf1, 0x84, 0xdf, 0x9c,
-    0x25, 0x9a, 0x7c, 0x79
+static struct dh_desc dh_desc_modp_4096 = {       
+	algo_type:  IKE_ALG_DH_GROUP,
+	algo_id:    MODP_4096_BIT, 
+	algo_next:  NULL,
+	ke_size:    4096 / BITS_PER_BYTE
 };
 
-static const u_char sha1_hmac3_key[] = {
-    0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
-    0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
-    0xaa, 0xaa, 0xaa, 0xaa
+static struct dh_desc dh_desc_modp_6144 = {       
+	algo_type:  IKE_ALG_DH_GROUP,
+	algo_id:    MODP_6144_BIT, 
+	algo_next:  NULL,
+	ke_size:    6144 / BITS_PER_BYTE
 };
 
-static const u_char sha1_hmac3[] = {
-    0x12, 0x5d, 0x73, 0x42, 0xb9, 0xac, 0x11, 0xcd,
-    0x91, 0xa3, 0x9a, 0xf4, 0x8a, 0xa1, 0x7b, 0x4f,
-    0x63, 0xf1, 0x75, 0xd3
+static struct dh_desc dh_desc_modp_8192 = {       
+	algo_type:  IKE_ALG_DH_GROUP,
+	algo_id:    MODP_8192_BIT, 
+	algo_next:  NULL,
+	ke_size:    8192 / BITS_PER_BYTE
 };
 
-static const u_char sha1_hmac4[] = {
-    0x4c, 0x90, 0x07, 0xf4, 0x02, 0x62, 0x50, 0xc6,
-    0xbc, 0x84, 0x14, 0xf9, 0xbf, 0x50, 0xc8, 0x6c,
-    0x2d, 0x72, 0x35, 0xda
+static struct dh_desc dh_desc_ecp_256 = {       
+	algo_type:  IKE_ALG_DH_GROUP,
+	algo_id:    ECP_256_BIT, 
+	algo_next:  NULL,
+	ke_size:    2*256 / BITS_PER_BYTE
 };
 
-static const u_char sha1_hmac6[] = {
-    0xaa, 0x4a, 0xe5, 0xe1, 0x52, 0x72, 0xd0, 0x0e,
-    0x95, 0x70, 0x56, 0x37, 0xce, 0x8a, 0x3b, 0x55,
-    0xed, 0x40, 0x21, 0x12
+static struct dh_desc dh_desc_ecp_384 = {       
+	algo_type:  IKE_ALG_DH_GROUP,
+	algo_id:    ECP_384_BIT, 
+	algo_next:  NULL,
+	ke_size:    2*384 / BITS_PER_BYTE
 };
 
-static const u_char sha1_hmac7[] = {
-    0xe8, 0xe9, 0x9d, 0x0f, 0x45, 0x23, 0x7d, 0x78,
-    0x6d, 0x6b, 0xba, 0xa7, 0x96, 0x5c, 0x78, 0x08,
-    0xbb, 0xff, 0x1a, 0x91
+static struct dh_desc dh_desc_ecp_521 = {       
+	algo_type:  IKE_ALG_DH_GROUP,
+	algo_id:    ECP_521_BIT, 
+	algo_next:  NULL,
+	ke_size:    2*528 / BITS_PER_BYTE
 };
 
-static const hmac_testvector_t sha1_hmac_testvectors[] = {
-    { sizeof(sha1_hmac1_key), sha1_hmac1_key, sizeof(md5_hmac1_msg), md5_hmac1_msg, sha1_hmac1 },
-    { sizeof(md5_hmac2_key),  md5_hmac2_key,  sizeof(md5_hmac2_msg), md5_hmac2_msg, sha1_hmac2 },
-    { sizeof(sha1_hmac3_key), sha1_hmac3_key, sizeof(md5_hmac3_msg), md5_hmac3_msg, sha1_hmac3 },
-    { sizeof(md5_hmac4_key),  md5_hmac4_key,  sizeof(md5_hmac4_msg), md5_hmac4_msg, sha1_hmac4 },
-    { sizeof(md5_hmac6_key),  md5_hmac6_key,  sizeof(md5_hmac6_msg), md5_hmac6_msg, sha1_hmac6 },
-    { sizeof(md5_hmac6_key),  md5_hmac6_key,  sizeof(md5_hmac7_msg), md5_hmac7_msg, sha1_hmac7 },
-    { 0, NULL, 0, NULL, NULL }
+static struct dh_desc dh_desc_ecp_192 = {       
+	algo_type:  IKE_ALG_DH_GROUP,
+	algo_id:    ECP_192_BIT, 
+	algo_next:  NULL,
+	ke_size:    2*192 / BITS_PER_BYTE
 };
 
-static struct hash_desc crypto_hasher_sha1 =
-{ 	
-	algo_type: IKE_ALG_HASH,
-	algo_id:   OAKLEY_SHA,
-	algo_next: NULL, 
-	hash_ctx_size:    sizeof(SHA1_CTX),
-	hash_block_size:  SHA1_BLOCK_SIZE,
-	hash_digest_size: SHA1_DIGEST_SIZE,
-	hash_testvectors: sha1_hash_testvectors,
-	hmac_testvectors: sha1_hmac_testvectors,
-	hash_init: (void (*)(void *)) SHA1Init,
-	hash_update: (void (*)(void *, const u_int8_t *, size_t)) SHA1Update,
-	hash_final: (void (*)(u_char *, void *)) SHA1Final
+static struct dh_desc dh_desc_ecp_224 = {       
+	algo_type:  IKE_ALG_DH_GROUP,
+	algo_id:    ECP_224_BIT, 
+	algo_next:  NULL,
+	ke_size:    2*224 / BITS_PER_BYTE
 };
 
-void
-init_crypto(void)
+void init_crypto(void)
 {
-    if (mpz_init_set_str(&groupgenerator, MODP_GENERATOR, 10) != 0
-    || mpz_init_set_str(&modp1024_modulus, MODP1024_MODULUS, 16) != 0
-    || mpz_init_set_str(&modp1536_modulus, MODP1536_MODULUS, 16) != 0
-    || mpz_init_set_str(&modp2048_modulus, MODP2048_MODULUS, 16) != 0
-    || mpz_init_set_str(&modp3072_modulus, MODP3072_MODULUS, 16) != 0
-    || mpz_init_set_str(&modp4096_modulus, MODP4096_MODULUS, 16) != 0
-    || mpz_init_set_str(&modp6144_modulus, MODP6144_MODULUS, 16) != 0
-    || mpz_init_set_str(&modp8192_modulus, MODP8192_MODULUS, 16) != 0)
-	exit_log("mpz_init_set_str() failed in init_crypto()");
-
-    ike_alg_add((struct ike_alg *) &crypto_encryptor_3des);
-    ike_alg_add((struct ike_alg *) &crypto_hasher_sha1);
-    ike_alg_add((struct ike_alg *) &crypto_hasher_md5);
-    ike_alg_init();
-    ike_alg_test();
+	enumerator_t *enumerator;
+	encryption_algorithm_t encryption_alg;
+	hash_algorithm_t hash_alg;
+	diffie_hellman_group_t dh_group;
+	bool no_md5  = TRUE;
+	bool no_sha1 = TRUE;
+
+	enumerator = lib->crypto->create_hasher_enumerator(lib->crypto);
+	while (enumerator->enumerate(enumerator, &hash_alg))
+	{
+		const struct hash_desc *desc;
+
+		switch (hash_alg)
+		{
+			case HASH_SHA1:
+				desc = &hash_desc_sha1;
+				no_sha1 = FALSE;
+				break;
+			case HASH_SHA256:
+				desc = &hash_desc_sha2_256;
+				break;
+			case HASH_SHA384:
+				desc = &hash_desc_sha2_384;
+				break;
+			case HASH_SHA512:
+				desc = &hash_desc_sha2_512;
+				break;
+			case HASH_MD5:
+				desc = &hash_desc_md5;
+				no_md5 = FALSE;
+				break;
+			default:
+				continue;
+		}
+		ike_alg_add((struct ike_alg *)desc);
+	}
+	enumerator->destroy(enumerator);
+
+	if (no_sha1)
+	{
+		exit_log("pluto cannot run without a SHA-1 hasher");
+	}
+	if (no_md5)
+	{
+		exit_log("pluto cannot run without an MD5 hasher");
+	}
+		
+	enumerator = lib->crypto->create_crypter_enumerator(lib->crypto);
+	while (enumerator->enumerate(enumerator, &encryption_alg))
+	{
+		const struct encrypt_desc *desc;
+ 
+		switch (encryption_alg)
+		{
+			case ENCR_3DES:
+				desc = &encrypt_desc_3des;
+				break;
+			case ENCR_BLOWFISH:
+				desc = &encrypt_desc_blowfish;
+				break;
+			case ENCR_AES_CBC:
+				desc = &encrypt_desc_aes;
+				break;
+			case ENCR_TWOFISH_CBC:
+				desc = &encrypt_desc_twofish;
+				ike_alg_add((struct ike_alg *)&encrypt_desc_twofish_ssh);
+				break;
+			case ENCR_SERPENT_CBC:
+				desc = &encrypt_desc_serpent;
+				break;
+			default:
+				continue;			
+		}
+		ike_alg_add((struct ike_alg *)desc);
+	}
+	enumerator->destroy(enumerator);
+
+	enumerator = lib->crypto->create_dh_enumerator(lib->crypto);
+	while (enumerator->enumerate(enumerator, &dh_group))
+	{
+		const struct dh_desc *desc;
+
+		switch (dh_group)
+		{
+			case MODP_1024_BIT:
+				desc = &dh_desc_modp_1024;
+				break;
+			case MODP_1536_BIT:
+				desc = &dh_desc_modp_1536;
+				break;
+			case MODP_2048_BIT:
+				desc = &dh_desc_modp_2048;
+				break;
+			case MODP_3072_BIT:
+				desc = &dh_desc_modp_3072;
+				break;
+			case MODP_4096_BIT:
+				desc = &dh_desc_modp_4096;
+				break;
+			case MODP_6144_BIT:
+				desc = &dh_desc_modp_6144;
+				break;
+			case MODP_8192_BIT:
+				desc = &dh_desc_modp_8192;
+				break;
+			case ECP_256_BIT:
+				desc = &dh_desc_ecp_256;
+				break;
+			case ECP_384_BIT:
+				desc = &dh_desc_ecp_384;
+				break;
+			case ECP_521_BIT:
+				desc = &dh_desc_ecp_521;
+				break;
+			case ECP_192_BIT:
+				desc = &dh_desc_ecp_192;
+				break;
+			case ECP_224_BIT:
+				desc = &dh_desc_ecp_224;
+				break;
+			default:
+				continue;
+		}
+		ike_alg_add((struct ike_alg *)desc);
+	}
+	enumerator->destroy(enumerator);
 }
 
-/* Oakley group description
- *
- * See RFC2409 "The Internet key exchange (IKE)" 6.
- */
-
-const struct oakley_group_desc unset_group = {0, NULL, 0};	/* magic signifier */
-
-const struct oakley_group_desc oakley_group[OAKLEY_GROUP_SIZE] = {
-#   define BYTES(bits) (((bits) + BITS_PER_BYTE - 1) / BITS_PER_BYTE)
-    { OAKLEY_GROUP_MODP1024, &modp1024_modulus, BYTES(1024) },
-    { OAKLEY_GROUP_MODP1536, &modp1536_modulus, BYTES(1536) },
-    { OAKLEY_GROUP_MODP2048, &modp2048_modulus, BYTES(2048) },
-    { OAKLEY_GROUP_MODP3072, &modp3072_modulus, BYTES(3072) },
-    { OAKLEY_GROUP_MODP4096, &modp4096_modulus, BYTES(4096) },
-    { OAKLEY_GROUP_MODP6144, &modp6144_modulus, BYTES(6144) },
-    { OAKLEY_GROUP_MODP8192, &modp8192_modulus, BYTES(8192) },
-#   undef BYTES
-};
-
-const struct oakley_group_desc *
-lookup_group(u_int16_t group)
+void free_crypto(void)
 {
-    int i;
-
-    for (i = 0; i != elemsof(oakley_group); i++)
-	if (group == oakley_group[i].group)
-	    return &oakley_group[i];
-    return NULL;
+	/* currently nothing to do */
 }
 
-/* Encryption Routines
- *
- * Each uses and updates the state object's st_new_iv.
- * This must already be initialized.
+/**
+ * Converts IKEv1 encryption algorithm name to crypter name
  */
+encryption_algorithm_t oakley_to_encryption_algorithm(int alg)
+{
+	switch (alg)
+	{
+		case OAKLEY_DES_CBC:
+			return ENCR_DES;
+		case OAKLEY_IDEA_CBC:
+			return ENCR_IDEA; 
+		case OAKLEY_BLOWFISH_CBC:
+			return ENCR_BLOWFISH;
+		case OAKLEY_RC5_R16_B64_CBC:
+			return ENCR_RC5;
+		case OAKLEY_3DES_CBC:
+			return ENCR_3DES;
+		case OAKLEY_CAST_CBC:
+			return ENCR_CAST;
+		case OAKLEY_AES_CBC:
+			return ENCR_AES_CBC;
+		case OAKLEY_SERPENT_CBC:
+			return ENCR_SERPENT_CBC;
+		case OAKLEY_TWOFISH_CBC:
+		case OAKLEY_TWOFISH_CBC_SSH:
+			return ENCR_TWOFISH_CBC;
+		default:
+			return ENCR_UNDEFINED;
+	}
+}
 
-/* encrypt or decrypt part of an IKE message using DES
- * See RFC 2409 "IKE" Appendix B
+/**
+ * Converts IKEv1 hash algorithm name to hasher name
  */
-static void __attribute__ ((unused))
-do_des(bool enc, void *buf, size_t buf_len, struct state *st)
+hash_algorithm_t oakley_to_hash_algorithm(int alg)
 {
-    des_key_schedule ks;
-
-    (void) des_set_key((des_cblock *)st->st_enc_key.ptr, ks);
-
-    passert(st->st_new_iv_len >= DES_CBC_BLOCK_SIZE);
-    st->st_new_iv_len = DES_CBC_BLOCK_SIZE;	/* truncate */
-
-    des_ncbc_encrypt((des_cblock *)buf, (des_cblock *)buf, buf_len,
-	ks,
-	(des_cblock *)st->st_new_iv, enc);
+	switch (alg)
+	{
+		case OAKLEY_MD5:
+			return HASH_MD5;
+		case OAKLEY_SHA:
+			return HASH_SHA1;
+		case OAKLEY_SHA2_256:
+			return HASH_SHA256;
+		case OAKLEY_SHA2_384:
+			return HASH_SHA384;
+		case OAKLEY_SHA2_512:
+			return HASH_SHA512;
+		default:
+			return HASH_UNKNOWN;
+	}
 }
 
-/* encrypt or decrypt part of an IKE message using 3DES
- * See RFC 2409 "IKE" Appendix B
+/**
+ * Converts IKEv1 hash algorithm name to IKEv2 prf name
  */
-static void
-do_3des(u_int8_t *buf, size_t buf_len, u_int8_t *key, size_t key_size, u_int8_t *iv, bool enc)
+pseudo_random_function_t oakley_to_prf(int alg)
 {
-    des_key_schedule ks[3];
-
-    passert (!key_size || (key_size==(DES_CBC_BLOCK_SIZE * 3)))
-    (void) des_set_key((des_cblock *)key + 0, ks[0]);
-    (void) des_set_key((des_cblock *)key + 1, ks[1]);
-    (void) des_set_key((des_cblock *)key + 2, ks[2]);
-
-    des_ede3_cbc_encrypt((des_cblock *)buf, (des_cblock *)buf, buf_len,
-	ks[0], ks[1], ks[2],
-	(des_cblock *)iv, enc);
+	switch (alg)
+	{
+		case OAKLEY_MD5:
+			return PRF_HMAC_MD5;
+		case OAKLEY_SHA:
+			return PRF_HMAC_SHA1;
+		case OAKLEY_SHA2_256:
+			return PRF_HMAC_SHA2_256;
+		case OAKLEY_SHA2_384:
+			return PRF_HMAC_SHA2_384;
+		case OAKLEY_SHA2_512:
+			return PRF_HMAC_SHA2_512;
+		default:
+			return PRF_UNDEFINED;
+	}
 }
 
-/* hash and prf routines */
-void
-crypto_cbc_encrypt(const struct encrypt_desc *e, bool enc, u_int8_t *buf, size_t size, struct state *st)
+/**
+ * Maps IKEv1 authentication method to IKEv2 signature scheme
+ */
+signature_scheme_t oakley_to_signature_scheme(int method)
 {
-    passert(st->st_new_iv_len >= e->enc_blocksize);
-    st->st_new_iv_len = e->enc_blocksize;	/* truncate */
-
-    e->do_crypt(buf, size, st->st_enc_key.ptr, st->st_enc_key.len, st->st_new_iv, enc);
-    /*
-    e->set_key(&ctx, st->st_enc_key.ptr, st->st_enc_key.len);
-    e->cbc_crypt(&ctx, buf, size, st->st_new_iv, enc);
-    */
+	switch (method)
+	{
+		case OAKLEY_RSA_SIG:
+		case XAUTHInitRSA:
+		case XAUTHRespRSA:
+			return SIGN_RSA_EMSA_PKCS1_NULL;
+		case OAKLEY_ECDSA_256:
+		case OAKLEY_ECDSA_384:
+		case OAKLEY_ECDSA_521:
+			return SIGN_ECDSA_WITH_NULL;
+		default:
+			return SIGN_UNKNOWN;
+	}
 }
 
-/* HMAC package
- * rfc2104.txt specifies how HMAC works.
+/**
+ * Converts IKEv2 encryption to IKEv1 encryption algorithm
  */
-
-void
-hmac_init(struct hmac_ctx *ctx,
-    const struct hash_desc *h,
-    const u_char *key, size_t key_len)
+int oakley_from_encryption_algorithm(encryption_algorithm_t alg)
 {
-    int k;
-
-    ctx->h = h;
-    ctx->hmac_digest_size = h->hash_digest_size;
-
-    /* Prepare the two pads for the HMAC */
-
-    memset(ctx->buf1, '\0', h->hash_block_size);
-
-    if (key_len <= h->hash_block_size)
-    {
-	memcpy(ctx->buf1, key, key_len);
-    }
-    else
-    {
-	h->hash_init(&ctx->hash_ctx);
-	h->hash_update(&ctx->hash_ctx, key, key_len);
-	h->hash_final(ctx->buf1, &ctx->hash_ctx);
-    }
-
-    memcpy(ctx->buf2, ctx->buf1, h->hash_block_size);
-
-    for (k = 0; k < h->hash_block_size; k++)
-    {
-	ctx->buf1[k] ^= HMAC_IPAD;
-	ctx->buf2[k] ^= HMAC_OPAD;
-    }
-
-    hmac_reinit(ctx);
+	switch (alg)
+	{
+		case ENCR_DES:
+			return OAKLEY_DES_CBC;
+		case ENCR_3DES:
+			return OAKLEY_3DES_CBC;
+		case ENCR_RC5:
+			return OAKLEY_RC5_R16_B64_CBC;
+		case ENCR_IDEA:
+			return OAKLEY_IDEA_CBC;
+		case ENCR_CAST:
+			return OAKLEY_CAST_CBC;
+		case ENCR_BLOWFISH:
+			return OAKLEY_BLOWFISH_CBC;
+		case ENCR_AES_CBC:
+			return OAKLEY_AES_CBC;
+		case ENCR_CAMELLIA_CBC:
+			return OAKLEY_CAMELLIA_CBC;
+		case ENCR_SERPENT_CBC:
+			return OAKLEY_SERPENT_CBC;
+    	case ENCR_TWOFISH_CBC:
+			return OAKLEY_TWOFISH_CBC;
+		default:
+			return 0;
+	}
 }
 
-void
-hmac_reinit(struct hmac_ctx *ctx)
+/**
+ * Converts IKEv2 integrity to IKEv1 hash algorithm
+ */
+int oakley_from_integrity_algorithm(integrity_algorithm_t alg)
 {
-    ctx->h->hash_init(&ctx->hash_ctx);
-    ctx->h->hash_update(&ctx->hash_ctx, ctx->buf1, ctx->h->hash_block_size);
+	switch (alg)
+	{
+		case AUTH_HMAC_MD5_96:
+			return OAKLEY_MD5;
+		case AUTH_HMAC_SHA1_96:
+			return OAKLEY_SHA;
+		case AUTH_HMAC_SHA2_256_128:
+			return OAKLEY_SHA2_256;
+		case AUTH_HMAC_SHA2_384_192:
+			return OAKLEY_SHA2_384;
+		case AUTH_HMAC_SHA2_512_256:
+			return OAKLEY_SHA2_512;
+		default:
+			return 0;
+	}
 }
 
-void
-hmac_update(struct hmac_ctx *ctx,
-    const u_char *data, size_t data_len)
+/**
+ * Converts IKEv2 encryption to IKEv1 ESP encryption algorithm
+ */
+int esp_from_encryption_algorithm(encryption_algorithm_t alg)
 {
-    ctx->h->hash_update(&ctx->hash_ctx, data, data_len);
+	switch (alg)
+	{
+		case ENCR_DES:
+			return ESP_DES;
+		case ENCR_3DES:
+			return ESP_3DES;
+		case ENCR_RC5:
+			return ESP_RC5;
+		case ENCR_IDEA:
+			return ESP_IDEA;
+		case ENCR_CAST:
+			return ESP_CAST;
+		case ENCR_BLOWFISH:
+			return ESP_BLOWFISH;
+		case ENCR_NULL:
+			return ESP_NULL;
+		case ENCR_AES_CBC:
+			return ESP_AES;
+		case ENCR_AES_CTR:
+			return ESP_AES_CTR;
+		case ENCR_AES_CCM_ICV8:
+			return ESP_AES_CCM_8;
+		case ENCR_AES_CCM_ICV12:
+			return ESP_AES_CCM_12;
+		case ENCR_AES_CCM_ICV16:
+			return ESP_AES_CCM_16;
+		case ENCR_AES_GCM_ICV8:
+			return ESP_AES_GCM_8;
+		case ENCR_AES_GCM_ICV12:
+			return ESP_AES_GCM_12;
+		case ENCR_AES_GCM_ICV16:
+			return ESP_AES_GCM_16;
+		case ENCR_CAMELLIA_CBC:
+			return ESP_CAMELLIA;
+		case ENCR_SERPENT_CBC:
+			return ESP_SERPENT;
+    	case ENCR_TWOFISH_CBC:
+			return ESP_TWOFISH;
+		default:
+			return 0;
+	}
 }
 
-void
-hmac_final(u_char *output, struct hmac_ctx *ctx)
+/**
+ * Converts IKEv2 integrity to IKEv1 ESP authentication algorithm
+ */
+int esp_from_integrity_algorithm(integrity_algorithm_t alg)
 {
-    const struct hash_desc *h = ctx->h;
-
-    h->hash_final(output, &ctx->hash_ctx);
-
-    h->hash_init(&ctx->hash_ctx);
-    h->hash_update(&ctx->hash_ctx, ctx->buf2, h->hash_block_size);
-    h->hash_update(&ctx->hash_ctx, output, h->hash_digest_size);
-    h->hash_final(output, &ctx->hash_ctx);
+	switch (alg)
+	{
+		case AUTH_HMAC_MD5_96:
+			return AUTH_ALGORITHM_HMAC_MD5;
+		case AUTH_HMAC_SHA1_96:
+			return AUTH_ALGORITHM_HMAC_SHA1;
+		case AUTH_AES_XCBC_96:
+			return AUTH_ALGORITHM_AES_XCBC_MAC;
+		case AUTH_HMAC_SHA2_256_128:
+			return AUTH_ALGORITHM_HMAC_SHA2_256;
+		case AUTH_HMAC_SHA2_384_192:
+			return AUTH_ALGORITHM_HMAC_SHA2_384;
+		case AUTH_HMAC_SHA2_512_256:
+			return AUTH_ALGORITHM_HMAC_SHA2_512;
+		default:
+			return 0;
+	}
 }
diff --git a/src/pluto/crypto.h b/src/pluto/crypto.h
index e773d86df..06c4e1d1a 100644
--- a/src/pluto/crypto.h
+++ b/src/pluto/crypto.h
@@ -10,31 +10,20 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: crypto.h 3252 2007-10-06 21:24:50Z andreas $
  */
 
-#include <gmp.h>    /* GNU MP library */
+#include <crypto/crypters/crypter.h>
+#include <crypto/signers/signer.h>
+#include <crypto/hashers/hasher.h>
+#include <crypto/prfs/prf.h>
+#include <credentials/keys/public_key.h>
 
-#include "libsha2/sha2.h"
 #include "ike_alg.h"
 
 extern void init_crypto(void);
+extern void free_crypto(void);
 
-/* Oakley group descriptions */
-
-extern MP_INT groupgenerator;	/* MODP group generator (2) */
-
-struct oakley_group_desc {
-    u_int16_t group;
-    MP_INT *modulus;
-    size_t bytes;
-};
-
-extern const struct oakley_group_desc unset_group;	/* magic signifier */
-extern const struct oakley_group_desc *lookup_group(u_int16_t group);
-#define OAKLEY_GROUP_SIZE 7
-extern const struct oakley_group_desc oakley_group[OAKLEY_GROUP_SIZE];
+extern const struct dh_desc unset_group;      /* magic signifier */
 
 /* unification of cryptographic encoding/decoding algorithms
  * The IV is taken from and returned to st->st_new_iv.
@@ -46,63 +35,23 @@ extern const struct oakley_group_desc oakley_group[OAKLEY_GROUP_SIZE];
 #define MAX_OAKLEY_KEY_LEN0  (3 * DES_CBC_BLOCK_SIZE)
 #define MAX_OAKLEY_KEY_LEN  (256/BITS_PER_BYTE)
 
-struct state;	/* forward declaration, dammit */
+struct state;   /* forward declaration, dammit */
 
-void crypto_cbc_encrypt(const struct encrypt_desc *e, bool enc, u_int8_t *buf, size_t size, struct state *st);
-
-#define update_iv(st)	memcpy((st)->st_iv, (st)->st_new_iv \
-    , (st)->st_iv_len = (st)->st_new_iv_len)
+#define update_iv(st)   memcpy((st)->st_iv, (st)->st_new_iv \
+	, (st)->st_iv_len = (st)->st_new_iv_len)
 
 #define set_ph1_iv(st, iv) \
-    passert((st)->st_ph1_iv_len <= sizeof((st)->st_ph1_iv)); \
-    memcpy((st)->st_ph1_iv, (iv), (st)->st_ph1_iv_len);
+	passert((st)->st_ph1_iv_len <= sizeof((st)->st_ph1_iv)); \
+	memcpy((st)->st_ph1_iv, (iv), (st)->st_ph1_iv_len);
 
 /* unification of cryptographic hashing mechanisms */
 
-#ifndef NO_HASH_CTX
-union hash_ctx {
-	MD5_CTX ctx_md5;
-	SHA1_CTX ctx_sha1;
-	sha256_context ctx_sha256;
-	sha512_context ctx_sha512;
-    };
-
-/* HMAC package
- * Note that hmac_ctx can be (and is) copied since there are
- * no persistent pointers into it.
- */
-
-struct hmac_ctx {
-    const struct hash_desc *h;	/* underlying hash function */
-    size_t hmac_digest_size;	/* copy of h->hash_digest_size */
-    union hash_ctx hash_ctx;	/* ctx for hash function */
-    u_char buf1[MAX_HASH_BLOCK_SIZE];
-    u_char buf2[MAX_HASH_BLOCK_SIZE];
-    };
-
-extern void hmac_init(
-    struct hmac_ctx *ctx,
-    const struct hash_desc *h,
-    const u_char *key,
-    size_t key_len);
-
-#define hmac_init_chunk(ctx, h, ch) hmac_init((ctx), (h), (ch).ptr, (ch).len)
-
-extern void hmac_reinit(struct hmac_ctx *ctx);	/* saves recreating pads */
-
-extern void hmac_update(
-    struct hmac_ctx *ctx,
-    const u_char *data,
-    size_t data_len);
-
-#define hmac_update_chunk(ctx, ch) hmac_update((ctx), (ch).ptr, (ch).len)
-
-extern void hmac_final(u_char *output, struct hmac_ctx *ctx);
+extern encryption_algorithm_t oakley_to_encryption_algorithm(int alg);
+extern hash_algorithm_t oakley_to_hash_algorithm(int alg);
+extern pseudo_random_function_t oakley_to_prf(int alg);
+extern signature_scheme_t oakley_to_signature_scheme(int method);
+extern int oakley_from_encryption_algorithm(encryption_algorithm_t alg);
+extern int oakley_from_integrity_algorithm(integrity_algorithm_t alg);
+extern int esp_from_encryption_algorithm(encryption_algorithm_t alg);
+extern int esp_from_integrity_algorithm(integrity_algorithm_t alg);
 
-#define hmac_final_chunk(ch, name, ctx) { \
-	pfreeany((ch).ptr); \
-	(ch).len = (ctx)->hmac_digest_size; \
-	(ch).ptr = alloc_bytes((ch).len, name); \
-	hmac_final((ch).ptr, (ctx)); \
-    }
-#endif
diff --git a/src/pluto/db_ops.c b/src/pluto/db_ops.c
index 993baf53e..4ba4fa324 100644
--- a/src/pluto/db_ops.c
+++ b/src/pluto/db_ops.c
@@ -10,8 +10,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: db_ops.c 3252 2007-10-06 21:24:50Z andreas $
  */
 
 /* 
@@ -31,22 +29,22 @@
  *               also update attrs_cur (by offset)
  *
  * db_context structure:
- * 	+---------------------+
- *	|  prop               |
- *	|    .protoid         |
- *	|    .trans           | --+
- *	|    .trans_cnt       |   |
- *	+---------------------+ <-+
- *	|  trans0             | ----> { trans#1 | ... | trans#i | ...   }
- *	+---------------------+                       ^
- *	|  trans_cur          | ----------------------' current transf.
- *	+---------------------+
- *	|  attrs0             | ----> { attr#1 | ... | attr#j | ...  }
- *	+---------------------+                      ^
- *	|  attrs_cur          | ---------------------' current attr.
- *	+---------------------+
- *	| max_trans,max_attrs |  max_trans/attrs: number of elem. of each vector
- *	+---------------------+
+ *      +---------------------+
+ *      |  prop               |
+ *      |    .protoid         |
+ *      |    .trans           | --+
+ *      |    .trans_cnt       |   |
+ *      +---------------------+ <-+
+ *      |  trans0             | ----> { trans#1 | ... | trans#i | ...   }
+ *      +---------------------+                       ^
+ *      |  trans_cur          | ----------------------' current transf.
+ *      +---------------------+
+ *      |  attrs0             | ----> { attr#1 | ... | attr#j | ...  }
+ *      +---------------------+                      ^
+ *      |  attrs_cur          | ---------------------' current attr.
+ *      +---------------------+
+ *      | max_trans,max_attrs |  max_trans/attrs: number of elem. of each vector
+ *      +---------------------+
  *
  * See testing examples at end for interface usage.
  */
@@ -69,50 +67,31 @@
 
 #include <assert.h>
 
-#ifndef NO_PLUTO
-#else
-#define passert(x) assert(x)
-extern int debug;	/* eg: spi.c */
-#define DBG(cond, action)   { if (debug) { action ; } }
-#define DBG_log(x, args...) fprintf(stderr, x "\n" , ##args);
-#define alloc_thing(thing, name) alloc_bytes(sizeof (thing), name)
-void * alloc_bytes(size_t size, const char *name) {
-	void *p=malloc(size);
-        if (p == NULL)
-		fprintf(stderr, "unable to malloc %lu bytes for %s",
-			(unsigned long) size, name);
-	memset(p, '\0', size);
-	return p;
-}
-#define pfreeany(ptr) free(ptr)
-
-#endif
-
 #ifdef NOT_YET
 /*
- * 	Allocator cache:
- * 	Because of the single-threaded nature of pluto/spdb.c, 
- * 	alloc()/free() is exercised many times with very small
- * 	lifetime objects.
- * 	Just caching last object (currently it will select the
- * 	largest) will avoid this allocation mas^Wperturbations
+ *      Allocator cache:
+ *      Because of the single-threaded nature of pluto/spdb.c, 
+ *      alloc()/free() is exercised many times with very small
+ *      lifetime objects.
+ *      Just caching last object (currently it will select the
+ *      largest) will avoid this allocation mas^Wperturbations
  *
  */
 struct db_ops_alloc_cache {
-	void *ptr;
-	int size;
+		void *ptr;
+		int size;
 };
 #endif
 
 #ifndef NO_DB_OPS_STATS
-/* 	
- * 	stats: do account for allocations 	
- * 	displayed in db_ops_show_status() 
+/*      
+ *      stats: do account for allocations       
+ *      displayed in db_ops_show_status() 
  */
 struct db_ops_stats {
-	int st_curr_cnt;	/* current number of allocations */
-	int st_total_cnt;	/* total allocations so far */
-	size_t st_maxsz;	/* max. size requested */
+		int st_curr_cnt;        /* current number of allocations */
+		int st_total_cnt;       /* total allocations so far */
+		size_t st_maxsz;        /* max. size requested */
 };
 #define DB_OPS_ZERO { 0, 0, 0};
 #define DB_OPS_STATS_DESC   "{curr_cnt, total_cnt, maxsz}"
@@ -121,239 +100,233 @@ struct db_ops_stats {
 static struct db_ops_stats db_context_st = DB_OPS_ZERO;
 static struct db_ops_stats db_trans_st = DB_OPS_ZERO;
 static struct db_ops_stats db_attrs_st = DB_OPS_ZERO;
-static __inline__ void * alloc_bytes_st (size_t size, const char *str, struct db_ops_stats *st) 
+static __inline__ void *malloc_bytes_st(size_t size, struct db_ops_stats *st) 
 {
-	void *ptr = alloc_bytes(size, str);
-	if (ptr)  {
-		st->st_curr_cnt++;
-		st->st_total_cnt++;
-		if (size > st->st_maxsz) st->st_maxsz=size;
-	}	
-	return ptr;
+		void *ptr = malloc(size);
+		if (ptr)
+		{
+				st->st_curr_cnt++;
+				st->st_total_cnt++;
+				if (size > st->st_maxsz) st->st_maxsz=size;
+		}       
+		return ptr;
 }
-#define ALLOC_BYTES_ST(z,s,st) alloc_bytes_st(z, s, &st);
-#define PFREE_ST(p,st)         do { st.st_curr_cnt--; pfree(p);  } while (0);
+#define ALLOC_BYTES_ST(z,st) malloc_bytes_st(z, &st);
+#define PFREE_ST(p,st)         do { st.st_curr_cnt--; free(p);  } while (0);
 
 #else
 
-#define ALLOC_BYTES_ST(z,s,n) alloc_bytes(z, s);
-#define PFREE_ST(p,n)         pfree(p);
+#define ALLOC_BYTES_ST(z,n) malloc(z);
+#define PFREE_ST(p,n)         free(p);
 
 #endif /* NO_DB_OPS_STATS */
-/*	Initialize db object
- *	max_trans and max_attrs can be 0, will be dynamically expanded
- *	as a result of "add" operations
+/*      Initialize db object
+ *      max_trans and max_attrs can be 0, will be dynamically expanded
+ *      as a result of "add" operations
  */
 int
 db_prop_init(struct db_context *ctx, u_int8_t protoid, int max_trans, int max_attrs) 
 {
-	int ret=-1;
+		ctx->trans0 = NULL;
+		ctx->attrs0 = NULL;
 
-	ctx->trans0 = NULL;
-	ctx->attrs0 = NULL;
+		if (max_trans > 0) { /* quite silly if not */
+				ctx->trans0 = ALLOC_BYTES_ST ( sizeof(struct db_trans) * max_trans, 
+								db_trans_st);
+				memset(ctx->trans0, '\0', sizeof(struct db_trans) * max_trans);
+		}
 
-	if (max_trans > 0) { /* quite silly if not */
-		ctx->trans0 = ALLOC_BYTES_ST ( sizeof (struct db_trans) * max_trans, 
-			"db_context->trans", db_trans_st);
-		if (!ctx->trans0) goto out;
-	}
+		if (max_attrs > 0) { /* quite silly if not */
+				ctx->attrs0 = ALLOC_BYTES_ST (sizeof(struct db_attr) * max_attrs,
+								db_attrs_st);
+				memset(ctx->attrs0, '\0', sizeof(struct db_attr) * max_attrs);
+		}
 
-	if (max_attrs > 0) { /* quite silly if not */
-		ctx->attrs0 = ALLOC_BYTES_ST (sizeof (struct db_attr) * max_attrs,
-				"db_context->attrs", db_attrs_st);
-		if (!ctx->attrs0) goto out;
-	}
-	ret = 0;
-out:
-	if (ret < 0 && ctx->trans0) {
-		PFREE_ST(ctx->trans0, db_trans_st);
-		ctx->trans0 = NULL;
-	}
-	ctx->max_trans = max_trans;
-	ctx->max_attrs = max_attrs;
-	ctx->trans_cur = ctx->trans0;
-	ctx->attrs_cur = ctx->attrs0;
-	ctx->prop.protoid = protoid;
-	ctx->prop.trans = ctx->trans0;
-	ctx->prop.trans_cnt = 0;
-	return ret;
+		ctx->max_trans = max_trans;
+		ctx->max_attrs = max_attrs;
+		ctx->trans_cur = ctx->trans0;
+		ctx->attrs_cur = ctx->attrs0;
+		ctx->prop.protoid = protoid;
+		ctx->prop.trans = ctx->trans0;
+		ctx->prop.trans_cnt = 0;
+		return 0;
 }
 
-/*	Expand storage for transforms by number delta_trans */
+/*      Expand storage for transforms by number delta_trans */
 static int
 db_trans_expand(struct db_context *ctx, int delta_trans)
 {
-	int ret = -1;
-	struct db_trans *new_trans, *old_trans;
-	int max_trans = ctx->max_trans + delta_trans;
-	int offset;
+		int ret = -1;
+		struct db_trans *new_trans, *old_trans;
+		int max_trans = ctx->max_trans + delta_trans;
+		int offset;
 
-	old_trans = ctx->trans0;
-	new_trans = ALLOC_BYTES_ST ( sizeof (struct db_trans) * max_trans, 
-			"db_context->trans (expand)", db_trans_st);
-	if (!new_trans)
-		goto out;
-	memcpy(new_trans, old_trans, ctx->max_trans * sizeof(struct db_trans));
-	
-	/* update trans0 (obviously) */
-	ctx->trans0 = ctx->prop.trans = new_trans;
-	/* update trans_cur (by offset) */
-	offset = (char *)(new_trans) - (char *)(old_trans);
+		old_trans = ctx->trans0;
+		new_trans = ALLOC_BYTES_ST ( sizeof (struct db_trans) * max_trans, 
+						db_trans_st);
+		if (!new_trans)
+				goto out;
+		memcpy(new_trans, old_trans, ctx->max_trans * sizeof(struct db_trans));
+		
+		/* update trans0 (obviously) */
+		ctx->trans0 = ctx->prop.trans = new_trans;
+		/* update trans_cur (by offset) */
+		offset = (char *)(new_trans) - (char *)(old_trans);
 
-	{
-	  char *cctx = (char *)(ctx->trans_cur);
-	  
-	  cctx += offset;
-	  ctx->trans_cur = (struct db_trans *)cctx;
-	}
-	/* update elem count */
-	ctx->max_trans = max_trans;
-	PFREE_ST(old_trans, db_trans_st);
-	ret = 0;
+		{
+		  char *cctx = (char *)(ctx->trans_cur);
+		
+		  cctx += offset;
+		  ctx->trans_cur = (struct db_trans *)cctx;
+		}
+		/* update elem count */
+		ctx->max_trans = max_trans;
+		PFREE_ST(old_trans, db_trans_st);
+		ret = 0;
 out:
-	return ret;
+		return ret;
 }
-/*	
- *	Expand storage for attributes by delta_attrs number AND
- *	rewrite trans->attr pointers
+/*      
+ *      Expand storage for attributes by delta_attrs number AND
+ *      rewrite trans->attr pointers
  */
 static int
 db_attrs_expand(struct db_context *ctx, int delta_attrs)
 {
-	int ret = -1;
-	struct db_attr *new_attrs, *old_attrs;
-	struct db_trans *t;
-	int ti;
-	int max_attrs = ctx->max_attrs + delta_attrs;
-	int offset;
+		int ret = -1;
+		struct db_attr *new_attrs, *old_attrs;
+		struct db_trans *t;
+		int ti;
+		int max_attrs = ctx->max_attrs + delta_attrs;
+		int offset;
+
+		old_attrs = ctx->attrs0;
+		new_attrs = ALLOC_BYTES_ST ( sizeof (struct db_attr) * max_attrs, 
+						db_attrs_st);
+		if (!new_attrs)
+				goto out;
 
-	old_attrs = ctx->attrs0;
-	new_attrs = ALLOC_BYTES_ST ( sizeof (struct db_attr) * max_attrs, 
-			"db_context->attrs (expand)", db_attrs_st);
-	if (!new_attrs)
-		goto out;
+		memcpy(new_attrs, old_attrs, ctx->max_attrs * sizeof(struct db_attr));
+		
+		/* update attrs0 and attrs_cur (obviously) */
+		offset = (char *)(new_attrs) - (char *)(old_attrs);
+		
+		{
+		  char *actx = (char *)(ctx->attrs0);
+		
+		  actx += offset;
+		  ctx->attrs0 = (struct db_attr *)actx;
+		
+		  actx = (char *)ctx->attrs_cur;
+		  actx += offset;
+		  ctx->attrs_cur = (struct db_attr *)actx;
+		}
 
-	memcpy(new_attrs, old_attrs, ctx->max_attrs * sizeof(struct db_attr));
-	
-	/* update attrs0 and attrs_cur (obviously) */
-	offset = (char *)(new_attrs) - (char *)(old_attrs);
-	
-	{
-	  char *actx = (char *)(ctx->attrs0);
-	  
-	  actx += offset;
-	  ctx->attrs0 = (struct db_attr *)actx;
-	  
-	  actx = (char *)ctx->attrs_cur;
-	  actx += offset;
-	  ctx->attrs_cur = (struct db_attr *)actx;
-	}
+		/* for each transform, rewrite attrs pointer by offsetting it */
+		for (t=ctx->prop.trans, ti=0; ti < ctx->prop.trans_cnt; t++, ti++) {
+				char *actx = (char *)(t->attrs);
 
-	/* for each transform, rewrite attrs pointer by offsetting it */
-	for (t=ctx->prop.trans, ti=0; ti < ctx->prop.trans_cnt; t++, ti++) {
-		char *actx = (char *)(t->attrs);
- 
-		actx += offset;
-		t->attrs = (struct db_attr *)actx;
-	}
-	/* update elem count */
-	ctx->max_attrs = max_attrs;
-	PFREE_ST(old_attrs, db_attrs_st);
-	ret = 0;
+				actx += offset;
+				t->attrs = (struct db_attr *)actx;
+		}
+		/* update elem count */
+		ctx->max_attrs = max_attrs;
+		PFREE_ST(old_attrs, db_attrs_st);
+		ret = 0;
 out:
-	return ret;
+		return ret;
 }
-/*	Allocate a new db object */
+/*      Allocate a new db object */
 struct db_context * 
 db_prop_new(u_int8_t protoid, int max_trans, int max_attrs) 
 {
-	struct db_context *ctx;
-	ctx = ALLOC_BYTES_ST ( sizeof (struct db_context), "db_context", db_context_st);
-	if (!ctx) goto out;
-	
-	if (db_prop_init(ctx, protoid, max_trans, max_attrs) < 0) {
-		PFREE_ST(ctx, db_context_st);
-		ctx=NULL;
-	}
+		struct db_context *ctx;
+		ctx = ALLOC_BYTES_ST ( sizeof (struct db_context), db_context_st);
+		if (!ctx) goto out;
+		
+		if (db_prop_init(ctx, protoid, max_trans, max_attrs) < 0) {
+				PFREE_ST(ctx, db_context_st);
+				ctx=NULL;
+		}
 out:
-	return ctx;
+		return ctx;
 }
-/*	Free a db object */
+/*      Free a db object */
 void
 db_destroy(struct db_context *ctx)
 {
-	if (ctx->trans0) PFREE_ST(ctx->trans0, db_trans_st);
-	if (ctx->attrs0) PFREE_ST(ctx->attrs0, db_attrs_st);
-	PFREE_ST(ctx, db_context_st);
+		if (ctx->trans0) PFREE_ST(ctx->trans0, db_trans_st);
+		if (ctx->attrs0) PFREE_ST(ctx->attrs0, db_attrs_st);
+		PFREE_ST(ctx, db_context_st);
 }
-/*	Start a new transform, expand trans0 is needed */
+/*      Start a new transform, expand trans0 is needed */
 int
 db_trans_add(struct db_context *ctx, u_int8_t transid)
 {
-	/*	skip incrementing current trans pointer the 1st time*/
-	if (ctx->trans_cur && ctx->trans_cur->attr_cnt)
-		ctx->trans_cur++;
-	/*	
-	 *	Strategy: if more space is needed, expand by 
-	 *	          <current_size>/2 + 1
-	 *
-	 *	This happens to produce a "reasonable" sequence
-	 *	after few allocations, eg.:
-	 *	0,1,2,4,8,13,20,31,47
-	 */
-	if ((ctx->trans_cur - ctx->trans0) >= ctx->max_trans) {
-		/* XXX:jjo if fails should shout and flag it */
-		if (db_trans_expand(ctx, ctx->max_trans/2 + 1)<0)
-			return -1;
-	}
-	ctx->trans_cur->transid = transid;
-	ctx->trans_cur->attrs=ctx->attrs_cur;
-	ctx->trans_cur->attr_cnt = 0;
-	ctx->prop.trans_cnt++;
-	return 0;
+		/*      skip incrementing current trans pointer the 1st time*/
+		if (ctx->trans_cur && ctx->trans_cur->attr_cnt)
+				ctx->trans_cur++;
+		/*      
+		 *      Strategy: if more space is needed, expand by 
+		 *                <current_size>/2 + 1
+		 *
+		 *      This happens to produce a "reasonable" sequence
+		 *      after few allocations, eg.:
+		 *      0,1,2,4,8,13,20,31,47
+		 */
+		if ((ctx->trans_cur - ctx->trans0) >= ctx->max_trans) {
+				/* XXX:jjo if fails should shout and flag it */
+				if (db_trans_expand(ctx, ctx->max_trans/2 + 1)<0)
+						return -1;
+		}
+		ctx->trans_cur->transid = transid;
+		ctx->trans_cur->attrs=ctx->attrs_cur;
+		ctx->trans_cur->attr_cnt = 0;
+		ctx->prop.trans_cnt++;
+		return 0;
 }
-/*	Add attr copy to current transform, expanding attrs0 if needed */
+/*      Add attr copy to current transform, expanding attrs0 if needed */
 int
 db_attr_add(struct db_context *ctx, const struct db_attr *a) 
 {
-	/*	
-	 *	Strategy: if more space is needed, expand by 
-	 *	          <current_size>/2 + 1
-	 */
-	if ((ctx->attrs_cur - ctx->attrs0) >= ctx->max_attrs) {
-		/* XXX:jjo if fails should shout and flag it */
-		if (db_attrs_expand(ctx, ctx->max_attrs/2 + 1) < 0)
-			return -1;
-	}
-	*ctx->attrs_cur++=*a;
-	ctx->trans_cur->attr_cnt++;
-	return 0;
+		/*      
+		 *      Strategy: if more space is needed, expand by 
+		 *                <current_size>/2 + 1
+		 */
+		if ((ctx->attrs_cur - ctx->attrs0) >= ctx->max_attrs) {
+				/* XXX:jjo if fails should shout and flag it */
+				if (db_attrs_expand(ctx, ctx->max_attrs/2 + 1) < 0)
+						return -1;
+		}
+		*ctx->attrs_cur++=*a;
+		ctx->trans_cur->attr_cnt++;
+		return 0;
 }
-/*	Add attr copy (by value) to current transform, 
- *	expanding attrs0 if needed, just calls db_attr_add().
+/*      Add attr copy (by value) to current transform, 
+ *      expanding attrs0 if needed, just calls db_attr_add().
  */
 int
 db_attr_add_values(struct db_context *ctx,  u_int16_t type, u_int16_t val)
 {
-	struct db_attr attr;
-	attr.type = type;
-	attr.val = val;
-	return db_attr_add (ctx, &attr);
+		struct db_attr attr;
+		attr.type = type;
+		attr.val = val;
+		return db_attr_add (ctx, &attr);
 }
 #ifndef NO_DB_OPS_STATS
 int
 db_ops_show_status(void)
 {
-	whack_log(RC_COMMENT, "stats " __FILE__ ": " 
-			DB_OPS_STATS_DESC " :"
-			DB_OPS_STATS_STR("context")
-			DB_OPS_STATS_STR("trans")
-			DB_OPS_STATS_STR("attrs"),
-			DB_OPS_STATS_F(db_context_st),
-			DB_OPS_STATS_F(db_trans_st),
-			DB_OPS_STATS_F(db_attrs_st)
-			);
-	return 0;
+		whack_log(RC_COMMENT, "stats " __FILE__ ": " 
+						DB_OPS_STATS_DESC " :"
+						DB_OPS_STATS_STR("context")
+						DB_OPS_STATS_STR("trans")
+						DB_OPS_STATS_STR("attrs"),
+						DB_OPS_STATS_F(db_context_st),
+						DB_OPS_STATS_F(db_trans_st),
+						DB_OPS_STATS_F(db_attrs_st)
+						);
+		return 0;
 }
 #endif /* NO_DB_OPS_STATS */
 /* 
@@ -362,51 +335,51 @@ db_ops_show_status(void)
 #ifdef TEST
 static void db_prop_print(struct db_prop *p)
 {
-	struct db_trans *t;
-	struct db_attr *a;
-	int ti, ai;
-	enum_names *n, *n_at, *n_av;
-	printf("protoid=\"%s\"\n", enum_name(&protocol_names, p->protoid));
-	for (ti=0, t=p->trans; ti< p->trans_cnt; ti++, t++) {
-		switch( t->transid) {
-			case PROTO_ISAKMP:
-				n=&isakmp_transformid_names;break;
-			case PROTO_IPSEC_ESP:
-				n=&esp_transformid_names;break;
-			default:
-				continue;
-		}
-		printf("  transid=\"%s\"\n", 
-			enum_name(n, t->transid));
-		for (ai=0, a=t->attrs; ai < t->attr_cnt; ai++, a++) {
-			int i;
-			switch( t->transid) {
-				case PROTO_ISAKMP:
-					n_at=&oakley_attr_names;
-					i=a->type|ISAKMP_ATTR_AF_TV;
-					n_av=oakley_attr_val_descs[(i)&ISAKMP_ATTR_RTYPE_MASK];
-					break;
-				case PROTO_IPSEC_ESP:
-					n_at=&ipsec_attr_names;
-					i=a->type|ISAKMP_ATTR_AF_TV;
-					n_av=ipsec_attr_val_descs[(i)&ISAKMP_ATTR_RTYPE_MASK];
-					break;
-				default:
-					continue;
-			}
-			printf("    type=\"%s\" value=\"%s\"\n", 
-				enum_name(n_at, i),
-				enum_name(n_av, a->val));
+		struct db_trans *t;
+		struct db_attr *a;
+		int ti, ai;
+		enum_names *n, *n_at, *n_av;
+		printf("protoid=\"%s\"\n", enum_name(&protocol_names, p->protoid));
+		for (ti=0, t=p->trans; ti< p->trans_cnt; ti++, t++) {
+				switch( t->transid) {
+						case PROTO_ISAKMP:
+								n=&isakmp_transformid_names;break;
+						case PROTO_IPSEC_ESP:
+								n=&esp_transformid_names;break;
+						default:
+								continue;
+				}
+				printf("  transid=\"%s\"\n", 
+						enum_name(n, t->transid));
+				for (ai=0, a=t->attrs; ai < t->attr_cnt; ai++, a++) {
+						int i;
+						switch( t->transid) {
+								case PROTO_ISAKMP:
+										n_at=&oakley_attr_names;
+										i=a->type|ISAKMP_ATTR_AF_TV;
+										n_av=oakley_attr_val_descs[(i)&ISAKMP_ATTR_RTYPE_MASK];
+										break;
+								case PROTO_IPSEC_ESP:
+										n_at=&ipsec_attr_names;
+										i=a->type|ISAKMP_ATTR_AF_TV;
+										n_av=ipsec_attr_val_descs[(i)&ISAKMP_ATTR_RTYPE_MASK];
+										break;
+								default:
+										continue;
+						}
+						printf("    type=\"%s\" value=\"%s\"\n", 
+								enum_name(n_at, i),
+								enum_name(n_av, a->val));
+				}
 		}
-	}
 
 }
 static void db_print(struct db_context *ctx) 
 {
-	printf("trans_cur diff=%d, attrs_cur diff=%d\n", 
-			ctx->trans_cur - ctx->trans0,
-			ctx->attrs_cur - ctx->attrs0);
-	db_prop_print(&ctx->prop);
+		printf("trans_cur diff=%d, attrs_cur diff=%d\n", 
+						ctx->trans_cur - ctx->trans0,
+						ctx->attrs_cur - ctx->attrs0);
+		db_prop_print(&ctx->prop);
 }
 
 void
@@ -415,25 +388,25 @@ void abort(void);
 void
 passert_fail(const char *pred_str, const char *file_str, unsigned long line_no)
 {
-    fprintf(stderr, "ASSERTION FAILED at %s:%lu: %s", file_str, line_no, pred_str);
-    abort();	/* exiting correctly doesn't always work */
+	fprintf(stderr, "ASSERTION FAILED at %s:%lu: %s", file_str, line_no, pred_str);
+	abort();    /* exiting correctly doesn't always work */
 }
 int main(void) {
-	struct db_context *ctx=db_prop_new(PROTO_ISAKMP, 0, 0);
-	db_trans_add(ctx, KEY_IKE);
-	db_attr_add_values(ctx, OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_3DES_CBC);
-	db_attr_add_values(ctx, OAKLEY_HASH_ALGORITHM, OAKLEY_MD5);
-	db_attr_add_values(ctx, OAKLEY_AUTHENTICATION_METHOD, OAKLEY_RSA_SIG);
-	db_attr_add_values(ctx, OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP1024);
-	db_trans_add(ctx, KEY_IKE);
-	db_attr_add_values(ctx, OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_AES_CBC);
-	db_attr_add_values(ctx, OAKLEY_HASH_ALGORITHM, OAKLEY_MD5);
-	db_attr_add_values(ctx, OAKLEY_AUTHENTICATION_METHOD, OAKLEY_PRESHARED_KEY);
-	db_attr_add_values(ctx, OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP1536);
-	db_trans_add(ctx, ESP_3DES);
-	db_attr_add_values(ctx, AUTH_ALGORITHM, AUTH_ALGORITHM_HMAC_SHA1);
-	db_print(ctx);
-	db_destroy(ctx);
-	return 0;
+		struct db_context *ctx=db_prop_new(PROTO_ISAKMP, 0, 0);
+		db_trans_add(ctx, KEY_IKE);
+		db_attr_add_values(ctx, OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_3DES_CBC);
+		db_attr_add_values(ctx, OAKLEY_HASH_ALGORITHM, OAKLEY_MD5);
+		db_attr_add_values(ctx, OAKLEY_AUTHENTICATION_METHOD, OAKLEY_RSA_SIG);
+		db_attr_add_values(ctx, OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP1024);
+		db_trans_add(ctx, KEY_IKE);
+		db_attr_add_values(ctx, OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_AES_CBC);
+		db_attr_add_values(ctx, OAKLEY_HASH_ALGORITHM, OAKLEY_MD5);
+		db_attr_add_values(ctx, OAKLEY_AUTHENTICATION_METHOD, OAKLEY_PRESHARED_KEY);
+		db_attr_add_values(ctx, OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP1536);
+		db_trans_add(ctx, ESP_3DES);
+		db_attr_add_values(ctx, AUTH_ALGORITHM, AUTH_ALGORITHM_HMAC_SHA1);
+		db_print(ctx);
+		db_destroy(ctx);
+		return 0;
 }
 #endif
diff --git a/src/pluto/db_ops.h b/src/pluto/db_ops.h
index 4004e710a..464c245dd 100644
--- a/src/pluto/db_ops.h
+++ b/src/pluto/db_ops.h
@@ -10,47 +10,45 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: db_ops.h 3252 2007-10-06 21:24:50Z andreas $
  */
 
 #ifndef _DB_OPS_H
 #define _DB_OPS_H
 
 /*
- * 	Main db object, (quite proposal "oriented")
+ *      Main db object, (quite proposal "oriented")
  */
 #ifndef NO_DB_CONTEXT
 struct db_context {
-	struct db_prop prop;		/* proposal buffer (not pointer) */
-	struct db_trans *trans0;	/* transf. list, dynamically sized */
-	struct db_trans *trans_cur;	/* current transform ptr */
-	struct db_attr *attrs0;		/* attr. list, dynamically sized */
-	struct db_attr *attrs_cur;	/* current attribute ptr */
-	int max_trans;			/* size of trans list */
-	int max_attrs;			/* size of attrs list */
+		struct db_prop prop;            /* proposal buffer (not pointer) */
+		struct db_trans *trans0;        /* transf. list, dynamically sized */
+		struct db_trans *trans_cur;     /* current transform ptr */
+		struct db_attr *attrs0;         /* attr. list, dynamically sized */
+		struct db_attr *attrs_cur;      /* current attribute ptr */
+		int max_trans;                  /* size of trans list */
+		int max_attrs;                  /* size of attrs list */
 };
 /*
- * 	Allocate a new db object
+ *      Allocate a new db object
  */
 struct db_context * db_prop_new(u_int8_t protoid, int max_trans, int max_attrs);
-/*	Initialize object for proposal building  */
+/*      Initialize object for proposal building  */
 int db_prop_init(struct db_context *ctx, u_int8_t protoid, int max_trans, int max_attrs);
-/*	Free all resourses for this db */
+/*      Free all resourses for this db */
 void db_destroy(struct db_context *ctx);
 
-/*	Start a new transform */
+/*      Start a new transform */
 int db_trans_add(struct db_context *ctx, u_int8_t transid);
-/*	Add a new attribute by copying db_attr content */
+/*      Add a new attribute by copying db_attr content */
 int db_attr_add(struct db_context *db_ctx, const struct db_attr *attr);
-/*	Add a new attribute by value */
+/*      Add a new attribute by value */
 int db_attr_add_values(struct db_context *ctx,  u_int16_t type, u_int16_t val);
 
-/*	Get proposal from db object */
+/*      Get proposal from db object */
 static __inline__ struct db_prop *db_prop_get(struct db_context *ctx) {
-	return &ctx->prop;
+		return &ctx->prop;
 }
-/*	Show stats (allocation, etc) */
+/*      Show stats (allocation, etc) */
 #endif /* NO_DB_CONTEXT */
 int db_ops_show_status(void);
 #endif /* _DB_OPS_H */
diff --git a/src/pluto/defs.c b/src/pluto/defs.c
index f2c1eab48..f83318e12 100644
--- a/src/pluto/defs.c
+++ b/src/pluto/defs.c
@@ -10,8 +10,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: defs.c 4632 2008-11-11 18:37:19Z martin $
  */
 
 #include <stdlib.h>
@@ -27,296 +25,62 @@
 #include "constants.h"
 #include "defs.h"
 #include "log.h"
-#include "whack.h"	/* for RC_LOG_SERIOUS */
-
-const chunk_t empty_chunk = { NULL, 0 };
+#include "whack.h"      /* for RC_LOG_SERIOUS */
 
 bool
 all_zero(const unsigned char *m, size_t len)
 {
-    size_t i;
-
-    for (i = 0; i != len; i++)
-	if (m[i] != '\0')
-	    return FALSE;
-    return TRUE;
-}
-
-/* memory allocation
- *
- * LEAK_DETECTIVE puts a wrapper around each allocation and maintains
- * a list of live ones.  If a dead one is freed, an assertion MIGHT fail.
- * If the live list is currupted, that will often be detected.
- * In the end, report_leaks() is called, and the names of remaining
- * live allocations are printed.  At the moment, it is hoped, not that
- * the list is empty, but that there will be no surprises.
- *
- * Accepted Leaks:
- * - "struct iface" and "device name" (for "discovered" net interfaces)
- * - "struct event in event_schedule()" (events not associated with states)
- * - "Pluto lock name" (one only, needed until end -- why bother?)
- */
-
-#ifdef LEAK_DETECTIVE
-
-/* this magic number is 3671129837 decimal (623837458 complemented) */
-#define LEAK_MAGIC 0xDAD0FEEDul
-
-union mhdr {
-    struct {
-	const char *name;
-	union mhdr *older, *newer;
-	unsigned long magic;
-    } i;    /* info */
-    unsigned long junk;	/* force maximal alignment */
-};
-
-static union mhdr *allocs = NULL;
-
-void *alloc_bytes(size_t size, const char *name)
-{
-    union mhdr *p = malloc(sizeof(union mhdr) + size);
-
-    if (p == NULL)
-	exit_log("unable to malloc %lu bytes for %s"
-	    , (unsigned long) size, name);
-    p->i.name = name;
-    p->i.older = allocs;
-    if (allocs != NULL)
-	allocs->i.newer = p;
-    allocs = p;
-    p->i.newer = NULL;
-    p->i.magic = LEAK_MAGIC;
-
-    memset(p+1, '\0', size);
-    return p+1;
-}
-
-void *
-clone_bytes(const void *orig, size_t size, const char *name)
-{
-    void *p = alloc_bytes(size, name);
-
-    memcpy(p, orig, size);
-    return p;
-}
-
-void
-pfree(void *ptr)
-{
-    union mhdr *p;
-
-    passert(ptr != NULL);
-    p = ((union mhdr *)ptr) - 1;
-    passert(p->i.magic == LEAK_MAGIC);
-    if (p->i.older != NULL)
-    {
-	passert(p->i.older->i.newer == p);
-	p->i.older->i.newer = p->i.newer;
-    }
-    if (p->i.newer == NULL)
-    {
-	passert(p == allocs);
-	allocs = p->i.older;
-    }
-    else
-    {
-	passert(p->i.newer->i.older == p);
-	p->i.newer->i.older = p->i.older;
-    }
-    p->i.magic = ~LEAK_MAGIC;
-    free(p);
-}
-
-void
-report_leaks(void)
-{
-    union mhdr
-	*p = allocs,
-	*pprev = NULL;
-    unsigned long n = 0;
-
-    while (p != NULL)
-    {
-	passert(p->i.magic == LEAK_MAGIC);
-	passert(pprev == p->i.newer);
-	pprev = p;
-	p = p->i.older;
-	n++;
-	if (p == NULL || pprev->i.name != p->i.name)
-	{
-	    if (n != 1)
-		plog("leak: %lu * %s", n, pprev->i.name);
-	    else
-		plog("leak: %s", pprev->i.name);
-	    n = 0;
-	}
-    }
-}
-
-#else /* !LEAK_DETECTIVE */
-
-void *alloc_bytes(size_t size, const char *name)
-{
-    void *p = malloc(size);
-
-    if (p == NULL)
-	exit_log("unable to malloc %lu bytes for %s"
-	    , (unsigned long) size, name);
-    memset(p, '\0', size);
-    return p;
-}
-
-void *clone_bytes(const void *orig, size_t size, const char *name)
-{
-    void *p = malloc(size);
+	size_t i;
 
-    if (p == NULL)
-	exit_log("unable to malloc %lu bytes for %s"
-	    , (unsigned long) size, name);
-    memcpy(p, orig, size);
-    return p;
+	for (i = 0; i != len; i++)
+		if (m[i] != '\0')
+			return FALSE;
+	return TRUE;
 }
-#endif /* !LEAK_DETECTIVE */
 
 /*  Note that there may be as many as six IDs that are temporary at
  *  one time before unsharing the two ends of a connection. So we need
  *  at least six temporary buffers for DER_ASN1_DN IDs.
  *  We rotate them. Be careful!
  */
-#define	MAX_BUF		10
+#define MAX_BUF         10
 
 char*
 temporary_cyclic_buffer(void)
 {
-    static char buf[MAX_BUF][BUF_LEN];	/* MAX_BUF internal buffers */
-    static int counter = 0;			/* cyclic counter */
+	static char buf[MAX_BUF][BUF_LEN];  /* MAX_BUF internal buffers */
+	static int counter = 0;                     /* cyclic counter */
 
-    if (++counter == MAX_BUF) counter = 0;	/* next internal buffer */
-    return buf[counter];			/* assign temporary buffer */
+	if (++counter == MAX_BUF) counter = 0;      /* next internal buffer */
+	return buf[counter];                        /* assign temporary buffer */
 }
 
 /* concatenates two sub paths into a string with a maximum size of BUF_LEN
  * use for temporary storage only
  */
-const char*
-concatenate_paths(const char *a, const char *b)
+char* concatenate_paths(char *a, char *b)
 {
-    char *c;
+	char *c;
 
-    if (*b == '/' || *b == '.')
-	return b;
+	if (*b == '/' || *b == '.')
+		return b;
 
-    c = temporary_cyclic_buffer();
-    snprintf(c, BUF_LEN, "%s/%s", a, b);
-    return c;
+	c = temporary_cyclic_buffer();
+	snprintf(c, BUF_LEN, "%s/%s", a, b);
+	return c;
 }
 
-/*  compare two chunks, returns zero if a equals b
- *  negative/positive if a is earlier/later in the alphabet than b
- */
-int
-cmp_chunk(chunk_t a, chunk_t b)
-{
-    int cmp_len, len, cmp_value;
-    
-    cmp_len = a.len - b.len;
-    len = (cmp_len < 0)? a.len : b.len;
-    cmp_value = memcmp(a.ptr, b.ptr, len);
-
-    return (cmp_value == 0)? cmp_len : cmp_value;
-};
-
 /* moves a chunk to a memory position, chunk is freed afterwards
  * position pointer is advanced after the insertion point
  */
 void
 mv_chunk(u_char **pos, chunk_t content)
 {
-    if (content.len > 0)
-    {
-	chunkcpy(*pos, content);
-	freeanychunk(content);
-    }
-}
-
-/*
- * write the binary contents of a chunk_t to a file
- */
-bool
-write_chunk(const char *filename, const char *label, chunk_t ch
-, mode_t mask, bool force)
-{
-    mode_t oldmask;
-    FILE *fd;
-    size_t written;
-
-    if (!force)
-    {
-	fd = fopen(filename, "r");
-	if (fd)
-	{
-	    fclose(fd);
-	    plog("  %s file '%s' already exists", label, filename);
-	    return FALSE;
-	}
-    }
-
-    /* set umask */
-    oldmask = umask(mask);
-
-    fd = fopen(filename, "w");
-
-    if (fd)
-    {
-	written = fwrite(ch.ptr, sizeof(u_char), ch.len, fd);
-	fclose(fd);
-	if (written != ch.len)
+	if (content.len > 0)
 	{
-	    plog("  writing to %s file '%s' failed", label, filename);
-	    umask(oldmask);
-	    return FALSE;
+		chunkcpy(*pos, content);
+		free(content.ptr);
 	}
-	plog("  written %s file '%s' (%d bytes)", label, filename, (int)ch.len);
-	umask(oldmask);
-	return TRUE;
-    }
-    else
-    {
-	plog("  could not open %s file '%s' for writing", label, filename);
-	umask(oldmask);
-	return FALSE;
-    }
-}
-
-/* Names of the months */
-
-static const char* months[] = {
-    "Jan", "Feb", "Mar", "Apr", "May", "Jun",
-    "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"
-};
-
-
-/*
- *  Display a date either in local or UTC time
- */
-char*
-timetoa(const time_t *time, bool utc)
-{
-    static char buf[TIMETOA_BUF];
-
-    if (*time == UNDEFINED_TIME)
-	sprintf(buf, "--- -- --:--:--%s----", (utc)?" UTC ":" ");
-    else
-    {
-	struct tm *t = (utc)? gmtime(time) : localtime(time);
-
-	sprintf(buf, "%s %02d %02d:%02d:%02d%s%04d",
-	    months[t->tm_mon], t->tm_mday, t->tm_hour, t->tm_min, t->tm_sec,
-	    (utc)?" UTC ":" ", t->tm_year + 1900
-	);
-    }
-    return buf;
 }
 
 /*  checks if the expiration date has been reached and
@@ -327,44 +91,44 @@ timetoa(const time_t *time, bool utc)
 const char*
 check_expiry(time_t expiration_date, int warning_interval, bool strict)
 {
-    time_t now;
-    int time_left;
-
-    if (expiration_date == UNDEFINED_TIME)
-      return "ok (expires never)";
+	time_t now;
+	int time_left;
 
-    /* determine the current time */
-    time(&now);
+	if (expiration_date == UNDEFINED_TIME)
+	  return "ok (expires never)";
 
-    time_left = (expiration_date - now);
-    if (time_left < 0)
-	return strict? "fatal (expired)" : "warning (expired)";
+	/* determine the current time */
+	time(&now);
 
-    if (time_left > 86400*warning_interval)
-	return "ok";
-    {
-	static char buf[35]; /* temporary storage */
-	const char* unit = "second";
+	time_left = (expiration_date - now);
+	if (time_left < 0)
+		return strict? "fatal (expired)" : "warning (expired)";
 
-	if (time_left > 172800)
-	{
-	    time_left /= 86400;
-	    unit = "day";
-	}
-	else if (time_left > 7200)
-	{
-	    time_left /= 3600;
-	    unit = "hour";
-	}
-	else if (time_left > 120)
+	if (time_left > 86400*warning_interval)
+		return "ok";
 	{
-	    time_left /= 60;
-	    unit = "minute";
+		static char buf[35]; /* temporary storage */
+		const char* unit = "second";
+
+		if (time_left > 172800)
+		{
+			time_left /= 86400;
+			unit = "day";
+		}
+		else if (time_left > 7200)
+		{
+			time_left /= 3600;
+			unit = "hour";
+		}
+		else if (time_left > 120)
+		{
+			time_left /= 60;
+			unit = "minute";
+		}
+		snprintf(buf, 35, "warning (expires in %d %s%s)", time_left,
+				 unit, (time_left == 1)?"":"s");
+		return buf;
 	}
-	snprintf(buf, 35, "warning (expires in %d %s%s)", time_left,
-		 unit, (time_left == 1)?"":"s");
-	return buf;
-    }
 }
 
 
@@ -374,8 +138,8 @@ check_expiry(time_t expiration_date, int warning_interval, bool strict)
 int
 file_select(const struct dirent *entry)
 {
-    return strcmp(entry->d_name, "." ) &&
-	   strcmp(entry->d_name, "..");
+	return strcmp(entry->d_name, "." ) &&
+		   strcmp(entry->d_name, "..");
 }
 
 
diff --git a/src/pluto/defs.h b/src/pluto/defs.h
index 574ce4a1a..8491f4ae8 100644
--- a/src/pluto/defs.h
+++ b/src/pluto/defs.h
@@ -11,128 +11,77 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: defs.h 3252 2007-10-06 21:24:50Z andreas $
  */
 
 #ifndef _DEFS_H
 #define _DEFS_H
 
+#include <string.h>
 #include <sys/types.h>
 
+#include <chunk.h>
+
 #ifdef KLIPS
-# define USED_BY_KLIPS	/* ignore */
+# define USED_BY_KLIPS  /* ignore */
 #else
-# define USED_BY_KLIPS	UNUSED
+# define USED_BY_KLIPS  UNUSED
 #endif
 
 #ifdef DEBUG
-# define USED_BY_DEBUG	/* ignore */
+# define USED_BY_DEBUG  /* ignore */
 #else
-# define USED_BY_DEBUG	UNUSED
+# define USED_BY_DEBUG  UNUSED
 #endif
 
-/* Length of temporary buffers */
-
-#define BUF_LEN	      512
-
 /* type of serial number of a state object
  * Needed in connections.h and state.h; here to simplify dependencies.
  */
 typedef unsigned long so_serial_t;
-#define SOS_NOBODY	0	/* null serial number */
-#define SOS_FIRST	1	/* first normal serial number */
+#define SOS_NOBODY      0       /* null serial number */
+#define SOS_FIRST       1       /* first normal serial number */
 
 /* memory allocation */
 
-extern void *alloc_bytes(size_t size, const char *name);
-#define alloc_thing(thing, name) (alloc_bytes(sizeof(thing), (name)))
+#define clone_thing(orig) clalloc((void *)&(orig), sizeof(orig))
 
-extern void *clone_bytes(const void *orig, size_t size, const char *name);
-#define clone_thing(orig, name) clone_bytes((const void *)&(orig), sizeof(orig), (name))
-#define clone_str(str, name) \
-    ((str) == NULL? NULL : clone_bytes((str), strlen((str))+1, (name)))
+#define clone_str(str) \
+	((str) == NULL? NULL : strdup(str))
+
+#define replace(p, q) \
+	{ free(p); (p) = (q); }
 
-#ifdef LEAK_DETECTIVE
-  extern void pfree(void *ptr);
-  extern void report_leaks(void);
-#else
-# define pfree(ptr) free(ptr)	/* ordinary stdc free */
-#endif
-#define pfreeany(p) { if ((p) != NULL) pfree(p); }
-#define replace(p, q) { pfreeany(p); (p) = (q); }
-
-
-/* chunk is a simple pointer-and-size abstraction */
-
-struct chunk {
-    u_char *ptr;
-    size_t len;
-    };
-typedef struct chunk chunk_t;
-
-#define setchunk(ch, addr, size) { (ch).ptr = (addr); (ch).len = (size); }
-#define strchunk(str) { str, sizeof(str) }
-/* NOTE: freeanychunk, unlike pfreeany, NULLs .ptr */
-#define freeanychunk(ch) { pfreeany((ch).ptr); (ch).ptr = NULL; }
-#define clonetochunk(ch, addr, size, name) \
-    { (ch).ptr = clone_bytes((addr), (ch).len = (size), name); }
-#define clonereplacechunk(ch, addr, size, name) \
-    { pfreeany((ch).ptr); clonetochunk(ch, addr, size, name); }
 #define chunkcpy(dst, chunk) \
-    { memcpy(dst, chunk.ptr, chunk.len); dst += chunk.len;}
-#define same_chunk(a, b) \
-    ( (a).len == (b).len && memcmp((a).ptr, (b).ptr, (b).len) == 0 )
+	{ memcpy(dst, chunk.ptr, chunk.len); dst += chunk.len;}
 
 extern char* temporary_cyclic_buffer(void);
-extern const char* concatenate_paths(const char *a, const char *b);
-
-extern const chunk_t empty_chunk;
-
-/* compare two chunks */
-extern int cmp_chunk(chunk_t a, chunk_t b);
+extern char* concatenate_paths(char *a, char *b);
 
 /* move a chunk to a memory position and free it after insertion */
 extern void mv_chunk(u_char **pos, chunk_t content);
 
-/* write the binary contents of a chunk_t to a file */
-extern bool write_chunk(const char *filename, const char *label, chunk_t ch
-    ,mode_t mask, bool force);
-
-/* display a date either in local or UTC time */
-extern char* timetoa(const time_t *time, bool utc);
-
 /* warns a predefined interval before expiry */
 extern const char* check_expiry(time_t expiration_date,
-    int warning_interval, bool strict);
+	int warning_interval, bool strict);
 
-#define MAX_PROMPT_PASS_TRIALS	5
-#define PROMPT_PASS_LEN		64
+#define MAX_PROMPT_PASS_TRIALS  5
+#define PROMPT_PASS_LEN         64
 
 /* struct used to prompt for a secret passphrase
  * from a console with file descriptor fd
  */
 typedef struct {
-    char secret[PROMPT_PASS_LEN+1];
-    bool prompt;
-    int fd;
+	char secret[PROMPT_PASS_LEN+1];
+	bool prompt;
+	int fd;
 } prompt_pass_t;
 
-/* no time defined in time_t */
-#define UNDEFINED_TIME	0
-
-/* size of timetoa string buffer */
-#define TIMETOA_BUF	30
-
 /* filter eliminating the directory entries '.' and '..' */
 typedef struct dirent dirent_t;
 extern int file_select(const dirent_t *entry);
 
 /* cleanly exit Pluto */
-
 extern void exit_pluto(int /*status*/) NEVER_RETURNS;
 
-
 /* zero all bytes */
 #define zero(x) memset((x), '\0', sizeof(*(x)))
 
diff --git a/src/pluto/demux.c b/src/pluto/demux.c
index 04728a4a8..3cfc909af 100644
--- a/src/pluto/demux.c
+++ b/src/pluto/demux.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: demux.c 3686 2008-03-28 11:48:14Z martin $
  */
 
 /* Ordering Constraints on Payloads
@@ -110,8 +108,8 @@
 #include <unistd.h>
 #include <errno.h>
 #include <sys/types.h>
-#include <sys/time.h>	/* only used for belt-and-suspenders select call */
-#include <sys/poll.h>	/* only used for forensic poll call */
+#include <sys/time.h>   /* only used for belt-and-suspenders select call */
+#include <sys/poll.h>   /* only used for forensic poll call */
 #include <sys/socket.h>
 #include <sys/ioctl.h>
 #include <netinet/in.h>
@@ -119,9 +117,9 @@
 #include <sys/queue.h>
 
 #if defined(IP_RECVERR) && defined(MSG_ERRQUEUE)
-#  include <asm/types.h>	/* for __u8, __u32 */
+#  include <asm/types.h>        /* for __u8, __u32 */
 #  include <linux/errqueue.h>
-#  include <sys/uio.h>	/* struct iovec */
+#  include <sys/uio.h>  /* struct iovec */
 #endif
 
 #include <freeswan.h>
@@ -132,15 +130,13 @@
 #include "connections.h"
 #include "state.h"
 #include "packet.h"
-#include "md5.h"
-#include "sha1.h"
-#include "crypto.h" /* requires sha1.h and md5.h */
+#include "crypto.h"
 #include "ike_alg.h"
 #include "log.h"
-#include "demux.h"	/* needs packet.h */
-#include "ipsec_doi.h"	/* needs demux.h and state.h */
+#include "demux.h"      /* needs packet.h */
+#include "ipsec_doi.h"  /* needs demux.h and state.h */
 #include "timer.h"
-#include "whack.h"	/* requires connections.h */
+#include "whack.h"      /* requires connections.h */
 #include "server.h"
 #include "nat_traversal.h"
 #include "vendor.h"
@@ -173,14 +169,14 @@ u_int8_t reply_buffer[MAX_OUTPUT_UDP_SIZE];
  */
 
 struct state_microcode {
-    enum state_kind state, next_state;
-    lset_t flags;
-    lset_t req_payloads;	/* required payloads (allows just one) */
-    lset_t opt_payloads;	/* optional payloads (any mumber) */
-    /* if not ISAKMP_NEXT_NONE, process_packet will emit HDR with this as np */
-    u_int8_t first_out_payload;
-    enum event_type timeout_event;
-    state_transition_fn *processor;
+	enum state_kind state, next_state;
+	lset_t flags;
+	lset_t req_payloads;        /* required payloads (allows just one) */
+	lset_t opt_payloads;        /* optional payloads (any mumber) */
+	/* if not ISAKMP_NEXT_NONE, process_packet will emit HDR with this as np */
+	u_int8_t first_out_payload;
+	enum event_type timeout_event;
+	state_transition_fn *processor;
 };
 
 /* State Microcode Flags, in several groups */
@@ -190,19 +186,21 @@ struct state_microcode {
  * Note: SMF_ALL_AUTH matches 0 for those circumstances when no auth
  * has been set.
  */
-#define SMF_ALL_AUTH	LRANGE(0, OAKLEY_AUTH_ROOF-1)
-#define SMF_PSK_AUTH	LELEM(OAKLEY_PRESHARED_KEY)
-#define SMF_DS_AUTH	(LELEM(OAKLEY_DSS_SIG) | LELEM(OAKLEY_RSA_SIG))
-#define SMF_PKE_AUTH	(LELEM(OAKLEY_RSA_ENC) | LELEM(OAKLEY_ELGAMAL_ENC))
-#define SMF_RPKE_AUTH	(LELEM(OAKLEY_RSA_ENC_REV) | LELEM(OAKLEY_ELGAMAL_ENC_REV))
+#define SMF_ALL_AUTH    LRANGE(0, OAKLEY_AUTH_ROOF-1)
+#define SMF_PSK_AUTH    LELEM(OAKLEY_PRESHARED_KEY)
+#define SMF_DS_AUTH     (LELEM(OAKLEY_DSS_SIG)   | LELEM(OAKLEY_RSA_SIG)   | \
+						 LELEM(OAKLEY_ECDSA_SIG) | LELEM(OAKLEY_ECDSA_256) | \
+						 LELEM(OAKLEY_ECDSA_384) | LELEM(OAKLEY_ECDSA_521))
+#define SMF_PKE_AUTH    (LELEM(OAKLEY_RSA_ENC) | LELEM(OAKLEY_ELGAMAL_ENC))
+#define SMF_RPKE_AUTH   (LELEM(OAKLEY_RSA_ENC_REV) | LELEM(OAKLEY_ELGAMAL_ENC_REV))
 
 /* misc flags */
 
-#define SMF_INITIATOR	LELEM(OAKLEY_AUTH_ROOF + 0)
-#define SMF_FIRST_ENCRYPTED_INPUT	LELEM(OAKLEY_AUTH_ROOF + 1)
-#define SMF_INPUT_ENCRYPTED	LELEM(OAKLEY_AUTH_ROOF + 2)
-#define SMF_OUTPUT_ENCRYPTED	LELEM(OAKLEY_AUTH_ROOF + 3)
-#define SMF_RETRANSMIT_ON_DUPLICATE	LELEM(OAKLEY_AUTH_ROOF + 4)
+#define SMF_INITIATOR   LELEM(OAKLEY_AUTH_ROOF + 0)
+#define SMF_FIRST_ENCRYPTED_INPUT       LELEM(OAKLEY_AUTH_ROOF + 1)
+#define SMF_INPUT_ENCRYPTED     LELEM(OAKLEY_AUTH_ROOF + 2)
+#define SMF_OUTPUT_ENCRYPTED    LELEM(OAKLEY_AUTH_ROOF + 3)
+#define SMF_RETRANSMIT_ON_DUPLICATE     LELEM(OAKLEY_AUTH_ROOF + 4)
 
 #define SMF_ENCRYPTED (SMF_INPUT_ENCRYPTED | SMF_OUTPUT_ENCRYPTED)
 
@@ -210,14 +208,14 @@ struct state_microcode {
 #define SMF_REPLY   LELEM(OAKLEY_AUTH_ROOF + 5)
 
 /* this state completes P1, so any pending P2 negotiations should start */
-#define SMF_RELEASE_PENDING_P2	LELEM(OAKLEY_AUTH_ROOF + 6)
+#define SMF_RELEASE_PENDING_P2  LELEM(OAKLEY_AUTH_ROOF + 6)
 
 /* end of flags */
 
 
-static state_transition_fn	/* forward declaration */
-    unexpected,
-    informational;
+static state_transition_fn      /* forward declaration */
+	unexpected,
+	informational;
 
 /* state_microcode_table is a table of all state_microcode tuples.
  * It must be in order of state (the first element).
@@ -228,288 +226,288 @@ static state_transition_fn	/* forward declaration */
  */
 
 static const struct state_microcode
-    *ike_microcode_index[STATE_IKE_ROOF - STATE_IKE_FLOOR];
+	*ike_microcode_index[STATE_IKE_ROOF - STATE_IKE_FLOOR];
 
 static const struct state_microcode state_microcode_table[] = {
 #define PT(n) ISAKMP_NEXT_##n
 #define P(n) LELEM(PT(n))
 
-    /***** Phase 1 Main Mode *****/
-
-    /* No state for main_outI1: --> HDR, SA */
-
-    /* STATE_MAIN_R0: I1 --> R1
-     * HDR, SA --> HDR, SA
-     */
-    { STATE_MAIN_R0, STATE_MAIN_R1
-    , SMF_ALL_AUTH | SMF_REPLY
-    , P(SA), P(VID) | P(CR), PT(NONE)
-    , EVENT_RETRANSMIT, main_inI1_outR1},
-
-    /* STATE_MAIN_I1: R1 --> I2
-     * HDR, SA --> auth dependent
-     * SMF_PSK_AUTH, SMF_DS_AUTH: --> HDR, KE, Ni
-     * SMF_PKE_AUTH:
-     *	--> HDR, KE, [ HASH(1), ] <IDi1_b>PubKey_r, <Ni_b>PubKey_r
-     * SMF_RPKE_AUTH:
-     *	--> HDR, [ HASH(1), ] <Ni_b>Pubkey_r, <KE_b>Ke_i, <IDi1_b>Ke_i [,<<Cert-I_b>Ke_i]
-     * Note: since we don't know auth at start, we cannot differentiate
-     * microcode entries based on it.
-     */
-    { STATE_MAIN_I1, STATE_MAIN_I2
-    , SMF_ALL_AUTH | SMF_INITIATOR | SMF_REPLY
-    , P(SA), P(VID) | P(CR), PT(NONE) /* don't know yet */
-    , EVENT_RETRANSMIT, main_inR1_outI2 },
-
-    /* STATE_MAIN_R1: I2 --> R2
-     * SMF_PSK_AUTH, SMF_DS_AUTH: HDR, KE, Ni --> HDR, KE, Nr
-     * SMF_PKE_AUTH: HDR, KE, [ HASH(1), ] <IDi1_b>PubKey_r, <Ni_b>PubKey_r
-     *	    --> HDR, KE, <IDr1_b>PubKey_i, <Nr_b>PubKey_i
-     * SMF_RPKE_AUTH:
-     *	    HDR, [ HASH(1), ] <Ni_b>Pubkey_r, <KE_b>Ke_i, <IDi1_b>Ke_i [,<<Cert-I_b>Ke_i]
-     *	    --> HDR, <Nr_b>PubKey_i, <KE_b>Ke_r, <IDr1_b>Ke_r
-     */
-    { STATE_MAIN_R1, STATE_MAIN_R2
-    , SMF_PSK_AUTH | SMF_DS_AUTH | SMF_REPLY
-    , P(KE) | P(NONCE), P(VID) | P(CR) | P(NATD_RFC), PT(KE)
-    , EVENT_RETRANSMIT, main_inI2_outR2 },
-
-    { STATE_MAIN_R1, STATE_UNDEFINED
-    , SMF_PKE_AUTH | SMF_REPLY
-    , P(KE) | P(ID) | P(NONCE), P(VID) | P(CR) | P(HASH), PT(KE)
-    , EVENT_RETRANSMIT, unexpected /* ??? not yet implemented */ },
-
-    { STATE_MAIN_R1, STATE_UNDEFINED
-    , SMF_RPKE_AUTH | SMF_REPLY
-    , P(NONCE) | P(KE) | P(ID), P(VID) | P(CR) | P(HASH) | P(CERT), PT(NONCE)
-    , EVENT_RETRANSMIT, unexpected /* ??? not yet implemented */ },
-
-    /* for states from here on, output message must be encrypted */
-
-    /* STATE_MAIN_I2: R2 --> I3
-     * SMF_PSK_AUTH: HDR, KE, Nr --> HDR*, IDi1, HASH_I
-     * SMF_DS_AUTH: HDR, KE, Nr --> HDR*, IDi1, [ CERT, ] SIG_I
-     * SMF_PKE_AUTH: HDR, KE, <IDr1_b>PubKey_i, <Nr_b>PubKey_i
-     *	    --> HDR*, HASH_I
-     * SMF_RPKE_AUTH: HDR, <Nr_b>PubKey_i, <KE_b>Ke_r, <IDr1_b>Ke_r
-     *	    --> HDR*, HASH_I
-     */
-    { STATE_MAIN_I2, STATE_MAIN_I3
-    , SMF_PSK_AUTH | SMF_DS_AUTH | SMF_INITIATOR | SMF_OUTPUT_ENCRYPTED | SMF_REPLY
-    , P(KE) | P(NONCE), P(VID) | P(CR) | P(NATD_RFC), PT(ID)
-    , EVENT_RETRANSMIT, main_inR2_outI3 },
-
-    { STATE_MAIN_I2, STATE_UNDEFINED
-    , SMF_PKE_AUTH | SMF_INITIATOR | SMF_OUTPUT_ENCRYPTED | SMF_REPLY
-    , P(KE) | P(ID) | P(NONCE), P(VID) | P(CR), PT(HASH)
-    , EVENT_RETRANSMIT, unexpected /* ??? not yet implemented */ },
-
-    { STATE_MAIN_I2, STATE_UNDEFINED
-    , SMF_ALL_AUTH | SMF_INITIATOR | SMF_OUTPUT_ENCRYPTED | SMF_REPLY
-    , P(NONCE) | P(KE) | P(ID), P(VID) | P(CR), PT(HASH)
-    , EVENT_RETRANSMIT, unexpected /* ??? not yet implemented */ },
-
-    /* for states from here on, input message must be encrypted */
-
-    /* STATE_MAIN_R2: I3 --> R3
-     * SMF_PSK_AUTH: HDR*, IDi1, HASH_I --> HDR*, IDr1, HASH_R
-     * SMF_DS_AUTH: HDR*, IDi1, [ CERT, ] SIG_I --> HDR*, IDr1, [ CERT, ] SIG_R
-     * SMF_PKE_AUTH, SMF_RPKE_AUTH: HDR*, HASH_I --> HDR*, HASH_R
-     */
-    { STATE_MAIN_R2, STATE_MAIN_R3
-    , SMF_PSK_AUTH | SMF_FIRST_ENCRYPTED_INPUT | SMF_ENCRYPTED
-      | SMF_REPLY | SMF_RELEASE_PENDING_P2
-    , P(ID) | P(HASH), P(VID) | P(CR), PT(NONE)
-    , EVENT_SA_REPLACE, main_inI3_outR3 },
-
-    { STATE_MAIN_R2, STATE_MAIN_R3
-    , SMF_DS_AUTH | SMF_FIRST_ENCRYPTED_INPUT | SMF_ENCRYPTED
-      | SMF_REPLY | SMF_RELEASE_PENDING_P2
-    , P(ID) | P(SIG), P(VID) | P(CR) | P(CERT), PT(NONE)
-    , EVENT_SA_REPLACE, main_inI3_outR3 },
-
-    { STATE_MAIN_R2, STATE_UNDEFINED
-    , SMF_PKE_AUTH | SMF_RPKE_AUTH | SMF_FIRST_ENCRYPTED_INPUT | SMF_ENCRYPTED
-      | SMF_REPLY | SMF_RELEASE_PENDING_P2
-    , P(HASH), P(VID) | P(CR), PT(NONE)
-    , EVENT_SA_REPLACE, unexpected /* ??? not yet implemented */ },
-
-    /* STATE_MAIN_I3: R3 --> done
-     * SMF_PSK_AUTH: HDR*, IDr1, HASH_R --> done
-     * SMF_DS_AUTH: HDR*, IDr1, [ CERT, ] SIG_R --> done
-     * SMF_PKE_AUTH, SMF_RPKE_AUTH: HDR*, HASH_R --> done
-     * May initiate quick mode by calling quick_outI1
-     */
-    { STATE_MAIN_I3, STATE_MAIN_I4
-    , SMF_PSK_AUTH | SMF_INITIATOR
-      | SMF_FIRST_ENCRYPTED_INPUT | SMF_ENCRYPTED | SMF_RELEASE_PENDING_P2
-    , P(ID) | P(HASH), P(VID) | P(CR), PT(NONE)
-    , EVENT_SA_REPLACE, main_inR3 },
-
-    { STATE_MAIN_I3, STATE_MAIN_I4
-    , SMF_DS_AUTH | SMF_INITIATOR
-      | SMF_FIRST_ENCRYPTED_INPUT | SMF_ENCRYPTED | SMF_RELEASE_PENDING_P2
-    , P(ID) | P(SIG), P(VID) | P(CR) | P(CERT), PT(NONE)
-    , EVENT_SA_REPLACE, main_inR3 },
-
-    { STATE_MAIN_I3, STATE_UNDEFINED
-    , SMF_PKE_AUTH | SMF_RPKE_AUTH | SMF_INITIATOR
-      | SMF_FIRST_ENCRYPTED_INPUT | SMF_ENCRYPTED | SMF_RELEASE_PENDING_P2
-    , P(HASH), P(VID) | P(CR), PT(NONE)
-    , EVENT_SA_REPLACE, unexpected /* ??? not yet implemented */ },
-
-    /* STATE_MAIN_R3: can only get here due to packet loss */
-    { STATE_MAIN_R3, STATE_UNDEFINED
-    , SMF_ALL_AUTH | SMF_ENCRYPTED | SMF_RETRANSMIT_ON_DUPLICATE
-    , LEMPTY, LEMPTY
-    , PT(NONE), EVENT_NULL, unexpected },
-
-    /* STATE_MAIN_I4: can only get here due to packet loss */
-    { STATE_MAIN_I4, STATE_UNDEFINED
-    , SMF_ALL_AUTH | SMF_INITIATOR | SMF_ENCRYPTED
-    , LEMPTY, LEMPTY
-    , PT(NONE), EVENT_NULL, unexpected },
-
-
-    /***** Phase 2 Quick Mode *****/
-
-    /* No state for quick_outI1:
-     * --> HDR*, HASH(1), SA, Nr [, KE ] [, IDci, IDcr ]
-     */
-
-    /* STATE_QUICK_R0:
-     * HDR*, HASH(1), SA, Ni [, KE ] [, IDci, IDcr ] -->
-     * HDR*, HASH(2), SA, Nr [, KE ] [, IDci, IDcr ]
-     * Installs inbound IPsec SAs.
-     * Because it may suspend for asynchronous DNS, first_out_payload
-     * is set to NONE to suppress early emission of HDR*.
-     * ??? it is legal to have multiple SAs, but we don't support it yet.
-     */
-    { STATE_QUICK_R0, STATE_QUICK_R1
-    , SMF_ALL_AUTH | SMF_ENCRYPTED | SMF_REPLY
-    , P(HASH) | P(SA) | P(NONCE), /* P(SA) | */ P(KE) | P(ID) | P(NATOA_RFC), PT(NONE)
-    , EVENT_RETRANSMIT, quick_inI1_outR1 },
-
-    /* STATE_QUICK_I1:
-     * HDR*, HASH(2), SA, Nr [, KE ] [, IDci, IDcr ] -->
-     * HDR*, HASH(3)
-     * Installs inbound and outbound IPsec SAs, routing, etc.
-     * ??? it is legal to have multiple SAs, but we don't support it yet.
-     */
-    { STATE_QUICK_I1, STATE_QUICK_I2
-    , SMF_ALL_AUTH | SMF_INITIATOR | SMF_ENCRYPTED | SMF_REPLY
-    , P(HASH) | P(SA) | P(NONCE), /* P(SA) | */ P(KE) | P(ID) | P(NATOA_RFC), PT(HASH)
-    , EVENT_SA_REPLACE, quick_inR1_outI2 },
-
-    /* STATE_QUICK_R1: HDR*, HASH(3) --> done
-     * Installs outbound IPsec SAs, routing, etc.
-     */
-    { STATE_QUICK_R1, STATE_QUICK_R2
-    , SMF_ALL_AUTH | SMF_ENCRYPTED
-    , P(HASH), LEMPTY, PT(NONE)
-    , EVENT_SA_REPLACE, quick_inI2 },
-
-    /* STATE_QUICK_I2: can only happen due to lost packet */
-    { STATE_QUICK_I2, STATE_UNDEFINED
-    , SMF_ALL_AUTH | SMF_INITIATOR | SMF_ENCRYPTED | SMF_RETRANSMIT_ON_DUPLICATE
-    , LEMPTY, LEMPTY, PT(NONE)
-    , EVENT_NULL, unexpected },
-
-    /* STATE_QUICK_R2: can only happen due to lost packet */
-    { STATE_QUICK_R2, STATE_UNDEFINED
-    , SMF_ALL_AUTH | SMF_ENCRYPTED
-    , LEMPTY, LEMPTY, PT(NONE)
-    , EVENT_NULL, unexpected },
-
-
-    /***** informational messages *****/
-
-    /* STATE_INFO: */
-    { STATE_INFO, STATE_UNDEFINED
-    , SMF_ALL_AUTH
-    , LEMPTY, LEMPTY, PT(NONE)
-    , EVENT_NULL, informational },
-
-    /* STATE_INFO_PROTECTED: */
-    { STATE_INFO_PROTECTED, STATE_UNDEFINED
-    , SMF_ALL_AUTH | SMF_ENCRYPTED
-    , P(HASH), LEMPTY, PT(NONE)
-    , EVENT_NULL, informational },
-
-    /* XAUTH state transitions */
-    { STATE_XAUTH_I0, STATE_XAUTH_I1
-    , SMF_ALL_AUTH | SMF_ENCRYPTED | SMF_REPLY
-    , P(ATTR) | P(HASH), P(VID), PT(HASH)
-    , EVENT_RETRANSMIT, xauth_inI0 },
-
-    { STATE_XAUTH_R1, STATE_XAUTH_R2
-    , SMF_ALL_AUTH | SMF_ENCRYPTED
-    , P(ATTR) | P(HASH), P(VID), PT(HASH)
-    , EVENT_RETRANSMIT, xauth_inR1 },
-
-    { STATE_XAUTH_I1, STATE_XAUTH_I2
-    , SMF_ALL_AUTH | SMF_ENCRYPTED | SMF_REPLY | SMF_RELEASE_PENDING_P2
-    , P(ATTR) | P(HASH), P(VID), PT(HASH)
-    , EVENT_SA_REPLACE, xauth_inI1 },
-
-    { STATE_XAUTH_R2, STATE_XAUTH_R3
-    , SMF_ALL_AUTH | SMF_ENCRYPTED | SMF_RELEASE_PENDING_P2
-    , P(ATTR) | P(HASH), P(VID), PT(NONE)
-    , EVENT_SA_REPLACE, xauth_inR2 },
-
-    { STATE_XAUTH_I2, STATE_UNDEFINED
-    , SMF_ALL_AUTH | SMF_ENCRYPTED
-    , LEMPTY, LEMPTY, PT(NONE)
-    , EVENT_NULL, unexpected },
-
-    { STATE_XAUTH_R3, STATE_UNDEFINED
-    , SMF_ALL_AUTH | SMF_ENCRYPTED
-    , LEMPTY, LEMPTY, PT(NONE)
-    , EVENT_NULL, unexpected },
-
-    /* ModeCfg pull mode state transitions */
-
-    { STATE_MODE_CFG_R0, STATE_MODE_CFG_R1
-    , SMF_ALL_AUTH | SMF_ENCRYPTED | SMF_REPLY | SMF_RELEASE_PENDING_P2
-    , P(ATTR) | P(HASH), P(VID), PT(HASH)
-    , EVENT_SA_REPLACE, modecfg_inR0 },
-
-    { STATE_MODE_CFG_I1, STATE_MODE_CFG_I2
-    , SMF_ALL_AUTH | SMF_ENCRYPTED | SMF_RELEASE_PENDING_P2
-    , P(ATTR) | P(HASH), P(VID), PT(HASH)
-    , EVENT_SA_REPLACE, modecfg_inI1 },
-
-    { STATE_MODE_CFG_R1, STATE_UNDEFINED
-    , SMF_ALL_AUTH | SMF_ENCRYPTED
-    , LEMPTY, LEMPTY, PT(NONE)
-    , EVENT_NULL, unexpected },
-
-    { STATE_MODE_CFG_I2, STATE_UNDEFINED
-    , SMF_ALL_AUTH | SMF_ENCRYPTED
-    , LEMPTY, LEMPTY, PT(NONE)
-    , EVENT_NULL, unexpected },
+	/***** Phase 1 Main Mode *****/
+
+	/* No state for main_outI1: --> HDR, SA */
+
+	/* STATE_MAIN_R0: I1 --> R1
+	 * HDR, SA --> HDR, SA
+	 */
+	{ STATE_MAIN_R0, STATE_MAIN_R1
+	, SMF_ALL_AUTH | SMF_REPLY
+	, P(SA), P(VID) | P(CR), PT(NONE)
+	, EVENT_RETRANSMIT, main_inI1_outR1},
+
+	/* STATE_MAIN_I1: R1 --> I2
+	 * HDR, SA --> auth dependent
+	 * SMF_PSK_AUTH, SMF_DS_AUTH: --> HDR, KE, Ni
+	 * SMF_PKE_AUTH:
+	 *  --> HDR, KE, [ HASH(1), ] <IDi1_b>PubKey_r, <Ni_b>PubKey_r
+	 * SMF_RPKE_AUTH:
+	 *  --> HDR, [ HASH(1), ] <Ni_b>Pubkey_r, <KE_b>Ke_i, <IDi1_b>Ke_i [,<<Cert-I_b>Ke_i]
+	 * Note: since we don't know auth at start, we cannot differentiate
+	 * microcode entries based on it.
+	 */
+	{ STATE_MAIN_I1, STATE_MAIN_I2
+	, SMF_ALL_AUTH | SMF_INITIATOR | SMF_REPLY
+	, P(SA), P(VID) | P(CR), PT(NONE) /* don't know yet */
+	, EVENT_RETRANSMIT, main_inR1_outI2 },
+
+	/* STATE_MAIN_R1: I2 --> R2
+	 * SMF_PSK_AUTH, SMF_DS_AUTH: HDR, KE, Ni --> HDR, KE, Nr
+	 * SMF_PKE_AUTH: HDR, KE, [ HASH(1), ] <IDi1_b>PubKey_r, <Ni_b>PubKey_r
+	 *      --> HDR, KE, <IDr1_b>PubKey_i, <Nr_b>PubKey_i
+	 * SMF_RPKE_AUTH:
+	 *      HDR, [ HASH(1), ] <Ni_b>Pubkey_r, <KE_b>Ke_i, <IDi1_b>Ke_i [,<<Cert-I_b>Ke_i]
+	 *      --> HDR, <Nr_b>PubKey_i, <KE_b>Ke_r, <IDr1_b>Ke_r
+	 */
+	{ STATE_MAIN_R1, STATE_MAIN_R2
+	, SMF_PSK_AUTH | SMF_DS_AUTH | SMF_REPLY
+	, P(KE) | P(NONCE), P(VID) | P(CR) | P(NATD_RFC), PT(KE)
+	, EVENT_RETRANSMIT, main_inI2_outR2 },
+
+	{ STATE_MAIN_R1, STATE_UNDEFINED
+	, SMF_PKE_AUTH | SMF_REPLY
+	, P(KE) | P(ID) | P(NONCE), P(VID) | P(CR) | P(HASH), PT(KE)
+	, EVENT_RETRANSMIT, unexpected /* ??? not yet implemented */ },
+
+	{ STATE_MAIN_R1, STATE_UNDEFINED
+	, SMF_RPKE_AUTH | SMF_REPLY
+	, P(NONCE) | P(KE) | P(ID), P(VID) | P(CR) | P(HASH) | P(CERT), PT(NONCE)
+	, EVENT_RETRANSMIT, unexpected /* ??? not yet implemented */ },
+
+	/* for states from here on, output message must be encrypted */
+
+	/* STATE_MAIN_I2: R2 --> I3
+	 * SMF_PSK_AUTH: HDR, KE, Nr --> HDR*, IDi1, HASH_I
+	 * SMF_DS_AUTH: HDR, KE, Nr --> HDR*, IDi1, [ CERT, ] SIG_I
+	 * SMF_PKE_AUTH: HDR, KE, <IDr1_b>PubKey_i, <Nr_b>PubKey_i
+	 *      --> HDR*, HASH_I
+	 * SMF_RPKE_AUTH: HDR, <Nr_b>PubKey_i, <KE_b>Ke_r, <IDr1_b>Ke_r
+	 *      --> HDR*, HASH_I
+	 */
+	{ STATE_MAIN_I2, STATE_MAIN_I3
+	, SMF_PSK_AUTH | SMF_DS_AUTH | SMF_INITIATOR | SMF_OUTPUT_ENCRYPTED | SMF_REPLY
+	, P(KE) | P(NONCE), P(VID) | P(CR) | P(NATD_RFC), PT(ID)
+	, EVENT_RETRANSMIT, main_inR2_outI3 },
+
+	{ STATE_MAIN_I2, STATE_UNDEFINED
+	, SMF_PKE_AUTH | SMF_INITIATOR | SMF_OUTPUT_ENCRYPTED | SMF_REPLY
+	, P(KE) | P(ID) | P(NONCE), P(VID) | P(CR), PT(HASH)
+	, EVENT_RETRANSMIT, unexpected /* ??? not yet implemented */ },
+
+	{ STATE_MAIN_I2, STATE_UNDEFINED
+	, SMF_ALL_AUTH | SMF_INITIATOR | SMF_OUTPUT_ENCRYPTED | SMF_REPLY
+	, P(NONCE) | P(KE) | P(ID), P(VID) | P(CR), PT(HASH)
+	, EVENT_RETRANSMIT, unexpected /* ??? not yet implemented */ },
+
+	/* for states from here on, input message must be encrypted */
+
+	/* STATE_MAIN_R2: I3 --> R3
+	 * SMF_PSK_AUTH: HDR*, IDi1, HASH_I --> HDR*, IDr1, HASH_R
+	 * SMF_DS_AUTH: HDR*, IDi1, [ CERT, ] SIG_I --> HDR*, IDr1, [ CERT, ] SIG_R
+	 * SMF_PKE_AUTH, SMF_RPKE_AUTH: HDR*, HASH_I --> HDR*, HASH_R
+	 */
+	{ STATE_MAIN_R2, STATE_MAIN_R3
+	, SMF_PSK_AUTH | SMF_FIRST_ENCRYPTED_INPUT | SMF_ENCRYPTED
+	  | SMF_REPLY | SMF_RELEASE_PENDING_P2
+	, P(ID) | P(HASH), P(VID) | P(CR), PT(NONE)
+	, EVENT_SA_REPLACE, main_inI3_outR3 },
+
+	{ STATE_MAIN_R2, STATE_MAIN_R3
+	, SMF_DS_AUTH | SMF_FIRST_ENCRYPTED_INPUT | SMF_ENCRYPTED
+	  | SMF_REPLY | SMF_RELEASE_PENDING_P2
+	, P(ID) | P(SIG), P(VID) | P(CR) | P(CERT), PT(NONE)
+	, EVENT_SA_REPLACE, main_inI3_outR3 },
+
+	{ STATE_MAIN_R2, STATE_UNDEFINED
+	, SMF_PKE_AUTH | SMF_RPKE_AUTH | SMF_FIRST_ENCRYPTED_INPUT | SMF_ENCRYPTED
+	  | SMF_REPLY | SMF_RELEASE_PENDING_P2
+	, P(HASH), P(VID) | P(CR), PT(NONE)
+	, EVENT_SA_REPLACE, unexpected /* ??? not yet implemented */ },
+
+	/* STATE_MAIN_I3: R3 --> done
+	 * SMF_PSK_AUTH: HDR*, IDr1, HASH_R --> done
+	 * SMF_DS_AUTH: HDR*, IDr1, [ CERT, ] SIG_R --> done
+	 * SMF_PKE_AUTH, SMF_RPKE_AUTH: HDR*, HASH_R --> done
+	 * May initiate quick mode by calling quick_outI1
+	 */
+	{ STATE_MAIN_I3, STATE_MAIN_I4
+	, SMF_PSK_AUTH | SMF_INITIATOR
+	  | SMF_FIRST_ENCRYPTED_INPUT | SMF_ENCRYPTED | SMF_RELEASE_PENDING_P2
+	, P(ID) | P(HASH), P(VID) | P(CR), PT(NONE)
+	, EVENT_SA_REPLACE, main_inR3 },
+
+	{ STATE_MAIN_I3, STATE_MAIN_I4
+	, SMF_DS_AUTH | SMF_INITIATOR
+	  | SMF_FIRST_ENCRYPTED_INPUT | SMF_ENCRYPTED | SMF_RELEASE_PENDING_P2
+	, P(ID) | P(SIG), P(VID) | P(CR) | P(CERT), PT(NONE)
+	, EVENT_SA_REPLACE, main_inR3 },
+
+	{ STATE_MAIN_I3, STATE_UNDEFINED
+	, SMF_PKE_AUTH | SMF_RPKE_AUTH | SMF_INITIATOR
+	  | SMF_FIRST_ENCRYPTED_INPUT | SMF_ENCRYPTED | SMF_RELEASE_PENDING_P2
+	, P(HASH), P(VID) | P(CR), PT(NONE)
+	, EVENT_SA_REPLACE, unexpected /* ??? not yet implemented */ },
+
+	/* STATE_MAIN_R3: can only get here due to packet loss */
+	{ STATE_MAIN_R3, STATE_UNDEFINED
+	, SMF_ALL_AUTH | SMF_ENCRYPTED | SMF_RETRANSMIT_ON_DUPLICATE
+	, LEMPTY, LEMPTY
+	, PT(NONE), EVENT_NULL, unexpected },
+
+	/* STATE_MAIN_I4: can only get here due to packet loss */
+	{ STATE_MAIN_I4, STATE_UNDEFINED
+	, SMF_ALL_AUTH | SMF_INITIATOR | SMF_ENCRYPTED
+	, LEMPTY, LEMPTY
+	, PT(NONE), EVENT_NULL, unexpected },
+
+
+	/***** Phase 2 Quick Mode *****/
+
+	/* No state for quick_outI1:
+	 * --> HDR*, HASH(1), SA, Nr [, KE ] [, IDci, IDcr ]
+	 */
+
+	/* STATE_QUICK_R0:
+	 * HDR*, HASH(1), SA, Ni [, KE ] [, IDci, IDcr ] -->
+	 * HDR*, HASH(2), SA, Nr [, KE ] [, IDci, IDcr ]
+	 * Installs inbound IPsec SAs.
+	 * Because it may suspend for asynchronous DNS, first_out_payload
+	 * is set to NONE to suppress early emission of HDR*.
+	 * ??? it is legal to have multiple SAs, but we don't support it yet.
+	 */
+	{ STATE_QUICK_R0, STATE_QUICK_R1
+	, SMF_ALL_AUTH | SMF_ENCRYPTED | SMF_REPLY
+	, P(HASH) | P(SA) | P(NONCE), /* P(SA) | */ P(KE) | P(ID) | P(NATOA_RFC), PT(NONE)
+	, EVENT_RETRANSMIT, quick_inI1_outR1 },
+
+	/* STATE_QUICK_I1:
+	 * HDR*, HASH(2), SA, Nr [, KE ] [, IDci, IDcr ] -->
+	 * HDR*, HASH(3)
+	 * Installs inbound and outbound IPsec SAs, routing, etc.
+	 * ??? it is legal to have multiple SAs, but we don't support it yet.
+	 */
+	{ STATE_QUICK_I1, STATE_QUICK_I2
+	, SMF_ALL_AUTH | SMF_INITIATOR | SMF_ENCRYPTED | SMF_REPLY
+	, P(HASH) | P(SA) | P(NONCE), /* P(SA) | */ P(KE) | P(ID) | P(NATOA_RFC), PT(HASH)
+	, EVENT_SA_REPLACE, quick_inR1_outI2 },
+
+	/* STATE_QUICK_R1: HDR*, HASH(3) --> done
+	 * Installs outbound IPsec SAs, routing, etc.
+	 */
+	{ STATE_QUICK_R1, STATE_QUICK_R2
+	, SMF_ALL_AUTH | SMF_ENCRYPTED
+	, P(HASH), LEMPTY, PT(NONE)
+	, EVENT_SA_REPLACE, quick_inI2 },
+
+	/* STATE_QUICK_I2: can only happen due to lost packet */
+	{ STATE_QUICK_I2, STATE_UNDEFINED
+	, SMF_ALL_AUTH | SMF_INITIATOR | SMF_ENCRYPTED | SMF_RETRANSMIT_ON_DUPLICATE
+	, LEMPTY, LEMPTY, PT(NONE)
+	, EVENT_NULL, unexpected },
+
+	/* STATE_QUICK_R2: can only happen due to lost packet */
+	{ STATE_QUICK_R2, STATE_UNDEFINED
+	, SMF_ALL_AUTH | SMF_ENCRYPTED
+	, LEMPTY, LEMPTY, PT(NONE)
+	, EVENT_NULL, unexpected },
+
+
+	/***** informational messages *****/
+
+	/* STATE_INFO: */
+	{ STATE_INFO, STATE_UNDEFINED
+	, SMF_ALL_AUTH
+	, LEMPTY, LEMPTY, PT(NONE)
+	, EVENT_NULL, informational },
+
+	/* STATE_INFO_PROTECTED: */
+	{ STATE_INFO_PROTECTED, STATE_UNDEFINED
+	, SMF_ALL_AUTH | SMF_ENCRYPTED
+	, P(HASH), LEMPTY, PT(NONE)
+	, EVENT_NULL, informational },
+
+	/* XAUTH state transitions */
+	{ STATE_XAUTH_I0, STATE_XAUTH_I1
+	, SMF_ALL_AUTH | SMF_ENCRYPTED | SMF_REPLY
+	, P(ATTR) | P(HASH), P(VID), PT(HASH)
+	, EVENT_RETRANSMIT, xauth_inI0 },
+
+	{ STATE_XAUTH_R1, STATE_XAUTH_R2
+	, SMF_ALL_AUTH | SMF_ENCRYPTED
+	, P(ATTR) | P(HASH), P(VID), PT(HASH)
+	, EVENT_RETRANSMIT, xauth_inR1 },
+
+	{ STATE_XAUTH_I1, STATE_XAUTH_I2
+	, SMF_ALL_AUTH | SMF_ENCRYPTED | SMF_REPLY | SMF_RELEASE_PENDING_P2
+	, P(ATTR) | P(HASH), P(VID), PT(HASH)
+	, EVENT_SA_REPLACE, xauth_inI1 },
+
+	{ STATE_XAUTH_R2, STATE_XAUTH_R3
+	, SMF_ALL_AUTH | SMF_ENCRYPTED | SMF_RELEASE_PENDING_P2
+	, P(ATTR) | P(HASH), P(VID), PT(NONE)
+	, EVENT_SA_REPLACE, xauth_inR2 },
+
+	{ STATE_XAUTH_I2, STATE_UNDEFINED
+	, SMF_ALL_AUTH | SMF_ENCRYPTED
+	, LEMPTY, LEMPTY, PT(NONE)
+	, EVENT_NULL, unexpected },
+
+	{ STATE_XAUTH_R3, STATE_UNDEFINED
+	, SMF_ALL_AUTH | SMF_ENCRYPTED
+	, LEMPTY, LEMPTY, PT(NONE)
+	, EVENT_NULL, unexpected },
+
+	/* ModeCfg pull mode state transitions */
+
+	{ STATE_MODE_CFG_R0, STATE_MODE_CFG_R1
+	, SMF_ALL_AUTH | SMF_ENCRYPTED | SMF_REPLY | SMF_RELEASE_PENDING_P2
+	, P(ATTR) | P(HASH), P(VID), PT(HASH)
+	, EVENT_SA_REPLACE, modecfg_inR0 },
+
+	{ STATE_MODE_CFG_I1, STATE_MODE_CFG_I2
+	, SMF_ALL_AUTH | SMF_ENCRYPTED | SMF_RELEASE_PENDING_P2
+	, P(ATTR) | P(HASH), P(VID), PT(HASH)
+	, EVENT_SA_REPLACE, modecfg_inI1 },
+
+	{ STATE_MODE_CFG_R1, STATE_UNDEFINED
+	, SMF_ALL_AUTH | SMF_ENCRYPTED
+	, LEMPTY, LEMPTY, PT(NONE)
+	, EVENT_NULL, unexpected },
+
+	{ STATE_MODE_CFG_I2, STATE_UNDEFINED
+	, SMF_ALL_AUTH | SMF_ENCRYPTED
+	, LEMPTY, LEMPTY, PT(NONE)
+	, EVENT_NULL, unexpected },
 
    /* ModeCfg push mode state transitions */
 
-    { STATE_MODE_CFG_I0, STATE_MODE_CFG_I3
-    , SMF_ALL_AUTH | SMF_ENCRYPTED | SMF_REPLY | SMF_RELEASE_PENDING_P2
-    , P(ATTR) | P(HASH), P(VID), PT(HASH)
-    , EVENT_SA_REPLACE, modecfg_inI0 },
+	{ STATE_MODE_CFG_I0, STATE_MODE_CFG_I3
+	, SMF_ALL_AUTH | SMF_ENCRYPTED | SMF_REPLY | SMF_RELEASE_PENDING_P2
+	, P(ATTR) | P(HASH), P(VID), PT(HASH)
+	, EVENT_SA_REPLACE, modecfg_inI0 },
 
-    { STATE_MODE_CFG_R3, STATE_MODE_CFG_R4
-    , SMF_ALL_AUTH | SMF_ENCRYPTED | SMF_RELEASE_PENDING_P2
-    , P(ATTR) | P(HASH), P(VID), PT(HASH)
-    , EVENT_SA_REPLACE, modecfg_inR3 },
+	{ STATE_MODE_CFG_R3, STATE_MODE_CFG_R4
+	, SMF_ALL_AUTH | SMF_ENCRYPTED | SMF_RELEASE_PENDING_P2
+	, P(ATTR) | P(HASH), P(VID), PT(HASH)
+	, EVENT_SA_REPLACE, modecfg_inR3 },
 
-    { STATE_MODE_CFG_I3, STATE_UNDEFINED
-    , SMF_ALL_AUTH | SMF_ENCRYPTED
-    , LEMPTY, LEMPTY, PT(NONE)
-    , EVENT_NULL, unexpected },
+	{ STATE_MODE_CFG_I3, STATE_UNDEFINED
+	, SMF_ALL_AUTH | SMF_ENCRYPTED
+	, LEMPTY, LEMPTY, PT(NONE)
+	, EVENT_NULL, unexpected },
 
-    { STATE_MODE_CFG_R4, STATE_UNDEFINED
-    , SMF_ALL_AUTH | SMF_ENCRYPTED
-    , LEMPTY, LEMPTY, PT(NONE)
-    , EVENT_NULL, unexpected },
+	{ STATE_MODE_CFG_R4, STATE_UNDEFINED
+	, SMF_ALL_AUTH | SMF_ENCRYPTED
+	, LEMPTY, LEMPTY, PT(NONE)
+	, EVENT_NULL, unexpected },
 
 #undef P
 #undef PT
@@ -518,23 +516,23 @@ static const struct state_microcode state_microcode_table[] = {
 void
 init_demux(void)
 {
-    /* fill ike_microcode_index:
-     * make ike_microcode_index[s] point to first entry in
-     * state_microcode_table for state s (backward scan makes this easier).
-     * Check that table is in order -- catch coding errors.
-     * For what it's worth, this routine is idempotent.
-     */
-    const struct state_microcode *t;
-
-    for (t = &state_microcode_table[elemsof(state_microcode_table) - 1];;)
-    {
-	passert(STATE_IKE_FLOOR <= t->state && t->state < STATE_IKE_ROOF);
-	ike_microcode_index[t->state - STATE_IKE_FLOOR] = t;
-	if (t == state_microcode_table)
-	    break;
-	t--;
-	passert(t[0].state <= t[1].state);
-    }
+	/* fill ike_microcode_index:
+	 * make ike_microcode_index[s] point to first entry in
+	 * state_microcode_table for state s (backward scan makes this easier).
+	 * Check that table is in order -- catch coding errors.
+	 * For what it's worth, this routine is idempotent.
+	 */
+	const struct state_microcode *t;
+
+	for (t = &state_microcode_table[countof(state_microcode_table) - 1];;)
+	{
+		passert(STATE_IKE_FLOOR <= t->state && t->state < STATE_IKE_ROOF);
+		ike_microcode_index[t->state - STATE_IKE_FLOOR] = t;
+		if (t == state_microcode_table)
+			break;
+		t--;
+		passert(t[0].state <= t[1].state);
+	}
 }
 
 /* Process any message on the MSG_ERRQUEUE
@@ -586,357 +584,357 @@ init_demux(void)
 static bool
 check_msg_errqueue(const struct iface *ifp, short interest)
 {
-    struct pollfd pfd;
+	struct pollfd pfd;
 
-    pfd.fd = ifp->fd;
-    pfd.events = interest | POLLPRI | POLLOUT;
+	pfd.fd = ifp->fd;
+	pfd.events = interest | POLLPRI | POLLOUT;
 
-    while (pfd.revents = 0
-    , poll(&pfd, 1, -1) > 0 && (pfd.revents & POLLERR))
-    {
-	u_int8_t buffer[3000];	/* hope that this is big enough */
-	union
+	while (pfd.revents = 0
+	, poll(&pfd, 1, -1) > 0 && (pfd.revents & POLLERR))
 	{
-	    struct sockaddr sa;
-	    struct sockaddr_in sa_in4;
-	    struct sockaddr_in6 sa_in6;
-	} from;
-
-	int from_len = sizeof(from);
-
-	int packet_len;
-
-	struct msghdr emh;
-	struct iovec eiov;
-	union {
-	    /* force alignment (not documented as necessary) */
-	    struct cmsghdr ecms;
+		u_int8_t buffer[3000];  /* hope that this is big enough */
+		union
+		{
+			struct sockaddr sa;
+			struct sockaddr_in sa_in4;
+			struct sockaddr_in6 sa_in6;
+		} from;
 
-	    /* how much space is enough? */
-	    unsigned char space[256];
-	} ecms_buf;
+		int from_len = sizeof(from);
 
-	struct cmsghdr *cm;
-	char fromstr[sizeof(" for message to  port 65536") + INET6_ADDRSTRLEN];
-	struct state *sender = NULL;
+		int packet_len;
 
-	zero(&from.sa);
-	from_len = sizeof(from);
+		struct msghdr emh;
+		struct iovec eiov;
+		union {
+			/* force alignment (not documented as necessary) */
+			struct cmsghdr ecms;
 
-	emh.msg_name = &from.sa;	/* ??? filled in? */
-	emh.msg_namelen = sizeof(from);
-	emh.msg_iov = &eiov;
-	emh.msg_iovlen = 1;
-	emh.msg_control = &ecms_buf;
-	emh.msg_controllen = sizeof(ecms_buf);
-	emh.msg_flags = 0;
+			/* how much space is enough? */
+			unsigned char space[256];
+		} ecms_buf;
 
-	eiov.iov_base = buffer;	/* see readv(2) */
-	eiov.iov_len = sizeof(buffer);
+		struct cmsghdr *cm;
+		char fromstr[sizeof(" for message to  port 65536") + INET6_ADDRSTRLEN];
+		struct state *sender = NULL;
 
-	packet_len = recvmsg(ifp->fd, &emh, MSG_ERRQUEUE);
+		zero(&from.sa);
+		from_len = sizeof(from);
 
-	if (packet_len == -1)
-	{
-	    log_errno((e, "recvmsg(,, MSG_ERRQUEUE) on %s failed in comm_handle"
-		, ifp->rname));
-	    break;
-	}
-	else if (packet_len == sizeof(buffer))
-	{
-	    plog("MSG_ERRQUEUE message longer than %lu bytes; truncated"
-		, (unsigned long) sizeof(buffer));
-	}
-	else
-	{
-	    sender = find_sender((size_t) packet_len, buffer);
-	}
+		emh.msg_name = &from.sa;        /* ??? filled in? */
+		emh.msg_namelen = sizeof(from);
+		emh.msg_iov = &eiov;
+		emh.msg_iovlen = 1;
+		emh.msg_control = &ecms_buf;
+		emh.msg_controllen = sizeof(ecms_buf);
+		emh.msg_flags = 0;
 
-	DBG_cond_dump(DBG_ALL, "rejected packet:\n", buffer, packet_len);
-	DBG_cond_dump(DBG_ALL, "control:\n", emh.msg_control, emh.msg_controllen);
-	/* ??? Andi Kleen <ak@suse.de> and misc documentation
-	 * suggests that name will have the original destination
-	 * of the packet.  We seem to see msg_namelen == 0.
-	 * Andi says that this is a kernel bug and has fixed it.
-	 * Perhaps in 2.2.18/2.4.0.
-	 */
-	passert(emh.msg_name == &from.sa);
-	DBG_cond_dump(DBG_ALL, "name:\n", emh.msg_name
-	    , emh.msg_namelen);
+		eiov.iov_base = buffer; /* see readv(2) */
+		eiov.iov_len = sizeof(buffer);
 
-	fromstr[0] = '\0';	/* usual case :-( */
-	switch (from.sa.sa_family)
-	{
-	char as[INET6_ADDRSTRLEN];
-
-	case AF_INET:
-	    if (emh.msg_namelen == sizeof(struct sockaddr_in))
-		snprintf(fromstr, sizeof(fromstr)
-		, " for message to %s port %u"
-		    , inet_ntop(from.sa.sa_family
-		    , &from.sa_in4.sin_addr, as, sizeof(as))
-		    , ntohs(from.sa_in4.sin_port));
-	    break;
-	case AF_INET6:
-	    if (emh.msg_namelen == sizeof(struct sockaddr_in6))
-		snprintf(fromstr, sizeof(fromstr)
-		    , " for message to %s port %u"
-		    , inet_ntop(from.sa.sa_family
-		    , &from.sa_in6.sin6_addr, as, sizeof(as))
-		    , ntohs(from.sa_in6.sin6_port));
-	    break;
-	}
+		packet_len = recvmsg(ifp->fd, &emh, MSG_ERRQUEUE);
 
-	for (cm = CMSG_FIRSTHDR(&emh)
-	; cm != NULL
-	; cm = CMSG_NXTHDR(&emh,cm))
-	{
-	    if (cm->cmsg_level == SOL_IP
-	    && cm->cmsg_type == IP_RECVERR)
-	    {
-		/* ip(7) and recvmsg(2) specify:
-		 * ee_origin is SO_EE_ORIGIN_ICMP for ICMP
-		 *  or SO_EE_ORIGIN_LOCAL for locally generated errors.
-		 * ee_type and ee_code are from the ICMP header.
-		 * ee_info is the discovered MTU for EMSGSIZE errors
-		 * ee_data is not used.
-		 *
-		 * ??? recvmsg(2) says "SOCK_EE_OFFENDER" but
-		 * means "SO_EE_OFFENDER".  The OFFENDER is really
-		 * the router that complained.  As such, the port
-		 * is meaningless.
-		 */
+		if (packet_len == -1)
+		{
+			log_errno((e, "recvmsg(,, MSG_ERRQUEUE) on %s failed in comm_handle"
+				, ifp->rname));
+			break;
+		}
+		else if (packet_len == sizeof(buffer))
+		{
+			plog("MSG_ERRQUEUE message longer than %lu bytes; truncated"
+				, (unsigned long) sizeof(buffer));
+		}
+		else
+		{
+			sender = find_sender((size_t) packet_len, buffer);
+		}
 
-		/* ??? cmsg(3) claims that CMSG_DATA returns
-		 * void *, but RFC 2292 and /usr/include/bits/socket.h
-		 * say unsigned char *.  The manual is being fixed.
+		DBG_cond_dump(DBG_ALL, "rejected packet:\n", buffer, packet_len);
+		DBG_cond_dump(DBG_ALL, "control:\n", emh.msg_control, emh.msg_controllen);
+		/* ??? Andi Kleen <ak@suse.de> and misc documentation
+		 * suggests that name will have the original destination
+		 * of the packet.  We seem to see msg_namelen == 0.
+		 * Andi says that this is a kernel bug and has fixed it.
+		 * Perhaps in 2.2.18/2.4.0.
 		 */
-		struct sock_extended_err *ee = (void *)CMSG_DATA(cm);
-		const char *offstr = "unspecified";
-		char offstrspace[INET6_ADDRSTRLEN];
-		char orname[50];
+		passert(emh.msg_name == &from.sa);
+		DBG_cond_dump(DBG_ALL, "name:\n", emh.msg_name
+			, emh.msg_namelen);
 
-		if (cm->cmsg_len > CMSG_LEN(sizeof(struct sock_extended_err)))
+		fromstr[0] = '\0';      /* usual case :-( */
+		switch (from.sa.sa_family)
 		{
-		    const struct sockaddr *offender = SO_EE_OFFENDER(ee);
-
-		    switch (offender->sa_family)
-		    {
-		    case AF_INET:
-			offstr = inet_ntop(offender->sa_family
-			    , &((const struct sockaddr_in *)offender)->sin_addr
-			    , offstrspace, sizeof(offstrspace));
+		char as[INET6_ADDRSTRLEN];
+
+		case AF_INET:
+			if (emh.msg_namelen == sizeof(struct sockaddr_in))
+				snprintf(fromstr, sizeof(fromstr)
+				, " for message to %s port %u"
+					, inet_ntop(from.sa.sa_family
+					, &from.sa_in4.sin_addr, as, sizeof(as))
+					, ntohs(from.sa_in4.sin_port));
 			break;
-		    case AF_INET6:
-			offstr = inet_ntop(offender->sa_family
-			    , &((const struct sockaddr_in6 *)offender)->sin6_addr
-			    , offstrspace, sizeof(offstrspace));
+		case AF_INET6:
+			if (emh.msg_namelen == sizeof(struct sockaddr_in6))
+				snprintf(fromstr, sizeof(fromstr)
+					, " for message to %s port %u"
+					, inet_ntop(from.sa.sa_family
+					, &from.sa_in6.sin6_addr, as, sizeof(as))
+					, ntohs(from.sa_in6.sin6_port));
 			break;
-		    default:
-			offstr = "unknown";
-			break;
-		    }
-		}
-
-		switch (ee->ee_origin)
-		{
-		case SO_EE_ORIGIN_NONE:
-		    snprintf(orname, sizeof(orname), "none");
-		    break;
-		case SO_EE_ORIGIN_LOCAL:
-		    snprintf(orname, sizeof(orname), "local");
-		    break;
-		case SO_EE_ORIGIN_ICMP:
-		    snprintf(orname, sizeof(orname)
-			, "ICMP type %d code %d (not authenticated)"
-			, ee->ee_type, ee->ee_code
-			);
-		    break;
-		case SO_EE_ORIGIN_ICMP6:
-		    snprintf(orname, sizeof(orname)
-			, "ICMP6 type %d code %d (not authenticated)"
-			, ee->ee_type, ee->ee_code
-			);
-		    break;
-		default:
-		    snprintf(orname, sizeof(orname), "invalid origin %lu"
-			, (unsigned long) ee->ee_origin);
-		    break;
 		}
 
+		for (cm = CMSG_FIRSTHDR(&emh)
+		; cm != NULL
+		; cm = CMSG_NXTHDR(&emh,cm))
 		{
-		    struct state *old_state = cur_state;
-
-		    cur_state = sender;
-
-		    /* note dirty trick to suppress ~ at start of format
-		     * if we know what state to blame.
-		     */
-		    if ((packet_len == 1) && (buffer[0] = 0xff)
+			if (cm->cmsg_level == SOL_IP
+			&& cm->cmsg_type == IP_RECVERR)
+			{
+				/* ip(7) and recvmsg(2) specify:
+				 * ee_origin is SO_EE_ORIGIN_ICMP for ICMP
+				 *  or SO_EE_ORIGIN_LOCAL for locally generated errors.
+				 * ee_type and ee_code are from the ICMP header.
+				 * ee_info is the discovered MTU for EMSGSIZE errors
+				 * ee_data is not used.
+				 *
+				 * ??? recvmsg(2) says "SOCK_EE_OFFENDER" but
+				 * means "SO_EE_OFFENDER".  The OFFENDER is really
+				 * the router that complained.  As such, the port
+				 * is meaningless.
+				 */
+
+				/* ??? cmsg(3) claims that CMSG_DATA returns
+				 * void *, but RFC 2292 and /usr/include/bits/socket.h
+				 * say unsigned char *.  The manual is being fixed.
+				 */
+				struct sock_extended_err *ee = (void *)CMSG_DATA(cm);
+				const char *offstr = "unspecified";
+				char offstrspace[INET6_ADDRSTRLEN];
+				char orname[50];
+
+				if (cm->cmsg_len > CMSG_LEN(sizeof(struct sock_extended_err)))
+				{
+					const struct sockaddr *offender = SO_EE_OFFENDER(ee);
+
+					switch (offender->sa_family)
+					{
+					case AF_INET:
+						offstr = inet_ntop(offender->sa_family
+							, &((const struct sockaddr_in *)offender)->sin_addr
+							, offstrspace, sizeof(offstrspace));
+						break;
+					case AF_INET6:
+						offstr = inet_ntop(offender->sa_family
+							, &((const struct sockaddr_in6 *)offender)->sin6_addr
+							, offstrspace, sizeof(offstrspace));
+						break;
+					default:
+						offstr = "unknown";
+						break;
+					}
+				}
+
+				switch (ee->ee_origin)
+				{
+				case SO_EE_ORIGIN_NONE:
+					snprintf(orname, sizeof(orname), "none");
+					break;
+				case SO_EE_ORIGIN_LOCAL:
+					snprintf(orname, sizeof(orname), "local");
+					break;
+				case SO_EE_ORIGIN_ICMP:
+					snprintf(orname, sizeof(orname)
+						, "ICMP type %d code %d (not authenticated)"
+						, ee->ee_type, ee->ee_code
+						);
+					break;
+				case SO_EE_ORIGIN_ICMP6:
+					snprintf(orname, sizeof(orname)
+						, "ICMP6 type %d code %d (not authenticated)"
+						, ee->ee_type, ee->ee_code
+						);
+					break;
+				default:
+					snprintf(orname, sizeof(orname), "invalid origin %lu"
+						, (unsigned long) ee->ee_origin);
+					break;
+				}
+
+				{
+					struct state *old_state = cur_state;
+
+					cur_state = sender;
+
+					/* note dirty trick to suppress ~ at start of format
+					 * if we know what state to blame.
+					 */
+					if ((packet_len == 1) && (buffer[0] = 0xff)
 #ifdef DEBUG
-			&& ((cur_debugging & DBG_NATT) == 0)
+						&& ((cur_debugging & DBG_NATT) == 0)
 #endif
-			) {
-			    /* don't log NAT-T keepalive related errors unless NATT debug is
-			     * enabled
-			     */
-		    }
-		    else
-		    plog((sender != NULL) + "~"
-			"ERROR: asynchronous network error report on %s"
-			"%s"
-			", complainant %s"
-			": %s"
-			" [errno %lu, origin %s"
-			/* ", pad %d, info %ld" */
-			/* ", data %ld" */
-			"]"
-			, ifp->rname
-			, fromstr
-			, offstr
-			, strerror(ee->ee_errno)
-			, (unsigned long) ee->ee_errno
-			, orname
-			/* , ee->ee_pad, (unsigned long)ee->ee_info */
-			/* , (unsigned long)ee->ee_data */
-			);
-		    cur_state = old_state;
+						) {
+							/* don't log NAT-T keepalive related errors unless NATT debug is
+							 * enabled
+							 */
+					}
+					else
+					plog((sender != NULL) + "~"
+						"ERROR: asynchronous network error report on %s"
+						"%s"
+						", complainant %s"
+						": %s"
+						" [errno %lu, origin %s"
+						/* ", pad %d, info %ld" */
+						/* ", data %ld" */
+						"]"
+						, ifp->rname
+						, fromstr
+						, offstr
+						, strerror(ee->ee_errno)
+						, (unsigned long) ee->ee_errno
+						, orname
+						/* , ee->ee_pad, (unsigned long)ee->ee_info */
+						/* , (unsigned long)ee->ee_data */
+						);
+					cur_state = old_state;
+				}
+			}
+			else
+			{
+				/* .cmsg_len is a kernel_size_t(!), but the value
+				 * certainly ought to fit in an unsigned long.
+				 */
+				plog("unknown cmsg: level %d, type %d, len %lu"
+					, cm->cmsg_level, cm->cmsg_type
+					, (unsigned long) cm->cmsg_len);
+			}
 		}
-	    }
-	    else
-	    {
-		/* .cmsg_len is a kernel_size_t(!), but the value
-		 * certainly ought to fit in an unsigned long.
-		 */
-		plog("unknown cmsg: level %d, type %d, len %lu"
-		    , cm->cmsg_level, cm->cmsg_type
-		    , (unsigned long) cm->cmsg_len);
-	    }
 	}
-    }
-    return (pfd.revents & interest) != 0;
+	return (pfd.revents & interest) != 0;
 }
 #endif /* defined(IP_RECVERR) && defined(MSG_ERRQUEUE) */
 
 bool
 send_packet(struct state *st, const char *where)
 {
-    struct connection *c = st->st_connection;
-    int port_buf;
-    bool err;
-    u_int8_t ike_pkt[MAX_OUTPUT_UDP_SIZE];
-    u_int8_t *ptr;
-    unsigned long len;
-
-    if (c->interface->ike_float && st->st_tpacket.len != 1)
-    {
-	if ((unsigned long) st->st_tpacket.len > (MAX_OUTPUT_UDP_SIZE-sizeof(u_int32_t)))
+	struct connection *c = st->st_connection;
+	int port_buf;
+	bool err;
+	u_int8_t ike_pkt[MAX_OUTPUT_UDP_SIZE];
+	u_int8_t *ptr;
+	unsigned long len;
+
+	if (c->interface->ike_float && st->st_tpacket.len != 1)
 	{
-	    DBG_log("send_packet(): really too big");
-	    return FALSE;
+		if ((unsigned long) st->st_tpacket.len > (MAX_OUTPUT_UDP_SIZE-sizeof(u_int32_t)))
+		{
+			DBG_log("send_packet(): really too big");
+			return FALSE;
+		}
+		ptr = ike_pkt;
+		/** Add Non-ESP marker **/
+		memset(ike_pkt, 0, sizeof(u_int32_t));
+		memcpy(ike_pkt + sizeof(u_int32_t), st->st_tpacket.ptr,
+			(unsigned long)st->st_tpacket.len);
+		len = (unsigned long) st->st_tpacket.len + sizeof(u_int32_t);
 	}
-	ptr = ike_pkt;
-	/** Add Non-ESP marker **/
-	memset(ike_pkt, 0, sizeof(u_int32_t));
-	memcpy(ike_pkt + sizeof(u_int32_t), st->st_tpacket.ptr,
-	    (unsigned long)st->st_tpacket.len);
-	len = (unsigned long) st->st_tpacket.len + sizeof(u_int32_t);
-    }
-    else
-    {
-	ptr = st->st_tpacket.ptr;
-	len = (unsigned long) st->st_tpacket.len;
-    }
-
-    DBG(DBG_RAW,
+	else
 	{
-	    DBG_log("sending %lu bytes for %s through %s to %s:%u:"
-		, (unsigned long) st->st_tpacket.len
-		, where
-		, c->interface->rname
- 		, ip_str(&c->spd.that.host_addr)
-		, (unsigned)c->spd.that.host_port);
-	    DBG_dump_chunk(NULL, st->st_tpacket);
-	});
-
-    /* XXX: Not very clean.  We manipulate the port of the ip_address to
-     * have a port in the sockaddr*, but we retain the original port
-     * and restore it afterwards.
-     */
-
-    port_buf = portof(&c->spd.that.host_addr);
-    setportof(htons(c->spd.that.host_port), &c->spd.that.host_addr);
+		ptr = st->st_tpacket.ptr;
+		len = (unsigned long) st->st_tpacket.len;
+	}
+
+	DBG(DBG_RAW,
+		{
+			DBG_log("sending %lu bytes for %s through %s to %s:%u:"
+				, (unsigned long) st->st_tpacket.len
+				, where
+				, c->interface->rname
+				, ip_str(&c->spd.that.host_addr)
+				, (unsigned)c->spd.that.host_port);
+			DBG_dump_chunk(NULL, st->st_tpacket);
+		});
+
+	/* XXX: Not very clean.  We manipulate the port of the ip_address to
+	 * have a port in the sockaddr*, but we retain the original port
+	 * and restore it afterwards.
+	 */
+
+	port_buf = portof(&c->spd.that.host_addr);
+	setportof(htons(c->spd.that.host_port), &c->spd.that.host_addr);
 
 #if defined(IP_RECVERR) && defined(MSG_ERRQUEUE)
-    (void) check_msg_errqueue(c->interface, POLLOUT);
+	(void) check_msg_errqueue(c->interface, POLLOUT);
 #endif /* defined(IP_RECVERR) && defined(MSG_ERRQUEUE) */
 
-    err = sendto(c->interface->fd
-    	, ptr, len, 0
-    	, sockaddrof(&c->spd.that.host_addr)
-    	, sockaddrlenof(&c->spd.that.host_addr)) != (ssize_t)len;
-
-    /* restore port */
-    setportof(port_buf, &c->spd.that.host_addr);
-
-    if (err)
-    {
-       /* do not log NAT-T Keep Alive packets */
-        if (streq(where, "NAT-T Keep Alive"))
- 	    return FALSE;
-	log_errno((e, "sendto on %s to %s:%u failed in %s"
-	    , c->interface->rname
-	    , ip_str(&c->spd.that.host_addr)
-	    , (unsigned)c->spd.that.host_port
-	    , where));
-	return FALSE;
-    }
-    else
-    {
-	return TRUE;
-    }
+	err = sendto(c->interface->fd
+		, ptr, len, 0
+		, sockaddrof(&c->spd.that.host_addr)
+		, sockaddrlenof(&c->spd.that.host_addr)) != (ssize_t)len;
+
+	/* restore port */
+	setportof(port_buf, &c->spd.that.host_addr);
+
+	if (err)
+	{
+	   /* do not log NAT-T Keep Alive packets */
+		if (streq(where, "NAT-T Keep Alive"))
+			return FALSE;
+		log_errno((e, "sendto on %s to %s:%u failed in %s"
+			, c->interface->rname
+			, ip_str(&c->spd.that.host_addr)
+			, (unsigned)c->spd.that.host_port
+			, where));
+		return FALSE;
+	}
+	else
+	{
+		return TRUE;
+	}
 }
 
 static stf_status
 unexpected(struct msg_digest *md)
 {
-    loglog(RC_LOG_SERIOUS, "unexpected message received in state %s"
-	, enum_name(&state_names, md->st->st_state));
-    return STF_IGNORE;
+	loglog(RC_LOG_SERIOUS, "unexpected message received in state %s"
+		, enum_name(&state_names, md->st->st_state));
+	return STF_IGNORE;
 }
 
 static stf_status
 informational(struct msg_digest *md UNUSED)
 {
-    struct payload_digest *const n_pld = md->chain[ISAKMP_NEXT_N];
-
-    /* If the Notification Payload is not null... */
-    if (n_pld != NULL)
-    {
-        pb_stream *const n_pbs = &n_pld->pbs;
-        struct isakmp_notification *const n = &n_pld->payload.notification;
-        int disp_len;
-        char disp_buf[200];
-
-        /* Switch on Notification Type (enum) */
-        switch (n->isan_type)
-        {
-        case R_U_THERE:
-            return dpd_inI_outR(md->st, n, n_pbs);
-
-        case R_U_THERE_ACK:
-            return dpd_inR(md->st, n, n_pbs);
-        default:
-            if (pbs_left(n_pbs) >= sizeof(disp_buf)-1)
-                disp_len = sizeof(disp_buf)-1;
-            else
-                disp_len = pbs_left(n_pbs);
-            memcpy(disp_buf, n_pbs->cur, disp_len);
-            disp_buf[disp_len] = '\0';
-            break;
-        }
-    }
-    return STF_IGNORE;
+	struct payload_digest *const n_pld = md->chain[ISAKMP_NEXT_N];
+
+	/* If the Notification Payload is not null... */
+	if (n_pld != NULL)
+	{
+		pb_stream *const n_pbs = &n_pld->pbs;
+		struct isakmp_notification *const n = &n_pld->payload.notification;
+		int disp_len;
+		char disp_buf[200];
+
+		/* Switch on Notification Type (enum) */
+		switch (n->isan_type)
+		{
+		case R_U_THERE:
+			return dpd_inI_outR(md->st, n, n_pbs);
+
+		case R_U_THERE_ACK:
+			return dpd_inR(md->st, n, n_pbs);
+		default:
+			if (pbs_left(n_pbs) >= sizeof(disp_buf)-1)
+				disp_len = sizeof(disp_buf)-1;
+			else
+				disp_len = pbs_left(n_pbs);
+			memcpy(disp_buf, n_pbs->cur, disp_len);
+			disp_buf[disp_len] = '\0';
+			break;
+		}
+	}
+	return STF_IGNORE;
 }
 
 /* message digest allocation and deallocation */
@@ -947,54 +945,57 @@ static struct msg_digest *md_pool = NULL;
 void
 free_md_pool(void)
 {
-    for (;;)
-    {
-	struct msg_digest *md = md_pool;
+	for (;;)
+	{
+		struct msg_digest *md = md_pool;
 
-	if (md == NULL)
-	    break;
-	md_pool = md->next;
-	pfree(md);
-    }
+		if (md == NULL)
+			break;
+		md_pool = md->next;
+		free(md);
+	}
 }
 
 static struct msg_digest *
-alloc_md(void)
+malloc_md(void)
 {
-    struct msg_digest *md = md_pool;
-
-    /* convenient initializer:
-     * - all pointers NULL
-     * - .note = NOTHING_WRONG
-     * - .encrypted = FALSE
-     */
-    static const struct msg_digest blank_md;
-
-    if (md == NULL)
-	md = alloc_thing(struct msg_digest, "msg_digest");
-    else
-	md_pool = md->next;
-
-    *md = blank_md;
-    md->digest_roof = md->digest;
-
-    /* note: although there may be multiple msg_digests at once
-     * (due to suspended state transitions), there is a single
-     * global reply_buffer.  It will need to be saved and restored.
-     */
-    init_pbs(&md->reply, reply_buffer, sizeof(reply_buffer), "reply packet");
-
-    return md;
+	struct msg_digest *md = md_pool;
+
+	/* convenient initializer:
+	 * - all pointers NULL
+	 * - .note = NOTHING_WRONG
+	 * - .encrypted = FALSE
+	 */
+	static const struct msg_digest blank_md;
+
+	if (md == NULL)
+	{
+		md = malloc_thing(struct msg_digest);
+		zero(md);
+	}
+	else
+		md_pool = md->next;
+
+	*md = blank_md;
+	md->digest_roof = md->digest;
+
+	/* note: although there may be multiple msg_digests at once
+	 * (due to suspended state transitions), there is a single
+	 * global reply_buffer.  It will need to be saved and restored.
+	 */
+	init_pbs(&md->reply, reply_buffer, sizeof(reply_buffer), "reply packet");
+
+	return md;
 }
 
 void
 release_md(struct msg_digest *md)
 {
-    freeanychunk(md->raw_packet);
-    pfreeany(md->packet_pbs.start);
-    md->packet_pbs.start = NULL;
-    md->next = md_pool;
-    md_pool = md;
+	chunk_free(&md->raw_packet);
+	free(md->packet_pbs.start);
+	md->packet_pbs.start = NULL;
+	md->next = md_pool;
+	md_pool = md;
 }
 
 /* wrapper for read_packet and process_packet
@@ -1013,35 +1014,35 @@ release_md(struct msg_digest *md)
 void
 comm_handle(const struct iface *ifp)
 {
-    static struct msg_digest *md;
+	static struct msg_digest *md;
 
 #if defined(IP_RECVERR) && defined(MSG_ERRQUEUE)
-    /* Even though select(2) says that there is a message,
-     * it might only be a MSG_ERRQUEUE message.  At least
-     * sometimes that leads to a hanging recvfrom.  To avoid
-     * what appears to be a kernel bug, check_msg_errqueue
-     * uses poll(2) and tells us if there is anything for us
-     * to read.
-     *
-     * This is early enough that teardown isn't required:
-     * just return on failure.
-     */
-    if (!check_msg_errqueue(ifp, POLLIN))
-	return;	/* no normal message to read */
+	/* Even though select(2) says that there is a message,
+	 * it might only be a MSG_ERRQUEUE message.  At least
+	 * sometimes that leads to a hanging recvfrom.  To avoid
+	 * what appears to be a kernel bug, check_msg_errqueue
+	 * uses poll(2) and tells us if there is anything for us
+	 * to read.
+	 *
+	 * This is early enough that teardown isn't required:
+	 * just return on failure.
+	 */
+	if (!check_msg_errqueue(ifp, POLLIN))
+		return; /* no normal message to read */
 #endif /* defined(IP_RECVERR) && defined(MSG_ERRQUEUE) */
 
-    md = alloc_md();
-    md->iface = ifp;
+	md = malloc_md();
+	md->iface = ifp;
 
-    if (read_packet(md))
-	process_packet(&md);
+	if (read_packet(md))
+		process_packet(&md);
 
-    if (md != NULL)
-	release_md(md);
+	if (md != NULL)
+		release_md(md);
 
-    cur_state = NULL;
-    reset_cur_connection();
-    cur_from = NULL;
+	cur_state = NULL;
+	reset_cur_connection();
+	cur_from = NULL;
 }
 
 /* read the message.
@@ -1052,177 +1053,177 @@ comm_handle(const struct iface *ifp)
 static bool
 read_packet(struct msg_digest *md)
 {
-    const struct iface *ifp = md->iface;
-    int packet_len;
-    u_int8_t *buffer;
-    u_int8_t *buffer_nat;
-    union
-    {
-	struct sockaddr sa;
-	struct sockaddr_in sa_in4;
-	struct sockaddr_in6 sa_in6;
-    } from;
-    int from_len = sizeof(from);
-    err_t from_ugh = NULL;
-    static const char undisclosed[] = "unknown source";
-
-    happy(anyaddr(addrtypeof(&ifp->addr), &md->sender));
-    zero(&from.sa);
-    ioctl(ifp->fd, FIONREAD, &packet_len);
-    buffer = alloc_bytes(packet_len, "buffer read packet");
-    packet_len = recvfrom(ifp->fd, buffer, packet_len, 0
-	, &from.sa, &from_len);
-
-    /* First: digest the from address.
-     * We presume that nothing here disturbs errno.
-     */
-    if (packet_len == -1
-    && from_len == sizeof(from)
-    && all_zero((const void *)&from.sa, sizeof(from)))
-    {
-	/* "from" is untouched -- not set by recvfrom */
-	from_ugh = undisclosed;
-    }
-    else if (from_len
-    < (int) (offsetof(struct sockaddr, sa_family) + sizeof(from.sa.sa_family)))
-    {
-	from_ugh = "truncated";
-    }
-    else
-    {
-	const struct af_info *afi = aftoinfo(from.sa.sa_family);
-
-	if (afi == NULL)
+	const struct iface *ifp = md->iface;
+	int packet_len;
+	u_int8_t *buffer;
+	u_int8_t *buffer_nat;
+	union
+	{
+		struct sockaddr sa;
+		struct sockaddr_in sa_in4;
+		struct sockaddr_in6 sa_in6;
+	} from;
+	int from_len = sizeof(from);
+	err_t from_ugh = NULL;
+	static const char undisclosed[] = "unknown source";
+
+	happy(anyaddr(addrtypeof(&ifp->addr), &md->sender));
+	zero(&from.sa);
+	ioctl(ifp->fd, FIONREAD, &packet_len);
+	buffer = malloc(packet_len);
+	packet_len = recvfrom(ifp->fd, buffer, packet_len, 0
+		, &from.sa, &from_len);
+
+	/* First: digest the from address.
+	 * We presume that nothing here disturbs errno.
+	 */
+	if (packet_len == -1
+	&& from_len == sizeof(from)
+	&& all_zero((const void *)&from.sa, sizeof(from)))
 	{
-	    from_ugh = "unexpected Address Family";
+		/* "from" is untouched -- not set by recvfrom */
+		from_ugh = undisclosed;
 	}
-	else if (from_len != (int)afi->sa_sz)
+	else if (from_len
+	< (int) (offsetof(struct sockaddr, sa_family) + sizeof(from.sa.sa_family)))
 	{
-	    from_ugh = "wrong length";
+		from_ugh = "truncated";
 	}
 	else
 	{
-	    switch (from.sa.sa_family)
-	    {
-	    case AF_INET:
-		from_ugh = initaddr((void *) &from.sa_in4.sin_addr
-		    , sizeof(from.sa_in4.sin_addr), AF_INET, &md->sender);
-		md->sender_port = ntohs(from.sa_in4.sin_port);
-		break;
-	    case AF_INET6:
-		from_ugh = initaddr((void *) &from.sa_in6.sin6_addr
-		    , sizeof(from.sa_in6.sin6_addr), AF_INET6, &md->sender);
-		md->sender_port = ntohs(from.sa_in6.sin6_port);
-		break;
-	    }
+		const struct af_info *afi = aftoinfo(from.sa.sa_family);
+
+		if (afi == NULL)
+		{
+			from_ugh = "unexpected Address Family";
+		}
+		else if (from_len != (int)afi->sa_sz)
+		{
+			from_ugh = "wrong length";
+		}
+		else
+		{
+			switch (from.sa.sa_family)
+			{
+			case AF_INET:
+				from_ugh = initaddr((void *) &from.sa_in4.sin_addr
+					, sizeof(from.sa_in4.sin_addr), AF_INET, &md->sender);
+				md->sender_port = ntohs(from.sa_in4.sin_port);
+				break;
+			case AF_INET6:
+				from_ugh = initaddr((void *) &from.sa_in6.sin6_addr
+					, sizeof(from.sa_in6.sin6_addr), AF_INET6, &md->sender);
+				md->sender_port = ntohs(from.sa_in6.sin6_port);
+				break;
+			}
+		}
 	}
-    }
 
-    /* now we report any actual I/O error */
-    if (packet_len == -1)
-    {
-	if (from_ugh == undisclosed
-	&& errno == ECONNREFUSED)
+	/* now we report any actual I/O error */
+	if (packet_len == -1)
 	{
-	    /* Tone down scary message for vague event:
-	     * We get "connection refused" in response to some
-	     * datagram we sent, but we cannot tell which one.
-	     */
-	    plog("some IKE message we sent has been rejected with ECONNREFUSED (kernel supplied no details)");
+		if (from_ugh == undisclosed
+		&& errno == ECONNREFUSED)
+		{
+			/* Tone down scary message for vague event:
+			 * We get "connection refused" in response to some
+			 * datagram we sent, but we cannot tell which one.
+			 */
+			plog("some IKE message we sent has been rejected with ECONNREFUSED (kernel supplied no details)");
+		}
+		else if (from_ugh != NULL)
+		{
+			log_errno((e, "recvfrom on %s failed; Pluto cannot decode source sockaddr in rejection: %s"
+				, ifp->rname, from_ugh));
+		}
+		else
+		{
+			log_errno((e, "recvfrom on %s from %s:%u failed"
+				, ifp->rname
+				, ip_str(&md->sender), (unsigned)md->sender_port));
+		}
+
+		return FALSE;
 	}
 	else if (from_ugh != NULL)
 	{
-	    log_errno((e, "recvfrom on %s failed; Pluto cannot decode source sockaddr in rejection: %s"
-		, ifp->rname, from_ugh));
-	}
-	else
-	{
-	    log_errno((e, "recvfrom on %s from %s:%u failed"
-		, ifp->rname
-		, ip_str(&md->sender), (unsigned)md->sender_port));
+		plog("recvfrom on %s returned misformed source sockaddr: %s"
+			, ifp->rname, from_ugh);
+		return FALSE;
 	}
+	cur_from = &md->sender;
+	cur_from_port = md->sender_port;
 
-	return FALSE;
-    }
-    else if (from_ugh != NULL)
-    {
-	plog("recvfrom on %s returned misformed source sockaddr: %s"
-	    , ifp->rname, from_ugh);
-	return FALSE;
-    }
-    cur_from = &md->sender;
-    cur_from_port = md->sender_port;
-
-    if (ifp->ike_float == TRUE)
-    {
-	u_int32_t non_esp;
-
-	if (packet_len < (int)sizeof(u_int32_t))
+	if (ifp->ike_float == TRUE)
 	{
-	    plog("recvfrom %s:%u too small packet (%d)"
-		, ip_str(cur_from), (unsigned) cur_from_port, packet_len);
-	    return FALSE;
-	}
-	memcpy(&non_esp, buffer, sizeof(u_int32_t));
-	if (non_esp != 0)
-	{
-	    plog("recvfrom %s:%u has no Non-ESP marker"
-		, ip_str(cur_from), (unsigned) cur_from_port);
-	    return FALSE;
+		u_int32_t non_esp;
+
+		if (packet_len < (int)sizeof(u_int32_t))
+		{
+			plog("recvfrom %s:%u too small packet (%d)"
+				, ip_str(cur_from), (unsigned) cur_from_port, packet_len);
+			return FALSE;
+		}
+		memcpy(&non_esp, buffer, sizeof(u_int32_t));
+		if (non_esp != 0)
+		{
+			plog("recvfrom %s:%u has no Non-ESP marker"
+				, ip_str(cur_from), (unsigned) cur_from_port);
+			return FALSE;
+		}
+		packet_len -= sizeof(u_int32_t);
+		buffer_nat = malloc(packet_len);
+		memcpy(buffer_nat, buffer + sizeof(u_int32_t), packet_len);
+		free(buffer);
+		buffer = buffer_nat;
 	}
-	packet_len -= sizeof(u_int32_t);
-	buffer_nat = alloc_bytes(packet_len, "buffer read packet");
-	memcpy(buffer_nat, buffer + sizeof(u_int32_t), packet_len);
-	pfree(buffer);
-	buffer = buffer_nat;
-    }
-
-    /* Clone actual message contents
-     * and set up md->packet_pbs to describe it.
-     */
-    init_pbs(&md->packet_pbs, buffer, packet_len, "packet");
-
-    DBG(DBG_RAW | DBG_CRYPT | DBG_PARSING | DBG_CONTROL,
-	{
-	    DBG_log(BLANK_FORMAT);
-	    DBG_log("*received %d bytes from %s:%u on %s"
-		, (int) pbs_room(&md->packet_pbs)
-		, ip_str(cur_from), (unsigned) cur_from_port
-		, ifp->rname);
-	});
 
-    DBG(DBG_RAW,
-	DBG_dump("", md->packet_pbs.start, pbs_room(&md->packet_pbs)));
+	/* Clone actual message contents
+	 * and set up md->packet_pbs to describe it.
+	 */
+	init_pbs(&md->packet_pbs, buffer, packet_len, "packet");
 
-	if ((pbs_room(&md->packet_pbs)==1) && (md->packet_pbs.start[0]==0xff))
-	{
-	    /**
-	     * NAT-T Keep-alive packets should be discarded by kernel ESPinUDP
-	     * layer. But bogus keep-alive packets (sent with a non-esp marker)
-	     * can reach this point. Complain and discard them.
-	     */
-	    DBG(DBG_NATT,
-		DBG_log("NAT-T keep-alive (bogus ?) should not reach this point. "
-			"Ignored. Sender: %s:%u", ip_str(cur_from),
-			(unsigned) cur_from_port);
-	    )
-	    return FALSE;
-	}
+	DBG(DBG_RAW | DBG_CRYPT | DBG_PARSING | DBG_CONTROL,
+		{
+			DBG_log(BLANK_FORMAT);
+			DBG_log("*received %d bytes from %s:%u on %s"
+				, (int) pbs_room(&md->packet_pbs)
+				, ip_str(cur_from), (unsigned) cur_from_port
+				, ifp->rname);
+		});
 
-#define IKEV2_VERSION_OFFSET	17
-#define IKEV2_VERSION		0x20
+	DBG(DBG_RAW,
+		DBG_dump("", md->packet_pbs.start, pbs_room(&md->packet_pbs)));
 
-    /* ignore IKEv2 packets - they will be handled by charon */
-    if (pbs_room(&md->packet_pbs) > IKEV2_VERSION_OFFSET
-    &&  md->packet_pbs.start[IKEV2_VERSION_OFFSET] == IKEV2_VERSION)
-    {
-	DBG(DBG_CONTROLMORE,
-	    DBG_log("  ignoring IKEv2 packet")
-	)
-	return FALSE;
-    }
+		if ((pbs_room(&md->packet_pbs)==1) && (md->packet_pbs.start[0]==0xff))
+		{
+			/**
+			 * NAT-T Keep-alive packets should be discarded by kernel ESPinUDP
+			 * layer. But bogus keep-alive packets (sent with a non-esp marker)
+			 * can reach this point. Complain and discard them.
+			 */
+			DBG(DBG_NATT,
+				DBG_log("NAT-T keep-alive (bogus ?) should not reach this point. "
+						"Ignored. Sender: %s:%u", ip_str(cur_from),
+						(unsigned) cur_from_port);
+			)
+			return FALSE;
+		}
+
+#define IKEV2_VERSION_OFFSET    17
+#define IKEV2_VERSION           0x20
+
+	/* ignore IKEv2 packets - they will be handled by charon */
+	if (pbs_room(&md->packet_pbs) > IKEV2_VERSION_OFFSET
+	&&  md->packet_pbs.start[IKEV2_VERSION_OFFSET] == IKEV2_VERSION)
+	{
+		DBG(DBG_CONTROLMORE,
+			DBG_log("  ignoring IKEv2 packet")
+		)
+		return FALSE;
+	}
 
-    return TRUE;
+	return TRUE;
 }
 
 /* process an input packet, possibly generating a reply.
@@ -1233,860 +1234,881 @@ read_packet(struct msg_digest *md)
 static void
 process_packet(struct msg_digest **mdp)
 {
-    struct msg_digest *md = *mdp;
-    const struct state_microcode *smc;
-    bool new_iv_set = FALSE;
-    bool restore_iv = FALSE;
-    u_char new_iv[MAX_DIGEST_LEN];
-    u_int new_iv_len = 0;
+	struct msg_digest *md = *mdp;
+	const struct state_microcode *smc;
+	bool new_iv_set = FALSE;
+	bool restore_iv = FALSE;
+	u_char new_iv[MAX_DIGEST_LEN];
+	u_int new_iv_len = 0;
 
-    struct state *st = NULL;
-    enum state_kind from_state = STATE_UNDEFINED;	/* state we started in */
+	struct state *st = NULL;
+	enum state_kind from_state = STATE_UNDEFINED;       /* state we started in */
 
 #define SEND_NOTIFICATION(t) { \
-    if (st) send_notification_from_state(st, from_state, t); \
-    else send_notification_from_md(md, t); }
+	if (st) send_notification_from_state(st, from_state, t); \
+	else send_notification_from_md(md, t); }
 
-    if (!in_struct(&md->hdr, &isakmp_hdr_desc, &md->packet_pbs, &md->message_pbs))
-    {
-	/* Identify specific failures:
-	 * - bad ISAKMP major/minor version numbers
-	 */
-	if (md->packet_pbs.roof - md->packet_pbs.cur >= (ptrdiff_t)isakmp_hdr_desc.size)
+	if (!in_struct(&md->hdr, &isakmp_hdr_desc, &md->packet_pbs, &md->message_pbs))
 	{
-	    struct isakmp_hdr *hdr = (struct isakmp_hdr *)md->packet_pbs.cur;
-	    if ((hdr->isa_version >> ISA_MAJ_SHIFT) != ISAKMP_MAJOR_VERSION)
-	    {
-		SEND_NOTIFICATION(INVALID_MAJOR_VERSION);
-		return;
-	    }
-	    else if ((hdr->isa_version & ISA_MIN_MASK) != ISAKMP_MINOR_VERSION)
-	    {
-		SEND_NOTIFICATION(INVALID_MINOR_VERSION);
+		/* Identify specific failures:
+		 * - bad ISAKMP major/minor version numbers
+		 */
+		if (md->packet_pbs.roof - md->packet_pbs.cur >= (ptrdiff_t)isakmp_hdr_desc.size)
+		{
+			struct isakmp_hdr *hdr = (struct isakmp_hdr *)md->packet_pbs.cur;
+			if ((hdr->isa_version >> ISA_MAJ_SHIFT) != ISAKMP_MAJOR_VERSION)
+			{
+				SEND_NOTIFICATION(INVALID_MAJOR_VERSION);
+				return;
+			}
+			else if ((hdr->isa_version & ISA_MIN_MASK) != ISAKMP_MINOR_VERSION)
+			{
+				SEND_NOTIFICATION(INVALID_MINOR_VERSION);
+				return;
+			}
+		}
+		SEND_NOTIFICATION(PAYLOAD_MALFORMED);
 		return;
-	    }
 	}
-	SEND_NOTIFICATION(PAYLOAD_MALFORMED);
-	return;
-    }
-
-    if (md->packet_pbs.roof != md->message_pbs.roof)
-    {
-	plog("size (%u) differs from size specified in ISAKMP HDR (%u)"
-	    , (unsigned) pbs_room(&md->packet_pbs), md->hdr.isa_length);
+
+	if (md->packet_pbs.roof != md->message_pbs.roof)
+	{
+		plog("size (%u) differs from size specified in ISAKMP HDR (%u)"
+			, (unsigned) pbs_room(&md->packet_pbs), md->hdr.isa_length);
 #ifdef CISCO_QUIRKS
-	if (pbs_room(&md->packet_pbs) - md->hdr.isa_length == 16)
-	    plog("Cisco VPN client appends 16 surplus NULL bytes");
-	else
+		if (pbs_room(&md->packet_pbs) - md->hdr.isa_length == 16)
+			plog("Cisco VPN client appends 16 surplus NULL bytes");
+		else
 #endif
-	return;
-    }
+		return;
+	}
 
-    switch (md->hdr.isa_xchg)
-    {
+	switch (md->hdr.isa_xchg)
+	{
 #ifdef NOTYET
-    case ISAKMP_XCHG_NONE:
-    case ISAKMP_XCHG_BASE:
+	case ISAKMP_XCHG_NONE:
+	case ISAKMP_XCHG_BASE:
 #endif
 
-    case ISAKMP_XCHG_IDPROT:	/* part of a Main Mode exchange */
-	if (md->hdr.isa_msgid != MAINMODE_MSGID)
-	{
-	    plog("Message ID was 0x%08lx but should be zero in Main Mode",
-		(unsigned long) md->hdr.isa_msgid);
-	    SEND_NOTIFICATION(INVALID_MESSAGE_ID);
-	    return;
-	}
-
-	if (is_zero_cookie(md->hdr.isa_icookie))
-	{
-	    plog("Initiator Cookie must not be zero in Main Mode message");
-	    SEND_NOTIFICATION(INVALID_COOKIE);
-	    return;
-	}
+	case ISAKMP_XCHG_IDPROT:    /* part of a Main Mode exchange */
+		if (md->hdr.isa_msgid != MAINMODE_MSGID)
+		{
+			plog("Message ID was 0x%08lx but should be zero in Main Mode",
+				(unsigned long) md->hdr.isa_msgid);
+			SEND_NOTIFICATION(INVALID_MESSAGE_ID);
+			return;
+		}
 
-	if (is_zero_cookie(md->hdr.isa_rcookie))
-	{
-	    /* initial message from initiator
-	     * ??? what if this is a duplicate of another message?
-	     */
-	    if (md->hdr.isa_flags & ISAKMP_FLAG_ENCRYPTION)
-	    {
-		plog("initial Main Mode message is invalid:"
-		    " its Encrypted Flag is on");
-		SEND_NOTIFICATION(INVALID_FLAGS);
-		return;
-	    }
+		if (is_zero_cookie(md->hdr.isa_icookie))
+		{
+			plog("Initiator Cookie must not be zero in Main Mode message");
+			SEND_NOTIFICATION(INVALID_COOKIE);
+			return;
+		}
 
-	    /* don't build a state until the message looks tasty */
-	    from_state = STATE_MAIN_R0;
-	}
-	else
-	{
-	    /* not an initial message */
+		if (is_zero_cookie(md->hdr.isa_rcookie))
+		{
+			/* initial message from initiator
+			 * ??? what if this is a duplicate of another message?
+			 */
+			if (md->hdr.isa_flags & ISAKMP_FLAG_ENCRYPTION)
+			{
+				plog("initial Main Mode message is invalid:"
+					" its Encrypted Flag is on");
+				SEND_NOTIFICATION(INVALID_FLAGS);
+				return;
+			}
 
-	    st = find_state(md->hdr.isa_icookie, md->hdr.isa_rcookie
-		, &md->sender, md->hdr.isa_msgid);
+			/* don't build a state until the message looks tasty */
+			from_state = STATE_MAIN_R0;
+		}
+		else
+		{
+			/* not an initial message */
 
-	    if (st == NULL)
-	    {
-		/* perhaps this is a first message from the responder
-		 * and contains a responder cookie that we've not yet seen.
-		 */
-		st = find_state(md->hdr.isa_icookie, zero_cookie
-		    , &md->sender, md->hdr.isa_msgid);
+			st = find_state(md->hdr.isa_icookie, md->hdr.isa_rcookie
+				, &md->sender, md->hdr.isa_msgid);
 
-		if (st == NULL)
-		{
-		    plog("Main Mode message is part of an unknown exchange");
-		    /* XXX Could send notification back */
-		    return;
+			if (st == NULL)
+			{
+				/* perhaps this is a first message from the responder
+				 * and contains a responder cookie that we've not yet seen.
+				 */
+				st = find_state(md->hdr.isa_icookie, zero_cookie
+					, &md->sender, md->hdr.isa_msgid);
+
+				if (st == NULL)
+				{
+					plog("Main Mode message is part of an unknown exchange");
+					/* XXX Could send notification back */
+					return;
+				}
+			}
+			set_cur_state(st);
+			from_state = st->st_state;
 		}
-	    }
-	    set_cur_state(st);
-	    from_state = st->st_state;
-	}
-	break;
+		break;
 
 #ifdef NOTYET
-    case ISAKMP_XCHG_AO:
-    case ISAKMP_XCHG_AGGR:
+	case ISAKMP_XCHG_AO:
+	case ISAKMP_XCHG_AGGR:
 #endif
 
-    case ISAKMP_XCHG_INFO:	/* an informational exchange */
-	st = find_state(md->hdr.isa_icookie, md->hdr.isa_rcookie
-	    , &md->sender, MAINMODE_MSGID);
+	case ISAKMP_XCHG_INFO:      /* an informational exchange */
+		st = find_state(md->hdr.isa_icookie, md->hdr.isa_rcookie
+			, &md->sender, MAINMODE_MSGID);
 
-	if (st != NULL)
-	    set_cur_state(st);
+		if (st != NULL)
+			set_cur_state(st);
 
-	if (md->hdr.isa_flags & ISAKMP_FLAG_ENCRYPTION)
-	{
-	    if (st == NULL)
-	    {
-		plog("Informational Exchange is for an unknown (expired?) SA");
-		/* XXX Could send notification back */
-		return;
-	    }
+		if (md->hdr.isa_flags & ISAKMP_FLAG_ENCRYPTION)
+		{
+			if (st == NULL)
+			{
+				plog("Informational Exchange is for an unknown (expired?) SA");
+				/* XXX Could send notification back */
+				return;
+			}
 
-	    if (!IS_ISAKMP_ENCRYPTED(st->st_state))
-	    {
-		loglog(RC_LOG_SERIOUS, "encrypted Informational Exchange message is invalid"
-		    " because no key is known");
-		/* XXX Could send notification back */
-		return;
-	    }
+			if (!IS_ISAKMP_ENCRYPTED(st->st_state))
+			{
+				loglog(RC_LOG_SERIOUS, "encrypted Informational Exchange message is invalid"
+					" because no key is known");
+				/* XXX Could send notification back */
+				return;
+			}
 
-	    if (md->hdr.isa_msgid == MAINMODE_MSGID)
-	    {
-		loglog(RC_LOG_SERIOUS, "Informational Exchange message is invalid because"
-		    " it has a Message ID of 0");
-		/* XXX Could send notification back */
-		return;
-	    }
-
-	    if (!reserve_msgid(st, md->hdr.isa_msgid))
-	    {
-		loglog(RC_LOG_SERIOUS, "Informational Exchange message is invalid because"
-		    " it has a previously used Message ID (0x%08lx)"
-		    , (unsigned long)md->hdr.isa_msgid);
-		/* XXX Could send notification back */
-		return;
-	    }
+			if (md->hdr.isa_msgid == MAINMODE_MSGID)
+			{
+				loglog(RC_LOG_SERIOUS, "Informational Exchange message is invalid because"
+					" it has a Message ID of 0");
+				/* XXX Could send notification back */
+				return;
+			}
 
-	    if (!IS_ISAKMP_SA_ESTABLISHED(st->st_state))
-	    {
-	 	memcpy(st->st_ph1_iv, st->st_new_iv, st->st_new_iv_len);
-	 	st->st_ph1_iv_len = st->st_new_iv_len;
-		
-		/* backup new_iv */
-		new_iv_len = st->st_new_iv_len;
-		passert(new_iv_len <= MAX_DIGEST_LEN)
-		memcpy(new_iv, st->st_new_iv, new_iv_len);
-		restore_iv = TRUE;
-	    }
-	    init_phase2_iv(st, &md->hdr.isa_msgid);
-	    new_iv_set = TRUE;
-
-	    from_state = STATE_INFO_PROTECTED;
-	}
-	else
-	{
-	    if (st != NULL && IS_ISAKMP_ENCRYPTED(st->st_state))
-	    {
-		loglog(RC_LOG_SERIOUS, "Informational Exchange message"
-		    " must be encrypted");
-		/* XXX Could send notification back */
-		return;
-	    }
-	    from_state = STATE_INFO;
-	}
-	break;
+			if (!reserve_msgid(st, md->hdr.isa_msgid))
+			{
+				loglog(RC_LOG_SERIOUS, "Informational Exchange message is invalid because"
+					" it has a previously used Message ID (0x%08lx)"
+					, (unsigned long)md->hdr.isa_msgid);
+				/* XXX Could send notification back */
+				return;
+			}
 
-    case ISAKMP_XCHG_QUICK:	/* part of a Quick Mode exchange */
-	if (is_zero_cookie(md->hdr.isa_icookie))
-	{
-	    plog("Quick Mode message is invalid because"
-		" it has an Initiator Cookie of 0");
-	    SEND_NOTIFICATION(INVALID_COOKIE);
-	    return;
-	}
+			if (!IS_ISAKMP_SA_ESTABLISHED(st->st_state))
+			{
+				memcpy(st->st_ph1_iv, st->st_new_iv, st->st_new_iv_len);
+				st->st_ph1_iv_len = st->st_new_iv_len;
+				
+				/* backup new_iv */
+				new_iv_len = st->st_new_iv_len;
+				passert(new_iv_len <= MAX_DIGEST_LEN)
+				memcpy(new_iv, st->st_new_iv, new_iv_len);
+				restore_iv = TRUE;
+			}
+			init_phase2_iv(st, &md->hdr.isa_msgid);
+			new_iv_set = TRUE;
 
-	if (is_zero_cookie(md->hdr.isa_rcookie))
-	{
-	    plog("Quick Mode message is invalid because"
-		" it has a Responder Cookie of 0");
-	    SEND_NOTIFICATION(INVALID_COOKIE);
-	    return;
-	}
+			from_state = STATE_INFO_PROTECTED;
+		}
+		else
+		{
+			if (st != NULL && IS_ISAKMP_ENCRYPTED(st->st_state))
+			{
+				loglog(RC_LOG_SERIOUS, "Informational Exchange message"
+					" must be encrypted");
+				/* XXX Could send notification back */
+				return;
+			}
+			from_state = STATE_INFO;
+		}
+		break;
 
-	if (md->hdr.isa_msgid == MAINMODE_MSGID)
-	{
-	    plog("Quick Mode message is invalid because"
-		" it has a Message ID of 0");
-	    SEND_NOTIFICATION(INVALID_MESSAGE_ID);
-	    return;
-	}
+	case ISAKMP_XCHG_QUICK:     /* part of a Quick Mode exchange */
+		if (is_zero_cookie(md->hdr.isa_icookie))
+		{
+			plog("Quick Mode message is invalid because"
+				" it has an Initiator Cookie of 0");
+			SEND_NOTIFICATION(INVALID_COOKIE);
+			return;
+		}
 
-	st = find_state(md->hdr.isa_icookie, md->hdr.isa_rcookie
-	    , &md->sender, md->hdr.isa_msgid);
+		if (is_zero_cookie(md->hdr.isa_rcookie))
+		{
+			plog("Quick Mode message is invalid because"
+				" it has a Responder Cookie of 0");
+			SEND_NOTIFICATION(INVALID_COOKIE);
+			return;
+		}
 
-	if (st == NULL)
-	{
-	    /* No appropriate Quick Mode state.
-	     * See if we have a Main Mode state.
-	     * ??? what if this is a duplicate of another message?
-	     */
-	    st = find_state(md->hdr.isa_icookie, md->hdr.isa_rcookie
-		, &md->sender, MAINMODE_MSGID);
-
-	    if (st == NULL)
-	    {
-		plog("Quick Mode message is for a non-existent (expired?)"
-		    " ISAKMP SA");
-		/* XXX Could send notification back */
-		return;
-	    }
+		if (md->hdr.isa_msgid == MAINMODE_MSGID)
+		{
+			plog("Quick Mode message is invalid because"
+				" it has a Message ID of 0");
+			SEND_NOTIFICATION(INVALID_MESSAGE_ID);
+			return;
+		}
 
-	    set_cur_state(st);
+		st = find_state(md->hdr.isa_icookie, md->hdr.isa_rcookie
+			, &md->sender, md->hdr.isa_msgid);
 
-	    if (!IS_ISAKMP_SA_ESTABLISHED(st->st_state))
-	    {
-		loglog(RC_LOG_SERIOUS, "Quick Mode message is unacceptable because"
-		    " it is for an incomplete ISAKMP SA");
-		SEND_NOTIFICATION(PAYLOAD_MALFORMED /* XXX ? */);
-		return;
-	    }
-
-	    /* only accept this new Quick Mode exchange if it has a unique message ID */
-	    if (!reserve_msgid(st, md->hdr.isa_msgid))
-	    {
-		loglog(RC_LOG_SERIOUS, "Quick Mode I1 message is unacceptable because"
-		    " it uses a previously used Message ID 0x%08lx"
-		    " (perhaps this is a duplicated packet)"
-		    , (unsigned long) md->hdr.isa_msgid);
-		SEND_NOTIFICATION(INVALID_MESSAGE_ID);
-		return;
-	    }
+		if (st == NULL)
+		{
+			/* No appropriate Quick Mode state.
+			 * See if we have a Main Mode state.
+			 * ??? what if this is a duplicate of another message?
+			 */
+			st = find_state(md->hdr.isa_icookie, md->hdr.isa_rcookie
+				, &md->sender, MAINMODE_MSGID);
 
-	    /* Quick Mode Initial IV */
-	    init_phase2_iv(st, &md->hdr.isa_msgid);
-	    new_iv_set = TRUE;
+			if (st == NULL)
+			{
+				plog("Quick Mode message is for a non-existent (expired?)"
+					" ISAKMP SA");
+				/* XXX Could send notification back */
+				return;
+			}
 
-	    from_state = STATE_QUICK_R0;
-	}
-	else
-	{
-	    set_cur_state(st);  
-	    from_state = st->st_state;
-	}
+			set_cur_state(st);
 
-	break;
+			if (!IS_ISAKMP_SA_ESTABLISHED(st->st_state))
+			{
+				loglog(RC_LOG_SERIOUS, "Quick Mode message is unacceptable because"
+					" it is for an incomplete ISAKMP SA");
+				SEND_NOTIFICATION(PAYLOAD_MALFORMED /* XXX ? */);
+				return;
+			}
 
-    case ISAKMP_XCHG_MODE_CFG:
-	if (is_zero_cookie(md->hdr.isa_icookie))
-	{
-	    plog("ModeCfg message is invalid because"
-		" it has an Initiator Cookie of 0");
-	    /* XXX Could send notification back */
-	    return;
-	}
+			/* only accept this new Quick Mode exchange if it has a unique message ID */
+			if (!reserve_msgid(st, md->hdr.isa_msgid))
+			{
+				loglog(RC_LOG_SERIOUS, "Quick Mode I1 message is unacceptable because"
+					" it uses a previously used Message ID 0x%08lx"
+					" (perhaps this is a duplicated packet)"
+					, (unsigned long) md->hdr.isa_msgid);
+				SEND_NOTIFICATION(INVALID_MESSAGE_ID);
+				return;
+			}
 
-	if (is_zero_cookie(md->hdr.isa_rcookie))
-	{
-	    plog("ModeCfg message is invalid because"
-		" it has a Responder Cookie of 0");
-	    /* XXX Could send notification back */
-	    return;
-	}
+			/* Quick Mode Initial IV */
+			init_phase2_iv(st, &md->hdr.isa_msgid);
+			new_iv_set = TRUE;
 
-	if (md->hdr.isa_msgid == 0)
-	{
-	    plog("ModeCfg message is invalid because"
-		" it has a Message ID of 0");
-	    /* XXX Could send notification back */
-	    return;
-	}
+			from_state = STATE_QUICK_R0;
+		}
+		else
+		{
+			set_cur_state(st);  
+			from_state = st->st_state;
+		}
 
-	st = find_state(md->hdr.isa_icookie, md->hdr.isa_rcookie
-			, &md->sender, md->hdr.isa_msgid);
+		break;
 
-	if (st == NULL)
-	{
-	    bool has_xauth_policy;
-
-	    /* No appropriate ModeCfg state.
-	     * See if we have a Main Mode state.
-	     * ??? what if this is a duplicate of another message?
-	     */
-	    st = find_state(md->hdr.isa_icookie, md->hdr.isa_rcookie
-			    , &md->sender, 0);
-
-	    if (st == NULL)
-	    {
-		plog("ModeCfg message is for a non-existent (expired?)"
-		    " ISAKMP SA");
-		/* XXX Could send notification back */
-		return;
-	    }
+	case ISAKMP_XCHG_MODE_CFG:
+		if (is_zero_cookie(md->hdr.isa_icookie))
+		{
+			plog("ModeCfg message is invalid because"
+				" it has an Initiator Cookie of 0");
+			/* XXX Could send notification back */
+			return;
+		}
+
+		if (is_zero_cookie(md->hdr.isa_rcookie))
+		{
+			plog("ModeCfg message is invalid because"
+				" it has a Responder Cookie of 0");
+			/* XXX Could send notification back */
+			return;
+		}
+
+		if (md->hdr.isa_msgid == 0)
+		{
+			plog("ModeCfg message is invalid because"
+				" it has a Message ID of 0");
+			/* XXX Could send notification back */
+			return;
+		}
+
+		st = find_state(md->hdr.isa_icookie, md->hdr.isa_rcookie
+						, &md->sender, md->hdr.isa_msgid);
+
+		if (st == NULL)
+		{
+			bool has_xauth_policy;
+
+			/* No appropriate ModeCfg state.
+			 * See if we have a Main Mode state.
+			 * ??? what if this is a duplicate of another message?
+			 */
+			st = find_state(md->hdr.isa_icookie, md->hdr.isa_rcookie
+							, &md->sender, 0);
 
-	    set_cur_state(st);
+			if (st == NULL)
+			{
+				plog("ModeCfg message is for a non-existent (expired?)"
+					" ISAKMP SA");
+				/* XXX Could send notification back */
+				return;
+			}
+
+			set_cur_state(st);
+
+			/* the XAUTH_STATUS message might have a new msgid */
+			if (st->st_state == STATE_XAUTH_I1)
+			{
+				init_phase2_iv(st, &md->hdr.isa_msgid);
+				new_iv_set = TRUE;
+				from_state = st->st_state;
+				break;
+			}
+
+			if (!IS_ISAKMP_SA_ESTABLISHED(st->st_state))
+			{
+				loglog(RC_LOG_SERIOUS, "ModeCfg message is unacceptable because"
+						" it is for an incomplete ISAKMP SA (state=%s)"
+						, enum_name(&state_names, st->st_state));
+				/* XXX Could send notification back */
+				return;
+			}
+			init_phase2_iv(st, &md->hdr.isa_msgid);
+			new_iv_set = TRUE;
 
-	    /* the XAUTH_STATUS message might have a new msgid */
-	    if (st->st_state == STATE_XAUTH_I1)
-	    {
-		init_phase2_iv(st, &md->hdr.isa_msgid);
-		new_iv_set = TRUE;
-		from_state = st->st_state;
+			/*
+			 * okay, now we have to figure out if we are receiving a bogus
+			 * new message in an oustanding XAUTH server conversation
+			 * (i.e. a reply to our challenge)
+			 * (this occurs with some broken other implementations).
+			 *
+			 * or if receiving for the first time, an XAUTH challenge.
+			 *
+			 * or if we are getting a MODECFG request.
+			 *
+			 * we distinguish these states because we can not both be an
+			 * XAUTH server and client, and our policy tells us which
+			 * one we are.
+			 *
+			 * to complicate further, it is normal to start a new msgid
+			 * when going from one state to another, or when restarting
+			 * the challenge.
+			 *
+			 */
+
+			has_xauth_policy = (st->st_connection->policy
+							   & (POLICY_XAUTH_RSASIG | POLICY_XAUTH_PSK))
+							   != LEMPTY;
+
+			if (has_xauth_policy && !st->st_xauth.started
+			&& IS_PHASE1(st->st_state))
+			{
+				from_state = STATE_XAUTH_I0;
+			}
+			else if (st->st_connection->spd.that.modecfg
+			&& IS_PHASE1(st->st_state))
+			{
+				from_state = STATE_MODE_CFG_R0;
+			}
+			else if (st->st_connection->spd.this.modecfg
+			&& IS_PHASE1(st->st_state))
+			{
+				from_state = STATE_MODE_CFG_I0;
+			}
+			else
+			{
+				/* XXX check if we are being a mode config server here */
+				plog("received ModeCfg message when in state %s, and we aren't mode config client"
+					 , enum_name(&state_names, st->st_state));
+				return;
+			}
+		}
+		else
+		{
+			set_cur_state(st);
+			from_state = st->st_state;
+		}
 		break;
-	    }
-
-	    if (!IS_ISAKMP_SA_ESTABLISHED(st->st_state))
-	    {
-		loglog(RC_LOG_SERIOUS, "ModeCfg message is unacceptable because"
-	       		" it is for an incomplete ISAKMP SA (state=%s)"
-	       		, enum_name(&state_names, st->st_state));
-		/* XXX Could send notification back */
-		return;
-	    }
-	    init_phase2_iv(st, &md->hdr.isa_msgid);
-	    new_iv_set = TRUE;
-
-	    /*
-	     * okay, now we have to figure out if we are receiving a bogus
-	     * new message in an oustanding XAUTH server conversation
-	     * (i.e. a reply to our challenge)
-	     * (this occurs with some broken other implementations).
-	     *
-	     * or if receiving for the first time, an XAUTH challenge.
-	     *
-	     * or if we are getting a MODECFG request.
-	     *
-	     * we distinguish these states because we can not both be an
-	     * XAUTH server and client, and our policy tells us which
-	     * one we are.
-	     *
-	     * to complicate further, it is normal to start a new msgid
-	     * when going from one state to another, or when restarting
-	     * the challenge.
-	     *
-	     */
-
-	    has_xauth_policy = (st->st_connection->policy
-			       & (POLICY_XAUTH_RSASIG | POLICY_XAUTH_PSK))
-			       != LEMPTY;
-
-	    if (has_xauth_policy && !st->st_xauth.started
-	    && IS_PHASE1(st->st_state))
-	    {
-		from_state = STATE_XAUTH_I0;
-	    }
-	    else if (st->st_connection->spd.that.modecfg
-	    && IS_PHASE1(st->st_state))
-	    {
-		from_state = STATE_MODE_CFG_R0;
-	    }
-	    else if (st->st_connection->spd.this.modecfg
-	    && IS_PHASE1(st->st_state))
-	    {
-		from_state = STATE_MODE_CFG_I0;
-	    }
-	    else
-	    {
-		/* XXX check if we are being a mode config server here */
-		plog("received ModeCfg message when in state %s, and we aren't mode config client"
-		     , enum_name(&state_names, st->st_state));
-		return;
-	    }
-	}
-	else
-	{
-	    set_cur_state(st);
-	    from_state = st->st_state;
-	}
-	break;
 
 #ifdef NOTYET
-    case ISAKMP_XCHG_NGRP:
-    case ISAKMP_XCHG_ACK_INFO:
+	case ISAKMP_XCHG_NGRP:
+	case ISAKMP_XCHG_ACK_INFO:
 #endif
 
-    default:
-	plog("unsupported exchange type %s in message"
-	    , enum_show(&exchange_names, md->hdr.isa_xchg));
-	SEND_NOTIFICATION(UNSUPPORTED_EXCHANGE_TYPE);
-	return;
-    }
-
-    /* We have found a from_state, and perhaps a state object.
-     * If we need to build a new state object,
-     * we wait until the packet has been sanity checked.
-     */
-
-    /* We don't support the Commit Flag.  It is such a bad feature.
-     * It isn't protected -- neither encrypted nor authenticated.
-     * A man in the middle turns it on, leading to DoS.
-     * We just ignore it, with a warning.
-     * By placing the check here, we could easily add a policy bit
-     * to a connection to suppress the warning.  This might be useful
-     * because the Commit Flag is expected from some peers.
-     */
-    if (md->hdr.isa_flags & ISAKMP_FLAG_COMMIT)
-    {
-	plog("IKE message has the Commit Flag set but Pluto doesn't implement this feature; ignoring flag");
-    }
-
-    /* Set smc to describe this state's properties.
-     * Look up the appropriate microcode based on state and
-     * possibly Oakley Auth type.
-     */
-    passert(STATE_IKE_FLOOR <= from_state && from_state <= STATE_IKE_ROOF);
-    smc = ike_microcode_index[from_state - STATE_IKE_FLOOR];
-
-    if (st != NULL)
-    {
-	u_int16_t auth;
-
-	switch (st->st_oakley.auth)
-	{
-	case XAUTHInitPreShared:
-	case XAUTHRespPreShared:
-	    auth = OAKLEY_PRESHARED_KEY;
-	    break;
-	case XAUTHInitRSA:
-	case XAUTHRespRSA:
-	    auth = OAKLEY_RSA_SIG;
-	    break;
 	default:
-	    auth = st->st_oakley.auth;
+		plog("unsupported exchange type %s in message"
+			, enum_show(&exchange_names, md->hdr.isa_xchg));
+		SEND_NOTIFICATION(UNSUPPORTED_EXCHANGE_TYPE);
+		return;
 	}
-	
-	while (!LHAS(smc->flags, auth))
+
+	/* We have found a from_state, and perhaps a state object.
+	 * If we need to build a new state object,
+	 * we wait until the packet has been sanity checked.
+	 */
+
+	/* We don't support the Commit Flag.  It is such a bad feature.
+	 * It isn't protected -- neither encrypted nor authenticated.
+	 * A man in the middle turns it on, leading to DoS.
+	 * We just ignore it, with a warning.
+	 * By placing the check here, we could easily add a policy bit
+	 * to a connection to suppress the warning.  This might be useful
+	 * because the Commit Flag is expected from some peers.
+	 */
+	if (md->hdr.isa_flags & ISAKMP_FLAG_COMMIT)
 	{
-	    smc++;
-	    passert(smc->state == from_state);
+		plog("IKE message has the Commit Flag set but Pluto doesn't implement this feature; ignoring flag");
 	}
-    }
-
-    /* Ignore a packet if the state has a suspended state transition
-     * Probably a duplicated packet but the original packet is not yet
-     * recorded in st->st_rpacket, so duplicate checking won't catch.
-     * ??? Should the packet be recorded earlier to improve diagnosis?
-     */
-    if (st != NULL && st->st_suspended_md != NULL)
-    {
-	loglog(RC_LOG, "discarding packet received during DNS lookup in %s"
-	    , enum_name(&state_names, st->st_state));
-	return;
-    }
-
-    /* Detect and handle duplicated packets.
-     * This won't work for the initial packet of an exchange
-     * because we won't have a state object to remember it.
-     * If we are in a non-receiving state (terminal), and the preceding
-     * state did transmit, then the duplicate may indicate that that
-     * transmission wasn't received -- retransmit it.
-     * Otherwise, just discard it.
-     * ??? Notification packets are like exchanges -- I hope that
-     * they are idempotent!
-     */
-    if (st != NULL
-    && st->st_rpacket.ptr != NULL
-    && st->st_rpacket.len == pbs_room(&md->packet_pbs)
-    && memcmp(st->st_rpacket.ptr, md->packet_pbs.start, st->st_rpacket.len) == 0)
-    {
-	if (smc->flags & SMF_RETRANSMIT_ON_DUPLICATE)
+
+	/* Set smc to describe this state's properties.
+	 * Look up the appropriate microcode based on state and
+	 * possibly Oakley Auth type.
+	 */
+	passert(STATE_IKE_FLOOR <= from_state && from_state <= STATE_IKE_ROOF);
+	smc = ike_microcode_index[from_state - STATE_IKE_FLOOR];
+
+	if (st != NULL)
 	{
-	    if (st->st_retransmit < MAXIMUM_RETRANSMISSIONS)
-	    {
-		st->st_retransmit++;
-		loglog(RC_RETRANSMISSION
-		    , "retransmitting in response to duplicate packet; already %s"
-		    , enum_name(&state_names, st->st_state));
-		send_packet(st, "retransmit in response to duplicate");
-	    }
-	    else
-	    {
-		loglog(RC_LOG_SERIOUS, "discarding duplicate packet -- exhausted retransmission; already %s"
-		    , enum_name(&state_names, st->st_state));
-	    }
+		u_int16_t auth;
+
+		switch (st->st_oakley.auth)
+		{
+		case XAUTHInitPreShared:
+		case XAUTHRespPreShared:
+			auth = OAKLEY_PRESHARED_KEY;
+			break;
+		case XAUTHInitRSA:
+		case XAUTHRespRSA:
+			auth = OAKLEY_RSA_SIG;
+			break;
+		default:
+			auth = st->st_oakley.auth;
+		}
+		
+		while (!LHAS(smc->flags, auth))
+		{
+			smc++;
+			passert(smc->state == from_state);
+		}
 	}
-	else
+
+	/* Ignore a packet if the state has a suspended state transition
+	 * Probably a duplicated packet but the original packet is not yet
+	 * recorded in st->st_rpacket, so duplicate checking won't catch.
+	 * ??? Should the packet be recorded earlier to improve diagnosis?
+	 */
+	if (st != NULL && st->st_suspended_md != NULL)
 	{
-	    loglog(RC_LOG_SERIOUS, "discarding duplicate packet; already %s"
-		, enum_name(&state_names, st->st_state));
+		loglog(RC_LOG, "discarding packet received during DNS lookup in %s"
+			, enum_name(&state_names, st->st_state));
+		return;
 	}
-	return;
-    }
-
-    if (md->hdr.isa_flags & ISAKMP_FLAG_ENCRYPTION)
-    {
-	DBG(DBG_CRYPT, DBG_log("received encrypted packet from %s:%u"
-	    , ip_str(&md->sender), (unsigned)md->sender_port));
 
-	if (st == NULL)
+	/* Detect and handle duplicated packets.
+	 * This won't work for the initial packet of an exchange
+	 * because we won't have a state object to remember it.
+	 * If we are in a non-receiving state (terminal), and the preceding
+	 * state did transmit, then the duplicate may indicate that that
+	 * transmission wasn't received -- retransmit it.
+	 * Otherwise, just discard it.
+	 * ??? Notification packets are like exchanges -- I hope that
+	 * they are idempotent!
+	 */
+	if (st != NULL
+	&& st->st_rpacket.ptr != NULL
+	&& st->st_rpacket.len == pbs_room(&md->packet_pbs)
+	&& memeq(st->st_rpacket.ptr, md->packet_pbs.start, st->st_rpacket.len))
 	{
-	    plog("discarding encrypted message for an unknown ISAKMP SA");
-	    SEND_NOTIFICATION(PAYLOAD_MALFORMED /* XXX ? */);
-	    return;
+		if (smc->flags & SMF_RETRANSMIT_ON_DUPLICATE)
+		{
+			if (st->st_retransmit < MAXIMUM_RETRANSMISSIONS)
+			{
+				st->st_retransmit++;
+				loglog(RC_RETRANSMISSION
+					, "retransmitting in response to duplicate packet; already %s"
+					, enum_name(&state_names, st->st_state));
+				send_packet(st, "retransmit in response to duplicate");
+			}
+			else
+			{
+				loglog(RC_LOG_SERIOUS, "discarding duplicate packet -- exhausted retransmission; already %s"
+					, enum_name(&state_names, st->st_state));
+			}
+		}
+		else
+		{
+			loglog(RC_LOG_SERIOUS, "discarding duplicate packet; already %s"
+				, enum_name(&state_names, st->st_state));
+		}
+		return;
 	}
-	if (st->st_skeyid_e.ptr == (u_char *) NULL)
+
+	if (md->hdr.isa_flags & ISAKMP_FLAG_ENCRYPTION)
 	{
-	    loglog(RC_LOG_SERIOUS, "discarding encrypted message"
-		" because we haven't yet negotiated keying materiel");
-	    SEND_NOTIFICATION(INVALID_FLAGS);
-	    return;
-	}
+		DBG(DBG_CRYPT, DBG_log("received encrypted packet from %s:%u"
+			, ip_str(&md->sender), (unsigned)md->sender_port));
+
+		if (st == NULL)
+		{
+			plog("discarding encrypted message for an unknown ISAKMP SA");
+			SEND_NOTIFICATION(PAYLOAD_MALFORMED /* XXX ? */);
+			return;
+		}
+		if (st->st_skeyid_e.ptr == (u_char *) NULL)
+		{
+			loglog(RC_LOG_SERIOUS, "discarding encrypted message"
+				" because we haven't yet negotiated keying materiel");
+			SEND_NOTIFICATION(INVALID_FLAGS);
+			return;
+		}
 
-	/* Mark as encrypted */
-	md->encrypted = TRUE;
+		/* Mark as encrypted */
+		md->encrypted = TRUE;
 
-	DBG(DBG_CRYPT, DBG_log("decrypting %u bytes using algorithm %s"
-	    , (unsigned) pbs_left(&md->message_pbs)
-	    , enum_show(&oakley_enc_names, st->st_oakley.encrypt)));
+		DBG(DBG_CRYPT, DBG_log("decrypting %u bytes using algorithm %s"
+			, (unsigned) pbs_left(&md->message_pbs)
+			, enum_show(&oakley_enc_names, st->st_oakley.encrypt)));
 
-	/* do the specified decryption
-	 *
-	 * IV is from st->st_iv or (if new_iv_set) st->st_new_iv.
-	 * The new IV is placed in st->st_new_iv
-	 *
-	 * See RFC 2409 "IKE" Appendix B
-	 *
-	 * XXX The IV should only be updated really if the packet
-	 * is successfully processed.
-	 * We should keep this value, check for a success return
-	 * value from the parsing routines and then replace.
-	 *
-	 * Each post phase 1 exchange generates IVs from
-	 * the last phase 1 block, not the last block sent.
-	 */
-	{
-	    const struct encrypt_desc *e = st->st_oakley.encrypter;
+		/* do the specified decryption
+		 *
+		 * IV is from st->st_iv or (if new_iv_set) st->st_new_iv.
+		 * The new IV is placed in st->st_new_iv
+		 *
+		 * See RFC 2409 "IKE" Appendix B
+		 *
+		 * XXX The IV should only be updated really if the packet
+		 * is successfully processed.
+		 * We should keep this value, check for a success return
+		 * value from the parsing routines and then replace.
+		 *
+		 * Each post phase 1 exchange generates IVs from
+		 * the last phase 1 block, not the last block sent.
+		 */
+		{
+			size_t crypter_block_size;
+			encryption_algorithm_t enc_alg;
+			crypter_t *crypter;
+			chunk_t data, iv;
+		    char *new_iv;
 
-	    if (pbs_left(&md->message_pbs) % e->enc_blocksize != 0)
-	    {
-		loglog(RC_LOG_SERIOUS, "malformed message: not a multiple of encryption blocksize");
-		SEND_NOTIFICATION(PAYLOAD_MALFORMED);
-		return;
-	    }
-
-	    /* XXX Detect weak keys */
-
-	    /* grab a copy of raw packet (for duplicate packet detection) */
-	    clonetochunk(md->raw_packet, md->packet_pbs.start
-		, pbs_room(&md->packet_pbs), "raw packet");
-
-	    /* Decrypt everything after header */
-	    if (!new_iv_set)
-	    {
-		/* use old IV */
-		passert(st->st_iv_len <= sizeof(st->st_new_iv));
-		st->st_new_iv_len = st->st_iv_len;
-		memcpy(st->st_new_iv, st->st_iv, st->st_new_iv_len);
-	    }
-	    crypto_cbc_encrypt(e, FALSE, md->message_pbs.cur, 
-			    pbs_left(&md->message_pbs) , st);
-	    if (restore_iv)
-	    {
-		memcpy(st->st_new_iv, new_iv, new_iv_len);
-		st->st_new_iv_len = new_iv_len;
-	    }
-	}
+			enc_alg = oakley_to_encryption_algorithm(st->st_oakley.encrypt);
+			crypter = lib->crypto->create_crypter(lib->crypto, enc_alg, st->st_enc_key.len);
+			crypter_block_size = crypter->get_block_size(crypter);
 
-	DBG_cond_dump(DBG_CRYPT, "decrypted:\n", md->message_pbs.cur
-	    , md->message_pbs.roof - md->message_pbs.cur);
+			if (pbs_left(&md->message_pbs) % crypter_block_size != 0)
+			{
+				loglog(RC_LOG_SERIOUS, "malformed message: not a multiple of encryption blocksize");
+				SEND_NOTIFICATION(PAYLOAD_MALFORMED);
+				return;
+			}
 
-	DBG_cond_dump(DBG_CRYPT, "next IV:"
-	    , st->st_new_iv, st->st_new_iv_len);
-    }
-    else
-    {
-	/* packet was not encryped -- should it have been? */
+			/* XXX Detect weak keys */
 
-	if (smc->flags & SMF_INPUT_ENCRYPTED)
-	{
-	    loglog(RC_LOG_SERIOUS, "packet rejected: should have been encrypted");
-	    SEND_NOTIFICATION(INVALID_FLAGS);
-	    return;
+			/* grab a copy of raw packet (for duplicate packet detection) */
+			md->raw_packet = chunk_create(md->packet_pbs.start, pbs_room(&md->packet_pbs));
+			md->raw_packet = chunk_clone(md->raw_packet);
+
+			data = chunk_create(md->message_pbs.cur, pbs_left(&md->message_pbs));
+
+			/* Decrypt everything after header */
+			if (!new_iv_set)
+			{
+				/* use old IV */
+				passert(st->st_iv_len <= sizeof(st->st_new_iv));
+				st->st_new_iv_len = st->st_iv_len;
+				memcpy(st->st_new_iv, st->st_iv, st->st_new_iv_len);
+			}
+
+			/* form iv by truncation */
+			st->st_new_iv_len = crypter_block_size;
+			iv = chunk_create(st->st_new_iv, st->st_new_iv_len);
+			new_iv = alloca(crypter_block_size);
+			memcpy(new_iv, data.ptr + data.len - crypter_block_size,
+				   crypter_block_size);
+
+			crypter->set_key(crypter, st->st_enc_key);	
+			crypter->decrypt(crypter, data, iv, NULL);
+			crypter->destroy(crypter);
+
+    		memcpy(st->st_new_iv, new_iv, crypter_block_size);
+			if (restore_iv)
+			{
+				memcpy(st->st_new_iv, new_iv, new_iv_len);
+				st->st_new_iv_len = new_iv_len;
+			}
+		}
+
+		DBG_cond_dump(DBG_CRYPT, "decrypted:\n", md->message_pbs.cur
+			, md->message_pbs.roof - md->message_pbs.cur);
+
+		DBG_cond_dump(DBG_CRYPT, "next IV:"
+			, st->st_new_iv, st->st_new_iv_len);
 	}
-    }
-
-    /* Digest the message.
-     * Padding must be removed to make hashing work.
-     * Padding comes from encryption (so this code must be after decryption).
-     * Padding rules are described before the definition of
-     * struct isakmp_hdr in packet.h.
-     */
-    {
-	struct payload_digest *pd = md->digest;
-	int np = md->hdr.isa_np;
-	lset_t needed = smc->req_payloads;
-	const char *excuse
-	    = LIN(SMF_PSK_AUTH | SMF_FIRST_ENCRYPTED_INPUT, smc->flags)
-		? "probable authentication failure (mismatch of preshared secrets?): "
-		: "";
-
-	while (np != ISAKMP_NEXT_NONE)
+	else
 	{
-	    struct_desc *sd = np < ISAKMP_NEXT_ROOF? payload_descs[np] : NULL;
+		/* packet was not encryped -- should it have been? */
 
-	    if (pd == &md->digest[PAYLIMIT])
-	    {
-		loglog(RC_LOG_SERIOUS, "more than %d payloads in message; ignored", PAYLIMIT);
-		SEND_NOTIFICATION(PAYLOAD_MALFORMED);
-		return;
-	    }
-
-	    switch (np)
-	    {
-		case ISAKMP_NEXT_NATD_RFC:
-		case ISAKMP_NEXT_NATOA_RFC:
-		    if (!st || !(st->nat_traversal & NAT_T_WITH_RFC_VALUES))
-		    {
-			/*
-			 * don't accept NAT-D/NAT-OA reloc directly in message, unless
-			 * we're using NAT-T RFC
-			 */
-			sd = NULL;
-		    }
-		    break;
-	    }
-
-	    if (sd == NULL)
-	    {
-		/* payload type is out of range or requires special handling */
-		switch (np)
+		if (smc->flags & SMF_INPUT_ENCRYPTED)
 		{
-		case ISAKMP_NEXT_ID:
-		    sd = IS_PHASE1(from_state)
-			? &isakmp_identification_desc : &isakmp_ipsec_identification_desc;
-		    break;
-		case ISAKMP_NEXT_NATD_DRAFTS:
-		    np = ISAKMP_NEXT_NATD_RFC;  /* NAT-D relocated */
-		    sd = payload_descs[np];
-		    break;
-		case ISAKMP_NEXT_NATOA_DRAFTS:
-		    np = ISAKMP_NEXT_NATOA_RFC;  /* NAT-OA relocated */
-		    sd = payload_descs[np];
-		    break;
-		default:
-		    loglog(RC_LOG_SERIOUS, "%smessage ignored because it contains an unknown or"
-			" unexpected payload type (%s) at the outermost level"
-			, excuse, enum_show(&payload_names, np));
-		    SEND_NOTIFICATION(INVALID_PAYLOAD_TYPE);
-		    return;
+			loglog(RC_LOG_SERIOUS, "packet rejected: should have been encrypted");
+			SEND_NOTIFICATION(INVALID_FLAGS);
+			return;
 		}
-	    }
-
-	    {
-		lset_t s = LELEM(np);
+	}
 
-		if (LDISJOINT(s
-		, needed | smc->opt_payloads| LELEM(ISAKMP_NEXT_N) | LELEM(ISAKMP_NEXT_D)))
+	/* Digest the message.
+	 * Padding must be removed to make hashing work.
+	 * Padding comes from encryption (so this code must be after decryption).
+	 * Padding rules are described before the definition of
+	 * struct isakmp_hdr in packet.h.
+	 */
+	{
+		struct payload_digest *pd = md->digest;
+		int np = md->hdr.isa_np;
+		lset_t needed = smc->req_payloads;
+		const char *excuse
+			= LIN(SMF_PSK_AUTH | SMF_FIRST_ENCRYPTED_INPUT, smc->flags)
+				? "probable authentication failure (mismatch of preshared secrets?): "
+				: "";
+
+		while (np != ISAKMP_NEXT_NONE)
 		{
-		    loglog(RC_LOG_SERIOUS, "%smessage ignored because it "
-			   "contains an unexpected payload type (%s)"
-			, excuse, enum_show(&payload_names, np));
-		    SEND_NOTIFICATION(INVALID_PAYLOAD_TYPE);
-		    return;
+			struct_desc *sd = np < ISAKMP_NEXT_ROOF? payload_descs[np] : NULL;
+
+			if (pd == &md->digest[PAYLIMIT])
+			{
+				loglog(RC_LOG_SERIOUS, "more than %d payloads in message; ignored", PAYLIMIT);
+				SEND_NOTIFICATION(PAYLOAD_MALFORMED);
+				return;
+			}
+
+			switch (np)
+			{
+				case ISAKMP_NEXT_NATD_RFC:
+				case ISAKMP_NEXT_NATOA_RFC:
+					if (!st || !(st->nat_traversal & NAT_T_WITH_RFC_VALUES))
+					{
+						/*
+						 * don't accept NAT-D/NAT-OA reloc directly in message, unless
+						 * we're using NAT-T RFC
+						 */
+						sd = NULL;
+					}
+					break;
+			}
+
+			if (sd == NULL)
+			{
+				/* payload type is out of range or requires special handling */
+				switch (np)
+				{
+				case ISAKMP_NEXT_ID:
+					sd = IS_PHASE1(from_state)
+						? &isakmp_identification_desc : &isakmp_ipsec_identification_desc;
+					break;
+				case ISAKMP_NEXT_NATD_DRAFTS:
+					np = ISAKMP_NEXT_NATD_RFC;  /* NAT-D relocated */
+					sd = payload_descs[np];
+					break;
+				case ISAKMP_NEXT_NATOA_DRAFTS:
+					np = ISAKMP_NEXT_NATOA_RFC;  /* NAT-OA relocated */
+					sd = payload_descs[np];
+					break;
+				default:
+					loglog(RC_LOG_SERIOUS, "%smessage ignored because it contains an unknown or"
+						" unexpected payload type (%s) at the outermost level"
+						, excuse, enum_show(&payload_names, np));
+					SEND_NOTIFICATION(INVALID_PAYLOAD_TYPE);
+					return;
+				}
+			}
+
+			{
+				lset_t s = LELEM(np);
+
+				if (LDISJOINT(s
+				, needed | smc->opt_payloads| LELEM(ISAKMP_NEXT_N) | LELEM(ISAKMP_NEXT_D)))
+				{
+					loglog(RC_LOG_SERIOUS, "%smessage ignored because it "
+						   "contains an unexpected payload type (%s)"
+						, excuse, enum_show(&payload_names, np));
+					SEND_NOTIFICATION(INVALID_PAYLOAD_TYPE);
+					return;
+				}
+				needed &= ~s;
+			}
+
+			if (!in_struct(&pd->payload, sd, &md->message_pbs, &pd->pbs))
+			{
+				loglog(RC_LOG_SERIOUS, "%smalformed payload in packet", excuse);
+				if (md->hdr.isa_xchg != ISAKMP_XCHG_INFO)
+					SEND_NOTIFICATION(PAYLOAD_MALFORMED);
+				return;
+			}
+
+			/* place this payload at the end of the chain for this type */
+			{
+				struct payload_digest **p;
+
+				for (p = &md->chain[np]; *p != NULL; p = &(*p)->next)
+					;
+				*p = pd;
+				pd->next = NULL;
+			}
+
+			np = pd->payload.generic.isag_np;
+			pd++;
+
+			/* since we've digested one payload happily, it is probably
+			 * the case that any decryption worked.  So we will not suggest
+			 * encryption failure as an excuse for subsequent payload
+			 * problems.
+			 */
+			excuse = "";
 		}
-		needed &= ~s;
-	    }
-
-	    if (!in_struct(&pd->payload, sd, &md->message_pbs, &pd->pbs))
-	    {
-		loglog(RC_LOG_SERIOUS, "%smalformed payload in packet", excuse);
-		if (md->hdr.isa_xchg != ISAKMP_XCHG_INFO)
-		    SEND_NOTIFICATION(PAYLOAD_MALFORMED);
-		return;
-	    }
-
-	    /* place this payload at the end of the chain for this type */
-	    {
-		struct payload_digest **p;
-
-		for (p = &md->chain[np]; *p != NULL; p = &(*p)->next)
-		    ;
-		*p = pd;
-		pd->next = NULL;
-	    }
-
-	    np = pd->payload.generic.isag_np;
-	    pd++;
-
-	    /* since we've digested one payload happily, it is probably
-	     * the case that any decryption worked.  So we will not suggest
-	     * encryption failure as an excuse for subsequent payload
-	     * problems.
-	     */
-	    excuse = "";
-	}
 
-	md->digest_roof = pd;
+		md->digest_roof = pd;
 
-	DBG(DBG_PARSING,
-	    if (pbs_left(&md->message_pbs) != 0)
-		DBG_log("removing %d bytes of padding", (int) pbs_left(&md->message_pbs)));
+		DBG(DBG_PARSING,
+			if (pbs_left(&md->message_pbs) != 0)
+				DBG_log("removing %d bytes of padding", (int) pbs_left(&md->message_pbs)));
 
-	md->message_pbs.roof = md->message_pbs.cur;
+		md->message_pbs.roof = md->message_pbs.cur;
 
-	/* check that all mandatory payloads appeared */
+		/* check that all mandatory payloads appeared */
 
-	if (needed != 0)
-	{
-	    loglog(RC_LOG_SERIOUS, "message for %s is missing payloads %s"
-		, enum_show(&state_names, from_state)
-		, bitnamesof(payload_name, needed));
-	    SEND_NOTIFICATION(PAYLOAD_MALFORMED);
-	    return;
+		if (needed != 0)
+		{
+			loglog(RC_LOG_SERIOUS, "message for %s is missing payloads %s"
+				, enum_show(&state_names, from_state)
+				, bitnamesof(payload_name, needed));
+			SEND_NOTIFICATION(PAYLOAD_MALFORMED);
+			return;
+		}
 	}
-    }
 
-    /* more sanity checking: enforce most ordering constraints */
+	/* more sanity checking: enforce most ordering constraints */
 
-    if (IS_PHASE1(from_state))
-    {
-	/* rfc2409: The Internet Key Exchange (IKE), 5 Exchanges:
-	 * "The SA payload MUST precede all other payloads in a phase 1 exchange."
-	 */
-	if (md->chain[ISAKMP_NEXT_SA] != NULL
-	&& md->hdr.isa_np != ISAKMP_NEXT_SA)
+	if (IS_PHASE1(from_state))
 	{
-	    loglog(RC_LOG_SERIOUS, "malformed Phase 1 message: does not start with an SA payload");
-	    SEND_NOTIFICATION(PAYLOAD_MALFORMED);
-	    return;
+		/* rfc2409: The Internet Key Exchange (IKE), 5 Exchanges:
+		 * "The SA payload MUST precede all other payloads in a phase 1 exchange."
+		 */
+		if (md->chain[ISAKMP_NEXT_SA] != NULL
+		&& md->hdr.isa_np != ISAKMP_NEXT_SA)
+		{
+			loglog(RC_LOG_SERIOUS, "malformed Phase 1 message: does not start with an SA payload");
+			SEND_NOTIFICATION(PAYLOAD_MALFORMED);
+			return;
+		}
 	}
-    }
-    else if (IS_QUICK(from_state))
-    {
-	/* rfc2409: The Internet Key Exchange (IKE), 5.5 Phase 2 - Quick Mode
-	 *
-	 * "In Quick Mode, a HASH payload MUST immediately follow the ISAKMP
-	 *  header and a SA payload MUST immediately follow the HASH."
-	 * [NOTE: there may be more than one SA payload, so this is not
-	 *  totally reasonable.  Probably all SAs should be so constrained.]
-	 *
-	 * "If ISAKMP is acting as a client negotiator on behalf of another
-	 *  party, the identities of the parties MUST be passed as IDci and
-	 *  then IDcr."
-	 *
-	 * "With the exception of the HASH, SA, and the optional ID payloads,
-	 *  there are no payload ordering restrictions on Quick Mode."
-	 */
-
-	if (md->hdr.isa_np != ISAKMP_NEXT_HASH)
+	else if (IS_QUICK(from_state))
 	{
-	    loglog(RC_LOG_SERIOUS, "malformed Quick Mode message: does not start with a HASH payload");
-	    SEND_NOTIFICATION(PAYLOAD_MALFORMED);
-	    return;
-	}
+		/* rfc2409: The Internet Key Exchange (IKE), 5.5 Phase 2 - Quick Mode
+		 *
+		 * "In Quick Mode, a HASH payload MUST immediately follow the ISAKMP
+		 *  header and a SA payload MUST immediately follow the HASH."
+		 * [NOTE: there may be more than one SA payload, so this is not
+		 *  totally reasonable.  Probably all SAs should be so constrained.]
+		 *
+		 * "If ISAKMP is acting as a client negotiator on behalf of another
+		 *  party, the identities of the parties MUST be passed as IDci and
+		 *  then IDcr."
+		 *
+		 * "With the exception of the HASH, SA, and the optional ID payloads,
+		 *  there are no payload ordering restrictions on Quick Mode."
+		 */
 
-	{
-	    struct payload_digest *p;
-	    int i;
+		if (md->hdr.isa_np != ISAKMP_NEXT_HASH)
+		{
+			loglog(RC_LOG_SERIOUS, "malformed Quick Mode message: does not start with a HASH payload");
+			SEND_NOTIFICATION(PAYLOAD_MALFORMED);
+			return;
+		}
 
-	    for (p = md->chain[ISAKMP_NEXT_SA], i = 1; p != NULL
-	    ; p = p->next, i++)
-	    {
-		if (p != &md->digest[i])
 		{
-		    loglog(RC_LOG_SERIOUS, "malformed Quick Mode message: SA payload is in wrong position");
-		    SEND_NOTIFICATION(PAYLOAD_MALFORMED);
-		    return;
+			struct payload_digest *p;
+			int i;
+
+			for (p = md->chain[ISAKMP_NEXT_SA], i = 1; p != NULL
+			; p = p->next, i++)
+			{
+				if (p != &md->digest[i])
+				{
+					loglog(RC_LOG_SERIOUS, "malformed Quick Mode message: SA payload is in wrong position");
+					SEND_NOTIFICATION(PAYLOAD_MALFORMED);
+					return;
+				}
+			}
+		}
+
+		/* rfc2409: The Internet Key Exchange (IKE), 5.5 Phase 2 - Quick Mode:
+		 * "If ISAKMP is acting as a client negotiator on behalf of another
+		 *  party, the identities of the parties MUST be passed as IDci and
+		 *  then IDcr."
+		 */
+		{
+			struct payload_digest *id = md->chain[ISAKMP_NEXT_ID];
+
+			if (id != NULL)
+			{
+				if (id->next == NULL || id->next->next != NULL)
+				{
+					loglog(RC_LOG_SERIOUS, "malformed Quick Mode message:"
+						" if any ID payload is present,"
+						" there must be exactly two");
+					SEND_NOTIFICATION(PAYLOAD_MALFORMED);
+					return;
+				}
+				if (id+1 != id->next)
+				{
+					loglog(RC_LOG_SERIOUS, "malformed Quick Mode message:"
+						" the ID payloads are not adjacent");
+					SEND_NOTIFICATION(PAYLOAD_MALFORMED);
+					return;
+				}
+			}
 		}
-	    }
 	}
 
-	/* rfc2409: The Internet Key Exchange (IKE), 5.5 Phase 2 - Quick Mode:
-	 * "If ISAKMP is acting as a client negotiator on behalf of another
-	 *  party, the identities of the parties MUST be passed as IDci and
-	 *  then IDcr."
+	/* Ignore payloads that we don't handle:
+	 * Delete, Notification, VendorID
 	 */
+	/* XXX Handle deletions */
+	/* XXX Handle Notifications */
+	/* XXX Handle VID payloads */
 	{
-	    struct payload_digest *id = md->chain[ISAKMP_NEXT_ID];
+		struct payload_digest *p;
 
-	    if (id != NULL)
-	    {
-		if (id->next == NULL || id->next->next != NULL)
+		for (p = md->chain[ISAKMP_NEXT_N]; p != NULL; p = p->next)
 		{
-		    loglog(RC_LOG_SERIOUS, "malformed Quick Mode message:"
-			" if any ID payload is present,"
-			" there must be exactly two");
-		    SEND_NOTIFICATION(PAYLOAD_MALFORMED);
-		    return;
+			if (p->payload.notification.isan_type != R_U_THERE
+			&&  p->payload.notification.isan_type != R_U_THERE_ACK)
+			{
+				loglog(RC_LOG_SERIOUS, "ignoring informational payload, type %s"
+					, enum_show(&notification_names, p->payload.notification.isan_type));
+			}
+			DBG_cond_dump(DBG_PARSING, "info:", p->pbs.cur, pbs_left(&p->pbs));
 		}
-		if (id+1 != id->next)
+
+		for (p = md->chain[ISAKMP_NEXT_D]; p != NULL; p = p->next)
 		{
-		    loglog(RC_LOG_SERIOUS, "malformed Quick Mode message:"
-			" the ID payloads are not adjacent");
-		    SEND_NOTIFICATION(PAYLOAD_MALFORMED);
-		    return;
+			accept_delete(st, md, p);
+			DBG_cond_dump(DBG_PARSING, "del:", p->pbs.cur, pbs_left(&p->pbs));
 		}
-	    }
-	}
-    }
-
-    /* Ignore payloads that we don't handle:
-     * Delete, Notification, VendorID
-     */
-    /* XXX Handle deletions */
-    /* XXX Handle Notifications */
-    /* XXX Handle VID payloads */
-    {
-	struct payload_digest *p;
-
-	for (p = md->chain[ISAKMP_NEXT_N]; p != NULL; p = p->next)
-	{
-	    if (p->payload.notification.isan_type != R_U_THERE
-	    &&  p->payload.notification.isan_type != R_U_THERE_ACK)
-	    {
-		loglog(RC_LOG_SERIOUS, "ignoring informational payload, type %s"
-		    , enum_show(&notification_names, p->payload.notification.isan_type));
-	    }
-	    DBG_cond_dump(DBG_PARSING, "info:", p->pbs.cur, pbs_left(&p->pbs));
-	}
 
-	for (p = md->chain[ISAKMP_NEXT_D]; p != NULL; p = p->next)
-	{
-	    accept_delete(st, md, p);
-	    DBG_cond_dump(DBG_PARSING, "del:", p->pbs.cur, pbs_left(&p->pbs));
-	}
-
-	for (p = md->chain[ISAKMP_NEXT_VID]; p != NULL; p = p->next)
-	{
-	    handle_vendorid(md, p->pbs.cur, pbs_left(&p->pbs));
+		for (p = md->chain[ISAKMP_NEXT_VID]; p != NULL; p = p->next)
+		{
+			handle_vendorid(md, p->pbs.cur, pbs_left(&p->pbs));
+		}
 	}
-    }
-    md->from_state = from_state;
-    md->smc = smc;
-    md->st = st;
+	md->from_state = from_state;
+	md->smc = smc;
+	md->st = st;
 
-    /* possibly fill in hdr */
-    if (smc->first_out_payload != ISAKMP_NEXT_NONE)
-	echo_hdr(md, (smc->flags & SMF_OUTPUT_ENCRYPTED) != 0
-	    , smc->first_out_payload);
+	/* possibly fill in hdr */
+	if (smc->first_out_payload != ISAKMP_NEXT_NONE)
+		echo_hdr(md, (smc->flags & SMF_OUTPUT_ENCRYPTED) != 0
+			, smc->first_out_payload);
 
-    complete_state_transition(mdp, smc->processor(md));
+	complete_state_transition(mdp, smc->processor(md));
 }
 
 /* complete job started by the state-specific state transition function */
@@ -2094,406 +2116,406 @@ process_packet(struct msg_digest **mdp)
 void
 complete_state_transition(struct msg_digest **mdp, stf_status result)
 {
-    bool has_xauth_policy;
-    bool is_xauth_server;
-    struct msg_digest *md = *mdp;
-    const struct state_microcode *smc = md->smc;
-    enum state_kind from_state = md->from_state;
-    struct state *st;
-
-    cur_state = st = md->st;	/* might have changed */
-
-    /* If state has DPD support, import it */
-    if (st && md->dpd)
-	st->st_dpd = TRUE;
-
-    switch (result)
-    {
-	case STF_IGNORE:
-	    break;
-
-	case STF_SUSPEND:
-	    /* the stf didn't complete its job: don't relase md */
-	    *mdp = NULL;
-	    break;
-
-	case STF_OK:
-	    /* advance the state */
-	    st->st_state = smc->next_state;
-
-	    /* Delete previous retransmission event.
-	     * New event will be scheduled below.
-	     */
-	    delete_event(st);
-
-	    /* replace previous receive packet with latest */
-
-	    pfreeany(st->st_rpacket.ptr);
-
-	    if (md->encrypted)
-	    {
-		/* if encrypted, duplication already done */
-		st->st_rpacket = md->raw_packet;
-		md->raw_packet.ptr = NULL;
-	    }
-	    else
-	    {
-		clonetochunk(st->st_rpacket
-		    , md->packet_pbs.start
-		    , pbs_room(&md->packet_pbs), "raw packet");
-	    }
-
-	    /* free previous transmit packet */
-	    freeanychunk(st->st_tpacket);
-
-	    /* if requested, send the new reply packet */
-	    if (smc->flags & SMF_REPLY)
-	    {
-		close_output_pbs(&md->reply);   /* good form, but actually a no-op */
-
-		clonetochunk(st->st_tpacket, md->reply.start
-		    , pbs_offset(&md->reply), "reply packet");
-
-		if (nat_traversal_enabled)
-		    nat_traversal_change_port_lookup(md, md->st);
-
-		/* actually send the packet
-		 * Note: this is a great place to implement "impairments"
-		 * for testing purposes.  Suppress or duplicate the
-		 * send_packet call depending on st->st_state.
-		 */
-		send_packet(st, enum_name(&state_names, from_state));
-	    }
+	bool has_xauth_policy;
+	bool is_xauth_server;
+	struct msg_digest *md = *mdp;
+	const struct state_microcode *smc = md->smc;
+	enum state_kind from_state = md->from_state;
+	struct state *st;
 
-	    /* Schedule for whatever timeout is specified */
-	    {
-		time_t delay = UNDEFINED_TIME;
-		enum event_type kind = smc->timeout_event;
-		bool agreed_time = FALSE;
-		struct connection *c = st->st_connection;
+	cur_state = st = md->st;    /* might have changed */
 
-		switch (kind)
-		{
-		case EVENT_RETRANSMIT:	/* Retransmit packet */
-		    delay = EVENT_RETRANSMIT_DELAY_0;
-		    break;
-
-		case EVENT_SA_REPLACE:	/* SA replacement event */
-		    if (IS_PHASE1(st->st_state))
-		    {
-			/* Note: we will defer to the "negotiated" (dictated)
-			 * lifetime if we are POLICY_DONT_REKEY.
-			 * This allows the other side to dictate
-			 * a time we would not otherwise accept
-			 * but it prevents us from having to initiate
-			 * rekeying.  The negative consequences seem
-			 * minor.
+	/* If state has DPD support, import it */
+	if (st && md->dpd)
+		st->st_dpd = TRUE;
+
+	switch (result)
+	{
+		case STF_IGNORE:
+			break;
+
+		case STF_SUSPEND:
+			/* the stf didn't complete its job: don't relase md */
+			*mdp = NULL;
+			break;
+
+		case STF_OK:
+			/* advance the state */
+			st->st_state = smc->next_state;
+
+			/* Delete previous retransmission event.
+			 * New event will be scheduled below.
 			 */
-			delay = c->sa_ike_life_seconds;
-			if ((c->policy & POLICY_DONT_REKEY)
-			|| delay >= st->st_oakley.life_seconds)
+			delete_event(st);
+
+			/* replace previous receive packet with latest */
+
+			free(st->st_rpacket.ptr);
+
+			if (md->encrypted)
 			{
-			    agreed_time = TRUE;
-			    delay = st->st_oakley.life_seconds;
+				/* if encrypted, duplication already done */
+				st->st_rpacket = md->raw_packet;
+				md->raw_packet.ptr = NULL;
 			}
-		    }
-		    else
-		    {
-			/* Delay is min of up to four things:
-			 * each can limit the lifetime.
-			 */
-			delay = c->sa_ipsec_life_seconds;
-			if (st->st_ah.present
-			&& delay >= st->st_ah.attrs.life_seconds)
+			else
 			{
-			    agreed_time = TRUE;
-			    delay = st->st_ah.attrs.life_seconds;
+				st->st_rpacket = chunk_create(md->packet_pbs.start,
+											  pbs_room(&md->packet_pbs));
+				st->st_rpacket = chunk_clone(st->st_rpacket);
 			}
-			if (st->st_esp.present
-			&& delay >= st->st_esp.attrs.life_seconds)
+
+			/* free previous transmit packet */
+			chunk_free(&st->st_tpacket);
+
+			/* if requested, send the new reply packet */
+			if (smc->flags & SMF_REPLY)
 			{
-			    agreed_time = TRUE;
-			    delay = st->st_esp.attrs.life_seconds;
+				close_output_pbs(&md->reply);   /* good form, but actually a no-op */
+
+				st->st_tpacket = chunk_create(md->reply.start, pbs_offset(&md->reply));
+				st->st_tpacket = chunk_clone(st->st_tpacket);
+
+				if (nat_traversal_enabled)
+					nat_traversal_change_port_lookup(md, md->st);
+
+				/* actually send the packet
+				 * Note: this is a great place to implement "impairments"
+				 * for testing purposes.  Suppress or duplicate the
+				 * send_packet call depending on st->st_state.
+				 */
+				send_packet(st, enum_name(&state_names, from_state));
 			}
-			if (st->st_ipcomp.present
-			&& delay >= st->st_ipcomp.attrs.life_seconds)
+
+			/* Schedule for whatever timeout is specified */
 			{
-			    agreed_time = TRUE;
-			    delay = st->st_ipcomp.attrs.life_seconds;
+				time_t delay = UNDEFINED_TIME;
+				enum event_type kind = smc->timeout_event;
+				bool agreed_time = FALSE;
+				struct connection *c = st->st_connection;
+
+				switch (kind)
+				{
+				case EVENT_RETRANSMIT:  /* Retransmit packet */
+					delay = EVENT_RETRANSMIT_DELAY_0;
+					break;
+
+				case EVENT_SA_REPLACE:  /* SA replacement event */
+					if (IS_PHASE1(st->st_state))
+					{
+						/* Note: we will defer to the "negotiated" (dictated)
+						 * lifetime if we are POLICY_DONT_REKEY.
+						 * This allows the other side to dictate
+						 * a time we would not otherwise accept
+						 * but it prevents us from having to initiate
+						 * rekeying.  The negative consequences seem
+						 * minor.
+						 */
+						delay = c->sa_ike_life_seconds;
+						if ((c->policy & POLICY_DONT_REKEY)
+						|| delay >= st->st_oakley.life_seconds)
+						{
+							agreed_time = TRUE;
+							delay = st->st_oakley.life_seconds;
+						}
+					}
+					else
+					{
+						/* Delay is min of up to four things:
+						 * each can limit the lifetime.
+						 */
+						delay = c->sa_ipsec_life_seconds;
+						if (st->st_ah.present
+						&& delay >= st->st_ah.attrs.life_seconds)
+						{
+							agreed_time = TRUE;
+							delay = st->st_ah.attrs.life_seconds;
+						}
+						if (st->st_esp.present
+						&& delay >= st->st_esp.attrs.life_seconds)
+						{
+							agreed_time = TRUE;
+							delay = st->st_esp.attrs.life_seconds;
+						}
+						if (st->st_ipcomp.present
+						&& delay >= st->st_ipcomp.attrs.life_seconds)
+						{
+							agreed_time = TRUE;
+							delay = st->st_ipcomp.attrs.life_seconds;
+						}
+					}
+
+					/* By default, we plan to rekey.
+					 *
+					 * If there isn't enough time to rekey, plan to
+					 * expire.
+					 *
+					 * If we are --dontrekey, a lot more rules apply.
+					 * If we are the Initiator, use REPLACE_IF_USED.
+					 * If we are the Responder, and the dictated time
+					 * was unacceptable (too large), plan to REPLACE
+					 * (the only way to ratchet down the time).
+					 * If we are the Responder, and the dictated time
+					 * is acceptable, plan to EXPIRE.
+					 *
+					 * Important policy lies buried here.
+					 * For example, we favour the initiator over the
+					 * responder by making the initiator start rekeying
+					 * sooner.  Also, fuzz is only added to the
+					 * initiator's margin.
+					 *
+					 * Note: for ISAKMP SA, we let the negotiated
+					 * time stand (implemented by earlier logic).
+					 */
+					if (agreed_time
+					&& (c->policy & POLICY_DONT_REKEY))
+					{
+						kind = (smc->flags & SMF_INITIATOR)
+							? EVENT_SA_REPLACE_IF_USED
+							: EVENT_SA_EXPIRE;
+					}
+					if (kind != EVENT_SA_EXPIRE)
+					{
+						unsigned long marg = c->sa_rekey_margin;
+
+						if (smc->flags & SMF_INITIATOR)
+							marg += marg
+								* c->sa_rekey_fuzz / 100.E0
+								* (rand() / (RAND_MAX + 1.E0));
+						else
+							marg /= 2;
+
+						if ((unsigned long)delay > marg)
+						{
+							delay -= marg;
+							st->st_margin = marg;
+						}
+						else
+						{
+							kind = EVENT_SA_EXPIRE;
+						}
+					}
+					break;
+
+				case EVENT_NULL:                /* non-event */
+				case EVENT_REINIT_SECRET:       /* Refresh cookie secret */
+				default:
+					bad_case(kind);
+				}
+				event_schedule(kind, delay, st);
 			}
-		    }
-
-		    /* By default, we plan to rekey.
-		     *
-		     * If there isn't enough time to rekey, plan to
-		     * expire.
-		     *
-		     * If we are --dontrekey, a lot more rules apply.
-		     * If we are the Initiator, use REPLACE_IF_USED.
-		     * If we are the Responder, and the dictated time
-		     * was unacceptable (too large), plan to REPLACE
-		     * (the only way to ratchet down the time).
-		     * If we are the Responder, and the dictated time
-		     * is acceptable, plan to EXPIRE.
-		     *
-		     * Important policy lies buried here.
-		     * For example, we favour the initiator over the
-		     * responder by making the initiator start rekeying
-		     * sooner.  Also, fuzz is only added to the
-		     * initiator's margin.
-		     *
-		     * Note: for ISAKMP SA, we let the negotiated
-		     * time stand (implemented by earlier logic).
-		     */
-		    if (agreed_time
-		    && (c->policy & POLICY_DONT_REKEY))
-		    {
-			kind = (smc->flags & SMF_INITIATOR)
-			    ? EVENT_SA_REPLACE_IF_USED
-			    : EVENT_SA_EXPIRE;
-		    }
-		    if (kind != EVENT_SA_EXPIRE)
-		    {
-			unsigned long marg = c->sa_rekey_margin;
-
-			if (smc->flags & SMF_INITIATOR)
-			    marg += marg
-				* c->sa_rekey_fuzz / 100.E0
-				* (rand() / (RAND_MAX + 1.E0));
-			else
-			    marg /= 2;
 
-			if ((unsigned long)delay > marg)
+			/* tell whack and log of progress */
 			{
-			    delay -= marg;
-			    st->st_margin = marg;
+				const char *story = state_story[st->st_state - STATE_MAIN_R0];
+				enum rc_type w = RC_NEW_STATE + st->st_state;
+				char sadetails[128];
+				
+				sadetails[0]='\0';
+
+				if (IS_IPSEC_SA_ESTABLISHED(st->st_state))
+				{
+					char *b = sadetails;
+					const char *ini = " {";
+					const char *fin = "";
+
+					/* -1 is to leave space for "fin" */
+
+					if (st->st_esp.present)
+					{
+						snprintf(b, sizeof(sadetails)-(b-sadetails)-1
+								 , "%sESP=>0x%08x <0x%08x"
+								 , ini
+								 , ntohl(st->st_esp.attrs.spi)
+								 , ntohl(st->st_esp.our_spi));
+						ini = " ";
+						fin = "}";
+					}
+					/* advance b to end of string */
+					b = b + strlen(b);
+
+					if (st->st_ah.present)
+					{
+						snprintf(b, sizeof(sadetails)-(b-sadetails)-1
+								 , "%sAH=>0x%08x <0x%08x"
+								 , ini
+								 , ntohl(st->st_ah.attrs.spi)
+								 , ntohl(st->st_ah.our_spi));
+						ini = " ";
+						fin = "}";
+					}
+					/* advance b to end of string */
+					b = b + strlen(b);
+
+					if (st->st_ipcomp.present)
+					{
+						snprintf(b, sizeof(sadetails)-(b-sadetails)-1
+								 , "%sIPCOMP=>0x%08x <0x%08x"
+								 , ini
+								 , ntohl(st->st_ipcomp.attrs.spi)
+								 , ntohl(st->st_ipcomp.our_spi));
+						ini = " ";
+						fin = "}";
+					}
+					/* advance b to end of string */
+					b = b + strlen(b);
+
+					if (st->nat_traversal)
+					{
+						char oa[ADDRTOT_BUF];
+						addrtot(&st->nat_oa, 0, oa, sizeof(oa));
+						snprintf(b, sizeof(sadetails)-(b-sadetails)-1
+								 , "%sNATOA=%s"
+								 , ini, oa);
+						ini = " ";
+						fin = "}";
+					}
+
+					/* advance b to end of string */
+					b = b + strlen(b);
+
+					if (st->st_dpd)
+					{
+						snprintf(b, sizeof(sadetails)-(b-sadetails)-1
+								 , "%sDPD"
+								 , ini);
+						ini = " ";
+						fin = "}";
+					}
+
+					strcat(b, fin);
+				}
+
+				if (IS_ISAKMP_SA_ESTABLISHED(st->st_state)
+				||  IS_IPSEC_SA_ESTABLISHED(st->st_state))
+				{
+					/* log our success */
+					plog("%s%s", story, sadetails);
+					w = RC_SUCCESS;
+				}
+
+				/* tell whack our progress */
+				whack_log(w
+					, "%s: %s%s"
+					, enum_name(&state_names, st->st_state)
+					, story, sadetails);
 			}
-			else
+
+			has_xauth_policy = (st->st_connection->policy
+							   & (POLICY_XAUTH_RSASIG | POLICY_XAUTH_PSK))
+							   != LEMPTY;
+			is_xauth_server =  (st->st_connection->policy
+							   & POLICY_XAUTH_SERVER)
+							   != LEMPTY;
+
+			/* Should we start XAUTH as a server */
+			if (has_xauth_policy && is_xauth_server
+			&& IS_ISAKMP_SA_ESTABLISHED(st->st_state)
+			&& !st->st_xauth.started)
 			{
-			    kind = EVENT_SA_EXPIRE;
+				DBG(DBG_CONTROL,
+					DBG_log("starting XAUTH server")
+				)
+				xauth_send_request(st);
+				break;
 			}
-		    }
-		    break;
 
-		case EVENT_NULL:		/* non-event */
-		case EVENT_REINIT_SECRET:	/* Refresh cookie secret */
-		default:
-		    bad_case(kind);
-		}
-		event_schedule(kind, delay, st);
-	    }
-
-	    /* tell whack and log of progress */
-	    {
-		const char *story = state_story[st->st_state - STATE_MAIN_R0];
-		enum rc_type w = RC_NEW_STATE + st->st_state;
-		char sadetails[128];
-		
-		sadetails[0]='\0';
+			/* Wait for XAUTH request from server */
+			if (has_xauth_policy && !is_xauth_server
+			&& IS_ISAKMP_SA_ESTABLISHED(st->st_state)
+			&& !st->st_xauth.started)
+			{
+				DBG(DBG_CONTROL,
+					DBG_log("waiting for XAUTH request from server")
+				)
+				break;
+			}
 
-		if (IS_IPSEC_SA_ESTABLISHED(st->st_state))
-		{
-		    char *b = sadetails;
-		    const char *ini = " {";
-		    const char *fin = "";
-
-		    /* -1 is to leave space for "fin" */
-
-		    if (st->st_esp.present)
-		    {
-			snprintf(b, sizeof(sadetails)-(b-sadetails)-1
-				 , "%sESP=>0x%08x <0x%08x"
-				 , ini
-				 , ntohl(st->st_esp.attrs.spi)
-				 , ntohl(st->st_esp.our_spi));
-			ini = " ";
-			fin = "}";
-		    }
-		    /* advance b to end of string */
-		    b = b + strlen(b);
-
-		    if (st->st_ah.present)
-		    {
-			snprintf(b, sizeof(sadetails)-(b-sadetails)-1
-				 , "%sAH=>0x%08x <0x%08x"
-				 , ini
-				 , ntohl(st->st_ah.attrs.spi)
-				 , ntohl(st->st_ah.our_spi));
-			ini = " ";
-			fin = "}";
-		    }
-		    /* advance b to end of string */
-		    b = b + strlen(b);
-
-		    if (st->st_ipcomp.present)
-		    {
-			snprintf(b, sizeof(sadetails)-(b-sadetails)-1
-				 , "%sIPCOMP=>0x%08x <0x%08x"
-				 , ini
-				 , ntohl(st->st_ipcomp.attrs.spi)
-				 , ntohl(st->st_ipcomp.our_spi));
-			ini = " ";
-			fin = "}";
-		    }
-		    /* advance b to end of string */
-		    b = b + strlen(b);
-
-		    if (st->nat_traversal)
-		    {
-			char oa[ADDRTOT_BUF];
-			addrtot(&st->nat_oa, 0, oa, sizeof(oa));
-			snprintf(b, sizeof(sadetails)-(b-sadetails)-1
-				 , "%sNATOA=%s"
-				 , ini, oa);
-			ini = " ";
-			fin = "}";
-		    }
-
-		    /* advance b to end of string */
-		    b = b + strlen(b);
-
-		    if (st->st_dpd)
-		    {
-			snprintf(b, sizeof(sadetails)-(b-sadetails)-1
-				 , "%sDPD"
-				 , ini);
-			ini = " ";
-			fin = "}";
-		    }
-
-		    strcat(b, fin);
-		}
+			/* Should we start ModeConfig as a client? */
+			if (st->st_connection->spd.this.modecfg
+			&& IS_ISAKMP_SA_ESTABLISHED(st->st_state)
+			&& !(st->st_connection->policy & POLICY_MODECFG_PUSH)
+			&& !st->st_modecfg.started)
+			{
+				DBG(DBG_CONTROL,
+					DBG_log("starting ModeCfg client in pull mode")
+				)
+				modecfg_send_request(st);
+				break;
+			}
 
-		if (IS_ISAKMP_SA_ESTABLISHED(st->st_state)
-		||  IS_IPSEC_SA_ESTABLISHED(st->st_state))
-		{
-		    /* log our success */
-		    plog("%s%s", story, sadetails);
-		    w = RC_SUCCESS;
-		}
+			/* Should we start ModeConfig as a server? */
+			if (st->st_connection->spd.that.modecfg
+			&& IS_ISAKMP_SA_ESTABLISHED(st->st_state)
+			&& !st->st_modecfg.started
+			&& (st->st_connection->policy & POLICY_MODECFG_PUSH))
+			{
+				DBG(DBG_CONTROL,
+					DBG_log("starting ModeCfg server in push mode")
+				)
+				modecfg_send_set(st);
+				break;
+			}
 
-		/* tell whack our progress */
-		whack_log(w
-		    , "%s: %s%s"
-		    , enum_name(&state_names, st->st_state)
-		    , story, sadetails);
-	    }
-
-	    has_xauth_policy = (st->st_connection->policy
-			       & (POLICY_XAUTH_RSASIG | POLICY_XAUTH_PSK))
-			       != LEMPTY;
-	    is_xauth_server =  (st->st_connection->policy
-			       & POLICY_XAUTH_SERVER)
-			       != LEMPTY;
-
-	    /* Should we start XAUTH as a server */
-	    if (has_xauth_policy && is_xauth_server
-	    && IS_ISAKMP_SA_ESTABLISHED(st->st_state)
-	    && !st->st_xauth.started)
-	    {
-		DBG(DBG_CONTROL,
-		    DBG_log("starting XAUTH server")
-		)
-		xauth_send_request(st);
-		break;
-	    }
-
-	    /* Wait for XAUTH request from server */
-	    if (has_xauth_policy && !is_xauth_server
-	    && IS_ISAKMP_SA_ESTABLISHED(st->st_state)
-	    && !st->st_xauth.started)
-	    {
-		DBG(DBG_CONTROL,
-		    DBG_log("waiting for XAUTH request from server")
-		)
-		break;
-	    }
-
-	    /* Should we start ModeConfig as a client? */
-	    if (st->st_connection->spd.this.modecfg
-	    && IS_ISAKMP_SA_ESTABLISHED(st->st_state)
-	    && !(st->st_connection->policy & POLICY_MODECFG_PUSH)
-	    && !st->st_modecfg.started)
-	    {
-		DBG(DBG_CONTROL,
-		    DBG_log("starting ModeCfg client in pull mode")
-		)
-		modecfg_send_request(st);
-		break;
-	    }
-
-	    /* Should we start ModeConfig as a server? */
-	    if (st->st_connection->spd.that.modecfg
-	    && IS_ISAKMP_SA_ESTABLISHED(st->st_state)
-	    && !st->st_modecfg.started
-	    && (st->st_connection->policy & POLICY_MODECFG_PUSH))
-	    {
-		DBG(DBG_CONTROL,
-		    DBG_log("starting ModeCfg server in push mode")
-		)
-		modecfg_send_set(st);
-		break;
-	    }
-
-	    /* Wait for ModeConfig set from server */
-	    if (st->st_connection->spd.this.modecfg
-	    && IS_ISAKMP_SA_ESTABLISHED(st->st_state)
-	    && !st->st_modecfg.vars_set)
-	    {
-		DBG(DBG_CONTROL,
-		    DBG_log("waiting for ModeCfg set from server")
-		)
-		break;
-	    }
+			/* Wait for ModeConfig set from server */
+			if (st->st_connection->spd.this.modecfg
+			&& IS_ISAKMP_SA_ESTABLISHED(st->st_state)
+			&& !st->st_modecfg.vars_set)
+			{
+				DBG(DBG_CONTROL,
+					DBG_log("waiting for ModeCfg set from server")
+				)
+				break;
+			}
 
-	    if (smc->flags & SMF_RELEASE_PENDING_P2)
-	    {
-		/* Initiate any Quick Mode negotiations that
-		 * were waiting to piggyback on this Keying Channel.
-		 *
-		 * ??? there is a potential race condition
-		 * if we are the responder: the initial Phase 2
-		 * message might outrun the final Phase 1 message.
-		 * I think that retransmission will recover.
-		 */
-		unpend(st);
-	    }
-
-	    if (IS_ISAKMP_SA_ESTABLISHED(st->st_state)
-	    ||  IS_IPSEC_SA_ESTABLISHED(st->st_state))
-		release_whack(st);
-	    break;
-
-	case STF_INTERNAL_ERROR:
-	    whack_log(RC_INTERNALERR + md->note
-		, "%s: internal error"
-		, enum_name(&state_names, st->st_state));
-
-	    DBG(DBG_CONTROL,
-		DBG_log("state transition function for %s had internal error"
-		    , enum_name(&state_names, from_state)));
-	    break;
-
-	default:	/* a shortcut to STF_FAIL, setting md->note */
-	    passert(result > STF_FAIL);
-	    md->note = result - STF_FAIL;
-	    result = STF_FAIL;
-	    /* FALL THROUGH ... */
-	case STF_FAIL:
-	    /* As it is, we act as if this message never happened:
-	     * whatever retrying was in place, remains in place.
-	     */
-	    whack_log(RC_NOTIFICATION + md->note
-		, "%s: %s"
-		, enum_name(&state_names, (st == NULL)? STATE_MAIN_R0:st->st_state)
-		, enum_name(&notification_names, md->note));
-
-	    SEND_NOTIFICATION(md->note);
-
-	    DBG(DBG_CONTROL,
-		DBG_log("state transition function for %s failed: %s"
-		    , enum_name(&state_names, from_state)
-		    , enum_name(&notification_names, md->note)));
-	    break;
-    }
+			if (smc->flags & SMF_RELEASE_PENDING_P2)
+			{
+				/* Initiate any Quick Mode negotiations that
+				 * were waiting to piggyback on this Keying Channel.
+				 *
+				 * ??? there is a potential race condition
+				 * if we are the responder: the initial Phase 2
+				 * message might outrun the final Phase 1 message.
+				 * I think that retransmission will recover.
+				 */
+				unpend(st);
+			}
+
+			if (IS_ISAKMP_SA_ESTABLISHED(st->st_state)
+			||  IS_IPSEC_SA_ESTABLISHED(st->st_state))
+				release_whack(st);
+			break;
+
+		case STF_INTERNAL_ERROR:
+			whack_log(RC_INTERNALERR + md->note
+				, "%s: internal error"
+				, enum_name(&state_names, st->st_state));
+
+			DBG(DBG_CONTROL,
+				DBG_log("state transition function for %s had internal error"
+					, enum_name(&state_names, from_state)));
+			break;
+
+		default:        /* a shortcut to STF_FAIL, setting md->note */
+			passert(result > STF_FAIL);
+			md->note = result - STF_FAIL;
+			result = STF_FAIL;
+			/* FALL THROUGH ... */
+		case STF_FAIL:
+			/* As it is, we act as if this message never happened:
+			 * whatever retrying was in place, remains in place.
+			 */
+			whack_log(RC_NOTIFICATION + md->note
+				, "%s: %s"
+				, enum_name(&state_names, (st == NULL)? STATE_MAIN_R0:st->st_state)
+				, enum_name(&notification_names, md->note));
+
+			SEND_NOTIFICATION(md->note);
+
+			DBG(DBG_CONTROL,
+				DBG_log("state transition function for %s failed: %s"
+					, enum_name(&state_names, from_state)
+					, enum_name(&notification_names, md->note)));
+			break;
+	}
 }
diff --git a/src/pluto/demux.h b/src/pluto/demux.h
index 0348b3579..4faf6e532 100644
--- a/src/pluto/demux.h
+++ b/src/pluto/demux.h
@@ -10,13 +10,11 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: demux.h 3252 2007-10-06 21:24:50Z andreas $
  */
 
 #include "packet.h"
 
-struct state;	/* forward declaration of tag */
+struct state;   /* forward declaration of tag */
 extern void init_demux(void);
 extern bool send_packet(struct state *st, const char *where);
 extern void comm_handle(const struct iface *ifp);
@@ -36,9 +34,9 @@ extern u_int8_t reply_buffer[MAX_OUTPUT_UDP_SIZE];
  */
 
 struct payload_digest {
-    pb_stream pbs;
-    union payload payload;
-    struct payload_digest *next;   /* of same kind */
+	pb_stream pbs;
+	union payload payload;
+	struct payload_digest *next;   /* of same kind */
 };
 
 /* message digest
@@ -46,30 +44,30 @@ struct payload_digest {
  */
 
 struct msg_digest {
-    struct msg_digest *next;	/* for free list */
-    chunk_t raw_packet;		/* if encrypted, received packet before decryption */
-    const struct iface *iface;	/* interface on which message arrived */
-    ip_address sender;	/* where message came from */
-    u_int16_t sender_port;	/* host order */
-    pb_stream packet_pbs;	/* whole packet */
-    pb_stream message_pbs;	/* message to be processed */
-    struct isakmp_hdr hdr;	/* message's header */
-    bool encrypted;		/* was it encrypted? */
-    enum state_kind from_state;	/* state we started in */
-    const struct state_microcode *smc;	/* microcode for initial state */
-    struct state *st;		/* current state object */
-    pb_stream reply;		/* room for reply */
-    pb_stream rbody;		/* room for reply body (after header) */
-    notification_t note;	/* reason for failure */
-    bool dpd;           	/* peer supports RFC 3706 DPD */
-    bool openpgp;		/* peer supports OpenPGP certificates */
+	struct msg_digest *next;    /* for free list */
+	chunk_t raw_packet;         /* if encrypted, received packet before decryption */
+	const struct iface *iface;  /* interface on which message arrived */
+	ip_address sender;  /* where message came from */
+	u_int16_t sender_port;      /* host order */
+	pb_stream packet_pbs;       /* whole packet */
+	pb_stream message_pbs;      /* message to be processed */
+	struct isakmp_hdr hdr;      /* message's header */
+	bool encrypted;             /* was it encrypted? */
+	enum state_kind from_state; /* state we started in */
+	const struct state_microcode *smc;  /* microcode for initial state */
+	struct state *st;           /* current state object */
+	pb_stream reply;            /* room for reply */
+	pb_stream rbody;            /* room for reply body (after header) */
+	notification_t note;        /* reason for failure */
+	bool dpd;                   /* peer supports RFC 3706 DPD */
+	bool openpgp;               /* peer supports OpenPGP certificates */
 
 #   define PAYLIMIT 40
-    struct payload_digest
-	digest[PAYLIMIT],
-	*digest_roof,
-	*chain[ISAKMP_NEXT_ROOF];
-	unsigned short nat_traversal_vid;
+	struct payload_digest
+		digest[PAYLIMIT],
+		*digest_roof,
+		*chain[ISAKMP_NEXT_ROOF];
+		unsigned short nat_traversal_vid;
 };
 
 extern void release_md(struct msg_digest *md);
@@ -79,11 +77,11 @@ extern void release_md(struct msg_digest *md);
  */
 
 typedef enum {
-    STF_IGNORE,	/* don't respond */
-    STF_SUSPEND,    /* unfinished -- don't release resources */
-    STF_OK,	/* success */
-    STF_INTERNAL_ERROR,	/* discard everything, we failed */
-    STF_FAIL	/* discard everything, something failed.  notification_t added. */
+	STF_IGNORE, /* don't respond */
+	STF_SUSPEND,    /* unfinished -- don't release resources */
+	STF_OK,     /* success */
+	STF_INTERNAL_ERROR, /* discard everything, we failed */
+	STF_FAIL    /* discard everything, something failed.  notification_t added. */
 } stf_status;
 
 typedef stf_status state_transition_fn(struct msg_digest *md);
diff --git a/src/pluto/dnskey.c b/src/pluto/dnskey.c
index 8ba0f7b73..ed901ade5 100644
--- a/src/pluto/dnskey.c
+++ b/src/pluto/dnskey.c
@@ -10,8 +10,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: dnskey.c 3252 2007-10-06 21:24:50Z andreas $
  */
 
 #include <stdlib.h>
@@ -26,32 +24,34 @@
 #include <netinet/in.h>
 #include <arpa/nameser.h>
 #include <resolv.h>
-#include <netdb.h>	/* ??? for h_errno */
+#include <netdb.h>      /* ??? for h_errno */
 #include <sys/queue.h>
 
 #include <freeswan.h>
-#include <ipsec_policy.h>
+
+#include <utils/identification.h>
+#include <credentials/keys/public_key.h>
 
 #include "constants.h"
-#include "adns.h"	/* needs <resolv.h> */
+#include "adns.h"       /* needs <resolv.h> */
 #include "defs.h"
 #include "log.h"
 #include "id.h"
 #include "connections.h"
-#include "keys.h"	    /* needs connections.h */
+#include "keys.h"           /* needs connections.h */
 #include "dnskey.h"
 #include "packet.h"
 #include "timer.h"
 
 /* somebody has to decide */
-#define MAX_TXT_RDATA	((MAX_KEY_BYTES * 8 / 6) + 40)	/* somewhat arbitrary overkill */
+#define MAX_TXT_RDATA   ((MAX_KEY_BYTES * 8 / 6) + 40)  /* somewhat arbitrary overkill */
 
 /* ADNS stuff */
 
-int adns_qfd = NULL_FD,	/* file descriptor for sending queries to adns (O_NONBLOCK) */
-    adns_afd = NULL_FD;	/* file descriptor for receiving answers from adns */
+int adns_qfd = NULL_FD, /* file descriptor for sending queries to adns (O_NONBLOCK) */
+	adns_afd = NULL_FD; /* file descriptor for receiving answers from adns */
 static pid_t adns_pid = 0;
-const char *pluto_adns_option = NULL;	/* path from --pluto_adns */
+const char *pluto_adns_option = NULL;   /* path from --pluto_adns */
 
 int adns_restart_count;
 #define ADNS_RESTART_MAX 20
@@ -59,152 +59,168 @@ int adns_restart_count;
 void
 init_adns(void)
 {
-    const char *adns_path = pluto_adns_option;
+	const char *adns_path = pluto_adns_option;
 #ifndef USE_LWRES
-    static const char adns_name[] = "_pluto_adns";
-    const char *helper_bin_dir = getenv("IPSEC_LIBDIR");
+	static const char adns_name[] = "_pluto_adns";
+	const char *helper_bin_dir = getenv("IPSEC_LIBDIR");
 #else /* USE_LWRES */
-    static const char adns_name[] = "lwdnsq";
-    const char *helper_bin_dir = getenv("IPSEC_EXECDIR");
+	static const char adns_name[] = "lwdnsq";
+	const char *helper_bin_dir = getenv("IPSEC_EXECDIR");
 #endif /* USE_LWRES */
-    char adns_path_space[4096];	/* plenty long? */
-    int qfds[2];
-    int afds[2];
-
-    /* find a pathname to the ADNS program */
-    if (adns_path == NULL)
-    {
-	/* pathname was not specified as an option: build it.
-	 * First, figure out the directory to be used.
-	 */
-	ssize_t n;
+	char adns_path_space[4096]; /* plenty long? */
+	int qfds[2];
+	int afds[2];
 
-	if (helper_bin_dir != NULL)
+	/* find a pathname to the ADNS program */
+	if (adns_path == NULL)
 	{
-	    n = strlen(helper_bin_dir);
-	    if ((size_t)n <= sizeof(adns_path_space) - sizeof(adns_name))
-	    {
-		strcpy(adns_path_space, helper_bin_dir);
-		if (n > 0 && adns_path_space[n -1] != '/')
-		    adns_path_space[n++] = '/';
-	    }
-	}
-	else
-	{
-	    /* The program will be in the same directory as Pluto,
-	     * so we use the sympolic link /proc/self/exe to
-	     * tell us of the path prefix.
-	     */
-	    n = readlink("/proc/self/exe", adns_path_space, sizeof(adns_path_space));
-
-	    if (n < 0)
-		exit_log_errno((e
-		    , "readlink(\"/proc/self/exe\") failed in init_adns()"));
-
-	}
-
-	if ((size_t)n > sizeof(adns_path_space) - sizeof(adns_name))
-	    exit_log("path to %s is too long", adns_name);
+		/* pathname was not specified as an option: build it.
+		 * First, figure out the directory to be used.
+		 */
+		ssize_t n;
 
-	while (n > 0 && adns_path_space[n - 1] != '/')
-	    n--;
+		if (helper_bin_dir != NULL)
+		{
+			n = strlen(helper_bin_dir);
+			if ((size_t)n <= sizeof(adns_path_space) - sizeof(adns_name))
+			{
+				strcpy(adns_path_space, helper_bin_dir);
+				if (n > 0 && adns_path_space[n -1] != '/')
+				{
+					adns_path_space[n++] = '/';
+				}
+			}
+		}
+		else
+		{
+			/* The program will be in the same directory as Pluto,
+			 * so we use the sympolic link /proc/self/exe to
+			 * tell us of the path prefix.
+			 */
+			n = readlink("/proc/self/exe", adns_path_space, sizeof(adns_path_space));
+
+			if (n < 0)
+			{
+				exit_log_errno((e
+					, "readlink(\"/proc/self/exe\") failed in init_adns()"));
+			}
+		}
 
-	strcpy(adns_path_space + n, adns_name);
-	adns_path = adns_path_space;
-    }
-    if (access(adns_path, X_OK) < 0)
-	exit_log_errno((e, "%s missing or not executable", adns_path));
+		if ((size_t)n > sizeof(adns_path_space) - sizeof(adns_name))
+		{
+			exit_log("path to %s is too long", adns_name);
+		}
 
-    if (pipe(qfds) != 0 || pipe(afds) != 0)
-	exit_log_errno((e, "pipe(2) failed in init_adns()"));
+		while (n > 0 && adns_path_space[n - 1] != '/')
+		{
+			n--;
+		}
+		strcpy(adns_path_space + n, adns_name);
+		adns_path = adns_path_space;
+	}
+	if (access(adns_path, X_OK) < 0)
+	{
+		exit_log_errno((e, "%s missing or not executable", adns_path));
+	}
 
-    adns_pid = fork();
-    switch (adns_pid)
-    {
-    case -1:
-	exit_log_errno((e, "fork() failed in init_adns()"));
+	if (pipe(qfds) != 0 || pipe(afds) != 0)
+	{
+		exit_log_errno((e, "pipe(2) failed in init_adns()"));
+	}
 
-    case 0:
-	/* child */
+	adns_pid = fork();
+	switch (adns_pid)
 	{
-	    /* Make stdin and stdout our pipes.
-	     * Take care to handle case where pipes already use these fds.
-	     */
-	    if (afds[1] == 0)
-		afds[1] = dup(afds[1]);	/* avoid being overwritten */
-	    if (qfds[0] != 0)
-	    {
-		dup2(qfds[0], 0);
+	case -1:
+		exit_log_errno((e, "fork() failed in init_adns()"));
+
+	case 0:
+		/* child */
+		{
+			/* Make stdin and stdout our pipes.
+			 * Take care to handle case where pipes already use these fds.
+			 */
+			if (afds[1] == 0)
+			{
+				afds[1] = dup(afds[1]); /* avoid being overwritten */
+			}
+			if (qfds[0] != 0)
+			{
+				dup2(qfds[0], 0);
+				close(qfds[0]);
+			}
+			if (afds[1] != 1)
+			{
+				dup2(afds[1], 1);
+				close(qfds[1]);
+			}
+			if (afds[0] > 1)
+			{
+				close(afds[0]);
+			}
+			if (afds[1] > 1)
+			{
+				close(afds[1]);
+			}
+			DBG(DBG_DNS, execlp(adns_path, adns_name, "-d", NULL));
+
+			execlp(adns_path, adns_name, NULL);
+			exit_log_errno((e, "execlp of %s failed", adns_path));
+		}
+	default:
+		/* parent */
 		close(qfds[0]);
-	    }
-	    if (afds[1] != 1)
-	    {
-		dup2(afds[1], 1);
-		close(qfds[1]);
-	    }
-	    if (afds[0] > 1)
-		close(afds[0]);
-	    if (afds[1] > 1)
+		adns_qfd = qfds[1];
+		adns_afd = afds[0];
 		close(afds[1]);
-
-	    DBG(DBG_DNS, execlp(adns_path, adns_name, "-d", NULL));
-
-	    execlp(adns_path, adns_name, NULL);
-	    exit_log_errno((e, "execlp of %s failed", adns_path));
+		fcntl(adns_qfd, F_SETFD, FD_CLOEXEC);
+		fcntl(adns_afd, F_SETFD, FD_CLOEXEC);
+		fcntl(adns_qfd, F_SETFL, O_NONBLOCK);
+		break;
 	}
-
-    default:
-	/* parent */
-	close(qfds[0]);
-	adns_qfd = qfds[1];
-	adns_afd = afds[0];
-	close(afds[1]);
-	fcntl(adns_qfd, F_SETFD, FD_CLOEXEC);
-	fcntl(adns_afd, F_SETFD, FD_CLOEXEC);
-	fcntl(adns_qfd, F_SETFL, O_NONBLOCK);
-	break;
-    }
 }
 
 void
 stop_adns(void)
 {
-    close_any(adns_qfd);
-    adns_qfd = NULL_FD;
-    close_any(adns_afd);
-    adns_afd = NULL_FD;
-
-    if (adns_pid != 0)
-    {
-	int status;
-	pid_t p = waitpid(adns_pid, &status, 0);
+	close_any(adns_qfd);
+	adns_qfd = NULL_FD;
+	close_any(adns_afd);
+	adns_afd = NULL_FD;
 
-	if (p == -1)
-	{
-	    log_errno((e, "waitpid for ADNS process failed"));
-	}
-	else if (WIFEXITED(status))
+	if (adns_pid != 0)
 	{
-	    if (WEXITSTATUS(status) != 0)
-		plog("ADNS process exited with status %d"
-		    , (int) WEXITSTATUS(status));
-	}
-	else if (WIFSIGNALED(status))
-	{
-	    plog("ADNS process terminated by signal %d", (int)WTERMSIG(status));
-	}
-	else
-	{
-	    plog("wait for end of ADNS process returned odd status 0x%x\n"
-		, status);
+		int status;
+		pid_t p = waitpid(adns_pid, &status, 0);
+
+		if (p == -1)
+		{
+			log_errno((e, "waitpid for ADNS process failed"));
+		}
+		else if (WIFEXITED(status))
+		{
+			if (WEXITSTATUS(status) != 0)
+			{
+				plog("ADNS process exited with status %d"
+					, (int) WEXITSTATUS(status));
+			}
+		}
+		else if (WIFSIGNALED(status))
+		{
+			plog("ADNS process terminated by signal %d", (int)WTERMSIG(status));
+		}
+		else
+		{
+			plog("wait for end of ADNS process returned odd status 0x%x\n"
+				, status);
+		}
 	}
-    }
 }
 
 
 
 /* tricky macro to pass any hot potato */
-#define TRY(x)	{ err_t ugh = x; if (ugh != NULL) return ugh; }
+#define TRY(x)  { err_t ugh = x; if (ugh != NULL) return ugh; }
 
 
 /* Process TXT X-IPsec-Server record, accumulating relevant ones
@@ -225,246 +241,270 @@ static const char our_TXT_attr[] = our_TXT_attr_string;
 static err_t
 decode_iii(u_char **pp, struct id *gw_id)
 {
-    u_char *p = *pp + strspn(*pp, " \t");
-    u_char *e = p + strcspn(p, " \t");
-    u_char under = *e;
-
-    if (p == e)
-	return "TXT " our_TXT_attr_string " badly formed (no gateway specified)";
-
-    *e = '\0';
-    if (*p == '@')
-    {
-	/* gateway specification in this record is @FQDN */
-	err_t ugh = atoid(p, gw_id, FALSE);
-
-	if (ugh != NULL)
-	    return builddiag("malformed FQDN in TXT " our_TXT_attr_string ": %s"
-		, ugh);
-    }
-    else
-    {
-	/* gateway specification is numeric */
-	ip_address ip;
-	err_t ugh = tnatoaddr(p, e-p
-	    , strchr(p, ':') == NULL? AF_INET : AF_INET6
-	    , &ip);
-
-	if (ugh != NULL)
-	    return builddiag("malformed IP address in TXT " our_TXT_attr_string ": %s"
-		, ugh);
-
-	if (isanyaddr(&ip))
-	    return "gateway address must not be 0.0.0.0 or 0::0";
-
-	iptoid(&ip, gw_id);
-    }
-
-    *e = under;
-    *pp = e + strspn(e, " \t");
-
-    return NULL;
+	u_char *p = *pp + strspn(*pp, " \t");
+	u_char *e = p + strcspn(p, " \t");
+	u_char under = *e;
+
+	if (p == e)
+	{
+		return "TXT " our_TXT_attr_string " badly formed (no gateway specified)";
+	}
+	*e = '\0';
+	if (*p == '@')
+	{
+		/* gateway specification in this record is @FQDN */
+		err_t ugh = atoid(p, gw_id, FALSE);
+
+		if (ugh != NULL)
+		{
+			return builddiag("malformed FQDN in TXT " our_TXT_attr_string ": %s"
+				, ugh);
+		}
+	}
+	else
+	{
+		/* gateway specification is numeric */
+		ip_address ip;
+		err_t ugh = tnatoaddr(p, e-p
+			, strchr(p, ':') == NULL? AF_INET : AF_INET6
+			, &ip);
+
+		if (ugh != NULL)
+		{
+			return builddiag("malformed IP address in TXT " our_TXT_attr_string ": %s"
+				, ugh);
+		}
+		if (isanyaddr(&ip))
+		{
+			return "gateway address must not be 0.0.0.0 or 0::0";
+		}
+		iptoid(&ip, gw_id);
+	}
+
+	*e = under;
+	*pp = e + strspn(e, " \t");
+
+	return NULL;
 }
 
 static err_t
 process_txt_rr_body(u_char *str
-, bool doit	/* should we capture information? */
+, bool doit     /* should we capture information? */
 , enum dns_auth_level dns_auth_level
 , struct adns_continuation *const cr)
 {
-    const struct id *client_id = &cr->id;	/* subject of query */
-    u_char *p = str;
-    unsigned long pref = 0;
-    struct gw_info gi;
+	const struct id *client_id = &cr->id;       /* subject of query */
+	u_char *p = str;
+	unsigned long pref = 0;
+	struct gw_info gi;
+
+	p += strspn(p, " \t");      /* ignore leading whitespace */
 
-    p += strspn(p, " \t");	/* ignore leading whitespace */
+	/* is this for us? */
+	if (strncasecmp(p, our_TXT_attr, sizeof(our_TXT_attr)-1) != 0)
+	{
+		return NULL;    /* neither interesting nor bad */
+	}
 
-    /* is this for us? */
-    if (strncasecmp(p, our_TXT_attr, sizeof(our_TXT_attr)-1) != 0)
-	return NULL;	/* neither interesting nor bad */
+	p += sizeof(our_TXT_attr) - 1;      /* ignore our attribute name */
+	p += strspn(p, " \t");      /* ignore leading whitespace */
 
-    p += sizeof(our_TXT_attr) - 1;	/* ignore our attribute name */
-    p += strspn(p, " \t");	/* ignore leading whitespace */
+	/* decode '(' nnn ')' */
+	if (*p != '(')
+	{
+		return "X-IPsec-Server missing '('";
+	}
 
-    /* decode '(' nnn ')' */
-    if (*p != '(')
-	return "X-IPsec-Server missing '('";
+	{
+		char *e;
 
-    {
-	char *e;
+		p++;
+		pref = strtoul(p, &e, 0);
+		if ((u_char *)e == p)
+		{
+			return "malformed X-IPsec-Server priority";
+		}
+		p = e + strspn(e, " \t");
 
-	p++;
-	pref = strtoul(p, &e, 0);
-	if ((u_char *)e == p)
-	    return "malformed X-IPsec-Server priority";
+		if (*p != ')')
+		{
+			return "X-IPsec-Server priority missing ')'";
+		}
+		p++;
+		p += strspn(p, " \t");
 
-	p = e + strspn(e, " \t");
+		if (pref > 0xFFFF)
+		{
+			return "X-IPsec-Server priority larger than 0xFFFF";
+		}
+	}
 
-	if (*p != ')')
-	    return "X-IPsec-Server priority missing ')'";
+	/* time for '=' */
 
+	if (*p != '=')
+	{
+		return "X-IPsec-Server priority missing '='";
+	}
 	p++;
 	p += strspn(p, " \t");
 
-	if (pref > 0xFFFF)
-	    return "X-IPsec-Server priority larger than 0xFFFF";
-    }
-
-    /* time for '=' */
+	/* Decode iii (Security Gateway ID). */
 
-    if (*p != '=')
-	return "X-IPsec-Server priority missing '='";
+	zero(&gi);  /* before first use */
 
-    p++;
-    p += strspn(p, " \t");
+	TRY(decode_iii(&p, &gi.gw_id));     /* will need to unshare_id_content */
 
-    /* Decode iii (Security Gateway ID). */
-
-    zero(&gi);	/* before first use */
-
-    TRY(decode_iii(&p, &gi.gw_id));	/* will need to unshare_id_content */
-
-    if (!cr->sgw_specified)
-    {
-	/* we don't know the peer's ID (because we are initiating
-	 * and we don't know who to initiate with.
-	 * So we're looking for gateway specs with an IP address
-	 */
-	if (!id_is_ipaddr(&gi.gw_id))
+	if (!cr->sgw_specified)
 	{
-	    DBG(DBG_DNS,
+		/* we don't know the peer's ID (because we are initiating
+		 * and we don't know who to initiate with.
+		 * So we're looking for gateway specs with an IP address
+		 */
+		if (!id_is_ipaddr(&gi.gw_id))
 		{
-		    char cidb[BUF_LEN];
-		    char gwidb[BUF_LEN];
-
-		    idtoa(client_id, cidb, sizeof(cidb));
-		    idtoa(&gi.gw_id, gwidb, sizeof(gwidb));
-		    DBG_log("TXT %s record for %s: security gateway %s;"
-			" ignored because gateway's IP is unspecified"
-			, our_TXT_attr, cidb, gwidb);
-		});
-	    return NULL;	/* we cannot use this record, but it isn't wrong */
+			DBG(DBG_DNS,
+				{
+					char cidb[BUF_LEN];
+					char gwidb[BUF_LEN];
+
+					idtoa(client_id, cidb, sizeof(cidb));
+					idtoa(&gi.gw_id, gwidb, sizeof(gwidb));
+					DBG_log("TXT %s record for %s: security gateway %s;"
+						" ignored because gateway's IP is unspecified"
+						, our_TXT_attr, cidb, gwidb);
+				});
+			return NULL;        /* we cannot use this record, but it isn't wrong */
+		}
 	}
-    }
-    else
-    {
-	/* We do know the peer's ID (because we are responding)
-	 * So we're looking for gateway specs specifying this known ID.
-	 */
-	const struct id *peer_id = &cr->sgw_id;
-
-	if (!same_id(peer_id, &gi.gw_id))
+	else
 	{
-	    DBG(DBG_DNS,
+		/* We do know the peer's ID (because we are responding)
+		 * So we're looking for gateway specs specifying this known ID.
+		 */
+		const struct id *peer_id = &cr->sgw_id;
+
+		if (!same_id(peer_id, &gi.gw_id))
 		{
-		    char cidb[BUF_LEN];
-		    char gwidb[BUF_LEN];
-		    char pidb[BUF_LEN];
-
-		    idtoa(client_id, cidb, sizeof(cidb));
-		    idtoa(&gi.gw_id, gwidb, sizeof(gwidb));
-		    idtoa(peer_id, pidb, sizeof(pidb));
-		    DBG_log("TXT %s record for %s: security gateway %s;"
-			" ignored -- looking to confirm %s as gateway"
-			, our_TXT_attr, cidb, gwidb, pidb);
-		});
-	    return NULL;	/* we cannot use this record, but it isn't wrong */
+			DBG(DBG_DNS,
+				{
+					char cidb[BUF_LEN];
+					char gwidb[BUF_LEN];
+					char pidb[BUF_LEN];
+
+					idtoa(client_id, cidb, sizeof(cidb));
+					idtoa(&gi.gw_id, gwidb, sizeof(gwidb));
+					idtoa(peer_id, pidb, sizeof(pidb));
+					DBG_log("TXT %s record for %s: security gateway %s;"
+						" ignored -- looking to confirm %s as gateway"
+						, our_TXT_attr, cidb, gwidb, pidb);
+				});
+			return NULL;        /* we cannot use this record, but it isn't wrong */
+		}
 	}
-    }
-
-    if (doit)
-    {
-	/* really accept gateway */
-	struct gw_info **gwip;	/* gateway insertion point */
 
-	gi.client_id = *client_id;	/* will need to unshare_id_content */
-
-	/* decode optional kkk: base 64 encoding of key */
-
-	gi.gw_key_present = *p != '\0';
-	if (gi.gw_key_present)
+	if (doit)
 	{
-	    /* Decode base 64 encoding of key.
-	     * Similar code is in process_lwdnsq_key.
-	     */
-	    u_char kb[RSA_MAX_ENCODING_BYTES];	/* plenty of space for binary form of public key */
-	    chunk_t kbc;
-	    struct RSA_public_key r;
-
-	    err_t ugh = ttodatav(p, 0, 64, kb, sizeof(kb), &kbc.len
-		, diag_space, sizeof(diag_space), TTODATAV_SPACECOUNTS);
-
-	    if (ugh != NULL)
-		return builddiag("malformed key data: %s", ugh);
-
-	    if (kbc.len > sizeof(kb))
-		return builddiag("key data larger than %lu bytes"
-		    , (unsigned long) sizeof(kb));
-
-	    kbc.ptr = kb;
-	    ugh = unpack_RSA_public_key(&r, &kbc);
-	    if (ugh != NULL)
-		return builddiag("invalid key data: %s", ugh);
-
-	    /* now find a key entry to put it in */
-	    gi.key = public_key_from_rsa(&r);
-
-	    free_RSA_public_content(&r);
+		/* really accept gateway */
+		struct gw_info **gwip;  /* gateway insertion point */
 
-	    unreference_key(&cr->last_info);
-	    cr->last_info = reference_key(gi.key);
-	}
-
-	/* we're home free!  Allocate everything and add to gateways list. */
-	gi.refcnt = 1;
-	gi.pref = pref;
-	gi.key->dns_auth_level = dns_auth_level;
-	gi.key->last_tried_time = gi.key->last_worked_time = NO_TIME;
-
-	/* find insertion point */
-	for (gwip = &cr->gateways_from_dns; *gwip != NULL && (*gwip)->pref < pref; gwip = &(*gwip)->next)
-	    ;
+		gi.client_id = *client_id;      /* will need to unshare_id_content */
 
-	DBG(DBG_DNS,
-	    {
-		char cidb[BUF_LEN];
-		char gwidb[BUF_LEN];
+		/* decode optional kkk: base 64 encoding of key */
 
-		idtoa(client_id, cidb, sizeof(cidb));
-		idtoa(&gi.gw_id, gwidb, sizeof(gwidb));
+		gi.gw_key_present = *p != '\0';
 		if (gi.gw_key_present)
 		{
-		    DBG_log("gateway for %s is %s with key %s"
-			, cidb, gwidb, gi.key->u.rsa.keyid);
+			/* Decode base 64 encoding of key.
+			 * Similar code is in process_lwdnsq_key.
+			 */
+			u_char buf[RSA_MAX_ENCODING_BYTES];  /* plenty of space for binary form of public key */
+			size_t sz;
+			err_t ugh;
+			chunk_t rfc3110_chunk;
+			public_key_t *key;
+
+			ugh = ttodatav(p, 0, 64, buf, sizeof(buf), &sz,
+						diag_space, sizeof(diag_space), TTODATAV_SPACECOUNTS);
+			if (ugh)
+			{
+				return builddiag("malformed key data: %s", ugh);
+			}
+			if (sz > sizeof(buf))
+			{
+				return builddiag("key data larger than %lu bytes",
+								 (unsigned long) sizeof(buf));
+			}
+			rfc3110_chunk = chunk_create(buf, sz);
+			key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+										BUILD_BLOB_RFC_3110, rfc3110_chunk,
+										BUILD_END);
+			if (key == NULL)
+			{
+				return builddiag("invalid key data");
+			}
+
+			/* now find a key entry to put it in */
+			gi.key = public_key_from_rsa(key);
+
+			unreference_key(&cr->last_info);
+			cr->last_info = reference_key(gi.key);
 		}
-		else
-		{
-		    DBG_log("gateway for %s is %s; no key specified"
-			, cidb, gwidb);
-		}
-	    });
 
-	gi.next = *gwip;
-	*gwip = clone_thing(gi, "gateway info");
-	unshare_id_content(&(*gwip)->gw_id);
-	unshare_id_content(&(*gwip)->client_id);
-    }
+		/* we're home free!  Allocate everything and add to gateways list. */
+		gi.refcnt = 1;
+		gi.pref = pref;
+		gi.key->dns_auth_level = dns_auth_level;
+		gi.key->last_tried_time = gi.key->last_worked_time = NO_TIME;
+
+		/* find insertion point */
+		for (gwip = &cr->gateways_from_dns; *gwip != NULL && (*gwip)->pref < pref; gwip = &(*gwip)->next)
+			;
+
+		DBG(DBG_DNS,
+			{
+				char cidb[BUF_LEN];
+				char gwidb[BUF_LEN];
+				identification_t *keyid;
+				public_key_t *pub_key;
+
+				idtoa(client_id, cidb, sizeof(cidb));
+				idtoa(&gi.gw_id, gwidb, sizeof(gwidb));
+				pub_key = gi.key->public_key;
+				keyid = pub_key->get_id(pub_key, ID_PUBKEY_SHA1);
+
+				if (gi.gw_key_present)
+				{
+					DBG_log("gateway for %s is %s with key %Y"
+						, cidb, gwidb, keyid);
+				}
+				else
+				{
+					DBG_log("gateway for %s is %s; no key specified"
+						, cidb, gwidb);
+				}
+			});
+
+		gi.next = *gwip;
+		*gwip = clone_thing(gi);
+		unshare_id_content(&(*gwip)->gw_id);
+		unshare_id_content(&(*gwip)->client_id);
+	}
 
-    return NULL;
+	return NULL;
 }
 
 static const char *
 rr_typename(int type)
 {
-    switch (type)
-    {
-    case T_TXT:
-	return "TXT";
-    case T_KEY:
-	return "KEY";
-    default:
-	return "???";
-    }
+	switch (type)
+	{
+	case T_TXT:
+		return "TXT";
+	case T_KEY:
+		return "KEY";
+	default:
+		return "???";
+	}
 }
 
 
@@ -476,72 +516,72 @@ process_lwdnsq_key(u_char *str
 , enum dns_auth_level dns_auth_level
 , struct adns_continuation *const cr)
 {
-    /* fields of KEY record.  See RFC 2535 3.1 KEY RDATA format. */
-    unsigned long flags	/* 16 bits */
-	, protocol	/* 8 bits */
-	, algorithm;	/* 8 bits */
-
-    char *rest = str
-	, *p
-	, *endofnumber;
-
-    /* flags */
-    p = strsep(&rest, " \t");
-    if (p == NULL)
-	return "lwdnsq KEY: missing flags";
-
-    flags = strtoul(p, &endofnumber, 10);
-    if (*endofnumber != '\0')
-	return "lwdnsq KEY: malformed flags";
-
-    /* protocol */
-    p = strsep(&rest, " \t");
-    if (p == NULL)
-	return "lwdnsq KEY: missing protocol";
-
-    protocol = strtoul(p, &endofnumber, 10);
-    if (*endofnumber != '\0')
-	return "lwdnsq KEY: malformed protocol";
-
-    /* algorithm */
-    p = strsep(&rest, " \t");
-    if (p == NULL)
-	return "lwdnsq KEY: missing algorithm";
-
-    algorithm = strtoul(p, &endofnumber, 10);
-    if (*endofnumber != '\0')
-	return "lwdnsq KEY: malformed algorithm";
-
-    /* is this key interesting? */
-    if (protocol == 4	/* IPSEC (RFC 2535 3.1.3) */
-    && algorithm == 1	/* RSA/MD5 (RFC 2535 3.2) */
-    && (flags & 0x8000ul) == 0	/* use for authentication (3.1.2) */
-    && (flags & 0x2CF0ul) == 0)	/* must be zero */
-    {
-	/* Decode base 64 encoding of key.
-	 * Similar code is in process_txt_rr_body.
-	 */
-	u_char kb[RSA_MAX_ENCODING_BYTES];	/* plenty of space for binary form of public key */
-	chunk_t kbc;
-	err_t ugh = ttodatav(rest, 0, 64, kb, sizeof(kb), &kbc.len
-	    , diag_space, sizeof(diag_space), TTODATAV_IGNORESPACE);
-
-	if (ugh != NULL)
-	    return builddiag("malformed key data: %s", ugh);
-
-	if (kbc.len > sizeof(kb))
-	    return builddiag("key data larger than %lu bytes"
-		, (unsigned long) sizeof(kb));
-
-	kbc.ptr = kb;
-	TRY(add_public_key(&cr->id, dns_auth_level, PUBKEY_ALG_RSA, &kbc
-	    , &cr->keys_from_dns));
-
-	/* keep a reference to last one */
-	unreference_key(&cr->last_info);
-	cr->last_info = reference_key(cr->keys_from_dns->key);
-    }
-    return NULL;
+	/* fields of KEY record.  See RFC 2535 3.1 KEY RDATA format. */
+	unsigned long flags /* 16 bits */
+		, protocol      /* 8 bits */
+		, algorithm;    /* 8 bits */
+
+	char *rest = str
+		, *p
+		, *endofnumber;
+
+	/* flags */
+	p = strsep(&rest, " \t");
+	if (p == NULL)
+		return "lwdnsq KEY: missing flags";
+
+	flags = strtoul(p, &endofnumber, 10);
+	if (*endofnumber != '\0')
+		return "lwdnsq KEY: malformed flags";
+
+	/* protocol */
+	p = strsep(&rest, " \t");
+	if (p == NULL)
+		return "lwdnsq KEY: missing protocol";
+
+	protocol = strtoul(p, &endofnumber, 10);
+	if (*endofnumber != '\0')
+		return "lwdnsq KEY: malformed protocol";
+
+	/* algorithm */
+	p = strsep(&rest, " \t");
+	if (p == NULL)
+		return "lwdnsq KEY: missing algorithm";
+
+	algorithm = strtoul(p, &endofnumber, 10);
+	if (*endofnumber != '\0')
+		return "lwdnsq KEY: malformed algorithm";
+
+	/* is this key interesting? */
+	if (protocol == 4   /* IPSEC (RFC 2535 3.1.3) */
+	&& algorithm == 1   /* RSA/MD5 (RFC 2535 3.2) */
+	&& (flags & 0x8000ul) == 0  /* use for authentication (3.1.2) */
+	&& (flags & 0x2CF0ul) == 0) /* must be zero */
+	{
+		/* Decode base 64 encoding of key.
+		 * Similar code is in process_txt_rr_body.
+		 */
+		u_char kb[RSA_MAX_ENCODING_BYTES];      /* plenty of space for binary form of public key */
+		chunk_t kbc;
+		err_t ugh = ttodatav(rest, 0, 64, kb, sizeof(kb), &kbc.len
+			, diag_space, sizeof(diag_space), TTODATAV_IGNORESPACE);
+
+		if (ugh != NULL)
+			return builddiag("malformed key data: %s", ugh);
+
+		if (kbc.len > sizeof(kb))
+			return builddiag("key data larger than %lu bytes"
+				, (unsigned long) sizeof(kb));
+
+		kbc.ptr = kb;
+		TRY(add_public_key(&cr->id, dns_auth_level, PUBKEY_ALG_RSA, &kbc
+			, &cr->keys_from_dns));
+
+		/* keep a reference to last one */
+		unreference_key(&cr->last_info);
+		cr->last_info = reference_key(cr->keys_from_dns->key);
+	}
+	return NULL;
 }
 # endif /* USE_KEYRR */
 
@@ -580,158 +620,158 @@ process_lwdnsq_key(u_char *str
  *  +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
  */
 struct qr_header {
-    u_int16_t	id;	/* 16-bit identifier to match query */
+	u_int16_t   id;     /* 16-bit identifier to match query */
 
-    u_int16_t	stuff;	/* packed crud: */
+	u_int16_t   stuff;  /* packed crud: */
 
-#define QRS_QR	0x8000	/* QR: on if this is a response */
+#define QRS_QR  0x8000  /* QR: on if this is a response */
 
-#define QRS_OPCODE_SHIFT	11  /* OPCODE field */
-#define QRS_OPCODE_MASK	0xF
-#define QRSO_QUERY	0   /* standard query */
-#define QRSO_IQUERY	1   /* inverse query */
-#define QRSO_STATUS	2   /* server status request query */
+#define QRS_OPCODE_SHIFT        11  /* OPCODE field */
+#define QRS_OPCODE_MASK 0xF
+#define QRSO_QUERY      0   /* standard query */
+#define QRSO_IQUERY     1   /* inverse query */
+#define QRSO_STATUS     2   /* server status request query */
 
-#define QRS_AA 0x0400	/* AA: on if Authoritative Answer */
-#define QRS_TC 0x0200	/* TC: on if truncation happened */
-#define QRS_RD 0x0100	/* RD: on if recursion desired */
-#define QRS_RA 0x0080	/* RA: on if recursion available */
-#define QRS_Z  0x0040	/* Z: reserved; must be zero */
-#define QRS_AD 0x0020	/* AD: on if authentic data (RFC 2535) */
-#define QRS_CD 0x0010	/* AD: on if checking disabled (RFC 2535) */
+#define QRS_AA 0x0400   /* AA: on if Authoritative Answer */
+#define QRS_TC 0x0200   /* TC: on if truncation happened */
+#define QRS_RD 0x0100   /* RD: on if recursion desired */
+#define QRS_RA 0x0080   /* RA: on if recursion available */
+#define QRS_Z  0x0040   /* Z: reserved; must be zero */
+#define QRS_AD 0x0020   /* AD: on if authentic data (RFC 2535) */
+#define QRS_CD 0x0010   /* AD: on if checking disabled (RFC 2535) */
 
-#define QRS_RCODE_SHIFT	0 /* RCODE field: response code */
-#define QRS_RCODE_MASK	0xF
-#define QRSR_OK	    0
+#define QRS_RCODE_SHIFT 0 /* RCODE field: response code */
+#define QRS_RCODE_MASK  0xF
+#define QRSR_OK     0
 
 
-    u_int16_t qdcount;	    /* number of entries in question section */
-    u_int16_t ancount;	    /* number of resource records in answer section */
-    u_int16_t nscount;	    /* number of name server resource records in authority section */
-    u_int16_t arcount;	    /* number of resource records in additional records section */
+	u_int16_t qdcount;      /* number of entries in question section */
+	u_int16_t ancount;      /* number of resource records in answer section */
+	u_int16_t nscount;      /* number of name server resource records in authority section */
+	u_int16_t arcount;      /* number of resource records in additional records section */
 };
 
 static field_desc qr_header_fields[] = {
-    { ft_nat, 16/BITS_PER_BYTE, "ID", NULL },
-    { ft_nat, 16/BITS_PER_BYTE, "stuff", NULL },
-    { ft_nat, 16/BITS_PER_BYTE, "QD Count", NULL },
-    { ft_nat, 16/BITS_PER_BYTE, "Answer Count", NULL },
-    { ft_nat, 16/BITS_PER_BYTE, "Authority Count", NULL },
-    { ft_nat, 16/BITS_PER_BYTE, "Additional Count", NULL },
-    { ft_end, 0, NULL, NULL }
+	{ ft_nat, 16/BITS_PER_BYTE, "ID", NULL },
+	{ ft_nat, 16/BITS_PER_BYTE, "stuff", NULL },
+	{ ft_nat, 16/BITS_PER_BYTE, "QD Count", NULL },
+	{ ft_nat, 16/BITS_PER_BYTE, "Answer Count", NULL },
+	{ ft_nat, 16/BITS_PER_BYTE, "Authority Count", NULL },
+	{ ft_nat, 16/BITS_PER_BYTE, "Additional Count", NULL },
+	{ ft_end, 0, NULL, NULL }
 };
 
 static struct_desc qr_header_desc = {
-    "Query Response Header",
-    qr_header_fields,
-    sizeof(struct qr_header)
+	"Query Response Header",
+	qr_header_fields,
+	sizeof(struct qr_header)
 };
 
 /* Messages for codes in RCODE (see RFC 1035 4.1.1) */
 static const err_t rcode_text[QRS_RCODE_MASK + 1] = {
-    NULL,   /* not an error */
-    "Format error - The name server was unable to interpret the query",
-    "Server failure - The name server was unable to process this query"
-	" due to a problem with the name server",
-    "Name Error - Meaningful only for responses from an authoritative name"
-	" server, this code signifies that the domain name referenced in"
-	" the query does not exist",
-    "Not Implemented - The name server does not support the requested"
-	" kind of query",
-    "Refused - The name server refuses to perform the specified operation"
-	" for policy reasons",
-    /* the rest are reserved for future use */
-    };
+	NULL,   /* not an error */
+	"Format error - The name server was unable to interpret the query",
+	"Server failure - The name server was unable to process this query"
+		" due to a problem with the name server",
+	"Name Error - Meaningful only for responses from an authoritative name"
+		" server, this code signifies that the domain name referenced in"
+		" the query does not exist",
+	"Not Implemented - The name server does not support the requested"
+		" kind of query",
+	"Refused - The name server refuses to perform the specified operation"
+		" for policy reasons",
+	/* the rest are reserved for future use */
+	};
 
 /* throw away a possibly compressed domain name */
 
 static err_t
 eat_name(pb_stream *pbs)
 {
-    u_char name_buf[NS_MAXDNAME + 2];
-    u_char *ip = pbs->cur;
-    unsigned oi = 0;
-    unsigned jump_count = 0;
-
-    for (;;)
-    {
-	u_int8_t b;
+	u_char name_buf[NS_MAXDNAME + 2];
+	u_char *ip = pbs->cur;
+	unsigned oi = 0;
+	unsigned jump_count = 0;
 
-	if (ip >= pbs->roof)
-	    return "ran out of message while skipping domain name";
-
-	b = *ip++;
-	if (jump_count == 0)
-	    pbs->cur = ip;
-
-	if (b == 0)
-	    break;
-
-	switch (b & 0xC0)
+	for (;;)
 	{
-	    case 0x00:
-		/* we grab the next b characters */
-		if (oi + b > NS_MAXDNAME)
-		    return "domain name too long";
+		u_int8_t b;
 
-		if (pbs->roof - ip <= b)
-		    return "domain name falls off end of message";
+		if (ip >= pbs->roof)
+			return "ran out of message while skipping domain name";
 
-		if (oi != 0)
-		    name_buf[oi++] = '.';
-
-		memcpy(name_buf + oi, ip, b);
-		oi += b;
-		ip += b;
+		b = *ip++;
 		if (jump_count == 0)
-		    pbs->cur = ip;
-		break;
-
-	    case 0xC0:
-		{
-		    unsigned ix;
-
-		    if (ip >= pbs->roof)
-			return "ran out of message in middle of compressed domain name";
-
-		    ix = ((b & ~0xC0u) << 8) | *ip++;
-		    if (jump_count == 0)
 			pbs->cur = ip;
 
-		    if (ix >= pbs_room(pbs))
-			return "impossible compressed domain name";
+		if (b == 0)
+			break;
 
-		    /* Avoid infinite loop.
-		     * There can be no more jumps than there are bytes
-		     * in the packet.  Not a tight limit, but good enough.
-		     */
-		    jump_count++;
-		    if (jump_count > pbs_room(pbs))
-			return "loop in compressed domain name";
-
-		    ip = pbs->start + ix;
+		switch (b & 0xC0)
+		{
+			case 0x00:
+				/* we grab the next b characters */
+				if (oi + b > NS_MAXDNAME)
+					return "domain name too long";
+
+				if (pbs->roof - ip <= b)
+					return "domain name falls off end of message";
+
+				if (oi != 0)
+					name_buf[oi++] = '.';
+
+				memcpy(name_buf + oi, ip, b);
+				oi += b;
+				ip += b;
+				if (jump_count == 0)
+					pbs->cur = ip;
+				break;
+
+			case 0xC0:
+				{
+					unsigned ix;
+
+					if (ip >= pbs->roof)
+						return "ran out of message in middle of compressed domain name";
+
+					ix = ((b & ~0xC0u) << 8) | *ip++;
+					if (jump_count == 0)
+						pbs->cur = ip;
+
+					if (ix >= pbs_room(pbs))
+						return "impossible compressed domain name";
+
+					/* Avoid infinite loop.
+					 * There can be no more jumps than there are bytes
+					 * in the packet.  Not a tight limit, but good enough.
+					 */
+					jump_count++;
+					if (jump_count > pbs_room(pbs))
+						return "loop in compressed domain name";
+
+					ip = pbs->start + ix;
+				}
+				break;
+
+			default:
+				return "invalid code in label";
 		}
-		break;
-
-	    default:
-		return "invalid code in label";
 	}
-    }
 
-    name_buf[oi++] = '\0';
+	name_buf[oi++] = '\0';
 
-    DBG(DBG_DNS, DBG_log("skipping name %s", name_buf));
+	DBG(DBG_DNS, DBG_log("skipping name %s", name_buf));
 
-    return NULL;
+	return NULL;
 }
 
 static err_t
 eat_name_helpfully(pb_stream *pbs, const char *context)
 {
-    err_t ugh = eat_name(pbs);
+	err_t ugh = eat_name(pbs);
 
-    return ugh == NULL? ugh
-	: builddiag("malformed name within DNS record of %s: %s", context, ugh);
+	return ugh == NULL? ugh
+		: builddiag("malformed name within DNS record of %s: %s", context, ugh);
 }
 
 /* non-variable part of 4.1.2 Question Section entry:
@@ -749,20 +789,20 @@ eat_name_helpfully(pb_stream *pbs, const char *context)
  */
 
 struct qs_fixed {
-    u_int16_t qtype;
-    u_int16_t qclass;
+	u_int16_t qtype;
+	u_int16_t qclass;
 };
 
 static field_desc qs_fixed_fields[] = {
-    { ft_loose_enum, 16/BITS_PER_BYTE, "QTYPE", &rr_qtype_names },
-    { ft_loose_enum, 16/BITS_PER_BYTE, "QCLASS", &rr_class_names },
-    { ft_end, 0, NULL, NULL }
+	{ ft_loose_enum, 16/BITS_PER_BYTE, "QTYPE", &rr_qtype_names },
+	{ ft_loose_enum, 16/BITS_PER_BYTE, "QCLASS", &rr_class_names },
+	{ ft_end, 0, NULL, NULL }
 };
 
 static struct_desc qs_fixed_desc = {
-    "Question Section entry fixed part",
-    qs_fixed_fields,
-    sizeof(struct qs_fixed)
+	"Question Section entry fixed part",
+	qs_fixed_fields,
+	sizeof(struct qs_fixed)
 };
 
 /* 4.1.3. Resource record format:
@@ -789,26 +829,26 @@ static struct_desc qs_fixed_desc = {
  */
 
 struct rr_fixed {
-    u_int16_t type;
-    u_int16_t class;
-    u_int32_t ttl;	/* actually signed */
-    u_int16_t rdlength;
+	u_int16_t type;
+	u_int16_t class;
+	u_int32_t ttl;      /* actually signed */
+	u_int16_t rdlength;
 };
 
 
 static field_desc rr_fixed_fields[] = {
-    { ft_loose_enum, 16/BITS_PER_BYTE, "type", &rr_type_names },
-    { ft_loose_enum, 16/BITS_PER_BYTE, "class", &rr_class_names },
-    { ft_nat, 32/BITS_PER_BYTE, "TTL", NULL },
-    { ft_nat, 16/BITS_PER_BYTE, "RD length", NULL },
-    { ft_end, 0, NULL, NULL }
+	{ ft_loose_enum, 16/BITS_PER_BYTE, "type", &rr_type_names },
+	{ ft_loose_enum, 16/BITS_PER_BYTE, "class", &rr_class_names },
+	{ ft_nat, 32/BITS_PER_BYTE, "TTL", NULL },
+	{ ft_nat, 16/BITS_PER_BYTE, "RD length", NULL },
+	{ ft_end, 0, NULL, NULL }
 };
 
 static struct_desc rr_fixed_desc = {
-    "Resource Record fixed part",
-    rr_fixed_fields,
-    /* note: following is tricky: avoids padding problems */
-    offsetof(struct rr_fixed, rdlength) + sizeof(u_int16_t)
+	"Resource Record fixed part",
+	rr_fixed_fields,
+	/* note: following is tricky: avoids padding problems */
+	offsetof(struct rr_fixed, rdlength) + sizeof(u_int16_t)
 };
 
 /* RFC 1035 3.3.14: TXT RRs have text in the RDATA field.
@@ -830,22 +870,22 @@ static struct_desc rr_fixed_desc = {
  */
 
 struct key_rdata {
-    u_int16_t flags;
-    u_int8_t protocol;
-    u_int8_t algorithm;
+	u_int16_t flags;
+	u_int8_t protocol;
+	u_int8_t algorithm;
 };
 
 static field_desc key_rdata_fields[] = {
-    { ft_nat, 16/BITS_PER_BYTE, "flags", NULL },
-    { ft_nat, 8/BITS_PER_BYTE, "protocol", NULL },
-    { ft_nat, 8/BITS_PER_BYTE, "algorithm", NULL },
-    { ft_end, 0, NULL, NULL }
+	{ ft_nat, 16/BITS_PER_BYTE, "flags", NULL },
+	{ ft_nat, 8/BITS_PER_BYTE, "protocol", NULL },
+	{ ft_nat, 8/BITS_PER_BYTE, "algorithm", NULL },
+	{ ft_end, 0, NULL, NULL }
 };
 
 static struct_desc key_rdata_desc = {
-    "KEY RR RData fixed part",
-    key_rdata_fields,
-    sizeof(struct key_rdata)
+	"KEY RR RData fixed part",
+	key_rdata_fields,
+	sizeof(struct key_rdata)
 };
 
 /* RFC 2535 4.1 SIG RDATA format:
@@ -872,30 +912,30 @@ static struct_desc key_rdata_desc = {
  */
 
 struct sig_rdata {
-    u_int16_t type_covered;
-    u_int8_t algorithm;
-    u_int8_t labels;
-    u_int32_t original_ttl;
-    u_int32_t sig_expiration;
-    u_int32_t sig_inception;
-    u_int16_t key_tag;
+	u_int16_t type_covered;
+	u_int8_t algorithm;
+	u_int8_t labels;
+	u_int32_t original_ttl;
+	u_int32_t sig_expiration;
+	u_int32_t sig_inception;
+	u_int16_t key_tag;
 };
 
 static field_desc sig_rdata_fields[] = {
-    { ft_nat, 16/BITS_PER_BYTE, "type_covered", NULL},
-    { ft_nat, 8/BITS_PER_BYTE, "algorithm", NULL},
-    { ft_nat, 8/BITS_PER_BYTE, "labels", NULL},
-    { ft_nat, 32/BITS_PER_BYTE, "original ttl", NULL},
-    { ft_nat, 32/BITS_PER_BYTE, "sig expiration", NULL},
-    { ft_nat, 32/BITS_PER_BYTE, "sig inception", NULL},
-    { ft_nat, 16/BITS_PER_BYTE, "key tag", NULL},
-    { ft_end, 0, NULL, NULL }
+	{ ft_nat, 16/BITS_PER_BYTE, "type_covered", NULL},
+	{ ft_nat, 8/BITS_PER_BYTE, "algorithm", NULL},
+	{ ft_nat, 8/BITS_PER_BYTE, "labels", NULL},
+	{ ft_nat, 32/BITS_PER_BYTE, "original ttl", NULL},
+	{ ft_nat, 32/BITS_PER_BYTE, "sig expiration", NULL},
+	{ ft_nat, 32/BITS_PER_BYTE, "sig inception", NULL},
+	{ ft_nat, 16/BITS_PER_BYTE, "key tag", NULL},
+	{ ft_end, 0, NULL, NULL }
 };
 
 static struct_desc sig_rdata_desc = {
-    "SIG RR RData fixed part",
-    sig_rdata_fields,
-    sizeof(struct sig_rdata)
+	"SIG RR RData fixed part",
+	sig_rdata_fields,
+	sizeof(struct sig_rdata)
 };
 
 /* handle a KEY Resource Record. */
@@ -903,38 +943,37 @@ static struct_desc sig_rdata_desc = {
 #ifdef USE_KEYRR
 static err_t
 process_key_rr(u_char *ptr, size_t len
-, bool doit	/* should we capture information? */
+, bool doit     /* should we capture information? */
 , enum dns_auth_level dns_auth_level
 , struct adns_continuation *const cr)
 {
-    pb_stream pbs;
-    struct key_rdata kr;
-
-    if (len < sizeof(struct key_rdata))
-	return "KEY Resource Record's RD Length is too small";
+	pb_stream pbs;
+	struct key_rdata kr;
 
-    init_pbs(&pbs, ptr, len, "KEY RR");
+	if (len < sizeof(struct key_rdata))
+		return "KEY Resource Record's RD Length is too small";
 
-    if (!in_struct(&kr, &key_rdata_desc, &pbs, NULL))
-	return "failed to get fixed part of KEY Resource Record RDATA";
+	init_pbs(&pbs, ptr, len, "KEY RR");
 
-    if (kr.protocol == 4	/* IPSEC (RFC 2535 3.1.3) */
-    && kr.algorithm == 1	/* RSA/MD5 (RFC 2535 3.2) */
-    && (kr.flags & 0x8000) == 0	/* use for authentication (3.1.2) */
-    && (kr.flags & 0x2CF0) == 0)	/* must be zero */
-    {
-	/* we have what seems to be a tasty key */
+	if (!in_struct(&kr, &key_rdata_desc, &pbs, NULL))
+		return "failed to get fixed part of KEY Resource Record RDATA";
 
-	if (doit)
+	if (kr.protocol == 4        /* IPSEC (RFC 2535 3.1.3) */
+	&& kr.algorithm == 1        /* RSA/MD5 (RFC 2535 3.2) */
+	&& (kr.flags & 0x8000) == 0 /* use for authentication (3.1.2) */
+	&& (kr.flags & 0x2CF0) == 0)        /* must be zero */
 	{
-	    chunk_t k;
+		/* we have what seems to be a tasty key */
+
+		if (doit)
+		{
+			chunk_t k = { pbs.cur, pbs_left(&pbs) };
 
-	    setchunk(k, pbs.cur, pbs_left(&pbs));
-	    TRY(add_public_key(&cr->id, dns_auth_level, PUBKEY_ALG_RSA, &k
-		, &cr->keys_from_dns));
+			TRY(add_public_key(&cr->id, dns_auth_level, PUBKEY_ALG_RSA, &k
+				, &cr->keys_from_dns));
+		}
 	}
-    }
-    return NULL;
+	return NULL;
 }
 #endif /* USE_KEYRR */
 
@@ -946,130 +985,130 @@ process_key_rr(u_char *ptr, size_t len
 static err_t
 unpack_txt_rdata(u_char *d, size_t dlen, const u_char *s, size_t slen)
 {
-    size_t i = 0
-	, o = 0;
+	size_t i = 0
+		, o = 0;
 
-    while (i < slen)
-    {
-	size_t cl = s[i++];
+	while (i < slen)
+	{
+		size_t cl = s[i++];
 
-	if (i + cl > slen)
-	    return "TXT rr RDATA representation malformed";
+		if (i + cl > slen)
+			return "TXT rr RDATA representation malformed";
 
-	if (o + cl >= dlen)
-	    return "TXT rr RDATA too large";
+		if (o + cl >= dlen)
+			return "TXT rr RDATA too large";
 
-	memcpy(d + o, s + i, cl);
-	i += cl;
-	o += cl;
-    }
-    d[o] = '\0';
-    if (strlen(d) != o)
-	return "TXT rr RDATA contains a NUL";
+		memcpy(d + o, s + i, cl);
+		i += cl;
+		o += cl;
+	}
+	d[o] = '\0';
+	if (strlen(d) != o)
+		return "TXT rr RDATA contains a NUL";
 
-    return NULL;
+	return NULL;
 }
 
 static err_t
 process_txt_rr(u_char *rdata, size_t rdlen
-, bool doit	/* should we capture information? */
+, bool doit     /* should we capture information? */
 , enum dns_auth_level dns_auth_level
 , struct adns_continuation *const cr)
 {
-    u_char str[RSA_MAX_ENCODING_BYTES * 8 / 6 + 20];	/* space for unpacked RDATA */
+	u_char str[RSA_MAX_ENCODING_BYTES * 8 / 6 + 20];    /* space for unpacked RDATA */
 
-    TRY(unpack_txt_rdata(str, sizeof(str), rdata, rdlen));
-    return process_txt_rr_body(str, doit, dns_auth_level, cr);
+	TRY(unpack_txt_rdata(str, sizeof(str), rdata, rdlen));
+	return process_txt_rr_body(str, doit, dns_auth_level, cr);
 }
 
 static err_t
 process_answer_section(pb_stream *pbs
-, bool doit	/* should we capture information? */
+, bool doit     /* should we capture information? */
 , enum dns_auth_level *dns_auth_level
-, u_int16_t ancount	/* number of RRs in the answer section */
+, u_int16_t ancount     /* number of RRs in the answer section */
 , struct adns_continuation *const cr)
 {
-    const int type = cr->query.type;	/* type of RR of interest */
-    unsigned c;
+	const int type = cr->query.type;    /* type of RR of interest */
+	unsigned c;
 
-    DBG(DBG_DNS, DBG_log("*Answer Section:"));
+	DBG(DBG_DNS, DBG_log("*Answer Section:"));
 
-    for (c = 0; c != ancount; c++)
-    {
-	struct rr_fixed rrf;
-	size_t tail;
+	for (c = 0; c != ancount; c++)
+	{
+		struct rr_fixed rrf;
+		size_t tail;
 
-	/* ??? do we need to match the name? */
+		/* ??? do we need to match the name? */
 
-	TRY(eat_name_helpfully(pbs, "Answer Section"));
+		TRY(eat_name_helpfully(pbs, "Answer Section"));
 
-	if (!in_struct(&rrf, &rr_fixed_desc, pbs, NULL))
-	    return "failed to get fixed part of Answer Section Resource Record";
+		if (!in_struct(&rrf, &rr_fixed_desc, pbs, NULL))
+			return "failed to get fixed part of Answer Section Resource Record";
 
-	if (rrf.rdlength > pbs_left(pbs))
-	    return "RD Length extends beyond end of message";
+		if (rrf.rdlength > pbs_left(pbs))
+			return "RD Length extends beyond end of message";
 
-	/* ??? should we care about ttl? */
+		/* ??? should we care about ttl? */
 
-	tail = rrf.rdlength;
+		tail = rrf.rdlength;
 
-	if (rrf.type == type && rrf.class == C_IN)
-	{
-	    err_t ugh = NULL;
+		if (rrf.type == type && rrf.class == C_IN)
+		{
+			err_t ugh = NULL;
 
-	    switch (type)
-	    {
+			switch (type)
+			{
 #ifdef USE_KEYRR
-	    case T_KEY:
-		ugh = process_key_rr(pbs->cur, tail, doit, *dns_auth_level, cr);
-		break;
+			case T_KEY:
+				ugh = process_key_rr(pbs->cur, tail, doit, *dns_auth_level, cr);
+				break;
 #endif /* USE_KEYRR */
-	    case T_TXT:
-		ugh = process_txt_rr(pbs->cur, tail, doit, *dns_auth_level, cr);
-		break;
-	    case T_SIG:
-		/* Check if SIG RR authenticates what we are learning.
-		 * The RRset covered by a SIG must have the same owner,
-		 * class, and type.
-		 * For us, the class is always C_IN, so that matches.
-		 * We decode the SIG RR's fixed part to check
-		 * that the type_covered field matches our query type
-		 * (this may be redundant).
-		 * We don't check the owner (apparently this is the
-		 * name on the record) -- we assume that it matches
-		 * or we would not have been given this SIG in the
-		 * Answer Section.
-		 *
-		 * We only look on first pass, and only if we've something
-		 * to learn.  This cuts down on useless decoding.
-		 */
-		if (!doit && *dns_auth_level == DAL_UNSIGNED)
-		{
-		    struct sig_rdata sr;
-
-		    if (!in_struct(&sr, &sig_rdata_desc, pbs, NULL))
-			ugh = "failed to get fixed part of SIG Resource Record RDATA";
-		    else if (sr.type_covered == type)
-			*dns_auth_level = DAL_SIGNED;
+			case T_TXT:
+				ugh = process_txt_rr(pbs->cur, tail, doit, *dns_auth_level, cr);
+				break;
+			case T_SIG:
+				/* Check if SIG RR authenticates what we are learning.
+				 * The RRset covered by a SIG must have the same owner,
+				 * class, and type.
+				 * For us, the class is always C_IN, so that matches.
+				 * We decode the SIG RR's fixed part to check
+				 * that the type_covered field matches our query type
+				 * (this may be redundant).
+				 * We don't check the owner (apparently this is the
+				 * name on the record) -- we assume that it matches
+				 * or we would not have been given this SIG in the
+				 * Answer Section.
+				 *
+				 * We only look on first pass, and only if we've something
+				 * to learn.  This cuts down on useless decoding.
+				 */
+				if (!doit && *dns_auth_level == DAL_UNSIGNED)
+				{
+					struct sig_rdata sr;
+
+					if (!in_struct(&sr, &sig_rdata_desc, pbs, NULL))
+						ugh = "failed to get fixed part of SIG Resource Record RDATA";
+					else if (sr.type_covered == type)
+						*dns_auth_level = DAL_SIGNED;
+				}
+				break;
+			default:
+				ugh = builddiag("unexpected RR type %d", type);
+				break;
+			}
+			if (ugh != NULL)
+				return ugh;
 		}
-		break;
-	    default:
-		ugh = builddiag("unexpected RR type %d", type);
-		break;
-	    }
-	    if (ugh != NULL)
-		return ugh;
+		in_raw(NULL, tail, pbs, "RR RDATA");
 	}
-	in_raw(NULL, tail, pbs, "RR RDATA");
-    }
 
-    return doit
-	&& cr->gateways_from_dns == NULL
+	return doit
+		&& cr->gateways_from_dns == NULL
 #ifdef USE_KEYRR
-	&& cr->keys_from_dns == NULL
+		&& cr->keys_from_dns == NULL
 #endif /* USE_KEYRR */
-	? builddiag("no suitable %s record found in DNS", rr_typename(type))
-	: NULL;
+		? builddiag("no suitable %s record found in DNS", rr_typename(type))
+		: NULL;
 }
 
 /* process DNS answer -- TXT or KEY query */
@@ -1078,153 +1117,153 @@ static err_t
 process_dns_answer(struct adns_continuation *const cr
 , u_char ans[], int anslen)
 {
-    const int type = cr->query.type;	/* type of record being sought */
-    int r;	/* all-purpose return value holder */
-    u_int16_t c;	/* number of current RR in current answer section */
-    pb_stream pbs;
-    u_int8_t *ans_start;	/* saved position of answer section */
-    struct qr_header qr_header;
-    enum dns_auth_level dns_auth_level;
+	const int type = cr->query.type;    /* type of record being sought */
+	int r;      /* all-purpose return value holder */
+	u_int16_t c;        /* number of current RR in current answer section */
+	pb_stream pbs;
+	u_int8_t *ans_start;        /* saved position of answer section */
+	struct qr_header qr_header;
+	enum dns_auth_level dns_auth_level;
 
-    init_pbs(&pbs, ans, anslen, "Query Response Message");
+	init_pbs(&pbs, ans, anslen, "Query Response Message");
 
-    /* decode and check header */
+	/* decode and check header */
 
-    if (!in_struct(&qr_header, &qr_header_desc, &pbs, NULL))
-	return "malformed header";
+	if (!in_struct(&qr_header, &qr_header_desc, &pbs, NULL))
+		return "malformed header";
 
-    /* ID: nothing to do with us */
+	/* ID: nothing to do with us */
 
-    /* stuff -- lots of things */
-    if ((qr_header.stuff & QRS_QR) == 0)
-	return "not a response?!?";
+	/* stuff -- lots of things */
+	if ((qr_header.stuff & QRS_QR) == 0)
+		return "not a response?!?";
 
-    if (((qr_header.stuff >> QRS_OPCODE_SHIFT) & QRS_OPCODE_MASK) != QRSO_QUERY)
-	return "unexpected opcode";
+	if (((qr_header.stuff >> QRS_OPCODE_SHIFT) & QRS_OPCODE_MASK) != QRSO_QUERY)
+		return "unexpected opcode";
 
-    /* I don't think we care about AA */
+	/* I don't think we care about AA */
 
-    if (qr_header.stuff & QRS_TC)
-	return "response truncated";
+	if (qr_header.stuff & QRS_TC)
+		return "response truncated";
 
-    /* I don't think we care about RD, RA, or CD */
+	/* I don't think we care about RD, RA, or CD */
 
-    /* AD means "authentic data" */
-    dns_auth_level = qr_header.stuff & QRS_AD? DAL_UNSIGNED : DAL_NOTSEC;
+	/* AD means "authentic data" */
+	dns_auth_level = qr_header.stuff & QRS_AD? DAL_UNSIGNED : DAL_NOTSEC;
 
-    if (qr_header.stuff & QRS_Z)
-	return "Z bit is not zero";
+	if (qr_header.stuff & QRS_Z)
+		return "Z bit is not zero";
 
-    r = (qr_header.stuff >> QRS_RCODE_SHIFT) & QRS_RCODE_MASK;
-    if (r != 0)
-	return r < (int)elemsof(rcode_text)? rcode_text[r] : "unknown rcode";
+	r = (qr_header.stuff >> QRS_RCODE_SHIFT) & QRS_RCODE_MASK;
+	if (r != 0)
+		return r < (int)countof(rcode_text)? rcode_text[r] : "unknown rcode";
 
-    if (qr_header.ancount == 0)
-	return builddiag("no %s RR found by DNS", rr_typename(type));
+	if (qr_header.ancount == 0)
+		return builddiag("no %s RR found by DNS", rr_typename(type));
 
-    /* end of header checking */
+	/* end of header checking */
 
-    /* Question Section processing */
+	/* Question Section processing */
 
-    /* 4.1.2. Question section format:
-     *                                 1  1  1  1  1  1
-     *   0  1  2  3  4  5  6  7  8  9  0  1  2  3  4  5
-     * +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-     * |                                               |
-     * /                     QNAME                     /
-     * /                                               /
-     * +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-     * |                     QTYPE                     |
-     * +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-     * |                     QCLASS                    |
-     * +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-     */
+	/* 4.1.2. Question section format:
+	 *                                 1  1  1  1  1  1
+	 *   0  1  2  3  4  5  6  7  8  9  0  1  2  3  4  5
+	 * +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+	 * |                                               |
+	 * /                     QNAME                     /
+	 * /                                               /
+	 * +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+	 * |                     QTYPE                     |
+	 * +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+	 * |                     QCLASS                    |
+	 * +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+	 */
 
-    DBG(DBG_DNS, DBG_log("*Question Section:"));
+	DBG(DBG_DNS, DBG_log("*Question Section:"));
 
-    for (c = 0; c != qr_header.qdcount; c++)
-    {
-	struct qs_fixed qsf;
+	for (c = 0; c != qr_header.qdcount; c++)
+	{
+		struct qs_fixed qsf;
 
-	TRY(eat_name_helpfully(&pbs, "Question Section"));
+		TRY(eat_name_helpfully(&pbs, "Question Section"));
 
-	if (!in_struct(&qsf, &qs_fixed_desc, &pbs, NULL))
-	    return "failed to get fixed part of Question Section";
+		if (!in_struct(&qsf, &qs_fixed_desc, &pbs, NULL))
+			return "failed to get fixed part of Question Section";
 
-	if (qsf.qtype != type)
-	    return "unexpected QTYPE in Question Section";
+		if (qsf.qtype != type)
+			return "unexpected QTYPE in Question Section";
 
-	if (qsf.qclass != C_IN)
-	    return "unexpected QCLASS in Question Section";
-    }
+		if (qsf.qclass != C_IN)
+			return "unexpected QCLASS in Question Section";
+	}
 
-    /* rest of sections are made up of Resource Records */
+	/* rest of sections are made up of Resource Records */
 
-    /* Answer Section processing -- error checking, noting T_SIG */
+	/* Answer Section processing -- error checking, noting T_SIG */
 
-    ans_start = pbs.cur;	/* remember start of answer section */
+	ans_start = pbs.cur;        /* remember start of answer section */
 
-    TRY(process_answer_section(&pbs, FALSE, &dns_auth_level
-	, qr_header.ancount, cr));
+	TRY(process_answer_section(&pbs, FALSE, &dns_auth_level
+		, qr_header.ancount, cr));
 
-    /* Authority Section processing (just sanity checking) */
+	/* Authority Section processing (just sanity checking) */
 
-    DBG(DBG_DNS, DBG_log("*Authority Section:"));
+	DBG(DBG_DNS, DBG_log("*Authority Section:"));
 
-    for (c = 0; c != qr_header.nscount; c++)
-    {
-	struct rr_fixed rrf;
-	size_t tail;
+	for (c = 0; c != qr_header.nscount; c++)
+	{
+		struct rr_fixed rrf;
+		size_t tail;
 
-	TRY(eat_name_helpfully(&pbs, "Authority Section"));
+		TRY(eat_name_helpfully(&pbs, "Authority Section"));
 
-	if (!in_struct(&rrf, &rr_fixed_desc, &pbs, NULL))
-	    return "failed to get fixed part of Authority Section Resource Record";
+		if (!in_struct(&rrf, &rr_fixed_desc, &pbs, NULL))
+			return "failed to get fixed part of Authority Section Resource Record";
 
-	if (rrf.rdlength > pbs_left(&pbs))
-	    return "RD Length extends beyond end of message";
+		if (rrf.rdlength > pbs_left(&pbs))
+			return "RD Length extends beyond end of message";
 
-	/* ??? should we care about ttl? */
+		/* ??? should we care about ttl? */
 
-	tail = rrf.rdlength;
+		tail = rrf.rdlength;
 
-	in_raw(NULL, tail, &pbs, "RR RDATA");
-    }
+		in_raw(NULL, tail, &pbs, "RR RDATA");
+	}
 
-    /* Additional Section processing (just sanity checking) */
+	/* Additional Section processing (just sanity checking) */
 
-    DBG(DBG_DNS, DBG_log("*Additional Section:"));
+	DBG(DBG_DNS, DBG_log("*Additional Section:"));
 
-    for (c = 0; c != qr_header.arcount; c++)
-    {
-	struct rr_fixed rrf;
-	size_t tail;
+	for (c = 0; c != qr_header.arcount; c++)
+	{
+		struct rr_fixed rrf;
+		size_t tail;
 
-	TRY(eat_name_helpfully(&pbs, "Additional Section"));
+		TRY(eat_name_helpfully(&pbs, "Additional Section"));
 
-	if (!in_struct(&rrf, &rr_fixed_desc, &pbs, NULL))
-	    return "failed to get fixed part of Additional Section Resource Record";
+		if (!in_struct(&rrf, &rr_fixed_desc, &pbs, NULL))
+			return "failed to get fixed part of Additional Section Resource Record";
 
-	if (rrf.rdlength > pbs_left(&pbs))
-	    return "RD Length extends beyond end of message";
+		if (rrf.rdlength > pbs_left(&pbs))
+			return "RD Length extends beyond end of message";
 
-	/* ??? should we care about ttl? */
+		/* ??? should we care about ttl? */
 
-	tail = rrf.rdlength;
+		tail = rrf.rdlength;
 
-	in_raw(NULL, tail, &pbs, "RR RDATA");
-    }
+		in_raw(NULL, tail, &pbs, "RR RDATA");
+	}
 
-    /* done all sections */
+	/* done all sections */
 
-    /* ??? is padding legal, or can we complain if more left in record? */
+	/* ??? is padding legal, or can we complain if more left in record? */
 
-    /* process Answer Section again -- accept contents */
+	/* process Answer Section again -- accept contents */
 
-    pbs.cur = ans_start;	/* go back to start of answer section */
+	pbs.cur = ans_start;        /* go back to start of answer section */
 
-    return process_answer_section(&pbs, TRUE, &dns_auth_level
-	, qr_header.ancount, cr);
+	return process_answer_section(&pbs, TRUE, &dns_auth_level
+		, qr_header.ancount, cr);
 }
 
 #endif /* ! USE_LWRES */
@@ -1239,101 +1278,101 @@ build_dns_name(u_char name_buf[NS_MAXDNAME + 2]
 , const char *typename USED_BY_DEBUG
 , const char *gwname   USED_BY_DEBUG)
 {
-    /* note: all end in "." to suppress relative searches */
-    id = resolve_myid(id);
-    switch (id->kind)
-    {
-    case ID_IPV4_ADDR:
-    {
-	/* XXX: this is really ugly and only temporary until addrtot can
-	 *      generate the correct format
-	 */
-	const unsigned char *b;
-	size_t bl USED_BY_DEBUG = addrbytesptr(&id->ip_addr, &b);
-
-	passert(bl == 4);
-	snprintf(name_buf, NS_MAXDNAME + 2, "%d.%d.%d.%d.in-addr.arpa."
-	    , b[3], b[2], b[1], b[0]);
-	break;
-    }
-
-    case ID_IPV6_ADDR:
-    {
-	/* ??? is this correct? */
-	const unsigned char *b;
-	size_t bl;
-	u_char *op = name_buf;
-	static const char suffix[] = "IP6.INT.";
-
-	for (bl = addrbytesptr(&id->ip_addr, &b); bl-- != 0; )
+	/* note: all end in "." to suppress relative searches */
+	id = resolve_myid(id);
+	switch (id->kind)
+	{
+	case ID_IPV4_ADDR:
 	{
-	    if (op + 4 + sizeof(suffix) >= name_buf + NS_MAXDNAME + 1)
-		return "IPv6 reverse name too long";
-	    op += sprintf(op, "%x.%x.", b[bl] & 0xF, b[bl] >> 4);
+		/* XXX: this is really ugly and only temporary until addrtot can
+		 *      generate the correct format
+		 */
+		const unsigned char *b;
+		size_t bl USED_BY_DEBUG = addrbytesptr(&id->ip_addr, &b);
+
+		passert(bl == 4);
+		snprintf(name_buf, NS_MAXDNAME + 2, "%d.%d.%d.%d.in-addr.arpa."
+			, b[3], b[2], b[1], b[0]);
+		break;
 	}
-	strcpy(op, suffix);
-	break;
-    }
 
-    case ID_FQDN:
-	/* strip trailing "." characters, then add one */
+	case ID_IPV6_ADDR:
 	{
-	    size_t il = id->name.len;
-
-	    while (il > 0 && id->name.ptr[il - 1] == '.')
-		il--;
-	    if (il > NS_MAXDNAME)
-		return "FQDN too long for domain name";
+		/* ??? is this correct? */
+		const unsigned char *b;
+		size_t bl;
+		u_char *op = name_buf;
+		static const char suffix[] = "IP6.INT.";
 
-	    memcpy(name_buf, id->name.ptr, il);
-	    strcpy(name_buf + il, ".");
+		for (bl = addrbytesptr(&id->ip_addr, &b); bl-- != 0; )
+		{
+			if (op + 4 + sizeof(suffix) >= name_buf + NS_MAXDNAME + 1)
+				return "IPv6 reverse name too long";
+			op += sprintf(op, "%x.%x.", b[bl] & 0xF, b[bl] >> 4);
+		}
+		strcpy(op, suffix);
+		break;
 	}
-	break;
 
-    default:
-	return "can only query DNS for key for ID that is a FQDN, IPV4_ADDR, or IPV6_ADDR";
-    }
+	case ID_FQDN:
+		/* strip trailing "." characters, then add one */
+		{
+			size_t il = id->name.len;
+
+			while (il > 0 && id->name.ptr[il - 1] == '.')
+				il--;
+			if (il > NS_MAXDNAME)
+				return "FQDN too long for domain name";
 
-    DBG(DBG_CONTROL | DBG_DNS, DBG_log("DNS query %lu for %s for %s (gw: %s)"
-	, serial, typename, name_buf, gwname));
-    return NULL;
+			memcpy(name_buf, id->name.ptr, il);
+			strcpy(name_buf + il, ".");
+		}
+		break;
+
+	default:
+		return "can only query DNS for key for ID that is a FQDN, IPV4_ADDR, or IPV6_ADDR";
+	}
+
+	DBG(DBG_CONTROL | DBG_DNS, DBG_log("DNS query %lu for %s for %s (gw: %s)"
+		, serial, typename, name_buf, gwname));
+	return NULL;
 }
 
 void
 gw_addref(struct gw_info *gw)
 {
-    if (gw != NULL)
-    {
-	DBG(DBG_DNS, DBG_log("gw_addref: %p refcnt: %d++", gw, gw->refcnt))
-	gw->refcnt++;
-    }
+	if (gw != NULL)
+	{
+		DBG(DBG_DNS, DBG_log("gw_addref: %p refcnt: %d++", gw, gw->refcnt))
+		gw->refcnt++;
+	}
 }
 
 void
 gw_delref(struct gw_info **gwp)
 {
-    struct gw_info *gw = *gwp;
-
-    if (gw != NULL)
-    {
-	DBG(DBG_DNS, DBG_log("gw_delref: %p refcnt: %d--", gw, gw->refcnt));
+	struct gw_info *gw = *gwp;
 
-	passert(gw->refcnt != 0);
-	gw->refcnt--;
-	if (gw->refcnt == 0)
+	if (gw != NULL)
 	{
-	    free_id_content(&gw->client_id);
-	    free_id_content(&gw->gw_id);
-	    if (gw->gw_key_present)
-		unreference_key(&gw->key);
-	    gw_delref(&gw->next);
-	    pfree(gw);	/* trickery could make this a tail-call */
+		DBG(DBG_DNS, DBG_log("gw_delref: %p refcnt: %d--", gw, gw->refcnt));
+
+		passert(gw->refcnt != 0);
+		gw->refcnt--;
+		if (gw->refcnt == 0)
+		{
+			free_id_content(&gw->client_id);
+			free_id_content(&gw->gw_id);
+			if (gw->gw_key_present)
+				unreference_key(&gw->key);
+			gw_delref(&gw->next);
+			free(gw);   /* trickery could make this a tail-call */
+		}
+		*gwp = NULL;
 	}
-	*gwp = NULL;
-    }
 }
 
-static int adns_in_flight = 0;	/* queries outstanding */
+static int adns_in_flight = 0;  /* queries outstanding */
 
 /* Start an asynchronous DNS query.
  *
@@ -1372,123 +1411,123 @@ static int adns_in_flight = 0;	/* queries outstanding */
  * disestablishing any logging context (whack_log_fd, cur_*).
  */
 
-static struct adns_continuation *continuations = NULL;	/* newest of queue */
-static struct adns_continuation *next_query = NULL;	/* oldest not sent */
+static struct adns_continuation *continuations = NULL;  /* newest of queue */
+static struct adns_continuation *next_query = NULL;     /* oldest not sent */
 
 static struct adns_continuation *
 continuation_for_qtid(unsigned long qtid)
 {
-    struct adns_continuation *cr = NULL;
+	struct adns_continuation *cr = NULL;
 
-    if (qtid != 0)
-	for (cr = continuations; cr != NULL && cr->qtid != qtid; cr = cr->previous)
-	    ;
-    return cr;
+	if (qtid != 0)
+		for (cr = continuations; cr != NULL && cr->qtid != qtid; cr = cr->previous)
+			;
+	return cr;
 }
 
 static void
 release_adns_continuation(struct adns_continuation *cr)
 {
-    passert(cr != next_query);
-    gw_delref(&cr->gateways_from_dns);
+	passert(cr != next_query);
+	gw_delref(&cr->gateways_from_dns);
 #ifdef USE_KEYRR
-    free_public_keys(&cr->keys_from_dns);
+	free_public_keys(&cr->keys_from_dns);
 #endif /* USE_KEYRR */
-    unshare_id_content(&cr->id);
-    unshare_id_content(&cr->sgw_id);
-
-    /* unlink from doubly-linked list */
-    if (cr->next == NULL)
-    {
-	passert(continuations == cr);
-	continuations = cr->previous;
-    }
-    else
-    {
-	passert(cr->next->previous == cr);
-	cr->next->previous = cr->previous;
-    }
-
-    if (cr->previous != NULL)
-    {
-	passert(cr->previous->next == cr);
-	cr->previous->next = cr->next;
-    }
-
-    pfree(cr);
+	unshare_id_content(&cr->id);
+	unshare_id_content(&cr->sgw_id);
+
+	/* unlink from doubly-linked list */
+	if (cr->next == NULL)
+	{
+		passert(continuations == cr);
+		continuations = cr->previous;
+	}
+	else
+	{
+		passert(cr->next->previous == cr);
+		cr->next->previous = cr->previous;
+	}
+
+	if (cr->previous != NULL)
+	{
+		passert(cr->previous->next == cr);
+		cr->previous->next = cr->next;
+	}
+
+	free(cr);
 }
 
 err_t
-start_adns_query(const struct id *id	/* domain to query */
-, const struct id *sgw_id	/* if non-null, any accepted gw_info must match */
-, int type	/* T_TXT or T_KEY, selecting rr type of interest */
+start_adns_query(const struct id *id    /* domain to query */
+, const struct id *sgw_id       /* if non-null, any accepted gw_info must match */
+, int type      /* T_TXT or T_KEY, selecting rr type of interest */
 , cont_fn_t cont_fn
 , struct adns_continuation *cr)
 {
-    static unsigned long qtid = 1;	/* query transaction id; NOTE: static */
-    const char *typename = rr_typename(type);
-    char gwidb[BUF_LEN];
-
-    if(adns_pid == 0
-       && adns_restart_count < ADNS_RESTART_MAX)
-    {
-	plog("ADNS helper was not running. Restarting attempt %d",adns_restart_count);
-	init_adns();
-    }
-
-
-    /* Splice this in at head of doubly-linked list of continuations.
-     * Note: this must be done before any release_adns_continuation().
-     */
-    cr->next = NULL;
-    cr->previous = continuations;
-    if (continuations != NULL)
-    {
-	passert(continuations->next == NULL);
-	continuations->next = cr;
-    }
-    continuations = cr;
-
-    cr->qtid = qtid++;
-    cr->type = type;
-    cr->cont_fn = cont_fn;
-    cr->id = *id;
-    unshare_id_content(&cr->id);
-    cr->sgw_specified = sgw_id != NULL;
-    cr->sgw_id = cr->sgw_specified? *sgw_id : empty_id;
-    unshare_id_content(&cr->sgw_id);
-    cr->gateways_from_dns = NULL;
+	static unsigned long qtid = 1;      /* query transaction id; NOTE: static */
+	const char *typename = rr_typename(type);
+	char gwidb[BUF_LEN];
+
+	if(adns_pid == 0
+	   && adns_restart_count < ADNS_RESTART_MAX)
+	{
+		plog("ADNS helper was not running. Restarting attempt %d",adns_restart_count);
+		init_adns();
+	}
+
+
+	/* Splice this in at head of doubly-linked list of continuations.
+	 * Note: this must be done before any release_adns_continuation().
+	 */
+	cr->next = NULL;
+	cr->previous = continuations;
+	if (continuations != NULL)
+	{
+		passert(continuations->next == NULL);
+		continuations->next = cr;
+	}
+	continuations = cr;
+
+	cr->qtid = qtid++;
+	cr->type = type;
+	cr->cont_fn = cont_fn;
+	cr->id = *id;
+	unshare_id_content(&cr->id);
+	cr->sgw_specified = sgw_id != NULL;
+	cr->sgw_id = cr->sgw_specified? *sgw_id : empty_id;
+	unshare_id_content(&cr->sgw_id);
+	cr->gateways_from_dns = NULL;
 #ifdef USE_KEYRR
-    cr->keys_from_dns = NULL;
+	cr->keys_from_dns = NULL;
 #endif /* USE_KEYRR */
 
 #ifdef DEBUG
-    cr->debugging = cur_debugging;
+	cr->debugging = cur_debugging;
 #else
-    cr->debugging = LEMPTY;
+	cr->debugging = LEMPTY;
 #endif
 
-    idtoa(&cr->sgw_id, gwidb, sizeof(gwidb));
+	idtoa(&cr->sgw_id, gwidb, sizeof(gwidb));
 
-    zero(&cr->query);
+	zero(&cr->query);
 
-    {
-	err_t ugh = build_dns_name(cr->query.name_buf, cr->qtid
-	    , id, typename, gwidb);
-
-	if (ugh != NULL)
 	{
-	    release_adns_continuation(cr);
-	    return ugh;
+		err_t ugh = build_dns_name(cr->query.name_buf, cr->qtid
+			, id, typename, gwidb);
+
+		if (ugh != NULL)
+		{
+			release_adns_continuation(cr);
+			return ugh;
+		}
 	}
-    }
 
-    if (next_query == NULL)
-	next_query = cr;
+	if (next_query == NULL)
+		next_query = cr;
 
-    unsent_ADNS_queries = TRUE;
+	unsent_ADNS_queries = TRUE;
 
-    return NULL;
+	return NULL;
 }
 
 /* send remaining ADNS queries (until pipe full or none left)
@@ -1501,79 +1540,79 @@ bool unsent_ADNS_queries = FALSE;
 void
 send_unsent_ADNS_queries(void)
 {
-    static const unsigned char *buf_end = NULL;	/* NOTE STATIC */
-    static const unsigned char *buf_cur = NULL;	/* NOTE STATIC */
+	static const unsigned char *buf_end = NULL; /* NOTE STATIC */
+	static const unsigned char *buf_cur = NULL; /* NOTE STATIC */
 
-    if (adns_qfd == NULL_FD)
-	return;	/* nothing useful to do */
+	if (adns_qfd == NULL_FD)
+		return; /* nothing useful to do */
 
-    for (;;)
-    {
-	if (buf_cur != buf_end)
+	for (;;)
 	{
-	    static int try = 0;	/* NOTE STATIC */
-	    size_t n = buf_end - buf_cur;
-	    ssize_t r = write(adns_qfd, buf_cur, n);
-
-	    if (r == -1)
-	    {
-		switch (errno)
+		if (buf_cur != buf_end)
 		{
-		case EINTR:
-		    continue;	/* try again now */
-		case EAGAIN:
-		    DBG(DBG_DNS, DBG_log("EAGAIN writing to ADNS"));
-		    break;	/* try again later */
-		default:
-		    try++;
-		    log_errno((e, "error %d writing DNS query", try));
-		    break;	/* try again later */
+			static int try = 0; /* NOTE STATIC */
+			size_t n = buf_end - buf_cur;
+			ssize_t r = write(adns_qfd, buf_cur, n);
+
+			if (r == -1)
+			{
+				switch (errno)
+				{
+				case EINTR:
+					continue;   /* try again now */
+				case EAGAIN:
+					DBG(DBG_DNS, DBG_log("EAGAIN writing to ADNS"));
+					break;      /* try again later */
+				default:
+					try++;
+					log_errno((e, "error %d writing DNS query", try));
+					break;      /* try again later */
+				}
+				unsent_ADNS_queries = TRUE;
+				break;  /* done! */
+			}
+			else
+			{
+				passert(r >= 0);
+				try = 0;
+				buf_cur += r;
+			}
 		}
-		unsent_ADNS_queries = TRUE;
-		break;	/* done! */
-	    }
-	    else
-	    {
-		passert(r >= 0);
-		try = 0;
-		buf_cur += r;
-	    }
-	}
-	else
-	{
-	    if (next_query == NULL)
-	    {
-		unsent_ADNS_queries = FALSE;
-		break;	/* done! */
-	    }
+		else
+		{
+			if (next_query == NULL)
+			{
+				unsent_ADNS_queries = FALSE;
+				break;  /* done! */
+			}
 
 #ifdef USE_LWRES
-	    next_query->used = FALSE;
-	    {
-		/* NOTE STATIC: */
-		static unsigned char qbuf[LWDNSQ_CMDBUF_LEN + 1];	/* room for NUL */
-
-		snprintf(qbuf, sizeof(qbuf), "%s %lu %s\n"
-		    , rr_typename(next_query->type)
-		    , next_query->qtid
-		    , next_query->query.name_buf);
-		DBG(DBG_DNS, DBG_log("lwdnsq query: %.*s", (int)(strlen(qbuf) - 1), qbuf));
-		buf_cur = qbuf;
-		buf_end = qbuf + strlen(qbuf);
-	    }
+			next_query->used = FALSE;
+			{
+				/* NOTE STATIC: */
+				static unsigned char qbuf[LWDNSQ_CMDBUF_LEN + 1];       /* room for NUL */
+
+				snprintf(qbuf, sizeof(qbuf), "%s %lu %s\n"
+					, rr_typename(next_query->type)
+					, next_query->qtid
+					, next_query->query.name_buf);
+				DBG(DBG_DNS, DBG_log("lwdnsq query: %.*s", (int)(strlen(qbuf) - 1), qbuf));
+				buf_cur = qbuf;
+				buf_end = qbuf + strlen(qbuf);
+			}
 #else /* !USE_LWRES */
-	    next_query->query.debugging = next_query->debugging;
-	    next_query->query.serial = next_query->qtid;
-	    next_query->query.len = sizeof(next_query->query);
-	    next_query->query.qmagic = ADNS_Q_MAGIC;
-	    next_query->query.type = next_query->type;
-	    buf_cur = (const void *)&next_query->query;
-	    buf_end = buf_cur + sizeof(next_query->query);
+			next_query->query.debugging = next_query->debugging;
+			next_query->query.serial = next_query->qtid;
+			next_query->query.len = sizeof(next_query->query);
+			next_query->query.qmagic = ADNS_Q_MAGIC;
+			next_query->query.type = next_query->type;
+			buf_cur = (const void *)&next_query->query;
+			buf_end = buf_cur + sizeof(next_query->query);
 #endif /* !USE_LWRES */
-	    next_query = next_query->next;
-	    adns_in_flight++;
+			next_query = next_query->next;
+			adns_in_flight++;
+		}
 	}
-    }
 }
 
 #ifdef USE_LWRES
@@ -1584,379 +1623,379 @@ send_unsent_ADNS_queries(void)
 static err_t
 process_lwdnsq_answer(char *ts)
 {
-    err_t ugh = NULL;
-    char *rest;
-    char *p;
-    char *endofnumber;
-    struct adns_continuation *cr = NULL;
-    unsigned long qtid;
-    time_t anstime;	/* time of answer */
-    char *atype;	/* type of answer */
-    long ttl;	/* ttl of answer; int, but long for conversion */
-    bool AuthenticatedData = FALSE;
-    static char scratch_null_str[] = "";	/* cannot be const, but isn't written */
-
-    /* query transaction id */
-    rest = ts;
-    p = strsep(&rest, " \t");
-    if (p == NULL)
-	return "lwdnsq: answer missing query transaction ID";
-
-    qtid = strtoul(p, &endofnumber, 10);
-    if (*endofnumber != '\0')
-	return "lwdnsq: malformed query transaction ID";
-
-    cr = continuation_for_qtid(qtid);
-    if (qtid != 0 && cr == NULL)
-	return "lwdnsq: unrecognized qtid";     /* can't happen! */
-
-    /* time */
-    p = strsep(&rest, " \t");
-    if (p == NULL)
-	return "lwdnsq: missing time";
-
-    anstime = strtoul(p, &endofnumber, 10);
-    if (*endofnumber != '\0')
-	return "lwdnsq: malformed time";
-
-    /* TTL */
-    p = strsep(&rest, " \t");
-    if (p == NULL)
-	return "lwdnsq: missing TTL";
-
-    ttl = strtol(p, &endofnumber, 10);
-    if (*endofnumber != '\0')
-	return "lwdnsq: malformed TTL";
-
-    /* type */
-    atype = strsep(&rest, " \t");
-    if (atype == NULL)
-	return "lwdnsq: missing type";
-
-    /* if rest is NULL, make it "", otherwise eat whitespace after type */
-    rest = rest == NULL? scratch_null_str : rest + strspn(rest, " \t");
-
-    if (strncasecmp(atype, "AD-", 3) == 0)
-    {
-	AuthenticatedData = TRUE;
-	atype += 3;
-    }
-
-    /* deal with each type */
-
-    if (cr == NULL)
-    {
-	/* we don't actually know which this applies to */
-	return builddiag("lwdnsq: 0 qtid invalid with %s", atype);
-    }
-    else if (strcaseeq(atype, "START"))
-    {
-	/* ignore */
-    }
-    else if (strcaseeq(atype, "DONE"))
-    {
-	if (!cr->used)
+	err_t ugh = NULL;
+	char *rest;
+	char *p;
+	char *endofnumber;
+	struct adns_continuation *cr = NULL;
+	unsigned long qtid;
+	time_t anstime;     /* time of answer */
+	char *atype;        /* type of answer */
+	long ttl;   /* ttl of answer; int, but long for conversion */
+	bool AuthenticatedData = FALSE;
+	static char scratch_null_str[] = "";        /* cannot be const, but isn't written */
+
+	/* query transaction id */
+	rest = ts;
+	p = strsep(&rest, " \t");
+	if (p == NULL)
+		return "lwdnsq: answer missing query transaction ID";
+
+	qtid = strtoul(p, &endofnumber, 10);
+	if (*endofnumber != '\0')
+		return "lwdnsq: malformed query transaction ID";
+
+	cr = continuation_for_qtid(qtid);
+	if (qtid != 0 && cr == NULL)
+		return "lwdnsq: unrecognized qtid";     /* can't happen! */
+
+	/* time */
+	p = strsep(&rest, " \t");
+	if (p == NULL)
+		return "lwdnsq: missing time";
+
+	anstime = strtoul(p, &endofnumber, 10);
+	if (*endofnumber != '\0')
+		return "lwdnsq: malformed time";
+
+	/* TTL */
+	p = strsep(&rest, " \t");
+	if (p == NULL)
+		return "lwdnsq: missing TTL";
+
+	ttl = strtol(p, &endofnumber, 10);
+	if (*endofnumber != '\0')
+		return "lwdnsq: malformed TTL";
+
+	/* type */
+	atype = strsep(&rest, " \t");
+	if (atype == NULL)
+		return "lwdnsq: missing type";
+
+	/* if rest is NULL, make it "", otherwise eat whitespace after type */
+	rest = rest == NULL? scratch_null_str : rest + strspn(rest, " \t");
+
+	if (strncasecmp(atype, "AD-", 3) == 0)
 	{
-	    /* "no results returned by lwdnsq" should not happen */
-	    cr->cont_fn(cr
-		, cr->gateways_from_dns == NULL
+		AuthenticatedData = TRUE;
+		atype += 3;
+	}
+
+	/* deal with each type */
+
+	if (cr == NULL)
+	{
+		/* we don't actually know which this applies to */
+		return builddiag("lwdnsq: 0 qtid invalid with %s", atype);
+	}
+	else if (strcaseeq(atype, "START"))
+	{
+		/* ignore */
+	}
+	else if (strcaseeq(atype, "DONE"))
+	{
+		if (!cr->used)
+		{
+			/* "no results returned by lwdnsq" should not happen */
+			cr->cont_fn(cr
+				, cr->gateways_from_dns == NULL
 #ifdef USE_KEYRR
-		  && cr->keys_from_dns == NULL
+				  && cr->keys_from_dns == NULL
 #endif /* USE_KEYRR */
-		    ? "no results returned by lwdnsq" : NULL);
-	    cr->used = TRUE;
+					? "no results returned by lwdnsq" : NULL);
+			cr->used = TRUE;
+		}
+		reset_globals();
+		release_adns_continuation(cr);
+		adns_in_flight--;
+	}
+	else if (strcaseeq(atype, "RETRY"))
+	{
+		if (!cr->used)
+		{
+			cr->cont_fn(cr, rest);
+			cr->used = TRUE;
+		}
 	}
-	reset_globals();
-	release_adns_continuation(cr);
-	adns_in_flight--;
-    }
-    else if (strcaseeq(atype, "RETRY"))
-    {
-	if (!cr->used)
+	else if (strcaseeq(atype, "FATAL"))
 	{
-	    cr->cont_fn(cr, rest);
-	    cr->used = TRUE;
+		if (!cr->used)
+		{
+			cr->cont_fn(cr, rest);
+			cr->used = TRUE;
+		}
 	}
-    }
-    else if (strcaseeq(atype, "FATAL"))
-    {
-	if (!cr->used)
+	else if (strcaseeq(atype, "DNSSEC"))
 	{
-	    cr->cont_fn(cr, rest);
-	    cr->used = TRUE;
+		/* ignore */
 	}
-    }
-    else if (strcaseeq(atype, "DNSSEC"))
-    {
-	/* ignore */
-    }
-    else if (strcaseeq(atype, "NAME"))
-    {
-	/* ignore */
-    }
-    else if (strcaseeq(atype, "TXT"))
-    {
-	char *end = rest + strlen(rest);
-	err_t txt_ugh;
-
-	if (*rest == '"' && end[-1] == '"')
+	else if (strcaseeq(atype, "NAME"))
 	{
-	    /* strip those pesky quotes */
-	    rest++;
-	    *--end = '\0';
+		/* ignore */
 	}
+	else if (strcaseeq(atype, "TXT"))
+	{
+		char *end = rest + strlen(rest);
+		err_t txt_ugh;
+
+		if (*rest == '"' && end[-1] == '"')
+		{
+			/* strip those pesky quotes */
+			rest++;
+			*--end = '\0';
+		}
 
-	txt_ugh = process_txt_rr_body(rest
-	    , TRUE
-	    , AuthenticatedData? DAL_SIGNED : DAL_NOTSEC
-	    , cr);
+		txt_ugh = process_txt_rr_body(rest
+			, TRUE
+			, AuthenticatedData? DAL_SIGNED : DAL_NOTSEC
+			, cr);
 
-	if (txt_ugh != NULL)
+		if (txt_ugh != NULL)
+		{
+			DBG(DBG_DNS,
+				DBG_log("error processing TXT resource record (%s) while processing: %s"
+						, txt_ugh, rest));
+			cr->cont_fn(cr, txt_ugh);
+			cr->used = TRUE;
+		}
+	}
+	else if (strcaseeq(atype, "SIG"))
+	{
+		/* record the SIG records for posterity */
+		if (cr->last_info != NULL)
+		{
+			free(cr->last_info->dns_sig);
+			cr->last_info->dns_sig = clone_str(rest);
+		}
+	}
+	else if (strcaseeq(atype, "A"))
+	{
+		/* ignore */
+	}
+	else if (strcaseeq(atype, "AAAA"))
 	{
-	    DBG(DBG_DNS,
-		DBG_log("error processing TXT resource record (%s) while processing: %s"
-			, txt_ugh, rest));
-	    cr->cont_fn(cr, txt_ugh);
-	    cr->used = TRUE;
+		/* ignore */
 	}
-    }
-    else if (strcaseeq(atype, "SIG"))
-    {
-	/* record the SIG records for posterity */
-	if (cr->last_info != NULL)
+	else if (strcaseeq(atype, "CNAME"))
 	{
-	    pfreeany(cr->last_info->dns_sig);
-	    cr->last_info->dns_sig = clone_str(rest, "sigrecord");
+		/* ignore */
+	}
+	else if (strcaseeq(atype, "CNAMEFROM"))
+	{
+		/* ignore */
+	}
+	else if (strcaseeq(atype, "PTR"))
+	{
+		/* ignore */
 	}
-    }
-    else if (strcaseeq(atype, "A"))
-    {
-	/* ignore */
-    }
-    else if (strcaseeq(atype, "AAAA"))
-    {
-	/* ignore */
-    }
-    else if (strcaseeq(atype, "CNAME"))
-    {
-	/* ignore */
-    }
-    else if (strcaseeq(atype, "CNAMEFROM"))
-    {
-	/* ignore */
-    }
-    else if (strcaseeq(atype, "PTR"))
-    {
-	/* ignore */
-    }
 #ifdef USE_KEYRR
-    else if (strcaseeq(atype, "KEY"))
-    {
-	err_t key_ugh = process_lwdnsq_key(rest
-	    , AuthenticatedData? DAL_SIGNED : DAL_NOTSEC
-	    , cr);
-
-	if (key_ugh != NULL)
+	else if (strcaseeq(atype, "KEY"))
 	{
-	    DBG(DBG_DNS,
-		DBG_log("error processing KEY resource record (%s) while processing: %s"
-			, key_ugh, rest));
-	    cr->cont_fn(cr, key_ugh);
-	    cr->used = TRUE;
+		err_t key_ugh = process_lwdnsq_key(rest
+			, AuthenticatedData? DAL_SIGNED : DAL_NOTSEC
+			, cr);
+
+		if (key_ugh != NULL)
+		{
+			DBG(DBG_DNS,
+				DBG_log("error processing KEY resource record (%s) while processing: %s"
+						, key_ugh, rest));
+			cr->cont_fn(cr, key_ugh);
+			cr->used = TRUE;
+		}
 	}
-    }
 #endif /* USE_KEYRR */
-    else
-    {
-	ugh = "lwdnsq: unrecognized type";
-    }
-    return ugh;
+	else
+	{
+		ugh = "lwdnsq: unrecognized type";
+	}
+	return ugh;
 }
 #endif /* USE_LWRES */
 
 static void
 recover_adns_die(void)
 {
-    struct adns_continuation *cr = NULL;
-    
-    adns_pid = 0;
-    if(adns_restart_count < ADNS_RESTART_MAX) {
-	adns_restart_count++;
+	struct adns_continuation *cr = NULL;
+	
+	adns_pid = 0;
+	if(adns_restart_count < ADNS_RESTART_MAX) {
+		adns_restart_count++;
 
-	/* next DNS query will restart it */
+		/* next DNS query will restart it */
 
-	/* we have to walk the list of the outstanding requests,
-	 * and redo them!
-	 */
+		/* we have to walk the list of the outstanding requests,
+		 * and redo them!
+		 */
 
-	cr = continuations;
+		cr = continuations;
 
-	/* find the head of the list */
-	if(continuations != NULL) {
-	    for (; cr->previous != NULL; cr = cr->previous);
-	}
-	    
-	next_query = cr;
+		/* find the head of the list */
+		if(continuations != NULL) {
+			for (; cr->previous != NULL; cr = cr->previous);
+		}
+			
+		next_query = cr;
 
-	if(next_query != NULL) {
-	    unsent_ADNS_queries = TRUE;
+		if(next_query != NULL) {
+			unsent_ADNS_queries = TRUE;
+		}
 	}
-    }
 }
 
 void reset_adns_restart_count(void)
 {
-    adns_restart_count=0;
+	adns_restart_count=0;
 }
 
 void
 handle_adns_answer(void)
 {
   /* These are retained across calls to handle_adns_answer. */
-    static size_t buflen = 0;	/* bytes in answer buffer */
+	static size_t buflen = 0;   /* bytes in answer buffer */
 #ifndef USE_LWRES
-    static struct adns_answer buf;
+	static struct adns_answer buf;
 #else /* USE_LWRES */
-    static char buf[LWDNSQ_RESULT_LEN_MAX];
-    static char buf_copy[LWDNSQ_RESULT_LEN_MAX];
+	static char buf[LWDNSQ_RESULT_LEN_MAX];
+	static char buf_copy[LWDNSQ_RESULT_LEN_MAX];
 #endif /* USE_LWRES */
 
-    ssize_t n;
+	ssize_t n;
 
-    passert(buflen < sizeof(buf));
-    n = read(adns_afd, (unsigned char *)&buf + buflen, sizeof(buf) - buflen);
+	passert(buflen < sizeof(buf));
+	n = read(adns_afd, (unsigned char *)&buf + buflen, sizeof(buf) - buflen);
 
-    if (n < 0)
-    {
-	if (errno != EINTR)
+	if (n < 0)
 	{
-	    log_errno((e, "error reading answer from adns"));
-	    /* ??? how can we recover? */
+		if (errno != EINTR)
+		{
+			log_errno((e, "error reading answer from adns"));
+			/* ??? how can we recover? */
+		}
+		n = 0;  /* now n reflects amount read */
 	}
-	n = 0;	/* now n reflects amount read */
-    }
-    else if (n == 0)
-    {
-	/* EOF */
-	if (adns_in_flight != 0)
+	else if (n == 0)
 	{
-	    plog("EOF from ADNS with %d queries outstanding (restarts %d)"
-		 , adns_in_flight, adns_restart_count);
-	    recover_adns_die();
+		/* EOF */
+		if (adns_in_flight != 0)
+		{
+			plog("EOF from ADNS with %d queries outstanding (restarts %d)"
+				 , adns_in_flight, adns_restart_count);
+			recover_adns_die();
+		}
+		if (buflen != 0)
+		{
+			plog("EOF from ADNS with %lu bytes of a partial answer outstanding"
+				 "(restarts %d)"
+				 , (unsigned long)buflen
+				 ,  adns_restart_count);
+			recover_adns_die();
+		}
+		stop_adns();
+		return;
 	}
-	if (buflen != 0)
+	else
 	{
-	    plog("EOF from ADNS with %lu bytes of a partial answer outstanding"
-		 "(restarts %d)"
-		 , (unsigned long)buflen
-		 ,  adns_restart_count);
-	    recover_adns_die();
+		passert(adns_in_flight > 0);
 	}
-	stop_adns();
-	return;
-    }
-    else
-    {
-	passert(adns_in_flight > 0);
-    }
-
-    buflen += n;
+
+	buflen += n;
 #ifndef USE_LWRES
-    while (buflen >= offsetof(struct adns_answer, ans) && buflen >= buf.len)
-    {
-	/* we've got a tasty answer -- process it */
-	err_t ugh;
-	struct adns_continuation *cr = continuation_for_qtid(buf.serial);	/* assume it works */
-	const char *typename = rr_typename(cr->query.type);
-	const char *name_buf = cr->query.name_buf;
+	while (buflen >= offsetof(struct adns_answer, ans) && buflen >= buf.len)
+	{
+		/* we've got a tasty answer -- process it */
+		err_t ugh;
+		struct adns_continuation *cr = continuation_for_qtid(buf.serial);       /* assume it works */
+		const char *typename = rr_typename(cr->query.type);
+		const char *name_buf = cr->query.name_buf;
 
 #ifdef USE_KEYRR
-	passert(cr->keys_from_dns == NULL);
+		passert(cr->keys_from_dns == NULL);
 #endif /* USE_KEYRR */
-	passert(cr->gateways_from_dns == NULL);
-	adns_in_flight--;
-	if (buf.result == -1)
-	{
-	    /* newer resolvers support statp->res_h_errno as well as h_errno.
-	     * That might be better, but older resolvers don't.
-	     * See resolver(3), if you have it.
-	     * The undocumented(!) h_errno values are defined in
-	     * /usr/include/netdb.h.
-	     */
-	    switch (buf.h_errno_val)
-	    {
-	    case NO_DATA:
-		ugh = builddiag("no %s record for %s", typename, name_buf);
-		break;
-	    case HOST_NOT_FOUND:
-		ugh = builddiag("no host %s for %s record", name_buf, typename);
-		break;
-	    default:
-		ugh = builddiag("failure querying DNS for %s of %s: %s"
-		    , typename, name_buf, hstrerror(buf.h_errno_val));
-		break;
-	    }
-	}
-	else if (buf.result > (int) sizeof(buf.ans))
-	{
-	    ugh = builddiag("(INTERNAL ERROR) answer too long (%ld) for buffer"
-		, (long)buf.result);
-	}
-	else
-	{
-	    ugh = process_dns_answer(cr, buf.ans, buf.result);
-	    if (ugh != NULL)
-		ugh = builddiag("failure processing %s record of DNS answer for %s: %s"
-		    , typename, name_buf, ugh);
+		passert(cr->gateways_from_dns == NULL);
+		adns_in_flight--;
+		if (buf.result == -1)
+		{
+			/* newer resolvers support statp->res_h_errno as well as h_errno.
+			 * That might be better, but older resolvers don't.
+			 * See resolver(3), if you have it.
+			 * The undocumented(!) h_errno values are defined in
+			 * /usr/include/netdb.h.
+			 */
+			switch (buf.h_errno_val)
+			{
+			case NO_DATA:
+				ugh = builddiag("no %s record for %s", typename, name_buf);
+				break;
+			case HOST_NOT_FOUND:
+				ugh = builddiag("no host %s for %s record", name_buf, typename);
+				break;
+			default:
+				ugh = builddiag("failure querying DNS for %s of %s: %s"
+					, typename, name_buf, hstrerror(buf.h_errno_val));
+				break;
+			}
+		}
+		else if (buf.result > (int) sizeof(buf.ans))
+		{
+			ugh = builddiag("(INTERNAL ERROR) answer too long (%ld) for buffer"
+				, (long)buf.result);
+		}
+		else
+		{
+			ugh = process_dns_answer(cr, buf.ans, buf.result);
+			if (ugh != NULL)
+				ugh = builddiag("failure processing %s record of DNS answer for %s: %s"
+					, typename, name_buf, ugh);
+		}
+		DBG(DBG_RAW | DBG_CRYPT | DBG_PARSING | DBG_CONTROL | DBG_DNS,
+			DBG_log(BLANK_FORMAT);
+			if (ugh == NULL)
+				DBG_log("asynch DNS answer %lu for %s of %s"
+					, cr->query.serial, typename, name_buf);
+			else
+				DBG_log("asynch DNS answer %lu %s", cr->query.serial, ugh);
+			);
+
+		passert(GLOBALS_ARE_RESET());
+		cr->cont_fn(cr, ugh);
+		reset_globals();
+		release_adns_continuation(cr);
+
+		/* shift out answer that we've consumed */
+		buflen -= buf.len;
+		memmove((unsigned char *)&buf, (unsigned char *)&buf + buf.len, buflen);
 	}
-	DBG(DBG_RAW | DBG_CRYPT | DBG_PARSING | DBG_CONTROL | DBG_DNS,
-	    DBG_log(BLANK_FORMAT);
-	    if (ugh == NULL)
-		DBG_log("asynch DNS answer %lu for %s of %s"
-		    , cr->query.serial, typename, name_buf);
-	    else
-		DBG_log("asynch DNS answer %lu %s", cr->query.serial, ugh);
-	    );
-
-	passert(GLOBALS_ARE_RESET());
-	cr->cont_fn(cr, ugh);
-	reset_globals();
-	release_adns_continuation(cr);
-
-	/* shift out answer that we've consumed */
-	buflen -= buf.len;
-	memmove((unsigned char *)&buf, (unsigned char *)&buf + buf.len, buflen);
-    }
 #else /* USE_LWRES */
-    for (;;)
-    {
-	err_t ugh;
-	char *nlp = memchr(buf, '\n', buflen);
+	for (;;)
+	{
+		err_t ugh;
+		char *nlp = memchr(buf, '\n', buflen);
 
-	if (nlp == NULL)
-	    break;
+		if (nlp == NULL)
+			break;
 
-	/* we've got a line */
-	*nlp++ = '\0';
+		/* we've got a line */
+		*nlp++ = '\0';
 
-	DBG(DBG_RAW | DBG_CRYPT | DBG_PARSING | DBG_CONTROL | DBG_DNS
-	    , DBG_log("lwdns: %s", buf));
+		DBG(DBG_RAW | DBG_CRYPT | DBG_PARSING | DBG_CONTROL | DBG_DNS
+			, DBG_log("lwdns: %s", buf));
 
-	/* process lwdnsq_answer may modify buf, so make a copy. */
-	buf_copy[0]='\0';
-	strncat(buf_copy, buf, sizeof(buf_copy));
+		/* process lwdnsq_answer may modify buf, so make a copy. */
+		buf_copy[0]='\0';
+		strncat(buf_copy, buf, sizeof(buf_copy));
 
-	ugh = process_lwdnsq_answer(buf_copy);
-	if (ugh != NULL)
-	    plog("failure processing lwdnsq output: %s; record: %s"
-		 , ugh, buf);
+		ugh = process_lwdnsq_answer(buf_copy);
+		if (ugh != NULL)
+			plog("failure processing lwdnsq output: %s; record: %s"
+				 , ugh, buf);
 
-	passert(GLOBALS_ARE_RESET());
-	reset_globals();
+		passert(GLOBALS_ARE_RESET());
+		reset_globals();
 
-	/* shift out answer that we've consumed */
-	buflen -= nlp - buf;
-	memmove(buf, nlp, buflen);
-    }
+		/* shift out answer that we've consumed */
+		buflen -= nlp - buf;
+		memmove(buf, nlp, buflen);
+	}
 #endif /* USE_LWRES */
 }
diff --git a/src/pluto/dnskey.h b/src/pluto/dnskey.h
index f69c226c8..976c715bf 100644
--- a/src/pluto/dnskey.h
+++ b/src/pluto/dnskey.h
@@ -10,14 +10,12 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: dnskey.h 3252 2007-10-06 21:24:50Z andreas $
  */
 
 extern int
-    adns_qfd,	/* file descriptor for sending queries to adns */
-    adns_afd;	/* file descriptor for receiving answers from adns */
-extern const char *pluto_adns_option;	/* path from --pluto_adns */
+	adns_qfd,   /* file descriptor for sending queries to adns */
+	adns_afd;   /* file descriptor for receiving answers from adns */
+extern const char *pluto_adns_option;   /* path from --pluto_adns */
 extern void init_adns(void);
 extern void stop_adns(void);
 extern void handle_adns_answer(void);
@@ -30,55 +28,55 @@ extern void send_unsent_ADNS_queries(void);
  * Freed by call to release_adns_continuation.
  */
 
-struct adns_continuation;	/* forward declaration (not far!) */
+struct adns_continuation;       /* forward declaration (not far!) */
 
 typedef void (*cont_fn_t)(struct adns_continuation *cr, err_t ugh);
 
 struct adns_continuation {
-    unsigned long qtid;	/* query transaction id number */
-    int type;	/* T_TXT or T_KEY, selecting rr type of interest */
-    cont_fn_t cont_fn;	/* function to carry on suspended work */
-    struct id id;	/* subject of query */
-    bool sgw_specified;
-    struct id sgw_id;	/* peer, if constrained */
-    lset_t debugging;	/* only used #ifdef DEBUG, but don't want layout to change */
-    struct gw_info *gateways_from_dns;	/* answer, if looking for our TXT rrs */
+	unsigned long qtid; /* query transaction id number */
+	int type;   /* T_TXT or T_KEY, selecting rr type of interest */
+	cont_fn_t cont_fn;  /* function to carry on suspended work */
+	struct id id;       /* subject of query */
+	bool sgw_specified;
+	struct id sgw_id;   /* peer, if constrained */
+	lset_t debugging;   /* only used #ifdef DEBUG, but don't want layout to change */
+	struct gw_info *gateways_from_dns;  /* answer, if looking for our TXT rrs */
 #ifdef USE_KEYRR
-    struct pubkey_list *keys_from_dns;	/* answer, if looking for KEY rrs */
+	struct pubkey_list *keys_from_dns;  /* answer, if looking for KEY rrs */
 #endif
-    struct adns_continuation *previous, *next;
-    struct pubkey *last_info;  /* the last structure we accumulated */
+	struct adns_continuation *previous, *next;
+	struct pubkey *last_info;  /* the last structure we accumulated */
 #ifdef USE_LWRES
-    bool used;	/* have we called the cont_fn yet? */
-    struct {
-	u_char name_buf[NS_MAXDNAME + 2];
-    } query;
+	bool used;  /* have we called the cont_fn yet? */
+	struct {
+		u_char name_buf[NS_MAXDNAME + 2];
+	} query;
 #else /* ! USE_LWRES */
-    struct adns_query query;
+	struct adns_query query;
 #endif /* ! USE_LWRES */
 };
 
-extern err_t start_adns_query(const struct id *id	/* domain to query */
-    , const struct id *sgw_id	/* if non-null, any accepted gw_info must match */
-    , int type	/* T_TXT or T_KEY, selecting rr type of interest */
-    , cont_fn_t cont_fn	/* continuation function */
-    , struct adns_continuation *cr);
+extern err_t start_adns_query(const struct id *id       /* domain to query */
+	, const struct id *sgw_id   /* if non-null, any accepted gw_info must match */
+	, int type  /* T_TXT or T_KEY, selecting rr type of interest */
+	, cont_fn_t cont_fn /* continuation function */
+	, struct adns_continuation *cr);
 
 
 /* Gateway info gleaned from reverse DNS of client */
 struct gw_info {
-    unsigned refcnt;	/* reference counted! */
-    unsigned pref;	/* preference: lower is better */
-#define NO_TIME ((time_t) -2)	/* time_t value meaning "not_yet" */
-    struct id client_id;	/* id of client of peer */
-    struct id gw_id;	/* id of peer (if id_is_ipaddr, .ip_addr is address) */
-    bool gw_key_present;
-    struct pubkey *key;
-    struct gw_info *next;
+	unsigned refcnt;    /* reference counted! */
+	unsigned pref;      /* preference: lower is better */
+#define NO_TIME ((time_t) -2)   /* time_t value meaning "not_yet" */
+	struct id client_id;        /* id of client of peer */
+	struct id gw_id;    /* id of peer (if id_is_ipaddr, .ip_addr is address) */
+	bool gw_key_present;
+	struct pubkey *key;
+	struct gw_info *next;
 };
 
 extern void gw_addref(struct gw_info *gw)
-    , gw_delref(struct gw_info **gwp);
+	, gw_delref(struct gw_info **gwp);
 
 extern void reset_adns_restart_count(void);
 
diff --git a/src/pluto/dsa.c b/src/pluto/dsa.c
deleted file mode 100644
index c5982fbf4..000000000
--- a/src/pluto/dsa.c
+++ /dev/null
@@ -1,476 +0,0 @@
-/* dsa.c  -  DSA signature scheme
- *	Copyright (C) 1998 Free Software Foundation, Inc.
- *
- * This file is part of GnuPG.
- *
- * GnuPG is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * GnuPG is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
- */
-
-#ifdef PLUTO
-#include <gmp.h>
-#include <freeswan.h>
-#include "constants.h"
-#include "defs.h"
-#include "log.h"
-#include "rnd.h"
-#include "gcryptfix.h"
-#else /*! PLUTO */
-/* #include <config.h> */
-#endif /* !PLUTO */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
-#ifndef PLUTO
-/* #include <assert.h> */
-/* #include "util.h" */
-/* #include "mpi.h" */
-/* #include "cipher.h" */
-#endif
-
-#include "dsa.h"
-
-typedef struct {
-    MPI p;	    /* prime */
-    MPI q;	    /* group order */
-    MPI g;	    /* group generator */
-    MPI y;	    /* g^x mod p */
-} DSA_public_key;
-
-
-typedef struct {
-    MPI p;	    /* prime */
-    MPI q;	    /* group order */
-    MPI g;	    /* group generator */
-    MPI y;	    /* g^x mod p */
-    MPI x;	    /* secret exponent */
-} DSA_secret_key;
-
-
-static MPI gen_k( MPI q );
-static void test_keys( DSA_secret_key *sk, unsigned qbits );
-static int  check_secret_key( DSA_secret_key *sk );
-static void generate( DSA_secret_key *sk, unsigned nbits, MPI **ret_factors );
-static void sign(MPI r, MPI s, MPI input, DSA_secret_key *skey);
-static int  verify(MPI r, MPI s, MPI input, DSA_public_key *pkey);
-
-static void
-progress( int c )
-{
-    fputc( c, stderr );
-}
-
-
-/****************
- * Generate a random secret exponent k less than q
- */
-static MPI
-gen_k( MPI q )
-{
-    MPI k = mpi_alloc_secure( mpi_get_nlimbs(q) );
-    unsigned int nbits = mpi_get_nbits(q);
-    unsigned int nbytes = (nbits+7)/8;
-    char *rndbuf = NULL;
-
-    if( DBG_CIPHER )
-	log_debug("choosing a random k ");
-    for(;;) {
-	if( DBG_CIPHER )
-	    progress('.');
-
-	if( !rndbuf || nbits < 32 ) {
-	    m_free(rndbuf);
-	    rndbuf = get_random_bits( nbits, 1, 1 );
-	}
-	else { /* change only some of the higher bits */
-	    /* we could imporove this by directly requesting more memory
-	     * at the first call to get_random_bits() and use this the here
-	     * maybe it is easier to do this directly in random.c */
-	    char *pp = get_random_bits( 32, 1, 1 );
-	    memcpy( rndbuf,pp, 4 );
-	    m_free(pp);
-	}
-	mpi_set_buffer( k, rndbuf, nbytes, 0 );
-	if( mpi_test_bit( k, nbits-1 ) )
-	    mpi_set_highbit( k, nbits-1 );
-	else {
-	    mpi_set_highbit( k, nbits-1 );
-	    mpi_clear_bit( k, nbits-1 );
-	}
-
-	if( !(mpi_cmp( k, q ) < 0) ) {	/* check: k < q */
-	    if( DBG_CIPHER )
-		progress('+');
-	    continue; /* no  */
-	}
-	if( !(mpi_cmp_ui( k, 0 ) > 0) ) { /* check: k > 0 */
-	    if( DBG_CIPHER )
-		progress('-');
-	    continue; /* no */
-	}
-	break;	/* okay */
-    }
-    m_free(rndbuf);
-    if( DBG_CIPHER )
-	progress('\n');
-
-    return k;
-}
-
-
-static void
-test_keys( DSA_secret_key *sk, unsigned qbits )
-{
-    DSA_public_key pk;
-    MPI test = mpi_alloc( qbits / BITS_PER_MPI_LIMB );
-    MPI out1_a = mpi_alloc( qbits / BITS_PER_MPI_LIMB );
-    MPI out1_b = mpi_alloc( qbits / BITS_PER_MPI_LIMB );
-
-    pk.p = sk->p;
-    pk.q = sk->q;
-    pk.g = sk->g;
-    pk.y = sk->y;
-    /*mpi_set_bytes( test, qbits, get_random_byte, 0 );*/
-    {	char *p = get_random_bits( qbits, 0, 0 );
-	mpi_set_buffer( test, p, (qbits+7)/8, 0 );
-	m_free(p);
-    }
-
-    sign( out1_a, out1_b, test, sk );
-    if( !verify( out1_a, out1_b, test, &pk ) )
-	log_fatal("DSA:: sign, verify failed\n");
-
-    mpi_free( test );
-    mpi_free( out1_a );
-    mpi_free( out1_b );
-}
-
-
-
-/****************
- * Generate a DSA key pair with a key of size NBITS
- * Returns: 2 structures filled with all needed values
- *	    and an array with the n-1 factors of (p-1)
- */
-static void
-generate( DSA_secret_key *sk, unsigned nbits, MPI **ret_factors )
-{
-    MPI p;    /* the prime */
-    MPI q;    /* the 160 bit prime factor */
-    MPI g;    /* the generator */
-    MPI y;    /* g^x mod p */
-    MPI x;    /* the secret exponent */
-    MPI h, e;  /* helper */
-    unsigned qbits;
-    byte *rndbuf;
-
-    assert( nbits >= 512 && nbits <= 1024 );
-
-    qbits = 160;
-    p = generate_elg_prime( 1, nbits, qbits, NULL, ret_factors );
-    /* get q out of factors */
-    q = mpi_copy((*ret_factors)[0]);
-    if( mpi_get_nbits(q) != qbits )
-	BUG();
-
-    /* find a generator g (h and e are helpers)*/
-    /* e = (p-1)/q */
-    e = mpi_alloc( mpi_get_nlimbs(p) );
-    mpi_sub_ui( e, p, 1 );
-    mpi_fdiv_q( e, e, q );
-    g = mpi_alloc( mpi_get_nlimbs(p) );
-    h = mpi_alloc_set_ui( 1 ); /* we start with 2 */
-    do {
-	mpi_add_ui( h, h, 1 );
-	/* g = h^e mod p */
-	mpi_powm( g, h, e, p );
-    } while( !mpi_cmp_ui( g, 1 ) );  /* continue until g != 1 */
-
-    /* select a random number which has these properties:
-     *	 0 < x < q-1
-     * This must be a very good random number because this
-     * is the secret part. */
-    if( DBG_CIPHER )
-	log_debug("choosing a random x ");
-    assert( qbits >= 160 );
-    x = mpi_alloc_secure( mpi_get_nlimbs(q) );
-    mpi_sub_ui( h, q, 1 );  /* put q-1 into h */
-    rndbuf = NULL;
-    do {
-	if( DBG_CIPHER )
-	    progress('.');
-	if( !rndbuf )
-	    rndbuf = get_random_bits( qbits, 2, 1 );
-	else { /* change only some of the higher bits (= 2 bytes)*/
-	    char *r = get_random_bits( 16, 2, 1 );
-	    memcpy(rndbuf, r, 16/8 );
-	    m_free(r);
-	}
-	mpi_set_buffer( x, rndbuf, (qbits+7)/8, 0 );
-	mpi_clear_highbit( x, qbits+1 );
-    } while( !( mpi_cmp_ui( x, 0 )>0 && mpi_cmp( x, h )<0 ) );
-    m_free(rndbuf);
-    mpi_free( e );
-    mpi_free( h );
-
-    /* y = g^x mod p */
-    y = mpi_alloc( mpi_get_nlimbs(p) );
-    mpi_powm( y, g, x, p );
-
-    if( DBG_CIPHER ) {
-	progress('\n');
-	log_mpidump("dsa  p= ", p );
-	log_mpidump("dsa  q= ", q );
-	log_mpidump("dsa  g= ", g );
-	log_mpidump("dsa  y= ", y );
-	log_mpidump("dsa  x= ", x );
-    }
-
-    /* copy the stuff to the key structures */
-    sk->p = p;
-    sk->q = q;
-    sk->g = g;
-    sk->y = y;
-    sk->x = x;
-
-    /* now we can test our keys (this should never fail!) */
-    test_keys( sk, qbits );
-}
-
-
-
-/****************
- * Test whether the secret key is valid.
- * Returns: if this is a valid key.
- */
-static int
-check_secret_key( DSA_secret_key *sk )
-{
-    int rc;
-    MPI y = mpi_alloc( mpi_get_nlimbs(sk->y) );
-
-    mpi_powm( y, sk->g, sk->x, sk->p );
-    rc = !mpi_cmp( y, sk->y );
-    mpi_free( y );
-    return rc;
-}
-
-
-
-/****************
- * Make a DSA signature from HASH and put it into r and s.
- */
-
-static void
-sign(MPI r, MPI s, MPI hash, DSA_secret_key *skey )
-{
-    MPI k;
-    MPI kinv;
-    MPI tmp;
-
-    /* select a random k with 0 < k < q */
-    k = gen_k( skey->q );
-
-    /* r = (a^k mod p) mod q */
-    mpi_powm( r, skey->g, k, skey->p );
-    mpi_fdiv_r( r, r, skey->q );
-
-    /* kinv = k^(-1) mod q */
-    kinv = mpi_alloc( mpi_get_nlimbs(k) );
-    mpi_invm(kinv, k, skey->q );
-
-    /* s = (kinv * ( hash + x * r)) mod q */
-    tmp = mpi_alloc( mpi_get_nlimbs(skey->p) );
-    mpi_mul( tmp, skey->x, r );
-    mpi_add( tmp, tmp, hash );
-    mpi_mulm( s , kinv, tmp, skey->q );
-
-    mpi_free(k);
-    mpi_free(kinv);
-    mpi_free(tmp);
-}
-
-
-/****************
- * Returns true if the signature composed from R and S is valid.
- */
-static int
-verify(MPI r, MPI s, MPI hash, DSA_public_key *pkey )
-{
-    int rc;
-    MPI w, u1, u2, v;
-    MPI base[3];
-    MPI exp[3];
-
-
-    if( !(mpi_cmp_ui( r, 0 ) > 0 && mpi_cmp( r, pkey->q ) < 0) )
-	return 0; /* assertion	0 < r < q  failed */
-    if( !(mpi_cmp_ui( s, 0 ) > 0 && mpi_cmp( s, pkey->q ) < 0) )
-	return 0; /* assertion	0 < s < q  failed */
-
-    w  = mpi_alloc( mpi_get_nlimbs(pkey->q) );
-    u1 = mpi_alloc( mpi_get_nlimbs(pkey->q) );
-    u2 = mpi_alloc( mpi_get_nlimbs(pkey->q) );
-    v  = mpi_alloc( mpi_get_nlimbs(pkey->p) );
-
-    /* w = s^(-1) mod q */
-    mpi_invm( w, s, pkey->q );
-
-    /* u1 = (hash * w) mod q */
-    mpi_mulm( u1, hash, w, pkey->q );
-
-    /* u2 = r * w mod q  */
-    mpi_mulm( u2, r, w, pkey->q );
-
-    /* v =  g^u1 * y^u2 mod p mod q */
-    base[0] = pkey->g; exp[0] = u1;
-    base[1] = pkey->y; exp[1] = u2;
-    base[2] = NULL;    exp[2] = NULL;
-    mpi_mulpowm( v, base, exp, pkey->p );
-    mpi_fdiv_r( v, v, pkey->q );
-
-    rc = !mpi_cmp( v, r );
-
-    mpi_free(w);
-    mpi_free(u1);
-    mpi_free(u2);
-    mpi_free(v);
-    return rc;
-}
-
-
-/*********************************************
- **************  interface  ******************
- *********************************************/
-
-int
-dsa_generate( int algo, unsigned nbits, MPI *skey, MPI **retfactors )
-{
-    DSA_secret_key sk;
-
-    if( algo != PUBKEY_ALGO_DSA )
-	return G10ERR_PUBKEY_ALGO;
-
-    generate( &sk, nbits, retfactors );
-    skey[0] = sk.p;
-    skey[1] = sk.q;
-    skey[2] = sk.g;
-    skey[3] = sk.y;
-    skey[4] = sk.x;
-    return 0;
-}
-
-
-int
-dsa_check_secret_key( int algo, MPI *skey )
-{
-    DSA_secret_key sk;
-
-    if( algo != PUBKEY_ALGO_DSA )
-	return G10ERR_PUBKEY_ALGO;
-    if( !skey[0] || !skey[1] || !skey[2] || !skey[3] || !skey[4] )
-	return G10ERR_BAD_MPI;
-
-    sk.p = skey[0];
-    sk.q = skey[1];
-    sk.g = skey[2];
-    sk.y = skey[3];
-    sk.x = skey[4];
-    if( !check_secret_key( &sk ) )
-	return G10ERR_BAD_SECKEY;
-
-    return 0;
-}
-
-
-
-int
-dsa_sign( int algo, MPI *resarr, MPI data, MPI *skey )
-{
-    DSA_secret_key sk;
-
-    if( algo != PUBKEY_ALGO_DSA )
-	return G10ERR_PUBKEY_ALGO;
-    if( !data || !skey[0] || !skey[1] || !skey[2] || !skey[3] || !skey[4] )
-	return G10ERR_BAD_MPI;
-
-    sk.p = skey[0];
-    sk.q = skey[1];
-    sk.g = skey[2];
-    sk.y = skey[3];
-    sk.x = skey[4];
-    resarr[0] = mpi_alloc( mpi_get_nlimbs( sk.p ) );
-    resarr[1] = mpi_alloc( mpi_get_nlimbs( sk.p ) );
-    sign( resarr[0], resarr[1], data, &sk );
-    return 0;
-}
-
-int
-dsa_verify( int algo, MPI hash, MPI *data, MPI *pkey,
-		    int (*cmp)(void *, MPI) UNUSED, void *opaquev UNUSED)
-{
-    DSA_public_key pk;
-
-    if( algo != PUBKEY_ALGO_DSA )
-	return G10ERR_PUBKEY_ALGO;
-    if( !data[0] || !data[1] || !hash
-	|| !pkey[0] || !pkey[1] || !pkey[2] || !pkey[3] )
-	return G10ERR_BAD_MPI;
-
-    pk.p = pkey[0];
-    pk.q = pkey[1];
-    pk.g = pkey[2];
-    pk.y = pkey[3];
-    if( !verify( data[0], data[1], hash, &pk ) )
-	return G10ERR_BAD_SIGN;
-    return 0;
-}
-
-
-
-unsigned
-dsa_get_nbits( int algo, MPI *pkey )
-{
-    if( algo != PUBKEY_ALGO_DSA )
-	return 0;
-    return mpi_get_nbits( pkey[0] );
-}
-
-
-/****************
- * Return some information about the algorithm.  We need algo here to
- * distinguish different flavors of the algorithm.
- * Returns: A pointer to string describing the algorithm or NULL if
- *	    the ALGO is invalid.
- * Usage: Bit 0 set : allows signing
- *	      1 set : allows encryption
- */
-const char *
-dsa_get_info( int algo, int *npkey, int *nskey, int *nenc, int *nsig,
-							 int *use )
-{
-    *npkey = 4;
-    *nskey = 5;
-    *nenc = 0;
-    *nsig = 2;
-
-    switch( algo ) {
-      case PUBKEY_ALGO_DSA:   *use = PUBKEY_USAGE_SIG; return "DSA";
-      default: *use = 0; return NULL;
-    }
-}
-
-
diff --git a/src/pluto/dsa.h b/src/pluto/dsa.h
deleted file mode 100644
index 1456d65b6..000000000
--- a/src/pluto/dsa.h
+++ /dev/null
@@ -1,32 +0,0 @@
-/* dsa.h  -  DSA signature scheme
- *	Copyright (C) 1998 Free Software Foundation, Inc.
- *
- * This file is part of GnuPG.
- *
- * GnuPG is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * GnuPG is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
- */
-#ifndef G10_DSA_H
-#define G10_DSA_H
-
-int dsa_generate( int algo, unsigned nbits, MPI *skey, MPI **retfactors );
-int dsa_check_secret_key( int algo, MPI *skey );
-int dsa_sign( int algo, MPI *resarr, MPI data, MPI *skey );
-int dsa_verify( int algo, MPI hash, MPI *data, MPI *pkey,
-		    int (*cmp)(void *, MPI), void *opaquev );
-unsigned dsa_get_nbits( int algo, MPI *pkey );
-const char *dsa_get_info( int algo, int *npkey, int *nskey,
-				    int *nenc, int *nsig, int *use );
-
-#endif /*G10_DSA_H*/
diff --git a/src/pluto/elgamal.c b/src/pluto/elgamal.c
deleted file mode 100644
index 0c099bb90..000000000
--- a/src/pluto/elgamal.c
+++ /dev/null
@@ -1,613 +0,0 @@
-/* elgamal.c  -  ElGamal Public Key encryption
- *	Copyright (C) 1998 Free Software Foundation, Inc.
- *
- * For a description of the algorithm, see:
- *   Bruce Schneier: Applied Cryptography. John Wiley & Sons, 1996.
- *   ISBN 0-471-11709-9. Pages 476 ff.
- *
- * This file is part of GnuPG.
- *
- * GnuPG is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * GnuPG is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
- */
-
-#ifdef PLUTO
-#include <gmp.h>
-#include <freeswan.h>
-#include "constants.h"
-#include "defs.h"
-#include "log.h"
-#include "rnd.h"
-#include "gcryptfix.h"
-#else /*! PLUTO */
-/* #include <config.h> */
-#endif /* !PLUTO */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
-#ifndef PLUTO
-/* #include "util.h" */
-/* #include "mpi.h" */
-/* #include "cipher.h" */
-#endif
-
-#include "elgamal.h"
-
-typedef struct {
-    MPI p;	    /* prime */
-    MPI g;	    /* group generator */
-    MPI y;	    /* g^x mod p */
-} ELG_public_key;
-
-
-typedef struct {
-    MPI p;	    /* prime */
-    MPI g;	    /* group generator */
-    MPI y;	    /* g^x mod p */
-    MPI x;	    /* secret exponent */
-} ELG_secret_key;
-
-
-static void test_keys( ELG_secret_key *sk, unsigned nbits );
-static MPI gen_k( MPI p );
-static void generate( ELG_secret_key *sk, unsigned nbits, MPI **factors );
-static int  check_secret_key( ELG_secret_key *sk );
-static void encrypt(MPI a, MPI b, MPI input, ELG_public_key *pkey );
-static void decrypt(MPI output, MPI a, MPI b, ELG_secret_key *skey );
-static void sign(MPI a, MPI b, MPI input, ELG_secret_key *skey);
-static int  verify(MPI a, MPI b, MPI input, ELG_public_key *pkey);
-
-
-static void
-progress( int c )
-{
-    fputc( c, stderr );
-}
-
-
-static void
-test_keys( ELG_secret_key *sk, unsigned nbits )
-{
-    ELG_public_key pk;
-    MPI test = mpi_alloc( 0 );
-    MPI out1_a = mpi_alloc( nbits / BITS_PER_MPI_LIMB );
-    MPI out1_b = mpi_alloc( nbits / BITS_PER_MPI_LIMB );
-    MPI out2 = mpi_alloc( nbits / BITS_PER_MPI_LIMB );
-
-    pk.p = sk->p;
-    pk.g = sk->g;
-    pk.y = sk->y;
-
-    /*mpi_set_bytes( test, nbits, get_random_byte, 0 );*/
-    {	char *p = get_random_bits( nbits, 0, 0 );
-	mpi_set_buffer( test, p, (nbits+7)/8, 0 );
-	m_free(p);
-    }
-
-    encrypt( out1_a, out1_b, test, &pk );
-    decrypt( out2, out1_a, out1_b, sk );
-    if( mpi_cmp( test, out2 ) )
-	log_fatal("ElGamal operation: encrypt, decrypt failed\n");
-
-    sign( out1_a, out1_b, test, sk );
-    if( !verify( out1_a, out1_b, test, &pk ) )
-	log_fatal("ElGamal operation: sign, verify failed\n");
-
-    mpi_free( test );
-    mpi_free( out1_a );
-    mpi_free( out1_b );
-    mpi_free( out2 );
-}
-
-
-/****************
- * generate a random secret exponent k from prime p, so
- * that k is relatively prime to p-1
- */
-static MPI
-gen_k( MPI p )
-{
-    MPI k = mpi_alloc_secure( 0 );
-    MPI temp = mpi_alloc( mpi_get_nlimbs(p) );
-    MPI p_1 = mpi_copy(p);
-    unsigned int nbits = mpi_get_nbits(p);
-    unsigned int nbytes = (nbits+7)/8;
-    char *rndbuf = NULL;
-
-    if( DBG_CIPHER )
-	log_debug("choosing a random k ");
-    mpi_sub_ui( p_1, p, 1);
-    for(;;) {
-	if( DBG_CIPHER )
-	    progress('.');
-	if( !rndbuf || nbits < 32 ) {
-	    m_free(rndbuf);
-	    rndbuf = get_random_bits( nbits, 1, 1 );
-	}
-	else { /* change only some of the higher bits */
-	    /* we could imporove this by directly requesting more memory
-	     * at the first call to get_random_bits() and use this the here
-	     * maybe it is easier to do this directly in random.c */
-	    char *pp = get_random_bits( 32, 1, 1 );
-	    memcpy( rndbuf,pp, 4 );
-	    m_free(pp);
-	}
-	mpi_set_buffer( k, rndbuf, nbytes, 0 );
-
-	for(;;) {
-	    /* make sure that the number is of the exact lenght */
-	    if( mpi_test_bit( k, nbits-1 ) )
-		mpi_set_highbit( k, nbits-1 );
-	    else {
-		mpi_set_highbit( k, nbits-1 );
-		mpi_clear_bit( k, nbits-1 );
-	    }
-	    if( !(mpi_cmp( k, p_1 ) < 0) ) {  /* check: k < (p-1) */
-		if( DBG_CIPHER )
-		    progress('+');
-		break; /* no  */
-	    }
-	    if( !(mpi_cmp_ui( k, 0 ) > 0) ) { /* check: k > 0 */
-		if( DBG_CIPHER )
-		    progress('-');
-		break; /* no */
-	    }
-	    if( mpi_gcd( temp, k, p_1 ) )
-		goto found;  /* okay, k is relatively prime to (p-1) */
-	    mpi_add_ui( k, k, 1 );
-	}
-    }
-  found:
-    m_free(rndbuf);
-    if( DBG_CIPHER )
-	progress('\n');
-    mpi_free(p_1);
-    mpi_free(temp);
-
-    return k;
-}
-
-/****************
- * Generate a key pair with a key of size NBITS
- * Returns: 2 structures filles with all needed values
- *	    and an array with n-1 factors of (p-1)
- */
-static void
-generate(  ELG_secret_key *sk, unsigned nbits, MPI **ret_factors )
-{
-    MPI p;    /* the prime */
-    MPI p_min1;
-    MPI g;
-    MPI x;    /* the secret exponent */
-    MPI y;
-    MPI temp;
-    unsigned qbits;
-    byte *rndbuf;
-
-    p_min1 = mpi_alloc( (nbits+BITS_PER_MPI_LIMB-1)/BITS_PER_MPI_LIMB );
-    temp   = mpi_alloc( (nbits+BITS_PER_MPI_LIMB-1)/BITS_PER_MPI_LIMB );
-    if( nbits < 512 )
-	qbits = 120;
-    else if( nbits <= 1024 )
-	qbits = 160;
-    else if( nbits <= 2048 )
-	qbits = 200;
-    else
-	qbits = 240;
-    g = mpi_alloc(1);
-    p = generate_elg_prime( 0, nbits, qbits, g, ret_factors );
-    mpi_sub_ui(p_min1, p, 1);
-
-
-    /* select a random number which has these properties:
-     *	 0 < x < p-1
-     * This must be a very good random number because this is the
-     * secret part.  The prime is public and may be shared anyway,
-     * so a random generator level of 1 is used for the prime.
-     */
-    x = mpi_alloc_secure( nbits/BITS_PER_MPI_LIMB );
-    if( DBG_CIPHER )
-	log_debug("choosing a random x ");
-    rndbuf = NULL;
-    do {
-	if( DBG_CIPHER )
-	    progress('.');
-	if( rndbuf ) { /* change only some of the higher bits */
-	    if( nbits < 16 ) {/* should never happen ... */
-		m_free(rndbuf);
-		rndbuf = get_random_bits( nbits, 2, 1 );
-	    }
-	    else {
-		char *r = get_random_bits( 16, 2, 1 );
-		memcpy(rndbuf, r, 16/8 );
-		m_free(r);
-	    }
-	}
-	else
-	    rndbuf = get_random_bits( nbits, 2, 1 );
-	mpi_set_buffer( x, rndbuf, (nbits+7)/8, 0 );
-	mpi_clear_highbit( x, nbits+1 );
-    } while( !( mpi_cmp_ui( x, 0 )>0 && mpi_cmp( x, p_min1 )<0 ) );
-    m_free(rndbuf);
-
-    y = mpi_alloc(nbits/BITS_PER_MPI_LIMB);
-    mpi_powm( y, g, x, p );
-
-    if( DBG_CIPHER ) {
-	progress('\n');
-	log_mpidump("elg  p= ", p );
-	log_mpidump("elg  g= ", g );
-	log_mpidump("elg  y= ", y );
-	log_mpidump("elg  x= ", x );
-    }
-
-    /* copy the stuff to the key structures */
-    sk->p = p;
-    sk->g = g;
-    sk->y = y;
-    sk->x = x;
-
-    /* now we can test our keys (this should never fail!) */
-    test_keys( sk, nbits - 64 );
-
-    mpi_free( p_min1 );
-    mpi_free( temp   );
-}
-
-
-/****************
- * Test whether the secret key is valid.
- * Returns: if this is a valid key.
- */
-static int
-check_secret_key( ELG_secret_key *sk )
-{
-    int rc;
-    MPI y = mpi_alloc( mpi_get_nlimbs(sk->y) );
-
-    mpi_powm( y, sk->g, sk->x, sk->p );
-    rc = !mpi_cmp( y, sk->y );
-    mpi_free( y );
-    return rc;
-}
-
-
-static void
-encrypt(MPI a, MPI b, MPI input, ELG_public_key *pkey )
-{
-    MPI k;
-
-    /* Note: maybe we should change the interface, so that it
-     * is possible to check that input is < p and return an
-     * error code.
-     */
-
-    k = gen_k( pkey->p );
-    mpi_powm( a, pkey->g, k, pkey->p );
-    /* b = (y^k * input) mod p
-     *	 = ((y^k mod p) * (input mod p)) mod p
-     * and because input is < p
-     *	 = ((y^k mod p) * input) mod p
-     */
-    mpi_powm( b, pkey->y, k, pkey->p );
-    mpi_mulm( b, b, input, pkey->p );
-  #if 0
-    if( DBG_CIPHER ) {
-	log_mpidump("elg encrypted y= ", pkey->y);
-	log_mpidump("elg encrypted p= ", pkey->p);
-	log_mpidump("elg encrypted k= ", k);
-	log_mpidump("elg encrypted M= ", input);
-	log_mpidump("elg encrypted a= ", a);
-	log_mpidump("elg encrypted b= ", b);
-    }
-  #endif
-    mpi_free(k);
-}
-
-
-
-
-static void
-decrypt(MPI output, MPI a, MPI b, ELG_secret_key *skey )
-{
-    MPI t1 = mpi_alloc_secure( mpi_get_nlimbs( skey->p ) );
-
-    /* output = b/(a^x) mod p */
-
-    mpi_powm( t1, a, skey->x, skey->p );
-    mpi_invm( t1, t1, skey->p );
-    mpi_mulm( output, b, t1, skey->p );
-  #if 0
-    if( DBG_CIPHER ) {
-	log_mpidump("elg decrypted x= ", skey->x);
-	log_mpidump("elg decrypted p= ", skey->p);
-	log_mpidump("elg decrypted a= ", a);
-	log_mpidump("elg decrypted b= ", b);
-	log_mpidump("elg decrypted M= ", output);
-    }
-  #endif
-    mpi_free(t1);
-}
-
-
-/****************
- * Make an Elgamal signature out of INPUT
- */
-
-static void
-sign(MPI a, MPI b, MPI input, ELG_secret_key *skey )
-{
-    MPI k;
-    MPI t   = mpi_alloc( mpi_get_nlimbs(a) );
-    MPI inv = mpi_alloc( mpi_get_nlimbs(a) );
-    MPI p_1 = mpi_copy(skey->p);
-
-   /*
-    * b = (t * inv) mod (p-1)
-    * b = (t * inv(k,(p-1),(p-1)) mod (p-1)
-    * b = (((M-x*a) mod (p-1)) * inv(k,(p-1),(p-1))) mod (p-1)
-    *
-    */
-    mpi_sub_ui(p_1, p_1, 1);
-    k = gen_k( skey->p );
-    mpi_powm( a, skey->g, k, skey->p );
-    mpi_mul(t, skey->x, a );
-    mpi_subm(t, input, t, p_1 );
-    while( mpi_is_neg(t) )
-	mpi_add(t, t, p_1);
-    mpi_invm(inv, k, p_1 );
-    mpi_mulm(b, t, inv, p_1 );
-
-  #if 0
-    if( DBG_CIPHER ) {
-	log_mpidump("elg sign p= ", skey->p);
-	log_mpidump("elg sign g= ", skey->g);
-	log_mpidump("elg sign y= ", skey->y);
-	log_mpidump("elg sign x= ", skey->x);
-	log_mpidump("elg sign k= ", k);
-	log_mpidump("elg sign M= ", input);
-	log_mpidump("elg sign a= ", a);
-	log_mpidump("elg sign b= ", b);
-    }
-  #endif
-    mpi_free(k);
-    mpi_free(t);
-    mpi_free(inv);
-    mpi_free(p_1);
-}
-
-
-/****************
- * Returns true if the signature composed of A and B is valid.
- */
-static int
-verify(MPI a, MPI b, MPI input, ELG_public_key *pkey )
-{
-    int rc;
-    MPI t1;
-    MPI t2;
-    MPI base[4];
-    MPI exp[4];
-
-    if( !(mpi_cmp_ui( a, 0 ) > 0 && mpi_cmp( a, pkey->p ) < 0) )
-	return 0; /* assertion	0 < a < p  failed */
-
-    t1 = mpi_alloc( mpi_get_nlimbs(a) );
-    t2 = mpi_alloc( mpi_get_nlimbs(a) );
-
-  #if 0
-    /* t1 = (y^a mod p) * (a^b mod p) mod p */
-    mpi_powm( t1, pkey->y, a, pkey->p );
-    mpi_powm( t2, a, b, pkey->p );
-    mpi_mulm( t1, t1, t2, pkey->p );
-
-    /* t2 = g ^ input mod p */
-    mpi_powm( t2, pkey->g, input, pkey->p );
-
-    rc = !mpi_cmp( t1, t2 );
-  #elif 0
-    /* t1 = (y^a mod p) * (a^b mod p) mod p */
-    base[0] = pkey->y; exp[0] = a;
-    base[1] = a;       exp[1] = b;
-    base[2] = NULL;    exp[2] = NULL;
-    mpi_mulpowm( t1, base, exp, pkey->p );
-
-    /* t2 = g ^ input mod p */
-    mpi_powm( t2, pkey->g, input, pkey->p );
-
-    rc = !mpi_cmp( t1, t2 );
-  #else
-    /* t1 = g ^ - input * y ^ a * a ^ b  mod p */
-    mpi_invm(t2, pkey->g, pkey->p );
-    base[0] = t2     ; exp[0] = input;
-    base[1] = pkey->y; exp[1] = a;
-    base[2] = a;       exp[2] = b;
-    base[3] = NULL;    exp[3] = NULL;
-    mpi_mulpowm( t1, base, exp, pkey->p );
-    rc = !mpi_cmp_ui( t1, 1 );
-
-  #endif
-
-    mpi_free(t1);
-    mpi_free(t2);
-    return rc;
-}
-
-/*********************************************
- **************  interface  ******************
- *********************************************/
-
-int
-elg_generate( int algo, unsigned nbits, MPI *skey, MPI **retfactors )
-{
-    ELG_secret_key sk;
-
-    if( !is_ELGAMAL(algo) )
-	return G10ERR_PUBKEY_ALGO;
-
-    generate( &sk, nbits, retfactors );
-    skey[0] = sk.p;
-    skey[1] = sk.g;
-    skey[2] = sk.y;
-    skey[3] = sk.x;
-    return 0;
-}
-
-
-int
-elg_check_secret_key( int algo, MPI *skey )
-{
-    ELG_secret_key sk;
-
-    if( !is_ELGAMAL(algo) )
-	return G10ERR_PUBKEY_ALGO;
-    if( !skey[0] || !skey[1] || !skey[2] || !skey[3] )
-	return G10ERR_BAD_MPI;
-
-    sk.p = skey[0];
-    sk.g = skey[1];
-    sk.y = skey[2];
-    sk.x = skey[3];
-    if( !check_secret_key( &sk ) )
-	return G10ERR_BAD_SECKEY;
-
-    return 0;
-}
-
-
-
-int
-elg_encrypt( int algo, MPI *resarr, MPI data, MPI *pkey )
-{
-    ELG_public_key pk;
-
-    if( !is_ELGAMAL(algo) )
-	return G10ERR_PUBKEY_ALGO;
-    if( !data || !pkey[0] || !pkey[1] || !pkey[2] )
-	return G10ERR_BAD_MPI;
-
-    pk.p = pkey[0];
-    pk.g = pkey[1];
-    pk.y = pkey[2];
-    resarr[0] = mpi_alloc( mpi_get_nlimbs( pk.p ) );
-    resarr[1] = mpi_alloc( mpi_get_nlimbs( pk.p ) );
-    encrypt( resarr[0], resarr[1], data, &pk );
-    return 0;
-}
-
-int
-elg_decrypt( int algo, MPI *result, MPI *data, MPI *skey )
-{
-    ELG_secret_key sk;
-
-    if( !is_ELGAMAL(algo) )
-	return G10ERR_PUBKEY_ALGO;
-    if( !data[0] || !data[1]
-	|| !skey[0] || !skey[1] || !skey[2] || !skey[3] )
-	return G10ERR_BAD_MPI;
-
-    sk.p = skey[0];
-    sk.g = skey[1];
-    sk.y = skey[2];
-    sk.x = skey[3];
-    *result = mpi_alloc_secure( mpi_get_nlimbs( sk.p ) );
-    decrypt( *result, data[0], data[1], &sk );
-    return 0;
-}
-
-int
-elg_sign( int algo, MPI *resarr, MPI data, MPI *skey )
-{
-    ELG_secret_key sk;
-
-    if( !is_ELGAMAL(algo) )
-	return G10ERR_PUBKEY_ALGO;
-    if( !data || !skey[0] || !skey[1] || !skey[2] || !skey[3] )
-	return G10ERR_BAD_MPI;
-
-    sk.p = skey[0];
-    sk.g = skey[1];
-    sk.y = skey[2];
-    sk.x = skey[3];
-    resarr[0] = mpi_alloc( mpi_get_nlimbs( sk.p ) );
-    resarr[1] = mpi_alloc( mpi_get_nlimbs( sk.p ) );
-    sign( resarr[0], resarr[1], data, &sk );
-    return 0;
-}
-
-int
-elg_verify( int algo, MPI hash, MPI *data, MPI *pkey,
-		    int (*cmp)(void *, MPI) UNUSED, void *opaquev UNUSED)
-{
-    ELG_public_key pk;
-
-    if( !is_ELGAMAL(algo) )
-	return G10ERR_PUBKEY_ALGO;
-    if( !data[0] || !data[1] || !hash
-	|| !pkey[0] || !pkey[1] || !pkey[2] )
-	return G10ERR_BAD_MPI;
-
-    pk.p = pkey[0];
-    pk.g = pkey[1];
-    pk.y = pkey[2];
-    if( !verify( data[0], data[1], hash, &pk ) )
-	return G10ERR_BAD_SIGN;
-    return 0;
-}
-
-
-
-unsigned
-elg_get_nbits( int algo, MPI *pkey )
-{
-    if( !is_ELGAMAL(algo) )
-	return 0;
-    return mpi_get_nbits( pkey[0] );
-}
-
-
-/****************
- * Return some information about the algorithm.  We need algo here to
- * distinguish different flavors of the algorithm.
- * Returns: A pointer to string describing the algorithm or NULL if
- *	    the ALGO is invalid.
- * Usage: Bit 0 set : allows signing
- *	      1 set : allows encryption
- * NOTE: This function allows signing also for ELG-E, which is not
- * okay but a bad hack to allow to work with old gpg keys. The real check
- * is done in the gnupg ocde depending on the packet version.
- */
-const char *
-elg_get_info( int algo, int *npkey, int *nskey, int *nenc, int *nsig,
-							 int *use )
-{
-    *npkey = 3;
-    *nskey = 4;
-    *nenc = 2;
-    *nsig = 2;
-
-    switch( algo ) {
-      case PUBKEY_ALGO_ELGAMAL:
-	*use = PUBKEY_USAGE_SIG|PUBKEY_USAGE_ENC;
-	return "ELG";
-      case PUBKEY_ALGO_ELGAMAL_E:
-	*use = PUBKEY_USAGE_SIG|PUBKEY_USAGE_ENC;
-	return "ELG-E";
-      default: *use = 0; return NULL;
-    }
-}
-
-
diff --git a/src/pluto/elgamal.h b/src/pluto/elgamal.h
deleted file mode 100644
index f104c2a52..000000000
--- a/src/pluto/elgamal.h
+++ /dev/null
@@ -1,35 +0,0 @@
-/* elgamal.h
- *	Copyright (C) 1998 Free Software Foundation, Inc.
- *
- * This file is part of GnuPG.
- *
- * GnuPG is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * GnuPG is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
- */
-#ifndef G10_ELGAMAL_H
-#define G10_ELGAMAL_H
-
-int elg_generate( int algo, unsigned nbits, MPI *skey, MPI **retfactors );
-int elg_check_secret_key( int algo, MPI *skey );
-int elg_encrypt( int algo, MPI *resarr, MPI data, MPI *pkey );
-int elg_decrypt( int algo, MPI *result, MPI *data, MPI *skey );
-int elg_sign( int algo, MPI *resarr, MPI data, MPI *skey );
-int elg_verify( int algo, MPI hash, MPI *data, MPI *pkey,
-		    int (*cmp)(void *, MPI), void *opaquev );
-unsigned elg_get_nbits( int algo, MPI *pkey );
-const char *elg_get_info( int algo, int *npkey, int *nskey,
-				    int *nenc, int *nsig, int *use );
-
-
-#endif /*G10_ELGAMAL_H*/
diff --git a/src/pluto/fetch.c b/src/pluto/fetch.c
index c8a98cd9b..6f7f1215f 100644
--- a/src/pluto/fetch.c
+++ b/src/pluto/fetch.c
@@ -1,6 +1,6 @@
 /* Dynamic fetching of X.509 CRLs
  * Copyright (C) 2002 Stephane Laroche <stephane.laroche@colubris.com>
- * Copyright (C) 2002-2004 Andreas Steffen, Zuercher Hochschule Winterthur
+ * Copyright (C) 2002-2009 Andreas Steffen - Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: fetch.c 4632 2008-11-11 18:37:19Z martin $
  */
 
 #include <stdlib.h>
@@ -25,24 +23,17 @@
 #include <pthread.h>
 #endif
 
-#ifdef LIBCURL
-#include <curl/curl.h>
-#endif
-
 #include <freeswan.h>
 
-#ifdef LIBLDAP
-#ifndef LDAP_DEPRECATED
-#define LDAP_DEPRECATED		1
-#endif
-#include <ldap.h>
-#endif
+#include <library.h>
+#include <debug.h>
+#include <asn1/asn1.h>
+#include <asn1/pem.h>
 
 #include "constants.h"
 #include "defs.h"
 #include "log.h"
 #include "id.h"
-#include "asn1.h"
 #include "pem.h"
 #include "x509.h"
 #include "ca.h"
@@ -52,13 +43,13 @@
 #include "fetch.h"
 
 fetch_req_t empty_fetch_req = {
-    NULL    , /* next */
-          0 , /* installed */
-          0 , /* trials */
+	NULL    , /* next */
+		  0 , /* installed */
+		  0 , /* trials */
   { NULL, 0}, /* issuer */
   { NULL, 0}, /* authKeyID */
   { NULL, 0}, /* authKeySerialNumber */
-    NULL      /* distributionPoints */
+	NULL      /* distributionPoints */
 };
 
 /* chained list of crl fetch requests */
@@ -79,189 +70,174 @@ static pthread_mutex_t ocsp_fetch_list_mutex = PTHREAD_MUTEX_INITIALIZER;
 static pthread_mutex_t fetch_wake_mutex      = PTHREAD_MUTEX_INITIALIZER;
 static pthread_cond_t  fetch_wake_cond       = PTHREAD_COND_INITIALIZER;
 
-/*
+/**
  * lock access to my certs and keys
  */
-void
-lock_certs_and_keys(const char *who)
+void lock_certs_and_keys(const char *who)
 {
-    pthread_mutex_lock(&certs_and_keys_mutex);
-    DBG(DBG_CONTROLMORE,
-	DBG_log("certs and keys locked by '%s'", who)
-    )
+	pthread_mutex_lock(&certs_and_keys_mutex);
+	DBG(DBG_CONTROLMORE,
+		DBG_log("certs and keys locked by '%s'", who)
+	)
 }
 
-/*
- * unlock access to my certs and keys
+/**
+ * Unlock access to my certs and keys
  */
-void
-unlock_certs_and_keys(const char *who)
+void unlock_certs_and_keys(const char *who)
 {
-    DBG(DBG_CONTROLMORE,
-	DBG_log("certs and keys unlocked by '%s'", who)
-    )
-    pthread_mutex_unlock(&certs_and_keys_mutex);
+	DBG(DBG_CONTROLMORE,
+		DBG_log("certs and keys unlocked by '%s'", who)
+	)
+	pthread_mutex_unlock(&certs_and_keys_mutex);
 }
 
-/*
- * lock access to the chained authcert list
+/**
+ * Lock access to the chained authcert list
  */
-void
-lock_authcert_list(const char *who)
+void lock_authcert_list(const char *who)
 {
-    pthread_mutex_lock(&authcert_list_mutex);
-    DBG(DBG_CONTROLMORE,
-	DBG_log("authcert list locked by '%s'", who)
-    )
+	pthread_mutex_lock(&authcert_list_mutex);
+	DBG(DBG_CONTROLMORE,
+		DBG_log("authcert list locked by '%s'", who)
+	)
 }
 
-/*
- * unlock access to the chained authcert list
+/**
+ * Unlock access to the chained authcert list
  */
-void
-unlock_authcert_list(const char *who)
+void unlock_authcert_list(const char *who)
 {
-    DBG(DBG_CONTROLMORE,
-	DBG_log("authcert list unlocked by '%s'", who)
-    )
-    pthread_mutex_unlock(&authcert_list_mutex);
+	DBG(DBG_CONTROLMORE,
+		DBG_log("authcert list unlocked by '%s'", who)
+	)
+	pthread_mutex_unlock(&authcert_list_mutex);
 }
 
-/*
- * lock access to the chained crl list
+/**
+ * Lock access to the chained crl list
  */
-void
-lock_crl_list(const char *who)
+void lock_crl_list(const char *who)
 {
-    pthread_mutex_lock(&crl_list_mutex);
-    DBG(DBG_CONTROLMORE,
-	DBG_log("crl list locked by '%s'", who)
-    )
+	pthread_mutex_lock(&crl_list_mutex);
+	DBG(DBG_CONTROLMORE,
+		DBG_log("crl list locked by '%s'", who)
+	)
 }
 
-/*
- * unlock access to the chained crl list
+/**
+ * Unlock access to the chained crl list
  */
-void
-unlock_crl_list(const char *who)
+void unlock_crl_list(const char *who)
 {
-    DBG(DBG_CONTROLMORE,
-	DBG_log("crl list unlocked by '%s'", who)
-    )
-    pthread_mutex_unlock(&crl_list_mutex);
+	DBG(DBG_CONTROLMORE,
+		DBG_log("crl list unlocked by '%s'", who)
+	)
+	pthread_mutex_unlock(&crl_list_mutex);
 }
 
-/*
- * lock access to the ocsp cache
+/**
+ * Lock access to the ocsp cache
  */
-extern void
-lock_ocsp_cache(const char *who)
+extern void lock_ocsp_cache(const char *who)
 {
-    pthread_mutex_lock(&ocsp_cache_mutex);
-    DBG(DBG_CONTROLMORE,
-	DBG_log("ocsp cache locked by '%s'", who)
-    )
+	pthread_mutex_lock(&ocsp_cache_mutex);
+	DBG(DBG_CONTROLMORE,
+		DBG_log("ocsp cache locked by '%s'", who)
+	)
 }
 
-/*
- * unlock access to the ocsp cache
+/**
+ * Unlock access to the ocsp cache
  */
-extern void
-unlock_ocsp_cache(const char *who)
+extern void unlock_ocsp_cache(const char *who)
 {
-    DBG(DBG_CONTROLMORE,
-	DBG_log("ocsp cache unlocked by '%s'", who)
-    )
-    pthread_mutex_unlock(&ocsp_cache_mutex);
+	DBG(DBG_CONTROLMORE,
+		DBG_log("ocsp cache unlocked by '%s'", who)
+	)
+	pthread_mutex_unlock(&ocsp_cache_mutex);
 }
 
-/*
- * lock access to the ca info list
+/**
+ * Lock access to the ca info list
  */
-extern void
-lock_ca_info_list(const char *who)
+extern void lock_ca_info_list(const char *who)
 {
-    pthread_mutex_lock(&ca_info_list_mutex);
-    DBG(DBG_CONTROLMORE,
-	DBG_log("ca info list locked by '%s'", who)
-    )
+	pthread_mutex_lock(&ca_info_list_mutex);
+	DBG(DBG_CONTROLMORE,
+		DBG_log("ca info list locked by '%s'", who)
+	)
 }
 
-/*
- * unlock access to the ca info list
+/**
+ * Unlock access to the ca info list
  */
-extern void
-unlock_ca_info_list(const char *who)
+extern void unlock_ca_info_list(const char *who)
 {
-    DBG(DBG_CONTROLMORE,
-	DBG_log("ca info list unlocked by '%s'", who)
-    )
-    pthread_mutex_unlock(&ca_info_list_mutex);
+	DBG(DBG_CONTROLMORE,
+		DBG_log("ca info list unlocked by '%s'", who)
+	)
+	pthread_mutex_unlock(&ca_info_list_mutex);
 }
 
-/*
- * lock access to the chained crl fetch request list
+/**
+ * Lock access to the chained crl fetch request list
  */
-static void
-lock_crl_fetch_list(const char *who)
+static void lock_crl_fetch_list(const char *who)
 {
-    pthread_mutex_lock(&crl_fetch_list_mutex);
-    DBG(DBG_CONTROLMORE,
-	DBG_log("crl fetch request list locked by '%s'", who)
-    )
+	pthread_mutex_lock(&crl_fetch_list_mutex);
+	DBG(DBG_CONTROLMORE,
+		DBG_log("crl fetch request list locked by '%s'", who)
+	)
 }
 
-/*
- * unlock access to the chained crl fetch request list
+/**
+ * Unlock access to the chained crl fetch request list
  */
-static void
-unlock_crl_fetch_list(const char *who)
+static void unlock_crl_fetch_list(const char *who)
 {
-    DBG(DBG_CONTROLMORE,
-	DBG_log("crl fetch request list unlocked by '%s'", who)
-    )
-    pthread_mutex_unlock(&crl_fetch_list_mutex);
+	DBG(DBG_CONTROLMORE,
+		DBG_log("crl fetch request list unlocked by '%s'", who)
+	)
+	pthread_mutex_unlock(&crl_fetch_list_mutex);
 }
 
-/*
- * lock access to the chained ocsp fetch request list
+/**
+ * Lock access to the chained ocsp fetch request list
  */
-static void
-lock_ocsp_fetch_list(const char *who)
+static void lock_ocsp_fetch_list(const char *who)
 {
-    pthread_mutex_lock(&ocsp_fetch_list_mutex);
-    DBG(DBG_CONTROLMORE,
-	DBG_log("ocsp fetch request list locked by '%s'", who)
-    )
+	pthread_mutex_lock(&ocsp_fetch_list_mutex);
+	DBG(DBG_CONTROLMORE,
+		DBG_log("ocsp fetch request list locked by '%s'", who)
+	)
 }
 
-/*
- * unlock access to the chained ocsp fetch request list
+/**
+ * Unlock access to the chained ocsp fetch request list
  */
-static void
-unlock_ocsp_fetch_list(const char *who)
+static void unlock_ocsp_fetch_list(const char *who)
 {
-    DBG(DBG_CONTROLMORE,
-	DBG_log("ocsp fetch request list unlocked by '%s'", who)
-    )
-    pthread_mutex_unlock(&ocsp_fetch_list_mutex);
+	DBG(DBG_CONTROLMORE,
+		DBG_log("ocsp fetch request list unlocked by '%s'", who)
+	)
+	pthread_mutex_unlock(&ocsp_fetch_list_mutex);
 }
 
-/*
- * wakes up the sleeping fetch thread
+/**
+ * Wakes up the sleeping fetch thread
  */
-void
-wake_fetch_thread(const char *who)
+void wake_fetch_thread(const char *who)
 {
-    if (crl_check_interval > 0)
-    {
-	DBG(DBG_CONTROLMORE,
-	    DBG_log("fetch thread wake call by '%s'", who)
-	)
-	pthread_mutex_lock(&fetch_wake_mutex);
-	pthread_cond_signal(&fetch_wake_cond);
-	pthread_mutex_unlock(&fetch_wake_mutex);
-    }
+	if (crl_check_interval > 0)
+	{
+		DBG(DBG_CONTROLMORE,
+			DBG_log("fetch thread wake call by '%s'", who)
+		)
+		pthread_mutex_lock(&fetch_wake_mutex);
+		pthread_cond_signal(&fetch_wake_cond);
+		pthread_mutex_unlock(&fetch_wake_mutex);
+	}
 }
 #else /* !THREADS */
 #define lock_crl_fetch_list(who)    /* do nothing */
@@ -270,817 +246,506 @@ wake_fetch_thread(const char *who)
 #define unlock_ocsp_fetch_list(who) /* do nothing */
 #endif /* !THREADS */
 
-/*
- *  free the dynamic memory used to store fetch requests
+/**
+ *  Free the dynamic memory used to store fetch requests
  */
-static void
-free_fetch_request(fetch_req_t *req)
+static void free_fetch_request(fetch_req_t *req)
 {
-    pfree(req->issuer.ptr);
-    pfreeany(req->authKeySerialNumber.ptr);
-    pfreeany(req->authKeyID.ptr);
-    free_generalNames(req->distributionPoints, TRUE);
-    pfree(req);
-}
-
-/* writes data into a dynamically resizeable chunk_t
- * needed for libcurl responses
- */
-size_t
-write_buffer(void *ptr, size_t size, size_t nmemb, void *data)
-{
-    size_t realsize = size * nmemb;
-    chunk_t *mem = (chunk_t*)data;
-
-    mem->ptr = (u_char *)realloc(mem->ptr, mem->len + realsize);
-    if (mem->ptr) {
-	memcpy(&(mem->ptr[mem->len]), ptr, realsize);
-	mem->len += realsize;
-    }
-    return realsize;
+	free(req->issuer.ptr);
+	free(req->authKeySerialNumber.ptr);
+	free(req->authKeyID.ptr);
+	free_generalNames(req->distributionPoints, TRUE);
+	free(req);
 }
 
 #ifdef THREADS
-/*
- * fetches a binary blob from a url with libcurl
+/**
+ * Fetch an ASN.1 blob coded in PEM or DER format from a URL
  */
-static err_t
-fetch_curl(char *url, chunk_t *blob)
+bool fetch_asn1_blob(char *url, chunk_t *blob)
 {
-#ifdef LIBCURL
-    char errorbuffer[CURL_ERROR_SIZE] = "";
-    chunk_t response = empty_chunk;
-    CURLcode res;
-
-    /* get it with libcurl */
-    CURL *curl = curl_easy_init();
-
-    if (curl != NULL)
-    {
-	DBG(DBG_CONTROL,
-	    DBG_log("Trying cURL '%s'", url)
-	)
-
-	curl_easy_setopt(curl, CURLOPT_URL, url);
-	curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, write_buffer);
-	curl_easy_setopt(curl, CURLOPT_WRITEDATA, (void *)&response);
-	curl_easy_setopt(curl, CURLOPT_ERRORBUFFER, errorbuffer);
-	curl_easy_setopt(curl, CURLOPT_FAILONERROR, TRUE);
-	curl_easy_setopt(curl, CURLOPT_CONNECTTIMEOUT, FETCH_CMD_TIMEOUT);
-
-	res = curl_easy_perform(curl);
-
-	if (res == CURLE_OK)
-	{
-	    blob->len = response.len;
-	    blob->ptr = alloc_bytes(response.len, "curl blob");
-	    memcpy(blob->ptr, response.ptr, response.len);
-	}
-	else
+	DBG1("  fetching crl from '%s' ...", url);
+	if (lib->fetcher->fetch(lib->fetcher, url, blob, FETCH_END) != SUCCESS)
 	{
-	    plog("fetching uri (%s) with libcurl failed: %s", url, errorbuffer);
+		DBG1("crl fetching failed");
+		return FALSE;
 	}
-	curl_easy_cleanup(curl);
-	/* not using freeanychunk because of realloc (no leak detective) */
-	curl_free(response.ptr);
-    }
-    return strlen(errorbuffer) > 0 ? "libcurl error" : NULL;
-#else   /* !LIBCURL */
-    return "warning: not compiled with libcurl support";
-#endif  /* !LIBCURL */
-}
-
-#ifdef LIBLDAP
-/*
- * parses the result returned by an ldap query
- */
-static err_t
-parse_ldap_result(LDAP * ldap, LDAPMessage *result, chunk_t *blob)
-{
-    err_t ugh = NULL;
-
-    LDAPMessage * entry = ldap_first_entry(ldap, result);
 
-    if (entry != NULL)
-    {
-	BerElement *ber = NULL;
-	char *attr;
-	
-	attr = ldap_first_attribute(ldap, entry, &ber);
-
-	if (attr != NULL)
+	if (is_asn1(*blob))
 	{
-	    struct berval **values = ldap_get_values_len(ldap, entry, attr);
-
-	    if (values != NULL)
-	    {
-		if (values[0] != NULL)
-		{
-		    blob->len = values[0]->bv_len;
-		    blob->ptr = alloc_bytes(blob->len, "ldap blob");
-		    memcpy(blob->ptr, values[0]->bv_val, blob->len);
-		    if (values[1] != NULL)
-		    {
-			plog("warning: more than one value was fetched from LDAP URL");
-		    }
-		}
-		else
-		{
-		    ugh = "no values in attribute";
-		}
-		ldap_value_free_len(values);
-	    }
-	    else
-	    {
-		ugh = ldap_err2string(ldap_result2error(ldap, entry, 0));
-	    }
-	    ldap_memfree(attr);
+		DBG2("  fetched blob coded in DER format");
 	}
 	else
 	{
-	    ugh = ldap_err2string(ldap_result2error(ldap, entry, 0));
-	}
-	ber_free(ber, 0);
-    }
-    else
-    {
-	ugh = ldap_err2string(ldap_result2error(ldap, result, 0));
-    }
-    return ugh;
-}
-
-/*
- * fetches a binary blob from an ldap url
- */
-static err_t
-fetch_ldap_url(char *url, chunk_t *blob)
-{
-    LDAPURLDesc *lurl;
-    err_t ugh = NULL;
-    int rc;
-
-    DBG(DBG_CONTROL,
-	DBG_log("Trying LDAP URL '%s'", url)
-    )
-
-    rc = ldap_url_parse(url, &lurl);
-    
-    if (rc == LDAP_SUCCESS)
-    {
-	LDAP *ldap = ldap_init(lurl->lud_host, lurl->lud_port);
-
-	if (ldap != NULL)
-	{
-	    int ldap_version = LDAP_VERSION3;
-	    struct timeval timeout;
+		bool pgp = FALSE;
 
-	    timeout.tv_sec  = FETCH_CMD_TIMEOUT;
-	    timeout.tv_usec = 0;
-	    ldap_set_option(ldap, LDAP_OPT_PROTOCOL_VERSION, &ldap_version);
-	    ldap_set_option(ldap, LDAP_OPT_NETWORK_TIMEOUT, &timeout);
-
-	    rc = ldap_simple_bind_s(ldap, NULL, NULL);
-
-	    if (rc == LDAP_SUCCESS)
-	    {
-		LDAPMessage *result;
-
-		timeout.tv_sec = FETCH_CMD_TIMEOUT;
-		timeout.tv_usec = 0;
-		
-		rc = ldap_search_st(ldap, lurl->lud_dn
-					, lurl->lud_scope
-					, lurl->lud_filter
-					, lurl->lud_attrs
-					, 0, &timeout, &result);
-
-		if (rc == LDAP_SUCCESS)
+		if (pem_to_bin(blob, chunk_empty, &pgp) != SUCCESS)
 		{
-		    ugh = parse_ldap_result(ldap, result, blob);
-		    ldap_msgfree(result);
+			free(blob->ptr);
+			return FALSE;
+		}
+		if (is_asn1(*blob))
+		{
+			DBG2("  fetched blob coded in PEM format");
 		}
 		else
 		{
-		    ugh = ldap_err2string(rc);
+			DBG1("crl fetched successfully but data coded in unknown format");
+			free(blob->ptr);
+			return FALSE;
 		}
-	    }
-	    else
-	    {
-		ugh = ldap_err2string(rc);
-	    }
-	    ldap_unbind_s(ldap);
-	}
-	else
-	{
-	    ugh = "ldap init";
-	}
-	ldap_free_urldesc(lurl);
-    }
-    else
-    {
-	ugh = ldap_err2string(rc);
-    }
-    return ugh;
-}
-#else   /* !LIBLDAP */
-static err_t
-fetch_ldap_url(char *url, chunk_t *blob)
-{
-    return "LDAP URL fetching not activated in pluto source code";
-}
-#endif  /* !LIBLDAP */
-
-/*
- * fetch an ASN.1 blob coded in PEM or DER format from a URL
- */
-static err_t
-fetch_asn1_blob(char *url, chunk_t *blob)
-{
-    err_t ugh = NULL;
-
-    if (strlen(url) >= 4 && strncasecmp(url, "ldap", 4) == 0)
-    {
-	ugh = fetch_ldap_url(url, blob);
-    }
-    else
-    {
-	ugh = fetch_curl(url, blob);
-    }
-    if (ugh != NULL)
-	return ugh;
-
-    if (is_asn1(*blob))
-    {
-	DBG(DBG_PARSING,
-	    DBG_log("  fetched blob coded in DER format")
-	)
-    }
-    else
-    {
-	bool pgp = FALSE;
-
-	ugh = pemtobin(blob, NULL, "", &pgp);
-	if (ugh == NULL)
-	{
-	    if (is_asn1(*blob))
-	    {
-		DBG(DBG_PARSING,
-		    DBG_log("  fetched blob coded in PEM format")
-		)
-	    }
-	    else
-	    {
-		ugh = "blob coded in unknown format";
-		pfree(blob->ptr);
-	    }
-	}
-	else
-	{
-	    pfree(blob->ptr);
 	}
-    }
-    return ugh;
+	return TRUE;
 }
 
-/*
- * complete a distributionPoint URI with ca information
+/**
+ * Complete a distributionPoint URI with ca information
  */
-static char*
-complete_uri(chunk_t distPoint, const char *ldaphost)
+static char* complete_uri(chunk_t distPoint, const char *ldaphost)
 {
-    char *uri;
-    char *ptr  = distPoint.ptr;
-    size_t len = distPoint.len;
+	char *uri;
+	char *ptr  = distPoint.ptr;
+	size_t len = distPoint.len;
 
-    char *symbol = memchr(ptr, ':', len);
+	char *symbol = memchr(ptr, ':', len);
 
-    if (symbol != NULL)
-    {
-	size_t type_len = symbol - ptr;
-	
-	if (type_len >= 4 && strncasecmp(ptr, "ldap", 4) == 0)
+	if (symbol != NULL)
 	{
-	    ptr = symbol + 1;
-	    len -= (type_len + 1);
-
-	    if (len > 2 && *ptr++ == '/' && *ptr++ == '/')
-	    {
-		len -= 2;
-		symbol = memchr(ptr, '/', len);
+		size_t type_len = symbol - ptr;
 		
-		if (symbol != NULL && symbol - ptr == 0 && ldaphost != NULL)
+		if (type_len >= 4 && strncasecmp(ptr, "ldap", 4) == 0)
 		{
-		    uri = alloc_bytes(distPoint.len+strlen(ldaphost)+1, "uri");
-
-		    /* insert the ldaphost into the uri */
-		    sprintf(uri, "%.*s%s%.*s"
-			, (int)(distPoint.len - len), distPoint.ptr
-			, ldaphost
-			, (int)len, symbol);
-		    return uri;
+			ptr = symbol + 1;
+			len -= (type_len + 1);
+
+			if (len > 2 && *ptr++ == '/' && *ptr++ == '/')
+			{
+				len -= 2;
+				symbol = memchr(ptr, '/', len);
+				
+				if (symbol != NULL && symbol - ptr == 0 && ldaphost != NULL)
+				{
+					uri = malloc(distPoint.len + strlen(ldaphost) + 1);
+
+					/* insert the ldaphost into the uri */
+					sprintf(uri, "%.*s%s%.*s"
+						, (int)(distPoint.len - len), distPoint.ptr
+						, ldaphost
+						, (int)len, symbol);
+					return uri;
+				}
+			}
 		}
-	    }
 	}
-    }
-    
-    /* default action:  copy distributionPoint without change */
-    uri = alloc_bytes(distPoint.len+1, "uri");
-    sprintf(uri, "%.*s", (int)distPoint.len, distPoint.ptr);
-    return uri;
+	
+	/* default action:  copy distributionPoint without change */
+	uri = malloc(distPoint.len + 1);
+	sprintf(uri, "%.*s", (int)distPoint.len, distPoint.ptr);
+	return uri;
 }
 
-/*
- * try to fetch the crls defined by the fetch requests
+/**
+ * Try to fetch the crls defined by the fetch requests
  */
-static void
-fetch_crls(bool cache_crls)
+static void fetch_crls(bool cache_crls)
 {
-    fetch_req_t *req;
-    fetch_req_t **reqp;
-
-    lock_crl_fetch_list("fetch_crls");
-    req  =  crl_fetch_reqs;
-    reqp = &crl_fetch_reqs;
-
-    while (req != NULL)
-    {
-	bool valid_crl = FALSE;
-	chunk_t blob = empty_chunk;
-	generalName_t *gn = req->distributionPoints;
-	const char *ldaphost;
-	ca_info_t *ca;
+	fetch_req_t *req;
+	fetch_req_t **reqp;
 
-	lock_ca_info_list("fetch_crls");
+	lock_crl_fetch_list("fetch_crls");
+	req  =  crl_fetch_reqs;
+	reqp = &crl_fetch_reqs;
 
-	ca = get_ca_info(req->issuer, req->authKeySerialNumber, req->authKeyID);
-	ldaphost = (ca == NULL)? NULL : ca->ldaphost;
-
-	while (gn != NULL)
+	while (req != NULL)
 	{
-	    char *uri = complete_uri(gn->name, ldaphost);
+		bool valid_crl = FALSE;
+		chunk_t blob = chunk_empty;
+		generalName_t *gn = req->distributionPoints;
+		const char *ldaphost;
+		ca_info_t *ca;
 
-	    err_t ugh = fetch_asn1_blob(uri, &blob);
-	    pfree(uri);
+		lock_ca_info_list("fetch_crls");
 
-	    if (ugh != NULL)
-	    {
-		plog("fetch failed:  %s", ugh);
-	    }
-	    else
-	    {
-		chunk_t crl_uri;
+		ca = get_ca_info(req->issuer, req->authKeySerialNumber, req->authKeyID);
+		ldaphost = (ca == NULL)? NULL : ca->ldaphost;
 
-		clonetochunk(crl_uri, gn->name.ptr, gn->name.len, "crl uri");
-		if (insert_crl(blob, crl_uri, cache_crls))
+		while (gn != NULL)
 		{
-		    DBG(DBG_CONTROL,
-			DBG_log("we have a valid crl")
-		    )
-		    valid_crl = TRUE;
-		    break;
+			char *uri = complete_uri(gn->name, ldaphost);
+
+			if (fetch_asn1_blob(uri, &blob))
+			{
+				chunk_t crl_uri = chunk_clone(gn->name);
+
+				if (insert_crl(blob, crl_uri, cache_crls))
+				{
+					DBG(DBG_CONTROL,
+						DBG_log("we have a valid crl")
+					)
+					valid_crl = TRUE;
+					free(uri);
+					break;
+				}
+			}
+			free(uri);
+			gn = gn->next;
 		}
-	    }
-	    gn = gn->next;
-	}
 
-	unlock_ca_info_list("fetch_crls");
+		unlock_ca_info_list("fetch_crls");
 
-	if (valid_crl)
-	{
-	    /* delete fetch request */
-	    fetch_req_t *req_free = req;
+		if (valid_crl)
+		{
+			/* delete fetch request */
+			fetch_req_t *req_free = req;
 
-	    req   = req->next;
-	    *reqp = req;
-	    free_fetch_request(req_free);
-	}
-	else
-	{
-	    /* try again next time */
-	    req->trials++;
-	    reqp = &req->next;
-	    req  =  req->next;
+			req   = req->next;
+			*reqp = req;
+			free_fetch_request(req_free);
+		}
+		else
+		{
+			/* try again next time */
+			req->trials++;
+			reqp = &req->next;
+			req  =  req->next;
+		}
 	}
-    }
-    unlock_crl_fetch_list("fetch_crls");
+	unlock_crl_fetch_list("fetch_crls");
 }
 
-static void
-fetch_ocsp_status(ocsp_location_t* location)
+static void fetch_ocsp_status(ocsp_location_t* location)
 {
-#ifdef LIBCURL
-    chunk_t request;
-    chunk_t response = empty_chunk;
-
-    CURL* curl;
-    CURLcode res;
-
-    request = build_ocsp_request(location);
+	chunk_t request, response;
+	char *uri;
 
-    DBG(DBG_CONTROL,
-    	DBG_log("sending ocsp request to location '%.*s'"
-	    , (int)location->uri.len, location->uri.ptr)
-    )
-    DBG(DBG_RAW,
-	DBG_dump_chunk("OCSP request", request)
-    )
-
-    /* send via http post using libcurl */
-    curl = curl_easy_init();
-
-    if (curl != NULL)
-    {
-	char errorbuffer[CURL_ERROR_SIZE];
-	struct curl_slist *headers = NULL;
-	char* uri = alloc_bytes(location->uri.len+1, "ocsp uri");
+	request = build_ocsp_request(location);
+	response = chunk_empty;
 
 	/* we need a null terminated string for curl */
+	uri = malloc(location->uri.len + 1);
 	memcpy(uri, location->uri.ptr, location->uri.len);
 	*(uri + location->uri.len) = '\0';
 
-	/* set content type header */
-	headers = curl_slist_append(headers, "Content-Type: application/ocsp-request");
-	curl_easy_setopt(curl, CURLOPT_HTTPHEADER, headers);
-
-	curl_easy_setopt(curl, CURLOPT_URL, uri);
-	curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, write_buffer);
-	curl_easy_setopt(curl, CURLOPT_WRITEDATA, (void *)&response);
-	curl_easy_setopt(curl, CURLOPT_POSTFIELDS, (void*)request.ptr);
-	curl_easy_setopt(curl, CURLOPT_POSTFIELDSIZE, request.len);
-	curl_easy_setopt(curl, CURLOPT_ERRORBUFFER, errorbuffer);
-	curl_easy_setopt(curl, CURLOPT_FAILONERROR, TRUE);
-	curl_easy_setopt(curl, CURLOPT_CONNECTTIMEOUT, FETCH_CMD_TIMEOUT);
-
-	res = curl_easy_perform(curl);
-
-	if (res == CURLE_OK)
+	DBG1("  requesting ocsp status from '%s' ...", uri);
+	if (lib->fetcher->fetch(lib->fetcher, uri, &response, 
+							FETCH_REQUEST_DATA, request,
+							FETCH_REQUEST_TYPE, "application/ocsp-request",
+							FETCH_END) == SUCCESS)
 	{
-	    DBG(DBG_CONTROL,
-		DBG_log("received ocsp response")
-	    )
-	    DBG(DBG_RAW,
-		DBG_dump_chunk("OCSP response:\n", response)
-	    )
-	    parse_ocsp(location, response);
+		parse_ocsp(location, response);
 	}
 	else
 	{
-	    plog("failed to fetch ocsp status from '%s': %s", uri, errorbuffer);
+		DBG1("ocsp request to %s failed", uri);
 	}
-	curl_slist_free_all(headers);
-	curl_easy_cleanup(curl);
-	pfree(uri);
-	/* not using freeanychunk because of realloc (no leak detective) */
-	curl_free(response.ptr);
-    }
-    freeanychunk(location->nonce);
-    freeanychunk(request);
-
-    /* increment the trial counter of the unresolved fetch requests */
-    {
-	ocsp_certinfo_t *certinfo = location->certinfo;
-	
-	while (certinfo != NULL)
+
+	free(uri);
+	free(request.ptr);
+	chunk_free(&location->nonce);
+
+	/* increment the trial counter of the unresolved fetch requests */
 	{
-	    certinfo->trials++;
-	    certinfo = certinfo->next;
+		ocsp_certinfo_t *certinfo = location->certinfo;
+		
+		while (certinfo != NULL)
+		{
+			certinfo->trials++;
+			certinfo = certinfo->next;
+		}
 	}
-    }
-    return;
-#else   /* !LIBCURL */
-    plog("ocsp error: pluto wasn't compiled with libcurl support");
-#endif  /* !LIBCURL */
 }
 
-/*
- * try to fetch the necessary ocsp information
+/**
+ * Try to fetch the necessary ocsp information
  */
-static void
-fetch_ocsp(void)
+static void fetch_ocsp(void)
 {
-    ocsp_location_t *location;
+	ocsp_location_t *location;
 
-    lock_ocsp_fetch_list("fetch_ocsp");
-    location = ocsp_fetch_reqs;
+	lock_ocsp_fetch_list("fetch_ocsp");
+	location = ocsp_fetch_reqs;
 
-    /* fetch the ocps status for all locations */
-    while (location != NULL)
-    {
-	if (location->certinfo != NULL)
-	    fetch_ocsp_status(location);
-	location = location->next;
-    }
+	/* fetch the ocps status for all locations */
+	while (location != NULL)
+	{
+		if (location->certinfo != NULL)
+		{
+			fetch_ocsp_status(location);
+		}
+		location = location->next;
+	}
 
-    unlock_ocsp_fetch_list("fetch_ocsp");
+	unlock_ocsp_fetch_list("fetch_ocsp");
 }
 
-static void*
-fetch_thread(void *arg)
+static void* fetch_thread(void *arg)
 {
-    struct timespec wait_interval;
+	struct timespec wait_interval;
 
-    DBG(DBG_CONTROL,
-	DBG_log("fetch thread started")
-    )
+	DBG(DBG_CONTROL,
+		DBG_log("fetch thread started")
+	)
 
-    pthread_mutex_lock(&fetch_wake_mutex);
+	pthread_mutex_lock(&fetch_wake_mutex);
 
-    while(1)
-    {
-	int status;
+	while(1)
+	{
+		int status;
 
-	wait_interval.tv_nsec = 0;
-	wait_interval.tv_sec = time(NULL) + crl_check_interval;
+		wait_interval.tv_nsec = 0;
+		wait_interval.tv_sec = time(NULL) + crl_check_interval;
 
-	DBG(DBG_CONTROL,
-	    DBG_log("next regular crl check in %ld seconds", crl_check_interval)
-	)
-	status = pthread_cond_timedwait(&fetch_wake_cond, &fetch_wake_mutex
-					, &wait_interval);
+		DBG(DBG_CONTROL,
+			DBG_log("next regular crl check in %ld seconds", crl_check_interval)
+		)
+		status = pthread_cond_timedwait(&fetch_wake_cond, &fetch_wake_mutex
+										, &wait_interval);
 
-	if (status == ETIMEDOUT)
-	{
-	    DBG(DBG_CONTROL,
-		DBG_log(" ");
-		DBG_log("*time to check crls and the ocsp cache")
-	    )
-	    check_ocsp();
-	    check_crls();
-	}
-	else
-	{
-	    DBG(DBG_CONTROL,
-		DBG_log("fetch thread was woken up")
-	    )
+		if (status == ETIMEDOUT)
+		{
+			DBG(DBG_CONTROL,
+				DBG_log(" ");
+				DBG_log("*time to check crls and the ocsp cache")
+			)
+			check_ocsp();
+			check_crls();
+		}
+		else
+		{
+			DBG(DBG_CONTROL,
+				DBG_log("fetch thread was woken up")
+			)
+		}
+		fetch_ocsp();
+		fetch_crls(cache_crls);
 	}
-	fetch_ocsp();
-	fetch_crls(cache_crls);
-    }
 }
 #endif /* THREADS*/
 
-/*
- * initializes curl and starts the fetching thread
+/**
+ * Initializes curl and starts the fetching thread
  */
-void
-init_fetch(void)
+void init_fetch(void)
 {
-#if defined(LIBCURL) || defined (THREADS)
-    int status;
-#endif
-
-#ifdef LIBCURL
-    /* init curl */
-    status = curl_global_init(CURL_GLOBAL_NOTHING);
-    if (status != CURLE_OK)
-    {
-	plog("libcurl could not be initialized, status = %d", status);
-    }
-#endif  /* LIBCURL */
-
-    if (crl_check_interval > 0)
-    {
-#ifdef THREADS
-	status = pthread_create( &thread, NULL, fetch_thread, NULL);
-	if (status != 0)
+	if (crl_check_interval > 0)
 	{
-	    plog("fetching thread could not be started, status = %d", status);
-	}
+#ifdef THREADS
+		int status = pthread_create( &thread, NULL, fetch_thread, NULL);
+
+		if (status != 0)
+		{
+			plog("fetching thread could not be started, status = %d", status);
+		}
 #else   /* !THREADS */
-	plog("warning: not compiled with pthread support");
+		plog("warning: not compiled with pthread support");
 #endif  /* !THREADS */
-    }
+	}
 }
 
-void
-free_crl_fetch(void)
+void free_crl_fetch(void)
 {
    lock_crl_fetch_list("free_crl_fetch");
 
-    while (crl_fetch_reqs != NULL)
-    {
-	fetch_req_t *req = crl_fetch_reqs;
-	crl_fetch_reqs = req->next;
-	free_fetch_request(req);
-    }
-
-    unlock_crl_fetch_list("free_crl_fetch");
-
-#ifdef LIBCURL
-    if (crl_check_interval > 0)
-    {
-	/* cleanup curl */
-	curl_global_cleanup();
-    }
-#endif  /* LIBCURL */
+	while (crl_fetch_reqs != NULL)
+	{
+		fetch_req_t *req = crl_fetch_reqs;
+		crl_fetch_reqs = req->next;
+		free_fetch_request(req);
+	}
+
+	unlock_crl_fetch_list("free_crl_fetch");
 }
 
-/*
- * free the chained list of ocsp requests
+/**
+ * Free the chained list of ocsp requests
  */
-void
-free_ocsp_fetch(void)
+void free_ocsp_fetch(void)
 {
-    lock_ocsp_fetch_list("free_ocsp_fetch");
-    free_ocsp_locations(&ocsp_fetch_reqs);
-    unlock_ocsp_fetch_list("free_ocsp_fetch");
+	lock_ocsp_fetch_list("free_ocsp_fetch");
+	free_ocsp_locations(&ocsp_fetch_reqs);
+	unlock_ocsp_fetch_list("free_ocsp_fetch");
 }
 
 
-/*
- * add additional distribution points
+/**
+ * Add additional distribution points
  */
-void
-add_distribution_points(const generalName_t *newPoints ,generalName_t **distributionPoints)
+void add_distribution_points(const generalName_t *newPoints ,generalName_t **distributionPoints)
 {
-    while (newPoints != NULL)
-    {
-	/* skip empty distribution point */
-	if (newPoints->name.len > 0)
-	{	
-	    bool add = TRUE;
-	    generalName_t *gn = *distributionPoints;
-
-	    while (gn != NULL)
-	    {
-		if (gn->kind == newPoints->kind
-		&& gn->name.len == newPoints->name.len
-		&& memcmp(gn->name.ptr, newPoints->name.ptr, gn->name.len) == 0)
-		{
-		    /* skip if the distribution point is already present */
-		    add = FALSE;
-		    break;
-	        }
-	        gn = gn->next;
-	    }
-
-	    if (add)
-	    {
-		/* clone additional distribution point */
-		gn = clone_thing(*newPoints, "generalName");
-		clonetochunk(gn->name, newPoints->name.ptr, newPoints->name.len
-		    , "crl uri");
-
-		/* insert additional CRL distribution point */
-		gn->next = *distributionPoints;
-		*distributionPoints = gn;
-	    }
+	while (newPoints != NULL)
+	{
+		/* skip empty distribution point */
+		if (newPoints->name.len > 0)
+		{       
+			bool add = TRUE;
+			generalName_t *gn = *distributionPoints;
+
+			while (gn != NULL)
+			{
+				if (gn->kind == newPoints->kind
+				&& gn->name.len == newPoints->name.len
+				&& memeq(gn->name.ptr, newPoints->name.ptr, gn->name.len))
+				{
+					/* skip if the distribution point is already present */
+					add = FALSE;
+					break;
+				}
+				gn = gn->next;
+			}
+
+			if (add)
+			{
+				/* clone additional distribution point */
+				gn = clone_thing(*newPoints);
+				gn->name = chunk_clone(newPoints->name);
+
+				/* insert additional CRL distribution point */
+				gn->next = *distributionPoints;
+				*distributionPoints = gn;
+			}
+		}
+		newPoints = newPoints->next;
 	}
-	newPoints = newPoints->next;
-    }
 }
 
-fetch_req_t*
-build_crl_fetch_request(chunk_t issuer, chunk_t authKeySerialNumber
-, chunk_t authKeyID, const generalName_t *gn)
+fetch_req_t* build_crl_fetch_request(chunk_t issuer, chunk_t authKeySerialNumber,
+									 chunk_t authKeyID, const generalName_t *gn)
 {
-    fetch_req_t *req = alloc_thing(fetch_req_t, "fetch request");
-    *req = empty_fetch_req;
-
-    /* note current time */
-    req->installed = time(NULL);
-
-    /* clone fields */
-    clonetochunk(req->issuer, issuer.ptr, issuer.len, "issuer");
-    if (authKeySerialNumber.ptr != NULL)
-    {
-	clonetochunk(req->authKeySerialNumber, authKeySerialNumber.ptr
-	    , authKeySerialNumber.len, "authKeySerialNumber");
-    }
-    if (authKeyID.ptr != NULL)
-    {
-	clonetochunk(req->authKeyID, authKeyID.ptr, authKeyID.len, "authKeyID");
-    }
-
-    /* copy distribution points */
-    add_distribution_points(gn, &req->distributionPoints);
-
-    return req;
+	fetch_req_t *req = malloc_thing(fetch_req_t);
+	*req = empty_fetch_req;
+
+	/* note current time */
+	req->installed = time(NULL);
+
+	/* clone fields */
+	req->issuer = chunk_clone(issuer);
+	req->authKeySerialNumber =  chunk_clone(authKeySerialNumber);
+	req->authKeyID = chunk_clone(authKeyID);
+
+	/* copy distribution points */
+	add_distribution_points(gn, &req->distributionPoints);
+
+	return req;
 }
 
-/*
- * add a crl fetch request to the chained list
+/**
+ * Add a crl fetch request to the chained list
  */
-void
-add_crl_fetch_request(fetch_req_t *req)
+void add_crl_fetch_request(fetch_req_t *req)
 {
-    fetch_req_t *r;
+	fetch_req_t *r;
 
-    lock_crl_fetch_list("add_crl_fetch_request");
-    r = crl_fetch_reqs;
+	lock_crl_fetch_list("add_crl_fetch_request");
+	r = crl_fetch_reqs;
 
-    while (r != NULL)
-    {
-	if ((req->authKeyID.ptr != NULL)? same_keyid(req->authKeyID, r->authKeyID)
-		: (same_dn(req->issuer, r->issuer)
-		&& same_serial(req->authKeySerialNumber, r->authKeySerialNumber)))
+	while (r != NULL)
 	{
-	    /* there is already a fetch request */
-	    DBG(DBG_CONTROL,
-		DBG_log("crl fetch request already exists")
-	    )
+		if ((req->authKeyID.ptr != NULL)? same_keyid(req->authKeyID, r->authKeyID)
+				: (same_dn(req->issuer, r->issuer)
+				&& same_serial(req->authKeySerialNumber, r->authKeySerialNumber)))
+		{
+			/* there is already a fetch request */
+			DBG(DBG_CONTROL,
+				DBG_log("crl fetch request already exists")
+			)
 
-	    /* there might be new distribution points */
-	    add_distribution_points(req->distributionPoints, &r->distributionPoints);
+			/* there might be new distribution points */
+			add_distribution_points(req->distributionPoints, &r->distributionPoints);
 
-	    unlock_crl_fetch_list("add_crl_fetch_request");
-	    free_fetch_request(req);
-	    return;
+			unlock_crl_fetch_list("add_crl_fetch_request");
+			free_fetch_request(req);
+			return;
+		}
+		r = r->next;
 	}
-	r = r->next;
-    }
 
-    /* insert new fetch request at the head of the queue */
-    req->next = crl_fetch_reqs;
-    crl_fetch_reqs = req;
+	/* insert new fetch request at the head of the queue */
+	req->next = crl_fetch_reqs;
+	crl_fetch_reqs = req;
 
-    DBG(DBG_CONTROL,
-	DBG_log("crl fetch request added")
-    )
-    unlock_crl_fetch_list("add_crl_fetch_request");
+	DBG(DBG_CONTROL,
+		DBG_log("crl fetch request added")
+	)
+	unlock_crl_fetch_list("add_crl_fetch_request");
 }
 
-/*
- * add an ocsp fetch request to the chained list
+/**
+ * Add an ocsp fetch request to the chained list
  */
-void
-add_ocsp_fetch_request(ocsp_location_t *location, chunk_t serialNumber)
+void add_ocsp_fetch_request(ocsp_location_t *location, chunk_t serialNumber)
 {
-    ocsp_certinfo_t certinfo;
+	ocsp_certinfo_t certinfo;
 
-    certinfo.serialNumber = serialNumber;
+	certinfo.serialNumber = serialNumber;
 
-    lock_ocsp_fetch_list("add_ocsp_fetch_request");
-    add_certinfo(location, &certinfo, &ocsp_fetch_reqs, TRUE);
-    unlock_ocsp_fetch_list("add_ocsp_fetch_request");
+	lock_ocsp_fetch_list("add_ocsp_fetch_request");
+	add_certinfo(location, &certinfo, &ocsp_fetch_reqs, TRUE);
+	unlock_ocsp_fetch_list("add_ocsp_fetch_request");
 }
 
-/*
- * list all distribution points
+/**
+ * List all distribution points
  */
-void
-list_distribution_points(const generalName_t *gn)
+void list_distribution_points(const generalName_t *gn)
 {
-    bool first_gn = TRUE;
-
-    while (gn != NULL)
-    {
-	whack_log(RC_COMMENT, "       %s '%.*s'", (first_gn)? "distPts: "
-	    :"         ", (int)gn->name.len, gn->name.ptr);
-	first_gn = FALSE;
-	gn = gn->next;
-    }
+	bool first_gn = TRUE;
+
+	while (gn != NULL)
+	{
+		whack_log(RC_COMMENT, "       %s '%.*s'", (first_gn)? "distPts: "
+			:"         ", (int)gn->name.len, gn->name.ptr);
+		first_gn = FALSE;
+		gn = gn->next;
+	}
 }
 
-/*
- *  list all fetch requests in the chained list
+/**
+ *  List all fetch requests in the chained list
  */
-void
-list_crl_fetch_requests(bool utc)
+void list_crl_fetch_requests(bool utc)
 {
-    fetch_req_t *req;
-
-    lock_crl_fetch_list("list_crl_fetch_requests");
-    req = crl_fetch_reqs;
-
-    if (req != NULL)
-    {
-	whack_log(RC_COMMENT, " ");
-	whack_log(RC_COMMENT, "List of CRL fetch requests:");
-	whack_log(RC_COMMENT, " ");
-    }
-
-    while (req != NULL)
-    {
-	u_char buf[BUF_LEN];
-
-	whack_log(RC_COMMENT, "%s, trials: %d"
-	    , timetoa(&req->installed, utc), req->trials);
-	dntoa(buf, BUF_LEN, req->issuer);
-	whack_log(RC_COMMENT, "       issuer:   '%s'", buf);
-	if (req->authKeyID.ptr != NULL)
+	fetch_req_t *req;
+
+	lock_crl_fetch_list("list_crl_fetch_requests");
+	req = crl_fetch_reqs;
+
+	if (req != NULL)
 	{
-	    datatot(req->authKeyID.ptr, req->authKeyID.len, ':'
-		, buf, BUF_LEN);
-	    whack_log(RC_COMMENT, "       authkey:   %s", buf);
+		whack_log(RC_COMMENT, " ");
+		whack_log(RC_COMMENT, "List of CRL fetch requests:");
+		whack_log(RC_COMMENT, " ");
 	}
-	if (req->authKeySerialNumber.ptr != NULL)
+
+	while (req != NULL)
 	{
-	    datatot(req->authKeySerialNumber.ptr, req->authKeySerialNumber.len, ':'
-		, buf, BUF_LEN);
-	    whack_log(RC_COMMENT, "       aserial:   %s", buf);
+		u_char buf[BUF_LEN];
+
+		whack_log(RC_COMMENT, "%T, trials: %d"
+			, &req->installed, utc, req->trials);
+		dntoa(buf, BUF_LEN, req->issuer);
+		whack_log(RC_COMMENT, "       issuer:   '%s'", buf);
+		if (req->authKeyID.ptr != NULL)
+		{
+			datatot(req->authKeyID.ptr, req->authKeyID.len, ':'
+				, buf, BUF_LEN);
+			whack_log(RC_COMMENT, "       authkey:   %s", buf);
+		}
+		if (req->authKeySerialNumber.ptr != NULL)
+		{
+			datatot(req->authKeySerialNumber.ptr, req->authKeySerialNumber.len, ':'
+				, buf, BUF_LEN);
+			whack_log(RC_COMMENT, "       aserial:   %s", buf);
+		}
+		list_distribution_points(req->distributionPoints);
+		req = req->next;
 	}
-	list_distribution_points(req->distributionPoints);
-	req = req->next;
-    }
-    unlock_crl_fetch_list("list_crl_fetch_requests");
+	unlock_crl_fetch_list("list_crl_fetch_requests");
 }
 
-void
-list_ocsp_fetch_requests(bool utc)
+void list_ocsp_fetch_requests(bool utc)
 {
-    lock_ocsp_fetch_list("list_ocsp_fetch_requests");
-    list_ocsp_locations(ocsp_fetch_reqs, TRUE, utc, FALSE);
-    unlock_ocsp_fetch_list("list_ocsp_fetch_requests");
+	lock_ocsp_fetch_list("list_ocsp_fetch_requests");
+	list_ocsp_locations(ocsp_fetch_reqs, TRUE, utc, FALSE);
+	unlock_ocsp_fetch_list("list_ocsp_fetch_requests");
 
 }
diff --git a/src/pluto/fetch.h b/src/pluto/fetch.h
index 67be12d47..f7b4eb074 100644
--- a/src/pluto/fetch.h
+++ b/src/pluto/fetch.h
@@ -11,31 +11,29 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: fetch.h 3252 2007-10-06 21:24:50Z andreas $
  */
 
 #include "x509.h"
 
-#define FETCH_CMD_TIMEOUT	10	/* seconds */
+#define FETCH_CMD_TIMEOUT       10      /* seconds */
 
-struct ocsp_location;	/* forward declaration of ocsp_location defined in ocsp.h */
+struct ocsp_location;   /* forward declaration of ocsp_location defined in ocsp.h */
 
 typedef enum {
-    FETCH_GET =  1,
-    FETCH_POST = 2
+	FETCH_GET =  1,
+	FETCH_POST = 2
 } fetch_request_t;
 
 typedef struct fetch_req fetch_req_t;
 
 struct fetch_req {
-    fetch_req_t   *next;
-    time_t        installed;
-    int           trials;
-    chunk_t       issuer;
-    chunk_t       authKeyID;
-    chunk_t	  authKeySerialNumber;
-    generalName_t *distributionPoints;
+	fetch_req_t   *next;
+	time_t        installed;
+	int           trials;
+	chunk_t       issuer;
+	chunk_t       authKeyID;
+	chunk_t       authKeySerialNumber;
+	generalName_t *distributionPoints;
 };
 
 #ifdef THREADS
@@ -67,9 +65,9 @@ extern void init_fetch(void);
 extern void free_crl_fetch(void);
 extern void free_ocsp_fetch(void);
 extern void add_distribution_points(const generalName_t *newPoints
-    , generalName_t **distributionPoints);
+	, generalName_t **distributionPoints);
 extern fetch_req_t* build_crl_fetch_request(chunk_t issuer, chunk_t authKeySerialNumber
-    , chunk_t authKeyID, const generalName_t *gn);
+	, chunk_t authKeyID, const generalName_t *gn);
 extern void add_crl_fetch_request(fetch_req_t *req);
 extern void add_ocsp_fetch_request(struct ocsp_location *location, chunk_t serialNumber);
 extern void list_distribution_points(const generalName_t *gn);
diff --git a/src/pluto/foodgroups.c b/src/pluto/foodgroups.c
index 5b2836bce..ed9853fc4 100644
--- a/src/pluto/foodgroups.c
+++ b/src/pluto/foodgroups.c
@@ -10,8 +10,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: foodgroups.c 3252 2007-10-06 21:24:50Z andreas $
  */
 
 #include <string.h>
@@ -49,8 +47,8 @@ static size_t fg_path_space = 0;
  */
 
 struct fg_groups {
-    struct fg_groups *next;
-    struct connection *connection;
+	struct fg_groups *next;
+	struct connection *connection;
 };
 
 static struct fg_groups *groups = NULL;
@@ -66,10 +64,10 @@ static struct fg_groups *groups = NULL;
  */
 
 struct fg_targets {
-    struct fg_targets *next;
-    struct fg_groups *group;
-    ip_subnet subnet;
-    char *name;	/* name of instance of group conn */
+	struct fg_targets *next;
+	struct fg_groups *group;
+	ip_subnet subnet;
+	char *name; /* name of instance of group conn */
 };
 
 static struct fg_targets *targets = NULL;
@@ -83,24 +81,24 @@ struct fg_targets *new_targets;
 static int
 ipcmp(ip_address *a, ip_address *b)
 {
-    if (addrtypeof(a) != addrtypeof(b))
-    {
-	return addrtypeof(a) < addrtypeof(b)? -1 : 1;
-    }
-    else if (sameaddr(a, b))
-    {
-	return 0;
-    }
-    else
-    {
-	const struct sockaddr *sa = sockaddrof(a)
-	    , *sb = sockaddrof(b);
-
-	passert(addrtypeof(a) == AF_INET);	/* not yet implemented IPv6 version :-( */
-	return (ntohl(((const struct sockaddr_in *)sa)->sin_addr.s_addr)
-	    < ntohl(((const struct sockaddr_in *)sb)->sin_addr.s_addr))
-	    ? -1 : 1;
-    }
+	if (addrtypeof(a) != addrtypeof(b))
+	{
+		return addrtypeof(a) < addrtypeof(b)? -1 : 1;
+	}
+	else if (sameaddr(a, b))
+	{
+		return 0;
+	}
+	else
+	{
+		const struct sockaddr *sa = sockaddrof(a)
+			, *sb = sockaddrof(b);
+
+		passert(addrtypeof(a) == AF_INET);      /* not yet implemented IPv6 version :-( */
+		return (ntohl(((const struct sockaddr_in *)sa)->sin_addr.s_addr)
+			< ntohl(((const struct sockaddr_in *)sb)->sin_addr.s_addr))
+			? -1 : 1;
+	}
 }
 
 /* subnetcmp compares the two ip_subnet values a and b.
@@ -110,353 +108,353 @@ ipcmp(ip_address *a, ip_address *b)
 static int
 subnetcmp(const ip_subnet *a, const ip_subnet *b)
 {
-    ip_address neta, maska, netb, maskb;
-    int r;
-
-    networkof(a, &neta);
-    maskof(a, &maska);
-    networkof(b, &netb);
-    maskof(b, &maskb);
-    r = ipcmp(&neta, &netb);
-    if (r == 0)
-	r = ipcmp(&maska, &maskb);
-    return r;
+	ip_address neta, maska, netb, maskb;
+	int r;
+
+	networkof(a, &neta);
+	maskof(a, &maska);
+	networkof(b, &netb);
+	maskof(b, &maskb);
+	r = ipcmp(&neta, &netb);
+	if (r == 0)
+		r = ipcmp(&maska, &maskb);
+	return r;
 }
 
 static void
 read_foodgroup(struct fg_groups *g)
 {
-    const char *fgn = g->connection->name;
-    const ip_subnet *lsn = &g->connection->spd.this.client;
-    size_t plen = strlen(policygroups_dir) + 1 + strlen(fgn) + 1;
-    struct file_lex_position flp_space;
-
-    if (plen > fg_path_space)
-    {
-	pfreeany(fg_path);
-	fg_path_space = plen + 10;
-	fg_path = alloc_bytes(fg_path_space, "policy group path");
-    }
-    snprintf(fg_path, fg_path_space, "%s/%s", policygroups_dir, fgn);
-    if (!lexopen(&flp_space, fg_path, TRUE))
-    {
-	DBG(DBG_CONTROL, DBG_log("no group file \"%s\"", fg_path));
-    }
-    else
-    {
-	plog("loading group \"%s\"", fg_path);
-	for (;;)
+	const char *fgn = g->connection->name;
+	const ip_subnet *lsn = &g->connection->spd.this.client;
+	size_t plen = strlen(policygroups_dir) + 1 + strlen(fgn) + 1;
+	struct file_lex_position flp_space;
+
+	if (plen > fg_path_space)
+	{
+		free(fg_path);
+		fg_path_space = plen + 10;
+		fg_path = malloc(fg_path_space);
+	}
+	snprintf(fg_path, fg_path_space, "%s/%s", policygroups_dir, fgn);
+	if (!lexopen(&flp_space, fg_path, TRUE))
+	{
+		DBG(DBG_CONTROL, DBG_log("no group file \"%s\"", fg_path));
+	}
+	else
 	{
-	    switch (flp->bdry)
-	    {
-	    case B_none:
+		plog("loading group \"%s\"", fg_path);
+		for (;;)
 		{
-		    /* !!! this test is not sufficient for distinguishing address families.
-		     * We need a notation to specify that a FQDN is to be resolved to IPv6.
-		     */
-		    const struct af_info *afi = strchr(tok, ':') == NULL
-			? &af_inet4_info: &af_inet6_info;
-		    ip_subnet sn;
-		    err_t ugh;
-
-		    if (strchr(tok, '/') == NULL)
-		    {
-			/* no /, so treat as /32 or V6 equivalent */
-			ip_address t;
-
-			ugh = ttoaddr(tok, 0, afi->af, &t);
-			if (ugh == NULL)
-			    ugh = addrtosubnet(&t, &sn);
-		    }
-		    else
-		    {
-			ugh = ttosubnet(tok, 0, afi->af, &sn);
-		    }
-
-		    if (ugh != NULL)
-		    {
-			loglog(RC_LOG_SERIOUS, "\"%s\" line %d: %s \"%s\""
-			    , flp->filename, flp->lino, ugh, tok);
-		    }
-		    else if (afi->af != AF_INET)
-		    {
-			loglog(RC_LOG_SERIOUS
-			    , "\"%s\" line %d: unsupported Address Family \"%s\""
-			    , flp->filename, flp->lino, tok);
-		    }
-		    else
-		    {
-			/* Find where new entry ought to go in new_targets. */
-			struct fg_targets **pp;
-			int r;
-
-			for (pp = &new_targets; ; pp = &(*pp)->next)
-			{
-			    if (*pp == NULL)
-			    {
-				r = -1;	/* end of list is infinite */
-				break;
-			    }
-			    r = subnetcmp(lsn, &(*pp)->group->connection->spd.this.client);
-			    if (r == 0)
-				r = subnetcmp(&sn, &(*pp)->subnet);
-			    if (r <= 0)
-				break;
-			}
-
-			if (r == 0)
+			switch (flp->bdry)
 			{
-			    char source[SUBNETTOT_BUF];
-
-			    subnettot(lsn, 0, source, sizeof(source));
-			    loglog(RC_LOG_SERIOUS
-				, "\"%s\" line %d: subnet \"%s\", source %s, already \"%s\""
-				, flp->filename
-				, flp->lino
-				, tok
-				, source
-				, (*pp)->group->connection->name);
+			case B_none:
+				{
+					/* !!! this test is not sufficient for distinguishing address families.
+					 * We need a notation to specify that a FQDN is to be resolved to IPv6.
+					 */
+					const struct af_info *afi = strchr(tok, ':') == NULL
+						? &af_inet4_info: &af_inet6_info;
+					ip_subnet sn;
+					err_t ugh;
+
+					if (strchr(tok, '/') == NULL)
+					{
+						/* no /, so treat as /32 or V6 equivalent */
+						ip_address t;
+
+						ugh = ttoaddr(tok, 0, afi->af, &t);
+						if (ugh == NULL)
+							ugh = addrtosubnet(&t, &sn);
+					}
+					else
+					{
+						ugh = ttosubnet(tok, 0, afi->af, &sn);
+					}
+
+					if (ugh != NULL)
+					{
+						loglog(RC_LOG_SERIOUS, "\"%s\" line %d: %s \"%s\""
+							, flp->filename, flp->lino, ugh, tok);
+					}
+					else if (afi->af != AF_INET)
+					{
+						loglog(RC_LOG_SERIOUS
+							, "\"%s\" line %d: unsupported Address Family \"%s\""
+							, flp->filename, flp->lino, tok);
+					}
+					else
+					{
+						/* Find where new entry ought to go in new_targets. */
+						struct fg_targets **pp;
+						int r;
+
+						for (pp = &new_targets; ; pp = &(*pp)->next)
+						{
+							if (*pp == NULL)
+							{
+								r = -1; /* end of list is infinite */
+								break;
+							}
+							r = subnetcmp(lsn, &(*pp)->group->connection->spd.this.client);
+							if (r == 0)
+								r = subnetcmp(&sn, &(*pp)->subnet);
+							if (r <= 0)
+								break;
+						}
+
+						if (r == 0)
+						{
+							char source[SUBNETTOT_BUF];
+
+							subnettot(lsn, 0, source, sizeof(source));
+							loglog(RC_LOG_SERIOUS
+								, "\"%s\" line %d: subnet \"%s\", source %s, already \"%s\""
+								, flp->filename
+								, flp->lino
+								, tok
+								, source
+								, (*pp)->group->connection->name);
+						}
+						else
+						{
+							struct fg_targets *f = malloc_thing(struct fg_targets);
+
+							f->next = *pp;
+							f->group = g;
+							f->subnet = sn;
+							f->name = NULL;
+							*pp = f;
+						}
+					}
+				}
+				(void)shift();  /* next */
+				continue;
+
+			case B_record:
+				flp->bdry = B_none;     /* eat the Record Boundary */
+				(void)shift();  /* get real first token */
+				continue;
+
+			case B_file:
+				break;  /* done */
 			}
-			else
-			{
-			    struct fg_targets *f = alloc_thing(struct fg_targets, "fg_target");
-
-			    f->next = *pp;
-			    f->group = g;
-			    f->subnet = sn;
-			    f->name = NULL;
-			    *pp = f;
-			}
-		    }
+			break;      /* if we reach here, out of loop */
 		}
-		(void)shift();	/* next */
-		continue;
-
-	    case B_record:
-		flp->bdry = B_none;	/* eat the Record Boundary */
-		(void)shift();	/* get real first token */
-		continue;
-
-	    case B_file:
-		break;	/* done */
-	    }
-	    break;	/* if we reach here, out of loop */
+		lexclose();
 	}
-	lexclose();
-    }
 }
 
 static void
 free_targets(void)
 {
-    while (targets != NULL)
-    {
-	struct fg_targets *t = targets;
-
-	targets = t->next;
-	pfreeany(t->name);
-	pfree(t);
-    }
+	while (targets != NULL)
+	{
+		struct fg_targets *t = targets;
+
+		targets = t->next;
+		free(t->name);
+		free(t);
+	}
 }
 
 void
 load_groups(void)
 {
-    passert(new_targets == NULL);
+	passert(new_targets == NULL);
 
-    /* for each group, add config file targets into new_targets */
-    {
-	struct fg_groups *g;
+	/* for each group, add config file targets into new_targets */
+	{
+		struct fg_groups *g;
 
-	for (g = groups; g != NULL; g = g->next)
-	    if (oriented(*g->connection))
-		read_foodgroup(g);
-    }
+		for (g = groups; g != NULL; g = g->next)
+			if (oriented(*g->connection))
+				read_foodgroup(g);
+	}
 
-    /* dump new_targets */
-    DBG(DBG_CONTROL,
-	{
-	    struct fg_targets *t;
-
-	    for (t = new_targets; t != NULL; t = t->next)
-	    {
-		char asource[SUBNETTOT_BUF];
-		char atarget[SUBNETTOT_BUF];
-
-		subnettot(&t->group->connection->spd.this.client
-		    , 0, asource, sizeof(asource));
-		subnettot(&t->subnet, 0, atarget, sizeof(atarget));
-		DBG_log("%s->%s %s"
-		    , asource, atarget
-		    , t->group->connection->name);
-	    }
-	});
-
-    /* determine and deal with differences between targets and new_targets.
-     * structured like a merge.
-     */
-    {
-	struct fg_targets *op = targets
-	    , *np = new_targets;
-
-	while (op != NULL && np != NULL)
-	{
-	    int r = subnetcmp(&op->group->connection->spd.this.client
-		, &np->group->connection->spd.this.client);
-
-	    if (r == 0)
-		r = subnetcmp(&op->subnet, &np->subnet);
-
-	    if (r == 0 && op->group == np->group)
-	    {
-		/* unchanged -- steal name & skip over */
-		np->name = op->name;
-		op->name = NULL;
-		op = op->next;
-		np = np->next;
-	    }
-	    else
-	    {
-		/* note: following cases overlap! */
-		if (r <= 0)
+	/* dump new_targets */
+	DBG(DBG_CONTROL,
 		{
-		    remove_group_instance(op->group->connection, op->name);
-		    op = op->next;
-		}
-		if (r >= 0)
+			struct fg_targets *t;
+
+			for (t = new_targets; t != NULL; t = t->next)
+			{
+				char asource[SUBNETTOT_BUF];
+				char atarget[SUBNETTOT_BUF];
+
+				subnettot(&t->group->connection->spd.this.client
+					, 0, asource, sizeof(asource));
+				subnettot(&t->subnet, 0, atarget, sizeof(atarget));
+				DBG_log("%s->%s %s"
+					, asource, atarget
+					, t->group->connection->name);
+			}
+		});
+
+	/* determine and deal with differences between targets and new_targets.
+	 * structured like a merge.
+	 */
+	{
+		struct fg_targets *op = targets
+			, *np = new_targets;
+
+		while (op != NULL && np != NULL)
 		{
-		    np->name = add_group_instance(np->group->connection, &np->subnet);
-		    np = np->next;
+			int r = subnetcmp(&op->group->connection->spd.this.client
+				, &np->group->connection->spd.this.client);
+
+			if (r == 0)
+				r = subnetcmp(&op->subnet, &np->subnet);
+
+			if (r == 0 && op->group == np->group)
+			{
+				/* unchanged -- steal name & skip over */
+				np->name = op->name;
+				op->name = NULL;
+				op = op->next;
+				np = np->next;
+			}
+			else
+			{
+				/* note: following cases overlap! */
+				if (r <= 0)
+				{
+					remove_group_instance(op->group->connection, op->name);
+					op = op->next;
+				}
+				if (r >= 0)
+				{
+					np->name = add_group_instance(np->group->connection, &np->subnet);
+					np = np->next;
+				}
+			}
 		}
-	    }
+		for (; op != NULL; op = op->next)
+			remove_group_instance(op->group->connection, op->name);
+		for (; np != NULL; np = np->next)
+			np->name = add_group_instance(np->group->connection, &np->subnet);
+
+		/* update: new_targets replaces targets */
+		free_targets();
+		targets = new_targets;
+		new_targets = NULL;
 	}
-	for (; op != NULL; op = op->next)
-	    remove_group_instance(op->group->connection, op->name);
-	for (; np != NULL; np = np->next)
-	    np->name = add_group_instance(np->group->connection, &np->subnet);
-
-	/* update: new_targets replaces targets */
-	free_targets();
-	targets = new_targets;
-	new_targets = NULL;
-    }
 }
 
 
 void
 add_group(struct connection *c)
 {
-    struct fg_groups *g = alloc_thing(struct fg_groups, "policy group");
+	struct fg_groups *g = malloc_thing(struct fg_groups);
 
-    g->next = groups;
-    groups = g;
+	g->next = groups;
+	groups = g;
 
-    g->connection = c;
+	g->connection = c;
 }
 
 static struct fg_groups *
 find_group(const struct connection *c)
 {
-    struct fg_groups *g;
+	struct fg_groups *g;
 
-    for (g = groups; g != NULL && g->connection != c; g = g->next)
-	;
-    return g;
+	for (g = groups; g != NULL && g->connection != c; g = g->next)
+		;
+	return g;
 }
 
 void
 route_group(struct connection *c)
 {
-    /* it makes no sense to route a connection that is ISAKMP-only */
-    if (!NEVER_NEGOTIATE(c->policy) && !HAS_IPSEC_POLICY(c->policy))
-    {
-	loglog(RC_ROUTE, "cannot route an ISAKMP-only group connection");
-    }
-    else
-    {
-	struct fg_groups *g = find_group(c);
-	struct fg_targets *t;
-
-	passert(g != NULL);
-	g->connection->policy |= POLICY_GROUTED;
-	for (t = targets; t != NULL; t = t->next)
+	/* it makes no sense to route a connection that is ISAKMP-only */
+	if (!NEVER_NEGOTIATE(c->policy) && !HAS_IPSEC_POLICY(c->policy))
+	{
+		loglog(RC_ROUTE, "cannot route an ISAKMP-only group connection");
+	}
+	else
 	{
-	    if (t->group == g)
-	    {
-		struct connection *ci = con_by_name(t->name, FALSE);
+		struct fg_groups *g = find_group(c);
+		struct fg_targets *t;
 
-		if (ci != NULL)
+		passert(g != NULL);
+		g->connection->policy |= POLICY_GROUTED;
+		for (t = targets; t != NULL; t = t->next)
 		{
-		    set_cur_connection(ci);
-		    if (!trap_connection(ci))
-			whack_log(RC_ROUTE, "could not route");
-		    set_cur_connection(c);
+			if (t->group == g)
+			{
+				struct connection *ci = con_by_name(t->name, FALSE);
+
+				if (ci != NULL)
+				{
+					set_cur_connection(ci);
+					if (!trap_connection(ci))
+						whack_log(RC_ROUTE, "could not route");
+					set_cur_connection(c);
+				}
+			}
 		}
-	    }
 	}
-    }
 }
 
 void
 unroute_group(struct connection *c)
 {
-    struct fg_groups *g = find_group(c);
-    struct fg_targets *t;
-
-    passert(g != NULL);
-    g->connection->policy &= ~POLICY_GROUTED;
-    for (t = targets; t != NULL; t = t->next)
-    {
-	if (t->group == g)
+	struct fg_groups *g = find_group(c);
+	struct fg_targets *t;
+
+	passert(g != NULL);
+	g->connection->policy &= ~POLICY_GROUTED;
+	for (t = targets; t != NULL; t = t->next)
 	{
-	    struct connection *ci = con_by_name(t->name, FALSE);
-
-	    if (ci != NULL)
-	    {
-		set_cur_connection(ci);
-		unroute_connection(ci);
-		set_cur_connection(c);
-	    }
+		if (t->group == g)
+		{
+			struct connection *ci = con_by_name(t->name, FALSE);
+
+			if (ci != NULL)
+			{
+				set_cur_connection(ci);
+				unroute_connection(ci);
+				set_cur_connection(c);
+			}
+		}
 	}
-    }
 }
 
 void
 delete_group(const struct connection *c)
 {
-    struct fg_groups *g;
-
-    /* find and remove from groups */
-    {
-	struct fg_groups **pp;
+	struct fg_groups *g;
 
-	for (pp = &groups; (g = *pp)->connection != c; pp = &(*pp)->next)
-	    ;
+	/* find and remove from groups */
+	{
+		struct fg_groups **pp;
 
-	*pp = g->next;
-    }
+		for (pp = &groups; (g = *pp)->connection != c; pp = &(*pp)->next)
+			;
 
-    /* find and remove from targets */
-    {
-	struct fg_targets **pp;
+		*pp = g->next;
+	}
 
-	for (pp = &targets; *pp != NULL; )
+	/* find and remove from targets */
 	{
-	    struct fg_targets *t = *pp;
-
-	    if (t->group == g)
-	    {
-		*pp = t->next;
-		remove_group_instance(t->group->connection, t->name);
-		pfree(t);
-		/* pp is ready for next iteration */
-	    }
-	    else
-	    {
-		pp = &t->next;
-	    }
+		struct fg_targets **pp;
+
+		for (pp = &targets; *pp != NULL; )
+		{
+			struct fg_targets *t = *pp;
+
+			if (t->group == g)
+			{
+				*pp = t->next;
+				remove_group_instance(t->group->connection, t->name);
+				free(t);
+				/* pp is ready for next iteration */
+			}
+			else
+			{
+				pp = &t->next;
+			}
+		}
 	}
-    }
 
-    pfree(g);
+	free(g);
 }
diff --git a/src/pluto/foodgroups.h b/src/pluto/foodgroups.h
index d66f85423..b6d3386ae 100644
--- a/src/pluto/foodgroups.h
+++ b/src/pluto/foodgroups.h
@@ -10,11 +10,9 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: foodgroups.h 3252 2007-10-06 21:24:50Z andreas $
  */
 
-struct connection;	/* forward declaration */
+struct connection;      /* forward declaration */
 extern void add_group(struct connection *c);
 extern void route_group(struct connection *c);
 extern void unroute_group(struct connection *c);
diff --git a/src/pluto/gcryptfix.c b/src/pluto/gcryptfix.c
deleted file mode 100644
index b8007046d..000000000
--- a/src/pluto/gcryptfix.c
+++ /dev/null
@@ -1,283 +0,0 @@
-/* Routines to make gcrypt routines feel at home in Pluto.
- * Copyright (C) 1999  D. Hugh Redelmeier.
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- *
- * RCSID $Id: gcryptfix.c 3252 2007-10-06 21:24:50Z andreas $
- */
-
-#include <stdlib.h>
-
-#include <gmp.h>
-#include <freeswan.h>
-#include "constants.h"
-#include "defs.h"
-#include "log.h"
-#include "rnd.h"
-#include "gcryptfix.h"	/* includes <gmp.h> "defs.h" "rnd.h" */
-
-MPI
-mpi_alloc( unsigned nlimbs UNUSED )
-{
-    MPI n = alloc_bytes(sizeof *n, "mpi_alloc");
-
-    mpz_init(n);
-    return n;
-}
-
-MPI
-mpi_alloc_secure( unsigned nlimbs )
-{
-    return mpi_alloc(nlimbs);
-}
-
-MPI
-mpi_alloc_set_ui( unsigned long u)
-{
-    MPI n = alloc_bytes(sizeof *n, "mpi_copy");
-
-    mpz_init_set_ui(n, u);
-    return n;
-}
-
-MPI
-mpi_copy( MPI a )
-{
-    MPI n = alloc_bytes(sizeof *n, "mpi_copy");
-
-    mpz_init_set(n, a);
-    return n;
-}
-
-void
-mpi_free( MPI a )
-{
-    mpz_clear(a);
-    pfree(a);
-}
-
-int
-mpi_divisible_ui(MPI dividend, ulong divisor )
-{
-    ulong rem;
-    mpz_t remtoo;
-
-    mpz_init(remtoo);
-    rem = mpz_mod_ui(remtoo, dividend, divisor);
-    mpz_clear(remtoo);
-    return rem == 0;
-}
-
-unsigned
-mpi_trailing_zeros( MPI a )
-{
-    return mpz_scan1(a, 0);
-}
-
-unsigned
-mpi_get_nbits( MPI a )
-{
-    return mpz_sizeinbase(a, 2);
-}
-
-int
-mpi_test_bit( MPI a, unsigned n )
-{
-    /* inspired by gmp/mpz/clrbit.c */
-    mp_size_t li = n / mp_bits_per_limb;
-
-    if (li >= a->_mp_size)
-	return 0;
-    return (a->_mp_d[li] & ((mp_limb_t) 1 << (n % mp_bits_per_limb))) != 0;
-}
-
-void
-mpi_set_bit( MPI a, unsigned n )
-{
-    mpz_setbit(a, n);
-}
-
-void
-mpi_clear_bit( MPI a, unsigned n )
-{
-    mpz_clrbit(a, n);
-}
-
-void
-mpi_clear_highbit( MPI a, unsigned n )
-{
-    /* This seems whacky, but what do I know. */
-    mpz_fdiv_r_2exp(a, a, n);
-}
-
-void
-mpi_set_highbit( MPI a, unsigned n )
-{
-    /* This seems whacky, but what do I know. */
-    mpz_fdiv_r_2exp(a, a, n+1);
-    mpz_setbit(a, n);
-}
-
-void
-mpi_set_buffer( MPI a, const u_char *buffer, unsigned nbytes, int sign )
-{
-    /* this is a lot like n_to_mpz */
-    size_t i;
-
-    passert(sign == 0);	/* we won't hit any negative numbers */
-    mpz_init_set_ui(a, 0);
-
-    for (i = 0; i != nbytes; i++)
-    {
-	mpz_mul_ui(a, a, 1 << BITS_PER_BYTE);
-	mpz_add_ui(a, a, buffer[i]);
-    }
-}
-
-u_char *
-get_random_bits(size_t nbits, int level UNUSED, int secure UNUSED)
-{
-    size_t nbytes = (nbits+7)/8;
-    u_char *b = alloc_bytes(nbytes, "random bytes");
-
-    get_rnd_bytes(b, nbytes);
-    return b;
-}
-/**************** from gnupg-1.0.0/mpi/mpi-mpow.c
- * RES = (BASE[0] ^ EXP[0]) *  (BASE[1] ^ EXP[1]) * ... * mod M
- */
-#define barrett_mulm( w, u, v, m, y, k, r1, r2 ) mpi_mulm( (w), (u), (v), (m) )
-
-static int
-build_index( MPI *exparray, int k, int i, int t )
-{
-    int j, bitno;
-    int index = 0;
-
-    bitno = t-i;
-    for(j=k-1; j >= 0; j-- ) {
-	index <<= 1;
-	if( mpi_test_bit( exparray[j], bitno ) )
-	    index |= 1;
-    }
-    /*log_debug("t=%d i=%d index=%d\n", t, i, index );*/
-    return index;
-}
-
-void
-mpi_mulpowm( MPI res, MPI *basearray, MPI *exparray, MPI m)
-{
-    int k;	/* number of elements */
-    int t;	/* bit size of largest exponent */
-    int i, j, idx;
-    MPI *G;	/* table with precomputed values of size 2^k */
-    MPI tmp;
-  #ifdef USE_BARRETT
-    MPI barrett_y, barrett_r1, barrett_r2;
-    int barrett_k;
-  #endif
-
-    for(k=0; basearray[k]; k++ )
-	;
-    passert(k);
-    for(t=0, i=0; (tmp=exparray[i]); i++ ) {
-	/*log_mpidump("exp: ", tmp );*/
-	j = mpi_get_nbits(tmp);
-	if( j > t )
-	    t = j;
-    }
-    /*log_mpidump("mod: ", m );*/
-    passert(i==k);
-    passert(t);
-    passert( k < 10 );
-
-#ifdef PLUTO
-    m_alloc_ptrs_clear(G, 1<<k);
-#else
-    G = m_alloc_clear( (1<<k) * sizeof *G );
-#endif
-
-  #ifdef USE_BARRETT
-    barrett_y = init_barrett( m, &barrett_k, &barrett_r1, &barrett_r2 );
-  #endif
-    /* and calculate */
-    tmp =  mpi_alloc( mpi_get_nlimbs(m)+1 );
-    mpi_set_ui( res, 1 );
-    for(i = 1; i <= t; i++ ) {
-	barrett_mulm(tmp, res, res, m, barrett_y, barrett_k,
-				       barrett_r1, barrett_r2 );
-	idx = build_index( exparray, k, i, t );
-	passert( idx >= 0 && idx < (1<<k) );
-	if( !G[idx] ) {
-	    if( !idx )
-		 G[0] = mpi_alloc_set_ui( 1 );
-	    else {
-		for(j=0; j < k; j++ ) {
-		    if( (idx & (1<<j) ) ) {
-			if( !G[idx] )
-			    G[idx] = mpi_copy( basearray[j] );
-			else
-			    barrett_mulm( G[idx], G[idx], basearray[j],
-					       m, barrett_y, barrett_k, barrett_r1, barrett_r2	);
-		    }
-		}
-		if( !G[idx] )
-		    G[idx] = mpi_alloc(0);
-	    }
-	}
-	barrett_mulm(res, tmp, G[idx], m, barrett_y, barrett_k, barrett_r1, barrett_r2	);
-    }
-
-    /* cleanup */
-    mpi_free(tmp);
-  #ifdef USE_BARRETT
-    mpi_free(barrett_y);
-    mpi_free(barrett_r1);
-    mpi_free(barrett_r2);
-  #endif
-    for(i=0; i < (1<<k); i++ )
-	mpi_free(G[i]);
-    m_free(G);
-}
-
-void
-log_mpidump( const char *text UNUSED, MPI a )
-{
-    /* Print number in hex -- helpful to see if they match bytes.
-     * Humans are not going to do arithmetic with the large numbers!
-     * Much code adapted from mpz_to_n.
-     */
-    u_char buf[8048];	/* this ought to be big enough */
-    size_t len = (mpz_sizeinbase(a, 16) + 1) / 2;   /* bytes */
-    MP_INT temp1, temp2;
-    int i;
-
-    passert(len <= sizeof(buf));
-
-    mpz_init(&temp1);
-    mpz_init(&temp2);
-
-    mpz_set(&temp1, a);
-
-    for (i = len-1; i >= 0; i--)
-    {
-	buf[i] = mpz_mdivmod_ui(&temp2, NULL, &temp1, 1 << BITS_PER_BYTE);
-	mpz_set(&temp1, &temp2);
-    }
-
-    passert(mpz_sgn(&temp1) == 0);	/* we must have done all the bits */
-    mpz_clear(&temp1);
-    mpz_clear(&temp2);
-
-#ifdef DEBUG
-    DBG_dump(text, buf, len);
-#endif /* DEBUG */
-}
diff --git a/src/pluto/gcryptfix.h b/src/pluto/gcryptfix.h
deleted file mode 100644
index db2587c59..000000000
--- a/src/pluto/gcryptfix.h
+++ /dev/null
@@ -1,111 +0,0 @@
-/* Definitions to make gcrypt routines feel at home in Pluto.
- * Copyright (C) 1999  D. Hugh Redelmeier.
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- *
- * RCSID $Id: gcryptfix.h 3252 2007-10-06 21:24:50Z andreas $
- */
-
-#define DBG_CIPHER  1	/* some day we'll do this right */
-
-/* Simulate MPI routines with gmp routines.
- * gmp's MP_INT is a stuct; MPI's MPI is a pointer to an analogous struct.
- * gmp's mpz_t is an array of one of these structs to enable magic pointer
- * conversions to make the notation convenient (but confusing).
- */
-typedef u_char byte;
-typedef MP_INT *MPI;
-
-#define BITS_PER_MPI_LIMB mp_bits_per_limb
-
-extern MPI mpi_alloc( unsigned nlimbs );
-extern MPI mpi_alloc_secure( unsigned nlimbs );
-#define mpi_alloc_like(n) mpi_alloc(mpi_get_nlimbs(n))
-extern MPI mpi_alloc_set_ui( unsigned long u);
-#define mpi_set_ui(w, u) mpz_set_ui(w, u)
-#define mpi_set(w, u) mpz_set(w, u)
-extern void mpi_free( MPI a );
-extern MPI  mpi_copy( MPI a );
-extern unsigned mpi_get_nbits( MPI a );
-#define mpi_get_nlimbs(a)     ((a)->_mp_alloc)	/* dirty, but useless */
-extern void  mpi_set_buffer( MPI a, const u_char *buffer, unsigned nbytes, int sign );
-extern unsigned mpi_trailing_zeros( MPI a );
-extern int  mpi_test_bit( MPI a, unsigned n );
-extern void mpi_set_bit( MPI a, unsigned n );
-extern void mpi_clear_bit( MPI a, unsigned n );
-extern void mpi_clear_highbit( MPI a, unsigned n );
-extern void mpi_set_highbit( MPI a, unsigned n );
-#define mpi_cmp_ui(u, v) mpz_cmp_ui((u), (v))
-#define mpi_cmp(u, v) mpz_cmp((u), (v))
-#define mpi_is_neg(n) (mpz_sgn(n) < 0)
-#define mpi_add(w, u, v) mpz_add((w), (u), (v))
-#define mpi_add_ui(w, u, v) mpz_add_ui((w), (u), (v))
-#define mpi_sub_ui(w, u, v) mpz_sub_ui((w), (u), (v))
-#define mpi_subm( w, u, v, m) { mpz_sub( (w), (u), (v)) ; mpz_fdiv_r((w), (w), (m)); }
-#define mpi_mul( w, u, v) mpz_mul( (w), (u), (v))
-#define mpi_mul_ui( w, u, v) mpz_mul_ui( (w), (u), (v))
-#define mpi_mulm( w, u, v, m) { mpz_mul( (w), (u), (v)) ; mpz_fdiv_r((w), (w), (m)); }
-#define mpi_fdiv_q(quot, dividend, divisor) mpz_fdiv_q((quot), (dividend), (divisor))
-#define mpi_fdiv_r( rem, dividend, divisor ) mpz_fdiv_r( (rem), (dividend), (divisor) )
-#define mpi_fdiv_r_ui( rem, dividend, divisor )  mpz_fdiv_r_ui( (rem), (dividend), (divisor) )
-#define mpi_tdiv_q_2exp( w, u, count ) mpz_tdiv_q_2exp( (w), (u), (count) )
-extern int   mpi_divisible_ui(MPI dividend, ulong divisor );
-#define mpi_powm( res, base, exp, mod) mpz_powm( res, base, exp, mod)
-extern void mpi_mulpowm( MPI res, MPI *basearray, MPI *exparray, MPI mod);
-#define mpi_gcd( g, a, b ) ( mpz_gcd( (g), (a), (b) ), !mpi_cmp_ui( (g), 1))
-#define mpi_invm( x, a, n ) mpz_invert( (x), (a), (n) )
-
-#ifdef DEBUG
-# define log_debug(f...)  DBG_log(f)
-#else
-# define log_debug(f...)  do ; while (0)	/* do nothing, carefully */
-#endif
-#define log_fatal(f...)  exit_log(f)	/* overreaction? */
-extern void log_mpidump( const char *text, MPI a );
-
-#define assert(p) passert(p)
-#define BUG() passert(FALSE)
-
-#define m_alloc_ptrs_clear(pp, n) { \
-	int c = (n); \
-	(pp) = alloc_bytes((n) * sizeof(*(pp)), "m_alloc_ptrs_clear"); \
-	while (c > 0) (pp)[--c] = NULL; \
-    }
-
-extern u_char *get_random_bits(size_t nbits, int level, int secure);
-#define m_alloc(sz) alloc_bytes((sz), "m_alloc")	/* not initialized */
-#define m_free(n) pfree(n)  /* always freeing something from get_random_bits */
-
-/* declarations from gnupg-1.0.0/include/cipher.h */
-/*-- primegen.c --*/
-MPI generate_secret_prime( unsigned nbits );
-MPI generate_public_prime( unsigned nbits );
-MPI generate_elg_prime( int mode, unsigned pbits, unsigned qbits,
-					   MPI g, MPI **factors );
-
-#define PUBKEY_ALGO_ELGAMAL_E 16     /* encrypt only ElGamal (but not for v3)*/
-#define PUBKEY_ALGO_DSA       17
-#define PUBKEY_ALGO_ELGAMAL   20     /* sign and encrypt elgamal */
-
-#define is_ELGAMAL(a) ((a)==PUBKEY_ALGO_ELGAMAL || (a)==PUBKEY_ALGO_ELGAMAL_E)
-
-#define PUBKEY_USAGE_SIG     1	    /* key is good for signatures */
-#define PUBKEY_USAGE_ENC     2	    /* key is good for encryption */
-
-/* from gnupg-1.0.0/include/errors.h */
-
-#define G10ERR_PUBKEY_ALGO     4 /* Unknown pubkey algorithm */
-#define G10ERR_BAD_SECKEY      7 /* Bad secret key */
-#define G10ERR_BAD_SIGN        8 /* Bad signature */
-#define G10ERR_BAD_MPI	      30
-
-/*-- smallprime.c --*/
-extern ushort small_prime_numbers[];
diff --git a/src/pluto/id.c b/src/pluto/id.c
index 8db322a5e..f34775e68 100644
--- a/src/pluto/id.c
+++ b/src/pluto/id.c
@@ -10,8 +10,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: id.c 3252 2007-10-06 21:24:50Z andreas $
  */
 
 #include <stdlib.h>
@@ -22,13 +20,12 @@
 #include <netinet/in.h>
 #include <arpa/inet.h>
 #include <unistd.h>
-#ifndef HOST_NAME_MAX	/* POSIX 1003.1-2001 says <unistd.h> defines this */
-# define HOST_NAME_MAX	255 /* upper bound, according to SUSv2 */
+#ifndef HOST_NAME_MAX   /* POSIX 1003.1-2001 says <unistd.h> defines this */
+# define HOST_NAME_MAX  255 /* upper bound, according to SUSv2 */
 #endif
 #include <sys/queue.h>
 
 #include <freeswan.h>
-#include <ipsec_policy.h>
 
 #include "constants.h"
 #include "defs.h"
@@ -38,10 +35,10 @@
 #include "packet.h"
 #include "whack.h"
 
-const struct id empty_id;	/* ID_NONE */
+const struct id empty_id;       /* ID_ANY */
 
 enum myid_state myid_state = MYID_UNKNOWN;
-struct id myids[MYID_SPECIFIED+1];	/* %myid */
+struct id myids[MYID_SPECIFIED+1];      /* %myid */
 char *myid_str[MYID_SPECIFIED+1];     /* string form of IDs */
 
 /* initialize id module
@@ -50,100 +47,117 @@ char *myid_str[MYID_SPECIFIED+1];     /* string form of IDs */
 void
 init_id(void)
 {
-    passert(empty_id.kind == ID_NONE);
-    myid_state = MYID_UNKNOWN;
-    {
+	passert(empty_id.kind == ID_ANY);
+	myid_state = MYID_UNKNOWN;
+	{
+		enum myid_state s;
+
+		for (s = MYID_UNKNOWN; s <= MYID_SPECIFIED; s++)
+		{
+			myids[s] = empty_id;
+			myid_str[s] = NULL;
+		}
+	}
+	set_myid(MYID_SPECIFIED, getenv("IPSECmyid"));
+	set_myid(MYID_IP, getenv("defaultrouteaddr"));
+	set_myFQDN();
+}
+
+/*
+ *  free id module
+ */
+void
+free_id(void)
+{
 	enum myid_state s;
 
 	for (s = MYID_UNKNOWN; s <= MYID_SPECIFIED; s++)
 	{
-	    myids[s] = empty_id;
-	    myid_str[s] = NULL;
+		free_id_content(&myids[s]);
+		free(myid_str[s]);
 	}
-    }
-    set_myid(MYID_SPECIFIED, getenv("IPSECmyid"));
-    set_myid(MYID_IP, getenv("defaultrouteaddr"));
-    set_myFQDN();
 }
 
 static void
 calc_myid_str(enum myid_state s)
 {
-    /* preformat the ID name */
-    char buf[BUF_LEN];
+	/* preformat the ID name */
+	char buf[BUF_LEN];
 
-    idtoa(&myids[s], buf, BUF_LEN);
-    replace(myid_str[s], clone_str(buf, "myid string"));
+	idtoa(&myids[s], buf, BUF_LEN);
+	replace(myid_str[s], clone_str(buf));
 }
 
 
 void
 set_myid(enum myid_state s, char *idstr)
 {
-    if (idstr != NULL)
-    {
-	struct id id;
-	err_t ugh = atoid(idstr, &id, FALSE);
-
-	if (ugh != NULL)
-	{
-	    loglog(RC_BADID, "myid malformed: %s \"%s\"", ugh, idstr);
-	}
-	else
+	if (idstr != NULL)
 	{
-	    free_id_content(&myids[s]);
-	    unshare_id_content(&id);
-	    myids[s] = id;
-	    if (s == MYID_SPECIFIED)
-		myid_state = MYID_SPECIFIED;
-
-	    calc_myid_str(s);
+		struct id id;
+		err_t ugh = atoid(idstr, &id, FALSE);
+
+		if (ugh != NULL)
+		{
+			loglog(RC_BADID, "myid malformed: %s \"%s\"", ugh, idstr);
+		}
+		else
+		{
+			free_id_content(&myids[s]);
+			unshare_id_content(&id);
+			myids[s] = id;
+			if (s == MYID_SPECIFIED)
+				myid_state = MYID_SPECIFIED;
+
+			calc_myid_str(s);
+		}
 	}
-    }
 }
 
 void
 set_myFQDN(void)
 {
-    char FQDN[HOST_NAME_MAX + 1];
-    int r = gethostname(FQDN, sizeof(FQDN));
-
-    free_id_content(&myids[MYID_HOSTNAME]);
-    myids[MYID_HOSTNAME] = empty_id;
-    if (r != 0)
-    {
-	log_errno((e, "gethostname() failed in set_myFQDN"));
-    }
-    else
-    {
-	FQDN[sizeof(FQDN) - 1] = '\0';	/* insurance */
+	char FQDN[HOST_NAME_MAX + 1];
+	int r = gethostname(FQDN, sizeof(FQDN));
 
+	free_id_content(&myids[MYID_HOSTNAME]);
+	myids[MYID_HOSTNAME] = empty_id;
+	if (r != 0)
 	{
-	    size_t len = strlen(FQDN);
-
-	    if (len > 0 && FQDN[len-1] == '.')
-	    {
-		/* nuke trailing . */
-		FQDN[len-1]='\0';
-	    }
+		log_errno((e, "gethostname() failed in set_myFQDN"));
 	}
-
-	if (!strcaseeq(FQDN, "localhost.localdomain"))
+	else
 	{
-	    clonetochunk(myids[MYID_HOSTNAME].name, FQDN, strlen(FQDN), "my FQDN");
-	    myids[MYID_HOSTNAME].kind = ID_FQDN;
-	    calc_myid_str(MYID_HOSTNAME);
+		FQDN[sizeof(FQDN) - 1] = '\0';  /* insurance */
+
+		{
+			size_t len = strlen(FQDN);
+
+			if (len > 0 && FQDN[len-1] == '.')
+			{
+				/* nuke trailing . */
+				FQDN[len-1]='\0';
+			}
+		}
+
+		if (!strcaseeq(FQDN, "localhost.localdomain"))
+		{
+			chunk_t myid_name = { FQDN, strlen(FQDN) };
+
+			myids[MYID_HOSTNAME].name = chunk_clone(myid_name);
+			myids[MYID_HOSTNAME].kind = ID_FQDN;
+			calc_myid_str(MYID_HOSTNAME);
+		}
 	}
-    }
 }
 
 void
 show_myid_status(void)
 {
-    char idstr[BUF_LEN];
+	char idstr[BUF_LEN];
 
-    (void)idtoa(&myids[myid_state], idstr, sizeof(idstr));
-    whack_log(RC_COMMENT, "%%myid = %s", idstr);
+	(void)idtoa(&myids[myid_state], idstr, sizeof(idstr));
+	whack_log(RC_COMMENT, "%%myid = %s", idstr);
 }
 
 /* Convert textual form of id into a (temporary) struct id.
@@ -152,86 +166,86 @@ show_myid_status(void)
 err_t
 atoid(char *src, struct id *id, bool myid_ok)
 {
-    err_t ugh = NULL;
-
-    *id = empty_id;
-
-    if (myid_ok && streq("%myid", src))
-    {
-	id->kind = ID_MYID;
-    }
-    else if (strchr(src, '=') != NULL)
-    {
-	/* we interpret this as an ASCII X.501 ID_DER_ASN1_DN */
-	id->kind = ID_DER_ASN1_DN;
-	id->name.ptr = temporary_cyclic_buffer(); /* assign temporary buffer */
-	id->name.len = 0;
-	/* convert from LDAP style or openssl x509 -subject style to ASN.1 DN
-	 * discard optional @ character in front of DN
-	 */
-	ugh = atodn((*src == '@')?src+1:src, &id->name);
-    }
-    else if (strchr(src, '@') == NULL)
-    {
-	if (streq(src, "%any") || streq(src, "0.0.0.0"))
+	err_t ugh = NULL;
+
+	*id = empty_id;
+
+	if (myid_ok && streq("%myid", src))
 	{
-	    /* any ID will be accepted */
-	    id->kind = ID_NONE;
+		id->kind = ID_MYID;
 	}
-	else
+	else if (strchr(src, '=') != NULL)
 	{
-	   /* !!! this test is not sufficient for distinguishing address families.
-	    * We need a notation to specify that a FQDN is to be resolved to IPv6.
-	    */
-	   const struct af_info *afi = strchr(src, ':') == NULL
-	? &af_inet4_info: &af_inet6_info;
-
-	   id->kind = afi->id_addr;
-	   ugh = ttoaddr(src, 0, afi->af, &id->ip_addr);
+		/* we interpret this as an ASCII X.501 ID_DER_ASN1_DN */
+		id->kind = ID_DER_ASN1_DN;
+		id->name.ptr = temporary_cyclic_buffer(); /* assign temporary buffer */
+		id->name.len = 0;
+		/* convert from LDAP style or openssl x509 -subject style to ASN.1 DN
+		 * discard optional @ character in front of DN
+		 */
+		ugh = atodn((*src == '@')?src+1:src, &id->name);
 	}
-    }
-    else
-    {
-	if (*src == '@')
+	else if (strchr(src, '@') == NULL)
 	{
-	    if (*(src+1) == '#')
-	    {
-		/* if there is a second specifier (#) on the line
-		 * we interprete this as ID_KEY_ID
-		 */
-		id->kind = ID_KEY_ID;
-		id->name.ptr = src;
-		/* discard @~, convert from hex to bin */
-		ugh = ttodata(src+2, 0, 16, id->name.ptr, strlen(src), &id->name.len);
-	    }
-	    else if (*(src+1) == '~')
-	    {
-		/* if there is a second specifier (~) on the line
-		* we interprete this as a binary ID_DER_ASN1_DN
-		*/
-		id->kind = ID_DER_ASN1_DN;
-		id->name.ptr = src;
-		/* discard @~, convert from hex to bin */
-		ugh = ttodata(src+2, 0, 16, id->name.ptr, strlen(src), &id->name.len);
-	    }
-	    else
-	    {
-		id->kind = ID_FQDN;
-		id->name.ptr = src+1;	/* discard @ */
-		id->name.len = strlen(src)-1;
-	    }
+		if (streq(src, "%any") || streq(src, "0.0.0.0"))
+		{
+			/* any ID will be accepted */
+			id->kind = ID_ANY;
+		}
+		else
+		{
+		   /* !!! this test is not sufficient for distinguishing address families.
+			* We need a notation to specify that a FQDN is to be resolved to IPv6.
+			*/
+		   const struct af_info *afi = strchr(src, ':') == NULL
+		? &af_inet4_info: &af_inet6_info;
+
+		   id->kind = afi->id_addr;
+		   ugh = ttoaddr(src, 0, afi->af, &id->ip_addr);
+		}
 	}
 	else
 	{
-	    /* We leave in @, as per DOI 4.6.2.4
-	     * (but DNS wants . instead).
-	     */
-	    id->kind = ID_USER_FQDN;
-	    id->name.ptr = src;
-	    id->name.len = strlen(src);
+		if (*src == '@')
+		{
+			if (*(src+1) == '#')
+			{
+				/* if there is a second specifier (#) on the line
+				 * we interprete this as ID_KEY_ID
+				 */
+				id->kind = ID_KEY_ID;
+				id->name.ptr = src;
+				/* discard @~, convert from hex to bin */
+				ugh = ttodata(src+2, 0, 16, id->name.ptr, strlen(src), &id->name.len);
+			}
+			else if (*(src+1) == '~')
+			{
+				/* if there is a second specifier (~) on the line
+				* we interprete this as a binary ID_DER_ASN1_DN
+				*/
+				id->kind = ID_DER_ASN1_DN;
+				id->name.ptr = src;
+				/* discard @~, convert from hex to bin */
+				ugh = ttodata(src+2, 0, 16, id->name.ptr, strlen(src), &id->name.len);
+			}
+			else
+			{
+				id->kind = ID_FQDN;
+				id->name.ptr = src+1;   /* discard @ */
+				id->name.len = strlen(src)-1;
+			}
+		}
+		else
+		{
+			/* We leave in @, as per DOI 4.6.2.4
+			 * (but DNS wants . instead).
+			 */
+			id->kind = ID_USER_FQDN;
+			id->name.ptr = src;
+			id->name.len = strlen(src);
+		}
 	}
-    }
-    return ugh;
+	return ugh;
 }
 
 
@@ -241,72 +255,72 @@ atoid(char *src, struct id *id, bool myid_ok)
 int
 keyidtoa(char *dst, size_t dstlen, chunk_t keyid)
 {
-    int n = datatot(keyid.ptr, keyid.len, 'x', dst, dstlen);
-    return (((size_t)n < dstlen)? n : dstlen) - 1;
+	int n = datatot(keyid.ptr, keyid.len, 'x', dst, dstlen);
+	return (((size_t)n < dstlen)? n : dstlen) - 1;
 }
 
 void
 iptoid(const ip_address *ip, struct id *id)
 {
-    *id = empty_id;
-
-    switch (addrtypeof(ip))
-    {
-    case AF_INET:
-	id->kind = ID_IPV4_ADDR;
-	break;
-    case AF_INET6:
-	id->kind = ID_IPV6_ADDR;
-	break;
-    default:
-	bad_case(addrtypeof(ip));
-    }
-    id->ip_addr = *ip;
+	*id = empty_id;
+
+	switch (addrtypeof(ip))
+	{
+	case AF_INET:
+		id->kind = ID_IPV4_ADDR;
+		break;
+	case AF_INET6:
+		id->kind = ID_IPV6_ADDR;
+		break;
+	default:
+		bad_case(addrtypeof(ip));
+	}
+	id->ip_addr = *ip;
 }
 
 int
 idtoa(const struct id *id, char *dst, size_t dstlen)
 {
-    int n;
-
-    id = resolve_myid(id);
-    switch (id->kind)
-    {
-    case ID_NONE:
-	n = snprintf(dst, dstlen, "(none)");
-	break;
-    case ID_IPV4_ADDR:
-    case ID_IPV6_ADDR:
-	n = (int)addrtot(&id->ip_addr, 0, dst, dstlen) - 1;
-	break;
-    case ID_FQDN:
-	n = snprintf(dst, dstlen, "@%.*s", (int)id->name.len, id->name.ptr);
-	break;
-    case ID_USER_FQDN:
-	n = snprintf(dst, dstlen, "%.*s", (int)id->name.len, id->name.ptr);
-	break;
-    case ID_DER_ASN1_DN:
-	n = dntoa(dst, dstlen, id->name);
-	break;
-    case ID_KEY_ID:
-	n = keyidtoa(dst, dstlen, id->name);
-	break;
-    default:
-	n = snprintf(dst, dstlen, "unknown id kind %d", id->kind);
-	break;
-    }
-
-    /* "Sanitize" string so that log isn't endangered:
-     * replace unprintable characters with '?'.
-     */
-    if (n > 0)
-    {
-	for ( ; *dst != '\0'; dst++)
-	    if (!isprint(*dst))
-		*dst = '?';
-    }
-
-    return n;
+	int n;
+
+	id = resolve_myid(id);
+	switch (id->kind)
+	{
+	case ID_ANY:
+		n = snprintf(dst, dstlen, "(none)");
+		break;
+	case ID_IPV4_ADDR:
+	case ID_IPV6_ADDR:
+		n = (int)addrtot(&id->ip_addr, 0, dst, dstlen) - 1;
+		break;
+	case ID_FQDN:
+		n = snprintf(dst, dstlen, "@%.*s", (int)id->name.len, id->name.ptr);
+		break;
+	case ID_USER_FQDN:
+		n = snprintf(dst, dstlen, "%.*s", (int)id->name.len, id->name.ptr);
+		break;
+	case ID_DER_ASN1_DN:
+		n = dntoa(dst, dstlen, id->name);
+		break;
+	case ID_KEY_ID:
+		n = keyidtoa(dst, dstlen, id->name);
+		break;
+	default:
+		n = snprintf(dst, dstlen, "unknown id kind %d", id->kind);
+		break;
+	}
+
+	/* "Sanitize" string so that log isn't endangered:
+	 * replace unprintable characters with '?'.
+	 */
+	if (n > 0)
+	{
+		for ( ; *dst != '\0'; dst++)
+			if (!isprint(*dst))
+				*dst = '?';
+	}
+
+	return n;
 }
 
 /* Replace the shell metacharacters ', \, ", `, and $ in a character string
@@ -315,26 +329,26 @@ idtoa(const struct id *id, char *dst, size_t dstlen)
 void
 escape_metachar(const char *src, char *dst, size_t dstlen)
 {
-    while (*src != '\0' && dstlen > 4)
-    {
-	switch (*src)
+	while (*src != '\0' && dstlen > 4)
 	{
-	case '\'':
-	case '\\':
-	case '"':
-	case '`':
-	case '$':
-	    sprintf(dst,"\\%s%o", (*src < 64)?"0":"", *src);
-	    dst += 4;
-	    dstlen -= 4;
-	    break;
-	default:
-	    *dst++ = *src;
-	    dstlen--;
+		switch (*src)
+		{
+		case '\'':
+		case '\\':
+		case '"':
+		case '`':
+		case '$':
+			sprintf(dst,"\\%s%o", (*src < 64)?"0":"", *src);
+			dst += 4;
+			dstlen -= 4;
+			break;
+		default:
+			*dst++ = *src;
+			dstlen--;
+		}
+		src++;
 	}
-	src++;
-    }
-    *dst = '\0';
+	*dst = '\0';
 }
 
 
@@ -344,126 +358,126 @@ escape_metachar(const char *src, char *dst, size_t dstlen)
 void
 unshare_id_content(struct id *id)
 {
-    switch (id->kind)
-    {
-    case ID_FQDN:
-    case ID_USER_FQDN:
-    case ID_DER_ASN1_DN:
-    case ID_KEY_ID:
-	id->name.ptr = clone_bytes(id->name.ptr, id->name.len, "keep id name");
-	break;
-    case ID_MYID:
-    case ID_NONE:
-    case ID_IPV4_ADDR:
-    case ID_IPV6_ADDR:
-	break;
-    default:
-	bad_case(id->kind);
-    }
+	switch (id->kind)
+	{
+	case ID_FQDN:
+	case ID_USER_FQDN:
+	case ID_DER_ASN1_DN:
+	case ID_KEY_ID:
+		id->name = chunk_clone(id->name);
+		break;
+	case ID_MYID:
+	case ID_ANY:
+	case ID_IPV4_ADDR:
+	case ID_IPV6_ADDR:
+		break;
+	default:
+		bad_case(id->kind);
+	}
 }
 
 void
 free_id_content(struct id *id)
 {
-    switch (id->kind)
-    {
-    case ID_FQDN:
-    case ID_USER_FQDN:
-    case ID_DER_ASN1_DN:
-    case ID_KEY_ID:
-	freeanychunk(id->name);
-	break;
-    case ID_MYID:
-    case ID_NONE:
-    case ID_IPV4_ADDR:
-    case ID_IPV6_ADDR:
-	break;
-    default:
-	bad_case(id->kind);
-    }
+	switch (id->kind)
+	{
+	case ID_FQDN:
+	case ID_USER_FQDN:
+	case ID_DER_ASN1_DN:
+	case ID_KEY_ID:
+		free(id->name.ptr);
+		break;
+	case ID_MYID:
+	case ID_ANY:
+	case ID_IPV4_ADDR:
+	case ID_IPV6_ADDR:
+		break;
+	default:
+		bad_case(id->kind);
+	}
 }
 
 /* compare two struct id values */
 bool
 same_id(const struct id *a, const struct id *b)
 {
-    a = resolve_myid(a);
-    b = resolve_myid(b);
-    if (a->kind != b->kind)
-	return FALSE;
-    switch (a->kind)
-    {
-    case ID_NONE:
-	return TRUE;	/* kind of vacuous */
-
-    case ID_IPV4_ADDR:
-    case ID_IPV6_ADDR:
-	return sameaddr(&a->ip_addr, &b->ip_addr);
-
-    case ID_FQDN:
-    case ID_USER_FQDN:
-	/* assumptions:
-	 * - case should be ignored
-	 * - trailing "." should be ignored (even if the only character?)
-	 */
+	a = resolve_myid(a);
+	b = resolve_myid(b);
+	if (a->kind != b->kind)
+		return FALSE;
+	switch (a->kind)
 	{
-	    size_t al = a->name.len
-		, bl = b->name.len;
-
-	    while (al > 0 && a->name.ptr[al - 1] == '.')
-		al--;
-	    while (bl > 0 && b->name.ptr[bl - 1] == '.')
-		bl--;
-	    return al == bl
-		&& strncasecmp(a->name.ptr, b->name.ptr, al) == 0;
-	}
+	case ID_ANY:
+		return TRUE;    /* kind of vacuous */
+
+	case ID_IPV4_ADDR:
+	case ID_IPV6_ADDR:
+		return sameaddr(&a->ip_addr, &b->ip_addr);
+
+	case ID_FQDN:
+	case ID_USER_FQDN:
+		/* assumptions:
+		 * - case should be ignored
+		 * - trailing "." should be ignored (even if the only character?)
+		 */
+		{
+			size_t al = a->name.len
+				, bl = b->name.len;
+
+			while (al > 0 && a->name.ptr[al - 1] == '.')
+				al--;
+			while (bl > 0 && b->name.ptr[bl - 1] == '.')
+				bl--;
+			return al == bl
+				&& strncasecmp(a->name.ptr, b->name.ptr, al) == 0;
+		}
 
-    case ID_DER_ASN1_DN:
-	return same_dn(a->name, b->name);
+	case ID_DER_ASN1_DN:
+		return same_dn(a->name, b->name);
 
-    case ID_KEY_ID:
-	return a->name.len == b->name.len
-	    && memcmp(a->name.ptr, b->name.ptr, a->name.len) == 0;
+	case ID_KEY_ID:
+		return a->name.len == b->name.len
+			&& memeq(a->name.ptr, b->name.ptr, a->name.len);
 
-    default:
-	bad_case(a->kind);
-    }
-    return FALSE;
+	default:
+		bad_case(a->kind);
+	}
+	return FALSE;
 }
 
 /* compare two struct id values, DNs can contain wildcards */
 bool
 match_id(const struct id *a, const struct id *b, int *wildcards)
 {
-    if (b->kind == ID_NONE)
-    {
-	*wildcards = MAX_WILDCARDS;
-	return TRUE;
-    }
-    if (a->kind != b->kind)
-	return FALSE;
-    if (a->kind == ID_DER_ASN1_DN)
-	return match_dn(a->name, b->name, wildcards);
-    else
-    {
-	*wildcards = 0;
-	return same_id(a, b);
-    }
+	if (b->kind == ID_ANY)
+	{
+		*wildcards = MAX_WILDCARDS;
+		return TRUE;
+	}
+	if (a->kind != b->kind)
+		return FALSE;
+	if (a->kind == ID_DER_ASN1_DN)
+		return match_dn(a->name, b->name, wildcards);
+	else
+	{
+		*wildcards = 0;
+		return same_id(a, b);
+	}
 }
 
 /* count the numer of wildcards in an id */
 int
 id_count_wildcards(const struct id *id)
 {
-    switch (id->kind)
-    {
-    case ID_NONE:
-	return MAX_WILDCARDS;
-    case ID_DER_ASN1_DN:
-	return dn_count_wildcards(id->name);
-    default:
-	return 0;
-    }
+	switch (id->kind)
+	{
+	case ID_ANY:
+		return MAX_WILDCARDS;
+	case ID_DER_ASN1_DN:
+		return dn_count_wildcards(id->name);
+	default:
+		return 0;
+	}
 }
 
 /* build an ID payload
@@ -474,31 +488,31 @@ id_count_wildcards(const struct id *id)
 void
 build_id_payload(struct isakmp_ipsec_id *hd, chunk_t *tl, struct end *end)
 {
-    const struct id *id = resolve_myid(&end->id);
-
-    zero(hd);
-    hd->isaiid_idtype = id->kind;
-    switch (id->kind)
-    {
-    case ID_NONE:
-	hd->isaiid_idtype = aftoinfo(addrtypeof(&end->host_addr))->id_addr;
-	tl->len = addrbytesptr(&end->host_addr
-	    , (const unsigned char **)&tl->ptr);	/* sets tl->ptr too */
-	break;
-    case ID_FQDN:
-    case ID_USER_FQDN:
-    case ID_DER_ASN1_DN:
-    case ID_KEY_ID:
-	*tl = id->name;
-	break;
-    case ID_IPV4_ADDR:
-    case ID_IPV6_ADDR:
-	tl->len = addrbytesptr(&id->ip_addr
-	    , (const unsigned char **)&tl->ptr);	/* sets tl->ptr too */
-	break;
-    default:
-	bad_case(id->kind);
-    }
+	const struct id *id = resolve_myid(&end->id);
+
+	zero(hd);
+	hd->isaiid_idtype = id->kind;
+	switch (id->kind)
+	{
+	case ID_ANY:
+		hd->isaiid_idtype = aftoinfo(addrtypeof(&end->host_addr))->id_addr;
+		tl->len = addrbytesptr(&end->host_addr
+			, (const unsigned char **)&tl->ptr);        /* sets tl->ptr too */
+		break;
+	case ID_FQDN:
+	case ID_USER_FQDN:
+	case ID_DER_ASN1_DN:
+	case ID_KEY_ID:
+		*tl = id->name;
+		break;
+	case ID_IPV4_ADDR:
+	case ID_IPV6_ADDR:
+		tl->len = addrbytesptr(&id->ip_addr
+			, (const unsigned char **)&tl->ptr);        /* sets tl->ptr too */
+		break;
+	default:
+		bad_case(id->kind);
+	}
 }
 
 /*
diff --git a/src/pluto/id.h b/src/pluto/id.h
index 185c17f20..dc2dcdfa6 100644
--- a/src/pluto/id.h
+++ b/src/pluto/id.h
@@ -10,8 +10,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: id.h 3252 2007-10-06 21:24:50Z andreas $
  */
 
 #ifndef _ID_H
@@ -20,25 +18,25 @@
 #include "defs.h"
 
 struct id {
-    int kind;		/* ID_* value */
-    ip_address ip_addr;	/* ID_IPV4_ADDR, ID_IPV6_ADDR */
-    chunk_t name;	/* ID_FQDN, ID_USER_FQDN (with @) */
-			/* ID_KEY_ID, ID_DER_ASN_DN       */
+	int kind;           /* ID_* value */
+	ip_address ip_addr; /* ID_IPV4_ADDR, ID_IPV6_ADDR */
+	chunk_t name;       /* ID_FQDN, ID_USER_FQDN (with @) */
+						/* ID_KEY_ID, ID_DER_ASN_DN       */
 };
 
 extern void init_id(void);
-
-extern const struct id empty_id;	/* ID_NONE */
+extern void free_id(void);
+extern const struct id empty_id;        /* ID_NONE */
 
 enum myid_state {
-    MYID_UNKNOWN,	/* not yet figured out */
-    MYID_HOSTNAME,	/* our current hostname */
-    MYID_IP,	/* our default IP address */
-    MYID_SPECIFIED	/* as specified by ipsec.conf */
+	MYID_UNKNOWN,       /* not yet figured out */
+	MYID_HOSTNAME,      /* our current hostname */
+	MYID_IP,            /* our default IP address */
+	MYID_SPECIFIED      /* as specified by ipsec.conf */
 };
 
 extern enum myid_state myid_state;
-extern struct id myids[MYID_SPECIFIED+1];	/* %myid */
+extern struct id myids[MYID_SPECIFIED+1];       /* %myid */
 extern char *myid_str[MYID_SPECIFIED+1];      /* strings */
 extern void set_myid(enum myid_state s, char *);
 extern void show_myid_status(void);
@@ -49,19 +47,19 @@ extern err_t atoid(char *src, struct id *id, bool myid_ok);
 extern int keyidtoa(char *dst, size_t dstlen, chunk_t keyid);
 extern void iptoid(const ip_address *ip, struct id *id);
 extern int idtoa(const struct id *id, char *dst, size_t dstlen);
-#define IDTOA_BUF	512
+#define IDTOA_BUF       512
 extern void escape_metachar(const char *src, char *dst, size_t dstlen);
-struct end;	/* forward declaration of tag (defined in connections.h) */
+struct end;     /* forward declaration of tag (defined in connections.h) */
 extern void unshare_id_content(struct id *id);
 extern void free_id_content(struct id *id);
 extern bool same_id(const struct id *a, const struct id *b);
-#define MAX_WILDCARDS	15
+#define MAX_WILDCARDS   15
 extern bool match_id(const struct id *a, const struct id *b, int *wildcards);
 extern int id_count_wildcards(const struct id *id);
 #define id_is_ipaddr(id) ((id)->kind == ID_IPV4_ADDR || (id)->kind == ID_IPV6_ADDR)
 
-struct isakmp_ipsec_id;	/* forward declaration of tag (defined in packet.h) */
+struct isakmp_ipsec_id; /* forward declaration of tag (defined in packet.h) */
 extern void
-    build_id_payload(struct isakmp_ipsec_id *hd, chunk_t *tl, struct end *end);
+	build_id_payload(struct isakmp_ipsec_id *hd, chunk_t *tl, struct end *end);
 
 #endif /* _ID_H */
diff --git a/src/pluto/ike_alg.c b/src/pluto/ike_alg.c
index 6759059fa..f833f85b5 100644
--- a/src/pluto/ike_alg.c
+++ b/src/pluto/ike_alg.c
@@ -1,5 +1,6 @@
 /* IKE modular algorithm handling interface
- * Author: JuanJo Ciarlante <jjo-ipsec@mendoza.gov.ar>
+ * Copyright (C) JuanJo Ciarlante <jjo-ipsec@mendoza.gov.ar>
+ * Copyright (C) 2009 Andreas Steffen - Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -10,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: ike_alg.c 3686 2008-03-28 11:48:14Z martin $
  */
 
 #include <stdio.h>
@@ -21,16 +20,19 @@
 #include <sys/queue.h>
 
 #include <freeswan.h>
-#include <ipsec_policy.h>
+
+#include <library.h>
+#include <debug.h>
+#include <crypto/hashers/hasher.h>
+#include <crypto/crypters/crypter.h>
+#include <crypto/prfs/prf.h>
 
 #include "constants.h"
 #include "defs.h"
-#include "sha1.h"
-#include "md5.h"
 #include "crypto.h"
-
 #include "state.h"
 #include "packet.h"
+#include "keys.h"
 #include "log.h"
 #include "whack.h"
 #include "spdb.h"
@@ -42,7 +44,7 @@
 
 #define return_on(var, val) do { var=val;goto return_out; } while(0);
 
-/*
+/**
  * IKE algorithm list handling - registration and lookup
  */
 
@@ -50,540 +52,371 @@
 
 static struct ike_alg *ike_alg_base[IKE_ALG_MAX+1] = {NULL, NULL};
 
-/*
- * return ike_algo object by {type, id}
+/**
+ * Return ike_algo object by {type, id}
  */
-static struct ike_alg *
-ike_alg_find(u_int algo_type, u_int algo_id, u_int keysize __attribute__((unused)))
+static struct ike_alg *ike_alg_find(u_int algo_type, u_int algo_id,
+									u_int keysize __attribute__((unused)))
 {
-    struct ike_alg *e = ike_alg_base[algo_type];
+	struct ike_alg *e = ike_alg_base[algo_type];
 
-    while (e != NULL && algo_id > e->algo_id)
-    {
-	e = e->algo_next;
-    }
-    return (e != NULL && e->algo_id == algo_id) ? e : NULL;
+	while (e != NULL && algo_id > e->algo_id)
+	{
+		e = e->algo_next;
+	}
+	return (e != NULL && e->algo_id == algo_id) ? e : NULL;
 }
 
-/*
+/**
  * "raw" ike_alg list adding function
  */
-int
-ike_alg_add(struct ike_alg* a)
+int ike_alg_add(struct ike_alg* a)
 {
-    if (a->algo_type > IKE_ALG_MAX)
-    {
-	plog("ike_alg: Not added, invalid algorithm type");
-	return -EINVAL;
-    }
-
-    if (ike_alg_find(a->algo_type, a->algo_id, 0) != NULL)
-    {
-	plog("ike_alg: Not added, algorithm already exists");
-	return -EEXIST;
-    }
-
-    {
-	struct ike_alg **ep = &ike_alg_base[a->algo_type];
-	struct ike_alg *e = *ep;
-
-	while (e != NULL && a->algo_id > e->algo_id)
+	if (a->algo_type > IKE_ALG_MAX)
 	{
-	    ep = &e->algo_next;
-	    e = *ep;
+		plog("ike_alg: Not added, invalid algorithm type");
+		return -EINVAL;
 	}
-	*ep = a;
-	a->algo_next = e;
-	return 0;
-    }
-}
 
-/*
- * get IKE hash algorithm
- */
-struct hash_desc *ike_alg_get_hasher(u_int alg)
-{
-    return (struct hash_desc *) ike_alg_find(IKE_ALG_HASH, alg, 0);
-}
+	if (ike_alg_find(a->algo_type, a->algo_id, 0) != NULL)
+	{
+		plog("ike_alg: Not added, algorithm already exists");
+		return -EEXIST;
+	}
 
-/*
- * get IKE encryption algorithm
- */
-struct encrypt_desc *ike_alg_get_encrypter(u_int alg)
-{
-    return (struct encrypt_desc *) ike_alg_find(IKE_ALG_ENCRYPT, alg, 0);
-}
+	{
+		struct ike_alg **ep = &ike_alg_base[a->algo_type];
+		struct ike_alg *e = *ep;
 
-/*
- * check if IKE hash algorithm is present
- */
-bool
-ike_alg_hash_present(u_int halg)
-{
-    return ike_alg_get_hasher(halg) != NULL;
+		while (e != NULL && a->algo_id > e->algo_id)
+		{
+			ep = &e->algo_next;
+			e = *ep;
+		}
+		*ep = a;
+		a->algo_next = e;
+		return 0;
+	}
 }
 
-/*
- * check if IKE encryption algorithm is present
+/**
+ * Get IKE hash algorithm
  */
-bool
-ike_alg_enc_present(u_int ealg)
+struct hash_desc *ike_alg_get_hasher(u_int alg)
 {
-    return ike_alg_get_encrypter(ealg) != NULL;
+	return (struct hash_desc *) ike_alg_find(IKE_ALG_HASH, alg, 0);
 }
 
-/*
- * Validate and register IKE hash algorithm object
+/**
+ * Get IKE encryption algorithm
  */
-int
-ike_alg_register_hash(struct hash_desc *hash_desc)
+struct encrypt_desc *ike_alg_get_crypter(u_int alg)
 {
-    const char *alg_name = NULL;
-    int ret = 0;
-
-    if (hash_desc->algo_id > OAKLEY_HASH_MAX)
-    {
-	plog ("ike_alg: hash alg=%d > max=%d"
-		, hash_desc->algo_id, OAKLEY_HASH_MAX);
-	return_on(ret,-EINVAL);
-    }
-
-    if (hash_desc->hash_ctx_size > sizeof (union hash_ctx))
-    {
-	plog ("ike_alg: hash alg=%d has ctx_size=%d > hash_ctx=%d"
-	      , hash_desc->algo_id
-	      , (int)hash_desc->hash_ctx_size
-	      , (int)sizeof (union hash_ctx));
-	return_on(ret,-EOVERFLOW);
-    }
-
-    if (!(hash_desc->hash_init && hash_desc->hash_update && hash_desc->hash_final))
-    {
-	plog ("ike_alg: hash alg=%d needs hash_init(), hash_update() and hash_final()"
-	      , hash_desc->algo_id);
-	return_on(ret,-EINVAL);
-    }
-	
-    alg_name = enum_name(&oakley_hash_names, hash_desc->algo_id);
-    if (!alg_name)
-    {
-	plog ("ike_alg: hash alg=%d not found in constants.c:oakley_hash_names"
-	      , hash_desc->algo_id);
-	alg_name = "<NULL>";
-    }
-
-return_out:
-    if (ret == 0)
-	ret = ike_alg_add((struct ike_alg *)hash_desc);
-
-    plog("ike_alg: Activating %s hash: %s"
-	,alg_name, ret == 0 ? "Ok" : "FAILED");
-
-    return ret;
+	return (struct encrypt_desc *) ike_alg_find(IKE_ALG_ENCRYPT, alg, 0);
 }
 
-/*
- * Validate and register IKE encryption algorithm object
+/**
+ * Get IKE dh group
  */
-int
-ike_alg_register_enc(struct encrypt_desc *enc_desc)
+struct dh_desc *ike_alg_get_dh_group(u_int alg)
 {
-    int ret = ike_alg_add((struct ike_alg *)enc_desc);
-
-    const char *alg_name = enum_name(&oakley_enc_names, enc_desc->algo_id);
-
-    char alg_number[20];
-    
-    /* algorithm is not listed in oakley_enc_names */
-    if (alg_name == NULL)
-    {
-	snprintf(alg_number, sizeof(alg_number), "OAKLEY_ID_%d"
-	    , enc_desc->algo_id);
-	alg_name = alg_number;
-    }
-
-    plog("ike_alg: Activating %s encryption: %s"
-	, alg_name, ret == 0 ? "Ok" : "FAILED");
-
-    return ret;
+	return (struct dh_desc *) ike_alg_find(IKE_ALG_DH_GROUP, alg, 0);
 }
 
-/*
+/**
  * Get pfsgroup for this connection
  */
-const struct oakley_group_desc *
-ike_alg_pfsgroup(struct connection *c, lset_t policy)
+const struct dh_desc *ike_alg_pfsgroup(struct connection *c, lset_t policy)
 {
-    const struct oakley_group_desc * ret = NULL;
+	const struct dh_desc *ret = NULL;
 
-    if ((policy & POLICY_PFS)
-    && c->alg_info_esp
-    && c->alg_info_esp->esp_pfsgroup)
-	ret = lookup_group(c->alg_info_esp->esp_pfsgroup);
-    return ret;
+	if ((policy & POLICY_PFS) &&
+		c->alg_info_esp && c->alg_info_esp->esp_pfsgroup)
+	{
+		ret = ike_alg_get_dh_group(c->alg_info_esp->esp_pfsgroup);
+	}
+	return ret;
 }
 
-/*
+/**
  * Create an OAKLEY proposal based on alg_info and policy
  */
-struct db_context *
-ike_alg_db_new(struct alg_info_ike *ai , lset_t policy)
+struct db_context *ike_alg_db_new(struct connection *c, lset_t policy)
 {
-    struct db_context *db_ctx = NULL;
-    struct ike_info *ike_info;
-    struct encrypt_desc *enc_desc;
-    u_int ealg, halg, modp, eklen = 0;
-    int i;
-
-    bool is_xauth_server = (policy & POLICY_XAUTH_SERVER) != LEMPTY;
-
-    if (!ai)
-    {
-	whack_log(RC_LOG_SERIOUS, "no IKE algorithms "
-				  "for this connection "
-				  "(check ike algorithm string)");
-	goto fail;
-    }
-    policy &= POLICY_ID_AUTH_MASK;
-    db_ctx = db_prop_new(PROTO_ISAKMP, 8, 8 * 5);
-
-    /* for each group */
-    ALG_INFO_IKE_FOREACH(ai, ike_info, i)
-    {
-	ealg = ike_info->ike_ealg;
-	halg = ike_info->ike_halg;
-	modp = ike_info->ike_modp;
-	eklen= ike_info->ike_eklen;
-
-	if (!ike_alg_enc_present(ealg))
-	{
-	    DBG_log("ike_alg: ike enc ealg=%d not present"
-		    , ealg);
-	    continue;
-	}
-
-	if (!ike_alg_hash_present(halg)) 
-	{
-	    DBG_log("ike_alg: ike hash halg=%d not present"
-		    , halg);
-	    continue;
-	}
+	struct alg_info_ike *ai = c->alg_info_ike;
+	struct db_context *db_ctx = NULL;
+	struct ike_info *ike_info;
+	struct encrypt_desc *enc_desc;
+	u_int ealg, halg, modp, eklen = 0;
+	int i;
 
-	enc_desc = ike_alg_get_encrypter(ealg);
-	passert(enc_desc != NULL);
+	bool is_xauth_server = (policy & POLICY_XAUTH_SERVER) != LEMPTY;
 
-	if (eklen
-	&& (eklen < enc_desc->keyminlen || eklen >  enc_desc->keymaxlen))
+	if (!ai)
 	{
-	    DBG_log("ike_alg: ealg=%d (specified) keylen:%d, not valid min=%d, max=%d"
-		    , ealg
-		    , eklen
-		    , enc_desc->keyminlen
-		    , enc_desc->keymaxlen
-	    );
-	    continue;
+		whack_log(RC_LOG_SERIOUS, "no IKE algorithms "
+								  "for this connection "
+								  "(check ike algorithm string)");
+		goto fail;
 	}
+	policy &= POLICY_ID_AUTH_MASK;
+	db_ctx = db_prop_new(PROTO_ISAKMP, 8, 8 * 5);
 
-	if (policy & POLICY_RSASIG)
+	/* for each group */
+	ALG_INFO_IKE_FOREACH(ai, ike_info, i)
 	{
-	    db_trans_add(db_ctx, KEY_IKE);
-	    db_attr_add_values(db_ctx, OAKLEY_ENCRYPTION_ALGORITHM, ealg);
-	    db_attr_add_values(db_ctx, OAKLEY_HASH_ALGORITHM, halg);
-	    if (eklen)
-		db_attr_add_values(db_ctx, OAKLEY_KEY_LENGTH, eklen);
-	    db_attr_add_values(db_ctx, OAKLEY_AUTHENTICATION_METHOD, OAKLEY_RSA_SIG);
-	    db_attr_add_values(db_ctx, OAKLEY_GROUP_DESCRIPTION, modp);
-	}
+		ealg = ike_info->ike_ealg;
+		halg = ike_info->ike_halg;
+		modp = ike_info->ike_modp;
+		eklen= ike_info->ike_eklen;
 
-	if (policy & POLICY_PSK)
-	{
-	    db_trans_add(db_ctx, KEY_IKE);
-	    db_attr_add_values(db_ctx, OAKLEY_ENCRYPTION_ALGORITHM, ealg);
-	    db_attr_add_values(db_ctx, OAKLEY_HASH_ALGORITHM, halg);
-	    if (eklen)
-		db_attr_add_values(db_ctx, OAKLEY_KEY_LENGTH, eklen);
-	    db_attr_add_values(db_ctx, OAKLEY_AUTHENTICATION_METHOD, OAKLEY_PRESHARED_KEY);
-	    db_attr_add_values(db_ctx, OAKLEY_GROUP_DESCRIPTION, modp);
-	}
+		if (!ike_alg_get_crypter(ealg))
+		{
+			plog("ike alg: crypter %s not present",
+					enum_show(&oakley_enc_names, ealg));
+			continue;
+		}
+		if (!ike_alg_get_hasher(halg)) 
+		{
+			plog("ike alg: hasher %s not present",
+					enum_show(&oakley_hash_names, halg));
+			continue;
+		}
+		if (!ike_alg_get_dh_group(modp)) 
+		{
+			plog("ike alg: dh group %s not present",
+					enum_show(&oakley_group_names, modp));
+			continue;
+		}
+		enc_desc = ike_alg_get_crypter(ealg);
 
-	if (policy & POLICY_XAUTH_RSASIG)
-	{
-	    db_trans_add(db_ctx, KEY_IKE);
-	    db_attr_add_values(db_ctx, OAKLEY_ENCRYPTION_ALGORITHM, ealg);
-	    db_attr_add_values(db_ctx, OAKLEY_HASH_ALGORITHM, halg);
-	    if (eklen)
-		db_attr_add_values(db_ctx, OAKLEY_KEY_LENGTH, eklen);
-	    db_attr_add_values(db_ctx, OAKLEY_AUTHENTICATION_METHOD
-		, is_xauth_server ? XAUTHRespRSA : XAUTHInitRSA);
-	    db_attr_add_values(db_ctx, OAKLEY_GROUP_DESCRIPTION, modp);
-	}
+		if (policy & POLICY_PUBKEY)
+		{
+			int auth_method = 0;
+			private_key_t *key = get_private_key(c);
+
+			if (key == NULL)
+			{
+				plog("ike alg: unable to locate my private key");
+				continue;
+			}
+			switch (key->get_type(key))
+			{
+				case KEY_RSA:
+					auth_method = OAKLEY_RSA_SIG;
+					break;
+				case KEY_ECDSA:
+					switch (key->get_keysize(key))
+					{
+						case 32:
+							auth_method = OAKLEY_ECDSA_256;
+							break;
+						case 48:
+							auth_method = OAKLEY_ECDSA_384;
+							break;
+						case 66:
+							auth_method = OAKLEY_ECDSA_521;
+							break;
+						default:
+							continue;
+					}
+					break;
+				default:
+					continue;
+			}
+			db_trans_add(db_ctx, KEY_IKE);
+			db_attr_add_values(db_ctx, OAKLEY_ENCRYPTION_ALGORITHM, ealg);
+			db_attr_add_values(db_ctx, OAKLEY_HASH_ALGORITHM, halg);
+			if (eklen)
+			{
+				db_attr_add_values(db_ctx, OAKLEY_KEY_LENGTH, eklen);
+			}
+			db_attr_add_values(db_ctx, OAKLEY_AUTHENTICATION_METHOD, auth_method);
+			db_attr_add_values(db_ctx, OAKLEY_GROUP_DESCRIPTION, modp);
+		}
 
-	if (policy & POLICY_XAUTH_PSK)
-	{
-	    db_trans_add(db_ctx, KEY_IKE);
-	    db_attr_add_values(db_ctx, OAKLEY_ENCRYPTION_ALGORITHM, ealg);
-	    db_attr_add_values(db_ctx, OAKLEY_HASH_ALGORITHM, halg);
-	    if (eklen)
-		db_attr_add_values(db_ctx, OAKLEY_KEY_LENGTH, eklen);
-	    db_attr_add_values(db_ctx, OAKLEY_AUTHENTICATION_METHOD
-		, is_xauth_server ? XAUTHRespPreShared : XAUTHInitPreShared);
-	    db_attr_add_values(db_ctx, OAKLEY_GROUP_DESCRIPTION, modp);
+		if (policy & POLICY_PSK)
+		{
+			db_trans_add(db_ctx, KEY_IKE);
+			db_attr_add_values(db_ctx, OAKLEY_ENCRYPTION_ALGORITHM, ealg);
+			db_attr_add_values(db_ctx, OAKLEY_HASH_ALGORITHM, halg);
+			if (eklen)
+			{
+				db_attr_add_values(db_ctx, OAKLEY_KEY_LENGTH, eklen);
+			}
+			db_attr_add_values(db_ctx, OAKLEY_AUTHENTICATION_METHOD, OAKLEY_PRESHARED_KEY);
+			db_attr_add_values(db_ctx, OAKLEY_GROUP_DESCRIPTION, modp);
+		}
+
+		if (policy & POLICY_XAUTH_RSASIG)
+		{
+			db_trans_add(db_ctx, KEY_IKE);
+			db_attr_add_values(db_ctx, OAKLEY_ENCRYPTION_ALGORITHM, ealg);
+			db_attr_add_values(db_ctx, OAKLEY_HASH_ALGORITHM, halg);
+			if (eklen)
+			{
+				db_attr_add_values(db_ctx, OAKLEY_KEY_LENGTH, eklen);
+			}
+			db_attr_add_values(db_ctx, OAKLEY_AUTHENTICATION_METHOD
+				, is_xauth_server ? XAUTHRespRSA : XAUTHInitRSA);
+			db_attr_add_values(db_ctx, OAKLEY_GROUP_DESCRIPTION, modp);
+		}
+
+		if (policy & POLICY_XAUTH_PSK)
+		{
+			db_trans_add(db_ctx, KEY_IKE);
+			db_attr_add_values(db_ctx, OAKLEY_ENCRYPTION_ALGORITHM, ealg);
+			db_attr_add_values(db_ctx, OAKLEY_HASH_ALGORITHM, halg);
+			if (eklen)
+			{
+				db_attr_add_values(db_ctx, OAKLEY_KEY_LENGTH, eklen);
+			}
+			db_attr_add_values(db_ctx, OAKLEY_AUTHENTICATION_METHOD
+				, is_xauth_server ? XAUTHRespPreShared : XAUTHInitPreShared);
+			db_attr_add_values(db_ctx, OAKLEY_GROUP_DESCRIPTION, modp);
+		}
 	}
-    }
 fail:
-    return db_ctx;
+	return db_ctx;
 }
 
-/*
+/**
  * Show registered IKE algorithms
  */
-void
-ike_alg_list(void)
+void ike_alg_list(void)
 {
-    u_int i;
-    struct ike_alg *a;
-
-    whack_log(RC_COMMENT, " ");
-    whack_log(RC_COMMENT, "List of registered IKE Encryption Algorithms:");
-    whack_log(RC_COMMENT, " ");
-
-    for (a = ike_alg_base[IKE_ALG_ENCRYPT]; a != NULL; a = a->algo_next)
-    {
-        struct encrypt_desc *desc = (struct encrypt_desc*)a;
-
-	whack_log(RC_COMMENT, "#%-5d %s, blocksize: %d, keylen: %d-%d-%d"
-	    , a->algo_id
-	    , enum_name(&oakley_enc_names, a->algo_id)
-	    , (int)desc->enc_blocksize*BITS_PER_BYTE
-	    , desc->keyminlen
-	    , desc->keydeflen
-	    , desc->keymaxlen
-	);
-    }
-
-    whack_log(RC_COMMENT, " ");
-    whack_log(RC_COMMENT, "List of registered IKE Hash Algorithms:");
-    whack_log(RC_COMMENT, " ");
-
-    for (a = ike_alg_base[IKE_ALG_HASH]; a != NULL; a = a->algo_next)
-    {
-	whack_log(RC_COMMENT, "#%-5d %s, hashsize: %d"
-	    , a->algo_id
-	    , enum_name(&oakley_hash_names, a->algo_id)
-	    , (int)((struct hash_desc *)a)->hash_digest_size*BITS_PER_BYTE
-	);
-    }
-
-    whack_log(RC_COMMENT, " ");
-    whack_log(RC_COMMENT, "List of registered IKE DH Groups:");
-    whack_log(RC_COMMENT, " ");
-
-    for (i = 0; i < elemsof(oakley_group); i++)
-    {
-	const struct oakley_group_desc *gdesc=oakley_group + i;
-
-	whack_log(RC_COMMENT, "#%-5d %s, groupsize: %d"
-	    , gdesc->group
-	    , enum_name(&oakley_group_names, gdesc->group)
-	    , (int)gdesc->bytes*BITS_PER_BYTE
-	);
-    }
-}
-
-/*  Show IKE algorithms for
- *    - this connection (result from ike= string)
- *    - newest SA
- */
-void
-ike_alg_show_connection(struct connection *c, const char *instance)
-{
-    char buf[256];
-    struct state *st;
-
-    if (c->alg_info_ike)
-    {
-	alg_info_snprint(buf, sizeof(buf)-1, (struct alg_info *)c->alg_info_ike);
-	whack_log(RC_COMMENT
-		, "\"%s\"%s:   IKE algorithms wanted: %s"
-		, c->name
-		, instance
-		, buf
-	);
-
-	alg_info_snprint_ike(buf, sizeof(buf)-1, c->alg_info_ike);
-	whack_log(RC_COMMENT
-		, "\"%s\"%s:   IKE algorithms found:  %s"
-		, c->name
-		, instance
-		, buf
-	);
-    }
-
-    st = state_with_serialno(c->newest_isakmp_sa);
-    if (st)
-	whack_log(RC_COMMENT
-		, "\"%s\"%s:   IKE algorithm newest: %s_%d-%s-%s"
-		, c->name
-		, instance
-		, enum_show(&oakley_enc_names, st->st_oakley.encrypt)
-		+7 /* strlen("OAKLEY_") */
-		/* , st->st_oakley.encrypter->keydeflen */
-		, st->st_oakley.enckeylen
-		, enum_show(&oakley_hash_names, st->st_oakley.hash)
-		+7 /* strlen("OAKLEY_") */
-		, enum_show(&oakley_group_names, st->st_oakley.group->group)
-		+13 /* strlen("OAKLEY_GROUP_") */
-	);
-}
-
-/*
- * Apply a suite of testvectors to a hash algorithm
- */
-static bool
-ike_hash_test(const struct hash_desc *desc)
-{
-    bool hash_results = TRUE;
-    bool hmac_results = TRUE;
-
-    if (desc->hash_testvectors == NULL)
-    {
-	plog("  %s hash self-test not available", enum_name(&oakley_hash_names, desc->algo_id));
-    }
-    else
-    {
-	int i;
+	char buf[BUF_LEN];
+	char *pos;
+	int n, len;
+	struct ike_alg *a;
+
+	whack_log(RC_COMMENT, " ");
+	whack_log(RC_COMMENT, "List of registered IKEv1 Algorithms:");
+	whack_log(RC_COMMENT, " ");
+
+	pos = buf;
+	*pos = '\0';
+	len = BUF_LEN;
+	for (a = ike_alg_base[IKE_ALG_ENCRYPT]; a != NULL; a = a->algo_next)
+	{
+	    n = snprintf(pos, len, " %s", enum_name(&oakley_enc_names, a->algo_id));
+		pos += n;
+		len -= n;
+		if (len <= 0)
+		{
+			break;
+		}
+	}
+	whack_log(RC_COMMENT, "  encryption:%s", buf);
 
-	for (i = 0; desc->hash_testvectors[i].msg_digest != NULL; i++)
+	pos = buf;
+	*pos = '\0';
+	len = BUF_LEN;
+	for (a = ike_alg_base[IKE_ALG_HASH]; a != NULL; a = a->algo_next)
 	{
-	    u_char digest[MAX_DIGEST_LEN];
-	    bool result;
-
-	    union hash_ctx ctx;
-
-	    desc->hash_init(&ctx);
-	    desc->hash_update(&ctx, desc->hash_testvectors[i].msg
-				   ,desc->hash_testvectors[i].msg_size);
-	    desc->hash_final(digest, &ctx);
-	    result = memcmp(digest, desc->hash_testvectors[i].msg_digest
-				  , desc->hash_digest_size) == 0;
-	    DBG(DBG_CRYPT,
-		DBG_log("  hash testvector %d: %s", i, result ? "ok":"failed")
-	    )
-	    hash_results &= result;
+	    n = snprintf(pos, len, " %s", enum_name(&oakley_hash_names, a->algo_id));
+		pos += n;
+		len -= n;
+		if (len <= 0)
+		{
+			break;
+		}
 	}
-	plog("  %s hash self-test %s", enum_name(&oakley_hash_names, desc->algo_id)
-				, hash_results ? "passed":"failed");
-    }
-
-    if (desc->hmac_testvectors == NULL)
-    {
-	plog("  %s hmac self-test not available", enum_name(&oakley_hash_names, desc->algo_id));
-    }
-    else
-    {
-	int i;
+	whack_log(RC_COMMENT, "  integrity: %s", buf);
 
-	for (i = 0; desc->hmac_testvectors[i].hmac != NULL; i++)
+	pos = buf;
+	*pos = '\0';
+	len = BUF_LEN;
+	for (a = ike_alg_base[IKE_ALG_DH_GROUP]; a != NULL; a = a->algo_next)
 	{
-	    u_char digest[MAX_DIGEST_LEN];
-	    bool result;
-
-	    struct hmac_ctx ctx;
-
-	    hmac_init(&ctx, desc, desc->hmac_testvectors[i].key
-				, desc->hmac_testvectors[i].key_size);
-	    hmac_update(&ctx, desc->hmac_testvectors[i].msg
-			     ,desc->hmac_testvectors[i].msg_size);
-	    hmac_final(digest, &ctx);
-	    result = memcmp(digest, desc->hmac_testvectors[i].hmac
-				  , desc->hash_digest_size) == 0;
-	    DBG(DBG_CRYPT,
-		DBG_log("  hmac testvector %d: %s", i, result ? "ok":"failed")
-	    )
-	    hmac_results &= result;
+	    n = snprintf(pos, len, " %s", enum_name(&oakley_group_names, a->algo_id));
+		pos += n;
+		len -= n;
+		if (len <= 0)
+		{
+			break;
+		}
 	}
-	plog("  %s hmac self-test %s", enum_name(&oakley_hash_names, desc->algo_id)
-				, hmac_results ? "passed":"failed");
-    }
-    return hash_results && hmac_results;
+	whack_log(RC_COMMENT, "  dh-group:  %s", buf);
 }
 
-/*
- * Apply test vectors to registered encryption and hash algorithms
+/**
+ * Show IKE algorithms for this connection (result from ike= string)
+ * and newest SA
  */
-bool
-ike_alg_test(void)
+void ike_alg_show_connection(struct connection *c, const char *instance)
 {
-    bool all_results = TRUE;
-    struct ike_alg *a;
-
-    plog("Testing registered IKE encryption algorithms:");
-
-    for (a = ike_alg_base[IKE_ALG_ENCRYPT]; a != NULL; a = a->algo_next)
-    {
-	plog("  %s self-test not available", enum_name(&oakley_enc_names, a->algo_id));
-    }
-
-    plog("Testing registered IKE hash algorithms:");
-
-    for (a = ike_alg_base[IKE_ALG_HASH]; a != NULL; a = a->algo_next)
-    {
-        struct hash_desc *desc = (struct hash_desc*)a;
+	struct state *st = state_with_serialno(c->newest_isakmp_sa);
 
-	all_results &= ike_hash_test(desc);
-    }
-
-    if (all_results)
-	plog("All crypto self-tests passed");
-    else
-	plog("Some crypto self-tests failed");
-    return all_results;
+	if (st)
+	{
+		if (st->st_oakley.encrypt == OAKLEY_3DES_CBC)
+		{
+			whack_log(RC_COMMENT,
+					"\"%s\"%s:   IKE proposal: %s/%s/%s",
+					c->name, instance,
+					enum_show(&oakley_enc_names, st->st_oakley.encrypt),
+					enum_show(&oakley_hash_names, st->st_oakley.hash),
+					enum_show(&oakley_group_names, st->st_oakley.group->algo_id)
+			);
+		}
+		else
+		{
+			whack_log(RC_COMMENT,
+					"\"%s\"%s:   IKE proposal: %s_%u/%s/%s",
+					c->name, instance,
+					enum_show(&oakley_enc_names, st->st_oakley.encrypt),
+					st->st_oakley.enckeylen,
+					enum_show(&oakley_hash_names, st->st_oakley.hash),
+					enum_show(&oakley_group_names, st->st_oakley.group->algo_id)
+			);
+		}
+	}
 }
 
-/*
+/**
  * ML: make F_STRICT logic consider enc,hash/auth,modp algorithms
  */
-bool
-ike_alg_ok_final(u_int ealg, u_int key_len, u_int aalg, u_int group
-, struct alg_info_ike *alg_info_ike)
+bool ike_alg_ok_final(u_int ealg, u_int key_len, u_int aalg, u_int group,
+					  struct alg_info_ike *alg_info_ike)
 {
-    /*
-     * simple test to discard low key_len, will accept it only
-     * if specified in "esp" string
-     */
-    bool ealg_insecure = (key_len < 128);
-
-    if (ealg_insecure
-    || (alg_info_ike && alg_info_ike->alg_info_flags & ALG_INFO_F_STRICT))
-    {
-	int i;
-	struct ike_info *ike_info;
-
-	if (alg_info_ike)
+	/*
+	 * simple test to discard low key_len, will accept it only
+	 * if specified in "esp" string
+	 */
+	bool ealg_insecure = (key_len < 128);
+
+	if (ealg_insecure
+	|| (alg_info_ike && alg_info_ike->alg_info_flags & ALG_INFO_F_STRICT))
 	{
-	    ALG_INFO_IKE_FOREACH(alg_info_ike, ike_info, i)
-	    {
-		if (ike_info->ike_ealg == ealg
-		&& (ike_info->ike_eklen == 0 || key_len == 0 || ike_info->ike_eklen == key_len)
-		&& ike_info->ike_halg == aalg
-		&& ike_info->ike_modp == group)
+		int i;
+		struct ike_info *ike_info;
+
+		if (alg_info_ike)
 		{
-		    if (ealg_insecure)
-			loglog(RC_LOG_SERIOUS, "You should NOT use insecure IKE algorithms (%s)!"
-				, enum_name(&oakley_enc_names, ealg));
-		    return TRUE;
+			ALG_INFO_IKE_FOREACH(alg_info_ike, ike_info, i)
+			{
+				if (ike_info->ike_ealg == ealg
+				&& (ike_info->ike_eklen == 0 || key_len == 0 || ike_info->ike_eklen == key_len)
+				&& ike_info->ike_halg == aalg
+				&& ike_info->ike_modp == group)
+				{
+					if (ealg_insecure)
+						loglog(RC_LOG_SERIOUS, "You should NOT use insecure IKE algorithms (%s)!"
+								, enum_name(&oakley_enc_names, ealg));
+					return TRUE;
+				}
+			}
 		}
-	    }
+		plog("Oakley Transform [%s (%d), %s, %s] refused due to %s"
+				, enum_name(&oakley_enc_names, ealg), key_len
+				, enum_name(&oakley_hash_names, aalg)
+				, enum_name(&oakley_group_names, group)
+				, ealg_insecure ?
+					"insecure key_len and enc. alg. not listed in \"ike\" string" : "strict flag"
+		);
+		return FALSE;
 	}
-	plog("Oakley Transform [%s (%d), %s, %s] refused due to %s"
-		, enum_name(&oakley_enc_names, ealg), key_len
-		, enum_name(&oakley_hash_names, aalg)
-		, enum_name(&oakley_group_names, group)
-		, ealg_insecure ?
-		    "insecure key_len and enc. alg. not listed in \"ike\" string" : "strict flag"
-	);
-	return FALSE;
-    }
-    return TRUE;
+	return TRUE;
 }
 
diff --git a/src/pluto/ike_alg.h b/src/pluto/ike_alg.h
index dbf4076c5..458d14c3a 100644
--- a/src/pluto/ike_alg.h
+++ b/src/pluto/ike_alg.h
@@ -10,85 +10,63 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: ike_alg.h 3252 2007-10-06 21:24:50Z andreas $
  */
- 
+
 #ifndef _IKE_ALG_H
 #define _IKE_ALG_H
 
+#include <freeswan.h>
+
 #include "connections.h"
 
 struct ike_alg {
-    u_int16_t algo_type;
-    u_int16_t algo_id;
-    struct ike_alg *algo_next;
+	u_int16_t algo_type;
+	u_int16_t algo_id;
+	struct ike_alg *algo_next;
 };
 
 struct encrypt_desc {
-    u_int16_t algo_type;
-    u_int16_t algo_id;
-    struct ike_alg *algo_next;
+	u_int16_t algo_type;
+	u_int16_t algo_id;
+	struct ike_alg *algo_next;
 
-    size_t enc_ctxsize;
-    size_t enc_blocksize;
-    u_int keydeflen;
-    u_int keymaxlen;
-    u_int keyminlen;
-    void (*do_crypt)(u_int8_t *dat, size_t datasize, u_int8_t *key, size_t key_size, u_int8_t *iv, bool enc);
+	size_t enc_blocksize;
+	u_int keydeflen;
+	u_int keymaxlen;
+	u_int keyminlen;
 };
 
-typedef struct hash_testvector hash_testvector_t;
+struct hash_desc {
+	u_int16_t algo_type;
+	u_int16_t algo_id;
+	struct ike_alg *algo_next;
 
-struct hash_testvector {
-    const size_t  msg_size;
-    const u_char *msg;
-    const u_char *msg_digest;
+	size_t hash_digest_size;
 };
 
-typedef struct hmac_testvector hmac_testvector_t;
-
-struct hmac_testvector {
-    const size_t  key_size;
-    const u_char *key;
-    const size_t  msg_size;
-    const u_char *msg;
-    const u_char *hmac;
-};
-struct hash_desc {
-    u_int16_t algo_type;
-    u_int16_t algo_id;
-    struct ike_alg *algo_next;
+struct dh_desc {
+	u_int16_t algo_type;
+	u_int16_t algo_id;
+	struct ike_alg *algo_next;
 
-    size_t hash_ctx_size;
-    size_t hash_block_size;
-    size_t hash_digest_size;
-    const hash_testvector_t *hash_testvectors;
-    const hmac_testvector_t *hmac_testvectors;
-    void (*hash_init)(void *ctx);
-    void (*hash_update)(void *ctx, const u_int8_t *in, size_t datasize);
-    void (*hash_final)(u_int8_t *out, void *ctx);
+	size_t ke_size;
 };
 
-#define IKE_ALG_ENCRYPT		0
-#define IKE_ALG_HASH		1
-#define IKE_ALG_MAX		IKE_ALG_HASH
+#define IKE_ALG_ENCRYPT         0
+#define IKE_ALG_HASH            1
+#define IKE_ALG_DH_GROUP		2
+#define IKE_ALG_MAX             IKE_ALG_DH_GROUP
 
 extern int ike_alg_add(struct ike_alg *a);
 extern struct hash_desc *ike_alg_get_hasher(u_int alg);
-extern struct encrypt_desc *ike_alg_get_encrypter(u_int alg);
-extern bool ike_alg_enc_present(u_int ealg);
-extern bool ike_alg_hash_present(u_int halg);
-extern int ike_alg_register_hash(struct hash_desc *a);
-extern int ike_alg_register_enc(struct encrypt_desc *e);
-extern const struct oakley_group_desc* ike_alg_pfsgroup(struct connection *c
-    , lset_t policy);
-extern struct db_context * ike_alg_db_new(struct alg_info_ike *ai, lset_t policy);
+extern struct encrypt_desc *ike_alg_get_crypter(u_int alg);
+extern struct dh_desc *ike_alg_get_dh_group(u_int alg);
+extern const struct dh_desc* ike_alg_pfsgroup(struct connection *c, lset_t policy);
+extern struct db_context * ike_alg_db_new(struct connection *c, lset_t policy);
 extern void ike_alg_list(void);
 extern void ike_alg_show_connection(struct connection *c, const char *instance);
-extern bool ike_alg_test(void);
 extern bool ike_alg_ok_final(u_int ealg, u_int key_len, u_int aalg, u_int group
-    , struct alg_info_ike *alg_info_ike);
+	, struct alg_info_ike *alg_info_ike);
 extern int ike_alg_init(void);
 
 #endif /* _IKE_ALG_H */
diff --git a/src/pluto/ipsec_doi.c b/src/pluto/ipsec_doi.c
index 9721ac583..929768ee9 100644
--- a/src/pluto/ipsec_doi.c
+++ b/src/pluto/ipsec_doi.c
@@ -1,6 +1,7 @@
 /* IPsec DOI and Oakley resolution routines
  * Copyright (C) 1997 Angelos D. Keromytis.
  * Copyright (C) 1998-2002  D. Hugh Redelmeier.
+ * Copyright (C) 2009 Andreas Steffen - Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -11,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: ipsec_doi.c 5052 2009-03-30 03:47:14Z andreas $
  */
 
 #include <stdio.h>
@@ -24,16 +23,22 @@
 #include <netinet/in.h>
 #include <arpa/inet.h>
 #include <resolv.h>
-#include <arpa/nameser.h>	/* missing from <resolv.h> on old systems */
+#include <arpa/nameser.h>       /* missing from <resolv.h> on old systems */
 #include <sys/queue.h>
-#include <sys/time.h>		/* for gettimeofday */
+#include <sys/time.h>           /* for gettimeofday */
 
 #include <freeswan.h>
-#include <ipsec_policy.h>
+
+#include <library.h>
+#include <asn1/asn1.h>
+#include <crypto/hashers/hasher.h>
+#include <crypto/prfs/prf.h>
+#include <crypto/rngs/rng.h>
+#include <credentials/keys/private_key.h>
+#include <credentials/keys/public_key.h>
 
 #include "constants.h"
 #include "defs.h"
-#include "mp_defs.h"
 #include "state.h"
 #include "id.h"
 #include "x509.h"
@@ -44,25 +49,20 @@
 #include "connections.h"
 #include "keys.h"
 #include "packet.h"
-#include "demux.h"	/* needs packet.h */
-#include "adns.h"	/* needs <resolv.h> */
-#include "dnskey.h"	/* needs keys.h and adns.h */
+#include "demux.h"      /* needs packet.h */
+#include "adns.h"       /* needs <resolv.h> */
+#include "dnskey.h"     /* needs keys.h and adns.h */
 #include "kernel.h"
 #include "log.h"
 #include "cookie.h"
 #include "server.h"
 #include "spdb.h"
 #include "timer.h"
-#include "rnd.h"
-#include "ipsec_doi.h"	/* needs demux.h and state.h */
+#include "ipsec_doi.h"  /* needs demux.h and state.h */
 #include "whack.h"
 #include "fetch.h"
 #include "pkcs7.h"
-#include "asn1.h"
-
-#include "sha1.h"
-#include "md5.h"
-#include "crypto.h" /* requires sha1.h and md5.h */
+#include "crypto.h"
 #include "vendor.h"
 #include "alg_info.h"
 #include "ike_alg.h"
@@ -74,115 +74,84 @@
  * are we sending Pluto's Vendor ID?
  */
 #ifdef VENDORID
-#define SEND_PLUTO_VID	1
+#define SEND_PLUTO_VID  1
 #else /* !VENDORID */
-#define SEND_PLUTO_VID	0
+#define SEND_PLUTO_VID  0
 #endif /* !VENDORID */
 
 /*
  * are we sending an XAUTH VID?
  */
 #ifdef XAUTH_VID
-#define SEND_XAUTH_VID	1
+#define SEND_XAUTH_VID  1
 #else /* !XAUTH_VID */
-#define SEND_XAUTH_VID	0
+#define SEND_XAUTH_VID  0
 #endif /* !XAUTH_VID */
 
 /*
  * are we sending a Cisco Unity VID?
  */
 #ifdef CISCO_QUIRKS
-#define SEND_CISCO_UNITY_VID	1
+#define SEND_CISCO_UNITY_VID    1
 #else /* !CISCO_QUIRKS */
-#define SEND_CISCO_UNITY_VID	0
+#define SEND_CISCO_UNITY_VID    0
 #endif /* !CISCO_QUIRKS */
 
 /* MAGIC: perform f, a function that returns notification_t
  * and return from the ENCLOSING stf_status returning function if it fails.
  */
 #define RETURN_STF_FAILURE(f) \
-    { int r = (f); if (r != NOTHING_WRONG) return STF_FAIL + r; }
+	{ int r = (f); if (r != NOTHING_WRONG) return STF_FAIL + r; }
 
 /* create output HDR as replica of input HDR */
 void
 echo_hdr(struct msg_digest *md, bool enc, u_int8_t np)
 {
-    struct isakmp_hdr r_hdr = md->hdr;	/* mostly same as incoming header */
-
-    r_hdr.isa_flags &= ~ISAKMP_FLAG_COMMIT;	/* we won't ever turn on this bit */
-    if (enc)
-	r_hdr.isa_flags |= ISAKMP_FLAG_ENCRYPTION;
-    /* some day, we may have to set r_hdr.isa_version */
-    r_hdr.isa_np = np;
-    if (!out_struct(&r_hdr, &isakmp_hdr_desc, &md->reply, &md->rbody))
-	impossible();	/* surely must have room and be well-formed */
+	struct isakmp_hdr r_hdr = md->hdr;  /* mostly same as incoming header */
+
+	r_hdr.isa_flags &= ~ISAKMP_FLAG_COMMIT;     /* we won't ever turn on this bit */
+	if (enc)
+		r_hdr.isa_flags |= ISAKMP_FLAG_ENCRYPTION;
+	/* some day, we may have to set r_hdr.isa_version */
+	r_hdr.isa_np = np;
+	if (!out_struct(&r_hdr, &isakmp_hdr_desc, &md->reply, &md->rbody))
+		impossible();   /* surely must have room and be well-formed */
 }
 
 /* Compute DH shared secret from our local secret and the peer's public value.
  * We make the leap that the length should be that of the group
  * (see quoted passage at start of ACCEPT_KE).
  */
-static void
-compute_dh_shared(struct state *st, const chunk_t g
-, const struct oakley_group_desc *group)
+static void compute_dh_shared(struct state *st, const chunk_t g)
 {
-    MP_INT mp_g, mp_shared;
-    struct timeval tv0, tv1;
-    unsigned long tv_diff;
-
-    gettimeofday(&tv0, NULL);
-    passert(st->st_sec_in_use);
-    n_to_mpz(&mp_g, g.ptr, g.len);
-    mpz_init(&mp_shared);
-    mpz_powm(&mp_shared, &mp_g, &st->st_sec, group->modulus);
-    mpz_clear(&mp_g);
-    freeanychunk(st->st_shared);	/* happens in odd error cases */
-    st->st_shared = mpz_to_n(&mp_shared, group->bytes);
-    mpz_clear(&mp_shared);
-    gettimeofday(&tv1, NULL);
-    tv_diff=(tv1.tv_sec  - tv0.tv_sec) * 1000000 + (tv1.tv_usec - tv0.tv_usec);
-    DBG(DBG_CRYPT, 
-    	DBG_log("compute_dh_shared(): time elapsed (%s): %ld usec"
-		, enum_show(&oakley_group_names, st->st_oakley.group->group)
-		, tv_diff);
-       );
-    /* if took more than 200 msec ... */
-    if (tv_diff > 200000) {
-	loglog(RC_LOG_SERIOUS, "WARNING: compute_dh_shared(): for %s took "
-			"%ld usec"
-		, enum_show(&oakley_group_names, st->st_oakley.group->group)
-		, tv_diff);
-    }
-
-    DBG_cond_dump_chunk(DBG_CRYPT, "DH shared secret:\n", st->st_shared);
+	passert(st->st_dh);
+	st->st_dh->set_other_public_value(st->st_dh, g);
+	st->st_dh->get_shared_secret(st->st_dh, &st->st_shared);
+	DBG_cond_dump_chunk(DBG_CRYPT, "DH shared secret:\n", st->st_shared);
 }
 
 /* if we haven't already done so, compute a local DH secret (st->st_sec) and
  * the corresponding public value (g).  This is emitted as a KE payload.
  */
-static bool
-build_and_ship_KE(struct state *st, chunk_t *g
-, const struct oakley_group_desc *group, pb_stream *outs, u_int8_t np)
+static bool build_and_ship_KE(struct state *st, chunk_t *g,
+							  const struct dh_desc *group,
+							  pb_stream *outs, u_int8_t np)
 {
-    if (!st->st_sec_in_use)
-    {
-	u_char tmp[LOCALSECRETSIZE];
-	MP_INT mp_g;
-
-	get_rnd_bytes(tmp, LOCALSECRETSIZE);
-	st->st_sec_in_use = TRUE;
-	n_to_mpz(&st->st_sec, tmp, LOCALSECRETSIZE);
-
-	mpz_init(&mp_g);
-	mpz_powm(&mp_g, &groupgenerator, &st->st_sec, group->modulus);
-	freeanychunk(*g);	/* happens in odd error cases */
-	*g = mpz_to_n(&mp_g, group->bytes);
-	mpz_clear(&mp_g);
+	if (st->st_dh == NULL)
+	{
+		st->st_dh = lib->crypto->create_dh(lib->crypto, group->algo_id);
+		if (st->st_dh == NULL)
+		{
+			plog("Diffie Hellman group %N is not available",
+				 diffie_hellman_group_names, group->algo_id);
+			return FALSE;
+		}
+	}
+	st->st_dh->get_my_public_value(st->st_dh, g);
 	DBG(DBG_CRYPT,
-	    DBG_dump("Local DH secret:\n", tmp, LOCALSECRETSIZE);
-	    DBG_dump_chunk("Public DH value sent:\n", *g));
-    }
-    return out_generic_chunk(np, &isakmp_keyex_desc, outs, *g, "keyex value");
+		DBG_dump_chunk("Public DH value sent:\n", *g)
+	)
+	return out_generic_chunk(np, &isakmp_keyex_desc, outs, *g, "keyex value");
 }
 
 /* accept_ke
@@ -194,21 +163,22 @@ build_and_ship_KE(struct state *st, chunk_t *g
  *  Diffie-Hellman group enforced, if necessary, by pre-pending the
  *  value with zeros.
  */
-static notification_t
-accept_KE(chunk_t *dest, const char *val_name
-, const struct oakley_group_desc *gr
-, pb_stream *pbs)
+static notification_t accept_KE(chunk_t *dest, const char *val_name,
+								const struct dh_desc *gr,
+								pb_stream *pbs)
 {
-    if (pbs_left(pbs) != gr->bytes)
-    {
-	loglog(RC_LOG_SERIOUS, "KE has %u byte DH public value; %u required"
-	    , (unsigned) pbs_left(pbs), (unsigned) gr->bytes);
-	/* XXX Could send notification back */
-	return INVALID_KEY_INFORMATION;
-    }
-    clonereplacechunk(*dest, pbs->cur, pbs_left(pbs), val_name);
-    DBG_cond_dump_chunk(DBG_CRYPT, "DH public value received:\n", *dest);
-    return NOTHING_WRONG;
+	if (pbs_left(pbs) != gr->ke_size)
+	{
+		loglog(RC_LOG_SERIOUS, "KE has %u byte DH public value; %u required"
+			, (unsigned) pbs_left(pbs), gr->ke_size);
+		/* XXX Could send notification back */
+		return INVALID_KEY_INFORMATION;
+	}
+	free(dest->ptr);
+	*dest = chunk_create(pbs->cur, pbs_left(pbs));
+	*dest = chunk_clone(*dest);
+	DBG_cond_dump_chunk(DBG_CRYPT, "DH public value received:\n", *dest);
+	return NOTHING_WRONG;
 }
 
 /* accept_PFS_KE
@@ -216,652 +186,663 @@ accept_KE(chunk_t *dest, const char *val_name
  * Check and accept optional Quick Mode KE payload for PFS.
  * Extends ACCEPT_PFS to check whether KE is allowed or required.
  */
-static notification_t
-accept_PFS_KE(struct msg_digest *md, chunk_t *dest
-, const char *val_name, const char *msg_name)
+static notification_t accept_PFS_KE(struct msg_digest *md, chunk_t *dest,
+									const char *val_name, const char *msg_name)
 {
-    struct state *st = md->st;
-    struct payload_digest *const ke_pd = md->chain[ISAKMP_NEXT_KE];
+	struct state *st = md->st;
+	struct payload_digest *const ke_pd = md->chain[ISAKMP_NEXT_KE];
 
-    if (ke_pd == NULL)
-    {
-	if (st->st_pfs_group != NULL)
+	if (ke_pd == NULL)
 	{
-	    loglog(RC_LOG_SERIOUS, "missing KE payload in %s message", msg_name);
-	    return INVALID_KEY_INFORMATION;
-	}
-    }
-    else
-    {
-	if (st->st_pfs_group == NULL)
-	{
-	    loglog(RC_LOG_SERIOUS, "%s message KE payload requires a GROUP_DESCRIPTION attribute in SA"
-		, msg_name);
-	    return INVALID_KEY_INFORMATION;
+		if (st->st_pfs_group != NULL)
+		{
+			loglog(RC_LOG_SERIOUS, "missing KE payload in %s message", msg_name);
+			return INVALID_KEY_INFORMATION;
+		}
 	}
-	if (ke_pd->next != NULL)
+	else
 	{
-	    loglog(RC_LOG_SERIOUS, "%s message contains several KE payloads; we accept at most one", msg_name);
-	    return INVALID_KEY_INFORMATION;	/* ??? */
+		if (st->st_pfs_group == NULL)
+		{
+			loglog(RC_LOG_SERIOUS, "%s message KE payload requires a GROUP_DESCRIPTION attribute in SA"
+				, msg_name);
+			return INVALID_KEY_INFORMATION;
+		}
+		if (ke_pd->next != NULL)
+		{
+			loglog(RC_LOG_SERIOUS, "%s message contains several KE payloads; we accept at most one", msg_name);
+			return INVALID_KEY_INFORMATION;     /* ??? */
+		}
+		return accept_KE(dest, val_name, st->st_pfs_group, &ke_pd->pbs);
 	}
-	return accept_KE(dest, val_name, st->st_pfs_group, &ke_pd->pbs);
-    }
-    return NOTHING_WRONG;
+	return NOTHING_WRONG;
 }
 
-static bool
-build_and_ship_nonce(chunk_t *n, pb_stream *outs, u_int8_t np
-, const char *name)
+static bool build_and_ship_nonce(chunk_t *n, pb_stream *outs, u_int8_t np,
+								 const char *name)
 {
-    freeanychunk(*n);
-    setchunk(*n, alloc_bytes(DEFAULT_NONCE_SIZE, name), DEFAULT_NONCE_SIZE);
-    get_rnd_bytes(n->ptr, DEFAULT_NONCE_SIZE);
-    return out_generic_chunk(np, &isakmp_nonce_desc, outs, *n, name);
+	rng_t *rng;
+
+	free(n->ptr);
+	*n = chunk_create(malloc(DEFAULT_NONCE_SIZE), DEFAULT_NONCE_SIZE);
+	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
+	rng->get_bytes(rng, DEFAULT_NONCE_SIZE, n->ptr);
+	rng->destroy(rng);
+	return out_generic_chunk(np, &isakmp_nonce_desc, outs, *n, name);
 }
 
-static bool
-collect_rw_ca_candidates(struct msg_digest *md, generalName_t **top)
+static bool collect_rw_ca_candidates(struct msg_digest *md, generalName_t **top)
 {
-    struct connection *d = find_host_connection(&md->iface->addr
-	, pluto_port, (ip_address*)NULL, md->sender_port, LEMPTY);
+	struct connection *d = find_host_connection(&md->iface->addr
+		, pluto_port, (ip_address*)NULL, md->sender_port, LEMPTY);
 
-    for (; d != NULL; d = d->hp_next)
-    {
-	/* must be a road warrior connection */
-	if (d->kind == CK_TEMPLATE && !(d->policy & POLICY_OPPO)
-	&& d->spd.that.ca.ptr != NULL)
+	for (; d != NULL; d = d->hp_next)
 	{
-	    generalName_t *gn;
-	    bool new_entry = TRUE;
-
-	    for (gn = *top; gn != NULL; gn = gn->next)
-	    {
-		if (same_dn(gn->name, d->spd.that.ca))
+		/* must be a road warrior connection */
+		if (d->kind == CK_TEMPLATE && !(d->policy & POLICY_OPPO)
+		&& d->spd.that.ca.ptr != NULL)
 		{
-		    new_entry = FALSE;
-		    break;
+			generalName_t *gn;
+			bool new_entry = TRUE;
+
+			for (gn = *top; gn != NULL; gn = gn->next)
+			{
+				if (same_dn(gn->name, d->spd.that.ca))
+				{
+					new_entry = FALSE;
+					break;
+				}
+			}
+			if (new_entry)
+			{
+				gn = malloc_thing(generalName_t);
+				gn->kind = GN_DIRECTORY_NAME;
+				gn->name = d->spd.that.ca;
+				gn->next = *top;
+				*top = gn;
+			}
 		}
-	    }
-	    if (new_entry)
-	    {
-		gn = alloc_thing(generalName_t, "generalName");
-		gn->kind = GN_DIRECTORY_NAME;
-		gn->name = d->spd.that.ca;
-		gn->next = *top;
-		*top = gn;
-	    }
-	}
-    }
-    return *top != NULL;
+	}
+	return *top != NULL;
 }
 
-static bool
-build_and_ship_CR(u_int8_t type, chunk_t ca, pb_stream *outs, u_int8_t np)
+static bool build_and_ship_CR(u_int8_t type, chunk_t ca, pb_stream *outs,
+							  u_int8_t np)
 {
-    pb_stream cr_pbs;
-    struct isakmp_cr cr_hd;
-    cr_hd.isacr_np = np;
-    cr_hd.isacr_type = type;
+	pb_stream cr_pbs;
+	struct isakmp_cr cr_hd;
+	cr_hd.isacr_np = np;
+	cr_hd.isacr_type = type;
 
-    /* build CR header */
-    if (!out_struct(&cr_hd, &isakmp_ipsec_cert_req_desc, outs, &cr_pbs))
-	return FALSE;
+	/* build CR header */
+	if (!out_struct(&cr_hd, &isakmp_ipsec_cert_req_desc, outs, &cr_pbs))
+		return FALSE;
 
-    if (ca.ptr != NULL)
-    {
-	/* build CR body containing the distinguished name of the CA */
-	if (!out_chunk(ca, &cr_pbs, "CA"))
-	    return FALSE;
-    }
-    close_output_pbs(&cr_pbs);
-    return TRUE;
+	if (ca.ptr != NULL)
+	{
+		/* build CR body containing the distinguished name of the CA */
+		if (!out_chunk(ca, &cr_pbs, "CA"))
+			return FALSE;
+	}
+	close_output_pbs(&cr_pbs);
+	return TRUE;
 }
 
 /* Send a notification to the peer.  We could decide
  * whether to send the notification, based on the type and the
  * destination, if we care to.
  */
-static void
-send_notification(struct state *sndst, u_int16_t type, struct state *encst,
-    msgid_t msgid, u_char *icookie, u_char *rcookie,
-    u_char *spi, size_t spisize, u_char protoid)
+static void send_notification(struct state *sndst, u_int16_t type,
+							  struct state *encst, msgid_t msgid,
+							  u_char *icookie, u_char *rcookie,
+							  u_char *spi, size_t spisize, u_char protoid)
 {
-    u_char buffer[1024];
-    pb_stream pbs, r_hdr_pbs;
-    u_char *r_hashval    = NULL;  /* where in reply to jam hash value */
-    u_char *r_hash_start = NULL;  /* start of what is to be hashed */
-
-    passert((sndst) && (sndst->st_connection));
-
-    plog("sending %snotification %s to %s:%u"
-	, encst ? "encrypted " : ""
-	, enum_name(&notification_names, type)
-	, ip_str(&sndst->st_connection->spd.that.host_addr)
-	, (unsigned)sndst->st_connection->spd.that.host_port);
-
-    memset(buffer, 0, sizeof(buffer));
-    init_pbs(&pbs, buffer, sizeof(buffer), "ISAKMP notify");
-
-    /* HDR* */
-    {
-	struct isakmp_hdr hdr;
-
-	hdr.isa_version = ISAKMP_MAJOR_VERSION << ISA_MAJ_SHIFT | ISAKMP_MINOR_VERSION;
-	hdr.isa_np = encst ? ISAKMP_NEXT_HASH : ISAKMP_NEXT_N;
-	hdr.isa_xchg = ISAKMP_XCHG_INFO;
-	hdr.isa_msgid = msgid;
-	hdr.isa_flags = encst ? ISAKMP_FLAG_ENCRYPTION : 0;
-	if (icookie)
-	    memcpy(hdr.isa_icookie, icookie, COOKIE_SIZE);
-	if (rcookie)
-	    memcpy(hdr.isa_rcookie, rcookie, COOKIE_SIZE);
-	if (!out_struct(&hdr, &isakmp_hdr_desc, &pbs, &r_hdr_pbs))
-	    impossible();
-    }
-
-    /* HASH -- value to be filled later */
-    if (encst)
-    {
-	pb_stream hash_pbs;
-	if (!out_generic(ISAKMP_NEXT_N, &isakmp_hash_desc, &r_hdr_pbs,
-	    &hash_pbs))
-	    impossible();
-	r_hashval = hash_pbs.cur;  /* remember where to plant value */
-	if (!out_zero(
-	encst->st_oakley.hasher->hash_digest_size, &hash_pbs, "HASH"))
-	    impossible();
-	close_output_pbs(&hash_pbs);
-	r_hash_start = r_hdr_pbs.cur; /* hash from after HASH */
-    }
-
-    /* Notification Payload */
-    {
-	pb_stream not_pbs;
-	struct isakmp_notification isan;
-
-	isan.isan_doi = ISAKMP_DOI_IPSEC;
-	isan.isan_np = ISAKMP_NEXT_NONE;
-	isan.isan_type = type;
-	isan.isan_spisize = spisize;
-	isan.isan_protoid = protoid;
-
-	if (!out_struct(&isan, &isakmp_notification_desc, &r_hdr_pbs, &not_pbs)
-	    || !out_raw(spi, spisize, &not_pbs, "spi"))
-	    impossible();
-	close_output_pbs(&not_pbs);
-    }
-
-    /* calculate hash value and patch into Hash Payload */
-    if (encst)
-    {
-	struct hmac_ctx ctx;
-	hmac_init_chunk(&ctx, encst->st_oakley.hasher, encst->st_skeyid_a);
-	hmac_update(&ctx, (u_char *) &msgid, sizeof(msgid_t));
-	hmac_update(&ctx, r_hash_start, r_hdr_pbs.cur-r_hash_start);
-	hmac_final(r_hashval, &ctx);
+	u_char buffer[1024];
+	pb_stream pbs, r_hdr_pbs;
+	u_char *r_hashval    = NULL;  /* where in reply to jam hash value */
+	u_char *r_hash_start = NULL;  /* start of what is to be hashed */
 
-	DBG(DBG_CRYPT,
-	    DBG_log("HASH computed:");
-	    DBG_dump("", r_hashval, ctx.hmac_digest_size);
-	)
-    }
+	passert((sndst) && (sndst->st_connection));
 
-    /* Encrypt message (preserve st_iv and st_new_iv) */
-    if (encst)
-    {
-	u_char old_iv[MAX_DIGEST_LEN];
-	u_char new_iv[MAX_DIGEST_LEN];
+	plog("sending %snotification %s to %s:%u"
+		, encst ? "encrypted " : ""
+		, enum_name(&notification_names, type)
+		, ip_str(&sndst->st_connection->spd.that.host_addr)
+		, (unsigned)sndst->st_connection->spd.that.host_port);
+
+	memset(buffer, 0, sizeof(buffer));
+	init_pbs(&pbs, buffer, sizeof(buffer), "ISAKMP notify");
+
+	/* HDR* */
+	{
+		struct isakmp_hdr hdr;
+
+		hdr.isa_version = ISAKMP_MAJOR_VERSION << ISA_MAJ_SHIFT | ISAKMP_MINOR_VERSION;
+		hdr.isa_np = encst ? ISAKMP_NEXT_HASH : ISAKMP_NEXT_N;
+		hdr.isa_xchg = ISAKMP_XCHG_INFO;
+		hdr.isa_msgid = msgid;
+		hdr.isa_flags = encst ? ISAKMP_FLAG_ENCRYPTION : 0;
+		if (icookie)
+			memcpy(hdr.isa_icookie, icookie, COOKIE_SIZE);
+		if (rcookie)
+			memcpy(hdr.isa_rcookie, rcookie, COOKIE_SIZE);
+		if (!out_struct(&hdr, &isakmp_hdr_desc, &pbs, &r_hdr_pbs))
+			impossible();
+	}
+
+	/* HASH -- value to be filled later */
+	if (encst)
+	{
+		pb_stream hash_pbs;
+		if (!out_generic(ISAKMP_NEXT_N, &isakmp_hash_desc, &r_hdr_pbs,
+			&hash_pbs))
+			impossible();
+		r_hashval = hash_pbs.cur;  /* remember where to plant value */
+		if (!out_zero(
+		encst->st_oakley.hasher->hash_digest_size, &hash_pbs, "HASH"))
+			impossible();
+		close_output_pbs(&hash_pbs);
+		r_hash_start = r_hdr_pbs.cur; /* hash from after HASH */
+	}
+
+	/* Notification Payload */
+	{
+		pb_stream not_pbs;
+		struct isakmp_notification isan;
+
+		isan.isan_doi = ISAKMP_DOI_IPSEC;
+		isan.isan_np = ISAKMP_NEXT_NONE;
+		isan.isan_type = type;
+		isan.isan_spisize = spisize;
+		isan.isan_protoid = protoid;
+
+		if (!out_struct(&isan, &isakmp_notification_desc, &r_hdr_pbs, &not_pbs)
+			|| !out_raw(spi, spisize, &not_pbs, "spi"))
+			impossible();
+		close_output_pbs(&not_pbs);
+	}
+
+	/* calculate hash value and patch into Hash Payload */
+	if (encst)
+	{
+		chunk_t msgid_chunk = chunk_from_thing(msgid);
+		chunk_t msg_chunk = { r_hash_start, r_hdr_pbs.cur-r_hash_start };
+		pseudo_random_function_t prf_alg;
+		prf_t *prf;
+
+		prf_alg = oakley_to_prf(encst->st_oakley.hash);
+		prf = lib->crypto->create_prf(lib->crypto, prf_alg);
+		prf->set_key(prf, encst->st_skeyid_a);
+		prf->get_bytes(prf, msgid_chunk, NULL);
+		prf->get_bytes(prf, msg_chunk, r_hashval);
+
+		DBG(DBG_CRYPT,
+			DBG_log("HASH computed:");
+			DBG_dump("", r_hashval, prf->get_block_size(prf));
+		)
+		prf->destroy(prf);
+	}
+
+	/* Encrypt message (preserve st_iv and st_new_iv) */
+	if (encst)
+	{
+		u_char old_iv[MAX_DIGEST_LEN];
+		u_char new_iv[MAX_DIGEST_LEN];
+
+		u_int old_iv_len = encst->st_iv_len;
+		u_int new_iv_len = encst->st_new_iv_len;
+
+		if (old_iv_len > MAX_DIGEST_LEN || new_iv_len > MAX_DIGEST_LEN)
+			impossible();
+
+		memcpy(old_iv, encst->st_iv, old_iv_len);
+		memcpy(new_iv, encst->st_new_iv, new_iv_len);
+
+		if (!IS_ISAKMP_SA_ESTABLISHED(encst->st_state))
+		{
+			memcpy(encst->st_ph1_iv, encst->st_new_iv, encst->st_new_iv_len);
+			encst->st_ph1_iv_len = encst->st_new_iv_len;
+		}
+		init_phase2_iv(encst, &msgid);
+		if (!encrypt_message(&r_hdr_pbs, encst))
+			impossible();
+			
+		/* restore preserved st_iv and st_new_iv */
+		memcpy(encst->st_iv, old_iv, old_iv_len);
+		memcpy(encst->st_new_iv, new_iv, new_iv_len);
+		encst->st_iv_len = old_iv_len;
+		encst->st_new_iv_len = new_iv_len;
+	}
+	else
+	{
+		close_output_pbs(&r_hdr_pbs);
+	}
+
+	/* Send packet (preserve st_tpacket) */
+	{
+		chunk_t saved_tpacket = sndst->st_tpacket;
 
-	u_int old_iv_len = encst->st_iv_len;
-	u_int new_iv_len = encst->st_new_iv_len;
-
-	if (old_iv_len > MAX_DIGEST_LEN || new_iv_len > MAX_DIGEST_LEN)
-	    impossible();
-
-	memcpy(old_iv, encst->st_iv, old_iv_len);
-	memcpy(new_iv, encst->st_new_iv, new_iv_len);
-
-	if (!IS_ISAKMP_SA_ESTABLISHED(encst->st_state))
-	{
-	    memcpy(encst->st_ph1_iv, encst->st_new_iv, encst->st_new_iv_len);
-	    encst->st_ph1_iv_len = encst->st_new_iv_len;
-	}
-	init_phase2_iv(encst, &msgid);
-	if (!encrypt_message(&r_hdr_pbs, encst))
-	    impossible();
-	    
-	/* restore preserved st_iv and st_new_iv */
-	memcpy(encst->st_iv, old_iv, old_iv_len);
-	memcpy(encst->st_new_iv, new_iv, new_iv_len);
-	encst->st_iv_len = old_iv_len;
-	encst->st_new_iv_len = new_iv_len;
-    }
-    else
-    {
-	close_output_pbs(&r_hdr_pbs);
-    }
-
-    /* Send packet (preserve st_tpacket) */
-    {
-	chunk_t saved_tpacket = sndst->st_tpacket;
-
-	setchunk(sndst->st_tpacket, pbs.start, pbs_offset(&pbs));
-	send_packet(sndst, "ISAKMP notify");
-	sndst->st_tpacket = saved_tpacket;
-    }
+		sndst->st_tpacket = chunk_create(pbs.start, pbs_offset(&pbs));
+		send_packet(sndst, "ISAKMP notify");
+		sndst->st_tpacket = saved_tpacket;
+	}
 }
 
-void
-send_notification_from_state(struct state *st, enum state_kind state,
-    u_int16_t type)
+void send_notification_from_state(struct state *st, enum state_kind state,
+								  u_int16_t type)
 {
-    struct state *p1st;
-
-    passert(st);
-
-    if (state == STATE_UNDEFINED)
-	state = st->st_state;
-
-    if (IS_QUICK(state))
-    {
-	p1st = find_phase1_state(st->st_connection, ISAKMP_SA_ESTABLISHED_STATES);
-	if ((p1st == NULL) || (!IS_ISAKMP_SA_ESTABLISHED(p1st->st_state)))
-	{
-	    loglog(RC_LOG_SERIOUS,
-		"no Phase1 state for Quick mode notification");
-	    return;
-	}
-	send_notification(st, type, p1st, generate_msgid(p1st),
-	    st->st_icookie, st->st_rcookie, NULL, 0, PROTO_ISAKMP);
-    }
-    else if (IS_ISAKMP_ENCRYPTED(state) && st->st_enc_key.ptr != NULL)
-    {
-	send_notification(st, type, st, generate_msgid(st),
-	    st->st_icookie, st->st_rcookie, NULL, 0, PROTO_ISAKMP);
-    }
-    else
-    {
-	/* no ISAKMP SA established - don't encrypt notification */
-	send_notification(st, type, NULL, 0,
-	    st->st_icookie, st->st_rcookie, NULL, 0, PROTO_ISAKMP);
-    }
+	struct state *p1st;
+
+	passert(st);
+
+	if (state == STATE_UNDEFINED)
+		state = st->st_state;
+
+	if (IS_QUICK(state))
+	{
+		p1st = find_phase1_state(st->st_connection, ISAKMP_SA_ESTABLISHED_STATES);
+		if ((p1st == NULL) || (!IS_ISAKMP_SA_ESTABLISHED(p1st->st_state)))
+		{
+			loglog(RC_LOG_SERIOUS,
+				"no Phase1 state for Quick mode notification");
+			return;
+		}
+		send_notification(st, type, p1st, generate_msgid(p1st),
+			st->st_icookie, st->st_rcookie, NULL, 0, PROTO_ISAKMP);
+	}
+	else if (IS_ISAKMP_ENCRYPTED(state) && st->st_enc_key.ptr != NULL)
+	{
+		send_notification(st, type, st, generate_msgid(st),
+			st->st_icookie, st->st_rcookie, NULL, 0, PROTO_ISAKMP);
+	}
+	else
+	{
+		/* no ISAKMP SA established - don't encrypt notification */
+		send_notification(st, type, NULL, 0,
+			st->st_icookie, st->st_rcookie, NULL, 0, PROTO_ISAKMP);
+	}
 }
 
-void
-send_notification_from_md(struct msg_digest *md, u_int16_t type)
+void send_notification_from_md(struct msg_digest *md, u_int16_t type)
 {
-    /**
-     * Create a dummy state to be able to use send_packet in
-     * send_notification
-     *
-     * we need to set:
-     *   st_connection->that.host_addr
-     *   st_connection->that.host_port
-     *   st_connection->interface
-     */
-    struct state st;
-    struct connection cnx;
-
-    passert(md);
-
-    memset(&st, 0, sizeof(st));
-    memset(&cnx, 0, sizeof(cnx));
-    st.st_connection = &cnx;
-    cnx.spd.that.host_addr = md->sender;
-    cnx.spd.that.host_port = md->sender_port;
-    cnx.interface = md->iface;
-
-    send_notification(&st, type, NULL, 0,
-	md->hdr.isa_icookie, md->hdr.isa_rcookie, NULL, 0, PROTO_ISAKMP);
+	/**
+	 * Create a dummy state to be able to use send_packet in
+	 * send_notification
+	 *
+	 * we need to set:
+	 *   st_connection->that.host_addr
+	 *   st_connection->that.host_port
+	 *   st_connection->interface
+	 */
+	struct state st;
+	struct connection cnx;
+
+	passert(md);
+
+	memset(&st, 0, sizeof(st));
+	memset(&cnx, 0, sizeof(cnx));
+	st.st_connection = &cnx;
+	cnx.spd.that.host_addr = md->sender;
+	cnx.spd.that.host_port = md->sender_port;
+	cnx.interface = md->iface;
+
+	send_notification(&st, type, NULL, 0,
+		md->hdr.isa_icookie, md->hdr.isa_rcookie, NULL, 0, PROTO_ISAKMP);
 }
 
 /* Send a Delete Notification to announce deletion of ISAKMP SA or
  * inbound IPSEC SAs.  Does nothing if no such SAs are being deleted.
  * Delete Notifications cannot announce deletion of outbound IPSEC/ISAKMP SAs.
  */
-void
-send_delete(struct state *st)
+void send_delete(struct state *st)
 {
-    pb_stream reply_pbs;
-    pb_stream r_hdr_pbs;
-    msgid_t	msgid;
-    u_char buffer[8192];
-    struct state *p1st;
-    ip_said said[EM_MAXRELSPIS];
-    ip_said *ns = said;
-    u_char
-	*r_hashval,	/* where in reply to jam hash value */
-	*r_hash_start;	/* start of what is to be hashed */
-    bool isakmp_sa = FALSE;
-
-    if (IS_IPSEC_SA_ESTABLISHED(st->st_state))
-    {
-	p1st = find_phase1_state(st->st_connection, ISAKMP_SA_ESTABLISHED_STATES);
-	if (p1st == NULL)
+	pb_stream reply_pbs;
+	pb_stream r_hdr_pbs;
+	msgid_t     msgid;
+	u_char buffer[8192];
+	struct state *p1st;
+	ip_said said[EM_MAXRELSPIS];
+	ip_said *ns = said;
+	u_char
+		*r_hashval,     /* where in reply to jam hash value */
+		*r_hash_start;  /* start of what is to be hashed */
+	bool isakmp_sa = FALSE;
+
+	if (IS_IPSEC_SA_ESTABLISHED(st->st_state))
+	{
+		p1st = find_phase1_state(st->st_connection, ISAKMP_SA_ESTABLISHED_STATES);
+		if (p1st == NULL)
+		{
+			DBG(DBG_CONTROL, DBG_log("no Phase 1 state for Delete"));
+			return;
+		}
+
+		if (st->st_ah.present)
+		{
+			ns->spi = st->st_ah.our_spi;
+			ns->dst = st->st_connection->spd.this.host_addr;
+			ns->proto = PROTO_IPSEC_AH;
+			ns++;
+		}
+		if (st->st_esp.present)
+		{
+			ns->spi = st->st_esp.our_spi;
+			ns->dst = st->st_connection->spd.this.host_addr;
+			ns->proto = PROTO_IPSEC_ESP;
+			ns++;
+		}
+
+		passert(ns != said);    /* there must be some SAs to delete */
+	}
+	else if (IS_ISAKMP_SA_ESTABLISHED(st->st_state))
+	{
+		p1st = st;
+		isakmp_sa = TRUE;
+	}
+	else
 	{
-	    DBG(DBG_CONTROL, DBG_log("no Phase 1 state for Delete"));
-	    return;
+		return; /* nothing to do */
 	}
 
-	if (st->st_ah.present)
+	msgid = generate_msgid(p1st);
+
+	zero(buffer);
+	init_pbs(&reply_pbs, buffer, sizeof(buffer), "delete msg");
+
+	/* HDR* */
 	{
-	    ns->spi = st->st_ah.our_spi;
-	    ns->dst = st->st_connection->spd.this.host_addr;
-	    ns->proto = PROTO_IPSEC_AH;
-	    ns++;
+		struct isakmp_hdr hdr;
+
+		hdr.isa_version = ISAKMP_MAJOR_VERSION << ISA_MAJ_SHIFT | ISAKMP_MINOR_VERSION;
+		hdr.isa_np = ISAKMP_NEXT_HASH;
+		hdr.isa_xchg = ISAKMP_XCHG_INFO;
+		hdr.isa_msgid = msgid;
+		hdr.isa_flags = ISAKMP_FLAG_ENCRYPTION;
+		memcpy(hdr.isa_icookie, p1st->st_icookie, COOKIE_SIZE);
+		memcpy(hdr.isa_rcookie, p1st->st_rcookie, COOKIE_SIZE);
+		if (!out_struct(&hdr, &isakmp_hdr_desc, &reply_pbs, &r_hdr_pbs))
+			impossible();
 	}
-	if (st->st_esp.present)
+
+	/* HASH -- value to be filled later */
+	{
+		pb_stream hash_pbs;
+
+		if (!out_generic(ISAKMP_NEXT_D, &isakmp_hash_desc, &r_hdr_pbs, &hash_pbs))
+			impossible();
+		r_hashval = hash_pbs.cur;       /* remember where to plant value */
+		if (!out_zero(p1st->st_oakley.hasher->hash_digest_size, &hash_pbs, "HASH(1)"))
+			impossible();
+		close_output_pbs(&hash_pbs);
+		r_hash_start = r_hdr_pbs.cur;   /* hash from after HASH(1) */
+	}
+
+	/* Delete Payloads */
+	if (isakmp_sa)
+	{
+		pb_stream del_pbs;
+		struct isakmp_delete isad;
+		u_char isakmp_spi[2*COOKIE_SIZE];
+
+		isad.isad_doi = ISAKMP_DOI_IPSEC;
+		isad.isad_np = ISAKMP_NEXT_NONE;
+		isad.isad_spisize = (2 * COOKIE_SIZE);
+		isad.isad_protoid = PROTO_ISAKMP;
+		isad.isad_nospi = 1;
+
+		memcpy(isakmp_spi, st->st_icookie, COOKIE_SIZE);
+		memcpy(isakmp_spi+COOKIE_SIZE, st->st_rcookie, COOKIE_SIZE);
+
+		if (!out_struct(&isad, &isakmp_delete_desc, &r_hdr_pbs, &del_pbs)
+		|| !out_raw(&isakmp_spi, (2*COOKIE_SIZE), &del_pbs, "delete payload"))
+			impossible();
+		close_output_pbs(&del_pbs);
+	}
+	else
 	{
-	    ns->spi = st->st_esp.our_spi;
-	    ns->dst = st->st_connection->spd.this.host_addr;
-	    ns->proto = PROTO_IPSEC_ESP;
-	    ns++;
-	}
-
-	passert(ns != said);    /* there must be some SAs to delete */
-    }
-    else if (IS_ISAKMP_SA_ESTABLISHED(st->st_state))
-    {
-	p1st = st;
-	isakmp_sa = TRUE;
-    }
-    else
-    {
-	return; /* nothing to do */
-    }
-
-    msgid = generate_msgid(p1st);
-
-    zero(buffer);
-    init_pbs(&reply_pbs, buffer, sizeof(buffer), "delete msg");
-
-    /* HDR* */
-    {
-	struct isakmp_hdr hdr;
-
-	hdr.isa_version = ISAKMP_MAJOR_VERSION << ISA_MAJ_SHIFT | ISAKMP_MINOR_VERSION;
-	hdr.isa_np = ISAKMP_NEXT_HASH;
-	hdr.isa_xchg = ISAKMP_XCHG_INFO;
-	hdr.isa_msgid = msgid;
-	hdr.isa_flags = ISAKMP_FLAG_ENCRYPTION;
-	memcpy(hdr.isa_icookie, p1st->st_icookie, COOKIE_SIZE);
-	memcpy(hdr.isa_rcookie, p1st->st_rcookie, COOKIE_SIZE);
-	if (!out_struct(&hdr, &isakmp_hdr_desc, &reply_pbs, &r_hdr_pbs))
-	    impossible();
-    }
-
-    /* HASH -- value to be filled later */
-    {
-	pb_stream hash_pbs;
-
-	if (!out_generic(ISAKMP_NEXT_D, &isakmp_hash_desc, &r_hdr_pbs, &hash_pbs))
-	    impossible();
-	r_hashval = hash_pbs.cur;	/* remember where to plant value */
-	if (!out_zero(p1st->st_oakley.hasher->hash_digest_size, &hash_pbs, "HASH(1)"))
-	    impossible();
-	close_output_pbs(&hash_pbs);
-	r_hash_start = r_hdr_pbs.cur;	/* hash from after HASH(1) */
-    }
-
-    /* Delete Payloads */
-    if (isakmp_sa)
-    {
-	pb_stream del_pbs;
-	struct isakmp_delete isad;
-	u_char isakmp_spi[2*COOKIE_SIZE];
-
-	isad.isad_doi = ISAKMP_DOI_IPSEC;
-	isad.isad_np = ISAKMP_NEXT_NONE;
-	isad.isad_spisize = (2 * COOKIE_SIZE);
-	isad.isad_protoid = PROTO_ISAKMP;
-	isad.isad_nospi = 1;
-
-	memcpy(isakmp_spi, st->st_icookie, COOKIE_SIZE);
-	memcpy(isakmp_spi+COOKIE_SIZE, st->st_rcookie, COOKIE_SIZE);
-
-	if (!out_struct(&isad, &isakmp_delete_desc, &r_hdr_pbs, &del_pbs)
-	|| !out_raw(&isakmp_spi, (2*COOKIE_SIZE), &del_pbs, "delete payload"))
-	    impossible();
-	close_output_pbs(&del_pbs);
-    }
-    else
-    {
-	while (ns != said)
-	{
-
-	    pb_stream del_pbs;
-	    struct isakmp_delete isad;
-
-	    ns--;
-	    isad.isad_doi = ISAKMP_DOI_IPSEC;
-	    isad.isad_np = ns == said? ISAKMP_NEXT_NONE : ISAKMP_NEXT_D;
-	    isad.isad_spisize = sizeof(ipsec_spi_t);
-	    isad.isad_protoid = ns->proto;
-
-	    isad.isad_nospi = 1;
-	    if (!out_struct(&isad, &isakmp_delete_desc, &r_hdr_pbs, &del_pbs)
-	    || !out_raw(&ns->spi, sizeof(ipsec_spi_t), &del_pbs, "delete payload"))
-		impossible();
-	    close_output_pbs(&del_pbs);
-	}
-    }
-
-    /* calculate hash value and patch into Hash Payload */
-    {
-	struct hmac_ctx ctx;
-	hmac_init_chunk(&ctx, p1st->st_oakley.hasher, p1st->st_skeyid_a);
-	hmac_update(&ctx, (u_char *) &msgid, sizeof(msgid_t));
-	hmac_update(&ctx, r_hash_start, r_hdr_pbs.cur-r_hash_start);
-	hmac_final(r_hashval, &ctx);
+		while (ns != said)
+		{
 
-	DBG(DBG_CRYPT,
-	    DBG_log("HASH(1) computed:");
-	    DBG_dump("", r_hashval, ctx.hmac_digest_size);
-	)
-    }
-
-    /* Do a dance to avoid needing a new state object.
-     * We use the Phase 1 State.  This is the one with right
-     * IV, for one thing.
-     * The tricky bits are:
-     * - we need to preserve (save/restore) st_iv (but not st_iv_new)
-     * - we need to preserve (save/restore) st_tpacket.
-     */
-    {
-	u_char old_iv[MAX_DIGEST_LEN];
-	chunk_t saved_tpacket = p1st->st_tpacket;
-
-	memcpy(old_iv, p1st->st_iv, p1st->st_iv_len);
-	init_phase2_iv(p1st, &msgid);
-
-	if (!encrypt_message(&r_hdr_pbs, p1st))
-	    impossible();
-
-	setchunk(p1st->st_tpacket, reply_pbs.start, pbs_offset(&reply_pbs));
-	send_packet(p1st, "delete notify");
-	p1st->st_tpacket = saved_tpacket;
-
-	/* get back old IV for this state */
-	memcpy(p1st->st_iv, old_iv, p1st->st_iv_len);
-    }
+			pb_stream del_pbs;
+			struct isakmp_delete isad;
+
+			ns--;
+			isad.isad_doi = ISAKMP_DOI_IPSEC;
+			isad.isad_np = ns == said? ISAKMP_NEXT_NONE : ISAKMP_NEXT_D;
+			isad.isad_spisize = sizeof(ipsec_spi_t);
+			isad.isad_protoid = ns->proto;
+
+			isad.isad_nospi = 1;
+			if (!out_struct(&isad, &isakmp_delete_desc, &r_hdr_pbs, &del_pbs)
+			|| !out_raw(&ns->spi, sizeof(ipsec_spi_t), &del_pbs, "delete payload"))
+				impossible();
+			close_output_pbs(&del_pbs);
+		}
+	}
+
+	/* calculate hash value and patch into Hash Payload */
+	{
+		chunk_t msgid_chunk = chunk_from_thing(msgid);
+		chunk_t msg_chunk = { r_hash_start, r_hdr_pbs.cur-r_hash_start };
+		pseudo_random_function_t prf_alg;
+		prf_t *prf;
+
+		prf_alg = oakley_to_prf(p1st->st_oakley.hash);
+		prf = lib->crypto->create_prf(lib->crypto, prf_alg);
+		prf->set_key(prf, p1st->st_skeyid_a);
+		prf->get_bytes(prf, msgid_chunk, NULL);
+		prf->get_bytes(prf, msg_chunk, r_hashval);
+
+		DBG(DBG_CRYPT,
+			DBG_log("HASH(1) computed:");
+			DBG_dump("", r_hashval, prf->get_block_size(prf));
+		)
+
+		prf->destroy(prf);
+	}
+
+	/* Do a dance to avoid needing a new state object.
+	 * We use the Phase 1 State.  This is the one with right
+	 * IV, for one thing.
+	 * The tricky bits are:
+	 * - we need to preserve (save/restore) st_iv (but not st_iv_new)
+	 * - we need to preserve (save/restore) st_tpacket.
+	 */
+	{
+		u_char old_iv[MAX_DIGEST_LEN];
+		chunk_t saved_tpacket = p1st->st_tpacket;
+
+		memcpy(old_iv, p1st->st_iv, p1st->st_iv_len);
+		init_phase2_iv(p1st, &msgid);
+
+		if (!encrypt_message(&r_hdr_pbs, p1st))
+			impossible();
+
+		p1st->st_tpacket = chunk_create(reply_pbs.start, pbs_offset(&reply_pbs));
+		send_packet(p1st, "delete notify");
+		p1st->st_tpacket = saved_tpacket;
+
+		/* get back old IV for this state */
+		memcpy(p1st->st_iv, old_iv, p1st->st_iv_len);
+	}
 }
 
-void
-accept_delete(struct state *st, struct msg_digest *md, struct payload_digest *p)
+void accept_delete(struct state *st, struct msg_digest *md,
+				   struct payload_digest *p)
 {
-    struct isakmp_delete *d = &(p->payload.delete);
-    size_t sizespi;
-    int i;
-
-    if (!md->encrypted)
-    {
-	loglog(RC_LOG_SERIOUS, "ignoring Delete SA payload: not encrypted");
-	return;
-    }
-
-    if (!IS_ISAKMP_SA_ESTABLISHED(st->st_state))
-    {
-	/* can't happen (if msg is encrypt), but just to be sure */
-	loglog(RC_LOG_SERIOUS, "ignoring Delete SA payload: "
-	"ISAKMP SA not established");
-	return;
-    }
-
-    if (d->isad_nospi == 0)
-    {
-	loglog(RC_LOG_SERIOUS, "ignoring Delete SA payload: no SPI");
-	return;
-    }
-
-    switch (d->isad_protoid)
-    {
-    case PROTO_ISAKMP:
-	sizespi = 2 * COOKIE_SIZE;
-	break;
-    case PROTO_IPSEC_AH:
-    case PROTO_IPSEC_ESP:
-	sizespi = sizeof(ipsec_spi_t);
-	break;
-    case PROTO_IPCOMP:
-	/* nothing interesting to delete */
-	return;
-    default:
-	loglog(RC_LOG_SERIOUS
-	    , "ignoring Delete SA payload: unknown Protocol ID (%s)"
-	    , enum_show(&protocol_names, d->isad_protoid));
-	return;
-    }
-
-    if (d->isad_spisize != sizespi)
-    {
-	loglog(RC_LOG_SERIOUS
-	    , "ignoring Delete SA payload: bad SPI size (%d) for %s"
-	    , d->isad_spisize, enum_show(&protocol_names, d->isad_protoid));
-	return;
-    }
-
-    if (pbs_left(&p->pbs) != d->isad_nospi * sizespi)
-    {
-	loglog(RC_LOG_SERIOUS
-	    , "ignoring Delete SA payload: invalid payload size");
-	return;
-    }
-
-    for (i = 0; i < d->isad_nospi; i++)
-    {
-	u_char *spi = p->pbs.cur + (i * sizespi);
-
-	if (d->isad_protoid == PROTO_ISAKMP)
-	{
-	    /**
-	     * ISAKMP
-	     */
-	    struct state *dst = find_state(spi /*iCookie*/
-		, spi+COOKIE_SIZE /*rCookie*/
-		, &st->st_connection->spd.that.host_addr
-		, MAINMODE_MSGID);
-
-	    if (dst == NULL)
-	    {
-		loglog(RC_LOG_SERIOUS, "ignoring Delete SA payload: "
-		    "ISAKMP SA not found (maybe expired)");
-	    }
-	    else if (!same_peer_ids(st->st_connection, dst->st_connection, NULL))
-	    {
-		/* we've not authenticated the relevant identities */
+	struct isakmp_delete *d = &(p->payload.delete);
+	size_t sizespi;
+	int i;
+
+	if (!md->encrypted)
+	{
+		loglog(RC_LOG_SERIOUS, "ignoring Delete SA payload: not encrypted");
+		return;
+	}
+
+	if (!IS_ISAKMP_SA_ESTABLISHED(st->st_state))
+	{
+		/* can't happen (if msg is encrypt), but just to be sure */
 		loglog(RC_LOG_SERIOUS, "ignoring Delete SA payload: "
-		    "ISAKMP SA used to convey Delete has different IDs from ISAKMP SA it deletes");
-	    }
-	    else
-	    {
-		struct connection *oldc;
-		
-		oldc = cur_connection;
-		set_cur_connection(dst->st_connection);
+		"ISAKMP SA not established");
+		return;
+	}
+
+	if (d->isad_nospi == 0)
+	{
+		loglog(RC_LOG_SERIOUS, "ignoring Delete SA payload: no SPI");
+		return;
+	}
 
-		if (nat_traversal_enabled)
-		    nat_traversal_change_port_lookup(md, dst);
+	switch (d->isad_protoid)
+	{
+	case PROTO_ISAKMP:
+		sizespi = 2 * COOKIE_SIZE;
+		break;
+	case PROTO_IPSEC_AH:
+	case PROTO_IPSEC_ESP:
+		sizespi = sizeof(ipsec_spi_t);
+		break;
+	case PROTO_IPCOMP:
+		/* nothing interesting to delete */
+		return;
+	default:
+		loglog(RC_LOG_SERIOUS
+			, "ignoring Delete SA payload: unknown Protocol ID (%s)"
+			, enum_show(&protocol_names, d->isad_protoid));
+		return;
+	}
 
-		loglog(RC_LOG_SERIOUS, "received Delete SA payload: "
-		    "deleting ISAKMP State #%lu", dst->st_serialno);
-		delete_state(dst);
-		set_cur_connection(oldc);
-	    }
+	if (d->isad_spisize != sizespi)
+	{
+		loglog(RC_LOG_SERIOUS
+			, "ignoring Delete SA payload: bad SPI size (%d) for %s"
+			, d->isad_spisize, enum_show(&protocol_names, d->isad_protoid));
+		return;
 	}
-	else
+
+	if (pbs_left(&p->pbs) != d->isad_nospi * sizespi)
 	{
-	    /**
-	     * IPSEC (ESP/AH)
-	     */
-	    bool bogus;
-	    struct state *dst = find_phase2_state_to_delete(st
-		, d->isad_protoid
-		, *(ipsec_spi_t *)spi	/* network order */
-		, &bogus);
-
-	    if (dst == NULL)
-	    {
 		loglog(RC_LOG_SERIOUS
-		       , "ignoring Delete SA payload: %s SA(0x%08lx) not found (%s)"
-		       , enum_show(&protocol_names, d->isad_protoid)
-		       , (unsigned long)ntohl((unsigned long)*(ipsec_spi_t *)spi)
-		       , bogus ? "our SPI - bogus implementation" : "maybe expired");
-	    }
-	    else
-	    {
-		struct connection *rc = dst->st_connection;
-		struct connection *oldc;
-		
-		oldc = cur_connection;
-		set_cur_connection(rc);
-
-		if (nat_traversal_enabled)
-		    nat_traversal_change_port_lookup(md, dst);
-
-		if (rc->newest_ipsec_sa == dst->st_serialno
-		&& (rc->policy & POLICY_UP))
-		    {
-		    /* Last IPSec SA for a permanent connection that we
-		     * have initiated.  Replace it in a few seconds.
-		     *
-		     * Useful if the other peer is rebooting.
-		     */
-#define DELETE_SA_DELAY  EVENT_RETRANSMIT_DELAY_0
-		    if (dst->st_event != NULL
-		    && dst->st_event->ev_type == EVENT_SA_REPLACE
-		    && dst->st_event->ev_time <= DELETE_SA_DELAY + now())
-		    {
-			/* Patch from Angus Lees to ignore retransmited
-			 * Delete SA.
+			, "ignoring Delete SA payload: invalid payload size");
+		return;
+	}
+
+	for (i = 0; i < d->isad_nospi; i++)
+	{
+		u_char *spi = p->pbs.cur + (i * sizespi);
+
+		if (d->isad_protoid == PROTO_ISAKMP)
+		{
+			/**
+			 * ISAKMP
 			 */
-			loglog(RC_LOG_SERIOUS, "received Delete SA payload: "
-			    "already replacing IPSEC State #%lu in %d seconds"
-			    , dst->st_serialno, (int)(dst->st_event->ev_time - now()));
-		    }
-		    else
-		    {
-			loglog(RC_LOG_SERIOUS, "received Delete SA payload: "
-			    "replace IPSEC State #%lu in %d seconds"
-			    , dst->st_serialno, DELETE_SA_DELAY);
-			dst->st_margin = DELETE_SA_DELAY;
-			delete_event(dst);
-			event_schedule(EVENT_SA_REPLACE, DELETE_SA_DELAY, dst);
-		    }
+			struct state *dst = find_state(spi /*iCookie*/
+				, spi+COOKIE_SIZE /*rCookie*/
+				, &st->st_connection->spd.that.host_addr
+				, MAINMODE_MSGID);
+
+			if (dst == NULL)
+			{
+				loglog(RC_LOG_SERIOUS, "ignoring Delete SA payload: "
+					"ISAKMP SA not found (maybe expired)");
+			}
+			else if (!same_peer_ids(st->st_connection, dst->st_connection, NULL))
+			{
+				/* we've not authenticated the relevant identities */
+				loglog(RC_LOG_SERIOUS, "ignoring Delete SA payload: "
+					"ISAKMP SA used to convey Delete has different IDs from ISAKMP SA it deletes");
+			}
+			else
+			{
+				struct connection *oldc;
+				
+				oldc = cur_connection;
+				set_cur_connection(dst->st_connection);
+
+				if (nat_traversal_enabled)
+					nat_traversal_change_port_lookup(md, dst);
+
+				loglog(RC_LOG_SERIOUS, "received Delete SA payload: "
+					"deleting ISAKMP State #%lu", dst->st_serialno);
+				delete_state(dst);
+				set_cur_connection(oldc);
+			}
 		}
 		else
 		{
-		    loglog(RC_LOG_SERIOUS, "received Delete SA(0x%08lx) payload: "
-			   "deleting IPSEC State #%lu"
-			   , (unsigned long)ntohl((unsigned long)*(ipsec_spi_t *)spi)
-			   , dst->st_serialno);
-		    delete_state(dst);
-		}
+			/**
+			 * IPSEC (ESP/AH)
+			 */
+			bool bogus;
+			struct state *dst = find_phase2_state_to_delete(st
+				, d->isad_protoid
+				, *(ipsec_spi_t *)spi   /* network order */
+				, &bogus);
 
-		/* reset connection */
-		set_cur_connection(oldc);
-	    }
+			if (dst == NULL)
+			{
+				loglog(RC_LOG_SERIOUS
+					   , "ignoring Delete SA payload: %s SA(0x%08lx) not found (%s)"
+					   , enum_show(&protocol_names, d->isad_protoid)
+					   , (unsigned long)ntohl((unsigned long)*(ipsec_spi_t *)spi)
+					   , bogus ? "our SPI - bogus implementation" : "maybe expired");
+			}
+			else
+			{
+				struct connection *rc = dst->st_connection;
+				struct connection *oldc;
+				
+				oldc = cur_connection;
+				set_cur_connection(rc);
+
+				if (nat_traversal_enabled)
+					nat_traversal_change_port_lookup(md, dst);
+
+				if (rc->newest_ipsec_sa == dst->st_serialno
+				&& (rc->policy & POLICY_UP))
+					{
+					/* Last IPSec SA for a permanent connection that we
+					 * have initiated.  Replace it in a few seconds.
+					 *
+					 * Useful if the other peer is rebooting.
+					 */
+#define DELETE_SA_DELAY  EVENT_RETRANSMIT_DELAY_0
+					if (dst->st_event != NULL
+					&& dst->st_event->ev_type == EVENT_SA_REPLACE
+					&& dst->st_event->ev_time <= DELETE_SA_DELAY + now())
+					{
+						/* Patch from Angus Lees to ignore retransmited
+						 * Delete SA.
+						 */
+						loglog(RC_LOG_SERIOUS, "received Delete SA payload: "
+							"already replacing IPSEC State #%lu in %d seconds"
+							, dst->st_serialno, (int)(dst->st_event->ev_time - now()));
+					}
+					else
+					{
+						loglog(RC_LOG_SERIOUS, "received Delete SA payload: "
+							"replace IPSEC State #%lu in %d seconds"
+							, dst->st_serialno, DELETE_SA_DELAY);
+						dst->st_margin = DELETE_SA_DELAY;
+						delete_event(dst);
+						event_schedule(EVENT_SA_REPLACE, DELETE_SA_DELAY, dst);
+					}
+				}
+				else
+				{
+					loglog(RC_LOG_SERIOUS, "received Delete SA(0x%08lx) payload: "
+						   "deleting IPSEC State #%lu"
+						   , (unsigned long)ntohl((unsigned long)*(ipsec_spi_t *)spi)
+						   , dst->st_serialno);
+					delete_state(dst);
+				}
+
+				/* reset connection */
+				set_cur_connection(oldc);
+			}
+		}
 	}
-    }
 }
 
 /* The whole message must be a multiple of 4 octets.
@@ -869,14 +850,13 @@ accept_delete(struct state *st, struct msg_digest *md, struct payload_digest *p)
  * rfc2408 3.6 Transform Payload.
  * Note: it talks about 4 BYTE boundaries!
  */
-void
-close_message(pb_stream *pbs)
+void close_message(pb_stream *pbs)
 {
-    size_t padding =  pad_up(pbs_offset(pbs), 4);
+	size_t padding =  pad_up(pbs_offset(pbs), 4);
 
-    if (padding != 0)
-	(void) out_zero(padding, pbs, "message padding");
-    close_output_pbs(pbs);
+	if (padding != 0)
+		(void) out_zero(padding, pbs, "message padding");
+	close_output_pbs(pbs);
 }
 
 /* Initiate an Oakley Main Mode exchange.
@@ -885,225 +865,220 @@ close_message(pb_stream *pbs)
  */
 static stf_status
 main_outI1(int whack_sock, struct connection *c, struct state *predecessor
-    , lset_t policy, unsigned long try)
+	, lset_t policy, unsigned long try)
 {
-    struct state *st = new_state();
-    pb_stream reply;	/* not actually a reply, but you know what I mean */
-    pb_stream rbody;
-
-    int vids_to_send = 0;
-    
-    /* set up new state */
-    st->st_connection = c;
-    set_cur_state(st);	/* we must reset before exit */
-    st->st_policy = policy & ~POLICY_IPSEC_MASK;
-    st->st_whack_sock = whack_sock;
-    st->st_try = try;
-    st->st_state = STATE_MAIN_I1;
-
-    /* determine how many Vendor ID payloads we will be sending */
-    if (SEND_PLUTO_VID)
-	vids_to_send++;
-    if (SEND_CISCO_UNITY_VID)
-	vids_to_send++;
-    if (c->spd.this.cert.type == CERT_PGP)
-	vids_to_send++;
-    if (SEND_XAUTH_VID)
-	vids_to_send++;
-    /* always send DPD Vendor ID */
-	vids_to_send++;
-    if (nat_traversal_enabled)
-	vids_to_send++;
+	struct state *st = new_state();
+	pb_stream reply;    /* not actually a reply, but you know what I mean */
+	pb_stream rbody;
+
+	int vids_to_send = 0;
+	
+	/* set up new state */
+	st->st_connection = c;
+	set_cur_state(st);  /* we must reset before exit */
+	st->st_policy = policy & ~POLICY_IPSEC_MASK;
+	st->st_whack_sock = whack_sock;
+	st->st_try = try;
+	st->st_state = STATE_MAIN_I1;
+
+	/* determine how many Vendor ID payloads we will be sending */
+	if (SEND_PLUTO_VID)
+		vids_to_send++;
+	if (SEND_CISCO_UNITY_VID)
+		vids_to_send++;
+	if (c->spd.this.cert.type == CERT_PGP)
+		vids_to_send++;
+	if (SEND_XAUTH_VID)
+		vids_to_send++;
+	/* always send DPD Vendor ID */
+		vids_to_send++;
+	if (nat_traversal_enabled)
+		vids_to_send++;
 
    get_cookie(TRUE, st->st_icookie, COOKIE_SIZE, &c->spd.that.host_addr);
 
-    insert_state(st);	/* needs cookies, connection, and msgid (0) */
+	insert_state(st);   /* needs cookies, connection, and msgid (0) */
 
-    if (HAS_IPSEC_POLICY(policy))
-	add_pending(dup_any(whack_sock), st, c, policy, 1
-	    , predecessor == NULL? SOS_NOBODY : predecessor->st_serialno);
+	if (HAS_IPSEC_POLICY(policy))
+		add_pending(dup_any(whack_sock), st, c, policy, 1
+			, predecessor == NULL? SOS_NOBODY : predecessor->st_serialno);
 
-    if (predecessor == NULL)
-	plog("initiating Main Mode");
-    else
-	plog("initiating Main Mode to replace #%lu", predecessor->st_serialno);
+	if (predecessor == NULL)
+		plog("initiating Main Mode");
+	else
+		plog("initiating Main Mode to replace #%lu", predecessor->st_serialno);
 
-    /* set up reply */
-    init_pbs(&reply, reply_buffer, sizeof(reply_buffer), "reply packet");
+	/* set up reply */
+	init_pbs(&reply, reply_buffer, sizeof(reply_buffer), "reply packet");
 
-    /* HDR out */
-    {
-	struct isakmp_hdr hdr;
+	/* HDR out */
+	{
+		struct isakmp_hdr hdr;
 
-	zero(&hdr);	/* default to 0 */
-	hdr.isa_version = ISAKMP_MAJOR_VERSION << ISA_MAJ_SHIFT | ISAKMP_MINOR_VERSION;
-	hdr.isa_np = ISAKMP_NEXT_SA;
-	hdr.isa_xchg = ISAKMP_XCHG_IDPROT;
-	memcpy(hdr.isa_icookie, st->st_icookie, COOKIE_SIZE);
-	/* R-cookie, flags and MessageID are left zero */
+		zero(&hdr);     /* default to 0 */
+		hdr.isa_version = ISAKMP_MAJOR_VERSION << ISA_MAJ_SHIFT | ISAKMP_MINOR_VERSION;
+		hdr.isa_np = ISAKMP_NEXT_SA;
+		hdr.isa_xchg = ISAKMP_XCHG_IDPROT;
+		memcpy(hdr.isa_icookie, st->st_icookie, COOKIE_SIZE);
+		/* R-cookie, flags and MessageID are left zero */
 
-	if (!out_struct(&hdr, &isakmp_hdr_desc, &reply, &rbody))
-	{
-	    reset_cur_state();
-	    return STF_INTERNAL_ERROR;
+		if (!out_struct(&hdr, &isakmp_hdr_desc, &reply, &rbody))
+		{
+			reset_cur_state();
+			return STF_INTERNAL_ERROR;
+		}
 	}
-    }
 
-    /* SA out */
-    {
-	u_char *sa_start = rbody.cur;
-
-	if (!out_sa(&rbody, &oakley_sadb, st, TRUE
-	, vids_to_send-- ? ISAKMP_NEXT_VID : ISAKMP_NEXT_NONE))
+	/* SA out */
 	{
-	    reset_cur_state();
-	    return STF_INTERNAL_ERROR;
-	}
+		u_char *sa_start = rbody.cur;
 
-	/* save initiator SA for later HASH */
-	passert(st->st_p1isa.ptr == NULL);	/* no leak!  (MUST be first time) */
-	clonetochunk(st->st_p1isa, sa_start, rbody.cur - sa_start
-	    , "sa in main_outI1");
-    }
+		if (!out_sa(&rbody, &oakley_sadb, st, TRUE
+		, vids_to_send-- ? ISAKMP_NEXT_VID : ISAKMP_NEXT_NONE))
+		{
+			reset_cur_state();
+			return STF_INTERNAL_ERROR;
+		}
 
-    /* if enabled send Pluto Vendor ID */
-    if (SEND_PLUTO_VID)
-    {
-	if (!out_vendorid(vids_to_send-- ? ISAKMP_NEXT_VID : ISAKMP_NEXT_NONE
-	, &rbody, VID_STRONGSWAN))
+		/* save initiator SA for later HASH */
+		passert(st->st_p1isa.ptr == NULL);      /* no leak!  (MUST be first time) */
+		st->st_p1isa = chunk_create(sa_start, rbody.cur - sa_start);
+		st->st_p1isa = chunk_clone(st->st_p1isa);
+	}
+
+	/* if enabled send Pluto Vendor ID */
+	if (SEND_PLUTO_VID)
 	{
-	    reset_cur_state();
-	    return STF_INTERNAL_ERROR;
+		if (!out_vendorid(vids_to_send-- ? ISAKMP_NEXT_VID : ISAKMP_NEXT_NONE
+		, &rbody, VID_STRONGSWAN))
+		{
+			reset_cur_state();
+			return STF_INTERNAL_ERROR;
+		}
 	}
-    }
 
-    /* if enabled send Cisco Unity Vendor ID */
-    if (SEND_CISCO_UNITY_VID)
-    {
-	if (!out_vendorid(vids_to_send-- ? ISAKMP_NEXT_VID : ISAKMP_NEXT_NONE
-	, &rbody, VID_CISCO_UNITY))
+	/* if enabled send Cisco Unity Vendor ID */
+	if (SEND_CISCO_UNITY_VID)
 	{
-	    reset_cur_state();
-	    return STF_INTERNAL_ERROR;
+		if (!out_vendorid(vids_to_send-- ? ISAKMP_NEXT_VID : ISAKMP_NEXT_NONE
+		, &rbody, VID_CISCO_UNITY))
+		{
+			reset_cur_state();
+			return STF_INTERNAL_ERROR;
+		}
 	}
-    }
-    /* if we  have an OpenPGP certificate we assume an
-     * OpenPGP peer and have to send the Vendor ID
-     */
-    if (c->spd.this.cert.type == CERT_PGP)
-    {
-	if (!out_vendorid(vids_to_send-- ? ISAKMP_NEXT_VID : ISAKMP_NEXT_NONE
-	, &rbody, VID_OPENPGP))
+	/* if we  have an OpenPGP certificate we assume an
+	 * OpenPGP peer and have to send the Vendor ID
+	 */
+	if (c->spd.this.cert.type == CERT_PGP)
 	{
-	    reset_cur_state();
-	    return STF_INTERNAL_ERROR;
+		if (!out_vendorid(vids_to_send-- ? ISAKMP_NEXT_VID : ISAKMP_NEXT_NONE
+		, &rbody, VID_OPENPGP))
+		{
+			reset_cur_state();
+			return STF_INTERNAL_ERROR;
+		}
 	}
-    }
 
-    /* Announce our ability to do eXtended AUTHentication to the peer */
-    if (SEND_XAUTH_VID)
-    {
-	if (!out_vendorid(vids_to_send-- ? ISAKMP_NEXT_VID : ISAKMP_NEXT_NONE
-	, &rbody, VID_MISC_XAUTH))
+	/* Announce our ability to do eXtended AUTHentication to the peer */
+	if (SEND_XAUTH_VID)
 	{
-	    reset_cur_state();
-	    return STF_INTERNAL_ERROR;
+		if (!out_vendorid(vids_to_send-- ? ISAKMP_NEXT_VID : ISAKMP_NEXT_NONE
+		, &rbody, VID_MISC_XAUTH))
+		{
+			reset_cur_state();
+			return STF_INTERNAL_ERROR;
+		}
 	}
-    }
 
-    /* Announce our ability to do Dead Peer Detection to the peer */
-    {
-	if (!out_vendorid(vids_to_send-- ? ISAKMP_NEXT_VID : ISAKMP_NEXT_NONE
-	, &rbody, VID_MISC_DPD))
+	/* Announce our ability to do Dead Peer Detection to the peer */
 	{
-	    reset_cur_state();
-	    return STF_INTERNAL_ERROR;
+		if (!out_vendorid(vids_to_send-- ? ISAKMP_NEXT_VID : ISAKMP_NEXT_NONE
+		, &rbody, VID_MISC_DPD))
+		{
+			reset_cur_state();
+			return STF_INTERNAL_ERROR;
+		}
 	}
-    }
 
-    if (nat_traversal_enabled)
-    {
-	/* Add supported NAT-Traversal VID */
-	if (!nat_traversal_add_vid(vids_to_send-- ? ISAKMP_NEXT_VID : ISAKMP_NEXT_NONE
-	, &rbody))
+	if (nat_traversal_enabled)
 	{
-	    reset_cur_state();
-	    return STF_INTERNAL_ERROR;
+		/* Add supported NAT-Traversal VID */
+		if (!nat_traversal_add_vid(vids_to_send-- ? ISAKMP_NEXT_VID : ISAKMP_NEXT_NONE
+		, &rbody))
+		{
+			reset_cur_state();
+			return STF_INTERNAL_ERROR;
+		}
 	}
-    }
-
-    close_message(&rbody);
-    close_output_pbs(&reply);
 
-    clonetochunk(st->st_tpacket, reply.start, pbs_offset(&reply)
-	, "reply packet for main_outI1");
+	close_message(&rbody);
+	close_output_pbs(&reply);
+	st->st_tpacket = chunk_create(reply.start, pbs_offset(&reply));
+	st->st_tpacket = chunk_clone(st->st_tpacket);
 
-    /* Transmit */
+	/* Transmit */
 
-    send_packet(st, "main_outI1");
+	send_packet(st, "main_outI1");
 
-    /* Set up a retransmission event, half a minute henceforth */
-    delete_event(st);
-    event_schedule(EVENT_RETRANSMIT, EVENT_RETRANSMIT_DELAY_0, st);
+	/* Set up a retransmission event, half a minute henceforth */
+	delete_event(st);
+	event_schedule(EVENT_RETRANSMIT, EVENT_RETRANSMIT_DELAY_0, st);
 
-    if (predecessor != NULL)
-    {
-	update_pending(predecessor, st);
-	whack_log(RC_NEW_STATE + STATE_MAIN_I1
-	    , "%s: initiate, replacing #%lu"
-	    , enum_name(&state_names, st->st_state)
-	    , predecessor->st_serialno);
-    }
-    else
-    {
-	whack_log(RC_NEW_STATE + STATE_MAIN_I1
-	    , "%s: initiate", enum_name(&state_names, st->st_state));
-    }
-    reset_cur_state();
-    return STF_OK;
+	if (predecessor != NULL)
+	{
+		update_pending(predecessor, st);
+		whack_log(RC_NEW_STATE + STATE_MAIN_I1
+			, "%s: initiate, replacing #%lu"
+			, enum_name(&state_names, st->st_state)
+			, predecessor->st_serialno);
+	}
+	else
+	{
+		whack_log(RC_NEW_STATE + STATE_MAIN_I1
+			, "%s: initiate", enum_name(&state_names, st->st_state));
+	}
+	reset_cur_state();
+	return STF_OK;
 }
 
-void
-ipsecdoi_initiate(int whack_sock
-, struct connection *c
-, lset_t policy
-, unsigned long try
-, so_serial_t replacing)
+void ipsecdoi_initiate(int whack_sock, struct connection *c, lset_t policy,
+					   unsigned long try, so_serial_t replacing)
 {
-    /* If there's already an ISAKMP SA established, use that and
-     * go directly to Quick Mode.  We are even willing to use one
-     * that is still being negotiated, but only if we are the Initiator
-     * (thus we can be sure that the IDs are not going to change;
-     * other issues around intent might matter).
-     * Note: there is no way to initiate with a Road Warrior.
-     */
-    struct state *st = find_phase1_state(c
-	, ISAKMP_SA_ESTABLISHED_STATES | PHASE1_INITIATOR_STATES);
-
-    if (st == NULL)
-    {
-	(void) main_outI1(whack_sock, c, NULL, policy, try);
-    }
-    else if (HAS_IPSEC_POLICY(policy))
-    {
-	if (!IS_ISAKMP_SA_ESTABLISHED(st->st_state))
+	/* If there's already an ISAKMP SA established, use that and
+	 * go directly to Quick Mode.  We are even willing to use one
+	 * that is still being negotiated, but only if we are the Initiator
+	 * (thus we can be sure that the IDs are not going to change;
+	 * other issues around intent might matter).
+	 * Note: there is no way to initiate with a Road Warrior.
+	 */
+	struct state *st = find_phase1_state(c
+		, ISAKMP_SA_ESTABLISHED_STATES | PHASE1_INITIATOR_STATES);
+
+	if (st == NULL)
+	{
+		(void) main_outI1(whack_sock, c, NULL, policy, try);
+	}
+	else if (HAS_IPSEC_POLICY(policy))
 	{
-	    /* leave our Phase 2 negotiation pending */
-	    add_pending(whack_sock, st, c, policy, try, replacing);
+		if (!IS_ISAKMP_SA_ESTABLISHED(st->st_state))
+		{
+			/* leave our Phase 2 negotiation pending */
+			add_pending(whack_sock, st, c, policy, try, replacing);
+		}
+		else
+		{
+			/* ??? we assume that peer_nexthop_sin isn't important:
+			 * we already have it from when we negotiated the ISAKMP SA!
+			 * It isn't clear what to do with the error return.
+			 */
+			(void) quick_outI1(whack_sock, st, c, policy, try, replacing);
+		}
 	}
 	else
 	{
-	    /* ??? we assume that peer_nexthop_sin isn't important:
-	     * we already have it from when we negotiated the ISAKMP SA!
-	     * It isn't clear what to do with the error return.
-	     */
-	    (void) quick_outI1(whack_sock, st, c, policy, try, replacing);
-	}
-    }
-    else
-    {
-	close_any(whack_sock);
-    }
+		close_any(whack_sock);
+	}
 }
 
 /* Replace SA with a fresh one that is similar
@@ -1115,221 +1090,264 @@ ipsecdoi_initiate(int whack_sock
  * - duplicate whack fd, if live.
  * Does not delete the old state -- someone else will do that.
  */
-void
-ipsecdoi_replace(struct state *st, unsigned long try)
+void ipsecdoi_replace(struct state *st, unsigned long try)
 {
-    int whack_sock = dup_any(st->st_whack_sock);
-    lset_t policy = st->st_policy;
-
-    if (IS_PHASE1(st->st_state))
-    {
-	passert(!HAS_IPSEC_POLICY(policy));
-	(void) main_outI1(whack_sock, st->st_connection, st, policy, try);
-    }
-    else
-    {
-	/* Add features of actual old state to policy.  This ensures
-	 * that rekeying doesn't downgrade security.  I admit that
-	 * this doesn't capture everything.
-	 */
-	if (st->st_pfs_group != NULL)
-	    policy |= POLICY_PFS;
-	if (st->st_ah.present)
+	int whack_sock = dup_any(st->st_whack_sock);
+	lset_t policy = st->st_policy;
+
+	if (IS_PHASE1(st->st_state))
 	{
-	    policy |= POLICY_AUTHENTICATE;
-	    if (st->st_ah.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL)
-		policy |= POLICY_TUNNEL;
+		passert(!HAS_IPSEC_POLICY(policy));
+		(void) main_outI1(whack_sock, st->st_connection, st, policy, try);
 	}
-	if (st->st_esp.present && st->st_esp.attrs.transid != ESP_NULL)
+	else
 	{
-	    policy |= POLICY_ENCRYPT;
-	    if (st->st_esp.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL)
-		policy |= POLICY_TUNNEL;
+		/* Add features of actual old state to policy.  This ensures
+		 * that rekeying doesn't downgrade security.  I admit that
+		 * this doesn't capture everything.
+		 */
+		if (st->st_pfs_group != NULL)
+			policy |= POLICY_PFS;
+		if (st->st_ah.present)
+		{
+			policy |= POLICY_AUTHENTICATE;
+			if (st->st_ah.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL)
+				policy |= POLICY_TUNNEL;
+		}
+		if (st->st_esp.present && st->st_esp.attrs.transid != ESP_NULL)
+		{
+			policy |= POLICY_ENCRYPT;
+			if (st->st_esp.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL)
+				policy |= POLICY_TUNNEL;
+		}
+		if (st->st_ipcomp.present)
+		{
+			policy |= POLICY_COMPRESS;
+			if (st->st_ipcomp.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL)
+				policy |= POLICY_TUNNEL;
+		}
+		passert(HAS_IPSEC_POLICY(policy));
+		ipsecdoi_initiate(whack_sock, st->st_connection, policy, try
+			, st->st_serialno);
 	}
-	if (st->st_ipcomp.present)
-	{
-	    policy |= POLICY_COMPRESS;
-	    if (st->st_ipcomp.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL)
-		policy |= POLICY_TUNNEL;
-	}
-	passert(HAS_IPSEC_POLICY(policy));
-	ipsecdoi_initiate(whack_sock, st->st_connection, policy, try
-	    , st->st_serialno);
-    }
 }
 
 /* SKEYID for preshared keys.
  * See draft-ietf-ipsec-ike-01.txt 4.1
  */
-static bool
-skeyid_preshared(struct state *st)
+static bool skeyid_preshared(struct state *st)
 {
-    const chunk_t *pss = get_preshared_secret(st->st_connection);
+	const chunk_t *pss = get_preshared_secret(st->st_connection);
 
-    if (pss == NULL)
-    {
-	loglog(RC_LOG_SERIOUS, "preshared secret disappeared!");
-	return FALSE;
-    }
-    else
-    {
-	struct hmac_ctx ctx;
-
-	hmac_init_chunk(&ctx, st->st_oakley.hasher, *pss);
-	hmac_update_chunk(&ctx, st->st_ni);
-	hmac_update_chunk(&ctx, st->st_nr);
-	hmac_final_chunk(st->st_skeyid, "st_skeyid in skeyid_preshared()", &ctx);
-	return TRUE;
-    }
+	if (pss == NULL)
+	{
+		loglog(RC_LOG_SERIOUS, "preshared secret disappeared!");
+		return FALSE;
+	}
+	else
+	{
+		pseudo_random_function_t prf_alg;
+		prf_t *prf;
+
+		prf_alg = oakley_to_prf(st->st_oakley.hash);
+		prf = lib->crypto->create_prf(lib->crypto, prf_alg);
+		if (prf == NULL)
+		{
+			loglog(RC_LOG_SERIOUS, "%N not available to compute skeyid",
+									pseudo_random_function_names, prf_alg);
+		return FALSE;
+		}
+		free(st->st_skeyid.ptr);
+		prf->set_key(prf, *pss);
+		prf->allocate_bytes(prf, st->st_ni, NULL);
+		prf->allocate_bytes(prf, st->st_nr, &st->st_skeyid);
+		prf->destroy(prf);
+		return TRUE;
+	}
 }
 
 static bool
 skeyid_digisig(struct state *st)
 {
-    struct hmac_ctx ctx;
-    chunk_t nir;
-
-    /* We need to hmac_init with the concatenation of Ni_b and Nr_b,
-     * so we have to build a temporary concatentation.
-     */
-    nir.len = st->st_ni.len + st->st_nr.len;
-    nir.ptr = alloc_bytes(nir.len, "Ni + Nr in skeyid_digisig");
-    memcpy(nir.ptr, st->st_ni.ptr, st->st_ni.len);
-    memcpy(nir.ptr+st->st_ni.len, st->st_nr.ptr, st->st_nr.len);
-    hmac_init_chunk(&ctx, st->st_oakley.hasher, nir);
-    pfree(nir.ptr);
-
-    hmac_update_chunk(&ctx, st->st_shared);
-    hmac_final_chunk(st->st_skeyid, "st_skeyid in skeyid_digisig()", &ctx);
-    return TRUE;
+	chunk_t nir;
+	pseudo_random_function_t prf_alg;
+	prf_t *prf;
+
+	prf_alg = oakley_to_prf(st->st_oakley.hash);
+	prf = lib->crypto->create_prf(lib->crypto, prf_alg);
+	if (prf == NULL)
+	{
+		loglog(RC_LOG_SERIOUS, "%N not available to compute skeyid",
+								pseudo_random_function_names, prf_alg);
+		return FALSE;
+	}
+	free(st->st_skeyid.ptr);
+	nir = chunk_cat("cc", st->st_ni, st->st_nr);
+	prf->set_key(prf, nir);
+	prf->allocate_bytes(prf, st->st_shared, &st->st_skeyid);
+	prf->destroy(prf);
+	free(nir.ptr);
+	return TRUE;
 }
 
 /* Generate the SKEYID_* and new IV
  * See draft-ietf-ipsec-ike-01.txt 4.1
  */
-static bool
-generate_skeyids_iv(struct state *st)
+static bool generate_skeyids_iv(struct state *st)
 {
-    /* Generate the SKEYID */
-    switch (st->st_oakley.auth)
-    {
-	case OAKLEY_PRESHARED_KEY:
-	case XAUTHInitPreShared:
-	case XAUTHRespPreShared:
-	    if (!skeyid_preshared(st))
-		return FALSE;
-	    break;
+	/* Generate the SKEYID */
+	switch (st->st_oakley.auth)
+	{
+		case OAKLEY_PRESHARED_KEY:
+		case XAUTHInitPreShared:
+		case XAUTHRespPreShared:
+			if (!skeyid_preshared(st))
+			{
+				return FALSE;
+			}
+			break;
 
-	case OAKLEY_RSA_SIG:
-	case XAUTHInitRSA:
-	case XAUTHRespRSA:
-	    if (!skeyid_digisig(st))
-		return FALSE;
-	    break;
+		case OAKLEY_RSA_SIG:
+		case OAKLEY_ECDSA_256:
+		case OAKLEY_ECDSA_384:
+		case OAKLEY_ECDSA_521:
+		case XAUTHInitRSA:
+		case XAUTHRespRSA:
+			if (!skeyid_digisig(st))
+			{
+				return FALSE;
+			}
+			break;
 
-	case OAKLEY_DSS_SIG:
-	    /* XXX */
+		case OAKLEY_DSS_SIG:
+			/* XXX */
 
-	case OAKLEY_RSA_ENC:
-	case OAKLEY_RSA_ENC_REV:
-	case OAKLEY_ELGAMAL_ENC:
-	case OAKLEY_ELGAMAL_ENC_REV:
-	    /* XXX */
+		case OAKLEY_RSA_ENC:
+		case OAKLEY_RSA_ENC_REV:
+		case OAKLEY_ELGAMAL_ENC:
+		case OAKLEY_ELGAMAL_ENC_REV:
+			/* XXX */
 
-	default:
-	    bad_case(st->st_oakley.auth);
-    }
-
-    /* generate SKEYID_* from SKEYID */
-    {
-	struct hmac_ctx ctx;
-
-	hmac_init_chunk(&ctx, st->st_oakley.hasher, st->st_skeyid);
-
-	/* SKEYID_D */
-	hmac_update_chunk(&ctx, st->st_shared);
-	hmac_update(&ctx, st->st_icookie, COOKIE_SIZE);
-	hmac_update(&ctx, st->st_rcookie, COOKIE_SIZE);
-	hmac_update(&ctx, "\0", 1);
-	hmac_final_chunk(st->st_skeyid_d, "st_skeyid_d in generate_skeyids_iv()", &ctx);
-
-	/* SKEYID_A */
-	hmac_reinit(&ctx);
-	hmac_update_chunk(&ctx, st->st_skeyid_d);
-	hmac_update_chunk(&ctx, st->st_shared);
-	hmac_update(&ctx, st->st_icookie, COOKIE_SIZE);
-	hmac_update(&ctx, st->st_rcookie, COOKIE_SIZE);
-	hmac_update(&ctx, "\1", 1);
-	hmac_final_chunk(st->st_skeyid_a, "st_skeyid_a in generate_skeyids_iv()", &ctx);
-
-	/* SKEYID_E */
-	hmac_reinit(&ctx);
-	hmac_update_chunk(&ctx, st->st_skeyid_a);
-	hmac_update_chunk(&ctx, st->st_shared);
-	hmac_update(&ctx, st->st_icookie, COOKIE_SIZE);
-	hmac_update(&ctx, st->st_rcookie, COOKIE_SIZE);
-	hmac_update(&ctx, "\2", 1);
-	hmac_final_chunk(st->st_skeyid_e, "st_skeyid_e in generate_skeyids_iv()", &ctx);
-    }
-
-    /* generate IV */
-    {
-	union hash_ctx hash_ctx;
-	const struct hash_desc *h = st->st_oakley.hasher;
-
-	st->st_new_iv_len = h->hash_digest_size;
-	passert(st->st_new_iv_len <= sizeof(st->st_new_iv));
+		default:
+			bad_case(st->st_oakley.auth);
+	}
+
+	/* generate SKEYID_* from SKEYID */
+	{
+		char buf_skeyid_d[] = { 0x00 };
+		char buf_skeyid_a[] = { 0x01 };
+		char buf_skeyid_e[] = { 0x02 };
+		chunk_t seed_skeyid_d = chunk_from_buf(buf_skeyid_d);
+		chunk_t seed_skeyid_a = chunk_from_buf(buf_skeyid_a);
+		chunk_t seed_skeyid_e = chunk_from_buf(buf_skeyid_e);
+		chunk_t icookie = { st->st_icookie, COOKIE_SIZE };
+		chunk_t rcookie = { st->st_rcookie, COOKIE_SIZE };
+		pseudo_random_function_t prf_alg;
+		prf_t *prf;
+
+		prf_alg = oakley_to_prf(st->st_oakley.hash);
+		prf = lib->crypto->create_prf(lib->crypto, prf_alg);
+		prf->set_key(prf, st->st_skeyid);
+
+		/* SKEYID_D */
+		free(st->st_skeyid_d.ptr);
+		prf->allocate_bytes(prf, st->st_shared, NULL);
+		prf->allocate_bytes(prf, icookie, NULL);
+		prf->allocate_bytes(prf, rcookie, NULL);
+		prf->allocate_bytes(prf, seed_skeyid_d, &st->st_skeyid_d); 
+
+		/* SKEYID_A */
+		free(st->st_skeyid_a.ptr);
+		prf->allocate_bytes(prf, st->st_skeyid_d, NULL);
+		prf->allocate_bytes(prf, st->st_shared, NULL);
+		prf->allocate_bytes(prf, icookie, NULL);
+		prf->allocate_bytes(prf, rcookie, NULL);
+		prf->allocate_bytes(prf, seed_skeyid_a, &st->st_skeyid_a); 
+
+		/* SKEYID_E */
+		free(st->st_skeyid_e.ptr);
+		prf->allocate_bytes(prf, st->st_skeyid_a, NULL);
+		prf->allocate_bytes(prf, st->st_shared, NULL);
+		prf->allocate_bytes(prf, icookie, NULL);
+		prf->allocate_bytes(prf, rcookie, NULL);
+		prf->allocate_bytes(prf, seed_skeyid_e, &st->st_skeyid_e); 
+
+		prf->destroy(prf);
+	}
+
+	/* generate IV */
+	{
+		hash_algorithm_t hash_alg;
+		hasher_t *hasher;
+
+		hash_alg = oakley_to_hash_algorithm(st->st_oakley.hash);
+		hasher = lib->crypto->create_hasher(lib->crypto, hash_alg);
+		st->st_new_iv_len = hasher->get_hash_size(hasher);
+		passert(st->st_new_iv_len <= sizeof(st->st_new_iv));
+
+		DBG(DBG_CRYPT,
+			DBG_dump_chunk("DH_i:", st->st_gi);
+			DBG_dump_chunk("DH_r:", st->st_gr);
+		);
+		
+		hasher->get_hash(hasher, st->st_gi, NULL);
+		hasher->get_hash(hasher, st->st_gr, st->st_new_iv);
+		hasher->destroy(hasher);
+	}
+
+	/* Oakley Keying Material
+	 * Derived from Skeyid_e: if it is not big enough, generate more
+	 * using the PRF.
+	 * See RFC 2409 "IKE" Appendix B
+	 */
+	{
+		size_t keysize = st->st_oakley.enckeylen/BITS_PER_BYTE;
+ 
+		/* free any existing key */
+		free(st->st_enc_key.ptr);
+
+		if (keysize > st->st_skeyid_e.len)
+		{
+			u_char keytemp[MAX_OAKLEY_KEY_LEN + MAX_DIGEST_LEN];
+			char seed_buf[] = { 0x00 };
+			chunk_t seed = chunk_from_buf(seed_buf);
+			size_t prf_block_size, i;
+			pseudo_random_function_t prf_alg;
+			prf_t *prf;
+
+			prf_alg = oakley_to_prf(st->st_oakley.hash);
+			prf = lib->crypto->create_prf(lib->crypto, prf_alg);
+			prf->set_key(prf, st->st_skeyid_e);
+			prf_block_size = prf->get_block_size(prf);
+			
+			for (i = 0;;)
+			{
+				prf->get_bytes(prf, seed, &keytemp[i]);
+				i += prf_block_size;
+				if (i >= keysize)
+				{
+					break;
+				}
+				seed = chunk_create(&keytemp[i-prf_block_size], prf_block_size);
+			}
+			prf->destroy(prf);
+			st->st_enc_key = chunk_create(keytemp, keysize);
+		}
+		else
+		{
+			st->st_enc_key = chunk_create(st->st_skeyid_e.ptr, keysize);
+		}			
+		st->st_enc_key = chunk_clone(st->st_enc_key);
+	}
 
-        DBG(DBG_CRYPT,
-            DBG_dump_chunk("DH_i:", st->st_gi);
-            DBG_dump_chunk("DH_r:", st->st_gr);
-        );
-	h->hash_init(&hash_ctx);
-	h->hash_update(&hash_ctx, st->st_gi.ptr, st->st_gi.len);
-	h->hash_update(&hash_ctx, st->st_gr.ptr, st->st_gr.len);
-	h->hash_final(st->st_new_iv, &hash_ctx);
-    }
-
-    /* Oakley Keying Material
-     * Derived from Skeyid_e: if it is not big enough, generate more
-     * using the PRF.
-     * See RFC 2409 "IKE" Appendix B
-     */
-    {
-	/* const size_t keysize = st->st_oakley.encrypter->keydeflen/BITS_PER_BYTE; */
-	const size_t keysize = st->st_oakley.enckeylen/BITS_PER_BYTE;
-	u_char keytemp[MAX_OAKLEY_KEY_LEN + MAX_DIGEST_LEN];
-	u_char *k = st->st_skeyid_e.ptr;
-
-	if (keysize > st->st_skeyid_e.len)
-	{
-	    struct hmac_ctx ctx;
-	    size_t i = 0;
-
-	    hmac_init_chunk(&ctx, st->st_oakley.hasher, st->st_skeyid_e);
-	    hmac_update(&ctx, "\0", 1);
-	    for (;;)
-	    {
-		hmac_final(&keytemp[i], &ctx);
-		i += ctx.hmac_digest_size;
-		if (i >= keysize)
-		    break;
-		hmac_reinit(&ctx);
-		hmac_update(&ctx, &keytemp[i - ctx.hmac_digest_size], ctx.hmac_digest_size);
-	    }
-	    k = keytemp;
-	}
-	clonereplacechunk(st->st_enc_key, k, keysize, "st_enc_key");
-    }
-
-    DBG(DBG_CRYPT,
-	DBG_dump_chunk("Skeyid:  ", st->st_skeyid);
-	DBG_dump_chunk("Skeyid_d:", st->st_skeyid_d);
-	DBG_dump_chunk("Skeyid_a:", st->st_skeyid_a);
-	DBG_dump_chunk("Skeyid_e:", st->st_skeyid_e);
-	DBG_dump_chunk("enc key:", st->st_enc_key);
-	DBG_dump("IV:", st->st_new_iv, st->st_new_iv_len));
-    return TRUE;
+	DBG(DBG_CRYPT,
+		DBG_dump_chunk("Skeyid:  ", st->st_skeyid);
+		DBG_dump_chunk("Skeyid_d:", st->st_skeyid_d);
+		DBG_dump_chunk("Skeyid_a:", st->st_skeyid_a);
+		DBG_dump_chunk("Skeyid_e:", st->st_skeyid_e);
+		DBG_dump_chunk("enc key:", st->st_enc_key);
+		DBG_dump("IV:", st->st_new_iv, st->st_new_iv_len));
+	return TRUE;
 }
 
 /* Generate HASH_I or HASH_R for ISAKMP Phase I.
@@ -1338,288 +1356,126 @@ generate_skeyids_iv(struct state *st)
  * If the hashi argument is TRUE, generate HASH_I; if FALSE generate HASH_R.
  * If hashus argument is TRUE, we're generating a hash for our end.
  * See RFC2409 IKE 5.
- *
- * Generating the SIG_I and SIG_R for DSS is an odd perversion of this:
- * Most of the logic is the same, but SHA-1 is used in place of HMAC-whatever.
- * The extensive common logic is embodied in main_mode_hash_body().
- * See draft-ietf-ipsec-ike-01.txt 4.1 and 6.1.1.2
  */
-
-typedef void (*hash_update_t)(union hash_ctx *, const u_char *, size_t) ;
-static void
-main_mode_hash_body(struct state *st
-, bool hashi	/* Initiator? */
-, const pb_stream *idpl	/* ID payload, as PBS */
-, union hash_ctx *ctx
-, void (*hash_update_void)(void *, const u_char *input, size_t))
+ static void main_mode_hash(struct state *st, chunk_t *hash, bool hashi,
+							 const pb_stream *idpl)
 {
-#define HASH_UPDATE_T (union hash_ctx *, const u_char *input, unsigned int len)
-    hash_update_t hash_update=(hash_update_t)  hash_update_void;
-#if 0	/* if desperate to debug hashing */
-#   define hash_update(ctx, input, len) { \
-	DBG_dump("hash input", input, len); \
-	(hash_update)(ctx, input, len); \
+	chunk_t icookie = { st->st_icookie, COOKIE_SIZE };
+	chunk_t rcookie = { st->st_rcookie, COOKIE_SIZE };
+	chunk_t sa_body = { st->st_p1isa.ptr + sizeof(struct isakmp_generic),
+						st->st_p1isa.len - sizeof(struct isakmp_generic) };
+	chunk_t id_body = { idpl->start + sizeof(struct isakmp_generic),
+						pbs_offset(idpl) - sizeof(struct isakmp_generic) };
+	pseudo_random_function_t prf_alg;
+	prf_t *prf;
+
+	switch (st->st_oakley.auth)
+	{
+		case OAKLEY_ECDSA_256:
+			prf_alg = PRF_HMAC_SHA2_256;
+			break;
+		case OAKLEY_ECDSA_384:
+			prf_alg = PRF_HMAC_SHA2_384;
+			break;
+		case OAKLEY_ECDSA_521:
+			prf_alg = PRF_HMAC_SHA2_512;
+			break;
+		default:
+			prf_alg = oakley_to_prf(st->st_oakley.hash);
 	}
-#endif
-
-#   define hash_update_chunk(ctx, ch) hash_update((ctx), (ch).ptr, (ch).len)
-
-    if (hashi)
-    {
-	hash_update_chunk(ctx, st->st_gi);
-	hash_update_chunk(ctx, st->st_gr);
-	hash_update(ctx, st->st_icookie, COOKIE_SIZE);
-	hash_update(ctx, st->st_rcookie, COOKIE_SIZE);
-    }
-    else
-    {
-	hash_update_chunk(ctx, st->st_gr);
-	hash_update_chunk(ctx, st->st_gi);
-	hash_update(ctx, st->st_rcookie, COOKIE_SIZE);
-	hash_update(ctx, st->st_icookie, COOKIE_SIZE);
-    }
-
-    DBG(DBG_CRYPT, DBG_log("hashing %lu bytes of SA"
-	, (unsigned long) (st->st_p1isa.len - sizeof(struct isakmp_generic))));
-
-    /* SA_b */
-    hash_update(ctx, st->st_p1isa.ptr + sizeof(struct isakmp_generic)
-	, st->st_p1isa.len - sizeof(struct isakmp_generic));
-
-    /* Hash identification payload, without generic payload header.
-     * We used to reconstruct ID Payload for this purpose, but now
-     * we use the bytes as they appear on the wire to avoid
-     * "spelling problems".
-     */
-    hash_update(ctx
-	, idpl->start + sizeof(struct isakmp_generic)
-	, pbs_offset(idpl) - sizeof(struct isakmp_generic));
-
-#   undef hash_update_chunk
-#   undef hash_update
-}
-
-static size_t	/* length of hash */
-main_mode_hash(struct state *st
-, u_char *hash_val	/* resulting bytes */
-, bool hashi	/* Initiator? */
-, const pb_stream *idpl)	/* ID payload, as PBS; cur must be at end */
-{
-    struct hmac_ctx ctx;
-
-    hmac_init_chunk(&ctx, st->st_oakley.hasher, st->st_skeyid);
-    main_mode_hash_body(st, hashi, idpl, &ctx.hash_ctx, ctx.h->hash_update);
-    hmac_final(hash_val, &ctx);
-    return ctx.hmac_digest_size;
-}
-
-#if 0	/* only needed for DSS */
-static void
-main_mode_sha1(struct state *st
-, u_char *hash_val	/* resulting bytes */
-, size_t *hash_len	/* length of hash */
-, bool hashi	/* Initiator? */
-, const pb_stream *idpl)	/* ID payload, as PBS */
-{
-    union hash_ctx ctx;
-
-    SHA1Init(&ctx.ctx_sha1);
-    SHA1Update(&ctx.ctx_sha1, st->st_skeyid.ptr, st->st_skeyid.len);
-    *hash_len = SHA1_DIGEST_SIZE;
-    main_mode_hash_body(st, hashi, idpl, &ctx
-	, (void (*)(union hash_ctx *, const u_char *, unsigned int))&SHA1Update);
-    SHA1Final(hash_val, &ctx.ctx_sha1);
-}
-#endif
-
-/* Create an RSA signature of a hash.
- * Poorly specified in draft-ietf-ipsec-ike-01.txt 6.1.1.2.
- * Use PKCS#1 version 1.5 encryption of hash (called
- * RSAES-PKCS1-V1_5) in PKCS#2.
- */
-static size_t
-RSA_sign_hash(struct connection *c
-, u_char sig_val[RSA_MAX_OCTETS]
-, const u_char *hash_val, size_t hash_len)
-{
-    size_t sz = 0;
-    smartcard_t *sc = c->spd.this.sc;
-
-    if (sc == NULL)		/* no smartcard */
-    {
-	const struct RSA_private_key *k = get_RSA_private_key(c);
+	prf = lib->crypto->create_prf(lib->crypto, prf_alg);
+	prf->set_key(prf, st->st_skeyid);
 
-	if (k == NULL)
-	    return 0;	/* failure: no key to use */
-
-	sz = k->pub.k;
-	passert(RSA_MIN_OCTETS <= sz && 4 + hash_len < sz && sz <= RSA_MAX_OCTETS);
-	sign_hash(k, hash_val, hash_len, sig_val, sz);
-    }
-    else if (sc->valid) /* if valid pin then sign hash on the smartcard */
-    {
- 	lock_certs_and_keys("RSA_sign_hash");
-	if (!scx_establish_context(sc) || !scx_login(sc))
+	if (hashi)
 	{
-	    scx_release_context(sc);
-	    unlock_certs_and_keys("RSA_sign_hash");
-	    return 0;
+		prf->get_bytes(prf, st->st_gi, NULL);
+		prf->get_bytes(prf, st->st_gr, NULL);
+		prf->get_bytes(prf, icookie, NULL);
+		prf->get_bytes(prf, rcookie, NULL);
 	}
-
-	sz = scx_get_keylength(sc);
-	if (sz == 0)
+	else
 	{
-	    plog("failed to get keylength from smartcard");
-	    scx_release_context(sc);
-	    unlock_certs_and_keys("RSA_sign_hash");
-	    return 0;
+		prf->get_bytes(prf, st->st_gr, NULL);
+		prf->get_bytes(prf, st->st_gi, NULL);
+		prf->get_bytes(prf, rcookie, NULL);
+		prf->get_bytes(prf, icookie, NULL);
 	}
 
-	DBG(DBG_CONTROL | DBG_CRYPT,
-	    DBG_log("signing hash with RSA key from smartcard (slot: %d, id: %s)"
-		, (int)sc->slot, sc->id)
+	DBG(DBG_CRYPT,
+		DBG_log("hashing %u bytes of SA", sa_body.len)
 	)
-	sz = scx_sign_hash(sc, hash_val, hash_len, sig_val, sz) ? sz : 0;
-	if (!pkcs11_keep_state)
-	    scx_release_context(sc);
-	unlock_certs_and_keys("RSA_sign_hash");
-    }
-    return sz;
+	prf->get_bytes(prf, sa_body, NULL);
+
+	/* Hash identification payload, without generic payload header.
+	 * We used to reconstruct ID Payload for this purpose, but now
+	 * we use the bytes as they appear on the wire to avoid
+	 * "spelling problems".
+	 */
+	prf->get_bytes(prf, id_body, hash->ptr);
+	hash->len = prf->get_block_size(prf);
+	prf->destroy(prf);
 }
 
-/* Check a Main Mode RSA Signature against computed hash using RSA public key k.
- *
- * As a side effect, on success, the public key is copied into the
- * state object to record the authenticator.
- *
- * Can fail because wrong public key is used or because hash disagrees.
- * We distinguish because diagnostics should also.
- *
- * The result is NULL if the Signature checked out.
- * Otherwise, the first character of the result indicates
- * how far along failure occurred.  A greater character signifies
- * greater progress.
- *
- * Classes:
- * 0	reserved for caller
- * 1	SIG length doesn't match key length -- wrong key
- * 2-8	malformed ECB after decryption -- probably wrong key
- * 9	decrypted hash != computed hash -- probably correct key
- *
- * Although the math should be the same for generating and checking signatures,
- * it is not: the knowledge of the private key allows more efficient (i.e.
- * different) computation for encryption.
+/* Create a public key signature of a hash.
+ * Poorly specified in draft-ietf-ipsec-ike-01.txt 6.1.1.2.
+ * Use PKCS#1 version 1.5 encryption of hash (called
+ * RSAES-PKCS1-V1_5) in PKCS#2.
  */
-static err_t
-try_RSA_signature(const u_char hash_val[MAX_DIGEST_LEN], size_t hash_len
-, const pb_stream *sig_pbs, pubkey_t *kr
-, struct state *st)
+static size_t sign_hash(signature_scheme_t scheme, struct connection *c,
+						u_char sig_val[RSA_MAX_OCTETS], chunk_t hash)
 {
-    const u_char *sig_val = sig_pbs->cur;
-    size_t sig_len = pbs_left(sig_pbs);
-    u_char s[RSA_MAX_OCTETS];	/* for decrypted sig_val */
-    u_char *hash_in_s = &s[sig_len - hash_len];
-    const struct RSA_public_key *k = &kr->u.rsa;
-
-    /* decrypt the signature -- reversing RSA_sign_hash */
-    if (sig_len != k->k)
-    {
-	/* XXX notification: INVALID_KEY_INFORMATION */
-	return "1" "SIG length does not match public key length";
-    }
-
-    /* actual exponentiation; see PKCS#1 v2.0 5.1 */
-    {
-	chunk_t temp_s;
-	mpz_t c;
-
-	n_to_mpz(c, sig_val, sig_len);
-	mpz_powm(c, c, &k->e, &k->n);
-
-	temp_s = mpz_to_n(c, sig_len);	/* back to octets */
-	memcpy(s, temp_s.ptr, sig_len);
-	pfree(temp_s.ptr);
-	mpz_clear(c);
-    }
-
-    /* sanity check on signature: see if it matches
-     * PKCS#1 v1.5 8.1 encryption-block formatting
-     */
-    {
-	err_t ugh = NULL;
+	size_t sz = 0;
+	smartcard_t *sc = c->spd.this.sc;
 
-	if (s[0] != 0x00)
-	    ugh = "2" "no leading 00";
-	else if (hash_in_s[-1] != 0x00)
-	    ugh = "3" "00 separator not present";
-	else if (s[1] == 0x01)
+	if (sc == NULL)             /* no smartcard */
 	{
-	    const u_char *p;
+		chunk_t sig;
+		private_key_t *private = get_private_key(c);
 
-	    for (p = &s[2]; p != hash_in_s - 1; p++)
-	    {
-		if (*p != 0xFF)
+		if (private == NULL)
+		{
+			return 0;   /* failure: no key to use */
+		}
+		if (!private->sign(private, scheme, hash, &sig))
 		{
-		    ugh = "4" "invalid Padding String";
-		    break;
+			return 0;
 		}
-	    }
+		memcpy(sig_val, sig.ptr, sig.len);
+		sz = sig.len;
+		free(sig.ptr);
 	}
-	else if (s[1] == 0x02)
+	else if (sc->valid) /* if valid pin then sign hash on the smartcard */
 	{
-	    const u_char *p;
+		lock_certs_and_keys("sign_hash");
+		if (!scx_establish_context(sc) || !scx_login(sc))
+		{
+			scx_release_context(sc);
+			unlock_certs_and_keys("sign_hash");
+			return 0;
+		}
 
-	    for (p = &s[2]; p != hash_in_s - 1; p++)
-	    {
-		if (*p == 0x00)
+		sz = scx_get_keylength(sc);
+		if (sz == 0)
 		{
-		    ugh = "5" "invalid Padding String";
-		    break;
+			plog("failed to get keylength from smartcard");
+			scx_release_context(sc);
+			unlock_certs_and_keys("sign_hash");
+			return 0;
 		}
-	    }
-	}
-	else
-	    ugh = "6" "Block Type not 01 or 02";
 
-	if (ugh != NULL)
-	{
-	    /* note: it might be a good idea to make sure that
-	     * an observer cannot tell what kind of failure happened.
-	     * I don't know what this means in practice.
-	     */
-	    /* We probably selected the wrong public key for peer:
-	     * SIG Payload decrypted into malformed ECB
-	     */
-	    /* XXX notification: INVALID_KEY_INFORMATION */
-	    return ugh;
-	}
-    }
-
-    /* We have the decoded hash: see if it matches. */
-    if (memcmp(hash_val, hash_in_s, hash_len) != 0)
-    {
-	/* good: header, hash, signature, and other payloads well-formed
-	 * good: we could find an RSA Sig key for the peer.
-	 * bad: hash doesn't match
-	 * Guess: sides disagree about key to be used.
-	 */
-	DBG_cond_dump(DBG_CRYPT, "decrypted SIG", s, sig_len);
-	DBG_cond_dump(DBG_CRYPT, "computed HASH", hash_val, hash_len);
-	/* XXX notification: INVALID_HASH_INFORMATION */
-	return "9" "authentication failure: received SIG does not match computed HASH, but message is well-formed";
-    }
-
-    /* Success: copy successful key into state.
-     * There might be an old one if we previously aborted this
-     * state transition.
-     */
-    unreference_key(&st->st_peer_pubkey);
-    st->st_peer_pubkey = reference_key(kr);
-
-    return NULL;    /* happy happy */
+		DBG(DBG_CONTROL | DBG_CRYPT,
+			DBG_log("signing hash with private key from smartcard (slot: %d, id: %s)"
+				, (int)sc->slot, sc->id)
+		)
+		sz = scx_sign_hash(sc, hash.ptr, hash.len, sig_val, sz) ? sz : 0;
+		if (!pkcs11_keep_state)
+			scx_release_context(sc);
+		unlock_certs_and_keys("sign_hash");
+	}
+	return sz;
 }
 
-/* Check signature against all RSA public keys we can find.
+/* Check signature against all public keys we can find.
  * If we need keys from DNS KEY records, and they haven't been fetched,
  * return STF_SUSPEND to ask for asynch DNS lookup.
  *
@@ -1630,227 +1486,195 @@ try_RSA_signature(const u_char hash_val[MAX_DIGEST_LEN], size_t hash_len
  * If only we had coroutines.
  */
 struct tac_state {
-    /* RSA_check_signature's args that take_a_crack needs */
-    struct state *st;
-    const u_char *hash_val;
-    size_t hash_len;
-    const pb_stream *sig_pbs;
-
-    /* state carried between calls */
-    err_t best_ugh;	/* most successful failure */
-    int tried_cnt;	/* number of keys tried */
-    char tried[50];	/* keyids of tried public keys */
-    char *tn;	/* roof of tried[] */
+	struct state *st;
+	chunk_t hash;	
+	chunk_t sig;
+	int tried_cnt;      /* number of keys tried */
 };
 
-static bool
-take_a_crack(struct tac_state *s
-, pubkey_t *kr
-, const char *story USED_BY_DEBUG)
+static bool take_a_crack(struct tac_state *s, pubkey_t *kr)
 {
-    err_t ugh = try_RSA_signature(s->hash_val, s->hash_len, s->sig_pbs
-	, kr, s->st);
-    const struct RSA_public_key *k = &kr->u.rsa;
-
-    s->tried_cnt++;
-    if (ugh == NULL)
-    {
-	DBG(DBG_CRYPT | DBG_CONTROL
-	    , DBG_log("an RSA Sig check passed with *%s [%s]"
-		, k->keyid, story));
-	return TRUE;
-    }
-    else
-    {
-	DBG(DBG_CRYPT
-	    , DBG_log("an RSA Sig check failure %s with *%s [%s]"
-		, ugh + 1, k->keyid, story));
-	if (s->best_ugh == NULL || s->best_ugh[0] < ugh[0])
-	    s->best_ugh = ugh;
-	if (ugh[0] > '0'
-	&& s->tn - s->tried + KEYID_BUF + 2 < (ptrdiff_t)sizeof(s->tried))
-	{
-	    strcpy(s->tn, " *");
-	    strcpy(s->tn + 2, k->keyid);
-	    s->tn += strlen(s->tn);
+	public_key_t *pub_key = kr->public_key;
+	identification_t *keyid = pub_key->get_id(pub_key, ID_PUBKEY_INFO_SHA1);
+	signature_scheme_t scheme;
+
+	s->tried_cnt++;
+	scheme = oakley_to_signature_scheme(s->st->st_oakley.auth);
+
+	if (pub_key->verify(pub_key, scheme, s->hash, s->sig))
+	{
+		DBG(DBG_CRYPT | DBG_CONTROL,
+			DBG_log("%s check passed with keyid %Y",
+					enum_show(&oakley_auth_names, s->st->st_oakley.auth), keyid)
+		)
+		unreference_key(&s->st->st_peer_pubkey);
+		s->st->st_peer_pubkey = reference_key(kr);
+		return TRUE;
+	}
+	else
+	{
+		DBG(DBG_CRYPT,
+			DBG_log("%s check failed with keyid %Y",
+					enum_show(&oakley_auth_names, s->st->st_oakley.auth), keyid)
+		)
+		return FALSE;
 	}
-	return FALSE;
-    }
 }
 
-static stf_status
-RSA_check_signature(const struct id* peer
-, struct state *st
-, const u_char hash_val[MAX_DIGEST_LEN]
-, size_t hash_len
-, const pb_stream *sig_pbs
+static stf_status check_signature(key_type_t key_type, const struct id* peer,
+								  struct state *st, chunk_t hash,
+								  const pb_stream *sig_pbs,
 #ifdef USE_KEYRR
-, const pubkey_list_t *keys_from_dns
+								  const pubkey_list_t *keys_from_dns,
 #endif /* USE_KEYRR */
-, const struct gw_info *gateways_from_dns
-)
+								  const struct gw_info *gateways_from_dns)
 {
-    const struct connection *c = st->st_connection;
-    struct tac_state s;
-    err_t dns_ugh = NULL;
-
-    s.st = st;
-    s.hash_val = hash_val;
-    s.hash_len = hash_len;
-    s.sig_pbs = sig_pbs;
-
-    s.best_ugh = NULL;
-    s.tried_cnt = 0;
-    s.tn = s.tried;
-
-    /* try all gateway records hung off c */
-    if (c->policy & POLICY_OPPO)
-    {
-	struct gw_info *gw;
-
-	for (gw = c->gw_info; gw != NULL; gw = gw->next)
-	{
-	    /* only consider entries that have a key and are for our peer */
-	    if (gw->gw_key_present
-	    && same_id(&gw->gw_id, &c->spd.that.id)
-	    && take_a_crack(&s, gw->key, "key saved from DNS TXT"))
-		return STF_OK;
-	}
-    }
+	const struct connection *c = st->st_connection;
+	struct tac_state s;
 
-    /* try all appropriate Public keys */
-    {
-	pubkey_list_t *p, **pp;
+	s.st = st;
+	s.hash = hash;
+	s.sig  = chunk_create(sig_pbs->cur, pbs_left(sig_pbs));
+	s.tried_cnt = 0;
+
+	/* try all gateway records hung off c */
+	if (c->policy & POLICY_OPPO)
+	{
+		struct gw_info *gw;
 
-	pp = &pubkeys;
+		for (gw = c->gw_info; gw != NULL; gw = gw->next)
+		{
+			/* only consider entries that have a key and are for our peer */
+			if (gw->gw_key_present && same_id(&gw->gw_id, &c->spd.that.id)&&
+				take_a_crack(&s, gw->key))
+			{
+				return STF_OK;
+			}
+		}
+	}
 
-	for (p = pubkeys; p != NULL; p = *pp)
+	/* try all appropriate Public keys */
 	{
-	    pubkey_t *key = p->key;
+		pubkey_list_t *p, **pp;
 
-	    if (key->alg == PUBKEY_ALG_RSA && same_id(peer, &key->id))
-	    {
-		time_t now = time(NULL);
+		pp = &pubkeys;
 
-		/* check if found public key has expired */
-		if (key->until_time != UNDEFINED_TIME && key->until_time < now)
+		for (p = pubkeys; p != NULL; p = *pp)
 		{
-		    loglog(RC_LOG_SERIOUS,
-			"cached RSA public key has expired and has been deleted");
-		    *pp = free_public_keyentry(p);
-		    continue; /* continue with next public key */
-		}
+			pubkey_t *key = p->key;
+			key_type_t type = key->public_key->get_type(key->public_key);
 
-		if (take_a_crack(&s, key, "preloaded key"))
-		return STF_OK;
-	    }
-	    pp = &p->next;
-	}
+			if (type == key_type && same_id(peer, &key->id))
+			{
+				time_t now = time(NULL);
+
+				/* check if found public key has expired */
+				if (key->until_time != UNDEFINED_TIME && key->until_time < now)
+				{
+					loglog(RC_LOG_SERIOUS,
+						"cached public key has expired and has been deleted");
+					*pp = free_public_keyentry(p);
+					continue; /* continue with next public key */
+				}
+
+				if (take_a_crack(&s, key))
+				{
+					return STF_OK;
+				}
+			}
+			pp = &p->next;
+		}
    }
 
-    /* if no key was found (evidenced by best_ugh == NULL)
-     * and that side of connection is key_from_DNS_on_demand
-     * then go search DNS for keys for peer.
-     */
-    if (s.best_ugh == NULL && c->spd.that.key_from_DNS_on_demand)
-    {
-	if (gateways_from_dns != NULL)
+	/* if no key was found and that side of connection is
+	 * key_from_DNS_on_demand then go search DNS for keys for peer.
+	 */
+	if (s.tried_cnt == 0 && c->spd.that.key_from_DNS_on_demand)
 	{
-	    /* TXT keys */
-	    const struct gw_info *gwp;
+		if (gateways_from_dns != NULL)
+		{
+			/* TXT keys */
+			const struct gw_info *gwp;
 
-	    for (gwp = gateways_from_dns; gwp != NULL; gwp = gwp->next)
-		if (gwp->gw_key_present
-		&& take_a_crack(&s, gwp->key, "key from DNS TXT"))
-		    return STF_OK;
-	}
+			for (gwp = gateways_from_dns; gwp != NULL; gwp = gwp->next)
+			{
+				if (gwp->gw_key_present && take_a_crack(&s, gwp->key))
+				{
+					return STF_OK;
+				}
+			}
+		}
 #ifdef USE_KEYRR
-	else if (keys_from_dns != NULL)
-	{
-	    /* KEY keys */
-	    const pubkey_list_t *kr;
+		else if (keys_from_dns != NULL)
+		{
+			/* KEY keys */
+			const pubkey_list_t *kr;
 
-	    for (kr = keys_from_dns; kr != NULL; kr = kr->next)
-		if (kr->key->alg == PUBKEY_ALG_RSA
-		&& take_a_crack(&s, kr->key, "key from DNS KEY"))
-		    return STF_OK;
-	}
+			for (kr = keys_from_dns; kr != NULL; kr = kr->next)
+			{
+				if (kr->key->alg == PUBKEY_ALG_RSA && take_a_crack(&s, kr->key))
+				{
+					return STF_OK;
+				}
+			}
+		}
 #endif /* USE_KEYRR */
-	else
-	{
-	    /* nothing yet: ask for asynch DNS lookup */
-	    return STF_SUSPEND;
+		else
+		{
+			/* nothing yet: ask for asynch DNS lookup */
+			return STF_SUSPEND;
+		}
 	}
-    }
 
-    /* no acceptable key was found: diagnose */
-    {
-	char id_buf[BUF_LEN];	/* arbitrary limit on length of ID reported */
-
-	(void) idtoa(peer, id_buf, sizeof(id_buf));
-
-	if (s.best_ugh == NULL)
+	/* no acceptable key was found: diagnose */
 	{
-	    if (dns_ugh == NULL)
-		loglog(RC_LOG_SERIOUS, "no RSA public key known for '%s'"
-		    , id_buf);
-	    else
-		loglog(RC_LOG_SERIOUS, "no RSA public key known for '%s'"
-		    "; DNS search for KEY failed (%s)"
-		    , id_buf, dns_ugh);
+		char id_buf[BUF_LEN];   /* arbitrary limit on length of ID reported */
 
-	    /* ??? is this the best code there is? */
-	    return STF_FAIL + INVALID_KEY_INFORMATION;
-	}
+		idtoa(peer, id_buf, sizeof(id_buf));
 
-	if (s.best_ugh[0] == '9')
-	{
-	    loglog(RC_LOG_SERIOUS, "%s", s.best_ugh + 1);
-	    /* XXX Could send notification back */
-	    return STF_FAIL + INVALID_HASH_INFORMATION;
-	}
-	else
-	{
-	    if (s.tried_cnt == 1)
-	    {
-		loglog(RC_LOG_SERIOUS
-		    , "Signature check (on %s) failed (wrong key?); tried%s"
-		    , id_buf, s.tried);
-		DBG(DBG_CONTROL,
-		    DBG_log("public key for %s failed:"
-			" decrypted SIG payload into a malformed ECB (%s)"
-			, id_buf, s.best_ugh + 1));
-	    }
-	    else
-	    {
-		loglog(RC_LOG_SERIOUS
-		    , "Signature check (on %s) failed:"
-		      " tried%s keys but none worked."
-		    , id_buf, s.tried);
-		DBG(DBG_CONTROL,
-		    DBG_log("all %d public keys for %s failed:"
-			" best decrypted SIG payload into a malformed ECB (%s)"
-			, s.tried_cnt, id_buf, s.best_ugh + 1));
-	    }
-	    return STF_FAIL + INVALID_KEY_INFORMATION;
+		if (s.tried_cnt == 0)
+		{
+			loglog(RC_LOG_SERIOUS, "no public key known for '%s'", id_buf);
+		}
+		else if (s.tried_cnt == 1)
+		{
+			loglog(RC_LOG_SERIOUS, "signature check for '%s' failed: "
+					" wrong key?; tried %d", id_buf, s.tried_cnt);
+			DBG(DBG_CONTROL,
+				DBG_log("public key for '%s' failed: "
+						"decrypted SIG payload into a malformed ECB", id_buf)
+			)
+		}
+		else
+		{
+			loglog(RC_LOG_SERIOUS, "signature check for '%s' failed: "
+					  "tried %d keys but none worked.", id_buf, s.tried_cnt);
+			DBG(DBG_CONTROL,
+				DBG_log("all %d public keys for '%s' failed: "
+						"best decrypted SIG payload into a malformed ECB",
+						s.tried_cnt, id_buf)
+			)
+		}
+		return STF_FAIL + INVALID_KEY_INFORMATION;
 	}
-    }
 }
 
-static notification_t
-accept_nonce(struct msg_digest *md, chunk_t *dest, const char *name)
+static notification_t accept_nonce(struct msg_digest *md, chunk_t *dest,
+								   const char *name)
 {
-    pb_stream *nonce_pbs = &md->chain[ISAKMP_NEXT_NONCE]->pbs;
-    size_t len = pbs_left(nonce_pbs);
-
-    if (len < MINIMUM_NONCE_SIZE || MAXIMUM_NONCE_SIZE < len)
-    {
-	loglog(RC_LOG_SERIOUS, "%s length not between %d and %d"
-	    , name , MINIMUM_NONCE_SIZE, MAXIMUM_NONCE_SIZE);
-	return PAYLOAD_MALFORMED;	/* ??? */
-    }
-    clonereplacechunk(*dest, nonce_pbs->cur, len, "nonce");
-    return NOTHING_WRONG;
+	pb_stream *nonce_pbs = &md->chain[ISAKMP_NEXT_NONCE]->pbs;
+	size_t len = pbs_left(nonce_pbs);
+
+	if (len < MINIMUM_NONCE_SIZE || MAXIMUM_NONCE_SIZE < len)
+	{
+		loglog(RC_LOG_SERIOUS, "%s length not between %d and %d"
+			, name , MINIMUM_NONCE_SIZE, MAXIMUM_NONCE_SIZE);
+		return PAYLOAD_MALFORMED;       /* ??? */
+	}
+	free(dest->ptr);
+	*dest = chunk_create(nonce_pbs->cur, len);
+	*dest = chunk_clone(*dest);
+	return NOTHING_WRONG;
 }
 
 /* encrypt message, sans fixed part of header
@@ -1861,36 +1685,51 @@ accept_nonce(struct msg_digest *md, chunk_t *dest, const char *name)
 bool
 encrypt_message(pb_stream *pbs, struct state *st)
 {
-    const struct encrypt_desc *e = st->st_oakley.encrypter;
-    u_int8_t *enc_start = pbs->start + sizeof(struct isakmp_hdr);
-    size_t enc_len = pbs_offset(pbs) - sizeof(struct isakmp_hdr);
-
-    DBG_cond_dump(DBG_CRYPT | DBG_RAW, "encrypting:\n", enc_start, enc_len);
-
-    /* Pad up to multiple of encryption blocksize.
-     * See the description associated with the definition of
-     * struct isakmp_hdr in packet.h.
-     */
-    {
-	size_t padding = pad_up(enc_len, e->enc_blocksize);
-
-	if (padding != 0)
+	u_int8_t *enc_start = pbs->start + sizeof(struct isakmp_hdr);
+	size_t enc_len = pbs_offset(pbs) - sizeof(struct isakmp_hdr);
+	chunk_t data, iv;
+    char *new_iv;
+	size_t crypter_block_size;
+	encryption_algorithm_t enc_alg;
+	crypter_t *crypter;
+
+	DBG_cond_dump(DBG_CRYPT | DBG_RAW, "encrypting:\n", enc_start, enc_len);
+	enc_alg = oakley_to_encryption_algorithm(st->st_oakley.encrypt);
+	crypter = lib->crypto->create_crypter(lib->crypto, enc_alg, st->st_enc_key.len);
+	crypter_block_size = crypter->get_block_size(crypter);
+
+	/* Pad up to multiple of encryption blocksize.
+	 * See the description associated with the definition of
+	 * struct isakmp_hdr in packet.h.
+	 */
 	{
-	    if (!out_zero(padding, pbs, "encryption padding"))
-		return FALSE;
-	    enc_len += padding;
+		size_t padding = pad_up(enc_len, crypter_block_size);
+
+		if (padding != 0)
+		{
+			if (!out_zero(padding, pbs, "encryption padding"))
+				return FALSE;
+			enc_len += padding;
+		}
 	}
-    }
 
-    DBG(DBG_CRYPT, DBG_log("encrypting using %s", enum_show(&oakley_enc_names, st->st_oakley.encrypt)));
+	DBG(DBG_CRYPT, DBG_log("encrypting using %s", enum_show(&oakley_enc_names, st->st_oakley.encrypt)));
+	data = chunk_create(enc_start, enc_len);
 
-    /* e->crypt(TRUE, enc_start, enc_len, st); */
-    crypto_cbc_encrypt(e, TRUE, enc_start, enc_len, st);
+	/* form iv by truncation */
+	st->st_new_iv_len = crypter_block_size;
+	iv = chunk_create(st->st_new_iv, st->st_new_iv_len);
 
-    update_iv(st);
-    DBG_cond_dump(DBG_CRYPT, "next IV:", st->st_iv, st->st_iv_len);
-    close_message(pbs);
-    return TRUE;
+	crypter->set_key(crypter, st->st_enc_key);
+	crypter->encrypt(crypter, data, iv, NULL);
+	crypter->destroy(crypter);
+ 
+	new_iv = data.ptr + data.len - crypter_block_size;
+	memcpy(st->st_new_iv, new_iv, crypter_block_size);
+	update_iv(st);
+	DBG_cond_dump(DBG_CRYPT, "next IV:", st->st_iv, st->st_iv_len);
+	close_message(pbs);
+	return TRUE;
 }
 
 /* Compute HASH(1), HASH(2) of Quick Mode.
@@ -1899,31 +1738,33 @@ encrypt_message(pb_stream *pbs, struct state *st)
  * Used by: quick_outI1, quick_inI1_outR1 (twice), quick_inR1_outI2
  * (see RFC 2409 "IKE" 5.5, pg. 18 or draft-ietf-ipsec-ike-01.txt 6.2 pg 25)
  */
-static size_t
-quick_mode_hash12(u_char *dest, const u_char *start, const u_char *roof
-, const struct state *st, const msgid_t *msgid, bool hash2)
+static size_t quick_mode_hash12(u_char *dest, u_char *start, u_char *roof,
+								const struct state *st,	const msgid_t *msgid,
+								bool hash2)
 {
-    struct hmac_ctx ctx;
-
-#if 0	/* if desperate to debug hashing */
-#   define hmac_update(ctx, ptr, len) { \
-	DBG_dump("hash input", (ptr), (len)); \
-	(hmac_update)((ctx), (ptr), (len)); \
-    }
-    DBG_dump("hash key", st->st_skeyid_a.ptr, st->st_skeyid_a.len);
-#endif
-    hmac_init_chunk(&ctx, st->st_oakley.hasher, st->st_skeyid_a);
-    hmac_update(&ctx, (const void *) msgid, sizeof(msgid_t));
-    if (hash2)
-	hmac_update_chunk(&ctx, st->st_ni);	/* include Ni_b in the hash */
-    hmac_update(&ctx, start, roof-start);
-    hmac_final(dest, &ctx);
-
-    DBG(DBG_CRYPT,
-	DBG_log("HASH(%d) computed:", hash2 + 1);
-	DBG_dump("", dest, ctx.hmac_digest_size));
-    return ctx.hmac_digest_size;
-#   undef hmac_update
+	chunk_t msgid_chunk = chunk_from_thing(*msgid);
+	chunk_t msg_chunk = { start, roof - start };
+	pseudo_random_function_t prf_alg;
+	prf_t *prf;
+	size_t prf_block_size;
+
+	prf_alg = oakley_to_prf(st->st_oakley.hash);
+	prf = lib->crypto->create_prf(lib->crypto, prf_alg);
+	prf->set_key(prf, st->st_skeyid_a);
+	prf->get_bytes(prf, msgid_chunk, NULL);
+	if (hash2)
+	{
+		prf->get_bytes(prf, st->st_ni, NULL); /* include Ni_b in the hash */
+	}     
+	prf->get_bytes(prf, msg_chunk, dest);
+	prf_block_size = prf->get_block_size(prf);
+	prf->destroy(prf);
+
+	DBG(DBG_CRYPT,
+		DBG_log("HASH(%d) computed:", hash2 + 1);
+		DBG_dump("", dest, prf_block_size)
+	)
+	return prf_block_size;
 }
 
 /* Compute HASH(3) in Quick Mode (part of Quick I2 message).
@@ -1932,44 +1773,54 @@ quick_mode_hash12(u_char *dest, const u_char *start, const u_char *roof
  * NOTE: this hash (unlike HASH(1) and HASH(2)) ONLY covers the
  * Message ID and Nonces.  This is a mistake.
  */
-static size_t
-quick_mode_hash3(u_char *dest, struct state *st)
+static size_t quick_mode_hash3(u_char *dest, struct state *st)
 {
-    struct hmac_ctx ctx;
-
-    hmac_init_chunk(&ctx, st->st_oakley.hasher, st->st_skeyid_a);
-    hmac_update(&ctx, "\0", 1);
-    hmac_update(&ctx, (u_char *) &st->st_msgid, sizeof(st->st_msgid));
-    hmac_update_chunk(&ctx, st->st_ni);
-    hmac_update_chunk(&ctx, st->st_nr);
-    hmac_final(dest, &ctx);
-    DBG_cond_dump(DBG_CRYPT, "HASH(3) computed:", dest, ctx.hmac_digest_size);
-    return ctx.hmac_digest_size;
+	char seed_buf[] = { 0x00 };
+	chunk_t seed_chunk = chunk_from_buf(seed_buf);
+	chunk_t msgid_chunk = chunk_from_thing(st->st_msgid);
+	pseudo_random_function_t prf_alg;
+	prf_t *prf;
+	size_t prf_block_size;
+	
+	prf_alg = oakley_to_prf(st->st_oakley.hash);
+	prf = lib->crypto->create_prf(lib->crypto, prf_alg);
+	prf->set_key(prf, st->st_skeyid_a);
+	prf->get_bytes(prf, seed_chunk, NULL );
+	prf->get_bytes(prf, msgid_chunk, NULL);
+	prf->get_bytes(prf, st->st_ni, NULL);
+	prf->get_bytes(prf, st->st_nr, dest);
+	prf_block_size = prf->get_block_size(prf);
+	prf->destroy(prf);
+
+	DBG_cond_dump(DBG_CRYPT, "HASH(3) computed:", dest, prf_block_size);
+	return prf_block_size;
 }
 
 /* Compute Phase 2 IV.
  * Uses Phase 1 IV from st_iv; puts result in st_new_iv.
  */
-void
-init_phase2_iv(struct state *st, const msgid_t *msgid)
+void init_phase2_iv(struct state *st, const msgid_t *msgid)
 {
-    const struct hash_desc *h = st->st_oakley.hasher;
-    union hash_ctx ctx;
+	chunk_t iv_chunk = { st->st_ph1_iv, st->st_ph1_iv_len };
+	chunk_t msgid_chunk = chunk_from_thing(*msgid);
+	hash_algorithm_t hash_alg;
+	hasher_t *hasher;
 
-    DBG_cond_dump(DBG_CRYPT, "last Phase 1 IV:"
-	, st->st_ph1_iv, st->st_ph1_iv_len);
+	hash_alg = oakley_to_hash_algorithm(st->st_oakley.hash);
+	hasher = lib->crypto->create_hasher(lib->crypto, hash_alg);
 
-    st->st_new_iv_len = h->hash_digest_size;
-    passert(st->st_new_iv_len <= sizeof(st->st_new_iv));
+	DBG_cond_dump(DBG_CRYPT, "last Phase 1 IV:",
+				  st->st_ph1_iv, st->st_ph1_iv_len);
 
-    h->hash_init(&ctx);
-    h->hash_update(&ctx, st->st_ph1_iv, st->st_ph1_iv_len);
-    passert(*msgid != 0);
-    h->hash_update(&ctx, (const u_char *)msgid, sizeof(*msgid));
-    h->hash_final(st->st_new_iv, &ctx);
+	st->st_new_iv_len = hasher->get_hash_size(hasher);
+	passert(st->st_new_iv_len <= sizeof(st->st_new_iv));
+		
+	hasher->get_hash(hasher, iv_chunk, NULL);
+	hasher->get_hash(hasher, msgid_chunk, st->st_new_iv);
+	hasher->destroy(hasher);
 
-    DBG_cond_dump(DBG_CRYPT, "computed Phase 2 IV:"
-	, st->st_new_iv, st->st_new_iv_len);
+	DBG_cond_dump(DBG_CRYPT, "computed Phase 2 IV:",
+				  st->st_new_iv, st->st_new_iv_len);
 }
 
 /* Initiate quick mode.
@@ -1978,474 +1829,467 @@ init_phase2_iv(struct state *st, const msgid_t *msgid)
  * Note: this is not called from demux.c
  */
 
-static bool
-emit_subnet_id(ip_subnet *net
-, u_int8_t np, u_int8_t protoid, u_int16_t port, pb_stream *outs)
+static bool emit_subnet_id(ip_subnet *net, u_int8_t np, u_int8_t protoid,
+						   u_int16_t port, pb_stream *outs)
 {
-    struct isakmp_ipsec_id id;
-    pb_stream id_pbs;
-    ip_address ta;
-    const unsigned char *tbp;
-    size_t tal;
-
-    id.isaiid_np = np;
-    id.isaiid_idtype = subnetishost(net)
-		       ? aftoinfo(subnettypeof(net))->id_addr
-		       : aftoinfo(subnettypeof(net))->id_subnet;
-    id.isaiid_protoid = protoid;
-    id.isaiid_port = port;
-
-    if (!out_struct(&id, &isakmp_ipsec_identification_desc, outs, &id_pbs))
-	return FALSE;
-
-    networkof(net, &ta);
-    tal = addrbytesptr(&ta, &tbp);
-    if (!out_raw(tbp, tal, &id_pbs, "client network"))
-	return FALSE;
+	struct isakmp_ipsec_id id;
+	pb_stream id_pbs;
+	ip_address ta;
+	const unsigned char *tbp;
+	size_t tal;
+
+	id.isaiid_np = np;
+	id.isaiid_idtype = subnetishost(net)
+					   ? aftoinfo(subnettypeof(net))->id_addr
+					   : aftoinfo(subnettypeof(net))->id_subnet;
+	id.isaiid_protoid = protoid;
+	id.isaiid_port = port;
+
+	if (!out_struct(&id, &isakmp_ipsec_identification_desc, outs, &id_pbs))
+		return FALSE;
 
-    if (!subnetishost(net))
-    {
-	maskof(net, &ta);
+	networkof(net, &ta);
 	tal = addrbytesptr(&ta, &tbp);
-	if (!out_raw(tbp, tal, &id_pbs, "client mask"))
-	    return FALSE;
-    }
+	if (!out_raw(tbp, tal, &id_pbs, "client network"))
+		return FALSE;
+
+	if (!subnetishost(net))
+	{
+		maskof(net, &ta);
+		tal = addrbytesptr(&ta, &tbp);
+		if (!out_raw(tbp, tal, &id_pbs, "client mask"))
+			return FALSE;
+	}
 
-    close_output_pbs(&id_pbs);
-    return TRUE;
+	close_output_pbs(&id_pbs);
+	return TRUE;
 }
 
-stf_status
-quick_outI1(int whack_sock
-, struct state *isakmp_sa
-, struct connection *c
-, lset_t policy
-, unsigned long try
-, so_serial_t replacing)
+stf_status quick_outI1(int whack_sock, struct state *isakmp_sa,
+					   struct connection *c, lset_t policy, unsigned long try,
+					   so_serial_t replacing)
 {
-    struct state *st = duplicate_state(isakmp_sa);
-    pb_stream reply;	/* not really a reply */
-    pb_stream rbody;
-    u_char	/* set by START_HASH_PAYLOAD: */
-	*r_hashval,	/* where in reply to jam hash value */
-	*r_hash_start;	/* start of what is to be hashed */
-    bool has_client = c->spd.this.has_client || c->spd.that.has_client ||
-		      c->spd.this.protocol || c->spd.that.protocol ||
-		      c->spd.this.port || c->spd.that.port;
-    
-    bool send_natoa = FALSE;
-    u_int8_t np = ISAKMP_NEXT_NONE;
-
-    st->st_whack_sock = whack_sock;
-    st->st_connection = c;
-    set_cur_state(st);	/* we must reset before exit */
-    st->st_policy = policy;
-    st->st_try = try;
-
-    st->st_myuserprotoid = c->spd.this.protocol;
-    st->st_peeruserprotoid = c->spd.that.protocol;
-    st->st_myuserport = c->spd.this.port;
-    st->st_peeruserport = c->spd.that.port;
-
-    st->st_msgid = generate_msgid(isakmp_sa);
-    st->st_state = STATE_QUICK_I1;
-
-    insert_state(st);	/* needs cookies, connection, and msgid */
-
-    if (replacing == SOS_NOBODY)
-	plog("initiating Quick Mode %s {using isakmp#%lu}"
-	     , prettypolicy(policy)
-	     , isakmp_sa->st_serialno);
-    else
-	plog("initiating Quick Mode %s to replace #%lu {using isakmp#%lu}"
-	     , prettypolicy(policy)
-	     , replacing
-	     , isakmp_sa->st_serialno);
-
-    if (isakmp_sa->nat_traversal & NAT_T_DETECTED)
-    {
-	/* Duplicate nat_traversal status in new state */
-	st->nat_traversal = isakmp_sa->nat_traversal;
-
-	if (isakmp_sa->nat_traversal & LELEM(NAT_TRAVERSAL_NAT_BHND_ME))
-	    has_client = TRUE;
-
-       nat_traversal_change_port_lookup(NULL, st);
-    }
-    else
-	st->nat_traversal = 0;
-
-    /* are we going to send a NAT-OA payload? */
-    if ((st->nat_traversal & NAT_T_WITH_NATOA)
-    && !(st->st_policy & POLICY_TUNNEL)
-    && (st->nat_traversal & LELEM(NAT_TRAVERSAL_NAT_BHND_ME)))
-    {
-	send_natoa = TRUE;
-	np = (st->nat_traversal & NAT_T_WITH_RFC_VALUES) ?
-		  ISAKMP_NEXT_NATOA_RFC : ISAKMP_NEXT_NATOA_DRAFTS;
-    }
-
-    /* set up reply */
-    init_pbs(&reply, reply_buffer, sizeof(reply_buffer), "reply packet");
-
-    /* HDR* out */
-    {
-	struct isakmp_hdr hdr;
-
-	hdr.isa_version = ISAKMP_MAJOR_VERSION << ISA_MAJ_SHIFT | ISAKMP_MINOR_VERSION;
-	hdr.isa_np = ISAKMP_NEXT_HASH;
-	hdr.isa_xchg = ISAKMP_XCHG_QUICK;
-	hdr.isa_msgid = st->st_msgid;
-	hdr.isa_flags = ISAKMP_FLAG_ENCRYPTION;
-	memcpy(hdr.isa_icookie, st->st_icookie, COOKIE_SIZE);
-	memcpy(hdr.isa_rcookie, st->st_rcookie, COOKIE_SIZE);
-	if (!out_struct(&hdr, &isakmp_hdr_desc, &reply, &rbody))
-	{
-	    reset_cur_state();
-	    return STF_INTERNAL_ERROR;
-	}
-    }
-
-    /* HASH(1) -- create and note space to be filled later */
-    START_HASH_PAYLOAD(rbody, ISAKMP_NEXT_SA);
-
-    /* SA out */
-
-    /* 
-     * See if pfs_group has been specified for this conn,
-     * if not, fallback to old use-same-as-P1 behaviour
-     */
-#ifndef NO_IKE_ALG
-    if (st->st_connection)
-	    st->st_pfs_group = ike_alg_pfsgroup(st->st_connection, policy);
-    if (!st->st_pfs_group)
-#endif
-    /* If PFS specified, use the same group as during Phase 1:
-     * since no negotiation is possible, we pick one that is
-     * very likely supported.
-     */
-	    st->st_pfs_group = policy & POLICY_PFS? isakmp_sa->st_oakley.group : NULL;
-
-    /* Emit SA payload based on a subset of the policy bits.
-     * POLICY_COMPRESS is considered iff we can do IPcomp.
-     */
-    {
-	lset_t pm = POLICY_ENCRYPT | POLICY_AUTHENTICATE;
-
-	if (can_do_IPcomp)
-	    pm |= POLICY_COMPRESS;
-
-	if (!out_sa(&rbody
-	, &ipsec_sadb[(st->st_policy & pm) >> POLICY_IPSEC_SHIFT]
-	, st, FALSE, ISAKMP_NEXT_NONCE))
-	{
-	    reset_cur_state();
-	    return STF_INTERNAL_ERROR;
-	}
-    }
-
-    /* Ni out */
-    if (!build_and_ship_nonce(&st->st_ni, &rbody
-    , policy & POLICY_PFS? ISAKMP_NEXT_KE : has_client? ISAKMP_NEXT_ID : np
-    , "Ni"))
-    {
-	reset_cur_state();
-	return STF_INTERNAL_ERROR;
-    }
+	struct state *st = duplicate_state(isakmp_sa);
+	pb_stream reply;    /* not really a reply */
+	pb_stream rbody;
+	u_char      /* set by START_HASH_PAYLOAD: */
+		*r_hashval,     /* where in reply to jam hash value */
+		*r_hash_start;  /* start of what is to be hashed */
+	bool has_client = c->spd.this.has_client || c->spd.that.has_client ||
+					  c->spd.this.protocol || c->spd.that.protocol ||
+					  c->spd.this.port || c->spd.that.port;
+	
+	bool send_natoa = FALSE;
+	u_int8_t np = ISAKMP_NEXT_NONE;
+
+	st->st_whack_sock = whack_sock;
+	st->st_connection = c;
+	set_cur_state(st);  /* we must reset before exit */
+	st->st_policy = policy;
+	st->st_try = try;
+
+	st->st_myuserprotoid = c->spd.this.protocol;
+	st->st_peeruserprotoid = c->spd.that.protocol;
+	st->st_myuserport = c->spd.this.port;
+	st->st_peeruserport = c->spd.that.port;
+
+	st->st_msgid = generate_msgid(isakmp_sa);
+	st->st_state = STATE_QUICK_I1;
 
-    /* [ KE ] out (for PFS) */
+	insert_state(st);   /* needs cookies, connection, and msgid */
 
-    if (st->st_pfs_group != NULL)
-    {
-	if (!build_and_ship_KE(st, &st->st_gi, st->st_pfs_group
-	, &rbody, has_client? ISAKMP_NEXT_ID : np))
+	if (replacing == SOS_NOBODY)
+		plog("initiating Quick Mode %s {using isakmp#%lu}"
+			 , prettypolicy(policy)
+			 , isakmp_sa->st_serialno);
+	else
+		plog("initiating Quick Mode %s to replace #%lu {using isakmp#%lu}"
+			 , prettypolicy(policy)
+			 , replacing
+			 , isakmp_sa->st_serialno);
+
+	if (isakmp_sa->nat_traversal & NAT_T_DETECTED)
 	{
-	    reset_cur_state();
-	    return STF_INTERNAL_ERROR;
+		/* Duplicate nat_traversal status in new state */
+		st->nat_traversal = isakmp_sa->nat_traversal;
+
+		if (isakmp_sa->nat_traversal & LELEM(NAT_TRAVERSAL_NAT_BHND_ME))
+			has_client = TRUE;
+
+	   nat_traversal_change_port_lookup(NULL, st);
 	}
-    }
+	else
+		st->nat_traversal = 0;
 
-    /* [ IDci, IDcr ] out */
-    if (has_client)
-    {
-	/* IDci (we are initiator), then IDcr (peer is responder) */
-	if (!emit_subnet_id(&c->spd.this.client
-	  , ISAKMP_NEXT_ID, st->st_myuserprotoid, st->st_myuserport, &rbody)
-	|| !emit_subnet_id(&c->spd.that.client
-	  , np, st->st_peeruserprotoid, st->st_peeruserport, &rbody))
+	/* are we going to send a NAT-OA payload? */
+	if ((st->nat_traversal & NAT_T_WITH_NATOA)
+	&& !(st->st_policy & POLICY_TUNNEL)
+	&& (st->nat_traversal & LELEM(NAT_TRAVERSAL_NAT_BHND_ME)))
 	{
-	    reset_cur_state();
-	    return STF_INTERNAL_ERROR;
+		send_natoa = TRUE;
+		np = (st->nat_traversal & NAT_T_WITH_RFC_VALUES) ?
+				  ISAKMP_NEXT_NATOA_RFC : ISAKMP_NEXT_NATOA_DRAFTS;
 	}
-    }
 
-    /* Send NAT-OA if our address is NATed */
-    if (send_natoa)
-    {
-	if (!nat_traversal_add_natoa(ISAKMP_NEXT_NONE, &rbody, st))
+	/* set up reply */
+	init_pbs(&reply, reply_buffer, sizeof(reply_buffer), "reply packet");
+
+	/* HDR* out */
 	{
-            reset_cur_state();
-	    return STF_INTERNAL_ERROR;
+		struct isakmp_hdr hdr;
+
+		hdr.isa_version = ISAKMP_MAJOR_VERSION << ISA_MAJ_SHIFT | ISAKMP_MINOR_VERSION;
+		hdr.isa_np = ISAKMP_NEXT_HASH;
+		hdr.isa_xchg = ISAKMP_XCHG_QUICK;
+		hdr.isa_msgid = st->st_msgid;
+		hdr.isa_flags = ISAKMP_FLAG_ENCRYPTION;
+		memcpy(hdr.isa_icookie, st->st_icookie, COOKIE_SIZE);
+		memcpy(hdr.isa_rcookie, st->st_rcookie, COOKIE_SIZE);
+		if (!out_struct(&hdr, &isakmp_hdr_desc, &reply, &rbody))
+		{
+			reset_cur_state();
+			return STF_INTERNAL_ERROR;
+		}
 	}
-    }
 
-    /* finish computing  HASH(1), inserting it in output */
-    (void) quick_mode_hash12(r_hashval, r_hash_start, rbody.cur
-	, st, &st->st_msgid, FALSE);
+	/* HASH(1) -- create and note space to be filled later */
+	START_HASH_PAYLOAD(rbody, ISAKMP_NEXT_SA);
 
-    /* encrypt message, except for fixed part of header */
+	/* SA out */
 
-    init_phase2_iv(isakmp_sa, &st->st_msgid);
-    st->st_new_iv_len = isakmp_sa->st_new_iv_len;
-    memcpy(st->st_new_iv, isakmp_sa->st_new_iv, st->st_new_iv_len);
+	/* 
+	 * See if pfs_group has been specified for this conn,
+	 * if not, fallback to old use-same-as-P1 behaviour
+	 */
+#ifndef NO_IKE_ALG
+	if (st->st_connection)
+			st->st_pfs_group = ike_alg_pfsgroup(st->st_connection, policy);
+	if (!st->st_pfs_group)
+#endif
+	/* If PFS specified, use the same group as during Phase 1:
+	 * since no negotiation is possible, we pick one that is
+	 * very likely supported.
+	 */
+			st->st_pfs_group = policy & POLICY_PFS? isakmp_sa->st_oakley.group : NULL;
 
-    if (!encrypt_message(&rbody, st))
-    {
-	reset_cur_state();
-	return STF_INTERNAL_ERROR;
-    }
-
-    /* save packet, now that we know its size */
-    clonetochunk(st->st_tpacket, reply.start, pbs_offset(&reply)
-	, "reply packet from quick_outI1");
-
-    /* send the packet */
-
-    send_packet(st, "quick_outI1");
-
-    delete_event(st);
-    event_schedule(EVENT_RETRANSMIT, EVENT_RETRANSMIT_DELAY_0, st);
-
-    if (replacing == SOS_NOBODY)
-	whack_log(RC_NEW_STATE + STATE_QUICK_I1
-	    , "%s: initiate"
-	    , enum_name(&state_names, st->st_state));
-    else
-	whack_log(RC_NEW_STATE + STATE_QUICK_I1
-	    , "%s: initiate to replace #%lu"
-	    , enum_name(&state_names, st->st_state)
-	    , replacing);
-    reset_cur_state();
-    return STF_OK;
-}
+	/* Emit SA payload based on a subset of the policy bits.
+	 * POLICY_COMPRESS is considered iff we can do IPcomp.
+	 */
+	{
+		lset_t pm = POLICY_ENCRYPT | POLICY_AUTHENTICATE;
 
+		if (can_do_IPcomp)
+			pm |= POLICY_COMPRESS;
 
-/*
- * Decode the CERT payload of Phase 1.
- */
-static void
-decode_cert(struct msg_digest *md)
-{
-    struct payload_digest *p;
-
-    for (p = md->chain[ISAKMP_NEXT_CERT]; p != NULL; p = p->next)
-    {
-	struct isakmp_cert *const cert = &p->payload.cert;
-	chunk_t blob;
-	time_t valid_until;
-	blob.ptr = p->pbs.cur;
-	blob.len = pbs_left(&p->pbs);
-	if (cert->isacert_type == CERT_X509_SIGNATURE)
-	{
-	    x509cert_t cert = empty_x509cert;
-	    if (parse_x509cert(blob, 0, &cert))
-	    {
-		if (verify_x509cert(&cert, strict_crl_policy, &valid_until))
+		if (!out_sa(&rbody
+		, &ipsec_sadb[(st->st_policy & pm) >> POLICY_IPSEC_SHIFT]
+		, st, FALSE, ISAKMP_NEXT_NONCE))
 		{
-		    DBG(DBG_PARSING,
-			DBG_log("Public key validated")
-		    )
-		    add_x509_public_key(&cert, valid_until, DAL_SIGNED);
-		}
-		else
-		{
-		    plog("X.509 certificate rejected");
+			reset_cur_state();
+			return STF_INTERNAL_ERROR;
 		}
-		free_generalNames(cert.subjectAltName, FALSE);
-		free_generalNames(cert.crlDistributionPoints, FALSE);
-	    }
-	    else
-		plog("Syntax error in X.509 certificate");
 	}
-	else if (cert->isacert_type == CERT_PKCS7_WRAPPED_X509)
-	{
-	    x509cert_t *cert = NULL;
 
-	    if (pkcs7_parse_signedData(blob, NULL, &cert, NULL, NULL))
-		store_x509certs(&cert, strict_crl_policy);
-	    else
-		plog("Syntax error in PKCS#7 wrapped X.509 certificates");
-	}
-	else
+	/* Ni out */
+	if (!build_and_ship_nonce(&st->st_ni, &rbody
+	, policy & POLICY_PFS? ISAKMP_NEXT_KE : has_client? ISAKMP_NEXT_ID : np
+	, "Ni"))
 	{
-	    loglog(RC_LOG_SERIOUS, "ignoring %s certificate payload",
-		   enum_show(&cert_type_names, cert->isacert_type));
-	    DBG_cond_dump_chunk(DBG_PARSING, "CERT:\n", blob);
+		reset_cur_state();
+		return STF_INTERNAL_ERROR;
 	}
-    }
-}
 
-/*
- * Decode the CR payload of Phase 1.
- */
-static void
-decode_cr(struct msg_digest *md, struct connection *c)
-{
-    struct payload_digest *p;
+	/* [ KE ] out (for PFS) */
 
-    for (p = md->chain[ISAKMP_NEXT_CR]; p != NULL; p = p->next)
-    {
-	struct isakmp_cr *const cr = &p->payload.cr;
-	chunk_t ca_name;
-	
-	ca_name.len = pbs_left(&p->pbs);
-	ca_name.ptr = (ca_name.len > 0)? p->pbs.cur : NULL;
+	if (st->st_pfs_group != NULL)
+	{
+		if (!build_and_ship_KE(st, &st->st_gi, st->st_pfs_group
+		, &rbody, has_client? ISAKMP_NEXT_ID : np))
+		{
+			reset_cur_state();
+			return STF_INTERNAL_ERROR;
+		}
+	}
 
-	DBG_cond_dump_chunk(DBG_PARSING, "CR", ca_name);
+	/* [ IDci, IDcr ] out */
+	if (has_client)
+	{
+		/* IDci (we are initiator), then IDcr (peer is responder) */
+		if (!emit_subnet_id(&c->spd.this.client
+		  , ISAKMP_NEXT_ID, st->st_myuserprotoid, st->st_myuserport, &rbody)
+		|| !emit_subnet_id(&c->spd.that.client
+		  , np, st->st_peeruserprotoid, st->st_peeruserport, &rbody))
+		{
+			reset_cur_state();
+			return STF_INTERNAL_ERROR;
+		}
+	}
 
-	if (cr->isacr_type == CERT_X509_SIGNATURE)
+	/* Send NAT-OA if our address is NATed */
+	if (send_natoa)
 	{
-	    char buf[BUF_LEN];
+		if (!nat_traversal_add_natoa(ISAKMP_NEXT_NONE, &rbody, st))
+		{
+			reset_cur_state();
+			return STF_INTERNAL_ERROR;
+		}
+	}
 
-	    if (ca_name.len > 0)
-	    {
-		generalName_t *gn;
-		
-		if (!is_asn1(ca_name))
-		    continue;
-
-		gn = alloc_thing(generalName_t, "generalName");
-		clonetochunk(ca_name, ca_name.ptr,ca_name.len, "ca name");
-		gn->kind = GN_DIRECTORY_NAME;
-		gn->name = ca_name;
-		gn->next = c->requested_ca;
-		c->requested_ca = gn;
-	    }
-	    c->got_certrequest = TRUE;
-
-	    DBG(DBG_PARSING | DBG_CONTROL,
-		dntoa_or_null(buf, BUF_LEN, ca_name, "%any");
-		DBG_log("requested CA: '%s'", buf);
-	    )
+	/* finish computing  HASH(1), inserting it in output */
+	(void) quick_mode_hash12(r_hashval, r_hash_start, rbody.cur
+		, st, &st->st_msgid, FALSE);
+
+	/* encrypt message, except for fixed part of header */
+
+	init_phase2_iv(isakmp_sa, &st->st_msgid);
+	st->st_new_iv_len = isakmp_sa->st_new_iv_len;
+	memcpy(st->st_new_iv, isakmp_sa->st_new_iv, st->st_new_iv_len);
+
+	if (!encrypt_message(&rbody, st))
+	{
+		reset_cur_state();
+		return STF_INTERNAL_ERROR;
 	}
+
+	/* save packet, now that we know its size */
+	st->st_tpacket = chunk_create(reply.start, pbs_offset(&reply));
+	st->st_tpacket = chunk_clone(st->st_tpacket);
+
+	/* send the packet */
+
+	send_packet(st, "quick_outI1");
+
+	delete_event(st);
+	event_schedule(EVENT_RETRANSMIT, EVENT_RETRANSMIT_DELAY_0, st);
+
+	if (replacing == SOS_NOBODY)
+		whack_log(RC_NEW_STATE + STATE_QUICK_I1
+			, "%s: initiate"
+			, enum_name(&state_names, st->st_state));
 	else
-	    loglog(RC_LOG_SERIOUS, "ignoring %s certificate request payload",
-		   enum_show(&cert_type_names, cr->isacr_type));
-    }
+		whack_log(RC_NEW_STATE + STATE_QUICK_I1
+			, "%s: initiate to replace #%lu"
+			, enum_name(&state_names, st->st_state)
+			, replacing);
+	reset_cur_state();
+	return STF_OK;
 }
 
-/* Decode the ID payload of Phase 1 (main_inI3_outR3 and main_inR3)
- * Note: we may change connections as a result.
- * We must be called before SIG or HASH are decoded since we
- * may change the peer's RSA key or ID.
+
+/*
+ * Decode the CERT payload of Phase 1.
  */
-static bool
-decode_peer_id(struct msg_digest *md, struct id *peer)
+static void decode_cert(struct msg_digest *md)
 {
-    struct state *const st = md->st;
-    struct payload_digest *const id_pld = md->chain[ISAKMP_NEXT_ID];
-    const pb_stream *const id_pbs = &id_pld->pbs;
-    struct isakmp_id *const id = &id_pld->payload.id;
-
-    /* I think that RFC2407 (IPSEC DOI) 4.6.2 is confused.
-     * It talks about the protocol ID and Port fields of the ID
-     * Payload, but they don't exist as such in Phase 1.
-     * We use more appropriate names.
-     * isaid_doi_specific_a is in place of Protocol ID.
-     * isaid_doi_specific_b is in place of Port.
-     * Besides, there is no good reason for allowing these to be
-     * other than 0 in Phase 1.
-     */
-    if ((st->nat_traversal & NAT_T_WITH_PORT_FLOATING)
-    &&	 id->isaid_doi_specific_a == IPPROTO_UDP
-    &&  (id->isaid_doi_specific_b == 0 || id->isaid_doi_specific_b == NAT_T_IKE_FLOAT_PORT))
-    {
-	DBG_log("protocol/port in Phase 1 ID Payload is %d/%d. "
-		"accepted with port_floating NAT-T",
-		id->isaid_doi_specific_a, id->isaid_doi_specific_b);
-    }
-    else if (!(id->isaid_doi_specific_a == 0 && id->isaid_doi_specific_b == 0)
-	 &&  !(id->isaid_doi_specific_a == IPPROTO_UDP && id->isaid_doi_specific_b == IKE_UDP_PORT))
-    {
-	loglog(RC_LOG_SERIOUS, "protocol/port in Phase 1 ID Payload must be 0/0 or %d/%d"
-	    " but are %d/%d"
-	    , IPPROTO_UDP, IKE_UDP_PORT
-	    , id->isaid_doi_specific_a, id->isaid_doi_specific_b);
-	return FALSE;
-    }
+	struct payload_digest *p;
+
+	for (p = md->chain[ISAKMP_NEXT_CERT]; p != NULL; p = p->next)
+	{
+		struct isakmp_cert *const cert = &p->payload.cert;
+		chunk_t blob;
+		time_t valid_until;
+		blob.ptr = p->pbs.cur;
+		blob.len = pbs_left(&p->pbs);
+		if (cert->isacert_type == CERT_X509_SIGNATURE)
+		{
+			x509cert_t cert = empty_x509cert;
+			if (parse_x509cert(blob, 0, &cert))
+			{
+				if (verify_x509cert(&cert, strict_crl_policy, &valid_until))
+				{
+					DBG(DBG_PARSING,
+						DBG_log("Public key validated")
+					)
+					add_x509_public_key(&cert, valid_until, DAL_SIGNED);
+				}
+				else
+				{
+					plog("X.509 certificate rejected");
+				}
+				DESTROY_IF(cert.public_key);
+				free_generalNames(cert.subjectAltName, FALSE);
+				free_generalNames(cert.crlDistributionPoints, FALSE);
+			}
+			else
+				plog("Syntax error in X.509 certificate");
+		}
+		else if (cert->isacert_type == CERT_PKCS7_WRAPPED_X509)
+		{
+			x509cert_t *cert = NULL;
+
+			if (pkcs7_parse_signedData(blob, NULL, &cert, NULL, NULL))
+				store_x509certs(&cert, strict_crl_policy);
+			else
+				plog("Syntax error in PKCS#7 wrapped X.509 certificates");
+		}
+		else
+		{
+			loglog(RC_LOG_SERIOUS, "ignoring %s certificate payload",
+				   enum_show(&cert_type_names, cert->isacert_type));
+			DBG_cond_dump_chunk(DBG_PARSING, "CERT:\n", blob);
+		}
+	}
+}
 
-    peer->kind = id->isaid_idtype;
+/*
+ * Decode the CR payload of Phase 1.
+ */
+static void decode_cr(struct msg_digest *md, struct connection *c)
+{
+	struct payload_digest *p;
 
-    switch (peer->kind)
-    {
-    case ID_IPV4_ADDR:
-    case ID_IPV6_ADDR:
-	/* failure mode for initaddr is probably inappropriate address length */
+	for (p = md->chain[ISAKMP_NEXT_CR]; p != NULL; p = p->next)
 	{
-	    err_t ugh = initaddr(id_pbs->cur, pbs_left(id_pbs)
-		, peer->kind == ID_IPV4_ADDR? AF_INET : AF_INET6
-		, &peer->ip_addr);
+		struct isakmp_cr *const cr = &p->payload.cr;
+		chunk_t ca_name;
+		
+		ca_name.len = pbs_left(&p->pbs);
+		ca_name.ptr = (ca_name.len > 0)? p->pbs.cur : NULL;
 
-	    if (ugh != NULL)
-	    {
-		loglog(RC_LOG_SERIOUS, "improper %s identification payload: %s"
-		    , enum_show(&ident_names, peer->kind), ugh);
-		/* XXX Could send notification back */
-		return FALSE;
-	    }
+		DBG_cond_dump_chunk(DBG_PARSING, "CR", ca_name);
+
+		if (cr->isacr_type == CERT_X509_SIGNATURE)
+		{
+			char buf[BUF_LEN];
+
+			if (ca_name.len > 0)
+			{
+				generalName_t *gn;
+				
+				if (!is_asn1(ca_name))
+					continue;
+
+				gn = malloc_thing(generalName_t);
+				ca_name = chunk_clone(ca_name);
+				gn->kind = GN_DIRECTORY_NAME;
+				gn->name = ca_name;
+				gn->next = c->requested_ca;
+				c->requested_ca = gn;
+			}
+			c->got_certrequest = TRUE;
+
+			DBG(DBG_PARSING | DBG_CONTROL,
+				dntoa_or_null(buf, BUF_LEN, ca_name, "%any");
+				DBG_log("requested CA: '%s'", buf);
+			)
+		}
+		else
+			loglog(RC_LOG_SERIOUS, "ignoring %s certificate request payload",
+				   enum_show(&cert_type_names, cr->isacr_type));
 	}
-	break;
+}
 
-    case ID_USER_FQDN:
-	if (memchr(id_pbs->cur, '@', pbs_left(id_pbs)) == NULL)
+/* Decode the ID payload of Phase 1 (main_inI3_outR3 and main_inR3)
+ * Note: we may change connections as a result.
+ * We must be called before SIG or HASH are decoded since we
+ * may change the peer's public key or ID.
+ */
+static bool decode_peer_id(struct msg_digest *md, struct id *peer)
+{
+	struct state *const st = md->st;
+	struct payload_digest *const id_pld = md->chain[ISAKMP_NEXT_ID];
+	const pb_stream *const id_pbs = &id_pld->pbs;
+	struct isakmp_id *const id = &id_pld->payload.id;
+
+	/* I think that RFC2407 (IPSEC DOI) 4.6.2 is confused.
+	 * It talks about the protocol ID and Port fields of the ID
+	 * Payload, but they don't exist as such in Phase 1.
+	 * We use more appropriate names.
+	 * isaid_doi_specific_a is in place of Protocol ID.
+	 * isaid_doi_specific_b is in place of Port.
+	 * Besides, there is no good reason for allowing these to be
+	 * other than 0 in Phase 1.
+	 */
+	if ((st->nat_traversal & NAT_T_WITH_PORT_FLOATING)
+	&&   id->isaid_doi_specific_a == IPPROTO_UDP
+	&&  (id->isaid_doi_specific_b == 0 || id->isaid_doi_specific_b == NAT_T_IKE_FLOAT_PORT))
 	{
-	    loglog(RC_LOG_SERIOUS, "peer's ID_USER_FQDN contains no @");
-	    return FALSE;
+		DBG_log("protocol/port in Phase 1 ID Payload is %d/%d. "
+				"accepted with port_floating NAT-T",
+				id->isaid_doi_specific_a, id->isaid_doi_specific_b);
 	}
-	/* FALLTHROUGH */
-    case ID_FQDN:
-	if (memchr(id_pbs->cur, '\0', pbs_left(id_pbs)) != NULL)
+	else if (!(id->isaid_doi_specific_a == 0 && id->isaid_doi_specific_b == 0)
+		 &&  !(id->isaid_doi_specific_a == IPPROTO_UDP && id->isaid_doi_specific_b == IKE_UDP_PORT))
 	{
-	    loglog(RC_LOG_SERIOUS, "Phase 1 ID Payload of type %s contains a NUL"
-		, enum_show(&ident_names, peer->kind));
-	    return FALSE;
+		loglog(RC_LOG_SERIOUS, "protocol/port in Phase 1 ID Payload must be 0/0 or %d/%d"
+			" but are %d/%d"
+			, IPPROTO_UDP, IKE_UDP_PORT
+			, id->isaid_doi_specific_a, id->isaid_doi_specific_b);
+		return FALSE;
 	}
 
-	/* ??? ought to do some more sanity check, but what? */
+	peer->kind = id->isaid_idtype;
+
+	switch (peer->kind)
+	{
+	case ID_IPV4_ADDR:
+	case ID_IPV6_ADDR:
+		/* failure mode for initaddr is probably inappropriate address length */
+		{
+			err_t ugh = initaddr(id_pbs->cur, pbs_left(id_pbs)
+				, peer->kind == ID_IPV4_ADDR? AF_INET : AF_INET6
+				, &peer->ip_addr);
+
+			if (ugh != NULL)
+			{
+				loglog(RC_LOG_SERIOUS, "improper %s identification payload: %s"
+					, enum_show(&ident_names, peer->kind), ugh);
+				/* XXX Could send notification back */
+				return FALSE;
+			}
+		}
+		break;
+
+	case ID_USER_FQDN:
+		if (memchr(id_pbs->cur, '@', pbs_left(id_pbs)) == NULL)
+		{
+			loglog(RC_LOG_SERIOUS, "peer's ID_USER_FQDN contains no @");
+			return FALSE;
+		}
+		/* FALLTHROUGH */
+	case ID_FQDN:
+		if (memchr(id_pbs->cur, '\0', pbs_left(id_pbs)) != NULL)
+		{
+			loglog(RC_LOG_SERIOUS, "Phase 1 ID Payload of type %s contains a NUL"
+				, enum_show(&ident_names, peer->kind));
+			return FALSE;
+		}
 
-	setchunk(peer->name, id_pbs->cur, pbs_left(id_pbs));
-	break;
+		/* ??? ought to do some more sanity check, but what? */
 
-    case ID_KEY_ID:
-	setchunk(peer->name, id_pbs->cur, pbs_left(id_pbs));
-	DBG(DBG_PARSING,
- 	    DBG_dump_chunk("KEY ID:", peer->name));
-	break;
+		peer->name = chunk_create(id_pbs->cur, pbs_left(id_pbs));
+		break;
 
-    case ID_DER_ASN1_DN:
-	setchunk(peer->name, id_pbs->cur, pbs_left(id_pbs));
- 	DBG(DBG_PARSING,
- 	    DBG_dump_chunk("DER ASN1 DN:", peer->name));
-	break;
+	case ID_KEY_ID:
+		peer->name = chunk_create(id_pbs->cur, pbs_left(id_pbs));
+		DBG(DBG_PARSING,
+			DBG_dump_chunk("KEY ID:", peer->name));
+		break;
 
-    default:
-	/* XXX Could send notification back */
-	loglog(RC_LOG_SERIOUS, "Unacceptable identity type (%s) in Phase 1 ID Payload"
-	    , enum_show(&ident_names, peer->kind));
-	return FALSE;
-    }
+	case ID_DER_ASN1_DN:
+		peer->name = chunk_create(id_pbs->cur, pbs_left(id_pbs));
+		DBG(DBG_PARSING,
+			DBG_dump_chunk("DER ASN1 DN:", peer->name));
+		break;
 
-    {
-	char buf[BUF_LEN];
+	default:
+		/* XXX Could send notification back */
+		loglog(RC_LOG_SERIOUS, "Unacceptable identity type (%s) in Phase 1 ID Payload"
+			, enum_show(&ident_names, peer->kind));
+		return FALSE;
+	}
 
-	idtoa(peer, buf, sizeof(buf));
-	plog("Peer ID is %s: '%s'",
-	    enum_show(&ident_names, id->isaid_idtype), buf);
-    }
+	{
+		char buf[BUF_LEN];
 
-    /* check for certificates */
-    decode_cert(md);
-    return TRUE;
+		idtoa(peer, buf, sizeof(buf));
+		plog("Peer ID is %s: '%s'",
+			enum_show(&ident_names, id->isaid_idtype), buf);
+	}
+
+	/* check for certificates */
+	decode_cert(md);
+	return TRUE;
 }
 
 /* Now that we've decoded the ID payload, let's see if we
@@ -2454,111 +2298,111 @@ decode_peer_id(struct msg_digest *md, struct id *peer)
  * - if the initiation was explicit, we'd be ignoring user's intent
  * - if opportunistic, we'll lose our HOLD info
  */
-static bool
-switch_connection(struct msg_digest *md, struct id *peer, bool initiator)
+static bool switch_connection(struct msg_digest *md, struct id *peer,
+							  bool initiator)
 {
-    struct state *const st = md->st;
-    struct connection *c = st->st_connection;
+	struct state *const st = md->st;
+	struct connection *c = st->st_connection;
 
-    chunk_t peer_ca = (st->st_peer_pubkey != NULL)
-    		     ? st->st_peer_pubkey->issuer : empty_chunk;
+	chunk_t peer_ca = (st->st_peer_pubkey != NULL)
+					 ? st->st_peer_pubkey->issuer : chunk_empty;
 
-    DBG(DBG_CONTROL,
-	char buf[BUF_LEN];
-
-	dntoa_or_null(buf, BUF_LEN, peer_ca, "%none");
-	DBG_log("peer CA:      '%s'", buf);
-    )
+	DBG(DBG_CONTROL,
+		char buf[BUF_LEN];
 
-    if (initiator)
-    {
-	int pathlen;
+		dntoa_or_null(buf, BUF_LEN, peer_ca, "%none");
+		DBG_log("peer CA:      '%s'", buf);
+	)
 
-	if (!same_id(&c->spd.that.id, peer))
+	if (initiator)
 	{
-	    char expect[BUF_LEN]
-		, found[BUF_LEN];
+		int pathlen;
 
-	    idtoa(&c->spd.that.id, expect, sizeof(expect));
-	    idtoa(peer, found, sizeof(found));
-	    loglog(RC_LOG_SERIOUS
-		, "we require peer to have ID '%s', but peer declares '%s'"
-		, expect, found);
-	    return FALSE;
-	}
+		if (!same_id(&c->spd.that.id, peer))
+		{
+			char expect[BUF_LEN]
+				, found[BUF_LEN];
+
+			idtoa(&c->spd.that.id, expect, sizeof(expect));
+			idtoa(peer, found, sizeof(found));
+			loglog(RC_LOG_SERIOUS
+				, "we require peer to have ID '%s', but peer declares '%s'"
+				, expect, found);
+			return FALSE;
+		}
 
-	DBG(DBG_CONTROL,
-	    char buf[BUF_LEN];
+		DBG(DBG_CONTROL,
+			char buf[BUF_LEN];
 
-	    dntoa_or_null(buf, BUF_LEN, c->spd.that.ca, "%none");
-	    DBG_log("required CA:  '%s'", buf);
-        )
+			dntoa_or_null(buf, BUF_LEN, c->spd.that.ca, "%none");
+			DBG_log("required CA:  '%s'", buf);
+		)
 
-	if (!trusted_ca(peer_ca, c->spd.that.ca, &pathlen))
-	{
-	    loglog(RC_LOG_SERIOUS
-		, "we don't accept the peer's CA");
-	    return FALSE;
+		if (!trusted_ca(peer_ca, c->spd.that.ca, &pathlen))
+		{
+			loglog(RC_LOG_SERIOUS
+				, "we don't accept the peer's CA");
+			return FALSE;
+		}
 	}
-    }
-    else
-    {
-	struct connection *r;
+	else
+	{
+		struct connection *r;
 
-	/* check for certificate requests */
-	decode_cr(md, c);
+		/* check for certificate requests */
+		decode_cr(md, c);
 
-	r = refine_host_connection(st, peer, peer_ca);
+		r = refine_host_connection(st, peer, peer_ca);
 
-	/* delete the collected certificate requests */
-	free_generalNames(c->requested_ca, TRUE);
-	c->requested_ca = NULL;
+		/* delete the collected certificate requests */
+		free_generalNames(c->requested_ca, TRUE);
+		c->requested_ca = NULL;
 
-	if (r == NULL)
-	{
-	    char buf[BUF_LEN];
+		if (r == NULL)
+		{
+			char buf[BUF_LEN];
 
-	    idtoa(peer, buf, sizeof(buf));
-	    loglog(RC_LOG_SERIOUS, "no suitable connection for peer '%s'", buf);
-	    return FALSE;
-	}
+			idtoa(peer, buf, sizeof(buf));
+			loglog(RC_LOG_SERIOUS, "no suitable connection for peer '%s'", buf);
+			return FALSE;
+		}
 
-	DBG(DBG_CONTROL,
-	    char buf[BUF_LEN];
+		DBG(DBG_CONTROL,
+			char buf[BUF_LEN];
 
-	    dntoa_or_null(buf, BUF_LEN, r->spd.this.ca, "%none");
-	    DBG_log("offered CA:   '%s'", buf);
-	)
+			dntoa_or_null(buf, BUF_LEN, r->spd.this.ca, "%none");
+			DBG_log("offered CA:   '%s'", buf);
+		)
 
-	if (r != c)
-	{
-	    /* apparently, r is an improvement on c -- replace */
+		if (r != c)
+		{
+			/* apparently, r is an improvement on c -- replace */
 
-	    DBG(DBG_CONTROL
-		, DBG_log("switched from \"%s\" to \"%s\"", c->name, r->name));
-	    if (r->kind == CK_TEMPLATE)
-	    {
-		/* instantiate it, filling in peer's ID */
-		r = rw_instantiate(r, &c->spd.that.host_addr
-			, c->spd.that.host_port, NULL, peer);
-	    }
+			DBG(DBG_CONTROL
+				, DBG_log("switched from \"%s\" to \"%s\"", c->name, r->name));
+			if (r->kind == CK_TEMPLATE)
+			{
+				/* instantiate it, filling in peer's ID */
+				r = rw_instantiate(r, &c->spd.that.host_addr
+						, c->spd.that.host_port, NULL, peer);
+			}
 
-	    /* copy certificate request info */
-	    r->got_certrequest = c->got_certrequest;
+			/* copy certificate request info */
+			r->got_certrequest = c->got_certrequest;
 
-	    st->st_connection = r;	/* kill reference to c */
-	    set_cur_connection(r);
-	    connection_discard(c);
-	}
-	else if (c->spd.that.has_id_wildcards)
-	{
-	    free_id_content(&c->spd.that.id);
-	    c->spd.that.id = *peer;
-	    c->spd.that.has_id_wildcards = FALSE;
-	    unshare_id_content(&c->spd.that.id);
+			st->st_connection = r;      /* kill reference to c */
+			set_cur_connection(r);
+			connection_discard(c);
+		}
+		else if (c->spd.that.has_id_wildcards)
+		{
+			free_id_content(&c->spd.that.id);
+			c->spd.that.id = *peer;
+			c->spd.that.has_id_wildcards = FALSE;
+			unshare_id_content(&c->spd.that.id);
+		}
 	}
-    }
-    return TRUE;
+	return TRUE;
 }
 
 /* Decode the variable part of an ID packet (during Quick Mode).
@@ -2566,227 +2410,218 @@ switch_connection(struct msg_digest *md, struct id *peer, bool initiator)
  * Rejects 0.0.0.0/32 or IPv6 equivalent because
  * (1) it is wrong and (2) we use this value for inband signalling.
  */
-static bool
-decode_net_id(struct isakmp_ipsec_id *id
-, pb_stream *id_pbs
-, ip_subnet *net
-, const char *which)
+static bool decode_net_id(struct isakmp_ipsec_id *id, pb_stream *id_pbs,
+						  ip_subnet *net, const char *which)
 {
-    const struct af_info *afi = NULL;
+	const struct af_info *afi = NULL;
 
-    /* Note: the following may be a pointer into static memory
-     * that may be recycled, but only if the type is not known.
-     * That case is disposed of very early -- in the first switch.
-     */
-    const char *idtypename = enum_show(&ident_names, id->isaiid_idtype);
+	/* Note: the following may be a pointer into static memory
+	 * that may be recycled, but only if the type is not known.
+	 * That case is disposed of very early -- in the first switch.
+	 */
+	const char *idtypename = enum_show(&ident_names, id->isaiid_idtype);
 
-    switch (id->isaiid_idtype)
-    {
-	case ID_IPV4_ADDR:
-	case ID_IPV4_ADDR_SUBNET:
-	case ID_IPV4_ADDR_RANGE:
-	    afi = &af_inet4_info;
-	    break;
-	case ID_IPV6_ADDR:
-	case ID_IPV6_ADDR_SUBNET:
-	case ID_IPV6_ADDR_RANGE:
-	    afi = &af_inet6_info;
-	    break;
-	case ID_FQDN:
-	    return TRUE;
-	default:
-	    /* XXX support more */
-	    loglog(RC_LOG_SERIOUS, "unsupported ID type %s"
-		, idtypename);
-	    /* XXX Could send notification back */
-	    return FALSE;
-    }
-
-    switch (id->isaiid_idtype)
-    {
-	case ID_IPV4_ADDR:
-	case ID_IPV6_ADDR:
+	switch (id->isaiid_idtype)
 	{
-	    ip_address temp_address;
-	    err_t ugh;
-
-	    ugh = initaddr(id_pbs->cur, pbs_left(id_pbs), afi->af, &temp_address);
-
-	    if (ugh != NULL)
-	    {
-		loglog(RC_LOG_SERIOUS, "%s ID payload %s has wrong length in Quick I1 (%s)"
-		    , which, idtypename, ugh);
-		/* XXX Could send notification back */
-		return FALSE;
-	    }
-	    if (isanyaddr(&temp_address))
-	    {
-		loglog(RC_LOG_SERIOUS, "%s ID payload %s is invalid (%s) in Quick I1"
-		    , which, idtypename, ip_str(&temp_address));
-		/* XXX Could send notification back */
-		return FALSE;
-	    }
-	    happy(addrtosubnet(&temp_address, net));
-	    DBG(DBG_PARSING | DBG_CONTROL
-		, DBG_log("%s is %s", which, ip_str(&temp_address)));
-	    break;
+		case ID_IPV4_ADDR:
+		case ID_IPV4_ADDR_SUBNET:
+		case ID_IPV4_ADDR_RANGE:
+			afi = &af_inet4_info;
+			break;
+		case ID_IPV6_ADDR:
+		case ID_IPV6_ADDR_SUBNET:
+		case ID_IPV6_ADDR_RANGE:
+			afi = &af_inet6_info;
+			break;
+		case ID_FQDN:
+			return TRUE;
+		default:
+			/* XXX support more */
+			loglog(RC_LOG_SERIOUS, "unsupported ID type %s"
+				, idtypename);
+			/* XXX Could send notification back */
+			return FALSE;
 	}
 
-	case ID_IPV4_ADDR_SUBNET:
-	case ID_IPV6_ADDR_SUBNET:
+	switch (id->isaiid_idtype)
 	{
-	    ip_address temp_address, temp_mask;
-	    err_t ugh;
+		case ID_IPV4_ADDR:
+		case ID_IPV6_ADDR:
+		{
+			ip_address temp_address;
+			err_t ugh;
 
-	    if (pbs_left(id_pbs) != 2 * afi->ia_sz)
-	    {
-		loglog(RC_LOG_SERIOUS, "%s ID payload %s wrong length in Quick I1"
-		    , which, idtypename);
-		/* XXX Could send notification back */
-		return FALSE;
-	    }
-	    ugh = initaddr(id_pbs->cur
-		, afi->ia_sz, afi->af, &temp_address);
-	    if (ugh == NULL)
-		ugh = initaddr(id_pbs->cur + afi->ia_sz
-		    , afi->ia_sz, afi->af, &temp_mask);
-	    if (ugh == NULL)
-		ugh = initsubnet(&temp_address, masktocount(&temp_mask)
-		    , '0', net);
-	    if (ugh == NULL && subnetisnone(net))
-		ugh = "contains only anyaddr";
-	    if (ugh != NULL)
-	    {
-		loglog(RC_LOG_SERIOUS, "%s ID payload %s bad subnet in Quick I1 (%s)"
-		    , which, idtypename, ugh);
-		/* XXX Could send notification back */
-		return FALSE;
-	    }
-	    DBG(DBG_PARSING | DBG_CONTROL,
+			ugh = initaddr(id_pbs->cur, pbs_left(id_pbs), afi->af, &temp_address);
+
+			if (ugh != NULL)
+			{
+				loglog(RC_LOG_SERIOUS, "%s ID payload %s has wrong length in Quick I1 (%s)"
+					, which, idtypename, ugh);
+				/* XXX Could send notification back */
+				return FALSE;
+			}
+			if (isanyaddr(&temp_address))
+			{
+				loglog(RC_LOG_SERIOUS, "%s ID payload %s is invalid (%s) in Quick I1"
+					, which, idtypename, ip_str(&temp_address));
+				/* XXX Could send notification back */
+				return FALSE;
+			}
+			happy(addrtosubnet(&temp_address, net));
+			DBG(DBG_PARSING | DBG_CONTROL
+				, DBG_log("%s is %s", which, ip_str(&temp_address)));
+			break;
+		}
+
+		case ID_IPV4_ADDR_SUBNET:
+		case ID_IPV6_ADDR_SUBNET:
 		{
-		    char temp_buff[SUBNETTOT_BUF];
+			ip_address temp_address, temp_mask;
+			err_t ugh;
 
-		    subnettot(net, 0, temp_buff, sizeof(temp_buff));
-		    DBG_log("%s is subnet %s", which, temp_buff);
-		});
-	    break;
-	}
+			if (pbs_left(id_pbs) != 2 * afi->ia_sz)
+			{
+				loglog(RC_LOG_SERIOUS, "%s ID payload %s wrong length in Quick I1"
+					, which, idtypename);
+				/* XXX Could send notification back */
+				return FALSE;
+			}
+			ugh = initaddr(id_pbs->cur
+				, afi->ia_sz, afi->af, &temp_address);
+			if (ugh == NULL)
+				ugh = initaddr(id_pbs->cur + afi->ia_sz
+					, afi->ia_sz, afi->af, &temp_mask);
+			if (ugh == NULL)
+				ugh = initsubnet(&temp_address, masktocount(&temp_mask)
+					, '0', net);
+			if (ugh == NULL && subnetisnone(net))
+				ugh = "contains only anyaddr";
+			if (ugh != NULL)
+			{
+				loglog(RC_LOG_SERIOUS, "%s ID payload %s bad subnet in Quick I1 (%s)"
+					, which, idtypename, ugh);
+				/* XXX Could send notification back */
+				return FALSE;
+			}
+			DBG(DBG_PARSING | DBG_CONTROL,
+				{
+					char temp_buff[SUBNETTOT_BUF];
 
-	case ID_IPV4_ADDR_RANGE:
-	case ID_IPV6_ADDR_RANGE:
-	{
-	    ip_address temp_address_from, temp_address_to;
-	    err_t ugh;
+					subnettot(net, 0, temp_buff, sizeof(temp_buff));
+					DBG_log("%s is subnet %s", which, temp_buff);
+				});
+			break;
+		}
 
-	    if (pbs_left(id_pbs) != 2 * afi->ia_sz)
-	    {
-		loglog(RC_LOG_SERIOUS, "%s ID payload %s wrong length in Quick I1"
-		    , which, idtypename);
-		/* XXX Could send notification back */
-		return FALSE;
-	    }
-	    ugh = initaddr(id_pbs->cur, afi->ia_sz, afi->af, &temp_address_from);
-	    if (ugh == NULL)
-		ugh = initaddr(id_pbs->cur + afi->ia_sz
-		    , afi->ia_sz, afi->af, &temp_address_to);
-	    if (ugh != NULL)
-	    {
-		loglog(RC_LOG_SERIOUS, "%s ID payload %s malformed (%s) in Quick I1"
-		    , which, idtypename, ugh);
-		/* XXX Could send notification back */
-		return FALSE;
-	    }
-
-	    ugh = rangetosubnet(&temp_address_from, &temp_address_to, net);
-	    if (ugh == NULL && subnetisnone(net))
-		ugh = "contains only anyaddr";
-	    if (ugh != NULL)
-	    {
-		char temp_buff1[ADDRTOT_BUF], temp_buff2[ADDRTOT_BUF];
-
-		addrtot(&temp_address_from, 0, temp_buff1, sizeof(temp_buff1));
-		addrtot(&temp_address_to, 0, temp_buff2, sizeof(temp_buff2));
-		loglog(RC_LOG_SERIOUS, "%s ID payload in Quick I1, %s"
-		    " %s - %s unacceptable: %s"
-		    , which, idtypename, temp_buff1, temp_buff2, ugh);
-		return FALSE;
-	    }
-	    DBG(DBG_PARSING | DBG_CONTROL,
+		case ID_IPV4_ADDR_RANGE:
+		case ID_IPV6_ADDR_RANGE:
 		{
-		    char temp_buff[SUBNETTOT_BUF];
+			ip_address temp_address_from, temp_address_to;
+			err_t ugh;
 
-		    subnettot(net, 0, temp_buff, sizeof(temp_buff));
-		    DBG_log("%s is subnet %s (received as range)"
-			, which, temp_buff);
-		});
-	    break;
+			if (pbs_left(id_pbs) != 2 * afi->ia_sz)
+			{
+				loglog(RC_LOG_SERIOUS, "%s ID payload %s wrong length in Quick I1"
+					, which, idtypename);
+				/* XXX Could send notification back */
+				return FALSE;
+			}
+			ugh = initaddr(id_pbs->cur, afi->ia_sz, afi->af, &temp_address_from);
+			if (ugh == NULL)
+				ugh = initaddr(id_pbs->cur + afi->ia_sz
+					, afi->ia_sz, afi->af, &temp_address_to);
+			if (ugh != NULL)
+			{
+				loglog(RC_LOG_SERIOUS, "%s ID payload %s malformed (%s) in Quick I1"
+					, which, idtypename, ugh);
+				/* XXX Could send notification back */
+				return FALSE;
+			}
+
+			ugh = rangetosubnet(&temp_address_from, &temp_address_to, net);
+			if (ugh == NULL && subnetisnone(net))
+				ugh = "contains only anyaddr";
+			if (ugh != NULL)
+			{
+				char temp_buff1[ADDRTOT_BUF], temp_buff2[ADDRTOT_BUF];
+
+				addrtot(&temp_address_from, 0, temp_buff1, sizeof(temp_buff1));
+				addrtot(&temp_address_to, 0, temp_buff2, sizeof(temp_buff2));
+				loglog(RC_LOG_SERIOUS, "%s ID payload in Quick I1, %s"
+					" %s - %s unacceptable: %s"
+					, which, idtypename, temp_buff1, temp_buff2, ugh);
+				return FALSE;
+			}
+			DBG(DBG_PARSING | DBG_CONTROL,
+				{
+					char temp_buff[SUBNETTOT_BUF];
+
+					subnettot(net, 0, temp_buff, sizeof(temp_buff));
+					DBG_log("%s is subnet %s (received as range)"
+						, which, temp_buff);
+				});
+			break;
+		}
 	}
-    }
 
-    /* set the port selector */
-    setportof(htons(id->isaiid_port), &net->addr);
+	/* set the port selector */
+	setportof(htons(id->isaiid_port), &net->addr);
 
-    DBG(DBG_PARSING | DBG_CONTROL,
-        DBG_log("%s protocol/port is %d/%d", which, id->isaiid_protoid, id->isaiid_port)
-    )
+	DBG(DBG_PARSING | DBG_CONTROL,
+		DBG_log("%s protocol/port is %d/%d", which, id->isaiid_protoid, id->isaiid_port)
+	)
 
-    return TRUE;
+	return TRUE;
 }
 
 /* like decode, but checks that what is received matches what was sent */
-static bool
-
-check_net_id(struct isakmp_ipsec_id *id
-, pb_stream *id_pbs
-, u_int8_t *protoid
-, u_int16_t *port
-, ip_subnet *net
-, const char *which)
+static bool check_net_id(struct isakmp_ipsec_id *id, pb_stream *id_pbs,
+						 u_int8_t *protoid, u_int16_t *port, ip_subnet *net,
+						 const char *which)
 {
-    ip_subnet net_temp;
+	ip_subnet net_temp;
 
-    if (!decode_net_id(id, id_pbs, &net_temp, which))
-	return FALSE;
+	if (!decode_net_id(id, id_pbs, &net_temp, which))
+		return FALSE;
 
-    if (!samesubnet(net, &net_temp)
-    || *protoid != id->isaiid_protoid || *port != id->isaiid_port)
-    {
-	loglog(RC_LOG_SERIOUS, "%s ID returned doesn't match my proposal", which);
-	return FALSE;
-    }
-    return TRUE;
+	if (!samesubnet(net, &net_temp)
+	|| *protoid != id->isaiid_protoid || *port != id->isaiid_port)
+	{
+		loglog(RC_LOG_SERIOUS, "%s ID returned doesn't match my proposal", which);
+		return FALSE;
+	}
+	return TRUE;
 }
 
 /*
  * look for the existence of a non-expiring preloaded public key
  */
-static bool
-has_preloaded_public_key(struct state *st)
+static bool has_preloaded_public_key(struct state *st)
 {
-    struct connection *c = st->st_connection;
+	struct connection *c = st->st_connection;
 
-    /* do not consider rw connections since
-     * the peer's identity must be known
-     */
-    if (c->kind == CK_PERMANENT)
-    {
-	pubkey_list_t *p;
-
-	/* look for a matching RSA public key */
-	for (p = pubkeys; p != NULL; p = p->next)
+	/* do not consider rw connections since
+	 * the peer's identity must be known
+	 */
+	if (c->kind == CK_PERMANENT)
 	{
-	    pubkey_t *key = p->key;
+		pubkey_list_t *p;
 
-	    if (key->alg == PUBKEY_ALG_RSA &&
-		same_id(&c->spd.that.id, &key->id) &&
-		key->until_time == UNDEFINED_TIME)
-	    {
-		/* found a preloaded public key */
-		return TRUE;
-	    }
+		/* look for a matching RSA public key */
+		for (p = pubkeys; p != NULL; p = p->next)
+		{
+			pubkey_t *key = p->key;
+			key_type_t type = key->public_key->get_type(key->public_key);
+
+			if (type == KEY_RSA && same_id(&c->spd.that.id, &key->id) &&
+				key->until_time == UNDEFINED_TIME)
+			{
+				/* found a preloaded public key */
+				return TRUE;
+			}
+		}
 	}
-    }
-    return FALSE;
+	return FALSE;
 }
 
 /*
@@ -2794,161 +2629,181 @@ has_preloaded_public_key(struct state *st)
  * RFC 2409 "IKE" section 5.5
  * specifies how this is to be done.
  */
-static void
-compute_proto_keymat(struct state *st
-, u_int8_t protoid
-, struct ipsec_proto_info *pi)
+static void compute_proto_keymat(struct state *st, u_int8_t protoid,
+								 struct ipsec_proto_info *pi)
 {
-    size_t needed_len = 0; /* bytes of keying material needed */
-
-    /* Add up the requirements for keying material
-     * (It probably doesn't matter if we produce too much!)
-     */
-    switch (protoid)
-    {
-    case PROTO_IPSEC_ESP:
-	    switch (pi->attrs.transid)
-	    {
-	    case ESP_NULL:
-		needed_len = 0;
-		break;
-	    case ESP_DES:
-		needed_len = DES_CBC_BLOCK_SIZE;
-		break;
-	    case ESP_3DES:
-		needed_len = DES_CBC_BLOCK_SIZE * 3;
-		break;
-	    default:
+	size_t needed_len = 0; /* bytes of keying material needed */
+
+	/* Add up the requirements for keying material
+	 * (It probably doesn't matter if we produce too much!)
+	 */
+	switch (protoid)
+	{
+	case PROTO_IPSEC_ESP:
+			switch (pi->attrs.transid)
+			{
+			case ESP_NULL:
+				needed_len = 0;
+				break;
+			case ESP_DES:
+				needed_len = DES_CBC_BLOCK_SIZE;
+				break;
+			case ESP_3DES:
+				needed_len = DES_CBC_BLOCK_SIZE * 3;
+				break;
+			default:
 #ifndef NO_KERNEL_ALG
-		if((needed_len=kernel_alg_esp_enc_keylen(pi->attrs.transid))>0) {
-			/* XXX: check key_len "coupling with kernel.c's */
-			if (pi->attrs.key_len) {
-				needed_len=pi->attrs.key_len/8;
-				DBG(DBG_PARSING, DBG_log("compute_proto_keymat:"
-						"key_len=%d from peer",
-						(int)needed_len));
-			}
-			break;
-		}
+				if((needed_len=kernel_alg_esp_enc_keylen(pi->attrs.transid))>0) {
+						/* XXX: check key_len "coupling with kernel.c's */
+						if (pi->attrs.key_len) {
+								needed_len=pi->attrs.key_len/8;
+								DBG(DBG_PARSING, DBG_log("compute_proto_keymat:"
+												"key_len=%d from peer",
+												(int)needed_len));
+						}
+						break;
+				}
 #endif
-		bad_case(pi->attrs.transid);
-	    }
+				bad_case(pi->attrs.transid);
+			}
 
 #ifndef NO_KERNEL_ALG
-	    DBG(DBG_PARSING, DBG_log("compute_proto_keymat:"
-				    "needed_len (after ESP enc)=%d",
-				    (int)needed_len));
-	    if (kernel_alg_esp_auth_ok(pi->attrs.auth, NULL)) {
-		needed_len += kernel_alg_esp_auth_keylen(pi->attrs.auth);
-	    } else
+			DBG(DBG_PARSING, DBG_log("compute_proto_keymat:"
+									"needed_len (after ESP enc)=%d",
+									(int)needed_len));
+			if (kernel_alg_esp_auth_ok(pi->attrs.auth, NULL)) {
+				needed_len += kernel_alg_esp_auth_keylen(pi->attrs.auth);
+			} else
 #endif
-	    switch (pi->attrs.auth)
-	    {
-	    case AUTH_ALGORITHM_NONE:
-		break;
-	    case AUTH_ALGORITHM_HMAC_MD5:
-		needed_len += HMAC_MD5_KEY_LEN;
-		break;
-	    case AUTH_ALGORITHM_HMAC_SHA1:
-		needed_len += HMAC_SHA1_KEY_LEN;
-		break;
-	    case AUTH_ALGORITHM_DES_MAC:
-	    default:
-		bad_case(pi->attrs.auth);
-	    }
-	    DBG(DBG_PARSING, DBG_log("compute_proto_keymat:"
-				    "needed_len (after ESP auth)=%d",
-				    (int)needed_len));
-	    break;
-
-    case PROTO_IPSEC_AH:
-	    switch (pi->attrs.transid)
-	    {
-	    case AH_MD5:
-		needed_len = HMAC_MD5_KEY_LEN;
-		break;
-	    case AH_SHA:
-		needed_len = HMAC_SHA1_KEY_LEN;
-		break;
-	    default:
-		bad_case(pi->attrs.transid);
-	    }
-	    break;
-
-    default:
-	bad_case(protoid);
-    }
-
-    pi->keymat_len = needed_len;
-
-    /* Allocate space for the keying material.
-     * Although only needed_len bytes are desired, we
-     * must round up to a multiple of ctx.hmac_digest_size
-     * so that our buffer isn't overrun.
-     */
-    {
-	struct hmac_ctx ctx_me, ctx_peer;
-	size_t needed_space;	/* space needed for keying material (rounded up) */
-	size_t i;
-
-	hmac_init_chunk(&ctx_me, st->st_oakley.hasher, st->st_skeyid_d);
-	ctx_peer = ctx_me;	/* duplicate initial conditions */
-
-	needed_space = needed_len + pad_up(needed_len, ctx_me.hmac_digest_size);
-	replace(pi->our_keymat, alloc_bytes(needed_space, "keymat in compute_keymat()"));
-	replace(pi->peer_keymat, alloc_bytes(needed_space, "peer_keymat in quick_inI1_outR1()"));
-
-	for (i = 0;; )
-	{
-	    if (st->st_shared.ptr != NULL)
-	    {
-		/* PFS: include the g^xy */
-		hmac_update_chunk(&ctx_me, st->st_shared);
-		hmac_update_chunk(&ctx_peer, st->st_shared);
-	    }
-	    hmac_update(&ctx_me, &protoid, sizeof(protoid));
-	    hmac_update(&ctx_peer, &protoid, sizeof(protoid));
-
-	    hmac_update(&ctx_me, (u_char *)&pi->our_spi, sizeof(pi->our_spi));
-	    hmac_update(&ctx_peer, (u_char *)&pi->attrs.spi, sizeof(pi->attrs.spi));
-
-	    hmac_update_chunk(&ctx_me, st->st_ni);
-	    hmac_update_chunk(&ctx_peer, st->st_ni);
-
-	    hmac_update_chunk(&ctx_me, st->st_nr);
-	    hmac_update_chunk(&ctx_peer, st->st_nr);
-
-	    hmac_final(pi->our_keymat + i, &ctx_me);
-	    hmac_final(pi->peer_keymat + i, &ctx_peer);
-
-	    i += ctx_me.hmac_digest_size;
-	    if (i >= needed_space)
-		break;
+			switch (pi->attrs.auth)
+			{
+			case AUTH_ALGORITHM_NONE:
+				break;
+			case AUTH_ALGORITHM_HMAC_MD5:
+				needed_len += HMAC_MD5_KEY_LEN;
+				break;
+			case AUTH_ALGORITHM_HMAC_SHA1:
+				needed_len += HMAC_SHA1_KEY_LEN;
+				break;
+			case AUTH_ALGORITHM_DES_MAC:
+			default:
+				bad_case(pi->attrs.auth);
+			}
+			DBG(DBG_PARSING, DBG_log("compute_proto_keymat:"
+									"needed_len (after ESP auth)=%d",
+									(int)needed_len));
+			break;
+
+	case PROTO_IPSEC_AH:
+			switch (pi->attrs.transid)
+			{
+			case AH_MD5:
+				needed_len = HMAC_MD5_KEY_LEN;
+				break;
+			case AH_SHA:
+				needed_len = HMAC_SHA1_KEY_LEN;
+				break;
+			default:
+				bad_case(pi->attrs.transid);
+			}
+			break;
 
-	    /* more keying material needed: prepare to go around again */
+	default:
+		bad_case(protoid);
+	}
 
-	    hmac_reinit(&ctx_me);
-	    hmac_reinit(&ctx_peer);
+	pi->keymat_len = needed_len;
 
-	    hmac_update(&ctx_me, pi->our_keymat + i - ctx_me.hmac_digest_size
-		, ctx_me.hmac_digest_size);
-	    hmac_update(&ctx_peer, pi->peer_keymat + i - ctx_peer.hmac_digest_size
-		, ctx_peer.hmac_digest_size);
+	/* Allocate space for the keying material. Although only needed_len bytes
+	 * are desired, we must round up to a multiple of hash_size
+	 * so that our buffer isn't overrun.
+	 */
+	{
+		size_t needed_space; /* space needed for keying material (rounded up) */
+		size_t i, prf_block_size;
+		chunk_t protoid_chunk = chunk_from_thing(protoid);
+		chunk_t spi_our =  chunk_from_thing(pi->our_spi);
+		chunk_t spi_peer = chunk_from_thing(pi->attrs.spi);
+		pseudo_random_function_t prf_alg;
+		prf_t *prf_our, *prf_peer;
+
+		prf_alg  = oakley_to_prf(st->st_oakley.hash);
+		prf_our  = lib->crypto->create_prf(lib->crypto, prf_alg);
+		prf_peer = lib->crypto->create_prf(lib->crypto, prf_alg);
+		prf_our->set_key(prf_our, st->st_skeyid_d);
+		prf_peer->set_key(prf_peer, st->st_skeyid_d);
+		prf_block_size = prf_our->get_block_size(prf_our);
+
+		needed_space = needed_len + pad_up(needed_len, prf_block_size);
+		replace(pi->our_keymat, malloc(needed_space));
+		replace(pi->peer_keymat, malloc(needed_space));
+
+		for (i = 0;; )
+		{
+			char *keymat_i_our  = pi->our_keymat + i;
+			char *keymat_i_peer = pi->peer_keymat + i;
+			chunk_t keymat_our  = { keymat_i_our,  prf_block_size };
+			chunk_t keymat_peer = { keymat_i_peer, prf_block_size };
+			
+			if (st->st_shared.ptr != NULL)
+			{
+				/* PFS: include the g^xy */
+				prf_our->get_bytes(prf_our,   st->st_shared, NULL);
+				prf_peer->get_bytes(prf_peer, st->st_shared, NULL);
+			}
+			prf_our->get_bytes(prf_our,   protoid_chunk, NULL);
+			prf_peer->get_bytes(prf_peer, protoid_chunk, NULL);
+
+			prf_our->get_bytes(prf_our,   spi_our,  NULL);
+			prf_peer->get_bytes(prf_peer, spi_peer, NULL);
+
+			prf_our->get_bytes(prf_our,   st->st_ni, NULL);
+			prf_peer->get_bytes(prf_peer, st->st_ni, NULL);
+
+			prf_our->get_bytes(prf_our,   st->st_nr, keymat_i_our);
+			prf_peer->get_bytes(prf_peer, st->st_nr, keymat_i_peer);
+
+			i += prf_block_size;
+			if (i >= needed_space)
+			{
+				break;
+			}
+
+			/* more keying material needed: prepare to go around again */
+			prf_our->get_bytes(prf_our,   keymat_our,  NULL);
+			prf_peer->get_bytes(prf_peer, keymat_peer, NULL);
+		}
+		prf_our->destroy(prf_our);
+		prf_peer->destroy(prf_peer);
 	}
-    }
+	DBG(DBG_CRYPT,
+		DBG_dump("KEYMAT computed:\n", pi->our_keymat, pi->keymat_len);
+		DBG_dump("Peer KEYMAT computed:\n", pi->peer_keymat, pi->keymat_len));
+}
 
-    DBG(DBG_CRYPT,
-	DBG_dump("KEYMAT computed:\n", pi->our_keymat, pi->keymat_len);
-	DBG_dump("Peer KEYMAT computed:\n", pi->peer_keymat, pi->keymat_len));
+static void compute_keymats(struct state *st)
+{
+	if (st->st_ah.present)
+		compute_proto_keymat(st, PROTO_IPSEC_AH, &st->st_ah);
+	if (st->st_esp.present)
+		compute_proto_keymat(st, PROTO_IPSEC_ESP, &st->st_esp);
 }
 
-static void
-compute_keymats(struct state *st)
+static bool uses_pubkey_auth(int auth)
 {
-    if (st->st_ah.present)
-	compute_proto_keymat(st, PROTO_IPSEC_AH, &st->st_ah);
-    if (st->st_esp.present)
-	compute_proto_keymat(st, PROTO_IPSEC_ESP, &st->st_esp);
+	switch (auth)
+	{
+		case OAKLEY_RSA_SIG:
+		case OAKLEY_ECDSA_SIG:
+		case OAKLEY_ECDSA_256:
+		case OAKLEY_ECDSA_384:
+		case OAKLEY_ECDSA_521:
+		case XAUTHInitRSA:
+		case XAUTHRespRSA:
+			return TRUE;
+		default:
+			return FALSE;
+	}
 }
 
 /* State Transition Functions.
@@ -2973,261 +2828,272 @@ compute_keymats(struct state *st)
 /* Handle a Main Mode Oakley first packet (responder side).
  * HDR;SA --> HDR;SA
  */
-stf_status
-main_inI1_outR1(struct msg_digest *md)
+stf_status main_inI1_outR1(struct msg_digest *md)
 {
-    struct payload_digest *const sa_pd = md->chain[ISAKMP_NEXT_SA];
-    struct state *st;
-    struct connection *c;
-    struct isakmp_proposal proposal;
-    pb_stream proposal_pbs;
-    pb_stream r_sa_pbs;
-    u_int32_t ipsecdoisit;
-    lset_t policy = LEMPTY;
-    int vids_to_send = 0;
-
-    /* We preparse the peer's proposal in order to determine
-     * the requested authentication policy (RSA or PSK)
-     */
-    RETURN_STF_FAILURE(preparse_isakmp_sa_body(&sa_pd->payload.sa
-	, &sa_pd->pbs, &ipsecdoisit, &proposal_pbs, &proposal));
-
-    backup_pbs(&proposal_pbs);
-    RETURN_STF_FAILURE(parse_isakmp_policy(&proposal_pbs
-		     , proposal.isap_notrans, &policy));
-    restore_pbs(&proposal_pbs);
-
-    /* We are only considering candidate connections that match
-     * the requested authentication policy (RSA or PSK)
-     */
-    c = find_host_connection(&md->iface->addr, pluto_port
-			   , &md->sender, md->sender_port, policy);
-
-    if (c == NULL && md->iface->ike_float)
-    {
-	c = find_host_connection(&md->iface->addr, NAT_T_IKE_FLOAT_PORT
-		, &md->sender, md->sender_port, policy);
-    }
-
-    if (c == NULL)
-    {
-	/* See if a wildcarded connection can be found.
-	 * We cannot pick the right connection, so we're making a guess.
-	 * All Road Warrior connections are fair game:
-	 * we pick the first we come across (if any).
-	 * If we don't find any, we pick the first opportunistic
-	 * with the smallest subnet that includes the peer.
-	 * There is, of course, no necessary relationship between
-	 * an Initiator's address and that of its client,
-	 * but Food Groups kind of assumes one.
+	struct payload_digest *const sa_pd = md->chain[ISAKMP_NEXT_SA];
+	struct state *st;
+	struct connection *c;
+	struct isakmp_proposal proposal;
+	pb_stream proposal_pbs;
+	pb_stream r_sa_pbs;
+	u_int32_t ipsecdoisit;
+	lset_t policy = LEMPTY;
+	int vids_to_send = 0;
+
+	/* We preparse the peer's proposal in order to determine
+	 * the requested authentication policy (RSA or PSK)
+	 */
+	RETURN_STF_FAILURE(preparse_isakmp_sa_body(&sa_pd->payload.sa
+		, &sa_pd->pbs, &ipsecdoisit, &proposal_pbs, &proposal));
+
+	backup_pbs(&proposal_pbs);
+	RETURN_STF_FAILURE(parse_isakmp_policy(&proposal_pbs
+					 , proposal.isap_notrans, &policy));
+	restore_pbs(&proposal_pbs);
+
+	/* We are only considering candidate connections that match
+	 * the requested authentication policy (RSA or PSK)
 	 */
+	c = find_host_connection(&md->iface->addr, pluto_port
+						   , &md->sender, md->sender_port, policy);
+
+	if (c == NULL && md->iface->ike_float)
+	{
+		c = find_host_connection(&md->iface->addr, NAT_T_IKE_FLOAT_PORT
+				, &md->sender, md->sender_port, policy);
+	}
+
+	if (c == NULL)
 	{
-	    struct connection *d;
+		/* See if a wildcarded connection can be found.
+		 * We cannot pick the right connection, so we're making a guess.
+		 * All Road Warrior connections are fair game:
+		 * we pick the first we come across (if any).
+		 * If we don't find any, we pick the first opportunistic
+		 * with the smallest subnet that includes the peer.
+		 * There is, of course, no necessary relationship between
+		 * an Initiator's address and that of its client,
+		 * but Food Groups kind of assumes one.
+		 */
+		{
+			struct connection *d;
 
-	    d = find_host_connection(&md->iface->addr
-		, pluto_port, (ip_address*)NULL, md->sender_port, policy);
+			d = find_host_connection(&md->iface->addr
+				, pluto_port, (ip_address*)NULL, md->sender_port, policy);
+
+			for (; d != NULL; d = d->hp_next)
+			{
+				if (d->kind == CK_GROUP)
+				{
+					/* ignore */
+				}
+				else
+				{
+					if (d->kind == CK_TEMPLATE && !(d->policy & POLICY_OPPO))
+					{
+						/* must be Road Warrior: we have a winner */
+						c = d;
+						break;
+					}
+
+					/* Opportunistic or Shunt: pick tightest match */
+					if (addrinsubnet(&md->sender, &d->spd.that.client)
+					&& (c == NULL || !subnetinsubnet(&c->spd.that.client, &d->spd.that.client)))
+						c = d;
+				}
+			}
+		}
 
-	    for (; d != NULL; d = d->hp_next)
-	    {
-		if (d->kind == CK_GROUP)
+		if (c == NULL)
 		{
-		    /* ignore */
+			loglog(RC_LOG_SERIOUS, "initial Main Mode message received on %s:%u"
+				" but no connection has been authorized%s%s"
+				, ip_str(&md->iface->addr), ntohs(portof(&md->iface->addr))
+				, (policy != LEMPTY) ? " with policy=" : ""
+				, (policy != LEMPTY) ? bitnamesof(sa_policy_bit_names, policy) : "");
+			/* XXX notification is in order! */
+			return STF_IGNORE;
+		}
+		else if (c->kind != CK_TEMPLATE)
+		{
+			loglog(RC_LOG_SERIOUS, "initial Main Mode message received on %s:%u"
+				" but \"%s\" forbids connection"
+				, ip_str(&md->iface->addr), pluto_port, c->name);
+			/* XXX notification is in order! */
+			return STF_IGNORE;
 		}
 		else
 		{
-		    if (d->kind == CK_TEMPLATE && !(d->policy & POLICY_OPPO))
-		    {
-			/* must be Road Warrior: we have a winner */
-			c = d;
-			break;
-		    }
-
-		    /* Opportunistic or Shunt: pick tightest match */
-		    if (addrinsubnet(&md->sender, &d->spd.that.client)
-		    && (c == NULL || !subnetinsubnet(&c->spd.that.client, &d->spd.that.client)))
-			c = d;
+			/* Create a temporary connection that is a copy of this one.
+			 * His ID isn't declared yet.
+			 */
+			c = rw_instantiate(c, &md->sender, md->sender_port, NULL, NULL);
 		}
-	    }
+	}
+	else if (c->kind == CK_TEMPLATE)
+	{
+		/* Create an instance
+		 * This is a rare case: wildcard peer ID but static peer IP address
+		 */
+		 c = rw_instantiate(c, &md->sender, md->sender_port, NULL, &c->spd.that.id);
 	}
 
-	if (c == NULL)
+	/* Set up state */
+	md->st = st = new_state();
+	st->st_connection = c;
+	set_cur_state(st);  /* (caller will reset cur_state) */
+	st->st_try = 0;     /* not our job to try again from start */
+	st->st_policy = c->policy & ~POLICY_IPSEC_MASK;     /* only as accurate as connection */
+
+	memcpy(st->st_icookie, md->hdr.isa_icookie, COOKIE_SIZE);
+	get_cookie(FALSE, st->st_rcookie, COOKIE_SIZE, &md->sender);
+
+	insert_state(st);   /* needs cookies, connection, and msgid (0) */
+
+	st->st_doi = ISAKMP_DOI_IPSEC;
+	st->st_situation = SIT_IDENTITY_ONLY; /* We only support this */
+
+	if ((c->kind == CK_INSTANCE) && (c->spd.that.host_port != pluto_port))
 	{
-	    loglog(RC_LOG_SERIOUS, "initial Main Mode message received on %s:%u"
-		" but no connection has been authorized%s%s"
-		, ip_str(&md->iface->addr), ntohs(portof(&md->iface->addr))
-		, (policy != LEMPTY) ? " with policy=" : ""
-		, (policy != LEMPTY) ? bitnamesof(sa_policy_bit_names, policy) : "");
-	    /* XXX notification is in order! */
-	    return STF_IGNORE;
+	   plog("responding to Main Mode from unknown peer %s:%u"
+			, ip_str(&c->spd.that.host_addr), c->spd.that.host_port);
 	}
-	else if (c->kind != CK_TEMPLATE)
+	else if (c->kind == CK_INSTANCE)
 	{
-	    loglog(RC_LOG_SERIOUS, "initial Main Mode message received on %s:%u"
-		" but \"%s\" forbids connection"
-		, ip_str(&md->iface->addr), pluto_port, c->name);
-	    /* XXX notification is in order! */
-	    return STF_IGNORE;
+		plog("responding to Main Mode from unknown peer %s"
+			, ip_str(&c->spd.that.host_addr));
 	}
 	else
 	{
-	    /* Create a temporary connection that is a copy of this one.
-	     * His ID isn't declared yet.
-	     */
-	    c = rw_instantiate(c, &md->sender, md->sender_port, NULL, NULL);
+		plog("responding to Main Mode");
 	}
-    }
-    else if (c->kind == CK_TEMPLATE)
-    {
-	/* Create an instance
-	 * This is a rare case: wildcard peer ID but static peer IP address
-	 */
-	 c = rw_instantiate(c, &md->sender, md->sender_port, NULL, &c->spd.that.id);
-    }
-
-    /* Set up state */
-    md->st = st = new_state();
-    st->st_connection = c;
-    set_cur_state(st);	/* (caller will reset cur_state) */
-    st->st_try = 0;	/* not our job to try again from start */
-    st->st_policy = c->policy & ~POLICY_IPSEC_MASK;	/* only as accurate as connection */
-
-    memcpy(st->st_icookie, md->hdr.isa_icookie, COOKIE_SIZE);
-    get_cookie(FALSE, st->st_rcookie, COOKIE_SIZE, &md->sender);
-
-    insert_state(st);	/* needs cookies, connection, and msgid (0) */
-
-    st->st_doi = ISAKMP_DOI_IPSEC;
-    st->st_situation = SIT_IDENTITY_ONLY; /* We only support this */
-
-    if ((c->kind == CK_INSTANCE) && (c->spd.that.host_port != pluto_port))
-    {
-       plog("responding to Main Mode from unknown peer %s:%u"
-	    , ip_str(&c->spd.that.host_addr), c->spd.that.host_port);
-    }
-    else if (c->kind == CK_INSTANCE)
-    {
-	plog("responding to Main Mode from unknown peer %s"
-	    , ip_str(&c->spd.that.host_addr));
-    }
-    else
-    {
-	plog("responding to Main Mode");
-    }
-
-    /* parse_isakmp_sa also spits out a winning SA into our reply,
-     * so we have to build our md->reply and emit HDR before calling it.
-     */
-
-    /* determine how many Vendor ID payloads we will be sending */
-    if (SEND_PLUTO_VID)
-	vids_to_send++;
-    if (SEND_CISCO_UNITY_VID)
-	vids_to_send++;
-    if (md->openpgp)
-	vids_to_send++;
-    if (SEND_XAUTH_VID)
-	vids_to_send++;
-    /* always send DPD Vendor ID */
-	vids_to_send++;
-    if (md->nat_traversal_vid && nat_traversal_enabled)
-	vids_to_send++;
-
-    /* HDR out.
-     * We can't leave this to comm_handle() because we must
-     * fill in the cookie.
-     */
-    {
-	struct isakmp_hdr r_hdr = md->hdr;
-
-	r_hdr.isa_flags &= ~ISAKMP_FLAG_COMMIT;	/* we won't ever turn on this bit */
-	memcpy(r_hdr.isa_rcookie, st->st_rcookie, COOKIE_SIZE);
-	r_hdr.isa_np = ISAKMP_NEXT_SA;
-	if (!out_struct(&r_hdr, &isakmp_hdr_desc, &md->reply, &md->rbody))
-	    return STF_INTERNAL_ERROR;
-    }
 
-    /* start of SA out */
-    {
-	struct isakmp_sa r_sa = sa_pd->payload.sa;
+	/* parse_isakmp_sa also spits out a winning SA into our reply,
+	 * so we have to build our md->reply and emit HDR before calling it.
+	 */
 
-	r_sa.isasa_np = vids_to_send-- ? ISAKMP_NEXT_VID : ISAKMP_NEXT_NONE;
+	/* determine how many Vendor ID payloads we will be sending */
+	if (SEND_PLUTO_VID)
+	{
+		vids_to_send++;
+	}
+	if (SEND_CISCO_UNITY_VID)
+	{
+		vids_to_send++;
+	}
+	if (md->openpgp)
+	{
+		vids_to_send++;
+	}
+	if (SEND_XAUTH_VID)
+	{
+		vids_to_send++;
+	}
+	/* always send DPD Vendor ID */
+		vids_to_send++;
+	if (md->nat_traversal_vid && nat_traversal_enabled)
+	{
+		vids_to_send++;
+	}
 
-	if (!out_struct(&r_sa, &isakmp_sa_desc, &md->rbody, &r_sa_pbs))
-	    return STF_INTERNAL_ERROR;
-    }
+	/* HDR out.
+	 * We can't leave this to comm_handle() because we must
+	 * fill in the cookie.
+	 */
+	{
+		struct isakmp_hdr r_hdr = md->hdr;
 
-    /* SA body in and out */
-    RETURN_STF_FAILURE(parse_isakmp_sa_body(ipsecdoisit, &proposal_pbs
-	,&proposal, &r_sa_pbs, st, FALSE));
+		r_hdr.isa_flags &= ~ISAKMP_FLAG_COMMIT; /* we won't ever turn on this bit */
+		memcpy(r_hdr.isa_rcookie, st->st_rcookie, COOKIE_SIZE);
+		r_hdr.isa_np = ISAKMP_NEXT_SA;
+		if (!out_struct(&r_hdr, &isakmp_hdr_desc, &md->reply, &md->rbody))
+			return STF_INTERNAL_ERROR;
+	}
 
-    /* if enabled send Pluto Vendor ID */
-    if (SEND_PLUTO_VID)
-    {
-	if (!out_vendorid(vids_to_send-- ? ISAKMP_NEXT_VID : ISAKMP_NEXT_NONE
-	, &md->rbody, VID_STRONGSWAN))
+	/* start of SA out */
 	{
-	    return STF_INTERNAL_ERROR;
+		struct isakmp_sa r_sa = sa_pd->payload.sa;
+
+		r_sa.isasa_np = vids_to_send-- ? ISAKMP_NEXT_VID : ISAKMP_NEXT_NONE;
+
+		if (!out_struct(&r_sa, &isakmp_sa_desc, &md->rbody, &r_sa_pbs))
+			return STF_INTERNAL_ERROR;
 	}
-    }
 
-    /* if enabled send Cisco Unity Vendor ID */
-    if (SEND_CISCO_UNITY_VID)
-    {
-	if (!out_vendorid(vids_to_send-- ? ISAKMP_NEXT_VID : ISAKMP_NEXT_NONE
-	, &md->rbody, VID_CISCO_UNITY))
+	/* SA body in and out */
+	RETURN_STF_FAILURE(parse_isakmp_sa_body(ipsecdoisit, &proposal_pbs
+		,&proposal, &r_sa_pbs, st, FALSE));
+
+	/* if enabled send Pluto Vendor ID */
+	if (SEND_PLUTO_VID)
 	{
-	    return STF_INTERNAL_ERROR;
+		if (!out_vendorid(vids_to_send-- ? ISAKMP_NEXT_VID : ISAKMP_NEXT_NONE
+		, &md->rbody, VID_STRONGSWAN))
+		{
+			return STF_INTERNAL_ERROR;
+		}
 	}
-    }
 
-    /*
-     * if the peer sent an OpenPGP Vendor ID we offer the same capability
-     */
-    if (md->openpgp)
-    {
-	if (!out_vendorid(vids_to_send-- ? ISAKMP_NEXT_VID : ISAKMP_NEXT_NONE
-	, &md->rbody, VID_OPENPGP))
+	/* if enabled send Cisco Unity Vendor ID */
+	if (SEND_CISCO_UNITY_VID)
 	{
-	    return STF_INTERNAL_ERROR;
+		if (!out_vendorid(vids_to_send-- ? ISAKMP_NEXT_VID : ISAKMP_NEXT_NONE
+		, &md->rbody, VID_CISCO_UNITY))
+		{
+			return STF_INTERNAL_ERROR;
+		}
 	}
-    }
 
-    /* Announce our ability to do eXtended AUTHentication to the peer */
-    if (SEND_XAUTH_VID)
-    {
-	if (!out_vendorid(vids_to_send-- ? ISAKMP_NEXT_VID : ISAKMP_NEXT_NONE
-	, &md->rbody, VID_MISC_XAUTH))
+	/*
+	 * if the peer sent an OpenPGP Vendor ID we offer the same capability
+	 */
+	if (md->openpgp)
 	{
-	    return STF_INTERNAL_ERROR;
+		if (!out_vendorid(vids_to_send-- ? ISAKMP_NEXT_VID : ISAKMP_NEXT_NONE
+		, &md->rbody, VID_OPENPGP))
+		{
+			return STF_INTERNAL_ERROR;
+		}
 	}
-    }
 
-    /* Announce our ability to do Dead Peer Detection to the peer */
-    if (!out_vendorid(vids_to_send-- ? ISAKMP_NEXT_VID : ISAKMP_NEXT_NONE
-    , &md->rbody, VID_MISC_DPD))
-    {
-	return STF_INTERNAL_ERROR;
-    }
+	/* Announce our ability to do eXtended AUTHentication to the peer */
+	if (SEND_XAUTH_VID)
+	{
+		if (!out_vendorid(vids_to_send-- ? ISAKMP_NEXT_VID : ISAKMP_NEXT_NONE
+		, &md->rbody, VID_MISC_XAUTH))
+		{
+			return STF_INTERNAL_ERROR;
+		}
+	}
 
-    if (md->nat_traversal_vid && nat_traversal_enabled)
-    {
-	/* reply if NAT-Traversal draft is supported */
-	st->nat_traversal = nat_traversal_vid_to_method(md->nat_traversal_vid);
+	/* Announce our ability to do Dead Peer Detection to the peer */
+	if (!out_vendorid(vids_to_send-- ? ISAKMP_NEXT_VID : ISAKMP_NEXT_NONE
+	, &md->rbody, VID_MISC_DPD))
+	{
+		return STF_INTERNAL_ERROR;
+	}
 
-	if (st->nat_traversal
-	&& !out_vendorid(vids_to_send-- ? ISAKMP_NEXT_VID : ISAKMP_NEXT_NONE
-	, &md->rbody, md->nat_traversal_vid))
+	if (md->nat_traversal_vid && nat_traversal_enabled)
 	{
-	    return STF_INTERNAL_ERROR;
+		/* reply if NAT-Traversal draft is supported */
+		st->nat_traversal = nat_traversal_vid_to_method(md->nat_traversal_vid);
+
+		if (st->nat_traversal
+		&& !out_vendorid(vids_to_send-- ? ISAKMP_NEXT_VID : ISAKMP_NEXT_NONE
+		, &md->rbody, md->nat_traversal_vid))
+		{
+			return STF_INTERNAL_ERROR;
+		}
 	}
-    }
 
-    close_message(&md->rbody);
+	close_message(&md->rbody);
 
-    /* save initiator SA for HASH */
-    clonereplacechunk(st->st_p1isa, sa_pd->pbs.start, pbs_room(&sa_pd->pbs), "sa in main_inI1_outR1()");
+	/* save initiator SA for HASH */
+	free(st->st_p1isa.ptr);
+	st->st_p1isa = chunk_create(sa_pd->pbs.start, pbs_room(&sa_pd->pbs));
+	st->st_p1isa = chunk_clone(st->st_p1isa);
 
-    return STF_OK;
+	return STF_OK;
 }
 
 /* STATE_MAIN_I1: HDR, SA --> auth dependent
@@ -3240,95 +3106,94 @@ main_inI1_outR1(struct msg_digest *md)
  *
  * We must verify that the proposal received matches one we sent.
  */
-stf_status
-main_inR1_outI2(struct msg_digest *md)
+stf_status main_inR1_outI2(struct msg_digest *md)
 {
-    struct state *const st = md->st;
+	struct state *const st = md->st;
 
-    u_int8_t np = ISAKMP_NEXT_NONE;
+	u_int8_t np = ISAKMP_NEXT_NONE;
 
-    /* verify echoed SA */
-    {
-	u_int32_t ipsecdoisit;
-	pb_stream proposal_pbs;
-	struct isakmp_proposal proposal;
-	struct payload_digest *const sapd = md->chain[ISAKMP_NEXT_SA];
-
-	RETURN_STF_FAILURE(preparse_isakmp_sa_body(&sapd->payload.sa
-	    ,&sapd->pbs, &ipsecdoisit, &proposal_pbs, &proposal));
-	if (proposal.isap_notrans != 1)
-	{
-	    loglog(RC_LOG_SERIOUS, "a single Transform is required in a selecting Oakley Proposal; found %u"
-	    , (unsigned)proposal.isap_notrans);
-	    RETURN_STF_FAILURE(BAD_PROPOSAL_SYNTAX);
-        }
-	RETURN_STF_FAILURE(parse_isakmp_sa_body(ipsecdoisit
-	    , &proposal_pbs, &proposal, NULL, st, TRUE));
-    }
-
-    if (nat_traversal_enabled && md->nat_traversal_vid)
-    {
-	st->nat_traversal = nat_traversal_vid_to_method(md->nat_traversal_vid);
-	plog("enabling possible NAT-traversal with method %s"
-	     , bitnamesof(natt_type_bitnames, st->nat_traversal));
-    }
-    if (st->nat_traversal & NAT_T_WITH_NATD)
-    {
-	np = (st->nat_traversal & NAT_T_WITH_RFC_VALUES) ?
-		ISAKMP_NEXT_NATD_RFC : ISAKMP_NEXT_NATD_DRAFTS;
-    }
-
-    /**************** build output packet HDR;KE;Ni ****************/
-
-    /* HDR out.
-     * We can't leave this to comm_handle() because the isa_np
-     * depends on the type of Auth (eventually).
-     */
-    echo_hdr(md, FALSE, ISAKMP_NEXT_KE);
-
-    /* KE out */
-    if (!build_and_ship_KE(st, &st->st_gi, st->st_oakley.group
-    , &md->rbody, ISAKMP_NEXT_NONCE))
-	return STF_INTERNAL_ERROR;
+	/* verify echoed SA */
+	{
+		u_int32_t ipsecdoisit;
+		pb_stream proposal_pbs;
+		struct isakmp_proposal proposal;
+		struct payload_digest *const sapd = md->chain[ISAKMP_NEXT_SA];
+
+		RETURN_STF_FAILURE(preparse_isakmp_sa_body(&sapd->payload.sa
+			,&sapd->pbs, &ipsecdoisit, &proposal_pbs, &proposal));
+		if (proposal.isap_notrans != 1)
+		{
+			loglog(RC_LOG_SERIOUS, "a single Transform is required in a selecting Oakley Proposal; found %u"
+			, (unsigned)proposal.isap_notrans);
+			RETURN_STF_FAILURE(BAD_PROPOSAL_SYNTAX);
+		}
+		RETURN_STF_FAILURE(parse_isakmp_sa_body(ipsecdoisit
+			, &proposal_pbs, &proposal, NULL, st, TRUE));
+	}
+
+	if (nat_traversal_enabled && md->nat_traversal_vid)
+	{
+		st->nat_traversal = nat_traversal_vid_to_method(md->nat_traversal_vid);
+		plog("enabling possible NAT-traversal with method %s"
+			 , bitnamesof(natt_type_bitnames, st->nat_traversal));
+	}
+	if (st->nat_traversal & NAT_T_WITH_NATD)
+	{
+		np = (st->nat_traversal & NAT_T_WITH_RFC_VALUES) ?
+				ISAKMP_NEXT_NATD_RFC : ISAKMP_NEXT_NATD_DRAFTS;
+	}
+
+	/**************** build output packet HDR;KE;Ni ****************/
+
+	/* HDR out.
+	 * We can't leave this to comm_handle() because the isa_np
+	 * depends on the type of Auth (eventually).
+	 */
+	echo_hdr(md, FALSE, ISAKMP_NEXT_KE);
+
+	/* KE out */
+	if (!build_and_ship_KE(st, &st->st_gi, st->st_oakley.group
+	, &md->rbody, ISAKMP_NEXT_NONCE))
+		return STF_INTERNAL_ERROR;
 
 #ifdef DEBUG
-    /* Ni out */
-    if (!build_and_ship_nonce(&st->st_ni, &md->rbody
-    , (cur_debugging & IMPAIR_BUST_MI2)? ISAKMP_NEXT_VID : np, "Ni"))
-	return STF_INTERNAL_ERROR;
-
-    if (cur_debugging & IMPAIR_BUST_MI2)
-    {
-	/* generate a pointless large VID payload to push message over MTU */
-	pb_stream vid_pbs;
-
-	if (!out_generic(np, &isakmp_vendor_id_desc, &md->rbody, &vid_pbs))
-	    return STF_INTERNAL_ERROR;
-	if (!out_zero(1500 /*MTU?*/, &vid_pbs, "Filler VID"))
-	    return STF_INTERNAL_ERROR;
-	close_output_pbs(&vid_pbs);
-    }
+	/* Ni out */
+	if (!build_and_ship_nonce(&st->st_ni, &md->rbody
+	, (cur_debugging & IMPAIR_BUST_MI2)? ISAKMP_NEXT_VID : np, "Ni"))
+		return STF_INTERNAL_ERROR;
+
+	if (cur_debugging & IMPAIR_BUST_MI2)
+	{
+		/* generate a pointless large VID payload to push message over MTU */
+		pb_stream vid_pbs;
+
+		if (!out_generic(np, &isakmp_vendor_id_desc, &md->rbody, &vid_pbs))
+			return STF_INTERNAL_ERROR;
+		if (!out_zero(1500 /*MTU?*/, &vid_pbs, "Filler VID"))
+			return STF_INTERNAL_ERROR;
+		close_output_pbs(&vid_pbs);
+	}
 #else
-    /* Ni out */
-    if (!build_and_ship_nonce(&st->st_ni, &md->rbody, np, "Ni"))
-	return STF_INTERNAL_ERROR;
+	/* Ni out */
+	if (!build_and_ship_nonce(&st->st_ni, &md->rbody, np, "Ni"))
+		return STF_INTERNAL_ERROR;
 #endif
 
-    if (st->nat_traversal & NAT_T_WITH_NATD)
-    {
-	if (!nat_traversal_add_natd(ISAKMP_NEXT_NONE, &md->rbody, md))
-	    return STF_INTERNAL_ERROR;
-    }
+	if (st->nat_traversal & NAT_T_WITH_NATD)
+	{
+		if (!nat_traversal_add_natd(ISAKMP_NEXT_NONE, &md->rbody, md))
+			return STF_INTERNAL_ERROR;
+	}
 
-    /* finish message */
-    close_message(&md->rbody);
+	/* finish message */
+	close_message(&md->rbody);
 
-    /* Reinsert the state, using the responder cookie we just received */
-    unhash_state(st);
-    memcpy(st->st_rcookie, md->hdr.isa_rcookie, COOKIE_SIZE);
-    insert_state(st);	/* needs cookies, connection, and msgid (0) */
+	/* Reinsert the state, using the responder cookie we just received */
+	unhash_state(st);
+	memcpy(st->st_rcookie, md->hdr.isa_rcookie, COOKIE_SIZE);
+	insert_state(st);   /* needs cookies, connection, and msgid (0) */
 
-    return STF_OK;
+	return STF_OK;
 }
 
 /* STATE_MAIN_R1:
@@ -3336,140 +3201,137 @@ main_inR1_outI2(struct msg_digest *md)
  *
  * The following are not yet implemented:
  * PKE_AUTH: HDR, KE, [ HASH(1), ] <IDi1_b>PubKey_r, <Ni_b>PubKey_r
- *	    --> HDR, KE, <IDr1_b>PubKey_i, <Nr_b>PubKey_i
+ *          --> HDR, KE, <IDr1_b>PubKey_i, <Nr_b>PubKey_i
  * RPKE_AUTH:
- *	    HDR, [ HASH(1), ] <Ni_b>Pubkey_r, <KE_b>Ke_i, <IDi1_b>Ke_i [,<<Cert-I_b>Ke_i]
- *	    --> HDR, <Nr_b>PubKey_i, <KE_b>Ke_r, <IDr1_b>Ke_r
+ *          HDR, [ HASH(1), ] <Ni_b>Pubkey_r, <KE_b>Ke_i, <IDi1_b>Ke_i [,<<Cert-I_b>Ke_i]
+ *          --> HDR, <Nr_b>PubKey_i, <KE_b>Ke_r, <IDr1_b>Ke_r
  */
-stf_status
-main_inI2_outR2(struct msg_digest *md)
+stf_status main_inI2_outR2(struct msg_digest *md)
 {
-    struct state *const st = md->st;
-    pb_stream *keyex_pbs = &md->chain[ISAKMP_NEXT_KE]->pbs;
- 
-    /* send CR if auth is RSA and no preloaded RSA public key exists*/
-    bool RSA_auth = st->st_oakley.auth == OAKLEY_RSA_SIG
-		 || st->st_oakley.auth == XAUTHInitRSA
-		 || st->st_oakley.auth == XAUTHRespRSA;
-    bool send_cr = !no_cr_send && RSA_auth && !has_preloaded_public_key(st);
+	struct state *const st = md->st;
+	pb_stream *keyex_pbs = &md->chain[ISAKMP_NEXT_KE]->pbs;
 
-    u_int8_t np = ISAKMP_NEXT_NONE;
+	/* send CR if auth is RSA or ECDSA and no preloaded public key exists*/
+	bool pubkey_auth = uses_pubkey_auth(st->st_oakley.auth);
+	bool send_cr = !no_cr_send && pubkey_auth && !has_preloaded_public_key(st);
 
-    /* KE in */
-    RETURN_STF_FAILURE(accept_KE(&st->st_gi, "Gi", st->st_oakley.group, keyex_pbs));
+	u_int8_t np = ISAKMP_NEXT_NONE;
 
-    /* Ni in */
-    RETURN_STF_FAILURE(accept_nonce(md, &st->st_ni, "Ni"));
+	/* KE in */
+	RETURN_STF_FAILURE(accept_KE(&st->st_gi, "Gi", st->st_oakley.group, keyex_pbs));
+
+	/* Ni in */
+	RETURN_STF_FAILURE(accept_nonce(md, &st->st_ni, "Ni"));
 
-    if (st->nat_traversal & NAT_T_WITH_NATD)
-    {
-       nat_traversal_natd_lookup(md);
+	if (st->nat_traversal & NAT_T_WITH_NATD)
+	{
+	   nat_traversal_natd_lookup(md);
 
-       np = (st->nat_traversal & NAT_T_WITH_RFC_VALUES) ?
-		ISAKMP_NEXT_NATD_RFC : ISAKMP_NEXT_NATD_DRAFTS;
-    }
-    if (st->nat_traversal)
-    {
-       nat_traversal_show_result(st->nat_traversal, md->sender_port);
-    }
-    if (st->nat_traversal & NAT_T_WITH_KA)
-    {
-       nat_traversal_new_ka_event();
-    }
+	   np = (st->nat_traversal & NAT_T_WITH_RFC_VALUES) ?
+				ISAKMP_NEXT_NATD_RFC : ISAKMP_NEXT_NATD_DRAFTS;
+	}
+	if (st->nat_traversal)
+	{
+	   nat_traversal_show_result(st->nat_traversal, md->sender_port);
+	}
+	if (st->nat_traversal & NAT_T_WITH_KA)
+	{
+	   nat_traversal_new_ka_event();
+	}
 
-    /* decode certificate requests */
-    st->st_connection->got_certrequest = FALSE;
-    decode_cr(md, st->st_connection);
+	/* decode certificate requests */
+	st->st_connection->got_certrequest = FALSE;
+	decode_cr(md, st->st_connection);
 
-    /**************** build output packet HDR;KE;Nr ****************/
+	/**************** build output packet HDR;KE;Nr ****************/
 
-    /* HDR out done */
+	/* HDR out done */
 
-    /* KE out */
-    if (!build_and_ship_KE(st, &st->st_gr, st->st_oakley.group
-    , &md->rbody, ISAKMP_NEXT_NONCE))
-	return STF_INTERNAL_ERROR;
+	/* KE out */
+	if (!build_and_ship_KE(st, &st->st_gr, st->st_oakley.group
+	, &md->rbody, ISAKMP_NEXT_NONCE))
+		return STF_INTERNAL_ERROR;
 
 #ifdef DEBUG
-    /* Nr out */
-    if (!build_and_ship_nonce(&st->st_nr, &md->rbody
-    , (cur_debugging & IMPAIR_BUST_MR2)? ISAKMP_NEXT_VID
-	: (send_cr? ISAKMP_NEXT_CR : np), "Nr"))
-	return STF_INTERNAL_ERROR;
-
-    if (cur_debugging & IMPAIR_BUST_MR2)
-    {
-	/* generate a pointless large VID payload to push message over MTU */
-	pb_stream vid_pbs;
-
-	if (!out_generic((send_cr)? ISAKMP_NEXT_CR : np,
-	    &isakmp_vendor_id_desc, &md->rbody, &vid_pbs))
-	    return STF_INTERNAL_ERROR;
-	if (!out_zero(1500 /*MTU?*/, &vid_pbs, "Filler VID"))
-	    return STF_INTERNAL_ERROR;
-	close_output_pbs(&vid_pbs);
-    }
+	/* Nr out */
+	if (!build_and_ship_nonce(&st->st_nr, &md->rbody
+	, (cur_debugging & IMPAIR_BUST_MR2)? ISAKMP_NEXT_VID
+		: (send_cr? ISAKMP_NEXT_CR : np), "Nr"))
+		return STF_INTERNAL_ERROR;
+
+	if (cur_debugging & IMPAIR_BUST_MR2)
+	{
+		/* generate a pointless large VID payload to push message over MTU */
+		pb_stream vid_pbs;
+
+		if (!out_generic((send_cr)? ISAKMP_NEXT_CR : np,
+			&isakmp_vendor_id_desc, &md->rbody, &vid_pbs))
+			return STF_INTERNAL_ERROR;
+		if (!out_zero(1500 /*MTU?*/, &vid_pbs, "Filler VID"))
+			return STF_INTERNAL_ERROR;
+		close_output_pbs(&vid_pbs);
+	}
 #else
-    /* Nr out */
-    if (!build_and_ship_nonce(&st->st_nr, &md->rbody,
-	(send_cr)? ISAKMP_NEXT_CR : np, "Nr"))
-	return STF_INTERNAL_ERROR;
+	/* Nr out */
+	if (!build_and_ship_nonce(&st->st_nr, &md->rbody,
+		(send_cr)? ISAKMP_NEXT_CR : np, "Nr"))
+		return STF_INTERNAL_ERROR;
 #endif
 
-    /* CR out */
-    if (send_cr)
-    {
-	if (st->st_connection->kind == CK_PERMANENT)
+	/* CR out */
+	if (send_cr)
 	{
-	    if (!build_and_ship_CR(CERT_X509_SIGNATURE
-	    , st->st_connection->spd.that.ca
-	    , &md->rbody, np))
-		return STF_INTERNAL_ERROR;
+		if (st->st_connection->kind == CK_PERMANENT)
+		{
+			if (!build_and_ship_CR(CERT_X509_SIGNATURE
+			, st->st_connection->spd.that.ca
+			, &md->rbody, np))
+				return STF_INTERNAL_ERROR;
+		}
+		else
+		{
+			generalName_t *ca = NULL;
+
+			if (collect_rw_ca_candidates(md, &ca))
+			{
+				generalName_t *gn;
+
+				for (gn = ca; gn != NULL; gn = gn->next)
+				{
+					if (!build_and_ship_CR(CERT_X509_SIGNATURE, gn->name
+					, &md->rbody
+					, gn->next == NULL ? np : ISAKMP_NEXT_CR))
+						return STF_INTERNAL_ERROR;
+				}
+				free_generalNames(ca, FALSE);
+			}
+			else
+			{
+				if (!build_and_ship_CR(CERT_X509_SIGNATURE, chunk_empty
+				, &md->rbody, np))
+					return STF_INTERNAL_ERROR;
+			}
+		}
 	}
-	else
+
+	if (st->nat_traversal & NAT_T_WITH_NATD)
 	{
-	    generalName_t *ca = NULL;
+	   if (!nat_traversal_add_natd(ISAKMP_NEXT_NONE, &md->rbody, md))
+		   return STF_INTERNAL_ERROR;
+	}
 
-	    if (collect_rw_ca_candidates(md, &ca))
-	    {
-		generalName_t *gn;
+	/* finish message */
+	close_message(&md->rbody);
 
-		for (gn = ca; gn != NULL; gn = gn->next)
-		{
-		    if (!build_and_ship_CR(CERT_X509_SIGNATURE, gn->name
-		    , &md->rbody
-		    , gn->next == NULL ? np : ISAKMP_NEXT_CR))
-			return STF_INTERNAL_ERROR;
-		}
-		free_generalNames(ca, FALSE);
-	    }
-	    else
-	    {
-		if (!build_and_ship_CR(CERT_X509_SIGNATURE, empty_chunk
-		, &md->rbody, np))
-		    return STF_INTERNAL_ERROR;
-	    }
-	}
-    }
-
-    if (st->nat_traversal & NAT_T_WITH_NATD)
-    {
-       if (!nat_traversal_add_natd(ISAKMP_NEXT_NONE, &md->rbody, md))
-	   return STF_INTERNAL_ERROR;
-    }
-
-    /* finish message */
-    close_message(&md->rbody);
-
-    /* next message will be encrypted, but not this one.
-     * We could defer this calculation.
-     */
-    compute_dh_shared(st, st->st_gi, st->st_oakley.group);
-    if (!generate_skeyids_iv(st))
-	return STF_FAIL + AUTHENTICATION_FAILED;
-    update_iv(st);
-
-    return STF_OK;
+	/* next message will be encrypted, but not this one.
+	 * We could defer this calculation.
+	 */
+	compute_dh_shared(st, st->st_gi);
+	if (!generate_skeyids_iv(st))
+		return STF_FAIL + AUTHENTICATION_FAILED;
+	update_iv(st);
+
+	return STF_OK;
 }
 
 /* STATE_MAIN_I2:
@@ -3478,172 +3340,174 @@ main_inI2_outR2(struct msg_digest *md)
  *
  * The following are not yet implemented.
  * SMF_PKE_AUTH: HDR, KE, <IDr1_b>PubKey_i, <Nr_b>PubKey_i
- *	    --> HDR*, HASH_I
+ *          --> HDR*, HASH_I
  * SMF_RPKE_AUTH: HDR, <Nr_b>PubKey_i, <KE_b>Ke_r, <IDr1_b>Ke_r
- *	    --> HDR*, HASH_I
+ *          --> HDR*, HASH_I
  */
-stf_status
-main_inR2_outI3(struct msg_digest *md)
+stf_status main_inR2_outI3(struct msg_digest *md)
 {
-    struct state *const st = md->st;
-    pb_stream *const keyex_pbs = &md->chain[ISAKMP_NEXT_KE]->pbs;
-    pb_stream id_pbs;	/* ID Payload; also used for hash calculation */
-
-    certpolicy_t cert_policy = st->st_connection->spd.this.sendcert;
-    cert_t mycert = st->st_connection->spd.this.cert;
-    bool requested, send_cert, send_cr;
-
-    bool RSA_auth = st->st_oakley.auth == OAKLEY_RSA_SIG
-		 || st->st_oakley.auth == XAUTHInitRSA
-		 || st->st_oakley.auth == XAUTHRespRSA;
-
-    int auth_payload = RSA_auth ? ISAKMP_NEXT_SIG : ISAKMP_NEXT_HASH;
-
-    /* KE in */
-    RETURN_STF_FAILURE(accept_KE(&st->st_gr, "Gr", st->st_oakley.group, keyex_pbs));
-
-    /* Nr in */
-    RETURN_STF_FAILURE(accept_nonce(md, &st->st_nr, "Nr"));
-
-    /* decode certificate requests */
-    st->st_connection->got_certrequest = FALSE;
-    decode_cr(md, st->st_connection);
-
-    /* free collected certificate requests since as initiator
-     * we don't heed them anyway
-     */
-    free_generalNames(st->st_connection->requested_ca, TRUE);
-    st->st_connection->requested_ca = NULL;
-
-    /* send certificate if auth is RSA, we have one and we want
-     * or are requested to send it
-     */
-    requested = cert_policy == CERT_SEND_IF_ASKED
-		&& st->st_connection->got_certrequest;
-    send_cert = RSA_auth && mycert.type != CERT_NONE
-		&& (cert_policy == CERT_ALWAYS_SEND || requested);
-
-    /* send certificate request if we don't have a preloaded RSA public key */
-    send_cr = !no_cr_send && send_cert && !has_preloaded_public_key(st);
-
-    /* done parsing; initialize crypto  */
-    compute_dh_shared(st, st->st_gr, st->st_oakley.group);
-    if (!generate_skeyids_iv(st))
-	return STF_FAIL + AUTHENTICATION_FAILED;
-
-    if (st->nat_traversal & NAT_T_WITH_NATD)
-    {
-	nat_traversal_natd_lookup(md);
-    }
-    if (st->nat_traversal)
-    {
-	nat_traversal_show_result(st->nat_traversal, md->sender_port);
-    }
-    if (st->nat_traversal & NAT_T_WITH_KA)
-    {
-	nat_traversal_new_ka_event();
-    }
-
-    /*************** build output packet HDR*;IDii;HASH/SIG_I ***************/
-    /* ??? NOTE: this is almost the same as main_inI3_outR3's code */
-
-    /* HDR* out done */
-
-    /* IDii out */
-    {
-	struct isakmp_ipsec_id id_hd;
-	chunk_t id_b;
-
-	build_id_payload(&id_hd, &id_b, &st->st_connection->spd.this);
-	id_hd.isaiid_np = (send_cert)? ISAKMP_NEXT_CERT : auth_payload;
-	if (!out_struct(&id_hd, &isakmp_ipsec_identification_desc, &md->rbody, &id_pbs)
-	|| !out_chunk(id_b, &id_pbs, "my identity"))
-	    return STF_INTERNAL_ERROR;
-	close_output_pbs(&id_pbs);
-    }
+	struct state *const st = md->st;
+	pb_stream *const keyex_pbs = &md->chain[ISAKMP_NEXT_KE]->pbs;
+	pb_stream id_pbs;   /* ID Payload; also used for hash calculation */
 
-    /* CERT out */
-    if (RSA_auth)
-    {
-	DBG(DBG_CONTROL,
-	    DBG_log("our certificate policy is %s"
-		, enum_name(&cert_policy_names, cert_policy))
-	)
-	if (mycert.type != CERT_NONE)
-	{
-	    const char *request_text = "";
+	certpolicy_t cert_policy = st->st_connection->spd.this.sendcert;
+	cert_t mycert = st->st_connection->spd.this.cert;
+	bool requested, send_cert, send_cr;
+	bool pubkey_auth = uses_pubkey_auth(st->st_oakley.auth);
+
+	int auth_payload = pubkey_auth ? ISAKMP_NEXT_SIG : ISAKMP_NEXT_HASH;
+
+	/* KE in */
+	RETURN_STF_FAILURE(accept_KE(&st->st_gr, "Gr", st->st_oakley.group, keyex_pbs));
+
+	/* Nr in */
+	RETURN_STF_FAILURE(accept_nonce(md, &st->st_nr, "Nr"));
+
+	/* decode certificate requests */
+	st->st_connection->got_certrequest = FALSE;
+	decode_cr(md, st->st_connection);
+
+	/* free collected certificate requests since as initiator
+	 * we don't heed them anyway
+	 */
+	free_generalNames(st->st_connection->requested_ca, TRUE);
+	st->st_connection->requested_ca = NULL;
+
+	/* send certificate if auth is RSA, we have one and we want
+	 * or are requested to send it
+	 */
+	requested = cert_policy == CERT_SEND_IF_ASKED
+				&& st->st_connection->got_certrequest;
+	send_cert = pubkey_auth && mycert.type != CERT_NONE
+				&& (cert_policy == CERT_ALWAYS_SEND || requested);
+
+	/* send certificate request if we don't have a preloaded RSA public key */
+	send_cr = !no_cr_send && send_cert && !has_preloaded_public_key(st);
+
+	/* done parsing; initialize crypto  */
+	compute_dh_shared(st, st->st_gr);
+	if (!generate_skeyids_iv(st))
+		return STF_FAIL + AUTHENTICATION_FAILED;
 
-	    if (cert_policy == CERT_SEND_IF_ASKED)
-		request_text = (send_cert)? "upon request":"without request";
-	    plog("we have a cert %s sending it %s"
-		, send_cert? "and are":"but are not", request_text);
+	if (st->nat_traversal & NAT_T_WITH_NATD)
+	{
+		nat_traversal_natd_lookup(md);
 	}
-	else
+	if (st->nat_traversal)
+	{
+		nat_traversal_show_result(st->nat_traversal, md->sender_port);
+	}
+	if (st->nat_traversal & NAT_T_WITH_KA)
 	{
-	    plog("we don't have a cert");
+		nat_traversal_new_ka_event();
 	}
-    }
-    if (send_cert)
-    {
-	pb_stream cert_pbs;
 
-	struct isakmp_cert cert_hd;
-	cert_hd.isacert_np = (send_cr)? ISAKMP_NEXT_CR : ISAKMP_NEXT_SIG;
-	cert_hd.isacert_type = mycert.type;
+	/*************** build output packet HDR*;IDii;HASH/SIG_I ***************/
+	/* ??? NOTE: this is almost the same as main_inI3_outR3's code */
 
-	if (!out_struct(&cert_hd, &isakmp_ipsec_certificate_desc, &md->rbody, &cert_pbs))
-	    return STF_INTERNAL_ERROR;
-	if (!out_chunk(get_mycert(mycert), &cert_pbs, "CERT"))
-	    return STF_INTERNAL_ERROR;
-	close_output_pbs(&cert_pbs);
-    }
+	/* HDR* out done */
 
-    /* CR out */
-    if (send_cr)
-    {
-	if (!build_and_ship_CR(mycert.type, st->st_connection->spd.that.ca
-	, &md->rbody, ISAKMP_NEXT_SIG))
-	    return STF_INTERNAL_ERROR;
-    }
+	/* IDii out */
+	{
+		struct isakmp_ipsec_id id_hd;
+		chunk_t id_b;
 
-   /* HASH_I or SIG_I out */
-    {
-	u_char hash_val[MAX_DIGEST_LEN];
-	size_t hash_len = main_mode_hash(st, hash_val, TRUE, &id_pbs);
+		build_id_payload(&id_hd, &id_b, &st->st_connection->spd.this);
+		id_hd.isaiid_np = (send_cert)? ISAKMP_NEXT_CERT : auth_payload;
+		if (!out_struct(&id_hd, &isakmp_ipsec_identification_desc, &md->rbody, &id_pbs)
+		|| !out_chunk(id_b, &id_pbs, "my identity"))
+			return STF_INTERNAL_ERROR;
+		close_output_pbs(&id_pbs);
+	}
 
-	if (auth_payload == ISAKMP_NEXT_HASH)
+	/* CERT out */
+	if (pubkey_auth)
 	{
-	    /* HASH_I out */
-	    if (!out_generic_raw(ISAKMP_NEXT_NONE, &isakmp_hash_desc, &md->rbody
-	    , hash_val, hash_len, "HASH_I"))
-		return STF_INTERNAL_ERROR;
+		DBG(DBG_CONTROL,
+			DBG_log("our certificate policy is %N", cert_policy_names, cert_policy)
+		)
+		if (mycert.type != CERT_NONE)
+		{
+			const char *request_text = "";
+
+			if (cert_policy == CERT_SEND_IF_ASKED)
+				request_text = (send_cert)? "upon request":"without request";
+			plog("we have a cert %s sending it %s"
+				, send_cert? "and are":"but are not", request_text);
+		}
+		else
+		{
+			plog("we don't have a cert");
+		}
 	}
-	else
+	if (send_cert)
 	{
-	    /* SIG_I out */
-	    u_char sig_val[RSA_MAX_OCTETS];
-	    size_t sig_len = RSA_sign_hash(st->st_connection
-		, sig_val, hash_val, hash_len);
+		pb_stream cert_pbs;
 
-	    if (sig_len == 0)
-	    {
-		loglog(RC_LOG_SERIOUS, "unable to locate my private key for RSA Signature");
-		return STF_FAIL + AUTHENTICATION_FAILED;
-	    }
+		struct isakmp_cert cert_hd;
+		cert_hd.isacert_np = (send_cr)? ISAKMP_NEXT_CR : ISAKMP_NEXT_SIG;
+		cert_hd.isacert_type = mycert.type;
 
-	    if (!out_generic_raw(ISAKMP_NEXT_NONE, &isakmp_signature_desc
-	    , &md->rbody, sig_val, sig_len, "SIG_I"))
-		return STF_INTERNAL_ERROR;
+		if (!out_struct(&cert_hd, &isakmp_ipsec_certificate_desc, &md->rbody, &cert_pbs))
+			return STF_INTERNAL_ERROR;
+		if (!out_chunk(cert_get_encoding(mycert), &cert_pbs, "CERT"))
+			return STF_INTERNAL_ERROR;
+		close_output_pbs(&cert_pbs);
+	}
+
+	/* CR out */
+	if (send_cr)
+	{
+		if (!build_and_ship_CR(mycert.type, st->st_connection->spd.that.ca
+		, &md->rbody, ISAKMP_NEXT_SIG))
+			return STF_INTERNAL_ERROR;
+	}
+
+   /* HASH_I or SIG_I out */
+	{
+		u_char hash_buf[MAX_DIGEST_LEN];
+		chunk_t hash = chunk_from_buf(hash_buf);
+
+		main_mode_hash(st, &hash, TRUE, &id_pbs);
+
+		if (auth_payload == ISAKMP_NEXT_HASH)
+		{
+			/* HASH_I out */
+			if (!out_generic_raw(ISAKMP_NEXT_NONE, &isakmp_hash_desc, &md->rbody,
+								 hash.ptr, hash.len, "HASH_I"))
+			{
+				return STF_INTERNAL_ERROR;
+			}
+		}
+		else
+		{
+			/* SIG_I out */
+			u_char sig_val[RSA_MAX_OCTETS];
+			signature_scheme_t scheme;
+			size_t sig_len;
+
+			scheme = oakley_to_signature_scheme(st->st_oakley.auth);
+
+			sig_len = sign_hash(scheme, st->st_connection, sig_val, hash);
+			if (sig_len == 0)
+			{
+				loglog(RC_LOG_SERIOUS, "unable to locate my private key for signature");
+				return STF_FAIL + AUTHENTICATION_FAILED;
+			}
+
+			if (!out_generic_raw(ISAKMP_NEXT_NONE, &isakmp_signature_desc
+			, &md->rbody, sig_val, sig_len, "SIG_I"))
+				return STF_INTERNAL_ERROR;
+		}
 	}
-    }
 
-    /* encrypt message, except for fixed part of header */
+	/* encrypt message, except for fixed part of header */
 
-    /* st_new_iv was computed by generate_skeyids_iv */
-    if (!encrypt_message(&md->rbody, st))
-	return STF_INTERNAL_ERROR;	/* ??? we may be partly committed */
+	/* st_new_iv was computed by generate_skeyids_iv */
+	if (!encrypt_message(&md->rbody, st))
+		return STF_INTERNAL_ERROR;      /* ??? we may be partly committed */
 
-    return STF_OK;
+	return STF_OK;
 }
 
 /* Shared logic for asynchronous lookup of DNS KEY records.
@@ -3651,31 +3515,31 @@ main_inR2_outI3(struct msg_digest *md)
  */
 
 enum key_oppo_step {
-    kos_null,
-    kos_his_txt
+	kos_null,
+	kos_his_txt
 #ifdef USE_KEYRR
-    , kos_his_key
+	, kos_his_key
 #endif
 };
 
 struct key_continuation {
-    struct adns_continuation ac;	/* common prefix */
-    struct msg_digest *md;
-    enum   key_oppo_step step;
-    bool                 failure_ok;
-    err_t                last_ugh;
+	struct adns_continuation ac;        /* common prefix */
+	struct msg_digest *md;
+	enum   key_oppo_step step;
+	bool                 failure_ok;
+	err_t                last_ugh;
 };
 
 typedef stf_status (key_tail_fn)(struct msg_digest *md
-				  , struct key_continuation *kc);
-static void
-report_key_dns_failure(struct id *id, err_t ugh)
+								  , struct key_continuation *kc);
+
+static void report_key_dns_failure(struct id *id, err_t ugh)
 {
-    char id_buf[BUF_LEN];	/* arbitrary limit on length of ID reported */
+	char id_buf[BUF_LEN];       /* arbitrary limit on length of ID reported */
 
-    (void) idtoa(id, id_buf, sizeof(id_buf));
-    loglog(RC_LOG_SERIOUS, "no RSA public key known for '%s'"
-	"; DNS search for KEY failed (%s)", id_buf, ugh);
+	(void) idtoa(id, id_buf, sizeof(id_buf));
+	loglog(RC_LOG_SERIOUS, "no RSA public key known for '%s'"
+		"; DNS search for KEY failed (%s)", id_buf, ugh);
 }
 
 
@@ -3688,135 +3552,145 @@ report_key_dns_failure(struct id *id, err_t ugh)
  */
 static stf_status
 main_id_and_auth(struct msg_digest *md
-		 , bool initiator	/* are we the Initiator? */
-		 , cont_fn_t cont_fn	/* continuation function */
-		 , const struct key_continuation *kc	/* current state, can be NULL */
+				 , bool initiator       /* are we the Initiator? */
+				 , cont_fn_t cont_fn    /* continuation function */
+				 , const struct key_continuation *kc    /* current state, can be NULL */
 )
 {
-    struct state *st = md->st;
-    u_char hash_val[MAX_DIGEST_LEN];
-    size_t hash_len;
-    struct id peer;
-    stf_status r = STF_OK;
-
-    /* ID Payload in */
-    if (!decode_peer_id(md, &peer))
-	return STF_FAIL + INVALID_ID_INFORMATION;
-
-    /* Hash the ID Payload.
-     * main_mode_hash requires idpl->cur to be at end of payload
-     * so we temporarily set if so.
-     */
-    {
-	pb_stream *idpl = &md->chain[ISAKMP_NEXT_ID]->pbs;
-	u_int8_t *old_cur = idpl->cur;
-
-	idpl->cur = idpl->roof;
-	hash_len = main_mode_hash(st, hash_val, !initiator, idpl);
-	idpl->cur = old_cur;
-    }
-
-    switch (st->st_oakley.auth)
-    {
-    case OAKLEY_PRESHARED_KEY:
-    case XAUTHInitPreShared:
-    case XAUTHRespPreShared:
-	{
-	    pb_stream *const hash_pbs = &md->chain[ISAKMP_NEXT_HASH]->pbs;
-
-	    if (pbs_left(hash_pbs) != hash_len
-	    || memcmp(hash_pbs->cur, hash_val, hash_len) != 0)
-	    {
-		DBG_cond_dump(DBG_CRYPT, "received HASH:"
-		    , hash_pbs->cur, pbs_left(hash_pbs));
-		loglog(RC_LOG_SERIOUS, "received Hash Payload does not match computed value");
-		/* XXX Could send notification back */
-		r = STF_FAIL + INVALID_HASH_INFORMATION;
-	    }
+	u_char hash_buf[MAX_DIGEST_LEN];
+	chunk_t hash = chunk_from_buf(hash_buf);
+	struct state *st = md->st;
+	struct id peer;
+	stf_status r = STF_OK;
+
+	/* ID Payload in */
+	if (!decode_peer_id(md, &peer))
+		return STF_FAIL + INVALID_ID_INFORMATION;
+
+	/* Hash the ID Payload.
+	 * main_mode_hash requires idpl->cur to be at end of payload
+	 * so we temporarily set if so.
+	 */
+	{
+		pb_stream *idpl = &md->chain[ISAKMP_NEXT_ID]->pbs;
+		u_int8_t *old_cur = idpl->cur;
+
+		idpl->cur = idpl->roof;
+		main_mode_hash(st, &hash, !initiator, idpl);
+		idpl->cur = old_cur;
 	}
-	break;
 
-    case OAKLEY_RSA_SIG:
-    case XAUTHInitRSA:
-    case XAUTHRespRSA:
-	r = RSA_check_signature(&peer, st, hash_val, hash_len
-	    , &md->chain[ISAKMP_NEXT_SIG]->pbs
+	switch (st->st_oakley.auth)
+	{
+	case OAKLEY_PRESHARED_KEY:
+	case XAUTHInitPreShared:
+	case XAUTHRespPreShared:
+		{
+			pb_stream *const hash_pbs = &md->chain[ISAKMP_NEXT_HASH]->pbs;
+
+			if (pbs_left(hash_pbs) != hash.len
+			|| memcmp(hash_pbs->cur, hash.ptr, hash.len) != 0)
+			{
+				DBG_cond_dump(DBG_CRYPT, "received HASH:"
+					, hash_pbs->cur, pbs_left(hash_pbs));
+				loglog(RC_LOG_SERIOUS, "received Hash Payload does not match computed value");
+				/* XXX Could send notification back */
+				r = STF_FAIL + INVALID_HASH_INFORMATION;
+			}
+		}
+		break;
+
+	case OAKLEY_RSA_SIG:
+	case XAUTHInitRSA:
+	case XAUTHRespRSA:
+		r = check_signature(KEY_RSA, &peer, st, hash,
+				 &md->chain[ISAKMP_NEXT_SIG]->pbs,
 #ifdef USE_KEYRR
-	    , kc == NULL? NULL : kc->ac.keys_from_dns
+				kc == NULL? NULL : kc->ac.keys_from_dns,
 #endif /* USE_KEYRR */
-	    , kc == NULL? NULL : kc->ac.gateways_from_dns
-	    );
-
-	if (r == STF_SUSPEND)
-	{
-	    /* initiate/resume asynchronous DNS lookup for key */
-	    struct key_continuation *nkc
-		= alloc_thing(struct key_continuation, "key continuation");
-	    enum key_oppo_step step_done = kc == NULL? kos_null : kc->step;
-	    err_t ugh = NULL;
+				kc == NULL? NULL : kc->ac.gateways_from_dns
+			);
+	
+		if (r == STF_SUSPEND)
+		{
+			/* initiate/resume asynchronous DNS lookup for key */
+			struct key_continuation *nkc = malloc_thing(struct key_continuation);
+			enum key_oppo_step step_done = kc == NULL? kos_null : kc->step;
+			err_t ugh = NULL;
 
-	    /* Record that state is used by a suspended md */
-	    passert(st->st_suspended_md == NULL);
-	    st->st_suspended_md = md;
+			/* Record that state is used by a suspended md */
+			passert(st->st_suspended_md == NULL);
+			st->st_suspended_md = md;
 
-	    nkc->failure_ok = FALSE;
-	    nkc->md = md;
+			nkc->failure_ok = FALSE;
+			nkc->md = md;
 
-	    switch (step_done)
-	    {
-	    case kos_null:
-		/* first try: look for the TXT records */
-		nkc->step = kos_his_txt;
+			switch (step_done)
+			{
+			case kos_null:
+				/* first try: look for the TXT records */
+				nkc->step = kos_his_txt;
 #ifdef USE_KEYRR
-		nkc->failure_ok = TRUE;
+				nkc->failure_ok = TRUE;
 #endif
-		ugh = start_adns_query(&peer
-				       , &peer	/* SG itself */
-				       , T_TXT
-				       , cont_fn
-				       , &nkc->ac);
-		break;
+				ugh = start_adns_query(&peer
+									   , &peer  /* SG itself */
+									   , T_TXT
+									   , cont_fn
+									   , &nkc->ac);
+				break;
 
 #ifdef USE_KEYRR
-	    case kos_his_txt:
-		/* second try: look for the KEY records */
-		nkc->step = kos_his_key;
-		ugh = start_adns_query(&peer
-				       , NULL	/* no sgw for KEY */
-				       , T_KEY
-				       , cont_fn
-				       , &nkc->ac);
-		break;
+			case kos_his_txt:
+				/* second try: look for the KEY records */
+				nkc->step = kos_his_key;
+				ugh = start_adns_query(&peer
+									   , NULL   /* no sgw for KEY */
+									   , T_KEY
+									   , cont_fn
+									   , &nkc->ac);
+				break;
 #endif /* USE_KEYRR */
 
-	    default:
-		bad_case(step_done);
-	    }
+			default:
+				bad_case(step_done);
+			}
 
-	    if (ugh != NULL)
-	    {
-		report_key_dns_failure(&peer, ugh);
-		st->st_suspended_md = NULL;
-		r = STF_FAIL + INVALID_KEY_INFORMATION;
-	    }
-	}
-	break;
+			if (ugh != NULL)
+			{
+				report_key_dns_failure(&peer, ugh);
+				st->st_suspended_md = NULL;
+				r = STF_FAIL + INVALID_KEY_INFORMATION;
+			}
+		}
+		break;
 
-    default:
-	bad_case(st->st_oakley.auth);
-    }
-    if (r != STF_OK)
-	return r;
+	case OAKLEY_ECDSA_256:
+	case OAKLEY_ECDSA_384:
+	case OAKLEY_ECDSA_521:
+		r = check_signature(KEY_ECDSA, &peer, st, hash,
+							&md->chain[ISAKMP_NEXT_SIG]->pbs,
+#ifdef USE_KEYRR
+							NULL,
+#endif /* USE_KEYRR */
+							NULL);
+		break;
+
+	default:
+		bad_case(st->st_oakley.auth);
+	}
+	if (r != STF_OK)
+		return r;
 
-    DBG(DBG_CRYPT, DBG_log("authentication succeeded"));
+	DBG(DBG_CRYPT, DBG_log("authentication succeeded"));
 
-    /*
-     * With the peer ID known, let's see if we need to switch connections.
-     */
-    if (!switch_connection(md, &peer, initiator))
-	return STF_FAIL + INVALID_ID_INFORMATION;
+	/*
+	 * With the peer ID known, let's see if we need to switch connections.
+	 */
+	if (!switch_connection(md, &peer, initiator))
+		return STF_FAIL + INVALID_ID_INFORMATION;
 
-    return r;
+	return r;
 }
 
 /* This continuation is called as part of either
@@ -3840,46 +3714,44 @@ main_id_and_auth(struct msg_digest *md
  * to find authentication, or we run out of things
  * to try.
  */
-static void
-key_continue(struct adns_continuation *cr
-, err_t ugh
-, key_tail_fn *tail)
+static void key_continue(struct adns_continuation *cr, err_t ugh, 
+						 key_tail_fn *tail)
 {
-    struct key_continuation *kc = (void *)cr;
-    struct state *st = kc->md->st;
-
-    passert(cur_state == NULL);
-
-    /* if st == NULL, our state has been deleted -- just clean up */
-    if (st != NULL)
-    {
-	stf_status r;
+	struct key_continuation *kc = (void *)cr;
+	struct state *st = kc->md->st;
 
-	passert(st->st_suspended_md == kc->md);
-	st->st_suspended_md = NULL;	/* no longer connected or suspended */
-	cur_state = st;
+	passert(cur_state == NULL);
 
-	if (!kc->failure_ok && ugh != NULL)
-	{
-	    report_key_dns_failure(&st->st_connection->spd.that.id, ugh);
-	    r = STF_FAIL + INVALID_KEY_INFORMATION;
-	}
-	else
+	/* if st == NULL, our state has been deleted -- just clean up */
+	if (st != NULL)
 	{
+		stf_status r;
+
+		passert(st->st_suspended_md == kc->md);
+		st->st_suspended_md = NULL;     /* no longer connected or suspended */
+		cur_state = st;
+
+		if (!kc->failure_ok && ugh != NULL)
+		{
+			report_key_dns_failure(&st->st_connection->spd.that.id, ugh);
+			r = STF_FAIL + INVALID_KEY_INFORMATION;
+		}
+		else
+		{
 
 #ifdef USE_KEYRR
-	    passert(kc->step == kos_his_txt || kc->step == kos_his_key);
+			passert(kc->step == kos_his_txt || kc->step == kos_his_key);
 #else
-	    passert(kc->step == kos_his_txt);
+			passert(kc->step == kos_his_txt);
 #endif
-	    kc->last_ugh = ugh;	/* record previous error in case we need it */
-	    r = (*tail)(kc->md, kc);
-	}
-	complete_state_transition(&kc->md, r);
-    }
-    if (kc->md != NULL)
-	release_md(kc->md);
-    cur_state = NULL;
+			kc->last_ugh = ugh; /* record previous error in case we need it */
+			r = (*tail)(kc->md, kc);
+		}
+		complete_state_transition(&kc->md, r);
+	}
+	if (kc->md != NULL)
+		release_md(kc->md);
+	cur_state = NULL;
 }
 
 /* STATE_MAIN_R2:
@@ -3893,174 +3765,173 @@ key_continue(struct adns_continuation *cr
  * - main_inI3_outR3_tail to finish or suspend for DNS lookup
  * - main_inI3_outR3_continue to start main_inI3_outR3_tail again
  */
-static key_tail_fn main_inI3_outR3_tail;	/* forward */
+static key_tail_fn main_inI3_outR3_tail;        /* forward */
 
-stf_status
-main_inI3_outR3(struct msg_digest *md)
+stf_status main_inI3_outR3(struct msg_digest *md)
 {
-    return main_inI3_outR3_tail(md, NULL);
+	return main_inI3_outR3_tail(md, NULL);
 }
 
-static void
-main_inI3_outR3_continue(struct adns_continuation *cr, err_t ugh)
+static void main_inI3_outR3_continue(struct adns_continuation *cr, err_t ugh)
 {
-    key_continue(cr, ugh, main_inI3_outR3_tail);
+	key_continue(cr, ugh, main_inI3_outR3_tail);
 }
 
 static stf_status
 main_inI3_outR3_tail(struct msg_digest *md
 , struct key_continuation *kc)
 {
-    struct state *const st = md->st;
-    u_int8_t auth_payload;
-    pb_stream r_id_pbs;	/* ID Payload; also used for hash calculation */
-    certpolicy_t cert_policy;
-    cert_t mycert;
-    bool RSA_auth;
-    bool send_cert;
-    bool requested;
-
-    /* ID and HASH_I or SIG_I in
-     * Note: this may switch the connection being used!
-     */
-    {
-	stf_status r = main_id_and_auth(md, FALSE
-					, main_inI3_outR3_continue
-					, kc);
-
-	if (r != STF_OK)
-	    return r;
-    }
-
-    /* send certificate if auth is RSA, we have one and we want
-     * or are requested to send it
-     */
-    cert_policy = st->st_connection->spd.this.sendcert;
-    mycert = st->st_connection->spd.this.cert;
-    requested = cert_policy == CERT_SEND_IF_ASKED
-		&& st->st_connection->got_certrequest;
-    RSA_auth = st->st_oakley.auth == OAKLEY_RSA_SIG
-	    || st->st_oakley.auth == XAUTHInitRSA
-            || st->st_oakley.auth == XAUTHRespRSA;
-    send_cert = RSA_auth
-		&& mycert.type != CERT_NONE
-		&& (cert_policy == CERT_ALWAYS_SEND || requested);
-
-    /*************** build output packet HDR*;IDir;HASH/SIG_R ***************/
-    /* proccess_packet() would automatically generate the HDR*
-     * payload if smc->first_out_payload is not ISAKMP_NEXT_NONE.
-     * We don't do this because we wish there to be no partially
-     * built output packet if we need to suspend for asynch DNS.
-     */
-    /* ??? NOTE: this is almost the same as main_inR2_outI3's code */
-
-    /* HDR* out
-     * If auth were PKE_AUTH or RPKE_AUTH, ISAKMP_NEXT_HASH would
-     * be first payload.
-     */
-    echo_hdr(md, TRUE, ISAKMP_NEXT_ID);
-
-    auth_payload = RSA_auth ? ISAKMP_NEXT_SIG : ISAKMP_NEXT_HASH;
-
-    /* IDir out */
-    {
-	/* id_hd should be struct isakmp_id, but struct isakmp_ipsec_id
-	 * allows build_id_payload() to work for both phases.
+	struct state *const st = md->st;
+	u_int8_t auth_payload;
+	pb_stream r_id_pbs; /* ID Payload; also used for hash calculation */
+	certpolicy_t cert_policy;
+	cert_t mycert;
+	bool pubkey_auth, send_cert, requested;
+
+	/* ID and HASH_I or SIG_I in
+	 * Note: this may switch the connection being used!
 	 */
-	struct isakmp_ipsec_id id_hd;
-	chunk_t id_b;
-
-	build_id_payload(&id_hd, &id_b, &st->st_connection->spd.this);
-	id_hd.isaiid_np = (send_cert)? ISAKMP_NEXT_CERT : auth_payload;
-	if (!out_struct(&id_hd, &isakmp_ipsec_identification_desc, &md->rbody, &r_id_pbs)
-	|| !out_chunk(id_b, &r_id_pbs, "my identity"))
-	    return STF_INTERNAL_ERROR;
-	close_output_pbs(&r_id_pbs);
-    }
-
-    /* CERT out */
-    if (RSA_auth)
-    {
-	DBG(DBG_CONTROL,
-	    DBG_log("our certificate policy is %s"
-		, enum_name(&cert_policy_names, cert_policy))
-	)
-	if (mycert.type != CERT_NONE)
 	{
-	    const char *request_text = "";
+		stf_status r = main_id_and_auth(md, FALSE
+										, main_inI3_outR3_continue
+										, kc);
 
-	    if (cert_policy == CERT_SEND_IF_ASKED)
-		request_text = (send_cert)? "upon request":"without request";
-	    plog("we have a cert %s sending it %s"
-		, send_cert? "and are":"but are not", request_text);
+		if (r != STF_OK)
+			return r;
 	}
-	else
+
+	/* send certificate if pubkey authentication is used, we have one
+	 * and we want or are requested to send it
+	 */
+	cert_policy = st->st_connection->spd.this.sendcert;
+	mycert = st->st_connection->spd.this.cert;
+	requested = cert_policy == CERT_SEND_IF_ASKED
+				&& st->st_connection->got_certrequest;
+	pubkey_auth = uses_pubkey_auth(st->st_oakley.auth);
+	send_cert = pubkey_auth	&& mycert.type != CERT_NONE &&
+				(cert_policy == CERT_ALWAYS_SEND || requested);
+
+	/*************** build output packet HDR*;IDir;HASH/SIG_R ***************/
+	/* proccess_packet() would automatically generate the HDR*
+	 * payload if smc->first_out_payload is not ISAKMP_NEXT_NONE.
+	 * We don't do this because we wish there to be no partially
+	 * built output packet if we need to suspend for asynch DNS.
+	 */
+	/* ??? NOTE: this is almost the same as main_inR2_outI3's code */
+
+	/* HDR* out
+	 * If auth were PKE_AUTH or RPKE_AUTH, ISAKMP_NEXT_HASH would
+	 * be first payload.
+	 */
+	echo_hdr(md, TRUE, ISAKMP_NEXT_ID);
+
+	auth_payload = pubkey_auth ? ISAKMP_NEXT_SIG : ISAKMP_NEXT_HASH;
+
+	/* IDir out */
 	{
-	    plog("we don't have a cert");
+		/* id_hd should be struct isakmp_id, but struct isakmp_ipsec_id
+		 * allows build_id_payload() to work for both phases.
+		 */
+		struct isakmp_ipsec_id id_hd;
+		chunk_t id_b;
+
+		build_id_payload(&id_hd, &id_b, &st->st_connection->spd.this);
+		id_hd.isaiid_np = (send_cert)? ISAKMP_NEXT_CERT : auth_payload;
+		if (!out_struct(&id_hd, &isakmp_ipsec_identification_desc, &md->rbody, &r_id_pbs)
+		|| !out_chunk(id_b, &r_id_pbs, "my identity"))
+			return STF_INTERNAL_ERROR;
+		close_output_pbs(&r_id_pbs);
 	}
-    }
-    if (send_cert)
-    {
-	pb_stream cert_pbs;
 
-	struct isakmp_cert cert_hd;
-	cert_hd.isacert_np = ISAKMP_NEXT_SIG;
-	cert_hd.isacert_type = mycert.type;
+	/* CERT out */
+	if (pubkey_auth)
+	{
+		DBG(DBG_CONTROL,
+			DBG_log("our certificate policy is %N", cert_policy_names, cert_policy)
+		)
+		if (mycert.type != CERT_NONE)
+		{
+			const char *request_text = "";
 
-	if (!out_struct(&cert_hd, &isakmp_ipsec_certificate_desc, &md->rbody, &cert_pbs))
-	return STF_INTERNAL_ERROR;
-	if (!out_chunk(get_mycert(mycert), &cert_pbs, "CERT"))
-	    return STF_INTERNAL_ERROR;
-	close_output_pbs(&cert_pbs);
-    }
+			if (cert_policy == CERT_SEND_IF_ASKED)
+				request_text = (send_cert)? "upon request":"without request";
+			plog("we have a cert %s sending it %s"
+				, send_cert? "and are":"but are not", request_text);
+		}
+		else
+		{
+			plog("we don't have a cert");
+		}
+	}
+	if (send_cert)
+	{
+		pb_stream cert_pbs;
 
-    /* HASH_R or SIG_R out */
-    {
-	u_char hash_val[MAX_DIGEST_LEN];
-	size_t hash_len = main_mode_hash(st, hash_val, FALSE, &r_id_pbs);
+		struct isakmp_cert cert_hd;
+		cert_hd.isacert_np = ISAKMP_NEXT_SIG;
+		cert_hd.isacert_type = mycert.type;
 
-	if (auth_payload == ISAKMP_NEXT_HASH)
-	{
-	    /* HASH_R out */
-	    if (!out_generic_raw(ISAKMP_NEXT_NONE, &isakmp_hash_desc, &md->rbody
-	    , hash_val, hash_len, "HASH_R"))
+		if (!out_struct(&cert_hd, &isakmp_ipsec_certificate_desc, &md->rbody, &cert_pbs))
 		return STF_INTERNAL_ERROR;
+		if (!out_chunk(cert_get_encoding(mycert), &cert_pbs, "CERT"))
+			return STF_INTERNAL_ERROR;
+		close_output_pbs(&cert_pbs);
 	}
-	else
+
+	/* HASH_R or SIG_R out */
 	{
-	    /* SIG_R out */
-	    u_char sig_val[RSA_MAX_OCTETS];
-	    size_t sig_len = RSA_sign_hash(st->st_connection
-		, sig_val, hash_val, hash_len);
+		u_char hash_buf[MAX_DIGEST_LEN];
+		chunk_t hash = chunk_from_buf(hash_buf);
 
-	    if (sig_len == 0)
-	    {
-		loglog(RC_LOG_SERIOUS, "unable to locate my private key for RSA Signature");
-		return STF_FAIL + AUTHENTICATION_FAILED;
-	    }
+		main_mode_hash(st, &hash, FALSE, &r_id_pbs);
 
-	    if (!out_generic_raw(ISAKMP_NEXT_NONE, &isakmp_signature_desc
-	    , &md->rbody, sig_val, sig_len, "SIG_R"))
-		return STF_INTERNAL_ERROR;
+		if (auth_payload == ISAKMP_NEXT_HASH)
+		{
+			/* HASH_R out */
+			if (!out_generic_raw(ISAKMP_NEXT_NONE, &isakmp_hash_desc, &md->rbody,
+								 hash.ptr, hash.len, "HASH_R"))
+			{
+				return STF_INTERNAL_ERROR;
+			}
+		}
+		else
+		{
+			/* SIG_R out */
+			u_char sig_val[RSA_MAX_OCTETS];
+			signature_scheme_t scheme;
+			size_t sig_len;
+
+			scheme = oakley_to_signature_scheme(st->st_oakley.auth);
+
+			sig_len = sign_hash(scheme, st->st_connection, sig_val, hash);
+			if (sig_len == 0)
+			{
+				loglog(RC_LOG_SERIOUS, "unable to locate my private key for signature");
+				return STF_FAIL + AUTHENTICATION_FAILED;
+			}
+
+			if (!out_generic_raw(ISAKMP_NEXT_NONE, &isakmp_signature_desc
+			, &md->rbody, sig_val, sig_len, "SIG_R"))
+				return STF_INTERNAL_ERROR;
+		}
 	}
-    }
 
-    /* encrypt message, sans fixed part of header */
+	/* encrypt message, sans fixed part of header */
 
-    if (!encrypt_message(&md->rbody, st))
-	return STF_INTERNAL_ERROR;	/* ??? we may be partly committed */
+	if (!encrypt_message(&md->rbody, st))
+		return STF_INTERNAL_ERROR;      /* ??? we may be partly committed */
 
-    /* Last block of Phase 1 (R3), kept for Phase 2 IV generation */
-    DBG_cond_dump(DBG_CRYPT, "last encrypted block of Phase 1:"
-	, st->st_new_iv, st->st_new_iv_len);
+	/* Last block of Phase 1 (R3), kept for Phase 2 IV generation */
+	DBG_cond_dump(DBG_CRYPT, "last encrypted block of Phase 1:"
+		, st->st_new_iv, st->st_new_iv_len);
 
-    ISAKMP_SA_established(st->st_connection, st->st_serialno);
+	ISAKMP_SA_established(st->st_connection, st->st_serialno);
 
-    /* Save Phase 1 IV */
-    st->st_ph1_iv_len = st->st_new_iv_len;
-    set_ph1_iv(st, st->st_new_iv);
+	/* Save Phase 1 IV */
+	st->st_ph1_iv_len = st->st_new_iv_len;
+	set_ph1_iv(st, st->st_new_iv);
 
-    return STF_OK;
+	return STF_OK;
 }
 
 /* STATE_MAIN_I3:
@@ -4073,48 +3944,45 @@ main_inI3_outR3_tail(struct msg_digest *md
  * - main_inR3_continue to start main_inR3_tail again
  */
 
-static key_tail_fn main_inR3_tail;	/* forward */
+static key_tail_fn main_inR3_tail;      /* forward */
 
-stf_status
-main_inR3(struct msg_digest *md)
+stf_status main_inR3(struct msg_digest *md)
 {
-    return main_inR3_tail(md, NULL);
+	return main_inR3_tail(md, NULL);
 }
 
-static void
-main_inR3_continue(struct adns_continuation *cr, err_t ugh)
+static void main_inR3_continue(struct adns_continuation *cr, err_t ugh)
 {
-    key_continue(cr, ugh, main_inR3_tail);
+	key_continue(cr, ugh, main_inR3_tail);
 }
 
-static stf_status
-main_inR3_tail(struct msg_digest *md
-, struct key_continuation *kc)
+static stf_status main_inR3_tail(struct msg_digest *md,
+								 struct key_continuation *kc)
 {
-    struct state *const st = md->st;
+	struct state *const st = md->st;
 
-    /* ID and HASH_R or SIG_R in
-     * Note: this may switch the connection being used!
-     */
-    {
-	stf_status r = main_id_and_auth(md, TRUE, main_inR3_continue, kc);
+	/* ID and HASH_R or SIG_R in
+	 * Note: this may switch the connection being used!
+	 */
+	{
+		stf_status r = main_id_and_auth(md, TRUE, main_inR3_continue, kc);
 
-	if (r != STF_OK)
-	    return r;
-    }
+		if (r != STF_OK)
+			return r;
+	}
 
-    /**************** done input ****************/
+	/**************** done input ****************/
 
-    ISAKMP_SA_established(st->st_connection, st->st_serialno);
+	ISAKMP_SA_established(st->st_connection, st->st_serialno);
 
-    /* Save Phase 1 IV */
-    st->st_ph1_iv_len = st->st_new_iv_len;
-    set_ph1_iv(st, st->st_new_iv);
+	/* Save Phase 1 IV */
+	st->st_ph1_iv_len = st->st_new_iv_len;
+	set_ph1_iv(st, st->st_new_iv);
 
 
-    update_iv(st);	/* finalize our Phase 1 IV */
+	update_iv(st);      /* finalize our Phase 1 IV */
 
-    return STF_OK;
+	return STF_OK;
 }
 
 /* Handle first message of Phase 2 -- Quick Mode.
@@ -4182,15 +4050,15 @@ main_inR3_tail(struct msg_digest *md
  */
 
 enum verify_oppo_step {
-    vos_fail,
-    vos_start,
-    vos_our_client,
-    vos_our_txt,
+	vos_fail,
+	vos_start,
+	vos_our_client,
+	vos_our_txt,
 #ifdef USE_KEYRR
-    vos_our_key,
+	vos_our_key,
 #endif /* USE_KEYRR */
-    vos_his_client,
-    vos_done
+	vos_his_client,
+	vos_done
 };
 
 static const char *const verify_step_name[] = {
@@ -4207,834 +4075,833 @@ static const char *const verify_step_name[] = {
 
 /* hold anything we can handle of a Phase 2 ID */
 struct p2id {
-    ip_subnet net;
-    u_int8_t proto;
-    u_int16_t port;
+	ip_subnet net;
+	u_int8_t proto;
+	u_int16_t port;
 };
 
 struct verify_oppo_bundle {
-    enum verify_oppo_step step;
-    bool failure_ok;      /* if true, quick_inI1_outR1_continue will try
-			   * other things on DNS failure */
-    struct msg_digest *md;
-    struct p2id my, his;
-    unsigned int new_iv_len;	/* p1st's might change */
-    u_char new_iv[MAX_DIGEST_LEN];
-    /* int whackfd; */	/* not needed because we are Responder */
+	enum verify_oppo_step step;
+	bool failure_ok;      /* if true, quick_inI1_outR1_continue will try
+						   * other things on DNS failure */
+	struct msg_digest *md;
+	struct p2id my, his;
+	unsigned int new_iv_len;    /* p1st's might change */
+	u_char new_iv[MAX_DIGEST_LEN];
+	/* int whackfd; */  /* not needed because we are Responder */
 };
 
 struct verify_oppo_continuation {
-    struct adns_continuation ac;	/* common prefix */
-    struct verify_oppo_bundle b;
+	struct adns_continuation ac;        /* common prefix */
+	struct verify_oppo_bundle b;
 };
 
 static stf_status quick_inI1_outR1_tail(struct verify_oppo_bundle *b
-    , struct adns_continuation *ac);
+	, struct adns_continuation *ac);
 
-stf_status
-quick_inI1_outR1(struct msg_digest *md)
+stf_status quick_inI1_outR1(struct msg_digest *md)
 {
-    const struct state *const p1st = md->st;
-    struct connection *c = p1st->st_connection;
-    struct payload_digest *const id_pd = md->chain[ISAKMP_NEXT_ID];
-    struct verify_oppo_bundle b;
-
-    /* HASH(1) in */
-    CHECK_QUICK_HASH(md
-	, quick_mode_hash12(hash_val, hash_pbs->roof, md->message_pbs.roof
-	    , p1st, &md->hdr.isa_msgid, FALSE)
-	, "HASH(1)", "Quick I1");
-
-    /* [ IDci, IDcr ] in
-     * We do this now (probably out of physical order) because
-     * we wish to select the correct connection before we consult
-     * it for policy.
-     */
-
-    if (id_pd != NULL)
-    {
-	/* ??? we are assuming IPSEC_DOI */
-
-	/* IDci (initiator is peer) */
-
-	if (!decode_net_id(&id_pd->payload.ipsec_id, &id_pd->pbs
-	, &b.his.net, "peer client"))
-	    return STF_FAIL + INVALID_ID_INFORMATION;
-
-	/* Hack for MS 818043 NAT-T Update */
-
-	if (id_pd->payload.ipsec_id.isaiid_idtype == ID_FQDN)
-	    happy(addrtosubnet(&c->spd.that.host_addr, &b.his.net));
-
-	/* End Hack for MS 818043 NAT-T Update */
-
-	b.his.proto = id_pd->payload.ipsec_id.isaiid_protoid;
-	b.his.port = id_pd->payload.ipsec_id.isaiid_port;
-	b.his.net.addr.u.v4.sin_port = htons(b.his.port);
-
-	/* IDcr (we are responder) */
-
-	if (!decode_net_id(&id_pd->next->payload.ipsec_id, &id_pd->next->pbs
-	, &b.my.net, "our client"))
-	    return STF_FAIL + INVALID_ID_INFORMATION;
-        
-	b.my.proto = id_pd->next->payload.ipsec_id.isaiid_protoid;
-	b.my.port = id_pd->next->payload.ipsec_id.isaiid_port;
-	b.my.net.addr.u.v4.sin_port = htons(b.my.port);
-    }
-    else
-    {
-	/* implicit IDci and IDcr: peer and self */
-	if (!sameaddrtype(&c->spd.this.host_addr, &c->spd.that.host_addr))
-	    return STF_FAIL;
-
-	happy(addrtosubnet(&c->spd.this.host_addr, &b.my.net));
-	happy(addrtosubnet(&c->spd.that.host_addr, &b.his.net));
-	b.his.proto = b.my.proto = 0;
-	b.his.port = b.my.port = 0;
-    }
-    b.step = vos_start;
-    b.md = md;
-    b.new_iv_len = p1st->st_new_iv_len;
-    memcpy(b.new_iv, p1st->st_new_iv, p1st->st_new_iv_len);
-    return quick_inI1_outR1_tail(&b, NULL);
+	const struct state *const p1st = md->st;
+	struct connection *c = p1st->st_connection;
+	struct payload_digest *const id_pd = md->chain[ISAKMP_NEXT_ID];
+	struct verify_oppo_bundle b;
+
+	/* HASH(1) in */
+	CHECK_QUICK_HASH(md
+		, quick_mode_hash12(hash_val, hash_pbs->roof, md->message_pbs.roof
+			, p1st, &md->hdr.isa_msgid, FALSE)
+		, "HASH(1)", "Quick I1");
+
+	/* [ IDci, IDcr ] in
+	 * We do this now (probably out of physical order) because
+	 * we wish to select the correct connection before we consult
+	 * it for policy.
+	 */
+
+	if (id_pd != NULL)
+	{
+		/* ??? we are assuming IPSEC_DOI */
+
+		/* IDci (initiator is peer) */
+
+		if (!decode_net_id(&id_pd->payload.ipsec_id, &id_pd->pbs
+		, &b.his.net, "peer client"))
+			return STF_FAIL + INVALID_ID_INFORMATION;
+
+		/* Hack for MS 818043 NAT-T Update */
+
+		if (id_pd->payload.ipsec_id.isaiid_idtype == ID_FQDN)
+			happy(addrtosubnet(&c->spd.that.host_addr, &b.his.net));
+
+		/* End Hack for MS 818043 NAT-T Update */
+
+		b.his.proto = id_pd->payload.ipsec_id.isaiid_protoid;
+		b.his.port = id_pd->payload.ipsec_id.isaiid_port;
+		b.his.net.addr.u.v4.sin_port = htons(b.his.port);
+
+		/* IDcr (we are responder) */
+
+		if (!decode_net_id(&id_pd->next->payload.ipsec_id, &id_pd->next->pbs
+		, &b.my.net, "our client"))
+			return STF_FAIL + INVALID_ID_INFORMATION;
+		
+		b.my.proto = id_pd->next->payload.ipsec_id.isaiid_protoid;
+		b.my.port = id_pd->next->payload.ipsec_id.isaiid_port;
+		b.my.net.addr.u.v4.sin_port = htons(b.my.port);
+	}
+	else
+	{
+		/* implicit IDci and IDcr: peer and self */
+		if (!sameaddrtype(&c->spd.this.host_addr, &c->spd.that.host_addr))
+			return STF_FAIL;
+
+		happy(addrtosubnet(&c->spd.this.host_addr, &b.my.net));
+		happy(addrtosubnet(&c->spd.that.host_addr, &b.his.net));
+		b.his.proto = b.my.proto = 0;
+		b.his.port = b.my.port = 0;
+	}
+	b.step = vos_start;
+	b.md = md;
+	b.new_iv_len = p1st->st_new_iv_len;
+	memcpy(b.new_iv, p1st->st_new_iv, p1st->st_new_iv_len);
+	return quick_inI1_outR1_tail(&b, NULL);
 }
 
 static void
 report_verify_failure(struct verify_oppo_bundle *b, err_t ugh)
 {
-    struct state *st = b->md->st;
-    char fgwb[ADDRTOT_BUF]
-	, cb[ADDRTOT_BUF];
-    ip_address client;
-    err_t which = NULL;
-
-    switch (b->step)
-    {
-    case vos_our_client:
-    case vos_our_txt:
+	struct state *st = b->md->st;
+	char fgwb[ADDRTOT_BUF]
+		, cb[ADDRTOT_BUF];
+	ip_address client;
+	err_t which = NULL;
+
+	switch (b->step)
+	{
+	case vos_our_client:
+	case vos_our_txt:
 #ifdef USE_KEYRR
-    case vos_our_key:
+	case vos_our_key:
 #endif /* USE_KEYRR */
-	which = "our";
-	networkof(&b->my.net, &client);
-	break;
-
-    case vos_his_client:
-	which = "his";
-	networkof(&b->his.net, &client);
-	break;
-
-    case vos_start:
-    case vos_done:
-    case vos_fail:
-    default:
-	bad_case(b->step);
-    }
-
-    addrtot(&st->st_connection->spd.that.host_addr, 0, fgwb, sizeof(fgwb));
-    addrtot(&client, 0, cb, sizeof(cb));
-    loglog(RC_OPPOFAILURE
-	, "gateway %s wants connection with %s as %s client, but DNS fails to confirm delegation: %s"
-	, fgwb, cb, which, ugh);
+		which = "our";
+		networkof(&b->my.net, &client);
+		break;
+
+	case vos_his_client:
+		which = "his";
+		networkof(&b->his.net, &client);
+		break;
+
+	case vos_start:
+	case vos_done:
+	case vos_fail:
+	default:
+		bad_case(b->step);
+	}
+
+	addrtot(&st->st_connection->spd.that.host_addr, 0, fgwb, sizeof(fgwb));
+	addrtot(&client, 0, cb, sizeof(cb));
+	loglog(RC_OPPOFAILURE
+		, "gateway %s wants connection with %s as %s client, but DNS fails to confirm delegation: %s"
+		, fgwb, cb, which, ugh);
 }
 
-static void
-quick_inI1_outR1_continue(struct adns_continuation *cr, err_t ugh)
+static void quick_inI1_outR1_continue(struct adns_continuation *cr, err_t ugh)
 {
-    stf_status r;
-    struct verify_oppo_continuation *vc = (void *)cr;
-    struct verify_oppo_bundle *b = &vc->b;
-    struct state *st = b->md->st;
-
-    passert(cur_state == NULL);
-    /* if st == NULL, our state has been deleted -- just clean up */
-    if (st != NULL)
-    {
-	passert(st->st_suspended_md == b->md);
-	st->st_suspended_md = NULL;	/* no longer connected or suspended */
-	cur_state = st;
-	if (!b->failure_ok && ugh != NULL)
-	{
-	    report_verify_failure(b, ugh);
-	    r = STF_FAIL + INVALID_ID_INFORMATION;
-	}
-	else
+	stf_status r;
+	struct verify_oppo_continuation *vc = (void *)cr;
+	struct verify_oppo_bundle *b = &vc->b;
+	struct state *st = b->md->st;
+
+	passert(cur_state == NULL);
+	/* if st == NULL, our state has been deleted -- just clean up */
+	if (st != NULL)
 	{
-	    r = quick_inI1_outR1_tail(b, cr);
+		passert(st->st_suspended_md == b->md);
+		st->st_suspended_md = NULL;     /* no longer connected or suspended */
+		cur_state = st;
+		if (!b->failure_ok && ugh != NULL)
+		{
+			report_verify_failure(b, ugh);
+			r = STF_FAIL + INVALID_ID_INFORMATION;
+		}
+		else
+		{
+			r = quick_inI1_outR1_tail(b, cr);
+		}
+		complete_state_transition(&b->md, r);
 	}
-	complete_state_transition(&b->md, r);
-    }
-    if (b->md != NULL)
-	release_md(b->md);
-    cur_state = NULL;
+	if (b->md != NULL)
+		release_md(b->md);
+	cur_state = NULL;
 }
 
-static stf_status
-quick_inI1_outR1_start_query(struct verify_oppo_bundle *b
-, enum verify_oppo_step next_step)
+static stf_status quick_inI1_outR1_start_query(struct verify_oppo_bundle *b,
+											   enum verify_oppo_step next_step)
 {
-    struct msg_digest *md = b->md;
-    struct state *p1st = md->st;
-    struct connection *c = p1st->st_connection;
-    struct verify_oppo_continuation *vc
-	= alloc_thing(struct verify_oppo_continuation, "verify continuation");
-    struct id id	/* subject of query */
-	, *our_id	/* needed for myid playing */
-	, our_id_space;	/* ephemeral: no need for unshare_id_content */
-    ip_address client;
-    err_t ugh = NULL;
-
-    /* Record that state is used by a suspended md */
-    b->step = next_step;    /* not just vc->b.step */
-    vc->b = *b;
-    passert(p1st->st_suspended_md == NULL);
-    p1st->st_suspended_md = b->md;
-
-    DBG(DBG_CONTROL,
-	{
-	    char ours[SUBNETTOT_BUF];
-	    char his[SUBNETTOT_BUF];
-
-	    subnettot(&c->spd.this.client, 0, ours, sizeof(ours));
-	    subnettot(&c->spd.that.client, 0, his, sizeof(his));
-
-	    DBG_log("responding with DNS query - from %s to %s new state: %s"
-		    , ours, his, verify_step_name[b->step]);
-	});
-
-    /* Resolve %myid in a cheesy way.
-     * We have to do the resolution because start_adns_query
-     * et al have insufficient information to do so.
-     * If %myid is already known, we'll use that value
-     * (XXX this may be a mistake: it could be stale).
-     * If %myid is unknown, we should check to see if
-     * there are credentials for the IP address or the FQDN.
-     * Instead, we'll just assume the IP address since we are
-     * acting as the responder and only the IP address would
-     * have gotten it to us.
-     * We don't even try to do this for the other side:
-     * %myid makes no sense for the other side (but it is syntactically
-     * legal).
-     */
-    our_id = resolve_myid(&c->spd.this.id);
-    if (our_id->kind == ID_NONE)
-    {
-	iptoid(&c->spd.this.host_addr, &our_id_space);
-	our_id = &our_id_space;
-    }
-
-    switch (next_step)
-    {
-    case vos_our_client:
-	networkof(&b->my.net, &client);
-	iptoid(&client, &id);
-	vc->b.failure_ok = b->failure_ok = FALSE;
-	ugh = start_adns_query(&id
-	    , our_id
-	    , T_TXT
-	    , quick_inI1_outR1_continue
-	    , &vc->ac);
-	break;
-
-    case vos_our_txt:
-	vc->b.failure_ok = b->failure_ok = TRUE;
-	ugh = start_adns_query(our_id
-	    , our_id	/* self as SG */
-	    , T_TXT
-	    , quick_inI1_outR1_continue
-	    , &vc->ac);
-	break;
+	struct msg_digest *md = b->md;
+	struct state *p1st = md->st;
+	struct connection *c = p1st->st_connection;
+	struct verify_oppo_continuation *vc = malloc_thing(struct verify_oppo_continuation);
+	struct id id        /* subject of query */
+		, *our_id       /* needed for myid playing */
+		, our_id_space; /* ephemeral: no need for unshare_id_content */
+	ip_address client;
+	err_t ugh = NULL;
+
+	/* Record that state is used by a suspended md */
+	b->step = next_step;    /* not just vc->b.step */
+	vc->b = *b;
+	passert(p1st->st_suspended_md == NULL);
+	p1st->st_suspended_md = b->md;
+
+	DBG(DBG_CONTROL,
+		{
+			char ours[SUBNETTOT_BUF];
+			char his[SUBNETTOT_BUF];
+
+			subnettot(&c->spd.this.client, 0, ours, sizeof(ours));
+			subnettot(&c->spd.that.client, 0, his, sizeof(his));
+
+			DBG_log("responding with DNS query - from %s to %s new state: %s"
+					, ours, his, verify_step_name[b->step]);
+		});
+
+	/* Resolve %myid in a cheesy way.
+	 * We have to do the resolution because start_adns_query
+	 * et al have insufficient information to do so.
+	 * If %myid is already known, we'll use that value
+	 * (XXX this may be a mistake: it could be stale).
+	 * If %myid is unknown, we should check to see if
+	 * there are credentials for the IP address or the FQDN.
+	 * Instead, we'll just assume the IP address since we are
+	 * acting as the responder and only the IP address would
+	 * have gotten it to us.
+	 * We don't even try to do this for the other side:
+	 * %myid makes no sense for the other side (but it is syntactically
+	 * legal).
+	 */
+	our_id = resolve_myid(&c->spd.this.id);
+	if (our_id->kind == ID_ANY)
+	{
+		iptoid(&c->spd.this.host_addr, &our_id_space);
+		our_id = &our_id_space;
+	}
+
+	switch (next_step)
+	{
+	case vos_our_client:
+		networkof(&b->my.net, &client);
+		iptoid(&client, &id);
+		vc->b.failure_ok = b->failure_ok = FALSE;
+		ugh = start_adns_query(&id
+			, our_id
+			, T_TXT
+			, quick_inI1_outR1_continue
+			, &vc->ac);
+		break;
+
+	case vos_our_txt:
+		vc->b.failure_ok = b->failure_ok = TRUE;
+		ugh = start_adns_query(our_id
+			, our_id    /* self as SG */
+			, T_TXT
+			, quick_inI1_outR1_continue
+			, &vc->ac);
+		break;
 
 #ifdef USE_KEYRR
-    case vos_our_key:
-	vc->b.failure_ok = b->failure_ok = FALSE;
-	ugh = start_adns_query(our_id
-	    , NULL
-	    , T_KEY
-	    , quick_inI1_outR1_continue
-	    , &vc->ac);
-	break;
+	case vos_our_key:
+		vc->b.failure_ok = b->failure_ok = FALSE;
+		ugh = start_adns_query(our_id
+			, NULL
+			, T_KEY
+			, quick_inI1_outR1_continue
+			, &vc->ac);
+		break;
 #endif
 
-    case vos_his_client:
-	networkof(&b->his.net, &client);
-	iptoid(&client, &id);
-	vc->b.failure_ok = b->failure_ok = FALSE;
-	ugh = start_adns_query(&id
-	    , &c->spd.that.id
-	    , T_TXT
-	    , quick_inI1_outR1_continue
-	    , &vc->ac);
-	break;
-
-    default:
-	bad_case(next_step);
-    }
-
-    if (ugh != NULL)
-    {
-	/* note: we'd like to use vc->b but vc has been freed
-	 * so we have to use b.  This is why we plunked next_state
-	 * into b, not just vc->b.
-	 */
-	report_verify_failure(b, ugh);
-	p1st->st_suspended_md = NULL;
-	return STF_FAIL + INVALID_ID_INFORMATION;
-    }
-    else
-    {
-	return STF_SUSPEND;
-    }
+	case vos_his_client:
+		networkof(&b->his.net, &client);
+		iptoid(&client, &id);
+		vc->b.failure_ok = b->failure_ok = FALSE;
+		ugh = start_adns_query(&id
+			, &c->spd.that.id
+			, T_TXT
+			, quick_inI1_outR1_continue
+			, &vc->ac);
+		break;
+
+	default:
+		bad_case(next_step);
+	}
+
+	if (ugh != NULL)
+	{
+		/* note: we'd like to use vc->b but vc has been freed
+		 * so we have to use b.  This is why we plunked next_state
+		 * into b, not just vc->b.
+		 */
+		report_verify_failure(b, ugh);
+		p1st->st_suspended_md = NULL;
+		return STF_FAIL + INVALID_ID_INFORMATION;
+	}
+	else
+	{
+		return STF_SUSPEND;
+	}
 }
 
-static enum verify_oppo_step
-quick_inI1_outR1_process_answer(struct verify_oppo_bundle *b
-, struct adns_continuation *ac
-, struct state *p1st)
+static enum verify_oppo_step quick_inI1_outR1_process_answer(
+										struct verify_oppo_bundle *b,
+										struct adns_continuation *ac,
+										struct state *p1st)
 {
-    struct connection *c = p1st->st_connection;
-    enum verify_oppo_step next_step = vos_our_client;
-    err_t ugh = NULL;
-
-    DBG(DBG_CONTROL,
-	{
-	    char ours[SUBNETTOT_BUF];
-	    char his[SUBNETTOT_BUF];
-
-	    subnettot(&c->spd.this.client, 0, ours, sizeof(ours));
-	    subnettot(&c->spd.that.client, 0, his, sizeof(his));
-	    DBG_log("responding on demand from %s to %s state: %s"
-		    , ours, his, verify_step_name[b->step]);
-	});
-
-    /* process just completed DNS query (if any) */
-    switch (b->step)
-    {
-    case vos_start:
-	/* no query to digest */
-	next_step = vos_our_client;
-	break;
-
-    case vos_our_client:
-	next_step = vos_his_client;
-	{
-	    const struct RSA_private_key *pri = get_RSA_private_key(c);
-	    struct gw_info *gwp;
-
-	    if (pri == NULL)
-	    {
-		ugh = "we don't know our own key";
-		break;
-	    }
-	    ugh = "our client does not delegate us as its Security Gateway";
-	    for (gwp = ac->gateways_from_dns; gwp != NULL; gwp = gwp->next)
-	    {
-		ugh = "our client delegates us as its Security Gateway but with the wrong public key";
-		/* If there is no key in the TXT record,
-		 * we count it as a win, but we will have
-		 * to separately fetch and check the KEY record.
-		 * If there is a key from the TXT record,
-		 * we count it as a win if we match the key.
-		 */
-		if (!gwp->gw_key_present)
-		{
-		    next_step = vos_our_txt;
-		    ugh = NULL;	/* good! */
-		    break;
-		}
-		else if (same_RSA_public_key(&pri->pub, &gwp->key->u.rsa))
+	struct connection *c = p1st->st_connection;
+	enum verify_oppo_step next_step = vos_our_client;
+	err_t ugh = NULL;
+
+	DBG(DBG_CONTROL,
 		{
-		    ugh = NULL;	/* good! */
-		    break;
-		}
-	    }
-	}
-	break;
+			char ours[SUBNETTOT_BUF];
+			char his[SUBNETTOT_BUF];
 
-    case vos_our_txt:
-	next_step = vos_his_client;
+			subnettot(&c->spd.this.client, 0, ours, sizeof(ours));
+			subnettot(&c->spd.that.client, 0, his, sizeof(his));
+			DBG_log("responding on demand from %s to %s state: %s"
+					, ours, his, verify_step_name[b->step]);
+		});
+
+	/* process just completed DNS query (if any) */
+	switch (b->step)
 	{
-	    const struct RSA_private_key *pri = get_RSA_private_key(c);
+	case vos_start:
+		/* no query to digest */
+		next_step = vos_our_client;
+		break;
+
+	case vos_our_client:
+		next_step = vos_his_client;
+		{
+			private_key_t *private = get_private_key(c);
+			struct gw_info *gwp;
 
-	    if (pri == NULL)
-	    {
-		ugh = "we don't know our own key";
+			if (private == NULL)
+			{
+				ugh = "we don't know our own key";
+				break;
+			}
+			ugh = "our client does not delegate us as its Security Gateway";
+			for (gwp = ac->gateways_from_dns; gwp != NULL; gwp = gwp->next)
+			{
+				ugh = "our client delegates us as its Security Gateway but with the wrong public key";
+				/* If there is no key in the TXT record,
+				 * we count it as a win, but we will have
+				 * to separately fetch and check the KEY record.
+				 * If there is a key from the TXT record,
+				 * we count it as a win if we match the key.
+				 */
+				if (!gwp->gw_key_present)
+				{
+					next_step = vos_our_txt;
+					ugh = NULL; /* good! */
+					break;
+				}
+				else if (private->belongs_to(private, gwp->key->public_key))
+				{
+					ugh = NULL; /* good! */
+					break;
+				}
+			}
+		}
 		break;
-	    }
-	    {
-		struct gw_info *gwp;
 
-		for (gwp = ac->gateways_from_dns; gwp != NULL; gwp = gwp->next)
+	case vos_our_txt:
+		next_step = vos_his_client;
 		{
+			private_key_t *private = get_private_key(c);
+
+			if (private == NULL)
+			{
+				ugh = "we don't know our own key";
+				break;
+			}
+			{
+				struct gw_info *gwp;
+
+				for (gwp = ac->gateways_from_dns; gwp != NULL; gwp = gwp->next)
+				{
 #ifdef USE_KEYRR
-		    /* not an error yet, because we have to check KEY RR as well */
-		    ugh = NULL;
+					/* not an error yet, because we have to check KEY RR as well */
+					ugh = NULL;
 #else
-		    ugh = "our client delegation depends on our " RRNAME " record, but it has the wrong public key";
+					ugh = "our client delegation depends on our " RRNAME " record, but it has the wrong public key";
 #endif
-		    if (gwp->gw_key_present
-		    && same_RSA_public_key(&pri->pub, &gwp->key->u.rsa))
-		    {
-			ugh = NULL;	/* good! */
-			break;
-		    }
+					if (gwp->gw_key_present
+					&& private->belongs_to(private, gwp->key->public_key))
+					{
+						ugh = NULL;     /* good! */
+						break;
+					}
 #ifdef USE_KEYRR
-		    next_step = vos_our_key;
+					next_step = vos_our_key;
 #endif
+				}
+			}
 		}
-	    }
-	}
-	break;
+		break;
 
 #ifdef USE_KEYRR
-    case vos_our_key:
-	next_step = vos_his_client;
-	{
-	    const struct RSA_private_key *pri = get_RSA_private_key(c);
+	case vos_our_key:
+		next_step = vos_his_client;
+		{
+			private_key_t *private = get_private_key(c);
 
-	    if (pri == NULL)
-	    {
-		ugh = "we don't know our own key";
+			if (private == NULL)
+			{
+				ugh = "we don't know our own key";
+				break;
+			}
+			{
+				pubkey_list_t *kp;
+
+				ugh = "our client delegation depends on our missing " RRNAME " record";
+				for (kp = ac->keys_from_dns; kp != NULL; kp = kp->next)
+				{
+					ugh = "our client delegation depends on our " RRNAME " record, but it has the wrong public key";
+					if (private->belongs_to(private, kp->key->public_key))
+					{
+						/* do this only once a day */
+						if (!logged_txt_warning)
+						{
+							loglog(RC_LOG_SERIOUS, "found KEY RR but not TXT RR. See http://www.freeswan.org/err/txt-change.html.");
+							logged_txt_warning = TRUE;
+						}
+						ugh = NULL;     /* good! */
+						break;
+					}
+				}
+			}
+		}
 		break;
-	    }
-	    {
-		pubkey_list_t *kp;
+#endif /* USE_KEYRR */
 
-		ugh = "our client delegation depends on our missing " RRNAME " record";
-		for (kp = ac->keys_from_dns; kp != NULL; kp = kp->next)
+	case vos_his_client:
+		next_step = vos_done;
 		{
-		    ugh = "our client delegation depends on our " RRNAME " record, but it has the wrong public key";
-		    if (same_RSA_public_key(&pri->pub, &kp->key->u.rsa))
-		    {
-			/* do this only once a day */
-			if (!logged_txt_warning)
+			public_key_t *pub_key;
+			identification_t *p1st_keyid;
+			struct gw_info *gwp;
+		
+			/* check that the public key that authenticated
+			 * the ISAKMP SA (p1st) will do for this gateway.
+			 */
+			pub_key = p1st->st_peer_pubkey->public_key;
+			p1st_keyid = pub_key->get_id(pub_key, ID_PUBKEY_INFO_SHA1);
+
+			ugh = "peer's client does not delegate to peer";
+			for (gwp = ac->gateways_from_dns; gwp != NULL; gwp = gwp->next)
 			{
-			    loglog(RC_LOG_SERIOUS, "found KEY RR but not TXT RR. See http://www.freeswan.org/err/txt-change.html.");
-			    logged_txt_warning = TRUE;
+				ugh = "peer and its client disagree about public key";
+				/* If there is a key from the TXT record,
+				 * we count it as a win if we match the key.
+				 * If there was no key, we claim a match since
+				 * it implies fetching a KEY from the same
+				 * place we must have gotten it.
+				 */
+				if (!gwp->gw_key_present || p1st_keyid->equals(p1st_keyid,
+					 gwp->key->public_key->get_id(gwp->key->public_key,
+												  ID_PUBKEY_INFO_SHA1))
+				   )
+				{
+					ugh = NULL; /* good! */
+					break;
+				}
 			}
-			ugh = NULL;	/* good! */
-			break;
-		    }
 		}
-	    }
+		break;
+
+	default:
+		bad_case(b->step);
 	}
-	break;
-#endif /* USE_KEYRR */
 
-    case vos_his_client:
-	next_step = vos_done;
+	if (ugh != NULL)
 	{
-	    struct gw_info *gwp;
-
-	    /* check that the public key that authenticated
-	     * the ISAKMP SA (p1st) will do for this gateway.
-	     */
-
-	    ugh = "peer's client does not delegate to peer";
-	    for (gwp = ac->gateways_from_dns; gwp != NULL; gwp = gwp->next)
-	    {
-		ugh = "peer and its client disagree about public key";
-		/* If there is a key from the TXT record,
-		 * we count it as a win if we match the key.
-		 * If there was no key, we claim a match since
-		 * it implies fetching a KEY from the same
-		 * place we must have gotten it.
-		 */
-		if (!gwp->gw_key_present
-		|| same_RSA_public_key(&p1st->st_peer_pubkey->u.rsa
-		, &gwp->key->u.rsa))
-		{
-		    ugh = NULL;	/* good! */
-		    break;
-		}
-	    }
+		report_verify_failure(b, ugh);
+		next_step = vos_fail;
 	}
-	break;
-
-    default:
-	bad_case(b->step);
-    }
-
-    if (ugh != NULL)
-    {
-	report_verify_failure(b, ugh);
-	next_step = vos_fail;
-    }
-    return next_step;
+	return next_step;
 }
 
-static stf_status
-quick_inI1_outR1_tail(struct verify_oppo_bundle *b
-, struct adns_continuation *ac)
+static stf_status quick_inI1_outR1_tail(struct verify_oppo_bundle *b,
+										struct adns_continuation *ac)
 {
-    struct msg_digest *md = b->md;
-    struct state *const p1st = md->st;
-    struct connection *c = p1st->st_connection;
-    struct payload_digest *const id_pd = md->chain[ISAKMP_NEXT_ID];
-    ip_subnet *our_net = &b->my.net
-	, *his_net = &b->his.net;
-
-    u_char	/* set by START_HASH_PAYLOAD: */
-	*r_hashval,	/* where in reply to jam hash value */
-	*r_hash_start;	/* from where to start hashing */
-
-    /* Now that we have identities of client subnets, we must look for
-     * a suitable connection (our current one only matches for hosts).
-     */
-    {
-	struct connection *p = find_client_connection(c
-	    , our_net, his_net, b->my.proto, b->my.port, b->his.proto, b->his.port);
-
-	if (p == NULL)
-	{
-	    /* This message occurs in very puzzling circumstances
-	     * so we must add as much information and beauty as we can.
-	     */
-	    struct end
-		me = c->spd.this,
-		he = c->spd.that;
-	    char buf[2*SUBNETTOT_BUF + 2*ADDRTOT_BUF + 2*BUF_LEN + 2*ADDRTOT_BUF + 12]; /* + 12 for separating */
-	    size_t l;
-
-	    me.client = *our_net;
-	    me.has_client = !subnetisaddr(our_net, &me.host_addr);
-	    me.protocol = b->my.proto;
-	    me.port = b->my.port;
-
-	    he.client = *his_net;
-	    he.has_client = !subnetisaddr(his_net, &he.host_addr);
-	    he.protocol = b->his.proto;
-	    he.port = b->his.port;
-
-	    l = format_end(buf, sizeof(buf), &me, NULL, TRUE, LEMPTY);
-	    l += snprintf(buf + l, sizeof(buf) - l, "...");
-	    (void)format_end(buf + l, sizeof(buf) - l, &he, NULL, FALSE, LEMPTY);
-	    plog("cannot respond to IPsec SA request"
-		" because no connection is known for %s"
-		, buf);
-	    return STF_FAIL + INVALID_ID_INFORMATION;
-	}
-	else if (p != c)
-	{
-	    /* We've got a better connection: it can support the
-	     * specified clients.  But it may need instantiation.
-	     */
-	    if (p->kind == CK_TEMPLATE)
-	    {
-		/* Yup, it needs instantiation.  How much?
-		 * Is it a Road Warrior connection (simple)
-		 * or is it an Opportunistic connection (needing gw validation)?
-		 */
-		if (p->policy & POLICY_OPPO)
-		{
-		    /* Opportunistic case: delegation must be verified.
-		     * Here be dragons.
-		     */
-		    enum verify_oppo_step next_step;
-		    ip_address our_client, his_client;
-
-		    passert(subnetishost(our_net) && subnetishost(his_net));
-		    networkof(our_net, &our_client);
-		    networkof(his_net, &his_client);
-
-		    next_step = quick_inI1_outR1_process_answer(b, ac, p1st);
-		    if (next_step == vos_fail)
-			return STF_FAIL + INVALID_ID_INFORMATION;
+	struct msg_digest *md = b->md;
+	struct state *const p1st = md->st;
+	struct connection *c = p1st->st_connection;
+	struct payload_digest *const id_pd = md->chain[ISAKMP_NEXT_ID];
+	ip_subnet *our_net = &b->my.net
+		, *his_net = &b->his.net;
 
-		    /* short circuit: if peer's client is self,
-		     * accept that we've verified delegation in Phase 1
-		     */
-		    if (next_step == vos_his_client
-		    && sameaddr(&c->spd.that.host_addr, &his_client))
-			next_step = vos_done;
+	u_char      /* set by START_HASH_PAYLOAD: */
+		*r_hashval,     /* where in reply to jam hash value */
+		*r_hash_start;  /* from where to start hashing */
 
-		    /* the second chunk: initiate the next DNS query (if any) */
-		    DBG(DBG_CONTROL,
-			{
-			    char ours[SUBNETTOT_BUF];
-			    char his[SUBNETTOT_BUF];
-
-			    subnettot(&c->spd.this.client, 0, ours, sizeof(ours));
-			    subnettot(&c->spd.that.client, 0, his, sizeof(his));
-
-			    DBG_log("responding on demand from %s to %s new state: %s"
-				    , ours, his, verify_step_name[next_step]);
-			});
-
-		    /* start next DNS query and suspend (if necessary) */
-		    if (next_step != vos_done)
-			return quick_inI1_outR1_start_query(b, next_step);
-
-		    /* Instantiate inbound Opportunistic connection,
-		     * carrying over authenticated peer ID
-		     * and filling in a few more details.
-		     * We used to include gateways_from_dns, but that
-		     * seems pointless at this stage of negotiation.
-		     * We should record DNS sec use, if any -- belongs in
-		     * state during perhaps.
-		     */
-		    p = oppo_instantiate(p, &c->spd.that.host_addr, &c->spd.that.id
-			, NULL, &our_client, &his_client);
-		}
-		else
+	/* Now that we have identities of client subnets, we must look for
+	 * a suitable connection (our current one only matches for hosts).
+	 */
+	{
+		struct connection *p = find_client_connection(c
+			, our_net, his_net, b->my.proto, b->my.port, b->his.proto, b->his.port);
+
+		if (p == NULL)
 		{
-		    /* Plain Road Warrior:
-		     * instantiate, carrying over authenticated peer ID
-		     */
-		    p = rw_instantiate(p, &c->spd.that.host_addr, md->sender_port
-				, his_net, &c->spd.that.id);
+			/* This message occurs in very puzzling circumstances
+			 * so we must add as much information and beauty as we can.
+			 */
+			struct end
+				me = c->spd.this,
+				he = c->spd.that;
+			char buf[2*SUBNETTOT_BUF + 2*ADDRTOT_BUF + 2*BUF_LEN + 2*ADDRTOT_BUF + 12]; /* + 12 for separating */
+			size_t l;
+
+			me.client = *our_net;
+			me.has_client = !subnetisaddr(our_net, &me.host_addr);
+			me.protocol = b->my.proto;
+			me.port = b->my.port;
+
+			he.client = *his_net;
+			he.has_client = !subnetisaddr(his_net, &he.host_addr);
+			he.protocol = b->his.proto;
+			he.port = b->his.port;
+
+			l = format_end(buf, sizeof(buf), &me, NULL, TRUE, LEMPTY);
+			l += snprintf(buf + l, sizeof(buf) - l, "...");
+			(void)format_end(buf + l, sizeof(buf) - l, &he, NULL, FALSE, LEMPTY);
+			plog("cannot respond to IPsec SA request"
+				" because no connection is known for %s"
+				, buf);
+			return STF_FAIL + INVALID_ID_INFORMATION;
 		}
-	    }
+		else if (p != c)
+		{
+			/* We've got a better connection: it can support the
+			 * specified clients.  But it may need instantiation.
+			 */
+			if (p->kind == CK_TEMPLATE)
+			{
+				/* Yup, it needs instantiation.  How much?
+				 * Is it a Road Warrior connection (simple)
+				 * or is it an Opportunistic connection (needing gw validation)?
+				 */
+				if (p->policy & POLICY_OPPO)
+				{
+					/* Opportunistic case: delegation must be verified.
+					 * Here be dragons.
+					 */
+					enum verify_oppo_step next_step;
+					ip_address our_client, his_client;
+
+					passert(subnetishost(our_net) && subnetishost(his_net));
+					networkof(our_net, &our_client);
+					networkof(his_net, &his_client);
+
+					next_step = quick_inI1_outR1_process_answer(b, ac, p1st);
+					if (next_step == vos_fail)
+						return STF_FAIL + INVALID_ID_INFORMATION;
+
+					/* short circuit: if peer's client is self,
+					 * accept that we've verified delegation in Phase 1
+					 */
+					if (next_step == vos_his_client
+					&& sameaddr(&c->spd.that.host_addr, &his_client))
+						next_step = vos_done;
+
+					/* the second chunk: initiate the next DNS query (if any) */
+					DBG(DBG_CONTROL,
+						{
+							char ours[SUBNETTOT_BUF];
+							char his[SUBNETTOT_BUF];
+
+							subnettot(&c->spd.this.client, 0, ours, sizeof(ours));
+							subnettot(&c->spd.that.client, 0, his, sizeof(his));
+
+							DBG_log("responding on demand from %s to %s new state: %s"
+									, ours, his, verify_step_name[next_step]);
+						});
+
+					/* start next DNS query and suspend (if necessary) */
+					if (next_step != vos_done)
+						return quick_inI1_outR1_start_query(b, next_step);
+
+					/* Instantiate inbound Opportunistic connection,
+					 * carrying over authenticated peer ID
+					 * and filling in a few more details.
+					 * We used to include gateways_from_dns, but that
+					 * seems pointless at this stage of negotiation.
+					 * We should record DNS sec use, if any -- belongs in
+					 * state during perhaps.
+					 */
+					p = oppo_instantiate(p, &c->spd.that.host_addr, &c->spd.that.id
+						, NULL, &our_client, &his_client);
+				}
+				else
+				{
+					/* Plain Road Warrior:
+					 * instantiate, carrying over authenticated peer ID
+					 */
+					p = rw_instantiate(p, &c->spd.that.host_addr, md->sender_port
+								, his_net, &c->spd.that.id);
+				}
+			}
 #ifdef DEBUG
-	    /* temporarily bump up cur_debugging to get "using..." message
-	     * printed if we'd want it with new connection.
-	     */
-	    {
-		lset_t old_cur_debugging = cur_debugging;
-
-		cur_debugging |= p->extra_debugging;
-		DBG(DBG_CONTROL, DBG_log("using connection \"%s\"", p->name));
-		cur_debugging = old_cur_debugging;
-	    }
+			/* temporarily bump up cur_debugging to get "using..." message
+			 * printed if we'd want it with new connection.
+			 */
+			{
+				lset_t old_cur_debugging = cur_debugging;
+
+				cur_debugging |= p->extra_debugging;
+				DBG(DBG_CONTROL, DBG_log("using connection \"%s\"", p->name));
+				cur_debugging = old_cur_debugging;
+			}
 #endif
-	    c = p;
-	}
-	/* fill in the client's true ip address/subnet */
-	if (p->spd.that.has_client_wildcard)
-	{
-	    p->spd.that.client = *his_net;
-	    p->spd.that.has_client_wildcard = FALSE;
-	}
-	else if (is_virtual_connection(c))
-	{
-	    c->spd.that.client = *his_net;
-	    c->spd.that.virt = NULL;
-	    if (subnetishost(his_net) && addrinsubnet(&c->spd.that.host_addr, his_net))
-		c->spd.that.has_client = FALSE;
-	}
+			c = p;
+		}
+		/* fill in the client's true ip address/subnet */
+		if (p->spd.that.has_client_wildcard)
+		{
+			p->spd.that.client = *his_net;
+			p->spd.that.has_client_wildcard = FALSE;
+		}
+		else if (is_virtual_connection(c))
+		{
+			c->spd.that.client = *his_net;
+			c->spd.that.virt = NULL;
+			if (subnetishost(his_net) && addrinsubnet(&c->spd.that.host_addr, his_net))
+				c->spd.that.has_client = FALSE;
+		}
 
-	/* fill in the client's true port */
-	if (p->spd.that.has_port_wildcard)
-	{
-	    int port = htons(b->his.port);
+		/* fill in the client's true port */
+		if (p->spd.that.has_port_wildcard)
+		{
+			int port = htons(b->his.port);
 
-	    setportof(port, &p->spd.that.host_addr);
-	    setportof(port, &p->spd.that.client.addr);
+			setportof(port, &p->spd.that.host_addr);
+			setportof(port, &p->spd.that.client.addr);
 
-	    p->spd.that.port = b->his.port;
-	    p->spd.that.has_port_wildcard = FALSE;
+			p->spd.that.port = b->his.port;
+			p->spd.that.has_port_wildcard = FALSE;
+		}
 	}
-    }
-
-    /* now that we are sure of our connection, create our new state */
-    {
-	struct state *const st = duplicate_state(p1st);
-
-	/* first: fill in missing bits of our new state object
-	 * note: we don't copy over st_peer_pubkey, the public key
-	 * that authenticated the ISAKMP SA.  We only need it in this
-	 * routine, so we can "reach back" to p1st to get it.
-	 */
 
-	if (st->st_connection != c)
+	/* now that we are sure of our connection, create our new state */
 	{
-	    struct connection *t = st->st_connection;
+		struct state *const st = duplicate_state(p1st);
 
-	    st->st_connection = c;
-	    set_cur_connection(c);
-	    connection_discard(t);
-	}
+		/* first: fill in missing bits of our new state object
+		 * note: we don't copy over st_peer_pubkey, the public key
+		 * that authenticated the ISAKMP SA.  We only need it in this
+		 * routine, so we can "reach back" to p1st to get it.
+		 */
 
-	st->st_try = 0;	/* not our job to try again from start */
+		if (st->st_connection != c)
+		{
+			struct connection *t = st->st_connection;
 
-	st->st_msgid = md->hdr.isa_msgid;
+			st->st_connection = c;
+			set_cur_connection(c);
+			connection_discard(t);
+		}
 
-	st->st_new_iv_len = b->new_iv_len;
-	memcpy(st->st_new_iv, b->new_iv, b->new_iv_len);
+		st->st_try = 0; /* not our job to try again from start */
 
-	set_cur_state(st);	/* (caller will reset) */
-	md->st = st;	/* feed back new state */
+		st->st_msgid = md->hdr.isa_msgid;
 
-	st->st_peeruserprotoid = b->his.proto;
-	st->st_peeruserport = b->his.port;
-	st->st_myuserprotoid = b->my.proto;
-	st->st_myuserport = b->my.port;
+		st->st_new_iv_len = b->new_iv_len;
+		memcpy(st->st_new_iv, b->new_iv, b->new_iv_len);
 
-	insert_state(st);	/* needs cookies, connection, and msgid */
+		set_cur_state(st);      /* (caller will reset) */
+		md->st = st;    /* feed back new state */
 
-	/* copy the connection's
-	 * IPSEC policy into our state.  The ISAKMP policy is water under
-	 * the bridge, I think.  It will reflect the ISAKMP SA that we
-	 * are using.
-	 */
-	st->st_policy = (p1st->st_policy & POLICY_ISAKMP_MASK)
-	    | (c->policy & ~POLICY_ISAKMP_MASK);
+		st->st_peeruserprotoid = b->his.proto;
+		st->st_peeruserport = b->his.port;
+		st->st_myuserprotoid = b->my.proto;
+		st->st_myuserport = b->my.port;
 
-	if (p1st->nat_traversal & NAT_T_DETECTED)
-	{
-	    st->nat_traversal = p1st->nat_traversal;
-	    nat_traversal_change_port_lookup(md, md->st);
-	}
-	else
-	{
-	    st->nat_traversal = 0;
-	}
-	if ((st->nat_traversal & NAT_T_DETECTED)
-	&&  (st->nat_traversal & NAT_T_WITH_NATOA))
-	{
-	    nat_traversal_natoa_lookup(md);
-	}
+		insert_state(st);       /* needs cookies, connection, and msgid */
 
-	/* Start the output packet.
-	 *
-	 * proccess_packet() would automatically generate the HDR*
-	 * payload if smc->first_out_payload is not ISAKMP_NEXT_NONE.
-	 * We don't do this because we wish there to be no partially
-	 * built output packet if we need to suspend for asynch DNS.
-	 *
-	 * We build the reply packet as we parse the message since
-	 * the parse_ipsec_sa_body emits the reply SA
-	 */
+		/* copy the connection's
+		 * IPSEC policy into our state.  The ISAKMP policy is water under
+		 * the bridge, I think.  It will reflect the ISAKMP SA that we
+		 * are using.
+		 */
+		st->st_policy = (p1st->st_policy & POLICY_ISAKMP_MASK)
+			| (c->policy & ~POLICY_ISAKMP_MASK);
 
-	/* HDR* out */
-	echo_hdr(md, TRUE, ISAKMP_NEXT_HASH);
+		if (p1st->nat_traversal & NAT_T_DETECTED)
+		{
+			st->nat_traversal = p1st->nat_traversal;
+			nat_traversal_change_port_lookup(md, md->st);
+		}
+		else
+		{
+			st->nat_traversal = 0;
+		}
+		if ((st->nat_traversal & NAT_T_DETECTED)
+		&&  (st->nat_traversal & NAT_T_WITH_NATOA))
+		{
+			nat_traversal_natoa_lookup(md);
+		}
 
-	/* HASH(2) out -- first pass */
-	START_HASH_PAYLOAD(md->rbody, ISAKMP_NEXT_SA);
+		/* Start the output packet.
+		 *
+		 * proccess_packet() would automatically generate the HDR*
+		 * payload if smc->first_out_payload is not ISAKMP_NEXT_NONE.
+		 * We don't do this because we wish there to be no partially
+		 * built output packet if we need to suspend for asynch DNS.
+		 *
+		 * We build the reply packet as we parse the message since
+		 * the parse_ipsec_sa_body emits the reply SA
+		 */
 
-	/* process SA (in and out) */
-	{
-	    struct payload_digest *const sapd = md->chain[ISAKMP_NEXT_SA];
-	    pb_stream r_sa_pbs;
-	    struct isakmp_sa sa = sapd->payload.sa;
+		/* HDR* out */
+		echo_hdr(md, TRUE, ISAKMP_NEXT_HASH);
 
-	    /* sa header is unchanged -- except for np */
-	    sa.isasa_np = ISAKMP_NEXT_NONCE;
-	    if (!out_struct(&sa, &isakmp_sa_desc, &md->rbody, &r_sa_pbs))
-		return STF_INTERNAL_ERROR;
+		/* HASH(2) out -- first pass */
+		START_HASH_PAYLOAD(md->rbody, ISAKMP_NEXT_SA);
 
-	    /* parse and accept body */
-	    st->st_pfs_group = &unset_group;
-	    RETURN_STF_FAILURE(parse_ipsec_sa_body(&sapd->pbs
-		    , &sapd->payload.sa, &r_sa_pbs, FALSE, st));
-	}
+		/* process SA (in and out) */
+		{
+			struct payload_digest *const sapd = md->chain[ISAKMP_NEXT_SA];
+			pb_stream r_sa_pbs;
+			struct isakmp_sa sa = sapd->payload.sa;
+
+			/* sa header is unchanged -- except for np */
+			sa.isasa_np = ISAKMP_NEXT_NONCE;
+			if (!out_struct(&sa, &isakmp_sa_desc, &md->rbody, &r_sa_pbs))
+				return STF_INTERNAL_ERROR;
+
+			/* parse and accept body */
+			st->st_pfs_group = &unset_group;
+			RETURN_STF_FAILURE(parse_ipsec_sa_body(&sapd->pbs
+					, &sapd->payload.sa, &r_sa_pbs, FALSE, st));
+		}
 
-	passert(st->st_pfs_group != &unset_group);
+		passert(st->st_pfs_group != &unset_group);
 
-	if ((st->st_policy & POLICY_PFS) && st->st_pfs_group == NULL)
-	{
-	    loglog(RC_LOG_SERIOUS, "we require PFS but Quick I1 SA specifies no GROUP_DESCRIPTION");
-	    return STF_FAIL + NO_PROPOSAL_CHOSEN;	/* ??? */
-	}
+		if ((st->st_policy & POLICY_PFS) && st->st_pfs_group == NULL)
+		{
+			loglog(RC_LOG_SERIOUS, "we require PFS but Quick I1 SA specifies no GROUP_DESCRIPTION");
+			return STF_FAIL + NO_PROPOSAL_CHOSEN;       /* ??? */
+		}
 
-	/* Ni in */
-	RETURN_STF_FAILURE(accept_nonce(md, &st->st_ni, "Ni"));
+		/* Ni in */
+		RETURN_STF_FAILURE(accept_nonce(md, &st->st_ni, "Ni"));
 
-	/* [ KE ] in (for PFS) */
-	RETURN_STF_FAILURE(accept_PFS_KE(md, &st->st_gi, "Gi", "Quick Mode I1"));
+		/* [ KE ] in (for PFS) */
+		RETURN_STF_FAILURE(accept_PFS_KE(md, &st->st_gi, "Gi", "Quick Mode I1"));
 
-	plog("responding to Quick Mode");
+		plog("responding to Quick Mode");
 
-	/**** finish reply packet: Nr [, KE ] [, IDci, IDcr ] ****/
+		/**** finish reply packet: Nr [, KE ] [, IDci, IDcr ] ****/
 
-	/* Nr out */
-	if (!build_and_ship_nonce(&st->st_nr, &md->rbody
-	, st->st_pfs_group != NULL? ISAKMP_NEXT_KE : id_pd != NULL? ISAKMP_NEXT_ID : ISAKMP_NEXT_NONE
-	, "Nr"))
-	    return STF_INTERNAL_ERROR;
+		/* Nr out */
+		if (!build_and_ship_nonce(&st->st_nr, &md->rbody
+		, st->st_pfs_group != NULL? ISAKMP_NEXT_KE : id_pd != NULL? ISAKMP_NEXT_ID : ISAKMP_NEXT_NONE
+		, "Nr"))
+			return STF_INTERNAL_ERROR;
 
-	/* [ KE ] out (for PFS) */
+		/* [ KE ] out (for PFS) */
 
-	if (st->st_pfs_group != NULL)
-	{
-	    if (!build_and_ship_KE(st, &st->st_gr, st->st_pfs_group
-	    , &md->rbody, id_pd != NULL? ISAKMP_NEXT_ID : ISAKMP_NEXT_NONE))
-		    return STF_INTERNAL_ERROR;
+		if (st->st_pfs_group != NULL)
+		{
+			if (!build_and_ship_KE(st, &st->st_gr, st->st_pfs_group
+			, &md->rbody, id_pd != NULL? ISAKMP_NEXT_ID : ISAKMP_NEXT_NONE))
+					return STF_INTERNAL_ERROR;
 
-	    /* MPZ-Operations might be done after sending the packet... */
-	    compute_dh_shared(st, st->st_gi, st->st_pfs_group);
-	}
+			/* MPZ-Operations might be done after sending the packet... */
+			compute_dh_shared(st, st->st_gi);
+		}
 
-	/* [ IDci, IDcr ] out */
-	if  (id_pd != NULL)
-	{
-	    struct isakmp_ipsec_id *p = (void *)md->rbody.cur;	/* UGH! */
+		/* [ IDci, IDcr ] out */
+		if  (id_pd != NULL)
+		{
+			struct isakmp_ipsec_id *p = (void *)md->rbody.cur;  /* UGH! */
 
-	    if (!out_raw(id_pd->pbs.start, pbs_room(&id_pd->pbs), &md->rbody, "IDci"))
-		return STF_INTERNAL_ERROR;
-	    p->isaiid_np = ISAKMP_NEXT_ID;
+			if (!out_raw(id_pd->pbs.start, pbs_room(&id_pd->pbs), &md->rbody, "IDci"))
+				return STF_INTERNAL_ERROR;
+			p->isaiid_np = ISAKMP_NEXT_ID;
 
-	    p = (void *)md->rbody.cur;	/* UGH! */
+			p = (void *)md->rbody.cur;  /* UGH! */
 
-	    if (!out_raw(id_pd->next->pbs.start, pbs_room(&id_pd->next->pbs), &md->rbody, "IDcr"))
-		return STF_INTERNAL_ERROR;
-	    p->isaiid_np = ISAKMP_NEXT_NONE;
-	}
+			if (!out_raw(id_pd->next->pbs.start, pbs_room(&id_pd->next->pbs), &md->rbody, "IDcr"))
+				return STF_INTERNAL_ERROR;
+			p->isaiid_np = ISAKMP_NEXT_NONE;
+		}
 
-	if ((st->nat_traversal & NAT_T_WITH_NATOA)
-	&& (st->nat_traversal & LELEM(NAT_TRAVERSAL_NAT_BHND_ME))
-	&& (st->st_esp.attrs.encapsulation == ENCAPSULATION_MODE_TRANSPORT))
-	{
-	    /** Send NAT-OA if our address is NATed and if we use Transport Mode */
-	    if (!nat_traversal_add_natoa(ISAKMP_NEXT_NONE, &md->rbody, md->st))
-	    {
-		return STF_INTERNAL_ERROR;
-	    }
-	}
-	if ((st->nat_traversal & NAT_T_DETECTED)
-	&& (st->st_esp.attrs.encapsulation == ENCAPSULATION_MODE_TRANSPORT)
-	&& (c->spd.that.has_client))
-	{
-	    /** Remove client **/
-	    addrtosubnet(&c->spd.that.host_addr, &c->spd.that.client);
-	    c->spd.that.has_client = FALSE;
-	}
+		if ((st->nat_traversal & NAT_T_WITH_NATOA)
+		&& (st->nat_traversal & LELEM(NAT_TRAVERSAL_NAT_BHND_ME))
+		&& (st->st_esp.attrs.encapsulation == ENCAPSULATION_MODE_TRANSPORT))
+		{
+			/** Send NAT-OA if our address is NATed and if we use Transport Mode */
+			if (!nat_traversal_add_natoa(ISAKMP_NEXT_NONE, &md->rbody, md->st))
+			{
+				return STF_INTERNAL_ERROR;
+			}
+		}
+		if ((st->nat_traversal & NAT_T_DETECTED)
+		&& (st->st_esp.attrs.encapsulation == ENCAPSULATION_MODE_TRANSPORT)
+		&& (c->spd.that.has_client))
+		{
+			/** Remove client **/
+			addrtosubnet(&c->spd.that.host_addr, &c->spd.that.client);
+			c->spd.that.has_client = FALSE;
+		}
 
-	/* Compute reply HASH(2) and insert in output */
-	(void)quick_mode_hash12(r_hashval, r_hash_start, md->rbody.cur
-	    , st, &st->st_msgid, TRUE);
+		/* Compute reply HASH(2) and insert in output */
+		(void)quick_mode_hash12(r_hashval, r_hash_start, md->rbody.cur
+			, st, &st->st_msgid, TRUE);
 
-	/* Derive new keying material */
-	compute_keymats(st);
+		/* Derive new keying material */
+		compute_keymats(st);
 
-	/* Tell the kernel to establish the new inbound SA
-	 * (unless the commit bit is set -- which we don't support).
-	 * We do this before any state updating so that
-	 * failure won't look like success.
-	 */
-	if (!install_inbound_ipsec_sa(st))
-	    return STF_INTERNAL_ERROR;	/* ??? we may be partly committed */
+		/* Tell the kernel to establish the new inbound SA
+		 * (unless the commit bit is set -- which we don't support).
+		 * We do this before any state updating so that
+		 * failure won't look like success.
+		 */
+		if (!install_inbound_ipsec_sa(st))
+			return STF_INTERNAL_ERROR;  /* ??? we may be partly committed */
 
-	/* encrypt message, except for fixed part of header */
+		/* encrypt message, except for fixed part of header */
 
-	if (!encrypt_message(&md->rbody, st))
-	    return STF_INTERNAL_ERROR;	/* ??? we may be partly committed */
+		if (!encrypt_message(&md->rbody, st))
+			return STF_INTERNAL_ERROR;  /* ??? we may be partly committed */
 
-	return STF_OK;
-    }
+		return STF_OK;
+	}
 }
 
 /*
  * Initialize RFC 3706 Dead Peer Detection
  */
-static void
-dpd_init(struct state *st)
+static void dpd_init(struct state *st)
 {
-    struct state *p1st = find_state(st->st_icookie, st->st_rcookie
-				, &st->st_connection->spd.that.host_addr, 0);
-    
-    if (p1st == NULL)
-	loglog(RC_LOG_SERIOUS, "could not find phase 1 state for DPD");
-    else if (p1st->st_dpd)
-    {
-	plog("Dead Peer Detection (RFC 3706) enabled");
-	/* randomize the first DPD event */
-        
-	event_schedule(EVENT_DPD
-	    , (0.5 + rand()/(RAND_MAX + 1.E0)) * st->st_connection->dpd_delay
-	    , st);
-    }
+	struct state *p1st = find_state(st->st_icookie, st->st_rcookie
+								, &st->st_connection->spd.that.host_addr, 0);
+	
+	if (p1st == NULL)
+		loglog(RC_LOG_SERIOUS, "could not find phase 1 state for DPD");
+	else if (p1st->st_dpd)
+	{
+		plog("Dead Peer Detection (RFC 3706) enabled");
+		/* randomize the first DPD event */
+		
+		event_schedule(EVENT_DPD
+			, (0.5 + rand()/(RAND_MAX + 1.E0)) * st->st_connection->dpd_delay
+			, st);
+	}
 }
 
 /* Handle (the single) message from Responder in Quick Mode.
@@ -5043,152 +4910,151 @@ dpd_init(struct state *st)
  * (see RFC 2409 "IKE" 5.5)
  * Installs inbound and outbound IPsec SAs, routing, etc.
  */
-stf_status
-quick_inR1_outI2(struct msg_digest *md)
+stf_status quick_inR1_outI2(struct msg_digest *md)
 {
-    struct state *const st = md->st;
-    const struct connection *c = st->st_connection;
-
-    /* HASH(2) in */
-    CHECK_QUICK_HASH(md
-	, quick_mode_hash12(hash_val, hash_pbs->roof, md->message_pbs.roof
-	    , st, &st->st_msgid, TRUE)
-	, "HASH(2)", "Quick R1");
+	struct state *const st = md->st;
+	const struct connection *c = st->st_connection;
 
-    /* SA in */
-    {
-	struct payload_digest *const sa_pd = md->chain[ISAKMP_NEXT_SA];
+	/* HASH(2) in */
+	CHECK_QUICK_HASH(md
+		, quick_mode_hash12(hash_val, hash_pbs->roof, md->message_pbs.roof
+			, st, &st->st_msgid, TRUE)
+		, "HASH(2)", "Quick R1");
 
-	RETURN_STF_FAILURE(parse_ipsec_sa_body(&sa_pd->pbs
-	    , &sa_pd->payload.sa, NULL, TRUE, st));
-    }
+	/* SA in */
+	{
+		struct payload_digest *const sa_pd = md->chain[ISAKMP_NEXT_SA];
 
-    /* Nr in */
-    RETURN_STF_FAILURE(accept_nonce(md, &st->st_nr, "Nr"));
+		RETURN_STF_FAILURE(parse_ipsec_sa_body(&sa_pd->pbs
+			, &sa_pd->payload.sa, NULL, TRUE, st));
+	}
 
-    /* [ KE ] in (for PFS) */
-    RETURN_STF_FAILURE(accept_PFS_KE(md, &st->st_gr, "Gr", "Quick Mode R1"));
+	/* Nr in */
+	RETURN_STF_FAILURE(accept_nonce(md, &st->st_nr, "Nr"));
 
-    if (st->st_pfs_group != NULL)
-	compute_dh_shared(st, st->st_gr, st->st_pfs_group);
+	/* [ KE ] in (for PFS) */
+	RETURN_STF_FAILURE(accept_PFS_KE(md, &st->st_gr, "Gr", "Quick Mode R1"));
 
-    /* [ IDci, IDcr ] in; these must match what we sent */
+	if (st->st_pfs_group != NULL)
+		compute_dh_shared(st, st->st_gr);
 
-    {
-	struct payload_digest *const id_pd = md->chain[ISAKMP_NEXT_ID];
+	/* [ IDci, IDcr ] in; these must match what we sent */
 
-	if (id_pd != NULL)
 	{
-	    /* ??? we are assuming IPSEC_DOI */
+		struct payload_digest *const id_pd = md->chain[ISAKMP_NEXT_ID];
+
+		if (id_pd != NULL)
+		{
+			/* ??? we are assuming IPSEC_DOI */
 
-	    /* IDci (we are initiator) */
+			/* IDci (we are initiator) */
 
-	    if (!check_net_id(&id_pd->payload.ipsec_id, &id_pd->pbs
-	    , &st->st_myuserprotoid, &st->st_myuserport
-	    , &st->st_connection->spd.this.client
-	    , "our client"))
-		return STF_FAIL + INVALID_ID_INFORMATION;
+			if (!check_net_id(&id_pd->payload.ipsec_id, &id_pd->pbs
+			, &st->st_myuserprotoid, &st->st_myuserport
+			, &st->st_connection->spd.this.client
+			, "our client"))
+				return STF_FAIL + INVALID_ID_INFORMATION;
 
-	    /* IDcr (responder is peer) */
+			/* IDcr (responder is peer) */
 
-	    if (!check_net_id(&id_pd->next->payload.ipsec_id, &id_pd->next->pbs
-	    , &st->st_peeruserprotoid, &st->st_peeruserport
-	    , &st->st_connection->spd.that.client
-	    , "peer client"))
-		return STF_FAIL + INVALID_ID_INFORMATION;
-	}
-	else
-	{
-	    /* no IDci, IDcr: we must check that the defaults match our proposal */
-	    if (!subnetisaddr(&c->spd.this.client, &c->spd.this.host_addr)
-	    || !subnetisaddr(&c->spd.that.client, &c->spd.that.host_addr))
-	    {
-		loglog(RC_LOG_SERIOUS, "IDci, IDcr payloads missing in message"
-		    " but default does not match proposal");
-		return STF_FAIL + INVALID_ID_INFORMATION;
-	    }
+			if (!check_net_id(&id_pd->next->payload.ipsec_id, &id_pd->next->pbs
+			, &st->st_peeruserprotoid, &st->st_peeruserport
+			, &st->st_connection->spd.that.client
+			, "peer client"))
+				return STF_FAIL + INVALID_ID_INFORMATION;
+		}
+		else
+		{
+			/* no IDci, IDcr: we must check that the defaults match our proposal */
+			if (!subnetisaddr(&c->spd.this.client, &c->spd.this.host_addr)
+			|| !subnetisaddr(&c->spd.that.client, &c->spd.that.host_addr))
+			{
+				loglog(RC_LOG_SERIOUS, "IDci, IDcr payloads missing in message"
+					" but default does not match proposal");
+				return STF_FAIL + INVALID_ID_INFORMATION;
+			}
+		}
 	}
-    }
 
-    /* check the peer's group attributes */
-    
-    {
-	const ietfAttrList_t *peer_list = NULL;
+	/* check the peer's group attributes */
 	
-	get_peer_ca_and_groups(st->st_connection, &peer_list);
-
-	if (!group_membership(peer_list, st->st_connection->name
-		, st->st_connection->spd.that.groups))
 	{
-	    char buf[BUF_LEN];
+		const ietfAttrList_t *peer_list = NULL;
+		
+		get_peer_ca_and_groups(st->st_connection, &peer_list);
 
-	    format_groups(st->st_connection->spd.that.groups, buf, BUF_LEN);
-	    loglog(RC_LOG_SERIOUS, "peer is not member of one of the groups: %s"
-		, buf);
-	    return STF_FAIL + INVALID_ID_INFORMATION;
-	}
-    }
+		if (!group_membership(peer_list, st->st_connection->name
+				, st->st_connection->spd.that.groups))
+		{
+			char buf[BUF_LEN];
 
-	if ((st->nat_traversal & NAT_T_DETECTED)
-	&&  (st->nat_traversal & NAT_T_WITH_NATOA))
-	{
-	    nat_traversal_natoa_lookup(md);
+			format_groups(st->st_connection->spd.that.groups, buf, BUF_LEN);
+			loglog(RC_LOG_SERIOUS, "peer is not member of one of the groups: %s"
+				, buf);
+			return STF_FAIL + INVALID_ID_INFORMATION;
+		}
 	}
 
-    /* ??? We used to copy the accepted proposal into the state, but it was
-     * never used.  From sa_pd->pbs.start, length pbs_room(&sa_pd->pbs).
-     */
+		if ((st->nat_traversal & NAT_T_DETECTED)
+		&&  (st->nat_traversal & NAT_T_WITH_NATOA))
+		{
+			nat_traversal_natoa_lookup(md);
+		}
+
+	/* ??? We used to copy the accepted proposal into the state, but it was
+	 * never used.  From sa_pd->pbs.start, length pbs_room(&sa_pd->pbs).
+	 */
 
-    /**************** build reply packet HDR*, HASH(3) ****************/
+	/**************** build reply packet HDR*, HASH(3) ****************/
 
-    /* HDR* out done */
+	/* HDR* out done */
 
-    /* HASH(3) out -- since this is the only content, no passes needed */
-    {
-	u_char	/* set by START_HASH_PAYLOAD: */
-	    *r_hashval,	/* where in reply to jam hash value */
-	    *r_hash_start;	/* start of what is to be hashed */
+	/* HASH(3) out -- since this is the only content, no passes needed */
+	{
+		u_char  /* set by START_HASH_PAYLOAD: */
+			*r_hashval, /* where in reply to jam hash value */
+			*r_hash_start;      /* start of what is to be hashed */
 
-	START_HASH_PAYLOAD(md->rbody, ISAKMP_NEXT_NONE);
-	(void)quick_mode_hash3(r_hashval, st);
-    }
+		START_HASH_PAYLOAD(md->rbody, ISAKMP_NEXT_NONE);
+		(void)quick_mode_hash3(r_hashval, st);
+	}
 
-    /* Derive new keying material */
-    compute_keymats(st);
+	/* Derive new keying material */
+	compute_keymats(st);
 
-    /* Tell the kernel to establish the inbound, outbound, and routing part
-     * of the new SA (unless the commit bit is set -- which we don't support).
-     * We do this before any state updating so that
-     * failure won't look like success.
-     */
-    if (!install_ipsec_sa(st, TRUE))
-	return STF_INTERNAL_ERROR;
+	/* Tell the kernel to establish the inbound, outbound, and routing part
+	 * of the new SA (unless the commit bit is set -- which we don't support).
+	 * We do this before any state updating so that
+	 * failure won't look like success.
+	 */
+	if (!install_ipsec_sa(st, TRUE))
+		return STF_INTERNAL_ERROR;
 
-    /* encrypt message, except for fixed part of header */
+	/* encrypt message, except for fixed part of header */
 
-    if (!encrypt_message(&md->rbody, st))
-	return STF_INTERNAL_ERROR;	/* ??? we may be partly committed */
+	if (!encrypt_message(&md->rbody, st))
+		return STF_INTERNAL_ERROR;      /* ??? we may be partly committed */
 
-    {
-      DBG(DBG_CONTROLMORE, DBG_log("inR1_outI2: instance %s[%ld], setting newest_ipsec_sa to #%ld (was #%ld) (spd.eroute=#%ld)"
-			       , st->st_connection->name
-			       , st->st_connection->instance_serial
-			       , st->st_serialno
-			       , st->st_connection->newest_ipsec_sa
-			       , st->st_connection->spd.eroute_owner));
-    }
-    
-    st->st_connection->newest_ipsec_sa = st->st_serialno;
+	{
+	  DBG(DBG_CONTROLMORE, DBG_log("inR1_outI2: instance %s[%ld], setting newest_ipsec_sa to #%ld (was #%ld) (spd.eroute=#%ld)"
+							   , st->st_connection->name
+							   , st->st_connection->instance_serial
+							   , st->st_serialno
+							   , st->st_connection->newest_ipsec_sa
+							   , st->st_connection->spd.eroute_owner));
+	}
+	
+	st->st_connection->newest_ipsec_sa = st->st_serialno;
 
-    /* note (presumed) success */
-    if (c->gw_info != NULL)
-	c->gw_info->key->last_worked_time = now();
+	/* note (presumed) success */
+	if (c->gw_info != NULL)
+		c->gw_info->key->last_worked_time = now();
 
-    /* If we want DPD on this connection then initialize it */
-    if (st->st_connection->dpd_action != DPD_ACTION_NONE)
-	dpd_init(st);
+	/* If we want DPD on this connection then initialize it */
+	if (st->st_connection->dpd_action != DPD_ACTION_NONE)
+		dpd_init(st);
 
-    return STF_OK;
+	return STF_OK;
 }
 
 /* Handle last message of Quick Mode.
@@ -5196,245 +5062,253 @@ quick_inR1_outI2(struct msg_digest *md)
  * (see RFC 2409 "IKE" 5.5)
  * Installs outbound IPsec SAs, routing, etc.
  */
-stf_status
-quick_inI2(struct msg_digest *md)
+stf_status quick_inI2(struct msg_digest *md)
 {
-    struct state *const st = md->st;
-
-    /* HASH(3) in */
-    CHECK_QUICK_HASH(md, quick_mode_hash3(hash_val, st)
-	, "HASH(3)", "Quick I2");
-
-    /* Tell the kernel to establish the outbound and routing part of the new SA
-     * (the previous state established inbound)
-     * (unless the commit bit is set -- which we don't support).
-     * We do this before any state updating so that
-     * failure won't look like success.
-     */
-    if (!install_ipsec_sa(st, FALSE))
-	return STF_INTERNAL_ERROR;
-
-    {
-      DBG(DBG_CONTROLMORE, DBG_log("inI2: instance %s[%ld], setting newest_ipsec_sa to #%ld (was #%ld) (spd.eroute=#%ld)"
-			       , st->st_connection->name
-			       , st->st_connection->instance_serial
-			       , st->st_serialno
-			       , st->st_connection->newest_ipsec_sa
-			       , st->st_connection->spd.eroute_owner));
-    }
-
-    st->st_connection->newest_ipsec_sa = st->st_serialno;
-
-    update_iv(st);	/* not actually used, but tidy */
-
-    /* note (presumed) success */
-    {
-	struct gw_info *gw = st->st_connection->gw_info;
-
-	if (gw != NULL)
-	    gw->key->last_worked_time = now();
-    }
-
-    /* If we want DPD on this connection then initialize it */
-    if (st->st_connection->dpd_action != DPD_ACTION_NONE)
-	dpd_init(st);
-
-    return STF_OK;
+	struct state *const st = md->st;
+
+	/* HASH(3) in */
+	CHECK_QUICK_HASH(md, quick_mode_hash3(hash_val, st)
+		, "HASH(3)", "Quick I2");
+
+	/* Tell the kernel to establish the outbound and routing part of the new SA
+	 * (the previous state established inbound)
+	 * (unless the commit bit is set -- which we don't support).
+	 * We do this before any state updating so that
+	 * failure won't look like success.
+	 */
+	if (!install_ipsec_sa(st, FALSE))
+		return STF_INTERNAL_ERROR;
+
+	{
+	  DBG(DBG_CONTROLMORE, DBG_log("inI2: instance %s[%ld], setting newest_ipsec_sa to #%ld (was #%ld) (spd.eroute=#%ld)"
+							   , st->st_connection->name
+							   , st->st_connection->instance_serial
+							   , st->st_serialno
+							   , st->st_connection->newest_ipsec_sa
+							   , st->st_connection->spd.eroute_owner));
+	}
+
+	st->st_connection->newest_ipsec_sa = st->st_serialno;
+
+	update_iv(st);      /* not actually used, but tidy */
+
+	/* note (presumed) success */
+	{
+		struct gw_info *gw = st->st_connection->gw_info;
+
+		if (gw != NULL)
+			gw->key->last_worked_time = now();
+	}
+
+	/* If we want DPD on this connection then initialize it */
+	if (st->st_connection->dpd_action != DPD_ACTION_NONE)
+		dpd_init(st);
+
+	return STF_OK;
 }
 
-static stf_status
-send_isakmp_notification(struct state *st, u_int16_t type
-    , const void *data, size_t len)
+static stf_status send_isakmp_notification(struct state *st, u_int16_t type,
+										   const void *data, size_t len)
 {
-    msgid_t msgid;
-    pb_stream reply;
-    pb_stream rbody;
-    u_char
-	*r_hashval,     /* where in reply to jam hash value */
-	*r_hash_start;  /* start of what is to be hashed */
-        
-    msgid = generate_msgid(st);
-    
-    init_pbs(&reply, reply_buffer, sizeof(reply_buffer), "ISAKMP notify");
-
-    /* HDR* */
-    {
-	struct isakmp_hdr hdr;
-
-        hdr.isa_version = ISAKMP_MAJOR_VERSION << ISA_MAJ_SHIFT | ISAKMP_MINOR_VERSION;
-        hdr.isa_np = ISAKMP_NEXT_HASH;
-        hdr.isa_xchg = ISAKMP_XCHG_INFO;
-        hdr.isa_msgid = msgid;
-        hdr.isa_flags = ISAKMP_FLAG_ENCRYPTION;
-        memcpy(hdr.isa_icookie, st->st_icookie, COOKIE_SIZE);
-        memcpy(hdr.isa_rcookie, st->st_rcookie, COOKIE_SIZE);
-        if (!out_struct(&hdr, &isakmp_hdr_desc, &reply, &rbody))
-            impossible();
-    }
-    /* HASH -- create and note space to be filled later */
-    START_HASH_PAYLOAD(rbody, ISAKMP_NEXT_N);
-
-    /* NOTIFY */
-    {
-        pb_stream notify_pbs;
-        struct isakmp_notification isan;
-
-        isan.isan_np = ISAKMP_NEXT_NONE;
-        isan.isan_doi = ISAKMP_DOI_IPSEC;
-        isan.isan_protoid = PROTO_ISAKMP;
-        isan.isan_spisize = COOKIE_SIZE * 2;  
-        isan.isan_type = type;
-        if (!out_struct(&isan, &isakmp_notification_desc, &rbody, &notify_pbs))
-            return STF_INTERNAL_ERROR;
-        if (!out_raw(st->st_icookie, COOKIE_SIZE, &notify_pbs, "notify icookie"))
-            return STF_INTERNAL_ERROR;  
-        if (!out_raw(st->st_rcookie, COOKIE_SIZE, &notify_pbs, "notify rcookie"))
-            return STF_INTERNAL_ERROR;  
-        if (data != NULL && len > 0)
-            if (!out_raw(data, len, &notify_pbs, "notify data"))
-                return STF_INTERNAL_ERROR;    
-        close_output_pbs(&notify_pbs);
-    }
-            
-    {
-        /* finish computing HASH */     
-        struct hmac_ctx ctx;
-        hmac_init_chunk(&ctx, st->st_oakley.hasher, st->st_skeyid_a);
-        hmac_update(&ctx, (const u_char *) &msgid, sizeof(msgid_t));
-        hmac_update(&ctx, r_hash_start, rbody.cur-r_hash_start);
-        hmac_final(r_hashval, &ctx);  
-
-        DBG(DBG_CRYPT,
-                DBG_log("HASH computed:");
-                DBG_dump("", r_hashval, ctx.hmac_digest_size));
-    }
-
-    /* Encrypt message (preserve st_iv and st_new_iv) */
-    {
-	u_char old_iv[MAX_DIGEST_LEN];
-	u_char new_iv[MAX_DIGEST_LEN];
+	msgid_t msgid;
+	pb_stream reply;
+	pb_stream rbody;
+	u_char
+		*r_hashval,     /* where in reply to jam hash value */
+		*r_hash_start;  /* start of what is to be hashed */
+		
+	msgid = generate_msgid(st);
+	
+	init_pbs(&reply, reply_buffer, sizeof(reply_buffer), "ISAKMP notify");
+
+	/* HDR* */
+	{
+		struct isakmp_hdr hdr;
+
+		hdr.isa_version = ISAKMP_MAJOR_VERSION << ISA_MAJ_SHIFT | ISAKMP_MINOR_VERSION;
+		hdr.isa_np = ISAKMP_NEXT_HASH;
+		hdr.isa_xchg = ISAKMP_XCHG_INFO;
+		hdr.isa_msgid = msgid;
+		hdr.isa_flags = ISAKMP_FLAG_ENCRYPTION;
+		memcpy(hdr.isa_icookie, st->st_icookie, COOKIE_SIZE);
+		memcpy(hdr.isa_rcookie, st->st_rcookie, COOKIE_SIZE);
+		if (!out_struct(&hdr, &isakmp_hdr_desc, &reply, &rbody))
+			impossible();
+	}
+	/* HASH -- create and note space to be filled later */
+	START_HASH_PAYLOAD(rbody, ISAKMP_NEXT_N);
 
-	u_int old_iv_len = st->st_iv_len;
-	u_int new_iv_len = st->st_new_iv_len;
+	/* NOTIFY */
+	{
+		pb_stream notify_pbs;
+		struct isakmp_notification isan;
+
+		isan.isan_np = ISAKMP_NEXT_NONE;
+		isan.isan_doi = ISAKMP_DOI_IPSEC;
+		isan.isan_protoid = PROTO_ISAKMP;
+		isan.isan_spisize = COOKIE_SIZE * 2;  
+		isan.isan_type = type;
+		if (!out_struct(&isan, &isakmp_notification_desc, &rbody, &notify_pbs))
+			return STF_INTERNAL_ERROR;
+		if (!out_raw(st->st_icookie, COOKIE_SIZE, &notify_pbs, "notify icookie"))
+			return STF_INTERNAL_ERROR;  
+		if (!out_raw(st->st_rcookie, COOKIE_SIZE, &notify_pbs, "notify rcookie"))
+			return STF_INTERNAL_ERROR;  
+		if (data != NULL && len > 0)
+			if (!out_raw(data, len, &notify_pbs, "notify data"))
+				return STF_INTERNAL_ERROR;    
+		close_output_pbs(&notify_pbs);
+	}
+			
+	{
+		/* finish computing HASH */     
+		chunk_t msgid_chunk = chunk_from_thing(msgid);
+		chunk_t msg_chunk = { r_hash_start, rbody.cur-r_hash_start };
+		pseudo_random_function_t prf_alg;
+		prf_t *prf;
+
+		prf_alg = oakley_to_prf(st->st_oakley.hash);
+		prf = lib->crypto->create_prf(lib->crypto, prf_alg);
+		prf->set_key(prf, st->st_skeyid_a);
+		prf->get_bytes(prf, msgid_chunk, NULL);
+		prf->get_bytes(prf, msg_chunk, r_hashval);
+
+		DBG(DBG_CRYPT,
+			DBG_log("HASH computed:");
+			DBG_dump("", r_hashval, prf->get_block_size(prf));
+		)
+		prf->destroy(prf);
+	}
 
-	if (old_iv_len > MAX_DIGEST_LEN || new_iv_len > MAX_DIGEST_LEN)
-	    return STF_INTERNAL_ERROR;
+	/* Encrypt message (preserve st_iv and st_new_iv) */
+	{
+		u_char old_iv[MAX_DIGEST_LEN];
+		u_char new_iv[MAX_DIGEST_LEN];
 
-	memcpy(old_iv, st->st_iv, old_iv_len);
-	memcpy(new_iv, st->st_new_iv, new_iv_len);
+		u_int old_iv_len = st->st_iv_len;
+		u_int new_iv_len = st->st_new_iv_len;
 
-	init_phase2_iv(st, &msgid);
-	if (!encrypt_message(&rbody, st))
-	    return STF_INTERNAL_ERROR;
-     
-	/* restore preserved st_iv and st_new_iv */
-	memcpy(st->st_iv, old_iv, old_iv_len);
-	memcpy(st->st_new_iv, new_iv, new_iv_len);
-	st->st_iv_len = old_iv_len;
-	st->st_new_iv_len = new_iv_len;
-    }
-
-    /* Send packet (preserve st_tpacket) */
-    {
-        chunk_t saved_tpacket = st->st_tpacket;
-
-        setchunk(st->st_tpacket, reply.start, pbs_offset(&reply));
-        send_packet(st, "ISAKMP notify");
-        st->st_tpacket = saved_tpacket;
-    }
-
-    return STF_IGNORE;
+		if (old_iv_len > MAX_DIGEST_LEN || new_iv_len > MAX_DIGEST_LEN)
+			return STF_INTERNAL_ERROR;
+
+		memcpy(old_iv, st->st_iv, old_iv_len);
+		memcpy(new_iv, st->st_new_iv, new_iv_len);
+
+		init_phase2_iv(st, &msgid);
+		if (!encrypt_message(&rbody, st))
+			return STF_INTERNAL_ERROR;
+	
+		/* restore preserved st_iv and st_new_iv */
+		memcpy(st->st_iv, old_iv, old_iv_len);
+		memcpy(st->st_new_iv, new_iv, new_iv_len);
+		st->st_iv_len = old_iv_len;
+		st->st_new_iv_len = new_iv_len;
+	}
+
+	/* Send packet (preserve st_tpacket) */
+	{
+		chunk_t saved_tpacket = st->st_tpacket;
+
+		st->st_tpacket = chunk_create(reply.start, pbs_offset(&reply));
+		send_packet(st, "ISAKMP notify");
+		st->st_tpacket = saved_tpacket;
+	}
+
+	return STF_IGNORE;
 }
 
 /*
  * DPD Out Initiator
  */
-void
-dpd_outI(struct state *p2st)
+void dpd_outI(struct state *p2st)
 {
-    struct state *st;
-    u_int32_t seqno;
-    time_t tm;
-    time_t idle_time;
-    time_t delay = p2st->st_connection->dpd_delay;
-    time_t timeout = p2st->st_connection->dpd_timeout;
-
-    /* find the newest related Phase 1 state */
-    st = find_phase1_state(p2st->st_connection, ISAKMP_SA_ESTABLISHED_STATES);
-
-    if (st == NULL)
-    {
-	loglog(RC_LOG_SERIOUS, "DPD: Could not find newest phase 1 state");
-	return;
-    }
-
-    /* If no DPD, then get out of here */
-    if (!st->st_dpd)
- 	return;
-
-    /* schedule the next periodic DPD event */
-    event_schedule(EVENT_DPD, delay, p2st);
-
-    /* Current time */
-    tm = now();
-
-    /* Make sure we really need to invoke DPD */
-    if (!was_eroute_idle(p2st, delay, &idle_time))
-    {
+	struct state *st;
+	u_int32_t seqno;
+	time_t tm;
+	time_t idle_time;
+	time_t delay = p2st->st_connection->dpd_delay;
+	time_t timeout = p2st->st_connection->dpd_timeout;
+
+	/* find the newest related Phase 1 state */
+	st = find_phase1_state(p2st->st_connection, ISAKMP_SA_ESTABLISHED_STATES);
+
+	if (st == NULL)
+	{
+		loglog(RC_LOG_SERIOUS, "DPD: Could not find newest phase 1 state");
+		return;
+	}
+
+	/* If no DPD, then get out of here */
+	if (!st->st_dpd)
+		return;
+
+	/* schedule the next periodic DPD event */
+	event_schedule(EVENT_DPD, delay, p2st);
+
+	/* Current time */
+	tm = now();
+
+	/* Make sure we really need to invoke DPD */
+	if (!was_eroute_idle(p2st, delay, &idle_time))
+	{
+		DBG(DBG_CONTROL,
+			DBG_log("recent eroute activity %u seconds ago, "
+					"no need to send DPD notification"
+				  , (int)idle_time)
+		)
+		st->st_last_dpd = tm;
+		delete_dpd_event(st);
+		return;
+	}
+
+	/* If an R_U_THERE has been sent or received recently, or if a
+	 * companion Phase 2 SA has shown eroute activity,
+	 * then we don't need to invoke DPD.
+	 */
+	if (tm < st->st_last_dpd + delay)
+	{
+		DBG(DBG_CONTROL,
+			DBG_log("recent DPD activity %u seconds ago, "
+					"no need to send DPD notification"
+				  , (int)(tm - st->st_last_dpd))
+		)
+		return;
+	}
+
+	if (!IS_ISAKMP_SA_ESTABLISHED(st->st_state))
+		return;
+
+	if (!st->st_dpd_seqno)
+	{
+		rng_t *rng;
+
+		/* Get a non-zero random value that has room to grow */
+		rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
+		rng->get_bytes(rng, sizeof(st->st_dpd_seqno), (u_char *)&st->st_dpd_seqno);
+		rng->destroy(rng);
+		st->st_dpd_seqno &= 0x7fff;
+		st->st_dpd_seqno++;
+	}
+	seqno = htonl(st->st_dpd_seqno);
+
+	if (send_isakmp_notification(st, R_U_THERE, &seqno, sizeof(seqno)) != STF_IGNORE)
+	{
+		loglog(RC_LOG_SERIOUS, "DPD: Could not send R_U_THERE");
+		return;
+	}
 	DBG(DBG_CONTROL,
-	    DBG_log("recent eroute activity %u seconds ago, "
-		    "no need to send DPD notification"
-		  , (int)idle_time)
+		DBG_log("sent DPD notification R_U_THERE with seqno = %u", st->st_dpd_seqno)
 	)
+	st->st_dpd_expectseqno = st->st_dpd_seqno++;
 	st->st_last_dpd = tm;
-	delete_dpd_event(st);
-	return;
-    }
-
-    /* If an R_U_THERE has been sent or received recently, or if a
-     * companion Phase 2 SA has shown eroute activity,
-     * then we don't need to invoke DPD.
-     */
-    if (tm < st->st_last_dpd + delay)
-    {
-	DBG(DBG_CONTROL,
-	    DBG_log("recent DPD activity %u seconds ago, "
-	    	    "no need to send DPD notification"
-		  , (int)(tm - st->st_last_dpd))
-	)
-	return;
-    }
-
-    if (!IS_ISAKMP_SA_ESTABLISHED(st->st_state))
-	return;
-
-    if (!st->st_dpd_seqno)
-    {
-	/* Get a non-zero random value that has room to grow */
-	get_rnd_bytes((u_char *)&st->st_dpd_seqno, sizeof(st->st_dpd_seqno));
-	st->st_dpd_seqno &= 0x7fff;
-	st->st_dpd_seqno++;
-    }
-    seqno = htonl(st->st_dpd_seqno);
-
-    if (send_isakmp_notification(st, R_U_THERE, &seqno, sizeof(seqno)) != STF_IGNORE)
-    {
-	loglog(RC_LOG_SERIOUS, "DPD: Could not send R_U_THERE");
-	return;
-    }
-    DBG(DBG_CONTROL,
-	DBG_log("sent DPD notification R_U_THERE with seqno = %u", st->st_dpd_seqno)
-    )
-    st->st_dpd_expectseqno = st->st_dpd_seqno++;
-    st->st_last_dpd = tm;
-    /* Only schedule a new timeout if there isn't one currently,
-     * or if it would be sooner than the current timeout. */
-    if (st->st_dpd_event == NULL
-    || st->st_dpd_event->ev_time > tm + timeout)
-    {
-	delete_dpd_event(st);
-	event_schedule(EVENT_DPD_TIMEOUT, timeout, st);
-    }
+	/* Only schedule a new timeout if there isn't one currently,
+	 * or if it would be sooner than the current timeout. */
+	if (st->st_dpd_event == NULL
+	|| st->st_dpd_event->ev_time > tm + timeout)
+	{
+		delete_dpd_event(st);
+		event_schedule(EVENT_DPD_TIMEOUT, timeout, st);
+	}
 }
 
 /*
@@ -5444,139 +5318,139 @@ stf_status
 dpd_inI_outR(struct state *st, struct isakmp_notification *const n, pb_stream *pbs)
 {
    time_t tm = now();
-    u_int32_t seqno;
-
-    if (st == NULL || !IS_ISAKMP_SA_ESTABLISHED(st->st_state))
-    {
-        loglog(RC_LOG_SERIOUS, "DPD: Received R_U_THERE for unestablished ISAKMP SA");
-        return STF_IGNORE;
-    }
-    if (n->isan_spisize != COOKIE_SIZE * 2 || pbs_left(pbs) < COOKIE_SIZE * 2)
-    {
-        loglog(RC_LOG_SERIOUS, "DPD: R_U_THERE has invalid SPI length (%d)", n->isan_spisize);
-        return STF_FAIL + PAYLOAD_MALFORMED;
-    }
-
-    if (memcmp(pbs->cur, st->st_icookie, COOKIE_SIZE) != 0)
-    {
+	u_int32_t seqno;
+
+	if (st == NULL || !IS_ISAKMP_SA_ESTABLISHED(st->st_state))
+	{
+		loglog(RC_LOG_SERIOUS, "DPD: Received R_U_THERE for unestablished ISAKMP SA");
+		return STF_IGNORE;
+	}
+	if (n->isan_spisize != COOKIE_SIZE * 2 || pbs_left(pbs) < COOKIE_SIZE * 2)
+	{
+		loglog(RC_LOG_SERIOUS, "DPD: R_U_THERE has invalid SPI length (%d)", n->isan_spisize);
+		return STF_FAIL + PAYLOAD_MALFORMED;
+	}
+
+	if (memcmp(pbs->cur, st->st_icookie, COOKIE_SIZE) != 0)
+	{
 #ifdef APPLY_CRISCO
-        /* Ignore it, cisco sends odd icookies */
+		/* Ignore it, cisco sends odd icookies */
 #else
-        loglog(RC_LOG_SERIOUS, "DPD: R_U_THERE has invalid icookie (broken Cisco?)");
-        return STF_FAIL + INVALID_COOKIE;
+		loglog(RC_LOG_SERIOUS, "DPD: R_U_THERE has invalid icookie (broken Cisco?)");
+		return STF_FAIL + INVALID_COOKIE;
 #endif
-    }
-    pbs->cur += COOKIE_SIZE;
-
-    if (memcmp(pbs->cur, st->st_rcookie, COOKIE_SIZE) != 0)
-    {
-        loglog(RC_LOG_SERIOUS, "DPD: R_U_THERE has invalid rcookie (broken Cisco?)");
-	return STF_FAIL + INVALID_COOKIE;
-    }
-    pbs->cur += COOKIE_SIZE;
-
-    if (pbs_left(pbs) != sizeof(seqno))
-    {
-        loglog(RC_LOG_SERIOUS, "DPD: R_U_THERE has invalid data length (%d)"
-	    , (int) pbs_left(pbs));
-        return STF_FAIL + PAYLOAD_MALFORMED;
-    }
-
-    seqno = ntohl(*(u_int32_t *)pbs->cur);
-    DBG(DBG_CONTROL,
-	DBG_log("received DPD notification R_U_THERE with seqno = %u", seqno)
-    )
-
-    if (st->st_dpd_peerseqno && seqno <= st->st_dpd_peerseqno) {
-        loglog(RC_LOG_SERIOUS, "DPD: Received old or duplicate R_U_THERE");
-        return STF_IGNORE;
-    }
-
-    st->st_dpd_peerseqno = seqno;
-    delete_dpd_event(st);
-
-    if (send_isakmp_notification(st, R_U_THERE_ACK, pbs->cur, pbs_left(pbs)) != STF_IGNORE)
-    {
-        loglog(RC_LOG_SERIOUS, "DPD Info: could not send R_U_THERE_ACK");
-        return STF_IGNORE;
-    }
-    DBG(DBG_CONTROL,
-	DBG_log("sent DPD notification R_U_THERE_ACK with seqno = %u", seqno)
-    )
-
-    st->st_last_dpd = tm;
-    return STF_IGNORE;
+	}
+	pbs->cur += COOKIE_SIZE;
+
+	if (memcmp(pbs->cur, st->st_rcookie, COOKIE_SIZE) != 0)
+	{
+		loglog(RC_LOG_SERIOUS, "DPD: R_U_THERE has invalid rcookie (broken Cisco?)");
+		return STF_FAIL + INVALID_COOKIE;
+	}
+	pbs->cur += COOKIE_SIZE;
+
+	if (pbs_left(pbs) != sizeof(seqno))
+	{
+		loglog(RC_LOG_SERIOUS, "DPD: R_U_THERE has invalid data length (%d)"
+			, (int) pbs_left(pbs));
+		return STF_FAIL + PAYLOAD_MALFORMED;
+	}
+
+	seqno = ntohl(*(u_int32_t *)pbs->cur);
+	DBG(DBG_CONTROL,
+		DBG_log("received DPD notification R_U_THERE with seqno = %u", seqno)
+	)
+
+	if (st->st_dpd_peerseqno && seqno <= st->st_dpd_peerseqno) {
+		loglog(RC_LOG_SERIOUS, "DPD: Received old or duplicate R_U_THERE");
+		return STF_IGNORE;
+	}
+
+	st->st_dpd_peerseqno = seqno;
+	delete_dpd_event(st);
+
+	if (send_isakmp_notification(st, R_U_THERE_ACK, pbs->cur, pbs_left(pbs)) != STF_IGNORE)
+	{
+		loglog(RC_LOG_SERIOUS, "DPD Info: could not send R_U_THERE_ACK");
+		return STF_IGNORE;
+	}
+	DBG(DBG_CONTROL,
+		DBG_log("sent DPD notification R_U_THERE_ACK with seqno = %u", seqno)
+	)
+
+	st->st_last_dpd = tm;
+	return STF_IGNORE;
 }
 
 /*
  * DPD out Responder
  */
-stf_status
-dpd_inR(struct state *st, struct isakmp_notification *const n, pb_stream *pbs)
+stf_status dpd_inR(struct state *st, struct isakmp_notification *const n,
+				   pb_stream *pbs)
 {
-    u_int32_t seqno;
+	u_int32_t seqno;
 
-    if (st == NULL || !IS_ISAKMP_SA_ESTABLISHED(st->st_state))
-    {
-        loglog(RC_LOG_SERIOUS
-	    , "DPD: Received R_U_THERE_ACK for unestablished ISAKMP SA");
-        return STF_FAIL;
-    }
+	if (st == NULL || !IS_ISAKMP_SA_ESTABLISHED(st->st_state))
+	{
+		loglog(RC_LOG_SERIOUS
+			, "DPD: Received R_U_THERE_ACK for unestablished ISAKMP SA");
+		return STF_FAIL;
+	}
 
    if (n->isan_spisize != COOKIE_SIZE * 2 || pbs_left(pbs) < COOKIE_SIZE * 2)
-    {
-        loglog(RC_LOG_SERIOUS
-	    , "DPD: R_U_THERE_ACK has invalid SPI length (%d)"
-	    , n->isan_spisize);
-        return STF_FAIL + PAYLOAD_MALFORMED;
-    }
-
-    if (memcmp(pbs->cur, st->st_icookie, COOKIE_SIZE) != 0)
-    {
+	{
+		loglog(RC_LOG_SERIOUS
+			, "DPD: R_U_THERE_ACK has invalid SPI length (%d)"
+			, n->isan_spisize);
+		return STF_FAIL + PAYLOAD_MALFORMED;
+	}
+
+	if (memcmp(pbs->cur, st->st_icookie, COOKIE_SIZE) != 0)
+	{
 #ifdef APPLY_CRISCO
-        /* Ignore it, cisco sends odd icookies */
+		/* Ignore it, cisco sends odd icookies */
 #else
-        loglog(RC_LOG_SERIOUS, "DPD: R_U_THERE_ACK has invalid icookie");
-        return STF_FAIL + INVALID_COOKIE;
+		loglog(RC_LOG_SERIOUS, "DPD: R_U_THERE_ACK has invalid icookie");
+		return STF_FAIL + INVALID_COOKIE;
 #endif
-    }
-    pbs->cur += COOKIE_SIZE;
+	}
+	pbs->cur += COOKIE_SIZE;
 
-    if (memcmp(pbs->cur, st->st_rcookie, COOKIE_SIZE) != 0)
-    {
+	if (memcmp(pbs->cur, st->st_rcookie, COOKIE_SIZE) != 0)
+	{
 #ifdef APPLY_CRISCO
-        /* Ignore it, cisco sends odd icookies */
+		/* Ignore it, cisco sends odd icookies */
 #else
-        loglog(RC_LOG_SERIOUS, "DPD: R_U_THERE_ACK has invalid rcookie");
-        return STF_FAIL + INVALID_COOKIE;
+		loglog(RC_LOG_SERIOUS, "DPD: R_U_THERE_ACK has invalid rcookie");
+		return STF_FAIL + INVALID_COOKIE;
 #endif
-    }
-    pbs->cur += COOKIE_SIZE;
-
-    if (pbs_left(pbs) != sizeof(seqno))
-    {
-        loglog(RC_LOG_SERIOUS
-	    , " DPD: R_U_THERE_ACK has invalid data length (%d)"
-	    , (int) pbs_left(pbs));
-        return STF_FAIL + PAYLOAD_MALFORMED;
-    }
-
-    seqno = ntohl(*(u_int32_t *)pbs->cur);
-    DBG(DBG_CONTROL,
-	DBG_log("received DPD notification R_U_THERE_ACK with seqno = %u"
-	, seqno)
-    )
-
-    if (!st->st_dpd_expectseqno && seqno != st->st_dpd_expectseqno)
-    {
-        loglog(RC_LOG_SERIOUS
-	    , "DPD: R_U_THERE_ACK has unexpected sequence number");
-        return STF_FAIL + PAYLOAD_MALFORMED;
-    }
-
-    st->st_dpd_expectseqno = 0;
-    delete_dpd_event(st);
-    return STF_IGNORE;
+	}
+	pbs->cur += COOKIE_SIZE;
+
+	if (pbs_left(pbs) != sizeof(seqno))
+	{
+		loglog(RC_LOG_SERIOUS
+			, " DPD: R_U_THERE_ACK has invalid data length (%d)"
+			, (int) pbs_left(pbs));
+		return STF_FAIL + PAYLOAD_MALFORMED;
+	}
+
+	seqno = ntohl(*(u_int32_t *)pbs->cur);
+	DBG(DBG_CONTROL,
+		DBG_log("received DPD notification R_U_THERE_ACK with seqno = %u"
+		, seqno)
+	)
+
+	if (!st->st_dpd_expectseqno && seqno != st->st_dpd_expectseqno)
+	{
+		loglog(RC_LOG_SERIOUS
+			, "DPD: R_U_THERE_ACK has unexpected sequence number");
+		return STF_FAIL + PAYLOAD_MALFORMED;
+	}
+
+	st->st_dpd_expectseqno = 0;
+	delete_dpd_event(st);
+	return STF_IGNORE;
 }
 
 /*
@@ -5589,67 +5463,67 @@ dpd_inR(struct state *st, struct isakmp_notification *const n, pb_stream *pbs)
 void
 dpd_timeout(struct state *st)
 {
-    struct state *newest_phase1_st;
-    struct connection *c = st->st_connection;
-    int action = st->st_connection->dpd_action;
-    char cname[BUF_LEN];
-
-    passert(action == DPD_ACTION_HOLD
-	 || action == DPD_ACTION_CLEAR
-	 || DPD_ACTION_RESTART);
-
-    /* is there a newer phase1_state? */
-    newest_phase1_st = find_phase1_state(c, ISAKMP_SA_ESTABLISHED_STATES);
-    if (newest_phase1_st != NULL && newest_phase1_st != st)
-    {
-	plog("DPD: Phase1 state #%ld has been superseded by #%ld"
-	     " - timeout ignored"
-	     , st->st_serialno, newest_phase1_st->st_serialno);
-	return;
-    }
-
-    loglog(RC_LOG_SERIOUS, "DPD: No response from peer - declaring peer dead");
-
-    /* delete the state, which is probably in phase 2 */
-    set_cur_connection(c);
-    plog("DPD: Terminating all SAs using this connection");
-    delete_states_by_connection(c, TRUE);
-    reset_cur_connection();
-
-    switch (action)
-    {
-    case DPD_ACTION_HOLD:
-	/* dpdaction=hold - Wipe the SA's but %trap the eroute so we don't
-	 * leak traffic.  Also, being in %trap means new packets will
-	 * force an initiation of the conn again.
-	 */
-	loglog(RC_LOG_SERIOUS, "DPD: Putting connection \"%s\" into %%trap", c->name);
-	if (c->kind == CK_INSTANCE)
-	    delete_connection(c, TRUE);
-	break;
-    case DPD_ACTION_CLEAR:
-	/* dpdaction=clear - Wipe the SA & eroute - everything */
-        loglog(RC_LOG_SERIOUS, "DPD: Clearing connection \"%s\"", c->name);
-        unroute_connection(c);
-	if (c->kind == CK_INSTANCE)
-	    delete_connection(c, TRUE);
-	break;
-    case DPD_ACTION_RESTART:
-	/* dpdaction=restart - Restart connection,
-	 * except if roadwarrior connection
-	 */
-	loglog(RC_LOG_SERIOUS, "DPD: Restarting connection \"%s\"", c->name);
-	unroute_connection(c);
-
-	/* caching the connection name before deletion */
-	strncpy(cname, c->name, BUF_LEN);
-
-	if (c->kind == CK_INSTANCE)
-	    delete_connection(c, TRUE);
-	initiate_connection(cname, NULL_FD);
-	break;
-    default:
-	loglog(RC_LOG_SERIOUS, "DPD: unknown action");
-    }
+	struct state *newest_phase1_st;
+	struct connection *c = st->st_connection;
+	int action = st->st_connection->dpd_action;
+	char cname[BUF_LEN];
+
+	passert(action == DPD_ACTION_HOLD
+		 || action == DPD_ACTION_CLEAR
+		 || DPD_ACTION_RESTART);
+
+	/* is there a newer phase1_state? */
+	newest_phase1_st = find_phase1_state(c, ISAKMP_SA_ESTABLISHED_STATES);
+	if (newest_phase1_st != NULL && newest_phase1_st != st)
+	{
+		plog("DPD: Phase1 state #%ld has been superseded by #%ld"
+			 " - timeout ignored"
+			 , st->st_serialno, newest_phase1_st->st_serialno);
+		return;
+	}
+
+	loglog(RC_LOG_SERIOUS, "DPD: No response from peer - declaring peer dead");
+
+	/* delete the state, which is probably in phase 2 */
+	set_cur_connection(c);
+	plog("DPD: Terminating all SAs using this connection");
+	delete_states_by_connection(c, TRUE);
+	reset_cur_connection();
+
+	switch (action)
+	{
+	case DPD_ACTION_HOLD:
+		/* dpdaction=hold - Wipe the SA's but %trap the eroute so we don't
+		 * leak traffic.  Also, being in %trap means new packets will
+		 * force an initiation of the conn again.
+		 */
+		loglog(RC_LOG_SERIOUS, "DPD: Putting connection \"%s\" into %%trap", c->name);
+		if (c->kind == CK_INSTANCE)
+			delete_connection(c, TRUE);
+		break;
+	case DPD_ACTION_CLEAR:
+		/* dpdaction=clear - Wipe the SA & eroute - everything */
+		loglog(RC_LOG_SERIOUS, "DPD: Clearing connection \"%s\"", c->name);
+		unroute_connection(c);
+		if (c->kind == CK_INSTANCE)
+			delete_connection(c, TRUE);
+		break;
+	case DPD_ACTION_RESTART:
+		/* dpdaction=restart - Restart connection,
+		 * except if roadwarrior connection
+		 */
+		loglog(RC_LOG_SERIOUS, "DPD: Restarting connection \"%s\"", c->name);
+		unroute_connection(c);
+
+		/* caching the connection name before deletion */
+		strncpy(cname, c->name, BUF_LEN);
+
+		if (c->kind == CK_INSTANCE)
+			delete_connection(c, TRUE);
+		initiate_connection(cname, NULL_FD);
+		break;
+	default:
+		loglog(RC_LOG_SERIOUS, "DPD: unknown action");
+	}
 }
 
diff --git a/src/pluto/ipsec_doi.h b/src/pluto/ipsec_doi.h
index 60b5e4e31..2e242e903 100644
--- a/src/pluto/ipsec_doi.h
+++ b/src/pluto/ipsec_doi.h
@@ -10,55 +10,53 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: ipsec_doi.h 3252 2007-10-06 21:24:50Z andreas $
  */
 
 extern void echo_hdr(struct msg_digest *md, bool enc, u_int8_t np);
 
 extern void ipsecdoi_initiate(int whack_sock, struct connection *c
-    , lset_t policy, unsigned long try, so_serial_t replacing);
+	, lset_t policy, unsigned long try, so_serial_t replacing);
 
 extern void ipsecdoi_replace(struct state *st, unsigned long try);
 
 extern void init_phase2_iv(struct state *st, const msgid_t *msgid);
 
 extern stf_status quick_outI1(int whack_sock
-    , struct state *isakmp_sa
-    , struct connection *c
-    , lset_t policy
-    , unsigned long try
-    , so_serial_t replacing);
+	, struct state *isakmp_sa
+	, struct connection *c
+	, lset_t policy
+	, unsigned long try
+	, so_serial_t replacing);
 
 extern state_transition_fn
-    main_inI1_outR1,
-    main_inR1_outI2,
-    main_inI2_outR2,
-    main_inR2_outI3,
-    main_inI3_outR3,
-    main_inR3,
-    quick_inI1_outR1,
-    quick_inR1_outI2,
-    quick_inI2;
+	main_inI1_outR1,
+	main_inR1_outI2,
+	main_inI2_outR2,
+	main_inR2_outI3,
+	main_inI3_outR3,
+	main_inR3,
+	quick_inI1_outR1,
+	quick_inR1_outI2,
+	quick_inI2;
 
 extern void send_delete(struct state *st);
 extern void accept_delete(struct state *st, struct msg_digest *md
-    , struct payload_digest *p);
+	, struct payload_digest *p);
 extern void close_message(pb_stream *pbs);
 extern bool encrypt_message(pb_stream *pbs, struct state *st);
 
 
 extern void send_notification_from_state(struct state *st,
-    enum state_kind state, u_int16_t type);
+	enum state_kind state, u_int16_t type);
 extern void send_notification_from_md(struct msg_digest *md, u_int16_t type);
 
 extern const char *init_pluto_vendorid(void);
 
 extern void dpd_outI(struct state *st);
 extern stf_status dpd_inI_outR(struct state *st
-            , struct isakmp_notification *const n, pb_stream *n_pbs);
+			, struct isakmp_notification *const n, pb_stream *n_pbs);
 extern stf_status dpd_inR(struct state *st
-            , struct isakmp_notification *const n, pb_stream *n_pbs);
+			, struct isakmp_notification *const n, pb_stream *n_pbs);
 extern void dpd_timeout(struct state *st);
 
 /* START_HASH_PAYLOAD
@@ -70,14 +68,14 @@ extern void dpd_timeout(struct state *st);
  * - it references variables local to the caller (r_hashval, r_hash_start, st)
  */
 #define START_HASH_PAYLOAD(rbody, np) { \
-    pb_stream hash_pbs; \
-    if (!out_generic(np, &isakmp_hash_desc, &(rbody), &hash_pbs)) \
-	return STF_INTERNAL_ERROR; \
-    r_hashval = hash_pbs.cur;	/* remember where to plant value */ \
-    if (!out_zero(st->st_oakley.hasher->hash_digest_size, &hash_pbs, "HASH")) \
-	return STF_INTERNAL_ERROR; \
-    close_output_pbs(&hash_pbs); \
-    r_hash_start = (rbody).cur;	/* hash from after HASH payload */ \
+	pb_stream hash_pbs; \
+	if (!out_generic(np, &isakmp_hash_desc, &(rbody), &hash_pbs)) \
+		return STF_INTERNAL_ERROR; \
+	r_hashval = hash_pbs.cur;   /* remember where to plant value */ \
+	if (!out_zero(st->st_oakley.hasher->hash_digest_size, &hash_pbs, "HASH")) \
+		return STF_INTERNAL_ERROR; \
+	close_output_pbs(&hash_pbs); \
+	r_hash_start = (rbody).cur; /* hash from after HASH payload */ \
 }
 
 /* CHECK_QUICK_HASH
@@ -88,17 +86,17 @@ extern void dpd_timeout(struct state *st);
  *   expression to reference them (hash_val, hash_pbs)
  */
 #define CHECK_QUICK_HASH(md, do_hash, hash_name, msg_name) { \
-	pb_stream *const hash_pbs = &md->chain[ISAKMP_NEXT_HASH]->pbs; \
-	u_char hash_val[MAX_DIGEST_LEN]; \
-	size_t hash_len = do_hash; \
-	if (pbs_left(hash_pbs) != hash_len \
-	|| memcmp(hash_pbs->cur, hash_val, hash_len) != 0) \
-	{ \
-	    DBG_cond_dump(DBG_CRYPT, "received " hash_name ":", hash_pbs->cur, pbs_left(hash_pbs)); \
-	    loglog(RC_LOG_SERIOUS, "received " hash_name " does not match computed value in " msg_name); \
-	    /* XXX Could send notification back */ \
-	    return STF_FAIL + INVALID_HASH_INFORMATION; \
-	} \
-    }
+		pb_stream *const hash_pbs = &md->chain[ISAKMP_NEXT_HASH]->pbs; \
+		u_char hash_val[MAX_DIGEST_LEN]; \
+		size_t hash_len = do_hash; \
+		if (pbs_left(hash_pbs) != hash_len \
+		|| memcmp(hash_pbs->cur, hash_val, hash_len) != 0) \
+		{ \
+			DBG_cond_dump(DBG_CRYPT, "received " hash_name ":", hash_pbs->cur, pbs_left(hash_pbs)); \
+			loglog(RC_LOG_SERIOUS, "received " hash_name " does not match computed value in " msg_name); \
+			/* XXX Could send notification back */ \
+			return STF_FAIL + INVALID_HASH_INFORMATION; \
+		} \
+	}
 
 
diff --git a/src/pluto/kameipsec.h b/src/pluto/kameipsec.h
index 5f08c7d38..5e9d8ce99 100644
--- a/src/pluto/kameipsec.h
+++ b/src/pluto/kameipsec.h
@@ -3,45 +3,45 @@
 
 /* The definitions, required to talk to KAME racoon IKE. */
 
-#define IPSEC_PORT_ANY		0
-#define IPSEC_ULPROTO_ANY	255
-#define IPSEC_PROTO_ANY		255
+#define IPSEC_PORT_ANY          0
+#define IPSEC_ULPROTO_ANY       255
+#define IPSEC_PROTO_ANY         255
 
 enum {
-	IPSEC_MODE_ANY		= 0,	/* We do not support this for SA */
-	IPSEC_MODE_TRANSPORT	= 1,
-	IPSEC_MODE_TUNNEL	= 2
+		IPSEC_MODE_ANY          = 0,    /* We do not support this for SA */
+		IPSEC_MODE_TRANSPORT    = 1,
+		IPSEC_MODE_TUNNEL       = 2
 };
 
 enum {
-	IPSEC_DIR_ANY		= 0,
-	IPSEC_DIR_INBOUND	= 1,
-	IPSEC_DIR_OUTBOUND	= 2,
-	IPSEC_DIR_FWD		= 3,	/* It is our own */
-	IPSEC_DIR_MAX		= 4,
-	IPSEC_DIR_INVALID	= 5
+		IPSEC_DIR_ANY           = 0,
+		IPSEC_DIR_INBOUND       = 1,
+		IPSEC_DIR_OUTBOUND      = 2,
+		IPSEC_DIR_FWD           = 3,    /* It is our own */
+		IPSEC_DIR_MAX           = 4,
+		IPSEC_DIR_INVALID       = 5
 };
 
 enum {
-	IPSEC_POLICY_DISCARD	= 0,
-	IPSEC_POLICY_NONE	= 1,
-	IPSEC_POLICY_IPSEC	= 2,
-	IPSEC_POLICY_ENTRUST	= 3,
-	IPSEC_POLICY_BYPASS	= 4
+		IPSEC_POLICY_DISCARD    = 0,
+		IPSEC_POLICY_NONE       = 1,
+		IPSEC_POLICY_IPSEC      = 2,
+		IPSEC_POLICY_ENTRUST    = 3,
+		IPSEC_POLICY_BYPASS     = 4
 };
 
 enum {
-	IPSEC_LEVEL_DEFAULT	= 0,
-	IPSEC_LEVEL_USE		= 1,
-	IPSEC_LEVEL_REQUIRE	= 2,
-	IPSEC_LEVEL_UNIQUE	= 3
+		IPSEC_LEVEL_DEFAULT     = 0,
+		IPSEC_LEVEL_USE         = 1,
+		IPSEC_LEVEL_REQUIRE     = 2,
+		IPSEC_LEVEL_UNIQUE      = 3
 };
 
-#define IPSEC_MANUAL_REQID_MAX	0x3fff
+#define IPSEC_MANUAL_REQID_MAX  0x3fff
 
 #define IPSEC_REPLAYWSIZE  32
 
 #define IP_IPSEC_POLICY 16
 #define IPV6_IPSEC_POLICY 34
 
-#endif	/* __IPSEC_H */
+#endif  /* __IPSEC_H */
diff --git a/src/pluto/kernel.c b/src/pluto/kernel.c
index d42ac3372..f698de2c8 100644
--- a/src/pluto/kernel.c
+++ b/src/pluto/kernel.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: kernel.c 3846 2008-04-18 17:01:45Z andreas $
  */
 
 #include <stddef.h>
@@ -31,12 +29,14 @@
 #include <arpa/inet.h>
 
 #include <freeswan.h>
-#include <ipsec_policy.h>
+
+#include <library.h>
+#include <crypto/rngs/rng.h>
 
 #ifdef KLIPS
 #include <signal.h>
-#include <sys/time.h>	/* for select(2) */
-#include <sys/types.h>	/* for select(2) */
+#include <sys/time.h>   /* for select(2) */
+#include <sys/types.h>  /* for select(2) */
 #include <pfkeyv2.h>
 #include <pfkey.h>
 #include "kameipsec.h"
@@ -44,7 +44,6 @@
 
 #include "constants.h"
 #include "defs.h"
-#include "rnd.h"
 #include "id.h"
 #include "connections.h"
 #include "state.h"
@@ -56,7 +55,7 @@
 #include "log.h"
 #include "ca.h"
 #include "server.h"
-#include "whack.h"	/* for RC_LOG_SERIOUS */
+#include "whack.h"      /* for RC_LOG_SERIOUS */
 #include "keys.h"
 #include "nat_traversal.h"
 #include "alg_info.h"
@@ -69,7 +68,7 @@ bool can_do_IPcomp = TRUE;  /* can system actually perform IPCOMP? */
  * logic loses track and swats them?  64 is the best KLIPS can do.
  * And 32 is the best XFRM can do...
  */
-#define REPLAY_WINDOW	64
+#define REPLAY_WINDOW   64
 #define REPLAY_WINDOW_XFRM      32
 
 /* test if the routes required for two different connections agree
@@ -77,11 +76,11 @@ bool can_do_IPcomp = TRUE;  /* can system actually perform IPCOMP? */
  * testing that the interfaces and nexthops match.
  */
 #define routes_agree(c, d) ((c)->interface == (d)->interface \
-	&& sameaddr(&(c)->spd.this.host_nexthop, &(d)->spd.this.host_nexthop))
+		&& sameaddr(&(c)->spd.this.host_nexthop, &(d)->spd.this.host_nexthop))
 
 #ifndef KLIPS
 
-bool no_klips = TRUE;	/* don't actually use KLIPS */
+bool no_klips = TRUE;   /* don't actually use KLIPS */
 
 #else /* !KLIPS */
 
@@ -96,50 +95,49 @@ bool no_klips = TRUE;	/* don't actually use KLIPS */
  * which %holds are news and which others should expire.
  */
 
-#define SHUNT_SCAN_INTERVAL	(60 * 2)   /* time between scans of eroutes */
+#define SHUNT_SCAN_INTERVAL     (60 * 2)   /* time between scans of eroutes */
 
 /* SHUNT_PATIENCE only has resolution down to a multiple of the sample rate,
  * SHUNT_SCAN_INTERVAL.
  * By making SHUNT_PATIENCE an odd multiple of half of SHUNT_SCAN_INTERVAL,
  * we minimize the effects of jitter.
  */
-#define SHUNT_PATIENCE	(SHUNT_SCAN_INTERVAL * 15 / 2)	/* inactivity timeout */
+#define SHUNT_PATIENCE  (SHUNT_SCAN_INTERVAL * 15 / 2)  /* inactivity timeout */
 
 struct bare_shunt {
-    policy_prio_t policy_prio;
-    ip_subnet ours;
-    ip_subnet his;
-    ip_said said;
-    int transport_proto;
-    unsigned long count;
-    time_t last_activity;
-    char *why;
-    struct bare_shunt *next;
+	policy_prio_t policy_prio;
+	ip_subnet ours;
+	ip_subnet his;
+	ip_said said;
+	int transport_proto;
+	unsigned long count;
+	time_t last_activity;
+	char *why;
+	struct bare_shunt *next;
 };
 
 static struct bare_shunt *bare_shunts = NULL;
 
 #ifdef DEBUG
-static void
-DBG_bare_shunt(const char *op, const struct bare_shunt *bs)
+static void DBG_bare_shunt(const char *op, const struct bare_shunt *bs)
 {
-    DBG(DBG_KLIPS,
-	{
-	    int ourport = ntohs(portof(&(bs)->ours.addr));
-	    int hisport = ntohs(portof(&(bs)->his.addr));
-	    char ourst[SUBNETTOT_BUF];
-	    char hist[SUBNETTOT_BUF];
-	    char sat[SATOT_BUF];
-	    char prio[POLICY_PRIO_BUF];
-
-	    subnettot(&(bs)->ours, 0, ourst, sizeof(ourst));
-	    subnettot(&(bs)->his, 0, hist, sizeof(hist));
-	    satot(&(bs)->said, 0, sat, sizeof(sat));
-	    fmt_policy_prio(bs->policy_prio, prio);
-	    DBG_log("%s bare shunt %p %s:%d -> %s:%d => %s:%d %s    %s"
-		, op, (const void *)(bs), ourst, ourport, hist, hisport
-		, sat, (bs)->transport_proto, prio, (bs)->why);
-	});
+	DBG(DBG_KLIPS,
+		{
+			int ourport = ntohs(portof(&(bs)->ours.addr));
+			int hisport = ntohs(portof(&(bs)->his.addr));
+			char ourst[SUBNETTOT_BUF];
+			char hist[SUBNETTOT_BUF];
+			char sat[SATOT_BUF];
+			char prio[POLICY_PRIO_BUF];
+
+			subnettot(&(bs)->ours, 0, ourst, sizeof(ourst));
+			subnettot(&(bs)->his, 0, hist, sizeof(hist));
+			satot(&(bs)->said, 0, sat, sizeof(sat));
+			fmt_policy_prio(bs->policy_prio, prio);
+			DBG_log("%s bare shunt %p %s:%d -> %s:%d => %s:%d %s    %s"
+				, op, (const void *)(bs), ourst, ourport, hist, hisport
+				, sat, (bs)->transport_proto, prio, (bs)->why);
+		});
 }
 #else /* !DEBUG */
 #define DBG_bare_shunt(op, bs) {}
@@ -152,112 +150,108 @@ DBG_bare_shunt(const char *op, const struct bare_shunt *bs)
 struct eroute_info *orphaned_holds = NULL;
 
 /* forward declaration */
-static bool shunt_eroute(struct connection *c
-			 , struct spd_route *sr
-			 , enum routing_t rt_kind
-			 , unsigned int op, const char *opname);
-static void set_text_said(char *text_said
-			  , const ip_address *dst
-			  , ipsec_spi_t spi
-			  , int proto);
+static bool shunt_eroute(struct connection *c, struct spd_route *sr,
+						 enum routing_t rt_kind, unsigned int op,
+						 const char *opname);
 
-bool no_klips = FALSE;	/* don't actually use KLIPS */
+static void set_text_said(char *text_said, const ip_address *dst,
+						  ipsec_spi_t spi, int proto);
+
+bool no_klips = FALSE;  /* don't actually use KLIPS */
 
 static const struct pfkey_proto_info null_proto_info[2] = {
+		{
+				proto: IPPROTO_ESP,
+				encapsulation: ENCAPSULATION_MODE_TRANSPORT,
+				reqid: 0
+		},
+		{
+				proto: 0,
+				encapsulation: 0,
+				reqid: 0
+		}
+};
+
+void record_and_initiate_opportunistic(const ip_subnet *ours,
+									   const ip_subnet *his,
+									   int transport_proto, const char *why)
+{
+	passert(samesubnettype(ours, his));
+
+	/* Add to bare shunt list.
+	 * We need to do this because the shunt was installed by KLIPS
+	 * which can't do this itself.
+	 */
 	{
-		proto: IPPROTO_ESP,
-		encapsulation: ENCAPSULATION_MODE_TRANSPORT,
-		reqid: 0
-	},
+		struct bare_shunt *bs = malloc_thing(struct bare_shunt);
+
+		bs->why = clone_str(why);
+		bs->ours = *ours;
+		bs->his = *his;
+		bs->transport_proto = transport_proto;
+		bs->policy_prio = BOTTOM_PRIO;
+
+		bs->said.proto = SA_INT;
+		bs->said.spi = htonl(SPI_HOLD);
+		bs->said.dst = *aftoinfo(subnettypeof(ours))->any;
+
+		bs->count = 0;
+		bs->last_activity = now();
+
+		bs->next = bare_shunts;
+		bare_shunts = bs;
+		DBG_bare_shunt("add", bs);
+	}
+
+	/* actually initiate opportunism */
 	{
-	        proto: 0,
-		encapsulation: 0,
-		reqid: 0
+		ip_address src, dst;
+
+		networkof(ours, &src);
+		networkof(his, &dst);
+		initiate_opportunistic(&src, &dst, transport_proto, TRUE, NULL_FD);
 	}
-};
 
-void
-record_and_initiate_opportunistic(const ip_subnet *ours
-				  , const ip_subnet *his
-				  , int transport_proto
-				  , const char *why)
-{
-    passert(samesubnettype(ours, his));
-
-    /* Add to bare shunt list.
-     * We need to do this because the shunt was installed by KLIPS
-     * which can't do this itself.
-     */
-    {
-	struct bare_shunt *bs = alloc_thing(struct bare_shunt, "bare shunt");
-
-	bs->why = clone_str(why, "story for bare shunt");
-	bs->ours = *ours;
-	bs->his = *his;
-	bs->transport_proto = transport_proto;
-	bs->policy_prio = BOTTOM_PRIO;
-
-	bs->said.proto = SA_INT;
-	bs->said.spi = htonl(SPI_HOLD);
-	bs->said.dst = *aftoinfo(subnettypeof(ours))->any;
-
-	bs->count = 0;
-	bs->last_activity = now();
-
-	bs->next = bare_shunts;
-	bare_shunts = bs;
-	DBG_bare_shunt("add", bs);
-    }
-
-    /* actually initiate opportunism */
-    {
-	ip_address src, dst;
-
-	networkof(ours, &src);
-	networkof(his, &dst);
-	initiate_opportunistic(&src, &dst, transport_proto, TRUE, NULL_FD);
-    }
-
-    /* if present, remove from orphaned_holds list.
-     * NOTE: we do this last in case ours or his is a pointer into a member.
-     */
-    {
-	struct eroute_info **pp, *p;
-
-	for (pp = &orphaned_holds; (p = *pp) != NULL; pp = &p->next)
-	{
-	    if (samesubnet(ours, &p->ours)
-	    && samesubnet(his, &p->his)
-	    && transport_proto == p->transport_proto
-	    && portof(&ours->addr) == portof(&p->ours.addr)
-	    && portof(&his->addr) == portof(&p->his.addr))
-	    {
-		*pp = p->next;
-		pfree(p);
-		break;
-	    }
+	/* if present, remove from orphaned_holds list.
+	 * NOTE: we do this last in case ours or his is a pointer into a member.
+	 */
+	{
+		struct eroute_info **pp, *p;
+
+		for (pp = &orphaned_holds; (p = *pp) != NULL; pp = &p->next)
+		{
+			if (samesubnet(ours, &p->ours)
+			&& samesubnet(his, &p->his)
+			&& transport_proto == p->transport_proto
+			&& portof(&ours->addr) == portof(&p->ours.addr)
+			&& portof(&his->addr) == portof(&p->his.addr))
+			{
+				*pp = p->next;
+				free(p);
+				break;
+			}
+		}
 	}
-    }
 }
 
 #endif /* KLIPS */
 
 static unsigned get_proto_reqid(unsigned base, int proto)
 {
-    switch (proto)
-    {
-    default:
-    case IPPROTO_COMP:
-	base++;
-	/* fall through */
-    case IPPROTO_ESP:
-	base++;
-	/* fall through */
-    case IPPROTO_AH:
-	break;
-    }
-
-    return base;
+	switch (proto)
+	{
+	default:
+	case IPPROTO_COMP:
+		base++;
+		/* fall through */
+	case IPPROTO_ESP:
+		base++;
+		/* fall through */
+	case IPPROTO_AH:
+		break;
+	}
+
+	return base;
 }
 
 /* Generate Unique SPI numbers.
@@ -281,33 +275,39 @@ static unsigned get_proto_reqid(unsigned base, int proto)
  * check if the number was previously used (assuming that no
  * SPI lives longer than 4G of its successors).
  */
-ipsec_spi_t
-get_ipsec_spi(ipsec_spi_t avoid, int proto, struct spd_route *sr, bool tunnel)
+ipsec_spi_t get_ipsec_spi(ipsec_spi_t avoid, int proto, struct spd_route *sr,
+						  bool tunnel)
 {
-    static ipsec_spi_t spi = 0;	/* host order, so not returned directly! */
-    char text_said[SATOT_BUF];
+	static ipsec_spi_t spi = 0; /* host order, so not returned directly! */
+	char text_said[SATOT_BUF];
+	rng_t *rng;
 
-    set_text_said(text_said, &sr->this.host_addr, 0, proto);
+	set_text_said(text_said, &sr->this.host_addr, 0, proto);
 
-    if (kernel_ops->get_spi)
-	return kernel_ops->get_spi(&sr->that.host_addr
-	    , &sr->this.host_addr, proto, tunnel
-	    , get_proto_reqid(sr->reqid, proto)
-	    , IPSEC_DOI_SPI_OUR_MIN, 0xffffffff
-	    , text_said);
-
-    spi++;
-    while (spi < IPSEC_DOI_SPI_OUR_MIN || spi == ntohl(avoid))
-	get_rnd_bytes((u_char *)&spi, sizeof(spi));
+	if (kernel_ops->get_spi)
+	{
+		return kernel_ops->get_spi(&sr->that.host_addr
+			, &sr->this.host_addr, proto, tunnel
+			, get_proto_reqid(sr->reqid, proto)
+			, IPSEC_DOI_SPI_OUR_MIN, 0xffffffff
+			, text_said);
+	}
 
-    DBG(DBG_CONTROL,
+	spi++;
+	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
+	while (spi < IPSEC_DOI_SPI_OUR_MIN || spi == ntohl(avoid))
 	{
-	    ipsec_spi_t spi_net = htonl(spi);
+		rng->get_bytes(rng, sizeof(spi), (u_char *)&spi);
+	}
+	rng->destroy(rng);
+	DBG(DBG_CONTROL,
+		{
+			ipsec_spi_t spi_net = htonl(spi);
 
-	    DBG_dump("generate SPI:", (u_char *)&spi_net, sizeof(spi_net));
-	});
+			DBG_dump("generate SPI:", (u_char *)&spi_net, sizeof(spi_net));
+		});
 
-    return htonl(spi);
+	return htonl(spi);
 }
 
 /* Generate Unique CPI numbers.
@@ -318,38 +318,40 @@ get_ipsec_spi(ipsec_spi_t avoid, int proto, struct spd_route *sr, bool tunnel)
  * If we can't find one easily, return 0 (a bad SPI,
  * no matter what order) indicating failure.
  */
-ipsec_spi_t
-get_my_cpi(struct spd_route *sr, bool tunnel)
+ipsec_spi_t get_my_cpi(struct spd_route *sr, bool tunnel)
 {
-    static cpi_t
-	first_busy_cpi = 0,
-	latest_cpi;
-    char text_said[SATOT_BUF];
+	static cpi_t first_busy_cpi = 0, latest_cpi;
+	char text_said[SATOT_BUF];
+	rng_t *rng;
 
-    set_text_said(text_said, &sr->this.host_addr, 0, IPPROTO_COMP);
+	set_text_said(text_said, &sr->this.host_addr, 0, IPPROTO_COMP);
 
-    if (kernel_ops->get_spi)
-	return kernel_ops->get_spi(&sr->that.host_addr
-	    , &sr->this.host_addr, IPPROTO_COMP, tunnel
-	    , get_proto_reqid(sr->reqid, IPPROTO_COMP)
-	    , IPCOMP_FIRST_NEGOTIATED, IPCOMP_LAST_NEGOTIATED
-	    , text_said);
+	if (kernel_ops->get_spi)
+	{
+		return kernel_ops->get_spi(&sr->that.host_addr
+			, &sr->this.host_addr, IPPROTO_COMP, tunnel
+			, get_proto_reqid(sr->reqid, IPPROTO_COMP)
+			, IPCOMP_FIRST_NEGOTIATED, IPCOMP_LAST_NEGOTIATED
+			, text_said);
+	}
 
-    while (!(IPCOMP_FIRST_NEGOTIATED <= first_busy_cpi && first_busy_cpi < IPCOMP_LAST_NEGOTIATED))
-    {
-	get_rnd_bytes((u_char *)&first_busy_cpi, sizeof(first_busy_cpi));
-	latest_cpi = first_busy_cpi;
-    }
+	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
+	while (!(IPCOMP_FIRST_NEGOTIATED <= first_busy_cpi && first_busy_cpi < IPCOMP_LAST_NEGOTIATED))
+	{
+		rng->get_bytes(rng, sizeof(first_busy_cpi), (u_char *)&first_busy_cpi);
+		latest_cpi = first_busy_cpi;
+	}
+	rng->destroy(rng);
 
-    latest_cpi++;
+	latest_cpi++;
 
-    if (latest_cpi == first_busy_cpi)
-	find_my_cpi_gap(&latest_cpi, &first_busy_cpi);
+	if (latest_cpi == first_busy_cpi)
+		find_my_cpi_gap(&latest_cpi, &first_busy_cpi);
 
-    if (latest_cpi > IPCOMP_LAST_NEGOTIATED)
-	latest_cpi = IPCOMP_FIRST_NEGOTIATED;
+	if (latest_cpi > IPCOMP_LAST_NEGOTIATED)
+		latest_cpi = IPCOMP_FIRST_NEGOTIATED;
 
-    return htonl((ipsec_spi_t)latest_cpi);
+	return htonl((ipsec_spi_t)latest_cpi);
 }
 
 /* invoke the updown script to do the routing and firewall commands required
@@ -386,1003 +388,992 @@ get_my_cpi(struct spd_route *sr, bool tunnel)
  */
 
 #ifndef DEFAULT_UPDOWN
-# define DEFAULT_UPDOWN	"ipsec _updown"
+# define DEFAULT_UPDOWN "ipsec _updown"
 #endif
 
-static bool
-do_command(struct connection *c, struct spd_route *sr, const char *verb)
+static bool do_command(struct connection *c, struct spd_route *sr,
+					   const char *verb)
 {
-    char cmd[1536];	/* arbitrary limit on shell command length */
-    const char *verb_suffix;
-
-    /* figure out which verb suffix applies */
-    {
-	const char *hs, *cs;
+	char cmd[1536];     /* arbitrary limit on shell command length */
+	const char *verb_suffix;
 
-	switch (addrtypeof(&sr->this.host_addr))
+	/* figure out which verb suffix applies */
 	{
-	    case AF_INET:
-		hs = "-host";
-		cs = "-client";
-		break;
-	    case AF_INET6:
-		hs = "-host-v6";
-		cs = "-client-v6";
-		break;
-	    default:
-		loglog(RC_LOG_SERIOUS, "unknown address family");
-		return FALSE;
-	}
-	verb_suffix = subnetisaddr(&sr->this.client, &sr->this.host_addr)
-	    ? hs : cs;
-    }
-
-    /* form the command string */
-    {
-	char
-            nexthop_str[sizeof("PLUTO_NEXT_HOP='' ") +ADDRTOT_BUF] = "",
-            srcip_str[sizeof("PLUTO_MY_SOURCEIP='' ")+ADDRTOT_BUF] = "",
-	    me_str[ADDRTOT_BUF],
-	    myid_str[BUF_LEN],
-	    myclient_str[SUBNETTOT_BUF],
-	    myclientnet_str[ADDRTOT_BUF],
-	    myclientmask_str[ADDRTOT_BUF],
-	    peer_str[ADDRTOT_BUF],
-	    peerid_str[BUF_LEN],
-	    peerclient_str[SUBNETTOT_BUF],
-	    peerclientnet_str[ADDRTOT_BUF],
-	    peerclientmask_str[ADDRTOT_BUF],
-	    peerca_str[BUF_LEN],
-	    secure_myid_str[BUF_LEN] = "",
-	    secure_peerid_str[BUF_LEN] = "",
-	    secure_peerca_str[BUF_LEN] = "";
-	ip_address ta;
-	pubkey_list_t *p;
-
-	if (addrbytesptr(&sr->this.host_nexthop, NULL)
-	&& !isanyaddr(&sr->this.host_nexthop))
-	{
-	    char *n;
-
-	    strcpy(nexthop_str, "PLUTO_NEXT_HOP='");
-	    n = nexthop_str + strlen(nexthop_str);
-
-	    addrtot(&sr->this.host_nexthop, 0
-		    ,n , sizeof(nexthop_str)-strlen(nexthop_str));
-	    strncat(nexthop_str, "' ", sizeof(nexthop_str));
-	}
-
-	if (addrbytesptr(&sr->this.host_srcip, NULL)
-	&& !isanyaddr(&sr->this.host_srcip))
-        {
-	    char *n;
-
-	    strcpy(srcip_str, "PLUTO_MY_SOURCEIP='");
-	    n = srcip_str + strlen(srcip_str);
-
-	    addrtot(&sr->this.host_srcip, 0
-		    ,n , sizeof(srcip_str)-strlen(srcip_str));
-            strncat(srcip_str, "' ", sizeof(srcip_str));
-        }
-
-	addrtot(&sr->this.host_addr, 0, me_str, sizeof(me_str));
-	idtoa(&sr->this.id, myid_str, sizeof(myid_str));
-	escape_metachar(myid_str, secure_myid_str, sizeof(secure_myid_str));
-	subnettot(&sr->this.client, 0, myclient_str, sizeof(myclientnet_str));
-	networkof(&sr->this.client, &ta);
-	addrtot(&ta, 0, myclientnet_str, sizeof(myclientnet_str));
-	maskof(&sr->this.client, &ta);
-	addrtot(&ta, 0, myclientmask_str, sizeof(myclientmask_str));
-
-	addrtot(&sr->that.host_addr, 0, peer_str, sizeof(peer_str));
-	idtoa(&sr->that.id, peerid_str, sizeof(peerid_str));
-	escape_metachar(peerid_str, secure_peerid_str, sizeof(secure_peerid_str));
-	subnettot(&sr->that.client, 0, peerclient_str, sizeof(peerclientnet_str));
-	networkof(&sr->that.client, &ta);
-	addrtot(&ta, 0, peerclientnet_str, sizeof(peerclientnet_str));
-	maskof(&sr->that.client, &ta);
-	addrtot(&ta, 0, peerclientmask_str, sizeof(peerclientmask_str));
-
-	for (p = pubkeys; p != NULL; p = p->next)
-	{
-	    pubkey_t *key = p->key;
-	    int pathlen;
-
-	    if (key->alg == PUBKEY_ALG_RSA && same_id(&sr->that.id, &key->id)
-	    && trusted_ca(key->issuer, sr->that.ca, &pathlen))
-	    {
-		dntoa_or_null(peerca_str, BUF_LEN, key->issuer, "");
-		escape_metachar(peerca_str, secure_peerca_str, sizeof(secure_peerca_str));
-		break;
-	    }
-	}
-
-	if (-1 == snprintf(cmd, sizeof(cmd)
-	    , "2>&1 "	/* capture stderr along with stdout */
-	    "PLUTO_VERSION='1.1' "	/* change VERSION when interface spec changes */
-	    "PLUTO_VERB='%s%s' "
-	    "PLUTO_CONNECTION='%s' "
-	    "%s"	/* optional PLUTO_NEXT_HOP */
-	    "PLUTO_INTERFACE='%s' "
-	    "%s"	/* optional PLUTO_HOST_ACCESS */
-	    "PLUTO_REQID='%u' "
-	    "PLUTO_ME='%s' "
-	    "PLUTO_MY_ID='%s' "
-	    "PLUTO_MY_CLIENT='%s' "
-	    "PLUTO_MY_CLIENT_NET='%s' "
-	    "PLUTO_MY_CLIENT_MASK='%s' "
-	    "PLUTO_MY_PORT='%u' "
-	    "PLUTO_MY_PROTOCOL='%u' "
-	    "PLUTO_PEER='%s' "
-	    "PLUTO_PEER_ID='%s' "
-	    "PLUTO_PEER_CLIENT='%s' "
-	    "PLUTO_PEER_CLIENT_NET='%s' "
-	    "PLUTO_PEER_CLIENT_MASK='%s' "
-	    "PLUTO_PEER_PORT='%u' "
-	    "PLUTO_PEER_PROTOCOL='%u' "
-	    "PLUTO_PEER_CA='%s' "
-	    "%s"	/* optional PLUTO_MY_SRCIP */
-	    "%s"	/* actual script */
-	    , verb, verb_suffix
-	    , c->name
-	    , nexthop_str
-	    , c->interface->vname
-	    , sr->this.hostaccess? "PLUTO_HOST_ACCESS='1' " : ""
-	    , sr->reqid + 1	/* ESP requid */
-	    , me_str
-	    , secure_myid_str
-	    , myclient_str
-	    , myclientnet_str
-	    , myclientmask_str
-	    , sr->this.port
-	    , sr->this.protocol
-	    , peer_str
-	    , secure_peerid_str
-	    , peerclient_str
-	    , peerclientnet_str
-	    , peerclientmask_str
-	    , sr->that.port
-	    , sr->that.protocol
-	    , secure_peerca_str
-	    , srcip_str
-	    , sr->this.updown == NULL? DEFAULT_UPDOWN : sr->this.updown))
-	{
-	    loglog(RC_LOG_SERIOUS, "%s%s command too long!", verb, verb_suffix);
-	    return FALSE;
-	}
-    }
-
-    DBG(DBG_CONTROL, DBG_log("executing %s%s: %s"
-	, verb, verb_suffix, cmd));
-
-#ifdef KLIPS
-    if (!no_klips)
-    {
-	/* invoke the script, catching stderr and stdout
-	 * It may be of concern that some file descriptors will
-	 * be inherited.  For the ones under our control, we
-	 * have done fcntl(fd, F_SETFD, FD_CLOEXEC) to prevent this.
-	 * Any used by library routines (perhaps the resolver or syslog)
-	 * will remain.
-	 */
-	FILE *f = popen(cmd, "r");
+		const char *hs, *cs;
 
-	if (f == NULL)
-	{
-	    loglog(RC_LOG_SERIOUS, "unable to popen %s%s command", verb, verb_suffix);
-	    return FALSE;
+		switch (addrtypeof(&sr->this.host_addr))
+		{
+			case AF_INET:
+				hs = "-host";
+				cs = "-client";
+				break;
+			case AF_INET6:
+				hs = "-host-v6";
+				cs = "-client-v6";
+				break;
+			default:
+				loglog(RC_LOG_SERIOUS, "unknown address family");
+				return FALSE;
+		}
+		verb_suffix = subnetisaddr(&sr->this.client, &sr->this.host_addr)
+			? hs : cs;
 	}
 
-	/* log any output */
-	for (;;)
+	/* form the command string */
 	{
-	    /* if response doesn't fit in this buffer, it will be folded */
-	    char resp[256];
+		char
+			nexthop_str[sizeof("PLUTO_NEXT_HOP='' ") +ADDRTOT_BUF] = "",
+			srcip_str[sizeof("PLUTO_MY_SOURCEIP='' ")+ADDRTOT_BUF] = "",
+			me_str[ADDRTOT_BUF],
+			myid_str[BUF_LEN],
+			myclient_str[SUBNETTOT_BUF],
+			myclientnet_str[ADDRTOT_BUF],
+			myclientmask_str[ADDRTOT_BUF],
+			peer_str[ADDRTOT_BUF],
+			peerid_str[BUF_LEN],
+			peerclient_str[SUBNETTOT_BUF],
+			peerclientnet_str[ADDRTOT_BUF],
+			peerclientmask_str[ADDRTOT_BUF],
+			peerca_str[BUF_LEN],
+			secure_myid_str[BUF_LEN] = "",
+			secure_peerid_str[BUF_LEN] = "",
+			secure_peerca_str[BUF_LEN] = "";
+		ip_address ta;
+		pubkey_list_t *p;
+
+		if (addrbytesptr(&sr->this.host_nexthop, NULL)
+		&& !isanyaddr(&sr->this.host_nexthop))
+		{
+			char *n;
+
+			strcpy(nexthop_str, "PLUTO_NEXT_HOP='");
+			n = nexthop_str + strlen(nexthop_str);
+
+			addrtot(&sr->this.host_nexthop, 0
+					,n , sizeof(nexthop_str)-strlen(nexthop_str));
+			strncat(nexthop_str, "' ", sizeof(nexthop_str));
+		}
 
-	    if (fgets(resp, sizeof(resp), f) == NULL)
-	    {
-		if (ferror(f))
+		if (addrbytesptr(&sr->this.host_srcip, NULL)
+		&& !isanyaddr(&sr->this.host_srcip))
 		{
-		    log_errno((e, "fgets failed on output of %s%s command"
-			, verb, verb_suffix));
-		    return FALSE;
+			char *n;
+
+			strcpy(srcip_str, "PLUTO_MY_SOURCEIP='");
+			n = srcip_str + strlen(srcip_str);
+
+			addrtot(&sr->this.host_srcip, 0
+					,n , sizeof(srcip_str)-strlen(srcip_str));
+			strncat(srcip_str, "' ", sizeof(srcip_str));
 		}
-		else
+
+		addrtot(&sr->this.host_addr, 0, me_str, sizeof(me_str));
+		idtoa(&sr->this.id, myid_str, sizeof(myid_str));
+		escape_metachar(myid_str, secure_myid_str, sizeof(secure_myid_str));
+		subnettot(&sr->this.client, 0, myclient_str, sizeof(myclientnet_str));
+		networkof(&sr->this.client, &ta);
+		addrtot(&ta, 0, myclientnet_str, sizeof(myclientnet_str));
+		maskof(&sr->this.client, &ta);
+		addrtot(&ta, 0, myclientmask_str, sizeof(myclientmask_str));
+
+		addrtot(&sr->that.host_addr, 0, peer_str, sizeof(peer_str));
+		idtoa(&sr->that.id, peerid_str, sizeof(peerid_str));
+		escape_metachar(peerid_str, secure_peerid_str, sizeof(secure_peerid_str));
+		subnettot(&sr->that.client, 0, peerclient_str, sizeof(peerclientnet_str));
+		networkof(&sr->that.client, &ta);
+		addrtot(&ta, 0, peerclientnet_str, sizeof(peerclientnet_str));
+		maskof(&sr->that.client, &ta);
+		addrtot(&ta, 0, peerclientmask_str, sizeof(peerclientmask_str));
+
+		for (p = pubkeys; p != NULL; p = p->next)
 		{
-		    passert(feof(f));
-		    break;
+			pubkey_t *key = p->key;
+			key_type_t type = key->public_key->get_type(key->public_key);
+			int pathlen;
+
+			if (type == KEY_RSA && same_id(&sr->that.id, &key->id) &&
+				trusted_ca(key->issuer, sr->that.ca, &pathlen))
+			{
+				dntoa_or_null(peerca_str, BUF_LEN, key->issuer, "");
+				escape_metachar(peerca_str, secure_peerca_str, sizeof(secure_peerca_str));
+				break;
+			}
 		}
-	    }
-	    else
-	    {
-		char *e = resp + strlen(resp);
 
-		if (e > resp && e[-1] == '\n')
-		    e[-1] = '\0';	/* trim trailing '\n' */
-		plog("%s%s output: %s", verb, verb_suffix, resp);
-	    }
+		if (-1 == snprintf(cmd, sizeof(cmd)
+			, "2>&1 "   /* capture stderr along with stdout */
+			"PLUTO_VERSION='1.1' "      /* change VERSION when interface spec changes */
+			"PLUTO_VERB='%s%s' "
+			"PLUTO_CONNECTION='%s' "
+			"%s"        /* optional PLUTO_NEXT_HOP */
+			"PLUTO_INTERFACE='%s' "
+			"%s"        /* optional PLUTO_HOST_ACCESS */
+			"PLUTO_REQID='%u' "
+			"PLUTO_ME='%s' "
+			"PLUTO_MY_ID='%s' "
+			"PLUTO_MY_CLIENT='%s' "
+			"PLUTO_MY_CLIENT_NET='%s' "
+			"PLUTO_MY_CLIENT_MASK='%s' "
+			"PLUTO_MY_PORT='%u' "
+			"PLUTO_MY_PROTOCOL='%u' "
+			"PLUTO_PEER='%s' "
+			"PLUTO_PEER_ID='%s' "
+			"PLUTO_PEER_CLIENT='%s' "
+			"PLUTO_PEER_CLIENT_NET='%s' "
+			"PLUTO_PEER_CLIENT_MASK='%s' "
+			"PLUTO_PEER_PORT='%u' "
+			"PLUTO_PEER_PROTOCOL='%u' "
+			"PLUTO_PEER_CA='%s' "
+			"%s"        /* optional PLUTO_MY_SRCIP */
+			"%s"        /* actual script */
+			, verb, verb_suffix
+			, c->name
+			, nexthop_str
+			, c->interface->vname
+			, sr->this.hostaccess? "PLUTO_HOST_ACCESS='1' " : ""
+			, sr->reqid + 1     /* ESP requid */
+			, me_str
+			, secure_myid_str
+			, myclient_str
+			, myclientnet_str
+			, myclientmask_str
+			, sr->this.port
+			, sr->this.protocol
+			, peer_str
+			, secure_peerid_str
+			, peerclient_str
+			, peerclientnet_str
+			, peerclientmask_str
+			, sr->that.port
+			, sr->that.protocol
+			, secure_peerca_str
+			, srcip_str
+			, sr->this.updown == NULL? DEFAULT_UPDOWN : sr->this.updown))
+		{
+			loglog(RC_LOG_SERIOUS, "%s%s command too long!", verb, verb_suffix);
+			return FALSE;
+		}
 	}
 
-	/* report on and react to return code */
+	DBG(DBG_CONTROL, DBG_log("executing %s%s: %s"
+		, verb, verb_suffix, cmd));
+
+#ifdef KLIPS
+	if (!no_klips)
 	{
-	    int r = pclose(f);
+		/* invoke the script, catching stderr and stdout
+		 * It may be of concern that some file descriptors will
+		 * be inherited.  For the ones under our control, we
+		 * have done fcntl(fd, F_SETFD, FD_CLOEXEC) to prevent this.
+		 * Any used by library routines (perhaps the resolver or syslog)
+		 * will remain.
+		 */
+		FILE *f = popen(cmd, "r");
 
-	    if (r == -1)
-	    {
-		log_errno((e, "pclose failed for %s%s command"
-		    , verb, verb_suffix));
-		return FALSE;
-	    }
-	    else if (WIFEXITED(r))
-	    {
-		if (WEXITSTATUS(r) != 0)
+		if (f == NULL)
 		{
-		    loglog(RC_LOG_SERIOUS, "%s%s command exited with status %d"
-			, verb, verb_suffix, WEXITSTATUS(r));
-		    return FALSE;
+			loglog(RC_LOG_SERIOUS, "unable to popen %s%s command", verb, verb_suffix);
+			return FALSE;
+		}
+
+		/* log any output */
+		for (;;)
+		{
+			/* if response doesn't fit in this buffer, it will be folded */
+			char resp[256];
+
+			if (fgets(resp, sizeof(resp), f) == NULL)
+			{
+				if (ferror(f))
+				{
+					log_errno((e, "fgets failed on output of %s%s command"
+						, verb, verb_suffix));
+					return FALSE;
+				}
+				else
+				{
+					passert(feof(f));
+					break;
+				}
+			}
+			else
+			{
+				char *e = resp + strlen(resp);
+
+				if (e > resp && e[-1] == '\n')
+					e[-1] = '\0';       /* trim trailing '\n' */
+				plog("%s%s output: %s", verb, verb_suffix, resp);
+			}
+		}
+
+		/* report on and react to return code */
+		{
+			int r = pclose(f);
+
+			if (r == -1)
+			{
+				log_errno((e, "pclose failed for %s%s command"
+					, verb, verb_suffix));
+				return FALSE;
+			}
+			else if (WIFEXITED(r))
+			{
+				if (WEXITSTATUS(r) != 0)
+				{
+					loglog(RC_LOG_SERIOUS, "%s%s command exited with status %d"
+						, verb, verb_suffix, WEXITSTATUS(r));
+					return FALSE;
+				}
+			}
+			else if (WIFSIGNALED(r))
+			{
+				loglog(RC_LOG_SERIOUS, "%s%s command exited with signal %d"
+					, verb, verb_suffix, WTERMSIG(r));
+				return FALSE;
+			}
+			else
+			{
+				loglog(RC_LOG_SERIOUS, "%s%s command exited with unknown status %d"
+					, verb, verb_suffix, r);
+				return FALSE;
+			}
 		}
-	    }
-	    else if (WIFSIGNALED(r))
-	    {
-		loglog(RC_LOG_SERIOUS, "%s%s command exited with signal %d"
-		    , verb, verb_suffix, WTERMSIG(r));
-		return FALSE;
-	    }
-	    else
-	    {
-		loglog(RC_LOG_SERIOUS, "%s%s command exited with unknown status %d"
-		    , verb, verb_suffix, r);
-		return FALSE;
-	    }
 	}
-    }
 #endif /* KLIPS */
-    return TRUE;
+	return TRUE;
 }
 
 /* Check that we can route (and eroute).  Diagnose if we cannot. */
 
 enum routability {
-    route_impossible = 0,
-    route_easy = 1,
-    route_nearconflict = 2,
-    route_farconflict = 3
+	route_impossible = 0,
+	route_easy = 1,
+	route_nearconflict = 2,
+	route_farconflict = 3
 };
 
-static enum routability
-could_route(struct connection *c)
+static enum routability could_route(struct connection *c)
 {
-    struct spd_route *esr, *rosr;
-    struct connection *ero	/* who, if anyone, owns our eroute? */
-	, *ro = route_owner(c, &rosr, &ero, &esr); /* who owns our route? */
-
-    /* it makes no sense to route a connection that is ISAKMP-only */
-    if (!NEVER_NEGOTIATE(c->policy) && !HAS_IPSEC_POLICY(c->policy))
-    {
-	loglog(RC_ROUTE, "cannot route an ISAKMP-only connection");
-	return route_impossible;
-    }
-
-    /* if this is a Road Warrior template, we cannot route.
-     * Opportunistic template is OK.
-     */
-    if (c->kind == CK_TEMPLATE && !(c->policy & POLICY_OPPO))
-    {
-	loglog(RC_ROUTE, "cannot route Road Warrior template");
-	return route_impossible;
-    }
-
-    /* if we don't know nexthop, we cannot route */
-    if (isanyaddr(&c->spd.this.host_nexthop))
-    {
-	loglog(RC_ROUTE, "cannot route connection without knowing our nexthop");
-	return route_impossible;
-    }
-
-    /* if routing would affect IKE messages, reject */
-    if (!no_klips
-    && c->spd.this.host_port != NAT_T_IKE_FLOAT_PORT
-    && c->spd.this.host_port != IKE_UDP_PORT
-    && addrinsubnet(&c->spd.that.host_addr, &c->spd.that.client))
-    {
-	loglog(RC_LOG_SERIOUS, "cannot install route: peer is within its client");
-	return route_impossible;
-    }
-
-    /* If there is already a route for peer's client subnet
-     * and it disagrees about interface or nexthop, we cannot steal it.
-     * Note: if this connection is already routed (perhaps for another
-     * state object), the route will agree.
-     * This is as it should be -- it will arise during rekeying.
-     */
-    if (ro != NULL && !routes_agree(ro, c))
-    {
-	loglog(RC_LOG_SERIOUS, "cannot route -- route already in use for \"%s\""
-	    , ro->name);
-	return route_impossible;  /* another connection already
-				     using the eroute */
-    }
+	struct spd_route *esr, *rosr;
+	struct connection *ero      /* who, if anyone, owns our eroute? */
+		, *ro = route_owner(c, &rosr, &ero, &esr); /* who owns our route? */
 
-#ifdef KLIPS
-    /* if there is an eroute for another connection, there is a problem */
-    if (ero != NULL && ero != c)
-    {
-	struct connection *ero2, *ero_top;
-	struct connection *inside, *outside;
-
-	/*
-	 * note, wavesec (PERMANENT) goes *outside* and
-	 * OE goes *inside* (TEMPLATE)
+	/* it makes no sense to route a connection that is ISAKMP-only */
+	if (!NEVER_NEGOTIATE(c->policy) && !HAS_IPSEC_POLICY(c->policy))
+	{
+		loglog(RC_ROUTE, "cannot route an ISAKMP-only connection");
+		return route_impossible;
+	}
+
+	/* if this is a Road Warrior template, we cannot route.
+	 * Opportunistic template is OK.
 	 */
-	inside = NULL;
-	outside= NULL;
-	if (ero->kind == CK_PERMANENT
-	   && c->kind == CK_TEMPLATE)
+	if (c->kind == CK_TEMPLATE && !(c->policy & POLICY_OPPO))
 	{
-	    outside = ero;
-	    inside = c;
+		loglog(RC_ROUTE, "cannot route Road Warrior template");
+		return route_impossible;
 	}
-	else if (c->kind == CK_PERMANENT
-		&& ero->kind == CK_TEMPLATE)
+
+	/* if we don't know nexthop, we cannot route */
+	if (isanyaddr(&c->spd.this.host_nexthop))
 	{
-	    outside = c;
-	    inside = ero;
+		loglog(RC_ROUTE, "cannot route connection without knowing our nexthop");
+		return route_impossible;
 	}
 
-	/* okay, check again, with correct order */
-	if (outside && outside->kind == CK_PERMANENT
-	    && inside && inside->kind == CK_TEMPLATE)
+	/* if routing would affect IKE messages, reject */
+	if (!no_klips
+	&& c->spd.this.host_port != NAT_T_IKE_FLOAT_PORT
+	&& c->spd.this.host_port != IKE_UDP_PORT
+	&& addrinsubnet(&c->spd.that.host_addr, &c->spd.that.client))
 	{
-	    char inst[CONN_INST_BUF];
+		loglog(RC_LOG_SERIOUS, "cannot install route: peer is within its client");
+		return route_impossible;
+	}
 
-	    /* this is a co-terminal attempt of the "near" kind. */
-	    /* when chaining, we chain from inside to outside */
+	/* If there is already a route for peer's client subnet
+	 * and it disagrees about interface or nexthop, we cannot steal it.
+	 * Note: if this connection is already routed (perhaps for another
+	 * state object), the route will agree.
+	 * This is as it should be -- it will arise during rekeying.
+	 */
+	if (ro != NULL && !routes_agree(ro, c))
+	{
+		loglog(RC_LOG_SERIOUS, "cannot route -- route already in use for \"%s\""
+			, ro->name);
+		return route_impossible;  /* another connection already
+									 using the eroute */
+	}
 
-	    /* XXX permit multiple deep connections? */
-	    passert(inside->policy_next == NULL);
+#ifdef KLIPS
+	/* if there is an eroute for another connection, there is a problem */
+	if (ero != NULL && ero != c)
+	{
+		struct connection *ero2, *ero_top;
+		struct connection *inside, *outside;
 
-	    inside->policy_next = outside;
+		/*
+		 * note, wavesec (PERMANENT) goes *outside* and
+		 * OE goes *inside* (TEMPLATE)
+		 */
+		inside = NULL;
+		outside= NULL;
+		if (ero->kind == CK_PERMANENT
+		   && c->kind == CK_TEMPLATE)
+		{
+			outside = ero;
+			inside = c;
+		}
+		else if (c->kind == CK_PERMANENT
+				&& ero->kind == CK_TEMPLATE)
+		{
+			outside = c;
+			inside = ero;
+		}
 
-	    /* since we are going to steal the eroute from the secondary
-	     * policy, we need to make sure that it no longer thinks that
-	     * it owns the eroute.
-	     */
-	    outside->spd.eroute_owner = SOS_NOBODY;
-	    outside->spd.routing = RT_UNROUTED_KEYED;
+		/* okay, check again, with correct order */
+		if (outside && outside->kind == CK_PERMANENT
+			&& inside && inside->kind == CK_TEMPLATE)
+		{
+			char inst[CONN_INST_BUF];
 
-	    /* set the priority of the new eroute owner to be higher
-	     * than that of the current eroute owner
-	     */
-	    inside->prio = outside->prio + 1;
+			/* this is a co-terminal attempt of the "near" kind. */
+			/* when chaining, we chain from inside to outside */
 
-	    fmt_conn_instance(inside, inst);
+			/* XXX permit multiple deep connections? */
+			passert(inside->policy_next == NULL);
 
-	    loglog(RC_LOG_SERIOUS
-		   , "conflict on eroute (%s), switching eroute to %s and linking %s"
-		   , inst, inside->name, outside->name);
+			inside->policy_next = outside;
 
-	    return route_nearconflict;
-	}
+			/* since we are going to steal the eroute from the secondary
+			 * policy, we need to make sure that it no longer thinks that
+			 * it owns the eroute.
+			 */
+			outside->spd.eroute_owner = SOS_NOBODY;
+			outside->spd.routing = RT_UNROUTED_KEYED;
 
-	/* look along the chain of policies for one with the same name */
-	ero_top = ero;
+			/* set the priority of the new eroute owner to be higher
+			 * than that of the current eroute owner
+			 */
+			inside->prio = outside->prio + 1;
 
-	for (ero2 = ero; ero2 != NULL; ero2 = ero->policy_next)
-	{
-	    if (ero2->kind == CK_TEMPLATE
-	    && streq(ero2->name, c->name))
-		break;
-	}
+			fmt_conn_instance(inside, inst);
 
-	/* If we fell of the end of the list, then we found no TEMPLATE
-	 * so there must be a conflict that we can't resolve.
-	 * As the names are not equal, then we aren't replacing/rekeying.
-	 */
-	if (ero2 == NULL)
-	{
-	    char inst[CONN_INST_BUF];
+			loglog(RC_LOG_SERIOUS
+				   , "conflict on eroute (%s), switching eroute to %s and linking %s"
+				   , inst, inside->name, outside->name);
+
+			return route_nearconflict;
+		}
+
+		/* look along the chain of policies for one with the same name */
+		ero_top = ero;
+
+		for (ero2 = ero; ero2 != NULL; ero2 = ero->policy_next)
+		{
+			if (ero2->kind == CK_TEMPLATE
+			&& streq(ero2->name, c->name))
+				break;
+		}
+
+		/* If we fell of the end of the list, then we found no TEMPLATE
+		 * so there must be a conflict that we can't resolve.
+		 * As the names are not equal, then we aren't replacing/rekeying.
+		 */
+		if (ero2 == NULL)
+		{
+			char inst[CONN_INST_BUF];
 
-	    fmt_conn_instance(ero, inst);
+			fmt_conn_instance(ero, inst);
 
-	    loglog(RC_LOG_SERIOUS
-		, "cannot install eroute -- it is in use for \"%s\"%s #%lu"
-		, ero->name, inst, esr->eroute_owner);
-	    return FALSE;	/* another connection already using the eroute */
+			loglog(RC_LOG_SERIOUS
+				, "cannot install eroute -- it is in use for \"%s\"%s #%lu"
+				, ero->name, inst, esr->eroute_owner);
+			return FALSE;       /* another connection already using the eroute */
+		}
 	}
-    }
 #endif /* KLIPS */
-    return route_easy;
+	return route_easy;
 }
 
-bool
-trap_connection(struct connection *c)
+bool trap_connection(struct connection *c)
 {
-    switch (could_route(c))
-    {
-    case route_impossible:
-	return FALSE;
-
-    case route_nearconflict:
-    case route_easy:
-	/* RT_ROUTED_TUNNEL is treated specially: we don't override
-	 * because we don't want to lose track of the IPSEC_SAs etc.
-	 */
-	if (c->spd.routing < RT_ROUTED_TUNNEL)
+	switch (could_route(c))
 	{
-	    return route_and_eroute(c, &c->spd, NULL);
+	case route_impossible:
+		return FALSE;
+
+	case route_nearconflict:
+	case route_easy:
+		/* RT_ROUTED_TUNNEL is treated specially: we don't override
+		 * because we don't want to lose track of the IPSEC_SAs etc.
+		 */
+		if (c->spd.routing < RT_ROUTED_TUNNEL)
+		{
+			return route_and_eroute(c, &c->spd, NULL);
+		}
+		return TRUE;
+
+	case route_farconflict:
+		return FALSE;
 	}
-	return TRUE;
 
-    case route_farconflict:
 	return FALSE;
-    }
-
-    return FALSE;
 }
 
-/* delete any eroute for a connection and unroute it if route isn't shared */
-void
-unroute_connection(struct connection *c)
+/**
+ * Delete any eroute for a connection and unroute it if route isn't shared
+ */
+void unroute_connection(struct connection *c)
 {
-    struct spd_route *sr;
-    enum routing_t cr;
-
-    for (sr = &c->spd; sr; sr = sr->next)
-    {
-	cr = sr->routing;
+	struct spd_route *sr;
+	enum routing_t cr;
 
-	if (erouted(cr))
+	for (sr = &c->spd; sr; sr = sr->next)
 	{
-	    /* cannot handle a live one */
-	    passert(sr->routing != RT_ROUTED_TUNNEL);
+		cr = sr->routing;
+
+		if (erouted(cr))
+		{
+			/* cannot handle a live one */
+			passert(sr->routing != RT_ROUTED_TUNNEL);
 #ifdef KLIPS
-	    shunt_eroute(c, sr, RT_UNROUTED, ERO_DELETE, "delete");
+			shunt_eroute(c, sr, RT_UNROUTED, ERO_DELETE, "delete");
 #endif
-	}
+		}
 
-	sr->routing = RT_UNROUTED;  /* do now so route_owner won't find us */
+		sr->routing = RT_UNROUTED;  /* do now so route_owner won't find us */
 
-	/* only unroute if no other connection shares it */
-	if (routed(cr) && route_owner(c, NULL, NULL, NULL) == NULL)
-	    (void) do_command(c, sr, "unroute");
-    }
+		/* only unroute if no other connection shares it */
+		if (routed(cr) && route_owner(c, NULL, NULL, NULL) == NULL)
+			(void) do_command(c, sr, "unroute");
+	}
 }
 
 
 #ifdef KLIPS
 
-static void
-set_text_said(char *text_said, const ip_address *dst, ipsec_spi_t spi, int proto)
+static void set_text_said(char *text_said, const ip_address *dst,
+						  ipsec_spi_t spi, int proto)
 {
-    ip_said said;
+	ip_said said;
 
-    initsaid(dst, spi, proto, &said);
-    satot(&said, 0, text_said, SATOT_BUF);
+	initsaid(dst, spi, proto, &said);
+	satot(&said, 0, text_said, SATOT_BUF);
 }
 
 /* find an entry in the bare_shunt table.
  * Trick: return a pointer to the pointer to the entry;
  * this allows the entry to be deleted.
  */
-static struct bare_shunt **
-bare_shunt_ptr(const ip_subnet *ours, const ip_subnet *his, int transport_proto)
+static struct bare_shunt** bare_shunt_ptr(const ip_subnet *ours,
+										  const ip_subnet *his, 
+										  int transport_proto)
 {
-    struct bare_shunt *p, **pp;
-
-    for (pp = &bare_shunts; (p = *pp) != NULL; pp = &p->next)
-    {
-	if (samesubnet(ours, &p->ours)
-	&& samesubnet(his, &p->his)
-	&& transport_proto == p->transport_proto
-	&& portof(&ours->addr) == portof(&p->ours.addr)
-	&& portof(&his->addr) == portof(&p->his.addr))
-	    return pp;
-    }
-    return NULL;
+	struct bare_shunt *p, **pp;
+
+	for (pp = &bare_shunts; (p = *pp) != NULL; pp = &p->next)
+	{
+		if (samesubnet(ours, &p->ours)
+		&& samesubnet(his, &p->his)
+		&& transport_proto == p->transport_proto
+		&& portof(&ours->addr) == portof(&p->ours.addr)
+		&& portof(&his->addr) == portof(&p->his.addr))
+			return pp;
+	}
+	return NULL;
 }
 
 /* free a bare_shunt entry, given a pointer to the pointer */
-static void
-free_bare_shunt(struct bare_shunt **pp)
+static void free_bare_shunt(struct bare_shunt **pp)
 {
-    if (pp == NULL)
-    {
-	DBG(DBG_CONTROL,
-	    DBG_log("delete bare shunt: null pointer")
-	)
-    }
-    else
-    {
-	struct bare_shunt *p = *pp;
-
-	*pp = p->next;
-	DBG_bare_shunt("delete", p);
-	pfree(p->why);
-	pfree(p);
-    }
+	if (pp == NULL)
+	{
+		DBG(DBG_CONTROL,
+			DBG_log("delete bare shunt: null pointer")
+		)
+	}
+	else
+	{
+		struct bare_shunt *p = *pp;
+
+		*pp = p->next;
+		DBG_bare_shunt("delete", p);
+		free(p->why);
+		free(p);
+	}
 }
 
 void
 show_shunt_status(void)
 {
-    struct bare_shunt *bs;
-
-    for (bs = bare_shunts; bs != NULL; bs = bs->next)
-    {
-	/* Print interesting fields.  Ignore count and last_active. */
-
-	int ourport = ntohs(portof(&bs->ours.addr));
-	int hisport = ntohs(portof(&bs->his.addr));
-	char ourst[SUBNETTOT_BUF];
-	char hist[SUBNETTOT_BUF];
-	char sat[SATOT_BUF];
-	char prio[POLICY_PRIO_BUF];
-
-	subnettot(&(bs)->ours, 0, ourst, sizeof(ourst));
-	subnettot(&(bs)->his, 0, hist, sizeof(hist));
-	satot(&(bs)->said, 0, sat, sizeof(sat));
-	fmt_policy_prio(bs->policy_prio, prio);
-
-	whack_log(RC_COMMENT, "%s:%d -> %s:%d => %s:%d %s    %s"
-	    , ourst, ourport, hist, hisport, sat, bs->transport_proto
-	    , prio, bs->why);
-    }
-    if (bare_shunts != NULL)
-	whack_log(RC_COMMENT, BLANK_FORMAT);	/* spacer */
+	struct bare_shunt *bs;
+
+	for (bs = bare_shunts; bs != NULL; bs = bs->next)
+	{
+		/* Print interesting fields.  Ignore count and last_active. */
+
+		int ourport = ntohs(portof(&bs->ours.addr));
+		int hisport = ntohs(portof(&bs->his.addr));
+		char ourst[SUBNETTOT_BUF];
+		char hist[SUBNETTOT_BUF];
+		char sat[SATOT_BUF];
+		char prio[POLICY_PRIO_BUF];
+
+		subnettot(&(bs)->ours, 0, ourst, sizeof(ourst));
+		subnettot(&(bs)->his, 0, hist, sizeof(hist));
+		satot(&(bs)->said, 0, sat, sizeof(sat));
+		fmt_policy_prio(bs->policy_prio, prio);
+
+		whack_log(RC_COMMENT, "%s:%d -> %s:%d => %s:%d %s    %s"
+			, ourst, ourport, hist, hisport, sat, bs->transport_proto
+			, prio, bs->why);
+	}
+	if (bare_shunts != NULL)
+		whack_log(RC_COMMENT, BLANK_FORMAT);    /* spacer */
 }
 
 /* Setup an IPsec route entry.
  * op is one of the ERO_* operators.
  */
 
-static bool
-raw_eroute(const ip_address *this_host
-	   , const ip_subnet *this_client
-	   , const ip_address *that_host
-	   , const ip_subnet *that_client
-	   , ipsec_spi_t spi
-	   , unsigned int proto
-	   , unsigned int satype
-	   , unsigned int transport_proto
-	   , const struct pfkey_proto_info *proto_info
-	   , time_t use_lifetime
-	   , unsigned int op
-	   , const char *opname USED_BY_DEBUG)
+static bool raw_eroute(const ip_address *this_host,
+					   const ip_subnet *this_client,
+					   const ip_address *that_host,
+					   const ip_subnet *that_client,
+		   			   ipsec_spi_t spi,
+		   			   unsigned int proto,
+					   unsigned int satype,
+					   unsigned int transport_proto,
+					   const struct pfkey_proto_info *proto_info,
+					   time_t use_lifetime,
+					   unsigned int op,
+					   const char *opname USED_BY_DEBUG)
 {
-    char text_said[SATOT_BUF];
-
-    set_text_said(text_said, that_host, spi, proto);
-
-    DBG(DBG_CONTROL | DBG_KLIPS,
-	{
-	    int sport = ntohs(portof(&this_client->addr));
-	    int dport = ntohs(portof(&that_client->addr));
-	    char mybuf[SUBNETTOT_BUF];
-	    char peerbuf[SUBNETTOT_BUF];
+	char text_said[SATOT_BUF];
 
-	    subnettot(this_client, 0, mybuf, sizeof(mybuf));
-	    subnettot(that_client, 0, peerbuf, sizeof(peerbuf));
-	    DBG_log("%s eroute %s:%d -> %s:%d => %s:%d"
-		, opname, mybuf, sport, peerbuf, dport
-		, text_said, transport_proto);
-	});
+	set_text_said(text_said, that_host, spi, proto);
 
-    return kernel_ops->raw_eroute(this_host, this_client
-	, that_host, that_client, spi, satype, transport_proto, proto_info
-	, use_lifetime, op, text_said);
+	DBG(DBG_CONTROL | DBG_KLIPS,
+		{
+			int sport = ntohs(portof(&this_client->addr));
+			int dport = ntohs(portof(&that_client->addr));
+			char mybuf[SUBNETTOT_BUF];
+			char peerbuf[SUBNETTOT_BUF];
+
+			subnettot(this_client, 0, mybuf, sizeof(mybuf));
+			subnettot(that_client, 0, peerbuf, sizeof(peerbuf));
+			DBG_log("%s eroute %s:%d -> %s:%d => %s:%d"
+				, opname, mybuf, sport, peerbuf, dport
+				, text_said, transport_proto);
+		});
+
+	return kernel_ops->raw_eroute(this_host, this_client
+		, that_host, that_client, spi, satype, transport_proto, proto_info
+		, use_lifetime, op, text_said);
 }
 
 /* test to see if %hold remains */
-bool
-has_bare_hold(const ip_address *src, const ip_address *dst, int transport_proto)
+bool has_bare_hold(const ip_address *src, const ip_address *dst,
+				   int transport_proto)
 {
-    ip_subnet this_client, that_client;
-    struct bare_shunt **bspp;
-
-    passert(addrtypeof(src) == addrtypeof(dst));
-    happy(addrtosubnet(src, &this_client));
-    happy(addrtosubnet(dst, &that_client));
-    bspp = bare_shunt_ptr(&this_client, &that_client, transport_proto);
-    return bspp != NULL
-	&& (*bspp)->said.proto == SA_INT && (*bspp)->said.spi == htonl(SPI_HOLD);
+	ip_subnet this_client, that_client;
+	struct bare_shunt **bspp;
+
+	passert(addrtypeof(src) == addrtypeof(dst));
+	happy(addrtosubnet(src, &this_client));
+	happy(addrtosubnet(dst, &that_client));
+	bspp = bare_shunt_ptr(&this_client, &that_client, transport_proto);
+	return bspp != NULL
+		&& (*bspp)->said.proto == SA_INT && (*bspp)->said.spi == htonl(SPI_HOLD);
 }
 
 
 /* Replace (or delete) a shunt that is in the bare_shunts table.
  * Issues the PF_KEY commands and updates the bare_shunts table.
  */
-bool
-replace_bare_shunt(const ip_address *src, const ip_address *dst
-		   , policy_prio_t policy_prio
-		   , ipsec_spi_t shunt_spi	/* in host order! */
-		   , bool repl	/* if TRUE, replace; if FALSE, delete */
-		   , unsigned int transport_proto
-		   , const char *why)
+bool replace_bare_shunt(const ip_address *src, const ip_address *dst,
+						policy_prio_t policy_prio, ipsec_spi_t shunt_spi,
+						bool repl, unsigned int transport_proto, const char *why)
 {
-    ip_subnet this_client, that_client;
-    ip_subnet this_broad_client, that_broad_client;
-    const ip_address *null_host = aftoinfo(addrtypeof(src))->any;
-
-    passert(addrtypeof(src) == addrtypeof(dst));
-    happy(addrtosubnet(src, &this_client));
-    happy(addrtosubnet(dst, &that_client));
-    this_broad_client = this_client;
-    that_broad_client = that_client;
-    setportof(0, &this_broad_client.addr);
-    setportof(0, &that_broad_client.addr);
-
-    if (repl)
-    {
-	struct bare_shunt **bs_pp = bare_shunt_ptr(&this_broad_client
-						 , &that_broad_client, 0);
-
-	/* is there already a broad host-to-host bare shunt? */
-	if (bs_pp == NULL)
-	{
-	    if (raw_eroute(null_host, &this_broad_client, null_host, &that_broad_client
-			   , htonl(shunt_spi), SA_INT, SADB_X_SATYPE_INT
-			   , 0, null_proto_info
-			   , SHUNT_PATIENCE, ERO_ADD, why))
-	    {
-		struct bare_shunt *bs = alloc_thing(struct bare_shunt, "bare shunt");
-
-		bs->ours = this_broad_client;
-		bs->his =  that_broad_client;
-		bs->transport_proto = 0;
-		bs->said.proto = SA_INT;
-		bs->why = clone_str(why, "bare shunt story");
-		bs->policy_prio = policy_prio;
-		bs->said.spi = htonl(shunt_spi);
-		bs->said.dst = *null_host;
-		bs->count = 0;
-		bs->last_activity = now();
-		bs->next = bare_shunts;
-		bare_shunts = bs;
-		DBG_bare_shunt("add", bs);
-	    }
+	ip_subnet this_client, that_client;
+	ip_subnet this_broad_client, that_broad_client;
+	const ip_address *null_host = aftoinfo(addrtypeof(src))->any;
+
+	passert(addrtypeof(src) == addrtypeof(dst));
+	happy(addrtosubnet(src, &this_client));
+	happy(addrtosubnet(dst, &that_client));
+	this_broad_client = this_client;
+	that_broad_client = that_client;
+	setportof(0, &this_broad_client.addr);
+	setportof(0, &that_broad_client.addr);
+
+	if (repl)
+	{
+		struct bare_shunt **bs_pp = bare_shunt_ptr(&this_broad_client
+												 , &that_broad_client, 0);
+
+		/* is there already a broad host-to-host bare shunt? */
+		if (bs_pp == NULL)
+		{
+			if (raw_eroute(null_host, &this_broad_client, null_host, &that_broad_client
+						   , htonl(shunt_spi), SA_INT, SADB_X_SATYPE_INT
+						   , 0, null_proto_info
+						   , SHUNT_PATIENCE, ERO_ADD, why))
+			{
+				struct bare_shunt *bs = malloc_thing(struct bare_shunt);
+
+				bs->ours = this_broad_client;
+				bs->his =  that_broad_client;
+				bs->transport_proto = 0;
+				bs->said.proto = SA_INT;
+				bs->why = clone_str(why);
+				bs->policy_prio = policy_prio;
+				bs->said.spi = htonl(shunt_spi);
+				bs->said.dst = *null_host;
+				bs->count = 0;
+				bs->last_activity = now();
+				bs->next = bare_shunts;
+				bare_shunts = bs;
+				DBG_bare_shunt("add", bs);
+			}
+		}
+		shunt_spi = SPI_HOLD;
 	}
-	shunt_spi = SPI_HOLD;
-    }
 
-    if (raw_eroute(null_host, &this_client, null_host, &that_client
-		   , htonl(shunt_spi), SA_INT, SADB_X_SATYPE_INT
-		   , transport_proto, null_proto_info
-		   , SHUNT_PATIENCE, ERO_DELETE, why))
-    {
-	struct bare_shunt **bs_pp = bare_shunt_ptr(&this_client, &that_client
-					, transport_proto);
+	if (raw_eroute(null_host, &this_client, null_host, &that_client
+				   , htonl(shunt_spi), SA_INT, SADB_X_SATYPE_INT
+				   , transport_proto, null_proto_info
+				   , SHUNT_PATIENCE, ERO_DELETE, why))
+	{
+		struct bare_shunt **bs_pp = bare_shunt_ptr(&this_client, &that_client
+										, transport_proto);
 
-	/* delete bare eroute */
-	free_bare_shunt(bs_pp);
-	return TRUE;
-    }
-    else
-    {
-	return FALSE;
-    }
+		/* delete bare eroute */
+		free_bare_shunt(bs_pp);
+		return TRUE;
+	}
+	else
+	{
+		return FALSE;
+	}
 }
 
-static bool
-eroute_connection(struct spd_route *sr
-, ipsec_spi_t spi, unsigned int proto, unsigned int satype
-, const struct pfkey_proto_info *proto_info
-, unsigned int op, const char *opname)
+static bool eroute_connection(struct spd_route *sr, ipsec_spi_t spi,
+							  unsigned int proto, unsigned int satype,
+							  const struct pfkey_proto_info *proto_info,
+							  unsigned int op, const char *opname)
 {
-    const ip_address *peer = &sr->that.host_addr;
-    char buf2[256];
+	const ip_address *peer = &sr->that.host_addr;
+	char buf2[256];
 
-    snprintf(buf2, sizeof(buf2)
-	     , "eroute_connection %s", opname);
+	snprintf(buf2, sizeof(buf2)
+			 , "eroute_connection %s", opname);
 
-    if (proto == SA_INT)
-	peer = aftoinfo(addrtypeof(peer))->any;
+	if (proto == SA_INT)
+		peer = aftoinfo(addrtypeof(peer))->any;
 
-    return raw_eroute(&sr->this.host_addr, &sr->this.client
-		      , peer
-		      , &sr->that.client
-		      , spi, proto, satype
-		      , sr->this.protocol, proto_info, 0, op, buf2);
+	return raw_eroute(&sr->this.host_addr, &sr->this.client
+					  , peer
+					  , &sr->that.client
+					  , spi, proto, satype
+					  , sr->this.protocol, proto_info, 0, op, buf2);
 }
 
 /* assign a bare hold to a connection */
 
-bool
-assign_hold(struct connection *c USED_BY_DEBUG
-	    , struct spd_route *sr
-	    , int transport_proto
-	    , const ip_address *src, const ip_address *dst)
-{
-    /* either the automatically installed %hold eroute is broad enough
-     * or we try to add a broader one and delete the automatic one.
-     * Beware: this %hold might be already handled, but still squeak
-     * through because of a race.
-     */
-    enum routing_t ro = sr->routing	/* routing, old */
-	, rn = ro;			/* routing, new */
-
-    passert(LHAS(LELEM(CK_PERMANENT) | LELEM(CK_INSTANCE), c->kind));
-    /* figure out what routing should become */
-    switch (ro)
-    {
-    case RT_UNROUTED:
-	rn = RT_UNROUTED_HOLD;
-	break;
-    case RT_ROUTED_PROSPECTIVE:
-	rn = RT_ROUTED_HOLD;
-	break;
-    default:
-	/* no change: this %hold is old news and should just be deleted */
-	break;
-    }
-
-    /* we need a broad %hold, not the narrow one.
-     * First we ensure that there is a broad %hold.
-     * There may already be one (race condition): no need to create one.
-     * There may already be a %trap: replace it.
-     * There may not be any broad eroute: add %hold.
-     * Once the broad %hold is in place, delete the narrow one.
-     */
-    if (rn != ro)
-    {
-	if (erouted(ro)
-	? !eroute_connection(sr, htonl(SPI_HOLD), SA_INT, SADB_X_SATYPE_INT
-		, null_proto_info
-		, ERO_REPLACE, "replace %trap with broad %hold")
-	: !eroute_connection(sr, htonl(SPI_HOLD), SA_INT, SADB_X_SATYPE_INT
-		, null_proto_info
-		, ERO_ADD, "add broad %hold"))
-	{
-	    return FALSE;
-	}
-    }
-    if (!replace_bare_shunt(src, dst, BOTTOM_PRIO, SPI_HOLD, FALSE
-    , transport_proto, "delete narrow %hold"))
-    {
-	return FALSE;
-    }
-    sr->routing = rn;
-    return TRUE;
-}
-
-/* install or remove eroute for SA Group */
-static bool
-sag_eroute(struct state *st, struct spd_route *sr
-	   , unsigned op, const char *opname)
-{
-    u_int inner_proto = 0;
-    u_int inner_satype = 0;
-    ipsec_spi_t inner_spi = 0;
-    struct pfkey_proto_info proto_info[4];
-    int i;
-    bool tunnel;
-
-    /* figure out the SPI and protocol (in two forms)
-     * for the innermost transformation.
-     */
-
-    i = sizeof(proto_info) / sizeof(proto_info[0]) - 1;
-    proto_info[i].proto = 0;
-    tunnel = FALSE;
-
-    if (st->st_ah.present)
-    {
-	inner_spi = st->st_ah.attrs.spi;
-	inner_proto = SA_AH;
-	inner_satype = SADB_SATYPE_AH;
-
-	i--;
-	proto_info[i].proto = IPPROTO_AH;
-	proto_info[i].encapsulation = st->st_ah.attrs.encapsulation;
-	tunnel |= proto_info[i].encapsulation == ENCAPSULATION_MODE_TUNNEL;
-	proto_info[i].reqid = sr->reqid;
-    }
-
-    if (st->st_esp.present)
-    {
-	inner_spi = st->st_esp.attrs.spi;
-	inner_proto = SA_ESP;
-	inner_satype = SADB_SATYPE_ESP;
-
-	i--;
-	proto_info[i].proto = IPPROTO_ESP;
-	proto_info[i].encapsulation = st->st_esp.attrs.encapsulation;
-	tunnel |= proto_info[i].encapsulation == ENCAPSULATION_MODE_TUNNEL;
-	proto_info[i].reqid = sr->reqid + 1;
-    }
-
-    if (st->st_ipcomp.present)
-    {
-	inner_spi = st->st_ipcomp.attrs.spi;
-	inner_proto = SA_COMP;
-	inner_satype = SADB_X_SATYPE_COMP;
-
-	i--;
-	proto_info[i].proto = IPPROTO_COMP;
-	proto_info[i].encapsulation = st->st_ipcomp.attrs.encapsulation;
-	tunnel |= proto_info[i].encapsulation == ENCAPSULATION_MODE_TUNNEL;
-	proto_info[i].reqid = sr->reqid + 2;
-    }
-
-    if (i == sizeof(proto_info) / sizeof(proto_info[0]) - 1)
-    {
-	impossible();	/* no transform at all! */
-    }
-
-    if (tunnel)
-    {
-	int j;
-
-	inner_spi = st->st_tunnel_out_spi;
-	inner_proto = SA_IPIP;
-	inner_satype = SADB_X_SATYPE_IPIP;
-
-	proto_info[i].encapsulation = ENCAPSULATION_MODE_TUNNEL;
-	for (j = i + 1; proto_info[j].proto; j++)
-	{
-	    proto_info[j].encapsulation = ENCAPSULATION_MODE_TRANSPORT;
-	}
-    }
-
-    return eroute_connection(sr
-	, inner_spi, inner_proto, inner_satype, proto_info + i
-	, op, opname);
-}
-
-/* compute a (host-order!) SPI to implement the policy in connection c */
-ipsec_spi_t
-shunt_policy_spi(struct connection *c, bool prospective)
+bool assign_hold(struct connection *c USED_BY_DEBUG, struct spd_route *sr,
+				 int transport_proto,
+				 const ip_address *src,
+				 const ip_address *dst)
 {
-    /* note: these are in host order :-( */
-    static const ipsec_spi_t shunt_spi[] =
-    {
-	SPI_TRAP,	/* --initiateontraffic */
-	SPI_PASS,	/* --pass */
-	SPI_DROP,	/* --drop */
-	SPI_REJECT,	/* --reject */
-    };
-
-    static const ipsec_spi_t fail_spi[] =
-    {
-	0,	/* --none*/
-	SPI_PASS,	/* --failpass */
-	SPI_DROP,	/* --faildrop */
-	SPI_REJECT,	/* --failreject */
-    };
-
-    return prospective
-	? shunt_spi[(c->policy & POLICY_SHUNT_MASK) >> POLICY_SHUNT_SHIFT]
-	: fail_spi[(c->policy & POLICY_FAIL_MASK) >> POLICY_FAIL_SHIFT];
-}
+	/* either the automatically installed %hold eroute is broad enough
+	 * or we try to add a broader one and delete the automatic one.
+	 * Beware: this %hold might be already handled, but still squeak
+	 * through because of a race.
+	 */
+	enum routing_t ro = sr->routing     /* routing, old */
+		, rn = ro;                      /* routing, new */
 
-/* Add/replace/delete a shunt eroute.
- * Such an eroute determines the fate of packets without the use
- * of any SAs.  These are defaults, in effect.
- * If a negotiation has not been attempted, use %trap.
- * If negotiation has failed, the choice between %trap/%pass/%drop/%reject
- * is specified in the policy of connection c.
- */
-static bool
-shunt_eroute(struct connection *c
-, struct spd_route *sr
-, enum routing_t rt_kind
-, unsigned int op, const char *opname)
-{
-    /* We are constructing a special SAID for the eroute.
-     * The destination doesn't seem to matter, but the family does.
-     * The protocol is SA_INT -- mark this as shunt.
-     * The satype has no meaning, but is required for PF_KEY header!
-     * The SPI signifies the kind of shunt.
-     */
-    ipsec_spi_t spi = shunt_policy_spi(c, rt_kind == RT_ROUTED_PROSPECTIVE);
-    bool ok;
-
-    if (spi == 0)
-    {
-	/* we're supposed to end up with no eroute: rejig op and opname */
-	switch (op)
-	{
-	case ERO_REPLACE:
-	    /* replace with nothing == delete */
-	    op = ERO_DELETE;
-	    opname = "delete";
-	    break;
-	case ERO_ADD:
-	    /* add nothing == do nothing */
-	    return TRUE;
-	case ERO_DELETE:
-	    /* delete remains delete */
-	    break;
+	passert(LHAS(LELEM(CK_PERMANENT) | LELEM(CK_INSTANCE), c->kind));
+	/* figure out what routing should become */
+	switch (ro)
+	{
+	case RT_UNROUTED:
+		rn = RT_UNROUTED_HOLD;
+		break;
+	case RT_ROUTED_PROSPECTIVE:
+		rn = RT_ROUTED_HOLD;
+		break;
 	default:
-	    bad_case(op);
+		/* no change: this %hold is old news and should just be deleted */
+		break;
 	}
-    }
-    if (sr->routing == RT_ROUTED_ECLIPSED && c->kind == CK_TEMPLATE)
-    {
-	/* We think that we have an eroute, but we don't.
-	 * Adjust the request and account for eclipses.
+
+	/* we need a broad %hold, not the narrow one.
+	 * First we ensure that there is a broad %hold.
+	 * There may already be one (race condition): no need to create one.
+	 * There may already be a %trap: replace it.
+	 * There may not be any broad eroute: add %hold.
+	 * Once the broad %hold is in place, delete the narrow one.
 	 */
-	passert(eclipsable(sr));
-	switch (op)
-	{
-	case ERO_REPLACE:
-	    /* really an add */
-	    op = ERO_ADD;
-	    opname = "replace eclipsed";
-	    eclipse_count--;
-	    break;
-	case ERO_DELETE:
-	    /* delete unnecessary: we don't actually have an eroute */
-	    eclipse_count--;
-	    return TRUE;
-	case ERO_ADD:
-	default:
-	    bad_case(op);
+	if (rn != ro)
+	{
+		if (erouted(ro)
+		? !eroute_connection(sr, htonl(SPI_HOLD), SA_INT, SADB_X_SATYPE_INT
+				, null_proto_info
+				, ERO_REPLACE, "replace %trap with broad %hold")
+		: !eroute_connection(sr, htonl(SPI_HOLD), SA_INT, SADB_X_SATYPE_INT
+				, null_proto_info
+				, ERO_ADD, "add broad %hold"))
+		{
+			return FALSE;
+		}
 	}
-    }
-    else if (eclipse_count > 0 && op == ERO_DELETE && eclipsable(sr))
-    {
-	/* maybe we are uneclipsing something */
-	struct spd_route *esr;
-	struct connection *ue = eclipsed(c, &esr);
-
-	if (ue != NULL)
-	{
-	    esr->routing = RT_ROUTED_PROSPECTIVE;
-	    return shunt_eroute(ue, esr
-				, RT_ROUTED_PROSPECTIVE, ERO_REPLACE, "restoring eclipsed");
-	}
-    }
-
-    ok = TRUE;
-    if (kernel_ops->inbound_eroute)
-    {
-	ok = raw_eroute(&c->spd.that.host_addr, &c->spd.that.client
-	    , &c->spd.this.host_addr, &c->spd.this.client
-	    , htonl(spi), SA_INT, SADB_X_SATYPE_INT
-	    , 0, null_proto_info, 0
-	    , op | (SADB_X_SAFLAGS_INFLOW << ERO_FLAG_SHIFT), opname);
-    }
-    return eroute_connection(sr, htonl(spi), SA_INT, SADB_X_SATYPE_INT
-	, null_proto_info, op, opname) && ok;
+	if (!replace_bare_shunt(src, dst, BOTTOM_PRIO, SPI_HOLD, FALSE
+	, transport_proto, "delete narrow %hold"))
+	{
+		return FALSE;
+	}
+	sr->routing = rn;
+	return TRUE;
 }
 
-
-/*
- * This is only called when s is a likely SAID with  trailing protocol i.e.
- * it has the form :-
- *
- *   %<keyword>:p
- *   <ip-proto><spi>@a.b.c.d:p
- *
- * The task here is to remove the ":p" part so that the rest can be read
- * by another routine.
- */
-static const char *
-read_proto(const char * s, size_t * len, int * transport_proto)
+/* install or remove eroute for SA Group */
+static bool sag_eroute(struct state *st, struct spd_route *sr,
+					   unsigned op, const char *opname)
 {
-    const char * p;
-    const char * ugh;
-    unsigned long proto;
-    size_t l;
-
-    l = *len;
-    p = memchr(s, ':', l);
-    if (p == 0) {
-        *transport_proto = 0;
-        return 0;
-    }
-    ugh = ttoul(p+1, l-((p-s)+1), 10, &proto);
-    if (ugh != 0)
-        return ugh;
-    if (proto > 65535)
-        return "protocol number is too large, legal range is 0-65535";
-    *len = p-s;
-    *transport_proto = proto;
-    return 0;
-}
+	u_int inner_proto = 0;
+	u_int inner_satype = 0;
+	ipsec_spi_t inner_spi = 0;
+	struct pfkey_proto_info proto_info[4];
+	int i;
+	bool tunnel;
+
+	/* figure out the SPI and protocol (in two forms)
+	 * for the innermost transformation.
+	 */
 
+	i = sizeof(proto_info) / sizeof(proto_info[0]) - 1;
+	proto_info[i].proto = 0;
+	tunnel = FALSE;
 
-/* scan /proc/net/ipsec_eroute every once in a while, looking for:
+	if (st->st_ah.present)
+	{
+		inner_spi = st->st_ah.attrs.spi;
+		inner_proto = SA_AH;
+		inner_satype = SADB_SATYPE_AH;
+
+		i--;
+		proto_info[i].proto = IPPROTO_AH;
+		proto_info[i].encapsulation = st->st_ah.attrs.encapsulation;
+		tunnel |= proto_info[i].encapsulation == ENCAPSULATION_MODE_TUNNEL;
+		proto_info[i].reqid = sr->reqid;
+	}
+
+	if (st->st_esp.present)
+	{
+		inner_spi = st->st_esp.attrs.spi;
+		inner_proto = SA_ESP;
+		inner_satype = SADB_SATYPE_ESP;
+
+		i--;
+		proto_info[i].proto = IPPROTO_ESP;
+		proto_info[i].encapsulation = st->st_esp.attrs.encapsulation;
+		tunnel |= proto_info[i].encapsulation == ENCAPSULATION_MODE_TUNNEL;
+		proto_info[i].reqid = sr->reqid + 1;
+	}
+
+	if (st->st_ipcomp.present)
+	{
+		inner_spi = st->st_ipcomp.attrs.spi;
+		inner_proto = SA_COMP;
+		inner_satype = SADB_X_SATYPE_COMP;
+
+		i--;
+		proto_info[i].proto = IPPROTO_COMP;
+		proto_info[i].encapsulation = st->st_ipcomp.attrs.encapsulation;
+		tunnel |= proto_info[i].encapsulation == ENCAPSULATION_MODE_TUNNEL;
+		proto_info[i].reqid = sr->reqid + 2;
+	}
+
+	if (i == sizeof(proto_info) / sizeof(proto_info[0]) - 1)
+	{
+		impossible();   /* no transform at all! */
+	}
+
+	if (tunnel)
+	{
+		int j;
+
+		inner_spi = st->st_tunnel_out_spi;
+		inner_proto = SA_IPIP;
+		inner_satype = SADB_X_SATYPE_IPIP;
+
+		proto_info[i].encapsulation = ENCAPSULATION_MODE_TUNNEL;
+		for (j = i + 1; proto_info[j].proto; j++)
+		{
+			proto_info[j].encapsulation = ENCAPSULATION_MODE_TRANSPORT;
+		}
+	}
+
+	return eroute_connection(sr
+		, inner_spi, inner_proto, inner_satype, proto_info + i
+		, op, opname);
+}
+
+/* compute a (host-order!) SPI to implement the policy in connection c */
+ipsec_spi_t
+shunt_policy_spi(struct connection *c, bool prospective)
+{
+	/* note: these are in host order :-( */
+	static const ipsec_spi_t shunt_spi[] =
+	{
+		SPI_TRAP,       /* --initiateontraffic */
+		SPI_PASS,       /* --pass */
+		SPI_DROP,       /* --drop */
+		SPI_REJECT,     /* --reject */
+	};
+
+	static const ipsec_spi_t fail_spi[] =
+	{
+		0,      /* --none*/
+		SPI_PASS,       /* --failpass */
+		SPI_DROP,       /* --faildrop */
+		SPI_REJECT,     /* --failreject */
+	};
+
+	return prospective
+		? shunt_spi[(c->policy & POLICY_SHUNT_MASK) >> POLICY_SHUNT_SHIFT]
+		: fail_spi[(c->policy & POLICY_FAIL_MASK) >> POLICY_FAIL_SHIFT];
+}
+
+/* Add/replace/delete a shunt eroute.
+ * Such an eroute determines the fate of packets without the use
+ * of any SAs.  These are defaults, in effect.
+ * If a negotiation has not been attempted, use %trap.
+ * If negotiation has failed, the choice between %trap/%pass/%drop/%reject
+ * is specified in the policy of connection c.
+ */
+static bool shunt_eroute(struct connection *c, struct spd_route *sr,
+						 enum routing_t rt_kind,
+						 unsigned int op, const char *opname)
+{
+	/* We are constructing a special SAID for the eroute.
+	 * The destination doesn't seem to matter, but the family does.
+	 * The protocol is SA_INT -- mark this as shunt.
+	 * The satype has no meaning, but is required for PF_KEY header!
+	 * The SPI signifies the kind of shunt.
+	 */
+	ipsec_spi_t spi = shunt_policy_spi(c, rt_kind == RT_ROUTED_PROSPECTIVE);
+	bool ok;
+
+	if (spi == 0)
+	{
+		/* we're supposed to end up with no eroute: rejig op and opname */
+		switch (op)
+		{
+		case ERO_REPLACE:
+			/* replace with nothing == delete */
+			op = ERO_DELETE;
+			opname = "delete";
+			break;
+		case ERO_ADD:
+			/* add nothing == do nothing */
+			return TRUE;
+		case ERO_DELETE:
+			/* delete remains delete */
+			break;
+		default:
+			bad_case(op);
+		}
+	}
+	if (sr->routing == RT_ROUTED_ECLIPSED && c->kind == CK_TEMPLATE)
+	{
+		/* We think that we have an eroute, but we don't.
+		 * Adjust the request and account for eclipses.
+		 */
+		passert(eclipsable(sr));
+		switch (op)
+		{
+		case ERO_REPLACE:
+			/* really an add */
+			op = ERO_ADD;
+			opname = "replace eclipsed";
+			eclipse_count--;
+			break;
+		case ERO_DELETE:
+			/* delete unnecessary: we don't actually have an eroute */
+			eclipse_count--;
+			return TRUE;
+		case ERO_ADD:
+		default:
+			bad_case(op);
+		}
+	}
+	else if (eclipse_count > 0 && op == ERO_DELETE && eclipsable(sr))
+	{
+		/* maybe we are uneclipsing something */
+		struct spd_route *esr;
+		struct connection *ue = eclipsed(c, &esr);
+
+		if (ue != NULL)
+		{
+			esr->routing = RT_ROUTED_PROSPECTIVE;
+			return shunt_eroute(ue, esr
+								, RT_ROUTED_PROSPECTIVE, ERO_REPLACE, "restoring eclipsed");
+		}
+	}
+
+	ok = TRUE;
+	if (kernel_ops->inbound_eroute)
+	{
+		ok = raw_eroute(&c->spd.that.host_addr, &c->spd.that.client
+			, &c->spd.this.host_addr, &c->spd.this.client
+			, htonl(spi), SA_INT, SADB_X_SATYPE_INT
+			, 0, null_proto_info, 0
+			, op | (SADB_X_SAFLAGS_INFLOW << ERO_FLAG_SHIFT), opname);
+	}
+	return eroute_connection(sr, htonl(spi), SA_INT, SADB_X_SATYPE_INT
+		, null_proto_info, op, opname) && ok;
+}
+
+
+/*
+ * This is only called when s is a likely SAID with  trailing protocol i.e.
+ * it has the form :-
+ *
+ *   %<keyword>:p
+ *   <ip-proto><spi>@a.b.c.d:p
+ *
+ * The task here is to remove the ":p" part so that the rest can be read
+ * by another routine.
+ */
+static const char *read_proto(const char * s, size_t * len, int * transport_proto)
+{
+	const char * p;
+	const char * ugh;
+	unsigned long proto;
+	size_t l;
+
+	l = *len;
+	p = memchr(s, ':', l);
+	if (p == 0) {
+		*transport_proto = 0;
+		return 0;
+	}
+	ugh = ttoul(p+1, l-((p-s)+1), 10, &proto);
+	if (ugh != 0)
+		return ugh;
+	if (proto > 65535)
+		return "protocol number is too large, legal range is 0-65535";
+	*len = p-s;
+	*transport_proto = proto;
+	return 0;
+}
+
+
+/* scan /proc/net/ipsec_eroute every once in a while, looking for:
  *
  * - %hold shunts of which Pluto isn't aware.  This situation could
  *   be caused by lost ACQUIRE messages.  When found, they will
@@ -1407,937 +1398,931 @@ read_proto(const char * s, size_t * len, int * transport_proto)
  * searching for each is sequential.  If this becomes a problem, faster
  * searches could be implemented (hash or radix tree, for example).
  */
-void
-scan_proc_shunts(void)
+void scan_proc_shunts(void)
 {
-    static const char procname[] = "/proc/net/ipsec_eroute";
-    FILE *f;
-    time_t nw = now();
-    int lino;
-    struct eroute_info *expired = NULL;
-
-    event_schedule(EVENT_SHUNT_SCAN, SHUNT_SCAN_INTERVAL, NULL);
-
-    DBG(DBG_CONTROL,
-    	DBG_log("scanning for shunt eroutes")
-    )
-
-    /* free any leftover entries: they will be refreshed if still current */
-    while (orphaned_holds != NULL)
-    {
-	struct eroute_info *p = orphaned_holds;
-
-	orphaned_holds = p->next;
-	pfree(orphaned_holds);
-    }
-
-    /* decode the /proc file.  Don't do anything strenuous to it
-     * (certainly no PF_KEY stuff) to minimize the chance that it
-     * might change underfoot.
-     */
-
-    f = fopen(procname, "r");
-    if (f == NULL)
-	return;
-
-    /* for each line... */
-    for (lino = 1; ; lino++)
-    {
-	unsigned char buf[1024];  /* should be big enough */
-	chunk_t field[10];	  /* 10 is loose upper bound */
-	chunk_t *ff = NULL;	  /* fixed fields (excluding optional count) */
-	int fi;
-	struct eroute_info eri;
-	char *cp;
-	err_t context = ""
-	    , ugh = NULL;
-
-	cp = fgets(buf, sizeof(buf), f);
-	if (cp == NULL)
-	    break;
-
-	/* break out each field
-	 * Note: if there are too many fields, just stop;
-	 * it will be diagnosed a little later.
-	 */
-	for (fi = 0; fi < (int)elemsof(field); fi++)
+	static const char procname[] = "/proc/net/ipsec_eroute";
+	FILE *f;
+	time_t nw = now();
+	int lino;
+	struct eroute_info *expired = NULL;
+
+	event_schedule(EVENT_SHUNT_SCAN, SHUNT_SCAN_INTERVAL, NULL);
+
+	DBG(DBG_CONTROL,
+		DBG_log("scanning for shunt eroutes")
+	)
+
+	/* free any leftover entries: they will be refreshed if still current */
+	while (orphaned_holds != NULL)
 	{
-	    static const char sep[] = " \t\n";	/* field-separating whitespace */
-	    size_t w;
+		struct eroute_info *p = orphaned_holds;
 
-	    cp += strspn(cp, sep);	/* find start of field */
-	    w = strcspn(cp, sep);	/* find width of field */
-	    setchunk(field[fi], cp, w);
-	    cp += w;
-	    if (w == 0)
-		break;
+		orphaned_holds = p->next;
+		free(orphaned_holds);
 	}
 
-	/* This odd do-hickey is to share error reporting code.
-	 * A break will get to that common code.  The setting
-	 * of "ugh" and "context" parameterize it.
+	/* decode the /proc file.  Don't do anything strenuous to it
+	 * (certainly no PF_KEY stuff) to minimize the chance that it
+	 * might change underfoot.
 	 */
-	do {
-	    /* Old entries have no packet count; new ones do.
-	     * check if things are as they should be.
-	     */
-	    if (fi == 5)
-		ff = &field[0];	/* old form, with no count */
-	    else if (fi == 6)
-		ff = &field[1];	/* new form, with count */
-	    else
-	    {
-		ugh = "has wrong number of fields";
-		break;
-	    }
-
-	    if (ff[1].len != 2
-	    || strncmp(ff[1].ptr, "->", 2) != 0
-	    || ff[3].len != 2
-	    || strncmp(ff[3].ptr, "=>", 2) != 0)
-	    {
-		ugh = "is missing -> or =>";
-		break;
-	    }
 
-	    /* actually digest fields of interest */
+	f = fopen(procname, "r");
+	if (f == NULL)
+		return;
 
-	    /* packet count */
+	/* for each line... */
+	for (lino = 1; ; lino++)
+	{
+		unsigned char buf[1024];  /* should be big enough */
+		chunk_t field[10];        /* 10 is loose upper bound */
+		chunk_t *ff = NULL;       /* fixed fields (excluding optional count) */
+		int fi;
+		struct eroute_info eri;
+		char *cp;
+		err_t context = ""
+			, ugh = NULL;
+
+		cp = fgets(buf, sizeof(buf), f);
+		if (cp == NULL)
+			break;
 
-	    eri.count = 0;
-	    if (ff != field)
-	    {
-		context = "count field is malformed: ";
-		ugh = ttoul(field[0].ptr, field[0].len, 10, &eri.count);
-		if (ugh != NULL)
-		    break;
-	    }
+		/* break out each field
+		 * Note: if there are too many fields, just stop;
+		 * it will be diagnosed a little later.
+		 */
+		for (fi = 0; fi < (int)countof(field); fi++)
+		{
+			static const char sep[] = " \t\n";  /* field-separating whitespace */
+			size_t w;
+
+			cp += strspn(cp, sep);      /* find start of field */
+			w = strcspn(cp, sep);       /* find width of field */
+			field[fi] = chunk_create(cp, w);
+			cp += w;
+			if (w == 0)
+				break;
+		}
 
-	    /* our client */
+		/* This odd do-hickey is to share error reporting code.
+		 * A break will get to that common code.  The setting
+		 * of "ugh" and "context" parameterize it.
+		 */
+		do {
+			/* Old entries have no packet count; new ones do.
+			 * check if things are as they should be.
+			 */
+			if (fi == 5)
+				ff = &field[0]; /* old form, with no count */
+			else if (fi == 6)
+				ff = &field[1]; /* new form, with count */
+			else
+			{
+				ugh = "has wrong number of fields";
+				break;
+			}
 
-	    context = "source subnet field malformed: ";
-	    ugh = ttosubnet(ff[0].ptr, ff[0].len, AF_INET, &eri.ours);
-	    if (ugh != NULL)
-		break;
+			if (ff[1].len != 2
+			|| strncmp(ff[1].ptr, "->", 2) != 0
+			|| ff[3].len != 2
+			|| strncmp(ff[3].ptr, "=>", 2) != 0)
+			{
+				ugh = "is missing -> or =>";
+				break;
+			}
 
-	    /* his client */
+			/* actually digest fields of interest */
 
-	    context = "destination subnet field malformed: ";
-	    ugh = ttosubnet(ff[2].ptr, ff[2].len, AF_INET, &eri.his);
-	    if (ugh != NULL)
-		break;
+			/* packet count */
 
-	    /* SAID */
+			eri.count = 0;
+			if (ff != field)
+			{
+				context = "count field is malformed: ";
+				ugh = ttoul(field[0].ptr, field[0].len, 10, &eri.count);
+				if (ugh != NULL)
+					break;
+			}
 
-	    context = "SA ID field malformed: ";
-            ugh = read_proto(ff[4].ptr, &ff[4].len, &eri.transport_proto);
-	    if (ugh != NULL)
-		break;
-	    ugh = ttosa(ff[4].ptr, ff[4].len, &eri.said);
-	} while (FALSE);
-
-	if (ugh != NULL)
-	{
-	    plog("INTERNAL ERROR: %s line %d %s%s"
-		, procname, lino, context, ugh);
-	    continue;	/* ignore rest of line */
-	}
-
-	/* Now we have decoded eroute, let's consider it.
-	 * For shunt eroutes:
-	 *
-	 * %hold: if not known, add to orphaned_holds list for initiation
-	 *    because ACQUIRE might have been lost.
-	 *
-	 * %pass, %drop, %reject: determine if idle; if so, blast it away.
-	 *    Can occur bare (if DNS provided insufficient information)
-	 *    or with a connection (failure context).
-	 *    Could even be installed by ipsec manual.
-	 *
-	 * %trap: always welcome.
-	 *
-	 * For other eroutes: find state and record count change
-	 */
-	if (eri.said.proto == SA_INT)
-	{
-	    /* shunt eroute */
-	    switch (ntohl(eri.said.spi))
-	    {
-	    case SPI_HOLD:
-		if (bare_shunt_ptr(&eri.ours, &eri.his, eri.transport_proto) == NULL
-		&& shunt_owner(&eri.ours, &eri.his) == NULL)
+			/* our client */
+
+			context = "source subnet field malformed: ";
+			ugh = ttosubnet(ff[0].ptr, ff[0].len, AF_INET, &eri.ours);
+			if (ugh != NULL)
+				break;
+
+			/* his client */
+
+			context = "destination subnet field malformed: ";
+			ugh = ttosubnet(ff[2].ptr, ff[2].len, AF_INET, &eri.his);
+			if (ugh != NULL)
+				break;
+
+			/* SAID */
+
+			context = "SA ID field malformed: ";
+			ugh = read_proto(ff[4].ptr, &ff[4].len, &eri.transport_proto);
+			if (ugh != NULL)
+				break;
+			ugh = ttosa(ff[4].ptr, ff[4].len, &eri.said);
+		} while (FALSE);
+
+		if (ugh != NULL)
 		{
-		    int ourport = ntohs(portof(&eri.ours.addr));
-		    int hisport = ntohs(portof(&eri.his.addr));
-		    char ourst[SUBNETTOT_BUF];
-		    char hist[SUBNETTOT_BUF];
-		    char sat[SATOT_BUF];
-
-		    subnettot(&eri.ours, 0, ourst, sizeof(ourst));
-		    subnettot(&eri.his, 0, hist, sizeof(hist));
-		    satot(&eri.said, 0, sat, sizeof(sat));
-
-		    DBG(DBG_CONTROL,
-			DBG_log("add orphaned shunt %s:%d -> %s:%d => %s:%d"
-			    , ourst, ourport, hist, hisport, sat, eri.transport_proto)
-		     )
-		    eri.next = orphaned_holds;
-		    orphaned_holds = clone_thing(eri, "orphaned %hold");
+			plog("INTERNAL ERROR: %s line %d %s%s"
+				, procname, lino, context, ugh);
+			continue;   /* ignore rest of line */
 		}
-		break;
 
-	    case SPI_PASS:
-	    case SPI_DROP:
-	    case SPI_REJECT:
-		/* nothing sensible to do if we don't have counts */
-		if (ff != field)
+		/* Now we have decoded eroute, let's consider it.
+		 * For shunt eroutes:
+		 *
+		 * %hold: if not known, add to orphaned_holds list for initiation
+		 *    because ACQUIRE might have been lost.
+		 *
+		 * %pass, %drop, %reject: determine if idle; if so, blast it away.
+		 *    Can occur bare (if DNS provided insufficient information)
+		 *    or with a connection (failure context).
+		 *    Could even be installed by ipsec manual.
+		 *
+		 * %trap: always welcome.
+		 *
+		 * For other eroutes: find state and record count change
+		 */
+		if (eri.said.proto == SA_INT)
 		{
-		    struct bare_shunt **bs_pp
-			= bare_shunt_ptr(&eri.ours, &eri.his, eri.transport_proto);
-
-		    if (bs_pp != NULL)
-		    {
-			struct bare_shunt *bs = *bs_pp;
-
-			if (eri.count != bs->count)
-			{
-			    bs->count = eri.count;
-			    bs->last_activity = nw;
-			}
-			else if (nw - bs->last_activity > SHUNT_PATIENCE)
+			/* shunt eroute */
+			switch (ntohl(eri.said.spi))
 			{
-			    eri.next = expired;
-			    expired = clone_thing(eri, "expired %pass");
+			case SPI_HOLD:
+				if (bare_shunt_ptr(&eri.ours, &eri.his, eri.transport_proto) == NULL
+				&& shunt_owner(&eri.ours, &eri.his) == NULL)
+				{
+					int ourport = ntohs(portof(&eri.ours.addr));
+					int hisport = ntohs(portof(&eri.his.addr));
+					char ourst[SUBNETTOT_BUF];
+					char hist[SUBNETTOT_BUF];
+					char sat[SATOT_BUF];
+
+					subnettot(&eri.ours, 0, ourst, sizeof(ourst));
+					subnettot(&eri.his, 0, hist, sizeof(hist));
+					satot(&eri.said, 0, sat, sizeof(sat));
+
+					DBG(DBG_CONTROL,
+						DBG_log("add orphaned shunt %s:%d -> %s:%d => %s:%d"
+							, ourst, ourport, hist, hisport, sat, eri.transport_proto)
+					 )
+					eri.next = orphaned_holds;
+					orphaned_holds = clone_thing(eri);
+				}
+				break;
+
+			case SPI_PASS:
+			case SPI_DROP:
+			case SPI_REJECT:
+				/* nothing sensible to do if we don't have counts */
+				if (ff != field)
+				{
+					struct bare_shunt **bs_pp
+						= bare_shunt_ptr(&eri.ours, &eri.his, eri.transport_proto);
+
+					if (bs_pp != NULL)
+					{
+						struct bare_shunt *bs = *bs_pp;
+
+						if (eri.count != bs->count)
+						{
+							bs->count = eri.count;
+							bs->last_activity = nw;
+						}
+						else if (nw - bs->last_activity > SHUNT_PATIENCE)
+						{
+							eri.next = expired;
+							expired = clone_thing(eri);
+						}
+					}
+				}
+				break;
+
+			case SPI_TRAP:
+				break;
+
+			default:
+				bad_case(ntohl(eri.said.spi));
 			}
-		    }
 		}
-		break;
-
-	    case SPI_TRAP:
-		break;
+		else
+		{
+			/* regular (non-shunt) eroute */
+			state_eroute_usage(&eri.ours, &eri.his, eri.count, nw);
+		}
+	}   /* for each line */
+	fclose(f);
 
-	    default:
-		bad_case(ntohl(eri.said.spi));
-	    }
-	}
-	else
+	/* Now that we've finished processing the /proc file,
+	 * it is safe to delete the expired %pass shunts.
+	 */
+	while (expired != NULL)
 	{
-	    /* regular (non-shunt) eroute */
-	    state_eroute_usage(&eri.ours, &eri.his, eri.count, nw);
-	}
-    }	/* for each line */
-    fclose(f);
-
-    /* Now that we've finished processing the /proc file,
-     * it is safe to delete the expired %pass shunts.
-     */
-    while (expired != NULL)
-    {
-	struct eroute_info *p = expired;
-	ip_address src, dst;
-
-	networkof(&p->ours, &src);
-	networkof(&p->his, &dst);
-	(void) replace_bare_shunt(&src, &dst
-	    , BOTTOM_PRIO	/* not used because we are deleting.  This value is a filler */
-	    , SPI_PASS	/* not used because we are deleting.  This value is a filler */
-	    , FALSE, p->transport_proto, "delete expired bare shunts");
-	expired = p->next;
-	pfree(p);
-    }
+		struct eroute_info *p = expired;
+		ip_address src, dst;
+
+		networkof(&p->ours, &src);
+		networkof(&p->his, &dst);
+		(void) replace_bare_shunt(&src, &dst
+			, BOTTOM_PRIO       /* not used because we are deleting.  This value is a filler */
+			, SPI_PASS  /* not used because we are deleting.  This value is a filler */
+			, FALSE, p->transport_proto, "delete expired bare shunts");
+		expired = p->next;
+		free(p);
+	}
 }
 
-static bool
-del_spi(ipsec_spi_t spi, int proto
-, const ip_address *src, const ip_address *dest)
+static bool del_spi(ipsec_spi_t spi, int proto,
+					const ip_address *src, const ip_address *dest)
 {
-    char text_said[SATOT_BUF];
-    struct kernel_sa sa;
+	char text_said[SATOT_BUF];
+	struct kernel_sa sa;
 
-    set_text_said(text_said, dest, spi, proto);
+	set_text_said(text_said, dest, spi, proto);
 
-    DBG(DBG_KLIPS, DBG_log("delete %s", text_said));
+	DBG(DBG_KLIPS, DBG_log("delete %s", text_said));
 
-    memset(&sa, 0, sizeof(sa));
-    sa.spi = spi;
-    sa.proto = proto;
-    sa.src = src;
-    sa.dst = dest;
-    sa.text_said = text_said;
+	memset(&sa, 0, sizeof(sa));
+	sa.spi = spi;
+	sa.proto = proto;
+	sa.src = src;
+	sa.dst = dest;
+	sa.text_said = text_said;
 
-    return kernel_ops->del_sa(&sa);
+	return kernel_ops->del_sa(&sa);
 }
 
 /* Setup a pair of SAs. Code taken from setsa.c and spigrp.c, in
  * ipsec-0.5.
  */
 
-static bool
-setup_half_ipsec_sa(struct state *st, bool inbound)
+static bool setup_half_ipsec_sa(struct state *st, bool inbound)
 {
-    /* Build an inbound or outbound SA */
-
-    struct connection *c = st->st_connection;
-    ip_subnet src, dst;
-    ip_subnet src_client, dst_client;
-    ipsec_spi_t inner_spi = 0;
-    u_int proto = 0;
-    u_int satype = SADB_SATYPE_UNSPEC;
-    bool replace;
-
-    /* SPIs, saved for spigrouping or undoing, if necessary */
-    struct kernel_sa
-	said[EM_MAXRELSPIS],
-	*said_next = said;
-
-    char text_said[SATOT_BUF];
-    int encapsulation;
-
-    replace = inbound && (kernel_ops->get_spi != NULL);
-
-    src.maskbits = 0;
-    dst.maskbits = 0;
-
-    if (inbound)
-    {
-	src.addr = c->spd.that.host_addr;
-	dst.addr = c->spd.this.host_addr;
-	src_client = c->spd.that.client;
-	dst_client = c->spd.this.client;
-    }
-    else
-    {
-	src.addr = c->spd.this.host_addr,
-	dst.addr = c->spd.that.host_addr;
-	src_client = c->spd.this.client;
-	dst_client = c->spd.that.client;
-    }
-
-    encapsulation = ENCAPSULATION_MODE_TRANSPORT;
-    if (st->st_ah.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL
-	|| st->st_esp.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL
-	|| st->st_ipcomp.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL)
-    {
-	encapsulation = ENCAPSULATION_MODE_TUNNEL;
-    }
-
-    memset(said, 0, sizeof(said));
-
-    /* If we are tunnelling, set up IP in IP pseudo SA */
-
-    if (kernel_ops->inbound_eroute)
-    {
-	inner_spi = 256;
-	proto = SA_IPIP;
-	satype = SADB_SATYPE_UNSPEC;
-    }
-    else if (encapsulation == ENCAPSULATION_MODE_TUNNEL)
-    {
-	/* XXX hack alert -- we SHOULD NOT HAVE TO HAVE A DIFFERENT SPI
-	 * XXX FOR IP-in-IP ENCAPSULATION!
-	 */
+	/* Build an inbound or outbound SA */
+
+	struct connection *c = st->st_connection;
+	ip_subnet src, dst;
+	ip_subnet src_client, dst_client;
+	ipsec_spi_t inner_spi = 0;
+	u_int proto = 0;
+	u_int satype = SADB_SATYPE_UNSPEC;
+	bool replace;
 
-	ipsec_spi_t ipip_spi;
+	/* SPIs, saved for spigrouping or undoing, if necessary */
+	struct kernel_sa
+		said[EM_MAXRELSPIS],
+		*said_next = said;
 
-	/* Allocate an SPI for the tunnel.
-	 * Since our peer will never see this,
-	 * and it comes from its own number space,
-	 * it is purely a local implementation wart.
-	 */
+	char text_said[SATOT_BUF];
+	int encapsulation;
+
+	replace = inbound && (kernel_ops->get_spi != NULL);
+
+	src.maskbits = 0;
+	dst.maskbits = 0;
+
+	if (inbound)
+	{
+		src.addr = c->spd.that.host_addr;
+		dst.addr = c->spd.this.host_addr;
+		src_client = c->spd.that.client;
+		dst_client = c->spd.this.client;
+	}
+	else
 	{
-	    static ipsec_spi_t last_tunnel_spi = IPSEC_DOI_SPI_OUR_MIN;
+		src.addr = c->spd.this.host_addr,
+		dst.addr = c->spd.that.host_addr;
+		src_client = c->spd.this.client;
+		dst_client = c->spd.that.client;
+	}
 
-	    ipip_spi = htonl(++last_tunnel_spi);
-	    if (inbound)
-		st->st_tunnel_in_spi = ipip_spi;
-	    else
-		st->st_tunnel_out_spi = ipip_spi;
+	encapsulation = ENCAPSULATION_MODE_TRANSPORT;
+	if (st->st_ah.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL
+		|| st->st_esp.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL
+		|| st->st_ipcomp.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL)
+	{
+		encapsulation = ENCAPSULATION_MODE_TUNNEL;
 	}
 
-	set_text_said(text_said
-	    , &c->spd.that.host_addr, ipip_spi, SA_IPIP);
+	memset(said, 0, sizeof(said));
+
+	/* If we are tunnelling, set up IP in IP pseudo SA */
+
+	if (kernel_ops->inbound_eroute)
+	{
+		inner_spi = 256;
+		proto = SA_IPIP;
+		satype = SADB_SATYPE_UNSPEC;
+	}
+	else if (encapsulation == ENCAPSULATION_MODE_TUNNEL)
+	{
+		/* XXX hack alert -- we SHOULD NOT HAVE TO HAVE A DIFFERENT SPI
+		 * XXX FOR IP-in-IP ENCAPSULATION!
+		 */
 
-	said_next->src = &src.addr;
-	said_next->dst = &dst.addr;
-	said_next->src_client = &src_client;
-	said_next->dst_client = &dst_client;
-	said_next->spi = ipip_spi;
-	said_next->satype = SADB_X_SATYPE_IPIP;
-	said_next->text_said = text_said;
+		ipsec_spi_t ipip_spi;
 
-	if (!kernel_ops->add_sa(said_next, replace))
-	    goto fail;
+		/* Allocate an SPI for the tunnel.
+		 * Since our peer will never see this,
+		 * and it comes from its own number space,
+		 * it is purely a local implementation wart.
+		 */
+		{
+			static ipsec_spi_t last_tunnel_spi = IPSEC_DOI_SPI_OUR_MIN;
 
-	said_next++;
+			ipip_spi = htonl(++last_tunnel_spi);
+			if (inbound)
+				st->st_tunnel_in_spi = ipip_spi;
+			else
+				st->st_tunnel_out_spi = ipip_spi;
+		}
 
-	inner_spi = ipip_spi;
-	proto = SA_IPIP;
-	satype = SADB_X_SATYPE_IPIP;
-    }
+		set_text_said(text_said
+			, &c->spd.that.host_addr, ipip_spi, SA_IPIP);
 
-    /* set up IPCOMP SA, if any */
+		said_next->src = &src.addr;
+		said_next->dst = &dst.addr;
+		said_next->src_client = &src_client;
+		said_next->dst_client = &dst_client;
+		said_next->spi = ipip_spi;
+		said_next->satype = SADB_X_SATYPE_IPIP;
+		said_next->text_said = text_said;
 
-    if (st->st_ipcomp.present)
-    {
-	ipsec_spi_t ipcomp_spi = inbound? st->st_ipcomp.our_spi : st->st_ipcomp.attrs.spi;
-	unsigned compalg;
+		if (!kernel_ops->add_sa(said_next, replace))
+			goto fail;
 
-	switch (st->st_ipcomp.attrs.transid)
-	{
-	    case IPCOMP_DEFLATE:
-		compalg = SADB_X_CALG_DEFLATE;
-		break;
+		said_next++;
 
-	    default:
-		loglog(RC_LOG_SERIOUS, "IPCOMP transform %s not implemented"
-		    , enum_name(&ipcomp_transformid_names, st->st_ipcomp.attrs.transid));
-		goto fail;
+		inner_spi = ipip_spi;
+		proto = SA_IPIP;
+		satype = SADB_X_SATYPE_IPIP;
 	}
 
-	set_text_said(text_said, &dst.addr, ipcomp_spi, SA_COMP);
-
-	said_next->src = &src.addr;
-	said_next->dst = &dst.addr;
-	said_next->src_client = &src_client;
-	said_next->dst_client = &dst_client;
-	said_next->spi = ipcomp_spi;
-	said_next->satype = SADB_X_SATYPE_COMP;
-	said_next->compalg = compalg;
-	said_next->encapsulation = encapsulation;
-	said_next->reqid = c->spd.reqid + 2;
-	said_next->text_said = text_said;
+	/* set up IPCOMP SA, if any */
 
-	if (!kernel_ops->add_sa(said_next, replace))
-	    goto fail;
+	if (st->st_ipcomp.present)
+	{
+		ipsec_spi_t ipcomp_spi = inbound? st->st_ipcomp.our_spi : st->st_ipcomp.attrs.spi;
+		unsigned compalg;
 
-	said_next++;
+		switch (st->st_ipcomp.attrs.transid)
+		{
+			case IPCOMP_DEFLATE:
+				compalg = SADB_X_CALG_DEFLATE;
+				break;
+
+			default:
+				loglog(RC_LOG_SERIOUS, "IPCOMP transform %s not implemented"
+					, enum_name(&ipcomp_transformid_names, st->st_ipcomp.attrs.transid));
+				goto fail;
+		}
 
-	encapsulation = ENCAPSULATION_MODE_TRANSPORT;
-    }
+		set_text_said(text_said, &dst.addr, ipcomp_spi, SA_COMP);
 
-    /* set up ESP SA, if any */
+		said_next->src = &src.addr;
+		said_next->dst = &dst.addr;
+		said_next->src_client = &src_client;
+		said_next->dst_client = &dst_client;
+		said_next->spi = ipcomp_spi;
+		said_next->satype = SADB_X_SATYPE_COMP;
+		said_next->compalg = compalg;
+		said_next->encapsulation = encapsulation;
+		said_next->reqid = c->spd.reqid + 2;
+		said_next->text_said = text_said;
 
-    if (st->st_esp.present)
-    {
-	ipsec_spi_t esp_spi = inbound? st->st_esp.our_spi : st->st_esp.attrs.spi;
-	u_char *esp_dst_keymat = inbound? st->st_esp.our_keymat : st->st_esp.peer_keymat;
-	const struct esp_info *ei;
-	u_int16_t key_len;
-
-	static const struct esp_info esp_info[] = {
-	    { ESP_NULL, AUTH_ALGORITHM_HMAC_MD5,
-		0, HMAC_MD5_KEY_LEN,
-		SADB_EALG_NULL, SADB_AALG_MD5HMAC },
-	    { ESP_NULL, AUTH_ALGORITHM_HMAC_SHA1,
-		0, HMAC_SHA1_KEY_LEN,
-		SADB_EALG_NULL, SADB_AALG_SHA1HMAC },
-
-	    { ESP_DES, AUTH_ALGORITHM_NONE,
-		DES_CBC_BLOCK_SIZE, 0,
-		SADB_EALG_DESCBC, SADB_AALG_NONE },
-	    { ESP_DES, AUTH_ALGORITHM_HMAC_MD5,
-		DES_CBC_BLOCK_SIZE, HMAC_MD5_KEY_LEN,
-		SADB_EALG_DESCBC, SADB_AALG_MD5HMAC },
-	    { ESP_DES, AUTH_ALGORITHM_HMAC_SHA1,
-		DES_CBC_BLOCK_SIZE,
-		HMAC_SHA1_KEY_LEN, SADB_EALG_DESCBC, SADB_AALG_SHA1HMAC },
-
-	    { ESP_3DES, AUTH_ALGORITHM_NONE,
-		DES_CBC_BLOCK_SIZE * 3, 0,
-		SADB_EALG_3DESCBC, SADB_AALG_NONE },
-	    { ESP_3DES, AUTH_ALGORITHM_HMAC_MD5,
-		DES_CBC_BLOCK_SIZE * 3, HMAC_MD5_KEY_LEN,
-		SADB_EALG_3DESCBC, SADB_AALG_MD5HMAC },
-	    { ESP_3DES, AUTH_ALGORITHM_HMAC_SHA1,
-		DES_CBC_BLOCK_SIZE * 3, HMAC_SHA1_KEY_LEN,
-		SADB_EALG_3DESCBC, SADB_AALG_SHA1HMAC },
-	};
+		if (!kernel_ops->add_sa(said_next, replace))
+			goto fail;
 
-	u_int8_t natt_type = 0;
-	u_int16_t natt_sport = 0;
-	u_int16_t natt_dport = 0;
-	ip_address natt_oa;
+		said_next++;
 
-	if (st->nat_traversal & NAT_T_DETECTED)
-	{
-	    natt_type = (st->nat_traversal & NAT_T_WITH_PORT_FLOATING) ?
-		ESPINUDP_WITH_NON_ESP : ESPINUDP_WITH_NON_IKE;
-	    natt_sport = inbound? c->spd.that.host_port : c->spd.this.host_port;
-	    natt_dport = inbound? c->spd.this.host_port : c->spd.that.host_port;
-	    natt_oa = st->nat_oa;
+		encapsulation = ENCAPSULATION_MODE_TRANSPORT;
 	}
 
-	for (ei = esp_info; ; ei++)
+	/* set up ESP SA, if any */
+
+	if (st->st_esp.present)
 	{
-	    if (ei == &esp_info[elemsof(esp_info)])
-	    {
-		/* Check for additional kernel alg */
-#ifndef NO_KERNEL_ALG
-		if ((ei=kernel_alg_esp_info(st->st_esp.attrs.transid, 
-					st->st_esp.attrs.auth))!=NULL) {
-			break;
+		ipsec_spi_t esp_spi = inbound? st->st_esp.our_spi : st->st_esp.attrs.spi;
+		u_char *esp_dst_keymat = inbound? st->st_esp.our_keymat : st->st_esp.peer_keymat;
+		const struct esp_info *ei;
+		u_int16_t key_len;
+
+		static const struct esp_info esp_info[] = {
+			{ ESP_NULL, AUTH_ALGORITHM_HMAC_MD5,
+				0, HMAC_MD5_KEY_LEN,
+				SADB_EALG_NULL, SADB_AALG_MD5HMAC },
+			{ ESP_NULL, AUTH_ALGORITHM_HMAC_SHA1,
+				0, HMAC_SHA1_KEY_LEN,
+				SADB_EALG_NULL, SADB_AALG_SHA1HMAC },
+
+			{ ESP_DES, AUTH_ALGORITHM_NONE,
+				DES_CBC_BLOCK_SIZE, 0,
+				SADB_EALG_DESCBC, SADB_AALG_NONE },
+			{ ESP_DES, AUTH_ALGORITHM_HMAC_MD5,
+				DES_CBC_BLOCK_SIZE, HMAC_MD5_KEY_LEN,
+				SADB_EALG_DESCBC, SADB_AALG_MD5HMAC },
+			{ ESP_DES, AUTH_ALGORITHM_HMAC_SHA1,
+				DES_CBC_BLOCK_SIZE,
+				HMAC_SHA1_KEY_LEN, SADB_EALG_DESCBC, SADB_AALG_SHA1HMAC },
+
+			{ ESP_3DES, AUTH_ALGORITHM_NONE,
+				DES_CBC_BLOCK_SIZE * 3, 0,
+				SADB_EALG_3DESCBC, SADB_AALG_NONE },
+			{ ESP_3DES, AUTH_ALGORITHM_HMAC_MD5,
+				DES_CBC_BLOCK_SIZE * 3, HMAC_MD5_KEY_LEN,
+				SADB_EALG_3DESCBC, SADB_AALG_MD5HMAC },
+			{ ESP_3DES, AUTH_ALGORITHM_HMAC_SHA1,
+				DES_CBC_BLOCK_SIZE * 3, HMAC_SHA1_KEY_LEN,
+				SADB_EALG_3DESCBC, SADB_AALG_SHA1HMAC },
+		};
+
+		u_int8_t natt_type = 0;
+		u_int16_t natt_sport = 0;
+		u_int16_t natt_dport = 0;
+		ip_address natt_oa;
+
+		if (st->nat_traversal & NAT_T_DETECTED)
+		{
+			natt_type = (st->nat_traversal & NAT_T_WITH_PORT_FLOATING) ?
+				ESPINUDP_WITH_NON_ESP : ESPINUDP_WITH_NON_IKE;
+			natt_sport = inbound? c->spd.that.host_port : c->spd.this.host_port;
+			natt_dport = inbound? c->spd.this.host_port : c->spd.that.host_port;
+			natt_oa = st->nat_oa;
 		}
-#endif
 
-		/* note: enum_show may use a static buffer, so two
-		 * calls in one printf would be a mistake.
-		 * enum_name does the same job, without a static buffer,
-		 * assuming the name will be found.
-		 */
-		loglog(RC_LOG_SERIOUS, "ESP transform %s / auth %s not implemented yet"
-		    , enum_name(&esp_transformid_names, st->st_esp.attrs.transid)
-		    , enum_name(&auth_alg_names, st->st_esp.attrs.auth));
-		goto fail;
-	    }
-
-	    if (st->st_esp.attrs.transid == ei->transid
-	    && st->st_esp.attrs.auth == ei->auth)
-		break;
-	}
+		for (ei = esp_info; ; ei++)
+		{
+			if (ei == &esp_info[countof(esp_info)])
+			{
+				/* Check for additional kernel alg */
+#ifndef NO_KERNEL_ALG
+				if ((ei=kernel_alg_esp_info(st->st_esp.attrs.transid, 
+										st->st_esp.attrs.auth))!=NULL) {
+						break;
+				}
+#endif
 
-	key_len = st->st_esp.attrs.key_len/8;
-	if (key_len)
-	{
-	    /* XXX: must change to check valid _range_ key_len */
-	    if (key_len > ei->enckeylen)
-	    {
-		loglog(RC_LOG_SERIOUS, "ESP transform %s passed key_len=%d > %d",
-		    enum_name(&esp_transformid_names, st->st_esp.attrs.transid),
-		    (int)key_len, (int)ei->enckeylen);
-		goto fail;
-	    }
-	}
-	else
-	{
-	    key_len = ei->enckeylen;
-	}
-	/* Grrrrr.... f*cking 7 bits jurassic algos  */
+				/* note: enum_show may use a static buffer, so two
+				 * calls in one printf would be a mistake.
+				 * enum_name does the same job, without a static buffer,
+				 * assuming the name will be found.
+				 */
+				loglog(RC_LOG_SERIOUS, "ESP transform %s / auth %s not implemented yet"
+					, enum_name(&esp_transformid_names, st->st_esp.attrs.transid)
+					, enum_name(&auth_alg_names, st->st_esp.attrs.auth));
+				goto fail;
+			}
 
-	/* 168 bits in kernel, need 192 bits for keymat_len */
-	if (ei->transid == ESP_3DES && key_len == 21) 
-	    key_len = 24;
+			if (st->st_esp.attrs.transid == ei->transid
+			&& st->st_esp.attrs.auth == ei->auth)
+				break;
+		}
 
-	/* 56 bits in kernel, need 64 bits for keymat_len */
-	if (ei->transid == ESP_DES && key_len == 7) 
-	    key_len = 8;
+		key_len = st->st_esp.attrs.key_len/8;
+		if (key_len)
+		{
+			/* XXX: must change to check valid _range_ key_len */
+			if (key_len > ei->enckeylen)
+			{
+				loglog(RC_LOG_SERIOUS, "ESP transform %s passed key_len=%d > %d",
+					enum_name(&esp_transformid_names, st->st_esp.attrs.transid),
+					(int)key_len, (int)ei->enckeylen);
+				goto fail;
+			}
+		}
+		else
+		{
+			key_len = ei->enckeylen;
+		}
+		/* Grrrrr.... f*cking 7 bits jurassic algos  */
+
+		/* 168 bits in kernel, need 192 bits for keymat_len */
+		if (ei->transid == ESP_3DES && key_len == 21) 
+			key_len = 24;
+
+		/* 56 bits in kernel, need 64 bits for keymat_len */
+		if (ei->transid == ESP_DES && key_len == 7) 
+			key_len = 8;
+
+		/* divide up keying material */
+		/* passert(st->st_esp.keymat_len == ei->enckeylen + ei->authkeylen); */
+		DBG(DBG_KLIPS|DBG_CONTROL|DBG_PARSING, 
+			if(st->st_esp.keymat_len != key_len + ei->authkeylen)
+				DBG_log("keymat_len=%d key_len=%d authkeylen=%d",
+						st->st_esp.keymat_len, (int)key_len, (int)ei->authkeylen);
+		)
+		passert(st->st_esp.keymat_len == key_len + ei->authkeylen);
+
+		set_text_said(text_said, &dst.addr, esp_spi, SA_ESP);
+
+		said_next->src = &src.addr;
+		said_next->dst = &dst.addr;
+		said_next->src_client = &src_client;
+		said_next->dst_client = &dst_client;
+		said_next->spi = esp_spi;
+		said_next->satype = SADB_SATYPE_ESP;
+		said_next->replay_window = (kernel_ops->type == KERNEL_TYPE_KLIPS) ? REPLAY_WINDOW : REPLAY_WINDOW_XFRM;
+		said_next->authalg = ei->authalg;
+		said_next->authkeylen = ei->authkeylen;
+		/* said_next->authkey = esp_dst_keymat + ei->enckeylen; */
+		said_next->authkey = esp_dst_keymat + key_len;
+		said_next->encalg = ei->encryptalg;
+		/* said_next->enckeylen = ei->enckeylen; */
+		said_next->enckeylen = key_len;
+		said_next->enckey = esp_dst_keymat;
+		said_next->encapsulation = encapsulation;
+		said_next->reqid = c->spd.reqid + 1;
+		said_next->natt_sport = natt_sport;
+		said_next->natt_dport = natt_dport;
+		said_next->transid = st->st_esp.attrs.transid;
+		said_next->natt_type = natt_type;
+		said_next->natt_oa = &natt_oa;
+		said_next->text_said = text_said;
+
+		if (!kernel_ops->add_sa(said_next, replace))
+			goto fail;
+
+		said_next++;
+
+		encapsulation = ENCAPSULATION_MODE_TRANSPORT;
+	}
 
-	/* divide up keying material */
-	/* passert(st->st_esp.keymat_len == ei->enckeylen + ei->authkeylen); */
-	DBG(DBG_KLIPS|DBG_CONTROL|DBG_PARSING, 
-	    if(st->st_esp.keymat_len != key_len + ei->authkeylen)
-		DBG_log("keymat_len=%d key_len=%d authkeylen=%d",
-			st->st_esp.keymat_len, (int)key_len, (int)ei->authkeylen);
-	)
-	passert(st->st_esp.keymat_len == key_len + ei->authkeylen);
-
-	set_text_said(text_said, &dst.addr, esp_spi, SA_ESP);
-
-	said_next->src = &src.addr;
-	said_next->dst = &dst.addr;
-	said_next->src_client = &src_client;
-	said_next->dst_client = &dst_client;
-	said_next->spi = esp_spi;
-	said_next->satype = SADB_SATYPE_ESP;
-	said_next->replay_window = (kernel_ops->type == KERNEL_TYPE_KLIPS) ? REPLAY_WINDOW : REPLAY_WINDOW_XFRM;
-	said_next->authalg = ei->authalg;
-	said_next->authkeylen = ei->authkeylen;
-	/* said_next->authkey = esp_dst_keymat + ei->enckeylen; */
-	said_next->authkey = esp_dst_keymat + key_len;
-	said_next->encalg = ei->encryptalg;
-	/* said_next->enckeylen = ei->enckeylen; */
-	said_next->enckeylen = key_len;
-	said_next->enckey = esp_dst_keymat;
-	said_next->encapsulation = encapsulation;
-	said_next->reqid = c->spd.reqid + 1;
-	said_next->natt_sport = natt_sport;
-	said_next->natt_dport = natt_dport;
-	said_next->transid = st->st_esp.attrs.transid;
-	said_next->natt_type = natt_type;
-	said_next->natt_oa = &natt_oa;
-	said_next->text_said = text_said;
-
-	if (!kernel_ops->add_sa(said_next, replace))
-	    goto fail;
-
-	said_next++;
+	/* set up AH SA, if any */
 
-	encapsulation = ENCAPSULATION_MODE_TRANSPORT;
-    }
+	if (st->st_ah.present)
+	{
+		ipsec_spi_t ah_spi = inbound? st->st_ah.our_spi : st->st_ah.attrs.spi;
+		u_char *ah_dst_keymat = inbound? st->st_ah.our_keymat : st->st_ah.peer_keymat;
 
-    /* set up AH SA, if any */
+		unsigned char authalg;
 
-    if (st->st_ah.present)
-    {
-	ipsec_spi_t ah_spi = inbound? st->st_ah.our_spi : st->st_ah.attrs.spi;
-	u_char *ah_dst_keymat = inbound? st->st_ah.our_keymat : st->st_ah.peer_keymat;
+		switch (st->st_ah.attrs.auth)
+		{
+		case AUTH_ALGORITHM_HMAC_MD5:
+			authalg = SADB_AALG_MD5HMAC;
+			break;
 
-	unsigned char authalg;
+		case AUTH_ALGORITHM_HMAC_SHA1:
+			authalg = SADB_AALG_SHA1HMAC;
+			break;
 
-	switch (st->st_ah.attrs.auth)
-	{
-	case AUTH_ALGORITHM_HMAC_MD5:
-	    authalg = SADB_AALG_MD5HMAC;
-	    break;
+		default:
+			loglog(RC_LOG_SERIOUS, "%s not implemented yet"
+				, enum_show(&auth_alg_names, st->st_ah.attrs.auth));
+			goto fail;
+		}
 
-	case AUTH_ALGORITHM_HMAC_SHA1:
-	    authalg = SADB_AALG_SHA1HMAC;
-	    break;
+		set_text_said(text_said, &dst.addr, ah_spi, SA_AH);
 
-	default:
-	    loglog(RC_LOG_SERIOUS, "%s not implemented yet"
-		, enum_show(&auth_alg_names, st->st_ah.attrs.auth));
-	    goto fail;
-	}
+		said_next->src = &src.addr;
+		said_next->dst = &dst.addr;
+		said_next->src_client = &src_client;
+		said_next->dst_client = &dst_client;
+		said_next->spi = ah_spi;
+		said_next->satype = SADB_SATYPE_AH;
+		said_next->replay_window = (kernel_ops->type == KERNEL_TYPE_KLIPS) ? REPLAY_WINDOW : REPLAY_WINDOW_XFRM;
+		said_next->authalg = authalg;
+		said_next->authkeylen = st->st_ah.keymat_len;
+		said_next->authkey = ah_dst_keymat;
+		said_next->encapsulation = encapsulation;
+		said_next->reqid = c->spd.reqid;
+		said_next->text_said = text_said;
 
-	set_text_said(text_said, &dst.addr, ah_spi, SA_AH);
+		if (!kernel_ops->add_sa(said_next, replace))
+			goto fail;
 
-	said_next->src = &src.addr;
-	said_next->dst = &dst.addr;
-	said_next->src_client = &src_client;
-	said_next->dst_client = &dst_client;
-	said_next->spi = ah_spi;
-	said_next->satype = SADB_SATYPE_AH;
-	said_next->replay_window = (kernel_ops->type == KERNEL_TYPE_KLIPS) ? REPLAY_WINDOW : REPLAY_WINDOW_XFRM;
-	said_next->authalg = authalg;
-	said_next->authkeylen = st->st_ah.keymat_len;
-	said_next->authkey = ah_dst_keymat;
-	said_next->encapsulation = encapsulation;
-	said_next->reqid = c->spd.reqid;
-	said_next->text_said = text_said;
+		said_next++;
 
-	if (!kernel_ops->add_sa(said_next, replace))
-	    goto fail;
+		encapsulation = ENCAPSULATION_MODE_TRANSPORT;
+	}
 
-	said_next++;
+	if (st->st_ah.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL
+	|| st->st_esp.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL
+	|| st->st_ipcomp.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL)
+	{
+		encapsulation = ENCAPSULATION_MODE_TUNNEL;
+	}
 
-	encapsulation = ENCAPSULATION_MODE_TRANSPORT;
-    }
-
-    if (st->st_ah.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL
-    || st->st_esp.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL
-    || st->st_ipcomp.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL)
-    {
-	encapsulation = ENCAPSULATION_MODE_TUNNEL;
-    }
-
-    if (kernel_ops->inbound_eroute ? c->spd.eroute_owner == SOS_NOBODY
-	: encapsulation == ENCAPSULATION_MODE_TUNNEL)
-    {
-	/* If inbound, and policy does not specifie DISABLEARRIVALCHECK,
-	 * tell KLIPS to enforce the IP addresses appropriate for this tunnel.
-	 * Note reversed ends.
-	 * Not much to be done on failure.
-	 */
-	if (inbound && (c->policy & POLICY_DISABLEARRIVALCHECK) == 0)
+	if (kernel_ops->inbound_eroute ? c->spd.eroute_owner == SOS_NOBODY
+		: encapsulation == ENCAPSULATION_MODE_TUNNEL)
 	{
-	    struct pfkey_proto_info proto_info[4];
-	    int i = 0;
-	    
-	    if (st->st_ipcomp.present)
-	    {
-		proto_info[i].proto = IPPROTO_COMP;
-		proto_info[i].encapsulation = st->st_ipcomp.attrs.encapsulation;
-		proto_info[i].reqid = c->spd.reqid + 2;
-		i++;
-	    }
-	    
-	    if (st->st_esp.present)
-	    {
-		proto_info[i].proto = IPPROTO_ESP;
-		proto_info[i].encapsulation = st->st_esp.attrs.encapsulation;
-		proto_info[i].reqid = c->spd.reqid + 1;
-		i++;
-	    }
-	    
-	    if (st->st_ah.present)
-	    {
-		proto_info[i].proto = IPPROTO_AH;
-		proto_info[i].encapsulation = st->st_ah.attrs.encapsulation;
-		proto_info[i].reqid = c->spd.reqid;
-		i++;
-	    }
-	    
-	    proto_info[i].proto = 0;
-	    
-	    if (kernel_ops->inbound_eroute
-		&& encapsulation == ENCAPSULATION_MODE_TUNNEL)
-	    {
-		proto_info[0].encapsulation = ENCAPSULATION_MODE_TUNNEL;
-		for (i = 1; proto_info[i].proto; i++)
+		/* If inbound, and policy does not specifie DISABLEARRIVALCHECK,
+		 * tell KLIPS to enforce the IP addresses appropriate for this tunnel.
+		 * Note reversed ends.
+		 * Not much to be done on failure.
+		 */
+		if (inbound && (c->policy & POLICY_DISABLEARRIVALCHECK) == 0)
 		{
-		    proto_info[i].encapsulation = ENCAPSULATION_MODE_TRANSPORT;
+			struct pfkey_proto_info proto_info[4];
+			int i = 0;
+			
+			if (st->st_ipcomp.present)
+			{
+				proto_info[i].proto = IPPROTO_COMP;
+				proto_info[i].encapsulation = st->st_ipcomp.attrs.encapsulation;
+				proto_info[i].reqid = c->spd.reqid + 2;
+				i++;
+			}
+			
+			if (st->st_esp.present)
+			{
+				proto_info[i].proto = IPPROTO_ESP;
+				proto_info[i].encapsulation = st->st_esp.attrs.encapsulation;
+				proto_info[i].reqid = c->spd.reqid + 1;
+				i++;
+			}
+			
+			if (st->st_ah.present)
+			{
+				proto_info[i].proto = IPPROTO_AH;
+				proto_info[i].encapsulation = st->st_ah.attrs.encapsulation;
+				proto_info[i].reqid = c->spd.reqid;
+				i++;
+			}
+			
+			proto_info[i].proto = 0;
+			
+			if (kernel_ops->inbound_eroute
+				&& encapsulation == ENCAPSULATION_MODE_TUNNEL)
+			{
+				proto_info[0].encapsulation = ENCAPSULATION_MODE_TUNNEL;
+				for (i = 1; proto_info[i].proto; i++)
+				{
+					proto_info[i].encapsulation = ENCAPSULATION_MODE_TRANSPORT;
+				}
+			}
+			
+			/* MCR - should be passed a spd_eroute structure here */
+			(void) raw_eroute(&c->spd.that.host_addr, &c->spd.that.client
+							  , &c->spd.this.host_addr, &c->spd.this.client
+							  , inner_spi, proto, satype, c->spd.this.protocol
+							  , proto_info, 0
+							  , ERO_ADD_INBOUND, "add inbound");
 		}
-	    }
-	    
-	    /* MCR - should be passed a spd_eroute structure here */
-	    (void) raw_eroute(&c->spd.that.host_addr, &c->spd.that.client
-			      , &c->spd.this.host_addr, &c->spd.this.client
-			      , inner_spi, proto, satype, c->spd.this.protocol
-			      , proto_info, 0
-			      , ERO_ADD_INBOUND, "add inbound");
-	}
-    }
-
-    /* If there are multiple SPIs, group them. */
-    
-    if (kernel_ops->grp_sa && said_next > &said[1])
-    {
-	struct kernel_sa *s;
+	}
+
+	/* If there are multiple SPIs, group them. */
 	
-	/* group SAs, two at a time, inner to outer (backwards in said[])
-	 * The grouping is by pairs.  So if said[] contains ah esp ipip,
-	 * the grouping would be ipip:esp, esp:ah.
-	 */
-	for (s = said; s < said_next-1; s++)
-	{
-	    char
-		text_said0[SATOT_BUF],
-		text_said1[SATOT_BUF];
-
-	    /* group s[1] and s[0], in that order */
-	    
-	    set_text_said(text_said0, s[0].dst, s[0].spi, s[0].proto);
-	    set_text_said(text_said1, s[1].dst, s[1].spi, s[1].proto);
-	    
-	    DBG(DBG_KLIPS, DBG_log("grouping %s and %s", text_said1, text_said0));
-	    
-	    s[0].text_said = text_said0;
-	    s[1].text_said = text_said1;
-	    
-	    if (!kernel_ops->grp_sa(s + 1, s))
-		goto fail;
-	}
-	/* could update said, but it will not be used */
-    }
-
-    return TRUE;
+	if (kernel_ops->grp_sa && said_next > &said[1])
+	{
+		struct kernel_sa *s;
+		
+		/* group SAs, two at a time, inner to outer (backwards in said[])
+		 * The grouping is by pairs.  So if said[] contains ah esp ipip,
+		 * the grouping would be ipip:esp, esp:ah.
+		 */
+		for (s = said; s < said_next-1; s++)
+		{
+			char
+				text_said0[SATOT_BUF],
+				text_said1[SATOT_BUF];
+
+			/* group s[1] and s[0], in that order */
+			
+			set_text_said(text_said0, s[0].dst, s[0].spi, s[0].proto);
+			set_text_said(text_said1, s[1].dst, s[1].spi, s[1].proto);
+			
+			DBG(DBG_KLIPS, DBG_log("grouping %s and %s", text_said1, text_said0));
+			
+			s[0].text_said = text_said0;
+			s[1].text_said = text_said1;
+			
+			if (!kernel_ops->grp_sa(s + 1, s))
+				goto fail;
+		}
+		/* could update said, but it will not be used */
+	}
+
+	return TRUE;
 
 fail:
-    {
-	/* undo the done SPIs */
-	while (said_next-- != said)
-	    (void) del_spi(said_next->spi, said_next->proto
-		, &src.addr, said_next->dst);
-	return FALSE;
-    }
+	{
+		/* undo the done SPIs */
+		while (said_next-- != said)
+			(void) del_spi(said_next->spi, said_next->proto
+				, &src.addr, said_next->dst);
+		return FALSE;
+	}
 }
 
 /* teardown_ipsec_sa is a canibalized version of setup_ipsec_sa */
 
-static bool
-teardown_half_ipsec_sa(struct state *st, bool inbound)
+static bool teardown_half_ipsec_sa(struct state *st, bool inbound)
 {
-    /* We need to delete AH, ESP, and IP in IP SPIs.
-     * But if there is more than one, they have been grouped
-     * so deleting any one will do.  So we just delete the
-     * first one found.  It may or may not be the only one.
-     */
-    struct connection *c = st->st_connection;
-    struct {
-	unsigned proto;
-	struct ipsec_proto_info *info;
-    } protos[4];
-    int i;
-    bool result;
-
-    i = 0;
-    if (kernel_ops->inbound_eroute && inbound
-	&& c->spd.eroute_owner == SOS_NOBODY)
-    {
-	(void) raw_eroute(&c->spd.that.host_addr, &c->spd.that.client
-	    , &c->spd.this.host_addr, &c->spd.this.client
-	    , 256, IPSEC_PROTO_ANY, SADB_SATYPE_UNSPEC, c->spd.this.protocol
-	    , null_proto_info, 0
-	    , ERO_DEL_INBOUND, "delete inbound");
-    }
-
-    if (!kernel_ops->grp_sa)
-    {
-	if (st->st_ah.present)
+	/* We need to delete AH, ESP, and IP in IP SPIs.
+	 * But if there is more than one, they have been grouped
+	 * so deleting any one will do.  So we just delete the
+	 * first one found.  It may or may not be the only one.
+	 */
+	struct connection *c = st->st_connection;
+	struct {
+		unsigned proto;
+		struct ipsec_proto_info *info;
+	} protos[4];
+	int i;
+	bool result;
+
+	i = 0;
+	if (kernel_ops->inbound_eroute && inbound
+		&& c->spd.eroute_owner == SOS_NOBODY)
 	{
-	    protos[i].info = &st->st_ah;
-	    protos[i].proto = SA_AH;
-	    i++;
+		(void) raw_eroute(&c->spd.that.host_addr, &c->spd.that.client
+			, &c->spd.this.host_addr, &c->spd.this.client
+			, 256, IPSEC_PROTO_ANY, SADB_SATYPE_UNSPEC, c->spd.this.protocol
+			, null_proto_info, 0
+			, ERO_DEL_INBOUND, "delete inbound");
 	}
 
-	if (st->st_esp.present)
+	if (!kernel_ops->grp_sa)
 	{
-	    protos[i].info = &st->st_esp;
-	    protos[i].proto = SA_ESP;
-	    i++;
-	}
+		if (st->st_ah.present)
+		{
+			protos[i].info = &st->st_ah;
+			protos[i].proto = SA_AH;
+			i++;
+		}
 
-	if (st->st_ipcomp.present)
-	{
-	    protos[i].info = &st->st_ipcomp;
-	    protos[i].proto = SA_COMP;
-	    i++;
-	}
-    }
-    else if (st->st_ah.present)
-    {
-	protos[i].info = &st->st_ah;
-	protos[i].proto = SA_AH;
-	i++;
-    }
-    else if (st->st_esp.present)
-    {
-	protos[i].info = &st->st_esp;
-	protos[i].proto = SA_ESP;
-	i++;
-    }
-    else
-    {
-	impossible();	/* neither AH nor ESP in outbound SA bundle! */
-    }
-    protos[i].proto = 0;
-
-    result = TRUE;
-    for (i = 0; protos[i].proto; i++)
-    {
-	unsigned proto = protos[i].proto;
-	ipsec_spi_t spi;
-	const ip_address *src, *dst;
+		if (st->st_esp.present)
+		{
+			protos[i].info = &st->st_esp;
+			protos[i].proto = SA_ESP;
+			i++;
+		}
 
-	if (inbound)
+		if (st->st_ipcomp.present)
+		{
+			protos[i].info = &st->st_ipcomp;
+			protos[i].proto = SA_COMP;
+			i++;
+		}
+	}
+	else if (st->st_ah.present)
+	{
+		protos[i].info = &st->st_ah;
+		protos[i].proto = SA_AH;
+		i++;
+	}
+	else if (st->st_esp.present)
 	{
-	    spi = protos[i].info->our_spi;
-	    src = &c->spd.that.host_addr;
-	    dst = &c->spd.this.host_addr;
+		protos[i].info = &st->st_esp;
+		protos[i].proto = SA_ESP;
+		i++;
 	}
 	else
 	{
-	    spi = protos[i].info->attrs.spi;
-	    src = &c->spd.this.host_addr;
-	    dst = &c->spd.that.host_addr;
+		impossible();   /* neither AH nor ESP in outbound SA bundle! */
 	}
+	protos[i].proto = 0;
+
+	result = TRUE;
+	for (i = 0; protos[i].proto; i++)
+	{
+		unsigned proto = protos[i].proto;
+		ipsec_spi_t spi;
+		const ip_address *src, *dst;
+
+		if (inbound)
+		{
+			spi = protos[i].info->our_spi;
+			src = &c->spd.that.host_addr;
+			dst = &c->spd.this.host_addr;
+		}
+		else
+		{
+			spi = protos[i].info->attrs.spi;
+			src = &c->spd.this.host_addr;
+			dst = &c->spd.that.host_addr;
+		}
 
-	result &= del_spi(spi, proto, src, dst);
-    }
-    return result;
+		result &= del_spi(spi, proto, src, dst);
+	}
+	return result;
 }
 
 /*
  * get information about a given sa
  */
-bool
-get_sa_info(struct state *st, bool inbound, u_int *bytes, time_t *use_time)
+bool get_sa_info(struct state *st, bool inbound, u_int *bytes, time_t *use_time)
 {
-    char text_said[SATOT_BUF];
-    struct kernel_sa sa;
-    struct connection *c = st->st_connection;
-
-    *use_time = UNDEFINED_TIME;
+	char text_said[SATOT_BUF];
+	struct kernel_sa sa;
+	struct connection *c = st->st_connection;
 
-    if (kernel_ops->get_sa == NULL || !st->st_esp.present)
-	return FALSE;
+	*use_time = UNDEFINED_TIME;
 
-    memset(&sa, 0, sizeof(sa));
-    sa.proto = SA_ESP;
-
-    if (inbound)
-    {
-	sa.src = &c->spd.that.host_addr;
-	sa.dst = &c->spd.this.host_addr;
-	sa.spi = st->st_esp.our_spi;
-    }
-    else
-    {
-	sa.src = &c->spd.this.host_addr;
-	sa.dst = &c->spd.that.host_addr;
-	sa.spi = st->st_esp.attrs.spi;
-    }
-    set_text_said(text_said, sa.dst, sa.spi, sa.proto);
-
-    sa.text_said = text_said;
-
-    DBG(DBG_KLIPS,
-	DBG_log("get %s", text_said)
-    )
-    if (!kernel_ops->get_sa(&sa, bytes))
-	return FALSE;
-    DBG(DBG_KLIPS,
-	DBG_log("  current: %d bytes", *bytes)
-    )
+	if (kernel_ops->get_sa == NULL || !st->st_esp.present)
+		return FALSE;
 
-    if (st->st_serialno == c->spd.eroute_owner)
-    {
-	DBG(DBG_KLIPS,
-	    DBG_log("get %sbound policy with reqid %u"
-		, inbound? "in":"out", (u_int)c->spd.reqid + 1)
-	)
-	sa.transport_proto = c->spd.this.protocol;
-	sa.encapsulation = st->st_esp.attrs.encapsulation;
+	memset(&sa, 0, sizeof(sa));
+	sa.proto = SA_ESP;
 
 	if (inbound)
 	{
-	    sa.src_client = &c->spd.that.client;
-	    sa.dst_client = &c->spd.this.client;
+		sa.src = &c->spd.that.host_addr;
+		sa.dst = &c->spd.this.host_addr;
+		sa.spi = st->st_esp.our_spi;
 	}
 	else
 	{
-	    sa.src_client = &c->spd.this.client;
-	    sa.dst_client = &c->spd.that.client;
+		sa.src = &c->spd.this.host_addr;
+		sa.dst = &c->spd.that.host_addr;
+		sa.spi = st->st_esp.attrs.spi;
 	}
-	if (!kernel_ops->get_policy(&sa, inbound, use_time))
-	    return FALSE;
+	set_text_said(text_said, sa.dst, sa.spi, sa.proto);
+
+	sa.text_said = text_said;
+
 	DBG(DBG_KLIPS,
-	    DBG_log("  use_time: %s", timetoa(use_time, FALSE))
+		DBG_log("get %s", text_said)
 	)
-    }
-    return TRUE;
+	if (!kernel_ops->get_sa(&sa, bytes))
+		return FALSE;
+	DBG(DBG_KLIPS,
+		DBG_log("  current: %d bytes", *bytes)
+	)
+
+	if (st->st_serialno == c->spd.eroute_owner)
+	{
+		DBG(DBG_KLIPS,
+			DBG_log("get %sbound policy with reqid %u"
+				, inbound? "in":"out", (u_int)c->spd.reqid + 1)
+		)
+		sa.transport_proto = c->spd.this.protocol;
+		sa.encapsulation = st->st_esp.attrs.encapsulation;
+
+		if (inbound)
+		{
+			sa.src_client = &c->spd.that.client;
+			sa.dst_client = &c->spd.this.client;
+		}
+		else
+		{
+			sa.src_client = &c->spd.this.client;
+			sa.dst_client = &c->spd.that.client;
+		}
+		if (!kernel_ops->get_policy(&sa, inbound, use_time))
+			return FALSE;
+		DBG(DBG_KLIPS,
+			DBG_log("  use_time: %T", use_time, FALSE)
+		)
+	}
+	return TRUE;
 }
 
 const struct kernel_ops *kernel_ops;
 
 #endif /* KLIPS */
 
-void
-init_kernel(void)
+void init_kernel(void)
 {
 #ifdef KLIPS
 
-    if (no_klips)
-    {
-	kernel_ops = &noklips_kernel_ops;
-	return;
-    }
+	if (no_klips)
+	{
+		kernel_ops = &noklips_kernel_ops;
+		return;
+	}
 
-    init_pfkey();
+	init_pfkey();
 
-    kernel_ops = &klips_kernel_ops;
+	kernel_ops = &klips_kernel_ops;
 
 #if defined(linux) && defined(KERNEL26_SUPPORT)
-    {
-	bool linux_ipsec = 0;
-	struct stat buf;
-
-	linux_ipsec = (stat("/proc/net/pfkey", &buf) == 0);
-	if (linux_ipsec)
-	    {
-		plog("Using Linux 2.6 IPsec interface code");
-		kernel_ops = &linux_kernel_ops;
-	    }
-	else
-	    {
-		plog("Using KLIPS IPsec interface code");
-	    }
-    }
+	{
+		bool linux_ipsec = 0;
+		struct stat buf;
+
+		linux_ipsec = (stat("/proc/net/pfkey", &buf) == 0);
+		if (linux_ipsec)
+			{
+				plog("Using Linux 2.6 IPsec interface code");
+				kernel_ops = &linux_kernel_ops;
+			}
+		else
+			{
+				plog("Using KLIPS IPsec interface code");
+			}
+	}
 #endif
 
-    if (kernel_ops->init)
-    {
-	kernel_ops->init();
-    }
+	if (kernel_ops->init)
+	{
+		kernel_ops->init();
+	}
 
-    /* register SA types that we can negotiate */
-    can_do_IPcomp = FALSE;  /* until we get a response from KLIPS */
-    kernel_ops->pfkey_register();
+	/* register SA types that we can negotiate */
+	can_do_IPcomp = FALSE;  /* until we get a response from KLIPS */
+	kernel_ops->pfkey_register();
 
-    if (!kernel_ops->policy_lifetime)
-    {
-	event_schedule(EVENT_SHUNT_SCAN, SHUNT_SCAN_INTERVAL, NULL);
-    }
+	if (!kernel_ops->policy_lifetime)
+	{
+		event_schedule(EVENT_SHUNT_SCAN, SHUNT_SCAN_INTERVAL, NULL);
+	}
 #endif
 }
 
@@ -2345,60 +2330,59 @@ init_kernel(void)
  * The Responder will subsequently use install_ipsec_sa for the outbound.
  * The Initiator uses install_ipsec_sa to install both at once.
  */
-bool
-install_inbound_ipsec_sa(struct state *st)
+bool install_inbound_ipsec_sa(struct state *st)
 {
-    struct connection *const c = st->st_connection;
-
-    /* If our peer has a fixed-address client, check if we already
-     * have a route for that client that conflicts.  We will take this
-     * as proof that that route and the connections using it are
-     * obsolete and should be eliminated.  Interestingly, this is
-     * the only case in which we can tell that a connection is obsolete.
-     */
-    passert(c->kind == CK_PERMANENT || c->kind == CK_INSTANCE);
-    if (c->spd.that.has_client)
-    {
-	for (;;)
-	{
-	    struct spd_route *esr;
-	    struct connection *o = route_owner(c, &esr, NULL, NULL);
-
-	    if (o == NULL)
-		break;	/* nobody has a route */
-
-	    /* note: we ignore the client addresses at this end */
-	    if (sameaddr(&o->spd.that.host_addr, &c->spd.that.host_addr)
-	    && o->interface == c->interface)
-		break;	/* existing route is compatible */
-
-	    if (o->kind == CK_TEMPLATE && streq(o->name, c->name))
-		break;	/* ??? is this good enough?? */
-
-	    loglog(RC_LOG_SERIOUS, "route to peer's client conflicts with \"%s\" %s; releasing old connection to free the route"
-		, o->name, ip_str(&o->spd.that.host_addr));
-	    release_connection(o, FALSE);
-	}
-    }
-
-    DBG(DBG_CONTROL, DBG_log("install_inbound_ipsec_sa() checking if we can route"));
-    /* check that we will be able to route and eroute */
-    switch (could_route(c))
-    {
-    case route_easy:
-    case route_nearconflict:
-	break;
-
-    default:
-	return FALSE;
-    }
+	struct connection *const c = st->st_connection;
+
+	/* If our peer has a fixed-address client, check if we already
+	 * have a route for that client that conflicts.  We will take this
+	 * as proof that that route and the connections using it are
+	 * obsolete and should be eliminated.  Interestingly, this is
+	 * the only case in which we can tell that a connection is obsolete.
+	 */
+	passert(c->kind == CK_PERMANENT || c->kind == CK_INSTANCE);
+	if (c->spd.that.has_client)
+	{
+		for (;;)
+		{
+			struct spd_route *esr;
+			struct connection *o = route_owner(c, &esr, NULL, NULL);
+
+			if (o == NULL)
+				break;  /* nobody has a route */
+
+			/* note: we ignore the client addresses at this end */
+			if (sameaddr(&o->spd.that.host_addr, &c->spd.that.host_addr)
+			&& o->interface == c->interface)
+				break;  /* existing route is compatible */
+
+			if (o->kind == CK_TEMPLATE && streq(o->name, c->name))
+				break;  /* ??? is this good enough?? */
+
+			loglog(RC_LOG_SERIOUS, "route to peer's client conflicts with \"%s\" %s; releasing old connection to free the route"
+				, o->name, ip_str(&o->spd.that.host_addr));
+			release_connection(o, FALSE);
+		}
+	}
+
+	DBG(DBG_CONTROL, DBG_log("install_inbound_ipsec_sa() checking if we can route"));
+	/* check that we will be able to route and eroute */
+	switch (could_route(c))
+	{
+	case route_easy:
+	case route_nearconflict:
+		break;
+
+	default:
+		return FALSE;
+	}
 
 #ifdef KLIPS
-    /* (attempt to) actually set up the SAs */
-    return setup_half_ipsec_sa(st, TRUE);
+	/* (attempt to) actually set up the SAs */
+	return setup_half_ipsec_sa(st, TRUE);
 #else /* !KLIPS */
-    DBG(DBG_CONTROL, DBG_log("install_inbound_ipsec_sa()"));
-    return TRUE;
+	DBG(DBG_CONTROL, DBG_log("install_inbound_ipsec_sa()"));
+	return TRUE;
 #endif /* !KLIPS */
 }
 
@@ -2407,481 +2391,479 @@ install_inbound_ipsec_sa(struct state *st)
  * Any SA Group must have already been created.
  * On failure, steps will be unwound.
  */
-bool
-route_and_eroute(struct connection *c USED_BY_KLIPS
-		 , struct spd_route *sr USED_BY_KLIPS
-		 , struct state *st USED_BY_KLIPS)
+bool route_and_eroute(struct connection *c USED_BY_KLIPS,
+					  struct spd_route *sr USED_BY_KLIPS,
+					  struct state *st USED_BY_KLIPS)
 {
 #ifdef KLIPS
-    struct spd_route *esr;
-    struct spd_route *rosr;
-    struct connection *ero	/* who, if anyone, owns our eroute? */
-	, *ro = route_owner(c, &rosr, &ero, &esr);
-    bool eroute_installed = FALSE
-	, firewall_notified = FALSE
-	, route_installed = FALSE;
-
-    struct connection *ero_top;
-    struct bare_shunt **bspp;
-
-    DBG(DBG_CONTROLMORE,
-	DBG_log("route_and_eroute with c: %s (next: %s) ero:%s esr:{%p} ro:%s rosr:{%p} and state: %lu"
-		, c->name
-		, (c->policy_next ? c->policy_next->name : "none")
-		, ero ? ero->name : "null"
-		, esr 
-		, ro ? ro->name : "null"
-		, rosr
-		, st ? st->st_serialno : 0));
-
-    /* look along the chain of policies for one with the same name */
-    ero_top = ero;
+	struct spd_route *esr;
+	struct spd_route *rosr;
+	struct connection *ero      /* who, if anyone, owns our eroute? */
+		, *ro = route_owner(c, &rosr, &ero, &esr);
+	bool eroute_installed = FALSE
+		, firewall_notified = FALSE
+		, route_installed = FALSE;
+
+	struct connection *ero_top;
+	struct bare_shunt **bspp;
+
+	DBG(DBG_CONTROLMORE,
+		DBG_log("route_and_eroute with c: %s (next: %s) ero:%s esr:{%p} ro:%s rosr:{%p} and state: %lu"
+				, c->name
+				, (c->policy_next ? c->policy_next->name : "none")
+				, ero ? ero->name : "null"
+				, esr 
+				, ro ? ro->name : "null"
+				, rosr
+				, st ? st->st_serialno : 0));
+
+	/* look along the chain of policies for one with the same name */
+	ero_top = ero;
 
 #if 0
-    /* XXX - mcr this made sense before, and likely will make sense
-     * again, so I'l leaving this to remind me what is up */
-    if (ero!= NULL && ero->routing == RT_UNROUTED_KEYED)
-	ero = NULL;
-
-    for (ero2 = ero; ero2 != NULL; ero2 = ero->policy_next)
-	if ((ero2->kind == CK_TEMPLATE || ero2->kind==CK_SECONDARY)
-	&& streq(ero2->name, c->name))
-	    break;
+	/* XXX - mcr this made sense before, and likely will make sense
+	 * again, so I'l leaving this to remind me what is up */
+	if (ero!= NULL && ero->routing == RT_UNROUTED_KEYED)
+		ero = NULL;
+
+	for (ero2 = ero; ero2 != NULL; ero2 = ero->policy_next)
+		if ((ero2->kind == CK_TEMPLATE || ero2->kind==CK_SECONDARY)
+		&& streq(ero2->name, c->name))
+			break;
 #endif
 
-    bspp = (ero == NULL)
-	? bare_shunt_ptr(&sr->this.client, &sr->that.client, sr->this.protocol)
-	: NULL;
+	bspp = (ero == NULL)
+		? bare_shunt_ptr(&sr->this.client, &sr->that.client, sr->this.protocol)
+		: NULL;
 
-    /* install the eroute */
+	/* install the eroute */
 
-    passert(bspp == NULL || ero == NULL);	/* only one non-NULL */
+	passert(bspp == NULL || ero == NULL);       /* only one non-NULL */
 
-    if (bspp != NULL || ero != NULL)
-    {
-	/* We're replacing an eroute */
+	if (bspp != NULL || ero != NULL)
+	{
+		/* We're replacing an eroute */
 
-	/* if no state provided, then install a shunt for later */
-	if (st == NULL)
-	    eroute_installed = shunt_eroute(c, sr, RT_ROUTED_PROSPECTIVE
-					    , ERO_REPLACE, "replace");
-	else
-	    eroute_installed = sag_eroute(st, sr, ERO_REPLACE, "replace");
+		/* if no state provided, then install a shunt for later */
+		if (st == NULL)
+			eroute_installed = shunt_eroute(c, sr, RT_ROUTED_PROSPECTIVE
+											, ERO_REPLACE, "replace");
+		else
+			eroute_installed = sag_eroute(st, sr, ERO_REPLACE, "replace");
 
 #if 0
-	/* XXX - MCR. I previously felt that this was a bogus check */
-	if (ero != NULL && ero != c && esr != sr)
-	{
-	    /* By elimination, we must be eclipsing ero.  Check. */
-	    passert(ero->kind == CK_TEMPLATE && streq(ero->name, c->name));
-	    passert(LHAS(LELEM(RT_ROUTED_PROSPECTIVE) | LELEM(RT_ROUTED_ECLIPSED)
-		, esr->routing));
-	    passert(samesubnet(&esr->this.client, &sr->this.client)
-		&& samesubnet(&esr->that.client, &sr->that.client));
-	}
+		/* XXX - MCR. I previously felt that this was a bogus check */
+		if (ero != NULL && ero != c && esr != sr)
+		{
+			/* By elimination, we must be eclipsing ero.  Check. */
+			passert(ero->kind == CK_TEMPLATE && streq(ero->name, c->name));
+			passert(LHAS(LELEM(RT_ROUTED_PROSPECTIVE) | LELEM(RT_ROUTED_ECLIPSED)
+				, esr->routing));
+			passert(samesubnet(&esr->this.client, &sr->this.client)
+				&& samesubnet(&esr->that.client, &sr->that.client));
+		}
 #endif
-	/* remember to free bspp iff we make it out of here alive */
-    }
-    else
-    {
-	/* we're adding an eroute */
-
-	/* if no state provided, then install a shunt for later */
-	if (st == NULL)
-	    eroute_installed = shunt_eroute(c, sr, RT_ROUTED_PROSPECTIVE
-					    , ERO_ADD, "add");
-	else
-	    eroute_installed = sag_eroute(st, sr, ERO_ADD, "add");
-    }
-
-    /* notify the firewall of a new tunnel */
-
-    if (eroute_installed)
-    {
-	/* do we have to notify the firewall?  Yes, if we are installing
-	 * a tunnel eroute and the firewall wasn't notified
-	 * for a previous tunnel with the same clients.  Any Previous
-	 * tunnel would have to be for our connection, so the actual
-	 * test is simple.
-	 */
-	firewall_notified = st == NULL	/* not a tunnel eroute */
-	    || sr->eroute_owner != SOS_NOBODY	/* already notified */
-	    || do_command(c, sr, "up");	/* go ahead and notify */
-    }
-
-    /* install the route */
-
-    DBG(DBG_CONTROL,
-	DBG_log("route_and_eroute: firewall_notified: %s"
-		, firewall_notified ? "true" : "false"));
-    if (!firewall_notified)
-    {
-	/* we're in trouble -- don't do routing */
-    }
-    else if (ro == NULL)
-    {
-	/* a new route: no deletion required, but preparation is */
-	(void) do_command(c, sr, "prepare");	/* just in case; ignore failure */
-	route_installed = do_command(c, sr, "route");
-    }
-    else if (routed(sr->routing)
-    || routes_agree(ro, c))
-    {
-	route_installed = TRUE;	/* nothing to be done */
-    }
-    else
-    {
-	/* Some other connection must own the route
-	 * and the route must disagree.  But since could_route
-	 * must have allowed our stealing it, we'll do so.
-	 *
-	 * A feature of LINUX allows us to install the new route
-	 * before deleting the old if the nexthops differ.
-	 * This reduces the "window of vulnerability" when packets
-	 * might flow in the clear.
-	 */
-	if (sameaddr(&sr->this.host_nexthop, &esr->this.host_nexthop))
-	{
-	    (void) do_command(ro, sr, "unroute");
-	    route_installed = do_command(c, sr, "route");
+		/* remember to free bspp iff we make it out of here alive */
 	}
 	else
 	{
-	    route_installed = do_command(c, sr, "route");
-	    (void) do_command(ro, sr, "unroute");
+		/* we're adding an eroute */
+
+		/* if no state provided, then install a shunt for later */
+		if (st == NULL)
+			eroute_installed = shunt_eroute(c, sr, RT_ROUTED_PROSPECTIVE
+											, ERO_ADD, "add");
+		else
+			eroute_installed = sag_eroute(st, sr, ERO_ADD, "add");
 	}
 
-	/* record unrouting */
-	if (route_installed)
-	{
-	    do {
-		passert(!erouted(rosr->routing));
-		rosr->routing = RT_UNROUTED;
+	/* notify the firewall of a new tunnel */
 
-		/* no need to keep old value */
-		ro = route_owner(c, &rosr, NULL, NULL);
-	    } while (ro != NULL);
+	if (eroute_installed)
+	{
+		/* do we have to notify the firewall?  Yes, if we are installing
+		 * a tunnel eroute and the firewall wasn't notified
+		 * for a previous tunnel with the same clients.  Any Previous
+		 * tunnel would have to be for our connection, so the actual
+		 * test is simple.
+		 */
+		firewall_notified = st == NULL  /* not a tunnel eroute */
+			|| sr->eroute_owner != SOS_NOBODY   /* already notified */
+			|| do_command(c, sr, "up"); /* go ahead and notify */
 	}
-    }
 
-    /* all done -- clean up */
-    if (route_installed)
-    {
-	/* Success! */
+	/* install the route */
 
-	if (bspp != NULL)
+	DBG(DBG_CONTROL,
+		DBG_log("route_and_eroute: firewall_notified: %s"
+				, firewall_notified ? "true" : "false"));
+	if (!firewall_notified)
 	{
-	    free_bare_shunt(bspp);
+		/* we're in trouble -- don't do routing */
 	}
-	else if (ero != NULL && ero != c)
+	else if (ro == NULL)
 	{
-	    /* check if ero is an ancestor of c. */
-	    struct connection *ero2;
-
-	    for (ero2 = c; ero2 != NULL && ero2 != c; ero2 = ero2->policy_next)
-		;
-
-	    if (ero2 == NULL)
-	    {
-		/* By elimination, we must be eclipsing ero.  Checked above. */
-		if (ero->spd.routing != RT_ROUTED_ECLIPSED)
-		{
-		    ero->spd.routing = RT_ROUTED_ECLIPSED;
-		    eclipse_count++;
-		}
-	    }
+		/* a new route: no deletion required, but preparation is */
+		(void) do_command(c, sr, "prepare");    /* just in case; ignore failure */
+		route_installed = do_command(c, sr, "route");
 	}
-
-	if (st == NULL)
+	else if (routed(sr->routing)
+	|| routes_agree(ro, c))
 	{
-	    passert(sr->eroute_owner == SOS_NOBODY);
-	    sr->routing = RT_ROUTED_PROSPECTIVE;
+		route_installed = TRUE; /* nothing to be done */
 	}
 	else
 	{
-	    char cib[CONN_INST_BUF];
-	    sr->routing = RT_ROUTED_TUNNEL;
+		/* Some other connection must own the route
+		 * and the route must disagree.  But since could_route
+		 * must have allowed our stealing it, we'll do so.
+		 *
+		 * A feature of LINUX allows us to install the new route
+		 * before deleting the old if the nexthops differ.
+		 * This reduces the "window of vulnerability" when packets
+		 * might flow in the clear.
+		 */
+		if (sameaddr(&sr->this.host_nexthop, &esr->this.host_nexthop))
+		{
+			(void) do_command(ro, sr, "unroute");
+			route_installed = do_command(c, sr, "route");
+		}
+		else
+		{
+			route_installed = do_command(c, sr, "route");
+			(void) do_command(ro, sr, "unroute");
+		}
 
-	    DBG(DBG_CONTROL,
-		DBG_log("route_and_eroute: instance \"%s\"%s, setting eroute_owner {spd=%p,sr=%p} to #%ld (was #%ld) (newest_ipsec_sa=#%ld)"
-			, st->st_connection->name
-			, (fmt_conn_instance(st->st_connection, cib), cib)
-			, &st->st_connection->spd, sr
-			, st->st_serialno
-			, sr->eroute_owner
-			, st->st_connection->newest_ipsec_sa));
-	    sr->eroute_owner = st->st_serialno;
-	}
+		/* record unrouting */
+		if (route_installed)
+		{
+			do {
+				passert(!erouted(rosr->routing));
+				rosr->routing = RT_UNROUTED;
 
-	return TRUE;
-    }
-    else
-    {
-	/* Failure!  Unwind our work. */
-	if (firewall_notified && sr->eroute_owner == SOS_NOBODY)
-	    (void) do_command(c, sr, "down");
+				/* no need to keep old value */
+				ro = route_owner(c, &rosr, NULL, NULL);
+			} while (ro != NULL);
+		}
+	}
 
-	if (eroute_installed)
+	/* all done -- clean up */
+	if (route_installed)
 	{
-	    /* Restore original eroute, if we can.
-	     * Since there is nothing much to be done if the restoration
-	     * fails, ignore success or failure.
-	     */
-	    if (bspp != NULL)
-	    {
-		/* Restore old bare_shunt.
-		 * I don't think that this case is very likely.
-		 * Normally a bare shunt would have been assigned
-		 * to a connection before we've gotten this far.
-		 */
-		struct bare_shunt *bs = *bspp;
-
-		(void) raw_eroute(&bs->said.dst	/* should be useless */
-		    , &bs->ours
-		    , &bs->said.dst	/* should be useless */
-		    , &bs->his
-		    , bs->said.spi	/* network order */
-		    , SA_INT
-		    , SADB_X_SATYPE_INT
-		    , 0
-		    , null_proto_info
-		    , SHUNT_PATIENCE
-		    , ERO_REPLACE, "restore");
-	    }
-	    else if (ero != NULL)
-	    {
-		/* restore ero's former glory */
-		if (esr->eroute_owner == SOS_NOBODY)
+		/* Success! */
+
+		if (bspp != NULL)
 		{
-		    /* note: normal or eclipse case */
-		    (void) shunt_eroute(ero, esr
-					, esr->routing, ERO_REPLACE, "restore");
+			free_bare_shunt(bspp);
 		}
-		else
+		else if (ero != NULL && ero != c)
 		{
-		    /* Try to find state that owned eroute.
-		     * Don't do anything if it cannot be found.
-		     * This case isn't likely since we don't run
-		     * the updown script when replacing a SA group
-		     * with its successor (for the same conn).
-		     */
-		    struct state *ost = state_with_serialno(esr->eroute_owner);
-
-		    if (ost != NULL)
-			(void) sag_eroute(ost, esr, ERO_REPLACE, "restore");
+			/* check if ero is an ancestor of c. */
+			struct connection *ero2;
+
+			for (ero2 = c; ero2 != NULL && ero2 != c; ero2 = ero2->policy_next)
+				;
+
+			if (ero2 == NULL)
+			{
+				/* By elimination, we must be eclipsing ero.  Checked above. */
+				if (ero->spd.routing != RT_ROUTED_ECLIPSED)
+				{
+					ero->spd.routing = RT_ROUTED_ECLIPSED;
+					eclipse_count++;
+				}
+			}
 		}
-	    }
-	    else
-	    {
-		/* there was no previous eroute: delete whatever we installed */
+
 		if (st == NULL)
-		    (void) shunt_eroute(c, sr
-					, sr->routing, ERO_DELETE, "delete");
+		{
+			passert(sr->eroute_owner == SOS_NOBODY);
+			sr->routing = RT_ROUTED_PROSPECTIVE;
+		}
 		else
-		    (void) sag_eroute(st, sr
-				      , ERO_DELETE, "delete");
-	    }
+		{
+			char cib[CONN_INST_BUF];
+			sr->routing = RT_ROUTED_TUNNEL;
+
+			DBG(DBG_CONTROL,
+				DBG_log("route_and_eroute: instance \"%s\"%s, setting eroute_owner {spd=%p,sr=%p} to #%ld (was #%ld) (newest_ipsec_sa=#%ld)"
+						, st->st_connection->name
+						, (fmt_conn_instance(st->st_connection, cib), cib)
+						, &st->st_connection->spd, sr
+						, st->st_serialno
+						, sr->eroute_owner
+						, st->st_connection->newest_ipsec_sa));
+			sr->eroute_owner = st->st_serialno;
+		}
+
+		return TRUE;
 	}
+	else
+	{
+		/* Failure!  Unwind our work. */
+		if (firewall_notified && sr->eroute_owner == SOS_NOBODY)
+			(void) do_command(c, sr, "down");
 
-	return FALSE;
-    }
+		if (eroute_installed)
+		{
+			/* Restore original eroute, if we can.
+			 * Since there is nothing much to be done if the restoration
+			 * fails, ignore success or failure.
+			 */
+			if (bspp != NULL)
+			{
+				/* Restore old bare_shunt.
+				 * I don't think that this case is very likely.
+				 * Normally a bare shunt would have been assigned
+				 * to a connection before we've gotten this far.
+				 */
+				struct bare_shunt *bs = *bspp;
+
+				(void) raw_eroute(&bs->said.dst /* should be useless */
+					, &bs->ours
+					, &bs->said.dst     /* should be useless */
+					, &bs->his
+					, bs->said.spi      /* network order */
+					, SA_INT
+					, SADB_X_SATYPE_INT
+					, 0
+					, null_proto_info
+					, SHUNT_PATIENCE
+					, ERO_REPLACE, "restore");
+			}
+			else if (ero != NULL)
+			{
+				/* restore ero's former glory */
+				if (esr->eroute_owner == SOS_NOBODY)
+				{
+					/* note: normal or eclipse case */
+					(void) shunt_eroute(ero, esr
+										, esr->routing, ERO_REPLACE, "restore");
+				}
+				else
+				{
+					/* Try to find state that owned eroute.
+					 * Don't do anything if it cannot be found.
+					 * This case isn't likely since we don't run
+					 * the updown script when replacing a SA group
+					 * with its successor (for the same conn).
+					 */
+					struct state *ost = state_with_serialno(esr->eroute_owner);
+
+					if (ost != NULL)
+						(void) sag_eroute(ost, esr, ERO_REPLACE, "restore");
+				}
+			}
+			else
+			{
+				/* there was no previous eroute: delete whatever we installed */
+				if (st == NULL)
+					(void) shunt_eroute(c, sr
+										, sr->routing, ERO_DELETE, "delete");
+				else
+					(void) sag_eroute(st, sr
+									  , ERO_DELETE, "delete");
+			}
+		}
+
+		return FALSE;
+	}
 #else /* !KLIPS */
-    return TRUE;
+	return TRUE;
 #endif /* !KLIPS */
 }
 
-bool
-install_ipsec_sa(struct state *st, bool inbound_also USED_BY_KLIPS)
+bool install_ipsec_sa(struct state *st, bool inbound_also USED_BY_KLIPS)
 {
 #ifdef KLIPS
-    struct spd_route *sr;
-
-    DBG(DBG_CONTROL, DBG_log("install_ipsec_sa() for #%ld: %s"
-			     , st->st_serialno
-			     , inbound_also?
-			     "inbound and outbound" : "outbound only"));
-
-    switch (could_route(st->st_connection))
-    {
-    case route_easy:
-    case route_nearconflict:
-	break;
+	struct spd_route *sr;
 
-    default:
-	return FALSE;
-    }
+	DBG(DBG_CONTROL, DBG_log("install_ipsec_sa() for #%ld: %s"
+							 , st->st_serialno
+							 , inbound_also?
+							 "inbound and outbound" : "outbound only"));
 
-    /* (attempt to) actually set up the SA group */
-    if ((inbound_also && !setup_half_ipsec_sa(st, TRUE))
-    || !setup_half_ipsec_sa(st, FALSE))
-	return FALSE;
+	switch (could_route(st->st_connection))
+	{
+	case route_easy:
+	case route_nearconflict:
+		break;
 
-    for (sr = &st->st_connection->spd; sr != NULL; sr = sr->next)
-    {
-	DBG(DBG_CONTROL, DBG_log("sr for #%ld: %s"
-				 , st->st_serialno
-				 , enum_name(&routing_story, sr->routing)));
+	default:
+		return FALSE;
+	}
 
-	/*
-	 * if the eroute owner is not us, then make it us.
-	 * See test co-terminal-02, pluto-rekey-01, pluto-unit-02/oppo-twice
-	 */
-	pexpect(sr->eroute_owner == SOS_NOBODY
-		|| sr->routing >= RT_ROUTED_TUNNEL);
+	/* (attempt to) actually set up the SA group */
+	if ((inbound_also && !setup_half_ipsec_sa(st, TRUE))
+	|| !setup_half_ipsec_sa(st, FALSE))
+		return FALSE;
 
-	if (sr->eroute_owner != st->st_serialno
-	    && sr->routing != RT_UNROUTED_KEYED)
+	for (sr = &st->st_connection->spd; sr != NULL; sr = sr->next)
 	{
-	    if (!route_and_eroute(st->st_connection, sr, st))
-	    {
-		delete_ipsec_sa(st, FALSE);
-		/* XXX go and unroute any SRs that were successfully
-		 * routed already.
+		DBG(DBG_CONTROL, DBG_log("sr for #%ld: %s"
+								 , st->st_serialno
+								 , enum_name(&routing_story, sr->routing)));
+
+		/*
+		 * if the eroute owner is not us, then make it us.
+		 * See test co-terminal-02, pluto-rekey-01, pluto-unit-02/oppo-twice
 		 */
-		return FALSE;
-	    }
+		pexpect(sr->eroute_owner == SOS_NOBODY
+				|| sr->routing >= RT_ROUTED_TUNNEL);
+
+		if (sr->eroute_owner != st->st_serialno
+			&& sr->routing != RT_UNROUTED_KEYED)
+		{
+			if (!route_and_eroute(st->st_connection, sr, st))
+			{
+				delete_ipsec_sa(st, FALSE);
+				/* XXX go and unroute any SRs that were successfully
+				 * routed already.
+				 */
+				return FALSE;
+			}
+		}
 	}
-    }
 #else /* !KLIPS */
-    DBG(DBG_CONTROL, DBG_log("install_ipsec_sa() %s"
-	, inbound_also? "inbound and oubound" : "outbound only"));
+	DBG(DBG_CONTROL, DBG_log("install_ipsec_sa() %s"
+		, inbound_also? "inbound and oubound" : "outbound only"));
 
-    switch (could_route(st->st_connection))
-    {
-    case route_easy:
-    case route_nearconflict:
-	break;
+	switch (could_route(st->st_connection))
+	{
+	case route_easy:
+	case route_nearconflict:
+		break;
 
-    default:
-	return FALSE;
-    }
+	default:
+		return FALSE;
+	}
 
 
 #endif /* !KLIPS */
 
-    return TRUE;
+	return TRUE;
 }
 
 /* delete an IPSEC SA.
  * we may not succeed, but we bull ahead anyway because
  * we cannot do anything better by recognizing failure
  */
-void
-delete_ipsec_sa(struct state *st USED_BY_KLIPS, bool inbound_only USED_BY_KLIPS)
+void delete_ipsec_sa(struct state *st USED_BY_KLIPS,
+					 bool inbound_only USED_BY_KLIPS)
 {
 #ifdef KLIPS
-    if (!inbound_only)
-    {
-	/* If the state is the eroute owner, we must adjust
-	 * the routing for the connection.
-	 */
-	struct connection *c = st->st_connection;
-	struct spd_route *sr;
-
-	passert(st->st_connection);
-
-	for (sr = &c->spd; sr; sr = sr->next)
+	if (!inbound_only)
 	{
-	    if (sr->eroute_owner == st->st_serialno
-	    && sr->routing == RT_ROUTED_TUNNEL)
-	    {
-		sr->eroute_owner = SOS_NOBODY;
-
-		/* Routing should become RT_ROUTED_FAILURE,
-		 * but if POLICY_FAIL_NONE, then we just go
-		 * right back to RT_ROUTED_PROSPECTIVE as if no
-		 * failure happened.
+		/* If the state is the eroute owner, we must adjust
+		 * the routing for the connection.
 		 */
-		sr->routing = (c->policy & POLICY_FAIL_MASK) == POLICY_FAIL_NONE
-		    ? RT_ROUTED_PROSPECTIVE : RT_ROUTED_FAILURE;
+		struct connection *c = st->st_connection;
+		struct spd_route *sr;
 
-		(void) do_command(c, sr, "down");
-		if ((c->policy & POLICY_DONT_REKEY)
-		&& c->kind == CK_INSTANCE)
-		{
-		    /* in this special case, even if the connection
-		     * is still alive (due to an ISAKMP SA),
-		     * we get rid of routing.
-		     * Even though there is still an eroute, the c->routing
-		     * setting will convince unroute_connection to delete it.
-		     * unroute_connection would be upset if c->routing == RT_ROUTED_TUNNEL
-		     */
-		    unroute_connection(c);
-		}
-		else
+		passert(st->st_connection);
+
+		for (sr = &c->spd; sr; sr = sr->next)
 		{
-		    (void) shunt_eroute(c, sr, sr->routing, ERO_REPLACE, "replace with shunt");
+			if (sr->eroute_owner == st->st_serialno
+			&& sr->routing == RT_ROUTED_TUNNEL)
+			{
+				sr->eroute_owner = SOS_NOBODY;
+
+				/* Routing should become RT_ROUTED_FAILURE,
+				 * but if POLICY_FAIL_NONE, then we just go
+				 * right back to RT_ROUTED_PROSPECTIVE as if no
+				 * failure happened.
+				 */
+				sr->routing = (c->policy & POLICY_FAIL_MASK) == POLICY_FAIL_NONE
+					? RT_ROUTED_PROSPECTIVE : RT_ROUTED_FAILURE;
+
+				(void) do_command(c, sr, "down");
+				if ((c->policy & POLICY_DONT_REKEY)
+				&& c->kind == CK_INSTANCE)
+				{
+					/* in this special case, even if the connection
+					 * is still alive (due to an ISAKMP SA),
+					 * we get rid of routing.
+					 * Even though there is still an eroute, the c->routing
+					 * setting will convince unroute_connection to delete it.
+					 * unroute_connection would be upset if c->routing == RT_ROUTED_TUNNEL
+					 */
+					unroute_connection(c);
+				}
+				else
+				{
+					(void) shunt_eroute(c, sr, sr->routing, ERO_REPLACE, "replace with shunt");
+				}
+			}
 		}
-	    }
+		(void) teardown_half_ipsec_sa(st, FALSE);
 	}
-	(void) teardown_half_ipsec_sa(st, FALSE);
-    }
-    (void) teardown_half_ipsec_sa(st, TRUE);
+	(void) teardown_half_ipsec_sa(st, TRUE);
 #else /* !KLIPS */
-    DBG(DBG_CONTROL, DBG_log("if I knew how, I'd eroute() and teardown_ipsec_sa()"));
+	DBG(DBG_CONTROL, DBG_log("if I knew how, I'd eroute() and teardown_ipsec_sa()"));
 #endif /* !KLIPS */
 }
 
 #ifdef KLIPS
 static bool update_nat_t_ipsec_esp_sa (struct state *st, bool inbound)
 {
-    struct connection *c = st->st_connection;
-    char text_said[SATOT_BUF];
-    struct kernel_sa sa;	
-    ip_address
-	src = inbound? c->spd.that.host_addr : c->spd.this.host_addr,
-	dst = inbound? c->spd.this.host_addr : c->spd.that.host_addr;
-
-    ipsec_spi_t esp_spi = inbound? st->st_esp.our_spi : st->st_esp.attrs.spi;
-
-    u_int16_t
-	natt_sport = inbound? c->spd.that.host_port : c->spd.this.host_port,
-	natt_dport = inbound? c->spd.this.host_port : c->spd.that.host_port;
-
-    set_text_said(text_said, &dst, esp_spi, SA_ESP);
-
-    memset(&sa, 0, sizeof(sa));
-    sa.spi = esp_spi;
-    sa.src = &src;
-    sa.dst = &dst;
-    sa.text_said = text_said;
-    sa.authalg = alg_info_esp_aa2sadb(st->st_esp.attrs.auth);
-    sa.natt_sport = natt_sport;
-    sa.natt_dport = natt_dport;
-    sa.transid = st->st_esp.attrs.transid;
-
-    return kernel_ops->add_sa(&sa, TRUE);
+	struct connection *c = st->st_connection;
+	char text_said[SATOT_BUF];
+	struct kernel_sa sa;        
+	ip_address
+		src = inbound? c->spd.that.host_addr : c->spd.this.host_addr,
+		dst = inbound? c->spd.this.host_addr : c->spd.that.host_addr;
+
+	ipsec_spi_t esp_spi = inbound? st->st_esp.our_spi : st->st_esp.attrs.spi;
+
+	u_int16_t
+		natt_sport = inbound? c->spd.that.host_port : c->spd.this.host_port,
+		natt_dport = inbound? c->spd.this.host_port : c->spd.that.host_port;
+
+	set_text_said(text_said, &dst, esp_spi, SA_ESP);
+
+	memset(&sa, 0, sizeof(sa));
+	sa.spi = esp_spi;
+	sa.src = &src;
+	sa.dst = &dst;
+	sa.text_said = text_said;
+	sa.authalg = alg_info_esp_aa2sadb(st->st_esp.attrs.auth);
+	sa.natt_sport = natt_sport;
+	sa.natt_dport = natt_dport;
+	sa.transid = st->st_esp.attrs.transid;
+
+	return kernel_ops->add_sa(&sa, TRUE);
 }
 #endif
 
 bool update_ipsec_sa (struct state *st USED_BY_KLIPS)
 {
 #ifdef KLIPS
-    if (IS_IPSEC_SA_ESTABLISHED(st->st_state))
-    {
-	if (st->st_esp.present && (
-	   (!update_nat_t_ipsec_esp_sa (st, TRUE)) ||
-	   (!update_nat_t_ipsec_esp_sa (st, FALSE))))
+	if (IS_IPSEC_SA_ESTABLISHED(st->st_state))
+	{
+		if (st->st_esp.present && (
+		   (!update_nat_t_ipsec_esp_sa (st, TRUE)) ||
+		   (!update_nat_t_ipsec_esp_sa (st, FALSE))))
+		{
+			return FALSE;
+		}
+	}
+	else if (IS_ONLY_INBOUND_IPSEC_SA_ESTABLISHED(st->st_state))
 	{
-	    return FALSE;
+		if (st->st_esp.present && !update_nat_t_ipsec_esp_sa (st, FALSE))
+		{
+			return FALSE;
+		}
 	}
-    }
-    else if (IS_ONLY_INBOUND_IPSEC_SA_ESTABLISHED(st->st_state))
-    {
-	if (st->st_esp.present && !update_nat_t_ipsec_esp_sa (st, FALSE))
+	else
 	{
-	    return FALSE;
+		DBG_log("assert failed at %s:%d st_state=%d", __FILE__, __LINE__, st->st_state);
+		return FALSE;
 	}
-    }
-    else
-    {
-	DBG_log("assert failed at %s:%d st_state=%d", __FILE__, __LINE__, st->st_state);
-	return FALSE;
-    }
-    return TRUE;
+	return TRUE;
 #else /* !KLIPS */
-    DBG(DBG_CONTROL, DBG_log("if I knew how, I'd update_ipsec_sa()"));
-    return TRUE;
+	DBG(DBG_CONTROL, DBG_log("if I knew how, I'd update_ipsec_sa()"));
+	return TRUE;
 #endif /* !KLIPS */
 }
 
@@ -2890,106 +2872,105 @@ bool update_ipsec_sa (struct state *st USED_BY_KLIPS)
  * If FALSE, DPD is not necessary. We also return TRUE for errors, as they
  * could mean that the SA is broken and needs to be replace anyway.
  */
-bool
-was_eroute_idle(struct state *st, time_t idle_max, time_t *idle_time)
+bool was_eroute_idle(struct state *st, time_t idle_max, time_t *idle_time)
 {
-    static const char procname[] = "/proc/net/ipsec_spi";
-    FILE *f;
-    char buf[1024];
-    u_int bytes;
-    int ret = TRUE;
-
-    passert(st != NULL);
-
-    f = fopen(procname, "r");
-    if (f == NULL)
-    {
-	/* Can't open the file, perhaps were are on 26sec? */
-	time_t use_time;
-
-	if (get_sa_info(st, TRUE, &bytes, &use_time)
-	&& use_time != UNDEFINED_TIME)
-	{
-	    *idle_time = time(NULL) - use_time;
-	    ret = *idle_time >= idle_max;
-	}
-    }
-    else 
-    {
-	while (f != NULL)
-	{
-	    char *line;
-	    char text_said[SATOT_BUF];
-	    u_int8_t proto = 0;
-	    ip_address dst;
-	    ip_said said;
-	    ipsec_spi_t spi = 0;
-	    static const char idle[] = "idle=";
-
-	    dst = st->st_connection->spd.this.host_addr; /* inbound SA */
-	    if (st->st_ah.present)
-	    {
-		proto = SA_AH;
-		spi = st->st_ah.our_spi;
-	    }
-	    if (st->st_esp.present)
-	    {
-		proto = SA_ESP;
-		spi = st->st_esp.our_spi;
-	    }
-
-	    if (proto == 0 && spi == 0)
-	    {
-		ret = TRUE;
-		break;
-	    }
-
-	    initsaid(&dst, spi, proto, &said);
-	    satot(&said, 'x', text_said, SATOT_BUF);
+	static const char procname[] = "/proc/net/ipsec_spi";
+	FILE *f;
+	char buf[1024];
+	u_int bytes;
+	int ret = TRUE;
 
-	    line = fgets(buf, sizeof(buf), f);
-	    if (line == NULL)
-	    {
-		/* Reached end of list */
-		ret = TRUE;
-		break;
-	    }
+	passert(st != NULL);
 
-	    if (strncmp(line, text_said, strlen(text_said)) == 0)
-	    {
-		/* we found a match, now try to find idle= */
-		char *p = strstr(line, idle);
+	f = fopen(procname, "r");
+	if (f == NULL)
+	{
+		/* Can't open the file, perhaps were are on 26sec? */
+		time_t use_time;
 
-		if (p == NULL)
-		{
-		    /* SAs which haven't been used yet don't have it */
-		    ret = TRUE; /* it didn't have traffic */
-		    break;
-		}
-		p += sizeof(idle)-1;
-		if (*p == '\0')
-		{
-		    ret = TRUE; /* be paranoid */
-		    break;
-		}
-		if (sscanf(p, "%d", (int *) idle_time) <= 0)
-		{
-		    ret = TRUE;
-		    break;
-		}
-		if (*idle_time >= idle_max)
+		if (get_sa_info(st, TRUE, &bytes, &use_time)
+		&& use_time != UNDEFINED_TIME)
 		{
-		    ret = TRUE;
-		    break;
+			*idle_time = time(NULL) - use_time;
+			ret = *idle_time >= idle_max;
 		}
-		else
+	}
+	else 
+	{
+		while (f != NULL)
 		{
-		    ret = FALSE;
-		    break;
+			char *line;
+			char text_said[SATOT_BUF];
+			u_int8_t proto = 0;
+			ip_address dst;
+			ip_said said;
+			ipsec_spi_t spi = 0;
+			static const char idle[] = "idle=";
+
+			dst = st->st_connection->spd.this.host_addr; /* inbound SA */
+			if (st->st_ah.present)
+			{
+				proto = SA_AH;
+				spi = st->st_ah.our_spi;
+			}
+			if (st->st_esp.present)
+			{
+				proto = SA_ESP;
+				spi = st->st_esp.our_spi;
+			}
+
+			if (proto == 0 && spi == 0)
+			{
+				ret = TRUE;
+				break;
+			}
+
+			initsaid(&dst, spi, proto, &said);
+			satot(&said, 'x', text_said, SATOT_BUF);
+
+			line = fgets(buf, sizeof(buf), f);
+			if (line == NULL)
+			{
+				/* Reached end of list */
+				ret = TRUE;
+				break;
+			}
+
+			if (strneq(line, text_said, strlen(text_said)))
+			{
+				/* we found a match, now try to find idle= */
+				char *p = strstr(line, idle);
+
+				if (p == NULL)
+				{
+					/* SAs which haven't been used yet don't have it */
+					ret = TRUE; /* it didn't have traffic */
+					break;
+				}
+				p += sizeof(idle)-1;
+				if (*p == '\0')
+				{
+					ret = TRUE; /* be paranoid */
+					break;
+				}
+				if (sscanf(p, "%d", (int *) idle_time) <= 0)
+				{
+					ret = TRUE;
+					break;
+				}
+				if (*idle_time >= idle_max)
+				{
+					ret = TRUE;
+					break;
+				}
+				else
+				{
+					ret = FALSE;
+					break;
+				}
+			}
 		}
-	    }
+		fclose(f);
 	}
-	fclose(f);
-    }
-    return ret;
+	return ret;
 }
diff --git a/src/pluto/kernel.h b/src/pluto/kernel.h
index fdc2bf0a8..06850abfd 100644
--- a/src/pluto/kernel.h
+++ b/src/pluto/kernel.h
@@ -10,13 +10,11 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: kernel.h 3252 2007-10-06 21:24:50Z andreas $
  */
 
 #include "connections.h"
 
-extern bool no_klips;	/* don't actually use KLIPS */
+extern bool no_klips;   /* don't actually use KLIPS */
 extern bool can_do_IPcomp;  /* can system actually perform IPCOMP? */
 
 #ifdef KLIPS
@@ -28,96 +26,96 @@ extern bool can_do_IPcomp;  /* can system actually perform IPCOMP? */
  * limited to appropriate source and destination addresses.
  */
 
-#define ERO_MASK	0xFF
-#define ERO_FLAG_SHIFT	8
+#define ERO_MASK        0xFF
+#define ERO_FLAG_SHIFT  8
 
-#define ERO_DELETE	SADB_X_DELFLOW
-#define ERO_ADD	SADB_X_ADDFLOW
-#define ERO_REPLACE	(SADB_X_ADDFLOW | (SADB_X_SAFLAGS_REPLACEFLOW << ERO_FLAG_SHIFT))
-#define ERO_ADD_INBOUND	(SADB_X_ADDFLOW | (SADB_X_SAFLAGS_INFLOW << ERO_FLAG_SHIFT))
-#define ERO_DEL_INBOUND	(SADB_X_DELFLOW | (SADB_X_SAFLAGS_INFLOW << ERO_FLAG_SHIFT))
+#define ERO_DELETE      SADB_X_DELFLOW
+#define ERO_ADD SADB_X_ADDFLOW
+#define ERO_REPLACE     (SADB_X_ADDFLOW | (SADB_X_SAFLAGS_REPLACEFLOW << ERO_FLAG_SHIFT))
+#define ERO_ADD_INBOUND (SADB_X_ADDFLOW | (SADB_X_SAFLAGS_INFLOW << ERO_FLAG_SHIFT))
+#define ERO_DEL_INBOUND (SADB_X_DELFLOW | (SADB_X_SAFLAGS_INFLOW << ERO_FLAG_SHIFT))
 
 struct pfkey_proto_info {
-	int proto;
-	int encapsulation;
-	unsigned reqid;
+		int proto;
+		int encapsulation;
+		unsigned reqid;
 };
 struct sadb_msg;
 
 struct kernel_sa {
-	const ip_address *src;
-	const ip_address *dst;
+		const ip_address *src;
+		const ip_address *dst;
 
-	const ip_subnet *src_client;
-	const ip_subnet *dst_client;
+		const ip_subnet *src_client;
+		const ip_subnet *dst_client;
 
-	ipsec_spi_t spi;
-	unsigned proto;
-	unsigned satype;
-	unsigned transport_proto;
-	unsigned replay_window;
-	unsigned reqid;
+		ipsec_spi_t spi;
+		unsigned proto;
+		unsigned satype;
+		unsigned transport_proto;
+		unsigned replay_window;
+		unsigned reqid;
 
-	unsigned authalg;
-	unsigned authkeylen;
-	char *authkey;
+		unsigned authalg;
+		unsigned authkeylen;
+		char *authkey;
 
-	unsigned encalg;
-	unsigned enckeylen;
-	char *enckey;
+		unsigned encalg;
+		unsigned enckeylen;
+		char *enckey;
 
-	unsigned compalg;
+		unsigned compalg;
 
-	int encapsulation;
+		int encapsulation;
 
-	u_int16_t natt_sport, natt_dport;
-	u_int8_t transid, natt_type;
-	ip_address *natt_oa;
+		u_int16_t natt_sport, natt_dport;
+		u_int8_t transid, natt_type;
+		ip_address *natt_oa;
 
-	const char *text_said;
+		const char *text_said;
 };
 
 struct kernel_ops {
-	enum {
-	        KERNEL_TYPE_NONE,
-		KERNEL_TYPE_KLIPS,
-		KERNEL_TYPE_LINUX,
-	} type;
-	bool inbound_eroute;
-	bool policy_lifetime;
-	int *async_fdp;
-
-	void (*init)(void);
-	void (*pfkey_register)(void);
-	void (*pfkey_register_response)(const struct sadb_msg *msg);
-	void (*process_queue)(void);
-	void (*process_msg)(void);
-	bool (*raw_eroute)(const ip_address *this_host,
-			   const ip_subnet *this_client,
-			   const ip_address *that_host,
-			   const ip_subnet *that_client,
-			   ipsec_spi_t spi,
-			   unsigned int satype,
-			   unsigned int transport_proto,
-			   const struct pfkey_proto_info *proto_info,
-			   time_t use_lifetime,
-			   unsigned int op,
-			   const char *text_said);
-	bool (*get_policy)(const struct kernel_sa *sa, bool inbound,
-			   time_t *use_time);
-	bool (*add_sa)(const struct kernel_sa *sa, bool replace);
-	bool (*grp_sa)(const struct kernel_sa *sa_outer,
-		       const struct kernel_sa *sa_inner);
-	bool (*del_sa)(const struct kernel_sa *sa);
-	bool (*get_sa)(const struct kernel_sa *sa, u_int *bytes);
-	ipsec_spi_t (*get_spi)(const ip_address *src,
-			       const ip_address *dst,
-			       int proto,
-			       bool tunnel_mode,
-			       unsigned reqid,
-			       ipsec_spi_t min,
-			       ipsec_spi_t max,
-			       const char *text_said);
+		enum {
+				KERNEL_TYPE_NONE,
+				KERNEL_TYPE_KLIPS,
+				KERNEL_TYPE_LINUX,
+		} type;
+		bool inbound_eroute;
+		bool policy_lifetime;
+		int *async_fdp;
+
+		void (*init)(void);
+		void (*pfkey_register)(void);
+		void (*pfkey_register_response)(const struct sadb_msg *msg);
+		void (*process_queue)(void);
+		void (*process_msg)(void);
+		bool (*raw_eroute)(const ip_address *this_host,
+						   const ip_subnet *this_client,
+						   const ip_address *that_host,
+						   const ip_subnet *that_client,
+						   ipsec_spi_t spi,
+						   unsigned int satype,
+						   unsigned int transport_proto,
+						   const struct pfkey_proto_info *proto_info,
+						   time_t use_lifetime,
+						   unsigned int op,
+						   const char *text_said);
+		bool (*get_policy)(const struct kernel_sa *sa, bool inbound,
+						   time_t *use_time);
+		bool (*add_sa)(const struct kernel_sa *sa, bool replace);
+		bool (*grp_sa)(const struct kernel_sa *sa_outer,
+					   const struct kernel_sa *sa_inner);
+		bool (*del_sa)(const struct kernel_sa *sa);
+		bool (*get_sa)(const struct kernel_sa *sa, u_int *bytes);
+		ipsec_spi_t (*get_spi)(const ip_address *src,
+							   const ip_address *dst,
+							   int proto,
+							   bool tunnel_mode,
+							   unsigned reqid,
+							   ipsec_spi_t min,
+							   ipsec_spi_t max,
+							   const char *text_said);
 };
 
 
@@ -126,13 +124,13 @@ extern const struct kernel_ops *kernel_ops;
 /* information from /proc/net/ipsec_eroute */
 
 struct eroute_info {
-    unsigned long count;
-    ip_subnet ours;
-    ip_subnet his;
-    ip_address dst;
-    ip_said	said;
-    int transport_proto;
-    struct eroute_info *next;
+	unsigned long count;
+	ip_subnet ours;
+	ip_subnet his;
+	ip_address dst;
+	ip_said     said;
+	int transport_proto;
+	struct eroute_info *next;
 };
 
 extern struct eroute_info *orphaned_holds;
@@ -144,13 +142,13 @@ extern void show_shunt_status(void);
  * Is there a PF_KEY equivalent?
  */
 #ifndef EM_MAXRELSPIS
-# define EM_MAXRELSPIS 4	/* AH ESP IPCOMP IPIP */
+# define EM_MAXRELSPIS 4        /* AH ESP IPCOMP IPIP */
 #endif
 
 extern void record_and_initiate_opportunistic(const ip_subnet *
-					      , const ip_subnet *
-					      , int transport_proto
-					      , const char *why);
+											  , const ip_subnet *
+											  , int transport_proto
+											  , const char *why);
 
 extern void init_kernel(void);
 
@@ -160,39 +158,39 @@ extern bool trap_connection(struct connection *c);
 extern void unroute_connection(struct connection *c);
 
 extern bool has_bare_hold(const ip_address *src, const ip_address *dst
-			  , int transport_proto);
+						  , int transport_proto);
 
 extern bool replace_bare_shunt(const ip_address *src, const ip_address *dst
-			       , policy_prio_t policy_prio
-			       , ipsec_spi_t shunt_spi	/* in host order! */
-			       , bool repl
-			       , unsigned int transport_proto
-			       , const char *why);
+							   , policy_prio_t policy_prio
+							   , ipsec_spi_t shunt_spi  /* in host order! */
+							   , bool repl
+							   , unsigned int transport_proto
+							   , const char *why);
 
 extern bool assign_hold(struct connection *c
-			, struct spd_route *sr
-			, int transport_proto
-			, const ip_address *src, const ip_address *dst);
+						, struct spd_route *sr
+						, int transport_proto
+						, const ip_address *src, const ip_address *dst);
 
 extern ipsec_spi_t shunt_policy_spi(struct connection *c, bool prospective);
 
 
-struct state;	/* forward declaration of tag */
+struct state;   /* forward declaration of tag */
 extern ipsec_spi_t get_ipsec_spi(ipsec_spi_t avoid
-				 , int proto
-				 , struct spd_route *sr
-				 , bool tunnel_mode);
+								 , int proto
+								 , struct spd_route *sr
+								 , bool tunnel_mode);
 extern ipsec_spi_t get_my_cpi(struct spd_route *sr, bool tunnel_mode);
 
 extern bool install_inbound_ipsec_sa(struct state *st);
 extern bool install_ipsec_sa(struct state *st, bool inbound_also);
 extern void delete_ipsec_sa(struct state *st, bool inbound_only);
 extern bool route_and_eroute(struct connection *c
-			     , struct spd_route *sr
-			     , struct state *st);
+							 , struct spd_route *sr
+							 , struct state *st);
 extern bool was_eroute_idle(struct state *st, time_t idle_max
-    , time_t *idle_time);
+	, time_t *idle_time);
 extern bool get_sa_info(struct state *st, bool inbound, u_int *bytes
-    , time_t *use_time);
+	, time_t *use_time);
 
 extern bool update_ipsec_sa(struct state *st);
diff --git a/src/pluto/kernel_alg.c b/src/pluto/kernel_alg.c
index 571d9cc9b..1590bdf02 100644
--- a/src/pluto/kernel_alg.c
+++ b/src/pluto/kernel_alg.c
@@ -1,5 +1,6 @@
 /* Kernel runtime algorithm handling interface
- * Author: JuanJo Ciarlante <jjo-ipsec@mendoza.gov.ar>
+ * Copyright (C) JuanJo Ciarlante <jjo-ipsec@mendoza.gov.ar>
+ * Copyright (C) 2009 Andreas Steffen - Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -10,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: kernel_alg.c 3252 2007-10-06 21:24:50Z andreas $
  */
 
 #include <stdio.h>
@@ -27,7 +26,6 @@
 #include <pfkey.h>
 
 #include <freeswan.h>
-#include <ipsec_policy.h>
 
 #include "constants.h"
 #include "defs.h"
@@ -38,22 +36,10 @@
 #include "kernel.h"
 #include "kernel_alg.h"
 #include "alg_info.h"
-
-#ifndef NO_PLUTO
 #include "log.h"
 #include "whack.h"
 #include "db_ops.h"
-#else
-/*
- *	macros/functions for compilation without pluto (eg: spi for manual conns)
- */
-extern int debug;
-#include <assert.h>
-#define passert(x) assert(x)
-#define DBG(cond, action)   { if (debug) { action ; } }
-#define DBG_log(x, args...) fprintf(stderr, x "\n" , ##args);
-#define plog(x, args...) fprintf(stderr, x "\n" , ##args);
-#endif /* NO_PLUTO */
+
 /* ALG storage */
 static struct sadb_alg esp_aalg[SADB_AALG_MAX+1];
 static struct sadb_alg esp_ealg[SADB_EALG_MAX+1];
@@ -62,714 +48,669 @@ static int esp_aalg_num = 0;
 
 #define ESP_EALG_PRESENT(algo) (((algo)<=SADB_EALG_MAX)&&(esp_ealg[(algo)].sadb_alg_id==(algo)))
 #define ESP_EALG_FOR_EACH_UPDOWN(algo) \
-	for (algo=SADB_EALG_MAX; algo >0 ; algo--) \
-		if (ESP_EALG_PRESENT(algo))
+		for (algo=SADB_EALG_MAX; algo >0 ; algo--) \
+				if (ESP_EALG_PRESENT(algo))
 #define ESP_AALG_PRESENT(algo) ((algo<=SADB_AALG_MAX)&&(esp_aalg[(algo)].sadb_alg_id==(algo)))
 #define ESP_AALG_FOR_EACH_UPDOWN(algo) \
-	for (algo=SADB_AALG_MAX; algo >0 ; algo--) \
-		if (ESP_AALG_PRESENT(algo))
+		for (algo=SADB_AALG_MAX; algo >0 ; algo--) \
+				if (ESP_AALG_PRESENT(algo))
 
-static struct sadb_alg*
-sadb_alg_ptr (int satype, int exttype, int alg_id, int rw)
+static struct sadb_alg* sadb_alg_ptr (int satype, int exttype, int alg_id,
+									  int rw)
 {
-    struct sadb_alg *alg_p = NULL;
-
-    switch (exttype)
-    {
-    case SADB_EXT_SUPPORTED_AUTH:
-	if (alg_id > SADB_AALG_MAX)
-	    return NULL;
-	break;
-    case SADB_EXT_SUPPORTED_ENCRYPT:
-	if (alg_id > SADB_EALG_MAX)
-	    return NULL;
-	break;
-    default:
-	return NULL;
-    }
-
-    switch (satype)
-    {
-    case SADB_SATYPE_ESP:
-	alg_p = (exttype == SADB_EXT_SUPPORTED_ENCRYPT)?
-		    &esp_ealg[alg_id] : &esp_aalg[alg_id];
-	/* get for write: increment elem count */
-	if (rw)
+	struct sadb_alg *alg_p = NULL;
+
+	switch (exttype)
 	{
-	    (exttype == SADB_EXT_SUPPORTED_ENCRYPT)?
-		esp_ealg_num++ : esp_aalg_num++;
+	case SADB_EXT_SUPPORTED_AUTH:
+		if (alg_id > SADB_AALG_MAX)
+			return NULL;
+		break;
+	case SADB_EXT_SUPPORTED_ENCRYPT:
+		if (alg_id > SADB_EALG_MAX)
+			return NULL;
+		break;
+	default:
+		return NULL;
 	}
-	break;
-    case SADB_SATYPE_AH:
-    default:
-	return NULL;
-    }
-    
-    return alg_p;
+
+	switch (satype)
+	{
+	case SADB_SATYPE_ESP:
+		alg_p = (exttype == SADB_EXT_SUPPORTED_ENCRYPT)?
+					&esp_ealg[alg_id] : &esp_aalg[alg_id];
+		/* get for write: increment elem count */
+		if (rw)
+		{
+			(exttype == SADB_EXT_SUPPORTED_ENCRYPT)?
+				esp_ealg_num++ : esp_aalg_num++;
+		}
+		break;
+	case SADB_SATYPE_AH:
+	default:
+		return NULL;
+	}
+	
+	return alg_p;
 }
 
-const struct sadb_alg *
-kernel_alg_sadb_alg_get(int satype, int exttype, int alg_id)
+const struct sadb_alg* kernel_alg_sadb_alg_get(int satype, int exttype,
+											   int alg_id)
 {
-    return sadb_alg_ptr(satype, exttype, alg_id, 0);
+	return sadb_alg_ptr(satype, exttype, alg_id, 0);
 }
 
 /*
- * 	Forget previous registration
+ *      Forget previous registration
  */
-static void 
-kernel_alg_init(void)
+static void kernel_alg_init(void)
 {
-    DBG(DBG_KLIPS,
-	DBG_log("alg_init(): memset(%p, 0, %d) memset(%p, 0, %d)",
-		&esp_aalg,  (int)sizeof (esp_aalg),
-		&esp_ealg,  (int)sizeof (esp_ealg))
-    )
-    memset (&esp_aalg, 0, sizeof (esp_aalg));
-    memset (&esp_ealg, 0, sizeof (esp_ealg));
-    esp_ealg_num=esp_aalg_num = 0;
+	DBG(DBG_KLIPS,
+		DBG_log("alg_init(): memset(%p, 0, %d) memset(%p, 0, %d)",
+				&esp_aalg,  (int)sizeof (esp_aalg),
+				&esp_ealg,  (int)sizeof (esp_ealg))
+	)
+	memset (&esp_aalg, 0, sizeof (esp_aalg));
+	memset (&esp_ealg, 0, sizeof (esp_ealg));
+	esp_ealg_num=esp_aalg_num = 0;
 }
 
-static int
-kernel_alg_add(int satype, int exttype, const struct sadb_alg *sadb_alg)
+static int kernel_alg_add(int satype, int exttype,
+						  const struct sadb_alg *sadb_alg)
 {
-    struct sadb_alg *alg_p = NULL;
-    int alg_id = sadb_alg->sadb_alg_id;
-
-    DBG(DBG_KLIPS,
-	DBG_log("kernel_alg_add(): satype=%d, exttype=%d, alg_id=%d",
-		satype, exttype, sadb_alg->sadb_alg_id)
-    )
-    if (!(alg_p = sadb_alg_ptr(satype, exttype, alg_id, 1)))
-	return -1;
-
-    /* This logic "mimics" KLIPS: first algo implementation will be used */
-    if (alg_p->sadb_alg_id)
-    {
+	struct sadb_alg *alg_p = NULL;
+	int alg_id = sadb_alg->sadb_alg_id;
+
 	DBG(DBG_KLIPS,
-	    DBG_log("kernel_alg_add(): discarding already setup "
-		    "satype=%d, exttype=%d, alg_id=%d",
-		    satype, exttype, sadb_alg->sadb_alg_id)
+		DBG_log("kernel_alg_add(): satype=%d, exttype=%d, alg_id=%d",
+				satype, exttype, sadb_alg->sadb_alg_id)
 	)
-	return 0;
-    }
-    *alg_p = *sadb_alg;
-    return 1;
+	if (!(alg_p = sadb_alg_ptr(satype, exttype, alg_id, 1)))
+		return -1;
+
+	/* This logic "mimics" KLIPS: first algo implementation will be used */
+	if (alg_p->sadb_alg_id)
+	{
+		DBG(DBG_KLIPS,
+			DBG_log("kernel_alg_add(): discarding already setup "
+					"satype=%d, exttype=%d, alg_id=%d",
+					satype, exttype, sadb_alg->sadb_alg_id)
+		)
+		return 0;
+	}
+	*alg_p = *sadb_alg;
+	return 1;
 }
 
-bool
-kernel_alg_esp_enc_ok(u_int alg_id, u_int key_len,
-		struct alg_info_esp *alg_info __attribute__((unused)))
+bool kernel_alg_esp_enc_ok(u_int alg_id, u_int key_len,
+					struct alg_info_esp *alg_info __attribute__((unused)))
 {
-    struct sadb_alg *alg_p = NULL;
-
-    /*
-     * test #1: encrypt algo must be present
-     */
-    int ret = ESP_EALG_PRESENT(alg_id);
-    if (!ret) goto out;
-
-    alg_p = &esp_ealg[alg_id];
-    
-    /*
-     * test #2: if key_len specified, it must be in range
-     */
-    if (key_len
-    && (key_len < alg_p->sadb_alg_minbits || key_len > alg_p->sadb_alg_maxbits))
-    {
-	plog("kernel_alg_db_add() key_len not in range: alg_id=%d, "
-	     "key_len=%d, alg_minbits=%d, alg_maxbits=%d"
-	     , alg_id, key_len
-	     , alg_p->sadb_alg_minbits
-	     , alg_p->sadb_alg_maxbits);
-	ret = FALSE;
-    }
+	struct sadb_alg *alg_p = NULL;
+
+	/*
+	 * test #1: encrypt algo must be present
+	 */
+	int ret = ESP_EALG_PRESENT(alg_id);
+	if (!ret) goto out;
+
+	alg_p = &esp_ealg[alg_id];
+	
+	/*
+	 * test #2: if key_len specified, it must be in range
+	 */
+	if (key_len
+	&& (key_len < alg_p->sadb_alg_minbits || key_len > alg_p->sadb_alg_maxbits))
+	{
+		plog("kernel_alg_db_add() key_len not in range: alg_id=%d, "
+			 "key_len=%d, alg_minbits=%d, alg_maxbits=%d"
+			 , alg_id, key_len
+			 , alg_p->sadb_alg_minbits
+			 , alg_p->sadb_alg_maxbits);
+		ret = FALSE;
+	}
 
 out:
-    if (ret)
-    {
-	DBG(DBG_KLIPS,
-	    DBG_log("kernel_alg_esp_enc_ok(%d,%d): "
-		    "alg_id=%d, "
-		    "alg_ivlen=%d, alg_minbits=%d, alg_maxbits=%d, "
-		    "res=%d, ret=%d"
-		    , alg_id, key_len
-		    , alg_p->sadb_alg_id
-		    , alg_p->sadb_alg_ivlen
-		    , alg_p->sadb_alg_minbits
-		    , alg_p->sadb_alg_maxbits
-		    , alg_p->sadb_alg_reserved
-		    , ret);
-	)
-    }
-    else
-    {
-	DBG(DBG_KLIPS,
-	    DBG_log("kernel_alg_esp_enc_ok(%d,%d): NO", alg_id, key_len);
-	)
-    }
-    return ret;
+	if (ret)
+	{
+		DBG(DBG_KLIPS,
+			DBG_log("kernel_alg_esp_enc_ok(%d,%d): "
+					"alg_id=%d, "
+					"alg_ivlen=%d, alg_minbits=%d, alg_maxbits=%d, "
+					"res=%d, ret=%d"
+					, alg_id, key_len
+					, alg_p->sadb_alg_id
+					, alg_p->sadb_alg_ivlen
+					, alg_p->sadb_alg_minbits
+					, alg_p->sadb_alg_maxbits
+					, alg_p->sadb_alg_reserved
+					, ret);
+		)
+	}
+	else
+	{
+		DBG(DBG_KLIPS,
+			DBG_log("kernel_alg_esp_enc_ok(%d,%d): NO", alg_id, key_len);
+		)
+	}
+	return ret;
 }
 
 /* 
  * ML: make F_STRICT logic consider enc,auth algorithms 
  */
-#ifndef NO_PLUTO
-bool
-kernel_alg_esp_ok_final(u_int ealg, u_int key_len, u_int aalg, struct alg_info_esp *alg_info)
+bool kernel_alg_esp_ok_final(u_int ealg, u_int key_len, u_int aalg,
+							 struct alg_info_esp *alg_info)
 {
-    int ealg_insecure;
-
-    /*
-     * key_len passed comes from esp_attrs read from peer
-     * For many older algoritms (eg 3DES) this key_len is fixed
-     * and get passed as 0.
-     * ... then get default key_len
-     */
-    if (key_len == 0)
-	key_len = kernel_alg_esp_enc_keylen(ealg) * BITS_PER_BYTE;
-
-    /*
-     * simple test to toss low key_len, will accept it only
-     * if specified in "esp" string
-     */
-    ealg_insecure = (key_len < 128) ;
-
-    if (ealg_insecure
-    || (alg_info && alg_info->alg_info_flags & ALG_INFO_F_STRICT))
-    {
-	int i;
-	struct esp_info *esp_info;
+	int ealg_insecure;
 
-	if (alg_info)
+	/*
+	 * key_len passed comes from esp_attrs read from peer
+	 * For many older algoritms (eg 3DES) this key_len is fixed
+	 * and get passed as 0.
+	 * ... then get default key_len
+	 */
+	if (key_len == 0)
+		key_len = kernel_alg_esp_enc_keylen(ealg) * BITS_PER_BYTE;
+
+	/*
+	 * simple test to toss low key_len, will accept it only
+	 * if specified in "esp" string
+	 */
+	ealg_insecure = (key_len < 128) ;
+
+	if (ealg_insecure
+	|| (alg_info && alg_info->alg_info_flags & ALG_INFO_F_STRICT))
 	{
-	    ALG_INFO_ESP_FOREACH(alg_info, esp_info, i)
-	    {
-		if (esp_info->esp_ealg_id == ealg
-		&& (esp_info->esp_ealg_keylen == 0 || key_len == 0
-		    || esp_info->esp_ealg_keylen == key_len)
-		&&  esp_info->esp_aalg_id == aalg)
+		int i;
+		struct esp_info *esp_info;
+
+		if (alg_info)
 		{
-		    if (ealg_insecure)
-		    {
-			loglog(RC_LOG_SERIOUS
-			    , "You should NOT use insecure ESP algorithms [%s (%d)]!"
-			    , enum_name(&esp_transformid_names, ealg), key_len);
-		    }
-		    return TRUE;
+			ALG_INFO_ESP_FOREACH(alg_info, esp_info, i)
+			{
+				if (esp_info->esp_ealg_id == ealg
+				&& (esp_info->esp_ealg_keylen == 0 || key_len == 0
+					|| esp_info->esp_ealg_keylen == key_len)
+				&&  esp_info->esp_aalg_id == aalg)
+				{
+					if (ealg_insecure)
+					{
+						loglog(RC_LOG_SERIOUS
+							, "You should NOT use insecure ESP algorithms [%s (%d)]!"
+							, enum_name(&esp_transformid_names, ealg), key_len);
+					}
+					return TRUE;
+				}
+			}
 		}
-	    }
+		plog("IPSec Transform [%s (%d), %s] refused due to %s",
+				enum_name(&esp_transformid_names, ealg), key_len,
+				enum_name(&auth_alg_names, aalg),
+				ealg_insecure ? "insecure key_len and enc. alg. not listed in \"esp\" string" : "strict flag");
+		return FALSE;
 	}
-	plog("IPSec Transform [%s (%d), %s] refused due to %s",
-		enum_name(&esp_transformid_names, ealg), key_len,
-		enum_name(&auth_alg_names, aalg),
-		ealg_insecure ? "insecure key_len and enc. alg. not listed in \"esp\" string" : "strict flag");
-	return FALSE;
-    }
-    return TRUE;
+	return TRUE;
 }
-#endif /* NO_PLUTO */
 
-/*	
- *	Load kernel_alg arrays from /proc
- * 	used in manual mode from klips/utils/spi.c
+/**      
+ * Load kernel_alg arrays from /proc used in manual mode from klips/utils/spi.c
  */
-int
-kernel_alg_proc_read(void)
+int kernel_alg_proc_read(void)
 {
-    int satype;
-    int supp_exttype;
-    int alg_id, ivlen, minbits, maxbits;
-    struct sadb_alg sadb_alg;
-    int ret;
-    char buf[128];
+	int satype;
+	int supp_exttype;
+	int alg_id, ivlen, minbits, maxbits;
+	struct sadb_alg sadb_alg;
+	int ret;
+	char buf[128];
 
-    FILE *fp=fopen("/proc/net/pf_key_supported", "r");
+	FILE *fp=fopen("/proc/net/pf_key_supported", "r");
 
-    if (!fp)
-	return -1;
+	if (!fp)
+		return -1;
 
-    kernel_alg_init();
+	kernel_alg_init();
 
-    while (fgets(buf, sizeof(buf), fp))
-    {
-	if (buf[0] != ' ') /* skip titles */
-	    continue;
+	while (fgets(buf, sizeof(buf), fp))
+	{
+		if (buf[0] != ' ') /* skip titles */
+			continue;
 
-	sscanf(buf, "%d %d %d %d %d %d"
-		,&satype, &supp_exttype
-		, &alg_id, &ivlen
-		, &minbits, &maxbits);
+		sscanf(buf, "%d %d %d %d %d %d"
+				,&satype, &supp_exttype
+				, &alg_id, &ivlen
+				, &minbits, &maxbits);
 
-	switch (satype)
-	{
-	case SADB_SATYPE_ESP:
-	    switch(supp_exttype)
-	    {
-	    case SADB_EXT_SUPPORTED_AUTH:
-	    case SADB_EXT_SUPPORTED_ENCRYPT:
-		sadb_alg.sadb_alg_id = alg_id;
-		sadb_alg.sadb_alg_ivlen = ivlen;
-		sadb_alg.sadb_alg_minbits = minbits;
-		sadb_alg.sadb_alg_maxbits = maxbits;
-		ret = kernel_alg_add(satype, supp_exttype, &sadb_alg);
-		DBG(DBG_CRYPT,
-		    DBG_log("kernel_alg_proc_read() alg_id=%d, "
-			    "alg_ivlen=%d, alg_minbits=%d, alg_maxbits=%d, "
-			    "ret=%d"
-			    , sadb_alg.sadb_alg_id
-			    , sadb_alg.sadb_alg_ivlen
-			    , sadb_alg.sadb_alg_minbits
-			    , sadb_alg.sadb_alg_maxbits
-			    , ret)
-		)
-	    }
-	default:
-	    continue;
+		switch (satype)
+		{
+		case SADB_SATYPE_ESP:
+			switch(supp_exttype)
+			{
+			case SADB_EXT_SUPPORTED_AUTH:
+			case SADB_EXT_SUPPORTED_ENCRYPT:
+				sadb_alg.sadb_alg_id = alg_id;
+				sadb_alg.sadb_alg_ivlen = ivlen;
+				sadb_alg.sadb_alg_minbits = minbits;
+				sadb_alg.sadb_alg_maxbits = maxbits;
+				ret = kernel_alg_add(satype, supp_exttype, &sadb_alg);
+				DBG(DBG_CRYPT,
+					DBG_log("kernel_alg_proc_read() alg_id=%d, "
+							"alg_ivlen=%d, alg_minbits=%d, alg_maxbits=%d, "
+							"ret=%d"
+							, sadb_alg.sadb_alg_id
+							, sadb_alg.sadb_alg_ivlen
+							, sadb_alg.sadb_alg_minbits
+							, sadb_alg.sadb_alg_maxbits
+							, ret)
+				)
+			}
+		default:
+			continue;
+		}
 	}
-    }
-    fclose(fp);
-    return 0;
+	fclose(fp);
+	return 0;
 }
 
-/*	
- *	Load kernel_alg arrays pluto's SADB_REGISTER	
- * 	user by pluto/kernel.c
+/**     
+ * Load kernel_alg arrays pluto's SADB_REGISTER user by pluto/kernel.c
  */
-
-void
-kernel_alg_register_pfkey(const struct sadb_msg *msg_buf, int buflen)
+void kernel_alg_register_pfkey(const struct sadb_msg *msg_buf, int buflen)
 {
-    /* Trick: one 'type-mangle-able' pointer to ease offset/assign */
-    union {
-	const struct sadb_msg *msg;
-	const struct sadb_supported *supported;
-	const struct sadb_ext *ext;
-	const struct sadb_alg *alg;
-	const char *ch;
-    } sadb;
-
-    int satype;
-    int msglen;
-    int i = 0;
-
-    /* Initialize alg arrays */
-    kernel_alg_init();
-    satype = msg_buf->sadb_msg_satype;
-    sadb.msg = msg_buf;
-    msglen = sadb.msg->sadb_msg_len*IPSEC_PFKEYv2_ALIGN;
-    msglen -= sizeof(struct sadb_msg);
-    buflen -= sizeof(struct sadb_msg);
-    passert(buflen > 0);
-
-    sadb.msg++;
-
-    while(msglen)
-    {
-	int supp_exttype = sadb.supported->sadb_supported_exttype;
-	int supp_len = sadb.supported->sadb_supported_len*IPSEC_PFKEYv2_ALIGN;
-
-	DBG(DBG_KLIPS,
-	    DBG_log("kernel_alg_register_pfkey(): SADB_SATYPE_%s: "
-		    "sadb_msg_len=%d sadb_supported_len=%d"
-		    , satype==SADB_SATYPE_ESP? "ESP" : "AH"
-		    , msg_buf->sadb_msg_len, supp_len)
-	)
-	sadb.supported++;
-	msglen -= supp_len;
-	buflen -= supp_len;
-	passert(buflen >= 0);
-
-	for (supp_len -= sizeof(struct sadb_supported);
-	     supp_len;
-	     supp_len -= sizeof(struct sadb_alg), sadb.alg++,i++)
+	/* Trick: one 'type-mangle-able' pointer to ease offset/assign */
+	union {
+		const struct sadb_msg *msg;
+		const struct sadb_supported *supported;
+		const struct sadb_ext *ext;
+		const struct sadb_alg *alg;
+		const char *ch;
+	} sadb;
+
+	int satype;
+	int msglen;
+	int i = 0;
+
+	/* Initialize alg arrays */
+	kernel_alg_init();
+	satype = msg_buf->sadb_msg_satype;
+	sadb.msg = msg_buf;
+	msglen = sadb.msg->sadb_msg_len*IPSEC_PFKEYv2_ALIGN;
+	msglen -= sizeof(struct sadb_msg);
+	buflen -= sizeof(struct sadb_msg);
+	passert(buflen > 0);
+
+	sadb.msg++;
+
+	while(msglen)
 	{
-	    int ret = kernel_alg_add(satype, supp_exttype, sadb.alg);
-
-	    DBG(DBG_KLIPS,
-		DBG_log("kernel_alg_register_pfkey(): SADB_SATYPE_%s: "
-			"alg[%d], exttype=%d, satype=%d, alg_id=%d, "
-			"alg_ivlen=%d, alg_minbits=%d, alg_maxbits=%d, "
-			"res=%d, ret=%d"
-			, satype==SADB_SATYPE_ESP? "ESP" : "AH"
-			, i
-			, supp_exttype
-			, satype
-			, sadb.alg->sadb_alg_id
-			, sadb.alg->sadb_alg_ivlen
-			, sadb.alg->sadb_alg_minbits
-			, sadb.alg->sadb_alg_maxbits
-			, sadb.alg->sadb_alg_reserved
-			, ret)
-	    )
+		int supp_exttype = sadb.supported->sadb_supported_exttype;
+		int supp_len = sadb.supported->sadb_supported_len*IPSEC_PFKEYv2_ALIGN;
+
+		DBG(DBG_KLIPS,
+			DBG_log("kernel_alg_register_pfkey(): SADB_SATYPE_%s: "
+					"sadb_msg_len=%d sadb_supported_len=%d"
+					, satype==SADB_SATYPE_ESP? "ESP" : "AH"
+					, msg_buf->sadb_msg_len, supp_len)
+		)
+		sadb.supported++;
+		msglen -= supp_len;
+		buflen -= supp_len;
+		passert(buflen >= 0);
+
+		for (supp_len -= sizeof(struct sadb_supported);
+			 supp_len;
+			 supp_len -= sizeof(struct sadb_alg), sadb.alg++,i++)
+		{
+			int ret = kernel_alg_add(satype, supp_exttype, sadb.alg);
+
+			DBG(DBG_KLIPS,
+				DBG_log("kernel_alg_register_pfkey(): SADB_SATYPE_%s: "
+						"alg[%d], exttype=%d, satype=%d, alg_id=%d, "
+						"alg_ivlen=%d, alg_minbits=%d, alg_maxbits=%d, "
+						"res=%d, ret=%d"
+						, satype==SADB_SATYPE_ESP? "ESP" : "AH"
+						, i
+						, supp_exttype
+						, satype
+						, sadb.alg->sadb_alg_id
+						, sadb.alg->sadb_alg_ivlen
+						, sadb.alg->sadb_alg_minbits
+						, sadb.alg->sadb_alg_maxbits
+						, sadb.alg->sadb_alg_reserved
+						, ret)
+			)
+		}
 	}
-    }
 }
 
-u_int
-kernel_alg_esp_enc_keylen(u_int alg_id)
+u_int kernel_alg_esp_enc_keylen(u_int alg_id)
 {
-    u_int keylen = 0;
+	u_int keylen = 0;
 
-    if (!ESP_EALG_PRESENT(alg_id))
-	goto none;
+	if (!ESP_EALG_PRESENT(alg_id))
+		goto none;
 
-    keylen = esp_ealg[alg_id].sadb_alg_maxbits/BITS_PER_BYTE;
+	keylen = esp_ealg[alg_id].sadb_alg_maxbits/BITS_PER_BYTE;
 
-    switch (alg_id)
-    {
-	/*
-	 * this is veryUgly[TM]
-	 * Peer should have sent KEY_LENGTH attribute for ESP_AES
-	 * but if not do force it to 128 instead of using sadb_alg_maxbits
-	 * from kernel.
-	 */
-	case ESP_AES:
-	    keylen = 128/BITS_PER_BYTE;
-	    break;
-    }
-
-none:	
-    DBG(DBG_KLIPS,
-	DBG_log("kernel_alg_esp_enc_keylen():"
-		"alg_id=%d, keylen=%d",
-		alg_id, keylen)
-    )
-    return keylen;
+	switch (alg_id)
+	{
+		/*
+		 * this is veryUgly[TM]
+		 * Peer should have sent KEY_LENGTH attribute for ESP_AES
+		 * but if not do force it to 128 instead of using sadb_alg_maxbits
+		 * from kernel.
+		 */
+		case ESP_AES:
+			keylen = 128/BITS_PER_BYTE;
+			break;
+	}
+
+none:   
+	DBG(DBG_KLIPS,
+		DBG_log("kernel_alg_esp_enc_keylen():"
+				"alg_id=%d, keylen=%d",
+				alg_id, keylen)
+	)
+	return keylen;
 }
 
-struct sadb_alg *
-kernel_alg_esp_sadb_alg(u_int alg_id)
+struct sadb_alg* kernel_alg_esp_sadb_alg(u_int alg_id)
 {
-    struct sadb_alg *sadb_alg = (ESP_EALG_PRESENT(alg_id))
-		? &esp_ealg[alg_id] : NULL;
-
-    DBG(DBG_KLIPS,
-	DBG_log("kernel_alg_esp_sadb_alg(): alg_id=%d, sadb_alg=%p"
-		, alg_id, sadb_alg)
-    )
-    return sadb_alg;
+	struct sadb_alg *sadb_alg = (ESP_EALG_PRESENT(alg_id))
+				? &esp_ealg[alg_id] : NULL;
+
+	DBG(DBG_KLIPS,
+		DBG_log("kernel_alg_esp_sadb_alg(): alg_id=%d, sadb_alg=%p"
+				, alg_id, sadb_alg)
+	)
+	return sadb_alg;
 }
 
-#ifndef NO_PLUTO
 void kernel_alg_list(void)
 {
-    u_int sadb_id;
-
-    whack_log(RC_COMMENT, " ");
-    whack_log(RC_COMMENT, "List of registered ESP Encryption Algorithms:");
-    whack_log(RC_COMMENT, " ");
-
-    for (sadb_id = 1; sadb_id <= SADB_EALG_MAX; sadb_id++)
-    {
-	if (ESP_EALG_PRESENT(sadb_id))
+	char buf[BUF_LEN];
+	char *pos;
+	int n, len;
+	u_int sadb_id;
+
+	whack_log(RC_COMMENT, " ");
+	whack_log(RC_COMMENT, "List of registered ESP Algorithms:");
+	whack_log(RC_COMMENT, " ");
+
+	pos = buf;
+	*pos = '\0';
+	len = BUF_LEN;
+	for (sadb_id = 1; sadb_id <= SADB_EALG_MAX; sadb_id++)
 	{
-	    struct sadb_alg *alg_p = &esp_ealg[sadb_id];
-
-	    whack_log(RC_COMMENT, "#%-5d %s, blocksize: %d, keylen: %d-%d"
-		, sadb_id
-		, enum_name(&esp_transformid_names, sadb_id)
-		, alg_p->sadb_alg_ivlen
-		, alg_p->sadb_alg_minbits
-		, alg_p->sadb_alg_maxbits
-	    );
+		if (ESP_EALG_PRESENT(sadb_id))
+		{
+			n = snprintf(pos, len, " %s",
+						 enum_name(&esp_transformid_names, sadb_id));
+			pos += n;
+			len -= n;
+			if (len <= 0)
+			{
+				break;
+			}
+		}
 	}
-    }
-    
-    whack_log(RC_COMMENT, " ");
-    whack_log(RC_COMMENT, "List of registered ESP Authentication Algorithms:");
-    whack_log(RC_COMMENT, " ");
-
-    for (sadb_id = 1; sadb_id <= SADB_AALG_MAX; sadb_id++)
-    {
-	if (ESP_AALG_PRESENT(sadb_id))
+	whack_log(RC_COMMENT, "  encryption:%s", buf);
+	
+	pos = buf;
+	*pos = '\0';
+	len = BUF_LEN;
+	for (sadb_id = 1; sadb_id <= SADB_AALG_MAX; sadb_id++)
 	{
-	    u_int aaid = alg_info_esp_sadb2aa(sadb_id);
-	    struct sadb_alg *alg_p = &esp_aalg[sadb_id];
-
-	    whack_log(RC_COMMENT, "#%-5d %s, keylen: %d-%d"
-		, aaid
-		, enum_name(&auth_alg_names, aaid)
-		, alg_p->sadb_alg_minbits
-		, alg_p->sadb_alg_maxbits
-	    );
+		if (ESP_AALG_PRESENT(sadb_id))
+		{
+			u_int aaid = alg_info_esp_sadb2aa(sadb_id);
+
+			n = snprintf(pos, len, " %s", enum_name(&auth_alg_names, aaid));
+			pos += n;
+			len -= n;
+			if (len <= 0)
+			{
+				break;
+			}
+		}
 	}
-    }
+	whack_log(RC_COMMENT, "  integrity: %s", buf);
 }
 
-void
-kernel_alg_show_connection(struct connection *c, const char *instance)
+void kernel_alg_show_connection(struct connection *c, const char *instance)
 {
-    char buf[256];
-    struct state *st;
-
-    if (c->alg_info_esp)
-    {
-	alg_info_snprint(buf, sizeof(buf), (struct alg_info *)c->alg_info_esp);
-	whack_log(RC_COMMENT
-		, "\"%s\"%s:   ESP algorithms wanted: %s"
-		, c->name
-		, instance
-		, buf);
-    }
-    if (c->alg_info_esp)
-    {
-	alg_info_snprint_esp(buf, sizeof(buf), c->alg_info_esp);
-	whack_log(RC_COMMENT
-		, "\"%s\"%s:   ESP algorithms loaded: %s"
-		, c->name
-		, instance
-		, buf);
-    }
-    st = state_with_serialno(c->newest_ipsec_sa);
-    if (st && st->st_esp.present)
-	whack_log(RC_COMMENT
-		, "\"%s\"%s:   ESP algorithm newest: %s_%d-%s; pfsgroup=%s"
-		, c->name
-		, instance
-		, enum_show(&esp_transformid_names, st->st_esp.attrs.transid)
-		+4 /* strlen("ESP_") */
-		, st->st_esp.attrs.key_len
-		, enum_show(&auth_alg_names, st->st_esp.attrs.auth)+
-		+15 /* strlen("AUTH_ALGORITHM_") */
-		, c->policy & POLICY_PFS ?
-			c->alg_info_esp->esp_pfsgroup ?
-					enum_show(&oakley_group_names, 
-						c->alg_info_esp->esp_pfsgroup)
-						+13 /*strlen("OAKLEY_GROUP_")*/
-				: "<Phase1>"
-			: "<N/A>"
-	);
+	struct state *st = state_with_serialno(c->newest_ipsec_sa);
+
+	if (st && st->st_esp.present)
+	{
+		const char *aalg_name, *pfsgroup_name;
+
+		aalg_name = (c->policy & POLICY_AUTHENTICATE) ?
+					enum_show(&ah_transformid_names, st->st_ah.attrs.transid):
+					enum_show(&auth_alg_names, st->st_esp.attrs.auth);
+
+		pfsgroup_name = (c->policy & POLICY_PFS) ?
+						(c->alg_info_esp->esp_pfsgroup) ?
+							enum_show(&oakley_group_names, 
+										  c->alg_info_esp->esp_pfsgroup) :
+							"<Phase1>" : "<N/A>";
+
+		if (st->st_esp.attrs.key_len)
+		{
+			whack_log(RC_COMMENT, "\"%s\"%s:   ESP%s proposal: %s_%u/%s/%s",
+				c->name, instance,
+				(st->st_ah.present) ? "/AH" : "",
+				enum_show(&esp_transformid_names, st->st_esp.attrs.transid),
+				st->st_esp.attrs.key_len, aalg_name, pfsgroup_name);
+		}
+		else
+		{
+			whack_log(RC_COMMENT, "\"%s\"%s:   ESP%s proposal: %s/%s/%s",
+				c->name, instance,
+				(st->st_ah.present) ? "/AH" : "",
+				enum_show(&esp_transformid_names, st->st_esp.attrs.transid),
+				aalg_name, pfsgroup_name);
+		}
+	}
 }
-#endif /* NO_PLUTO */
 
-bool
-kernel_alg_esp_auth_ok(u_int auth,
-		struct alg_info_esp *alg_info __attribute__((unused)))
+bool kernel_alg_esp_auth_ok(u_int auth,
+					struct alg_info_esp *alg_info __attribute__((unused)))
 {
-    return ESP_AALG_PRESENT(alg_info_esp_aa2sadb(auth));
+	return ESP_AALG_PRESENT(alg_info_esp_aa2sadb(auth));
 }
 
-u_int
-kernel_alg_esp_auth_keylen(u_int auth)
+u_int kernel_alg_esp_auth_keylen(u_int auth)
 {
-    u_int sadb_aalg = alg_info_esp_aa2sadb(auth);
+	u_int sadb_aalg = alg_info_esp_aa2sadb(auth);
 
-    u_int a_keylen = (sadb_aalg)
-		   ? esp_aalg[sadb_aalg].sadb_alg_maxbits/BITS_PER_BYTE
-		   : 0;
+	u_int a_keylen = (sadb_aalg)
+				   ? esp_aalg[sadb_aalg].sadb_alg_maxbits/BITS_PER_BYTE
+				   : 0;
 
-    DBG(DBG_CONTROL | DBG_CRYPT | DBG_PARSING,
-	DBG_log("kernel_alg_esp_auth_keylen(auth=%d, sadb_aalg=%d): "
-		"a_keylen=%d", auth, sadb_aalg, a_keylen)
-    )
-    return a_keylen;
+	DBG(DBG_CONTROL | DBG_CRYPT | DBG_PARSING,
+		DBG_log("kernel_alg_esp_auth_keylen(auth=%d, sadb_aalg=%d): "
+				"a_keylen=%d", auth, sadb_aalg, a_keylen)
+	)
+	return a_keylen;
 }
 
-struct esp_info *
-kernel_alg_esp_info(int transid, int auth)
+struct esp_info* kernel_alg_esp_info(int transid, int auth)
 {
-    int sadb_aalg, sadb_ealg;
-    static struct esp_info ei_buf;
-
-    sadb_ealg = transid;
-    sadb_aalg = alg_info_esp_aa2sadb(auth);
-
-    if (!ESP_EALG_PRESENT(sadb_ealg))
-	goto none;
-    if (!ESP_AALG_PRESENT(sadb_aalg))
-	goto none;
-
-    memset(&ei_buf, 0, sizeof (ei_buf));
-    ei_buf.transid = transid;
-    ei_buf.auth = auth;
-
-    /* don't return "default" keylen because this value is used from
-     * setup_half_ipsec_sa() to "validate" keylen
-     * In effect,  enckeylen will be used as "max" value
-     */
-    ei_buf.enckeylen = esp_ealg[sadb_ealg].sadb_alg_maxbits/BITS_PER_BYTE;
-    ei_buf.authkeylen = esp_aalg[sadb_aalg].sadb_alg_maxbits/BITS_PER_BYTE;
-    ei_buf.encryptalg = sadb_ealg;
-    ei_buf.authalg = sadb_aalg;
-
-    DBG(DBG_PARSING,
-	DBG_log("kernel_alg_esp_info():"
-		"transid=%d, auth=%d, ei=%p, "
-		"enckeylen=%d, authkeylen=%d, encryptalg=%d, authalg=%d",
-		transid, auth, &ei_buf,
-		(int)ei_buf.enckeylen, (int)ei_buf.authkeylen,
-		ei_buf.encryptalg, ei_buf.authalg)
-    )
-    return &ei_buf;
+	int sadb_aalg, sadb_ealg;
+	static struct esp_info ei_buf;
+
+	sadb_ealg = transid;
+	sadb_aalg = alg_info_esp_aa2sadb(auth);
+
+	if (!ESP_EALG_PRESENT(sadb_ealg))
+		goto none;
+	if (!ESP_AALG_PRESENT(sadb_aalg))
+		goto none;
+
+	memset(&ei_buf, 0, sizeof (ei_buf));
+	ei_buf.transid = transid;
+	ei_buf.auth = auth;
+
+	/* don't return "default" keylen because this value is used from
+	 * setup_half_ipsec_sa() to "validate" keylen
+	 * In effect,  enckeylen will be used as "max" value
+	 */
+	ei_buf.enckeylen = esp_ealg[sadb_ealg].sadb_alg_maxbits/BITS_PER_BYTE;
+	ei_buf.authkeylen = esp_aalg[sadb_aalg].sadb_alg_maxbits/BITS_PER_BYTE;
+	ei_buf.encryptalg = sadb_ealg;
+	ei_buf.authalg = sadb_aalg;
+
+	DBG(DBG_PARSING,
+		DBG_log("kernel_alg_esp_info():"
+				"transid=%d, auth=%d, ei=%p, "
+				"enckeylen=%d, authkeylen=%d, encryptalg=%d, authalg=%d",
+				transid, auth, &ei_buf,
+				(int)ei_buf.enckeylen, (int)ei_buf.authkeylen,
+				ei_buf.encryptalg, ei_buf.authalg)
+	)
+	return &ei_buf;
 
 none:
-    DBG(DBG_PARSING,
-	DBG_log("kernel_alg_esp_info():"
-		"transid=%d, auth=%d, ei=NULL",
-		transid, auth)
-    )
-    return NULL;
+	DBG(DBG_PARSING,
+		DBG_log("kernel_alg_esp_info():"
+				"transid=%d, auth=%d, ei=NULL",
+				transid, auth)
+	)
+	return NULL;
 }
 
-#ifndef NO_PLUTO
-static void
-kernel_alg_policy_algorithms(struct esp_info *esp_info)
+static void kernel_alg_policy_algorithms(struct esp_info *esp_info)
 {
-    u_int ealg_id = esp_info->esp_ealg_id;
-
-    switch(ealg_id)
-    {
-    case 0:
-    case ESP_DES:
-    case ESP_3DES:
-    case ESP_NULL:
-    case ESP_CAST:
-            break;
-    default:
-	if (!esp_info->esp_ealg_keylen)
+	u_int ealg_id = esp_info->esp_ealg_id;
+
+	switch(ealg_id)
 	{
-	    /* algos that need  KEY_LENGTH
-	     *
-	     * Note: this is a very dirty hack ;-)
-	     * Idea: Add a key_length_needed attribute to
-	     * esp_ealg ??
-	     */
-	    esp_info->esp_ealg_keylen = esp_ealg[ealg_id].sadb_alg_maxbits;
+	case 0:
+	case ESP_DES:
+	case ESP_3DES:
+	case ESP_NULL:
+	case ESP_CAST:
+			break;
+	default:
+		if (!esp_info->esp_ealg_keylen)
+		{
+			/* algos that need  KEY_LENGTH
+			 *
+			 * Note: this is a very dirty hack ;-)
+			 * Idea: Add a key_length_needed attribute to
+			 * esp_ealg ??
+			 */
+			esp_info->esp_ealg_keylen = esp_ealg[ealg_id].sadb_alg_maxbits;
+		}
 	}
-    }
 }
 
-static bool 
-kernel_alg_db_add(struct db_context *db_ctx, struct esp_info *esp_info, lset_t policy)
+static bool kernel_alg_db_add(struct db_context *db_ctx,
+							  struct esp_info *esp_info, lset_t policy)
 {
-    u_int ealg_id, aalg_id;
-
-    ealg_id = esp_info->esp_ealg_id;
+	u_int ealg_id, aalg_id;
 
-    if (!ESP_EALG_PRESENT(ealg_id))
-    {
-	DBG_log("kernel_alg_db_add() kernel enc ealg_id=%d not present", ealg_id);
-	return FALSE;
-    }
-    
-    if (!(policy & POLICY_AUTHENTICATE))    /* skip ESP auth attrs for AH */
-    {
-	aalg_id = alg_info_esp_aa2sadb(esp_info->esp_aalg_id);
+	ealg_id = esp_info->esp_ealg_id;
 
-	if (!ESP_AALG_PRESENT(aalg_id))
+	if (!ESP_EALG_PRESENT(ealg_id))
 	{
-	    DBG_log("kernel_alg_db_add() kernel auth "
-		    "aalg_id=%d not present", aalg_id);
-	    return FALSE;
+		DBG_log("kernel_alg_db_add() kernel enc ealg_id=%d not present", ealg_id);
+		return FALSE;
 	}
-    }
+	
+	if (!(policy & POLICY_AUTHENTICATE))    /* skip ESP auth attrs for AH */
+	{
+		aalg_id = alg_info_esp_aa2sadb(esp_info->esp_aalg_id);
 
-    /* do algo policy */
-    kernel_alg_policy_algorithms(esp_info);
+		if (!ESP_AALG_PRESENT(aalg_id))
+		{
+			DBG_log("kernel_alg_db_add() kernel auth "
+					"aalg_id=%d not present", aalg_id);
+			return FALSE;
+		}
+	}
 
-    /*	open new transformation */
-    db_trans_add(db_ctx, ealg_id);
+	/* do algo policy */
+	kernel_alg_policy_algorithms(esp_info);
 
-    /* add ESP auth attr */
-    if (!(policy & POLICY_AUTHENTICATE))
-	db_attr_add_values(db_ctx, AUTH_ALGORITHM, esp_info->esp_aalg_id);
+	/*  open new transformation */
+	db_trans_add(db_ctx, ealg_id);
 
-    /* add keylegth if specified in esp= string */
-    if (esp_info->esp_ealg_keylen)
-	db_attr_add_values(db_ctx, KEY_LENGTH, esp_info->esp_ealg_keylen);
-	
-    return TRUE;
+	/* add ESP auth attr */
+	if (!(policy & POLICY_AUTHENTICATE))
+		db_attr_add_values(db_ctx, AUTH_ALGORITHM, esp_info->esp_aalg_id);
+
+	/* add keylegth if specified in esp= string */
+	if (esp_info->esp_ealg_keylen)
+		db_attr_add_values(db_ctx, KEY_LENGTH, esp_info->esp_ealg_keylen);
+		
+	return TRUE;
 }
 
-/*	
- *	Create proposal with runtime kernel algos, merging
- *	with passed proposal if not NULL
+/*      
+ *      Create proposal with runtime kernel algos, merging
+ *      with passed proposal if not NULL
  *
- *	for now this function does free() previous returned
- *	malloced pointer (this quirk allows easier spdb.c change)
+ *      for now this function does free() previous returned
+ *      malloced pointer (this quirk allows easier spdb.c change)
  */
-struct db_context * 
-kernel_alg_db_new(struct alg_info_esp *alg_info, lset_t policy )
+struct db_context* kernel_alg_db_new(struct alg_info_esp *alg_info,
+									 lset_t policy )
 {
-    const struct esp_info *esp_info;
-    struct esp_info tmp_esp_info;
-    struct db_context *ctx_new=NULL;
-    struct db_trans *t;
-    struct db_prop  *prop;
-    u_int trans_cnt;
-    int tn = 0;
-
-    if (!(policy & POLICY_ENCRYPT))	/* not possible, I think  */
-	return NULL;
+	const struct esp_info *esp_info;
+	struct esp_info tmp_esp_info;
+	struct db_context *ctx_new = NULL;
+	struct db_prop  *prop;
+	u_int trans_cnt = esp_ealg_num * esp_aalg_num;
 
-    trans_cnt = esp_ealg_num * esp_aalg_num;
-    DBG(DBG_EMITTING,
-	DBG_log("kernel_alg_db_prop_new() initial trans_cnt=%d"
-		, trans_cnt)
-    )
-
-    /* pass aprox. number of transforms and attributes */
-    ctx_new = db_prop_new(PROTO_IPSEC_ESP, trans_cnt, trans_cnt * 2);
+	if (!(policy & POLICY_ENCRYPT))     /* not possible, I think  */
+	{
+		return NULL;
+	}
 
-    /*
-     * Loop: for each element (struct esp_info) of alg_info,
-     *       if kernel support is present then build the transform (and attrs)
-     *       if NULL alg_info, propose everything ...
-     */
+	/* pass aprox. number of transforms and attributes */
+	ctx_new = db_prop_new(PROTO_IPSEC_ESP, trans_cnt, trans_cnt * 2);
 
-    if (alg_info)
-    {
-	int i;
+	/*
+	 * Loop: for each element (struct esp_info) of alg_info,
+	 *       if kernel support is present then build the transform (and attrs)
+	 *       if NULL alg_info, propose everything ...
+	 */
 
-	ALG_INFO_ESP_FOREACH(alg_info, esp_info, i)
+	if (alg_info)
 	{
-	    tmp_esp_info = *esp_info;
-	    kernel_alg_db_add(ctx_new, &tmp_esp_info, policy);
+		int i;
+
+		ALG_INFO_ESP_FOREACH(alg_info, esp_info, i)
+		{
+			tmp_esp_info = *esp_info;
+			kernel_alg_db_add(ctx_new, &tmp_esp_info, policy);
+		}
 	}
-    }
-    else
-    {
-	u_int ealg_id;
-	
-	ESP_EALG_FOR_EACH_UPDOWN(ealg_id)
+	else
 	{
-	    u_int aalg_id;
-
-	    tmp_esp_info.esp_ealg_id = ealg_id;
-	    tmp_esp_info.esp_ealg_keylen = 0;
-
-	    for (aalg_id = 1; aalg_id <= SADB_AALG_MAX; aalg_id++)
-	    {
-		if (ESP_AALG_PRESENT(aalg_id))
+		u_int ealg_id;
+		
+		ESP_EALG_FOR_EACH_UPDOWN(ealg_id)
 		{
-		    tmp_esp_info.esp_aalg_id = alg_info_esp_sadb2aa(aalg_id);
-		    tmp_esp_info.esp_aalg_keylen = 0;
-		    kernel_alg_db_add(ctx_new, &tmp_esp_info, policy);
+			u_int aalg_id;
+
+			tmp_esp_info.esp_ealg_id = ealg_id;
+			tmp_esp_info.esp_ealg_keylen = 0;
+
+			for (aalg_id = 1; aalg_id <= SADB_AALG_MAX; aalg_id++)
+			{
+				if (ESP_AALG_PRESENT(aalg_id))
+				{
+					tmp_esp_info.esp_aalg_id = alg_info_esp_sadb2aa(aalg_id);
+					tmp_esp_info.esp_aalg_keylen = 0;
+					kernel_alg_db_add(ctx_new, &tmp_esp_info, policy);
+				}
+			}
 		}
-	    }
 	}
-    }
-
-    prop = db_prop_get(ctx_new);
-
-    DBG(DBG_CONTROL|DBG_EMITTING,
-	DBG_log("kernel_alg_db_prop_new() "
-		"will return p_new->protoid=%d, p_new->trans_cnt=%d"
-		, prop->protoid, prop->trans_cnt)
-    )
-
-    for (t = prop->trans, tn = 0; tn < prop->trans_cnt; tn++)
-    {
-	DBG(DBG_CONTROL|DBG_EMITTING,
-	    DBG_log("kernel_alg_db_prop_new() "
-		    "    trans[%d]: transid=%d, attr_cnt=%d, "
-		    "attrs[0].type=%d, attrs[0].val=%d"
-		    , tn
-		    , t[tn].transid, t[tn].attr_cnt
-		    , t[tn].attrs[0].type, t[tn].attrs[0].val)
-	)
-    }
-    return ctx_new;
+	prop = db_prop_get(ctx_new);
+	return ctx_new;
 }
-#endif /* NO_PLUTO */
+
diff --git a/src/pluto/kernel_alg.h b/src/pluto/kernel_alg.h
index 14c2664aa..5ce8c3003 100644
--- a/src/pluto/kernel_alg.h
+++ b/src/pluto/kernel_alg.h
@@ -10,8 +10,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: kernel_alg.h 3252 2007-10-06 21:24:50Z andreas $
  */
 
 #ifndef _KERNEL_ALG_H
diff --git a/src/pluto/kernel_netlink.c b/src/pluto/kernel_netlink.c
index 4269de66e..b4b4774c7 100644
--- a/src/pluto/kernel_netlink.c
+++ b/src/pluto/kernel_netlink.c
@@ -10,8 +10,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: kernel_netlink.c 3850 2008-04-18 20:01:49Z andreas $
  */
 
 #if defined(linux) && defined(KERNEL26_SUPPORT)
@@ -39,7 +37,7 @@
 #include "kernel_netlink.h"
 #include "kernel_pfkey.h"
 #include "log.h"
-#include "whack.h"	/* for RC_LOG_SERIOUS */
+#include "whack.h"      /* for RC_LOG_SERIOUS */
 #include "kernel_alg.h"
 
 /* Minimum priority number in SPD used by pluto. */
@@ -48,72 +46,72 @@
 static int netlinkfd = NULL_FD;
 static int netlink_bcast_fd = NULL_FD;
 
-#define NE(x) { x, #x }	/* Name Entry -- shorthand for sparse_names */
+#define NE(x) { x, #x } /* Name Entry -- shorthand for sparse_names */
 
 static sparse_names xfrm_type_names = {
-	NE(NLMSG_NOOP),
-	NE(NLMSG_ERROR),
-	NE(NLMSG_DONE),
-	NE(NLMSG_OVERRUN),
+		NE(NLMSG_NOOP),
+		NE(NLMSG_ERROR),
+		NE(NLMSG_DONE),
+		NE(NLMSG_OVERRUN),
 
-	NE(XFRM_MSG_NEWSA),
-	NE(XFRM_MSG_DELSA),
-	NE(XFRM_MSG_GETSA),
+		NE(XFRM_MSG_NEWSA),
+		NE(XFRM_MSG_DELSA),
+		NE(XFRM_MSG_GETSA),
 
-	NE(XFRM_MSG_NEWPOLICY),
-	NE(XFRM_MSG_DELPOLICY),
-	NE(XFRM_MSG_GETPOLICY),
+		NE(XFRM_MSG_NEWPOLICY),
+		NE(XFRM_MSG_DELPOLICY),
+		NE(XFRM_MSG_GETPOLICY),
 
-	NE(XFRM_MSG_ALLOCSPI),
-	NE(XFRM_MSG_ACQUIRE),
-	NE(XFRM_MSG_EXPIRE),
+		NE(XFRM_MSG_ALLOCSPI),
+		NE(XFRM_MSG_ACQUIRE),
+		NE(XFRM_MSG_EXPIRE),
 
-	NE(XFRM_MSG_UPDPOLICY),
-	NE(XFRM_MSG_UPDSA),
+		NE(XFRM_MSG_UPDPOLICY),
+		NE(XFRM_MSG_UPDSA),
 
-	NE(XFRM_MSG_POLEXPIRE),
+		NE(XFRM_MSG_POLEXPIRE),
 
-	NE(XFRM_MSG_MAX),
+		NE(XFRM_MSG_MAX),
 
-	{ 0, sparse_end }
+		{ 0, sparse_end }
 };
 
 #undef NE
 
 /* Authentication algorithms */
 static sparse_names aalg_list = {
-	{ SADB_X_AALG_NULL, "digest_null" },
-	{ SADB_AALG_MD5HMAC, "md5" },
-	{ SADB_AALG_SHA1HMAC, "sha1" },
-	{ SADB_X_AALG_SHA2_256HMAC, "sha256" },
-	{ SADB_X_AALG_SHA2_384HMAC, "sha384" },
-	{ SADB_X_AALG_SHA2_512HMAC, "sha512" },
-	{ SADB_X_AALG_RIPEMD160HMAC, "ripemd160" },
-	{ SADB_X_AALG_AES_XCBC_MAC, "xcbc(aes)"},
-	{ SADB_X_AALG_NULL, "null" },
-	{ 0, sparse_end }
+		{ SADB_X_AALG_NULL, "digest_null" },
+		{ SADB_AALG_MD5HMAC, "md5" },
+		{ SADB_AALG_SHA1HMAC, "sha1" },
+		{ SADB_X_AALG_SHA2_256HMAC, "sha256" },
+		{ SADB_X_AALG_SHA2_384HMAC, "sha384" },
+		{ SADB_X_AALG_SHA2_512HMAC, "sha512" },
+		{ SADB_X_AALG_RIPEMD160HMAC, "ripemd160" },
+		{ SADB_X_AALG_AES_XCBC_MAC, "xcbc(aes)"},
+		{ SADB_X_AALG_NULL, "null" },
+		{ 0, sparse_end }
 };
 
 /* Encryption algorithms */
 static sparse_names ealg_list = {
-	{ SADB_EALG_NULL, "cipher_null" },
-	{ SADB_EALG_DESCBC, "des" },
-	{ SADB_EALG_3DESCBC, "des3_ede" },
-	{ SADB_X_EALG_CASTCBC, "cast128" },
-	{ SADB_X_EALG_BLOWFISHCBC, "blowfish" },
-	{ SADB_X_EALG_AESCBC, "aes" },
-	{ SADB_X_EALG_CAMELLIACBC, "cbc(camellia)" },
-	{ SADB_X_EALG_SERPENTCBC, "serpent" },
-	{ SADB_X_EALG_TWOFISHCBC, "twofish" },
-	{ 0, sparse_end }
+		{ SADB_EALG_NULL, "cipher_null" },
+		{ SADB_EALG_DESCBC, "des" },
+		{ SADB_EALG_3DESCBC, "des3_ede" },
+		{ SADB_X_EALG_CASTCBC, "cast128" },
+		{ SADB_X_EALG_BLOWFISHCBC, "blowfish" },
+		{ SADB_X_EALG_AESCBC, "aes" },
+		{ SADB_X_EALG_CAMELLIACBC, "cbc(camellia)" },
+		{ SADB_X_EALG_SERPENTCBC, "serpent" },
+		{ SADB_X_EALG_TWOFISHCBC, "twofish" },
+		{ 0, sparse_end }
 };
 
 /* Compression algorithms */
 static sparse_names calg_list = {
-	{ SADB_X_CALG_DEFLATE, "deflate" },
-	{ SADB_X_CALG_LZS, "lzs" },
-	{ SADB_X_CALG_LZJH, "lzjh" },
-	{ 0, sparse_end }
+		{ SADB_X_CALG_DEFLATE, "deflate" },
+		{ SADB_X_CALG_LZS, "lzs" },
+		{ SADB_X_CALG_LZJH, "lzjh" },
+		{ 0, sparse_end }
 };
 
 /** ip2xfrm - Take an IP address and convert to an xfrm.
@@ -124,14 +122,14 @@ static sparse_names calg_list = {
 static void
 ip2xfrm(const ip_address *addr, xfrm_address_t *xaddr)
 {
-    if (addr->u.v4.sin_family == AF_INET)
-    {
-	xaddr->a4 = addr->u.v4.sin_addr.s_addr;
-    }
-    else
-    {
-	memcpy(xaddr->a6, &addr->u.v6.sin6_addr, sizeof(xaddr->a6));
-    }
+	if (addr->u.v4.sin_family == AF_INET)
+	{
+		xaddr->a4 = addr->u.v4.sin_addr.s_addr;
+	}
+	else
+	{
+		memcpy(xaddr->a6, &addr->u.v6.sin6_addr, sizeof(xaddr->a6));
+	}
 }
 
 /** init_netlink - Initialize the netlink inferface.  Opens the sockets and
@@ -140,32 +138,32 @@ ip2xfrm(const ip_address *addr, xfrm_address_t *xaddr)
 static void
 init_netlink(void)
 {
-    struct sockaddr_nl addr;
+	struct sockaddr_nl addr;
 
-    netlinkfd = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_XFRM);
+	netlinkfd = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_XFRM);
 
-    if (netlinkfd < 0)
-	exit_log_errno((e, "socket() in init_netlink()"));
+	if (netlinkfd < 0)
+		exit_log_errno((e, "socket() in init_netlink()"));
 
-    if (fcntl(netlinkfd, F_SETFD, FD_CLOEXEC) != 0)
-	exit_log_errno((e, "fcntl(FD_CLOEXEC) in init_netlink()"));
+	if (fcntl(netlinkfd, F_SETFD, FD_CLOEXEC) != 0)
+		exit_log_errno((e, "fcntl(FD_CLOEXEC) in init_netlink()"));
 
-    netlink_bcast_fd = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_XFRM);
+	netlink_bcast_fd = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_XFRM);
 
-    if (netlink_bcast_fd < 0)
-	exit_log_errno((e, "socket() for bcast in init_netlink()"));
+	if (netlink_bcast_fd < 0)
+		exit_log_errno((e, "socket() for bcast in init_netlink()"));
 
-    if (fcntl(netlink_bcast_fd, F_SETFD, FD_CLOEXEC) != 0)
-	exit_log_errno((e, "fcntl(FD_CLOEXEC) for bcast in init_netlink()"));
+	if (fcntl(netlink_bcast_fd, F_SETFD, FD_CLOEXEC) != 0)
+		exit_log_errno((e, "fcntl(FD_CLOEXEC) for bcast in init_netlink()"));
 
-    if (fcntl(netlink_bcast_fd, F_SETFL, O_NONBLOCK) != 0)
-	exit_log_errno((e, "fcntl(O_NONBLOCK) for bcast in init_netlink()"));
+	if (fcntl(netlink_bcast_fd, F_SETFL, O_NONBLOCK) != 0)
+		exit_log_errno((e, "fcntl(O_NONBLOCK) for bcast in init_netlink()"));
 
-    addr.nl_family = AF_NETLINK;
-    addr.nl_pid = getpid();
-    addr.nl_groups = XFRMGRP_ACQUIRE | XFRMGRP_EXPIRE;
-    if (bind(netlink_bcast_fd, (struct sockaddr *)&addr, sizeof(addr)) != 0)
-	exit_log_errno((e, "Failed to bind bcast socket in init_netlink()"));
+	addr.nl_family = AF_NETLINK;
+	addr.nl_pid = getpid();
+	addr.nl_groups = XFRMGRP_ACQUIRE | XFRMGRP_EXPIRE;
+	if (bind(netlink_bcast_fd, (struct sockaddr *)&addr, sizeof(addr)) != 0)
+		exit_log_errno((e, "Failed to bind bcast socket in init_netlink()"));
 }
 
 /** send_netlink_msg
@@ -182,139 +180,139 @@ static bool
 send_netlink_msg(struct nlmsghdr *hdr, struct nlmsghdr *rbuf, size_t rbuf_len
 , const char *description, const char *text_said)
 {
-    struct {
-	struct nlmsghdr n;
-	struct nlmsgerr e;
-	char data[1024];
-    } rsp;
-
-    size_t len;
-    ssize_t r;
-    struct sockaddr_nl addr;
-    static uint32_t seq;
-
-    if (no_klips)
-    {
-	return TRUE;
-    }
-
-    hdr->nlmsg_seq = ++seq;
-    len = hdr->nlmsg_len;
-    do {
-	r = write(netlinkfd, hdr, len);
-    } while (r < 0 && errno == EINTR);
-    if (r < 0)
-    {
-	log_errno((e
-	    , "netlink write() of %s message"
-	      " for %s %s failed"
-	    , sparse_val_show(xfrm_type_names, hdr->nlmsg_type)
-	    , description, text_said));
-	return FALSE;
-    }
-    else if ((size_t)r != len)
-    {
-	loglog(RC_LOG_SERIOUS
-	    , "ERROR: netlink write() of %s message"
-	      " for %s %s truncated: %ld instead of %lu"
-	    , sparse_val_show(xfrm_type_names, hdr->nlmsg_type)
-	    , description, text_said
-	    , (long)r, (unsigned long)len);
-	return FALSE;
-    }
-
-    for (;;) {
-	socklen_t alen;
+	struct {
+		struct nlmsghdr n;
+		struct nlmsgerr e;
+		char data[1024];
+	} rsp;
+
+	size_t len;
+	ssize_t r;
+	struct sockaddr_nl addr;
+	static uint32_t seq;
+
+	if (no_klips)
+	{
+		return TRUE;
+	}
 
-	alen = sizeof(addr);
-	r = recvfrom(netlinkfd, &rsp, sizeof(rsp), 0
-	    , (struct sockaddr *)&addr, &alen);
+	hdr->nlmsg_seq = ++seq;
+	len = hdr->nlmsg_len;
+	do {
+		r = write(netlinkfd, hdr, len);
+	} while (r < 0 && errno == EINTR);
 	if (r < 0)
 	{
-	    if (errno == EINTR)
-	    {
-		continue;
-	    }
-	    log_errno((e
-		, "netlink recvfrom() of response to our %s message"
-		  " for %s %s failed"
-		, sparse_val_show(xfrm_type_names, hdr->nlmsg_type)
-		, description, text_said));
-	    return FALSE;
+		log_errno((e
+			, "netlink write() of %s message"
+			  " for %s %s failed"
+			, sparse_val_show(xfrm_type_names, hdr->nlmsg_type)
+			, description, text_said));
+		return FALSE;
 	}
-	else if ((size_t) r < sizeof(rsp.n))
+	else if ((size_t)r != len)
 	{
-	    plog("netlink read truncated message: %ld bytes; ignore message"
-		, (long) r);
-	    continue;
+		loglog(RC_LOG_SERIOUS
+			, "ERROR: netlink write() of %s message"
+			  " for %s %s truncated: %ld instead of %lu"
+			, sparse_val_show(xfrm_type_names, hdr->nlmsg_type)
+			, description, text_said
+			, (long)r, (unsigned long)len);
+		return FALSE;
 	}
-	else if (addr.nl_pid != 0)
+
+	for (;;) {
+		socklen_t alen;
+
+		alen = sizeof(addr);
+		r = recvfrom(netlinkfd, &rsp, sizeof(rsp), 0
+			, (struct sockaddr *)&addr, &alen);
+		if (r < 0)
+		{
+			if (errno == EINTR)
+			{
+				continue;
+			}
+			log_errno((e
+				, "netlink recvfrom() of response to our %s message"
+				  " for %s %s failed"
+				, sparse_val_show(xfrm_type_names, hdr->nlmsg_type)
+				, description, text_said));
+			return FALSE;
+		}
+		else if ((size_t) r < sizeof(rsp.n))
+		{
+			plog("netlink read truncated message: %ld bytes; ignore message"
+				, (long) r);
+			continue;
+		}
+		else if (addr.nl_pid != 0)
+		{
+			/* not for us: ignore */
+			DBG(DBG_KLIPS,
+				DBG_log("netlink: ignoring %s message from process %u"
+					, sparse_val_show(xfrm_type_names, rsp.n.nlmsg_type)
+					, addr.nl_pid));
+			continue;
+		}
+		else if (rsp.n.nlmsg_seq != seq)
+		{
+			DBG(DBG_KLIPS,
+				DBG_log("netlink: ignoring out of sequence (%u/%u) message %s"
+					, rsp.n.nlmsg_seq, seq
+					, sparse_val_show(xfrm_type_names, rsp.n.nlmsg_type)));
+			continue;
+		}
+		break;
+	}
+
+	if (rsp.n.nlmsg_len > (size_t) r)
 	{
-	    /* not for us: ignore */
-	    DBG(DBG_KLIPS,
-		DBG_log("netlink: ignoring %s message from process %u"
-		    , sparse_val_show(xfrm_type_names, rsp.n.nlmsg_type)
-		    , addr.nl_pid));
-	    continue;
+		loglog(RC_LOG_SERIOUS
+			, "netlink recvfrom() of response to our %s message"
+			  " for %s %s was truncated: %ld instead of %lu"
+			, sparse_val_show(xfrm_type_names, hdr->nlmsg_type)
+			, description, text_said
+			, (long) len, (unsigned long) rsp.n.nlmsg_len);
+		return FALSE;
 	}
-	else if (rsp.n.nlmsg_seq != seq)
+	else if (rsp.n.nlmsg_type != NLMSG_ERROR
+	&& (rbuf && rsp.n.nlmsg_type != rbuf->nlmsg_type))
 	{
-	    DBG(DBG_KLIPS,
-		DBG_log("netlink: ignoring out of sequence (%u/%u) message %s"
-		    , rsp.n.nlmsg_seq, seq
-		    , sparse_val_show(xfrm_type_names, rsp.n.nlmsg_type)));
-	    continue;
+		loglog(RC_LOG_SERIOUS
+			, "netlink recvfrom() of response to our %s message"
+			  " for %s %s was of wrong type (%s)"
+			, sparse_val_show(xfrm_type_names, hdr->nlmsg_type)
+			, description, text_said
+			, sparse_val_show(xfrm_type_names, rsp.n.nlmsg_type));
+		return FALSE;
 	}
-	break;
-    }
-
-    if (rsp.n.nlmsg_len > (size_t) r)
-    {
-	loglog(RC_LOG_SERIOUS
-	    , "netlink recvfrom() of response to our %s message"
-	      " for %s %s was truncated: %ld instead of %lu"
-	    , sparse_val_show(xfrm_type_names, hdr->nlmsg_type)
-	    , description, text_said
-	    , (long) len, (unsigned long) rsp.n.nlmsg_len);
-	return FALSE;
-    }
-    else if (rsp.n.nlmsg_type != NLMSG_ERROR
-    && (rbuf && rsp.n.nlmsg_type != rbuf->nlmsg_type))
-    {
-	loglog(RC_LOG_SERIOUS
-	    , "netlink recvfrom() of response to our %s message"
-	      " for %s %s was of wrong type (%s)"
-	    , sparse_val_show(xfrm_type_names, hdr->nlmsg_type)
-	    , description, text_said
-	    , sparse_val_show(xfrm_type_names, rsp.n.nlmsg_type));
-	return FALSE;
-    }
-    else if (rbuf)
-    {
-	if ((size_t) r > rbuf_len)
+	else if (rbuf)
 	{
-	    loglog(RC_LOG_SERIOUS
-		, "netlink recvfrom() of response to our %s message"
-		  " for %s %s was too long: %ld > %lu"
-		, sparse_val_show(xfrm_type_names, hdr->nlmsg_type)
-		, description, text_said
-		, (long)r, (unsigned long)rbuf_len);
-	    return FALSE;
+		if ((size_t) r > rbuf_len)
+		{
+			loglog(RC_LOG_SERIOUS
+				, "netlink recvfrom() of response to our %s message"
+				  " for %s %s was too long: %ld > %lu"
+				, sparse_val_show(xfrm_type_names, hdr->nlmsg_type)
+				, description, text_said
+				, (long)r, (unsigned long)rbuf_len);
+			return FALSE;
+		}
+		memcpy(rbuf, &rsp, r);
+		return TRUE;
+	}
+	else if (rsp.n.nlmsg_type == NLMSG_ERROR && rsp.e.error)
+	{
+		loglog(RC_LOG_SERIOUS
+			, "ERROR: netlink response for %s %s included errno %d: %s"
+			, description, text_said
+			, -rsp.e.error
+			, strerror(-rsp.e.error));
+		return FALSE;
 	}
-	memcpy(rbuf, &rsp, r);
-	return TRUE;
-    }
-    else if (rsp.n.nlmsg_type == NLMSG_ERROR && rsp.e.error)
-    {
-	loglog(RC_LOG_SERIOUS
-	    , "ERROR: netlink response for %s %s included errno %d: %s"
-	    , description, text_said
-	    , -rsp.e.error
-	    , strerror(-rsp.e.error));
-	return FALSE;
-    }
 
-    return TRUE;
+	return TRUE;
 }
 
 /** netlink_policy -
@@ -327,36 +325,36 @@ send_netlink_msg(struct nlmsghdr *hdr, struct nlmsghdr *rbuf, size_t rbuf_len
 static bool
 netlink_policy(struct nlmsghdr *hdr, bool enoent_ok, const char *text_said)
 {
-    struct {
-	struct nlmsghdr n;
-	struct nlmsgerr e;
-    } rsp;
-    int error;
-
-    rsp.n.nlmsg_type = NLMSG_ERROR;
-    if (!send_netlink_msg(hdr, &rsp.n, sizeof(rsp), "policy", text_said))
-    {
-	return FALSE;
-    }
+	struct {
+		struct nlmsghdr n;
+		struct nlmsgerr e;
+	} rsp;
+	int error;
+
+	rsp.n.nlmsg_type = NLMSG_ERROR;
+	if (!send_netlink_msg(hdr, &rsp.n, sizeof(rsp), "policy", text_said))
+	{
+		return FALSE;
+	}
 
-    error = -rsp.e.error;
-    if (!error)
-    {
-	return TRUE;
-    }
+	error = -rsp.e.error;
+	if (!error)
+	{
+		return TRUE;
+	}
 
-    if (error == ENOENT && enoent_ok)
-    {
-	return TRUE;
-    }
-
-    loglog(RC_LOG_SERIOUS
-	, "ERROR: netlink %s response for flow %s included errno %d: %s"
-	, sparse_val_show(xfrm_type_names, hdr->nlmsg_type)
-	, text_said
-	, error
-	, strerror(error));
-    return FALSE;
+	if (error == ENOENT && enoent_ok)
+	{
+		return TRUE;
+	}
+
+	loglog(RC_LOG_SERIOUS
+		, "ERROR: netlink %s response for flow %s included errno %d: %s"
+		, sparse_val_show(xfrm_type_names, hdr->nlmsg_type)
+		, text_said
+		, error
+		, strerror(error));
+	return FALSE;
 }
 
 /** netlink_raw_eroute
@@ -376,192 +374,192 @@ netlink_policy(struct nlmsghdr *hdr, bool enoent_ok, const char *text_said)
  */
 static bool
 netlink_raw_eroute(const ip_address *this_host
-		 , const ip_subnet *this_client
-		 , const ip_address *that_host
-		 , const ip_subnet *that_client
-		 , ipsec_spi_t spi
-		 , unsigned int satype
-		 , unsigned int transport_proto
-		 , const struct pfkey_proto_info *proto_info
-		 , time_t use_lifetime UNUSED
-		 , unsigned int op
-		 , const char *text_said)
+				 , const ip_subnet *this_client
+				 , const ip_address *that_host
+				 , const ip_subnet *that_client
+				 , ipsec_spi_t spi
+				 , unsigned int satype
+				 , unsigned int transport_proto
+				 , const struct pfkey_proto_info *proto_info
+				 , time_t use_lifetime UNUSED
+				 , unsigned int op
+				 , const char *text_said)
 {
-    struct {
-	struct nlmsghdr n;
-	union {
-	    struct xfrm_userpolicy_info p;
-	    struct xfrm_userpolicy_id id;
-	} u;
-	char data[1024];
-    } req;
-    int shift;
-    int dir;
-    int family;
-    int policy;
-    bool ok;
-    bool enoent_ok;
-
-    policy = IPSEC_POLICY_IPSEC;
-
-    if (satype == SADB_X_SATYPE_INT)
-    {
-	/* shunt route */
-	switch (ntohl(spi))
+	struct {
+		struct nlmsghdr n;
+		union {
+			struct xfrm_userpolicy_info p;
+			struct xfrm_userpolicy_id id;
+		} u;
+		char data[1024];
+	} req;
+	int shift;
+	int dir;
+	int family;
+	int policy;
+	bool ok;
+	bool enoent_ok;
+
+	policy = IPSEC_POLICY_IPSEC;
+
+	if (satype == SADB_X_SATYPE_INT)
 	{
-	case SPI_PASS:
-	    policy = IPSEC_POLICY_NONE;
-	    break;
-	case SPI_DROP:
-	case SPI_REJECT:
-	default:
-	    policy = IPSEC_POLICY_DISCARD;
-	    break;
-	case SPI_TRAP:
-	case SPI_TRAPSUBNET:
-	case SPI_HOLD:
-	    if (op & (SADB_X_SAFLAGS_INFLOW << ERO_FLAG_SHIFT))
-	    {
-		return TRUE;
-	    }
-	    break;
-	}
-    }
-
-    memset(&req, 0, sizeof(req));
-    req.n.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
-
-    family = that_client->addr.u.v4.sin_family;
-    shift = (family == AF_INET) ? 5 : 7;
-
-    req.u.p.sel.sport = portof(&this_client->addr);
-    req.u.p.sel.dport = portof(&that_client->addr);
-    req.u.p.sel.sport_mask = (req.u.p.sel.sport) ? ~0:0;
-    req.u.p.sel.dport_mask = (req.u.p.sel.dport) ? ~0:0;
-    ip2xfrm(&this_client->addr, &req.u.p.sel.saddr);
-    ip2xfrm(&that_client->addr, &req.u.p.sel.daddr);
-    req.u.p.sel.prefixlen_s = this_client->maskbits;
-    req.u.p.sel.prefixlen_d = that_client->maskbits;
-    req.u.p.sel.proto = transport_proto;
-    req.u.p.sel.family = family;
-
-    dir = XFRM_POLICY_OUT;
-    if (op & (SADB_X_SAFLAGS_INFLOW << ERO_FLAG_SHIFT))
-    {
-	dir = XFRM_POLICY_IN;
-    }
-
-    if ((op & ERO_MASK) == ERO_DELETE)
-    {
-	req.u.id.dir = dir;
-	req.n.nlmsg_type = XFRM_MSG_DELPOLICY;
-	req.n.nlmsg_len = NLMSG_ALIGN(NLMSG_LENGTH(sizeof(req.u.id)));
-    }
-    else
-    {
-    	int src, dst;
-
-	req.u.p.dir = dir;
-
-    	src = req.u.p.sel.prefixlen_s;
-    	dst = req.u.p.sel.prefixlen_d;
-	if (dir != XFRM_POLICY_OUT) {
-	    src = req.u.p.sel.prefixlen_d;
-	    dst = req.u.p.sel.prefixlen_s;
+		/* shunt route */
+		switch (ntohl(spi))
+		{
+		case SPI_PASS:
+			policy = IPSEC_POLICY_NONE;
+			break;
+		case SPI_DROP:
+		case SPI_REJECT:
+		default:
+			policy = IPSEC_POLICY_DISCARD;
+			break;
+		case SPI_TRAP:
+		case SPI_TRAPSUBNET:
+		case SPI_HOLD:
+			if (op & (SADB_X_SAFLAGS_INFLOW << ERO_FLAG_SHIFT))
+			{
+				return TRUE;
+			}
+			break;
+		}
 	}
-	req.u.p.priority = MIN_SPD_PRIORITY
-	    + (((2 << shift) - src) << shift)
-	    + (2 << shift) - dst;
 
-	req.u.p.action = XFRM_POLICY_ALLOW;
-	if (policy == IPSEC_POLICY_DISCARD)
+	memset(&req, 0, sizeof(req));
+	req.n.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
+
+	family = that_client->addr.u.v4.sin_family;
+	shift = (family == AF_INET) ? 5 : 7;
+
+	req.u.p.sel.sport = portof(&this_client->addr);
+	req.u.p.sel.dport = portof(&that_client->addr);
+	req.u.p.sel.sport_mask = (req.u.p.sel.sport) ? ~0:0;
+	req.u.p.sel.dport_mask = (req.u.p.sel.dport) ? ~0:0;
+	ip2xfrm(&this_client->addr, &req.u.p.sel.saddr);
+	ip2xfrm(&that_client->addr, &req.u.p.sel.daddr);
+	req.u.p.sel.prefixlen_s = this_client->maskbits;
+	req.u.p.sel.prefixlen_d = that_client->maskbits;
+	req.u.p.sel.proto = transport_proto;
+	req.u.p.sel.family = family;
+
+	dir = XFRM_POLICY_OUT;
+	if (op & (SADB_X_SAFLAGS_INFLOW << ERO_FLAG_SHIFT))
 	{
-	    req.u.p.action = XFRM_POLICY_BLOCK;
+		dir = XFRM_POLICY_IN;
 	}
-	req.u.p.lft.soft_use_expires_seconds = use_lifetime;
-	req.u.p.lft.soft_byte_limit = XFRM_INF;
-	req.u.p.lft.soft_packet_limit = XFRM_INF;
-	req.u.p.lft.hard_byte_limit = XFRM_INF;
-	req.u.p.lft.hard_packet_limit = XFRM_INF;
-
-	req.n.nlmsg_type = XFRM_MSG_NEWPOLICY;
-	if (op & (SADB_X_SAFLAGS_REPLACEFLOW << ERO_FLAG_SHIFT))
+
+	if ((op & ERO_MASK) == ERO_DELETE)
 	{
-	    req.n.nlmsg_type = XFRM_MSG_UPDPOLICY;
+		req.u.id.dir = dir;
+		req.n.nlmsg_type = XFRM_MSG_DELPOLICY;
+		req.n.nlmsg_len = NLMSG_ALIGN(NLMSG_LENGTH(sizeof(req.u.id)));
 	}
-	req.n.nlmsg_len = NLMSG_ALIGN(NLMSG_LENGTH(sizeof(req.u.p)));
-    }
-
-    if (policy == IPSEC_POLICY_IPSEC && (op & ERO_MASK) != ERO_DELETE)
-    {
-	struct rtattr *attr;
-	struct xfrm_user_tmpl tmpl[4];
-	int i;
-
-	memset(tmpl, 0, sizeof(tmpl));
-	for (i = 0; proto_info[i].proto; i++)
+	else
 	{
-	    tmpl[i].reqid = proto_info[i].reqid;
-	    tmpl[i].id.proto = proto_info[i].proto;
-	    tmpl[i].optional =
-		proto_info[i].proto == IPPROTO_COMP && dir != XFRM_POLICY_OUT;
-	    tmpl[i].aalgos = tmpl[i].ealgos = tmpl[i].calgos = ~0;
-	    tmpl[i].mode =
-		proto_info[i].encapsulation == ENCAPSULATION_MODE_TUNNEL;
-
-	    if (!tmpl[i].mode)
-	    {
-		continue;
-	    }
-
-	    ip2xfrm(this_host, &tmpl[i].saddr);
-	    ip2xfrm(that_host, &tmpl[i].id.daddr);
+		int src, dst;
+
+		req.u.p.dir = dir;
+
+		src = req.u.p.sel.prefixlen_s;
+		dst = req.u.p.sel.prefixlen_d;
+		if (dir != XFRM_POLICY_OUT) {
+			src = req.u.p.sel.prefixlen_d;
+			dst = req.u.p.sel.prefixlen_s;
+		}
+		req.u.p.priority = MIN_SPD_PRIORITY
+			+ (((2 << shift) - src) << shift)
+			+ (2 << shift) - dst;
+
+		req.u.p.action = XFRM_POLICY_ALLOW;
+		if (policy == IPSEC_POLICY_DISCARD)
+		{
+			req.u.p.action = XFRM_POLICY_BLOCK;
+		}
+		req.u.p.lft.soft_use_expires_seconds = use_lifetime;
+		req.u.p.lft.soft_byte_limit = XFRM_INF;
+		req.u.p.lft.soft_packet_limit = XFRM_INF;
+		req.u.p.lft.hard_byte_limit = XFRM_INF;
+		req.u.p.lft.hard_packet_limit = XFRM_INF;
+
+		req.n.nlmsg_type = XFRM_MSG_NEWPOLICY;
+		if (op & (SADB_X_SAFLAGS_REPLACEFLOW << ERO_FLAG_SHIFT))
+		{
+			req.n.nlmsg_type = XFRM_MSG_UPDPOLICY;
+		}
+		req.n.nlmsg_len = NLMSG_ALIGN(NLMSG_LENGTH(sizeof(req.u.p)));
 	}
 
-	attr = (struct rtattr *)((char *)&req + req.n.nlmsg_len);
-	attr->rta_type = XFRMA_TMPL;
-	attr->rta_len = i * sizeof(tmpl[0]);
-	memcpy(RTA_DATA(attr), tmpl, attr->rta_len);
-	attr->rta_len = RTA_LENGTH(attr->rta_len);
-	req.n.nlmsg_len += attr->rta_len;
-    }
-
-    enoent_ok = FALSE;
-    if (op == ERO_DEL_INBOUND)
-    {
-	enoent_ok = TRUE;
-    }
-    else if (op == ERO_DELETE && ntohl(spi) == SPI_HOLD)
-    {
-	enoent_ok = TRUE;
-    }
-
-    ok = netlink_policy(&req.n, enoent_ok, text_said);
-    switch (dir)
-    {
-    case XFRM_POLICY_IN:
-	if (req.n.nlmsg_type == XFRM_MSG_DELPOLICY)
+	if (policy == IPSEC_POLICY_IPSEC && (op & ERO_MASK) != ERO_DELETE)
 	{
-	    req.u.id.dir = XFRM_POLICY_FWD;
+		struct rtattr *attr;
+		struct xfrm_user_tmpl tmpl[4];
+		int i;
+
+		memset(tmpl, 0, sizeof(tmpl));
+		for (i = 0; proto_info[i].proto; i++)
+		{
+			tmpl[i].reqid = proto_info[i].reqid;
+			tmpl[i].id.proto = proto_info[i].proto;
+			tmpl[i].optional =
+				proto_info[i].proto == IPPROTO_COMP && dir != XFRM_POLICY_OUT;
+			tmpl[i].aalgos = tmpl[i].ealgos = tmpl[i].calgos = ~0;
+			tmpl[i].mode =
+				proto_info[i].encapsulation == ENCAPSULATION_MODE_TUNNEL;
+
+			if (!tmpl[i].mode)
+			{
+				continue;
+			}
+
+			ip2xfrm(this_host, &tmpl[i].saddr);
+			ip2xfrm(that_host, &tmpl[i].id.daddr);
+		}
+
+		attr = (struct rtattr *)((char *)&req + req.n.nlmsg_len);
+		attr->rta_type = XFRMA_TMPL;
+		attr->rta_len = i * sizeof(tmpl[0]);
+		memcpy(RTA_DATA(attr), tmpl, attr->rta_len);
+		attr->rta_len = RTA_LENGTH(attr->rta_len);
+		req.n.nlmsg_len += attr->rta_len;
 	}
-	else if (!ok)
+
+	enoent_ok = FALSE;
+	if (op == ERO_DEL_INBOUND)
 	{
-	    break;
+		enoent_ok = TRUE;
 	}
-	else if (proto_info[0].encapsulation != ENCAPSULATION_MODE_TUNNEL
-	&& satype != SADB_X_SATYPE_INT)
+	else if (op == ERO_DELETE && ntohl(spi) == SPI_HOLD)
 	{
-	    break;
+		enoent_ok = TRUE;
 	}
-	else
+
+	ok = netlink_policy(&req.n, enoent_ok, text_said);
+	switch (dir)
 	{
-	    req.u.p.dir = XFRM_POLICY_FWD;
+	case XFRM_POLICY_IN:
+		if (req.n.nlmsg_type == XFRM_MSG_DELPOLICY)
+		{
+			req.u.id.dir = XFRM_POLICY_FWD;
+		}
+		else if (!ok)
+		{
+			break;
+		}
+		else if (proto_info[0].encapsulation != ENCAPSULATION_MODE_TUNNEL
+		&& satype != SADB_X_SATYPE_INT)
+		{
+			break;
+		}
+		else
+		{
+			req.u.p.dir = XFRM_POLICY_FWD;
+		}
+		ok &= netlink_policy(&req.n, enoent_ok, text_said);
+		break;
 	}
-	ok &= netlink_policy(&req.n, enoent_ok, text_said);
-	break;
-    }
 
-    return ok;
+	return ok;
 }
 
 /** netlink_add_sa - Add an SA into the kernel SPDB via netlink
@@ -573,130 +571,130 @@ netlink_raw_eroute(const ip_address *this_host
 static bool
 netlink_add_sa(const struct kernel_sa *sa, bool replace)
 {
-    struct {
-	struct nlmsghdr n;
-	struct xfrm_usersa_info p;
-	char data[1024];
-    } req;
-    struct rtattr *attr;
-
-    memset(&req, 0, sizeof(req));
-    req.n.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
-    req.n.nlmsg_type = replace ? XFRM_MSG_UPDSA : XFRM_MSG_NEWSA;
-
-    ip2xfrm(sa->src, &req.p.saddr);
-    ip2xfrm(sa->dst, &req.p.id.daddr);
-
-    req.p.id.spi = sa->spi;
-    req.p.id.proto = satype2proto(sa->satype);
-    req.p.family = sa->src->u.v4.sin_family;
-    req.p.mode = (sa->encapsulation == ENCAPSULATION_MODE_TUNNEL);
-    req.p.replay_window = sa->replay_window;
-    req.p.reqid = sa->reqid;
-    req.p.lft.soft_byte_limit = XFRM_INF;
-    req.p.lft.soft_packet_limit = XFRM_INF;
-    req.p.lft.hard_byte_limit = XFRM_INF;
-    req.p.lft.hard_packet_limit = XFRM_INF;
-
-    req.n.nlmsg_len = NLMSG_ALIGN(NLMSG_LENGTH(sizeof(req.p)));
-
-    attr = (struct rtattr *)((char *)&req + req.n.nlmsg_len);
-
-    if (sa->authalg)
-    {
-	struct xfrm_algo algo;
-	const char *name;
-
-	name = sparse_name(aalg_list, sa->authalg);
-	if (!name) {
-	    loglog(RC_LOG_SERIOUS, "unknown authentication algorithm: %u"
-		, sa->authalg);
-	    return FALSE;
-	}
+	struct {
+		struct nlmsghdr n;
+		struct xfrm_usersa_info p;
+		char data[1024];
+	} req;
+	struct rtattr *attr;
+
+	memset(&req, 0, sizeof(req));
+	req.n.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
+	req.n.nlmsg_type = replace ? XFRM_MSG_UPDSA : XFRM_MSG_NEWSA;
 
-	strcpy(algo.alg_name, name);
-	algo.alg_key_len = sa->authkeylen * BITS_PER_BYTE;
+	ip2xfrm(sa->src, &req.p.saddr);
+	ip2xfrm(sa->dst, &req.p.id.daddr);
 
-	attr->rta_type = XFRMA_ALG_AUTH;
-	attr->rta_len = RTA_LENGTH(sizeof(algo) + sa->authkeylen);
+	req.p.id.spi = sa->spi;
+	req.p.id.proto = satype2proto(sa->satype);
+	req.p.family = sa->src->u.v4.sin_family;
+	req.p.mode = (sa->encapsulation == ENCAPSULATION_MODE_TUNNEL);
+	req.p.replay_window = sa->replay_window;
+	req.p.reqid = sa->reqid;
+	req.p.lft.soft_byte_limit = XFRM_INF;
+	req.p.lft.soft_packet_limit = XFRM_INF;
+	req.p.lft.hard_byte_limit = XFRM_INF;
+	req.p.lft.hard_packet_limit = XFRM_INF;
 
-	memcpy(RTA_DATA(attr), &algo, sizeof(algo));
-	memcpy((char *)RTA_DATA(attr) + sizeof(algo), sa->authkey
-	    , sa->authkeylen);
+	req.n.nlmsg_len = NLMSG_ALIGN(NLMSG_LENGTH(sizeof(req.p)));
 
-	req.n.nlmsg_len += attr->rta_len;
-	attr = (struct rtattr *)((char *)attr + attr->rta_len);
-    }
+	attr = (struct rtattr *)((char *)&req + req.n.nlmsg_len);
+
+	if (sa->authalg)
+	{
+		struct xfrm_algo algo;
+		const char *name;
 
-    if (sa->encalg)
-    {
-	struct xfrm_algo algo;
-	const char *name;
+		name = sparse_name(aalg_list, sa->authalg);
+		if (!name) {
+			loglog(RC_LOG_SERIOUS, "unknown authentication algorithm: %u"
+				, sa->authalg);
+			return FALSE;
+		}
 
-	name = sparse_name(ealg_list, sa->encalg);
-	if (!name) {
-	    loglog(RC_LOG_SERIOUS, "unknown encryption algorithm: %u"
-		, sa->encalg);
-	    return FALSE;
+		strcpy(algo.alg_name, name);
+		algo.alg_key_len = sa->authkeylen * BITS_PER_BYTE;
+
+		attr->rta_type = XFRMA_ALG_AUTH;
+		attr->rta_len = RTA_LENGTH(sizeof(algo) + sa->authkeylen);
+
+		memcpy(RTA_DATA(attr), &algo, sizeof(algo));
+		memcpy((char *)RTA_DATA(attr) + sizeof(algo), sa->authkey
+			, sa->authkeylen);
+
+		req.n.nlmsg_len += attr->rta_len;
+		attr = (struct rtattr *)((char *)attr + attr->rta_len);
 	}
 
-	strcpy(algo.alg_name, name);
-	algo.alg_key_len = sa->enckeylen * BITS_PER_BYTE;
+	if (sa->encalg)
+	{
+		struct xfrm_algo algo;
+		const char *name;
 
-	attr->rta_type = XFRMA_ALG_CRYPT;
-	attr->rta_len = RTA_LENGTH(sizeof(algo) + sa->enckeylen);
+		name = sparse_name(ealg_list, sa->encalg);
+		if (!name) {
+			loglog(RC_LOG_SERIOUS, "unknown encryption algorithm: %u"
+				, sa->encalg);
+			return FALSE;
+		}
 
-	memcpy(RTA_DATA(attr), &algo, sizeof(algo));
-	memcpy((char *)RTA_DATA(attr) + sizeof(algo), sa->enckey
-	    , sa->enckeylen);
+		strcpy(algo.alg_name, name);
+		algo.alg_key_len = sa->enckeylen * BITS_PER_BYTE;
 
-	req.n.nlmsg_len += attr->rta_len;
-	attr = (struct rtattr *)((char *)attr + attr->rta_len);
-    }
+		attr->rta_type = XFRMA_ALG_CRYPT;
+		attr->rta_len = RTA_LENGTH(sizeof(algo) + sa->enckeylen);
 
-    if (sa->compalg)
-    {
-	struct xfrm_algo algo;
-	const char *name;
+		memcpy(RTA_DATA(attr), &algo, sizeof(algo));
+		memcpy((char *)RTA_DATA(attr) + sizeof(algo), sa->enckey
+			, sa->enckeylen);
 
-	name = sparse_name(calg_list, sa->compalg);
-	if (!name) {
-	    loglog(RC_LOG_SERIOUS, "unknown compression algorithm: %u"
-		, sa->compalg);
-	    return FALSE;
+		req.n.nlmsg_len += attr->rta_len;
+		attr = (struct rtattr *)((char *)attr + attr->rta_len);
 	}
 
-	strcpy(algo.alg_name, name);
-	algo.alg_key_len = 0;
+	if (sa->compalg)
+	{
+		struct xfrm_algo algo;
+		const char *name;
 
-	attr->rta_type = XFRMA_ALG_COMP;
-	attr->rta_len = RTA_LENGTH(sizeof(algo));
+		name = sparse_name(calg_list, sa->compalg);
+		if (!name) {
+			loglog(RC_LOG_SERIOUS, "unknown compression algorithm: %u"
+				, sa->compalg);
+			return FALSE;
+		}
 
-	memcpy(RTA_DATA(attr), &algo, sizeof(algo));
+		strcpy(algo.alg_name, name);
+		algo.alg_key_len = 0;
 
-	req.n.nlmsg_len += attr->rta_len;
-	attr = (struct rtattr *)((char *)attr + attr->rta_len);
-    }
+		attr->rta_type = XFRMA_ALG_COMP;
+		attr->rta_len = RTA_LENGTH(sizeof(algo));
 
-    if (sa->natt_type)
-    {
-	struct xfrm_encap_tmpl natt;
+		memcpy(RTA_DATA(attr), &algo, sizeof(algo));
 
-	natt.encap_type = sa->natt_type;
-	natt.encap_sport = ntohs(sa->natt_sport);
-	natt.encap_dport = ntohs(sa->natt_dport);
-	memset (&natt.encap_oa, 0, sizeof (natt.encap_oa));
+		req.n.nlmsg_len += attr->rta_len;
+		attr = (struct rtattr *)((char *)attr + attr->rta_len);
+	}
 
-	attr->rta_type = XFRMA_ENCAP;
-	attr->rta_len = RTA_LENGTH(sizeof(natt));
+	if (sa->natt_type)
+	{
+		struct xfrm_encap_tmpl natt;
+
+		natt.encap_type = sa->natt_type;
+		natt.encap_sport = ntohs(sa->natt_sport);
+		natt.encap_dport = ntohs(sa->natt_dport);
+		memset (&natt.encap_oa, 0, sizeof (natt.encap_oa));
 
-	memcpy(RTA_DATA(attr), &natt, sizeof(natt));
+		attr->rta_type = XFRMA_ENCAP;
+		attr->rta_len = RTA_LENGTH(sizeof(natt));
 
-	req.n.nlmsg_len += attr->rta_len;
-	attr = (struct rtattr *)((char *)attr + attr->rta_len);
-    }
+		memcpy(RTA_DATA(attr), &natt, sizeof(natt));
 
-    return send_netlink_msg(&req.n, NULL, 0, "Add SA", sa->text_said);
+		req.n.nlmsg_len += attr->rta_len;
+		attr = (struct rtattr *)((char *)attr + attr->rta_len);
+	}
+
+	return send_netlink_msg(&req.n, NULL, 0, "Add SA", sa->text_said);
 }
 
 /** netlink_del_sa - Delete an SA from the Kernel
@@ -707,113 +705,113 @@ netlink_add_sa(const struct kernel_sa *sa, bool replace)
 static bool
 netlink_del_sa(const struct kernel_sa *sa)
 {
-    struct {
-	struct nlmsghdr n;
-	struct xfrm_usersa_id id;
-	char data[1024];
-    } req;
+	struct {
+		struct nlmsghdr n;
+		struct xfrm_usersa_id id;
+		char data[1024];
+	} req;
 
-    memset(&req, 0, sizeof(req));
-    req.n.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
-    req.n.nlmsg_type = XFRM_MSG_DELSA;
+	memset(&req, 0, sizeof(req));
+	req.n.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
+	req.n.nlmsg_type = XFRM_MSG_DELSA;
 
-    ip2xfrm(sa->dst, &req.id.daddr);
+	ip2xfrm(sa->dst, &req.id.daddr);
 
-    req.id.spi = sa->spi;
-    req.id.family = sa->src->u.v4.sin_family;
-    req.id.proto = sa->proto;
+	req.id.spi = sa->spi;
+	req.id.family = sa->src->u.v4.sin_family;
+	req.id.proto = sa->proto;
 
-    req.n.nlmsg_len = NLMSG_ALIGN(NLMSG_LENGTH(sizeof(req.id)));
+	req.n.nlmsg_len = NLMSG_ALIGN(NLMSG_LENGTH(sizeof(req.id)));
 
-    return send_netlink_msg(&req.n, NULL, 0, "Del SA", sa->text_said);
+	return send_netlink_msg(&req.n, NULL, 0, "Del SA", sa->text_said);
 }
 
 static bool
 netlink_error(const char *req_type, const struct nlmsghdr *n
 , const struct nlmsgerr *e, int rsp_size)
 {
-    if (n->nlmsg_type == NLMSG_ERROR)
-    {
-	DBG(DBG_KLIPS,
-	    DBG_log("%s returned with errno %d: %s"
-	    , req_type
-	    , -e->error
-	    , strerror(-e->error))
-	)
-	return TRUE;
-    }
-    if (n->nlmsg_len < NLMSG_LENGTH(rsp_size))
-    {
-	plog("%s returned message with length %lu < %lu bytes"
-	    , req_type
-	    , (unsigned long) n->nlmsg_len
-	    , (unsigned long) rsp_size);
-	return TRUE;
-    }
-    return FALSE;
+	if (n->nlmsg_type == NLMSG_ERROR)
+	{
+		DBG(DBG_KLIPS,
+			DBG_log("%s returned with errno %d: %s"
+			, req_type
+			, -e->error
+			, strerror(-e->error))
+		)
+		return TRUE;
+	}
+	if (n->nlmsg_len < NLMSG_LENGTH(rsp_size))
+	{
+		plog("%s returned message with length %lu < %lu bytes"
+			, req_type
+			, (unsigned long) n->nlmsg_len
+			, (unsigned long) rsp_size);
+		return TRUE;
+	}
+	return FALSE;
 }
 
 static bool
 netlink_get_policy(const struct kernel_sa *sa, bool inbound, time_t *use_time)
 {
-    struct {
-	struct nlmsghdr n;
-	struct xfrm_userpolicy_id id;
-    } req;
-
-    struct {
-	struct nlmsghdr n;
-	union {
-	    struct nlmsgerr e;
-	    struct xfrm_userpolicy_info info;
-	} u;
-	char data[1024];
-    } rsp;
-
-    memset(&req, 0, sizeof(req));
-    req.n.nlmsg_flags = NLM_F_REQUEST;
-    req.n.nlmsg_type = XFRM_MSG_GETPOLICY;
-
-    req.id.sel.sport = portof(&sa->src_client->addr);
-    req.id.sel.dport = portof(&sa->dst_client->addr);
-    req.id.sel.sport_mask = (req.id.sel.sport) ? ~0:0;
-    req.id.sel.dport_mask = (req.id.sel.dport) ? ~0:0;
-    ip2xfrm(&sa->src_client->addr, &req.id.sel.saddr);
-    ip2xfrm(&sa->dst_client->addr, &req.id.sel.daddr);
-    req.id.sel.prefixlen_s = sa->src_client->maskbits;
-    req.id.sel.prefixlen_d = sa->dst_client->maskbits;
-    req.id.sel.proto = sa->transport_proto;
-    req.id.sel.family = sa->dst_client->addr.u.v4.sin_family;
-
-    req.n.nlmsg_len = NLMSG_ALIGN(NLMSG_LENGTH(sizeof(req.id)));
-    rsp.n.nlmsg_type = XFRM_MSG_NEWPOLICY;
-
-    req.id.dir = (inbound)? XFRM_POLICY_IN:XFRM_POLICY_OUT;
-
-    if (!send_netlink_msg(&req.n, &rsp.n, sizeof(rsp), "Get policy", "?"))
-	return FALSE;
+	struct {
+		struct nlmsghdr n;
+		struct xfrm_userpolicy_id id;
+	} req;
+
+	struct {
+		struct nlmsghdr n;
+		union {
+			struct nlmsgerr e;
+			struct xfrm_userpolicy_info info;
+		} u;
+		char data[1024];
+	} rsp;
+
+	memset(&req, 0, sizeof(req));
+	req.n.nlmsg_flags = NLM_F_REQUEST;
+	req.n.nlmsg_type = XFRM_MSG_GETPOLICY;
+
+	req.id.sel.sport = portof(&sa->src_client->addr);
+	req.id.sel.dport = portof(&sa->dst_client->addr);
+	req.id.sel.sport_mask = (req.id.sel.sport) ? ~0:0;
+	req.id.sel.dport_mask = (req.id.sel.dport) ? ~0:0;
+	ip2xfrm(&sa->src_client->addr, &req.id.sel.saddr);
+	ip2xfrm(&sa->dst_client->addr, &req.id.sel.daddr);
+	req.id.sel.prefixlen_s = sa->src_client->maskbits;
+	req.id.sel.prefixlen_d = sa->dst_client->maskbits;
+	req.id.sel.proto = sa->transport_proto;
+	req.id.sel.family = sa->dst_client->addr.u.v4.sin_family;
+
+	req.n.nlmsg_len = NLMSG_ALIGN(NLMSG_LENGTH(sizeof(req.id)));
+	rsp.n.nlmsg_type = XFRM_MSG_NEWPOLICY;
+
+	req.id.dir = (inbound)? XFRM_POLICY_IN:XFRM_POLICY_OUT;
 
-    if (netlink_error("XFRM_MSG_GETPOLICY", &rsp.n, &rsp.u.e, sizeof(rsp.u.info)))
-	return FALSE;
+	if (!send_netlink_msg(&req.n, &rsp.n, sizeof(rsp), "Get policy", "?"))
+		return FALSE;
+
+	if (netlink_error("XFRM_MSG_GETPOLICY", &rsp.n, &rsp.u.e, sizeof(rsp.u.info)))
+		return FALSE;
 
-    *use_time = (time_t)rsp.u.info.curlft.use_time;
+	*use_time = (time_t)rsp.u.info.curlft.use_time;
 
-    if (inbound && sa->encapsulation == ENCAPSULATION_MODE_TUNNEL)
-    {
-	time_t use_time_fwd;
+	if (inbound && sa->encapsulation == ENCAPSULATION_MODE_TUNNEL)
+	{
+		time_t use_time_fwd;
 
-	req.id.dir = XFRM_POLICY_FWD;
+		req.id.dir = XFRM_POLICY_FWD;
 
-	if (!send_netlink_msg(&req.n, &rsp.n, sizeof(rsp), "Get policy", "?"))
-	    return FALSE;
+		if (!send_netlink_msg(&req.n, &rsp.n, sizeof(rsp), "Get policy", "?"))
+			return FALSE;
 
-	if (netlink_error("XFRM_MSG_GETPOLICY", &rsp.n, &rsp.u.e, sizeof(rsp.u.info)))
-	    return FALSE;
+		if (netlink_error("XFRM_MSG_GETPOLICY", &rsp.n, &rsp.u.e, sizeof(rsp.u.info)))
+			return FALSE;
 
-        use_time_fwd = (time_t)rsp.u.info.curlft.use_time;
-	*use_time = (*use_time > use_time_fwd)? *use_time : use_time_fwd;
-    }
-    return TRUE;
+		use_time_fwd = (time_t)rsp.u.info.curlft.use_time;
+		*use_time = (*use_time > use_time_fwd)? *use_time : use_time_fwd;
+	}
+	return TRUE;
 }
 
 
@@ -825,60 +823,60 @@ netlink_get_policy(const struct kernel_sa *sa, bool inbound, time_t *use_time)
 static bool
 netlink_get_sa(const struct kernel_sa *sa, u_int *bytes)
 {
-    struct {
-	struct nlmsghdr n;
-	struct xfrm_usersa_id id;
-    } req;
-
-    struct {
-	struct nlmsghdr n;
-	union {
-	    struct nlmsgerr e;
-	    struct xfrm_usersa_info info;
-	} u;
-	char data[1024];
-    } rsp;
-
-    memset(&req, 0, sizeof(req));
-    req.n.nlmsg_flags = NLM_F_REQUEST;
-    req.n.nlmsg_type = XFRM_MSG_GETSA;
-
-    ip2xfrm(sa->dst, &req.id.daddr);
-
-    req.id.spi = sa->spi;
-    req.id.family = sa->src->u.v4.sin_family;
-    req.id.proto = sa->proto;
-
-    req.n.nlmsg_len = NLMSG_ALIGN(NLMSG_LENGTH(sizeof(req.id)));
-    rsp.n.nlmsg_type = XFRM_MSG_NEWSA;
-
-    if (!send_netlink_msg(&req.n, &rsp.n, sizeof(rsp), "Get SA", sa->text_said))
-	return FALSE;
+	struct {
+		struct nlmsghdr n;
+		struct xfrm_usersa_id id;
+	} req;
 
-    if (netlink_error("XFRM_MSG_GETSA", &rsp.n, &rsp.u.e, sizeof(rsp.u.info)))
-	return FALSE;
+	struct {
+		struct nlmsghdr n;
+		union {
+			struct nlmsgerr e;
+			struct xfrm_usersa_info info;
+		} u;
+		char data[1024];
+	} rsp;
+
+	memset(&req, 0, sizeof(req));
+	req.n.nlmsg_flags = NLM_F_REQUEST;
+	req.n.nlmsg_type = XFRM_MSG_GETSA;
+
+	ip2xfrm(sa->dst, &req.id.daddr);
 
-    *bytes = (u_int) rsp.u.info.curlft.bytes;
+	req.id.spi = sa->spi;
+	req.id.family = sa->src->u.v4.sin_family;
+	req.id.proto = sa->proto;
 
-    return TRUE;
+	req.n.nlmsg_len = NLMSG_ALIGN(NLMSG_LENGTH(sizeof(req.id)));
+	rsp.n.nlmsg_type = XFRM_MSG_NEWSA;
+
+	if (!send_netlink_msg(&req.n, &rsp.n, sizeof(rsp), "Get SA", sa->text_said))
+		return FALSE;
+
+	if (netlink_error("XFRM_MSG_GETSA", &rsp.n, &rsp.u.e, sizeof(rsp.u.info)))
+		return FALSE;
+
+	*bytes = (u_int) rsp.u.info.curlft.bytes;
+
+	return TRUE;
 }
 
 static void
 linux_pfkey_register_response(const struct sadb_msg *msg)
 {
-    switch (msg->sadb_msg_satype)
-    {
-    case SADB_SATYPE_ESP:
+	switch (msg->sadb_msg_satype)
+	{
+	case SADB_SATYPE_ESP:
 #ifndef NO_KERNEL_ALG
-	    kernel_alg_register_pfkey(msg, msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN);
+			kernel_alg_register_pfkey(msg, msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN);
 #endif
-	    break;
-    case SADB_X_SATYPE_IPCOMP:
-	can_do_IPcomp = TRUE;
-	break;
-    default:
-	break;
-    }
+			break;
+	case SADB_X_SATYPE_IPCOMP:
+		can_do_IPcomp = TRUE;
+		break;
+	default:
+		break;
+	}
 }
 
 /** linux_pfkey_register - Register via PFKEY our capabilities
@@ -887,10 +885,10 @@ linux_pfkey_register_response(const struct sadb_msg *msg)
 static void
 linux_pfkey_register(void)
 {
-    pfkey_register_proto(SADB_SATYPE_AH, "AH");
-    pfkey_register_proto(SADB_SATYPE_ESP, "ESP");
-    pfkey_register_proto(SADB_X_SATYPE_IPCOMP, "IPCOMP");
-    pfkey_close();
+	pfkey_register_proto(SADB_SATYPE_AH, "AH");
+	pfkey_register_proto(SADB_SATYPE_ESP, "ESP");
+	pfkey_register_proto(SADB_X_SATYPE_IPCOMP, "IPCOMP");
+	pfkey_close();
 }
 
 /** Create ip_address out of xfrm_address_t.
@@ -903,18 +901,18 @@ linux_pfkey_register(void)
 static err_t
 xfrm_to_ip_address(unsigned family, const xfrm_address_t *src, ip_address *dst)
 {
-    switch (family)
-    {
-    case AF_INET:   /* IPv4 */
-    case AF_UNSPEC: /* Unspecified, we assume IPv4 */
-	initaddr((const void *) &src->a4, sizeof(src->a4), AF_INET, dst);
-	return NULL;
-    case AF_INET6:  /* IPv6 */
-	initaddr((const void *) &src->a6, sizeof(src->a6), AF_INET6, dst);
-	return NULL;
-    default:
-	return "unknown address family";
-    }
+	switch (family)
+	{
+	case AF_INET:   /* IPv4 */
+	case AF_UNSPEC: /* Unspecified, we assume IPv4 */
+		initaddr((const void *) &src->a4, sizeof(src->a4), AF_INET, dst);
+		return NULL;
+	case AF_INET6:  /* IPv6 */
+		initaddr((const void *) &src->a6, sizeof(src->a6), AF_INET6, dst);
+		return NULL;
+	default:
+		return "unknown address family";
+	}
 }
 
 /* Create a pair of ip_address's out of xfrm_sel.
@@ -926,29 +924,29 @@ xfrm_to_ip_address(unsigned family, const xfrm_address_t *src, ip_address *dst)
  */
 static err_t
 xfrm_sel_to_ip_pair(const struct xfrm_selector *sel
-		    , ip_address *src
-		    , ip_address *dst)
+					, ip_address *src
+					, ip_address *dst)
 {
-    int family;
-    err_t ugh;
-
-    family = sel->family;
-
-    if ((ugh = xfrm_to_ip_address(family, &sel->saddr, src))
-	|| (ugh = xfrm_to_ip_address(family, &sel->daddr, dst)))
-	return ugh;
-
-    /* family has been verified in xfrm_to_ip_address. */
-    if (family == AF_INET)
-    {
-	src->u.v4.sin_port = sel->sport;
-	dst->u.v4.sin_port = sel->dport;
-    }
-    else
-    {
-	src->u.v6.sin6_port = sel->sport;
-	dst->u.v6.sin6_port = sel->dport;
-    }
+	int family;
+	err_t ugh;
+
+	family = sel->family;
+
+	if ((ugh = xfrm_to_ip_address(family, &sel->saddr, src))
+		|| (ugh = xfrm_to_ip_address(family, &sel->daddr, dst)))
+		return ugh;
+
+	/* family has been verified in xfrm_to_ip_address. */
+	if (family == AF_INET)
+	{
+		src->u.v4.sin_port = sel->sport;
+		dst->u.v4.sin_port = sel->dport;
+	}
+	else
+	{
+		src->u.v6.sin6_port = sel->sport;
+		dst->u.v6.sin6_port = sel->dport;
+	}
 
    return NULL;
 }
@@ -956,194 +954,194 @@ xfrm_sel_to_ip_pair(const struct xfrm_selector *sel
 static void
 netlink_acquire(struct nlmsghdr *n)
 {
-    struct xfrm_user_acquire *acquire;
-    ip_address src, dst;
-    ip_subnet ours, his;
-    unsigned transport_proto;
-    err_t ugh = NULL;
-
-    if (n->nlmsg_len < NLMSG_LENGTH(sizeof(*acquire)))
-    {
-	plog("netlink_acquire got message with length %lu < %lu bytes; ignore message"
-	    , (unsigned long) n->nlmsg_len
-	    , (unsigned long) sizeof(*acquire));
-	return;
-    }
-
-    acquire = NLMSG_DATA(n);
-    transport_proto = acquire->sel.proto;
-
-    /* XXX also the type of src/dst should be checked to make sure
-     *     that they aren't v4 to v6 or something goofy
-     */
-   
-    if (!(ugh = xfrm_sel_to_ip_pair(&acquire->sel, &src, &dst))
-    && !(ugh = addrtosubnet(&src, &ours))
-    && !(ugh = addrtosubnet(&dst, &his)))
-	record_and_initiate_opportunistic(&ours, &his, transport_proto
-	    , "%acquire-netlink");
-
-    if (ugh != NULL)
-	plog("XFRM_MSG_ACQUIRE message from kernel malformed: %s", ugh);
+	struct xfrm_user_acquire *acquire;
+	ip_address src, dst;
+	ip_subnet ours, his;
+	unsigned transport_proto;
+	err_t ugh = NULL;
+
+	if (n->nlmsg_len < NLMSG_LENGTH(sizeof(*acquire)))
+	{
+		plog("netlink_acquire got message with length %lu < %lu bytes; ignore message"
+			, (unsigned long) n->nlmsg_len
+			, (unsigned long) sizeof(*acquire));
+		return;
+	}
+
+	acquire = NLMSG_DATA(n);
+	transport_proto = acquire->sel.proto;
+
+	/* XXX also the type of src/dst should be checked to make sure
+	 *     that they aren't v4 to v6 or something goofy
+	 */
+
+	if (!(ugh = xfrm_sel_to_ip_pair(&acquire->sel, &src, &dst))
+	&& !(ugh = addrtosubnet(&src, &ours))
+	&& !(ugh = addrtosubnet(&dst, &his)))
+		record_and_initiate_opportunistic(&ours, &his, transport_proto
+			, "%acquire-netlink");
+
+	if (ugh != NULL)
+		plog("XFRM_MSG_ACQUIRE message from kernel malformed: %s", ugh);
 }
 
 static void
 netlink_shunt_expire(struct xfrm_userpolicy_info *pol)
 {
-    ip_address src, dst;
-    unsigned transport_proto;
-    err_t ugh = NULL;
-  
-    transport_proto = pol->sel.proto;
-
-    if (!(ugh = xfrm_sel_to_ip_pair(&pol->sel, &src, &dst)))
-    {
-	plog("XFRM_MSG_POLEXPIRE message from kernel malformed: %s", ugh);
-	return;
-    }
-
-    replace_bare_shunt(&src, &dst, BOTTOM_PRIO, SPI_PASS, FALSE, transport_proto
-	, "delete expired bare shunt");
+	ip_address src, dst;
+	unsigned transport_proto;
+	err_t ugh = NULL;
+
+	transport_proto = pol->sel.proto;
+
+	if (!(ugh = xfrm_sel_to_ip_pair(&pol->sel, &src, &dst)))
+	{
+		plog("XFRM_MSG_POLEXPIRE message from kernel malformed: %s", ugh);
+		return;
+	}
+
+	replace_bare_shunt(&src, &dst, BOTTOM_PRIO, SPI_PASS, FALSE, transport_proto
+		, "delete expired bare shunt");
 }
 
 static void
 netlink_policy_expire(struct nlmsghdr *n)
 {
-    struct xfrm_user_polexpire *upe;
-    struct {
-	struct nlmsghdr n;
-	struct xfrm_userpolicy_id id;
-    } req;
-
-    struct {
-	struct nlmsghdr n;
-	union {
-	    struct nlmsgerr e;
-	    struct xfrm_userpolicy_info pol;
-	} u;
-	char data[1024];
-    } rsp;
-
-    if (n->nlmsg_len < NLMSG_LENGTH(sizeof(*upe)))
-    {
-	plog("netlink_policy_expire got message with length %lu < %lu bytes; ignore message"
-	    , (unsigned long) n->nlmsg_len
-	    , (unsigned long) sizeof(*upe));
-	return;
-    }
-
-    upe = NLMSG_DATA(n);
-    req.id.dir = upe->pol.dir;
-    req.id.index = upe->pol.index;
-    req.n.nlmsg_flags = NLM_F_REQUEST;
-    req.n.nlmsg_type = XFRM_MSG_GETPOLICY;
-    req.n.nlmsg_len = NLMSG_ALIGN(NLMSG_LENGTH(sizeof(req.id)));
-
-    rsp.n.nlmsg_type = XFRM_MSG_NEWPOLICY;
-
-    if (!send_netlink_msg(&req.n, &rsp.n, sizeof(rsp), "Get policy", "?"))
-	return;
-
-    if (netlink_error("XFRM_MSG_GETPOLICY", &rsp.n, &rsp.u.e, sizeof(rsp.u.pol)))
-	return;
-
-    if (req.id.index != rsp.u.pol.index)
-    {
-	DBG(DBG_KLIPS,
-	    DBG_log("netlink_policy_expire: policy was replaced: "
-		    "dir=%d, oldindex=%d, newindex=%d"
-		, req.id.dir, req.id.index, rsp.u.pol.index));
-	return;
-    }
-
-    if (upe->pol.curlft.add_time != rsp.u.pol.curlft.add_time)
-    {
-	DBG(DBG_KLIPS,
-	    DBG_log("netlink_policy_expire: policy was replaced "
-		    " and you have won the lottery: "
-		    "dir=%d, index=%d"
-		, req.id.dir, req.id.index));
-	return;
-    }
-
-    switch (upe->pol.dir)
-    {
-    case XFRM_POLICY_OUT:
-	netlink_shunt_expire(&rsp.u.pol);
-	break;
-    }
+	struct xfrm_user_polexpire *upe;
+	struct {
+		struct nlmsghdr n;
+		struct xfrm_userpolicy_id id;
+	} req;
+
+	struct {
+		struct nlmsghdr n;
+		union {
+			struct nlmsgerr e;
+			struct xfrm_userpolicy_info pol;
+		} u;
+		char data[1024];
+	} rsp;
+
+	if (n->nlmsg_len < NLMSG_LENGTH(sizeof(*upe)))
+	{
+		plog("netlink_policy_expire got message with length %lu < %lu bytes; ignore message"
+			, (unsigned long) n->nlmsg_len
+			, (unsigned long) sizeof(*upe));
+		return;
+	}
+
+	upe = NLMSG_DATA(n);
+	req.id.dir = upe->pol.dir;
+	req.id.index = upe->pol.index;
+	req.n.nlmsg_flags = NLM_F_REQUEST;
+	req.n.nlmsg_type = XFRM_MSG_GETPOLICY;
+	req.n.nlmsg_len = NLMSG_ALIGN(NLMSG_LENGTH(sizeof(req.id)));
+
+	rsp.n.nlmsg_type = XFRM_MSG_NEWPOLICY;
+
+	if (!send_netlink_msg(&req.n, &rsp.n, sizeof(rsp), "Get policy", "?"))
+		return;
+
+	if (netlink_error("XFRM_MSG_GETPOLICY", &rsp.n, &rsp.u.e, sizeof(rsp.u.pol)))
+		return;
+
+	if (req.id.index != rsp.u.pol.index)
+	{
+		DBG(DBG_KLIPS,
+			DBG_log("netlink_policy_expire: policy was replaced: "
+					"dir=%d, oldindex=%d, newindex=%d"
+				, req.id.dir, req.id.index, rsp.u.pol.index));
+		return;
+	}
+
+	if (upe->pol.curlft.add_time != rsp.u.pol.curlft.add_time)
+	{
+		DBG(DBG_KLIPS,
+			DBG_log("netlink_policy_expire: policy was replaced "
+					" and you have won the lottery: "
+					"dir=%d, index=%d"
+				, req.id.dir, req.id.index));
+		return;
+	}
+
+	switch (upe->pol.dir)
+	{
+	case XFRM_POLICY_OUT:
+		netlink_shunt_expire(&rsp.u.pol);
+		break;
+	}
 }
 
 static bool
 netlink_get(void)
 {
-    struct {
-	struct nlmsghdr n;
-	char data[1024];
-    } rsp;
-    ssize_t r;
-    struct sockaddr_nl addr;
-    socklen_t alen;
-
-    alen = sizeof(addr);
-    r = recvfrom(netlink_bcast_fd, &rsp, sizeof(rsp), 0
-	, (struct sockaddr *)&addr, &alen);
-    if (r < 0)
-    {
-	if (errno == EAGAIN)
-	    return FALSE;
-	if (errno != EINTR)
-	    log_errno((e, "recvfrom() failed in netlink_get"));
-	return TRUE;
-    }
-    else if ((size_t) r < sizeof(rsp.n))
-    {
-	plog("netlink_get read truncated message: %ld bytes; ignore message"
-	    , (long) r);
-	return TRUE;
-    }
-    else if (addr.nl_pid != 0)
-    {
-	/* not for us: ignore */
+	struct {
+		struct nlmsghdr n;
+		char data[1024];
+	} rsp;
+	ssize_t r;
+	struct sockaddr_nl addr;
+	socklen_t alen;
+
+	alen = sizeof(addr);
+	r = recvfrom(netlink_bcast_fd, &rsp, sizeof(rsp), 0
+		, (struct sockaddr *)&addr, &alen);
+	if (r < 0)
+	{
+		if (errno == EAGAIN)
+			return FALSE;
+		if (errno != EINTR)
+			log_errno((e, "recvfrom() failed in netlink_get"));
+		return TRUE;
+	}
+	else if ((size_t) r < sizeof(rsp.n))
+	{
+		plog("netlink_get read truncated message: %ld bytes; ignore message"
+			, (long) r);
+		return TRUE;
+	}
+	else if (addr.nl_pid != 0)
+	{
+		/* not for us: ignore */
+		DBG(DBG_KLIPS,
+			DBG_log("netlink_get: ignoring %s message from process %u"
+				, sparse_val_show(xfrm_type_names, rsp.n.nlmsg_type)
+				, addr.nl_pid));
+		return TRUE;
+	}
+	else if ((size_t) r != rsp.n.nlmsg_len)
+	{
+		plog("netlink_get read message with length %ld that doesn't equal nlmsg_len %lu bytes; ignore message"
+			, (long) r
+			, (unsigned long) rsp.n.nlmsg_len);
+		return TRUE;
+	}
+
 	DBG(DBG_KLIPS,
-	    DBG_log("netlink_get: ignoring %s message from process %u"
-		, sparse_val_show(xfrm_type_names, rsp.n.nlmsg_type)
-		, addr.nl_pid));
-	return TRUE;
-    }
-    else if ((size_t) r != rsp.n.nlmsg_len)
-    {
-	plog("netlink_get read message with length %ld that doesn't equal nlmsg_len %lu bytes; ignore message"
-	    , (long) r
-	    , (unsigned long) rsp.n.nlmsg_len);
+		DBG_log("netlink_get: %s message"
+				, sparse_val_show(xfrm_type_names, rsp.n.nlmsg_type)));
+
+	switch (rsp.n.nlmsg_type)
+	{
+	case XFRM_MSG_ACQUIRE:
+		netlink_acquire(&rsp.n);
+		break;
+	case XFRM_MSG_POLEXPIRE:
+		netlink_policy_expire(&rsp.n);
+		break;
+	default:
+		/* ignored */
+		break;
+	}
+
 	return TRUE;
-    }
-
-    DBG(DBG_KLIPS,
-	DBG_log("netlink_get: %s message"
-		, sparse_val_show(xfrm_type_names, rsp.n.nlmsg_type)));
-
-    switch (rsp.n.nlmsg_type)
-    {
-    case XFRM_MSG_ACQUIRE:
-	netlink_acquire(&rsp.n);
-	break;
-    case XFRM_MSG_POLEXPIRE:
-	netlink_policy_expire(&rsp.n);
-	break;
-    default:
-	/* ignored */
-	break;
-    }
-
-    return TRUE;
 }
 
 static void
 netlink_process_msg(void)
 {
-    while (netlink_get())
-	;
+	while (netlink_get())
+		;
 }
 
 static ipsec_spi_t
@@ -1156,65 +1154,65 @@ netlink_get_spi(const ip_address *src
 , ipsec_spi_t max
 , const char *text_said)
 {
-    struct {
-	struct nlmsghdr n;
-	struct xfrm_userspi_info spi;
-    } req;
-
-    struct {
-	struct nlmsghdr n;
-	union {
-	    struct nlmsgerr e;
-	    struct xfrm_usersa_info sa;
-	} u;
-	char data[1024];
-    } rsp;
-
-    memset(&req, 0, sizeof(req));
-    req.n.nlmsg_flags = NLM_F_REQUEST;
-    req.n.nlmsg_type = XFRM_MSG_ALLOCSPI;
-
-    ip2xfrm(src, &req.spi.info.saddr);
-    ip2xfrm(dst, &req.spi.info.id.daddr);
-    req.spi.info.mode = tunnel_mode;
-    req.spi.info.reqid = reqid;
-    req.spi.info.id.proto = proto;
-    req.spi.info.family = src->u.v4.sin_family;
-    req.spi.min = min;
-    req.spi.max = max;
-
-    req.n.nlmsg_len = NLMSG_ALIGN(NLMSG_LENGTH(sizeof(req.spi)));
-    rsp.n.nlmsg_type = XFRM_MSG_NEWSA;
-
-    if (!send_netlink_msg(&req.n, &rsp.n, sizeof(rsp), "Get SPI", text_said))
-	return 0;
-
-    if (netlink_error("XFRM_MSG_ALLOCSPI", &rsp.n, &rsp.u.e, sizeof(rsp.u.sa)))
-	return 0;
-
-    DBG(DBG_KLIPS,
-	DBG_log("netlink_get_spi: allocated 0x%x for %s"
-	    , ntohl(rsp.u.sa.id.spi), text_said));
-    return rsp.u.sa.id.spi;
+	struct {
+		struct nlmsghdr n;
+		struct xfrm_userspi_info spi;
+	} req;
+
+	struct {
+		struct nlmsghdr n;
+		union {
+			struct nlmsgerr e;
+			struct xfrm_usersa_info sa;
+		} u;
+		char data[1024];
+	} rsp;
+
+	memset(&req, 0, sizeof(req));
+	req.n.nlmsg_flags = NLM_F_REQUEST;
+	req.n.nlmsg_type = XFRM_MSG_ALLOCSPI;
+
+	ip2xfrm(src, &req.spi.info.saddr);
+	ip2xfrm(dst, &req.spi.info.id.daddr);
+	req.spi.info.mode = tunnel_mode;
+	req.spi.info.reqid = reqid;
+	req.spi.info.id.proto = proto;
+	req.spi.info.family = src->u.v4.sin_family;
+	req.spi.min = min;
+	req.spi.max = max;
+
+	req.n.nlmsg_len = NLMSG_ALIGN(NLMSG_LENGTH(sizeof(req.spi)));
+	rsp.n.nlmsg_type = XFRM_MSG_NEWSA;
+
+	if (!send_netlink_msg(&req.n, &rsp.n, sizeof(rsp), "Get SPI", text_said))
+		return 0;
+
+	if (netlink_error("XFRM_MSG_ALLOCSPI", &rsp.n, &rsp.u.e, sizeof(rsp.u.sa)))
+		return 0;
+
+	DBG(DBG_KLIPS,
+		DBG_log("netlink_get_spi: allocated 0x%x for %s"
+			, ntohl(rsp.u.sa.id.spi), text_said));
+	return rsp.u.sa.id.spi;
 }
 
 const struct kernel_ops linux_kernel_ops = {
-	type: KERNEL_TYPE_LINUX,
-	inbound_eroute: 1,
-	policy_lifetime: 1,
-	async_fdp: &netlink_bcast_fd,
-
-	init: init_netlink,
-	pfkey_register: linux_pfkey_register,
-	pfkey_register_response: linux_pfkey_register_response,
-	process_msg: netlink_process_msg,
-	raw_eroute: netlink_raw_eroute,
-	get_policy: netlink_get_policy,
-	add_sa: netlink_add_sa,
-	del_sa: netlink_del_sa,
-	get_sa: netlink_get_sa,
-	process_queue: NULL,
-	grp_sa: NULL,
-	get_spi: netlink_get_spi,
+		type: KERNEL_TYPE_LINUX,
+		inbound_eroute: 1,
+		policy_lifetime: 1,
+		async_fdp: &netlink_bcast_fd,
+
+		init: init_netlink,
+		pfkey_register: linux_pfkey_register,
+		pfkey_register_response: linux_pfkey_register_response,
+		process_msg: netlink_process_msg,
+		raw_eroute: netlink_raw_eroute,
+		get_policy: netlink_get_policy,
+		add_sa: netlink_add_sa,
+		del_sa: netlink_del_sa,
+		get_sa: netlink_get_sa,
+		process_queue: NULL,
+		grp_sa: NULL,
+		get_spi: netlink_get_spi,
 };
 #endif /* linux && KLIPS */
diff --git a/src/pluto/kernel_netlink.h b/src/pluto/kernel_netlink.h
index 91ba71c5c..65163c966 100644
--- a/src/pluto/kernel_netlink.h
+++ b/src/pluto/kernel_netlink.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: kernel_netlink.h 3252 2007-10-06 21:24:50Z andreas $
  */
 
 #if defined(KLIPS) && defined(linux)
diff --git a/src/pluto/kernel_noklips.c b/src/pluto/kernel_noklips.c
index 4ac3eb153..82a6ab648 100644
--- a/src/pluto/kernel_noklips.c
+++ b/src/pluto/kernel_noklips.c
@@ -13,8 +13,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: kernel_noklips.c 3252 2007-10-06 21:24:50Z andreas $
  */
 
 #include <errno.h>
@@ -39,7 +37,7 @@
 #include "kernel.h"
 #include "kernel_noklips.h"
 #include "log.h"
-#include "whack.h"	/* for RC_LOG_SERIOUS */
+#include "whack.h"      /* for RC_LOG_SERIOUS */
 
 void
 init_noklips(void)
@@ -71,30 +69,30 @@ noklips_register(void)
 
 static bool
 noklips_raw_eroute(const ip_address *this_host UNUSED
-		   , const ip_subnet *this_client UNUSED
-		   , const ip_address *that_host UNUSED
-		   , const ip_subnet *that_client UNUSED
-		   , ipsec_spi_t spi UNUSED
-		   , unsigned int satype UNUSED
-		   , unsigned int transport_proto UNUSED
-		   , const struct pfkey_proto_info *proto_info UNUSED
-		   , time_t use_lifetime UNUSED
-		   , unsigned int op UNUSED
-		   , const char *text_said UNUSED)
+				   , const ip_subnet *this_client UNUSED
+				   , const ip_address *that_host UNUSED
+				   , const ip_subnet *that_client UNUSED
+				   , ipsec_spi_t spi UNUSED
+				   , unsigned int satype UNUSED
+				   , unsigned int transport_proto UNUSED
+				   , const struct pfkey_proto_info *proto_info UNUSED
+				   , time_t use_lifetime UNUSED
+				   , unsigned int op UNUSED
+				   , const char *text_said UNUSED)
 {
   return TRUE;
 }
 
 static bool
 noklips_add_sa(const struct kernel_sa *sa UNUSED
-	       , bool replace UNUSED)
+			   , bool replace UNUSED)
 {
   return TRUE;
 }
 
 static bool
 noklips_grp_sa(const struct kernel_sa *sa0 UNUSED
-	       , const struct kernel_sa *sa1 UNUSED)
+			   , const struct kernel_sa *sa1 UNUSED)
 {
   return TRUE;
 }
@@ -107,20 +105,20 @@ noklips_del_sa(const struct kernel_sa *sa UNUSED)
 
 
 const struct kernel_ops noklips_kernel_ops = {
-	type: KERNEL_TYPE_NONE,
-	async_fdp: NULL,
-	
-	init: init_noklips,
-	pfkey_register: noklips_register,
-	pfkey_register_response: noklips_register_response,
-	process_queue: noklips_dequeue,
-	process_msg: noklips_event,
-	raw_eroute: noklips_raw_eroute,
-	add_sa: noklips_add_sa,
-	grp_sa: noklips_grp_sa,
-	del_sa: noklips_del_sa,
-	get_sa: NULL,
-	get_spi: NULL,
-        inbound_eroute: FALSE,
-	policy_lifetime: FALSE
+		type: KERNEL_TYPE_NONE,
+		async_fdp: NULL,
+		
+		init: init_noklips,
+		pfkey_register: noklips_register,
+		pfkey_register_response: noklips_register_response,
+		process_queue: noklips_dequeue,
+		process_msg: noklips_event,
+		raw_eroute: noklips_raw_eroute,
+		add_sa: noklips_add_sa,
+		grp_sa: noklips_grp_sa,
+		del_sa: noklips_del_sa,
+		get_sa: NULL,
+		get_spi: NULL,
+		inbound_eroute: FALSE,
+		policy_lifetime: FALSE
 };
diff --git a/src/pluto/kernel_noklips.h b/src/pluto/kernel_noklips.h
index db819eed7..3da55d80b 100644
--- a/src/pluto/kernel_noklips.h
+++ b/src/pluto/kernel_noklips.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: kernel_noklips.h 3252 2007-10-06 21:24:50Z andreas $
  */
 
 extern void init_noklips(void);
diff --git a/src/pluto/kernel_pfkey.c b/src/pluto/kernel_pfkey.c
index 742afaf52..7ac405fd4 100644
--- a/src/pluto/kernel_pfkey.c
+++ b/src/pluto/kernel_pfkey.c
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: kernel_pfkey.c 3252 2007-10-06 21:24:50Z andreas $
  */
 
 #ifdef KLIPS
@@ -40,7 +38,7 @@
 #include "kernel.h"
 #include "kernel_pfkey.h"
 #include "log.h"
-#include "whack.h"	/* for RC_LOG_SERIOUS */
+#include "whack.h"      /* for RC_LOG_SERIOUS */
 #include "demux.h"
 #include "nat_traversal.h"
 #include "alg_info.h"
@@ -50,64 +48,64 @@
 static int pfkeyfd = NULL_FD;
 
 typedef u_int32_t pfkey_seq_t;
-static pfkey_seq_t pfkey_seq = 0;	/* sequence number for our PF_KEY messages */
+static pfkey_seq_t pfkey_seq = 0;       /* sequence number for our PF_KEY messages */
 
 static pid_t pid;
 
-#define NE(x) { x, #x }	/* Name Entry -- shorthand for sparse_names */
+#define NE(x) { x, #x } /* Name Entry -- shorthand for sparse_names */
 
 static sparse_names pfkey_type_names = {
-	NE(SADB_RESERVED),
-	NE(SADB_GETSPI),
-	NE(SADB_UPDATE),
-	NE(SADB_ADD),
-	NE(SADB_DELETE),
-	NE(SADB_GET),
-	NE(SADB_ACQUIRE),
-	NE(SADB_REGISTER),
-	NE(SADB_EXPIRE),
-	NE(SADB_FLUSH),
-	NE(SADB_DUMP),
-	NE(SADB_X_PROMISC),
-	NE(SADB_X_PCHANGE),
-	NE(SADB_X_GRPSA),
-	NE(SADB_X_ADDFLOW),
-	NE(SADB_X_DELFLOW),
-	NE(SADB_X_DEBUG),
-	NE(SADB_X_NAT_T_NEW_MAPPING),
-	NE(SADB_MAX),	
-	{ 0, sparse_end }
+		NE(SADB_RESERVED),
+		NE(SADB_GETSPI),
+		NE(SADB_UPDATE),
+		NE(SADB_ADD),
+		NE(SADB_DELETE),
+		NE(SADB_GET),
+		NE(SADB_ACQUIRE),
+		NE(SADB_REGISTER),
+		NE(SADB_EXPIRE),
+		NE(SADB_FLUSH),
+		NE(SADB_DUMP),
+		NE(SADB_X_PROMISC),
+		NE(SADB_X_PCHANGE),
+		NE(SADB_X_GRPSA),
+		NE(SADB_X_ADDFLOW),
+		NE(SADB_X_DELFLOW),
+		NE(SADB_X_DEBUG),
+		NE(SADB_X_NAT_T_NEW_MAPPING),
+		NE(SADB_MAX),   
+		{ 0, sparse_end }
 };
 
 #ifdef NEVER /* not needed yet */
 static sparse_names pfkey_ext_names = {
-	NE(SADB_EXT_RESERVED),
-	NE(SADB_EXT_SA),
-	NE(SADB_EXT_LIFETIME_CURRENT),
-	NE(SADB_EXT_LIFETIME_HARD),
-	NE(SADB_EXT_LIFETIME_SOFT),
-	NE(SADB_EXT_ADDRESS_SRC),
-	NE(SADB_EXT_ADDRESS_DST),
-	NE(SADB_EXT_ADDRESS_PROXY),
-	NE(SADB_EXT_KEY_AUTH),
-	NE(SADB_EXT_KEY_ENCRYPT),
-	NE(SADB_EXT_IDENTITY_SRC),
-	NE(SADB_EXT_IDENTITY_DST),
-	NE(SADB_EXT_SENSITIVITY),
-	NE(SADB_EXT_PROPOSAL),
-	NE(SADB_EXT_SUPPORTED_AUTH),
-	NE(SADB_EXT_SUPPORTED_ENCRYPT),
-	NE(SADB_EXT_SPIRANGE),
-	NE(SADB_X_EXT_KMPRIVATE),
-	NE(SADB_X_EXT_SATYPE2),
-	NE(SADB_X_EXT_SA2),
-	NE(SADB_X_EXT_ADDRESS_DST2),
-	NE(SADB_X_EXT_ADDRESS_SRC_FLOW),
-	NE(SADB_X_EXT_ADDRESS_DST_FLOW),
-	NE(SADB_X_EXT_ADDRESS_SRC_MASK),
-	NE(SADB_X_EXT_ADDRESS_DST_MASK),
-	NE(SADB_X_EXT_DEBUG),
-	{ 0, sparse_end }
+		NE(SADB_EXT_RESERVED),
+		NE(SADB_EXT_SA),
+		NE(SADB_EXT_LIFETIME_CURRENT),
+		NE(SADB_EXT_LIFETIME_HARD),
+		NE(SADB_EXT_LIFETIME_SOFT),
+		NE(SADB_EXT_ADDRESS_SRC),
+		NE(SADB_EXT_ADDRESS_DST),
+		NE(SADB_EXT_ADDRESS_PROXY),
+		NE(SADB_EXT_KEY_AUTH),
+		NE(SADB_EXT_KEY_ENCRYPT),
+		NE(SADB_EXT_IDENTITY_SRC),
+		NE(SADB_EXT_IDENTITY_DST),
+		NE(SADB_EXT_SENSITIVITY),
+		NE(SADB_EXT_PROPOSAL),
+		NE(SADB_EXT_SUPPORTED_AUTH),
+		NE(SADB_EXT_SUPPORTED_ENCRYPT),
+		NE(SADB_EXT_SPIRANGE),
+		NE(SADB_X_EXT_KMPRIVATE),
+		NE(SADB_X_EXT_SATYPE2),
+		NE(SADB_X_EXT_SA2),
+		NE(SADB_X_EXT_ADDRESS_DST2),
+		NE(SADB_X_EXT_ADDRESS_SRC_FLOW),
+		NE(SADB_X_EXT_ADDRESS_DST_FLOW),
+		NE(SADB_X_EXT_ADDRESS_SRC_MASK),
+		NE(SADB_X_EXT_ADDRESS_DST_MASK),
+		NE(SADB_X_EXT_DEBUG),
+		{ 0, sparse_end }
 };
 #endif /* NEVER */
 
@@ -116,24 +114,24 @@ static sparse_names pfkey_ext_names = {
 void
 init_pfkey(void)
 {
-    pid = getpid();
+	pid = getpid();
 
-    /* open PF_KEY socket */
+	/* open PF_KEY socket */
 
-    pfkeyfd = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
+	pfkeyfd = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
 
-    if (pfkeyfd == -1)
-	exit_log_errno((e, "socket() in init_pfkeyfd()"));
+	if (pfkeyfd == -1)
+		exit_log_errno((e, "socket() in init_pfkeyfd()"));
 
-#ifdef NEVER	/* apparently unsupported! */
-    if (fcntl(pfkeyfd, F_SETFL, O_NONBLOCK) != 0)
-	exit_log_errno((e, "fcntl(O_NONBLOCK) in init_pfkeyfd()"));
+#ifdef NEVER    /* apparently unsupported! */
+	if (fcntl(pfkeyfd, F_SETFL, O_NONBLOCK) != 0)
+		exit_log_errno((e, "fcntl(O_NONBLOCK) in init_pfkeyfd()"));
 #endif
-    if (fcntl(pfkeyfd, F_SETFD, FD_CLOEXEC) != 0)
-	exit_log_errno((e, "fcntl(FD_CLOEXEC) in init_pfkeyfd()"));
+	if (fcntl(pfkeyfd, F_SETFD, FD_CLOEXEC) != 0)
+		exit_log_errno((e, "fcntl(FD_CLOEXEC) in init_pfkeyfd()"));
 
-    DBG(DBG_KLIPS,
-	DBG_log("process %u listening for PF_KEY_V2 on file descriptor %d", (unsigned)pid, pfkeyfd));
+	DBG(DBG_KLIPS,
+		DBG_log("process %u listening for PF_KEY_V2 on file descriptor %d", (unsigned)pid, pfkeyfd));
 }
 
 /* Kinds of PF_KEY message from the kernel:
@@ -153,9 +151,9 @@ init_pfkey(void)
  */
 
 typedef union {
-	unsigned char bytes[PFKEYv2_MAX_MSGSIZE];
-	struct sadb_msg msg;
-    } pfkey_buf;
+		unsigned char bytes[PFKEYv2_MAX_MSGSIZE];
+		struct sadb_msg msg;
+	} pfkey_buf;
 
 /* queue of unprocessed PF_KEY messages input from kernel
  * Note that the pfkey_buf may be partly allocated, reflecting
@@ -163,41 +161,41 @@ typedef union {
  * must come first.
  */
 typedef struct pfkey_item {
-	struct pfkey_item *next;
-	pfkey_buf buf;
-    } pfkey_item;
+		struct pfkey_item *next;
+		pfkey_buf buf;
+	} pfkey_item;
 
-static pfkey_item *pfkey_iq_head = NULL;	/* oldest */
-static pfkey_item *pfkey_iq_tail;	/* youngest */
+static pfkey_item *pfkey_iq_head = NULL;        /* oldest */
+static pfkey_item *pfkey_iq_tail;       /* youngest */
 
 static bool
 pfkey_input_ready(void)
 {
-    fd_set readfds;
-    int ndes;
-    struct timeval tm;
+	fd_set readfds;
+	int ndes;
+	struct timeval tm;
 
-    tm.tv_sec = 0;	/* don't wait at all */
-    tm.tv_usec = 0;
+	tm.tv_sec = 0;      /* don't wait at all */
+	tm.tv_usec = 0;
 
-    FD_ZERO(&readfds);	/* we only care about pfkeyfd */
-    FD_SET(pfkeyfd, &readfds);
+	FD_ZERO(&readfds);  /* we only care about pfkeyfd */
+	FD_SET(pfkeyfd, &readfds);
 
-    do {
-	ndes = select(pfkeyfd + 1, &readfds, NULL, NULL, &tm);
-    } while (ndes == -1 && errno == EINTR);
+	do {
+		ndes = select(pfkeyfd + 1, &readfds, NULL, NULL, &tm);
+	} while (ndes == -1 && errno == EINTR);
 
-    if (ndes < 0)
-    {
-	log_errno((e, "select() failed in pfkey_get()"));
-	return FALSE;
-    }
+	if (ndes < 0)
+	{
+		log_errno((e, "select() failed in pfkey_get()"));
+		return FALSE;
+	}
 
-    if (ndes == 0)
-	return FALSE;	/* nothing to read */
+	if (ndes == 0)
+		return FALSE;   /* nothing to read */
 
-    passert(ndes == 1 && FD_ISSET(pfkeyfd, &readfds));
-    return TRUE;
+	passert(ndes == 1 && FD_ISSET(pfkeyfd, &readfds));
+	return TRUE;
 }
 
 /* get a PF_KEY message from kernel.
@@ -210,93 +208,93 @@ pfkey_input_ready(void)
 static bool
 pfkey_get(pfkey_buf *buf)
 {
-    for (;;)
-    {
-	/* len must be less than PFKEYv2_MAX_MSGSIZE,
-	 * so it should fit in an int.  We use this fact when printing it.
-	 */
-	ssize_t len;
+	for (;;)
+	{
+		/* len must be less than PFKEYv2_MAX_MSGSIZE,
+		 * so it should fit in an int.  We use this fact when printing it.
+		 */
+		ssize_t len;
 
-	if (!pfkey_input_ready())
-	    return FALSE;
+		if (!pfkey_input_ready())
+			return FALSE;
 
-	len = read(pfkeyfd, buf->bytes, sizeof(buf->bytes));
+		len = read(pfkeyfd, buf->bytes, sizeof(buf->bytes));
 
-	if (len < 0)
-	{
-	    if (errno == EAGAIN)
-		return FALSE;
+		if (len < 0)
+		{
+			if (errno == EAGAIN)
+				return FALSE;
 
-	    log_errno((e, "read() failed in pfkey_get()"));
-	    return FALSE;
-	}
-	else if ((size_t) len < sizeof(buf->msg))
-	{
-	    plog("pfkey_get read truncated PF_KEY message: %d bytes; ignoring message"
-		, (int) len);
-	}
-	else if ((size_t) len != buf->msg.sadb_msg_len * IPSEC_PFKEYv2_ALIGN)
-	{
-	    plog("pfkey_get read PF_KEY message with length %d that doesn't equal sadb_msg_len %u * %u; ignoring message"
-		, (int) len
-		, (unsigned) buf->msg.sadb_msg_len
-		, (unsigned) IPSEC_PFKEYv2_ALIGN);
-	}
-	else if (!(buf->msg.sadb_msg_pid == (unsigned)pid
-	|| (buf->msg.sadb_msg_pid == 0 && buf->msg.sadb_msg_type == SADB_ACQUIRE)
-	|| (buf->msg.sadb_msg_type == SADB_REGISTER)
-	|| (buf->msg.sadb_msg_pid == 0 && buf->msg.sadb_msg_type == SADB_X_NAT_T_NEW_MAPPING)))
-	{
-	    /* not for us: ignore */
-	    DBG(DBG_KLIPS,
-		DBG_log("pfkey_get: ignoring PF_KEY %s message %u for process %u"
-		    , sparse_val_show(pfkey_type_names, buf->msg.sadb_msg_type)
-		    , buf->msg.sadb_msg_seq
-		    , buf->msg.sadb_msg_pid));
-	}
-	else
-	{
-	    DBG(DBG_KLIPS,
-		DBG_log("pfkey_get: %s message %u"
-		    , sparse_val_show(pfkey_type_names, buf->msg.sadb_msg_type)
-		    , buf->msg.sadb_msg_seq));
-	    return TRUE;
+			log_errno((e, "read() failed in pfkey_get()"));
+			return FALSE;
+		}
+		else if ((size_t) len < sizeof(buf->msg))
+		{
+			plog("pfkey_get read truncated PF_KEY message: %d bytes; ignoring message"
+				, (int) len);
+		}
+		else if ((size_t) len != buf->msg.sadb_msg_len * IPSEC_PFKEYv2_ALIGN)
+		{
+			plog("pfkey_get read PF_KEY message with length %d that doesn't equal sadb_msg_len %u * %u; ignoring message"
+				, (int) len
+				, (unsigned) buf->msg.sadb_msg_len
+				, (unsigned) IPSEC_PFKEYv2_ALIGN);
+		}
+		else if (!(buf->msg.sadb_msg_pid == (unsigned)pid
+		|| (buf->msg.sadb_msg_pid == 0 && buf->msg.sadb_msg_type == SADB_ACQUIRE)
+		|| (buf->msg.sadb_msg_type == SADB_REGISTER)
+		|| (buf->msg.sadb_msg_pid == 0 && buf->msg.sadb_msg_type == SADB_X_NAT_T_NEW_MAPPING)))
+		{
+			/* not for us: ignore */
+			DBG(DBG_KLIPS,
+				DBG_log("pfkey_get: ignoring PF_KEY %s message %u for process %u"
+					, sparse_val_show(pfkey_type_names, buf->msg.sadb_msg_type)
+					, buf->msg.sadb_msg_seq
+					, buf->msg.sadb_msg_pid));
+		}
+		else
+		{
+			DBG(DBG_KLIPS,
+				DBG_log("pfkey_get: %s message %u"
+					, sparse_val_show(pfkey_type_names, buf->msg.sadb_msg_type)
+					, buf->msg.sadb_msg_seq));
+			return TRUE;
+		}
 	}
-    }
 }
 
 /* get a response to a specific message */
 static bool
 pfkey_get_response(pfkey_buf *buf, pfkey_seq_t seq)
 {
-    while (pfkey_get(buf))
-    {
-	if (buf->msg.sadb_msg_pid == (unsigned)pid
-	&& buf->msg.sadb_msg_seq == seq)
+	while (pfkey_get(buf))
 	{
-	    return TRUE;
-	}
-	else
-	{
-	    /* Not for us: queue it. */
-	    size_t bl = buf->msg.sadb_msg_len * IPSEC_PFKEYv2_ALIGN;
-	    pfkey_item *it = alloc_bytes(offsetof(pfkey_item, buf) + bl, "pfkey_item");
-
-	    memcpy(&it->buf, buf, bl);
-
-	    it->next = NULL;
-	    if (pfkey_iq_head == NULL)
-	    {
-		pfkey_iq_head = it;
-	    }
-	    else
-	    {
-		pfkey_iq_tail->next = it;
-	    }
-	    pfkey_iq_tail = it;
+		if (buf->msg.sadb_msg_pid == (unsigned)pid
+		&& buf->msg.sadb_msg_seq == seq)
+		{
+			return TRUE;
+		}
+		else
+		{
+			/* Not for us: queue it. */
+			size_t bl = buf->msg.sadb_msg_len * IPSEC_PFKEYv2_ALIGN;
+			pfkey_item *it = malloc(offsetof(pfkey_item, buf) + bl);
+
+			memcpy(&it->buf, buf, bl);
+
+			it->next = NULL;
+			if (pfkey_iq_head == NULL)
+			{
+				pfkey_iq_head = it;
+			}
+			else
+			{
+				pfkey_iq_tail->next = it;
+			}
+			pfkey_iq_tail = it;
+		}
 	}
-    }
-    return FALSE;
+	return FALSE;
 }
 
 /* Process a SADB_REGISTER message from the kernel.
@@ -307,34 +305,34 @@ pfkey_get_response(pfkey_buf *buf, pfkey_seq_t seq)
 static void
 klips_pfkey_register_response(const struct sadb_msg *msg)
 {
-    /* Find out what the kernel can support.
-     * In fact, the only question at the moment
-     * is whether it can support IPcomp.
-     * So we ignore the rest.
-     * ??? we really should pay attention to what transforms are supported.
-     */
-    switch (msg->sadb_msg_satype)
-    {
-    case SADB_SATYPE_AH:
-	break;
-    case SADB_SATYPE_ESP:
+	/* Find out what the kernel can support.
+	 * In fact, the only question at the moment
+	 * is whether it can support IPcomp.
+	 * So we ignore the rest.
+	 * ??? we really should pay attention to what transforms are supported.
+	 */
+	switch (msg->sadb_msg_satype)
+	{
+	case SADB_SATYPE_AH:
+		break;
+	case SADB_SATYPE_ESP:
 #ifndef NO_KERNEL_ALG
-	kernel_alg_register_pfkey(msg, sizeof (pfkey_buf));
+		kernel_alg_register_pfkey(msg, sizeof (pfkey_buf));
 #endif
-	break;
-    case SADB_X_SATYPE_COMP:
-	/* ??? There ought to be an extension to list the
-	 * supported algorithms, but RFC 2367 doesn't
-	 * list one for IPcomp.  KLIPS uses SADB_X_CALG_DEFLATE.
-	 * Since we only implement deflate, we'll assume this.
-	 */
-	can_do_IPcomp = TRUE;
-	break;
-    case SADB_X_SATYPE_IPIP:
-	break;
-    default:
-	break;
-    }
+		break;
+	case SADB_X_SATYPE_COMP:
+		/* ??? There ought to be an extension to list the
+		 * supported algorithms, but RFC 2367 doesn't
+		 * list one for IPcomp.  KLIPS uses SADB_X_CALG_DEFLATE.
+		 * Since we only implement deflate, we'll assume this.
+		 */
+		can_do_IPcomp = TRUE;
+		break;
+	case SADB_X_SATYPE_IPIP:
+		break;
+	default:
+		break;
+	}
 }
 
 /* Processs a SADB_ACQUIRE message from KLIPS.
@@ -357,33 +355,33 @@ klips_pfkey_register_response(const struct sadb_msg *msg)
 static void
 process_pfkey_acquire(pfkey_buf *buf, struct sadb_ext *extensions[SADB_EXT_MAX + 1])
 {
-    struct sadb_address *srcx = (void *) extensions[SADB_EXT_ADDRESS_SRC];
-    struct sadb_address *dstx = (void *) extensions[SADB_EXT_ADDRESS_DST];
-    int src_proto = srcx->sadb_address_proto;
-    int dst_proto = dstx->sadb_address_proto;
-    ip_address *src = (ip_address*)&srcx[1];
-    ip_address *dst = (ip_address*)&dstx[1];
-    ip_subnet ours, his;
-    err_t ugh = NULL;
-
-    /* assumption: we're only catching our own outgoing packets
-     * so source is our end and destination is the other end.
-     * Verifying this is not actually convenient.
-     *
-     * This stylized control structure yields a complaint or
-     * desired results.  For compactness, a pointer value is
-     * treated as a boolean.  Logically, the structure is:
-     * keep going as long as things are OK.
-     */
-    if (buf->msg.sadb_msg_pid == 0	/* we only wish to hear from kernel */
-    && !(ugh = src_proto == dst_proto? NULL : "src and dst protocols differ")
-    && !(ugh = addrtypeof(src) == addrtypeof(dst)? NULL : "conflicting address types")
-    && !(ugh = addrtosubnet(src, &ours))
-    && !(ugh = addrtosubnet(dst, &his)))
-	record_and_initiate_opportunistic(&ours, &his, src_proto, "%acquire");
-
-    if (ugh != NULL)
-	plog("SADB_ACQUIRE message from KLIPS malformed: %s", ugh);
+	struct sadb_address *srcx = (void *) extensions[SADB_EXT_ADDRESS_SRC];
+	struct sadb_address *dstx = (void *) extensions[SADB_EXT_ADDRESS_DST];
+	int src_proto = srcx->sadb_address_proto;
+	int dst_proto = dstx->sadb_address_proto;
+	ip_address *src = (ip_address*)&srcx[1];
+	ip_address *dst = (ip_address*)&dstx[1];
+	ip_subnet ours, his;
+	err_t ugh = NULL;
+
+	/* assumption: we're only catching our own outgoing packets
+	 * so source is our end and destination is the other end.
+	 * Verifying this is not actually convenient.
+	 *
+	 * This stylized control structure yields a complaint or
+	 * desired results.  For compactness, a pointer value is
+	 * treated as a boolean.  Logically, the structure is:
+	 * keep going as long as things are OK.
+	 */
+	if (buf->msg.sadb_msg_pid == 0      /* we only wish to hear from kernel */
+	&& !(ugh = src_proto == dst_proto? NULL : "src and dst protocols differ")
+	&& !(ugh = addrtypeof(src) == addrtypeof(dst)? NULL : "conflicting address types")
+	&& !(ugh = addrtosubnet(src, &ours))
+	&& !(ugh = addrtosubnet(dst, &his)))
+		record_and_initiate_opportunistic(&ours, &his, src_proto, "%acquire");
+
+	if (ugh != NULL)
+		plog("SADB_ACQUIRE message from KLIPS malformed: %s", ugh);
 
 }
 
@@ -394,73 +392,73 @@ process_pfkey_acquire(pfkey_buf *buf, struct sadb_ext *extensions[SADB_EXT_MAX +
 static void
 pfkey_async(pfkey_buf *buf)
 {
-    struct sadb_ext *extensions[SADB_EXT_MAX + 1];
-
-    if (pfkey_msg_parse(&buf->msg, NULL, extensions, EXT_BITS_OUT))
-    {
-	plog("pfkey_async:"
-	    " unparseable PF_KEY message:"
-	    " %s len=%d, errno=%d, seq=%d, pid=%d; message ignored"
-	    , sparse_val_show(pfkey_type_names, buf->msg.sadb_msg_type)
-	    , buf->msg.sadb_msg_len
-	    , buf->msg.sadb_msg_errno
-	    , buf->msg.sadb_msg_seq
-	    , buf->msg.sadb_msg_pid);
-    }
-    else
-    {
-	DBG(DBG_CONTROL | DBG_KLIPS, DBG_log("pfkey_async:"
-	    " %s len=%u, errno=%u, satype=%u, seq=%u, pid=%u"
-	    , sparse_val_show(pfkey_type_names, buf->msg.sadb_msg_type)
-	    , buf->msg.sadb_msg_len
-	    , buf->msg.sadb_msg_errno
-	    , buf->msg.sadb_msg_satype
-	    , buf->msg.sadb_msg_seq
-	    , buf->msg.sadb_msg_pid));
-
-	switch (buf->msg.sadb_msg_type)
+	struct sadb_ext *extensions[SADB_EXT_MAX + 1];
+
+	if (pfkey_msg_parse(&buf->msg, NULL, extensions, EXT_BITS_OUT))
 	{
-	case SADB_REGISTER:
-	    kernel_ops->pfkey_register_response(&buf->msg);
-	    break;
-	case SADB_ACQUIRE:
-	    /* to simulate loss of ACQUIRE, delete this call */
-	    process_pfkey_acquire(buf, extensions);
-	    break;
-	case SADB_X_NAT_T_NEW_MAPPING:
-	    process_pfkey_nat_t_new_mapping(&(buf->msg), extensions);
-	    break;
-	default:
-	    /* ignored */
-	    break;
+		plog("pfkey_async:"
+			" unparseable PF_KEY message:"
+			" %s len=%d, errno=%d, seq=%d, pid=%d; message ignored"
+			, sparse_val_show(pfkey_type_names, buf->msg.sadb_msg_type)
+			, buf->msg.sadb_msg_len
+			, buf->msg.sadb_msg_errno
+			, buf->msg.sadb_msg_seq
+			, buf->msg.sadb_msg_pid);
+	}
+	else
+	{
+		DBG(DBG_CONTROL | DBG_KLIPS, DBG_log("pfkey_async:"
+			" %s len=%u, errno=%u, satype=%u, seq=%u, pid=%u"
+			, sparse_val_show(pfkey_type_names, buf->msg.sadb_msg_type)
+			, buf->msg.sadb_msg_len
+			, buf->msg.sadb_msg_errno
+			, buf->msg.sadb_msg_satype
+			, buf->msg.sadb_msg_seq
+			, buf->msg.sadb_msg_pid));
+
+		switch (buf->msg.sadb_msg_type)
+		{
+		case SADB_REGISTER:
+			kernel_ops->pfkey_register_response(&buf->msg);
+			break;
+		case SADB_ACQUIRE:
+			/* to simulate loss of ACQUIRE, delete this call */
+			process_pfkey_acquire(buf, extensions);
+			break;
+		case SADB_X_NAT_T_NEW_MAPPING:
+			process_pfkey_nat_t_new_mapping(&(buf->msg), extensions);
+			break;
+		default:
+			/* ignored */
+			break;
+		}
 	}
-    }
 }
 
 /* asynchronous messages from our queue */
 static void
 pfkey_dequeue(void)
 {
-    while (pfkey_iq_head != NULL)
-    {
-	pfkey_item *it = pfkey_iq_head;
-
-	pfkey_async(&it->buf);
-	pfkey_iq_head = it->next;
-	pfree(it);
-    }
-
-    /* Handle any orphaned holds, but only if no pfkey input is pending.
-     * For each, we initiate Opportunistic.
-     * note: we don't need to advance the pointer because
-     * record_and_initiate_opportunistic will remove the current
-     * record each time we call it.
-     */
-    while (orphaned_holds != NULL && !pfkey_input_ready())
-      record_and_initiate_opportunistic(&orphaned_holds->ours
-					, &orphaned_holds->his
-					, orphaned_holds->transport_proto
-					, "%hold found-pfkey");
+	while (pfkey_iq_head != NULL)
+	{
+		pfkey_item *it = pfkey_iq_head;
+
+		pfkey_async(&it->buf);
+		pfkey_iq_head = it->next;
+		free(it);
+	}
+
+	/* Handle any orphaned holds, but only if no pfkey input is pending.
+	 * For each, we initiate Opportunistic.
+	 * note: we don't need to advance the pointer because
+	 * record_and_initiate_opportunistic will remove the current
+	 * record each time we call it.
+	 */
+	while (orphaned_holds != NULL && !pfkey_input_ready())
+	  record_and_initiate_opportunistic(&orphaned_holds->ours
+										, &orphaned_holds->his
+										, orphaned_holds->transport_proto
+										, "%hold found-pfkey");
 
 }
 
@@ -468,10 +466,10 @@ pfkey_dequeue(void)
 static void
 pfkey_event(void)
 {
-    pfkey_buf buf;
+	pfkey_buf buf;
 
-    if (pfkey_get(&buf))
-	pfkey_async(&buf);
+	if (pfkey_get(&buf))
+		pfkey_async(&buf);
 }
 
 static bool
@@ -480,17 +478,17 @@ pfkey_build(int error
 , const char *text_said
 , struct sadb_ext *extensions[SADB_EXT_MAX + 1])
 {
-    if (error == 0)
-    {
-	return TRUE;
-    }
-    else
-    {
-	loglog(RC_LOG_SERIOUS, "building of %s %s failed, code %d"
-	    , description, text_said, error);
-	pfkey_extensions_free(extensions);
-	return FALSE;
-    }
+	if (error == 0)
+	{
+		return TRUE;
+	}
+	else
+	{
+		loglog(RC_LOG_SERIOUS, "building of %s %s failed, code %d"
+			, description, text_said, error);
+		pfkey_extensions_free(extensions);
+		return FALSE;
+	}
 }
 
 /* pfkey_extensions_init + pfkey_build + pfkey_msg_hdr_build */
@@ -501,10 +499,10 @@ pfkey_msg_start(u_int8_t msg_type
 , const char *text_said
 , struct sadb_ext *extensions[SADB_EXT_MAX + 1])
 {
-    pfkey_extensions_init(extensions);
-    return pfkey_build(pfkey_msg_hdr_build(&extensions[0], msg_type
-	    , satype, 0, ++pfkey_seq, pid)
-	, description, text_said, extensions);
+	pfkey_extensions_init(extensions);
+	return pfkey_build(pfkey_msg_hdr_build(&extensions[0], msg_type
+			, satype, 0, ++pfkey_seq, pid)
+		, description, text_said, extensions);
 }
 
 /* pfkey_build + pfkey_address_build */
@@ -515,15 +513,15 @@ pfkeyext_address(u_int16_t exttype
 , const char *text_said
 , struct sadb_ext *extensions[SADB_EXT_MAX + 1])
 {
-    /* the following variable is only needed to silence
-     * a warning caused by the fact that the argument
-     * to sockaddrof is NOT pointer to const!
-     */
-    ip_address t = *address;
-
-    return pfkey_build(pfkey_address_build(extensions + exttype
-	    , exttype, 0, 0, sockaddrof(&t))
-	, description, text_said, extensions);
+	/* the following variable is only needed to silence
+	 * a warning caused by the fact that the argument
+	 * to sockaddrof is NOT pointer to const!
+	 */
+	ip_address t = *address;
+
+	return pfkey_build(pfkey_address_build(extensions + exttype
+			, exttype, 0, 0, sockaddrof(&t))
+		, description, text_said, extensions);
 }
 
 /* pfkey_build + pfkey_x_protocol_build */
@@ -533,10 +531,10 @@ pfkeyext_protocol(int transport_proto
 , const char *text_said
 , struct sadb_ext *extensions[SADB_EXT_MAX + 1])
 {
-    return (transport_proto == 0)? TRUE 
-	: pfkey_build(
-	    pfkey_x_protocol_build(extensions + SADB_X_EXT_PROTOCOL, transport_proto)
-	    , description, text_said, extensions);
+	return (transport_proto == 0)? TRUE 
+		: pfkey_build(
+			pfkey_x_protocol_build(extensions + SADB_X_EXT_PROTOCOL, transport_proto)
+			, description, text_said, extensions);
 }
 
 
@@ -551,376 +549,376 @@ finish_pfkey_msg(struct sadb_ext *extensions[SADB_EXT_MAX + 1]
 , const char *text_said
 , pfkey_buf *response)
 {
-    struct sadb_msg *pfkey_msg;
-    bool success = TRUE;
-    int error;
-
-    error = pfkey_msg_build(&pfkey_msg, extensions, EXT_BITS_IN);
-
-    if (error != 0)
-    {
-	loglog(RC_LOG_SERIOUS, "pfkey_msg_build of %s %s failed, code %d"
-	    , description, text_said, error);
-	success = FALSE;
-    }
-    else
-    {
-	size_t len = pfkey_msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN;
+	struct sadb_msg *pfkey_msg;
+	bool success = TRUE;
+	int error;
 
-	DBG(DBG_KLIPS,
-	    DBG_log("finish_pfkey_msg: %s message %u for %s %s"
-		, sparse_val_show(pfkey_type_names, pfkey_msg->sadb_msg_type)
-		, pfkey_msg->sadb_msg_seq
-		, description, text_said);
-	    DBG_dump(NULL, (void *) pfkey_msg, len));
+	error = pfkey_msg_build(&pfkey_msg, extensions, EXT_BITS_IN);
 
-	if (!no_klips)
+	if (error != 0)
 	{
-	    ssize_t r = write(pfkeyfd, pfkey_msg, len);
-
-	    if (r != (ssize_t)len)
-	    {
-		if (r < 0)
-		{
-		    log_errno((e
-			, "pfkey write() of %s message %u"
-			  " for %s %s failed"
-			, sparse_val_show(pfkey_type_names
-			    , pfkey_msg->sadb_msg_type)
-			, pfkey_msg->sadb_msg_seq
-			, description, text_said));
-		}
-		else
-		{
-		    loglog(RC_LOG_SERIOUS
-			, "ERROR: pfkey write() of %s message %u"
-			  " for %s %s truncated: %ld instead of %ld"
-			, sparse_val_show(pfkey_type_names
-			    , pfkey_msg->sadb_msg_type)
-			, pfkey_msg->sadb_msg_seq
-			, description, text_said
-			, (long)r, (long)len);
-		}
+		loglog(RC_LOG_SERIOUS, "pfkey_msg_build of %s %s failed, code %d"
+			, description, text_said, error);
 		success = FALSE;
+	}
+	else
+	{
+		size_t len = pfkey_msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN;
 
-		/* if we were compiled with debugging, but we haven't already
-		 * dumped the KLIPS command, do so.
-		 */
-#ifdef DEBUG
-		if ((cur_debugging & DBG_KLIPS) == 0)
-		    DBG_dump(NULL, (void *) pfkey_msg, len);
-#endif
-	    }
-	    else
-	    {
-		/* Check response from KLIPS.
-		 * It ought to be an echo, perhaps with additional info.
-		 * If the caller wants it, response will point to space.
-		 */
-		pfkey_buf b;
-		pfkey_buf *bp = response != NULL? response : &b;
+		DBG(DBG_KLIPS,
+			DBG_log("finish_pfkey_msg: %s message %u for %s %s"
+				, sparse_val_show(pfkey_type_names, pfkey_msg->sadb_msg_type)
+				, pfkey_msg->sadb_msg_seq
+				, description, text_said);
+			DBG_dump(NULL, (void *) pfkey_msg, len));
 
-		if (!pfkey_get_response(bp, ((struct sadb_msg *) extensions[0])->sadb_msg_seq))
-		{
-		    loglog(RC_LOG_SERIOUS
-			, "ERROR: no response to our PF_KEY %s message for %s %s"
-			, sparse_val_show(pfkey_type_names, pfkey_msg->sadb_msg_type)
-			, description, text_said);
-		    success = FALSE;
-		}
-		else if (pfkey_msg->sadb_msg_type != bp->msg.sadb_msg_type)
-		{
-		    loglog(RC_LOG_SERIOUS
-			, "FreeS/WAN ERROR: response to our PF_KEY %s message for %s %s was of wrong type (%s)"
-			, sparse_name(pfkey_type_names, pfkey_msg->sadb_msg_type)
-			, description, text_said
-			, sparse_val_show(pfkey_type_names, bp->msg.sadb_msg_type));
-		    success = FALSE;
-		}
-		else if (response == NULL && bp->msg.sadb_msg_errno != 0)
+		if (!no_klips)
 		{
-		    /* KLIPS is signalling a problem */
-		    loglog(RC_LOG_SERIOUS
-			, "ERROR: PF_KEY %s response for %s %s included errno %u: %s"
-			, sparse_val_show(pfkey_type_names, pfkey_msg->sadb_msg_type)
-			, description, text_said
-			, (unsigned) bp->msg.sadb_msg_errno
-			, strerror(bp->msg.sadb_msg_errno));
-		    success = FALSE;
+			ssize_t r = write(pfkeyfd, pfkey_msg, len);
+
+			if (r != (ssize_t)len)
+			{
+				if (r < 0)
+				{
+					log_errno((e
+						, "pfkey write() of %s message %u"
+						  " for %s %s failed"
+						, sparse_val_show(pfkey_type_names
+							, pfkey_msg->sadb_msg_type)
+						, pfkey_msg->sadb_msg_seq
+						, description, text_said));
+				}
+				else
+				{
+					loglog(RC_LOG_SERIOUS
+						, "ERROR: pfkey write() of %s message %u"
+						  " for %s %s truncated: %ld instead of %ld"
+						, sparse_val_show(pfkey_type_names
+							, pfkey_msg->sadb_msg_type)
+						, pfkey_msg->sadb_msg_seq
+						, description, text_said
+						, (long)r, (long)len);
+				}
+				success = FALSE;
+
+				/* if we were compiled with debugging, but we haven't already
+				 * dumped the KLIPS command, do so.
+				 */
+#ifdef DEBUG
+				if ((cur_debugging & DBG_KLIPS) == 0)
+					DBG_dump(NULL, (void *) pfkey_msg, len);
+#endif
+			}
+			else
+			{
+				/* Check response from KLIPS.
+				 * It ought to be an echo, perhaps with additional info.
+				 * If the caller wants it, response will point to space.
+				 */
+				pfkey_buf b;
+				pfkey_buf *bp = response != NULL? response : &b;
+
+				if (!pfkey_get_response(bp, ((struct sadb_msg *) extensions[0])->sadb_msg_seq))
+				{
+					loglog(RC_LOG_SERIOUS
+						, "ERROR: no response to our PF_KEY %s message for %s %s"
+						, sparse_val_show(pfkey_type_names, pfkey_msg->sadb_msg_type)
+						, description, text_said);
+					success = FALSE;
+				}
+				else if (pfkey_msg->sadb_msg_type != bp->msg.sadb_msg_type)
+				{
+					loglog(RC_LOG_SERIOUS
+						, "FreeS/WAN ERROR: response to our PF_KEY %s message for %s %s was of wrong type (%s)"
+						, sparse_name(pfkey_type_names, pfkey_msg->sadb_msg_type)
+						, description, text_said
+						, sparse_val_show(pfkey_type_names, bp->msg.sadb_msg_type));
+					success = FALSE;
+				}
+				else if (response == NULL && bp->msg.sadb_msg_errno != 0)
+				{
+					/* KLIPS is signalling a problem */
+					loglog(RC_LOG_SERIOUS
+						, "ERROR: PF_KEY %s response for %s %s included errno %u: %s"
+						, sparse_val_show(pfkey_type_names, pfkey_msg->sadb_msg_type)
+						, description, text_said
+						, (unsigned) bp->msg.sadb_msg_errno
+						, strerror(bp->msg.sadb_msg_errno));
+					success = FALSE;
+				}
+			}
 		}
-	    }
 	}
-    }
 
-    /* all paths must exit this way to free resources */
-    pfkey_extensions_free(extensions);
-    pfkey_msg_free(&pfkey_msg);
-    return success;
+	/* all paths must exit this way to free resources */
+	pfkey_extensions_free(extensions);
+	pfkey_msg_free(&pfkey_msg);
+	return success;
 }
 
 /*  register SA types that can be negotiated */
 void
 pfkey_register_proto(unsigned satype, const char *satypename)
 {
-    struct sadb_ext *extensions[SADB_EXT_MAX + 1];
-    pfkey_buf pfb;
-
-    if (!(pfkey_msg_start(SADB_REGISTER
-      , satype
-      , satypename, NULL, extensions)
-    && finish_pfkey_msg(extensions, satypename, "", &pfb)))
-    {
-	/* ??? should this be loglog */
-	plog("no KLIPS support for %s", satypename);
-    }
-    else
-    {
-	kernel_ops->pfkey_register_response(&pfb.msg);
-	DBG(DBG_KLIPS,
-	    DBG_log("%s registered with kernel.", satypename));
-    }
+	struct sadb_ext *extensions[SADB_EXT_MAX + 1];
+	pfkey_buf pfb;
+
+	if (!(pfkey_msg_start(SADB_REGISTER
+	  , satype
+	  , satypename, NULL, extensions)
+	&& finish_pfkey_msg(extensions, satypename, "", &pfb)))
+	{
+		/* ??? should this be loglog */
+		plog("no KLIPS support for %s", satypename);
+	}
+	else
+	{
+		kernel_ops->pfkey_register_response(&pfb.msg);
+		DBG(DBG_KLIPS,
+			DBG_log("%s registered with kernel.", satypename));
+	}
 }
 
 static void
 klips_pfkey_register(void)
 {
-    pfkey_register_proto(SADB_SATYPE_AH, "AH");
-    pfkey_register_proto(SADB_SATYPE_ESP, "ESP");
-    can_do_IPcomp = FALSE;  /* until we get a response from KLIPS */
-    pfkey_register_proto(SADB_X_SATYPE_COMP, "IPCOMP");
-    pfkey_register_proto(SADB_X_SATYPE_IPIP, "IPIP");
+	pfkey_register_proto(SADB_SATYPE_AH, "AH");
+	pfkey_register_proto(SADB_SATYPE_ESP, "ESP");
+	can_do_IPcomp = FALSE;  /* until we get a response from KLIPS */
+	pfkey_register_proto(SADB_X_SATYPE_COMP, "IPCOMP");
+	pfkey_register_proto(SADB_X_SATYPE_IPIP, "IPIP");
 }
 
 static bool
 pfkey_raw_eroute(const ip_address *this_host
-		 , const ip_subnet *this_client
-		 , const ip_address *that_host
-		 , const ip_subnet *that_client
-		 , ipsec_spi_t spi
-		 , unsigned int satype
-		 , unsigned int transport_proto
-		 , const struct pfkey_proto_info *proto_info UNUSED
-		 , time_t use_lifetime UNUSED
-		 , unsigned int op
-		 , const char *text_said)
+				 , const ip_subnet *this_client
+				 , const ip_address *that_host
+				 , const ip_subnet *that_client
+				 , ipsec_spi_t spi
+				 , unsigned int satype
+				 , unsigned int transport_proto
+				 , const struct pfkey_proto_info *proto_info UNUSED
+				 , time_t use_lifetime UNUSED
+				 , unsigned int op
+				 , const char *text_said)
 {
-    struct sadb_ext *extensions[SADB_EXT_MAX + 1];
-    ip_address
-	sflow_ska,
-	dflow_ska,
-	smask_ska,
-	dmask_ska;
-    int sport = ntohs(portof(&this_client->addr));
-    int dport = ntohs(portof(&that_client->addr));
-
-    networkof(this_client, &sflow_ska);
-    maskof(this_client, &smask_ska);
-    setportof(sport ? ~0:0, &smask_ska);
-
-    networkof(that_client, &dflow_ska);
-    maskof(that_client, &dmask_ska);
-    setportof(dport ? ~0:0, &dmask_ska);
-
-    if (!pfkey_msg_start(op & ERO_MASK, satype
-		       , "pfkey_msg_hdr flow", text_said, extensions))
-    {
-	return FALSE;
-    }
-
-    if (op != ERO_DELETE)
-    {
-	if (!(pfkey_build(pfkey_sa_build(&extensions[SADB_EXT_SA]
-					 , SADB_EXT_SA
-					 , spi	/* in network order */
-					 , 0, 0, 0, 0, op >> ERO_FLAG_SHIFT)
-			  , "pfkey_sa add flow", text_said, extensions)
-
-	    && pfkeyext_address(SADB_EXT_ADDRESS_SRC, this_host
-		, "pfkey_addr_s add flow", text_said, extensions)
-
-	    && pfkeyext_address(SADB_EXT_ADDRESS_DST, that_host
-				, "pfkey_addr_d add flow", text_said
-				, extensions)))
+	struct sadb_ext *extensions[SADB_EXT_MAX + 1];
+	ip_address
+		sflow_ska,
+		dflow_ska,
+		smask_ska,
+		dmask_ska;
+	int sport = ntohs(portof(&this_client->addr));
+	int dport = ntohs(portof(&that_client->addr));
+
+	networkof(this_client, &sflow_ska);
+	maskof(this_client, &smask_ska);
+	setportof(sport ? ~0:0, &smask_ska);
+
+	networkof(that_client, &dflow_ska);
+	maskof(that_client, &dmask_ska);
+	setportof(dport ? ~0:0, &dmask_ska);
+
+	if (!pfkey_msg_start(op & ERO_MASK, satype
+					   , "pfkey_msg_hdr flow", text_said, extensions))
 	{
-	    return FALSE;
+		return FALSE;
 	}
-    }
 
-    if (!pfkeyext_address(SADB_X_EXT_ADDRESS_SRC_FLOW, &sflow_ska
-			  , "pfkey_addr_sflow", text_said, extensions))
-    {
-	return FALSE;
-    }
+	if (op != ERO_DELETE)
+	{
+		if (!(pfkey_build(pfkey_sa_build(&extensions[SADB_EXT_SA]
+										 , SADB_EXT_SA
+										 , spi  /* in network order */
+										 , 0, 0, 0, 0, op >> ERO_FLAG_SHIFT)
+						  , "pfkey_sa add flow", text_said, extensions)
+
+			&& pfkeyext_address(SADB_EXT_ADDRESS_SRC, this_host
+				, "pfkey_addr_s add flow", text_said, extensions)
+
+			&& pfkeyext_address(SADB_EXT_ADDRESS_DST, that_host
+								, "pfkey_addr_d add flow", text_said
+								, extensions)))
+		{
+			return FALSE;
+		}
+	}
 
-    if (!pfkeyext_address(SADB_X_EXT_ADDRESS_DST_FLOW, &dflow_ska
-			, "pfkey_addr_dflow", text_said, extensions))
-    {
-	return FALSE;
-    }
+	if (!pfkeyext_address(SADB_X_EXT_ADDRESS_SRC_FLOW, &sflow_ska
+						  , "pfkey_addr_sflow", text_said, extensions))
+	{
+		return FALSE;
+	}
 
-    if (!pfkeyext_address(SADB_X_EXT_ADDRESS_SRC_MASK, &smask_ska
-			, "pfkey_addr_smask", text_said, extensions))
-    {
-	return FALSE;
-    }
+	if (!pfkeyext_address(SADB_X_EXT_ADDRESS_DST_FLOW, &dflow_ska
+						, "pfkey_addr_dflow", text_said, extensions))
+	{
+		return FALSE;
+	}
 
-    if (!pfkeyext_address(SADB_X_EXT_ADDRESS_DST_MASK, &dmask_ska
-			, "pfkey_addr_dmask", text_said, extensions))
-    {
-	return FALSE;
-    }
+	if (!pfkeyext_address(SADB_X_EXT_ADDRESS_SRC_MASK, &smask_ska
+						, "pfkey_addr_smask", text_said, extensions))
+	{
+		return FALSE;
+	}
 
-    if (!pfkeyext_protocol(transport_proto
-			, "pfkey_x_protocol", text_said, extensions))
-    {
-	return FALSE;
-    }
+	if (!pfkeyext_address(SADB_X_EXT_ADDRESS_DST_MASK, &dmask_ska
+						, "pfkey_addr_dmask", text_said, extensions))
+	{
+		return FALSE;
+	}
+
+	if (!pfkeyext_protocol(transport_proto
+						, "pfkey_x_protocol", text_said, extensions))
+	{
+		return FALSE;
+	}
 
-    return finish_pfkey_msg(extensions, "flow", text_said, NULL);
+	return finish_pfkey_msg(extensions, "flow", text_said, NULL);
 }
 
 static bool
 pfkey_add_sa(const struct kernel_sa *sa, bool replace)
 {
-    struct sadb_ext *extensions[SADB_EXT_MAX + 1];
-
-    return pfkey_msg_start(replace ? SADB_UPDATE : SADB_ADD, sa->satype
-	, "pfkey_msg_hdr Add SA", sa->text_said, extensions)
-
-    && pfkey_build(pfkey_sa_build(&extensions[SADB_EXT_SA]
-	    , SADB_EXT_SA
-	    , sa->spi	/* in network order */
-	    , sa->replay_window, SADB_SASTATE_MATURE
-	    , sa->authalg, sa->encalg ? sa->encalg: sa->compalg, 0)
-	, "pfkey_sa Add SA", sa->text_said, extensions)
-
-    && pfkeyext_address(SADB_EXT_ADDRESS_SRC, sa->src
-	, "pfkey_addr_s Add SA", sa->text_said, extensions)
-
-    && pfkeyext_address(SADB_EXT_ADDRESS_DST, sa->dst
-	, "pfkey_addr_d Add SA", sa->text_said, extensions)
-
-    && (sa->authkeylen == 0
-	|| pfkey_build(pfkey_key_build(&extensions[SADB_EXT_KEY_AUTH]
-		, SADB_EXT_KEY_AUTH, sa->authkeylen * BITS_PER_BYTE
-		, sa->authkey)
-	    , "pfkey_key_a Add SA", sa->text_said, extensions))
-
-    && (sa->enckeylen == 0
-	|| pfkey_build(pfkey_key_build(&extensions[SADB_EXT_KEY_ENCRYPT]
-		, SADB_EXT_KEY_ENCRYPT, sa->enckeylen * BITS_PER_BYTE
-		, sa->enckey)
-	    , "pfkey_key_e Add SA", sa->text_said, extensions))
-
-    && (sa->natt_type == 0
-	|| pfkey_build(pfkey_x_nat_t_type_build(
-		&extensions[SADB_X_EXT_NAT_T_TYPE], sa->natt_type),
-		"pfkey_nat_t_type Add ESP SA",  sa->text_said, extensions))
-    && (sa->natt_sport == 0
-	|| pfkey_build(pfkey_x_nat_t_port_build(
-			&extensions[SADB_X_EXT_NAT_T_SPORT], SADB_X_EXT_NAT_T_SPORT,
-			sa->natt_sport), "pfkey_nat_t_sport Add ESP SA", sa->text_said,
-			extensions))
-    && (sa->natt_dport == 0
-	|| pfkey_build(pfkey_x_nat_t_port_build(
-			&extensions[SADB_X_EXT_NAT_T_DPORT], SADB_X_EXT_NAT_T_DPORT,
-			sa->natt_dport), "pfkey_nat_t_dport Add ESP SA", sa->text_said,
-			extensions))
-    && (sa->natt_type == 0 || isanyaddr(sa->natt_oa)
-	|| pfkeyext_address(SADB_X_EXT_NAT_T_OA, sa->natt_oa
-	    , "pfkey_nat_t_oa Add ESP SA", sa->text_said, extensions))
-
-    && finish_pfkey_msg(extensions, "Add SA", sa->text_said, NULL);
+	struct sadb_ext *extensions[SADB_EXT_MAX + 1];
+
+	return pfkey_msg_start(replace ? SADB_UPDATE : SADB_ADD, sa->satype
+		, "pfkey_msg_hdr Add SA", sa->text_said, extensions)
+
+	&& pfkey_build(pfkey_sa_build(&extensions[SADB_EXT_SA]
+			, SADB_EXT_SA
+			, sa->spi   /* in network order */
+			, sa->replay_window, SADB_SASTATE_MATURE
+			, sa->authalg, sa->encalg ? sa->encalg: sa->compalg, 0)
+		, "pfkey_sa Add SA", sa->text_said, extensions)
+
+	&& pfkeyext_address(SADB_EXT_ADDRESS_SRC, sa->src
+		, "pfkey_addr_s Add SA", sa->text_said, extensions)
+
+	&& pfkeyext_address(SADB_EXT_ADDRESS_DST, sa->dst
+		, "pfkey_addr_d Add SA", sa->text_said, extensions)
+
+	&& (sa->authkeylen == 0
+		|| pfkey_build(pfkey_key_build(&extensions[SADB_EXT_KEY_AUTH]
+				, SADB_EXT_KEY_AUTH, sa->authkeylen * BITS_PER_BYTE
+				, sa->authkey)
+			, "pfkey_key_a Add SA", sa->text_said, extensions))
+
+	&& (sa->enckeylen == 0
+		|| pfkey_build(pfkey_key_build(&extensions[SADB_EXT_KEY_ENCRYPT]
+				, SADB_EXT_KEY_ENCRYPT, sa->enckeylen * BITS_PER_BYTE
+				, sa->enckey)
+			, "pfkey_key_e Add SA", sa->text_said, extensions))
+
+	&& (sa->natt_type == 0
+		|| pfkey_build(pfkey_x_nat_t_type_build(
+				&extensions[SADB_X_EXT_NAT_T_TYPE], sa->natt_type),
+				"pfkey_nat_t_type Add ESP SA",  sa->text_said, extensions))
+	&& (sa->natt_sport == 0
+		|| pfkey_build(pfkey_x_nat_t_port_build(
+						&extensions[SADB_X_EXT_NAT_T_SPORT], SADB_X_EXT_NAT_T_SPORT,
+						sa->natt_sport), "pfkey_nat_t_sport Add ESP SA", sa->text_said,
+						extensions))
+	&& (sa->natt_dport == 0
+		|| pfkey_build(pfkey_x_nat_t_port_build(
+						&extensions[SADB_X_EXT_NAT_T_DPORT], SADB_X_EXT_NAT_T_DPORT,
+						sa->natt_dport), "pfkey_nat_t_dport Add ESP SA", sa->text_said,
+						extensions))
+	&& (sa->natt_type == 0 || isanyaddr(sa->natt_oa)
+		|| pfkeyext_address(SADB_X_EXT_NAT_T_OA, sa->natt_oa
+			, "pfkey_nat_t_oa Add ESP SA", sa->text_said, extensions))
+
+	&& finish_pfkey_msg(extensions, "Add SA", sa->text_said, NULL);
 
 }
 
 static bool
 pfkey_grp_sa(const struct kernel_sa *sa0, const struct kernel_sa *sa1)
 {
-    struct sadb_ext *extensions[SADB_EXT_MAX + 1];
+	struct sadb_ext *extensions[SADB_EXT_MAX + 1];
 
-    return pfkey_msg_start(SADB_X_GRPSA, sa1->satype
-	, "pfkey_msg_hdr group", sa1->text_said, extensions)
+	return pfkey_msg_start(SADB_X_GRPSA, sa1->satype
+		, "pfkey_msg_hdr group", sa1->text_said, extensions)
 
-    && pfkey_build(pfkey_sa_build(&extensions[SADB_EXT_SA]
-	    , SADB_EXT_SA
-	    , sa1->spi	/* in network order */
-	    , 0, 0, 0, 0, 0)
-	, "pfkey_sa group", sa1->text_said, extensions)
+	&& pfkey_build(pfkey_sa_build(&extensions[SADB_EXT_SA]
+			, SADB_EXT_SA
+			, sa1->spi  /* in network order */
+			, 0, 0, 0, 0, 0)
+		, "pfkey_sa group", sa1->text_said, extensions)
 
-    && pfkeyext_address(SADB_EXT_ADDRESS_DST, sa1->dst
-	, "pfkey_addr_d group", sa1->text_said, extensions)
+	&& pfkeyext_address(SADB_EXT_ADDRESS_DST, sa1->dst
+		, "pfkey_addr_d group", sa1->text_said, extensions)
 
-    && pfkey_build(pfkey_x_satype_build(&extensions[SADB_X_EXT_SATYPE2]
-	    , sa0->satype)
-	, "pfkey_satype group", sa0->text_said, extensions)
+	&& pfkey_build(pfkey_x_satype_build(&extensions[SADB_X_EXT_SATYPE2]
+			, sa0->satype)
+		, "pfkey_satype group", sa0->text_said, extensions)
 
-    && pfkey_build(pfkey_sa_build(&extensions[SADB_X_EXT_SA2]
-	    , SADB_X_EXT_SA2
-	    , sa0->spi	/* in network order */
-	    , 0, 0, 0, 0, 0)
-	, "pfkey_sa2 group", sa0->text_said, extensions)
+	&& pfkey_build(pfkey_sa_build(&extensions[SADB_X_EXT_SA2]
+			, SADB_X_EXT_SA2
+			, sa0->spi  /* in network order */
+			, 0, 0, 0, 0, 0)
+		, "pfkey_sa2 group", sa0->text_said, extensions)
 
-    && pfkeyext_address(SADB_X_EXT_ADDRESS_DST2, sa0->dst
-	, "pfkey_addr_d2 group", sa0->text_said, extensions)
+	&& pfkeyext_address(SADB_X_EXT_ADDRESS_DST2, sa0->dst
+		, "pfkey_addr_d2 group", sa0->text_said, extensions)
 
-    && finish_pfkey_msg(extensions, "group", sa1->text_said, NULL);
+	&& finish_pfkey_msg(extensions, "group", sa1->text_said, NULL);
 }
 
 static bool
 pfkey_del_sa(const struct kernel_sa *sa)
 {
-    struct sadb_ext *extensions[SADB_EXT_MAX + 1];
+	struct sadb_ext *extensions[SADB_EXT_MAX + 1];
 
-    return pfkey_msg_start(SADB_DELETE, proto2satype(sa->proto)
-	, "pfkey_msg_hdr delete SA", sa->text_said, extensions)
+	return pfkey_msg_start(SADB_DELETE, proto2satype(sa->proto)
+		, "pfkey_msg_hdr delete SA", sa->text_said, extensions)
 
-    && pfkey_build(pfkey_sa_build(&extensions[SADB_EXT_SA]
-	    , SADB_EXT_SA
-	    , sa->spi	/* in host order */
-	    , 0, SADB_SASTATE_MATURE, 0, 0, 0)
-	, "pfkey_sa delete SA", sa->text_said, extensions)
+	&& pfkey_build(pfkey_sa_build(&extensions[SADB_EXT_SA]
+			, SADB_EXT_SA
+			, sa->spi   /* in host order */
+			, 0, SADB_SASTATE_MATURE, 0, 0, 0)
+		, "pfkey_sa delete SA", sa->text_said, extensions)
 
-    && pfkeyext_address(SADB_EXT_ADDRESS_SRC, sa->src
-	, "pfkey_addr_s delete SA", sa->text_said, extensions)
+	&& pfkeyext_address(SADB_EXT_ADDRESS_SRC, sa->src
+		, "pfkey_addr_s delete SA", sa->text_said, extensions)
 
-    && pfkeyext_address(SADB_EXT_ADDRESS_DST, sa->dst
-	, "pfkey_addr_d delete SA", sa->text_said, extensions)
+	&& pfkeyext_address(SADB_EXT_ADDRESS_DST, sa->dst
+		, "pfkey_addr_d delete SA", sa->text_said, extensions)
 
-    && finish_pfkey_msg(extensions, "Delete SA", sa->text_said, NULL);
+	&& finish_pfkey_msg(extensions, "Delete SA", sa->text_said, NULL);
 }
 
 void
 pfkey_close(void)
 {
-    while (pfkey_iq_head != NULL)
-    {
-	pfkey_item *it = pfkey_iq_head;
+	while (pfkey_iq_head != NULL)
+	{
+		pfkey_item *it = pfkey_iq_head;
 
-	pfkey_iq_head = it->next;
-	pfree(it);
-    }
+		pfkey_iq_head = it->next;
+		free(it);
+	}
 
-    close(pfkeyfd);
-    pfkeyfd = NULL_FD;
+	close(pfkeyfd);
+	pfkeyfd = NULL_FD;
 }
 
 const struct kernel_ops klips_kernel_ops = {
-	type: KERNEL_TYPE_KLIPS,
-	async_fdp: &pfkeyfd,
-
-	pfkey_register: klips_pfkey_register,
-	pfkey_register_response: klips_pfkey_register_response,
-	process_queue: pfkey_dequeue,
-	process_msg: pfkey_event,
-	raw_eroute: pfkey_raw_eroute,
-	add_sa: pfkey_add_sa,
-	grp_sa: pfkey_grp_sa,
-	del_sa: pfkey_del_sa,
-	get_sa: NULL,
-	get_spi: NULL,
-        inbound_eroute: FALSE,
-	policy_lifetime: FALSE,
-	init: NULL
+		type: KERNEL_TYPE_KLIPS,
+		async_fdp: &pfkeyfd,
+
+		pfkey_register: klips_pfkey_register,
+		pfkey_register_response: klips_pfkey_register_response,
+		process_queue: pfkey_dequeue,
+		process_msg: pfkey_event,
+		raw_eroute: pfkey_raw_eroute,
+		add_sa: pfkey_add_sa,
+		grp_sa: pfkey_grp_sa,
+		del_sa: pfkey_del_sa,
+		get_sa: NULL,
+		get_spi: NULL,
+		inbound_eroute: FALSE,
+		policy_lifetime: FALSE,
+		init: NULL
 };
 #endif /* KLIPS */
diff --git a/src/pluto/kernel_pfkey.h b/src/pluto/kernel_pfkey.h
index 23ac982e8..ad20a5888 100644
--- a/src/pluto/kernel_pfkey.h
+++ b/src/pluto/kernel_pfkey.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: kernel_pfkey.h 3252 2007-10-06 21:24:50Z andreas $
  */
 
 #ifdef KLIPS
diff --git a/src/pluto/keys.c b/src/pluto/keys.c
index 1aed7a63f..6dfbd6732 100644
--- a/src/pluto/keys.c
+++ b/src/pluto/keys.c
@@ -10,8 +10,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: keys.c 3738 2008-04-02 19:04:45Z andreas $
  */
 
 #include <stddef.h>
@@ -25,33 +23,34 @@
 #include <netinet/in.h>
 #include <arpa/inet.h>
 #include <resolv.h>
-#include <arpa/nameser.h>	/* missing from <resolv.h> on old systems */
+#include <arpa/nameser.h>       /* missing from <resolv.h> on old systems */
 #include <sys/queue.h>
 
 #include <glob.h>
 #ifndef GLOB_ABORTED
-# define GLOB_ABORTED    GLOB_ABEND	/* fix for old versions */
+# define GLOB_ABORTED    GLOB_ABEND     /* fix for old versions */
 #endif
 
 #include <freeswan.h>
-#include <ipsec_policy.h>
+
+#include <library.h>
+#include <asn1/asn1.h>
 
 #include "constants.h"
 #include "defs.h"
-#include "mp_defs.h"
 #include "id.h"
 #include "x509.h"
-#include "pgp.h"
+#include "pgpcert.h"
 #include "certs.h"
 #include "smartcard.h"
 #include "connections.h"
 #include "state.h"
 #include "lex.h"
 #include "keys.h"
-#include "adns.h"	/* needs <resolv.h> */
-#include "dnskey.h"	/* needs keys.h and adns.h */
+#include "adns.h"       /* needs <resolv.h> */
+#include "dnskey.h"     /* needs keys.h and adns.h */
 #include "log.h"
-#include "whack.h"	/* for RC_LOG_SERIOUS */
+#include "whack.h"      /* for RC_LOG_SERIOUS */
 #include "timer.h"
 #include "fetch.h"
 #include "xauth.h"
@@ -61,77 +60,34 @@ const char *shared_secrets_file = SHARED_SECRETS_FILE;
 typedef struct id_list id_list_t;
 
 struct id_list {
-    struct id id;
-    id_list_t *next;
+	struct id id;
+	id_list_t *next;
 };
 
 typedef struct secret secret_t;
 
 struct secret {
-    id_list_t *ids;
-    enum PrivateKeyKind kind;
-    union {
-	chunk_t preshared_secret;
-	RSA_private_key_t RSA_private_key;
-	xauth_t xauth_secret;
-	smartcard_t *smartcard;
-    } u;
-    secret_t *next;
+	id_list_t *ids;
+	enum PrivateKeyKind kind;
+	union {
+		chunk_t        preshared_secret;
+		xauth_t        xauth_secret;
+		private_key_t *private_key;
+		smartcard_t   *smartcard;
+	} u;
+	secret_t *next;
 };
 
-static pubkey_t*
-allocate_RSA_public_key(const cert_t cert)
-{
-    pubkey_t *pk = alloc_thing(pubkey_t, "pubkey");
-    chunk_t e = empty_chunk, n = empty_chunk;
-
-    switch (cert.type)
-    {
-    case CERT_PGP:
-	e = cert.u.pgp->publicExponent;
-	n = cert.u.pgp->modulus;
-	break;
-    case CERT_X509_SIGNATURE:
-	e = cert.u.x509->publicExponent;
-	n = cert.u.x509->modulus;
-	break;
-    default:
-	plog("RSA public key allocation error");
-    }
-
-    init_RSA_public_key(&pk->u.rsa, e, n);
-    DBG(DBG_RAW,
-	RSA_show_public_key(&pk->u.rsa)
-    )
-
-    pk->alg = PUBKEY_ALG_RSA;
-    pk->id  = empty_id;
-    pk->issuer = empty_chunk;
-    pk->serial = empty_chunk;
-
-    return pk;
-}
-
 /*
  * free a public key struct
  */
-static void
-free_public_key(pubkey_t *pk)
+static void free_public_key(pubkey_t *pk)
 {
-    free_id_content(&pk->id);
-    freeanychunk(pk->issuer);
-    freeanychunk(pk->serial);
-
-    /* algorithm-specific freeing */
-    switch (pk->alg)
-    {
-    case PUBKEY_ALG_RSA:
-	free_RSA_public_content(&pk->u.rsa);
-	break;
-    default:
-	bad_case(pk->alg);
-    }
-    pfree(pk);
+	DESTROY_IF(pk->public_key);
+	free_id_content(&pk->id);
+	free(pk->issuer.ptr);
+	free(pk->serial.ptr);
+	free(pk);
 }
 
 secret_t *secrets = NULL;
@@ -140,227 +96,215 @@ secret_t *secrets = NULL;
  * me and the peer.  We match the Id (if none, the IP address).
  * Failure is indicated by a NULL.
  */
-static const secret_t *
-get_secret(const struct connection *c, enum PrivateKeyKind kind, bool asym)
+static const secret_t* get_secret(const struct connection *c,
+								  enum PrivateKeyKind kind, bool asym)
 {
-    enum {	/* bits */
-	match_default = 01,
-	match_him = 02,
-	match_me = 04
-    };
-
-    unsigned int best_match = 0;
-    secret_t *best = NULL;
-    secret_t *s;
-    const struct id *my_id  = &c->spd.this.id
-	          , *his_id = &c->spd.that.id;
-    struct id rw_id;
-
-    /* is there a certificate assigned to this connection? */
-    if (kind == PPK_RSA && c->spd.this.cert.type != CERT_NONE)
-    {
-	pubkey_t *my_public_key = allocate_RSA_public_key(c->spd.this.cert);
-
-	for (s = secrets; s != NULL; s = s->next)
+	enum {      /* bits */
+		match_default = 0x01,
+		match_him     = 0x02,
+		match_me      = 0x04
+	};
+
+	unsigned int best_match = 0;
+	secret_t *best = NULL;
+	secret_t *s;
+	const struct id *my_id  = &c->spd.this.id
+				  , *his_id = &c->spd.that.id;
+	struct id rw_id;
+
+	/* is there a certificate assigned to this connection? */
+	if (kind == PPK_PUBKEY && c->spd.this.cert.type != CERT_NONE)
 	{
-	    if (s->kind == kind &&
-		same_RSA_public_key(&s->u.RSA_private_key.pub, &my_public_key->u.rsa))
-	    {
-		best = s;
-		break; /* we have found the private key - no sense in searching further */
-	    }
-	}
-	free_public_key(my_public_key);
-	return best;
-    }
-
-    if (his_id_was_instantiated(c))
-    {
-	/* roadwarrior: replace him with 0.0.0.0 */
-	rw_id.kind = c->spd.that.id.kind;
-	rw_id.name = empty_chunk;
-	happy(anyaddr(addrtypeof(&c->spd.that.host_addr), &rw_id.ip_addr));
-	his_id = &rw_id;
-    }
-    else if (kind == PPK_PSK
-    && (c->policy & (POLICY_PSK | POLICY_XAUTH_PSK))
-    && ((c->kind == CK_TEMPLATE && c->spd.that.id.kind == ID_NONE) ||
-        (c->kind == CK_INSTANCE && id_is_ipaddr(&c->spd.that.id))))
-    {
-	/* roadwarrior: replace him with 0.0.0.0 */
-	rw_id.kind = ID_IPV4_ADDR;
-	happy(anyaddr(addrtypeof(&c->spd.that.host_addr), &rw_id.ip_addr));
-	his_id = &rw_id;
-    }
-
-    for (s = secrets; s != NULL; s = s->next)
-    {
-	if (s->kind == kind)
-	{
-	    unsigned int match = 0;
+		public_key_t *pub_key = cert_get_public_key(c->spd.this.cert);
 
-	    if (s->ids == NULL)
-	    {
-		/* a default (signified by lack of ids):
-		 * accept if no more specific match found
-		 */
-		match = match_default;
-	    }
-	    else
-	    {
-		/* check if both ends match ids */
-		id_list_t *i;
-
-		for (i = s->ids; i != NULL; i = i->next)
+		for (s = secrets; s != NULL; s = s->next)
 		{
-		    if (same_id(my_id, &i->id))
-			match |= match_me;
-
-		    if (same_id(his_id, &i->id))
-			match |= match_him;
+			if (s->kind == kind &&
+				s->u.private_key->belongs_to(s->u.private_key, pub_key))
+			{
+				best = s;
+				break; /* we have found the private key - no sense in searching further */
+			}
 		}
+		return best;
+	}
 
-		/* If our end matched the only id in the list,
-		 * default to matching any peer.
-		 * A more specific match will trump this.
-		 */
-		if (match == match_me
-		&& s->ids->next == NULL)
-		    match |= match_default;
-	    }
-
-	    switch (match)
-	    {
-	    case match_me:
-		/* if this is an asymmetric (eg. public key) system,
-		 * allow this-side-only match to count, even if
-		 * there are other ids in the list.
-		 */
-		if (!asym)
-		    break;
-		/* FALLTHROUGH */
-	    case match_default:	/* default all */
-	    case match_me | match_default:	/* default peer */
-	    case match_me | match_him:	/* explicit */
-		if (match == best_match)
-		{
-		    /* two good matches are equally good:
-		     * do they agree?
-		     */
-		    bool same = FALSE;
-
-		    switch (kind)
-		    {
-		    case PPK_PSK:
-			same = s->u.preshared_secret.len == best->u.preshared_secret.len
-			    && memcmp(s->u.preshared_secret.ptr, best->u.preshared_secret.ptr, s->u.preshared_secret.len) == 0;
-			break;
-		    case PPK_RSA:
-			/* Dirty trick: since we have code to compare
-			 * RSA public keys, but not private keys, we
-			 * make the assumption that equal public keys
-			 * mean equal private keys.  This ought to work.
-			 */
-			same = same_RSA_public_key(&s->u.RSA_private_key.pub
-					      , &best->u.RSA_private_key.pub);
-			break;
-		    default:
-			bad_case(kind);
-		    }
-		    if (!same)
-		    {
-			loglog(RC_LOG_SERIOUS, "multiple ipsec.secrets entries with distinct secrets match endpoints:"
-			    " first secret used");
-			best = s;	/* list is backwards: take latest in list */
-		    }
-		}
-		else if (match > best_match)
+	if (his_id_was_instantiated(c))
+	{
+		/* roadwarrior: replace him with 0.0.0.0 */
+		rw_id.kind = c->spd.that.id.kind;
+		rw_id.name = chunk_empty;
+		happy(anyaddr(addrtypeof(&c->spd.that.host_addr), &rw_id.ip_addr));
+		his_id = &rw_id;
+	}
+	else if (kind == PPK_PSK
+	&& (c->policy & (POLICY_PSK | POLICY_XAUTH_PSK))
+	&& ((c->kind == CK_TEMPLATE && c->spd.that.id.kind == ID_ANY) ||
+		(c->kind == CK_INSTANCE && id_is_ipaddr(&c->spd.that.id))))
+	{
+		/* roadwarrior: replace him with 0.0.0.0 */
+		rw_id.kind = ID_IPV4_ADDR;
+		happy(anyaddr(addrtypeof(&c->spd.that.host_addr), &rw_id.ip_addr));
+		his_id = &rw_id;
+	}
+
+	for (s = secrets; s != NULL; s = s->next)
+	{
+		if (s->kind == kind)
 		{
-		    /* this is the best match so far */
-		    best_match = match;
-		    best = s;
+			unsigned int match = 0;
+
+			if (s->ids == NULL)
+			{
+				/* a default (signified by lack of ids):
+				 * accept if no more specific match found
+				 */
+				match = match_default;
+			}
+			else
+			{
+				/* check if both ends match ids */
+				id_list_t *i;
+
+				for (i = s->ids; i != NULL; i = i->next)
+				{
+					if (same_id(my_id, &i->id))
+					{
+						match |= match_me;
+					}
+					if (same_id(his_id, &i->id))
+					{
+						match |= match_him;
+					}
+				}
+
+				/* If our end matched the only id in the list,
+				 * default to matching any peer.
+				 * A more specific match will trump this.
+				 */
+				if (match == match_me && s->ids->next == NULL)
+				{
+					match |= match_default;
+				}
+			}
+
+			switch (match)
+			{
+			case match_me:
+				/* if this is an asymmetric (eg. public key) system,
+				 * allow this-side-only match to count, even if
+				 * there are other ids in the list.
+				 */
+				if (!asym)
+				{
+					break;
+				}
+				/* FALLTHROUGH */
+			case match_default: /* default all */
+			case match_me | match_default:      /* default peer */
+			case match_me | match_him:  /* explicit */
+				if (match == best_match)
+				{
+					/* two good matches are equally good:
+					 * do they agree?
+					 */
+					bool same = FALSE;
+
+					switch (kind)
+					{
+					case PPK_PSK:
+						same = s->u.preshared_secret.len == best->u.preshared_secret.len
+								&& memeq(s->u.preshared_secret.ptr, best->u.preshared_secret.ptr, s->u.preshared_secret.len);
+						break;
+					case PPK_PUBKEY:
+						same = s->u.private_key->equals(s->u.private_key, best->u.private_key);
+						break;
+					default:
+						bad_case(kind);
+					}
+					if (!same)
+					{
+						loglog(RC_LOG_SERIOUS, "multiple ipsec.secrets entries with distinct secrets match endpoints:"
+							" first secret used");
+						best = s;       /* list is backwards: take latest in list */
+					}
+				}
+				else if (match > best_match)
+				{
+					/* this is the best match so far */
+					best_match = match;
+					best = s;
+				}
+			}
 		}
-	    }
 	}
-    }
-    return best;
+	return best;
 }
 
 /* find the appropriate preshared key (see get_secret).
  * Failure is indicated by a NULL pointer.
  * Note: the result is not to be freed by the caller.
  */
-const chunk_t *
-get_preshared_secret(const struct connection *c)
+const chunk_t* get_preshared_secret(const struct connection *c)
 {
-    const secret_t *s = get_secret(c, PPK_PSK, FALSE);
+	const secret_t *s = get_secret(c, PPK_PSK, FALSE);
 
-    DBG(DBG_PRIVATE,
-	if (s == NULL)
-	    DBG_log("no Preshared Key Found");
-	else
-	    DBG_dump_chunk("Preshared Key", s->u.preshared_secret);
-    )
-    return s == NULL? NULL : &s->u.preshared_secret;
+	DBG(DBG_PRIVATE,
+		if (s == NULL)
+			DBG_log("no Preshared Key Found");
+		else
+			DBG_dump_chunk("Preshared Key", s->u.preshared_secret);
+	)
+	return s == NULL? NULL : &s->u.preshared_secret;
 }
 
-/* check the existence of an RSA private key matching an RSA public
- * key contained in an X.509 or OpenPGP certificate
+/* check the existence of a private key matching a public key contained
+ * in an X.509 or OpenPGP certificate
  */
-bool
-has_private_key(cert_t cert)
+bool has_private_key(cert_t cert)
 {
-    secret_t *s;
-    bool has_key = FALSE;
-    pubkey_t *pubkey = allocate_RSA_public_key(cert);
-
-    for (s = secrets; s != NULL; s = s->next)
-    {
-	if (s->kind == PPK_RSA &&
-	    same_RSA_public_key(&s->u.RSA_private_key.pub, &pubkey->u.rsa))
+	secret_t *s;
+	bool has_key = FALSE;
+	public_key_t *pub_key = cert_get_public_key(cert);
+
+	for (s = secrets; s != NULL; s = s->next)
 	{
-	    has_key = TRUE;
-	    break;
+		if (s->kind == PPK_PUBKEY &&
+			s->u.private_key->belongs_to(s->u.private_key, pub_key))
+		{
+			has_key = TRUE;
+			break;
+		}
 	}
-    }
-    free_public_key(pubkey);
-    return has_key;
+	return has_key;
 }
 
 /*
- * get the matching RSA private key belonging to a given X.509 certificate
+ * get the matching private key belonging to a given X.509 certificate
  */
-const RSA_private_key_t*
-get_x509_private_key(const x509cert_t *cert)
+private_key_t* get_x509_private_key(const x509cert_t *cert)
 {
-    secret_t *s;
-    const RSA_private_key_t *pri = NULL;
-    const cert_t c = {CERT_X509_SIGNATURE, {(x509cert_t*)cert}};
-
-    pubkey_t *pubkey = allocate_RSA_public_key(c);
+	secret_t *s;
 
-    for (s = secrets; s != NULL; s = s->next)
-    {
-	if (s->kind == PPK_RSA &&
-	    same_RSA_public_key(&s->u.RSA_private_key.pub, &pubkey->u.rsa))
+	for (s = secrets; s != NULL; s = s->next)
 	{
-	    pri = &s->u.RSA_private_key;
-	    break;
+		if (s->kind == PPK_PUBKEY &&
+			s->u.private_key->belongs_to(s->u.private_key, cert->public_key))
+		{
+			return s->u.private_key;
+		}
 	}
-    }
-    free_public_key(pubkey);
-    return pri;
+	return NULL;
 }
 
-/* find the appropriate RSA private key (see get_secret).
+/* find the appropriate private key (see get_secret).
  * Failure is indicated by a NULL pointer.
  */
-const RSA_private_key_t *
-get_RSA_private_key(const struct connection *c)
+private_key_t* get_private_key(const struct connection *c)
 {
-    const secret_t *s = get_secret(c, PPK_RSA, TRUE);
+	const secret_t *s = get_secret(c, PPK_PUBKEY, TRUE);
 
-    return s == NULL? NULL : &s->u.RSA_private_key;
+	return s == NULL? NULL : s->u.private_key;
 }
 
 /* digest a secrets file
@@ -403,1100 +347,1071 @@ get_RSA_private_key(const struct connection *c)
  */
 
 /* parse PSK from file */
-static err_t
-process_psk_secret(chunk_t *psk)
+static err_t process_psk_secret(chunk_t *psk)
 {
-    err_t ugh = NULL;
-
-    if (*tok == '"' || *tok == '\'')
-    {
-	clonetochunk(*psk, tok+1, flp->cur - tok  - 2, "PSK");
-	(void) shift();
-    }
-    else
-    {
-	char buf[BUF_LEN];	/* limit on size of binary representation of key */
-	size_t sz;
-
-	ugh = ttodatav(tok, flp->cur - tok, 0, buf, sizeof(buf), &sz
-	    , diag_space, sizeof(diag_space), TTODATAV_SPACECOUNTS);
-	if (ugh != NULL)
+	err_t ugh = NULL;
+
+	if (*tok == '"' || *tok == '\'')
 	{
-	    /* ttodata didn't like PSK data */
-	    ugh = builddiag("PSK data malformed (%s): %s", ugh, tok);
+		chunk_t secret = { tok + 1, flp->cur - tok  -2 };
+
+		*psk = chunk_clone(secret);
+		(void) shift();
 	}
 	else
 	{
-	    clonetochunk(*psk, buf, sz, "PSK");
-	    (void) shift();
+		char buf[BUF_LEN];      /* limit on size of binary representation of key */
+		size_t sz;
+
+		ugh = ttodatav(tok, flp->cur - tok, 0, buf, sizeof(buf), &sz
+			, diag_space, sizeof(diag_space), TTODATAV_SPACECOUNTS);
+		if (ugh != NULL)
+		{
+			/* ttodata didn't like PSK data */
+			ugh = builddiag("PSK data malformed (%s): %s", ugh, tok);
+		}
+		else
+		{
+			chunk_t secret = { buf, sz };
+			*psk = chunk_clone(secret);
+			(void) shift();
+		}
 	}
-    }
-    return ugh;
+	return ugh;
 }
 
-/* Parse fields of RSA private key.
- * A braced list of keyword and value pairs.
- * At the moment, each field is required, in order.
- * The fields come from BIND 8.2's representation
+typedef enum rsa_private_key_part_t rsa_private_key_part_t;
+
+enum rsa_private_key_part_t {
+	RSA_PART_MODULUS          = 0,
+	RSA_PART_PUBLIC_EXPONENT  = 1,
+	RSA_PART_PRIVATE_EXPONENT = 2,
+	RSA_PART_PRIME1           = 3,
+	RSA_PART_PRIME2           = 4,
+	RSA_PART_EXPONENT1        = 5,
+	RSA_PART_EXPONENT2        = 6,
+	RSA_PART_COEFFICIENT      = 7
+}; 
+
+const char *rsa_private_key_part_names[] = {
+	"Modulus",
+	"PublicExponent",
+	"PrivateExponent",
+	"Prime1",
+	"Prime2",
+	"Exponent1",
+	"Exponent2",
+	"Coefficient"
+};
+
+/**
+ * Parse fields of an RSA private key in BIND 8.2's representation
+ * consistiong of a braced list of keyword and value pairs in required order.
+ * Conversion into ASN.1 DER encoded PKCS#1 representation.
  */
-static err_t
-process_rsa_secret(RSA_private_key_t *rsak)
+static err_t process_rsa_secret(private_key_t **key)
 {
-    char buf[RSA_MAX_ENCODING_BYTES];	/* limit on size of binary representation of key */
-    const struct fld *p;
-
-    /* save bytes of Modulus and PublicExponent for keyid calculation */
-    unsigned char ebytes[sizeof(buf)];
-    unsigned char *eb_next = ebytes;
-    chunk_t pub_bytes[2];
-    chunk_t *pb_next = &pub_bytes[0];
-
-    for (p = RSA_private_field; p < &RSA_private_field[RSA_PRIVATE_FIELD_ELEMENTS]; p++)
-    {
-	size_t sz;
+	chunk_t asn1_chunk[countof(rsa_private_key_part_names)];
+	chunk_t pkcs1_chunk;
+	u_char buf[RSA_MAX_ENCODING_BYTES];   /* limit on size of binary representation of key */
+	rsa_private_key_part_t part, p;
+	size_t sz, len = 0;
 	err_t ugh;
 
-	if (!shift())
+	for (part = RSA_PART_MODULUS; part <= RSA_PART_COEFFICIENT; part++)
 	{
-	    return "premature end of RSA key";
+		chunk_t rsa_private_key_part;
+		const char *keyword = rsa_private_key_part_names[part];
+
+		if (!shift())
+		{
+			ugh = "premature end of RSA key";
+			goto end;
+		}
+		if (!tokeqword(keyword))
+		{
+			ugh = builddiag("%s keyword not found where expected in RSA key"
+				, keyword);
+			goto end;
+		}
+		if (!(shift() && (!tokeq(":") || shift())))   /* ignore optional ":" */
+		{
+			ugh = "premature end of RSA key";
+			goto end;
+		}
+		ugh = ttodatav(tok, flp->cur - tok, 0, buf, sizeof(buf), &sz,
+					   diag_space, sizeof(diag_space), TTODATAV_SPACECOUNTS);
+		if (ugh)
+		{
+			ugh = builddiag("RSA data malformed (%s): %s", ugh, tok);
+			part++;
+			goto end;
+		}
+		rsa_private_key_part = chunk_create(buf, sz);
+		asn1_chunk[part] = asn1_integer("c", rsa_private_key_part);
+		len += asn1_chunk[part].len;
 	}
-	else if (!tokeqword(p->name))
+
+	/* We require an (indented) '}' and the end of the record.
+	 * We break down the test so that the diagnostic will be more helpful.
+	 * Some people don't seem to wish to indent the brace!
+	 */
+	if (!shift() || !tokeq("}"))
 	{
-	    return builddiag("%s keyword not found where expected in RSA key"
-		, p->name);
+		ugh = "malformed end of RSA private key -- indented '}' required";
+		goto end;
 	}
-	else if (!(shift()
-	&& (!tokeq(":") || shift())))	/* ignore optional ":" */
+	if (shift())
 	{
-	    return "premature end of RSA key";
+		ugh = "malformed end of RSA private key -- unexpected token after '}'";
+		goto end;
 	}
-	else if (NULL != (ugh = ttodatav(tok, flp->cur - tok
-	, 0, buf, sizeof(buf), &sz, diag_space, sizeof(diag_space)
-	, TTODATAV_SPACECOUNTS)))
+
+	pkcs1_chunk = asn1_wrap(ASN1_SEQUENCE, "ccccccccc",
+					 		ASN1_INTEGER_0,
+							asn1_chunk[RSA_PART_MODULUS],
+							asn1_chunk[RSA_PART_PUBLIC_EXPONENT],
+							asn1_chunk[RSA_PART_PRIVATE_EXPONENT],
+							asn1_chunk[RSA_PART_PRIME1],
+							asn1_chunk[RSA_PART_PRIME2],
+							asn1_chunk[RSA_PART_EXPONENT1],
+							asn1_chunk[RSA_PART_EXPONENT2],
+							asn1_chunk[RSA_PART_COEFFICIENT]);
+
+	*key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+										  BUILD_BLOB_ASN1_DER, pkcs1_chunk,
+										  BUILD_END);
+	free(pkcs1_chunk.ptr);
+	if (*key == NULL)
 	{
-	    /* in RSA key, ttodata didn't like */
-	    return builddiag("RSA data malformed (%s): %s", ugh, tok);
+		ugh = "parsing of RSA private key failed";
 	}
-	else
+
+end:
+	/* clean up and return */
+	for (p = RSA_PART_MODULUS ; p < part; p++)
 	{
-	    MP_INT *n = (MP_INT *) ((char *)rsak + p->offset);
-
-	    n_to_mpz(n, buf, sz);
-	    if (pb_next < &pub_bytes[elemsof(pub_bytes)])
-	    {
-		if (eb_next - ebytes + sz > sizeof(ebytes))
-		    return "public key takes too many bytes";
-
-		setchunk(*pb_next, eb_next, sz);
-		memcpy(eb_next, buf, sz);
-		eb_next += sz;
-		pb_next++;
-	    }
-#if 0	/* debugging info that compromises security */
-	    {
-		size_t sz = mpz_sizeinbase(n, 16);
-		char buf[RSA_MAX_OCTETS * 2 + 2];	/* ought to be big enough */
-
-		passert(sz <= sizeof(buf));
-		mpz_get_str(buf, 16, n);
-
-		loglog(RC_LOG_SERIOUS, "%s: %s", p->name, buf);
-	    }
-#endif
+		free(asn1_chunk[p].ptr);
 	}
-    }
-
-    /* We require an (indented) '}' and the end of the record.
-     * We break down the test so that the diagnostic will be
-     * more helpful.  Some people don't seem to wish to indent
-     * the brace!
-     */
-    if (!shift() || !tokeq("}"))
-    {
-	return "malformed end of RSA private key -- indented '}' required";
-    }
-    else if (shift())
-    {
-	return "malformed end of RSA private key -- unexpected token after '}'";
-    }
-    else
-    {
-	unsigned bits = mpz_sizeinbase(&rsak->pub.n, 2);
-
-	rsak->pub.k = (bits + BITS_PER_BYTE - 1) / BITS_PER_BYTE;
-	rsak->pub.keyid[0] = '\0';	/* in case of splitkeytoid failure */
-	splitkeytoid(pub_bytes[1].ptr, pub_bytes[1].len
-	    , pub_bytes[0].ptr, pub_bytes[0].len
-	    , rsak->pub.keyid, sizeof(rsak->pub.keyid));
-	return RSA_private_key_sanity(rsak);
-    }
+	return ugh;	
 }
 
-/* process rsa key file protected with optional passphrase which can either be
+/**
+ * process a key file protected with optional passphrase which can either be
  * read from ipsec.secrets or prompted for by using whack
  */
-static err_t
-process_rsa_keyfile(RSA_private_key_t *rsak, int whackfd)
+static err_t process_keyfile(private_key_t **key, key_type_t type, int whackfd)
 {
-    char filename[BUF_LEN];
-    prompt_pass_t pass;
-
-    memset(filename,'\0', BUF_LEN);
-    memset(pass.secret,'\0', sizeof(pass.secret));
-    pass.prompt = FALSE;
-    pass.fd = whackfd;
+	char filename[BUF_LEN];
+	prompt_pass_t pass;
 
-    /* we expect the filename of a PKCS#1 private key file */
+	memset(filename,'\0', BUF_LEN);
+	memset(pass.secret,'\0', sizeof(pass.secret));
+	pass.prompt = FALSE;
+	pass.fd = whackfd;
 
-    if (*tok == '"' || *tok == '\'')  /* quoted filename */
-	memcpy(filename, tok+1, flp->cur - tok - 2);
-    else
-    	memcpy(filename, tok, flp->cur - tok);
+	/* we expect the filename of a PKCS#1 private key file */
 
-    if (shift())
-    {
-	/* we expect an appended passphrase or passphrase prompt*/
-	if (tokeqword("%prompt"))
-	{
-	    if (pass.fd == NULL_FD)
-		return "RSA private key file -- enter passphrase using 'ipsec secrets'";
-	    pass.prompt = TRUE;
-	}
+	if (*tok == '"' || *tok == '\'')  /* quoted filename */
+		memcpy(filename, tok+1, flp->cur - tok - 2);
 	else
+		memcpy(filename, tok, flp->cur - tok);
+
+	if (shift())
 	{
-	    char *passphrase = tok;
-	    size_t len = flp->cur - passphrase;
-
-	    if (*tok == '"' || *tok == '\'')  /* quoted passphrase */
-	    {
-		passphrase++;
-		len -= 2;
-	    }
-	    if (len > PROMPT_PASS_LEN)
-		return "RSA private key file -- passphrase exceeds 64 characters";
-
-	    memcpy(pass.secret, passphrase, len);
+		/* we expect an appended passphrase or passphrase prompt*/
+		if (tokeqword("%prompt"))
+		{
+			if (pass.fd == NULL_FD)
+			{
+				return "Private key file -- enter passphrase using 'ipsec secrets'";
+			}
+			pass.prompt = TRUE;
+		}
+		else
+		{
+			char *passphrase = tok;
+			size_t len = flp->cur - passphrase;
+
+			if (*tok == '"' || *tok == '\'')  /* quoted passphrase */
+			{
+				passphrase++;
+				len -= 2;
+			}
+			if (len > PROMPT_PASS_LEN)
+			{
+				return "Private key file -- passphrase exceeds 64 characters";
+			}
+			memcpy(pass.secret, passphrase, len);
+		}
+		if (shift())
+		{
+			return "Private key file -- unexpected token after passphrase";
+		}
 	}
-	if (shift())
-	    return "RSA private key file -- unexpected token after passphrase";
-    }
-    return load_rsa_private_key(filename, &pass, rsak);
+	*key = load_private_key(filename, &pass, type);
+
+	return key ? NULL : "Private key file -- could not be loaded";
 }
 
-/*
- * process xauth secret read from ipsec.secrets
+/**
+ * Process xauth secret read from ipsec.secrets
  */
-static err_t
-process_xauth(secret_t *s)
+static err_t process_xauth(secret_t *s)
 {
-    chunk_t user_name;
-
-    s->kind = PPK_XAUTH;
-
-    if (!shift())
-	return "missing xauth user name";
-    if (*tok == '"' || *tok == '\'')  /* quoted user name */
-    {
-	user_name.ptr = tok + 1;
-	user_name.len = flp->cur - tok - 2;
-    }
-    else
-    {
-	user_name.ptr = tok;
-	user_name.len = flp->cur - tok;
-    }
-    plog("  loaded xauth credentials of user '%.*s'"
-		, user_name.len
-		, user_name.ptr);
-    clonetochunk(s->u.xauth_secret.user_name
-	, user_name.ptr, user_name.len, "xauth user name");
-
-    if (!shift())
-	return "missing xauth user password";
-    return process_psk_secret(&s->u.xauth_secret.user_password);
+	chunk_t user_name;
+
+	s->kind = PPK_XAUTH;
+
+	if (!shift())
+		return "missing xauth user name";
+	if (*tok == '"' || *tok == '\'')  /* quoted user name */
+	{
+		user_name.ptr = tok + 1;
+		user_name.len = flp->cur - tok - 2;
+	}
+	else
+	{
+		user_name.ptr = tok;
+		user_name.len = flp->cur - tok;
+	}
+	plog("  loaded xauth credentials of user '%.*s'"
+				, user_name.len
+				, user_name.ptr);
+	s->u.xauth_secret.user_name = chunk_clone(user_name);
+
+	if (!shift())
+		return "missing xauth user password";
+	return process_psk_secret(&s->u.xauth_secret.user_password);
 }
 
-/* get XAUTH secret from chained secrets lists
+/**
+ * Get XAUTH secret from chained secrets lists
  * only one entry is currently supported
  */
-static bool
-xauth_get_secret(xauth_t *xauth_secret)
+static bool xauth_get_secret(xauth_t *xauth_secret)
 {
-    secret_t *s;
-    bool found = FALSE;
+	secret_t *s;
+	bool found = FALSE;
 
-    for (s = secrets; s != NULL; s = s->next)
-    {
-	if (s->kind == PPK_XAUTH)
+	for (s = secrets; s != NULL; s = s->next)
 	{
-	    if (found)
-	    {
-		plog("found multiple xauth secrets - first selected");
-	    }
-	    else
-	    {
-		found = TRUE;
-		*xauth_secret = s->u.xauth_secret;
-	    }
+		if (s->kind == PPK_XAUTH)
+		{
+			if (found)
+			{
+				plog("found multiple xauth secrets - first selected");
+			}
+			else
+			{
+				found = TRUE;
+				*xauth_secret = s->u.xauth_secret;
+			}
+		}
 	}
-    }
-    return found;
+	return found;
 }
 
-/*
+/**
  * find a matching secret
  */
-static bool
-xauth_verify_secret(const xauth_peer_t *peer, const xauth_t *xauth_secret)
+static bool xauth_verify_secret(const xauth_peer_t *peer,
+								const xauth_t *xauth_secret)
 {
-    bool found = FALSE;
-    secret_t *s;
+	bool found = FALSE;
+	secret_t *s;
 
-    for (s = secrets; s != NULL; s = s->next)
-    {
-	if (s->kind == PPK_XAUTH)
+	for (s = secrets; s != NULL; s = s->next)
 	{
-	    if (!same_chunk(xauth_secret->user_name, s->u.xauth_secret.user_name))
-		continue;
-	    found = TRUE;
-	    if (same_chunk(xauth_secret->user_password, s->u.xauth_secret.user_password))
-		return TRUE;
+		if (s->kind == PPK_XAUTH)
+		{
+			if (!chunk_equals(xauth_secret->user_name, s->u.xauth_secret.user_name))
+			{
+				continue;
+			}
+			found = TRUE;
+			if (chunk_equals(xauth_secret->user_password, s->u.xauth_secret.user_password))
+			{
+				return TRUE;
+			}
+		}
 	}
-    }
-    plog("xauth user '%.*s' %s"
-       , xauth_secret->user_name.len, xauth_secret->user_name.ptr
-       , found? "sent wrong password":"not found");
-    return FALSE;
+	plog("xauth user '%.*s' %s"
+	   , xauth_secret->user_name.len, xauth_secret->user_name.ptr
+	   , found? "sent wrong password":"not found");
+	return FALSE;
 }
 
-/*
+/**
  * the global xauth_module struct is defined here
  */
 xauth_module_t xauth_module;
 
-/*
- * assign the default xauth functions to any null function pointers
+/**
+ * Assign the default xauth functions to any null function pointers
  */
-void
-xauth_defaults(void)
+void xauth_defaults(void)
 {
-    if (xauth_module.get_secret == NULL)
-    {
-	DBG(DBG_CONTROL,
-	    DBG_log("xauth module: using default get_secret() function")
-	)
-	xauth_module.get_secret = xauth_get_secret;
-    }
-    if (xauth_module.verify_secret == NULL)
-    {
-	DBG(DBG_CONTROL,
-	    DBG_log("xauth module: using default verify_secret() function")
-	)
-	xauth_module.verify_secret = xauth_verify_secret;
-    }
+	if (xauth_module.get_secret == NULL)
+	{
+		DBG(DBG_CONTROL,
+			DBG_log("xauth module: using default get_secret() function")
+		)
+		xauth_module.get_secret = xauth_get_secret;
+	}
+	if (xauth_module.verify_secret == NULL)
+	{
+		DBG(DBG_CONTROL,
+			DBG_log("xauth module: using default verify_secret() function")
+		)
+		xauth_module.verify_secret = xauth_verify_secret;
+	}
 };
 
-/*
- * process pin read from ipsec.secrets or prompted for it using whack
+/**
+ * Process pin read from ipsec.secrets or prompted for it using whack
  */
-static err_t
-process_pin(secret_t *s, int whackfd)
+static err_t process_pin(secret_t *s, int whackfd)
 {
-    smartcard_t *sc;
-    const char *pin_status = "no pin";
-
-    s->kind = PPK_PIN;
-
-    /* looking for the smartcard keyword */
-    if (!shift() || strncmp(tok, SCX_TOKEN, strlen(SCX_TOKEN)) != 0)
-	 return "PIN keyword must be followed by %smartcard<reader>:<id>";
-
-    sc = scx_add(scx_parse_number_slot_id(tok + strlen(SCX_TOKEN)));
-    s->u.smartcard = sc;
-    scx_share(sc);
-    if (sc->pin.ptr != NULL)
-    {
-	scx_release_context(sc);
-	scx_free_pin(&sc->pin);
-    }
-    sc->valid = FALSE;
-
-    if (!shift())
-	return "PIN statement must be terminated either by <pin code>, %pinpad or %prompt";
-
-    if (tokeqword("%prompt"))
-    {
-	shift();
-	/* if whackfd exists, whack will be used to prompt for a pin */
-	if (whackfd != NULL_FD)
-	    pin_status = scx_get_pin(sc, whackfd) ? "valid pin" : "invalid pin";
+	smartcard_t *sc;
+	const char *pin_status = "no pin";
+
+	s->kind = PPK_PIN;
+
+	/* looking for the smartcard keyword */
+	if (!shift() || strncmp(tok, SCX_TOKEN, strlen(SCX_TOKEN)) != 0)
+		 return "PIN keyword must be followed by %smartcard<reader>:<id>";
+
+	sc = scx_add(scx_parse_number_slot_id(tok + strlen(SCX_TOKEN)));
+	s->u.smartcard = sc;
+	scx_share(sc);
+	if (sc->pin.ptr != NULL)
+	{
+		scx_release_context(sc);
+		scx_free_pin(&sc->pin);
+	}
+	sc->valid = FALSE;
+
+	if (!shift())
+		return "PIN statement must be terminated either by <pin code>, %pinpad or %prompt";
+
+	if (tokeqword("%prompt"))
+	{
+		shift();
+		/* if whackfd exists, whack will be used to prompt for a pin */
+		if (whackfd != NULL_FD)
+			pin_status = scx_get_pin(sc, whackfd) ? "valid pin" : "invalid pin";
+		else
+			pin_status = "pin entry via prompt";
+	}
+	else if (tokeqword("%pinpad"))
+	{
+		chunk_t empty_pin = { "", 0 };
+
+		shift();
+
+		/* pin will be entered via pin pad during verification */
+		sc->pin = chunk_clone(empty_pin);
+		sc->pinpad = TRUE;
+		sc->valid = TRUE;
+		pin_status = "pin entry via pad";
+		if (pkcs11_keep_state)
+		{
+			scx_verify_pin(sc);
+		}
+	}
 	else
-	    pin_status = "pin entry via prompt";
-    }
-    else if (tokeqword("%pinpad"))
-    {
-	shift();
-	/* pin will be entered via pin pad during verification */
-	clonetochunk(sc->pin, "", 0, "empty pin");
-	sc->pinpad = TRUE;
-	sc->valid = TRUE;
-	pin_status = "pin entry via pad";
-	if (pkcs11_keep_state)
-	    scx_verify_pin(sc);
-    }
-    else
-    {	
-	/* we read the pin directly from ipsec.secrets */
-	err_t ugh = process_psk_secret(&sc->pin);
-	if (ugh != NULL)
-	return ugh;
-	/* verify the pin */
-	pin_status = scx_verify_pin(sc) ? "valid PIN" : "invalid PIN";
-    }
+	{   
+		/* we read the pin directly from ipsec.secrets */
+		err_t ugh = process_psk_secret(&sc->pin);
+		if (ugh != NULL)
+		return ugh;
+		/* verify the pin */
+		pin_status = scx_verify_pin(sc) ? "valid PIN" : "invalid PIN";
+	}
 #ifdef SMARTCARD
-    {
-	char buf[BUF_LEN];
+	{
+		char buf[BUF_LEN];
 
-	if (sc->any_slot)
-	    snprintf(buf, BUF_LEN, "any slot");
-	else
-	    snprintf(buf, BUF_LEN, "slot: %lu", sc->slot);
+		if (sc->any_slot)
+			snprintf(buf, BUF_LEN, "any slot");
+		else
+			snprintf(buf, BUF_LEN, "slot: %lu", sc->slot);
 
-        plog("  %s for #%d (%s, id: %s)"
-	    , pin_status, sc->number, scx_print_slot(sc, ""), sc->id);
-    }
+		plog("  %s for #%d (%s, id: %s)"
+			, pin_status, sc->number, scx_print_slot(sc, ""), sc->id);
+	}
 #else
-    plog("  warning: SMARTCARD support is deactivated in pluto/Makefile!");
+	plog("  warning: SMARTCARD support is deactivated in pluto/Makefile!");
 #endif
-    return NULL;
+	return NULL;
 }
 
-static void
-log_psk(secret_t *s)
+static void log_psk(secret_t *s)
 {
-    int n = 0;
-    char buf[BUF_LEN];
-    id_list_t *id_list = s->ids;
-
-    if (id_list == NULL)
-    {
-	n = snprintf(buf, BUF_LEN, "%%any");
-    }
-    else
-    {
-	do
+	int n = 0;
+	char buf[BUF_LEN];
+	id_list_t *id_list = s->ids;
+
+	if (id_list == NULL)
 	{
-	    n += idtoa(&id_list->id, buf + n, BUF_LEN - n);
-	    if (n >= BUF_LEN)
-	    {
-		n = BUF_LEN - 1;
-		break;
-	    }
-	    else if (n < BUF_LEN - 1)
-	    {
-		n += snprintf(buf + n, BUF_LEN - n, " ");
-	    }
-	    id_list = id_list->next;
+		n = snprintf(buf, BUF_LEN, "%%any");
 	}
-	while (id_list);
-    }
-    plog("  loaded shared key for %.*s", n, buf);
+	else
+	{
+		do
+		{
+			n += idtoa(&id_list->id, buf + n, BUF_LEN - n);
+			if (n >= BUF_LEN)
+			{
+				n = BUF_LEN - 1;
+				break;
+			}
+			else if (n < BUF_LEN - 1)
+			{
+				n += snprintf(buf + n, BUF_LEN - n, " ");
+			}
+			id_list = id_list->next;
+		}
+		while (id_list);
+	}
+	plog("  loaded shared key for %.*s", n, buf);
 }
 
-static void
-process_secret(secret_t *s, int whackfd)
+static void process_secret(secret_t *s, int whackfd)
 {
-    err_t ugh = NULL;
-
-    s->kind = PPK_PSK;	/* default */
-    if (*tok == '"' || *tok == '\'')
-    {
-	/* old PSK format: just a string */
-	log_psk(s);
-	ugh = process_psk_secret(&s->u.preshared_secret);
-    }
-    else if (tokeqword("psk"))
-    {
-	/* preshared key: quoted string or ttodata format */
-	log_psk(s);
-	ugh = !shift()? "unexpected end of record in PSK"
-	    : process_psk_secret(&s->u.preshared_secret);
-    }
-    else if (tokeqword("rsa"))
-    {
-	/* RSA key: the fun begins.
-	 * A braced list of keyword and value pairs.
-	 */
-	s->kind = PPK_RSA;
-	if (!shift())
+	err_t ugh = NULL;
+
+	s->kind = PPK_PSK;  /* default */
+	if (*tok == '"' || *tok == '\'')
+	{
+		/* old PSK format: just a string */
+		log_psk(s);
+		ugh = process_psk_secret(&s->u.preshared_secret);
+	}
+	else if (tokeqword("psk"))
+	{
+		/* preshared key: quoted string or ttodata format */
+		log_psk(s);
+		ugh = !shift()? "unexpected end of record in PSK"
+			: process_psk_secret(&s->u.preshared_secret);
+	}
+	else if (tokeqword("rsa"))
+	{
+		/* RSA key: the fun begins.
+		 * A braced list of keyword and value pairs.
+		 */
+		s->kind = PPK_PUBKEY;
+		if (!shift())
+		{
+			ugh = "bad RSA key syntax";
+		}
+		else if (tokeq("{"))
+		{
+			ugh = process_rsa_secret(&s->u.private_key);
+		}
+		else
+		{
+		   ugh = process_keyfile(&s->u.private_key, KEY_RSA, whackfd);
+		}
+	}
+	else if (tokeqword("ecdsa"))
+	{
+		s->kind = PPK_PUBKEY;
+		if (!shift())
+		{
+			ugh = "bad ECDSA key syntax";
+		}
+		else
+		{
+		   ugh = process_keyfile(&s->u.private_key, KEY_ECDSA, whackfd);
+		}
+	}
+	else if (tokeqword("xauth"))
 	{
-	    ugh = "bad RSA key syntax";
+		ugh = process_xauth(s);
 	}
-	else if (tokeq("{"))
+	else if (tokeqword("pin"))
 	{
-	    ugh = process_rsa_secret(&s->u.RSA_private_key);
+		ugh = process_pin(s, whackfd);
 	}
 	else
 	{
-	   ugh = process_rsa_keyfile(&s->u.RSA_private_key, whackfd);
+		ugh = builddiag("unrecognized key format: %s", tok);
 	}
-    }
-    else if (tokeqword("xauth"))
-    {
-	ugh = process_xauth(s);
-    }
-    else if (tokeqword("pin"))
-    {
-	ugh = process_pin(s, whackfd);
-    }
-    else
-    {
-	ugh = builddiag("unrecognized key format: %s", tok);
-    }
-
-    if (ugh != NULL)
-    {
-	loglog(RC_LOG_SERIOUS, "\"%s\" line %d: %s"
-	    , flp->filename, flp->lino, ugh);
-	pfree(s);
-    }
-    else if (flushline("expected record boundary in key"))
-    {
-	/* gauntlet has been run: install new secret */
-	lock_certs_and_keys("process_secret");
-	s->next = secrets;
-	secrets = s;
-	unlock_certs_and_keys("process_secrets");
-    }
-}
-
-static void process_secrets_file(const char *file_pat, int whackfd);	/* forward declaration */
-
-static void
-process_secret_records(int whackfd)
-{
-    /* read records from ipsec.secrets and load them into our table */
-    for (;;)
-    {
-	(void)flushline(NULL);	/* silently ditch leftovers, if any */
-	if (flp->bdry == B_file)
-	    break;
-
-	flp->bdry = B_none;	/* eat the Record Boundary */
-	(void)shift();	/* get real first token */
 
-	if (tokeqword("include"))
+	if (ugh != NULL)
 	{
-	    /* an include directive */
-	    char fn[MAX_TOK_LEN];	/* space for filename (I hope) */
-	    char *p = fn;
-	    char *end_prefix = strrchr(flp->filename, '/');
-
-	    if (!shift())
-	    {
-		loglog(RC_LOG_SERIOUS, "\"%s\" line %d: unexpected end of include directive"
-		    , flp->filename, flp->lino);
-		continue;   /* abandon this record */
-	    }
-
-	    /* if path is relative and including file's pathname has
-	     * a non-empty dirname, prefix this path with that dirname.
-	     */
-	    if (tok[0] != '/' && end_prefix != NULL)
-	    {
-		size_t pl = end_prefix - flp->filename + 1;
-
-		/* "clamp" length to prevent problems now;
-		 * will be rediscovered and reported later.
-		 */
-		if (pl > sizeof(fn))
-		    pl = sizeof(fn);
-		memcpy(fn, flp->filename, pl);
-		p += pl;
-	    }
-	    if (flp->cur - tok >= &fn[sizeof(fn)] - p)
-	    {
-		loglog(RC_LOG_SERIOUS, "\"%s\" line %d: include pathname too long"
-		    , flp->filename, flp->lino);
-		continue;   /* abandon this record */
-	    }
-	    strcpy(p, tok);
-	    (void) shift();	/* move to Record Boundary, we hope */
-	    if (flushline("ignoring malformed INCLUDE -- expected Record Boundary after filename"))
-	    {
-		process_secrets_file(fn, whackfd);
-		tok = NULL;	/* correct, but probably redundant */
-	    }
+		loglog(RC_LOG_SERIOUS, "\"%s\" line %d: %s"
+			, flp->filename, flp->lino, ugh);
+		free(s);
 	}
-	else
+	else if (flushline("expected record boundary in key"))
 	{
-	    /* expecting a list of indices and then the key info */
-	    secret_t *s = alloc_thing(secret_t, "secret");
+		/* gauntlet has been run: install new secret */
+		lock_certs_and_keys("process_secret");
+		s->next = secrets;
+		secrets = s;
+		unlock_certs_and_keys("process_secrets");
+	}
+}
 
-	    s->ids = NULL;
-	    s->kind = PPK_PSK;	/* default */
-	    setchunk(s->u.preshared_secret, NULL, 0);
-	    s->next = NULL;
+static void process_secrets_file(const char *file_pat, int whackfd);    /* forward declaration */
 
-	    for (;;)
-	    {
-		if (tok[0] == '"' || tok[0] == '\'')
+static void process_secret_records(int whackfd)
+{
+	/* read records from ipsec.secrets and load them into our table */
+	for (;;)
+	{
+		(void)flushline(NULL);  /* silently ditch leftovers, if any */
+		if (flp->bdry == B_file)
 		{
-		    /* found key part */
-		    process_secret(s, whackfd);
-		    break;
+			break;
 		}
-		else if (tokeq(":"))
+		flp->bdry = B_none;     /* eat the Record Boundary */
+		(void)shift();  /* get real first token */
+
+		if (tokeqword("include"))
 		{
-		    /* found key part */
-		    shift();	/* discard explicit separator */
-		    process_secret(s, whackfd);
-		    break;
+			/* an include directive */
+			char fn[MAX_TOK_LEN];       /* space for filename (I hope) */
+			char *p = fn;
+			char *end_prefix = strrchr(flp->filename, '/');
+
+			if (!shift())
+			{
+				loglog(RC_LOG_SERIOUS, "\"%s\" line %d: unexpected end of include directive"
+					, flp->filename, flp->lino);
+				continue;   /* abandon this record */
+			}
+
+			/* if path is relative and including file's pathname has
+			 * a non-empty dirname, prefix this path with that dirname.
+			 */
+			if (tok[0] != '/' && end_prefix != NULL)
+			{
+				size_t pl = end_prefix - flp->filename + 1;
+
+				/* "clamp" length to prevent problems now;
+				 * will be rediscovered and reported later.
+				 */
+				if (pl > sizeof(fn))
+				{
+					pl = sizeof(fn);
+				}
+				memcpy(fn, flp->filename, pl);
+				p += pl;
+			}
+			if (flp->cur - tok >= &fn[sizeof(fn)] - p)
+			{
+				loglog(RC_LOG_SERIOUS, "\"%s\" line %d: include pathname too long"
+					, flp->filename, flp->lino);
+				continue;   /* abandon this record */
+			}
+			strcpy(p, tok);
+			(void) shift();     /* move to Record Boundary, we hope */
+			if (flushline("ignoring malformed INCLUDE -- expected Record Boundary after filename"))
+			{
+				process_secrets_file(fn, whackfd);
+				tok = NULL;     /* correct, but probably redundant */
+			}
 		}
 		else
 		{
-		    /* an id
-		     * See RFC2407 IPsec Domain of Interpretation 4.6.2
-		     */
-		    struct id id;
-		    err_t ugh;
-
-		    if (tokeq("%any"))
-		    {
-			id = empty_id;
-			id.kind = ID_IPV4_ADDR;
-			ugh = anyaddr(AF_INET, &id.ip_addr);
-		    }
-		    else if (tokeq("%any6"))
-		    {
-			id = empty_id;
-			id.kind = ID_IPV6_ADDR;
-			ugh = anyaddr(AF_INET6, &id.ip_addr);
-		    }
-		    else
-		    {
-			ugh = atoid(tok, &id, FALSE);
-		    }
-
-		    if (ugh != NULL)
-		    {
-			loglog(RC_LOG_SERIOUS
-			    , "ERROR \"%s\" line %d: index \"%s\" %s"
-			    , flp->filename, flp->lino, tok, ugh);
-		    }
-		    else
-		    {
-			id_list_t *i = alloc_thing(id_list_t
-			    , "id_list");
-
-			i->id = id;
-			unshare_id_content(&i->id);
-			i->next = s->ids;
-			s->ids = i;
-			/* DBG_log("id type %d: %s %.*s", i->kind, ip_str(&i->ip_addr), (int)i->name.len, i->name.ptr); */
-		    }
-		    if (!shift())
-		    {
-			/* unexpected Record Boundary or EOF */
-			loglog(RC_LOG_SERIOUS, "\"%s\" line %d: unexpected end of id list"
-			    , flp->filename, flp->lino);
-			break;
-		    }
+			/* expecting a list of indices and then the key info */
+			secret_t *s = malloc_thing(secret_t);
+
+			zero(s);
+			s->ids = NULL;
+			s->kind = PPK_PSK;  /* default */
+			s->u.preshared_secret = chunk_empty;
+			s->next = NULL;
+
+			for (;;)
+			{
+				if (tok[0] == '"' || tok[0] == '\'')
+				{
+					/* found key part */
+					process_secret(s, whackfd);
+					break;
+				}
+				else if (tokeq(":"))
+				{
+					/* found key part */
+					shift();    /* discard explicit separator */
+					process_secret(s, whackfd);
+					break;
+				}
+				else
+				{
+					/* an id
+					 * See RFC2407 IPsec Domain of Interpretation 4.6.2
+					 */
+					struct id id;
+					err_t ugh;
+
+					if (tokeq("%any"))
+					{
+						id = empty_id;
+						id.kind = ID_IPV4_ADDR;
+						ugh = anyaddr(AF_INET, &id.ip_addr);
+					}
+					else if (tokeq("%any6"))
+					{
+						id = empty_id;
+						id.kind = ID_IPV6_ADDR;
+						ugh = anyaddr(AF_INET6, &id.ip_addr);
+					}
+					else
+					{
+						ugh = atoid(tok, &id, FALSE);
+					}
+
+					if (ugh != NULL)
+					{
+						loglog(RC_LOG_SERIOUS
+							, "ERROR \"%s\" line %d: index \"%s\" %s"
+							, flp->filename, flp->lino, tok, ugh);
+					}
+					else
+					{
+						id_list_t *i = malloc_thing(id_list_t);
+
+						i->id = id;
+						unshare_id_content(&i->id);
+						i->next = s->ids;
+						s->ids = i;
+						/* DBG_log("id type %d: %s %.*s", i->kind, ip_str(&i->ip_addr), (int)i->name.len, i->name.ptr); */
+					}
+					if (!shift())
+					{
+						/* unexpected Record Boundary or EOF */
+						loglog(RC_LOG_SERIOUS, "\"%s\" line %d: unexpected end of id list"
+							, flp->filename, flp->lino);
+						break;
+					}
+				}
+			}
 		}
-	    }
 	}
-    }
 }
 
-static int
-globugh(const char *epath, int eerrno)
+static int globugh(const char *epath, int eerrno)
 {
-    log_errno_routine(eerrno, "problem with secrets file \"%s\"", epath);
-    return 1;	/* stop glob */
+	log_errno_routine(eerrno, "problem with secrets file \"%s\"", epath);
+	return 1;   /* stop glob */
 }
 
-static void
-process_secrets_file(const char *file_pat, int whackfd)
+static void process_secrets_file(const char *file_pat, int whackfd)
 {
-    struct file_lex_position pos;
-    char **fnp;
-    glob_t globbuf;
-
-    pos.depth = flp == NULL? 0 : flp->depth + 1;
+	struct file_lex_position pos;
+	char **fnp;
+	glob_t globbuf;
 
-    if (pos.depth > 10)
-    {
-	loglog(RC_LOG_SERIOUS, "preshared secrets file \"%s\" nested too deeply", file_pat);
-	return;
-    }
+	pos.depth = flp == NULL? 0 : flp->depth + 1;
 
-    /* do globbing */
-    {
-	int r = glob(file_pat, GLOB_ERR, globugh, &globbuf);
+	if (pos.depth > 10)
+	{
+		loglog(RC_LOG_SERIOUS, "preshared secrets file \"%s\" nested too deeply", file_pat);
+		return;
+	}
 
-	if (r != 0)
+	/* do globbing */
 	{
-	    switch (r)
-	    {
-	    case GLOB_NOSPACE:
-		loglog(RC_LOG_SERIOUS, "out of space processing secrets filename \"%s\"", file_pat);
-		break;
-	    case GLOB_ABORTED:
-		break;	/* already logged */
-	    case GLOB_NOMATCH:
-		loglog(RC_LOG_SERIOUS, "no secrets filename matched \"%s\"", file_pat);
-		break;
-	    default:
-		loglog(RC_LOG_SERIOUS, "unknown glob error %d", r);
-		break;
-	    }
-	    globfree(&globbuf);
-	    return;
+		int r = glob(file_pat, GLOB_ERR, globugh, &globbuf);
+
+		if (r != 0)
+		{
+			switch (r)
+			{
+			case GLOB_NOSPACE:
+				loglog(RC_LOG_SERIOUS, "out of space processing secrets filename \"%s\"", file_pat);
+				break;
+			case GLOB_ABORTED:
+				break;  /* already logged */
+			case GLOB_NOMATCH:
+				loglog(RC_LOG_SERIOUS, "no secrets filename matched \"%s\"", file_pat);
+				break;
+			default:
+				loglog(RC_LOG_SERIOUS, "unknown glob error %d", r);
+				break;
+			}
+			globfree(&globbuf);
+			return;
+		}
 	}
-    }
 
-    /* for each file... */
-    for (fnp = globbuf.gl_pathv; *fnp != NULL; fnp++)
-    {
-	if (lexopen(&pos, *fnp, FALSE))
+	/* for each file... */
+	for (fnp = globbuf.gl_pathv; *fnp != NULL; fnp++)
 	{
-	    plog("loading secrets from \"%s\"", *fnp);
-	    (void) flushline("file starts with indentation (continuation notation)");
-	    process_secret_records(whackfd);
-	    lexclose();
+		if (lexopen(&pos, *fnp, FALSE))
+		{
+			plog("loading secrets from \"%s\"", *fnp);
+			(void) flushline("file starts with indentation (continuation notation)");
+			process_secret_records(whackfd);
+			lexclose();
+		}
 	}
-    }
 
-    globfree(&globbuf);
+	globfree(&globbuf);
 }
 
-void
-free_preshared_secrets(void)
+void free_preshared_secrets(void)
 {
-    lock_certs_and_keys("free_preshared_secrets");
+	lock_certs_and_keys("free_preshared_secrets");
 
-    if (secrets != NULL)
-    {
-	secret_t *s, *ns;
+	if (secrets != NULL)
+	{
+		secret_t *s, *ns;
 
-	plog("forgetting secrets");
+		plog("forgetting secrets");
 
-	for (s = secrets; s != NULL; s = ns)
-	{
-	    id_list_t *i, *ni;
-
-	    ns = s->next;	/* grab before freeing s */
-	    for (i = s->ids; i != NULL; i = ni)
-	    {
-		ni = i->next;	/* grab before freeing i */
-		free_id_content(&i->id);
-		pfree(i);
-	    }
-	    switch (s->kind)
-	    {
-	    case PPK_PSK:
-		pfree(s->u.preshared_secret.ptr);
-		break;
-	    case PPK_RSA:
-		free_RSA_private_content(&s->u.RSA_private_key);
-		break;
-	    case PPK_XAUTH:
-		pfree(s->u.xauth_secret.user_name.ptr);
-		pfree(s->u.xauth_secret.user_password.ptr);
-		break;
-	    case PPK_PIN:
-		scx_release(s->u.smartcard);
-		break;
-	    default:
-		bad_case(s->kind);
-	    }
-	    pfree(s);
+		for (s = secrets; s != NULL; s = ns)
+		{
+			id_list_t *i, *ni;
+
+			ns = s->next;       /* grab before freeing s */
+			for (i = s->ids; i != NULL; i = ni)
+			{
+				ni = i->next;   /* grab before freeing i */
+				free_id_content(&i->id);
+				free(i);
+			}
+			switch (s->kind)
+			{
+			case PPK_PSK:
+				free(s->u.preshared_secret.ptr);
+				break;
+			case PPK_PUBKEY:
+				DESTROY_IF(s->u.private_key);
+				break;
+			case PPK_XAUTH:
+				free(s->u.xauth_secret.user_name.ptr);
+				free(s->u.xauth_secret.user_password.ptr);
+				break;
+			case PPK_PIN:
+				scx_release(s->u.smartcard);
+				break;
+			default:
+				bad_case(s->kind);
+			}
+			free(s);
+		}
+		secrets = NULL;
 	}
-	secrets = NULL;
-    }
 
-    unlock_certs_and_keys("free_preshard_secrets");
+	unlock_certs_and_keys("free_preshard_secrets");
 }
 
-void
-load_preshared_secrets(int whackfd)
+void load_preshared_secrets(int whackfd)
 {
-    free_preshared_secrets();
-    (void) process_secrets_file(shared_secrets_file, whackfd);
+	free_preshared_secrets();
+	(void) process_secrets_file(shared_secrets_file, whackfd);
 }
 
 /* public key machinery
  * Note: caller must set dns_auth_level.
  */
 
-pubkey_t *
-public_key_from_rsa(const RSA_public_key_t *k)
+pubkey_t* public_key_from_rsa(public_key_t *key)
 {
-    pubkey_t *p = alloc_thing(pubkey_t, "pubkey");
-
-    p->id = empty_id;	/* don't know, doesn't matter */
-    p->issuer = empty_chunk;
-    p->serial = empty_chunk;
-    p->alg = PUBKEY_ALG_RSA;
-
-    memcpy(p->u.rsa.keyid, k->keyid, sizeof(p->u.rsa.keyid));
-    p->u.rsa.k = k->k;
-    mpz_init_set(&p->u.rsa.e, &k->e);
-    mpz_init_set(&p->u.rsa.n, &k->n);
-
-    /* note that we return a 1 reference count upon creation:
-     * invariant: recount > 0.
-     */
-    p->refcnt = 1;
-    time(&p->installed_time);
-    return p;
+	pubkey_t *p = malloc_thing(pubkey_t);
+
+	zero(p);
+	p->id = empty_id;   /* don't know, doesn't matter */
+	p->issuer = chunk_empty;
+	p->serial = chunk_empty;
+	p->public_key = key;
+
+	/* note that we return a 1 reference count upon creation:
+	 * invariant: recount > 0.
+	 */
+	p->refcnt = 1;
+	time(&p->installed_time);
+	return p;
 }
 
 /* Free a public key record.
  * As a convenience, this returns a pointer to next.
  */
-pubkey_list_t *
-free_public_keyentry(pubkey_list_t *p)
+pubkey_list_t* free_public_keyentry(pubkey_list_t *p)
 {
-    pubkey_list_t *nxt = p->next;
+	pubkey_list_t *nxt = p->next;
 
-    if (p->key != NULL)
-	unreference_key(&p->key);
-    pfree(p);
-    return nxt;
+	if (p->key != NULL)
+	{
+		unreference_key(&p->key);
+	}
+	free(p);
+	return nxt;
 }
 
-void
-free_public_keys(pubkey_list_t **keys)
+void free_public_keys(pubkey_list_t **keys)
 {
-    while (*keys != NULL)
-	*keys = free_public_keyentry(*keys);
+	while (*keys != NULL)
+	{
+		*keys = free_public_keyentry(*keys);
+	}
 }
 
 /* root of chained public key list */
 
-pubkey_list_t *pubkeys = NULL;	/* keys from ipsec.conf */
+pubkey_list_t *pubkeys = NULL;  /* keys from ipsec.conf */
 
-void
-free_remembered_public_keys(void)
+void free_remembered_public_keys(void)
 {
-    free_public_keys(&pubkeys);
+	free_public_keys(&pubkeys);
 }
 
-/* transfer public keys from *keys list to front of pubkeys list */
-void
-transfer_to_public_keys(struct gw_info *gateways_from_dns
+/**
+ * Transfer public keys from *keys list to front of pubkeys list
+ */
+void transfer_to_public_keys(struct gw_info *gateways_from_dns
 #ifdef USE_KEYRR
 , pubkey_list_t **keys
 #endif /* USE_KEYRR */
 )
 {
-    {
-	struct gw_info *gwp;
-
-	for (gwp = gateways_from_dns; gwp != NULL; gwp = gwp->next)
 	{
-	    pubkey_list_t *pl = alloc_thing(pubkey_list_t, "from TXT");
+		struct gw_info *gwp;
 
-	    pl->key = gwp->key;	/* note: this is a transfer */
-	    gwp->key = NULL;	/* really, it is! */
-	    pl->next = pubkeys;
-	    pubkeys = pl;
+		for (gwp = gateways_from_dns; gwp != NULL; gwp = gwp->next)
+		{
+			pubkey_list_t *pl = malloc_thing(pubkey_list_t);
+
+			pl->key = gwp->key; /* note: this is a transfer */
+			gwp->key = NULL;    /* really, it is! */
+			pl->next = pubkeys;
+			pubkeys = pl;
+		}
 	}
-    }
 
 #ifdef USE_KEYRR
-    {
-	pubkey_list_t **pp = keys;
-
-	while (*pp != NULL)
-	    pp = &(*pp)->next;
-	*pp = pubkeys;
-	pubkeys = *keys;
-	*keys = NULL;
-    }
+	{
+		pubkey_list_t **pp = keys;
+
+		while (*pp != NULL)
+		{
+			pp = &(*pp)->next;
+		}
+		*pp = pubkeys;
+		pubkeys = *keys;
+		*keys = NULL;
+	}
 #endif /* USE_KEYRR */
 }
 
-/* decode of RSA pubkey chunk
- * - format specified in RFC 2537 RSA/MD5 Keys and SIGs in the DNS
- * - exponent length in bytes (1 or 3 octets)
- *   + 1 byte if in [1, 255]
- *   + otherwise 0x00 followed by 2 bytes of length
- * - exponent
- * - modulus
- */
-err_t
-unpack_RSA_public_key(RSA_public_key_t *rsa, const chunk_t *pubkey)
-{
-    chunk_t exp;
-    chunk_t mod;
-
-    if (pubkey->len < 3)
-	return "RSA public key blob way to short";	/* not even room for length! */
-
-    if (pubkey->ptr[0] != 0x00)
-    {
-	setchunk(exp, pubkey->ptr + 1, pubkey->ptr[0]);
-    }
-    else
-    {
-	setchunk(exp, pubkey->ptr + 3
-	    , (pubkey->ptr[1] << BITS_PER_BYTE) + pubkey->ptr[2]);
-    }
-
-    if (pubkey->len - (exp.ptr - pubkey->ptr) < exp.len + RSA_MIN_OCTETS_RFC)
-	return "RSA public key blob too short";
-
-    mod.ptr = exp.ptr + exp.len;
-    mod.len = &pubkey->ptr[pubkey->len] - mod.ptr;
-
-    if (mod.len < RSA_MIN_OCTETS)
-	return RSA_MIN_OCTETS_UGH;
-
-    if (mod.len > RSA_MAX_OCTETS)
-	return RSA_MAX_OCTETS_UGH;
-
-    init_RSA_public_key(rsa, exp, mod);
-    rsa->k = mpz_sizeinbase(&rsa->n, 2);	/* size in bits, for a start */
-    rsa->k = (rsa->k + BITS_PER_BYTE - 1) / BITS_PER_BYTE;	/* now octets */
-    DBG(DBG_RAW,
-	RSA_show_public_key(rsa)
-    )
-
-    if (rsa->k != mod.len)
-    {
-	mpz_clear(&rsa->e);
-	mpz_clear(&rsa->n);
-	return "RSA modulus shorter than specified";
-    }
-
-    return NULL;
-}
 
-static void
-install_public_key(pubkey_t *pk, pubkey_list_t **head)
+static void install_public_key(pubkey_t *pk, pubkey_list_t **head)
 {
-    pubkey_list_t *p = alloc_thing(pubkey_list_t, "pubkey entry");
+	pubkey_list_t *p = malloc_thing(pubkey_list_t);
 
-    unshare_id_content(&pk->id);
+	unshare_id_content(&pk->id);
 
-    /* copy issuer dn */
-    if (pk->issuer.ptr != NULL)
-	pk->issuer.ptr = clone_bytes(pk->issuer.ptr, pk->issuer.len, "issuer dn");
+	/* copy issuer dn */
+	pk->issuer = chunk_clone(pk->issuer);
 
-    /* copy serial number */
-    if (pk->serial.ptr != NULL)
-	pk->serial.ptr = clone_bytes(pk->serial.ptr, pk->serial.len, "serialNumber");
+	/* copy serial number */
+	pk->serial = chunk_clone(pk->serial);
 
-    /* store the time the public key was installed */
-    time(&pk->installed_time);
+	/* store the time the public key was installed */
+	time(&pk->installed_time);
 
-    /* install new key at front */
-    p->key = reference_key(pk);
-    p->next = *head;
-    *head = p;
+	/* install new key at front */
+	p->key = reference_key(pk);
+	p->next = *head;
+	*head = p;
 }
 
-
-void
-delete_public_keys(const struct id *id, enum pubkey_alg alg
-, chunk_t issuer, chunk_t serial)
+void delete_public_keys(const struct id *id, key_type_t type,
+						chunk_t issuer, chunk_t serial)
 {
-    pubkey_list_t **pp, *p;
-    pubkey_t *pk;
-
-    for (pp = &pubkeys; (p = *pp) != NULL; )
-    {
-	pk = p->key;
-
-	if (same_id(id, &pk->id) && pk->alg == alg
-	&& (issuer.ptr == NULL || pk->issuer.ptr == NULL
-	    || same_dn(issuer, pk->issuer))
-	&& same_serial(serial, pk->serial))
-	    *pp = free_public_keyentry(p);
-	else
-	    pp = &p->next;
-    }
+	pubkey_list_t **pp, *p;
+	pubkey_t *pk;
+	key_type_t pk_type;
+
+	for (pp = &pubkeys; (p = *pp) != NULL; )
+	{
+		pk = p->key;
+		pk_type = pk->public_key->get_type(pk->public_key);
+
+		if (same_id(id, &pk->id) && pk_type == type
+		&& (issuer.ptr == NULL || pk->issuer.ptr == NULL
+			|| same_dn(issuer, pk->issuer))
+		&& same_serial(serial, pk->serial))
+		{
+			*pp = free_public_keyentry(p);
+		}
+		else
+		{
+			pp = &p->next;
+		}
+	}
 }
 
-pubkey_t *
-reference_key(pubkey_t *pk)
+pubkey_t* reference_key(pubkey_t *pk)
 {
-    pk->refcnt++;
-    return pk;
+	pk->refcnt++;
+	return pk;
 }
 
 void
 unreference_key(pubkey_t **pkp)
 {
-    pubkey_t *pk = *pkp;
-    char b[BUF_LEN];
+	pubkey_t *pk = *pkp;
+	char b[BUF_LEN];
 
-    if (pk == NULL)
-	return;
+	if (pk == NULL)
+	{
+		return;
+	}
 
-    /* print stuff */
-    DBG(DBG_CONTROLMORE,
-	idtoa(&pk->id, b, sizeof(b));
-	DBG_log("unreference key: %p %s cnt %d--", pk, b, pk->refcnt)
-    )
+	/* print stuff */
+	DBG(DBG_CONTROLMORE,
+		idtoa(&pk->id, b, sizeof(b));
+		DBG_log("unreference key: %p %s cnt %d--", pk, b, pk->refcnt)
+	)
 
-    /* cancel out the pointer */
-    *pkp = NULL;
+	/* cancel out the pointer */
+	*pkp = NULL;
 
-    passert(pk->refcnt != 0);
-    pk->refcnt--;
-    if (pk->refcnt == 0)
-	free_public_key(pk);
+	passert(pk->refcnt != 0);
+	pk->refcnt--;
+	if (pk->refcnt == 0)
+	{
+		free_public_key(pk);
+	}
 }
 
-err_t
-add_public_key(const struct id *id
-, enum dns_auth_level dns_auth_level
-, enum pubkey_alg alg
-, const chunk_t *key
-, pubkey_list_t **head)
+bool add_public_key(const struct id *id, enum dns_auth_level dns_auth_level,
+					enum pubkey_alg alg, chunk_t rfc3110_key,
+					pubkey_list_t **head)
 {
-    pubkey_t *pk = alloc_thing(pubkey_t, "pubkey");
+	public_key_t *key = NULL;
+	pubkey_t *pk;
 
-    /* first: algorithm-specific decoding of key chunk */
-    switch (alg)
-    {
-    case PUBKEY_ALG_RSA:
+   /* first: algorithm-specific decoding of key chunk */
+	switch (alg)
 	{
-	    err_t ugh = unpack_RSA_public_key(&pk->u.rsa, key);
-
-	    if (ugh != NULL)
-	    {
-		pfree(pk);
-		return ugh;
-	    }
+		case PUBKEY_ALG_RSA:
+			key = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
+										BUILD_BLOB_RFC_3110, rfc3110_key,
+										BUILD_END);
+			if (key == NULL)
+			{
+				return FALSE;
+			}
+			break;
+		default:
+			bad_case(alg);
 	}
-	break;
-    default:
-	bad_case(alg);
-    }
-
-    pk->id = *id;
-    pk->dns_auth_level = dns_auth_level;
-    pk->alg = alg;
-    pk->until_time = UNDEFINED_TIME;
-    pk->issuer = empty_chunk;
-    pk->serial = empty_chunk;
-       
-    install_public_key(pk, head);
-    return NULL;
+
+	pk = malloc_thing(pubkey_t);
+	zero(pk);
+	pk->public_key = key;
+	pk->id = *id;
+	pk->dns_auth_level = dns_auth_level;
+	pk->until_time = UNDEFINED_TIME;
+	pk->issuer = chunk_empty;
+	pk->serial = chunk_empty;
+	install_public_key(pk, head);
+	return TRUE;
 }
 
 /* extract id and public key from x.509 certificate and
  * insert it into a pubkeyrec
  */
-void
-add_x509_public_key(x509cert_t *cert , time_t until
-    , enum dns_auth_level dns_auth_level)
+void add_x509_public_key(x509cert_t *cert , time_t until,
+						 enum dns_auth_level dns_auth_level)
 {
-    generalName_t *gn;
-    pubkey_t *pk;
-    cert_t c = { CERT_X509_SIGNATURE, {cert} };
-
-    /* we support RSA only */
-    if (cert->subjectPublicKeyAlgorithm != PUBKEY_ALG_RSA)
-	return;
-
-    /* ID type: ID_DER_ASN1_DN  (X.509 subject field) */
-    pk = allocate_RSA_public_key(c);
-    pk->id.kind = ID_DER_ASN1_DN;
-    pk->id.name = cert->subject;
-    pk->dns_auth_level = dns_auth_level;
-    pk->until_time = until;
-    pk->issuer = cert->issuer;
-    pk->serial = cert->serialNumber;
-    delete_public_keys(&pk->id, pk->alg, pk->issuer, pk->serial);
-    install_public_key(pk, &pubkeys);
-
-    gn = cert->subjectAltName;
-
-    while (gn != NULL) /* insert all subjectAltNames */
-    {
-	struct id id = empty_id;
-
-	gntoid(&id, gn);
-	if (id.kind != ID_NONE)
+	generalName_t *gn;
+	pubkey_t *pk;
+	key_type_t pk_type;
+
+	/* ID type: ID_DER_ASN1_DN  (X.509 subject field) */
+	pk = malloc_thing(pubkey_t);
+	zero(pk);
+	pk->public_key = cert->public_key->get_ref(cert->public_key);
+	pk->id.kind = ID_DER_ASN1_DN;
+	pk->id.name = cert->subject;
+	pk->dns_auth_level = dns_auth_level;
+	pk->until_time = until;
+	pk->issuer = cert->issuer;
+	pk->serial = cert->serialNumber;
+	pk_type = pk->public_key->get_type(pk->public_key);
+	delete_public_keys(&pk->id, pk_type, pk->issuer, pk->serial);
+	install_public_key(pk, &pubkeys);
+
+	gn = cert->subjectAltName;
+
+	while (gn != NULL) /* insert all subjectAltNames */
 	{
-	    pk = allocate_RSA_public_key(c);
-	    pk->id = id;
-	    pk->dns_auth_level = dns_auth_level;
-	    pk->until_time = until;
-	    pk->issuer = cert->issuer;
-	    pk->serial = cert->serialNumber;
-	    delete_public_keys(&pk->id, pk->alg, pk->issuer, pk->serial);
-	    install_public_key(pk, &pubkeys);
+		struct id id = empty_id;
+
+		gntoid(&id, gn);
+		if (id.kind != ID_ANY)
+		{
+			pk = malloc_thing(pubkey_t);
+			zero(pk);
+			pk->public_key = cert->public_key->get_ref(cert->public_key);
+			pk->id = id;
+			pk->dns_auth_level = dns_auth_level;
+			pk->until_time = until;
+			pk->issuer = cert->issuer;
+			pk->serial = cert->serialNumber;
+			delete_public_keys(&pk->id, pk_type, pk->issuer, pk->serial);
+			install_public_key(pk, &pubkeys);
+		}
+		gn = gn->next;
 	}
-	gn = gn->next;
-    }
 }
 
 /* extract id and public key from OpenPGP certificate and
  * insert it into a pubkeyrec
  */
-void
-add_pgp_public_key(pgpcert_t *cert , time_t until
-    , enum dns_auth_level dns_auth_level)
+void add_pgp_public_key(pgpcert_t *cert , time_t until,
+						enum dns_auth_level dns_auth_level)
 {
-    pubkey_t *pk;
-    cert_t c;
-
-    c.type = CERT_PGP;
-    c.u.pgp = cert;
-
-    /* we support RSA only */
-    if (cert->pubkeyAlg != PUBKEY_ALG_RSA)
-    {
-	plog("  RSA public keys supported only");
-	return;
-    }
-
-    pk = allocate_RSA_public_key(c);
-    pk->id.kind = ID_KEY_ID;
-    pk->id.name.ptr = cert->fingerprint;
-    pk->id.name.len = PGP_FINGERPRINT_SIZE;
-    pk->dns_auth_level = dns_auth_level;
-    pk->until_time = until;
-    delete_public_keys(&pk->id, pk->alg, empty_chunk, empty_chunk);
-    install_public_key(pk, &pubkeys);
+	pubkey_t *pk;
+	key_type_t pk_type;
+
+	pk = malloc_thing(pubkey_t);
+	zero(pk);
+	pk->public_key = cert->public_key->get_ref(cert->public_key);
+	pk->id.kind = ID_KEY_ID;
+	pk->id.name = cert->fingerprint->get_encoding(cert->fingerprint);
+	pk->dns_auth_level = dns_auth_level;
+	pk->until_time = until;
+	pk_type = pk->public_key->get_type(pk->public_key);
+	delete_public_keys(&pk->id, pk_type, chunk_empty, chunk_empty);
+	install_public_key(pk, &pubkeys);
 }
 
 /*  when a X.509 certificate gets revoked, all instances of
  *  the corresponding public key must be removed
  */
-void
-remove_x509_public_key(const x509cert_t *cert)
+void remove_x509_public_key(const x509cert_t *cert)
 {
-    const cert_t c = {CERT_X509_SIGNATURE, {(x509cert_t*)cert}};
-    pubkey_list_t *p, **pp;
-    pubkey_t *revoked_pk;
+	public_key_t *revoked_key = cert->public_key;
+	pubkey_list_t *p, **pp;
 
-    revoked_pk = allocate_RSA_public_key(c);
-    p          = pubkeys;
-    pp         = &pubkeys;
+	p  = pubkeys;
+	pp = &pubkeys;
 
-    while(p != NULL)
-   {
-	if (same_RSA_public_key(&p->key->u.rsa, &revoked_pk->u.rsa))
-	{
-	    /* remove p from list and free memory */
-	    *pp = free_public_keyentry(p);
-	    loglog(RC_LOG_SERIOUS,
-		"invalid RSA public key deleted");
-	}
-	else
+	while(p != NULL)
 	{
-	    pp = &p->next;
+		if (revoked_key->equals(revoked_key, p->key->public_key))
+		{
+			/* remove p from list and free memory */
+			*pp = free_public_keyentry(p);
+			loglog(RC_LOG_SERIOUS, "invalid public key deleted");
+		}
+		else
+		{
+			pp = &p->next;
+		}
+		p =*pp;
 	}
-	p =*pp;
-    }
-    free_public_key(revoked_pk);
 }
 
 /*
@@ -1504,45 +1419,41 @@ remove_x509_public_key(const x509cert_t *cert)
  */
 void list_public_keys(bool utc)
 {
-    pubkey_list_t *p = pubkeys;
-
-    if (p != NULL)
-    {
-	whack_log(RC_COMMENT, " ");
-	whack_log(RC_COMMENT, "List of Public Keys:");
-	whack_log(RC_COMMENT, " ");
-    }
+	pubkey_list_t *p = pubkeys;
 
-    while (p != NULL)
-    {
-	pubkey_t *key = p->key;
+	if (p != NULL)
+	{
+		whack_log(RC_COMMENT, " ");
+		whack_log(RC_COMMENT, "List of Public Keys:");
+		whack_log(RC_COMMENT, " ");
+	}
 
-	if (key->alg == PUBKEY_ALG_RSA)
+	while (p != NULL)
 	{
-	    char buf[BUF_LEN];
-	    char expires_buf[TIMETOA_BUF];
-
-	    idtoa(&key->id, buf, BUF_LEN);
-	    strcpy(expires_buf, timetoa(&key->until_time, utc));
-	    whack_log(RC_COMMENT, "%s, %4d RSA Key %s, until %s %s",
-
-		timetoa(&key->installed_time, utc), 8*key->u.rsa.k, key->u.rsa.keyid,
-		expires_buf,
-		check_expiry(key->until_time, PUBKEY_WARNING_INTERVAL, TRUE));
-	    whack_log(RC_COMMENT,"       %s '%s'",
-		enum_show(&ident_names, key->id.kind), buf);
-	    if (key->issuer.len > 0)
-	    {
-		dntoa(buf, BUF_LEN, key->issuer);
-		whack_log(RC_COMMENT,"       issuer: '%s'", buf);
-	    }
-	    if (key->serial.len > 0)
-	    {
-		datatot(key->serial.ptr, key->serial.len, ':'
-			, buf, BUF_LEN);
-		whack_log(RC_COMMENT,"       serial:  %s", buf);
-	    }
+		pubkey_t *key = p->key;
+		public_key_t *public = key->public_key;
+		identification_t *keyid = public->get_id(public, ID_PUBKEY_INFO_SHA1);
+		char buf[BUF_LEN];
+
+		idtoa(&key->id, buf, BUF_LEN);
+		whack_log(RC_COMMENT,"%T, '%s'", &key->installed_time, utc, buf);
+		whack_log(RC_COMMENT, "       pubkey:  %N %4d bits, until %T %s",
+			key_type_names, public->get_type(public),
+			public->get_keysize(public) * BITS_PER_BYTE,
+			&key->until_time, utc,
+			check_expiry(key->until_time, PUBKEY_WARNING_INTERVAL, TRUE));
+		whack_log(RC_COMMENT,"       keyid:   %Y", keyid);
+		if (key->issuer.len > 0)
+		{
+			dntoa(buf, BUF_LEN, key->issuer);
+			whack_log(RC_COMMENT,"       issuer: '%s'", buf);
+		}
+		if (key->serial.len > 0)
+		{
+			datatot(key->serial.ptr, key->serial.len, ':'
+					, buf, BUF_LEN);
+			whack_log(RC_COMMENT,"       serial:  %s", buf);
+		}
+		p = p->next;
 	}
-	p = p->next;
-    }
 }
diff --git a/src/pluto/keys.h b/src/pluto/keys.h
index b06e536a5..8bc94d839 100644
--- a/src/pluto/keys.h
+++ b/src/pluto/keys.h
@@ -1,5 +1,6 @@
 /* mechanisms for preshared keys (public, private, and preshared secrets)
  * Copyright (C) 1998-2002  D. Hugh Redelmeier.
+ * Copyright (C) 2009 Andreas Steffen, Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -10,16 +11,14 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: keys.h 3252 2007-10-06 21:24:50Z andreas $
  */
 
 #ifndef _KEYS_H
 #define _KEYS_H
 
-#include <gmp.h>    /* GNU Multi-Precision library */
+#include <credentials/keys/private_key.h>
+#include <credentials/keys/public_key.h>
 
-#include "pkcs1.h"
 #include "certs.h"
 
 #ifndef SHARED_SECRETS_FILE
@@ -32,11 +31,10 @@ extern void load_preshared_secrets(int whackfd);
 extern void free_preshared_secrets(void);
 
 enum PrivateKeyKind {
-    PPK_PSK,
- /* PPK_DSS, */	/* not implemented */
-    PPK_RSA,
-    PPK_XAUTH,
-    PPK_PIN
+	PPK_PSK,
+	PPK_PUBKEY,
+	PPK_XAUTH,
+	PPK_PIN
 };
 
 extern void xauth_defaults(void);
@@ -45,69 +43,64 @@ extern void xauth_defaults(void);
 struct connection;
 
 extern const chunk_t *get_preshared_secret(const struct connection *c);
-extern err_t unpack_RSA_public_key(RSA_public_key_t *rsa, const chunk_t *pubkey);
-extern const RSA_private_key_t *get_RSA_private_key(const struct connection *c);
-extern const RSA_private_key_t *get_x509_private_key(const x509cert_t *cert);
+extern private_key_t *get_private_key(const struct connection *c);
+extern private_key_t *get_x509_private_key(const x509cert_t *cert);
 
 /* public key machinery  */
 
 typedef struct pubkey pubkey_t;
 
 struct pubkey {
-    struct id id;
-    unsigned refcnt;	/* reference counted! */
-    enum dns_auth_level dns_auth_level;
-    char *dns_sig;
-    time_t installed_time
-	, last_tried_time
-	, last_worked_time
-	, until_time;
-    chunk_t issuer;
-    chunk_t serial;
-    enum pubkey_alg alg;
-    union {
-	RSA_public_key_t rsa;
-    } u;
+	struct id id;
+	unsigned refcnt;    /* reference counted! */
+	enum dns_auth_level dns_auth_level;
+	char *dns_sig;
+	time_t installed_time
+		, last_tried_time
+		, last_worked_time
+		, until_time;
+	chunk_t issuer;
+	chunk_t serial;
+	public_key_t *public_key;
 };
 
 typedef struct pubkey_list pubkey_list_t;
 
 struct pubkey_list {
-    pubkey_t *key;
-    pubkey_list_t *next;
+	pubkey_t *key;
+	pubkey_list_t *next;
 };
 
-extern pubkey_list_t *pubkeys;	/* keys from ipsec.conf or from certs */
+extern pubkey_list_t *pubkeys;  /* keys from ipsec.conf or from certs */
 
-extern pubkey_t *public_key_from_rsa(const RSA_public_key_t *k);
+extern pubkey_t *public_key_from_rsa(public_key_t *key);
 extern pubkey_list_t *free_public_keyentry(pubkey_list_t *p);
 extern void free_public_keys(pubkey_list_t **keys);
 extern void free_remembered_public_keys(void);
-extern void delete_public_keys(const struct id *id, enum pubkey_alg alg
-    , chunk_t issuer, chunk_t serial);
-
+extern void delete_public_keys(const struct id *id, key_type_t type,
+							   chunk_t issuer, chunk_t serial);
 extern pubkey_t *reference_key(pubkey_t *pk);
 extern void unreference_key(pubkey_t **pkp);
 
-extern err_t add_public_key(const struct id *id
-    , enum dns_auth_level dns_auth_level
-    , enum pubkey_alg alg
-    , const chunk_t *key
-    , pubkey_list_t **head);
+extern bool add_public_key(const struct id *id,
+						   enum dns_auth_level dns_auth_level,
+						   enum pubkey_alg alg,
+						   chunk_t rfc3110_key,
+						   pubkey_list_t **head);
 
 extern bool has_private_key(cert_t cert);
 extern void add_x509_public_key(x509cert_t *cert, time_t until
-    , enum dns_auth_level dns_auth_level);
+	, enum dns_auth_level dns_auth_level);
 extern void add_pgp_public_key(pgpcert_t *cert, time_t until
-    , enum dns_auth_level dns_auth_level);
+	, enum dns_auth_level dns_auth_level);
 extern void remove_x509_public_key(const x509cert_t *cert);
 extern void list_public_keys(bool utc);
 
-struct gw_info;	/* forward declaration of tag (defined in dnskey.h) */
+struct gw_info; /* forward declaration of tag (defined in dnskey.h) */
 extern void transfer_to_public_keys(struct gw_info *gateways_from_dns
 #ifdef USE_KEYRR
-    , pubkey_list_t **keys
+	, pubkey_list_t **keys
 #endif /* USE_KEYRR */
-    );
+	);
 
 #endif /* _KEYS_H */
diff --git a/src/pluto/lex.c b/src/pluto/lex.c
index 08ab43876..f48d24a54 100644
--- a/src/pluto/lex.c
+++ b/src/pluto/lex.c
@@ -10,8 +10,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: lex.c 3252 2007-10-06 21:24:50Z andreas $
  */
 
 #include <stdio.h>
@@ -27,7 +25,7 @@
 #include "constants.h"
 #include "defs.h"
 #include "log.h"
-#include "whack.h"	/* for RC_LOG_SERIOUS */
+#include "whack.h"      /* for RC_LOG_SERIOUS */
 #include "lex.h"
 
 struct file_lex_position *flp = NULL;
@@ -39,36 +37,36 @@ struct file_lex_position *flp = NULL;
 bool
 lexopen(struct file_lex_position *new_flp, const char *name, bool optional)
 {
-    FILE *f = fopen(name, "r");
-
-    if (f == NULL)
-    {
-	if (!optional || errno != ENOENT)
-	    log_errno((e, "could not open \"%s\"", name));
-	return FALSE;
-    }
-    else
-    {
-	new_flp->previous = flp;
-	flp = new_flp;
-	flp->filename = name;
-	flp->fp = f;
-	flp->lino = 0;
-	flp->bdry = B_none;
-
-	flp->cur = flp->buffer;	/* nothing loaded yet */
-	flp->under = *flp->cur = '\0';
-
-	(void) shift();	/* prime tok */
-	return TRUE;
-    }
+	FILE *f = fopen(name, "r");
+
+	if (f == NULL)
+	{
+		if (!optional || errno != ENOENT)
+			log_errno((e, "could not open \"%s\"", name));
+		return FALSE;
+	}
+	else
+	{
+		new_flp->previous = flp;
+		flp = new_flp;
+		flp->filename = name;
+		flp->fp = f;
+		flp->lino = 0;
+		flp->bdry = B_none;
+
+		flp->cur = flp->buffer; /* nothing loaded yet */
+		flp->under = *flp->cur = '\0';
+
+		(void) shift(); /* prime tok */
+		return TRUE;
+	}
 }
 
 void
 lexclose(void)
 {
-    fclose(flp->fp);
-    flp = flp->previous;
+	fclose(flp->fp);
+	flp = flp->previous;
 }
 
 /* Token decoding: shift() loads the next token into tok.
@@ -88,110 +86,110 @@ char *tok;
 bool
 shift(void)
 {
-    char *p = flp->cur;
-    char *sor = NULL;	/* start of record for any new lines */
+	char *p = flp->cur;
+	char *sor = NULL;   /* start of record for any new lines */
 
-    passert(flp->bdry == B_none);
+	passert(flp->bdry == B_none);
 
-    *p = flp->under;
-    flp->under = '\0';
+	*p = flp->under;
+	flp->under = '\0';
 
-    for (;;)
-    {
-	switch (*p)
+	for (;;)
 	{
-	case '\0':	/* end of line */
-	case '#':	/* comment to end of line: treat as end of line */
-	    /* get the next line */
-	    if (fgets(flp->buffer, sizeof(flp->buffer)-1, flp->fp) == NULL)
-	    {
-		flp->bdry = B_file;
-		tok = flp->cur = NULL;
-		return FALSE;
-	    }
-	    else
-	    {
-		/* strip trailing whitespace, including \n */
-
-		for (p = flp->buffer+strlen(flp->buffer)-1
-		; p>flp->buffer && isspace(p[-1]); p--)
-		    ;
-		*p = '\0';
-
-		flp->lino++;
-		sor = p = flp->buffer;
-	    }
-	    break;	/* try again for a token */
-
-	case ' ':	/* whitespace */
-	case '\t':
-	    p++;
-	    break;	/* try again for a token */
-
-	case '"':	/* quoted token */
-	case '\'':
-	    if (p != sor)
-	    {
-		/* we have a quoted token: note and advance to its end */
-		tok = p;
-		p = strchr(p+1, *p);
-		if (p == NULL)
-		{
-		    loglog(RC_LOG_SERIOUS, "\"%s\" line %d: unterminated string"
-			, flp->filename, flp->lino);
-		    p = tok + strlen(tok);
-		}
-		else
-		{
-		    p++;	/* include delimiter in token */
-		}
-
-		/* remember token delimiter and replace with '\0' */
-		flp->under = *p;
-		*p = '\0';
-		flp->cur = p;
-		return TRUE;
-	    }
-	    /* FALL THROUGH */
-	default:
-	    if (p != sor)
-	    {
-		/* we seem to have a token: note and advance to its end */
-		tok = p;
-
-		if (p[0] == '0' && p[1] == 't')
+		switch (*p)
 		{
-		    /* 0t... token goes to end of line */
-		    p += strlen(p);
-		}
-		else
-		{
-		    /* "ordinary" token: up to whitespace or end of line */
-		    do {
+		case '\0':      /* end of line */
+		case '#':       /* comment to end of line: treat as end of line */
+			/* get the next line */
+			if (fgets(flp->buffer, sizeof(flp->buffer)-1, flp->fp) == NULL)
+			{
+				flp->bdry = B_file;
+				tok = flp->cur = NULL;
+				return FALSE;
+			}
+			else
+			{
+				/* strip trailing whitespace, including \n */
+
+				for (p = flp->buffer+strlen(flp->buffer)-1
+				; p>flp->buffer && isspace(p[-1]); p--)
+					;
+				*p = '\0';
+
+				flp->lino++;
+				sor = p = flp->buffer;
+			}
+			break;      /* try again for a token */
+
+		case ' ':       /* whitespace */
+		case '\t':
 			p++;
-		    } while (*p != '\0' && !isspace(*p))
-			;
-
-		    /* fudge to separate ':' from a preceding adjacent token */
-		    if (p-1 > tok && p[-1] == ':')
-			p--;
+			break;      /* try again for a token */
+
+		case '"':       /* quoted token */
+		case '\'':
+			if (p != sor)
+			{
+				/* we have a quoted token: note and advance to its end */
+				tok = p;
+				p = strchr(p+1, *p);
+				if (p == NULL)
+				{
+					loglog(RC_LOG_SERIOUS, "\"%s\" line %d: unterminated string"
+						, flp->filename, flp->lino);
+					p = tok + strlen(tok);
+				}
+				else
+				{
+					p++;        /* include delimiter in token */
+				}
+
+				/* remember token delimiter and replace with '\0' */
+				flp->under = *p;
+				*p = '\0';
+				flp->cur = p;
+				return TRUE;
+			}
+			/* FALL THROUGH */
+		default:
+			if (p != sor)
+			{
+				/* we seem to have a token: note and advance to its end */
+				tok = p;
+
+				if (p[0] == '0' && p[1] == 't')
+				{
+					/* 0t... token goes to end of line */
+					p += strlen(p);
+				}
+				else
+				{
+					/* "ordinary" token: up to whitespace or end of line */
+					do {
+						p++;
+					} while (*p != '\0' && !isspace(*p))
+						;
+
+					/* fudge to separate ':' from a preceding adjacent token */
+					if (p-1 > tok && p[-1] == ':')
+						p--;
+				}
+
+				/* remember token delimiter and replace with '\0' */
+				flp->under = *p;
+				*p = '\0';
+				flp->cur = p;
+				return TRUE;
+			}
+
+			/* we have a start-of-record: return it, deferring "real" token */
+			flp->bdry = B_record;
+			tok = NULL;
+			flp->under = *p;
+			flp->cur = p;
+			return FALSE;
 		}
-
-		/* remember token delimiter and replace with '\0' */
-		flp->under = *p;
-		*p = '\0';
-		flp->cur = p;
-		return TRUE;
-	    }
-
-	    /* we have a start-of-record: return it, deferring "real" token */
-	    flp->bdry = B_record;
-	    tok = NULL;
-	    flp->under = *p;
-	    flp->cur = p;
-	    return FALSE;
 	}
-    }
 }
 
 /* ensures we are at a Record (or File) boundary, optionally warning if not */
@@ -199,15 +197,15 @@ shift(void)
 bool
 flushline(const char *m)
 {
-    if (flp->bdry != B_none)
-    {
-	return TRUE;
-    }
-    else
-    {
-	if (m != NULL)
-	    loglog(RC_LOG_SERIOUS, "\"%s\" line %d: %s", flp->filename, flp->lino, m);
-	do ; while (shift());
-	return FALSE;
-    }
+	if (flp->bdry != B_none)
+	{
+		return TRUE;
+	}
+	else
+	{
+		if (m != NULL)
+			loglog(RC_LOG_SERIOUS, "\"%s\" line %d: %s", flp->filename, flp->lino, m);
+		do ; while (shift());
+		return FALSE;
+	}
 }
diff --git a/src/pluto/lex.h b/src/pluto/lex.h
index 450149c64..f16769144 100644
--- a/src/pluto/lex.h
+++ b/src/pluto/lex.h
@@ -10,22 +10,20 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: lex.h 3252 2007-10-06 21:24:50Z andreas $
  */
 
 #define MAX_TOK_LEN 2048    /* includes terminal '\0' */
 struct file_lex_position
 {
-    int depth;	/* how deeply we are nested */
-    const char *filename;
-    FILE *fp;
-    enum { B_none, B_record, B_file } bdry;	/* current boundary */
-    int lino;	/* line number in file */
-    char buffer[MAX_TOK_LEN + 1];    /* note: one extra char for our use (jamming '"') */
-    char *cur;	/* cursor */
-    char under;	/* except in shift(): character orignally at *cur */
-    struct file_lex_position *previous;
+	int depth;  /* how deeply we are nested */
+	const char *filename;
+	FILE *fp;
+	enum { B_none, B_record, B_file } bdry;     /* current boundary */
+	int lino;   /* line number in file */
+	char buffer[MAX_TOK_LEN + 1];    /* note: one extra char for our use (jamming '"') */
+	char *cur;  /* cursor */
+	char under; /* except in shift(): character orignally at *cur */
+	struct file_lex_position *previous;
 };
 
 extern struct file_lex_position *flp;
diff --git a/src/pluto/log.c b/src/pluto/log.c
index b7c1ba8b8..e34409f1c 100644
--- a/src/pluto/log.c
+++ b/src/pluto/log.c
@@ -1,6 +1,7 @@
 /* error logging functions
  * Copyright (C) 1997 Angelos D. Keromytis.
- * Copyright (C) 1998-2001  D. Hugh Redelmeier.
+ * Copyright (C) 1998-2001 D. Hugh Redelmeier.
+ * Copyright (C) 2009 Andreas Steffen - Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -11,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: log.c 4246 2008-08-03 18:01:21Z andreas $
  */
 
 #include <stdio.h>
@@ -23,13 +22,15 @@
 #include <errno.h>
 #include <string.h>
 #include <unistd.h>
-#include <signal.h>	/* used only if MSG_NOSIGNAL not defined */
+#include <signal.h>     /* used only if MSG_NOSIGNAL not defined */
 #include <sys/queue.h>
 #include <libgen.h>
 #include <sys/stat.h>
 #include <sys/types.h>
 
 #include <freeswan.h>
+#include <library.h>
+#include <debug.h>
 
 #include "constants.h"
 #include "defs.h"
@@ -38,27 +39,27 @@
 #include "state.h"
 #include "connections.h"
 #include "kernel.h"
-#include "whack.h"	/* needs connections.h */
+#include "whack.h"      /* needs connections.h */
 #include "timer.h"
 
 /* close one per-peer log */
-static void perpeer_logclose(struct connection *c);	/* forward */
+static void perpeer_logclose(struct connection *c);     /* forward */
 
 
 bool
-    log_to_stderr = TRUE,	/* should log go to stderr? */
-    log_to_syslog = TRUE,	/* should log go to syslog? */
-    log_to_perpeer= FALSE;	/* should log go to per-IP file? */
+	log_to_stderr = TRUE,       /* should log go to stderr? */
+	log_to_syslog = TRUE,       /* should log go to syslog? */
+	log_to_perpeer= FALSE;      /* should log go to per-IP file? */
 
 bool
-    logged_txt_warning = FALSE;  /* should we complain about finding KEY? */
+	logged_txt_warning = FALSE;  /* should we complain about finding KEY? */
 
 /* should we complain when we find no local id */
 bool
-    logged_myid_fqdn_txt_warning = FALSE,
-    logged_myid_ip_txt_warning   = FALSE,
-    logged_myid_fqdn_key_warning = FALSE,
-    logged_myid_ip_key_warning   = FALSE;
+	logged_myid_fqdn_txt_warning = FALSE,
+	logged_myid_ip_txt_warning   = FALSE,
+	logged_myid_fqdn_key_warning = FALSE,
+	logged_myid_ip_key_warning   = FALSE;
 
 /* may include trailing / */
 const char *base_perpeer_logdir = PERPEERLOGDIR;
@@ -74,42 +75,110 @@ static TAILQ_HEAD(perpeer, connection) perpeer_list;
  * If the context provides a whack file descriptor, messages
  * should be copied to it -- see whack_log()
  */
-int whack_log_fd = NULL_FD;	/* only set during whack_handle() */
-struct state *cur_state = NULL;	/* current state, for diagnostics */
-struct connection *cur_connection = NULL;	/* current connection, for diagnostics */
-const ip_address *cur_from = NULL;	/* source of current current message */
-u_int16_t cur_from_port;	/* host order */
+int whack_log_fd = NULL_FD;     /* only set during whack_handle() */
+struct state *cur_state = NULL; /* current state, for diagnostics */
+struct connection *cur_connection = NULL;       /* current connection, for diagnostics */
+const ip_address *cur_from = NULL;      /* source of current current message */
+u_int16_t cur_from_port;        /* host order */
+
+/**
+ * pluto dbg function for libstrongswan
+ */
+static void pluto_dbg(int level, char *fmt, ...)
+{
+	int priority = LOG_INFO;
+	int debug_level;
+	char buffer[8192];
+	char *current = buffer, *next;
+	va_list args;
+
+	if (cur_debugging & DBG_PRIVATE)
+	{
+		debug_level = 4;
+	}
+	else if (cur_debugging & DBG_RAW)
+	{
+		debug_level = 3;
+	}	
+	else if (cur_debugging & DBG_PARSING)
+	{
+		debug_level = 2;
+	}
+	else 
+	{
+		debug_level = 1;
+	}
+
+	if (level <= debug_level)
+	{
+		va_start(args, fmt);
+
+		if (log_to_stderr)
+		{
+			if (level > 1)
+			{
+				fprintf(stderr, "| ");
+			}
+			vfprintf(stderr, fmt, args);
+			fprintf(stderr, "\n");
+		}
+		if (log_to_syslog)
+		{
+			/* write in memory buffer first */
+			vsnprintf(buffer, sizeof(buffer), fmt, args);
+
+			/* do a syslog with every line */
+			while (current)
+			{
+				next = strchr(current, '\n');
+				if (next)
+				{
+					*(next++) = '\0';
+				}
+				syslog(priority, "%s%s\n", (level > 1)? "| ":"", current);
+				current = next;
+			}
+		}
+		va_end(args);
+	}
+}
 
 void
 init_log(const char *program)
 {
-    if (log_to_stderr)
-	setbuf(stderr, NULL);
-    if (log_to_syslog)
-	openlog(program, LOG_CONS | LOG_NDELAY | LOG_PID, LOG_AUTHPRIV);
+	/* enable pluto debugging hook for libstrongswan */
+	dbg = pluto_dbg;
 
-    TAILQ_INIT(&perpeer_list);
+	if (log_to_stderr)
+	{
+		setbuf(stderr, NULL);
+	}
+	if (log_to_syslog)
+	{
+		openlog(program, LOG_CONS | LOG_NDELAY | LOG_PID, LOG_AUTHPRIV);
+	}
+	TAILQ_INIT(&perpeer_list);
 }
 
 void
 close_peerlog(void)
 {
-    /* exit if the queue has not been initialized */
-    if (perpeer_list.tqh_first == NULL)
-      return;
+	/* exit if the queue has not been initialized */
+	if (perpeer_list.tqh_first == NULL)
+	  return;
 
-    /* end of queue is given by pointer to "HEAD" */
-    while (TAILQ_LAST(&perpeer_list, perpeer) != (void *)&perpeer_list)
-       perpeer_logclose(TAILQ_LAST(&perpeer_list, perpeer));
+	/* end of queue is given by pointer to "HEAD" */
+	while (TAILQ_LAST(&perpeer_list, perpeer) != (void *)&perpeer_list)
+	   perpeer_logclose(TAILQ_LAST(&perpeer_list, perpeer));
 }
 
 void
 close_log(void)
 {
-    if (log_to_syslog)
-	closelog();
+	if (log_to_syslog)
+		closelog();
 
-    close_peerlog();
+	close_peerlog();
 }
 
 /* Sanitize character string in situ: turns dangerous characters into \OOO.
@@ -120,50 +189,50 @@ close_log(void)
 static size_t
 sanitize(char *buf, size_t size)
 {
-#   define UGLY_WIDTH	4	/* width for ugly character: \OOO */
-    size_t len;
-    size_t added = 0;
-    char *p;
-
-    passert(size >= UGLY_WIDTH);	/* need room to swing cat */
-
-    /* find right side of string to be sanitized and count
-     * number of columns to be added.  Stop on end of string
-     * or lack of room for more result.
-     */
-    for (p = buf; *p != '\0' && &p[added] < &buf[size - UGLY_WIDTH]; )
-    {
-	unsigned char c = *p++;
-
-	if (c == '\\' || !isprint(c))
-	    added += UGLY_WIDTH - 1;
-    }
-
-    /* at this point, p points after last original character to be
-     * included.  added is how many characters are added to sanitize.
-     * so p[added] will point after last sanitized character.
-     */
-
-    p[added] = '\0';
-    len = &p[added] - buf;
-
-    /* scan backwards, copying characters to their new home
-     * and inserting the expansions for ugly characters.
-     * It is finished when no more shifting is required.
-     * This is a predecrement loop.
-     */
-    while (added != 0)
-    {
-	char fmtd[UGLY_WIDTH + 1];
-	unsigned char c;
-
-	while ((c = *--p) != '\\' && isprint(c))
-	    p[added] = c;
-	added -= UGLY_WIDTH - 1;
-	snprintf(fmtd, sizeof(fmtd), "\\%03o", c);
-	memcpy(p + added, fmtd, UGLY_WIDTH);
-    }
-    return len;
+#   define UGLY_WIDTH   4       /* width for ugly character: \OOO */
+	size_t len;
+	size_t added = 0;
+	char *p;
+
+	passert(size >= UGLY_WIDTH);        /* need room to swing cat */
+
+	/* find right side of string to be sanitized and count
+	 * number of columns to be added.  Stop on end of string
+	 * or lack of room for more result.
+	 */
+	for (p = buf; *p != '\0' && &p[added] < &buf[size - UGLY_WIDTH]; )
+	{
+		unsigned char c = *p++;
+
+		if (c == '\\' || !isprint(c))
+			added += UGLY_WIDTH - 1;
+	}
+
+	/* at this point, p points after last original character to be
+	 * included.  added is how many characters are added to sanitize.
+	 * so p[added] will point after last sanitized character.
+	 */
+
+	p[added] = '\0';
+	len = &p[added] - buf;
+
+	/* scan backwards, copying characters to their new home
+	 * and inserting the expansions for ugly characters.
+	 * It is finished when no more shifting is required.
+	 * This is a predecrement loop.
+	 */
+	while (added != 0)
+	{
+		char fmtd[UGLY_WIDTH + 1];
+		unsigned char c;
+
+		while ((c = *--p) != '\\' && isprint(c))
+			p[added] = c;
+		added -= UGLY_WIDTH - 1;
+		snprintf(fmtd, sizeof(fmtd), "\\%03o", c);
+		memcpy(p + added, fmtd, UGLY_WIDTH);
+	}
+	return len;
 #   undef UGLY_WIDTH
 }
 
@@ -174,349 +243,348 @@ sanitize(char *buf, size_t size)
 static void
 fmt_log(char *buf, size_t buf_len, const char *fmt, va_list ap)
 {
-    bool reproc = *fmt == '~';
-    size_t ps;
-    struct connection *c = cur_state != NULL ? cur_state->st_connection
-	: cur_connection;
-
-    buf[0] = '\0';
-    if (reproc)
-	fmt++;	/* ~ at start of format suppresses this prefix */
-    else if (c != NULL)
-    {
-	/* start with name of connection */
-	char *const be = buf + buf_len;
-	char *bp = buf;
-
-	snprintf(bp, be - bp, "\"%s\"", c->name);
-	bp += strlen(bp);
-
-	/* if it fits, put in any connection instance information */
-	if (be - bp > CONN_INST_BUF)
+	bool reproc = *fmt == '~';
+	size_t ps;
+	struct connection *c = cur_state != NULL ? cur_state->st_connection
+		: cur_connection;
+
+	buf[0] = '\0';
+	if (reproc)
+		fmt++;  /* ~ at start of format suppresses this prefix */
+	else if (c != NULL)
 	{
-	    fmt_conn_instance(c, bp);
-	    bp += strlen(bp);
-	}
+		/* start with name of connection */
+		char *const be = buf + buf_len;
+		char *bp = buf;
+
+		snprintf(bp, be - bp, "\"%s\"", c->name);
+		bp += strlen(bp);
+
+		/* if it fits, put in any connection instance information */
+		if (be - bp > CONN_INST_BUF)
+		{
+			fmt_conn_instance(c, bp);
+			bp += strlen(bp);
+		}
 
-	if (cur_state != NULL)
+		if (cur_state != NULL)
+		{
+			/* state number */
+			snprintf(bp, be - bp, " #%lu", cur_state->st_serialno);
+			bp += strlen(bp);
+		}
+		snprintf(bp, be - bp, ": ");
+	}
+	else if (cur_from != NULL)
 	{
-	    /* state number */
-	    snprintf(bp, be - bp, " #%lu", cur_state->st_serialno);
-	    bp += strlen(bp);
+		/* peer's IP address */
+		/* Note: must not use ip_str() because our caller might! */
+		char ab[ADDRTOT_BUF];
+
+		(void) addrtot(cur_from, 0, ab, sizeof(ab));
+		snprintf(buf, buf_len, "packet from %s:%u: "
+			, ab, (unsigned)cur_from_port);
 	}
-	snprintf(bp, be - bp, ": ");
-    }
-    else if (cur_from != NULL)
-    {
-	/* peer's IP address */
-	/* Note: must not use ip_str() because our caller might! */
-	char ab[ADDRTOT_BUF];
-
-	(void) addrtot(cur_from, 0, ab, sizeof(ab));
-	snprintf(buf, buf_len, "packet from %s:%u: "
-	    , ab, (unsigned)cur_from_port);
-    }
-
-    ps = strlen(buf);
-    vsnprintf(buf + ps, buf_len - ps, fmt, ap);
-    if (!reproc)
-	(void)sanitize(buf, buf_len);
+
+	ps = strlen(buf);
+	vsnprintf(buf + ps, buf_len - ps, fmt, ap);
+	if (!reproc)
+		(void)sanitize(buf, buf_len);
 }
 
 static void
 perpeer_logclose(struct connection *c)
 {
-    /* only free/close things if we had used them! */
-    if (c->log_file != NULL)
-    {
-	passert(perpeer_count > 0);
-
-	TAILQ_REMOVE(&perpeer_list, c, log_link);
-	perpeer_count--;
-	fclose(c->log_file);
-	c->log_file=NULL;
-    }
+	/* only free/close things if we had used them! */
+	if (c->log_file != NULL)
+	{
+		passert(perpeer_count > 0);
+
+		TAILQ_REMOVE(&perpeer_list, c, log_link);
+		perpeer_count--;
+		fclose(c->log_file);
+		c->log_file=NULL;
+	}
 }
 
 void
 perpeer_logfree(struct connection *c)
 {
-    perpeer_logclose(c);
-    if (c->log_file_name != NULL)
-    {
-	pfree(c->log_file_name);
-	c->log_file_name = NULL;
-	c->log_file_err = FALSE;
-    }
+	perpeer_logclose(c);
+	if (c->log_file_name != NULL)
+	{
+		free(c->log_file_name);
+		c->log_file_name = NULL;
+		c->log_file_err = FALSE;
+	}
 }
 
 /* open the per-peer log */
 static void
 open_peerlog(struct connection *c)
 {
-    syslog(LOG_INFO, "opening log file for conn %s", c->name);
+	syslog(LOG_INFO, "opening log file for conn %s", c->name);
 
-    if (c->log_file_name == NULL)
-    {
-	char peername[ADDRTOT_BUF], dname[ADDRTOT_BUF];
-	int  peernamelen, lf_len;
-
-	addrtot(&c->spd.that.host_addr, 'Q', peername, sizeof(peername));
-	peernamelen = strlen(peername);
-
-	/* copy IP address, turning : and . into / */
+	if (c->log_file_name == NULL)
 	{
-	    char c, *p, *q;
-
-	    p = peername;
-	    q = dname;
-	    do {
-		c = *p++;
-		if (c == '.' || c == ':')
-		    c = '/';
-		*q++ = c;
-	    } while (c != '\0');
-	}
-
-	lf_len = peernamelen * 2
-	    + strlen(base_perpeer_logdir)
-	    + sizeof("//.log")
-	    + 1;
-	c->log_file_name = alloc_bytes(lf_len, "per-peer log file name");
-
-	fprintf(stderr, "base dir |%s| dname |%s| peername |%s|"
-		, base_perpeer_logdir, dname, peername);
-	snprintf(c->log_file_name, lf_len, "%s/%s/%s.log"
-		 , base_perpeer_logdir, dname, peername);
+		char peername[ADDRTOT_BUF], dname[ADDRTOT_BUF];
+		int  peernamelen, lf_len;
 
-	syslog(LOG_DEBUG, "conn %s logfile is %s", c->name, c->log_file_name);
-    }
+		addrtot(&c->spd.that.host_addr, 'Q', peername, sizeof(peername));
+		peernamelen = strlen(peername);
 
-    /* now open the file, creating directories if necessary */
-
-    {  /* create the directory */
-	char *dname;
-	int   bpl_len = strlen(base_perpeer_logdir);
-	char *slashloc;
-
-	dname = clone_str(c->log_file_name, "temp copy of file name");
-	dname = dirname(dname);
-
-	if (access(dname, W_OK) != 0)
-	{
-	    if (errno != ENOENT)
-	    {
-		if (c->log_file_err)
+		/* copy IP address, turning : and . into / */
 		{
-		    syslog(LOG_CRIT, "can not write to %s: %s"
-			   , dname, strerror(errno));
-		    c->log_file_err = TRUE;
-		    pfree(dname);
-		    return;
+			char c, *p, *q;
+
+			p = peername;
+			q = dname;
+			do {
+				c = *p++;
+				if (c == '.' || c == ':')
+					c = '/';
+				*q++ = c;
+			} while (c != '\0');
 		}
-	    }
 
-	    /* directory does not exist, walk path creating dirs */
-	    /* start at base_perpeer_logdir */
-	    slashloc = dname + bpl_len;
-	    slashloc++;    /* since, by construction there is a slash
-			      right there */
+		lf_len = peernamelen * 2
+			+ strlen(base_perpeer_logdir)
+			+ sizeof("//.log")
+			+ 1;
+		c->log_file_name = malloc(lf_len);
+
+		fprintf(stderr, "base dir |%s| dname |%s| peername |%s|"
+				, base_perpeer_logdir, dname, peername);
+		snprintf(c->log_file_name, lf_len, "%s/%s/%s.log"
+				 , base_perpeer_logdir, dname, peername);
 
-	    while (*slashloc != '\0')
-	    {
-		char saveslash;
+		syslog(LOG_DEBUG, "conn %s logfile is %s", c->name, c->log_file_name);
+	}
 
-		/* look for next slash */
-		while (*slashloc != '\0' && *slashloc != '/') slashloc++;
+	/* now open the file, creating directories if necessary */
 
-		saveslash = *slashloc;
+	{  /* create the directory */
+		char *dname;
+		int   bpl_len = strlen(base_perpeer_logdir);
+		char *slashloc;
 
-		*slashloc = '\0';
+		dname = clone_str(c->log_file_name);
+		dname = dirname(dname);
 
-		if (mkdir(dname, 0750) != 0 && errno != EEXIST)
+		if (access(dname, W_OK) != 0)
 		{
-		    syslog(LOG_CRIT, "can not create dir %s: %s"
-			   , dname, strerror(errno));
-		    c->log_file_err = TRUE;
-		    pfree(dname);
-		    return;
+			if (errno != ENOENT)
+			{
+				if (c->log_file_err)
+				{
+					syslog(LOG_CRIT, "can not write to %s: %s"
+						   , dname, strerror(errno));
+					c->log_file_err = TRUE;
+					free(dname);
+					return;
+				}
+			}
+
+			/* directory does not exist, walk path creating dirs */
+			/* start at base_perpeer_logdir */
+			slashloc = dname + bpl_len;
+			slashloc++;    /* since, by construction there is a slash
+							  right there */
+
+			while (*slashloc != '\0')
+			{
+				char saveslash;
+
+				/* look for next slash */
+				while (*slashloc != '\0' && *slashloc != '/') slashloc++;
+
+				saveslash = *slashloc;
+
+				*slashloc = '\0';
+
+				if (mkdir(dname, 0750) != 0 && errno != EEXIST)
+				{
+					syslog(LOG_CRIT, "can not create dir %s: %s"
+						   , dname, strerror(errno));
+					c->log_file_err = TRUE;
+					free(dname);
+					return;
+				}
+				syslog(LOG_DEBUG, "created new directory %s", dname);
+				*slashloc = saveslash;
+				slashloc++;
+			}
 		}
-		syslog(LOG_DEBUG, "created new directory %s", dname);
-		*slashloc = saveslash;
-		slashloc++;
-	    }
+		free(dname);
 	}
 
-	pfree(dname);
-    }
+	c->log_file = fopen(c->log_file_name, "a");
+	if (c->log_file == NULL)
+	{
+		if (c->log_file_err)
+		{
+			syslog(LOG_CRIT, "logging system can not open %s: %s"
+				   , c->log_file_name, strerror(errno));
+			c->log_file_err = TRUE;
+		}
+		return;
+	}
 
-    c->log_file = fopen(c->log_file_name, "a");
-    if (c->log_file == NULL)
-    {
-	if (c->log_file_err)
+	/* look for a connection to close! */
+	while (perpeer_count >= MAX_PEERLOG_COUNT)
 	{
-	    syslog(LOG_CRIT, "logging system can not open %s: %s"
-		   , c->log_file_name, strerror(errno));
-	    c->log_file_err = TRUE;
+		/* can not be NULL because perpeer_count > 0 */
+		passert(TAILQ_LAST(&perpeer_list, perpeer) != (void *)&perpeer_list);
+
+		perpeer_logclose(TAILQ_LAST(&perpeer_list, perpeer));
 	}
-	return;
-    }
-
-    /* look for a connection to close! */
-    while (perpeer_count >= MAX_PEERLOG_COUNT)
-    {
-	/* can not be NULL because perpeer_count > 0 */
-	passert(TAILQ_LAST(&perpeer_list, perpeer) != (void *)&perpeer_list);
-
-	perpeer_logclose(TAILQ_LAST(&perpeer_list, perpeer));
-    }
-
-    /* insert this into the list */
-    TAILQ_INSERT_HEAD(&perpeer_list, c, log_link);
-    passert(c->log_file != NULL);
-    perpeer_count++;
+
+	/* insert this into the list */
+	TAILQ_INSERT_HEAD(&perpeer_list, c, log_link);
+	passert(c->log_file != NULL);
+	perpeer_count++;
 }
 
 /* log a line to cur_connection's log */
 static void
 peerlog(const char *prefix, const char *m)
 {
-    if (cur_connection == NULL)
-    {
-	/* we can not log it in this case. Oh well. */
-	return;
-    }
-
-    if (cur_connection->log_file == NULL)
-    {
-	open_peerlog(cur_connection);
-    }
-
-    /* despite our attempts above, we may not be able to open the file. */
-    if (cur_connection->log_file != NULL)
-    {
-	char datebuf[32];
-	time_t n;
-	struct tm *t;
-
-	time(&n);
-	t = localtime(&n);
-
-	strftime(datebuf, sizeof(datebuf), "%Y-%m-%d %T", t);
-	fprintf(cur_connection->log_file, "%s %s%s\n", datebuf, prefix, m);
-
-	/* now move it to the front of the list */
-	TAILQ_REMOVE(&perpeer_list, cur_connection, log_link);
-	TAILQ_INSERT_HEAD(&perpeer_list, cur_connection, log_link);
-    }
+	if (cur_connection == NULL)
+	{
+		/* we can not log it in this case. Oh well. */
+		return;
+	}
+
+	if (cur_connection->log_file == NULL)
+	{
+		open_peerlog(cur_connection);
+	}
+
+	/* despite our attempts above, we may not be able to open the file. */
+	if (cur_connection->log_file != NULL)
+	{
+		char datebuf[32];
+		time_t n;
+		struct tm *t;
+
+		time(&n);
+		t = localtime(&n);
+
+		strftime(datebuf, sizeof(datebuf), "%Y-%m-%d %T", t);
+		fprintf(cur_connection->log_file, "%s %s%s\n", datebuf, prefix, m);
+
+		/* now move it to the front of the list */
+		TAILQ_REMOVE(&perpeer_list, cur_connection, log_link);
+		TAILQ_INSERT_HEAD(&perpeer_list, cur_connection, log_link);
+	}
 }
 
 void
 plog(const char *message, ...)
 {
-    va_list args;
-    char m[LOG_WIDTH];	/* longer messages will be truncated */
+	va_list args;
+	char m[LOG_WIDTH];  /* longer messages will be truncated */
 
-    va_start(args, message);
-    fmt_log(m, sizeof(m), message, args);
-    va_end(args);
+	va_start(args, message);
+	fmt_log(m, sizeof(m), message, args);
+	va_end(args);
 
-    if (log_to_stderr)
-	fprintf(stderr, "%s\n", m);
-    if (log_to_syslog)
-	syslog(LOG_WARNING, "%s", m);
-    if (log_to_perpeer)
-	peerlog("", m);
+	if (log_to_stderr)
+		fprintf(stderr, "%s\n", m);
+	if (log_to_syslog)
+		syslog(LOG_WARNING, "%s", m);
+	if (log_to_perpeer)
+		peerlog("", m);
 
-    whack_log(RC_LOG, "~%s", m);
+	whack_log(RC_LOG, "~%s", m);
 }
 
 void
 loglog(int mess_no, const char *message, ...)
 {
-    va_list args;
-    char m[LOG_WIDTH];	/* longer messages will be truncated */
+	va_list args;
+	char m[LOG_WIDTH];  /* longer messages will be truncated */
 
-    va_start(args, message);
-    fmt_log(m, sizeof(m), message, args);
-    va_end(args);
+	va_start(args, message);
+	fmt_log(m, sizeof(m), message, args);
+	va_end(args);
 
-    if (log_to_stderr)
-	fprintf(stderr, "%s\n", m);
-    if (log_to_syslog)
-	syslog(LOG_WARNING, "%s", m);
-    if (log_to_perpeer)
-	peerlog("", m);
+	if (log_to_stderr)
+		fprintf(stderr, "%s\n", m);
+	if (log_to_syslog)
+		syslog(LOG_WARNING, "%s", m);
+	if (log_to_perpeer)
+		peerlog("", m);
 
-    whack_log(mess_no, "~%s", m);
+	whack_log(mess_no, "~%s", m);
 }
 
 void
 log_errno_routine(int e, const char *message, ...)
 {
-    va_list args;
-    char m[LOG_WIDTH];	/* longer messages will be truncated */
-
-    va_start(args, message);
-    fmt_log(m, sizeof(m), message, args);
-    va_end(args);
-
-    if (log_to_stderr)
-	fprintf(stderr, "ERROR: %s. Errno %d: %s\n", m, e, strerror(e));
-    if (log_to_syslog)
-	syslog(LOG_ERR, "ERROR: %s. Errno %d: %s", m, e, strerror(e));
-    if (log_to_perpeer)
-    {
-	peerlog(strerror(e), m);
-    }
-
-    whack_log(RC_LOG_SERIOUS
-	, "~ERROR: %s. Errno %d: %s", m, e, strerror(e));
+	va_list args;
+	char m[LOG_WIDTH];  /* longer messages will be truncated */
+
+	va_start(args, message);
+	fmt_log(m, sizeof(m), message, args);
+	va_end(args);
+
+	if (log_to_stderr)
+		fprintf(stderr, "ERROR: %s. Errno %d: %s\n", m, e, strerror(e));
+	if (log_to_syslog)
+		syslog(LOG_ERR, "ERROR: %s. Errno %d: %s", m, e, strerror(e));
+	if (log_to_perpeer)
+	{
+		peerlog(strerror(e), m);
+	}
+
+	whack_log(RC_LOG_SERIOUS
+		, "~ERROR: %s. Errno %d: %s", m, e, strerror(e));
 }
 
 void
 exit_log(const char *message, ...)
 {
-    va_list args;
-    char m[LOG_WIDTH];	/* longer messages will be truncated */
+	va_list args;
+	char m[LOG_WIDTH];  /* longer messages will be truncated */
 
-    va_start(args, message);
-    fmt_log(m, sizeof(m), message, args);
-    va_end(args);
+	va_start(args, message);
+	fmt_log(m, sizeof(m), message, args);
+	va_end(args);
 
-    if (log_to_stderr)
-	fprintf(stderr, "FATAL ERROR: %s\n", m);
-    if (log_to_syslog)
-	syslog(LOG_ERR, "FATAL ERROR: %s", m);
-    if (log_to_perpeer)
-	peerlog("FATAL ERROR: ", m);
+	if (log_to_stderr)
+		fprintf(stderr, "FATAL ERROR: %s\n", m);
+	if (log_to_syslog)
+		syslog(LOG_ERR, "FATAL ERROR: %s", m);
+	if (log_to_perpeer)
+		peerlog("FATAL ERROR: ", m);
 
-    whack_log(RC_LOG_SERIOUS, "~FATAL ERROR: %s", m);
+	whack_log(RC_LOG_SERIOUS, "~FATAL ERROR: %s", m);
 
-    exit_pluto(1);
+	exit_pluto(1);
 }
 
 void
 exit_log_errno_routine(int e, const char *message, ...)
 {
-    va_list args;
-    char m[LOG_WIDTH];	/* longer messages will be truncated */
+	va_list args;
+	char m[LOG_WIDTH];  /* longer messages will be truncated */
 
-    va_start(args, message);
-    fmt_log(m, sizeof(m), message, args);
-    va_end(args);
+	va_start(args, message);
+	fmt_log(m, sizeof(m), message, args);
+	va_end(args);
 
-    if (log_to_stderr)
-	fprintf(stderr, "FATAL ERROR: %s. Errno %d: %s\n", m, e, strerror(e));
-    if (log_to_syslog)
-	syslog(LOG_ERR, "FATAL ERROR: %s. Errno %d: %s", m, e, strerror(e));
-    if (log_to_perpeer)
-	peerlog(strerror(e), m);
+	if (log_to_stderr)
+		fprintf(stderr, "FATAL ERROR: %s. Errno %d: %s\n", m, e, strerror(e));
+	if (log_to_syslog)
+		syslog(LOG_ERR, "FATAL ERROR: %s. Errno %d: %s", m, e, strerror(e));
+	if (log_to_perpeer)
+		peerlog(strerror(e), m);
 
-    whack_log(RC_LOG_SERIOUS
-	, "~FATAL ERROR: %s. Errno %d: %s", m, e, strerror(e));
+	whack_log(RC_LOG_SERIOUS
+		, "~FATAL ERROR: %s. Errno %d: %s", m, e, strerror(e));
 
-    exit_pluto(1);
+	exit_pluto(1);
 }
 
 /* emit message to whack.
@@ -531,65 +599,65 @@ static volatile sig_atomic_t dying_breath = FALSE;
 void
 whack_log(int mess_no, const char *message, ...)
 {
-    int wfd = whack_log_fd != NULL_FD ? whack_log_fd
-	: cur_state != NULL ? cur_state->st_whack_sock
-	: NULL_FD;
+	int wfd = whack_log_fd != NULL_FD ? whack_log_fd
+		: cur_state != NULL ? cur_state->st_whack_sock
+		: NULL_FD;
 
-    if (wfd != NULL_FD
+	if (wfd != NULL_FD
 #ifdef DEBUG
-    || dying_breath
+	|| dying_breath
 #endif
-    )
-    {
-	va_list args;
-	char m[LOG_WIDTH];	/* longer messages will be truncated */
-	int prelen = snprintf(m, sizeof(m), "%03d ", mess_no);
+	)
+	{
+		va_list args;
+		char m[LOG_WIDTH];      /* longer messages will be truncated */
+		int prelen = snprintf(m, sizeof(m), "%03d ", mess_no);
 
-	passert(prelen >= 0);
+		passert(prelen >= 0);
 
-	va_start(args, message);
-	fmt_log(m+prelen, sizeof(m)-prelen, message, args);
-	va_end(args);
+		va_start(args, message);
+		fmt_log(m+prelen, sizeof(m)-prelen, message, args);
+		va_end(args);
 
 #if DEBUG
-	if (dying_breath)
-	{
-	    /* status output copied to log */
-	    if (log_to_stderr)
-		fprintf(stderr, "%s\n", m + prelen);
-	    if (log_to_syslog)
-		syslog(LOG_WARNING, "%s", m + prelen);
-	    if (log_to_perpeer)
-		peerlog("", m);
-	}
+		if (dying_breath)
+		{
+			/* status output copied to log */
+			if (log_to_stderr)
+				fprintf(stderr, "%s\n", m + prelen);
+			if (log_to_syslog)
+				syslog(LOG_WARNING, "%s", m + prelen);
+			if (log_to_perpeer)
+				peerlog("", m);
+		}
 #endif
 
-	if (wfd != NULL_FD)
-	{
-	    /* write to whack socket, but suppress possible SIGPIPE */
-	    size_t len = strlen(m);
-#ifdef MSG_NOSIGNAL	/* depends on version of glibc??? */
-	    m[len] = '\n';	/* don't need NUL, do need NL */
-	    (void) send(wfd, m, len + 1, MSG_NOSIGNAL);
+		if (wfd != NULL_FD)
+		{
+			/* write to whack socket, but suppress possible SIGPIPE */
+			size_t len = strlen(m);
+#ifdef MSG_NOSIGNAL     /* depends on version of glibc??? */
+			m[len] = '\n';      /* don't need NUL, do need NL */
+			(void) send(wfd, m, len + 1, MSG_NOSIGNAL);
 #else /* !MSG_NOSIGNAL */
-	    int r;
-	    struct sigaction act
-		, oldact;
+			int r;
+			struct sigaction act
+				, oldact;
 
-	    m[len] = '\n';	/* don't need NUL, do need NL */
-	    act.sa_handler = SIG_IGN;
-	    sigemptyset(&act.sa_mask);
-	    act.sa_flags = 0;	/* no nothing */
-	    r = sigaction(SIGPIPE, &act, &oldact);
-	    passert(r == 0);
+			m[len] = '\n';      /* don't need NUL, do need NL */
+			act.sa_handler = SIG_IGN;
+			sigemptyset(&act.sa_mask);
+			act.sa_flags = 0;   /* no nothing */
+			r = sigaction(SIGPIPE, &act, &oldact);
+			passert(r == 0);
 
-	    (void) write(wfd, m, len + 1);
+			(void) write(wfd, m, len + 1);
 
-	    r = sigaction(SIGPIPE, &oldact, NULL);
-	    passert(r == 0);
+			r = sigaction(SIGPIPE, &oldact, NULL);
+			passert(r == 0);
 #endif /* !MSG_NOSIGNAL */
+		}
 	}
-    }
 }
 
 /* Build up a diagnostic in a static buffer.
@@ -607,16 +675,16 @@ char diag_space[sizeof(diag_space)];
 err_t
 builddiag(const char *fmt, ...)
 {
-    static char diag_space[LOG_WIDTH];	/* longer messages will be truncated */
-    char t[sizeof(diag_space)];	/* build result here first */
-    va_list args;
-
-    va_start(args, fmt);
-    t[0] = '\0';	/* in case nothing terminates string */
-    vsnprintf(t, sizeof(t), fmt, args);
-    va_end(args);
-    strcpy(diag_space, t);
-    return diag_space;
+	static char diag_space[LOG_WIDTH];  /* longer messages will be truncated */
+	char t[sizeof(diag_space)]; /* build result here first */
+	va_list args;
+
+	va_start(args, fmt);
+	t[0] = '\0';        /* in case nothing terminates string */
+	vsnprintf(t, sizeof(t), fmt, args);
+	va_end(args);
+	strcpy(diag_space, t);
+	return diag_space;
 }
 
 /* Debugging message support */
@@ -626,51 +694,51 @@ builddiag(const char *fmt, ...)
 void
 switch_fail(int n, const char *file_str, unsigned long line_no)
 {
-    char buf[30];
+	char buf[30];
 
-    snprintf(buf, sizeof(buf), "case %d unexpected", n);
-    passert_fail(buf, file_str, line_no);
+	snprintf(buf, sizeof(buf), "case %d unexpected", n);
+	passert_fail(buf, file_str, line_no);
 }
 
 void
 passert_fail(const char *pred_str, const char *file_str, unsigned long line_no)
 {
-    /* we will get a possibly unplanned prefix.  Hope it works */
-    loglog(RC_LOG_SERIOUS, "ASSERTION FAILED at %s:%lu: %s", file_str, line_no, pred_str);
-    if (!dying_breath)
-    {
-	dying_breath = TRUE;
-	show_status(TRUE, NULL);
-    }
-    abort();	/* exiting correctly doesn't always work */
+	/* we will get a possibly unplanned prefix.  Hope it works */
+	loglog(RC_LOG_SERIOUS, "ASSERTION FAILED at %s:%lu: %s", file_str, line_no, pred_str);
+	if (!dying_breath)
+	{
+		dying_breath = TRUE;
+		show_status(TRUE, NULL);
+	}
+	abort();    /* exiting correctly doesn't always work */
 }
 
 void
 pexpect_log(const char *pred_str, const char *file_str, unsigned long line_no)
 {
-    /* we will get a possibly unplanned prefix.  Hope it works */
-    loglog(RC_LOG_SERIOUS, "EXPECTATION FAILED at %s:%lu: %s", file_str, line_no, pred_str);
+	/* we will get a possibly unplanned prefix.  Hope it works */
+	loglog(RC_LOG_SERIOUS, "EXPECTATION FAILED at %s:%lu: %s", file_str, line_no, pred_str);
 }
 
 lset_t
-    base_debugging = DBG_NONE,	/* default to reporting nothing */
-    cur_debugging =  DBG_NONE;
+	base_debugging = DBG_NONE,  /* default to reporting nothing */
+	cur_debugging =  DBG_NONE;
 
 void
 extra_debugging(const struct connection *c)
 {
-    if(c == NULL)
-    {
-	reset_debugging();
-	return;
-    }
-
-    if (c!= NULL && c->extra_debugging != 0)
-    {
-	plog("enabling for connection: %s"
-	    , bitnamesof(debug_bit_names, c->extra_debugging & ~cur_debugging));
-	cur_debugging |= c->extra_debugging;
-    }
+	if(c == NULL)
+	{
+		reset_debugging();
+		return;
+	}
+
+	if (c!= NULL && c->extra_debugging != 0)
+	{
+		plog("enabling for connection: %s"
+			, bitnamesof(debug_bit_names, c->extra_debugging & ~cur_debugging));
+		cur_debugging |= c->extra_debugging;
+	}
 }
 
 /* log a debugging message (prefixed by "| ") */
@@ -678,21 +746,21 @@ extra_debugging(const struct connection *c)
 void
 DBG_log(const char *message, ...)
 {
-    va_list args;
-    char m[LOG_WIDTH];	/* longer messages will be truncated */
+	va_list args;
+	char m[LOG_WIDTH];  /* longer messages will be truncated */
 
-    va_start(args, message);
-    vsnprintf(m, sizeof(m), message, args);
-    va_end(args);
+	va_start(args, message);
+	vsnprintf(m, sizeof(m), message, args);
+	va_end(args);
 
-    (void)sanitize(m, sizeof(m));
+	(void)sanitize(m, sizeof(m));
 
-    if (log_to_stderr)
-	fprintf(stderr, "| %s\n", m);
-    if (log_to_syslog)
-	syslog(LOG_DEBUG, "| %s", m);
-    if (log_to_perpeer)
-	peerlog("| ", m);
+	if (log_to_stderr)
+		fprintf(stderr, "| %s\n", m);
+	if (log_to_syslog)
+		syslog(LOG_DEBUG, "| %s", m);
+	if (log_to_perpeer)
+		peerlog("| ", m);
 }
 
 /* dump raw bytes in hex to stderr (for lack of any better destination) */
@@ -700,82 +768,99 @@ DBG_log(const char *message, ...)
 void
 DBG_dump(const char *label, const void *p, size_t len)
 {
-#   define DUMP_LABEL_WIDTH 20	/* arbitrary modest boundary */
-#   define DUMP_WIDTH	(4 * (1 + 4 * 3) + 1)
-    char buf[DUMP_LABEL_WIDTH + DUMP_WIDTH];
-    char *bp;
-    const unsigned char *cp = p;
-
-    bp = buf;
+#   define DUMP_LABEL_WIDTH 20  /* arbitrary modest boundary */
+#   define DUMP_WIDTH   (4 * (1 + 4 * 3) + 1)
+	char buf[DUMP_LABEL_WIDTH + DUMP_WIDTH];
+	char *bp;
+	const unsigned char *cp = p;
 
-    if (label != NULL && label[0] != '\0')
-    {
-	/* Handle the label.  Care must be taken to avoid buffer overrun. */
-	size_t llen = strlen(label);
+	bp = buf;
 
-	if (llen + 1 > sizeof(buf))
+	if (label != NULL && label[0] != '\0')
 	{
-	    DBG_log("%s", label);
-	}
-	else
-	{
-	    strcpy(buf, label);
-	    if (buf[llen-1] == '\n')
-	    {
-		buf[llen-1] = '\0';	/* get rid of newline */
-		DBG_log("%s", buf);
-	    }
-	    else if (llen < DUMP_LABEL_WIDTH)
-	    {
-		bp = buf + llen;
-	    }
-	    else
-	    {
-		DBG_log("%s", buf);
-	    }
+		/* Handle the label.  Care must be taken to avoid buffer overrun. */
+		size_t llen = strlen(label);
+
+		if (llen + 1 > sizeof(buf))
+		{
+			DBG_log("%s", label);
+		}
+		else
+		{
+			strcpy(buf, label);
+			if (buf[llen-1] == '\n')
+			{
+				buf[llen-1] = '\0';     /* get rid of newline */
+				DBG_log("%s", buf);
+			}
+			else if (llen < DUMP_LABEL_WIDTH)
+			{
+				bp = buf + llen;
+			}
+			else
+			{
+				DBG_log("%s", buf);
+			}
+		}
 	}
-    }
 
-    do {
-	int i, j;
+	do {
+		int i, j;
 
-	for (i = 0; len!=0 && i!=4; i++)
-	{
-	    *bp++ = ' ';
-	    for (j = 0; len!=0 && j!=4; len--, j++)
-	    {
-		static const char hexdig[] = "0123456789abcdef";
-
-		*bp++ = ' ';
-		*bp++ = hexdig[(*cp >> 4) & 0xF];
-		*bp++ = hexdig[*cp & 0xF];
-		cp++;
-	    }
-	}
-	*bp = '\0';
-	DBG_log("%s", buf);
-	bp = buf;
-    } while (len != 0);
+		for (i = 0; len!=0 && i!=4; i++)
+		{
+			*bp++ = ' ';
+			for (j = 0; len!=0 && j!=4; len--, j++)
+			{
+				static const char hexdig[] = "0123456789abcdef";
+
+				*bp++ = ' ';
+				*bp++ = hexdig[(*cp >> 4) & 0xF];
+				*bp++ = hexdig[*cp & 0xF];
+				cp++;
+			}
+		}
+		*bp = '\0';
+		DBG_log("%s", buf);
+		bp = buf;
+	} while (len != 0);
 #   undef DUMP_LABEL_WIDTH
 #   undef DUMP_WIDTH
 }
 
 #endif /* DEBUG */
 
-void
-show_status(bool all, const char *name)
+static void show_loaded_plugins()
 {
-    if (all)
-    {
-	show_ifaces_status();
-	show_myid_status();
-	show_debug_status();
-	whack_log(RC_COMMENT, BLANK_FORMAT);	/* spacer */
-    }
-    show_connections_status(all, name);
-    show_states_status(all, name);
+	char buf[BUF_LEN], *plugin;
+	int len = 0;
+	enumerator_t *enumerator;
+	
+	buf[0] = '\0';	
+	enumerator = lib->plugins->create_plugin_enumerator(lib->plugins);
+	while (len < BUF_LEN && enumerator->enumerate(enumerator, &plugin))
+	{
+		len += snprintf(&buf[len], BUF_LEN-len, "%s ", plugin);
+	}
+	enumerator->destroy(enumerator);
+	whack_log(RC_COMMENT, "loaded plugins: %s", buf);
+}
+
+void show_status(bool all, const char *name)
+{
+	if (all)
+	{
+		whack_log(RC_COMMENT, "Status of IKEv1 pluto daemon (strongSwan "VERSION"):");
+		show_ifaces_status();
+		show_myid_status();
+		show_loaded_plugins();
+		show_debug_status();
+		whack_log(RC_COMMENT, BLANK_FORMAT);    /* spacer */
+	}
+	show_connections_status(all, name);
+	show_states_status(all, name);
 #ifdef KLIPS
-    show_shunt_status();
+	show_shunt_status();
 #endif
 }
 
@@ -788,10 +873,10 @@ show_status(bool all, const char *name)
 const char *
 ip_str(const ip_address *src)
 {
-    static char buf[ADDRTOT_BUF];
+	static char buf[ADDRTOT_BUF];
 
-    addrtot(src, 0, buf, sizeof(buf));
-    return buf;
+	addrtot(src, 0, buf, sizeof(buf));
+	return buf;
 }
 
 /*
@@ -802,35 +887,31 @@ ip_str(const ip_address *src)
 void
 daily_log_reset(void)
 {
-    /* now perform actions */
-    logged_txt_warning = FALSE;
+	/* now perform actions */
+	logged_txt_warning = FALSE;
 
-    logged_myid_fqdn_txt_warning = FALSE;
-    logged_myid_ip_txt_warning   = FALSE;
-    logged_myid_fqdn_key_warning = FALSE;
-    logged_myid_ip_key_warning   = FALSE;
+	logged_myid_fqdn_txt_warning = FALSE;
+	logged_myid_ip_txt_warning   = FALSE;
+	logged_myid_fqdn_key_warning = FALSE;
+	logged_myid_ip_key_warning   = FALSE;
 }
 
 void
 daily_log_event(void)
 {
-    struct tm *ltime;
-    time_t n, interval;
-
-    /* attempt to schedule oneself to midnight, local time
-     * do this by getting seconds in the day, and delaying
-     * by 86400 - hour*3600+minutes*60+seconds.
-     */
-    time(&n);
-    ltime = localtime(&n);
-    interval = (24 * 60 * 60)
-      - (ltime->tm_sec
-	 + ltime->tm_min  * 60
-	 + ltime->tm_hour * 3600);
-
-    event_schedule(EVENT_LOG_DAILY, interval, NULL);
-
-    daily_log_reset();
+	struct tm lt;
+	time_t t, interval;
+
+	/* attempt to schedule oneself to midnight, local time
+	 * do this by getting seconds in the day, and delaying
+	 * by 86400 - 3600*hours - 60*minutes - seconds.
+	 */
+	time(&t);
+	localtime_r(&t, &lt);
+	interval = 3600 * (24 - lt.tm_hour) - 60 * lt.tm_min - lt.tm_sec;
+
+	event_schedule(EVENT_LOG_DAILY, interval, NULL);
+	daily_log_reset();
 }
 
 /*
diff --git a/src/pluto/log.h b/src/pluto/log.h
index db0fb0202..52c01bbd4 100644
--- a/src/pluto/log.h
+++ b/src/pluto/log.h
@@ -10,8 +10,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: log.h 3252 2007-10-06 21:24:50Z andreas $
  */
 
 #include <freeswan.h>
@@ -27,49 +25,49 @@
 #ifdef DEBUG
 
 extern void passert_fail(const char *pred_str
-    , const char *file_str, unsigned long line_no) NEVER_RETURNS;
+	, const char *file_str, unsigned long line_no) NEVER_RETURNS;
 
 extern void pexpect_log(const char *pred_str
-			, const char *file_str, unsigned long line_no);
+						, const char *file_str, unsigned long line_no);
 
 # define impossible() passert_fail("impossible", __FILE__, __LINE__)
 
 extern void switch_fail(int n
-    , const char *file_str, unsigned long line_no) NEVER_RETURNS;
+	, const char *file_str, unsigned long line_no) NEVER_RETURNS;
 
 # define bad_case(n) switch_fail((int) n, __FILE__, __LINE__)
 
 # define passert(pred) { \
-	if (!(pred)) \
-	    passert_fail(#pred, __FILE__, __LINE__); \
-    }
+		if (!(pred)) \
+			passert_fail(#pred, __FILE__, __LINE__); \
+	}
 
 # define pexpect(pred) { \
-	if (!(pred)) \
-	    pexpect_log(#pred, __FILE__, __LINE__); \
-    }
+		if (!(pred)) \
+			pexpect_log(#pred, __FILE__, __LINE__); \
+	}
 
 /* assert that an err_t is NULL; evaluate exactly once */
 # define happy(x) { \
-	err_t ugh = x; \
-	if (ugh != NULL) \
-	    passert_fail(ugh, __FILE__, __LINE__); \
-    }
+		err_t ugh = x; \
+		if (ugh != NULL) \
+			passert_fail(ugh, __FILE__, __LINE__); \
+	}
 
 #else /*!DEBUG*/
 
 # define impossible() abort()
 # define bad_case(n) abort()
-# define passert(pred)  { }	/* do nothing */
-# define happy(x)  { (void) x; }	/* evaluate non-judgementally */
+# define passert(pred)  { }     /* do nothing */
+# define happy(x)  { (void) x; }        /* evaluate non-judgementally */
 
 #endif /*!DEBUG*/
 
 
 extern bool
-    log_to_stderr,	/* should log go to stderr? */
-    log_to_syslog,	/* should log go to syslog? */
-    log_to_perpeer;     /* should log go to per-IP file? */
+	log_to_stderr,      /* should log go to stderr? */
+	log_to_syslog,      /* should log go to syslog? */
+	log_to_perpeer;     /* should log go to per-IP file? */
 
 extern const char *base_perpeer_logdir;
 
@@ -84,25 +82,25 @@ extern const char *base_perpeer_logdir;
  * If the context provides a whack file descriptor, messages
  * should be copied to it -- see whack_log()
  */
-extern int whack_log_fd;	/* only set during whack_handle() */
-extern struct state *cur_state;	/* current state, for diagnostics */
-extern struct connection *cur_connection;	/* current connection, for diagnostics */
-extern const ip_address *cur_from;	/* source of current current message */
-extern u_int16_t cur_from_port;	/* host order */
+extern int whack_log_fd;        /* only set during whack_handle() */
+extern struct state *cur_state; /* current state, for diagnostics */
+extern struct connection *cur_connection;       /* current connection, for diagnostics */
+extern const ip_address *cur_from;      /* source of current current message */
+extern u_int16_t cur_from_port; /* host order */
 
 #ifdef DEBUG
 
-  extern lset_t cur_debugging;	/* current debugging level */
+  extern lset_t cur_debugging;  /* current debugging level */
 
   extern void extra_debugging(const struct connection *c);
 
 # define reset_debugging() { cur_debugging = base_debugging; }
 
 # define GLOBALS_ARE_RESET() (whack_log_fd == NULL_FD \
-    && cur_state == NULL \
-    && cur_connection == NULL \
-    && cur_from == NULL \
-    && cur_debugging == base_debugging)
+	&& cur_state == NULL \
+	&& cur_connection == NULL \
+	&& cur_from == NULL \
+	&& cur_debugging == base_debugging)
 
 #else /*!DEBUG*/
 
@@ -111,40 +109,40 @@ extern u_int16_t cur_from_port;	/* host order */
 # define reset_debugging() { }
 
 # define GLOBALS_ARE_RESET() (whack_log_fd == NULL_FD \
-    && cur_state == NULL \
-    && cur_connection == NULL \
-    && cur_from == NULL)
+	&& cur_state == NULL \
+	&& cur_connection == NULL \
+	&& cur_from == NULL)
 
 #endif /*!DEBUG*/
 
 #define reset_globals() { \
-    whack_log_fd = NULL_FD; \
-    cur_state = NULL; \
-    cur_from = NULL; \
-    reset_cur_connection(); \
-    }
+	whack_log_fd = NULL_FD; \
+	cur_state = NULL; \
+	cur_from = NULL; \
+	reset_cur_connection(); \
+	}
 
 
 #define set_cur_connection(c) { \
-    cur_connection = (c); \
-    extra_debugging(c); \
-    }
+	cur_connection = (c); \
+	extra_debugging(c); \
+	}
 
 #define reset_cur_connection() { \
-    cur_connection = NULL; \
-    reset_debugging(); \
-    }
+	cur_connection = NULL; \
+	reset_debugging(); \
+	}
 
 
 #define set_cur_state(s) { \
-    cur_state = (s); \
-    extra_debugging((s)->st_connection); \
-    }
+	cur_state = (s); \
+	extra_debugging((s)->st_connection); \
+	}
 
 #define reset_cur_state() { \
-    cur_state = NULL; \
-    reset_debugging(); \
-    }
+	cur_state = NULL; \
+	reset_debugging(); \
+	}
 
 extern void init_log(const char *program);
 extern void close_log(void);
@@ -188,12 +186,12 @@ extern void show_status(bool all, const char *name);
  * restriction is not checked in any way: violators will produce
  * confusing results (without crashing!).
  */
-extern char diag_space[LOG_WIDTH];	/* output buffer, but can be occupied at call */
+extern char diag_space[LOG_WIDTH];      /* output buffer, but can be occupied at call */
 extern err_t builddiag(const char *fmt, ...) PRINTF_LIKE(1);
 
 #ifdef DEBUG
 
-extern lset_t base_debugging;	/* bits selecting what to report */
+extern lset_t base_debugging;   /* bits selecting what to report */
 
 #define DBGP(cond)         (cur_debugging & (cond))
 #define DBG(cond, action)   { if (DBGP(cond)) { action ; } }
@@ -204,7 +202,7 @@ extern void DBG_dump(const char *label, const void *p, size_t len);
 
 #else /*!DEBUG*/
 
-#define DBG(cond, action)	{ }	/* do nothing */
+#define DBG(cond, action)       { }     /* do nothing */
 
 #endif /*!DEBUG*/
 
diff --git a/src/pluto/md2.c b/src/pluto/md2.c
deleted file mode 100644
index d6465477d..000000000
--- a/src/pluto/md2.c
+++ /dev/null
@@ -1,237 +0,0 @@
-/* MD2C.C - RSA Data Security, Inc., MD2 message-digest algorithm
- */
-
-/* Copyright (C) 1990-2, RSA Data Security, Inc. Created 1990. All
-   rights reserved.
-
-   License to copy and use this software is granted for
-   non-commercial Internet Privacy-Enhanced Mail provided that it is
-   identified as the "RSA Data Security, Inc. MD2 Message Digest
-   Algorithm" in all material mentioning or referencing this software
-   or this function.
-
-   RSA Data Security, Inc. makes no representations concerning either
-   the merchantability of this software or the suitability of this
-   software for any particular purpose. It is provided "as is"
-   without express or implied warranty of any kind.
-
-   These notices must be retained in any copies of any part of this
-   documentation and/or software.
- */
-
-#include "md2.h"
-
-#define HAVEMEMCOPY 1	/* use ISO C's memcpy and memset */
-
-static void MD2Transform PROTO_LIST
-  ((unsigned char [16], unsigned char [16], const unsigned char [16]));
-
-#ifdef HAVEMEMCOPY
-#include <memory.h>
-#define MD2_memcpy	memcpy
-#define MD2_memset	memset
-#else
-#ifdef HAVEBCOPY
-#define MD2_memcpy(_a,_b,_c) memcpy((_a), (_b),(_c))
-#define MD2_memset(_a,_b,_c) memset((_a), '\0',(_c))
-#else
-static void MD2_memcpy PROTO_LIST ((POINTER, CONST_POINTER, unsigned int));
-static void MD2_memset PROTO_LIST ((POINTER, int, unsigned int));
-#endif
-#endif
-
-/* Permutation of 0..255 constructed from the digits of pi. It gives a
-   "random" nonlinear byte substitution operation.
- */
-static unsigned char PI_SUBST[256] = {
-  41, 46, 67, 201, 162, 216, 124, 1, 61, 54, 84, 161, 236, 240, 6,
-  19, 98, 167, 5, 243, 192, 199, 115, 140, 152, 147, 43, 217, 188,
-  76, 130, 202, 30, 155, 87, 60, 253, 212, 224, 22, 103, 66, 111, 24,
-  138, 23, 229, 18, 190, 78, 196, 214, 218, 158, 222, 73, 160, 251,
-  245, 142, 187, 47, 238, 122, 169, 104, 121, 145, 21, 178, 7, 63,
-  148, 194, 16, 137, 11, 34, 95, 33, 128, 127, 93, 154, 90, 144, 50,
-  39, 53, 62, 204, 231, 191, 247, 151, 3, 255, 25, 48, 179, 72, 165,
-  181, 209, 215, 94, 146, 42, 172, 86, 170, 198, 79, 184, 56, 210,
-  150, 164, 125, 182, 118, 252, 107, 226, 156, 116, 4, 241, 69, 157,
-  112, 89, 100, 113, 135, 32, 134, 91, 207, 101, 230, 45, 168, 2, 27,
-  96, 37, 173, 174, 176, 185, 246, 28, 70, 97, 105, 52, 64, 126, 15,
-  85, 71, 163, 35, 221, 81, 175, 58, 195, 92, 249, 206, 186, 197,
-  234, 38, 44, 83, 13, 110, 133, 40, 132, 9, 211, 223, 205, 244, 65,
-  129, 77, 82, 106, 220, 55, 200, 108, 193, 171, 250, 36, 225, 123,
-  8, 12, 189, 177, 74, 120, 136, 149, 139, 227, 99, 232, 109, 233,
-  203, 213, 254, 59, 0, 29, 57, 242, 239, 183, 14, 102, 88, 208, 228,
-  166, 119, 114, 248, 235, 117, 75, 10, 49, 68, 80, 180, 143, 237,
-  31, 26, 219, 153, 141, 51, 159, 17, 131, 20
-};
-
-static const unsigned char *PADDING[] = {
-  (const unsigned char *)"",
-  (const unsigned char *)"\001",
-  (const unsigned char *)"\002\002",
-  (const unsigned char *)"\003\003\003",
-  (const unsigned char *)"\004\004\004\004",
-  (const unsigned char *)"\005\005\005\005\005",
-  (const unsigned char *)"\006\006\006\006\006\006",
-  (const unsigned char *)"\007\007\007\007\007\007\007",
-  (const unsigned char *)"\010\010\010\010\010\010\010\010",
-  (const unsigned char *)"\011\011\011\011\011\011\011\011\011",
-  (const unsigned char *)"\012\012\012\012\012\012\012\012\012\012",
-  (const unsigned char *)"\013\013\013\013\013\013\013\013\013\013\013",
-  (const unsigned char *)"\014\014\014\014\014\014\014\014\014\014\014\014",
-  (const unsigned char *)
-    "\015\015\015\015\015\015\015\015\015\015\015\015\015",
-  (const unsigned char *)
-    "\016\016\016\016\016\016\016\016\016\016\016\016\016\016",
-  (const unsigned char *)
-    "\017\017\017\017\017\017\017\017\017\017\017\017\017\017\017",
-  (const unsigned char *)
-    "\020\020\020\020\020\020\020\020\020\020\020\020\020\020\020\020"
-};
-
-/* MD2 initialization. Begins an MD2 operation, writing a new context.
- */
-void MD2Init (context)
-MD2_CTX *context;                                        /* context */
-{
-  context->count = 0;
-  MD2_memset ((POINTER)context->state, 0, sizeof (context->state));
-  MD2_memset
-    ((POINTER)context->checksum, 0, sizeof (context->checksum));
-}
-
-/* MD2 block update operation. Continues an MD2 message-digest
-     operation, processing another message block, and updating the
-     context.
- */
-void MD2Update (context, input, inputLen)
-MD2_CTX *context;                                        /* context */
-const unsigned char *input;                          /* input block */
-unsigned int inputLen;                     /* length of input block */
-{
-  unsigned int i, index, partLen;
-
-  /* Update number of bytes mod 16 */
-  index = context->count;
-  context->count = (index + inputLen) & 0xf;
-
-  partLen = 16 - index;
-
-  /* Transform as many times as possible.
-    */
-  if (inputLen >= partLen) {
-    MD2_memcpy
-      ((POINTER)&context->buffer[index], (CONST_POINTER)input, partLen);
-    MD2Transform (context->state, context->checksum, context->buffer);
-
-    for (i = partLen; i + 15 < inputLen; i += 16)
-      MD2Transform (context->state, context->checksum, &input[i]);
-
-    index = 0;
-  }
-  else
-    i = 0;
-
-  /* Buffer remaining input */
-  MD2_memcpy
-    ((POINTER)&context->buffer[index], (CONST_POINTER)&input[i],
-     inputLen-i);
-}
-
-/* MD2 finalization. Ends an MD2 message-digest operation, writing the
-     message digest and zeroizing the context.
- */
-void MD2Final (digest, context)
-
-unsigned char digest[16];                         /* message digest */
-MD2_CTX *context;                                        /* context */
-{
-  unsigned int index, padLen;
-
-  /* Pad out to multiple of 16.
-   */
-  index = context->count;
-  padLen = 16 - index;
-  MD2Update (context, PADDING[padLen], padLen);
-
-  /* Extend with checksum */
-  MD2Update (context, context->checksum, 16);
-
-  /* Store state in digest */
-  MD2_memcpy ((POINTER)digest, (POINTER)context->state, 16);
-
-  /* Zeroize sensitive information.
-   */
-  MD2_memset ((POINTER)context, 0, sizeof (*context));
-}
-
-/* MD2 basic transformation. Transforms state and updates checksum
-     based on block.
- */
-static void MD2Transform (state, checksum, block)
-unsigned char state[16];
-unsigned char checksum[16];
-const unsigned char block[16];
-{
-  unsigned int i, j, t;
-  unsigned char x[48];
-
-  /* Form encryption block from state, block, state ^ block.
-   */
-  MD2_memcpy ((POINTER)x, (CONST_POINTER)state, 16);
-  MD2_memcpy ((POINTER)x+16, (CONST_POINTER)block, 16);
-  for (i = 0; i < 16; i++)
-    x[i+32] = state[i] ^ block[i];
-
-  /* Encrypt block (18 rounds).
-   */
-  t = 0;
-  for (i = 0; i < 18; i++) {
-    for (j = 0; j < 48; j++)
-      t = x[j] ^= PI_SUBST[t];
-    t = (t + i) & 0xff;
-  }
-
-  /* Save new state */
-  MD2_memcpy ((POINTER)state, (POINTER)x, 16);
-
-  /* Update checksum.
-   */
-  t = checksum[15];
-  for (i = 0; i < 16; i++)
-    t = checksum[i] ^= PI_SUBST[block[i] ^ t];
-
-  /* Zeroize sensitive information.
-   */
-  MD2_memset ((POINTER)x, 0, sizeof (x));
-}
-
-#ifndef HAVEMEMCOPY
-#ifndef HAVEBCOPY
-/* Note: Replace "for loop" with standard memcpy if possible.
- */
-static void MD2_memcpy (output, input, len)
-POINTER output;
-POINTER input;
-unsigned int len;
-{
-  unsigned int i;
-
-  for (i = 0; i < len; i++)
-    output[i] = input[i];
-}
-
-/* Note: Replace "for loop" with standard memset if possible.
- */
-static void MD2_memset (output, value, len)
-POINTER output;
-int value;
-unsigned int len;
-{
-  unsigned int i;
-
-  for (i = 0; i < len; i++)
-    ((char *)output)[i] = (char)value;
-}
-#endif
-#endif
-
diff --git a/src/pluto/md2.h b/src/pluto/md2.h
deleted file mode 100644
index b3b48dd92..000000000
--- a/src/pluto/md2.h
+++ /dev/null
@@ -1,72 +0,0 @@
-#ifndef _GLOBAL_H_
-#define _GLOBAL_H_
-/* GLOBAL.H - RSAREF types and constants
- */
-
-/* PROTOTYPES should be set to one if and only if the compiler supports
-     function argument prototyping.
-   The following makes PROTOTYPES default to 0 if it has not already
-     been defined with C compiler flags.
- */
-#ifndef PROTOTYPES
-#define PROTOTYPES 1
-#endif
-
-/* POINTER defines a generic pointer type */
-typedef unsigned char *POINTER;
-typedef const unsigned char *CONST_POINTER;
-
-/* UINT2 defines a two byte word */
-typedef unsigned short int UINT2;
-
-/* UINT4 defines a four byte word */
-typedef unsigned long int UINT4;
-
-/* PROTO_LIST is defined depending on how PROTOTYPES is defined above.
-   If using PROTOTYPES, then PROTO_LIST returns the list, otherwise it
-     returns an empty list.
- */
-
-#if PROTOTYPES
-#define PROTO_LIST(list) list
-#else
-#define PROTO_LIST(list) ()
-#endif
-
-#endif
-
-/* MD2.H - header file for MD2C.C
- */
-
-/* Copyright (C) 1990-2, RSA Data Security, Inc. Created 1990. All
-   rights reserved.
-
-   License to copy and use this software is granted for
-   non-commercial Internet Privacy-Enhanced Mail provided that it is
-   identified as the "RSA Data Security, Inc. MD2 Message Digest
-   Algorithm" in all material mentioning or referencing this software
-   or this function.
-
-   RSA Data Security, Inc. makes no representations concerning either
-   the merchantability of this software or the suitability of this
-   software for any particular purpose. It is provided "as is"
-   without express or implied warranty of any kind.
-
-   These notices must be retained in any copies of any part of this
-   documentation and/or software.
- */
-
-/* MD2 context. */
-typedef struct {
-  unsigned char state[16];                                 /* state */
-  unsigned char checksum[16];                           /* checksum */
-  unsigned int count;                 /* number of bytes, modulo 16 */
-  unsigned char buffer[16];                         /* input buffer */
-} MD2_CTX;
-
-void MD2Init PROTO_LIST ((MD2_CTX *));
-void MD2Update PROTO_LIST
-  ((MD2_CTX *, const unsigned char *, unsigned int));
-void MD2Final PROTO_LIST ((unsigned char [16], MD2_CTX *));
-
-#define _MD2_H_
diff --git a/src/pluto/md5.c b/src/pluto/md5.c
deleted file mode 100644
index 5d75e38a4..000000000
--- a/src/pluto/md5.c
+++ /dev/null
@@ -1,385 +0,0 @@
-/*
- * The rest of the code is derived from MD5C.C by RSADSI. Minor cosmetic
- * changes to accomodate it in the kernel by ji.
- * Minor changes to make 64 bit clean by Peter Onion (i.e. using u_int*_t).
- */
-
-/* MD5C.C - RSA Data Security, Inc., MD5 message-digest algorithm
- */
-
-/* Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All
-rights reserved.
-
-License to copy and use this software is granted provided that it
-is identified as the "RSA Data Security, Inc. MD5 Message-Digest
-Algorithm" in all material mentioning or referencing this software
-or this function.
-
-License is also granted to make and use derivative works provided
-that such works are identified as "derived from the RSA Data
-Security, Inc. MD5 Message-Digest Algorithm" in all material
-mentioning or referencing the derived work.
-
-RSA Data Security, Inc. makes no representations concerning either
-the merchantability of this software or the suitability of this
-software for any particular purpose. It is provided "as is"
-without express or implied warranty of any kind.
-
-These notices must be retained in any copies of any part of this
-documentation and/or software.
- */
-
-/*
- * Additions by JI
- *
- * HAVEMEMCOPY is defined if mem* routines are available
- *
- * HAVEHTON is defined if htons() and htonl() can be used
- * for big/little endian conversions
- *
- */
-
-#include <stddef.h>
-#include <string.h>
-#include <sys/types.h>	/* for u_int*_t */
-#include <endian.h>	/* sets BYTE_ORDER, LITTLE_ENDIAN, and BIG_ENDIAN */
-
-#include "md5.h"
-
-#define HAVEMEMCOPY 1	/* use ISO C's memcpy and memset */
-
-/* Constants for MD5Transform routine.
- */
-
-#define S11 7
-#define S12 12
-#define S13 17
-#define S14 22
-#define S21 5
-#define S22 9
-#define S23 14
-#define S24 20
-#define S31 4
-#define S32 11
-#define S33 16
-#define S34 23
-#define S41 6
-#define S42 10
-#define S43 15
-#define S44 21
-
-#define MD5Transform _MD5Transform
-
-static void MD5Transform PROTO_LIST ((UINT4 [4], const unsigned char [64]));
-
-#if BYTE_ORDER == LITTLE_ENDIAN
-#define Encode MD5_memcpy
-#define Decode MD5_memcpy
-#else
-static void Encode PROTO_LIST
-  ((unsigned char *, UINT4 *, unsigned int));
-static void Decode PROTO_LIST
-  ((UINT4 *, unsigned char *, unsigned int));
-#endif
-
-#ifdef HAVEMEMCOPY
-#include <memory.h>
-#define MD5_memcpy	memcpy
-#define MD5_memset	memset
-#else
-#ifdef HAVEBCOPY
-#define MD5_memcpy(_a,_b,_c) memcpy((_a), (_b),(_c))
-#define MD5_memset(_a,_b,_c) memset((_a), '\0',(_c))
-#else
-static void MD5_memcpy PROTO_LIST ((POINTER, POINTER, unsigned int));
-static void MD5_memset PROTO_LIST ((POINTER, int, unsigned int));
-#endif
-#endif
-static unsigned char PADDING[64] = {
-  0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
-  0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
-  0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
-};
-
-/* F, G, H and I are basic MD5 functions.
- */
-#define F(x, y, z) (((x) & (y)) | ((~x) & (z)))
-#define G(x, y, z) (((x) & (z)) | ((y) & (~z)))
-#define H(x, y, z) ((x) ^ (y) ^ (z))
-#define I(x, y, z) ((y) ^ ((x) | (~z)))
-
-/* ROTATE_LEFT rotates x left n bits.
- */
-#define ROTATE_LEFT(x, n) (((x) << (n)) | ((x) >> (32-(n))))
-
-/* FF, GG, HH, and II transformations for rounds 1, 2, 3, and 4.
-Rotation is separate from addition to prevent recomputation.
- */
-#define FF(a, b, c, d, x, s, ac) { \
- (a) += F ((b), (c), (d)) + (x) + (UINT4)(ac); \
- (a) = ROTATE_LEFT ((a), (s)); \
- (a) += (b); \
-  }
-#define GG(a, b, c, d, x, s, ac) { \
- (a) += G ((b), (c), (d)) + (x) + (UINT4)(ac); \
- (a) = ROTATE_LEFT ((a), (s)); \
- (a) += (b); \
-  }
-#define HH(a, b, c, d, x, s, ac) { \
- (a) += H ((b), (c), (d)) + (x) + (UINT4)(ac); \
- (a) = ROTATE_LEFT ((a), (s)); \
- (a) += (b); \
-  }
-#define II(a, b, c, d, x, s, ac) { \
- (a) += I ((b), (c), (d)) + (x) + (UINT4)(ac); \
- (a) = ROTATE_LEFT ((a), (s)); \
- (a) += (b); \
-  }
-
-/* MD5 initialization. Begins an MD5 operation, writing a new context.
- */
-void MD5Init (context)
-MD5_CTX *context;                                        /* context */
-{
-  context->count[0] = context->count[1] = 0;
-  /* Load magic initialization constants.
-*/
-  context->state[0] = 0x67452301;
-  context->state[1] = 0xefcdab89;
-  context->state[2] = 0x98badcfe;
-  context->state[3] = 0x10325476;
-}
-
-/* MD5 block update operation. Continues an MD5 message-digest
-  operation, processing another message block, and updating the
-  context.
- */
-void MD5Update (context, input, inputLen)
-MD5_CTX *context;                                        /* context */
-const unsigned char *input;                          /* input block */
-UINT4 inputLen;                            /* length of input block */
-{
-  UINT4 i;
-  unsigned int index, partLen;
-
-  /* Compute number of bytes mod 64 */
-  index = (unsigned int)((context->count[0] >> 3) & 0x3F);
-
-  /* Update number of bits */
-  if ((context->count[0] += (inputLen << 3)) < (inputLen << 3))
-	context->count[1]++;
-  context->count[1] += (inputLen >> 29);
-
-  partLen = 64 - index;
-
-  /* Transform as many times as possible. */
-  if (inputLen >= partLen) {
-	MD5_memcpy((POINTER)&context->buffer[index], (CONSTPOINTER)input, partLen);
-	MD5Transform (context->state, context->buffer);
-
-	for (i = partLen; i + 63 < inputLen; i += 64)
-	    MD5Transform (context->state, &input[i]);
-
-	index = 0;
-  }
-  else
-	i = 0;
-
-  /* Buffer remaining input */
-  MD5_memcpy((POINTER)&context->buffer[index], (CONSTPOINTER)&input[i], inputLen-i);
-}
-
-/* MD5 finalization. Ends an MD5 message-digest operation, writing the
-  the message digest and zeroizing the context.
- */
-void MD5Final (digest, context)
-unsigned char digest[16];                         /* message digest */
-MD5_CTX *context;                                       /* context */
-{
-  unsigned char bits[8];
-  unsigned int index, padLen;
-
-  /* Save number of bits */
-  Encode (bits, context->count, 8);
-
-  /* Pad out to 56 mod 64.
-*/
-  index = (unsigned int)((context->count[0] >> 3) & 0x3f);
-  padLen = (index < 56) ? (56 - index) : (120 - index);
-  MD5Update (context, PADDING, padLen);
-
-  /* Append length (before padding) */
-  MD5Update (context, bits, 8);
-
-  if (digest != NULL)			/* Bill Simpson's padding */
-  {
-	  /* store state in digest */
-	  Encode (digest, context->state, 16);
-
-	  /* Zeroize sensitive information.
-	   */
-	  MD5_memset ((POINTER)context, 0, sizeof (*context));
-  }
-}
-
-/* MD5 basic transformation. Transforms state based on block.
- */
-static void MD5Transform (state, block)
-UINT4 state[4];
-const unsigned char block[64];
-{
-  UINT4 a = state[0], b = state[1], c = state[2], d = state[3], x[16];
-
-  Decode (x, block, 64);
-
-  /* Round 1 */
-  FF (a, b, c, d, x[ 0], S11, 0xd76aa478); /* 1 */
-  FF (d, a, b, c, x[ 1], S12, 0xe8c7b756); /* 2 */
-  FF (c, d, a, b, x[ 2], S13, 0x242070db); /* 3 */
-  FF (b, c, d, a, x[ 3], S14, 0xc1bdceee); /* 4 */
-  FF (a, b, c, d, x[ 4], S11, 0xf57c0faf); /* 5 */
-  FF (d, a, b, c, x[ 5], S12, 0x4787c62a); /* 6 */
-  FF (c, d, a, b, x[ 6], S13, 0xa8304613); /* 7 */
-  FF (b, c, d, a, x[ 7], S14, 0xfd469501); /* 8 */
-  FF (a, b, c, d, x[ 8], S11, 0x698098d8); /* 9 */
-  FF (d, a, b, c, x[ 9], S12, 0x8b44f7af); /* 10 */
-  FF (c, d, a, b, x[10], S13, 0xffff5bb1); /* 11 */
-  FF (b, c, d, a, x[11], S14, 0x895cd7be); /* 12 */
-  FF (a, b, c, d, x[12], S11, 0x6b901122); /* 13 */
-  FF (d, a, b, c, x[13], S12, 0xfd987193); /* 14 */
-  FF (c, d, a, b, x[14], S13, 0xa679438e); /* 15 */
-  FF (b, c, d, a, x[15], S14, 0x49b40821); /* 16 */
-
- /* Round 2 */
-  GG (a, b, c, d, x[ 1], S21, 0xf61e2562); /* 17 */
-  GG (d, a, b, c, x[ 6], S22, 0xc040b340); /* 18 */
-  GG (c, d, a, b, x[11], S23, 0x265e5a51); /* 19 */
-  GG (b, c, d, a, x[ 0], S24, 0xe9b6c7aa); /* 20 */
-  GG (a, b, c, d, x[ 5], S21, 0xd62f105d); /* 21 */
-  GG (d, a, b, c, x[10], S22,  0x2441453); /* 22 */
-  GG (c, d, a, b, x[15], S23, 0xd8a1e681); /* 23 */
-  GG (b, c, d, a, x[ 4], S24, 0xe7d3fbc8); /* 24 */
-  GG (a, b, c, d, x[ 9], S21, 0x21e1cde6); /* 25 */
-  GG (d, a, b, c, x[14], S22, 0xc33707d6); /* 26 */
-  GG (c, d, a, b, x[ 3], S23, 0xf4d50d87); /* 27 */
-  GG (b, c, d, a, x[ 8], S24, 0x455a14ed); /* 28 */
-  GG (a, b, c, d, x[13], S21, 0xa9e3e905); /* 29 */
-  GG (d, a, b, c, x[ 2], S22, 0xfcefa3f8); /* 30 */
-  GG (c, d, a, b, x[ 7], S23, 0x676f02d9); /* 31 */
-  GG (b, c, d, a, x[12], S24, 0x8d2a4c8a); /* 32 */
-
-  /* Round 3 */
-  HH (a, b, c, d, x[ 5], S31, 0xfffa3942); /* 33 */
-  HH (d, a, b, c, x[ 8], S32, 0x8771f681); /* 34 */
-  HH (c, d, a, b, x[11], S33, 0x6d9d6122); /* 35 */
-  HH (b, c, d, a, x[14], S34, 0xfde5380c); /* 36 */
-  HH (a, b, c, d, x[ 1], S31, 0xa4beea44); /* 37 */
-  HH (d, a, b, c, x[ 4], S32, 0x4bdecfa9); /* 38 */
-  HH (c, d, a, b, x[ 7], S33, 0xf6bb4b60); /* 39 */
-  HH (b, c, d, a, x[10], S34, 0xbebfbc70); /* 40 */
-  HH (a, b, c, d, x[13], S31, 0x289b7ec6); /* 41 */
-  HH (d, a, b, c, x[ 0], S32, 0xeaa127fa); /* 42 */
-  HH (c, d, a, b, x[ 3], S33, 0xd4ef3085); /* 43 */
-  HH (b, c, d, a, x[ 6], S34,  0x4881d05); /* 44 */
-  HH (a, b, c, d, x[ 9], S31, 0xd9d4d039); /* 45 */
-  HH (d, a, b, c, x[12], S32, 0xe6db99e5); /* 46 */
-  HH (c, d, a, b, x[15], S33, 0x1fa27cf8); /* 47 */
-  HH (b, c, d, a, x[ 2], S34, 0xc4ac5665); /* 48 */
-
-  /* Round 4 */
-  II (a, b, c, d, x[ 0], S41, 0xf4292244); /* 49 */
-  II (d, a, b, c, x[ 7], S42, 0x432aff97); /* 50 */
-  II (c, d, a, b, x[14], S43, 0xab9423a7); /* 51 */
-  II (b, c, d, a, x[ 5], S44, 0xfc93a039); /* 52 */
-  II (a, b, c, d, x[12], S41, 0x655b59c3); /* 53 */
-  II (d, a, b, c, x[ 3], S42, 0x8f0ccc92); /* 54 */
-  II (c, d, a, b, x[10], S43, 0xffeff47d); /* 55 */
-  II (b, c, d, a, x[ 1], S44, 0x85845dd1); /* 56 */
-  II (a, b, c, d, x[ 8], S41, 0x6fa87e4f); /* 57 */
-  II (d, a, b, c, x[15], S42, 0xfe2ce6e0); /* 58 */
-  II (c, d, a, b, x[ 6], S43, 0xa3014314); /* 59 */
-  II (b, c, d, a, x[13], S44, 0x4e0811a1); /* 60 */
-  II (a, b, c, d, x[ 4], S41, 0xf7537e82); /* 61 */
-  II (d, a, b, c, x[11], S42, 0xbd3af235); /* 62 */
-  II (c, d, a, b, x[ 2], S43, 0x2ad7d2bb); /* 63 */
-  II (b, c, d, a, x[ 9], S44, 0xeb86d391); /* 64 */
-
-  state[0] += a;
-  state[1] += b;
-  state[2] += c;
-  state[3] += d;
-
-  /* Zeroize sensitive information.
-*/
-  MD5_memset ((POINTER)x, 0, sizeof (x));
-}
-
-#if BYTE_ORDER != LITTLE_ENDIAN
-
-/* Encodes input (UINT4) into output (unsigned char). Assumes len is
-  a multiple of 4.
- */
-static void Encode (output, input, len)
-unsigned char *output;
-UINT4 *input;
-unsigned int len;
-{
-  unsigned int i, j;
-
-  for (i = 0, j = 0; j < len; i++, j += 4) {
- output[j] = (unsigned char)(input[i] & 0xff);
- output[j+1] = (unsigned char)((input[i] >> 8) & 0xff);
- output[j+2] = (unsigned char)((input[i] >> 16) & 0xff);
- output[j+3] = (unsigned char)((input[i] >> 24) & 0xff);
-  }
-}
-
-/* Decodes input (unsigned char) into output (UINT4). Assumes len is
-  a multiple of 4.
- */
-static void Decode (output, input, len)
-UINT4 *output;
-unsigned char *input;
-unsigned int len;
-{
-  unsigned int i, j;
-
-  for (i = 0, j = 0; j < len; i++, j += 4)
- output[i] = ((UINT4)input[j]) | (((UINT4)input[j+1]) << 8) |
-   (((UINT4)input[j+2]) << 16) | (((UINT4)input[j+3]) << 24);
-}
-
-#endif
-
-#ifndef HAVEMEMCOPY
-#ifndef HAVEBCOPY
-/* Note: Replace "for loop" with standard memcpy if possible.
- */
-
-static void MD5_memcpy (output, input, len)
-POINTER output;
-POINTER input;
-unsigned int len;
-{
-  unsigned int i;
-
-  for (i = 0; i < len; i++)
-
- output[i] = input[i];
-}
-
-/* Note: Replace "for loop" with standard memset if possible.
- */
-static void MD5_memset (output, value, len)
-POINTER output;
-int value;
-unsigned int len;
-{
-  unsigned int i;
-
-  for (i = 0; i < len; i++)
- ((char *)output)[i] = (char)value;
-}
-#endif
-#endif
-
diff --git a/src/pluto/md5.h b/src/pluto/md5.h
deleted file mode 100644
index 9b29bc46e..000000000
--- a/src/pluto/md5.h
+++ /dev/null
@@ -1,75 +0,0 @@
-#ifndef _GLOBAL_H_
-#define _GLOBAL_H_
-/* GLOBAL.H - RSAREF types and constants
- */
-
-/* PROTOTYPES should be set to one if and only if the compiler supports
-     function argument prototyping.
-   The following makes PROTOTYPES default to 0 if it has not already
-     been defined with C compiler flags.
- */
-#ifndef PROTOTYPES
-#define PROTOTYPES 1
-#endif
-
-/* POINTER defines a generic pointer type */
-typedef unsigned char *POINTER;
-typedef const unsigned char *CONSTPOINTER;
-
-/* UINT2 defines a two byte word */
-typedef u_int16_t UINT2;
-
-/* UINT4 defines a four byte word */
-typedef u_int32_t UINT4;
-
-/* PROTO_LIST is defined depending on how PROTOTYPES is defined above.
-   If using PROTOTYPES, then PROTO_LIST returns the list, otherwise it
-     returns an empty list.
- */
-
-#if PROTOTYPES
-#define PROTO_LIST(list) list
-#else
-#define PROTO_LIST(list) ()
-#endif
-
-#endif
-
-/* MD5.H - header file for MD5C.C
- */
-
-/* Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All
-rights reserved.
-
-License to copy and use this software is granted provided that it
-is identified as the "RSA Data Security, Inc. MD5 Message-Digest
-Algorithm" in all material mentioning or referencing this software
-or this function.
-
-License is also granted to make and use derivative works provided
-that such works are identified as "derived from the RSA Data
-Security, Inc. MD5 Message-Digest Algorithm" in all material
-mentioning or referencing the derived work.
-
-RSA Data Security, Inc. makes no representations concerning either
-the merchantability of this software or the suitability of this
-software for any particular purpose. It is provided "as is"
-without express or implied warranty of any kind.
-
-These notices must be retained in any copies of any part of this
-documentation and/or software.
- */
-
-/* MD5 context. */
-typedef struct {
-  UINT4 state[4];                                   /* state (ABCD) */
-  UINT4 count[2];        /* number of bits, modulo 2^64 (lsb first) */
-  unsigned char buffer[64];                         /* input buffer */
-} MD5_CTX;
-
-void MD5Init PROTO_LIST ((MD5_CTX *));
-void MD5Update PROTO_LIST
-  ((MD5_CTX *, const unsigned char *, UINT4));
-void MD5Final PROTO_LIST ((unsigned char [16], MD5_CTX *));
-
-#define _MD5_H_
diff --git a/src/pluto/modecfg.c b/src/pluto/modecfg.c
index 93624588a..228827f2a 100644
--- a/src/pluto/modecfg.c
+++ b/src/pluto/modecfg.c
@@ -2,7 +2,7 @@
  * Copyright (C) 2001-2002 Colubris Networks
  * Copyright (C) 2003 Sean Mathews - Nu Tech Software Solutions, inc.
  * Copyright (C) 2003-2004 Xelerance Corporation
- * Copyright (C) 2006-2007 Andreas Steffen - Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2006-2009 Andreas Steffen - Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -14,8 +14,6 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: modecfg.c 3738 2008-04-02 19:04:45Z andreas $
- *
  * This code originally written by Colubris Networks, Inc.
  * Extraction of patch and porting to 1.99 codebases by Xelerance Corporation
  * Porting to 2.x by Sean Mathews
@@ -27,6 +25,9 @@
 
 #include <freeswan.h>
 
+#include <library.h>
+#include <crypto/prfs/prf.h>
+
 #include "constants.h"
 #include "defs.h"
 #include "state.h"
@@ -34,21 +35,23 @@
 #include "timer.h"
 #include "ipsec_doi.h"
 #include "log.h"
-#include "md5.h"
-#include "sha1.h"
 #include "crypto.h"
 #include "modecfg.h"
 #include "whack.h"
 #include "xauth.h"
 
-#define MAX_XAUTH_TRIES		3
+#define MAX_XAUTH_TRIES         3
+#define DNS_SERVER_MAX          2
+#define NBNS_SERVER_MAX         2
 
 #define SUPPORTED_ATTR_SET   ( LELEM(INTERNAL_IP4_ADDRESS)         \
-                             | LELEM(INTERNAL_IP4_NETMASK)         \
-                             | LELEM(INTERNAL_IP4_DNS)             \
-                             | LELEM(INTERNAL_IP4_NBNS)            \
-                             | LELEM(APPLICATION_VERSION)          \
-                             )
+							 | LELEM(INTERNAL_IP4_NETMASK)         \
+							 | LELEM(INTERNAL_IP4_DNS)             \
+							 | LELEM(INTERNAL_IP4_NBNS)            \
+							 | LELEM(APPLICATION_VERSION)          \
+							 | LELEM(INTERNAL_IP6_DNS)             \
+							 | LELEM(INTERNAL_IP6_NBNS)            \
+							 )
 
 #define SUPPORTED_UNITY_ATTR_SET ( LELEM(UNITY_BANNER - UNITY_BASE) )
 
@@ -61,21 +64,21 @@ typedef struct internal_addr internal_addr_t;
 
 struct internal_addr
 {
-    lset_t attr_set;
-    lset_t xauth_attr_set;
-    lset_t unity_attr_set;
+	lset_t attr_set;
+	lset_t xauth_attr_set;
+	lset_t unity_attr_set;
 
-    /* ModeCfg variables */
-    ip_address ipaddr;
-    ip_address dns[2];
-    ip_address wins[2];
+	/* ModeCfg variables */
+	ip_address ipaddr;
+	ip_address dns[DNS_SERVER_MAX];
+	ip_address nbns[NBNS_SERVER_MAX];
 
-    char *unity_banner;
+	char *unity_banner;
 
-    /* XAUTH variables */
-    u_int16_t  xauth_type;
-    xauth_t    xauth_secret;
-    bool       xauth_status;
+	/* XAUTH variables */
+	u_int16_t  xauth_type;
+	xauth_t    xauth_secret;
+	bool       xauth_status;
 };
 
 /*
@@ -84,20 +87,30 @@ struct internal_addr
 static void
 init_internal_addr(internal_addr_t *ia)
 {
-    ia->attr_set = LEMPTY;
-    ia->xauth_attr_set = LEMPTY;
-    ia->xauth_secret.user_name = empty_chunk;
-    ia->xauth_secret.user_password = empty_chunk;
-    ia->xauth_type = XAUTH_TYPE_GENERIC;
-    ia->xauth_status = XAUTH_STATUS_FAIL;
-    ia->unity_attr_set = LEMPTY;
-    ia->unity_banner = NULL;
-
-    anyaddr(AF_INET, &ia->ipaddr);
-    anyaddr(AF_INET, &ia->dns[0]);
-    anyaddr(AF_INET, &ia->dns[1]);
-    anyaddr(AF_INET, &ia->wins[0]);
-    anyaddr(AF_INET, &ia->wins[1]);
+	int i;
+
+	ia->attr_set = LEMPTY;
+	ia->xauth_attr_set = LEMPTY;
+	ia->xauth_secret.user_name = chunk_empty;
+	ia->xauth_secret.user_password = chunk_empty;
+	ia->xauth_type = XAUTH_TYPE_GENERIC;
+	ia->xauth_status = XAUTH_STATUS_FAIL;
+	ia->unity_attr_set = LEMPTY;
+	ia->unity_banner = NULL;
+
+	anyaddr(AF_INET, &ia->ipaddr);
+
+	/* initialize DNS server information */
+	for (i = 0; i < DNS_SERVER_MAX; i++)
+	{
+		anyaddr(AF_INET, &ia->dns[i]);
+	}
+
+	/* initialize WINS server information */
+	for (i = 0; i < NBNS_SERVER_MAX; i++)
+	{
+		anyaddr(AF_INET, &ia->nbns[i]);
+	}
 }
 
 /*
@@ -106,97 +119,152 @@ init_internal_addr(internal_addr_t *ia)
 static void
 get_internal_addr(struct connection *c, internal_addr_t *ia)
 {
-    if (isanyaddr(&c->spd.that.host_srcip))
-    {
-	/* not defined in connection - fetch it from LDAP */
-    }
-    else
-    {
-	char srcip[ADDRTOT_BUF];
-
-	ia->ipaddr = c->spd.that.host_srcip;
-
-	addrtot(&ia->ipaddr, 0, srcip, sizeof(srcip));
-	plog("assigning virtual IP source address %s", srcip);
-    }
-
-    if (!isanyaddr(&ia->ipaddr))	/* We got an IP address, send it */
-    {
-	c->spd.that.client.addr     = ia->ipaddr;
-	c->spd.that.client.maskbits = 32;
-	c->spd.that.has_client      = TRUE;
-	
-	ia->attr_set = LELEM(INTERNAL_IP4_ADDRESS)
-		     | LELEM(INTERNAL_IP4_NETMASK);
-    }
-
-    if (!isanyaddr(&ia->dns[0]))	/* We got DNS addresses, send them */
-	ia->attr_set |= LELEM(INTERNAL_IP4_DNS);
-
-    if (!isanyaddr(&ia->wins[0]))	/* We got WINS addresses, send them */
-	ia->attr_set |= LELEM(INTERNAL_IP4_NBNS);
+	int i, dns_idx = 0, nbns_idx = 0;
+
+	if (isanyaddr(&c->spd.that.host_srcip))
+	{
+		/* not defined in connection - fetch it from LDAP */
+	}
+	else
+	{
+		char srcip[ADDRTOT_BUF];
+
+		ia->ipaddr = c->spd.that.host_srcip;
+
+		addrtot(&ia->ipaddr, 0, srcip, sizeof(srcip));
+		plog("assigning virtual IP source address %s", srcip);
+	}
+
+	if (!isanyaddr(&ia->ipaddr))        /* We got an IP address, send it */
+	{
+		c->spd.that.client.addr     = ia->ipaddr;
+		c->spd.that.client.maskbits = 32;
+		c->spd.that.has_client      = TRUE;
+		
+		ia->attr_set = LELEM(INTERNAL_IP4_ADDRESS)
+					 | LELEM(INTERNAL_IP4_NETMASK);
+	}
+
+	/* assign DNS servers */
+	for (i = 1; i <= DNS_SERVER_MAX; i++)
+	{
+		char dns_key[16], *dns_str;
+
+		snprintf(dns_key, sizeof(dns_key), "pluto.dns%d", i);
+		dns_str = lib->settings->get_str(lib->settings, dns_key, NULL);
+		if (dns_str)
+		{
+			err_t ugh;
+			sa_family_t family = strchr(dns_str, ':') ? AF_INET6 : AF_INET;
+
+			ugh = ttoaddr(dns_str, 0, family, &ia->dns[dns_idx]);
+			if (ugh != NULL)
+			{
+				plog("error in DNS server address: %s", ugh);
+				continue;
+			}
+			plog("assigning DNS server %s to peer", dns_str);
+
+			/* differentiate between IP4 and IP6 in modecfg_build_msg() */ 
+			ia->attr_set |= LELEM(INTERNAL_IP4_DNS);
+			dns_idx++;
+		}
+	}
+
+	/* assign WINS servers */
+	for (i = 1; i <= NBNS_SERVER_MAX; i++)
+	{
+		char nbns_key[16], *nbns_str;
+
+		snprintf(nbns_key, sizeof(nbns_key), "pluto.nbns%d", i);
+		nbns_str = lib->settings->get_str(lib->settings, nbns_key, NULL);
+		if (nbns_str)
+		{
+			err_t ugh;
+			sa_family_t family = strchr(nbns_str, ':') ? AF_INET6 : AF_INET;
+
+			ugh = ttoaddr(nbns_str, 0, family, &ia->nbns[nbns_idx]);
+			if (ugh != NULL)
+			{
+				plog("error in WINS server address: %s", ugh);
+				continue;
+			}
+			plog("assigning NBNS server %s to peer", nbns_str);
+
+			/* differentiate between IP4 and IP6 in modecfg_build_msg() */ 
+			ia->attr_set |= LELEM(INTERNAL_IP4_NBNS);
+			nbns_idx++;
+		}
+	}
 }
 
+
 /*
  * Set srcip and client subnet to internal IP address
  */
 static bool
 set_internal_addr(struct connection *c, internal_addr_t *ia)
 {
-    if (ia->attr_set & LELEM(INTERNAL_IP4_ADDRESS)
-    && !isanyaddr(&ia->ipaddr))
-    {
-	if (addrbytesptr(&c->spd.this.host_srcip, NULL) == 0
-	|| isanyaddr(&c->spd.this.host_srcip)
-	|| sameaddr(&c->spd.this.host_srcip, &ia->ipaddr))
+	if (ia->attr_set & LELEM(INTERNAL_IP4_ADDRESS)
+	&& !isanyaddr(&ia->ipaddr))
 	{
-	    char srcip[ADDRTOT_BUF];
+		if (addrbytesptr(&c->spd.this.host_srcip, NULL) == 0
+		|| isanyaddr(&c->spd.this.host_srcip)
+		|| sameaddr(&c->spd.this.host_srcip, &ia->ipaddr))
+		{
+			char srcip[ADDRTOT_BUF];
 
-	    addrtot(&ia->ipaddr, 0, srcip, sizeof(srcip));
-	    plog("setting virtual IP source address to %s", srcip);
-	}
-	else
-	{
-	    char old_srcip[ADDRTOT_BUF];
-	    char new_srcip[ADDRTOT_BUF];
+			addrtot(&ia->ipaddr, 0, srcip, sizeof(srcip));
+			plog("setting virtual IP source address to %s", srcip);
+		}
+		else
+		{
+			char old_srcip[ADDRTOT_BUF];
+			char new_srcip[ADDRTOT_BUF];
 
-	    addrtot(&c->spd.this.host_srcip, 0, old_srcip, sizeof(old_srcip));
-	    addrtot(&ia->ipaddr, 0, new_srcip, sizeof(new_srcip));
-	    plog("replacing virtual IP source address %s by %s"
-		, old_srcip, new_srcip);
+			addrtot(&c->spd.this.host_srcip, 0, old_srcip, sizeof(old_srcip));
+			addrtot(&ia->ipaddr, 0, new_srcip, sizeof(new_srcip));
+			plog("replacing virtual IP source address %s by %s"
+				, old_srcip, new_srcip);
+		}
+		
+		/* setting srcip */
+		c->spd.this.host_srcip = ia->ipaddr;
+
+		/* setting client subnet to srcip/32 */
+		addrtosubnet(&ia->ipaddr, &c->spd.this.client);
+		setportof(0, &c->spd.this.client.addr);
+		c->spd.this.has_client = TRUE;
+		return TRUE;
 	}
-	
-	/* setting srcip */
-	c->spd.this.host_srcip = ia->ipaddr;
-
-	/* setting client subnet to srcip/32 */
-	addrtosubnet(&ia->ipaddr, &c->spd.this.client);
-	setportof(0, &c->spd.this.client.addr);
-	c->spd.this.has_client = TRUE;
-	return TRUE;
-    }
-    return FALSE;
+	return FALSE;
 }
 
 /*
  * Compute HASH of Mode Config.
  */
-static size_t
-modecfg_hash(u_char *dest, const u_char *start, const u_char *roof
-	    , const struct state *st)
+static size_t modecfg_hash(u_char *dest, u_char *start, u_char *roof,
+						   const struct state *st)
 {
-    struct hmac_ctx ctx;
-
-    hmac_init_chunk(&ctx, st->st_oakley.hasher, st->st_skeyid_a);
-    hmac_update(&ctx, (const u_char *) &st->st_msgid, sizeof(st->st_msgid));
-    hmac_update(&ctx, start, roof-start);
-    hmac_final(dest, &ctx);
-
-    DBG(DBG_CRYPT,
-	DBG_log("ModeCfg HASH computed:");
- 	DBG_dump("", dest, ctx.hmac_digest_size)
-    ) 
-    return ctx.hmac_digest_size;
+	chunk_t msgid_chunk = chunk_from_thing(st->st_msgid);
+	chunk_t msg_chunk = { start, roof - start };
+	size_t prf_block_size;
+	pseudo_random_function_t prf_alg;
+	prf_t *prf;
+
+	prf_alg = oakley_to_prf(st->st_oakley.hash);
+	prf = lib->crypto->create_prf(lib->crypto, prf_alg);
+	prf->set_key(prf, st->st_skeyid_a);
+	prf->get_bytes(prf, msgid_chunk, NULL);
+	prf->get_bytes(prf, msg_chunk, dest);
+	prf_block_size = prf->get_block_size(prf);
+	prf->destroy(prf);
+
+	DBG(DBG_CRYPT,
+		DBG_log("ModeCfg HASH computed:");
+		DBG_dump("", dest, prf_block_size)
+	) 
+	return prf_block_size;
 }
 
 
@@ -205,202 +273,222 @@ modecfg_hash(u_char *dest, const u_char *start, const u_char *roof
  */
 static stf_status
 modecfg_build_msg(struct state *st, pb_stream *rbody
-				  , u_int16_t msg_type
-				  , internal_addr_t *ia
-				  , u_int16_t ap_id)
+								  , u_int16_t msg_type
+								  , internal_addr_t *ia
+								  , u_int16_t ap_id)
 {
-    u_char *r_hash_start, *r_hashval;
+	u_char *r_hash_start, *r_hashval;
 
-    START_HASH_PAYLOAD(*rbody, ISAKMP_NEXT_ATTR);
+	START_HASH_PAYLOAD(*rbody, ISAKMP_NEXT_ATTR);
 
-    /* ATTR out */
-    {
-	struct isakmp_mode_attr attrh;
-	struct isakmp_attribute attr;
-	pb_stream strattr,attrval;
-	int attr_type;
-	int dns_idx, wins_idx;
-	bool dont_advance;
-	bool is_xauth_attr_set = ia->xauth_attr_set != LEMPTY;
-	bool is_unity_attr_set = ia->unity_attr_set != LEMPTY;
-	lset_t attr_set = ia->attr_set;
-
-	attrh.isama_np         = ISAKMP_NEXT_NONE;
-	attrh.isama_type       = msg_type;
-	attrh.isama_identifier = ap_id;
-
-	if (!out_struct(&attrh, &isakmp_attr_desc, rbody, &strattr))
-	    return STF_INTERNAL_ERROR;
-
-	attr_type = 0;
-	dns_idx = 0;
-	wins_idx = 0;
-
-	while (attr_set != LEMPTY || is_xauth_attr_set || is_unity_attr_set)
+	/* ATTR out */
 	{
-	    if (attr_set == LEMPTY)
-	    {
-		if (is_xauth_attr_set)
-	  	{
-		    attr_set = ia->xauth_attr_set;
-		    attr_type = XAUTH_BASE;
-		    is_xauth_attr_set = FALSE;
-		}
-		else
+		struct isakmp_mode_attr attrh;
+		struct isakmp_attribute attr;
+		pb_stream strattr,attrval;
+		int attr_type, dns_attr_type, nbns_attr_type;
+		int dns_idx, nbns_idx;
+		bool dont_advance;
+		bool is_xauth_attr_set = ia->xauth_attr_set != LEMPTY;
+		bool is_unity_attr_set = ia->unity_attr_set != LEMPTY;
+		lset_t attr_set = ia->attr_set;
+
+		attrh.isama_np         = ISAKMP_NEXT_NONE;
+		attrh.isama_type       = msg_type;
+		attrh.isama_identifier = ap_id;
+
+		if (!out_struct(&attrh, &isakmp_attr_desc, rbody, &strattr))
 		{
-		    attr_set = ia->unity_attr_set;
-		    attr_type = UNITY_BASE;
-		    is_unity_attr_set = FALSE;
+			return STF_INTERNAL_ERROR;
 		}
-	    }
-	
-	    dont_advance = FALSE;
+		attr_type = 0;
+		dns_idx = 0;
+		nbns_idx = 0;
 
-	    if (attr_set & 1)
-	    {
-		const u_char *byte_ptr;
-		u_int len;
-
-		/* ISAKMP attr out */
-		if (attr_type == XAUTH_TYPE)
-		{
-		    attr.isaat_af_type = attr_type | ISAKMP_ATTR_AF_TV;
-		    attr.isaat_lv = ia->xauth_type;
-		}
-		else if (attr_type == XAUTH_STATUS)
+		while (attr_set != LEMPTY || is_xauth_attr_set || is_unity_attr_set)
 		{
-		    attr.isaat_af_type = attr_type | ISAKMP_ATTR_AF_TV;
-		    attr.isaat_lv = ia->xauth_status;
-		}
-		else
-		{
-		    attr.isaat_af_type = attr_type | ISAKMP_ATTR_AF_TLV;
-		}
-		out_struct(&attr, &isakmp_modecfg_attribute_desc, &strattr, &attrval);
-
-		switch (attr_type)
-		{
-		case INTERNAL_IP4_ADDRESS:
-		    if (!isanyaddr(&ia->ipaddr))
-		    {
-			len = addrbytesptr(&ia->ipaddr, &byte_ptr);
- 			out_raw(byte_ptr, len, &attrval, "IP4_addr");
-		    }
- 		    break;
-		case INTERNAL_IP4_NETMASK:
-		    {
- 			u_int  mask;
-#if 0
-			char mask[4],bits[8]={0x00,0x80,0xc0,0xe0,0xf0,0xf8,0xfc,0xfe};
-			int t,m=st->st_connection->that.host_addr.maskbit;
-			for (t=0; t<4; t++)
+			if (attr_set == LEMPTY)
 			{
-			    if (m < 8)
-				mask[t] = bits[m];
-			    else
-				mask[t] = 0xff;
-			    m -= 8;
+				if (is_xauth_attr_set)
+				{
+					attr_set = ia->xauth_attr_set;
+					attr_type = XAUTH_BASE;
+					is_xauth_attr_set = FALSE;
+				}
+				else
+				{
+					attr_set = ia->unity_attr_set;
+					attr_type = UNITY_BASE;
+					is_unity_attr_set = FALSE;
+				}
 			}
-#endif				    
-			if (st->st_connection->spd.this.client.maskbits == 0)
- 			    mask = 0;
- 			else
- 			    mask = 0xffffffff * 1;
-			    out_raw(&mask, 4, &attrval, "IP4_mask");
-		    }
-		    break;
-		case INTERNAL_IP4_SUBNET:
-		    {
-			char mask[4];
-			char bits[8] = {0x00,0x80,0xc0,0xe0,0xf0,0xf8,0xfc,0xfe};
-			int t;
-			int m = st->st_connection->spd.this.client.maskbits;
+		
+			dont_advance = FALSE;
 
-			for (t = 0; t < 4; t++)
+			if (attr_set & 1)
 			{
-			    if (m < 8)
-				mask[t] = bits[m];
-			    else
-				mask[t] = 0xff;
-			    m -= 8;
-			    if (m < 0)
-			        m = 0;
+				const u_char *byte_ptr;
+				u_int len;
+
+				/* ISAKMP attr out */
+				if (attr_type == XAUTH_TYPE)
+				{
+					attr.isaat_af_type = attr_type | ISAKMP_ATTR_AF_TV;
+					attr.isaat_lv = ia->xauth_type;
+				}
+				else if (attr_type == XAUTH_STATUS)
+				{
+					attr.isaat_af_type = attr_type | ISAKMP_ATTR_AF_TV;
+					attr.isaat_lv = ia->xauth_status;
+				}
+				else if (attr_type == INTERNAL_IP4_DNS && !isanyaddr(&ia->dns[dns_idx]))
+				{
+					dns_attr_type = (addrtypeof(&ia->dns[dns_idx]) == AF_INET) ?
+										INTERNAL_IP4_DNS : INTERNAL_IP6_DNS;
+					attr.isaat_af_type = dns_attr_type | ISAKMP_ATTR_AF_TLV;
+
+				}
+				else if (attr_type == INTERNAL_IP4_NBNS && !isanyaddr(&ia->nbns[nbns_idx]))
+				{
+					nbns_attr_type = (addrtypeof(&ia->nbns[nbns_idx]) == AF_INET) ?
+										INTERNAL_IP4_NBNS : INTERNAL_IP6_NBNS;
+					attr.isaat_af_type = nbns_attr_type | ISAKMP_ATTR_AF_TLV;
+
+				}
+				else
+				{
+					attr.isaat_af_type = attr_type | ISAKMP_ATTR_AF_TLV;
+				}
+				out_struct(&attr, &isakmp_modecfg_attribute_desc, &strattr, &attrval);
+
+				switch (attr_type)
+				{
+				case INTERNAL_IP4_ADDRESS:
+					if (!isanyaddr(&ia->ipaddr))
+					{
+						len = addrbytesptr(&ia->ipaddr, &byte_ptr);
+						out_raw(byte_ptr, len, &attrval, "IP4_addr");
+					}
+					break;
+				case INTERNAL_IP4_NETMASK:
+					{
+						u_int  mask;
+#if 0
+						char mask[4],bits[8]={0x00,0x80,0xc0,0xe0,0xf0,0xf8,0xfc,0xfe};
+						int t,m=st->st_connection->that.host_addr.maskbit;
+						for (t=0; t<4; t++)
+						{
+							if (m < 8)
+								mask[t] = bits[m];
+							else
+								mask[t] = 0xff;
+							m -= 8;
+						}
+#endif                              
+						if (st->st_connection->spd.this.client.maskbits == 0)
+						{
+							mask = 0;
+						}
+						else
+						{
+							mask = 0xffffffff * 1;
+							out_raw(&mask, 4, &attrval, "IP4_mask");
+						}
+					}
+					break;
+				case INTERNAL_IP4_SUBNET:
+					{
+						char mask[4];
+						char bits[8] = {0x00,0x80,0xc0,0xe0,0xf0,0xf8,0xfc,0xfe};
+						int t;
+						int m = st->st_connection->spd.this.client.maskbits;
+
+						for (t = 0; t < 4; t++)
+						{
+							mask[t] = (m < 8) ? bits[m] : 0xff;
+							m -= 8;
+							if (m < 0)
+							{
+								m = 0;
+							}
+						}
+						len = addrbytesptr(&st->st_connection->spd.this.client.addr, &byte_ptr);
+						out_raw(byte_ptr, len, &attrval, "IP4_subnet");
+						out_raw(mask, sizeof(mask), &attrval, "IP4_submsk");
+					}
+					break;
+				case INTERNAL_IP4_DNS:
+				case INTERNAL_IP6_DNS:
+					if (!isanyaddr(&ia->dns[dns_idx]))
+					{
+						len = addrbytesptr(&ia->dns[dns_idx++], &byte_ptr);
+						out_raw(byte_ptr, len, &attrval, "IP_dns");
+					}
+					if (dns_idx < DNS_SERVER_MAX && !isanyaddr(&ia->dns[dns_idx]))
+					{
+						dont_advance = TRUE;
+					}
+					break;
+				case INTERNAL_IP4_NBNS:
+				case INTERNAL_IP6_NBNS:
+					if (!isanyaddr(&ia->nbns[nbns_idx]))
+					{
+						len = addrbytesptr(&ia->nbns[nbns_idx++], &byte_ptr);
+						out_raw(byte_ptr, len, &attrval, "IP_nbns");
+					}
+					if (nbns_idx < NBNS_SERVER_MAX && !isanyaddr(&ia->nbns[nbns_idx]))
+					{
+						dont_advance = TRUE;
+					}
+					break;
+				case XAUTH_TYPE:
+					break;
+				case XAUTH_USER_NAME:
+					if (ia->xauth_secret.user_name.ptr != NULL)
+					{
+						out_raw(ia->xauth_secret.user_name.ptr
+							  , ia->xauth_secret.user_name.len
+							  , &attrval, "xauth_user_name");
+					}
+					break;
+				case XAUTH_USER_PASSWORD:
+					if (ia->xauth_secret.user_password.ptr != NULL)
+					{
+						out_raw(ia->xauth_secret.user_password.ptr
+							  , ia->xauth_secret.user_password.len
+							  , &attrval, "xauth_user_password");
+					}
+					break;
+				case XAUTH_STATUS:
+					break;
+				case UNITY_BANNER:
+					if (ia->unity_banner != NULL)
+					{
+						out_raw(ia->unity_banner
+							  , strlen(ia->unity_banner)
+							  , &attrval, "UNITY_BANNER");
+					}
+					break;
+				default:
+					plog("attempt to send unsupported mode cfg attribute %s."
+						 , enum_show(&modecfg_attr_names, attr_type));
+					break;
+				}
+				close_output_pbs(&attrval);
+			}
+			if (!dont_advance)
+			{
+				attr_type++;
+				attr_set >>= 1;
 			}
-			len = addrbytesptr(&st->st_connection->spd.this.client.addr, &byte_ptr);
-			out_raw(byte_ptr, len, &attrval, "IP4_subnet");
-			out_raw(mask, sizeof(mask), &attrval, "IP4_submsk");
-		    }
-		    break;
-		case INTERNAL_IP4_DNS:
-		    if (!isanyaddr(&ia->dns[dns_idx]))
-		    {
- 		    	len = addrbytesptr(&ia->dns[dns_idx++], &byte_ptr);
- 		        out_raw(byte_ptr, len, &attrval, "IP4_dns");
-		    }
-		    if (dns_idx < 2 && !isanyaddr(&ia->dns[dns_idx]))
-		    {
-			dont_advance = TRUE;
-		    }
- 		    break;
-		case INTERNAL_IP4_NBNS:
-		    if (!isanyaddr(&ia->wins[wins_idx]))
-		    {
-			len = addrbytesptr(&ia->wins[wins_idx++], &byte_ptr);
-			out_raw(byte_ptr, len, &attrval, "IP4_wins");
-		    }
-		    if (wins_idx < 2 && !isanyaddr(&ia->wins[wins_idx]))
-		    {
-			dont_advance = TRUE;
-		    }
-		    break;
-		case XAUTH_TYPE:
-		    break;
-		case XAUTH_USER_NAME:
-		    if (ia->xauth_secret.user_name.ptr != NULL)
-		    {
-			out_raw(ia->xauth_secret.user_name.ptr
-			      , ia->xauth_secret.user_name.len
-			      , &attrval, "xauth_user_name");
-		    }
-		    break;
-		case XAUTH_USER_PASSWORD:
-		    if (ia->xauth_secret.user_password.ptr != NULL)
-		    {
-			out_raw(ia->xauth_secret.user_password.ptr
-			      , ia->xauth_secret.user_password.len
-			      , &attrval, "xauth_user_password");
-		    }
-		    break;
-		case XAUTH_STATUS:
-		    break;
-		case UNITY_BANNER:
-		    if (ia->unity_banner != NULL)
-		    {
-			out_raw(ia->unity_banner
-			      , strlen(ia->unity_banner)
-			      , &attrval, "UNITY_BANNER");
-		    }
-		    break;
-		default:
-		    plog("attempt to send unsupported mode cfg attribute %s."
-			 , enum_show(&modecfg_attr_names, attr_type));
-		    break;
 		}
-		close_output_pbs(&attrval);
-	    }
-	    if (!dont_advance)
-	    {
-		attr_type++;
-		attr_set >>= 1;
-	    }
+		close_message(&strattr);
 	}
-	close_message(&strattr);
-    }
 
-    modecfg_hash(r_hashval, r_hash_start, rbody->cur, st);
-    close_message(rbody);
-    encrypt_message(rbody, st);
-    return STF_OK;
+	modecfg_hash(r_hashval, r_hash_start, rbody->cur, st);
+	close_message(rbody);
+	encrypt_message(rbody, st);
+	return STF_OK;
 }
 
 /*
@@ -409,55 +497,56 @@ modecfg_build_msg(struct state *st, pb_stream *rbody
 static stf_status
 modecfg_send_msg(struct state *st, int isama_type, internal_addr_t *ia)
 {
-    pb_stream msg;
-    pb_stream rbody;
-    char buf[BUF_LEN];
-
-    /* set up attr */
-    init_pbs(&msg, buf, sizeof(buf), "ModeCfg msg buffer");
-
-    /* this is the beginning of a new exchange */
-    st->st_msgid = generate_msgid(st);
-    init_phase2_iv(st, &st->st_msgid);
-
-    /* HDR out */
-    {
-	struct isakmp_hdr hdr;
-
-	zero(&hdr);	/* default to 0 */
-	hdr.isa_version = ISAKMP_MAJOR_VERSION << ISA_MAJ_SHIFT | ISAKMP_MINOR_VERSION;
-	hdr.isa_np = ISAKMP_NEXT_HASH;
-	hdr.isa_xchg = ISAKMP_XCHG_MODE_CFG;
-	hdr.isa_flags = ISAKMP_FLAG_ENCRYPTION;
-	memcpy(hdr.isa_icookie, st->st_icookie, COOKIE_SIZE);
-	memcpy(hdr.isa_rcookie, st->st_rcookie, COOKIE_SIZE);
-	hdr.isa_msgid = st->st_msgid;
-
-	if (!out_struct(&hdr, &isakmp_hdr_desc, &msg, &rbody))
+	pb_stream msg;
+	pb_stream rbody;
+	char buf[BUF_LEN];
+
+	/* set up attr */
+	init_pbs(&msg, buf, sizeof(buf), "ModeCfg msg buffer");
+
+	/* this is the beginning of a new exchange */
+	st->st_msgid = generate_msgid(st);
+	init_phase2_iv(st, &st->st_msgid);
+
+	/* HDR out */
 	{
-	    return STF_INTERNAL_ERROR;
+		struct isakmp_hdr hdr;
+
+		zero(&hdr);     /* default to 0 */
+		hdr.isa_version = ISAKMP_MAJOR_VERSION << ISA_MAJ_SHIFT | ISAKMP_MINOR_VERSION;
+		hdr.isa_np = ISAKMP_NEXT_HASH;
+		hdr.isa_xchg = ISAKMP_XCHG_MODE_CFG;
+		hdr.isa_flags = ISAKMP_FLAG_ENCRYPTION;
+		memcpy(hdr.isa_icookie, st->st_icookie, COOKIE_SIZE);
+		memcpy(hdr.isa_rcookie, st->st_rcookie, COOKIE_SIZE);
+		hdr.isa_msgid = st->st_msgid;
+
+		if (!out_struct(&hdr, &isakmp_hdr_desc, &msg, &rbody))
+		{
+			return STF_INTERNAL_ERROR;
+		}
 	}
-    }
-
-    /* ATTR out */
-    modecfg_build_msg(st, &rbody
-			, isama_type
-			, ia
-			, 0 /* XXX isama_id */
-		     );
-
-    freeanychunk(st->st_tpacket);
-    clonetochunk(st->st_tpacket, msg.start, pbs_offset(&msg), "ModeCfg msg");
-
-    /* Transmit */
-    send_packet(st, "ModeCfg msg");
-
-    if (st->st_event->ev_type != EVENT_RETRANSMIT)
-    {
-	delete_event(st);
-	event_schedule(EVENT_RETRANSMIT, EVENT_RETRANSMIT_DELAY_0, st);
-    }
-    return STF_OK;
+
+	/* ATTR out */
+	modecfg_build_msg(st, &rbody
+						, isama_type
+						, ia
+						, 0 /* XXX isama_id */
+					 );
+
+	free(st->st_tpacket.ptr);
+	st->st_tpacket = chunk_create(msg.start, pbs_offset(&msg));
+	st->st_tpacket = chunk_clone(st->st_tpacket);
+
+	/* Transmit */
+	send_packet(st, "ModeCfg msg");
+
+	if (st->st_event->ev_type != EVENT_RETRANSMIT)
+	{
+		delete_event(st);
+		event_schedule(EVENT_RETRANSMIT, EVENT_RETRANSMIT_DELAY_0, st);
+	}
+	return STF_OK;
 }
 
 /*
@@ -466,111 +555,184 @@ modecfg_send_msg(struct state *st, int isama_type, internal_addr_t *ia)
 static stf_status
 modecfg_parse_attributes(pb_stream *attrs, internal_addr_t *ia)
 {
-    struct isakmp_attribute attr;
-    pb_stream strattr;
-
-    while (pbs_left(attrs) >= sizeof(struct isakmp_attribute))
-    {
-	u_int16_t attr_type;
-	u_int16_t attr_len;
+	struct isakmp_attribute attr;
+	pb_stream strattr;
+	err_t ugh;
+	char buf[BUF_LEN];
+	int dns_idx = 0;
+	int nbns_idx = 0;
 
-	if (!in_struct(&attr, &isakmp_modecfg_attribute_desc, attrs, &strattr))
+	while (pbs_left(attrs) >= sizeof(struct isakmp_attribute))
 	{
-	    return STF_FAIL;
-	}
-	attr_type = attr.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK;
-	attr_len  = attr.isaat_lv;
+		u_int16_t attr_type;
+		u_int16_t attr_len;
 
-	switch (attr_type)
-	{
-	case INTERNAL_IP4_ADDRESS:
-	    if (attr_len == 4)
-	    {
-		initaddr((char *)(strattr.cur), 4, AF_INET, &ia->ipaddr);
-	    }
-	    /* fall through to set attribute flag */
-	case INTERNAL_IP4_NETMASK:
-	case INTERNAL_IP4_DNS:
-	case INTERNAL_IP4_SUBNET:
-	case INTERNAL_IP4_NBNS:
-	case INTERNAL_ADDRESS_EXPIRY:
-	case INTERNAL_IP4_DHCP:
-	case INTERNAL_IP6_ADDRESS:
-	case INTERNAL_IP6_NETMASK:
-	case INTERNAL_IP6_DNS:
-	case INTERNAL_IP6_NBNS:
-	case INTERNAL_IP6_DHCP:
-	case SUPPORTED_ATTRIBUTES:
-	case INTERNAL_IP6_SUBNET:
-	    ia->attr_set |= LELEM(attr_type);
-	    break;
-	case APPLICATION_VERSION:
-	    if (attr_len > 0)
-	    {
-		DBG(DBG_PARSING,
-		    DBG_log("   '%.*s'", attr_len, strattr.cur)
-		)
-	    }
-	    ia->attr_set |= LELEM(attr_type);
-	    break;
-	case XAUTH_TYPE:
-	    ia->xauth_type = attr.isaat_lv;
-	    ia->xauth_attr_set |= LELEM(attr_type - XAUTH_BASE);
-	    break;
-	case XAUTH_USER_NAME:
-	    setchunk(ia->xauth_secret.user_name, strattr.cur, attr_len);
-	    ia->xauth_attr_set |= LELEM(attr_type - XAUTH_BASE);
-	    break;
-	case XAUTH_USER_PASSWORD:
-	    setchunk(ia->xauth_secret.user_password, strattr.cur, attr_len);
-	    ia->xauth_attr_set |= LELEM(attr_type - XAUTH_BASE);
-	    break;
-	case XAUTH_STATUS:
-	    ia->xauth_status = attr.isaat_lv;
-	    ia->xauth_attr_set |= LELEM(attr_type - XAUTH_BASE);
-	    break;
-	case XAUTH_MESSAGE:
-	    if (attr_len > 0)
-	    {
-		DBG(DBG_PARSING,
-		    DBG_log("   '%.*s'", attr_len, strattr.cur)
-		)
-	    }
-	    /* fall through to set attribute flag */
-	case XAUTH_PASSCODE:
-	case XAUTH_CHALLENGE:
-	case XAUTH_DOMAIN:
-	case XAUTH_NEXT_PIN:
-	case XAUTH_ANSWER:
-	    ia->xauth_attr_set |= LELEM(attr_type - XAUTH_BASE);
-	    break;
-	case UNITY_DDNS_HOSTNAME:
-	    if (attr_len > 0)
-	    {
-		DBG(DBG_PARSING,
-		    DBG_log("   '%.*s'", attr_len, strattr.cur)
-		)
-	    }
-	    /* fall through to set attribute flag */
-	case UNITY_BANNER:
-	case UNITY_SAVE_PASSWD:
-	case UNITY_DEF_DOMAIN:
-	case UNITY_SPLITDNS_NAME:
-	case UNITY_SPLIT_INCLUDE:
-	case UNITY_NATT_PORT:
-	case UNITY_LOCAL_LAN:
-	case UNITY_PFS:
-	case UNITY_FW_TYPE:
-	case UNITY_BACKUP_SERVERS:
-	    ia->unity_attr_set |= LELEM(attr_type - UNITY_BASE);
-	    break;
-	default:
-	    plog("unsupported ModeCfg attribute %s received."
-		, enum_show(&modecfg_attr_names, attr_type));
-	    break;
+		if (!in_struct(&attr, &isakmp_modecfg_attribute_desc, attrs, &strattr))
+		{
+			return STF_FAIL;
+		}
+		attr_type = attr.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK;
+		attr_len  = attr.isaat_lv;
+
+		switch (attr_type)
+		{
+		case INTERNAL_IP4_ADDRESS:
+			if (attr_len == 4)
+			{
+				ugh = initaddr((char *)(strattr.cur), 4, AF_INET, &ia->ipaddr);
+				if (ugh != NULL)
+				{
+					plog("received invalid virtual IPv4 address: %s", ugh);
+				}
+			}
+			ia->attr_set |= LELEM(attr_type);
+			break;
+		case INTERNAL_IP4_DNS:
+			if (attr_len == 4 && dns_idx < DNS_SERVER_MAX)
+			{
+				ugh = initaddr((char *)(strattr.cur), 4, AF_INET, &ia->dns[dns_idx]);
+				if (ugh != NULL)
+				{
+					plog("received invalid IPv4 DNS server address: %s", ugh);
+				}
+				else
+				{
+					addrtot(&ia->dns[dns_idx], 0, buf, BUF_LEN);
+					plog("received IPv4 DNS server address %s", buf);
+					dns_idx++;
+				}
+			}
+			ia->attr_set |= LELEM(attr_type);
+			break;
+		case INTERNAL_IP4_NBNS:
+			if (attr_len == 4 && nbns_idx < NBNS_SERVER_MAX)
+			{
+				ugh = initaddr((char *)(strattr.cur), 4, AF_INET, &ia->nbns[nbns_idx]);
+				if (ugh != NULL)
+				{
+					plog("received invalid IPv4 WINS server address: %s", ugh);
+				}
+				else
+				{
+					addrtot(&ia->nbns[nbns_idx], 0, buf, BUF_LEN);
+					plog("received IPv4 WINS server address %s", buf);
+					nbns_idx++;
+				}
+			}
+			ia->attr_set |= LELEM(attr_type);
+			break;
+		case INTERNAL_IP6_DNS:
+			if (attr_len == 16 && dns_idx < DNS_SERVER_MAX)
+			{
+				ugh = initaddr((char *)(strattr.cur), 16, AF_INET6, &ia->dns[dns_idx]);
+				if (ugh != NULL)
+				{
+					plog("received invalid IPv6 DNS server address: %s", ugh);
+				}
+				else
+				{
+					addrtot(&ia->dns[dns_idx], 0, buf, BUF_LEN);
+					plog("received IPv6 DNS server address %s", buf);
+					dns_idx++;
+				}
+			}
+			ia->attr_set |= LELEM(attr_type);
+			break;
+		case INTERNAL_IP6_NBNS:
+			if (attr_len == 16 && nbns_idx < NBNS_SERVER_MAX)
+			{
+				ugh = initaddr((char *)(strattr.cur), 16, AF_INET6, &ia->nbns[nbns_idx]);
+				if (ugh != NULL)
+				{
+					plog("received invalid IPv6 WINS server address: %s", ugh);
+				}
+				else
+				{
+					addrtot(&ia->nbns[nbns_idx], 0, buf, BUF_LEN);
+					plog("received IPv6 WINS server address %s", buf);
+					nbns_idx++;
+				}
+			}
+			ia->attr_set |= LELEM(attr_type);
+			break;
+		case INTERNAL_IP4_NETMASK:
+		case INTERNAL_IP4_SUBNET:
+		case INTERNAL_ADDRESS_EXPIRY:
+		case INTERNAL_IP4_DHCP:
+		case INTERNAL_IP6_ADDRESS:
+		case INTERNAL_IP6_NETMASK:
+		case INTERNAL_IP6_DHCP:
+		case SUPPORTED_ATTRIBUTES:
+		case INTERNAL_IP6_SUBNET:
+			ia->attr_set |= LELEM(attr_type);
+			break;
+		case APPLICATION_VERSION:
+			if (attr_len > 0)
+			{
+				DBG(DBG_PARSING,
+					DBG_log("   '%.*s'", attr_len, strattr.cur)
+				)
+			}
+			ia->attr_set |= LELEM(attr_type);
+			break;
+		case XAUTH_TYPE:
+			ia->xauth_type = attr.isaat_lv;
+			ia->xauth_attr_set |= LELEM(attr_type - XAUTH_BASE);
+			break;
+		case XAUTH_USER_NAME:
+			ia->xauth_secret.user_name = chunk_create(strattr.cur, attr_len);
+			ia->xauth_attr_set |= LELEM(attr_type - XAUTH_BASE);
+			break;
+		case XAUTH_USER_PASSWORD:
+			ia->xauth_secret.user_password = chunk_create(strattr.cur, attr_len);
+			ia->xauth_attr_set |= LELEM(attr_type - XAUTH_BASE);
+			break;
+		case XAUTH_STATUS:
+			ia->xauth_status = attr.isaat_lv;
+			ia->xauth_attr_set |= LELEM(attr_type - XAUTH_BASE);
+			break;
+		case XAUTH_MESSAGE:
+			if (attr_len > 0)
+			{
+				DBG(DBG_PARSING,
+					DBG_log("   '%.*s'", attr_len, strattr.cur)
+				)
+			}
+			/* fall through to set attribute flag */
+		case XAUTH_PASSCODE:
+		case XAUTH_CHALLENGE:
+		case XAUTH_DOMAIN:
+		case XAUTH_NEXT_PIN:
+		case XAUTH_ANSWER:
+			ia->xauth_attr_set |= LELEM(attr_type - XAUTH_BASE);
+			break;
+		case UNITY_DDNS_HOSTNAME:
+			if (attr_len > 0)
+			{
+				DBG(DBG_PARSING,
+					DBG_log("   '%.*s'", attr_len, strattr.cur)
+				)
+			}
+			/* fall through to set attribute flag */
+		case UNITY_BANNER:
+		case UNITY_SAVE_PASSWD:
+		case UNITY_DEF_DOMAIN:
+		case UNITY_SPLITDNS_NAME:
+		case UNITY_SPLIT_INCLUDE:
+		case UNITY_NATT_PORT:
+		case UNITY_LOCAL_LAN:
+		case UNITY_PFS:
+		case UNITY_FW_TYPE:
+		case UNITY_BACKUP_SERVERS:
+			ia->unity_attr_set |= LELEM(attr_type - UNITY_BASE);
+			break;
+		default:
+			plog("unsupported ModeCfg attribute %s received."
+				, enum_show(&modecfg_attr_names, attr_type));
+			break;
+		}
 	}
-    }
-    return STF_OK;
+	return STF_OK;
 }
 
 /* 
@@ -578,50 +740,52 @@ modecfg_parse_attributes(pb_stream *attrs, internal_addr_t *ia)
  */
 static stf_status
 modecfg_parse_msg(struct msg_digest *md, int isama_type, u_int16_t *isama_id
-		, internal_addr_t *ia)
+				, internal_addr_t *ia)
 {
-    struct state *const st = md->st;
-    struct payload_digest *p;
-    stf_status stat;
+	struct state *const st = md->st;
+	struct payload_digest *p;
+	stf_status stat;
 
-    st->st_msgid = md->hdr.isa_msgid;
+	st->st_msgid = md->hdr.isa_msgid;
 
-    CHECK_QUICK_HASH(md, modecfg_hash(hash_val
-				    , hash_pbs->roof
-				    , md->message_pbs.roof, st)
-		       , "MODECFG-HASH", "ISAKMP_CFG_MSG");
+	CHECK_QUICK_HASH(md, modecfg_hash(hash_val
+									, hash_pbs->roof
+									, md->message_pbs.roof, st)
+					   , "MODECFG-HASH", "ISAKMP_CFG_MSG");
 
-    /* process the ModeCfg payloads received */
-    for (p = md->chain[ISAKMP_NEXT_ATTR]; p != NULL; p = p->next)
-    {
-	internal_addr_t ia_candidate;
+	/* process the ModeCfg payloads received */
+	for (p = md->chain[ISAKMP_NEXT_ATTR]; p != NULL; p = p->next)
+	{
+		internal_addr_t ia_candidate;
 
-	init_internal_addr(&ia_candidate);
+		init_internal_addr(&ia_candidate);
 
-	if (p->payload.attribute.isama_type == isama_type)
-	{
-	    *isama_id = p->payload.attribute.isama_identifier;
+		if (p->payload.attribute.isama_type == isama_type)
+		{
+			*isama_id = p->payload.attribute.isama_identifier;
 
-	    stat = modecfg_parse_attributes(&p->pbs, &ia_candidate);
-	    if (stat == STF_OK)
-	    {
-		/* return with a valid set of attributes */
-		*ia = ia_candidate;
-		return STF_OK;
-	    }
-	}
-	else
-	{
-	    plog("expected %s, got %s instead (ignored)"
-		, enum_name(&attr_msg_type_names, isama_type)
-		, enum_name(&attr_msg_type_names, p->payload.attribute.isama_type));
+			stat = modecfg_parse_attributes(&p->pbs, &ia_candidate);
+			if (stat == STF_OK)
+			{
+				/* return with a valid set of attributes */
+				*ia = ia_candidate;
+				return STF_OK;
+			}
+		}
+		else
+		{
+			plog("expected %s, got %s instead (ignored)"
+				, enum_name(&attr_msg_type_names, isama_type)
+				, enum_name(&attr_msg_type_names, p->payload.attribute.isama_type));
 
-	    stat = modecfg_parse_attributes(&p->pbs, &ia_candidate);
+			stat = modecfg_parse_attributes(&p->pbs, &ia_candidate);
+		}
+		if (stat != STF_OK)
+		{
+			return stat;
+		}
 	}
-	if (stat != STF_OK)
-	    return stat;
-    }
-    return STF_IGNORE;
+	return STF_IGNORE;
 }
 
 /*
@@ -630,20 +794,22 @@ modecfg_parse_msg(struct msg_digest *md, int isama_type, u_int16_t *isama_id
 stf_status
 modecfg_send_request(struct state *st)
 {
-    stf_status stat;
-    internal_addr_t ia;
+	stf_status stat;
+	internal_addr_t ia;
 
-    init_internal_addr(&ia);
+	init_internal_addr(&ia);
 
-    ia.attr_set = LELEM(INTERNAL_IP4_ADDRESS)
-	        | LELEM(INTERNAL_IP4_NETMASK);
+	ia.attr_set = LELEM(INTERNAL_IP4_ADDRESS)
+				| LELEM(INTERNAL_IP4_NETMASK);
 
-    plog("sending ModeCfg request");
-    st->st_state = STATE_MODE_CFG_I1;
-    stat = modecfg_send_msg(st, ISAKMP_CFG_REQUEST, &ia);
-    if (stat == STF_OK)
-	st->st_modecfg.started = TRUE;
-    return stat;
+	plog("sending ModeCfg request");
+	st->st_state = STATE_MODE_CFG_I1;
+	stat = modecfg_send_msg(st, ISAKMP_CFG_REQUEST, &ia);
+	if (stat == STF_OK)
+	{
+		st->st_modecfg.started = TRUE;
+	}
+	return stat;
 }
 
 /* STATE_MODE_CFG_R0:
@@ -654,38 +820,40 @@ modecfg_send_request(struct state *st)
 stf_status
 modecfg_inR0(struct msg_digest *md)
 {
-    struct state *const st = md->st;
-    u_int16_t isama_id;
-    internal_addr_t ia;
-    bool want_unity_banner;
-    stf_status stat, stat_build;
-
-    stat = modecfg_parse_msg(md, ISAKMP_CFG_REQUEST, &isama_id, &ia);
-    if (stat != STF_OK)
-	return stat;
-
-    want_unity_banner = (ia.unity_attr_set & LELEM(UNITY_BANNER - UNITY_BASE)) != LEMPTY;
+	struct state *const st = md->st;
+	u_int16_t isama_id;
+	internal_addr_t ia;
+	bool want_unity_banner;
+	stf_status stat, stat_build;
 
-    init_internal_addr(&ia);
-    get_internal_addr(st->st_connection, &ia);
+	stat = modecfg_parse_msg(md, ISAKMP_CFG_REQUEST, &isama_id, &ia);
+	if (stat != STF_OK)
+	{
+		return stat;
+	}
 
-    if (want_unity_banner)
-    {
-	ia.unity_banner = UNITY_BANNER_STR;
-	ia.unity_attr_set |= LELEM(UNITY_BANNER - UNITY_BASE);
-    }
+	want_unity_banner = (ia.unity_attr_set & LELEM(UNITY_BANNER - UNITY_BASE)) != LEMPTY;
+	init_internal_addr(&ia);
+	get_internal_addr(st->st_connection, &ia);
 
-    plog("sending ModeCfg reply");
+	if (want_unity_banner)
+	{
+		ia.unity_banner = UNITY_BANNER_STR;
+		ia.unity_attr_set |= LELEM(UNITY_BANNER - UNITY_BASE);
+	}
 
-    stat_build = modecfg_build_msg(st, &md->rbody
-				     , ISAKMP_CFG_REPLY
-				     , &ia
-				     , isama_id);
-    if (stat_build != STF_OK)
-	return stat_build;
+	plog("sending ModeCfg reply");
 
-    st->st_msgid = 0;
-    return STF_OK;
+	stat_build = modecfg_build_msg(st, &md->rbody
+									 , ISAKMP_CFG_REPLY
+									 , &ia
+									 , isama_id);
+	if (stat_build != STF_OK)
+	{
+		return stat_build;
+	}
+	st->st_msgid = 0;
+	return STF_OK;
 }
 
 /* STATE_MODE_CFG_I1:
@@ -696,20 +864,21 @@ modecfg_inR0(struct msg_digest *md)
 stf_status
 modecfg_inI1(struct msg_digest *md)
 {
-    struct state *const st = md->st;
-    u_int16_t isama_id;
-    internal_addr_t ia;
-    stf_status stat;
-
-    plog("parsing ModeCfg reply");
+	struct state *const st = md->st;
+	u_int16_t isama_id;
+	internal_addr_t ia;
+	stf_status stat;
 
-    stat = modecfg_parse_msg(md, ISAKMP_CFG_REPLY, &isama_id, &ia);
-    if (stat != STF_OK)
-	return stat;
+	plog("parsing ModeCfg reply");
 
-    st->st_modecfg.vars_set = set_internal_addr(st->st_connection, &ia);
-    st->st_msgid = 0;
-    return STF_OK;
+	stat = modecfg_parse_msg(md, ISAKMP_CFG_REPLY, &isama_id, &ia);
+	if (stat != STF_OK)
+	{
+		return stat;
+	}
+	st->st_modecfg.vars_set = set_internal_addr(st->st_connection, &ia);
+	st->st_msgid = 0;
+	return STF_OK;
 }
 
 
@@ -719,23 +888,25 @@ modecfg_inI1(struct msg_digest *md)
 stf_status
 modecfg_send_set(struct state *st)
 {
-    stf_status stat;
-    internal_addr_t ia;
+	stf_status stat;
+	internal_addr_t ia;
 
-    init_internal_addr(&ia);
-    get_internal_addr(st->st_connection, &ia);
+	init_internal_addr(&ia);
+	get_internal_addr(st->st_connection, &ia);
 
 #ifdef CISCO_QUIRKS
-    ia.unity_banner = UNITY_BANNER_STR;
-    ia.unity_attr_set |= LELEM(UNITY_BANNER - UNITY_BASE);
+	ia.unity_banner = UNITY_BANNER_STR;
+	ia.unity_attr_set |= LELEM(UNITY_BANNER - UNITY_BASE);
 #endif
 
    plog("sending ModeCfg set");
-    st->st_state = STATE_MODE_CFG_R3;
-    stat = modecfg_send_msg(st, ISAKMP_CFG_SET, &ia);
-    if (stat == STF_OK)
-	st->st_modecfg.started = TRUE;
-    return stat;
+	st->st_state = STATE_MODE_CFG_R3;
+	stat = modecfg_send_msg(st, ISAKMP_CFG_SET, &ia);
+	if (stat == STF_OK)
+	{
+		st->st_modecfg.started = TRUE;
+	}
+	return stat;
 }
 
 /* STATE_MODE_CFG_I0:
@@ -746,38 +917,40 @@ modecfg_send_set(struct state *st)
 stf_status
 modecfg_inI0(struct msg_digest *md)
 {
-    struct state *const st = md->st;
-    u_int16_t isama_id;
-    internal_addr_t ia;
-    lset_t attr_set, unity_attr_set;
-    stf_status stat, stat_build;
+	struct state *const st = md->st;
+	u_int16_t isama_id;
+	internal_addr_t ia;
+	lset_t attr_set, unity_attr_set;
+	stf_status stat, stat_build;
 
-    plog("parsing ModeCfg set");
+	plog("parsing ModeCfg set");
 
-    stat = modecfg_parse_msg(md, ISAKMP_CFG_SET, &isama_id, &ia);
-    if (stat != STF_OK)
-	return stat;
-
-    st->st_modecfg.vars_set = set_internal_addr(st->st_connection, &ia);
-
-    /* prepare ModeCfg ack which sends zero length attributes */
-    attr_set = ia.attr_set;
-    unity_attr_set = ia.unity_attr_set;
-    init_internal_addr(&ia);
-    ia.attr_set = attr_set & SUPPORTED_ATTR_SET;
-    ia.unity_attr_set = unity_attr_set & SUPPORTED_UNITY_ATTR_SET;
-
-    plog("sending ModeCfg ack");
-
-    stat_build = modecfg_build_msg(st, &md->rbody
-			 	     , ISAKMP_CFG_ACK
-			 	     , &ia
-			 	     , isama_id);
-    if (stat_build != STF_OK)
-	return stat_build;
-
-    st->st_msgid = 0;
-    return STF_OK;
+	stat = modecfg_parse_msg(md, ISAKMP_CFG_SET, &isama_id, &ia);
+	if (stat != STF_OK)
+	{
+		return stat;
+	}
+	st->st_modecfg.vars_set = set_internal_addr(st->st_connection, &ia);
+
+	/* prepare ModeCfg ack which sends zero length attributes */
+	attr_set = ia.attr_set;
+	unity_attr_set = ia.unity_attr_set;
+	init_internal_addr(&ia);
+	ia.attr_set = attr_set & SUPPORTED_ATTR_SET;
+	ia.unity_attr_set = unity_attr_set & SUPPORTED_UNITY_ATTR_SET;
+
+	plog("sending ModeCfg ack");
+
+	stat_build = modecfg_build_msg(st, &md->rbody
+									 , ISAKMP_CFG_ACK
+									 , &ia
+									 , isama_id);
+	if (stat_build != STF_OK)
+	{
+		return stat_build;
+	}
+	st->st_msgid = 0;
+	return STF_OK;
 }
 
 /* STATE_MODE_CFG_R3:
@@ -788,19 +961,20 @@ modecfg_inI0(struct msg_digest *md)
 stf_status
 modecfg_inR3(struct msg_digest *md)
 {
-    struct state *const st = md->st;
-    u_int16_t isama_id;
-    internal_addr_t ia;
-    stf_status stat;
+	struct state *const st = md->st;
+	u_int16_t isama_id;
+	internal_addr_t ia;
+	stf_status stat;
 
-    plog("parsing ModeCfg ack");
-
-    stat = modecfg_parse_msg(md, ISAKMP_CFG_ACK, &isama_id, &ia);
-    if (stat != STF_OK)
-	return stat;
+	plog("parsing ModeCfg ack");
 
-    st->st_msgid = 0;
-    return STF_OK;
+	stat = modecfg_parse_msg(md, ISAKMP_CFG_ACK, &isama_id, &ia);
+	if (stat != STF_OK)
+	{
+		return stat;
+	}
+	st->st_msgid = 0;
+	return STF_OK;
 }
 
 /*
@@ -809,19 +983,21 @@ modecfg_inR3(struct msg_digest *md)
 stf_status
 xauth_send_request(struct state *st)
 {
-    stf_status stat;
-    internal_addr_t ia;
-
-    init_internal_addr(&ia);
-    ia.xauth_attr_set = LELEM(XAUTH_USER_NAME     - XAUTH_BASE)
-		      | LELEM(XAUTH_USER_PASSWORD - XAUTH_BASE);
-
-    plog("sending XAUTH request");
-    st->st_state = STATE_XAUTH_R1;
-    stat = modecfg_send_msg(st, ISAKMP_CFG_REQUEST, &ia);
-    if (stat == STF_OK)
-	st->st_xauth.started = TRUE;
-    return stat;
+	stf_status stat;
+	internal_addr_t ia;
+
+	init_internal_addr(&ia);
+	ia.xauth_attr_set = LELEM(XAUTH_USER_NAME     - XAUTH_BASE)
+					  | LELEM(XAUTH_USER_PASSWORD - XAUTH_BASE);
+
+	plog("sending XAUTH request");
+	st->st_state = STATE_XAUTH_R1;
+	stat = modecfg_send_msg(st, ISAKMP_CFG_REQUEST, &ia);
+	if (stat == STF_OK)
+	{
+		st->st_xauth.started = TRUE;
+	}
+	return stat;
 }
 
 /* STATE_XAUTH_I0:
@@ -832,97 +1008,102 @@ xauth_send_request(struct state *st)
 stf_status
 xauth_inI0(struct msg_digest *md)
 {
-    struct state *const st = md->st;
-    u_int16_t isama_id;
-    internal_addr_t ia;
-    stf_status stat, stat_build;
-    bool xauth_type_present;
+	struct state *const st = md->st;
+	u_int16_t isama_id;
+	internal_addr_t ia;
+	stf_status stat, stat_build;
+	bool xauth_type_present;
 
-    plog("parsing XAUTH request");
+	plog("parsing XAUTH request");
 
-    stat = modecfg_parse_msg(md, ISAKMP_CFG_REQUEST, &isama_id, &ia);
-    if (stat != STF_OK)
-	return stat;
- 
-    /* check XAUTH attributes */
-    xauth_type_present = (ia.xauth_attr_set & LELEM(XAUTH_TYPE - XAUTH_BASE)) != LEMPTY;
-
-    if (xauth_type_present && ia.xauth_type != XAUTH_TYPE_GENERIC)
-    {
-	plog("xauth type %s is not supported", enum_name(&xauth_type_names, ia.xauth_type));
-	stat = STF_FAIL;
-    }
-    else if ((ia.xauth_attr_set & LELEM(XAUTH_USER_NAME - XAUTH_BASE)) == LEMPTY)
-    {
-	plog("user name attribute is missing in XAUTH request");
-	stat = STF_FAIL;
-    }
-    else if ((ia.xauth_attr_set & LELEM(XAUTH_USER_PASSWORD - XAUTH_BASE)) == LEMPTY)
-    {
-	plog("user password attribute is missing in XAUTH request");
-	stat = STF_FAIL;
-    }
-
-    /* prepare XAUTH reply */
-    init_internal_addr(&ia);
-
-    if (stat == STF_OK)
-    {
-	/* get user credentials using a plugin function */
-	if (!xauth_module.get_secret(&ia.xauth_secret))
+	stat = modecfg_parse_msg(md, ISAKMP_CFG_REQUEST, &isama_id, &ia);
+	if (stat != STF_OK)
 	{
-	    plog("xauth user credentials not found");
-	    stat = STF_FAIL;
+		return stat;
 	}
-    }
-    if (stat == STF_OK)
-    {
-	DBG(DBG_CONTROL,
-	    DBG_log("my xauth user name is '%.*s'"
-		   , ia.xauth_secret.user_name.len
-		   , ia.xauth_secret.user_name.ptr)
-	)
-	DBG(DBG_PRIVATE,
-	    DBG_log("my xauth user password is '%.*s'"
-		   , ia.xauth_secret.user_password.len
-		   , ia.xauth_secret.user_password.ptr)
-	)
-	ia.xauth_attr_set = LELEM(XAUTH_USER_NAME     - XAUTH_BASE)
-		 	  | LELEM(XAUTH_USER_PASSWORD - XAUTH_BASE);
-        if (xauth_type_present)
-	    ia.xauth_attr_set |= LELEM(XAUTH_TYPE - XAUTH_BASE);
-    }
-    else
-    {
-	ia.xauth_attr_set = LELEM(XAUTH_STATUS - XAUTH_BASE);
-	ia.xauth_status = XAUTH_STATUS_FAIL;
-    }
 
-    plog("sending XAUTH reply");
+	/* check XAUTH attributes */
+	xauth_type_present = (ia.xauth_attr_set & LELEM(XAUTH_TYPE - XAUTH_BASE)) != LEMPTY;
 
-    stat_build = modecfg_build_msg(st, &md->rbody
-				     , ISAKMP_CFG_REPLY
-				     , &ia
-				     , isama_id);
-    if (stat_build != STF_OK)
-	return stat_build;
+	if (xauth_type_present && ia.xauth_type != XAUTH_TYPE_GENERIC)
+	{
+		plog("xauth type %s is not supported", enum_name(&xauth_type_names, ia.xauth_type));
+		stat = STF_FAIL;
+	}
+	else if ((ia.xauth_attr_set & LELEM(XAUTH_USER_NAME - XAUTH_BASE)) == LEMPTY)
+	{
+		plog("user name attribute is missing in XAUTH request");
+		stat = STF_FAIL;
+	}
+	else if ((ia.xauth_attr_set & LELEM(XAUTH_USER_PASSWORD - XAUTH_BASE)) == LEMPTY)
+	{
+		plog("user password attribute is missing in XAUTH request");
+		stat = STF_FAIL;
+	}
 
-    if (stat == STF_OK)
-    {
-	st->st_xauth.started = TRUE;
-	st->st_msgid = 0;
-	return STF_OK;
-    }
-    else
-    {
-	/* send XAUTH reply msg and then delete ISAKMP SA */
-	freeanychunk(st->st_tpacket);
-	clonetochunk(st->st_tpacket, md->reply.start
-	    , pbs_offset(&md->reply), "XAUTH reply msg");
-	send_packet(st, "XAUTH reply msg");
-	delete_state(st);
-	return STF_IGNORE;
-    }
+	/* prepare XAUTH reply */
+	init_internal_addr(&ia);
+
+	if (stat == STF_OK)
+	{
+		/* get user credentials using a plugin function */
+		if (!xauth_module.get_secret(&ia.xauth_secret))
+		{
+			plog("xauth user credentials not found");
+			stat = STF_FAIL;
+		}
+	}
+	if (stat == STF_OK)
+	{
+		DBG(DBG_CONTROL,
+			DBG_log("my xauth user name is '%.*s'"
+				   , ia.xauth_secret.user_name.len
+				   , ia.xauth_secret.user_name.ptr)
+		)
+		DBG(DBG_PRIVATE,
+			DBG_log("my xauth user password is '%.*s'"
+				   , ia.xauth_secret.user_password.len
+				   , ia.xauth_secret.user_password.ptr)
+		)
+		ia.xauth_attr_set = LELEM(XAUTH_USER_NAME     - XAUTH_BASE)
+						  | LELEM(XAUTH_USER_PASSWORD - XAUTH_BASE);
+		if (xauth_type_present)
+		{
+			ia.xauth_attr_set |= LELEM(XAUTH_TYPE - XAUTH_BASE);
+		}
+	}
+	else
+	{
+		ia.xauth_attr_set = LELEM(XAUTH_STATUS - XAUTH_BASE);
+		ia.xauth_status = XAUTH_STATUS_FAIL;
+	}
+
+	plog("sending XAUTH reply");
+
+	stat_build = modecfg_build_msg(st, &md->rbody
+									 , ISAKMP_CFG_REPLY
+									 , &ia
+									 , isama_id);
+	if (stat_build != STF_OK)
+	{
+		return stat_build;
+	}
+	if (stat == STF_OK)
+	{
+		st->st_xauth.started = TRUE;
+		st->st_msgid = 0;
+		return STF_OK;
+	}
+	else
+	{
+		/* send XAUTH reply msg and then delete ISAKMP SA */
+		free(st->st_tpacket.ptr);
+		st->st_tpacket = chunk_create(md->reply.start, pbs_offset(&md->reply));
+		st->st_tpacket = chunk_clone(st->st_tpacket);
+		send_packet(st, "XAUTH reply msg");
+		delete_state(st);
+		return STF_IGNORE;
+	}
 }
 
 /* STATE_XAUTH_R1:
@@ -933,72 +1114,76 @@ xauth_inI0(struct msg_digest *md)
 stf_status
 xauth_inR1(struct msg_digest *md)
 {
-    struct state *const st = md->st;
-    u_int16_t isama_id;
-    internal_addr_t ia;
-    stf_status stat, stat_build;
+	struct state *const st = md->st;
+	u_int16_t isama_id;
+	internal_addr_t ia;
+	stf_status stat, stat_build;
 
-    plog("parsing XAUTH reply");
+	plog("parsing XAUTH reply");
 
-    stat = modecfg_parse_msg(md, ISAKMP_CFG_REPLY, &isama_id, &ia);
-    if (stat != STF_OK)
-	return stat;
- 
-    /* did the client return an XAUTH FAIL status? */
-    if ((ia.xauth_attr_set & LELEM(XAUTH_STATUS - XAUTH_BASE)) != LEMPTY)
-    {
-	plog("received FAIL status in XAUTH reply");
-
-	/* client is not able to do XAUTH, delete ISAKMP SA */
-	delete_state(st);
-	return STF_IGNORE;
-    }
-
-    /* check XAUTH reply */
-    if ((ia.xauth_attr_set & LELEM(XAUTH_USER_NAME - XAUTH_BASE)) == LEMPTY)
-    {
-	plog("user name attribute is missing in XAUTH reply");
-	st->st_xauth.status = FALSE;
-    }
-    else if ((ia.xauth_attr_set & LELEM(XAUTH_USER_PASSWORD - XAUTH_BASE)) == LEMPTY)
-    {
-	plog("user password attribute is missing in XAUTH reply");
-	st->st_xauth.status = FALSE;
-    }
-    else 
-    {
-	xauth_peer_t peer;
-
-	peer.conn_name = st->st_connection->name;
-	addrtot(&md->sender, 0, peer.ip_address, sizeof(peer.ip_address));
-	idtoa(&md->st->st_connection->spd.that.id, peer.id, sizeof(peer.id));
-
-	DBG(DBG_CONTROL,
-	    DBG_log("peer xauth user name is '%.*s'"
-		   , ia.xauth_secret.user_name.len
-		   , ia.xauth_secret.user_name.ptr)
-	)
-	DBG(DBG_PRIVATE,
-	    DBG_log("peer xauth user password is '%.*s'"
-		   , ia.xauth_secret.user_password.len
-		   , ia.xauth_secret.user_password.ptr)
-	)
-	/* verify the user credentials using a plugin function */
-	st->st_xauth.status = xauth_module.verify_secret(&peer, &ia.xauth_secret);
-	plog("extended authentication %s", st->st_xauth.status? "was successful":"failed");
-    }
+	stat = modecfg_parse_msg(md, ISAKMP_CFG_REPLY, &isama_id, &ia);
+	if (stat != STF_OK)
+	{
+		return stat;
+	}
+
+	/* did the client return an XAUTH FAIL status? */
+	if ((ia.xauth_attr_set & LELEM(XAUTH_STATUS - XAUTH_BASE)) != LEMPTY)
+	{
+		plog("received FAIL status in XAUTH reply");
+
+		/* client is not able to do XAUTH, delete ISAKMP SA */
+		delete_state(st);
+		return STF_IGNORE;
+	}
+
+	/* check XAUTH reply */
+	if ((ia.xauth_attr_set & LELEM(XAUTH_USER_NAME - XAUTH_BASE)) == LEMPTY)
+	{
+		plog("user name attribute is missing in XAUTH reply");
+		st->st_xauth.status = FALSE;
+	}
+	else if ((ia.xauth_attr_set & LELEM(XAUTH_USER_PASSWORD - XAUTH_BASE)) == LEMPTY)
+	{
+		plog("user password attribute is missing in XAUTH reply");
+		st->st_xauth.status = FALSE;
+	}
+	else 
+	{
+		xauth_peer_t peer;
+
+		peer.conn_name = st->st_connection->name;
+		addrtot(&md->sender, 0, peer.ip_address, sizeof(peer.ip_address));
+		idtoa(&md->st->st_connection->spd.that.id, peer.id, sizeof(peer.id));
+
+		DBG(DBG_CONTROL,
+			DBG_log("peer xauth user name is '%.*s'"
+				   , ia.xauth_secret.user_name.len
+				   , ia.xauth_secret.user_name.ptr)
+		)
+		DBG(DBG_PRIVATE,
+			DBG_log("peer xauth user password is '%.*s'"
+				   , ia.xauth_secret.user_password.len
+				   , ia.xauth_secret.user_password.ptr)
+		)
+		/* verify the user credentials using a plugin function */
+		st->st_xauth.status = xauth_module.verify_secret(&peer, &ia.xauth_secret);
+		plog("extended authentication %s", st->st_xauth.status? "was successful":"failed");
+	}
 
-    /* prepare XAUTH set which sends the authentication status */
-    init_internal_addr(&ia);
-    ia.xauth_attr_set = LELEM(XAUTH_STATUS - XAUTH_BASE);
-    ia.xauth_status = (st->st_xauth.status)? XAUTH_STATUS_OK : XAUTH_STATUS_FAIL;
+	/* prepare XAUTH set which sends the authentication status */
+	init_internal_addr(&ia);
+	ia.xauth_attr_set = LELEM(XAUTH_STATUS - XAUTH_BASE);
+	ia.xauth_status = (st->st_xauth.status)? XAUTH_STATUS_OK : XAUTH_STATUS_FAIL;
 
-    plog("sending XAUTH status:");
+	plog("sending XAUTH status:");
 
-    stat_build = modecfg_send_msg(st, ISAKMP_CFG_SET, &ia);
-    if (stat_build != STF_OK)
-	return stat_build;
-    return STF_OK;
+	stat_build = modecfg_send_msg(st, ISAKMP_CFG_SET, &ia);
+	if (stat_build != STF_OK)
+	{
+		return stat_build;
+	}
+	return STF_OK;
 }
 
 /* STATE_XAUTH_I1:
@@ -1009,47 +1194,48 @@ xauth_inR1(struct msg_digest *md)
 stf_status
 xauth_inI1(struct msg_digest *md)
 {
-    struct state *const st = md->st;
-    u_int16_t isama_id;
-    internal_addr_t ia;
-    stf_status stat, stat_build;
-
-    plog("parsing XAUTH status");
-    stat = modecfg_parse_msg(md, ISAKMP_CFG_SET, &isama_id, &ia);
-    if (stat != STF_OK)
-    {
-	/* notification payload - not exactly the right choice, but okay */
-	md->note = ATTRIBUTES_NOT_SUPPORTED;
-	return stat;
-    }
-
-    st->st_xauth.status = ia.xauth_status;
-    plog("extended authentication %s", st->st_xauth.status? "was successful":"failed");
-
-    plog("sending XAUTH ack");
-    init_internal_addr(&ia);
-    stat_build = modecfg_build_msg(st, &md->rbody
-				     , ISAKMP_CFG_ACK
-				     , &ia
-				     , isama_id);
-    if (stat_build != STF_OK)
-	return stat_build;
- 
-    if (st->st_xauth.status)
-    {
-	st->st_msgid = 0;
-	return STF_OK;
-    }
-    else
-    {
-	/* send XAUTH ack msg and then delete ISAKMP SA */
-	freeanychunk(st->st_tpacket);
-	clonetochunk(st->st_tpacket, md->reply.start
-	    , pbs_offset(&md->reply), "XAUTH ack msg");
-	send_packet(st, "XAUTH ack msg");
-	delete_state(st);
-	return STF_IGNORE;
-    }
+	struct state *const st = md->st;
+	u_int16_t isama_id;
+	internal_addr_t ia;
+	stf_status stat, stat_build;
+
+	plog("parsing XAUTH status");
+	stat = modecfg_parse_msg(md, ISAKMP_CFG_SET, &isama_id, &ia);
+	if (stat != STF_OK)
+	{
+		/* notification payload - not exactly the right choice, but okay */
+		md->note = ATTRIBUTES_NOT_SUPPORTED;
+		return stat;
+	}
+
+	st->st_xauth.status = ia.xauth_status;
+	plog("extended authentication %s", st->st_xauth.status? "was successful":"failed");
+
+	plog("sending XAUTH ack");
+	init_internal_addr(&ia);
+	stat_build = modecfg_build_msg(st, &md->rbody
+									 , ISAKMP_CFG_ACK
+									 , &ia
+									 , isama_id);
+	if (stat_build != STF_OK)
+	{
+		return stat_build;
+	}
+	if (st->st_xauth.status)
+	{
+		st->st_msgid = 0;
+		return STF_OK;
+	}
+	else
+	{
+		/* send XAUTH ack msg and then delete ISAKMP SA */
+		free(st->st_tpacket.ptr);
+		st->st_tpacket = chunk_create(md->reply.start, pbs_offset(&md->reply));
+		st->st_tpacket = chunk_clone(st->st_tpacket);
+		send_packet(st, "XAUTH ack msg");
+		delete_state(st);
+		return STF_IGNORE;
+	}
 }
 
 /* STATE_XAUTH_R2:
@@ -1060,25 +1246,26 @@ xauth_inI1(struct msg_digest *md)
 stf_status
 xauth_inR2(struct msg_digest *md)
 {
-    struct state *const st = md->st;
-    u_int16_t isama_id;
-    internal_addr_t ia;
-    stf_status stat;
+	struct state *const st = md->st;
+	u_int16_t isama_id;
+	internal_addr_t ia;
+	stf_status stat;
 
-    plog("parsing XAUTH ack");
+	plog("parsing XAUTH ack");
 
-    stat = modecfg_parse_msg(md, ISAKMP_CFG_ACK, &isama_id, &ia);
-    if (stat != STF_OK)
-	return stat;
-
-    st->st_msgid = 0;
-    if (st->st_xauth.status)
-    {
-	return STF_OK;
-    }
-    else
-    {
-	delete_state(st);
-	return STF_IGNORE;
-    }
+	stat = modecfg_parse_msg(md, ISAKMP_CFG_ACK, &isama_id, &ia);
+	if (stat != STF_OK)
+	{
+		return stat;
+	}
+	st->st_msgid = 0;
+	if (st->st_xauth.status)
+	{
+		return STF_OK;
+	}
+	else
+	{
+		delete_state(st);
+		return STF_IGNORE;
+	}
 }
diff --git a/src/pluto/modecfg.h b/src/pluto/modecfg.h
index 95481de89..86bfc6ed2 100644
--- a/src/pluto/modecfg.h
+++ b/src/pluto/modecfg.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: modecfg.h 3252 2007-10-06 21:24:50Z andreas $
  */
 
 #ifndef _MODECFG_H
diff --git a/src/pluto/mp_defs.c b/src/pluto/mp_defs.c
deleted file mode 100644
index cdae8ee79..000000000
--- a/src/pluto/mp_defs.c
+++ /dev/null
@@ -1,70 +0,0 @@
-/* some multiprecision utilities
- * Copyright (C) 1998-2001  D. Hugh Redelmeier.
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- *
- * RCSID $Id: mp_defs.c 3252 2007-10-06 21:24:50Z andreas $
- */
-
-#include <freeswan.h>
-
-#include "constants.h"
-#include "defs.h"
-#include "mp_defs.h"
-#include "log.h"
-
-/* Convert MP_INT to network form (binary octets, big-endian).
- * We do the malloc; caller must eventually do free.
- */
-chunk_t
-mpz_to_n(const MP_INT *mp, size_t bytes)
-{
-    chunk_t r;
-    MP_INT temp1, temp2;
-    int i;
-
-    r.len = bytes;
-    r.ptr = alloc_bytes(r.len, "host representation of large integer");
-
-    mpz_init(&temp1);
-    mpz_init(&temp2);
-
-    mpz_set(&temp1, mp);
-
-    for (i = r.len-1; i >= 0; i--)
-    {
-	r.ptr[i] = mpz_mdivmod_ui(&temp2, NULL, &temp1, 1 << BITS_PER_BYTE);
-	mpz_set(&temp1, &temp2);
-    }
-
-    passert(mpz_sgn(&temp1) == 0);	/* we must have done all the bits */
-    mpz_clear(&temp1);
-    mpz_clear(&temp2);
-
-    return r;
-}
-
-/* Convert network form (binary bytes, big-endian) to MP_INT.
- * The *mp must not be previously mpz_inited.
- */
-void
-n_to_mpz(MP_INT *mp, const u_char *nbytes, size_t nlen)
-{
-    size_t i;
-
-    mpz_init_set_ui(mp, 0);
-
-    for (i = 0; i != nlen; i++)
-    {
-	mpz_mul_ui(mp, mp, 1 << BITS_PER_BYTE);
-	mpz_add_ui(mp, mp, nbytes[i]);
-    }
-}
diff --git a/src/pluto/mp_defs.h b/src/pluto/mp_defs.h
deleted file mode 100644
index e0ec74df8..000000000
--- a/src/pluto/mp_defs.h
+++ /dev/null
@@ -1,36 +0,0 @@
-/* some multiprecision utilities
- * Copyright (C) 1997 Angelos D. Keromytis.
- * Copyright (C) 1998-2001  D. Hugh Redelmeier.
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- *
- * RCSID $Id: mp_defs.h 3252 2007-10-06 21:24:50Z andreas $
- */
-
-#ifndef _MP_DEFS_H
-#define _MP_DEFS_H
-
-#include <gmp.h>
-
-#include "defs.h"
-
-extern void n_to_mpz(MP_INT *mp, const u_char *nbytes, size_t nlen);
-extern chunk_t mpz_to_n(const MP_INT *mp, size_t bytes);
-
-/* var := mod(base ** exp, mod), ensuring var is mpz_inited */
-#define mpz_init_powm(flag, var, base, exp, mod) { \
-    if (!(flag)) \
-	mpz_init(&(var)); \
-    (flag) = TRUE; \
-    mpz_powm(&(var), &(base), &(exp), (mod)); \
-    }
-
-#endif /* _MP_DEFS_H */
diff --git a/src/pluto/nat_traversal.c b/src/pluto/nat_traversal.c
index 95ce9e32e..de3972fe2 100644
--- a/src/pluto/nat_traversal.c
+++ b/src/pluto/nat_traversal.c
@@ -1,5 +1,6 @@
 /* FreeS/WAN NAT-Traversal
  * Copyright (C) 2002-2005 Mathieu Lafon - Arkoon Network Security
+ * Copyright (C) 2009 Andreas Steffen - Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -10,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: nat_traversal.c 3252 2007-10-06 21:24:50Z andreas $
  */
 
 #include <stdio.h>
@@ -26,10 +25,12 @@
 #include <sys/queue.h>
 
 #include <freeswan.h>
-#include <ipsec_policy.h>
 #include <pfkeyv2.h>
 #include <pfkey.h>
 
+#include <library.h>
+#include <crypto/hashers/hasher.h>
+
 #include "constants.h"
 #include "defs.h"
 #include "log.h"
@@ -42,8 +43,6 @@
 #include "whack.h"
 #include "timer.h"
 #include "cookie.h"
-#include "sha1.h"
-#include "md5.h"
 #include "crypto.h"
 #include "vendor.h"
 #include "ike_alg.h"
@@ -79,81 +78,91 @@ static bool _force_ka = 0;
 static const char *natt_version = "0.6c";
 
 void init_nat_traversal (bool activate, unsigned int keep_alive_period,
-	bool fka, bool spf)
+		bool fka, bool spf)
 {
-    nat_traversal_enabled = activate;
-    nat_traversal_support_non_ike = activate;
+	nat_traversal_enabled = activate;
+	nat_traversal_support_non_ike = activate;
 #ifdef NAT_T_SUPPORT_LAST_DRAFTS
-    nat_traversal_support_port_floating = activate ? spf : FALSE;
+	nat_traversal_support_port_floating = activate ? spf : FALSE;
 #endif
-    _force_ka = fka;
-    _kap = keep_alive_period ? keep_alive_period : DEFAULT_KEEP_ALIVE_PERIOD;
-    plog("  including NAT-Traversal patch (Version %s)%s%s%s"
-	 , natt_version, activate ? "" : " [disabled]"
-	 , activate & fka ? " [Force KeepAlive]" : ""
-	 , activate & !spf ? " [Port Floating disabled]" : "");
+	_force_ka = fka;
+	_kap = keep_alive_period ? keep_alive_period : DEFAULT_KEEP_ALIVE_PERIOD;
+	plog("  including NAT-Traversal patch (Version %s)%s%s%s"
+		 , natt_version, activate ? "" : " [disabled]"
+		 , activate & fka ? " [Force KeepAlive]" : ""
+		 , activate & !spf ? " [Port Floating disabled]" : "");
 }
 
 static void disable_nat_traversal (int type)
 {
-    if (type == ESPINUDP_WITH_NON_IKE)
-	nat_traversal_support_non_ike = FALSE;
-    else
-	nat_traversal_support_port_floating = FALSE;
-
-    if (!nat_traversal_support_non_ike &&
-        !nat_traversal_support_port_floating)
-	    nat_traversal_enabled = FALSE;
+	if (type == ESPINUDP_WITH_NON_IKE)
+		nat_traversal_support_non_ike = FALSE;
+	else
+		nat_traversal_support_port_floating = FALSE;
+
+	if (!nat_traversal_support_non_ike &&
+		!nat_traversal_support_port_floating)
+			nat_traversal_enabled = FALSE;
 }
 
-static void _natd_hash(const struct hash_desc *hasher, char *hash,
-	u_int8_t *icookie, u_int8_t *rcookie,
-	const ip_address *ip, u_int16_t port)
+static void _natd_hash(const struct hash_desc *oakley_hasher, char *hash,
+		u_int8_t *icookie, u_int8_t *rcookie,
+		const ip_address *ip, u_int16_t port)
 {
-    union hash_ctx ctx;
-
-    if (is_zero_cookie(icookie))
-	DBG_log("_natd_hash: Warning, icookie is zero !!");
-    if (is_zero_cookie(rcookie))
-	DBG_log("_natd_hash: Warning, rcookie is zero !!");
-
-    /**
-     * draft-ietf-ipsec-nat-t-ike-01.txt
-     *
-     *   HASH = HASH(CKY-I | CKY-R | IP | Port)
-     *
-     * All values in network order
-     */
-    hasher->hash_init(&ctx);
-    hasher->hash_update(&ctx, icookie, COOKIE_SIZE);
-    hasher->hash_update(&ctx, rcookie, COOKIE_SIZE);
-    switch (addrtypeof(ip)) {
-    case AF_INET:
-	hasher->hash_update(&ctx, (const u_char *)&ip->u.v4.sin_addr.s_addr
-		, sizeof(ip->u.v4.sin_addr.s_addr));
-	break;
-    case AF_INET6:
-	hasher->hash_update(&ctx, (const u_char *)&ip->u.v6.sin6_addr.s6_addr
-		, sizeof(ip->u.v6.sin6_addr.s6_addr));
-	break;
-    }
-    hasher->hash_update(&ctx, (const u_char *)&port, sizeof(u_int16_t));
-    hasher->hash_final(hash, &ctx);
-#ifdef NAT_D_DEBUG
-    DBG(DBG_NATT,
-	DBG_log("_natd_hash: hasher=%p(%d)", hasher, (int)hasher->hash_digest_len);
-	DBG_dump("_natd_hash: icookie=", icookie, COOKIE_SIZE);
-	DBG_dump("_natd_hash: rcookie=", rcookie, COOKIE_SIZE);
-	switch (addrtypeof(ip)) {
-	case AF_INET:
-	    DBG_dump("_natd_hash: ip=", &ip->u.v4.sin_addr.s_addr
-		, sizeof(ip->u.v4.sin_addr.s_addr));
-	    break;
+	if (is_zero_cookie(icookie))
+	{
+		DBG_log("_natd_hash: Warning, icookie is zero !!");
 	}
-	DBG_log("_natd_hash: port=%d", port);
-	DBG_dump("_natd_hash: hash=", hash, hasher->hash_digest_len);
-    );
+	if (is_zero_cookie(rcookie))
+	{
+		DBG_log("_natd_hash: Warning, rcookie is zero !!");
+	}
+
+	/**
+	 * draft-ietf-ipsec-nat-t-ike-01.txt
+	 *
+	 *   HASH = HASH(CKY-I | CKY-R | IP | Port)
+	 *
+	 * All values in network order
+	 */
+	{
+		chunk_t icookie_chunk = { icookie, COOKIE_SIZE };
+		chunk_t rcookie_chunk = { rcookie, COOKIE_SIZE };
+		chunk_t port_chunk = chunk_from_thing(port);
+		chunk_t addr_chunk;
+		hash_algorithm_t hash_alg;
+		hasher_t *hasher;
+		size_t hash_size;
+
+		hash_alg = oakley_to_hash_algorithm(oakley_hasher->algo_id);
+		hasher = lib->crypto->create_hasher(lib->crypto, hash_alg);
+		hasher->get_hash(hasher, icookie_chunk, NULL);
+		hasher->get_hash(hasher, rcookie_chunk, NULL);
+		switch (addrtypeof(ip))
+		{
+			case AF_INET:
+				addr_chunk = chunk_from_thing(ip->u.v4.sin_addr.s_addr);
+				break;
+			case AF_INET6:
+				addr_chunk = chunk_from_thing(ip->u.v6.sin6_addr.s6_addr);
+				break;
+			default:
+				addr_chunk = chunk_empty; /* should never occur */ 
+		}
+		hasher->get_hash(hasher, addr_chunk, NULL);
+		hasher->get_hash(hasher, port_chunk, hash);
+		hash_size = hasher->get_hash_size(hasher);
+		hasher->destroy(hasher);
+#ifdef NAT_D_DEBUG
+		DBG(DBG_NATT,
+			DBG_dump_chunk("_natd_hash: icookie=", icookie_chunk);
+			DBG_dump_chunk("_natd_hash: rcookie=", rcookie_chunk);
+			DBG_dump_chunk("_natd_hash: ip=", addr_chunk);
+			DBG_log("_natd_hash: port=%d", port);
+			DBG_dump("_natd_hash: hash=", hash, hash_size);
+		)
 #endif
+	}
 }
 
 /* Add NAT-Traversal VIDs (supported ones)
@@ -161,180 +170,180 @@ static void _natd_hash(const struct hash_desc *hasher, char *hash,
  */
 bool nat_traversal_add_vid(u_int8_t np, pb_stream *outs)
 {
-    bool r = TRUE;
-
-    if (nat_traversal_support_port_floating)
-    {
-	u_int8_t last_np = nat_traversal_support_non_ike ?
-				ISAKMP_NEXT_VID : np;
-
-	if (r)
-	    r = out_vendorid(ISAKMP_NEXT_VID, outs, VID_NATT_RFC);
-	if (r)
-	    r = out_vendorid(ISAKMP_NEXT_VID, outs, VID_NATT_IETF_03);
-	if (r)
-	    r = out_vendorid(ISAKMP_NEXT_VID, outs, VID_NATT_IETF_02);
-	if (r)
-	    r = out_vendorid(last_np, outs, VID_NATT_IETF_02_N);
-    }
-    if (nat_traversal_support_non_ike)
-    {
-	if (r)
-	    r = out_vendorid(np, outs, VID_NATT_IETF_00);
-    }
-    return r;
+	bool r = TRUE;
+
+	if (nat_traversal_support_port_floating)
+	{
+		u_int8_t last_np = nat_traversal_support_non_ike ?
+								ISAKMP_NEXT_VID : np;
+
+		if (r)
+			r = out_vendorid(ISAKMP_NEXT_VID, outs, VID_NATT_RFC);
+		if (r)
+			r = out_vendorid(ISAKMP_NEXT_VID, outs, VID_NATT_IETF_03);
+		if (r)
+			r = out_vendorid(ISAKMP_NEXT_VID, outs, VID_NATT_IETF_02);
+		if (r)
+			r = out_vendorid(last_np, outs, VID_NATT_IETF_02_N);
+	}
+	if (nat_traversal_support_non_ike)
+	{
+		if (r)
+			r = out_vendorid(np, outs, VID_NATT_IETF_00);
+	}
+	return r;
 }
 
 u_int32_t nat_traversal_vid_to_method(unsigned short nat_t_vid)
 {
-    switch (nat_t_vid)
-    {
-    case VID_NATT_IETF_00:
-	return LELEM(NAT_TRAVERSAL_IETF_00_01);
-    case VID_NATT_IETF_02:
-    case VID_NATT_IETF_02_N:
-    case VID_NATT_IETF_03:
-	return LELEM(NAT_TRAVERSAL_IETF_02_03);
-    case VID_NATT_RFC:
-	return LELEM(NAT_TRAVERSAL_RFC);
-    }
-    return 0;
+	switch (nat_t_vid)
+	{
+	case VID_NATT_IETF_00:
+		return LELEM(NAT_TRAVERSAL_IETF_00_01);
+	case VID_NATT_IETF_02:
+	case VID_NATT_IETF_02_N:
+	case VID_NATT_IETF_03:
+		return LELEM(NAT_TRAVERSAL_IETF_02_03);
+	case VID_NATT_RFC:
+		return LELEM(NAT_TRAVERSAL_RFC);
+	}
+	return 0;
 }
 
 void nat_traversal_natd_lookup(struct msg_digest *md)
 {
-    char hash[MAX_DIGEST_LEN];
-    struct payload_digest *p;
-    struct state *st = md->st;
-    int i;
-
-    if (!st || !md->iface || !st->st_oakley.hasher)
-    {
-	loglog(RC_LOG_SERIOUS, "NAT-Traversal: assert failed %s:%d"
-		, __FILE__, __LINE__);
-	return;
-    }
-
-    /** Count NAT-D **/
-    for (p = md->chain[ISAKMP_NEXT_NATD_RFC], i=0; p != NULL; p = p->next, i++);
-
-    /*
-     * We need at least 2 NAT-D (1 for us, many for peer)
-     */
-    if (i < 2)
-    {
-	loglog(RC_LOG_SERIOUS,
-	    "NAT-Traversal: Only %d NAT-D - Aborting NAT-Traversal negociation", i);
-	st->nat_traversal = 0;
-	return;
-    }
-
-    /*
-     * First one with my IP & port
-     */
-    p = md->chain[ISAKMP_NEXT_NATD_RFC];
-    _natd_hash(st->st_oakley.hasher, hash, st->st_icookie, st->st_rcookie,
-	&(md->iface->addr), ntohs(st->st_connection->spd.this.host_port));
-
-    if (!(pbs_left(&p->pbs) == st->st_oakley.hasher->hash_digest_len &&
-	  memcmp(p->pbs.cur, hash, st->st_oakley.hasher->hash_digest_len) == 0))
-    {
+	char hash[MAX_DIGEST_LEN];
+	struct payload_digest *p;
+	struct state *st = md->st;
+	int i;
+
+	if (!st || !md->iface || !st->st_oakley.hasher)
+	{
+		loglog(RC_LOG_SERIOUS, "NAT-Traversal: assert failed %s:%d"
+				, __FILE__, __LINE__);
+		return;
+	}
+
+	/** Count NAT-D **/
+	for (p = md->chain[ISAKMP_NEXT_NATD_RFC], i=0; p != NULL; p = p->next, i++);
+
+	/*
+	 * We need at least 2 NAT-D (1 for us, many for peer)
+	 */
+	if (i < 2)
+	{
+		loglog(RC_LOG_SERIOUS,
+			"NAT-Traversal: Only %d NAT-D - Aborting NAT-Traversal negociation", i);
+		st->nat_traversal = 0;
+		return;
+	}
+
+	/*
+	 * First one with my IP & port
+	 */
+	p = md->chain[ISAKMP_NEXT_NATD_RFC];
+	_natd_hash(st->st_oakley.hasher, hash, st->st_icookie, st->st_rcookie,
+		&(md->iface->addr), ntohs(st->st_connection->spd.this.host_port));
+
+	if (!(pbs_left(&p->pbs) == st->st_oakley.hasher->hash_digest_len &&
+		  memeq(p->pbs.cur, hash, st->st_oakley.hasher->hash_digest_len)))
+	{
 #ifdef NAT_D_DEBUG
-	DBG(DBG_NATT,
-	    DBG_log("NAT_TRAVERSAL_NAT_BHND_ME");
-	    DBG_dump("expected NAT-D:", hash
-	    		, st->st_oakley.hasher->hash_digest_len);
-	    DBG_dump("received NAT-D:", p->pbs.cur, pbs_left(&p->pbs));
-	)
+		DBG(DBG_NATT,
+			DBG_log("NAT_TRAVERSAL_NAT_BHND_ME");
+			DBG_dump("expected NAT-D:", hash
+						, st->st_oakley.hasher->hash_digest_len);
+			DBG_dump("received NAT-D:", p->pbs.cur, pbs_left(&p->pbs));
+		)
 #endif
-	st->nat_traversal |= LELEM(NAT_TRAVERSAL_NAT_BHND_ME);
-    }
-
-    /*
-     * The others with sender IP & port
-     */
-    _natd_hash(st->st_oakley.hasher, hash, st->st_icookie, st->st_rcookie,
-		&(md->sender), ntohs(md->sender_port));
-    for (p = p->next, i=0 ; p != NULL; p = p->next)
-    {
-	if (pbs_left(&p->pbs) == st->st_oakley.hasher->hash_digest_len &&
-	    memcmp(p->pbs.cur, hash, st->st_oakley.hasher->hash_digest_len) == 0)
-	{
-	    i++;
-	}
-    }
-    if (!i)
-    {
+		st->nat_traversal |= LELEM(NAT_TRAVERSAL_NAT_BHND_ME);
+	}
+
+	/*
+	 * The others with sender IP & port
+	 */
+	_natd_hash(st->st_oakley.hasher, hash, st->st_icookie, st->st_rcookie,
+				&(md->sender), ntohs(md->sender_port));
+	for (p = p->next, i=0 ; p != NULL; p = p->next)
+	{
+		if (pbs_left(&p->pbs) == st->st_oakley.hasher->hash_digest_len &&
+			memeq(p->pbs.cur, hash, st->st_oakley.hasher->hash_digest_len))
+		{
+			i++;
+		}
+	}
+	if (!i)
+	{
 #ifdef NAT_D_DEBUG
-	DBG(DBG_NATT,
-	    DBG_log("NAT_TRAVERSAL_NAT_BHND_PEER");
-	    DBG_dump("expected NAT-D:", hash
-			, st->st_oakley.hasher->hash_digest_len);
-	    p = md->chain[ISAKMP_NEXT_NATD_RFC];
-	    for (p = p->next, i=0 ; p != NULL; p = p->next)
-	    {
-		DBG_dump("received NAT-D:", p->pbs.cur, pbs_left(&p->pbs));
-	    }
-	)
+		DBG(DBG_NATT,
+			DBG_log("NAT_TRAVERSAL_NAT_BHND_PEER");
+			DBG_dump("expected NAT-D:", hash
+						, st->st_oakley.hasher->hash_digest_len);
+			p = md->chain[ISAKMP_NEXT_NATD_RFC];
+			for (p = p->next, i=0 ; p != NULL; p = p->next)
+			{
+				DBG_dump("received NAT-D:", p->pbs.cur, pbs_left(&p->pbs));
+			}
+		)
 #endif
-	st->nat_traversal |= LELEM(NAT_TRAVERSAL_NAT_BHND_PEER);
-    }
+		st->nat_traversal |= LELEM(NAT_TRAVERSAL_NAT_BHND_PEER);
+	}
 #ifdef FORCE_NAT_TRAVERSAL
-    st->nat_traversal |= LELEM(NAT_TRAVERSAL_NAT_BHND_PEER);
-    st->nat_traversal |= LELEM(NAT_TRAVERSAL_NAT_BHND_ME);
+	st->nat_traversal |= LELEM(NAT_TRAVERSAL_NAT_BHND_PEER);
+	st->nat_traversal |= LELEM(NAT_TRAVERSAL_NAT_BHND_ME);
 #endif
 }
 
 bool nat_traversal_add_natd(u_int8_t np, pb_stream *outs,
-	struct msg_digest *md)
+		struct msg_digest *md)
 {
-    char hash[MAX_DIGEST_LEN];
-    struct state *st = md->st;
-
-    if (!st || !st->st_oakley.hasher)
-    {
-	loglog(RC_LOG_SERIOUS, "NAT-Traversal: assert failed %s:%d"
-			, __FILE__, __LINE__);
-	return FALSE;
-    }
-
-    DBG(DBG_EMITTING,
-	DBG_log("sending NATD payloads")
-    )
-	
-    /*
-     * First one with sender IP & port
-     */
-    _natd_hash(st->st_oakley.hasher, hash, st->st_icookie,
-	is_zero_cookie(st->st_rcookie) ? md->hdr.isa_rcookie : st->st_rcookie,
-	&(md->sender),
+	char hash[MAX_DIGEST_LEN];
+	struct state *st = md->st;
+
+	if (!st || !st->st_oakley.hasher)
+	{
+		loglog(RC_LOG_SERIOUS, "NAT-Traversal: assert failed %s:%d"
+						, __FILE__, __LINE__);
+		return FALSE;
+	}
+
+	DBG(DBG_EMITTING,
+		DBG_log("sending NATD payloads")
+	)
+		
+	/*
+	 * First one with sender IP & port
+	 */
+	_natd_hash(st->st_oakley.hasher, hash, st->st_icookie,
+		is_zero_cookie(st->st_rcookie) ? md->hdr.isa_rcookie : st->st_rcookie,
+		&(md->sender),
 #ifdef FORCE_NAT_TRAVERSAL
-	0
+		0
 #else
-	ntohs(md->sender_port)
+		ntohs(md->sender_port)
 #endif
-    );
-    if (!out_generic_raw((st->nat_traversal & NAT_T_WITH_RFC_VALUES
-	? ISAKMP_NEXT_NATD_RFC : ISAKMP_NEXT_NATD_DRAFTS), &isakmp_nat_d, outs,
-	hash, st->st_oakley.hasher->hash_digest_len, "NAT-D"))
-    {
-	return FALSE;
-    }
-
-    /*
-     * Second one with my IP & port
-     */
-    _natd_hash(st->st_oakley.hasher, hash, st->st_icookie,
-	is_zero_cookie(st->st_rcookie) ? md->hdr.isa_rcookie : st->st_rcookie,
-	&(md->iface->addr),
+	);
+	if (!out_generic_raw((st->nat_traversal & NAT_T_WITH_RFC_VALUES
+		? ISAKMP_NEXT_NATD_RFC : ISAKMP_NEXT_NATD_DRAFTS), &isakmp_nat_d, outs,
+		hash, st->st_oakley.hasher->hash_digest_len, "NAT-D"))
+	{
+		return FALSE;
+	}
+
+	/*
+	 * Second one with my IP & port
+	 */
+	_natd_hash(st->st_oakley.hasher, hash, st->st_icookie,
+		is_zero_cookie(st->st_rcookie) ? md->hdr.isa_rcookie : st->st_rcookie,
+		&(md->iface->addr),
 #ifdef FORCE_NAT_TRAVERSAL
-	0
+		0
 #else
-	ntohs(st->st_connection->spd.this.host_port)
+		ntohs(st->st_connection->spd.this.host_port)
 #endif
-    );
-    return (out_generic_raw(np, &isakmp_nat_d, outs,
-	hash, st->st_oakley.hasher->hash_digest_len, "NAT-D"));
+	);
+	return (out_generic_raw(np, &isakmp_nat_d, outs,
+		hash, st->st_oakley.hasher->hash_digest_len, "NAT-D"));
 }
 
 /*
@@ -344,245 +353,245 @@ bool nat_traversal_add_natd(u_int8_t np, pb_stream *outs,
  */
 void nat_traversal_natoa_lookup(struct msg_digest *md)
 {
-    struct payload_digest *p;
-    struct state *st = md->st;
-    int i;
-    ip_address ip;
-
-    if (!st || !md->iface)
-    {
-	loglog(RC_LOG_SERIOUS, "NAT-Traversal: assert failed %s:%d"
-		, __FILE__, __LINE__);
-	return;
-    }
-
-    /* Initialize NAT-OA */
-    anyaddr(AF_INET, &st->nat_oa);
-
-    /* Count NAT-OA **/
-    for (p = md->chain[ISAKMP_NEXT_NATOA_RFC], i=0; p != NULL; p = p->next, i++);
-
-    DBG(DBG_NATT,
-	DBG_log("NAT-Traversal: received %d NAT-OA.", i)
-    )
-
-    if (i == 0)
-	return;
-
-    if (!(st->nat_traversal & LELEM(NAT_TRAVERSAL_NAT_BHND_PEER)))
-    {
-	loglog(RC_LOG_SERIOUS, "NAT-Traversal: received %d NAT-OA. "
-			"ignored because peer is not NATed", i);
-	return;
-    }
-
-    if (i > 1)
-    {
-	loglog(RC_LOG_SERIOUS, "NAT-Traversal: received %d NAT-OA. "
-		"using first, ignoring others", i);
-    }
-
-    /* Take first */
-    p = md->chain[ISAKMP_NEXT_NATOA_RFC];
-
-    DBG(DBG_PARSING,
-	DBG_dump("NAT-OA:", p->pbs.start, pbs_room(&p->pbs));
-    );
-
-    switch (p->payload.nat_oa.isanoa_idtype)
-    {
-    case ID_IPV4_ADDR:
-	if (pbs_left(&p->pbs) == sizeof(struct in_addr))
-	{
-	    initaddr(p->pbs.cur, pbs_left(&p->pbs), AF_INET, &ip);
-	}
-	else
+	struct payload_digest *p;
+	struct state *st = md->st;
+	int i;
+	ip_address ip;
+
+	if (!st || !md->iface)
 	{
-	    loglog(RC_LOG_SERIOUS, "NAT-Traversal: received IPv4 NAT-OA "
-			"with invalid IP size (%d)", (int)pbs_left(&p->pbs));
-	    return;
+		loglog(RC_LOG_SERIOUS, "NAT-Traversal: assert failed %s:%d"
+				, __FILE__, __LINE__);
+		return;
 	}
-	break;
-    case ID_IPV6_ADDR:
-	if (pbs_left(&p->pbs) == sizeof(struct in6_addr))
+
+	/* Initialize NAT-OA */
+	anyaddr(AF_INET, &st->nat_oa);
+
+	/* Count NAT-OA **/
+	for (p = md->chain[ISAKMP_NEXT_NATOA_RFC], i=0; p != NULL; p = p->next, i++);
+
+	DBG(DBG_NATT,
+		DBG_log("NAT-Traversal: received %d NAT-OA.", i)
+	)
+
+	if (i == 0)
+		return;
+
+	if (!(st->nat_traversal & LELEM(NAT_TRAVERSAL_NAT_BHND_PEER)))
 	{
-	    initaddr(p->pbs.cur, pbs_left(&p->pbs), AF_INET6, &ip);
+		loglog(RC_LOG_SERIOUS, "NAT-Traversal: received %d NAT-OA. "
+						"ignored because peer is not NATed", i);
+		return;
 	}
-	else
+
+	if (i > 1)
 	{
-	    loglog(RC_LOG_SERIOUS, "NAT-Traversal: received IPv6 NAT-OA "
-			"with invalid IP size (%d)", (int)pbs_left(&p->pbs));
-	    return;
+		loglog(RC_LOG_SERIOUS, "NAT-Traversal: received %d NAT-OA. "
+				"using first, ignoring others", i);
 	}
-	break;
-    default:
-	loglog(RC_LOG_SERIOUS, "NAT-Traversal: "
-			"invalid ID Type (%d) in NAT-OA - ignored",
-			p->payload.nat_oa.isanoa_idtype);
-	    return;
-    }
 
-    DBG(DBG_NATT,
+	/* Take first */
+	p = md->chain[ISAKMP_NEXT_NATOA_RFC];
+
+	DBG(DBG_PARSING,
+		DBG_dump("NAT-OA:", p->pbs.start, pbs_room(&p->pbs));
+	);
+
+	switch (p->payload.nat_oa.isanoa_idtype)
 	{
-	    char ip_t[ADDRTOT_BUF];
-	    addrtot(&ip, 0, ip_t, sizeof(ip_t));
-	
-	    DBG_log("received NAT-OA: %s", ip_t);
+	case ID_IPV4_ADDR:
+		if (pbs_left(&p->pbs) == sizeof(struct in_addr))
+		{
+			initaddr(p->pbs.cur, pbs_left(&p->pbs), AF_INET, &ip);
+		}
+		else
+		{
+			loglog(RC_LOG_SERIOUS, "NAT-Traversal: received IPv4 NAT-OA "
+						"with invalid IP size (%d)", (int)pbs_left(&p->pbs));
+			return;
+		}
+		break;
+	case ID_IPV6_ADDR:
+		if (pbs_left(&p->pbs) == sizeof(struct in6_addr))
+		{
+			initaddr(p->pbs.cur, pbs_left(&p->pbs), AF_INET6, &ip);
+		}
+		else
+		{
+			loglog(RC_LOG_SERIOUS, "NAT-Traversal: received IPv6 NAT-OA "
+						"with invalid IP size (%d)", (int)pbs_left(&p->pbs));
+			return;
+		}
+		break;
+	default:
+		loglog(RC_LOG_SERIOUS, "NAT-Traversal: "
+						"invalid ID Type (%d) in NAT-OA - ignored",
+						p->payload.nat_oa.isanoa_idtype);
+			return;
 	}
-    )
 
-    if (isanyaddr(&ip))
-	loglog(RC_LOG_SERIOUS, "NAT-Traversal: received %%any NAT-OA...");
-    else
-	st->nat_oa = ip;
+	DBG(DBG_NATT,
+		{
+			char ip_t[ADDRTOT_BUF];
+			addrtot(&ip, 0, ip_t, sizeof(ip_t));
+		
+			DBG_log("received NAT-OA: %s", ip_t);
+		}
+	)
+
+	if (isanyaddr(&ip))
+		loglog(RC_LOG_SERIOUS, "NAT-Traversal: received %%any NAT-OA...");
+	else
+		st->nat_oa = ip;
 }
 
 bool nat_traversal_add_natoa(u_int8_t np, pb_stream *outs,
-	struct state *st)
+		struct state *st)
 {
-    struct isakmp_nat_oa natoa;
-    pb_stream pbs;
-    unsigned char ip_val[sizeof(struct in6_addr)];
-    size_t ip_len = 0;
-    ip_address *ip;
-
-    if ((!st) || (!st->st_connection))
-    {
-	loglog(RC_LOG_SERIOUS, "NAT-Traversal: assert failed %s:%d"
-			, __FILE__, __LINE__);
-	return FALSE;
-    }
-    ip = &(st->st_connection->spd.this.host_addr);
-
-    memset(&natoa, 0, sizeof(natoa));
-    natoa.isanoa_np = np;
-
-    switch (addrtypeof(ip))
-    {
-    case AF_INET:
-	ip_len = sizeof(ip->u.v4.sin_addr.s_addr);
-	memcpy(ip_val, &ip->u.v4.sin_addr.s_addr, ip_len);
-	natoa.isanoa_idtype = ID_IPV4_ADDR;
-	break;
-    case AF_INET6:
-	ip_len = sizeof(ip->u.v6.sin6_addr.s6_addr);
-	memcpy(ip_val, &ip->u.v6.sin6_addr.s6_addr, ip_len);
-	natoa.isanoa_idtype = ID_IPV6_ADDR;
-	break;
-    default:
-	loglog(RC_LOG_SERIOUS, "NAT-Traversal: "
-			"invalid addrtypeof()=%d", addrtypeof(ip));
-	return FALSE;
-    }
-
-    if (!out_struct(&natoa, &isakmp_nat_oa, outs, &pbs))
-	return FALSE;
-
-    if (!out_raw(ip_val, ip_len, &pbs, "NAT-OA"))
-	return FALSE;
-
-    DBG(DBG_NATT,
-	DBG_dump("NAT-OA (S):", ip_val, ip_len)
-    )
-
-    close_output_pbs(&pbs);
-    return TRUE;
+	struct isakmp_nat_oa natoa;
+	pb_stream pbs;
+	unsigned char ip_val[sizeof(struct in6_addr)];
+	size_t ip_len = 0;
+	ip_address *ip;
+
+	if ((!st) || (!st->st_connection))
+	{
+		loglog(RC_LOG_SERIOUS, "NAT-Traversal: assert failed %s:%d"
+						, __FILE__, __LINE__);
+		return FALSE;
+	}
+	ip = &(st->st_connection->spd.this.host_addr);
+
+	memset(&natoa, 0, sizeof(natoa));
+	natoa.isanoa_np = np;
+
+	switch (addrtypeof(ip))
+	{
+	case AF_INET:
+		ip_len = sizeof(ip->u.v4.sin_addr.s_addr);
+		memcpy(ip_val, &ip->u.v4.sin_addr.s_addr, ip_len);
+		natoa.isanoa_idtype = ID_IPV4_ADDR;
+		break;
+	case AF_INET6:
+		ip_len = sizeof(ip->u.v6.sin6_addr.s6_addr);
+		memcpy(ip_val, &ip->u.v6.sin6_addr.s6_addr, ip_len);
+		natoa.isanoa_idtype = ID_IPV6_ADDR;
+		break;
+	default:
+		loglog(RC_LOG_SERIOUS, "NAT-Traversal: "
+						"invalid addrtypeof()=%d", addrtypeof(ip));
+		return FALSE;
+	}
+
+	if (!out_struct(&natoa, &isakmp_nat_oa, outs, &pbs))
+		return FALSE;
+
+	if (!out_raw(ip_val, ip_len, &pbs, "NAT-OA"))
+		return FALSE;
+
+	DBG(DBG_NATT,
+		DBG_dump("NAT-OA (S):", ip_val, ip_len)
+	)
+
+	close_output_pbs(&pbs);
+	return TRUE;
 }
 
 void nat_traversal_show_result (u_int32_t nt, u_int16_t sport)
 {
-    const char *mth = NULL, *rslt = NULL;
-
-    switch (nt & NAT_TRAVERSAL_METHOD)
-    {
-    case LELEM(NAT_TRAVERSAL_IETF_00_01):
-	mth = natt_type_bitnames[0];
-	break;
-    case LELEM(NAT_TRAVERSAL_IETF_02_03):
-	mth = natt_type_bitnames[1];
-	break;
-    case LELEM(NAT_TRAVERSAL_RFC):
-	mth = natt_type_bitnames[2];
-	break;
-    }
-    
-    switch (nt & NAT_T_DETECTED)
-    {
-    case 0:
-	rslt = "no NAT detected";
-	break;
-    case LELEM(NAT_TRAVERSAL_NAT_BHND_ME):
-	rslt = "i am NATed";
-	break;
-    case LELEM(NAT_TRAVERSAL_NAT_BHND_PEER):
-	rslt = "peer is NATed";
-	break;
-    case LELEM(NAT_TRAVERSAL_NAT_BHND_ME) | LELEM(NAT_TRAVERSAL_NAT_BHND_PEER):
-	rslt = "both are NATed";
-	break;
-    }
-
-    loglog(RC_LOG_SERIOUS,
-	"NAT-Traversal: Result using %s: %s",
-	mth ? mth : "unknown method",
-	rslt ? rslt : "unknown result"
-    );
-
-    if ((nt & LELEM(NAT_TRAVERSAL_NAT_BHND_PEER))
-    &&	(sport == IKE_UDP_PORT)
-    &&	((nt & NAT_T_WITH_PORT_FLOATING)==0))
-    {
+	const char *mth = NULL, *rslt = NULL;
+
+	switch (nt & NAT_TRAVERSAL_METHOD)
+	{
+	case LELEM(NAT_TRAVERSAL_IETF_00_01):
+		mth = natt_type_bitnames[0];
+		break;
+	case LELEM(NAT_TRAVERSAL_IETF_02_03):
+		mth = natt_type_bitnames[1];
+		break;
+	case LELEM(NAT_TRAVERSAL_RFC):
+		mth = natt_type_bitnames[2];
+		break;
+	}
+	
+	switch (nt & NAT_T_DETECTED)
+	{
+	case 0:
+		rslt = "no NAT detected";
+		break;
+	case LELEM(NAT_TRAVERSAL_NAT_BHND_ME):
+		rslt = "i am NATed";
+		break;
+	case LELEM(NAT_TRAVERSAL_NAT_BHND_PEER):
+		rslt = "peer is NATed";
+		break;
+	case LELEM(NAT_TRAVERSAL_NAT_BHND_ME) | LELEM(NAT_TRAVERSAL_NAT_BHND_PEER):
+		rslt = "both are NATed";
+		break;
+	}
+
 	loglog(RC_LOG_SERIOUS,
-		"Warning: peer is NATed but source port is still udp/%d. "
-		"Ipsec-passthrough NAT device suspected -- NAT-T may not work.",
-		IKE_UDP_PORT
+		"NAT-Traversal: Result using %s: %s",
+		mth ? mth : "unknown method",
+		rslt ? rslt : "unknown result"
 	);
-    }
+
+	if ((nt & LELEM(NAT_TRAVERSAL_NAT_BHND_PEER))
+	&&  (sport == IKE_UDP_PORT)
+	&&  ((nt & NAT_T_WITH_PORT_FLOATING)==0))
+	{
+		loglog(RC_LOG_SERIOUS,
+				"Warning: peer is NATed but source port is still udp/%d. "
+				"Ipsec-passthrough NAT device suspected -- NAT-T may not work.",
+				IKE_UDP_PORT
+		);
+	}
 }
 
 int nat_traversal_espinudp_socket (int sk, u_int32_t type)
 {
-    int r = setsockopt(sk, SOL_UDP, UDP_ESPINUDP, &type, sizeof(type));
+	int r = setsockopt(sk, SOL_UDP, UDP_ESPINUDP, &type, sizeof(type));
 
-    if (r < 0 && errno == ENOPROTOOPT)
-    {
-	loglog(RC_LOG_SERIOUS,
-		"NAT-Traversal: ESPINUDP(%d) not supported by kernel -- "
-		"NAT-T disabled", type);
-	disable_nat_traversal(type);
-    }
-    return r;
+	if (r < 0 && errno == ENOPROTOOPT)
+	{
+		loglog(RC_LOG_SERIOUS,
+				"NAT-Traversal: ESPINUDP(%d) not supported by kernel -- "
+				"NAT-T disabled", type);
+		disable_nat_traversal(type);
+	}
+	return r;
 }
 
 void nat_traversal_new_ka_event (void)
 {
-    if (_ka_evt)
-	return;  /* event already scheduled */
+	if (_ka_evt)
+		return;  /* event already scheduled */
 
-    event_schedule(EVENT_NAT_T_KEEPALIVE, _kap, NULL);
-    _ka_evt = 1;
+	event_schedule(EVENT_NAT_T_KEEPALIVE, _kap, NULL);
+	_ka_evt = 1;
 }
 
 static void nat_traversal_send_ka (struct state *st)
 {
-    static unsigned char ka_payload = 0xff;
-    chunk_t sav;
+	static unsigned char ka_payload = 0xff;
+	chunk_t sav;
 
-    DBG(DBG_NATT,
-	DBG_log("ka_event: send NAT-KA to %s:%d",
-		ip_str(&st->st_connection->spd.that.host_addr),
-		st->st_connection->spd.that.host_port);
-    )
+	DBG(DBG_NATT,
+		DBG_log("ka_event: send NAT-KA to %s:%d",
+				ip_str(&st->st_connection->spd.that.host_addr),
+				st->st_connection->spd.that.host_port);
+	)
 
-    /* save state chunk */
-    setchunk(sav, st->st_tpacket.ptr, st->st_tpacket.len);
+	/* save state chunk */
+	sav = st->st_tpacket;
 
-    /* send keep alive */
-    setchunk(st->st_tpacket, &ka_payload, 1);
-    send_packet(st, "NAT-T Keep Alive");
+	/* send keep alive */
+	st->st_tpacket = chunk_create(&ka_payload, 1);
+	send_packet(st, "NAT-T Keep Alive");
 
-    /* restore state chunk */
-    setchunk(st->st_tpacket, sav.ptr, sav.len);
+	/* restore state chunk */
+	st->st_tpacket = sav;
 }
 
 /**
@@ -590,277 +599,277 @@ static void nat_traversal_send_ka (struct state *st)
  */
 static void nat_traversal_ka_event_state (struct state *st, void *data)
 {
-    unsigned int *_kap_st = (unsigned int *)data;
-    const struct connection *c = st->st_connection;
-
-    if (!c)
-	return;
+	unsigned int *_kap_st = (unsigned int *)data;
+	const struct connection *c = st->st_connection;
 
-    if ((st->st_state == STATE_MAIN_R3 || st->st_state == STATE_MAIN_I4)
-    &&	(st->nat_traversal & NAT_T_DETECTED)
-    &&	((st->nat_traversal & LELEM(NAT_TRAVERSAL_NAT_BHND_ME)) || _force_ka))
-    {
-	/*
-	 * - ISAKMP established
-	 * - NAT-Traversal detected
-	 * - NAT-KeepAlive needed (we are NATed)
-	 */
-	if (c->newest_isakmp_sa != st->st_serialno)
-	{
-	    /*
-	     * if newest is also valid, ignore this one, we will only use
-	     * newest.
-	     */
-	    struct state *st_newest;
-
-	    st_newest = state_with_serialno(c->newest_isakmp_sa);
-	    if (st_newest
-	    && (st_newest->st_state == STATE_MAIN_R3 || st_newest->st_state == STATE_MAIN_I4)
-	    && (st_newest->nat_traversal & NAT_T_DETECTED)
-	    && ((st_newest->nat_traversal & LELEM(NAT_TRAVERSAL_NAT_BHND_ME)) || _force_ka))
-	    {
+	if (!c)
 		return;
-	    }
+
+	if ((st->st_state == STATE_MAIN_R3 || st->st_state == STATE_MAIN_I4)
+	&&  (st->nat_traversal & NAT_T_DETECTED)
+	&&  ((st->nat_traversal & LELEM(NAT_TRAVERSAL_NAT_BHND_ME)) || _force_ka))
+	{
+		/*
+		 * - ISAKMP established
+		 * - NAT-Traversal detected
+		 * - NAT-KeepAlive needed (we are NATed)
+		 */
+		if (c->newest_isakmp_sa != st->st_serialno)
+		{
+			/*
+			 * if newest is also valid, ignore this one, we will only use
+			 * newest.
+			 */
+			struct state *st_newest;
+
+			st_newest = state_with_serialno(c->newest_isakmp_sa);
+			if (st_newest
+			&& (st_newest->st_state == STATE_MAIN_R3 || st_newest->st_state == STATE_MAIN_I4)
+			&& (st_newest->nat_traversal & NAT_T_DETECTED)
+			&& ((st_newest->nat_traversal & LELEM(NAT_TRAVERSAL_NAT_BHND_ME)) || _force_ka))
+			{
+				return;
+			}
+		}
+		set_cur_state(st);
+		nat_traversal_send_ka(st);
+		reset_cur_state();
+		(*_kap_st)++;
 	}
-	set_cur_state(st);
-	nat_traversal_send_ka(st);
-	reset_cur_state();
-	(*_kap_st)++;
-    }
 }
 
 void nat_traversal_ka_event (void)
 {
-    unsigned int _kap_st = 0;
+	unsigned int _kap_st = 0;
 
-    _ka_evt = 0;  /* ready to be reschedule */
+	_ka_evt = 0;  /* ready to be reschedule */
 
-    for_each_state((void *)nat_traversal_ka_event_state, &_kap_st);
+	for_each_state((void *)nat_traversal_ka_event_state, &_kap_st);
 
-    /* if there are still states who needs Keep-Alive, schedule new event */
-    if (_kap_st)
-	nat_traversal_new_ka_event();
+	/* if there are still states who needs Keep-Alive, schedule new event */
+	if (_kap_st)
+		nat_traversal_new_ka_event();
 }
 
 struct _new_mapp_nfo {
-	ip_address addr;
-	u_int16_t sport, dport;
+		ip_address addr;
+		u_int16_t sport, dport;
 };
 
 static void nat_traversal_find_new_mapp_state (struct state *st, void *data)
 {
-    struct connection *c = st->st_connection;
-    struct _new_mapp_nfo *nfo = (struct _new_mapp_nfo *)data;
-
-    if (c != NULL
-    && sameaddr(&c->spd.that.host_addr, &(nfo->addr))
-    &&	c->spd.that.host_port == nfo->sport)
-    {
+	struct connection *c = st->st_connection;
+	struct _new_mapp_nfo *nfo = (struct _new_mapp_nfo *)data;
 
-	/* change host port */
-	c->spd.that.host_port = nfo->dport;
-
-	if (IS_IPSEC_SA_ESTABLISHED(st->st_state)
-	||  IS_ONLY_INBOUND_IPSEC_SA_ESTABLISHED(st->st_state))
+	if (c != NULL
+	&& sameaddr(&c->spd.that.host_addr, &(nfo->addr))
+	&&  c->spd.that.host_port == nfo->sport)
 	{
-	    if (!update_ipsec_sa(st))
-	    {
-		/*
-		 * If ipsec update failed, restore old port or we'll
-		 * not be able to update anymore.
-		 */
-		c->spd.that.host_port = nfo->sport;
-	    }
+
+		/* change host port */
+		c->spd.that.host_port = nfo->dport;
+
+		if (IS_IPSEC_SA_ESTABLISHED(st->st_state)
+		||  IS_ONLY_INBOUND_IPSEC_SA_ESTABLISHED(st->st_state))
+		{
+			if (!update_ipsec_sa(st))
+			{
+				/*
+				 * If ipsec update failed, restore old port or we'll
+				 * not be able to update anymore.
+				 */
+				c->spd.that.host_port = nfo->sport;
+			}
+		}
 	}
-    }
 }
 
 static int nat_traversal_new_mapping(const ip_address *src, u_int16_t sport,
-	const ip_address *dst, u_int16_t dport)
+		const ip_address *dst, u_int16_t dport)
 {
-    char srca[ADDRTOT_BUF], dsta[ADDRTOT_BUF];
-    struct _new_mapp_nfo nfo;
-
-    addrtot(src, 0, srca, ADDRTOT_BUF);
-    addrtot(dst, 0, dsta, ADDRTOT_BUF);
-
-    if (!sameaddr(src, dst))
-    {
-	loglog(RC_LOG_SERIOUS, "nat_traversal_new_mapping: "
-		"address change currently not supported [%s:%d,%s:%d]",
-		srca, sport, dsta, dport);
-	return -1;
-    }
-
-    if (sport == dport)
-    {
-	/* no change */
-	return 0;
-    }
+	char srca[ADDRTOT_BUF], dsta[ADDRTOT_BUF];
+	struct _new_mapp_nfo nfo;
 
-    DBG_log("NAT-T: new mapping %s:%d/%d)", srca, sport, dport);
+	addrtot(src, 0, srca, ADDRTOT_BUF);
+	addrtot(dst, 0, dsta, ADDRTOT_BUF);
 
-    nfo.addr = *src;
-    nfo.sport = sport;
-    nfo.dport = dport;
+	if (!sameaddr(src, dst))
+	{
+		loglog(RC_LOG_SERIOUS, "nat_traversal_new_mapping: "
+				"address change currently not supported [%s:%d,%s:%d]",
+				srca, sport, dsta, dport);
+		return -1;
+	}
+
+	if (sport == dport)
+	{
+		/* no change */
+		return 0;
+	}
 
-    for_each_state((void *)nat_traversal_find_new_mapp_state, &nfo);
+	DBG_log("NAT-T: new mapping %s:%d/%d)", srca, sport, dport);
 
-    return 0;
+	nfo.addr = *src;
+	nfo.sport = sport;
+	nfo.dport = dport;
+
+	for_each_state((void *)nat_traversal_find_new_mapp_state, &nfo);
+
+	return 0;
 }
 
 void nat_traversal_change_port_lookup(struct msg_digest *md, struct state *st)
 {
-    struct connection *c = st ? st->st_connection : NULL;
-    struct iface *i = NULL;
+	struct connection *c = st ? st->st_connection : NULL;
+	struct iface *i = NULL;
 
-    if ((st == NULL) || (c == NULL))
-	return;
+	if ((st == NULL) || (c == NULL))
+		return;
 
-    if (md)
-    {
-	/*
-	 * If source port has changed, update (including other states and
-	 * established kernel SA)
-	 */
-	if (c->spd.that.host_port != md->sender_port)
+	if (md)
 	{
-	    nat_traversal_new_mapping(&c->spd.that.host_addr, c->spd.that.host_port,
-			&c->spd.that.host_addr, md->sender_port);
+		/*
+		 * If source port has changed, update (including other states and
+		 * established kernel SA)
+		 */
+		if (c->spd.that.host_port != md->sender_port)
+		{
+			nat_traversal_new_mapping(&c->spd.that.host_addr, c->spd.that.host_port,
+						&c->spd.that.host_addr, md->sender_port);
+		}
+
+		/*
+		 * If interface type has changed, update local port (500/4500)
+		 */
+		if ((c->spd.this.host_port == NAT_T_IKE_FLOAT_PORT && !md->iface->ike_float)
+		||  (c->spd.this.host_port != NAT_T_IKE_FLOAT_PORT &&  md->iface->ike_float))
+		{
+			c->spd.this.host_port = (md->iface->ike_float)
+				? NAT_T_IKE_FLOAT_PORT : pluto_port;
+
+			DBG(DBG_NATT,
+				DBG_log("NAT-T: updating local port to %d", c->spd.this.host_port);
+			);
+		}
 	}
 
 	/*
-	 * If interface type has changed, update local port (500/4500)
-	 */
-	if ((c->spd.this.host_port == NAT_T_IKE_FLOAT_PORT && !md->iface->ike_float)
-	||  (c->spd.this.host_port != NAT_T_IKE_FLOAT_PORT &&  md->iface->ike_float))
-	{
-	    c->spd.this.host_port = (md->iface->ike_float)
-		? NAT_T_IKE_FLOAT_PORT : pluto_port;
-
-	    DBG(DBG_NATT,
-		DBG_log("NAT-T: updating local port to %d", c->spd.this.host_port);
-	    );
-	}
-    }
-
-    /*
-     * If we're initiator and NAT-T (with port floating) is detected, we
-     * need to change port (MAIN_I3 or QUICK_I1)
-     */
-    if ((st->st_state == STATE_MAIN_I3 || st->st_state == STATE_QUICK_I1)
-    &&	(st->nat_traversal & NAT_T_WITH_PORT_FLOATING)
-    &&	(st->nat_traversal & NAT_T_DETECTED)
-    &&	(c->spd.this.host_port != NAT_T_IKE_FLOAT_PORT))
-    {
-	DBG(DBG_NATT,
-	    DBG_log("NAT-T: floating to port %d", NAT_T_IKE_FLOAT_PORT);
-	)
-	c->spd.this.host_port = NAT_T_IKE_FLOAT_PORT;
-	c->spd.that.host_port = NAT_T_IKE_FLOAT_PORT;
-	/*
-	 * Also update pending connections or they will be deleted if uniqueids
-	 * option is set.
+	 * If we're initiator and NAT-T (with port floating) is detected, we
+	 * need to change port (MAIN_I3 or QUICK_I1)
 	 */
-	update_pending(st, st);
-    }
-
-    /*
-     * Find valid interface according to local port (500/4500)
-     */
-    if ((c->spd.this.host_port == NAT_T_IKE_FLOAT_PORT && !c->interface->ike_float)
-    ||  (c->spd.this.host_port != NAT_T_IKE_FLOAT_PORT &&  c->interface->ike_float))
-    {
-	for (i = interfaces; i !=  NULL; i = i->next)
-	{
-	    if (sameaddr(&c->interface->addr, &i->addr)
-	    && i->ike_float != c->interface->ike_float)
-	    {
+	if ((st->st_state == STATE_MAIN_I3 || st->st_state == STATE_QUICK_I1)
+	&&  (st->nat_traversal & NAT_T_WITH_PORT_FLOATING)
+	&&  (st->nat_traversal & NAT_T_DETECTED)
+	&&  (c->spd.this.host_port != NAT_T_IKE_FLOAT_PORT))
+	{
 		DBG(DBG_NATT,
-		    DBG_log("NAT-T: using interface %s:%d", i->rname,
-			i->ike_float ? NAT_T_IKE_FLOAT_PORT : pluto_port);
+			DBG_log("NAT-T: floating to port %d", NAT_T_IKE_FLOAT_PORT);
 		)
-		c->interface = i;
-		break;
-	    }
+		c->spd.this.host_port = NAT_T_IKE_FLOAT_PORT;
+		c->spd.that.host_port = NAT_T_IKE_FLOAT_PORT;
+		/*
+		 * Also update pending connections or they will be deleted if uniqueids
+		 * option is set.
+		 */
+		update_pending(st, st);
+	}
+
+	/*
+	 * Find valid interface according to local port (500/4500)
+	 */
+	if ((c->spd.this.host_port == NAT_T_IKE_FLOAT_PORT && !c->interface->ike_float)
+	||  (c->spd.this.host_port != NAT_T_IKE_FLOAT_PORT &&  c->interface->ike_float))
+	{
+		for (i = interfaces; i !=  NULL; i = i->next)
+		{
+			if (sameaddr(&c->interface->addr, &i->addr)
+			&& i->ike_float != c->interface->ike_float)
+			{
+				DBG(DBG_NATT,
+					DBG_log("NAT-T: using interface %s:%d", i->rname,
+						i->ike_float ? NAT_T_IKE_FLOAT_PORT : pluto_port);
+				)
+				c->interface = i;
+				break;
+			}
+		}
 	}
-    }
 }
 
 struct _new_klips_mapp_nfo {
-	struct sadb_sa *sa;
-	ip_address src, dst;
-	u_int16_t sport, dport;
+		struct sadb_sa *sa;
+		ip_address src, dst;
+		u_int16_t sport, dport;
 };
 
 static void nat_t_new_klips_mapp (struct state *st, void *data)
 {
-    struct connection *c = st->st_connection;
-    struct _new_klips_mapp_nfo *nfo = (struct _new_klips_mapp_nfo *)data;
-
-    if (c != NULL && st->st_esp.present
-    &&	sameaddr(&c->spd.that.host_addr, &(nfo->src))
-    &&  st->st_esp.our_spi == nfo->sa->sadb_sa_spi)
-    {
-	nat_traversal_new_mapping(&c->spd.that.host_addr, c->spd.that.host_port,
-				  &(nfo->dst), nfo->dport);
-    }
+	struct connection *c = st->st_connection;
+	struct _new_klips_mapp_nfo *nfo = (struct _new_klips_mapp_nfo *)data;
+
+	if (c != NULL && st->st_esp.present
+	&&  sameaddr(&c->spd.that.host_addr, &(nfo->src))
+	&&  st->st_esp.our_spi == nfo->sa->sadb_sa_spi)
+	{
+		nat_traversal_new_mapping(&c->spd.that.host_addr, c->spd.that.host_port,
+								  &(nfo->dst), nfo->dport);
+	}
 }
 
 void process_pfkey_nat_t_new_mapping(
-	struct sadb_msg *msg __attribute__ ((unused)),
-	struct sadb_ext *extensions[SADB_EXT_MAX + 1])
+		struct sadb_msg *msg __attribute__ ((unused)),
+		struct sadb_ext *extensions[SADB_EXT_MAX + 1])
 {
-    struct _new_klips_mapp_nfo nfo;
-    struct sadb_address *srcx = (void *) extensions[SADB_EXT_ADDRESS_SRC];
-    struct sadb_address *dstx = (void *) extensions[SADB_EXT_ADDRESS_DST];
-    struct sockaddr *srca, *dsta;
-    err_t ugh = NULL;
-
-    nfo.sa = (void *) extensions[SADB_EXT_SA];
-
-    if (!nfo.sa || !srcx || !dstx)
-    {
-	plog("SADB_X_NAT_T_NEW_MAPPING message from KLIPS malformed: "
-		"got NULL params");
-	return;
-    }
-
-    srca = ((struct sockaddr *)(void *)&srcx[1]);
-    dsta = ((struct sockaddr *)(void *)&dstx[1]);
-
-    if (srca->sa_family != AF_INET || dsta->sa_family != AF_INET)
-    {
-	ugh = "only AF_INET supported";
-    }
-    else
-    {
-	char text_said[SATOT_BUF];
-	char _srca[ADDRTOT_BUF], _dsta[ADDRTOT_BUF];
-	ip_said said;
-
-	initaddr((const void *) &((const struct sockaddr_in *)srca)->sin_addr,
-			sizeof(((const struct sockaddr_in *)srca)->sin_addr),
-			srca->sa_family, &(nfo.src));
-	nfo.sport = ntohs(((const struct sockaddr_in *)srca)->sin_port);
-	initaddr((const void *) &((const struct sockaddr_in *)dsta)->sin_addr,
-			sizeof(((const struct sockaddr_in *)dsta)->sin_addr),
-			dsta->sa_family, &(nfo.dst));
-	nfo.dport = ntohs(((const struct sockaddr_in *)dsta)->sin_port);
+	struct _new_klips_mapp_nfo nfo;
+	struct sadb_address *srcx = (void *) extensions[SADB_EXT_ADDRESS_SRC];
+	struct sadb_address *dstx = (void *) extensions[SADB_EXT_ADDRESS_DST];
+	struct sockaddr *srca, *dsta;
+	err_t ugh = NULL;
 
-	DBG(DBG_NATT,
-	    initsaid(&nfo.src, nfo.sa->sadb_sa_spi, SA_ESP, &said);
-	    satot(&said, 0, text_said, SATOT_BUF);
-	    addrtot(&nfo.src, 0, _srca, ADDRTOT_BUF);
-	    addrtot(&nfo.dst, 0, _dsta, ADDRTOT_BUF);
-	    DBG_log("new klips mapping %s %s:%d %s:%d",
-			text_said, _srca, nfo.sport, _dsta, nfo.dport);
-	)
+	nfo.sa = (void *) extensions[SADB_EXT_SA];
 
-	for_each_state((void *)nat_t_new_klips_mapp, &nfo);
-    }
+	if (!nfo.sa || !srcx || !dstx)
+	{
+		plog("SADB_X_NAT_T_NEW_MAPPING message from KLIPS malformed: "
+				"got NULL params");
+		return;
+	}
+
+	srca = ((struct sockaddr *)(void *)&srcx[1]);
+	dsta = ((struct sockaddr *)(void *)&dstx[1]);
+
+	if (srca->sa_family != AF_INET || dsta->sa_family != AF_INET)
+	{
+		ugh = "only AF_INET supported";
+	}
+	else
+	{
+		char text_said[SATOT_BUF];
+		char _srca[ADDRTOT_BUF], _dsta[ADDRTOT_BUF];
+		ip_said said;
+
+		initaddr((const void *) &((const struct sockaddr_in *)srca)->sin_addr,
+						sizeof(((const struct sockaddr_in *)srca)->sin_addr),
+						srca->sa_family, &(nfo.src));
+		nfo.sport = ntohs(((const struct sockaddr_in *)srca)->sin_port);
+		initaddr((const void *) &((const struct sockaddr_in *)dsta)->sin_addr,
+						sizeof(((const struct sockaddr_in *)dsta)->sin_addr),
+						dsta->sa_family, &(nfo.dst));
+		nfo.dport = ntohs(((const struct sockaddr_in *)dsta)->sin_port);
+
+		DBG(DBG_NATT,
+			initsaid(&nfo.src, nfo.sa->sadb_sa_spi, SA_ESP, &said);
+			satot(&said, 0, text_said, SATOT_BUF);
+			addrtot(&nfo.src, 0, _srca, ADDRTOT_BUF);
+			addrtot(&nfo.dst, 0, _dsta, ADDRTOT_BUF);
+			DBG_log("new klips mapping %s %s:%d %s:%d",
+						text_said, _srca, nfo.sport, _dsta, nfo.dport);
+		)
+
+		for_each_state((void *)nat_t_new_klips_mapp, &nfo);
+	}
 
-    if (ugh != NULL)
-	plog("SADB_X_NAT_T_NEW_MAPPING message from KLIPS malformed: %s", ugh);
+	if (ugh != NULL)
+		plog("SADB_X_NAT_T_NEW_MAPPING message from KLIPS malformed: %s", ugh);
 }
 
diff --git a/src/pluto/nat_traversal.h b/src/pluto/nat_traversal.h
index 9041d84de..98b0a2bc0 100644
--- a/src/pluto/nat_traversal.h
+++ b/src/pluto/nat_traversal.h
@@ -10,8 +10,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: nat_traversal.h 3252 2007-10-06 21:24:50Z andreas $
  */
 
 #ifndef _NAT_TRAVERSAL_H
@@ -32,37 +30,37 @@
  * NAT-Traversal methods which need NAT-D
  */
 #define NAT_T_WITH_NATD \
-	( LELEM(NAT_TRAVERSAL_IETF_00_01) | LELEM(NAT_TRAVERSAL_IETF_02_03) | \
-	LELEM(NAT_TRAVERSAL_RFC) )
+		( LELEM(NAT_TRAVERSAL_IETF_00_01) | LELEM(NAT_TRAVERSAL_IETF_02_03) | \
+		LELEM(NAT_TRAVERSAL_RFC) )
 /**
  * NAT-Traversal methods which need NAT-OA
  */
 #define NAT_T_WITH_NATOA \
-	( LELEM(NAT_TRAVERSAL_IETF_00_01) | LELEM(NAT_TRAVERSAL_IETF_02_03) | \
-	LELEM(NAT_TRAVERSAL_RFC) )
+		( LELEM(NAT_TRAVERSAL_IETF_00_01) | LELEM(NAT_TRAVERSAL_IETF_02_03) | \
+		LELEM(NAT_TRAVERSAL_RFC) )
 /**
  * NAT-Traversal methods which use NAT-KeepAlive
  */
 #define NAT_T_WITH_KA \
-	( LELEM(NAT_TRAVERSAL_IETF_00_01) | LELEM(NAT_TRAVERSAL_IETF_02_03) | \
-	LELEM(NAT_TRAVERSAL_RFC) )
+		( LELEM(NAT_TRAVERSAL_IETF_00_01) | LELEM(NAT_TRAVERSAL_IETF_02_03) | \
+		LELEM(NAT_TRAVERSAL_RFC) )
 /**
  * NAT-Traversal methods which use floating port
  */
 #define NAT_T_WITH_PORT_FLOATING \
-	( LELEM(NAT_TRAVERSAL_IETF_02_03) | LELEM(NAT_TRAVERSAL_RFC) )
+		( LELEM(NAT_TRAVERSAL_IETF_02_03) | LELEM(NAT_TRAVERSAL_RFC) )
 
 /**
  * NAT-Traversal methods which use officials values (RFC)
  */
 #define NAT_T_WITH_RFC_VALUES \
-	( LELEM(NAT_TRAVERSAL_RFC) )
+		( LELEM(NAT_TRAVERSAL_RFC) )
 
 /**
  * NAT-Traversal detected
  */
 #define NAT_T_DETECTED \
-	( LELEM(NAT_TRAVERSAL_NAT_BHND_ME) | LELEM(NAT_TRAVERSAL_NAT_BHND_PEER) )
+		( LELEM(NAT_TRAVERSAL_NAT_BHND_ME) | LELEM(NAT_TRAVERSAL_NAT_BHND_PEER) )
 
 /**
  * NAT-T Port Floating
@@ -70,7 +68,7 @@
 #define NAT_T_IKE_FLOAT_PORT     4500
 
 void init_nat_traversal (bool activate, unsigned int keep_alive_period,
-	bool fka, bool spf);
+		bool fka, bool spf);
 
 extern bool nat_traversal_enabled;
 extern bool nat_traversal_support_non_ike;
@@ -82,7 +80,7 @@ extern bool nat_traversal_support_port_floating;
 void nat_traversal_natd_lookup(struct msg_digest *md);
 #ifndef PB_STREAM_UNDEFINED
 bool nat_traversal_add_natd(u_int8_t np, pb_stream *outs,
-	struct msg_digest *md);
+		struct msg_digest *md);
 #endif
 
 /**
@@ -91,7 +89,7 @@ bool nat_traversal_add_natd(u_int8_t np, pb_stream *outs,
 void nat_traversal_natoa_lookup(struct msg_digest *md);
 #ifndef PB_STREAM_UNDEFINED
 bool nat_traversal_add_natoa(u_int8_t np, pb_stream *outs,
-	struct state *st);
+		struct state *st);
 #endif
 
 /**
@@ -119,8 +117,8 @@ void nat_traversal_change_port_lookup(struct msg_digest *md, struct state *st);
  */
 #ifdef __PFKEY_V2_H
 void process_pfkey_nat_t_new_mapping(
-	struct sadb_msg *,
-	struct sadb_ext *[SADB_EXT_MAX + 1]);
+		struct sadb_msg *,
+		struct sadb_ext *[SADB_EXT_MAX + 1]);
 #endif
 
 /**
@@ -133,22 +131,22 @@ nat_traversal_port_float(struct state *st, struct msg_digest *md, bool in);
  * Encapsulation mode macro (see demux.c)
  */
 #define NAT_T_ENCAPSULATION_MODE(st,nat_t_policy) ( \
-	((st)->nat_traversal & NAT_T_DETECTED) \
-		? ( ((nat_t_policy) & POLICY_TUNNEL) \
-			? ( ((st)->nat_traversal & NAT_T_WITH_RFC_VALUES) \
-				? (ENCAPSULATION_MODE_UDP_TUNNEL_RFC) \
-				: (ENCAPSULATION_MODE_UDP_TUNNEL_DRAFTS) \
-			  ) \
-			: ( ((st)->nat_traversal & NAT_T_WITH_RFC_VALUES) \
-				? (ENCAPSULATION_MODE_UDP_TRANSPORT_RFC) \
-				: (ENCAPSULATION_MODE_UDP_TRANSPORT_DRAFTS) \
-			  ) \
-		  ) \
-		: ( ((st)->st_policy & POLICY_TUNNEL) \
-			? (ENCAPSULATION_MODE_TUNNEL) \
-			: (ENCAPSULATION_MODE_TRANSPORT) \
-		  ) \
-	)
+		((st)->nat_traversal & NAT_T_DETECTED) \
+				? ( ((nat_t_policy) & POLICY_TUNNEL) \
+						? ( ((st)->nat_traversal & NAT_T_WITH_RFC_VALUES) \
+								? (ENCAPSULATION_MODE_UDP_TUNNEL_RFC) \
+								: (ENCAPSULATION_MODE_UDP_TUNNEL_DRAFTS) \
+						  ) \
+						: ( ((st)->nat_traversal & NAT_T_WITH_RFC_VALUES) \
+								? (ENCAPSULATION_MODE_UDP_TRANSPORT_RFC) \
+								: (ENCAPSULATION_MODE_UDP_TRANSPORT_DRAFTS) \
+						  ) \
+				  ) \
+				: ( ((st)->st_policy & POLICY_TUNNEL) \
+						? (ENCAPSULATION_MODE_TUNNEL) \
+						: (ENCAPSULATION_MODE_TRANSPORT) \
+				  ) \
+		)
 
 #endif /* _NAT_TRAVERSAL_H */
 
diff --git a/src/pluto/ocsp.c b/src/pluto/ocsp.c
index 74b86bf19..80164fa1d 100644
--- a/src/pluto/ocsp.c
+++ b/src/pluto/ocsp.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: ocsp.c 4827 2009-01-09 01:36:13Z andreas $
  */
 
 #include <unistd.h>
@@ -24,7 +22,13 @@
 #include <fcntl.h>
 
 #include <freeswan.h>
-#include <ipsec_policy.h>
+
+#include <library.h>
+#include <asn1/asn1.h>
+#include <asn1/asn1_parser.h>
+#include <asn1/oid.h>
+#include <crypto/rngs/rng.h>
+#include <crypto/hashers/hasher.h>
 
 #include "constants.h"
 #include "defs.h"
@@ -32,120 +36,116 @@
 #include "x509.h"
 #include "crl.h"
 #include "ca.h"
-#include "rnd.h"
-#include "asn1.h"
 #include "certs.h"
 #include "smartcard.h"
-#include <asn1/oid.h>
 #include "whack.h"
-#include "pkcs1.h"
 #include "keys.h"
 #include "fetch.h"
 #include "ocsp.h"
 
-#define NONCE_LENGTH		16
+#define NONCE_LENGTH            16
 
 static const char *const cert_status_names[] = {
-    "good",
-    "revoked",
-    "unknown",
-    "undefined"
+	"good",
+	"revoked",
+	"unknown",
+	"undefined"
 };
 
 
 static const char *const response_status_names[] = {
-    "successful",
-    "malformed request",
-    "internal error",
-    "try later",
-    "status #4",
-    "signature required",
-    "unauthorized"
+	"successful",
+	"malformed request",
+	"internal error",
+	"try later",
+	"status #4",
+	"signature required",
+	"unauthorized"
 };
 
 /* response container */
 typedef struct response response_t;
 
 struct response {
-    chunk_t  tbs;
-    chunk_t  responder_id_name;
-    chunk_t  responder_id_key;
-    time_t   produced_at;
-    chunk_t  responses;
-    chunk_t  nonce;
-    int      algorithm;
-    chunk_t  signature;
+	chunk_t  tbs;
+	chunk_t  responder_id_name;
+	chunk_t  responder_id_key;
+	time_t   produced_at;
+	chunk_t  responses;
+	chunk_t  nonce;
+	int      algorithm;
+	chunk_t  signature;
 };
 
 const response_t empty_response = {
-    { NULL, 0 }   ,	/* tbs */
-    { NULL, 0 }   ,	/* responder_id_name */
-    { NULL, 0 }   ,	/* responder_id_key */
-    UNDEFINED_TIME,	/* produced_at */
-    { NULL, 0 }   ,	/* single_response */
-    { NULL, 0 }   ,	/* nonce */
-    OID_UNKNOWN   ,	/* signature_algorithm */
-    { NULL, 0 }		/* signature */
+	{ NULL, 0 }   ,     /* tbs */
+	{ NULL, 0 }   ,     /* responder_id_name */
+	{ NULL, 0 }   ,     /* responder_id_key */
+	UNDEFINED_TIME,     /* produced_at */
+	{ NULL, 0 }   ,     /* single_response */
+	{ NULL, 0 }   ,     /* nonce */
+	OID_UNKNOWN   ,     /* signature_algorithm */
+	{ NULL, 0 }         /* signature */
 };
 
 /* single response container */
 typedef struct single_response single_response_t;
 
 struct single_response {
-    single_response_t *next;
-    int               hash_algorithm;
-    chunk_t           issuer_name_hash;
-    chunk_t           issuer_key_hash;
-    chunk_t           serialNumber;
-    cert_status_t     status;
-    time_t            revocationTime;
-    crl_reason_t      revocationReason;
-    time_t            thisUpdate;
-    time_t            nextUpdate;
+	single_response_t *next;
+	int               hash_algorithm;
+	chunk_t           issuer_name_hash;
+	chunk_t           issuer_key_hash;
+	chunk_t           serialNumber;
+	cert_status_t     status;
+	time_t            revocationTime;
+	crl_reason_t      revocationReason;
+	time_t            thisUpdate;
+	time_t            nextUpdate;
 };
 
 const single_response_t empty_single_response = {
-      NULL            ,	/* *next */
-    OID_UNKNOWN       ,	/* hash_algorithm */
-    { NULL, 0 }       ,	/* issuer_name_hash */
-    { NULL, 0 }       ,	/* issuer_key_hash */
-    { NULL, 0 }       ,	/* serial_number */
-    CERT_UNDEFINED    ,	/* status */
-    UNDEFINED_TIME    ,	/* revocationTime */
-    REASON_UNSPECIFIED,	/* revocationReason */
-    UNDEFINED_TIME    ,	/* this_update */
-    UNDEFINED_TIME	/* next_update */
+	  NULL            , /* *next */
+	OID_UNKNOWN       , /* hash_algorithm */
+	{ NULL, 0 }       , /* issuer_name_hash */
+	{ NULL, 0 }       , /* issuer_key_hash */
+	{ NULL, 0 }       , /* serial_number */
+	CERT_UNDEFINED    , /* status */
+	UNDEFINED_TIME    , /* revocationTime */
+	REASON_UNSPECIFIED, /* revocationReason */
+	UNDEFINED_TIME    , /* this_update */
+	UNDEFINED_TIME      /* next_update */
 };
 
 
 /* list of single requests */
 typedef struct request_list request_list_t;
 struct request_list {
-    chunk_t request;
-    request_list_t *next;
+	chunk_t request;
+	request_list_t *next;
 };
 
 /* some OCSP specific prefabricated ASN.1 constants */
 
 static u_char ASN1_nonce_oid_str[] = {
-    0x06, 0x09, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x02
+	0x06, 0x09, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x02
 };
 
-static const chunk_t ASN1_nonce_oid = strchunk(ASN1_nonce_oid_str);
+static const chunk_t ASN1_nonce_oid = chunk_from_buf(ASN1_nonce_oid_str);
 
 static u_char ASN1_response_oid_str[] = {
-    0x06, 0x09, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x04
+	0x06, 0x09, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x04
 };
 
-static const chunk_t ASN1_response_oid = strchunk(ASN1_response_oid_str);
+static const chunk_t ASN1_response_oid = chunk_from_buf(ASN1_response_oid_str);
 
 static u_char ASN1_response_content_str[] = {
-    0x04, 0x0D,
-	  0x30, 0x0B,
-		0x06, 0x09, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x01
+	0x04, 0x0D,
+		  0x30, 0x0B,
+				0x06, 0x09, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x01
 };
 
-static const chunk_t ASN1_response_content = strchunk(ASN1_response_content_str);
+static const chunk_t ASN1_response_content = chunk_from_buf(ASN1_response_content_str);
 
 /* default OCSP uri */
 static chunk_t ocsp_default_uri;
@@ -158,57 +158,60 @@ static x509cert_t *ocsp_requestor_cert = NULL;
 
 static smartcard_t *ocsp_requestor_sc = NULL;
 
-static const struct RSA_private_key *ocsp_requestor_pri = NULL;
-
-/* asn.1 definitions for parsing */
+static private_key_t *ocsp_requestor_key = NULL;
 
+/**
+ * ASN.1 definition of ocspResponse
+ */
 static const asn1Object_t ocspResponseObjects[] = {
-  { 0, "OCSPResponse",                  ASN1_SEQUENCE,     ASN1_NONE }, /*  0 */
-  { 1,   "responseStatus",              ASN1_ENUMERATED,   ASN1_BODY }, /*  1 */
-  { 1,   "responseBytesContext",        ASN1_CONTEXT_C_0,  ASN1_OPT  }, /*  2 */
-  { 2,     "responseBytes",             ASN1_SEQUENCE,     ASN1_NONE }, /*  3 */
-  { 3,       "responseType",            ASN1_OID,          ASN1_BODY }, /*  4 */
-  { 3,       "response",                ASN1_OCTET_STRING, ASN1_BODY }, /*  5 */
-  { 1,   "end opt",                     ASN1_EOC,          ASN1_END  }  /*  6 */
+	{ 0, "OCSPResponse",			ASN1_SEQUENCE,		ASN1_NONE }, /* 0 */
+	{ 1,   "responseStatus",		ASN1_ENUMERATED,	ASN1_BODY }, /* 1 */
+	{ 1,   "responseBytesContext",	ASN1_CONTEXT_C_0,	ASN1_OPT  }, /* 2 */
+	{ 2,     "responseBytes",		ASN1_SEQUENCE,		ASN1_NONE }, /* 3 */
+	{ 3,       "responseType",		ASN1_OID,			ASN1_BODY }, /* 4 */
+	{ 3,       "response",			ASN1_OCTET_STRING,	ASN1_BODY }, /* 5 */
+	{ 1,   "end opt",				ASN1_EOC,			ASN1_END  }, /* 6 */
+	{ 0, "exit",					ASN1_EOC,			ASN1_EXIT }
 };
-
 #define OCSP_RESPONSE_STATUS	1
-#define OCSP_RESPONSE_TYPE	4
-#define OCSP_RESPONSE		5
-#define OCSP_RESPONSE_ROOF	7
+#define OCSP_RESPONSE_TYPE		4
+#define OCSP_RESPONSE			5
 
+/**
+ * ASN.1 definition of basicResponse
+ */
 static const asn1Object_t basicResponseObjects[] = {
-  { 0, "BasicOCSPResponse",             ASN1_SEQUENCE,        ASN1_NONE }, /*  0 */
-  { 1,   "tbsResponseData",             ASN1_SEQUENCE,        ASN1_OBJ  }, /*  1 */
-  { 2,     "versionContext",            ASN1_CONTEXT_C_0,     ASN1_NONE |
-							      ASN1_DEF  }, /*  2 */
-  { 3,       "version",                 ASN1_INTEGER,         ASN1_BODY }, /*  3 */
-  { 2,     "responderIdContext",        ASN1_CONTEXT_C_1,     ASN1_OPT  }, /*  4 */
-  { 3,       "responderIdByName",       ASN1_SEQUENCE,        ASN1_OBJ  }, /*  5 */
-  { 2,     "end choice",                ASN1_EOC,             ASN1_END  }, /*  6 */
-  { 2,     "responderIdContext",        ASN1_CONTEXT_C_2,     ASN1_OPT  }, /*  7 */
-  { 3,       "responderIdByKey",        ASN1_OCTET_STRING,    ASN1_BODY }, /*  8 */
-  { 2,     "end choice",                ASN1_EOC,             ASN1_END  }, /*  9 */
-  { 2,     "producedAt",                ASN1_GENERALIZEDTIME, ASN1_BODY }, /* 10 */
-  { 2,     "responses",                 ASN1_SEQUENCE,        ASN1_OBJ  }, /* 11 */
-  { 2,     "responseExtensionsContext", ASN1_CONTEXT_C_1,     ASN1_OPT  }, /* 12 */
-  { 3,       "responseExtensions",      ASN1_SEQUENCE,        ASN1_LOOP }, /* 13 */
-  { 4,         "extension",             ASN1_SEQUENCE,        ASN1_NONE }, /* 14 */
-  { 5,           "extnID",              ASN1_OID,             ASN1_BODY }, /* 15 */
-  { 5,           "critical",            ASN1_BOOLEAN,         ASN1_BODY |
-							      ASN1_DEF  }, /* 16 */
-  { 5,           "extnValue",           ASN1_OCTET_STRING,    ASN1_BODY }, /* 17 */
-  { 4,         "end loop",              ASN1_EOC,             ASN1_END  }, /* 18 */
-  { 2,     "end opt",                   ASN1_EOC,             ASN1_END  }, /* 19 */
-  { 1,   "signatureAlgorithm",          ASN1_EOC,             ASN1_RAW  }, /* 20 */
-  { 1,   "signature",                   ASN1_BIT_STRING,      ASN1_BODY }, /* 21 */
-  { 1,   "certsContext",                ASN1_CONTEXT_C_0,     ASN1_OPT  }, /* 22 */
-  { 2,     "certs",                     ASN1_SEQUENCE,        ASN1_LOOP }, /* 23 */
-  { 3,       "certificate",             ASN1_SEQUENCE,        ASN1_OBJ  }, /* 24 */
-  { 2,     "end loop",                  ASN1_EOC,	      ASN1_END  }, /* 25 */
-  { 1,   "end opt",                     ASN1_EOC,             ASN1_END  }  /* 26 */
+	{ 0, "BasicOCSPResponse",				ASN1_SEQUENCE,			ASN1_NONE }, /*  0 */
+	{ 1,   "tbsResponseData",				ASN1_SEQUENCE,			ASN1_OBJ  }, /*  1 */
+	{ 2,     "versionContext",				ASN1_CONTEXT_C_0,		ASN1_NONE |
+																	ASN1_DEF  }, /*  2 */
+	{ 3,       "version",					ASN1_INTEGER,			ASN1_BODY }, /*  3 */
+	{ 2,     "responderIdContext",			ASN1_CONTEXT_C_1,		ASN1_OPT  }, /*  4 */
+	{ 3,       "responderIdByName",			ASN1_SEQUENCE,			ASN1_OBJ  }, /*  5 */
+	{ 2,     "end choice",					ASN1_EOC,				ASN1_END  }, /*  6 */
+	{ 2,     "responderIdContext",			ASN1_CONTEXT_C_2,		ASN1_OPT  }, /*  7 */
+	{ 3,       "responderIdByKey",			ASN1_OCTET_STRING,		ASN1_BODY }, /*  8 */
+	{ 2,     "end choice",					ASN1_EOC,				ASN1_END  }, /*  9 */
+	{ 2,     "producedAt",					ASN1_GENERALIZEDTIME,	ASN1_BODY }, /* 10 */
+	{ 2,     "responses",					ASN1_SEQUENCE,			ASN1_OBJ  }, /* 11 */
+	{ 2,     "responseExtensionsContext",	ASN1_CONTEXT_C_1,		ASN1_OPT  }, /* 12 */
+	{ 3,       "responseExtensions",		ASN1_SEQUENCE,			ASN1_LOOP }, /* 13 */
+	{ 4,         "extension",				ASN1_SEQUENCE,			ASN1_NONE }, /* 14 */
+	{ 5,           "extnID",				ASN1_OID,				ASN1_BODY }, /* 15 */
+	{ 5,           "critical",				ASN1_BOOLEAN,			ASN1_BODY |
+																	ASN1_DEF  }, /* 16 */
+	{ 5,           "extnValue",				ASN1_OCTET_STRING,		ASN1_BODY }, /* 17 */
+	{ 4,         "end loop",				ASN1_EOC,				ASN1_END  }, /* 18 */
+	{ 2,     "end opt",						ASN1_EOC,				ASN1_END  }, /* 19 */
+	{ 1,   "signatureAlgorithm",			ASN1_EOC,				ASN1_RAW  }, /* 20 */
+	{ 1,   "signature",						ASN1_BIT_STRING,		ASN1_BODY }, /* 21 */
+	{ 1,   "certsContext",					ASN1_CONTEXT_C_0,		ASN1_OPT  }, /* 22 */
+	{ 2,     "certs",						ASN1_SEQUENCE,			ASN1_LOOP }, /* 23 */
+	{ 3,       "certificate",				ASN1_SEQUENCE,			ASN1_RAW  }, /* 24 */
+	{ 2,     "end loop",					ASN1_EOC,				ASN1_END  }, /* 25 */
+	{ 1,   "end opt",						ASN1_EOC,				ASN1_END  }, /* 26 */
+	{ 0, "exit",							ASN1_EOC,				ASN1_EXIT }
 };
-
 #define BASIC_RESPONSE_TBS_DATA		 1
 #define BASIC_RESPONSE_VERSION		 3
 #define BASIC_RESPONSE_ID_BY_NAME	 5
@@ -221,1349 +224,1326 @@ static const asn1Object_t basicResponseObjects[] = {
 #define BASIC_RESPONSE_ALGORITHM	20
 #define BASIC_RESPONSE_SIGNATURE	21
 #define BASIC_RESPONSE_CERTIFICATE	24
-#define BASIC_RESPONSE_ROOF		27
 
+/**
+ * ASN.1 definition of responses
+ */
 static const asn1Object_t responsesObjects[] = {
-  { 0, "responses",                   ASN1_SEQUENCE,          ASN1_LOOP }, /*  0 */
-  { 1,   "singleResponse",            ASN1_EOC,               ASN1_RAW  }, /*  1 */
-  { 0, "end loop",                    ASN1_EOC,               ASN1_END  }  /*  2 */
+	{ 0, "responses",			ASN1_SEQUENCE,	ASN1_LOOP }, /* 0 */
+	{ 1,   "singleResponse",	ASN1_EOC,		ASN1_RAW  }, /* 1 */
+	{ 0, "end loop",			ASN1_EOC,		ASN1_END  }, /* 2 */
+	{ 0, "exit",				ASN1_EOC,		ASN1_EXIT }
 };
+#define RESPONSES_SINGLE_RESPONSE	1
 
-#define RESPONSES_SINGLE_RESPONSE	 1
-#define RESPONSES_ROOF			 3
-
+/**
+ * ASN.1 definition of singleResponse
+ */
 static const asn1Object_t singleResponseObjects[] = {
-  { 0, "singleResponse",            ASN1_SEQUENCE,          ASN1_BODY }, /*  0 */
-  { 1,   "certID",                  ASN1_SEQUENCE,          ASN1_NONE }, /*  1 */
-  { 2,     "algorithm",             ASN1_EOC,               ASN1_RAW  }, /*  2 */
-  { 2,     "issuerNameHash",        ASN1_OCTET_STRING,      ASN1_BODY }, /*  3 */
-  { 2,     "issuerKeyHash",         ASN1_OCTET_STRING,      ASN1_BODY }, /*  4 */
-  { 2,     "serialNumber",          ASN1_INTEGER,           ASN1_BODY }, /*  5 */
-  { 1,   "certStatusGood",          ASN1_CONTEXT_S_0,       ASN1_OPT  }, /*  6 */
-  { 1,   "end opt",                 ASN1_EOC,               ASN1_END  }, /*  7 */
-  { 1,   "certStatusRevoked",       ASN1_CONTEXT_C_1,       ASN1_OPT  }, /*  8 */
-  { 2,     "revocationTime",        ASN1_GENERALIZEDTIME,   ASN1_BODY }, /*  9 */
-  { 2,     "revocationReason",      ASN1_CONTEXT_C_0,       ASN1_OPT  }, /* 10 */
-  { 3,       "crlReason",           ASN1_ENUMERATED,        ASN1_BODY }, /* 11 */
-  { 2,     "end opt",               ASN1_EOC,               ASN1_END  }, /* 12 */
-  { 1,   "end opt",                 ASN1_EOC,               ASN1_END  }, /* 13 */
-  { 1,   "certStatusUnknown",       ASN1_CONTEXT_S_2,       ASN1_OPT  }, /* 14 */
-  { 1,   "end opt",                 ASN1_EOC,               ASN1_END  }, /* 15 */
-  { 1,   "thisUpdate",              ASN1_GENERALIZEDTIME,   ASN1_BODY }, /* 16 */
-  { 1,   "nextUpdateContext",       ASN1_CONTEXT_C_0,       ASN1_OPT  }, /* 17 */
-  { 2,     "nextUpdate",            ASN1_GENERALIZEDTIME,   ASN1_BODY }, /* 18 */
-  { 1,   "end opt",                 ASN1_EOC,               ASN1_END  }, /* 19 */
-  { 1,   "singleExtensionsContext", ASN1_CONTEXT_C_1,       ASN1_OPT  }, /* 20 */
-  { 2,     "singleExtensions",      ASN1_SEQUENCE,          ASN1_LOOP }, /* 21 */
-  { 3,       "extension",           ASN1_SEQUENCE,          ASN1_NONE }, /* 22 */
-  { 4,         "extnID",            ASN1_OID,               ASN1_BODY }, /* 23 */
-  { 4,         "critical",          ASN1_BOOLEAN,           ASN1_BODY |
-							    ASN1_DEF  }, /* 24 */
-  { 4,         "extnValue",         ASN1_OCTET_STRING,      ASN1_BODY }, /* 25 */
-  { 2,     "end loop",              ASN1_EOC,               ASN1_END  }, /* 26 */
-  { 1,   "end opt",                 ASN1_EOC,               ASN1_END  }  /* 27 */
+	{ 0, "singleResponse",				ASN1_SEQUENCE,			ASN1_BODY }, /*  0 */
+	{ 1,   "certID",					ASN1_SEQUENCE,			ASN1_NONE }, /*  1 */
+	{ 2,     "algorithm",				ASN1_EOC,				ASN1_RAW  }, /*  2 */
+	{ 2,     "issuerNameHash",			ASN1_OCTET_STRING,		ASN1_BODY }, /*  3 */
+	{ 2,     "issuerKeyHash",			ASN1_OCTET_STRING,		ASN1_BODY }, /*  4 */
+	{ 2,     "serialNumber",			ASN1_INTEGER,			ASN1_BODY }, /*  5 */
+	{ 1,   "certStatusGood",			ASN1_CONTEXT_S_0,		ASN1_OPT  }, /*  6 */
+	{ 1,   "end opt",					ASN1_EOC,				ASN1_END  }, /*  7 */
+	{ 1,   "certStatusRevoked",			ASN1_CONTEXT_C_1,		ASN1_OPT  }, /*  8 */
+	{ 2,     "revocationTime",			ASN1_GENERALIZEDTIME,	ASN1_BODY }, /*  9 */
+	{ 2,     "revocationReason",		ASN1_CONTEXT_C_0,		ASN1_OPT  }, /* 10 */
+	{ 3,       "crlReason",				ASN1_ENUMERATED,		ASN1_BODY }, /* 11 */
+	{ 2,     "end opt",					ASN1_EOC,				ASN1_END  }, /* 12 */
+	{ 1,   "end opt",					ASN1_EOC,				ASN1_END  }, /* 13 */
+	{ 1,   "certStatusUnknown",			ASN1_CONTEXT_S_2,		ASN1_OPT  }, /* 14 */
+	{ 1,   "end opt",					ASN1_EOC,				ASN1_END  }, /* 15 */
+	{ 1,   "thisUpdate",				ASN1_GENERALIZEDTIME,	ASN1_BODY }, /* 16 */
+	{ 1,   "nextUpdateContext",			ASN1_CONTEXT_C_0,		ASN1_OPT  }, /* 17 */
+	{ 2,     "nextUpdate",				ASN1_GENERALIZEDTIME,	ASN1_BODY }, /* 18 */
+	{ 1,   "end opt",					ASN1_EOC,				ASN1_END  }, /* 19 */
+	{ 1,   "singleExtensionsContext",	ASN1_CONTEXT_C_1,		ASN1_OPT  }, /* 20 */
+	{ 2,     "singleExtensions",		ASN1_SEQUENCE,			ASN1_LOOP }, /* 21 */
+	{ 3,       "extension",				ASN1_SEQUENCE,			ASN1_NONE }, /* 22 */
+	{ 4,         "extnID",				ASN1_OID,				ASN1_BODY }, /* 23 */
+	{ 4,         "critical",			ASN1_BOOLEAN,			ASN1_BODY |
+																ASN1_DEF  }, /* 24 */
+	{ 4,         "extnValue",			ASN1_OCTET_STRING,		ASN1_BODY }, /* 25 */
+	{ 2,     "end loop",				ASN1_EOC,				ASN1_END  }, /* 26 */
+	{ 1,   "end opt",					ASN1_EOC,				ASN1_END  }, /* 27 */
+	{ 0, "exit",						ASN1_EOC,				ASN1_EXIT }
 };
-
-#define SINGLE_RESPONSE_ALGORITHM			 2
-#define SINGLE_RESPONSE_ISSUER_NAME_HASH		 3
-#define SINGLE_RESPONSE_ISSUER_KEY_HASH			 4
-#define SINGLE_RESPONSE_SERIAL_NUMBER			 5
-#define SINGLE_RESPONSE_CERT_STATUS_GOOD		 6
-#define SINGLE_RESPONSE_CERT_STATUS_REVOKED		 8
+#define SINGLE_RESPONSE_ALGORITHM					 2
+#define SINGLE_RESPONSE_ISSUER_NAME_HASH			 3
+#define SINGLE_RESPONSE_ISSUER_KEY_HASH				 4
+#define SINGLE_RESPONSE_SERIAL_NUMBER				 5
+#define SINGLE_RESPONSE_CERT_STATUS_GOOD			 6
+#define SINGLE_RESPONSE_CERT_STATUS_REVOKED			 8
 #define SINGLE_RESPONSE_CERT_STATUS_REVOCATION_TIME	 9
 #define SINGLE_RESPONSE_CERT_STATUS_CRL_REASON		11
-#define SINGLE_RESPONSE_CERT_STATUS_UNKNOWN		14
-#define SINGLE_RESPONSE_THIS_UPDATE			16
-#define SINGLE_RESPONSE_NEXT_UPDATE			18
-#define SINGLE_RESPONSE_EXT_ID				23
-#define SINGLE_RESPONSE_CRITICAL			24
-#define SINGLE_RESPONSE_EXT_VALUE			25
-#define SINGLE_RESPONSE_ROOF				28
-
-/* build an ocsp location from certificate information
+#define SINGLE_RESPONSE_CERT_STATUS_UNKNOWN			14
+#define SINGLE_RESPONSE_THIS_UPDATE					16
+#define SINGLE_RESPONSE_NEXT_UPDATE					18
+#define SINGLE_RESPONSE_EXT_ID						23
+#define SINGLE_RESPONSE_CRITICAL					24
+#define SINGLE_RESPONSE_EXT_VALUE					25
+
+/*
+ * Build an ocsp location from certificate information
  * without unsharing its contents
  */
-static bool
-build_ocsp_location(const x509cert_t *cert, ocsp_location_t *location)
+static bool build_ocsp_location(const x509cert_t *cert, ocsp_location_t *location)
 {
-    static u_char digest[SHA1_DIGEST_SIZE];  /* temporary storage */
+	hasher_t *hasher;
+	static u_char digest[HASH_SIZE_SHA1];  /* temporary storage */
+	
+	location->uri = cert->accessLocation;
 
-    location->uri = cert->accessLocation;
+	if (location->uri.ptr == NULL)
+	{
+		ca_info_t *ca = get_ca_info(cert->issuer, cert->authKeySerialNumber
+				, cert->authKeyID);
+		if (ca != NULL && ca->ocspuri != NULL)
+		{
+			location->uri = chunk_create(ca->ocspuri, strlen(ca->ocspuri));
+		}
+		else
+		{   /* abort if no ocsp location uri is defined */
+			return FALSE;
+		}
+	}
+	
+	/* compute authNameID from as SHA-1 hash of issuer DN */
+	location->authNameID = chunk_create(digest, HASH_SIZE_SHA1);
+	hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
+	if (hasher == NULL)
+	{
+		return FALSE;
+	}
+ 	hasher->get_hash(hasher, cert->issuer, digest);
+	hasher->destroy(hasher);
 
-    if (location->uri.ptr == NULL)
-    {
-	ca_info_t *ca = get_ca_info(cert->issuer, cert->authKeySerialNumber
-		, cert->authKeyID);
-	if (ca != NULL && ca->ocspuri != NULL)
-	    setchunk(location->uri, ca->ocspuri, strlen(ca->ocspuri))
-	else
-	    /* abort if no ocsp location uri is defined */
-	    return FALSE;
-    }
-    
-    setchunk(location->authNameID, digest, SHA1_DIGEST_SIZE);
-    compute_digest(cert->issuer, OID_SHA1, &location->authNameID);
-
-    location->next = NULL;
-    location->issuer = cert->issuer;
-    location->authKeyID = cert->authKeyID;
-    location->authKeySerialNumber = cert->authKeySerialNumber;
-    
-    if (cert->authKeyID.ptr == NULL) 
-    {
-	x509cert_t *authcert = get_authcert(cert->issuer
-		, cert->authKeySerialNumber, cert->authKeyID, AUTH_CA);
-
-	if (authcert != NULL)
+	location->next = NULL;
+	location->issuer = cert->issuer;
+	location->authKeyID = cert->authKeyID;
+	location->authKeySerialNumber = cert->authKeySerialNumber;
+	
+	if (cert->authKeyID.ptr == NULL) 
 	{
-	    location->authKeyID = authcert->subjectKeyID;
-	    location->authKeySerialNumber = authcert->serialNumber;
+		x509cert_t *authcert = get_authcert(cert->issuer
+				, cert->authKeySerialNumber, cert->authKeyID, AUTH_CA);
+
+		if (authcert != NULL)
+		{
+			location->authKeyID = authcert->subjectKeyID;
+			location->authKeySerialNumber = authcert->serialNumber;
+		}
 	}
-    }
 
-    location->nonce = empty_chunk;
-    location->certinfo = NULL;
+	location->nonce = chunk_empty;
+	location->certinfo = NULL;
 
-    return TRUE;
+	return TRUE;
 }
 
-/*
- * compare two ocsp locations for equality
+/**
+ * Compare two ocsp locations for equality
  */
-static bool
-same_ocsp_location(const ocsp_location_t *a, const ocsp_location_t *b)
+static bool same_ocsp_location(const ocsp_location_t *a, const ocsp_location_t *b)
 {
-    return ((a->authKeyID.ptr != NULL)
-		? same_keyid(a->authKeyID, b->authKeyID)
-		: (same_dn(a->issuer, b->issuer)
-		    && same_serial(a->authKeySerialNumber, b->authKeySerialNumber)))
-	    && same_chunk(a->uri, b->uri);
+	return ((a->authKeyID.ptr != NULL)
+				? same_keyid(a->authKeyID, b->authKeyID)
+				: (same_dn(a->issuer, b->issuer)
+					&& same_serial(a->authKeySerialNumber, b->authKeySerialNumber)))
+			&& chunk_equals(a->uri, b->uri);
 }
 
-/*
- * find an existing ocsp location in a chained list
+/**
+ * Find an existing ocsp location in a chained list
  */
-ocsp_location_t*
-get_ocsp_location(const ocsp_location_t * loc, ocsp_location_t *chain)
+ocsp_location_t* get_ocsp_location(const ocsp_location_t * loc, ocsp_location_t *chain)
 {
 
-    while (chain != NULL)
-    {
-	if (same_ocsp_location(loc, chain))
-	    return chain;
-	chain = chain->next;
-    }
-    return NULL;
+	while (chain != NULL)
+	{
+		if (same_ocsp_location(loc, chain))
+			return chain;
+		chain = chain->next;
+	}
+	return NULL;
 }
- 
-/* retrieves the status of a cert from the ocsp cache
+
+/**
+ * Retrieves the status of a cert from the ocsp cache
  * returns CERT_UNDEFINED if no status is found
  */
-static cert_status_t
-get_ocsp_status(const ocsp_location_t *loc, chunk_t serialNumber
-    ,time_t *nextUpdate, time_t *revocationTime, crl_reason_t *revocationReason)
+static cert_status_t get_ocsp_status(const ocsp_location_t *loc,
+									 chunk_t serialNumber,
+									 time_t *nextUpdate, time_t *revocationTime,
+									 crl_reason_t *revocationReason)
 {
-    ocsp_certinfo_t *certinfo, **certinfop;
-    int cmp = -1;
+	ocsp_certinfo_t *certinfo, **certinfop;
+	int cmp = -1;
 
-    /* find location */
-    ocsp_location_t *location = get_ocsp_location(loc, ocsp_cache);
+	/* find location */
+	ocsp_location_t *location = get_ocsp_location(loc, ocsp_cache);
 
-    if (location == NULL)
-	return CERT_UNDEFINED;
-
-    /* traverse list of certinfos in increasing order */
-    certinfop = &location->certinfo;
-    certinfo = *certinfop;
+	if (location == NULL)
+		return CERT_UNDEFINED;
 
-    while (certinfo != NULL)
-    {
-	cmp = cmp_chunk(serialNumber, certinfo->serialNumber);
-	if (cmp <= 0)
-	    break;
-	certinfop = &certinfo->next;
+	/* traverse list of certinfos in increasing order */
+	certinfop = &location->certinfo;
 	certinfo = *certinfop;
-    }
 
-    if (cmp == 0)
-    {
-	*nextUpdate = certinfo->nextUpdate;
-	*revocationTime = certinfo->revocationTime;
-	*revocationReason = certinfo->revocationReason;
-	return certinfo->status;
-    }
+	while (certinfo != NULL)
+	{
+		cmp = chunk_compare(serialNumber, certinfo->serialNumber);
+		if (cmp <= 0)
+			break;
+		certinfop = &certinfo->next;
+		certinfo = *certinfop;
+	}
+
+	if (cmp == 0)
+	{
+		*nextUpdate = certinfo->nextUpdate;
+		*revocationTime = certinfo->revocationTime;
+		*revocationReason = certinfo->revocationReason;
+		return certinfo->status;
+	}
 
-    return CERT_UNDEFINED;
+	return CERT_UNDEFINED;
 }
 
-/*
- * verify the ocsp status of a certificate
+/**
+ * Verify the ocsp status of a certificate
  */
-cert_status_t
-verify_by_ocsp(const x509cert_t *cert, time_t *until
-, time_t *revocationDate, crl_reason_t *revocationReason)
+cert_status_t verify_by_ocsp(const x509cert_t *cert, time_t *until,
+							 time_t *revocationDate,
+							 crl_reason_t *revocationReason)
 {
-    cert_status_t status;
-    ocsp_location_t location;
-    time_t nextUpdate = 0;
-
-    *revocationDate = UNDEFINED_TIME;
-    *revocationReason = REASON_UNSPECIFIED;
-    
-    /* is an ocsp location defined? */
-    if (!build_ocsp_location(cert, &location))
-	return CERT_UNDEFINED;
+	cert_status_t status;
+	ocsp_location_t location;
+	time_t nextUpdate = 0;
+
+	*revocationDate = UNDEFINED_TIME;
+	*revocationReason = REASON_UNSPECIFIED;
+	
+	/* is an ocsp location defined? */
+	if (!build_ocsp_location(cert, &location))
+		return CERT_UNDEFINED;
+
+	lock_ocsp_cache("verify_by_ocsp");
+	status = get_ocsp_status(&location, cert->serialNumber, &nextUpdate
+		, revocationDate, revocationReason);
+	unlock_ocsp_cache("verify_by_ocsp");
+
+	if (status == CERT_UNDEFINED || nextUpdate < time(NULL))
+	{
+		plog("ocsp status is stale or not in cache");
+		add_ocsp_fetch_request(&location, cert->serialNumber);
 
-    lock_ocsp_cache("verify_by_ocsp");
-    status = get_ocsp_status(&location, cert->serialNumber, &nextUpdate
-	, revocationDate, revocationReason);
-    unlock_ocsp_cache("verify_by_ocsp");
-
-    if (status == CERT_UNDEFINED || nextUpdate < time(NULL))
-    {
-	plog("ocsp status is stale or not in cache");
-	add_ocsp_fetch_request(&location, cert->serialNumber);
-
-	/* inititate fetching of ocsp status */
-	wake_fetch_thread("verify_by_ocsp");
-    }
-    *until = nextUpdate;
-    return status;
+		/* inititate fetching of ocsp status */
+		wake_fetch_thread("verify_by_ocsp");
+	}
+	*until = nextUpdate;
+	return status;
 }
 
-/*
- * check if an ocsp status is about to expire
+/**
+ * Check if an ocsp status is about to expire
  */
-void
-check_ocsp(void)
+void check_ocsp(void)
 {
-    ocsp_location_t *location;
-
-    lock_ocsp_cache("check_ocsp");
-    location = ocsp_cache;
-    
-    while (location != NULL)
-    {
-	char buf[BUF_LEN];
-	bool first = TRUE;
-	ocsp_certinfo_t *certinfo = location->certinfo;
+	ocsp_location_t *location;
 
-	while (certinfo != NULL)
+	lock_ocsp_cache("check_ocsp");
+	location = ocsp_cache;
+	
+	while (location != NULL)
 	{
-	    if (!certinfo->once)
-	    {
-		time_t time_left = certinfo->nextUpdate - time(NULL);
+		char buf[BUF_LEN];
+		bool first = TRUE;
+		ocsp_certinfo_t *certinfo = location->certinfo;
 
-		DBG(DBG_CONTROL,
-		    if (first)
-		    {
-			dntoa(buf, BUF_LEN, location->issuer);
-			DBG_log("issuer: '%s'", buf);
-			if (location->authKeyID.ptr != NULL)
+		while (certinfo != NULL)
+		{
+			if (!certinfo->once)
 			{
-			    datatot(location->authKeyID.ptr, location->authKeyID.len
-				, ':', buf, BUF_LEN);
-			    DBG_log("authkey: %s", buf);
+				time_t time_left = certinfo->nextUpdate - time(NULL);
+
+				DBG(DBG_CONTROL,
+					if (first)
+					{
+						dntoa(buf, BUF_LEN, location->issuer);
+						DBG_log("issuer: '%s'", buf);
+						if (location->authKeyID.ptr != NULL)
+						{
+							datatot(location->authKeyID.ptr, location->authKeyID.len
+								, ':', buf, BUF_LEN);
+							DBG_log("authkey: %s", buf);
+						}
+						first = FALSE;
+					}
+					datatot(certinfo->serialNumber.ptr, certinfo->serialNumber.len
+						, ':', buf, BUF_LEN);
+					DBG_log("serial: %s, %ld seconds left", buf, time_left)
+				)
+
+				if (time_left < 2*crl_check_interval)
+					add_ocsp_fetch_request(location, certinfo->serialNumber);
 			}
-			first = FALSE;
-		    }
-		    datatot(certinfo->serialNumber.ptr, certinfo->serialNumber.len
-			, ':', buf, BUF_LEN);
-		    DBG_log("serial: %s, %ld seconds left", buf, time_left)
-		)
-
-		if (time_left < 2*crl_check_interval)
-		    add_ocsp_fetch_request(location, certinfo->serialNumber);
-	    }
-	    certinfo = certinfo->next;
+			certinfo = certinfo->next;
+		}
+		location = location->next;
 	}
-	location = location->next;
-    }
-    unlock_ocsp_cache("check_ocsp");
+	unlock_ocsp_cache("check_ocsp");
 }
 
-/*
+/**
  *  frees the allocated memory of a certinfo struct
  */
-static void
-free_certinfo(ocsp_certinfo_t *certinfo)
+static void free_certinfo(ocsp_certinfo_t *certinfo)
 {
-    freeanychunk(certinfo->serialNumber);
-    pfree(certinfo);
+	free(certinfo->serialNumber.ptr);
+	free(certinfo);
 }
 
-/*
+/**
  * frees all certinfos in a chained list
  */
-static void
-free_certinfos(ocsp_certinfo_t *chain)
+static void free_certinfos(ocsp_certinfo_t *chain)
 {
-    ocsp_certinfo_t *certinfo;
+	ocsp_certinfo_t *certinfo;
 
-    while (chain != NULL)
-    {
-	certinfo = chain;
-	chain = chain->next;
-	free_certinfo(certinfo);
-    }
+	while (chain != NULL)
+	{
+		certinfo = chain;
+		chain = chain->next;
+		free_certinfo(certinfo);
+	}
 }
 
-/*
- * frees the memory allocated to an ocsp location including all certinfos
+/**
+ * Frees the memory allocated to an ocsp location including all certinfos
  */
-static void
-free_ocsp_location(ocsp_location_t* location)
+static void free_ocsp_location(ocsp_location_t* location)
 {
-    freeanychunk(location->issuer);
-    freeanychunk(location->authNameID);
-    freeanychunk(location->authKeyID);
-    freeanychunk(location->authKeySerialNumber);
-    freeanychunk(location->uri);
-    free_certinfos(location->certinfo);
-    pfree(location);
+	free(location->issuer.ptr);
+	free(location->authNameID.ptr);
+	free(location->authKeyID.ptr);
+	free(location->authKeySerialNumber.ptr);
+	free(location->uri.ptr);
+	free_certinfos(location->certinfo);
+	free(location);
 }
 
 /*
- * free a chained list of ocsp locations
+ * Free a chained list of ocsp locations
  */
-void
-free_ocsp_locations(ocsp_location_t **chain)
+void free_ocsp_locations(ocsp_location_t **chain)
 {
-    while (*chain != NULL)
-    {
-	ocsp_location_t *location = *chain;
-	*chain = location->next;
-	free_ocsp_location(location);
-    }
+	while (*chain != NULL)
+	{
+		ocsp_location_t *location = *chain;
+		*chain = location->next;
+		free_ocsp_location(location);
+	}
 }
 
-/*
- * free the ocsp cache
+/**
+ * Free the ocsp cache
  */
-void
-free_ocsp_cache(void)
+void free_ocsp_cache(void)
 {
-    lock_ocsp_cache("free_ocsp_cache");
-    free_ocsp_locations(&ocsp_cache);
-    unlock_ocsp_cache("free_ocsp_cache");
+	lock_ocsp_cache("free_ocsp_cache");
+	free_ocsp_locations(&ocsp_cache);
+	unlock_ocsp_cache("free_ocsp_cache");
 }
 
-/*
- * frees the ocsp cache and global variables
+/**
+ * Frees the ocsp cache and global variables
  */
-void
-free_ocsp(void)
+void free_ocsp(void)
 {
-    pfreeany(ocsp_default_uri.ptr);
-    free_ocsp_cache();
+	free(ocsp_default_uri.ptr);
+	free_ocsp_cache();
 }
 
-/*
- * list a chained list of ocsp_locations
+/**
+ * List a chained list of ocsp_locations
  */
-void
-list_ocsp_locations(ocsp_location_t *location, bool requests, bool utc
-, bool strict)
+void list_ocsp_locations(ocsp_location_t *location, bool requests,
+						 bool utc, bool strict)
 {
-    bool first = TRUE;
-
-    while (location != NULL)
-    {
-	ocsp_certinfo_t *certinfo = location->certinfo;
+	bool first = TRUE;
 
-	if (certinfo != NULL)
+	while (location != NULL)
 	{
-	    u_char buf[BUF_LEN];
-
-	    if (first)
-	    {
-		whack_log(RC_COMMENT, " ");
-		whack_log(RC_COMMENT, "List of OCSP %s:", requests?
-		    "fetch requests":"responses");
-		first = FALSE;
-            }
-	    whack_log(RC_COMMENT, " ");
-	    if (location->issuer.ptr != NULL)
-	    {
-		dntoa(buf, BUF_LEN, location->issuer);
-		whack_log(RC_COMMENT, "       issuer:  '%s'", buf);
-	    }
-	    whack_log(RC_COMMENT, "       uri:     '%.*s'", (int)location->uri.len
-		, location->uri.ptr);
-	    if (location->authNameID.ptr != NULL)
-	    {
-		datatot(location->authNameID.ptr, location->authNameID.len, ':'
-		    , buf, BUF_LEN);
-		whack_log(RC_COMMENT, "       authname: %s", buf);
-	    }
-	    if (location->authKeyID.ptr != NULL)
-	    {
-		datatot(location->authKeyID.ptr, location->authKeyID.len, ':'
-		    , buf, BUF_LEN);
-		whack_log(RC_COMMENT, "       authkey:  %s", buf);
-	    }
-	    if (location->authKeySerialNumber.ptr != NULL)
-	    {
-		datatot(location->authKeySerialNumber.ptr
-		    , location->authKeySerialNumber.len, ':', buf, BUF_LEN);
-		whack_log(RC_COMMENT, "       aserial:  %s", buf);
-	    }
-	    while (certinfo != NULL)
-	    {
-		char thisUpdate[TIMETOA_BUF];
-
-		strcpy(thisUpdate, timetoa(&certinfo->thisUpdate, utc));
-
-		if (requests)
-		{
-		    whack_log(RC_COMMENT, "%s, trials: %d", thisUpdate
-			, certinfo->trials);
-		}
-		else if (certinfo->once)
-		{
-		    whack_log(RC_COMMENT, "%s, onetime use%s", thisUpdate
-			, (certinfo->nextUpdate < time(NULL))? " (expired)": "");
-		}
-		else
+		ocsp_certinfo_t *certinfo = location->certinfo;
+
+		if (certinfo != NULL)
 		{
-		    whack_log(RC_COMMENT, "%s, until %s %s", thisUpdate
-			, timetoa(&certinfo->nextUpdate, utc)
-			, check_expiry(certinfo->nextUpdate, OCSP_WARNING_INTERVAL, strict));
+			u_char buf[BUF_LEN];
+
+			if (first)
+			{
+				whack_log(RC_COMMENT, " ");
+				whack_log(RC_COMMENT, "List of OCSP %s:", requests?
+					"fetch requests":"responses");
+				first = FALSE;
+			}
+			whack_log(RC_COMMENT, " ");
+			if (location->issuer.ptr != NULL)
+			{
+				dntoa(buf, BUF_LEN, location->issuer);
+				whack_log(RC_COMMENT, "       issuer:  '%s'", buf);
+			}
+			whack_log(RC_COMMENT, "       uri:     '%.*s'", (int)location->uri.len
+				, location->uri.ptr);
+			if (location->authNameID.ptr != NULL)
+			{
+				datatot(location->authNameID.ptr, location->authNameID.len, ':'
+					, buf, BUF_LEN);
+				whack_log(RC_COMMENT, "       authname: %s", buf);
+			}
+			if (location->authKeyID.ptr != NULL)
+			{
+				datatot(location->authKeyID.ptr, location->authKeyID.len, ':'
+					, buf, BUF_LEN);
+				whack_log(RC_COMMENT, "       authkey:  %s", buf);
+			}
+			if (location->authKeySerialNumber.ptr != NULL)
+			{
+				datatot(location->authKeySerialNumber.ptr
+					, location->authKeySerialNumber.len, ':', buf, BUF_LEN);
+				whack_log(RC_COMMENT, "       aserial:  %s", buf);
+			}
+			while (certinfo != NULL)
+			{
+				char thisUpdate[BUF_LEN];
+
+				snprintf(thisUpdate, BUF_LEN, "%T", &certinfo->thisUpdate, utc);
+
+				if (requests)
+				{
+					whack_log(RC_COMMENT, "%s, trials: %d", thisUpdate
+						, certinfo->trials);
+				}
+				else if (certinfo->once)
+				{
+					whack_log(RC_COMMENT, "%s, onetime use%s", thisUpdate
+						, (certinfo->nextUpdate < time(NULL))? " (expired)": "");
+				}
+				else
+				{
+					whack_log(RC_COMMENT, "%s, until %T %s", thisUpdate
+						, &certinfo->nextUpdate, utc
+						, check_expiry(certinfo->nextUpdate, OCSP_WARNING_INTERVAL, strict));
+				}
+				datatot(certinfo->serialNumber.ptr, certinfo->serialNumber.len, ':'
+					, buf, BUF_LEN);
+				whack_log(RC_COMMENT, "       serial:   %s, %s", buf
+					, cert_status_names[certinfo->status]);
+				certinfo = certinfo->next;
+			}
 		}
-		datatot(certinfo->serialNumber.ptr, certinfo->serialNumber.len, ':'
-		    , buf, BUF_LEN);
-		whack_log(RC_COMMENT, "       serial:   %s, %s", buf
-		    , cert_status_names[certinfo->status]);
-		certinfo = certinfo->next;
-	    }
+		location = location->next;
 	}
-	location = location->next;
-    }
 }
 
-/*
- * list the ocsp cache
+/**
+ * List the ocsp cache
  */
-void
-list_ocsp_cache(bool utc, bool strict)
+void list_ocsp_cache(bool utc, bool strict)
 {
-    lock_ocsp_cache("list_ocsp_cache");
-    list_ocsp_locations(ocsp_cache, FALSE, utc, strict);
-    unlock_ocsp_cache("list_ocsp_cache");
+	lock_ocsp_cache("list_ocsp_cache");
+	list_ocsp_locations(ocsp_cache, FALSE, utc, strict);
+	unlock_ocsp_cache("list_ocsp_cache");
 }
 
-static bool
-get_ocsp_requestor_cert(ocsp_location_t *location)
+static bool get_ocsp_requestor_cert(ocsp_location_t *location)
 {
-    x509cert_t *cert = NULL;
+	x509cert_t *cert = NULL;
 
-    /* initialize temporary static storage */
-    ocsp_requestor_cert = NULL;
-    ocsp_requestor_sc   = NULL;
-    ocsp_requestor_pri  = NULL;
+	/* initialize temporary static storage */
+	ocsp_requestor_cert = NULL;
+	ocsp_requestor_sc   = NULL;
+	ocsp_requestor_key  = NULL;
 
-    for (;;)
-    {
-	char buf[BUF_LEN];
-
-	/* looking for a certificate from the same issuer */
-	cert = get_x509cert(location->issuer, location->authKeySerialNumber
-		    ,location->authKeyID, cert);
-   	if (cert == NULL)
-	    break;
-
-	DBG(DBG_CONTROL,
-	    dntoa(buf, BUF_LEN, cert->subject);
-	    DBG_log("candidate: '%s'", buf);
-	)
-
-	if (cert->smartcard)
+	for (;;)
 	{
-	    /* look for a matching private key on a smartcard */
-	    smartcard_t *sc = scx_get(cert);
+		char buf[BUF_LEN];
+
+		/* looking for a certificate from the same issuer */
+		cert = get_x509cert(location->issuer, location->authKeySerialNumber
+					,location->authKeyID, cert);
+		if (cert == NULL)
+			break;
 
-	    if (sc != NULL)
-	    {
 		DBG(DBG_CONTROL,
-		    DBG_log("matching smartcard found")
+			dntoa(buf, BUF_LEN, cert->subject);
+			DBG_log("candidate: '%s'", buf);
 		)
-		if (sc->valid)
+
+		if (cert->smartcard)
 		{
-		    ocsp_requestor_cert = cert;
-		    ocsp_requestor_sc = sc;
-		    return TRUE;
+			/* look for a matching private key on a smartcard */
+			smartcard_t *sc = scx_get(cert);
+
+			if (sc != NULL)
+			{
+				DBG(DBG_CONTROL,
+					DBG_log("matching smartcard found")
+				)
+				if (sc->valid)
+				{
+					ocsp_requestor_cert = cert;
+					ocsp_requestor_sc = sc;
+					return TRUE;
+				}
+				plog("unable to sign ocsp request without PIN");
+			}
 		}
-		plog("unable to sign ocsp request without PIN");
-	    }
-	}
-	else
-	{
-	    /* look for a matching private key in the chained list */
-	    const struct RSA_private_key *pri = get_x509_private_key(cert);
+		else
+		{
+			/* look for a matching private key in the chained list */
+			private_key_t *private = get_x509_private_key(cert);
 
-	    if (pri != NULL)
-	    {
-		DBG(DBG_CONTROL,
-		    DBG_log("matching private key found")
-		)
-		ocsp_requestor_cert = cert;
-		ocsp_requestor_pri = pri;
-		return TRUE;
-	    }
+			if (private != NULL)
+			{
+				DBG(DBG_CONTROL,
+					DBG_log("matching private key found")
+				)
+				ocsp_requestor_cert = cert;
+				ocsp_requestor_key = private;
+				return TRUE;
+			}
+		}
 	}
-    }
-    return FALSE;
+	return FALSE;
 }
 
-static chunk_t
-generate_signature(chunk_t digest, smartcard_t *sc
-    , const RSA_private_key_t *pri)
+static chunk_t sc_build_sha1_signature(chunk_t tbs, smartcard_t *sc)
 {
-    chunk_t sigdata;
-    u_char *pos;
-    size_t siglen = 0;
-
-    if (sc != NULL)
-    {
-	/* RSA signature is done on smartcard */
+	hasher_t *hasher;
+	u_char *pos;
+	u_char digest_buf[HASH_SIZE_SHA1];
+	chunk_t digest = chunk_from_buf(digest_buf);
+	chunk_t digest_info, sigdata;
+	size_t siglen = 0;
 
 	if (!scx_establish_context(sc) || !scx_login(sc))
 	{
-	    scx_release_context(sc);
-	    return empty_chunk;
+		scx_release_context(sc);
+		return chunk_empty;
 	}
 
 	siglen = scx_get_keylength(sc);
 
 	if (siglen == 0)
 	{
-	    plog("failed to get keylength from smartcard");
-	    scx_release_context(sc);
-	    return empty_chunk;
+		plog("failed to get keylength from smartcard");
+		scx_release_context(sc);
+		return chunk_empty;
 	}
 
 	DBG(DBG_CONTROL | DBG_CRYPT,
-	    DBG_log("signing hash with RSA key from smartcard (slot: %d, id: %s)"
-		, (int)sc->slot, sc->id)
+		DBG_log("signing hash with RSA key from smartcard (slot: %d, id: %s)"
+			, (int)sc->slot, sc->id)
 	)
 
-	pos = build_asn1_object(&sigdata, ASN1_BIT_STRING, 1 + siglen);
+	hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
+	if (hasher == NULL)
+	{
+		return chunk_empty;
+	}
+ 	hasher->get_hash(hasher, tbs, digest_buf);
+	hasher->destroy(hasher);
+
+	/* according to PKCS#1 v2.1 digest must be packaged into
+	 * an ASN.1 structure for encryption
+	 */
+	digest_info = asn1_wrap(ASN1_SEQUENCE, "cm"
+		, asn1_algorithmIdentifier(OID_SHA1)
+		, asn1_simple_object(ASN1_OCTET_STRING, digest));
+
+	pos = asn1_build_object(&sigdata, ASN1_BIT_STRING, 1 + siglen);
 	*pos++ = 0x00;
-	scx_sign_hash(sc, digest.ptr, digest.len, pos, siglen);
+	scx_sign_hash(sc, digest_info.ptr, digest_info.len, pos, siglen);
+	free(digest_info.ptr);
+
 	if (!pkcs11_keep_state)
-	    scx_release_context(sc);
-    }
-    else
-    {
-	/* RSA signature is done in software */
-	siglen = pri->pub.k;
-	pos = build_asn1_object(&sigdata, ASN1_BIT_STRING, 1 + siglen);
-	*pos++ = 0x00;
-	sign_hash(pri, digest.ptr, digest.len, pos, siglen);
-    }
-    return sigdata;
+	{
+		scx_release_context(sc);
+	}
+	return sigdata;
 }
 
-/*
- * build signature into ocsp request
- * gets built only if a request cert with
- * a corresponding private key is found
+/**
+ * build signature into ocsp request gets built only if a request cert
+ * with a corresponding private key is found
  */
-static chunk_t
-build_signature(chunk_t tbsRequest)
+static chunk_t build_signature(chunk_t tbsRequest)
 {
-    chunk_t sigdata, certs;
-    chunk_t digest_info;
-
-    u_char digest_buf[MAX_DIGEST_LEN];
-    chunk_t digest_raw = { digest_buf, MAX_DIGEST_LEN };
-
-    if (!compute_digest(tbsRequest, OID_SHA1, &digest_raw))
-	return empty_chunk;
-
-    /* according to PKCS#1 v2.1 digest must be packaged into
-     * an ASN.1 structure for encryption
-     */
-    digest_info = asn1_wrap(ASN1_SEQUENCE, "cm"
-	, ASN1_sha1_id
-	, asn1_simple_object(ASN1_OCTET_STRING, digest_raw));
-
-    /* generate the RSA signature */
-    sigdata = generate_signature(digest_info
-	, ocsp_requestor_sc
-	, ocsp_requestor_pri);
-    freeanychunk(digest_info);
-
-    /* has the RSA signature generation been successful? */
-    if (sigdata.ptr == NULL)
-	return empty_chunk;
-
-    /* include our certificate */
-    certs = asn1_wrap(ASN1_CONTEXT_C_0, "m"
-		, asn1_simple_object(ASN1_SEQUENCE
-		    , ocsp_requestor_cert->certificate
-		  )
-	    );
-
-    /* build signature comprising algorithm, signature and cert */
-    return asn1_wrap(ASN1_CONTEXT_C_0, "m"
-		, asn1_wrap(ASN1_SEQUENCE, "cmm"
-		    , ASN1_sha1WithRSA_id
-		    , sigdata
-		    , certs
-		  )
-	   );
+	chunk_t sigdata, certs;
+
+	if (ocsp_requestor_sc != NULL)
+	{
+		/* RSA signature is done on smartcard */
+		sigdata = sc_build_sha1_signature(tbsRequest, ocsp_requestor_sc);
+	}
+	else
+	{
+		/* RSA signature is done in software */
+		sigdata = x509_build_signature(tbsRequest, OID_SHA1, ocsp_requestor_key,
+									   TRUE);
+	}
+	if (sigdata.ptr == NULL)
+	{
+		return chunk_empty;
+	}
+
+	/* include our certificate */
+	certs = asn1_wrap(ASN1_CONTEXT_C_0, "m"
+				, asn1_simple_object(ASN1_SEQUENCE
+					, ocsp_requestor_cert->certificate
+				  )
+			);
+
+	/* build signature comprising algorithm, signature and cert */
+	return asn1_wrap(ASN1_CONTEXT_C_0, "m"
+				, asn1_wrap(ASN1_SEQUENCE, "cmm"
+					, asn1_algorithmIdentifier(OID_SHA1_WITH_RSA)
+					, sigdata
+					, certs
+				  )
+		   );
 }
 
-/* build request (into requestList)
+/**
+ * Build request (into requestList)
  * no singleRequestExtensions used
  */
-static chunk_t
-build_request(ocsp_location_t *location, ocsp_certinfo_t *certinfo)
+static chunk_t build_request(ocsp_location_t *location, ocsp_certinfo_t *certinfo)
 {
-    chunk_t reqCert = asn1_wrap(ASN1_SEQUENCE, "cmmm"
-		, ASN1_sha1_id
-		, asn1_simple_object(ASN1_OCTET_STRING, location->authNameID)
-		, asn1_simple_object(ASN1_OCTET_STRING, location->authKeyID)
-		, asn1_simple_object(ASN1_INTEGER, certinfo->serialNumber));
+	chunk_t reqCert = asn1_wrap(ASN1_SEQUENCE, "cmmm"
+				, asn1_algorithmIdentifier(OID_SHA1)
+				, asn1_simple_object(ASN1_OCTET_STRING, location->authNameID)
+				, asn1_simple_object(ASN1_OCTET_STRING, location->authKeyID)
+				, asn1_simple_object(ASN1_INTEGER, certinfo->serialNumber));
 
-    return asn1_wrap(ASN1_SEQUENCE, "m", reqCert);
+	return asn1_wrap(ASN1_SEQUENCE, "m", reqCert);
 }
 
-/*
+/**
  * build requestList (into TBSRequest)
  */
-static chunk_t
-build_request_list(ocsp_location_t *location)
+static chunk_t build_request_list(ocsp_location_t *location)
 {
-    chunk_t requestList;
-    request_list_t *reqs = NULL;
-    ocsp_certinfo_t *certinfo = location->certinfo;
-    u_char *pos;
-
-    size_t datalen = 0;
-
-    /* build content */
-    while (certinfo != NULL)
-    {
-	/* build request for every certificate in list
-	 * and store them in a chained list
-	 */
-	request_list_t *req = alloc_thing(request_list_t, "ocsp request");
+	chunk_t requestList;
+	request_list_t *reqs = NULL;
+	ocsp_certinfo_t *certinfo = location->certinfo;
+	u_char *pos;
 
-	req->request = build_request(location, certinfo);
-	req->next = reqs;
-	reqs = req;
+	size_t datalen = 0;
 
-	datalen += req->request.len;
-	certinfo = certinfo->next;
-    }
+	/* build content */
+	while (certinfo != NULL)
+	{
+		/* build request for every certificate in list
+		 * and store them in a chained list
+		 */
+		request_list_t *req = malloc_thing(request_list_t);
+
+		req->request = build_request(location, certinfo);
+		req->next = reqs;
+		reqs = req;
+
+		datalen += req->request.len;
+		certinfo = certinfo->next;
+	}
 
-    pos = build_asn1_object(&requestList, ASN1_SEQUENCE
-	    , datalen);
+	pos = asn1_build_object(&requestList, ASN1_SEQUENCE, datalen);
 
-    /* copy all in chained list, free list afterwards */
-    while (reqs != NULL)
-    {
- 	request_list_t *req = reqs;
+	/* copy all in chained list, free list afterwards */
+	while (reqs != NULL)
+	{
+		request_list_t *req = reqs;
 
-	mv_chunk(&pos, req->request);
-	reqs = reqs->next;
-	pfree(req);
-    }
+		mv_chunk(&pos, req->request);
+		reqs = reqs->next;
+		free(req);
+	}
 
-    return requestList;
+	return requestList;
 }
 
-/*
- * build requestorName (into TBSRequest)
+/**
+ * Build requestorName (into TBSRequest)
  */
-static chunk_t
-build_requestor_name(void)
+static chunk_t build_requestor_name(void)
 {
-    return asn1_wrap(ASN1_CONTEXT_C_1, "m"
-		, asn1_simple_object(ASN1_CONTEXT_C_4
-		    , ocsp_requestor_cert->subject));
+	return asn1_wrap(ASN1_CONTEXT_C_1, "m"
+				, asn1_simple_object(ASN1_CONTEXT_C_4
+					, ocsp_requestor_cert->subject));
 }
 
-/*
+/**
  * build nonce extension (into requestExtensions)
  */
-static chunk_t
-build_nonce_extension(ocsp_location_t *location)
+static chunk_t build_nonce_extension(ocsp_location_t *location)
 {
-    /* generate a random nonce */
-    location->nonce.ptr = alloc_bytes(NONCE_LENGTH, "ocsp nonce"),
-    location->nonce.len = NONCE_LENGTH;
-    get_rnd_bytes(location->nonce.ptr, NONCE_LENGTH);
-
-    return asn1_wrap(ASN1_SEQUENCE, "cm"
-		, ASN1_nonce_oid
-		, asn1_simple_object(ASN1_OCTET_STRING, location->nonce));
+	rng_t *rng;
+
+	/* generate a random nonce */
+	location->nonce.ptr = malloc(NONCE_LENGTH),
+	location->nonce.len = NONCE_LENGTH;
+	rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
+	rng->get_bytes(rng, location->nonce.len, location->nonce.ptr);
+	rng->destroy(rng);
+
+	return asn1_wrap(ASN1_SEQUENCE, "cm"
+				, ASN1_nonce_oid
+				, asn1_simple_object(ASN1_OCTET_STRING, location->nonce));
 }
 
-/*
- * build requestExtensions (into TBSRequest)
+/**
+ * Build requestExtensions (into TBSRequest)
  */
-static chunk_t
-build_request_ext(ocsp_location_t *location)
+static chunk_t build_request_ext(ocsp_location_t *location)
 {
-    return asn1_wrap(ASN1_CONTEXT_C_2, "m"
-		, asn1_wrap(ASN1_SEQUENCE, "mm"
-		    , build_nonce_extension(location)
-		    , asn1_wrap(ASN1_SEQUENCE, "cc"
-			, ASN1_response_oid
-			, ASN1_response_content
-		      )
-		  )
-	    );
+	return asn1_wrap(ASN1_CONTEXT_C_2, "m"
+				, asn1_wrap(ASN1_SEQUENCE, "mm"
+					, build_nonce_extension(location)
+					, asn1_wrap(ASN1_SEQUENCE, "cc"
+						, ASN1_response_oid
+						, ASN1_response_content
+					  )
+				  )
+			);
 }
 
-/*
- * build TBSRequest (into OCSPRequest)
+/**
+ * Build TBSRequest (into OCSPRequest)
  */
-static chunk_t
-build_tbs_request(ocsp_location_t *location, bool has_requestor_cert)
+static chunk_t build_tbs_request(ocsp_location_t *location, bool has_requestor_cert)
 {
-    /* version is skipped since the default is ok */
-    return asn1_wrap(ASN1_SEQUENCE, "mmm"
-		, (has_requestor_cert)
-			? build_requestor_name()
-			: empty_chunk
-		, build_request_list(location)
-		, build_request_ext(location));
+	/* version is skipped since the default is ok */
+	return asn1_wrap(ASN1_SEQUENCE, "mmm"
+				, (has_requestor_cert)
+						? build_requestor_name()
+						: chunk_empty
+				, build_request_list(location)
+				, build_request_ext(location));
 }
 
-/* assembles an ocsp request to given location
+/**
+ * Assembles an ocsp request to given location
  * and sets nonce field in location to the sent nonce
  */
-chunk_t
-build_ocsp_request(ocsp_location_t *location)
+chunk_t build_ocsp_request(ocsp_location_t *location)
 {
-    bool has_requestor_cert;
-    chunk_t tbsRequest, signature;
-    char buf[BUF_LEN];
-
-    DBG(DBG_CONTROL,
-	DBG_log("assembling ocsp request");
-	dntoa(buf, BUF_LEN, location->issuer);
-	DBG_log("issuer: '%s'", buf);
-	if (location->authKeyID.ptr != NULL)
-	{
-	    datatot(location->authKeyID.ptr, location->authKeyID.len, ':'
-		, buf, BUF_LEN);
-	    DBG_log("authkey: %s", buf);
-	}
-    )
-    lock_certs_and_keys("build_ocsp_request");
+	bool has_requestor_cert;
+	chunk_t tbsRequest, signature;
+	char buf[BUF_LEN];
 
-    /* looks for requestor cert and matching private key */
-    has_requestor_cert = get_ocsp_requestor_cert(location);
+	DBG(DBG_CONTROL,
+		DBG_log("assembling ocsp request");
+		dntoa(buf, BUF_LEN, location->issuer);
+		DBG_log("issuer: '%s'", buf);
+		if (location->authKeyID.ptr != NULL)
+		{
+			datatot(location->authKeyID.ptr, location->authKeyID.len, ':'
+				, buf, BUF_LEN);
+			DBG_log("authkey: %s", buf);
+		}
+	)
+	lock_certs_and_keys("build_ocsp_request");
+
+	/* looks for requestor cert and matching private key */
+	has_requestor_cert = get_ocsp_requestor_cert(location);
 
-    /* build content */
-    tbsRequest = build_tbs_request(location, has_requestor_cert);
+	/* build content */
+	tbsRequest = build_tbs_request(location, has_requestor_cert);
 
-    /* sign tbsReuqest */
-    signature = (has_requestor_cert)? build_signature(tbsRequest)
-				    : empty_chunk;
+	/* sign tbsReuqest */
+	signature = (has_requestor_cert)? build_signature(tbsRequest)
+									: chunk_empty;
 
-    unlock_certs_and_keys("build_ocsp_request");
+	unlock_certs_and_keys("build_ocsp_request");
 
-    return asn1_wrap(ASN1_SEQUENCE, "mm"
-		, tbsRequest
-		, signature);
+	return asn1_wrap(ASN1_SEQUENCE, "mm"
+				, tbsRequest
+				, signature);
 }
 
-/*
- * check if the OCSP response has a valid signature
+/**
+ * Check if the OCSP response has a valid signature
  */
-static bool
-valid_ocsp_response(response_t *res)
+static bool valid_ocsp_response(response_t *res)
 {
-    int pathlen;
-    x509cert_t *authcert;
+	int pathlen;
+	x509cert_t *authcert;
 
-    lock_authcert_list("valid_ocsp_response");
+	lock_authcert_list("valid_ocsp_response");
 
-    authcert = get_authcert(res->responder_id_name, empty_chunk
-		    , res->responder_id_key, AUTH_OCSP | AUTH_CA);
-
-    if (authcert == NULL)
-    {
-	plog("no matching ocsp signer cert found");
-	unlock_authcert_list("valid_ocsp_response");
-	return FALSE;
-    }
-    DBG(DBG_CONTROL,
-	DBG_log("ocsp signer cert found")
-    )
-
-    if (!check_signature(res->tbs, res->signature, res->algorithm
-		       , res->algorithm, authcert))
-    {
-	plog("signature of ocsp response is invalid");
-	unlock_authcert_list("valid_ocsp_response");
-	return FALSE;
-    }
-    DBG(DBG_CONTROL,
-	DBG_log("signature of ocsp response is valid")
-    )
-
-
-    for (pathlen = 0; pathlen < MAX_CA_PATH_LEN; pathlen++)
-    {
-	u_char buf[BUF_LEN];
-	err_t ugh = NULL;
-	time_t until;
-
-	x509cert_t *cert = authcert;
-
-	DBG(DBG_CONTROL,
-	    dntoa(buf, BUF_LEN, cert->subject);
-	    DBG_log("subject: '%s'",buf);
-	    dntoa(buf, BUF_LEN, cert->issuer);
-	    DBG_log("issuer:  '%s'",buf);
-	    if (cert->authKeyID.ptr != NULL)
-	    {
-		datatot(cert->authKeyID.ptr, cert->authKeyID.len, ':'
-		    , buf, BUF_LEN);
-		DBG_log("authkey:  %s", buf);
-	    }
-	)
-
-	ugh = check_validity(authcert, &until);
-
-	if (ugh != NULL)
-	{
-	    plog("%s", ugh);
-	    unlock_authcert_list("valid_ocsp_response");
-	    return FALSE;
-        }
-	
-	DBG(DBG_CONTROL,
-	    DBG_log("certificate is valid")
-	)
-	
-	authcert = get_authcert(cert->issuer, cert->authKeySerialNumber
-	    , cert->authKeyID, AUTH_CA);
+	authcert = get_authcert(res->responder_id_name, chunk_empty
+					, res->responder_id_key, AUTH_OCSP | AUTH_CA);
 
 	if (authcert == NULL)
 	{
-	    plog("issuer cacert not found");
-	    unlock_authcert_list("valid_ocsp_response");
-	    return FALSE;
+		plog("no matching ocsp signer cert found");
+		unlock_authcert_list("valid_ocsp_response");
+		return FALSE;
 	}
 	DBG(DBG_CONTROL,
-	    DBG_log("issuer cacert found")
+		DBG_log("ocsp signer cert found")
 	)
 
-	if (!check_signature(cert->tbsCertificate, cert->signature
-			   , cert->algorithm, cert->algorithm, authcert))
+	if (!x509_check_signature(res->tbs, res->signature, res->algorithm, authcert))
 	{
-	    plog("certificate signature is invalid");
-	    unlock_authcert_list("valid_ocsp_response");
-	    return FALSE;
+		plog("signature of ocsp response is invalid");
+		unlock_authcert_list("valid_ocsp_response");
+		return FALSE;
 	}
 	DBG(DBG_CONTROL,
-	    DBG_log("certificate signature is valid")
+		DBG_log("signature of ocsp response is valid")
 	)
 
-	/* check if cert is self-signed */
-	if (same_dn(cert->issuer, cert->subject))
+
+	for (pathlen = 0; pathlen < MAX_CA_PATH_LEN; pathlen++)
 	{
-	    DBG(DBG_CONTROL,
-		DBG_log("reached self-signed root ca")
-	    )
-	    unlock_authcert_list("valid_ocsp_response");
-	    return TRUE;
+		u_char buf[BUF_LEN];
+		err_t ugh = NULL;
+		time_t until;
+
+		x509cert_t *cert = authcert;
+
+		DBG(DBG_CONTROL,
+			dntoa(buf, BUF_LEN, cert->subject);
+			DBG_log("subject: '%s'",buf);
+			dntoa(buf, BUF_LEN, cert->issuer);
+			DBG_log("issuer:  '%s'",buf);
+			if (cert->authKeyID.ptr != NULL)
+			{
+				datatot(cert->authKeyID.ptr, cert->authKeyID.len, ':'
+					, buf, BUF_LEN);
+				DBG_log("authkey:  %s", buf);
+			}
+		)
+
+		ugh = check_validity(authcert, &until);
+
+		if (ugh != NULL)
+		{
+			plog("%s", ugh);
+			unlock_authcert_list("valid_ocsp_response");
+			return FALSE;
+		}
+		
+		DBG(DBG_CONTROL,
+			DBG_log("certificate is valid")
+		)
+		
+		authcert = get_authcert(cert->issuer, cert->authKeySerialNumber
+			, cert->authKeyID, AUTH_CA);
+
+		if (authcert == NULL)
+		{
+			plog("issuer cacert not found");
+			unlock_authcert_list("valid_ocsp_response");
+			return FALSE;
+		}
+		DBG(DBG_CONTROL,
+			DBG_log("issuer cacert found")
+		)
+
+		if (!x509_check_signature(cert->tbsCertificate, cert->signature,
+								  cert->algorithm, authcert))
+		{
+			plog("certificate signature is invalid");
+			unlock_authcert_list("valid_ocsp_response");
+			return FALSE;
+		}
+		DBG(DBG_CONTROL,
+			DBG_log("certificate signature is valid")
+		)
+
+		/* check if cert is self-signed */
+		if (same_dn(cert->issuer, cert->subject))
+		{
+			DBG(DBG_CONTROL,
+				DBG_log("reached self-signed root ca")
+			)
+			unlock_authcert_list("valid_ocsp_response");
+			return TRUE;
+		}
 	}
-    }
-    plog("maximum ca path length of %d levels exceeded", MAX_CA_PATH_LEN);
-    unlock_authcert_list("valid_ocsp_response");
-    return FALSE;
+	plog("maximum ca path length of %d levels exceeded", MAX_CA_PATH_LEN);
+	unlock_authcert_list("valid_ocsp_response");
+	return FALSE;
 }
 
-/*
- * parse a basic OCSP response
+/**
+ * Parse a basic OCSP response
  */
-static bool
-parse_basic_ocsp_response(chunk_t blob, int level0, response_t *res)
+static bool parse_basic_ocsp_response(chunk_t blob, int level0, response_t *res)
 {
-    asn1_ctx_t ctx;
-    bool critical;
-    chunk_t object;
-    u_int level, version;
-    u_char buf[BUF_LEN];
-    int objectID = 0;
-    int extn_oid = OID_UNKNOWN;
-
-    asn1_init(&ctx, blob, level0, FALSE, DBG_RAW);
-
-    while (objectID < BASIC_RESPONSE_ROOF)
-    {
-	if (!extract_object(basicResponseObjects, &objectID, &object, &level, &ctx))
-	    return FALSE;
-	
-	switch (objectID)
+	asn1_parser_t *parser;
+	chunk_t object;
+	u_int version;
+	u_char buf[BUF_LEN];
+	int objectID;
+	int extn_oid = OID_UNKNOWN;
+	bool success = FALSE;
+	bool critical;
+
+	parser = asn1_parser_create(basicResponseObjects, blob);
+	parser->set_top_level(parser, level0);
+
+	while (parser->iterate(parser, &objectID, &object))
 	{
-	case BASIC_RESPONSE_TBS_DATA:
-	    res->tbs = object;
-	    break;
-	case BASIC_RESPONSE_VERSION:
-	    version = (object.len)? (1 + (u_int)*object.ptr) : 1;
-	    if (version != OCSP_BASIC_RESPONSE_VERSION)
-	    {
-		plog("wrong ocsp basic response version (version= %i)",  version);
-		return FALSE;
-	    }
-	    break;
-	case BASIC_RESPONSE_ID_BY_NAME:
-	    res->responder_id_name = object;
-	    DBG(DBG_PARSING,
-		dntoa(buf, BUF_LEN, object);
-		DBG_log("  '%s'",buf)
-	    )
-	    break;
-	case BASIC_RESPONSE_ID_BY_KEY:
-	    res->responder_id_key = object;
-	    break;
-	case BASIC_RESPONSE_PRODUCED_AT:
-	    res->produced_at = asn1totime(&object, ASN1_GENERALIZEDTIME);
-	    break;
-	case BASIC_RESPONSE_RESPONSES:
-	    res->responses = object;
-	    break;
-	case BASIC_RESPONSE_EXT_ID:
-	    extn_oid = known_oid(object);
-	    break;
-	case BASIC_RESPONSE_CRITICAL:
-	    critical = object.len && *object.ptr;
-	    DBG(DBG_PARSING,
-		DBG_log("  %s",(critical)?"TRUE":"FALSE");
-	    )
-	    break;
-	case BASIC_RESPONSE_EXT_VALUE:
-	    if (extn_oid == OID_NONCE)
-		res->nonce = object;
-	    break;
-	case BASIC_RESPONSE_ALGORITHM:
-	    res->algorithm = parse_algorithmIdentifier(object, level+1, NULL);
-	    break;
-	case BASIC_RESPONSE_SIGNATURE:
-	    res->signature = object;
-	    break;
-	case BASIC_RESPONSE_CERTIFICATE:
-	    {
-		chunk_t blob;
-		x509cert_t *cert = alloc_thing(x509cert_t, "ocspcert");
-
-		clonetochunk(blob, object.ptr, object.len, "ocspcert blob");
-		*cert = empty_x509cert;
-
-		if (parse_x509cert(blob, level+1, cert)
-		&& cert->isOcspSigner
-		&& trust_authcert_candidate(cert, NULL))
+		switch (objectID)
 		{
-		    add_authcert(cert, AUTH_OCSP);
-		}
-		else
-		{
-		    DBG(DBG_CONTROL | DBG_PARSING,
-			DBG_log("embedded ocsp certificate rejected")
-		    )
-		    free_x509cert(cert);
+		case BASIC_RESPONSE_TBS_DATA:
+			res->tbs = object;
+			break;
+		case BASIC_RESPONSE_VERSION:
+			version = (object.len)? (1 + (u_int)*object.ptr) : 1;
+			if (version != OCSP_BASIC_RESPONSE_VERSION)
+			{
+				plog("wrong ocsp basic response version (version= %i)",  version);
+				goto end;
+			}
+			break;
+		case BASIC_RESPONSE_ID_BY_NAME:
+			res->responder_id_name = object;
+			DBG(DBG_PARSING,
+				dntoa(buf, BUF_LEN, object);
+				DBG_log("  '%s'",buf)
+			)
+			break;
+		case BASIC_RESPONSE_ID_BY_KEY:
+			res->responder_id_key = object;
+			break;
+		case BASIC_RESPONSE_PRODUCED_AT:
+			res->produced_at = asn1_to_time(&object, ASN1_GENERALIZEDTIME);
+			break;
+		case BASIC_RESPONSE_RESPONSES:
+			res->responses = object;
+			break;
+		case BASIC_RESPONSE_EXT_ID:
+			extn_oid = asn1_known_oid(object);
+			break;
+		case BASIC_RESPONSE_CRITICAL:
+			critical = object.len && *object.ptr;
+			DBG(DBG_PARSING,
+				DBG_log("  %s",(critical)?"TRUE":"FALSE");
+			)
+			break;
+		case BASIC_RESPONSE_EXT_VALUE:
+			if (extn_oid == OID_NONCE)
+				res->nonce = object;
+			break;
+		case BASIC_RESPONSE_ALGORITHM:
+			res->algorithm = asn1_parse_algorithmIdentifier(object,
+								parser->get_level(parser)+1, NULL);
+			break;
+		case BASIC_RESPONSE_SIGNATURE:
+			res->signature = object;
+			break;
+		case BASIC_RESPONSE_CERTIFICATE:
+			{
+				chunk_t blob = chunk_clone(object);
+				x509cert_t *cert = malloc_thing(x509cert_t);
+
+				*cert = empty_x509cert;
+
+				if (parse_x509cert(blob, parser->get_level(parser)+1, cert)
+				&& cert->isOcspSigner
+				&& trust_authcert_candidate(cert, NULL))
+				{
+					add_authcert(cert, AUTH_OCSP);
+				}
+				else
+				{
+					DBG(DBG_CONTROL | DBG_PARSING,
+						DBG_log("embedded ocsp certificate rejected")
+					)
+					free_x509cert(cert);
+				}
+			}
+			break;
 		}
-	    }
-	    break;
 	}
-	objectID++;
-    }
-    return TRUE;
+	success = parser->success(parser);
+
+end:
+	parser->destroy(parser);
+	return success;
+
 }
 
 
-/*
- * parse an ocsp response and return the result as a response_t struct
+/**
+ * Parse an ocsp response and return the result as a response_t struct
  */
-static response_status
-parse_ocsp_response(chunk_t blob, response_t * res)
+static response_status parse_ocsp_response(chunk_t blob, response_t * res)
 {
-    asn1_ctx_t ctx;
-    chunk_t object;
-    u_int level;
-    int objectID = 0;
-    int ocspResponseType = OID_UNKNOWN;
-    response_status rStatus = STATUS_INTERNALERROR;
-
-    asn1_init(&ctx, blob, 0, FALSE, DBG_RAW);
-
-    while (objectID < OCSP_RESPONSE_ROOF)
-    {
-	if (!extract_object(ocspResponseObjects, &objectID, &object, &level, &ctx))
-	    return STATUS_INTERNALERROR;
-
-	switch (objectID) {
-	case OCSP_RESPONSE_STATUS:
-	    rStatus = (response_status) *object.ptr;
-
-	    switch (rStatus)
-	    {
-	    case STATUS_SUCCESSFUL:
-		break;
-	    case STATUS_MALFORMEDREQUEST:
-	    case STATUS_INTERNALERROR:
-	    case STATUS_TRYLATER:
-	    case STATUS_SIGREQUIRED:
-	    case STATUS_UNAUTHORIZED:
-		plog("ocsp response: server said '%s'"
-		    , response_status_names[rStatus]);
-		return rStatus;
-	    default:
-		return STATUS_INTERNALERROR;
-	    }
-	    break;
-	case OCSP_RESPONSE_TYPE:
-	    ocspResponseType = known_oid(object);
-	    break;
-	case OCSP_RESPONSE:
-	    {
-		switch (ocspResponseType) {
-		case OID_BASIC:
-		    if (!parse_basic_ocsp_response(object, level+1, res))
-			return STATUS_INTERNALERROR;
-		    break;
-		default:
-		    DBG(DBG_CONTROL,
-			DBG_log("ocsp response is not of type BASIC");
-			DBG_dump_chunk("ocsp response OID: ", object);
-		    )
-		    return STATUS_INTERNALERROR;
+	asn1_parser_t *parser;
+	chunk_t object;
+	int objectID;
+	int ocspResponseType = OID_UNKNOWN;
+	bool success = FALSE;
+	response_status rStatus = STATUS_INTERNALERROR;
+
+	parser = asn1_parser_create(ocspResponseObjects, blob);
+
+	while (parser->iterate(parser, &objectID, &object))
+	{
+		switch (objectID) {
+		case OCSP_RESPONSE_STATUS:
+			rStatus = (response_status) *object.ptr;
+
+			switch (rStatus)
+			{
+			case STATUS_SUCCESSFUL:
+				break;
+			case STATUS_MALFORMEDREQUEST:
+			case STATUS_INTERNALERROR:
+			case STATUS_TRYLATER:
+			case STATUS_SIGREQUIRED:
+			case STATUS_UNAUTHORIZED:
+				plog("ocsp response: server said '%s'"
+					, response_status_names[rStatus]);
+				goto end;
+			default:
+				goto end;
+			}
+			break;
+		case OCSP_RESPONSE_TYPE:
+			ocspResponseType = asn1_known_oid(object);
+			break;
+		case OCSP_RESPONSE:
+			{
+				switch (ocspResponseType) {
+				case OID_BASIC:
+					success = parse_basic_ocsp_response(object,
+									parser->get_level(parser)+1, res);
+					break;
+				default:
+					DBG(DBG_CONTROL,
+						DBG_log("ocsp response is not of type BASIC");
+						DBG_dump_chunk("ocsp response OID: ", object);
+					)
+					goto end;
+				}
+			}
+			break;
 		}
-	    }
-	    break;
 	}
-	objectID++;
-    }
-    return rStatus;
+	success &= parser->success(parser);
+
+end:
+	parser->destroy(parser);
+	return rStatus;
 }
 
-/*
- * parse a basic OCSP response
+/**
+ * Parse a basic OCSP response
  */
-static bool
-parse_ocsp_single_response(chunk_t blob, int level0, single_response_t *sres)
+static bool parse_ocsp_single_response(chunk_t blob, int level0,
+									   single_response_t *sres)
 {
-    u_int level, extn_oid;
-    asn1_ctx_t ctx;
-    bool critical;
-    chunk_t object;
-    int objectID = 0;
-
-    asn1_init(&ctx, blob, level0, FALSE, DBG_RAW);
+	asn1_parser_t *parser;
+	chunk_t object;
+	u_int extn_oid;
+	int objectID;
+	bool critical;
+	bool success = FALSE;
 
-    while (objectID < SINGLE_RESPONSE_ROOF)
-    {
-	if (!extract_object(singleResponseObjects, &objectID, &object, &level, &ctx))
-	    return FALSE;
+	parser = asn1_parser_create(singleResponseObjects, blob);
+	parser->set_top_level(parser, level0);
 
-	switch (objectID)
+	while (parser->iterate(parser, &objectID, &object))
 	{
-	case SINGLE_RESPONSE_ALGORITHM:
-	    sres->hash_algorithm = parse_algorithmIdentifier(object, level+1, NULL);
-	    break;
-	case SINGLE_RESPONSE_ISSUER_NAME_HASH:
-	    sres->issuer_name_hash = object;
-	    break;
-	case SINGLE_RESPONSE_ISSUER_KEY_HASH:
-	    sres->issuer_key_hash = object;
-	    break;
-	case SINGLE_RESPONSE_SERIAL_NUMBER:
-	    sres->serialNumber = object;
-	    break;
-	case SINGLE_RESPONSE_CERT_STATUS_GOOD:
-	    sres->status = CERT_GOOD;
-	    break;
-	case SINGLE_RESPONSE_CERT_STATUS_REVOKED:
-	    sres->status = CERT_REVOKED;
-	    break;
-	case SINGLE_RESPONSE_CERT_STATUS_REVOCATION_TIME:
-	    sres->revocationTime = asn1totime(&object, ASN1_GENERALIZEDTIME);
-	    break;
-	case SINGLE_RESPONSE_CERT_STATUS_CRL_REASON:
-	    sres->revocationReason = (object.len == 1)
-		? *object.ptr : REASON_UNSPECIFIED;
-	    break;
-	case SINGLE_RESPONSE_CERT_STATUS_UNKNOWN:
-	    sres->status = CERT_UNKNOWN;
-	    break;
-	case SINGLE_RESPONSE_THIS_UPDATE:
-	    sres->thisUpdate = asn1totime(&object, ASN1_GENERALIZEDTIME);
-	    break;
-	case SINGLE_RESPONSE_NEXT_UPDATE:
-	    sres->nextUpdate = asn1totime(&object, ASN1_GENERALIZEDTIME);
-	    break;
-	case SINGLE_RESPONSE_EXT_ID:
-	    extn_oid = known_oid(object);
-	    break;
-	case SINGLE_RESPONSE_CRITICAL:
-	    critical = object.len && *object.ptr;
-	    DBG(DBG_PARSING,
-		DBG_log("  %s",(critical)?"TRUE":"FALSE");
-	    )
-	case SINGLE_RESPONSE_EXT_VALUE:
-	    break;
+		switch (objectID)
+		{
+		case SINGLE_RESPONSE_ALGORITHM:
+			sres->hash_algorithm = asn1_parse_algorithmIdentifier(object,
+										parser->get_level(parser)+1, NULL);
+			break;
+		case SINGLE_RESPONSE_ISSUER_NAME_HASH:
+			sres->issuer_name_hash = object;
+			break;
+		case SINGLE_RESPONSE_ISSUER_KEY_HASH:
+			sres->issuer_key_hash = object;
+			break;
+		case SINGLE_RESPONSE_SERIAL_NUMBER:
+			sres->serialNumber = object;
+			break;
+		case SINGLE_RESPONSE_CERT_STATUS_GOOD:
+			sres->status = CERT_GOOD;
+			break;
+		case SINGLE_RESPONSE_CERT_STATUS_REVOKED:
+			sres->status = CERT_REVOKED;
+			break;
+		case SINGLE_RESPONSE_CERT_STATUS_REVOCATION_TIME:
+			sres->revocationTime = asn1_to_time(&object, ASN1_GENERALIZEDTIME);
+			break;
+		case SINGLE_RESPONSE_CERT_STATUS_CRL_REASON:
+			sres->revocationReason = (object.len == 1)
+				? *object.ptr : REASON_UNSPECIFIED;
+			break;
+		case SINGLE_RESPONSE_CERT_STATUS_UNKNOWN:
+			sres->status = CERT_UNKNOWN;
+			break;
+		case SINGLE_RESPONSE_THIS_UPDATE:
+			sres->thisUpdate = asn1_to_time(&object, ASN1_GENERALIZEDTIME);
+			break;
+		case SINGLE_RESPONSE_NEXT_UPDATE:
+			sres->nextUpdate = asn1_to_time(&object, ASN1_GENERALIZEDTIME);
+			break;
+		case SINGLE_RESPONSE_EXT_ID:
+			extn_oid = asn1_known_oid(object);
+			break;
+		case SINGLE_RESPONSE_CRITICAL:
+			critical = object.len && *object.ptr;
+			DBG(DBG_PARSING,
+				DBG_log("  %s",(critical)?"TRUE":"FALSE");
+			)
+		case SINGLE_RESPONSE_EXT_VALUE:
+			break;
+		}
 	}
-	objectID++;
-    }
-    return TRUE;
+	success = parser->success(parser);
+	parser->destroy(parser);
+	return success;
 }
 
-/*
- * add an ocsp location to a chained list
+/**
+ * Add an ocsp location to a chained list
  */
-ocsp_location_t*
-add_ocsp_location(const ocsp_location_t *loc, ocsp_location_t **chain)
+ocsp_location_t* add_ocsp_location(const ocsp_location_t *loc,
+								   ocsp_location_t **chain)
 {
-    ocsp_location_t *location = alloc_thing(ocsp_location_t, "ocsp location");
-
-    /* unshare location fields */
-    clonetochunk(location->issuer
-		, loc->issuer.ptr, loc->issuer.len
-		, "ocsp issuer");
-
-    clonetochunk(location->authNameID
-		, loc->authNameID.ptr, loc->authNameID.len
-		, "ocsp authNameID");
-
-    if (loc->authKeyID.ptr == NULL)
-	location->authKeyID = empty_chunk;
-    else
-	clonetochunk(location->authKeyID
-		, loc->authKeyID.ptr, loc->authKeyID.len
-		, "ocsp authKeyID");
-
-    if (loc->authKeySerialNumber.ptr == NULL)
-	location->authKeySerialNumber = empty_chunk;
-    else
-	clonetochunk(location->authKeySerialNumber
-    		, loc->authKeySerialNumber.ptr, loc->authKeySerialNumber.len
-		, "ocsp authKeySerialNumber");
-
-    clonetochunk(location->uri
-		, loc->uri.ptr, loc->uri.len
-		, "ocsp uri");
-
-    location->certinfo = NULL;
-
-    /* insert new ocsp location in front of chain */
-    location->next = *chain;
-    *chain = location;
-
-    DBG(DBG_CONTROL,
-	DBG_log("new ocsp location added")
-    )
-
-    return location;
+	ocsp_location_t *location = malloc_thing(ocsp_location_t);
+
+	/* unshare location fields */
+	location->issuer = chunk_clone(loc->issuer);
+	location->authNameID = chunk_clone(loc->authNameID);
+	location->authKeyID = chunk_clone(loc->authKeyID);
+	location->authKeySerialNumber = chunk_clone(loc->authKeySerialNumber);
+	location->uri = chunk_clone(loc->uri);
+	location->certinfo = NULL;
+
+	/* insert new ocsp location in front of chain */
+	location->next = *chain;
+	*chain = location;
+
+	DBG(DBG_CONTROL,
+		DBG_log("new ocsp location added")
+	)
+
+	return location;
 }
 
-/*
+/**
  * add a certinfo struct to a chained list
  */
-void
-add_certinfo(ocsp_location_t *loc, ocsp_certinfo_t *info, ocsp_location_t **chain
-    , bool request)
+void add_certinfo(ocsp_location_t *loc, ocsp_certinfo_t *info,
+				  ocsp_location_t **chain, bool request)
 {
-    ocsp_location_t *location;
-    ocsp_certinfo_t *certinfo, **certinfop;
-    char buf[BUF_LEN];
-    time_t now;
-    int cmp = -1;
-
-    location = get_ocsp_location(loc, *chain);
-    if (location == NULL)
-	location = add_ocsp_location(loc, chain);
-
-    /* traverse list of certinfos in increasing order */
-    certinfop = &location->certinfo;
-    certinfo = *certinfop;
-
-    while (certinfo != NULL)
-    {
-	cmp = cmp_chunk(info->serialNumber, certinfo->serialNumber);
-	if (cmp <= 0)
-	    break;
-	certinfop = &certinfo->next;
+	ocsp_location_t *location;
+	ocsp_certinfo_t *certinfo, **certinfop;
+	char buf[BUF_LEN];
+	time_t now;
+	int cmp = -1;
+
+	location = get_ocsp_location(loc, *chain);
+	if (location == NULL)
+	{
+		location = add_ocsp_location(loc, chain);
+	}
+
+	/* traverse list of certinfos in increasing order */
+	certinfop = &location->certinfo;
 	certinfo = *certinfop;
-    }
-
-    if (cmp != 0)
-    {
-	/* add a new certinfo entry */
-	ocsp_certinfo_t *cnew = alloc_thing(ocsp_certinfo_t, "ocsp certinfo");
-	clonetochunk(cnew->serialNumber, info->serialNumber.ptr
-	    , info->serialNumber.len, "serialNumber");
-	cnew->next = certinfo;
-	*certinfop = cnew;
-	certinfo = cnew;
-    }
-	
-    DBG(DBG_CONTROL,
-	datatot(info->serialNumber.ptr, info->serialNumber.len, ':'
-	    , buf, BUF_LEN);
-	DBG_log("ocsp %s for serial %s %s"
-	    , request?"fetch request":"certinfo"
-	    , buf
-	    , (cmp == 0)? (request?"already exists":"updated"):"added")
-    )
-
-    time(&now);
-   
-    if (request)
-    {
-	certinfo->status = CERT_UNDEFINED;
-	
+
+	while (certinfo != NULL)
+	{
+		cmp = chunk_compare(info->serialNumber, certinfo->serialNumber);
+		if (cmp <= 0)
+			break;
+		certinfop = &certinfo->next;
+		certinfo = *certinfop;
+	}
+
 	if (cmp != 0)
-	    certinfo->thisUpdate = now;
-
-	certinfo->nextUpdate = UNDEFINED_TIME;
-    }
-    else
-    {
-	certinfo->status = info->status;
-	certinfo->revocationTime = info->revocationTime;
-	certinfo->revocationReason = info->revocationReason;
-	
-	certinfo->thisUpdate = (info->thisUpdate != UNDEFINED_TIME)?
-	    info->thisUpdate : now;
+	{
+		/* add a new certinfo entry */
+		ocsp_certinfo_t *cnew = malloc_thing(ocsp_certinfo_t);
+
+		cnew->serialNumber = chunk_clone(info->serialNumber);
+		cnew->next = certinfo;
+		*certinfop = cnew;
+		certinfo = cnew;
+	}
+		
+	DBG(DBG_CONTROL,
+		datatot(info->serialNumber.ptr, info->serialNumber.len, ':'
+			, buf, BUF_LEN);
+		DBG_log("ocsp %s for serial %s %s"
+			, request?"fetch request":"certinfo"
+			, buf
+			, (cmp == 0)? (request?"already exists":"updated"):"added")
+	)
+
+	time(&now);
+
+	if (request)
+	{
+		certinfo->status = CERT_UNDEFINED;
+		
+		if (cmp != 0)
+		{
+			certinfo->thisUpdate = now;
+		}
+		certinfo->nextUpdate = UNDEFINED_TIME;
+	}
+	else
+	{
+		certinfo->status = info->status;
+		certinfo->revocationTime = info->revocationTime;
+		certinfo->revocationReason = info->revocationReason;
+		
+		certinfo->thisUpdate = (info->thisUpdate != UNDEFINED_TIME)?
+			info->thisUpdate : now;
 
-	certinfo->once = (info->nextUpdate == UNDEFINED_TIME);
+		certinfo->once = (info->nextUpdate == UNDEFINED_TIME);
 
-	certinfo->nextUpdate = (certinfo->once)?
-	    (now + OCSP_DEFAULT_VALID_TIME) : info->nextUpdate;
-    }
+		certinfo->nextUpdate = (certinfo->once)?
+			(now + OCSP_DEFAULT_VALID_TIME) : info->nextUpdate;
+	}
 }
 
-/*
- * process received ocsp single response and add it to ocsp cache
+/**
+ * Process received ocsp single response and add it to ocsp cache
  */
-static void
-process_single_response(ocsp_location_t *location, single_response_t *sres)
+static void process_single_response(ocsp_location_t *location,
+									single_response_t *sres)
 {
-    ocsp_certinfo_t *certinfo, **certinfop;
-    int cmp = -1;
-
-    if (sres->hash_algorithm != OID_SHA1)
-    {
-	plog("only SHA-1 hash supported in OCSP single response");
-	return;
-    }
-    if (!(same_chunk(sres->issuer_name_hash, location->authNameID)
-    &&   same_chunk(sres->issuer_key_hash, location->authKeyID)))
-    {
-	plog("ocsp single response has wrong issuer");
-	return;
-    }
-    
-    /* traverse list of certinfos in increasing order */
-    certinfop = &location->certinfo;
-    certinfo = *certinfop;
-
-    while (certinfo != NULL)
-    {
-	cmp = cmp_chunk(sres->serialNumber, certinfo->serialNumber);
-	if (cmp <= 0)
-	    break;
-	certinfop = &certinfo->next;
+	ocsp_certinfo_t *certinfo, **certinfop;
+	int cmp = -1;
+
+	if (sres->hash_algorithm != OID_SHA1)
+	{
+		plog("only SHA-1 hash supported in OCSP single response");
+		return;
+	}
+	if (!(chunk_equals(sres->issuer_name_hash, location->authNameID)
+	&&   chunk_equals(sres->issuer_key_hash, location->authKeyID)))
+	{
+		plog("ocsp single response has wrong issuer");
+		return;
+	}
+	
+	/* traverse list of certinfos in increasing order */
+	certinfop = &location->certinfo;
 	certinfo = *certinfop;
-    }
-
-    if (cmp != 0)
-    {
-	plog("received unrequested cert status from ocsp server");
-	return;
-    }
-
-    /* unlink cert from ocsp fetch request list */
-    *certinfop = certinfo->next;
-    
-    /* update certinfo using the single response information */
-    certinfo->thisUpdate = sres->thisUpdate;
-    certinfo->nextUpdate = sres->nextUpdate;
-    certinfo->status = sres->status;
-    certinfo->revocationTime = sres->revocationTime;
-    certinfo->revocationReason = sres->revocationReason;
-    
-    /* add or update certinfo in ocsp cache */
-    lock_ocsp_cache("process_single_response");
-    add_certinfo(location, certinfo, &ocsp_cache, FALSE);
-    unlock_ocsp_cache("process_single_response");
-
-    /* free certinfo unlinked from ocsp fetch request list */
-    free_certinfo(certinfo);
 
+	while (certinfo != NULL)
+	{
+		cmp = chunk_compare(sres->serialNumber, certinfo->serialNumber);
+		if (cmp <= 0)
+			break;
+		certinfop = &certinfo->next;
+		certinfo = *certinfop;
+	}
+
+	if (cmp != 0)
+	{
+		plog("received unrequested cert status from ocsp server");
+		return;
+	}
+
+	/* unlink cert from ocsp fetch request list */
+	*certinfop = certinfo->next;
+	
+	/* update certinfo using the single response information */
+	certinfo->thisUpdate = sres->thisUpdate;
+	certinfo->nextUpdate = sres->nextUpdate;
+	certinfo->status = sres->status;
+	certinfo->revocationTime = sres->revocationTime;
+	certinfo->revocationReason = sres->revocationReason;
+	
+	/* add or update certinfo in ocsp cache */
+	lock_ocsp_cache("process_single_response");
+	add_certinfo(location, certinfo, &ocsp_cache, FALSE);
+	unlock_ocsp_cache("process_single_response");
+
+	/* free certinfo unlinked from ocsp fetch request list */
+	free_certinfo(certinfo);
 }
 
-/*
- *  parse and verify ocsp response and update the ocsp cache
+/**
+ *  Parse and verify ocsp response and update the ocsp cache
  */
-void
-parse_ocsp(ocsp_location_t *location, chunk_t blob)
+void parse_ocsp(ocsp_location_t *location, chunk_t blob)
 {
-    response_t res = empty_response;
-
-    /* parse the ocsp response without looking at the single responses yet */
-    response_status status = parse_ocsp_response(blob, &res);
-
-    if (status != STATUS_SUCCESSFUL)
-    {
-	plog("error in ocsp response");
-	return;
-    }
-    /* check if there was a nonce in the request */
-    if (location->nonce.ptr != NULL && res.nonce.ptr == NULL)
-    {
-	plog("ocsp response contains no nonce, replay attack possible");
-    }
-    /* check if the nonce is identical */
-    if (res.nonce.ptr != NULL && !same_chunk(res.nonce, location->nonce))
-    {
-	plog("invalid nonce in ocsp response");
-	return;
-    }
-    /* check if the response is signed by a trusted key */
-    if (!valid_ocsp_response(&res))
-    {
-	plog("invalid ocsp response");
-	return;
-    }
-    DBG(DBG_CONTROL,
-	DBG_log("valid ocsp response")
-    )
-
-    /* now parse the single responses one at a time */
-    {
-	u_int level;
-	asn1_ctx_t ctx;
-	chunk_t object;
-	int objectID = 0;
+	response_t res = empty_response;
 
-	asn1_init(&ctx, res.responses, 0, FALSE, DBG_RAW);
+	/* parse the ocsp response without looking at the single responses yet */
+	response_status status = parse_ocsp_response(blob, &res);
 
-	while (objectID < RESPONSES_ROOF)
+	if (status != STATUS_SUCCESSFUL)
+	{
+		plog("error in ocsp response");
+		return;
+	}
+	/* check if there was a nonce in the request */
+	if (location->nonce.ptr != NULL && res.nonce.ptr == NULL)
+	{
+		plog("ocsp response contains no nonce, replay attack possible");
+	}
+	/* check if the nonce is identical */
+	if (res.nonce.ptr != NULL && !chunk_equals(res.nonce, location->nonce))
+	{
+		plog("invalid nonce in ocsp response");
+		return;
+	}
+	/* check if the response is signed by a trusted key */
+	if (!valid_ocsp_response(&res))
 	{
-	    if (!extract_object(responsesObjects, &objectID, &object, &level, &ctx))
+		plog("invalid ocsp response");
 		return;
-	    
-	    if (objectID == RESPONSES_SINGLE_RESPONSE)
-	    {
-		single_response_t sres = empty_single_response;
+	}
+	DBG(DBG_CONTROL,
+		DBG_log("valid ocsp response")
+	)
 
-		if (parse_ocsp_single_response(object, level+1, &sres))
+	/* now parse the single responses one at a time */
+	{
+		asn1_parser_t *parser;
+		chunk_t object;
+		int objectID;
+
+		parser = asn1_parser_create(responsesObjects, res.responses);
+
+		while (parser->iterate(parser, &objectID, &object))
 		{
-		    process_single_response(location, &sres);
+			if (objectID == RESPONSES_SINGLE_RESPONSE)
+			{
+				single_response_t sres = empty_single_response;
+
+				if (!parse_ocsp_single_response(object,
+						 				parser->get_level(parser)+1, &sres))
+				{
+					goto end;
+				}
+				process_single_response(location, &sres);
+			}
 		}
-	    }
-	    objectID++;
+end:
+		parser->destroy(parser);
 	}
-    }
 }
diff --git a/src/pluto/ocsp.h b/src/pluto/ocsp.h
index 6bf42831b..d8ee7bd8c 100644
--- a/src/pluto/ocsp.h
+++ b/src/pluto/ocsp.h
@@ -11,27 +11,25 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: ocsp.h 3253 2007-10-06 21:39:00Z andreas $
  */
 
 #include "constants.h"
 
 /* constants */
 
-#define OCSP_BASIC_RESPONSE_VERSION	1
-#define OCSP_DEFAULT_VALID_TIME		120  /* validity of one-time response in seconds */
-#define OCSP_WARNING_INTERVAL		2    /* days */
+#define OCSP_BASIC_RESPONSE_VERSION     1
+#define OCSP_DEFAULT_VALID_TIME         120  /* validity of one-time response in seconds */
+#define OCSP_WARNING_INTERVAL           2    /* days */
 
 /* OCSP response status */
 
 typedef enum {
-    STATUS_SUCCESSFUL = 	0,
-    STATUS_MALFORMEDREQUEST = 	1,
-    STATUS_INTERNALERROR = 	2,
-    STATUS_TRYLATER = 		3,
-    STATUS_SIGREQUIRED = 	5,
-    STATUS_UNAUTHORIZED= 	6
+	STATUS_SUCCESSFUL =         0,
+	STATUS_MALFORMEDREQUEST =   1,
+	STATUS_INTERNALERROR =      2,
+	STATUS_TRYLATER =           3,
+	STATUS_SIGREQUIRED =        5,
+	STATUS_UNAUTHORIZED=        6
 } response_status;
 
 /* OCSP access structures */
@@ -39,46 +37,46 @@ typedef enum {
 typedef struct ocsp_certinfo ocsp_certinfo_t;
 
 struct ocsp_certinfo {
-    ocsp_certinfo_t  *next;
-    int              trials;
-    chunk_t          serialNumber;
-    cert_status_t    status;
-    bool             once;
-    crl_reason_t     revocationReason;
-    time_t           revocationTime;
-    time_t           thisUpdate;
-    time_t           nextUpdate;
+	ocsp_certinfo_t  *next;
+	int              trials;
+	chunk_t          serialNumber;
+	cert_status_t    status;
+	bool             once;
+	crl_reason_t     revocationReason;
+	time_t           revocationTime;
+	time_t           thisUpdate;
+	time_t           nextUpdate;
 };
 
 typedef struct ocsp_location ocsp_location_t;
 
 struct ocsp_location {
-    ocsp_location_t  *next;
-    chunk_t          issuer;
-    chunk_t          authNameID;
-    chunk_t          authKeyID;
-    chunk_t	     authKeySerialNumber;
-    chunk_t          uri;
-    chunk_t          nonce;
-    ocsp_certinfo_t  *certinfo;
+	ocsp_location_t  *next;
+	chunk_t          issuer;
+	chunk_t          authNameID;
+	chunk_t          authKeyID;
+	chunk_t          authKeySerialNumber;
+	chunk_t          uri;
+	chunk_t          nonce;
+	ocsp_certinfo_t  *certinfo;
 };
 
 extern ocsp_location_t* get_ocsp_location(const ocsp_location_t *loc
-    , ocsp_location_t *chain);
+	, ocsp_location_t *chain);
 extern ocsp_location_t* add_ocsp_location(const ocsp_location_t *loc
-    , ocsp_location_t **chain);
+	, ocsp_location_t **chain);
 extern void add_certinfo(ocsp_location_t *loc, ocsp_certinfo_t *info
-    , ocsp_location_t **chain, bool request);
+	, ocsp_location_t **chain, bool request);
 extern void check_ocsp(void);
 extern cert_status_t verify_by_ocsp(const x509cert_t *cert, time_t *until
-    , time_t *revocationTime, crl_reason_t *revocationReason);
+	, time_t *revocationTime, crl_reason_t *revocationReason);
 extern bool ocsp_set_request_cert(char* path);
 extern void ocsp_set_default_uri(char* uri);
 extern void ocsp_cache_add_cert(const x509cert_t* cert);
 extern chunk_t build_ocsp_request(ocsp_location_t* location);
 extern void parse_ocsp(ocsp_location_t* location, chunk_t blob);
 extern void list_ocsp_locations(ocsp_location_t *location, bool requests
-    , bool utc, bool strict);
+	, bool utc, bool strict);
 extern void list_ocsp_cache(bool utc, bool strict);
 extern void free_ocsp_locations(ocsp_location_t **chain);
 extern void free_ocsp_cache(void);
diff --git a/src/pluto/packet.c b/src/pluto/packet.c
index e8a3a1e11..01967efed 100644
--- a/src/pluto/packet.c
+++ b/src/pluto/packet.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: packet.c 3252 2007-10-06 21:24:50Z andreas $
  */
 
 #include <stdio.h>
@@ -27,7 +25,7 @@
 #include "defs.h"
 #include "log.h"
 #include "packet.h"
-#include "whack.h"	/* for RC_LOG_SERIOUS */
+#include "whack.h"      /* for RC_LOG_SERIOUS */
 
 /* ISAKMP Header: for all messages
  * layout from RFC 2408 "ISAKMP" section 3.1
@@ -49,15 +47,15 @@
  */
 
 static field_desc isa_fields[] = {
-    { ft_raw, COOKIE_SIZE, "initiator cookie", NULL },
-    { ft_raw, COOKIE_SIZE, "responder cookie", NULL },
-    { ft_enum, 8/BITS_PER_BYTE, "next payload type", &payload_names },
-    { ft_enum, 8/BITS_PER_BYTE, "ISAKMP version", &version_names },
-    { ft_enum, 8/BITS_PER_BYTE, "exchange type", &exchange_names },
-    { ft_set, 8/BITS_PER_BYTE, "flags", flag_bit_names },
-    { ft_raw, 32/BITS_PER_BYTE, "message ID", NULL },
-    { ft_len, 32/BITS_PER_BYTE, "length", NULL },
-    { ft_end, 0, NULL, NULL }
+	{ ft_raw, COOKIE_SIZE, "initiator cookie", NULL },
+	{ ft_raw, COOKIE_SIZE, "responder cookie", NULL },
+	{ ft_enum, 8/BITS_PER_BYTE, "next payload type", &payload_names },
+	{ ft_enum, 8/BITS_PER_BYTE, "ISAKMP version", &version_names },
+	{ ft_enum, 8/BITS_PER_BYTE, "exchange type", &exchange_names },
+	{ ft_set, 8/BITS_PER_BYTE, "flags", flag_bit_names },
+	{ ft_raw, 32/BITS_PER_BYTE, "message ID", NULL },
+	{ ft_len, 32/BITS_PER_BYTE, "length", NULL },
+	{ ft_end, 0, NULL, NULL }
 };
 
 struct_desc isakmp_hdr_desc = { "ISAKMP Message", isa_fields, sizeof(struct isakmp_hdr) };
@@ -74,10 +72,10 @@ struct_desc isakmp_hdr_desc = { "ISAKMP Message", isa_fields, sizeof(struct isak
  */
 
 static field_desc isag_fields[] = {
-    { ft_enum, 8/BITS_PER_BYTE, "next payload type", &payload_names },
-    { ft_mbz, 8/BITS_PER_BYTE, NULL, NULL },
-    { ft_len, 16/BITS_PER_BYTE, "length", NULL },
-    { ft_end, 0, NULL, NULL }
+	{ ft_enum, 8/BITS_PER_BYTE, "next payload type", &payload_names },
+	{ ft_mbz, 8/BITS_PER_BYTE, NULL, NULL },
+	{ ft_len, 16/BITS_PER_BYTE, "length", NULL },
+	{ ft_end, 0, NULL, NULL }
 };
 
 struct_desc isakmp_generic_desc = { "ISAKMP Generic Payload", isag_fields, sizeof(struct isakmp_generic) };
@@ -100,36 +98,36 @@ struct_desc isakmp_generic_desc = { "ISAKMP Generic Payload", isag_fields, sizeo
 
 /* Oakley Attributes */
 static field_desc isaat_fields_oakley[] = {
-    { ft_af_enum, 16/BITS_PER_BYTE, "af+type", &oakley_attr_names },
-    { ft_lv, 16/BITS_PER_BYTE, "length/value", NULL },
-    { ft_end, 0, NULL, NULL }
+	{ ft_af_enum, 16/BITS_PER_BYTE, "af+type", &oakley_attr_names },
+	{ ft_lv, 16/BITS_PER_BYTE, "length/value", NULL },
+	{ ft_end, 0, NULL, NULL }
 };
 
 struct_desc isakmp_oakley_attribute_desc = {
-    "ISAKMP Oakley attribute",
-    isaat_fields_oakley, sizeof(struct isakmp_attribute) };
+	"ISAKMP Oakley attribute",
+	isaat_fields_oakley, sizeof(struct isakmp_attribute) };
 
 /* IPsec DOI Attributes */
 static field_desc isaat_fields_ipsec[] = {
-    { ft_af_enum, 16/BITS_PER_BYTE, "af+type", &ipsec_attr_names },
-    { ft_lv, 16/BITS_PER_BYTE, "length/value", NULL },
-    { ft_end, 0, NULL, NULL }
+	{ ft_af_enum, 16/BITS_PER_BYTE, "af+type", &ipsec_attr_names },
+	{ ft_lv, 16/BITS_PER_BYTE, "length/value", NULL },
+	{ ft_end, 0, NULL, NULL }
 };
 
 struct_desc isakmp_ipsec_attribute_desc = {
-    "ISAKMP IPsec DOI attribute",
-    isaat_fields_ipsec, sizeof(struct isakmp_attribute) };
+	"ISAKMP IPsec DOI attribute",
+	isaat_fields_ipsec, sizeof(struct isakmp_attribute) };
 
 /* Mode Config Attributes */
 static field_desc isaat_fields_modecfg[] = {
-    { ft_af_loose_enum, 16/BITS_PER_BYTE, "ModeCfg attr type", &modecfg_attr_names },
-    { ft_lv, 16/BITS_PER_BYTE, "length/value", NULL },
-    { ft_end, 0, NULL, NULL }
+	{ ft_af_loose_enum, 16/BITS_PER_BYTE, "ModeCfg attr type", &modecfg_attr_names },
+	{ ft_lv, 16/BITS_PER_BYTE, "length/value", NULL },
+	{ ft_end, 0, NULL, NULL }
 };
 
 struct_desc isakmp_modecfg_attribute_desc = {
-    "ISAKMP ModeCfg attribute",
-    isaat_fields_modecfg, sizeof(struct isakmp_attribute) };
+	"ISAKMP ModeCfg attribute",
+	isaat_fields_modecfg, sizeof(struct isakmp_attribute) };
 
 /* ISAKMP Security Association Payload
  * layout from RFC 2408 "ISAKMP" section 3.4
@@ -148,18 +146,18 @@ struct_desc isakmp_modecfg_attribute_desc = {
  * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  */
 static field_desc isasa_fields[] = {
-    { ft_enum, 8/BITS_PER_BYTE, "next payload type", &payload_names },
-    { ft_mbz, 8/BITS_PER_BYTE, NULL, NULL },
-    { ft_len, 16/BITS_PER_BYTE, "length", NULL },
-    { ft_enum, 32/BITS_PER_BYTE, "DOI", &doi_names },
-    { ft_end, 0, NULL, NULL }
+	{ ft_enum, 8/BITS_PER_BYTE, "next payload type", &payload_names },
+	{ ft_mbz, 8/BITS_PER_BYTE, NULL, NULL },
+	{ ft_len, 16/BITS_PER_BYTE, "length", NULL },
+	{ ft_enum, 32/BITS_PER_BYTE, "DOI", &doi_names },
+	{ ft_end, 0, NULL, NULL }
 };
 
 struct_desc isakmp_sa_desc = { "ISAKMP Security Association Payload", isasa_fields, sizeof(struct isakmp_sa) };
 
 static field_desc ipsec_sit_field[] = {
-    { ft_set, 32/BITS_PER_BYTE, "IPsec DOI SIT", &sit_bit_names },
-    { ft_end, 0, NULL, NULL }
+	{ ft_set, 32/BITS_PER_BYTE, "IPsec DOI SIT", &sit_bit_names },
+	{ ft_end, 0, NULL, NULL }
 };
 
 struct_desc ipsec_sit_desc = { "IPsec DOI SIT", ipsec_sit_field, sizeof(u_int32_t) };
@@ -179,14 +177,14 @@ struct_desc ipsec_sit_desc = { "IPsec DOI SIT", ipsec_sit_field, sizeof(u_int32_
  * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  */
 static field_desc isap_fields[] = {
-    { ft_enum, 8/BITS_PER_BYTE, "next payload type", &payload_names },
-    { ft_mbz, 8/BITS_PER_BYTE, NULL, NULL },
-    { ft_len, 16/BITS_PER_BYTE, "length", NULL },
-    { ft_nat, 8/BITS_PER_BYTE, "proposal number", NULL },
-    { ft_enum, 8/BITS_PER_BYTE, "protocol ID", &protocol_names },
-    { ft_nat, 8/BITS_PER_BYTE, "SPI size", NULL },
-    { ft_nat, 8/BITS_PER_BYTE, "number of transforms", NULL },
-    { ft_end, 0, NULL, NULL }
+	{ ft_enum, 8/BITS_PER_BYTE, "next payload type", &payload_names },
+	{ ft_mbz, 8/BITS_PER_BYTE, NULL, NULL },
+	{ ft_len, 16/BITS_PER_BYTE, "length", NULL },
+	{ ft_nat, 8/BITS_PER_BYTE, "proposal number", NULL },
+	{ ft_enum, 8/BITS_PER_BYTE, "protocol ID", &protocol_names },
+	{ ft_nat, 8/BITS_PER_BYTE, "SPI size", NULL },
+	{ ft_nat, 8/BITS_PER_BYTE, "number of transforms", NULL },
+	{ ft_end, 0, NULL, NULL }
 };
 
 struct_desc isakmp_proposal_desc = { "ISAKMP Proposal Payload", isap_fields, sizeof(struct isakmp_proposal) };
@@ -210,63 +208,63 @@ struct_desc isakmp_proposal_desc = { "ISAKMP Proposal Payload", isap_fields, siz
 
 /* PROTO_ISAKMP */
 static field_desc isat_fields_isakmp[] = {
-    { ft_enum, 8/BITS_PER_BYTE, "next payload type", &payload_names },
-    { ft_mbz, 8/BITS_PER_BYTE, NULL, NULL },
-    { ft_len, 16/BITS_PER_BYTE, "length", NULL },
-    { ft_nat, 8/BITS_PER_BYTE, "transform number", NULL },
-    { ft_enum, 8/BITS_PER_BYTE, "transform ID", &isakmp_transformid_names },
-    { ft_mbz, 16/BITS_PER_BYTE, NULL, NULL },
-    { ft_end, 0, NULL, NULL }
+	{ ft_enum, 8/BITS_PER_BYTE, "next payload type", &payload_names },
+	{ ft_mbz, 8/BITS_PER_BYTE, NULL, NULL },
+	{ ft_len, 16/BITS_PER_BYTE, "length", NULL },
+	{ ft_nat, 8/BITS_PER_BYTE, "transform number", NULL },
+	{ ft_enum, 8/BITS_PER_BYTE, "transform ID", &isakmp_transformid_names },
+	{ ft_mbz, 16/BITS_PER_BYTE, NULL, NULL },
+	{ ft_end, 0, NULL, NULL }
 };
 
 struct_desc isakmp_isakmp_transform_desc = {
-    "ISAKMP Transform Payload (ISAKMP)",
-    isat_fields_isakmp, sizeof(struct isakmp_transform) };
+	"ISAKMP Transform Payload (ISAKMP)",
+	isat_fields_isakmp, sizeof(struct isakmp_transform) };
 
 /* PROTO_IPSEC_AH */
 static field_desc isat_fields_ah[] = {
-    { ft_enum, 8/BITS_PER_BYTE, "next payload type", &payload_names },
-    { ft_mbz, 8/BITS_PER_BYTE, NULL, NULL },
-    { ft_len, 16/BITS_PER_BYTE, "length", NULL },
-    { ft_nat, 8/BITS_PER_BYTE, "transform number", NULL },
-    { ft_enum, 8/BITS_PER_BYTE, "transform ID", &ah_transformid_names },
-    { ft_mbz, 16/BITS_PER_BYTE, NULL, NULL },
-    { ft_end, 0, NULL, NULL }
+	{ ft_enum, 8/BITS_PER_BYTE, "next payload type", &payload_names },
+	{ ft_mbz, 8/BITS_PER_BYTE, NULL, NULL },
+	{ ft_len, 16/BITS_PER_BYTE, "length", NULL },
+	{ ft_nat, 8/BITS_PER_BYTE, "transform number", NULL },
+	{ ft_enum, 8/BITS_PER_BYTE, "transform ID", &ah_transformid_names },
+	{ ft_mbz, 16/BITS_PER_BYTE, NULL, NULL },
+	{ ft_end, 0, NULL, NULL }
 };
 
 struct_desc isakmp_ah_transform_desc = {
-    "ISAKMP Transform Payload (AH)",
-    isat_fields_ah, sizeof(struct isakmp_transform) };
+	"ISAKMP Transform Payload (AH)",
+	isat_fields_ah, sizeof(struct isakmp_transform) };
 
 /* PROTO_IPSEC_ESP */
 static field_desc isat_fields_esp[] = {
-    { ft_enum, 8/BITS_PER_BYTE, "next payload type", &payload_names },
-    { ft_mbz, 8/BITS_PER_BYTE, NULL, NULL },
-    { ft_len, 16/BITS_PER_BYTE, "length", NULL },
-    { ft_nat, 8/BITS_PER_BYTE, "transform number", NULL },
-    { ft_enum, 8/BITS_PER_BYTE, "transform ID", &esp_transformid_names },
-    { ft_mbz, 16/BITS_PER_BYTE, NULL, NULL },
-    { ft_end, 0, NULL, NULL }
+	{ ft_enum, 8/BITS_PER_BYTE, "next payload type", &payload_names },
+	{ ft_mbz, 8/BITS_PER_BYTE, NULL, NULL },
+	{ ft_len, 16/BITS_PER_BYTE, "length", NULL },
+	{ ft_nat, 8/BITS_PER_BYTE, "transform number", NULL },
+	{ ft_enum, 8/BITS_PER_BYTE, "transform ID", &esp_transformid_names },
+	{ ft_mbz, 16/BITS_PER_BYTE, NULL, NULL },
+	{ ft_end, 0, NULL, NULL }
 };
 
 struct_desc isakmp_esp_transform_desc = {
-    "ISAKMP Transform Payload (ESP)",
-    isat_fields_esp, sizeof(struct isakmp_transform) };
+	"ISAKMP Transform Payload (ESP)",
+	isat_fields_esp, sizeof(struct isakmp_transform) };
 
 /* PROTO_IPCOMP */
 static field_desc isat_fields_ipcomp[] = {
-    { ft_enum, 8/BITS_PER_BYTE, "next payload type", &payload_names },
-    { ft_mbz, 8/BITS_PER_BYTE, NULL, NULL },
-    { ft_len, 16/BITS_PER_BYTE, "length", NULL },
-    { ft_nat, 8/BITS_PER_BYTE, "transform number", NULL },
-    { ft_enum, 8/BITS_PER_BYTE, "transform ID", &ipcomp_transformid_names },
-    { ft_mbz, 16/BITS_PER_BYTE, NULL, NULL },
-    { ft_end, 0, NULL, NULL }
+	{ ft_enum, 8/BITS_PER_BYTE, "next payload type", &payload_names },
+	{ ft_mbz, 8/BITS_PER_BYTE, NULL, NULL },
+	{ ft_len, 16/BITS_PER_BYTE, "length", NULL },
+	{ ft_nat, 8/BITS_PER_BYTE, "transform number", NULL },
+	{ ft_enum, 8/BITS_PER_BYTE, "transform ID", &ipcomp_transformid_names },
+	{ ft_mbz, 16/BITS_PER_BYTE, NULL, NULL },
+	{ ft_end, 0, NULL, NULL }
 };
 
 struct_desc isakmp_ipcomp_transform_desc = {
-    "ISAKMP Transform Payload (COMP)",
-    isat_fields_ipcomp, sizeof(struct isakmp_transform) };
+	"ISAKMP Transform Payload (COMP)",
+	isat_fields_ipcomp, sizeof(struct isakmp_transform) };
 
 
 /* ISAKMP Key Exchange Payload: no fixed fields beyond the generic ones.
@@ -303,13 +301,13 @@ struct_desc isakmp_keyex_desc = { "ISAKMP Key Exchange Payload", isag_fields, si
  * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  */
 static field_desc isaid_fields[] = {
-    { ft_enum, 8/BITS_PER_BYTE, "next payload type", &payload_names },
-    { ft_mbz, 8/BITS_PER_BYTE, NULL, NULL },
-    { ft_len, 16/BITS_PER_BYTE, "length", NULL },
-    { ft_enum, 8/BITS_PER_BYTE, "ID type", &ident_names },	/* ??? depends on DOI? */
-    { ft_nat, 8/BITS_PER_BYTE, "DOI specific A", NULL },	/* ??? depends on DOI? */
-    { ft_nat, 16/BITS_PER_BYTE, "DOI specific B", NULL },	/* ??? depends on DOI? */
-    { ft_end, 0, NULL, NULL }
+	{ ft_enum, 8/BITS_PER_BYTE, "next payload type", &payload_names },
+	{ ft_mbz, 8/BITS_PER_BYTE, NULL, NULL },
+	{ ft_len, 16/BITS_PER_BYTE, "length", NULL },
+	{ ft_enum, 8/BITS_PER_BYTE, "ID type", &ident_names },      /* ??? depends on DOI? */
+	{ ft_nat, 8/BITS_PER_BYTE, "DOI specific A", NULL },        /* ??? depends on DOI? */
+	{ ft_nat, 16/BITS_PER_BYTE, "DOI specific B", NULL },       /* ??? depends on DOI? */
+	{ ft_end, 0, NULL, NULL }
 };
 
 struct_desc isakmp_identification_desc = { "ISAKMP Identification Payload", isaid_fields, sizeof(struct isakmp_id) };
@@ -330,13 +328,13 @@ struct_desc isakmp_identification_desc = { "ISAKMP Identification Payload", isai
  * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  */
 static field_desc isaiid_fields[] = {
-    { ft_enum, 8/BITS_PER_BYTE, "next payload type", &payload_names },
-    { ft_mbz, 8/BITS_PER_BYTE, NULL, NULL },
-    { ft_len, 16/BITS_PER_BYTE, "length", NULL },
-    { ft_enum, 8/BITS_PER_BYTE, "ID type", &ident_names },
-    { ft_nat, 8/BITS_PER_BYTE, "Protocol ID", NULL },	/* ??? UDP/TCP or 0? */
-    { ft_nat, 16/BITS_PER_BYTE, "port", NULL },
-    { ft_end, 0, NULL, NULL }
+	{ ft_enum, 8/BITS_PER_BYTE, "next payload type", &payload_names },
+	{ ft_mbz, 8/BITS_PER_BYTE, NULL, NULL },
+	{ ft_len, 16/BITS_PER_BYTE, "length", NULL },
+	{ ft_enum, 8/BITS_PER_BYTE, "ID type", &ident_names },
+	{ ft_nat, 8/BITS_PER_BYTE, "Protocol ID", NULL },   /* ??? UDP/TCP or 0? */
+	{ ft_nat, 16/BITS_PER_BYTE, "port", NULL },
+	{ ft_end, 0, NULL, NULL }
 };
 
 struct_desc isakmp_ipsec_identification_desc = { "ISAKMP Identification Payload (IPsec DOI)", isaiid_fields, sizeof(struct isakmp_ipsec_id) };
@@ -357,11 +355,11 @@ struct_desc isakmp_ipsec_identification_desc = { "ISAKMP Identification Payload
  * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  */
 static field_desc isacert_fields[] = {
-    { ft_enum, 8/BITS_PER_BYTE, "next payload type", &payload_names },
-    { ft_mbz, 8/BITS_PER_BYTE, NULL, NULL },
-    { ft_len, 16/BITS_PER_BYTE, "length", NULL },
-    { ft_enum, 8/BITS_PER_BYTE, "cert encoding", &cert_type_names },
-    { ft_end, 0, NULL, NULL }
+	{ ft_enum, 8/BITS_PER_BYTE, "next payload type", &payload_names },
+	{ ft_mbz, 8/BITS_PER_BYTE, NULL, NULL },
+	{ ft_len, 16/BITS_PER_BYTE, "length", NULL },
+	{ ft_enum, 8/BITS_PER_BYTE, "cert encoding", &cert_type_names },
+	{ ft_end, 0, NULL, NULL }
 };
 
 /* Note: the size field of isakmp_ipsec_certificate_desc cannot be
@@ -385,11 +383,11 @@ static field_desc isacert_fields[] = {
  * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  */
 static field_desc isacr_fields[] = {
-    { ft_enum, 8/BITS_PER_BYTE, "next payload type", &payload_names },
-    { ft_mbz, 8/BITS_PER_BYTE, NULL, NULL },
-    { ft_len, 16/BITS_PER_BYTE, "length", NULL },
-    { ft_enum, 8/BITS_PER_BYTE, "cert type", &cert_type_names },
-    { ft_end, 0, NULL, NULL }
+	{ ft_enum, 8/BITS_PER_BYTE, "next payload type", &payload_names },
+	{ ft_mbz, 8/BITS_PER_BYTE, NULL, NULL },
+	{ ft_len, 16/BITS_PER_BYTE, "length", NULL },
+	{ ft_enum, 8/BITS_PER_BYTE, "cert type", &cert_type_names },
+	{ ft_end, 0, NULL, NULL }
 };
 
 /* Note: the size field of isakmp_ipsec_cert_req_desc cannot be
@@ -469,14 +467,14 @@ struct_desc isakmp_nonce_desc = { "ISAKMP Nonce Payload", isag_fields, sizeof(st
  * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  */
 static field_desc isan_fields[] = {
-    { ft_enum, 8/BITS_PER_BYTE, "next payload type", &payload_names },
-    { ft_mbz, 8/BITS_PER_BYTE, NULL, NULL },
-    { ft_len, 16/BITS_PER_BYTE, "length", NULL },
-    { ft_enum, 32/BITS_PER_BYTE, "DOI", &doi_names },
-    { ft_nat, 8/BITS_PER_BYTE, "protocol ID", NULL },	/* ??? really enum: ISAKMP, IPSEC, ESP, ... */
-    { ft_nat, 8/BITS_PER_BYTE, "SPI size", NULL },
-    { ft_enum, 16/BITS_PER_BYTE, "Notify Message Type", &notification_names },
-    { ft_end, 0, NULL, NULL }
+	{ ft_enum, 8/BITS_PER_BYTE, "next payload type", &payload_names },
+	{ ft_mbz, 8/BITS_PER_BYTE, NULL, NULL },
+	{ ft_len, 16/BITS_PER_BYTE, "length", NULL },
+	{ ft_enum, 32/BITS_PER_BYTE, "DOI", &doi_names },
+	{ ft_nat, 8/BITS_PER_BYTE, "protocol ID", NULL },   /* ??? really enum: ISAKMP, IPSEC, ESP, ... */
+	{ ft_nat, 8/BITS_PER_BYTE, "SPI size", NULL },
+	{ ft_enum, 16/BITS_PER_BYTE, "Notify Message Type", &notification_names },
+	{ ft_end, 0, NULL, NULL }
 };
 
 struct_desc isakmp_notification_desc = { "ISAKMP Notification Payload", isan_fields, sizeof(struct isakmp_notification) };
@@ -500,14 +498,14 @@ struct_desc isakmp_notification_desc = { "ISAKMP Notification Payload", isan_fie
  * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  */
 static field_desc isad_fields[] = {
-    { ft_enum, 8/BITS_PER_BYTE, "next payload type", &payload_names },
-    { ft_mbz, 8/BITS_PER_BYTE, NULL, NULL },
-    { ft_len, 16/BITS_PER_BYTE, "length", NULL },
-    { ft_enum, 32/BITS_PER_BYTE, "DOI", &doi_names },
-    { ft_nat, 8/BITS_PER_BYTE, "protocol ID", NULL },	/* ??? really enum: ISAKMP, IPSEC */
-    { ft_nat, 8/BITS_PER_BYTE, "SPI size", NULL },
-    { ft_nat, 16/BITS_PER_BYTE, "number of SPIs", NULL },
-    { ft_end, 0, NULL, NULL }
+	{ ft_enum, 8/BITS_PER_BYTE, "next payload type", &payload_names },
+	{ ft_mbz, 8/BITS_PER_BYTE, NULL, NULL },
+	{ ft_len, 16/BITS_PER_BYTE, "length", NULL },
+	{ ft_enum, 32/BITS_PER_BYTE, "DOI", &doi_names },
+	{ ft_nat, 8/BITS_PER_BYTE, "protocol ID", NULL },   /* ??? really enum: ISAKMP, IPSEC */
+	{ ft_nat, 8/BITS_PER_BYTE, "SPI size", NULL },
+	{ ft_nat, 16/BITS_PER_BYTE, "number of SPIs", NULL },
+	{ ft_end, 0, NULL, NULL }
 };
 
 struct_desc isakmp_delete_desc = { "ISAKMP Delete Payload", isad_fields, sizeof(struct isakmp_delete) };
@@ -532,26 +530,26 @@ struct_desc isakmp_vendor_id_desc = { "ISAKMP Vendor ID Payload", isag_fields, s
 /*
  * From draft-dukes-ike-mode-cfg
 3.2. Attribute Payload
-                           1                   2                   3
-       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
-     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-     ! Next Payload  !   RESERVED    !         Payload Length        !
-     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-     !     Type      !   RESERVED    !           Identifier          ! 
-     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-     !                                                               !
-     ~                           Attributes                          ~
-     !                                                               !
-     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+						   1                   2                   3
+	   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+	 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+	 ! Next Payload  !   RESERVED    !         Payload Length        !
+	 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+	 !     Type      !   RESERVED    !           Identifier          ! 
+	 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+	 !                                                               !
+	 ~                           Attributes                          ~
+	 !                                                               !
+	 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 */
 static field_desc isaattr_fields[] = {
-    { ft_enum, 8/BITS_PER_BYTE, "next payload type", &payload_names },
-    { ft_mbz, 8/BITS_PER_BYTE, NULL, NULL },
-    { ft_len, 16/BITS_PER_BYTE, "length", NULL },
-    { ft_enum, 8/BITS_PER_BYTE, "Attr Msg Type", &attr_msg_type_names },
-    { ft_mbz, 8/BITS_PER_BYTE, NULL, NULL },
-    { ft_nat, 16/BITS_PER_BYTE, "Identifier", NULL },
-    { ft_end, 0, NULL, NULL }
+	{ ft_enum, 8/BITS_PER_BYTE, "next payload type", &payload_names },
+	{ ft_mbz, 8/BITS_PER_BYTE, NULL, NULL },
+	{ ft_len, 16/BITS_PER_BYTE, "length", NULL },
+	{ ft_enum, 8/BITS_PER_BYTE, "Attr Msg Type", &attr_msg_type_names },
+	{ ft_mbz, 8/BITS_PER_BYTE, NULL, NULL },
+	{ ft_nat, 16/BITS_PER_BYTE, "Identifier", NULL },
+	{ ft_end, 0, NULL, NULL }
 };
 
 struct_desc isakmp_attr_desc = { "ISAKMP Mode Attribute", isaattr_fields, sizeof(struct isakmp_mode_attr) };
@@ -581,12 +579,12 @@ struct_desc isakmp_nat_d = { "ISAKMP NAT-D Payload", isag_fields, sizeof(struct
  * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  */
 static field_desc isanat_oa_fields[] = {
-    { ft_enum, 8/BITS_PER_BYTE, "next payload type", &payload_names },
-    { ft_mbz, 8/BITS_PER_BYTE, NULL, NULL },
-    { ft_len, 16/BITS_PER_BYTE, "length", NULL },
-    { ft_enum, 8/BITS_PER_BYTE, "ID type", &ident_names },
-    { ft_mbz, 24/BITS_PER_BYTE, NULL, NULL },
-    { ft_end, 0, NULL, NULL }
+	{ ft_enum, 8/BITS_PER_BYTE, "next payload type", &payload_names },
+	{ ft_mbz, 8/BITS_PER_BYTE, NULL, NULL },
+	{ ft_len, 16/BITS_PER_BYTE, "length", NULL },
+	{ ft_enum, 8/BITS_PER_BYTE, "ID type", &ident_names },
+	{ ft_mbz, 24/BITS_PER_BYTE, NULL, NULL },
+	{ ft_end, 0, NULL, NULL }
 };
 
 struct_desc isakmp_nat_oa = { "ISAKMP NAT-OA Payload", isanat_oa_fields, sizeof(struct isakmp_nat_oa) };
@@ -600,40 +598,40 @@ struct_desc isakmp_nat_oa = { "ISAKMP NAT-OA Payload", isanat_oa_fields, sizeof(
  * We make all these entries NULL
  */
 struct_desc *const payload_descs[ISAKMP_NEXT_ROOF] = {
-    NULL,				/* 0 ISAKMP_NEXT_NONE (No other payload following) */
-    &isakmp_sa_desc,			/* 1 ISAKMP_NEXT_SA (Security Association) */
-    NULL,				/* 2 ISAKMP_NEXT_P (Proposal) */
-    NULL,				/* 3 ISAKMP_NEXT_T (Transform) */
-    &isakmp_keyex_desc,			/* 4 ISAKMP_NEXT_KE (Key Exchange) */
-    NULL,				/* 5 ISAKMP_NEXT_ID (Identification) */
-    &isakmp_ipsec_certificate_desc,	/* 6 ISAKMP_NEXT_CERT (Certificate) */
-    &isakmp_ipsec_cert_req_desc,	/* 7 ISAKMP_NEXT_CR (Certificate Request) */
-    &isakmp_hash_desc,			/* 8 ISAKMP_NEXT_HASH (Hash) */
-    &isakmp_signature_desc,		/* 9 ISAKMP_NEXT_SIG (Signature) */
-    &isakmp_nonce_desc,			/* 10 ISAKMP_NEXT_NONCE (Nonce) */
-    &isakmp_notification_desc,		/* 11 ISAKMP_NEXT_N (Notification) */
-    &isakmp_delete_desc,		/* 12 ISAKMP_NEXT_D (Delete) */
-    &isakmp_vendor_id_desc,		/* 13 ISAKMP_NEXT_VID (Vendor ID) */
-    &isakmp_attr_desc,			/* 14 ISAKMP_NEXT_ATTR (Mode Config) */
-    NULL,				/* 15 */
-    NULL,				/* 16 */
-    NULL,				/* 17 */
-    NULL,				/* 18 */
-    NULL,				/* 19 */
-    &isakmp_nat_d,              	/* 20=130 ISAKMP_NEXT_NATD (NAT-D) */
-    &isakmp_nat_oa,             	/* 20=131 ISAKMP_NEXT_NATOA (NAT-OA) */
+	NULL,                               /* 0 ISAKMP_NEXT_NONE (No other payload following) */
+	&isakmp_sa_desc,                    /* 1 ISAKMP_NEXT_SA (Security Association) */
+	NULL,                               /* 2 ISAKMP_NEXT_P (Proposal) */
+	NULL,                               /* 3 ISAKMP_NEXT_T (Transform) */
+	&isakmp_keyex_desc,                 /* 4 ISAKMP_NEXT_KE (Key Exchange) */
+	NULL,                               /* 5 ISAKMP_NEXT_ID (Identification) */
+	&isakmp_ipsec_certificate_desc,     /* 6 ISAKMP_NEXT_CERT (Certificate) */
+	&isakmp_ipsec_cert_req_desc,        /* 7 ISAKMP_NEXT_CR (Certificate Request) */
+	&isakmp_hash_desc,                  /* 8 ISAKMP_NEXT_HASH (Hash) */
+	&isakmp_signature_desc,             /* 9 ISAKMP_NEXT_SIG (Signature) */
+	&isakmp_nonce_desc,                 /* 10 ISAKMP_NEXT_NONCE (Nonce) */
+	&isakmp_notification_desc,          /* 11 ISAKMP_NEXT_N (Notification) */
+	&isakmp_delete_desc,                /* 12 ISAKMP_NEXT_D (Delete) */
+	&isakmp_vendor_id_desc,             /* 13 ISAKMP_NEXT_VID (Vendor ID) */
+	&isakmp_attr_desc,                  /* 14 ISAKMP_NEXT_ATTR (Mode Config) */
+	NULL,                               /* 15 */
+	NULL,                               /* 16 */
+	NULL,                               /* 17 */
+	NULL,                               /* 18 */
+	NULL,                               /* 19 */
+	&isakmp_nat_d,                      /* 20=130 ISAKMP_NEXT_NATD (NAT-D) */
+	&isakmp_nat_oa,                     /* 20=131 ISAKMP_NEXT_NATOA (NAT-OA) */
 };
 
 void
 init_pbs(pb_stream *pbs, u_int8_t *start, size_t len, const char *name)
 {
-    pbs->container = NULL;
-    pbs->desc = NULL;
-    pbs->name = name;
-    pbs->start = pbs->cur = start;
-    pbs->roof = start + len;
-    pbs->lenfld = NULL;
-    pbs->lenfld_desc = NULL;
+	pbs->container = NULL;
+	pbs->desc = NULL;
+	pbs->name = name;
+	pbs->start = pbs->cur = start;
+	pbs->roof = start + len;
+	pbs->lenfld = NULL;
+	pbs->lenfld_desc = NULL;
 }
 
 #ifdef DEBUG
@@ -648,85 +646,85 @@ void
 DBG_print_struct(const char *label, const void *struct_ptr
 , struct_desc *sd, bool len_meaningful)
 {
-    bool immediate = FALSE;
-    const u_int8_t *inp = struct_ptr;
-    field_desc *fp;
-
-    DBG_log("%s%s:", label, sd->name);
+	bool immediate = FALSE;
+	const u_int8_t *inp = struct_ptr;
+	field_desc *fp;
 
-    for (fp = sd->fields; fp->field_type != ft_end; fp++)
-    {
-	int i = fp->size;
-	u_int32_t n = 0;
+	DBG_log("%s%s:", label, sd->name);
 
-	switch (fp->field_type)
+	for (fp = sd->fields; fp->field_type != ft_end; fp++)
 	{
-	case ft_mbz:	/* must be zero */
-	    inp += i;
-	    break;
-	case ft_nat:		/* natural number (may be 0) */
-	case ft_len:		/* length of this struct and any following crud */
-	case ft_lv:		/* length/value field of attribute */
-	case ft_enum:		/* value from an enumeration */
-	case ft_loose_enum:	/* value from an enumeration with only some names known */
-	case ft_af_enum:	/* Attribute Format + value from an enumeration */
-	case ft_af_loose_enum:	/* Attribute Format + value from an enumeration */
-	case ft_set:		/* bits representing set */
-	    switch (i)
-	    {
-	    case 8/BITS_PER_BYTE:
-		n = *(const u_int8_t *)inp;
-		break;
-	    case 16/BITS_PER_BYTE:
-		n = *(const u_int16_t *)inp;
-		break;
-	    case 32/BITS_PER_BYTE:
-		n = *(const u_int32_t *)inp;
-		break;
-	    default:
-		bad_case(i);
-	    }
-	    switch (fp->field_type)
-	    {
-	    case ft_len:	/* length of this struct and any following crud */
-	    case ft_lv:		/* length/value field of attribute */
-		if (!immediate && !len_meaningful)
-		    break;
-		/* FALL THROUGH */
-	    case ft_nat:	/* natural number (may be 0) */
-		DBG_log("   %s: %lu", fp->name, (unsigned long)n);
-		break;
-	    case ft_af_enum:	   /* Attribute Format + value from an enumeration */
-	    case ft_af_loose_enum: /* Attribute Format + value from an enumeration */
-		if ((n & ISAKMP_ATTR_AF_MASK) == ISAKMP_ATTR_AF_TV)
-		    immediate = TRUE;
-		/* FALL THROUGH */
-	    case ft_enum:	/* value from an enumeration */
-	    case ft_loose_enum:	/* value from an enumeration with only some names known */
-		DBG_log("   %s: %s", fp->name, enum_show(fp->desc, n));
-		break;
-	    case ft_set:	/* bits representing set */
-		DBG_log("   %s: %s", fp->name, bitnamesof(fp->desc, n));
-		break;
-	    default:
-		bad_case(fp->field_type);
-	    }
-	    inp += i;
-	    break;
-
-	case ft_raw:	/* bytes to be left in network-order */
-	    {
-		char m[50];	/* arbitrary limit on name width in log */
-
-		snprintf(m, sizeof(m), "   %s:", fp->name);
-		DBG_dump(m, inp, i);
-		inp += i;
-	    }
-	    break;
-	default:
-	    bad_case(fp->field_type);
+		int i = fp->size;
+		u_int32_t n = 0;
+
+		switch (fp->field_type)
+		{
+		case ft_mbz:    /* must be zero */
+			inp += i;
+			break;
+		case ft_nat:            /* natural number (may be 0) */
+		case ft_len:            /* length of this struct and any following crud */
+		case ft_lv:             /* length/value field of attribute */
+		case ft_enum:           /* value from an enumeration */
+		case ft_loose_enum:     /* value from an enumeration with only some names known */
+		case ft_af_enum:        /* Attribute Format + value from an enumeration */
+		case ft_af_loose_enum:  /* Attribute Format + value from an enumeration */
+		case ft_set:            /* bits representing set */
+			switch (i)
+			{
+			case 8/BITS_PER_BYTE:
+				n = *(const u_int8_t *)inp;
+				break;
+			case 16/BITS_PER_BYTE:
+				n = *(const u_int16_t *)inp;
+				break;
+			case 32/BITS_PER_BYTE:
+				n = *(const u_int32_t *)inp;
+				break;
+			default:
+				bad_case(i);
+			}
+			switch (fp->field_type)
+			{
+			case ft_len:        /* length of this struct and any following crud */
+			case ft_lv:         /* length/value field of attribute */
+				if (!immediate && !len_meaningful)
+					break;
+				/* FALL THROUGH */
+			case ft_nat:        /* natural number (may be 0) */
+				DBG_log("   %s: %lu", fp->name, (unsigned long)n);
+				break;
+			case ft_af_enum:       /* Attribute Format + value from an enumeration */
+			case ft_af_loose_enum: /* Attribute Format + value from an enumeration */
+				if ((n & ISAKMP_ATTR_AF_MASK) == ISAKMP_ATTR_AF_TV)
+					immediate = TRUE;
+				/* FALL THROUGH */
+			case ft_enum:       /* value from an enumeration */
+			case ft_loose_enum: /* value from an enumeration with only some names known */
+				DBG_log("   %s: %s", fp->name, enum_show(fp->desc, n));
+				break;
+			case ft_set:        /* bits representing set */
+				DBG_log("   %s: %s", fp->name, bitnamesof(fp->desc, n));
+				break;
+			default:
+				bad_case(fp->field_type);
+			}
+			inp += i;
+			break;
+
+		case ft_raw:    /* bytes to be left in network-order */
+			{
+				char m[50];     /* arbitrary limit on name width in log */
+
+				snprintf(m, sizeof(m), "   %s:", fp->name);
+				DBG_dump(m, inp, i);
+				inp += i;
+			}
+			break;
+		default:
+			bad_case(fp->field_type);
+		}
 	}
-    }
 }
 
 static void
@@ -734,35 +732,35 @@ DBG_prefix_print_struct(const pb_stream *pbs
 , const char *label, const void *struct_ptr
 , struct_desc *sd, bool len_meaningful)
 {
-    /* print out a title, with a prefix of asterisks to show
-     * the nesting level.
-     */
-    char space[40];	/* arbitrary limit on label+flock-of-* */
-    size_t len = strlen(label);
-
-    if (sizeof(space) <= len)
-    {
-	DBG_print_struct(label, struct_ptr, sd, len_meaningful);
-    }
-    else
-    {
-	const pb_stream *p = pbs;
-	char *pre = &space[sizeof(space) - (len + 1)];
-
-	strcpy(pre, label);
-
-	/* put at least one * out */
-	for (;;)
+	/* print out a title, with a prefix of asterisks to show
+	 * the nesting level.
+	 */
+	char space[40];     /* arbitrary limit on label+flock-of-* */
+	size_t len = strlen(label);
+
+	if (sizeof(space) <= len)
+	{
+		DBG_print_struct(label, struct_ptr, sd, len_meaningful);
+	}
+	else
 	{
-	    if (pre <= space)
-		break;
-	    *--pre = '*';
-	    if (p == NULL)
-		break;
-	    p = p->container;
+		const pb_stream *p = pbs;
+		char *pre = &space[sizeof(space) - (len + 1)];
+
+		strcpy(pre, label);
+
+		/* put at least one * out */
+		for (;;)
+		{
+			if (pre <= space)
+				break;
+			*--pre = '*';
+			if (p == NULL)
+				break;
+			p = p->container;
+		}
+		DBG_print_struct(pre, struct_ptr, sd, len_meaningful);
 	}
-	DBG_print_struct(pre, struct_ptr, sd, len_meaningful);
-    }
 }
 
 #endif
@@ -785,191 +783,191 @@ bool
 in_struct(void *struct_ptr, struct_desc *sd
 , pb_stream *ins, pb_stream *obj_pbs)
 {
-    err_t ugh = NULL;
-    u_int8_t *cur = ins->cur;
-
-    if (ins->roof - cur < (ptrdiff_t)sd->size)
-    {
-	ugh = builddiag("not enough room in input packet for %s", sd->name);
-    }
-    else
-    {
-	u_int8_t *roof = cur + sd->size;    /* may be changed by a length field */
-	u_int8_t *outp = struct_ptr;
-	bool immediate = FALSE;
-	field_desc *fp;
+	err_t ugh = NULL;
+	u_int8_t *cur = ins->cur;
 
-	for (fp = sd->fields; ugh == NULL; fp++)
+	if (ins->roof - cur < (ptrdiff_t)sd->size)
 	{
-	    size_t i = fp->size;
-
-	    passert(ins->roof - cur >= (ptrdiff_t)i);
-	    passert(cur - ins->cur <= (ptrdiff_t)(sd->size - i));
-	    passert(outp - (cur - ins->cur) == struct_ptr);
-
-#if 0
-	    DBG(DBG_PARSING, DBG_log("%d %s"
-		, (int) (cur - ins->cur), fp->name == NULL? "" : fp->name));
-#endif
-	    switch (fp->field_type)
-	    {
-	    case ft_mbz:	/* must be zero */
-		for (; i != 0; i--)
-		{
-		    if (*cur++ != 0)
-		    {
-			ugh = builddiag("byte %d of %s must be zero, but is not"
-			    , (int) (cur - ins->cur), sd->name);
-			break;
-		    }
-		    *outp++ = '\0';	/* probably redundant */
-		}
-		break;
-
-	    case ft_nat:	   /* natural number (may be 0) */
-	    case ft_len:	   /* length of this struct and any following crud */
-	    case ft_lv:		   /* length/value field of attribute */
-	    case ft_enum:	   /* value from an enumeration */
-	    case ft_loose_enum:    /* value from an enumeration with only some names known */
-	    case ft_af_enum:	   /* Attribute Format + value from an enumeration */
-	    case ft_af_loose_enum: /* Attribute Format + value from an enumeration */
-	    case ft_set:	   /* bits representing set */
-	    {
-		u_int32_t n = 0;
-
-		for (; i != 0; i--)
-		    n = (n << BITS_PER_BYTE) | *cur++;
+		ugh = builddiag("not enough room in input packet for %s", sd->name);
+	}
+	else
+	{
+		u_int8_t *roof = cur + sd->size;    /* may be changed by a length field */
+		u_int8_t *outp = struct_ptr;
+		bool immediate = FALSE;
+		field_desc *fp;
 
-		switch (fp->field_type)
-		{
-		case ft_len:	/* length of this struct and any following crud */
-		case ft_lv:	/* length/value field of attribute */
-		{
-		    u_int32_t len = fp->field_type == ft_len? n
-			: immediate? sd->size : n + sd->size;
-
-		    if (len < sd->size)
-		    {
-			ugh = builddiag("%s of %s is smaller than minimum"
-			    , fp->name, sd->name);
-		    }
-		    else if (pbs_left(ins) < len)
-		    {
-			ugh = builddiag("%s of %s is larger than can fit"
-			    , fp->name, sd->name);
-		    }
-		    else
-		    {
-			roof = ins->cur + len;
-		    }
-		    break;
-		}
-		case ft_af_loose_enum:	/* Attribute Format + value from an enumeration */
-		    if ((n & ISAKMP_ATTR_AF_MASK) == ISAKMP_ATTR_AF_TV)
-			immediate = TRUE;
-		    break;
-		case ft_af_enum:	/* Attribute Format + value from an enumeration */
-		    if ((n & ISAKMP_ATTR_AF_MASK) == ISAKMP_ATTR_AF_TV)
-			immediate = TRUE;
-		    /* FALL THROUGH */
-		case ft_enum:	/* value from an enumeration */
-		    if (enum_name(fp->desc, n) == NULL)
-		    {
-			ugh = builddiag("%s of %s has an unknown value: %lu"
-			    , fp->name, sd->name, (unsigned long)n);
-		    }
-		    /* FALL THROUGH */
-		case ft_loose_enum:	/* value from an enumeration with only some names known */
-		    break;
-		case ft_set:	/* bits representing set */
-		    if (!testset(fp->desc, n))
-		    {
-			ugh = builddiag("bitset %s of %s has unknown member(s): %s"
-			    , fp->name, sd->name, bitnamesof(fp->desc, n));
-		    }
-		    break;
-		default:
-			break;
-		}
-		i = fp->size;
-		switch (i)
+		for (fp = sd->fields; ugh == NULL; fp++)
 		{
-		case 8/BITS_PER_BYTE:
-		    *(u_int8_t *)outp = n;
-		    break;
-		case 16/BITS_PER_BYTE:
-		    *(u_int16_t *)outp = n;
-		    break;
-		case 32/BITS_PER_BYTE:
-		    *(u_int32_t *)outp = n;
-		    break;
-		default:
-		    bad_case(i);
-		}
-		outp += i;
-		break;
-	    }
+			size_t i = fp->size;
 
-	    case ft_raw:	/* bytes to be left in network-order */
-		for (; i != 0; i--)
-		{
-		    *outp++ = *cur++;
-		}
-		break;
+			passert(ins->roof - cur >= (ptrdiff_t)i);
+			passert(cur - ins->cur <= (ptrdiff_t)(sd->size - i));
+			passert(outp - (cur - ins->cur) == struct_ptr);
 
-	    case ft_end:	/* end of field list */
-		passert(cur == ins->cur + sd->size);
-		if (obj_pbs != NULL)
-		{
-		    init_pbs(obj_pbs, ins->cur, roof - ins->cur, sd->name);
-		    obj_pbs->container = ins;
-		    obj_pbs->desc = sd;
-		    obj_pbs->cur = cur;
+#if 0
+			DBG(DBG_PARSING, DBG_log("%d %s"
+				, (int) (cur - ins->cur), fp->name == NULL? "" : fp->name));
+#endif
+			switch (fp->field_type)
+			{
+			case ft_mbz:        /* must be zero */
+				for (; i != 0; i--)
+				{
+					if (*cur++ != 0)
+					{
+						ugh = builddiag("byte %d of %s must be zero, but is not"
+							, (int) (cur - ins->cur), sd->name);
+						break;
+					}
+					*outp++ = '\0';     /* probably redundant */
+				}
+				break;
+
+			case ft_nat:           /* natural number (may be 0) */
+			case ft_len:           /* length of this struct and any following crud */
+			case ft_lv:            /* length/value field of attribute */
+			case ft_enum:          /* value from an enumeration */
+			case ft_loose_enum:    /* value from an enumeration with only some names known */
+			case ft_af_enum:       /* Attribute Format + value from an enumeration */
+			case ft_af_loose_enum: /* Attribute Format + value from an enumeration */
+			case ft_set:           /* bits representing set */
+			{
+				u_int32_t n = 0;
+
+				for (; i != 0; i--)
+					n = (n << BITS_PER_BYTE) | *cur++;
+
+				switch (fp->field_type)
+				{
+				case ft_len:    /* length of this struct and any following crud */
+				case ft_lv:     /* length/value field of attribute */
+				{
+					u_int32_t len = fp->field_type == ft_len? n
+						: immediate? sd->size : n + sd->size;
+
+					if (len < sd->size)
+					{
+						ugh = builddiag("%s of %s is smaller than minimum"
+							, fp->name, sd->name);
+					}
+					else if (pbs_left(ins) < len)
+					{
+						ugh = builddiag("%s of %s is larger than can fit"
+							, fp->name, sd->name);
+					}
+					else
+					{
+						roof = ins->cur + len;
+					}
+					break;
+				}
+				case ft_af_loose_enum:  /* Attribute Format + value from an enumeration */
+					if ((n & ISAKMP_ATTR_AF_MASK) == ISAKMP_ATTR_AF_TV)
+						immediate = TRUE;
+					break;
+				case ft_af_enum:        /* Attribute Format + value from an enumeration */
+					if ((n & ISAKMP_ATTR_AF_MASK) == ISAKMP_ATTR_AF_TV)
+						immediate = TRUE;
+					/* FALL THROUGH */
+				case ft_enum:   /* value from an enumeration */
+					if (enum_name(fp->desc, n) == NULL)
+					{
+						ugh = builddiag("%s of %s has an unknown value: %lu"
+							, fp->name, sd->name, (unsigned long)n);
+					}
+					/* FALL THROUGH */
+				case ft_loose_enum:     /* value from an enumeration with only some names known */
+					break;
+				case ft_set:    /* bits representing set */
+					if (!testset(fp->desc, n))
+					{
+						ugh = builddiag("bitset %s of %s has unknown member(s): %s"
+							, fp->name, sd->name, bitnamesof(fp->desc, n));
+					}
+					break;
+				default:
+						break;
+				}
+				i = fp->size;
+				switch (i)
+				{
+				case 8/BITS_PER_BYTE:
+					*(u_int8_t *)outp = n;
+					break;
+				case 16/BITS_PER_BYTE:
+					*(u_int16_t *)outp = n;
+					break;
+				case 32/BITS_PER_BYTE:
+					*(u_int32_t *)outp = n;
+					break;
+				default:
+					bad_case(i);
+				}
+				outp += i;
+				break;
+			}
+
+			case ft_raw:        /* bytes to be left in network-order */
+				for (; i != 0; i--)
+				{
+					*outp++ = *cur++;
+				}
+				break;
+
+			case ft_end:        /* end of field list */
+				passert(cur == ins->cur + sd->size);
+				if (obj_pbs != NULL)
+				{
+					init_pbs(obj_pbs, ins->cur, roof - ins->cur, sd->name);
+					obj_pbs->container = ins;
+					obj_pbs->desc = sd;
+					obj_pbs->cur = cur;
+				}
+				ins->cur = roof;
+				DBG(DBG_PARSING
+					, DBG_prefix_print_struct(ins, "parse ", struct_ptr, sd, TRUE));
+				return TRUE;
+
+			default:
+				bad_case(fp->field_type);
+			}
 		}
-		ins->cur = roof;
-		DBG(DBG_PARSING
-		    , DBG_prefix_print_struct(ins, "parse ", struct_ptr, sd, TRUE));
-		return TRUE;
-
-	    default:
-		bad_case(fp->field_type);
-	    }
 	}
-    }
 
-    /* some failure got us here: report it */
-    loglog(RC_LOG_SERIOUS, ugh);
-    return FALSE;
+	/* some failure got us here: report it */
+	loglog(RC_LOG_SERIOUS, ugh);
+	return FALSE;
 }
 
 bool
 in_raw(void *bytes, size_t len, pb_stream *ins, const char *name)
 {
-    if (pbs_left(ins) < len)
-    {
-	loglog(RC_LOG_SERIOUS, "not enough bytes left to get %s from %s", name, ins->name);
-	return FALSE;
-    }
-    else
-    {
-	if (bytes == NULL)
+	if (pbs_left(ins) < len)
 	{
-	    DBG(DBG_PARSING
-		, DBG_log("skipping %u raw bytes of %s (%s)"
-		    , (unsigned) len, ins->name, name);
-		  DBG_dump(name, ins->cur, len));
+		loglog(RC_LOG_SERIOUS, "not enough bytes left to get %s from %s", name, ins->name);
+		return FALSE;
 	}
 	else
 	{
-	    memcpy(bytes, ins->cur, len);
-	    DBG(DBG_PARSING
-		, DBG_log("parsing %u raw bytes of %s into %s"
-		    , (unsigned) len, ins->name, name);
-		  DBG_dump(name, bytes, len));
+		if (bytes == NULL)
+		{
+			DBG(DBG_PARSING
+				, DBG_log("skipping %u raw bytes of %s (%s)"
+					, (unsigned) len, ins->name, name);
+				  DBG_dump(name, ins->cur, len));
+		}
+		else
+		{
+			memcpy(bytes, ins->cur, len);
+			DBG(DBG_PARSING
+				, DBG_log("parsing %u raw bytes of %s into %s"
+					, (unsigned) len, ins->name, name);
+				  DBG_dump(name, bytes, len));
+		}
+		ins->cur += len;
+		return TRUE;
 	}
-	ins->cur += len;
-	return TRUE;
-    }
 }
 
 /* "emit" a host struct into a network packet.
@@ -994,227 +992,227 @@ bool
 out_struct(const void *struct_ptr, struct_desc *sd
 , pb_stream *outs, pb_stream *obj_pbs)
 {
-    err_t ugh = NULL;
-    const u_int8_t *inp = struct_ptr;
-    u_int8_t *cur = outs->cur;
-
-    DBG(DBG_EMITTING
-	, DBG_prefix_print_struct(outs, "emit ", struct_ptr, sd, obj_pbs==NULL));
-
-    if (outs->roof - cur < (ptrdiff_t)sd->size)
-    {
-	ugh = builddiag("not enough room left in output packet to place %s"
-	    , sd->name);
-    }
-    else
-    {
-	bool immediate = FALSE;
-	pb_stream obj;
-	field_desc *fp;
+	err_t ugh = NULL;
+	const u_int8_t *inp = struct_ptr;
+	u_int8_t *cur = outs->cur;
 
-	obj.lenfld = NULL;  /* until a length field is discovered */
-	obj.lenfld_desc = NULL;
+	DBG(DBG_EMITTING
+		, DBG_prefix_print_struct(outs, "emit ", struct_ptr, sd, obj_pbs==NULL));
 
-	for (fp = sd->fields; ugh == NULL; fp++)
+	if (outs->roof - cur < (ptrdiff_t)sd->size)
 	{
-	    size_t i = fp->size;
-
-	    passert(outs->roof - cur >= (ptrdiff_t)i);
-	    passert(cur - outs->cur <= (ptrdiff_t)(sd->size - i));
-	    passert(inp - (cur - outs->cur) == struct_ptr);
-
-#if 0
-	    DBG(DBG_EMITTING, DBG_log("%d %s"
-		, (int) (cur - outs->cur), fp->name == NULL? "" : fp->name);
-#endif
-	    switch (fp->field_type)
-	    {
-	    case ft_mbz:	/* must be zero */
-		inp += i;
-		for (; i != 0; i--)
-		    *cur++ = '\0';
-		break;
-	    case ft_nat:	   /* natural number (may be 0) */
-	    case ft_len:	   /* length of this struct and any following crud */
-	    case ft_lv:		   /* length/value field of attribute */
-	    case ft_enum:	   /* value from an enumeration */
-	    case ft_loose_enum:	   /* value from an enumeration with only some names known */
-	    case ft_af_enum:	   /* Attribute Format + value from an enumeration */
-	    case ft_af_loose_enum: /* Attribute Format + value from an enumeration */
-	    case ft_set:	   /* bits representing set */
-	    {
-		u_int32_t n = 0;
+		ugh = builddiag("not enough room left in output packet to place %s"
+			, sd->name);
+	}
+	else
+	{
+		bool immediate = FALSE;
+		pb_stream obj;
+		field_desc *fp;
 
-		switch (i)
-		{
-		case 8/BITS_PER_BYTE:
-		    n = *(const u_int8_t *)inp;
-		    break;
-		case 16/BITS_PER_BYTE:
-		    n = *(const u_int16_t *)inp;
-		    break;
-		case 32/BITS_PER_BYTE:
-		    n = *(const u_int32_t *)inp;
-		    break;
-		default:
-		    bad_case(i);
-		}
+		obj.lenfld = NULL;  /* until a length field is discovered */
+		obj.lenfld_desc = NULL;
 
-		switch (fp->field_type)
+		for (fp = sd->fields; ugh == NULL; fp++)
 		{
-		case ft_len:	/* length of this struct and any following crud */
-		case ft_lv:	/* length/value field of attribute */
-		    if (immediate)
-			break;	/* not a length */
-		    /* We can't check the length because it will likely
-		     * be filled in after variable part is supplied.
-		     * We do record where this is so that it can be
-		     * filled in by a subsequent close_output_pbs().
-		     */
-		    passert(obj.lenfld == NULL);	/* only one ft_len allowed */
-		    obj.lenfld = cur;
-		    obj.lenfld_desc = fp;
-		    break;
-		case ft_af_loose_enum: /* Attribute Format + value from an enumeration */
-		    if ((n & ISAKMP_ATTR_AF_MASK) == ISAKMP_ATTR_AF_TV)
-			immediate = TRUE;
-		    break;
-		case ft_af_enum:	/* Attribute Format + value from an enumeration */
-		    if ((n & ISAKMP_ATTR_AF_MASK) == ISAKMP_ATTR_AF_TV)
-			immediate = TRUE;
-		    /* FALL THROUGH */
-		case ft_enum:	/* value from an enumeration */
-		    if (enum_name(fp->desc, n) == NULL)
-		    {
-			ugh = builddiag("%s of %s has an unknown value: %lu"
-			    , fp->name, sd->name, (unsigned long)n);
-		    }
-		    /* FALL THROUGH */
-		case ft_loose_enum:	/* value from an enumeration with only some names known */
-		    break;
-		case ft_set:	/* bits representing set */
-		    if (!testset(fp->desc, n))
-		    {
-			ugh = builddiag("bitset %s of %s has unknown member(s): %s"
-			    , fp->name, sd->name, bitnamesof(fp->desc, n));
-		    }
-		    break;
-		default:
-		    break;
-		}
+			size_t i = fp->size;
 
-		while (i-- != 0)
-		{
-		    cur[i] = (u_int8_t)n;
-		    n >>= BITS_PER_BYTE;
-		}
-		inp += fp->size;
-		cur += fp->size;
-		break;
-	    }
-	    case ft_raw:	/* bytes to be left in network-order */
-		for (; i != 0; i--)
-		    *cur++ = *inp++;
-		break;
-	    case ft_end:	/* end of field list */
-		passert(cur == outs->cur + sd->size);
-
-		obj.container = outs;
-		obj.desc = sd;
-		obj.name = sd->name;
-		obj.start = outs->cur;
-		obj.cur = cur;
-		obj.roof = outs->roof;	/* limit of possible */
-		/* obj.lenfld and obj.lenfld_desc already set */
-
-		if (obj_pbs == NULL)
-		{
-		    close_output_pbs(&obj); /* fill in length field, if any */
-		}
-		else
-		{
-		    /* We set outs->cur to outs->roof so that
-		     * any attempt to output something into outs
-		     * before obj is closed will trigger an error.
-		     */
-		    outs->cur = outs->roof;
+			passert(outs->roof - cur >= (ptrdiff_t)i);
+			passert(cur - outs->cur <= (ptrdiff_t)(sd->size - i));
+			passert(inp - (cur - outs->cur) == struct_ptr);
 
-		    *obj_pbs = obj;
+#if 0
+			DBG(DBG_EMITTING, DBG_log("%d %s"
+				, (int) (cur - outs->cur), fp->name == NULL? "" : fp->name);
+#endif
+			switch (fp->field_type)
+			{
+			case ft_mbz:        /* must be zero */
+				inp += i;
+				for (; i != 0; i--)
+					*cur++ = '\0';
+				break;
+			case ft_nat:           /* natural number (may be 0) */
+			case ft_len:           /* length of this struct and any following crud */
+			case ft_lv:            /* length/value field of attribute */
+			case ft_enum:          /* value from an enumeration */
+			case ft_loose_enum:    /* value from an enumeration with only some names known */
+			case ft_af_enum:       /* Attribute Format + value from an enumeration */
+			case ft_af_loose_enum: /* Attribute Format + value from an enumeration */
+			case ft_set:           /* bits representing set */
+			{
+				u_int32_t n = 0;
+
+				switch (i)
+				{
+				case 8/BITS_PER_BYTE:
+					n = *(const u_int8_t *)inp;
+					break;
+				case 16/BITS_PER_BYTE:
+					n = *(const u_int16_t *)inp;
+					break;
+				case 32/BITS_PER_BYTE:
+					n = *(const u_int32_t *)inp;
+					break;
+				default:
+					bad_case(i);
+				}
+
+				switch (fp->field_type)
+				{
+				case ft_len:    /* length of this struct and any following crud */
+				case ft_lv:     /* length/value field of attribute */
+					if (immediate)
+						break;  /* not a length */
+					/* We can't check the length because it will likely
+					 * be filled in after variable part is supplied.
+					 * We do record where this is so that it can be
+					 * filled in by a subsequent close_output_pbs().
+					 */
+					passert(obj.lenfld == NULL);        /* only one ft_len allowed */
+					obj.lenfld = cur;
+					obj.lenfld_desc = fp;
+					break;
+				case ft_af_loose_enum: /* Attribute Format + value from an enumeration */
+					if ((n & ISAKMP_ATTR_AF_MASK) == ISAKMP_ATTR_AF_TV)
+						immediate = TRUE;
+					break;
+				case ft_af_enum:        /* Attribute Format + value from an enumeration */
+					if ((n & ISAKMP_ATTR_AF_MASK) == ISAKMP_ATTR_AF_TV)
+						immediate = TRUE;
+					/* FALL THROUGH */
+				case ft_enum:   /* value from an enumeration */
+					if (enum_name(fp->desc, n) == NULL)
+					{
+						ugh = builddiag("%s of %s has an unknown value: %lu"
+							, fp->name, sd->name, (unsigned long)n);
+					}
+					/* FALL THROUGH */
+				case ft_loose_enum:     /* value from an enumeration with only some names known */
+					break;
+				case ft_set:    /* bits representing set */
+					if (!testset(fp->desc, n))
+					{
+						ugh = builddiag("bitset %s of %s has unknown member(s): %s"
+							, fp->name, sd->name, bitnamesof(fp->desc, n));
+					}
+					break;
+				default:
+					break;
+				}
+
+				while (i-- != 0)
+				{
+					cur[i] = (u_int8_t)n;
+					n >>= BITS_PER_BYTE;
+				}
+				inp += fp->size;
+				cur += fp->size;
+				break;
+			}
+			case ft_raw:        /* bytes to be left in network-order */
+				for (; i != 0; i--)
+					*cur++ = *inp++;
+				break;
+			case ft_end:        /* end of field list */
+				passert(cur == outs->cur + sd->size);
+
+				obj.container = outs;
+				obj.desc = sd;
+				obj.name = sd->name;
+				obj.start = outs->cur;
+				obj.cur = cur;
+				obj.roof = outs->roof;  /* limit of possible */
+				/* obj.lenfld and obj.lenfld_desc already set */
+
+				if (obj_pbs == NULL)
+				{
+					close_output_pbs(&obj); /* fill in length field, if any */
+				}
+				else
+				{
+					/* We set outs->cur to outs->roof so that
+					 * any attempt to output something into outs
+					 * before obj is closed will trigger an error.
+					 */
+					outs->cur = outs->roof;
+
+					*obj_pbs = obj;
+				}
+				return TRUE;
+
+			default:
+				bad_case(fp->field_type);
+			}
 		}
-		return TRUE;
-
-	    default:
-		bad_case(fp->field_type);
-	    }
 	}
-    }
 
-    /* some failure got us here: report it */
-    loglog(RC_LOG_SERIOUS, ugh);	/* ??? serious, but errno not relevant */
-    return FALSE;
+	/* some failure got us here: report it */
+	loglog(RC_LOG_SERIOUS, ugh);        /* ??? serious, but errno not relevant */
+	return FALSE;
 }
 
 bool
 out_generic(u_int8_t np, struct_desc *sd
 , pb_stream *outs, pb_stream *obj_pbs)
 {
-    struct isakmp_generic gen;
+	struct isakmp_generic gen;
 
-    passert(sd->fields == isakmp_generic_desc.fields);
-    gen.isag_np = np;
-    return out_struct(&gen, sd, outs, obj_pbs);
+	passert(sd->fields == isakmp_generic_desc.fields);
+	gen.isag_np = np;
+	return out_struct(&gen, sd, outs, obj_pbs);
 }
 
 bool
 out_generic_raw(u_int8_t np, struct_desc *sd
 , pb_stream *outs, const void *bytes, size_t len, const char *name)
 {
-    pb_stream pbs;
+	pb_stream pbs;
 
-    if (!out_generic(np, sd, outs, &pbs)
-    || !out_raw(bytes, len, &pbs, name))
-	return FALSE;
-    close_output_pbs(&pbs);
-    return TRUE;
+	if (!out_generic(np, sd, outs, &pbs)
+	|| !out_raw(bytes, len, &pbs, name))
+		return FALSE;
+	close_output_pbs(&pbs);
+	return TRUE;
 }
 
 bool
 out_raw(const void *bytes, size_t len, pb_stream *outs, const char *name)
 {
-    if (pbs_left(outs) < len)
-    {
-	loglog(RC_LOG_SERIOUS, "not enough room left to place %lu bytes of %s in %s"
-	    , (unsigned long) len, name, outs->name);
-	return FALSE;
-    }
-    else
-    {
-	DBG(DBG_EMITTING
-	    , DBG_log("emitting %u raw bytes of %s into %s"
-		, (unsigned) len, name, outs->name);
-	      DBG_dump(name, bytes, len));
-	memcpy(outs->cur, bytes, len);
-	outs->cur += len;
-	return TRUE;
-    }
+	if (pbs_left(outs) < len)
+	{
+		loglog(RC_LOG_SERIOUS, "not enough room left to place %lu bytes of %s in %s"
+			, (unsigned long) len, name, outs->name);
+		return FALSE;
+	}
+	else
+	{
+		DBG(DBG_EMITTING
+			, DBG_log("emitting %u raw bytes of %s into %s"
+				, (unsigned) len, name, outs->name);
+			  DBG_dump(name, bytes, len));
+		memcpy(outs->cur, bytes, len);
+		outs->cur += len;
+		return TRUE;
+	}
 }
 
 bool
 out_zero(size_t len, pb_stream *outs, const char *name)
 {
-    if (pbs_left(outs) < len)
-    {
-	loglog(RC_LOG_SERIOUS, "not enough room left to place %s in %s", name, outs->name);
-	return FALSE;
-    }
-    else
-    {
-	DBG(DBG_EMITTING, DBG_log("emitting %u zero bytes of %s into %s"
-	    , (unsigned) len, name, outs->name));
-	memset(outs->cur, 0x00, len);
-	outs->cur += len;
-	return TRUE;
-    }
+	if (pbs_left(outs) < len)
+	{
+		loglog(RC_LOG_SERIOUS, "not enough room left to place %s in %s", name, outs->name);
+		return FALSE;
+	}
+	else
+	{
+		DBG(DBG_EMITTING, DBG_log("emitting %u zero bytes of %s into %s"
+			, (unsigned) len, name, outs->name));
+		memset(outs->cur, 0x00, len);
+		outs->cur += len;
+		return TRUE;
+	}
 }
 
 /* Record current length.
@@ -1224,21 +1222,21 @@ out_zero(size_t len, pb_stream *outs, const char *name)
 void
 close_output_pbs(pb_stream *pbs)
 {
-    if (pbs->lenfld != NULL)
-    {
-	u_int32_t len = pbs_offset(pbs);
-	int i = pbs->lenfld_desc->size;
-
-	if (pbs->lenfld_desc->field_type == ft_lv)
-	    len -= sizeof(struct isakmp_attribute);
-	DBG(DBG_EMITTING, DBG_log("emitting length of %s: %lu"
-	    , pbs->name, (unsigned long) len));
-	while (i-- != 0)
+	if (pbs->lenfld != NULL)
 	{
-	    pbs->lenfld[i] = (u_int8_t)len;
-	    len >>= BITS_PER_BYTE;
+		u_int32_t len = pbs_offset(pbs);
+		int i = pbs->lenfld_desc->size;
+
+		if (pbs->lenfld_desc->field_type == ft_lv)
+			len -= sizeof(struct isakmp_attribute);
+		DBG(DBG_EMITTING, DBG_log("emitting length of %s: %lu"
+			, pbs->name, (unsigned long) len));
+		while (i-- != 0)
+		{
+			pbs->lenfld[i] = (u_int8_t)len;
+			len >>= BITS_PER_BYTE;
+		}
 	}
-    }
-    if (pbs->container != NULL)
-	pbs->container->cur = pbs->cur;	/* pass space utilization up */
+	if (pbs->container != NULL)
+		pbs->container->cur = pbs->cur; /* pass space utilization up */
 }
diff --git a/src/pluto/packet.h b/src/pluto/packet.h
index 1eadf0e02..1510b81a0 100644
--- a/src/pluto/packet.h
+++ b/src/pluto/packet.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: packet.h 3252 2007-10-06 21:24:50Z andreas $
  */
 
 #ifndef _PACKET_H
@@ -23,9 +21,9 @@
  */
 
 typedef const struct struct_desc {
-    const char *name;
-    const struct field_desc *fields;
-    size_t size;
+	const char *name;
+	const struct field_desc *fields;
+	size_t size;
 } struct_desc;
 
 /* Note: if an ft_af_enum field has the ISAKMP_ATTR_AF_TV bit set,
@@ -35,24 +33,24 @@ typedef const struct struct_desc {
  */
 
 enum field_type {
-    ft_mbz,	      /* must be zero */
-    ft_nat,	      /* natural number (may be 0) */
-    ft_len,	      /* length of this struct and any following crud */
-    ft_lv,	      /* length/value field of attribute */
-    ft_enum,	      /* value from an enumeration */
-    ft_loose_enum,    /* value from an enumeration with only some names known */
-    ft_af_loose_enum, /* Attribute Format + enumeration, some names known */
-    ft_af_enum,       /* Attribute Format + value from an enumeration */
-    ft_set,	      /* bits representing set */
-    ft_raw,	      /* bytes to be left in network-order */
-    ft_end,	      /* end of field list */
+	ft_mbz,           /* must be zero */
+	ft_nat,           /* natural number (may be 0) */
+	ft_len,           /* length of this struct and any following crud */
+	ft_lv,            /* length/value field of attribute */
+	ft_enum,          /* value from an enumeration */
+	ft_loose_enum,    /* value from an enumeration with only some names known */
+	ft_af_loose_enum, /* Attribute Format + enumeration, some names known */
+	ft_af_enum,       /* Attribute Format + value from an enumeration */
+	ft_set,           /* bits representing set */
+	ft_raw,           /* bytes to be left in network-order */
+	ft_end,           /* end of field list */
 };
 
 typedef const struct field_desc {
-    enum field_type field_type;
-    int	size;	/* size, in bytes, of field */
-    const char *name;
-    const void *desc;	/* enum_names for enum or char *[] for bits */
+	enum field_type field_type;
+	int size;   /* size, in bytes, of field */
+	const char *name;
+	const void *desc;   /* enum_names for enum or char *[] for bits */
 } field_desc;
 
 /* The formatting of input and output of packets is done
@@ -62,18 +60,18 @@ typedef const struct field_desc {
  * Actual packet transfer is done elsewhere.
  */
 typedef struct packet_byte_stream {
-    struct packet_byte_stream *container;   /* PBS of which we are part */
-    struct_desc *desc;
-    const char *name;	/* what does this PBS represent? */
-    u_int8_t
-	*start,
-	*cur,	/* current position in stream */
-	*roof;	/* byte after last in PBS (actually just a limit on output) */
-    /* For an output PBS, the length field will be filled in later so
-     * we need to record its particulars.  Note: it may not be aligned.
-     */
-    u_int8_t *lenfld;
-    field_desc *lenfld_desc;
+	struct packet_byte_stream *container;   /* PBS of which we are part */
+	struct_desc *desc;
+	const char *name;   /* what does this PBS represent? */
+	u_int8_t
+		*start,
+		*cur,   /* current position in stream */
+		*roof;  /* byte after last in PBS (actually just a limit on output) */
+	/* For an output PBS, the length field will be filled in later so
+	 * we need to record its particulars.  Note: it may not be aligned.
+	 */
+	u_int8_t *lenfld;
+	field_desc *lenfld_desc;
 } pb_stream;
 
 /* For an input PBS, pbs_offset is amount of stream processed.
@@ -88,17 +86,17 @@ typedef struct packet_byte_stream {
 extern void init_pbs(pb_stream *pbs, u_int8_t *start, size_t len, const char *name);
 
 extern bool in_struct(void *struct_ptr, struct_desc *sd,
-    pb_stream *ins, pb_stream *obj_pbs);
+	pb_stream *ins, pb_stream *obj_pbs);
 extern bool in_raw(void *bytes, size_t len, pb_stream *ins, const char *name);
 
 extern bool out_struct(const void *struct_ptr, struct_desc *sd,
-    pb_stream *outs, pb_stream *obj_pbs);
+	pb_stream *outs, pb_stream *obj_pbs);
 extern bool out_generic(u_int8_t np, struct_desc *sd,
-    pb_stream *outs, pb_stream *obj_pbs);
+	pb_stream *outs, pb_stream *obj_pbs);
 extern bool out_generic_raw(u_int8_t np, struct_desc *sd,
-    pb_stream *outs, const void *bytes, size_t len, const char *name);
+	pb_stream *outs, const void *bytes, size_t len, const char *name);
 #define out_generic_chunk(np, sd, outs, ch, name) \
-	out_generic_raw(np, sd, outs, (ch).ptr, (ch).len, name)
+		out_generic_raw(np, sd, outs, (ch).ptr, (ch).len, name)
 extern bool out_zero(size_t len, pb_stream *outs, const char *name);
 extern bool out_raw(const void *bytes, size_t len, pb_stream *outs, const char *name);
 #define out_chunk(ch, outs, name) out_raw((ch).ptr, (ch).len, (outs), (name))
@@ -106,7 +104,7 @@ extern void close_output_pbs(pb_stream *pbs);
 
 #ifdef DEBUG
 extern void DBG_print_struct(const char *label, const void *struct_ptr,
-    struct_desc *sd, bool len_meaningful);
+	struct_desc *sd, bool len_meaningful);
 #endif
 
 /* ISAKMP Header: for all messages
@@ -160,16 +158,16 @@ extern void DBG_print_struct(const char *label, const void *struct_ptr,
 
 struct isakmp_hdr
 {
-    u_int8_t    isa_icookie[COOKIE_SIZE];
-    u_int8_t    isa_rcookie[COOKIE_SIZE];
-    u_int8_t    isa_np;                 /* Next payload */
-    u_int8_t	isa_version;	/* high-order 4 bits: Major; low order 4: Minor */
-#define ISA_MAJ_SHIFT	4
-#define ISA_MIN_MASK	(~((~0u) << ISA_MAJ_SHIFT))
-    u_int8_t    isa_xchg;		/* Exchange type */
-    u_int8_t    isa_flags;
-    u_int32_t   isa_msgid;		/* Message ID (RAW) */
-    u_int32_t   isa_length;		/* Length of message */
+	u_int8_t    isa_icookie[COOKIE_SIZE];
+	u_int8_t    isa_rcookie[COOKIE_SIZE];
+	u_int8_t    isa_np;                 /* Next payload */
+	u_int8_t    isa_version;    /* high-order 4 bits: Major; low order 4: Minor */
+#define ISA_MAJ_SHIFT   4
+#define ISA_MIN_MASK    (~((~0u) << ISA_MAJ_SHIFT))
+	u_int8_t    isa_xchg;               /* Exchange type */
+	u_int8_t    isa_flags;
+	u_int32_t   isa_msgid;              /* Message ID (RAW) */
+	u_int32_t   isa_length;             /* Length of message */
 };
 
 extern struct_desc isakmp_hdr_desc;
@@ -186,9 +184,9 @@ extern struct_desc isakmp_hdr_desc;
  */
 struct isakmp_generic
 {
-    u_int8_t    isag_np;
-    u_int8_t    isag_reserved;
-    u_int16_t   isag_length;
+	u_int8_t    isag_np;
+	u_int8_t    isag_reserved;
+	u_int16_t   isag_length;
 };
 
 extern struct_desc isakmp_generic_desc;
@@ -209,17 +207,17 @@ extern struct_desc isakmp_generic_desc;
  */
 struct isakmp_attribute
 {
-    /* The high order bit of isaat_af_type is the Attribute Format
-     * If it is off, the format is TLV: lv is the length of the following
-     * attribute value.
-     * If it is on, the format is TV: lv is the value of the attribute.
-     * ISAKMP_ATTR_AF_MASK is the mask in host form.
-     *
-     * The low order 15 bits of isaat_af_type is the Attribute Type.
-     * ISAKMP_ATTR_RTYPE_MASK is the mask in host form.
-     */
-    u_int16_t isaat_af_type;   /* high order bit: AF; lower 15: rtype */
-    u_int16_t isaat_lv;			/* Length or value */
+	/* The high order bit of isaat_af_type is the Attribute Format
+	 * If it is off, the format is TLV: lv is the length of the following
+	 * attribute value.
+	 * If it is on, the format is TV: lv is the value of the attribute.
+	 * ISAKMP_ATTR_AF_MASK is the mask in host form.
+	 *
+	 * The low order 15 bits of isaat_af_type is the Attribute Type.
+	 * ISAKMP_ATTR_RTYPE_MASK is the mask in host form.
+	 */
+	u_int16_t isaat_af_type;   /* high order bit: AF; lower 15: rtype */
+	u_int16_t isaat_lv;                 /* Length or value */
 };
 
 #define ISAKMP_ATTR_AF_MASK 0x8000
@@ -229,8 +227,8 @@ struct isakmp_attribute
 #define ISAKMP_ATTR_RTYPE_MASK 0x7FFF
 
 extern struct_desc
-    isakmp_oakley_attribute_desc,
-    isakmp_ipsec_attribute_desc;
+	isakmp_oakley_attribute_desc,
+	isakmp_ipsec_attribute_desc;
 
 /* ISAKMP Security Association Payload
  * layout from RFC 2408 "ISAKMP" section 3.4
@@ -250,10 +248,10 @@ extern struct_desc
  */
 struct isakmp_sa
 {
-    u_int8_t  isasa_np;			/* Next payload */
-    u_int8_t  isasa_reserved;
-    u_int16_t isasa_length;		/* Payload length */
-    u_int32_t isasa_doi;		/* DOI */
+	u_int8_t  isasa_np;                 /* Next payload */
+	u_int8_t  isasa_reserved;
+	u_int16_t isasa_length;             /* Payload length */
+	u_int32_t isasa_doi;                /* DOI */
 };
 
 extern struct_desc isakmp_sa_desc;
@@ -276,13 +274,13 @@ extern struct_desc ipsec_sit_desc;
  */
 struct isakmp_proposal
 {
-    u_int8_t    isap_np;
-    u_int8_t    isap_reserved;
-    u_int16_t   isap_length;
-    u_int8_t    isap_proposal;
-    u_int8_t    isap_protoid;
-    u_int8_t    isap_spisize;
-    u_int8_t    isap_notrans;		/* Number of transforms */
+	u_int8_t    isap_np;
+	u_int8_t    isap_reserved;
+	u_int16_t   isap_length;
+	u_int8_t    isap_proposal;
+	u_int8_t    isap_protoid;
+	u_int8_t    isap_spisize;
+	u_int8_t    isap_notrans;           /* Number of transforms */
 };
 
 extern struct_desc isakmp_proposal_desc;
@@ -305,19 +303,19 @@ extern struct_desc isakmp_proposal_desc;
  */
 struct isakmp_transform
 {
-    u_int8_t    isat_np;
-    u_int8_t    isat_reserved;
-    u_int16_t   isat_length;
-    u_int8_t    isat_transnum;		/* Number of the transform */
-    u_int8_t    isat_transid;
-    u_int16_t   isat_reserved2;
+	u_int8_t    isat_np;
+	u_int8_t    isat_reserved;
+	u_int16_t   isat_length;
+	u_int8_t    isat_transnum;          /* Number of the transform */
+	u_int8_t    isat_transid;
+	u_int16_t   isat_reserved2;
 };
 
 extern struct_desc
-    isakmp_isakmp_transform_desc,
-    isakmp_ah_transform_desc,
-    isakmp_esp_transform_desc,
-    isakmp_ipcomp_transform_desc;
+	isakmp_isakmp_transform_desc,
+	isakmp_ah_transform_desc,
+	isakmp_esp_transform_desc,
+	isakmp_ipcomp_transform_desc;
 
 /* ISAKMP Key Exchange Payload: no fixed fields beyond the generic ones.
  * layout from RFC 2408 "ISAKMP" section 3.7
@@ -354,12 +352,12 @@ extern struct_desc isakmp_keyex_desc;
  */
 struct isakmp_id
 {
-    u_int8_t    isaid_np;
-    u_int8_t    isaid_reserved;
-    u_int16_t   isaid_length;
-    u_int8_t    isaid_idtype;
-    u_int8_t    isaid_doi_specific_a;
-    u_int16_t   isaid_doi_specific_b;
+	u_int8_t    isaid_np;
+	u_int8_t    isaid_reserved;
+	u_int16_t   isaid_length;
+	u_int8_t    isaid_idtype;
+	u_int8_t    isaid_doi_specific_a;
+	u_int16_t   isaid_doi_specific_b;
 };
 
 extern struct_desc isakmp_identification_desc;
@@ -381,12 +379,12 @@ extern struct_desc isakmp_identification_desc;
  */
 struct isakmp_ipsec_id
 {
-    u_int8_t    isaiid_np;
-    u_int8_t    isaiid_reserved;
-    u_int16_t   isaiid_length;
-    u_int8_t    isaiid_idtype;
-    u_int8_t    isaiid_protoid;
-    u_int16_t   isaiid_port;
+	u_int8_t    isaiid_np;
+	u_int8_t    isaiid_reserved;
+	u_int16_t   isaiid_length;
+	u_int8_t    isaiid_idtype;
+	u_int8_t    isaiid_protoid;
+	u_int16_t   isaiid_port;
 };
 
 extern struct_desc isakmp_ipsec_identification_desc;
@@ -408,17 +406,17 @@ extern struct_desc isakmp_ipsec_identification_desc;
  */
 struct isakmp_cert
 {
-    u_int8_t    isacert_np;
-    u_int8_t    isacert_reserved;
-    u_int16_t   isacert_length;
-    u_int8_t    isacert_type;
+	u_int8_t    isacert_np;
+	u_int8_t    isacert_reserved;
+	u_int16_t   isacert_length;
+	u_int8_t    isacert_type;
 };
 
 /* NOTE: this packet type has a fixed portion that is not a
  * multiple of 4 octets.  This means that sizeof(struct isakmp_cert)
  * yields the wrong value for the length.
  */
-#define ISAKMP_CERT_SIZE		5
+#define ISAKMP_CERT_SIZE                5
 
 extern struct_desc isakmp_ipsec_certificate_desc;
 
@@ -439,17 +437,17 @@ extern struct_desc isakmp_ipsec_certificate_desc;
  */
 struct isakmp_cr
 {
-    u_int8_t    isacr_np;
-    u_int8_t    isacr_reserved;
-    u_int16_t   isacr_length;
-    u_int8_t    isacr_type;
+	u_int8_t    isacr_np;
+	u_int8_t    isacr_reserved;
+	u_int16_t   isacr_length;
+	u_int8_t    isacr_type;
 };
 
 /* NOTE: this packet type has a fixed portion that is not a
  * multiple of 4 octets.  This means that sizeof(struct isakmp_cr)
  * yields the wrong value for the length.
  */
-#define ISAKMP_CR_SIZE		5
+#define ISAKMP_CR_SIZE          5
 
 extern struct_desc isakmp_ipsec_cert_req_desc;
 
@@ -526,13 +524,13 @@ extern struct_desc isakmp_nonce_desc;
  */
 struct isakmp_notification
 {
-    u_int8_t    isan_np;
-    u_int8_t    isan_reserved;
-    u_int16_t   isan_length;
-    u_int32_t   isan_doi;
-    u_int8_t    isan_protoid;
-    u_int8_t    isan_spisize;
-    u_int16_t   isan_type;
+	u_int8_t    isan_np;
+	u_int8_t    isan_reserved;
+	u_int16_t   isan_length;
+	u_int32_t   isan_doi;
+	u_int8_t    isan_protoid;
+	u_int8_t    isan_spisize;
+	u_int16_t   isan_type;
 };
 
 extern struct_desc isakmp_notification_desc;
@@ -557,40 +555,40 @@ extern struct_desc isakmp_notification_desc;
  */
 struct isakmp_delete
 {
-    u_int8_t    isad_np;
-    u_int8_t    isad_reserved;
-    u_int16_t   isad_length;
-    u_int32_t   isad_doi;
-    u_int8_t    isad_protoid;
-    u_int8_t    isad_spisize;
-    u_int16_t   isad_nospi;
+	u_int8_t    isad_np;
+	u_int8_t    isad_reserved;
+	u_int16_t   isad_length;
+	u_int32_t   isad_doi;
+	u_int8_t    isad_protoid;
+	u_int8_t    isad_spisize;
+	u_int16_t   isad_nospi;
 };
 
 extern struct_desc isakmp_delete_desc;
 
 /* From draft-dukes-ike-mode-cfg
 3.2. Attribute Payload
-                           1                   2                   3
-       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
-     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-     ! Next Payload  !   RESERVED    !         Payload Length        !
-     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-     !     Type      !   RESERVED    !           Identifier          !
-     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-     !                                                               !
-     !                                                               !
-     ~                           Attributes                          ~
-     !                                                               !
-     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+						   1                   2                   3
+	   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+	 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+	 ! Next Payload  !   RESERVED    !         Payload Length        !
+	 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+	 !     Type      !   RESERVED    !           Identifier          !
+	 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+	 !                                                               !
+	 !                                                               !
+	 ~                           Attributes                          ~
+	 !                                                               !
+	 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 */
 struct isakmp_mode_attr
 {
-    u_int8_t    isama_np;
-    u_int8_t    isama_reserved;
-    u_int16_t   isama_length;
-    u_int8_t    isama_type;
-    u_int8_t    isama_reserved2;
-    u_int16_t   isama_identifier;
+	u_int8_t    isama_np;
+	u_int8_t    isama_reserved;
+	u_int16_t   isama_length;
+	u_int8_t    isama_type;
+	u_int8_t    isama_reserved2;
+	u_int16_t   isama_identifier;
 };
 
 extern struct_desc isakmp_attr_desc;
@@ -614,12 +612,12 @@ extern struct_desc isakmp_vendor_id_desc;
 
 struct isakmp_nat_oa
 {
-    u_int8_t    isanoa_np;
-    u_int8_t    isanoa_reserved_1;
-    u_int16_t   isanoa_length;
-    u_int8_t    isanoa_idtype;
-    u_int8_t    isanoa_reserved_2;
-    u_int16_t   isanoa_reserved_3;
+	u_int8_t    isanoa_np;
+	u_int8_t    isanoa_reserved_1;
+	u_int16_t   isanoa_length;
+	u_int8_t    isanoa_idtype;
+	u_int8_t    isanoa_reserved_2;
+	u_int16_t   isanoa_reserved_3;
 };
 
 extern struct_desc isakmp_nat_d;
@@ -628,18 +626,18 @@ extern struct_desc isakmp_nat_oa;
 /* union of all payloads */
 
 union payload {
-    struct isakmp_generic generic;
-    struct isakmp_sa sa;
-    struct isakmp_proposal proposal;
-    struct isakmp_transform transform;
-    struct isakmp_id id;    /* Main Mode */
-    struct isakmp_cert cert;
-    struct isakmp_cr cr;
-    struct isakmp_ipsec_id ipsec_id;	/* Quick Mode */
-    struct isakmp_notification notification;
-    struct isakmp_delete delete;
-    struct isakmp_nat_oa nat_oa;
-    struct isakmp_mode_attr attribute;
+	struct isakmp_generic generic;
+	struct isakmp_sa sa;
+	struct isakmp_proposal proposal;
+	struct isakmp_transform transform;
+	struct isakmp_id id;    /* Main Mode */
+	struct isakmp_cert cert;
+	struct isakmp_cr cr;
+	struct isakmp_ipsec_id ipsec_id;    /* Quick Mode */
+	struct isakmp_notification notification;
+	struct isakmp_delete delete;
+	struct isakmp_nat_oa nat_oa;
+	struct isakmp_mode_attr attribute;
 };
 
 /* descriptor for each payload type
diff --git a/src/pluto/pem.c b/src/pluto/pem.c
index 5ebe4b576..646447c1a 100644
--- a/src/pluto/pem.c
+++ b/src/pluto/pem.c
@@ -1,5 +1,6 @@
 /* Loading of PEM encoded files with optional encryption
- * Copyright (C) 2001-2004 Andreas Steffen, Zuercher Hochschule Winterthur
+ * Copyright (C) 2001-2009 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -10,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: pem.c 3252 2007-10-06 21:24:50Z andreas $
  */
 
 /* decrypt a PEM encoded data block using DES-EDE3-CBC
@@ -27,437 +26,101 @@
 #include <sys/types.h>
 
 #include <freeswan.h>
-#define HEADER_DES_LOCL_H   /* stupid trick to force prototype decl in <des.h> */
-#include <libdes/des.h>
+
+#include <library.h>
+#include <asn1/pem.h>
 
 #include "constants.h"
 #include "defs.h"
 #include "log.h"
-#include "md5.h"
 #include "whack.h"
 #include "pem.h"
 
-/*
- * check the presence of a pattern in a character string
- */
-static bool
-present(const char* pattern, chunk_t* ch)
-{
-    u_int pattern_len = strlen(pattern);
-
-    if (ch->len >= pattern_len && strncmp(ch->ptr, pattern, pattern_len) == 0)
-    {
-	ch->ptr += pattern_len;
-	ch->len -= pattern_len;
-	return TRUE;
-    }
-    return FALSE;
-}
-
-/*
- * compare string with chunk
- */
-static bool
-match(const char *pattern, const chunk_t *ch)
-{
-    return ch->len == strlen(pattern) &&
-	   strncmp(pattern, ch->ptr, ch->len) == 0;
-}
-
-/*
- * find a boundary of the form -----tag name-----
- */
-static bool
-find_boundary(const char* tag, chunk_t *line)
-{
-    chunk_t name = empty_chunk;
-
-    if (!present("-----", line))
-	return FALSE;
-    if (!present(tag, line))
-	return FALSE;
-    if (*line->ptr != ' ')
-	return FALSE;
-    line->ptr++;  line->len--;
-
-    /* extract name */
-    name.ptr = line->ptr;
-    while (line->len > 0)
-    {
-	if (present("-----", line))
-	{
-	    DBG(DBG_PARSING,
-		DBG_log("  -----%s %.*s-----",
-			tag, (int)name.len, name.ptr);
-	    )
-	    return TRUE;
-	}
-	line->ptr++;  line->len--;  name.len++;
-    }
-    return FALSE;
-}
-
-/*
- * eat whitespace
- */
-static void
-eat_whitespace(chunk_t *src)
-{
-    while (src->len > 0 && (*src->ptr == ' ' || *src->ptr == '\t'))
-    {
-	src->ptr++;  src->len--;
-    }
-}
-
-/*
- * extracts a token ending with a given termination symbol
- */
-static bool
-extract_token(chunk_t *token, char termination, chunk_t *src)
-{
-    u_char *eot = memchr(src->ptr, termination, src->len);
-
-    /* initialize empty token */
-    *token = empty_chunk;
-
-    if (eot == NULL) /* termination symbol not found */
-	return FALSE;
-
-    /* extract token */
-    token->ptr = src->ptr;
-    token->len = (u_int)(eot - src->ptr);
-
-    /* advance src pointer after termination symbol */
-    src->ptr = eot + 1;
-    src->len -= (token->len + 1);
-
-   return TRUE;
-}
-
-/*
- * extracts a name: value pair from the PEM header
- */
-static bool
-extract_parameter(chunk_t *name, chunk_t *value, chunk_t *line)
-{
-    DBG(DBG_PARSING,
-	DBG_log("  %.*s", (int)line->len, line->ptr);
-    )
-
-    /* extract name */
-    if (!extract_token(name,':', line))
-	return FALSE;
-
-    eat_whitespace(line);
-
-    /* extract value */
-    *value = *line;
-    return TRUE;
-}
-
-/*
- *  fetches a new line terminated by \n or \r\n
- */
-static bool
-fetchline(chunk_t *src, chunk_t *line)
-{
-    if (src->len == 0) /* end of src reached */
-	return FALSE;
-
-    if (extract_token(line, '\n', src))
-    {
-	if (line->len > 0 && *(line->ptr + line->len -1) == '\r')
-	    line->len--;  /* remove optional \r */
-    }
-    else /*last line ends without newline */
-    {
-	*line = *src;
-	src->ptr += src->len;
-	src->len = 0;
-    }
-    return TRUE;
-}
-
-/*
- * decrypts a DES-EDE-CBC encrypted data block
- */
-static bool
-pem_decrypt_3des(chunk_t *blob, chunk_t *iv, const char *passphrase)
-{
-    MD5_CTX context;
-    u_char digest[MD5_DIGEST_SIZE];
-    u_char des_iv[DES_CBC_BLOCK_SIZE];
-    u_char key[24];
-    des_cblock *deskey = (des_cblock *)key;
-    des_key_schedule ks[3];
-    u_char padding, *last_padding_pos, *first_padding_pos;
-
-    /* Convert passphrase to 3des key */
-    MD5Init(&context);
-    MD5Update(&context, passphrase, strlen(passphrase));
-    MD5Update(&context, iv->ptr, iv->len);
-    MD5Final(digest, &context);
-
-    memcpy(key, digest, MD5_DIGEST_SIZE);
-
-    MD5Init(&context);
-    MD5Update(&context, digest, MD5_DIGEST_SIZE);
-    MD5Update(&context, passphrase, strlen(passphrase));
-    MD5Update(&context, iv->ptr, iv->len);
-    MD5Final(digest, &context);
-
-    memcpy(key + MD5_DIGEST_SIZE, digest, 24 - MD5_DIGEST_SIZE);
-
-    (void) des_set_key(&deskey[0], ks[0]);
-    (void) des_set_key(&deskey[1], ks[1]);
-    (void) des_set_key(&deskey[2], ks[2]);
-
-    /* decrypt data block */
-    memcpy(des_iv, iv->ptr, DES_CBC_BLOCK_SIZE);
-    des_ede3_cbc_encrypt((des_cblock *)blob->ptr, (des_cblock *)blob->ptr,
-	blob->len, ks[0], ks[1], ks[2], (des_cblock *)des_iv, FALSE);
-
-    /* determine amount of padding */
-    last_padding_pos = blob->ptr + blob->len - 1;
-    padding = *last_padding_pos;
-    first_padding_pos = (padding > blob->len)?
-			 blob->ptr : last_padding_pos - padding;
-
-    /* check the padding pattern */
-    while (--last_padding_pos > first_padding_pos)
-    {
-	if (*last_padding_pos != padding)
-	    return FALSE;
-    }
-
-    /* remove padding */
-    blob->len -= padding;
-    return TRUE;
-}
-
-/*
- * optionally prompts for a passphrase before decryption
- * currently we support DES-EDE3-CBC, only
+/**
+ *  Converts a PEM encoded file into its binary form
+ *  RFC 1421 Privacy Enhancement for Electronic Mail, February 1993
+ *  RFC 934 Message Encapsulation, January 1985
  */
-static err_t
-pem_decrypt(chunk_t *blob, chunk_t *iv, prompt_pass_t *pass, const char* label)
+err_t pemtobin(chunk_t *blob, prompt_pass_t *pass, const char* label, bool *pgp)
 {
-    DBG(DBG_CRYPT,
-	DBG_log("  decrypting file using 'DES-EDE3-CBC'");
-    )
-    if (iv->len != DES_CBC_BLOCK_SIZE)
-	return "size of DES-EDE3-CBC IV is not 8 bytes";
-
-    if (pass == NULL)
-	return "no passphrase available";
+	chunk_t password = chunk_empty;
 
-    /* do we prompt for the passphrase? */
-    if (pass->prompt && pass->fd != NULL_FD)
-    {
-	int i;
-	chunk_t blob_copy;
- 	err_t ugh = "invalid passphrase, too many trials";
-
-	whack_log(RC_ENTERSECRET, "need passphrase for '%s'", label);
-
-	for (i = 0; i < MAX_PROMPT_PASS_TRIALS; i++)
+	/* do we prompt for the passphrase? */
+	if (pass && pass->prompt && pass->fd != NULL_FD)
 	{
-	    int n;
-
-	    if (i > 0)
-	    whack_log(RC_ENTERSECRET, "invalid passphrase, please try again");
-
-	    n = read(pass->fd, pass->secret, PROMPT_PASS_LEN);
-
-	    if (n == -1)
-	    {
-		err_t ugh = "read(whackfd) failed";
-
-		whack_log(RC_LOG_SERIOUS,ugh);
-		return ugh;
-	    }
+		int i;
+		chunk_t blob_copy;
+		err_t ugh = "invalid passphrase, too many trials";
+		status_t status;
 
-	    pass->secret[n-1] = '\0';
-	    
-	    if (strlen(pass->secret) == 0)
-	    {
-	        err_t ugh = "no passphrase entered, aborted";
+		whack_log(RC_ENTERSECRET, "need passphrase for '%s'", label);
 
+		for (i = 0; i < MAX_PROMPT_PASS_TRIALS; i++)
+		{
+			int n;
+
+			if (i > 0)
+			{
+				whack_log(RC_ENTERSECRET, "invalid passphrase, please try again");
+			}
+			n = read(pass->fd, pass->secret, PROMPT_PASS_LEN);
+
+			if (n == -1)
+			{
+				err_t ugh = "read(whackfd) failed";
+
+				whack_log(RC_LOG_SERIOUS,ugh);
+				return ugh;
+			}
+
+			pass->secret[n-1] = '\0';
+			
+			if (strlen(pass->secret) == 0)
+			{
+				err_t ugh = "no passphrase entered, aborted";
+
+				whack_log(RC_LOG_SERIOUS, ugh);
+				return ugh;
+			}
+
+			blob_copy = chunk_clone(*blob);
+			password = chunk_create(pass->secret, strlen(pass->secret));
+
+			status = pem_to_bin(blob, password, pgp);
+			if (status != INVALID_ARG)
+			{
+				if (status == SUCCESS)
+				{
+					whack_log(RC_SUCCESS, "valid passphrase");
+				}
+				else
+				{
+					whack_log(RC_LOG_SERIOUS, "%N, aborted", status_names, status);
+				}
+				free(blob_copy.ptr);
+				return NULL;
+			}
+			
+			/* blob is useless after wrong decryption, restore the original */
+			free(blob->ptr);
+			*blob = blob_copy;
+		}
 		whack_log(RC_LOG_SERIOUS, ugh);
 		return ugh;
-	    }
-
-	    clonetochunk(blob_copy, blob->ptr, blob->len, "blob copy");
-
-	    if (pem_decrypt_3des(blob, iv, pass->secret))
-	    {
-		whack_log(RC_SUCCESS, "valid passphrase");
-		pfree(blob_copy.ptr);
-		return NULL;
-	    }
-	    
-	    /* blob is useless after wrong decryption, restore the original */
-	    pfree(blob->ptr);
-	    *blob = blob_copy;
-	}
-	whack_log(RC_LOG_SERIOUS, ugh);
-	return ugh;
-    }
-    else
-    {
-	if (pem_decrypt_3des(blob, iv, pass->secret))
-	    return NULL;
-	else
-	    return "invalid passphrase";
-    }
-}
-
-/*  Converts a PEM encoded file into its binary form
- *
- *  RFC 1421 Privacy Enhancement for Electronic Mail, February 1993
- *  RFC 934 Message Encapsulation, January 1985
- */
-err_t
-pemtobin(chunk_t *blob, prompt_pass_t *pass, const char* label, bool *pgp)
-{
-    typedef enum {
-	PEM_PRE    = 0,
-	PEM_MSG    = 1,
-	PEM_HEADER = 2,
-	PEM_BODY   = 3,
-	PEM_POST   = 4,
-	PEM_ABORT  = 5
-    } state_t;
-
-    bool encrypted = FALSE;
-
-    state_t state  = PEM_PRE;
-
-    chunk_t src    = *blob;
-    chunk_t dst    = *blob;
-    chunk_t line   = empty_chunk;
-    chunk_t iv     = empty_chunk;
-
-    u_char iv_buf[MAX_DIGEST_LEN];
-
-    /* zero size of converted blob */
-    dst.len = 0;
-
-    /* zero size of IV */
-    iv.ptr = iv_buf;
-    iv.len = 0;
-
-    while (fetchline(&src, &line))
-    {
-	if (state == PEM_PRE)
-	{
-	    if (find_boundary("BEGIN", &line))
-	    {
-		*pgp = FALSE;
-		state = PEM_MSG;
-	    }
-	    continue;
 	}
 	else
 	{
-	    if (find_boundary("END", &line))
-	    {
-		state = PEM_POST;
-		break;
-	    }
-	    if (state == PEM_MSG)
-	    {
-		state = (memchr(line.ptr, ':', line.len) == NULL)?
-			    PEM_BODY : PEM_HEADER;
-	    }
-	    if (state == PEM_HEADER)
-	    {
-		chunk_t name  = empty_chunk;
-		chunk_t value = empty_chunk;
-
-		/* an empty line separates HEADER and BODY */
-		if (line.len == 0)
-		{
-		    state = PEM_BODY;
-		    continue;
-		}
-
-	        /* we are looking for a name: value pair */
-		if (!extract_parameter(&name, &value, &line))
-		    continue;
-
-		if (match("Proc-Type", &name) && *value.ptr == '4')
-			encrypted = TRUE;
-		else if (match("DEK-Info", &name))
+		if (pass)
 		{
-		    const char *ugh = NULL;
-		    size_t len = 0;
-		    chunk_t dek;
-
-		    if (!extract_token(&dek, ',', &value))
-			dek = value;
-
-		    /* we support DES-EDE3-CBC encrypted files, only */
-		    if (!match("DES-EDE3-CBC", &dek))
-			return "we support DES-EDE3-CBC encrypted files, only";
-
-		    eat_whitespace(&value);
-		    ugh = ttodata(value.ptr, value.len, 16,
-		    		  iv.ptr, MAX_DIGEST_LEN, &len);
-		    if (ugh)
-			return "error in IV";
-
-		    iv.len = len;
+			password = chunk_create(pass->secret, strlen(pass->secret));
 		}
-	    }
-	    else /* state is PEM_BODY */
-	    {
-		const char *ugh = NULL;
-		size_t len = 0;
-		chunk_t data;
-
-		/* remove any trailing whitespace */
-		if (!extract_token(&data ,' ', &line))
-		    data = line;
-
-		/* check for PGP armor checksum */
-		if (*data.ptr == '=')
+		if (pem_to_bin(blob, password, pgp) == SUCCESS)
 		{
-		    *pgp = TRUE;
-		    data.ptr++;
-		    data.len--;
-		    DBG(DBG_PARSING,
-			DBG_log("  Armor checksum: %.*s", (int)data.len, data.ptr);
-		    )
-		    continue;
-		}
-
-		ugh = ttodata(data.ptr, data.len, 64,
-			      dst.ptr, blob->len - dst.len, &len);
-		if (ugh)
-		{
-		    DBG(DBG_PARSING,
-			DBG_log("  %s", ugh);
-		    )
-		    state = PEM_ABORT;
-		    break;
+			return NULL;
 		}
 		else
 		{
-		    dst.ptr += len;
-		    dst.len += len;
+			return "pem to bin conversion failed";
 		}
-	    }
-	}
-    }
-    /* set length to size of binary blob */
-    blob->len = dst.len;
-
-    if (state != PEM_POST)
-	return "file coded in unknown format, discarded";
-
-    if (encrypted)
-	return pem_decrypt(blob, &iv, pass, label);
-    else
-	return NULL;
+	}	
 }
diff --git a/src/pluto/pem.h b/src/pluto/pem.h
index e74915cb2..5e97b99ed 100644
--- a/src/pluto/pem.h
+++ b/src/pluto/pem.h
@@ -1,5 +1,7 @@
 /* Loading of PEM encoded files with optional encryption
- * Copyright (C) 2001-2004 Andreas Steffen, Zuercher Hochschule Winterthur
+ * Copyright (C) 2001-2009 Andreas Steffen
+ *
+ * Hochschule fuer Technik Rapperswil 
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -10,9 +12,7 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: pem.h 3252 2007-10-06 21:24:50Z andreas $
  */
 
-extern err_t pemtobin(chunk_t *blob, prompt_pass_t *pass, const char* label
-    , bool *pgp);
+extern err_t pemtobin(chunk_t *blob, prompt_pass_t *pass, const char* label,
+					  bool *pgp);
diff --git a/src/pluto/pgp.c b/src/pluto/pgp.c
deleted file mode 100644
index b956ce4d7..000000000
--- a/src/pluto/pgp.c
+++ /dev/null
@@ -1,647 +0,0 @@
-/* Support of OpenPGP certificates
- * Copyright (C) 2002-2004 Andreas Steffen, Zuercher Hochschule Winterthur
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- *
- * RCSID $Id: pgp.c 3252 2007-10-06 21:24:50Z andreas $
- */
-
-#include <stdlib.h>
-#include <string.h>
-#include <time.h>
-
-#include <freeswan.h>
-#include <ipsec_policy.h>
-
-#include "constants.h"
-#include "defs.h"
-#include "mp_defs.h"
-#include "log.h"
-#include "id.h"
-#include "pgp.h"
-#include "certs.h"
-#include "md5.h"
-#include "whack.h"
-#include "pkcs1.h"
-#include "keys.h"
-
-/*
- * chained list of OpenPGP end certificates
- */
-static pgpcert_t *pgpcerts   = NULL;
-
-/*
- * OpenPGP packet tags defined in section 4.3 of RFC 2440
- */
-#define PGP_PKT_RESERVED		 0
-#define PGP_PKT_PUBKEY_ENC_SESSION_KEY	 1
-#define PGP_PKT_SIGNATURE		 2
-#define PGP_PKT_SYMKEY_ENC_SESSION_KEY	 3
-#define PGP_PKT_ONE_PASS_SIGNATURE_PKT	 4
-#define PGP_PKT_SECRET_KEY		 5
-#define PGP_PKT_PUBLIC_KEY		 6
-#define PGP_PKT_SECRET_SUBKEY		 7
-#define PGP_PKT_COMPRESSED_DATA		 8
-#define PGP_PKT_SYMKEY_ENC_DATA		 9
-#define PGP_PKT_MARKER			10
-#define PGP_PKT_LITERAL_DATA		11
-#define PGP_PKT_TRUST			12
-#define PGP_PKT_USER_ID			13
-#define PGP_PKT_PUBLIC_SUBKEY		14
-#define PGP_PKT_ROOF			15
-
-static const char *const pgp_packet_type_name[] = {
-    "Reserved",
-    "Public-Key Encrypted Session Key Packet",
-    "Signature Packet",
-    "Symmetric-Key Encrypted Session Key Packet",
-    "One-Pass Signature Packet",
-    "Secret Key Packet",
-    "Public Key Packet",
-    "Secret Subkey Packet",
-    "Compressed Data Packet",
-    "Symmetrically Encrypted Data Packet",
-    "Marker Packet",
-    "Literal Data Packet",
-    "Trust Packet",
-    "User ID Packet",
-    "Public Subkey Packet"
-};
-
-/*
- * OpenPGP public key algorithms defined in section 9.1 of RFC 2440
- */
-#define PGP_PUBKEY_ALG_RSA 		 1
-#define PGP_PUBKEY_ALG_RSA_ENC_ONLY	 2
-#define PGP_PUBKEY_ALG_RSA_SIGN_ONLY	 3
-#define PGP_PUBKEY_ALG_ELGAMAL_ENC_ONLY	16
-#define PGP_PUBKEY_ALG_DSA		17
-#define PGP_PUBKEY_ALG_ECC		18
-#define PGP_PUBKEY_ALG_ECDSA		19
-#define PGP_PUBKEY_ALG_ELGAMAL		20
-
-/*
- * OpenPGP symmetric key algorithms defined in section 9.2 of RFC 2440
-  */
-#define PGP_SYM_ALG_PLAIN	 0
-#define PGP_SYM_ALG_IDEA	 1
-#define PGP_SYM_ALG_3DES	 2
-#define PGP_SYM_ALG_CAST5	 3
-#define PGP_SYM_ALG_BLOWFISH	 4
-#define PGP_SYM_ALG_SAFER	 5
-#define PGP_SYM_ALG_DES		 6
-#define PGP_SYM_ALG_AES		 7
-#define PGP_SYM_ALG_AES_192	 8
-#define PGP_SYM_ALG_AES_256	 9
-#define PGP_SYM_ALG_TWOFISH	10
-#define PGP_SYM_ALG_ROOF	11
-
-static const char *const pgp_sym_alg_name[] = {
-    "Plaintext",
-    "IDEA",
-    "3DES",
-    "CAST5",
-    "Blowfish",
-    "SAFER",
-    "DES",
-    "AES",
-    "AES-192",
-    "AES-256",
-    "Twofish"
-};
-
-/*
- * Size of PGP Key ID
- */
-#define PGP_KEYID_SIZE		8
-
-const pgpcert_t empty_pgpcert = {
-      NULL     , /* *next */
-            0  , /* installed */
-            0  , /* count */
-    { NULL, 0 }, /* certificate */
-            0  , /* created */
-            0  , /* until */
-            0  , /* pubkeyAlgorithm */
-    { NULL, 0 }, /* modulus */
-    { NULL, 0 }, /* publicExponent */
-       ""        /* fingerprint */
-};
-
-static size_t
-pgp_size(chunk_t *blob, int len)
-{
-    size_t size = 0;
-
-    blob->len -= len;
-    while (len-- > 0)
-	size = 256*size + *blob->ptr++;
-    return size;
-}
-
-/*
- * extracts the length of a PGP packet
- */
-static size_t
-pgp_old_packet_length(chunk_t *blob)
-{
-    /* bits 0 and 1 define the packet length type */
-    int len_type = 0x03 & *blob->ptr++;
-
-    blob->len--;
-
-    /* len_type: 0 -> 1 byte, 1 -> 2 bytes, 2 -> 4 bytes */
-    return pgp_size(blob, (len_type == 0)? 1: len_type << 1);
-}
-
-/*
- * extracts PGP packet version (V3 or V4)
- */
-static u_char
-pgp_version(chunk_t *blob)
-{
-    u_char version = *blob->ptr++;
-    blob->len--;
-    DBG(DBG_PARSING,
-	DBG_log("L3 - version:");
-	DBG_log("  V%d", version)
-    )
-    return version;
-}
-
-/*
- * Parse OpenPGP public key packet defined in section 5.5.2 of RFC 2440
- */
-static bool
-parse_pgp_pubkey_packet(chunk_t *packet, pgpcert_t *cert)
-{
-    u_char version = pgp_version(packet);
-
-    if (version < 3 || version > 4)
-    {
-	plog("PGP packet version V%d not supported", version);
-	return FALSE;
-    }
-
-    /* creation date - 4 bytes */
-    cert->created = (time_t)pgp_size(packet, 4);
-    DBG(DBG_PARSING,
-	DBG_log("L3 - created:");
-	DBG_log("  %s", timetoa(&cert->created, TRUE))
-    )
-
-    if (version == 3)
-    {
-	/* validity in days - 2 bytes */
-	cert->until   = (time_t)pgp_size(packet, 2);
-
-	/* validity of 0 days means that the key never expires */
-	if (cert->until > 0)
-	    cert->until = cert->created + 24*3600*cert->until;
-
-	DBG(DBG_PARSING,
-	    DBG_log("L3 - until:");
-	    DBG_log("  %s", timetoa(&cert->until, TRUE));
-	)
-    }
-
-    /* public key algorithm - 1 byte */
-    DBG(DBG_PARSING,
-	DBG_log("L3 - public key algorithm:")
-    )
-
-    switch (pgp_size(packet, 1))
-    {
-    case PGP_PUBKEY_ALG_RSA:
-    case PGP_PUBKEY_ALG_RSA_SIGN_ONLY:
-	cert->pubkeyAlg = PUBKEY_ALG_RSA;
-	DBG(DBG_PARSING,
-	    DBG_log("  RSA")
-	)
-	/* modulus n */
-	cert->modulus.len = (pgp_size(packet, 2)+7) / BITS_PER_BYTE;
-	cert->modulus.ptr = packet->ptr;
-	packet->ptr += cert->modulus.len;
-	packet->len -= cert->modulus.len;
-	DBG(DBG_PARSING,
-	    DBG_log("L3 - modulus:")
-	)
-	DBG_cond_dump_chunk(DBG_RAW, "", cert->modulus);
-
-	/* public exponent e */
-	cert->publicExponent.len = (pgp_size(packet, 2)+7) / BITS_PER_BYTE;
-	cert->publicExponent.ptr = packet->ptr;
-	packet->ptr += cert->publicExponent.len;
-	packet->len -= cert->publicExponent.len;
-	DBG(DBG_PARSING,
-	    DBG_log("L3 - public exponent:")
-	)
-	DBG_cond_dump_chunk(DBG_RAW, "", cert->publicExponent);
-
-	if (version == 3)
-	{
-	    /* a V3 fingerprint is the MD5 hash of modulus and public exponent */
-            MD5_CTX context;
-            MD5Init(&context);
-            MD5Update(&context, cert->modulus.ptr, cert->modulus.len);
-	    MD5Update(&context, cert->publicExponent.ptr, cert->publicExponent.len);
-            MD5Final(cert->fingerprint, &context);
-	}
-	else
-	{
-	    plog("  computation of V4 key ID not implemented yet");
-	}
-	break;
-    case PGP_PUBKEY_ALG_DSA:
-	cert->pubkeyAlg = PUBKEY_ALG_DSA;
-	DBG(DBG_PARSING,
-	    DBG_log("  DSA")
-	)
-	plog("  DSA public keys not supported");
-	return FALSE;
-     default:
-	cert->pubkeyAlg = 0;
-	DBG(DBG_PARSING,
-	    DBG_log("  other")
-	)
-	plog(" exotic not RSA public keys not supported");
-	return FALSE;
-    }
-    return TRUE;
-}
-
-/*
- * Parse OpenPGP secret key packet defined in section 5.5.3 of RFC 2440
- */
-static bool
-parse_pgp_secretkey_packet(chunk_t *packet, RSA_private_key_t *key)
-{
-    int i, s2k;
-    pgpcert_t cert = empty_pgpcert;
-
-    if (!parse_pgp_pubkey_packet(packet, &cert))
-	return FALSE;
-
-    init_RSA_public_key((RSA_public_key_t *)key, cert.publicExponent
-					       , cert.modulus);
-
-    /* string-to-key usage */
-    s2k = pgp_size(packet, 1);
-
-    DBG(DBG_PARSING,
-	DBG_log("L3 - string-to-key:  %d", s2k)
-    )
-
-    if (s2k == 255)
-    {
-	plog("  string-to-key specifiers not supported");
-	return FALSE;
-    }
-
-    if (s2k >= PGP_SYM_ALG_ROOF)
-    {
-	plog("  undefined symmetric key algorithm");
-	return FALSE;
-    }
-
-    /* a known symmetric key algorithm is specified*/
-    DBG(DBG_PARSING,
-	DBG_log("  %s", pgp_sym_alg_name[s2k])
-    )
-
-    /* private key is unencrypted */
-    if (s2k == PGP_SYM_ALG_PLAIN)
-    {
-	for (i = 2; i < RSA_PRIVATE_FIELD_ELEMENTS; i++)
-	{
-	    mpz_t u;  /* auxiliary variable */
-
-	    /* compute offset to private key component i*/
-	    MP_INT *n = (MP_INT*)((char *)key + RSA_private_field[i].offset);
-
-	    switch (i)
-	    {
-	    case 2:
-	    case 3:
-	    case 4:
-		{
-		    size_t len = (pgp_size(packet, 2)+7) / BITS_PER_BYTE;
-
-		    n_to_mpz(n, packet->ptr, len);
-		    DBG(DBG_PARSING,
-			DBG_log("L3 - %s:", RSA_private_field[i].name)
-		    )
-		    DBG_cond_dump(DBG_PRIVATE, "", packet->ptr, len);
-		    packet->ptr += len;
-		    packet->len -= len;
-		}
-		break;
-	    case 5:		/* dP = d mod (p-1) */
-		mpz_init(u);
-		mpz_sub_ui(u, &key->p, 1);
-		mpz_mod(n, &key->d, u);
-		mpz_clear(u);
-		break;
-	    case 6:		/* dQ = d mod (q-1) */
-		mpz_init(u);
-		mpz_sub_ui(u, &key->q, 1);
-		mpz_mod(n, &key->d, u);
-		mpz_clear(u);
-		break;
-	    case 7:		/* qInv = (q^-1) mod p */
-		mpz_invert(n, &key->q, &key->p);
-		if (mpz_cmp_ui(n, 0) < 0)
-		    mpz_add(n, n, &key->p);
-		passert(mpz_cmp(n, &key->p) < 0);
-		break;
-	    }
-	}
-	return TRUE;
-    }
-
-    plog("  %s encryption not supported",  pgp_sym_alg_name[s2k]);
-    return FALSE;
-}
-
-/*
- * Parse OpenPGP signature packet defined in section 5.2.2 of RFC 2440
- */
-static bool
-parse_pgp_signature_packet(chunk_t *packet, pgpcert_t *cert)
-{
-    time_t created;
-    chunk_t keyid;
-    u_char  sig_type;
-    u_char version = pgp_version(packet);
-
-    /* we parse only V3 signature packets */
-    if (version != 3)
-	return TRUE;
-
-    /* size byte must have the value 5 */
-    if (pgp_size(packet, 1) != 5)
-    {
-	plog(" size must be 5");
-	return FALSE;
-    }
-
-    /* signature type - 1 byte */
-    sig_type = (u_char)pgp_size(packet, 1);
-    DBG(DBG_PARSING,
-	DBG_log("L3 - signature type:  0x%2x", sig_type)
-    )
-
-    /* creation date - 4 bytes */
-    created = (time_t)pgp_size(packet, 4);
-    DBG(DBG_PARSING,
-	DBG_log("L3 - created:");
-	DBG_log("  %s", timetoa(&cert->created, TRUE))
-    )
-
-    /* key ID of signer - 8 bytes */
-    keyid.ptr = packet->ptr;
-    keyid.len = PGP_KEYID_SIZE;
-    DBG_cond_dump_chunk(DBG_PARSING, "L3 - key ID of signer", keyid);
-
-   return TRUE;
-}
-
-bool
-parse_pgp(chunk_t blob, pgpcert_t *cert, RSA_private_key_t *key)
-{
-    DBG(DBG_PARSING,
-	DBG_log("L0 - PGP file:")
-    )
-    DBG_cond_dump_chunk(DBG_RAW, "", blob);
-
-    if (cert != NULL)
-    {
-	/* parse a PGP certificate file */
-	cert->certificate = blob;
-	time(&cert->installed);
-    }
-    else if (key == NULL)
-    {
-	/* should not occur, nothing to parse */
-	return FALSE;
-    }
-
-    while (blob.len > 0)
-    {
-	chunk_t packet = empty_chunk;
-	u_char packet_tag = *blob.ptr;
-
-	DBG(DBG_PARSING,
-	    DBG_log("L1 - PGP packet:  tag= 0x%2x", packet_tag)
-	)
-
-	/* bit 7 must be set */
-	if (!(packet_tag & 0x80))
-	{
-	    plog("  incorrect Packet Tag");
-	    return FALSE;
-	}
-
-	/* bit 6 set defines new packet format */
-	if (packet_tag & 0x40)
-	{
-	    plog("  new PGP packet format not supported");
-	    return FALSE;
-	}
-	else
-	{
-	    int packet_type = (packet_tag & 0x3C) >> 2;
-
-	    packet.len = pgp_old_packet_length(&blob);
-	    packet.ptr = blob.ptr;
-	    blob.ptr += packet.len;
-	    blob.len -= packet.len;
-	    DBG(DBG_PARSING,
-		DBG_log("  %s (%d), old format, %d bytes",
-		    (packet_type < PGP_PKT_ROOF) ?
-		    pgp_packet_type_name[packet_type] :
-		    "Undefined Packet Type", packet_type, (int)packet.len);
-		DBG_log("L2 - body:")
-	    )
-	    DBG_cond_dump_chunk(DBG_RAW, "", packet);
-
-	    if (cert != NULL)
-	    {
-		/* parse a PGP certificate */
-		switch (packet_type)
-		{
-		case PGP_PKT_PUBLIC_KEY:
-		    if (!parse_pgp_pubkey_packet(&packet, cert))
-			return FALSE;
-		    break;
-		case PGP_PKT_SIGNATURE:
-		    if (!parse_pgp_signature_packet(&packet, cert))
-			return FALSE;
-		    break;
-		case PGP_PKT_USER_ID:
-		    DBG(DBG_PARSING,
-			DBG_log("L3 - user ID:");
-			DBG_log("  '%.*s'", (int)packet.len, packet.ptr)
-		    )
-		    break;
-		default:
-		    break;
-		}
-	    }
-	    else
-	    {
-		/* parse a PGP private key file */
-		switch (packet_type)
-		{
-		case PGP_PKT_SECRET_KEY:
-		    if (!parse_pgp_secretkey_packet(&packet, key))
-			return FALSE;
-		    break;
-		default:
-		    break;
-		}
-	    }
-	}
-    }
-    return TRUE;
-}
-
-/*
- *  compare two OpenPGP certificates
- */
-static bool
-same_pgpcert(pgpcert_t *a, pgpcert_t *b)
-{
-    return a->certificate.len == b->certificate.len &&
-	memcmp(a->certificate.ptr, b->certificate.ptr, b->certificate.len) == 0;
-}
-
-/*
- * for each link pointing to the certificate increase the count by one
- */
-void
-share_pgpcert(pgpcert_t *cert)
-{
-    if (cert != NULL)
- 	cert->count++;
-}
-
-/*
- * select the OpenPGP keyid as ID
- */
-void
-select_pgpcert_id(pgpcert_t *cert, struct id *end_id)
-{
-    end_id->kind = ID_KEY_ID;
-    end_id->name.len = PGP_FINGERPRINT_SIZE;
-    end_id->name.ptr = cert->fingerprint;
-    end_id->name.ptr = temporary_cyclic_buffer();
-    memcpy(end_id->name.ptr, cert->fingerprint, PGP_FINGERPRINT_SIZE);
-}
-
-/*
- *  add an OpenPGP user/host certificate to the chained list
- */
-pgpcert_t*
-add_pgpcert(pgpcert_t *cert)
-{
-    pgpcert_t *c = pgpcerts;
-
-    while (c != NULL)
-    {
-	if (same_pgpcert(c, cert)) /* already in chain, free cert */
-	{
-	    free_pgpcert(cert);
-	    return c;
-	}
-	c = c->next;
-    }
-
-    /* insert new cert at the root of the chain */
-    cert->next = pgpcerts;
-    pgpcerts = cert;
-    DBG(DBG_CONTROL | DBG_PARSING,
-	DBG_log("  pgp cert inserted")
-    )
-    return cert;
-}
-
-/*  release of a certificate decreases the count by one
- "  the certificate is freed when the counter reaches zero
- */
-void
-release_pgpcert(pgpcert_t *cert)
-{
-    if (cert != NULL && --cert->count == 0)
-    {
-	pgpcert_t **pp = &pgpcerts;
-	while (*pp != cert)
-	    pp = &(*pp)->next;
-        *pp = cert->next;
-	free_pgpcert(cert);
-    }
-}
-
-/*
- *  free a PGP certificate
- */
-void
-free_pgpcert(pgpcert_t *cert)
-{
-    if (cert != NULL)
-    {
-	if (cert->certificate.ptr != NULL)
-	    pfree(cert->certificate.ptr);
-	pfree(cert);
-    }
-}
-
-/*
- *  list all PGP end certificates in a chained list
- */
-void
-list_pgp_end_certs(bool utc)
-{
-   pgpcert_t *cert = pgpcerts;
-   time_t now;
-
-    /* determine the current time */
-    time(&now);
-
-    if (cert != NULL)
-    {
-	whack_log(RC_COMMENT, " ");
-	whack_log(RC_COMMENT, "List of PGP End certificates:");
-	whack_log(RC_COMMENT, " ");
-    }
-
-    while (cert != NULL)
-    {
-	unsigned keysize;
-	char buf[BUF_LEN];
-	cert_t c;
-
-	c.type = CERT_PGP;
-	c.u.pgp = cert;
-
-	whack_log(RC_COMMENT, "%s, count: %d", timetoa(&cert->installed, utc), cert->count);
-	datatot(cert->fingerprint, PGP_FINGERPRINT_SIZE, 'x', buf, BUF_LEN);
-	whack_log(RC_COMMENT, "       fingerprint:  %s", buf);
-	form_keyid(cert->publicExponent, cert->modulus, buf, &keysize);
-	whack_log(RC_COMMENT, "       pubkey:   %4d RSA Key %s%s", 8*keysize, buf,
-		(has_private_key(c))? ", has private key" : "");
-	whack_log(RC_COMMENT, "       created:  %s", timetoa(&cert->created, utc));
-	whack_log(RC_COMMENT, "       until:    %s %s", timetoa(&cert->until, utc),
-		check_expiry(cert->until, CA_CERT_WARNING_INTERVAL, TRUE));
-	cert = cert->next;
-    }
-}
-
diff --git a/src/pluto/pgp.h b/src/pluto/pgp.h
deleted file mode 100644
index 514265086..000000000
--- a/src/pluto/pgp.h
+++ /dev/null
@@ -1,54 +0,0 @@
-/* Support of OpenPGP certificates
- * Copyright (C) 2002-2004 Andreas Steffen, Zuercher Hochschule Winterthur
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- *
- * RCSID $Id: pgp.h 3252 2007-10-06 21:24:50Z andreas $
- */
-
-#ifndef _PGP_H
-#define _PGP_H
-
-#include "pkcs1.h"
-/*
- * Length of PGP V3 fingerprint
- */
-#define PGP_FINGERPRINT_SIZE	MD5_DIGEST_SIZE
-
-typedef char fingerprint_t[PGP_FINGERPRINT_SIZE];
-
-/* access structure for an OpenPGP certificate */
-
-typedef struct pgpcert pgpcert_t;
-
-struct pgpcert {
-  pgpcert_t	    *next;
-  time_t	    installed;
-  int		    count;
-  chunk_t	    certificate;
-  time_t	    created;
-  time_t	    until;
-  enum pubkey_alg   pubkeyAlg;
-  chunk_t	    modulus;
-  chunk_t	    publicExponent;
-  fingerprint_t	    fingerprint;
-};
-
-extern const pgpcert_t empty_pgpcert;
-extern bool parse_pgp(chunk_t blob, pgpcert_t *cert, RSA_private_key_t *key);
-extern void share_pgpcert(pgpcert_t *cert);
-extern void select_pgpcert_id(pgpcert_t *cert, struct id *end_id);
-extern pgpcert_t* add_pgpcert(pgpcert_t *cert);
-extern void list_pgp_end_certs(bool utc);
-extern void release_pgpcert(pgpcert_t *cert);
-extern void free_pgpcert(pgpcert_t *cert);
-
-#endif /* _PGP_H */
diff --git a/src/pluto/pgpcert.c b/src/pluto/pgpcert.c
new file mode 100644
index 000000000..7fb8232d5
--- /dev/null
+++ b/src/pluto/pgpcert.c
@@ -0,0 +1,496 @@
+/* Support of OpenPGP certificates
+ * Copyright (C) 2002-2009 Andreas Steffen
+ *
+ * HSR - Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+
+#include <freeswan.h>
+
+#include <library.h>
+#include <pgp/pgp.h>
+#include <crypto/hashers/hasher.h>
+
+#include "constants.h"
+#include "defs.h"
+#include "log.h"
+#include "id.h"
+#include "pgpcert.h"
+#include "certs.h"
+#include "whack.h"
+#include "keys.h"
+
+/**
+ * Chained list of OpenPGP end certificates
+ */
+static pgpcert_t *pgpcerts   = NULL;
+
+/**
+ * Size of PGP Key ID
+ */
+#define PGP_KEYID_SIZE          8
+
+const pgpcert_t pgpcert_empty = {
+	  NULL     , /* next */
+            0  , /* version */
+			0  , /* installed */
+			0  , /* count */
+	{ NULL, 0 }, /* certificate */
+			0  , /* created */
+			0  , /* until */
+	  NULL     , /* public key */
+	  NULL       /* fingerprint */
+};
+
+
+/**
+ * Extracts the length of a PGP packet
+ */
+static size_t pgp_old_packet_length(chunk_t *blob)
+{
+	/* bits 0 and 1 define the packet length type */
+	int len_type = 0x03 & *blob->ptr++;
+
+	blob->len--;
+
+	/* len_type: 0 -> 1 byte, 1 -> 2 bytes, 2 -> 4 bytes */
+	return pgp_length(blob, (len_type == 0)? 1: len_type << 1);
+}
+
+/**
+ * Extracts PGP packet version (V3 or V4)
+ */
+static u_char pgp_version(chunk_t *blob)
+{
+	u_char version = *blob->ptr++;
+	blob->len--;
+	DBG(DBG_PARSING,
+		DBG_log("L3 - version:");
+		DBG_log("  V%d", version)
+	)
+	return version;
+}
+
+/**
+ * Parse OpenPGP signature packet defined in section 5.2.2 of RFC 2440
+ */
+static bool parse_pgp_signature_packet(chunk_t *packet, pgpcert_t *cert)
+{
+	time_t created;
+	chunk_t keyid;
+	u_char  sig_type;
+	u_char version = pgp_version(packet);
+
+	/* we parse only V3 signature packets */
+	if (version != 3)
+	{
+		return TRUE;
+	}
+
+	/* size byte must have the value 5 */
+	if (pgp_length(packet, 1) != 5)
+	{
+		plog("  size must be 5");
+		return FALSE;
+	}
+
+	/* signature type - 1 byte */
+	sig_type = (u_char)pgp_length(packet, 1);
+	DBG(DBG_PARSING,
+		DBG_log("L3 - signature type:  0x%2x", sig_type)
+	)
+
+	/* creation date - 4 bytes */
+	created = (time_t)pgp_length(packet, 4);
+	DBG(DBG_PARSING,
+		DBG_log("L3 - created:");
+		DBG_log("  %T", &cert->created, TRUE)
+	)
+
+	/* key ID of signer - 8 bytes */
+	keyid.ptr = packet->ptr;
+	keyid.len = PGP_KEYID_SIZE;
+	DBG_cond_dump_chunk(DBG_PARSING, "L3 - key ID of signer", keyid);
+
+   return TRUE;
+}
+
+/**
+ * Parses the version and validity of an OpenPGP public key packet
+ */
+static bool parse_pgp_pubkey_version_validity(chunk_t *packet, pgpcert_t *cert)
+{
+	cert->version = pgp_version(packet);
+
+	if (cert->version < 3 || cert->version > 4)
+	{
+		plog("OpenPGP packet version V%d not supported", cert->version);
+		return FALSE;
+	}
+
+	/* creation date - 4 bytes */
+	cert->created = (time_t)pgp_length(packet, 4);
+	DBG(DBG_PARSING,
+		DBG_log("L3 - created:");
+		DBG_log("  %T", &cert->created, TRUE)
+	)
+
+	if (cert->version == 3)
+	{
+		/* validity in days - 2 bytes */
+		cert->until   = (time_t)pgp_length(packet, 2);
+
+		/* validity of 0 days means that the key never expires */
+		if (cert->until > 0)
+		{
+			cert->until = cert->created + 24*3600*cert->until;
+		}
+		DBG(DBG_PARSING,
+			DBG_log("L3 - until:");
+			DBG_log("  %T", &cert->until, TRUE);
+		)
+	}
+	return TRUE;
+}
+
+/**
+ * Parse OpenPGP public key packet defined in section 5.5.2 of RFC 4880
+ */
+static bool parse_pgp_pubkey_packet(chunk_t *packet, pgpcert_t *cert)
+{
+	pgp_pubkey_alg_t pubkey_alg;
+	public_key_t *key;
+
+	if (!parse_pgp_pubkey_version_validity(packet, cert))
+	{
+		return FALSE;
+	}
+
+	/* public key algorithm - 1 byte */
+	pubkey_alg = pgp_length(packet, 1);
+	DBG(DBG_PARSING,
+		DBG_log("L3 - public key algorithm:");
+		DBG_log("  %N", pgp_pubkey_alg_names, pubkey_alg)
+	)
+	
+	switch (pubkey_alg)
+	{
+		case PGP_PUBKEY_ALG_RSA:
+		case PGP_PUBKEY_ALG_RSA_SIGN_ONLY:
+			key = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
+												 BUILD_BLOB_PGP, *packet,
+												 BUILD_END);
+			if (key == NULL)
+			{
+				return FALSE;
+			}
+			cert->public_key = key;
+
+			if (cert->version == 3)
+			{
+				cert->fingerprint = key->get_id(key, ID_KEY_ID);
+				if (cert->fingerprint == NULL)
+				{
+					return FALSE;
+				}
+			}
+			else
+			{
+				plog("  computation of V4 key ID not implemented yet");
+				return FALSE;
+			}
+			break;
+	 	default:
+			plog("  non RSA public keys not supported");
+			return FALSE;
+	}
+	return TRUE;
+}
+
+/*
+ * Parse OpenPGP secret key packet defined in section 5.5.3 of RFC 4880
+ */
+static bool parse_pgp_secretkey_packet(chunk_t *packet, private_key_t **key)
+{
+	pgp_pubkey_alg_t pubkey_alg;
+	pgpcert_t cert = pgpcert_empty;
+
+	if (!parse_pgp_pubkey_version_validity(packet, &cert))
+	{
+		return FALSE;
+	}
+
+	/* public key algorithm - 1 byte */
+	pubkey_alg = pgp_length(packet, 1);
+	DBG(DBG_PARSING,
+		DBG_log("L3 - public key algorithm:");
+		DBG_log("  %N", pgp_pubkey_alg_names, pubkey_alg)
+	)
+	
+	switch (pubkey_alg)
+	{
+		case PGP_PUBKEY_ALG_RSA:
+		case PGP_PUBKEY_ALG_RSA_SIGN_ONLY:
+			*key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+												  BUILD_BLOB_PGP, *packet,
+												  BUILD_END);
+			break;
+	 	default:
+			plog("  non RSA private keys not supported");
+			return FALSE;
+	}
+	return (*key != NULL);
+}
+
+bool parse_pgp(chunk_t blob, pgpcert_t *cert, private_key_t **key)
+{
+	DBG(DBG_PARSING,
+		DBG_log("L0 - PGP file:")
+	)
+	DBG_cond_dump_chunk(DBG_RAW, "", blob);
+
+	if (cert != NULL)
+	{
+		/* parse a PGP certificate file */
+		cert->certificate = blob;
+		time(&cert->installed);
+	}
+	else if (key == NULL)
+	{
+		/* should not occur, nothing to parse */
+		return FALSE;
+	}
+
+	while (blob.len > 0)
+	{
+		chunk_t packet = chunk_empty;
+		u_char packet_tag = *blob.ptr;
+
+		DBG(DBG_PARSING,
+			DBG_log("L1 - PGP packet:  tag= 0x%2x", packet_tag)
+		)
+
+		/* bit 7 must be set */
+		if (!(packet_tag & 0x80))
+		{
+			plog("  incorrect Packet Tag");
+			return FALSE;
+		}
+
+		/* bit 6 set defines new packet format */
+		if (packet_tag & 0x40)
+		{
+			plog("  new PGP packet format not supported");
+			return FALSE;
+		}
+		else
+		{
+			int packet_type = (packet_tag & 0x3C) >> 2;
+
+			packet.len = pgp_old_packet_length(&blob);
+			packet.ptr = blob.ptr;
+			blob.ptr += packet.len;
+			blob.len -= packet.len;
+			DBG(DBG_PARSING,
+				DBG_log("  %N (%d), old format, %u bytes",
+						pgp_packet_tag_names, packet_type,
+						packet_type, packet.len);
+				DBG_log("L2 - body:")
+			)
+			DBG_cond_dump_chunk(DBG_RAW, "", packet);
+
+			if (cert != NULL)
+			{
+				/* parse a PGP certificate */
+				switch (packet_type)
+				{
+					case PGP_PKT_PUBLIC_KEY:
+						if (!parse_pgp_pubkey_packet(&packet, cert))
+						{
+							return FALSE;
+						}
+						break;
+					case PGP_PKT_SIGNATURE:
+						if (!parse_pgp_signature_packet(&packet, cert))
+						{
+							return FALSE;
+						}
+						break;
+					case PGP_PKT_USER_ID:
+						DBG(DBG_PARSING,
+							DBG_log("L3 - user ID:");
+							DBG_log("  '%.*s'", (int)packet.len, packet.ptr)
+						)
+						break;
+					default:
+						break;
+				}
+			}
+			else
+			{
+				/* parse a PGP private key file */
+				switch (packet_type)
+				{
+					case PGP_PKT_SECRET_KEY:
+						if (!parse_pgp_secretkey_packet(&packet, key))
+						{
+							return FALSE;
+						}
+						break;
+					case PGP_PKT_USER_ID:
+						DBG(DBG_PARSING,
+							DBG_log("L3 - user ID:");
+							DBG_log("  '%.*s'", (int)packet.len, packet.ptr)
+						)
+						break;
+					default:
+						break;
+				}
+
+			}
+		}
+	}
+	return TRUE;
+}
+
+/**
+ *  Compare two OpenPGP certificates
+ */
+static bool same_pgpcert(pgpcert_t *a, pgpcert_t *b)
+{
+	return a->certificate.len == b->certificate.len &&
+		memeq(a->certificate.ptr, b->certificate.ptr, b->certificate.len);
+}
+
+/**
+ * For each link pointing to the certificate increase the count by one
+ */
+void share_pgpcert(pgpcert_t *cert)
+{
+	if (cert != NULL)
+	{
+		cert->count++;
+	}
+}
+
+/**
+ * Select the OpenPGP keyid as ID
+ */
+void select_pgpcert_id(pgpcert_t *cert, struct id *end_id)
+{
+	end_id->kind = ID_KEY_ID;
+	end_id->name = cert->fingerprint->get_encoding(cert->fingerprint);
+}
+
+/**
+ *  Add an OpenPGP user/host certificate to the chained list
+ */
+pgpcert_t* add_pgpcert(pgpcert_t *cert)
+{
+	pgpcert_t *c = pgpcerts;
+
+	while (c != NULL)
+	{
+		if (same_pgpcert(c, cert)) /* already in chain, free cert */
+		{
+			free_pgpcert(cert);
+			return c;
+		}
+		c = c->next;
+	}
+
+	/* insert new cert at the root of the chain */
+	cert->next = pgpcerts;
+	pgpcerts = cert;
+	DBG(DBG_CONTROL | DBG_PARSING,
+		DBG_log("  pgp cert inserted")
+	)
+	return cert;
+}
+
+/**
+ *  Release of a certificate decreases the count by one.
+ *  The certificate is freed when the counter reaches zero
+ */
+void release_pgpcert(pgpcert_t *cert)
+{
+	if (cert != NULL && --cert->count == 0)
+	{
+		pgpcert_t **pp = &pgpcerts;
+		while (*pp != cert)
+		{
+			pp = &(*pp)->next;
+		}
+		*pp = cert->next;
+		free_pgpcert(cert);
+	}
+}
+
+/**
+ *  Free a PGP certificate
+ */
+void free_pgpcert(pgpcert_t *cert)
+{
+	if (cert != NULL)
+	{
+		DESTROY_IF(cert->public_key);
+		DESTROY_IF(cert->fingerprint);
+		free(cert->certificate.ptr);
+		free(cert);
+	}
+}
+
+/**
+ *  List all PGP end certificates in a chained list
+ */
+void list_pgp_end_certs(bool utc)
+{
+   pgpcert_t *cert = pgpcerts;
+   time_t now;
+
+	/* determine the current time */
+	time(&now);
+
+	if (cert != NULL)
+	{
+		whack_log(RC_COMMENT, " ");
+		whack_log(RC_COMMENT, "List of PGP End certificates:");
+		whack_log(RC_COMMENT, " ");
+	}
+
+	while (cert != NULL)
+	{
+		public_key_t *key = cert->public_key;
+		cert_t c;
+
+		c.type = CERT_PGP;
+		c.u.pgp = cert;
+
+		whack_log(RC_COMMENT, "%T, count: %d", &cert->installed, utc, cert->count);
+		whack_log(RC_COMMENT, "       digest:   %Y", cert->fingerprint);
+		whack_log(RC_COMMENT, "       created:  %T", &cert->created, utc);
+		whack_log(RC_COMMENT, "       until:    %T %s", &cert->until, utc,
+				check_expiry(cert->until, CA_CERT_WARNING_INTERVAL, TRUE));
+		whack_log(RC_COMMENT, "       pubkey:   %N %4d bits%s",
+				key_type_names, key->get_type(key),
+				key->get_keysize(key) * BITS_PER_BYTE,				
+				has_private_key(c)? ", has private key" : "");
+		whack_log(RC_COMMENT, "       keyid:    %Y",
+				key->get_id(key, ID_PUBKEY_INFO_SHA1));
+		cert = cert->next;
+	}
+}
+
diff --git a/src/pluto/pgpcert.h b/src/pluto/pgpcert.h
new file mode 100644
index 000000000..727648391
--- /dev/null
+++ b/src/pluto/pgpcert.h
@@ -0,0 +1,56 @@
+/* Support of OpenPGP certificates
+ * Copyright (C) 2002-2009 Andreas Steffen
+ *
+ * HSR - Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef _PGPCERT_H
+#define _PGPCERT_H
+
+#include <crypto/hashers/hasher.h>
+#include <credentials/keys/private_key.h>
+#include <credentials/keys/public_key.h>
+
+/*
+ * Length of PGP V3 fingerprint
+ */
+#define PGP_FINGERPRINT_SIZE    HASH_SIZE_MD5
+
+typedef char fingerprint_t[PGP_FINGERPRINT_SIZE];
+
+/* access structure for an OpenPGP certificate */
+
+typedef struct pgpcert pgpcert_t;
+
+struct pgpcert {
+	pgpcert_t        *next;
+	int              version;
+	time_t           installed;
+	int              count;
+	chunk_t          certificate;
+	time_t           created;
+	time_t           until;
+	public_key_t     *public_key;
+	identification_t *fingerprint;
+};
+
+extern const pgpcert_t pgpcert_empty;
+extern bool parse_pgp(chunk_t blob, pgpcert_t *cert, private_key_t **key);
+extern void share_pgpcert(pgpcert_t *cert);
+extern void select_pgpcert_id(pgpcert_t *cert, struct id *end_id);
+extern pgpcert_t* add_pgpcert(pgpcert_t *cert);
+extern void list_pgp_end_certs(bool utc);
+extern void release_pgpcert(pgpcert_t *cert);
+extern void free_pgpcert(pgpcert_t *cert);
+
+#endif /* _PGPCERT_H */
diff --git a/src/pluto/pkcs1.c b/src/pluto/pkcs1.c
deleted file mode 100644
index 49a06a8bc..000000000
--- a/src/pluto/pkcs1.c
+++ /dev/null
@@ -1,676 +0,0 @@
-/* Support of PKCS#1 private key data structures
- * Copyright (C) 2005 Jan Hutter, Martin Willi
- * Copyright (C) 2002-2005 Andreas Steffen
- * Hochschule fuer Technik Rapperswil, Switzerland
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- *
- * RCSID $Id: pkcs1.c 3427 2008-01-27 20:17:15Z andreas $
- */
-
-#include <stddef.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include <freeswan.h>
-#include <libsha2/sha2.h>
-
-#include "constants.h"
-#include "defs.h"
-#include "mp_defs.h"
-#include "asn1.h"
-#include <asn1/oid.h>
-#include "log.h"
-#include "pkcs1.h"
-#include "md2.h"
-#include "md5.h"
-#include "sha1.h"
-#include "rnd.h"
-
-const struct fld RSA_private_field[] =
-{
-    { "Modulus",         offsetof(RSA_private_key_t, pub.n) },
-    { "PublicExponent",  offsetof(RSA_private_key_t, pub.e) },
-
-    { "PrivateExponent", offsetof(RSA_private_key_t, d) },
-    { "Prime1",          offsetof(RSA_private_key_t, p) },
-    { "Prime2",          offsetof(RSA_private_key_t, q) },
-    { "Exponent1",       offsetof(RSA_private_key_t, dP) },
-    { "Exponent2",       offsetof(RSA_private_key_t, dQ) },
-    { "Coefficient",     offsetof(RSA_private_key_t, qInv) },
-};
-
-/* ASN.1 definition of a PKCS#1 RSA private key */
-
-static const asn1Object_t privkeyObjects[] = {
-  { 0, "RSAPrivateKey",			ASN1_SEQUENCE,     ASN1_NONE }, /*  0 */
-  { 1,   "version",			ASN1_INTEGER,      ASN1_BODY }, /*  1 */
-  { 1,   "modulus",			ASN1_INTEGER,      ASN1_BODY }, /*  2 */
-  { 1,   "publicExponent",		ASN1_INTEGER,      ASN1_BODY }, /*  3 */
-  { 1,   "privateExponent",		ASN1_INTEGER,      ASN1_BODY }, /*  4 */
-  { 1,   "prime1",			ASN1_INTEGER,      ASN1_BODY }, /*  5 */
-  { 1,   "prime2",			ASN1_INTEGER,      ASN1_BODY }, /*  6 */
-  { 1,   "exponent1",			ASN1_INTEGER,      ASN1_BODY }, /*  7 */
-  { 1,   "exponent2",			ASN1_INTEGER,      ASN1_BODY }, /*  8 */
-  { 1,   "coefficient",			ASN1_INTEGER,      ASN1_BODY }, /*  9 */
-  { 1,   "otherPrimeInfos",		ASN1_SEQUENCE,     ASN1_OPT |
-							   ASN1_LOOP }, /* 10 */
-  { 2,     "otherPrimeInfo",		ASN1_SEQUENCE,     ASN1_NONE }, /* 11 */
-  { 3,       "prime",			ASN1_INTEGER,      ASN1_BODY }, /* 12 */
-  { 3,       "exponent",		ASN1_INTEGER,      ASN1_BODY }, /* 13 */
-  { 3,       "coefficient",		ASN1_INTEGER,      ASN1_BODY }, /* 14 */
-  { 1,   "end opt or loop",		ASN1_EOC,          ASN1_END  }  /* 15 */
-};
-
-#define PKCS1_PRIV_KEY_VERSION		 1
-#define PKCS1_PRIV_KEY_MODULUS		 2
-#define PKCS1_PRIV_KEY_PUB_EXP		 3
-#define PKCS1_PRIV_KEY_COEFF		 9
-#define PKCS1_PRIV_KEY_ROOF		16
-
-
-/*
- * forms the FreeS/WAN keyid from the public exponent e and modulus n
- */
-void
-form_keyid(chunk_t e, chunk_t n, char* keyid, unsigned *keysize)
-{
-    /* eliminate leading zero bytes in modulus from ASN.1 coding */
-    while (n.len > 1 && *n.ptr == 0x00)
-    {
-	n.ptr++;  n.len--;
-    }
-
-    /* form the FreeS/WAN keyid */
-    keyid[0] = '\0';	/* in case of splitkeytoid failure */
-    splitkeytoid(e.ptr, e.len, n.ptr, n.len, keyid, KEYID_BUF);
-
-    /* return the RSA modulus size in octets */
-    *keysize = n.len;
-}
-
-/*
- * initialize an RSA_public_key_t object
- */
-void
-init_RSA_public_key(RSA_public_key_t *rsa, chunk_t e, chunk_t n)
-{
-    n_to_mpz(&rsa->e, e.ptr, e.len);
-    n_to_mpz(&rsa->n, n.ptr, n.len);
-
-    form_keyid(e, n, rsa->keyid, &rsa->k);
-}
-
-#ifdef DEBUG
-static void
-RSA_show_key_fields(RSA_private_key_t *k, int fieldcnt)
-{
-    const struct fld *p;
-
-    DBG_log(" keyid: *%s", k->pub.keyid);
-
-    for (p = RSA_private_field; p < &RSA_private_field[fieldcnt]; p++)
-    {
-	MP_INT *n = (MP_INT *) ((char *)k + p->offset);
-	size_t sz = mpz_sizeinbase(n, 16);
-	char buf[RSA_MAX_OCTETS * 2 + 2];	/* ought to be big enough */
-
-	passert(sz <= sizeof(buf));
-	mpz_get_str(buf, 16, n);
-
-	DBG_log(" %s: 0x%s", p->name, buf);
-    }
-}
-
-/* debugging info that compromises security! */
-void
-RSA_show_private_key(RSA_private_key_t *k)
-{
-    RSA_show_key_fields(k, elemsof(RSA_private_field));
-}
-
-void
-RSA_show_public_key(RSA_public_key_t *k)
-{
-    /* Kludge: pretend that it is a private key, but only display the
-     * first two fields (which are the public key).
-     */
-    passert(offsetof(RSA_private_key_t, pub) == 0);
-    RSA_show_key_fields((RSA_private_key_t *)k, 2);
-}
-#endif
-
-err_t
-RSA_private_key_sanity(RSA_private_key_t *k)
-{
-    /* note that the *last* error found is reported */
-    err_t ugh = NULL;
-    mpz_t t, u, q1;
-
-#ifdef DEBUG	/* debugging info that compromises security */
-    DBG(DBG_PRIVATE, RSA_show_private_key(k));
-#endif
-
-    /* PKCS#1 1.5 section 6 requires modulus to have at least 12 octets.
-     * We actually require more (for security).
-     */
-    if (k->pub.k < RSA_MIN_OCTETS)
-	return RSA_MIN_OCTETS_UGH;
-
-    /* we picked a max modulus size to simplify buffer allocation */
-    if (k->pub.k > RSA_MAX_OCTETS)
-	return RSA_MAX_OCTETS_UGH;
-
-    mpz_init(t);
-    mpz_init(u);
-    mpz_init(q1);
-
-    /* check that n == p * q */
-    mpz_mul(u, &k->p, &k->q);
-    if (mpz_cmp(u, &k->pub.n) != 0)
-	ugh = "n != p * q";
-
-    /* check that e divides neither p-1 nor q-1 */
-    mpz_sub_ui(t, &k->p, 1);
-    mpz_mod(t, t, &k->pub.e);
-    if (mpz_cmp_ui(t, 0) == 0)
-	ugh = "e divides p-1";
-
-    mpz_sub_ui(t, &k->q, 1);
-    mpz_mod(t, t, &k->pub.e);
-    if (mpz_cmp_ui(t, 0) == 0)
-	ugh = "e divides q-1";
-
-    /* check that d is e^-1 (mod lcm(p-1, q-1)) */
-    /* see PKCS#1v2, aka RFC 2437, for the "lcm" */
-    mpz_sub_ui(q1, &k->q, 1);
-    mpz_sub_ui(u, &k->p, 1);
-    mpz_gcd(t, u, q1);		/* t := gcd(p-1, q-1) */
-    mpz_mul(u, u, q1);		/* u := (p-1) * (q-1) */
-    mpz_divexact(u, u, t);	/* u := lcm(p-1, q-1) */
-
-    mpz_mul(t, &k->d, &k->pub.e);
-    mpz_mod(t, t, u);
-    if (mpz_cmp_ui(t, 1) != 0)
-	ugh = "(d * e) mod (lcm(p-1, q-1)) != 1";
-
-    /* check that dP is d mod (p-1) */
-    mpz_sub_ui(u, &k->p, 1);
-    mpz_mod(t, &k->d, u);
-    if (mpz_cmp(t, &k->dP) != 0)
-	ugh = "dP is not congruent to d mod (p-1)";
-
-    /* check that dQ is d mod (q-1) */
-    mpz_sub_ui(u, &k->q, 1);
-    mpz_mod(t, &k->d, u);
-    if (mpz_cmp(t, &k->dQ) != 0)
-	ugh = "dQ is not congruent to d mod (q-1)";
-
-    /* check that qInv is (q^-1) mod p */
-    mpz_mul(t, &k->qInv, &k->q);
-    mpz_mod(t, t, &k->p);
-    if (mpz_cmp_ui(t, 1) != 0)
-	ugh = "qInv is not conguent ot (q^-1) mod p";
-
-    mpz_clear(t);
-    mpz_clear(u);
-    mpz_clear(q1);
-    return ugh;
-}
-
-/*
- * Check the equality of two RSA public keys
- */
-bool
-same_RSA_public_key(const RSA_public_key_t *a, const RSA_public_key_t *b)
-{
-    return a == b
-    || (a->k == b->k && mpz_cmp(&a->n, &b->n) == 0 && mpz_cmp(&a->e, &b->e) == 0);
-}
-
-/*
- *  Parses a PKCS#1 private key
- */
-bool
-pkcs1_parse_private_key(chunk_t blob, RSA_private_key_t *key)
-{
-    err_t ugh = NULL;
-    asn1_ctx_t ctx;
-    chunk_t object, modulus, exp;
-    u_int level;
-    int objectID = 0;
-
-    asn1_init(&ctx, blob, 0, FALSE, DBG_PRIVATE);
-
-    while (objectID < PKCS1_PRIV_KEY_ROOF) {
-
-	if (!extract_object(privkeyObjects, &objectID, &object, &level, &ctx))
-	     return FALSE;
-
-	if (objectID == PKCS1_PRIV_KEY_VERSION)
-	{
-	    if (object.len > 0 && *object.ptr != 0)
-	    {
-		plog("  wrong PKCS#1 private key version");
-		return FALSE;
-	    }
-	}
-	else if (objectID >= PKCS1_PRIV_KEY_MODULUS &&
-		 objectID <= PKCS1_PRIV_KEY_COEFF)
-	{
-	    MP_INT *u = (MP_INT *) ((char *)key
-		+ RSA_private_field[objectID - PKCS1_PRIV_KEY_MODULUS].offset);
-
-	    n_to_mpz(u, object.ptr, object.len);
-
-	    if (objectID == PKCS1_PRIV_KEY_MODULUS)
-		modulus = object;
-	    else if (objectID == PKCS1_PRIV_KEY_PUB_EXP)
-		exp = object;
-	}
-	objectID++;
-    }
-    form_keyid(exp, modulus, key->pub.keyid, &key->pub.k);
-    ugh = RSA_private_key_sanity(key);
-    return (ugh == NULL);
-}
-
-/*
- *  compute a digest over a binary blob
- */
-bool
-compute_digest(chunk_t tbs, int alg, chunk_t *digest)
-{
-    switch (alg)
-    {
-    case OID_MD2:
-    case OID_MD2_WITH_RSA:
-	{
-	    MD2_CTX context;
-
-	    MD2Init(&context);
-	    MD2Update(&context, tbs.ptr, tbs.len);
-	    MD2Final(digest->ptr, &context);
-	    digest->len = MD2_DIGEST_SIZE;
-	    return TRUE;
-	}
-     case OID_MD5:
-     case OID_MD5_WITH_RSA:
-	{
-	    MD5_CTX context;
-
-	    MD5Init(&context);
-	    MD5Update(&context, tbs.ptr, tbs.len);
-	    MD5Final(digest->ptr, &context);
-	    digest->len = MD5_DIGEST_SIZE;
-	    return TRUE;
-	}
-     case OID_SHA1:
-     case OID_SHA1_WITH_RSA:
-     case OID_SHA1_WITH_RSA_OIW:
-	{
-	    SHA1_CTX context;
-
-	    SHA1Init(&context);
-	    SHA1Update(&context, tbs.ptr, tbs.len);
-	    SHA1Final(digest->ptr, &context);
-	    digest->len = SHA1_DIGEST_SIZE;
-	    return TRUE;
-	}
-     case OID_SHA256:
-     case OID_SHA256_WITH_RSA:
-	{
-	    sha256_context context;
-
-	    sha256_init(&context);
-	    sha256_write(&context, tbs.ptr, tbs.len);
-	    sha256_final(&context);
-	    memcpy(digest->ptr, context.sha_out, SHA2_256_DIGEST_SIZE);
-	    digest->len = SHA2_256_DIGEST_SIZE;
-	    return TRUE;
-	}
-     case OID_SHA384:
-     case OID_SHA384_WITH_RSA:
-	{
-	    sha512_context context;
-
-	    sha384_init(&context);
-	    sha512_write(&context, tbs.ptr, tbs.len);
-	    sha512_final(&context);
-	    memcpy(digest->ptr, context.sha_out, SHA2_384_DIGEST_SIZE);
-	    digest->len = SHA2_384_DIGEST_SIZE;
-	    return TRUE;
-	}
-     case OID_SHA512:
-     case OID_SHA512_WITH_RSA:
-	{
-	    sha512_context context;
-
-	    sha512_init(&context);
-	    sha512_write(&context, tbs.ptr, tbs.len);
-	    sha512_final(&context);
-	    memcpy(digest->ptr, context.sha_out, SHA2_512_DIGEST_SIZE);
-	    digest->len = SHA2_512_DIGEST_SIZE;
-	    return TRUE;
-	}
-     default:
-	digest->len = 0;
-	return FALSE;
-    }
-}
-
-/*
- * compute an RSA signature with PKCS#1 padding
- */
-void
-sign_hash(const RSA_private_key_t *k, const u_char *hash_val, size_t hash_len
-    , u_char *sig_val, size_t sig_len)
-{
-    chunk_t ch;
-    mpz_t t1, t2;
-    size_t padlen;
-    u_char *p = sig_val;
-
-    DBG(DBG_CONTROL | DBG_CRYPT,
-	DBG_log("signing hash with RSA Key *%s", k->pub.keyid)
-    )
-    /* PKCS#1 v1.5 8.1 encryption-block formatting */
-    *p++ = 0x00;
-    *p++ = 0x01;	/* BT (block type) 01 */
-    padlen = sig_len - 3 - hash_len;
-    memset(p, 0xFF, padlen);
-    p += padlen;
-    *p++ = 0x00;
-    memcpy(p, hash_val, hash_len);
-    passert(p + hash_len - sig_val == (ptrdiff_t)sig_len);
-
-    /* PKCS#1 v1.5 8.2 octet-string-to-integer conversion */
-    n_to_mpz(t1, sig_val, sig_len);	/* (could skip leading 0x00) */
-
-    /* PKCS#1 v1.5 8.3 RSA computation y = x^c mod n
-     * Better described in PKCS#1 v2.0 5.1 RSADP.
-     * There are two methods, depending on the form of the private key.
-     * We use the one based on the Chinese Remainder Theorem.
-     */
-    mpz_init(t2);
-
-    mpz_powm(t2, t1, &k->dP, &k->p);	/* m1 = c^dP mod p */
-
-    mpz_powm(t1, t1, &k->dQ, &k->q);	/* m2 = c^dQ mod Q */
-
-    mpz_sub(t2, t2, t1);	/* h = qInv (m1 - m2) mod p */
-    mpz_mod(t2, t2, &k->p);
-    mpz_mul(t2, t2, &k->qInv);
-    mpz_mod(t2, t2, &k->p);
-
-    mpz_mul(t2, t2, &k->q);	/* m = m2 + h q */
-    mpz_add(t1, t1, t2);
-
-    /* PKCS#1 v1.5 8.4 integer-to-octet-string conversion */
-    ch = mpz_to_n(t1, sig_len);
-    memcpy(sig_val, ch.ptr, sig_len);
-    pfree(ch.ptr);
-
-    mpz_clear(t1);
-    mpz_clear(t2);
-}
-
-/*
- * encrypt data with an RSA public key after padding
- */
-chunk_t
-RSA_encrypt(const RSA_public_key_t *key, chunk_t in)
-{
-    u_char padded[RSA_MAX_OCTETS];
-    u_char *pos = padded;
-    int padding = key->k - in.len - 3;
-    int i;
-
-    if (padding < 8 || key->k > RSA_MAX_OCTETS)
-	return empty_chunk;
-
-    /* add padding according to PKCS#1 7.2.1 1.+2. */
-    *pos++ = 0x00;
-    *pos++ = 0x02;
-
-    /* pad with pseudo random bytes unequal to zero */
-    for (i = 0; i < padding; i++)
-    {
-	get_rnd_bytes(pos, padding);
-	while (!*pos)
-	{
-	    get_rnd_bytes(pos, 1);
-	}
-	pos++;
-    }
-
-    /* append the padding terminator */
-    *pos++ = 0x00;
-
-    /* now add the data */
-    memcpy(pos, in.ptr, in.len);
-    DBG(DBG_RAW,
-	DBG_dump_chunk("data for rsa encryption:\n", in);
-	DBG_dump("padded data for rsa encryption:\n", padded, key->k)
-    )
-
-    /* convert chunk to integer (PKCS#1 7.2.1 3.a) */
-    {
-	chunk_t out;
-	mpz_t m, c;
-
-	mpz_init(c);
-	n_to_mpz(m, padded, key->k);
-
-	/* encrypt(PKCS#1 7.2.1 3.b) */
-	mpz_powm(c, m, &key->e, &key->n);
-
-	/* convert integer back to a chunk (PKCS#1 7.2.1 3.c) */
-	out = mpz_to_n(c, key->k);
-	mpz_clear(c);
-	mpz_clear(m);
-
-	DBG(DBG_RAW,
-	    DBG_dump_chunk("rsa encrypted data:\n", out)
-	)
-	return out;
-    }
-}
-
-/*
- * decrypt data with an RSA private key and remove padding
- */
-bool
-RSA_decrypt(const RSA_private_key_t *key, chunk_t in, chunk_t *out)
-{
-    chunk_t padded;
-    u_char *pos;
-    mpz_t t1, t2;
-
-    n_to_mpz(t1, in.ptr,in.len);
-
-    /* PKCS#1 v1.5 8.3 RSA computation y = x^c mod n
-     * Better described in PKCS#1 v2.0 5.1 RSADP.
-     * There are two methods, depending on the form of the private key.
-     * We use the one based on the Chinese Remainder Theorem.
-     */
-    mpz_init(t2);
-
-    mpz_powm(t2, t1, &key->dP, &key->p);	/* m1 = c^dP mod p */
-    mpz_powm(t1, t1, &key->dQ, &key->q);	/* m2 = c^dQ mod Q */
-
-    mpz_sub(t2, t2, t1);	/* h = qInv (m1 - m2) mod p */
-    mpz_mod(t2, t2, &key->p);
-    mpz_mul(t2, t2, &key->qInv);
-    mpz_mod(t2, t2, &key->p);
-
-    mpz_mul(t2, t2, &key->q);	/* m = m2 + h q */
-    mpz_add(t1, t1, t2);
-
-    padded = mpz_to_n(t1, key->pub.k);
-    mpz_clear(t1);
-    mpz_clear(t2);
-
-    DBG(DBG_PRIVATE,
-	DBG_dump_chunk("rsa decrypted data with padding:\n", padded)
-    )
-    pos = padded.ptr;
-
-    /* PKCS#1 v1.5 8.1 encryption-block formatting (EB = 00 || 02 || PS || 00 || D) */
-
-    /* check for hex pattern 00 02 in decrypted message */
-    if ((*pos++ != 0x00) || (*(pos++) != 0x02))
-    {
-	plog("incorrect padding - probably wrong RSA key");
-	freeanychunk(padded);
-	return FALSE;
-    }
-    padded.len -= 2;
-
-    /* the plaintext data starts after first 0x00 byte */
-    while (padded.len-- > 0 && *pos++ != 0x00)
-
-    if (padded.len == 0)
-    {
-	plog("no plaintext data");
-	freeanychunk(padded);
-	return FALSE;
-    }
-
-    clonetochunk(*out, pos, padded.len, "decrypted data");
-    freeanychunk(padded);
-    return TRUE;
-}
-
-/*
- * build signatureValue
- */
-chunk_t
-pkcs1_build_signature(chunk_t tbs, int hash_alg, const RSA_private_key_t *key
-, bool bit_string)
-{
-
-    size_t siglen = key->pub.k;
-
-    u_char digest_buf[MAX_DIGEST_LEN];
-    chunk_t digest = { digest_buf, MAX_DIGEST_LEN };
-    chunk_t digestInfo, alg_id, signatureValue;
-    u_char *pos;
-
-    switch (hash_alg)
-    {
-    case OID_MD5:
-    case OID_MD5_WITH_RSA:
-	alg_id = ASN1_md5_id;
-	break;
-    case OID_SHA1:
-    case OID_SHA1_WITH_RSA:
-	alg_id = ASN1_sha1_id;
-	break;
-    default:
-	return empty_chunk;
-    }
-    compute_digest(tbs, hash_alg, &digest);
-
-    /* according to PKCS#1 v2.1 digest must be packaged into
-     * an ASN.1 structure for encryption
-     */
-    digestInfo = asn1_wrap(ASN1_SEQUENCE, "cm"
-		    , alg_id
-		    , asn1_simple_object(ASN1_OCTET_STRING, digest));
-
-    /* generate the RSA signature */
-    if (bit_string)
-    {
-	pos = build_asn1_object(&signatureValue, ASN1_BIT_STRING, 1 + siglen);
-	*pos++ = 0x00;
-    }
-    else
-    {
-	pos = build_asn1_object(&signatureValue, ASN1_OCTET_STRING, siglen);
-    }
-    sign_hash(key, digestInfo.ptr, digestInfo.len, pos, siglen);
-    pfree(digestInfo.ptr);
-
-    return signatureValue;
-}
-
-/*
- * build a DER-encoded PKCS#1 private key object
- */
-chunk_t
-pkcs1_build_private_key(const RSA_private_key_t *key)
-{
-    chunk_t pkcs1 = asn1_wrap(ASN1_SEQUENCE, "cmmmmmmmm"
-			, ASN1_INTEGER_0
-			, asn1_integer_from_mpz(&key->pub.n)
-			, asn1_integer_from_mpz(&key->pub.e)
-			, asn1_integer_from_mpz(&key->d)
-			, asn1_integer_from_mpz(&key->p)
-			, asn1_integer_from_mpz(&key->q)
-			, asn1_integer_from_mpz(&key->dP)
-			, asn1_integer_from_mpz(&key->dQ)
-			, asn1_integer_from_mpz(&key->qInv));
-
-    DBG(DBG_PRIVATE,
-	DBG_dump_chunk("PKCS#1 encoded private key:", pkcs1)
-    )
-    return pkcs1;
-}
-
-/*
- * build a DER-encoded PKCS#1 public key object
- */
-chunk_t
-pkcs1_build_public_key(const RSA_public_key_t *rsa)
-{
-    return asn1_wrap(ASN1_SEQUENCE, "mm"
-		, asn1_integer_from_mpz(&rsa->n)
-		, asn1_integer_from_mpz(&rsa->e));
-}
-
-/*
- * build a DER-encoded publicKeyInfo object
- */
-chunk_t
-pkcs1_build_publicKeyInfo(const RSA_public_key_t *rsa)
-{
-    chunk_t publicKey;
-    chunk_t rawKey = pkcs1_build_public_key(rsa);
-
-    u_char *pos = build_asn1_object(&publicKey, ASN1_BIT_STRING
-			, 1 + rawKey.len);
-    *pos++ = 0x00;
-    mv_chunk(&pos, rawKey);
-
-    return asn1_wrap(ASN1_SEQUENCE, "cm"
-		, ASN1_rsaEncryption_id
-		, publicKey);	
-}
-void
-free_RSA_public_content(RSA_public_key_t *rsa)
-{
-    mpz_clear(&rsa->n);
-    mpz_clear(&rsa->e);
-}
-
-void
-free_RSA_private_content(RSA_private_key_t *rsak)
-{
-    free_RSA_public_content(&rsak->pub);
-    mpz_clear(&rsak->d);
-    mpz_clear(&rsak->p);
-    mpz_clear(&rsak->q);
-    mpz_clear(&rsak->dP);
-    mpz_clear(&rsak->dQ);
-    mpz_clear(&rsak->qInv);
-}
-
diff --git a/src/pluto/pkcs1.h b/src/pluto/pkcs1.h
deleted file mode 100644
index 16a6f02b9..000000000
--- a/src/pluto/pkcs1.h
+++ /dev/null
@@ -1,88 +0,0 @@
-/* Support of PKCS#1 private key data structures
- * Copyright (C) 2005 Jan Hutter, Martin Willi
- * Copyright (C) 2002-2005 Andreas Steffen
- * Hochschule fuer Technik Rapperswil, Switzerland
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- *
- * RCSID $Id: pkcs1.h 3252 2007-10-06 21:24:50Z andreas $
- */
-
-#ifndef _PKCS1_H
-#define _PKCS1_H
-
-#include <gmp.h>    /* GNU Multi Precision library */
-
-#include "defs.h"
-
-typedef struct RSA_public_key RSA_public_key_t;
-
-struct RSA_public_key
-{
-    char keyid[KEYID_BUF];	/* see ipsec_keyblobtoid(3) */
-
-    /* length of modulus n in octets: [RSA_MIN_OCTETS, RSA_MAX_OCTETS] */
-    unsigned k;
-
-    /* public: */
-    MP_INT
-	n,	/* modulus: p * q */
-	e;	/* exponent: relatively prime to (p-1) * (q-1) [probably small] */
-};
-
-typedef struct RSA_private_key RSA_private_key_t;
-
-struct RSA_private_key {
-    struct RSA_public_key pub;	/* must be at start for RSA_show_public_key */
-
-    MP_INT
-	d,	/* private exponent: (e^-1) mod ((p-1) * (q-1)) */
-	/* help for Chinese Remainder Theorem speedup: */
-	p,	/* first secret prime */
-	q,	/* second secret prime */
-	dP,	/* first factor's exponent: (e^-1) mod (p-1) == d mod (p-1) */
-	dQ,	/* second factor's exponent: (e^-1) mod (q-1) == d mod (q-1) */
-	qInv;	/* (q^-1) mod p */
-};
-
-struct fld {
-    const char *name;
-    size_t offset;
-};
-
-extern const struct fld RSA_private_field[];
-#define RSA_PRIVATE_FIELD_ELEMENTS	8
-
-extern void init_RSA_public_key(RSA_public_key_t *rsa, chunk_t e, chunk_t n);
-extern bool pkcs1_parse_private_key(chunk_t blob, RSA_private_key_t *key);
-extern chunk_t pkcs1_build_private_key(const RSA_private_key_t *key);
-extern chunk_t pkcs1_build_public_key(const RSA_public_key_t *rsa);
-extern chunk_t pkcs1_build_publicKeyInfo(const RSA_public_key_t *rsa);
-extern chunk_t pkcs1_build_signature(chunk_t tbs, int hash_alg
-    , const RSA_private_key_t *key, bool bit_string);
-extern bool compute_digest(chunk_t tbs, int alg, chunk_t *digest);
-extern void sign_hash(const RSA_private_key_t *k, const u_char *hash_val
-    , size_t hash_len, u_char *sig_val, size_t sig_len);
-extern chunk_t RSA_encrypt(const RSA_public_key_t *key, chunk_t in);
-extern bool RSA_decrypt(const RSA_private_key_t *key, chunk_t in
-    , chunk_t *out);
-extern bool same_RSA_public_key(const RSA_public_key_t *a
-    , const RSA_public_key_t *b);
-extern void form_keyid(chunk_t e, chunk_t n, char* keyid, unsigned *keysize);
-extern err_t RSA_private_key_sanity(RSA_private_key_t *k);
-#ifdef DEBUG
-extern void RSA_show_public_key(RSA_public_key_t *k);
-extern void RSA_show_private_key(RSA_private_key_t *k);
-#endif
-extern void free_RSA_public_content(RSA_public_key_t *rsa);
-extern void free_RSA_private_content(RSA_private_key_t *rsak);
-
-#endif /* _PKCS1_H */
diff --git a/src/pluto/pkcs7.c b/src/pluto/pkcs7.c
index 60636f385..7248b042f 100644
--- a/src/pluto/pkcs7.c
+++ b/src/pluto/pkcs7.c
@@ -1,7 +1,8 @@
 /* Support of PKCS#7 data structures
  * Copyright (C) 2005 Jan Hutter, Martin Willi
- * Copyright (C) 2002-2005 Andreas Steffen
- * Hochschule fuer Technik Rapperswil, Switzerland
+ * Copyright (C) 2002-2009 Andreas Steffen
+ *
+ * HSR Hochschule fuer Technik Rapperswil, Switzerland
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -12,564 +13,562 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: pkcs7.c 3252 2007-10-06 21:24:50Z andreas $
  */
 
 #include <stdlib.h>
 #include <string.h>
-#include <libdes/des.h>
 
 #include <freeswan.h>
 
+#include <library.h>
+#include <debug.h>
+#include <asn1/asn1.h>
+#include <asn1/asn1_parser.h>
+#include <asn1/oid.h>
+#include <crypto/rngs/rng.h>
+#include <crypto/crypters/crypter.h>
+
 #include "constants.h"
 #include "defs.h"
-#include "asn1.h"
-#include <asn1/oid.h>
-#include "log.h"
 #include "x509.h"
 #include "certs.h"
 #include "pkcs7.h"
-#include "rnd.h"
 
 const contentInfo_t empty_contentInfo = {
-    OID_UNKNOWN , /* type */
-    { NULL, 0 }   /* content */
+	OID_UNKNOWN , /* type */
+	{ NULL, 0 }   /* content */
 };
 
-/* ASN.1 definition of the PKCS#7 ContentInfo type */
-
+/**
+ * ASN.1 definition of the PKCS#7 ContentInfo type
+ */
 static const asn1Object_t contentInfoObjects[] = {
-  { 0, "contentInfo",			ASN1_SEQUENCE,     ASN1_NONE }, /*  0 */
-  { 1,   "contentType",			ASN1_OID,          ASN1_BODY }, /*  1 */
-  { 1,   "content",			ASN1_CONTEXT_C_0,  ASN1_OPT |
-							   ASN1_BODY }, /*  2 */
-  { 1,   "end opt",			ASN1_EOC,	   ASN1_END  }  /*  3 */
+	{ 0, "contentInfo",                     ASN1_SEQUENCE,     ASN1_NONE          }, /*  0 */
+	{ 1,   "contentType",                   ASN1_OID,          ASN1_BODY          }, /*  1 */
+	{ 1,   "content",                       ASN1_CONTEXT_C_0,  ASN1_OPT|ASN1_BODY }, /*  2 */
+	{ 1,   "end opt",                       ASN1_EOC,          ASN1_END           }, /*  3 */
+	{ 0, "exit",                            ASN1_EOC,          ASN1_EXIT          }
 };
+#define PKCS7_INFO_TYPE         1
+#define PKCS7_INFO_CONTENT      2
 
-#define PKCS7_INFO_TYPE		1
-#define PKCS7_INFO_CONTENT	2
-#define PKCS7_INFO_ROOF		4
-
-/* ASN.1 definition of the PKCS#7 signedData type */
-
+/**
+ * ASN.1 definition of the PKCS#7 signedData type
+ */
 static const asn1Object_t signedDataObjects[] = {
-  { 0, "signedData",			  ASN1_SEQUENCE,     ASN1_NONE }, /*  0 */
-  { 1,   "version",			  ASN1_INTEGER,      ASN1_BODY }, /*  1 */
-  { 1,   "digestAlgorithms",		  ASN1_SET,          ASN1_LOOP }, /*  2 */
-  { 2,     "algorithm",			  ASN1_EOC,          ASN1_RAW  }, /*  3 */
-  { 1,   "end loop",			  ASN1_EOC,          ASN1_END  }, /*  4 */
-  { 1,   "contentInfo",			  ASN1_EOC,          ASN1_RAW  }, /*  5 */
-  { 1,   "certificates",		  ASN1_CONTEXT_C_0,  ASN1_OPT |
-							     ASN1_LOOP }, /*  6 */
-  { 2,      "certificate",		  ASN1_SEQUENCE,     ASN1_OBJ  }, /*  7 */
-  { 1,   "end opt or loop",		  ASN1_EOC,	     ASN1_END  }, /*  8 */
-  { 1,   "crls",			  ASN1_CONTEXT_C_1,  ASN1_OPT |
-							     ASN1_LOOP }, /*  9 */
-  { 2,	    "crl",			  ASN1_SEQUENCE,     ASN1_OBJ  }, /* 10 */
-  { 1,   "end opt or loop",		  ASN1_EOC,	     ASN1_END  }, /* 11 */
-  { 1,   "signerInfos",			  ASN1_SET,	     ASN1_LOOP }, /* 12 */
-  { 2,     "signerInfo",		  ASN1_SEQUENCE,     ASN1_NONE }, /* 13 */
-  { 3,       "version",			  ASN1_INTEGER,	     ASN1_BODY }, /* 14 */
-  { 3,       "issuerAndSerialNumber",	  ASN1_SEQUENCE,     ASN1_BODY }, /* 15 */
-  { 4,         "issuer",	          ASN1_SEQUENCE,     ASN1_OBJ  }, /* 16 */
-  { 4,         "serial",	          ASN1_INTEGER,	     ASN1_BODY }, /* 17 */
-  { 3,       "digestAlgorithm",		  ASN1_EOC,	     ASN1_RAW  }, /* 18 */
-  { 3,       "authenticatedAttributes",	  ASN1_CONTEXT_C_0,  ASN1_OPT |
-							     ASN1_OBJ  }, /* 19 */
-  { 3,       "end opt",			  ASN1_EOC,	     ASN1_END  }, /* 20 */
-  { 3,       "digestEncryptionAlgorithm", ASN1_EOC,	     ASN1_RAW  }, /* 21 */
-  { 3,       "encryptedDigest",		  ASN1_OCTET_STRING, ASN1_BODY }, /* 22 */
-  { 3,       "unauthenticatedAttributes", ASN1_CONTEXT_C_1,  ASN1_OPT  }, /* 23 */
-  { 3,       "end opt",			  ASN1_EOC,	     ASN1_END  }, /* 24 */
-  { 1,   "end loop",			  ASN1_EOC,	     ASN1_END  }  /* 25 */
+	{ 0, "signedData",                      ASN1_SEQUENCE,     ASN1_NONE          }, /*  0 */
+	{ 1,   "version",                       ASN1_INTEGER,      ASN1_BODY          }, /*  1 */
+	{ 1,   "digestAlgorithms",              ASN1_SET,          ASN1_LOOP          }, /*  2 */
+	{ 2,     "algorithm",                   ASN1_EOC,          ASN1_RAW           }, /*  3 */
+	{ 1,   "end loop",                      ASN1_EOC,          ASN1_END           }, /*  4 */
+	{ 1,   "contentInfo",                   ASN1_EOC,          ASN1_RAW           }, /*  5 */
+	{ 1,   "certificates",                  ASN1_CONTEXT_C_0,  ASN1_OPT|ASN1_LOOP }, /*  6 */
+	{ 2,      "certificate",                ASN1_SEQUENCE,     ASN1_OBJ           }, /*  7 */
+	{ 1,   "end opt or loop",               ASN1_EOC,          ASN1_END           }, /*  8 */
+	{ 1,   "crls",                          ASN1_CONTEXT_C_1,  ASN1_OPT|ASN1_LOOP }, /*  9 */
+	{ 2,      "crl",                        ASN1_SEQUENCE,     ASN1_OBJ           }, /* 10 */
+	{ 1,   "end opt or loop",               ASN1_EOC,          ASN1_END           }, /* 11 */
+	{ 1,   "signerInfos",                   ASN1_SET,          ASN1_LOOP          }, /* 12 */
+	{ 2,     "signerInfo",                  ASN1_SEQUENCE,     ASN1_NONE          }, /* 13 */
+	{ 3,       "version",                   ASN1_INTEGER,      ASN1_BODY          }, /* 14 */
+	{ 3,       "issuerAndSerialNumber",     ASN1_SEQUENCE,     ASN1_BODY          }, /* 15 */
+	{ 4,         "issuer",                  ASN1_SEQUENCE,     ASN1_OBJ           }, /* 16 */
+	{ 4,         "serial",                  ASN1_INTEGER,      ASN1_BODY          }, /* 17 */
+	{ 3,       "digestAlgorithm",           ASN1_EOC,          ASN1_RAW           }, /* 18 */
+	{ 3,       "authenticatedAttributes",   ASN1_CONTEXT_C_0,  ASN1_OPT|ASN1_OBJ  }, /* 19 */
+	{ 3,       "end opt",                   ASN1_EOC,          ASN1_END           }, /* 20 */
+	{ 3,       "digestEncryptionAlgorithm", ASN1_EOC,          ASN1_RAW           }, /* 21 */
+	{ 3,       "encryptedDigest",           ASN1_OCTET_STRING, ASN1_BODY          }, /* 22 */
+	{ 3,       "unauthenticatedAttributes", ASN1_CONTEXT_C_1,  ASN1_OPT           }, /* 23 */
+	{ 3,       "end opt",                   ASN1_EOC,          ASN1_END           }, /* 24 */
+	{ 1,   "end loop",                      ASN1_EOC,          ASN1_END           }, /* 25 */
+	{ 0, "exit",                            ASN1_EOC,          ASN1_EXIT          }
 };
+#define PKCS7_DIGEST_ALG                 3
+#define PKCS7_SIGNED_CONTENT_INFO        5
+#define PKCS7_SIGNED_CERT                7
+#define PKCS7_SIGNER_INFO               13
+#define PKCS7_SIGNED_ISSUER             16
+#define PKCS7_SIGNED_SERIAL_NUMBER      17
+#define PKCS7_DIGEST_ALGORITHM          18
+#define PKCS7_AUTH_ATTRIBUTES           19
+#define PKCS7_DIGEST_ENC_ALGORITHM      21
+#define PKCS7_ENCRYPTED_DIGEST          22
 
-#define PKCS7_DIGEST_ALG	 	 3
-#define PKCS7_SIGNED_CONTENT_INFO	 5
-#define PKCS7_SIGNED_CERT	 	 7
-#define PKCS7_SIGNER_INFO		13
-#define PKCS7_SIGNED_ISSUER		16
-#define PKCS7_SIGNED_SERIAL_NUMBER	17
-#define PKCS7_DIGEST_ALGORITHM		18
-#define PKCS7_AUTH_ATTRIBUTES		19
-#define PKCS7_DIGEST_ENC_ALGORITHM	21
-#define PKCS7_ENCRYPTED_DIGEST		22
-#define PKCS7_SIGNED_ROOF		26
-
-/* ASN.1 definition of the PKCS#7 envelopedData type */
-
+/**
+ * ASN.1 definition of the PKCS#7 envelopedData type
+ */
 static const asn1Object_t envelopedDataObjects[] = {
-  { 0, "envelopedData",				ASN1_SEQUENCE,		ASN1_NONE }, /*  0 */
-  { 1,   "version",				ASN1_INTEGER, 		ASN1_BODY }, /*  1 */
-  { 1,   "recipientInfos",			ASN1_SET,    		ASN1_LOOP }, /*  2 */
-  { 2,     "recipientInfo",			ASN1_SEQUENCE, 		ASN1_BODY }, /*  3 */
-  { 3,       "version",				ASN1_INTEGER, 		ASN1_BODY }, /*  4 */
-  { 3,       "issuerAndSerialNumber",	        ASN1_SEQUENCE,		ASN1_BODY }, /*  5 */
-  { 4,         "issuer",	        	ASN1_SEQUENCE,		ASN1_OBJ  }, /*  6 */
-  { 4,         "serial",	        	ASN1_INTEGER,		ASN1_BODY }, /*  7 */
-  { 3,       "encryptionAlgorithm",	       	ASN1_EOC,		ASN1_RAW  }, /*  8 */
-  { 3,       "encryptedKey",		       	ASN1_OCTET_STRING,	ASN1_BODY }, /*  9 */
-  { 1,   "end loop",				ASN1_EOC,		ASN1_END  }, /* 10 */
-  { 1,   "encryptedContentInfo",		ASN1_SEQUENCE,		ASN1_OBJ  }, /* 11 */
-  { 2,     "contentType",			ASN1_OID,		ASN1_BODY }, /* 12 */
-  { 2,     "contentEncryptionAlgorithm",	ASN1_EOC,		ASN1_RAW  }, /* 13 */
-  { 2,     "encryptedContent",			ASN1_CONTEXT_S_0, 	ASN1_BODY }  /* 14 */
+	{ 0, "envelopedData",                  ASN1_SEQUENCE,     ASN1_NONE }, /*  0 */
+	{ 1,   "version",                      ASN1_INTEGER,      ASN1_BODY }, /*  1 */
+	{ 1,   "recipientInfos",               ASN1_SET,          ASN1_LOOP }, /*  2 */
+	{ 2,     "recipientInfo",              ASN1_SEQUENCE,     ASN1_BODY }, /*  3 */
+	{ 3,       "version",                  ASN1_INTEGER,      ASN1_BODY }, /*  4 */
+	{ 3,       "issuerAndSerialNumber",    ASN1_SEQUENCE,     ASN1_BODY }, /*  5 */
+	{ 4,         "issuer",                 ASN1_SEQUENCE,     ASN1_OBJ  }, /*  6 */
+	{ 4,         "serial",                 ASN1_INTEGER,      ASN1_BODY }, /*  7 */
+	{ 3,       "encryptionAlgorithm",      ASN1_EOC,          ASN1_RAW  }, /*  8 */
+	{ 3,       "encryptedKey",             ASN1_OCTET_STRING, ASN1_BODY }, /*  9 */
+	{ 1,   "end loop",                     ASN1_EOC,          ASN1_END  }, /* 10 */
+	{ 1,   "encryptedContentInfo",         ASN1_SEQUENCE,     ASN1_OBJ  }, /* 11 */
+	{ 2,     "contentType",                ASN1_OID,          ASN1_BODY }, /* 12 */
+	{ 2,     "contentEncryptionAlgorithm", ASN1_EOC,          ASN1_RAW  }, /* 13 */
+	{ 2,     "encryptedContent",           ASN1_CONTEXT_S_0,  ASN1_BODY }, /* 14 */
+	{ 0, "exit",                           ASN1_EOC,          ASN1_EXIT }
 };
+#define PKCS7_ENVELOPED_VERSION          1
+#define PKCS7_RECIPIENT_INFO_VERSION     4
+#define PKCS7_ISSUER                     6
+#define PKCS7_SERIAL_NUMBER              7
+#define PKCS7_ENCRYPTION_ALG             8
+#define PKCS7_ENCRYPTED_KEY              9
+#define PKCS7_CONTENT_TYPE              12
+#define PKCS7_CONTENT_ENC_ALGORITHM     13
+#define PKCS7_ENCRYPTED_CONTENT         14
+#define PKCS7_ENVELOPED_ROOF            15
 
-#define PKCS7_ENVELOPED_VERSION		 1
-#define PKCS7_RECIPIENT_INFO_VERSION	 4
-#define PKCS7_ISSUER			 6
-#define PKCS7_SERIAL_NUMBER		 7
-#define PKCS7_ENCRYPTION_ALG		 8
-#define PKCS7_ENCRYPTED_KEY		 9
-#define PKCS7_CONTENT_TYPE		12
-#define PKCS7_CONTENT_ENC_ALGORITHM	13
-#define PKCS7_ENCRYPTED_CONTENT		14
-#define PKCS7_ENVELOPED_ROOF		15
-
-/* PKCS7 contentInfo OIDs */
+/**
+ * PKCS7 contentInfo OIDs
+ */
 
 static u_char ASN1_pkcs7_data_oid_str[] = {
-    0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x01
+	0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x01
 };
 
 static u_char ASN1_pkcs7_signed_data_oid_str[] = {
-    0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x02
+	0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x02
 };
 
 static u_char ASN1_pkcs7_enveloped_data_oid_str[] = {
-    0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x03
+	0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x03
 };
 
 static u_char ASN1_pkcs7_signed_enveloped_data_oid_str[] = {
-    0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x04
+	0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x04
 };
 
 static u_char ASN1_pkcs7_digested_data_oid_str[] = {
-    0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x05
+	0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x05
 };
 
 static char ASN1_pkcs7_encrypted_data_oid_str[] = {
-    0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x06
+	0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x06
 };
 
 static const chunk_t ASN1_pkcs7_data_oid = 
-			strchunk(ASN1_pkcs7_data_oid_str);
+						chunk_from_buf(ASN1_pkcs7_data_oid_str);
 static const chunk_t ASN1_pkcs7_signed_data_oid =
-			strchunk(ASN1_pkcs7_signed_data_oid_str);
+						chunk_from_buf(ASN1_pkcs7_signed_data_oid_str);
 static const chunk_t ASN1_pkcs7_enveloped_data_oid =
-			strchunk(ASN1_pkcs7_enveloped_data_oid_str);
+						chunk_from_buf(ASN1_pkcs7_enveloped_data_oid_str);
 static const chunk_t ASN1_pkcs7_signed_enveloped_data_oid = 
-			strchunk(ASN1_pkcs7_signed_enveloped_data_oid_str);
+						chunk_from_buf(ASN1_pkcs7_signed_enveloped_data_oid_str);
 static const chunk_t ASN1_pkcs7_digested_data_oid =
-			strchunk(ASN1_pkcs7_digested_data_oid_str);
+						chunk_from_buf(ASN1_pkcs7_digested_data_oid_str);
 static const chunk_t ASN1_pkcs7_encrypted_data_oid =
-			strchunk(ASN1_pkcs7_encrypted_data_oid_str);
+						chunk_from_buf(ASN1_pkcs7_encrypted_data_oid_str);
 
-/* 3DES and DES encryption OIDs */
+/**
+ * 3DES and DES encryption OIDs
+ */
 
 static u_char ASN1_3des_ede_cbc_oid_str[] = {
-    0x06, 0x08, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x03, 0x07
+	0x06, 0x08, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x03, 0x07
 };
 
 static u_char ASN1_des_cbc_oid_str[] = {
-    0x06, 0x05, 0x2B, 0x0E, 0x03, 0x02, 0x07
+	0x06, 0x05, 0x2B, 0x0E, 0x03, 0x02, 0x07
 };
 
 static const chunk_t ASN1_3des_ede_cbc_oid = 
-			strchunk(ASN1_3des_ede_cbc_oid_str);
+						chunk_from_buf(ASN1_3des_ede_cbc_oid_str);
 static const chunk_t ASN1_des_cbc_oid =
-			strchunk(ASN1_des_cbc_oid_str);
+						chunk_from_buf(ASN1_des_cbc_oid_str);
 
-/* PKCS#7 attribute type OIDs */
+/**
+ * PKCS#7 attribute type OIDs
+ */
 
 static u_char ASN1_contentType_oid_str[] = {
-    0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x03
+	0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x03
 };
 
 static u_char ASN1_messageDigest_oid_str[] = {
-    0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x04
+	0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x04
 };
 
 static const chunk_t ASN1_contentType_oid =
-			strchunk(ASN1_contentType_oid_str);
+						chunk_from_buf(ASN1_contentType_oid_str);
 static const chunk_t ASN1_messageDigest_oid =
-			strchunk(ASN1_messageDigest_oid_str);
+						chunk_from_buf(ASN1_messageDigest_oid_str);
 
-/*
+/**
  * Parse PKCS#7 ContentInfo object
  */
-bool
-pkcs7_parse_contentInfo(chunk_t blob, u_int level0, contentInfo_t *cInfo)
+bool pkcs7_parse_contentInfo(chunk_t blob, u_int level0, contentInfo_t *cInfo)
 {
-    asn1_ctx_t ctx;
-    chunk_t object;
-    u_int level;
-    int objectID = 0;
-
-    asn1_init(&ctx, blob, level0, FALSE, DBG_RAW);
+	asn1_parser_t *parser;
+	chunk_t object;
+	int objectID;
+	bool success = FALSE;
 
-    while (objectID < PKCS7_INFO_ROOF)
-    {
-	if (!extract_object(contentInfoObjects, &objectID, &object, &level, &ctx))
-	     return FALSE;
+	parser = asn1_parser_create(contentInfoObjects, blob);
+	parser->set_top_level(parser, level0);
 
-	if (objectID == PKCS7_INFO_TYPE)
+	while (parser->iterate(parser, &objectID, &object))
 	{
-	    cInfo->type = known_oid(object);
-	    if (cInfo->type < OID_PKCS7_DATA
-	    ||  cInfo->type > OID_PKCS7_ENCRYPTED_DATA)
-	    {
-		plog("unknown pkcs7 content type");
-		return FALSE;
-	    }
-	}
-	else if (objectID == PKCS7_INFO_CONTENT)
-	{
-	    cInfo->content = object;
+		if (objectID == PKCS7_INFO_TYPE)
+		{
+			cInfo->type = asn1_known_oid(object);
+			if (cInfo->type < OID_PKCS7_DATA
+			||  cInfo->type > OID_PKCS7_ENCRYPTED_DATA)
+			{
+				DBG1("unknown pkcs7 content type");
+				goto end;
+			}
+		}
+		else if (objectID == PKCS7_INFO_CONTENT)
+		{
+			cInfo->content = object;
+		}
 	}
-	objectID++;
-    }
-    return TRUE;
+	success = parser->success(parser);
+
+end:
+	parser->destroy(parser);
+	return success;
 }
 
-/*
+/**
  * Parse a PKCS#7 signedData object
  */
-bool
-pkcs7_parse_signedData(chunk_t blob, contentInfo_t *data, x509cert_t **cert
-, chunk_t *attributes, const x509cert_t *cacert)
+bool pkcs7_parse_signedData(chunk_t blob, contentInfo_t *data, x509cert_t **cert,
+							chunk_t *attributes, const x509cert_t *cacert)
 {
-    u_char buf[BUF_LEN];
-    asn1_ctx_t ctx;
-    chunk_t object;
-    u_int level;
-    int digest_alg = OID_UNKNOWN;
-    int enc_alg    = OID_UNKNOWN;
-    int signerInfos = 0;
-    int objectID = 0;
-
-    contentInfo_t cInfo = empty_contentInfo;
-    chunk_t encrypted_digest = empty_chunk;
-
-    if (!pkcs7_parse_contentInfo(blob, 0, &cInfo))
-	return FALSE;
-
-    if (cInfo.type != OID_PKCS7_SIGNED_DATA)
-    {
-	plog("pkcs7 content type is not signedData");
-	return FALSE;
-    }
-
-    asn1_init(&ctx, cInfo.content, 2, FALSE, DBG_RAW);
-
-    while (objectID < PKCS7_SIGNED_ROOF)
-   {
-	if (!extract_object(signedDataObjects, &objectID, &object, &level, &ctx))
-	     return FALSE;
-
-	switch (objectID)
-	{
-	case PKCS7_DIGEST_ALG:
-	    digest_alg = parse_algorithmIdentifier(object, level, NULL);
-	    break;
-	case PKCS7_SIGNED_CONTENT_INFO:
-	    if (data != NULL)
-	    {
-		pkcs7_parse_contentInfo(object, level, data);
-	    }
-	    break;
-	case PKCS7_SIGNED_CERT:
-	    if (cert != NULL)
-	    {
-		chunk_t cert_blob;
-
-		x509cert_t *newcert = alloc_thing(x509cert_t
-					, "pkcs7 wrapped x509cert");
-
-		clonetochunk(cert_blob, object.ptr, object.len
-			    , "pkcs7 cert blob");
-		*newcert = empty_x509cert;
-
-		DBG(DBG_CONTROL | DBG_PARSING,
-		    DBG_log("parsing pkcs7-wrapped certificate")
-		)
-		if (parse_x509cert(cert_blob, level+1, newcert))
-		{
-		    newcert->next = *cert;
-		    *cert = newcert;
-		}
-	        else
-		{
-		    free_x509cert(newcert);
-	    	}
-	    }
-	    break;
-	case PKCS7_SIGNER_INFO:
-	    signerInfos++;
-	    DBG(DBG_PARSING,
-		DBG_log("  signer #%d", signerInfos)
-	    )
-	    break;	
-	case PKCS7_SIGNED_ISSUER:
-	    DBG(DBG_PARSING,
-		dntoa(buf, BUF_LEN, object);
-		DBG_log("  '%s'",buf)
-	    )
-	    break;
-	case PKCS7_AUTH_ATTRIBUTES:
-	    if (attributes != NULL)
-	    {
-		*attributes = object;
-		*attributes->ptr = ASN1_SET;
-	    }
-	    break;
-	case PKCS7_DIGEST_ALGORITHM:
-	    digest_alg = parse_algorithmIdentifier(object, level, NULL);
-	    break;
-	case PKCS7_DIGEST_ENC_ALGORITHM:
-	    enc_alg = parse_algorithmIdentifier(object, level, NULL);
-	    break;
-	case PKCS7_ENCRYPTED_DIGEST:
-	    encrypted_digest = object;
-	}
-	objectID++;
-    }
-
-    /* check the signature only if a cacert is available */
-    if (cacert != NULL)
-    {
-	if (signerInfos == 0)
+	u_char buf[BUF_LEN];
+	asn1_parser_t *parser;
+	chunk_t object;
+	int digest_alg = OID_UNKNOWN;
+	int enc_alg    = OID_UNKNOWN;
+	int signerInfos = 0;
+	int objectID;
+	bool success = FALSE;
+
+	contentInfo_t cInfo = empty_contentInfo;
+	chunk_t encrypted_digest = chunk_empty;
+
+	if (!pkcs7_parse_contentInfo(blob, 0, &cInfo))
 	{
-	    plog("no signerInfo object found");
-	    return FALSE;
+		return FALSE;
 	}
-	else if (signerInfos > 1)
+	if (cInfo.type != OID_PKCS7_SIGNED_DATA)
 	{
-	    plog("more than one signerInfo object found");
-	    return FALSE;
+		DBG1("pkcs7 content type is not signedData");
+		return FALSE;
 	}
-	if (attributes->ptr == NULL)
+
+	parser = asn1_parser_create(signedDataObjects, blob);
+	parser->set_top_level(parser, 2);
+
+	while (parser->iterate(parser, &objectID, &object))
 	{
-	    plog("no authenticatedAttributes object found");
-	    return FALSE;
+		u_int level = parser->get_level(parser);
+
+		switch (objectID)
+		{
+		case PKCS7_DIGEST_ALG:
+			digest_alg = asn1_parse_algorithmIdentifier(object, level, NULL);
+			break;
+		case PKCS7_SIGNED_CONTENT_INFO:
+			if (data != NULL)
+			{
+				pkcs7_parse_contentInfo(object, level, data);
+			}
+			break;
+		case PKCS7_SIGNED_CERT:
+			if (cert != NULL)
+			{
+				chunk_t cert_blob = chunk_clone(object);
+				x509cert_t *newcert = malloc_thing(x509cert_t);
+
+				*newcert = empty_x509cert;
+
+				DBG2("  parsing pkcs7-wrapped certificate");
+				if (parse_x509cert(cert_blob, level+1, newcert))
+				{
+					newcert->next = *cert;
+					*cert = newcert;
+				}
+				else
+				{
+					free_x509cert(newcert);
+				}
+			}
+			break;
+		case PKCS7_SIGNER_INFO:
+			signerInfos++;
+			DBG2("  signer #%d", signerInfos);
+			break;      
+		case PKCS7_SIGNED_ISSUER:
+			dntoa(buf, BUF_LEN, object);
+			DBG2("  '%s'",buf);
+			break;
+		case PKCS7_AUTH_ATTRIBUTES:
+			if (attributes != NULL)
+			{
+				*attributes = object;
+				*attributes->ptr = ASN1_SET;
+			}
+			break;
+		case PKCS7_DIGEST_ALGORITHM:
+			digest_alg = asn1_parse_algorithmIdentifier(object, level, NULL);
+			break;
+		case PKCS7_DIGEST_ENC_ALGORITHM:
+			enc_alg = asn1_parse_algorithmIdentifier(object, level, NULL);
+			break;
+		case PKCS7_ENCRYPTED_DIGEST:
+			encrypted_digest = object;
+		}
 	}
-	if (!check_signature(*attributes, encrypted_digest, digest_alg
-	   , enc_alg, cacert))
+	success = parser->success(parser);
+	parser->destroy(parser);
+	if (!success)
 	{
-	    plog("invalid signature");
-	    return FALSE;
+		return FALSE;
 	}
-	else
+
+	/* check the signature only if a cacert is available */
+	if (cacert != NULL)
 	{
-	    DBG(DBG_CONTROL,
-		DBG_log("signature is valid")
-	    )
+		public_key_t *key = cacert->public_key;
+		signature_scheme_t scheme = SIGN_RSA_EMSA_PKCS1_SHA1;
+
+		if (signerInfos == 0)
+		{
+			DBG1("no signerInfo object found");
+			return FALSE;
+		}
+		else if (signerInfos > 1)
+		{
+			DBG1("more than one signerInfo object found");
+			return FALSE;
+		}
+		if (attributes->ptr == NULL)
+		{
+			DBG1("no authenticatedAttributes object found");
+			return FALSE;
+		}
+		if (enc_alg != OID_RSA_ENCRYPTION)
+		{
+			DBG1("only RSA digest encryption supported");
+			return FALSE;
+		}
+
+		/* determine signature scheme */
+		scheme = signature_scheme_from_oid(digest_alg);
+
+		if (scheme == SIGN_UNKNOWN)
+		{
+			return FALSE;
+		}
+		if (key->verify(key, scheme, *attributes, encrypted_digest))
+		{
+			DBG2("signature is valid");
+		}
+		else
+		{
+			DBG1("invalid signature");
+			return FALSE;
+		}
 	}
-    }
-    return TRUE;
+	return TRUE;
 }
 
-/*
+/**
  * Parse a PKCS#7 envelopedData object
  */
-bool
-pkcs7_parse_envelopedData(chunk_t blob, chunk_t *data
-, chunk_t serialNumber, const RSA_private_key_t *key)
+bool pkcs7_parse_envelopedData(chunk_t blob, chunk_t *data,
+							   chunk_t serialNumber,
+							   private_key_t *key)
 {
-    asn1_ctx_t ctx;
-    chunk_t object;
-    chunk_t iv                = empty_chunk;
-    chunk_t symmetric_key     = empty_chunk;
-    chunk_t encrypted_content = empty_chunk;
-
-    u_char buf[BUF_LEN];
-    u_int level;
-    u_int total_keys = 3;
-    int enc_alg         = OID_UNKNOWN;
-    int content_enc_alg = OID_UNKNOWN;
-    int objectID = 0;
-
-    contentInfo_t cInfo = empty_contentInfo;
-    *data = empty_chunk;
-
-    if (!pkcs7_parse_contentInfo(blob, 0, &cInfo))
-	goto failed;
-
-    if (cInfo.type != OID_PKCS7_ENVELOPED_DATA)
-    {
-	plog("pkcs7 content type is not envelopedData");
-	return FALSE;
-    }
-
-    asn1_init(&ctx, cInfo.content, 2, FALSE, DBG_RAW);
-
-    while (objectID < PKCS7_ENVELOPED_ROOF)
-    {
-	if (!extract_object(envelopedDataObjects, &objectID, &object, &level, &ctx))
-	     goto failed;
-
-	switch (objectID)
-	{
-	case PKCS7_ENVELOPED_VERSION:
-	if (*object.ptr != 0)
+	asn1_parser_t *parser;
+	chunk_t object;
+	chunk_t iv                = chunk_empty;
+	chunk_t symmetric_key     = chunk_empty;
+	chunk_t encrypted_content = chunk_empty;
+
+	crypter_t *crypter = NULL;
+
+	u_char buf[BUF_LEN];
+	int enc_alg         = OID_UNKNOWN;
+	int content_enc_alg = OID_UNKNOWN;
+	int objectID;
+	bool success = FALSE;
+
+	contentInfo_t cInfo = empty_contentInfo;
+	*data = chunk_empty;
+
+	if (!pkcs7_parse_contentInfo(blob, 0, &cInfo))
 	{
-	    plog("envelopedData version is not 0");
-	    goto failed;
-	}
-	break;
-	case PKCS7_RECIPIENT_INFO_VERSION:
-	    if (*object.ptr != 0)
-	    {
-		plog("recipient info version is not 0");
-		goto failed;
-	    }
-	    break;
-	case PKCS7_ISSUER:
-	    DBG(DBG_PARSING,
-		dntoa(buf, BUF_LEN, object);
-		DBG_log("  '%s'", buf)
-	    )
-	    break;	
-	case PKCS7_SERIAL_NUMBER:
-	    if (!same_chunk(serialNumber, object))
-	    {
-		plog("serial numbers do not match");
-		goto failed;
-	    }	
-	    break;	
-	case PKCS7_ENCRYPTION_ALG:
-	    enc_alg = parse_algorithmIdentifier(object, level, NULL);
-	    if (enc_alg != OID_RSA_ENCRYPTION)
-	    {
-		plog("only rsa encryption supported");
-		goto failed;
-	    } 
-	    break;
-	case PKCS7_ENCRYPTED_KEY:
-	    if (!RSA_decrypt(key, object, &symmetric_key))
-	    {
-		plog("symmetric key could not be decrypted with rsa");
-		goto failed;
-	    }
-	    DBG(DBG_PRIVATE,
-		DBG_dump_chunk("symmetric key :", symmetric_key)
-	    )
-	    break;
-	case PKCS7_CONTENT_TYPE:
-	    if (known_oid(object) != OID_PKCS7_DATA)
-	    {
-		 plog("encrypted content not of type pkcs7 data");
-		 goto failed;
-	    }
-	    break;
-	case PKCS7_CONTENT_ENC_ALGORITHM:
-	    content_enc_alg = parse_algorithmIdentifier(object, level, &iv);
-
-	    switch (content_enc_alg)
-	    {
-	    case OID_DES_CBC:
-		total_keys = 1;
-		break;
-	    case OID_3DES_EDE_CBC:
-		total_keys = 3;
-		break;
-	    default:
-		plog("Only DES and 3DES supported for symmetric encryption");
-		goto failed;
-	    }
-	    if (symmetric_key.len != (total_keys * DES_CBC_BLOCK_SIZE))
-	    {
-		plog("key length is not %d",(total_keys * DES_CBC_BLOCK_SIZE));
-		goto failed;
-	    }
-	    if (!parse_asn1_simple_object(&iv, ASN1_OCTET_STRING, level+1, "IV"))
-	    {
-		plog("IV could not be parsed");
 		goto failed;
-	    }
-	    if (iv.len != DES_CBC_BLOCK_SIZE)
-	    {
-		plog("IV has wrong length");
+	}
+	if (cInfo.type != OID_PKCS7_ENVELOPED_DATA)
+	{
+		DBG1("pkcs7 content type is not envelopedData");
 		goto failed;
-	    }
-	    break;
-	case PKCS7_ENCRYPTED_CONTENT:
-	    encrypted_content = object;
-	    break;
 	}
-	objectID++;
-    }
 
-    /* decrypt the content */
-    {
-	u_int i;
-	des_cblock des_key[3], des_iv;
-	des_key_schedule key_s[3];
+	parser = asn1_parser_create(envelopedDataObjects, cInfo.content);
+	parser->set_top_level(parser, 2);
 
-	memcpy((char *)des_key, symmetric_key.ptr, symmetric_key.len);
-	memcpy((char *)des_iv, iv.ptr, iv.len);
-
-	for (i = 0; i < total_keys; i++)
+	while (parser->iterate(parser, &objectID, &object))
 	{
-	    if (des_set_key(&des_key[i], key_s[i]))
-	    {
-		plog("des key schedule failed");
-		goto failed;
-	    }
-	}
+		u_int level = parser->get_level(parser);
 
-	data->len = encrypted_content.len;
-	data->ptr = alloc_bytes(data->len, "decrypted data");
+		switch (objectID)
+		{
+		case PKCS7_ENVELOPED_VERSION:
+		if (*object.ptr != 0)
+		{
+			DBG1("envelopedData version is not 0");
+			goto end;
+		}
+		break;
+		case PKCS7_RECIPIENT_INFO_VERSION:
+			if (*object.ptr != 0)
+			{
+				DBG1("recipient info version is not 0");
+				goto end;
+			}
+			break;
+		case PKCS7_ISSUER:
+			dntoa(buf, BUF_LEN, object);
+			DBG2("  '%s'", buf);
+			break;      
+		case PKCS7_SERIAL_NUMBER:
+			if (!chunk_equals(serialNumber, object))
+			{
+				DBG1("serial numbers do not match");
+				goto end;
+			}   
+			break;      
+		case PKCS7_ENCRYPTION_ALG:
+			enc_alg = asn1_parse_algorithmIdentifier(object, level, NULL);
+			if (enc_alg != OID_RSA_ENCRYPTION)
+			{
+				DBG1("only rsa encryption supported");
+				goto end;
+			} 
+			break;
+		case PKCS7_ENCRYPTED_KEY:
+			if (!key->decrypt(key, object, &symmetric_key))
+			{
+				DBG1("symmetric key could not be decrypted with rsa");
+				goto end;
+			}
+			DBG4("symmetric key %B", &symmetric_key);
+			break;
+		case PKCS7_CONTENT_TYPE:
+			if (asn1_known_oid(object) != OID_PKCS7_DATA)
+			{
+				 DBG1("encrypted content not of type pkcs7 data");
+				 goto end;
+			}
+			break;
+		case PKCS7_CONTENT_ENC_ALGORITHM:
+			content_enc_alg = asn1_parse_algorithmIdentifier(object, level, &iv);
+	
+			if (content_enc_alg == OID_UNKNOWN)
+			{
+				DBG1("unknown content encryption algorithm");
+				goto end;
+			}
+			if (!asn1_parse_simple_object(&iv, ASN1_OCTET_STRING, level+1, "IV"))
+			{
+				DBG1("IV could not be parsed");
+				goto end;
+			}
+			break;
+		case PKCS7_ENCRYPTED_CONTENT:
+			encrypted_content = object;
+			break;
+		}
+	}
+	success = parser->success(parser);
 
-	switch (content_enc_alg)
+end:
+	parser->destroy(parser);
+	if (!success)
 	{
-	case OID_DES_CBC:
-	    des_cbc_encrypt((des_cblock*)encrypted_content.ptr
-			  , (des_cblock*)data->ptr, data->len
-			  , key_s[0], &des_iv, DES_DECRYPT);
-	    break;
-	case OID_3DES_EDE_CBC:
-	    des_ede3_cbc_encrypt( (des_cblock*)encrypted_content.ptr
-				, (des_cblock*)data->ptr, data->len
-				, key_s[0], key_s[1], key_s[2]
-				, &des_iv, DES_DECRYPT);
+		goto failed;
 	}
-	DBG(DBG_PRIVATE,
-	    DBG_dump_chunk("decrypted content with padding:\n", *data)
-	)
-    }
- 
-    /* remove the padding */
-    {
-	u_char *pos = data->ptr + data->len - 1;
-	u_char pattern = *pos;
-	size_t padding = pattern;
-
-	if (padding > data->len)
+	success = FALSE;
+
+	/* decrypt the content */
 	{
-	    plog("padding greater than data length");
-	    goto failed;
+		encryption_algorithm_t alg;
+		size_t key_size;
+		crypter_t *crypter;
+
+		alg = encryption_algorithm_from_oid(content_enc_alg, &key_size);
+		if (alg == ENCR_UNDEFINED)
+		{
+			DBG1("unsupported content encryption algorithm");
+			goto failed;
+		}
+		crypter = lib->crypto->create_crypter(lib->crypto, alg, key_size);
+		if (crypter == NULL)
+		{
+			DBG1("crypter %N not available", encryption_algorithm_names, alg);
+			goto failed;
+		}
+		if (symmetric_key.len != crypter->get_key_size(crypter))
+		{
+			DBG1("symmetric key length %d is wrong", symmetric_key.len);
+			goto failed;
+		}
+		if (iv.len != crypter->get_block_size(crypter))
+		{
+			DBG1("IV length %d is wrong", iv.len);
+			goto failed;
+		}
+		crypter->set_key(crypter, symmetric_key);
+		crypter->decrypt(crypter, encrypted_content, iv, data);
+		DBG4("decrypted content with padding: %B", data);
 	}
-	data->len -= padding;
 
-	while (padding-- > 0)
+	/* remove the padding */
 	{
-	    if (*pos-- != pattern)
-	    {
-		plog("wrong padding pattern");
-		goto failed;
-	    }
+		u_char *pos = data->ptr + data->len - 1;
+		u_char pattern = *pos;
+		size_t padding = pattern;
+
+		if (padding > data->len)
+		{
+			DBG1("padding greater than data length");
+			goto failed;
+		}
+		data->len -= padding;
+
+		while (padding-- > 0)
+		{
+			if (*pos-- != pattern)
+			{
+				DBG1("wrong padding pattern");
+				goto failed;
+			}
+		}
 	}
-    }
-    freeanychunk(symmetric_key);
-    return TRUE;
+	success = TRUE;
 
 failed:
-    freeanychunk(symmetric_key);
-    pfreeany(data->ptr);
-    return FALSE;
+	DESTROY_IF(crypter);
+	chunk_clear(&symmetric_key);
+	if (!success)
+	{
+		free(data->ptr);
+	}
+	return success;
 }
 
 /**
@@ -577,12 +576,11 @@ failed:
  *
  * @return ASN.1 encoded contentType attribute
  */
-chunk_t
-pkcs7_contentType_attribute(void)
+chunk_t pkcs7_contentType_attribute(void)
 {
-    return asn1_wrap(ASN1_SEQUENCE, "cm"
-		, ASN1_contentType_oid
-		, asn1_simple_object(ASN1_SET, ASN1_pkcs7_data_oid));
+	return asn1_wrap(ASN1_SEQUENCE, "cm"
+				, ASN1_contentType_oid
+				, asn1_simple_object(ASN1_SET, ASN1_pkcs7_data_oid));
 }
 
 /**
@@ -594,269 +592,228 @@ pkcs7_contentType_attribute(void)
  * @return ASN.1 encoded messageDigest attribute
  * 
  */
-chunk_t
-pkcs7_messageDigest_attribute(chunk_t content, int digest_alg)
+chunk_t pkcs7_messageDigest_attribute(chunk_t content, int digest_alg)
 {
-    u_char digest_buf[MAX_DIGEST_LEN];
-    chunk_t digest = { digest_buf, MAX_DIGEST_LEN };
-
-    compute_digest(content, digest_alg, &digest);
-
-    return asn1_wrap(ASN1_SEQUENCE, "cm"
-		, ASN1_messageDigest_oid
-		, asn1_wrap(ASN1_SET, "m"
-		    , asn1_simple_object(ASN1_OCTET_STRING, digest)
-		  )
-	   );
+	chunk_t digest;
+	hash_algorithm_t hash_alg;
+	hasher_t *hasher;
+
+	hash_alg = hasher_algorithm_from_oid(digest_alg);
+	hasher = lib->crypto->create_hasher(lib->crypto, hash_alg);
+	hasher->allocate_hash(hasher, content, &digest);
+	hasher->destroy(hasher);
+
+	return asn1_wrap(ASN1_SEQUENCE, "cm",
+				ASN1_messageDigest_oid,
+					asn1_wrap(ASN1_SET, "m",
+						asn1_wrap(ASN1_OCTET_STRING, "m", digest)
+					)
+				);
 }
-/*
+
+/**
  * build a DER-encoded contentInfo object
  */
-static chunk_t
-pkcs7_build_contentInfo(contentInfo_t *cInfo)
+static chunk_t pkcs7_build_contentInfo(contentInfo_t *cInfo)
 {
-    chunk_t content_type;
-
-    /* select DER-encoded OID for pkcs7 contentInfo type */
-    switch(cInfo->type)
-    {
-    case OID_PKCS7_DATA:
-	content_type = ASN1_pkcs7_data_oid;
-	break;
-    case OID_PKCS7_SIGNED_DATA:
-	content_type = ASN1_pkcs7_signed_data_oid;
-	break;
-    case OID_PKCS7_ENVELOPED_DATA:
-	content_type = ASN1_pkcs7_enveloped_data_oid;
-	break;
-    case OID_PKCS7_SIGNED_ENVELOPED_DATA:
-	content_type = ASN1_pkcs7_signed_enveloped_data_oid;
-	break;
-    case OID_PKCS7_DIGESTED_DATA:
-	content_type = ASN1_pkcs7_digested_data_oid;
-	break;
-    case OID_PKCS7_ENCRYPTED_DATA:
-	content_type = ASN1_pkcs7_encrypted_data_oid;
-	break;
-    case OID_UNKNOWN:
-    default:
-	fprintf(stderr, "invalid pkcs7 contentInfo type");
-	return empty_chunk;
-    }
-
-    return (cInfo->content.ptr == NULL)
-	? asn1_simple_object(ASN1_SEQUENCE, content_type)
-	: asn1_wrap(ASN1_SEQUENCE, "cm"
-	    , content_type
-	    , asn1_simple_object(ASN1_CONTEXT_C_0, cInfo->content)
-          );
+	chunk_t content_type;
+
+	/* select DER-encoded OID for pkcs7 contentInfo type */
+	switch(cInfo->type)
+	{
+	case OID_PKCS7_DATA:
+		content_type = ASN1_pkcs7_data_oid;
+		break;
+	case OID_PKCS7_SIGNED_DATA:
+		content_type = ASN1_pkcs7_signed_data_oid;
+		break;
+	case OID_PKCS7_ENVELOPED_DATA:
+		content_type = ASN1_pkcs7_enveloped_data_oid;
+		break;
+	case OID_PKCS7_SIGNED_ENVELOPED_DATA:
+		content_type = ASN1_pkcs7_signed_enveloped_data_oid;
+		break;
+	case OID_PKCS7_DIGESTED_DATA:
+		content_type = ASN1_pkcs7_digested_data_oid;
+		break;
+	case OID_PKCS7_ENCRYPTED_DATA:
+		content_type = ASN1_pkcs7_encrypted_data_oid;
+		break;
+	case OID_UNKNOWN:
+	default:
+		DBG1("invalid pkcs7 contentInfo type");
+		return chunk_empty;
+	}
+
+	return (cInfo->content.ptr == NULL)
+		? asn1_simple_object(ASN1_SEQUENCE, content_type)
+		: asn1_wrap(ASN1_SEQUENCE, "cm"
+			, content_type
+			, asn1_simple_object(ASN1_CONTEXT_C_0, cInfo->content)
+		  );
 }
 
-/*
+/**
  * build issuerAndSerialNumber object
  */
-chunk_t
-pkcs7_build_issuerAndSerialNumber(const x509cert_t *cert)
+chunk_t pkcs7_build_issuerAndSerialNumber(const x509cert_t *cert)
 {
-    return asn1_wrap(ASN1_SEQUENCE, "cm"
-		, cert->issuer
-		, asn1_simple_object(ASN1_INTEGER, cert->serialNumber));
+	return asn1_wrap(ASN1_SEQUENCE, "cm"
+				, cert->issuer
+				, asn1_integer("c", cert->serialNumber));
 }
 
-/*
+/**
  * create a signed pkcs7 contentInfo object
  */
-chunk_t
-pkcs7_build_signedData(chunk_t data, chunk_t attributes, const x509cert_t *cert
-, int digest_alg, const RSA_private_key_t *key)
+chunk_t pkcs7_build_signedData(chunk_t data, chunk_t attributes,
+							   const x509cert_t *cert, int digest_alg,
+							   private_key_t *key)
 {
-    contentInfo_t pkcs7Data, signedData;
-    chunk_t authenticatedAttributes, encryptedDigest, signerInfo, cInfo;
-
-    chunk_t digestAlgorithm = asn1_algorithmIdentifier(digest_alg);
-
-    if (attributes.ptr != NULL)
-    {
-	encryptedDigest = pkcs1_build_signature(attributes, digest_alg
-				, key, FALSE);
-	clonetochunk(authenticatedAttributes, attributes.ptr, attributes.len
-	    , "authenticatedAttributes");
-	*authenticatedAttributes.ptr = ASN1_CONTEXT_C_0;
-    }
-    else
-    {
-	encryptedDigest = (data.ptr == NULL)? empty_chunk
-		: pkcs1_build_signature(data, digest_alg, key, FALSE);
-	authenticatedAttributes = empty_chunk;
-    }
-
-    signerInfo = asn1_wrap(ASN1_SEQUENCE, "cmcmcm"
-		, ASN1_INTEGER_1
-		, pkcs7_build_issuerAndSerialNumber(cert)
-		, digestAlgorithm
-		, authenticatedAttributes
-		, ASN1_rsaEncryption_id
-		, encryptedDigest);
-
-    pkcs7Data.type    = OID_PKCS7_DATA;
-    pkcs7Data.content = (data.ptr == NULL)? empty_chunk
-		: asn1_simple_object(ASN1_OCTET_STRING, data);
-
-    signedData.type = OID_PKCS7_SIGNED_DATA;
-    signedData.content = asn1_wrap(ASN1_SEQUENCE, "cmmmm"
-		, ASN1_INTEGER_1
-		, asn1_simple_object(ASN1_SET, digestAlgorithm)
-		, pkcs7_build_contentInfo(&pkcs7Data)
-		, asn1_simple_object(ASN1_CONTEXT_C_0, cert->certificate)
-		, asn1_wrap(ASN1_SET, "m", signerInfo));
-
-    cInfo = pkcs7_build_contentInfo(&signedData);
-    DBG(DBG_RAW,
-	DBG_dump_chunk("signedData:\n", cInfo)
-    )
-
-    freeanychunk(pkcs7Data.content);
-    freeanychunk(signedData.content);
-    return cInfo;
+	contentInfo_t pkcs7Data, signedData;
+	chunk_t authenticatedAttributes, encryptedDigest, signerInfo, cInfo;
+
+	chunk_t digestAlgorithm = asn1_algorithmIdentifier(digest_alg);
+
+	if (attributes.ptr != NULL)
+	{
+		encryptedDigest = x509_build_signature(attributes, digest_alg, key,
+											   FALSE);
+		authenticatedAttributes = chunk_clone(attributes);
+		*authenticatedAttributes.ptr = ASN1_CONTEXT_C_0;
+	}
+	else
+	{
+		encryptedDigest = (data.ptr == NULL)? chunk_empty
+				: x509_build_signature(data, digest_alg, key, FALSE);
+		authenticatedAttributes = chunk_empty;
+	}
+
+	signerInfo = asn1_wrap(ASN1_SEQUENCE, "cmcmcm"
+				, ASN1_INTEGER_1
+				, pkcs7_build_issuerAndSerialNumber(cert)
+				, digestAlgorithm
+				, authenticatedAttributes
+				, asn1_algorithmIdentifier(OID_RSA_ENCRYPTION)
+				, encryptedDigest);
+
+	pkcs7Data.type    = OID_PKCS7_DATA;
+	pkcs7Data.content = (data.ptr == NULL)? chunk_empty
+				: asn1_simple_object(ASN1_OCTET_STRING, data);
+
+	signedData.type = OID_PKCS7_SIGNED_DATA;
+	signedData.content = asn1_wrap(ASN1_SEQUENCE, "cmmmm"
+				, ASN1_INTEGER_1
+				, asn1_simple_object(ASN1_SET, digestAlgorithm)
+				, pkcs7_build_contentInfo(&pkcs7Data)
+				, asn1_simple_object(ASN1_CONTEXT_C_0, cert->certificate)
+				, asn1_wrap(ASN1_SET, "m", signerInfo));
+
+	cInfo = pkcs7_build_contentInfo(&signedData);
+	DBG3("signedData %B", &cInfo);
+
+	free(pkcs7Data.content.ptr);
+	free(signedData.content.ptr);
+	return cInfo;
 }
 
-/*
+/**
  * create a symmetrically encrypted pkcs7 contentInfo object
  */
-chunk_t
-pkcs7_build_envelopedData(chunk_t data, const x509cert_t *cert, int cipher)
+chunk_t pkcs7_build_envelopedData(chunk_t data, const x509cert_t *cert, int enc_alg)
 {
-    bool des_check_key_save;
-    des_key_schedule ks[3];
-    des_cblock key[3], des_iv, des_iv_buf;
-
-    chunk_t iv = { (u_char *)des_iv_buf, DES_CBC_BLOCK_SIZE };
-    chunk_t out;
-    chunk_t cipher_oid;
-
-    u_int total_keys, i;
-    size_t padding = pad_up(data.len, DES_CBC_BLOCK_SIZE);
-
-    RSA_public_key_t public_key;
-
-    init_RSA_public_key(&public_key, cert->publicExponent
-				   , cert->modulus);
-
-    if (padding == 0)
-	padding += DES_CBC_BLOCK_SIZE;
-
-    out.len = data.len + padding;
-    out.ptr = alloc_bytes(out.len, "DES-encrypted output");
-
-    DBG(DBG_CONTROL,
-	DBG_log("padding %d bytes of data to multiple DES block size of %d bytes"
-		, (int)data.len, (int)out.len)
-    )
-
-    /* copy data */
-    memcpy(out.ptr, data.ptr, data.len);
-    /* append padding */
-    memset(out.ptr + data.len, padding, padding);
-
-    DBG(DBG_RAW,
-	DBG_dump_chunk("Padded unencrypted data:\n", out)
-    )
-
-    /* select OID and keylength for specified cipher */
-    switch (cipher)
-    {
-    case OID_DES_CBC:
-	 total_keys = 1;
-	 cipher_oid = ASN1_des_cbc_oid;
-	 break;
-    case OID_3DES_EDE_CBC:
-    default:
-	total_keys = 3;
-	cipher_oid = ASN1_3des_ede_cbc_oid;
-    }
-    DBG(DBG_CONTROLMORE,
-	DBG_log("pkcs7 encryption cipher: %s", oid_names[cipher].name)
-    )
-
-    /* generate a strong random key for DES/3DES */
-    des_check_key_save = des_check_key;
-    des_check_key = TRUE;
-    for (i = 0; i < total_keys;i++)
-    {
-	for (;;)
+	encryption_algorithm_t alg;
+	size_t alg_key_size;
+	chunk_t symmetricKey, protectedKey, iv, in, out;
+	crypter_t *crypter;
+
+	alg = encryption_algorithm_from_oid(enc_alg, &alg_key_size);
+	crypter = lib->crypto->create_crypter(lib->crypto, alg,
+										  alg_key_size/BITS_PER_BYTE);
+	if (crypter == NULL)
 	{
-	    get_rnd_bytes((char*)key[i], DES_CBC_BLOCK_SIZE);
-	    des_set_odd_parity(&key[i]);
-	    if (!des_set_key(&key[i], ks[i]))
-		break;
-	    plog("weak DES key discarded - we try again");
+		DBG1("crypter for %N not available", encryption_algorithm_names, alg);
+		return chunk_empty;
+	}
+
+	/* generate a true random symmetric encryption key and a pseudo-random iv */
+	{
+		rng_t *rng;
+		
+		rng = lib->crypto->create_rng(lib->crypto, RNG_TRUE);
+		rng->allocate_bytes(rng, crypter->get_key_size(crypter), &symmetricKey);
+		DBG4("symmetric encryption key %B", &symmetricKey);
+		rng->destroy(rng);
+
+		rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
+		rng->allocate_bytes(rng, crypter->get_block_size(crypter), &iv);
+		DBG4("initialization vector: %B", &iv);
+		rng->destroy(rng);
+	}
+
+	/* pad the data to a multiple of the block size */
+	{
+		size_t block_size = crypter->get_block_size(crypter);
+		size_t padding = block_size - data.len % block_size;
+
+		in.len = data.len + padding;
+		in.ptr = malloc(in.len);
+
+		DBG2("padding %u bytes of data to multiple block size of %u bytes",
+		 	 data.len, in.len);
+
+		/* copy data */
+		memcpy(in.ptr, data.ptr, data.len);
+		/* append padding */
+		memset(in.ptr + data.len, padding, padding);
+	}
+	DBG3("padded unencrypted data %B", &in);
+
+	/* symmetric encryption of data object */
+	crypter->set_key(crypter, symmetricKey);
+	crypter->encrypt(crypter, in, iv, &out);
+	crypter->destroy(crypter);
+    DBG3("encrypted data %B", &out);
+
+	cert->public_key->encrypt(cert->public_key, symmetricKey, &protectedKey);
+
+	/* build pkcs7 enveloped data object */ 
+	{
+		
+		chunk_t contentEncryptionAlgorithm = asn1_wrap(ASN1_SEQUENCE, "mm"
+					, asn1_build_known_oid(enc_alg)
+					, asn1_simple_object(ASN1_OCTET_STRING, iv));
+		
+		chunk_t encryptedContentInfo = asn1_wrap(ASN1_SEQUENCE, "cmm"
+					, ASN1_pkcs7_data_oid
+					, contentEncryptionAlgorithm
+					, asn1_wrap(ASN1_CONTEXT_S_0, "m", out));
+
+		chunk_t encryptedKey = asn1_wrap(ASN1_OCTET_STRING, "m"
+					, protectedKey);
+
+		chunk_t recipientInfo = asn1_wrap(ASN1_SEQUENCE, "cmcm"
+					, ASN1_INTEGER_0
+					, pkcs7_build_issuerAndSerialNumber(cert)
+					, asn1_algorithmIdentifier(OID_RSA_ENCRYPTION)
+					, encryptedKey);
+
+		chunk_t cInfo;
+		contentInfo_t envelopedData;
+
+		envelopedData.type = OID_PKCS7_ENVELOPED_DATA;
+		envelopedData.content = asn1_wrap(ASN1_SEQUENCE, "cmm"
+					, ASN1_INTEGER_0
+					, asn1_wrap(ASN1_SET, "m", recipientInfo)
+					, encryptedContentInfo);
+
+		cInfo = pkcs7_build_contentInfo(&envelopedData);
+		DBG3("envelopedData %B", &cInfo);
+
+		free(envelopedData.content.ptr);
+		free(symmetricKey.ptr);
+		free(in.ptr);
+		free(iv.ptr);
+		return cInfo;
 	}
-	DBG(DBG_PRIVATE,
-	    DBG_dump("DES key:", key[i], 8)
-	)
-    }
-    des_check_key = des_check_key_save;
-
-    /* generate an iv for DES/3DES CBC */
-    get_rnd_bytes(des_iv, DES_CBC_BLOCK_SIZE);
-    memcpy(iv.ptr, des_iv, DES_CBC_BLOCK_SIZE);
-    DBG(DBG_RAW,
-	DBG_dump_chunk("DES IV :", iv)
-    )
-
-    /* encryption using specified cipher */
-    switch (cipher)
-    {
-    case OID_DES_CBC:
-	des_cbc_encrypt((des_cblock*)out.ptr, (des_cblock*)out.ptr, out.len
-		       , ks[0], &des_iv, DES_ENCRYPT);
-	break;
-    case OID_3DES_EDE_CBC:
-    default:
-	des_ede3_cbc_encrypt((des_cblock*)out.ptr, (des_cblock*)out.ptr, out.len
-			    , ks[0], ks[1], ks[2], &des_iv, DES_ENCRYPT);	
-    }
-    DBG(DBG_RAW,
-	DBG_dump_chunk("Encrypted data:\n", out));
-	
-    /* build pkcs7 enveloped data object */ 
-    {
-	chunk_t contentEncryptionAlgorithm = asn1_wrap(ASN1_SEQUENCE, "cm"
-		    , cipher_oid
-		    , asn1_simple_object(ASN1_OCTET_STRING, iv));
-	
-	chunk_t encryptedContentInfo = asn1_wrap(ASN1_SEQUENCE, "cmm"
-		    , ASN1_pkcs7_data_oid
-		    , contentEncryptionAlgorithm
-		    , asn1_wrap(ASN1_CONTEXT_S_0, "m", out));
-
-        chunk_t plainKey = { (u_char *)key, DES_CBC_BLOCK_SIZE * total_keys };
-
-	chunk_t encryptedKey = asn1_wrap(ASN1_OCTET_STRING, "m"
-		    , RSA_encrypt(&public_key, plainKey));
-
-	chunk_t recipientInfo = asn1_wrap(ASN1_SEQUENCE, "cmcm"
-		    , ASN1_INTEGER_0
-		    , pkcs7_build_issuerAndSerialNumber(cert)
-		    , ASN1_rsaEncryption_id
-		    , encryptedKey);
-
-        chunk_t cInfo;
-	contentInfo_t envelopedData;
-
-        envelopedData.type = OID_PKCS7_ENVELOPED_DATA;
-	envelopedData.content = asn1_wrap(ASN1_SEQUENCE, "cmm"
-		    , ASN1_INTEGER_0
-		    , asn1_wrap(ASN1_SET, "m", recipientInfo)
-		    , encryptedContentInfo);
-
-	cInfo = pkcs7_build_contentInfo(&envelopedData);
-	DBG(DBG_RAW,
-	    DBG_dump_chunk("envelopedData:\n", cInfo)
-	)
-
-	free_RSA_public_content(&public_key);
-	freeanychunk(envelopedData.content);
-	return cInfo;
-    }
 }
diff --git a/src/pluto/pkcs7.h b/src/pluto/pkcs7.h
index a577f8022..028822dfe 100644
--- a/src/pluto/pkcs7.h
+++ b/src/pluto/pkcs7.h
@@ -1,6 +1,7 @@
 /* Support of PKCS#7 data structures
  * Copyright (C) 2005 Jan Hutter, Martin Willi
- * Copyright (C) 2002-2005 Andreas Steffen
+ * Copyright (C) 2002-2009 Andreas Steffen
+ *
  * Hochschule fuer Technik Rapperswil, Switzerland
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -12,15 +13,14 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: pkcs7.h 3252 2007-10-06 21:24:50Z andreas $
  */
 
 #ifndef _PKCS7_H
 #define _PKCS7_H
 
+#include <crypto/crypters/crypter.h>
+#include <credentials/keys/private_key.h>
 #include "defs.h"
-#include "pkcs1.h"
 #include "x509.h"
 
 /* Access structure for a PKCS#7 ContentInfo object */
@@ -28,24 +28,24 @@
 typedef struct contentInfo contentInfo_t;
 
 struct contentInfo {
-    int     type;
-    chunk_t content;
+	int     type;
+	chunk_t content;
 };
 
 extern const contentInfo_t empty_contentInfo;
 
-extern bool pkcs7_parse_contentInfo(chunk_t blob, u_int level0
-    , contentInfo_t *cInfo);
-extern bool pkcs7_parse_signedData(chunk_t blob, contentInfo_t *data
-    , x509cert_t **cert, chunk_t *attributes, const x509cert_t *cacert);
-extern bool pkcs7_parse_envelopedData(chunk_t blob, chunk_t *data
-    , chunk_t serialNumber, const RSA_private_key_t *key);
+extern bool pkcs7_parse_contentInfo(chunk_t blob, u_int level0,
+	contentInfo_t *cInfo);
+extern bool pkcs7_parse_signedData(chunk_t blob, contentInfo_t *data,
+	x509cert_t **cert, chunk_t *attributes, const x509cert_t *cacert);
+extern bool pkcs7_parse_envelopedData(chunk_t blob, chunk_t *data,
+	chunk_t serialNumber, private_key_t *key);
 extern chunk_t pkcs7_contentType_attribute(void);
 extern chunk_t pkcs7_messageDigest_attribute(chunk_t content, int digest_alg);
 extern chunk_t pkcs7_build_issuerAndSerialNumber(const x509cert_t *cert);
-extern chunk_t pkcs7_build_signedData(chunk_t data, chunk_t attributes
-    ,const x509cert_t *cert, int digest_alg, const RSA_private_key_t *key);
-extern chunk_t pkcs7_build_envelopedData(chunk_t data, const x509cert_t *cert
-    , int cipher);
+extern chunk_t pkcs7_build_signedData(chunk_t data, chunk_t attributes,
+	const x509cert_t *cert, int digest_alg, private_key_t *key);
+extern chunk_t pkcs7_build_envelopedData(chunk_t data, const x509cert_t *cert,
+	int enc_alg);
 
 #endif /* _PKCS7_H */
diff --git a/src/pluto/plutomain.c b/src/pluto/plutomain.c
index a39934f1f..39367cafa 100644
--- a/src/pluto/plutomain.c
+++ b/src/pluto/plutomain.c
@@ -1,6 +1,7 @@
 /* Pluto main program
  * Copyright (C) 1997 Angelos D. Keromytis.
- * Copyright (C) 1998-2001  D. Hugh Redelmeier.
+ * Copyright (C) 1998-2001 D. Hugh Redelmeier.
+ * Copyright (C) 2009 Andreas Steffen - Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -11,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: plutomain.c 4313 2008-08-29 09:24:14Z martin $
  */
 
 #include <stdio.h>
@@ -27,7 +26,7 @@
 #include <fcntl.h>
 #include <getopt.h>
 #include <resolv.h>
-#include <arpa/nameser.h>	/* missing from <resolv.h> on old systems */
+#include <arpa/nameser.h>       /* missing from <resolv.h> on old systems */
 #include <sys/queue.h>
 #include <sys/prctl.h>
 #include <pwd.h>
@@ -39,6 +38,16 @@
 
 #include <freeswan.h>
 
+#include <library.h>
+#include <debug.h>
+#include <utils/enumerator.h>
+#include <utils/optionsfrom.h>
+
+#ifdef INTEGRITY_TEST
+#include <fips/fips.h>
+#include <fips/fips_signature.h>
+#endif /* INTEGRITY_TEST */
+
 #include <pfkeyv2.h>
 #include <pfkey.h>
 
@@ -51,91 +60,88 @@
 #include "connections.h"
 #include "foodgroups.h"
 #include "packet.h"
-#include "demux.h"	/* needs packet.h */
+#include "demux.h"      /* needs packet.h */
 #include "server.h"
 #include "kernel.h"
 #include "log.h"
 #include "keys.h"
-#include "adns.h"	/* needs <resolv.h> */
-#include "dnskey.h"	/* needs keys.h and adns.h */
-#include "rnd.h"
+#include "adns.h"       /* needs <resolv.h> */
+#include "dnskey.h"     /* needs keys.h and adns.h */
 #include "state.h"
-#include "ipsec_doi.h"	/* needs demux.h and state.h */
+#include "ipsec_doi.h"  /* needs demux.h and state.h */
 #include "ocsp.h"
 #include "crl.h"
 #include "fetch.h"
 #include "xauth.h"
-#include "sha1.h"
-#include "md5.h"
-#include "crypto.h"	/* requires sha1.h and md5.h */
+#include "crypto.h"
 #include "nat_traversal.h"
 #include "virtual.h"
+#include "timer.h"
+#include "vendor.h"
 
-static void
-usage(const char *mess)
+static void usage(const char *mess)
 {
-    if (mess != NULL && *mess != '\0')
-	fprintf(stderr, "%s\n", mess);
-    fprintf(stderr
-	, "Usage: pluto"
-	    " [--help]"
-	    " [--version]"
-	    " [--optionsfrom <filename>]"
-	    " \\\n\t"
-	    "[--nofork]"
-	    " [--stderrlog]"
-	    " [--noklips]"
-	    " [--nocrsend]"
-	    " \\\n\t"
-	    "[--strictcrlpolicy]"
-	    " [--crlcheckinterval <interval>]"
-	    " [--cachecrls]"
-	    " [--uniqueids]"
-	    " \\\n\t"
-	    "[--interface <ifname>]"
-	    " [--ikeport <port-number>]"
-	    " \\\n\t"
-	    "[--ctlbase <path>]"
-	    " \\\n\t"
-	    "[--perpeerlogbase <path>] [--perpeerlog]"
-	    " \\\n\t"
-	    "[--secretsfile <secrets-file>]"
-	    " [--policygroupsdir <policygroups-dir>]"
-	    " \\\n\t"
-	    "[--adns <pathname>]"
-	    "[--pkcs11module <path>]"
-	    "[--pkcs11keepstate]"
-	    "[--pkcs11initargs <string>]"
+	if (mess != NULL && *mess != '\0')
+		fprintf(stderr, "%s\n", mess);
+	fprintf(stderr
+		, "Usage: pluto"
+			" [--help]"
+			" [--version]"
+			" [--optionsfrom <filename>]"
+			" \\\n\t"
+			"[--nofork]"
+			" [--stderrlog]"
+			" [--noklips]"
+			" [--nocrsend]"
+			" \\\n\t"
+			"[--strictcrlpolicy]"
+			" [--crlcheckinterval <interval>]"
+			" [--cachecrls]"
+			" [--uniqueids]"
+			" \\\n\t"
+			"[--interface <ifname>]"
+			" [--ikeport <port-number>]"
+			" \\\n\t"
+			"[--ctlbase <path>]"
+			" \\\n\t"
+			"[--perpeerlogbase <path>] [--perpeerlog]"
+			" \\\n\t"
+			"[--secretsfile <secrets-file>]"
+			" [--policygroupsdir <policygroups-dir>]"
+			" \\\n\t"
+			"[--adns <pathname>]"
+			"[--pkcs11module <path>]"
+			"[--pkcs11keepstate]"
+			"[--pkcs11initargs <string>]"
 #ifdef DEBUG
-	    " \\\n\t"
-	    "[--debug-none]"
-	    " [--debug-all]"
-	    " \\\n\t"
-	    "[--debug-raw]"
-	    " [--debug-crypt]"
-	    " [--debug-parsing]"
-	    " [--debug-emitting]"
-	    " \\\n\t"
-	    "[--debug-control]"
-	    " [--debug-lifecycle]"
-	    " [--debug-klips]"
-	    " [--debug-dns]"
-	    " \\\n\t"
-	    "[--debug-oppo]"
-	    " [--debug-controlmore]"
-	    " [--debug-private]"
+			" \\\n\t"
+			"[--debug-none]"
+			" [--debug-all]"
+			" \\\n\t"
+			"[--debug-raw]"
+			" [--debug-crypt]"
+			" [--debug-parsing]"
+			" [--debug-emitting]"
+			" \\\n\t"
+			"[--debug-control]"
+			" [--debug-lifecycle]"
+			" [--debug-klips]"
+			" [--debug-dns]"
+			" \\\n\t"
+			"[--debug-oppo]"
+			" [--debug-controlmore]"
+			" [--debug-private]"
+			" [--debug-natt]"
 #endif
-	    " [ --debug-natt]"
-	    " \\\n\t"
-	    "[--nat_traversal] [--keep_alive <delay_sec>]"
-	    " \\\n\t"
-	    "[--force_keepalive] [--disable_port_floating]"
-	   " \\\n\t"
-	   "[--virtual_private <network_list>]"
-	    "\n"
-	"strongSwan %s\n"
-	, ipsec_version_code());
-    exit_pluto(mess == NULL? 0 : 1);
+ 		    " \\\n\t"
+			"[--nat_traversal] [--keep_alive <delay_sec>]"
+			" \\\n\t"
+			"[--force_keepalive] [--disable_port_floating]"
+		    " \\\n\t"
+		    "[--virtual_private <network_list>]"
+			"\n"
+		    "strongSwan "VERSION"\n");
+	exit_pluto(mess == NULL? 0 : 1);
 }
 
 
@@ -150,53 +156,51 @@ static char pluto_lock[sizeof(ctl_addr.sun_path)] = DEFAULT_CTLBASE LOCK_SUFFIX;
 static bool pluto_lock_created = FALSE;
 
 /* create lockfile, or die in the attempt */
-static int
-create_lock(void)
+static int create_lock(void)
 {
-    int fd = open(pluto_lock, O_WRONLY | O_CREAT | O_EXCL | O_TRUNC
-	, S_IRUSR | S_IRGRP | S_IROTH);
+	int fd = open(pluto_lock, O_WRONLY | O_CREAT | O_EXCL | O_TRUNC
+		, S_IRUSR | S_IRGRP | S_IROTH);
 
-    if (fd < 0)
-    {
-	if (errno == EEXIST)
+	if (fd < 0)
 	{
-	    fprintf(stderr, "pluto: lock file \"%s\" already exists\n"
-		, pluto_lock);
-	    exit_pluto(10);
+		if (errno == EEXIST)
+		{
+			fprintf(stderr, "pluto: lock file \"%s\" already exists\n"
+				, pluto_lock);
+			exit_pluto(10);
+		}
+		else
+		{
+			fprintf(stderr
+				, "pluto: unable to create lock file \"%s\" (%d %s)\n"
+				, pluto_lock, errno, strerror(errno));
+			exit_pluto(1);
+		}
 	}
-	else
-	{
-	    fprintf(stderr
-		, "pluto: unable to create lock file \"%s\" (%d %s)\n"
-		, pluto_lock, errno, strerror(errno));
-	    exit_pluto(1);
-	}
-    }
-    pluto_lock_created = TRUE;
-    return fd;
+	pluto_lock_created = TRUE;
+	return fd;
 }
 
-static bool
-fill_lock(int lockfd, pid_t pid)
+static bool fill_lock(int lockfd, pid_t pid)
 {
-    char buf[30];	/* holds "<pid>\n" */
-    int len = snprintf(buf, sizeof(buf), "%u\n", (unsigned int) pid);
-    bool ok = len > 0 && write(lockfd, buf, len) == len;
+	char buf[30];       /* holds "<pid>\n" */
+	int len = snprintf(buf, sizeof(buf), "%u\n", (unsigned int) pid);
+	bool ok = len > 0 && write(lockfd, buf, len) == len;
 
-    close(lockfd);
-    return ok;
+	close(lockfd);
+	return ok;
 }
 
-static void
-delete_lock(void)
+static void delete_lock(void)
 {
-    if (pluto_lock_created)
-    {
-	delete_ctl_socket();
-	unlink(pluto_lock);	/* is noting failure useful? */
-    }
+	if (pluto_lock_created)
+	{
+		delete_ctl_socket();
+		unlink(pluto_lock);     /* is noting failure useful? */
+	}
 }
 
+
 /* by default pluto sends certificate requests to its peers */
 bool no_cr_send = FALSE;
 
@@ -223,459 +227,504 @@ bool pkcs11_proxy = FALSE;
  */
 static const char *pkcs11_init_args = NULL;
 
-int
-main(int argc, char **argv)
+/* options read by optionsfrom */
+options_t *options;
+
+/**
+ * Log loaded plugins
+ */
+static void print_plugins()
+{
+	char buf[BUF_LEN], *plugin;
+	int len = 0;
+	enumerator_t *enumerator;
+	
+	buf[0] = '\0';	
+	enumerator = lib->plugins->create_plugin_enumerator(lib->plugins);
+	while (len < BUF_LEN && enumerator->enumerate(enumerator, &plugin))
+	{
+		len += snprintf(&buf[len], BUF_LEN-len, "%s ", plugin);
+	}
+	enumerator->destroy(enumerator);
+	DBG1("loaded plugins: %s", buf);
+}
+
+int main(int argc, char **argv)
 {
-    bool fork_desired = TRUE;
-    bool log_to_stderr_desired = FALSE;
-    bool nat_traversal = FALSE;
-    bool nat_t_spf = TRUE;  /* support port floating */
-    unsigned int keep_alive = 0;
-    bool force_keepalive = FALSE;
-    char *virtual_private = NULL;
-    int lockfd;
+	bool fork_desired = TRUE;
+	bool log_to_stderr_desired = FALSE;
+	bool nat_traversal = FALSE;
+	bool nat_t_spf = TRUE;  /* support port floating */
+	unsigned int keep_alive = 0;
+	bool force_keepalive = FALSE;
+	char *virtual_private = NULL;
+	int lockfd;
 #ifdef CAPABILITIES
-    cap_t caps;
-    int keep[] = { CAP_NET_ADMIN, CAP_NET_BIND_SERVICE };
+	cap_t caps;
+	int keep[] = { CAP_NET_ADMIN, CAP_NET_BIND_SERVICE };
 #endif /* CAPABILITIES */
 
-    /* handle arguments */
-    for (;;)
-    {
-#	define DBG_OFFSET 256
-	static const struct option long_opts[] = {
-	    /* name, has_arg, flag, val */
-	    { "help", no_argument, NULL, 'h' },
-	    { "version", no_argument, NULL, 'v' },
-	    { "optionsfrom", required_argument, NULL, '+' },
-	    { "nofork", no_argument, NULL, 'd' },
-	    { "stderrlog", no_argument, NULL, 'e' },
-	    { "noklips", no_argument, NULL, 'n' },
-	    { "nocrsend", no_argument, NULL, 'c' },
-	    { "strictcrlpolicy", no_argument, NULL, 'r' },
-	    { "crlcheckinterval", required_argument, NULL, 'x'},
-	    { "cachecrls", no_argument, NULL, 'C' },
-	    { "uniqueids", no_argument, NULL, 'u' },
-	    { "interface", required_argument, NULL, 'i' },
-	    { "ikeport", required_argument, NULL, 'p' },
-	    { "ctlbase", required_argument, NULL, 'b' },
-	    { "secretsfile", required_argument, NULL, 's' },
-	    { "foodgroupsdir", required_argument, NULL, 'f' },
-	    { "perpeerlogbase", required_argument, NULL, 'P' },
-	    { "perpeerlog", no_argument, NULL, 'l' },
-	    { "policygroupsdir", required_argument, NULL, 'f' },
+	/* initialize library and optionsfrom */
+	library_init(STRONGSWAN_CONF);
+	options = options_create();
+
+	/* handle arguments */
+	for (;;)
+	{
+#       define DBG_OFFSET 256
+		static const struct option long_opts[] = {
+			/* name, has_arg, flag, val */
+			{ "help", no_argument, NULL, 'h' },
+			{ "version", no_argument, NULL, 'v' },
+			{ "optionsfrom", required_argument, NULL, '+' },
+			{ "nofork", no_argument, NULL, 'd' },
+			{ "stderrlog", no_argument, NULL, 'e' },
+			{ "noklips", no_argument, NULL, 'n' },
+			{ "nocrsend", no_argument, NULL, 'c' },
+			{ "strictcrlpolicy", no_argument, NULL, 'r' },
+			{ "crlcheckinterval", required_argument, NULL, 'x'},
+			{ "cachecrls", no_argument, NULL, 'C' },
+			{ "uniqueids", no_argument, NULL, 'u' },
+			{ "interface", required_argument, NULL, 'i' },
+			{ "ikeport", required_argument, NULL, 'p' },
+			{ "ctlbase", required_argument, NULL, 'b' },
+			{ "secretsfile", required_argument, NULL, 's' },
+			{ "foodgroupsdir", required_argument, NULL, 'f' },
+			{ "perpeerlogbase", required_argument, NULL, 'P' },
+			{ "perpeerlog", no_argument, NULL, 'l' },
+			{ "policygroupsdir", required_argument, NULL, 'f' },
 #ifdef USE_LWRES
-	    { "lwdnsq", required_argument, NULL, 'a' },
+			{ "lwdnsq", required_argument, NULL, 'a' },
 #else /* !USE_LWRES */
-	    { "adns", required_argument, NULL, 'a' },
+			{ "adns", required_argument, NULL, 'a' },
 #endif /* !USE_LWRES */
-	    { "pkcs11module", required_argument, NULL, 'm' },
-	    { "pkcs11keepstate", no_argument, NULL, 'k' },
-	    { "pkcs11initargs", required_argument, NULL, 'z' },
-	    { "pkcs11proxy", no_argument, NULL, 'y' },
-	    { "nat_traversal", no_argument, NULL, '1' },
-	    { "keep_alive", required_argument, NULL, '2' },
-	    { "force_keepalive", no_argument, NULL, '3' },
-	    { "disable_port_floating", no_argument, NULL, '4' },
-	    { "debug-natt", no_argument, NULL, '5' },
-	    { "virtual_private", required_argument, NULL, '6' },
+			{ "pkcs11module", required_argument, NULL, 'm' },
+			{ "pkcs11keepstate", no_argument, NULL, 'k' },
+			{ "pkcs11initargs", required_argument, NULL, 'z' },
+			{ "pkcs11proxy", no_argument, NULL, 'y' },
+			{ "nat_traversal", no_argument, NULL, '1' },
+			{ "keep_alive", required_argument, NULL, '2' },
+			{ "force_keepalive", no_argument, NULL, '3' },
+			{ "disable_port_floating", no_argument, NULL, '4' },
+			{ "debug-natt", no_argument, NULL, '5' },
+			{ "virtual_private", required_argument, NULL, '6' },
 #ifdef DEBUG
-	    { "debug-none", no_argument, NULL, 'N' },
-	    { "debug-all", no_argument, NULL, 'A' },
-	    { "debug-raw", no_argument, NULL, DBG_RAW + DBG_OFFSET },
-	    { "debug-crypt", no_argument, NULL, DBG_CRYPT + DBG_OFFSET },
-	    { "debug-parsing", no_argument, NULL, DBG_PARSING + DBG_OFFSET },
-	    { "debug-emitting", no_argument, NULL, DBG_EMITTING + DBG_OFFSET },
-	    { "debug-control", no_argument, NULL, DBG_CONTROL + DBG_OFFSET },
-	    { "debug-lifecycle", no_argument, NULL, DBG_LIFECYCLE + DBG_OFFSET },
-	    { "debug-klips", no_argument, NULL, DBG_KLIPS + DBG_OFFSET },
-	    { "debug-dns", no_argument, NULL, DBG_DNS + DBG_OFFSET },
-	    { "debug-oppo", no_argument, NULL, DBG_OPPO + DBG_OFFSET },
-	    { "debug-controlmore", no_argument, NULL, DBG_CONTROLMORE + DBG_OFFSET },
-	    { "debug-private", no_argument, NULL, DBG_PRIVATE + DBG_OFFSET },
-
-	    { "impair-delay-adns-key-answer", no_argument, NULL, IMPAIR_DELAY_ADNS_KEY_ANSWER + DBG_OFFSET },
-	    { "impair-delay-adns-txt-answer", no_argument, NULL, IMPAIR_DELAY_ADNS_TXT_ANSWER + DBG_OFFSET },
-	    { "impair-bust-mi2", no_argument, NULL, IMPAIR_BUST_MI2 + DBG_OFFSET },
-	    { "impair-bust-mr2", no_argument, NULL, IMPAIR_BUST_MR2 + DBG_OFFSET },
+			{ "debug-none", no_argument, NULL, 'N' },
+			{ "debug-all", no_argument, NULL, 'A' },
+			{ "debug-raw", no_argument, NULL, DBG_RAW + DBG_OFFSET },
+			{ "debug-crypt", no_argument, NULL, DBG_CRYPT + DBG_OFFSET },
+			{ "debug-parsing", no_argument, NULL, DBG_PARSING + DBG_OFFSET },
+			{ "debug-emitting", no_argument, NULL, DBG_EMITTING + DBG_OFFSET },
+			{ "debug-control", no_argument, NULL, DBG_CONTROL + DBG_OFFSET },
+			{ "debug-lifecycle", no_argument, NULL, DBG_LIFECYCLE + DBG_OFFSET },
+			{ "debug-klips", no_argument, NULL, DBG_KLIPS + DBG_OFFSET },
+			{ "debug-dns", no_argument, NULL, DBG_DNS + DBG_OFFSET },
+			{ "debug-oppo", no_argument, NULL, DBG_OPPO + DBG_OFFSET },
+			{ "debug-controlmore", no_argument, NULL, DBG_CONTROLMORE + DBG_OFFSET },
+			{ "debug-private", no_argument, NULL, DBG_PRIVATE + DBG_OFFSET },
+
+			{ "impair-delay-adns-key-answer", no_argument, NULL, IMPAIR_DELAY_ADNS_KEY_ANSWER + DBG_OFFSET },
+			{ "impair-delay-adns-txt-answer", no_argument, NULL, IMPAIR_DELAY_ADNS_TXT_ANSWER + DBG_OFFSET },
+			{ "impair-bust-mi2", no_argument, NULL, IMPAIR_BUST_MI2 + DBG_OFFSET },
+			{ "impair-bust-mr2", no_argument, NULL, IMPAIR_BUST_MR2 + DBG_OFFSET },
 #endif
-	    { 0,0,0,0 }
-	    };
-	/* Note: we don't like the way short options get parsed
-	 * by getopt_long, so we simply pass an empty string as
-	 * the list.  It could be "hvdenp:l:s:" "NARXPECK".
-	 */
-	int c = getopt_long(argc, argv, "", long_opts, NULL);
-
-	/* Note: "breaking" from case terminates loop */
-	switch (c)
-	{
-	case EOF:	/* end of flags */
-	    break;
-
-	case 0: /* long option already handled */
-	    continue;
-
-	case ':':	/* diagnostic already printed by getopt_long */
-	case '?':	/* diagnostic already printed by getopt_long */
-	    usage("");
-	    break;   /* not actually reached */
-
-	case 'h':	/* --help */
-	    usage(NULL);
-	    break;	/* not actually reached */
-
-	case 'v':	/* --version */
-	    {
-		const char **sp = ipsec_copyright_notice();
-
-		printf("%s%s\n", ipsec_version_string(),
-				 compile_time_interop_options);
-		for (; *sp != NULL; sp++)
-		    puts(*sp);
-	    }
-	    exit_pluto(0);
-	    break;	/* not actually reached */
-
-	case '+':	/* --optionsfrom <filename> */
-	    optionsfrom(optarg, &argc, &argv, optind, stderr);
-	    /* does not return on error */
-	    continue;
-
-	case 'd':	/* --nofork*/
-	    fork_desired = FALSE;
-	    continue;
-
-	case 'e':	/* --stderrlog */
-	    log_to_stderr_desired = TRUE;
-	    continue;
-
-	case 'n':	/* --noklips */
-	    no_klips = TRUE;
-	    continue;
-
-	case 'c':	/* --nocrsend */
-	    no_cr_send = TRUE;
-	    continue;
-
-	case 'r':	/* --strictcrlpolicy */
-	    strict_crl_policy = TRUE;
-	    continue;
-
-	case 'x':	/* --crlcheckinterval <time>*/
-            if (optarg == NULL || !isdigit(optarg[0]))
-                usage("missing interval time");
-
-            {
-                char *endptr;
-                long interval = strtol(optarg, &endptr, 0);
-
-                if (*endptr != '\0' || endptr == optarg
-                || interval <= 0)
-                    usage("<interval-time> must be a positive number");
-                crl_check_interval = interval;
-            }
-	    continue;
-
-	case 'C':	/* --cachecrls */
-	    cache_crls = TRUE;
-	    continue;
-
-	case 'u':	/* --uniqueids */
-	    uniqueIDs = TRUE;
-	    continue;
-
-	case 'i':	/* --interface <ifname> */
-	    if (!use_interface(optarg))
-		usage("too many --interface specifications");
-	    continue;
-
-	case 'p':	/* --port <portnumber> */
-	    if (optarg == NULL || !isdigit(optarg[0]))
-		usage("missing port number");
-
-	    {
-		char *endptr;
-		long port = strtol(optarg, &endptr, 0);
-
-		if (*endptr != '\0' || endptr == optarg
-		|| port <= 0 || port > 0x10000)
-		    usage("<port-number> must be a number between 1 and 65535");
-		pluto_port = port;
-	    }
-	    continue;
-
-	case 'b':	/* --ctlbase <path> */
-	    if (snprintf(ctl_addr.sun_path, sizeof(ctl_addr.sun_path)
-	    , "%s%s", optarg, CTL_SUFFIX) == -1)
-		usage("<path>" CTL_SUFFIX " too long for sun_path");
-	    if (snprintf(info_addr.sun_path, sizeof(info_addr.sun_path)
-	    , "%s%s", optarg, INFO_SUFFIX) == -1)
-		usage("<path>" INFO_SUFFIX " too long for sun_path");
-	    if (snprintf(pluto_lock, sizeof(pluto_lock)
-	    , "%s%s", optarg, LOCK_SUFFIX) == -1)
-		usage("<path>" LOCK_SUFFIX " must fit");
-	    continue;
-
-	case 's':	/* --secretsfile <secrets-file> */
-	    shared_secrets_file = optarg;
-	    continue;
-
-	case 'f':	/* --policygroupsdir <policygroups-dir> */
-	    policygroups_dir = optarg;
-	    continue;
-
-	case 'a':	/* --adns <pathname> */
-	    pluto_adns_option = optarg;
-	    continue;
-
-	case 'm':	/* --pkcs11module <pathname> */
-	    pkcs11_module_path = optarg;
-	    continue;
-
-	case 'k':	/* --pkcs11keepstate */
-	    pkcs11_keep_state = TRUE;
-	    continue;
-
-	case 'y':	/* --pkcs11proxy */
-	    pkcs11_proxy = TRUE;
-	    continue;
-
-	case 'z':	/* --pkcs11initargs */
-	    pkcs11_init_args = optarg;
-	    continue;
+			{ 0,0,0,0 }
+			};
+		/* Note: we don't like the way short options get parsed
+		 * by getopt_long, so we simply pass an empty string as
+		 * the list.  It could be "hvdenp:l:s:" "NARXPECK".
+		 */
+		int c = getopt_long(argc, argv, "", long_opts, NULL);
+
+		/* Note: "breaking" from case terminates loop */
+		switch (c)
+		{
+		case EOF:       /* end of flags */
+			break;
+
+		case 0: /* long option already handled */
+			continue;
+
+		case ':':       /* diagnostic already printed by getopt_long */
+		case '?':       /* diagnostic already printed by getopt_long */
+			usage("");
+			break;   /* not actually reached */
+
+		case 'h':       /* --help */
+			usage(NULL);
+			break;      /* not actually reached */
+
+		case 'v':       /* --version */
+			{
+				const char **sp = ipsec_copyright_notice();
+
+				printf("strongSwan "VERSION"%s\n", compile_time_interop_options);
+				for (; *sp != NULL; sp++)
+					puts(*sp);
+			}
+			exit_pluto(0);
+			break;      /* not actually reached */
+
+		case '+':       /* --optionsfrom <filename> */
+			if (!options->from(options, optarg, &argc, &argv, optind))
+			{
+				exit_pluto(1);
+			}
+			continue;
+
+		case 'd':       /* --nofork*/
+			fork_desired = FALSE;
+			continue;
+
+		case 'e':       /* --stderrlog */
+			log_to_stderr_desired = TRUE;
+			continue;
+
+		case 'n':       /* --noklips */
+			no_klips = TRUE;
+			continue;
+
+		case 'c':       /* --nocrsend */
+			no_cr_send = TRUE;
+			continue;
+
+		case 'r':       /* --strictcrlpolicy */
+			strict_crl_policy = TRUE;
+			continue;
+
+		case 'x':       /* --crlcheckinterval <time>*/
+			if (optarg == NULL || !isdigit(optarg[0]))
+				usage("missing interval time");
+
+			{
+				char *endptr;
+				long interval = strtol(optarg, &endptr, 0);
+
+				if (*endptr != '\0' || endptr == optarg
+				|| interval <= 0)
+					usage("<interval-time> must be a positive number");
+				crl_check_interval = interval;
+			}
+			continue;
+
+		case 'C':       /* --cachecrls */
+			cache_crls = TRUE;
+			continue;
+
+		case 'u':       /* --uniqueids */
+			uniqueIDs = TRUE;
+			continue;
+
+		case 'i':       /* --interface <ifname> */
+			if (!use_interface(optarg))
+				usage("too many --interface specifications");
+			continue;
+
+		case 'p':       /* --port <portnumber> */
+			if (optarg == NULL || !isdigit(optarg[0]))
+				usage("missing port number");
+
+			{
+				char *endptr;
+				long port = strtol(optarg, &endptr, 0);
+
+				if (*endptr != '\0' || endptr == optarg
+				|| port <= 0 || port > 0x10000)
+					usage("<port-number> must be a number between 1 and 65535");
+				pluto_port = port;
+			}
+			continue;
+
+		case 'b':       /* --ctlbase <path> */
+			if (snprintf(ctl_addr.sun_path, sizeof(ctl_addr.sun_path)
+			, "%s%s", optarg, CTL_SUFFIX) == -1)
+				usage("<path>" CTL_SUFFIX " too long for sun_path");
+			if (snprintf(info_addr.sun_path, sizeof(info_addr.sun_path)
+			, "%s%s", optarg, INFO_SUFFIX) == -1)
+				usage("<path>" INFO_SUFFIX " too long for sun_path");
+			if (snprintf(pluto_lock, sizeof(pluto_lock)
+			, "%s%s", optarg, LOCK_SUFFIX) == -1)
+				usage("<path>" LOCK_SUFFIX " must fit");
+			continue;
+
+		case 's':       /* --secretsfile <secrets-file> */
+			shared_secrets_file = optarg;
+			continue;
+
+		case 'f':       /* --policygroupsdir <policygroups-dir> */
+			policygroups_dir = optarg;
+			continue;
+
+		case 'a':       /* --adns <pathname> */
+			pluto_adns_option = optarg;
+			continue;
+
+		case 'm':       /* --pkcs11module <pathname> */
+			pkcs11_module_path = optarg;
+			continue;
+
+		case 'k':       /* --pkcs11keepstate */
+			pkcs11_keep_state = TRUE;
+			continue;
+
+		case 'y':       /* --pkcs11proxy */
+			pkcs11_proxy = TRUE;
+			continue;
+
+		case 'z':       /* --pkcs11initargs */
+			pkcs11_init_args = optarg;
+			continue;
 
 #ifdef DEBUG
-	case 'N':	/* --debug-none */
-	    base_debugging = DBG_NONE;
-	    continue;
+		case 'N':       /* --debug-none */
+			base_debugging = DBG_NONE;
+			continue;
 
-	case 'A':	/* --debug-all */
-	    base_debugging = DBG_ALL;
-	    continue;
+		case 'A':       /* --debug-all */
+			base_debugging = DBG_ALL;
+			continue;
 #endif
 
-	case 'P':       /* --perpeerlogbase */
-	    base_perpeer_logdir = optarg;
-	    continue;
-
-	case 'l':
-	    log_to_perpeer = TRUE;
-	    continue;
-
-	case '1':	/* --nat_traversal */
-	    nat_traversal = TRUE;
-	    continue;
-	case '2':	/* --keep_alive */
-	    keep_alive = atoi(optarg);
-	    continue;
-	case '3':	/* --force_keepalive */
-	    force_keepalive = TRUE;
-	    continue;
-	case '4':	/* --disable_port_floating */
-	    nat_t_spf = FALSE;
-	    continue;
-	case '5':	/* --debug-nat_t */
-	    base_debugging |= DBG_NATT;
-	    continue;
-	case '6':	/* --virtual_private */
-	    virtual_private = optarg;
-	    continue;
-
-	default:
+		case 'P':       /* --perpeerlogbase */
+			base_perpeer_logdir = optarg;
+			continue;
+
+		case 'l':
+			log_to_perpeer = TRUE;
+			continue;
+
+		case '1':       /* --nat_traversal */
+			nat_traversal = TRUE;
+			continue;
+		case '2':       /* --keep_alive */
+			keep_alive = atoi(optarg);
+			continue;
+		case '3':       /* --force_keepalive */
+			force_keepalive = TRUE;
+			continue;
+		case '4':       /* --disable_port_floating */
+			nat_t_spf = FALSE;
+			continue;
+		case '5':       /* --debug-nat_t */
+			base_debugging |= DBG_NATT;
+			continue;
+		case '6':       /* --virtual_private */
+			virtual_private = optarg;
+			continue;
+
+		default:
 #ifdef DEBUG
-	    if (c >= DBG_OFFSET)
-	    {
-		base_debugging |= c - DBG_OFFSET;
-		continue;
-	    }
-#	undef DBG_OFFSET
+			if (c >= DBG_OFFSET)
+			{
+				base_debugging |= c - DBG_OFFSET;
+				continue;
+			}
+#       undef DBG_OFFSET
 #endif
-	    bad_case(c);
+			bad_case(c);
+		}
+		break;
 	}
-	break;
-    }
-    if (optind != argc)
-	usage("unexpected argument");
-    reset_debugging();
-    lockfd = create_lock();
+	if (optind != argc)
+		usage("unexpected argument");
+	reset_debugging();
+	lockfd = create_lock();
 
-    /* select between logging methods */
+	/* select between logging methods */
 
-    if (log_to_stderr_desired)
-	log_to_syslog = FALSE;
-    else
-	log_to_stderr = FALSE;
+	if (log_to_stderr_desired)
+	{
+		log_to_syslog = FALSE;
+	}
+	else
+	{
+		log_to_stderr = FALSE;
+	}
 
-    /* set the logging function of pfkey debugging */
+	/* set the logging function of pfkey debugging */
 #ifdef DEBUG
-    pfkey_debug_func = DBG_log;
+	pfkey_debug_func = DBG_log;
 #else
-    pfkey_debug_func = NULL;
+	pfkey_debug_func = NULL;
 #endif
 
-    /* create control socket.
-     * We must create it before the parent process returns so that
-     * there will be no race condition in using it.  The easiest
-     * place to do this is before the daemon fork.
-     */
-    {
-	err_t ugh = init_ctl_socket();
-
-	if (ugh != NULL)
+	/* create control socket.
+	 * We must create it before the parent process returns so that
+	 * there will be no race condition in using it.  The easiest
+	 * place to do this is before the daemon fork.
+	 */
 	{
-	    fprintf(stderr, "pluto: %s", ugh);
-	    exit_pluto(1);
+		err_t ugh = init_ctl_socket();
+
+		if (ugh != NULL)
+		{
+			fprintf(stderr, "pluto: %s", ugh);
+			exit_pluto(1);
+		}
 	}
-    }
 
-    /* If not suppressed, do daemon fork */
+	/* If not suppressed, do daemon fork */
 
-    if (fork_desired)
-    {
+	if (fork_desired)
 	{
-	    pid_t pid = fork();
+		{
+			pid_t pid = fork();
+
+			if (pid < 0)
+			{
+				int e = errno;
+
+				fprintf(stderr, "pluto: fork failed (%d %s)\n",
+					errno, strerror(e));
+				exit_pluto(1);
+			}
+
+			if (pid != 0)
+			{
+				/* parent: die, after filling PID into lock file.
+				 * must not use exit_pluto: lock would be removed!
+				 */
+				exit(fill_lock(lockfd, pid)? 0 : 1);
+			}
+		}
+
+		if (setsid() < 0)
+		{
+			int e = errno;
+
+			fprintf(stderr, "setsid() failed in main(). Errno %d: %s\n",
+				errno, strerror(e));
+			exit_pluto(1);
+		}
+	}
+	else
+	{
+		/* no daemon fork: we have to fill in lock file */
+		(void) fill_lock(lockfd, getpid());
+		fprintf(stdout, "Pluto initialized\n");
+		fflush(stdout);
+	}
 
-	    if (pid < 0)
-	    {
-		int e = errno;
+	/* Close everything but ctl_fd and (if needed) stderr.
+	 * There is some danger that a library that we don't know
+	 * about is using some fd that we don't know about.
+	 * I guess we'll soon find out.
+	 */
+	{
+		int i;
+
+		for (i = getdtablesize() - 1; i >= 0; i--)  /* Bad hack */
+		{
+			if ((!log_to_stderr || i != 2) && i != ctl_fd)
+				close(i);
+		}
+
+		/* make sure that stdin, stdout, stderr are reserved */
+		if (open("/dev/null", O_RDONLY) != 0)
+			abort();
+		if (dup2(0, 1) != 1)
+			abort();
+		if (!log_to_stderr && dup2(0, 2) != 2)
+			abort();
+	}
 
-		fprintf(stderr, "pluto: fork failed (%d %s)\n",
-		    errno, strerror(e));
-		exit_pluto(1);
-	    }
+	init_constants();
+	init_log("pluto");
 
-	    if (pid != 0)
-	    {
-		/* parent: die, after filling PID into lock file.
-		 * must not use exit_pluto: lock would be removed!
-		 */
-		exit(fill_lock(lockfd, pid)? 0 : 1);
-	    }
-	}
+	/* Note: some scripts may look for this exact message -- don't change
+	 * ipsec barf was one, but it no longer does.
+	 */
+	plog("Starting IKEv1 pluto daemon (strongSwan "VERSION")%s",
+		 compile_time_interop_options);
 
-	if (setsid() < 0)
-	{
-	    int e = errno;
+	/* load plugins, further infrastructure may need it */
+	lib->plugins->load(lib->plugins, IPSEC_PLUGINDIR, 
+		lib->settings->get_str(lib->settings, "pluto.load", PLUGINS));
+	print_plugins();
 
-	    fprintf(stderr, "setsid() failed in main(). Errno %d: %s\n",
-		errno, strerror(e));
-	    exit_pluto(1);
+#ifdef INTEGRITY_TEST
+	DBG1("integrity test of libstrongswan code");
+	if (fips_verify_hmac_signature(hmac_key, hmac_signature))
+	{
+		DBG1("  integrity test passed");
 	}
-    }
-    else
-    {
-	/* no daemon fork: we have to fill in lock file */
-	(void) fill_lock(lockfd, getpid());
-	fprintf(stdout, "Pluto initialized\n");
-	fflush(stdout);
-    }
-
-    /* Close everything but ctl_fd and (if needed) stderr.
-     * There is some danger that a library that we don't know
-     * about is using some fd that we don't know about.
-     * I guess we'll soon find out.
-     */
-    {
-	int i;
-
-	for (i = getdtablesize() - 1; i >= 0; i--)  /* Bad hack */
+	else
 	{
-	    if ((!log_to_stderr || i != 2) && i != ctl_fd)
-		close(i);
+		DBG1("  integrity test failed");
+		abort();
 	}
-
-	/* make sure that stdin, stdout, stderr are reserved */
-	if (open("/dev/null", O_RDONLY) != 0)
-	    abort();
-	if (dup2(0, 1) != 1)
-	    abort();
-	if (!log_to_stderr && dup2(0, 2) != 2)
-	    abort();
-    }
-
-    init_constants();
-    init_log("pluto");
-
-    /* Note: some scripts may look for this exact message -- don't change
-     * ipsec barf was one, but it no longer does.
-     */
-    plog("Starting Pluto (strongSwan Version %s%s)"
-	, ipsec_version_code()
-	, compile_time_interop_options);
-
-    init_nat_traversal(nat_traversal, keep_alive, force_keepalive, nat_t_spf);
-    init_virtual_ip(virtual_private);
-    scx_init(pkcs11_module_path, pkcs11_init_args);   /* load and initialize PKCS #11 module */
-    xauth_init();		    /* load and initialize XAUTH module */
-    init_rnd_pool();
-    init_secret();
-    init_states();
-    init_crypto();
-    init_demux();
-    init_kernel();
-    init_adns();
-    init_id();
-    init_fetch();
-
-    /* drop unneeded capabilities and change UID/GID */
-
-    prctl(PR_SET_KEEPCAPS, 1);
-	
+#endif /* INTEGRITY_TEST */
+
+	init_nat_traversal(nat_traversal, keep_alive, force_keepalive, nat_t_spf);
+	init_virtual_ip(virtual_private);
+	scx_init(pkcs11_module_path, pkcs11_init_args);
+	xauth_init();
+	init_secret();
+	init_states();
+	init_crypto();
+	init_demux();
+	init_kernel();
+	init_adns();
+	init_id();
+	init_fetch();
+
+	/* drop unneeded capabilities and change UID/GID */
+	prctl(PR_SET_KEEPCAPS, 1);
+		
 #ifdef IPSEC_GROUP
-    {
-	struct group group, *grp;
-    char buf[1024];
-
-	if (getgrnam_r(IPSEC_GROUP, &group, buf, sizeof(buf), &grp) != 0 ||
-		grp == NULL || setgid(grp->gr_gid) != 0)
 	{
-	    plog("unable to change daemon group");
-	    abort();
+		struct group group, *grp;
+	char buf[1024];
+
+		if (getgrnam_r(IPSEC_GROUP, &group, buf, sizeof(buf), &grp) != 0 ||
+				grp == NULL || setgid(grp->gr_gid) != 0)
+		{
+			plog("unable to change daemon group");
+			abort();
+		}
 	}
-    }
 #endif
 #ifdef IPSEC_USER
-    {
-	struct passwd passwd, *pwp;
-    char buf[1024];
-
-	if (getpwnam_r(IPSEC_USER, &passwd, buf, sizeof(buf), &pwp) != 0 ||
-		pwp == NULL || setuid(pwp->pw_uid) != 0)
 	{
-	    plog("unable to change daemon user");
-	    abort();
-	}
-	}
+		struct passwd passwd, *pwp;
+	char buf[1024];
+
+		if (getpwnam_r(IPSEC_USER, &passwd, buf, sizeof(buf), &pwp) != 0 ||
+				pwp == NULL || setuid(pwp->pw_uid) != 0)
+		{
+			plog("unable to change daemon user");
+			abort();
+		}
+		}
 #endif
 
 #ifdef CAPABILITIES
-    caps = cap_init();
-    cap_set_flag(caps, CAP_EFFECTIVE, 2, keep, CAP_SET);
-    cap_set_flag(caps, CAP_INHERITABLE, 2, keep, CAP_SET);
-    cap_set_flag(caps, CAP_PERMITTED, 2, keep, CAP_SET);
-    if (cap_set_proc(caps) != 0)
-    {
-	plog("unable to drop daemon capabilities");
-	abort();
-    }
-    cap_free(caps);
+	caps = cap_init();
+	cap_set_flag(caps, CAP_EFFECTIVE, 2, keep, CAP_SET);
+	cap_set_flag(caps, CAP_INHERITABLE, 2, keep, CAP_SET);
+	cap_set_flag(caps, CAP_PERMITTED, 2, keep, CAP_SET);
+	if (cap_set_proc(caps) != 0)
+	{
+		plog("unable to drop daemon capabilities");
+		abort();
+	}
+	cap_free(caps);
 #endif /* CAPABILITIES */
 
-    /* loading X.509 CA certificates */
-    load_authcerts("CA cert", CA_CERT_PATH, AUTH_CA);
-    /* loading X.509 AA certificates */
-    load_authcerts("AA cert", AA_CERT_PATH, AUTH_AA);
-    /* loading X.509 OCSP certificates */
-    load_authcerts("OCSP cert", OCSP_CERT_PATH, AUTH_OCSP);
-    /* loading X.509 CRLs */
-    load_crls();
-    /* loading attribute certificates (experimental) */
-    load_acerts();
-
-    daily_log_event();
-    call_server();
-    return -1;	/* Shouldn't ever reach this */
+	/* loading X.509 CA certificates */
+	load_authcerts("CA cert", CA_CERT_PATH, AUTH_CA);
+	/* loading X.509 AA certificates */
+	load_authcerts("AA cert", AA_CERT_PATH, AUTH_AA);
+	/* loading X.509 OCSP certificates */
+	load_authcerts("OCSP cert", OCSP_CERT_PATH, AUTH_OCSP);
+	/* loading X.509 CRLs */
+	load_crls();
+	/* loading attribute certificates (experimental) */
+	load_acerts();
+
+	daily_log_event();
+	call_server();
+	return -1;  /* Shouldn't ever reach this */
 }
 
 /* leave pluto, with status.
@@ -686,31 +735,33 @@ main(int argc, char **argv)
  *  1 general discomfort
  * 10 lock file exists
  */
-void
-exit_pluto(int status)
+void exit_pluto(int status)
 {
-    reset_globals();	/* needed because we may be called in odd state */
-    free_preshared_secrets();
-    free_remembered_public_keys();
-    delete_every_connection();
-    free_crl_fetch();		/* free chain of crl fetch requests */
-    free_ocsp_fetch();		/* free chain of ocsp fetch requests */
-    free_authcerts();		/* free chain of X.509 authority certificates */
-    free_crls();		/* free chain of X.509 CRLs */
-    free_acerts();		/* free chain of X.509 attribute certificates */
-    free_ca_infos();		/* free chain of X.509 CA information records */
-    free_ocsp();		/* free ocsp cache */
-    free_ifaces();
-    scx_finalize();		/* finalize and unload PKCS #11 module */
-    xauth_finalize();		/* finalize and unload XAUTH module */
-    stop_adns();
-    free_md_pool();
-    delete_lock();
-#ifdef LEAK_DETECTIVE
-    report_leaks();
-#endif /* LEAK_DETECTIVE */
-    close_log();
-    exit(status);
+	reset_globals();    /* needed because we may be called in odd state */
+	free_preshared_secrets();
+	free_remembered_public_keys();
+	delete_every_connection();
+	free_crl_fetch();           /* free chain of crl fetch requests */
+	free_ocsp_fetch();          /* free chain of ocsp fetch requests */
+	free_authcerts();           /* free chain of X.509 authority certificates */
+	free_crls();                /* free chain of X.509 CRLs */
+	free_acerts();              /* free chain of X.509 attribute certificates */
+	free_ca_infos();            /* free chain of X.509 CA information records */
+	free_ocsp();                /* free ocsp cache */
+	free_ifaces();
+	scx_finalize();             /* finalize and unload PKCS #11 module */
+	xauth_finalize();           /* finalize and unload XAUTH module */
+	stop_adns();
+	free_md_pool();
+	free_crypto();
+	free_id();                  /* free myids */
+	free_events();              /* free remaining events */
+	free_vendorid();			/* free all vendor id records */
+	delete_lock();
+	options->destroy(options);
+	library_deinit();
+	close_log();
+	exit(status);
 }
 
 /*
diff --git a/src/pluto/primegen.c b/src/pluto/primegen.c
deleted file mode 100644
index 159490345..000000000
--- a/src/pluto/primegen.c
+++ /dev/null
@@ -1,593 +0,0 @@
-/* primegen.c - prime number generator
- *	Copyright (C) 1998 Free Software Foundation, Inc.
- *
- * This file is part of GnuPG.
- *
- * GnuPG is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * GnuPG is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
- *
- * ***********************************************************************
- * The algorithm used to generate practically save primes is due to
- * Lim and Lee as described in the CRYPTO '97 proceedings (ISBN3540633847)
- * page 260.
- */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
-#ifdef PLUTO
-#include <gmp.h>
-#include <freeswan.h>
-#include "constants.h"
-#include "defs.h"
-#include "log.h"
-#include "rnd.h"
-#include "gcryptfix.h"
-#else /*! PLUTO */
-/* #include <assert.h> */
-/* #include <config.h> */
-/* #include "util.h" */
-/* #include "mpi.h" */
-/* #include "cipher.h" */
-#endif /* !PLUTO */
-
-static int no_of_small_prime_numbers;
-static MPI gen_prime( unsigned	nbits, int mode, int randomlevel );
-static int check_prime( MPI prime, MPI val_2 );
-static int is_prime( MPI n, unsigned steps, int *count );
-static void m_out_of_n( char *array, int m, int n );
-
-
-static void
-progress( int c )
-{
-    fputc( c, stderr );
-}
-
-
-/****************
- * Generate a prime number (stored in secure memory)
- */
-MPI
-generate_secret_prime( unsigned  nbits )
-{
-    MPI prime;
-
-    prime = gen_prime( nbits, 1, 2 );
-    progress('\n');
-    return prime;
-}
-
-MPI
-generate_public_prime( unsigned  nbits )
-{
-    MPI prime;
-
-    prime = gen_prime( nbits, 0, 2 );
-    progress('\n');
-    return prime;
-}
-
-
-/****************
- * We do not need to use the strongest RNG because we gain no extra
- * security from it - The prime number is public and we could also
- * offer the factors for those who are willing to check that it is
- * indeed a strong prime.
- *
- * mode 0: Standard
- *	1: Make sure that at least one factor is of size qbits.
- */
-MPI
-generate_elg_prime( int mode, unsigned pbits, unsigned qbits,
-		    MPI g, MPI **ret_factors )
-{
-    int n;  /* number of factors */
-    int m;  /* number of primes in pool */
-    unsigned fbits; /* length of prime factors */
-    MPI *factors; /* current factors */
-    MPI *pool;	/* pool of primes */
-    MPI q;	/* first prime factor (variable)*/
-    MPI prime;	/* prime test value */
-    MPI q_factor; /* used for mode 1 */
-    byte *perms = NULL;
-    int i, j;
-    int count1, count2;
-    unsigned nprime;
-    unsigned req_qbits = qbits; /* the requested q bits size */
-    MPI val_2  = mpi_alloc_set_ui( 2 );
-
-    /* find number of needed prime factors */
-    for(n=1; (pbits - qbits - 1) / n  >= qbits; n++ )
-	;
-    n--;
-    if( !n || (mode==1 && n < 2) )
-	log_fatal("can't gen prime with pbits=%u qbits=%u\n", pbits, qbits );
-    if( mode == 1 ) {
-	n--;
-	fbits = (pbits - 2*req_qbits -1) / n;
-	qbits =  pbits - req_qbits - n*fbits;
-    }
-    else {
-	fbits = (pbits - req_qbits -1) / n;
-	qbits = pbits - n*fbits;
-    }
-    if( DBG_CIPHER )
-	log_debug("gen prime: pbits=%u qbits=%u fbits=%u/%u n=%d\n",
-		    pbits, req_qbits, qbits, fbits, n  );
-    prime = mpi_alloc( (pbits + BITS_PER_MPI_LIMB - 1) /  BITS_PER_MPI_LIMB );
-    q = gen_prime( qbits, 0, 1 );
-    q_factor = mode==1? gen_prime( req_qbits, 0, 1 ) : NULL;
-
-    /* allocate an array to hold the factors + 2 for later usage */
-#ifdef PLUTO
-    m_alloc_ptrs_clear(factors, n+2);
-#else
-    factors = m_alloc_clear( (n+2) * sizeof *factors );
-#endif
-
-    /* make a pool of 3n+5 primes (this is an arbitrary value) */
-    m = n*3+5;
-    if( mode == 1 )
-	m += 5; /* need some more for DSA */
-    if( m < 25 )
-	m = 25;
-#ifdef PLUTO
-    m_alloc_ptrs_clear(pool, m);
-#else
-    pool = m_alloc_clear( m * sizeof *pool );
-#endif
-
-    /* permutate over the pool of primes */
-    count1=count2=0;
-    do {
-      next_try:
-	if( !perms ) {
-	    /* allocate new primes */
-	    for(i=0; i < m; i++ ) {
-		mpi_free(pool[i]);
-		pool[i] = NULL;
-	    }
-	    /* init m_out_of_n() */
-#ifdef PLUTO
-	    perms = alloc_bytes( m, "perms" );
-#else
-	    perms = m_alloc_clear( m );
-#endif
-	    for(i=0; i < n; i++ ) {
-		perms[i] = 1;
-		pool[i] = gen_prime( fbits, 0, 1 );
-		factors[i] = pool[i];
-	    }
-	}
-	else {
-	    m_out_of_n( perms, n, m );
-	    for(i=j=0; i < m && j < n ; i++ )
-		if( perms[i] ) {
-		    if( !pool[i] )
-			pool[i] = gen_prime( fbits, 0, 1 );
-		    factors[j++] = pool[i];
-		}
-	    if( i == n ) {
-		m_free(perms); perms = NULL;
-		progress('!');
-		goto next_try;	/* allocate new primes */
-	    }
-	}
-
-	mpi_set( prime, q );
-	mpi_mul_ui( prime, prime, 2 );
-	if( mode == 1 )
-	    mpi_mul( prime, prime, q_factor );
-	for(i=0; i < n; i++ )
-	    mpi_mul( prime, prime, factors[i] );
-	mpi_add_ui( prime, prime, 1 );
-	nprime = mpi_get_nbits(prime);
-	if( nprime < pbits ) {
-	    if( ++count1 > 20 ) {
-		count1 = 0;
-		qbits++;
-		progress('>');
-		q = gen_prime( qbits, 0, 1 );
-		goto next_try;
-	    }
-	}
-	else
-	    count1 = 0;
-	if( nprime > pbits ) {
-	    if( ++count2 > 20 ) {
-		count2 = 0;
-		qbits--;
-		progress('<');
-		q = gen_prime( qbits, 0, 1 );
-		goto next_try;
-	    }
-	}
-	else
-	    count2 = 0;
-    } while( !(nprime == pbits && check_prime( prime, val_2 )) );
-
-    if( DBG_CIPHER ) {
-	progress('\n');
-	log_mpidump( "prime    : ", prime );
-	log_mpidump( "factor  q: ", q );
-	if( mode == 1 )
-	    log_mpidump( "factor q0: ", q_factor );
-	for(i=0; i < n; i++ )
-	    log_mpidump( "factor pi: ", factors[i] );
-	log_debug("bit sizes: prime=%u, q=%u", mpi_get_nbits(prime), mpi_get_nbits(q) );
-	if( mode == 1 )
-	    fprintf(stderr, ", q0=%u", mpi_get_nbits(q_factor) );
-	for(i=0; i < n; i++ )
-	    fprintf(stderr, ", p%d=%u", i, mpi_get_nbits(factors[i]) );
-	progress('\n');
-    }
-
-    if( ret_factors ) { /* caller wants the factors */
-#ifdef PLUTO
-	m_alloc_ptrs_clear(*ret_factors, n+2);
-#else
-	*ret_factors = m_alloc_clear( (n+2) * sizeof **ret_factors);
-#endif
-	if( mode == 1 ) {
-	    i = 0;
-	    (*ret_factors)[i++] = mpi_copy( q_factor );
-	    for(; i <= n; i++ )
-		(*ret_factors)[i] = mpi_copy( factors[i] );
-	}
-	else {
-	    for(; i < n; i++ )
-		(*ret_factors)[i] = mpi_copy( factors[i] );
-	}
-    }
-
-    if( g ) { /* create a generator (start with 3)*/
-	MPI tmp   = mpi_alloc( mpi_get_nlimbs(prime) );
-	MPI b	  = mpi_alloc( mpi_get_nlimbs(prime) );
-	MPI pmin1 = mpi_alloc( mpi_get_nlimbs(prime) );
-
-	if( mode == 1 )
-	    BUG(); /* not yet implemented */
-	factors[n] = q;
-	factors[n+1] = mpi_alloc_set_ui(2);
-	mpi_sub_ui( pmin1, prime, 1 );
-	mpi_set_ui(g,2);
-	do {
-	    mpi_add_ui(g, g, 1);
-	    if( DBG_CIPHER ) {
-#ifdef PLUTO
-		log_mpidump("checking g: ", g);
-#else
-		log_debug("checking g: ");
-		mpi_print( stderr, g, 1 );
-#endif
-	    }
-	    else
-		progress('^');
-	    for(i=0; i < n+2; i++ ) {
-		/*fputc('~', stderr);*/
-		mpi_fdiv_q(tmp, pmin1, factors[i] );
-		/* (no mpi_pow(), but it is okay to use this with mod prime) */
-		mpi_powm(b, g, tmp, prime );
-		if( !mpi_cmp_ui(b, 1) )
-		    break;
-	    }
-	    if( DBG_CIPHER )
-		progress('\n');
-	} while( i < n+2 );
-	mpi_free(factors[n+1]);
-	mpi_free(tmp);
-	mpi_free(b);
-	mpi_free(pmin1);
-    }
-    if( !DBG_CIPHER )
-	progress('\n');
-
-    m_free( factors );	/* (factors are shallow copies) */
-    for(i=0; i < m; i++ )
-	mpi_free( pool[i] );
-    m_free( pool );
-    m_free(perms);
-    mpi_free(val_2);
-    return prime;
-}
-
-
-
-static MPI
-gen_prime( unsigned  nbits, int secret, int randomlevel )
-{
-    unsigned  nlimbs;
-    MPI prime, ptest, pminus1, val_2, val_3, result;
-    int i;
-    unsigned x, step;
-    unsigned count1, count2;
-    int *mods;
-
-    if( 0 && DBG_CIPHER )
-	log_debug("generate a prime of %u bits ", nbits );
-
-    if( !no_of_small_prime_numbers ) {
-	for(i=0; small_prime_numbers[i]; i++ )
-	    no_of_small_prime_numbers++;
-    }
-    mods = m_alloc( no_of_small_prime_numbers * sizeof *mods );
-    /* make nbits fit into MPI implementation */
-    nlimbs = (nbits + BITS_PER_MPI_LIMB - 1) /	BITS_PER_MPI_LIMB;
-    val_2  = mpi_alloc_set_ui( 2 );
-    val_3 = mpi_alloc_set_ui( 3);
-    prime  = secret? mpi_alloc_secure( nlimbs ): mpi_alloc( nlimbs );
-    result = mpi_alloc_like( prime );
-    pminus1= mpi_alloc_like( prime );
-    ptest  = mpi_alloc_like( prime );
-    count1 = count2 = 0;
-    for(;;) {  /* try forvever */
-	int dotcount=0;
-
-	/* generate a random number */
-	{   char *p = get_random_bits( nbits, randomlevel, secret );
-	    mpi_set_buffer( prime, p, (nbits+7)/8, 0 );
-	    m_free(p);
-	}
-
-	/* set high order bit to 1, set low order bit to 1 */
-	mpi_set_highbit( prime, nbits-1 );
-	mpi_set_bit( prime, 0 );
-
-	/* calculate all remainders */
-	for(i=0; (x = small_prime_numbers[i]); i++ )
-	    mods[i] = mpi_fdiv_r_ui(NULL, prime, x);
-
-	/* now try some primes starting with prime */
-	for(step=0; step < 20000; step += 2 ) {
-	    /* check against all the small primes we have in mods */
-	    count1++;
-	    for(i=0; (x = small_prime_numbers[i]); i++ ) {
-		while( mods[i] + step >= x )
-		    mods[i] -= x;
-		if( !(mods[i] + step) )
-		    break;
-	    }
-	    if( x )
-		continue;   /* found a multiple of an already known prime */
-
-	    mpi_add_ui( ptest, prime, step );
-
-	    /* do a faster Fermat test */
-	    count2++;
-	    mpi_sub_ui( pminus1, ptest, 1);
-	    mpi_powm( result, val_2, pminus1, ptest );
-	    if( !mpi_cmp_ui( result, 1 ) ) { /* not composite */
-		/* perform stronger tests */
-		if( is_prime(ptest, 5, &count2 ) ) {
-		    if( !mpi_test_bit( ptest, nbits-1 ) ) {
-			progress('\n');
-			log_debug("overflow in prime generation\n");
-			break; /* step loop, continue with a new prime */
-		    }
-
-		    mpi_free(val_2);
-		    mpi_free(val_3);
-		    mpi_free(result);
-		    mpi_free(pminus1);
-		    mpi_free(prime);
-		    m_free(mods);
-		    return ptest;
-		}
-	    }
-	    if( ++dotcount == 10 ) {
-		progress('.');
-		dotcount = 0;
-	    }
-	}
-	progress(':'); /* restart with a new random value */
-    }
-}
-
-/****************
- * Returns: true if this may be a prime
- */
-static int
-check_prime( MPI prime, MPI val_2 )
-{
-    int i;
-    unsigned x;
-    int count=0;
-
-    /* check against small primes */
-    for(i=0; (x = small_prime_numbers[i]); i++ ) {
-	if( mpi_divisible_ui( prime, x ) )
-	    return 0;
-    }
-
-    /* a quick fermat test */
-    {
-	MPI result = mpi_alloc_like( prime );
-	MPI pminus1 = mpi_alloc_like( prime );
-	mpi_sub_ui( pminus1, prime, 1);
-	mpi_powm( result, val_2, pminus1, prime );
-	mpi_free( pminus1 );
-	if( mpi_cmp_ui( result, 1 ) ) { /* if composite */
-	    mpi_free( result );
-	    progress('.');
-	    return 0;
-	}
-	mpi_free( result );
-    }
-
-    /* perform stronger tests */
-    if( is_prime(prime, 5, &count ) )
-	return 1; /* is probably a prime */
-    progress('.');
-    return 0;
-}
-
-
-/****************
- * Return true if n is probably a prime
- */
-static int
-is_prime( MPI n, unsigned steps, int *count )
-{
-    MPI x = mpi_alloc( mpi_get_nlimbs( n ) );
-    MPI y = mpi_alloc( mpi_get_nlimbs( n ) );
-    MPI z = mpi_alloc( mpi_get_nlimbs( n ) );
-    MPI nminus1 = mpi_alloc( mpi_get_nlimbs( n ) );
-    MPI a2 = mpi_alloc_set_ui( 2 );
-    MPI q;
-    unsigned i, j, k;
-    int rc = 0;
-    unsigned nbits = mpi_get_nbits( n );
-
-    mpi_sub_ui( nminus1, n, 1 );
-
-    /* find q and k, so that n = 1 + 2^k * q */
-    q = mpi_copy( nminus1 );
-    k = mpi_trailing_zeros( q );
-    mpi_tdiv_q_2exp(q, q, k);
-
-    for(i=0 ; i < steps; i++ ) {
-	++*count;
-	if( !i ) {
-	    mpi_set_ui( x, 2 );
-	}
-	else {
-	    /*mpi_set_bytes( x, nbits-1, get_random_byte, 0 );*/
-	    {	char *p = get_random_bits( nbits, 0, 0 );
-		mpi_set_buffer( x, p, (nbits+7)/8, 0 );
-		m_free(p);
-	    }
-	    /* make sure that the number is smaller than the prime
-	     * and keep the randomness of the high bit */
-	    if( mpi_test_bit( x, nbits-2 ) ) {
-		mpi_set_highbit( x, nbits-2 ); /* clear all higher bits */
-	    }
-	    else {
-		mpi_set_highbit( x, nbits-2 );
-		mpi_clear_bit( x, nbits-2 );
-	    }
-	    assert( mpi_cmp( x, nminus1 ) < 0 && mpi_cmp_ui( x, 1 ) > 0 );
-	}
-	mpi_powm( y, x, q, n);
-	if( mpi_cmp_ui(y, 1) && mpi_cmp( y, nminus1 ) ) {
-	    for( j=1; j < k && mpi_cmp( y, nminus1 ); j++ ) {
-		mpi_powm(y, y, a2, n);
-		if( !mpi_cmp_ui( y, 1 ) )
-		    goto leave; /* not a prime */
-	    }
-	    if( mpi_cmp( y, nminus1 ) )
-		goto leave; /* not a prime */
-	}
-	progress('+');
-    }
-    rc = 1; /* may be a prime */
-
-  leave:
-    mpi_free( x );
-    mpi_free( y );
-    mpi_free( z );
-    mpi_free( nminus1 );
-    mpi_free( q );
-
-    return rc;
-}
-
-
-static void
-m_out_of_n( char *array, int m, int n )
-{
-    int i=0, i1=0, j=0, jp=0,  j1=0, k1=0, k2=0;
-
-    if( !m || m >= n )
-	return;
-
-    if( m == 1 ) { /* special case */
-	for(i=0; i < n; i++ )
-	    if( array[i] ) {
-		array[i++] = 0;
-		if( i >= n )
-		    i = 0;
-		array[i] = 1;
-		return;
-	    }
-	BUG();
-    }
-
-    for(j=1; j < n; j++ ) {
-	if( array[n-1] == array[n-j-1] )
-	    continue;
-	j1 = j;
-	break;
-    }
-
-    if( m & 1 ) { /* m is odd */
-	if( array[n-1] ) {
-	    if( j1 & 1 ) {
-		k1 = n - j1;
-		k2 = k1+2;
-		if( k2 > n )
-		    k2 = n;
-		goto leave;
-	    }
-	    goto scan;
-	}
-	k2 = n - j1 - 1;
-	if( k2 == 0 ) {
-	    k1 = i;
-	    k2 = n - j1;
-	}
-	else if( array[k2] && array[k2-1] )
-	    k1 = n;
-	else
-	    k1 = k2 + 1;
-    }
-    else { /* m is even */
-	if( !array[n-1] ) {
-	    k1 = n - j1;
-	    k2 = k1 + 1;
-	    goto leave;
-	}
-
-	if( !(j1 & 1) ) {
-	    k1 = n - j1;
-	    k2 = k1+2;
-	    if( k2 > n )
-		k2 = n;
-	    goto leave;
-	}
-      scan:
-	jp = n - j1 - 1;
-	for(i=1; i <= jp; i++ ) {
-	    i1 = jp + 2 - i;
-	    if( array[i1-1]  ) {
-		if( array[i1-2] ) {
-		    k1 = i1 - 1;
-		    k2 = n - j1;
-		}
-		else {
-		    k1 = i1 - 1;
-		    k2 = n + 1 - j1;
-		}
-		goto leave;
-	    }
-	}
-	k1 = 1;
-	k2 = n + 1 - m;
-    }
-  leave:
-    array[k1-1] = !array[k1-1];
-    array[k2-1] = !array[k2-1];
-}
-
diff --git a/src/pluto/rcv_whack.c b/src/pluto/rcv_whack.c
index 00fed63ea..013deb446 100644
--- a/src/pluto/rcv_whack.c
+++ b/src/pluto/rcv_whack.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: rcv_whack.c 3252 2007-10-06 21:24:50Z andreas $
  */
 
 #include <stdio.h>
@@ -27,7 +25,7 @@
 #include <netinet/in.h>
 #include <arpa/inet.h>
 #include <resolv.h>
-#include <arpa/nameser.h>	/* missing from <resolv.h> on old systems */
+#include <arpa/nameser.h>       /* missing from <resolv.h> on old systems */
 #include <sys/queue.h>
 #include <fcntl.h>
 
@@ -42,17 +40,17 @@
 #include "smartcard.h"
 #include "connections.h"
 #include "foodgroups.h"
-#include "whack.h"	/* needs connections.h */
+#include "whack.h"      /* needs connections.h */
 #include "packet.h"
-#include "demux.h"	/* needs packet.h */
+#include "demux.h"      /* needs packet.h */
 #include "state.h"
-#include "ipsec_doi.h"	/* needs demux.h and state.h */
+#include "ipsec_doi.h"  /* needs demux.h and state.h */
 #include "kernel.h"
 #include "rcv_whack.h"
 #include "log.h"
 #include "keys.h"
-#include "adns.h"	/* needs <resolv.h> */
-#include "dnskey.h"	/* needs keys.h and adns.h */
+#include "adns.h"       /* needs <resolv.h> */
+#include "dnskey.h"     /* needs keys.h and adns.h */
 #include "server.h"
 #include "fetch.h"
 #include "ocsp.h"
@@ -63,186 +61,186 @@
 /* helper variables and function to decode strings from whack message */
 
 static char *next_str
-    , *str_roof;
+	, *str_roof;
 
 static bool
 unpack_str(char **p)
 {
-    char *end = memchr(next_str, '\0', str_roof - next_str);
-
-    if (end == NULL)
-    {
-	return FALSE;	/* fishy: no end found */
-    }
-    else
-    {
-	*p = next_str == end? NULL : next_str;
-	next_str = end + 1;
-	return TRUE;
-    }
+	char *end = memchr(next_str, '\0', str_roof - next_str);
+
+	if (end == NULL)
+	{
+		return FALSE;   /* fishy: no end found */
+	}
+	else
+	{
+		*p = next_str == end? NULL : next_str;
+		next_str = end + 1;
+		return TRUE;
+	}
 }
 
 /* bits loading keys from asynchronous DNS */
 
 enum key_add_attempt {
-    ka_TXT,
+	ka_TXT,
 #ifdef USE_KEYRR
-    ka_KEY,
+	ka_KEY,
 #endif
-    ka_roof	/* largest value + 1 */
+	ka_roof     /* largest value + 1 */
 };
 
 struct key_add_common {
-    int refCount;
-    char *diag[ka_roof];
-    int whack_fd;
-    bool success;
+	int refCount;
+	char *diag[ka_roof];
+	int whack_fd;
+	bool success;
 };
 
 struct key_add_continuation {
-    struct adns_continuation ac;	/* common prefix */
-    struct key_add_common *common;	/* common data */
-    enum key_add_attempt lookingfor;
+	struct adns_continuation ac;        /* common prefix */
+	struct key_add_common *common;      /* common data */
+	enum key_add_attempt lookingfor;
 };
 
 static void
 key_add_ugh(const struct id *keyid, err_t ugh)
 {
-    char name[BUF_LEN];	/* longer IDs will be truncated in message */
+	char name[BUF_LEN]; /* longer IDs will be truncated in message */
 
-    (void)idtoa(keyid, name, sizeof(name));
-    loglog(RC_NOKEY
-	, "failure to fetch key for %s from DNS: %s", name, ugh);
+	(void)idtoa(keyid, name, sizeof(name));
+	loglog(RC_NOKEY
+		, "failure to fetch key for %s from DNS: %s", name, ugh);
 }
 
 /* last one out: turn out the lights */
 static void
 key_add_merge(struct key_add_common *oc, const struct id *keyid)
 {
-    if (oc->refCount == 0)
-    {
-	enum key_add_attempt kaa;
-
-	/* if no success, print all diagnostics */
-	if (!oc->success)
-	    for (kaa = ka_TXT; kaa != ka_roof; kaa++)
-		key_add_ugh(keyid, oc->diag[kaa]);
+	if (oc->refCount == 0)
+	{
+		enum key_add_attempt kaa;
 
-	for (kaa = ka_TXT; kaa != ka_roof; kaa++)
-	    pfreeany(oc->diag[kaa]);
+		/* if no success, print all diagnostics */
+		if (!oc->success)
+			for (kaa = ka_TXT; kaa != ka_roof; kaa++)
+				key_add_ugh(keyid, oc->diag[kaa]);
 
-	close(oc->whack_fd);
-	pfree(oc);
-    }
+		for (kaa = ka_TXT; kaa != ka_roof; kaa++)
+		{
+			free(oc->diag[kaa]);
+		}
+		close(oc->whack_fd);
+		free(oc);
+	}
 }
 
 static void
 key_add_continue(struct adns_continuation *ac, err_t ugh)
 {
-    struct key_add_continuation *kc = (void *) ac;
-    struct key_add_common *oc = kc->common;
-
-    passert(whack_log_fd == NULL_FD);
-    whack_log_fd = oc->whack_fd;
-
-    if (ugh != NULL)
-    {
-	oc->diag[kc->lookingfor] = clone_str(ugh, "key add error");
-    }
-    else
-    {
-	oc->success = TRUE;
-	transfer_to_public_keys(kc->ac.gateways_from_dns
+	struct key_add_continuation *kc = (void *) ac;
+	struct key_add_common *oc = kc->common;
+
+	passert(whack_log_fd == NULL_FD);
+	whack_log_fd = oc->whack_fd;
+
+	if (ugh != NULL)
+	{
+		oc->diag[kc->lookingfor] = clone_str(ugh);
+	}
+	else
+	{
+		oc->success = TRUE;
+		transfer_to_public_keys(kc->ac.gateways_from_dns
 #ifdef USE_KEYRR
-	    , &kc->ac.keys_from_dns
+			, &kc->ac.keys_from_dns
 #endif /* USE_KEYRR */
-	    );
-    }
+			);
+	}
 
-    oc->refCount--;
-    key_add_merge(oc, &ac->id);
-    whack_log_fd = NULL_FD;
+	oc->refCount--;
+	key_add_merge(oc, &ac->id);
+	whack_log_fd = NULL_FD;
 }
 
 static void
 key_add_request(const whack_message_t *msg)
 {
-    struct id keyid;
-    err_t ugh = atoid(msg->keyid, &keyid, FALSE);
-
-    if (ugh != NULL)
-    {
-	loglog(RC_BADID, "bad --keyid \"%s\": %s", msg->keyid, ugh);
-    }
-    else
-    {
-	if (!msg->whack_addkey)
-	    delete_public_keys(&keyid, msg->pubkey_alg
-		, empty_chunk, empty_chunk);
-
-	if (msg->keyval.len == 0)
-	{
-	    struct key_add_common *oc
-		= alloc_thing(struct key_add_common
-			      , "key add common things");
-	    enum key_add_attempt kaa;
-
-	    /* initialize state shared by queries */
-	    oc->refCount = 0;
-	    oc->whack_fd = dup_any(whack_log_fd);
-	    oc->success = FALSE;
-
-	    for (kaa = ka_TXT; kaa != ka_roof; kaa++)
-	    {
-		struct key_add_continuation *kc
-		    = alloc_thing(struct key_add_continuation
-			, "key add continuation");
-
-		oc->diag[kaa] = NULL;
-		oc->refCount++;
-		kc->common = oc;
-		kc->lookingfor = kaa;
-		switch (kaa)
+	struct id keyid;
+	err_t ugh = atoid(msg->keyid, &keyid, FALSE);
+
+	if (ugh != NULL)
+	{
+		loglog(RC_BADID, "bad --keyid \"%s\": %s", msg->keyid, ugh);
+	}
+	else
+	{
+		if (!msg->whack_addkey)
+			delete_public_keys(&keyid, msg->pubkey_alg
+				, chunk_empty, chunk_empty);
+
+		if (msg->keyval.len == 0)
 		{
-		case ka_TXT:
-		    ugh = start_adns_query(&keyid
-			, &keyid	/* same */
-			, T_TXT
-			, key_add_continue
-			, &kc->ac);
-		    break;
+			struct key_add_common *oc = malloc_thing(struct key_add_common);
+			enum key_add_attempt kaa;
+
+			/* initialize state shared by queries */
+			oc->refCount = 0;
+			oc->whack_fd = dup_any(whack_log_fd);
+			oc->success = FALSE;
+
+			for (kaa = ka_TXT; kaa != ka_roof; kaa++)
+			{
+				struct key_add_continuation *kc;
+
+				oc->diag[kaa] = NULL;
+				oc->refCount++;
+				kc = malloc_thing(struct key_add_continuation);
+				kc->common = oc;
+				kc->lookingfor = kaa;
+
+				switch (kaa)
+				{
+				case ka_TXT:
+					ugh = start_adns_query(&keyid
+						, &keyid        /* same */
+						, T_TXT
+						, key_add_continue
+						, &kc->ac);
+					break;
 #ifdef USE_KEYRR
-		case ka_KEY:
-		    ugh = start_adns_query(&keyid
-			, NULL
-			, T_KEY
-			, key_add_continue
-			, &kc->ac);
-		    break;
+				case ka_KEY:
+					ugh = start_adns_query(&keyid
+						, NULL
+						, T_KEY
+						, key_add_continue
+						, &kc->ac);
+					break;
 #endif /* USE_KEYRR */
-		default:
-		    bad_case(kaa);	/* suppress gcc warning */
+				default:
+					bad_case(kaa);      /* suppress gcc warning */
+				}
+				if (ugh != NULL)
+				{
+					oc->diag[kaa] = clone_str(ugh);
+					oc->refCount--;
+				}
+			}
+
+			/* Done launching queries.
+			 * Handle total failure case.
+			 */
+			key_add_merge(oc, &keyid);
 		}
-		if (ugh != NULL)
+		else
 		{
-		    oc->diag[kaa] = clone_str(ugh, "early key add failure");
-		    oc->refCount--;
+			if (!add_public_key(&keyid, DAL_LOCAL, msg->pubkey_alg, msg->keyval,
+				&pubkeys))
+			{
+				loglog(RC_LOG_SERIOUS, "failed to add public key");
+			}
 		}
-	    }
-
-	    /* Done launching queries.
-	     * Handle total failure case.
-	     */
-	    key_add_merge(oc, &keyid);
 	}
-	else
-	{
-	    ugh = add_public_key(&keyid, DAL_LOCAL, msg->pubkey_alg
-		, &msg->keyval, &pubkeys);
-	    if (ugh != NULL)
-		loglog(RC_LOG_SERIOUS, "%s", ugh);
-	}
-    }
 }
 
 /* Handle a kernel request. Supposedly, there's a message in
@@ -251,430 +249,431 @@ key_add_request(const whack_message_t *msg)
 void
 whack_handle(int whackctlfd)
 {
-    whack_message_t msg;
-    struct sockaddr_un whackaddr;
-    int whackaddrlen = sizeof(whackaddr);
-    int whackfd = accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen);
-    /* Note: actual value in n should fit in int.  To print, cast to int. */
-    ssize_t n;
-
-    if (whackfd < 0)
-    {
-	log_errno((e, "accept() failed in whack_handle()"));
-	return;
-    }
-    if (fcntl(whackfd, F_SETFD, FD_CLOEXEC) < 0)
-    {
-	log_errno((e, "failed to set CLOEXEC in whack_handle()"));
-	close(whackfd);
-	return;
-    }
+	whack_message_t msg;
+	struct sockaddr_un whackaddr;
+	int whackaddrlen = sizeof(whackaddr);
+	int whackfd = accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen);
+	/* Note: actual value in n should fit in int.  To print, cast to int. */
+	ssize_t n;
+
+	if (whackfd < 0)
+	{
+		log_errno((e, "accept() failed in whack_handle()"));
+		return;
+	}
+	if (fcntl(whackfd, F_SETFD, FD_CLOEXEC) < 0)
+	{
+		log_errno((e, "failed to set CLOEXEC in whack_handle()"));
+		close(whackfd);
+		return;
+	}
 
-    n = read(whackfd, &msg, sizeof(msg));
+	n = read(whackfd, &msg, sizeof(msg));
 
-    if (n == -1)
-    {
-	log_errno((e, "read() failed in whack_handle()"));
-	close(whackfd);
-	return;
-    }
+	if (n == -1)
+	{
+		log_errno((e, "read() failed in whack_handle()"));
+		close(whackfd);
+		return;
+	}
 
-    whack_log_fd = whackfd;
+	whack_log_fd = whackfd;
 
-    /* sanity check message */
-    {
-	err_t ugh = NULL;
+	/* sanity check message */
+	{
+		err_t ugh = NULL;
 
-	next_str = msg.string;
-	str_roof = (char *)&msg + n;
+		next_str = msg.string;
+		str_roof = (char *)&msg + n;
 
-	if ((size_t)n < offsetof(whack_message_t, whack_shutdown) + sizeof(msg.whack_shutdown))
+		if ((size_t)n < offsetof(whack_message_t, whack_shutdown) + sizeof(msg.whack_shutdown))
+		{
+			ugh = builddiag("ignoring runt message from whack: got %d bytes", (int)n);
+		}
+		else if (msg.magic != WHACK_MAGIC)
+		{
+			if (msg.magic == WHACK_BASIC_MAGIC)
+			{
+				/* Only shutdown command.  Simpler inter-version compatability. */
+				if (msg.whack_shutdown)
+				{
+					plog("shutting down");
+					exit_pluto(0);      /* delete lock and leave, with 0 status */
+				}
+				ugh = "";       /* bail early, but without complaint */
+			}
+			else
+			{
+				ugh = builddiag("ignoring message from whack with bad magic %d; should be %d; probably wrong version"
+					, msg.magic, WHACK_MAGIC);
+			}
+		}
+		else if (next_str > str_roof)
+		{
+			ugh = builddiag("ignoring truncated message from whack: got %d bytes; expected %u"
+				, (int) n, (unsigned) sizeof(msg));
+		}
+		else if (!unpack_str(&msg.name)         /* string  1 */
+		|| !unpack_str(&msg.left.id)            /* string  2 */
+		|| !unpack_str(&msg.left.cert)          /* string  3 */
+		|| !unpack_str(&msg.left.ca)            /* string  4 */
+		|| !unpack_str(&msg.left.groups)        /* string  5 */
+		|| !unpack_str(&msg.left.updown)        /* string  6 */
+		|| !unpack_str(&msg.left.virt)          /* string  7 */
+		|| !unpack_str(&msg.right.id)           /* string  8 */
+		|| !unpack_str(&msg.right.cert)         /* string  9 */
+		|| !unpack_str(&msg.right.ca)           /* string 10 */
+		|| !unpack_str(&msg.right.groups)       /* string 11 */
+		|| !unpack_str(&msg.right.updown)       /* string 12 */
+		|| !unpack_str(&msg.right.virt)         /* string 13 */
+		|| !unpack_str(&msg.keyid)              /* string 14 */
+		|| !unpack_str(&msg.myid)               /* string 15 */
+		|| !unpack_str(&msg.cacert)             /* string 16 */
+		|| !unpack_str(&msg.ldaphost)           /* string 17 */
+		|| !unpack_str(&msg.ldapbase)           /* string 18 */
+		|| !unpack_str(&msg.crluri)             /* string 19 */
+		|| !unpack_str(&msg.crluri2)            /* string 20 */
+		|| !unpack_str(&msg.ocspuri)            /* string 21 */
+		|| !unpack_str(&msg.ike)                /* string 22 */
+		|| !unpack_str(&msg.esp)                /* string 23 */
+		|| !unpack_str(&msg.sc_data)            /* string 24 */
+		|| str_roof - next_str != (ptrdiff_t)msg.keyval.len)    /* check chunk */
+		{
+			ugh = "message from whack contains bad string";
+		}
+		else
+		{
+			msg.keyval.ptr = next_str;  /* grab chunk */
+		}
+
+		if (ugh != NULL)
+		{
+			if (*ugh != '\0')
+				loglog(RC_BADWHACKMESSAGE, "%s", ugh);
+			whack_log_fd = NULL_FD;
+			close(whackfd);
+			return;
+		}
+	}
+
+	if (msg.whack_options)
 	{
-	    ugh = builddiag("ignoring runt message from whack: got %d bytes", (int)n);
+#ifdef DEBUG
+		if (msg.name == NULL)
+		{
+			/* we do a two-step so that if either old or new would
+			 * cause the message to print, it will be printed.
+			 */
+			cur_debugging |= msg.debugging;
+			DBG(DBG_CONTROL
+				, DBG_log("base debugging = %s"
+					, bitnamesof(debug_bit_names, msg.debugging)));
+			cur_debugging = base_debugging = msg.debugging;
+		}
+		else if (!msg.whack_connection)
+		{
+			struct connection *c = con_by_name(msg.name, TRUE);
+
+			if (c != NULL)
+			{
+				c->extra_debugging = msg.debugging;
+				DBG(DBG_CONTROL
+					, DBG_log("\"%s\" extra_debugging = %s"
+						, c->name
+						, bitnamesof(debug_bit_names, c->extra_debugging)));
+			}
+		}
+#endif
+	}
+
+	if (msg.whack_myid)
+		set_myid(MYID_SPECIFIED, msg.myid);
+
+	/* Deleting combined with adding a connection works as replace.
+	 * To make this more useful, in only this combination,
+	 * delete will silently ignore the lack of the connection.
+	 */
+	if (msg.whack_delete)
+	{
+		if (msg.whack_ca)
+			find_ca_info_by_name(msg.name, TRUE);
+		else
+			delete_connections_by_name(msg.name, !msg.whack_connection);
 	}
-	else if (msg.magic != WHACK_MAGIC)
+
+	if (msg.whack_deletestate)
 	{
-	    if (msg.magic == WHACK_BASIC_MAGIC)
-	    {
-		/* Only shutdown command.  Simpler inter-version compatability. */
-		if (msg.whack_shutdown)
+		struct state *st = state_with_serialno(msg.whack_deletestateno);
+
+		if (st == NULL)
+		{
+			loglog(RC_UNKNOWN_NAME, "no state #%lu to delete"
+				, msg.whack_deletestateno);
+		}
+		else
 		{
-		    plog("shutting down");
-		    exit_pluto(0);	/* delete lock and leave, with 0 status */
+			delete_state(st);
 		}
-		ugh = "";	/* bail early, but without complaint */
-	    }
-	    else
-	    {
-		ugh = builddiag("ignoring message from whack with bad magic %d; should be %d; probably wrong version"
-		    , msg.magic, WHACK_MAGIC);
-	    }
-	}
-	else if (next_str > str_roof)
-	{
-	    ugh = builddiag("ignoring truncated message from whack: got %d bytes; expected %u"
-		, (int) n, (unsigned) sizeof(msg));
-	}
-	else if (!unpack_str(&msg.name)		/* string  1 */
-	|| !unpack_str(&msg.left.id)		/* string  2 */
-	|| !unpack_str(&msg.left.cert)		/* string  3 */
-	|| !unpack_str(&msg.left.ca)		/* string  4 */
-	|| !unpack_str(&msg.left.groups)	/* string  5 */
-	|| !unpack_str(&msg.left.updown)	/* string  6 */
-	|| !unpack_str(&msg.left.virt)		/* string  7 */
-	|| !unpack_str(&msg.right.id)		/* string  8 */
-	|| !unpack_str(&msg.right.cert)		/* string  9 */
-	|| !unpack_str(&msg.right.ca)		/* string 10 */
-	|| !unpack_str(&msg.right.groups)	/* string 11 */
-	|| !unpack_str(&msg.right.updown)	/* string 12 */
-	|| !unpack_str(&msg.right.virt)		/* string 13 */
-	|| !unpack_str(&msg.keyid)		/* string 14 */
-	|| !unpack_str(&msg.myid)		/* string 15 */
-	|| !unpack_str(&msg.cacert)		/* string 16 */
-	|| !unpack_str(&msg.ldaphost)		/* string 17 */
-	|| !unpack_str(&msg.ldapbase)		/* string 18 */
-	|| !unpack_str(&msg.crluri)		/* string 19 */
-	|| !unpack_str(&msg.crluri2)		/* string 20 */
-	|| !unpack_str(&msg.ocspuri)		/* string 21 */
-	|| !unpack_str(&msg.ike)		/* string 22 */
-	|| !unpack_str(&msg.esp)		/* string 23 */
-	|| !unpack_str(&msg.sc_data)		/* string 24 */
-	|| str_roof - next_str != (ptrdiff_t)msg.keyval.len)	/* check chunk */
-	{
-	    ugh = "message from whack contains bad string";
 	}
-	else
+
+	if (msg.whack_crash)
+		delete_states_by_peer(&msg.whack_crash_peer);
+
+	if (msg.whack_connection)
+		add_connection(&msg);
+
+	if (msg.whack_ca && msg.cacert != NULL)
+		add_ca_info(&msg);
+		
+	/* process "listen" before any operation that could require it */
+	if (msg.whack_listen)
+	{
+		close_peerlog();    /* close any open per-peer logs */
+		plog("listening for IKE messages");
+		listening = TRUE;
+		daily_log_reset();
+		reset_adns_restart_count();
+		set_myFQDN();
+		find_ifaces();
+		load_preshared_secrets(NULL_FD);
+		load_groups();
+	}
+	if (msg.whack_unlisten)
 	{
-	    msg.keyval.ptr = next_str;	/* grab chunk */
+		plog("no longer listening for IKE messages");
+		listening = FALSE;
 	}
 
-	if (ugh != NULL)
+	if (msg.whack_reread & REREAD_SECRETS)
 	{
-	    if (*ugh != '\0')
-		loglog(RC_BADWHACKMESSAGE, "%s", ugh);
-	    whack_log_fd = NULL_FD;
-	    close(whackfd);
-	    return;
+		load_preshared_secrets(whackfd);
 	}
-    }
 
-    if (msg.whack_options)
-    {
-#ifdef DEBUG
-	if (msg.name == NULL)
-	{
-	    /* we do a two-step so that if either old or new would
-	     * cause the message to print, it will be printed.
-	     */
-	    cur_debugging |= msg.debugging;
-	    DBG(DBG_CONTROL
-		, DBG_log("base debugging = %s"
-		    , bitnamesof(debug_bit_names, msg.debugging)));
-	    cur_debugging = base_debugging = msg.debugging;
-	}
-	else if (!msg.whack_connection)
-	{
-	    struct connection *c = con_by_name(msg.name, TRUE);
-
-	    if (c != NULL)
-	    {
-		c->extra_debugging = msg.debugging;
-		DBG(DBG_CONTROL
-		    , DBG_log("\"%s\" extra_debugging = %s"
-			, c->name
-			, bitnamesof(debug_bit_names, c->extra_debugging)));
-	    }
+	if (msg.whack_reread & REREAD_CACERTS)
+	{
+		load_authcerts("CA cert", CA_CERT_PATH, AUTH_CA);
 	}
-#endif
-    }
-
-    if (msg.whack_myid)
-	set_myid(MYID_SPECIFIED, msg.myid);
-
-    /* Deleting combined with adding a connection works as replace.
-     * To make this more useful, in only this combination,
-     * delete will silently ignore the lack of the connection.
-     */
-    if (msg.whack_delete)
-    {
-    	if (msg.whack_ca)
-	    find_ca_info_by_name(msg.name, TRUE);
-	else
-	    delete_connections_by_name(msg.name, !msg.whack_connection);
-    }
 
-    if (msg.whack_deletestate)
-    {
-	struct state *st = state_with_serialno(msg.whack_deletestateno);
+	if (msg.whack_reread & REREAD_AACERTS)
+	{
+		load_authcerts("AA cert", AA_CERT_PATH, AUTH_AA);
+	}
 
-	if (st == NULL)
+	if (msg.whack_reread & REREAD_OCSPCERTS)
 	{
-	    loglog(RC_UNKNOWN_NAME, "no state #%lu to delete"
-		, msg.whack_deletestateno);
+		load_authcerts("OCSP cert", OCSP_CERT_PATH, AUTH_OCSP);
 	}
-	else
+
+	if (msg.whack_reread & REREAD_ACERTS)
 	{
-	    delete_state(st);
-	}
-    }
-
-    if (msg.whack_crash)
-	delete_states_by_peer(&msg.whack_crash_peer);
-
-    if (msg.whack_connection)
-	add_connection(&msg);
-
-    if (msg.whack_ca && msg.cacert != NULL)
-	add_ca_info(&msg);
-	
-    /* process "listen" before any operation that could require it */
-    if (msg.whack_listen)
-    {
-	close_peerlog();    /* close any open per-peer logs */
-	plog("listening for IKE messages");
-	listening = TRUE;
-	daily_log_reset();
-	reset_adns_restart_count();
-	set_myFQDN();
-	find_ifaces();
-	load_preshared_secrets(NULL_FD);
-	load_groups();
-    }
-    if (msg.whack_unlisten)
-    {
-	plog("no longer listening for IKE messages");
-	listening = FALSE;
-    }
-
-    if (msg.whack_reread & REREAD_SECRETS)
-    {
-	load_preshared_secrets(whackfd);
-    }
-
-    if (msg.whack_reread & REREAD_CACERTS)
-    {
-	load_authcerts("CA cert", CA_CERT_PATH, AUTH_CA);
-    }
-
-    if (msg.whack_reread & REREAD_AACERTS)
-    {
-	load_authcerts("AA cert", AA_CERT_PATH, AUTH_AA);
-    }
-
-    if (msg.whack_reread & REREAD_OCSPCERTS)
-    {
-	load_authcerts("OCSP cert", OCSP_CERT_PATH, AUTH_OCSP);
-    }
-
-    if (msg.whack_reread & REREAD_ACERTS)
-    {
-	load_acerts();
-    }
-
-    if (msg.whack_reread & REREAD_CRLS)
-    {
-	load_crls();
-    }
-
-    if (msg.whack_purgeocsp)
-    {
-	free_ocsp_fetch();
-	free_ocsp_cache();
-    }
-
-    if (msg.whack_list & LIST_ALGS)
-    {
-	ike_alg_list();
-	kernel_alg_list();
-    }
+		load_acerts();
+	}
+
+	if (msg.whack_reread & REREAD_CRLS)
+	{
+		load_crls();
+	}
+
+	if (msg.whack_purgeocsp)
+	{
+		free_ocsp_fetch();
+		free_ocsp_cache();
+	}
+
    if (msg.whack_list & LIST_PUBKEYS)
-    {
-	list_public_keys(msg.whack_utc);
-    }
-
-    if (msg.whack_list & LIST_CERTS)
-    {
-	list_certs(msg.whack_utc);
-    }
-
-    if (msg.whack_list & LIST_CACERTS)
-    {
-	list_authcerts("CA", AUTH_CA, msg.whack_utc);
-    }
-
-    if (msg.whack_list & LIST_AACERTS)
-    {
-	list_authcerts("AA", AUTH_AA, msg.whack_utc);
-    }
-
-    if (msg.whack_list & LIST_OCSPCERTS)
-    {
-	list_authcerts("OCSP", AUTH_OCSP, msg.whack_utc);
-    }
-
-    if (msg.whack_list & LIST_ACERTS)
-    {
-	list_acerts(msg.whack_utc);
-    }
-
-    if (msg.whack_list & LIST_GROUPS)
-    {
-	list_groups(msg.whack_utc);
-    }
-
-    if (msg.whack_list & LIST_CAINFOS)
-    {
-	list_ca_infos(msg.whack_utc);
-    }
-
-    if (msg.whack_list & LIST_CRLS)
-    {
-	list_crls(msg.whack_utc, strict_crl_policy);
-	list_crl_fetch_requests(msg.whack_utc);
-    }
-
-    if (msg.whack_list & LIST_OCSP)
-    {
-	list_ocsp_cache(msg.whack_utc, strict_crl_policy);
-	list_ocsp_fetch_requests(msg.whack_utc);
-    }
-
-    if (msg.whack_list & LIST_CARDS)
-    {
-	scx_list(msg.whack_utc);
-    }
-
-    if (msg.whack_key)
-    {
-	/* add a public key */
-	key_add_request(&msg);
-    }
-
-    if (msg.whack_route)
-    {
-	if (!listening)
-	{
-	    whack_log(RC_DEAF, "need --listen before --route");
-	}
-	if (msg.name == NULL)
-	{
-	    whack_log(RC_UNKNOWN_NAME
-		, "whack --route requires a connection name");
+	{
+		list_public_keys(msg.whack_utc);
 	}
-	else
+
+	if (msg.whack_list & LIST_CERTS)
 	{
-	    struct connection *c = con_by_name(msg.name, TRUE);
+		list_certs(msg.whack_utc);
+	}
 
-	    if (c != NULL && c->ikev1)
-	    {
-		set_cur_connection(c);
-		if (!oriented(*c))
-		    whack_log(RC_ORIENT
-			, "we have no ipsecN interface for either end of this connection");
-		else if (c->policy & POLICY_GROUP)
-		    route_group(c);
-		else if (!trap_connection(c))
-		    whack_log(RC_ROUTE, "could not route");
-		reset_cur_connection();
-	    }
+	if (msg.whack_list & LIST_CACERTS)
+	{
+		list_authcerts("CA", AUTH_CA, msg.whack_utc);
 	}
-    }
 
-    if (msg.whack_unroute)
-    {
-	if (msg.name == NULL)
+	if (msg.whack_list & LIST_AACERTS)
 	{
-	    whack_log(RC_UNKNOWN_NAME
-		, "whack --unroute requires a connection name");
+		list_authcerts("AA", AUTH_AA, msg.whack_utc);
 	}
-	else
+
+	if (msg.whack_list & LIST_OCSPCERTS)
 	{
-	    struct connection *c = con_by_name(msg.name, TRUE);
+		list_authcerts("OCSP", AUTH_OCSP, msg.whack_utc);
+	}
 
-	    if (c != NULL && c->ikev1)
-	    {
-		struct spd_route *sr;
-		int fail = 0;
+	if (msg.whack_list & LIST_ACERTS)
+	{
+		list_acerts(msg.whack_utc);
+	}
 
-		set_cur_connection(c);
+	if (msg.whack_list & LIST_GROUPS)
+	{
+		list_groups(msg.whack_utc);
+	}
 
-		for (sr = &c->spd; sr != NULL; sr = sr->next)
-		{
-		    if (sr->routing >= RT_ROUTED_TUNNEL)
-			fail++;
-		}
-		if (fail > 0)
-		    whack_log(RC_RTBUSY, "cannot unroute: route busy");
-		else if (c->policy & POLICY_GROUP)
-		    unroute_group(c);
-		else
-		    unroute_connection(c);
-		reset_cur_connection();
-	    }
+	if (msg.whack_list & LIST_CAINFOS)
+	{
+		list_ca_infos(msg.whack_utc);
 	}
-    }
 
-    if (msg.whack_initiate)
-    {
-	if (!listening)
+	if (msg.whack_list & LIST_CRLS)
 	{
-	    whack_log(RC_DEAF, "need --listen before --initiate");
+		list_crls(msg.whack_utc, strict_crl_policy);
+		list_crl_fetch_requests(msg.whack_utc);
 	}
-	else if (msg.name == NULL)
+
+	if (msg.whack_list & LIST_OCSP)
 	{
-	    whack_log(RC_UNKNOWN_NAME
-		, "whack --initiate requires a connection name");
+		list_ocsp_cache(msg.whack_utc, strict_crl_policy);
+		list_ocsp_fetch_requests(msg.whack_utc);
 	}
-	else
+
+	if (msg.whack_list & LIST_CARDS)
 	{
-	    initiate_connection(msg.name
-		, msg.whack_async? NULL_FD : dup_any(whackfd));
+		scx_list(msg.whack_utc);
 	}
-    }
 
-    if (msg.whack_oppo_initiate)
-    {
-	if (!listening)
-	    whack_log(RC_DEAF, "need --listen before opportunistic initiation");
-	else
-	    initiate_opportunistic(&msg.oppo_my_client, &msg.oppo_peer_client, 0
-		, FALSE
-		, msg.whack_async? NULL_FD : dup_any(whackfd));
-    }
+	if (msg.whack_list & LIST_ALGS)
+	{
+		ike_alg_list();
+		kernel_alg_list();
+	}
 
-    if (msg.whack_terminate)
-    {
-	if (msg.name == NULL)
+	if (msg.whack_key)
 	{
-	    whack_log(RC_UNKNOWN_NAME
-		, "whack --terminate requires a connection name");
+		/* add a public key */
+		key_add_request(&msg);
 	}
-	else
+
+	if (msg.whack_route)
 	{
-	    terminate_connection(msg.name);
+		if (!listening)
+		{
+			whack_log(RC_DEAF, "need --listen before --route");
+		}
+		if (msg.name == NULL)
+		{
+			whack_log(RC_UNKNOWN_NAME
+				, "whack --route requires a connection name");
+		}
+		else
+		{
+			struct connection *c = con_by_name(msg.name, TRUE);
+
+			if (c != NULL && c->ikev1)
+			{
+				set_cur_connection(c);
+				if (!oriented(*c))
+					whack_log(RC_ORIENT
+						, "we have no ipsecN interface for either end of this connection");
+				else if (c->policy & POLICY_GROUP)
+					route_group(c);
+				else if (!trap_connection(c))
+					whack_log(RC_ROUTE, "could not route");
+				reset_cur_connection();
+			}
+		}
 	}
-    }
 
-    if (msg.whack_status)
-	show_status(msg.whack_statusall, msg.name);
+	if (msg.whack_unroute)
+	{
+		if (msg.name == NULL)
+		{
+			whack_log(RC_UNKNOWN_NAME
+				, "whack --unroute requires a connection name");
+		}
+		else
+		{
+			struct connection *c = con_by_name(msg.name, TRUE);
+
+			if (c != NULL && c->ikev1)
+			{
+				struct spd_route *sr;
+				int fail = 0;
+
+				set_cur_connection(c);
+
+				for (sr = &c->spd; sr != NULL; sr = sr->next)
+				{
+					if (sr->routing >= RT_ROUTED_TUNNEL)
+						fail++;
+				}
+				if (fail > 0)
+					whack_log(RC_RTBUSY, "cannot unroute: route busy");
+				else if (c->policy & POLICY_GROUP)
+					unroute_group(c);
+				else
+					unroute_connection(c);
+				reset_cur_connection();
+			}
+		}
+	}
 
-    if (msg.whack_shutdown)
-    {
-	plog("shutting down");
-	exit_pluto(0);	/* delete lock and leave, with 0 status */
-    }
+	if (msg.whack_initiate)
+	{
+		if (!listening)
+		{
+			whack_log(RC_DEAF, "need --listen before --initiate");
+		}
+		else if (msg.name == NULL)
+		{
+			whack_log(RC_UNKNOWN_NAME
+				, "whack --initiate requires a connection name");
+		}
+		else
+		{
+			initiate_connection(msg.name
+				, msg.whack_async? NULL_FD : dup_any(whackfd));
+		}
+	}
 
-    if (msg.whack_sc_op != SC_OP_NONE)
-    {
-	if (pkcs11_proxy)
-	    scx_op_via_whack(msg.sc_data, msg.inbase, msg.outbase
-			   , msg.whack_sc_op, msg.keyid, whackfd);
-	else
-	   plog("pkcs11 access to smartcard not allowed (set pkcs11proxy=yes)");
-    }
+	if (msg.whack_oppo_initiate)
+	{
+		if (!listening)
+			whack_log(RC_DEAF, "need --listen before opportunistic initiation");
+		else
+			initiate_opportunistic(&msg.oppo_my_client, &msg.oppo_peer_client, 0
+				, FALSE
+				, msg.whack_async? NULL_FD : dup_any(whackfd));
+	}
+
+	if (msg.whack_terminate)
+	{
+		if (msg.name == NULL)
+		{
+			whack_log(RC_UNKNOWN_NAME
+				, "whack --terminate requires a connection name");
+		}
+		else
+		{
+			terminate_connection(msg.name);
+		}
+	}
+
+	if (msg.whack_status)
+		show_status(msg.whack_statusall, msg.name);
+
+	if (msg.whack_shutdown)
+	{
+		plog("shutting down");
+		exit_pluto(0);  /* delete lock and leave, with 0 status */
+	}
 
-    whack_log_fd = NULL_FD;
-    close(whackfd);
+	if (msg.whack_sc_op != SC_OP_NONE)
+	{
+		if (pkcs11_proxy)
+			scx_op_via_whack(msg.sc_data, msg.inbase, msg.outbase
+						   , msg.whack_sc_op, msg.keyid, whackfd);
+		else
+		   plog("pkcs11 access to smartcard not allowed (set pkcs11proxy=yes)");
+	}
+
+	whack_log_fd = NULL_FD;
+	close(whackfd);
 }
 
 /*
diff --git a/src/pluto/rcv_whack.h b/src/pluto/rcv_whack.h
index e0582202f..66edaaf80 100644
--- a/src/pluto/rcv_whack.h
+++ b/src/pluto/rcv_whack.h
@@ -10,8 +10,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: rcv_whack.h 3252 2007-10-06 21:24:50Z andreas $
  */
 
 extern void whack_handle(int kernelfd);
diff --git a/src/pluto/rnd.c b/src/pluto/rnd.c
deleted file mode 100644
index 7941034d8..000000000
--- a/src/pluto/rnd.c
+++ /dev/null
@@ -1,250 +0,0 @@
-/* randomness machinery
- * Copyright (C) 1997 Angelos D. Keromytis.
- * Copyright (C) 1998-2001  D. Hugh Redelmeier.
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- *
- * RCSID $Id: rnd.c 3252 2007-10-06 21:24:50Z andreas $
- */
-
-/* A true random number generator (we hope)
- *
- * Under LINUX ("linux" predefined), use /dev/urandom.
- * Under OpenBSD ("__OpenBSD__" predefined), use arc4random().
- * Otherwise use our own random number generator based on clock skew.
- *   I (ADK) first heard of the idea from John Ioannidis, who heard it
- *   from Matt Blaze and/or Jack Lacy.
- * ??? Why is mixing need for linux but not OpenBSD?
- */
-
-/* Pluto's uses of randomness:
- *
- * - Setting up the "secret_of_the_day".  This changes every hour!  20
- *   bytes a shot.  It is used in building responder cookies.
- *
- * - generating initiator cookies (8 bytes, once per Phase 1 initiation).
- *
- * - 32 bytes per DH local secret.  Once per Main Mode exchange and once
- *   per Quick Mode Exchange with PFS.  (Size is our choice, with
- *   tradeoffs.)
- *
- * - 16 bytes per nonce we generate.  Once per Main Mode exchange and
- *   once per Quick Mode exchange.  (Again, we choose the size.)
- *
- * - 4 bytes per SPI number that we generate.  We choose the SPIs for all
- *   inbound SPIs, one to three per IPSEC SA (one for AH (rare, probably)
- *   one for ESP (almost always), and one for tunnel (very common)).
- *   I don't actually know how the kernel would generate these numbers --
- *   currently Pluto generates them; this isn't the way things will be
- *   done in the future.
- *
- * - 4 bytes per Message ID we need to generate.  One per Quick Mode
- *   exchange.  Eventually, one per informational exchange.
- */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <signal.h>
-#include <unistd.h>
-#include <errno.h>
-#include <sys/time.h>
-#include <fcntl.h>
-
-#include <freeswan.h>
-
-#include "sha1.h"
-#include "constants.h"
-#include "defs.h"
-#include "rnd.h"
-#include "log.h"
-#include "timer.h"
-
-#ifdef linux
-# define USE_DEV_RANDOM	1
-# define RANDOM_PATH    DEV_URANDOM
-#else
-# ifdef __OpenBSD__
-#  define USE_ARC4RANDOM
-# else
-#   define USE_CLOCK_SLEW
-# endif
-#endif
-
-#ifdef USE_ARC4RANDOM
-
-#define get_rnd_byte() (arc4random() % 256)
-
-#else	/**** start of large #else ****/
-
-#ifdef USE_DEV_RANDOM
-static int random_fd = NULL_FD;
-#endif
-
-#define RANDOM_POOL_SIZE   SHA1_DIGEST_SIZE
-static u_char random_pool[RANDOM_POOL_SIZE];
-
-#ifdef USE_DEV_RANDOM
-
-/* Generate (what we hope is) a true random byte using /dev/urandom  */
-static u_char
-generate_rnd_byte(void)
-{
-    u_char c;
-
-    if (read(random_fd, &c, sizeof(c)) == -1)
-	exit_log_errno((e, "read() failed in get_rnd_byte()"));
-
-    return c;
-}
-
-#else /* !USE_DEV_RANDOM */
-
-/* Generate (what we hope is) a true random byte using the clock skew trick.
- * Note: this code is not maintained!  In particular, LINUX signal(2)
- * semantics changed with glibc2 (and not for the better).  It isn't clear
- * that this code will work.  We keep the code because someday it might
- * come in handy.
- */
-# error "This code is not maintained.  Please define USE_DEV_RANDOM."
-
-static volatile sig_atomic_t i, j, k;
-
-/* timer signal handler */
-static void
-rnd_handler(int ignore_me UNUSED)
-{
-    k <<= 1;	/* Shift left by 1 */
-    j++;
-    k |= (i & 0x1); /* Get lsbit of counter */
-
-    if (j != 8)
-	signal(SIGVTALRM, rnd_handler);
-}
-
-static u_char
-generate_rnd_byte(void)
-{
-    struct itimerval tmval, ntmval;
-
-# ifdef NEVER	/* ??? */
-#  ifdef linux
-    int mask = siggetmask();
-
-    mask |= SIGVTALRM;
-    sigsetmask(mask);
-#  endif
-# endif
-
-    i = 0;
-    j = 0;
-
-    ntmval.it_interval.tv_sec = 0;
-    ntmval.it_interval.tv_usec = 1;
-    ntmval.it_value.tv_sec = 0;
-    ntmval.it_value.tv_usec = 1;
-    signal(SIGVTALRM, rnd_handler);
-    setitimer(ITIMER_VIRTUAL, &ntmval, &tmval);
-
-    while (j != 8)
-	i++;
-
-    setitimer(ITIMER_VIRTUAL, &tmval, &ntmval);
-    signal(SIGVTALRM, SIG_IGN);
-
-# ifdef NEVER	/* ??? */
-#  ifdef linux
-    mask ^= SIGVTALRM;
-    sigsetmask(mask);
-#  endif
-# endif
-
-    return k;
-}
-
-#endif /* !USE_DEV_RANDOM */
-
-static void
-mix_pool(void)
-{
-    SHA1_CTX ctx;
-
-    SHA1Init(&ctx);
-    SHA1Update(&ctx, random_pool, RANDOM_POOL_SIZE);
-    SHA1Final(random_pool, &ctx);
-}
-
-/*
- * Get a single random byte.
- */
-static u_char
-get_rnd_byte(void)
-{
-    random_pool[RANDOM_POOL_SIZE - 1] = generate_rnd_byte();
-    random_pool[0] = generate_rnd_byte();
-    mix_pool();
-    return random_pool[0];
-}
-
-#endif /* !USE_ARC4RANDOM */	/**** end of large #else ****/
-
-void
-get_rnd_bytes(u_char *buffer, int length)
-{
-    int i;
-
-    for (i = 0; i < length; i++)
-	buffer[i] = get_rnd_byte();
-}
-
-/*
- * Initialize the random pool.
- */
-void
-init_rnd_pool(void)
-{
-#ifndef USE_ARC4RANDOM
-# ifdef USE_DEV_RANDOM
-    DBG(DBG_KLIPS, DBG_log("opening %s", RANDOM_PATH));
-    random_fd = open(RANDOM_PATH, O_RDONLY);
-    if (random_fd == -1)
-	exit_log_errno((e, "open of %s failed in init_rnd_pool()", RANDOM_PATH));
-    fcntl(random_fd, F_SETFD, FD_CLOEXEC);
-# endif
-
-    get_rnd_bytes(random_pool, RANDOM_POOL_SIZE);
-    mix_pool();
-#endif /* !USE_ARC4RANDOM */
-
-    /* start of rand(3) on the right foot */
-    {
-	unsigned int seed;
-
-	get_rnd_bytes((void *)&seed, sizeof(seed));
-	srand(seed);
-    }
-}
-
-u_char    secret_of_the_day[SHA1_DIGEST_SIZE];
-
-#ifndef NO_PLUTO
-
-void
-init_secret(void)
-{
-    /*
-     * Generate the secret value for responder cookies, and
-     * schedule an event for refresh.
-     */
-    get_rnd_bytes(secret_of_the_day, sizeof(secret_of_the_day));
-    event_schedule(EVENT_REINIT_SECRET, EVENT_REINIT_SECRET_DELAY, NULL);
-}
-
-#endif /* NO_PLUTO */
diff --git a/src/pluto/rnd.h b/src/pluto/rnd.h
deleted file mode 100644
index e32b68b47..000000000
--- a/src/pluto/rnd.h
+++ /dev/null
@@ -1,21 +0,0 @@
-/* randomness machinery
- * Copyright (C) 1998, 1999  D. Hugh Redelmeier.
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- *
- * RCSID $Id: rnd.h 3252 2007-10-06 21:24:50Z andreas $
- */
-
-extern u_char    secret_of_the_day[SHA1_DIGEST_SIZE];
-
-extern void get_rnd_bytes(u_char *buffer, int length);
-extern void init_rnd_pool(void);
-extern void init_secret(void);
diff --git a/src/pluto/server.c b/src/pluto/server.c
index b0e158503..21f65f4f8 100644
--- a/src/pluto/server.c
+++ b/src/pluto/server.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: server.c 3252 2007-10-06 21:24:50Z andreas $
  */
 
 #include <stdio.h>
@@ -27,7 +25,7 @@
 #include <sys/socket.h>
 #include <sys/un.h>
 #ifdef SOLARIS
-# include <sys/sockio.h>	/* for Solaris 2.6: defines SIOCGIFCONF */
+# include <sys/sockio.h>        /* for Solaris 2.6: defines SIOCGIFCONF */
 #endif
 #include <netinet/in.h>
 #include <arpa/inet.h>
@@ -38,7 +36,7 @@
 #include <net/if.h>
 #include <sys/ioctl.h>
 #include <resolv.h>
-#include <arpa/nameser.h>	/* missing from <resolv.h> on old systems */
+#include <arpa/nameser.h>       /* missing from <resolv.h> on old systems */
 #include <sys/queue.h>
 
 #include <freeswan.h>
@@ -55,9 +53,9 @@
 #include "demux.h"  /* needs packet.h */
 #include "rcv_whack.h"
 #include "keys.h"
-#include "adns.h"	/* needs <resolv.h> */
-#include "dnskey.h"	/* needs keys.h and adns.h */
-#include "whack.h"	/* for RC_LOG_SERIOUS */
+#include "adns.h"       /* needs <resolv.h> */
+#include "dnskey.h"     /* needs keys.h and adns.h */
+#include "whack.h"      /* for RC_LOG_SERIOUS */
 
 #include <pfkeyv2.h>
 #include <pfkey.h>
@@ -68,10 +66,10 @@
  *  Server main loop and socket initialization routines.
  */
 
-static const int on = TRUE;	/* by-reference parameter; constant, we hope */
+static const int on = TRUE;     /* by-reference parameter; constant, we hope */
 
 /* control (whack) socket */
-int ctl_fd = NULL_FD;	/* file descriptor of control (whack) socket */
+int ctl_fd = NULL_FD;   /* file descriptor of control (whack) socket */
 struct sockaddr_un ctl_addr = { AF_UNIX, DEFAULT_CTLBASE CTL_SUFFIX };
 
 /* info (showpolicy) socket */
@@ -86,121 +84,121 @@ struct sockaddr_un info_addr= { AF_UNIX, DEFAULT_CTLBASE INFO_SUFFIX };
 err_t
 init_ctl_socket(void)
 {
-    err_t failed = NULL;
-
-    delete_ctl_socket();	/* preventative medicine */
-    ctl_fd = socket(AF_UNIX, SOCK_STREAM, 0);
-    if (ctl_fd == -1)
-	failed = "create";
-    else if (fcntl(ctl_fd, F_SETFD, FD_CLOEXEC) == -1)
-	failed = "fcntl FD+CLOEXEC";
-    else if (setsockopt(ctl_fd, SOL_SOCKET, SO_REUSEADDR, (const void *)&on, sizeof(on)) < 0)
-	failed = "setsockopt";
-    else
-    {
-	/* to keep control socket secure, use umask */
-	mode_t ou = umask(~S_IRWXU);
-
-	if (bind(ctl_fd, (struct sockaddr *)&ctl_addr
-	, offsetof(struct sockaddr_un, sun_path) + strlen(ctl_addr.sun_path)) < 0)
-	    failed = "bind";
-	umask(ou);
-    }
-
-    /* 5 is a haphazardly chosen limit for the backlog.
-     * Rumour has it that this is the max on BSD systems.
-     */
-    if (failed == NULL && listen(ctl_fd, 5) < 0)
-	failed = "listen() on";
-
-    return failed == NULL? NULL : builddiag("could not %s control socket: %d %s"
-	    , failed, errno, strerror(errno));
+	err_t failed = NULL;
+
+	delete_ctl_socket();        /* preventative medicine */
+	ctl_fd = socket(AF_UNIX, SOCK_STREAM, 0);
+	if (ctl_fd == -1)
+		failed = "create";
+	else if (fcntl(ctl_fd, F_SETFD, FD_CLOEXEC) == -1)
+		failed = "fcntl FD+CLOEXEC";
+	else if (setsockopt(ctl_fd, SOL_SOCKET, SO_REUSEADDR, (const void *)&on, sizeof(on)) < 0)
+		failed = "setsockopt";
+	else
+	{
+		/* to keep control socket secure, use umask */
+		mode_t ou = umask(~S_IRWXU);
+
+		if (bind(ctl_fd, (struct sockaddr *)&ctl_addr
+		, offsetof(struct sockaddr_un, sun_path) + strlen(ctl_addr.sun_path)) < 0)
+			failed = "bind";
+		umask(ou);
+	}
+
+	/* 5 is a haphazardly chosen limit for the backlog.
+	 * Rumour has it that this is the max on BSD systems.
+	 */
+	if (failed == NULL && listen(ctl_fd, 5) < 0)
+		failed = "listen() on";
+
+	return failed == NULL? NULL : builddiag("could not %s control socket: %d %s"
+			, failed, errno, strerror(errno));
 }
 
 void
 delete_ctl_socket(void)
 {
-    /* Is noting failure useful?  Not when used as preventative medicine. */
-    unlink(ctl_addr.sun_path);
+	/* Is noting failure useful?  Not when used as preventative medicine. */
+	unlink(ctl_addr.sun_path);
 }
 
-bool listening = FALSE;	/* should we pay attention to IKE messages? */
+bool listening = FALSE; /* should we pay attention to IKE messages? */
 
-struct iface *interfaces = NULL;	/* public interfaces */
+struct iface *interfaces = NULL;        /* public interfaces */
 
 /* Initialize the interface sockets. */
 
 static void
 mark_ifaces_dead(void)
 {
-    struct iface *p;
+	struct iface *p;
 
-    for (p = interfaces; p != NULL; p = p->next)
-	p->change = IFN_DELETE;
+	for (p = interfaces; p != NULL; p = p->next)
+		p->change = IFN_DELETE;
 }
 
 static void
 free_dead_ifaces(void)
 {
-    struct iface *p;
-    bool some_dead = FALSE
-	, some_new = FALSE;
+	struct iface *p;
+	bool some_dead = FALSE
+		, some_new = FALSE;
 
-    for (p = interfaces; p != NULL; p = p->next)
-    {
-	if (p->change == IFN_DELETE)
-	{
-	    plog("shutting down interface %s/%s %s"
-		, p->vname, p->rname, ip_str(&p->addr));
-	    some_dead = TRUE;
-	}
-	else if (p->change == IFN_ADD)
+	for (p = interfaces; p != NULL; p = p->next)
 	{
-	    some_new = TRUE;
+		if (p->change == IFN_DELETE)
+		{
+			plog("shutting down interface %s/%s %s"
+				, p->vname, p->rname, ip_str(&p->addr));
+			some_dead = TRUE;
+		}
+		else if (p->change == IFN_ADD)
+		{
+			some_new = TRUE;
+		}
 	}
-    }
-
-    if (some_dead)
-    {
-	struct iface **pp;
 
-	release_dead_interfaces();
-	for (pp = &interfaces; (p = *pp) != NULL; )
+	if (some_dead)
 	{
-	    if (p->change == IFN_DELETE)
-	    {
-		*pp = p->next;	/* advance *pp */
-		pfree(p->vname);
-		pfree(p->rname);
-		close(p->fd);
-		pfree(p);
-	    }
-	    else
-	    {
-		pp = &p->next;	/* advance pp */
-	    }
+		struct iface **pp;
+
+		release_dead_interfaces();
+		for (pp = &interfaces; (p = *pp) != NULL; )
+		{
+			if (p->change == IFN_DELETE)
+			{
+				*pp = p->next;  /* advance *pp */
+				free(p->vname);
+				free(p->rname);
+				close(p->fd);
+				free(p);
+			}
+			else
+			{
+				pp = &p->next;  /* advance pp */
+			}
+		}
 	}
-    }
-
-    /* this must be done after the release_dead_interfaces
-     * in case some to the newly unoriented connections can
-     * become oriented here.
-     */
-    if (some_dead || some_new)
-	check_orientations();
+
+	/* this must be done after the release_dead_interfaces
+	 * in case some to the newly unoriented connections can
+	 * become oriented here.
+	 */
+	if (some_dead || some_new)
+		check_orientations();
 }
 
 void
 free_ifaces(void)
 {
-    mark_ifaces_dead();
-    free_dead_ifaces();
+	mark_ifaces_dead();
+	free_dead_ifaces();
 }
 
 struct raw_iface {
-    ip_address addr;
-    char name[IFNAMSIZ + 20];	/* what would be a safe size? */
-    struct raw_iface *next;
+	ip_address addr;
+	char name[IFNAMSIZ + 20];   /* what would be a safe size? */
+	struct raw_iface *next;
 };
 
 /* Called to handle --interface <ifname>
@@ -212,15 +210,15 @@ static int pluto_ifn_roof = 0;
 bool
 use_interface(const char *rifn)
 {
-    if (pluto_ifn_roof >= (int)elemsof(pluto_ifn))
-    {
-	return FALSE;
-    }
-    else
-    {
-	pluto_ifn[pluto_ifn_roof++] = rifn;
-	return TRUE;
-    }
+	if (pluto_ifn_roof >= (int)countof(pluto_ifn))
+	{
+		return FALSE;
+	}
+	else
+	{
+		pluto_ifn[pluto_ifn_roof++] = rifn;
+		return TRUE;
+	}
 }
 
 #ifndef IPSECDEVPREFIX
@@ -230,538 +228,542 @@ use_interface(const char *rifn)
 static struct raw_iface *
 find_raw_ifaces4(void)
 {
-    int j;	/* index into buf */
-    struct ifconf ifconf;
-    struct ifreq buf[300];	/* for list of interfaces -- arbitrary limit */
-    struct raw_iface *rifaces = NULL;
-    int master_sock = socket(PF_INET, SOCK_DGRAM, IPPROTO_UDP);    /* Get a UDP socket */
-
-    /* get list of interfaces with assigned IPv4 addresses from system */
-
-    if (master_sock == -1)
-	exit_log_errno((e, "socket() failed in find_raw_ifaces4()"));
-
-    if (setsockopt(master_sock, SOL_SOCKET, SO_REUSEADDR
-    , (const void *)&on, sizeof(on)) < 0)
-	exit_log_errno((e, "setsockopt() in find_raw_ifaces4()"));
-
-    /* bind the socket */
-    {
-	ip_address any;
-
-	happy(anyaddr(AF_INET, &any));
-	setportof(htons(pluto_port), &any);
-	if (bind(master_sock, sockaddrof(&any), sockaddrlenof(&any)) < 0)
-	    exit_log_errno((e, "bind() failed in find_raw_ifaces4()"));
-    }
-
-    /* Get local interfaces.  See netdevice(7). */
-    ifconf.ifc_len = sizeof(buf);
-    ifconf.ifc_buf = (void *) buf;
-    zero(buf);
-
-    if (ioctl(master_sock, SIOCGIFCONF, &ifconf) == -1)
-	exit_log_errno((e, "ioctl(SIOCGIFCONF) in find_raw_ifaces4()"));
-
-    /* Add an entry to rifaces for each interesting interface. */
-    for (j = 0; (j+1) * sizeof(*buf) <= (size_t)ifconf.ifc_len; j++)
-    {
-	struct raw_iface ri;
-	const struct sockaddr_in *rs = (struct sockaddr_in *) &buf[j].ifr_addr;
-	struct ifreq auxinfo;
-
-	/* ignore all but AF_INET interfaces */
-	if (rs->sin_family != AF_INET)
-	    continue;	/* not interesting */
-
-	/* build a NUL-terminated copy of the rname field */
-	memcpy(ri.name, buf[j].ifr_name, IFNAMSIZ);
-	ri.name[IFNAMSIZ] = '\0';
-
-	/* ignore if our interface names were specified, and this isn't one */
-	if (pluto_ifn_roof != 0)
+	int j;      /* index into buf */
+	struct ifconf ifconf;
+	struct ifreq buf[300];      /* for list of interfaces -- arbitrary limit */
+	struct raw_iface *rifaces = NULL;
+	int master_sock = socket(PF_INET, SOCK_DGRAM, IPPROTO_UDP);    /* Get a UDP socket */
+
+	/* get list of interfaces with assigned IPv4 addresses from system */
+
+	if (master_sock == -1)
+		exit_log_errno((e, "socket() failed in find_raw_ifaces4()"));
+
+	if (setsockopt(master_sock, SOL_SOCKET, SO_REUSEADDR
+	, (const void *)&on, sizeof(on)) < 0)
+		exit_log_errno((e, "setsockopt() in find_raw_ifaces4()"));
+
+	/* bind the socket */
 	{
-	    int i;
+		ip_address any;
 
-	    for (i = 0; i != pluto_ifn_roof; i++)
-		if (streq(ri.name, pluto_ifn[i]))
-		    break;
-	    if (i == pluto_ifn_roof)
-		continue;	/* not found -- skip */
+		happy(anyaddr(AF_INET, &any));
+		setportof(htons(pluto_port), &any);
+		if (bind(master_sock, sockaddrof(&any), sockaddrlenof(&any)) < 0)
+			exit_log_errno((e, "bind() failed in find_raw_ifaces4()"));
 	}
 
-	/* Find out stuff about this interface.  See netdevice(7). */
-	zero(&auxinfo);	/* paranoia */
-	memcpy(auxinfo.ifr_name, buf[j].ifr_name, IFNAMSIZ);
-	if (ioctl(master_sock, SIOCGIFFLAGS, &auxinfo) == -1)
-	    exit_log_errno((e
-		, "ioctl(SIOCGIFFLAGS) for %s in find_raw_ifaces4()"
-		, ri.name));
-	if (!(auxinfo.ifr_flags & IFF_UP))
-	    continue;	/* ignore an interface that isn't UP */
+	/* Get local interfaces.  See netdevice(7). */
+	ifconf.ifc_len = sizeof(buf);
+	ifconf.ifc_buf = (void *) buf;
+	zero(buf);
 
-	/* ignore unconfigured interfaces */
-	if (rs->sin_addr.s_addr == 0)
-	    continue;
+	if (ioctl(master_sock, SIOCGIFCONF, &ifconf) == -1)
+		exit_log_errno((e, "ioctl(SIOCGIFCONF) in find_raw_ifaces4()"));
 
-	happy(initaddr((const void *)&rs->sin_addr, sizeof(struct in_addr)
-	    , AF_INET, &ri.addr));
+	/* Add an entry to rifaces for each interesting interface. */
+	for (j = 0; (j+1) * sizeof(*buf) <= (size_t)ifconf.ifc_len; j++)
+	{
+		struct raw_iface ri;
+		const struct sockaddr_in *rs = (struct sockaddr_in *) &buf[j].ifr_addr;
+		struct ifreq auxinfo;
 
-	DBG(DBG_CONTROL, DBG_log("found %s with address %s"
-	    , ri.name, ip_str(&ri.addr)));
-	ri.next = rifaces;
-	rifaces = clone_thing(ri, "struct raw_iface");
-    }
+		/* ignore all but AF_INET interfaces */
+		if (rs->sin_family != AF_INET)
+			continue;   /* not interesting */
 
-    close(master_sock);
+		/* build a NUL-terminated copy of the rname field */
+		memcpy(ri.name, buf[j].ifr_name, IFNAMSIZ);
+		ri.name[IFNAMSIZ] = '\0';
 
-    return rifaces;
+		/* ignore if our interface names were specified, and this isn't one */
+		if (pluto_ifn_roof != 0)
+		{
+			int i;
+
+			for (i = 0; i != pluto_ifn_roof; i++)
+				if (streq(ri.name, pluto_ifn[i]))
+					break;
+			if (i == pluto_ifn_roof)
+				continue;       /* not found -- skip */
+		}
+
+		/* Find out stuff about this interface.  See netdevice(7). */
+		zero(&auxinfo); /* paranoia */
+		memcpy(auxinfo.ifr_name, buf[j].ifr_name, IFNAMSIZ);
+		if (ioctl(master_sock, SIOCGIFFLAGS, &auxinfo) == -1)
+			exit_log_errno((e
+				, "ioctl(SIOCGIFFLAGS) for %s in find_raw_ifaces4()"
+				, ri.name));
+		if (!(auxinfo.ifr_flags & IFF_UP))
+			continue;   /* ignore an interface that isn't UP */
+
+		/* ignore unconfigured interfaces */
+		if (rs->sin_addr.s_addr == 0)
+			continue;
+
+		happy(initaddr((const void *)&rs->sin_addr, sizeof(struct in_addr)
+			, AF_INET, &ri.addr));
+
+		DBG(DBG_CONTROL, DBG_log("found %s with address %s"
+			, ri.name, ip_str(&ri.addr)));
+		ri.next = rifaces;
+		rifaces = clone_thing(ri);
+	}
+
+	close(master_sock);
+
+	return rifaces;
 }
 
 static struct raw_iface *
 find_raw_ifaces6(void)
 {
 
-    /* Get list of interfaces with IPv6 addresses from system from /proc/net/if_inet6).
-     *
-     * Documentation of format?
-     * RTFS: linux-2.2.16/net/ipv6/addrconf.c:iface_proc_info()
-     *       linux-2.4.9-13/net/ipv6/addrconf.c:iface_proc_info()
-     *
-     * Sample from Gerhard's laptop:
-     *	00000000000000000000000000000001 01 80 10 80       lo
-     *	30490009000000000000000000010002 02 40 00 80   ipsec0
-     *	30490009000000000000000000010002 07 40 00 80     eth0
-     *	fe80000000000000025004fffefd5484 02 0a 20 80   ipsec0
-     *	fe80000000000000025004fffefd5484 07 0a 20 80     eth0
-     *
-     * Each line contains:
-     * - IPv6 address: 16 bytes, in hex, no punctuation
-     * - ifindex: 1 byte, in hex
-     * - prefix_len: 1 byte, in hex
-     * - scope (e.g. global, link local): 1 byte, in hex
-     * - flags: 1 byte, in hex
-     * - device name: string, followed by '\n'
-     */
-    struct raw_iface *rifaces = NULL;
-    static const char proc_name[] = "/proc/net/if_inet6";
-    FILE *proc_sock = fopen(proc_name, "r");
-
-    if (proc_sock == NULL)
-    {
-	DBG(DBG_CONTROL, DBG_log("could not open %s", proc_name));
-    }
-    else
-    {
-	for (;;)
+	/* Get list of interfaces with IPv6 addresses from system from /proc/net/if_inet6).
+	 *
+	 * Documentation of format?
+	 * RTFS: linux-2.2.16/net/ipv6/addrconf.c:iface_proc_info()
+	 *       linux-2.4.9-13/net/ipv6/addrconf.c:iface_proc_info()
+	 *
+	 * Sample from Gerhard's laptop:
+	 *  00000000000000000000000000000001 01 80 10 80       lo
+	 *  30490009000000000000000000010002 02 40 00 80   ipsec0
+	 *  30490009000000000000000000010002 07 40 00 80     eth0
+	 *  fe80000000000000025004fffefd5484 02 0a 20 80   ipsec0
+	 *  fe80000000000000025004fffefd5484 07 0a 20 80     eth0
+	 *
+	 * Each line contains:
+	 * - IPv6 address: 16 bytes, in hex, no punctuation
+	 * - ifindex: 1 byte, in hex
+	 * - prefix_len: 1 byte, in hex
+	 * - scope (e.g. global, link local): 1 byte, in hex
+	 * - flags: 1 byte, in hex
+	 * - device name: string, followed by '\n'
+	 */
+	struct raw_iface *rifaces = NULL;
+	static const char proc_name[] = "/proc/net/if_inet6";
+	FILE *proc_sock = fopen(proc_name, "r");
+
+	if (proc_sock == NULL)
 	{
-	    struct raw_iface ri;
-	    unsigned short xb[8];	/* IPv6 address as 8 16-bit chunks */
-	    char sb[8*5];	/* IPv6 address as string-with-colons */
-	    unsigned int if_idx;	/* proc field, not used */
-	    unsigned int plen;	/* proc field, not used */
-	    unsigned int scope;	/* proc field, used to exclude link-local */
-	    unsigned int dad_status;	/* proc field, not used */
-	    /* ??? I hate and distrust scanf -- DHR */
-	    int r = fscanf(proc_sock
-		, "%4hx%4hx%4hx%4hx%4hx%4hx%4hx%4hx"
-		  " %02x %02x %02x %02x %20s\n"
-		, xb+0, xb+1, xb+2, xb+3, xb+4, xb+5, xb+6, xb+7
-		, &if_idx, &plen, &scope, &dad_status, ri.name);
-
-	    /* ??? we should diagnose any problems */
-	    if (r != 13)
-		break;
-
-	    /* ignore addresses with link local scope.
-	     * From linux-2.4.9-13/include/net/ipv6.h:
-	     * IPV6_ADDR_LINKLOCAL	0x0020U
-	     * IPV6_ADDR_SCOPE_MASK	0x00f0U
-	     */
-	    if ((scope & 0x00f0U) == 0x0020U)
-		continue;
-
-	    snprintf(sb, sizeof(sb)
-		, "%04x:%04x:%04x:%04x:%04x:%04x:%04x:%04x"
-		, xb[0], xb[1], xb[2], xb[3], xb[4], xb[5], xb[6], xb[7]);
-
-	    happy(ttoaddr(sb, 0, AF_INET6, &ri.addr));
-
-	    if (!isunspecaddr(&ri.addr))
-	    {
-		DBG(DBG_CONTROL
-		    , DBG_log("found %s with address %s"
-			, ri.name, sb));
-		ri.next = rifaces;
-		rifaces = clone_thing(ri, "struct raw_iface");
-	    }
+		DBG(DBG_CONTROL, DBG_log("could not open %s", proc_name));
+	}
+	else
+	{
+		for (;;)
+		{
+			struct raw_iface ri;
+			unsigned short xb[8];       /* IPv6 address as 8 16-bit chunks */
+			char sb[8*5];       /* IPv6 address as string-with-colons */
+			unsigned int if_idx;        /* proc field, not used */
+			unsigned int plen;  /* proc field, not used */
+			unsigned int scope; /* proc field, used to exclude link-local */
+			unsigned int dad_status;    /* proc field, not used */
+			/* ??? I hate and distrust scanf -- DHR */
+			int r = fscanf(proc_sock
+				, "%4hx%4hx%4hx%4hx%4hx%4hx%4hx%4hx"
+				  " %02x %02x %02x %02x %20s\n"
+				, xb+0, xb+1, xb+2, xb+3, xb+4, xb+5, xb+6, xb+7
+				, &if_idx, &plen, &scope, &dad_status, ri.name);
+
+			/* ??? we should diagnose any problems */
+			if (r != 13)
+				break;
+
+			/* ignore addresses with link local scope.
+			 * From linux-2.4.9-13/include/net/ipv6.h:
+			 * IPV6_ADDR_LINKLOCAL      0x0020U
+			 * IPV6_ADDR_SCOPE_MASK     0x00f0U
+			 */
+			if ((scope & 0x00f0U) == 0x0020U)
+				continue;
+
+			snprintf(sb, sizeof(sb)
+				, "%04x:%04x:%04x:%04x:%04x:%04x:%04x:%04x"
+				, xb[0], xb[1], xb[2], xb[3], xb[4], xb[5], xb[6], xb[7]);
+
+			happy(ttoaddr(sb, 0, AF_INET6, &ri.addr));
+
+			if (!isunspecaddr(&ri.addr))
+			{
+				DBG(DBG_CONTROL
+					, DBG_log("found %s with address %s"
+						, ri.name, sb));
+				ri.next = rifaces;
+				rifaces = clone_thing(ri);
+			}
+		}
+		fclose(proc_sock);
 	}
-	fclose(proc_sock);
-    }
 
-    return rifaces;
+	return rifaces;
 }
 
 #if 1
 static int
 create_socket(struct raw_iface *ifp, const char *v_name, int port)
 {
-    int fd = socket(addrtypeof(&ifp->addr), SOCK_DGRAM, IPPROTO_UDP);
-    int fcntl_flags;
+	int fd = socket(addrtypeof(&ifp->addr), SOCK_DGRAM, IPPROTO_UDP);
+	int fcntl_flags;
 
-    if (fd < 0)
-    {
-	log_errno((e, "socket() in process_raw_ifaces()"));
-	return -1;
-    }
+	if (fd < 0)
+	{
+		log_errno((e, "socket() in process_raw_ifaces()"));
+		return -1;
+	}
 
 #if 1
-    /* Set socket Nonblocking */
-    if ((fcntl_flags=fcntl(fd, F_GETFL)) >= 0) {
-	if (!(fcntl_flags & O_NONBLOCK)) {
-	    fcntl_flags |= O_NONBLOCK;
-	    fcntl(fd, F_SETFL, fcntl_flags);
+	/* Set socket Nonblocking */
+	if ((fcntl_flags=fcntl(fd, F_GETFL)) >= 0) {
+		if (!(fcntl_flags & O_NONBLOCK)) {
+			fcntl_flags |= O_NONBLOCK;
+			fcntl(fd, F_SETFL, fcntl_flags);
+		}
 	}
-    }
-#endif
-
-    if (fcntl(fd, F_SETFD, FD_CLOEXEC) == -1)
-    {
-	log_errno((e, "fcntl(,, FD_CLOEXEC) in process_raw_ifaces()"));
-	close(fd);
-	return -1;
-    }
-
-    if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR
-    , (const void *)&on, sizeof(on)) < 0)
-    {
-	log_errno((e, "setsockopt SO_REUSEADDR in process_raw_ifaces()"));
-	close(fd);
-	return -1;
-    }
-
-    /* To improve error reporting.  See ip(7). */
-#if defined(IP_RECVERR) && defined(MSG_ERRQUEUE)
-    if (setsockopt(fd, SOL_IP, IP_RECVERR
-    , (const void *)&on, sizeof(on)) < 0)
-    {
-	log_errno((e, "setsockopt IP_RECVERR in process_raw_ifaces()"));
-	close(fd);
-	return -1;
-    }
-#endif
-
-    /* With IPv6, there is no fragmentation after
-     * it leaves our interface.  PMTU discovery
-     * is mandatory but doesn't work well with IKE (why?).
-     * So we must set the IPV6_USE_MIN_MTU option.
-     * See draft-ietf-ipngwg-rfc2292bis-01.txt 11.1
-     */
-#ifdef IPV6_USE_MIN_MTU	/* YUCK: not always defined */
-    if (addrtypeof(&ifp->addr) == AF_INET6
-    && setsockopt(fd, SOL_SOCKET, IPV6_USE_MIN_MTU
-      , (const void *)&on, sizeof(on)) < 0)
-    {
-	log_errno((e, "setsockopt IPV6_USE_MIN_MTU in process_raw_ifaces()"));
-	close(fd);
-	return -1;
-    }
 #endif
 
-#if defined(linux) && defined(KERNEL26_SUPPORT)
-    if (!no_klips && kernel_ops->type == KERNEL_TYPE_LINUX)
-    {
-	struct sadb_x_policy policy;
-	int level, opt;
-
-	policy.sadb_x_policy_len = sizeof(policy) / IPSEC_PFKEYv2_ALIGN;
-	policy.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
-	policy.sadb_x_policy_type = IPSEC_POLICY_BYPASS;
-	policy.sadb_x_policy_dir = IPSEC_DIR_INBOUND;
-	policy.sadb_x_policy_reserved = 0;
-	policy.sadb_x_policy_id = 0;
-	policy.sadb_x_policy_reserved2 = 0;
-
-	if (addrtypeof(&ifp->addr) == AF_INET6)
+	if (fcntl(fd, F_SETFD, FD_CLOEXEC) == -1)
 	{
-	    level = IPPROTO_IPV6;
-	    opt = IPV6_IPSEC_POLICY;
+		log_errno((e, "fcntl(,, FD_CLOEXEC) in process_raw_ifaces()"));
+		close(fd);
+		return -1;
 	}
-	else
+
+	if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR
+	, (const void *)&on, sizeof(on)) < 0)
 	{
-	    level = IPPROTO_IP;
-	    opt = IP_IPSEC_POLICY;
+		log_errno((e, "setsockopt SO_REUSEADDR in process_raw_ifaces()"));
+		close(fd);
+		return -1;
 	}
 
-	if (setsockopt(fd, level, opt
-	  , &policy, sizeof(policy)) < 0)
+	/* To improve error reporting.  See ip(7). */
+#if defined(IP_RECVERR) && defined(MSG_ERRQUEUE)
+	if (setsockopt(fd, SOL_IP, IP_RECVERR
+	, (const void *)&on, sizeof(on)) < 0)
 	{
-	    log_errno((e, "setsockopt IPSEC_POLICY in process_raw_ifaces()"));
-	    close(fd);
-	    return -1;
+		log_errno((e, "setsockopt IP_RECVERR in process_raw_ifaces()"));
+		close(fd);
+		return -1;
 	}
+#endif
 
-	policy.sadb_x_policy_dir = IPSEC_DIR_OUTBOUND;
+	/* With IPv6, there is no fragmentation after
+	 * it leaves our interface.  PMTU discovery
+	 * is mandatory but doesn't work well with IKE (why?).
+	 * So we must set the IPV6_USE_MIN_MTU option.
+	 * See draft-ietf-ipngwg-rfc2292bis-01.txt 11.1
+	 */
+#ifdef IPV6_USE_MIN_MTU /* YUCK: not always defined */
+	if (addrtypeof(&ifp->addr) == AF_INET6
+	&& setsockopt(fd, SOL_SOCKET, IPV6_USE_MIN_MTU
+	  , (const void *)&on, sizeof(on)) < 0)
+	{
+		log_errno((e, "setsockopt IPV6_USE_MIN_MTU in process_raw_ifaces()"));
+		close(fd);
+		return -1;
+	}
+#endif
 
-	if (setsockopt(fd, level, opt
-	  , &policy, sizeof(policy)) < 0)
+#if defined(linux) && defined(KERNEL26_SUPPORT)
+	if (!no_klips && kernel_ops->type == KERNEL_TYPE_LINUX)
 	{
-	    log_errno((e, "setsockopt IPSEC_POLICY in process_raw_ifaces()"));
-	    close(fd);
-	    return -1;
+		struct sadb_x_policy policy;
+		int level, opt;
+
+		policy.sadb_x_policy_len = sizeof(policy) / IPSEC_PFKEYv2_ALIGN;
+		policy.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
+		policy.sadb_x_policy_type = IPSEC_POLICY_BYPASS;
+		policy.sadb_x_policy_dir = IPSEC_DIR_INBOUND;
+		policy.sadb_x_policy_reserved = 0;
+		policy.sadb_x_policy_id = 0;
+		policy.sadb_x_policy_reserved2 = 0;
+
+		if (addrtypeof(&ifp->addr) == AF_INET6)
+		{
+			level = IPPROTO_IPV6;
+			opt = IPV6_IPSEC_POLICY;
+		}
+		else
+		{
+			level = IPPROTO_IP;
+			opt = IP_IPSEC_POLICY;
+		}
+
+		if (setsockopt(fd, level, opt
+		  , &policy, sizeof(policy)) < 0)
+		{
+			log_errno((e, "setsockopt IPSEC_POLICY in process_raw_ifaces()"));
+			close(fd);
+			return -1;
+		}
+
+		policy.sadb_x_policy_dir = IPSEC_DIR_OUTBOUND;
+
+		if (setsockopt(fd, level, opt
+		  , &policy, sizeof(policy)) < 0)
+		{
+			log_errno((e, "setsockopt IPSEC_POLICY in process_raw_ifaces()"));
+			close(fd);
+			return -1;
+		}
 	}
-    }
 #endif
 
-    setportof(htons(port), &ifp->addr);
-    if (bind(fd, sockaddrof(&ifp->addr), sockaddrlenof(&ifp->addr)) < 0)
-    {
-	log_errno((e, "bind() for %s/%s %s:%u in process_raw_ifaces()"
-	    , ifp->name, v_name
-	    , ip_str(&ifp->addr), (unsigned) port));
-	close(fd);
-	return -1;
-    }
-    setportof(htons(pluto_port), &ifp->addr);
-    return fd;
+	setportof(htons(port), &ifp->addr);
+	if (bind(fd, sockaddrof(&ifp->addr), sockaddrlenof(&ifp->addr)) < 0)
+	{
+		log_errno((e, "bind() for %s/%s %s:%u in process_raw_ifaces()"
+			, ifp->name, v_name
+			, ip_str(&ifp->addr), (unsigned) port));
+		close(fd);
+		return -1;
+	}
+	setportof(htons(pluto_port), &ifp->addr);
+	return fd;
 }
 #endif
 
 static void
 process_raw_ifaces(struct raw_iface *rifaces)
 {
-    struct raw_iface *ifp;
-
-    /* Find all virtual/real interface pairs.
-     * For each real interface...
-     */
-    for (ifp = rifaces; ifp != NULL; ifp = ifp->next)
-    {
-	struct raw_iface *v = NULL;	/* matching ipsecX interface */
-	struct raw_iface fake_v;
-	bool after = FALSE; /* has vfp passed ifp on the list? */
-	bool bad = FALSE;
-	struct raw_iface *vfp;
-
-	/* ignore if virtual (ipsec*) interface */
-	if (strncmp(ifp->name, IPSECDEVPREFIX, sizeof(IPSECDEVPREFIX)-1) == 0)
-	    continue;
-
-	for (vfp = rifaces; vfp != NULL; vfp = vfp->next)
+	struct raw_iface *ifp;
+
+	/* Find all virtual/real interface pairs.
+	 * For each real interface...
+	 */
+	for (ifp = rifaces; ifp != NULL; ifp = ifp->next)
 	{
-	    if (vfp == ifp)
-	    {
-		after = TRUE;
-	    }
-	    else if (sameaddr(&ifp->addr, &vfp->addr))
-	    {
-		/* Different entries with matching IP addresses.
-		 * Many interesting cases.
-		 */
-		if (strncmp(vfp->name, IPSECDEVPREFIX, sizeof(IPSECDEVPREFIX)-1) == 0)
+		struct raw_iface *v = NULL;     /* matching ipsecX interface */
+		struct raw_iface fake_v;
+		bool after = FALSE; /* has vfp passed ifp on the list? */
+		bool bad = FALSE;
+		struct raw_iface *vfp;
+
+		/* ignore if virtual (ipsec*) interface */
+		if (strneq(ifp->name, IPSECDEVPREFIX, sizeof(IPSECDEVPREFIX)-1))
 		{
-		    if (v != NULL  && !streq(v->name, vfp->name))
-		    {
-			loglog(RC_LOG_SERIOUS
-			    , "ipsec interfaces %s and %s share same address %s"
-			    , v->name, vfp->name, ip_str(&ifp->addr));
-			bad = TRUE;
-		    }
-		    else
-		    {
-			v = vfp;	/* current winner */
-		    }
+			continue;
 		}
-		else
+
+		for (vfp = rifaces; vfp != NULL; vfp = vfp->next)
 		{
-		    /* ugh: a second real interface with the same IP address
-		     * "after" allows us to avoid double reporting.
-		     */
-#if defined(linux) && defined(KERNEL26_SUPPORT)
-		    if (!no_klips && kernel_ops->type == KERNEL_TYPE_LINUX)
-		    {
-			if (after)
+			if (vfp == ifp)
 			{
-			    bad = TRUE;
-			    break;
+				after = TRUE;
 			}
-			continue;
-		    }
+			else if (sameaddr(&ifp->addr, &vfp->addr))
+			{
+				/* Different entries with matching IP addresses.
+				 * Many interesting cases.
+				 */
+				if (strneq(vfp->name, IPSECDEVPREFIX, sizeof(IPSECDEVPREFIX)-1))
+				{
+					if (v != NULL  && !streq(v->name, vfp->name))
+					{
+						loglog(RC_LOG_SERIOUS
+							, "ipsec interfaces %s and %s share same address %s"
+							, v->name, vfp->name, ip_str(&ifp->addr));
+						bad = TRUE;
+					}
+					else
+					{
+						v = vfp;        /* current winner */
+					}
+				}
+				else
+				{
+					/* ugh: a second real interface with the same IP address
+					 * "after" allows us to avoid double reporting.
+					 */
+#if defined(linux) && defined(KERNEL26_SUPPORT)
+					if (!no_klips && kernel_ops->type == KERNEL_TYPE_LINUX)
+					{
+						if (after)
+						{
+							bad = TRUE;
+							break;
+						}
+						continue;
+					}
 #endif
-		    if (after)
-		    {
-			loglog(RC_LOG_SERIOUS
-			    , "IP interfaces %s and %s share address %s!"
-			    , ifp->name, vfp->name, ip_str(&ifp->addr));
-		    }
-		    bad = TRUE;
+					if (after)
+					{
+						loglog(RC_LOG_SERIOUS
+							, "IP interfaces %s and %s share address %s!"
+							, ifp->name, vfp->name, ip_str(&ifp->addr));
+					}
+					bad = TRUE;
+				}
+			}
 		}
-	    }
-	}
 
-	if (bad)
-	    continue;
+		if (bad)
+			continue;
 
 #if defined(linux) && defined(KERNEL26_SUPPORT)
-	if (!no_klips && kernel_ops->type == KERNEL_TYPE_LINUX)
-	{
-	    v = ifp;
-	    goto add_entry;
-	}
+		if (!no_klips && kernel_ops->type == KERNEL_TYPE_LINUX)
+		{
+			v = ifp;
+			goto add_entry;
+		}
 #endif
 
-	/* what if we didn't find a virtual interface? */
-	if (v == NULL)
-	{
-	    if (no_klips)
-	    {
-		/* kludge for testing: invent a virtual device */
-		static const char fvp[] = "virtual";
-		fake_v = *ifp;
-		passert(sizeof(fake_v.name) > sizeof(fvp));
-		strcpy(fake_v.name, fvp);
-		addrtot(&ifp->addr, 0, fake_v.name + sizeof(fvp) - 1
-		    , sizeof(fake_v.name) - (sizeof(fvp) - 1));
-		v = &fake_v;
-	    }
-	    else
-	    {
-		DBG(DBG_CONTROL,
-			DBG_log("IP interface %s %s has no matching ipsec* interface -- ignored"
-			    , ifp->name, ip_str(&ifp->addr)));
-		continue;
-	    }
-	}
+		/* what if we didn't find a virtual interface? */
+		if (v == NULL)
+		{
+			if (no_klips)
+			{
+				/* kludge for testing: invent a virtual device */
+				static const char fvp[] = "virtual";
+				fake_v = *ifp;
+				passert(sizeof(fake_v.name) > sizeof(fvp));
+				strcpy(fake_v.name, fvp);
+				addrtot(&ifp->addr, 0, fake_v.name + sizeof(fvp) - 1
+					, sizeof(fake_v.name) - (sizeof(fvp) - 1));
+				v = &fake_v;
+			}
+			else
+			{
+				DBG(DBG_CONTROL,
+						DBG_log("IP interface %s %s has no matching ipsec* interface -- ignored"
+							, ifp->name, ip_str(&ifp->addr)));
+				continue;
+			}
+		}
 
-	/* We've got all we need; see if this is a new thing:
-	 * search old interfaces list.
-	 */
+		/* We've got all we need; see if this is a new thing:
+		 * search old interfaces list.
+		 */
 #if defined(linux) && defined(KERNEL26_SUPPORT)
 add_entry:
 #endif
-	{
-	    struct iface **p = &interfaces;
-
-	    for (;;)
-	    {
-		struct iface *q = *p;
-
-		/* search is over if at end of list */
-		if (q == NULL)
 		{
-		    /* matches nothing -- create a new entry */
-		    int fd = create_socket(ifp, v->name, pluto_port);
-
-		    if (fd < 0)
-			break;
-
-		    if (nat_traversal_support_non_ike
-		    && addrtypeof(&ifp->addr) == AF_INET)
-		    {
-			nat_traversal_espinudp_socket(fd, ESPINUDP_WITH_NON_IKE);
-		    }
-
-		    q = alloc_thing(struct iface, "struct iface");
-		    q->rname = clone_str(ifp->name, "real device name");
-		    q->vname = clone_str(v->name, "virtual device name");
-		    q->addr = ifp->addr;
-		    q->fd = fd;
-		    q->next = interfaces;
-		    q->change = IFN_ADD;
-		    interfaces = q;
-		    plog("adding interface %s/%s %s:%d"
-			, q->vname, q->rname, ip_str(&q->addr), pluto_port);
-
-		    if (nat_traversal_support_port_floating
-		    && addrtypeof(&ifp->addr) == AF_INET)
-		    {
-			fd = create_socket(ifp, v->name, NAT_T_IKE_FLOAT_PORT);
-			if (fd < 0)
-			    break;
-			nat_traversal_espinudp_socket(fd,
-			    ESPINUDP_WITH_NON_ESP);
-			q = alloc_thing(struct iface, "struct iface");
-			q->rname = clone_str(ifp->name, "real device name");
-			q->vname = clone_str(v->name, "virtual device name");
-			q->addr = ifp->addr;
-			setportof(htons(NAT_T_IKE_FLOAT_PORT), &q->addr);
-			q->fd = fd;
-			q->next = interfaces;
-			q->change = IFN_ADD;
-			q->ike_float = TRUE;
-			interfaces = q;
-			plog("adding interface %s/%s %s:%d",
-			q->vname, q->rname, ip_str(&q->addr), NAT_T_IKE_FLOAT_PORT);
-		    }
-		    break;
-		}
+			struct iface **p = &interfaces;
 
-		/* search over if matching old entry found */
-		if (streq(q->rname, ifp->name)
-		&& streq(q->vname, v->name)
-		&& sameaddr(&q->addr, &ifp->addr))
-		{
-		    /* matches -- rejuvinate old entry */
-		    q->change = IFN_KEEP;
-
-		    /* look for other interfaces to keep (due to NAT-T) */
-		    for (q = q->next ; q ; q = q->next)
-		    {
-			if (streq(q->rname, ifp->name)
-			&& streq(q->vname, v->name)
-			&& sameaddr(&q->addr, &ifp->addr))
+			for (;;)
 			{
-			    q->change = IFN_KEEP;
-			}
-		    }
-		    break;
+				struct iface *q = *p;
+
+				/* search is over if at end of list */
+				if (q == NULL)
+				{
+					/* matches nothing -- create a new entry */
+					int fd = create_socket(ifp, v->name, pluto_port);
+
+					if (fd < 0)
+						break;
+
+					if (nat_traversal_support_non_ike
+					&& addrtypeof(&ifp->addr) == AF_INET)
+					{
+						nat_traversal_espinudp_socket(fd, ESPINUDP_WITH_NON_IKE);
+					}
+
+					q = malloc_thing(struct iface);
+					zero(q);
+					q->rname = clone_str(ifp->name);
+					q->vname = clone_str(v->name);
+					q->addr = ifp->addr;
+					q->fd = fd;
+					q->next = interfaces;
+					q->change = IFN_ADD;
+					interfaces = q;
+					plog("adding interface %s/%s %s:%d"
+						, q->vname, q->rname, ip_str(&q->addr), pluto_port);
+
+					if (nat_traversal_support_port_floating
+					&& addrtypeof(&ifp->addr) == AF_INET)
+					{
+						fd = create_socket(ifp, v->name, NAT_T_IKE_FLOAT_PORT);
+						if (fd < 0)
+							break;
+						nat_traversal_espinudp_socket(fd,
+							ESPINUDP_WITH_NON_ESP);
+						q = malloc_thing(struct iface);
+						zero(q);
+						q->rname = clone_str(ifp->name);
+						q->vname = clone_str(v->name);
+						q->addr = ifp->addr;
+						setportof(htons(NAT_T_IKE_FLOAT_PORT), &q->addr);
+						q->fd = fd;
+						q->next = interfaces;
+						q->change = IFN_ADD;
+						q->ike_float = TRUE;
+						interfaces = q;
+						plog("adding interface %s/%s %s:%d",
+						q->vname, q->rname, ip_str(&q->addr), NAT_T_IKE_FLOAT_PORT);
+					}
+					break;
+				}
+
+				/* search over if matching old entry found */
+				if (streq(q->rname, ifp->name)
+				&& streq(q->vname, v->name)
+				&& sameaddr(&q->addr, &ifp->addr))
+				{
+					/* matches -- rejuvinate old entry */
+					q->change = IFN_KEEP;
+
+					/* look for other interfaces to keep (due to NAT-T) */
+					for (q = q->next ; q ; q = q->next)
+					{
+						if (streq(q->rname, ifp->name)
+						&& streq(q->vname, v->name)
+						&& sameaddr(&q->addr, &ifp->addr))
+						{
+							q->change = IFN_KEEP;
+						}
+					}
+					break;
+				}
+
+				/* try again */
+				p = &q->next;
+			} /* for (;;) */
 		}
-
-		/* try again */
-		p = &q->next;
-	    } /* for (;;) */
 	}
-    }
 
-    /* delete the raw interfaces list */
-    while (rifaces != NULL)
-    {
-	struct raw_iface *t = rifaces;
+	/* delete the raw interfaces list */
+	while (rifaces != NULL)
+	{
+		struct raw_iface *t = rifaces;
 
-	rifaces = t->next;
-	pfree(t);
-    }
+		rifaces = t->next;
+		free(t);
+	}
 }
 
 void
 find_ifaces(void)
 {
-    mark_ifaces_dead();
-    process_raw_ifaces(find_raw_ifaces4());
-    process_raw_ifaces(find_raw_ifaces6());
+	mark_ifaces_dead();
+	process_raw_ifaces(find_raw_ifaces4());
+	process_raw_ifaces(find_raw_ifaces6());
 
-    free_dead_ifaces();	    /* ditch remaining old entries */
+	free_dead_ifaces();     /* ditch remaining old entries */
 
-    if (interfaces == NULL)
-	loglog(RC_LOG_SERIOUS, "no public interfaces found");
+	if (interfaces == NULL)
+		loglog(RC_LOG_SERIOUS, "no public interfaces found");
 }
 
 void
 show_ifaces_status(void)
 {
-    struct iface *p;
+	struct iface *p;
 
-    for (p = interfaces; p != NULL; p = p->next)
-	whack_log(RC_COMMENT, "interface %s/%s %s:%d"
-	    , p->vname, p->rname, ip_str(&p->addr), ntohs(portof(&p->addr)));
+	for (p = interfaces; p != NULL; p = p->next)
+		whack_log(RC_COMMENT, "interface %s/%s %s:%d"
+			, p->vname, p->rname, ip_str(&p->addr), ntohs(portof(&p->addr)));
 }
 
 void
 show_debug_status(void)
 {
 #ifdef DEBUG
-    whack_log(RC_COMMENT, "debug %s"
-	, bitnamesof(debug_bit_names, cur_debugging));
+	whack_log(RC_COMMENT, "debug options: %s"
+		, bitnamesof(debug_bit_names, cur_debugging));
 #endif
 }
 
@@ -770,7 +772,7 @@ static volatile sig_atomic_t sighupflag = FALSE;
 static void
 huphandler(int sig UNUSED)
 {
-    sighupflag = TRUE;
+	sighupflag = TRUE;
 }
 
 static volatile sig_atomic_t sigtermflag = FALSE;
@@ -778,7 +780,7 @@ static volatile sig_atomic_t sigtermflag = FALSE;
 static void
 termhandler(int sig UNUSED)
 {
-    sigtermflag = TRUE;
+	sigtermflag = TRUE;
 }
 
 /* call_server listens for incoming ISAKMP packets and Whack messages,
@@ -787,206 +789,206 @@ termhandler(int sig UNUSED)
 void
 call_server(void)
 {
-    struct iface *ifp;
+	struct iface *ifp;
 
-    /* catch SIGHUP and SIGTERM */
-    {
-	int r;
-	struct sigaction act;
+	/* catch SIGHUP and SIGTERM */
+	{
+		int r;
+		struct sigaction act;
+
+		act.sa_handler = &huphandler;
+		sigemptyset(&act.sa_mask);
+		act.sa_flags = 0;       /* no SA_ONESHOT, no SA_RESTART, no nothing */
+		r = sigaction(SIGHUP, &act, NULL);
+		passert(r == 0);
+
+		act.sa_handler = &termhandler;
+		r = sigaction(SIGTERM, &act, NULL);
+		passert(r == 0);
+	}
 
-	act.sa_handler = &huphandler;
-	sigemptyset(&act.sa_mask);
-	act.sa_flags = 0;	/* no SA_ONESHOT, no SA_RESTART, no nothing */
-	r = sigaction(SIGHUP, &act, NULL);
-	passert(r == 0);
+	for (;;)
+	{
+		fd_set readfds;
+		fd_set writefds;
+		int ndes;
 
-	act.sa_handler = &termhandler;
-	r = sigaction(SIGTERM, &act, NULL);
-	passert(r == 0);
-    }
+		/* wait for next interesting thing */
 
-    for (;;)
-    {
-	fd_set readfds;
-	fd_set writefds;
-	int ndes;
+		for (;;)
+		{
+			long next_time = next_event();   /* time to any pending timer event */
+			int maxfd = ctl_fd;
 
-	/* wait for next interesting thing */
+			if (sigtermflag)
+				exit_pluto(0);
 
-	for (;;)
-	{
-	    long next_time = next_event();   /* time to any pending timer event */
-	    int maxfd = ctl_fd;
-
-	    if (sigtermflag)
-		exit_pluto(0);
-
-	    if (sighupflag)
-	    {
-		/* Ignorant folks think poking any daemon with SIGHUP
-		 * is polite.  We catch it and tell them otherwise.
-		 * There is one use: unsticking a hung recvfrom.
-		 * This sticking happens sometimes -- kernel bug?
-		 */
-		sighupflag = FALSE;
-		plog("Pluto ignores SIGHUP -- perhaps you want \"whack --listen\"");
-	    }
-
-	    FD_ZERO(&readfds);
-	    FD_ZERO(&writefds);
-	    FD_SET(ctl_fd, &readfds);
-
-	    /* the only write file-descriptor of interest */
-	    if (adns_qfd != NULL_FD && unsent_ADNS_queries)
-	    {
-		if (maxfd < adns_qfd)
-		    maxfd = adns_qfd;
-		FD_SET(adns_qfd, &writefds);
-	    }
-
-	    if (adns_afd != NULL_FD)
-	    {
-		if (maxfd < adns_afd)
-		    maxfd = adns_afd;
-		FD_SET(adns_afd, &readfds);
-	    }
+			if (sighupflag)
+			{
+				/* Ignorant folks think poking any daemon with SIGHUP
+				 * is polite.  We catch it and tell them otherwise.
+				 * There is one use: unsticking a hung recvfrom.
+				 * This sticking happens sometimes -- kernel bug?
+				 */
+				sighupflag = FALSE;
+				plog("Pluto ignores SIGHUP -- perhaps you want \"whack --listen\"");
+			}
+
+			FD_ZERO(&readfds);
+			FD_ZERO(&writefds);
+			FD_SET(ctl_fd, &readfds);
+
+			/* the only write file-descriptor of interest */
+			if (adns_qfd != NULL_FD && unsent_ADNS_queries)
+			{
+				if (maxfd < adns_qfd)
+					maxfd = adns_qfd;
+				FD_SET(adns_qfd, &writefds);
+			}
+
+			if (adns_afd != NULL_FD)
+			{
+				if (maxfd < adns_afd)
+					maxfd = adns_afd;
+				FD_SET(adns_afd, &readfds);
+			}
 
 #ifdef KLIPS
-	    if (!no_klips)
-	    {
-		int fd = *kernel_ops->async_fdp;
-
-		if (kernel_ops->process_queue)
-		    kernel_ops->process_queue();
-		if (maxfd < fd)
-		    maxfd = fd;
-		passert(!FD_ISSET(fd, &readfds));
-		FD_SET(fd, &readfds);
-	    }
+			if (!no_klips)
+			{
+				int fd = *kernel_ops->async_fdp;
+
+				if (kernel_ops->process_queue)
+					kernel_ops->process_queue();
+				if (maxfd < fd)
+					maxfd = fd;
+				passert(!FD_ISSET(fd, &readfds));
+				FD_SET(fd, &readfds);
+			}
 #endif
 
-	    if (listening)
-	    {
-		for (ifp = interfaces; ifp != NULL; ifp = ifp->next)
-		{
-		    if (maxfd < ifp->fd)
-			maxfd = ifp->fd;
-		    passert(!FD_ISSET(ifp->fd, &readfds));
-		    FD_SET(ifp->fd, &readfds);
-		}
-	    }
-
-	    if (next_time == -1)
-	    {
-		/* select without timer */
-
-		ndes = select(maxfd + 1, &readfds, &writefds, NULL, NULL);
-	    }
-	    else if (next_time == 0)
-	    {
-		/* timer without select: there is a timer event pending,
-		 * and it should fire now so don't bother to do the select.
-		 */
-		ndes = 0;	/* signify timer expiration */
-	    }
-	    else
-	    {
-		/* select with timer */
+			if (listening)
+			{
+				for (ifp = interfaces; ifp != NULL; ifp = ifp->next)
+				{
+					if (maxfd < ifp->fd)
+						maxfd = ifp->fd;
+					passert(!FD_ISSET(ifp->fd, &readfds));
+					FD_SET(ifp->fd, &readfds);
+				}
+			}
 
-		struct timeval tm;
+			if (next_time == -1)
+			{
+				/* select without timer */
 
-		tm.tv_sec = next_time;
-		tm.tv_usec = 0;
-		ndes = select(maxfd + 1, &readfds, &writefds, NULL, &tm);
-	    }
+				ndes = select(maxfd + 1, &readfds, &writefds, NULL, NULL);
+			}
+			else if (next_time == 0)
+			{
+				/* timer without select: there is a timer event pending,
+				 * and it should fire now so don't bother to do the select.
+				 */
+				ndes = 0;       /* signify timer expiration */
+			}
+			else
+			{
+				/* select with timer */
 
-	    if (ndes != -1)
-		break;	/* success */
+				struct timeval tm;
 
-	    if (errno != EINTR)
-		exit_log_errno((e, "select() failed in call_server()"));
+				tm.tv_sec = next_time;
+				tm.tv_usec = 0;
+				ndes = select(maxfd + 1, &readfds, &writefds, NULL, &tm);
+			}
 
-	    /* retry if terminated by signal */
-	}
+			if (ndes != -1)
+				break;  /* success */
 
-	/* figure out what is interesting */
+			if (errno != EINTR)
+				exit_log_errno((e, "select() failed in call_server()"));
 
-	if (ndes == 0)
-	{
-	    /* timer event */
+			/* retry if terminated by signal */
+		}
 
-	    DBG(DBG_CONTROL,
-		DBG_log(BLANK_FORMAT);
-		DBG_log("*time to handle event"));
+		/* figure out what is interesting */
 
-	    handle_timer_event();
-	    passert(GLOBALS_ARE_RESET());
-	}
-	else
-	{
-	    /* at least one file descriptor is ready */
-
-	    if (adns_qfd != NULL_FD && FD_ISSET(adns_qfd, &writefds))
-	    {
-		passert(ndes > 0);
-		send_unsent_ADNS_queries();
-		passert(GLOBALS_ARE_RESET());
-		ndes--;
-	    }
-
-	    if (adns_afd != NULL_FD && FD_ISSET(adns_afd, &readfds))
-	    {
-		passert(ndes > 0);
-		DBG(DBG_CONTROL,
-		    DBG_log(BLANK_FORMAT);
-		    DBG_log("*received adns message"));
-		handle_adns_answer();
-		passert(GLOBALS_ARE_RESET());
-		ndes--;
-	    }
+		if (ndes == 0)
+		{
+			/* timer event */
+
+			DBG(DBG_CONTROL,
+				DBG_log(BLANK_FORMAT);
+				DBG_log("*time to handle event"));
+
+			handle_timer_event();
+			passert(GLOBALS_ARE_RESET());
+		}
+		else
+		{
+			/* at least one file descriptor is ready */
+
+			if (adns_qfd != NULL_FD && FD_ISSET(adns_qfd, &writefds))
+			{
+				passert(ndes > 0);
+				send_unsent_ADNS_queries();
+				passert(GLOBALS_ARE_RESET());
+				ndes--;
+			}
+
+			if (adns_afd != NULL_FD && FD_ISSET(adns_afd, &readfds))
+			{
+				passert(ndes > 0);
+				DBG(DBG_CONTROL,
+					DBG_log(BLANK_FORMAT);
+					DBG_log("*received adns message"));
+				handle_adns_answer();
+				passert(GLOBALS_ARE_RESET());
+				ndes--;
+			}
 
 #ifdef KLIPS
-	    if (!no_klips && FD_ISSET(*kernel_ops->async_fdp, &readfds))
-	    {
-		passert(ndes > 0);
-		DBG(DBG_CONTROL,
-		    DBG_log(BLANK_FORMAT);
-		    DBG_log("*received kernel message"));
-		kernel_ops->process_msg();
-		passert(GLOBALS_ARE_RESET());
-		ndes--;
-	    }
+			if (!no_klips && FD_ISSET(*kernel_ops->async_fdp, &readfds))
+			{
+				passert(ndes > 0);
+				DBG(DBG_CONTROL,
+					DBG_log(BLANK_FORMAT);
+					DBG_log("*received kernel message"));
+				kernel_ops->process_msg();
+				passert(GLOBALS_ARE_RESET());
+				ndes--;
+			}
 #endif
 
-	    for (ifp = interfaces; ifp != NULL; ifp = ifp->next)
-	    {
-		if (FD_ISSET(ifp->fd, &readfds))
-		{
-		    /* comm_handle will print DBG_CONTROL intro,
-		     * with more info than we have here.
-		     */
-
-		    passert(ndes > 0);
-		    comm_handle(ifp);
-		    passert(GLOBALS_ARE_RESET());
-		    ndes--;
+			for (ifp = interfaces; ifp != NULL; ifp = ifp->next)
+			{
+				if (FD_ISSET(ifp->fd, &readfds))
+				{
+					/* comm_handle will print DBG_CONTROL intro,
+					 * with more info than we have here.
+					 */
+
+					passert(ndes > 0);
+					comm_handle(ifp);
+					passert(GLOBALS_ARE_RESET());
+					ndes--;
+				}
+			}
+
+			if (FD_ISSET(ctl_fd, &readfds))
+			{
+				passert(ndes > 0);
+				DBG(DBG_CONTROL,
+					DBG_log(BLANK_FORMAT);
+					DBG_log("*received whack message"));
+				whack_handle(ctl_fd);
+				passert(GLOBALS_ARE_RESET());
+				ndes--;
+			}
+
+			passert(ndes == 0);
 		}
-	    }
-
-	    if (FD_ISSET(ctl_fd, &readfds))
-	    {
-		passert(ndes > 0);
-		DBG(DBG_CONTROL,
-		    DBG_log(BLANK_FORMAT);
-		    DBG_log("*received whack message"));
-		whack_handle(ctl_fd);
-		passert(GLOBALS_ARE_RESET());
-		ndes--;
-	    }
-
-	    passert(ndes == 0);
 	}
-    }
 }
 
 /*
diff --git a/src/pluto/server.h b/src/pluto/server.h
index d0d46a5f4..b8123f6dc 100644
--- a/src/pluto/server.h
+++ b/src/pluto/server.h
@@ -10,20 +10,18 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: server.h 3252 2007-10-06 21:24:50Z andreas $
  */
 
-extern int ctl_fd;	/* file descriptor of control (whack) socket */
-extern struct sockaddr_un ctl_addr;	/* address of control (whack) socket */
+extern int ctl_fd;      /* file descriptor of control (whack) socket */
+extern struct sockaddr_un ctl_addr;     /* address of control (whack) socket */
 
-extern int info_fd;	/* file descriptor of control (info) socket */
-extern struct sockaddr_un info_addr;	/* address of control (info) socket */
+extern int info_fd;     /* file descriptor of control (info) socket */
+extern struct sockaddr_un info_addr;    /* address of control (info) socket */
 
 extern err_t init_ctl_socket(void);
 extern void delete_ctl_socket(void);
 
-extern bool listening;	/* should we pay attention to IKE messages? */
+extern bool listening;  /* should we pay attention to IKE messages? */
 
 
 /* interface: a terminal point for IKE traffic, IPsec transport mode
@@ -35,16 +33,16 @@ extern bool listening;	/* should we pay attention to IKE messages? */
  * Note: the port for IKE is always implicitly UDP/pluto_port.
  */
 struct iface {
-    char *vname;	/* virtual (ipsec) device name */
-    char *rname;	/* real device name */
-    ip_address addr;	/* interface IP address */
-    int fd;	/* file descriptor of socket for IKE UDP messages */
-    struct iface *next;
-    bool ike_float;
-    enum { IFN_ADD, IFN_KEEP, IFN_DELETE } change;
+	char *vname;        /* virtual (ipsec) device name */
+	char *rname;        /* real device name */
+	ip_address addr;    /* interface IP address */
+	int fd;     /* file descriptor of socket for IKE UDP messages */
+	struct iface *next;
+	bool ike_float;
+	enum { IFN_ADD, IFN_KEEP, IFN_DELETE } change;
 };
 
-extern struct iface *interfaces;	/* public interfaces */
+extern struct iface *interfaces;        /* public interfaces */
 
 extern bool use_interface(const char *rifn);
 extern void find_ifaces(void);
diff --git a/src/pluto/sha1.c b/src/pluto/sha1.c
deleted file mode 100644
index bbf062876..000000000
--- a/src/pluto/sha1.c
+++ /dev/null
@@ -1,193 +0,0 @@
-/*
-SHA-1 in C
-By Steve Reid <steve@edmweb.com>
-100% Public Domain
-
-Test Vectors (from FIPS PUB 180-1)
-"abc"
-  A9993E36 4706816A BA3E2571 7850C26C 9CD0D89D
-"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"
-  84983E44 1C3BD26E BAAE4AA1 F95129E5 E54670F1
-A million repetitions of "a"
-  34AA973C D4C4DAA4 F61EEB2B DBAD2731 6534016F
-*/
-
-/* #define LITTLE_ENDIAN * This should be #define'd already, if true. */
-/* #define SHA1HANDSOFF * Copies data before messing with it. */
-
-#define SHA1HANDSOFF
-
-#include <string.h>
-#include <sys/types.h>	/* for u_int*_t */
-#include <endian.h>    /* sets BYTE_ORDER, LITTLE_ENDIAN, and BIG_ENDIAN */
-
-#include "sha1.h"
-
-#define rol(value, bits) (((value) << (bits)) | ((value) >> (32 - (bits))))
-
-/* blk0() and blk() perform the initial expand. */
-/* I got the idea of expanding during the round function from SSLeay */
-#if BYTE_ORDER == LITTLE_ENDIAN
-#define blk0(i) (block->l[i] = (rol(block->l[i],24)&0xFF00FF00) \
-    |(rol(block->l[i],8)&0x00FF00FF))
-#elif BYTE_ORDER == BIG_ENDIAN
-#define blk0(i) block->l[i]
-#else
-#error "Endianness not defined!"
-#endif
-#define blk(i) (block->l[i&15] = rol(block->l[(i+13)&15]^block->l[(i+8)&15] \
-    ^block->l[(i+2)&15]^block->l[i&15],1))
-
-/* (R0+R1), R2, R3, R4 are the different operations used in SHA1 */
-#define R0(v,w,x,y,z,i) z+=((w&(x^y))^y)+blk0(i)+0x5A827999+rol(v,5);w=rol(w,30);
-#define R1(v,w,x,y,z,i) z+=((w&(x^y))^y)+blk(i)+0x5A827999+rol(v,5);w=rol(w,30);
-#define R2(v,w,x,y,z,i) z+=(w^x^y)+blk(i)+0x6ED9EBA1+rol(v,5);w=rol(w,30);
-#define R3(v,w,x,y,z,i) z+=(((w|x)&y)|(w&x))+blk(i)+0x8F1BBCDC+rol(v,5);w=rol(w,30);
-#define R4(v,w,x,y,z,i) z+=(w^x^y)+blk(i)+0xCA62C1D6+rol(v,5);w=rol(w,30);
-
-
-/* Hash a single 512-bit block. This is the core of the algorithm. */
-
-void SHA1Transform(u_int32_t state[5], const unsigned char buffer[64])
-{
-u_int32_t a, b, c, d, e;
-typedef union {
-    unsigned char c[64];
-    u_int32_t l[16];
-} CHAR64LONG16;
-#ifdef SHA1HANDSOFF
-CHAR64LONG16 block[1];  /* use array to appear as a pointer */
-    memcpy(block, buffer, 64);
-#else
-    /* The following had better never be used because it causes the
-     * pointer-to-const buffer to be cast into a pointer to non-const.
-     * And the result is written through.  I threw a "const" in, hoping
-     * this will cause a diagnostic.
-     */
-CHAR64LONG16* block = (const CHAR64LONG16*)buffer;
-#endif
-    /* Copy context->state[] to working vars */
-    a = state[0];
-    b = state[1];
-    c = state[2];
-    d = state[3];
-    e = state[4];
-    /* 4 rounds of 20 operations each. Loop unrolled. */
-    R0(a,b,c,d,e, 0); R0(e,a,b,c,d, 1); R0(d,e,a,b,c, 2); R0(c,d,e,a,b, 3);
-    R0(b,c,d,e,a, 4); R0(a,b,c,d,e, 5); R0(e,a,b,c,d, 6); R0(d,e,a,b,c, 7);
-    R0(c,d,e,a,b, 8); R0(b,c,d,e,a, 9); R0(a,b,c,d,e,10); R0(e,a,b,c,d,11);
-    R0(d,e,a,b,c,12); R0(c,d,e,a,b,13); R0(b,c,d,e,a,14); R0(a,b,c,d,e,15);
-    R1(e,a,b,c,d,16); R1(d,e,a,b,c,17); R1(c,d,e,a,b,18); R1(b,c,d,e,a,19);
-    R2(a,b,c,d,e,20); R2(e,a,b,c,d,21); R2(d,e,a,b,c,22); R2(c,d,e,a,b,23);
-    R2(b,c,d,e,a,24); R2(a,b,c,d,e,25); R2(e,a,b,c,d,26); R2(d,e,a,b,c,27);
-    R2(c,d,e,a,b,28); R2(b,c,d,e,a,29); R2(a,b,c,d,e,30); R2(e,a,b,c,d,31);
-    R2(d,e,a,b,c,32); R2(c,d,e,a,b,33); R2(b,c,d,e,a,34); R2(a,b,c,d,e,35);
-    R2(e,a,b,c,d,36); R2(d,e,a,b,c,37); R2(c,d,e,a,b,38); R2(b,c,d,e,a,39);
-    R3(a,b,c,d,e,40); R3(e,a,b,c,d,41); R3(d,e,a,b,c,42); R3(c,d,e,a,b,43);
-    R3(b,c,d,e,a,44); R3(a,b,c,d,e,45); R3(e,a,b,c,d,46); R3(d,e,a,b,c,47);
-    R3(c,d,e,a,b,48); R3(b,c,d,e,a,49); R3(a,b,c,d,e,50); R3(e,a,b,c,d,51);
-    R3(d,e,a,b,c,52); R3(c,d,e,a,b,53); R3(b,c,d,e,a,54); R3(a,b,c,d,e,55);
-    R3(e,a,b,c,d,56); R3(d,e,a,b,c,57); R3(c,d,e,a,b,58); R3(b,c,d,e,a,59);
-    R4(a,b,c,d,e,60); R4(e,a,b,c,d,61); R4(d,e,a,b,c,62); R4(c,d,e,a,b,63);
-    R4(b,c,d,e,a,64); R4(a,b,c,d,e,65); R4(e,a,b,c,d,66); R4(d,e,a,b,c,67);
-    R4(c,d,e,a,b,68); R4(b,c,d,e,a,69); R4(a,b,c,d,e,70); R4(e,a,b,c,d,71);
-    R4(d,e,a,b,c,72); R4(c,d,e,a,b,73); R4(b,c,d,e,a,74); R4(a,b,c,d,e,75);
-    R4(e,a,b,c,d,76); R4(d,e,a,b,c,77); R4(c,d,e,a,b,78); R4(b,c,d,e,a,79);
-    /* Add the working vars back into context.state[] */
-    state[0] += a;
-    state[1] += b;
-    state[2] += c;
-    state[3] += d;
-    state[4] += e;
-    /* Wipe variables */
-    a = b = c = d = e = 0;
-#ifdef SHA1HANDSOFF
-    memset(block, '\0', sizeof(block));
-#endif
-}
-
-
-/* SHA1Init - Initialize new context */
-
-void SHA1Init(SHA1_CTX* context)
-{
-    /* SHA1 initialization constants */
-    context->state[0] = 0x67452301;
-    context->state[1] = 0xEFCDAB89;
-    context->state[2] = 0x98BADCFE;
-    context->state[3] = 0x10325476;
-    context->state[4] = 0xC3D2E1F0;
-    context->count[0] = context->count[1] = 0;
-}
-
-
-/* Run your data through this. */
-
-void SHA1Update(SHA1_CTX* context, const unsigned char* data, u_int32_t len)
-{
-u_int32_t i;
-u_int32_t j;
-
-    j = context->count[0];
-    if ((context->count[0] += len << 3) < j)
-	context->count[1]++;
-    context->count[1] += (len>>29);
-    j = (j >> 3) & 63;
-    if ((j + len) > 63) {
-        memcpy(&context->buffer[j], data, (i = 64-j));
-        SHA1Transform(context->state, context->buffer);
-        for ( ; i + 63 < len; i += 64) {
-            SHA1Transform(context->state, &data[i]);
-        }
-        j = 0;
-    }
-    else i = 0;
-    memcpy(&context->buffer[j], &data[i], len - i);
-}
-
-
-/* Add padding and return the message digest. */
-
-void SHA1Final(unsigned char digest[20], SHA1_CTX* context)
-{
-unsigned i;
-unsigned char finalcount[8];
-unsigned char c;
-
-#if 0	/* untested "improvement" by DHR */
-    /* Convert context->count to a sequence of bytes
-     * in finalcount.  Second element first, but
-     * big-endian order within element.
-     * But we do it all backwards.
-     */
-    unsigned char *fcp = &finalcount[8];
-
-    for (i = 0; i < 2; i++)
-    {
-	u_int32_t t = context->count[i];
-	int j;
-
-	for (j = 0; j < 4; t >>= 8, j++)
-	    *--fcp = (unsigned char) t
-    }
-#else
-    for (i = 0; i < 8; i++) {
-        finalcount[i] = (unsigned char)((context->count[(i >= 4 ? 0 : 1)]
-         >> ((3-(i & 3)) * 8) ) & 255);  /* Endian independent */
-    }
-#endif
-    c = 0200;
-    SHA1Update(context, &c, 1);
-    while ((context->count[0] & 504) != 448) {
-	c = 0000;
-        SHA1Update(context, &c, 1);
-    }
-    SHA1Update(context, finalcount, 8);  /* Should cause a SHA1Transform() */
-    for (i = 0; i < 20; i++) {
-        digest[i] = (unsigned char)
-         ((context->state[i>>2] >> ((3-(i & 3)) * 8) ) & 255);
-    }
-    /* Wipe variables */
-    memset(context, '\0', sizeof(*context));
-    memset(&finalcount, '\0', sizeof(finalcount));
-}
diff --git a/src/pluto/sha1.h b/src/pluto/sha1.h
deleted file mode 100644
index 64b3d2f5d..000000000
--- a/src/pluto/sha1.h
+++ /dev/null
@@ -1,16 +0,0 @@
-/*
-SHA-1 in C
-By Steve Reid <steve@edmweb.com>
-100% Public Domain
-*/
-
-typedef struct {
-    u_int32_t state[5];
-    u_int32_t count[2];
-    unsigned char buffer[64];
-} SHA1_CTX;
-
-void SHA1Transform(u_int32_t state[5], const unsigned char buffer[64]);
-void SHA1Init(SHA1_CTX* context);
-void SHA1Update(SHA1_CTX* context, const unsigned char* data, u_int32_t len);
-void SHA1Final(unsigned char digest[20], SHA1_CTX* context);
diff --git a/src/pluto/smallprime.c b/src/pluto/smallprime.c
deleted file mode 100644
index 87497d096..000000000
--- a/src/pluto/smallprime.c
+++ /dev/null
@@ -1,122 +0,0 @@
-/* smallprime.c - List of small primes
- *	Copyright (C) 1998 Free Software Foundation, Inc.
- *
- * This file is part of GnuPG.
- *
- * GnuPG is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * GnuPG is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
- */
-
-#ifdef PLUTO
-#include <gmp.h>
-#include <freeswan.h>
-#include "constants.h"
-#include "defs.h"
-#include "gcryptfix.h"
-#else
-/* #include <config.h> */
-/* #include <stdio.h> */
-/* #include <stdlib.h> */
-/* #include "util.h" */
-/* #include "types.h" */
-#endif
-
-/* Note: 2 is not included because it can be tested more easily
- * by looking at bit 0. The last entry in this list is marked by a zero
- */
-ushort
-small_prime_numbers[] = {
-    3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43,
-    47, 53, 59, 61, 67, 71, 73, 79, 83, 89, 97, 101,
-    103, 107, 109, 113, 127, 131, 137, 139, 149, 151,
-    157, 163, 167, 173, 179, 181, 191, 193, 197, 199,
-    211, 223, 227, 229, 233, 239, 241, 251, 257, 263,
-    269, 271, 277, 281, 283, 293, 307, 311, 313, 317,
-    331, 337, 347, 349, 353, 359, 367, 373, 379, 383,
-    389, 397, 401, 409, 419, 421, 431, 433, 439, 443,
-    449, 457, 461, 463, 467, 479, 487, 491, 499, 503,
-    509, 521, 523, 541, 547, 557, 563, 569, 571, 577,
-    587, 593, 599, 601, 607, 613, 617, 619, 631, 641,
-    643, 647, 653, 659, 661, 673, 677, 683, 691, 701,
-    709, 719, 727, 733, 739, 743, 751, 757, 761, 769,
-    773, 787, 797, 809, 811, 821, 823, 827, 829, 839,
-    853, 857, 859, 863, 877, 881, 883, 887, 907, 911,
-    919, 929, 937, 941, 947, 953, 967, 971, 977, 983,
-    991, 997, 1009, 1013, 1019, 1021, 1031, 1033,
-    1039, 1049, 1051, 1061, 1063, 1069, 1087, 1091,
-    1093, 1097, 1103, 1109, 1117, 1123, 1129, 1151,
-    1153, 1163, 1171, 1181, 1187, 1193, 1201, 1213,
-    1217, 1223, 1229, 1231, 1237, 1249, 1259, 1277,
-    1279, 1283, 1289, 1291, 1297, 1301, 1303, 1307,
-    1319, 1321, 1327, 1361, 1367, 1373, 1381, 1399,
-    1409, 1423, 1427, 1429, 1433, 1439, 1447, 1451,
-    1453, 1459, 1471, 1481, 1483, 1487, 1489, 1493,
-    1499, 1511, 1523, 1531, 1543, 1549, 1553, 1559,
-    1567, 1571, 1579, 1583, 1597, 1601, 1607, 1609,
-    1613, 1619, 1621, 1627, 1637, 1657, 1663, 1667,
-    1669, 1693, 1697, 1699, 1709, 1721, 1723, 1733,
-    1741, 1747, 1753, 1759, 1777, 1783, 1787, 1789,
-    1801, 1811, 1823, 1831, 1847, 1861, 1867, 1871,
-    1873, 1877, 1879, 1889, 1901, 1907, 1913, 1931,
-    1933, 1949, 1951, 1973, 1979, 1987, 1993, 1997,
-    1999, 2003, 2011, 2017, 2027, 2029, 2039, 2053,
-    2063, 2069, 2081, 2083, 2087, 2089, 2099, 2111,
-    2113, 2129, 2131, 2137, 2141, 2143, 2153, 2161,
-    2179, 2203, 2207, 2213, 2221, 2237, 2239, 2243,
-    2251, 2267, 2269, 2273, 2281, 2287, 2293, 2297,
-    2309, 2311, 2333, 2339, 2341, 2347, 2351, 2357,
-    2371, 2377, 2381, 2383, 2389, 2393, 2399, 2411,
-    2417, 2423, 2437, 2441, 2447, 2459, 2467, 2473,
-    2477, 2503, 2521, 2531, 2539, 2543, 2549, 2551,
-    2557, 2579, 2591, 2593, 2609, 2617, 2621, 2633,
-    2647, 2657, 2659, 2663, 2671, 2677, 2683, 2687,
-    2689, 2693, 2699, 2707, 2711, 2713, 2719, 2729,
-    2731, 2741, 2749, 2753, 2767, 2777, 2789, 2791,
-    2797, 2801, 2803, 2819, 2833, 2837, 2843, 2851,
-    2857, 2861, 2879, 2887, 2897, 2903, 2909, 2917,
-    2927, 2939, 2953, 2957, 2963, 2969, 2971, 2999,
-    3001, 3011, 3019, 3023, 3037, 3041, 3049, 3061,
-    3067, 3079, 3083, 3089, 3109, 3119, 3121, 3137,
-    3163, 3167, 3169, 3181, 3187, 3191, 3203, 3209,
-    3217, 3221, 3229, 3251, 3253, 3257, 3259, 3271,
-    3299, 3301, 3307, 3313, 3319, 3323, 3329, 3331,
-    3343, 3347, 3359, 3361, 3371, 3373, 3389, 3391,
-    3407, 3413, 3433, 3449, 3457, 3461, 3463, 3467,
-    3469, 3491, 3499, 3511, 3517, 3527, 3529, 3533,
-    3539, 3541, 3547, 3557, 3559, 3571, 3581, 3583,
-    3593, 3607, 3613, 3617, 3623, 3631, 3637, 3643,
-    3659, 3671, 3673, 3677, 3691, 3697, 3701, 3709,
-    3719, 3727, 3733, 3739, 3761, 3767, 3769, 3779,
-    3793, 3797, 3803, 3821, 3823, 3833, 3847, 3851,
-    3853, 3863, 3877, 3881, 3889, 3907, 3911, 3917,
-    3919, 3923, 3929, 3931, 3943, 3947, 3967, 3989,
-    4001, 4003, 4007, 4013, 4019, 4021, 4027, 4049,
-    4051, 4057, 4073, 4079, 4091, 4093, 4099, 4111,
-    4127, 4129, 4133, 4139, 4153, 4157, 4159, 4177,
-    4201, 4211, 4217, 4219, 4229, 4231, 4241, 4243,
-    4253, 4259, 4261, 4271, 4273, 4283, 4289, 4297,
-    4327, 4337, 4339, 4349, 4357, 4363, 4373, 4391,
-    4397, 4409, 4421, 4423, 4441, 4447, 4451, 4457,
-    4463, 4481, 4483, 4493, 4507, 4513, 4517, 4519,
-    4523, 4547, 4549, 4561, 4567, 4583, 4591, 4597,
-    4603, 4621, 4637, 4639, 4643, 4649, 4651, 4657,
-    4663, 4673, 4679, 4691, 4703, 4721, 4723, 4729,
-    4733, 4751, 4759, 4783, 4787, 4789, 4793, 4799,
-    4801, 4813, 4817, 4831, 4861, 4871, 4877, 4889,
-    4903, 4909, 4919, 4931, 4933, 4937, 4943, 4951,
-    4957, 4967, 4969, 4973, 4987, 4993, 4999,
-    0
-};
-
-
diff --git a/src/pluto/smartcard.c b/src/pluto/smartcard.c
index 937c3f93a..7e4452d89 100644
--- a/src/pluto/smartcard.c
+++ b/src/pluto/smartcard.c
@@ -6,7 +6,7 @@
  * Copyright (C) 2005 Michael Joosten
  *
  * Copyright (C) 2005 Andreas Steffen
- * Hochschule für Technik Rapperswil, Switzerland
+ * Hochschule fuer Technik Rapperswil, Switzerland
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -17,8 +17,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: smartcard.c 3686 2008-03-28 11:48:14Z martin $
  */
 
 #include <stdio.h>
@@ -30,7 +28,9 @@
 #include <dlfcn.h>
 
 #include <freeswan.h>
-#include <ipsec_policy.h>
+
+#include <asn1/asn1.h>
+#include <credentials/keys/public_key.h>
 
 #include "constants.h"
 
@@ -40,7 +40,6 @@
 #endif
 
 #include "defs.h"
-#include "mp_defs.h"
 #include "log.h"
 #include "x509.h"
 #include "ca.h"
@@ -50,7 +49,7 @@
 #include "whack.h"
 #include "fetch.h"
 
-#define DEFAULT_BASE	16
+#define DEFAULT_BASE    16
 
 /* chained list of smartcard records */
 static smartcard_t *smartcards   = NULL;
@@ -59,30 +58,30 @@ static smartcard_t *smartcards   = NULL;
 static int sc_number = 0;
 
 const smartcard_t empty_sc = {
-      NULL		 , /* next */
-            0		 , /* last_load */
-    { CERT_NONE, {NULL} }, /* last_cert */
-            0		 , /* count */
-            0		 , /* number */
-       999999		 , /* slot */
-      NULL		 , /* id */
-      NULL		 , /* label */
-    { NULL, 0 }		 , /* pin */
-      FALSE		 , /* pinpad */
-      FALSE		 , /* valid */
-      FALSE		 , /* session_opened */
-      FALSE		 , /* logged_in */
-      TRUE		 , /* any_slot */
-	    0L		 , /* session */
+	  NULL               , /* next */
+			0            , /* last_load */
+	{ CERT_NONE, {NULL} }, /* last_cert */
+			0            , /* count */
+			0            , /* number */
+	   999999            , /* slot */
+	  NULL               , /* id */
+	  NULL               , /* label */
+	{ NULL, 0 }          , /* pin */
+	  FALSE              , /* pinpad */
+	  FALSE              , /* valid */
+	  FALSE              , /* session_opened */
+	  FALSE              , /* logged_in */
+	  TRUE               , /* any_slot */
+			0L           , /* session */
 };
 
-#ifdef SMARTCARD	/* compile with smartcard support */
+#ifdef SMARTCARD        /* compile with smartcard support */
 
-#define SCX_MAGIC	0xd00bed00
+#define SCX_MAGIC       0xd00bed00
 
 struct scx_pkcs11_module {
-        u_int _magic;
-        void *handle;
+		u_int _magic;
+		void *handle;
 };
 
 typedef struct scx_pkcs11_module scx_pkcs11_module_t;
@@ -95,292 +94,292 @@ static CK_FUNCTION_LIST_PTR pkcs11_functions = NULL_PTR;
 /* crytoki v2.11 - return values of PKCS #11 functions*/
 
 static const char *const pkcs11_return_name[] = {
-	"CKR_OK",
-	"CKR_CANCEL",
-	"CKR_HOST_MEMORY",
-	"CKR_SLOT_ID_INVALID",
-	"CKR_FLAGS_INVALID",
-	"CKR_GENERAL_ERROR",
-	"CKR_FUNCTION_FAILED",
-	"CKR_ARGUMENTS_BAD",
-	"CKR_NO_EVENT",
-	"CKR_NEED_TO_CREATE_THREADS",
-	"CKR_CANT_LOCK"
-    };
+		"CKR_OK",
+		"CKR_CANCEL",
+		"CKR_HOST_MEMORY",
+		"CKR_SLOT_ID_INVALID",
+		"CKR_FLAGS_INVALID",
+		"CKR_GENERAL_ERROR",
+		"CKR_FUNCTION_FAILED",
+		"CKR_ARGUMENTS_BAD",
+		"CKR_NO_EVENT",
+		"CKR_NEED_TO_CREATE_THREADS",
+		"CKR_CANT_LOCK"
+	};
 
 static const char *const pkcs11_return_name_10[] = {
-	"CKR_ATTRIBUTE_READ_ONLY",
-	"CKR_ATTRIBUTE_SENSITIVE",
-	"CKR_ATTRIBUTE_TYPE_INVALID",
-	"CKR_ATTRIBUTE_VALUE_INVALID"
-    };
+		"CKR_ATTRIBUTE_READ_ONLY",
+		"CKR_ATTRIBUTE_SENSITIVE",
+		"CKR_ATTRIBUTE_TYPE_INVALID",
+		"CKR_ATTRIBUTE_VALUE_INVALID"
+	};
 
 static const char *const pkcs11_return_name_20[] = {
-	"CKR_DATA_INVALID", 
-	"CKR_DATA_LEN_RANGE"
-    };
+		"CKR_DATA_INVALID", 
+		"CKR_DATA_LEN_RANGE"
+	};
 
 static const char *const pkcs11_return_name_30[] = {
-	"CKR_DEVICE_ERROR",
-	"CKR_DEVICE_MEMORY",
-	"CKR_DEVICE_REMOVED"
-    };
+		"CKR_DEVICE_ERROR",
+		"CKR_DEVICE_MEMORY",
+		"CKR_DEVICE_REMOVED"
+	};
 
 static const char *const pkcs11_return_name_40[] = {
-	"CKR_ENCRYPTED_DATA_INVALID",
-	"CKR_ENCRYPTED_DATA_LEN_RANGE"
-    };
+		"CKR_ENCRYPTED_DATA_INVALID",
+		"CKR_ENCRYPTED_DATA_LEN_RANGE"
+	};
 
 static const char *const pkcs11_return_name_50[] = {
-	"CKR_FUNCTION_CANCELED",
-	"CKR_FUNCTION_NOT_PARALLEL",
-	"CKR_0x52_UNDEFINED",
-	"CKR_0x53_UNDEFINED",
-	"CKR_FUNCTION_NOT_SUPPORTED"
-    };
+		"CKR_FUNCTION_CANCELED",
+		"CKR_FUNCTION_NOT_PARALLEL",
+		"CKR_0x52_UNDEFINED",
+		"CKR_0x53_UNDEFINED",
+		"CKR_FUNCTION_NOT_SUPPORTED"
+	};
 
 static const char *const pkcs11_return_name_60[] = {
-	"CKR_KEY_HANDLE_INVALID",
-	"CKR_KEY_SENSITIVE",
-	"CKR_KEY_SIZE_RANGE",
-	"CKR_KEY_TYPE_INCONSISTENT",
-	"CKR_KEY_NOT_NEEDED",
-	"CKR_KEY_CHANGED",
-	"CKR_KEY_NEEDED",
-	"CKR_KEY_INDIGESTIBLE",
-	"CKR_KEY_FUNCTION_NOT_PERMITTED",
-	"CKR_KEY_NOT_WRAPPABLE",
-	"CKR_KEY_UNEXTRACTABLE"
-     };
+		"CKR_KEY_HANDLE_INVALID",
+		"CKR_KEY_SENSITIVE",
+		"CKR_KEY_SIZE_RANGE",
+		"CKR_KEY_TYPE_INCONSISTENT",
+		"CKR_KEY_NOT_NEEDED",
+		"CKR_KEY_CHANGED",
+		"CKR_KEY_NEEDED",
+		"CKR_KEY_INDIGESTIBLE",
+		"CKR_KEY_FUNCTION_NOT_PERMITTED",
+		"CKR_KEY_NOT_WRAPPABLE",
+		"CKR_KEY_UNEXTRACTABLE"
+	 };
 
 static const char *const pkcs11_return_name_70[] = {
-	"CKR_MECHANISM_INVALID",
-	"CKR_MECHANISM_PARAM_INVALID"
-     };
+		"CKR_MECHANISM_INVALID",
+		"CKR_MECHANISM_PARAM_INVALID"
+	 };
 
 static const char *const pkcs11_return_name_80[] = {
-	"CKR_OBJECT_HANDLE_INVALID"
-     };
+		"CKR_OBJECT_HANDLE_INVALID"
+	 };
 
 static const char *const pkcs11_return_name_90[] = {
-	"CKR_OPERATION_ACTIVE",
-	"CKR_OPERATION_NOT_INITIALIZED"
-     };
+		"CKR_OPERATION_ACTIVE",
+		"CKR_OPERATION_NOT_INITIALIZED"
+	 };
 
 static const char *const pkcs11_return_name_A0[] = {
-	"CKR_PIN_INCORRECT",
-	"CKR_PIN_INVALID",
-	"CKR_PIN_LEN_RANGE",
-	"CKR_PIN_EXPIRED",
-	"CKR_PIN_LOCKED"
-     };
+		"CKR_PIN_INCORRECT",
+		"CKR_PIN_INVALID",
+		"CKR_PIN_LEN_RANGE",
+		"CKR_PIN_EXPIRED",
+		"CKR_PIN_LOCKED"
+	 };
 
 static const char *const pkcs11_return_name_B0[] = {
-	"CKR_SESSION_CLOSED",
-	"CKR_SESSION_COUNT",
-	"CKR_0xB2_UNDEFINED",
-	"CKR_SESSION_HANDLE_INVALID",
-	"CKR_SESSION_PARALLEL_NOT_SUPPORTED",
-	"CKR_SESSION_READ_ONLY",
-	"CKR_SESSION_EXISTS",
-	"CKR_SESSION_READ_ONLY_EXISTS",
-	"CKR_SESSION_READ_WRITE_SO_EXISTS"
-     };
+		"CKR_SESSION_CLOSED",
+		"CKR_SESSION_COUNT",
+		"CKR_0xB2_UNDEFINED",
+		"CKR_SESSION_HANDLE_INVALID",
+		"CKR_SESSION_PARALLEL_NOT_SUPPORTED",
+		"CKR_SESSION_READ_ONLY",
+		"CKR_SESSION_EXISTS",
+		"CKR_SESSION_READ_ONLY_EXISTS",
+		"CKR_SESSION_READ_WRITE_SO_EXISTS"
+	 };
 
 static const char *const pkcs11_return_name_C0[] = {
-	"CKR_SIGNATURE_INVALID",
-	"CKR_SIGNATURE_LEN_RANGE"
-     };
+		"CKR_SIGNATURE_INVALID",
+		"CKR_SIGNATURE_LEN_RANGE"
+	 };
 
 static const char *const pkcs11_return_name_D0[] = {
-	"CKR_TEMPLATE_INCOMPLETE",
-	"CKR_TEMPLATE_INCONSISTENT"
-     };
+		"CKR_TEMPLATE_INCOMPLETE",
+		"CKR_TEMPLATE_INCONSISTENT"
+	 };
 
 static const char *const pkcs11_return_name_E0[] = {
-	"CKR_TOKEN_NOT_PRESENT",
-	"CKR_TOKEN_NOT_RECOGNIZED",
-	"CKR_TOKEN_WRITE_PROTECTED"
-     };
+		"CKR_TOKEN_NOT_PRESENT",
+		"CKR_TOKEN_NOT_RECOGNIZED",
+		"CKR_TOKEN_WRITE_PROTECTED"
+	 };
 
 static const char *const pkcs11_return_name_F0[] = {
-	"CKR_UNWRAPPING_KEY_HANDLE_INVALID",
-	"CKR_UNWRAPPING_KEY_SIZE_RANGE",
-	"CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT"
-     };
+		"CKR_UNWRAPPING_KEY_HANDLE_INVALID",
+		"CKR_UNWRAPPING_KEY_SIZE_RANGE",
+		"CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT"
+	 };
 
 static const char *const pkcs11_return_name_100[] = {
-	"CKR_USER_ALREADY_LOGGED_IN",
-	"CKR_USER_NOT_LOGGED_IN",
-	"CKR_USER_PIN_NOT_INITIALIZED",
-	"CKR_USER_TYPE_INVALID",
-	"CKR_USER_ANOTHER_ALREADY_LOGGED_IN",
-	"CKR_USER_TOO_MANY_TYPES"
-     };
+		"CKR_USER_ALREADY_LOGGED_IN",
+		"CKR_USER_NOT_LOGGED_IN",
+		"CKR_USER_PIN_NOT_INITIALIZED",
+		"CKR_USER_TYPE_INVALID",
+		"CKR_USER_ANOTHER_ALREADY_LOGGED_IN",
+		"CKR_USER_TOO_MANY_TYPES"
+	 };
 
 static const char *const pkcs11_return_name_110[] = {
-	"CKR_WRAPPED_KEY_INVALID",
-	"CKR_0x111_UNDEFINED",
-	"CKR_WRAPPED_KEY_LEN_RANGE",
-	"CKR_WRAPPING_KEY_HANDLE_INVALID",
-	"CKR_WRAPPING_KEY_SIZE_RANGE",
-	"CKR_WRAPPING_KEY_TYPE_INCONSISTENT"
-     };
+		"CKR_WRAPPED_KEY_INVALID",
+		"CKR_0x111_UNDEFINED",
+		"CKR_WRAPPED_KEY_LEN_RANGE",
+		"CKR_WRAPPING_KEY_HANDLE_INVALID",
+		"CKR_WRAPPING_KEY_SIZE_RANGE",
+		"CKR_WRAPPING_KEY_TYPE_INCONSISTENT"
+	 };
 
 static const char *const pkcs11_return_name_120[] = {
-	"CKR_RANDOM_SEED_NOT_SUPPORTED",
-	"CKR_RANDOM_NO_RNG"
-     };
+		"CKR_RANDOM_SEED_NOT_SUPPORTED",
+		"CKR_RANDOM_NO_RNG"
+	 };
 
 static const char *const pkcs11_return_name_130[] = {
-	"CKR_DOMAIN_PARAMS_INVALID"
-     };
+		"CKR_DOMAIN_PARAMS_INVALID"
+	 };
 
 static const char *const pkcs11_return_name_150[] = {
-	"CKR_BUFFER_TOO_SMALL"
-     };
+		"CKR_BUFFER_TOO_SMALL"
+	 };
 
 static const char *const pkcs11_return_name_160[] = {
-	"CKR_SAVED_STATE_INVALID"
-     };
+		"CKR_SAVED_STATE_INVALID"
+	 };
 
 static const char *const pkcs11_return_name_170[] = {
-	"CKR_INFORMATION_SENSITIVE"
-     };
+		"CKR_INFORMATION_SENSITIVE"
+	 };
 
 static const char *const pkcs11_return_name_180[] = {
-	"CKR_STATE_UNSAVEABLE"
-     };
+		"CKR_STATE_UNSAVEABLE"
+	 };
 
 static const char *const pkcs11_return_name_190[] = {
-	"CKR_CRYPTOKI_NOT_INITIALIZED",
-	"CKR_CRYPTOKI_ALREADY_INITIALIZED"
-     };
+		"CKR_CRYPTOKI_NOT_INITIALIZED",
+		"CKR_CRYPTOKI_ALREADY_INITIALIZED"
+	 };
 
 static const char *const pkcs11_return_name_1A0[] = {
-	"CKR_MUTEX_BAD",
-	"CKR_MUTEX_NOT_LOCKED"
-     };
+		"CKR_MUTEX_BAD",
+		"CKR_MUTEX_NOT_LOCKED"
+	 };
 
 static const char *const pkcs11_return_name_200[] = {
-	"CKR_FUNCTION_REJECTED"
-     };
+		"CKR_FUNCTION_REJECTED"
+	 };
 
 static const char *const pkcs11_return_name_vendor[] = {
-	"CKR_VENDOR_DEFINED"
-     };
+		"CKR_VENDOR_DEFINED"
+	 };
 
 static enum_names pkcs11_return_names_vendor =
-    { CKR_VENDOR_DEFINED, CKR_VENDOR_DEFINED
-	, pkcs11_return_name_vendor, NULL };
+	{ CKR_VENDOR_DEFINED, CKR_VENDOR_DEFINED
+		, pkcs11_return_name_vendor, NULL };
 
 static enum_names pkcs11_return_names_200 =
-    { CKR_FUNCTION_REJECTED, CKR_FUNCTION_REJECTED
-	, pkcs11_return_name_200, &pkcs11_return_names_vendor };
+	{ CKR_FUNCTION_REJECTED, CKR_FUNCTION_REJECTED
+		, pkcs11_return_name_200, &pkcs11_return_names_vendor };
 
 static enum_names pkcs11_return_names_1A0 =
-    { CKR_MUTEX_BAD, CKR_MUTEX_NOT_LOCKED
-	, pkcs11_return_name_1A0, &pkcs11_return_names_200 };
+	{ CKR_MUTEX_BAD, CKR_MUTEX_NOT_LOCKED
+		, pkcs11_return_name_1A0, &pkcs11_return_names_200 };
 
 static enum_names pkcs11_return_names_190 =
-    { CKR_CRYPTOKI_NOT_INITIALIZED, CKR_CRYPTOKI_ALREADY_INITIALIZED
-	, pkcs11_return_name_190, &pkcs11_return_names_1A0 };
+	{ CKR_CRYPTOKI_NOT_INITIALIZED, CKR_CRYPTOKI_ALREADY_INITIALIZED
+		, pkcs11_return_name_190, &pkcs11_return_names_1A0 };
 
 static enum_names pkcs11_return_names_180 =
-    { CKR_STATE_UNSAVEABLE, CKR_STATE_UNSAVEABLE
-	, pkcs11_return_name_180, &pkcs11_return_names_190 };
+	{ CKR_STATE_UNSAVEABLE, CKR_STATE_UNSAVEABLE
+		, pkcs11_return_name_180, &pkcs11_return_names_190 };
 
 static enum_names pkcs11_return_names_170 =
-    { CKR_INFORMATION_SENSITIVE, CKR_INFORMATION_SENSITIVE
-	, pkcs11_return_name_170, &pkcs11_return_names_180 };
+	{ CKR_INFORMATION_SENSITIVE, CKR_INFORMATION_SENSITIVE
+		, pkcs11_return_name_170, &pkcs11_return_names_180 };
 
 static enum_names pkcs11_return_names_160 =
-    { CKR_SAVED_STATE_INVALID, CKR_SAVED_STATE_INVALID
-	, pkcs11_return_name_160, &pkcs11_return_names_170 };
+	{ CKR_SAVED_STATE_INVALID, CKR_SAVED_STATE_INVALID
+		, pkcs11_return_name_160, &pkcs11_return_names_170 };
 
 static enum_names pkcs11_return_names_150 =
-    { CKR_BUFFER_TOO_SMALL, CKR_BUFFER_TOO_SMALL
-	, pkcs11_return_name_150, &pkcs11_return_names_160 };
+	{ CKR_BUFFER_TOO_SMALL, CKR_BUFFER_TOO_SMALL
+		, pkcs11_return_name_150, &pkcs11_return_names_160 };
 
 static enum_names pkcs11_return_names_130 =
-    { CKR_DOMAIN_PARAMS_INVALID, CKR_DOMAIN_PARAMS_INVALID
-	, pkcs11_return_name_130, &pkcs11_return_names_150 };
+	{ CKR_DOMAIN_PARAMS_INVALID, CKR_DOMAIN_PARAMS_INVALID
+		, pkcs11_return_name_130, &pkcs11_return_names_150 };
 
 static enum_names pkcs11_return_names_120 =
-    { CKR_RANDOM_SEED_NOT_SUPPORTED, CKR_RANDOM_NO_RNG
-	, pkcs11_return_name_120, &pkcs11_return_names_130 };
+	{ CKR_RANDOM_SEED_NOT_SUPPORTED, CKR_RANDOM_NO_RNG
+		, pkcs11_return_name_120, &pkcs11_return_names_130 };
 
 static enum_names pkcs11_return_names_110 =
-    { CKR_WRAPPED_KEY_INVALID, CKR_WRAPPING_KEY_TYPE_INCONSISTENT
-	, pkcs11_return_name_110, &pkcs11_return_names_120 };
+	{ CKR_WRAPPED_KEY_INVALID, CKR_WRAPPING_KEY_TYPE_INCONSISTENT
+		, pkcs11_return_name_110, &pkcs11_return_names_120 };
 
 static enum_names pkcs11_return_names_100 =
-    { CKR_USER_ALREADY_LOGGED_IN, CKR_USER_TOO_MANY_TYPES
-	, pkcs11_return_name_100, &pkcs11_return_names_110 };
+	{ CKR_USER_ALREADY_LOGGED_IN, CKR_USER_TOO_MANY_TYPES
+		, pkcs11_return_name_100, &pkcs11_return_names_110 };
 
 static enum_names pkcs11_return_names_F0 =
-    { CKR_UNWRAPPING_KEY_HANDLE_INVALID, CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT
-	, pkcs11_return_name_F0, &pkcs11_return_names_100 };
+	{ CKR_UNWRAPPING_KEY_HANDLE_INVALID, CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT
+		, pkcs11_return_name_F0, &pkcs11_return_names_100 };
 
 static enum_names pkcs11_return_names_E0 =
-    { CKR_TOKEN_NOT_PRESENT, CKR_TOKEN_WRITE_PROTECTED
-	, pkcs11_return_name_E0, &pkcs11_return_names_F0 };
+	{ CKR_TOKEN_NOT_PRESENT, CKR_TOKEN_WRITE_PROTECTED
+		, pkcs11_return_name_E0, &pkcs11_return_names_F0 };
 
 static enum_names pkcs11_return_names_D0 =
-    { CKR_TEMPLATE_INCOMPLETE, CKR_TEMPLATE_INCONSISTENT
-	, pkcs11_return_name_D0,&pkcs11_return_names_E0 };
+	{ CKR_TEMPLATE_INCOMPLETE, CKR_TEMPLATE_INCONSISTENT
+		, pkcs11_return_name_D0,&pkcs11_return_names_E0 };
 
 static enum_names pkcs11_return_names_C0 =
-    { CKR_SIGNATURE_INVALID, CKR_SIGNATURE_LEN_RANGE
-	, pkcs11_return_name_C0, &pkcs11_return_names_D0 };
+	{ CKR_SIGNATURE_INVALID, CKR_SIGNATURE_LEN_RANGE
+		, pkcs11_return_name_C0, &pkcs11_return_names_D0 };
 
 static enum_names pkcs11_return_names_B0 =
-    { CKR_SESSION_CLOSED, CKR_SESSION_READ_WRITE_SO_EXISTS
-	, pkcs11_return_name_B0, &pkcs11_return_names_C0 };
+	{ CKR_SESSION_CLOSED, CKR_SESSION_READ_WRITE_SO_EXISTS
+		, pkcs11_return_name_B0, &pkcs11_return_names_C0 };
 
 static enum_names pkcs11_return_names_A0 =
-    { CKR_PIN_INCORRECT, CKR_PIN_LOCKED
-	, pkcs11_return_name_A0, &pkcs11_return_names_B0 };
+	{ CKR_PIN_INCORRECT, CKR_PIN_LOCKED
+		, pkcs11_return_name_A0, &pkcs11_return_names_B0 };
 
 static enum_names pkcs11_return_names_90 =
-    { CKR_OPERATION_ACTIVE, CKR_OPERATION_NOT_INITIALIZED
-	, pkcs11_return_name_90, &pkcs11_return_names_A0 };
+	{ CKR_OPERATION_ACTIVE, CKR_OPERATION_NOT_INITIALIZED
+		, pkcs11_return_name_90, &pkcs11_return_names_A0 };
 
 static enum_names pkcs11_return_names_80 =
-    { CKR_OBJECT_HANDLE_INVALID, CKR_OBJECT_HANDLE_INVALID
-	, pkcs11_return_name_80, &pkcs11_return_names_90 };
+	{ CKR_OBJECT_HANDLE_INVALID, CKR_OBJECT_HANDLE_INVALID
+		, pkcs11_return_name_80, &pkcs11_return_names_90 };
 
 static enum_names pkcs11_return_names_70 =
-    { CKR_MECHANISM_INVALID, CKR_MECHANISM_PARAM_INVALID
-	, pkcs11_return_name_70, &pkcs11_return_names_80 };
+	{ CKR_MECHANISM_INVALID, CKR_MECHANISM_PARAM_INVALID
+		, pkcs11_return_name_70, &pkcs11_return_names_80 };
 
 static enum_names pkcs11_return_names_60 =
-    { CKR_KEY_HANDLE_INVALID, CKR_KEY_UNEXTRACTABLE
-	, pkcs11_return_name_60, &pkcs11_return_names_70 };
+	{ CKR_KEY_HANDLE_INVALID, CKR_KEY_UNEXTRACTABLE
+		, pkcs11_return_name_60, &pkcs11_return_names_70 };
 
 static enum_names pkcs11_return_names_50 =
-    { CKR_FUNCTION_CANCELED, CKR_FUNCTION_NOT_SUPPORTED
-	, pkcs11_return_name_50, &pkcs11_return_names_60 };
+	{ CKR_FUNCTION_CANCELED, CKR_FUNCTION_NOT_SUPPORTED
+		, pkcs11_return_name_50, &pkcs11_return_names_60 };
 
 static enum_names pkcs11_return_names_40 =
-    { CKR_ENCRYPTED_DATA_INVALID, CKR_ENCRYPTED_DATA_LEN_RANGE
-	, pkcs11_return_name_40, &pkcs11_return_names_50 };
+	{ CKR_ENCRYPTED_DATA_INVALID, CKR_ENCRYPTED_DATA_LEN_RANGE
+		, pkcs11_return_name_40, &pkcs11_return_names_50 };
 
 static enum_names pkcs11_return_names_30 =
-    { CKR_DEVICE_ERROR, CKR_DEVICE_REMOVED
-	, pkcs11_return_name_30, &pkcs11_return_names_40 };
+	{ CKR_DEVICE_ERROR, CKR_DEVICE_REMOVED
+		, pkcs11_return_name_30, &pkcs11_return_names_40 };
 
 static enum_names pkcs11_return_names_20 =
-    { CKR_DATA_INVALID, CKR_DATA_LEN_RANGE
-	, pkcs11_return_name_20, &pkcs11_return_names_30 };
+	{ CKR_DATA_INVALID, CKR_DATA_LEN_RANGE
+		, pkcs11_return_name_20, &pkcs11_return_names_30 };
 
 static enum_names pkcs11_return_names_10 =
-    { CKR_ATTRIBUTE_READ_ONLY, CKR_ATTRIBUTE_VALUE_INVALID
-	, pkcs11_return_name_10, &pkcs11_return_names_20};
+	{ CKR_ATTRIBUTE_READ_ONLY, CKR_ATTRIBUTE_VALUE_INVALID
+		, pkcs11_return_name_10, &pkcs11_return_names_20};
 
 static enum_names pkcs11_return_names =
-    { CKR_OK, CKR_CANT_LOCK
-	, pkcs11_return_name, &pkcs11_return_names_10};
+	{ CKR_OK, CKR_CANT_LOCK
+		, pkcs11_return_name, &pkcs11_return_names_10};
 
 /*
  * Unload a PKCS#11 module.
@@ -390,49 +389,49 @@ static enum_names pkcs11_return_names =
 static CK_RV
 scx_unload_pkcs11_module(scx_pkcs11_module_t *mod)
 {
-    if (!mod || mod->_magic != SCX_MAGIC)
-	return CKR_ARGUMENTS_BAD;
+	if (!mod || mod->_magic != SCX_MAGIC)
+		return CKR_ARGUMENTS_BAD;
 
-    if (dlclose(mod->handle) < 0)
-	return CKR_FUNCTION_FAILED;
+	if (dlclose(mod->handle) < 0)
+		return CKR_FUNCTION_FAILED;
 
-    memset(mod, 0, sizeof(*mod));
-    pfree(mod);
-    return CKR_OK;
+	memset(mod, 0, sizeof(*mod));
+	free(mod);
+	return CKR_OK;
 }
 
 static scx_pkcs11_module_t*
 scx_load_pkcs11_module(const char *name, CK_FUNCTION_LIST_PTR_PTR funcs)
 {
-    CK_RV (*c_get_function_list)(CK_FUNCTION_LIST_PTR_PTR);
-    scx_pkcs11_module_t *mod;
-    void *handle;
-    int rv;
+	CK_RV (*c_get_function_list)(CK_FUNCTION_LIST_PTR_PTR);
+	scx_pkcs11_module_t *mod;
+	void *handle;
+	int rv;
 
-    if (name == NULL || *name == '\0')
-	return NULL;
+	if (name == NULL || *name == '\0')
+		return NULL;
 
-    /* Try to load PKCS#11 library module*/
-    handle = dlopen(name, RTLD_NOW);
-    if (handle == NULL)
-	return NULL;
+	/* Try to load PKCS#11 library module*/
+	handle = dlopen(name, RTLD_NOW);
+	if (handle == NULL)
+		return NULL;
 
-    mod = alloc_thing(scx_pkcs11_module_t, "scx_pkcs11_module");
-    mod->_magic = SCX_MAGIC;
-    mod->handle = handle;
+	mod = malloc_thing(scx_pkcs11_module_t);
+	mod->_magic = SCX_MAGIC;
+	mod->handle = handle;
 
    /* Get the list of function pointers */
-    c_get_function_list = (CK_RV (*)(CK_FUNCTION_LIST_PTR_PTR))
-	    dlsym(mod->handle, "C_GetFunctionList");
-    if (!c_get_function_list)
-	goto failed;
+	c_get_function_list = (CK_RV (*)(CK_FUNCTION_LIST_PTR_PTR))
+			dlsym(mod->handle, "C_GetFunctionList");
+	if (!c_get_function_list)
+		goto failed;
 
-    rv = c_get_function_list(funcs);
-    if (rv == CKR_OK)
-	return mod;
+	rv = c_get_function_list(funcs);
+	if (rv == CKR_OK)
+		return mod;
 
 failed: scx_unload_pkcs11_module(mod);
-	return NULL;
+		return NULL;
 }
 
 /*
@@ -442,78 +441,78 @@ static bool
 scx_find_cert_object(CK_SESSION_HANDLE session, CK_OBJECT_HANDLE object
 , smartcard_t *sc, cert_t *cert)
 {
-    size_t hex_len, label_len;
-    u_char *hex_id = NULL;
-    chunk_t blob;
-    x509cert_t *x509cert;
-
-    CK_ATTRIBUTE attr[] = {
-	{ CKA_ID,    NULL_PTR, 0L },
-	{ CKA_LABEL, NULL_PTR, 0L },
-	{ CKA_VALUE, NULL_PTR, 0L }
-    };
-
-    /* initialize the return argument */
-    *cert = empty_cert;
-
-    /* get the length of the attributes first */
-    CK_RV rv = pkcs11_functions->C_GetAttributeValue(session, object, attr, 3);
-    if (rv != CKR_OK)
-    {
-	plog("couldn't read the attribute sizes: %s"
-	    , enum_show(&pkcs11_return_names, rv));
-	return FALSE;
-    }
-
-    pfreeany(sc->label);
-
-    hex_id    = alloc_bytes(attr[0].ulValueLen, "hex id");
-    hex_len   = attr[0].ulValueLen;
-    sc->label = alloc_bytes(attr[1].ulValueLen + 1, "sc label");
-    label_len = attr[1].ulValueLen;
-    blob.ptr  = alloc_bytes(attr[2].ulValueLen, "x509cert blob");
-    blob.len  = attr[2].ulValueLen;
-
-    attr[0].pValue = hex_id;
-    attr[1].pValue = sc->label;
-    attr[2].pValue = blob.ptr;
-
-    /* now get the attributes */
-    rv = pkcs11_functions->C_GetAttributeValue(session, object, attr, 3);
-    if (rv != CKR_OK)
-    {
-	plog("couldn't read the attributes: %s"
-	    , enum_show(&pkcs11_return_names, rv));
-	pfree(hex_id);
-	pfreeany(sc->label);
-	pfree(blob.ptr);
-	return FALSE;
-    }
+	size_t hex_len, label_len;
+	u_char *hex_id = NULL;
+	chunk_t blob;
+	x509cert_t *x509cert;
+
+	CK_ATTRIBUTE attr[] = {
+		{ CKA_ID,    NULL_PTR, 0L },
+		{ CKA_LABEL, NULL_PTR, 0L },
+		{ CKA_VALUE, NULL_PTR, 0L }
+	};
+
+	/* initialize the return argument */
+	*cert = cert_empty;
+
+	/* get the length of the attributes first */
+	CK_RV rv = pkcs11_functions->C_GetAttributeValue(session, object, attr, 3);
+	if (rv != CKR_OK)
+	{
+		plog("couldn't read the attribute sizes: %s"
+			, enum_show(&pkcs11_return_names, rv));
+		return FALSE;
+	}
+
+	free(sc->label);
+
+	hex_id    = malloc(attr[0].ulValueLen);
+	hex_len   = attr[0].ulValueLen;
+	sc->label = malloc(attr[1].ulValueLen + 1);
+	label_len = attr[1].ulValueLen;
+	blob.ptr  = malloc(attr[2].ulValueLen);
+	blob.len  = attr[2].ulValueLen;
+
+	attr[0].pValue = hex_id;
+	attr[1].pValue = sc->label;
+	attr[2].pValue = blob.ptr;
+
+	/* now get the attributes */
+	rv = pkcs11_functions->C_GetAttributeValue(session, object, attr, 3);
+	if (rv != CKR_OK)
+	{
+		plog("couldn't read the attributes: %s"
+			, enum_show(&pkcs11_return_names, rv));
+		free(hex_id);
+		free(sc->label);
+		free(blob.ptr);
+		return FALSE;
+	}
 
-    pfreeany(sc->id);
+	free(sc->id);
 
-    /* convert id from hex to ASCII */
-    sc->id = alloc_bytes(2*hex_len + 1, " sc id");
-    datatot(hex_id, hex_len, 16, sc->id, 2*hex_len + 1);
-    pfree(hex_id);
+	/* convert id from hex to ASCII */
+	sc->id = malloc(2*hex_len + 1);
+	datatot(hex_id, hex_len, 16, sc->id, 2*hex_len + 1);
+	free(hex_id);
 
-    /* safeguard in case the label is not null terminated */
-    sc->label[label_len] = '\0';
+	/* safeguard in case the label is not null terminated */
+	sc->label[label_len] = '\0';
 
-    /* parse the retrieved cert */
-    x509cert = alloc_thing(x509cert_t, "x509cert");
-    *x509cert = empty_x509cert;
-    x509cert->smartcard = TRUE;
+	/* parse the retrieved cert */
+	x509cert = malloc_thing(x509cert_t);
+	*x509cert = empty_x509cert;
+	x509cert->smartcard = TRUE;
 
-    if (!parse_x509cert(blob, 0, x509cert))
-    {
-	plog("failed to load cert from smartcard, error in X.509 certificate");
-	free_x509cert(x509cert);
-	return FALSE;
-    }
-    cert->type = CERT_X509_SIGNATURE;
-    cert->u.x509 = x509cert;
-    return TRUE;
+	if (!parse_x509cert(blob, 0, x509cert))
+	{
+		plog("failed to load cert from smartcard, error in X.509 certificate");
+		free_x509cert(x509cert);
+		return FALSE;
+	}
+	cert->type = CERT_X509_SIGNATURE;
+	cert->u.x509 = x509cert;
+	return TRUE;
 }
 
 /*
@@ -522,96 +521,96 @@ scx_find_cert_object(CK_SESSION_HANDLE session, CK_OBJECT_HANDLE object
 static void
 scx_find_cert_objects(CK_SLOT_ID slot, CK_SESSION_HANDLE session)
 {
-    CK_RV rv;
-    CK_OBJECT_CLASS class = CKO_CERTIFICATE;
-    CK_ATTRIBUTE attr[] = {{ CKA_CLASS, &class, sizeof(class) }};
-
-    rv = pkcs11_functions->C_FindObjectsInit(session, attr, 1);
-    if (rv != CKR_OK)
-    {
-	plog("error in C_FindObjectsInit: %s"
-	    , enum_show(&pkcs11_return_names, rv));
-	return;
-    }
-
-    for (;;)
-    {
-	CK_OBJECT_HANDLE object;
-	CK_ULONG obj_count = 0;
-	err_t ugh;
-	time_t valid_until;
-	smartcard_t *sc;
-	x509cert_t *cert;
+	CK_RV rv;
+	CK_OBJECT_CLASS class = CKO_CERTIFICATE;
+	CK_ATTRIBUTE attr[] = {{ CKA_CLASS, &class, sizeof(class) }};
 
-	rv = pkcs11_functions->C_FindObjects(session, &object, 1, &obj_count);
+	rv = pkcs11_functions->C_FindObjectsInit(session, attr, 1);
 	if (rv != CKR_OK)
 	{
-	    plog("error in C_FindObjects: %s"
-		, enum_show(&pkcs11_return_names, rv));
-	    break;
-	}
-
-	/* no objects left */
-	if (obj_count == 0)
-	    break;
-
-	/* create and initialize a new smartcard object */
-	sc  = alloc_thing(smartcard_t, "smartcard");
-	*sc = empty_sc;
-	sc->any_slot = FALSE;
-	sc->slot  = slot;
-
-        if (!scx_find_cert_object(session, object, sc, &sc->last_cert))
-	{
-	    scx_free(sc);
-	    continue;
+		plog("error in C_FindObjectsInit: %s"
+			, enum_show(&pkcs11_return_names, rv));
+		return;
 	}
- 	DBG(DBG_CONTROL,
-	    DBG_log("found cert in %s with id: %s, label: '%s'"
-		, scx_print_slot(sc, ""), sc->id, sc->label)
-	)
 
-	/* check validity of certificate */
-	cert = sc->last_cert.u.x509;
-	valid_until = cert->notAfter;
-	ugh = check_validity(cert, &valid_until);
-	if (ugh != NULL)
-	{
-	    plog("  %s", ugh);
-	    free_x509cert(cert);
-	    scx_free(sc);
-	    continue;
-	}
-	else
+	for (;;)
 	{
-	    DBG(DBG_CONTROL,
-	 	DBG_log("  certificate is valid")
-	    )
+		CK_OBJECT_HANDLE object;
+		CK_ULONG obj_count = 0;
+		err_t ugh;
+		time_t valid_until;
+		smartcard_t *sc;
+		x509cert_t *cert;
+
+		rv = pkcs11_functions->C_FindObjects(session, &object, 1, &obj_count);
+		if (rv != CKR_OK)
+		{
+			plog("error in C_FindObjects: %s"
+				, enum_show(&pkcs11_return_names, rv));
+			break;
+		}
+
+		/* no objects left */
+		if (obj_count == 0)
+			break;
+
+		/* create and initialize a new smartcard object */
+		sc  = malloc_thing(smartcard_t);
+		*sc = empty_sc;
+		sc->any_slot = FALSE;
+		sc->slot  = slot;
+
+		if (!scx_find_cert_object(session, object, sc, &sc->last_cert))
+		{
+			scx_free(sc);
+			continue;
+		}
+		DBG(DBG_CONTROL,
+			DBG_log("found cert in %s with id: %s, label: '%s'"
+				, scx_print_slot(sc, ""), sc->id, sc->label)
+		)
+
+		/* check validity of certificate */
+		cert = sc->last_cert.u.x509;
+		valid_until = cert->notAfter;
+		ugh = check_validity(cert, &valid_until);
+		if (ugh != NULL)
+		{
+			plog("  %s", ugh);
+			free_x509cert(cert);
+			scx_free(sc);
+			continue;
+		}
+		else
+		{
+			DBG(DBG_CONTROL,
+				DBG_log("  certificate is valid")
+			)
+		}
+
+		sc = scx_add(sc);
+
+		/* put end entity and ca certificates into different chains */
+		if (cert->isCA)
+		{
+			sc->last_cert.u.x509 = add_authcert(cert, AUTH_CA);
+		}
+		else
+		{
+			add_x509_public_key(cert, valid_until, DAL_LOCAL);
+			sc->last_cert.u.x509 = add_x509cert(cert);
+		}
+
+		share_cert(sc->last_cert);
+		time(&sc->last_load);
 	}
 
-	sc = scx_add(sc);
-
-	/* put end entity and ca certificates into different chains */
-	if (cert->isCA)
-	{
-	    sc->last_cert.u.x509 = add_authcert(cert, AUTH_CA);
-	}
-	else
+	rv = pkcs11_functions->C_FindObjectsFinal(session);
+	if (rv != CKR_OK)
 	{
-	    add_x509_public_key(cert, valid_until, DAL_LOCAL);
-	    sc->last_cert.u.x509 = add_x509cert(cert);
+		plog("error in C_FindObjectsFinal: %s"
+				, enum_show(&pkcs11_return_names, rv));
 	}
-
-	share_cert(sc->last_cert);
-	time(&sc->last_load);
-    }
-
-    rv = pkcs11_functions->C_FindObjectsFinal(session);
-    if (rv != CKR_OK)
-    {
-	plog("error in C_FindObjectsFinal: %s"
-	        , enum_show(&pkcs11_return_names, rv));
-    }
 }
 
 /*
@@ -620,74 +619,74 @@ scx_find_cert_objects(CK_SLOT_ID slot, CK_SESSION_HANDLE session)
 static void
 scx_find_all_cert_objects(void)
 {
-    CK_RV rv;
-    CK_SLOT_ID_PTR slots = NULL_PTR;
-    CK_ULONG slot_count = 0;
-    CK_ULONG i;
-
-    if (!scx_initialized)
-    {
-	plog("pkcs11 module not initialized");
-	return;
-    }
-
-    /* read size, always returns CKR_OK ! */
-    rv = pkcs11_functions->C_GetSlotList(FALSE, NULL_PTR, &slot_count);
-
-    /* allocate memory for the slots */
-    slots = (CK_SLOT_ID *)alloc_bytes(slot_count * sizeof(CK_SLOT_ID), "slots");
-
-    rv = pkcs11_functions->C_GetSlotList(FALSE, slots, &slot_count);
-    if (rv != CKR_OK)
-    {
-	plog("error in C_GetSlotList: %s", enum_show(&pkcs11_return_names, rv));
-	pfreeany(slots);
-	return;
-    }
-
-    /* look in every slot for certificate objects */
-    for (i = 0; i < slot_count; i++)
-    {
-	CK_SLOT_ID slot = slots[i];
-	CK_SLOT_INFO info;
-	CK_SESSION_HANDLE session;
-
-	rv = pkcs11_functions->C_GetSlotInfo(slot, &info);
+	CK_RV rv;
+	CK_SLOT_ID_PTR slots = NULL_PTR;
+	CK_ULONG slot_count = 0;
+	CK_ULONG i;
 
-	if (rv != CKR_OK)
+	if (!scx_initialized)
 	{
-	    plog("error in C_GetSlotInfo: %s"
-		, enum_show(&pkcs11_return_names, rv));
-	    continue;
-	}
-	
-	if (!(info.flags & CKF_TOKEN_PRESENT))
-	{
-	    plog("no token present in slot %lu", slot);
-	    continue;
+		plog("pkcs11 module not initialized");
+		return;
 	}
 
-	rv = pkcs11_functions->C_OpenSession(slot
-		, CKF_SERIAL_SESSION, NULL_PTR, NULL_PTR, &session);
+	/* read size, always returns CKR_OK ! */
+	rv = pkcs11_functions->C_GetSlotList(FALSE, NULL_PTR, &slot_count);
+
+	/* allocate memory for the slots */
+	slots = (CK_SLOT_ID *)malloc(slot_count * sizeof(CK_SLOT_ID));
+
+	rv = pkcs11_functions->C_GetSlotList(FALSE, slots, &slot_count);
 	if (rv != CKR_OK)
 	{
-	    plog("failed to open a session on slot %lu: %s"
-		, slot, enum_show(&pkcs11_return_names, rv));
-	    continue;
+		plog("error in C_GetSlotList: %s", enum_show(&pkcs11_return_names, rv));
+		free(slots);
+		return;
 	}
-	DBG(DBG_CONTROLMORE,
-	    DBG_log("pkcs11 session #%ld for searching slot %lu", session, slot)
-	)
-	scx_find_cert_objects(slot, session);
 
-	rv = pkcs11_functions->C_CloseSession(session);
-	if (rv != CKR_OK)
+	/* look in every slot for certificate objects */
+	for (i = 0; i < slot_count; i++)
 	{
-	    plog("error in C_CloseSession: %s"
-		, enum_show(&pkcs11_return_names, rv));
+		CK_SLOT_ID slot = slots[i];
+		CK_SLOT_INFO info;
+		CK_SESSION_HANDLE session;
+
+		rv = pkcs11_functions->C_GetSlotInfo(slot, &info);
+
+		if (rv != CKR_OK)
+		{
+			plog("error in C_GetSlotInfo: %s"
+				, enum_show(&pkcs11_return_names, rv));
+			continue;
+		}
+		
+		if (!(info.flags & CKF_TOKEN_PRESENT))
+		{
+			plog("no token present in slot %lu", slot);
+			continue;
+		}
+
+		rv = pkcs11_functions->C_OpenSession(slot
+				, CKF_SERIAL_SESSION, NULL_PTR, NULL_PTR, &session);
+		if (rv != CKR_OK)
+		{
+			plog("failed to open a session on slot %lu: %s"
+				, slot, enum_show(&pkcs11_return_names, rv));
+			continue;
+		}
+		DBG(DBG_CONTROLMORE,
+			DBG_log("pkcs11 session #%ld for searching slot %lu", session, slot)
+		)
+		scx_find_cert_objects(slot, session);
+
+		rv = pkcs11_functions->C_CloseSession(session);
+		if (rv != CKR_OK)
+		{
+			plog("error in C_CloseSession: %s"
+				, enum_show(&pkcs11_return_names, rv));
+		}
 	}
-    }
-    pfreeany(slots);
+	free(slots);
 }
 #endif
 
@@ -701,52 +700,52 @@ void
 scx_init(const char* module, const char *init_args)
 {
 #ifdef SMARTCARD
-    CK_C_INITIALIZE_ARGS args = { .pReserved = (char *)init_args, };
-    CK_RV rv;
+	CK_C_INITIALIZE_ARGS args = { .pReserved = (char *)init_args, };
+	CK_RV rv;
 
-    if (scx_initialized)
-    {
-	plog("weird - pkcs11 module seems already to be initialized");
-	return;
-    }
+	if (scx_initialized)
+	{
+		plog("weird - pkcs11 module seems already to be initialized");
+		return;
+	}
 
-    if (module == NULL)
+	if (module == NULL)
 #ifdef PKCS11_DEFAULT_LIB
-	module = PKCS11_DEFAULT_LIB;
+		module = PKCS11_DEFAULT_LIB;
 #else
-    {
-	plog("no pkcs11 module defined");
-	return;
-    }
+	{
+		plog("no pkcs11 module defined");
+		return;
+	}
 #endif
 
-    DBG(DBG_CONTROL | DBG_CRYPT,
-	DBG_log("pkcs11 module '%s' loading...", module)
-    )
-    pkcs11_module = scx_load_pkcs11_module(module, &pkcs11_functions);
-    if (pkcs11_module == NULL)
-    {
-	 plog("failed to load pkcs11 module '%s'", module);
-	 return;
-    }
-
-    DBG(DBG_CONTROL | DBG_CRYPT,
-	DBG_log("pkcs11 module initializing...")
-    )
-    rv = pkcs11_functions->C_Initialize(init_args ? &args : NULL);
-    if (rv != CKR_OK)
-    {
-	plog("failed to initialize pkcs11 module: %s"
-	    , enum_show(&pkcs11_return_names, rv));
-	return;
-    }
-
-    scx_initialized = TRUE;
-    DBG(DBG_CONTROL | DBG_CRYPT,
-	DBG_log("pkcs11 module loaded and initialized")
-    )
-
-    scx_find_all_cert_objects();
+	DBG(DBG_CONTROL | DBG_CRYPT,
+		DBG_log("pkcs11 module '%s' loading...", module)
+	)
+	pkcs11_module = scx_load_pkcs11_module(module, &pkcs11_functions);
+	if (pkcs11_module == NULL)
+	{
+		 plog("failed to load pkcs11 module '%s'", module);
+		 return;
+	}
+
+	DBG(DBG_CONTROL | DBG_CRYPT,
+		DBG_log("pkcs11 module initializing...")
+	)
+	rv = pkcs11_functions->C_Initialize(init_args ? &args : NULL);
+	if (rv != CKR_OK)
+	{
+		plog("failed to initialize pkcs11 module: %s"
+			, enum_show(&pkcs11_return_names, rv));
+		return;
+	}
+
+	scx_initialized = TRUE;
+	DBG(DBG_CONTROL | DBG_CRYPT,
+		DBG_log("pkcs11 module loaded and initialized")
+	)
+
+	scx_find_all_cert_objects();
 #endif
 }
 
@@ -757,27 +756,27 @@ void
 scx_finalize(void)
 {
 #ifdef SMARTCARD
-    while (smartcards != NULL)
-    {
-	scx_release(smartcards);
-    }
-
-    if (pkcs11_functions != NULL_PTR)
-    {
-	pkcs11_functions->C_Finalize(NULL_PTR);
-	pkcs11_functions = NULL_PTR;
-    }
-
-    if (pkcs11_module != NULL)
-    {
-	scx_unload_pkcs11_module(pkcs11_module);
-	pkcs11_module = NULL;
-    }
-
-    scx_initialized = FALSE;
-    DBG(DBG_CONTROL | DBG_CRYPT,
-	DBG_log("pkcs11 module finalized and unloaded")
-    )
+	while (smartcards != NULL)
+	{
+		scx_release(smartcards);
+	}
+
+	if (pkcs11_functions != NULL_PTR)
+	{
+		pkcs11_functions->C_Finalize(NULL_PTR);
+		pkcs11_functions = NULL_PTR;
+	}
+
+	if (pkcs11_module != NULL)
+	{
+		scx_unload_pkcs11_module(pkcs11_module);
+		pkcs11_module = NULL;
+	}
+
+	scx_initialized = FALSE;
+	DBG(DBG_CONTROL | DBG_CRYPT,
+		DBG_log("pkcs11 module finalized and unloaded")
+	)
 #endif
 }
 
@@ -787,7 +786,7 @@ scx_finalize(void)
 bool
 scx_on_smartcard(const char *filename)
 {
-    return strncmp(filename, SCX_TOKEN, strlen(SCX_TOKEN)) == 0;
+	return strneq(filename, SCX_TOKEN, strlen(SCX_TOKEN));
 }
 
 #ifdef SMARTCARD
@@ -795,55 +794,55 @@ scx_on_smartcard(const char *filename)
  * find a specific object on the smartcard 
  */
 static bool
-scx_pkcs11_find_object(	CK_SESSION_HANDLE session, 
-			CK_OBJECT_HANDLE_PTR object, 
-			CK_OBJECT_CLASS class, 
-			const char* id)
+scx_pkcs11_find_object( CK_SESSION_HANDLE session, 
+						CK_OBJECT_HANDLE_PTR object, 
+						CK_OBJECT_CLASS class, 
+						const char* id)
 {
-    size_t len;
-    char buf[BUF_LEN];
-    CK_RV rv;
-    CK_ULONG obj_count = 0;
-    CK_ULONG attr_count = 1;
-
-    CK_ATTRIBUTE attr[] = {
-	{ CKA_CLASS, &class, sizeof(class) },
-	{ CKA_ID, &buf, 0L }
-    };
-
-    if (id != NULL)
-    {
-	ttodata(id, strlen(id), 16, buf, BUF_LEN, &len);
-	attr[1].ulValueLen = len;
-	attr_count = 2;
-    }
-
-    /* get info for certificate with id */
-    rv = pkcs11_functions->C_FindObjectsInit(session, attr, attr_count);
-    if (rv != CKR_OK)
-    {
-	plog("error in C_FindObjectsInit: %s"
-	        , enum_show(&pkcs11_return_names, rv));
-	return FALSE;
-    }
+	size_t len;
+	char buf[BUF_LEN];
+	CK_RV rv;
+	CK_ULONG obj_count = 0;
+	CK_ULONG attr_count = 1;
 
-    rv = pkcs11_functions->C_FindObjects(session, object, 1,  &obj_count);
-    if (rv != CKR_OK)
-    {
-	plog("error in C_FindObjects: %s"
-	        , enum_show(&pkcs11_return_names, rv));
-	return FALSE;
-    }
+	CK_ATTRIBUTE attr[] = {
+		{ CKA_CLASS, &class, sizeof(class) },
+		{ CKA_ID, &buf, 0L }
+	};
 
-    rv = pkcs11_functions->C_FindObjectsFinal(session);
-    if (rv != CKR_OK)
-    {
-	plog("error in C_FindObjectsFinal: %s"
-	        , enum_show(&pkcs11_return_names, rv));
-	return FALSE;
-    }
+	if (id != NULL)
+	{
+		ttodata(id, strlen(id), 16, buf, BUF_LEN, &len);
+		attr[1].ulValueLen = len;
+		attr_count = 2;
+	}
+
+	/* get info for certificate with id */
+	rv = pkcs11_functions->C_FindObjectsInit(session, attr, attr_count);
+	if (rv != CKR_OK)
+	{
+		plog("error in C_FindObjectsInit: %s"
+				, enum_show(&pkcs11_return_names, rv));
+		return FALSE;
+	}
+
+	rv = pkcs11_functions->C_FindObjects(session, object, 1,  &obj_count);
+	if (rv != CKR_OK)
+	{
+		plog("error in C_FindObjects: %s"
+				, enum_show(&pkcs11_return_names, rv));
+		return FALSE;
+	}
 
-    return (obj_count != 0);
+	rv = pkcs11_functions->C_FindObjectsFinal(session);
+	if (rv != CKR_OK)
+	{
+		plog("error in C_FindObjectsFinal: %s"
+				, enum_show(&pkcs11_return_names, rv));
+		return FALSE;
+	}
+
+	return (obj_count != 0);
 }
 
 /*
@@ -852,54 +851,54 @@ scx_pkcs11_find_object(	CK_SESSION_HANDLE session,
 static bool
 scx_find_cert_id_in_slot(smartcard_t *sc, CK_SLOT_ID slot)
 {
-    CK_SESSION_HANDLE session;
-    CK_OBJECT_HANDLE object;
-    CK_SLOT_INFO info;
-
-    CK_RV rv = pkcs11_functions->C_GetSlotInfo(slot, &info);
-
-    if (rv != CKR_OK)
-    {
-	plog("error in C_GetSlotInfo: %s"
-	    , enum_show(&pkcs11_return_names, rv));
-	 return FALSE;
-    }
-	
-    if (!(info.flags & CKF_TOKEN_PRESENT))
-    {
-	plog("no token present in slot %lu", slot);
-	return FALSE;
-    }
-
-    rv = pkcs11_functions->C_OpenSession(slot
-		, CKF_SERIAL_SESSION, NULL_PTR, NULL_PTR, &session);
-    if (rv != CKR_OK)
-    {
-	plog("failed to open a session on slot %lu: %s"
-	    , slot, enum_show(&pkcs11_return_names, rv));
+	CK_SESSION_HANDLE session;
+	CK_OBJECT_HANDLE object;
+	CK_SLOT_INFO info;
+
+	CK_RV rv = pkcs11_functions->C_GetSlotInfo(slot, &info);
+
+	if (rv != CKR_OK)
+	{
+		plog("error in C_GetSlotInfo: %s"
+			, enum_show(&pkcs11_return_names, rv));
+		 return FALSE;
+	}
+		
+	if (!(info.flags & CKF_TOKEN_PRESENT))
+	{
+		plog("no token present in slot %lu", slot);
+		return FALSE;
+	}
+
+	rv = pkcs11_functions->C_OpenSession(slot
+				, CKF_SERIAL_SESSION, NULL_PTR, NULL_PTR, &session);
+	if (rv != CKR_OK)
+	{
+		plog("failed to open a session on slot %lu: %s"
+			, slot, enum_show(&pkcs11_return_names, rv));
+		return FALSE;
+	}
+	DBG(DBG_CONTROLMORE,
+		DBG_log("pkcs11 session #%ld for searching slot %lu", session, slot)
+	)
+
+	/* check if there is a certificate on the card in the specified slot */
+	if (scx_pkcs11_find_object(session, &object, CKO_CERTIFICATE, sc->id))
+	{
+		sc->slot = slot;
+		sc->any_slot = FALSE;
+		sc->session = session;
+		sc->session_opened = TRUE;
+		return TRUE;
+	}
+		
+	rv = pkcs11_functions->C_CloseSession(session);
+	if (rv != CKR_OK)
+	{
+		plog("error in C_CloseSession: %s"
+				, enum_show(&pkcs11_return_names, rv));
+	}
 	return FALSE;
-    }
-    DBG(DBG_CONTROLMORE,
-	DBG_log("pkcs11 session #%ld for searching slot %lu", session, slot)
-    )
-
-    /* check if there is a certificate on the card in the specified slot */
-    if (scx_pkcs11_find_object(session, &object, CKO_CERTIFICATE, sc->id))
-    {
-	sc->slot = slot;
-	sc->any_slot = FALSE;
-	sc->session = session;
-	sc->session_opened = TRUE;
-	return TRUE;
-    }
-	
-    rv = pkcs11_functions->C_CloseSession(session);
-    if (rv != CKR_OK)
-    {
-	plog("error in C_CloseSession: %s"
-		, enum_show(&pkcs11_return_names, rv));
-    }
-    return FALSE;
 }
 #endif
 
@@ -910,74 +909,74 @@ bool
 scx_establish_context(smartcard_t *sc)
 {
 #ifdef SMARTCARD
-    bool id_found = FALSE;
-
-    if (!scx_initialized)
-    {
-	plog("pkcs11 module not initialized");
-	return FALSE;
-    }
+	bool id_found = FALSE;
 
-    if (sc->session_opened)
-    {
-	DBG(DBG_CONTROL | DBG_CRYPT,
-	    DBG_log("pkcs11 session #%ld already open", sc->session)
-	)
-	return TRUE;
-    }
-
-    if (!sc->any_slot)
-	id_found = scx_find_cert_id_in_slot(sc, sc->slot);
-
-    if (!id_found)
-    {
-	CK_RV rv;
-	CK_SLOT_ID slot;
-	CK_SLOT_ID_PTR slots = NULL_PTR;
-	CK_ULONG slot_count = 0;
-	CK_ULONG i;
+	if (!scx_initialized)
+	{
+		plog("pkcs11 module not initialized");
+		return FALSE;
+	}
 
-	/* read size, always returns CKR_OK ! */
-	rv = pkcs11_functions->C_GetSlotList(FALSE, NULL_PTR, &slot_count);
+	if (sc->session_opened)
+	{
+		DBG(DBG_CONTROL | DBG_CRYPT,
+			DBG_log("pkcs11 session #%ld already open", sc->session)
+		)
+		return TRUE;
+	}
 
-	/* allocate memory for the slots */
-	slots = (CK_SLOT_ID *)alloc_bytes(slot_count * sizeof(CK_SLOT_ID), "slots");
+	if (!sc->any_slot)
+		id_found = scx_find_cert_id_in_slot(sc, sc->slot);
 
-	rv = pkcs11_functions->C_GetSlotList(FALSE, slots, &slot_count);
-	if (rv != CKR_OK)
+	if (!id_found)
 	{
-	    plog("error in C_GetSlotList: %s"
-		, enum_show(&pkcs11_return_names, rv));
-	    pfreeany(slots);
-	    return FALSE;
-        }
+		CK_RV rv;
+		CK_SLOT_ID slot;
+		CK_SLOT_ID_PTR slots = NULL_PTR;
+		CK_ULONG slot_count = 0;
+		CK_ULONG i;
+
+		/* read size, always returns CKR_OK ! */
+		rv = pkcs11_functions->C_GetSlotList(FALSE, NULL_PTR, &slot_count);
+
+		/* allocate memory for the slots */
+		slots = (CK_SLOT_ID *)malloc(slot_count * sizeof(CK_SLOT_ID));
+
+		rv = pkcs11_functions->C_GetSlotList(FALSE, slots, &slot_count);
+		if (rv != CKR_OK)
+		{
+			plog("error in C_GetSlotList: %s"
+				, enum_show(&pkcs11_return_names, rv));
+			free(slots);
+			return FALSE;
+		}
+
+		/* look in every slot for a certificate with a given object ID */
+		for (i = 0; i < slot_count; i++)
+		{
+			slot = slots[i];
+			id_found = scx_find_cert_id_in_slot(sc, slot);
+			if (id_found)
+				break;
+		}
+		free(slots);
+	}
 
-        /* look in every slot for a certificate with a given object ID */
-	for (i = 0; i < slot_count; i++)
+	if (id_found)
 	{
-	    slot = slots[i];
-	    id_found = scx_find_cert_id_in_slot(sc, slot);
-	    if (id_found)
-	        break;
-        }
-	pfreeany(slots)
-    }
-
-    if (id_found)
-    {
-	DBG(DBG_CONTROL | DBG_CRYPT,
-	    DBG_log("found token with id %s in slot %lu", sc->id, sc->slot);
-	    DBG_log("pkcs11 session #%ld opened", sc->session)
-	)
-    }
-    else
-    {
-	plog("  no certificate with id %s found on smartcard", sc->id);
-    }
-    return id_found;
+		DBG(DBG_CONTROL | DBG_CRYPT,
+			DBG_log("found token with id %s in slot %lu", sc->id, sc->slot);
+			DBG_log("pkcs11 session #%ld opened", sc->session)
+		)
+	}
+	else
+	{
+		plog("  no certificate with id %s found on smartcard", sc->id);
+	}
+	return id_found;
 #else
-    plog("warning: SMARTCARD support is deactivated in pluto/Makefile!");
-    return FALSE;
+	plog("warning: SMARTCARD support is deactivated in pluto/Makefile!");
+	return FALSE;
 #endif
 }
 
@@ -988,41 +987,41 @@ bool
 scx_login(smartcard_t *sc)
 {
 #ifdef SMARTCARD
-    CK_RV rv;
+	CK_RV rv;
+
+	if (sc->logged_in)
+	{
+		DBG(DBG_CONTROL | DBG_CRYPT,
+			DBG_log("pkcs11 session #%ld login already done", sc->session)
+		)
+		return TRUE;
+	}
+		
+	if (sc->pin.ptr == NULL)
+	{
+		plog("unable to log in without PIN!");
+		return FALSE;
+	}
+
+	if (!sc->session_opened)
+	{
+		plog("session not opened");
+		return FALSE;
+	}
 
-    if (sc->logged_in)
-    {
+	rv = pkcs11_functions->C_Login(sc->session, CKU_USER 
+								, (CK_UTF8CHAR *) sc->pin.ptr, sc->pin.len);
+	if (rv != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN)
+	{
+		plog("unable to login: %s"
+			, enum_show(&pkcs11_return_names, rv));
+		return FALSE;
+	}
 	DBG(DBG_CONTROL | DBG_CRYPT,
-	    DBG_log("pkcs11 session #%ld login already done", sc->session)
+		DBG_log("pkcs11 session #%ld login successful", sc->session)
 	)
+	sc->logged_in = TRUE;
 	return TRUE;
-    }
-	
-    if (sc->pin.ptr == NULL)
-    {
-	plog("unable to log in without PIN!");
-	return FALSE;
-    }
-
-    if (!sc->session_opened)
-    {
-	plog("session not opened");
-	return FALSE;
-    }
-
-    rv = pkcs11_functions->C_Login(sc->session, CKU_USER 
-				, (CK_UTF8CHAR *) sc->pin.ptr, sc->pin.len);
-    if (rv != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN)
-    {
-	plog("unable to login: %s"
-	    , enum_show(&pkcs11_return_names, rv));
-	return FALSE;
-    }
-    DBG(DBG_CONTROL | DBG_CRYPT,
-	DBG_log("pkcs11 session #%ld login successful", sc->session)
-    )
-    sc->logged_in = TRUE;
-    return TRUE;
 #else
    return FALSE;
 #endif
@@ -1035,17 +1034,17 @@ scx_login(smartcard_t *sc)
 static void
 scx_logout(smartcard_t *sc)
 {
-    CK_RV rv;
-    
-    rv = pkcs11_functions->C_Logout(sc->session);
-    if (rv != CKR_OK)
-	plog("error in C_Logout: %s"
-	    , enum_show(&pkcs11_return_names, rv));
-    else
-	DBG(DBG_CONTROL | DBG_CRYPT,
-	    DBG_log("pkcs11 session #%ld logout", sc->session)
-	)
-    sc->logged_in = FALSE;
+	CK_RV rv;
+	
+	rv = pkcs11_functions->C_Logout(sc->session);
+	if (rv != CKR_OK)
+		plog("error in C_Logout: %s"
+			, enum_show(&pkcs11_return_names, rv));
+	else
+		DBG(DBG_CONTROL | DBG_CRYPT,
+			DBG_log("pkcs11 session #%ld logout", sc->session)
+		)
+	sc->logged_in = FALSE;
 }
 #endif
 
@@ -1057,27 +1056,27 @@ void
 scx_release_context(smartcard_t *sc)
 {
 #ifdef SMARTCARD
-    CK_RV rv;
-
-    if (!scx_initialized)
-	return;
+	CK_RV rv;
 
-    if (sc->session_opened)
-    {
-	if (sc->logged_in)
-	    scx_logout(sc);
+	if (!scx_initialized)
+		return;
 
-	sc->session_opened = FALSE;
-	
-	rv = pkcs11_functions->C_CloseSession(sc->session);
-	if (rv != CKR_OK)
-	    plog("error in C_CloseSession: %s"
-		, enum_show(&pkcs11_return_names, rv));
-	else
-	    DBG(DBG_CONTROL | DBG_CRYPT,
-		DBG_log("pkcs11 session #%ld closed", sc->session)
-	    )
-    }
+	if (sc->session_opened)
+	{
+		if (sc->logged_in)
+			scx_logout(sc);
+
+		sc->session_opened = FALSE;
+		
+		rv = pkcs11_functions->C_CloseSession(sc->session);
+		if (rv != CKR_OK)
+			plog("error in C_CloseSession: %s"
+				, enum_show(&pkcs11_return_names, rv));
+		else
+			DBG(DBG_CONTROL | DBG_CRYPT,
+				DBG_log("pkcs11 session #%ld closed", sc->session)
+			)
+	}
 #endif
 }
 
@@ -1088,64 +1087,64 @@ bool
 scx_load_cert(const char *filename, smartcard_t **scp, cert_t *cert
 , bool *cached)
 {
-#ifdef SMARTCARD	/* compile with smartcard support */
-    CK_OBJECT_HANDLE object;
+#ifdef SMARTCARD        /* compile with smartcard support */
+	CK_OBJECT_HANDLE object;
 
-    const char *number_slot_id = filename + strlen(SCX_TOKEN);
+	const char *number_slot_id = filename + strlen(SCX_TOKEN);
 
-    smartcard_t *sc = scx_add(scx_parse_number_slot_id(number_slot_id));
+	smartcard_t *sc = scx_add(scx_parse_number_slot_id(number_slot_id));
 
-    /* return the smartcard object */
-    *scp = sc;
+	/* return the smartcard object */
+	*scp = sc;
 
-    /* is there a cached smartcard certificate? */
-    *cached = sc->last_cert.type != CERT_NONE
-	      && (time(NULL) - sc->last_load) < SCX_CERT_CACHE_INTERVAL;
+	/* is there a cached smartcard certificate? */
+	*cached = sc->last_cert.type != CERT_NONE
+			  && (time(NULL) - sc->last_load) < SCX_CERT_CACHE_INTERVAL;
 
-    if (*cached)
-    {
-	*cert = sc->last_cert;
-	plog("  using cached cert from smartcard #%d (%s, id: %s, label: '%s')"
-		, sc->number
-		, scx_print_slot(sc, "")
-		, sc->id
-		, sc->label);
-	return TRUE;
-    }
+	if (*cached)
+	{
+		*cert = sc->last_cert;
+		plog("  using cached cert from smartcard #%d (%s, id: %s, label: '%s')"
+				, sc->number
+				, scx_print_slot(sc, "")
+				, sc->id
+				, sc->label);
+		return TRUE;
+	}
 
-    if (!scx_establish_context(sc))
-    {
-	scx_release_context(sc);
-	return FALSE;
-    }
+	if (!scx_establish_context(sc))
+	{
+		scx_release_context(sc);
+		return FALSE;
+	}
 
-    /* find the certificate object */
-    if (!scx_pkcs11_find_object(sc->session, &object, CKO_CERTIFICATE, sc->id))
-    {
-	scx_release_context(sc);
-	return FALSE;
-    }
+	/* find the certificate object */
+	if (!scx_pkcs11_find_object(sc->session, &object, CKO_CERTIFICATE, sc->id))
+	{
+		scx_release_context(sc);
+		return FALSE;
+	}
 
-    /* retrieve the certificate object */
-    if (!scx_find_cert_object(sc->session, object, sc, cert))
-    {
-	scx_release_context(sc);
-	return FALSE;
-    }
+	/* retrieve the certificate object */
+	if (!scx_find_cert_object(sc->session, object, sc, cert))
+	{
+		scx_release_context(sc);
+		return FALSE;
+	}
 
-    if (!pkcs11_keep_state)
-	scx_release_context(sc);
+	if (!pkcs11_keep_state)
+		scx_release_context(sc);
 
-    plog("  loaded cert from smartcard #%d (%s, id: %s, label: '%s')"
-	, sc->number
-	, scx_print_slot(sc, "")
-	, sc->id
-	, sc->label);
+	plog("  loaded cert from smartcard #%d (%s, id: %s, label: '%s')"
+		, sc->number
+		, scx_print_slot(sc, "")
+		, sc->id
+		, sc->label);
 
-    return TRUE;
+	return TRUE;
 #else
-    plog("  warning: SMARTCARD support is deactivated in pluto/Makefile!");
-    return FALSE;
+	plog("  warning: SMARTCARD support is deactivated in pluto/Makefile!");
+	return FALSE;
 #endif
 }
 
@@ -1162,58 +1161,58 @@ scx_load_cert(const char *filename, smartcard_t **scp, cert_t *cert
 smartcard_t*
 scx_parse_number_slot_id(const char *number_slot_id)
 {
-    int len = strlen(number_slot_id);
-    smartcard_t *sc = alloc_thing(smartcard_t, "smartcard");
-
-    /* assign default values */
-    *sc = empty_sc;
-
-    if (len == 0)			/* default: use certificate #1 */
-    {
-	sc->number = 1;	
-    }
-    else if (*number_slot_id == '#')	/* #number scheme */
-    {
-	err_t ugh;
-	unsigned long ul;
-
-	ugh = atoul(number_slot_id+1, len-1 , 10, &ul);
-	if (ugh == NULL)
-	    sc->number = (int)ul;
-	else
-	    plog("error parsing smartcard number: %s", ugh);
-    }
-    else				/* slot:id scheme */
-    {
-	int slot_len = len;
-	char *p = strchr(number_slot_id, ':');
-
-	if (p != NULL)
-	{
-	    int id_len = len - (p + 1 - number_slot_id);
-	    slot_len -= (1 + id_len);
-
-	    if (id_len > 0)		/* we have an id */
-		sc->id = p + 1;
-	}
-	if (slot_len > 0)		/* we have a slot */
-	{
-	    err_t ugh = NULL;
-	    unsigned long ul;
-
-	    ugh = atoul(number_slot_id, slot_len, 10, &ul);
-	    if (ugh == NULL)
-	    {
-		sc->slot = ul;
-                sc->any_slot = FALSE;
-	    }
-	    else
-		plog("error parsing smartcard slot number: %s", ugh);
-	}
-    }
-    /* unshare the id string */
-    sc->id = clone_str(sc->id, "key id");
-    return sc;
+	int len = strlen(number_slot_id);
+	smartcard_t *sc = malloc_thing(smartcard_t);
+
+	/* assign default values */
+	*sc = empty_sc;
+
+	if (len == 0)                       /* default: use certificate #1 */
+	{
+		sc->number = 1; 
+	}
+	else if (*number_slot_id == '#')    /* #number scheme */
+	{
+		err_t ugh;
+		unsigned long ul;
+
+		ugh = atoul(number_slot_id+1, len-1 , 10, &ul);
+		if (ugh == NULL)
+			sc->number = (int)ul;
+		else
+			plog("error parsing smartcard number: %s", ugh);
+	}
+	else                                /* slot:id scheme */
+	{
+		int slot_len = len;
+		char *p = strchr(number_slot_id, ':');
+
+		if (p != NULL)
+		{
+			int id_len = len - (p + 1 - number_slot_id);
+			slot_len -= (1 + id_len);
+
+			if (id_len > 0)             /* we have an id */
+				sc->id = p + 1;
+		}
+		if (slot_len > 0)               /* we have a slot */
+		{
+			err_t ugh = NULL;
+			unsigned long ul;
+
+			ugh = atoul(number_slot_id, slot_len, 10, &ul);
+			if (ugh == NULL)
+			{
+				sc->slot = ul;
+				sc->any_slot = FALSE;
+			}
+			else
+				plog("error parsing smartcard slot number: %s", ugh);
+		}
+	}
+	/* unshare the id string */
+	sc->id = clone_str(sc->id);
+	return sc;
 }
 
 /*
@@ -1223,49 +1222,49 @@ bool
 scx_verify_pin(smartcard_t *sc)
 {
 #ifdef SMARTCARD
-    CK_RV rv;
-    
-    if (!sc->pinpad)
-	sc->valid = FALSE;
+	CK_RV rv;
+	
+	if (!sc->pinpad)
+		sc->valid = FALSE;
 
-    if (sc->pin.ptr == NULL)
-    {
-	plog("unable to verify without PIN");
-	return FALSE;
-    }
+	if (sc->pin.ptr == NULL)
+	{
+		plog("unable to verify without PIN");
+		return FALSE;
+	}
 
-    /* establish context */
-    if (!scx_establish_context(sc))
-    {
-	scx_release_context(sc);
-	return FALSE;
-    }
+	/* establish context */
+	if (!scx_establish_context(sc))
+	{
+		scx_release_context(sc);
+		return FALSE;
+	}
 
-    rv = pkcs11_functions->C_Login(sc->session, CKU_USER,
-			      (CK_UTF8CHAR *) sc->pin.ptr, sc->pin.len);
-    if (rv == CKR_OK || rv == CKR_USER_ALREADY_LOGGED_IN)
-    {
-	sc->valid = TRUE;
-	sc->logged_in = TRUE;
-	DBG(DBG_CONTROL | DBG_CRYPT,
-	    DBG_log((rv == CKR_OK)
-		? "PIN code correct"
-		: "already logged in, no PIN entry required");
-	    DBG_log("pkcs11 session #%ld login successful", sc->session)
-        )
-    }
-    else
-    {
-	DBG(DBG_CONTROL | DBG_CRYPT,
-	    DBG_log("PIN code incorrect")
-        )
-    }
-    if (!pkcs11_keep_state)
-	scx_release_context(sc);
+	rv = pkcs11_functions->C_Login(sc->session, CKU_USER,
+							  (CK_UTF8CHAR *) sc->pin.ptr, sc->pin.len);
+	if (rv == CKR_OK || rv == CKR_USER_ALREADY_LOGGED_IN)
+	{
+		sc->valid = TRUE;
+		sc->logged_in = TRUE;
+		DBG(DBG_CONTROL | DBG_CRYPT,
+			DBG_log((rv == CKR_OK)
+				? "PIN code correct"
+				: "already logged in, no PIN entry required");
+			DBG_log("pkcs11 session #%ld login successful", sc->session)
+		)
+	}
+	else
+	{
+		DBG(DBG_CONTROL | DBG_CRYPT,
+			DBG_log("PIN code incorrect")
+		)
+	}
+	if (!pkcs11_keep_state)
+		scx_release_context(sc);
 #else
-    sc->valid = FALSE;
+	sc->valid = FALSE;
 #endif
-    return sc->valid;
+	return sc->valid;
 }
 
 /*
@@ -1276,105 +1275,105 @@ scx_sign_hash(smartcard_t *sc, const u_char *in, size_t inlen
 , u_char *out, size_t outlen)
 {
 #ifdef SMARTCARD
-    CK_RV rv;
-    CK_OBJECT_HANDLE object;
-    CK_ULONG siglen = (CK_ULONG)outlen;
-    CK_BBOOL sign_flag, decrypt_flag;
-    CK_ATTRIBUTE attr[] = {
-	{ CKA_SIGN,    &sign_flag,    sizeof(sign_flag) },
-	{ CKA_DECRYPT, &decrypt_flag, sizeof(decrypt_flag) }
-    };
-
-    if (!sc->logged_in)
-    	return FALSE;
-
-    if (!scx_pkcs11_find_object(sc->session, &object, CKO_PRIVATE_KEY, sc->id))
-    {
-	plog("unable to find private key with id '%s'", sc->id);
-	return FALSE;
-    }
+	CK_RV rv;
+	CK_OBJECT_HANDLE object;
+	CK_ULONG siglen = (CK_ULONG)outlen;
+	CK_BBOOL sign_flag, decrypt_flag;
+	CK_ATTRIBUTE attr[] = {
+		{ CKA_SIGN,    &sign_flag,    sizeof(sign_flag) },
+		{ CKA_DECRYPT, &decrypt_flag, sizeof(decrypt_flag) }
+	};
+
+	if (!sc->logged_in)
+		return FALSE;
 
-    rv = pkcs11_functions->C_GetAttributeValue(sc->session, object, attr, 2);
-    if (rv != CKR_OK)
-    {
-	plog("couldn't read the private key attributes: %s"
-	    , enum_show(&pkcs11_return_names, rv));
-	return FALSE;
-    }
-    DBG(DBG_CONTROL,
-	DBG_log("RSA key flags: sign = %s, decrypt = %s"
-	    , (sign_flag)?    "true":"false"
-	    , (decrypt_flag)? "true":"false")
-    )
-
-    if (sign_flag)
-    {
-	CK_MECHANISM mech  = { CKM_RSA_PKCS, NULL_PTR, 0 };
-
-	rv = pkcs11_functions->C_SignInit(sc->session, &mech, object);
-	if (rv != CKR_OK)
+	if (!scx_pkcs11_find_object(sc->session, &object, CKO_PRIVATE_KEY, sc->id))
 	{
-	    plog("error in C_SignInit: %s"
-		, enum_show(&pkcs11_return_names, rv));
-	    return FALSE;
+		plog("unable to find private key with id '%s'", sc->id);
+		return FALSE;
 	}
 
-	rv = pkcs11_functions->C_Sign(sc->session, (CK_BYTE_PTR)in, inlen
-		, out, &siglen);
+	rv = pkcs11_functions->C_GetAttributeValue(sc->session, object, attr, 2);
 	if (rv != CKR_OK)
 	{
-	    plog("error in C_Sign: %s"
-		, enum_show(&pkcs11_return_names, rv));
-	    return FALSE;
-    	}
-    }
-    else if (decrypt_flag)
-    {
-	CK_MECHANISM mech = { CKM_RSA_X_509, NULL_PTR, 0 };
-	size_t padlen;
-	u_char *p = out ;
-
-	/* PKCS#1 v1.5 8.1 encryption-block formatting */
-	*p++ = 0x00;
-	*p++ = 0x01;	/* BT (block type) 01 */
-	padlen = outlen - 3 - inlen;
-	memset(p, 0xFF, padlen);
-	p += padlen;
-	*p++ = 0x00;
-	memcpy(p, in, inlen);
+		plog("couldn't read the private key attributes: %s"
+			, enum_show(&pkcs11_return_names, rv));
+		return FALSE;
+	}
+	DBG(DBG_CONTROL,
+		DBG_log("RSA key flags: sign = %s, decrypt = %s"
+			, (sign_flag)?    "true":"false"
+			, (decrypt_flag)? "true":"false")
+	)
 
-	rv = pkcs11_functions->C_DecryptInit(sc->session, &mech, object);
-	if (rv != CKR_OK)
+	if (sign_flag)
 	{
-	    plog("error in C_DecryptInit: %s"
-	        , enum_show(&pkcs11_return_names, rv));
-	    return FALSE;
-        }
-
-        rv = pkcs11_functions->C_Decrypt(sc->session, out, outlen
-		, out, &siglen);
-	if (rv != CKR_OK)
-        {
-	    plog("error in C_Decrypt: %s"
-	        , enum_show(&pkcs11_return_names, rv));
-	    return FALSE;
-        }
-    }
-    else
-    {
-	plog("private key has neither sign nor decrypt flag set");
-	return FALSE;
-    }
+		CK_MECHANISM mech  = { CKM_RSA_PKCS, NULL_PTR, 0 };
+
+		rv = pkcs11_functions->C_SignInit(sc->session, &mech, object);
+		if (rv != CKR_OK)
+		{
+			plog("error in C_SignInit: %s"
+				, enum_show(&pkcs11_return_names, rv));
+			return FALSE;
+		}
+
+		rv = pkcs11_functions->C_Sign(sc->session, (CK_BYTE_PTR)in, inlen
+				, out, &siglen);
+		if (rv != CKR_OK)
+		{
+			plog("error in C_Sign: %s"
+				, enum_show(&pkcs11_return_names, rv));
+			return FALSE;
+		}
+	}
+	else if (decrypt_flag)
+	{
+		CK_MECHANISM mech = { CKM_RSA_X_509, NULL_PTR, 0 };
+		size_t padlen;
+		u_char *p = out ;
+
+		/* PKCS#1 v1.5 8.1 encryption-block formatting */
+		*p++ = 0x00;
+		*p++ = 0x01;    /* BT (block type) 01 */
+		padlen = outlen - 3 - inlen;
+		memset(p, 0xFF, padlen);
+		p += padlen;
+		*p++ = 0x00;
+		memcpy(p, in, inlen);
+
+		rv = pkcs11_functions->C_DecryptInit(sc->session, &mech, object);
+		if (rv != CKR_OK)
+		{
+			plog("error in C_DecryptInit: %s"
+				, enum_show(&pkcs11_return_names, rv));
+			return FALSE;
+		}
+
+		rv = pkcs11_functions->C_Decrypt(sc->session, out, outlen
+				, out, &siglen);
+		if (rv != CKR_OK)
+		{
+			plog("error in C_Decrypt: %s"
+				, enum_show(&pkcs11_return_names, rv));
+			return FALSE;
+		}
+	}
+	else
+	{
+		plog("private key has neither sign nor decrypt flag set");
+		return FALSE;
+	}
 
-    if (siglen > (CK_ULONG)outlen)
-    {
-	plog("signature length (%lu) larger than allocated buffer (%d)"
-	    , siglen, (int)outlen);
-	return FALSE;
-    }
-    return TRUE;
+	if (siglen > (CK_ULONG)outlen)
+	{
+		plog("signature length (%lu) larger than allocated buffer (%d)"
+			, siglen, (int)outlen);
+		return FALSE;
+	}
+	return TRUE;
 #else
-    return FALSE;
+	return FALSE;
 #endif
 }
 
@@ -1386,132 +1385,146 @@ scx_encrypt(smartcard_t *sc, const u_char *in, size_t inlen
 , u_char *out, size_t *outlen)
 {
 #ifdef SMARTCARD
-    CK_RV rv;
-    CK_OBJECT_HANDLE object;
-    CK_ULONG len = (CK_ULONG)(*outlen);
-    CK_BBOOL encrypt_flag;
-    CK_ATTRIBUTE attr[] = {
-	{ CKA_MODULUS,         NULL_PTR, 0L },
-	{ CKA_PUBLIC_EXPONENT, NULL_PTR, 0L },
-	{ CKA_ENCRYPT,         &encrypt_flag, sizeof(encrypt_flag) }
-    };
-    CK_MECHANISM mech = { CKM_RSA_PKCS, NULL_PTR, 0 };
-
-    if (!scx_establish_context(sc))
-    {
-	scx_release_context(sc);
-	    return FALSE;
-    }
-
-    if (!scx_pkcs11_find_object(sc->session, &object, CKO_PUBLIC_KEY, sc->id))
-    {
-	plog("unable to find public key with id '%s'", sc->id);
-	return FALSE;
-    }
-
-    rv = pkcs11_functions->C_GetAttributeValue(sc->session, object, attr, 3);
-    if (rv != CKR_OK)
-    {
-	plog("couldn't read the public key attributes: %s"
-	    , enum_show(&pkcs11_return_names, rv));
-	scx_release_context(sc);
-	return FALSE;
-    }
+	CK_RV rv;
+	CK_OBJECT_HANDLE object;
+	CK_ULONG len = (CK_ULONG)(*outlen);
+	CK_BBOOL encrypt_flag;
+	CK_ATTRIBUTE attr[] = {
+		{ CKA_MODULUS,         NULL_PTR, 0L },
+		{ CKA_PUBLIC_EXPONENT, NULL_PTR, 0L },
+		{ CKA_ENCRYPT,         &encrypt_flag, sizeof(encrypt_flag) }
+	};
+	CK_MECHANISM mech = { CKM_RSA_PKCS, NULL_PTR, 0 };
+
+	if (!scx_establish_context(sc))
+	{
+		scx_release_context(sc);
+			return FALSE;
+	}
 
-    if (!encrypt_flag)
-    {
-	plog("public key cannot be used for encryption");
-	scx_release_context(sc);
-	return FALSE;
-    }
-	
-    /* there must be enough space left for the PKCS#1 v1.5 padding */
-    if (inlen > attr[0].ulValueLen - 11)
-    {
-	plog("smartcard input data length (%d) exceeds maximum of %lu bytes"
-		, (int)inlen, attr[0].ulValueLen - 11);
-	if (!pkcs11_keep_state)
-	    scx_release_context(sc);
-	return FALSE;
-    }
-
-    rv = pkcs11_functions->C_EncryptInit(sc->session, &mech, object);
-
-    if (rv != CKR_OK)
-    {
-	if (rv == CKR_FUNCTION_NOT_SUPPORTED)
-	{
-	    RSA_public_key_t rsa;
-	    chunk_t plain_text = {(u_char*)in, inlen};
-	    chunk_t cipher_text; 
-
-	    DBG(DBG_CONTROL,
-		DBG_log("doing RSA encryption in software")
-	    )
-	    attr[0].pValue = alloc_bytes(attr[0].ulValueLen, "modulus");
-	    attr[1].pValue = alloc_bytes(attr[1].ulValueLen, "exponent");
-
-	    rv = pkcs11_functions->C_GetAttributeValue(sc->session, object, attr, 2);
-	    if (rv != CKR_OK)
-	    {
-		plog("couldn't read modulus and public exponent: %s"
-		    , enum_show(&pkcs11_return_names, rv));
-		pfree(attr[0].pValue);
-		pfree(attr[1].pValue);
+	if (!scx_pkcs11_find_object(sc->session, &object, CKO_PUBLIC_KEY, sc->id))
+	{
+		plog("unable to find public key with id '%s'", sc->id);
+		return FALSE;
+	}
+
+	rv = pkcs11_functions->C_GetAttributeValue(sc->session, object, attr, 3);
+	if (rv != CKR_OK)
+	{
+		plog("couldn't read the public key attributes: %s"
+			, enum_show(&pkcs11_return_names, rv));
 		scx_release_context(sc);
 		return FALSE;
-	    }
-	    rsa.k = attr[0].ulValueLen;
-	    n_to_mpz(&rsa.n, attr[0].pValue, attr[0].ulValueLen);
-	    n_to_mpz(&rsa.e, attr[1].pValue, attr[1].ulValueLen);
-	    pfree(attr[0].pValue);
-	    pfree(attr[1].pValue);
-
-	    cipher_text = RSA_encrypt(&rsa, plain_text);
-	    free_RSA_public_content(&rsa);
-	    if (cipher_text.ptr == NULL)
-	    {
-		plog("smartcard input data length is too large");
-		if (!pkcs11_keep_state)
-		    scx_release_context(sc);
-	        return FALSE;
-	    }
-
-	    memcpy(out, cipher_text.ptr, cipher_text.len);
-	    *outlen = cipher_text.len;
-	    freeanychunk(cipher_text);
-	    if (!pkcs11_keep_state)
+	}
+
+	if (!encrypt_flag)
+	{
+		plog("public key cannot be used for encryption");
 		scx_release_context(sc);
-	    return TRUE;
+		return FALSE;
 	}
-	else
+		
+	/* there must be enough space left for the PKCS#1 v1.5 padding */
+	if (inlen > attr[0].ulValueLen - 11)
 	{
-	    plog("error in C_EncryptInit: %s"
-		, enum_show(&pkcs11_return_names, rv));
-	    scx_release_context(sc);
-	    return FALSE;
-	}
-    }
-
-    DBG(DBG_CONTROL,
-	DBG_log("doing RSA encryption on smartcard")
-    )
-    rv = pkcs11_functions->C_Encrypt(sc->session, (u_char*)in, inlen
-		, out, &len);
-    if (rv != CKR_OK)
-    {
-	plog("error in C_Encrypt: %s"
-	    , enum_show(&pkcs11_return_names, rv));
-	scx_release_context(sc);
-	return FALSE;
-    }
-    if (!pkcs11_keep_state)
-	scx_release_context(sc);
+		plog("smartcard input data length (%d) exceeds maximum of %lu bytes"
+				, (int)inlen, attr[0].ulValueLen - 11);
+		if (!pkcs11_keep_state)
+			scx_release_context(sc);
+		return FALSE;
+	}
+
+	rv = pkcs11_functions->C_EncryptInit(sc->session, &mech, object);
+
+	if (rv != CKR_OK)
+	{
+		if (rv == CKR_FUNCTION_NOT_SUPPORTED)
+		{
+			public_key_t *key;
+			chunk_t rsa_modulus, rsa_exponent, rsa_key, cipher_text;
+			chunk_t plain_text = {(u_char*)in, inlen};
+
+			DBG(DBG_CONTROL,
+				DBG_log("doing RSA encryption in software")
+			)
+			attr[0].pValue = malloc(attr[0].ulValueLen);
+			attr[1].pValue = malloc(attr[1].ulValueLen);
+
+			rv = pkcs11_functions->C_GetAttributeValue(sc->session, object, attr, 2);
+			if (rv != CKR_OK)
+			{
+				plog("couldn't read modulus and public exponent: %s"
+					, enum_show(&pkcs11_return_names, rv));
+				free(attr[0].pValue);
+				free(attr[1].pValue);
+				scx_release_context(sc);
+				return FALSE;
+			}
+			rsa_modulus  = chunk_create((u_char*) attr[0].pValue,
+									    (size_t)  attr[0].ulValueLen);
+			rsa_exponent = chunk_create((u_char*) attr[1].pValue,
+									    (size_t)  attr[1].ulValueLen);
+			rsa_key = asn1_wrap(ASN1_SEQUENCE, "mm",
+								asn1_integer("m", rsa_modulus),
+								asn1_integer("m", rsa_exponent));
+			key = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,	
+								BUILD_BLOB_ASN1_DER, rsa_key, BUILD_END);
+			free(rsa_key.ptr);
+			if (key == NULL)
+			{
+				return FALSE;
+			}
+			key->encrypt(key, plain_text, &cipher_text);
+			key->destroy(key);
+
+			if (cipher_text.ptr == NULL)
+			{
+				plog("smartcard input data length is too large");
+				if (!pkcs11_keep_state)
+				{
+					scx_release_context(sc);
+				}
+				return FALSE;
+			}
+
+			memcpy(out, cipher_text.ptr, cipher_text.len);
+			*outlen = cipher_text.len;
+			free(cipher_text.ptr);
+
+			if (!pkcs11_keep_state)
+			{
+				scx_release_context(sc);
+			}
+			return TRUE;
+		}
+		else
+		{
+			plog("error in C_EncryptInit: %s"
+				, enum_show(&pkcs11_return_names, rv));
+			scx_release_context(sc);
+			return FALSE;
+		}
+	}
 
-    *outlen = (size_t)len;
-    return TRUE;
+	DBG(DBG_CONTROL,
+		DBG_log("doing RSA encryption on smartcard")
+	)
+	rv = pkcs11_functions->C_Encrypt(sc->session, (u_char*)in, inlen
+				, out, &len);
+	if (rv != CKR_OK)
+	{
+		plog("error in C_Encrypt: %s"
+			, enum_show(&pkcs11_return_names, rv));
+		scx_release_context(sc);
+		return FALSE;
+	}
+	if (!pkcs11_keep_state)
+		scx_release_context(sc);
+
+	*outlen = (size_t)len;
+	return TRUE;
 #else
-    return FALSE;
+	return FALSE;
 #endif
 }
 /* 
@@ -1522,70 +1535,70 @@ scx_decrypt(smartcard_t *sc, const u_char *in, size_t inlen
 , u_char *out, size_t *outlen)
 {
 #ifdef SMARTCARD
-    CK_RV rv;
-    CK_OBJECT_HANDLE object;
-    CK_ULONG len = (CK_ULONG)(*outlen);
-    CK_BBOOL decrypt_flag;
-    CK_ATTRIBUTE attr[] = {
-	{ CKA_DECRYPT, &decrypt_flag, sizeof(decrypt_flag) }
-    };
-    CK_MECHANISM mech = { CKM_RSA_PKCS, NULL_PTR, 0 };
-
-    if (!scx_establish_context(sc) || !scx_login(sc))
-    {
-	scx_release_context(sc);
-	    return FALSE;
-    }
-
-    if (!scx_pkcs11_find_object(sc->session, &object, CKO_PRIVATE_KEY, sc->id))
-    {
-	plog("unable to find private key with id '%s'", sc->id);
-	return FALSE;
-    }
+	CK_RV rv;
+	CK_OBJECT_HANDLE object;
+	CK_ULONG len = (CK_ULONG)(*outlen);
+	CK_BBOOL decrypt_flag;
+	CK_ATTRIBUTE attr[] = {
+		{ CKA_DECRYPT, &decrypt_flag, sizeof(decrypt_flag) }
+	};
+	CK_MECHANISM mech = { CKM_RSA_PKCS, NULL_PTR, 0 };
+
+	if (!scx_establish_context(sc) || !scx_login(sc))
+	{
+		scx_release_context(sc);
+			return FALSE;
+	}
 
-    rv = pkcs11_functions->C_GetAttributeValue(sc->session, object, attr, 1);
-    if (rv != CKR_OK)
-    {
-	plog("couldn't read the private key attributes: %s"
-	    , enum_show(&pkcs11_return_names, rv));
-	return FALSE;
-    }
+	if (!scx_pkcs11_find_object(sc->session, &object, CKO_PRIVATE_KEY, sc->id))
+	{
+		plog("unable to find private key with id '%s'", sc->id);
+		return FALSE;
+	}
 
-    if (!decrypt_flag)
-    {
-	plog("private key cannot be used for decryption");
-	scx_release_context(sc);
-	return FALSE;
-    }
-	
-    DBG(DBG_CONTROL,
-	DBG_log("doing RSA decryption on smartcard")
-    )
-    rv = pkcs11_functions->C_DecryptInit(sc->session, &mech, object);
-    if (rv != CKR_OK)
-    {
-	plog("error in C_DecryptInit: %s"
-	    , enum_show(&pkcs11_return_names, rv));
-	scx_release_context(sc);
-	return FALSE;
-    }
-
-    rv = pkcs11_functions->C_Decrypt(sc->session, (u_char*)in, inlen
-		, out, &len);
-    if (rv != CKR_OK)
-    {
-	plog("error in C_Decrypt: %s"
-	    , enum_show(&pkcs11_return_names, rv));
-	scx_release_context(sc);
-	return FALSE;
-    }
-    if (!pkcs11_keep_state)
-	scx_release_context(sc);
+	rv = pkcs11_functions->C_GetAttributeValue(sc->session, object, attr, 1);
+	if (rv != CKR_OK)
+	{
+		plog("couldn't read the private key attributes: %s"
+			, enum_show(&pkcs11_return_names, rv));
+		return FALSE;
+	}
 
-    *outlen = (size_t)len;
-    return TRUE;
+	if (!decrypt_flag)
+	{
+		plog("private key cannot be used for decryption");
+		scx_release_context(sc);
+		return FALSE;
+	}
+		
+	DBG(DBG_CONTROL,
+		DBG_log("doing RSA decryption on smartcard")
+	)
+	rv = pkcs11_functions->C_DecryptInit(sc->session, &mech, object);
+	if (rv != CKR_OK)
+	{
+		plog("error in C_DecryptInit: %s"
+			, enum_show(&pkcs11_return_names, rv));
+		scx_release_context(sc);
+		return FALSE;
+	}
+
+	rv = pkcs11_functions->C_Decrypt(sc->session, (u_char*)in, inlen
+				, out, &len);
+	if (rv != CKR_OK)
+	{
+		plog("error in C_Decrypt: %s"
+			, enum_show(&pkcs11_return_names, rv));
+		scx_release_context(sc);
+		return FALSE;
+	}
+	if (!pkcs11_keep_state)
+		scx_release_context(sc);
+
+	*outlen = (size_t)len;
+	return TRUE;
 #else
-    return FALSE;
+	return FALSE;
 #endif
 }
 
@@ -1597,92 +1610,92 @@ bool
 scx_op_via_whack(const char* msg, int inbase, int outbase, sc_op_t op
 , const char* keyid, int whackfd)
 {
-    char inbuf[RSA_MAX_OCTETS];
-    char outbuf[2*RSA_MAX_OCTETS + 1];
-    size_t outlen = sizeof(inbuf);
-    size_t inlen;
-    smartcard_t *sc,*sc_new;
+	char inbuf[RSA_MAX_OCTETS];
+	char outbuf[2*RSA_MAX_OCTETS + 1];
+	size_t outlen = sizeof(inbuf);
+	size_t inlen;
+	smartcard_t *sc,*sc_new;
 
-    const char *number_slot_id = "";
+	const char *number_slot_id = "";
 
-    err_t ugh = ttodata(msg, 0, inbase, inbuf, sizeof(inbuf), &inlen);
+	err_t ugh = ttodata(msg, 0, inbase, inbuf, sizeof(inbuf), &inlen);
 
-    /* no prefix - use default base */
-    if (ugh != NULL  && inbase == 0)
-       ugh = ttodata(msg, 0, DEFAULT_BASE, inbuf, sizeof(inbuf), &inlen);
+	/* no prefix - use default base */
+	if (ugh != NULL  && inbase == 0)
+	   ugh = ttodata(msg, 0, DEFAULT_BASE, inbuf, sizeof(inbuf), &inlen);
 
-    if (ugh != NULL)
-    {
-	plog("format error in smartcard input data: %s", ugh);
-	return FALSE;
-    }
-
-    if (keyid != NULL)
-    {
-	number_slot_id = (strncmp(keyid, SCX_TOKEN, strlen(SCX_TOKEN)) == 0)
-			 ? keyid + strlen(SCX_TOKEN) : keyid;
-    }
-
-    sc_new = scx_parse_number_slot_id(number_slot_id);
-    sc = scx_add(sc_new);
-    if (sc == sc_new)
-	scx_share(sc);
-
-    DBG((op == SC_OP_ENCRYPT)? DBG_PRIVATE:DBG_RAW,
-	DBG_dump("smartcard input data:\n", inbuf, inlen)
-    )
-
-    if (op == SC_OP_DECRYPT)
-    {
-	if (!sc->valid && whackfd != NULL_FD)
-	    scx_get_pin(sc, whackfd);
-
-	if (!sc->valid)
-	{
-	    loglog(RC_NOVALIDPIN, "cannot decrypt without valid PIN");
-	    return FALSE;
-        }
-    }
-
-    DBG(DBG_CONTROL | DBG_CRYPT,
-	DBG_log("using RSA key from smartcard (slot: %d, id: %s)"
-	    , (int)sc->slot, sc->id)
-    )
-
-    switch (op)
-    {
-    case SC_OP_ENCRYPT:
-	if (!scx_encrypt(sc, inbuf, inlen, inbuf, &outlen))
-	    return FALSE;
-	break;
-    case SC_OP_DECRYPT:
-	if (!scx_decrypt(sc, inbuf, inlen, inbuf, &outlen))
-	    return FALSE;
-	break;
-    default:
-	break;
-    }
-
-    DBG((op == SC_OP_DECRYPT)? DBG_PRIVATE:DBG_RAW,
-	DBG_dump("smartcard output data:\n", inbuf, outlen)
-    )
-
-    if (outbase == 0)  /* use default base */ 
-	outbase = DEFAULT_BASE;
-
-    if (outbase == 256) /* ascii plain text */
-	whack_log(RC_COMMENT, "%.*s", (int)outlen, inbuf);
-    else
-    {
-	outlen = datatot(inbuf, outlen, outbase, outbuf, sizeof(outbuf));
-	if (outlen == 0)
-	{
-	    plog("error in output format conversion");
-	    return FALSE;
-	}
-    	whack_log(RC_COMMENT, "%s", outbuf);
-    }
-    return TRUE;
+	if (ugh != NULL)
+	{
+		plog("format error in smartcard input data: %s", ugh);
+		return FALSE;
+	}
+
+	if (keyid != NULL)
+	{
+		number_slot_id = (strneq(keyid, SCX_TOKEN, strlen(SCX_TOKEN)))
+						 ? keyid + strlen(SCX_TOKEN) : keyid;
+	}
+
+	sc_new = scx_parse_number_slot_id(number_slot_id);
+	sc = scx_add(sc_new);
+	if (sc == sc_new)
+		scx_share(sc);
+
+	DBG((op == SC_OP_ENCRYPT)? DBG_PRIVATE:DBG_RAW,
+		DBG_dump("smartcard input data:\n", inbuf, inlen)
+	)
+
+	if (op == SC_OP_DECRYPT)
+	{
+		if (!sc->valid && whackfd != NULL_FD)
+			scx_get_pin(sc, whackfd);
+
+		if (!sc->valid)
+		{
+			loglog(RC_NOVALIDPIN, "cannot decrypt without valid PIN");
+			return FALSE;
+		}
+	}
+
+	DBG(DBG_CONTROL | DBG_CRYPT,
+		DBG_log("using RSA key from smartcard (slot: %d, id: %s)"
+			, (int)sc->slot, sc->id)
+	)
+
+	switch (op)
+	{
+	case SC_OP_ENCRYPT:
+		if (!scx_encrypt(sc, inbuf, inlen, inbuf, &outlen))
+			return FALSE;
+		break;
+	case SC_OP_DECRYPT:
+		if (!scx_decrypt(sc, inbuf, inlen, inbuf, &outlen))
+			return FALSE;
+		break;
+	default:
+		break;
+	}
+
+	DBG((op == SC_OP_DECRYPT)? DBG_PRIVATE:DBG_RAW,
+		DBG_dump("smartcard output data:\n", inbuf, outlen)
+	)
+
+	if (outbase == 0)  /* use default base */ 
+		outbase = DEFAULT_BASE;
+
+	if (outbase == 256) /* ascii plain text */
+		whack_log(RC_COMMENT, "%.*s", (int)outlen, inbuf);
+	else
+	{
+		outlen = datatot(inbuf, outlen, outbase, outbuf, sizeof(outbuf));
+		if (outlen == 0)
+		{
+			plog("error in output format conversion");
+			return FALSE;
+		}
+		whack_log(RC_COMMENT, "%s", outbuf);
+	}
+	return TRUE;
 }
 
  /*
@@ -1692,32 +1705,32 @@ size_t
 scx_get_keylength(smartcard_t *sc)
 {
 #ifdef SMARTCARD
-    CK_RV rv;
-    CK_OBJECT_HANDLE object;
-    CK_ATTRIBUTE attr[] = {{ CKA_MODULUS, NULL_PTR, 0}};
+	CK_RV rv;
+	CK_OBJECT_HANDLE object;
+	CK_ATTRIBUTE attr[] = {{ CKA_MODULUS, NULL_PTR, 0}};
 
-    if (!sc->logged_in)
-    	return FALSE;
+	if (!sc->logged_in)
+		return FALSE;
 
-    if (!scx_pkcs11_find_object(sc->session, &object, CKO_PRIVATE_KEY, sc->id))
-    {
-	plog("unable to find private key with id '%s'", sc->id);
-	return FALSE;
-    }
-
-    /* get the length of the private key */
-    rv = pkcs11_functions->C_GetAttributeValue(sc->session, object
-		, (CK_ATTRIBUTE_PTR)&attr, 1);
-    if (rv != CKR_OK)
-    {
-	plog("failed to get key length: %s"
-	    , enum_show(&pkcs11_return_names, rv));
-	return FALSE;
-    }
+	if (!scx_pkcs11_find_object(sc->session, &object, CKO_PRIVATE_KEY, sc->id))
+	{
+		plog("unable to find private key with id '%s'", sc->id);
+		return FALSE;
+	}
+
+	/* get the length of the private key */
+	rv = pkcs11_functions->C_GetAttributeValue(sc->session, object
+				, (CK_ATTRIBUTE_PTR)&attr, 1);
+	if (rv != CKR_OK)
+	{
+		plog("failed to get key length: %s"
+			, enum_show(&pkcs11_return_names, rv));
+		return FALSE;
+	}
 
-    return attr[0].ulValueLen;	/*Return key length in bytes */
+	return attr[0].ulValueLen;  /*Return key length in bytes */
 #else
-    return 0;
+	return 0;
 #endif
 }
 
@@ -1728,54 +1741,55 @@ bool
 scx_get_pin(smartcard_t *sc, int whackfd)
 {
 #ifdef SMARTCARD
-    char pin[BUF_LEN];
-    int i, n;
+	char pin[BUF_LEN];
+	int i, n;
 
-    whack_log(RC_ENTERSECRET, "need PIN for #%d (%s, id: %s, label: '%s')"
-	, sc->number, scx_print_slot(sc, ""), sc->id, sc->label);
+	whack_log(RC_ENTERSECRET, "need PIN for #%d (%s, id: %s, label: '%s')"
+		, sc->number, scx_print_slot(sc, ""), sc->id, sc->label);
 
-    for (i = 0; i < SCX_MAX_PIN_TRIALS; i++)
-    {
-	if (i > 0)
-	    whack_log(RC_ENTERSECRET, "invalid PIN, please try again");
-
-	n = read(whackfd, pin, BUF_LEN);
-
-	if (n == -1)
+	for (i = 0; i < SCX_MAX_PIN_TRIALS; i++)
 	{
-	    whack_log(RC_LOG_SERIOUS, "read(whackfd) failed");
-	    return FALSE;
+		if (i > 0)
+			whack_log(RC_ENTERSECRET, "invalid PIN, please try again");
+
+		n = read(whackfd, pin, BUF_LEN);
+
+		if (n == -1)
+		{
+			whack_log(RC_LOG_SERIOUS, "read(whackfd) failed");
+			return FALSE;
+		}
+
+		if (strlen(pin) == 0)
+		{
+			whack_log(RC_LOG_SERIOUS, "no PIN entered, aborted");
+			return FALSE;
+		}
+
+		sc->pin.ptr = pin;
+		sc->pin.len = strlen(pin);
+
+		/* verify the pin */
+		if (scx_verify_pin(sc))
+		{
+			sc->pin = chunk_create(pin, strlen(pin));
+			sc->pin = chunk_clone(sc->pin);
+			break;
+		}
+
+		/* wrong pin - we try another round */
+		sc->pin = chunk_empty;
 	}
 
-	if (strlen(pin) == 0)
-	{
-	    whack_log(RC_LOG_SERIOUS, "no PIN entered, aborted");
-	    return FALSE;
-	}
-
-	sc->pin.ptr = pin;
-	sc->pin.len = strlen(pin);
-
-	/* verify the pin */
-	if (scx_verify_pin(sc))
-	{
-	    clonetochunk(sc->pin, pin, strlen(pin), "pin");
-	    break;
-	}
-
-	/* wrong pin - we try another round */
-	sc->pin = empty_chunk;
-    }
-
-    if (sc->valid)
-	whack_log(RC_SUCCESS, "valid PIN");
-    else
-	whack_log(RC_LOG_SERIOUS, "invalid PIN, too many trials");
+	if (sc->valid)
+		whack_log(RC_SUCCESS, "valid PIN");
+	else
+		whack_log(RC_LOG_SERIOUS, "invalid PIN, too many trials");
 #else
-    sc->valid = FALSE;
-    whack_log(RC_LOG_SERIOUS, "SMARTCARD support is deactivated in pluto/Makefile!");
+	sc->valid = FALSE;
+	whack_log(RC_LOG_SERIOUS, "SMARTCARD support is deactivated in pluto/Makefile!");
 #endif
-    return sc->valid;
+	return sc->valid;
 }
 
 
@@ -1785,13 +1799,13 @@ scx_get_pin(smartcard_t *sc, int whackfd)
 void
 scx_free_pin(chunk_t *pin)
 {
-    if (pin->ptr != NULL)
-    {
-	/* clear pin field in memory */
-	memset(pin->ptr, '\0', pin->len);
-	pfree(pin->ptr);
-	*pin = empty_chunk;
-    }
+	if (pin->ptr != NULL)
+	{
+		/* clear pin field in memory */
+		memset(pin->ptr, '\0', pin->len);
+		free(pin->ptr);
+		*pin = chunk_empty;
+	}
 }
 
 /*
@@ -1800,14 +1814,14 @@ scx_free_pin(chunk_t *pin)
 void
 scx_free(smartcard_t *sc)
 {
-    if (sc != NULL)
-    {
-	scx_release_context(sc);
-	pfreeany(sc->id);
-	pfreeany(sc->label);
-	scx_free_pin(&sc->pin);
-	pfree(sc);
-    }
+	if (sc != NULL)
+	{
+		scx_release_context(sc);
+		free(sc->id);
+		free(sc->label);
+		scx_free_pin(&sc->pin);
+		free(sc);
+	}
 }
 
 /*  release of a smartcard record decreases the count by one
@@ -1816,15 +1830,15 @@ scx_free(smartcard_t *sc)
 void
 scx_release(smartcard_t *sc)
 {
-    if (sc != NULL && --sc->count == 0)
-    {
-	smartcard_t **pp = &smartcards;
-	while (*pp != sc)
-	    pp = &(*pp)->next;
-        *pp = sc->next;
-	release_cert(sc->last_cert);
-	scx_free(sc);
-    }
+	if (sc != NULL && --sc->count == 0)
+	{
+		smartcard_t **pp = &smartcards;
+		while (*pp != sc)
+			pp = &(*pp)->next;
+		*pp = sc->next;
+		release_cert(sc->last_cert);
+		scx_free(sc);
+	}
 }
 
 /*
@@ -1833,17 +1847,17 @@ scx_release(smartcard_t *sc)
 static bool
 scx_same(smartcard_t *a, smartcard_t *b)
 {
-    if  (a->number && b->number)
-    {
-	/* same number */
-	return a->number == b->number;
-    }
-    else
-    {
-	/* same id and/or same slot */
-        return (!a->id || (b->id && streq(a->id, b->id)))
-	    && (a->any_slot || b->any_slot || a->slot == b->slot);
-    }
+	if  (a->number && b->number)
+	{
+		/* same number */
+		return a->number == b->number;
+	}
+	else
+	{
+		/* same id and/or same slot */
+		return (!a->id || (b->id && streq(a->id, b->id)))
+			&& (a->any_slot || b->any_slot || a->slot == b->slot);
+	}
 }
 
 /*  for each link pointing to the smartcard record
@@ -1852,8 +1866,8 @@ scx_same(smartcard_t *a, smartcard_t *b)
 void
 scx_share(smartcard_t *sc)
 {
-    if (sc != NULL)
- 	sc->count++;
+	if (sc != NULL)
+		sc->count++;
 }
 
 /*
@@ -1862,28 +1876,28 @@ scx_share(smartcard_t *sc)
 smartcard_t*
 scx_add(smartcard_t *smartcard)
 {
-    smartcard_t *sc = smartcards;
-    smartcard_t **psc = &smartcards;
-
-    while (sc != NULL)
-    {
-	if (scx_same(smartcard, sc)) /* already in chain, free smartcard record */
-	{
-	    scx_free(smartcard);
-	    return sc;
-	}
-        psc = &sc->next;
-	sc = sc->next;
-    }
-
-    /* insert new smartcard record at the end of the chain */
-    *psc = smartcard;
-    smartcard->number = ++sc_number;
-    smartcard->count = 1;
-    DBG(DBG_CONTROL | DBG_PARSING,
-	DBG_log("  smartcard #%d added", sc_number)
-    )
-    return smartcard;
+	smartcard_t *sc = smartcards;
+	smartcard_t **psc = &smartcards;
+
+	while (sc != NULL)
+	{
+		if (scx_same(smartcard, sc)) /* already in chain, free smartcard record */
+		{
+			scx_free(smartcard);
+			return sc;
+		}
+		psc = &sc->next;
+		sc = sc->next;
+	}
+
+	/* insert new smartcard record at the end of the chain */
+	*psc = smartcard;
+	smartcard->number = ++sc_number;
+	smartcard->count = 1;
+	DBG(DBG_CONTROL | DBG_PARSING,
+		DBG_log("  smartcard #%d added", sc_number)
+	)
+	return smartcard;
 }
 
 /*
@@ -1892,15 +1906,15 @@ scx_add(smartcard_t *smartcard)
 smartcard_t*
 scx_get(x509cert_t *cert)
 {
-    smartcard_t *sc = smartcards;
-
-    while (sc != NULL)
-    {
-	if (sc->last_cert.u.x509 == cert)
-	    return sc;
-	sc = sc->next;
-    }
-    return NULL;
+	smartcard_t *sc = smartcards;
+
+	while (sc != NULL)
+	{
+		if (sc->last_cert.u.x509 == cert)
+			return sc;
+		sc = sc->next;
+	}
+	return NULL;
 }
 
 /*
@@ -1909,13 +1923,13 @@ scx_get(x509cert_t *cert)
 char *
 scx_print_slot(smartcard_t *sc, const char *whitespace)
 {
-    char *buf = temporary_cyclic_buffer();
+	char *buf = temporary_cyclic_buffer();
 
-    if (sc->any_slot)
-	snprintf(buf, BUF_LEN, "any slot");
-    else
-	snprintf(buf, BUF_LEN, "slot: %s%lu", whitespace, sc->slot);
-    return buf;
+	if (sc->any_slot)
+		snprintf(buf, BUF_LEN, "any slot");
+	else
+		snprintf(buf, BUF_LEN, "slot: %s%lu", whitespace, sc->slot);
+	return buf;
 }
 
 /*
@@ -1924,39 +1938,39 @@ scx_print_slot(smartcard_t *sc, const char *whitespace)
 void
 scx_list(bool utc)
 {
-    smartcard_t *sc = smartcards;
-
-    if (sc != NULL)
-    {
-	whack_log(RC_COMMENT, " ");
-	whack_log(RC_COMMENT, "List of Smartcard Objects:");
-	whack_log(RC_COMMENT, " ");
-    }
-
-    while (sc != NULL)
-    {
-	whack_log(RC_COMMENT, "%s, #%d, count: %d"
-	    , timetoa(&sc->last_load, utc)
-	    , sc->number
-	    , sc->count);
-	whack_log(RC_COMMENT, "       %s, session %s, logged %s, has %s"
-	    , scx_print_slot(sc, "    ")
-	    , sc->session_opened? "opened" : "closed"
-	    , sc->logged_in? "in" : "out"
-	    , sc->pinpad? "pin pad" 
-		: ((sc->pin.ptr == NULL)? "no pin"
-		    : sc->valid? "valid pin" : "invalid pin"));
-	if (sc->id != NULL)
-	    whack_log(RC_COMMENT, "       id:       %s", sc->id);
-	if (sc->label != NULL)
-	    whack_log(RC_COMMENT, "       label:   '%s'", sc->label);
-	if (sc->last_cert.type == CERT_X509_SIGNATURE)
-	{
-	    char buf[BUF_LEN];
-
-	    dntoa(buf, BUF_LEN, sc->last_cert.u.x509->subject);
-	    whack_log(RC_COMMENT, "       subject: '%s'", buf);
-	}
-	sc = sc->next;
-    }
+	smartcard_t *sc = smartcards;
+
+	if (sc != NULL)
+	{
+		whack_log(RC_COMMENT, " ");
+		whack_log(RC_COMMENT, "List of Smartcard Objects:");
+		whack_log(RC_COMMENT, " ");
+	}
+
+	while (sc != NULL)
+	{
+		whack_log(RC_COMMENT, "%T, #%d, count: %d"
+			, &sc->last_load, utc
+			, sc->number
+			, sc->count);
+		whack_log(RC_COMMENT, "       %s, session %s, logged %s, has %s"
+			, scx_print_slot(sc, "    ")
+			, sc->session_opened? "opened" : "closed"
+			, sc->logged_in? "in" : "out"
+			, sc->pinpad? "pin pad" 
+				: ((sc->pin.ptr == NULL)? "no pin"
+					: sc->valid? "valid pin" : "invalid pin"));
+		if (sc->id != NULL)
+			whack_log(RC_COMMENT, "       id:       %s", sc->id);
+		if (sc->label != NULL)
+			whack_log(RC_COMMENT, "       label:   '%s'", sc->label);
+		if (sc->last_cert.type == CERT_X509_SIGNATURE)
+		{
+			char buf[BUF_LEN];
+
+			dntoa(buf, BUF_LEN, sc->last_cert.u.x509->subject);
+			whack_log(RC_COMMENT, "       subject: '%s'", buf);
+		}
+		sc = sc->next;
+	}
 }
diff --git a/src/pluto/smartcard.h b/src/pluto/smartcard.h
index 69510171c..60a0fccfc 100644
--- a/src/pluto/smartcard.h
+++ b/src/pluto/smartcard.h
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: smartcard.h 4709 2008-11-27 10:20:25Z martin $
  */
 
 #ifndef _SMARTCARD_H
@@ -21,19 +19,19 @@
 
 #include "certs.h"
 
-#define SCX_TOKEN		  "%smartcard"
-#define SCX_CERT_CACHE_INTERVAL	  60 /* seconds */
-#define SCX_MAX_PIN_TRIALS	  3
+#define SCX_TOKEN                 "%smartcard"
+#define SCX_CERT_CACHE_INTERVAL   60 /* seconds */
+#define SCX_MAX_PIN_TRIALS        3
 
 /* smartcard operations, update copy in whack.h */
 
 #ifndef SC_OP_T
 #define SC_OP_T
 typedef enum {
-    SC_OP_NONE =    0,
-    SC_OP_ENCRYPT = 1,
-    SC_OP_DECRYPT = 2,
-    SC_OP_SIGN =    3,
+	SC_OP_NONE =    0,
+	SC_OP_ENCRYPT = 1,
+	SC_OP_DECRYPT = 2,
+	SC_OP_SIGN =    3,
 } sc_op_t;
 #endif /* SC_OP_T */
 
@@ -42,21 +40,21 @@ typedef enum {
 typedef struct smartcard smartcard_t;
 
 struct smartcard {
-    smartcard_t  *next;
-    time_t	  last_load;
-    cert_t	  last_cert;
-    int		  count;
-    int		  number;
-    unsigned long slot;
-    char	  *id;
-    char	 *label;
-    chunk_t	  pin;
-    bool	  pinpad;
-    bool	  valid;
-    bool	  session_opened;
-    bool	  logged_in;
-    bool	  any_slot;
-    long	  session;
+	smartcard_t  *next;
+	time_t        last_load;
+	cert_t        last_cert;
+	int           count;
+	int           number;
+	unsigned long slot;
+	char          *id;
+	char         *label;
+	chunk_t       pin;
+	bool          pinpad;
+	bool          valid;
+	bool          session_opened;
+	bool          logged_in;
+	bool          any_slot;
+	long          session;
 };
 
 extern const smartcard_t empty_sc;
@@ -78,17 +76,17 @@ extern bool scx_establish_context(smartcard_t *sc);
 extern bool scx_login(smartcard_t *sc);
 extern bool scx_on_smartcard(const char *filename);
 extern bool scx_load_cert(const char *filename, smartcard_t **scp
-    , cert_t *cert, bool *cached);
+	, cert_t *cert, bool *cached);
 extern bool scx_verify_pin(smartcard_t *sc);
 extern void scx_share(smartcard_t *sc);
 extern bool scx_sign_hash(smartcard_t *sc, const u_char *in, size_t inlen
-    , u_char *out, size_t outlen);
+	, u_char *out, size_t outlen);
 extern bool scx_encrypt(smartcard_t *sc, const u_char *in, size_t inlen
-    , u_char *out, size_t *outlen);
+	, u_char *out, size_t *outlen);
 extern bool scx_decrypt(smartcard_t *sc, const u_char *in, size_t inlen
-    , u_char *out, size_t *outlen);
+	, u_char *out, size_t *outlen);
 extern bool scx_op_via_whack(const char* msg, int inbase, int outbase
-    , sc_op_t op, const char *keyid, int whackfd);
+	, sc_op_t op, const char *keyid, int whackfd);
 extern bool scx_get_pin(smartcard_t *sc, int whackfd);
 extern size_t scx_get_keylength(smartcard_t *sc);
 extern smartcard_t* scx_add(smartcard_t *sc);
diff --git a/src/pluto/spdb.c b/src/pluto/spdb.c
index 9d1bf8843..b8f4a3c23 100644
--- a/src/pluto/spdb.c
+++ b/src/pluto/spdb.c
@@ -10,8 +10,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: spdb.c 3845 2008-04-18 17:00:30Z andreas $
  */
 
 #include <stdio.h>
@@ -23,7 +21,6 @@
 #include <sys/queue.h>
 
 #include <freeswan.h>
-#include <ipsec_policy.h>
 
 #include "constants.h"
 #include "defs.h"
@@ -36,16 +33,14 @@
 #include "log.h"
 #include "spdb.h"
 #include "whack.h"
-#include "sha1.h"
-#include "md5.h"
-#include "crypto.h" /* requires sha1.h and md5.h */
+#include "crypto.h"
 #include "alg_info.h"
 #include "kernel_alg.h"
 #include "ike_alg.h"
 #include "db_ops.h"
 #include "nat_traversal.h"
 
-#define AD(x) x, elemsof(x)	/* Array Description */
+#define AD(x) x, countof(x)     /* Array Description */
 #define AD_NULL NULL, 0
 
 /**************** Oakely (main mode) SA database ****************/
@@ -53,7 +48,7 @@
 /* array of proposals to be conjoined (can only be one for Oakley) */
 
 static struct db_prop oakley_pc[] =
-    { { PROTO_ISAKMP, AD_NULL } };
+	{ { PROTO_ISAKMP, AD_NULL } };
 
 /* array of proposal conjuncts (can only be one) */
 
@@ -67,131 +62,131 @@ struct db_sa oakley_sadb = { AD(oakley_props) };
 /* arrays of attributes for transforms */
 
 static struct db_attr espsha1_attr[] = {
-    { AUTH_ALGORITHM, AUTH_ALGORITHM_HMAC_SHA1 },
-    };
+	{ AUTH_ALGORITHM, AUTH_ALGORITHM_HMAC_SHA1 },
+	};
 
 static struct db_attr ah_HMAC_SHA1_attr[] = {
-    { AUTH_ALGORITHM, AUTH_ALGORITHM_HMAC_SHA1 },
-    };
+	{ AUTH_ALGORITHM, AUTH_ALGORITHM_HMAC_SHA1 },
+	};
 
 /* arrays of transforms, each in in preference order */
 
 static struct db_trans espa_trans[] = {
-    { ESP_3DES, AD(espsha1_attr) },
-    };
+	{ ESP_3DES, AD(espsha1_attr) },
+	};
 
 static struct db_trans esp_trans[] = {
-    { ESP_3DES, AD_NULL },
-    };
+	{ ESP_3DES, AD_NULL },
+	};
 
 #ifdef SUPPORT_ESP_NULL
 static struct db_trans espnull_trans[] = {
-    { ESP_NULL, AD(espsha1_attr) },
-    };
+	{ ESP_NULL, AD(espsha1_attr) },
+	};
 #endif /* SUPPORT_ESP_NULL */
 
 static struct db_trans ah_trans[] = {
-    { AH_SHA, AD(ah_HMAC_SHA1_attr) },
-    };
+	{ AH_SHA, AD(ah_HMAC_SHA1_attr) },
+	};
 
 static struct db_trans ipcomp_trans[] = {
-    { IPCOMP_DEFLATE, AD_NULL },
-    };
+	{ IPCOMP_DEFLATE, AD_NULL },
+	};
 
 /* arrays of proposals to be conjoined */
 
 static struct db_prop ah_pc[] = {
-    { PROTO_IPSEC_AH, AD(ah_trans) },
-    };
+	{ PROTO_IPSEC_AH, AD(ah_trans) },
+	};
 
 #ifdef SUPPORT_ESP_NULL
 static struct db_prop espnull_pc[] = {
-    { PROTO_IPSEC_ESP, AD(espnull_trans) },
-    };
+	{ PROTO_IPSEC_ESP, AD(espnull_trans) },
+	};
 #endif /* SUPPORT_ESP_NULL */
 
 static struct db_prop esp_pc[] = {
-    { PROTO_IPSEC_ESP, AD(espa_trans) },
-    };
+	{ PROTO_IPSEC_ESP, AD(espa_trans) },
+	};
 
 static struct db_prop ah_esp_pc[] = {
-    { PROTO_IPSEC_AH, AD(ah_trans) },
-    { PROTO_IPSEC_ESP, AD(esp_trans) },
-    };
+	{ PROTO_IPSEC_AH, AD(ah_trans) },
+	{ PROTO_IPSEC_ESP, AD(esp_trans) },
+	};
 
 static struct db_prop compress_pc[] = {
-    { PROTO_IPCOMP, AD(ipcomp_trans) },
-    };
+	{ PROTO_IPCOMP, AD(ipcomp_trans) },
+	};
 
 static struct db_prop ah_compress_pc[] = {
-    { PROTO_IPSEC_AH, AD(ah_trans) },
-    { PROTO_IPCOMP, AD(ipcomp_trans) },
-    };
+	{ PROTO_IPSEC_AH, AD(ah_trans) },
+	{ PROTO_IPCOMP, AD(ipcomp_trans) },
+	};
 
 #ifdef SUPPORT_ESP_NULL
 static struct db_prop espnull_compress_pc[] = {
-    { PROTO_IPSEC_ESP, AD(espnull_trans) },
-    { PROTO_IPCOMP, AD(ipcomp_trans) },
-    };
+	{ PROTO_IPSEC_ESP, AD(espnull_trans) },
+	{ PROTO_IPCOMP, AD(ipcomp_trans) },
+	};
 #endif /* SUPPORT_ESP_NULL */
 
 static struct db_prop esp_compress_pc[] = {
-    { PROTO_IPSEC_ESP, AD(espa_trans) },
-    { PROTO_IPCOMP, AD(ipcomp_trans) },
-    };
+	{ PROTO_IPSEC_ESP, AD(espa_trans) },
+	{ PROTO_IPCOMP, AD(ipcomp_trans) },
+	};
 
 static struct db_prop ah_esp_compress_pc[] = {
-    { PROTO_IPSEC_AH, AD(ah_trans) },
-    { PROTO_IPSEC_ESP, AD(esp_trans) },
-    { PROTO_IPCOMP, AD(ipcomp_trans) },
-    };
+	{ PROTO_IPSEC_AH, AD(ah_trans) },
+	{ PROTO_IPSEC_ESP, AD(esp_trans) },
+	{ PROTO_IPCOMP, AD(ipcomp_trans) },
+	};
 
 /* arrays of proposal alternatives (each element is a conjunction) */
 
 static struct db_prop_conj ah_props[] = {
-    { AD(ah_pc) },
+	{ AD(ah_pc) },
 #ifdef SUPPORT_ESP_NULL
-    { AD(espnull_pc) }
+	{ AD(espnull_pc) }
 #endif
-    };
+	};
 
 static struct db_prop_conj esp_props[] =
-    { { AD(esp_pc) } };
+	{ { AD(esp_pc) } };
 
 static struct db_prop_conj ah_esp_props[] =
-    { { AD(ah_esp_pc) } };
+	{ { AD(ah_esp_pc) } };
 
 static struct db_prop_conj compress_props[] = {
-    { AD(compress_pc) },
-    };
+	{ AD(compress_pc) },
+	};
 
 static struct db_prop_conj ah_compress_props[] = {
-    { AD(ah_compress_pc) },
+	{ AD(ah_compress_pc) },
 #ifdef SUPPORT_ESP_NULL
-    { AD(espnull_compress_pc) }
+	{ AD(espnull_compress_pc) }
 #endif
-    };
+	};
 
 static struct db_prop_conj esp_compress_props[] =
-    { { AD(esp_compress_pc) } };
+	{ { AD(esp_compress_pc) } };
 
 static struct db_prop_conj ah_esp_compress_props[] =
-    { { AD(ah_esp_compress_pc) } };
+	{ { AD(ah_esp_compress_pc) } };
 
 /* The IPsec sadb is subscripted by a bitset (subset of policy)
  * with members from { POLICY_ENCRYPT, POLICY_AUTHENTICATE, POLICY_COMPRESS }
  * shifted right by POLICY_IPSEC_SHIFT.
  */
 struct db_sa ipsec_sadb[1 << 3] = {
-    { AD_NULL },	/* none */
-    { AD(esp_props) },	/* POLICY_ENCRYPT */
-    { AD(ah_props) },	/* POLICY_AUTHENTICATE */
-    { AD(ah_esp_props) },	/* POLICY_ENCRYPT+POLICY_AUTHENTICATE */
-    { AD(compress_props) },	/* POLICY_COMPRESS */
-    { AD(esp_compress_props) },	/* POLICY_ENCRYPT+POLICY_COMPRESS */
-    { AD(ah_compress_props) },	/* POLICY_AUTHENTICATE+POLICY_COMPRESS */
-    { AD(ah_esp_compress_props) },	/* POLICY_ENCRYPT+POLICY_AUTHENTICATE+POLICY_COMPRESS */
-    };
+	{ AD_NULL },        /* none */
+	{ AD(esp_props) },  /* POLICY_ENCRYPT */
+	{ AD(ah_props) },   /* POLICY_AUTHENTICATE */
+	{ AD(ah_esp_props) },       /* POLICY_ENCRYPT+POLICY_AUTHENTICATE */
+	{ AD(compress_props) },     /* POLICY_COMPRESS */
+	{ AD(esp_compress_props) }, /* POLICY_ENCRYPT+POLICY_COMPRESS */
+	{ AD(ah_compress_props) },  /* POLICY_AUTHENTICATE+POLICY_COMPRESS */
+	{ AD(ah_esp_compress_props) },      /* POLICY_ENCRYPT+POLICY_AUTHENTICATE+POLICY_COMPRESS */
+	};
 
 #undef AD
 #undef AD_NULL
@@ -204,41 +199,41 @@ out_attr(int type
 , enum_names **attr_val_descs USED_BY_DEBUG
 , pb_stream *pbs)
 {
-    struct isakmp_attribute attr;
-
-    if (val >> 16 == 0)
-    {
-	/* short value: use TV form */
-	attr.isaat_af_type = type | ISAKMP_ATTR_AF_TV;
-	attr.isaat_lv = val;
-	if (!out_struct(&attr, attr_desc, pbs, NULL))
-	    return FALSE;
-    }
-    else
-    {
-	/* This is a real fudge!  Since we rarely use long attributes
-	 * and since this is the only place where we can cause an
-	 * ISAKMP message length to be other than a multiple of 4 octets,
-	 * we force the length of the value to be a multiple of 4 octets.
-	 * Furthermore, we only handle values up to 4 octets in length.
-	 * Voila: a fixed format!
-	 */
-	pb_stream val_pbs;
-	u_int32_t nval = htonl(val);
-
-	attr.isaat_af_type = type | ISAKMP_ATTR_AF_TLV;
-	if (!out_struct(&attr, attr_desc, pbs, &val_pbs)
-	|| !out_raw(&nval, sizeof(nval), &val_pbs, "long attribute value"))
-	    return FALSE;
-	close_output_pbs(&val_pbs);
-    }
-    DBG(DBG_EMITTING,
-	enum_names *d = attr_val_descs[type];
-
-	if (d != NULL)
-	    DBG_log("    [%lu is %s]"
-		, val, enum_show(d, val)));
-    return TRUE;
+	struct isakmp_attribute attr;
+
+	if (val >> 16 == 0)
+	{
+		/* short value: use TV form */
+		attr.isaat_af_type = type | ISAKMP_ATTR_AF_TV;
+		attr.isaat_lv = val;
+		if (!out_struct(&attr, attr_desc, pbs, NULL))
+			return FALSE;
+	}
+	else
+	{
+		/* This is a real fudge!  Since we rarely use long attributes
+		 * and since this is the only place where we can cause an
+		 * ISAKMP message length to be other than a multiple of 4 octets,
+		 * we force the length of the value to be a multiple of 4 octets.
+		 * Furthermore, we only handle values up to 4 octets in length.
+		 * Voila: a fixed format!
+		 */
+		pb_stream val_pbs;
+		u_int32_t nval = htonl(val);
+
+		attr.isaat_af_type = type | ISAKMP_ATTR_AF_TLV;
+		if (!out_struct(&attr, attr_desc, pbs, &val_pbs)
+		|| !out_raw(&nval, sizeof(nval), &val_pbs, "long attribute value"))
+			return FALSE;
+		close_output_pbs(&val_pbs);
+	}
+	DBG(DBG_EMITTING,
+		enum_names *d = attr_val_descs[type];
+
+		if (d != NULL)
+			DBG_log("    [%lu is %s]"
+				, val, enum_show(d, val)));
+	return TRUE;
 }
 #define return_on(var, val) do { var=val;goto return_out; } while(0);
 /* Output an SA, as described by a db_sa.
@@ -251,336 +246,336 @@ out_sa(pb_stream *outs
 , bool oakley_mode
 , u_int8_t np)
 {
-    pb_stream sa_pbs;
-    int pcn;
-    bool ret = FALSE;
-    bool ah_spi_generated = FALSE
-	, esp_spi_generated = FALSE
-	, ipcomp_cpi_generated = FALSE;
+	pb_stream sa_pbs;
+	int pcn;
+	bool ret = FALSE;
+	bool ah_spi_generated = FALSE
+		, esp_spi_generated = FALSE
+		, ipcomp_cpi_generated = FALSE;
 #if !defined NO_KERNEL_ALG || !defined NO_IKE_ALG
-    struct db_context *db_ctx = NULL;
+	struct db_context *db_ctx = NULL;
 #endif
 
-    /* SA header out */
-    {
-	struct isakmp_sa sa;
-
-	sa.isasa_np = np;
-	st->st_doi = sa.isasa_doi = ISAKMP_DOI_IPSEC;	/* all we know */
-	if (!out_struct(&sa, &isakmp_sa_desc, outs, &sa_pbs))
-	    return_on(ret, FALSE);
-    }
-
-    /* within SA: situation out */
-    st->st_situation = SIT_IDENTITY_ONLY;
-    if (!out_struct(&st->st_situation, &ipsec_sit_desc, &sa_pbs, NULL))
-	return_on(ret, FALSE);
-
-    /* within SA: Proposal Payloads
-     *
-     * Multiple Proposals with the same number are simultaneous
-     * (conjuncts) and must deal with different protocols (AH or ESP).
-     * Proposals with different numbers are alternatives (disjuncts),
-     * in preference order.
-     * Proposal numbers must be monotonic.
-     * See RFC 2408 "ISAKMP" 4.2
-     */
-
-    for (pcn = 0; pcn != sadb->prop_conj_cnt; pcn++)
-    {
-	struct db_prop_conj *pc = &sadb->prop_conjs[pcn];
-	int pn;
-
-	for (pn = 0; pn != pc->prop_cnt; pn++)
+	/* SA header out */
 	{
-	    struct db_prop *p = &pc->props[pn];
-	    pb_stream proposal_pbs;
-	    struct isakmp_proposal proposal;
-	    struct_desc *trans_desc = NULL;
-	    struct_desc *attr_desc = NULL;
-	    enum_names **attr_val_descs = NULL;
-	    int tn;
-	    bool tunnel_mode;
-
-	    tunnel_mode = (pn == pc->prop_cnt-1)
-		&& (st->st_policy & POLICY_TUNNEL);
-
-	    /* Proposal header */
-	    proposal.isap_np = pcn == sadb->prop_conj_cnt-1 && pn == pc->prop_cnt-1
-		? ISAKMP_NEXT_NONE : ISAKMP_NEXT_P;
-	    proposal.isap_proposal = pcn;
-	    proposal.isap_protoid = p->protoid;
-	    proposal.isap_spisize = oakley_mode ? 0
-		: p->protoid == PROTO_IPCOMP ? IPCOMP_CPI_SIZE
-		: IPSEC_DOI_SPI_SIZE;
-
-	    /* In quick mode ONLY, create proposal for runtime kernel algos.
-	     *  Replace ESP proposals with runtime created one
-	     */
-	    if (!oakley_mode && p->protoid == PROTO_IPSEC_ESP)
-	    {
-		DBG(DBG_CONTROL | DBG_CRYPT,
-		    if (st->st_connection->alg_info_esp)
-		    {
-			static char buf[256]="";
-
-			alg_info_snprint(buf, sizeof (buf),
-				(struct alg_info *)st->st_connection->alg_info_esp);
-			DBG_log(buf);
-		    }
-		)
-		db_ctx = kernel_alg_db_new(st->st_connection->alg_info_esp, st->st_policy);
-		p = db_prop_get(db_ctx);
-
-		if (!p || p->trans_cnt == 0)
-		{
-		    loglog(RC_LOG_SERIOUS,
-			"empty IPSEC SA proposal to send "
-			"(no kernel algorithms for esp selection)");
-		    return_on(ret, FALSE);
-		}
-	    }
-
-	    if (oakley_mode && p->protoid == PROTO_ISAKMP)
-	    {
-		DBG(DBG_CONTROL | DBG_CRYPT,
-		    if (st->st_connection->alg_info_ike)
-		    {
-			static char buf[256]="";
-
-			alg_info_snprint(buf, sizeof (buf),
-				(struct alg_info *)st->st_connection->alg_info_ike);
-			DBG_log(buf);
-		    }
-		)
-		db_ctx = ike_alg_db_new(st->st_connection->alg_info_ike, st->st_policy);
-		p = db_prop_get(db_ctx);
-
-		if (!p || p->trans_cnt == 0)
-		{
-		    loglog(RC_LOG_SERIOUS,
-			"empty ISAKMP SA proposal to send "
-			"(no algorithms for ike selection?)");
-		    return_on(ret, FALSE);
-		}
-	    }
-
-	    proposal.isap_notrans = p->trans_cnt;
-	    if (!out_struct(&proposal, &isakmp_proposal_desc, &sa_pbs, &proposal_pbs))
-		return_on(ret, FALSE);
+		struct isakmp_sa sa;
 
-	    /* Per-protocols stuff:
-	     * Set trans_desc.
-	     * Set attr_desc.
-	     * Set attr_val_descs.
-	     * If not oakley_mode, emit SPI.
-	     * We allocate SPIs on demand.
-	     * All ESPs in an SA will share a single SPI.
-	     * All AHs in an SAwill share a single SPI.
-	     * AHs' SPI will be distinct from ESPs'.
-	     * This latter is needed because KLIPS doesn't
-	     * use the protocol when looking up a (dest, protocol, spi).
-	     * ??? If multiple ESPs are composed, how should their SPIs
-	     * be allocated?
-	     */
-	    {
-		ipsec_spi_t *spi_ptr = NULL;
-		int proto = 0;
-		bool *spi_generated = NULL;
-
-		switch (p->protoid)
-		{
-		case PROTO_ISAKMP:
-		    passert(oakley_mode);
-		    trans_desc = &isakmp_isakmp_transform_desc;
-		    attr_desc = &isakmp_oakley_attribute_desc;
-		    attr_val_descs = oakley_attr_val_descs;
-		    /* no SPI needed */
-		    break;
-		case PROTO_IPSEC_AH:
-		    passert(!oakley_mode);
-		    trans_desc = &isakmp_ah_transform_desc;
-		    attr_desc = &isakmp_ipsec_attribute_desc;
-		    attr_val_descs = ipsec_attr_val_descs;
-		    spi_ptr = &st->st_ah.our_spi;
-		    spi_generated = &ah_spi_generated;
-		    proto = IPPROTO_AH;
-		    break;
-		case PROTO_IPSEC_ESP:
-		    passert(!oakley_mode);
-		    trans_desc = &isakmp_esp_transform_desc;
-		    attr_desc = &isakmp_ipsec_attribute_desc;
-		    attr_val_descs = ipsec_attr_val_descs;
-		    spi_ptr = &st->st_esp.our_spi;
-		    spi_generated = &esp_spi_generated;
-		    proto = IPPROTO_ESP;
-		    break;
-		case PROTO_IPCOMP:
-		    passert(!oakley_mode);
-		    trans_desc = &isakmp_ipcomp_transform_desc;
-		    attr_desc = &isakmp_ipsec_attribute_desc;
-		    attr_val_descs = ipsec_attr_val_descs;
-
-		    /* a CPI isn't quite the same as an SPI
-		     * so we use specialized code to emit it.
-		     */
-		    if (!ipcomp_cpi_generated)
-		    {
-			st->st_ipcomp.our_spi = get_my_cpi(
-			    &st->st_connection->spd, tunnel_mode);
-			if (st->st_ipcomp.our_spi == 0)
-			    return_on(ret, FALSE);	/* problem generating CPI */
-
-			ipcomp_cpi_generated = TRUE;
-		    }
-		    /* CPI is stored in network low order end of an
-		     * ipsec_spi_t.  So we start a couple of bytes in.
-		     */
-		    if (!out_raw((u_char *)&st->st_ipcomp.our_spi
-		     + IPSEC_DOI_SPI_SIZE - IPCOMP_CPI_SIZE
-		    , IPCOMP_CPI_SIZE
-		    , &proposal_pbs, "CPI"))
-			return_on(ret, FALSE);
-		    break;
-		default:
-		    bad_case(p->protoid);
-		}
-		if (spi_ptr != NULL)
-		{
-		    if (!*spi_generated)
-		    {
-			*spi_ptr = get_ipsec_spi(0
-			    , proto
-			    , &st->st_connection->spd
-			    , tunnel_mode);
-			if (*spi_ptr == 0)
-			    return FALSE;
-			*spi_generated = TRUE;
-		    }
-		    if (!out_raw((u_char *)spi_ptr, IPSEC_DOI_SPI_SIZE
-		    , &proposal_pbs, "SPI"))
+		sa.isasa_np = np;
+		st->st_doi = sa.isasa_doi = ISAKMP_DOI_IPSEC;   /* all we know */
+		if (!out_struct(&sa, &isakmp_sa_desc, outs, &sa_pbs))
 			return_on(ret, FALSE);
-		}
-	    }
+	}
 
-	    /* within proposal: Transform Payloads */
-	    for (tn = 0; tn != p->trans_cnt; tn++)
-	    {
-		struct db_trans *t = &p->trans[tn];
-		pb_stream trans_pbs;
-		struct isakmp_transform trans;
-		int an;
+	/* within SA: situation out */
+	st->st_situation = SIT_IDENTITY_ONLY;
+	if (!out_struct(&st->st_situation, &ipsec_sit_desc, &sa_pbs, NULL))
+		return_on(ret, FALSE);
 
-		trans.isat_np = (tn == p->trans_cnt - 1)
-		    ? ISAKMP_NEXT_NONE : ISAKMP_NEXT_T;
-		trans.isat_transnum = tn;
-		trans.isat_transid = t->transid;
-		if (!out_struct(&trans, trans_desc, &proposal_pbs, &trans_pbs))
-		    return_on(ret, FALSE);
+	/* within SA: Proposal Payloads
+	 *
+	 * Multiple Proposals with the same number are simultaneous
+	 * (conjuncts) and must deal with different protocols (AH or ESP).
+	 * Proposals with different numbers are alternatives (disjuncts),
+	 * in preference order.
+	 * Proposal numbers must be monotonic.
+	 * See RFC 2408 "ISAKMP" 4.2
+	 */
 
-		/* Within tranform: Attributes. */
+	for (pcn = 0; pcn != sadb->prop_conj_cnt; pcn++)
+	{
+		struct db_prop_conj *pc = &sadb->prop_conjs[pcn];
+		int pn;
 
-		/* For Phase 2 / Quick Mode, GROUP_DESCRIPTION is
-		 * automatically generated because it must be the same
-		 * in every transform.  Except IPCOMP.
-		 */
-		if (p->protoid != PROTO_IPCOMP
-		&& st->st_pfs_group != NULL)
+		for (pn = 0; pn != pc->prop_cnt; pn++)
 		{
-		    passert(!oakley_mode);
-		    passert(st->st_pfs_group != &unset_group);
-		    out_attr(GROUP_DESCRIPTION, st->st_pfs_group->group
-			, attr_desc, attr_val_descs
-			, &trans_pbs);
-		}
+			struct db_prop *p = &pc->props[pn];
+			pb_stream proposal_pbs;
+			struct isakmp_proposal proposal;
+			struct_desc *trans_desc = NULL;
+			struct_desc *attr_desc = NULL;
+			enum_names **attr_val_descs = NULL;
+			int tn;
+			bool tunnel_mode;
+
+			tunnel_mode = (pn == pc->prop_cnt-1)
+				&& (st->st_policy & POLICY_TUNNEL);
+
+			/* Proposal header */
+			proposal.isap_np = pcn == sadb->prop_conj_cnt-1 && pn == pc->prop_cnt-1
+				? ISAKMP_NEXT_NONE : ISAKMP_NEXT_P;
+			proposal.isap_proposal = pcn;
+			proposal.isap_protoid = p->protoid;
+			proposal.isap_spisize = oakley_mode ? 0
+				: p->protoid == PROTO_IPCOMP ? IPCOMP_CPI_SIZE
+				: IPSEC_DOI_SPI_SIZE;
+
+			/* In quick mode ONLY, create proposal for runtime kernel algos.
+			 *  Replace ESP proposals with runtime created one
+			 */
+			if (!oakley_mode && p->protoid == PROTO_IPSEC_ESP)
+			{
+				DBG(DBG_CONTROL | DBG_CRYPT,
+					if (st->st_connection->alg_info_esp)
+					{
+						static char buf[BUF_LEN]="";
+
+						alg_info_snprint(buf, sizeof (buf),
+								(struct alg_info *)st->st_connection->alg_info_esp);
+						DBG_log("esp proposal: %s", buf);
+					}
+				)
+				db_ctx = kernel_alg_db_new(st->st_connection->alg_info_esp, st->st_policy);
+				p = db_prop_get(db_ctx);
+
+				if (!p || p->trans_cnt == 0)
+				{
+					loglog(RC_LOG_SERIOUS,
+						"empty IPSEC SA proposal to send "
+						"(no kernel algorithms for esp selection)");
+					return_on(ret, FALSE);
+				}
+			}
 
-		/* automatically generate duration
-		 * and, for Phase 2 / Quick Mode, encapsulation.
-		 */
-		if (oakley_mode)
-		{
-		    out_attr(OAKLEY_LIFE_TYPE, OAKLEY_LIFE_SECONDS
-			, attr_desc, attr_val_descs
-			, &trans_pbs);
-		    out_attr(OAKLEY_LIFE_DURATION
-			, st->st_connection->sa_ike_life_seconds
-			, attr_desc, attr_val_descs
-			, &trans_pbs);
-		}
-		else
-		{
-		    /* RFC 2407 (IPSEC DOI) 4.5 specifies that
-		     * the default is "unspecified (host-dependent)".
-		     * This makes little sense, so we always specify it.
-		     *
-		     * Unlike other IPSEC transforms, IPCOMP defaults
-		     * to Transport Mode, so we can exploit the default
-		     * (draft-shacham-ippcp-rfc2393bis-05.txt 4.1).
-		     */
-		    if (p->protoid != PROTO_IPCOMP
-		    || st->st_policy & POLICY_TUNNEL)
-		    {
-#ifndef I_KNOW_TRANSPORT_MODE_HAS_SECURITY_CONCERN_BUT_I_WANT_IT
-			if ((st->nat_traversal & NAT_T_DETECTED)
-			&& !(st->st_policy & POLICY_TUNNEL))
+			if (oakley_mode && p->protoid == PROTO_ISAKMP)
 			{
-			    /* Inform user that we will not respect policy and only
-			     * propose Tunnel Mode
-			     */
-			    loglog(RC_LOG_SERIOUS, "NAT-Traversal: "
-				"Transport Mode not allowed due to security concerns -- "
-				"using Tunnel mode");
+				DBG(DBG_CONTROL | DBG_CRYPT,
+					if (st->st_connection->alg_info_ike)
+					{
+						static char buf[BUF_LEN]="";
+
+						alg_info_snprint(buf, sizeof (buf),
+								(struct alg_info *)st->st_connection->alg_info_ike);
+						DBG_log("ike proposal: %s", buf);
+					}
+				)
+				db_ctx = ike_alg_db_new(st->st_connection, st->st_policy);
+				p = db_prop_get(db_ctx);
+
+				if (!p || p->trans_cnt == 0)
+				{
+					loglog(RC_LOG_SERIOUS,
+						"empty ISAKMP SA proposal to send "
+						"(no algorithms for ike selection?)");
+					return_on(ret, FALSE);
+				}
 			}
+
+			proposal.isap_notrans = p->trans_cnt;
+			if (!out_struct(&proposal, &isakmp_proposal_desc, &sa_pbs, &proposal_pbs))
+				return_on(ret, FALSE);
+
+			/* Per-protocols stuff:
+			 * Set trans_desc.
+			 * Set attr_desc.
+			 * Set attr_val_descs.
+			 * If not oakley_mode, emit SPI.
+			 * We allocate SPIs on demand.
+			 * All ESPs in an SA will share a single SPI.
+			 * All AHs in an SAwill share a single SPI.
+			 * AHs' SPI will be distinct from ESPs'.
+			 * This latter is needed because KLIPS doesn't
+			 * use the protocol when looking up a (dest, protocol, spi).
+			 * ??? If multiple ESPs are composed, how should their SPIs
+			 * be allocated?
+			 */
+			{
+				ipsec_spi_t *spi_ptr = NULL;
+				int proto = 0;
+				bool *spi_generated = NULL;
+
+				switch (p->protoid)
+				{
+				case PROTO_ISAKMP:
+					passert(oakley_mode);
+					trans_desc = &isakmp_isakmp_transform_desc;
+					attr_desc = &isakmp_oakley_attribute_desc;
+					attr_val_descs = oakley_attr_val_descs;
+					/* no SPI needed */
+					break;
+				case PROTO_IPSEC_AH:
+					passert(!oakley_mode);
+					trans_desc = &isakmp_ah_transform_desc;
+					attr_desc = &isakmp_ipsec_attribute_desc;
+					attr_val_descs = ipsec_attr_val_descs;
+					spi_ptr = &st->st_ah.our_spi;
+					spi_generated = &ah_spi_generated;
+					proto = IPPROTO_AH;
+					break;
+				case PROTO_IPSEC_ESP:
+					passert(!oakley_mode);
+					trans_desc = &isakmp_esp_transform_desc;
+					attr_desc = &isakmp_ipsec_attribute_desc;
+					attr_val_descs = ipsec_attr_val_descs;
+					spi_ptr = &st->st_esp.our_spi;
+					spi_generated = &esp_spi_generated;
+					proto = IPPROTO_ESP;
+					break;
+				case PROTO_IPCOMP:
+					passert(!oakley_mode);
+					trans_desc = &isakmp_ipcomp_transform_desc;
+					attr_desc = &isakmp_ipsec_attribute_desc;
+					attr_val_descs = ipsec_attr_val_descs;
+
+					/* a CPI isn't quite the same as an SPI
+					 * so we use specialized code to emit it.
+					 */
+					if (!ipcomp_cpi_generated)
+					{
+						st->st_ipcomp.our_spi = get_my_cpi(
+							&st->st_connection->spd, tunnel_mode);
+						if (st->st_ipcomp.our_spi == 0)
+							return_on(ret, FALSE);      /* problem generating CPI */
+
+						ipcomp_cpi_generated = TRUE;
+					}
+					/* CPI is stored in network low order end of an
+					 * ipsec_spi_t.  So we start a couple of bytes in.
+					 */
+					if (!out_raw((u_char *)&st->st_ipcomp.our_spi
+					 + IPSEC_DOI_SPI_SIZE - IPCOMP_CPI_SIZE
+					, IPCOMP_CPI_SIZE
+					, &proposal_pbs, "CPI"))
+						return_on(ret, FALSE);
+					break;
+				default:
+					bad_case(p->protoid);
+				}
+				if (spi_ptr != NULL)
+				{
+					if (!*spi_generated)
+					{
+						*spi_ptr = get_ipsec_spi(0
+							, proto
+							, &st->st_connection->spd
+							, tunnel_mode);
+						if (*spi_ptr == 0)
+							return FALSE;
+						*spi_generated = TRUE;
+					}
+					if (!out_raw((u_char *)spi_ptr, IPSEC_DOI_SPI_SIZE
+					, &proposal_pbs, "SPI"))
+						return_on(ret, FALSE);
+				}
+			}
+
+			/* within proposal: Transform Payloads */
+			for (tn = 0; tn != p->trans_cnt; tn++)
+			{
+				struct db_trans *t = &p->trans[tn];
+				pb_stream trans_pbs;
+				struct isakmp_transform trans;
+				int an;
+
+				trans.isat_np = (tn == p->trans_cnt - 1)
+					? ISAKMP_NEXT_NONE : ISAKMP_NEXT_T;
+				trans.isat_transnum = tn;
+				trans.isat_transid = t->transid;
+				if (!out_struct(&trans, trans_desc, &proposal_pbs, &trans_pbs))
+					return_on(ret, FALSE);
+
+				/* Within tranform: Attributes. */
+
+				/* For Phase 2 / Quick Mode, GROUP_DESCRIPTION is
+				 * automatically generated because it must be the same
+				 * in every transform.  Except IPCOMP.
+				 */
+				if (p->protoid != PROTO_IPCOMP
+				&& st->st_pfs_group != NULL)
+				{
+					passert(!oakley_mode);
+					passert(st->st_pfs_group != &unset_group);
+					out_attr(GROUP_DESCRIPTION, st->st_pfs_group->algo_id
+						, attr_desc, attr_val_descs
+						, &trans_pbs);
+				}
+
+				/* automatically generate duration
+				 * and, for Phase 2 / Quick Mode, encapsulation.
+				 */
+				if (oakley_mode)
+				{
+					out_attr(OAKLEY_LIFE_TYPE, OAKLEY_LIFE_SECONDS
+						, attr_desc, attr_val_descs
+						, &trans_pbs);
+					out_attr(OAKLEY_LIFE_DURATION
+						, st->st_connection->sa_ike_life_seconds
+						, attr_desc, attr_val_descs
+						, &trans_pbs);
+				}
+				else
+				{
+					/* RFC 2407 (IPSEC DOI) 4.5 specifies that
+					 * the default is "unspecified (host-dependent)".
+					 * This makes little sense, so we always specify it.
+					 *
+					 * Unlike other IPSEC transforms, IPCOMP defaults
+					 * to Transport Mode, so we can exploit the default
+					 * (draft-shacham-ippcp-rfc2393bis-05.txt 4.1).
+					 */
+					if (p->protoid != PROTO_IPCOMP
+					|| st->st_policy & POLICY_TUNNEL)
+					{
+#ifndef I_KNOW_TRANSPORT_MODE_HAS_SECURITY_CONCERN_BUT_I_WANT_IT
+						if ((st->nat_traversal & NAT_T_DETECTED)
+						&& !(st->st_policy & POLICY_TUNNEL))
+						{
+							/* Inform user that we will not respect policy and only
+							 * propose Tunnel Mode
+							 */
+							loglog(RC_LOG_SERIOUS, "NAT-Traversal: "
+								"Transport Mode not allowed due to security concerns -- "
+								"using Tunnel mode");
+						}
 #endif
-			out_attr(ENCAPSULATION_MODE
+						out_attr(ENCAPSULATION_MODE
 #ifdef I_KNOW_TRANSPORT_MODE_HAS_SECURITY_CONCERN_BUT_I_WANT_IT
-			    , NAT_T_ENCAPSULATION_MODE(st, st->st_policy)
+							, NAT_T_ENCAPSULATION_MODE(st, st->st_policy)
 #else
-				/* If NAT-T is detected, use UDP_TUNNEL as long as Transport
-				 * Mode has security concerns.
-				 *
-				 * User has been informed of that
-				 */
-			    , NAT_T_ENCAPSULATION_MODE(st, POLICY_TUNNEL)
+								/* If NAT-T is detected, use UDP_TUNNEL as long as Transport
+								 * Mode has security concerns.
+								 *
+								 * User has been informed of that
+								 */
+							, NAT_T_ENCAPSULATION_MODE(st, POLICY_TUNNEL)
 #endif
-			    , attr_desc, attr_val_descs
-			    , &trans_pbs);
-		    }
-		    out_attr(SA_LIFE_TYPE, SA_LIFE_TYPE_SECONDS
-			, attr_desc, attr_val_descs
-			, &trans_pbs);
-		    out_attr(SA_LIFE_DURATION
-			, st->st_connection->sa_ipsec_life_seconds
-			, attr_desc, attr_val_descs
-			, &trans_pbs);
-		}
-
-		/* spit out attributes from table */
-		for (an = 0; an != t->attr_cnt; an++)
-		{
-		    struct db_attr *a = &t->attrs[an];
-
-		    out_attr(a->type, a->val
-			, attr_desc, attr_val_descs
-			, &trans_pbs);
+							, attr_desc, attr_val_descs
+							, &trans_pbs);
+					}
+					out_attr(SA_LIFE_TYPE, SA_LIFE_TYPE_SECONDS
+						, attr_desc, attr_val_descs
+						, &trans_pbs);
+					out_attr(SA_LIFE_DURATION
+						, st->st_connection->sa_ipsec_life_seconds
+						, attr_desc, attr_val_descs
+						, &trans_pbs);
+				}
+
+				/* spit out attributes from table */
+				for (an = 0; an != t->attr_cnt; an++)
+				{
+					struct db_attr *a = &t->attrs[an];
+
+					out_attr(a->type, a->val
+						, attr_desc, attr_val_descs
+						, &trans_pbs);
+				}
+
+				close_output_pbs(&trans_pbs);
+			}
+			close_output_pbs(&proposal_pbs);
 		}
-
-		close_output_pbs(&trans_pbs);
-	    }
-	    close_output_pbs(&proposal_pbs);
+		/* end of a conjunction of proposals */
 	}
-	/* end of a conjunction of proposals */
-    }
-    close_output_pbs(&sa_pbs);
-    ret = TRUE;
+	close_output_pbs(&sa_pbs);
+	ret = TRUE;
 
 return_out:
 
 #if !defined NO_KERNEL_ALG || !defined NO_IKE_ALG
-    if (db_ctx)
-	    db_destroy(db_ctx);
+	if (db_ctx)
+			db_destroy(db_ctx);
 #endif
-    return ret;
+	return ret;
 }
 
 /* Handle long form of duration attribute.
@@ -590,27 +585,27 @@ return_out:
 static u_int32_t
 decode_long_duration(pb_stream *pbs)
 {
-    u_int32_t val = 0;
-
-    /* ignore leading zeros */
-    while (pbs_left(pbs) != 0 && *pbs->cur == '\0')
-	pbs->cur++;
-
-    if (pbs_left(pbs) > sizeof(val))
-    {
-	/* "clamp" too large value to max representable value */
-	val -= 1;	/* portable way to get to maximum value */
-	DBG(DBG_PARSING, DBG_log("   too large duration clamped to: %lu"
-	    , (unsigned long)val));
-    }
-    else
-    {
-	/* decode number */
-	while (pbs_left(pbs) != 0)
-	    val = (val << BITS_PER_BYTE) | *pbs->cur++;
-	DBG(DBG_PARSING, DBG_log("   long duration: %lu", (unsigned long)val));
-    }
-    return val;
+	u_int32_t val = 0;
+
+	/* ignore leading zeros */
+	while (pbs_left(pbs) != 0 && *pbs->cur == '\0')
+		pbs->cur++;
+
+	if (pbs_left(pbs) > sizeof(val))
+	{
+		/* "clamp" too large value to max representable value */
+		val -= 1;       /* portable way to get to maximum value */
+		DBG(DBG_PARSING, DBG_log("   too large duration clamped to: %lu"
+			, (unsigned long)val));
+	}
+	else
+	{
+		/* decode number */
+		while (pbs_left(pbs) != 0)
+			val = (val << BITS_PER_BYTE) | *pbs->cur++;
+		DBG(DBG_PARSING, DBG_log("   long duration: %lu", (unsigned long)val));
+	}
+	return val;
 }
 
 /* Preparse the body of an ISAKMP SA Payload and
@@ -621,99 +616,99 @@ decode_long_duration(pb_stream *pbs)
  */
 notification_t
 preparse_isakmp_sa_body(const struct isakmp_sa *sa
-		      , pb_stream *sa_pbs
-		      , u_int32_t *ipsecdoisit
-		      , pb_stream *proposal_pbs
-		      , struct isakmp_proposal *proposal)
+					  , pb_stream *sa_pbs
+					  , u_int32_t *ipsecdoisit
+					  , pb_stream *proposal_pbs
+					  , struct isakmp_proposal *proposal)
 {
-    /* DOI */
-    if (sa->isasa_doi != ISAKMP_DOI_IPSEC)
-    {
-	loglog(RC_LOG_SERIOUS, "Unknown/unsupported DOI %s", enum_show(&doi_names, sa->isasa_doi));
-	/* XXX Could send notification back */
-	return DOI_NOT_SUPPORTED;
-    }
-
-    /* Situation */
-    if (!in_struct(ipsecdoisit, &ipsec_sit_desc, sa_pbs, NULL))
-	return SITUATION_NOT_SUPPORTED;
-
-    if (*ipsecdoisit != SIT_IDENTITY_ONLY)
-    {
-	loglog(RC_LOG_SERIOUS, "unsupported IPsec DOI situation (%s)"
-	    , bitnamesof(sit_bit_names, *ipsecdoisit));
-	/* XXX Could send notification back */
-	return SITUATION_NOT_SUPPORTED;
-    }
-
-    /* The rules for ISAKMP SAs are scattered.
-     * RFC 2409 "IKE" section 5 says that there
-     * can only be one SA, and it can have only one proposal in it.
-     * There may well be multiple transforms.
-     */
-    if (!in_struct(proposal, &isakmp_proposal_desc, sa_pbs, proposal_pbs))
-	return PAYLOAD_MALFORMED;
-
-    if (proposal->isap_np != ISAKMP_NEXT_NONE)
-    {
-	loglog(RC_LOG_SERIOUS, "Proposal Payload must be alone in Oakley SA; found %s following Proposal"
-	    , enum_show(&payload_names, proposal->isap_np));
-	return PAYLOAD_MALFORMED;
-    }
-
-    if (proposal->isap_protoid != PROTO_ISAKMP)
-    {
-	loglog(RC_LOG_SERIOUS, "unexpected Protocol ID (%s) found in Oakley Proposal"
-	    , enum_show(&protocol_names, proposal->isap_protoid));
-	return INVALID_PROTOCOL_ID;
-    }
-
-    /* Just what should we accept for the SPI field?
-     * The RFC is sort of contradictory.  We will ignore the SPI
-     * as long as it is of the proper size.
-     *
-     * From RFC2408 2.4 Identifying Security Associations:
-     *   During phase 1 negotiations, the initiator and responder cookies
-     *   determine the ISAKMP SA. Therefore, the SPI field in the Proposal
-     *   payload is redundant and MAY be set to 0 or it MAY contain the
-     *   transmitting entity's cookie.
-     *
-     * From RFC2408 3.5 Proposal Payload:
-     *    o  SPI Size (1 octet) - Length in octets of the SPI as defined by
-     *       the Protocol-Id.  In the case of ISAKMP, the Initiator and
-     *       Responder cookie pair from the ISAKMP Header is the ISAKMP SPI,
-     *       therefore, the SPI Size is irrelevant and MAY be from zero (0) to
-     *       sixteen (16).  If the SPI Size is non-zero, the content of the
-     *       SPI field MUST be ignored.  If the SPI Size is not a multiple of
-     *       4 octets it will have some impact on the SPI field and the
-     *       alignment of all payloads in the message.  The Domain of
-     *       Interpretation (DOI) will dictate the SPI Size for other
-     *       protocols.
-     */
-    if (proposal->isap_spisize == 0)
-    {
-	/* empty (0) SPI -- fine */
-    }
-    else if (proposal->isap_spisize <= MAX_ISAKMP_SPI_SIZE)
-    {
-	u_char junk_spi[MAX_ISAKMP_SPI_SIZE];
-
-	if (!in_raw(junk_spi, proposal->isap_spisize, proposal_pbs, "Oakley SPI"))
-	    return PAYLOAD_MALFORMED;
-    }
-    else
-    {
-	loglog(RC_LOG_SERIOUS, "invalid SPI size (%u) in Oakley Proposal"
-	    , (unsigned)proposal->isap_spisize);
-	return INVALID_SPI;
-    }
-    return NOTHING_WRONG;
+	/* DOI */
+	if (sa->isasa_doi != ISAKMP_DOI_IPSEC)
+	{
+		loglog(RC_LOG_SERIOUS, "Unknown/unsupported DOI %s", enum_show(&doi_names, sa->isasa_doi));
+		/* XXX Could send notification back */
+		return DOI_NOT_SUPPORTED;
+	}
+
+	/* Situation */
+	if (!in_struct(ipsecdoisit, &ipsec_sit_desc, sa_pbs, NULL))
+		return SITUATION_NOT_SUPPORTED;
+
+	if (*ipsecdoisit != SIT_IDENTITY_ONLY)
+	{
+		loglog(RC_LOG_SERIOUS, "unsupported IPsec DOI situation (%s)"
+			, bitnamesof(sit_bit_names, *ipsecdoisit));
+		/* XXX Could send notification back */
+		return SITUATION_NOT_SUPPORTED;
+	}
+
+	/* The rules for ISAKMP SAs are scattered.
+	 * RFC 2409 "IKE" section 5 says that there
+	 * can only be one SA, and it can have only one proposal in it.
+	 * There may well be multiple transforms.
+	 */
+	if (!in_struct(proposal, &isakmp_proposal_desc, sa_pbs, proposal_pbs))
+		return PAYLOAD_MALFORMED;
+
+	if (proposal->isap_np != ISAKMP_NEXT_NONE)
+	{
+		loglog(RC_LOG_SERIOUS, "Proposal Payload must be alone in Oakley SA; found %s following Proposal"
+			, enum_show(&payload_names, proposal->isap_np));
+		return PAYLOAD_MALFORMED;
+	}
+
+	if (proposal->isap_protoid != PROTO_ISAKMP)
+	{
+		loglog(RC_LOG_SERIOUS, "unexpected Protocol ID (%s) found in Oakley Proposal"
+			, enum_show(&protocol_names, proposal->isap_protoid));
+		return INVALID_PROTOCOL_ID;
+	}
+
+	/* Just what should we accept for the SPI field?
+	 * The RFC is sort of contradictory.  We will ignore the SPI
+	 * as long as it is of the proper size.
+	 *
+	 * From RFC2408 2.4 Identifying Security Associations:
+	 *   During phase 1 negotiations, the initiator and responder cookies
+	 *   determine the ISAKMP SA. Therefore, the SPI field in the Proposal
+	 *   payload is redundant and MAY be set to 0 or it MAY contain the
+	 *   transmitting entity's cookie.
+	 *
+	 * From RFC2408 3.5 Proposal Payload:
+	 *    o  SPI Size (1 octet) - Length in octets of the SPI as defined by
+	 *       the Protocol-Id.  In the case of ISAKMP, the Initiator and
+	 *       Responder cookie pair from the ISAKMP Header is the ISAKMP SPI,
+	 *       therefore, the SPI Size is irrelevant and MAY be from zero (0) to
+	 *       sixteen (16).  If the SPI Size is non-zero, the content of the
+	 *       SPI field MUST be ignored.  If the SPI Size is not a multiple of
+	 *       4 octets it will have some impact on the SPI field and the
+	 *       alignment of all payloads in the message.  The Domain of
+	 *       Interpretation (DOI) will dictate the SPI Size for other
+	 *       protocols.
+	 */
+	if (proposal->isap_spisize == 0)
+	{
+		/* empty (0) SPI -- fine */
+	}
+	else if (proposal->isap_spisize <= MAX_ISAKMP_SPI_SIZE)
+	{
+		u_char junk_spi[MAX_ISAKMP_SPI_SIZE];
+
+		if (!in_raw(junk_spi, proposal->isap_spisize, proposal_pbs, "Oakley SPI"))
+			return PAYLOAD_MALFORMED;
+	}
+	else
+	{
+		loglog(RC_LOG_SERIOUS, "invalid SPI size (%u) in Oakley Proposal"
+			, (unsigned)proposal->isap_spisize);
+		return INVALID_SPI;
+	}
+	return NOTHING_WRONG;
 }
 
 static struct {
-    u_int8_t *start;
-    u_int8_t *cur;
-    u_int8_t *roof;
+	u_int8_t *start;
+	u_int8_t *cur;
+	u_int8_t *roof;
 } backup;
 
 /*
@@ -722,9 +717,9 @@ static struct {
 void
 backup_pbs(pb_stream *pbs)
 {
-    backup.start = pbs->start;
-    backup.cur   = pbs->cur;
-    backup.roof  = pbs->roof;
+	backup.start = pbs->start;
+	backup.cur   = pbs->cur;
+	backup.roof  = pbs->roof;
 }
 
 /*
@@ -733,9 +728,9 @@ backup_pbs(pb_stream *pbs)
 void
 restore_pbs(pb_stream *pbs)
 {
-    pbs->start = backup.start;
-    pbs->cur   = backup.cur;
-    pbs->roof  = backup.roof;
+	pbs->start = backup.start;
+	pbs->cur   = backup.cur;
+	pbs->roof  = backup.roof;
 }
 
 /*
@@ -743,90 +738,93 @@ restore_pbs(pb_stream *pbs)
  */
 notification_t
 parse_isakmp_policy(pb_stream *proposal_pbs
-		  , u_int notrans
-		  , lset_t *policy)
+				  , u_int notrans
+				  , lset_t *policy)
 {
-    int last_transnum = -1;
+	int last_transnum = -1;
 
-    *policy = LEMPTY;
+	*policy = LEMPTY;
 
-    while (notrans--)
-    {
-	pb_stream trans_pbs;
-	u_char *attr_start;
-	size_t attr_len;
-	struct isakmp_transform trans;
+	while (notrans--)
+	{
+		pb_stream trans_pbs;
+		u_char *attr_start;
+		size_t attr_len;
+		struct isakmp_transform trans;
 
-	if (!in_struct(&trans, &isakmp_isakmp_transform_desc, proposal_pbs, &trans_pbs))
-	    return BAD_PROPOSAL_SYNTAX;
+		if (!in_struct(&trans, &isakmp_isakmp_transform_desc, proposal_pbs, &trans_pbs))
+			return BAD_PROPOSAL_SYNTAX;
 
-	if (trans.isat_transnum <= last_transnum)
-	{
-	    /* picky, picky, picky */
-	    loglog(RC_LOG_SERIOUS, "Transform Numbers are not monotonically increasing"
-		" in Oakley Proposal");
-	    return BAD_PROPOSAL_SYNTAX;
-	}
-	last_transnum = trans.isat_transnum;
+		if (trans.isat_transnum <= last_transnum)
+		{
+			/* picky, picky, picky */
+			loglog(RC_LOG_SERIOUS, "Transform Numbers are not monotonically increasing"
+				" in Oakley Proposal");
+			return BAD_PROPOSAL_SYNTAX;
+		}
+		last_transnum = trans.isat_transnum;
 
-	if (trans.isat_transid != KEY_IKE)
-	{
-	    loglog(RC_LOG_SERIOUS, "expected KEY_IKE but found %s in Oakley Transform"
-		, enum_show(&isakmp_transformid_names, trans.isat_transid));
-	    return INVALID_TRANSFORM_ID;
-	}
+		if (trans.isat_transid != KEY_IKE)
+		{
+			loglog(RC_LOG_SERIOUS, "expected KEY_IKE but found %s in Oakley Transform"
+				, enum_show(&isakmp_transformid_names, trans.isat_transid));
+			return INVALID_TRANSFORM_ID;
+		}
 
-	attr_start = trans_pbs.cur;
-	attr_len = pbs_left(&trans_pbs);
+		attr_start = trans_pbs.cur;
+		attr_len = pbs_left(&trans_pbs);
 
-	/* preprocess authentication attributes only */
-	while (pbs_left(&trans_pbs) != 0)
-	{
-	    struct isakmp_attribute a;
-	    pb_stream attr_pbs;
+		/* preprocess authentication attributes only */
+		while (pbs_left(&trans_pbs) != 0)
+		{
+			struct isakmp_attribute a;
+			pb_stream attr_pbs;
 
-	    if (!in_struct(&a, &isakmp_oakley_attribute_desc, &trans_pbs, &attr_pbs))
-		return BAD_PROPOSAL_SYNTAX;
+			if (!in_struct(&a, &isakmp_oakley_attribute_desc, &trans_pbs, &attr_pbs))
+				return BAD_PROPOSAL_SYNTAX;
 
-	    passert((a.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK) < 32);
+			passert((a.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK) < 32);
 
-	    switch (a.isaat_af_type)
-	    {
-	    case OAKLEY_AUTHENTICATION_METHOD | ISAKMP_ATTR_AF_TV:
-		switch (a.isaat_lv)
-		{
-		case OAKLEY_PRESHARED_KEY:
-		    *policy |= POLICY_PSK;
-		    break;
-		case OAKLEY_RSA_SIG:
-		    *policy |= POLICY_RSASIG;
-		    break;
-		case XAUTHInitPreShared:
-		    *policy |= POLICY_XAUTH_SERVER;
-		    /* fall through */
-		case XAUTHRespPreShared:
-		    *policy |= POLICY_XAUTH_PSK;
-		    break;
-		case XAUTHInitRSA:
-		    *policy |= POLICY_XAUTH_SERVER;
-		    /* fall through */
-		case XAUTHRespRSA:
-		    *policy |= POLICY_XAUTH_RSASIG;
-		    break;
-		default:
-		    break;
+			switch (a.isaat_af_type)
+			{
+			case OAKLEY_AUTHENTICATION_METHOD | ISAKMP_ATTR_AF_TV:
+				switch (a.isaat_lv)
+				{
+				case OAKLEY_PRESHARED_KEY:
+					*policy |= POLICY_PSK;
+					break;
+				case OAKLEY_RSA_SIG:
+				case OAKLEY_ECDSA_256:
+				case OAKLEY_ECDSA_384:
+				case OAKLEY_ECDSA_521:
+					*policy |= POLICY_PUBKEY;
+					break;
+				case XAUTHInitPreShared:
+					*policy |= POLICY_XAUTH_SERVER;
+					/* fall through */
+				case XAUTHRespPreShared:
+					*policy |= POLICY_XAUTH_PSK;
+					break;
+				case XAUTHInitRSA:
+					*policy |= POLICY_XAUTH_SERVER;
+					/* fall through */
+				case XAUTHRespRSA:
+					*policy |= POLICY_XAUTH_RSASIG;
+					break;
+				default:
+					break;
+				}
+				break;
+			default:
+				break;
+			}
 		}
-		break;
-	    default:
-		break;
-	    }
 	}
-    }
-    DBG(DBG_CONTROL|DBG_PARSING,
-	DBG_log("preparse_isakmp_policy: peer requests %s authentication"
-		, prettypolicy(*policy))
-    )
-    return NOTHING_WRONG;
+	DBG(DBG_CONTROL|DBG_PARSING,
+		DBG_log("preparse_isakmp_policy: peer requests %s authentication"
+				, prettypolicy(*policy))
+	)
+	return NOTHING_WRONG;
 }
 
 /* 
@@ -835,22 +833,22 @@ parse_isakmp_policy(pb_stream *proposal_pbs
 static err_t
 find_preshared_key(struct state* st)
 {
-    err_t ugh = NULL;
-    struct connection *c = st->st_connection;
+	err_t ugh = NULL;
+	struct connection *c = st->st_connection;
 
-    if (get_preshared_secret(c) == NULL)
-    {
-	char my_id[BUF_LEN], his_id[BUF_LEN];
+	if (get_preshared_secret(c) == NULL)
+	{
+		char my_id[BUF_LEN], his_id[BUF_LEN];
 
-	idtoa(&c->spd.this.id, my_id, sizeof(my_id));
-	if (his_id_was_instantiated(c))
-	    strcpy(his_id, "%any");
-	else
-	    idtoa(&c->spd.that.id, his_id, sizeof(his_id));
-	ugh = builddiag("Can't authenticate: no preshared key found for `%s' and `%s'"
-			, my_id, his_id);
-    }
-    return ugh;
+		idtoa(&c->spd.this.id, my_id, sizeof(my_id));
+		if (his_id_was_instantiated(c))
+			strcpy(his_id, "%any");
+		else
+			idtoa(&c->spd.that.id, his_id, sizeof(his_id));
+		ugh = builddiag("Can't authenticate: no preshared key found for `%s' and `%s'"
+						, my_id, his_id);
+	}
+	return ugh;
 }
 
 /* Parse the body of an ISAKMP SA Payload (i.e. Phase 1 / Main Mode).
@@ -864,429 +862,432 @@ find_preshared_key(struct state* st)
  */
 notification_t
 parse_isakmp_sa_body(u_int32_t ipsecdoisit
-		   , pb_stream *proposal_pbs
-		   , struct isakmp_proposal *proposal
-		   , pb_stream *r_sa_pbs
-		   , struct state *st
-		   , bool initiator)
+				   , pb_stream *proposal_pbs
+				   , struct isakmp_proposal *proposal
+				   , pb_stream *r_sa_pbs
+				   , struct state *st
+				   , bool initiator)
 {
-    struct connection *c = st->st_connection;
-    unsigned no_trans_left;
-
-    /* for each transform payload... */
-    no_trans_left = proposal->isap_notrans;
-
-    for (;;)
-    {
-	pb_stream trans_pbs;
-	u_char *attr_start;
-	size_t attr_len;
-	struct isakmp_transform trans;
-	lset_t seen_attrs = 0;
-	lset_t seen_durations = 0;
-	u_int16_t life_type = 0;
-	struct oakley_trans_attrs ta;
-	err_t ugh = NULL;	/* set to diagnostic when problem detected */
+	struct connection *c = st->st_connection;
+	unsigned no_trans_left;
 
-	/* initialize only optional field in ta */
-	ta.life_seconds = OAKLEY_ISAKMP_SA_LIFETIME_DEFAULT;	/* When this SA expires (seconds) */
+	/* for each transform payload... */
+	no_trans_left = proposal->isap_notrans;
 
-	if (no_trans_left == 0)
+	for (;;)
 	{
-	    loglog(RC_LOG_SERIOUS, "number of Transform Payloads disagrees with Oakley Proposal Payload");
-	    return BAD_PROPOSAL_SYNTAX;
-	}
-
-	in_struct(&trans, &isakmp_isakmp_transform_desc, proposal_pbs, &trans_pbs);
-	attr_start = trans_pbs.cur;
-	attr_len = pbs_left(&trans_pbs);
-
-	/* process all the attributes that make up the transform */
+		pb_stream trans_pbs;
+		u_char *attr_start;
+		size_t attr_len;
+		struct isakmp_transform trans;
+		lset_t seen_attrs = 0;
+		lset_t seen_durations = 0;
+		u_int16_t life_type = 0;
+		struct oakley_trans_attrs ta;
+		err_t ugh = NULL;       /* set to diagnostic when problem detected */
 
-	while (pbs_left(&trans_pbs) != 0)
-	{
-	    struct isakmp_attribute a;
-	    pb_stream attr_pbs;
-	    u_int32_t val;	/* room for larger values */
+		/* initialize only optional field in ta */
+		ta.life_seconds = OAKLEY_ISAKMP_SA_LIFETIME_DEFAULT;    /* When this SA expires (seconds) */
 
-	    if (!in_struct(&a, &isakmp_oakley_attribute_desc, &trans_pbs, &attr_pbs))
-		return BAD_PROPOSAL_SYNTAX;
+		if (no_trans_left == 0)
+		{
+			loglog(RC_LOG_SERIOUS, "number of Transform Payloads disagrees with Oakley Proposal Payload");
+			return BAD_PROPOSAL_SYNTAX;
+		}
 
-	    passert((a.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK) < 32);
+		in_struct(&trans, &isakmp_isakmp_transform_desc, proposal_pbs, &trans_pbs);
+		attr_start = trans_pbs.cur;
+		attr_len = pbs_left(&trans_pbs);
 
-	    if (LHAS(seen_attrs, a.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK))
-	    {
-		loglog(RC_LOG_SERIOUS, "repeated %s attribute in Oakley Transform %u"
-		    , enum_show(&oakley_attr_names, a.isaat_af_type)
-		    , trans.isat_transnum);
-		return BAD_PROPOSAL_SYNTAX;
-	    }
+		/* process all the attributes that make up the transform */
 
-	    seen_attrs |= LELEM(a.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK);
+		while (pbs_left(&trans_pbs) != 0)
+		{
+			struct isakmp_attribute a;
+			pb_stream attr_pbs;
+			u_int32_t val;      /* room for larger values */
 
-	    val = a.isaat_lv;
+			if (!in_struct(&a, &isakmp_oakley_attribute_desc, &trans_pbs, &attr_pbs))
+				return BAD_PROPOSAL_SYNTAX;
 
-	    DBG(DBG_PARSING,
-	    {
-		enum_names *vdesc = oakley_attr_val_descs
-		    [a.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK];
+			passert((a.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK) < 32);
 
-		if (vdesc != NULL)
-		{
-		    const char *nm = enum_name(vdesc, val);
+			if (LHAS(seen_attrs, a.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK))
+			{
+				loglog(RC_LOG_SERIOUS, "repeated %s attribute in Oakley Transform %u"
+					, enum_show(&oakley_attr_names, a.isaat_af_type)
+					, trans.isat_transnum);
+				return BAD_PROPOSAL_SYNTAX;
+			}
 
-		    if (nm != NULL)
-			DBG_log("   [%u is %s]", (unsigned)val, nm);
-		}
-	    });
+			seen_attrs |= LELEM(a.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK);
 
-	    switch (a.isaat_af_type)
-	    {
-	    case OAKLEY_ENCRYPTION_ALGORITHM | ISAKMP_ATTR_AF_TV:
-		if (ike_alg_enc_present(val))
-		{
-		    ta.encrypt = val;
-		    ta.encrypter = ike_alg_get_encrypter(val);
-		    ta.enckeylen = ta.encrypter->keydeflen;
-		}
-		else
-		{
-		    ugh = builddiag("%s is not supported"
-			    , enum_show(&oakley_enc_names, val));
-		}
-		break;
+			val = a.isaat_lv;
 
-	    case OAKLEY_HASH_ALGORITHM | ISAKMP_ATTR_AF_TV:
-		if (ike_alg_hash_present(val))
-		{
-		    ta.hash = val;
-		    ta.hasher = ike_alg_get_hasher(val);
-		}
-		else
-		{
-		    ugh = builddiag("%s is not supported"
-			    , enum_show(&oakley_hash_names, val));
-		}
-		break;
+			DBG(DBG_PARSING,
+			{
+				enum_names *vdesc = oakley_attr_val_descs
+					[a.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK];
 
-	    case OAKLEY_AUTHENTICATION_METHOD | ISAKMP_ATTR_AF_TV:
-		{
-		    /* check that authentication method is acceptable */
-		    lset_t iap = st->st_policy & POLICY_ID_AUTH_MASK;
+				if (vdesc != NULL)
+				{
+					const char *nm = enum_name(vdesc, val);
 
-		    /* is the initiator the XAUTH client? */
-		    bool xauth_init = ( initiator && (st->st_policy & POLICY_XAUTH_SERVER) == LEMPTY)
-				   || (!initiator && (st->st_policy & POLICY_XAUTH_SERVER) != LEMPTY);
+					if (nm != NULL)
+						DBG_log("   [%u is %s]", (unsigned)val, nm);
+				}
+			});
 
-		    switch (val)
-		    {
-		    case OAKLEY_PRESHARED_KEY:
-			if ((iap & POLICY_PSK) == LEMPTY)
-			{
-			    ugh = "policy does not allow OAKLEY_PRESHARED_KEY authentication";
-			}
-			else
-			{
-			    ugh = find_preshared_key(st);
-			    ta.auth = OAKLEY_PRESHARED_KEY;
-			}
-			break;
-		    case XAUTHInitPreShared:
-			if ((iap & POLICY_XAUTH_PSK) == LEMPTY || !xauth_init)
-			{
-			    ugh = "policy does not allow XAUTHInitPreShared authentication";
-			}
-			else
-			{
-			    ugh = find_preshared_key(st);
-			    ta.auth = XAUTHInitPreShared;
-			}
-			break;
-		    case XAUTHRespPreShared:
-			if ((iap & POLICY_XAUTH_PSK) == LEMPTY || xauth_init)
-			{
-			    ugh = "policy does not allow XAUTHRespPreShared authentication";
-			}
-			else
-			{
-			    ugh = find_preshared_key(st);
-			    ta.auth = XAUTHRespPreShared;
-			}
-			break;
-		    case OAKLEY_RSA_SIG:
-			/* Accept if policy specifies RSASIG or is default */
-			if ((iap & POLICY_RSASIG) == LEMPTY)
-			{
-			    ugh = "policy does not allow OAKLEY_RSA_SIG authentication";
-			}
-			else
-			{
-			    ta.auth = OAKLEY_RSA_SIG;
-			}
-			break;
-		    case XAUTHInitRSA:
-			if ((iap & POLICY_XAUTH_RSASIG) == LEMPTY || !xauth_init)
+			switch (a.isaat_af_type)
 			{
-			    ugh = "policy does not allow XAUTHInitRSA authentication";
-			}
-			else
-			{
-			    ta.auth = XAUTHInitRSA;
-			}
-			break;
-		    case XAUTHRespRSA:
-			if ((iap & POLICY_XAUTH_RSASIG) == LEMPTY || xauth_init)
-			{
-			    ugh = "policy does not allow XAUTHRespRSA authentication";
+			case OAKLEY_ENCRYPTION_ALGORITHM | ISAKMP_ATTR_AF_TV:
+				if (ike_alg_get_crypter(val))
+				{
+					ta.encrypt = val;
+					ta.encrypter = ike_alg_get_crypter(val);
+					ta.enckeylen = ta.encrypter->keydeflen;
+				}
+				else
+				{
+					ugh = builddiag("%s is not supported"
+							, enum_show(&oakley_enc_names, val));
+				}
+				break;
+
+			case OAKLEY_HASH_ALGORITHM | ISAKMP_ATTR_AF_TV:
+				if (ike_alg_get_hasher(val))
+				{
+					ta.hash = val;
+					ta.hasher = ike_alg_get_hasher(val);
+				}
+				else
+				{
+					ugh = builddiag("%s is not supported"
+							, enum_show(&oakley_hash_names, val));
+				}
+				break;
+
+			case OAKLEY_AUTHENTICATION_METHOD | ISAKMP_ATTR_AF_TV:
+				{
+					/* check that authentication method is acceptable */
+					lset_t iap = st->st_policy & POLICY_ID_AUTH_MASK;
+
+					/* is the initiator the XAUTH client? */
+					bool xauth_init = ( initiator && (st->st_policy & POLICY_XAUTH_SERVER) == LEMPTY)
+								   || (!initiator && (st->st_policy & POLICY_XAUTH_SERVER) != LEMPTY);
+
+					switch (val)
+					{
+					case OAKLEY_PRESHARED_KEY:
+						if ((iap & POLICY_PSK) == LEMPTY)
+						{
+							ugh = "policy does not allow pre-shared key authentication";
+						}
+						else
+						{
+							ugh = find_preshared_key(st);
+							ta.auth = OAKLEY_PRESHARED_KEY;
+						}
+						break;
+					case XAUTHInitPreShared:
+						if ((iap & POLICY_XAUTH_PSK) == LEMPTY || !xauth_init)
+						{
+							ugh = "policy does not allow XAUTHInitPreShared authentication";
+						}
+						else
+						{
+							ugh = find_preshared_key(st);
+							ta.auth = XAUTHInitPreShared;
+						}
+						break;
+					case XAUTHRespPreShared:
+						if ((iap & POLICY_XAUTH_PSK) == LEMPTY || xauth_init)
+						{
+							ugh = "policy does not allow XAUTHRespPreShared authentication";
+						}
+						else
+						{
+							ugh = find_preshared_key(st);
+							ta.auth = XAUTHRespPreShared;
+						}
+						break;
+					case OAKLEY_RSA_SIG:
+					case OAKLEY_ECDSA_256:
+					case OAKLEY_ECDSA_384:
+					case OAKLEY_ECDSA_521:
+						if ((iap & POLICY_PUBKEY) == LEMPTY)
+						{
+							ugh = "policy does not allow public key authentication";
+						}
+						else
+						{
+							ta.auth = val;
+						}
+						break;
+					case XAUTHInitRSA:
+						if ((iap & POLICY_XAUTH_RSASIG) == LEMPTY || !xauth_init)
+						{
+							ugh = "policy does not allow XAUTHInitRSA authentication";
+						}
+						else
+						{
+							ta.auth = XAUTHInitRSA;
+						}
+						break;
+					case XAUTHRespRSA:
+						if ((iap & POLICY_XAUTH_RSASIG) == LEMPTY || xauth_init)
+						{
+							ugh = "policy does not allow XAUTHRespRSA authentication";
+						}
+						else
+						{
+							ta.auth = XAUTHRespRSA;
+						}
+						break;
+					default:
+						ugh = builddiag("Pluto does not support %s authentication"
+							, enum_show(&oakley_auth_names, val));
+						break;
+					}
+				}
+				break;
+
+			case OAKLEY_GROUP_DESCRIPTION | ISAKMP_ATTR_AF_TV:
+				ta.group = ike_alg_get_dh_group(val);
+				if (ta.group == NULL)
+				{
+					ugh = builddiag("%s is not supported"
+							, enum_show(&oakley_group_names, val));
+				}
+				break;
+
+			case OAKLEY_LIFE_TYPE | ISAKMP_ATTR_AF_TV:
+				switch (val)
+				{
+				case OAKLEY_LIFE_SECONDS:
+				case OAKLEY_LIFE_KILOBYTES:
+					if (LHAS(seen_durations, val))
+					{
+						loglog(RC_LOG_SERIOUS
+								, "attribute OAKLEY_LIFE_TYPE value %s repeated"
+								, enum_show(&oakley_lifetime_names, val));
+						return BAD_PROPOSAL_SYNTAX;
+					}
+					seen_durations |= LELEM(val);
+					life_type = val;
+					break;
+				default:
+					ugh = builddiag("unknown value %s"
+							, enum_show(&oakley_lifetime_names, val));
+					break;
+				}
+				break;
+
+			case OAKLEY_LIFE_DURATION | ISAKMP_ATTR_AF_TLV:
+				val = decode_long_duration(&attr_pbs);
+				/* fall through */
+			case OAKLEY_LIFE_DURATION | ISAKMP_ATTR_AF_TV:
+				if (!LHAS(seen_attrs, OAKLEY_LIFE_TYPE))
+				{
+					ugh = "OAKLEY_LIFE_DURATION attribute not preceded by OAKLEY_LIFE_TYPE attribute";
+					break;
+				}
+				seen_attrs &= ~(LELEM(OAKLEY_LIFE_DURATION) | LELEM(OAKLEY_LIFE_TYPE));
+
+				switch (life_type)
+				{
+				case OAKLEY_LIFE_SECONDS:
+					if (val > OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM)
+					{
+#ifdef CISCO_QUIRKS
+						plog("peer requested %lu seconds"
+										" which exceeds our limit %d seconds"
+										, (long) val
+										, OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM);
+						plog("lifetime reduced to %d seconds "
+										"(todo: IPSEC_RESPONDER_LIFETIME notification)"
+										, OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM);
+						val = OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM;
+#else
+						ugh = builddiag("peer requested %lu seconds"
+										" which exceeds our limit %d seconds"
+										, (long) val
+										, OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM);
+#endif
+					}   
+					ta.life_seconds = val;
+					break;
+				case OAKLEY_LIFE_KILOBYTES:
+					ta.life_kilobytes = val;
+					break;
+				default:
+					bad_case(life_type);
+				}
+				break;
+
+			case OAKLEY_KEY_LENGTH | ISAKMP_ATTR_AF_TV:
+				if ((seen_attrs & LELEM(OAKLEY_ENCRYPTION_ALGORITHM)) == 0)
+				{
+					ugh = "OAKLEY_KEY_LENGTH attribute not preceded by "
+						  "OAKLEY_ENCRYPTION_ALGORITHM attribute";
+					break;
+				}
+				if (ta.encrypter == NULL)
+				{
+					ugh = "NULL encrypter with seen OAKLEY_ENCRYPTION_ALGORITHM";
+					break;
+				}
+				/*
+				 * check if this keylen is compatible with specified algorithm
+				 */
+				if (val
+				&& (val < ta.encrypter->keyminlen || val > ta.encrypter->keymaxlen))
+				{
+					ugh = "peer proposed key length not valid for "
+						  "encryption algorithm specified";
+				}
+				ta.enckeylen = val;
+				break;
+#if 0 /* not yet supported */
+			case OAKLEY_GROUP_TYPE | ISAKMP_ATTR_AF_TV:
+			case OAKLEY_PRF | ISAKMP_ATTR_AF_TV:
+			case OAKLEY_FIELD_SIZE | ISAKMP_ATTR_AF_TV:
+
+			case OAKLEY_GROUP_PRIME | ISAKMP_ATTR_AF_TV:
+			case OAKLEY_GROUP_PRIME | ISAKMP_ATTR_AF_TLV:
+			case OAKLEY_GROUP_GENERATOR_ONE | ISAKMP_ATTR_AF_TV:
+			case OAKLEY_GROUP_GENERATOR_ONE | ISAKMP_ATTR_AF_TLV:
+			case OAKLEY_GROUP_GENERATOR_TWO | ISAKMP_ATTR_AF_TV:
+			case OAKLEY_GROUP_GENERATOR_TWO | ISAKMP_ATTR_AF_TLV:
+			case OAKLEY_GROUP_CURVE_A | ISAKMP_ATTR_AF_TV:
+			case OAKLEY_GROUP_CURVE_A | ISAKMP_ATTR_AF_TLV:
+			case OAKLEY_GROUP_CURVE_B | ISAKMP_ATTR_AF_TV:
+			case OAKLEY_GROUP_CURVE_B | ISAKMP_ATTR_AF_TLV:
+			case OAKLEY_GROUP_ORDER | ISAKMP_ATTR_AF_TV:
+			case OAKLEY_GROUP_ORDER | ISAKMP_ATTR_AF_TLV:
+#endif
+			default:
+				/* fix compiler warning */
+				memset(&ta, 0, sizeof(ta));
+				ugh = "unsupported OAKLEY attribute";
+				break;
 			}
-			else
+
+			if (ugh != NULL)
 			{
-			    ta.auth = XAUTHRespRSA;
+				loglog(RC_LOG_SERIOUS, "%s.  Attribute %s"
+					, ugh, enum_show(&oakley_attr_names, a.isaat_af_type));
+				break;
 			}
-			break;
-		    default:
-			ugh = builddiag("Pluto does not support %s authentication"
-			    , enum_show(&oakley_auth_names, val));
-			break;
-		    }
 		}
-		break;
 
-	    case OAKLEY_GROUP_DESCRIPTION | ISAKMP_ATTR_AF_TV:
-		ta.group = lookup_group(val);
-		if (ta.group == NULL)
+		/*
+		 * ML: at last check for allowed transforms in alg_info_ike
+		 *     (ALG_INFO_F_STRICT flag)
+		 */
+		if (ugh == NULL)
 		{
-		    ugh = "only OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported";
+			if (!ike_alg_ok_final(ta.encrypt, ta.enckeylen, ta.hash,
+				ta.group ? ta.group->algo_id : -1, c->alg_info_ike))
+			{
+				ugh = "OAKLEY proposal refused";
+			}
 		}
-		break;
 
-	    case OAKLEY_LIFE_TYPE | ISAKMP_ATTR_AF_TV:
-		switch (val)
+		if (ugh == NULL)
 		{
-		case OAKLEY_LIFE_SECONDS:
-		case OAKLEY_LIFE_KILOBYTES:
-		    if (LHAS(seen_durations, val))
-		    {
-			loglog(RC_LOG_SERIOUS
-				, "attribute OAKLEY_LIFE_TYPE value %s repeated"
-				, enum_show(&oakley_lifetime_names, val));
-			return BAD_PROPOSAL_SYNTAX;
-		    }
-		    seen_durations |= LELEM(val);
-		    life_type = val;
-		    break;
-		default:
-		    ugh = builddiag("unknown value %s"
-			    , enum_show(&oakley_lifetime_names, val));
-		    break;
-		}
-		break;
+			/* a little more checking is in order */
+			{
+				lset_t missing
+					= ~seen_attrs
+					& (LELEM(OAKLEY_ENCRYPTION_ALGORITHM)
+					  | LELEM(OAKLEY_HASH_ALGORITHM)
+					  | LELEM(OAKLEY_AUTHENTICATION_METHOD)
+					  | LELEM(OAKLEY_GROUP_DESCRIPTION));
+
+				if (missing)
+				{
+					loglog(RC_LOG_SERIOUS, "missing mandatory attribute(s) %s in Oakley Transform %u"
+						, bitnamesof(oakley_attr_bit_names, missing)
+						, trans.isat_transnum);
+					return BAD_PROPOSAL_SYNTAX;
+				}
+			}
+			/* We must have liked this transform.
+			 * Lets finish early and leave.
+			 */
 
-	    case OAKLEY_LIFE_DURATION | ISAKMP_ATTR_AF_TLV:
-		val = decode_long_duration(&attr_pbs);
-		/* fall through */
-	    case OAKLEY_LIFE_DURATION | ISAKMP_ATTR_AF_TV:
-		if (!LHAS(seen_attrs, OAKLEY_LIFE_TYPE))
-		{
-		    ugh = "OAKLEY_LIFE_DURATION attribute not preceded by OAKLEY_LIFE_TYPE attribute";
-		    break;
-		}
-		seen_attrs &= ~(LELEM(OAKLEY_LIFE_DURATION) | LELEM(OAKLEY_LIFE_TYPE));
+			DBG(DBG_PARSING | DBG_CRYPT
+				, DBG_log("Oakley Transform %u accepted", trans.isat_transnum));
 
-		switch (life_type)
-		{
-		case OAKLEY_LIFE_SECONDS:
-		    if (val > OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM)
-		    {
-#ifdef CISCO_QUIRKS
-			plog("peer requested %lu seconds"
-					" which exceeds our limit %d seconds"
-					, (long) val
-					, OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM);
-			plog("lifetime reduced to %d seconds "
-                             		"(todo: IPSEC_RESPONDER_LIFETIME notification)"
-					, OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM);
-			val = OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM;
-#else
-			ugh = builddiag("peer requested %lu seconds"
-					" which exceeds our limit %d seconds"
-					, (long) val
-					, OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM);
-#endif
-		    }	
-		    ta.life_seconds = val;
-		    break;
-		case OAKLEY_LIFE_KILOBYTES:
-		    ta.life_kilobytes = val;
-		    break;
-		default:
-		    bad_case(life_type);
-		}
-		break;
-
-	    case OAKLEY_KEY_LENGTH | ISAKMP_ATTR_AF_TV:
-		if ((seen_attrs & LELEM(OAKLEY_ENCRYPTION_ALGORITHM)) == 0)
-		{
-		    ugh = "OAKLEY_KEY_LENGTH attribute not preceded by "
-			  "OAKLEY_ENCRYPTION_ALGORITHM attribute";
-		    break;
-		}
-		if (ta.encrypter == NULL)
-		{
-		    ugh = "NULL encrypter with seen OAKLEY_ENCRYPTION_ALGORITHM";
-		    break;
-		}
-		/*
-		 * check if this keylen is compatible with specified algorithm
-		 */
-		if (val
-		&& (val < ta.encrypter->keyminlen || val > ta.encrypter->keymaxlen))
-		{
-		    ugh = "peer proposed key length not valid for "
-			  "encryption algorithm specified";
-		}
-		ta.enckeylen = val;
-		break;
-#if 0 /* not yet supported */
-	    case OAKLEY_GROUP_TYPE | ISAKMP_ATTR_AF_TV:
-	    case OAKLEY_PRF | ISAKMP_ATTR_AF_TV:
-	    case OAKLEY_FIELD_SIZE | ISAKMP_ATTR_AF_TV:
-
-	    case OAKLEY_GROUP_PRIME | ISAKMP_ATTR_AF_TV:
-	    case OAKLEY_GROUP_PRIME | ISAKMP_ATTR_AF_TLV:
-	    case OAKLEY_GROUP_GENERATOR_ONE | ISAKMP_ATTR_AF_TV:
-	    case OAKLEY_GROUP_GENERATOR_ONE | ISAKMP_ATTR_AF_TLV:
-	    case OAKLEY_GROUP_GENERATOR_TWO | ISAKMP_ATTR_AF_TV:
-	    case OAKLEY_GROUP_GENERATOR_TWO | ISAKMP_ATTR_AF_TLV:
-	    case OAKLEY_GROUP_CURVE_A | ISAKMP_ATTR_AF_TV:
-	    case OAKLEY_GROUP_CURVE_A | ISAKMP_ATTR_AF_TLV:
-	    case OAKLEY_GROUP_CURVE_B | ISAKMP_ATTR_AF_TV:
-	    case OAKLEY_GROUP_CURVE_B | ISAKMP_ATTR_AF_TLV:
-	    case OAKLEY_GROUP_ORDER | ISAKMP_ATTR_AF_TV:
-	    case OAKLEY_GROUP_ORDER | ISAKMP_ATTR_AF_TLV:
-#endif
-	    default:
-		/* fix compiler warning */
-		memset(&ta, 0, sizeof(ta));
-		ugh = "unsupported OAKLEY attribute";
-		break;
-	    }
-
-	    if (ugh != NULL)
-	    {
-		loglog(RC_LOG_SERIOUS, "%s.  Attribute %s"
-		    , ugh, enum_show(&oakley_attr_names, a.isaat_af_type));
-		break;
-	    }
-	}
+			if (r_sa_pbs != NULL)
+			{
+				struct isakmp_proposal r_proposal = *proposal;
+				pb_stream r_proposal_pbs;
+				struct isakmp_transform r_trans = trans;
+				pb_stream r_trans_pbs;
 
-	/*
-	 * ML: at last check for allowed transforms in alg_info_ike
-	 *     (ALG_INFO_F_STRICT flag)
-	 */
-	if (ugh == NULL)
-	{
-	    if (!ike_alg_ok_final(ta.encrypt, ta.enckeylen, ta.hash,
-		ta.group ? ta.group->group : -1, c->alg_info_ike))
-	    {
-		ugh = "OAKLEY proposal refused";
-	    }
-	}
+				/* Situation */
+				if (!out_struct(&ipsecdoisit, &ipsec_sit_desc, r_sa_pbs, NULL))
+					impossible();
 
-	if (ugh == NULL)
-	{
-	    /* a little more checking is in order */
-	    {
-		lset_t missing
-		    = ~seen_attrs
-		    & (LELEM(OAKLEY_ENCRYPTION_ALGORITHM)
-		      | LELEM(OAKLEY_HASH_ALGORITHM)
-		      | LELEM(OAKLEY_AUTHENTICATION_METHOD)
-		      | LELEM(OAKLEY_GROUP_DESCRIPTION));
-
-		if (missing)
-		{
-		    loglog(RC_LOG_SERIOUS, "missing mandatory attribute(s) %s in Oakley Transform %u"
-			, bitnamesof(oakley_attr_bit_names, missing)
-			, trans.isat_transnum);
-		    return BAD_PROPOSAL_SYNTAX;
-		}
-	    }
-	    /* We must have liked this transform.
-	     * Lets finish early and leave.
-	     */
-
-	    DBG(DBG_PARSING | DBG_CRYPT
-		, DBG_log("Oakley Transform %u accepted", trans.isat_transnum));
-
-	    if (r_sa_pbs != NULL)
-	    {
-		struct isakmp_proposal r_proposal = *proposal;
-		pb_stream r_proposal_pbs;
-		struct isakmp_transform r_trans = trans;
-		pb_stream r_trans_pbs;
-
-		/* Situation */
-		if (!out_struct(&ipsecdoisit, &ipsec_sit_desc, r_sa_pbs, NULL))
-		    impossible();
-
-		/* Proposal */
+				/* Proposal */
 #ifdef EMIT_ISAKMP_SPI
-		r_proposal.isap_spisize = COOKIE_SIZE;
+				r_proposal.isap_spisize = COOKIE_SIZE;
 #else
-		r_proposal.isap_spisize = 0;
+				r_proposal.isap_spisize = 0;
 #endif
-		r_proposal.isap_notrans = 1;
-		if (!out_struct(&r_proposal, &isakmp_proposal_desc, r_sa_pbs, &r_proposal_pbs))
-		    impossible();
+				r_proposal.isap_notrans = 1;
+				if (!out_struct(&r_proposal, &isakmp_proposal_desc, r_sa_pbs, &r_proposal_pbs))
+					impossible();
 
-		/* SPI */
+				/* SPI */
 #ifdef EMIT_ISAKMP_SPI
-		if (!out_raw(my_cookie, COOKIE_SIZE, &r_proposal_pbs, "SPI"))
-		    impossible();
-		r_proposal.isap_spisize = COOKIE_SIZE;
+				if (!out_raw(my_cookie, COOKIE_SIZE, &r_proposal_pbs, "SPI"))
+					impossible();
+				r_proposal.isap_spisize = COOKIE_SIZE;
 #else
-		/* none (0) */
+				/* none (0) */
 #endif
 
-		/* Transform */
-		r_trans.isat_np = ISAKMP_NEXT_NONE;
-		if (!out_struct(&r_trans, &isakmp_isakmp_transform_desc, &r_proposal_pbs, &r_trans_pbs))
-		    impossible();
-
-		if (!out_raw(attr_start, attr_len, &r_trans_pbs, "attributes"))
-		    impossible();
-		close_output_pbs(&r_trans_pbs);
-		close_output_pbs(&r_proposal_pbs);
-		close_output_pbs(r_sa_pbs);
-	    }
-
-	    /* copy over the results */
-	    st->st_oakley = ta;
-	    return NOTHING_WRONG;
-	}
+				/* Transform */
+				r_trans.isat_np = ISAKMP_NEXT_NONE;
+				if (!out_struct(&r_trans, &isakmp_isakmp_transform_desc, &r_proposal_pbs, &r_trans_pbs))
+					impossible();
 
-	/* on to next transform */
-	no_trans_left--;
+				if (!out_raw(attr_start, attr_len, &r_trans_pbs, "attributes"))
+					impossible();
+				close_output_pbs(&r_trans_pbs);
+				close_output_pbs(&r_proposal_pbs);
+				close_output_pbs(r_sa_pbs);
+			}
 
-	if (trans.isat_np == ISAKMP_NEXT_NONE)
-	{
-	    if (no_trans_left != 0)
-	    {
-		loglog(RC_LOG_SERIOUS, "number of Transform Payloads disagrees with Oakley Proposal Payload");
-		return BAD_PROPOSAL_SYNTAX;
-	    }
-	    break;
-	}
-	if (trans.isat_np != ISAKMP_NEXT_T)
-	{
-	    loglog(RC_LOG_SERIOUS, "unexpected %s payload in Oakley Proposal"
-		, enum_show(&payload_names, proposal->isap_np));
-	    return BAD_PROPOSAL_SYNTAX;
+			/* copy over the results */
+			st->st_oakley = ta;
+			return NOTHING_WRONG;
+		}
+
+		/* on to next transform */
+		no_trans_left--;
+
+		if (trans.isat_np == ISAKMP_NEXT_NONE)
+		{
+			if (no_trans_left != 0)
+			{
+				loglog(RC_LOG_SERIOUS, "number of Transform Payloads disagrees with Oakley Proposal Payload");
+				return BAD_PROPOSAL_SYNTAX;
+			}
+			break;
+		}
+		if (trans.isat_np != ISAKMP_NEXT_T)
+		{
+			loglog(RC_LOG_SERIOUS, "unexpected %s payload in Oakley Proposal"
+				, enum_show(&payload_names, proposal->isap_np));
+			return BAD_PROPOSAL_SYNTAX;
+		}
 	}
-    }
-    loglog(RC_LOG_SERIOUS, "no acceptable Oakley Transform");
-    return NO_PROPOSAL_CHOSEN;
+	loglog(RC_LOG_SERIOUS, "no acceptable Oakley Transform");
+	return NO_PROPOSAL_CHOSEN;
 }
 
 /* Parse the body of an IPsec SA Payload (i.e. Phase 2 / Quick Mode).
@@ -1315,14 +1316,14 @@ parse_isakmp_sa_body(u_int32_t ipsecdoisit
  */
 
 static const struct ipsec_trans_attrs null_ipsec_trans_attrs = {
-    0,					/* transid (NULL, for now) */
-    0,					/* spi */
-    SA_LIFE_DURATION_DEFAULT,		/* life_seconds */
-    SA_LIFE_DURATION_K_DEFAULT,		/* life_kilobytes */
-    ENCAPSULATION_MODE_UNSPECIFIED,	/* encapsulation */
-    AUTH_ALGORITHM_NONE,		/* auth */
-    0,					/* key_len */
-    0,					/* key_rounds */
+	0,                                  /* transid (NULL, for now) */
+	0,                                  /* spi */
+	SA_LIFE_DURATION_DEFAULT,           /* life_seconds */
+	SA_LIFE_DURATION_K_DEFAULT,         /* life_kilobytes */
+	ENCAPSULATION_MODE_UNSPECIFIED,     /* encapsulation */
+	AUTH_ALGORITHM_NONE,                /* auth */
+	0,                                  /* key_len */
+	0,                                  /* key_rounds */
 };
 
 static bool
@@ -1331,988 +1332,988 @@ parse_ipsec_transform(struct isakmp_transform *trans
 , pb_stream *prop_pbs
 , pb_stream *trans_pbs
 , struct_desc *trans_desc
-, int previous_transnum	/* or -1 if none */
+, int previous_transnum /* or -1 if none */
 , bool selection
 , bool is_last
 , bool is_ipcomp
-, struct state *st)	/* current state object */
+, struct state *st)     /* current state object */
 {
-    lset_t seen_attrs = 0;
-    lset_t seen_durations = 0;
-    u_int16_t life_type = 0;
-    const struct oakley_group_desc *pfs_group = NULL;
-
-    if (!in_struct(trans, trans_desc, prop_pbs, trans_pbs))
-	return FALSE;
-
-    if (trans->isat_transnum <= previous_transnum)
-    {
-	loglog(RC_LOG_SERIOUS, "Transform Numbers in Proposal are not monotonically increasing");
-	return FALSE;
-    }
-
-    switch (trans->isat_np)
-    {
-	case ISAKMP_NEXT_T:
-	    if (is_last)
-	    {
-		loglog(RC_LOG_SERIOUS, "Proposal Payload has more Transforms than specified");
-		return FALSE;
-	    }
-	    break;
-	case ISAKMP_NEXT_NONE:
-	    if (!is_last)
-	    {
-		loglog(RC_LOG_SERIOUS, "Proposal Payload has fewer Transforms than specified");
-		return FALSE;
-	    }
-	    break;
-	default:
-	    loglog(RC_LOG_SERIOUS, "expecting Transform Payload, but found %s in Proposal"
-		, enum_show(&payload_names, trans->isat_np));
-	    return FALSE;
-    }
-
-    *attrs = null_ipsec_trans_attrs;
-    attrs->transid = trans->isat_transid;
-
-    while (pbs_left(trans_pbs) != 0)
-    {
-	struct isakmp_attribute a;
-	pb_stream attr_pbs;
-	enum_names *vdesc;
-	u_int32_t val;	/* room for larger value */
-	bool ipcomp_inappropriate = is_ipcomp;	/* will get reset if OK */
-
-	if (!in_struct(&a, &isakmp_ipsec_attribute_desc, trans_pbs, &attr_pbs))
-	    return FALSE;
-
-	passert((a.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK) < 32);
-
-	if (LHAS(seen_attrs, a.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK))
-	{
-	    loglog(RC_LOG_SERIOUS, "repeated %s attribute in IPsec Transform %u"
-		, enum_show(&ipsec_attr_names, a.isaat_af_type)
-		, trans->isat_transnum);
-	    return FALSE;
-	}
-
-	seen_attrs |= LELEM(a.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK);
+	lset_t seen_attrs = 0;
+	lset_t seen_durations = 0;
+	u_int16_t life_type = 0;
+	const struct dh_desc *pfs_group = NULL;
 
-	val = a.isaat_lv;
+	if (!in_struct(trans, trans_desc, prop_pbs, trans_pbs))
+		return FALSE;
 
-	vdesc  = ipsec_attr_val_descs[a.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK];
-	if (vdesc != NULL)
+	if (trans->isat_transnum <= previous_transnum)
 	{
-	    if (enum_name(vdesc, val) == NULL)
-	    {
-		loglog(RC_LOG_SERIOUS, "invalid value %u for attribute %s in IPsec Transform"
-		    , (unsigned)val, enum_show(&ipsec_attr_names, a.isaat_af_type));
+		loglog(RC_LOG_SERIOUS, "Transform Numbers in Proposal are not monotonically increasing");
 		return FALSE;
-	    }
-	    DBG(DBG_PARSING
-		, if ((a.isaat_af_type & ISAKMP_ATTR_AF_MASK) == ISAKMP_ATTR_AF_TV)
-		    DBG_log("   [%u is %s]"
-			, (unsigned)val, enum_show(vdesc, val)));
 	}
 
-	switch (a.isaat_af_type)
+	switch (trans->isat_np)
 	{
-	    case SA_LIFE_TYPE | ISAKMP_ATTR_AF_TV:
-		ipcomp_inappropriate = FALSE;
-		if (LHAS(seen_durations, val))
-		{
-		    loglog(RC_LOG_SERIOUS, "attribute SA_LIFE_TYPE value %s repeated in message"
-			, enum_show(&sa_lifetime_names, val));
-		    return FALSE;
-		}
-		seen_durations |= LELEM(val);
-		life_type = val;
-		break;
-	    case SA_LIFE_DURATION | ISAKMP_ATTR_AF_TLV:
-		val = decode_long_duration(&attr_pbs);
-		/* fall through */
-	    case SA_LIFE_DURATION | ISAKMP_ATTR_AF_TV:
-		ipcomp_inappropriate = FALSE;
-		if (!LHAS(seen_attrs, SA_LIFE_DURATION))
-		{
-		    loglog(RC_LOG_SERIOUS, "SA_LIFE_DURATION IPsec attribute not preceded by SA_LIFE_TYPE attribute");
-		    return FALSE;
-		}
-		seen_attrs &= ~(LELEM(SA_LIFE_DURATION) | LELEM(SA_LIFE_TYPE));
-
-		switch (life_type)
-		{
-		    case SA_LIFE_TYPE_SECONDS:
-			/* silently limit duration to our maximum */
-			attrs->life_seconds = val <= SA_LIFE_DURATION_MAXIMUM
-			    ? val : SA_LIFE_DURATION_MAXIMUM;
+		case ISAKMP_NEXT_T:
+			if (is_last)
+			{
+				loglog(RC_LOG_SERIOUS, "Proposal Payload has more Transforms than specified");
+				return FALSE;
+			}
 			break;
-		    case SA_LIFE_TYPE_KBYTES:
-			attrs->life_kilobytes = val;
+		case ISAKMP_NEXT_NONE:
+			if (!is_last)
+			{
+				loglog(RC_LOG_SERIOUS, "Proposal Payload has fewer Transforms than specified");
+				return FALSE;
+			}
 			break;
-		    default:
-			bad_case(life_type);
-		}
-		break;
-	    case GROUP_DESCRIPTION | ISAKMP_ATTR_AF_TV:
-		if (is_ipcomp)
+		default:
+			loglog(RC_LOG_SERIOUS, "expecting Transform Payload, but found %s in Proposal"
+				, enum_show(&payload_names, trans->isat_np));
+			return FALSE;
+	}
+
+	*attrs = null_ipsec_trans_attrs;
+	attrs->transid = trans->isat_transid;
+
+	while (pbs_left(trans_pbs) != 0)
+	{
+		struct isakmp_attribute a;
+		pb_stream attr_pbs;
+		enum_names *vdesc;
+		u_int32_t val;  /* room for larger value */
+		bool ipcomp_inappropriate = is_ipcomp;  /* will get reset if OK */
+
+		if (!in_struct(&a, &isakmp_ipsec_attribute_desc, trans_pbs, &attr_pbs))
+			return FALSE;
+
+		passert((a.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK) < 32);
+
+		if (LHAS(seen_attrs, a.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK))
 		{
-		    /* Accept reluctantly.  Should not happen, according to
-		     * draft-shacham-ippcp-rfc2393bis-05.txt 4.1.
-		     */
-		    ipcomp_inappropriate = FALSE;
-		    loglog(RC_COMMENT
-			, "IPCA (IPcomp SA) contains GROUP_DESCRIPTION."
-			"  Ignoring inapproprate attribute.");
+			loglog(RC_LOG_SERIOUS, "repeated %s attribute in IPsec Transform %u"
+				, enum_show(&ipsec_attr_names, a.isaat_af_type)
+				, trans->isat_transnum);
+			return FALSE;
 		}
-		pfs_group = lookup_group(val);
-		if (pfs_group == NULL)
+
+		seen_attrs |= LELEM(a.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK);
+
+		val = a.isaat_lv;
+
+		vdesc  = ipsec_attr_val_descs[a.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK];
+		if (vdesc != NULL)
 		{
-		    loglog(RC_LOG_SERIOUS, "only OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported for PFS");
-		    return FALSE;
+			if (enum_name(vdesc, val) == NULL)
+			{
+				loglog(RC_LOG_SERIOUS, "invalid value %u for attribute %s in IPsec Transform"
+					, (unsigned)val, enum_show(&ipsec_attr_names, a.isaat_af_type));
+				return FALSE;
+			}
+			DBG(DBG_PARSING
+				, if ((a.isaat_af_type & ISAKMP_ATTR_AF_MASK) == ISAKMP_ATTR_AF_TV)
+					DBG_log("   [%u is %s]"
+						, (unsigned)val, enum_show(vdesc, val)));
 		}
-		break;
-	    case ENCAPSULATION_MODE | ISAKMP_ATTR_AF_TV:
-		ipcomp_inappropriate = FALSE;
-		switch (val)
+
+		switch (a.isaat_af_type)
 		{
-		case ENCAPSULATION_MODE_TUNNEL:
-		case ENCAPSULATION_MODE_TRANSPORT:
-		    if (st->nat_traversal & NAT_T_DETECTED)
-		    {
-			loglog(RC_LOG_SERIOUS
-			    , "%s must only be used if NAT-Traversal is not detected"
-			    , enum_name(&enc_mode_names, val));
-			/*
-			 * Accept it anyway because SSH-Sentinel does not
-			 * use UDP_TUNNEL or UDP_TRANSPORT for the diagnostic.
-			 *
-			 * remove when SSH-Sentinel is fixed
-			 */
+			case SA_LIFE_TYPE | ISAKMP_ATTR_AF_TV:
+				ipcomp_inappropriate = FALSE;
+				if (LHAS(seen_durations, val))
+				{
+					loglog(RC_LOG_SERIOUS, "attribute SA_LIFE_TYPE value %s repeated in message"
+						, enum_show(&sa_lifetime_names, val));
+					return FALSE;
+				}
+				seen_durations |= LELEM(val);
+				life_type = val;
+				break;
+			case SA_LIFE_DURATION | ISAKMP_ATTR_AF_TLV:
+				val = decode_long_duration(&attr_pbs);
+				/* fall through */
+			case SA_LIFE_DURATION | ISAKMP_ATTR_AF_TV:
+				ipcomp_inappropriate = FALSE;
+				if (!LHAS(seen_attrs, SA_LIFE_DURATION))
+				{
+					loglog(RC_LOG_SERIOUS, "SA_LIFE_DURATION IPsec attribute not preceded by SA_LIFE_TYPE attribute");
+					return FALSE;
+				}
+				seen_attrs &= ~(LELEM(SA_LIFE_DURATION) | LELEM(SA_LIFE_TYPE));
+
+				switch (life_type)
+				{
+					case SA_LIFE_TYPE_SECONDS:
+						/* silently limit duration to our maximum */
+						attrs->life_seconds = val <= SA_LIFE_DURATION_MAXIMUM
+							? val : SA_LIFE_DURATION_MAXIMUM;
+						break;
+					case SA_LIFE_TYPE_KBYTES:
+						attrs->life_kilobytes = val;
+						break;
+					default:
+						bad_case(life_type);
+				}
+				break;
+			case GROUP_DESCRIPTION | ISAKMP_ATTR_AF_TV:
+				if (is_ipcomp)
+				{
+					/* Accept reluctantly.  Should not happen, according to
+					 * draft-shacham-ippcp-rfc2393bis-05.txt 4.1.
+					 */
+					ipcomp_inappropriate = FALSE;
+					loglog(RC_COMMENT
+						, "IPCA (IPcomp SA) contains GROUP_DESCRIPTION."
+						"  Ignoring inapproprate attribute.");
+				}
+				pfs_group = ike_alg_get_dh_group(val);
+				if (pfs_group == NULL)
+				{
+					loglog(RC_LOG_SERIOUS, "only OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported for PFS");
+					return FALSE;
+				}
+				break;
+			case ENCAPSULATION_MODE | ISAKMP_ATTR_AF_TV:
+				ipcomp_inappropriate = FALSE;
+				switch (val)
+				{
+				case ENCAPSULATION_MODE_TUNNEL:
+				case ENCAPSULATION_MODE_TRANSPORT:
+					if (st->nat_traversal & NAT_T_DETECTED)
+					{
+						loglog(RC_LOG_SERIOUS
+							, "%s must only be used if NAT-Traversal is not detected"
+							, enum_name(&enc_mode_names, val));
+						/*
+						 * Accept it anyway because SSH-Sentinel does not
+						 * use UDP_TUNNEL or UDP_TRANSPORT for the diagnostic.
+						 *
+						 * remove when SSH-Sentinel is fixed
+						 */
 #ifdef I_DONT_CARE_OF_SSH_SENTINEL
-			return FALSE;
+						return FALSE;
 #endif
-		    }
-		    attrs->encapsulation = val;
-		    break;
-		case ENCAPSULATION_MODE_UDP_TRANSPORT_DRAFTS:
+					}
+					attrs->encapsulation = val;
+					break;
+				case ENCAPSULATION_MODE_UDP_TRANSPORT_DRAFTS:
 #ifndef I_KNOW_TRANSPORT_MODE_HAS_SECURITY_CONCERN_BUT_I_WANT_IT
-		    loglog(RC_LOG_SERIOUS
-			, "NAT-Traversal: Transport mode disabled due to security concerns");
-		    return FALSE;
+					loglog(RC_LOG_SERIOUS
+						, "NAT-Traversal: Transport mode disabled due to security concerns");
+					return FALSE;
 #endif
-		case ENCAPSULATION_MODE_UDP_TUNNEL_DRAFTS:
-		    if (st->nat_traversal & NAT_T_WITH_RFC_VALUES)
-		    {
-			loglog(RC_LOG_SERIOUS
-			    , "%s must only be used with old IETF drafts"
-			    , enum_name(&enc_mode_names, val));
-			return FALSE;
-		    }
-		    else if (st->nat_traversal & NAT_T_DETECTED)
-		    {
-			attrs->encapsulation = val
-				- ENCAPSULATION_MODE_UDP_TUNNEL_DRAFTS
-				+ ENCAPSULATION_MODE_TUNNEL;
-		    }
-		    else
-		    {
-			loglog(RC_LOG_SERIOUS
-			    , "%s must only be used if NAT-Traversal is detected"
-			    , enum_name(&enc_mode_names, val));
-			return FALSE;
-		    }
-		    break;
-		    case ENCAPSULATION_MODE_UDP_TRANSPORT_RFC:
+				case ENCAPSULATION_MODE_UDP_TUNNEL_DRAFTS:
+					if (st->nat_traversal & NAT_T_WITH_RFC_VALUES)
+					{
+						loglog(RC_LOG_SERIOUS
+							, "%s must only be used with old IETF drafts"
+							, enum_name(&enc_mode_names, val));
+						return FALSE;
+					}
+					else if (st->nat_traversal & NAT_T_DETECTED)
+					{
+						attrs->encapsulation = val
+								- ENCAPSULATION_MODE_UDP_TUNNEL_DRAFTS
+								+ ENCAPSULATION_MODE_TUNNEL;
+					}
+					else
+					{
+						loglog(RC_LOG_SERIOUS
+							, "%s must only be used if NAT-Traversal is detected"
+							, enum_name(&enc_mode_names, val));
+						return FALSE;
+					}
+					break;
+					case ENCAPSULATION_MODE_UDP_TRANSPORT_RFC:
 #ifndef I_KNOW_TRANSPORT_MODE_HAS_SECURITY_CONCERN_BUT_I_WANT_IT
-			loglog(RC_LOG_SERIOUS
-			    , "NAT-Traversal: Transport mode disabled due "
-			      "to security concerns");
-			return FALSE;
+						loglog(RC_LOG_SERIOUS
+							, "NAT-Traversal: Transport mode disabled due "
+							  "to security concerns");
+						return FALSE;
 #endif
-		    case ENCAPSULATION_MODE_UDP_TUNNEL_RFC:
-			if ((st->nat_traversal & NAT_T_DETECTED)
-			&& (st->nat_traversal & NAT_T_WITH_RFC_VALUES))
-			{
-			    attrs->encapsulation = val
-					- ENCAPSULATION_MODE_UDP_TUNNEL_RFC
-					+ ENCAPSULATION_MODE_TUNNEL;
-			}
-			else if (st->nat_traversal & NAT_T_DETECTED)
-			{
-			    loglog(RC_LOG_SERIOUS
-				, "%s must only be used with NAT-T RFC"
-				, enum_name(&enc_mode_names, val));
-			    return FALSE;
-			}
-			else
-			{
-			    loglog(RC_LOG_SERIOUS
-				, "%s must only be used if NAT-Traversal is detected"
-				, enum_name(&enc_mode_names, val));
-			    return FALSE;
-			}
-			break;
-		    default:
-			loglog(RC_LOG_SERIOUS
-			    , "unknown ENCAPSULATION_MODE %d in IPSec SA", val);
-			return FALSE;
-		}
-		break;
-	    case AUTH_ALGORITHM | ISAKMP_ATTR_AF_TV:
-		attrs->auth = val;
-		break;
-	    case KEY_LENGTH | ISAKMP_ATTR_AF_TV:
-		attrs->key_len = val;
-		break;
-	    case KEY_ROUNDS | ISAKMP_ATTR_AF_TV:
-		attrs->key_rounds = val;
-		break;
+					case ENCAPSULATION_MODE_UDP_TUNNEL_RFC:
+						if ((st->nat_traversal & NAT_T_DETECTED)
+						&& (st->nat_traversal & NAT_T_WITH_RFC_VALUES))
+						{
+							attrs->encapsulation = val
+										- ENCAPSULATION_MODE_UDP_TUNNEL_RFC
+										+ ENCAPSULATION_MODE_TUNNEL;
+						}
+						else if (st->nat_traversal & NAT_T_DETECTED)
+						{
+							loglog(RC_LOG_SERIOUS
+								, "%s must only be used with NAT-T RFC"
+								, enum_name(&enc_mode_names, val));
+							return FALSE;
+						}
+						else
+						{
+							loglog(RC_LOG_SERIOUS
+								, "%s must only be used if NAT-Traversal is detected"
+								, enum_name(&enc_mode_names, val));
+							return FALSE;
+						}
+						break;
+					default:
+						loglog(RC_LOG_SERIOUS
+							, "unknown ENCAPSULATION_MODE %d in IPSec SA", val);
+						return FALSE;
+				}
+				break;
+			case AUTH_ALGORITHM | ISAKMP_ATTR_AF_TV:
+				attrs->auth = val;
+				break;
+			case KEY_LENGTH | ISAKMP_ATTR_AF_TV:
+				attrs->key_len = val;
+				break;
+			case KEY_ROUNDS | ISAKMP_ATTR_AF_TV:
+				attrs->key_rounds = val;
+				break;
 #if 0 /* not yet implemented */
-	    case COMPRESS_DICT_SIZE | ISAKMP_ATTR_AF_TV:
-		break;
-	    case COMPRESS_PRIVATE_ALG | ISAKMP_ATTR_AF_TV:
-		break;
-
-	    case SA_LIFE_DURATION | ISAKMP_ATTR_AF_TLV:
-		break;
-	    case COMPRESS_PRIVATE_ALG | ISAKMP_ATTR_AF_TLV:
-		break;
+			case COMPRESS_DICT_SIZE | ISAKMP_ATTR_AF_TV:
+				break;
+			case COMPRESS_PRIVATE_ALG | ISAKMP_ATTR_AF_TV:
+				break;
+
+			case SA_LIFE_DURATION | ISAKMP_ATTR_AF_TLV:
+				break;
+			case COMPRESS_PRIVATE_ALG | ISAKMP_ATTR_AF_TLV:
+				break;
 #endif
-	    default:
-		loglog(RC_LOG_SERIOUS, "unsupported IPsec attribute %s"
-		    , enum_show(&ipsec_attr_names, a.isaat_af_type));
-		return FALSE;
-	}
-	if (ipcomp_inappropriate)
-	{
-	    loglog(RC_LOG_SERIOUS, "IPsec attribute %s inappropriate for IPCOMP"
-		, enum_show(&ipsec_attr_names, a.isaat_af_type));
-	    return FALSE;
+			default:
+				loglog(RC_LOG_SERIOUS, "unsupported IPsec attribute %s"
+					, enum_show(&ipsec_attr_names, a.isaat_af_type));
+				return FALSE;
+		}
+		if (ipcomp_inappropriate)
+		{
+			loglog(RC_LOG_SERIOUS, "IPsec attribute %s inappropriate for IPCOMP"
+				, enum_show(&ipsec_attr_names, a.isaat_af_type));
+			return FALSE;
+		}
 	}
-    }
-
-    /* Although an IPCOMP SA (IPCA) ought not to have a pfs_group,
-     * if it does, demand that it be consistent.
-     * See draft-shacham-ippcp-rfc2393bis-05.txt 4.1.
-     */
-    if (!is_ipcomp || pfs_group != NULL)
-    {
-	if (st->st_pfs_group == &unset_group)
-	    st->st_pfs_group = pfs_group;
-
-	if (st->st_pfs_group != pfs_group)
+
+	/* Although an IPCOMP SA (IPCA) ought not to have a pfs_group,
+	 * if it does, demand that it be consistent.
+	 * See draft-shacham-ippcp-rfc2393bis-05.txt 4.1.
+	 */
+	if (!is_ipcomp || pfs_group != NULL)
 	{
-	    loglog(RC_LOG_SERIOUS, "GROUP_DESCRIPTION inconsistent with that of %s in IPsec SA"
-		, selection? "the Proposal" : "a previous Transform");
-	    return FALSE;
-	}
-    }
+		if (st->st_pfs_group == &unset_group)
+			st->st_pfs_group = pfs_group;
 
-    if (LHAS(seen_attrs, SA_LIFE_DURATION))
-    {
-	loglog(RC_LOG_SERIOUS, "SA_LIFE_TYPE IPsec attribute not followed by SA_LIFE_DURATION attribute in message");
-	return FALSE;
-    }
+		if (st->st_pfs_group != pfs_group)
+		{
+			loglog(RC_LOG_SERIOUS, "GROUP_DESCRIPTION inconsistent with that of %s in IPsec SA"
+				, selection? "the Proposal" : "a previous Transform");
+			return FALSE;
+		}
+	}
 
-    if (!LHAS(seen_attrs, ENCAPSULATION_MODE))
-    {
-	if (is_ipcomp)
+	if (LHAS(seen_attrs, SA_LIFE_DURATION))
 	{
-	    /* draft-shacham-ippcp-rfc2393bis-05.txt 4.1:
-	     * "If the Encapsulation Mode is unspecified,
-	     * the default value of Transport Mode is assumed."
-	     * This contradicts/overrides the DOI (quuoted below).
-	     */
-	    attrs->encapsulation = ENCAPSULATION_MODE_TRANSPORT;
+		loglog(RC_LOG_SERIOUS, "SA_LIFE_TYPE IPsec attribute not followed by SA_LIFE_DURATION attribute in message");
+		return FALSE;
 	}
-	else
+
+	if (!LHAS(seen_attrs, ENCAPSULATION_MODE))
 	{
-	    /* ??? Technically, RFC 2407 (IPSEC DOI) 4.5 specifies that
-	     * the default is "unspecified (host-dependent)".
-	     * This makes little sense, so we demand that it be specified.
-	     */
-	    loglog(RC_LOG_SERIOUS, "IPsec Transform must specify ENCAPSULATION_MODE");
-	    return FALSE;
+		if (is_ipcomp)
+		{
+			/* draft-shacham-ippcp-rfc2393bis-05.txt 4.1:
+			 * "If the Encapsulation Mode is unspecified,
+			 * the default value of Transport Mode is assumed."
+			 * This contradicts/overrides the DOI (quuoted below).
+			 */
+			attrs->encapsulation = ENCAPSULATION_MODE_TRANSPORT;
+		}
+		else
+		{
+			/* ??? Technically, RFC 2407 (IPSEC DOI) 4.5 specifies that
+			 * the default is "unspecified (host-dependent)".
+			 * This makes little sense, so we demand that it be specified.
+			 */
+			loglog(RC_LOG_SERIOUS, "IPsec Transform must specify ENCAPSULATION_MODE");
+			return FALSE;
+		}
 	}
-    }
 
-    /* ??? should check for key_len and/or key_rounds if required */
+	/* ??? should check for key_len and/or key_rounds if required */
 
-    return TRUE;
+	return TRUE;
 }
 
 static void
 echo_proposal(
-    struct isakmp_proposal r_proposal,	/* proposal to emit */
-    struct isakmp_transform r_trans,	/* winning transformation within it */
-    u_int8_t np,			/* Next Payload for proposal */
-    pb_stream *r_sa_pbs,		/* SA PBS into which to emit */
-    struct ipsec_proto_info *pi,	/* info about this protocol instance */
-    struct_desc *trans_desc,		/* descriptor for this transformation */
-    pb_stream *trans_pbs,		/* PBS for incoming transform */
-    struct spd_route *sr,		/* host details for the association */
-    bool tunnel_mode)			/* true for inner most tunnel SA */
+	struct isakmp_proposal r_proposal,  /* proposal to emit */
+	struct isakmp_transform r_trans,    /* winning transformation within it */
+	u_int8_t np,                        /* Next Payload for proposal */
+	pb_stream *r_sa_pbs,                /* SA PBS into which to emit */
+	struct ipsec_proto_info *pi,        /* info about this protocol instance */
+	struct_desc *trans_desc,            /* descriptor for this transformation */
+	pb_stream *trans_pbs,               /* PBS for incoming transform */
+	struct spd_route *sr,               /* host details for the association */
+	bool tunnel_mode)                   /* true for inner most tunnel SA */
 {
-    pb_stream r_proposal_pbs;
-    pb_stream r_trans_pbs;
-
-    /* Proposal */
-    r_proposal.isap_np = np;
-    r_proposal.isap_notrans = 1;
-    if (!out_struct(&r_proposal, &isakmp_proposal_desc, r_sa_pbs, &r_proposal_pbs))
-	impossible();
-
-    /* allocate and emit our CPI/SPI */
-    if (r_proposal.isap_protoid == PROTO_IPCOMP)
-    {
-	/* CPI is stored in network low order end of an
-	 * ipsec_spi_t.  So we start a couple of bytes in.
-	 * Note: we may fail to generate a satisfactory CPI,
-	 * but we'll ignore that.
-	 */
-	pi->our_spi = get_my_cpi(sr, tunnel_mode);
-	out_raw((u_char *) &pi->our_spi
-	     + IPSEC_DOI_SPI_SIZE - IPCOMP_CPI_SIZE
-	    , IPCOMP_CPI_SIZE
-	    , &r_proposal_pbs, "CPI");
-    }
-    else
-    {
-	pi->our_spi = get_ipsec_spi(pi->attrs.spi
-	    , r_proposal.isap_protoid == PROTO_IPSEC_AH ?
-		IPPROTO_AH : IPPROTO_ESP
-	    , sr
-	    , tunnel_mode);
-	/* XXX should check for errors */
-	out_raw((u_char *) &pi->our_spi, IPSEC_DOI_SPI_SIZE
-	    , &r_proposal_pbs, "SPI");
-    }
-
-    /* Transform */
-    r_trans.isat_np = ISAKMP_NEXT_NONE;
-    if (!out_struct(&r_trans, trans_desc, &r_proposal_pbs, &r_trans_pbs))
-	impossible();
-
-    /* Transform Attributes: pure echo */
-    trans_pbs->cur = trans_pbs->start + sizeof(struct isakmp_transform);
-    if (!out_raw(trans_pbs->cur, pbs_left(trans_pbs)
-    , &r_trans_pbs, "attributes"))
-	impossible();
-
-    close_output_pbs(&r_trans_pbs);
-    close_output_pbs(&r_proposal_pbs);
-}
+	pb_stream r_proposal_pbs;
+	pb_stream r_trans_pbs;
 
-notification_t
-parse_ipsec_sa_body(
-    pb_stream *sa_pbs,		/* body of input SA Payload */
-    const struct isakmp_sa *sa,	/* header of input SA Payload */
-    pb_stream *r_sa_pbs,	/* if non-NULL, where to emit body of winning SA */
-    bool selection,		/* if this SA is a selection, only one transform may appear */
-    struct state *st)		/* current state object */
-{
-    const struct connection *c = st->st_connection;
-    u_int32_t ipsecdoisit;
-    pb_stream next_proposal_pbs;
-
-    struct isakmp_proposal next_proposal;
-    ipsec_spi_t next_spi;
-
-    bool next_full = TRUE;
-
-    /* DOI */
-    if (sa->isasa_doi != ISAKMP_DOI_IPSEC)
-    {
-	loglog(RC_LOG_SERIOUS, "Unknown or unsupported DOI %s", enum_show(&doi_names, sa->isasa_doi));
-	/* XXX Could send notification back */
-	return DOI_NOT_SUPPORTED;
-    }
-
-    /* Situation */
-    if (!in_struct(&ipsecdoisit, &ipsec_sit_desc, sa_pbs, NULL))
-	return SITUATION_NOT_SUPPORTED;
-
-    if (ipsecdoisit != SIT_IDENTITY_ONLY)
-    {
-	loglog(RC_LOG_SERIOUS, "unsupported IPsec DOI situation (%s)"
-	    , bitnamesof(sit_bit_names, ipsecdoisit));
-	/* XXX Could send notification back */
-	return SITUATION_NOT_SUPPORTED;
-    }
-
-    /* The rules for IPsec SAs are scattered.
-     * RFC 2408 "ISAKMP" section 4.2 gives some info.
-     * There may be multiple proposals.  Those with identical proposal
-     * numbers must be considered as conjuncts.  Those with different
-     * numbers are disjuncts.
-     * Each proposal may have several transforms, each considered
-     * an alternative.
-     * Each transform may have several attributes, all applying.
-     *
-     * To handle the way proposals are combined, we need to do a
-     * look-ahead.
-     */
-
-    if (!in_struct(&next_proposal, &isakmp_proposal_desc, sa_pbs, &next_proposal_pbs))
-	return BAD_PROPOSAL_SYNTAX;
-
-    /* for each conjunction of proposals... */
-    while (next_full)
-    {
-	int propno = next_proposal.isap_proposal;
-	pb_stream ah_prop_pbs, esp_prop_pbs, ipcomp_prop_pbs;
-	struct isakmp_proposal ah_proposal = {0, 0, 0, 0, 0, 0, 0};
-	struct isakmp_proposal esp_proposal = {0, 0, 0, 0, 0, 0, 0};
-	struct isakmp_proposal ipcomp_proposal = {0, 0, 0, 0, 0, 0, 0};
-	ipsec_spi_t ah_spi = 0;
-	ipsec_spi_t esp_spi = 0;
-	ipsec_spi_t ipcomp_cpi = 0;
-	bool ah_seen = FALSE;
-	bool esp_seen = FALSE;
-	bool ipcomp_seen = FALSE;
-	bool tunnel_mode = FALSE;
-	int inner_proto = 0;
-	u_int16_t well_known_cpi = 0;
-
-	pb_stream ah_trans_pbs, esp_trans_pbs, ipcomp_trans_pbs;
-	struct isakmp_transform ah_trans, esp_trans, ipcomp_trans;
-	struct ipsec_trans_attrs ah_attrs, esp_attrs, ipcomp_attrs;
-
-	/* for each proposal in the conjunction */
-	do {
-
-	    if (next_proposal.isap_protoid == PROTO_IPCOMP)
-	    {
-		/* IPCOMP CPI */
-		if (next_proposal.isap_spisize == IPSEC_DOI_SPI_SIZE)
-		{
-		    /* This code is to accommodate those peculiar
-		     * implementations that send a CPI in the bottom of an
-		     * SPI-sized field.
-		     * See draft-shacham-ippcp-rfc2393bis-05.txt 4.1
-		     */
-		    u_int8_t filler[IPSEC_DOI_SPI_SIZE - IPCOMP_CPI_SIZE];
-
-		    if (!in_raw(filler, sizeof(filler)
-		     , &next_proposal_pbs, "CPI filler")
-		    || !all_zero(filler, sizeof(filler)))
-			return INVALID_SPI;
-		}
-		else if (next_proposal.isap_spisize != IPCOMP_CPI_SIZE)
-		{
-		    loglog(RC_LOG_SERIOUS, "IPsec Proposal with improper CPI size (%u)"
-			, next_proposal.isap_spisize);
-		    return INVALID_SPI;
-		}
+	/* Proposal */
+	r_proposal.isap_np = np;
+	r_proposal.isap_notrans = 1;
+	if (!out_struct(&r_proposal, &isakmp_proposal_desc, r_sa_pbs, &r_proposal_pbs))
+		impossible();
 
-		/* We store CPI in the low order of a network order
+	/* allocate and emit our CPI/SPI */
+	if (r_proposal.isap_protoid == PROTO_IPCOMP)
+	{
+		/* CPI is stored in network low order end of an
 		 * ipsec_spi_t.  So we start a couple of bytes in.
+		 * Note: we may fail to generate a satisfactory CPI,
+		 * but we'll ignore that.
 		 */
-		zero(&next_spi);
-		if (!in_raw((u_char *)&next_spi
-		  + IPSEC_DOI_SPI_SIZE - IPCOMP_CPI_SIZE
-		, IPCOMP_CPI_SIZE, &next_proposal_pbs, "CPI"))
-		    return INVALID_SPI;
-
-		/* If sanity ruled, CPIs would have to be such that
-		 * the SAID (the triple (CPI, IPCOM, destination IP))
-		 * would be unique, just like for SPIs.  But there is a
-		 * perversion where CPIs can be well-known and consequently
-		 * the triple is not unique.  We hide this fact from
-		 * ourselves by fudging the top 16 bits to make
-		 * the property true internally!
-		 */
-		switch (ntohl(next_spi))
-		{
-		case IPCOMP_DEFLATE:
-		    well_known_cpi = ntohl(next_spi);
-		    next_spi = uniquify_his_cpi(next_spi, st);
-		    if (next_spi == 0)
-		    {
-			loglog(RC_LOG_SERIOUS
-			    , "IPsec Proposal contains well-known CPI that I cannot uniquify");
-			return INVALID_SPI;
-		    }
-		    break;
-		default:
-		    if (ntohl(next_spi) < IPCOMP_FIRST_NEGOTIATED
-		    || ntohl(next_spi) > IPCOMP_LAST_NEGOTIATED)
-		    {
-			loglog(RC_LOG_SERIOUS, "IPsec Proposal contains CPI from non-negotiated range (0x%lx)"
-			    , (unsigned long) ntohl(next_spi));
-			return INVALID_SPI;
-		    }
-		    break;
-		}
-	    }
-	    else
-	    {
-		/* AH or ESP SPI */
-		if (next_proposal.isap_spisize != IPSEC_DOI_SPI_SIZE)
-		{
-		    loglog(RC_LOG_SERIOUS, "IPsec Proposal with improper SPI size (%u)"
-			, next_proposal.isap_spisize);
-		    return INVALID_SPI;
-		}
-
-		if (!in_raw((u_char *)&next_spi, sizeof(next_spi), &next_proposal_pbs, "SPI"))
-		    return INVALID_SPI;
+		pi->our_spi = get_my_cpi(sr, tunnel_mode);
+		out_raw((u_char *) &pi->our_spi
+			 + IPSEC_DOI_SPI_SIZE - IPCOMP_CPI_SIZE
+			, IPCOMP_CPI_SIZE
+			, &r_proposal_pbs, "CPI");
+	}
+	else
+	{
+		pi->our_spi = get_ipsec_spi(pi->attrs.spi
+			, r_proposal.isap_protoid == PROTO_IPSEC_AH ?
+				IPPROTO_AH : IPPROTO_ESP
+			, sr
+			, tunnel_mode);
+		/* XXX should check for errors */
+		out_raw((u_char *) &pi->our_spi, IPSEC_DOI_SPI_SIZE
+			, &r_proposal_pbs, "SPI");
+	}
 
-		/* SPI value 0 is invalid and values 1-255 are reserved to IANA.
-		 * RFC 2402 (ESP) 2.4, RFC 2406 (AH) 2.1
-		 * IPCOMP???
-		 */
-		if (ntohl(next_spi) < IPSEC_DOI_SPI_MIN)
-		{
-		    loglog(RC_LOG_SERIOUS, "IPsec Proposal contains invalid SPI (0x%lx)"
-			, (unsigned long) ntohl(next_spi));
-		    return INVALID_SPI;
-		}
-	    }
+	/* Transform */
+	r_trans.isat_np = ISAKMP_NEXT_NONE;
+	if (!out_struct(&r_trans, trans_desc, &r_proposal_pbs, &r_trans_pbs))
+		impossible();
 
-	    if (next_proposal.isap_notrans == 0)
-	    {
-		loglog(RC_LOG_SERIOUS, "IPsec Proposal contains no Transforms");
-		return BAD_PROPOSAL_SYNTAX;
-	    }
+	/* Transform Attributes: pure echo */
+	trans_pbs->cur = trans_pbs->start + sizeof(struct isakmp_transform);
+	if (!out_raw(trans_pbs->cur, pbs_left(trans_pbs)
+	, &r_trans_pbs, "attributes"))
+		impossible();
 
-	    switch (next_proposal.isap_protoid)
-	    {
-	    case PROTO_IPSEC_AH:
-		if (ah_seen)
-		{
-		    loglog(RC_LOG_SERIOUS, "IPsec SA contains two simultaneous AH Proposals");
-		    return BAD_PROPOSAL_SYNTAX;
-		}
-		ah_seen = TRUE;
-		ah_prop_pbs = next_proposal_pbs;
-		ah_proposal = next_proposal;
-		ah_spi = next_spi;
-		break;
+	close_output_pbs(&r_trans_pbs);
+	close_output_pbs(&r_proposal_pbs);
+}
 
-	    case PROTO_IPSEC_ESP:
-		if (esp_seen)
-		{
-		    loglog(RC_LOG_SERIOUS, "IPsec SA contains two simultaneous ESP Proposals");
-		    return BAD_PROPOSAL_SYNTAX;
-		}
-		esp_seen = TRUE;
-		esp_prop_pbs = next_proposal_pbs;
-		esp_proposal = next_proposal;
-		esp_spi = next_spi;
-		break;
+notification_t
+parse_ipsec_sa_body(
+	pb_stream *sa_pbs,          /* body of input SA Payload */
+	const struct isakmp_sa *sa, /* header of input SA Payload */
+	pb_stream *r_sa_pbs,        /* if non-NULL, where to emit body of winning SA */
+	bool selection,             /* if this SA is a selection, only one transform may appear */
+	struct state *st)           /* current state object */
+{
+	const struct connection *c = st->st_connection;
+	u_int32_t ipsecdoisit;
+	pb_stream next_proposal_pbs;
 
-	    case PROTO_IPCOMP:
-		if (ipcomp_seen)
-		{
-		    loglog(RC_LOG_SERIOUS, "IPsec SA contains two simultaneous IPCOMP Proposals");
-		    return BAD_PROPOSAL_SYNTAX;
-		}
-		ipcomp_seen = TRUE;
-		ipcomp_prop_pbs = next_proposal_pbs;
-		ipcomp_proposal = next_proposal;
-		ipcomp_cpi = next_spi;
-		break;
-
-	    default:
-		loglog(RC_LOG_SERIOUS, "unexpected Protocol ID (%s) in IPsec Proposal"
-		    , enum_show(&protocol_names, next_proposal.isap_protoid));
-		return INVALID_PROTOCOL_ID;
-	    }
-
-	    /* refill next_proposal */
-	    if (next_proposal.isap_np == ISAKMP_NEXT_NONE)
-	    {
-		next_full = FALSE;
-		break;
-	    }
-	    else if (next_proposal.isap_np != ISAKMP_NEXT_P)
-	    {
-		loglog(RC_LOG_SERIOUS, "unexpected in Proposal: %s"
-		    , enum_show(&payload_names, next_proposal.isap_np));
-		return BAD_PROPOSAL_SYNTAX;
-	    }
+	struct isakmp_proposal next_proposal;
+	ipsec_spi_t next_spi;
 
-	    if (!in_struct(&next_proposal, &isakmp_proposal_desc, sa_pbs, &next_proposal_pbs))
-		return BAD_PROPOSAL_SYNTAX;
-	} while (next_proposal.isap_proposal == propno);
-
-	/* Now that we have all conjuncts, we should try
-	 * the Cartesian product of eachs tranforms!
-	 * At the moment, we take short-cuts on account of
-	 * our rudimentary hard-wired policy.
-	 * For now, we find an acceptable AH (if any)
-	 * and then an acceptable ESP.  The only interaction
-	 * is that the ESP acceptance can know whether there
-	 * was an acceptable AH and hence not require an AUTH.
-	 */
+	bool next_full = TRUE;
 
-	if (ah_seen)
+	/* DOI */
+	if (sa->isasa_doi != ISAKMP_DOI_IPSEC)
 	{
-	    int previous_transnum = -1;
-	    int tn;
-
-	    for (tn = 0; tn != ah_proposal.isap_notrans; tn++)
-	    {
-		int ok_transid = 0;
-		bool ok_auth = FALSE;
-
-		if (!parse_ipsec_transform(&ah_trans
-		, &ah_attrs
-		, &ah_prop_pbs
-		, &ah_trans_pbs
-		, &isakmp_ah_transform_desc
-		, previous_transnum
-		, selection
-		, tn == ah_proposal.isap_notrans - 1
-		, FALSE
-		, st))
-		    return BAD_PROPOSAL_SYNTAX;
-
-		previous_transnum = ah_trans.isat_transnum;
-
-		/* we must understand ah_attrs.transid
-		 * COMBINED with ah_attrs.auth.
-		 * See RFC 2407 "IPsec DOI" section 4.4.3
-		 * The following combinations are legal,
-		 * but we don't implement all of them:
-		 * It seems as if each auth algorithm
-		 * only applies to one ah transid.
-		 * AH_MD5, AUTH_ALGORITHM_HMAC_MD5
-		 * AH_MD5, AUTH_ALGORITHM_KPDK (unimplemented)
-		 * AH_SHA, AUTH_ALGORITHM_HMAC_SHA1
-		 * AH_DES, AUTH_ALGORITHM_DES_MAC (unimplemented)
-		 */
-		switch (ah_attrs.auth)
-		{
-		    case AUTH_ALGORITHM_NONE:
-			loglog(RC_LOG_SERIOUS, "AUTH_ALGORITHM attribute missing in AH Transform");
-			return BAD_PROPOSAL_SYNTAX;
+		loglog(RC_LOG_SERIOUS, "Unknown or unsupported DOI %s", enum_show(&doi_names, sa->isasa_doi));
+		/* XXX Could send notification back */
+		return DOI_NOT_SUPPORTED;
+	}
 
-		    case AUTH_ALGORITHM_HMAC_MD5:
-			ok_auth = TRUE;
-			/* fall through */
-		    case AUTH_ALGORITHM_KPDK:
-			ok_transid = AH_MD5;
-			break;
+	/* Situation */
+	if (!in_struct(&ipsecdoisit, &ipsec_sit_desc, sa_pbs, NULL))
+		return SITUATION_NOT_SUPPORTED;
 
-		    case AUTH_ALGORITHM_HMAC_SHA1:
-			ok_auth = TRUE;
-			ok_transid = AH_SHA;
-			break;
-
-		    case AUTH_ALGORITHM_DES_MAC:
-			ok_transid = AH_DES;
-			break;
-		}
-		if (ah_attrs.transid != ok_transid)
-		{
-		    loglog(RC_LOG_SERIOUS, "%s attribute inappropriate in %s Transform"
-			, enum_name(&auth_alg_names, ah_attrs.auth)
-			, enum_show(&ah_transformid_names, ah_attrs.transid));
-		    return BAD_PROPOSAL_SYNTAX;
-		}
-		if (!ok_auth)
-		{
-		    DBG(DBG_CONTROL | DBG_CRYPT
-			, DBG_log("%s attribute unsupported"
-			    " in %s Transform from %s"
-			    , enum_name(&auth_alg_names, ah_attrs.auth)
-			    , enum_show(&ah_transformid_names, ah_attrs.transid)
-			    , ip_str(&c->spd.that.host_addr)));
-		    continue;   /* try another */
-		}
-		break;	/* we seem to be happy */
-	    }
-	    if (tn == ah_proposal.isap_notrans)
-		continue;	/* we didn't find a nice one */
-	    ah_attrs.spi = ah_spi;
-	    inner_proto = IPPROTO_AH;
-	    if (ah_attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL)
-		tunnel_mode = TRUE;
+	if (ipsecdoisit != SIT_IDENTITY_ONLY)
+	{
+		loglog(RC_LOG_SERIOUS, "unsupported IPsec DOI situation (%s)"
+			, bitnamesof(sit_bit_names, ipsecdoisit));
+		/* XXX Could send notification back */
+		return SITUATION_NOT_SUPPORTED;
 	}
 
-	if (esp_seen)
+	/* The rules for IPsec SAs are scattered.
+	 * RFC 2408 "ISAKMP" section 4.2 gives some info.
+	 * There may be multiple proposals.  Those with identical proposal
+	 * numbers must be considered as conjuncts.  Those with different
+	 * numbers are disjuncts.
+	 * Each proposal may have several transforms, each considered
+	 * an alternative.
+	 * Each transform may have several attributes, all applying.
+	 *
+	 * To handle the way proposals are combined, we need to do a
+	 * look-ahead.
+	 */
+
+	if (!in_struct(&next_proposal, &isakmp_proposal_desc, sa_pbs, &next_proposal_pbs))
+		return BAD_PROPOSAL_SYNTAX;
+
+	/* for each conjunction of proposals... */
+	while (next_full)
 	{
-	    int previous_transnum = -1;
-	    int tn;
-
-	    for (tn = 0; tn != esp_proposal.isap_notrans; tn++)
-	    {
-		if (!parse_ipsec_transform(&esp_trans
-		, &esp_attrs
-		, &esp_prop_pbs
-		, &esp_trans_pbs
-		, &isakmp_esp_transform_desc
-		, previous_transnum
-		, selection
-		, tn == esp_proposal.isap_notrans - 1
-		, FALSE
-		, st))
-		    return BAD_PROPOSAL_SYNTAX;
-
-		previous_transnum = esp_trans.isat_transnum;
-
-		/* set default key length for AES encryption */
-		if (!esp_attrs.key_len && esp_attrs.transid == ESP_AES)
-		{
-		    esp_attrs.key_len = 128; /* bits */
-		}
+		int propno = next_proposal.isap_proposal;
+		pb_stream ah_prop_pbs, esp_prop_pbs, ipcomp_prop_pbs;
+		struct isakmp_proposal ah_proposal = {0, 0, 0, 0, 0, 0, 0};
+		struct isakmp_proposal esp_proposal = {0, 0, 0, 0, 0, 0, 0};
+		struct isakmp_proposal ipcomp_proposal = {0, 0, 0, 0, 0, 0, 0};
+		ipsec_spi_t ah_spi = 0;
+		ipsec_spi_t esp_spi = 0;
+		ipsec_spi_t ipcomp_cpi = 0;
+		bool ah_seen = FALSE;
+		bool esp_seen = FALSE;
+		bool ipcomp_seen = FALSE;
+		bool tunnel_mode = FALSE;
+		int inner_proto = 0;
+		u_int16_t well_known_cpi = 0;
+
+		pb_stream ah_trans_pbs, esp_trans_pbs, ipcomp_trans_pbs;
+		struct isakmp_transform ah_trans, esp_trans, ipcomp_trans;
+		struct ipsec_trans_attrs ah_attrs, esp_attrs, ipcomp_attrs;
+
+		/* for each proposal in the conjunction */
+		do {
+
+			if (next_proposal.isap_protoid == PROTO_IPCOMP)
+			{
+				/* IPCOMP CPI */
+				if (next_proposal.isap_spisize == IPSEC_DOI_SPI_SIZE)
+				{
+					/* This code is to accommodate those peculiar
+					 * implementations that send a CPI in the bottom of an
+					 * SPI-sized field.
+					 * See draft-shacham-ippcp-rfc2393bis-05.txt 4.1
+					 */
+					u_int8_t filler[IPSEC_DOI_SPI_SIZE - IPCOMP_CPI_SIZE];
+
+					if (!in_raw(filler, sizeof(filler)
+					 , &next_proposal_pbs, "CPI filler")
+					|| !all_zero(filler, sizeof(filler)))
+						return INVALID_SPI;
+				}
+				else if (next_proposal.isap_spisize != IPCOMP_CPI_SIZE)
+				{
+					loglog(RC_LOG_SERIOUS, "IPsec Proposal with improper CPI size (%u)"
+						, next_proposal.isap_spisize);
+					return INVALID_SPI;
+				}
+
+				/* We store CPI in the low order of a network order
+				 * ipsec_spi_t.  So we start a couple of bytes in.
+				 */
+				zero(&next_spi);
+				if (!in_raw((u_char *)&next_spi
+				  + IPSEC_DOI_SPI_SIZE - IPCOMP_CPI_SIZE
+				, IPCOMP_CPI_SIZE, &next_proposal_pbs, "CPI"))
+					return INVALID_SPI;
+
+				/* If sanity ruled, CPIs would have to be such that
+				 * the SAID (the triple (CPI, IPCOM, destination IP))
+				 * would be unique, just like for SPIs.  But there is a
+				 * perversion where CPIs can be well-known and consequently
+				 * the triple is not unique.  We hide this fact from
+				 * ourselves by fudging the top 16 bits to make
+				 * the property true internally!
+				 */
+				switch (ntohl(next_spi))
+				{
+				case IPCOMP_DEFLATE:
+					well_known_cpi = ntohl(next_spi);
+					next_spi = uniquify_his_cpi(next_spi, st);
+					if (next_spi == 0)
+					{
+						loglog(RC_LOG_SERIOUS
+							, "IPsec Proposal contains well-known CPI that I cannot uniquify");
+						return INVALID_SPI;
+					}
+					break;
+				default:
+					if (ntohl(next_spi) < IPCOMP_FIRST_NEGOTIATED
+					|| ntohl(next_spi) > IPCOMP_LAST_NEGOTIATED)
+					{
+						loglog(RC_LOG_SERIOUS, "IPsec Proposal contains CPI from non-negotiated range (0x%lx)"
+							, (unsigned long) ntohl(next_spi));
+						return INVALID_SPI;
+					}
+					break;
+				}
+			}
+			else
+			{
+				/* AH or ESP SPI */
+				if (next_proposal.isap_spisize != IPSEC_DOI_SPI_SIZE)
+				{
+					loglog(RC_LOG_SERIOUS, "IPsec Proposal with improper SPI size (%u)"
+						, next_proposal.isap_spisize);
+					return INVALID_SPI;
+				}
+
+				if (!in_raw((u_char *)&next_spi, sizeof(next_spi), &next_proposal_pbs, "SPI"))
+					return INVALID_SPI;
+
+				/* SPI value 0 is invalid and values 1-255 are reserved to IANA.
+				 * RFC 2402 (ESP) 2.4, RFC 2406 (AH) 2.1
+				 * IPCOMP???
+				 */
+				if (ntohl(next_spi) < IPSEC_DOI_SPI_MIN)
+				{
+					loglog(RC_LOG_SERIOUS, "IPsec Proposal contains invalid SPI (0x%lx)"
+						, (unsigned long) ntohl(next_spi));
+					return INVALID_SPI;
+				}
+			}
 
-		if (!kernel_alg_esp_enc_ok(esp_attrs.transid, esp_attrs.key_len
-		    ,c->alg_info_esp))
-		{
-		    switch (esp_attrs.transid)
-		    {
-		    case ESP_3DES:
-			break;
-#ifdef SUPPORT_ESP_NULL	/* should be about as secure as AH-only */
-		    case ESP_NULL:
-			if (esp_attrs.auth == AUTH_ALGORITHM_NONE)
+			if (next_proposal.isap_notrans == 0)
 			{
-			    loglog(RC_LOG_SERIOUS, "ESP_NULL requires auth algorithm");
-			    return BAD_PROPOSAL_SYNTAX;
+				loglog(RC_LOG_SERIOUS, "IPsec Proposal contains no Transforms");
+				return BAD_PROPOSAL_SYNTAX;
 			}
-			if (st->st_policy & POLICY_ENCRYPT)
+
+			switch (next_proposal.isap_protoid)
 			{
-			    DBG(DBG_CONTROL | DBG_CRYPT
-				    , DBG_log("ESP_NULL Transform Proposal from %s"
-					" does not satisfy POLICY_ENCRYPT"
-					, ip_str(&c->spd.that.host_addr)));
-			    continue;   /* try another */
+			case PROTO_IPSEC_AH:
+				if (ah_seen)
+				{
+					loglog(RC_LOG_SERIOUS, "IPsec SA contains two simultaneous AH Proposals");
+					return BAD_PROPOSAL_SYNTAX;
+				}
+				ah_seen = TRUE;
+				ah_prop_pbs = next_proposal_pbs;
+				ah_proposal = next_proposal;
+				ah_spi = next_spi;
+				break;
+
+			case PROTO_IPSEC_ESP:
+				if (esp_seen)
+				{
+					loglog(RC_LOG_SERIOUS, "IPsec SA contains two simultaneous ESP Proposals");
+					return BAD_PROPOSAL_SYNTAX;
+				}
+				esp_seen = TRUE;
+				esp_prop_pbs = next_proposal_pbs;
+				esp_proposal = next_proposal;
+				esp_spi = next_spi;
+				break;
+
+			case PROTO_IPCOMP:
+				if (ipcomp_seen)
+				{
+					loglog(RC_LOG_SERIOUS, "IPsec SA contains two simultaneous IPCOMP Proposals");
+					return BAD_PROPOSAL_SYNTAX;
+				}
+				ipcomp_seen = TRUE;
+				ipcomp_prop_pbs = next_proposal_pbs;
+				ipcomp_proposal = next_proposal;
+				ipcomp_cpi = next_spi;
+				break;
+
+			default:
+				loglog(RC_LOG_SERIOUS, "unexpected Protocol ID (%s) in IPsec Proposal"
+					, enum_show(&protocol_names, next_proposal.isap_protoid));
+				return INVALID_PROTOCOL_ID;
 			}
-			break;
-#endif
-		    default:
-			DBG(DBG_CONTROL | DBG_CRYPT
-			    , DBG_log("unsupported ESP Transform %s from %s"
-				, enum_show(&esp_transformid_names, esp_attrs.transid)
-				, ip_str(&c->spd.that.host_addr)));
-			continue;   /* try another */
-		    }
-		}
 
-		if (!kernel_alg_esp_auth_ok(esp_attrs.auth, c->alg_info_esp))
-		{
-		    switch (esp_attrs.auth)
-		    {
-		    case AUTH_ALGORITHM_NONE:
-			if (!ah_seen)
+			/* refill next_proposal */
+			if (next_proposal.isap_np == ISAKMP_NEXT_NONE)
 			{
-			    DBG(DBG_CONTROL | DBG_CRYPT
-				, DBG_log("ESP from %s must either have AUTH or be combined with AH"
-				    , ip_str(&c->spd.that.host_addr)));
-			    continue;   /* try another */
+				next_full = FALSE;
+				break;
+			}
+			else if (next_proposal.isap_np != ISAKMP_NEXT_P)
+			{
+				loglog(RC_LOG_SERIOUS, "unexpected in Proposal: %s"
+					, enum_show(&payload_names, next_proposal.isap_np));
+				return BAD_PROPOSAL_SYNTAX;
 			}
-			break;
-		    case AUTH_ALGORITHM_HMAC_MD5:
-		    case AUTH_ALGORITHM_HMAC_SHA1:
-			break;
-		    default:
-			DBG(DBG_CONTROL | DBG_CRYPT
-			    , DBG_log("unsupported ESP auth alg %s from %s"
-				, enum_show(&auth_alg_names, esp_attrs.auth)
-				, ip_str(&c->spd.that.host_addr)));
-			continue;   /* try another */
-		    }
-		}
 
-		/* A last check for allowed transforms in alg_info_esp
-		 * (ALG_INFO_F_STRICT flag)
+			if (!in_struct(&next_proposal, &isakmp_proposal_desc, sa_pbs, &next_proposal_pbs))
+				return BAD_PROPOSAL_SYNTAX;
+		} while (next_proposal.isap_proposal == propno);
+
+		/* Now that we have all conjuncts, we should try
+		 * the Cartesian product of eachs tranforms!
+		 * At the moment, we take short-cuts on account of
+		 * our rudimentary hard-wired policy.
+		 * For now, we find an acceptable AH (if any)
+		 * and then an acceptable ESP.  The only interaction
+		 * is that the ESP acceptance can know whether there
+		 * was an acceptable AH and hence not require an AUTH.
 		 */
-		if (!kernel_alg_esp_ok_final(esp_attrs.transid, esp_attrs.key_len
-		    ,esp_attrs.auth, c->alg_info_esp))
-		{
-		    continue;
-		}
 
-		if (ah_seen && ah_attrs.encapsulation != esp_attrs.encapsulation)
+		if (ah_seen)
 		{
-		    /* ??? This should be an error, but is it? */
-		    DBG(DBG_CONTROL | DBG_CRYPT
-			, DBG_log("AH and ESP transforms disagree about encapsulation; TUNNEL presumed"));
+			int previous_transnum = -1;
+			int tn;
+
+			for (tn = 0; tn != ah_proposal.isap_notrans; tn++)
+			{
+				int ok_transid = 0;
+				bool ok_auth = FALSE;
+
+				if (!parse_ipsec_transform(&ah_trans
+				, &ah_attrs
+				, &ah_prop_pbs
+				, &ah_trans_pbs
+				, &isakmp_ah_transform_desc
+				, previous_transnum
+				, selection
+				, tn == ah_proposal.isap_notrans - 1
+				, FALSE
+				, st))
+					return BAD_PROPOSAL_SYNTAX;
+
+				previous_transnum = ah_trans.isat_transnum;
+
+				/* we must understand ah_attrs.transid
+				 * COMBINED with ah_attrs.auth.
+				 * See RFC 2407 "IPsec DOI" section 4.4.3
+				 * The following combinations are legal,
+				 * but we don't implement all of them:
+				 * It seems as if each auth algorithm
+				 * only applies to one ah transid.
+				 * AH_MD5, AUTH_ALGORITHM_HMAC_MD5
+				 * AH_MD5, AUTH_ALGORITHM_KPDK (unimplemented)
+				 * AH_SHA, AUTH_ALGORITHM_HMAC_SHA1
+				 * AH_DES, AUTH_ALGORITHM_DES_MAC (unimplemented)
+				 */
+				switch (ah_attrs.auth)
+				{
+					case AUTH_ALGORITHM_NONE:
+						loglog(RC_LOG_SERIOUS, "AUTH_ALGORITHM attribute missing in AH Transform");
+						return BAD_PROPOSAL_SYNTAX;
+
+					case AUTH_ALGORITHM_HMAC_MD5:
+						ok_auth = TRUE;
+						/* fall through */
+					case AUTH_ALGORITHM_KPDK:
+						ok_transid = AH_MD5;
+						break;
+
+					case AUTH_ALGORITHM_HMAC_SHA1:
+						ok_auth = TRUE;
+						ok_transid = AH_SHA;
+						break;
+
+					case AUTH_ALGORITHM_DES_MAC:
+						ok_transid = AH_DES;
+						break;
+				}
+				if (ah_attrs.transid != ok_transid)
+				{
+					loglog(RC_LOG_SERIOUS, "%s attribute inappropriate in %s Transform"
+						, enum_name(&auth_alg_names, ah_attrs.auth)
+						, enum_show(&ah_transformid_names, ah_attrs.transid));
+					return BAD_PROPOSAL_SYNTAX;
+				}
+				if (!ok_auth)
+				{
+					DBG(DBG_CONTROL | DBG_CRYPT
+						, DBG_log("%s attribute unsupported"
+							" in %s Transform from %s"
+							, enum_name(&auth_alg_names, ah_attrs.auth)
+							, enum_show(&ah_transformid_names, ah_attrs.transid)
+							, ip_str(&c->spd.that.host_addr)));
+					continue;   /* try another */
+				}
+				break;  /* we seem to be happy */
+			}
+			if (tn == ah_proposal.isap_notrans)
+				continue;       /* we didn't find a nice one */
+			ah_attrs.spi = ah_spi;
+			inner_proto = IPPROTO_AH;
+			if (ah_attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL)
+				tunnel_mode = TRUE;
 		}
 
-		break;	/* we seem to be happy */
-	    }
-	    if (tn == esp_proposal.isap_notrans)
-		continue;	/* we didn't find a nice one */
-	    
-	    esp_attrs.spi = esp_spi;
-	    inner_proto = IPPROTO_ESP;
-	    if (esp_attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL)
-		tunnel_mode = TRUE;
-	}
-	else if (st->st_policy & POLICY_ENCRYPT)
-	{
-	    DBG(DBG_CONTROL | DBG_CRYPT
-		, DBG_log("policy for \"%s\" requires encryption but ESP not in Proposal from %s"
-		    , c->name, ip_str(&c->spd.that.host_addr)));
-	    continue;	/* we needed encryption, but didn't find ESP */
-	}
-	else if ((st->st_policy & POLICY_AUTHENTICATE) && !ah_seen)
-	{
-	    DBG(DBG_CONTROL | DBG_CRYPT
-		, DBG_log("policy for \"%s\" requires authentication"
-		    " but none in Proposal from %s"
-		    , c->name, ip_str(&c->spd.that.host_addr)));
-	    continue;	/* we need authentication, but we found neither ESP nor AH */
-	}
+		if (esp_seen)
+		{
+			int previous_transnum = -1;
+			int tn;
 
-	if (ipcomp_seen)
-	{
-	    int previous_transnum = -1;
-	    int tn;
-
-#ifdef NEVER	/* we think IPcomp is working now */
-	    /**** FUDGE TO PREVENT UNREQUESTED IPCOMP:
-	     **** NEEDED BECAUSE OUR IPCOMP IS EXPERIMENTAL (UNSTABLE).
-	     ****/
-	    if (!(st->st_policy & POLICY_COMPRESS))
-	    {
-		plog("compression proposed by %s, but policy for \"%s\" forbids it"
-		    , ip_str(&c->spd.that.host_addr), c->name);
-		continue;	/* unwanted compression proposal */
-	    }
+			for (tn = 0; tn != esp_proposal.isap_notrans; tn++)
+			{
+				if (!parse_ipsec_transform(&esp_trans
+				, &esp_attrs
+				, &esp_prop_pbs
+				, &esp_trans_pbs
+				, &isakmp_esp_transform_desc
+				, previous_transnum
+				, selection
+				, tn == esp_proposal.isap_notrans - 1
+				, FALSE
+				, st))
+					return BAD_PROPOSAL_SYNTAX;
+
+				previous_transnum = esp_trans.isat_transnum;
+
+				/* set default key length for AES encryption */
+				if (!esp_attrs.key_len && esp_attrs.transid == ESP_AES)
+				{
+					esp_attrs.key_len = 128; /* bits */
+				}
+
+				if (!kernel_alg_esp_enc_ok(esp_attrs.transid, esp_attrs.key_len
+					,c->alg_info_esp))
+				{
+					switch (esp_attrs.transid)
+					{
+					case ESP_3DES:
+						break;
+#ifdef SUPPORT_ESP_NULL /* should be about as secure as AH-only */
+					case ESP_NULL:
+						if (esp_attrs.auth == AUTH_ALGORITHM_NONE)
+						{
+							loglog(RC_LOG_SERIOUS, "ESP_NULL requires auth algorithm");
+							return BAD_PROPOSAL_SYNTAX;
+						}
+						if (st->st_policy & POLICY_ENCRYPT)
+						{
+							DBG(DBG_CONTROL | DBG_CRYPT
+									, DBG_log("ESP_NULL Transform Proposal from %s"
+										" does not satisfy POLICY_ENCRYPT"
+										, ip_str(&c->spd.that.host_addr)));
+							continue;   /* try another */
+						}
+						break;
 #endif
-	    if (!can_do_IPcomp)
-	    {
-		plog("compression proposed by %s, but KLIPS is not configured with IPCOMP"
-		    , ip_str(&c->spd.that.host_addr));
-		continue;
-	    }
-
-	    if (well_known_cpi != 0 && !ah_seen && !esp_seen)
-	    {
-		plog("illegal proposal: bare IPCOMP used with well-known CPI");
-		return BAD_PROPOSAL_SYNTAX;
-	    }
-
-	    for (tn = 0; tn != ipcomp_proposal.isap_notrans; tn++)
-	    {
-		if (!parse_ipsec_transform(&ipcomp_trans
-		, &ipcomp_attrs
-		, &ipcomp_prop_pbs
-		, &ipcomp_trans_pbs
-		, &isakmp_ipcomp_transform_desc
-		, previous_transnum
-		, selection
-		, tn == ipcomp_proposal.isap_notrans - 1
-		, TRUE
-		, st))
-		    return BAD_PROPOSAL_SYNTAX;
-
-		previous_transnum = ipcomp_trans.isat_transnum;
-
-		if (well_known_cpi != 0 && ipcomp_attrs.transid != well_known_cpi)
-		{
-		    plog("illegal proposal: IPCOMP well-known CPI disagrees with transform");
-		    return BAD_PROPOSAL_SYNTAX;
+					default:
+						DBG(DBG_CONTROL | DBG_CRYPT
+							, DBG_log("unsupported ESP Transform %s from %s"
+								, enum_show(&esp_transformid_names, esp_attrs.transid)
+								, ip_str(&c->spd.that.host_addr)));
+						continue;   /* try another */
+					}
+				}
+
+				if (!kernel_alg_esp_auth_ok(esp_attrs.auth, c->alg_info_esp))
+				{
+					switch (esp_attrs.auth)
+					{
+					case AUTH_ALGORITHM_NONE:
+						if (!ah_seen)
+						{
+							DBG(DBG_CONTROL | DBG_CRYPT
+								, DBG_log("ESP from %s must either have AUTH or be combined with AH"
+									, ip_str(&c->spd.that.host_addr)));
+							continue;   /* try another */
+						}
+						break;
+					case AUTH_ALGORITHM_HMAC_MD5:
+					case AUTH_ALGORITHM_HMAC_SHA1:
+						break;
+					default:
+						DBG(DBG_CONTROL | DBG_CRYPT
+							, DBG_log("unsupported ESP auth alg %s from %s"
+								, enum_show(&auth_alg_names, esp_attrs.auth)
+								, ip_str(&c->spd.that.host_addr)));
+						continue;   /* try another */
+					}
+				}
+
+				/* A last check for allowed transforms in alg_info_esp
+				 * (ALG_INFO_F_STRICT flag)
+				 */
+				if (!kernel_alg_esp_ok_final(esp_attrs.transid, esp_attrs.key_len
+					,esp_attrs.auth, c->alg_info_esp))
+				{
+					continue;
+				}
+
+				if (ah_seen && ah_attrs.encapsulation != esp_attrs.encapsulation)
+				{
+					/* ??? This should be an error, but is it? */
+					DBG(DBG_CONTROL | DBG_CRYPT
+						, DBG_log("AH and ESP transforms disagree about encapsulation; TUNNEL presumed"));
+				}
+
+				break;  /* we seem to be happy */
+			}
+			if (tn == esp_proposal.isap_notrans)
+				continue;       /* we didn't find a nice one */
+			
+			esp_attrs.spi = esp_spi;
+			inner_proto = IPPROTO_ESP;
+			if (esp_attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL)
+				tunnel_mode = TRUE;
 		}
-
-		switch (ipcomp_attrs.transid)
+		else if (st->st_policy & POLICY_ENCRYPT)
 		{
-		    case IPCOMP_DEFLATE:    /* all we can handle! */
-			break;
-
-		    default:
 			DBG(DBG_CONTROL | DBG_CRYPT
-			    , DBG_log("unsupported IPCOMP Transform %s from %s"
-				, enum_show(&ipcomp_transformid_names, ipcomp_attrs.transid)
-				, ip_str(&c->spd.that.host_addr)));
-			continue;   /* try another */
+				, DBG_log("policy for \"%s\" requires encryption but ESP not in Proposal from %s"
+					, c->name, ip_str(&c->spd.that.host_addr)));
+			continue;   /* we needed encryption, but didn't find ESP */
 		}
-
-		if (ah_seen && ah_attrs.encapsulation != ipcomp_attrs.encapsulation)
-		{
-		    /* ??? This should be an error, but is it? */
-		    DBG(DBG_CONTROL | DBG_CRYPT
-			, DBG_log("AH and IPCOMP transforms disagree about encapsulation; TUNNEL presumed"));
-		} else if (esp_seen && esp_attrs.encapsulation != ipcomp_attrs.encapsulation)
+		else if ((st->st_policy & POLICY_AUTHENTICATE) && !ah_seen)
 		{
-		    /* ??? This should be an error, but is it? */
-		    DBG(DBG_CONTROL | DBG_CRYPT
-			, DBG_log("ESP and IPCOMP transforms disagree about encapsulation; TUNNEL presumed"));
+			DBG(DBG_CONTROL | DBG_CRYPT
+				, DBG_log("policy for \"%s\" requires authentication"
+					" but none in Proposal from %s"
+					, c->name, ip_str(&c->spd.that.host_addr)));
+			continue;   /* we need authentication, but we found neither ESP nor AH */
 		}
 
-		break;	/* we seem to be happy */
-	    }
-	    if (tn == ipcomp_proposal.isap_notrans)
-		continue;	/* we didn't find a nice one */
-	    ipcomp_attrs.spi = ipcomp_cpi;
-	    inner_proto = IPPROTO_COMP;
-	    if (ipcomp_attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL)
-		tunnel_mode = TRUE;
-	}
+		if (ipcomp_seen)
+		{
+			int previous_transnum = -1;
+			int tn;
+
+#ifdef NEVER    /* we think IPcomp is working now */
+			/**** FUDGE TO PREVENT UNREQUESTED IPCOMP:
+			 **** NEEDED BECAUSE OUR IPCOMP IS EXPERIMENTAL (UNSTABLE).
+			 ****/
+			if (!(st->st_policy & POLICY_COMPRESS))
+			{
+				plog("compression proposed by %s, but policy for \"%s\" forbids it"
+					, ip_str(&c->spd.that.host_addr), c->name);
+				continue;       /* unwanted compression proposal */
+			}
+#endif
+			if (!can_do_IPcomp)
+			{
+				plog("compression proposed by %s, but KLIPS is not configured with IPCOMP"
+					, ip_str(&c->spd.that.host_addr));
+				continue;
+			}
 
-	/* Eureka: we liked what we saw -- accept it. */
+			if (well_known_cpi != 0 && !ah_seen && !esp_seen)
+			{
+				plog("illegal proposal: bare IPCOMP used with well-known CPI");
+				return BAD_PROPOSAL_SYNTAX;
+			}
 
-	if (r_sa_pbs != NULL)
-	{
-	    /* emit what we've accepted */
+			for (tn = 0; tn != ipcomp_proposal.isap_notrans; tn++)
+			{
+				if (!parse_ipsec_transform(&ipcomp_trans
+				, &ipcomp_attrs
+				, &ipcomp_prop_pbs
+				, &ipcomp_trans_pbs
+				, &isakmp_ipcomp_transform_desc
+				, previous_transnum
+				, selection
+				, tn == ipcomp_proposal.isap_notrans - 1
+				, TRUE
+				, st))
+					return BAD_PROPOSAL_SYNTAX;
+
+				previous_transnum = ipcomp_trans.isat_transnum;
+
+				if (well_known_cpi != 0 && ipcomp_attrs.transid != well_known_cpi)
+				{
+					plog("illegal proposal: IPCOMP well-known CPI disagrees with transform");
+					return BAD_PROPOSAL_SYNTAX;
+				}
+
+				switch (ipcomp_attrs.transid)
+				{
+					case IPCOMP_DEFLATE:    /* all we can handle! */
+						break;
+
+					default:
+						DBG(DBG_CONTROL | DBG_CRYPT
+							, DBG_log("unsupported IPCOMP Transform %s from %s"
+								, enum_show(&ipcomp_transformid_names, ipcomp_attrs.transid)
+								, ip_str(&c->spd.that.host_addr)));
+						continue;   /* try another */
+				}
+
+				if (ah_seen && ah_attrs.encapsulation != ipcomp_attrs.encapsulation)
+				{
+					/* ??? This should be an error, but is it? */
+					DBG(DBG_CONTROL | DBG_CRYPT
+						, DBG_log("AH and IPCOMP transforms disagree about encapsulation; TUNNEL presumed"));
+				} else if (esp_seen && esp_attrs.encapsulation != ipcomp_attrs.encapsulation)
+				{
+					/* ??? This should be an error, but is it? */
+					DBG(DBG_CONTROL | DBG_CRYPT
+						, DBG_log("ESP and IPCOMP transforms disagree about encapsulation; TUNNEL presumed"));
+				}
+
+				break;  /* we seem to be happy */
+			}
+			if (tn == ipcomp_proposal.isap_notrans)
+				continue;       /* we didn't find a nice one */
+			ipcomp_attrs.spi = ipcomp_cpi;
+			inner_proto = IPPROTO_COMP;
+			if (ipcomp_attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL)
+				tunnel_mode = TRUE;
+		}
 
-	    /* Situation */
-	    if (!out_struct(&ipsecdoisit, &ipsec_sit_desc, r_sa_pbs, NULL))
-		impossible();
+		/* Eureka: we liked what we saw -- accept it. */
 
-	    /* AH proposal */
-	    if (ah_seen)
-		echo_proposal(ah_proposal
-		    , ah_trans
-		    , esp_seen || ipcomp_seen? ISAKMP_NEXT_P : ISAKMP_NEXT_NONE
-		    , r_sa_pbs
-		    , &st->st_ah
-		    , &isakmp_ah_transform_desc
-		    , &ah_trans_pbs
-		    , &st->st_connection->spd
-		    , tunnel_mode && inner_proto == IPPROTO_AH);
-
-	    /* ESP proposal */
-	    if (esp_seen)
-		echo_proposal(esp_proposal
-		    , esp_trans
-		    , ipcomp_seen? ISAKMP_NEXT_P : ISAKMP_NEXT_NONE
-		    , r_sa_pbs
-		    , &st->st_esp
-		    , &isakmp_esp_transform_desc
-		    , &esp_trans_pbs
-		    , &st->st_connection->spd
-		    , tunnel_mode && inner_proto == IPPROTO_ESP);
-
-	    /* IPCOMP proposal */
-	    if (ipcomp_seen)
-		echo_proposal(ipcomp_proposal
-		    , ipcomp_trans
-		    , ISAKMP_NEXT_NONE
-		    , r_sa_pbs
-		    , &st->st_ipcomp
-		    , &isakmp_ipcomp_transform_desc
-		    , &ipcomp_trans_pbs
-		    , &st->st_connection->spd
-		    , tunnel_mode && inner_proto == IPPROTO_COMP);
-
-	    close_output_pbs(r_sa_pbs);
-	}
+		if (r_sa_pbs != NULL)
+		{
+			/* emit what we've accepted */
+
+			/* Situation */
+			if (!out_struct(&ipsecdoisit, &ipsec_sit_desc, r_sa_pbs, NULL))
+				impossible();
+
+			/* AH proposal */
+			if (ah_seen)
+				echo_proposal(ah_proposal
+					, ah_trans
+					, esp_seen || ipcomp_seen? ISAKMP_NEXT_P : ISAKMP_NEXT_NONE
+					, r_sa_pbs
+					, &st->st_ah
+					, &isakmp_ah_transform_desc
+					, &ah_trans_pbs
+					, &st->st_connection->spd
+					, tunnel_mode && inner_proto == IPPROTO_AH);
+
+			/* ESP proposal */
+			if (esp_seen)
+				echo_proposal(esp_proposal
+					, esp_trans
+					, ipcomp_seen? ISAKMP_NEXT_P : ISAKMP_NEXT_NONE
+					, r_sa_pbs
+					, &st->st_esp
+					, &isakmp_esp_transform_desc
+					, &esp_trans_pbs
+					, &st->st_connection->spd
+					, tunnel_mode && inner_proto == IPPROTO_ESP);
+
+			/* IPCOMP proposal */
+			if (ipcomp_seen)
+				echo_proposal(ipcomp_proposal
+					, ipcomp_trans
+					, ISAKMP_NEXT_NONE
+					, r_sa_pbs
+					, &st->st_ipcomp
+					, &isakmp_ipcomp_transform_desc
+					, &ipcomp_trans_pbs
+					, &st->st_connection->spd
+					, tunnel_mode && inner_proto == IPPROTO_COMP);
+
+			close_output_pbs(r_sa_pbs);
+		}
 
-	/* save decoded version of winning SA in state */
+		/* save decoded version of winning SA in state */
 
-	st->st_ah.present = ah_seen;
-	if (ah_seen)
-	    st->st_ah.attrs = ah_attrs;
+		st->st_ah.present = ah_seen;
+		if (ah_seen)
+			st->st_ah.attrs = ah_attrs;
 
-	st->st_esp.present = esp_seen;
-	if (esp_seen)
-	    st->st_esp.attrs = esp_attrs;
+		st->st_esp.present = esp_seen;
+		if (esp_seen)
+			st->st_esp.attrs = esp_attrs;
 
-	st->st_ipcomp.present = ipcomp_seen;
-	if (ipcomp_seen)
-	    st->st_ipcomp.attrs = ipcomp_attrs;
+		st->st_ipcomp.present = ipcomp_seen;
+		if (ipcomp_seen)
+			st->st_ipcomp.attrs = ipcomp_attrs;
 
-	return NOTHING_WRONG;
-    }
+		return NOTHING_WRONG;
+	}
 
-    loglog(RC_LOG_SERIOUS, "no acceptable Proposal in IPsec SA");
-    return NO_PROPOSAL_CHOSEN;
+	loglog(RC_LOG_SERIOUS, "no acceptable Proposal in IPsec SA");
+	return NO_PROPOSAL_CHOSEN;
 }
diff --git a/src/pluto/spdb.h b/src/pluto/spdb.h
index b098e247a..221cc00bb 100644
--- a/src/pluto/spdb.h
+++ b/src/pluto/spdb.h
@@ -10,8 +10,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: spdb.h 3252 2007-10-06 21:24:50Z andreas $
  */
 
 #ifndef _SPDB_H
@@ -25,39 +23,39 @@
  * Note: only "basic" values are represented so far.
  */
 struct db_attr {
-    u_int16_t type;	/* ISAKMP_ATTR_AF_TV is implied; 0 for end */
-    u_int16_t val;
+	u_int16_t type;     /* ISAKMP_ATTR_AF_TV is implied; 0 for end */
+	u_int16_t val;
 };
 
 /* transform */
 struct db_trans {
-    u_int8_t transid;	/* Transform-Id */
-    struct db_attr *attrs;	/* array */
-    int attr_cnt;	/* number of elements */
+	u_int8_t transid;   /* Transform-Id */
+	struct db_attr *attrs;      /* array */
+	int attr_cnt;       /* number of elements */
 };
 
 /* proposal */
 struct db_prop {
-    u_int8_t protoid;	/* Protocol-Id */
-    struct db_trans *trans;	/* array (disjunction) */
-    int trans_cnt;	/* number of elements */
-    /* SPI size and value isn't part of DB */
+	u_int8_t protoid;   /* Protocol-Id */
+	struct db_trans *trans;     /* array (disjunction) */
+	int trans_cnt;      /* number of elements */
+	/* SPI size and value isn't part of DB */
 };
 
 /* conjunction of proposals */
 struct db_prop_conj {
-    struct db_prop *props;	/* array */
-    int prop_cnt;	/* number of elements */
+	struct db_prop *props;      /* array */
+	int prop_cnt;       /* number of elements */
 };
 
 /* security association */
 struct db_sa {
-    struct db_prop_conj *prop_conjs;	/* array */
-    int prop_conj_cnt;	/* number of elements */
-    /* Hardwired for now;
-     * DOI: ISAKMP_DOI_IPSEC
-     * Situation: SIT_IDENTITY_ONLY
-     */
+	struct db_prop_conj *prop_conjs;    /* array */
+	int prop_conj_cnt;  /* number of elements */
+	/* Hardwired for now;
+	 * DOI: ISAKMP_DOI_IPSEC
+	 * Situation: SIT_IDENTITY_ONLY
+	 */
 };
 
 /* The oakley sadb */
@@ -72,38 +70,38 @@ extern struct db_sa ipsec_sadb[1 << 3];
 struct state;
 
 extern bool out_sa(
-    pb_stream *outs,
-    struct db_sa *sadb,
-    struct state *st,
-    bool oakley_mode,
-    u_int8_t np);
+	pb_stream *outs,
+	struct db_sa *sadb,
+	struct state *st,
+	bool oakley_mode,
+	u_int8_t np);
 
 extern notification_t preparse_isakmp_sa_body(
-    const struct isakmp_sa *sa,	/* header of input SA Payload */
-    pb_stream *sa_pbs,		/* body of input SA Payload */
-    u_int32_t *ipsecdoisit,	/* IPsec DOI SIT bitset */
-    pb_stream *proposal_pbs,	/* body of proposal Payload */
-    struct isakmp_proposal *proposal);
+	const struct isakmp_sa *sa, /* header of input SA Payload */
+	pb_stream *sa_pbs,          /* body of input SA Payload */
+	u_int32_t *ipsecdoisit,     /* IPsec DOI SIT bitset */
+	pb_stream *proposal_pbs,    /* body of proposal Payload */
+	struct isakmp_proposal *proposal);
 
 extern notification_t parse_isakmp_policy(
-    pb_stream *proposal_pbs,	/* body of proposal Payload */
-    u_int notrans,		/* number of transforms */
-    lset_t *policy);		/* RSA, PSK or XAUTH policy */
+	pb_stream *proposal_pbs,    /* body of proposal Payload */
+	u_int notrans,              /* number of transforms */
+	lset_t *policy);            /* RSA, PSK or XAUTH policy */
 
 extern notification_t parse_isakmp_sa_body(
-    u_int32_t ipsecdoisit,	/* IPsec DOI SIT bitset */
-    pb_stream *proposal_pbs,	/* body of proposal Payload */
-    struct isakmp_proposal *proposal,
-    pb_stream *r_sa_pbs,	/* if non-NULL, where to emit winning SA */
-    struct state *st,		/* current state object */
-    bool initiator);		/* is caller initiator? */
+	u_int32_t ipsecdoisit,      /* IPsec DOI SIT bitset */
+	pb_stream *proposal_pbs,    /* body of proposal Payload */
+	struct isakmp_proposal *proposal,
+	pb_stream *r_sa_pbs,        /* if non-NULL, where to emit winning SA */
+	struct state *st,           /* current state object */
+	bool initiator);            /* is caller initiator? */
 
 extern notification_t parse_ipsec_sa_body(
-    pb_stream *sa_pbs,		/* body of input SA Payload */
-    const struct isakmp_sa *sa,	/* header of input SA Payload */
-    pb_stream *r_sa_pbs,	/* if non-NULL, where to emit winning SA */
-    bool selection,		/* if this SA is a selection, only one tranform can appear */
-    struct state *st);		/* current state object */
+	pb_stream *sa_pbs,          /* body of input SA Payload */
+	const struct isakmp_sa *sa, /* header of input SA Payload */
+	pb_stream *r_sa_pbs,        /* if non-NULL, where to emit winning SA */
+	bool selection,             /* if this SA is a selection, only one tranform can appear */
+	struct state *st);          /* current state object */
 
 extern void backup_pbs(pb_stream *pbs);
 extern void restore_pbs(pb_stream *pbs);
diff --git a/src/pluto/state.c b/src/pluto/state.c
index 5372e86f5..6ce0d50e5 100644
--- a/src/pluto/state.c
+++ b/src/pluto/state.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: state.c 4924 2009-03-10 21:13:18Z andreas $
  */
 
 #include <stdio.h>
@@ -28,29 +26,28 @@
 
 #include <freeswan.h>
 
+#include <library.h>
+#include <crypto/rngs/rng.h>
+
 #include "constants.h"
 #include "defs.h"
 #include "connections.h"
 #include "state.h"
 #include "kernel.h"
 #include "log.h"
-#include "packet.h"	/* so we can calculate sizeof(struct isakmp_hdr) */
-#include "keys.h"	/* for free_public_key */
-#include "rnd.h"
+#include "packet.h"     /* so we can calculate sizeof(struct isakmp_hdr) */
+#include "keys.h"       /* for free_public_key */
 #include "timer.h"
 #include "whack.h"
-#include "demux.h"	/* needs packet.h */
-#include "ipsec_doi.h"	/* needs demux.h and state.h */
-
-#include "sha1.h"
-#include "md5.h"
-#include "crypto.h" /* requires sha1.h and md5.h */
+#include "demux.h"      /* needs packet.h */
+#include "ipsec_doi.h"  /* needs demux.h and state.h */
+#include "crypto.h"
 
 /*
  * Global variables: had to go somewhere, might as well be this file.
  */
 
-u_int16_t pluto_port = IKE_UDP_PORT;	/* Pluto's port */
+u_int16_t pluto_port = IKE_UDP_PORT;    /* Pluto's port */
 
 /*
  * This file has the functions that handle the
@@ -79,51 +76,53 @@ u_int16_t pluto_port = IKE_UDP_PORT;	/* Pluto's port */
 
 struct msgid_list
 {
-    msgid_t               msgid; /* network order */
-    struct msgid_list     *next;
+	msgid_t               msgid; /* network order */
+	struct msgid_list     *next;
 };
 
-bool
-reserve_msgid(struct state *isakmp_sa, msgid_t msgid)
+bool reserve_msgid(struct state *isakmp_sa, msgid_t msgid)
 {
-    struct msgid_list *p;
+	struct msgid_list *p;
 
-    passert(msgid != MAINMODE_MSGID);
-    passert(IS_ISAKMP_ENCRYPTED(isakmp_sa->st_state));
+	passert(msgid != MAINMODE_MSGID);
+	passert(IS_ISAKMP_ENCRYPTED(isakmp_sa->st_state));
 
-    for (p = isakmp_sa->st_used_msgids; p != NULL; p = p->next)
-	if (p->msgid == msgid)
-	    return FALSE;
+	for (p = isakmp_sa->st_used_msgids; p != NULL; p = p->next)
+		if (p->msgid == msgid)
+			return FALSE;
 
-    p = alloc_thing(struct msgid_list, "msgid");
-    p->msgid = msgid;
-    p->next = isakmp_sa->st_used_msgids;
-    isakmp_sa->st_used_msgids = p;
-    return TRUE;
+	p = malloc_thing(struct msgid_list);
+	p->msgid = msgid;
+	p->next = isakmp_sa->st_used_msgids;
+	isakmp_sa->st_used_msgids = p;
+	return TRUE;
 }
 
-msgid_t
-generate_msgid(struct state *isakmp_sa)
+msgid_t generate_msgid(struct state *isakmp_sa)
 {
-    int timeout = 100;	/* only try so hard for unique msgid */
-    msgid_t msgid;
+	int timeout = 100;  /* only try so hard for unique msgid */
+	msgid_t msgid;
+	rng_t *rng;
 
-    passert(IS_ISAKMP_ENCRYPTED(isakmp_sa->st_state));
+	passert(IS_ISAKMP_ENCRYPTED(isakmp_sa->st_state));
+	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
 
-    for (;;)
-    {
-	get_rnd_bytes((void *) &msgid, sizeof(msgid));
-	if (msgid != 0 && reserve_msgid(isakmp_sa, msgid))
-	    break;
-
-	if (--timeout == 0)
+	for (;;)
 	{
-	    plog("gave up looking for unique msgid; using 0x%08lx"
-		, (unsigned long) msgid);
-	    break;
+		rng->get_bytes(rng, sizeof(msgid), (void *) &msgid);
+		if (msgid != 0 && reserve_msgid(isakmp_sa, msgid))
+		{
+			break;
+		}
+		if (--timeout == 0)
+		{
+			plog("gave up looking for unique msgid; using 0x%08lx"
+				, (unsigned long) msgid);
+			break;
+		}
 	}
-    }
-    return msgid;
+	rng->destroy(rng);
+	return msgid;
 }
 
 
@@ -133,63 +132,61 @@ generate_msgid(struct state *isakmp_sa)
 
 static struct state *statetable[STATE_TABLE_SIZE];
 
-static struct state **
-state_hash(const u_char *icookie, const u_char *rcookie, const ip_address *peer)
+static struct state **state_hash(const u_char *icookie, const u_char *rcookie,
+								 const ip_address *peer)
 {
-    u_int i = 0, j;
-    const unsigned char *byte_ptr;
-    size_t length = addrbytesptr(peer, &byte_ptr);
+	u_int i = 0, j;
+	const unsigned char *byte_ptr;
+	size_t length = addrbytesptr(peer, &byte_ptr);
 
-    DBG(DBG_RAW | DBG_CONTROL,
-	DBG_dump("ICOOKIE:", icookie, COOKIE_SIZE);
-	DBG_dump("RCOOKIE:", rcookie, COOKIE_SIZE);
-	DBG_dump("peer:", byte_ptr, length));
+	DBG(DBG_RAW | DBG_CONTROL,
+		DBG_dump("ICOOKIE:", icookie, COOKIE_SIZE);
+		DBG_dump("RCOOKIE:", rcookie, COOKIE_SIZE);
+		DBG_dump("peer:", byte_ptr, length));
 
-    /* XXX the following hash is pretty pathetic */
+	/* XXX the following hash is pretty pathetic */
 
-    for (j = 0; j < COOKIE_SIZE; j++)
-	i = i * 407 + icookie[j] + rcookie[j];
+	for (j = 0; j < COOKIE_SIZE; j++)
+		i = i * 407 + icookie[j] + rcookie[j];
 
-    for (j = 0; j < length; j++)
-	i = i * 613 + byte_ptr[j];
+	for (j = 0; j < length; j++)
+		i = i * 613 + byte_ptr[j];
 
-    i = i % STATE_TABLE_SIZE;
+	i = i % STATE_TABLE_SIZE;
 
-    DBG(DBG_CONTROL, DBG_log("state hash entry %d", i));
+	DBG(DBG_CONTROL, DBG_log("state hash entry %d", i));
 
-    return &statetable[i];
+	return &statetable[i];
 }
 
 /* Get a state object.
  * Caller must schedule an event for this object so that it doesn't leak.
  * Caller must insert_state().
  */
-struct state *
-new_state(void)
+struct state *new_state(void)
 {
-    static const struct state blank_state;	/* initialized all to zero & NULL */
-    static so_serial_t next_so = SOS_FIRST;
-    struct state *st;
-
-    st = clone_thing(blank_state, "struct state in new_state()");
-    st->st_serialno = next_so++;
-    passert(next_so > SOS_FIRST);	/* overflow can't happen! */
-    st->st_whack_sock = NULL_FD;
-    DBG(DBG_CONTROL, DBG_log("creating state object #%lu at %p",
-	st->st_serialno, (void *) st));
-    return st;
+	static const struct state blank_state;      /* initialized all to zero & NULL */
+	static so_serial_t next_so = SOS_FIRST;
+	struct state *st;
+
+	st = clone_thing(blank_state);
+	st->st_serialno = next_so++;
+	passert(next_so > SOS_FIRST);       /* overflow can't happen! */
+	st->st_whack_sock = NULL_FD;
+	DBG(DBG_CONTROL, DBG_log("creating state object #%lu at %p",
+		st->st_serialno, (void *) st));
+	return st;
 }
 
 /*
  * Initialize the state table (and mask*).
  */
-void
-init_states(void)
+void init_states(void)
 {
-    int i;
+	int i;
 
-    for (i = 0; i < STATE_TABLE_SIZE; i++)
-	statetable[i] = (struct state *) NULL;
+	for (i = 0; i < STATE_TABLE_SIZE; i++)
+		statetable[i] = (struct state *) NULL;
 }
 
 /* Find the state object with this serial number.
@@ -199,627 +196,619 @@ init_states(void)
  * If this turns out to be a significant CPU hog, it could be
  * improved to use a hash table rather than sequential seartch.
  */
-struct state *
-state_with_serialno(so_serial_t sn)
+struct state *state_with_serialno(so_serial_t sn)
 {
-    if (sn >= SOS_FIRST)
-    {
-	struct state *st;
-	int i;
+	if (sn >= SOS_FIRST)
+	{
+		struct state *st;
+		int i;
 
-	for (i = 0; i < STATE_TABLE_SIZE; i++)
-	    for (st = statetable[i]; st != NULL; st = st->st_hashchain_next)
-		if (st->st_serialno == sn)
-		    return st;
-    }
-    return NULL;
+		for (i = 0; i < STATE_TABLE_SIZE; i++)
+			for (st = statetable[i]; st != NULL; st = st->st_hashchain_next)
+				if (st->st_serialno == sn)
+					return st;
+	}
+	return NULL;
 }
 
 /* Insert a state object in the hash table. The object is inserted
  * at the begining of list.
  * Needs cookies, connection, and msgid.
  */
-void
-insert_state(struct state *st)
+void insert_state(struct state *st)
 {
-    struct state **p = state_hash(st->st_icookie, st->st_rcookie
-	, &st->st_connection->spd.that.host_addr);
-
-    passert(st->st_hashchain_prev == NULL && st->st_hashchain_next == NULL);
-
-    if (*p != NULL)
-    {
-	passert((*p)->st_hashchain_prev == NULL);
-	(*p)->st_hashchain_prev = st;
-    }
-    st->st_hashchain_next = *p;
-    *p = st;
-
-    /* Ensure that somebody is in charge of killing this state:
-     * if no event is scheduled for it, schedule one to discard the state.
-     * If nothing goes wrong, this event will be replaced by
-     * a more appropriate one.
-     */
-    if (st->st_event == NULL)
-	event_schedule(EVENT_SO_DISCARD, 0, st);
+	struct state **p = state_hash(st->st_icookie, st->st_rcookie
+		, &st->st_connection->spd.that.host_addr);
+
+	passert(st->st_hashchain_prev == NULL && st->st_hashchain_next == NULL);
+
+	if (*p != NULL)
+	{
+		passert((*p)->st_hashchain_prev == NULL);
+		(*p)->st_hashchain_prev = st;
+	}
+	st->st_hashchain_next = *p;
+	*p = st;
+
+	/* Ensure that somebody is in charge of killing this state:
+	 * if no event is scheduled for it, schedule one to discard the state.
+	 * If nothing goes wrong, this event will be replaced by
+	 * a more appropriate one.
+	 */
+	if (st->st_event == NULL)
+		event_schedule(EVENT_SO_DISCARD, 0, st);
 }
 
 /* unlink a state object from the hash table, but don't free it
  */
-void
-unhash_state(struct state *st)
+void unhash_state(struct state *st)
 {
-    /* unlink from forward chain */
-    struct state **p = st->st_hashchain_prev == NULL
-	? state_hash(st->st_icookie, st->st_rcookie
-		     , &st->st_connection->spd.that.host_addr)
-	: &st->st_hashchain_prev->st_hashchain_next;
-
-    /* unlink from forward chain */
-    passert(*p == st);
-    *p = st->st_hashchain_next;
-
-    /* unlink from backward chain */
-    if (st->st_hashchain_next != NULL)
-    {
-	passert(st->st_hashchain_next->st_hashchain_prev == st);
-	st->st_hashchain_next->st_hashchain_prev = st->st_hashchain_prev;
-    }
-
-    st->st_hashchain_next = st->st_hashchain_prev = NULL;
+	/* unlink from forward chain */
+	struct state **p = st->st_hashchain_prev == NULL
+		? state_hash(st->st_icookie, st->st_rcookie
+					 , &st->st_connection->spd.that.host_addr)
+		: &st->st_hashchain_prev->st_hashchain_next;
+
+	/* unlink from forward chain */
+	passert(*p == st);
+	*p = st->st_hashchain_next;
+
+	/* unlink from backward chain */
+	if (st->st_hashchain_next != NULL)
+	{
+		passert(st->st_hashchain_next->st_hashchain_prev == st);
+		st->st_hashchain_next->st_hashchain_prev = st->st_hashchain_prev;
+	}
+
+	st->st_hashchain_next = st->st_hashchain_prev = NULL;
 }
 
 /* Free the Whack socket file descriptor.
  * This has the side effect of telling Whack that we're done.
  */
-void
-release_whack(struct state *st)
+void release_whack(struct state *st)
 {
-    close_any(st->st_whack_sock);
+	close_any(st->st_whack_sock);
 }
 
-/* delete a state object */
-void
-delete_state(struct state *st)
+/**
+ * Delete a state object
+ */
+void delete_state(struct state *st)
 {
-    struct connection *const c = st->st_connection;
-    struct state *old_cur_state = cur_state == st? NULL : cur_state;
-
-    set_cur_state(st);
+	struct connection *const c = st->st_connection;
+	struct state *old_cur_state = cur_state == st? NULL : cur_state;
 
-    /* If DPD is enabled on this state object, clear any pending events */
-    if(st->st_dpd_event != NULL)
-            delete_dpd_event(st);
+	set_cur_state(st);
 
-    /* if there is a suspended state transition, disconnect us */
-    if (st->st_suspended_md != NULL)
-    {
-	passert(st->st_suspended_md->st == st);
-	st->st_suspended_md->st = NULL;
-    }
+	/* If DPD is enabled on this state object, clear any pending events */
+	if(st->st_dpd_event != NULL)
+			delete_dpd_event(st);
 
-    /* tell the other side of any IPSEC SAs that are going down */
-    if (IS_IPSEC_SA_ESTABLISHED(st->st_state)
-    || IS_ISAKMP_SA_ESTABLISHED(st->st_state))
-	send_delete(st);
+	/* if there is a suspended state transition, disconnect us */
+	if (st->st_suspended_md != NULL)
+	{
+		passert(st->st_suspended_md->st == st);
+		st->st_suspended_md->st = NULL;
+	}
 
-    delete_event(st);	/* delete any pending timer event */
+	/* tell the other side of any IPSEC SAs that are going down */
+	if (IS_IPSEC_SA_ESTABLISHED(st->st_state)
+	|| IS_ISAKMP_SA_ESTABLISHED(st->st_state))
+		send_delete(st);
 
-    /* Ditch anything pending on ISAKMP SA being established.
-     * Note: this must be done before the unhash_state to prevent
-     * flush_pending_by_state inadvertently and prematurely
-     * deleting our connection.
-     */
-    flush_pending_by_state(st);
+	delete_event(st);   /* delete any pending timer event */
 
-    /* effectively, this deletes any ISAKMP SA that this state represents */
-    unhash_state(st);
+	/* Ditch anything pending on ISAKMP SA being established.
+	 * Note: this must be done before the unhash_state to prevent
+	 * flush_pending_by_state inadvertently and prematurely
+	 * deleting our connection.
+	 */
+	flush_pending_by_state(st);
 
-    /* tell kernel to delete any IPSEC SA
-     * ??? we ought to tell peer to delete IPSEC SAs
-     */
-    if (IS_IPSEC_SA_ESTABLISHED(st->st_state))
-	delete_ipsec_sa(st, FALSE);
-    else if (IS_ONLY_INBOUND_IPSEC_SA_ESTABLISHED(st->st_state))
-	delete_ipsec_sa(st, TRUE);
+	/* effectively, this deletes any ISAKMP SA that this state represents */
+	unhash_state(st);
 
-    if (c->newest_ipsec_sa == st->st_serialno)
-	c->newest_ipsec_sa = SOS_NOBODY;
+	/* tell kernel to delete any IPSEC SA
+	 * ??? we ought to tell peer to delete IPSEC SAs
+	 */
+	if (IS_IPSEC_SA_ESTABLISHED(st->st_state))
+		delete_ipsec_sa(st, FALSE);
+	else if (IS_ONLY_INBOUND_IPSEC_SA_ESTABLISHED(st->st_state))
+		delete_ipsec_sa(st, TRUE);
 
-    if (c->newest_isakmp_sa == st->st_serialno)
-	c->newest_isakmp_sa = SOS_NOBODY;
+	if (c->newest_ipsec_sa == st->st_serialno)
+		c->newest_ipsec_sa = SOS_NOBODY;
 
-    st->st_connection = NULL;	/* we might be about to free it */
-    cur_state = old_cur_state;	/* without st_connection, st isn't complete */
-    connection_discard(c);
+	if (c->newest_isakmp_sa == st->st_serialno)
+		c->newest_isakmp_sa = SOS_NOBODY;
 
-    release_whack(st);
+	st->st_connection = NULL;   /* we might be about to free it */
+	cur_state = old_cur_state;  /* without st_connection, st isn't complete */
+	connection_discard(c);
 
-    /* from here on we are just freeing RAM */
+	release_whack(st);
 
-    {
-	struct msgid_list *p = st->st_used_msgids;
+	/* from here on we are just freeing RAM */
 
-	while (p != NULL)
 	{
-	    struct msgid_list *q = p;
-	    p = p->next;
-	    pfree(q);
+		struct msgid_list *p = st->st_used_msgids;
+
+		while (p != NULL)
+		{
+			struct msgid_list *q = p;
+			p = p->next;
+			free(q);
+		}
 	}
-    }
-
-    unreference_key(&st->st_peer_pubkey);
-
-    if (st->st_sec_in_use)
-	mpz_clear(&(st->st_sec));
-
-    pfreeany(st->st_tpacket.ptr);
-    pfreeany(st->st_rpacket.ptr);
-    pfreeany(st->st_p1isa.ptr);
-    pfreeany(st->st_gi.ptr);
-    pfreeany(st->st_gr.ptr);
-    pfreeany(st->st_shared.ptr);
-    pfreeany(st->st_ni.ptr);
-    pfreeany(st->st_nr.ptr);
-    pfreeany(st->st_skeyid.ptr);
-    pfreeany(st->st_skeyid_d.ptr);
-    pfreeany(st->st_skeyid_a.ptr);
-    pfreeany(st->st_skeyid_e.ptr);
-    pfreeany(st->st_enc_key.ptr);
-    pfreeany(st->st_ah.our_keymat);
-    pfreeany(st->st_ah.peer_keymat);
-    pfreeany(st->st_esp.our_keymat);
-    pfreeany(st->st_esp.peer_keymat);
-
-    pfree(st);
+
+	unreference_key(&st->st_peer_pubkey);
+
+	DESTROY_IF(st->st_dh);
+
+	free(st->st_tpacket.ptr);
+	free(st->st_rpacket.ptr);
+	free(st->st_p1isa.ptr);
+	free(st->st_gi.ptr);
+	free(st->st_gr.ptr);
+	free(st->st_shared.ptr);
+	free(st->st_ni.ptr);
+	free(st->st_nr.ptr);
+	free(st->st_skeyid.ptr);
+	free(st->st_skeyid_d.ptr);
+	free(st->st_skeyid_a.ptr);
+	free(st->st_skeyid_e.ptr);
+	free(st->st_enc_key.ptr);
+	free(st->st_ah.our_keymat);
+	free(st->st_ah.peer_keymat);
+	free(st->st_esp.our_keymat);
+	free(st->st_esp.peer_keymat);
+
+	free(st);
 }
 
-/*
+/**
  * Is a connection in use by some state?
  */
-bool
-states_use_connection(struct connection *c)
+bool states_use_connection(struct connection *c)
 {
-    /* are there any states still using it? */
-    struct state *st = NULL;
-    int i;
+	/* are there any states still using it? */
+	struct state *st = NULL;
+	int i;
 
-    for (i = 0; st == NULL && i < STATE_TABLE_SIZE; i++)
-	for (st = statetable[i]; st != NULL; st = st->st_hashchain_next)
-	    if (st->st_connection == c)
-		return TRUE;
+	for (i = 0; st == NULL && i < STATE_TABLE_SIZE; i++)
+		for (st = statetable[i]; st != NULL; st = st->st_hashchain_next)
+			if (st->st_connection == c)
+				return TRUE;
 
-    return FALSE;
+	return FALSE;
 }
 
-/*
- * delete all states that were created for a given connection.
+/**
+ * Delete all states that were created for a given connection.
  * if relations == TRUE, then also delete states that share
  * the same phase 1 SA.
  */
-void
-delete_states_by_connection(struct connection *c, bool relations)
+void delete_states_by_connection(struct connection *c, bool relations)
 {
-    int pass;
-    /* this kludge avoids an n^2 algorithm */
-    enum connection_kind ck = c->kind;
-    struct spd_route *sr;
-
-    /* save this connection's isakmp SA, since it will get set to later SOS_NOBODY */
-    so_serial_t parent_sa = c->newest_isakmp_sa;
-
-    if (ck == CK_INSTANCE)
-	c->kind = CK_GOING_AWAY;
-
-    /* We take two passes so that we delete any ISAKMP SAs last.
-     * This allows Delete Notifications to be sent.
-     * ?? We could probably double the performance by caching any
-     * ISAKMP SA states found in the first pass, avoiding a second.
-     */
-    for (pass = 0; pass != 2; pass++)
-    {
-	int i;
-
-	/* For each hash chain... */
-	for (i = 0; i < STATE_TABLE_SIZE; i++)
+	int pass;
+	/* this kludge avoids an n^2 algorithm */
+	enum connection_kind ck = c->kind;
+	struct spd_route *sr;
+
+	/* save this connection's isakmp SA, since it will get set to later SOS_NOBODY */
+	so_serial_t parent_sa = c->newest_isakmp_sa;
+
+	if (ck == CK_INSTANCE)
+		c->kind = CK_GOING_AWAY;
+
+	/* We take two passes so that we delete any ISAKMP SAs last.
+	 * This allows Delete Notifications to be sent.
+	 * ?? We could probably double the performance by caching any
+	 * ISAKMP SA states found in the first pass, avoiding a second.
+	 */
+	for (pass = 0; pass != 2; pass++)
 	{
-	    struct state *st;
+		int i;
 
-	    /* For each state in the hash chain... */
-	    for (st = statetable[i]; st != NULL; )
-	    {
-		struct state *this = st;
+		/* For each hash chain... */
+		for (i = 0; i < STATE_TABLE_SIZE; i++)
+		{
+			struct state *st;
+
+			/* For each state in the hash chain... */
+			for (st = statetable[i]; st != NULL; )
+			{
+				struct state *this = st;
 
-		st = st->st_hashchain_next;	/* before this is deleted */
+				st = st->st_hashchain_next;     /* before this is deleted */
 
 
-                if ((this->st_connection == c
-			|| (relations && parent_sa != SOS_NOBODY
-			&& this->st_clonedfrom == parent_sa))
-			&& (pass == 1 || !IS_ISAKMP_SA_ESTABLISHED(this->st_state)))
-                {
-                    struct state *old_cur_state
-                        = cur_state == this? NULL : cur_state;
+				if ((this->st_connection == c
+						|| (relations && parent_sa != SOS_NOBODY
+						&& this->st_clonedfrom == parent_sa))
+						&& (pass == 1 || !IS_ISAKMP_SA_ESTABLISHED(this->st_state)))
+				{
+					struct state *old_cur_state
+						= cur_state == this? NULL : cur_state;
 #ifdef DEBUG
-		    lset_t old_cur_debugging = cur_debugging;
+					lset_t old_cur_debugging = cur_debugging;
 #endif
 
-		    set_cur_state(this);
-		    plog("deleting state (%s)"
-			, enum_show(&state_names, this->st_state));
-		    delete_state(this);
-		    cur_state = old_cur_state;
+					set_cur_state(this);
+					plog("deleting state (%s)"
+						, enum_show(&state_names, this->st_state));
+					delete_state(this);
+					cur_state = old_cur_state;
 #ifdef DEBUG
-		    cur_debugging = old_cur_debugging;
+					cur_debugging = old_cur_debugging;
 #endif
+				}
+			}
 		}
-	    }
 	}
-    }
-    
-    sr = &c->spd;
-    while (sr != NULL)
-    {
-	passert(sr->eroute_owner == SOS_NOBODY);
-	passert(sr->routing != RT_ROUTED_TUNNEL);
-	sr = sr->next;
-    }
-    c->kind = ck;
+	
+	sr = &c->spd;
+	while (sr != NULL)
+	{
+		passert(sr->eroute_owner == SOS_NOBODY);
+		passert(sr->routing != RT_ROUTED_TUNNEL);
+		sr = sr->next;
+	}
+	c->kind = ck;
 }
 
-/* Walk through the state table, and delete each state whose phase 1 (IKE)
+/**
+ * Walk through the state table, and delete each state whose phase 1 (IKE)
  * peer is among those given.
  */
-void
-delete_states_by_peer(ip_address *peer)
+void delete_states_by_peer(ip_address *peer)
 {
-    char peerstr[ADDRTOT_BUF];
-    int i;
-
-    addrtot(peer, 0, peerstr, sizeof(peerstr));
+	char peerstr[ADDRTOT_BUF];
+	int i;
 
-    /* For each hash chain... */
-    for (i = 0; i < STATE_TABLE_SIZE; i++)
-    {
-	struct state *st;
+	addrtot(peer, 0, peerstr, sizeof(peerstr));
 
-	/* For each state in the hash chain... */
-	for (st = statetable[i]; st != NULL; )
+	/* For each hash chain... */
+	for (i = 0; i < STATE_TABLE_SIZE; i++)
 	{
-	    struct state *this = st;
-	    struct spd_route *sr;
-	    struct connection *c = this->st_connection;
-
-	    st = st->st_hashchain_next;	/* before this is deleted */
+		struct state *st;
 
-	    /* ??? Is it not the case that the peer is the same for all spds? */
-	    for (sr = &c->spd; sr != NULL; sr = sr->next)
-	    {
-		if (sameaddr(&sr->that.host_addr, peer))
+		/* For each state in the hash chain... */
+		for (st = statetable[i]; st != NULL; )
 		{
-		    plog("peer %s for connection %s deleting - claimed to have crashed"
-			 , peerstr
-			 , c->name);
-		    delete_states_by_connection(c, TRUE);
-		    if (c->kind == CK_INSTANCE)
-	    		delete_connection(c, TRUE);
-		    break;	/* can only delete it once */
+			struct state *this = st;
+			struct spd_route *sr;
+			struct connection *c = this->st_connection;
+
+			st = st->st_hashchain_next; /* before this is deleted */
+
+			/* ??? Is it not the case that the peer is the same for all spds? */
+			for (sr = &c->spd; sr != NULL; sr = sr->next)
+			{
+				if (sameaddr(&sr->that.host_addr, peer))
+				{
+					plog("peer %s for connection %s deleting - claimed to have crashed"
+						 , peerstr
+						 , c->name);
+					delete_states_by_connection(c, TRUE);
+					if (c->kind == CK_INSTANCE)
+						delete_connection(c, TRUE);
+					break;      /* can only delete it once */
+				}
+			}
 		}
-	    }
 	}
-    }
 }
 
 /* Duplicate a Phase 1 state object, to create a Phase 2 object.
  * Caller must schedule an event for this object so that it doesn't leak.
  * Caller must insert_state().
  */
-struct state *
-duplicate_state(struct state *st)
+struct state *duplicate_state(struct state *st)
 {
-    struct state *nst;
-
-    DBG(DBG_CONTROL, DBG_log("duplicating state object #%lu",
-	st->st_serialno));
-
-    /* record use of the Phase 1 state */
-    st->st_outbound_count++;
-    st->st_outbound_time = now();
-
-    nst = new_state();
-
-    memcpy(nst->st_icookie, st->st_icookie, COOKIE_SIZE);
-    memcpy(nst->st_rcookie, st->st_rcookie, COOKIE_SIZE);
-    
-    nst->st_connection = st->st_connection;
-    nst->st_doi = st->st_doi;
-    nst->st_situation = st->st_situation;
-    nst->st_clonedfrom = st->st_serialno;
-    nst->st_oakley = st->st_oakley;
-    nst->st_modecfg = st->st_modecfg;
-
-#   define clone_chunk(ch, name) \
-	clonetochunk(nst->ch, st->ch.ptr, st->ch.len, name)
-
-    clone_chunk(st_skeyid_d, "st_skeyid_d in duplicate_state");
-    clone_chunk(st_skeyid_a, "st_skeyid_a in duplicate_state");
-    clone_chunk(st_skeyid_e, "st_skeyid_e in duplicate_state");
-    clone_chunk(st_enc_key, "st_enc_key in duplicate_state");
-
-#   undef clone_chunk
-
-    return nst;
+	struct state *nst;
+
+	DBG(DBG_CONTROL, DBG_log("duplicating state object #%lu",
+		st->st_serialno));
+
+	/* record use of the Phase 1 state */
+	st->st_outbound_count++;
+	st->st_outbound_time = now();
+
+	nst = new_state();
+
+	memcpy(nst->st_icookie, st->st_icookie, COOKIE_SIZE);
+	memcpy(nst->st_rcookie, st->st_rcookie, COOKIE_SIZE);
+	
+	nst->st_connection = st->st_connection;
+	nst->st_doi = st->st_doi;
+	nst->st_situation = st->st_situation;
+	nst->st_clonedfrom = st->st_serialno;
+	nst->st_oakley = st->st_oakley;
+	nst->st_modecfg = st->st_modecfg;
+	nst->st_skeyid_d = chunk_clone(st->st_skeyid_d);
+	nst->st_skeyid_a = chunk_clone(st->st_skeyid_a);
+	nst->st_skeyid_e = chunk_clone(st->st_skeyid_e);
+	nst->st_enc_key = chunk_clone(st->st_enc_key);
+
+	return nst;
 }
 
 #if 1
 void for_each_state(void *(f)(struct state *, void *data), void *data)
 {
-	struct state *st, *ocs = cur_state;
-	int i;
-	for (i=0; i<STATE_TABLE_SIZE; i++) {
-		for (st = statetable[i]; st != NULL; st = st->st_hashchain_next) {
-			set_cur_state(st);
-			f(st, data);
+		struct state *st, *ocs = cur_state;
+		int i;
+		for (i=0; i<STATE_TABLE_SIZE; i++) {
+				for (st = statetable[i]; st != NULL; st = st->st_hashchain_next) {
+						set_cur_state(st);
+						f(st, data);
+				}
 		}
-	}
-	cur_state = ocs;
+		cur_state = ocs;
 }
 #endif
 
-/*
+/**
  * Find a state object.
  */
-struct state *
-find_state(const u_char *icookie
-, const u_char *rcookie
-, const ip_address *peer
-, msgid_t /*network order*/ msgid)
+struct state *find_state(const u_char *icookie, const u_char *rcookie,
+						 const ip_address *peer, msgid_t msgid)
 {
-    struct state *st = *state_hash(icookie, rcookie, peer);
-
-    while (st != (struct state *) NULL)
-	if (sameaddr(peer, &st->st_connection->spd.that.host_addr)
-	&& memcmp(icookie, st->st_icookie, COOKIE_SIZE) == 0
-	&& memcmp(rcookie, st->st_rcookie, COOKIE_SIZE) == 0
-	&& msgid == st->st_msgid)
-	    break;
-	else
-	    st = st->st_hashchain_next;
-
-    DBG(DBG_CONTROL,
-	if (st == NULL)
-	    DBG_log("state object not found");
-	else
-	    DBG_log("state object #%lu found, in %s"
-		, st->st_serialno
-		, enum_show(&state_names, st->st_state)));
+	struct state *st = *state_hash(icookie, rcookie, peer);
 
-    return st;
+	while (st != (struct state *) NULL)
+	{
+		if (sameaddr(peer, &st->st_connection->spd.that.host_addr)
+		&& memeq(icookie, st->st_icookie, COOKIE_SIZE)
+		&& memeq(rcookie, st->st_rcookie, COOKIE_SIZE)
+		&& msgid == st->st_msgid)
+		{
+			break;
+		}
+		else
+		{
+			st = st->st_hashchain_next;
+		}
+	}
+	DBG(DBG_CONTROL,
+		if (st == NULL)
+			DBG_log("state object not found");
+		else
+			DBG_log("state object #%lu found, in %s"
+				, st->st_serialno
+				, enum_show(&state_names, st->st_state)));
+
+	return st;
 }
 
-/* Find the state that sent a packet
+/**
+ * Find the state that sent a packet
  * ??? this could be expensive -- it should be rate-limited to avoid DoS
  */
-struct state *
-find_sender(size_t packet_len, u_char *packet)
+struct state *find_sender(size_t packet_len, u_char *packet)
 {
-    int i;
-    struct state *st;
-
-    if (packet_len >= sizeof(struct isakmp_hdr))
-	for (i = 0; i < STATE_TABLE_SIZE; i++)
-	    for (st = statetable[i]; st != NULL; st = st->st_hashchain_next)
-		if (st->st_tpacket.ptr != NULL
-		&& st->st_tpacket.len == packet_len
-		&& memcmp(st->st_tpacket.ptr, packet, packet_len) == 0)
-		    return st;
+	int i;
+	struct state *st;
 
-    return NULL;
+	if (packet_len >= sizeof(struct isakmp_hdr))
+	{
+		for (i = 0; i < STATE_TABLE_SIZE; i++)
+		{
+			for (st = statetable[i]; st != NULL; st = st->st_hashchain_next)
+			{
+				if (st->st_tpacket.ptr != NULL
+				&& st->st_tpacket.len == packet_len
+				&& memeq(st->st_tpacket.ptr, packet, packet_len))
+				{
+					return st;
+				}
+			}
+		}
+	}
+	return NULL;
 }
 
-struct state *
-find_phase2_state_to_delete(const struct state *p1st
-, u_int8_t protoid
-, ipsec_spi_t spi
-, bool *bogus)
+struct state *find_phase2_state_to_delete(const struct state *p1st,
+										  u_int8_t protoid, ipsec_spi_t spi,
+										  bool *bogus)
 {
-    struct state *st;
-    int i;
+	struct state *st;
+	int i;
 
-    *bogus = FALSE;
-    for (i = 0; i < STATE_TABLE_SIZE; i++)
-    {
-	for (st = statetable[i]; st != NULL; st = st->st_hashchain_next)
+	*bogus = FALSE;
+	for (i = 0; i < STATE_TABLE_SIZE; i++)
 	{
-	    if (IS_IPSEC_SA_ESTABLISHED(st->st_state)
-	    && p1st->st_connection->host_pair == st->st_connection->host_pair
-	    && same_peer_ids(p1st->st_connection, st->st_connection, NULL))
-	    {
-		struct ipsec_proto_info *pr = protoid == PROTO_IPSEC_AH
-		    ? &st->st_ah : &st->st_esp;
-
-		if (pr->present)
+		for (st = statetable[i]; st != NULL; st = st->st_hashchain_next)
 		{
-		    if (pr->attrs.spi == spi)
-			return st;
-		    if (pr->our_spi == spi)
-			*bogus = TRUE;
+			if (IS_IPSEC_SA_ESTABLISHED(st->st_state)
+			&& p1st->st_connection->host_pair == st->st_connection->host_pair
+			&& same_peer_ids(p1st->st_connection, st->st_connection, NULL))
+			{
+				struct ipsec_proto_info *pr = protoid == PROTO_IPSEC_AH
+					? &st->st_ah : &st->st_esp;
+
+				if (pr->present)
+				{
+					if (pr->attrs.spi == spi)
+						return st;
+					if (pr->our_spi == spi)
+						*bogus = TRUE;
+				}
+			}
 		}
-	    }
 	}
-    }
-    return NULL;
+	return NULL;
 }
 
-/* Find newest Phase 1 negotiation state object for suitable for connection c
+/**
+ * Find newest Phase 1 negotiation state object for suitable for connection c
  */
-struct state *
-find_phase1_state(const struct connection *c, lset_t ok_states)
+struct state *find_phase1_state(const struct connection *c, lset_t ok_states)
 {
-    struct state
-	*st,
-	*best = NULL;
-    int i;
-
-    for (i = 0; i < STATE_TABLE_SIZE; i++)
-	for (st = statetable[i]; st != NULL; st = st->st_hashchain_next)
-	    if (LHAS(ok_states, st->st_state)
-	    && c->host_pair == st->st_connection->host_pair
-	    && same_peer_ids(c, st->st_connection, NULL)
-	    && (best == NULL || best->st_serialno < st->st_serialno))
-		best = st;
-
-    return best;
+	struct state
+		*st,
+		*best = NULL;
+	int i;
+
+	for (i = 0; i < STATE_TABLE_SIZE; i++)
+		for (st = statetable[i]; st != NULL; st = st->st_hashchain_next)
+			if (LHAS(ok_states, st->st_state)
+			&& c->host_pair == st->st_connection->host_pair
+			&& same_peer_ids(c, st->st_connection, NULL)
+			&& (best == NULL || best->st_serialno < st->st_serialno))
+				best = st;
+
+	return best;
 }
 
-void
-state_eroute_usage(ip_subnet *ours, ip_subnet *his
-, unsigned long count, time_t nw)
+void state_eroute_usage(ip_subnet *ours, ip_subnet *his, unsigned long count,
+						time_t nw)
 {
-    struct state *st;
-    int i;
+	struct state *st;
+	int i;
 
-    for (i = 0; i < STATE_TABLE_SIZE; i++)
-    {
-	for (st = statetable[i]; st != NULL; st = st->st_hashchain_next)
+	for (i = 0; i < STATE_TABLE_SIZE; i++)
 	{
-	    struct connection *c = st->st_connection;
-
-	    /* XXX spd-enum */
-	    if (IS_IPSEC_SA_ESTABLISHED(st->st_state)
-		&& c->spd.eroute_owner == st->st_serialno
-		&& c->spd.routing == RT_ROUTED_TUNNEL
-		&& samesubnet(&c->spd.this.client, ours)
-		&& samesubnet(&c->spd.that.client, his))
-	    {
-		if (st->st_outbound_count != count)
+		for (st = statetable[i]; st != NULL; st = st->st_hashchain_next)
 		{
-		    st->st_outbound_count = count;
-		    st->st_outbound_time = nw;
+			struct connection *c = st->st_connection;
+
+			/* XXX spd-enum */
+			if (IS_IPSEC_SA_ESTABLISHED(st->st_state)
+				&& c->spd.eroute_owner == st->st_serialno
+				&& c->spd.routing == RT_ROUTED_TUNNEL
+				&& samesubnet(&c->spd.this.client, ours)
+				&& samesubnet(&c->spd.that.client, his))
+			{
+				if (st->st_outbound_count != count)
+				{
+					st->st_outbound_count = count;
+					st->st_outbound_time = nw;
+				}
+				return;
+			}
 		}
-		return;
-	    }
 	}
-    }
-    DBG(DBG_CONTROL,
-	{
-	    char ourst[SUBNETTOT_BUF];
-	    char hist[SUBNETTOT_BUF];
-
-	    subnettot(ours, 0, ourst, sizeof(ourst));
-	    subnettot(his, 0, hist, sizeof(hist));
-	    DBG_log("unknown tunnel eroute %s -> %s found in scan"
-		, ourst, hist);
-	});
+	DBG(DBG_CONTROL,
+		{
+			char ourst[SUBNETTOT_BUF];
+			char hist[SUBNETTOT_BUF];
+
+			subnettot(ours, 0, ourst, sizeof(ourst));
+			subnettot(his, 0, hist, sizeof(hist));
+			DBG_log("unknown tunnel eroute %s -> %s found in scan"
+				, ourst, hist);
+		});
 }
 
-void fmt_state(bool all, struct state *st, time_t n
-, char *state_buf, size_t state_buf_len
-, char *state_buf2, size_t state_buf2_len)
+void fmt_state(bool all, struct state *st, time_t n, char *state_buf,
+			   size_t state_buf_len, char *state_buf2, size_t state_buf2_len)
 {
-    /* what the heck is interesting about a state? */
-    const struct connection *c = st->st_connection;
-
-    long delta = st->st_event->ev_time >= n
-	? (long)(st->st_event->ev_time - n)
-	: -(long)(n - st->st_event->ev_time);
-
-    char inst[CONN_INST_BUF];
-    const char *np1 = c->newest_isakmp_sa == st->st_serialno
-	? "; newest ISAKMP" : "";
-    const char *np2 = c->newest_ipsec_sa == st->st_serialno
-	? "; newest IPSEC" : "";
-    /* XXX spd-enum */
-    const char *eo = c->spd.eroute_owner == st->st_serialno
-	? "; eroute owner" : "";
-    const char *dpd = (all && st->st_dpd && c->dpd_action != DPD_ACTION_NONE)
-		      ? "; DPD active" : "";
-    
-    passert(st->st_event != 0);
-
-    fmt_conn_instance(c, inst);
-
-    snprintf(state_buf, state_buf_len
-	, "#%lu: \"%s\"%s %s (%s); %s in %lds%s%s%s%s"
-	, st->st_serialno
-	, c->name, inst
-	, enum_name(&state_names, st->st_state)
-	, state_story[st->st_state - STATE_MAIN_R0]
-	, enum_name(&timer_event_names, st->st_event->ev_type)
-	, delta
-	, np1, np2, eo, dpd);
-
-    /* print out SPIs if SAs are established */
-    if (state_buf2_len != 0)
-	state_buf2[0] = '\0';	/* default to empty */
-    if (IS_IPSEC_SA_ESTABLISHED(st->st_state))
-    {
-
-	bool tunnel;
-	char buf[SATOT_BUF*6 + 2*20 + 1];
-	const char *p_end = buf + sizeof(buf);
-	char *p = buf;
-
-#	define add_said(adst, aspi, aproto) { \
-	    ip_said s; \
-	    \
-	    initsaid(adst, aspi, aproto, &s); \
-	    if (p < p_end - 1) \
-	    { \
-		*p++ = ' '; \
-		p += satot(&s, 0, p, p_end - p) - 1; \
-	    } \
-	}
+	/* what the heck is interesting about a state? */
+	const struct connection *c = st->st_connection;
+
+	long delta = st->st_event->ev_time >= n
+		? (long)(st->st_event->ev_time - n)
+		: -(long)(n - st->st_event->ev_time);
+
+	char inst[CONN_INST_BUF];
+	const char *np1 = c->newest_isakmp_sa == st->st_serialno
+		? "; newest ISAKMP" : "";
+	const char *np2 = c->newest_ipsec_sa == st->st_serialno
+		? "; newest IPSEC" : "";
+	/* XXX spd-enum */
+	const char *eo = c->spd.eroute_owner == st->st_serialno
+		? "; eroute owner" : "";
+	const char *dpd = (all && st->st_dpd && c->dpd_action != DPD_ACTION_NONE)
+					  ? "; DPD active" : "";
+	
+	passert(st->st_event != 0);
+
+	fmt_conn_instance(c, inst);
+
+	snprintf(state_buf, state_buf_len
+		, "#%lu: \"%s\"%s %s (%s); %N in %lds%s%s%s%s"
+		, st->st_serialno
+		, c->name, inst
+		, enum_name(&state_names, st->st_state)
+		, state_story[st->st_state - STATE_MAIN_R0]
+		, timer_event_names, st->st_event->ev_type
+		, delta
+		, np1, np2, eo, dpd);
+
+	/* print out SPIs if SAs are established */
+	if (state_buf2_len != 0)
+		state_buf2[0] = '\0';   /* default to empty */
+	if (IS_IPSEC_SA_ESTABLISHED(st->st_state))
+	{
 
-#	define add_sa_info(st, inbound) { \
-	    u_int bytes; \
-	    time_t use_time; \
-	    \
-	    if (get_sa_info(st, inbound, &bytes, &use_time)) \
-	    { \
-		p += snprintf(p, p_end - p, " (%'u bytes", bytes); \
-		if (bytes > 0 && use_time != UNDEFINED_TIME) \
-		    p += snprintf(p, p_end - p, ", %ds ago", (int)(now - use_time)); \
-		p += snprintf(p, p_end - p, ")"); \
-	    } \
-	}
+		bool tunnel;
+		char buf[SATOT_BUF*6 + 2*20 + 1];
+		const char *p_end = buf + sizeof(buf);
+		char *p = buf;
+
+#       define add_said(adst, aspi, aproto) { \
+			ip_said s; \
+			\
+			initsaid(adst, aspi, aproto, &s); \
+			if (p < p_end - 1) \
+			{ \
+				*p++ = ' '; \
+				p += satot(&s, 0, p, p_end - p) - 1; \
+			} \
+		}
 
-	*p = '\0';
-	if (st->st_ah.present)
-	{
-	    add_said(&c->spd.that.host_addr, st->st_ah.attrs.spi, SA_AH);
-	    add_said(&c->spd.this.host_addr, st->st_ah.our_spi, SA_AH);
-	}
-	if (st->st_esp.present)
-	{
-	    time_t now = time(NULL);
+#       define add_sa_info(st, inbound) { \
+			u_int bytes; \
+			time_t use_time; \
+			\
+			if (get_sa_info(st, inbound, &bytes, &use_time)) \
+			{ \
+				p += snprintf(p, p_end - p, " (%'u bytes", bytes); \
+				if (bytes > 0 && use_time != UNDEFINED_TIME) \
+					p += snprintf(p, p_end - p, ", %ds ago", (int)(now - use_time)); \
+				p += snprintf(p, p_end - p, ")"); \
+			} \
+		}
 
-	    add_said(&c->spd.that.host_addr, st->st_esp.attrs.spi, SA_ESP);
-	    add_sa_info(st, FALSE);
-	    add_said(&c->spd.this.host_addr, st->st_esp.our_spi, SA_ESP);
-	    add_sa_info(st, TRUE);
-	}
-	if (st->st_ipcomp.present)
-	{
-	    add_said(&c->spd.that.host_addr, st->st_ipcomp.attrs.spi, SA_COMP);
-	    add_said(&c->spd.this.host_addr, st->st_ipcomp.our_spi, SA_COMP);
-	}
+		*p = '\0';
+		if (st->st_ah.present)
+		{
+			add_said(&c->spd.that.host_addr, st->st_ah.attrs.spi, SA_AH);
+			add_said(&c->spd.this.host_addr, st->st_ah.our_spi, SA_AH);
+		}
+		if (st->st_esp.present)
+		{
+			time_t now = time(NULL);
+
+			add_said(&c->spd.that.host_addr, st->st_esp.attrs.spi, SA_ESP);
+			add_sa_info(st, FALSE);
+			add_said(&c->spd.this.host_addr, st->st_esp.our_spi, SA_ESP);
+			add_sa_info(st, TRUE);
+		}
+		if (st->st_ipcomp.present)
+		{
+			add_said(&c->spd.that.host_addr, st->st_ipcomp.attrs.spi, SA_COMP);
+			add_said(&c->spd.this.host_addr, st->st_ipcomp.our_spi, SA_COMP);
+		}
 #ifdef KLIPS
-	tunnel =  st->st_ah.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL
-	       || st->st_esp.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL
-	       || st->st_ipcomp.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL;
-	p += snprintf(p, p_end - p, "; %s", tunnel? "tunnel":"transport");
+		tunnel =  st->st_ah.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL
+			   || st->st_esp.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL
+			   || st->st_ipcomp.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL;
+		p += snprintf(p, p_end - p, "; %s", tunnel? "tunnel":"transport");
 #endif
 
-	snprintf(state_buf2, state_buf2_len
-	    , "#%lu: \"%s\"%s%s"
-	    , st->st_serialno
-	    , c->name, inst
-	    , buf);
+		snprintf(state_buf2, state_buf2_len
+			, "#%lu: \"%s\"%s%s"
+			, st->st_serialno
+			, c->name, inst
+			, buf);
 
-#	undef add_said
-#	undef add_sa_info
-    }
+#       undef add_said
+#       undef add_sa_info
+	}
 }
 
 /*
@@ -831,82 +820,80 @@ void fmt_state(bool all, struct state *st, time_t n
  *  isakmp_sa (XXX probably wrong)
  *
  */
-static int
-state_compare(const void *a, const void *b)
+static int state_compare(const void *a, const void *b)
 {
-    const struct state *sap = *(const struct state *const *)a;
-    struct connection *ca = sap->st_connection;
-    const struct state *sbp = *(const struct state *const *)b;
-    struct connection *cb = sbp->st_connection;
+	const struct state *sap = *(const struct state *const *)a;
+	struct connection *ca = sap->st_connection;
+	const struct state *sbp = *(const struct state *const *)b;
+	struct connection *cb = sbp->st_connection;
 
-    /* DBG_log("comparing %s to %s", ca->name, cb->name); */
+	/* DBG_log("comparing %s to %s", ca->name, cb->name); */
 
-    return connection_compare(ca, cb);
+	return connection_compare(ca, cb);
 }
 
-void
-show_states_status(bool all, const char *name)
+void show_states_status(bool all, const char *name)
 {
-    time_t n = now();
-    int i;
-    char state_buf[LOG_WIDTH];
-    char state_buf2[LOG_WIDTH];
-    int count;
-    struct state **array;
-
-    /* make count of states */
-    count = 0;
-    for (i = 0; i < STATE_TABLE_SIZE; i++)
-    {
-	struct state *st;
+	time_t n = now();
+	int i;
+	char state_buf[LOG_WIDTH];
+	char state_buf2[LOG_WIDTH];
+	int count;
+	struct state **array;
 
-	for (st = statetable[i]; st != NULL; st = st->st_hashchain_next)
+	/* make count of states */
+	count = 0;
+	for (i = 0; i < STATE_TABLE_SIZE; i++)
 	{
-	    if (name == NULL || streq(name, st->st_connection->name))
-		count++;
-	}
-    }
+		struct state *st;
 
-    /* build the array */
-    array = alloc_bytes(sizeof(struct state *)*count, "state array");
-    count = 0;
-    for (i = 0; i < STATE_TABLE_SIZE; i++)
-    {
-	struct state *st;
+		for (st = statetable[i]; st != NULL; st = st->st_hashchain_next)
+		{
+			if (name == NULL || streq(name, st->st_connection->name))
+				count++;
+		}
+	}
 
-	for (st = statetable[i]; st != NULL; st = st->st_hashchain_next)
+	/* build the array */
+	array = malloc(sizeof(struct state *)*count);
+	count = 0;
+	for (i = 0; i < STATE_TABLE_SIZE; i++)
 	{
-	    if (name == NULL || streq(name, st->st_connection->name))
-		array[count++]=st;
+		struct state *st;
+
+		for (st = statetable[i]; st != NULL; st = st->st_hashchain_next)
+		{
+			if (name == NULL || streq(name, st->st_connection->name))
+				array[count++]=st;
+		}
 	}
-    }
 
-    /* sort it! */
-    qsort(array, count, sizeof(struct state *), state_compare);
+	/* sort it! */
+	qsort(array, count, sizeof(struct state *), state_compare);
 
-    /* now print sorted results */
-    for (i = 0; i < count; i++)
-    {
-	struct state *st;
+	/* now print sorted results */
+	for (i = 0; i < count; i++)
+	{
+		struct state *st;
 
-	st = array[i];
+		st = array[i];
 
-	fmt_state(all, st, n
-		  , state_buf, sizeof(state_buf)
-		  , state_buf2, sizeof(state_buf2));
-	whack_log(RC_COMMENT, state_buf);
-	if (state_buf2[0] != '\0')
-	    whack_log(RC_COMMENT, state_buf2);
+		fmt_state(all, st, n
+				  , state_buf, sizeof(state_buf)
+				  , state_buf2, sizeof(state_buf2));
+		whack_log(RC_COMMENT, state_buf);
+		if (state_buf2[0] != '\0')
+			whack_log(RC_COMMENT, state_buf2);
 
-	/* show any associated pending Phase 2s */
-	if (IS_PHASE1(st->st_state))
-	    show_pending_phase2(st->st_connection->host_pair, st);
-    }
-    if (count > 0)
-	whack_log(RC_COMMENT, BLANK_FORMAT);	/* spacer */
+		/* show any associated pending Phase 2s */
+		if (IS_PHASE1(st->st_state))
+			show_pending_phase2(st->st_connection->host_pair, st);
+	}
+	if (count > 0)
+		whack_log(RC_COMMENT, BLANK_FORMAT);    /* spacer */
 
-    /* free the array */
-    pfree(array);
+	/* free the array */
+	free(array);
 }
 
 /* Given that we've used up a range of unused CPI's,
@@ -915,49 +902,48 @@ show_states_status(bool all, const char *name)
  * If we can't find one easily, choose 0 (a bad SPI,
  * no matter what order) indicating failure.
  */
-void
-find_my_cpi_gap(cpi_t *latest_cpi, cpi_t *first_busy_cpi)
+void find_my_cpi_gap(cpi_t *latest_cpi, cpi_t *first_busy_cpi)
 {
-    int tries = 0;
-    cpi_t base = *latest_cpi;
-    cpi_t closest;
-    int i;
+	int tries = 0;
+	cpi_t base = *latest_cpi;
+	cpi_t closest;
+	int i;
 
 startover:
-    closest = ~0;	/* not close at all */
-    for (i = 0; i < STATE_TABLE_SIZE; i++)
-    {
-	struct state *st;
-
-	for (st = statetable[i]; st != NULL; st = st->st_hashchain_next)
+	closest = ~0;       /* not close at all */
+	for (i = 0; i < STATE_TABLE_SIZE; i++)
 	{
-	    if (st->st_ipcomp.present)
-	    {
-		cpi_t c = ntohl(st->st_ipcomp.our_spi) - base;
+		struct state *st;
 
-		if (c < closest)
+		for (st = statetable[i]; st != NULL; st = st->st_hashchain_next)
 		{
-		    if (c == 0)
-		    {
-			/* oops: next spot is occupied; start over */
-			if (++tries == 20)
+			if (st->st_ipcomp.present)
 			{
-			    /* FAILURE */
-			    *latest_cpi = *first_busy_cpi = 0;
-			    return;
+				cpi_t c = ntohl(st->st_ipcomp.our_spi) - base;
+
+				if (c < closest)
+				{
+					if (c == 0)
+					{
+						/* oops: next spot is occupied; start over */
+						if (++tries == 20)
+						{
+							/* FAILURE */
+							*latest_cpi = *first_busy_cpi = 0;
+							return;
+						}
+						base++;
+						if (base > IPCOMP_LAST_NEGOTIATED)
+							base = IPCOMP_FIRST_NEGOTIATED;
+						goto startover; /* really a tail call */
+					}
+					closest = c;
+				}
 			}
-			base++;
-			if (base > IPCOMP_LAST_NEGOTIATED)
-			    base = IPCOMP_FIRST_NEGOTIATED;
-			goto startover;	/* really a tail call */
-		    }
-		    closest = c;
 		}
-	    }
 	}
-    }
-    *latest_cpi = base;	/* base is first in next free range */
-    *first_busy_cpi = closest + base;	/* and this is the roof */
+	*latest_cpi = base; /* base is first in next free range */
+	*first_busy_cpi = closest + base;   /* and this is the roof */
 }
 
 /* Muck with high-order 16 bits of this SPI in order to make
@@ -968,38 +954,42 @@ startover:
  * If we can't find one easily, return 0 (a bad SPI,
  * no matter what order) indicating failure.
  */
-ipsec_spi_t
-uniquify_his_cpi(ipsec_spi_t cpi, struct state *st)
+ipsec_spi_t uniquify_his_cpi(ipsec_spi_t cpi, struct state *st)
 {
-    int tries = 0;
-    int i;
+	int tries = 0;
+	int i;
+	rng_t *rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
 
 startover:
 
-    /* network order makes first two bytes our target */
-    get_rnd_bytes((u_char *)&cpi, 2);
-
-    /* Make sure that the result is unique.
-     * Hard work.  If there is no unique value, we'll loop forever!
-     */
-    for (i = 0; i < STATE_TABLE_SIZE; i++)
-    {
-	struct state *s;
+	/* network order makes first two bytes our target */
+	rng->get_bytes(rng, 2, (u_char *)&cpi);
 
-	for (s = statetable[i]; s != NULL; s = s->st_hashchain_next)
+	/* Make sure that the result is unique.
+	 * Hard work.  If there is no unique value, we'll loop forever!
+	 */
+	for (i = 0; i < STATE_TABLE_SIZE; i++)
 	{
-	    if (s->st_ipcomp.present
-	    && sameaddr(&s->st_connection->spd.that.host_addr
-	      , &st->st_connection->spd.that.host_addr)
-	    && cpi == s->st_ipcomp.attrs.spi)
-	    {
-		if (++tries == 20)
-		    return 0;	/* FAILURE */
-		goto startover;
-	    }
+		struct state *s;
+
+		for (s = statetable[i]; s != NULL; s = s->st_hashchain_next)
+		{
+			if (s->st_ipcomp.present
+			&& sameaddr(&s->st_connection->spd.that.host_addr
+			  , &st->st_connection->spd.that.host_addr)
+			&& cpi == s->st_ipcomp.attrs.spi)
+			{
+				if (++tries == 20)
+				{
+					rng->destroy(rng);
+					return 0;   /* FAILURE */
+				}
+				goto startover;
+			}
+		}
 	}
-    }
-    return cpi;
+	rng->destroy(rng);
+	return cpi;
 }
 
 /*
diff --git a/src/pluto/state.h b/src/pluto/state.h
index 220dce341..a059c52b4 100644
--- a/src/pluto/state.h
+++ b/src/pluto/state.h
@@ -1,6 +1,7 @@
 /* state and event objects
  * Copyright (C) 1997 Angelos D. Keromytis.
  * Copyright (C) 1998-2001  D. Hugh Redelmeier.
+ * Copyright (C) 2009 Andreas Steffen - Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -11,15 +12,14 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: state.h 3252 2007-10-06 21:24:50Z andreas $
  */
 
 #include <sys/types.h>
 #include <sys/socket.h>
 #include <netinet/in.h>
 #include <time.h>
-#include <gmp.h>    /* GNU MP library */
+
+#include <crypto/diffie_hellman.h>
 
 #include "connections.h"
 
@@ -40,10 +40,10 @@
  * than specified by draft-jenkins-ipsec-rekeying-06.txt.
  */
 
-typedef u_int32_t msgid_t;	/* Network order! */
+typedef u_int32_t msgid_t;      /* Network order! */
 #define MAINMODE_MSGID    ((msgid_t) 0)
 
-struct state;	/* forward declaration of tag */
+struct state;   /* forward declaration of tag */
 extern bool reserve_msgid(struct state *isakmp_sa, msgid_t msgid);
 extern msgid_t generate_msgid(struct state *isakmp_sa);
 
@@ -54,17 +54,17 @@ extern msgid_t generate_msgid(struct state *isakmp_sa);
  * Names are chosen to match corresponding names in state.
  */
 struct oakley_trans_attrs {
-    u_int16_t encrypt;		/* Encryption algorithm */
-    u_int16_t enckeylen;	/* encryption key len (bits) */
-    const struct encrypt_desc *encrypter;	/* package of encryption routines */
-    u_int16_t hash;		/* Hash algorithm */
-    const struct hash_desc *hasher;	/* package of hashing routines */
-    u_int16_t auth;		/* Authentication method */
-    const struct oakley_group_desc *group;	/* Oakley group */
-    time_t life_seconds;	/* When this SA expires (seconds) */
-    u_int32_t life_kilobytes;	/* When this SA is exhausted (kilobytes) */
+	u_int16_t encrypt;          /* Encryption algorithm */
+	u_int16_t enckeylen;        /* encryption key len (bits) */
+	const struct encrypt_desc *encrypter;   /* package of encryption routines */
+	u_int16_t hash;             /* Hash algorithm */
+	const struct hash_desc *hasher;         /* package of hashing routines */
+	u_int16_t auth;             /* Authentication method */
+	const struct dh_desc *group;            /* Diffie-Hellman group */
+	time_t life_seconds;        /* When this SA expires (seconds) */
+	u_int32_t life_kilobytes;   /* When this SA is exhausted (kilobytes) */
 #if 0 /* not yet */
-    u_int16_t prf;		/* Pseudo Random Function */
+	u_int16_t prf;              /* Pseudo Random Function */
 #endif
 };
 
@@ -74,28 +74,28 @@ struct oakley_trans_attrs {
  * for ESP, and a funny one for IPCOMP.
  */
 struct ipsec_trans_attrs {
-    u_int8_t transid;	/* transform id */
-    ipsec_spi_t spi;	/* his SPI */
-    time_t life_seconds;		/* When this SA expires */
-    u_int32_t life_kilobytes;	/* When this SA expires */
-    u_int16_t encapsulation;
-    u_int16_t auth;
-    u_int16_t key_len;
-    u_int16_t key_rounds;
+	u_int8_t transid;   /* transform id */
+	ipsec_spi_t spi;    /* his SPI */
+	time_t life_seconds;                /* When this SA expires */
+	u_int32_t life_kilobytes;   /* When this SA expires */
+	u_int16_t encapsulation;
+	u_int16_t auth;
+	u_int16_t key_len;
+	u_int16_t key_rounds;
 #if 0 /* not implemented yet */
-    u_int16_t cmprs_dict_sz;
-    u_int32_t cmprs_alg;
+	u_int16_t cmprs_dict_sz;
+	u_int32_t cmprs_alg;
 #endif
 };
 
 /* IPsec per protocol state information */
 struct ipsec_proto_info {
-    bool present;	/* was this transform specified? */
-    struct ipsec_trans_attrs attrs;
-    ipsec_spi_t our_spi;
-    u_int16_t keymat_len;	/* same for both */
-    u_char *our_keymat;
-    u_char *peer_keymat;
+	bool present;       /* was this transform specified? */
+	struct ipsec_trans_attrs attrs;
+	ipsec_spi_t our_spi;
+	u_int16_t keymat_len;       /* same for both */
+	u_char *our_keymat;
+	u_char *peer_keymat;
 };
 
 /* state object: record the state of a (possibly nascent) SA
@@ -107,135 +107,133 @@ struct ipsec_proto_info {
  */
 struct state
 {
-    so_serial_t        st_serialno;            /* serial number (for seniority) */
-    so_serial_t        st_clonedfrom;          /* serial number of parent */
+	so_serial_t        st_serialno;            /* serial number (for seniority) */
+	so_serial_t        st_clonedfrom;          /* serial number of parent */
 
-    struct connection *st_connection;          /* connection for this SA */
+	struct connection *st_connection;          /* connection for this SA */
 
-    int                st_whack_sock;          /* fd for our Whack TCP socket.
-                                                * Single copy: close when freeing struct.
-                                                */
+	int                st_whack_sock;          /* fd for our Whack TCP socket.
+												* Single copy: close when freeing struct.
+												*/
 
-    struct msg_digest *st_suspended_md;        /* suspended state-transition */
+	struct msg_digest *st_suspended_md;        /* suspended state-transition */
 
-    struct oakley_trans_attrs st_oakley;
+	struct oakley_trans_attrs st_oakley;
 
-    struct ipsec_proto_info st_ah;
-    struct ipsec_proto_info st_esp;
-    struct ipsec_proto_info st_ipcomp;
+	struct ipsec_proto_info st_ah;
+	struct ipsec_proto_info st_esp;
+	struct ipsec_proto_info st_ipcomp;
 #ifdef KLIPS
-    ipsec_spi_t        st_tunnel_in_spi;          /* KLUDGE */
-    ipsec_spi_t        st_tunnel_out_spi;         /* KLUDGE */
+	ipsec_spi_t        st_tunnel_in_spi;          /* KLUDGE */
+	ipsec_spi_t        st_tunnel_out_spi;         /* KLUDGE */
 #endif
 
-    const struct oakley_group_desc *st_pfs_group;	/* group for Phase 2 PFS */
+	const struct dh_desc *st_pfs_group;        /* group for Phase 2 PFS */
 
-    u_int32_t          st_doi;                 /* Domain of Interpretation */
-    u_int32_t          st_situation;
+	u_int32_t          st_doi;                 /* Domain of Interpretation */
+	u_int32_t          st_situation;
 
-    lset_t             st_policy;              /* policy for IPsec SA */
+	lset_t             st_policy;              /* policy for IPsec SA */
 
-    msgid_t            st_msgid;               /* MSG-ID from header.  Network Order! */
+	msgid_t            st_msgid;               /* MSG-ID from header.  Network Order! */
 
-    /* only for a state representing an ISAKMP SA */
-    struct msgid_list  *st_used_msgids;        /* used-up msgids */
+	/* only for a state representing an ISAKMP SA */
+	struct msgid_list  *st_used_msgids;        /* used-up msgids */
 
 /* symmetric stuff */
 
   /* initiator stuff */
-    chunk_t            st_gi;                  /* Initiator public value */
-    u_int8_t           st_icookie[COOKIE_SIZE];/* Initiator Cookie */
-    chunk_t            st_ni;                  /* Ni nonce */
+	chunk_t            st_gi;                  /* Initiator public value */
+	u_int8_t           st_icookie[COOKIE_SIZE];/* Initiator Cookie */
+	chunk_t            st_ni;                  /* Ni nonce */
 
   /* responder stuff */
-    chunk_t            st_gr;                  /* Responder public value */
-    u_int8_t           st_rcookie[COOKIE_SIZE];/* Responder Cookie */
-    chunk_t            st_nr;                  /* Nr nonce */
+	chunk_t            st_gr;                  /* Responder public value */
+	u_int8_t           st_rcookie[COOKIE_SIZE];/* Responder Cookie */
+	chunk_t            st_nr;                  /* Nr nonce */
 
 
   /* my stuff */
 
-    chunk_t            st_tpacket;             /* Transmitted packet */
+	chunk_t            st_tpacket;             /* Transmitted packet */
 
-    /* Phase 2 ID payload info about my user */
-    u_int8_t           st_myuserprotoid;       /* IDcx.protoid */
-    u_int16_t          st_myuserport;
+	/* Phase 2 ID payload info about my user */
+	u_int8_t           st_myuserprotoid;       /* IDcx.protoid */
+	u_int16_t          st_myuserport;
 
   /* his stuff */
 
-    chunk_t            st_rpacket;             /* Received packet */
+	chunk_t            st_rpacket;             /* Received packet */
 
-    /* Phase 2 ID payload info about peer's user */
-    u_int8_t           st_peeruserprotoid;     /* IDcx.protoid */
-    u_int16_t          st_peeruserport;
+	/* Phase 2 ID payload info about peer's user */
+	u_int8_t           st_peeruserprotoid;     /* IDcx.protoid */
+	u_int16_t          st_peeruserport;
 
 /* end of symmetric stuff */
 
-    u_int8_t           st_sec_in_use;          /* bool: does st_sec hold a value */
-    MP_INT             st_sec;                 /* Our local secret value */
-
-    chunk_t            st_shared;              /* Derived shared secret
-                                                * Note: during Quick Mode,
-                                                * presence indicates PFS
-                                                * selected.
-                                                */
-
-    /* In a Phase 1 state, preserve peer's public key after authentication */
-    struct pubkey     *st_peer_pubkey;
-
-    enum state_kind    st_state;               /* State of exchange */
-    u_int8_t           st_retransmit;          /* Number of retransmits */
-    unsigned long      st_try;                 /* number of times rekeying attempted */
-                                               /* 0 means the only time */
-    time_t             st_margin;              /* life after EVENT_SA_REPLACE */
-    unsigned long      st_outbound_count;      /* traffic through eroute */
-    time_t             st_outbound_time;       /* time of last change to st_outbound_count */
-    chunk_t            st_p1isa;               /* Phase 1 initiator SA (Payload) for HASH */
-    chunk_t            st_skeyid;              /* Key material */
-    chunk_t            st_skeyid_d;            /* KM for non-ISAKMP key derivation */
-    chunk_t            st_skeyid_a;            /* KM for ISAKMP authentication */
-    chunk_t            st_skeyid_e;            /* KM for ISAKMP encryption */
-    u_char             st_iv[MAX_DIGEST_LEN];  /* IV for encryption */
-    u_char             st_new_iv[MAX_DIGEST_LEN];
-    u_char             st_ph1_iv[MAX_DIGEST_LEN]; /* IV at end if phase 1 */
-    unsigned int       st_iv_len;
-    unsigned int       st_new_iv_len;
-    unsigned int       st_ph1_iv_len;
-
-    chunk_t            st_enc_key;             /* Oakley Encryption key */
-
-    struct event      *st_event;               /* backpointer for certain events */
-    struct state      *st_hashchain_next;      /* Next in list */
-    struct state      *st_hashchain_prev;      /* Previous in list */
-
-    struct {
-	bool vars_set;
-	bool started;
-    } st_modecfg;
-
-    struct {
-	int attempt;
-	bool started;
-	bool status;
-    } st_xauth;
-
-    u_int32_t         nat_traversal;
-    ip_address        nat_oa;
-
-    /* RFC 3706 Dead Peer Detection */
-    bool                st_dpd;			/* Peer supports DPD */
-    time_t              st_last_dpd;		/* Time of last DPD transmit */
-    u_int32_t           st_dpd_seqno;		/* Next R_U_THERE to send */
-    u_int32_t           st_dpd_expectseqno;	/* Next R_U_THERE_ACK to receive */
-    u_int32_t           st_dpd_peerseqno;	/* global variables */
-    struct event        *st_dpd_event;		/* backpointer for DPD events */
-
-    u_int32_t	      st_seen_vendorid;		/* Bit field about recognized Vendor ID */
+	diffie_hellman_t  *st_dh;                  /* Our local DH secret value */
+	chunk_t            st_shared;              /* Derived shared secret
+												* Note: during Quick Mode,
+												* presence indicates PFS
+												* selected.
+												*/
+
+	/* In a Phase 1 state, preserve peer's public key after authentication */
+	struct pubkey     *st_peer_pubkey;
+
+	enum state_kind    st_state;               /* State of exchange */
+	u_int8_t           st_retransmit;          /* Number of retransmits */
+	unsigned long      st_try;                 /* number of times rekeying attempted */
+											   /* 0 means the only time */
+	time_t             st_margin;              /* life after EVENT_SA_REPLACE */
+	unsigned long      st_outbound_count;      /* traffic through eroute */
+	time_t             st_outbound_time;       /* time of last change to st_outbound_count */
+	chunk_t            st_p1isa;               /* Phase 1 initiator SA (Payload) for HASH */
+	chunk_t            st_skeyid;              /* Key material */
+	chunk_t            st_skeyid_d;            /* KM for non-ISAKMP key derivation */
+	chunk_t            st_skeyid_a;            /* KM for ISAKMP authentication */
+	chunk_t            st_skeyid_e;            /* KM for ISAKMP encryption */
+	u_char             st_iv[MAX_DIGEST_LEN];  /* IV for encryption */
+	u_char             st_new_iv[MAX_DIGEST_LEN];
+	u_char             st_ph1_iv[MAX_DIGEST_LEN]; /* IV at end if phase 1 */
+	unsigned int       st_iv_len;
+	unsigned int       st_new_iv_len;
+	unsigned int       st_ph1_iv_len;
+
+	chunk_t            st_enc_key;             /* Oakley Encryption key */
+
+	struct event      *st_event;               /* backpointer for certain events */
+	struct state      *st_hashchain_next;      /* Next in list */
+	struct state      *st_hashchain_prev;      /* Previous in list */
+
+	struct {
+		bool vars_set;
+		bool started;
+	} st_modecfg;
+
+	struct {
+		int attempt;
+		bool started;
+		bool status;
+	} st_xauth;
+
+	u_int32_t         nat_traversal;
+	ip_address        nat_oa;
+
+	/* RFC 3706 Dead Peer Detection */
+	bool                st_dpd;                 /* Peer supports DPD */
+	time_t              st_last_dpd;            /* Time of last DPD transmit */
+	u_int32_t           st_dpd_seqno;           /* Next R_U_THERE to send */
+	u_int32_t           st_dpd_expectseqno;     /* Next R_U_THERE_ACK to receive */
+	u_int32_t           st_dpd_peerseqno;       /* global variables */
+	struct event        *st_dpd_event;          /* backpointer for DPD events */
+
+	u_int32_t         st_seen_vendorid;         /* Bit field about recognized Vendor ID */
 };
 
 /* global variables */
 
-extern u_int16_t pluto_port;	/* Pluto's port */
+extern u_int16_t pluto_port;    /* Pluto's port */
 
 extern bool states_use_connection(struct connection *c);
 
@@ -247,27 +245,27 @@ extern void insert_state(struct state *st);
 extern void unhash_state(struct state *st);
 extern void release_whack(struct state *st);
 extern void state_eroute_usage(ip_subnet *ours, ip_subnet *his
-    , unsigned long count, time_t nw);
+	, unsigned long count, time_t nw);
 extern void delete_state(struct state *st);
 extern void delete_states_by_connection(struct connection *c, bool relations);
 
 extern struct state
-    *duplicate_state(struct state *st),
-    *find_state(const u_char *icookie
-	, const u_char *rcookie
-	, const ip_address *peer
-	, msgid_t msgid),
-    *state_with_serialno(so_serial_t sn),
-    *find_phase2_state_to_delete(const struct state *p1st, u_int8_t protoid
-	, ipsec_spi_t spi, bool *bogus),
-    *find_phase1_state(const struct connection *c, lset_t ok_states),
-    *find_sender(size_t packet_len, u_char *packet);
+	*duplicate_state(struct state *st),
+	*find_state(const u_char *icookie
+		, const u_char *rcookie
+		, const ip_address *peer
+		, msgid_t msgid),
+	*state_with_serialno(so_serial_t sn),
+	*find_phase2_state_to_delete(const struct state *p1st, u_int8_t protoid
+		, ipsec_spi_t spi, bool *bogus),
+	*find_phase1_state(const struct connection *c, lset_t ok_states),
+	*find_sender(size_t packet_len, u_char *packet);
 
 extern void show_states_status(bool all, const char *name);
 extern void for_each_state(void *(f)(struct state *, void *data), void *data);
 extern void find_my_cpi_gap(cpi_t *latest_cpi, cpi_t *first_busy_cpi);
 extern ipsec_spi_t uniquify_his_cpi(ipsec_spi_t cpi, struct state *st);
 extern void fmt_state(bool all, struct state *st, time_t n
-		     , char *state_buf, size_t state_buf_len
-		     , char *state_buf2, size_t state_buf_len2);
+					 , char *state_buf, size_t state_buf_len
+					 , char *state_buf2, size_t state_buf_len2);
 extern void delete_states_by_peer(ip_address *peer);
diff --git a/src/pluto/timer.c b/src/pluto/timer.c
index aea293098..ecbee740f 100644
--- a/src/pluto/timer.c
+++ b/src/pluto/timer.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: timer.c 3252 2007-10-06 21:24:50Z andreas $
  */
 
 #include <stdio.h>
@@ -26,36 +24,39 @@
 
 #include <freeswan.h>
 
+#include <library.h>
+#include <crypto/rngs/rng.h>
+
 #include "constants.h"
 #include "defs.h"
 #include "connections.h"
 #include "state.h"
 #include "demux.h"
-#include "ipsec_doi.h"	/* needs demux.h and state.h */
+#include "ipsec_doi.h"  /* needs demux.h and state.h */
 #include "kernel.h"
 #include "server.h"
 #include "log.h"
-#include "rnd.h"
 #include "timer.h"
 #include "whack.h"
 #include "nat_traversal.h"
 
-/* monotonic version of time(3) */
-time_t
-now(void)
+/**
+ * monotonic version of time(3)
+ */
+time_t now(void)
 {
-    static time_t delta = 0
-	, last_time = 0;
-    time_t n = time((time_t)NULL);
-
-    passert(n != (time_t)-1);
-    if (last_time > n)
-    {
-	plog("time moved backwards %ld seconds", (long)(last_time - n));
-	delta += last_time - n;
-    }
-    last_time = n;
-    return n + delta;
+	static time_t delta = 0
+		, last_time = 0;
+	time_t n = time((time_t)NULL);
+
+	passert(n != (time_t)-1);
+	if (last_time > n)
+	{
+		plog("time moved backwards %ld seconds", (long)(last_time - n));
+		delta += last_time - n;
+	}
+	last_time = n;
+	return n + delta;
 }
 
 /* This file has the event handling routines. Events are
@@ -66,467 +67,495 @@ now(void)
 
 static struct event *evlist = (struct event *) NULL;
 
-/*
+/**
  * This routine places an event in the event list.
  */
-void
-event_schedule(enum event_type type, time_t tm, struct state *st)
+void event_schedule(enum event_type type, time_t tm, struct state *st)
 {
-    struct event *ev = alloc_thing(struct event, "struct event in event_schedule()");
-
-    ev->ev_type = type;
-    ev->ev_time = tm + now();
-    ev->ev_state = st;
-
-    /* If the event is associated with a state, put a backpointer to the
-     * event in the state object, so we can find and delete the event
-     * if we need to (for example, if we receive a reply).
-     */
-    if (st != NULL)
-    {
-	if (type == EVENT_DPD || type == EVENT_DPD_TIMEOUT)
+	struct event *ev = malloc_thing(struct event);
+
+	ev->ev_type = type;
+	ev->ev_time = tm + now();
+	ev->ev_state = st;
+
+	/* If the event is associated with a state, put a backpointer to the
+	 * event in the state object, so we can find and delete the event
+	 * if we need to (for example, if we receive a reply).
+	 */
+	if (st != NULL)
+	{
+		if (type == EVENT_DPD || type == EVENT_DPD_TIMEOUT)
+		{
+			passert(st->st_dpd_event == NULL);
+			st->st_dpd_event = ev;
+		}
+		else
+		{
+			passert(st->st_event == NULL);
+			st->st_event = ev;
+		}
+	}
+
+	DBG(DBG_CONTROL,
+		if (st == NULL)
+			DBG_log("inserting event %N, timeout in %lu seconds"
+				, timer_event_names, type, (unsigned long)tm);
+		else
+			DBG_log("inserting event %N, timeout in %lu seconds for #%lu"
+				, timer_event_names, type, (unsigned long)tm
+				, ev->ev_state->st_serialno));
+
+	if (evlist == (struct event *) NULL
+	|| evlist->ev_time >= ev->ev_time)
 	{
-	    passert(st->st_dpd_event == NULL);
-	    st->st_dpd_event = ev;
+		ev->ev_next = evlist;
+		evlist = ev;
 	}
 	else
 	{
-	    passert(st->st_event == NULL);
-	    st->st_event = ev;
-	}
-    }
+		struct event *evt;
 
-    DBG(DBG_CONTROL,
-	if (st == NULL)
-	    DBG_log("inserting event %s, timeout in %lu seconds"
-		, enum_show(&timer_event_names, type), (unsigned long)tm);
-	else
-	    DBG_log("inserting event %s, timeout in %lu seconds for #%lu"
-		, enum_show(&timer_event_names, type), (unsigned long)tm
-		, ev->ev_state->st_serialno));
-
-    if (evlist == (struct event *) NULL
-    || evlist->ev_time >= ev->ev_time)
-    {
-	ev->ev_next = evlist;
-	evlist = ev;
-    }
-    else
-    {
-	struct event *evt;
-
-	for (evt = evlist; evt->ev_next != NULL; evt = evt->ev_next)
-	    if (evt->ev_next->ev_time >= ev->ev_time)
-		break;
-
-#ifdef NEVER	/* this seems to be overkill */
-	DBG(DBG_CONTROL,
-	    if (evt->ev_state == NULL)
-		DBG_log("event added after event %s"
-		    , enum_show(&timer_event_names, evt->ev_type));
-	    else
-		DBG_log("event added after event %s for #%lu"
-		    , enum_show(&timer_event_names, evt->ev_type)
-		    , evt->ev_state->st_serialno));
+		for (evt = evlist; evt->ev_next != NULL; evt = evt->ev_next)
+			if (evt->ev_next->ev_time >= ev->ev_time)
+				break;
+
+#ifdef NEVER    /* this seems to be overkill */
+		DBG(DBG_CONTROL,
+			if (evt->ev_state == NULL)
+				DBG_log("event added after event %N"
+					, timer_event_names, evt->ev_type);
+			else
+				DBG_log("event added after event %N for #%lu"
+					, timer_event_names, evt->ev_type,
+					, evt->ev_state->st_serialno));
 #endif /* NEVER */
 
-	ev->ev_next = evt->ev_next;
-	evt->ev_next = ev;
-    }
+		ev->ev_next = evt->ev_next;
+		evt->ev_next = ev;
+	}
+}
+
+/**
+ * Generate the secret value for responder cookies, and
+ * schedule an event for refresh.
+ */
+void init_secret(void)
+{
+	rng_t *rng;
+	 
+	rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
+	rng->get_bytes(rng, sizeof(secret_of_the_day), secret_of_the_day);
+	rng->destroy(rng);
+    event_schedule(EVENT_REINIT_SECRET, EVENT_REINIT_SECRET_DELAY, NULL);
 }
 
-/*
+/**
  * Handle the first event on the list.
  */
-void
-handle_timer_event(void)
+void handle_timer_event(void)
 {
-    time_t tm;
-    struct event *ev = evlist;
-    int type;
-    struct state *st;
-    struct connection *c = NULL;
-    ip_address peer;
-
-    if (ev == (struct event *) NULL)    /* Just paranoid */
-    {
-	DBG(DBG_CONTROL, DBG_log("empty event list, yet we're called"));
-	return;
-    }
-
-    type = ev->ev_type;
-    st = ev->ev_state;
-
-    tm = now();
-
-    if (tm < ev->ev_time)
-    {
-	DBG(DBG_CONTROL, DBG_log("called while no event expired (%lu/%lu, %s)"
-	    , (unsigned long)tm, (unsigned long)ev->ev_time
-	    , enum_show(&timer_event_names, type)));
-
-	/* This will happen if the most close-to-expire event was
-	 * a retransmission or cleanup, and we received a packet
-	 * at the same time as the event expired. Due to the processing
-	 * order in call_server(), the packet processing will happen first,
-	 * and the event will be removed.
-	 */
-	return;
-    }
-
-    evlist = evlist->ev_next;		/* Ok, we'll handle this event */
-
-    DBG(DBG_CONTROL,
-	if (evlist != (struct event *) NULL)
-	    DBG_log("event after this is %s in %ld seconds"
-		, enum_show(&timer_event_names, evlist->ev_type)
-		, (long) (evlist->ev_time - tm)));
-
-    /* for state-associated events, pick up the state pointer
-     * and remove the backpointer from the state object.
-     * We'll eventually either schedule a new event, or delete the state.
-     */
-    passert(GLOBALS_ARE_RESET());
-    if (st != NULL)
-    {
-	c = st->st_connection;
-	if (type  == EVENT_DPD || type == EVENT_DPD_TIMEOUT)
+	time_t tm;
+	struct event *ev = evlist;
+	int type;
+	struct state *st;
+	struct connection *c = NULL;
+	ip_address peer;
+
+	if (ev == (struct event *) NULL)    /* Just paranoid */
 	{
-	    passert(st->st_dpd_event == ev);
-	    st->st_dpd_event = NULL;
+		DBG(DBG_CONTROL, DBG_log("empty event list, yet we're called"));
+		return;
 	}
-	else 
+
+	type = ev->ev_type;
+	st = ev->ev_state;
+
+	tm = now();
+
+	if (tm < ev->ev_time)
 	{
-	    passert(st->st_event == ev);
-	    st->st_event = NULL;
+		DBG(DBG_CONTROL, DBG_log("called while no event expired (%lu/%lu, %N)"
+			, (unsigned long)tm, (unsigned long)ev->ev_time
+			, timer_event_names, type));
+
+		/* This will happen if the most close-to-expire event was
+		 * a retransmission or cleanup, and we received a packet
+		 * at the same time as the event expired. Due to the processing
+		 * order in call_server(), the packet processing will happen first,
+		 * and the event will be removed.
+		 */
+		return;
 	}
-	peer = c->spd.that.host_addr;
-	set_cur_state(st);
-    }
-
-    switch (type)
-    {
-	case EVENT_REINIT_SECRET:
-	    passert(st == NULL);
-	    DBG(DBG_CONTROL, DBG_log("event EVENT_REINIT_SECRET handled"));
-	    init_secret();
-	    break;
 
-#ifdef KLIPS
-	case EVENT_SHUNT_SCAN:
-	    passert(st == NULL);
-	    scan_proc_shunts();
-	    break;
-#endif
+	evlist = evlist->ev_next;           /* Ok, we'll handle this event */
 
-	case EVENT_LOG_DAILY:
-	    daily_log_event();
-	    break;
-
-	case EVENT_RETRANSMIT:
-	    /* Time to retransmit, or give up.
-	     *
-	     * Generally, we'll only try to send the message
-	     * MAXIMUM_RETRANSMISSIONS times.  Each time we double
-	     * our patience.
-	     *
-	     * As a special case, if this is the first initiating message
-	     * of a Main Mode exchange, and we have been directed to try
-	     * forever, we'll extend the number of retransmissions to
-	     * MAXIMUM_RETRANSMISSIONS_INITIAL times, with all these
-	     * extended attempts having the same patience.  The intention
-	     * is to reduce the bother when nobody is home.
-	     */
-	    {
-		time_t delay = 0;
-
-		DBG(DBG_CONTROL, DBG_log(
-		    "handling event EVENT_RETRANSMIT for %s \"%s\" #%lu"
-		    , ip_str(&peer), c->name, st->st_serialno));
-
-		if (st->st_retransmit < MAXIMUM_RETRANSMISSIONS)
-		    delay = EVENT_RETRANSMIT_DELAY_0 << (st->st_retransmit + 1);
-		else if (st->st_state == STATE_MAIN_I1
-		&& c->sa_keying_tries == 0
-		&& st->st_retransmit < MAXIMUM_RETRANSMISSIONS_INITIAL)
-		    delay = EVENT_RETRANSMIT_DELAY_0 << MAXIMUM_RETRANSMISSIONS;
-
-		if (delay != 0)
+	DBG(DBG_CONTROL,
+		if (evlist != (struct event *) NULL)
+			DBG_log("event after this is %N in %ld seconds"
+				, timer_event_names, evlist->ev_type
+				, (long) (evlist->ev_time - tm)));
+
+	/* for state-associated events, pick up the state pointer
+	 * and remove the backpointer from the state object.
+	 * We'll eventually either schedule a new event, or delete the state.
+	 */
+	passert(GLOBALS_ARE_RESET());
+	if (st != NULL)
+	{
+		c = st->st_connection;
+		if (type  == EVENT_DPD || type == EVENT_DPD_TIMEOUT)
 		{
-		    st->st_retransmit++;
-		    whack_log(RC_RETRANSMISSION
-			, "%s: retransmission; will wait %lus for response"
-			, enum_name(&state_names, st->st_state)
-			, (unsigned long)delay);
-		    send_packet(st, "EVENT_RETRANSMIT");
-		    event_schedule(EVENT_RETRANSMIT, delay, st);
+			passert(st->st_dpd_event == ev);
+			st->st_dpd_event = NULL;
 		}
-		else
+		else 
 		{
-		    /* check if we've tried rekeying enough times.
-		     * st->st_try == 0 means that this should be the only try.
-		     * c->sa_keying_tries == 0 means that there is no limit.
-		     */
-		    unsigned long try = st->st_try;
-		    unsigned long try_limit = c->sa_keying_tries;
-		    const char *details = "";
-
-		    switch (st->st_state)
-		    {
-		    case STATE_MAIN_I3:
-			details = ".  Possible authentication failure:"
-			    " no acceptable response to our"
-			    " first encrypted message";
-			break;
-		    case STATE_MAIN_I1:
-			details = ".  No response (or no acceptable response) to our"
-			    " first IKE message";
-			break;
-		    case STATE_QUICK_I1:
-			if (c->newest_ipsec_sa == SOS_NOBODY)
-			    details = ".  No acceptable response to our"
-				" first Quick Mode message:"
-				" perhaps peer likes no proposal";
+			passert(st->st_event == ev);
+			st->st_event = NULL;
+		}
+		peer = c->spd.that.host_addr;
+		set_cur_state(st);
+	}
+
+	switch (type)
+	{
+		case EVENT_REINIT_SECRET:
+			passert(st == NULL);
+			DBG(DBG_CONTROL, DBG_log("event EVENT_REINIT_SECRET handled"));
+			init_secret();
 			break;
-		    default:
+
+#ifdef KLIPS
+		case EVENT_SHUNT_SCAN:
+			passert(st == NULL);
+			scan_proc_shunts();
 			break;
-		    }
-		    loglog(RC_NORETRANSMISSION
-			, "max number of retransmissions (%d) reached %s%s"
-			, st->st_retransmit
-			, enum_show(&state_names, st->st_state), details);
-		    if (try != 0 && try != try_limit)
-		    {
-			/* A lot like EVENT_SA_REPLACE, but over again.
-			 * Since we know that st cannot be in use,
-			 * we can delete it right away.
-			 */
-			char story[80];	/* arbitrary limit */
+#endif
 
-			try++;
-			snprintf(story, sizeof(story), try_limit == 0
-			    ? "starting keying attempt %ld of an unlimited number"
-			    : "starting keying attempt %ld of at most %ld"
-			    , try, try_limit);
+		case EVENT_LOG_DAILY:
+			daily_log_event();
+			break;
 
-			if (st->st_whack_sock != NULL_FD)
+		case EVENT_RETRANSMIT:
+			/* Time to retransmit, or give up.
+			 *
+			 * Generally, we'll only try to send the message
+			 * MAXIMUM_RETRANSMISSIONS times.  Each time we double
+			 * our patience.
+			 *
+			 * As a special case, if this is the first initiating message
+			 * of a Main Mode exchange, and we have been directed to try
+			 * forever, we'll extend the number of retransmissions to
+			 * MAXIMUM_RETRANSMISSIONS_INITIAL times, with all these
+			 * extended attempts having the same patience.  The intention
+			 * is to reduce the bother when nobody is home.
+			 */
 			{
-			    /* Release whack because the observer will get bored. */
-			    loglog(RC_COMMENT, "%s, but releasing whack"
-				, story);
-			    release_pending_whacks(st, story);
+				time_t delay = 0;
+
+				DBG(DBG_CONTROL, DBG_log(
+					"handling event EVENT_RETRANSMIT for %s \"%s\" #%lu"
+					, ip_str(&peer), c->name, st->st_serialno));
+
+				if (st->st_retransmit < MAXIMUM_RETRANSMISSIONS)
+					delay = EVENT_RETRANSMIT_DELAY_0 << (st->st_retransmit + 1);
+				else if (st->st_state == STATE_MAIN_I1
+				&& c->sa_keying_tries == 0
+				&& st->st_retransmit < MAXIMUM_RETRANSMISSIONS_INITIAL)
+					delay = EVENT_RETRANSMIT_DELAY_0 << MAXIMUM_RETRANSMISSIONS;
+
+				if (delay != 0)
+				{
+					st->st_retransmit++;
+					whack_log(RC_RETRANSMISSION
+						, "%s: retransmission; will wait %lus for response"
+						, enum_name(&state_names, st->st_state)
+						, (unsigned long)delay);
+					send_packet(st, "EVENT_RETRANSMIT");
+					event_schedule(EVENT_RETRANSMIT, delay, st);
+				}
+				else
+				{
+					/* check if we've tried rekeying enough times.
+					 * st->st_try == 0 means that this should be the only try.
+					 * c->sa_keying_tries == 0 means that there is no limit.
+					 */
+					unsigned long try = st->st_try;
+					unsigned long try_limit = c->sa_keying_tries;
+					const char *details = "";
+
+					switch (st->st_state)
+					{
+					case STATE_MAIN_I3:
+						details = ".  Possible authentication failure:"
+							" no acceptable response to our"
+							" first encrypted message";
+						break;
+					case STATE_MAIN_I1:
+						details = ".  No response (or no acceptable response) to our"
+							" first IKE message";
+						break;
+					case STATE_QUICK_I1:
+						if (c->newest_ipsec_sa == SOS_NOBODY)
+							details = ".  No acceptable response to our"
+								" first Quick Mode message:"
+								" perhaps peer likes no proposal";
+						break;
+					default:
+						break;
+					}
+					loglog(RC_NORETRANSMISSION
+						, "max number of retransmissions (%d) reached %s%s"
+						, st->st_retransmit
+						, enum_show(&state_names, st->st_state), details);
+					if (try != 0 && try != try_limit)
+					{
+						/* A lot like EVENT_SA_REPLACE, but over again.
+						 * Since we know that st cannot be in use,
+						 * we can delete it right away.
+						 */
+						char story[80]; /* arbitrary limit */
+
+						try++;
+						snprintf(story, sizeof(story), try_limit == 0
+							? "starting keying attempt %ld of an unlimited number"
+							: "starting keying attempt %ld of at most %ld"
+							, try, try_limit);
+
+						if (st->st_whack_sock != NULL_FD)
+						{
+							/* Release whack because the observer will get bored. */
+							loglog(RC_COMMENT, "%s, but releasing whack"
+								, story);
+							release_pending_whacks(st, story);
+						}
+						else
+						{
+							/* no whack: just log to syslog */
+							plog("%s", story);
+						}
+						ipsecdoi_replace(st, try);
+					}
+					delete_state(st);
+				}
 			}
-			else
+			break;
+
+		case EVENT_SA_REPLACE:
+		case EVENT_SA_REPLACE_IF_USED:
 			{
-			    /* no whack: just log to syslog */
-			    plog("%s", story);
+				so_serial_t newest = IS_PHASE1(st->st_state)
+					? c->newest_isakmp_sa : c->newest_ipsec_sa;
+
+				if (newest != st->st_serialno
+				&& newest != SOS_NOBODY)
+				{
+					/* not very interesting: no need to replace */
+					DBG(DBG_LIFECYCLE
+						, plog("not replacing stale %s SA: #%lu will do"
+							, IS_PHASE1(st->st_state)? "ISAKMP" : "IPsec"
+							, newest));
+				}
+				else if (type == EVENT_SA_REPLACE_IF_USED
+				&& st->st_outbound_time <= tm - c->sa_rekey_margin)
+				{
+					/* we observed no recent use: no need to replace
+					 *
+					 * The sampling effects mean that st_outbound_time
+					 * could be up to SHUNT_SCAN_INTERVAL more recent
+					 * than actual traffic because the sampler looks at change
+					 * over that interval.
+					 * st_outbound_time could also not yet reflect traffic
+					 * in the last SHUNT_SCAN_INTERVAL.
+					 * We expect that SHUNT_SCAN_INTERVAL is smaller than
+					 * c->sa_rekey_margin so that the effects of this will
+					 * be unimportant.
+					 * This is just an optimization: correctness is not
+					 * at stake.
+					 *
+					 * Note: we are abusing the DBG mechanism to control
+					 * normal log output.
+					 */
+					DBG(DBG_LIFECYCLE
+						, plog("not replacing stale %s SA: inactive for %lus"
+							, IS_PHASE1(st->st_state)? "ISAKMP" : "IPsec"
+							, (unsigned long)(tm - st->st_outbound_time)));
+				}
+				else
+				{
+					DBG(DBG_LIFECYCLE
+						, plog("replacing stale %s SA"
+							, IS_PHASE1(st->st_state)? "ISAKMP" : "IPsec"));
+					ipsecdoi_replace(st, 1);
+				}
+				delete_dpd_event(st);
+				event_schedule(EVENT_SA_EXPIRE, st->st_margin, st);
 			}
-			ipsecdoi_replace(st, try);
-		    }
-		    delete_state(st);
-		}
-	    }
-	    break;
-
-	case EVENT_SA_REPLACE:
-	case EVENT_SA_REPLACE_IF_USED:
-	    {
-		so_serial_t newest = IS_PHASE1(st->st_state)
-		    ? c->newest_isakmp_sa : c->newest_ipsec_sa;
-
-		if (newest != st->st_serialno
-		&& newest != SOS_NOBODY)
-		{
-		    /* not very interesting: no need to replace */
-		    DBG(DBG_LIFECYCLE
-			, plog("not replacing stale %s SA: #%lu will do"
-			    , IS_PHASE1(st->st_state)? "ISAKMP" : "IPsec"
-			    , newest));
-		}
-		else if (type == EVENT_SA_REPLACE_IF_USED
-		&& st->st_outbound_time <= tm - c->sa_rekey_margin)
-		{
-		    /* we observed no recent use: no need to replace
-		     *
-		     * The sampling effects mean that st_outbound_time
-		     * could be up to SHUNT_SCAN_INTERVAL more recent
-		     * than actual traffic because the sampler looks at change
-		     * over that interval.
-		     * st_outbound_time could also not yet reflect traffic
-		     * in the last SHUNT_SCAN_INTERVAL.
-		     * We expect that SHUNT_SCAN_INTERVAL is smaller than
-		     * c->sa_rekey_margin so that the effects of this will
-		     * be unimportant.
-		     * This is just an optimization: correctness is not
-		     * at stake.
-		     *
-		     * Note: we are abusing the DBG mechanism to control
-		     * normal log output.
-		     */
-		    DBG(DBG_LIFECYCLE
-			, plog("not replacing stale %s SA: inactive for %lus"
-			    , IS_PHASE1(st->st_state)? "ISAKMP" : "IPsec"
-			    , (unsigned long)(tm - st->st_outbound_time)));
-		}
-		else
-		{
-		    DBG(DBG_LIFECYCLE
-			, plog("replacing stale %s SA"
-			    , IS_PHASE1(st->st_state)? "ISAKMP" : "IPsec"));
-		    ipsecdoi_replace(st, 1);
-		}
-		delete_dpd_event(st);
-		event_schedule(EVENT_SA_EXPIRE, st->st_margin, st);
-	    }
-	    break;
+			break;
 
-	case EVENT_SA_EXPIRE:
-	    {
-		const char *satype;
-		so_serial_t latest;
+		case EVENT_SA_EXPIRE:
+			{
+				const char *satype;
+				so_serial_t latest;
+
+				if (IS_PHASE1(st->st_state))
+				{
+					satype = "ISAKMP";
+					latest = c->newest_isakmp_sa;
+				}
+				else
+				{
+					satype = "IPsec";
+					latest = c->newest_ipsec_sa;
+				}
+
+				if (st->st_serialno != latest)
+				{
+					/* not very interesting: already superseded */
+					DBG(DBG_LIFECYCLE
+						, plog("%s SA expired (superseded by #%lu)"
+							, satype, latest));
+				}
+				else
+				{
+					plog("%s SA expired (%s)", satype
+						, (c->policy & POLICY_DONT_REKEY)
+							? "--dontrekey"
+							: "LATEST!"
+						);
+				}
+			}
+			/* FALLTHROUGH */
+		case EVENT_SO_DISCARD:
+			/* Delete this state object.  It must be in the hash table. */
+			delete_state(st);
+			break;
 
-		if (IS_PHASE1(st->st_state))
-		{
-		    satype = "ISAKMP";
-		    latest = c->newest_isakmp_sa;
-		}
-		else
-		{
-		    satype = "IPsec";
-		    latest = c->newest_ipsec_sa;
-		}
+		case EVENT_DPD:
+			dpd_outI(st);
+			break;
+		case EVENT_DPD_TIMEOUT:
+			dpd_timeout(st);
+			break;
+		case EVENT_NAT_T_KEEPALIVE:
+			nat_traversal_ka_event();
+			break;
+		default:
+			loglog(RC_LOG_SERIOUS, "INTERNAL ERROR: ignoring unknown expiring event %N"
+				, timer_event_names, type);
+	}
 
-		if (st->st_serialno != latest)
-		{
-		    /* not very interesting: already superseded */
-		    DBG(DBG_LIFECYCLE
-			, plog("%s SA expired (superseded by #%lu)"
-			    , satype, latest));
-		}
-		else
-		{
-		    plog("%s SA expired (%s)", satype
-			, (c->policy & POLICY_DONT_REKEY)
-			    ? "--dontrekey"
-			    : "LATEST!"
-			);
-		}
-	    }
-	    /* FALLTHROUGH */
-	case EVENT_SO_DISCARD:
-	    /* Delete this state object.  It must be in the hash table. */
-	    delete_state(st);
-	    break;
-
-	case EVENT_DPD:
-	    dpd_outI(st);
-	    break;
-	case EVENT_DPD_TIMEOUT:
-	    dpd_timeout(st);
-	    break;
-	case EVENT_NAT_T_KEEPALIVE:
-	    nat_traversal_ka_event();
-	    break;
-	default:
-	    loglog(RC_LOG_SERIOUS, "INTERNAL ERROR: ignoring unknown expiring event %s"
-		, enum_show(&timer_event_names, type));
-    }
-
-    pfree(ev);
-    reset_cur_state();
+	free(ev);
+	reset_cur_state();
 }
 
-/*
+/**
  * Return the time until the next event in the queue
  * expires (never negative), or -1 if no jobs in queue.
  */
-long
-next_event(void)
+long next_event(void)
 {
-    time_t tm;
+	time_t tm;
+
+	if (evlist == (struct event *) NULL)
+		return -1;
 
-    if (evlist == (struct event *) NULL)
-	return -1;
+	tm = now();
 
-    tm = now();
+	DBG(DBG_CONTROL,
+		if (evlist->ev_state == NULL)
+			DBG_log("next event %N in %ld seconds"
+				, timer_event_names, evlist->ev_type
+				, (long)evlist->ev_time - (long)tm);
+		else
+			DBG_log("next event %N in %ld seconds for #%lu"
+				, timer_event_names, evlist->ev_type
+				, (long)evlist->ev_time - (long)tm
+				, evlist->ev_state->st_serialno));
 
-    DBG(DBG_CONTROL,
-	if (evlist->ev_state == NULL)
-	    DBG_log("next event %s in %ld seconds"
-		, enum_show(&timer_event_names, evlist->ev_type)
-		, (long)evlist->ev_time - (long)tm);
+	if (evlist->ev_time - tm <= 0)
+		return 0;
 	else
-	    DBG_log("next event %s in %ld seconds for #%lu"
-		, enum_show(&timer_event_names, evlist->ev_type)
-		, (long)evlist->ev_time - (long)tm
-		, evlist->ev_state->st_serialno));
-
-    if (evlist->ev_time - tm <= 0)
-	return 0;
-    else
-	return evlist->ev_time - tm;
+		return evlist->ev_time - tm;
 }
 
-/*
+/**
  * Delete an event.
  */
-void
-delete_event(struct state *st)
+void delete_event(struct state *st)
 {
-    if (st->st_event != (struct event *) NULL)
-    {
-	struct event **ev;
-
-	for (ev = &evlist; ; ev = &(*ev)->ev_next)
+	if (st->st_event != (struct event *) NULL)
 	{
-	    if (*ev == NULL)
-	    {
-		DBG(DBG_CONTROL, DBG_log("event %s to be deleted not found",
-		    enum_show(&timer_event_names, st->st_event->ev_type)));
-		break;
-	    }
-	    if ((*ev) == st->st_event)
-	    {
-		*ev = (*ev)->ev_next;
-
-		if (st->st_event->ev_type == EVENT_RETRANSMIT)
-		    st->st_retransmit = 0;
-		pfree(st->st_event);
-		st->st_event = (struct event *) NULL;
-
-		break;
-	    }
+		struct event **ev;
+
+		for (ev = &evlist; ; ev = &(*ev)->ev_next)
+		{
+			if (*ev == NULL)
+			{
+				DBG(DBG_CONTROL, DBG_log("event %N to be deleted not found",
+					timer_event_names, st->st_event->ev_type));
+				break;
+			}
+			if ((*ev) == st->st_event)
+			{
+				*ev = (*ev)->ev_next;
+
+				if (st->st_event->ev_type == EVENT_RETRANSMIT)
+				{
+					st->st_retransmit = 0;
+				}
+				free(st->st_event);
+				st->st_event = (struct event *) NULL;
+
+				break;
+			}
+		}
 	}
-    }
 }
 
-/*
+/**
  * Delete a DPD event.
  */
-void
-delete_dpd_event(struct state *st)
+void delete_dpd_event(struct state *st)
 {
-    if (st->st_dpd_event != (struct event *) NULL)
-    {
-        struct event **ev;
-
-        for (ev = &evlist; ; ev = &(*ev)->ev_next)
-        {
-            if (*ev == NULL)
-            {
-                DBG(DBG_CONTROL, DBG_log("event %s to be deleted not found",
-                    enum_show(&timer_event_names, st->st_dpd_event->ev_type)));
-                break;
-            }
-            if ((*ev) == st->st_dpd_event)
-            {
-                *ev = (*ev)->ev_next;
-                pfree(st->st_dpd_event);
-                st->st_dpd_event = (struct event *) NULL;
-                break;
-            }
-        }
-    }
+	if (st->st_dpd_event != (struct event *) NULL)
+	{
+		struct event **ev;
+
+		for (ev = &evlist; ; ev = &(*ev)->ev_next)
+		{
+			if (*ev == NULL)
+			{
+				DBG(DBG_CONTROL, DBG_log("event %N to be deleted not found",
+					timer_event_names, st->st_dpd_event->ev_type));
+				break;
+			}
+			if ((*ev) == st->st_dpd_event)
+			{
+				*ev = (*ev)->ev_next;
+				free(st->st_dpd_event);
+				st->st_dpd_event = (struct event *) NULL;
+				break;
+			}
+		}
+	}
 }
 
+/**
+ * Free remaining events
+ */
+void free_events(void)
+{
+	struct event *ev_tmp, *ev;
+
+	ev = evlist;
+	evlist = NULL;
+
+	while (ev)
+	{
+		ev_tmp = ev;
+		ev = ev->ev_next;
+		free(ev_tmp);
+	}
+}
 
diff --git a/src/pluto/timer.h b/src/pluto/timer.h
index c772d37f9..322aeba6a 100644
--- a/src/pluto/timer.h
+++ b/src/pluto/timer.h
@@ -10,20 +10,18 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: timer.h 3252 2007-10-06 21:24:50Z andreas $
  */
 
-extern time_t now(void);	/* careful version of time(2) */
+extern time_t now(void);        /* careful version of time(2) */
 
-struct state;	/* forward declaration */
+struct state;   /* forward declaration */
 
 struct event
 {
-    time_t          ev_time;
-    int             ev_type;        /* Event type */
-    struct state   *ev_state;       /* Pointer to relevant state (if any) */
-    struct event   *ev_next;        /* Pointer to next event */
+	time_t          ev_time;
+	int             ev_type;        /* Event type */
+	struct state   *ev_state;       /* Pointer to relevant state (if any) */
+	struct event   *ev_next;        /* Pointer to next event */
 };
 
 extern void event_schedule(enum event_type type, time_t tm, struct state *st);
@@ -32,3 +30,5 @@ extern long next_event(void);
 extern void delete_event(struct state *st);
 extern void delete_dpd_event(struct state *st);
 extern void daily_log_event(void);
+extern void free_events(void);
+extern void init_secret(void);
diff --git a/src/pluto/vendor.c b/src/pluto/vendor.c
index f957bf39b..ff145eb38 100644
--- a/src/pluto/vendor.c
+++ b/src/pluto/vendor.c
@@ -1,5 +1,6 @@
 /* ISAKMP VendorID
  * Copyright (C) 2002-2005 Mathieu Lafon - Arkoon Network Security
+ * Copyright (C) 2009 Andreas Steffen - Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -10,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: vendor.c 5052 2009-03-30 03:47:14Z andreas $
  */
 
 #include <stdlib.h>
@@ -20,10 +19,12 @@
 #include <sys/queue.h>
 #include <freeswan.h>
 
+#include <library.h>
+#include <crypto/hashers/hasher.h>
+
 #include "constants.h"
 #include "defs.h"
 #include "log.h"
-#include "md5.h"
 #include "connections.h"
 #include "packet.h"
 #include "demux.h"
@@ -88,232 +89,226 @@
 #define VID_SUBSTRING  (VID_SUBSTRING_DUMPHEXA | VID_SUBSTRING_DUMPASCII | VID_SUBSTRING_MATCH)
 
 struct vid_struct {
-	enum known_vendorid id;
-	unsigned short flags;
-	const char *data;
-	const char *descr;
-	const char *vid;
-	u_int vid_len;
+		enum known_vendorid id;
+		unsigned short flags;
+		const char *data;
+		const char *descr;
+		chunk_t vid;
 };
 
 #define DEC_MD5_VID_D(id,str,descr) \
-	{ VID_##id, VID_MD5HASH, str, descr, NULL, 0 },
+		{ VID_##id, VID_MD5HASH, str, descr, { NULL, 0 } },
 #define DEC_MD5_VID(id,str) \
-	{ VID_##id, VID_MD5HASH, str, NULL, NULL, 0 },
-#define DEC_FSWAN_VID(id,str,descr) \
-	{ VID_##id, VID_FSWAN_HASH, str, descr, NULL, 0 },
+		{ VID_##id, VID_MD5HASH, str, NULL, { NULL, 0 } },
 
 static struct vid_struct _vid_tab[] = {
 
-	/* Implementation names */
-
-	{ VID_OPENPGP, VID_STRING, "OpenPGP10171", "OpenPGP", NULL, 0 },
-
-	DEC_MD5_VID(KAME_RACOON, "KAME/racoon")
-
-	{ VID_MS_NT5, VID_MD5HASH | VID_SUBSTRING_DUMPHEXA,
-		"MS NT5 ISAKMPOAKLEY", NULL, NULL, 0 },
-
-	DEC_MD5_VID(SSH_SENTINEL, "SSH Sentinel")
-	DEC_MD5_VID(SSH_SENTINEL_1_1, "SSH Sentinel 1.1")
-	DEC_MD5_VID(SSH_SENTINEL_1_2, "SSH Sentinel 1.2")
-	DEC_MD5_VID(SSH_SENTINEL_1_3, "SSH Sentinel 1.3")
-	DEC_MD5_VID(SSH_SENTINEL_1_4, "SSH Sentinel 1.4")
-	DEC_MD5_VID(SSH_SENTINEL_1_4_1, "SSH Sentinel 1.4.1")
-
-	/* These ones come from SSH vendors.txt */
-	DEC_MD5_VID(SSH_IPSEC_1_1_0,
-		"Ssh Communications Security IPSEC Express version 1.1.0")
-	DEC_MD5_VID(SSH_IPSEC_1_1_1,
-		"Ssh Communications Security IPSEC Express version 1.1.1")
-	DEC_MD5_VID(SSH_IPSEC_1_1_2,
-		"Ssh Communications Security IPSEC Express version 1.1.2")
-	DEC_MD5_VID(SSH_IPSEC_1_2_1,
-		"Ssh Communications Security IPSEC Express version 1.2.1")
-	DEC_MD5_VID(SSH_IPSEC_1_2_2,
-		"Ssh Communications Security IPSEC Express version 1.2.2")
-	DEC_MD5_VID(SSH_IPSEC_2_0_0,
-		"SSH Communications Security IPSEC Express version 2.0.0")
-	DEC_MD5_VID(SSH_IPSEC_2_1_0,
-		"SSH Communications Security IPSEC Express version 2.1.0")
-	DEC_MD5_VID(SSH_IPSEC_2_1_1,
-		"SSH Communications Security IPSEC Express version 2.1.1")
-	DEC_MD5_VID(SSH_IPSEC_2_1_2,
-		"SSH Communications Security IPSEC Express version 2.1.2")
-	DEC_MD5_VID(SSH_IPSEC_3_0_0,
-		"SSH Communications Security IPSEC Express version 3.0.0")
-	DEC_MD5_VID(SSH_IPSEC_3_0_1,
-		"SSH Communications Security IPSEC Express version 3.0.1")
-	DEC_MD5_VID(SSH_IPSEC_4_0_0,
-		"SSH Communications Security IPSEC Express version 4.0.0")
-	DEC_MD5_VID(SSH_IPSEC_4_0_1,
-		"SSH Communications Security IPSEC Express version 4.0.1")
-	DEC_MD5_VID(SSH_IPSEC_4_1_0,
-		"SSH Communications Security IPSEC Express version 4.1.0")
-	DEC_MD5_VID(SSH_IPSEC_4_2_0,
-		"SSH Communications Security IPSEC Express version 4.2.0")
-
-	/* note: md5('CISCO-UNITY') = 12f5f28c457168a9702d9fe274cc02d4 */
-	{ VID_CISCO_UNITY, VID_KEEP, NULL, "Cisco-Unity",
-		"\x12\xf5\xf2\x8c\x45\x71\x68\xa9\x70\x2d\x9f\xe2\x74\xcc\x01\x00",
-		16 },
-
-	{ VID_CISCO3K, VID_KEEP | VID_SUBSTRING_MATCH,
-          NULL, "Cisco VPN 3000 Series" , "\x1f\x07\xf7\x0e\xaa\x65\x14\xd3\xb0\xfa\x96\x54\x2a\x50", 14},
-
-	{ VID_CISCO_IOS, VID_KEEP | VID_SUBSTRING_MATCH, 
-	  NULL, "Cisco IOS Device", "\x3e\x98\x40\x48", 4},
-
-	/*
-	 * Timestep VID seen:
-	 *   - 54494d455354455020312053475720313532302033313520322e303145303133
-	 *     = 'TIMESTEP 1 SGW 1520 315 2.01E013'
-	 */
-	{ VID_TIMESTEP, VID_STRING | VID_SUBSTRING_DUMPASCII, "TIMESTEP",
-		NULL, NULL, 0 },
-
-	/*
-	 * Netscreen:
-	 * 4865617274426561745f4e6f74696679386b0100  (HeartBeat_Notify + 386b0100)
-	 */
-	{ VID_MISC_HEARTBEAT_NOTIFY, VID_STRING | VID_SUBSTRING_DUMPHEXA,
-		"HeartBeat_Notify", "HeartBeat Notify", NULL, 0 },
-
-	/*
-	 * MacOS X
-	 */
-	{ VID_MACOSX, VID_STRING|VID_SUBSTRING_DUMPHEXA, "Mac OSX 10.x",
-	  "\x4d\xf3\x79\x28\xe9\xfc\x4f\xd1\xb3\x26\x21\x70\xd5\x15\xc6\x62", NULL, 0},
-
-	/*
-	 * Openswan
-	 */
-	DEC_FSWAN_VID(OPENSWAN2, "Openswan 2.2.0", "Openswan 2.2.0")
-	
-	/* NCP */
-	{ VID_NCP_SERVER, VID_KEEP | VID_SUBSTRING_MATCH, NULL, "NCP Server",
-	    "\xc6\xf5\x7a\xc3\x98\xf4\x93\x20\x81\x45\xb7\x58", 12},
-	{ VID_NCP_CLIENT, VID_KEEP | VID_SUBSTRING_MATCH, NULL, "NCP Client",
-	    "\xeb\x4c\x1b\x78\x8a\xfd\x4a\x9c\xb7\x73\x0a\x68", 12},
-
-	/*
-	 * Windows Vista (and Windows Server 2008?)
-	 */
-	DEC_MD5_VID(VISTA_AUTHIP, "MS-Negotiation Discovery Capable")
-	DEC_MD5_VID(VISTA_AUTHIP2, "IKE CGA version 1")
-	DEC_MD5_VID(VISTA_AUTHIP3, "MS-MamieExists")
-
-	/*
-	 * strongSwan
-	 */
-	DEC_MD5_VID(STRONGSWAN,       "strongSwan 4.2.14")
-	DEC_MD5_VID(STRONGSWAN_4_2_13,"strongSwan 4.2.13")
-	DEC_MD5_VID(STRONGSWAN_4_2_12,"strongSwan 4.2.12")
-	DEC_MD5_VID(STRONGSWAN_4_2_11,"strongSwan 4.2.11")
-	DEC_MD5_VID(STRONGSWAN_4_2_10,"strongSwan 4.2.10")
-	DEC_MD5_VID(STRONGSWAN_4_2_9, "strongSwan 4.2.9")
-	DEC_MD5_VID(STRONGSWAN_4_2_8, "strongSwan 4.2.8")
-	DEC_MD5_VID(STRONGSWAN_4_2_7, "strongSwan 4.2.7")
-	DEC_MD5_VID(STRONGSWAN_4_2_6, "strongSwan 4.2.6")
-	DEC_MD5_VID(STRONGSWAN_4_2_5, "strongSwan 4.2.5")
-	DEC_MD5_VID(STRONGSWAN_4_2_4, "strongSwan 4.2.4")
-	DEC_MD5_VID(STRONGSWAN_4_2_3, "strongSwan 4.2.3")
-	DEC_MD5_VID(STRONGSWAN_4_2_2, "strongSwan 4.2.2")
-	DEC_MD5_VID(STRONGSWAN_4_2_1, "strongSwan 4.2.1")
-	DEC_MD5_VID(STRONGSWAN_4_2_0, "strongSwan 4.2.0")
-	DEC_MD5_VID(STRONGSWAN_4_1_11,"strongSwan 4.1.11")
-	DEC_MD5_VID(STRONGSWAN_4_1_10,"strongSwan 4.1.10")
-	DEC_MD5_VID(STRONGSWAN_4_1_9, "strongSwan 4.1.9")
-	DEC_MD5_VID(STRONGSWAN_4_1_8, "strongSwan 4.1.8")
-	DEC_MD5_VID(STRONGSWAN_4_1_7, "strongSwan 4.1.7")
-	DEC_MD5_VID(STRONGSWAN_4_1_6, "strongSwan 4.1.6")
-	DEC_MD5_VID(STRONGSWAN_4_1_5, "strongSwan 4.1.5")
-	DEC_MD5_VID(STRONGSWAN_4_1_4, "strongSwan 4.1.4")
-	DEC_MD5_VID(STRONGSWAN_4_1_3, "strongSwan 4.1.3")
-	DEC_MD5_VID(STRONGSWAN_4_1_2, "strongSwan 4.1.2")
-	DEC_MD5_VID(STRONGSWAN_4_1_1, "strongSwan 4.1.1")
-	DEC_MD5_VID(STRONGSWAN_4_1_0, "strongSwan 4.1.0")
-	DEC_MD5_VID(STRONGSWAN_4_0_7, "strongSwan 4.0.7")
-	DEC_MD5_VID(STRONGSWAN_4_0_6, "strongSwan 4.0.6")
-	DEC_MD5_VID(STRONGSWAN_4_0_5, "strongSwan 4.0.5")
-	DEC_MD5_VID(STRONGSWAN_4_0_4, "strongSwan 4.0.4")
-	DEC_MD5_VID(STRONGSWAN_4_0_3, "strongSwan 4.0.3")
-	DEC_MD5_VID(STRONGSWAN_4_0_2, "strongSwan 4.0.2")
-	DEC_MD5_VID(STRONGSWAN_4_0_1, "strongSwan 4.0.1")
-	DEC_MD5_VID(STRONGSWAN_4_0_0, "strongSwan 4.0.0")
-
-	DEC_MD5_VID(STRONGSWAN_2_8_8, "strongSwan 2.8.9")
-	DEC_MD5_VID(STRONGSWAN_2_8_8, "strongSwan 2.8.8")
-	DEC_MD5_VID(STRONGSWAN_2_8_7, "strongSwan 2.8.7")
-	DEC_MD5_VID(STRONGSWAN_2_8_6, "strongSwan 2.8.6")
-	DEC_MD5_VID(STRONGSWAN_2_8_5, "strongSwan 2.8.5")
-	DEC_MD5_VID(STRONGSWAN_2_8_4, "strongSwan 2.8.4")
-	DEC_MD5_VID(STRONGSWAN_2_8_3, "strongSwan 2.8.3")
-	DEC_MD5_VID(STRONGSWAN_2_8_2, "strongSwan 2.8.2")
-	DEC_MD5_VID(STRONGSWAN_2_8_1, "strongSwan 2.8.1")
-	DEC_MD5_VID(STRONGSWAN_2_8_0, "strongSwan 2.8.0")
-	DEC_MD5_VID(STRONGSWAN_2_7_3, "strongSwan 2.7.3")
-	DEC_MD5_VID(STRONGSWAN_2_7_2, "strongSwan 2.7.2")
-	DEC_MD5_VID(STRONGSWAN_2_7_1, "strongSwan 2.7.1")
-	DEC_MD5_VID(STRONGSWAN_2_7_0, "strongSwan 2.7.0")
-	DEC_MD5_VID(STRONGSWAN_2_6_4, "strongSwan 2.6.4")
-	DEC_MD5_VID(STRONGSWAN_2_6_3, "strongSwan 2.6.3")
-	DEC_MD5_VID(STRONGSWAN_2_6_2, "strongSwan 2.6.2")
-	DEC_MD5_VID(STRONGSWAN_2_6_1, "strongSwan 2.6.1")
-	DEC_MD5_VID(STRONGSWAN_2_6_0, "strongSwan 2.6.0")
-	DEC_MD5_VID(STRONGSWAN_2_5_7, "strongSwan 2.5.7")
-	DEC_MD5_VID(STRONGSWAN_2_5_6, "strongSwan 2.5.6")
-	DEC_MD5_VID(STRONGSWAN_2_5_5, "strongSwan 2.5.5")
-	DEC_MD5_VID(STRONGSWAN_2_5_4, "strongSwan 2.5.4")
-	DEC_MD5_VID(STRONGSWAN_2_5_3, "strongSwan 2.5.3")
-	DEC_MD5_VID(STRONGSWAN_2_5_2, "strongSwan 2.5.2")
-	DEC_MD5_VID(STRONGSWAN_2_5_1, "strongSwan 2.5.1")
-	DEC_MD5_VID(STRONGSWAN_2_5_0, "strongSwan 2.5.0")
-	DEC_MD5_VID(STRONGSWAN_2_4_4, "strongSwan 2.4.4")
-	DEC_MD5_VID(STRONGSWAN_2_4_3, "strongSwan 2.4.3")
-	DEC_MD5_VID(STRONGSWAN_2_4_2, "strongSwan 2.4.2")
-	DEC_MD5_VID(STRONGSWAN_2_4_1, "strongSwan 2.4.1")
-	DEC_MD5_VID(STRONGSWAN_2_4_0, "strongSwan 2.4.0")
-	DEC_MD5_VID(STRONGSWAN_2_3_2, "strongSwan 2.3.2")
-	DEC_MD5_VID(STRONGSWAN_2_3_1, "strongSwan 2.3.1")
-	DEC_MD5_VID(STRONGSWAN_2_3_0, "strongSwan 2.3.0")
-	DEC_MD5_VID(STRONGSWAN_2_2_2, "strongSwan 2.2.2")
-	DEC_MD5_VID(STRONGSWAN_2_2_1, "strongSwan 2.2.1")
-	DEC_MD5_VID(STRONGSWAN_2_2_0, "strongSwan 2.2.0")
-
-	/* NAT-Traversal */
-
-	DEC_MD5_VID(NATT_STENBERG_01, "draft-stenberg-ipsec-nat-traversal-01")
-	DEC_MD5_VID(NATT_STENBERG_02, "draft-stenberg-ipsec-nat-traversal-02")
-	DEC_MD5_VID(NATT_HUTTUNEN, "ESPThruNAT")
-	DEC_MD5_VID(NATT_HUTTUNEN_ESPINUDP, "draft-huttunen-ipsec-esp-in-udp-00.txt")
-	DEC_MD5_VID(NATT_IETF_00, "draft-ietf-ipsec-nat-t-ike-00")
-	DEC_MD5_VID(NATT_IETF_02, "draft-ietf-ipsec-nat-t-ike-02")
-	/* hash in draft-ietf-ipsec-nat-t-ike-02 contains '\n'... Accept both */
-	DEC_MD5_VID_D(NATT_IETF_02_N, "draft-ietf-ipsec-nat-t-ike-02\n", "draft-ietf-ipsec-nat-t-ike-02_n")
-	DEC_MD5_VID(NATT_IETF_03, "draft-ietf-ipsec-nat-t-ike-03")
-	DEC_MD5_VID(NATT_RFC, "RFC 3947")
-
-	/* misc */
-	
-	{ VID_MISC_XAUTH, VID_KEEP, NULL, "XAUTH",
-	    "\x09\x00\x26\x89\xdf\xd6\xb7\x12", 8 },
-
-	{ VID_MISC_DPD, VID_KEEP, NULL, "Dead Peer Detection",
-	    "\xaf\xca\xd7\x13\x68\xa1\xf1\xc9\x6b\x86\x96\xfc\x77\x57\x01\x00", 16 },
-
-	DEC_MD5_VID(MISC_FRAGMENTATION, "FRAGMENTATION")
-	
-	DEC_MD5_VID(INITIAL_CONTACT, "Vid-Initial-Contact")
-
-	/**
-	 * Cisco VPN 3000
-	 */
-	{ VID_MISC_FRAGMENTATION, VID_MD5HASH | VID_SUBSTRING_DUMPHEXA,
-	    "FRAGMENTATION", NULL, NULL, 0 },
-
-	/* -- */
-	{ 0, 0, NULL, NULL, NULL, 0 }
+		/* Implementation names */
+
+		{ VID_OPENPGP, VID_STRING, "OpenPGP10171", "OpenPGP", { NULL, 0 } },
+
+		DEC_MD5_VID(KAME_RACOON, "KAME/racoon")
+
+		{ VID_MS_NT5, VID_MD5HASH | VID_SUBSTRING_DUMPHEXA,
+				"MS NT5 ISAKMPOAKLEY", NULL, { NULL, 0 } },
+
+		DEC_MD5_VID(SSH_SENTINEL, "SSH Sentinel")
+		DEC_MD5_VID(SSH_SENTINEL_1_1, "SSH Sentinel 1.1")
+		DEC_MD5_VID(SSH_SENTINEL_1_2, "SSH Sentinel 1.2")
+		DEC_MD5_VID(SSH_SENTINEL_1_3, "SSH Sentinel 1.3")
+		DEC_MD5_VID(SSH_SENTINEL_1_4, "SSH Sentinel 1.4")
+		DEC_MD5_VID(SSH_SENTINEL_1_4_1, "SSH Sentinel 1.4.1")
+
+		/* These ones come from SSH vendors.txt */
+		DEC_MD5_VID(SSH_IPSEC_1_1_0,
+				"Ssh Communications Security IPSEC Express version 1.1.0")
+		DEC_MD5_VID(SSH_IPSEC_1_1_1,
+				"Ssh Communications Security IPSEC Express version 1.1.1")
+		DEC_MD5_VID(SSH_IPSEC_1_1_2,
+				"Ssh Communications Security IPSEC Express version 1.1.2")
+		DEC_MD5_VID(SSH_IPSEC_1_2_1,
+				"Ssh Communications Security IPSEC Express version 1.2.1")
+		DEC_MD5_VID(SSH_IPSEC_1_2_2,
+				"Ssh Communications Security IPSEC Express version 1.2.2")
+		DEC_MD5_VID(SSH_IPSEC_2_0_0,
+				"SSH Communications Security IPSEC Express version 2.0.0")
+		DEC_MD5_VID(SSH_IPSEC_2_1_0,
+				"SSH Communications Security IPSEC Express version 2.1.0")
+		DEC_MD5_VID(SSH_IPSEC_2_1_1,
+				"SSH Communications Security IPSEC Express version 2.1.1")
+		DEC_MD5_VID(SSH_IPSEC_2_1_2,
+				"SSH Communications Security IPSEC Express version 2.1.2")
+		DEC_MD5_VID(SSH_IPSEC_3_0_0,
+				"SSH Communications Security IPSEC Express version 3.0.0")
+		DEC_MD5_VID(SSH_IPSEC_3_0_1,
+				"SSH Communications Security IPSEC Express version 3.0.1")
+		DEC_MD5_VID(SSH_IPSEC_4_0_0,
+				"SSH Communications Security IPSEC Express version 4.0.0")
+		DEC_MD5_VID(SSH_IPSEC_4_0_1,
+				"SSH Communications Security IPSEC Express version 4.0.1")
+		DEC_MD5_VID(SSH_IPSEC_4_1_0,
+				"SSH Communications Security IPSEC Express version 4.1.0")
+		DEC_MD5_VID(SSH_IPSEC_4_2_0,
+				"SSH Communications Security IPSEC Express version 4.2.0")
+
+		/* note: md5('CISCO-UNITY') = 12f5f28c457168a9702d9fe274cc02d4 */
+		{ VID_CISCO_UNITY, VID_KEEP, NULL, "Cisco-Unity",
+		  { "\x12\xf5\xf2\x8c\x45\x71\x68\xa9\x70\x2d\x9f\xe2\x74\xcc\x01\x00", 16 } },
+
+		{ VID_CISCO3K, VID_KEEP | VID_SUBSTRING_MATCH, NULL, "Cisco VPN 3000 Series" ,
+		  { "\x1f\x07\xf7\x0e\xaa\x65\x14\xd3\xb0\xfa\x96\x54\x2a\x50", 14 } },
+
+		{ VID_CISCO_IOS, VID_KEEP | VID_SUBSTRING_MATCH, 
+		  NULL, "Cisco IOS Device", { "\x3e\x98\x40\x48", 4 } },
+
+		/*
+		 * Timestep VID seen:
+		 *   - 54494d455354455020312053475720313532302033313520322e303145303133
+		 *     = 'TIMESTEP 1 SGW 1520 315 2.01E013'
+		 */
+		{ VID_TIMESTEP, VID_STRING | VID_SUBSTRING_DUMPASCII, "TIMESTEP",
+				NULL, { NULL, 0 } },
+
+		/*
+		 * Netscreen:
+		 * 4865617274426561745f4e6f74696679386b0100  (HeartBeat_Notify + 386b0100)
+		 */
+		{ VID_MISC_HEARTBEAT_NOTIFY, VID_STRING | VID_SUBSTRING_DUMPHEXA,
+				"HeartBeat_Notify", "HeartBeat Notify", { NULL, 0 } },
+		/*
+		 * MacOS X
+		 */
+		{ VID_MACOSX, VID_STRING|VID_SUBSTRING_DUMPHEXA, "Mac OSX 10.x",
+		  "\x4d\xf3\x79\x28\xe9\xfc\x4f\xd1\xb3\x26\x21\x70\xd5\x15\xc6\x62", { NULL, 0 } },
+
+		/* NCP */
+		{ VID_NCP_SERVER, VID_KEEP | VID_SUBSTRING_MATCH, NULL, "NCP Server",
+			{ "\xc6\xf5\x7a\xc3\x98\xf4\x93\x20\x81\x45\xb7\x58", 12 } },
+		{ VID_NCP_CLIENT, VID_KEEP | VID_SUBSTRING_MATCH, NULL, "NCP Client",
+			{ "\xeb\x4c\x1b\x78\x8a\xfd\x4a\x9c\xb7\x73\x0a\x68", 12 } },
+
+		/*
+		 * Windows Vista (and Windows Server 2008?)
+		 */
+		DEC_MD5_VID(VISTA_AUTHIP, "MS-Negotiation Discovery Capable")
+		DEC_MD5_VID(VISTA_AUTHIP2, "IKE CGA version 1")
+		DEC_MD5_VID(VISTA_AUTHIP3, "MS-MamieExists")
+
+		/*
+		 * strongSwan
+		 */
+		DEC_MD5_VID(STRONGSWAN,       "strongSwan 4.3.2")
+		DEC_MD5_VID(STRONGSWAN_4_3_1, "strongSwan 4.3.1")
+		DEC_MD5_VID(STRONGSWAN_4_3_0, "strongSwan 4.3.0")
+		DEC_MD5_VID(STRONGSWAN_4_2_15,"strongSwan 4.2.15")
+		DEC_MD5_VID(STRONGSWAN_4_2_14,"strongSwan 4.2.14")
+		DEC_MD5_VID(STRONGSWAN_4_2_13,"strongSwan 4.2.13")
+		DEC_MD5_VID(STRONGSWAN_4_2_12,"strongSwan 4.2.12")
+		DEC_MD5_VID(STRONGSWAN_4_2_11,"strongSwan 4.2.11")
+		DEC_MD5_VID(STRONGSWAN_4_2_10,"strongSwan 4.2.10")
+		DEC_MD5_VID(STRONGSWAN_4_2_9, "strongSwan 4.2.9")
+		DEC_MD5_VID(STRONGSWAN_4_2_8, "strongSwan 4.2.8")
+		DEC_MD5_VID(STRONGSWAN_4_2_7, "strongSwan 4.2.7")
+		DEC_MD5_VID(STRONGSWAN_4_2_6, "strongSwan 4.2.6")
+		DEC_MD5_VID(STRONGSWAN_4_2_5, "strongSwan 4.2.5")
+		DEC_MD5_VID(STRONGSWAN_4_2_4, "strongSwan 4.2.4")
+		DEC_MD5_VID(STRONGSWAN_4_2_3, "strongSwan 4.2.3")
+		DEC_MD5_VID(STRONGSWAN_4_2_2, "strongSwan 4.2.2")
+		DEC_MD5_VID(STRONGSWAN_4_2_1, "strongSwan 4.2.1")
+		DEC_MD5_VID(STRONGSWAN_4_2_0, "strongSwan 4.2.0")
+		DEC_MD5_VID(STRONGSWAN_4_1_11,"strongSwan 4.1.11")
+		DEC_MD5_VID(STRONGSWAN_4_1_10,"strongSwan 4.1.10")
+		DEC_MD5_VID(STRONGSWAN_4_1_9, "strongSwan 4.1.9")
+		DEC_MD5_VID(STRONGSWAN_4_1_8, "strongSwan 4.1.8")
+		DEC_MD5_VID(STRONGSWAN_4_1_7, "strongSwan 4.1.7")
+		DEC_MD5_VID(STRONGSWAN_4_1_6, "strongSwan 4.1.6")
+		DEC_MD5_VID(STRONGSWAN_4_1_5, "strongSwan 4.1.5")
+		DEC_MD5_VID(STRONGSWAN_4_1_4, "strongSwan 4.1.4")
+		DEC_MD5_VID(STRONGSWAN_4_1_3, "strongSwan 4.1.3")
+		DEC_MD5_VID(STRONGSWAN_4_1_2, "strongSwan 4.1.2")
+		DEC_MD5_VID(STRONGSWAN_4_1_1, "strongSwan 4.1.1")
+		DEC_MD5_VID(STRONGSWAN_4_1_0, "strongSwan 4.1.0")
+		DEC_MD5_VID(STRONGSWAN_4_0_7, "strongSwan 4.0.7")
+		DEC_MD5_VID(STRONGSWAN_4_0_6, "strongSwan 4.0.6")
+		DEC_MD5_VID(STRONGSWAN_4_0_5, "strongSwan 4.0.5")
+		DEC_MD5_VID(STRONGSWAN_4_0_4, "strongSwan 4.0.4")
+		DEC_MD5_VID(STRONGSWAN_4_0_3, "strongSwan 4.0.3")
+		DEC_MD5_VID(STRONGSWAN_4_0_2, "strongSwan 4.0.2")
+		DEC_MD5_VID(STRONGSWAN_4_0_1, "strongSwan 4.0.1")
+		DEC_MD5_VID(STRONGSWAN_4_0_0, "strongSwan 4.0.0")
+
+		DEC_MD5_VID(STRONGSWAN_2_8_9, "strongSwan 2.8.9")
+		DEC_MD5_VID(STRONGSWAN_2_8_8, "strongSwan 2.8.8")
+		DEC_MD5_VID(STRONGSWAN_2_8_7, "strongSwan 2.8.7")
+		DEC_MD5_VID(STRONGSWAN_2_8_6, "strongSwan 2.8.6")
+		DEC_MD5_VID(STRONGSWAN_2_8_5, "strongSwan 2.8.5")
+		DEC_MD5_VID(STRONGSWAN_2_8_4, "strongSwan 2.8.4")
+		DEC_MD5_VID(STRONGSWAN_2_8_3, "strongSwan 2.8.3")
+		DEC_MD5_VID(STRONGSWAN_2_8_2, "strongSwan 2.8.2")
+		DEC_MD5_VID(STRONGSWAN_2_8_1, "strongSwan 2.8.1")
+		DEC_MD5_VID(STRONGSWAN_2_8_0, "strongSwan 2.8.0")
+		DEC_MD5_VID(STRONGSWAN_2_7_3, "strongSwan 2.7.3")
+		DEC_MD5_VID(STRONGSWAN_2_7_2, "strongSwan 2.7.2")
+		DEC_MD5_VID(STRONGSWAN_2_7_1, "strongSwan 2.7.1")
+		DEC_MD5_VID(STRONGSWAN_2_7_0, "strongSwan 2.7.0")
+		DEC_MD5_VID(STRONGSWAN_2_6_4, "strongSwan 2.6.4")
+		DEC_MD5_VID(STRONGSWAN_2_6_3, "strongSwan 2.6.3")
+		DEC_MD5_VID(STRONGSWAN_2_6_2, "strongSwan 2.6.2")
+		DEC_MD5_VID(STRONGSWAN_2_6_1, "strongSwan 2.6.1")
+		DEC_MD5_VID(STRONGSWAN_2_6_0, "strongSwan 2.6.0")
+		DEC_MD5_VID(STRONGSWAN_2_5_7, "strongSwan 2.5.7")
+		DEC_MD5_VID(STRONGSWAN_2_5_6, "strongSwan 2.5.6")
+		DEC_MD5_VID(STRONGSWAN_2_5_5, "strongSwan 2.5.5")
+		DEC_MD5_VID(STRONGSWAN_2_5_4, "strongSwan 2.5.4")
+		DEC_MD5_VID(STRONGSWAN_2_5_3, "strongSwan 2.5.3")
+		DEC_MD5_VID(STRONGSWAN_2_5_2, "strongSwan 2.5.2")
+		DEC_MD5_VID(STRONGSWAN_2_5_1, "strongSwan 2.5.1")
+		DEC_MD5_VID(STRONGSWAN_2_5_0, "strongSwan 2.5.0")
+		DEC_MD5_VID(STRONGSWAN_2_4_4, "strongSwan 2.4.4")
+		DEC_MD5_VID(STRONGSWAN_2_4_3, "strongSwan 2.4.3")
+		DEC_MD5_VID(STRONGSWAN_2_4_2, "strongSwan 2.4.2")
+		DEC_MD5_VID(STRONGSWAN_2_4_1, "strongSwan 2.4.1")
+		DEC_MD5_VID(STRONGSWAN_2_4_0, "strongSwan 2.4.0")
+		DEC_MD5_VID(STRONGSWAN_2_3_2, "strongSwan 2.3.2")
+		DEC_MD5_VID(STRONGSWAN_2_3_1, "strongSwan 2.3.1")
+		DEC_MD5_VID(STRONGSWAN_2_3_0, "strongSwan 2.3.0")
+		DEC_MD5_VID(STRONGSWAN_2_2_2, "strongSwan 2.2.2")
+		DEC_MD5_VID(STRONGSWAN_2_2_1, "strongSwan 2.2.1")
+		DEC_MD5_VID(STRONGSWAN_2_2_0, "strongSwan 2.2.0")
+
+		/* NAT-Traversal */
+
+		DEC_MD5_VID(NATT_STENBERG_01, "draft-stenberg-ipsec-nat-traversal-01")
+		DEC_MD5_VID(NATT_STENBERG_02, "draft-stenberg-ipsec-nat-traversal-02")
+		DEC_MD5_VID(NATT_HUTTUNEN, "ESPThruNAT")
+		DEC_MD5_VID(NATT_HUTTUNEN_ESPINUDP, "draft-huttunen-ipsec-esp-in-udp-00.txt")
+		DEC_MD5_VID(NATT_IETF_00, "draft-ietf-ipsec-nat-t-ike-00")
+		DEC_MD5_VID(NATT_IETF_02, "draft-ietf-ipsec-nat-t-ike-02")
+		/* hash in draft-ietf-ipsec-nat-t-ike-02 contains '\n'... Accept both */
+		DEC_MD5_VID_D(NATT_IETF_02_N, "draft-ietf-ipsec-nat-t-ike-02\n", "draft-ietf-ipsec-nat-t-ike-02_n")
+		DEC_MD5_VID(NATT_IETF_03, "draft-ietf-ipsec-nat-t-ike-03")
+		DEC_MD5_VID(NATT_RFC, "RFC 3947")
+
+		/* misc */
+		
+		{ VID_MISC_XAUTH, VID_KEEP, NULL, "XAUTH",
+			{ "\x09\x00\x26\x89\xdf\xd6\xb7\x12", 8 } },
+
+		{ VID_MISC_DPD, VID_KEEP, NULL, "Dead Peer Detection",
+			{ "\xaf\xca\xd7\x13\x68\xa1\xf1\xc9\x6b\x86\x96\xfc\x77\x57\x01\x00", 16 } },
+
+		DEC_MD5_VID(MISC_FRAGMENTATION, "FRAGMENTATION")
+		
+		DEC_MD5_VID(INITIAL_CONTACT, "Vid-Initial-Contact")
+
+		/**
+		 * Cisco VPN 3000
+		 */
+		{ VID_MISC_FRAGMENTATION, VID_MD5HASH | VID_SUBSTRING_DUMPHEXA,
+			"FRAGMENTATION", NULL, { NULL, 0 } },
+
+		/* -- */
+		{ 0, 0, NULL, NULL, { NULL, 0 } }
 
 };
 
@@ -321,239 +316,211 @@ static const char _hexdig[] = "0123456789abcdef";
 
 static int _vid_struct_init = 0;
 
-void
-init_vendorid(void)
+void init_vendorid(void)
 {
-    struct vid_struct *vid;
-    MD5_CTX ctx;
-    int i;
+	hasher_t *hasher = lib->crypto->create_hasher(lib->crypto, HASH_MD5);
+	struct vid_struct *vid;
 
-    for (vid = _vid_tab; vid->id; vid++)
-    {
-	if (vid->flags & VID_STRING)
-	{
-	    /** VendorID is a string **/
-	    vid->vid = strdup(vid->data);
-	    vid->vid_len = strlen(vid->data);
-	}
-	else if (vid->flags & VID_MD5HASH)
+	for (vid = _vid_tab; vid->id; vid++)
 	{
-	    /** VendorID is a string to hash with MD5 **/
-	    char *vidm =  malloc(MD5_DIGEST_SIZE);
-
-	    vid->vid = vidm;
-	    if (vidm)
-	    {
-		MD5Init(&ctx);
-		MD5Update(&ctx, (const u_char *)vid->data, strlen(vid->data));
-		MD5Final(vidm, &ctx);
-		vid->vid_len = MD5_DIGEST_SIZE;
-	    }
-	}
-	else if (vid->flags & VID_FSWAN_HASH)
-	{
-	    /** FreeS/WAN 2.00+ specific hash **/
-#define FSWAN_VID_SIZE 12
-	    unsigned char hash[MD5_DIGEST_SIZE];
-	    char *vidm =  malloc(FSWAN_VID_SIZE);
-
-	    vid->vid = vidm;
-	    if (vidm)
-	    {
-		MD5Init(&ctx);
-		MD5Update(&ctx, (const u_char *)vid->data, strlen(vid->data));
-		MD5Final(hash, &ctx);
-		vidm[0] = 'O';
-		vidm[1] = 'E';
-#if FSWAN_VID_SIZE - 2 <= MD5_DIGEST_SIZE
-		memcpy(vidm + 2, hash, FSWAN_VID_SIZE - 2);
-#else
-		memcpy(vidm + 2, hash, MD5_DIGEST_SIZE);
-		memset(vidm + 2 + MD5_DIGEST_SIZE, '\0',
-			FSWAN_VID_SIZE - 2 - MD5_DIGEST_SIZE);
-#endif
-		for (i = 2; i < FSWAN_VID_SIZE; i++)
+		if (vid->flags & VID_STRING)
+		{
+			/** VendorID is a string **/
+			vid->vid = chunk_create((u_char *)vid->data, strlen(vid->data));
+			vid->vid = chunk_clone(vid->vid);
+		}
+		else if (vid->flags & VID_MD5HASH)
+		{
+			chunk_t vid_data = { (u_char *)vid->data, strlen(vid->data) };
+			
+			/** VendorID is a string to hash with MD5 **/
+		 	hasher->allocate_hash(hasher, vid_data, &vid->vid);
+		}
+
+		if (vid->descr == NULL)
 		{
-		    vidm[i] &= 0x7f;
-		    vidm[i] |= 0x40;
+			/** Find something to display **/
+			vid->descr = vid->data;
 		}
-		vid->vid_len = FSWAN_VID_SIZE;
-	    }
 	}
+	hasher->destroy(hasher);
+	_vid_struct_init = 1;
+}
+
+void free_vendorid(void)
+{
+	struct vid_struct *vid;
 
-	if (vid->descr == NULL)
+	for (vid = _vid_tab; vid->id; vid++)
 	{
-	    /** Find something to display **/
-	    vid->descr = vid->data;
+		if (vid->flags & (VID_STRING | VID_MD5HASH | VID_FSWAN_HASH))
+		{
+			free(vid->vid.ptr);
+		}
 	}
-    }
-    _vid_struct_init = 1;
 }
 
-static void
-handle_known_vendorid (struct msg_digest *md
-, const char *vidstr, size_t len, struct vid_struct *vid)
+static void handle_known_vendorid (struct msg_digest *md, const char *vidstr,
+								   size_t len, struct vid_struct *vid)
 {
-    char vid_dump[128];
-    bool vid_useful = FALSE;
-    size_t i, j;
-
-    switch (vid->id) {
-    /* Remote side supports OpenPGP certificates */
-    case VID_OPENPGP:
-	md->openpgp = TRUE;
-	vid_useful = TRUE;
-	break;
-
-    /*
-     * Use most recent supported NAT-Traversal method and ignore the
-     * other ones (implementations will send all supported methods but
-     * only one will be used)
-     *
-     * Note: most recent == higher id in vendor.h
-     */
-    case VID_NATT_IETF_00:
-	if (!nat_traversal_support_non_ike)
-	    break;
-	if ((nat_traversal_enabled) && (!md->nat_traversal_vid))
-	{
-	    md->nat_traversal_vid = vid->id;
-	    vid_useful = TRUE;
+	char vid_dump[128];
+	bool vid_useful = FALSE;
+	size_t i, j;
+
+	switch (vid->id) {
+	/* Remote side supports OpenPGP certificates */
+	case VID_OPENPGP:
+		md->openpgp = TRUE;
+		vid_useful = TRUE;
+		break;
+
+	/*
+	 * Use most recent supported NAT-Traversal method and ignore the
+	 * other ones (implementations will send all supported methods but
+	 * only one will be used)
+	 *
+	 * Note: most recent == higher id in vendor.h
+	 */
+	case VID_NATT_IETF_00:
+		if (!nat_traversal_support_non_ike)
+			break;
+		if ((nat_traversal_enabled) && (!md->nat_traversal_vid))
+		{
+			md->nat_traversal_vid = vid->id;
+			vid_useful = TRUE;
+		}
+		break;
+	case VID_NATT_IETF_02:
+	case VID_NATT_IETF_02_N:
+	case VID_NATT_IETF_03:
+	case VID_NATT_RFC:
+		if (nat_traversal_support_port_floating
+		&& md->nat_traversal_vid < vid->id)
+		{
+			md->nat_traversal_vid = vid->id;
+			vid_useful = TRUE;
+		}
+		break;
+
+	/* Remote side would like to do DPD with us on this connection */
+	case VID_MISC_DPD:
+		md->dpd = TRUE;
+		vid_useful = TRUE;
+		break;
+	case VID_MISC_XAUTH:
+		vid_useful = TRUE;
+		break;
+	default:
+		break;
 	}
-	break;
-    case VID_NATT_IETF_02:
-    case VID_NATT_IETF_02_N:
-    case VID_NATT_IETF_03:
-    case VID_NATT_RFC:
-	if (nat_traversal_support_port_floating
-	&& md->nat_traversal_vid < vid->id)
+
+	if (vid->flags & VID_SUBSTRING_DUMPHEXA)
 	{
-	    md->nat_traversal_vid = vid->id;
-	    vid_useful = TRUE;
+		/* Dump description + Hexa */
+		memset(vid_dump, 0, sizeof(vid_dump));
+		snprintf(vid_dump, sizeof(vid_dump), "%s ",
+				 vid->descr ? vid->descr : "");
+		for (i = strlen(vid_dump), j = vid->vid.len;
+			 j < len && i < sizeof(vid_dump) - 2;
+			 i += 2, j++)
+		{
+			vid_dump[i] = _hexdig[(vidstr[j] >> 4) & 0xF];
+			vid_dump[i+1] = _hexdig[vidstr[j] & 0xF];
+		}
 	}
-	break;
-
-    /* Remote side would like to do DPD with us on this connection */
-    case VID_MISC_DPD:
-	md->dpd = TRUE;
-	vid_useful = TRUE;
-	break;
-    case VID_MISC_XAUTH:
-	vid_useful = TRUE;
-	break;
-    default:
-	break;
-    }
-
-    if (vid->flags & VID_SUBSTRING_DUMPHEXA)
-    {
-	/* Dump description + Hexa */
-	memset(vid_dump, 0, sizeof(vid_dump));
-	snprintf(vid_dump, sizeof(vid_dump), "%s ",
-		 vid->descr ? vid->descr : "");
-	for (i = strlen(vid_dump), j = vid->vid_len;
-	     j < len && i < sizeof(vid_dump) - 2;
-	     i += 2, j++)
+	else if (vid->flags & VID_SUBSTRING_DUMPASCII)
 	{
-	    vid_dump[i] = _hexdig[(vidstr[j] >> 4) & 0xF];
-	    vid_dump[i+1] = _hexdig[vidstr[j] & 0xF];
+		/* Dump ASCII content */
+		memset(vid_dump, 0, sizeof(vid_dump));
+		for (i = 0; i < len && i < sizeof(vid_dump) - 1; i++)
+		{
+			vid_dump[i] = (isprint(vidstr[i])) ? vidstr[i] : '.';
+		}
 	}
-    }
-    else if (vid->flags & VID_SUBSTRING_DUMPASCII)
-    {
-	/* Dump ASCII content */
-	memset(vid_dump, 0, sizeof(vid_dump));
-	for (i = 0; i < len && i < sizeof(vid_dump) - 1; i++)
+	else
 	{
-	    vid_dump[i] = (isprint(vidstr[i])) ? vidstr[i] : '.';
+		/* Dump description (descr) */
+		snprintf(vid_dump, sizeof(vid_dump), "%s",
+				 vid->descr ? vid->descr : "");
 	}
-    }
-    else
-    {
-	/* Dump description (descr) */
-	snprintf(vid_dump, sizeof(vid_dump), "%s",
-		 vid->descr ? vid->descr : "");
-    }
-
-    loglog(RC_LOG_SERIOUS, "%s Vendor ID payload [%s]",
-	    vid_useful ? "received" : "ignoring", vid_dump);
+
+	loglog(RC_LOG_SERIOUS, "%s Vendor ID payload [%s]",
+			vid_useful ? "received" : "ignoring", vid_dump);
 }
 
-void
-handle_vendorid (struct msg_digest *md, const char *vid, size_t len)
+void handle_vendorid (struct msg_digest *md, const char *vid, size_t len)
 {
-    struct vid_struct *pvid;
+	struct vid_struct *pvid;
 
-    if (!_vid_struct_init)
-	init_vendorid();
+	if (!_vid_struct_init)
+		init_vendorid();
 
-    /*
-     * Find known VendorID in _vid_tab
-     */
-    for (pvid = _vid_tab; pvid->id; pvid++)
-    {
-	if (pvid->vid && vid && pvid->vid_len && len)
+	/*
+	 * Find known VendorID in _vid_tab
+	 */
+	for (pvid = _vid_tab; pvid->id; pvid++)
 	{
-	    if (pvid->vid_len == len)
-	    {
-		if (memcmp(pvid->vid, vid, len) == 0)
+		if (pvid->vid.ptr && vid && pvid->vid.len && len)
 		{
-		    handle_known_vendorid(md, vid, len, pvid);
-		    return;
+			if (pvid->vid.len == len)
+			{
+				if (memeq(pvid->vid.ptr, vid, len))
+				{
+					handle_known_vendorid(md, vid, len, pvid);
+					return;
+				}
+			}
+			else if ((pvid->vid.len < len) && (pvid->flags & VID_SUBSTRING))
+			{
+				if (memeq(pvid->vid.ptr, vid, pvid->vid.len))
+				{
+					handle_known_vendorid(md, vid, len, pvid);
+					return;
+				}
+			}
 		}
-	    }
-	    else if ((pvid->vid_len < len) && (pvid->flags & VID_SUBSTRING))
-	    {
-		if (memcmp(pvid->vid, vid, pvid->vid_len) == 0)
-		{
-		    handle_known_vendorid(md, vid, len, pvid);
-		    return;
-		}
-	    }
 	}
-    }
 
-    /*
-     * Unknown VendorID. Log the beginning.
-     */
-    {
-	char log_vid[2*MAX_LOG_VID_LEN+1];
-	size_t i;
+	/*
+	 * Unknown VendorID. Log the beginning.
+	 */
+	{
+		char log_vid[2*MAX_LOG_VID_LEN+1];
+		size_t i;
 
-	memset(log_vid, 0, sizeof(log_vid));
+		memset(log_vid, 0, sizeof(log_vid));
 
-	for (i = 0; i < len && i < MAX_LOG_VID_LEN; i++)
-	{
-	    log_vid[2*i] = _hexdig[(vid[i] >> 4) & 0xF];
-	    log_vid[2*i+1] = _hexdig[vid[i] & 0xF];
+		for (i = 0; i < len && i < MAX_LOG_VID_LEN; i++)
+		{
+			log_vid[2*i] = _hexdig[(vid[i] >> 4) & 0xF];
+			log_vid[2*i+1] = _hexdig[vid[i] & 0xF];
+		}
+		loglog(RC_LOG_SERIOUS, "ignoring Vendor ID payload [%s%s]",
+			   log_vid, (len>MAX_LOG_VID_LEN) ? "..." : "");
 	}
-	loglog(RC_LOG_SERIOUS, "ignoring Vendor ID payload [%s%s]",
-	       log_vid, (len>MAX_LOG_VID_LEN) ? "..." : "");
-    }
 }
 
 /**
  * Add a vendor id payload to the msg
  */
-bool
-out_vendorid (u_int8_t np, pb_stream *outs, enum known_vendorid vid)
+bool out_vendorid (u_int8_t np, pb_stream *outs, enum known_vendorid vid)
 {
-    struct vid_struct *pvid;
+	struct vid_struct *pvid;
 
-    if (!_vid_struct_init)
-	init_vendorid();
+	if (!_vid_struct_init)
+		init_vendorid();
 
-    for (pvid = _vid_tab; pvid->id && pvid->id != vid; pvid++);
+	for (pvid = _vid_tab; pvid->id && pvid->id != vid; pvid++);
 
-    if (pvid->id != vid)
-	return STF_INTERNAL_ERROR; /* not found */
-    if (!pvid->vid)
-	return STF_INTERNAL_ERROR; /* not initialized */
+	if (pvid->id != vid)
+		return STF_INTERNAL_ERROR; /* not found */
+	if (!pvid->vid.ptr)
+		return STF_INTERNAL_ERROR; /* not initialized */
 
-    DBG(DBG_EMITTING,
-	DBG_log("out_vendorid(): sending [%s]", pvid->descr)
-    )
-    return out_generic_raw(np, &isakmp_vendor_id_desc, outs,
-		pvid->vid, pvid->vid_len, "V_ID");
+	DBG(DBG_EMITTING,
+		DBG_log("out_vendorid(): sending [%s]", pvid->descr)
+	)
+	return out_generic_raw(np, &isakmp_vendor_id_desc, outs,
+				pvid->vid.ptr, pvid->vid.len, "V_ID");
 }
 
diff --git a/src/pluto/vendor.h b/src/pluto/vendor.h
index 2c8c24b34..164c1aa6d 100644
--- a/src/pluto/vendor.h
+++ b/src/pluto/vendor.h
@@ -10,8 +10,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: vendor.h 5052 2009-03-30 03:47:14Z andreas $
  */
 
 #ifndef _VENDOR_H_
@@ -19,140 +17,144 @@
 
 enum known_vendorid {
 /* 1 - 100 : Implementation names */
-  VID_OPENPGP			=  1,
-  VID_KAME_RACOON		=  2,
-  VID_MS_NT5			=  3,
-  VID_SSH_SENTINEL		=  4,
-  VID_SSH_SENTINEL_1_1		=  5,
-  VID_SSH_SENTINEL_1_2		=  6,
-  VID_SSH_SENTINEL_1_3		=  7,
-  VID_SSH_SENTINEL_1_4		=  8,
-  VID_SSH_SENTINEL_1_4_1	=  9,
-  VID_SSH_IPSEC_1_1_0		= 10,
-  VID_SSH_IPSEC_1_1_1		= 11,
-  VID_SSH_IPSEC_1_1_2		= 12,
-  VID_SSH_IPSEC_1_2_1		= 13,
-  VID_SSH_IPSEC_1_2_2		= 14,
-  VID_SSH_IPSEC_2_0_0		= 15,
-  VID_SSH_IPSEC_2_1_0		= 16,
-  VID_SSH_IPSEC_2_1_1		= 17,
-  VID_SSH_IPSEC_2_1_2		= 18,
-  VID_SSH_IPSEC_3_0_0		= 19,
-  VID_SSH_IPSEC_3_0_1		= 20,
-  VID_SSH_IPSEC_4_0_0		= 21,
-  VID_SSH_IPSEC_4_0_1		= 22,
-  VID_SSH_IPSEC_4_1_0		= 23,
-  VID_SSH_IPSEC_4_2_0		= 24,
-  VID_CISCO_UNITY		= 25,
-  VID_CISCO3K			= 26,
-  VID_CISCO_IOS			= 27,
-  VID_TIMESTEP			= 28,
-  VID_SAFENET			= 29,
-  VID_MACOSX			= 30,
-  VID_OPENSWAN2			= 31,
-  VID_NCP_SERVER		= 32,
-  VID_NCP_CLIENT		= 33,
-  VID_VISTA_AUTHIP		= 34,
-  VID_VISTA_AUTHIP2		= 35,
-  VID_VISTA_AUTHIP3		= 36,
+  VID_OPENPGP                   =  1,
+  VID_KAME_RACOON               =  2,
+  VID_MS_NT5                    =  3,
+  VID_SSH_SENTINEL              =  4,
+  VID_SSH_SENTINEL_1_1          =  5,
+  VID_SSH_SENTINEL_1_2          =  6,
+  VID_SSH_SENTINEL_1_3          =  7,
+  VID_SSH_SENTINEL_1_4          =  8,
+  VID_SSH_SENTINEL_1_4_1        =  9,
+  VID_SSH_IPSEC_1_1_0           = 10,
+  VID_SSH_IPSEC_1_1_1           = 11,
+  VID_SSH_IPSEC_1_1_2           = 12,
+  VID_SSH_IPSEC_1_2_1           = 13,
+  VID_SSH_IPSEC_1_2_2           = 14,
+  VID_SSH_IPSEC_2_0_0           = 15,
+  VID_SSH_IPSEC_2_1_0           = 16,
+  VID_SSH_IPSEC_2_1_1           = 17,
+  VID_SSH_IPSEC_2_1_2           = 18,
+  VID_SSH_IPSEC_3_0_0           = 19,
+  VID_SSH_IPSEC_3_0_1           = 20,
+  VID_SSH_IPSEC_4_0_0           = 21,
+  VID_SSH_IPSEC_4_0_1           = 22,
+  VID_SSH_IPSEC_4_1_0           = 23,
+  VID_SSH_IPSEC_4_2_0           = 24,
+  VID_CISCO_UNITY               = 25,
+  VID_CISCO3K                   = 26,
+  VID_CISCO_IOS                 = 27,
+  VID_TIMESTEP                  = 28,
+  VID_SAFENET                   = 29,
+  VID_MACOSX                    = 30,
+  VID_NCP_SERVER                = 31,
+  VID_NCP_CLIENT                = 32,
+  VID_VISTA_AUTHIP              = 33,
+  VID_VISTA_AUTHIP2             = 34,
+  VID_VISTA_AUTHIP3             = 35,
 
-  VID_STRONGSWAN		= 37,
-  VID_STRONGSWAN_2_2_0		= 38,
-  VID_STRONGSWAN_2_2_1		= 39,
-  VID_STRONGSWAN_2_2_2		= 40,
-  VID_STRONGSWAN_2_3_0		= 41,
-  VID_STRONGSWAN_2_3_1		= 42,
-  VID_STRONGSWAN_2_3_2		= 43,
-  VID_STRONGSWAN_2_4_0		= 44,
-  VID_STRONGSWAN_2_4_1		= 45,
-  VID_STRONGSWAN_2_4_2		= 46,
-  VID_STRONGSWAN_2_4_3		= 47,
-  VID_STRONGSWAN_2_4_4		= 48,
-  VID_STRONGSWAN_2_5_0		= 49,
-  VID_STRONGSWAN_2_5_1		= 50,
-  VID_STRONGSWAN_2_5_2		= 51,
-  VID_STRONGSWAN_2_5_3		= 52,
-  VID_STRONGSWAN_2_5_4		= 53,
-  VID_STRONGSWAN_2_5_5		= 54,
-  VID_STRONGSWAN_2_5_6		= 55,
-  VID_STRONGSWAN_2_5_7		= 56,
-  VID_STRONGSWAN_2_6_0		= 57,
-  VID_STRONGSWAN_2_6_1		= 58,
-  VID_STRONGSWAN_2_6_2		= 59,
-  VID_STRONGSWAN_2_6_3		= 60,
-  VID_STRONGSWAN_2_6_4		= 61,
-  VID_STRONGSWAN_2_7_0		= 62,
-  VID_STRONGSWAN_2_7_1		= 63,
-  VID_STRONGSWAN_2_7_2		= 64,
-  VID_STRONGSWAN_2_7_3		= 65,
-  VID_STRONGSWAN_2_8_0		= 66,
-  VID_STRONGSWAN_2_8_1		= 67,
-  VID_STRONGSWAN_2_8_2		= 68,
-  VID_STRONGSWAN_2_8_3		= 69,
-  VID_STRONGSWAN_2_8_4		= 70,
-  VID_STRONGSWAN_2_8_5		= 71,
-  VID_STRONGSWAN_2_8_6		= 72,
-  VID_STRONGSWAN_2_8_7		= 73,
-  VID_STRONGSWAN_2_8_8		= 74,
-  VID_STRONGSWAN_2_8_9		= 75,
+  VID_STRONGSWAN                = 37,
+  VID_STRONGSWAN_2_2_0          = 38,
+  VID_STRONGSWAN_2_2_1          = 39,
+  VID_STRONGSWAN_2_2_2          = 40,
+  VID_STRONGSWAN_2_3_0          = 41,
+  VID_STRONGSWAN_2_3_1          = 42,
+  VID_STRONGSWAN_2_3_2          = 43,
+  VID_STRONGSWAN_2_4_0          = 44,
+  VID_STRONGSWAN_2_4_1          = 45,
+  VID_STRONGSWAN_2_4_2          = 46,
+  VID_STRONGSWAN_2_4_3          = 47,
+  VID_STRONGSWAN_2_4_4          = 48,
+  VID_STRONGSWAN_2_5_0          = 49,
+  VID_STRONGSWAN_2_5_1          = 50,
+  VID_STRONGSWAN_2_5_2          = 51,
+  VID_STRONGSWAN_2_5_3          = 52,
+  VID_STRONGSWAN_2_5_4          = 53,
+  VID_STRONGSWAN_2_5_5          = 54,
+  VID_STRONGSWAN_2_5_6          = 55,
+  VID_STRONGSWAN_2_5_7          = 56,
+  VID_STRONGSWAN_2_6_0          = 57,
+  VID_STRONGSWAN_2_6_1          = 58,
+  VID_STRONGSWAN_2_6_2          = 59,
+  VID_STRONGSWAN_2_6_3          = 60,
+  VID_STRONGSWAN_2_6_4          = 61,
+  VID_STRONGSWAN_2_7_0          = 62,
+  VID_STRONGSWAN_2_7_1          = 63,
+  VID_STRONGSWAN_2_7_2          = 64,
+  VID_STRONGSWAN_2_7_3          = 65,
+  VID_STRONGSWAN_2_8_0          = 66,
+  VID_STRONGSWAN_2_8_1          = 67,
+  VID_STRONGSWAN_2_8_2          = 68,
+  VID_STRONGSWAN_2_8_3          = 69,
+  VID_STRONGSWAN_2_8_4          = 70,
+  VID_STRONGSWAN_2_8_5          = 71,
+  VID_STRONGSWAN_2_8_6          = 72,
+  VID_STRONGSWAN_2_8_7          = 73,
+  VID_STRONGSWAN_2_8_8          = 74,
+  VID_STRONGSWAN_2_8_9          = 75,
 
-  VID_STRONGSWAN_4_0_0		= 80,
-  VID_STRONGSWAN_4_0_1		= 81,
-  VID_STRONGSWAN_4_0_2		= 82,
-  VID_STRONGSWAN_4_0_3		= 83,
-  VID_STRONGSWAN_4_0_4		= 84,
-  VID_STRONGSWAN_4_0_5		= 85,
-  VID_STRONGSWAN_4_0_6		= 86,
-  VID_STRONGSWAN_4_0_7		= 87,
-  VID_STRONGSWAN_4_1_0		= 88,
-  VID_STRONGSWAN_4_1_1		= 89,
-  VID_STRONGSWAN_4_1_2		= 90,
-  VID_STRONGSWAN_4_1_3		= 91,
-  VID_STRONGSWAN_4_1_4		= 92,
-  VID_STRONGSWAN_4_1_5		= 93,
-  VID_STRONGSWAN_4_1_6		= 94,
-  VID_STRONGSWAN_4_1_7		= 95,
-  VID_STRONGSWAN_4_1_8		= 96,
-  VID_STRONGSWAN_4_1_9		= 97,
-  VID_STRONGSWAN_4_1_10		= 98,
-  VID_STRONGSWAN_4_1_11		= 99,
+  VID_STRONGSWAN_4_0_0          = 80,
+  VID_STRONGSWAN_4_0_1          = 81,
+  VID_STRONGSWAN_4_0_2          = 82,
+  VID_STRONGSWAN_4_0_3          = 83,
+  VID_STRONGSWAN_4_0_4          = 84,
+  VID_STRONGSWAN_4_0_5          = 85,
+  VID_STRONGSWAN_4_0_6          = 86,
+  VID_STRONGSWAN_4_0_7          = 87,
+  VID_STRONGSWAN_4_1_0          = 88,
+  VID_STRONGSWAN_4_1_1          = 89,
+  VID_STRONGSWAN_4_1_2          = 90,
+  VID_STRONGSWAN_4_1_3          = 91,
+  VID_STRONGSWAN_4_1_4          = 92,
+  VID_STRONGSWAN_4_1_5          = 93,
+  VID_STRONGSWAN_4_1_6          = 94,
+  VID_STRONGSWAN_4_1_7          = 95,
+  VID_STRONGSWAN_4_1_8          = 96,
+  VID_STRONGSWAN_4_1_9          = 97,
+  VID_STRONGSWAN_4_1_10         = 98,
+  VID_STRONGSWAN_4_1_11         = 99,
 
-  VID_STRONGSWAN_4_2_0		=100,
-  VID_STRONGSWAN_4_2_1		=101,
-  VID_STRONGSWAN_4_2_2		=102,
-  VID_STRONGSWAN_4_2_3		=103,
-  VID_STRONGSWAN_4_2_4		=104,
-  VID_STRONGSWAN_4_2_5		=105,
-  VID_STRONGSWAN_4_2_6		=106,
-  VID_STRONGSWAN_4_2_7		=107,
-  VID_STRONGSWAN_4_2_8		=108,
-  VID_STRONGSWAN_4_2_9		=109,
-  VID_STRONGSWAN_4_2_10		=110,
-  VID_STRONGSWAN_4_2_11		=111,
-  VID_STRONGSWAN_4_2_12		=112,
-  VID_STRONGSWAN_4_2_13		=113,
+  VID_STRONGSWAN_4_2_0          =100,
+  VID_STRONGSWAN_4_2_1          =101,
+  VID_STRONGSWAN_4_2_2          =102,
+  VID_STRONGSWAN_4_2_3          =103,
+  VID_STRONGSWAN_4_2_4          =104,
+  VID_STRONGSWAN_4_2_5          =105,
+  VID_STRONGSWAN_4_2_6          =106,
+  VID_STRONGSWAN_4_2_7          =107,
+  VID_STRONGSWAN_4_2_8          =108,
+  VID_STRONGSWAN_4_2_9          =109,
+  VID_STRONGSWAN_4_2_10         =110,
+  VID_STRONGSWAN_4_2_11         =111,
+  VID_STRONGSWAN_4_2_12         =112,
+  VID_STRONGSWAN_4_2_13         =113,
+  VID_STRONGSWAN_4_2_14         =114,
+  VID_STRONGSWAN_4_2_15         =115,
+  VID_STRONGSWAN_4_3_0          =116,
+  VID_STRONGSWAN_4_3_1          =117,
 
   /* 101 - 200 : NAT-Traversal */
-  VID_NATT_STENBERG_01		=151,
-  VID_NATT_STENBERG_02		=152,
-  VID_NATT_HUTTUNEN		=153,
-  VID_NATT_HUTTUNEN_ESPINUDP	=154,
-  VID_NATT_IETF_00		=155,
-  VID_NATT_IETF_02_N		=156,
-  VID_NATT_IETF_02		=157,
-  VID_NATT_IETF_03		=158,
-  VID_NATT_RFC			=159,
+  VID_NATT_STENBERG_01          =151,
+  VID_NATT_STENBERG_02          =152,
+  VID_NATT_HUTTUNEN             =153,
+  VID_NATT_HUTTUNEN_ESPINUDP    =154,
+  VID_NATT_IETF_00              =155,
+  VID_NATT_IETF_02_N            =156,
+  VID_NATT_IETF_02              =157,
+  VID_NATT_IETF_03              =158,
+  VID_NATT_RFC                  =159,
 
   /* 201 - 300 : Misc */
-  VID_MISC_XAUTH		=201,
-  VID_MISC_DPD			=202,
-  VID_MISC_HEARTBEAT_NOTIFY	=203,
-  VID_MISC_FRAGMENTATION	=204,
-  VID_INITIAL_CONTACT		=205,
-  VID_CISCO3K_FRAGMENTATION	=206
+  VID_MISC_XAUTH                =201,
+  VID_MISC_DPD                  =202,
+  VID_MISC_HEARTBEAT_NOTIFY     =203,
+  VID_MISC_FRAGMENTATION        =204,
+  VID_INITIAL_CONTACT           =205,
+  VID_CISCO3K_FRAGMENTATION     =206
 };
 
 void init_vendorid(void);
+void free_vendorid(void);
 
 struct msg_digest;
 void handle_vendorid (struct msg_digest *md, const char *vid, size_t len);
diff --git a/src/pluto/virtual.c b/src/pluto/virtual.c
index 4a81ee283..2067bde01 100644
--- a/src/pluto/virtual.c
+++ b/src/pluto/virtual.c
@@ -10,8 +10,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: virtual.c 3252 2007-10-06 21:24:50Z andreas $
  */
 
 #include <freeswan.h>
@@ -35,9 +33,9 @@
 #define F_VIRTUAL_HOST        32
 
 struct virtual_t {
-    unsigned short flags;
-    unsigned short n_net;
-    ip_subnet net[0];
+	unsigned short flags;
+	unsigned short n_net;
+	ip_subnet net[0];
 };
 
 static ip_subnet *private_net_ok=NULL, *private_net_ko=NULL;
@@ -49,123 +47,119 @@ static unsigned short private_net_ok_len=0, private_net_ko_len=0;
  */
 static bool
 _read_subnet(const char *src, size_t len, ip_subnet *dst, ip_subnet *dstko,
-    bool *isok)
+	bool *isok)
 {
-    bool ok;
-    int af;
-
-    if ((len > 4) && (strncmp(src, "%v4:", 4)==0))
-    {
-	af = AF_INET;
-    }
-    else if ((len > 4) && (strncmp(src, "%v6:", 4)==0))
-    {
-	af = AF_INET6;
-    }
-    else
-    {
-	return FALSE;
-    }
+	bool ok;
+	int af;
+
+	if ((len > 4) && (strneq(src, "%v4:", 4)))
+	{
+		af = AF_INET;
+	}
+	else if ((len > 4) && (strneq(src, "%v6:", 4)))
+	{
+		af = AF_INET6;
+	}
+	else
+	{
+		return FALSE;
+	}
 
-    ok = (src[4] != '!');
-    src += ok ? 4 : 5;
-    len -= ok ? 4 : 5;
+	ok = (src[4] != '!');
+	src += ok ? 4 : 5;
+	len -= ok ? 4 : 5;
 
-    if (!len)
-	return FALSE;
-    if (!ok && !dstko)
-	return FALSE;
+	if (!len)
+		return FALSE;
+	if (!ok && !dstko)
+		return FALSE;
 
-    passert ( ((ok)?(dst):(dstko))!=NULL );
+	passert ( ((ok)?(dst):(dstko))!=NULL );
 
-    if (ttosubnet(src, len, af, ((ok)?(dst):(dstko))))
-    {
-	return FALSE;
-    }
-    if (isok)
-	*isok = ok;
-    return TRUE;
+	if (ttosubnet(src, len, af, ((ok)?(dst):(dstko))))
+	{
+		return FALSE;
+	}
+	if (isok)
+		*isok = ok;
+	return TRUE;
 }
 
 void
 init_virtual_ip(const char *private_list)
 {
-    const char *next, *str=private_list;
-    unsigned short ign = 0, i_ok, i_ko;
-    ip_subnet sub;
-    bool ok;
-
-    /** Count **/
-    private_net_ok_len=0;
-    private_net_ko_len=0;
-
-    while (str)
-    {
-	next = strchr(str,',');
-	if (!next)
-	    next = str + strlen(str);
-	if (_read_subnet(str, next-str, &sub, &sub, &ok))
-	    if (ok)
-		private_net_ok_len++;
-	    else
-		private_net_ko_len++;
-	else
-	    ign++;
-	str = *next ? next+1 : NULL;
-    }
-
-    if (!ign)
-    {
-	/** Allocate **/
-	if (private_net_ok_len)
-	{
-	    private_net_ok = (ip_subnet *)alloc_bytes(
-		(private_net_ok_len*sizeof(ip_subnet)),
-		"private_net_ok subnets");
-	}
-	if (private_net_ko_len)
-	{
-	    private_net_ko = (ip_subnet *)alloc_bytes(
-		(private_net_ko_len*sizeof(ip_subnet)),
-		"private_net_ko subnets");
-	}
-	if ((private_net_ok_len && !private_net_ok)
-	||  (private_net_ko_len && !private_net_ko))
-	{
-	    loglog(RC_LOG_SERIOUS,
-		"can't alloc in init_virtual_ip");
-	    pfreeany(private_net_ok);
-	    private_net_ok = NULL;
-	    pfreeany(private_net_ko);
-	    private_net_ko = NULL;
-	}
-	else
-	{
-	    /** Fill **/
-	    str = private_list;
-	    i_ok = 0;
-	    i_ko = 0;
+	const char *next, *str=private_list;
+	unsigned short ign = 0, i_ok, i_ko;
+	ip_subnet sub;
+	bool ok;
 
-	    while (str)
-	    {
+	/** Count **/
+	private_net_ok_len=0;
+	private_net_ko_len=0;
+
+	while (str)
+	{
 		next = strchr(str,',');
 		if (!next)
-		    next = str + strlen(str);
-		if (_read_subnet(str, next-str,
-		   &(private_net_ok[i_ok]), &(private_net_ko[i_ko]), &ok))
+			next = str + strlen(str);
+		if (_read_subnet(str, next-str, &sub, &sub, &ok))
+			if (ok)
+				private_net_ok_len++;
+			else
+				private_net_ko_len++;
+		else
+			ign++;
+		str = *next ? next+1 : NULL;
+	}
+
+	if (!ign)
+	{
+		/** Allocate **/
+		if (private_net_ok_len)
 		{
-		    if (ok)
-			i_ok++;
-		    else
-			i_ko++;
+			private_net_ok = (ip_subnet *)malloc(private_net_ok_len * sizeof(ip_subnet));
+		}
+		if (private_net_ko_len)
+		{
+			private_net_ko = (ip_subnet *)malloc(private_net_ko_len * sizeof(ip_subnet));
+		}
+		if ((private_net_ok_len && !private_net_ok)
+		||  (private_net_ko_len && !private_net_ko))
+		{
+			loglog(RC_LOG_SERIOUS,
+				"can't alloc in init_virtual_ip");
+			free(private_net_ok);
+			private_net_ok = NULL;
+			free(private_net_ko);
+			private_net_ko = NULL;
+		}
+		else
+		{
+			/** Fill **/
+			str = private_list;
+			i_ok = 0;
+			i_ko = 0;
+
+			while (str)
+			{
+				next = strchr(str,',');
+				if (!next)
+					next = str + strlen(str);
+				if (_read_subnet(str, next-str,
+				   &(private_net_ok[i_ok]), &(private_net_ko[i_ko]), &ok))
+				{
+					if (ok)
+						i_ok++;
+					else
+						i_ko++;
+				}
+				str = *next ? next+1 : NULL;
+			}
 		}
-		str = *next ? next+1 : NULL;
-	    }
 	}
-    }
-    else
-	loglog(RC_LOG_SERIOUS,
-	    "%d bad entries in virtual_private - none loaded", ign);
+	else
+		loglog(RC_LOG_SERIOUS,
+			"%d bad entries in virtual_private - none loaded", ign);
 }
 
 /**
@@ -188,147 +182,146 @@ init_virtual_ip(const char *private_list)
 struct virtual_t
 *create_virtual(const struct connection *c, const char *string)
 {
-    unsigned short flags=0, n_net=0, i;
-    const char *str = string, *next, *first_net=NULL;
-    ip_subnet sub;
-    struct virtual_t *v;
+	unsigned short flags=0, n_net=0, i;
+	const char *str = string, *next, *first_net=NULL;
+	ip_subnet sub;
+	struct virtual_t *v;
 
-    if (!string || string[0] == '\0')
-	return NULL;
+	if (!string || string[0] == '\0')
+		return NULL;
 
-    if (strlen(string) >= 6 && strncmp(string,"vhost:",6) == 0)
-    {
-	flags |= F_VIRTUAL_HOST;
-	str += 6;
-    }
-    else if (strlen(string) >= 5 && strncmp(string,"vnet:",5) == 0)
-	str += 5;
-    else
-	goto fail;
-
-    /**
-     * Parse string : fill flags & count subnets
-     */
-    while ((str) && (*str))
-    {
-	next = strchr(str,',');
-	if (!next) next = str + strlen(str);
-	if (next-str == 3 && strncmp(str, "%no", 3) == 0)
-	    flags |= F_VIRTUAL_NO;
-#if 0
-	else if (next-str == 4 && strncmp(str, "%ike", 4) == 0)
-	    flags |= F_VIRTUAL_IKE_CONFIG;
-	else if (next-str == 5 && strncmp(str, "%dhcp", 5) == 0)
-	    flags |= F_VIRTUAL_DHCP;
-#endif
-	else if (next-str == 5 && strncmp(str, "%priv", 5) == 0)
-	    flags |= F_VIRTUAL_PRIVATE;
-	else if (next-str == 4 && strncmp(str, "%all", 4) == 0)
-	    flags |= F_VIRTUAL_ALL;
-	else if (_read_subnet(str, next-str, &sub, NULL, NULL))
+	if (strlen(string) >= 6 && strneq(string,"vhost:",6))
 	{
-	    n_net++;
-	    if (!first_net)
-		first_net = str;
+		flags |= F_VIRTUAL_HOST;
+		str += 6;
 	}
+	else if (strlen(string) >= 5 && strneq(string,"vnet:",5))
+		str += 5;
 	else
-	    goto fail;
-	
-	str = *next ? next+1 : NULL;
-    }
-
-    v = (struct virtual_t *)alloc_bytes(
-	sizeof(struct virtual_t) + (n_net*sizeof(ip_subnet)),
-	"virtual description");
-    if (!v) goto fail;
-
-    v->flags = flags;
-    v->n_net = n_net;
-    if (n_net && first_net)
-    {
+		goto fail;
+
 	/**
-	 * Save subnets in newly allocated struct
+	 * Parse string : fill flags & count subnets
 	 */
-	for (str = first_net, i = 0; str && *str; )
+	while ((str) && (*str))
 	{
-	    next = strchr(str,',');
-	    if (!next) next = str + strlen(str);
-	    if (_read_subnet(str, next-str, &(v->net[i]), NULL, NULL))
-		i++;
-	    str = *next ? next+1 : NULL;
+		next = strchr(str,',');
+		if (!next) next = str + strlen(str);
+		if (next-str == 3 && strneq(str, "%no", 3))
+			flags |= F_VIRTUAL_NO;
+#if 0
+		else if (next-str == 4 && strneq(str, "%ike", 4))
+			flags |= F_VIRTUAL_IKE_CONFIG;
+		else if (next-str == 5 && strneq(str, "%dhcp", 5))
+			flags |= F_VIRTUAL_DHCP;
+#endif
+		else if (next-str == 5 && strneq(str, "%priv", 5))
+			flags |= F_VIRTUAL_PRIVATE;
+		else if (next-str == 4 && strneq(str, "%all", 4))
+			flags |= F_VIRTUAL_ALL;
+		else if (_read_subnet(str, next-str, &sub, NULL, NULL))
+		{
+			n_net++;
+			if (!first_net)
+				first_net = str;
+		}
+		else
+			goto fail;
+		
+		str = *next ? next+1 : NULL;
 	}
-    }
 
-    return v;
+	v = (struct virtual_t *)malloc(sizeof(struct virtual_t) +
+								  (n_net * sizeof(ip_subnet)));
+	if (!v) goto fail;
+
+	v->flags = flags;
+	v->n_net = n_net;
+	if (n_net && first_net)
+	{
+		/**
+		 * Save subnets in newly allocated struct
+		 */
+		for (str = first_net, i = 0; str && *str; )
+		{
+			next = strchr(str,',');
+			if (!next) next = str + strlen(str);
+			if (_read_subnet(str, next-str, &(v->net[i]), NULL, NULL))
+				i++;
+			str = *next ? next+1 : NULL;
+		}
+	}
+
+	return v;
 
 fail:
-    plog("invalid virtual string [%s] - "
-	"virtual selection disabled for connection '%s'", string, c->name);
-    return NULL;
+	plog("invalid virtual string [%s] - "
+		"virtual selection disabled for connection '%s'", string, c->name);
+	return NULL;
 }
 
 bool
 is_virtual_end(const struct end *that)
 {
-    return ((that->virt)?TRUE:FALSE);
+	return ((that->virt)?TRUE:FALSE);
 }
 
 bool
 is_virtual_connection(const struct connection *c)
 {
-    return ((c->spd.that.virt)?TRUE:FALSE);
+	return ((c->spd.that.virt)?TRUE:FALSE);
 }
 
 static bool
 net_in_list(const ip_subnet *peer_net, const ip_subnet *list,
-    unsigned short len)
+	unsigned short len)
 {
-    unsigned short i;
+	unsigned short i;
 
-    if (!list || !len)
-	return FALSE;
+	if (!list || !len)
+		return FALSE;
 
-    for (i = 0; i < len; i++)
-    {
-	if (subnetinsubnet(peer_net, &(list[i])))
-	    return TRUE;
-    }
-    return FALSE;
+	for (i = 0; i < len; i++)
+	{
+		if (subnetinsubnet(peer_net, &(list[i])))
+			return TRUE;
+	}
+	return FALSE;
 }
 
 bool
 is_virtual_net_allowed(const struct connection *c, const ip_subnet *peer_net,
-	const ip_address *his_addr)
+		const ip_address *his_addr)
 {
-    if (c->spd.that.virt == NULL)
-	return FALSE;
+	if (c->spd.that.virt == NULL)
+		return FALSE;
 
-    if ((c->spd.that.virt->flags & F_VIRTUAL_HOST)
-    &&  !subnetishost(peer_net))
-	return FALSE;
+	if ((c->spd.that.virt->flags & F_VIRTUAL_HOST)
+	&&  !subnetishost(peer_net))
+		return FALSE;
 
-    if ((c->spd.that.virt->flags & F_VIRTUAL_NO)
-    &&  subnetishost(peer_net) &&  addrinsubnet(his_addr, peer_net))
-	return TRUE;
+	if ((c->spd.that.virt->flags & F_VIRTUAL_NO)
+	&&  subnetishost(peer_net) &&  addrinsubnet(his_addr, peer_net))
+		return TRUE;
 
-    if ((c->spd.that.virt->flags & F_VIRTUAL_PRIVATE)
-    &&   net_in_list(peer_net, private_net_ok, private_net_ok_len)
-    &&  !net_in_list(peer_net, private_net_ko, private_net_ko_len))
-	return TRUE;
+	if ((c->spd.that.virt->flags & F_VIRTUAL_PRIVATE)
+	&&   net_in_list(peer_net, private_net_ok, private_net_ok_len)
+	&&  !net_in_list(peer_net, private_net_ko, private_net_ko_len))
+		return TRUE;
 
-    if (c->spd.that.virt->n_net
-    &&  net_in_list(peer_net, c->spd.that.virt->net, c->spd.that.virt->n_net))
-	return TRUE;
-    
-    if (c->spd.that.virt->flags & F_VIRTUAL_ALL)
-    {
-	/** %all must only be used for testing - log it **/
-	loglog(RC_LOG_SERIOUS, "Warning - "
-	    "v%s:%%all must only be used for testing",
-	    (c->spd.that.virt->flags & F_VIRTUAL_HOST) ? "host" : "net");
-	return TRUE;
-    }
+	if (c->spd.that.virt->n_net
+	&&  net_in_list(peer_net, c->spd.that.virt->net, c->spd.that.virt->n_net))
+		return TRUE;
+	
+	if (c->spd.that.virt->flags & F_VIRTUAL_ALL)
+	{
+		/** %all must only be used for testing - log it **/
+		loglog(RC_LOG_SERIOUS, "Warning - "
+			"v%s:%%all must only be used for testing",
+			(c->spd.that.virt->flags & F_VIRTUAL_HOST) ? "host" : "net");
+		return TRUE;
+	}
 
-    return FALSE;
+	return FALSE;
 }
 
diff --git a/src/pluto/virtual.h b/src/pluto/virtual.h
index 9fe9bdd8d..e64407c81 100644
--- a/src/pluto/virtual.h
+++ b/src/pluto/virtual.h
@@ -10,8 +10,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: virtual.h 3252 2007-10-06 21:24:50Z andreas $
  */
 
 #ifndef _VIRTUAL_IP_H
@@ -20,12 +18,12 @@
 extern void init_virtual_ip(const char *private_list);
 
 extern struct virtual_t *create_virtual(const struct connection *c,
-    const char *string);
+	const char *string);
 
 extern bool is_virtual_end(const struct end *that);
 extern bool is_virtual_connection(const struct connection *c);
 extern bool is_virtual_net_allowed(const struct connection *c,
-    const ip_subnet *peer_net, const ip_address *his_addr);
+	const ip_subnet *peer_net, const ip_address *his_addr);
 
 #endif /* _VIRTUAL_IP_H */
 
diff --git a/src/pluto/x509.c b/src/pluto/x509.c
index c61de6edc..0953f18f5 100644
--- a/src/pluto/x509.c
+++ b/src/pluto/x509.c
@@ -2,7 +2,7 @@
  * Copyright (C) 2000 Andreas Hess, Patric Lichtsteiner, Roger Wegmann
  * Copyright (C) 2001 Marco Bertossa, Andreas Schleiss
  * Copyright (C) 2002 Mario Strasser
- * Copyright (C) 2000-2004 Andreas Steffen, Zuercher Hochschule Winterthur
+ * Copyright (C) 2000-2009 Andreas Steffen - Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -13,8 +13,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: x509.c 3252 2007-10-06 21:24:50Z andreas $
  */
 
 #include <stdlib.h>
@@ -26,16 +24,16 @@
 #include <sys/types.h>
 
 #include <freeswan.h>
-#include <ipsec_policy.h>
+
+#include <asn1/asn1.h>
+#include <asn1/asn1_parser.h>
+#include <asn1/oid.h>
+#include <crypto/hashers/hasher.h>
 
 #include "constants.h"
 #include "defs.h"
-#include "mp_defs.h"
 #include "log.h"
 #include "id.h"
-#include "asn1.h"
-#include <asn1/oid.h>
-#include "pkcs1.h"
 #include "x509.h"
 #include "crl.h"
 #include "ca.h"
@@ -44,298 +42,243 @@
 #include "whack.h"
 #include "fetch.h"
 #include "ocsp.h"
-#include "sha1.h"
-
-/* chained lists of X.509 end certificates */
 
+/**
+ * Chained lists of X.509 end certificates
+ */
 static x509cert_t *x509certs     = NULL;
 
-/* ASN.1 definition of a basicConstraints extension */
-
+/**
+ * ASN.1 definition of a basicConstraints extension 
+ */
 static const asn1Object_t basicConstraintsObjects[] = {
-  { 0, "basicConstraints",		ASN1_SEQUENCE,     ASN1_NONE }, /*  0 */
-  { 1,   "CA",				ASN1_BOOLEAN,      ASN1_DEF |
-							   ASN1_BODY }, /*  1 */
-  { 1,   "pathLenConstraint",		ASN1_INTEGER,      ASN1_OPT |
-							   ASN1_BODY }, /*  2 */
-  { 1,   "end opt",			ASN1_EOC,          ASN1_END  }  /*  3 */
+	{ 0, "basicConstraints",	ASN1_SEQUENCE, ASN1_NONE          }, /*  0 */
+	{ 1,   "CA",				ASN1_BOOLEAN,  ASN1_DEF|ASN1_BODY }, /*  1 */
+	{ 1,   "pathLenConstraint",	ASN1_INTEGER,  ASN1_OPT|ASN1_BODY }, /*  2 */
+	{ 1,   "end opt",			ASN1_EOC,      ASN1_END           }, /*  3 */
+	{ 0, "exit",				ASN1_EOC,      ASN1_EXIT          }
 };
-
 #define BASIC_CONSTRAINTS_CA	1
-#define BASIC_CONSTRAINTS_ROOF	4
-
-/* ASN.1 definition of time */
-
-static const asn1Object_t timeObjects[] = {
-  { 0,   "utcTime",			ASN1_UTCTIME,         ASN1_OPT |
-							      ASN1_BODY }, /*  0 */
-  { 0,   "end opt",			ASN1_EOC,             ASN1_END  }, /*  1 */
-  { 0,   "generalizeTime",		ASN1_GENERALIZEDTIME, ASN1_OPT |
-							      ASN1_BODY }, /*  2 */
-  { 0,   "end opt",			ASN1_EOC,             ASN1_END  }  /*  3 */
-};
-
-#define TIME_UTC		0
-#define TIME_GENERALIZED	2
-#define TIME_ROOF		4
-
-/* ASN.1 definition of a keyIdentifier */
-
-static const asn1Object_t keyIdentifierObjects[] = {
-  { 0,   "keyIdentifier",		ASN1_OCTET_STRING, ASN1_BODY }  /*  0 */
-};
 
-/* ASN.1 definition of a authorityKeyIdentifier extension */
-
-static const asn1Object_t authorityKeyIdentifierObjects[] = {
-  { 0,   "authorityKeyIdentifier",	ASN1_SEQUENCE,     ASN1_NONE }, /*  0 */
-  { 1,     "keyIdentifier",		ASN1_CONTEXT_S_0,  ASN1_OPT |
-							   ASN1_OBJ  }, /*  1 */
-  { 1,     "end opt",			ASN1_EOC,          ASN1_END  }, /*  2 */
-  { 1,     "authorityCertIssuer",	ASN1_CONTEXT_C_1,  ASN1_OPT |
-							   ASN1_OBJ  }, /*  3 */
-  { 1,     "end opt",			ASN1_EOC,          ASN1_END  }, /*  4 */
-  { 1,     "authorityCertSerialNumber",	ASN1_CONTEXT_S_2,  ASN1_OPT |
-							   ASN1_BODY }, /*  5 */
-  { 1,     "end opt",			ASN1_EOC,          ASN1_END  }  /*  6 */
+/**
+ * ASN.1 definition of a authorityKeyIdentifier extension 
+ */
+static const asn1Object_t authKeyIdentifierObjects[] = {
+	{ 0, "authorityKeyIdentifier",		ASN1_SEQUENCE,	  ASN1_NONE          }, /* 0 */
+	{ 1,   "keyIdentifier",				ASN1_CONTEXT_S_0, ASN1_OPT|ASN1_BODY }, /* 1 */
+	{ 1,   "end opt",					ASN1_EOC,		  ASN1_END           }, /* 2 */
+	{ 1,   "authorityCertIssuer",		ASN1_CONTEXT_C_1, ASN1_OPT|ASN1_OBJ  }, /* 3 */
+	{ 1,   "end opt",					ASN1_EOC,		  ASN1_END           }, /* 4 */
+	{ 1,   "authorityCertSerialNumber",	ASN1_CONTEXT_S_2, ASN1_OPT|ASN1_BODY }, /* 5 */
+	{ 1,   "end opt",					ASN1_EOC,		  ASN1_END           }, /* 6 */
+	{ 0, "exit",						ASN1_EOC,		  ASN1_EXIT          }
 };
-
-#define AUTH_KEY_ID_KEY_ID		1
+#define AUTH_KEY_ID_KEY_ID			1
 #define AUTH_KEY_ID_CERT_ISSUER		3
 #define AUTH_KEY_ID_CERT_SERIAL		5
-#define AUTH_KEY_ID_ROOF		7
 
-/* ASN.1 definition of a authorityInfoAccess extension */
-
-static const asn1Object_t authorityInfoAccessObjects[] = {
-  { 0,   "authorityInfoAccess",         ASN1_SEQUENCE,     ASN1_LOOP }, /*  0 */
-  { 1,     "accessDescription",         ASN1_SEQUENCE,     ASN1_NONE }, /*  1 */
-  { 2,       "accessMethod",            ASN1_OID,          ASN1_BODY }, /*  2 */
-  { 2,       "accessLocation",          ASN1_EOC,          ASN1_RAW  }, /*  3 */
-  { 0,   "end loop",                    ASN1_EOC,          ASN1_END  }  /*  4 */
+/**
+ * ASN.1 definition of a authorityInfoAccess extension 
+ */
+static const asn1Object_t authInfoAccessObjects[] = {
+	{ 0, "authorityInfoAccess",	ASN1_SEQUENCE,	ASN1_LOOP }, /* 0 */
+	{ 1,   "accessDescription",	ASN1_SEQUENCE,	ASN1_NONE }, /* 1 */
+	{ 2,     "accessMethod",	ASN1_OID,		ASN1_BODY }, /* 2 */
+	{ 2,     "accessLocation",	ASN1_EOC,		ASN1_RAW  }, /* 3 */
+	{ 0, "end loop",			ASN1_EOC,		ASN1_END  }, /* 4 */
+	{ 0, "exit",				ASN1_EOC,		ASN1_EXIT }
 };
-
 #define AUTH_INFO_ACCESS_METHOD		2
 #define AUTH_INFO_ACCESS_LOCATION	3
-#define AUTH_INFO_ACCESS_ROOF		5
-
-/* ASN.1 definition of a extendedKeyUsage extension */
 
+/**
+ * ASN.1 definition of a extendedKeyUsage extension
+ */
 static const asn1Object_t extendedKeyUsageObjects[] = {
-  { 0, "extendedKeyUsage",		ASN1_SEQUENCE,     ASN1_LOOP }, /*  0 */
-  { 1,   "keyPurposeID",		ASN1_OID,     	   ASN1_BODY }, /*  1 */
-  { 0, "end loop",			ASN1_EOC,	   ASN1_END  }, /*  2 */
+	{ 0, "extendedKeyUsage",	ASN1_SEQUENCE,	ASN1_LOOP }, /* 0 */
+	{ 1,   "keyPurposeID",		ASN1_OID,		ASN1_BODY }, /* 1 */
+	{ 0, "end loop",			ASN1_EOC,		ASN1_END  }, /* 2 */
+	{ 0, "exit",				ASN1_EOC,		ASN1_EXIT }
 };
-
 #define EXT_KEY_USAGE_PURPOSE_ID	1
-#define EXT_KEY_USAGE_ROOF		3
-
-/* ASN.1 definition of generalNames */
 
+/**
+ * ASN.1 definition of generalNames 
+ */
 static const asn1Object_t generalNamesObjects[] = {
-  { 0, "generalNames",			ASN1_SEQUENCE,     ASN1_LOOP }, /*  0 */
-  { 1,   "generalName",			ASN1_EOC,          ASN1_RAW  }, /*  1 */
-  { 0, "end loop",			ASN1_EOC,          ASN1_END  }  /*  2 */
+	{ 0, "generalNames",	ASN1_SEQUENCE,	ASN1_LOOP }, /* 0 */
+	{ 1,   "generalName",	ASN1_EOC,		ASN1_RAW  }, /* 1 */
+	{ 0, "end loop",		ASN1_EOC,		ASN1_END  }, /* 2 */
+	{ 0, "exit",			ASN1_EOC,		ASN1_EXIT }
 };
-
 #define GENERAL_NAMES_GN	1
-#define GENERAL_NAMES_ROOF	3
-
-/* ASN.1 definition of generalName */
 
+/**
+ * ASN.1 definition of generalName 
+ */
 static const asn1Object_t generalNameObjects[] = {
-  { 0,   "otherName",			ASN1_CONTEXT_C_0,  ASN1_OPT |
-							   ASN1_BODY }, /*  0 */
-  { 0,   "end choice",			ASN1_EOC,          ASN1_END  }, /*  1 */
-  { 0,   "rfc822Name",			ASN1_CONTEXT_S_1,  ASN1_OPT |
-							   ASN1_BODY }, /*  2 */
-  { 0,   "end choice",			ASN1_EOC,          ASN1_END  }, /*  3 */
-  { 0,   "dnsName",			ASN1_CONTEXT_S_2,  ASN1_OPT |
-							   ASN1_BODY }, /*  4 */
-  { 0,   "end choice",			ASN1_EOC,          ASN1_END  }, /*  5 */
-  { 0,   "x400Address",			ASN1_CONTEXT_S_3,  ASN1_OPT |
-							   ASN1_BODY }, /*  6 */
-  { 0,   "end choice",			ASN1_EOC,          ASN1_END  }, /*  7 */
-  { 0,   "directoryName",		ASN1_CONTEXT_C_4,  ASN1_OPT |
-							   ASN1_BODY }, /*  8 */
-  { 0,   "end choice",			ASN1_EOC,          ASN1_END  }, /*  9 */
-  { 0,   "ediPartyName",		ASN1_CONTEXT_C_5,  ASN1_OPT |
-							   ASN1_BODY }, /* 10 */
-  { 0,   "end choice",			ASN1_EOC,          ASN1_END  }, /* 11 */
-  { 0,   "uniformResourceIdentifier",	ASN1_CONTEXT_S_6,  ASN1_OPT |
-							   ASN1_BODY }, /* 12 */
-  { 0,   "end choice",			ASN1_EOC,          ASN1_END  }, /* 13 */
-  { 0,   "ipAddress",			ASN1_CONTEXT_S_7,  ASN1_OPT |
-							   ASN1_BODY }, /* 14 */
-  { 0,   "end choice",			ASN1_EOC,          ASN1_END  }, /* 15 */
-  { 0,   "registeredID",		ASN1_CONTEXT_S_8,  ASN1_OPT |
-							   ASN1_BODY }, /* 16 */
-  { 0,   "end choice",			ASN1_EOC,          ASN1_END  }  /* 17 */
+	{ 0, "otherName",		ASN1_CONTEXT_C_0,  ASN1_OPT|ASN1_BODY	}, /*  0 */
+	{ 0, "end choice",		ASN1_EOC,          ASN1_END				}, /*  1 */
+	{ 0, "rfc822Name",		ASN1_CONTEXT_S_1,  ASN1_OPT|ASN1_BODY	}, /*  2 */
+	{ 0, "end choice",		ASN1_EOC,          ASN1_END 			}, /*  3 */
+	{ 0, "dnsName",			ASN1_CONTEXT_S_2,  ASN1_OPT|ASN1_BODY	}, /*  4 */
+	{ 0, "end choice",		ASN1_EOC,          ASN1_END				}, /*  5 */
+	{ 0, "x400Address",		ASN1_CONTEXT_S_3,  ASN1_OPT|ASN1_BODY	}, /*  6 */
+	{ 0, "end choice",		ASN1_EOC,          ASN1_END				}, /*  7 */
+	{ 0, "directoryName",	ASN1_CONTEXT_C_4,  ASN1_OPT|ASN1_BODY	}, /*  8 */
+	{ 0, "end choice",		ASN1_EOC,          ASN1_END				}, /*  9 */
+	{ 0, "ediPartyName",	ASN1_CONTEXT_C_5,  ASN1_OPT|ASN1_BODY	}, /* 10 */
+	{ 0, "end choice",		ASN1_EOC,          ASN1_END				}, /* 11 */
+	{ 0, "URI",				ASN1_CONTEXT_S_6,  ASN1_OPT|ASN1_BODY	}, /* 12 */
+	{ 0, "end choice",		ASN1_EOC,          ASN1_END				}, /* 13 */
+	{ 0, "ipAddress",		ASN1_CONTEXT_S_7,  ASN1_OPT|ASN1_BODY	}, /* 14 */
+	{ 0, "end choice",		ASN1_EOC,          ASN1_END				}, /* 15 */
+	{ 0, "registeredID",	ASN1_CONTEXT_S_8,  ASN1_OPT|ASN1_BODY	}, /* 16 */
+	{ 0, "end choice",		ASN1_EOC,          ASN1_END				}, /* 17 */
+	{ 0, "exit",			ASN1_EOC,          ASN1_EXIT			}
 };
-
-#define GN_OBJ_OTHER_NAME	 0
-#define GN_OBJ_RFC822_NAME	 2
-#define GN_OBJ_DNS_NAME		 4
-#define GN_OBJ_X400_ADDRESS	 6
+#define GN_OBJ_OTHER_NAME	 	 0
+#define GN_OBJ_RFC822_NAME	 	 2
+#define GN_OBJ_DNS_NAME		 	 4
+#define GN_OBJ_X400_ADDRESS	 	 6
 #define GN_OBJ_DIRECTORY_NAME	 8
 #define GN_OBJ_EDI_PARTY_NAME	10
-#define GN_OBJ_URI		12
-#define GN_OBJ_IP_ADDRESS	14
+#define GN_OBJ_URI				12
+#define GN_OBJ_IP_ADDRESS		14
 #define GN_OBJ_REGISTERED_ID	16
-#define GN_OBJ_ROOF		18
-
-/* ASN.1 definition of otherName */
 
+/**
+ * ASN.1 definition of otherName 
+ */
 static const asn1Object_t otherNameObjects[] = {
-  {0, "type-id",			ASN1_OID,          ASN1_BODY }, /*  0 */
-  {0, "value",				ASN1_CONTEXT_C_0,  ASN1_BODY }  /*  1 */
+	{0, "type-id",	ASN1_OID,			ASN1_BODY	}, /* 0 */
+	{0, "value",	ASN1_CONTEXT_C_0,	ASN1_BODY	}, /* 1 */
+	{0, "exit",		ASN1_EOC,			ASN1_EXIT	}
 };
-
 #define ON_OBJ_ID_TYPE		0
 #define ON_OBJ_VALUE		1
-#define ON_OBJ_ROOF		2
-
-/* ASN.1 definition of crlDistributionPoints */
 
+/**
+ * ASN.1 definition of crlDistributionPoints
+ */
 static const asn1Object_t crlDistributionPointsObjects[] = {
-  { 0, "crlDistributionPoints",		ASN1_SEQUENCE,     ASN1_LOOP }, /*  0 */
-  { 1,   "DistributionPoint",		ASN1_SEQUENCE,     ASN1_NONE }, /*  1 */
-  { 2,     "distributionPoint",		ASN1_CONTEXT_C_0,  ASN1_OPT |
-							   ASN1_LOOP }, /*  2 */
-  { 3,       "fullName",		ASN1_CONTEXT_C_0,  ASN1_OPT |
-							   ASN1_OBJ  }, /*  3 */
-  { 3,       "end choice",		ASN1_EOC,          ASN1_END  }, /*  4 */
-  { 3,       "nameRelativeToCRLIssuer",	ASN1_CONTEXT_C_1,  ASN1_OPT |
-							   ASN1_BODY }, /*  5 */
-  { 3,       "end choice",		ASN1_EOC,          ASN1_END  }, /*  6 */
-  { 2,     "end opt",			ASN1_EOC,          ASN1_END  }, /*  7 */
-  { 2,     "reasons",			ASN1_CONTEXT_C_1,  ASN1_OPT |
-							   ASN1_BODY }, /*  8 */
-  { 2,     "end opt",			ASN1_EOC,          ASN1_END  }, /*  9 */
-  { 2,     "crlIssuer",			ASN1_CONTEXT_C_2,  ASN1_OPT |
-							   ASN1_BODY }, /* 10 */
-  { 2,     "end opt",			ASN1_EOC,          ASN1_END  }, /* 11 */
-  { 0, "end loop",			ASN1_EOC,          ASN1_END  }, /* 12 */
+	{ 0, "crlDistributionPoints",	ASN1_SEQUENCE,		ASN1_LOOP			}, /*  0 */
+	{ 1,   "DistributionPoint",		ASN1_SEQUENCE,		ASN1_NONE			}, /*  1 */
+	{ 2,     "distributionPoint",	ASN1_CONTEXT_C_0,	ASN1_OPT|ASN1_LOOP	}, /*  2 */
+	{ 3,       "fullName",			ASN1_CONTEXT_C_0,	ASN1_OPT|ASN1_OBJ	}, /*  3 */
+	{ 3,       "end choice",		ASN1_EOC,			ASN1_END			}, /*  4 */
+	{ 3,       "nameRelToCRLIssuer",ASN1_CONTEXT_C_1,	ASN1_OPT|ASN1_BODY	}, /*  5 */
+	{ 3,       "end choice",		ASN1_EOC,			ASN1_END			}, /*  6 */
+	{ 2,     "end opt",				ASN1_EOC,			ASN1_END			}, /*  7 */
+	{ 2,     "reasons",				ASN1_CONTEXT_C_1,	ASN1_OPT|ASN1_BODY	}, /*  8 */
+	{ 2,     "end opt",				ASN1_EOC,			ASN1_END			}, /*  9 */
+	{ 2,     "crlIssuer",			ASN1_CONTEXT_C_2,	ASN1_OPT|ASN1_BODY	}, /* 10 */
+	{ 2,     "end opt",				ASN1_EOC,			ASN1_END			}, /* 11 */
+	{ 0, "end loop",				ASN1_EOC,			ASN1_END			}, /* 12 */
+	{ 0, "exit",					ASN1_EOC,			ASN1_EXIT			}
 };
-
 #define CRL_DIST_POINTS_FULLNAME	 3
-#define CRL_DIST_POINTS_ROOF		13
-
-/* ASN.1 definition of an X.509v3 certificate */
 
+/**
+ * ASN.1 definition of an X.509v3 x509_cert
+ */
 static const asn1Object_t certObjects[] = {
-  { 0, "certificate",			ASN1_SEQUENCE,     ASN1_OBJ  }, /*  0 */
-  { 1,   "tbsCertificate",		ASN1_SEQUENCE,     ASN1_OBJ  }, /*  1 */
-  { 2,     "DEFAULT v1",		ASN1_CONTEXT_C_0,  ASN1_DEF  }, /*  2 */
-  { 3,       "version",			ASN1_INTEGER,      ASN1_BODY }, /*  3 */
-  { 2,     "serialNumber",		ASN1_INTEGER,      ASN1_BODY }, /*  4 */
-  { 2,     "signature",			ASN1_EOC,          ASN1_RAW  }, /*  5 */
-  { 2,     "issuer",			ASN1_SEQUENCE,     ASN1_OBJ  }, /*  6 */
-  { 2,     "validity",			ASN1_SEQUENCE,     ASN1_NONE }, /*  7 */
-  { 3,       "notBefore",		ASN1_EOC,          ASN1_RAW  }, /*  8 */
-  { 3,       "notAfter",		ASN1_EOC,          ASN1_RAW  }, /*  9 */
-  { 2,     "subject",			ASN1_SEQUENCE,     ASN1_OBJ  }, /* 10 */
-  { 2,     "subjectPublicKeyInfo",	ASN1_SEQUENCE,     ASN1_NONE }, /* 11 */
-  { 3,       "algorithm",		ASN1_EOC,          ASN1_RAW  }, /* 12 */
-  { 3,       "subjectPublicKey",	ASN1_BIT_STRING,   ASN1_NONE }, /* 13 */
-  { 4,         "RSAPublicKey",		ASN1_SEQUENCE,     ASN1_OBJ  }, /* 14 */
-  { 5,           "modulus",		ASN1_INTEGER,      ASN1_BODY }, /* 15 */
-  { 5,           "publicExponent",	ASN1_INTEGER,      ASN1_BODY }, /* 16 */
-  { 2,     "issuerUniqueID",		ASN1_CONTEXT_C_1,  ASN1_OPT  }, /* 17 */
-  { 2,     "end opt",			ASN1_EOC,          ASN1_END  }, /* 18 */
-  { 2,     "subjectUniqueID",		ASN1_CONTEXT_C_2,  ASN1_OPT  }, /* 19 */
-  { 2,     "end opt",			ASN1_EOC,          ASN1_END  }, /* 20 */
-  { 2,     "optional extensions",	ASN1_CONTEXT_C_3,  ASN1_OPT  }, /* 21 */
-  { 3,       "extensions",		ASN1_SEQUENCE,     ASN1_LOOP }, /* 22 */
-  { 4,         "extension",		ASN1_SEQUENCE,     ASN1_NONE }, /* 23 */
-  { 5,           "extnID",		ASN1_OID,          ASN1_BODY }, /* 24 */
-  { 5,           "critical",		ASN1_BOOLEAN,      ASN1_DEF |
-							   ASN1_BODY }, /* 25 */
-  { 5,           "extnValue",		ASN1_OCTET_STRING, ASN1_BODY }, /* 26 */
-  { 3,       "end loop",		ASN1_EOC,          ASN1_END  }, /* 27 */
-  { 2,     "end opt",			ASN1_EOC,          ASN1_END  }, /* 28 */
-  { 1,   "signatureAlgorithm",		ASN1_EOC,          ASN1_RAW  }, /* 29 */
-  { 1,   "signatureValue",		ASN1_BIT_STRING,   ASN1_BODY }  /* 30 */
+	{ 0, "x509",					ASN1_SEQUENCE,     ASN1_OBJ           }, /*  0 */
+	{ 1,   "tbsCertificate",		ASN1_SEQUENCE,     ASN1_OBJ           }, /*  1 */
+	{ 2,     "DEFAULT v1",			ASN1_CONTEXT_C_0,  ASN1_DEF           }, /*  2 */
+	{ 3,       "version",			ASN1_INTEGER,      ASN1_BODY          }, /*  3 */
+	{ 2,     "serialNumber",		ASN1_INTEGER,      ASN1_BODY          }, /*  4 */
+	{ 2,     "signature",			ASN1_EOC,          ASN1_RAW           }, /*  5 */
+	{ 2,     "issuer",				ASN1_SEQUENCE,     ASN1_OBJ           }, /*  6 */
+	{ 2,     "validity",			ASN1_SEQUENCE,     ASN1_NONE          }, /*  7 */
+	{ 3,       "notBefore",			ASN1_EOC,          ASN1_RAW           }, /*  8 */
+	{ 3,       "notAfter",			ASN1_EOC,          ASN1_RAW           }, /*  9 */
+	{ 2,     "subject",				ASN1_SEQUENCE,     ASN1_OBJ           }, /* 10 */
+	{ 2,     "subjectPublicKeyInfo",ASN1_SEQUENCE,	   ASN1_RAW           }, /* 11 */
+	{ 2,     "issuerUniqueID",		ASN1_CONTEXT_C_1,  ASN1_OPT           }, /* 12 */
+	{ 2,     "end opt",				ASN1_EOC,          ASN1_END           }, /* 13 */
+	{ 2,     "subjectUniqueID",		ASN1_CONTEXT_C_2,  ASN1_OPT           }, /* 14 */
+	{ 2,     "end opt",				ASN1_EOC,          ASN1_END           }, /* 15 */
+	{ 2,     "optional extensions",	ASN1_CONTEXT_C_3,  ASN1_OPT           }, /* 16 */
+	{ 3,       "extensions",		ASN1_SEQUENCE,     ASN1_LOOP          }, /* 17 */
+	{ 4,         "extension",		ASN1_SEQUENCE,     ASN1_NONE          }, /* 18 */
+	{ 5,           "extnID",		ASN1_OID,          ASN1_BODY          }, /* 19 */
+	{ 5,           "critical",		ASN1_BOOLEAN,      ASN1_DEF|ASN1_BODY }, /* 20 */
+	{ 5,           "extnValue",		ASN1_OCTET_STRING, ASN1_BODY          }, /* 21 */
+	{ 3,       "end loop",			ASN1_EOC,          ASN1_END           }, /* 22 */
+	{ 2,     "end opt",				ASN1_EOC,          ASN1_END           }, /* 23 */
+	{ 1,   "signatureAlgorithm",	ASN1_EOC,          ASN1_RAW           }, /* 24 */
+	{ 1,   "signatureValue",		ASN1_BIT_STRING,   ASN1_BODY          }, /* 25 */
+	{ 0, "exit",					ASN1_EOC,          ASN1_EXIT          }
 };
-
-#define X509_OBJ_CERTIFICATE			 0
-#define X509_OBJ_TBS_CERTIFICATE		 1
-#define X509_OBJ_VERSION			 3
-#define X509_OBJ_SERIAL_NUMBER			 4
-#define X509_OBJ_SIG_ALG			 5
-#define X509_OBJ_ISSUER 			 6
-#define X509_OBJ_NOT_BEFORE			 8
-#define X509_OBJ_NOT_AFTER			 9
-#define X509_OBJ_SUBJECT			10
-#define X509_OBJ_SUBJECT_PUBLIC_KEY_ALGORITHM	12
-#define X509_OBJ_SUBJECT_PUBLIC_KEY		13
-#define X509_OBJ_RSA_PUBLIC_KEY			14
-#define X509_OBJ_MODULUS			15
-#define X509_OBJ_PUBLIC_EXPONENT		16
-#define X509_OBJ_EXTN_ID			24
-#define X509_OBJ_CRITICAL			25
-#define X509_OBJ_EXTN_VALUE			26
-#define X509_OBJ_ALGORITHM			29
-#define X509_OBJ_SIGNATURE			30
-#define X509_OBJ_ROOF				31
-
+#define X509_OBJ_CERTIFICATE                     0
+#define X509_OBJ_TBS_CERTIFICATE                 1
+#define X509_OBJ_VERSION                         3
+#define X509_OBJ_SERIAL_NUMBER                   4
+#define X509_OBJ_SIG_ALG                         5
+#define X509_OBJ_ISSUER                          6
+#define X509_OBJ_NOT_BEFORE                      8
+#define X509_OBJ_NOT_AFTER                       9
+#define X509_OBJ_SUBJECT                        10
+#define X509_OBJ_SUBJECT_PUBLIC_KEY_INFO        11
+#define X509_OBJ_EXTN_ID                        19
+#define X509_OBJ_CRITICAL                       20
+#define X509_OBJ_EXTN_VALUE                     21
+#define X509_OBJ_ALGORITHM                      24
+#define X509_OBJ_SIGNATURE                      25
 
 const x509cert_t empty_x509cert = {
-      NULL        , /* *next */
-    UNDEFINED_TIME, /* installed */
-            0     , /* count */
-      FALSE       , /* smartcard */
-     AUTH_NONE    , /* authority_flags */
-    { NULL, 0 }   , /* certificate */
-    { NULL, 0 }   , /*   tbsCertificate */
-            1	  , /*     version */
-    { NULL, 0 }   , /*     serialNumber */
-    OID_UNKNOWN   , /*     sigAlg */
-    { NULL, 0 }   , /*     issuer */
-                    /*     validity */
-            0     , /*       notBefore */
-            0     , /*       notAfter */
-    { NULL, 0 }   , /*     subject */
-                    /*     subjectPublicKeyInfo */
-    OID_UNKNOWN   , /*       subjectPublicKeyAlgorithm */
-    { NULL, 0 }   , /*       subjectPublicKey */
-    { NULL, 0 }   , /*         modulus */
-    { NULL, 0 }   , /*         publicExponent */
-                    /*     issuerUniqueID */
-                    /*     subjectUniqueID */
-                    /*     extensions */
-                    /*       extension */
-                    /*         extnID */
-                    /*         critical */
-                    /*         extnValue */
-      FALSE       , /*           isCA */
-      FALSE       , /*           isOcspSigner */
-    { NULL, 0 }   , /*           subjectKeyID */
-    { NULL, 0 }   , /*           authKeyID */
-    { NULL, 0 }   , /*           authKeySerialNumber */
-    { NULL, 0 }   , /*           accessLocation */
-      NULL        , /*           subjectAltName */
-      NULL        , /*           crlDistributionPoints */
-    OID_UNKNOWN   , /*   algorithm */
-    { NULL, 0 }     /*   signature */
+	  NULL        , /* *next */
+	UNDEFINED_TIME, /* installed */
+			0     , /* count */
+	  FALSE       , /* smartcard */
+	 AUTH_NONE    , /* authority_flags */
+	{ NULL, 0 }   , /* certificate */
+	{ NULL, 0 }   , /*   tbsCertificate */
+			1     , /*     version */
+	{ NULL, 0 }   , /*     serialNumber */
+	OID_UNKNOWN   , /*     sigAlg */
+	{ NULL, 0 }   , /*     issuer */
+					/*     validity */
+			0     , /*       notBefore */
+			0     , /*       notAfter */
+	{ NULL, 0 }   , /*     subject */
+	  NULL        , /*     public_key */
+					/*     issuerUniqueID */
+					/*     subjectUniqueID */
+					/*     extensions */
+					/*       extension */
+					/*         extnID */
+					/*         critical */
+					/*         extnValue */
+	  FALSE       , /*           isCA */
+	  FALSE       , /*           isOcspSigner */
+	{ NULL, 0 }   , /*           subjectKeyID */
+	{ NULL, 0 }   , /*           authKeyID */
+	{ NULL, 0 }   , /*           authKeySerialNumber */
+	{ NULL, 0 }   , /*           accessLocation */
+	  NULL        , /*           subjectAltName */
+	  NULL        , /*           crlDistributionPoints */
+	OID_UNKNOWN   , /*   algorithm */
+	{ NULL, 0 }     /*   signature */
 };
 
 /* coding of X.501 distinguished name */
 
 typedef struct {
-    const u_char *name;
-    chunk_t oid;
-    u_char type;
+	const u_char *name;
+	chunk_t oid;
+	u_char type;
 } x501rdn_t;
 
 /* X.501 acronyms for well known object identifiers (OIDs) */
 
 static u_char oid_ND[]  = {0x02, 0x82, 0x06, 0x01,
-			   0x0A, 0x07, 0x14};
+						   0x0A, 0x07, 0x14};
 static u_char oid_UID[] = {0x09, 0x92, 0x26, 0x89, 0x93,
-			   0xF2, 0x2C, 0x64, 0x01, 0x01};
+						   0xF2, 0x2C, 0x64, 0x01, 0x01};
 static u_char oid_DC[]  = {0x09, 0x92, 0x26, 0x89, 0x93,
-			   0xF2, 0x2C, 0x64, 0x01, 0x19};
+						   0xF2, 0x2C, 0x64, 0x01, 0x19};
 static u_char oid_CN[]  = {0x55, 0x04, 0x03};
 static u_char oid_S[]   = {0x55, 0x04, 0x04};
 static u_char oid_SN[]  = {0x55, 0x04, 0x05};
@@ -351,13 +294,13 @@ static u_char oid_G[]   = {0x55, 0x04, 0x2A};
 static u_char oid_I[]   = {0x55, 0x04, 0x2B};
 static u_char oid_ID[]  = {0x55, 0x04, 0x2D};
 static u_char oid_EN[]  = {0x60, 0x86, 0x48, 0x01, 0x86,
-			   0xF8, 0x42, 0x03, 0x01, 0x03};
+						   0xF8, 0x42, 0x03, 0x01, 0x03};
 static u_char oid_E[]   = {0x2A, 0x86, 0x48, 0x86, 0xF7,
-			   0x0D, 0x01, 0x09, 0x01};
+						   0x0D, 0x01, 0x09, 0x01};
 static u_char oid_UN[]  = {0x2A, 0x86, 0x48, 0x86, 0xF7,
-			   0x0D, 0x01, 0x09, 0x02};
+						   0x0D, 0x01, 0x09, 0x02};
 static u_char oid_TCGID[] = {0x2B, 0x06, 0x01, 0x04, 0x01, 0x89,
-			     0x31, 0x01, 0x01, 0x02, 0x02, 0x4B};
+							 0x31, 0x01, 0x01, 0x02, 0x02, 0x4B};
 
 static const x501rdn_t x501rdns[] = {
   {"ND"              , {oid_ND,     7}, ASN1_PRINTABLESTRING},
@@ -391,1850 +334,1804 @@ static const x501rdn_t x501rdns[] = {
 #define X501_RDN_ROOF   26
 
 static u_char ASN1_subjectAltName_oid_str[] = {
-    0x06, 0x03, 0x55, 0x1D, 0x11
+	0x06, 0x03, 0x55, 0x1D, 0x11
 };
 
-static const chunk_t ASN1_subjectAltName_oid = strchunk(ASN1_subjectAltName_oid_str);
+static const chunk_t ASN1_subjectAltName_oid = chunk_from_buf(ASN1_subjectAltName_oid_str);
 
-static void
-update_chunk(chunk_t *ch, int n)
+static void update_chunk(chunk_t *ch, int n)
 {
-    n = (n > -1 && n < (int)ch->len)? n : (int)ch->len-1;
-    ch->ptr += n; ch->len -= n;
+	n = (n > -1 && n < (int)ch->len)? n : (int)ch->len-1;
+	ch->ptr += n; ch->len -= n;
 }
 
 
-/*
+/**
  *  Pointer is set to the first RDN in a DN
  */
-static err_t
-init_rdn(chunk_t dn, chunk_t *rdn, chunk_t *attribute, bool *next)
+static err_t init_rdn(chunk_t dn, chunk_t *rdn, chunk_t *attribute, bool *next)
 {
-    *rdn = empty_chunk;
-    *attribute = empty_chunk;
+	*rdn = chunk_empty;
+	*attribute = chunk_empty;
 
-    /* a DN is a SEQUENCE OF RDNs */
+	/* a DN is a SEQUENCE OF RDNs */
 
-    if (*dn.ptr != ASN1_SEQUENCE)
-    {
-	return "DN is not a SEQUENCE";
-    }
-
-    rdn->len = asn1_length(&dn);
+	if (*dn.ptr != ASN1_SEQUENCE)
+	{
+		return "DN is not a SEQUENCE";
+	}
 
-    if (rdn->len == ASN1_INVALID_LENGTH)
-	return "Invalid RDN length";
+	rdn->len = asn1_length(&dn);
 
-    rdn->ptr = dn.ptr;
+	if (rdn->len == ASN1_INVALID_LENGTH)
+	{
+		return "Invalid RDN length";
+	}
+	rdn->ptr = dn.ptr;
 
-    /* are there any RDNs ? */
-    *next = rdn->len > 0;
+	/* are there any RDNs ? */
+	*next = rdn->len > 0;
 
-    return NULL;
+	return NULL;
 }
 
-/*
+/**
  *  Fetches the next RDN in a DN
  */
-static err_t
-get_next_rdn(chunk_t *rdn, chunk_t * attribute, chunk_t *oid, chunk_t *value
-, asn1_t *type, bool *next)
+static err_t get_next_rdn(chunk_t *rdn, chunk_t * attribute, chunk_t *oid,
+						  chunk_t *value, asn1_t *type, bool *next)
 {
-    chunk_t body;
+	chunk_t body;
 
-    /* initialize return values */
-    *oid   = empty_chunk;
-    *value = empty_chunk;
+	/* initialize return values */
+	*oid   = chunk_empty;
+	*value = chunk_empty;
 
-    /* if all attributes have been parsed, get next rdn */
-    if (attribute->len <= 0)
-    {
-	/* an RDN is a SET OF attributeTypeAndValue */
-	if (*rdn->ptr != ASN1_SET)
-	    return "RDN is not a SET";
-
-	attribute->len = asn1_length(rdn);
-	
-	if (attribute->len == ASN1_INVALID_LENGTH)
-	    return "Invalid attribute length";
-
-	attribute->ptr = rdn->ptr;
-
-	/* advance to start of next RDN */
-	rdn->ptr += attribute->len;
-	rdn->len -= attribute->len;
-    }
-
-    /* an attributeTypeAndValue is a SEQUENCE */
-    if (*attribute->ptr != ASN1_SEQUENCE)
- 	return "attributeTypeAndValue is not a SEQUENCE";
-
-    /* extract the attribute body */
-    body.len = asn1_length(attribute);
-    
-    if (body.len == ASN1_INVALID_LENGTH)
-	return "Invalid attribute body length";
+	/* if all attributes have been parsed, get next rdn */
+	if (attribute->len <= 0)
+	{
+		/* an RDN is a SET OF attributeTypeAndValue */
+		if (*rdn->ptr != ASN1_SET)
+		{
+			return "RDN is not a SET";
+		}
+		attribute->len = asn1_length(rdn);
+		
+		if (attribute->len == ASN1_INVALID_LENGTH)
+		{
+			return "Invalid attribute length";
+		}
+		attribute->ptr = rdn->ptr;
 
-    body.ptr = attribute->ptr;
-    
-    /* advance to start of next attribute */
-    attribute->ptr += body.len;
-    attribute->len -= body.len;
+		/* advance to start of next RDN */
+		rdn->ptr += attribute->len;
+		rdn->len -= attribute->len;
+	}
 
-    /* attribute type is an OID */
-    if (*body.ptr != ASN1_OID)
-	return "attributeType is not an OID";
+	/* an attributeTypeAndValue is a SEQUENCE */
+	if (*attribute->ptr != ASN1_SEQUENCE)
+	{
+		return "attributeTypeAndValue is not a SEQUENCE";
+	}
 
-    /* extract OID */
-    oid->len = asn1_length(&body);
-    
-    if (oid->len == ASN1_INVALID_LENGTH)
-	return "Invalid attribute OID length";
+	/* extract the attribute body */
+	body.len = asn1_length(attribute);
+	
+	if (body.len == ASN1_INVALID_LENGTH)
+	{
+		return "Invalid attribute body length";
+	}
+	body.ptr = attribute->ptr;
+	
+	/* advance to start of next attribute */
+	attribute->ptr += body.len;
+	attribute->len -= body.len;
 
-    oid->ptr = body.ptr;
+	/* attribute type is an OID */
+	if (*body.ptr != ASN1_OID)
+	{
+		return "attributeType is not an OID";
+	}
 
-    /* advance to the attribute value */
-    body.ptr += oid->len;
-    body.len -= oid->len;
+	/* extract OID */
+	oid->len = asn1_length(&body);
+	
+	if (oid->len == ASN1_INVALID_LENGTH)  
+	{
+		return "Invalid attribute OID length";
+	}
+	oid->ptr = body.ptr;
 
-    /* extract string type */
-    *type = *body.ptr;
+	/* advance to the attribute value */
+	body.ptr += oid->len;
+	body.len -= oid->len;
 
-    /* extract string value */
-    value->len = asn1_length(&body);
-    
-    if (value->len == ASN1_INVALID_LENGTH)
-	return "Invalid attribute string length";
+	/* extract string type */
+	*type = *body.ptr;
 
-    value->ptr = body.ptr;
+	/* extract string value */
+	value->len = asn1_length(&body);
+	
+	if (value->len == ASN1_INVALID_LENGTH)
+	{
+		return "Invalid attribute string length";
+	}
+	value->ptr = body.ptr;
 
-    /* are there any RDNs left? */
-    *next = rdn->len > 0 || attribute->len > 0;
+	/* are there any RDNs left? */
+	*next = rdn->len > 0 || attribute->len > 0;
 
-    return NULL;
+	return NULL;
 }
 
-/*
+/**
  *  Parses an ASN.1 distinguished name int its OID/value pairs
  */
-static err_t
-dn_parse(chunk_t dn, chunk_t *str)
+static err_t dn_parse(chunk_t dn, chunk_t *str)
 {
-    chunk_t rdn, oid, attribute, value;
-    asn1_t type;
-    int oid_code;
-    bool next;
-    bool first = TRUE;
+	chunk_t rdn, oid, attribute, value;
+	asn1_t type;
+	int oid_code;
+	bool next;
+	bool first = TRUE;
 
-    err_t ugh = init_rdn(dn, &rdn, &attribute, &next);
+	err_t ugh = init_rdn(dn, &rdn, &attribute, &next);
 
-    if (ugh != NULL) /* a parsing error has occured */
-        return ugh;
+	if (ugh != NULL) /* a parsing error has occured */
+	{
+		return ugh;
+	}
 
-    while (next)
-    {
-	ugh = get_next_rdn(&rdn, &attribute, &oid, &value, &type, &next);
+	while (next)
+	{
+		ugh = get_next_rdn(&rdn, &attribute, &oid, &value, &type, &next);
 
-	if (ugh != NULL) /* a parsing error has occured */
-	    return ugh;
+		if (ugh != NULL) /* a parsing error has occured */
+		{
+			return ugh;
+		}
 
-	if (first)		/* first OID/value pair */
-	    first = FALSE;
-	else			/* separate OID/value pair by a comma */
-	    update_chunk(str, snprintf(str->ptr,str->len,", "));
+		if (first)              /* first OID/value pair */
+		{
+			first = FALSE;
+		}
+		else                    /* separate OID/value pair by a comma */
+		{
+			update_chunk(str, snprintf(str->ptr,str->len,", "));
+		}
 
-	/* print OID */
-	oid_code = known_oid(oid);
-	if (oid_code == OID_UNKNOWN)	/* OID not found in list */
-	    hex_str(oid, str);
-	else
-	    update_chunk(str, snprintf(str->ptr,str->len,"%s",
-			      oid_names[oid_code].name));
+		/* print OID */
+		oid_code = asn1_known_oid(oid);
+		if (oid_code == OID_UNKNOWN)    /* OID not found in list */
+		{
+			hex_str(oid, str);
+		}
+		else
+		{
+			update_chunk(str, snprintf(str->ptr,str->len,"%s",
+							  oid_names[oid_code].name));
+		}
 
-	/* print value */
-	update_chunk(str, snprintf(str->ptr,str->len,"=%.*s",
-			      (int)value.len,value.ptr));
-    }
-    return NULL;
+		/* print value */
+		update_chunk(str, snprintf(str->ptr,str->len,"=%.*s",
+							  (int)value.len,value.ptr));
+	}
+	return NULL;
 }
 
-/*
+/**
  *  Count the number of wildcard RDNs in a distinguished name
  */
-int
-dn_count_wildcards(chunk_t dn)
+int dn_count_wildcards(chunk_t dn)
 {
-    chunk_t rdn, attribute, oid, value;
-    asn1_t type;
-    bool next;
-    int wildcards = 0;
+	chunk_t rdn, attribute, oid, value;
+	asn1_t type;
+	bool next;
+	int wildcards = 0;
 
-    err_t ugh = init_rdn(dn, &rdn, &attribute, &next);
+	err_t ugh = init_rdn(dn, &rdn, &attribute, &next);
 
-    if (ugh != NULL) /* a parsing error has occured */
-        return -1;
+	if (ugh != NULL) /* a parsing error has occured */
+	{
+		return -1;
+	}
 
-    while (next)
-    {
-	ugh = get_next_rdn(&rdn, &attribute, &oid, &value, &type, &next);
+	while (next)
+	{
+		ugh = get_next_rdn(&rdn, &attribute, &oid, &value, &type, &next);
 
-	if (ugh != NULL) /* a parsing error has occured */
-	    return -1;
-	if (value.len == 1 && *value.ptr == '*')
-	    wildcards++; /* we have found a wildcard RDN */
-    }
-    return wildcards;
+		if (ugh != NULL) /* a parsing error has occured */
+		{
+			return -1;
+		}
+		if (value.len == 1 && *value.ptr == '*')
+		{
+			wildcards++; /* we have found a wildcard RDN */
+		}
+	}
+	return wildcards;
 }
 
-/*
+/**
  * Prints a binary string in hexadecimal form
  */
-void
-hex_str(chunk_t bin, chunk_t *str)
+void hex_str(chunk_t bin, chunk_t *str)
 {
-    u_int i;
-    update_chunk(str, snprintf(str->ptr,str->len,"0x"));
-    for (i=0; i < bin.len; i++)
-	update_chunk(str, snprintf(str->ptr,str->len,"%02X",*bin.ptr++));
+	u_int i;
+	update_chunk(str, snprintf(str->ptr,str->len,"0x"));
+	for (i=0; i < bin.len; i++)
+		update_chunk(str, snprintf(str->ptr,str->len,"%02X",*bin.ptr++));
 }
 
 
-/*  Converts a binary DER-encoded ASN.1 distinguished name
+/** Converts a binary DER-encoded ASN.1 distinguished name
  *  into LDAP-style human-readable ASCII format
  */
-int
-dntoa(char *dst, size_t dstlen, chunk_t dn)
+int dntoa(char *dst, size_t dstlen, chunk_t dn)
 {
-    err_t ugh = NULL;
-    chunk_t str;
-
-    str.ptr = dst;
-    str.len = dstlen;
-    ugh = dn_parse(dn, &str);
+	err_t ugh = NULL;
+	chunk_t str;
 
-    if (ugh != NULL) /* error, print DN as hex string */
-    {
-	DBG(DBG_PARSING,
-	    DBG_log("error in DN parsing: %s", ugh)
-	)
 	str.ptr = dst;
 	str.len = dstlen;
-	hex_str(dn, &str);
-    }
-    return (int)(dstlen - str.len);
+	ugh = dn_parse(dn, &str);
+
+	if (ugh != NULL) /* error, print DN as hex string */
+	{
+		DBG(DBG_PARSING,
+			DBG_log("error in DN parsing: %s", ugh)
+		)
+		str.ptr = dst;
+		str.len = dstlen;
+		hex_str(dn, &str);
+	}
+	return (int)(dstlen - str.len);
 }
 
-/*
+/**
  * Same as dntoa but prints a special string for a null dn
  */
-int
-dntoa_or_null(char *dst, size_t dstlen, chunk_t dn, const char* null_dn)
+int dntoa_or_null(char *dst, size_t dstlen, chunk_t dn, const char* null_dn)
+{
+	if (dn.ptr == NULL)
+	{
+		return snprintf(dst, dstlen, "%s", null_dn);
+	}
+	else
+	{
+		return dntoa(dst, dstlen, dn);
+	}
+}
+
+
+/**
+ * Codes ASN.1 lengths up to a size of 16'777'215 bytes
+ */
+static void code_asn1_length(size_t length, chunk_t *code)
 {
-    if (dn.ptr == NULL)
-	return snprintf(dst, dstlen, "%s", null_dn);
+    if (length < 128)
+    {
+	code->ptr[0] = length;
+	code->len = 1;
+    }
+    else if (length < 256)
+    {
+	code->ptr[0] = 0x81;
+	code->ptr[1] = (u_char) length;
+	code->len = 2;
+    }
+    else if (length < 65536)
+    {
+	code->ptr[0] = 0x82;
+	code->ptr[1] = length >> 8;
+	code->ptr[2] = length & 0x00ff;
+	code->len = 3;
+    }
     else
-	return dntoa(dst, dstlen, dn);
+    {
+	code->ptr[0] = 0x83;
+	code->ptr[1] = length >> 16;
+	code->ptr[2] = (length >> 8) & 0x00ff;
+	code->ptr[3] = length & 0x0000ff;
+	code->len = 4;
+    }
 }
 
-/*  Converts an LDAP-style human-readable ASCII-encoded
+/**
+ *  Converts an LDAP-style human-readable ASCII-encoded
  *  ASN.1 distinguished name into binary DER-encoded format
  */
-err_t
-atodn(char *src, chunk_t *dn)
+err_t atodn(char *src, chunk_t *dn)
 {
   /* finite state machine for atodn */
 
-    typedef enum {
-	SEARCH_OID =	0,
-	READ_OID =	1,
-	SEARCH_NAME =	2,
-	READ_NAME =	3,
-        UNKNOWN_OID =	4
-    } state_t;
-
-    u_char oid_len_buf[3];
-    u_char name_len_buf[3];
-    u_char rdn_seq_len_buf[3];
-    u_char rdn_set_len_buf[3];
-    u_char dn_seq_len_buf[3];
-
-    chunk_t asn1_oid_len     = { oid_len_buf,     0 };
-    chunk_t asn1_name_len    = { name_len_buf,    0 };
-    chunk_t asn1_rdn_seq_len = { rdn_seq_len_buf, 0 };
-    chunk_t asn1_rdn_set_len = { rdn_set_len_buf, 0 };
-    chunk_t asn1_dn_seq_len  = { dn_seq_len_buf,  0 };
-    chunk_t oid  = empty_chunk;
-    chunk_t name = empty_chunk;
-
-    int whitespace  = 0;
-    int rdn_seq_len = 0;
-    int rdn_set_len = 0;
-    int dn_seq_len  = 0;
-    int pos         = 0;
-
-    err_t ugh = NULL;
-
-    u_char *dn_ptr = dn->ptr + 4;
-
-    state_t state = SEARCH_OID;
-
-    do
-    {
-        switch (state)
+	typedef enum {
+		SEARCH_OID =    0,
+		READ_OID =      1,
+		SEARCH_NAME =   2,
+		READ_NAME =     3,
+		UNKNOWN_OID =   4
+	} state_t;
+
+	u_char oid_len_buf[3];
+	u_char name_len_buf[3];
+	u_char rdn_seq_len_buf[3];
+	u_char rdn_set_len_buf[3];
+	u_char dn_seq_len_buf[3];
+
+	chunk_t asn1_oid_len     = { oid_len_buf,     0 };
+	chunk_t asn1_name_len    = { name_len_buf,    0 };
+	chunk_t asn1_rdn_seq_len = { rdn_seq_len_buf, 0 };
+	chunk_t asn1_rdn_set_len = { rdn_set_len_buf, 0 };
+	chunk_t asn1_dn_seq_len  = { dn_seq_len_buf,  0 };
+	chunk_t oid  = chunk_empty;
+	chunk_t name = chunk_empty;
+
+	int whitespace  = 0;
+	int rdn_seq_len = 0;
+	int rdn_set_len = 0;
+	int dn_seq_len  = 0;
+	int pos         = 0;
+
+	err_t ugh = NULL;
+
+	u_char *dn_ptr = dn->ptr + 4;
+
+	state_t state = SEARCH_OID;
+
+	do
 	{
-	case SEARCH_OID:
-	    if (*src != ' ' && *src != '/' && *src !=  ',')
-	    {
-		oid.ptr = src;
-		oid.len = 1;
-		state = READ_OID;
-	    }
-	    break;
-	case READ_OID:
-	    if (*src != ' ' && *src != '=')
-		oid.len++;
-	    else
-	    {
-		for (pos = 0; pos < X501_RDN_ROOF; pos++)
+		switch (state)
 		{
-		    if (strlen(x501rdns[pos].name) == oid.len &&
-			strncasecmp(x501rdns[pos].name, oid.ptr, oid.len) == 0)
-			break; /* found a valid OID */
-		}
-		if (pos == X501_RDN_ROOF)
-		{
-		    ugh = "unknown OID in distinguished name";
-		    state = UNKNOWN_OID;
-		    break;
+		case SEARCH_OID:
+			if (*src != ' ' && *src != '/' && *src !=  ',')
+			{
+				oid.ptr = src;
+				oid.len = 1;
+				state = READ_OID;
+			}
+			break;
+		case READ_OID:
+			if (*src != ' ' && *src != '=')
+			{
+				oid.len++;
+			}
+			else
+			{
+				for (pos = 0; pos < X501_RDN_ROOF; pos++)
+				{
+					if (strlen(x501rdns[pos].name) == oid.len &&
+						strncasecmp(x501rdns[pos].name, oid.ptr, oid.len) == 0)
+					{
+						break; /* found a valid OID */
+					}
+				}
+				if (pos == X501_RDN_ROOF)
+				{
+					ugh = "unknown OID in distinguished name";
+					state = UNKNOWN_OID;
+					break;
+				}
+				code_asn1_length(x501rdns[pos].oid.len, &asn1_oid_len);
+
+				/* reset oid and change state */
+				oid = chunk_empty;
+				state = SEARCH_NAME;
+			}
+			break;
+		case SEARCH_NAME:
+			if (*src != ' ' && *src != '=')
+			{
+				name.ptr = src;
+				name.len = 1;
+				whitespace = 0;
+				state = READ_NAME;
+			}
+			break;
+		case READ_NAME:
+			if (*src != ',' && *src != '/' && *src != '\0')
+			{
+				name.len++;
+				if (*src == ' ')
+				{
+					whitespace++;
+				}
+				else
+				{
+					whitespace = 0;
+				}
+			}
+			else
+			{
+				name.len -= whitespace;
+				code_asn1_length(name.len, &asn1_name_len);
+
+				/* compute the length of the relative distinguished name sequence */
+				rdn_seq_len = 1 + asn1_oid_len.len + x501rdns[pos].oid.len +
+							  1 + asn1_name_len.len + name.len;
+				code_asn1_length(rdn_seq_len, &asn1_rdn_seq_len);
+
+				/* compute the length of the relative distinguished name set */
+				rdn_set_len = 1 + asn1_rdn_seq_len.len + rdn_seq_len;
+				code_asn1_length(rdn_set_len, &asn1_rdn_set_len);
+
+				/* encode the relative distinguished name */
+				*dn_ptr++ = ASN1_SET;
+				chunkcpy(dn_ptr, asn1_rdn_set_len);
+				*dn_ptr++ = ASN1_SEQUENCE;
+				chunkcpy(dn_ptr, asn1_rdn_seq_len);
+				*dn_ptr++ = ASN1_OID;
+				chunkcpy(dn_ptr, asn1_oid_len);
+				chunkcpy(dn_ptr, x501rdns[pos].oid);
+				/* encode the ASN.1 character string type of the name */
+				*dn_ptr++ = (x501rdns[pos].type == ASN1_PRINTABLESTRING
+					&& !asn1_is_printablestring(name))? ASN1_T61STRING : x501rdns[pos].type;
+				chunkcpy(dn_ptr, asn1_name_len);
+				chunkcpy(dn_ptr, name);
+
+				/* accumulate the length of the distinguished name sequence */
+				dn_seq_len += 1 + asn1_rdn_set_len.len + rdn_set_len;
+
+				/* reset name and change state */
+				name = chunk_empty;
+				state = SEARCH_OID;
+			}
+			break;
+		case UNKNOWN_OID:
+			break;
 		}
-		code_asn1_length(x501rdns[pos].oid.len, &asn1_oid_len);
-
-		/* reset oid and change state */
-		oid = empty_chunk;
-		state = SEARCH_NAME;
-	    }
-	    break;
-	case SEARCH_NAME:
-	    if (*src != ' ' && *src != '=')
-	    {
-		name.ptr = src;
-		name.len = 1;
-		whitespace = 0;
-		state = READ_NAME;
-	    }
-	    break;
-	case READ_NAME:
-	    if (*src != ',' && *src != '/' && *src != '\0')
-	    {
-		name.len++;
-		if (*src == ' ')
-		    whitespace++;
-		else
-		    whitespace = 0;
-	    }
-	    else
-	    {
-		name.len -= whitespace;
-		code_asn1_length(name.len, &asn1_name_len);
-
-		/* compute the length of the relative distinguished name sequence */
-		rdn_seq_len = 1 + asn1_oid_len.len + x501rdns[pos].oid.len +
-			      1 + asn1_name_len.len + name.len;
-		code_asn1_length(rdn_seq_len, &asn1_rdn_seq_len);
-
-		/* compute the length of the relative distinguished name set */
-		rdn_set_len = 1 + asn1_rdn_seq_len.len + rdn_seq_len;
-		code_asn1_length(rdn_set_len, &asn1_rdn_set_len);
-
-		/* encode the relative distinguished name */
-		*dn_ptr++ = ASN1_SET;
-		chunkcpy(dn_ptr, asn1_rdn_set_len);
-		*dn_ptr++ = ASN1_SEQUENCE;
-		chunkcpy(dn_ptr, asn1_rdn_seq_len);
-		*dn_ptr++ = ASN1_OID;
-		chunkcpy(dn_ptr, asn1_oid_len);
-		chunkcpy(dn_ptr, x501rdns[pos].oid);
-		/* encode the ASN.1 character string type of the name */
-		*dn_ptr++ = (x501rdns[pos].type == ASN1_PRINTABLESTRING
-		    && !is_printablestring(name))? ASN1_T61STRING : x501rdns[pos].type;
-		chunkcpy(dn_ptr, asn1_name_len);
-		chunkcpy(dn_ptr, name);
-
-		/* accumulate the length of the distinguished name sequence */
-		dn_seq_len += 1 + asn1_rdn_set_len.len + rdn_set_len;
-
-		/* reset name and change state */
-		name = empty_chunk;
-		state = SEARCH_OID;
-	    }
-	    break;
-	case UNKNOWN_OID:
-	    break;
-	}
-    } while (*src++ != '\0');
-
-    /* complete the distinguished name sequence*/
-    code_asn1_length(dn_seq_len, &asn1_dn_seq_len);
-    dn->ptr += 3 - asn1_dn_seq_len.len;
-    dn->len =  1 + asn1_dn_seq_len.len + dn_seq_len;
-    dn_ptr = dn->ptr;
-    *dn_ptr++ = ASN1_SEQUENCE;
-    chunkcpy(dn_ptr, asn1_dn_seq_len);
-    return ugh;
+	} while (*src++ != '\0');
+
+	/* complete the distinguished name sequence*/
+	code_asn1_length(dn_seq_len, &asn1_dn_seq_len);
+	dn->ptr += 3 - asn1_dn_seq_len.len;
+	dn->len =  1 + asn1_dn_seq_len.len + dn_seq_len;
+	dn_ptr = dn->ptr;
+	*dn_ptr++ = ASN1_SEQUENCE;
+	chunkcpy(dn_ptr, asn1_dn_seq_len);
+	return ugh;
 }
 
-/*  compare two distinguished names by
- *  comparing the individual RDNs
+/**
+ * compare two distinguished names by comparing the individual RDNs
  */
-bool
-same_dn(chunk_t a, chunk_t b)
+bool same_dn(chunk_t a, chunk_t b)
 {
-    chunk_t rdn_a, rdn_b, attribute_a, attribute_b;
-    chunk_t oid_a, oid_b, value_a, value_b;
-    asn1_t type_a, type_b;
-    bool next_a, next_b;
+	chunk_t rdn_a, rdn_b, attribute_a, attribute_b;
+	chunk_t oid_a, oid_b, value_a, value_b;
+	asn1_t type_a, type_b;
+	bool next_a, next_b;
 
-    /* same lengths for the DNs */
-    if (a.len != b.len)
-	return FALSE;
+	/* same lengths for the DNs */
+	if (a.len != b.len)
+	{
+		return FALSE;
+	}
 
-    /* try a binary comparison first */
-    if (memcmp(a.ptr, b.ptr, b.len) == 0)
-	return TRUE;
- 
-    /* initialize DN parsing */
-    if (init_rdn(a, &rdn_a, &attribute_a, &next_a) != NULL
-    ||  init_rdn(b, &rdn_b, &attribute_b, &next_b) != NULL)
-	return FALSE;
+	/* try a binary comparison first */
+	if (memeq(a.ptr, b.ptr, b.len))
+	{
+		return TRUE;
+	}
 
-    /* fetch next RDN pair */
-    while (next_a && next_b)
-    {
-	/* parse next RDNs and check for errors */
-	if (get_next_rdn(&rdn_a, &attribute_a, &oid_a, &value_a, &type_a, &next_a) != NULL
-	||  get_next_rdn(&rdn_b, &attribute_b, &oid_b, &value_b, &type_b, &next_b) != NULL)
+	/* initialize DN parsing */
+	if (init_rdn(a, &rdn_a, &attribute_a, &next_a) != NULL
+	||  init_rdn(b, &rdn_b, &attribute_b, &next_b) != NULL)
 	{
-	    return FALSE;
+		return FALSE;
 	}
 
-	/* OIDs must agree */
-	if (oid_a.len != oid_b.len || memcmp(oid_a.ptr, oid_b.ptr, oid_b.len) != 0)
-	    return FALSE;
+	/* fetch next RDN pair */
+	while (next_a && next_b)
+	{
+		/* parse next RDNs and check for errors */
+		if (get_next_rdn(&rdn_a, &attribute_a, &oid_a, &value_a, &type_a, &next_a) != NULL
+		||  get_next_rdn(&rdn_b, &attribute_b, &oid_b, &value_b, &type_b, &next_b) != NULL)
+		{
+			return FALSE;
+		}
+
+		/* OIDs must agree */
+		if (oid_a.len != oid_b.len || memcmp(oid_a.ptr, oid_b.ptr, oid_b.len) != 0)
+		{
+			return FALSE;
+		}
 
-	/* same lengths for values */
-	if (value_a.len != value_b.len)
-	    return FALSE;
+		/* same lengths for values */
+		if (value_a.len != value_b.len)
+		{
+			return FALSE;
+		}
 
-	/* printableStrings and email RDNs require uppercase comparison */
-	if (type_a == type_b && (type_a == ASN1_PRINTABLESTRING ||
-	   (type_a == ASN1_IA5STRING && known_oid(oid_a) == OID_PKCS9_EMAIL)))
-	{
-	    if (strncasecmp(value_a.ptr, value_b.ptr, value_b.len) != 0)
-		return FALSE;
+		/* printableStrings and email RDNs require uppercase comparison */
+		if (type_a == type_b && (type_a == ASN1_PRINTABLESTRING ||
+		   (type_a == ASN1_IA5STRING && asn1_known_oid(oid_a) == OID_PKCS9_EMAIL)))
+		{
+			if (strncasecmp(value_a.ptr, value_b.ptr, value_b.len) != 0)
+			{
+				return FALSE;
+			}
+		}
+		else
+		{
+			if (strncmp(value_a.ptr, value_b.ptr, value_b.len) != 0)
+			{
+				return FALSE;
+			}
+		}
 	}
-	else
+	/* both DNs must have same number of RDNs */
+	if (next_a || next_b)
 	{
-	    if (strncmp(value_a.ptr, value_b.ptr, value_b.len) != 0)
 		return FALSE;
 	}
-    }
-    /* both DNs must have same number of RDNs */
-    if (next_a || next_b)
-	return FALSE;
 
-    /* the two DNs are equal! */
-    return TRUE;
+	/* the two DNs are equal! */
+	return TRUE;
 }
 
 
-/*  compare two distinguished names by comparing the individual RDNs.
+/**
+ *  Compare two distinguished names by comparing the individual RDNs.
  *  A single'*' character designates a wildcard RDN in DN b.
  */
-bool
-match_dn(chunk_t a, chunk_t b, int *wildcards)
+bool match_dn(chunk_t a, chunk_t b, int *wildcards)
 {
-    chunk_t rdn_a, rdn_b, attribute_a, attribute_b;
-    chunk_t oid_a, oid_b, value_a, value_b;
-    asn1_t type_a,  type_b;
-    bool next_a, next_b;
+	chunk_t rdn_a, rdn_b, attribute_a, attribute_b;
+	chunk_t oid_a, oid_b, value_a, value_b;
+	asn1_t type_a,  type_b;
+	bool next_a, next_b;
 
-    /* initialize wildcard counter */
-    *wildcards = 0;
+	/* initialize wildcard counter */
+	*wildcards = 0;
 
-    /* initialize DN parsing */
-    if (init_rdn(a, &rdn_a, &attribute_a, &next_a) != NULL
-    ||  init_rdn(b, &rdn_b, &attribute_b, &next_b) != NULL)
-    	return FALSE;
-
-    /* fetch next RDN pair */
-    while (next_a && next_b)
-    {
-	/* parse next RDNs and check for errors */
-	if (get_next_rdn(&rdn_a, &attribute_a, &oid_a, &value_a, &type_a, &next_a) != NULL
-	||  get_next_rdn(&rdn_b, &attribute_b, &oid_b, &value_b, &type_b, &next_b) != NULL)
+	/* initialize DN parsing */
+	if (init_rdn(a, &rdn_a, &attribute_a, &next_a) != NULL
+	||  init_rdn(b, &rdn_b, &attribute_b, &next_b) != NULL)
 	{
-	    return FALSE;
+		return FALSE;
 	}
 
-	/* OIDs must agree */
-	if (oid_a.len != oid_b.len || memcmp(oid_a.ptr, oid_b.ptr, oid_b.len) != 0)
-	    return FALSE;
-
-	/* does rdn_b contain a wildcard? */
-	if (value_b.len == 1 && *value_b.ptr == '*')
+	/* fetch next RDN pair */
+	while (next_a && next_b)
 	{
-	    (*wildcards)++;
-	    continue;
-	}
+		/* parse next RDNs and check for errors */
+		if (get_next_rdn(&rdn_a, &attribute_a, &oid_a, &value_a, &type_a, &next_a) != NULL
+		||  get_next_rdn(&rdn_b, &attribute_b, &oid_b, &value_b, &type_b, &next_b) != NULL)
+		{
+			return FALSE;
+		}
 
-	/* same lengths for values */
-	if (value_a.len != value_b.len)
-	    return FALSE;
+		/* OIDs must agree */
+		if (oid_a.len != oid_b.len || memcmp(oid_a.ptr, oid_b.ptr, oid_b.len) != 0)
+		{
+			return FALSE;
+		}
 
-	/* printableStrings and email RDNs require uppercase comparison */
-	if (type_a == type_b && (type_a == ASN1_PRINTABLESTRING ||
-	   (type_a == ASN1_IA5STRING && known_oid(oid_a) == OID_PKCS9_EMAIL)))
-	{
-	    if (strncasecmp(value_a.ptr, value_b.ptr, value_b.len) != 0)
-		return FALSE;
+		/* does rdn_b contain a wildcard? */
+		if (value_b.len == 1 && *value_b.ptr == '*')
+		{
+			(*wildcards)++;
+			continue;
+		}
+
+		/* same lengths for values */
+		if (value_a.len != value_b.len)
+		{
+			return FALSE;
+		}
+
+		/* printableStrings and email RDNs require uppercase comparison */
+		if (type_a == type_b && (type_a == ASN1_PRINTABLESTRING ||
+		   (type_a == ASN1_IA5STRING && asn1_known_oid(oid_a) == OID_PKCS9_EMAIL)))
+		{
+			if (strncasecmp(value_a.ptr, value_b.ptr, value_b.len) != 0)
+			{
+				return FALSE;
+			}
+		}
+		else
+		{
+			if (strncmp(value_a.ptr, value_b.ptr, value_b.len) != 0)
+			{
+				return FALSE;
+			}
+		}
 	}
-	else
+
+	/* both DNs must have same number of RDNs */
+	if (next_a || next_b)
 	{
-	    if (strncmp(value_a.ptr, value_b.ptr, value_b.len) != 0)
 		return FALSE;
 	}
-    }
-    /* both DNs must have same number of RDNs */
-    if (next_a || next_b)
-	return FALSE;
 
-    /* the two DNs match! */
-    return TRUE;
+	/* the two DNs match! */
+	return TRUE;
 }
 
-/*
- *  compare two X.509 certificates by comparing their signatures
+/**
+ *  Compare two X.509 certificates by comparing their signatures
  */
-bool
-same_x509cert(const x509cert_t *a, const x509cert_t *b)
+bool same_x509cert(const x509cert_t *a, const x509cert_t *b)
 {
-    return same_chunk(a->signature, b->signature);
+	return chunk_equals(a->signature, b->signature);
 }
 
-/*  for each link pointing to the certificate
- "  increase the count by one
+/**
+ * For each link pointing to the certificate increase the count by one
  */
-void
-share_x509cert(x509cert_t *cert)
+void share_x509cert(x509cert_t *cert)
 {
-    if (cert != NULL)
- 	cert->count++;
+	if (cert != NULL)
+	{
+		cert->count++;
+	}
 }
 
-/*
- *  add a X.509 user/host certificate to the chained list
+/**
+ *  Add a X.509 user/host certificate to the chained list
  */
-x509cert_t*
-add_x509cert(x509cert_t *cert)
+x509cert_t* add_x509cert(x509cert_t *cert)
 {
-    x509cert_t *c = x509certs;
+	x509cert_t *c = x509certs;
 
-    while (c != NULL)
-    {
-	if (same_x509cert(c, cert)) /* already in chain, free cert */
+	while (c != NULL)
 	{
-	    free_x509cert(cert);
-	    return c;
+		if (same_x509cert(c, cert)) /* already in chain, free cert */
+		{
+			free_x509cert(cert);
+			return c;
+		}
+		c = c->next;
 	}
-	c = c->next;
-    }
 
-    /* insert new cert at the root of the chain */
-    lock_certs_and_keys("add_x509cert");
-    cert->next = x509certs;
-    x509certs = cert;
-    DBG(DBG_CONTROL | DBG_PARSING,
-	DBG_log("  x509 cert inserted")
-    )
-    unlock_certs_and_keys("add_x509cert");
-    return cert;
+	/* insert new cert at the root of the chain */
+	lock_certs_and_keys("add_x509cert");
+	cert->next = x509certs;
+	x509certs = cert;
+	DBG(DBG_CONTROL | DBG_PARSING,
+		DBG_log("  x509 cert inserted")
+	)
+	unlock_certs_and_keys("add_x509cert");
+	return cert;
 }
 
-/*
- * choose either subject DN or a subjectAltName as connection end ID
+/**
+ * Choose either subject DN or a subjectAltName as connection end ID
  */
-void
-select_x509cert_id(x509cert_t *cert, struct id *end_id)
+void select_x509cert_id(x509cert_t *cert, struct id *end_id)
 {
-    bool copy_subject_dn = TRUE;	 /* ID is subject DN */
-
-    if (end_id->kind != ID_NONE) /* check for matching subjectAltName */
-    {
-	generalName_t *gn = cert->subjectAltName;
+	bool copy_subject_dn = TRUE;         /* ID is subject DN */
 
-	while (gn != NULL)
+	if (end_id->kind != ID_ANY) /* check for matching subjectAltName */
 	{
-	    struct id id = empty_id;
+		generalName_t *gn = cert->subjectAltName;
 
-	    gntoid(&id, gn);
-	    if (same_id(&id, end_id))
-	    {
-		copy_subject_dn = FALSE; /* take subjectAltName instead */
-		break;
-	    }
-	    gn = gn->next;
+		while (gn != NULL)
+		{
+			struct id id = empty_id;
+
+			gntoid(&id, gn);
+			if (same_id(&id, end_id))
+			{
+				copy_subject_dn = FALSE; /* take subjectAltName instead */
+				break;
+			}
+			gn = gn->next;
+		}
 	}
-    }
 
-    if (copy_subject_dn)
-    {
-	if (end_id->kind != ID_NONE && end_id->kind != ID_DER_ASN1_DN)
+	if (copy_subject_dn)
 	{
-	     char buf[BUF_LEN];
+		if (end_id->kind != ID_ANY && end_id->kind != ID_DER_ASN1_DN)
+		{
+			 char buf[BUF_LEN];
 
-	     idtoa(end_id, buf, BUF_LEN);
-	     plog("  no subjectAltName matches ID '%s', replaced by subject DN", buf);
+			 idtoa(end_id, buf, BUF_LEN);
+			 plog("  no subjectAltName matches ID '%s', replaced by subject DN", buf);
+		}
+		end_id->kind = ID_DER_ASN1_DN;
+		end_id->name.len = cert->subject.len;
+		end_id->name.ptr = temporary_cyclic_buffer();
+		memcpy(end_id->name.ptr, cert->subject.ptr, cert->subject.len);
 	}
-	end_id->kind = ID_DER_ASN1_DN;
-	end_id->name.len = cert->subject.len;
-	end_id->name.ptr = temporary_cyclic_buffer();
-	memcpy(end_id->name.ptr, cert->subject.ptr, cert->subject.len);
-    }
 }
 
-/*
- * check for equality between two key identifiers
+/**
+ * Check for equality between two key identifiers
  */
-bool
-same_keyid(chunk_t a, chunk_t b)
+bool same_keyid(chunk_t a, chunk_t b)
 {
-    if (a.ptr == NULL || b.ptr == NULL)
-	return FALSE;
-
-    return same_chunk(a, b);
+	if (a.ptr == NULL || b.ptr == NULL)
+	{
+		return FALSE;
+	}
+	return chunk_equals(a, b);
 }
 
-/*
- * check for equality between two serial numbers
+/**
+ * Check for equality between two serial numbers
  */
-bool
-same_serial(chunk_t a, chunk_t b)
+bool same_serial(chunk_t a, chunk_t b)
 {
-    /* do not compare serial numbers if one of them is not defined */
-    if (a.ptr == NULL || b.ptr == NULL)
-	return TRUE;
-
-    return same_chunk(a, b);
+	/* do not compare serial numbers if one of them is not defined */
+	if (a.ptr == NULL || b.ptr == NULL)
+	{
+		return TRUE;
+	}
+	return chunk_equals(a, b);
 }
 
-/*
- *  get a X.509 certificate with a given issuer found at a certain position
+/**
+ * Get a X.509 certificate with a given issuer found at a certain position
  */
-x509cert_t*
-get_x509cert(chunk_t issuer, chunk_t serial, chunk_t keyid, x509cert_t *chain)
+x509cert_t* get_x509cert(chunk_t issuer, chunk_t serial, chunk_t keyid,
+						 x509cert_t *chain)
 {
-    x509cert_t *cert = (chain != NULL)? chain->next : x509certs;
+	x509cert_t *cert = (chain != NULL)? chain->next : x509certs;
 
-    while (cert != NULL)
-    {
-	if ((keyid.ptr != NULL) ? same_keyid(keyid, cert->authKeyID)
-	    : (same_dn(issuer, cert->issuer)
-	       && same_serial(serial, cert->authKeySerialNumber)))
+	while (cert != NULL)
 	{
-	    return cert;
+		if ((keyid.ptr != NULL) ? same_keyid(keyid, cert->authKeyID)
+			: (same_dn(issuer, cert->issuer)
+			   && same_serial(serial, cert->authKeySerialNumber)))
+		{
+			return cert;
+		}
+		cert = cert->next;
 	}
-	cert = cert->next;
-    }
-    return NULL;
+	return NULL;
 }
 
-/*
- * encode a linked list of subjectAltNames
+/**
+ * Encode a linked list of subjectAltNames
  */
-chunk_t
-build_subjectAltNames(generalName_t *subjectAltNames)
+chunk_t build_subjectAltNames(generalName_t *subjectAltNames)
 {
-    u_char *pos;
-    chunk_t names;
-    size_t len = 0;
-    generalName_t *gn = subjectAltNames;
-	
+	u_char *pos;
+	chunk_t names;
+	size_t len = 0;
+	generalName_t *gn = subjectAltNames;
+		
    /* compute the total size of the ASN.1 attributes object */
-    while (gn != NULL)
-    {
-	len += gn->name.len;
-	gn = gn->next;
-    }
+	while (gn != NULL)
+	{
+		len += gn->name.len;
+		gn = gn->next;
+	}
 
-    pos = build_asn1_object(&names, ASN1_SEQUENCE, len);
+	pos = asn1_build_object(&names, ASN1_SEQUENCE, len);
 
-    gn = subjectAltNames;
-    while (gn != NULL)
-    {
-	chunkcpy(pos, gn->name);
-	gn = gn->next;
-    }
+	gn = subjectAltNames;
+	while (gn != NULL)
+	{
+		chunkcpy(pos, gn->name);
+		gn = gn->next;
+	}
 
-    return asn1_wrap(ASN1_SEQUENCE, "cm"
-		, ASN1_subjectAltName_oid
-		, asn1_wrap(ASN1_OCTET_STRING, "m", names));
+	return asn1_wrap(ASN1_SEQUENCE, "cm"
+				, ASN1_subjectAltName_oid
+				, asn1_wrap(ASN1_OCTET_STRING, "m", names));
 }
 
-/*
- * build a to-be-signed X.509 certificate body
+/**
+ * Build a to-be-signed X.509 certificate body
  */
-static chunk_t
-build_tbs_x509cert(x509cert_t *cert, const RSA_public_key_t *rsa)
+static chunk_t build_tbs_x509cert(x509cert_t *cert, public_key_t *rsa)
 {
-    /* version is always X.509v3 */
-    chunk_t version = asn1_simple_object(ASN1_CONTEXT_C_0, ASN1_INTEGER_2);
+	/* version is always X.509v3 */
+	chunk_t version = asn1_simple_object(ASN1_CONTEXT_C_0, ASN1_INTEGER_2);
 
-    chunk_t extensions = empty_chunk;
+	chunk_t extensions = chunk_empty;
 
-    if (cert->subjectAltName != NULL)
-    {
-	extensions = asn1_wrap(ASN1_CONTEXT_C_3, "m"
-		, asn1_wrap(ASN1_SEQUENCE, "m"
-		, build_subjectAltNames(cert->subjectAltName)));
-    }
+	chunk_t key = rsa->get_encoding(rsa);
+
+	chunk_t keyInfo = asn1_wrap(ASN1_SEQUENCE, "cm",
+							asn1_algorithmIdentifier(OID_RSA_ENCRYPTION), 
+							asn1_bitstring("m", key));	
+
+	if (cert->subjectAltName != NULL)
+	{
+		extensions = asn1_wrap(ASN1_CONTEXT_C_3, "m"
+				, asn1_wrap(ASN1_SEQUENCE, "m"
+				, build_subjectAltNames(cert->subjectAltName)));
+	}
 
-    return asn1_wrap(ASN1_SEQUENCE, "mmccmcmm"
-		, version
-		, asn1_simple_object(ASN1_INTEGER, cert->serialNumber)
-		, asn1_algorithmIdentifier(cert->sigAlg)
-		, cert->issuer
-		, asn1_wrap(ASN1_SEQUENCE, "mm"
-		    , timetoasn1(&cert->notBefore, ASN1_UTCTIME) 
-		    , timetoasn1(&cert->notAfter,  ASN1_UTCTIME)
-		  )
-		, cert->subject
-		, pkcs1_build_publicKeyInfo(rsa)
-		, extensions
-	   );
+	return asn1_wrap(ASN1_SEQUENCE, "mmccmcmm"
+				, version
+				, asn1_integer("c", cert->serialNumber)
+				, asn1_algorithmIdentifier(cert->sigAlg)
+				, cert->issuer
+				, asn1_wrap(ASN1_SEQUENCE, "mm"
+					, asn1_from_time(&cert->notBefore, ASN1_UTCTIME) 
+					, asn1_from_time(&cert->notAfter,  ASN1_UTCTIME)
+				  )
+				, cert->subject
+				, keyInfo
+				, extensions
+		   );
 }
 
-/*
- * build a DER-encoded X.509 certificate
+/**
+ * Build a DER-encoded X.509 certificate
  */
-void
-build_x509cert(x509cert_t *cert, const RSA_public_key_t *cert_key
-, const RSA_private_key_t *signer_key)
+void build_x509cert(x509cert_t *cert, public_key_t *cert_key,
+					private_key_t *signer_key)
 {
-    chunk_t tbs_cert = build_tbs_x509cert(cert, cert_key);
+	chunk_t tbs_cert = build_tbs_x509cert(cert, cert_key);
 
-    chunk_t signature = pkcs1_build_signature(tbs_cert, cert->sigAlg
-			    , signer_key, TRUE);
+	chunk_t signature = x509_build_signature(tbs_cert, cert->sigAlg
+								, signer_key, TRUE);
 
-    cert->certificate = asn1_wrap(ASN1_SEQUENCE, "mcm"
-				, tbs_cert
-				, asn1_algorithmIdentifier(cert->sigAlg)
-				, signature);
+	cert->certificate = asn1_wrap(ASN1_SEQUENCE, "mcm"
+								, tbs_cert
+								, asn1_algorithmIdentifier(cert->sigAlg)
+								, signature);
 }
 
-/*
- *  free the dynamic memory used to store generalNames
+/**
+ * Free the dynamic memory used to store generalNames
  */
-void
-free_generalNames(generalName_t* gn, bool free_name)
+void free_generalNames(generalName_t* gn, bool free_name)
 {
-    while (gn != NULL)
-    {
-	generalName_t *gn_top = gn;
-	if (free_name)
+	while (gn != NULL)
 	{
-	    pfree(gn->name.ptr);
+		generalName_t *gn_top = gn;
+		if (free_name)
+		{
+			free(gn->name.ptr);
+		}
+		gn = gn->next;
+		free(gn_top);
 	}
-	gn = gn->next;
-	pfree(gn_top);
-    }
 }
 
-/*
- *  free a X.509 certificate
+/**
+ *  Free a X.509 certificate
  */
-void
-free_x509cert(x509cert_t *cert)
+void free_x509cert(x509cert_t *cert)
 {
-    if (cert != NULL)
-    {
-	free_generalNames(cert->subjectAltName, FALSE);
-	free_generalNames(cert->crlDistributionPoints, FALSE);
-	pfreeany(cert->certificate.ptr);
-	pfree(cert);
-	cert = NULL;
-    }
+	if (cert != NULL)
+	{
+		DESTROY_IF(cert->public_key);
+		free_generalNames(cert->subjectAltName, FALSE);
+		free_generalNames(cert->crlDistributionPoints, FALSE);
+		free(cert->certificate.ptr);
+		free(cert);
+		cert = NULL;
+	}
 }
 
-/*  release of a certificate decreases the count by one
- "  the certificate is freed when the counter reaches zero
+/**
+ * Release of a certificate decreases the count by one
+ * the certificate is freed when the counter reaches zero
  */
-void
-release_x509cert(x509cert_t *cert)
+void release_x509cert(x509cert_t *cert)
 {
-    if (cert != NULL && --cert->count == 0)
-    {
-	x509cert_t **pp = &x509certs;
-	while (*pp != cert)
-	    pp = &(*pp)->next;
-        *pp = cert->next;
-	free_x509cert(cert);
-    }
+	if (cert != NULL && --cert->count == 0)
+	{
+		x509cert_t **pp = &x509certs;
+		while (*pp != cert)
+		{
+			pp = &(*pp)->next;
+		}
+		*pp = cert->next;
+		free_x509cert(cert);
+	}
 }
 
-
-/*
- * stores a chained list of end certs and CA certs
+/**
+ * Stores a chained list of end certs and CA certs
  */
-void
-store_x509certs(x509cert_t **firstcert, bool strict)
+void store_x509certs(x509cert_t **firstcert, bool strict)
 {
-    x509cert_t *cacerts = NULL;
-    x509cert_t **pp = firstcert;
+	x509cert_t *cacerts = NULL;
+	x509cert_t **pp = firstcert;
 
-    /* first extract CA certs, discarding root CA certs */
+	/* first extract CA certs, discarding root CA certs */
 
-    while (*pp != NULL)
-    {
-	x509cert_t *cert = *pp;
-
-	if (cert->isCA)
+	while (*pp != NULL)
 	{
-	    *pp = cert->next;
-	    
-	    /* we don't accept self-signed CA certs */
-	    if (same_dn(cert->issuer, cert->subject))
-	    {
-		plog("self-signed cacert rejected");
-		free_x509cert(cert);
-	    }
-	    else
-	    {
-		/* insertion into temporary chain of candidate CA certs */
-		cert->next = cacerts;
-		cacerts = cert;
-	    }
+		x509cert_t *cert = *pp;
+
+		if (cert->isCA)
+		{
+			*pp = cert->next;
+			
+			/* we don't accept self-signed CA certs */
+			if (same_dn(cert->issuer, cert->subject))
+			{
+				plog("self-signed cacert rejected");
+				free_x509cert(cert);
+			}
+			else
+			{
+				/* insertion into temporary chain of candidate CA certs */
+				cert->next = cacerts;
+				cacerts = cert;
+			}
+		}
+		else
+		{
+			pp = &cert->next;
+		}
 	}
-	else
-	    pp = &cert->next;
-    }
 
-    /* now verify the candidate CA certs */
-    
-    while (cacerts != NULL)
-    {
-	x509cert_t *cert = cacerts;
+	/* now verify the candidate CA certs */
 	
-	cacerts = cacerts->next;
-
-	if (trust_authcert_candidate(cert, cacerts))
-	{
-	    add_authcert(cert, AUTH_CA);
-	}
-	else
+	while (cacerts != NULL)
 	{
-	    plog("intermediate cacert rejected");
-	    free_x509cert(cert);
-	}
-    }
-    
-    /* now verify the end certificates */
+		x509cert_t *cert = cacerts;
+		
+		cacerts = cacerts->next;
 
-    pp = firstcert;
+		if (trust_authcert_candidate(cert, cacerts))
+		{
+			add_authcert(cert, AUTH_CA);
+		}
+		else
+		{
+			plog("intermediate cacert rejected");
+			free_x509cert(cert);
+		}
+	}
+	
+	/* now verify the end certificates */
 
-    while (*pp != NULL)
-    {
-	time_t valid_until;
-	x509cert_t *cert = *pp;
+	pp = firstcert;
 
-	if (verify_x509cert(cert, strict, &valid_until))
-	{
-	    DBG(DBG_CONTROL | DBG_PARSING,
-		DBG_log("public key validated")
-	    )
-	    add_x509_public_key(cert, valid_until, DAL_SIGNED);
-	}
-	else
+	while (*pp != NULL)
 	{
-	    plog("X.509 certificate rejected");
+		time_t valid_until;
+		x509cert_t *cert = *pp;
+
+		if (verify_x509cert(cert, strict, &valid_until))
+		{
+			DBG(DBG_CONTROL | DBG_PARSING,
+				DBG_log("public key validated")
+			)
+			add_x509_public_key(cert, valid_until, DAL_SIGNED);
+		}
+		else
+		{
+			plog("X.509 certificate rejected");
+		}
+		*pp = cert->next;
+		free_x509cert(cert);
 	}
-	*pp = cert->next;
-	free_x509cert(cert);
-    }
 }
 
-/*
- *  decrypts an RSA signature using the issuer's certificate
+/**
+ * Check if a signature over binary blob is genuine
  */
-static bool
-decrypt_sig(chunk_t sig, int alg, const x509cert_t *issuer_cert,
-	    chunk_t *digest)
+bool x509_check_signature(chunk_t tbs, chunk_t sig, int algorithm,
+						  const x509cert_t *issuer_cert)
 {
-    switch (alg)
-    {
-	chunk_t decrypted;
-
-	case OID_RSA_ENCRYPTION:
-	case OID_MD2_WITH_RSA:
-	case OID_MD5_WITH_RSA:
-	case OID_SHA1_WITH_RSA:
-	case OID_SHA1_WITH_RSA_OIW:
-	case OID_SHA256_WITH_RSA:
-	case OID_SHA384_WITH_RSA:
-	case OID_SHA512_WITH_RSA:
+	public_key_t *key = issuer_cert->public_key;
+	signature_scheme_t scheme = signature_scheme_from_oid(algorithm);
+
+	if (scheme == SIGN_UNKNOWN)
 	{
-	    mpz_t s;
-	    RSA_public_key_t rsa;
-
-	    init_RSA_public_key(&rsa, issuer_cert->publicExponent
-				    , issuer_cert->modulus);
-
-	    /* decrypt the signature s = s^e mod n */
-	    n_to_mpz(s, sig.ptr, sig.len);
-	    mpz_powm(s, s, &rsa.e, &rsa.n);
-
-	    /* convert back to bytes */
-	    decrypted = mpz_to_n(s, rsa.k);
-	    DBG(DBG_PARSING,
-		DBG_dump_chunk("  decrypted signature: ", decrypted)
-	    )
-
-	    /*  copy the least significant bits of decrypted signature
-	     *  into the digest string
-	    */
-	    memcpy(digest->ptr, decrypted.ptr + decrypted.len - digest->len,
-		   digest->len);
-
-	    /* free memory */
-	    free_RSA_public_content(&rsa);
-	    pfree(decrypted.ptr);
-	    mpz_clear(s);
-	    return TRUE;
+		return FALSE;
 	}
-	default:
-	    digest->len = 0;
-	    return FALSE;
-    }
+	return key->verify(key, scheme, tbs, sig); 
 }
 
-/*
- *   Check if a signature over binary blob is genuine
+/**
+ * Build an ASN.1 encoded PKCS#1 signature over a binary blob
  */
-bool
-check_signature(chunk_t tbs, chunk_t sig, int digest_alg, int enc_alg
-, const x509cert_t *issuer_cert)
+chunk_t x509_build_signature(chunk_t tbs, int algorithm, private_key_t *key,
+							 bool bit_string)
 {
-    u_char digest_buf[MAX_DIGEST_LEN];
-    u_char decrypted_buf[MAX_DIGEST_LEN];
-    chunk_t digest = {digest_buf, MAX_DIGEST_LEN};
-    chunk_t decrypted = {decrypted_buf, MAX_DIGEST_LEN};
-
-    DBG(DBG_PARSING,
-	if (digest_alg != OID_UNKNOWN)
-	    DBG_log("signature digest algorithm: '%s'",oid_names[digest_alg].name);
-	else
-	    DBG_log("unknown signature digest algorithm");
-    )
-
-    if (!compute_digest(tbs, digest_alg, &digest))
-    {
-	plog("  digest algorithm not supported");
-	return FALSE;
-    }
-
-    DBG(DBG_PARSING,
-	DBG_dump_chunk("  digest:", digest)
-    )
-
-    decrypted.len = digest.len; /* we want the same digest length */
-
-    DBG(DBG_PARSING,
-	if (enc_alg != OID_UNKNOWN)
-	    DBG_log("signature encryption algorithm: '%s'",oid_names[enc_alg].name);
-	else
-	    DBG_log("unknown signature encryption algorithm");
-    )
-
-    if (!decrypt_sig(sig, enc_alg, issuer_cert, &decrypted))
-    {
-    	plog("  decryption algorithm not supported");
-	return FALSE;
-    }
+	chunk_t signature;
+	signature_scheme_t scheme = signature_scheme_from_oid(algorithm);
 
-    /* check if digests are equal */
-    return !memcmp(decrypted.ptr, digest.ptr, digest.len);
+	if (scheme == SIGN_UNKNOWN || !key->sign(key, scheme, tbs, &signature))
+	{
+		return chunk_empty;
+	} 
+	return (bit_string) ? asn1_bitstring("m", signature)
+						: asn1_wrap(ASN1_OCTET_STRING, "m", signature);
 }
 
-/*
- * extracts the basicConstraints extension
+/**
+ * Extracts the basicConstraints extension
  */
-static bool
-parse_basicConstraints(chunk_t blob, int level0)
+static bool parse_basicConstraints(chunk_t blob, int level0)
 {
-    asn1_ctx_t ctx;
-    chunk_t object;
-    u_int level;
-    int objectID = 0;
-    bool isCA = FALSE;
-
-    asn1_init(&ctx, blob, level0, FALSE, DBG_RAW);
+	asn1_parser_t *parser;
+	chunk_t object;
+	int objectID;
+	bool isCA = FALSE;
 
-    while (objectID < BASIC_CONSTRAINTS_ROOF) {
+	parser = asn1_parser_create(basicConstraintsObjects, blob);
+	parser->set_top_level(parser, level0);
 
-	if (!extract_object(basicConstraintsObjects, &objectID,
-			    &object,&level, &ctx))
-	     break;
-
-	if (objectID == BASIC_CONSTRAINTS_CA)
+	while (parser->iterate(parser, &objectID, &object))
 	{
-	    isCA = object.len && *object.ptr;
-	    DBG(DBG_PARSING,
-		DBG_log("  %s",(isCA)?"TRUE":"FALSE");
-	    )
+		if (objectID == BASIC_CONSTRAINTS_CA)
+		{
+			isCA = object.len && *object.ptr;
+			DBG(DBG_PARSING,
+				DBG_log("  %s",(isCA)?"TRUE":"FALSE");
+			)
+		}
 	}
-	objectID++;
-    }
-    return isCA;
+	parser->destroy(parser);
+
+	return isCA;
 }
 
-/*
+/**
  *  Converts a X.500 generalName into an ID
  */
-void
-gntoid(struct id *id, const generalName_t *gn)
+void gntoid(struct id *id, const generalName_t *gn)
 {
-    switch(gn->kind)
-    {
-    case GN_DNS_NAME:		/* ID type: ID_FQDN */
-	id->kind = ID_FQDN;
-	id->name = gn->name;
-	break;
-    case GN_IP_ADDRESS:		/* ID type: ID_IPV4_ADDR */
+	switch(gn->kind)
 	{
-	    const struct af_info *afi = &af_inet4_info;
-	    err_t ugh = NULL;
+	case GN_DNS_NAME:           /* ID type: ID_FQDN */
+		id->kind = ID_FQDN;
+		id->name = gn->name;
+		break;
+	case GN_IP_ADDRESS:         /* ID type: ID_IPV4_ADDR */
+		{
+			const struct af_info *afi = &af_inet4_info;
+			err_t ugh = NULL;
 
-	    id->kind = afi->id_addr;
-	    ugh = initaddr(gn->name.ptr, gn->name.len, afi->af, &id->ip_addr);
+			id->kind = afi->id_addr;
+			ugh = initaddr(gn->name.ptr, gn->name.len, afi->af, &id->ip_addr);
+		}
+		break;
+	case GN_RFC822_NAME:        /* ID type: ID_USER_FQDN */
+		id->kind = ID_USER_FQDN;
+		id->name = gn->name;
+		break;
+	default:
+		id->kind = ID_ANY;
+		id->name = chunk_empty;
 	}
-	break;
-    case GN_RFC822_NAME:	/* ID type: ID_USER_FQDN */
-	id->kind = ID_USER_FQDN;
-	id->name = gn->name;
-	break;
-    default:
-	id->kind = ID_NONE;
-	id->name = empty_chunk;
-    }
 }
 
-/* compute the subjectKeyIdentifier according to section 4.2.1.2 of RFC 3280
+/**
+ * Compute the subjectKeyIdentifier according to section 4.2.1.2 of RFC 3280
  * as the 160 bit SHA-1 hash of the public key
  */
-void
-compute_subjectKeyID(x509cert_t *cert, chunk_t subjectKeyID)
+bool compute_subjectKeyID(x509cert_t *cert, chunk_t subjectKeyID)
 {
-    SHA1_CTX context;
-
-    SHA1Init(&context);
-    SHA1Update(&context
-	      , cert->subjectPublicKey.ptr
-	      , cert->subjectPublicKey.len);
-    SHA1Final(subjectKeyID.ptr, &context);
-    subjectKeyID.len = SHA1_DIGEST_SIZE;
+	identification_t *keyid;
+	chunk_t encoding;
+
+	keyid = cert->public_key->get_id(cert->public_key, ID_PUBKEY_SHA1);
+	if (keyid == NULL)
+	{
+		plog("  unable to compute subjectKeyID");
+		return FALSE;
+	}
+	encoding = keyid->get_encoding(keyid);
+	memcpy(subjectKeyID.ptr, encoding.ptr, subjectKeyID.len);
+	return TRUE;
 }
 
-/*
- * extracts an otherName
+/**
+ * Extracts an otherName
  */
-static bool
-parse_otherName(chunk_t blob, int level0)
+static bool parse_otherName(chunk_t blob, int level0)
 {
-    asn1_ctx_t ctx;
-    chunk_t object;
-    int objectID = 0;
-    u_int level;
-    int oid = OID_UNKNOWN;
-
-    asn1_init(&ctx, blob, level0, FALSE, DBG_RAW);
+	asn1_parser_t *parser;
+	chunk_t object;
+	int objectID;
+	int oid = OID_UNKNOWN;
+	bool success = FALSE;
 
-    while (objectID < ON_OBJ_ROOF)
-    {
-	if (!extract_object(otherNameObjects, &objectID, &object, &level, &ctx))
-	     return FALSE;
+	parser = asn1_parser_create(otherNameObjects, blob);
+	parser->set_top_level(parser, level0);
 
-	switch (objectID)
+	while (parser->iterate(parser, &objectID, &object))
 	{
-	case ON_OBJ_ID_TYPE:
-	    oid = known_oid(object);
-	    break;
-	case ON_OBJ_VALUE:
-	    if (oid == OID_XMPP_ADDR)
-	    {
-		if (!parse_asn1_simple_object(&object, ASN1_UTF8STRING
-					     , level + 1, "xmppAddr"))
+		switch (objectID)
 		{
-		    return FALSE;
+		case ON_OBJ_ID_TYPE:
+			oid = asn1_known_oid(object);
+			break;
+		case ON_OBJ_VALUE:
+			if (oid == OID_XMPP_ADDR)
+			{
+				if (!asn1_parse_simple_object(&object, ASN1_UTF8STRING,
+							parser->get_level(parser) + 1, "xmppAddr"))
+				{
+					goto end;
+				}
+			}
+			break;
+		default:
+			break;
 		}
-	    }
-	    break;
-	default:
-	    break;
 	}
-	objectID++;
-    }
-    return TRUE;
+	success = parser->success(parser);
+	
+end:
+	parser->destroy(parser);
+	return success;
 }
 
 
-/*
- * extracts a generalName
+/**
+ * Extracts a generalName
  */
-static generalName_t*
-parse_generalName(chunk_t blob, int level0)
+static generalName_t* parse_generalName(chunk_t blob, int level0)
 {
-    u_char buf[BUF_LEN];
-    asn1_ctx_t ctx;
-    chunk_t object;
-    int objectID = 0;
-    u_int level;
-
-    asn1_init(&ctx, blob, level0, FALSE, DBG_RAW);
+	u_char buf[BUF_LEN];
+	asn1_parser_t *parser;
+	chunk_t object;
+	generalName_t *gn = NULL;
+	int objectID;
 
-    while (objectID < GN_OBJ_ROOF)
-    {
-	bool valid_gn = FALSE;
+	parser = asn1_parser_create(generalNameObjects, blob);
+	parser->set_top_level(parser, level0);
 	
-	if (!extract_object(generalNameObjects, &objectID, &object, &level, &ctx))
-	     return NULL;
-
-	switch (objectID) {
-	case GN_OBJ_RFC822_NAME:
-	case GN_OBJ_DNS_NAME:
-	case GN_OBJ_URI:
-	    DBG(DBG_PARSING,
-		DBG_log("  '%.*s'", (int)object.len, object.ptr);
-	    )
-	    valid_gn = TRUE;
-	    break;
-	case GN_OBJ_DIRECTORY_NAME:
-	    DBG(DBG_PARSING,
-		dntoa(buf, BUF_LEN, object);
-		DBG_log("  '%s'", buf)
-	    )
-	    valid_gn = TRUE;
-	    break;
-	case GN_OBJ_IP_ADDRESS:
-	    DBG(DBG_PARSING,
-		DBG_log("  '%d.%d.%d.%d'", *object.ptr, *(object.ptr+1),
-				      *(object.ptr+2), *(object.ptr+3));
-	    )
-	    valid_gn = TRUE;
-	    break;
-	case GN_OBJ_OTHER_NAME:
-	    if (!parse_otherName(object, level + 1))
-		return NULL;
-	    break;
-	case GN_OBJ_X400_ADDRESS:
-	case GN_OBJ_EDI_PARTY_NAME:
-	case GN_OBJ_REGISTERED_ID:
-	    break;
-	default:
-	    break;
-	}
-
-	if (valid_gn)
+	while (parser->iterate(parser, &objectID, &object))
 	{
-	    generalName_t *gn = alloc_thing(generalName_t, "generalName");
-	    gn->kind = (objectID - GN_OBJ_OTHER_NAME) / 2;
-	    gn->name = object;
-	    gn->next = NULL;
-	    return gn;
-        }
-	objectID++;
-    }
-    return NULL;
-}
-
-
-/*
- * extracts one or several GNs and puts them into a chained list
- */
-static generalName_t*
-parse_generalNames(chunk_t blob, int level0, bool implicit)
-{
-    asn1_ctx_t ctx;
-    chunk_t object;
-    u_int level;
-    int objectID = 0;
-
-    generalName_t *top_gn = NULL;
-
-    asn1_init(&ctx, blob, level0, implicit, DBG_RAW);
+		bool valid_gn = FALSE;
+		
+		switch (objectID) {
+		case GN_OBJ_RFC822_NAME:
+		case GN_OBJ_DNS_NAME:
+		case GN_OBJ_URI:
+			DBG(DBG_PARSING,
+				DBG_log("  '%.*s'", (int)object.len, object.ptr);
+			)
+			valid_gn = TRUE;
+			break;
+		case GN_OBJ_DIRECTORY_NAME:
+			DBG(DBG_PARSING,
+				dntoa(buf, BUF_LEN, object);
+				DBG_log("  '%s'", buf)
+			)
+			valid_gn = TRUE;
+			break;
+		case GN_OBJ_IP_ADDRESS:
+			DBG(DBG_PARSING,
+				DBG_log("  '%d.%d.%d.%d'", *object.ptr, *(object.ptr+1),
+									  *(object.ptr+2), *(object.ptr+3));
+			)
+			valid_gn = TRUE;
+			break;
+		case GN_OBJ_OTHER_NAME:
+			if (!parse_otherName(object, parser->get_level(parser)+1))
+			{
+				goto end;
+			}
+			break;
+		case GN_OBJ_X400_ADDRESS:
+		case GN_OBJ_EDI_PARTY_NAME:
+		case GN_OBJ_REGISTERED_ID:
+			break;
+		default:
+			break;
+		}
 
-    while (objectID < GENERAL_NAMES_ROOF)
-    {
-	if (!extract_object(generalNamesObjects, &objectID, &object, &level, &ctx))
-	     return NULL;
-	     
-	if (objectID == GENERAL_NAMES_GN)
-	{
-	    generalName_t *gn = parse_generalName(object, level+1);
-	    if (gn != NULL)
-	    {
-		gn->next = top_gn;
-		top_gn = gn;
-	    }
+		if (valid_gn)
+		{
+			gn = malloc_thing(generalName_t);
+			gn->kind = (objectID - GN_OBJ_OTHER_NAME) / 2;
+			gn->name = object;
+			gn->next = NULL;
+			goto end;
+		}
 	}
-	objectID++;
-    }
-    return top_gn;
+	
+end:
+	parser->destroy(parser);
+	return gn;
 }
 
-/*
- * returns a directoryName
+/**
+ * Extracts one or several GNs and puts them into a chained list
  */
-chunk_t get_directoryName(chunk_t blob, int level, bool implicit)
+static generalName_t* parse_generalNames(chunk_t blob, int level0, bool implicit)
 {
-    chunk_t name = empty_chunk;
-    generalName_t * gn = parse_generalNames(blob, level, implicit);
-
-    if (gn != NULL && gn->kind == GN_DIRECTORY_NAME)
-	name= gn->name;
-
-    free_generalNames(gn, FALSE);
+	asn1_parser_t *parser;
+	chunk_t object;
+	int objectID;
+	generalName_t *top_gn = NULL;
+
+	parser = asn1_parser_create(generalNamesObjects, blob);
+	parser->set_top_level(parser, level0);
+	parser->set_flags(parser, implicit, FALSE);
+	
+	while (parser->iterate(parser, &objectID, &object))
+	{
+		if (objectID == GENERAL_NAMES_GN)
+		{
+			generalName_t *gn = parse_generalName(object,
+										parser->get_level(parser)+1);
+			if (gn)
+			{
+				gn->next = top_gn;
+				top_gn = gn;
+			}
+		}
+	}
+	parser->destroy(parser);
 
-    return name;
+	return top_gn;
 }
 
-/*
- * extracts and converts a UTCTIME or GENERALIZEDTIME object
+/**
+ * Returns a directoryName
  */
-time_t
-parse_time(chunk_t blob, int level0)
+chunk_t get_directoryName(chunk_t blob, int level, bool implicit)
 {
-    asn1_ctx_t ctx;
-    chunk_t object;
-    u_int level;
-    int objectID = 0;
+	chunk_t name = chunk_empty;
+	generalName_t * gn = parse_generalNames(blob, level, implicit);
 
-    asn1_init(&ctx, blob, level0, FALSE, DBG_RAW);
-
-    while (objectID < TIME_ROOF)
-    {
-	if (!extract_object(timeObjects, &objectID, &object, &level, &ctx))
-	     return UNDEFINED_TIME;
-
-	if (objectID == TIME_UTC || objectID == TIME_GENERALIZED)
+	if (gn != NULL && gn->kind == GN_DIRECTORY_NAME)
 	{
-	    return asn1totime(&object, (objectID == TIME_UTC)
-			? ASN1_UTCTIME : ASN1_GENERALIZEDTIME);
+		name= gn->name;
 	}
-	objectID++;
-    }
-    return UNDEFINED_TIME;
- }
-
-/*
- * extracts a keyIdentifier
- */
-static chunk_t
-parse_keyIdentifier(chunk_t blob, int level0, bool implicit)
-{
-    asn1_ctx_t ctx;
-    chunk_t object;
-    u_int level;
-    int objectID = 0;
-
-    asn1_init(&ctx, blob, level0, implicit, DBG_RAW);
-
-    extract_object(keyIdentifierObjects, &objectID, &object, &level, &ctx);
-    return object;
+	free_generalNames(gn, FALSE);
+	return name;
 }
 
-/*
- * extracts an authoritykeyIdentifier
+/**
+ * Extracts an authoritykeyIdentifier
  */
-void
-parse_authorityKeyIdentifier(chunk_t blob, int level0
-    , chunk_t *authKeyID, chunk_t *authKeySerialNumber)
+void parse_authorityKeyIdentifier(chunk_t blob, int level0,
+								  chunk_t *authKeyID,
+								  chunk_t *authKeySerialNumber)
 {
-    asn1_ctx_t ctx;
-    chunk_t object;
-    u_int level;
-    int objectID = 0;
+	asn1_parser_t *parser;
+	chunk_t object;
+	int objectID;
 
-    asn1_init(&ctx, blob, level0, FALSE, DBG_RAW);
+	parser = asn1_parser_create(authKeyIdentifierObjects, blob);
+	parser->set_top_level(parser, level0);
+	
+	while (parser->iterate(parser, &objectID, &object))
+	{
+		switch (objectID)
+		{
+		case AUTH_KEY_ID_KEY_ID:
+			*authKeyID = object;
+			break;
+		case AUTH_KEY_ID_CERT_ISSUER:
+			{
+				generalName_t * gn = parse_generalNames(object,
+					 					parser->get_level(parser) + 1, TRUE);
 
-    while (objectID < AUTH_KEY_ID_ROOF)
-    {
-	if (!extract_object(authorityKeyIdentifierObjects, &objectID, &object, &level, &ctx))
-	     return;
-
-	switch (objectID) {
-	case AUTH_KEY_ID_KEY_ID:
-	    *authKeyID = parse_keyIdentifier(object, level+1, TRUE);
-	    break;
-	case AUTH_KEY_ID_CERT_ISSUER:
-	    {
-		generalName_t * gn = parse_generalNames(object, level+1, TRUE);
-
-		free_generalNames(gn, FALSE);
-	    }
-	    break;
-	case AUTH_KEY_ID_CERT_SERIAL:
-	    *authKeySerialNumber = object;
-	    break;
-	default:
-	    break;
+				free_generalNames(gn, FALSE);
+			}
+			break;
+		case AUTH_KEY_ID_CERT_SERIAL:
+			*authKeySerialNumber = object;
+			break;
+		default:
+			break;
+		}
 	}
-	objectID++;
-    }
+	parser->destroy(parser);
 }
 
-/*
- * extracts an authorityInfoAcess location
+/**
+ * Extracts an authorityInfoAcess location
  */
-static void
-parse_authorityInfoAccess(chunk_t blob, int level0, chunk_t *accessLocation)
+static void parse_authorityInfoAccess(chunk_t blob, int level0,
+									  chunk_t *accessLocation)
 {
-    asn1_ctx_t ctx;
-    chunk_t object;
-    u_int level;
-    int objectID = 0;
-    int accessMethod = OID_UNKNOWN;
-
-    asn1_init(&ctx, blob, level0, FALSE, DBG_RAW);
+	asn1_parser_t *parser;
+	chunk_t object;
+	int objectID;
+	int accessMethod = OID_UNKNOWN;
 
-    while (objectID < AUTH_INFO_ACCESS_ROOF)
-    {
-	if (!extract_object(authorityInfoAccessObjects, &objectID, &object, &level, &ctx))
-	     return;
-
-	switch (objectID) {
-	case AUTH_INFO_ACCESS_METHOD:
-	    accessMethod = known_oid(object);
-	    break;
-	case AUTH_INFO_ACCESS_LOCATION:
-	    {
-		switch (accessMethod)
+	parser = asn1_parser_create(authInfoAccessObjects, blob);
+	parser->set_top_level(parser, level0);
+	
+	while (parser->iterate(parser, &objectID, &object))
+	{
+		switch (objectID)
 		{
-		case OID_OCSP:
-		    if (*object.ptr == ASN1_CONTEXT_S_6)
-		    {
-			if (asn1_length(&object) == ASN1_INVALID_LENGTH)
-			    return;
-
-			DBG(DBG_PARSING,
-			    DBG_log("  '%.*s'",(int)object.len, object.ptr)
-			)
-
-			/* only HTTP(S) URIs accepted */
-			if (strncasecmp(object.ptr, "http", 4) == 0)
+		case AUTH_INFO_ACCESS_METHOD:
+			accessMethod = asn1_known_oid(object);
+			break;
+		case AUTH_INFO_ACCESS_LOCATION:
 			{
-			    *accessLocation = object;
-			    return;
+				switch (accessMethod)
+				{
+				case OID_OCSP:
+					if (*object.ptr == ASN1_CONTEXT_S_6)
+					{
+						if (asn1_length(&object) == ASN1_INVALID_LENGTH)
+						{
+							goto end;
+						}
+						DBG(DBG_PARSING,
+							DBG_log("  '%.*s'",(int)object.len, object.ptr)
+						)
+
+						/* only HTTP(S) URIs accepted */
+						if (strncasecmp(object.ptr, "http", 4) == 0)
+						{
+							*accessLocation = object;
+							goto end;
+						}
+					}
+					plog("warning: ignoring OCSP InfoAccessLocation with unkown protocol");
+					break;
+				default:
+					/* unkown accessMethod, ignoring */
+					break;
+				}
 			}
-		    }
-		    plog("warning: ignoring OCSP InfoAccessLocation with unkown protocol");
-		    break;
+			break;
 		default:
-		    /* unkown accessMethod, ignoring */
-		    break;
+			break;
 		}
-	    }
-	    break;
-	default:
-	    break;
 	}
-	objectID++;
-    }
-
+	
+end:
+	parser->destroy(parser);
 }
 
-/*
- * extracts extendedKeyUsage OIDs
+/**
+ * Extracts extendedKeyUsage OIDs
  */
-static bool
-parse_extendedKeyUsage(chunk_t blob, int level0)
+static bool parse_extendedKeyUsage(chunk_t blob, int level0)
 {
-    asn1_ctx_t ctx;
-    chunk_t object;
-    u_int level;
-    int objectID = 0;
+	asn1_parser_t *parser;
+	chunk_t object;
+	int objectID;
+	bool ocsp_signing = FALSE;
 
-    asn1_init(&ctx, blob, level0, FALSE, DBG_RAW);
+	parser = asn1_parser_create(extendedKeyUsageObjects, blob);
+	parser->set_top_level(parser, level0);
+	
+	while (parser->iterate(parser, &objectID, &object))
+	{
+		if (objectID == EXT_KEY_USAGE_PURPOSE_ID
+		&& asn1_known_oid(object) == OID_OCSP_SIGNING)
+		{
+			ocsp_signing = TRUE;
+		}
+	}
+	parser->destroy(parser);
 
-    while (objectID < EXT_KEY_USAGE_ROOF)
-    {
-	if (!extract_object(extendedKeyUsageObjects, &objectID
-			    , &object, &level, &ctx))
-	     return FALSE;
-
-	if (objectID == EXT_KEY_USAGE_PURPOSE_ID
-	&& known_oid(object) == OID_OCSP_SIGNING)
-	    return TRUE;
-	objectID++;
-    }
-    return FALSE;
+	return ocsp_signing;
 }
 
-/*  extracts one or several crlDistributionPoints and puts them into
- *  a chained list
+/**
+ * Extracts one or several crlDistributionPoints
+ * and puts them into a chained list
  */
-static generalName_t*
-parse_crlDistributionPoints(chunk_t blob, int level0)
+static generalName_t* parse_crlDistributionPoints(chunk_t blob, int level0)
 {
-    asn1_ctx_t ctx;
-    chunk_t object;
-    u_int level;
-    int objectID = 0;
+	asn1_parser_t *parser;
+	chunk_t object;
+	int objectID;
 
-    generalName_t *top_gn = NULL;      /* top of the chained list */
-    generalName_t **tail_gn = &top_gn; /* tail of the chained list */
+	generalName_t *top_gn = NULL;      /* top of the chained list */
+	generalName_t **tail_gn = &top_gn; /* tail of the chained list */
 
-    asn1_init(&ctx, blob, level0, FALSE, DBG_RAW);
-
-    while (objectID < CRL_DIST_POINTS_ROOF)
-    {
-	if (!extract_object(crlDistributionPointsObjects, &objectID,
-			    &object, &level, &ctx))
-	     return NULL;
-
-	if (objectID == CRL_DIST_POINTS_FULLNAME)
+	parser = asn1_parser_create(crlDistributionPointsObjects, blob);
+	parser->set_top_level(parser, level0);
+	
+	while (parser->iterate(parser, &objectID, &object))
 	{
-	    generalName_t *gn = parse_generalNames(object, level+1, TRUE);
-	    /* append extracted generalNames to existing chained list */
-	    *tail_gn = gn;
-	    /* find new tail of the chained list */
-            while (gn != NULL)
-	    {
-		tail_gn = &gn->next;  gn = gn->next;
-	    }
+		if (objectID == CRL_DIST_POINTS_FULLNAME)
+		{
+			generalName_t *gn;
+
+			gn = parse_generalNames(object, parser->get_level(parser)+1, TRUE);
+			/* append extracted generalNames to existing chained list */
+			*tail_gn = gn;
+			/* find new tail of the chained list */
+			while (gn != NULL)
+			{
+				tail_gn = &gn->next;  gn = gn->next;
+			}
+		}
 	}
-	objectID++;
-    }
-    return top_gn;
-}
+	parser->destroy(parser);
 
+	return top_gn;
+}
 
-/*
+/**
  *  Parses an X.509v3 certificate
  */
-bool
-parse_x509cert(chunk_t blob, u_int level0, x509cert_t *cert)
+bool parse_x509cert(chunk_t blob, u_int level0, x509cert_t *cert)
 {
-    u_char  buf[BUF_LEN];
-    asn1_ctx_t ctx;
-    bool critical;
-    chunk_t object;
-    u_int level;
-    int objectID = 0;
-    int extn_oid = OID_UNKNOWN;
-
-    asn1_init(&ctx, blob, level0, FALSE, DBG_RAW);
-
-    while (objectID < X509_OBJ_ROOF)
-    {
-	if (!extract_object(certObjects, &objectID, &object, &level, &ctx))
-	     return FALSE;
-
-	/* those objects which will parsed further need the next higher level */
-	level++;
-
-	switch (objectID) {
-	case X509_OBJ_CERTIFICATE:
-	    cert->certificate = object;
-	    break;
-	case X509_OBJ_TBS_CERTIFICATE:
-	    cert->tbsCertificate = object;
-	    break;
-	case X509_OBJ_VERSION:
-	    cert->version = (object.len) ? (1+(u_int)*object.ptr) : 1;
-	    DBG(DBG_PARSING,
-		DBG_log("  v%d", cert->version);
-	    )
-	    break;
-	case X509_OBJ_SERIAL_NUMBER:
-	    cert->serialNumber = object;
-	    break;
-	case X509_OBJ_SIG_ALG:
-	    cert->sigAlg = parse_algorithmIdentifier(object, level, NULL);
-	    break;
-	case X509_OBJ_ISSUER:
-	    cert->issuer = object;
-	    DBG(DBG_PARSING,
-		dntoa(buf, BUF_LEN, object);
-		DBG_log("  '%s'",buf)
-	    )
-	    break;
-	case X509_OBJ_NOT_BEFORE:
-	    cert->notBefore = parse_time(object, level);
-	    break;
-	case X509_OBJ_NOT_AFTER:
-	    cert->notAfter = parse_time(object, level);
-	    break;
-	case X509_OBJ_SUBJECT:
-	    cert->subject = object;
-	    DBG(DBG_PARSING,
-		dntoa(buf, BUF_LEN, object);
-		DBG_log("  '%s'",buf)
-	    )
-	    break;
-	case X509_OBJ_SUBJECT_PUBLIC_KEY_ALGORITHM:
-	    if (parse_algorithmIdentifier(object, level, NULL) == OID_RSA_ENCRYPTION)
-		cert->subjectPublicKeyAlgorithm = PUBKEY_ALG_RSA;
-	    else
-	    {
-		plog("  unsupported public key algorithm");
-		return FALSE;
-	    }
-	    break;
-	case X509_OBJ_SUBJECT_PUBLIC_KEY:
-	    if (ctx.blobs[4].len > 0 && *ctx.blobs[4].ptr == 0x00)
-	    {
-		/* skip initial bit string octet defining 0 unused bits */
-		ctx.blobs[4].ptr++; ctx.blobs[4].len--;
-	    }
-	    else
-	    {
-		plog("  invalid RSA public key format");
-		return FALSE;
-	    }
-	    break;
-	case X509_OBJ_RSA_PUBLIC_KEY:
-	    cert->subjectPublicKey = object;
-	    break;
-	case X509_OBJ_MODULUS:
-	    if (object.len < RSA_MIN_OCTETS + 1)
-	    {
-		plog("  " RSA_MIN_OCTETS_UGH);
-		return FALSE;
-	    }
-	    if (object.len > RSA_MAX_OCTETS + (size_t)(*object.ptr == 0x00))
-	    {
-		plog("  " RSA_MAX_OCTETS_UGH);
-		return FALSE;
-	    }
-	    cert->modulus = object;
-	    break;
-	case X509_OBJ_PUBLIC_EXPONENT:
-	    cert->publicExponent = object;
-	    break;
-	case X509_OBJ_EXTN_ID:
-	    extn_oid = known_oid(object);
-	    break;
-	case X509_OBJ_CRITICAL:
-	    critical = object.len && *object.ptr;
-	    DBG(DBG_PARSING,
-		DBG_log("  %s",(critical)?"TRUE":"FALSE");
-	    )
-	    break;
-	case X509_OBJ_EXTN_VALUE:
-	    {
-		switch (extn_oid) {
-		case OID_SUBJECT_KEY_ID:
-		    cert->subjectKeyID =
-			parse_keyIdentifier(object, level, FALSE);
-		    break;
-		case OID_SUBJECT_ALT_NAME:
-		    cert->subjectAltName =
-			parse_generalNames(object, level, FALSE);
-		    break;
-		case OID_BASIC_CONSTRAINTS:
-		    cert->isCA =
-			parse_basicConstraints(object, level);
-		    break;
-		case OID_CRL_DISTRIBUTION_POINTS:
-		    cert->crlDistributionPoints =
-			parse_crlDistributionPoints(object, level);
-		    break;
-		 case OID_AUTHORITY_KEY_ID:
-		    parse_authorityKeyIdentifier(object, level
-			, &cert->authKeyID, &cert->authKeySerialNumber);
-		    break;
-		case OID_AUTHORITY_INFO_ACCESS:
-		    parse_authorityInfoAccess(object, level, &cert->accessLocation);
-		    break;
-		case OID_EXTENDED_KEY_USAGE:
-		    cert->isOcspSigner = parse_extendedKeyUsage(object, level);
-		    break;
-		case OID_NS_REVOCATION_URL:
-		case OID_NS_CA_REVOCATION_URL:
-		case OID_NS_CA_POLICY_URL:
-		case OID_NS_COMMENT:
-		    if (!parse_asn1_simple_object(&object, ASN1_IA5STRING
-		    , level, oid_names[extn_oid].name))
-		    {
-			return FALSE;
-		    }
-		    break;
+	u_char  buf[BUF_LEN];
+	asn1_parser_t *parser;
+	chunk_t object;
+	int objectID;
+	int extn_oid = OID_UNKNOWN;
+	bool critical;
+	bool success = FALSE;
+
+	parser = asn1_parser_create(certObjects, blob);
+	parser->set_top_level(parser, level0);
+
+	while (parser->iterate(parser, &objectID, &object))
+	{
+		u_int level = parser->get_level(parser) + 1;
+		
+		switch (objectID) {
+		case X509_OBJ_CERTIFICATE:
+			cert->certificate = object;
+			break;
+		case X509_OBJ_TBS_CERTIFICATE:
+			cert->tbsCertificate = object;
+			break;
+		case X509_OBJ_VERSION:
+			cert->version = (object.len) ? (1+(u_int)*object.ptr) : 1;
+			DBG(DBG_PARSING,
+				DBG_log("  v%d", cert->version);
+			)
+			break;
+		case X509_OBJ_SERIAL_NUMBER:
+			cert->serialNumber = object;
+			break;
+		case X509_OBJ_SIG_ALG:
+			cert->sigAlg = asn1_parse_algorithmIdentifier(object, level, NULL);
+			break;
+		case X509_OBJ_ISSUER:
+			cert->issuer = object;
+			DBG(DBG_PARSING,
+				dntoa(buf, BUF_LEN, object);
+				DBG_log("  '%s'",buf)
+			)
+			break;
+		case X509_OBJ_NOT_BEFORE:
+			cert->notBefore = asn1_parse_time(object, level);
+			break;
+		case X509_OBJ_NOT_AFTER:
+			cert->notAfter = asn1_parse_time(object, level);
+			break;
+		case X509_OBJ_SUBJECT:
+			cert->subject = object;
+			DBG(DBG_PARSING,
+				dntoa(buf, BUF_LEN, object);
+				DBG_log("  '%s'",buf)
+			)
+			break;
+		case X509_OBJ_SUBJECT_PUBLIC_KEY_INFO:
+			cert->public_key = lib->creds->create(lib->creds, CRED_PUBLIC_KEY,
+						KEY_ANY, BUILD_BLOB_ASN1_DER, object, BUILD_END);
+			if (cert->public_key == NULL)
+			{
+				goto end;
+			}
+			break;
+		case X509_OBJ_EXTN_ID:
+			extn_oid = asn1_known_oid(object);
+			break;
+		case X509_OBJ_CRITICAL:
+			critical = object.len && *object.ptr;
+			DBG(DBG_PARSING,
+				DBG_log("  %s",(critical)?"TRUE":"FALSE");
+			)
+			break;
+		case X509_OBJ_EXTN_VALUE:
+			{
+				switch (extn_oid) {
+				case OID_SUBJECT_KEY_ID:
+					if (!asn1_parse_simple_object(&object, ASN1_OCTET_STRING,
+												  level, "keyIdentifier"))
+					{
+						goto end;
+					}
+					cert->subjectKeyID = object;
+					break;
+				case OID_SUBJECT_ALT_NAME:
+					cert->subjectAltName =
+						parse_generalNames(object, level, FALSE);
+					break;
+				case OID_BASIC_CONSTRAINTS:
+					cert->isCA =
+						parse_basicConstraints(object, level);
+					break;
+				case OID_CRL_DISTRIBUTION_POINTS:
+					cert->crlDistributionPoints =
+						parse_crlDistributionPoints(object, level);
+					break;
+				 case OID_AUTHORITY_KEY_ID:
+					parse_authorityKeyIdentifier(object, level
+						, &cert->authKeyID, &cert->authKeySerialNumber);
+					break;
+				case OID_AUTHORITY_INFO_ACCESS:
+					parse_authorityInfoAccess(object, level, &cert->accessLocation);
+					break;
+				case OID_EXTENDED_KEY_USAGE:
+					cert->isOcspSigner = parse_extendedKeyUsage(object, level);
+					break;
+				case OID_NS_REVOCATION_URL:
+				case OID_NS_CA_REVOCATION_URL:
+				case OID_NS_CA_POLICY_URL:
+				case OID_NS_COMMENT:
+					if (!asn1_parse_simple_object(&object, ASN1_IA5STRING
+					, level, oid_names[extn_oid].name))
+					{
+						goto end;
+					}
+					break;
+				default:
+					break;
+				}
+			}
+			break;
+		case X509_OBJ_ALGORITHM:
+			cert->algorithm = asn1_parse_algorithmIdentifier(object, level, NULL);
+			break;
+		case X509_OBJ_SIGNATURE:
+			cert->signature = object;
+			break;
 		default:
-		    break;
+			break;
 		}
-	    }
-	    break;
-	case X509_OBJ_ALGORITHM:
-	    cert->algorithm = parse_algorithmIdentifier(object, level, NULL);
-	    break;
-	case X509_OBJ_SIGNATURE:
-	    cert->signature = object;
-	    break;
-	default:
-	    break;
 	}
-	objectID++;
-    }
-    time(&cert->installed);
-    return TRUE;
+	success = parser->success(parser);
+	time(&cert->installed);
+
+end:
+	parser->destroy(parser);
+	return success;
 }
 
-/* verify the validity of a certificate by
+/**
+ * Verify the validity of a certificate by
  * checking the notBefore and notAfter dates
  */
-err_t
-check_validity(const x509cert_t *cert, time_t *until)
+err_t check_validity(const x509cert_t *cert, time_t *until)
 {
-    time_t current_time;
-
-    time(&current_time);
-    DBG(DBG_CONTROL | DBG_PARSING ,
-	DBG_log("  not before  : %s", timetoa(&cert->notBefore, TRUE));
-	DBG_log("  current time: %s", timetoa(&current_time, TRUE));
-	DBG_log("  not after   : %s", timetoa(&cert->notAfter, TRUE));
-    )
+	time_t current_time;
 
-    if (cert->notAfter < *until) *until = cert->notAfter;
+	time(&current_time);
+	DBG(DBG_CONTROL | DBG_PARSING ,
+		DBG_log("  not before  : %T", &cert->notBefore, TRUE);
+		DBG_log("  current time: %T", &current_time, TRUE);
+		DBG_log("  not after   : %T", &cert->notAfter, TRUE);
+	)
 
-    if (current_time < cert->notBefore)
-	return "certificate is not valid yet";
-    if (current_time > cert->notAfter)
-	return "certificate has expired";
-    else
-	return NULL;
+	if (cert->notAfter < *until)
+	{
+		*until = cert->notAfter;
+	}
+	if (current_time < cert->notBefore)
+	{
+		return "certificate is not valid yet";
+	}
+	if (current_time > cert->notAfter)
+	{
+		return "certificate has expired";
+	}
+	else
+	{
+		return NULL;
+	}
 }
 
-/*
- *  verifies a X.509 certificate
+/**
+ * Verifies a X.509 certificate
  */
-bool
-verify_x509cert(const x509cert_t *cert, bool strict, time_t *until)
+bool verify_x509cert(const x509cert_t *cert, bool strict, time_t *until)
 {
-    int pathlen;
-
-    *until = cert->notAfter;
+	int pathlen;
 
-    for (pathlen = 0; pathlen < MAX_CA_PATH_LEN; pathlen++)
-    {
-	x509cert_t *issuer_cert;
-	u_char buf[BUF_LEN];
-	err_t ugh = NULL;
+	*until = cert->notAfter;
 
-	DBG(DBG_CONTROL,
-	    dntoa(buf, BUF_LEN, cert->subject);
-	    DBG_log("subject: '%s'",buf);
-	    dntoa(buf, BUF_LEN, cert->issuer);
-	    DBG_log("issuer:  '%s'",buf);
-	    if (cert->authKeyID.ptr != NULL)
-	    {
-		datatot(cert->authKeyID.ptr, cert->authKeyID.len, ':'
-		    , buf, BUF_LEN);
-		DBG_log("authkey:  %s", buf);
-	    }
-	)
+	for (pathlen = 0; pathlen < MAX_CA_PATH_LEN; pathlen++)
+	{
+		x509cert_t *issuer_cert;
+		u_char buf[BUF_LEN];
+		err_t ugh = NULL;
 
-	ugh = check_validity(cert, until);
+		DBG(DBG_CONTROL,
+			dntoa(buf, BUF_LEN, cert->subject);
+			DBG_log("subject: '%s'",buf);
+			dntoa(buf, BUF_LEN, cert->issuer);
+			DBG_log("issuer:  '%s'",buf);
+			if (cert->authKeyID.ptr != NULL)
+			{
+				datatot(cert->authKeyID.ptr, cert->authKeyID.len, ':'
+					, buf, BUF_LEN);
+				DBG_log("authkey:  %s", buf);
+			}
+		)
 
-	if (ugh != NULL)
-	{
-	    plog("%s", ugh);
-	    return FALSE;
-	}
+		ugh = check_validity(cert, until);
 
-	DBG(DBG_CONTROL,
-	    DBG_log("certificate is valid")
-	)
+		if (ugh != NULL)
+		{
+			plog("%s", ugh);
+			return FALSE;
+		}
 
-	lock_authcert_list("verify_x509cert");
-	issuer_cert = get_authcert(cert->issuer, cert->authKeySerialNumber
-	    , cert->authKeyID, AUTH_CA);
+		DBG(DBG_CONTROL,
+			DBG_log("certificate is valid")
+		)
 
-	if (issuer_cert == NULL)
-	{
-	    plog("issuer cacert not found");
-	    unlock_authcert_list("verify_x509cert");
-	    return FALSE;
-	}
-	DBG(DBG_CONTROL,
-	    DBG_log("issuer cacert found")
-	)
+		lock_authcert_list("verify_x509cert");
+		issuer_cert = get_authcert(cert->issuer, cert->authKeySerialNumber
+			, cert->authKeyID, AUTH_CA);
 
-	if (!check_signature(cert->tbsCertificate, cert->signature
-			   , cert->algorithm, cert->algorithm, issuer_cert))
-	{
-	    plog("certificate signature is invalid");
-	    unlock_authcert_list("verify_x509cert");
-	    return FALSE;
-	}
-	DBG(DBG_CONTROL,
-	    DBG_log("certificate signature is valid")
-	)
-	unlock_authcert_list("verify_x509cert");
+		if (issuer_cert == NULL)
+		{
+			plog("issuer cacert not found");
+			unlock_authcert_list("verify_x509cert");
+			return FALSE;
+		}
+		DBG(DBG_CONTROL,
+			DBG_log("issuer cacert found")
+		)
 
-	/* check if cert is a self-signed root ca */
-	if (pathlen > 0 && same_dn(cert->issuer, cert->subject))
-	{
-	    DBG(DBG_CONTROL,
-		DBG_log("reached self-signed root ca")
-	    )
-	    return TRUE;
-	}
-	else
-	{
-	    time_t nextUpdate = *until;
-	    time_t revocationDate = UNDEFINED_TIME;
-	    crl_reason_t revocationReason = REASON_UNSPECIFIED;
-
-	    /* first check certificate revocation using ocsp */
-	    cert_status_t status = verify_by_ocsp(cert, &nextUpdate
-		, &revocationDate, &revocationReason);
-
-	    /* if ocsp service is not available then fall back to crl */
-	    if ((status == CERT_UNDEFINED)
-	    ||  (status == CERT_UNKNOWN && strict))
-	    {
-		status = verify_by_crl(cert, &nextUpdate, &revocationDate
-		    , &revocationReason);
-	    }
- 
-	    switch (status)
-	    {
-	    case CERT_GOOD:
-		/* if status information is stale */
-		if (strict && nextUpdate < time(NULL))
+		if (!x509_check_signature(cert->tbsCertificate, cert->signature,
+								  cert->algorithm, issuer_cert))
 		{
-		    DBG(DBG_CONTROL,
-			DBG_log("certificate is good but status is stale")
-		    )
-		    remove_x509_public_key(cert);
-		    return FALSE;
+			plog("certificate signature is invalid");
+			unlock_authcert_list("verify_x509cert");
+			return FALSE;
 		}
 		DBG(DBG_CONTROL,
-		    DBG_log("certificate is good")
+			DBG_log("certificate signature is valid")
 		)
-		
-		/* with strict crl policy the public key must have the same
-		 * lifetime as the validity of the ocsp status or crl lifetime
-		 */
-		if (strict && nextUpdate < *until)
-		    *until = nextUpdate;
-		break;
-	    case CERT_REVOKED:
-		plog("certificate was revoked on %s, reason: %s"
-		    , timetoa(&revocationDate, TRUE)
-		    , enum_name(&crl_reason_names, revocationReason));
-		remove_x509_public_key(cert);
-		return FALSE;
-	    case CERT_UNKNOWN:
-	    case CERT_UNDEFINED:
-	    default:
-		plog("certificate status unknown");
-		if (strict)
+		unlock_authcert_list("verify_x509cert");
+
+		/* check if cert is a self-signed root ca */
+		if (pathlen > 0 && same_dn(cert->issuer, cert->subject))
 		{
-		    remove_x509_public_key(cert);
-		    return FALSE;
+			DBG(DBG_CONTROL,
+				DBG_log("reached self-signed root ca")
+			)
+			return TRUE;
 		}
-		break;
-	    }
-	}
+		else
+		{
+			time_t nextUpdate = *until;
+			time_t revocationDate = UNDEFINED_TIME;
+			crl_reason_t revocationReason = REASON_UNSPECIFIED;
 
-	/* go up one step in the trust chain */
-	cert = issuer_cert;
-    }
-    plog("maximum ca path length of %d levels exceeded", MAX_CA_PATH_LEN);
-    return FALSE;
+			/* first check certificate revocation using ocsp */
+			cert_status_t status = verify_by_ocsp(cert, &nextUpdate
+				, &revocationDate, &revocationReason);
+
+			/* if ocsp service is not available then fall back to crl */
+			if ((status == CERT_UNDEFINED)
+			||  (status == CERT_UNKNOWN && strict))
+			{
+				status = verify_by_crl(cert, &nextUpdate, &revocationDate
+					, &revocationReason);
+			}
+
+			switch (status)
+			{
+			case CERT_GOOD:
+				/* if status information is stale */
+				if (strict && nextUpdate < time(NULL))
+				{
+					DBG(DBG_CONTROL,
+						DBG_log("certificate is good but status is stale")
+					)
+					remove_x509_public_key(cert);
+					return FALSE;
+				}
+				DBG(DBG_CONTROL,
+					DBG_log("certificate is good")
+				)
+				
+				/* with strict crl policy the public key must have the same
+				 * lifetime as the validity of the ocsp status or crl lifetime
+				 */
+				if (strict && nextUpdate < *until)
+				{
+					*until = nextUpdate;
+				}
+				break;
+			case CERT_REVOKED:
+				plog("certificate was revoked on %T, reason: %N"
+					, &revocationDate, TRUE
+					, crl_reason_names, revocationReason);
+				remove_x509_public_key(cert);
+				return FALSE;
+			case CERT_UNKNOWN:
+			case CERT_UNDEFINED:
+			default:
+				plog("certificate status unknown");
+				if (strict)
+				{
+					remove_x509_public_key(cert);
+					return FALSE;
+				}
+				break;
+			}
+		}
+
+		/* go up one step in the trust chain */
+		cert = issuer_cert;
+	}
+	plog("maximum ca path length of %d levels exceeded", MAX_CA_PATH_LEN);
+	return FALSE;
 }
 
-/*
- *  list all X.509 certs in a chained list
+/**
+ * List all X.509 certs in a chained list
  */
-void
-list_x509cert_chain(const char *caption, x509cert_t* cert, u_char auth_flags
- , bool utc)
+void list_x509cert_chain(const char *caption, x509cert_t* cert,
+						 u_char auth_flags, bool utc)
 {
-    bool first = TRUE;
-    time_t now;
+	bool first = TRUE;
+	time_t now;
 
-    /* determine the current time */
-    time(&now);
+	/* determine the current time */
+	time(&now);
 
-    while (cert != NULL)
-    {
-	if (auth_flags == AUTH_NONE || (auth_flags & cert->authority_flags))
+	while (cert != NULL)
 	{
-	    unsigned keysize;
-	    char keyid[KEYID_BUF];
-	    u_char buf[BUF_LEN];
-	    cert_t c;
-
-	    c.type = CERT_X509_SIGNATURE;
-	    c.u.x509 = cert;
-
-	    if (first)
-	    {
-		whack_log(RC_COMMENT, " ");
-		whack_log(RC_COMMENT, "List of X.509 %s Certificates:", caption);
-		whack_log(RC_COMMENT, " ");
-		first = FALSE;
-	    }
-
-	    whack_log(RC_COMMENT, "%s, count: %d", timetoa(&cert->installed, utc),
-		cert->count);
-	    dntoa(buf, BUF_LEN, cert->subject);
-	    whack_log(RC_COMMENT, "       subject:  '%s'", buf);
-	    dntoa(buf, BUF_LEN, cert->issuer);
-	    whack_log(RC_COMMENT, "       issuer:   '%s'", buf);
-	    datatot(cert->serialNumber.ptr, cert->serialNumber.len, ':'
-		, buf, BUF_LEN);
-	    whack_log(RC_COMMENT, "       serial:    %s", buf);
-	    form_keyid(cert->publicExponent, cert->modulus, keyid, &keysize);
-	    whack_log(RC_COMMENT, "       pubkey:    %4d RSA Key %s%s"
-		, 8*keysize, keyid
-		, cert->smartcard ? ", on smartcard" :
-		(has_private_key(c)? ", has private key" : ""));
-	    whack_log(RC_COMMENT, "       validity:  not before %s %s",
-		timetoa(&cert->notBefore, utc),
-		(cert->notBefore < now)?"ok":"fatal (not valid yet)");
-	    whack_log(RC_COMMENT, "                  not after  %s %s",
-		timetoa(&cert->notAfter, utc),
-		check_expiry(cert->notAfter, CA_CERT_WARNING_INTERVAL, TRUE));
-	    if (cert->subjectKeyID.ptr != NULL)
-	    {
-		datatot(cert->subjectKeyID.ptr, cert->subjectKeyID.len, ':'
-		    , buf, BUF_LEN);
-		whack_log(RC_COMMENT, "       subjkey:   %s", buf);
-	    }
-	    if (cert->authKeyID.ptr != NULL)
-	    {
-		datatot(cert->authKeyID.ptr, cert->authKeyID.len, ':'
-		    , buf, BUF_LEN);
-		whack_log(RC_COMMENT, "       authkey:   %s", buf);
-	    }
-	    if (cert->authKeySerialNumber.ptr != NULL)
-	    {
-		datatot(cert->authKeySerialNumber.ptr, cert->authKeySerialNumber.len
-		    , ':', buf, BUF_LEN);
-		whack_log(RC_COMMENT, "       aserial:   %s", buf);
-	    }
+		if (auth_flags == AUTH_NONE || (auth_flags & cert->authority_flags))
+		{
+			u_char buf[BUF_LEN];
+			public_key_t *key = cert->public_key;
+			cert_t c;
+
+			c.type = CERT_X509_SIGNATURE;
+			c.u.x509 = cert;
+
+			if (first)
+			{
+				whack_log(RC_COMMENT, " ");
+				whack_log(RC_COMMENT, "List of X.509 %s Certificates:", caption);
+				whack_log(RC_COMMENT, " ");
+				first = FALSE;
+			}
+
+			whack_log(RC_COMMENT, "%T, count: %d", &cert->installed, utc,
+				cert->count);
+			dntoa(buf, BUF_LEN, cert->subject);
+			whack_log(RC_COMMENT, "       subject:  '%s'", buf);
+			dntoa(buf, BUF_LEN, cert->issuer);
+			whack_log(RC_COMMENT, "       issuer:   '%s'", buf);
+			datatot(cert->serialNumber.ptr, cert->serialNumber.len, ':',
+				 buf, BUF_LEN);
+			whack_log(RC_COMMENT, "       serial:    %s", buf);
+			whack_log(RC_COMMENT, "       validity:  not before %T %s",
+				&cert->notBefore, utc,
+				(cert->notBefore < now)?"ok":"fatal (not valid yet)");
+			whack_log(RC_COMMENT, "                  not after  %T %s",
+				&cert->notAfter, utc,
+				check_expiry(cert->notAfter, CA_CERT_WARNING_INTERVAL, TRUE));
+			whack_log(RC_COMMENT, "       pubkey:    %N %4d bits%s",
+				key_type_names, key->get_type(key),
+				key->get_keysize(key) * BITS_PER_BYTE,				
+				cert->smartcard ? ", on smartcard" :
+				(has_private_key(c)? ", has private key" : ""));
+			whack_log(RC_COMMENT, "       keyid:     %Y",
+				key->get_id(key, ID_PUBKEY_INFO_SHA1));
+			if (cert->subjectKeyID.ptr != NULL)
+			{
+				datatot(cert->subjectKeyID.ptr, cert->subjectKeyID.len, ':',
+						buf, BUF_LEN);
+				whack_log(RC_COMMENT, "       subjkey:   %s", buf);
+			}
+			if (cert->authKeyID.ptr != NULL)
+			{
+				datatot(cert->authKeyID.ptr, cert->authKeyID.len, ':',
+						buf, BUF_LEN);
+				whack_log(RC_COMMENT, "       authkey:   %s", buf);
+			}
+			if (cert->authKeySerialNumber.ptr != NULL)
+			{
+				datatot(cert->authKeySerialNumber.ptr,
+						cert->authKeySerialNumber.len, ':', buf, BUF_LEN);
+				whack_log(RC_COMMENT, "       aserial:   %s", buf);
+			}
+		}
+		cert = cert->next;
 	}
-	cert = cert->next;
-    }
 }
 
-/*
- *  list all X.509 end certificates in a chained list
+/**
+ * List all X.509 end certificates in a chained list
  */
-void
-list_x509_end_certs(bool utc)
+void list_x509_end_certs(bool utc)
 {
-    list_x509cert_chain("End", x509certs, AUTH_NONE, utc);
+	list_x509cert_chain("End", x509certs, AUTH_NONE, utc);
 }
diff --git a/src/pluto/x509.h b/src/pluto/x509.h
index 67730bbd0..ab0fbac9e 100644
--- a/src/pluto/x509.h
+++ b/src/pluto/x509.h
@@ -2,7 +2,7 @@
  * Copyright (C) 2000 Andreas Hess, Patric Lichtsteiner, Roger Wegmann
  * Copyright (C) 2001 Marco Bertossa, Andreas Schleiss
  * Copyright (C) 2002 Mario Strasser
- * Copyright (C) 2000-2004 Andreas Steffen, Zuercher Hochschule Winterthur
+ * Copyright (C) 2000-2009 Andreas Steffen, Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -13,28 +13,29 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: x509.h 3252 2007-10-06 21:24:50Z andreas $
  */
 
 #ifndef _X509_H
 #define _X509_H
 
-#include "pkcs1.h"
+#include <credentials/keys/public_key.h>
+#include <credentials/keys/private_key.h>
+
+#include "constants.h"
 #include "id.h"
 
 /* Definition of generalNames kinds */
 
 typedef enum {
-    GN_OTHER_NAME =		0,
-    GN_RFC822_NAME =		1,
-    GN_DNS_NAME =		2,
-    GN_X400_ADDRESS =		3,
-    GN_DIRECTORY_NAME =		4,
-    GN_EDI_PARTY_NAME = 	5,
-    GN_URI =			6,
-    GN_IP_ADDRESS =		7,
-    GN_REGISTERED_ID =		8
+	GN_OTHER_NAME =             0,
+	GN_RFC822_NAME =            1,
+	GN_DNS_NAME =               2,
+	GN_X400_ADDRESS =           3,
+	GN_DIRECTORY_NAME =         4,
+	GN_EDI_PARTY_NAME =         5,
+	GN_URI =                    6,
+	GN_IP_ADDRESS =             7,
+	GN_REGISTERED_ID =          8
 } generalNames_t;
 
 /* access structure for a GeneralName */
@@ -42,9 +43,9 @@ typedef enum {
 typedef struct generalName generalName_t;
 
 struct generalName {
-    generalName_t   *next;
-    generalNames_t  kind;
-    chunk_t         name;
+	generalName_t   *next;
+	generalNames_t  kind;
+	chunk_t         name;
 };
 
 /* access structure for an X.509v3 certificate */
@@ -52,46 +53,42 @@ struct generalName {
 typedef struct x509cert x509cert_t;
 
 struct x509cert {
-  x509cert_t     *next;
-  time_t	 installed;
-  int		 count;
-  bool		 smartcard;
-  u_char	 authority_flags;
-  chunk_t	 certificate;
-  chunk_t          tbsCertificate;
-  u_int              version;
-  chunk_t            serialNumber;
-                /*   signature */
-  int                  sigAlg;
-  chunk_t            issuer;
-                /*   validity */
-  time_t               notBefore;
-  time_t               notAfter;
-  chunk_t            subject;
-                /*   subjectPublicKeyInfo */
-  enum pubkey_alg      subjectPublicKeyAlgorithm;
-  chunk_t              subjectPublicKey;
-  chunk_t                modulus;
-  chunk_t                publicExponent;
-                /*   issuerUniqueID */
-                /*   subjectUniqueID */
-                /*   v3 extensions */
-                /*   extension */
-                /*     extension */
-                /*       extnID */
-                /*       critical */
-                /*       extnValue */
-  bool			   isCA;
-  bool			   isOcspSigner; /* ocsp */
-  chunk_t		   subjectKeyID;
-  chunk_t		   authKeyID;
-  chunk_t		   authKeySerialNumber;
-  chunk_t		   accessLocation; /* ocsp */
-  generalName_t		   *subjectAltName;
-  generalName_t		   *crlDistributionPoints;
-		/* signatureAlgorithm */
-  int                algorithm;
-  chunk_t          signature;
+	x509cert_t     *next;
+	time_t         installed;
+	int            count;
+	bool           smartcard;
+	u_char         authority_flags;
+	chunk_t        certificate;
+	chunk_t          tbsCertificate;
+	u_int              version;
+	chunk_t            serialNumber;
+				  /*   signature */
+	int                  sigAlg;
+  	chunk_t            issuer;
+				  /*   validity */
+	time_t               notBefore;
+	time_t               notAfter;
+	chunk_t            subject;
+	public_key_t       *public_key;  
+				  /*   issuerUniqueID */
+				  /*   subjectUniqueID */
+				  /*   v3 extensions */
+				  /*   extension */
+				  /*     extension */
+				  /*       extnID */
+				  /*       critical */
+				  /*       extnValue */
+	bool                     isCA;
+	bool                     isOcspSigner; /* ocsp */
+	chunk_t                  subjectKeyID;
+	chunk_t                  authKeyID;
+	chunk_t                  authKeySerialNumber;
+	chunk_t                  accessLocation; /* ocsp */
+	generalName_t            *subjectAltName;
+	generalName_t            *crlDistributionPoints;
+				  /* signatureAlgorithm */
+	int                algorithm;
+	chunk_t          signature;
 };
 
 /* used for initialization */
@@ -105,33 +102,37 @@ extern bool same_x509cert(const x509cert_t *a, const x509cert_t *b);
 extern void hex_str(chunk_t bin, chunk_t *str);
 extern int dn_count_wildcards(chunk_t dn);
 extern int dntoa(char *dst, size_t dstlen, chunk_t dn);
-extern int dntoa_or_null(char *dst, size_t dstlen, chunk_t dn
-    , const char* null_dn);
+extern int dntoa_or_null(char *dst, size_t dstlen, chunk_t dn,
+						 const char* null_dn);
 extern err_t atodn(char *src, chunk_t *dn);
 extern void gntoid(struct id *id, const generalName_t *gn);
-extern void compute_subjectKeyID(x509cert_t *cert, chunk_t subjectKeyID);
+extern bool compute_subjectKeyID(x509cert_t *cert, chunk_t subjectKeyID);
 extern void select_x509cert_id(x509cert_t *cert, struct id *end_id);
 extern bool parse_x509cert(chunk_t blob, u_int level0, x509cert_t *cert);
 extern time_t parse_time(chunk_t blob, int level0);
 extern void parse_authorityKeyIdentifier(chunk_t blob, int level0
-    , chunk_t *authKeyID, chunk_t *authKeySerialNumber);
+	, chunk_t *authKeyID, chunk_t *authKeySerialNumber);
 extern chunk_t get_directoryName(chunk_t blob, int level, bool implicit);
 extern err_t check_validity(const x509cert_t *cert, time_t *until);
-extern bool check_signature(chunk_t tbs, chunk_t sig, int digest_alg
-    , int enc_alg, const x509cert_t *issuer_cert);
+
+extern bool x509_check_signature(chunk_t tbs, chunk_t sig, int algorithm,
+								 const x509cert_t *issuer_cert);
+extern chunk_t x509_build_signature(chunk_t tbs, int algorithm,
+									private_key_t *key, bool bit_string);
+
 extern bool verify_x509cert(const x509cert_t *cert, bool strict, time_t *until);
 extern x509cert_t* add_x509cert(x509cert_t *cert);
-extern x509cert_t* get_x509cert(chunk_t issuer, chunk_t serial, chunk_t keyid
-    , x509cert_t* chain);
-extern void build_x509cert(x509cert_t *cert, const RSA_public_key_t *cert_key
-    , const RSA_private_key_t *signer_key);
+extern x509cert_t* get_x509cert(chunk_t issuer, chunk_t serial, chunk_t keyid,
+								x509cert_t* chain);
+extern void build_x509cert(x509cert_t *cert, public_key_t *cert_key,
+						   private_key_t *signer_key);
 extern chunk_t build_subjectAltNames(generalName_t *subjectAltNames);
 extern void share_x509cert(x509cert_t *cert);
 extern void release_x509cert(x509cert_t *cert);
 extern void free_x509cert(x509cert_t *cert);
 extern void store_x509certs(x509cert_t **firstcert, bool strict);
-extern void list_x509cert_chain(const char *caption, x509cert_t* cert
-    , u_char auth_flags, bool utc);
+extern void list_x509cert_chain(const char *caption, x509cert_t* cert,
+								u_char auth_flags, bool utc);
 extern void list_x509_end_certs(bool utc);
 extern void free_generalNames(generalName_t* gn, bool free_name);
 
diff --git a/src/pluto/xauth.c b/src/pluto/xauth.c
index 8f4dc2460..af2d72d71 100644
--- a/src/pluto/xauth.c
+++ b/src/pluto/xauth.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: xauth.c 3738 2008-04-02 19:04:45Z andreas $
  */
 
 #include <dlfcn.h>
@@ -29,51 +27,51 @@ void
 xauth_init(void)
 {
 #ifdef XAUTH_DEFAULT_LIB
-    xauth_module.handle = dlopen(XAUTH_DEFAULT_LIB, RTLD_NOW);
+	xauth_module.handle = dlopen(XAUTH_DEFAULT_LIB, RTLD_NOW);
 
-    if (xauth_module.handle != NULL)
-    {
-	DBG(DBG_CONTROL,
-	    DBG_log("xauth module '%s' loading'", XAUTH_DEFAULT_LIB)
-	)
-	xauth_module.get_secret = (bool (*) (const xauth_t*))
-			dlsym(xauth_module.handle, "get_secret");
-	DBG(DBG_CONTROL,
-	    if (xauth_module.get_secret != NULL)
-	    {
-		DBG_log("xauth module: found get_secret() function");
-	    }
-	)
-	xauth_module.verify_secret = (bool (*) (const xauth_peer_t*, const xauth_t*))
-			dlsym(xauth_module.handle, "verify_secret");
-	DBG(DBG_CONTROL,
-	    if (xauth_module.verify_secret != NULL)
-	    {
-		DBG_log("xauth module: found verify_secret() function");
-	    }
-	)
-    }
+	if (xauth_module.handle != NULL)
+	{
+		DBG(DBG_CONTROL,
+			DBG_log("xauth module '%s' loading'", XAUTH_DEFAULT_LIB)
+		)
+		xauth_module.get_secret = (bool (*) (const xauth_t*))
+						dlsym(xauth_module.handle, "get_secret");
+		DBG(DBG_CONTROL,
+			if (xauth_module.get_secret != NULL)
+			{
+				DBG_log("xauth module: found get_secret() function");
+			}
+		)
+		xauth_module.verify_secret = (bool (*) (const xauth_peer_t*, const xauth_t*))
+						dlsym(xauth_module.handle, "verify_secret");
+		DBG(DBG_CONTROL,
+			if (xauth_module.verify_secret != NULL)
+			{
+				DBG_log("xauth module: found verify_secret() function");
+			}
+		)
+	}
 #endif
-    /* any null function pointers will be filled in by default functions */
-    xauth_defaults();
+	/* any null function pointers will be filled in by default functions */
+	xauth_defaults();
 }
 
 void
 xauth_finalize(void)
 {
 #ifdef XAUTH_DEFAULT_LIB
-    if (xauth_module.handle != NULL)
-    {
-	if (dlclose(xauth_module.handle))
-	{
-	    plog("failed to unload xauth module");
-	}
-	else
+	if (xauth_module.handle != NULL)
 	{
-	    DBG(DBG_CONTROL,
-		DBG_log("xauth module unloaded")
-	    )
+		if (dlclose(xauth_module.handle))
+		{
+			plog("failed to unload xauth module");
+		}
+		else
+		{
+			DBG(DBG_CONTROL,
+				DBG_log("xauth module unloaded")
+			)
+		}
 	}
-    }
 #endif
 }
diff --git a/src/pluto/xauth.h b/src/pluto/xauth.h
index fd7e5399f..8ab125ac4 100644
--- a/src/pluto/xauth.h
+++ b/src/pluto/xauth.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: xauth.h 3738 2008-04-02 19:04:45Z andreas $
  */
 
 #ifndef _XAUTH_H
@@ -26,20 +24,20 @@
 struct chunk_t;
 
 typedef struct {
-    char *conn_name;
-    char id[BUF_LEN];
-    char ip_address[ADDRTOT_BUF];
+	char *conn_name;
+	char id[BUF_LEN];
+	char ip_address[ADDRTOT_BUF];
 } xauth_peer_t;
 
 typedef struct {
-    chunk_t user_name;
-    chunk_t user_password;
+	chunk_t user_name;
+	chunk_t user_password;
 } xauth_t;
 
 typedef struct {
-    void *handle;
-    bool (*get_secret) (xauth_t *xauth_secret);
-    bool (*verify_secret) (const xauth_peer_t *peer, const xauth_t *xauth_secret);
+	void *handle;
+	bool (*get_secret) (xauth_t *xauth_secret);
+	bool (*verify_secret) (const xauth_peer_t *peer, const xauth_t *xauth_secret);
 } xauth_module_t;
 
 extern xauth_module_t xauth_module;
diff --git a/src/scepclient/Makefile.am b/src/scepclient/Makefile.am
index 86220d71b..20bf76065 100644
--- a/src/scepclient/Makefile.am
+++ b/src/scepclient/Makefile.am
@@ -1,5 +1,5 @@
 ipsec_PROGRAMS = scepclient
-scepclient_SOURCES = scepclient.c rsakey.c rsakey.h pkcs10.c pkcs10.h scep.c scep.h loglite.c 
+scepclient_SOURCES = scepclient.c pkcs10.c pkcs10.h scep.c scep.h loglite.c 
 
 PLUTODIR=$(top_srcdir)/src/pluto
 OPENACDIR=$(top_srcdir)/src/openac
@@ -15,34 +15,30 @@ INCLUDES = \
 -I$(LIBCRYPTODIR) \
 -I$(WHACKDIR)
 
-AM_CFLAGS = -DDEBUG -DNO_PLUTO -DIPSEC_CONFDIR=\"${confdir}\"
+AM_CFLAGS = \
+-DIPSEC_CONFDIR=\"${confdir}\" \
+-DIPSEC_PLUGINDIR=\"${plugindir}\" \
+-DPLUGINS=\""${pluto_plugins}\"" \
+-DSTRONGSWAN_CONF=\"${strongswan_conf}\" \
+-DDEBUG -DNO_PLUTO
 
+LIBSTRONGSWANBUILDDIR=$(top_builddir)/src/libstrongswan
 LIBFREESWANBUILDDIR=$(top_builddir)/src/libfreeswan
-LIBCRYPTOBUILDDIR=$(top_builddir)/src/libcrypto
 
-scepclient_LDADD = asn1.o ca.o crl.o certs.o constants.o defs.o fetch.o id.o \
-                   keys.o lex.o md2.o md5.o mp_defs.o ocsp.o oid.o pem.o pgp.o \
-                   pkcs1.o pkcs7.o rnd.o sha1.o smartcard.o x509.o \
-                   $(LIBFREESWANBUILDDIR)/libfreeswan.a $(LIBCRYPTOBUILDDIR)/libcrypto.a \
-                   -lgmp
+scepclient_LDADD = \
+ca.o crl.o certs.o constants.o defs.o fetch.o id.o keys.o lex.o \
+ocsp.o pem.o pgpcert.o pkcs7.o smartcard.o x509.o \
+$(LIBSTRONGSWANBUILDDIR)/libstrongswan.la \
+$(LIBFREESWANBUILDDIR)/libfreeswan.a
 
 # This compile option activates smartcard support
 if USE_SMARTCARD
   AM_CFLAGS += -DSMARTCARD
-  scepclient_LDADD += -ldl
-endif
-
-# This compile option activates dynamic URL fetching using libcurl
-if USE_CURL
-  AM_CFLAGS += -DLIBCURL
-  scepclient_LDADD += -lcurl
+  scepclient_LDADD += $(DLLIB)
 endif
 
 dist_man_MANS = scepclient.8
 
-asn1.o :	$(PLUTODIR)/asn1.c $(PLUTODIR)/asn1.h
-		$(COMPILE) $(INCLUDES) -c -o $@ $<
-
 ca.o :		$(PLUTODIR)/ca.c $(PLUTODIR)/ca.h
 		$(COMPILE) $(INCLUDES) -c -o $@ $<
 
@@ -58,9 +54,6 @@ crl.o : 	$(PLUTODIR)/crl.c $(PLUTODIR)/crl.h
 defs.o : 	$(PLUTODIR)/defs.c $(PLUTODIR)/defs.h
 		$(COMPILE) $(INCLUDES) -c -o $@ $<
 
-mp_defs.o :	$(PLUTODIR)/mp_defs.c $(PLUTODIR)/mp_defs.h
-		$(COMPILE) $(INCLUDES) -c -o $@ $<
-
 fetch.o : 	$(PLUTODIR)/fetch.c $(PLUTODIR)/fetch.h
 		$(COMPILE) $(INCLUDES) -c -o $@ $<
 
@@ -73,36 +66,18 @@ keys.o :	$(PLUTODIR)/keys.c $(PLUTODIR)/keys.h
 lex.o :		$(PLUTODIR)/lex.c $(PLUTODIR)/lex.h
 		$(COMPILE) $(INCLUDES) -c -o $@ $<
 
-md2.o :		$(PLUTODIR)/md2.c $(PLUTODIR)/md2.h
-		$(COMPILE) $(INCLUDES) -c -o $@ $<
-
-md5.o :		$(PLUTODIR)/md5.c $(PLUTODIR)/md5.h
-		$(COMPILE) $(INCLUDES) -c -o $@ $<
-
 ocsp.o :	$(PLUTODIR)/ocsp.c $(PLUTODIR)/ocsp.h
 		$(COMPILE) $(INCLUDES) -c -o $@ $<
 
-oid.o :		$(LIBSTRONGSWANDIR)/asn1/oid.c $(LIBSTRONGSWANDIR)/asn1/oid.h
-		$(COMPILE) -c -o $@ $<
-
 pem.o :		$(PLUTODIR)/pem.c $(PLUTODIR)/pem.h
 		$(COMPILE) $(INCLUDES) -c -o $@ $<
 
-pgp.o :		$(PLUTODIR)/pgp.c $(PLUTODIR)/pgp.h
-		$(COMPILE) $(INCLUDES) -c -o $@ $<
-
-pkcs1.o :	$(PLUTODIR)/pkcs1.c $(PLUTODIR)/pkcs1.h
+pgpcert.o :		$(PLUTODIR)/pgpcert.c $(PLUTODIR)/pgpcert.h
 		$(COMPILE) $(INCLUDES) -c -o $@ $<
 
 pkcs7.o :	$(PLUTODIR)/pkcs7.c $(PLUTODIR)/pkcs7.h
 		$(COMPILE) $(INCLUDES) -c -o $@ $<
 
-rnd.o :		$(PLUTODIR)/rnd.c $(PLUTODIR)/rnd.h
-		$(COMPILE) $(INCLUDES) -c -o $@ $<
-
-sha1.o :	$(PLUTODIR)/sha1.c $(PLUTODIR)/sha1.h
-		$(COMPILE) $(INCLUDES) -c -o $@ $<
-
 smartcard.o :	$(PLUTODIR)/smartcard.c $(PLUTODIR)/smartcard.h
 		$(COMPILE) $(INCLUDES) -c -o $@ $<
 
diff --git a/src/scepclient/Makefile.in b/src/scepclient/Makefile.in
index a15b65697..3919583ef 100644
--- a/src/scepclient/Makefile.in
+++ b/src/scepclient/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -36,11 +36,7 @@ ipsec_PROGRAMS = scepclient$(EXEEXT)
 
 # This compile option activates smartcard support
 @USE_SMARTCARD_TRUE@am__append_1 = -DSMARTCARD
-@USE_SMARTCARD_TRUE@am__append_2 = -ldl
-
-# This compile option activates dynamic URL fetching using libcurl
-@USE_CURL_TRUE@am__append_3 = -DLIBCURL
-@USE_CURL_TRUE@am__append_4 = -lcurl
+@USE_SMARTCARD_TRUE@am__append_2 = $(DLLIB)
 subdir = src/scepclient
 DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.am \
 	$(srcdir)/Makefile.in
@@ -53,16 +49,15 @@ CONFIG_CLEAN_FILES =
 am__installdirs = "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man8dir)"
 ipsecPROGRAMS_INSTALL = $(INSTALL_PROGRAM)
 PROGRAMS = $(ipsec_PROGRAMS)
-am_scepclient_OBJECTS = scepclient.$(OBJEXT) rsakey.$(OBJEXT) \
-	pkcs10.$(OBJEXT) scep.$(OBJEXT) loglite.$(OBJEXT)
+am_scepclient_OBJECTS = scepclient.$(OBJEXT) pkcs10.$(OBJEXT) \
+	scep.$(OBJEXT) loglite.$(OBJEXT)
 scepclient_OBJECTS = $(am_scepclient_OBJECTS)
 am__DEPENDENCIES_1 =
-scepclient_DEPENDENCIES = asn1.o ca.o crl.o certs.o constants.o defs.o \
-	fetch.o id.o keys.o lex.o md2.o md5.o mp_defs.o ocsp.o oid.o \
-	pem.o pgp.o pkcs1.o pkcs7.o rnd.o sha1.o smartcard.o x509.o \
-	$(LIBFREESWANBUILDDIR)/libfreeswan.a \
-	$(LIBCRYPTOBUILDDIR)/libcrypto.a $(am__DEPENDENCIES_1) \
-	$(am__DEPENDENCIES_1)
+@USE_SMARTCARD_TRUE@am__DEPENDENCIES_2 = $(am__DEPENDENCIES_1)
+scepclient_DEPENDENCIES = ca.o crl.o certs.o constants.o defs.o \
+	fetch.o id.o keys.o lex.o ocsp.o pem.o pgpcert.o pkcs7.o \
+	smartcard.o x509.o $(LIBSTRONGSWANBUILDDIR)/libstrongswan.la \
+	$(LIBFREESWANBUILDDIR)/libfreeswan.a $(am__DEPENDENCIES_2)
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
@@ -98,6 +93,7 @@ CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -120,6 +116,9 @@ LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -131,6 +130,7 @@ MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
 NM = @NM@
 NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
@@ -144,6 +144,8 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 RANLIB = @RANLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -204,6 +206,7 @@ oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
 plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -215,11 +218,12 @@ srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-scepclient_SOURCES = scepclient.c rsakey.c rsakey.h pkcs10.c pkcs10.h scep.c scep.h loglite.c 
+scepclient_SOURCES = scepclient.c pkcs10.c pkcs10.h scep.c scep.h loglite.c 
 PLUTODIR = $(top_srcdir)/src/pluto
 OPENACDIR = $(top_srcdir)/src/openac
 WHACKDIR = $(top_srcdir)/src/whack
@@ -233,16 +237,17 @@ INCLUDES = \
 -I$(LIBCRYPTODIR) \
 -I$(WHACKDIR)
 
-AM_CFLAGS = -DDEBUG -DNO_PLUTO -DIPSEC_CONFDIR=\"${confdir}\" \
-	$(am__append_1) $(am__append_3)
+AM_CFLAGS = -DIPSEC_CONFDIR=\"${confdir}\" \
+	-DIPSEC_PLUGINDIR=\"${plugindir}\" \
+	-DPLUGINS=\""${pluto_plugins}\"" \
+	-DSTRONGSWAN_CONF=\"${strongswan_conf}\" -DDEBUG -DNO_PLUTO \
+	$(am__append_1)
+LIBSTRONGSWANBUILDDIR = $(top_builddir)/src/libstrongswan
 LIBFREESWANBUILDDIR = $(top_builddir)/src/libfreeswan
-LIBCRYPTOBUILDDIR = $(top_builddir)/src/libcrypto
-scepclient_LDADD = asn1.o ca.o crl.o certs.o constants.o defs.o \
-	fetch.o id.o keys.o lex.o md2.o md5.o mp_defs.o ocsp.o oid.o \
-	pem.o pgp.o pkcs1.o pkcs7.o rnd.o sha1.o smartcard.o x509.o \
-	$(LIBFREESWANBUILDDIR)/libfreeswan.a \
-	$(LIBCRYPTOBUILDDIR)/libcrypto.a -lgmp $(am__append_2) \
-	$(am__append_4)
+scepclient_LDADD = ca.o crl.o certs.o constants.o defs.o fetch.o id.o \
+	keys.o lex.o ocsp.o pem.o pgpcert.o pkcs7.o smartcard.o x509.o \
+	$(LIBSTRONGSWANBUILDDIR)/libstrongswan.la \
+	$(LIBFREESWANBUILDDIR)/libfreeswan.a $(am__append_2)
 dist_man_MANS = scepclient.8
 all: all-am
 
@@ -252,8 +257,8 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
 	    *$$dep*) \
-	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
-		&& exit 0; \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
 	      exit 1;; \
 	  esac; \
 	done; \
@@ -317,7 +322,6 @@ distclean-compile:
 
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/loglite.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs10.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rsakey.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/scep.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/scepclient.Po@am__quote@
 
@@ -358,8 +362,8 @@ install-man8: $(man8_MANS) $(man_MANS)
 	  esac; \
 	done; \
 	for i in $$list; do \
-	  if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
-	  else file=$$i; fi; \
+	  if test -f $$i; then file=$$i; \
+	  else file=$(srcdir)/$$i; fi; \
 	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
 	  case "$$ext" in \
 	    8*) ;; \
@@ -398,7 +402,7 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
 	mkid -fID $$unique
 tags: TAGS
@@ -576,9 +580,6 @@ uninstall-man: uninstall-man8
 	uninstall-man uninstall-man8
 
 
-asn1.o :	$(PLUTODIR)/asn1.c $(PLUTODIR)/asn1.h
-		$(COMPILE) $(INCLUDES) -c -o $@ $<
-
 ca.o :		$(PLUTODIR)/ca.c $(PLUTODIR)/ca.h
 		$(COMPILE) $(INCLUDES) -c -o $@ $<
 
@@ -594,9 +595,6 @@ crl.o : 	$(PLUTODIR)/crl.c $(PLUTODIR)/crl.h
 defs.o : 	$(PLUTODIR)/defs.c $(PLUTODIR)/defs.h
 		$(COMPILE) $(INCLUDES) -c -o $@ $<
 
-mp_defs.o :	$(PLUTODIR)/mp_defs.c $(PLUTODIR)/mp_defs.h
-		$(COMPILE) $(INCLUDES) -c -o $@ $<
-
 fetch.o : 	$(PLUTODIR)/fetch.c $(PLUTODIR)/fetch.h
 		$(COMPILE) $(INCLUDES) -c -o $@ $<
 
@@ -609,36 +607,18 @@ keys.o :	$(PLUTODIR)/keys.c $(PLUTODIR)/keys.h
 lex.o :		$(PLUTODIR)/lex.c $(PLUTODIR)/lex.h
 		$(COMPILE) $(INCLUDES) -c -o $@ $<
 
-md2.o :		$(PLUTODIR)/md2.c $(PLUTODIR)/md2.h
-		$(COMPILE) $(INCLUDES) -c -o $@ $<
-
-md5.o :		$(PLUTODIR)/md5.c $(PLUTODIR)/md5.h
-		$(COMPILE) $(INCLUDES) -c -o $@ $<
-
 ocsp.o :	$(PLUTODIR)/ocsp.c $(PLUTODIR)/ocsp.h
 		$(COMPILE) $(INCLUDES) -c -o $@ $<
 
-oid.o :		$(LIBSTRONGSWANDIR)/asn1/oid.c $(LIBSTRONGSWANDIR)/asn1/oid.h
-		$(COMPILE) -c -o $@ $<
-
 pem.o :		$(PLUTODIR)/pem.c $(PLUTODIR)/pem.h
 		$(COMPILE) $(INCLUDES) -c -o $@ $<
 
-pgp.o :		$(PLUTODIR)/pgp.c $(PLUTODIR)/pgp.h
-		$(COMPILE) $(INCLUDES) -c -o $@ $<
-
-pkcs1.o :	$(PLUTODIR)/pkcs1.c $(PLUTODIR)/pkcs1.h
+pgpcert.o :		$(PLUTODIR)/pgpcert.c $(PLUTODIR)/pgpcert.h
 		$(COMPILE) $(INCLUDES) -c -o $@ $<
 
 pkcs7.o :	$(PLUTODIR)/pkcs7.c $(PLUTODIR)/pkcs7.h
 		$(COMPILE) $(INCLUDES) -c -o $@ $<
 
-rnd.o :		$(PLUTODIR)/rnd.c $(PLUTODIR)/rnd.h
-		$(COMPILE) $(INCLUDES) -c -o $@ $<
-
-sha1.o :	$(PLUTODIR)/sha1.c $(PLUTODIR)/sha1.h
-		$(COMPILE) $(INCLUDES) -c -o $@ $<
-
 smartcard.o :	$(PLUTODIR)/smartcard.c $(PLUTODIR)/smartcard.h
 		$(COMPILE) $(INCLUDES) -c -o $@ $<
 
diff --git a/src/scepclient/loglite.c b/src/scepclient/loglite.c
index 4219eb707..b14e72ecb 100644
--- a/src/scepclient/loglite.c
+++ b/src/scepclient/loglite.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: loglite.c,v 1.2 2005/07/11 18:38:16 as Exp $
  */
 
 #include <stdio.h>
@@ -23,12 +21,13 @@
 #include <errno.h>
 #include <string.h>
 #include <unistd.h>
-#include <signal.h>	/* used only if MSG_NOSIGNAL not defined */
+#include <signal.h>     /* used only if MSG_NOSIGNAL not defined */
 #include <libgen.h>
 #include <sys/stat.h>
 #include <sys/types.h>
 
 #include <freeswan.h>
+#include <debug.h>
 
 #include <constants.h>
 #include <defs.h>
@@ -36,118 +35,179 @@
 #include <whack.h>
 
 bool
-    log_to_stderr = FALSE,	/* should log go to stderr? */
-    log_to_syslog = TRUE;	/* should log go to syslog? */
+	log_to_stderr = FALSE,      /* should log go to stderr? */
+	log_to_syslog = TRUE;       /* should log go to syslog? */
 
-void
-init_log(const char *program)
+/**
+ * @brief scepclient dbg function
+ */
+static void scepclient_dbg(int level, char *fmt, ...)
 {
-    if (log_to_stderr)
-	setbuf(stderr, NULL);
-    if (log_to_syslog)
-	openlog(program, LOG_CONS | LOG_NDELAY | LOG_PID, LOG_AUTHPRIV);
+	int priority = LOG_INFO;
+	int debug_level;
+	char buffer[8192];
+	char *current = buffer, *next;
+	va_list args;
+
+	if (cur_debugging & DBG_PRIVATE)
+	{
+		debug_level = 4;
+	}
+	else if (cur_debugging & DBG_RAW)
+	{
+		debug_level = 3;
+	}	
+	else if (cur_debugging & DBG_PARSING)
+	{
+		debug_level = 2;
+	}
+	else 
+	{
+		debug_level = 1;
+	}
+
+	if (level <= debug_level)
+	{
+		va_start(args, fmt);
+
+		if (log_to_stderr)
+		{
+			if (level > 1)
+			{
+				fprintf(stderr, "| ");
+			}
+			vfprintf(stderr, fmt, args);
+			fprintf(stderr, "\n");
+		}
+		if (log_to_syslog)
+		{
+			/* write in memory buffer first */
+			vsnprintf(buffer, sizeof(buffer), fmt, args);
+
+			/* do a syslog with every line */
+			while (current)
+			{
+				next = strchr(current, '\n');
+				if (next)
+				{
+					*(next++) = '\0';
+				}
+				syslog(priority, "%s%s\n", (level > 1)? "| ":"", current);
+				current = next;
+			}
+		}
+		va_end(args);
+	}
 }
 
-void
-close_log(void)
+void init_log(const char *program)
 {
-    if (log_to_syslog)
-	closelog();
+	/* enable scepclient bugging hook */
+	dbg = scepclient_dbg;
+
+	if (log_to_stderr)
+	{
+		setbuf(stderr, NULL);
+	}
+	if (log_to_syslog)
+	{
+		openlog(program, LOG_CONS | LOG_NDELAY | LOG_PID, LOG_AUTHPRIV);
+	}
 }
 
-void
-plog(const char *message, ...)
+void close_log(void)
 {
-    va_list args;
-    char m[LOG_WIDTH];	/* longer messages will be truncated */
+	if (log_to_syslog)
+		closelog();
+}
 
-    va_start(args, message);
-    vsnprintf(m, sizeof(m), message, args);
-    va_end(args);
+void plog(const char *message, ...)
+{
+	va_list args;
+	char m[LOG_WIDTH];  /* longer messages will be truncated */
 
-    if (log_to_stderr)
-	fprintf(stderr, "%s\n", m);
-    if (log_to_syslog)
-	syslog(LOG_WARNING, "%s", m);
+	va_start(args, message);
+	vsnprintf(m, sizeof(m), message, args);
+	va_end(args);
+
+	if (log_to_stderr)
+		fprintf(stderr, "%s\n", m);
+	if (log_to_syslog)
+		syslog(LOG_WARNING, "%s", m);
 }
 
-void
-loglog(int mess_no, const char *message, ...)
+void loglog(int mess_no, const char *message, ...)
 {
-    va_list args;
-    char m[LOG_WIDTH];	/* longer messages will be truncated */
+	va_list args;
+	char m[LOG_WIDTH];  /* longer messages will be truncated */
 
-    va_start(args, message);
-    vsnprintf(m, sizeof(m), message, args);
-    va_end(args);
+	va_start(args, message);
+	vsnprintf(m, sizeof(m), message, args);
+	va_end(args);
 
-    if (log_to_stderr)
-	fprintf(stderr, "%s\n", m);
-    if (log_to_syslog)
-	syslog(LOG_WARNING, "%s", m);
+	if (log_to_stderr)
+		fprintf(stderr, "%s\n", m);
+	if (log_to_syslog)
+		syslog(LOG_WARNING, "%s", m);
 }
 
-void
-log_errno_routine(int e, const char *message, ...)
+void log_errno_routine(int e, const char *message, ...)
 {
-    va_list args;
-    char m[LOG_WIDTH];	/* longer messages will be truncated */
+	va_list args;
+	char m[LOG_WIDTH];  /* longer messages will be truncated */
 
-    va_start(args, message);
-    vsnprintf(m, sizeof(m), message, args);
-    va_end(args);
+	va_start(args, message);
+	vsnprintf(m, sizeof(m), message, args);
+	va_end(args);
 
-    if (log_to_stderr)
-	fprintf(stderr, "ERROR: %s. Errno %d: %s\n", m, e, strerror(e));
-    if (log_to_syslog)
-	syslog(LOG_ERR, "ERROR: %s. Errno %d: %s", m, e, strerror(e));
+	if (log_to_stderr)
+		fprintf(stderr, "ERROR: %s. Errno %d: %s\n", m, e, strerror(e));
+	if (log_to_syslog)
+		syslog(LOG_ERR, "ERROR: %s. Errno %d: %s", m, e, strerror(e));
 }
 
-void
-exit_log(const char *message, ...)
+void exit_log(const char *message, ...)
 {
-    va_list args;
-    char m[LOG_WIDTH];	/* longer messages will be truncated */
-
-    va_start(args, message);
-    vsnprintf(m, sizeof(m), message, args);
-    va_end(args);
-
-    if (log_to_stderr)
-	fprintf(stderr, "FATAL ERROR: %s\n", m);
-    if (log_to_syslog)
-	syslog(LOG_ERR, "FATAL ERROR: %s", m);
-    exit(1);
+	va_list args;
+	char m[LOG_WIDTH];  /* longer messages will be truncated */
+
+	va_start(args, message);
+	vsnprintf(m, sizeof(m), message, args);
+	va_end(args);
+
+	if (log_to_stderr)
+		fprintf(stderr, "FATAL ERROR: %s\n", m);
+	if (log_to_syslog)
+		syslog(LOG_ERR, "FATAL ERROR: %s", m);
+	exit(1);
 }
 
-void
-exit_log_errno_routine(int e, const char *message, ...)
+void exit_log_errno_routine(int e, const char *message, ...)
 {
-    va_list args;
-    char m[LOG_WIDTH];	/* longer messages will be truncated */
-
-    va_start(args, message);
-    vsnprintf(m, sizeof(m), message, args);
-    va_end(args);
-
-    if (log_to_stderr)
-	fprintf(stderr, "FATAL ERROR: %s. Errno %d: %s\n", m, e, strerror(e));
-    if (log_to_syslog)
-	syslog(LOG_ERR, "FATAL ERROR: %s. Errno %d: %s", m, e, strerror(e));
-    exit(1);
+	va_list args;
+	char m[LOG_WIDTH];  /* longer messages will be truncated */
+
+	va_start(args, message);
+	vsnprintf(m, sizeof(m), message, args);
+	va_end(args);
+
+	if (log_to_stderr)
+		fprintf(stderr, "FATAL ERROR: %s. Errno %d: %s\n", m, e, strerror(e));
+	if (log_to_syslog)
+		syslog(LOG_ERR, "FATAL ERROR: %s. Errno %d: %s", m, e, strerror(e));
+	exit(1);
 }
 
-void
-whack_log(int mess_no, const char *message, ...)
+void whack_log(int mess_no, const char *message, ...)
 {
-    va_list args;
-    char m[LOG_WIDTH];	/* longer messages will be truncated */
+	va_list args;
+	char m[LOG_WIDTH];  /* longer messages will be truncated */
 
-    va_start(args, message);
-    vsnprintf(m, sizeof(m), message, args);
-    va_end(args);
+	va_start(args, message);
+	vsnprintf(m, sizeof(m), message, args);
+	va_end(args);
 
-    fprintf(stderr, "%s\n", m);
+	fprintf(stderr, "%s\n", m);
 }
 
 /* Build up a diagnostic in a static buffer.
@@ -162,132 +222,126 @@ whack_log(int mess_no, const char *message, ...)
  */
 char diag_space[sizeof(diag_space)];
 
-err_t
-builddiag(const char *fmt, ...)
+err_t builddiag(const char *fmt, ...)
 {
-    static char diag_space[LOG_WIDTH];	/* longer messages will be truncated */
-    char t[sizeof(diag_space)];	/* build result here first */
-    va_list args;
-
-    va_start(args, fmt);
-    t[0] = '\0';	/* in case nothing terminates string */
-    vsnprintf(t, sizeof(t), fmt, args);
-    va_end(args);
-    strcpy(diag_space, t);
-    return diag_space;
+	static char diag_space[LOG_WIDTH];  /* longer messages will be truncated */
+	char t[sizeof(diag_space)]; /* build result here first */
+	va_list args;
+
+	va_start(args, fmt);
+	t[0] = '\0';        /* in case nothing terminates string */
+	vsnprintf(t, sizeof(t), fmt, args);
+	va_end(args);
+	strcpy(diag_space, t);
+	return diag_space;
 }
 
 /* Debugging message support */
 
 #ifdef DEBUG
 
-void
-switch_fail(int n, const char *file_str, unsigned long line_no)
+void switch_fail(int n, const char *file_str, unsigned long line_no)
 {
-    char buf[30];
+	char buf[30];
 
-    snprintf(buf, sizeof(buf), "case %d unexpected", n);
-    passert_fail(buf, file_str, line_no);
+	snprintf(buf, sizeof(buf), "case %d unexpected", n);
+	passert_fail(buf, file_str, line_no);
 }
 
-void
-passert_fail(const char *pred_str, const char *file_str, unsigned long line_no)
+void passert_fail(const char *pred_str, const char *file_str, unsigned long line_no)
 {
-    /* we will get a possibly unplanned prefix.  Hope it works */
-    loglog(RC_LOG_SERIOUS, "ASSERTION FAILED at %s:%lu: %s", file_str, line_no, pred_str);
-    abort();	/* exiting correctly doesn't always work */
+	/* we will get a possibly unplanned prefix.  Hope it works */
+	loglog(RC_LOG_SERIOUS, "ASSERTION FAILED at %s:%lu: %s", file_str, line_no, pred_str);
+	abort();    /* exiting correctly doesn't always work */
 }
 
 lset_t
-    base_debugging = DBG_NONE,	/* default to reporting nothing */
-    cur_debugging =  DBG_NONE;
+	base_debugging = DBG_NONE,  /* default to reporting nothing */
+	cur_debugging =  DBG_NONE;
 
-void
-pexpect_log(const char *pred_str, const char *file_str, unsigned long line_no)
+void pexpect_log(const char *pred_str, const char *file_str, unsigned long line_no)
 {
-    /* we will get a possibly unplanned prefix.  Hope it works */
-    loglog(RC_LOG_SERIOUS, "EXPECTATION FAILED at %s:%lu: %s", file_str, line_no, pred_str);
+	/* we will get a possibly unplanned prefix.  Hope it works */
+	loglog(RC_LOG_SERIOUS, "EXPECTATION FAILED at %s:%lu: %s", file_str, line_no, pred_str);
 }
 
 /* log a debugging message (prefixed by "| ") */
 
-void
-DBG_log(const char *message, ...)
+void DBG_log(const char *message, ...)
 {
-    va_list args;
-    char m[LOG_WIDTH];	/* longer messages will be truncated */
+	va_list args;
+	char m[LOG_WIDTH];  /* longer messages will be truncated */
 
-    va_start(args, message);
-    vsnprintf(m, sizeof(m), message, args);
-    va_end(args);
+	va_start(args, message);
+	vsnprintf(m, sizeof(m), message, args);
+	va_end(args);
 
-    if (log_to_stderr)
-	fprintf(stderr, "| %s\n", m);
-    if (log_to_syslog)
-	syslog(LOG_DEBUG, "| %s", m);
+	if (log_to_stderr)
+		fprintf(stderr, "| %s\n", m);
+	if (log_to_syslog)
+		syslog(LOG_DEBUG, "| %s", m);
 }
 
 /* dump raw bytes in hex to stderr (for lack of any better destination) */
 
-void
-DBG_dump(const char *label, const void *p, size_t len)
+void DBG_dump(const char *label, const void *p, size_t len)
 {
-#   define DUMP_LABEL_WIDTH 20	/* arbitrary modest boundary */
-#   define DUMP_WIDTH	(4 * (1 + 4 * 3) + 1)
-    char buf[DUMP_LABEL_WIDTH + DUMP_WIDTH];
-    char *bp;
-    const unsigned char *cp = p;
-
-    bp = buf;
+#   define DUMP_LABEL_WIDTH 20  /* arbitrary modest boundary */
+#   define DUMP_WIDTH   (4 * (1 + 4 * 3) + 1)
+	char buf[DUMP_LABEL_WIDTH + DUMP_WIDTH];
+	char *bp;
+	const unsigned char *cp = p;
 
-    if (label != NULL && label[0] != '\0')
-    {
-	/* Handle the label.  Care must be taken to avoid buffer overrun. */
-	size_t llen = strlen(label);
+	bp = buf;
 
-	if (llen + 1 > sizeof(buf))
+	if (label != NULL && label[0] != '\0')
 	{
-	    DBG_log("%s", label);
+		/* Handle the label.  Care must be taken to avoid buffer overrun. */
+		size_t llen = strlen(label);
+
+		if (llen + 1 > sizeof(buf))
+		{
+			DBG_log("%s", label);
+		}
+		else
+		{
+			strcpy(buf, label);
+			if (buf[llen-1] == '\n')
+			{
+				buf[llen-1] = '\0';     /* get rid of newline */
+				DBG_log("%s", buf);
+			}
+			else if (llen < DUMP_LABEL_WIDTH)
+			{
+				bp = buf + llen;
+			}
+			else
+			{
+				DBG_log("%s", buf);
+			}
+		}
 	}
-	else
-	{
-	    strcpy(buf, label);
-	    if (buf[llen-1] == '\n')
-	    {
-		buf[llen-1] = '\0';	/* get rid of newline */
-		DBG_log("%s", buf);
-	    }
-	    else if (llen < DUMP_LABEL_WIDTH)
-	    {
-		bp = buf + llen;
-	    }
-	    else
-	    {
-		DBG_log("%s", buf);
-	    }
-	}
-    }
-
-    do {
-	int i, j;
 
-	for (i = 0; len!=0 && i!=4; i++)
-	{
-	    *bp++ = ' ';
-	    for (j = 0; len!=0 && j!=4; len--, j++)
-	    {
-		static const char hexdig[] = "0123456789abcdef";
-
-		*bp++ = ' ';
-		*bp++ = hexdig[(*cp >> 4) & 0xF];
-		*bp++ = hexdig[*cp & 0xF];
-		cp++;
-	    }
-	}
-	*bp = '\0';
-	DBG_log("%s", buf);
-	bp = buf;
-    } while (len != 0);
+	do {
+		int i, j;
+
+		for (i = 0; len!=0 && i!=4; i++)
+		{
+			*bp++ = ' ';
+			for (j = 0; len!=0 && j!=4; len--, j++)
+			{
+				static const char hexdig[] = "0123456789abcdef";
+
+				*bp++ = ' ';
+				*bp++ = hexdig[(*cp >> 4) & 0xF];
+				*bp++ = hexdig[*cp & 0xF];
+				cp++;
+			}
+		}
+		*bp = '\0';
+		DBG_log("%s", buf);
+		bp = buf;
+	} while (len != 0);
 #   undef DUMP_LABEL_WIDTH
 #   undef DUMP_WIDTH
 }
diff --git a/src/scepclient/pkcs10.c b/src/scepclient/pkcs10.c
index 86267f508..cdd68431e 100644
--- a/src/scepclient/pkcs10.c
+++ b/src/scepclient/pkcs10.c
@@ -26,12 +26,11 @@
 #include <arpa/inet.h>
 
 #include <freeswan.h>
+#include <asn1/asn1.h>
 #include <asn1/oid.h>
 
 #include "../pluto/constants.h"
 #include "../pluto/defs.h"
-#include "../pluto/asn1.h"
-#include "../pluto/pkcs1.h"
 #include "../pluto/log.h"
 #include "../pluto/x509.h"
 
@@ -40,66 +39,66 @@
 /* some pre-coded OIDs */
 
 static u_char ASN1_challengePassword_oid_str[] = {
-    0x06,0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x07
+	0x06,0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x07
 };
 
-static const chunk_t ASN1_challengePassword_oid = strchunk(ASN1_challengePassword_oid_str);
+static const chunk_t ASN1_challengePassword_oid = chunk_from_buf(ASN1_challengePassword_oid_str);
 
 static u_char ASN1_extensionRequest_oid_str[] = {
-    0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x0E
+	0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x0E
 };
 
-static const chunk_t ASN1_extensionRequest_oid = strchunk(ASN1_extensionRequest_oid_str);
+static const chunk_t ASN1_extensionRequest_oid = chunk_from_buf(ASN1_extensionRequest_oid_str);
 
 /** 
  * @brief Adds a subjectAltName in DER-coded form to a linked list
  * 
- * @param[in,out]	subjectAltNames	head of the linked list of subjectAltNames
- * @param[in]		kind		type of the subjectAltName (which is a generalName)
- * @param[in]		value		value of the subjectAltName as an ASCII string
+ * @param[in,out]       subjectAltNames head of the linked list of subjectAltNames
+ * @param[in]           kind            type of the subjectAltName (which is a generalName)
+ * @param[in]           value           value of the subjectAltName as an ASCII string
  */
 void
 pkcs10_add_subjectAltName(generalName_t **subjectAltNames, generalNames_t kind
 , char *value) 
 {
-    generalName_t *gn;
-    asn1_t asn1_type = ASN1_EOC;
-    chunk_t name = { value, strlen(value) };
-
-    switch (kind)
-    {
-    case GN_RFC822_NAME:
-	asn1_type = ASN1_CONTEXT_S_1;
-	break;
-    case GN_DNS_NAME:
-	asn1_type = ASN1_CONTEXT_S_2;
-	break;
-    case GN_IP_ADDRESS:
+	generalName_t *gn;
+	asn1_t asn1_type = ASN1_EOC;
+	chunk_t name = { value, strlen(value) };
+
+	switch (kind)
 	{
-	    struct in_addr addr;
-
-	    /* convert an ASCII dotted IPv4 address (e.g. 123.456.78.90)
-             * to a byte representation in network order
-             */
-	    if (!inet_aton(value, &addr))
-	    {
-		fprintf(stderr, "error in IPv4 subjectAltName\n");
-		return;
-	    }
-	    asn1_type = ASN1_CONTEXT_S_7;
-	    name.ptr = (u_char *) &addr.s_addr;
-            name.len = sizeof(addr.s_addr);
-	    break;
-        }
-    default:
-	break;
-    }
-
-    gn = alloc_thing(generalName_t, "subjectAltName");
-    gn->kind = kind;
-    gn->name = asn1_simple_object(asn1_type, name);
-    gn->next = *subjectAltNames;
-    *subjectAltNames = gn;
+	case GN_RFC822_NAME:
+		asn1_type = ASN1_CONTEXT_S_1;
+		break;
+	case GN_DNS_NAME:
+		asn1_type = ASN1_CONTEXT_S_2;
+		break;
+	case GN_IP_ADDRESS:
+		{
+			struct in_addr addr;
+
+			/* convert an ASCII dotted IPv4 address (e.g. 123.456.78.90)
+			 * to a byte representation in network order
+			 */
+			if (!inet_aton(value, &addr))
+			{
+				fprintf(stderr, "error in IPv4 subjectAltName\n");
+				return;
+			}
+			asn1_type = ASN1_CONTEXT_S_7;
+			name.ptr = (u_char *) &addr.s_addr;
+			name.len = sizeof(addr.s_addr);
+			break;
+		}
+	default:
+		break;
+	}
+
+	gn = malloc_thing(generalName_t);
+	gn->kind = kind;
+	gn->name = asn1_simple_object(asn1_type, name);
+	gn->next = *subjectAltNames;
+	*subjectAltNames = gn;
 }
 
 /**
@@ -108,71 +107,75 @@ pkcs10_add_subjectAltName(generalName_t **subjectAltNames, generalNames_t kind
  * challenge password ans subjectAltNames are only included,
  * when avaiable in given #pkcs10_t structure
  *
- * @param[in]	pkcs10		Pointer to a #pkcs10_t structure
- * @return					1 if succeeded, 0 otherwise
+ * @param[in]   pkcs10          Pointer to a #pkcs10_t structure
+ * @return                                      1 if succeeded, 0 otherwise
  */
 static chunk_t
 build_req_info_attributes(pkcs10_t* pkcs10)
 {
 
-    chunk_t subjectAltNames   = empty_chunk;
-    chunk_t challengePassword = empty_chunk;
-
-    if (pkcs10->subjectAltNames != NULL) 
-    {
-
-	subjectAltNames = asn1_wrap(ASN1_SEQUENCE, "cm"
-		, ASN1_extensionRequest_oid
-		, asn1_wrap(ASN1_SET, "m"
-		    , asn1_wrap(ASN1_SEQUENCE, "m"
-			, build_subjectAltNames(pkcs10->subjectAltNames)
-		      )
-		  )
-	    );
-    }
-
-    if (pkcs10->challengePassword.len > 0)
-    {
-	asn1_t type = is_printablestring(pkcs10->challengePassword)
-		      ? ASN1_PRINTABLESTRING : ASN1_T61STRING;
-
-	challengePassword = asn1_wrap(ASN1_SEQUENCE, "cm"
-		, ASN1_challengePassword_oid
-		, asn1_wrap(ASN1_SET, "m"
-		    , asn1_simple_object(type, pkcs10->challengePassword)
-		  )
-	    );
-    }
-
-    return asn1_wrap(ASN1_CONTEXT_C_0, "mm"
-		, subjectAltNames
-	    	, challengePassword);
+	chunk_t subjectAltNames   = chunk_empty;
+	chunk_t challengePassword = chunk_empty;
+
+	if (pkcs10->subjectAltNames != NULL) 
+	{
+
+		subjectAltNames = asn1_wrap(ASN1_SEQUENCE, "cm"
+				, ASN1_extensionRequest_oid
+				, asn1_wrap(ASN1_SET, "m"
+					, asn1_wrap(ASN1_SEQUENCE, "m"
+						, build_subjectAltNames(pkcs10->subjectAltNames)
+					  )
+				  )
+			);
+	}
+
+	if (pkcs10->challengePassword.len > 0)
+	{
+		asn1_t type = asn1_is_printablestring(pkcs10->challengePassword)
+					  ? ASN1_PRINTABLESTRING : ASN1_T61STRING;
+
+		challengePassword = asn1_wrap(ASN1_SEQUENCE, "cm"
+				, ASN1_challengePassword_oid
+				, asn1_wrap(ASN1_SET, "m"
+					, asn1_simple_object(type, pkcs10->challengePassword)
+				  )
+			);
+	}
+
+	return asn1_wrap(ASN1_CONTEXT_C_0, "mm"
+				, subjectAltNames
+				, challengePassword);
 }
 
 /**
  * @brief Builds a DER-code pkcs#10 certificate request
  *
- * @param[in]	pkcs10		pointer to a pkcs10_t struct
- * @return 			DER-code pkcs10 request
+ * @param[in]   pkcs10          pointer to a pkcs10_t struct
+ * @return                      DER-code pkcs10 request
  */
 static chunk_t
 pkcs10_build_request(pkcs10_t *pkcs10, int signature_alg)
 {
-    RSA_public_key_t *rsak = (RSA_public_key_t *) pkcs10->private_key;
+	chunk_t key = pkcs10->public_key->get_encoding(pkcs10->public_key);
+
+	chunk_t keyInfo = asn1_wrap(ASN1_SEQUENCE, "cm",
+							asn1_algorithmIdentifier(OID_RSA_ENCRYPTION), 
+							asn1_bitstring("m", key));	
 
-    chunk_t cert_req_info = asn1_wrap(ASN1_SEQUENCE, "ccmm"
-		, ASN1_INTEGER_0
-		, pkcs10->subject
-		, pkcs1_build_publicKeyInfo(rsak)
-		, build_req_info_attributes(pkcs10));
+	chunk_t cert_req_info = asn1_wrap(ASN1_SEQUENCE, "ccmm",
+								ASN1_INTEGER_0,
+								pkcs10->subject,
+								keyInfo,
+								build_req_info_attributes(pkcs10));
 
-    chunk_t signature = pkcs1_build_signature(cert_req_info
-		, signature_alg, pkcs10->private_key, TRUE);
+	chunk_t signature = x509_build_signature(cert_req_info, signature_alg,
+											 pkcs10->private_key, TRUE);
 
-    return asn1_wrap(ASN1_SEQUENCE, "mcm"
-		, cert_req_info
-		, asn1_algorithmIdentifier(signature_alg)
-		, signature);
+	return asn1_wrap(ASN1_SEQUENCE, "mcm",
+				cert_req_info,
+				asn1_algorithmIdentifier(signature_alg),
+				signature);
 }
 
 /**
@@ -183,38 +186,39 @@ pkcs10_build_request(pkcs10_t *pkcs10, int signature_alg)
  * (e.g. commonName, organization) are needed. An optional challenge
  * password or some subjectAltNames may be included.
  *
- * @param[in]	key			rsakey of type #rsakey_t
- * @param[in]	subject			DER-coded subject distinguished name
- * @param[in]	challengePassword	challenge password or empty_chunk
- * @param[in]	subjectAltNames		linked list of subjectAltNames or NULL
- * @return 				pointer to a #pkcs10_t object
+ * @param[in]   key                     rsakey of type #rsakey_t
+ * @param[in]   subject                 DER-coded subject distinguished name
+ * @param[in]   challengePassword       challenge password or chunk_empty
+ * @param[in]   subjectAltNames         linked list of subjectAltNames or NULL
+ * @return                              pointer to a #pkcs10_t object
  */
-pkcs10_t*
-pkcs10_build(RSA_private_key_t *key, chunk_t subject, chunk_t challengePassword
-, generalName_t *subjectAltNames, int signature_alg)
+pkcs10_t* pkcs10_build(private_key_t *private, public_key_t *public,
+					   chunk_t subject, chunk_t challengePassword,
+					   generalName_t *subjectAltNames, int signature_alg)
 {
-    pkcs10_t *pkcs10 = alloc_thing(pkcs10_t, "pkcs10_t");
+	pkcs10_t *pkcs10 = malloc_thing(pkcs10_t);
 
-    pkcs10->subject = subject;
-    pkcs10->private_key = key;
-    pkcs10->challengePassword = challengePassword;
-    pkcs10->subjectAltNames = subjectAltNames;
+	pkcs10->subject = subject;
+	pkcs10->private_key = private;
+	pkcs10->public_key = public;
+	pkcs10->challengePassword = challengePassword;
+	pkcs10->subjectAltNames = subjectAltNames;
 
-    pkcs10->request = pkcs10_build_request(pkcs10, signature_alg);
-    return pkcs10;
+	pkcs10->request = pkcs10_build_request(pkcs10, signature_alg);
+	return pkcs10;
 }
 
 /**
  * @brief Frees the resources used by an #pkcs10_t object
  *
- * @param[in]	pkcs10		#pkcs10_t to free
+ * @param[in]   pkcs10          #pkcs10_t to free
  */
 void
 pkcs10_free(pkcs10_t *pkcs10)
 {
-    if (pkcs10 != NULL)
-    {
-	freeanychunk(pkcs10->request);
-	pfree(pkcs10);
-    }
+	if (pkcs10 != NULL)
+	{
+		free(pkcs10->request.ptr);
+		free(pkcs10);
+	}
 }
diff --git a/src/scepclient/pkcs10.h b/src/scepclient/pkcs10.h
index c2a4c1b92..3f29f019a 100644
--- a/src/scepclient/pkcs10.h
+++ b/src/scepclient/pkcs10.h
@@ -4,7 +4,7 @@
  * 
  * Contains functions to build DER encoded pkcs#10 certificate requests
  */
- 
+
 /*
  * Copyright (C) 2005 Jan Hutter, Martin Willi
  * Hochschule fuer Technik Rapperswil
@@ -23,8 +23,10 @@
 #ifndef _PKCS10_H
 #define _PKCS10_H
 
+#include <credentials/keys/private_key.h>
+#include <credentials/keys/public_key.h>
+
 #include "../pluto/defs.h"
-#include "../pluto/pkcs1.h"
 #include "../pluto/x509.h"
 
 typedef struct pkcs10_struct pkcs10_t;
@@ -38,20 +40,21 @@ typedef struct pkcs10_struct pkcs10_t;
  * The RSA private key is needed to compute the signature of the given request
  */
 struct pkcs10_struct {
-    RSA_private_key_t *private_key;
-    chunk_t            request;
-    chunk_t            subject;
-    chunk_t            challengePassword;
-    generalName_t     *subjectAltNames;
+	private_key_t  *private_key;
+	public_key_t   *public_key;
+	chunk_t         request;
+	chunk_t         subject;
+	chunk_t         challengePassword;
+	generalName_t  *subjectAltNames;
 };
 
 extern const pkcs10_t empty_pkcs10;
 
-extern void pkcs10_add_subjectAltName(generalName_t **subjectAltNames
-    , generalNames_t kind, char *value);
-extern pkcs10_t* pkcs10_build(RSA_private_key_t *key, chunk_t subject
-    , chunk_t challengePassword, generalName_t *subjectAltNames
-    , int signature_alg);
+extern void pkcs10_add_subjectAltName(generalName_t **subjectAltNames,
+									  generalNames_t kind, char *value);
+extern pkcs10_t* pkcs10_build(private_key_t *private, public_key_t *public,
+							  chunk_t subject, chunk_t challengePassword,
+							  generalName_t *subjectAltNames, int signature_alg);
 extern void pkcs10_free(pkcs10_t *pkcs10);
 
 #endif /* _PKCS10_H */
diff --git a/src/scepclient/rsakey.c b/src/scepclient/rsakey.c
deleted file mode 100644
index a7c6321f5..000000000
--- a/src/scepclient/rsakey.c
+++ /dev/null
@@ -1,349 +0,0 @@
-/**
- * @file rsakey.c
- * @brief Functions for RSA key generation 
- */
-
-/* 
- * Copyright (C) 1999, 2000, 2001  Henry Spencer.
- * Copyright (C) 2005 Jan Hutter, Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- *
- * $Id: rsakey.c,v 1.5 2006/01/04 21:16:30 as Exp $
- */
- 
-
-#include <stdlib.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <fcntl.h>
-#include <unistd.h>
-#include <assert.h>
-#include <gmp.h>
-
-#include <freeswan.h>
-
-#include "../pluto/constants.h"
-#include "../pluto/defs.h"
-#include "../pluto/mp_defs.h"
-#include "../pluto/log.h"
-#include "../pluto/asn1.h"
-#include "../pluto/pkcs1.h"
-
-#include "rsakey.h"
-
-/* Number of times the probabilistic primality test is applied */
-#define PRIMECHECK_ROUNDS	30
-
-/* Public exponent used for signature key generation */
-#define PUBLIC_EXPONENT		0x10001
-
-#ifndef DEV_RANDOM
-#define	DEV_RANDOM	"/dev/random"
-#endif
-
-
-/**
- * @brief Reads a specific number of bytes from a given device/file
- * 
- * @param[in]		nbytes		number of bytes to read from random device
- * @param[out]		buf		pointer to buffer where to write the data in.
- * 					size of buffer has to be at least nbytes.
- * @return				TRUE, if succeeded, FALSE otherwise
- */
-
-static bool
-get_true_random_bytes(size_t nbytes, char *buf)
-{
-    size_t ndone;
-    size_t got;
-    char *device = DEV_RANDOM;
-
-    int dev = open(DEV_RANDOM, 0);
-
-    if (dev < 0)
-    {
-	fprintf(stderr, "could not open random device %s", device);
-	return FALSE;
-    }
-
-    DBG(DBG_CONTROL,
-	DBG_log("getting %d bytes from %s...", (int) nbytes, device)
-    )
-	
-    ndone = 0;
-    while (ndone < nbytes)
-    {
-	got = read(dev, buf + ndone, nbytes - ndone);
-	if (got < 0)
-	{
-	    fprintf(stderr, "read error on %s", device);
-	    return FALSE;
-	}
-	if (got == 0)
-	{
-	    fprintf(stderr, "eof on %s", device);
-	    return FALSE;
-	}
-	 ndone += got;
-    }
-    close(dev);
-    return TRUE;
-}
-
-/**
- * @brief initialize an mpz_t to a random number, specified bit count
- *
- * Converting the random value in a value of type mpz_t is done 
- * by creating a hexbuffer.
- * Converting via hex is a bit weird, but it's the best route GMP gives us.
- * Note that highmost and lowmost bits are forced on -- highmost to give a
- * number of exactly the specified length, lowmost so it is an odd number.
- *
- * @param[out] 	var uninitialized mpz_t to store th random number in
- * @param[in] 	nbits length of var in bits (known to be a multiple of BITS_PER_BYTE)
- * @return 	TRUE on success, FALSE otherwise
- */
-static bool
-init_random(mpz_t var, int nbits)
-{
-    size_t nbytes = (size_t)(nbits/BITS_PER_BYTE);
-    char random_buf[RSA_MAX_OCTETS/2];
-
-    assert(nbytes <= sizeof(random_buf));
-
-    if (!get_true_random_bytes(nbytes, random_buf))
-	return FALSE;
-	
-    random_buf[0] |= 01 << (BITS_PER_BYTE-1);	/* force high bit on */
-    random_buf[nbytes-1] |= 01;			/* force low bit on */
-    n_to_mpz(var, random_buf, nbytes);
-    return TRUE;
-}
-
-/**
- * @brief initialize an mpz_t to a random prime of specified size
- *
- * Efficiency tweak: we reject candidates that are 1 higher than a multiple
- * of e, since they will make the internal modulus not relatively prime to e.
- *
- * @param[out] 	var mpz_t variable to initialize
- * @param[in] 	nbits length of given prime in bits (known to be a multiple of BITS_PER_BYTE)
- * @param[in] 	eval E-Value, 0 means don't bother w. tweak
- * @return 		1 on success, 0 otherwise
- */
-static bool
-init_prime(mpz_t var, int nbits, int eval)
-{
-    unsigned long tries;
-    size_t len;
-
-    /* get a random value of nbits length */
-    if (!init_random(var, nbits))
-	return FALSE;
-
-    /* check if odd number */
-    assert(mpz_fdiv_ui(var, 2) == 1);
-    DBG(DBG_CONTROLMORE,
-	DBG_log("looking for a prime starting there (can take a while)...")
-    )
-
-    tries = 1;
-    while (mpz_fdiv_ui(var, eval) == 1
-       || !mpz_probab_prime_p(var, PRIMECHECK_ROUNDS))
-    {
-	/* not a prime, increase by 2 */
-	mpz_add_ui(var, var, 2);
-	tries++;
-    }
-
-    len = mpz_sizeinbase(var, 2);
-
-    /* check bit length of primee */
-    assert(len == (size_t)nbits || len == (size_t)(nbits+1));
-
-    if (len == (size_t)(nbits+1))
-    {
-	DBG(DBG_CONTROLMORE,
-	    DBG_log("carry out occurred (!), retrying...")
-	)
-	mpz_clear(var);
-	/* recursive call */
-	return init_prime(var, nbits, eval);
-    }
-    DBG(DBG_CONTROLMORE,
-	DBG_log("found it after %lu tries.",tries)
-    )
-    return TRUE;
-}
-
-/** 
- * @brief Generate a RSA key usable for encryption
- * 
- * Generate an RSA key usable for encryption. All the 
- * values of the RSA key are filled into mpz_t parameters.
- * These mpz_t parameters must not be initialized and have
- * to be cleared with mpz_clear after using.
- *
- * @param[in] 	nbits size of rsa key in bits
- * @return 	RSA_public_key_t containing the generated RSA key 
- */
-err_t
-generate_rsa_private_key(int nbits, RSA_private_key_t *key)
-{
-    mpz_t p, q, n, e, d, exp1, exp2, coeff;
-    mpz_t m, q1, t;	/* temporary variables*/
-
-     DBG(DBG_CONTROL,
-	DBG_log("generating %d bit RSA key:", nbits)
-    )
-
-    if (nbits <= 0) 
-	return "negative rsa key length!";
-
-    /* Get values of primes p and q */
-    DBG(DBG_CONTROLMORE,
-	DBG_log("initialize prime p")
-    )
-    if (!init_prime(p, nbits/2, PUBLIC_EXPONENT)) 
-	return "could not generate prime p";
-
-    DBG(DBG_CONTROLMORE,
-	DBG_log("initialize prime q")
-    )
-    if (!init_prime(q, nbits/2, PUBLIC_EXPONENT)) 
-	return "could not generate prime q";
-	
-    mpz_init(t);
-
-    /* Swapping primes so p is larger then q */
-    if (mpz_cmp(p, q) < 0) 
-    {
-	DBG(DBG_CONTROLMORE,
-	    DBG_log("swapping primes so p is the larger...")
-	);
-	mpz_set(t, p);
-	mpz_set(p, q);
-	mpz_set(q, t);
-    }
-	
-    DBG(DBG_CONTROLMORE,
-	DBG_log("computing modulus...")
-    )
-    mpz_init(n);
-    /* n = p*q */
-    mpz_mul(n, p, q);
-
-    /* Assign e the value of defined PUBLIC_EXPONENT */
-    mpz_init_set_ui(e, PUBLIC_EXPONENT);
-
-    DBG(DBG_CONTROLMORE,
-	DBG_log("computing lcm(p-1, q-1)...")
-    )
-    /* m = p */
-    mpz_init_set(m, p);
-    /* m = m-1 */
-    mpz_sub_ui(m, m, 1);
-    /* q1 = q */
-    mpz_init_set(q1, q);
-    /* q1 = q1-1 */
-    mpz_sub_ui(q1, q1, 1);
-    /* t = gcd(p-1, q-1) */
-    mpz_gcd(t, m, q1);
-    /* m = (p-1)*(q-1) */
-    mpz_mul(m, m, q1);
-    /* m = m / t */
-    mpz_divexact(m, m, t);
-    /* t = gcd(m, e) (greatest common divisor) */
-    mpz_gcd(t, m, e);
-    /* m and e relatively prime */
-    assert(mpz_cmp_ui(t, 1) == 0);
-
-    /* decryption key */
-    DBG(DBG_CONTROLMORE,
-	DBG_log("computing d...")
-    )
-    mpz_init(d);
-    /* e has an inverse mod m */
-    assert(mpz_invert(d, e, m));
-
-    /* make sure d is positive */
-    if (mpz_cmp_ui(d, 0) < 0)
-	mpz_add(d, d, m);
-
-    /* d has to be positive */	
-    assert(mpz_cmp(d, m) < 0);
-
-    /* the speedup hacks */
-    DBG(DBG_CONTROLMORE,
-	DBG_log("computing exp1, exp1, coeff...")
-    )
-    mpz_init(exp1);
-    /* t = p-1 */
-    mpz_sub_ui(t, p, 1);
-    /* exp1 = d mod p-1 */
-    mpz_mod(exp1, d, t);
-
-    mpz_init(exp2);
-    /* t = q-1 */
-    mpz_sub_ui(t, q, 1);
-    /* exp2 = d mod q-1 */
-    mpz_mod(exp2, d, t);
-
-    mpz_init(coeff);
-    /* coeff = q^-1 mod p */
-    mpz_invert(coeff, q, p);
-
-    /* make sure coeff is positive */
-    if (mpz_cmp_ui(coeff, 0) < 0)
-	mpz_add(coeff, coeff, p);
-
-    /* coeff has to be positive */
-    assert(mpz_cmp(coeff, p) < 0);
-
-    /* Clear temporary variables */
-	mpz_clear(q1);
-	mpz_clear(m);
-	mpz_clear(t);
-
-    /* form FreeS/WAN keyid */
-    {
-	size_t e_len = (mpz_sizeinbase(e,2)+BITS_PER_BYTE-1)/BITS_PER_BYTE;
-	size_t n_len = (mpz_sizeinbase(n,2)+BITS_PER_BYTE-1)/BITS_PER_BYTE;
-	chunk_t e_ch = mpz_to_n(e, e_len);
-	chunk_t n_ch = mpz_to_n(n, n_len);
-	form_keyid(e_ch, n_ch, key->pub.keyid, &key->pub.k);
-	freeanychunk(e_ch);
-	freeanychunk(n_ch);
-    }
-    /* fill in the elements of the RSA private key */
-    key->p = *p;
-    key->q = *q;
-    key->pub.n = *n;
-    key->pub.e = *e;
-    key->d = *d;
-    key->dP = *exp1;
-    key->dQ = *exp2;
-    key->qInv = *coeff;
-
-    DBG(DBG_CONTROL,
-	DBG_log("RSA key *%s generated with %d bits", key->pub.keyid
-	    , (int)mpz_sizeinbase(n,2))
-    )
-
-#ifdef DEBUG
-    DBG(DBG_PRIVATE,
-	RSA_show_private_key(key)
-    )
-#endif
-    return NULL;
-}
diff --git a/src/scepclient/rsakey.h b/src/scepclient/rsakey.h
deleted file mode 100644
index 3e3156d81..000000000
--- a/src/scepclient/rsakey.h
+++ /dev/null
@@ -1,31 +0,0 @@
-/**
- * @file rsakey.h
- * @brief Functions for RSA key generation 
- */
-
-/* 
- * Copyright (C) 1999, 2000, 2001  Henry Spencer.
- * Copyright (C) 2005 Jan Hutter, Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- *
- * $Id: rsakey.h,v 1.2 2005/08/11 21:52:56 as Exp $
- */
- 
-#ifndef RSAKEY_H_
-#define RSAKEY_H_
-
-#include "../pluto/pkcs1.h"
-
-extern err_t generate_rsa_private_key(int nbits, RSA_private_key_t *key);
-
-#endif // RSAKEY_H_
diff --git a/src/scepclient/scep.c b/src/scepclient/scep.c
index 1b01044df..a788c6f41 100644
--- a/src/scepclient/scep.c
+++ b/src/scepclient/scep.c
@@ -24,575 +24,533 @@
 #include <stdlib.h>
 
 #include <freeswan.h>
-#include <asn1/oid.h>
 
-#ifdef LIBCURL
-#include <curl/curl.h>
-#endif
+#include <library.h>
+#include <asn1/asn1.h>
+#include <asn1/asn1_parser.h>
+#include <asn1/oid.h>
+#include <crypto/rngs/rng.h>
+#include <crypto/hashers/hasher.h>
 
 #include "../pluto/constants.h"
 #include "../pluto/defs.h"
-#include "../pluto/rnd.h"
-#include "../pluto/asn1.h"
-#include "../pluto/pkcs1.h"
 #include "../pluto/fetch.h"
 #include "../pluto/log.h"
 
 #include "scep.h"
 
 static char ASN1_messageType_oid_str[] = {
-    0x06, 0x0A, 0x60, 0x86, 0x48, 0x01, 0x86, 0xF8, 0x45, 0x01, 0x09, 0x02
+	0x06, 0x0A, 0x60, 0x86, 0x48, 0x01, 0x86, 0xF8, 0x45, 0x01, 0x09, 0x02
 };
 
 static char ASN1_senderNonce_oid_str[] = {
-    0x06, 0x0A, 0x60, 0x86, 0x48, 0x01, 0x86, 0xF8, 0x45, 0x01, 0x09, 0x05
+	0x06, 0x0A, 0x60, 0x86, 0x48, 0x01, 0x86, 0xF8, 0x45, 0x01, 0x09, 0x05
 };
 
 static char ASN1_transId_oid_str[] = {
-    0x06, 0x0A, 0x60, 0x86, 0x48, 0x01, 0x86, 0xF8, 0x45, 0x01, 0x09, 0x07
+	0x06, 0x0A, 0x60, 0x86, 0x48, 0x01, 0x86, 0xF8, 0x45, 0x01, 0x09, 0x07
 };
 
 static const chunk_t ASN1_messageType_oid =
-			strchunk(ASN1_messageType_oid_str);
+						chunk_from_buf(ASN1_messageType_oid_str);
 static const chunk_t ASN1_senderNonce_oid =
-			strchunk(ASN1_senderNonce_oid_str);
+						chunk_from_buf(ASN1_senderNonce_oid_str);
 static const chunk_t ASN1_transId_oid =
-			strchunk(ASN1_transId_oid_str);
+						chunk_from_buf(ASN1_transId_oid_str);
 
 static const char *pkiStatus_values[] = { "0", "2", "3" };
 
 static const char *pkiStatus_names[] = {
-   "SUCCESS",
-   "FAILURE",
-   "PENDING",
-   "UNKNOWN"
+	"SUCCESS",
+	"FAILURE",
+	"PENDING",
+	"UNKNOWN"
 };
 
 static const char *msgType_values[] = { "3", "19", "20", "21", "22" };
 
 static const char *msgType_names[] = {
-  "CertRep",
-  "PKCSReq",
-  "GetCertInitial",
-  "GetCert",
-  "GetCRL",
-  "Unknown"
+	"CertRep",
+	"PKCSReq",
+	"GetCertInitial",
+	"GetCert",
+	"GetCRL",
+	"Unknown"
 };
 
 static const char *failInfo_reasons[] = {
-  "badAlg - unrecognized or unsupported algorithm identifier",
-  "badMessageCheck - integrity check failed",
-  "badRequest - transaction not permitted or supported",
-  "badTime - Message time field was not sufficiently close to the system time",
-  "badCertId - No certificate could be identified matching the provided criteria"
+	"badAlg - unrecognized or unsupported algorithm identifier",
+	"badMessageCheck - integrity check failed",
+	"badRequest - transaction not permitted or supported",
+	"badTime - Message time field was not sufficiently close to the system time",
+	"badCertId - No certificate could be identified matching the provided criteria"
 };
 
 const scep_attributes_t empty_scep_attributes = {
-  SCEP_Unknown_MSG   , /* msgType */
-  SCEP_UNKNOWN       , /* pkiStatus */
-  SCEP_unknown_REASON, /* failInfo */
-  { NULL, 0 }        , /* transID */
-  { NULL, 0 }        , /* senderNonce */
-  { NULL, 0 }        , /* recipientNonce */
+	SCEP_Unknown_MSG   , /* msgType */
+	SCEP_UNKNOWN       , /* pkiStatus */
+	SCEP_unknown_REASON, /* failInfo */
+	{ NULL, 0 }        , /* transID */
+	{ NULL, 0 }        , /* senderNonce */
+	{ NULL, 0 }        , /* recipientNonce */
 };
 
 /* ASN.1 definition of the X.501 atttribute type */
 
 static const asn1Object_t attributesObjects[] = {
-  { 0, "attributes",	ASN1_SET,	ASN1_LOOP }, /* 0 */
-  { 1,   "attribute",	ASN1_SEQUENCE,	ASN1_NONE }, /* 1 */
-  { 2,     "type", 	ASN1_OID,	ASN1_BODY }, /* 2 */
-  { 2,     "values", 	ASN1_SET,	ASN1_LOOP }, /* 3 */
-  { 3,       "value", 	ASN1_EOC,	ASN1_RAW  }, /* 4 */
-  { 2,     "end loop", 	ASN1_EOC,	ASN1_END  }, /* 5 */
-  { 0, "end loop", 	ASN1_EOC,	ASN1_END  }, /* 6 */
+	{ 0, "attributes",    ASN1_SET,       ASN1_LOOP }, /* 0 */
+	{ 1,   "attribute",   ASN1_SEQUENCE,  ASN1_NONE }, /* 1 */
+	{ 2,     "type",      ASN1_OID,       ASN1_BODY }, /* 2 */
+	{ 2,     "values",    ASN1_SET,       ASN1_LOOP }, /* 3 */
+	{ 3,       "value",   ASN1_EOC,       ASN1_RAW  }, /* 4 */
+	{ 2,     "end loop",  ASN1_EOC,       ASN1_END  }, /* 5 */
+	{ 0, "end loop",      ASN1_EOC,       ASN1_END  }, /* 6 */
+	{ 0, "exit",          ASN1_EOC,       ASN1_EXIT	}
 };
+#define ATTRIBUTE_OBJ_TYPE      2
+#define ATTRIBUTE_OBJ_VALUE     4
 
-#define ATTRIBUTE_OBJ_TYPE 	2
-#define ATTRIBUTE_OBJ_VALUE	4
-#define ATTRIBUTE_OBJ_ROOF	7
-
-/*
- * extract and store an attribute
+/**
+ * Extract and store an attribute
  */
-static bool
-extract_attribute(int oid, chunk_t object, u_int level
-, scep_attributes_t *attrs)
+static bool extract_attribute(int oid, chunk_t object, u_int level,
+							  scep_attributes_t *attrs)
 {
-    asn1_t type = ASN1_EOC;
-    const char *name = "none";
-
-    switch (oid)
-    {
-    case OID_PKCS9_CONTENT_TYPE:
-	type = ASN1_OID;
-	name = "contentType";
-	break;
-    case OID_PKCS9_SIGNING_TIME:
-	type = ASN1_UTCTIME;
-	name = "signingTime";
-	break;
-    case OID_PKCS9_MESSAGE_DIGEST:
-	type = ASN1_OCTET_STRING;
-	name = "messageDigest";
-	break;
-    case OID_PKI_MESSAGE_TYPE:
-	type = ASN1_PRINTABLESTRING;
-	name = "messageType";
-	break;
-    case OID_PKI_STATUS:
-	type = ASN1_PRINTABLESTRING;
-	name = "pkiStatus";
-	break;
-    case OID_PKI_FAIL_INFO:
-	type = ASN1_PRINTABLESTRING;
-	name = "failInfo";
-	break;
-    case OID_PKI_SENDER_NONCE:
-	type = ASN1_OCTET_STRING;
-	name = "senderNonce";
-	 break;
-    case OID_PKI_RECIPIENT_NONCE:
-	type = ASN1_OCTET_STRING;
-	name = "recipientNonce";
-	break;
-    case OID_PKI_TRANS_ID:
-	type = ASN1_PRINTABLESTRING;
-	name = "transID";
-	break;
-    default:
-	break;
-    }
-
-    if (type == ASN1_EOC)
-	return TRUE;
+	asn1_t type = ASN1_EOC;
+	const char *name = "none";
 
-    if (!parse_asn1_simple_object(&object, type, level+1, name))
-	return FALSE;
-
-    switch (oid)
-    {
-    case OID_PKCS9_CONTENT_TYPE:
-	break;
-    case OID_PKCS9_SIGNING_TIME:
-	break;
-    case OID_PKCS9_MESSAGE_DIGEST:
-	break;
-    case OID_PKI_MESSAGE_TYPE:
-	{
-	    scep_msg_t m;
-
-	    for (m = SCEP_CertRep_MSG; m < SCEP_Unknown_MSG; m++)
-	    {
-		if (strncmp(msgType_values[m], object.ptr, object.len) == 0)
-		    attrs->msgType = m;
-	    }
-	    DBG(DBG_CONTROL,
-		DBG_log("messageType:  %s", msgType_names[attrs->msgType])
-	    )
-	}
-	break;
-    case OID_PKI_STATUS:
+	switch (oid)
 	{
-	    pkiStatus_t s;
-
-	    for (s = SCEP_SUCCESS; s < SCEP_UNKNOWN; s++)
-	    {
-		if (strncmp(pkiStatus_values[s], object.ptr, object.len) == 0)
-		    attrs->pkiStatus = s;
-	    }
-	    DBG(DBG_CONTROL,
-		DBG_log("pkiStatus:    %s", pkiStatus_names[attrs->pkiStatus])
-	    )
+	case OID_PKCS9_CONTENT_TYPE:
+		type = ASN1_OID;
+		name = "contentType";
+		break;
+	case OID_PKCS9_SIGNING_TIME:
+		type = ASN1_UTCTIME;
+		name = "signingTime";
+		break;
+	case OID_PKCS9_MESSAGE_DIGEST:
+		type = ASN1_OCTET_STRING;
+		name = "messageDigest";
+		break;
+	case OID_PKI_MESSAGE_TYPE:
+		type = ASN1_PRINTABLESTRING;
+		name = "messageType";
+		break;
+	case OID_PKI_STATUS:
+		type = ASN1_PRINTABLESTRING;
+		name = "pkiStatus";
+		break;
+	case OID_PKI_FAIL_INFO:
+		type = ASN1_PRINTABLESTRING;
+		name = "failInfo";
+		break;
+	case OID_PKI_SENDER_NONCE:
+		type = ASN1_OCTET_STRING;
+		name = "senderNonce";
+		 break;
+	case OID_PKI_RECIPIENT_NONCE:
+		type = ASN1_OCTET_STRING;
+		name = "recipientNonce";
+		break;
+	case OID_PKI_TRANS_ID:
+		type = ASN1_PRINTABLESTRING;
+		name = "transID";
+		break;
+	default:
+		break;
 	}
-	break;
-    case OID_PKI_FAIL_INFO:
-	if (object.len == 1
-	&& *object.ptr >= '0' && *object.ptr <= '4')
+
+	if (type == ASN1_EOC)
+		return TRUE;
+
+	if (!asn1_parse_simple_object(&object, type, level+1, name))
+		return FALSE;
+
+	switch (oid)
 	{
-	    attrs->failInfo = (failInfo_t)(*object.ptr - '0');
+	case OID_PKCS9_CONTENT_TYPE:
+		break;
+	case OID_PKCS9_SIGNING_TIME:
+		break;
+	case OID_PKCS9_MESSAGE_DIGEST:
+		break;
+	case OID_PKI_MESSAGE_TYPE:
+		{
+			scep_msg_t m;
+
+			for (m = SCEP_CertRep_MSG; m < SCEP_Unknown_MSG; m++)
+			{
+				if (strncmp(msgType_values[m], object.ptr, object.len) == 0)
+					attrs->msgType = m;
+			}
+			DBG(DBG_CONTROL,
+				DBG_log("messageType:  %s", msgType_names[attrs->msgType])
+			)
+		}
+		break;
+	case OID_PKI_STATUS:
+		{
+			pkiStatus_t s;
+
+			for (s = SCEP_SUCCESS; s < SCEP_UNKNOWN; s++)
+			{
+				if (strncmp(pkiStatus_values[s], object.ptr, object.len) == 0)
+					attrs->pkiStatus = s;
+			}
+			DBG(DBG_CONTROL,
+				DBG_log("pkiStatus:    %s", pkiStatus_names[attrs->pkiStatus])
+			)
+		}
+		break;
+	case OID_PKI_FAIL_INFO:
+		if (object.len == 1
+		&& *object.ptr >= '0' && *object.ptr <= '4')
+		{
+			attrs->failInfo = (failInfo_t)(*object.ptr - '0');
+		}
+		if (attrs->failInfo != SCEP_unknown_REASON)
+			plog("failInfo:     %s", failInfo_reasons[attrs->failInfo]);
+		break;
+	case OID_PKI_SENDER_NONCE:
+		attrs->senderNonce = object;
+		break;
+	case OID_PKI_RECIPIENT_NONCE:
+		attrs->recipientNonce = object;
+		break;
+	case OID_PKI_TRANS_ID:
+		attrs->transID = object;
 	}
-        if (attrs->failInfo != SCEP_unknown_REASON)
-	    plog("failInfo:     %s", failInfo_reasons[attrs->failInfo]);
-	break;
-    case OID_PKI_SENDER_NONCE:
-	attrs->senderNonce = object;
-	break;
-    case OID_PKI_RECIPIENT_NONCE:
-	attrs->recipientNonce = object;
-	break;
-    case OID_PKI_TRANS_ID:
-	attrs->transID = object;
-    }
-    return TRUE;
+	return TRUE;
 }
 
-/*
- * parse X.501 attributes
+/**
+ * Parse X.501 attributes
  */
-bool
-parse_attributes(chunk_t blob, scep_attributes_t *attrs)
+bool parse_attributes(chunk_t blob, scep_attributes_t *attrs)
 {
-    asn1_ctx_t ctx;
-    chunk_t object;
-    u_int level;
-    int oid = OID_UNKNOWN;
-    int objectID = 0;
-
-    asn1_init(&ctx, blob, 0, FALSE, DBG_RAW);
-
-    DBG(DBG_CONTROL | DBG_PARSING,
-	DBG_log("parsing attributes")
-    )
-    while (objectID < ATTRIBUTE_OBJ_ROOF)
-    {
-	if (!extract_object(attributesObjects, &objectID
-			   , &object, &level, &ctx))
-	     return FALSE;
-
-	switch (objectID)
+	asn1_parser_t *parser;
+	chunk_t object;
+	int oid = OID_UNKNOWN;
+	int objectID;
+	bool success = FALSE;
+
+	parser = asn1_parser_create(attributesObjects, blob);
+	DBG(DBG_CONTROL | DBG_PARSING,
+		DBG_log("parsing attributes")
+	)
+	
+	while (parser->iterate(parser, &objectID, &object))
 	{
-	case ATTRIBUTE_OBJ_TYPE:
-	    oid = known_oid(object);
-	    break;
-	case ATTRIBUTE_OBJ_VALUE:
-	   if (!extract_attribute(oid, object, level, attrs))
-		return FALSE;
+		switch (objectID)
+		{
+		case ATTRIBUTE_OBJ_TYPE:
+			oid = asn1_known_oid(object);
+			break;
+		case ATTRIBUTE_OBJ_VALUE:
+			if (!extract_attribute(oid, object, parser->get_level(parser), attrs))
+			{
+				goto end;
+			}
+		}
 	}
-	objectID++;
-    }
-    return TRUE;
+	success = parser->success(parser);
+	
+end:
+	parser->destroy(parser);
+	return success;
 }
 
-/* generates a unique fingerprint of the pkcs10 request 
+/**
+ * Generates a unique fingerprint of the pkcs10 request 
  * by computing an MD5 hash over it
  */
-void
-scep_generate_pkcs10_fingerprint(chunk_t pkcs10, chunk_t *fingerprint)
+chunk_t scep_generate_pkcs10_fingerprint(chunk_t pkcs10)
 {
-    char buf[MD5_DIGEST_SIZE];
-    chunk_t digest = { buf, sizeof(buf) };
-
-    /* the fingerprint is the MD5 hash in hexadecimal format */
-    compute_digest(pkcs10, OID_MD5, &digest);
-    fingerprint->len = 2*digest.len;
-    fingerprint->ptr = alloc_bytes(fingerprint->len + 1, "fingerprint");
-    datatot(digest.ptr, digest.len, 16, fingerprint->ptr, fingerprint->len + 1);
+	char digest_buf[HASH_SIZE_MD5];
+	chunk_t digest = chunk_from_buf(digest_buf);
+	hasher_t *hasher;
+
+	hasher = lib->crypto->create_hasher(lib->crypto, HASH_MD5);
+	hasher->get_hash(hasher, pkcs10, digest_buf);
+	hasher->destroy(hasher);
+
+	return chunk_to_hex(digest, NULL, FALSE);
 }
 
-/* generate a transaction id as the MD5 hash of an public key
+/**
+ * Generate a transaction id as the MD5 hash of an public key
  * the transaction id is also used as a unique serial number
  */
-void
-scep_generate_transaction_id(const RSA_public_key_t *rsak
-, chunk_t *transID, chunk_t *serialNumber)
+void scep_generate_transaction_id(public_key_t *key, chunk_t *transID,
+								  chunk_t *serialNumber)
 {
-    char buf[MD5_DIGEST_SIZE];
-
-    chunk_t digest = { buf, sizeof(buf) };
-    chunk_t public_key = pkcs1_build_publicKeyInfo(rsak);
+	char digest_buf[HASH_SIZE_MD5];
+	chunk_t digest = chunk_from_buf(digest_buf);
+	chunk_t keyEncoding, keyInfo;
+	hasher_t *hasher;
+	bool msb_set;
+	u_char *pos;
+	
+	keyEncoding = key->get_encoding(key);
 
-    bool msb_set;
-    u_char *pos;
+	keyInfo = asn1_wrap(ASN1_SEQUENCE, "cm",
+						asn1_algorithmIdentifier(OID_RSA_ENCRYPTION), 
+						asn1_bitstring("m", keyEncoding));	
 
-    compute_digest(public_key, OID_MD5, &digest);
-    pfree(public_key.ptr);
+	hasher = lib->crypto->create_hasher(lib->crypto, HASH_MD5);
+	hasher->get_hash(hasher, keyInfo, digest_buf);
+	hasher->destroy(hasher);
+	free(keyInfo.ptr);
 
-    /* is the most significant bit of the digest set? */
-    msb_set = (*digest.ptr & 0x80) == 0x80;
+	/* is the most significant bit of the digest set? */
+	msb_set = (*digest.ptr & 0x80) == 0x80;
 
-    /* allocate space for the serialNumber */
-    serialNumber->len = msb_set + digest.len;
-    serialNumber->ptr = alloc_bytes(serialNumber->len, "serialNumber");
+	/* allocate space for the serialNumber */
+	serialNumber->len = msb_set + digest.len;
+	serialNumber->ptr = malloc(serialNumber->len);
 
-    /* the serial number as the two's complement of the digest */
-    pos = serialNumber->ptr;
-    if (msb_set)
-    {
-	*pos++ = 0x00;
-    }
-    memcpy(pos, digest.ptr, digest.len);
+	/* the serial number as the two's complement of the digest */
+	pos = serialNumber->ptr;
+	if (msb_set)
+	{
+		*pos++ = 0x00;
+	}
+	memcpy(pos, digest.ptr, digest.len);
 
-    /* the transaction id is the serial number in hex format */
-    transID->len = 2*digest.len;
-    transID->ptr = alloc_bytes(transID->len + 1, "transID");
-    datatot(digest.ptr, digest.len, 16, transID->ptr, transID->len + 1);
+	/* the transaction id is the serial number in hex format */
+	transID->len = 2*digest.len;
+	transID->ptr = malloc(transID->len + 1);
+	datatot(digest.ptr, digest.len, 16, transID->ptr, transID->len + 1);
 }
 
-/*
- * builds a transId attribute
+/**
+ * Builds a transId attribute
  */
-chunk_t
-scep_transId_attribute(chunk_t transID)
+chunk_t scep_transId_attribute(chunk_t transID)
 {
-    return asn1_wrap(ASN1_SEQUENCE, "cm"
-		, ASN1_transId_oid
-		, asn1_wrap(ASN1_SET, "m"
-		    , asn1_simple_object(ASN1_PRINTABLESTRING, transID)
-		  )
-	      );
+	return asn1_wrap(ASN1_SEQUENCE, "cm"
+				, ASN1_transId_oid
+				, asn1_wrap(ASN1_SET, "m"
+					, asn1_simple_object(ASN1_PRINTABLESTRING, transID)
+				  )
+			  );
 }
 
-/*
- * builds a messageType attribute
+/**
+ * Builds a messageType attribute
  */
-chunk_t
-scep_messageType_attribute(scep_msg_t m)
+chunk_t scep_messageType_attribute(scep_msg_t m)
 {
-    chunk_t msgType = {
-	(u_char*)msgType_values[m],
-	strlen(msgType_values[m])
-    };
-
-    return asn1_wrap(ASN1_SEQUENCE, "cm"
-		, ASN1_messageType_oid
-		, asn1_wrap(ASN1_SET, "m"
-		    , asn1_simple_object(ASN1_PRINTABLESTRING, msgType)
-		  )
-	      );
+	chunk_t msgType = {
+		(u_char*)msgType_values[m],
+		strlen(msgType_values[m])
+	};
+
+	return asn1_wrap(ASN1_SEQUENCE, "cm"
+				, ASN1_messageType_oid
+				, asn1_wrap(ASN1_SET, "m"
+					, asn1_simple_object(ASN1_PRINTABLESTRING, msgType)
+				  )
+			  );
 }
 
-/*
- * builds a senderNonce attribute
+/**
+ * Builds a senderNonce attribute
  */
-chunk_t
-scep_senderNonce_attribute(void)
+chunk_t scep_senderNonce_attribute(void)
 {
-    const size_t nonce_len = 16;
-    u_char nonce_buf[nonce_len];
-    chunk_t senderNonce = { nonce_buf, nonce_len };
-
-    get_rnd_bytes(nonce_buf, nonce_len);
- 
-    return asn1_wrap(ASN1_SEQUENCE, "cm"
-		, ASN1_senderNonce_oid
-		, asn1_wrap(ASN1_SET, "m"
-		    , asn1_simple_object(ASN1_OCTET_STRING, senderNonce)
-		  )
-	      );
+	const size_t nonce_len = 16;
+	u_char nonce_buf[nonce_len];
+	chunk_t senderNonce = { nonce_buf, nonce_len };
+	rng_t *rng;
+
+	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
+	rng->get_bytes(rng, nonce_len, nonce_buf);
+	rng->destroy(rng);
+
+	return asn1_wrap(ASN1_SEQUENCE, "cm"
+				, ASN1_senderNonce_oid
+				, asn1_wrap(ASN1_SET, "m"
+					, asn1_simple_object(ASN1_OCTET_STRING, senderNonce)
+				  )
+			  );
 }
 
-/*
- * builds a pkcs7 enveloped and signed scep request
+/**
+ * Builds a pkcs7 enveloped and signed scep request
  */
-chunk_t
-scep_build_request(chunk_t data, chunk_t transID, scep_msg_t msg
-, const x509cert_t *enc_cert, int enc_alg
-, const x509cert_t *signer_cert, int digest_alg
-, const RSA_private_key_t *private_key)
+chunk_t scep_build_request(chunk_t data, chunk_t transID, scep_msg_t msg,
+						   const x509cert_t *enc_cert, int enc_alg,
+						   const x509cert_t *signer_cert, int digest_alg,
+						   private_key_t *private_key)
 {
-    chunk_t envelopedData, attributes, request;
-
-    envelopedData = pkcs7_build_envelopedData(data, enc_cert, enc_alg);
-
-    attributes = asn1_wrap(ASN1_SET, "mmmmm"
-		    , pkcs7_contentType_attribute()
-		    , pkcs7_messageDigest_attribute(envelopedData
-			, digest_alg)
-		    , scep_transId_attribute(transID)
-		    , scep_messageType_attribute(msg)
-		    , scep_senderNonce_attribute());
-
-    request = pkcs7_build_signedData(envelopedData, attributes
-		    , signer_cert, digest_alg, private_key);
-    freeanychunk(envelopedData);
-    freeanychunk(attributes);
-    return request;
+	chunk_t envelopedData, attributes, request;
+
+	envelopedData = pkcs7_build_envelopedData(data, enc_cert, enc_alg);
+
+	attributes = asn1_wrap(ASN1_SET, "mmmmm"
+					, pkcs7_contentType_attribute()
+					, pkcs7_messageDigest_attribute(envelopedData
+						, digest_alg)
+					, scep_transId_attribute(transID)
+					, scep_messageType_attribute(msg)
+					, scep_senderNonce_attribute());
+
+	request = pkcs7_build_signedData(envelopedData, attributes
+					, signer_cert, digest_alg, private_key);
+	free(envelopedData.ptr);
+	free(attributes.ptr);
+	return request;
 }
 
-#ifdef LIBCURL
-/* converts a binary request to base64 with 64 characters per line
+/**
+ * Converts a binary request to base64 with 64 characters per line
  * newline and '+' characters are escaped by %0A and %2B, respectively
  */
-static char*
-escape_http_request(chunk_t req)
+static char* escape_http_request(chunk_t req)
 {
-    char *escaped_req = NULL;
-    char *p1, *p2;
-    int lines = 0;
-    int plus  = 0;
-    int n     = 0;
-
-    /* compute and allocate the size of the base64-encoded request */
-    int len = 1 + 4*((req.len + 2)/3);
-    char *encoded_req = alloc_bytes(len, "encoded request");
-
-    /* do the base64 conversion */
-    len = datatot(req.ptr, req.len, 64, encoded_req, len);
-
-    /* compute newline characters to be inserted every 64 characters */
-    lines = (len - 2) / 64;
-
-    /* count number of + characters to be escaped */
-    p1 = encoded_req;
-    while (*p1 != '\0')
-    {
-	if (*p1++ == '+')
-	    plus++;
-    }
-
-    escaped_req = alloc_bytes(len + 3*(lines + plus), "escaped request");
-
-    /* escape special characters in the request */
-    p1 = encoded_req;
-    p2 = escaped_req;
-    while (*p1 != '\0')
-    {
-	if (n == 64)
-	{
-	    memcpy(p2, "%0A", 3);
-	    p2 += 3;
-	    n = 0;
-	}
-	if (*p1 == '+')
+	char *escaped_req = NULL;
+	char *p1, *p2;
+	int lines = 0;
+	int plus  = 0;
+	int n     = 0;
+
+	/* compute and allocate the size of the base64-encoded request */
+	int len = 1 + 4*((req.len + 2)/3);
+	char *encoded_req = malloc(len);
+
+	/* do the base64 conversion */
+	len = datatot(req.ptr, req.len, 64, encoded_req, len);
+
+	/* compute newline characters to be inserted every 64 characters */
+	lines = (len - 2) / 64;
+
+	/* count number of + characters to be escaped */
+	p1 = encoded_req;
+	while (*p1 != '\0')
 	{
-	    memcpy(p2, "%2B", 3);
-	    p2 += 3;
+		if (*p1++ == '+')
+			plus++;
 	}
-	else
+
+	escaped_req = malloc(len + 3*(lines + plus));
+
+	/* escape special characters in the request */
+	p1 = encoded_req;
+	p2 = escaped_req;
+	while (*p1 != '\0')
 	{
-	    *p2++ = *p1;
+		if (n == 64)
+		{
+			memcpy(p2, "%0A", 3);
+			p2 += 3;
+			n = 0;
+		}
+		if (*p1 == '+')
+		{
+			memcpy(p2, "%2B", 3);
+			p2 += 3;
+		}
+		else
+		{
+			*p2++ = *p1;
+		}
+		p1++;
+		n++;
 	}
-	p1++;
-	n++;
-    }
-    *p2 = '\0';
-    pfreeany(encoded_req);
-    return escaped_req;
+	*p2 = '\0';
+	free(encoded_req);
+	return escaped_req;
 }
-#endif
 
-/*
- * send a SCEP request via HTTP and wait for a response
+/**
+ * Send a SCEP request via HTTP and wait for a response
  */
-bool
-scep_http_request(const char *url, chunk_t pkcs7, scep_op_t op
-, fetch_request_t req_type, chunk_t *response)
+bool scep_http_request(const char *url, chunk_t pkcs7, scep_op_t op,
+					   bool http_get_request, chunk_t *response)
 {
-#ifdef LIBCURL
-    char errorbuffer[CURL_ERROR_SIZE] = "";
-    char *complete_url = NULL;
-    struct curl_slist *headers = NULL;
-    CURL *curl;
-    CURLcode res;
-
-    /* initialize response */
-    *response = empty_chunk;
-
-    /* initialize curl context */
-    curl = curl_easy_init();
-    if (curl == NULL)
-    {
-	plog("could not initialize curl context");
-	return FALSE;
-    }
-
-    if (op == SCEP_PKI_OPERATION)
-    {
-	const char operation[] = "PKIOperation";
-
-	if (req_type == FETCH_GET)
+	int len;
+	status_t status;
+	char *complete_url = NULL;
+
+	/* initialize response */
+	*response = chunk_empty;
+
+	DBG(DBG_CONTROL,
+		DBG_log("sending scep request to '%s'", url)
+	)
+
+	if (op == SCEP_PKI_OPERATION)
 	{
-	    char *escaped_req = escape_http_request(pkcs7);
-
-	    /* form complete url */
-	    int len = strlen(url) + 20 + strlen(operation) + strlen(escaped_req) + 1;
-
-	    complete_url = alloc_bytes(len, "complete url");
-	    snprintf(complete_url, len, "%s?operation=%s&message=%s"
-		    , url, operation, escaped_req);
-	    pfreeany(escaped_req);
-
-	    curl_easy_setopt(curl, CURLOPT_HTTPGET, TRUE);
-	    headers = curl_slist_append(headers, "Pragma:");
-	    headers = curl_slist_append(headers, "Host:");
-	    headers = curl_slist_append(headers, "Accept:");
-	    curl_easy_setopt(curl, CURLOPT_HTTPHEADER, headers); 
-	    curl_easy_setopt(curl, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_0);
+		const char operation[] = "PKIOperation";
+
+		if (http_get_request)
+		{
+			char *escaped_req = escape_http_request(pkcs7);
+
+			/* form complete url */
+			len = strlen(url) + 20 + strlen(operation) + strlen(escaped_req) + 1;
+			complete_url = malloc(len);
+			snprintf(complete_url, len, "%s?operation=%s&message=%s"
+					, url, operation, escaped_req);
+			free(escaped_req);
+
+			status = lib->fetcher->fetch(lib->fetcher, complete_url, response,
+										 FETCH_HTTP_VERSION_1_0, 
+										 FETCH_REQUEST_HEADER, "Pragma:",
+										 FETCH_REQUEST_HEADER, "Host:",
+										 FETCH_REQUEST_HEADER, "Accept:",
+										 FETCH_END);
+		}
+		else /* HTTP_POST */
+		{
+			/* form complete url */
+			len = strlen(url) + 11 + strlen(operation) + 1;
+			complete_url = malloc(len);
+			snprintf(complete_url, len, "%s?operation=%s", url, operation);
+
+			status = lib->fetcher->fetch(lib->fetcher, complete_url, response, 
+										 FETCH_REQUEST_DATA, pkcs7,
+										 FETCH_REQUEST_TYPE, "",
+										 FETCH_REQUEST_HEADER, "Expect:",
+										 FETCH_END);
+		}
 	}
-	else /* HTTP_POST */
+	else  /* SCEP_GET_CA_CERT */
 	{
-	    /* form complete url */
-	    int len = strlen(url) + 11 + strlen(operation) + 1;
-
-	    complete_url = alloc_bytes(len, "complete url");
-	    snprintf(complete_url, len, "%s?operation=%s", url, operation);
-
-	    curl_easy_setopt(curl, CURLOPT_HTTPGET, FALSE);
-	    headers = curl_slist_append(headers, "Content-Type:");
-	    headers = curl_slist_append(headers, "Expect:");
-	    curl_easy_setopt(curl, CURLOPT_HTTPHEADER, headers); 
-	    curl_easy_setopt(curl, CURLOPT_POSTFIELDS, (char*)pkcs7.ptr);
-	    curl_easy_setopt(curl, CURLOPT_POSTFIELDSIZE, pkcs7.len);
+		const char operation[] = "GetCACert";
+
+		/* form complete url */
+		len = strlen(url) + 32 + strlen(operation) + 1;
+		complete_url = malloc(len);
+		snprintf(complete_url, len, "%s?operation=%s&message=CAIdentifier"
+				, url, operation);
+
+		status = lib->fetcher->fetch(lib->fetcher, complete_url, response, 
+									 FETCH_END);
 	}
-    }
-    else  /* SCEP_GET_CA_CERT */
-    {
-	const char operation[] = "GetCACert";
-
-	/* form complete url */
-	int len = strlen(url) + 32 + strlen(operation) + 1;
-
-	complete_url = alloc_bytes(len, "complete url");
-	snprintf(complete_url, len, "%s?operation=%s&message=CAIdentifier"
-		, url, operation);
-
-	curl_easy_setopt(curl, CURLOPT_HTTPGET, TRUE);
-    }
-
-    curl_easy_setopt(curl, CURLOPT_URL, complete_url);
-    curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, write_buffer);
-    curl_easy_setopt(curl, CURLOPT_WRITEDATA, (void *)response);
-    curl_easy_setopt(curl, CURLOPT_ERRORBUFFER, errorbuffer);
-    curl_easy_setopt(curl, CURLOPT_FAILONERROR, TRUE);
-    curl_easy_setopt(curl, CURLOPT_CONNECTTIMEOUT, FETCH_CMD_TIMEOUT);
-	
-    DBG(DBG_CONTROL,
-	DBG_log("sending scep request to '%s'", url)
-    )
-    res = curl_easy_perform(curl);
-	
-    if (res == CURLE_OK)
-    {
-	DBG(DBG_CONTROL,
-	    DBG_log("received scep response")
-	)
-	DBG(DBG_RAW,
-	    DBG_dump_chunk("SCEP response:\n", *response)
-	)
-    }
-    else
-    {
-	plog("failed to fetch scep response from '%s': %s", url, errorbuffer);
-    }
-    curl_slist_free_all(headers);
-    curl_easy_cleanup(curl);
-    pfreeany(complete_url);
-
-    return (res == CURLE_OK);
-#else   /* !LIBCURL */
-    plog("scep error: pluto wasn't compiled with libcurl support");
-    return FALSE;
-#endif  /* !LIBCURL */
+
+	free(complete_url);
+	return (status == SUCCESS);
 }
 
-err_t
-scep_parse_response(chunk_t response, chunk_t transID, contentInfo_t *data
-, scep_attributes_t *attrs, x509cert_t *signer_cert)
+err_t scep_parse_response(chunk_t response, chunk_t transID, contentInfo_t *data,
+						  scep_attributes_t *attrs, x509cert_t *signer_cert)
 {
-    chunk_t attributes;
-
-    if (!pkcs7_parse_signedData(response, data, NULL, &attributes, signer_cert))
-    {
-	return "error parsing the scep response";
-    }
-    if (!parse_attributes(attributes, attrs))
-    {
-	return "error parsing the scep response attributes";
-    }
-    if (!same_chunk(transID, attrs->transID))
-    {
-	return "transaction ID of scep response does not match";
-    }
-    return NULL;
+	chunk_t attributes;
+
+	if (!pkcs7_parse_signedData(response, data, NULL, &attributes, signer_cert))
+	{
+		return "error parsing the scep response";
+	}
+	if (!parse_attributes(attributes, attrs))
+	{
+		return "error parsing the scep response attributes";
+	}
+	if (!chunk_equals(transID, attrs->transID))
+	{
+		return "transaction ID of scep response does not match";
+	}
+	return NULL;
 }
diff --git a/src/scepclient/scep.h b/src/scepclient/scep.h
index 81e5d1a4b..e8dc87591 100644
--- a/src/scepclient/scep.h
+++ b/src/scepclient/scep.h
@@ -4,7 +4,7 @@
  * 
  * Contains functions to build and parse SCEP requests and replies
  */
- 
+
 /*
  * Copyright (C) 2005 Jan Hutter, Martin Willi
  * Hochschule fuer Technik Rapperswil
@@ -19,18 +19,17 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  */
- 
+
 #ifndef _SCEP_H
 #define _SCEP_H
 
 #include "../pluto/defs.h"
-#include "../pluto/pkcs1.h"
 #include "../pluto/pkcs7.h"
 
 /* supported SCEP operation types */
 typedef enum {
-    SCEP_PKI_OPERATION,
-    SCEP_GET_CA_CERT
+	SCEP_PKI_OPERATION,
+	SCEP_GET_CA_CERT
 } scep_op_t;
 
 /* SCEP pkiStatus values */
@@ -63,31 +62,32 @@ typedef enum {
 
 /* SCEP attributes */
 typedef struct {
-    scep_msg_t  msgType;
-    pkiStatus_t pkiStatus;
-    failInfo_t  failInfo;
-    chunk_t     transID;
-    chunk_t     senderNonce;
-    chunk_t     recipientNonce;
+	scep_msg_t  msgType;
+	pkiStatus_t pkiStatus;
+	failInfo_t  failInfo;
+	chunk_t     transID;
+	chunk_t     senderNonce;
+	chunk_t     recipientNonce;
 } scep_attributes_t;
 
 extern const scep_attributes_t empty_scep_attributes;
 
 extern bool parse_attributes(chunk_t blob, scep_attributes_t *attrs);
-extern void scep_generate_pkcs10_fingerprint(chunk_t pkcs10
-    , chunk_t *fingerprint);
-extern void scep_generate_transaction_id(const RSA_public_key_t *rsak
-    , chunk_t *transID, chunk_t *serialNumber);
+extern void scep_generate_transaction_id(public_key_t *key,
+										 chunk_t *transID,
+										 chunk_t *serialNumber);
+extern chunk_t scep_generate_pkcs10_fingerprint(chunk_t pkcs10);
 extern chunk_t scep_transId_attribute(chunk_t transaction_id);
 extern chunk_t scep_messageType_attribute(scep_msg_t m);
 extern chunk_t scep_senderNonce_attribute(void);
-extern chunk_t scep_build_request(chunk_t data, chunk_t transID, scep_msg_t msg
-    , const x509cert_t *enc_cert, int enc_alg
-    , const x509cert_t *signer_cert, int digest_alg
-    , const RSA_private_key_t *private_key);
-extern bool scep_http_request(const char *url, chunk_t pkcs7, scep_op_t op
-    , fetch_request_t request_type, chunk_t *response);
-extern err_t scep_parse_response(chunk_t response, chunk_t transID
-    , contentInfo_t *data, scep_attributes_t *attrs, x509cert_t *signer_cert);
+extern chunk_t scep_build_request(chunk_t data, chunk_t transID, scep_msg_t msg,
+								  const x509cert_t *enc_cert, int enc_alg,
+								  const x509cert_t *signer_cert, int digest_alg,
+								  private_key_t *private_key);
+extern bool scep_http_request(const char *url, chunk_t pkcs7, scep_op_t op,
+							  bool http_get_request, chunk_t *response);
+extern err_t scep_parse_response(chunk_t response, chunk_t transID,
+								 contentInfo_t *data, scep_attributes_t *attrs,
+								 x509cert_t *signer_cert);
 
 #endif /* _SCEP_H */
diff --git a/src/scepclient/scepclient.8 b/src/scepclient/scepclient.8
index 0d6364ef2..d9bf8e4cc 100644
--- a/src/scepclient/scepclient.8
+++ b/src/scepclient/scepclient.8
@@ -152,7 +152,13 @@ Supported values for \fIalgo\fP:
 .IP "\fBdes\-cbc\fP" 12
 DES CBC encryption (key size = 56 bit).
 .IP "\fB3des\-cbc\fP" 12
-Triple DES CBC encryption (key size = 168 bit).
+Triple DES-EDE-CBC encryption (key size = 168 bit).
+.IP "\fBaes128\-cbc\fP" 12
+AES-CBC encryption (key size = 128 bit).
+.IP "\fBaes192\-cbc\fP" 12
+AES-CBC encryption (key size = 192 bit).
+.IP "\fBaes256\-cbc\fP" 12
+AES-CBC encryption (key size = 256 bit).
 .RE
 .PP 
 .B \-o, \-\-out \fItype\fP[=\fIfilename\fP]
diff --git a/src/scepclient/scepclient.c b/src/scepclient/scepclient.c
index f4afe0b8f..0e7ae3e40 100644
--- a/src/scepclient/scepclient.c
+++ b/src/scepclient/scepclient.c
@@ -32,22 +32,24 @@
 #include <ctype.h>
 #include <unistd.h>
 #include <time.h>
-#include <gmp.h>
 
 #include <freeswan.h>
+
+#include <library.h>
+#include <debug.h>
+#include <asn1/asn1.h>
 #include <asn1/oid.h>
+#include <utils/optionsfrom.h>
+#include <utils/enumerator.h>
+#include <credentials/keys/private_key.h>
+#include <credentials/keys/public_key.h>
 
 #include "../pluto/constants.h"
 #include "../pluto/defs.h"
 #include "../pluto/log.h"
-#include "../pluto/asn1.h"
-#include "../pluto/pkcs1.h"
 #include "../pluto/pkcs7.h"
 #include "../pluto/certs.h"
-#include "../pluto/fetch.h"
-#include "../pluto/rnd.h"
 
-#include "rsakey.h"
 #include "pkcs10.h"
 #include "scep.h"
 
@@ -56,37 +58,37 @@
  */
 
 /* default name of DER-encoded PKCS#1 private key file */
-#define DEFAULT_FILENAME_PKCS1		"myKey.der"
+#define DEFAULT_FILENAME_PKCS1          "myKey.der"
 
 /* default name of DER-encoded PKCS#10 certificate request file */
-#define DEFAULT_FILENAME_PKCS10		"myReq.der"
+#define DEFAULT_FILENAME_PKCS10         "myReq.der"
 
 /* default name of DER-encoded PKCS#7 file */
-#define DEFAULT_FILENAME_PKCS7		"pkcs7.der"
+#define DEFAULT_FILENAME_PKCS7          "pkcs7.der"
 
 /* default name of DER-encoded self-signed X.509 certificate file */
-#define DEFAULT_FILENAME_CERT_SELF	"selfCert.der"
+#define DEFAULT_FILENAME_CERT_SELF      "selfCert.der"
 
 /* default name of DER-encoded X.509 certificate file */
-#define DEFAULT_FILENAME_CERT		"myCert.der"
+#define DEFAULT_FILENAME_CERT           "myCert.der"
 
 /* default name of DER-encoded CA cert file used for key encipherment */
-#define DEFAULT_FILENAME_CACERT_ENC	"caCert.der"
+#define DEFAULT_FILENAME_CACERT_ENC     "caCert.der"
 
 /* default name of the der encoded CA cert file used for signature verification */
-#define DEFAULT_FILENAME_CACERT_SIG	"caCert.der"
+#define DEFAULT_FILENAME_CACERT_SIG     "caCert.der"
 
 /* default prefix of the der encoded CA certificates received from the SCEP server */
-#define DEFAULT_FILENAME_PREFIX_CACERT	"caCert.der"
+#define DEFAULT_FILENAME_PREFIX_CACERT  "caCert.der"
 
 /* default certificate validity */
-#define DEFAULT_CERT_VALIDITY	 5 * 3600 * 24 * 365  /* seconds */
+#define DEFAULT_CERT_VALIDITY    5 * 3600 * 24 * 365  /* seconds */
 
 /* default polling time interval in SCEP manual mode */
-#define DEFAULT_POLL_INTERVAL	 20	  /* seconds */
+#define DEFAULT_POLL_INTERVAL    20       /* seconds */
 
 /* default key length for self-generated RSA keys */
-#define DEFAULT_RSA_KEY_LENGTH 2048	  /* bits */
+#define DEFAULT_RSA_KEY_LENGTH 2048       /* bits */
 
 /* default distinguished name */
 #define DEFAULT_DN "C=CH, O=Linux strongSwan, CN="
@@ -110,12 +112,15 @@ long crl_check_interval = 0;
 /* by default pluto logs out after every smartcard use */
 bool pkcs11_keep_state = FALSE;
 
+/* options read by optionsfrom */
+options_t *options;
 
 /*
  * Global variables
  */
 
-RSA_private_key_t *private_key = NULL;
+private_key_t *private_key = NULL;
+public_key_t *public_key = NULL;
 
 chunk_t pkcs1;
 chunk_t pkcs7;
@@ -138,58 +143,52 @@ pkcs10_t *pkcs10               = NULL;
 /**
  * @brief exit scepclient
  *
- * The log is closed and leaks are reported
- * if LEAK_DETECTIVE is activated
- *
  * @param status 0 = OK, 1 = general discomfort
  */
 static void
 exit_scepclient(err_t message, ...)
 {
-    if (private_key != NULL)
-    {
-	free_RSA_private_content(private_key);
-	pfree(private_key);
-    }
-    freeanychunk(pkcs1);
-    freeanychunk(pkcs7);
-    freeanychunk(subject);
-    freeanychunk(serialNumber);
-    freeanychunk(transID);
-    freeanychunk(fingerprint);
-    freeanychunk(issuerAndSubject);
-    freeanychunk(getCertInitial);
-    if (scep_response.ptr != NULL)
+	int status = 0;
+
+	DESTROY_IF(private_key);
+	DESTROY_IF(public_key);
+	free(pkcs1.ptr);
+	free(pkcs7.ptr);
+	free(subject.ptr);
+	free(serialNumber.ptr);
+	free(transID.ptr);
+	free(fingerprint.ptr);
+	free(issuerAndSubject.ptr);
+	free(getCertInitial.ptr);
 	free(scep_response.ptr);
 
-    free_generalNames(subjectAltNames, TRUE);
-    if (x509_signer != NULL)
-	x509_signer->subjectAltName = NULL;
-
-    free_x509cert(x509_signer);
-    free_x509cert(x509_ca_enc);
-    free_x509cert(x509_ca_sig);
-    pkcs10_free(pkcs10);
-
-#ifdef LEAK_DETECTIVE
-    report_leaks();
-#endif /* LEAK_DETECTIVE */
-    close_log();
-
-    /* print any error message to stderr */
-    if (message != NULL && *message != '\0')
-    {
-	va_list args;
-	char m[LOG_WIDTH];	/* longer messages will be truncated */
-
-	va_start(args, message);
-	vsnprintf(m, sizeof(m), message, args);
-	va_end(args);
-
-	fprintf(stderr, "error: %s\n", m);
-	exit(-1);
-    }
-    exit(0);
+	free_generalNames(subjectAltNames, TRUE);
+	if (x509_signer != NULL)
+	{
+		x509_signer->subjectAltName = NULL;
+	}
+	free_x509cert(x509_signer);
+	free_x509cert(x509_ca_enc);
+	free_x509cert(x509_ca_sig);
+	pkcs10_free(pkcs10);
+	options->destroy(options);
+
+	/* print any error message to stderr */
+	if (message != NULL && *message != '\0')
+	{
+		va_list args;
+		char m[LOG_WIDTH];      /* longer messages will be truncated */
+
+		va_start(args, message);
+		vsnprintf(m, sizeof(m), message, args);
+		va_end(args);
+
+		fprintf(stderr, "error: %s\n", m);
+		status = -1;
+	}
+	library_deinit();
+	close_log();
+	exit(status);
 }
 
 /**
@@ -199,8 +198,8 @@ exit_scepclient(err_t message, ...)
 static void
 version(void)
 {
-    printf("scepclient %s\n", scepclient_version);
-    exit_scepclient(NULL);
+	printf("scepclient %s\n", scepclient_version);
+	exit_scepclient(NULL);
 }
 
 /**
@@ -212,61 +211,81 @@ version(void)
 static void
 usage(const char *message)
 {
-    fprintf(stderr,
-	"Usage: scepclient\n"
-	" --help (-h)                       show usage and exit\n"
-	" --version (-v)                    show version and exit\n"
-	" --quiet (-q)                      do not write log output to stderr\n"
-	" --in (-i) <type>[=<filename>]     use <filename> of <type> for input \n"
-	"                                   <type> = pkcs1 | cacert-enc |  cacert-sig\n"
-	"                                   - if no pkcs1 input is defined, a \n"
-	"                                     RSA key will be generated\n"
-	"                                   - if no filename is given, default is used\n"
-	" --out (-o) <type>[=<filename>]    write output of <type> to <filename>\n"
-	"                                   multiple outputs are allowed\n"
-	"                                   <type> = pkcs1 | pkcs10 | pkcs7 | cert-self | cert | cacert\n"
-	"                                   - type cacert defines filename prefix of\n"
-	"                                     received CA certificate(s)\n"
-	"                                   - if no filename is given, default is used\n"
-	" --optionsfrom (-+) <filename>     reads additional options from given file\n"
-	" --force (-f)                      force existing file(s)\n"
-	"\n"
-	"Options for key generation (pkcs1):\n"
-	" --keylength (-k) <bits>           key length for RSA key generation\n"
-					    "(default: 2048 bits)\n"
-	"\n"
-	"Options for validity:\n"
-	" --days (-D) <days>                validity in days\n"
-	" --startdate (-S) <YYMMDDHHMMSS>Z  not valid before date\n"
-	" --enddate   (-E) <YYMMDDHHMMSS>Z  not valid after date\n"
-	"\n"
-	"Options for request generation (pkcs10):\n"
-	" --dn (-d) <dn>                    comma separated list of distinguished names\n"
-	" --subjectAltName (-s) <t>=<v>     include subjectAltName in certificate request\n"
-	"                                   <t> =  email | dns | ip \n"
-	" --password (-p) <pw>              challenge password\n"
-	"                                   - if pw is '%%prompt', password gets prompted for\n"
-	" --algorithm (-a) <algo>           use specified algorithm for PKCS#7 encryption\n"
-	"                                   <algo> = des-cbc | 3des-cbc (default: 3des-cbc)\n"
-	"\n"
-	"Options for enrollment (cert):\n"
-	" --url (-u) <url>                  url of the SCEP server\n"
-	" --method (-m) post | get          http request type\n"
-	" --interval (-t) <seconds>         manual mode poll interval in seconds (default 20s)\n"
-	" --maxpolltime (-x) <seconds>      max poll time in seconds when in manual mode\n"
-	"                                   (default: unlimited)\n"
+	fprintf(stderr,
+		"Usage: scepclient\n"
+		" --help (-h)                       show usage and exit\n"
+		" --version (-v)                    show version and exit\n"
+		" --quiet (-q)                      do not write log output to stderr\n"
+		" --in (-i) <type>[=<filename>]     use <filename> of <type> for input \n"
+		"                                   <type> = pkcs1 | cacert-enc |  cacert-sig\n"
+		"                                   - if no pkcs1 input is defined, a \n"
+		"                                     RSA key will be generated\n"
+		"                                   - if no filename is given, default is used\n"
+		" --out (-o) <type>[=<filename>]    write output of <type> to <filename>\n"
+		"                                   multiple outputs are allowed\n"
+		"                                   <type> = pkcs1 | pkcs10 | pkcs7 | cert-self | cert | cacert\n"
+		"                                   - type cacert defines filename prefix of\n"
+		"                                     received CA certificate(s)\n"
+		"                                   - if no filename is given, default is used\n"
+		" --optionsfrom (-+) <filename>     reads additional options from given file\n"
+		" --force (-f)                      force existing file(s)\n"
+		"\n"
+		"Options for key generation (pkcs1):\n"
+		" --keylength (-k) <bits>           key length for RSA key generation\n"
+											"(default: 2048 bits)\n"
+		"\n"
+		"Options for validity:\n"
+		" --days (-D) <days>                validity in days\n"
+		" --startdate (-S) <YYMMDDHHMMSS>Z  not valid before date\n"
+		" --enddate   (-E) <YYMMDDHHMMSS>Z  not valid after date\n"
+		"\n"
+		"Options for request generation (pkcs10):\n"
+		" --dn (-d) <dn>                    comma separated list of distinguished names\n"
+		" --subjectAltName (-s) <t>=<v>     include subjectAltName in certificate request\n"
+		"                                   <t> =  email | dns | ip \n"
+		" --password (-p) <pw>              challenge password\n"
+		"                                   - if pw is '%%prompt', password gets prompted for\n"
+		" --algorithm (-a) <algo>           use specified algorithm for PKCS#7 encryption\n"
+		"                                   <algo> = des-cbc | 3des-cbc (default) | \n"
+        "                                   aes128-cbc | aes192-cbc | aes256-cbc | \n"
+        "                                   camellia128-cbc | camellia192-cbc | camellia256-cbc\n"
+		"\n"
+		"Options for enrollment (cert):\n"
+		" --url (-u) <url>                  url of the SCEP server\n"
+		" --method (-m) post | get          http request type\n"
+		" --interval (-t) <seconds>         manual mode poll interval in seconds (default 20s)\n"
+		" --maxpolltime (-x) <seconds>      max poll time in seconds when in manual mode\n"
+		"                                   (default: unlimited)\n"
 #ifdef DEBUG
-	"\n"
-	"Debugging output:\n"
-	" --debug-all (-A)                  show everything except private\n"
-	" --debug-parsing (-P)              show parsing relevant stuff\n"
-	" --debug-raw (-R)                  show raw hex dumps\n"
-	" --debug-control (-C)              show control flow output\n"
-	" --debug-controlmore (-M)          show more control flow\n"
-	" --debug-private (-X)              show sensitive data (private keys, etc.)\n"
+		"\n"
+		"Debugging output:\n"
+		" --debug-all (-A)                  show everything except private\n"
+		" --debug-parsing (-P)              show parsing relevant stuff\n"
+		" --debug-raw (-R)                  show raw hex dumps\n"
+		" --debug-control (-C)              show control flow output\n"
+		" --debug-controlmore (-M)          show more control flow\n"
+		" --debug-private (-X)              show sensitive data (private keys, etc.)\n"
 #endif
-	);
-    exit_scepclient(message);
+		);
+	exit_scepclient(message);
+}
+
+/**
+ * Log loaded plugins
+ */
+static void print_plugins()
+{
+	char buf[BUF_LEN], *plugin;
+	int len = 0;
+	enumerator_t *enumerator;
+	
+	enumerator = lib->plugins->create_plugin_enumerator(lib->plugins);
+	while (len < BUF_LEN && enumerator->enumerate(enumerator, &plugin))
+	{
+		len += snprintf(&buf[len], BUF_LEN-len, "%s ", plugin);
+	}
+	enumerator->destroy(enumerator);
+	DBG1("  loaded plugins: %s", buf);
 }
 
 /**
@@ -277,760 +296,842 @@ usage(const char *message)
  */
 int main(int argc, char **argv)
 {
-    /* external values */
-    extern char * optarg;
-    extern int optind;
-
-    /* type of input and output files */
-    typedef enum {
-	PKCS1      =  0x01,
-	PKCS10     =  0x02,
-	PKCS7      =  0x04,
-	CERT_SELF  =  0x08,
-	CERT       =  0x10,
-	CACERT_ENC =  0x20,
-	CACERT_SIG =  0x40
-    } scep_filetype_t;
-
-    /* filetype to read from, defaults to "generate a key" */
-    scep_filetype_t filetype_in = 0;
-
-    /* filetype to write to, no default here */
-    scep_filetype_t filetype_out = 0;
-
-    /* input files */
-    char *file_in_pkcs1      = DEFAULT_FILENAME_PKCS1;
-    char *file_in_cacert_enc = DEFAULT_FILENAME_CACERT_ENC;
-    char *file_in_cacert_sig = DEFAULT_FILENAME_CACERT_SIG;
-
-    /* output files */
-    char *file_out_pkcs1     = DEFAULT_FILENAME_PKCS1;
-    char *file_out_pkcs10    = DEFAULT_FILENAME_PKCS10;
-    char *file_out_pkcs7     = DEFAULT_FILENAME_PKCS7;
-    char *file_out_cert_self = DEFAULT_FILENAME_CERT_SELF;
-    char *file_out_cert      = DEFAULT_FILENAME_CERT;
-    char *file_out_prefix_cacert = DEFAULT_FILENAME_PREFIX_CACERT;
-
-    /* by default user certificate is requested */
-    bool request_ca_certificate = FALSE;
-
-    /* by default existing files are not overwritten */
-    bool force = FALSE;
-
-    /* length of RSA key in bits */
-    u_int rsa_keylength = DEFAULT_RSA_KEY_LENGTH;
-
-    /* validity of self-signed certificate */
-    time_t validity  = DEFAULT_CERT_VALIDITY;
-    time_t notBefore = 0;
-    time_t notAfter  = 0;
-
-    /* distinguished name for requested certificate, ASCII format */
-    char *distinguishedName = NULL;
-
-    /* challenge password */
-    char challenge_password_buffer[MAX_PASSWORD_LENGTH];
-
-    /* symmetric encryption algorithm used by pkcs7, default is 3DES */
-    int pkcs7_symmetric_cipher = OID_3DES_EDE_CBC;
-
-    /* digest algorithm used by pkcs7, default is MD5 */
-    int pkcs7_digest_alg = OID_MD5;
-
-    /* signature algorithm used by pkcs10, default is MD5 with RSA encryption */
-    int pkcs10_signature_alg = OID_MD5;
-
-    /* URL of the SCEP-Server */
-    char *scep_url = NULL;
-
-    /* http request method, default is GET */
-    fetch_request_t request_type = FETCH_GET;
-
-    /* poll interval time in manual mode in seconds */
-    u_int poll_interval = DEFAULT_POLL_INTERVAL;
-
-    /* maximum poll time */
-    u_int max_poll_time = 0;
-
-    err_t ugh = NULL;
-
-    /* initialize global variables */
-    pkcs1             = empty_chunk;
-    pkcs7             = empty_chunk;
-    serialNumber      = empty_chunk;
-    transID           = empty_chunk;
-    fingerprint       = empty_chunk;
-    issuerAndSubject  = empty_chunk;
-    challengePassword = empty_chunk;
-    getCertInitial    = empty_chunk;
-    scep_response     = empty_chunk;
-    log_to_stderr     = TRUE;
-
-    for (;;)
-    {
-	static const struct option long_opts[] = {
-	    /* name, has_arg, flag, val */
-	    { "help", no_argument, NULL, 'h' },
-	    { "version", no_argument, NULL, 'v' },
-	    { "optionsfrom", required_argument, NULL, '+' },
-	    { "quiet", no_argument, NULL, 'q' },
-	    { "in", required_argument, NULL, 'i' },
-	    { "out", required_argument, NULL, 'o' },
-	    { "force", no_argument, NULL, 'f' },
-	    { "keylength", required_argument, NULL, 'k' },
-	    { "dn", required_argument, NULL, 'd' },
-	    { "days", required_argument, NULL, 'D' },
-	    { "startdate", required_argument, NULL, 'S' },
-	    { "enddate", required_argument, NULL, 'E' },
-	    { "subjectAltName", required_argument, NULL, 's' },
-	    { "password", required_argument, NULL, 'p' },
-	    { "algorithm", required_argument, NULL, 'a' },
-	    { "url", required_argument, NULL, 'u' },
-	    { "method", required_argument, NULL, 'm' },
-	    { "interval", required_argument, NULL, 't' },
-	    { "maxpolltime", required_argument, NULL, 'x' },
+	/* external values */
+	extern char * optarg;
+	extern int optind;
+
+	/* type of input and output files */
+	typedef enum {
+		PKCS1      =  0x01,
+		PKCS10     =  0x02,
+		PKCS7      =  0x04,
+		CERT_SELF  =  0x08,
+		CERT       =  0x10,
+		CACERT_ENC =  0x20,
+		CACERT_SIG =  0x40
+	} scep_filetype_t;
+
+	/* filetype to read from, defaults to "generate a key" */
+	scep_filetype_t filetype_in = 0;
+
+	/* filetype to write to, no default here */
+	scep_filetype_t filetype_out = 0;
+
+	/* input files */
+	char *file_in_pkcs1      = DEFAULT_FILENAME_PKCS1;
+	char *file_in_cacert_enc = DEFAULT_FILENAME_CACERT_ENC;
+	char *file_in_cacert_sig = DEFAULT_FILENAME_CACERT_SIG;
+
+	/* output files */
+	char *file_out_pkcs1     = DEFAULT_FILENAME_PKCS1;
+	char *file_out_pkcs10    = DEFAULT_FILENAME_PKCS10;
+	char *file_out_pkcs7     = DEFAULT_FILENAME_PKCS7;
+	char *file_out_cert_self = DEFAULT_FILENAME_CERT_SELF;
+	char *file_out_cert      = DEFAULT_FILENAME_CERT;
+	char *file_out_prefix_cacert = DEFAULT_FILENAME_PREFIX_CACERT;
+
+	/* by default user certificate is requested */
+	bool request_ca_certificate = FALSE;
+
+	/* by default existing files are not overwritten */
+	bool force = FALSE;
+
+	/* length of RSA key in bits */
+	u_int rsa_keylength = DEFAULT_RSA_KEY_LENGTH;
+
+	/* validity of self-signed certificate */
+	time_t validity  = DEFAULT_CERT_VALIDITY;
+	time_t notBefore = 0;
+	time_t notAfter  = 0;
+
+	/* distinguished name for requested certificate, ASCII format */
+	char *distinguishedName = NULL;
+
+	/* challenge password */
+	char challenge_password_buffer[MAX_PASSWORD_LENGTH];
+
+	/* symmetric encryption algorithm used by pkcs7, default is 3DES */
+	int pkcs7_symmetric_cipher = OID_3DES_EDE_CBC;
+
+	/* digest algorithm used by pkcs7, default is SHA-1 */
+	int pkcs7_digest_alg = OID_SHA1;
+
+	/* signature algorithm used by pkcs10, default is SHA-1 with RSA encryption */
+	int pkcs10_signature_alg = OID_SHA1;
+
+	/* URL of the SCEP-Server */
+	char *scep_url = NULL;
+
+	/* http request method, default is GET */
+	bool http_get_request = TRUE;
+
+	/* poll interval time in manual mode in seconds */
+	u_int poll_interval = DEFAULT_POLL_INTERVAL;
+
+	/* maximum poll time */
+	u_int max_poll_time = 0;
+
+	err_t ugh = NULL;
+
+	/* initialize global variables */
+	pkcs1             = chunk_empty;
+	pkcs7             = chunk_empty;
+	serialNumber      = chunk_empty;
+	transID           = chunk_empty;
+	fingerprint       = chunk_empty;
+	issuerAndSubject  = chunk_empty;
+	challengePassword = chunk_empty;
+	getCertInitial    = chunk_empty;
+	scep_response     = chunk_empty;
+	log_to_stderr     = TRUE;
+
+	/* initialize library and optionsfrom */
+	library_init(STRONGSWAN_CONF);
+	options = options_create();
+
+	for (;;)
+	{
+		static const struct option long_opts[] = {
+			/* name, has_arg, flag, val */
+			{ "help", no_argument, NULL, 'h' },
+			{ "version", no_argument, NULL, 'v' },
+			{ "optionsfrom", required_argument, NULL, '+' },
+			{ "quiet", no_argument, NULL, 'q' },
+			{ "in", required_argument, NULL, 'i' },
+			{ "out", required_argument, NULL, 'o' },
+			{ "force", no_argument, NULL, 'f' },
+			{ "keylength", required_argument, NULL, 'k' },
+			{ "dn", required_argument, NULL, 'd' },
+			{ "days", required_argument, NULL, 'D' },
+			{ "startdate", required_argument, NULL, 'S' },
+			{ "enddate", required_argument, NULL, 'E' },
+			{ "subjectAltName", required_argument, NULL, 's' },
+			{ "password", required_argument, NULL, 'p' },
+			{ "algorithm", required_argument, NULL, 'a' },
+			{ "url", required_argument, NULL, 'u' },
+			{ "method", required_argument, NULL, 'm' },
+			{ "interval", required_argument, NULL, 't' },
+			{ "maxpolltime", required_argument, NULL, 'x' },
+#ifdef DEBUG
+			{ "debug-all", no_argument, NULL, 'A' },
+			{ "debug-parsing", no_argument, NULL, 'P'},
+			{ "debug-raw", no_argument, NULL, 'R'},
+			{ "debug-control", no_argument, NULL, 'C'},
+			{ "debug-controlmore", no_argument, NULL, 'M'},
+			{ "debug-private", no_argument, NULL, 'X'},
+#endif
+			{ 0,0,0,0 }
+		};
+
+		/* parse next option */
+		int c = getopt_long(argc, argv, "hv+:qi:o:fk:d:s:p:a:u:m:t:x:APRCMS", long_opts, NULL);
+
+		switch (c)
+		{
+		case EOF:       /* end of flags */
+			break;
+
+		case 'h':       /* --help */
+			usage(NULL);
+
+		case 'v':       /* --version */
+			version();
+
+		case 'q':       /* --quiet */
+			log_to_stderr = FALSE;
+			continue;
+
+		case 'i':       /* --in <type> [= <filename>] */
+			{
+				char *filename = strstr(optarg, "=");
+
+				if (filename)
+				{
+					/* replace '=' by '\0' */
+					*filename = '\0';
+					/* set pointer to start of filename */
+					filename++;
+				}
+				if (strcaseeq("pkcs1", optarg))
+				{
+					filetype_in |= PKCS1;
+					if (filename)
+						file_in_pkcs1 = filename;
+				}
+				else if (strcaseeq("cacert-enc", optarg))
+				{
+					filetype_in |= CACERT_ENC;
+					if (filename)
+						file_in_cacert_enc = filename;
+				}
+				else if (strcaseeq("cacert-sig", optarg))
+				{
+					filetype_in |= CACERT_SIG;
+					if (filename)
+						 file_in_cacert_sig = filename;
+				}
+				else
+				{
+					usage("invalid --in file type");
+				}
+				continue;
+			}
+
+		case 'o':       /* --out <type> [= <filename>] */
+			{
+				char *filename = strstr(optarg, "=");
+
+				if (filename)
+				{
+					/* replace '=' by '\0' */
+					*filename = '\0';
+					/* set pointer to start of filename */
+					filename++;
+				}
+				if (strcaseeq("pkcs1", optarg))
+				{
+					filetype_out |= PKCS1;
+					if (filename)
+						file_out_pkcs1 = filename;
+				}
+				else if (strcaseeq("pkcs10", optarg))
+				{
+					filetype_out |= PKCS10;
+					if (filename)
+						file_out_pkcs10 = filename;
+				}
+				else if (strcaseeq("pkcs7", optarg))
+				{
+					filetype_out |= PKCS7;
+					if (filename)
+						file_out_pkcs7 = filename;
+				}
+				else if (strcaseeq("cert-self", optarg))
+				{
+					filetype_out |= CERT_SELF;
+					if (filename)
+						file_out_cert_self = filename;
+				}
+				else if (strcaseeq("cert", optarg))
+				{
+					filetype_out |= CERT;
+					if (filename)
+						file_out_cert = filename;
+				}
+				else if (strcaseeq("cacert", optarg))
+				{
+					request_ca_certificate = TRUE;
+					if (filename)
+						file_out_prefix_cacert = filename;
+				}
+				else
+				{
+					usage("invalid --out file type");
+				}
+				continue;
+			}
+		
+		case 'f':       /* --force */
+			force = TRUE;
+			continue;
+
+		case '+':       /* --optionsfrom <filename> */
+			if (!options->from(options, optarg, &argc, &argv, optind))
+			{
+				exit_scepclient("optionsfrom failed");
+			}
+			continue;
+
+		case 'k':        /* --keylength <length> */
+			{
+				div_t q;
+
+				rsa_keylength = atoi(optarg);
+				if (rsa_keylength == 0)
+					usage("invalid keylength");
+
+				/* check if key length is a multiple of 8 bits */
+				q = div(rsa_keylength, 2*BITS_PER_BYTE);
+				if (q.rem != 0)
+				{
+					exit_scepclient("keylength is not a multiple of %d bits!"
+						, 2*BITS_PER_BYTE);
+				}
+				continue;
+			}
+
+		case 'D':       /* --days */
+			if (optarg == NULL || !isdigit(optarg[0]))
+				usage("missing number of days");
+			{
+				char *endptr;
+				long days = strtol(optarg, &endptr, 0);
+
+				if (*endptr != '\0' || endptr == optarg
+				|| days <= 0)
+					usage("<days> must be a positive number");
+				validity = 24*3600*days;
+			}
+			continue;
+
+		case 'S':       /* --startdate */
+			if (optarg == NULL || strlen(optarg) != 13 || optarg[12] != 'Z')
+				usage("date format must be YYMMDDHHMMSSZ");
+			{
+				chunk_t date = { optarg, 13 };
+				notBefore = asn1_to_time(&date, ASN1_UTCTIME);
+			}
+			continue;
+
+		case 'E':       /* --enddate */
+			if (optarg == NULL || strlen(optarg) != 13 || optarg[12] != 'Z')
+				usage("date format must be YYMMDDHHMMSSZ");
+			{
+				chunk_t date = { optarg, 13 };
+				notAfter = asn1_to_time(&date, ASN1_UTCTIME);
+			}
+			continue;
+
+		case 'd':       /* --dn */
+			if (distinguishedName)
+				usage("only one distinguished name allowed");
+			distinguishedName = optarg;
+			continue;
+
+		case 's':       /* --subjectAltName */
+			{
+				generalNames_t kind;
+				char *value = strstr(optarg, "=");
+
+				if (value)
+				{
+					/* replace '=' by '\0' */
+					*value = '\0';
+					/* set pointer to start of value */
+					value++;
+				}
+
+				if (strcaseeq("email", optarg))
+				{       
+					kind = GN_RFC822_NAME;
+				}
+				else if (strcaseeq("dns", optarg))
+				{
+					kind = GN_DNS_NAME;
+				}
+				else if (strcaseeq("ip", optarg))
+				{
+					kind = GN_IP_ADDRESS;
+				}
+				else
+				{
+					usage("invalid --subjectAltName type");
+					continue;
+				}
+				pkcs10_add_subjectAltName(&subjectAltNames, kind, value);
+				continue;
+			}
+
+		case 'p':       /* --password */
+			if (challengePassword.len > 0)
+			{
+				usage("only one challenge password allowed");
+			}
+			if (strcaseeq("%prompt", optarg))
+			{
+				printf("Challenge password: ");
+				if (fgets(challenge_password_buffer, sizeof(challenge_password_buffer)-1, stdin))
+				{
+					challengePassword.ptr = challenge_password_buffer;
+					/* discard the terminating '\n' from the input */
+					challengePassword.len = strlen(challenge_password_buffer) - 1;
+				}
+				else
+				{
+					usage("challenge password could not be read");
+				}
+			}
+			else
+			{
+				challengePassword.ptr = optarg;
+				challengePassword.len = strlen(optarg);
+			}
+			continue;
+
+		case 'u':       /* -- url */
+			if (scep_url)
+			{
+				usage("only one URL argument allowed");
+			}
+			scep_url = optarg;
+			continue;
+
+		case 'm':       /* --method */
+			if (strcaseeq("get", optarg))
+			{
+				http_get_request = TRUE;
+			}
+			else if (strcaseeq("post", optarg))
+			{
+				http_get_request = FALSE;
+			}
+			else
+			{
+				usage("invalid http request method specified");
+			}
+			continue;
+
+		case 't':       /* --interval */
+			poll_interval = atoi(optarg);
+			if (poll_interval <= 0)
+			{
+				usage("invalid interval specified");
+			}
+			continue;
+
+		case 'x':       /* --maxpolltime */
+			max_poll_time = atoi(optarg);
+			if (max_poll_time < 0)
+			{
+				usage("invalid maxpolltime specified");
+			}
+			continue;
+
+		case 'a':       /*--algorithm */
+			if (strcaseeq("des-cbc", optarg))
+			{
+				pkcs7_symmetric_cipher = OID_DES_CBC;
+			}
+			else if (strcaseeq("3des-cbc", optarg))
+			{
+				pkcs7_symmetric_cipher = OID_3DES_EDE_CBC;
+			}
+			else if (strcaseeq("aes128-cbc", optarg))
+			{
+				pkcs7_symmetric_cipher = OID_AES128_CBC;
+			}
+			else if (strcaseeq("aes192-cbc", optarg))
+			{
+				pkcs7_symmetric_cipher = OID_AES192_CBC;
+			}
+			else if (strcaseeq("aes256-cbc", optarg))
+			{
+				pkcs7_symmetric_cipher = OID_AES256_CBC;
+			}
+			else if (strcaseeq("camellia128-cbc", optarg))
+			{
+				pkcs7_symmetric_cipher = OID_CAMELLIA128_CBC;
+			}
+			else if (strcaseeq("camellia192-cbc", optarg))
+			{
+				pkcs7_symmetric_cipher = OID_CAMELLIA192_CBC;
+			}
+			else if (strcaseeq("camellia256-cbc", optarg))
+			{
+				pkcs7_symmetric_cipher = OID_CAMELLIA256_CBC;
+			}
+			else
+			{
+				usage("invalid encryption algorithm specified");
+			}
+			continue;
 #ifdef DEBUG
-	    { "debug-all", no_argument, NULL, 'A' },
-	    { "debug-parsing", no_argument, NULL, 'P'},
-	    { "debug-raw", no_argument, NULL, 'R'},
-	    { "debug-control", no_argument, NULL, 'C'},
-	    { "debug-controlmore", no_argument, NULL, 'M'},
-	    { "debug-private", no_argument, NULL, 'X'},
+		case 'A':       /* --debug-all */
+			base_debugging |= DBG_ALL;
+			continue;
+		case 'P':       /* debug parsing */
+			base_debugging |= DBG_PARSING;
+			continue;
+		case 'R':       /* debug raw */
+			base_debugging |= DBG_RAW;
+			continue;
+		case 'C':       /* debug control */
+			base_debugging |= DBG_CONTROL;
+			continue;
+		case 'M':       /* debug control more */
+			base_debugging |= DBG_CONTROLMORE;
+			continue;
+		case 'X':       /* debug private */
+			base_debugging |= DBG_PRIVATE;
+			continue;
 #endif
-	    { 0,0,0,0 }
-	};
+		default: 
+			usage("unknown option");
+		}
+		/* break from loop */
+		break;
+	}
+	cur_debugging = base_debugging;
+
+	init_log("scepclient");
 
-	/* parse next option */
-	int c = getopt_long(argc, argv, "hv+:qi:o:fk:d:s:p:a:u:m:t:x:APRCMS", long_opts, NULL);
+	/* load plugins, further infrastructure may need it */
+	lib->plugins->load(lib->plugins, IPSEC_PLUGINDIR, 
+		lib->settings->get_str(lib->settings, "scepclient.load", PLUGINS));
+	print_plugins();
 
-	switch (c)
+	if ((filetype_out == 0) && (!request_ca_certificate))
+	{
+		usage ("--out filetype required");
+	}
+	if (request_ca_certificate && (filetype_out > 0 || filetype_in > 0))
 	{
-	case EOF:	/* end of flags */
-	    break;
+		usage("in CA certificate request, no other --in or --out option allowed");
+	}
 
-	case 'h':	/* --help */
-	    usage(NULL);
+	/* check if url is given, if cert output defined */
+	if (((filetype_out & CERT) || request_ca_certificate) && !scep_url)
+	{
+		usage("URL of SCEP server required");
+	}
 
-	case 'v':	/* --version */
-	    version();
+	/* check for sanity of --in/--out */
+	if (!filetype_in && (filetype_in > filetype_out))
+	{
+		usage("cannot generate --out of given --in!");
+	}
 
-	case 'q':	/* --quiet */
-	    log_to_stderr = FALSE;
-	    continue;
+	/*
+	 * input of PKCS#1 file
+	 */
+	if (filetype_in & PKCS1)    /* load an RSA key pair from file */ 
+	{
+		prompt_pass_t pass = { "", FALSE, STDIN_FILENO };
+		char *path = concatenate_paths(PRIVATE_KEY_PATH, file_in_pkcs1);
 
-	case 'i':	/* --in <type> [= <filename>] */
-	    {
-		char *filename = strstr(optarg, "=");
+		private_key = load_private_key(path, &pass, KEY_RSA);
+	}
+	else                                /* generate an RSA key pair */
+	{
+		private_key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+										 BUILD_KEY_SIZE, rsa_keylength,
+ 										 BUILD_END);
+	}
+	if (private_key == NULL)
+	{
+		exit_scepclient("no RSA private key available");
+	}
+	public_key = private_key->get_public_key(private_key);
 
-		if (filename)
-		{
-		    /* replace '=' by '\0' */
-		    *filename = '\0';
-		    /* set pointer to start of filename */
-		    filename++;
-		}
-		if (strcasecmp("pkcs1", optarg) == 0)
-		{
-		    filetype_in |= PKCS1;
-		    if (filename)
-			file_in_pkcs1 = filename;
-		}
-		else if (strcasecmp("cacert-enc", optarg) == 0)
-		{
-		    filetype_in |= CACERT_ENC;
-		    if (filename)
-			file_in_cacert_enc = filename;
-		}
-		else if (strcasecmp("cacert-sig", optarg) == 0)
-		{
-		    filetype_in |= CACERT_SIG;
-		    if (filename)
-			 file_in_cacert_sig = filename;
-		}
-		else
-		{
-		    usage("invalid --in file type");
-		}
-		continue;
-	    }
+	/* check for minimum key length */
+	if (private_key->get_keysize(private_key) < RSA_MIN_OCTETS)
+	{
+		exit_scepclient("length of RSA key has to be at least %d bits"
+			,RSA_MIN_OCTETS * BITS_PER_BYTE);
+	}
 
-	case 'o':	/* --out <type> [= <filename>] */
-	    {
-		char *filename = strstr(optarg, "=");
+	/*
+	 * input of PKCS#10 file
+	 */
+	if (filetype_in & PKCS10)
+	{
+		/* user wants to load a pkcs10 request
+		 * operation is not yet supported
+		 * would require a PKCS#10 parsing function
 
-		if (filename)
-		{
-		    /* replace '=' by '\0' */
-		    *filename = '\0';
-		    /* set pointer to start of filename */
-		    filename++;
-		}
-		if (strcasecmp("pkcs1", optarg) == 0)
-		{
-		    filetype_out |= PKCS1;
-		    if (filename)
-			file_out_pkcs1 = filename;
-		}
-		else if (strcasecmp("pkcs10", optarg) == 0)
-		{
-		    filetype_out |= PKCS10;
-		    if (filename)
-			file_out_pkcs10 = filename;
-		}
-		else if (strcasecmp("pkcs7", optarg) == 0)
-		{
-		    filetype_out |= PKCS7;
-		    if (filename)
-			file_out_pkcs7 = filename;
-		}
-		else if (strcasecmp("cert-self", optarg) == 0)
-		{
-		    filetype_out |= CERT_SELF;
-		    if (filename)
-			file_out_cert_self = filename;
-		}
-		else if (strcasecmp("cert", optarg) == 0)
-		{
-		    filetype_out |= CERT;
-		    if (filename)
-			file_out_cert = filename;
-		}
-		else if (strcasecmp("cacert", optarg) == 0)
-		{
-		    request_ca_certificate = TRUE;
-		    if (filename)
-			file_out_prefix_cacert = filename;
-		}
-		else
-		{
-		    usage("invalid --out file type");
-		}
-		continue;
-	    }
-	
-	case 'f':	/* --force */
-	    force = TRUE;
-	    continue;
-
-	case '+':	/* --optionsfrom <filename> */
-	    optionsfrom(optarg, &argc, &argv, optind, stderr);
-	    /* does not return on error */
-	    continue;
-
-	case 'k':	 /* --keylength <length> */
-	    {
-		div_t q;
-
-		rsa_keylength = atoi(optarg);
-		if (rsa_keylength == 0)
-		    usage("invalid keylength");
-
-		/* check if key length is a multiple of 8 bits */
-		q = div(rsa_keylength, 2*BITS_PER_BYTE);
-		if (q.rem != 0)
-		{
-		    exit_scepclient("keylength is not a multiple of %d bits!"
-			, 2*BITS_PER_BYTE);
-		}
-		continue;
-	    }
-
-	case 'D':	/* --days */
-	    if (optarg == NULL || !isdigit(optarg[0]))
-		usage("missing number of days");
-	    {
-		char *endptr;
-		long days = strtol(optarg, &endptr, 0);
-
-		if (*endptr != '\0' || endptr == optarg
-		|| days <= 0)
-		    usage("<days> must be a positive number");
-		validity = 24*3600*days;
-	    }
-	    continue;
-
-	case 'S':	/* --startdate */
-            if (optarg == NULL || strlen(optarg) != 13 || optarg[12] != 'Z')
-                usage("date format must be YYMMDDHHMMSSZ");
-	    {
-		chunk_t date = { optarg, 13 };
-		notBefore = asn1totime(&date, ASN1_UTCTIME);
-	    }
-	    continue;
-
-	case 'E':	/* --enddate */
-            if (optarg == NULL || strlen(optarg) != 13 || optarg[12] != 'Z')
-                usage("date format must be YYMMDDHHMMSSZ");
-	    {
-		chunk_t date = { optarg, 13 };
-		notAfter = asn1totime(&date, ASN1_UTCTIME);
-	    }
-	    continue;
-
-	case 'd':	/* --dn */
-	    if (distinguishedName)
-		usage("only one distinguished name allowed");
-	    distinguishedName = optarg;
-	    continue;
-
-	case 's':	/* --subjectAltName */
-	    {
-		generalNames_t kind;
-		char *value = strstr(optarg, "=");
-
-		if (value)
-		{
-		    /* replace '=' by '\0' */
-		    *value = '\0';
-		    /* set pointer to start of value */
-		    value++;
-		}
+		pkcs10 = pkcs10_read_from_file(file_in_pkcs10);
 
-		if (!strcasecmp("email", optarg))
-		    kind = GN_RFC822_NAME;
-		else if (!strcasecmp("dns", optarg))
-		    kind = GN_DNS_NAME;
-		else if (!strcasecmp("ip", optarg))
-		    kind = GN_IP_ADDRESS;
-		else
-		{
-		    usage("invalid --subjectAltName type");
-		    continue;
-		}
-		pkcs10_add_subjectAltName(&subjectAltNames, kind, value);
-		continue;
-	    }
-
-	case 'p':	/* --password */
-	    if (challengePassword.len > 0)
-		usage("only one challenge password allowed");
-
-	    if (strcasecmp("%prompt", optarg) == 0)
-	    {
-		printf("Challenge password: ");
-		if (fgets(challenge_password_buffer, sizeof(challenge_password_buffer)-1, stdin))
+		 */
+	}
+	else
+	{
+		char buf[IDTOA_BUF];
+		chunk_t dn = chunk_empty;
+
+		dn.ptr = buf;
+
+		if (distinguishedName == NULL)
 		{
-		    challengePassword.ptr = challenge_password_buffer;
-		    /* discard the terminating '\n' from the input */
-		    challengePassword.len = strlen(challenge_password_buffer) - 1;
+			char buf[BUF_LEN];
+			int n = sprintf(buf, DEFAULT_DN);
+
+			/* set the common name to the hostname */
+			if (gethostname(buf + n, BUF_LEN - n) || strlen(buf) == n)
+			{
+				exit_scepclient("no hostname defined, use "
+								"--dn <distinguished name> option");
+			}
+			distinguishedName = buf;
 		}
-		else
+
+		DBG(DBG_CONTROL,
+			DBG_log("dn: '%s'", distinguishedName);
+		)
+		ugh = atodn(distinguishedName, &dn);
+		if (ugh != NULL)
 		{
-		    usage("challenge password could not be read");
+			exit_scepclient(ugh);
 		}
-	    }
-	    else
-	    {
-		challengePassword.ptr = optarg;
-		challengePassword.len = strlen(optarg);
-	    }
-	    continue;
-
-	case 'u':	/* -- url */
-	    if (scep_url)
-		usage("only one URL argument allowed");
-	    scep_url = optarg;
-	    continue;
-
-	case 'm':	/* --method */
-	    if (strcasecmp("post", optarg) == 0)
-		request_type = FETCH_POST;
-	    else if (strcasecmp("get", optarg) == 0)
-		request_type = FETCH_GET;
-	    else
-		usage("invalid http request method specified");
-	    continue;
-
-	case 't':	/* --interval */
-	    poll_interval = atoi(optarg);
-	    if (poll_interval <= 0)
-		usage("invalid interval specified");
-	    continue;
-
-	case 'x':	/* --maxpolltime */
-	    max_poll_time = atoi(optarg);
-	    if (max_poll_time < 0)
-		usage("invalid maxpolltime specified");
-	    continue;
-
-	case 'a':	/*--algorithm */
-	    if (strcasecmp("des-cbc", optarg) == 0)
-		pkcs7_symmetric_cipher = OID_DES_CBC;
-	    else if (strcasecmp("3des-cbc", optarg) == 0)
-		pkcs7_symmetric_cipher = OID_3DES_EDE_CBC;
-	    else
-		usage("invalid encryption algorithm specified");
-	    continue;
-#ifdef DEBUG
-	case 'A':	/* --debug-all */
-	    base_debugging |= DBG_ALL;
-	    continue;
-	case 'P':	/* debug parsing */
-	    base_debugging |= DBG_PARSING;
-	    continue;
-	case 'R':	/* debug raw */
-	    base_debugging |= DBG_RAW;
-	    continue;
-	case 'C':	/* debug control */
-	    base_debugging |= DBG_CONTROL;
-	    continue;
-	case 'M':	/* debug control more */
-	    base_debugging |= DBG_CONTROLMORE;
-	    continue;
-	case 'X':	/* debug private */
-	    base_debugging |= DBG_PRIVATE;
-	    continue;
-#endif
-	default: 
-	    usage("unknown option");
+
+		subject = chunk_clone(dn);
+
+		DBG(DBG_CONTROL,
+			DBG_log("building pkcs10 object:")
+		)
+		pkcs10 = pkcs10_build(private_key, public_key, subject,
+							  challengePassword, subjectAltNames,
+							  pkcs10_signature_alg);
+		fingerprint = scep_generate_pkcs10_fingerprint(pkcs10->request);
+		plog("  fingerprint:    %s", fingerprint.ptr);
 	}
-	/* break from loop */
-	break;
-    }
 
-    init_log("scepclient");
-    cur_debugging = base_debugging;
-    init_rnd_pool();
-    init_fetch();
+	/* 
+	 * output of PKCS#10 file
+	 */
+	if (filetype_out & PKCS10)
+	{
+		char *path = concatenate_paths(REQ_PATH, file_out_pkcs10);
 
-    if ((filetype_out == 0) && (!request_ca_certificate))
-	usage ("--out filetype required");
+		if (!chunk_write(pkcs10->request, path, "pkcs10",  0022, force))
+			exit_scepclient("could not write pkcs10 file '%s'", path);
 
-    if (request_ca_certificate && (filetype_out > 0 || filetype_in > 0))
-	usage("in CA certificate request, no other --in or --out option allowed");
+		filetype_out &= ~PKCS10;   /* delete PKCS10 flag */
+	}
 
-    /* check if url is given, if cert output defined */
-    if (((filetype_out & CERT) || request_ca_certificate) && !scep_url)
-		usage("URL of SCEP server required");
+	if (!filetype_out)
+	{
+		exit_scepclient(NULL); /* no further output required */
+	}
 
-    /* check for sanity of --in/--out */
-    if (!filetype_in && (filetype_in > filetype_out))
-	usage("cannot generate --out of given --in!");
-
-    /*
-     * input of PKCS#1 file
-     */
-    private_key = alloc_thing(RSA_private_key_t, "RSA_private_key_t");
-
-    if (filetype_in & PKCS1)	/* load an RSA key pair from file */ 
-    {
-	prompt_pass_t pass = { "", FALSE, STDIN_FILENO };
-	const char *path = concatenate_paths(PRIVATE_KEY_PATH, file_in_pkcs1);
-
-	ugh = load_rsa_private_key(path, &pass, private_key);
-    }
-    else	    			/* generate an RSA key pair */
-    {
-	ugh = generate_rsa_private_key(rsa_keylength, private_key);
-    }
-    if (ugh != NULL)
-	exit_scepclient(ugh);
-
-    /* check for minimum key length */
-    if ((private_key->pub.k) < RSA_MIN_OCTETS)
-    {
-	exit_scepclient("length of RSA key has to be at least %d bits"
-	    ,RSA_MIN_OCTETS * BITS_PER_BYTE);
-    }
-
-    /*
-     * input of PKCS#10 file
-     */
-    if (filetype_in & PKCS10)
-    {
-	/* user wants to load a pkcs10 request
-	 * operation is not yet supported
-	 * would require a PKCS#10 parsing function
-
-	pkcs10 = pkcs10_read_from_file(file_in_pkcs10);
-
-         */
-    }
-    else
-    {
-	char buf[IDTOA_BUF];
-	chunk_t dn = empty_chunk;
-
-        dn.ptr = buf;
-
-	if (distinguishedName == NULL)
+	/*
+	 * output of PKCS#1 file
+	 */
+	if (filetype_out & PKCS1)
 	{
-	    char buf[BUF_LEN];
-	    int n = sprintf(buf, DEFAULT_DN);
-
-	    /* set the common name to the hostname */
-	    if (gethostname(buf + n, BUF_LEN - n) || strlen(buf) == n)
-	    {
-		exit_scepclient("no hostname defined, use "
-				"--dn <distinguished name> option");
-	    }
-	    distinguishedName = buf;
+		char *path = concatenate_paths(PRIVATE_KEY_PATH, file_out_pkcs1);
+
+		DBG(DBG_CONTROL,
+			DBG_log("building pkcs1 object:")
+		)
+		pkcs1 = private_key->get_encoding(private_key);
+
+		if (!chunk_write(pkcs1, path, "pkcs1", 0066, force))
+			exit_scepclient("could not write pkcs1 file '%s'", path);
+
+		filetype_out &= ~PKCS1;   /* delete PKCS1 flag */
 	}
 
-	DBG(DBG_CONTROL,
-	    DBG_log("dn: '%s'", distinguishedName);
-	)
-	ugh = atodn(distinguishedName, &dn);
-	if (ugh != NULL)
-	    exit_scepclient(ugh);
-
-	clonetochunk(subject, dn.ptr, dn.len, "subject dn");
-
-	DBG(DBG_CONTROL,
-	    DBG_log("building pkcs10 object:")
-	)
-	pkcs10 = pkcs10_build(private_key, subject, challengePassword
-		    , subjectAltNames, pkcs10_signature_alg);
-	scep_generate_pkcs10_fingerprint(pkcs10->request, &fingerprint);
-	plog("  fingerprint:    %.*s", (int)fingerprint.len, fingerprint.ptr);
-    }
-
-    /* 
-     * output of PKCS#10 file
-     */
-    if (filetype_out & PKCS10)
-    {
-	const char *path = concatenate_paths(REQ_PATH, file_out_pkcs10);
-
-	if (!write_chunk(path, "pkcs10", pkcs10->request, 0022, force))
-	    exit_scepclient("could not write pkcs10 file '%s'", path);
-
-	filetype_out &= ~PKCS10;   /* delete PKCS10 flag */
-    }
-
-    if (!filetype_out)
-	exit_scepclient(NULL); /* no further output required */
-
-    /*
-     * output of PKCS#1 file
-     */
-    if (filetype_out & PKCS1)
-    {
-	const char *path = concatenate_paths(PRIVATE_KEY_PATH, file_out_pkcs1);
-
-	DBG(DBG_CONTROL,
-	    DBG_log("building pkcs1 object:")
-	)
-	pkcs1 = pkcs1_build_private_key(private_key);
-
-	if (!write_chunk(path, "pkcs1", pkcs1, 0066, force))
-	    exit_scepclient("could not write pkcs1 file '%s'", path);
-
-	filetype_out &= ~PKCS1;   /* delete PKCS1 flag */
-    }
-
-    if (!filetype_out)
-	exit_scepclient(NULL); /* no further output required */
-
-    scep_generate_transaction_id((const RSA_public_key_t *)private_key
-	, &transID, &serialNumber);
-    plog("  transaction ID: %.*s", (int)transID.len, transID.ptr);
-
-    /* generate a self-signed X.509 certificate */
-    x509_signer = alloc_thing(x509cert_t, "signer cert");
-    *x509_signer = empty_x509cert;
-    x509_signer->serialNumber = serialNumber;
-    x509_signer->sigAlg = OID_SHA1_WITH_RSA;
-    x509_signer->issuer = subject;
-    x509_signer->notBefore = (notBefore)? notBefore
-					: time(NULL);
-    x509_signer->notAfter = (notAfter)? notAfter
-				      : x509_signer->notBefore + validity;
-    x509_signer->subject = subject;
-    x509_signer->subjectAltName = subjectAltNames;
-
-    build_x509cert(x509_signer, (const RSA_public_key_t *)private_key
-		 , private_key);
-
-    /*
-     * output of self-signed X.509 certificate file
-     */
-    if (filetype_out & CERT_SELF)
-    {
-	const char *path = concatenate_paths(HOST_CERT_PATH, file_out_cert_self);
-
-	if (!write_chunk(path, "self-signed cert", x509_signer->certificate, 0022, force))
-	    exit_scepclient("could not write self-signed cert file '%s'", path);
-;
-	filetype_out &= ~CERT_SELF;   /* delete CERT_SELF flag */
-    }
-
-    if (!filetype_out)
-	exit_scepclient(NULL); /* no further output required */
-
-    /*
-     * load ca encryption certificate
-     */
-    {
-	const char *path = concatenate_paths(CA_CERT_PATH, file_in_cacert_enc);
-	cert_t cert;
-
-	if (!load_cert(path, "encryption cacert", &cert))
-	    exit_scepclient("could not load encryption cacert file '%s'", path);
-	x509_ca_enc = cert.u.x509;
-    }
-
-    /* 
-     * input of PKCS#7 file
-     */
-    if (filetype_in & PKCS7)
-    {
-	/* user wants to load a pkcs7 encrypted request
-         * operation is not yet supported!
-	 * would require additional parsing of transaction-id
-
-	   pkcs7 = pkcs7_read_from_file(file_in_pkcs7);
+	if (!filetype_out)
+	{
+		exit_scepclient(NULL); /* no further output required */
+	}
 
+	scep_generate_transaction_id(public_key, &transID, &serialNumber);
+	plog("  transaction ID: %.*s", (int)transID.len, transID.ptr);
+
+	/* generate a self-signed X.509 certificate */
+	x509_signer = malloc_thing(x509cert_t);
+	*x509_signer = empty_x509cert;
+	x509_signer->serialNumber = serialNumber;
+	x509_signer->sigAlg = OID_SHA1_WITH_RSA;
+	x509_signer->issuer = subject;
+	x509_signer->notBefore = (notBefore)? notBefore
+										: time(NULL);
+	x509_signer->notAfter = (notAfter)? notAfter
+									  : x509_signer->notBefore + validity;
+	x509_signer->subject = subject;
+	x509_signer->subjectAltName = subjectAltNames;
+	build_x509cert(x509_signer, public_key, private_key);
+
+	/*
+	 * output of self-signed X.509 certificate file
 	 */
-    }
-    else
-    {
-	DBG(DBG_CONTROL,
-	    DBG_log("building pkcs7 request")
-	)
-	pkcs7 = scep_build_request(pkcs10->request
-		    , transID, SCEP_PKCSReq_MSG
-		    , x509_ca_enc, pkcs7_symmetric_cipher
-		    , x509_signer, pkcs7_digest_alg, private_key);
-    }
-
-    /*
-     * output pkcs7 encrypted and signed certificate request
-     */
-    if (filetype_out & PKCS7)
-    {
-	const char *path = concatenate_paths(REQ_PATH, file_out_pkcs7);
-
-	if (!write_chunk(path, "pkcs7 encrypted request", pkcs7, 0022, force))
-	    exit_scepclient("could not write pkcs7 file '%s'", path);
-;
-	filetype_out &= ~PKCS7;   /* delete PKCS7 flag */
-    }
-
-    if (!filetype_out)
-	exit_scepclient(NULL); /* no further output required */
-
-    /*
-     * output certificate fetch from SCEP server
-     */
-    if (filetype_out & CERT)
-    {
-	const char *path = concatenate_paths(CA_CERT_PATH, file_in_cacert_sig);
-	cert_t cert;
-	time_t poll_start;
-
-	x509cert_t       *certs         = NULL;
-	chunk_t           envelopedData = empty_chunk;
-	chunk_t           certData      = empty_chunk;
-	contentInfo_t     data          = empty_contentInfo;
-	scep_attributes_t attrs         = empty_scep_attributes;
-
-	if (!load_cert(path, "signature cacert", &cert))
-	    exit_scepclient("could not load signature cacert file '%s'", path);
-	x509_ca_sig = cert.u.x509;
-
-	if (!scep_http_request(scep_url, pkcs7, SCEP_PKI_OPERATION
-	    , request_type, &scep_response))
+	if (filetype_out & CERT_SELF)
 	{
-	    exit_scepclient("did not receive a valid scep response");
+		char *path = concatenate_paths(HOST_CERT_PATH, file_out_cert_self);
+
+		if (!chunk_write(x509_signer->certificate, path, "self-signed cert", 0022, force))
+			exit_scepclient("could not write self-signed cert file '%s'", path);
+;
+		filetype_out &= ~CERT_SELF;   /* delete CERT_SELF flag */
 	}
-        ugh = scep_parse_response(scep_response, transID, &data, &attrs
-				 , x509_ca_sig);
-	if (ugh != NULL)
-	    exit_scepclient(ugh);
 
-	/* in case of manual mode, we are going into a polling loop */
-	if (attrs.pkiStatus == SCEP_PENDING)
+	if (!filetype_out)
 	{
-	    plog("  scep request pending, polling every %d seconds"
-		, poll_interval);
-            time(&poll_start);
-	    issuerAndSubject = asn1_wrap(ASN1_SEQUENCE, "cc"
-				   , x509_ca_sig->subject
-				   , subject);
+		exit_scepclient(NULL); /* no further output required */
 	}
-	while (attrs.pkiStatus == SCEP_PENDING)
+
+	/*
+	 * load ca encryption certificate
+	 */
 	{
-	    if (max_poll_time > 0
-	    && (time(NULL) - poll_start >= max_poll_time))
-	    {
-		exit_scepclient("maximum poll time reached: %d seconds"
-			       , max_poll_time);
-	    }
-	    DBG(DBG_CONTROL,
-		DBG_log("going to sleep for %d seconds", poll_interval)
-	    )
-	    sleep(poll_interval);
-	    free(scep_response.ptr);
-
-	    DBG(DBG_CONTROL,
-		DBG_log("fingerprint:    %.*s", (int)fingerprint.len, fingerprint.ptr);
-		DBG_log("transaction ID: %.*s", (int)transID.len, transID.ptr)
-	    )
-
-	    freeanychunk(getCertInitial);
-	    getCertInitial = scep_build_request(issuerAndSubject
-				, transID, SCEP_GetCertInitial_MSG
-				, x509_ca_enc, pkcs7_symmetric_cipher
-				, x509_signer, pkcs7_digest_alg, private_key);
-
-	    if (!scep_http_request(scep_url, getCertInitial, SCEP_PKI_OPERATION
-	    , request_type, &scep_response))
-	    {
-		exit_scepclient("did not receive a valid scep response");
-	    }
-            ugh = scep_parse_response(scep_response, transID, &data, &attrs
-				     , x509_ca_sig);
-	    if (ugh != NULL)
-		exit_scepclient(ugh);
+		char *path = concatenate_paths(CA_CERT_PATH, file_in_cacert_enc);
+		cert_t cert;
+
+		if (!load_cert(path, "encryption cacert", &cert))
+		{
+			exit_scepclient("could not load encryption cacert file '%s'", path);
+		}
+		x509_ca_enc = cert.u.x509;
 	}
 
-	if (attrs.pkiStatus != SCEP_SUCCESS)
+	/* 
+	 * input of PKCS#7 file
+	 */
+	if (filetype_in & PKCS7)
 	{
-	    exit_scepclient("reply status is not 'SUCCESS'");
-	}
+		/* user wants to load a pkcs7 encrypted request
+		 * operation is not yet supported!
+		 * would require additional parsing of transaction-id
 
-	envelopedData = data.content;
+		   pkcs7 = pkcs7_read_from_file(file_in_pkcs7);
 
-	if (data.type != OID_PKCS7_DATA
-	|| !parse_asn1_simple_object(&envelopedData, ASN1_OCTET_STRING, 0, "data"))
+		 */
+	}
+	else
 	{
-	    exit_scepclient("contentInfo is not of type 'data'");
+		DBG(DBG_CONTROL,
+			DBG_log("building pkcs7 request")
+		)
+		pkcs7 = scep_build_request(pkcs10->request
+					, transID, SCEP_PKCSReq_MSG
+					, x509_ca_enc, pkcs7_symmetric_cipher
+					, x509_signer, pkcs7_digest_alg, private_key);
 	}
-	if (!pkcs7_parse_envelopedData(envelopedData, &certData
-	    , serialNumber, private_key))
+
+	/*
+	 * output pkcs7 encrypted and signed certificate request
+	 */
+	if (filetype_out & PKCS7)
 	{
-	    exit_scepclient("could not decrypt envelopedData");
+		char *path = concatenate_paths(REQ_PATH, file_out_pkcs7);
+
+		if (!chunk_write(pkcs7, path, "pkcs7 encrypted request", 0022, force))
+			exit_scepclient("could not write pkcs7 file '%s'", path);
+;
+		filetype_out &= ~PKCS7;   /* delete PKCS7 flag */
 	}
-	if (!pkcs7_parse_signedData(certData, NULL, &certs, NULL, NULL))
-        {
-	    exit_scepclient("error parsing the scep response");
+
+	if (!filetype_out)
+	{
+		exit_scepclient(NULL); /* no further output required */
 	}
-	freeanychunk(certData);
-
-	/* store the end entity certificate */
-	path = concatenate_paths(HOST_CERT_PATH, file_out_cert);
-	while (certs != NULL)
- 	{
-	    bool stored = FALSE;
-	    x509cert_t *cert = certs;
-
-	    if (!cert->isCA)
-	    {
-		if (stored)
-		    exit_scepclient("multiple certs received, only first stored");
-		if (!write_chunk(path, "requested cert", cert->certificate, 0022, force))
-		    exit_scepclient("could not write cert file '%s'", path);
-		stored = TRUE;
-	    }
-	    certs = certs->next;
-	    free_x509cert(cert);
+
+	/*
+	 * output certificate fetch from SCEP server
+	 */
+	if (filetype_out & CERT)
+	{
+		char *path = concatenate_paths(CA_CERT_PATH, file_in_cacert_sig);
+		cert_t cert;
+		time_t poll_start;
+
+		x509cert_t       *certs         = NULL;
+		chunk_t           envelopedData = chunk_empty;
+		chunk_t           certData      = chunk_empty;
+		contentInfo_t     data          = empty_contentInfo;
+		scep_attributes_t attrs         = empty_scep_attributes;
+
+		if (!load_cert(path, "signature cacert", &cert))
+			exit_scepclient("could not load signature cacert file '%s'", path);
+		x509_ca_sig = cert.u.x509;
+
+		if (!scep_http_request(scep_url, pkcs7, SCEP_PKI_OPERATION,
+			http_get_request, &scep_response))
+		{
+			exit_scepclient("did not receive a valid scep response");
+		}
+		ugh = scep_parse_response(scep_response, transID, &data, &attrs
+								 , x509_ca_sig);
+		if (ugh != NULL)
+		{
+			exit_scepclient(ugh);
+		}
+
+		/* in case of manual mode, we are going into a polling loop */
+		if (attrs.pkiStatus == SCEP_PENDING)
+		{
+			plog("  scep request pending, polling every %d seconds"
+				, poll_interval);
+			time(&poll_start);
+			issuerAndSubject = asn1_wrap(ASN1_SEQUENCE, "cc"
+								   , x509_ca_sig->subject
+								   , subject);
+		}
+		while (attrs.pkiStatus == SCEP_PENDING)
+		{
+			if (max_poll_time > 0
+			&& (time(NULL) - poll_start >= max_poll_time))
+			{
+				exit_scepclient("maximum poll time reached: %d seconds"
+							   , max_poll_time);
+			}
+			DBG(DBG_CONTROL,
+				DBG_log("going to sleep for %d seconds", poll_interval)
+			)
+			sleep(poll_interval);
+			free(scep_response.ptr);
+
+			DBG(DBG_CONTROL,
+				DBG_log("fingerprint:    %.*s", (int)fingerprint.len, fingerprint.ptr);
+				DBG_log("transaction ID: %.*s", (int)transID.len, transID.ptr)
+			)
+
+			chunk_free(&getCertInitial);
+			getCertInitial = scep_build_request(issuerAndSubject
+								, transID, SCEP_GetCertInitial_MSG
+								, x509_ca_enc, pkcs7_symmetric_cipher
+								, x509_signer, pkcs7_digest_alg, private_key);
+
+			if (!scep_http_request(scep_url, getCertInitial, SCEP_PKI_OPERATION,
+				http_get_request, &scep_response))
+			{
+				exit_scepclient("did not receive a valid scep response");
+			}
+			ugh = scep_parse_response(scep_response, transID, &data, &attrs
+									 , x509_ca_sig);
+			if (ugh != NULL)
+			{
+				exit_scepclient(ugh);
+			}
+		}
+
+		if (attrs.pkiStatus != SCEP_SUCCESS)
+		{
+			exit_scepclient("reply status is not 'SUCCESS'");
+		}
+
+		envelopedData = data.content;
+
+		if (data.type != OID_PKCS7_DATA
+		|| !asn1_parse_simple_object(&envelopedData, ASN1_OCTET_STRING, 0, "data"))
+		{
+			exit_scepclient("contentInfo is not of type 'data'");
+		}
+		if (!pkcs7_parse_envelopedData(envelopedData, &certData
+			, serialNumber, private_key))
+		{
+			exit_scepclient("could not decrypt envelopedData");
+		}
+		if (!pkcs7_parse_signedData(certData, NULL, &certs, NULL, NULL))
+		{
+			exit_scepclient("error parsing the scep response");
+		}
+		chunk_free(&certData);
+
+		/* store the end entity certificate */
+		path = concatenate_paths(HOST_CERT_PATH, file_out_cert);
+		while (certs != NULL)
+		{
+			bool stored = FALSE;
+			x509cert_t *cert = certs;
+
+			if (!cert->isCA)
+			{
+				if (stored)
+					exit_scepclient("multiple certs received, only first stored");
+				if (!chunk_write(cert->certificate, path, "requested cert", 0022, force))
+					exit_scepclient("could not write cert file '%s'", path);
+				stored = TRUE;
+			}
+			certs = certs->next;
+			free_x509cert(cert);
+		}
+		filetype_out &= ~CERT;   /* delete CERT flag */
 	}
-	filetype_out &= ~CERT;   /* delete CERT flag */
-    }
 
-    exit_scepclient(NULL);
-    return -1; /* should never be reached */
+	exit_scepclient(NULL);
+	return -1; /* should never be reached */
 }
 
 
diff --git a/src/starter/Makefile.am b/src/starter/Makefile.am
index 8a9ba54c9..439a7785a 100644
--- a/src/starter/Makefile.am
+++ b/src/starter/Makefile.am
@@ -5,9 +5,22 @@ starterstroke.h interfaces.c invokepluto.h confread.h interfaces.h args.c \
 keywords.c files.h keywords.h cmp.c starter.c cmp.h exec.c invokecharon.c \
 exec.h invokecharon.h lex.yy.c loglite.c klips.c klips.h
 
-INCLUDES = -I${linuxdir} -I$(top_srcdir)/src/libfreeswan -I$(top_srcdir)/src/pluto -I$(top_srcdir)/src/whack -I$(top_srcdir)/src/stroke
-AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" -DIPSEC_CONFDIR=\"${confdir}\" -DIPSEC_PIDDIR=\"${piddir}\" -DIPSEC_EAPDIR=\"${eapdir}\" -DDEBUG
-starter_LDADD = defs.o $(top_builddir)/src/libfreeswan/libfreeswan.a
+INCLUDES = \
+-I${linuxdir} \
+-I$(top_srcdir)/src/libstrongswan \
+-I$(top_srcdir)/src/libfreeswan \
+-I$(top_srcdir)/src/pluto \
+-I$(top_srcdir)/src/whack \
+-I$(top_srcdir)/src/stroke
+
+AM_CFLAGS = \
+-DIPSEC_DIR=\"${ipsecdir}\" \
+-DIPSEC_CONFDIR=\"${confdir}\" \
+-DIPSEC_PIDDIR=\"${piddir}\" \
+-DIPSEC_EAPDIR=\"${eapdir}\" \
+-DDEBUG
+
+starter_LDADD = defs.o $(top_builddir)/src/libfreeswan/libfreeswan.a $(top_builddir)/src/libstrongswan/libstrongswan.la
 EXTRA_DIST = parser.l parser.y keywords.txt ipsec.conf
 dist_man_MANS = ipsec.conf.5 starter.8
 MAINTAINERCLEANFILES = lex.yy.c y.tab.c y.tab.h keywords.c
@@ -23,20 +36,20 @@ if USE_CHARON
   AM_CFLAGS += -DSTART_CHARON
 endif
 
-lex.yy.c:	parser.l parser.y parser.h y.tab.c
-		$(LEX) --nounput $< 
+lex.yy.c:	$(srcdir)/parser.l $(srcdir)/parser.y $(srcdir)/parser.h
+		$(LEX) $(srcdir)/parser.l 
 
-y.tab.c:	parser.y parser.l parser.h
-		$(YACC) -v -d $<
+y.tab.c:	$(srcdir)/parser.y $(srcdir)/parser.l $(srcdir)/parser.h
+		$(YACC) -v -d $(srcdir)/parser.y
 
-y.tab.h:	parser.y parser.l parser.h
-		$(YACC) -v -d $<
+y.tab.h:	$(srcdir)/parser.y $(srcdir)/parser.l $(srcdir)/parser.h
+		$(YACC) -v -d $(srcdir)/parser.y
 
-keywords.c:	keywords.txt keywords.h
-		$(GPERF) -C -G -t < $< > $@
+keywords.c:	$(srcdir)/keywords.txt $(srcdir)/keywords.h
+		$(GPERF) -m 10 -C -G -D -t < $(srcdir)/keywords.txt > $@
 
 defs.o:		$(PLUTODIR)/defs.c $(PLUTODIR)/defs.h
-		$(COMPILE) -c -o $@ $<
+		$(COMPILE) -c -o $@ $(PLUTODIR)/defs.c
 
 install-exec-local :	
 		test -e "$(DESTDIR)${sysconfdir}/ipsec.d" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -d "$(DESTDIR)$(sysconfdir)/ipsec.d" || true
diff --git a/src/starter/Makefile.in b/src/starter/Makefile.in
index 54fd28604..4e6bffdeb 100644
--- a/src/starter/Makefile.in
+++ b/src/starter/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -56,7 +56,8 @@ am_starter_OBJECTS = y.tab.$(OBJEXT) netkey.$(OBJEXT) \
 	lex.yy.$(OBJEXT) loglite.$(OBJEXT) klips.$(OBJEXT)
 starter_OBJECTS = $(am_starter_OBJECTS)
 starter_DEPENDENCIES = defs.o \
-	$(top_builddir)/src/libfreeswan/libfreeswan.a
+	$(top_builddir)/src/libfreeswan/libfreeswan.a \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
@@ -93,6 +94,7 @@ CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -115,6 +117,9 @@ LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -126,6 +131,7 @@ MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
 NM = @NM@
 NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
@@ -139,6 +145,8 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 RANLIB = @RANLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -199,6 +207,7 @@ oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
 plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -210,6 +219,7 @@ srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 xml_CFLAGS = @xml_CFLAGS@
@@ -220,11 +230,18 @@ starterstroke.h interfaces.c invokepluto.h confread.h interfaces.h args.c \
 keywords.c files.h keywords.h cmp.c starter.c cmp.h exec.c invokecharon.c \
 exec.h invokecharon.h lex.yy.c loglite.c klips.c klips.h
 
-INCLUDES = -I${linuxdir} -I$(top_srcdir)/src/libfreeswan -I$(top_srcdir)/src/pluto -I$(top_srcdir)/src/whack -I$(top_srcdir)/src/stroke
+INCLUDES = \
+-I${linuxdir} \
+-I$(top_srcdir)/src/libstrongswan \
+-I$(top_srcdir)/src/libfreeswan \
+-I$(top_srcdir)/src/pluto \
+-I$(top_srcdir)/src/whack \
+-I$(top_srcdir)/src/stroke
+
 AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" -DIPSEC_CONFDIR=\"${confdir}\" \
 	-DIPSEC_PIDDIR=\"${piddir}\" -DIPSEC_EAPDIR=\"${eapdir}\" \
 	-DDEBUG $(am__append_1) $(am__append_2)
-starter_LDADD = defs.o $(top_builddir)/src/libfreeswan/libfreeswan.a
+starter_LDADD = defs.o $(top_builddir)/src/libfreeswan/libfreeswan.a $(top_builddir)/src/libstrongswan/libstrongswan.la
 EXTRA_DIST = parser.l parser.y keywords.txt ipsec.conf
 dist_man_MANS = ipsec.conf.5 starter.8
 MAINTAINERCLEANFILES = lex.yy.c y.tab.c y.tab.h keywords.c
@@ -238,8 +255,8 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
 	    *$$dep*) \
-	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
-		&& exit 0; \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
 	      exit 1;; \
 	  esac; \
 	done; \
@@ -355,8 +372,8 @@ install-man5: $(man5_MANS) $(man_MANS)
 	  esac; \
 	done; \
 	for i in $$list; do \
-	  if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
-	  else file=$$i; fi; \
+	  if test -f $$i; then file=$$i; \
+	  else file=$(srcdir)/$$i; fi; \
 	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
 	  case "$$ext" in \
 	    5*) ;; \
@@ -400,8 +417,8 @@ install-man8: $(man8_MANS) $(man_MANS)
 	  esac; \
 	done; \
 	for i in $$list; do \
-	  if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
-	  else file=$$i; fi; \
+	  if test -f $$i; then file=$$i; \
+	  else file=$(srcdir)/$$i; fi; \
 	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
 	  case "$$ext" in \
 	    8*) ;; \
@@ -440,7 +457,7 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
 	mkid -fID $$unique
 tags: TAGS
@@ -620,20 +637,20 @@ uninstall-man: uninstall-man5 uninstall-man8
 	uninstall-man8
 
 
-lex.yy.c:	parser.l parser.y parser.h y.tab.c
-		$(LEX) --nounput $< 
+lex.yy.c:	$(srcdir)/parser.l $(srcdir)/parser.y $(srcdir)/parser.h
+		$(LEX) $(srcdir)/parser.l 
 
-y.tab.c:	parser.y parser.l parser.h
-		$(YACC) -v -d $<
+y.tab.c:	$(srcdir)/parser.y $(srcdir)/parser.l $(srcdir)/parser.h
+		$(YACC) -v -d $(srcdir)/parser.y
 
-y.tab.h:	parser.y parser.l parser.h
-		$(YACC) -v -d $<
+y.tab.h:	$(srcdir)/parser.y $(srcdir)/parser.l $(srcdir)/parser.h
+		$(YACC) -v -d $(srcdir)/parser.y
 
-keywords.c:	keywords.txt keywords.h
-		$(GPERF) -C -G -t < $< > $@
+keywords.c:	$(srcdir)/keywords.txt $(srcdir)/keywords.h
+		$(GPERF) -m 10 -C -G -D -t < $(srcdir)/keywords.txt > $@
 
 defs.o:		$(PLUTODIR)/defs.c $(PLUTODIR)/defs.h
-		$(COMPILE) -c -o $@ $<
+		$(COMPILE) -c -o $@ $(PLUTODIR)/defs.c
 
 install-exec-local :	
 		test -e "$(DESTDIR)${sysconfdir}/ipsec.d" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -d "$(DESTDIR)$(sysconfdir)/ipsec.d" || true
diff --git a/src/starter/args.c b/src/starter/args.c
index c09bea986..f9d1824d8 100644
--- a/src/starter/args.c
+++ b/src/starter/args.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: args.c 4612 2008-11-11 06:37:37Z andreas $
  */
 
 #include <stddef.h>
@@ -33,276 +31,283 @@
 /* argument types */
 
 typedef enum {
-    ARG_NONE,
-    ARG_ENUM,
-    ARG_UINT,
-    ARG_TIME,
-    ARG_ULNG,
-    ARG_PCNT,
-    ARG_STR,
-    ARG_LST,
-    ARG_MISC
+	ARG_NONE,
+	ARG_ENUM,
+	ARG_UINT,
+	ARG_TIME,
+	ARG_ULNG,
+	ARG_PCNT,
+	ARG_STR,
+	ARG_LST,
+	ARG_MISC
 } arg_t;
 
 /* various keyword lists */
 
 static const char *LST_bool[] = {
-    "no",
-    "yes",
-     NULL
+	"no",
+	"yes",
+	 NULL
 };
 
 static const char *LST_sendcert[] = {
-    "always",
-    "ifasked",
-    "never",
-    "yes",
-    "no",
-     NULL
+	"always",
+	"ifasked",
+	"never",
+	"yes",
+	"no",
+	 NULL
 };
 
 static const char *LST_unique[] = {
-    "no",
-    "yes",
-    "replace",
-    "keep",
-     NULL
+	"no",
+	"yes",
+	"replace",
+	"keep",
+	 NULL
 };
 
 static const char *LST_strict[] = {
-    "no",
-    "yes",
-    "ifuri",
-     NULL
+	"no",
+	"yes",
+	"ifuri",
+	 NULL
 };
 static const char *LST_dpd_action[] = {
-    "none",
-    "clear",
-    "hold",
-    "restart",
-     NULL
+	"none",
+	"clear",
+	"hold",
+	"restart",
+	 NULL
 };
 
 static const char *LST_startup[] = {
-    "ignore",
-    "add",
-    "route",
-    "start",
-     NULL
+	"ignore",
+	"add",
+	"route",
+	"start",
+	 NULL
 };
 
 static const char *LST_packetdefault[] = {
-    "drop",
-    "reject",
-    "pass",
-     NULL
+	"drop",
+	"reject",
+	"pass",
+	 NULL
 };
 
 static const char *LST_keyexchange[] = {
-    "ike",
-    "ikev1",
-    "ikev2",
-     NULL
+	"ike",
+	"ikev1",
+	"ikev2",
+	 NULL
 };
 
 static const char *LST_pfsgroup[] = {
-    "modp1024",
-    "modp1536",
-    "modp2048",
-    "modp3072",
-    "modp4096",
-    "modp6144",
-    "modp8192",
-     NULL
+	"modp1024",
+	"modp1536",
+	"modp2048",
+	"modp3072",
+	"modp4096",
+	"modp6144",
+	"modp8192",
+	 NULL
 };
 
 static const char *LST_plutodebug[] = {
-    "none",
-    "all",
-    "raw",
-    "crypt",
-    "parsing",
-    "emitting",
-    "control",
-    "lifecycle",
-    "klips",
-    "dns",
-    "natt",
-    "oppo",
-    "controlmore",
-    "private",
-     NULL
+	"none",
+	"all",
+	"raw",
+	"crypt",
+	"parsing",
+	"emitting",
+	"control",
+	"lifecycle",
+	"klips",
+	"dns",
+	"natt",
+	"oppo",
+	"controlmore",
+	"private",
+	 NULL
 };
 
 static const char *LST_klipsdebug[] = {
-    "tunnel",
-    "tunnel-xmit",
-    "pfkey",
-    "xform",
-    "eroute",
-    "spi",
-    "radij",
-    "esp",
-    "ah",
-    "ipcomp",
-    "verbose",
-    "all",
-    "none",
-     NULL
+	"tunnel",
+	"tunnel-xmit",
+	"pfkey",
+	"xform",
+	"eroute",
+	"spi",
+	"radij",
+	"esp",
+	"ah",
+	"ipcomp",
+	"verbose",
+	"all",
+	"none",
+	 NULL
 };
 
 typedef struct {
-    arg_t       type;
-    size_t      offset;
-    const char  **list;
+	arg_t       type;
+	size_t      offset;
+	const char  **list;
 } token_info_t;
 
 static const token_info_t token_info[] =
 {
-    /* config setup keywords */
-    { ARG_LST,  offsetof(starter_config_t, setup.interfaces), NULL                 },
-    { ARG_STR,  offsetof(starter_config_t, setup.dumpdir), NULL                    },
-    { ARG_ENUM, offsetof(starter_config_t, setup.charonstart), LST_bool            },
-    { ARG_ENUM, offsetof(starter_config_t, setup.plutostart), LST_bool             },
-
-    /* pluto/charon keywords */
-    { ARG_LST,  offsetof(starter_config_t, setup.plutodebug), LST_plutodebug       },
-    { ARG_STR,  offsetof(starter_config_t, setup.charondebug),  NULL               },
-    { ARG_STR,  offsetof(starter_config_t, setup.prepluto), NULL                   },
-    { ARG_STR,  offsetof(starter_config_t, setup.postpluto), NULL                  },
-    { ARG_STR,  offsetof(starter_config_t, setup.plutostderrlog), NULL             },
-    { ARG_ENUM, offsetof(starter_config_t, setup.uniqueids), LST_unique            },
-    { ARG_UINT, offsetof(starter_config_t, setup.overridemtu), NULL                },
-    { ARG_TIME, offsetof(starter_config_t, setup.crlcheckinterval), NULL           },
-    { ARG_ENUM, offsetof(starter_config_t, setup.cachecrls), LST_bool              },
-    { ARG_ENUM, offsetof(starter_config_t, setup.strictcrlpolicy), LST_strict      },
-    { ARG_ENUM, offsetof(starter_config_t, setup.nocrsend), LST_bool               },
-    { ARG_ENUM, offsetof(starter_config_t, setup.nat_traversal), LST_bool          },
-    { ARG_TIME, offsetof(starter_config_t, setup.keep_alive), NULL                 },
-    { ARG_ENUM, offsetof(starter_config_t, setup.force_keepalive), LST_bool        },
-    { ARG_STR,  offsetof(starter_config_t, setup.virtual_private), NULL            },
-    { ARG_STR,  offsetof(starter_config_t, setup.pkcs11module), NULL               },
-    { ARG_STR,  offsetof(starter_config_t, setup.pkcs11initargs), NULL             },
-    { ARG_ENUM, offsetof(starter_config_t, setup.pkcs11keepstate), LST_bool        },
-    { ARG_ENUM, offsetof(starter_config_t, setup.pkcs11proxy), LST_bool            },
-
-    /* KLIPS keywords */
-    { ARG_LST,  offsetof(starter_config_t, setup.klipsdebug), LST_klipsdebug       },
-    { ARG_ENUM, offsetof(starter_config_t, setup.fragicmp), LST_bool               },
-    { ARG_STR,  offsetof(starter_config_t, setup.packetdefault), LST_packetdefault },
-    { ARG_ENUM, offsetof(starter_config_t, setup.hidetos), LST_bool                },
-
-    /* conn section keywords */
-    { ARG_STR,  offsetof(starter_conn_t, name), NULL                               },
-    { ARG_ENUM, offsetof(starter_conn_t, startup), LST_startup                     },
-    { ARG_ENUM, offsetof(starter_conn_t, keyexchange), LST_keyexchange             },
-    { ARG_MISC, 0, NULL  /* KW_TYPE */                                             },
-    { ARG_MISC, 0, NULL  /* KW_PFS */                                              },
-    { ARG_MISC, 0, NULL  /* KW_COMPRESS */                                         },
-    { ARG_ENUM, offsetof(starter_conn_t, install_policy), LST_bool                 },
-    { ARG_MISC, 0, NULL  /* KW_AUTH */                                             },
-    { ARG_MISC, 0, NULL  /* KW_AUTHBY */                                           },
-    { ARG_MISC, 0, NULL  /* KW_EAP */                                              },
-    { ARG_STR,  offsetof(starter_conn_t, eap_identity), NULL                       },
-    { ARG_MISC, 0, NULL  /* KW_MOBIKE */                                           },
-    { ARG_MISC, 0, NULL  /* KW_FORCEENCAPS */                                      },
-    { ARG_TIME, offsetof(starter_conn_t, sa_ike_life_seconds), NULL                },
-    { ARG_TIME, offsetof(starter_conn_t, sa_ipsec_life_seconds), NULL              },
-    { ARG_TIME, offsetof(starter_conn_t, sa_rekey_margin), NULL                    },
-    { ARG_MISC, 0, NULL  /* KW_KEYINGTRIES */                                      },
-    { ARG_PCNT, offsetof(starter_conn_t, sa_rekey_fuzz), NULL                      },
-    { ARG_MISC, 0, NULL  /* KW_REKEY */                                            },
-    { ARG_MISC, 0, NULL  /* KW_REAUTH */                                           },
-    { ARG_STR,  offsetof(starter_conn_t, ike), NULL                                },
-    { ARG_STR,  offsetof(starter_conn_t, esp), NULL                                },
-    { ARG_STR,  offsetof(starter_conn_t, pfsgroup), LST_pfsgroup                   },
-    { ARG_TIME, offsetof(starter_conn_t, dpd_delay), NULL                          },
-    { ARG_TIME, offsetof(starter_conn_t, dpd_timeout), NULL                        },
-    { ARG_ENUM, offsetof(starter_conn_t, dpd_action), LST_dpd_action               },
-    { ARG_MISC, 0, NULL  /* KW_MODECONFIG */                                       },
-    { ARG_MISC, 0, NULL  /* KW_XAUTH */                                            },
-    { ARG_ENUM, offsetof(starter_conn_t, me_mediation), LST_bool                   },
-    { ARG_STR,  offsetof(starter_conn_t, me_mediated_by), NULL                     },
-    { ARG_STR,  offsetof(starter_conn_t, me_peerid), NULL                          },
-
-    /* ca section keywords */
-    { ARG_STR,  offsetof(starter_ca_t, name), NULL                                 },
-    { ARG_ENUM, offsetof(starter_ca_t, startup), LST_startup                       },
-    { ARG_STR,  offsetof(starter_ca_t, cacert), NULL                               },
-    { ARG_STR,  offsetof(starter_ca_t, ldaphost), NULL                             },
-    { ARG_STR,  offsetof(starter_ca_t, ldapbase), NULL                             },
-    { ARG_STR,  offsetof(starter_ca_t, crluri), NULL                               },
-    { ARG_STR,  offsetof(starter_ca_t, crluri2), NULL                              },
-    { ARG_STR,  offsetof(starter_ca_t, ocspuri), NULL                              },
-    { ARG_STR,  offsetof(starter_ca_t, ocspuri2), NULL                             },
-    { ARG_STR,  offsetof(starter_ca_t, certuribase), NULL                          },
-
-    /* end keywords */
-    { ARG_MISC, 0, NULL  /* KW_HOST */                                             },
-    { ARG_MISC, 0, NULL  /* KW_NEXTHOP */                                          },
-    { ARG_STR, offsetof(starter_end_t, subnet), NULL                               },
-    { ARG_MISC, 0, NULL  /* KW_SUBNETWITHIN */                                     },
-    { ARG_MISC, 0, NULL  /* KW_PROTOPORT */                                        },
-    { ARG_STR, offsetof(starter_end_t, srcip), NULL                                },
-    { ARG_MISC, 0, NULL  /* KW_NATIP */                                            },
-    { ARG_ENUM, offsetof(starter_end_t, firewall), LST_bool                        },
-    { ARG_ENUM, offsetof(starter_end_t, hostaccess), LST_bool                      },
-    { ARG_ENUM, offsetof(starter_end_t, allow_any), LST_bool                       },
-    { ARG_STR,  offsetof(starter_end_t, updown), NULL                              },
-    { ARG_STR,  offsetof(starter_end_t, id), NULL                                  },
-    { ARG_STR,  offsetof(starter_end_t, rsakey), NULL                              },
-    { ARG_STR,  offsetof(starter_end_t, cert), NULL                                },
-    { ARG_ENUM, offsetof(starter_end_t, sendcert), LST_sendcert                    },
-    { ARG_STR,  offsetof(starter_end_t, ca), NULL                                  },
-    { ARG_STR,  offsetof(starter_end_t, groups), NULL                              },
-    { ARG_STR,  offsetof(starter_end_t, iface), NULL                               }
+	/* config setup keywords */
+	{ ARG_LST,  offsetof(starter_config_t, setup.interfaces), NULL                 },
+	{ ARG_STR,  offsetof(starter_config_t, setup.dumpdir), NULL                    },
+	{ ARG_ENUM, offsetof(starter_config_t, setup.charonstart), LST_bool            },
+	{ ARG_ENUM, offsetof(starter_config_t, setup.plutostart), LST_bool             },
+
+	/* pluto/charon keywords */
+	{ ARG_LST,  offsetof(starter_config_t, setup.plutodebug), LST_plutodebug       },
+	{ ARG_STR,  offsetof(starter_config_t, setup.charondebug),  NULL               },
+	{ ARG_STR,  offsetof(starter_config_t, setup.prepluto), NULL                   },
+	{ ARG_STR,  offsetof(starter_config_t, setup.postpluto), NULL                  },
+	{ ARG_STR,  offsetof(starter_config_t, setup.plutostderrlog), NULL             },
+	{ ARG_ENUM, offsetof(starter_config_t, setup.uniqueids), LST_unique            },
+	{ ARG_UINT, offsetof(starter_config_t, setup.overridemtu), NULL                },
+	{ ARG_TIME, offsetof(starter_config_t, setup.crlcheckinterval), NULL           },
+	{ ARG_ENUM, offsetof(starter_config_t, setup.cachecrls), LST_bool              },
+	{ ARG_ENUM, offsetof(starter_config_t, setup.strictcrlpolicy), LST_strict      },
+	{ ARG_ENUM, offsetof(starter_config_t, setup.nocrsend), LST_bool               },
+	{ ARG_ENUM, offsetof(starter_config_t, setup.nat_traversal), LST_bool          },
+	{ ARG_TIME, offsetof(starter_config_t, setup.keep_alive), NULL                 },
+	{ ARG_ENUM, offsetof(starter_config_t, setup.force_keepalive), LST_bool        },
+	{ ARG_STR,  offsetof(starter_config_t, setup.virtual_private), NULL            },
+	{ ARG_STR,  offsetof(starter_config_t, setup.pkcs11module), NULL               },
+	{ ARG_STR,  offsetof(starter_config_t, setup.pkcs11initargs), NULL             },
+	{ ARG_ENUM, offsetof(starter_config_t, setup.pkcs11keepstate), LST_bool        },
+	{ ARG_ENUM, offsetof(starter_config_t, setup.pkcs11proxy), LST_bool            },
+
+	/* KLIPS keywords */
+	{ ARG_LST,  offsetof(starter_config_t, setup.klipsdebug), LST_klipsdebug       },
+	{ ARG_ENUM, offsetof(starter_config_t, setup.fragicmp), LST_bool               },
+	{ ARG_STR,  offsetof(starter_config_t, setup.packetdefault), LST_packetdefault },
+	{ ARG_ENUM, offsetof(starter_config_t, setup.hidetos), LST_bool                },
+
+	/* conn section keywords */
+	{ ARG_STR,  offsetof(starter_conn_t, name), NULL                               },
+	{ ARG_ENUM, offsetof(starter_conn_t, startup), LST_startup                     },
+	{ ARG_ENUM, offsetof(starter_conn_t, keyexchange), LST_keyexchange             },
+	{ ARG_MISC, 0, NULL  /* KW_TYPE */                                             },
+	{ ARG_MISC, 0, NULL  /* KW_PFS */                                              },
+	{ ARG_MISC, 0, NULL  /* KW_COMPRESS */                                         },
+	{ ARG_ENUM, offsetof(starter_conn_t, install_policy), LST_bool                 },
+	{ ARG_MISC, 0, NULL  /* KW_AUTH */                                             },
+	{ ARG_MISC, 0, NULL  /* KW_AUTHBY */                                           },
+	{ ARG_MISC, 0, NULL  /* KW_EAP */                                              },
+	{ ARG_STR,  offsetof(starter_conn_t, eap_identity), NULL                       },
+	{ ARG_MISC, 0, NULL  /* KW_MOBIKE */                                           },
+	{ ARG_MISC, 0, NULL  /* KW_FORCEENCAPS */                                      },
+	{ ARG_TIME, offsetof(starter_conn_t, sa_ike_life_seconds), NULL                },
+	{ ARG_TIME, offsetof(starter_conn_t, sa_ipsec_life_seconds), NULL              },
+	{ ARG_TIME, offsetof(starter_conn_t, sa_rekey_margin), NULL                    },
+	{ ARG_MISC, 0, NULL  /* KW_KEYINGTRIES */                                      },
+	{ ARG_PCNT, offsetof(starter_conn_t, sa_rekey_fuzz), NULL                      },
+	{ ARG_MISC, 0, NULL  /* KW_REKEY */                                            },
+	{ ARG_MISC, 0, NULL  /* KW_REAUTH */                                           },
+	{ ARG_STR,  offsetof(starter_conn_t, ike), NULL                                },
+	{ ARG_STR,  offsetof(starter_conn_t, esp), NULL                                },
+	{ ARG_STR,  offsetof(starter_conn_t, pfsgroup), LST_pfsgroup                   },
+	{ ARG_TIME, offsetof(starter_conn_t, dpd_delay), NULL                          },
+	{ ARG_TIME, offsetof(starter_conn_t, dpd_timeout), NULL                        },
+	{ ARG_ENUM, offsetof(starter_conn_t, dpd_action), LST_dpd_action               },
+	{ ARG_MISC, 0, NULL  /* KW_MODECONFIG */                                       },
+	{ ARG_MISC, 0, NULL  /* KW_XAUTH */                                            },
+	{ ARG_ENUM, offsetof(starter_conn_t, me_mediation), LST_bool                   },
+	{ ARG_STR,  offsetof(starter_conn_t, me_mediated_by), NULL                     },
+	{ ARG_STR,  offsetof(starter_conn_t, me_peerid), NULL                          },
+
+	/* ca section keywords */
+	{ ARG_STR,  offsetof(starter_ca_t, name), NULL                                 },
+	{ ARG_ENUM, offsetof(starter_ca_t, startup), LST_startup                       },
+	{ ARG_STR,  offsetof(starter_ca_t, cacert), NULL                               },
+	{ ARG_STR,  offsetof(starter_ca_t, ldaphost), NULL                             },
+	{ ARG_STR,  offsetof(starter_ca_t, ldapbase), NULL                             },
+	{ ARG_STR,  offsetof(starter_ca_t, crluri), NULL                               },
+	{ ARG_STR,  offsetof(starter_ca_t, crluri2), NULL                              },
+	{ ARG_STR,  offsetof(starter_ca_t, ocspuri), NULL                              },
+	{ ARG_STR,  offsetof(starter_ca_t, ocspuri2), NULL                             },
+	{ ARG_STR,  offsetof(starter_ca_t, certuribase), NULL                          },
+
+	/* end keywords */
+	{ ARG_MISC, 0, NULL  /* KW_HOST */                                             },
+	{ ARG_MISC, 0, NULL  /* KW_NEXTHOP */                                          },
+	{ ARG_STR, offsetof(starter_end_t, subnet), NULL                               },
+	{ ARG_MISC, 0, NULL  /* KW_SUBNETWITHIN */                                     },
+	{ ARG_MISC, 0, NULL  /* KW_PROTOPORT */                                        },
+	{ ARG_STR, offsetof(starter_end_t, srcip), NULL                                },
+	{ ARG_MISC, 0, NULL  /* KW_NATIP */                                            },
+	{ ARG_ENUM, offsetof(starter_end_t, firewall), LST_bool                        },
+	{ ARG_ENUM, offsetof(starter_end_t, hostaccess), LST_bool                      },
+	{ ARG_ENUM, offsetof(starter_end_t, allow_any), LST_bool                       },
+	{ ARG_STR,  offsetof(starter_end_t, updown), NULL                              },
+	{ ARG_STR,  offsetof(starter_end_t, auth), NULL                                },
+	{ ARG_STR,  offsetof(starter_end_t, auth2), NULL                               },
+	{ ARG_STR,  offsetof(starter_end_t, id), NULL                                  },
+	{ ARG_STR,  offsetof(starter_end_t, id2), NULL                                 },
+	{ ARG_STR,  offsetof(starter_end_t, rsakey), NULL                              },
+	{ ARG_STR,  offsetof(starter_end_t, cert), NULL                                },
+	{ ARG_STR,  offsetof(starter_end_t, cert2), NULL                               },
+	{ ARG_ENUM, offsetof(starter_end_t, sendcert), LST_sendcert                    },
+	{ ARG_STR,  offsetof(starter_end_t, ca), NULL                                  },
+	{ ARG_STR,  offsetof(starter_end_t, ca2), NULL                                 },
+	{ ARG_STR,  offsetof(starter_end_t, groups), NULL                              },
+	{ ARG_STR,  offsetof(starter_end_t, iface), NULL                               }
 };
 
 static void
 free_list(char **list)
 {
-    char **s;
+	char **s;
 
-    for (s = list; *s; s++)
-	pfree(*s);
-    pfree(list);
+	for (s = list; *s; s++)
+	{
+		free(*s);
+	}
+	free(list);
 }
 
 char **
 new_list(char *value)
 {
-    char *val, *b, *e, *end, **ret;
-    int count;
-
-    val = value ? clone_str(value, "list value") : NULL;
-    if (!val)
-	return NULL;
-    end = val + strlen(val);
-    for (b = val, count = 0; b < end;)
-    {
-	for (e = b; ((*e != ' ') && (*e != '\0')); e++);
-	*e = '\0';
-	if (e != b)
-	    count++;
-	b = e + 1;
-    }
-    if (count == 0)
-    {
-	pfree(val);
-	return NULL;
-    }
-    ret = (char **)alloc_bytes((count+1) * sizeof(char *), "list");
-
-    for (b = val, count = 0; b < end; )
-    {
-	for (e = b; (*e != '\0'); e++);
-	if (e != b)
-	    ret[count++] = clone_str(b, "list value");
-	b = e + 1;
-    }
-    ret[count] = NULL;
-    pfree(val);
-    return ret;
+	char *val, *b, *e, *end, **ret;
+	int count;
+
+	val = value ? clone_str(value) : NULL;
+	if (!val)
+		return NULL;
+	end = val + strlen(val);
+	for (b = val, count = 0; b < end;)
+	{
+		for (e = b; ((*e != ' ') && (*e != '\0')); e++);
+		*e = '\0';
+		if (e != b)
+			count++;
+		b = e + 1;
+	}
+	if (count == 0)
+	{
+		free(val);
+		return NULL;
+	}
+	ret = (char **)malloc((count+1) * sizeof(char *));
+
+	for (b = val, count = 0; b < end; )
+	{
+		for (e = b; (*e != '\0'); e++);
+		if (e != b)
+			ret[count++] = clone_str(b);
+		b = e + 1;
+	}
+	ret[count] = NULL;
+	free(val);
+	return ret;
 }
 
 
@@ -311,191 +316,199 @@ new_list(char *value)
  */
 bool
 assign_arg(kw_token_t token, kw_token_t first, kw_list_t *kw, char *base
-    , bool *assigned)
+	, bool *assigned)
 {
-    char *p = base + token_info[token].offset;
-    const char **list = token_info[token].list;
-
-    int index = -1;  /* used for enumeration arguments */
-
-    lset_t *seen = (lset_t *)base;    /* seen flags are at the top of the struct */
-    lset_t f = LELEM(token - first);  /* compute flag position of argument */
-
-    *assigned = FALSE;
+	char *p = base + token_info[token].offset;
+	const char **list = token_info[token].list;
 
-    DBG(DBG_CONTROLMORE,
-	DBG_log("  %s=%s", kw->entry->name, kw->value)
-    )
+	int index = -1;  /* used for enumeration arguments */
 
-    if (*seen & f)
-    {
-	plog("# duplicate '%s' option", kw->entry->name);
-	return FALSE;
-    }
+	lset_t *seen = (lset_t *)base;    /* seen flags are at the top of the struct */
+	lset_t f = LELEM(token - first);  /* compute flag position of argument */
 
-    /* set flag that this argument has been seen */
-    *seen |= f;
+	*assigned = FALSE;
 
-    /* is there a keyword list? */
-    if (list != NULL && token_info[token].type != ARG_LST)
-    {
-	bool match = FALSE;
+	DBG(DBG_CONTROLMORE,
+		DBG_log("  %s=%s", kw->entry->name, kw->value)
+	)
 
-	while (*list != NULL && !match)
-	{
-	    index++;
-	    match = streq(kw->value, *list++);
-	}
-	if (!match)
-	{
-	    plog("# bad value: %s=%s", kw->entry->name, kw->value);
-	    return FALSE;
-	}
-    }
-
-    switch (token_info[token].type)
-    {
-    case ARG_NONE:
-	plog("# option '%s' not supported yet", kw->entry->name);
-	return FALSE;
-    case ARG_ENUM:
+	if (*seen & f)
 	{
-	    int *i = (int *)p;
-
-	    if (index < 0)
-	    {
-		plog("# bad enumeration value: %s=%s (%d)"
-		    , kw->entry->name, kw->value, index);
+		plog("# duplicate '%s' option", kw->entry->name);
 		return FALSE;
-	    }
-	    *i = index;
 	}
-	break;
-
-    case ARG_UINT:
-	{
-	    char *endptr;
-	    u_int *u = (u_int *)p; 
 
-	    *u = strtoul(kw->value, &endptr, 10);
+	/* set flag that this argument has been seen */
+	*seen |= f;
 
-	    if (*endptr != '\0')
-	    {
-		plog("# bad integer value: %s=%s", kw->entry->name, kw->value);
-		return FALSE;
-	    }
-	}
-	break;
-    case ARG_ULNG:
-    case ARG_PCNT:
+	/* is there a keyword list? */
+	if (list != NULL && token_info[token].type != ARG_LST)
 	{
-	    char *endptr;
-	    unsigned long *l = (unsigned long *)p;
+		bool match = FALSE;
 
-	    *l = strtoul(kw->value, &endptr, 10);
-
-	    if (token_info[token].type == ARG_ULNG)
-	    {
-		if (*endptr != '\0')
+		while (*list != NULL && !match)
 		{
-		    plog("# bad integer value: %s=%s", kw->entry->name, kw->value);
-		    return FALSE;
+			index++;
+			match = streq(kw->value, *list++);
 		}
-	    }
-            else
-	    {
-		if ((*endptr != '%') || (endptr[1] != '\0') || endptr == kw->value)
+		if (!match)
 		{
-		    plog("# bad percent value: %s=%s", kw->entry->name, kw->value);
-		    return FALSE;
+			plog("# bad value: %s=%s", kw->entry->name, kw->value);
+			return FALSE;
 		}
-	    }
- 
 	}
-	break;
-    case ARG_TIME:
-	{
-	    char *endptr;
-	    time_t *t = (time_t *)p;
 
-	    *t = strtoul(kw->value, &endptr, 10);
-
-	    /* time in seconds? */
-	    if (*endptr == '\0' || (*endptr == 's' && endptr[1] == '\0'))
+	switch (token_info[token].type)
+	{
+	case ARG_NONE:
+		plog("# option '%s' not supported yet", kw->entry->name);
+		return FALSE;
+	case ARG_ENUM:
+		{
+			if (index < 0)
+			{
+				plog("# bad enumeration value: %s=%s (%d)"
+					, kw->entry->name, kw->value, index);
+				return FALSE;
+			}
+
+			if (token_info[token].list == LST_bool)
+			{
+				bool *b = (bool *)p;
+				*b = (index > 0);
+			}
+			else
+			{
+				int *i = (int *)p;
+				*i = index;
+			}
+		}
 		break;
 
-	    if (endptr[1] == '\0')
-	    {
-		if (*endptr == 'm')  /* time in minutes? */
+	case ARG_UINT:
 		{
-		    *t *= 60;
-		    break;
+			char *endptr;
+			u_int *u = (u_int *)p; 
+
+			*u = strtoul(kw->value, &endptr, 10);
+
+			if (*endptr != '\0')
+			{
+				plog("# bad integer value: %s=%s", kw->entry->name, kw->value);
+				return FALSE;
+			}
 		}
-		if (*endptr == 'h')  /* time in hours? */
+		break;
+	case ARG_ULNG:
+	case ARG_PCNT:
 		{
-		    *t *= 3600;
-		    break;
+			char *endptr;
+			unsigned long *l = (unsigned long *)p;
+
+			*l = strtoul(kw->value, &endptr, 10);
+
+			if (token_info[token].type == ARG_ULNG)
+			{
+				if (*endptr != '\0')
+				{
+					plog("# bad integer value: %s=%s", kw->entry->name, kw->value);
+					return FALSE;
+				}
+			}
+			else
+			{
+				if ((*endptr != '%') || (endptr[1] != '\0') || endptr == kw->value)
+				{
+					plog("# bad percent value: %s=%s", kw->entry->name, kw->value);
+					return FALSE;
+				}
+			}
+
 		}
-		if (*endptr == 'd')  /* time in days? */
+		break;
+	case ARG_TIME:
 		{
-		    *t *= 3600*24;
-		    break;
+			char *endptr;
+			time_t *t = (time_t *)p;
+
+			*t = strtoul(kw->value, &endptr, 10);
+
+			/* time in seconds? */
+			if (*endptr == '\0' || (*endptr == 's' && endptr[1] == '\0'))
+				break;
+
+			if (endptr[1] == '\0')
+			{
+				if (*endptr == 'm')  /* time in minutes? */
+				{
+					*t *= 60;
+					break;
+				}
+				if (*endptr == 'h')  /* time in hours? */
+				{
+					*t *= 3600;
+					break;
+				}
+				if (*endptr == 'd')  /* time in days? */
+				{
+					*t *= 3600*24;
+					break;
+				}
+			}
+			plog("# bad duration value: %s=%s", kw->entry->name, kw->value);
+			return FALSE;
 		}
-	    }
-	    plog("# bad duration value: %s=%s", kw->entry->name, kw->value);
-	    return FALSE;
-	}
-    case ARG_STR:
-	{
-	    char **cp = (char **)p;
-
-	    /* free any existing string */
-	    pfreeany(*cp);
-
-	    /* assign the new string */
-	    *cp = clone_str(kw->value, "str_value");
-	}
-	break;
-    case ARG_LST:
-	{
-	    char ***listp = (char ***)p;
-
-	    /* free any existing list */
-	    if (*listp != NULL)
-		free_list(*listp);
-
-	    /* create a new list and assign values */
-	    *listp = new_list(kw->value);
+	case ARG_STR:
+		{
+			char **cp = (char **)p;
 
-	    /* is there a keyword list? */
-	    if (list != NULL)
-	    {
-		char ** lst;
+			/* free any existing string */
+			free(*cp);
 
-		for (lst = *listp; lst && *lst; lst++) 
+			/* assign the new string */
+			*cp = clone_str(kw->value);
+		}
+		break;
+	case ARG_LST:
 		{
-		    bool match = FALSE;
-
-		    list = token_info[token].list;
-		
-		    while (*list != NULL && !match)
-		    {
-			match = streq(*lst, *list++);
-		    }
-		    if (!match)
-		    {
-			plog("# bad value: %s=%s", kw->entry->name, *lst);
-			return FALSE;
-		    }
+			char ***listp = (char ***)p;
+
+			/* free any existing list */
+			if (*listp != NULL)
+				free_list(*listp);
+
+			/* create a new list and assign values */
+			*listp = new_list(kw->value);
+
+			/* is there a keyword list? */
+			if (list != NULL)
+			{
+				char ** lst;
+
+				for (lst = *listp; lst && *lst; lst++) 
+				{
+					bool match = FALSE;
+
+					list = token_info[token].list;
+				
+					while (*list != NULL && !match)
+					{
+						match = streq(*lst, *list++);
+					}
+					if (!match)
+					{
+						plog("# bad value: %s=%s", kw->entry->name, *lst);
+						return FALSE;
+					}
+				}
+			}
 		}
-	    }
+	default:
+		return TRUE;
 	}
-    default:
-	return TRUE;
-    }
 
-    *assigned = TRUE;
-    return TRUE;
+	*assigned = TRUE;
+	return TRUE;
 }
 
 /*
@@ -504,37 +517,37 @@ assign_arg(kw_token_t token, kw_token_t first, kw_list_t *kw, char *base
 void
 free_args(kw_token_t first, kw_token_t last, char *base)
 {
-    kw_token_t token;
-
-    for (token = first; token <= last; token++)
-    {
-	char *p = base + token_info[token].offset;
+	kw_token_t token;
 
-	switch (token_info[token].type)
+	for (token = first; token <= last; token++)
 	{
-	case ARG_STR:
-	    {
-		char **cp = (char **)p;
+		char *p = base + token_info[token].offset;
 
-		pfreeany(*cp);
-		*cp = NULL;
-	    }
-	    break;
-	case ARG_LST:
-	    {
-		char ***listp = (char ***)p;
-
-		if (*listp != NULL)
+		switch (token_info[token].type)
 		{
-		    free_list(*listp);
-		    *listp = NULL;
-		 }
-	    }
-	    break;
-	default:
-	    break;
+		case ARG_STR:
+			{
+				char **cp = (char **)p;
+
+				free(*cp);
+				*cp = NULL;
+			}
+			break;
+		case ARG_LST:
+			{
+				char ***listp = (char ***)p;
+
+				if (*listp != NULL)
+				{
+					free_list(*listp);
+					*listp = NULL;
+				 }
+			}
+			break;
+		default:
+			break;
+		}
 	}
-    }
 }
 
 /*
@@ -543,38 +556,38 @@ free_args(kw_token_t first, kw_token_t last, char *base)
 void
 clone_args(kw_token_t first, kw_token_t last, char *base1, char *base2)
 {
-    kw_token_t token;
+	kw_token_t token;
 
-    for (token = first; token <= last; token++)
-    {
-	if (token_info[token].type == ARG_STR)
+	for (token = first; token <= last; token++)
 	{
-	    char **cp1 = (char **)(base1 + token_info[token].offset);
-	    char **cp2 = (char **)(base2 + token_info[token].offset);
+		if (token_info[token].type == ARG_STR)
+		{
+			char **cp1 = (char **)(base1 + token_info[token].offset);
+			char **cp2 = (char **)(base2 + token_info[token].offset);
 
-	    *cp1 = clone_str(*cp2, "cloned str");
+			*cp1 = clone_str(*cp2);
+		}
 	}
-    }
 }
 
 static bool
 cmp_list(char **list1, char **list2)
 {
-    if ((list1 == NULL) && (list2 == NULL))
-	return TRUE;
-    if ((list1 == NULL) || (list2 == NULL))
-	return FALSE;
+	if ((list1 == NULL) && (list2 == NULL))
+		return TRUE;
+	if ((list1 == NULL) || (list2 == NULL))
+		return FALSE;
 
-    for ( ; *list1 && *list2; list1++, list2++)
-    {
-	if (strcmp(*list1,*list2) != 0)
-	    return FALSE;
-    }
+	for ( ; *list1 && *list2; list1++, list2++)
+	{
+		if (strcmp(*list1,*list2) != 0)
+			return FALSE;
+	}
 
-    if ((*list1 != NULL) || (*list2 != NULL))
-	return FALSE;
+	if ((*list1 != NULL) || (*list2 != NULL))
+		return FALSE;
 
-    return TRUE;
+	return TRUE;
 }
 
 /*
@@ -583,75 +596,75 @@ cmp_list(char **list1, char **list2)
 bool
 cmp_args(kw_token_t first, kw_token_t last, char *base1, char *base2)
 {
-    kw_token_t token;
-
-    for (token = first; token <= last; token++)
-    {
-	char *p1 = base1 + token_info[token].offset;
-	char *p2 = base2 + token_info[token].offset;
+	kw_token_t token;
 
-	switch (token_info[token].type)
+	for (token = first; token <= last; token++)
 	{
-	case ARG_ENUM:
-	    {
-		int *i1 = (int *)p1;
-		int *i2 = (int *)p2;
-
-		if (*i1 != *i2)
-		    return FALSE;
-	    }
-	    break;
-	case ARG_UINT:
-	    {
-		u_int *u1 = (u_int *)p1;
-		u_int *u2 = (u_int *)p2;
-
-		if (*u1 != *u2)
-		    return FALSE;
-	    }
-	    break;
-	case ARG_ULNG:
-	case ARG_PCNT:
-	    {
-		unsigned long *l1 = (unsigned long *)p1;
-		unsigned long *l2 = (unsigned long *)p2;
-
-		if (*l1 != *l2)
-		    return FALSE;
-	    }
-	    break;
-	case ARG_TIME:
-	    {
-		time_t *t1 = (time_t *)p1;
-		time_t *t2 = (time_t *)p2;
-
-		if (*t1 != *t2)
-		    return FALSE;
-	    }
-	    break;
-	case ARG_STR:
-	    {
-		char **cp1 = (char **)p1;
-		char **cp2 = (char **)p2;
-
-		if (*cp1 == NULL && *cp2 == NULL)
-		    break;
-		if (*cp1 == NULL || *cp2 == NULL || strcmp(*cp1, *cp2) != 0)
-		    return FALSE;
-	    }
-	    break;
-	case ARG_LST:
-	    {
-		char ***listp1 = (char ***)p1;
-		char ***listp2 = (char ***)p2;
-
-		if (!cmp_list(*listp1, *listp2))
-		    return FALSE;
-	    }
-	    break;
-	default:
-	    break;
+		char *p1 = base1 + token_info[token].offset;
+		char *p2 = base2 + token_info[token].offset;
+
+		switch (token_info[token].type)
+		{
+		case ARG_ENUM:
+			{
+				int *i1 = (int *)p1;
+				int *i2 = (int *)p2;
+
+				if (*i1 != *i2)
+					return FALSE;
+			}
+			break;
+		case ARG_UINT:
+			{
+				u_int *u1 = (u_int *)p1;
+				u_int *u2 = (u_int *)p2;
+
+				if (*u1 != *u2)
+					return FALSE;
+			}
+			break;
+		case ARG_ULNG:
+		case ARG_PCNT:
+			{
+				unsigned long *l1 = (unsigned long *)p1;
+				unsigned long *l2 = (unsigned long *)p2;
+
+				if (*l1 != *l2)
+					return FALSE;
+			}
+			break;
+		case ARG_TIME:
+			{
+				time_t *t1 = (time_t *)p1;
+				time_t *t2 = (time_t *)p2;
+
+				if (*t1 != *t2)
+					return FALSE;
+			}
+			break;
+		case ARG_STR:
+			{
+				char **cp1 = (char **)p1;
+				char **cp2 = (char **)p2;
+
+				if (*cp1 == NULL && *cp2 == NULL)
+					break;
+				if (*cp1 == NULL || *cp2 == NULL || strcmp(*cp1, *cp2) != 0)
+					return FALSE;
+			}
+			break;
+		case ARG_LST:
+			{
+				char ***listp1 = (char ***)p1;
+				char ***listp2 = (char ***)p2;
+
+				if (!cmp_list(*listp1, *listp2))
+					return FALSE;
+			}
+			break;
+		default:
+			break;
+		}
 	}
-    }
-    return TRUE;
+	return TRUE;
 }
diff --git a/src/starter/args.h b/src/starter/args.h
index 7bd55bb05..b003784c8 100644
--- a/src/starter/args.h
+++ b/src/starter/args.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: args.h 3267 2007-10-08 19:57:54Z andreas $
  */
 
 #ifndef _ARGS_H_
@@ -23,12 +21,12 @@
 
 extern char **new_list(char *value);
 extern bool assign_arg(kw_token_t token, kw_token_t first, kw_list_t *kw
-    , char *base, bool *assigned);
+	, char *base, bool *assigned);
 extern void free_args(kw_token_t first, kw_token_t last, char *base);
 extern void clone_args(kw_token_t first, kw_token_t last, char *base1
-    , char *base2);
+	, char *base2);
 extern bool cmp_args(kw_token_t first, kw_token_t last, char *base1
-    , char *base2);
+	, char *base2);
 
 #endif /* _ARGS_H_ */
 
diff --git a/src/starter/cmp.c b/src/starter/cmp.c
index 5abb8399b..8462a4819 100644
--- a/src/starter/cmp.c
+++ b/src/starter/cmp.c
@@ -10,8 +10,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: cmp.c 3881 2008-04-27 11:04:13Z andreas $
  */
 
 #include <string.h>
@@ -34,79 +32,79 @@
 static bool
 starter_cmp_end(starter_end_t *c1, starter_end_t *c2)
 {
-    if ((c1 == NULL) || (c2 == NULL))
-	return FALSE;
-
-    if (c2->dns_failed)
-    {
-	c2->addr = c1->addr;
-    }
-    else
-    {
-	ADDCMP(addr);
-    }
-    ADDCMP(nexthop);
-    VARCMP(has_client);
-    VARCMP(has_client_wildcard);
-    VARCMP(has_port_wildcard);
-    VARCMP(has_natip);
-    VARCMP(has_virt);
-    VARCMP(modecfg);
-    VARCMP(port);
-    VARCMP(protocol);
-
-    return cmp_args(KW_END_FIRST, KW_END_LAST, (char *)c1, (char *)c2);
+	if ((c1 == NULL) || (c2 == NULL))
+		return FALSE;
+
+	if (c2->dns_failed)
+	{
+		c2->addr = c1->addr;
+	}
+	else
+	{
+		ADDCMP(addr);
+	}
+	ADDCMP(nexthop);
+	VARCMP(has_client);
+	VARCMP(has_client_wildcard);
+	VARCMP(has_port_wildcard);
+	VARCMP(has_natip);
+	VARCMP(has_virt);
+	VARCMP(modecfg);
+	VARCMP(port);
+	VARCMP(protocol);
+
+	return cmp_args(KW_END_FIRST, KW_END_LAST, (char *)c1, (char *)c2);
  }
 
 bool
 starter_cmp_conn(starter_conn_t *c1, starter_conn_t *c2)
 {
-    if ((c1 == NULL) || (c2 == NULL))
-	return FALSE;
+	if ((c1 == NULL) || (c2 == NULL))
+		return FALSE;
 
-    VARCMP(policy);
-    VARCMP(addr_family);
-    VARCMP(tunnel_addr_family);
+	VARCMP(policy);
+	VARCMP(addr_family);
+	VARCMP(tunnel_addr_family);
 
-    if (!starter_cmp_end(&c1->left, &c2->left))
-	return FALSE;
-    if (!starter_cmp_end(&c1->right, &c2->right))
-	return FALSE;
+	if (!starter_cmp_end(&c1->left, &c2->left))
+		return FALSE;
+	if (!starter_cmp_end(&c1->right, &c2->right))
+		return FALSE;
 
-    return cmp_args(KW_CONN_NAME, KW_CONN_LAST, (char *)c1, (char *)c2);
+	return cmp_args(KW_CONN_NAME, KW_CONN_LAST, (char *)c1, (char *)c2);
 }
 
 bool
 starter_cmp_ca(starter_ca_t *c1, starter_ca_t *c2)
 {
-    if (c1 ==  NULL || c2 == NULL)
-	return FALSE;
+	if (c1 ==  NULL || c2 == NULL)
+		return FALSE;
 
-    return cmp_args(KW_CA_NAME, KW_CA_LAST, (char *)c1, (char *)c2);
+	return cmp_args(KW_CA_NAME, KW_CA_LAST, (char *)c1, (char *)c2);
 }
 
 bool
 starter_cmp_klips(starter_config_t *c1, starter_config_t *c2)
 {
-    if ((c1 == NULL) || (c2 == NULL))
-	return FALSE;
+	if ((c1 == NULL) || (c2 == NULL))
+		return FALSE;
 
-    return cmp_args(KW_KLIPS_FIRST, KW_KLIPS_LAST, (char *)c1, (char *)c2);
+	return cmp_args(KW_KLIPS_FIRST, KW_KLIPS_LAST, (char *)c1, (char *)c2);
 }
 
 bool
 starter_cmp_pluto(starter_config_t *c1, starter_config_t *c2)
 {
-    if ((c1 == NULL) || (c2 == NULL))
-	return FALSE;
+	if ((c1 == NULL) || (c2 == NULL))
+		return FALSE;
 
-    return cmp_args(KW_PLUTO_FIRST, KW_PLUTO_LAST, (char *)c1, (char *)c2);
+	return cmp_args(KW_PLUTO_FIRST, KW_PLUTO_LAST, (char *)c1, (char *)c2);
 }
 
 bool
 starter_cmp_defaultroute(defaultroute_t *d1, defaultroute_t *d2)
 {
-    if ((d1 == NULL) || (d2 == NULL))
-	return FALSE;
-    return memcmp(d1, d2, sizeof(defaultroute_t)) == 0;
+	if ((d1 == NULL) || (d2 == NULL))
+		return FALSE;
+	return memcmp(d1, d2, sizeof(defaultroute_t)) == 0;
 }
diff --git a/src/starter/cmp.h b/src/starter/cmp.h
index 24bd32ff6..cda6e44b9 100644
--- a/src/starter/cmp.h
+++ b/src/starter/cmp.h
@@ -10,8 +10,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: cmp.h 3267 2007-10-08 19:57:54Z andreas $
  */
 
 #ifndef _STARTER_CMP_H_
diff --git a/src/starter/confread.c b/src/starter/confread.c
index 855d07b51..5fd2b9fbf 100644
--- a/src/starter/confread.c
+++ b/src/starter/confread.c
@@ -10,8 +10,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: confread.c 5002 2009-03-24 15:02:12Z martin $
  */
 
 #include <stddef.h>
@@ -34,8 +32,8 @@
 /* strings containing a colon are interpreted as an IPv6 address */
 #define ip_version(string)	(strchr(string, '.') ? AF_INET : AF_INET6)
 
-static const char ike_defaults[] = "aes128-sha-modp2048";
-static const char esp_defaults[] = "aes128-sha1, 3des-md5";
+static const char ike_defaults[] = "aes128-sha1-modp2048,3des-sha1-modp1536";
+static const char esp_defaults[] = "aes128-sha1,3des-sha1";
 
 static const char firewall_defaults[] = "ipsec _updown iptables";
 
@@ -72,11 +70,11 @@ static void default_values(starter_config_t *cfg)
 	cfg->conn_default.seen    = LEMPTY;
 	cfg->conn_default.startup = STARTUP_NO;
 	cfg->conn_default.state   = STATE_IGNORE;
-	cfg->conn_default.policy  = POLICY_ENCRYPT | POLICY_TUNNEL | POLICY_RSASIG |
+	cfg->conn_default.policy  = POLICY_ENCRYPT | POLICY_TUNNEL | POLICY_PUBKEY |
 								POLICY_PFS | POLICY_MOBIKE;
 
-	cfg->conn_default.ike                   = clone_str(ike_defaults, "ike_defaults");
-	cfg->conn_default.esp                   = clone_str(esp_defaults, "esp_defaults");
+	cfg->conn_default.ike                   = clone_str(ike_defaults);
+	cfg->conn_default.esp                   = clone_str(esp_defaults);
 	cfg->conn_default.sa_ike_life_seconds   = OAKLEY_ISAKMP_SA_LIFETIME_DEFAULT;
 	cfg->conn_default.sa_ipsec_life_seconds = PLUTO_SA_LIFE_DURATION_DEFAULT;
 	cfg->conn_default.sa_rekey_margin       = SA_REPLACEMENT_MARGIN_DEFAULT;
@@ -144,7 +142,7 @@ kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token
 {
 	err_t ugh = NULL;
 	bool assigned = FALSE;
-	int has_port_wildcard;        /* set if port is %any */
+	bool has_port_wildcard;        /* set if port is %any */
 
 	char *name  = kw->entry->name;
 	char *value = kw->value;
@@ -193,7 +191,7 @@ kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token
 		if (streq(value, "%modeconfig") || streq(value, "%modecfg") ||
 			streq(value, "%config") || streq(value, "%cfg"))
 		{
-			pfree(end->srcip);
+			free(end->srcip);
 			end->srcip = NULL;
 			end->modecfg = TRUE;
 		}
@@ -336,7 +334,7 @@ kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token
 			plog("# bad subnet: %s=%s [%s]", name, value, ugh);
 			goto err;
 		}
-		end->subnet = clone_str(value, "subnetwithin");
+		end->subnet = clone_str(value);
 		break;
 	}
 	case KW_PROTOPORT:
@@ -356,7 +354,7 @@ kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token
 			if (cfg->defaultroute.defined)
 			{
 				addrtot(&cfg->defaultroute.addr, 0, buf, sizeof(buf));
-				end->srcip = clone_str(buf, "natip");
+				end->srcip = clone_str(buf);
 			}
 			else
 			{
@@ -375,7 +373,7 @@ kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token
 				plog("# bad addr: %s=%s [%s]", name, value, ugh);
 				goto err;
 			}
-			end->srcip = clone_str(value, "srcip");
+			end->srcip = clone_str(value);
 		}
 		end->has_natip = TRUE;
 		conn->policy |= POLICY_TUNNEL;
@@ -426,7 +424,7 @@ handle_firewall( const char *label, starter_end_t *end, starter_config_t *cfg)
 		}
 		else
 		{
-			end->updown = clone_str(firewall_defaults, "firewall_defaults");
+			end->updown = clone_str(firewall_defaults);
 			end->firewall = FALSE;
 		}
 	}
@@ -467,9 +465,9 @@ load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg)
 		{
 			if (cfg->parse_also)
 			{
-				also_t *also = alloc_thing(also_t, "also_t");
+				also_t *also = malloc_thing(also_t);
 
-				also->name = clone_str(kw->value, "also");
+				also->name = clone_str(kw->value);
 				also->next = conn->also;
 				conn->also = also;
 
@@ -557,18 +555,16 @@ load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg)
 				/* also handles the cases secret|rsasig and rsasig|secret */
 				for (;;)
 				{
-					if (streq(value, "rsa") || streq(value, "rsasig"))
+					if (streq(value, "rsa")   || streq(value, "rsasig")   ||
+						streq(value, "ecdsa") || streq(value, "ecdsasig") ||
+						streq(value, "pubkey"))
 					{
-						conn->policy |= POLICY_RSASIG | POLICY_ENCRYPT;
+						conn->policy |= POLICY_PUBKEY | POLICY_ENCRYPT;
 					}
 					else if (streq(value, "secret") || streq(value, "psk"))
 					{
 						conn->policy |= POLICY_PSK | POLICY_ENCRYPT;
 					}
-					else if (streq(value, "ecdsa") || streq(value, "ecdsasig"))
-					{
-						conn->policy |= POLICY_ECDSASIG | POLICY_ENCRYPT;
-					}
 					else if (streq(value, "xauthrsasig"))
 					{
 						conn->policy |= POLICY_XAUTH_RSASIG | POLICY_ENCRYPT;
@@ -698,7 +694,7 @@ static void
 conn_default(char *name, starter_conn_t *conn, starter_conn_t *def)
 {
 	memcpy(conn, def, sizeof(starter_conn_t));
-	conn->name = clone_str(name, "conn name");
+	conn->name = clone_str(name);
 
 	clone_args(KW_CONN_FIRST, KW_CONN_LAST, (char *)conn, (char *)def);
 	clone_args(KW_END_FIRST, KW_END_LAST, (char *)&conn->left, (char *)&def->left);
@@ -727,9 +723,9 @@ load_ca(starter_ca_t *ca, kw_list_t *kw, starter_config_t *cfg)
 		{
 			if (cfg->parse_also)
 			{
-				also_t *also = alloc_thing(also_t, "also_t");
+				also_t *also = malloc_thing(also_t);
 
-				also->name = clone_str(kw->value, "also");
+				also->name = clone_str(kw->value);
 				also->next = ca->also;
 				ca->also = also;
 
@@ -766,7 +762,7 @@ static void
 ca_default(char *name, starter_ca_t *ca, starter_ca_t *def)
 {
 	memcpy(ca, def, sizeof(starter_ca_t));
-	ca->name = clone_str(name, "ca name");
+	ca->name = clone_str(name);
 
 	clone_args(KW_CA_FIRST, KW_CA_LAST, (char *)ca, (char *)def);
 }
@@ -896,8 +892,8 @@ free_also(also_t *head)
 		also_t *also = head;
 
 		head = also->next;
-		pfree(also->name);
-		pfree(also);
+		free(also->name);
+		free(also);
 	}
 }
 
@@ -942,7 +938,7 @@ confread_free(starter_config_t *cfg)
 
 		conn = conn->next;
 		confread_free_conn(conn_aux);
-		pfree(conn_aux);
+		free(conn_aux);
 	}
 
 	confread_free_ca(&cfg->ca_default);
@@ -953,10 +949,10 @@ confread_free(starter_config_t *cfg)
 
 		ca = ca->next;
 		confread_free_ca(ca_aux);
-		pfree(ca_aux);
+		free(ca_aux);
 	}
 
-	pfree(cfg);
+	free(cfg);
 }
 
 /*
@@ -980,7 +976,7 @@ confread_load(const char *file)
 	{
 		return NULL;
 	}
-	cfg = (starter_config_t *)alloc_thing(starter_config_t, "starter_config_t");
+	cfg = malloc_thing(starter_config_t);
 
 	/* set default values */
 	default_values(cfg);
@@ -1021,7 +1017,7 @@ confread_load(const char *file)
 		DBG(DBG_CONTROL,
 			DBG_log("Loading ca '%s'", sca->name)
 		)
-		ca = (starter_ca_t *)alloc_thing(starter_ca_t, "starter_ca_t");
+		ca = malloc_thing(starter_ca_t);
 
 		ca_default(sca->name, ca, &cfg->ca_default);
 		ca->kw =  sca->kw;
@@ -1092,7 +1088,7 @@ confread_load(const char *file)
 		DBG(DBG_CONTROL,
 			DBG_log("Loading conn '%s'", sconn->name)
 		)
-		conn = (starter_conn_t *)alloc_thing(starter_conn_t, "starter_conn_t");
+		conn = malloc_thing(starter_conn_t);
 
 		conn_default(sconn->name, conn, &cfg->conn_default);
 		conn->kw =  sconn->kw;
diff --git a/src/starter/confread.h b/src/starter/confread.h
index 24a8d073e..b20c2e0d3 100644
--- a/src/starter/confread.h
+++ b/src/starter/confread.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: confread.h 4612 2008-11-11 06:37:37Z andreas $
  */
 
 #ifndef _IPSEC_CONFREAD_H_
@@ -20,205 +18,209 @@
 
 #ifndef _FREESWAN_H
 #include <freeswan.h>
-#include "../pluto/constants.h"
 #endif
 
 #include "parser.h"
 #include "interfaces.h"
 
 typedef enum {
-	STARTUP_NO,
-	STARTUP_ADD,
-	STARTUP_ROUTE,
-	STARTUP_START
+		STARTUP_NO,
+		STARTUP_ADD,
+		STARTUP_ROUTE,
+		STARTUP_START
 } startup_t;
 
 typedef enum {
-	STATE_IGNORE,
-	STATE_TO_ADD,
-	STATE_ADDED,
-	STATE_REPLACED,
-	STATE_INVALID
+		STATE_IGNORE,
+		STATE_TO_ADD,
+		STATE_ADDED,
+		STATE_REPLACED,
+		STATE_INVALID
 } starter_state_t;
 
 typedef enum {
-	KEY_EXCHANGE_IKE,
-	KEY_EXCHANGE_IKEV1,
-	KEY_EXCHANGE_IKEV2
+		KEY_EXCHANGE_IKE,
+		KEY_EXCHANGE_IKEV1,
+		KEY_EXCHANGE_IKEV2
 } keyexchange_t;
 
 typedef enum {
-	STRICT_NO,
-	STRICT_YES,
-	STRICT_IFURI
+		STRICT_NO,
+		STRICT_YES,
+		STRICT_IFURI
 } strict_t;
 
 typedef struct starter_end starter_end_t;
 
 struct starter_end {
-	lset_t		seen;
-	char		*id;
-	char		*rsakey;
-	char		*cert;
-	char		*ca;
-	char		*groups;
-	char		*iface;
-	ip_address	addr;
-	ip_address	nexthop;
-	char 		*subnet;
-	bool		has_client;
-	bool		has_client_wildcard;
-	bool		has_port_wildcard;
-	bool		has_natip;
-	bool		has_virt;
-	bool		modecfg;
-	certpolicy_t	sendcert;
-	bool		firewall;
-	bool		hostaccess;
-	bool		allow_any;
-	bool		dns_failed;
-	char 		*updown;
-	u_int16_t	port;
-	u_int8_t	protocol;
-	char		*srcip;
+		lset_t          seen;
+		char            *auth;
+		char            *auth2;
+		char            *id;
+		char            *id2;
+		char            *rsakey;
+		char            *cert;
+		char            *cert2;
+		char            *ca;
+		char            *ca2;
+		char            *groups;
+		char            *iface;
+		ip_address      addr;
+		ip_address      nexthop;
+		char            *subnet;
+		bool            has_client;
+		bool            has_client_wildcard;
+		bool            has_port_wildcard;
+		bool            has_natip;
+		bool            has_virt;
+		bool            modecfg;
+		certpolicy_t    sendcert;
+		bool            firewall;
+		bool            hostaccess;
+		bool            allow_any;
+		bool            dns_failed;
+		char            *updown;
+		u_int16_t       port;
+		u_int8_t        protocol;
+		char            *srcip;
 };
 
 typedef struct also also_t;
 
 struct also {
-	char		*name;
-	bool		included;
-	also_t		*next;
+		char            *name;
+		bool            included;
+		also_t          *next;
 };
 
 typedef struct starter_conn starter_conn_t;
 
 struct starter_conn {
-	lset_t		seen;
-	char		*name;
-	also_t		*also;
-	kw_list_t	*kw;
-	u_int		visit;
-	startup_t	startup;
-	starter_state_t	state;
-
-	keyexchange_t	keyexchange;
-	u_int32_t	eap_type;
-	u_int32_t	eap_vendor;
-	char		*eap_identity;
-	lset_t 		policy;
-	time_t 		sa_ike_life_seconds;
-	time_t		sa_ipsec_life_seconds;
-	time_t		sa_rekey_margin;
-	unsigned long	sa_keying_tries;
-	unsigned long	sa_rekey_fuzz;
-	sa_family_t	addr_family;
-	sa_family_t	tunnel_addr_family;
-	bool		install_policy;
-	starter_end_t	left, right;
-
-	unsigned long	id;
-
-	char		*esp;
-	char 		*ike;
-	char 		*pfsgroup;
-	
-	time_t		dpd_delay;
-	time_t		dpd_timeout;
-	dpd_action_t	dpd_action;
-	int		dpd_count;
-	
-	bool		me_mediation;
-	char		*me_mediated_by;
-	char		*me_peerid;
-
-	starter_conn_t *next;
+		lset_t          seen;
+		char            *name;
+		also_t          *also;
+		kw_list_t       *kw;
+		u_int           visit;
+		startup_t       startup;
+		starter_state_t state;
+
+		keyexchange_t   keyexchange;
+		u_int32_t       eap_type;
+		u_int32_t       eap_vendor;
+		char            *eap_identity;
+		lset_t          policy;
+		time_t          sa_ike_life_seconds;
+		time_t          sa_ipsec_life_seconds;
+		time_t          sa_rekey_margin;
+		unsigned long   sa_keying_tries;
+		unsigned long   sa_rekey_fuzz;
+		sa_family_t     addr_family;
+		sa_family_t     tunnel_addr_family;
+		bool            install_policy;
+		starter_end_t   left, right;
+
+		unsigned long   id;
+
+		char            *esp;
+		char            *ike;
+		char            *pfsgroup;
+		
+		time_t          dpd_delay;
+		time_t          dpd_timeout;
+		dpd_action_t    dpd_action;
+		int             dpd_count;
+		
+		bool            me_mediation;
+		char            *me_mediated_by;
+		char            *me_peerid;
+
+		starter_conn_t *next;
 };
 
 typedef struct starter_ca starter_ca_t;
 
 struct starter_ca {
-	lset_t		seen;
-	char 		*name;
-	also_t		*also;
-	kw_list_t	*kw;
-	u_int		visit;
-	startup_t	startup;
-	starter_state_t	state;
-
-	char		*cacert;
-	char		*ldaphost;
-	char		*ldapbase;
-	char		*crluri;
-	char		*crluri2;
-	char		*ocspuri;
-	char		*ocspuri2;
-	char        *certuribase;
-
-	bool		strict;
-
-	starter_ca_t	*next;
+		lset_t          seen;
+		char            *name;
+		also_t          *also;
+		kw_list_t       *kw;
+		u_int           visit;
+		startup_t       startup;
+		starter_state_t state;
+
+		char            *cacert;
+		char            *ldaphost;
+		char            *ldapbase;
+		char            *crluri;
+		char            *crluri2;
+		char            *ocspuri;
+		char            *ocspuri2;
+		char        *certuribase;
+
+		bool            strict;
+
+		starter_ca_t    *next;
 };
 
 typedef struct starter_config starter_config_t;
 
 struct starter_config {
-	struct {
-		lset_t	seen;
-		char	**interfaces;
-		char	*dumpdir;
-		bool	charonstart;
-		bool	plutostart;
-
-		/* pluto/charon keywords */
-		char	 **plutodebug;
-		char	 *charondebug;
-		char	 *prepluto;
-		char	 *postpluto;
-		char	 *plutostderrlog;
-		bool	 uniqueids;
-		u_int	 overridemtu;
-		u_int	 crlcheckinterval;
-		bool	 cachecrls;
-		strict_t strictcrlpolicy;
-		bool	 nocrsend;
-		bool	 nat_traversal;
-		u_int	 keep_alive;
-		u_int	 force_keepalive;
-		char	 *virtual_private;
-		char	 *pkcs11module;
-		char	 *pkcs11initargs;
-		bool	 pkcs11keepstate;
-		bool	 pkcs11proxy;
-
-		/* KLIPS keywords */
-		char	**klipsdebug;
-		bool	fragicmp;
-		char	*packetdefault;
-		bool	hidetos;
-	} setup;
-
-	/* information about the default route */
-	defaultroute_t defaultroute;
-
-	/* number of encountered parsing errors */
-	u_int err;
-	u_int non_fatal_err;
-
-	/* do we parse also statements */
-	bool parse_also;
-
-	/* ca %default */
-	starter_ca_t ca_default;
-
-	/* connections list (without %default) */
-	starter_ca_t *ca_first, *ca_last;
-
-	/* conn %default */
-	starter_conn_t conn_default;
-
-	/* connections list (without %default) */
-	starter_conn_t *conn_first, *conn_last;
+		struct {
+				lset_t  seen;
+				char    **interfaces;
+				char    *dumpdir;
+				bool    charonstart;
+				bool    plutostart;
+
+				/* pluto/charon keywords */
+				char     **plutodebug;
+				char     *charondebug;
+				char     *prepluto;
+				char     *postpluto;
+				char     *plutostderrlog;
+				bool     uniqueids;
+				u_int    overridemtu;
+				u_int    crlcheckinterval;
+				bool     cachecrls;
+				strict_t strictcrlpolicy;
+				bool     nocrsend;
+				bool     nat_traversal;
+				u_int    keep_alive;
+				u_int    force_keepalive;
+				char     *virtual_private;
+				char     *pkcs11module;
+				char     *pkcs11initargs;
+				bool     pkcs11keepstate;
+				bool     pkcs11proxy;
+
+				/* KLIPS keywords */
+				char    **klipsdebug;
+				bool    fragicmp;
+				char    *packetdefault;
+				bool    hidetos;
+		} setup;
+
+		/* information about the default route */
+		defaultroute_t defaultroute;
+
+		/* number of encountered parsing errors */
+		u_int err;
+		u_int non_fatal_err;
+
+		/* do we parse also statements */
+		bool parse_also;
+
+		/* ca %default */
+		starter_ca_t ca_default;
+
+		/* connections list (without %default) */
+		starter_ca_t *ca_first, *ca_last;
+
+		/* conn %default */
+		starter_conn_t conn_default;
+
+		/* connections list (without %default) */
+		starter_conn_t *conn_first, *conn_last;
 };
 
 extern starter_config_t *confread_load(const char *file);
diff --git a/src/starter/exec.c b/src/starter/exec.c
index eed444c74..d4c4f0657 100644
--- a/src/starter/exec.c
+++ b/src/starter/exec.c
@@ -10,8 +10,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: exec.c 3267 2007-10-08 19:57:54Z andreas $
  */
 
 #include <stdlib.h>
@@ -37,18 +35,18 @@
 int
 starter_exec(const char *fmt, ...)
 {
-    va_list args;
-    static char buf[BUF_SIZE];
-    int r;
-
-    va_start (args, fmt);
-    vsnprintf(buf, BUF_SIZE-1, fmt, args);
-    buf[BUF_SIZE - 1] = '\0';
-    va_end(args);
-    r = system(buf);
-    DBG(DBG_CONTROL,
-	DBG_log("starter_exec(%s) = %d", buf, r)
-    )
-    return r;
+	va_list args;
+	static char buf[BUF_SIZE];
+	int r;
+
+	va_start (args, fmt);
+	vsnprintf(buf, BUF_SIZE-1, fmt, args);
+	buf[BUF_SIZE - 1] = '\0';
+	va_end(args);
+	r = system(buf);
+	DBG(DBG_CONTROL,
+		DBG_log("starter_exec(%s) = %d", buf, r)
+	)
+	return r;
 }
 
diff --git a/src/starter/exec.h b/src/starter/exec.h
index 49d795e1a..6a6414578 100644
--- a/src/starter/exec.h
+++ b/src/starter/exec.h
@@ -10,8 +10,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: exec.h 3267 2007-10-08 19:57:54Z andreas $
  */
 
 #ifndef _STARTER_EXEC_H_
diff --git a/src/starter/files.h b/src/starter/files.h
index a40574594..ec41c9f2e 100644
--- a/src/starter/files.h
+++ b/src/starter/files.h
@@ -10,8 +10,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: files.h 4618 2008-11-11 09:22:00Z tobias $
  */
 
 #ifndef _STARTER_FILES_H_
@@ -19,18 +17,18 @@
 
 #define STARTER_PID_FILE IPSEC_PIDDIR "/starter.pid"
 
-#define PROC_NETKEY		"/proc/net/pfkey"
-#define PROC_KLIPS		"/proc/net/pf_key"
-#define PROC_MODULES	"/proc/modules"
+#define PROC_NETKEY             "/proc/net/pfkey"
+#define PROC_KLIPS              "/proc/net/pf_key"
+#define PROC_MODULES    "/proc/modules"
 
 #define CONFIG_FILE     IPSEC_CONFDIR "/ipsec.conf"
-#define SECRETS_FILE	IPSEC_CONFDIR "/ipsec.secrets"
+#define SECRETS_FILE    IPSEC_CONFDIR "/ipsec.secrets"
 
 #define PLUTO_CMD       IPSEC_DIR "/pluto"
 #define PLUTO_CTL_FILE  IPSEC_PIDDIR "/pluto.ctl"
 #define PLUTO_PID_FILE  IPSEC_PIDDIR "/pluto.pid"
 
-#define CHARON_CMD	IPSEC_DIR "/charon"
+#define CHARON_CMD      IPSEC_DIR "/charon"
 #define CHARON_CTL_FILE IPSEC_PIDDIR "/charon.ctl"
 #define CHARON_PID_FILE IPSEC_PIDDIR "/charon.pid"
 
diff --git a/src/starter/interfaces.c b/src/starter/interfaces.c
index 5cec8a217..034eac317 100644
--- a/src/starter/interfaces.c
+++ b/src/starter/interfaces.c
@@ -10,20 +10,16 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: interfaces.c 3267 2007-10-08 19:57:54Z andreas $
  */
 
 #include <sys/socket.h>
 #include <sys/ioctl.h>
-#include <linux/if.h>
 #include <stdlib.h>
 #include <string.h>
 #include <unistd.h>
 #include <errno.h>
 
 #include <freeswan.h>
-#include <ipsec_tunnel.h>
 
 #include <constants.h>
 #include <defs.h>
@@ -39,114 +35,114 @@
 void
 get_defaultroute(defaultroute_t *defaultroute)
 {
-    FILE *fd;
-    char line[BUF_LEN];
-    bool first = TRUE;
+	FILE *fd;
+	char line[BUF_LEN];
+	bool first = TRUE;
 
-    memset(defaultroute, 0, sizeof(defaultroute_t));
+	memset(defaultroute, 0, sizeof(defaultroute_t));
 
-    fd = fopen("/proc/net/route", "r");
+	fd = fopen("/proc/net/route", "r");
 
-    if (!fd)
-    {
-	plog("could not open 'proc/net/route'");
-	return;
-    }
-
-    while (fgets(line, sizeof(line), fd) != 0)
-    {
-	char iface[11];
-	char destination[9];
-	char gateway[11];
-	char flags[5];
-	char mask[9];
-
-	int refcnt;
-	int use;
-	int metric;
-	int items;
-
-	/* proc/net/route returns IP addresses in host order */
-	strcpy(gateway, "0h");
-
-	/* skip the header line */
-	if (first)
+	if (!fd)
 	{
-	    first = FALSE;
-	    continue;
+		plog("could not open 'proc/net/route'");
+		return;
 	}
 
-	/* parsing a single line of proc/net/route */
-	items = sscanf(line, "%10s\t%8s\t%8s\t%5s\t%d\t%d\t%d\t%8s\t"
-		     , iface, destination, gateway+2, flags, &refcnt, &use, &metric, mask);
-	if (items < 8)
+	while (fgets(line, sizeof(line), fd) != 0)
 	{
-	    plog("parsing error while scanning /proc/net/route");
-	    continue;
+		char iface[11];
+		char destination[9];
+		char gateway[11];
+		char flags[5];
+		char mask[9];
+
+		int refcnt;
+		int use;
+		int metric;
+		int items;
+
+		/* proc/net/route returns IP addresses in host order */
+		strcpy(gateway, "0h");
+
+		/* skip the header line */
+		if (first)
+		{
+			first = FALSE;
+			continue;
+		}
+
+		/* parsing a single line of proc/net/route */
+		items = sscanf(line, "%10s\t%8s\t%8s\t%5s\t%d\t%d\t%d\t%8s\t"
+					 , iface, destination, gateway+2, flags, &refcnt, &use, &metric, mask);
+		if (items < 8)
+		{
+			plog("parsing error while scanning /proc/net/route");
+			continue;
+		}
+
+		/* check for defaultroute (destination 0.0.0.0 and mask 0.0.0.0) */
+		if (streq(destination, "00000000") && streq(mask, "00000000"))
+		{
+			if (defaultroute->defined)
+			{
+				plog("multiple default routes - cannot cope with %%defaultroute!!!");
+				defaultroute->defined = FALSE;
+				fclose(fd);
+				return;
+			}
+			ttoaddr(gateway, strlen(gateway), AF_INET, &defaultroute->nexthop);
+			strncpy(defaultroute->iface, iface, IFNAMSIZ);
+			defaultroute->defined = TRUE;
+		}
 	}
+	fclose(fd);
 
-	/* check for defaultroute (destination 0.0.0.0 and mask 0.0.0.0) */
-	if (streq(destination, "00000000") && streq(mask, "00000000"))
+	if (!defaultroute->defined)
 	{
-	    if (defaultroute->defined)
-	    {
-		plog("multiple default routes - cannot cope with %%defaultroute!!!");
-		defaultroute->defined = FALSE;
-		fclose(fd);
-		return;
-	    }
-	    ttoaddr(gateway, strlen(gateway), AF_INET, &defaultroute->nexthop);
-	    strncpy(defaultroute->iface, iface, IFNAMSIZ);
-	    defaultroute->defined = TRUE;
+		plog("no default route - cannot cope with %%defaultroute!!!");
 	}
-    }
-    fclose(fd);
-
-    if (!defaultroute->defined)
-    {
-	plog("no default route - cannot cope with %%defaultroute!!!");
-    }
-    else
-    {
-	char addr_buf[20], nexthop_buf[20];
-	struct ifreq physreq;
-
-	int sock = socket(AF_INET, SOCK_DGRAM, 0);
-
-	/* determine IP address of iface */
-	if (sock < 0)
+	else
 	{
-	    plog("could not open SOCK_DGRAM socket");
-	    defaultroute->defined = FALSE;
-	    return;
+		char addr_buf[20], nexthop_buf[20];
+		struct ifreq physreq;
+
+		int sock = socket(AF_INET, SOCK_DGRAM, 0);
+
+		/* determine IP address of iface */
+		if (sock < 0)
+		{
+			plog("could not open SOCK_DGRAM socket");
+			defaultroute->defined = FALSE;
+			return;
+		}
+		memset ((void*)&physreq, 0, sizeof(physreq));
+		strncpy(physreq.ifr_name, defaultroute->iface, IFNAMSIZ);
+		ioctl(sock, SIOCGIFADDR, &physreq);
+		close(sock);
+		defaultroute->addr.u.v4 = *((struct sockaddr_in *)&physreq.ifr_addr);
+
+		addrtot(&defaultroute->addr, 0, addr_buf, sizeof(addr_buf));
+		addrtot(&defaultroute->nexthop, 0, nexthop_buf, sizeof(nexthop_buf));
+
+		DBG(DBG_CONTROL,
+			DBG_log("Default route found: iface=%s, addr=%s, nexthop=%s"
+				, defaultroute->iface, addr_buf, nexthop_buf)
+		)
+
+		/* for backwards-compatibility with the awk shell scripts
+		 * store the defaultroute in /var/run/ipsec.info
+		 */
+		fd = fopen(INFO_FILE, "w");
+
+		if (fd)
+		{
+			fprintf(fd, "defaultroutephys=%s\n", defaultroute->iface );
+			fprintf(fd, "defaultroutevirt=ipsec0\n");
+			fprintf(fd, "defaultrouteaddr=%s\n", addr_buf);
+			fprintf(fd, "defaultroutenexthop=%s\n", nexthop_buf);
+			fclose(fd);
+		}
 	}
-	memset ((void*)&physreq, 0, sizeof(physreq));
-	strncpy(physreq.ifr_name, defaultroute->iface, IFNAMSIZ);
-	ioctl(sock, SIOCGIFADDR, &physreq);
-	close(sock);
-	defaultroute->addr.u.v4 = *((struct sockaddr_in *)&physreq.ifr_addr);
-
-	addrtot(&defaultroute->addr, 0, addr_buf, sizeof(addr_buf));
-	addrtot(&defaultroute->nexthop, 0, nexthop_buf, sizeof(nexthop_buf));
-
-	DBG(DBG_CONTROL,
-	    DBG_log("Default route found: iface=%s, addr=%s, nexthop=%s"
-		, defaultroute->iface, addr_buf, nexthop_buf)
-	)
-
-	/* for backwards-compatibility with the awk shell scripts
-	 * store the defaultroute in /var/run/ipsec.info
-	 */
-	fd = fopen(INFO_FILE, "w");
-
-	if (fd)
-	{
-	    fprintf(fd, "defaultroutephys=%s\n", defaultroute->iface );
-	    fprintf(fd, "defaultroutevirt=ipsec0\n");
-	    fprintf(fd, "defaultrouteaddr=%s\n", addr_buf);
-	    fprintf(fd, "defaultroutenexthop=%s\n", nexthop_buf);
-	    fclose(fd);
-	}
-    }
-    return;
+	return;
 }
diff --git a/src/starter/interfaces.h b/src/starter/interfaces.h
index 299113669..abe4c8f9c 100644
--- a/src/starter/interfaces.h
+++ b/src/starter/interfaces.h
@@ -10,22 +10,22 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: interfaces.h 3267 2007-10-08 19:57:54Z andreas $
  */
 
 #ifndef _STARTER_INTERFACES_H_
 #define _STARTER_INTERFACES_H_
 
-#include <linux/if.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <net/if.h>
 
 #include "../pluto/constants.h"
 
 typedef struct {
-    bool defined;
-    char iface[IFNAMSIZ];
-    ip_address addr;
-    ip_address nexthop;
+	bool defined;
+	char iface[IFNAMSIZ];
+	ip_address addr;
+	ip_address nexthop;
 } defaultroute_t;
 
 extern void get_defaultroute(defaultroute_t *defaultroute);
diff --git a/src/starter/invokecharon.c b/src/starter/invokecharon.c
index dd3f5f018..804467cea 100644
--- a/src/starter/invokecharon.c
+++ b/src/starter/invokecharon.c
@@ -13,8 +13,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: invokecharon.c 5050 2009-03-27 16:14:59Z andreas $
  */
 
 #include <sys/types.h>
@@ -41,190 +39,197 @@ static int _stop_requested;
 pid_t
 starter_charon_pid(void)
 {
-    return _charon_pid;
+	return _charon_pid;
 }
 
 void
 starter_charon_sigchild(pid_t pid)
 {
-	if (pid == _charon_pid)
-    {
-		_charon_pid = 0;
-	if (!_stop_requested)
+		if (pid == _charon_pid)
 	{
-	    plog("charon has died -- restart scheduled (%dsec)"
-		, CHARON_RESTART_DELAY);
-	    alarm(CHARON_RESTART_DELAY);   // restart in 5 sec
+				_charon_pid = 0;
+		if (!_stop_requested)
+		{
+			plog("charon has died -- restart scheduled (%dsec)"
+				, CHARON_RESTART_DELAY);
+			alarm(CHARON_RESTART_DELAY);   // restart in 5 sec
+		}
+		unlink(CHARON_PID_FILE);
 	}
-	unlink(CHARON_PID_FILE);
-    }
 }
 
 int
 starter_stop_charon (void)
 {
-    int i;
-    pid_t pid = _charon_pid;
+	int i;
+	pid_t pid = _charon_pid;
 
-    if (pid)
-    {
-	_stop_requested = 1;
-
-	/* be more and more aggressive */
-	for (i = 0; i < 50 && (pid = _charon_pid) != 0; i++)
+	if (pid)
 	{
-	    if (i == 0)
-	    {
-		kill(pid, SIGINT);
-	    }
-	    else if (i < 40)
-	    {
-		kill(pid, SIGTERM);
-	    }
-	    else if (i == 40)
-	    {
-		kill(pid, SIGKILL);
-		plog("starter_stop_charon(): charon does not respond, sending KILL");
-	    }
-	    else
-	    {
-		kill(pid, SIGKILL);
-	    }
-	    usleep(200000); /* sleep for 200 ms */
+		_stop_requested = 1;
+
+		/* be more and more aggressive */
+		for (i = 0; i < 50 && (pid = _charon_pid) != 0; i++)
+		{
+			if (i == 0)
+			{
+				kill(pid, SIGINT);
+			}
+			else if (i < 40)
+			{
+				kill(pid, SIGTERM);
+			}
+			else if (i == 40)
+			{
+				kill(pid, SIGKILL);
+				plog("starter_stop_charon(): charon does not respond, sending KILL");
+			}
+			else
+			{
+				kill(pid, SIGKILL);
+			}
+			usleep(200000); /* sleep for 200 ms */
+		}
+		if (_charon_pid == 0)
+		{
+			plog("charon stopped after %d ms", 200*i);
+			return 0;
+		}
+		plog("starter_stop_charon(): can't stop charon !!!");
+		return -1;
 	}
-	if (_charon_pid == 0)
+	else
 	{
-	    plog("charon stopped after %d ms", 200*i);
-	    return 0;
+		plog("stater_stop_charon(): charon was not started...");
 	}
-	plog("starter_stop_charon(): can't stop charon !!!");
 	return -1;
-    }
-    else
-    {
-	plog("stater_stop_charon(): charon was not started...");
-    }
-    return -1;
 }
 
 
 int
-starter_start_charon (starter_config_t *cfg, bool no_fork)
+starter_start_charon (starter_config_t *cfg, bool no_fork, bool attach_gdb)
 {
-    struct stat stb;
-    int pid, i;
-    char buffer[BUF_LEN];
-    int argc = 1;
-    char *arg[] = {
-	CHARON_CMD, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
-	NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
-	NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
-	NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL
-    };
-
-    if (!no_fork)
-    {
-	arg[argc++] = "--use-syslog";
-    }
-
-    /* parse debug string */
-    {
-	int level;
-	char type[4];
-	char *pos = cfg->setup.charondebug;
-	char *buf_pos = buffer;
-
-	while (pos && sscanf(pos, "%4s %d,", type, &level) == 2)
-	{
-	    snprintf(buf_pos, buffer + sizeof(buffer) - buf_pos, "--debug-%s", type);
-	    arg[argc++] = buf_pos;
-	    buf_pos += strlen(buf_pos) + 1;
-	    if (buf_pos >= buffer + sizeof(buffer))
-	    {
-		break;
-	    }
-	    snprintf(buf_pos, buffer + sizeof(buffer) - buf_pos, "%d", level);
-	    arg[argc++] = buf_pos;
-	    buf_pos += strlen(buf_pos) + 1;
-	    if (buf_pos >= buffer + sizeof(buffer))
-	    {
-		break;
-	    }
+	struct stat stb;
+	int pid, i;
+	char buffer[BUF_LEN];
+	int argc = 1;
+	char *arg[] = {
+		CHARON_CMD, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
+		NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
+		NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
+		NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL
+	};
 	
-	    /* get next */
-	    pos = strchr(pos, ',');
-	    if (pos)
-	    {
-		pos++;
-	    }
+	if (attach_gdb)
+	{
+		argc = 0;
+		arg[argc++] = "/usr/bin/gdb";
+		arg[argc++] = "--args";
+		arg[argc++] = CHARON_CMD;
+		}
+	if (!no_fork)
+	{
+		arg[argc++] = "--use-syslog";
 	}
-    }
 
-    if (_charon_pid)
-    {
-	plog("starter_start_charon(): charon already started...");
-	return -1;
-    }
-    else
-    {
-	unlink(CHARON_CTL_FILE);
-	_stop_requested = 0;
-
-	pid = fork();
-	switch (pid)
+	/* parse debug string */
 	{
-	case -1:
-	    plog("can't fork(): %s", strerror(errno));
-	    return -1;
-	case 0:
-	    /* child */
-	    setsid();
-	    sigprocmask(SIG_SETMASK, 0, NULL);
-	    /* disable glibc's malloc checker, conflicts with leak detective */
-	    setenv("MALLOC_CHECK_", "0", 1);
-	    execv(arg[0], arg);
-	    plog("can't execv(%s,...): %s", arg[0], strerror(errno));
-	    exit(1);
-	default:
-	    /* father */
-		_charon_pid = pid;
-		for (i = 0; i < 500 && _charon_pid; i++)
-	    {
-		/* wait for charon for a maximum of 500 x 20 ms = 10 s */
-		usleep(20000);
-		if (stat(CHARON_PID_FILE, &stb) == 0)
+		int level;
+		char type[4];
+		char *pos = cfg->setup.charondebug;
+		char *buf_pos = buffer;
+
+		while (pos && sscanf(pos, "%4s %d,", type, &level) == 2)
 		{
-		    plog("charon (%d) started after %d ms", _charon_pid, 20*(i+1));
-		    return 0;
+			snprintf(buf_pos, buffer + sizeof(buffer) - buf_pos, "--debug-%s", type);
+			arg[argc++] = buf_pos;
+			buf_pos += strlen(buf_pos) + 1;
+			if (buf_pos >= buffer + sizeof(buffer))
+			{
+				break;
+			}
+			snprintf(buf_pos, buffer + sizeof(buffer) - buf_pos, "%d", level);
+			arg[argc++] = buf_pos;
+			buf_pos += strlen(buf_pos) + 1;
+			if (buf_pos >= buffer + sizeof(buffer))
+			{
+				break;
+			}
+		
+			/* get next */
+			pos = strchr(pos, ',');
+			if (pos)
+			{
+				pos++;
+			}
 		}
-	    }
-	    if (_charon_pid)
-	    {
-		/* If charon is started but with no ctl file, stop it */
-		plog("charon too long to start... - kill kill");
-		for (i = 0; i < 20 && (pid = _charon_pid) != 0; i++)
+	}
+
+	if (_charon_pid)
+	{
+		plog("starter_start_charon(): charon already started...");
+		return -1;
+	}
+	else
+	{
+		unlink(CHARON_CTL_FILE);
+		_stop_requested = 0;
+
+		pid = fork();
+		switch (pid)
 		{
-		    if (i == 0)
-		    {
-			kill(pid, SIGINT);
-		    }
-		    else if (i < 10)
-		    {
-			kill(pid, SIGTERM);
-		    }
-		    else
-		    {
-			kill(pid, SIGKILL);
-		    }
-		    usleep(20000); /* sleep for 20 ms */
+		case -1:
+			plog("can't fork(): %s", strerror(errno));
+			return -1;
+		case 0:
+			/* child */
+			setsid();
+			sigprocmask(SIG_SETMASK, 0, NULL);
+			/* disable glibc's malloc checker, conflicts with leak detective */
+			setenv("MALLOC_CHECK_", "0", 1);
+			execv(arg[0], arg);
+			plog("can't execv(%s,...): %s", arg[0], strerror(errno));
+			exit(1);
+		default:
+			/* father */
+				_charon_pid = pid;
+				for (i = 0; i < 500 && _charon_pid; i++)
+			{
+				/* wait for charon for a maximum of 500 x 20 ms = 10 s */
+				usleep(20000);
+				if (stat(CHARON_PID_FILE, &stb) == 0)
+				{
+					plog("charon (%d) started after %d ms", _charon_pid, 20*(i+1));
+					return 0;
+				}
+			}
+			if (_charon_pid)
+			{
+				/* If charon is started but with no ctl file, stop it */
+				plog("charon too long to start... - kill kill");
+				for (i = 0; i < 20 && (pid = _charon_pid) != 0; i++)
+				{
+					if (i == 0)
+					{
+						kill(pid, SIGINT);
+					}
+					else if (i < 10)
+					{
+						kill(pid, SIGTERM);
+					}
+					else
+					{
+						kill(pid, SIGKILL);
+					}
+					usleep(20000); /* sleep for 20 ms */
+				}
+			}
+			else
+			{
+				plog("charon refused to be started");
+			}
+			return -1;
 		}
-	    }
-	    else
-	    {
-		plog("charon refused to be started");
-	    }
-	    return -1;
 	}
-    }
-    return -1;
+	return -1;
 }
diff --git a/src/starter/invokecharon.h b/src/starter/invokecharon.h
index c24d9bdb4..f0f470a8d 100644
--- a/src/starter/invokecharon.h
+++ b/src/starter/invokecharon.h
@@ -13,8 +13,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: invokecharon.h 3267 2007-10-08 19:57:54Z andreas $
  */
 
 #ifndef _STARTER_CHARON_H_
@@ -25,7 +23,7 @@
 extern void starter_charon_sigchild (pid_t pid);
 extern pid_t starter_charon_pid (void);
 extern int starter_stop_charon (void);
-extern int starter_start_charon(struct starter_config *cfg, bool debug);
+extern int starter_start_charon(struct starter_config *cfg, bool no_fork, bool attach_gdb);
 
 #endif /* _STARTER_CHARON_H_ */
 
diff --git a/src/starter/invokepluto.c b/src/starter/invokepluto.c
index edc587124..28bd93c5d 100644
--- a/src/starter/invokepluto.c
+++ b/src/starter/invokepluto.c
@@ -10,8 +10,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: invokepluto.c 5050 2009-03-27 16:14:59Z andreas $
  */
 
 #include <sys/types.h>
@@ -40,267 +38,277 @@ static int _stop_requested;
 pid_t
 starter_pluto_pid(void)
 {
-    return _pluto_pid;
+	return _pluto_pid;
 }
 
 void
 starter_pluto_sigchild(pid_t pid)
 {
-    if (pid == _pluto_pid)
-    {
-	_pluto_pid = 0;
-	if (!_stop_requested)
+	if (pid == _pluto_pid)
 	{
-	    plog("pluto has died -- restart scheduled (%dsec)"
-		, PLUTO_RESTART_DELAY);
-	    alarm(PLUTO_RESTART_DELAY);   // restart in 5 sec
+		_pluto_pid = 0;
+		if (!_stop_requested)
+		{
+			plog("pluto has died -- restart scheduled (%dsec)"
+				, PLUTO_RESTART_DELAY);
+			alarm(PLUTO_RESTART_DELAY);   // restart in 5 sec
+		}
+		unlink(PLUTO_PID_FILE);
 	}
-	unlink(PLUTO_PID_FILE);
-    }
 }
 
 int
 starter_stop_pluto (void)
 {
-    int i;
-    pid_t pid = _pluto_pid;
-
-    if (pid)
-    {
-	_stop_requested = 1;
+	int i;
+	pid_t pid = _pluto_pid;
 
-	if (starter_whack_shutdown() == 0)
+	if (pid)
 	{
-	    for (i = 0; i < 400; i++)
-	    {
-		usleep(20000); /* sleep for 20 ms */
+		_stop_requested = 1;
+
+		if (starter_whack_shutdown() == 0)
+		{
+			for (i = 0; i < 400; i++)
+			{
+				usleep(20000); /* sleep for 20 ms */
+				if (_pluto_pid == 0)
+				{
+					plog("pluto stopped after %d ms", 20*(i+1));
+					return 0;
+				}
+			}
+		}
+		/* be more and more aggressive */
+		for (i = 0; i < 20 && (pid = _pluto_pid) != 0; i++)
+		{
+			
+			if (i < 10)
+			{
+				kill(pid, SIGTERM);
+			}
+			if (i == 10)
+			{
+				kill(pid, SIGKILL);
+				plog("starter_stop_pluto(): pluto does not respond, sending KILL");
+			}           
+			else
+			{
+				kill(pid, SIGKILL);
+			}
+			usleep(100000); /* sleep for 100 ms */
+		}
 		if (_pluto_pid == 0)
 		{
-		    plog("pluto stopped after %d ms", 20*(i+1));
-		    return 0;
+			plog("pluto stopped after %d ms", 8000 + 100*i);
+			return 0;
 		}
-	    }
-	}
-	/* be more and more aggressive */
-	for (i = 0; i < 20 && (pid = _pluto_pid) != 0; i++)
-	{
-	    
-	    if (i < 10)
-	    {
-		kill(pid, SIGTERM);
-	    }
-	    if (i == 10)
-	    {
-		kill(pid, SIGKILL);
-		plog("starter_stop_pluto(): pluto does not respond, sending KILL");
-	    }		
-	    else
-	    {
-		kill(pid, SIGKILL);
-	    }
-	    usleep(100000); /* sleep for 100 ms */
+		plog("starter_stop_pluto(): can't stop pluto !!!");
+		return -1;
 	}
-	if (_pluto_pid == 0)
+	else
 	{
-	    plog("pluto stopped after %d ms", 8000 + 100*i);
-	    return 0;
+		plog("stater_stop_pluto(): pluto is not started...");
 	}
-	plog("starter_stop_pluto(): can't stop pluto !!!");
 	return -1;
-    }
-    else
-    {
-	plog("stater_stop_pluto(): pluto is not started...");
-    }
-    return -1;
 }
 
 #define ADD_DEBUG(v) { \
-	for (l = cfg->setup.plutodebug; l && *l; l++) if (streq(*l, v)) \
-		arg[argc++] = "--debug-" v; \
-	}
+		for (l = cfg->setup.plutodebug; l && *l; l++) if (streq(*l, v)) \
+				arg[argc++] = "--debug-" v; \
+		}
 
 int
-starter_start_pluto (starter_config_t *cfg, bool no_fork)
+starter_start_pluto (starter_config_t *cfg, bool no_fork, bool attach_gdb)
 {
-    struct stat stb;
-    int i;
-    pid_t pid;
-    char **l;
-    int argc = 2;
-    char *arg[] = {
-	      PLUTO_CMD, "--nofork"
-	    , NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL
-	    , NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL
-	    , NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL
-	    , NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL
-	};
-
-    printf ("starter_start_pluto entered\n");
+	struct stat stb;
+	int i;
+	pid_t pid;
+	char **l;
+	int argc = 2;
+	char *arg[] = {
+			  PLUTO_CMD, "--nofork"
+			, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL
+			, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL
+			, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL
+			, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL
+		};
 
-    if (cfg->setup.plutostderrlog || no_fork)
-    {
-	arg[argc++] = "--stderrlog";
-    }
-    if (cfg->setup.uniqueids)
-    {
-	arg[argc++] = "--uniqueids";
-    }
-    ADD_DEBUG("none")
-    ADD_DEBUG("all")
-    ADD_DEBUG("raw")
-    ADD_DEBUG("crypt")
-    ADD_DEBUG("parsing")
-    ADD_DEBUG("emitting")
-    ADD_DEBUG("control")
-    ADD_DEBUG("lifecycle")
-    ADD_DEBUG("klips")
-    ADD_DEBUG("dns")
-    ADD_DEBUG("natt")
-    ADD_DEBUG("oppo")
-    ADD_DEBUG("controlmore")
-    ADD_DEBUG("private")
-    if (cfg->setup.crlcheckinterval > 0)
-    {
-	static char buf1[15];
-
-	arg[argc++] = "--crlcheckinterval";
-	snprintf(buf1, sizeof(buf1), "%u", cfg->setup.crlcheckinterval);
-	arg[argc++] = buf1;
-    }
-    if (cfg->setup.cachecrls)
-    {
-	arg[argc++] = "--cachecrls";
-    }
-    if (cfg->setup.strictcrlpolicy)
-    {
-	arg[argc++] = "--strictcrlpolicy";
-    }
-    if (cfg->setup.nocrsend)
-    {
-	arg[argc++] = "--nocrsend";
-    }
-    if (cfg->setup.nat_traversal)
-    {
-	arg[argc++] = "--nat_traversal";
-    }
-    if (cfg->setup.force_keepalive)
-    {
-	arg[argc++] = "--force_keepalive";
-    }
-    if (cfg->setup.keep_alive)
-    {
-	static char buf2[15];
-
-	arg[argc++] = "--keep_alive";
-	snprintf(buf2, sizeof(buf2), "%u", cfg->setup.keep_alive);
-	arg[argc++] = buf2;
-    }
-    if (cfg->setup.virtual_private)
-    {
-	arg[argc++] = "--virtual_private";
-	arg[argc++] = cfg->setup.virtual_private;
-    }
-    if (cfg->setup.pkcs11module)
-    {
-	arg[argc++] = "--pkcs11module";
-	arg[argc++] = cfg->setup.pkcs11module;
-    }
-    if (cfg->setup.pkcs11initargs)
-    {
-	arg[argc++] = "--pkcs11initargs";
-	arg[argc++] = cfg->setup.pkcs11initargs;
-    }
-    if (cfg->setup.pkcs11keepstate)
-    {
-	arg[argc++] = "--pkcs11keepstate";
-    }
-    if (cfg->setup.pkcs11proxy)
-    {
-	arg[argc++] = "--pkcs11proxy";
-    }
+	printf ("starter_start_pluto entered\n");
+	
+	if (attach_gdb)
+	{
+		argc = 0;
+		arg[argc++] = "/usr/bin/gdb";
+		arg[argc++] = "--args";
+		arg[argc++] = PLUTO_CMD;
+		arg[argc++] = "--nofork";
+		}
+	if (cfg->setup.plutostderrlog || no_fork)
+	{
+		arg[argc++] = "--stderrlog";
+	}
+	if (cfg->setup.uniqueids)
+	{
+		arg[argc++] = "--uniqueids";
+	}
+	ADD_DEBUG("none")
+	ADD_DEBUG("all")
+	ADD_DEBUG("raw")
+	ADD_DEBUG("crypt")
+	ADD_DEBUG("parsing")
+	ADD_DEBUG("emitting")
+	ADD_DEBUG("control")
+	ADD_DEBUG("lifecycle")
+	ADD_DEBUG("klips")
+	ADD_DEBUG("dns")
+	ADD_DEBUG("natt")
+	ADD_DEBUG("oppo")
+	ADD_DEBUG("controlmore")
+	ADD_DEBUG("private")
+	if (cfg->setup.crlcheckinterval > 0)
+	{
+		static char buf1[15];
 
-    if (_pluto_pid)
-    {
-	plog("starter_start_pluto(): pluto already started...");
-	return -1;
-    }
-    else
-    {
-	unlink(PLUTO_CTL_FILE);
-	_stop_requested = 0;
+		arg[argc++] = "--crlcheckinterval";
+		snprintf(buf1, sizeof(buf1), "%u", cfg->setup.crlcheckinterval);
+		arg[argc++] = buf1;
+	}
+	if (cfg->setup.cachecrls)
+	{
+		arg[argc++] = "--cachecrls";
+	}
+	if (cfg->setup.strictcrlpolicy)
+	{
+		arg[argc++] = "--strictcrlpolicy";
+	}
+	if (cfg->setup.nocrsend)
+	{
+		arg[argc++] = "--nocrsend";
+	}
+	if (cfg->setup.nat_traversal)
+	{
+		arg[argc++] = "--nat_traversal";
+	}
+	if (cfg->setup.force_keepalive)
+	{
+		arg[argc++] = "--force_keepalive";
+	}
+	if (cfg->setup.keep_alive)
+	{
+		static char buf2[15];
 
-	if (cfg->setup.prepluto)
-	    ignore_result(system(cfg->setup.prepluto));
+		arg[argc++] = "--keep_alive";
+		snprintf(buf2, sizeof(buf2), "%u", cfg->setup.keep_alive);
+		arg[argc++] = buf2;
+	}
+	if (cfg->setup.virtual_private)
+	{
+		arg[argc++] = "--virtual_private";
+		arg[argc++] = cfg->setup.virtual_private;
+	}
+	if (cfg->setup.pkcs11module)
+	{
+		arg[argc++] = "--pkcs11module";
+		arg[argc++] = cfg->setup.pkcs11module;
+	}
+	if (cfg->setup.pkcs11initargs)
+	{
+		arg[argc++] = "--pkcs11initargs";
+		arg[argc++] = cfg->setup.pkcs11initargs;
+	}
+	if (cfg->setup.pkcs11keepstate)
+	{
+		arg[argc++] = "--pkcs11keepstate";
+	}
+	if (cfg->setup.pkcs11proxy)
+	{
+		arg[argc++] = "--pkcs11proxy";
+	}
 
-	pid = fork();
-	switch (pid)
+	if (_pluto_pid)
+	{
+		plog("starter_start_pluto(): pluto already started...");
+		return -1;
+	}
+	else
 	{
-	case -1:
-	    plog("can't fork(): %s", strerror(errno));
-	    return -1;
-	case 0:
-	    /* child */
-	    if (cfg->setup.plutostderrlog)
-	    {
-		int f = creat(cfg->setup.plutostderrlog, 00644);
+		unlink(PLUTO_CTL_FILE);
+		_stop_requested = 0;
 
-   		/* redirect stderr to file */
-		if (f < 0)
-		{
-		    plog("couldn't open stderr redirection file '%s'",
-			  cfg->setup.plutostderrlog);
-		}
-		else
-		{
-		    dup2(f, 2);
-		}
-	    }
-	    setsid();
-	    sigprocmask(SIG_SETMASK, 0, NULL);
-	    execv(arg[0], arg);
-	    plog("can't execv(%s,...): %s", arg[0], strerror(errno));
-	    exit(1);
-	default:
-	    /* father */
-	    _pluto_pid = pid;
-	    for (i = 0; i < 500 && _pluto_pid; i++)
-	    {
-		/* wait for pluto for a maximum of 500 x 20 ms = 10 s */
-		usleep(20000);
-		if (stat(PLUTO_CTL_FILE, &stb) == 0)
-		{
-		    plog("pluto (%d) started after %d ms", _pluto_pid, 20*(i+1));
-		    if (cfg->setup.postpluto)
-		    {
-			ignore_result(system(cfg->setup.postpluto));
-		    }
-		    return 0;
-		}
-	    }
-	    if (_pluto_pid)
-	    {
-		/* If pluto is started but with no ctl file, stop it */
-		plog("pluto too long to start... - kill kill");
-		for (i = 0; i < 20 && (pid = _pluto_pid) != 0; i++)
+		if (cfg->setup.prepluto)
+			ignore_result(system(cfg->setup.prepluto));
+
+		pid = fork();
+		switch (pid)
 		{
-		    if (i < 10)
-		    {
-			kill(pid, SIGTERM);
-		    }
-		    else
-		    {
-			kill(pid, SIGKILL);
-		    }
-		    usleep(20000); /* sleep for 20 ms */
+		case -1:
+			plog("can't fork(): %s", strerror(errno));
+			return -1;
+		case 0:
+			/* child */
+			if (cfg->setup.plutostderrlog)
+			{
+				int f = creat(cfg->setup.plutostderrlog, 00644);
+
+				/* redirect stderr to file */
+				if (f < 0)
+				{
+					plog("couldn't open stderr redirection file '%s'",
+						  cfg->setup.plutostderrlog);
+				}
+				else
+				{
+					dup2(f, 2);
+				}
+			}
+			setsid();
+			sigprocmask(SIG_SETMASK, 0, NULL);
+			/* disable glibc's malloc checker, conflicts with leak detective */
+			setenv("MALLOC_CHECK_", "0", 1);
+			execv(arg[0], arg);
+			plog("can't execv(%s,...): %s", arg[0], strerror(errno));
+			exit(1);
+		default:
+			/* father */
+			_pluto_pid = pid;
+			for (i = 0; i < 500 && _pluto_pid; i++)
+			{
+				/* wait for pluto for a maximum of 500 x 20 ms = 10 s */
+				usleep(20000);
+				if (stat(PLUTO_CTL_FILE, &stb) == 0)
+				{
+					plog("pluto (%d) started after %d ms", _pluto_pid, 20*(i+1));
+					if (cfg->setup.postpluto)
+					{
+						ignore_result(system(cfg->setup.postpluto));
+					}
+					return 0;
+				}
+			}
+			if (_pluto_pid)
+			{
+				/* If pluto is started but with no ctl file, stop it */
+				plog("pluto too long to start... - kill kill");
+				for (i = 0; i < 20 && (pid = _pluto_pid) != 0; i++)
+				{
+					if (i < 10)
+					{
+						kill(pid, SIGTERM);
+					}
+					else
+					{
+						kill(pid, SIGKILL);
+					}
+					usleep(20000); /* sleep for 20 ms */
+				}
+			}
+			else
+			{
+				plog("pluto refused to be started");
+			}
+			return -1;
 		}
-	    }
-	    else
-	    {
-		plog("pluto refused to be started");
-	    }
-	    return -1;
 	}
-    }
-    return -1;
+	return -1;
 }
diff --git a/src/starter/invokepluto.h b/src/starter/invokepluto.h
index 589a036ee..b0c89b1f1 100644
--- a/src/starter/invokepluto.h
+++ b/src/starter/invokepluto.h
@@ -10,8 +10,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: invokepluto.h 3267 2007-10-08 19:57:54Z andreas $
  */
 
 #ifndef _STARTER_PLUTO_H_
@@ -22,7 +20,7 @@
 extern void starter_pluto_sigchild (pid_t pid);
 extern pid_t starter_pluto_pid (void);
 extern int starter_stop_pluto (void);
-extern int starter_start_pluto (struct starter_config *cfg, bool debug);
+extern int starter_start_pluto (struct starter_config *cfg, bool no_fork, bool attach_gdb);
 
 #endif /* _STARTER_PLUTO_H_ */
 
diff --git a/src/starter/ipsec.conf.5 b/src/starter/ipsec.conf.5
index 565f15c66..31e676324 100644
--- a/src/starter/ipsec.conf.5
+++ b/src/starter/ipsec.conf.5
@@ -1,5 +1,4 @@
 .TH IPSEC.CONF 5 "27 Jun 2007"
-.\" RCSID $Id: ipsec.conf.5 5002 2009-03-24 15:02:12Z martin $
 .SH NAME
 ipsec.conf \- IPsec configuration and connections
 .SH DESCRIPTION
@@ -239,27 +238,27 @@ acceptable values are
 .B secret
 or
 .B psk
-for shared secrets,
+for pre-shared secrets,
+.B pubkey
+(the default) for public key signatures as well as the synonyms
 .B rsasig
-for RSA digital signatures (the default),
-.B secret|rsasig
-for either, and
+for RSA digital signatures and
+.B ecdsasig
+for Elliptic Curve DSA signatures.
 .B never
-if negotiation is never to be attempted or accepted (useful for shunt-only conns).
-Digital signatures are superior in every way to shared secrets. In IKEv2, the
-two ends must not agree on this parameter, it is relevant for the
-outbound authentication method only.
+can be used if negotiation is never to be attempted or accepted (useful for
+shunt-only conns).
+Digital signatures are superior in every way to shared secrets. 
 IKEv1 additionally supports the values
 .B xauthpsk
 and
 .B xauthrsasig
 that will enable eXtended AUTHentication (XAUTH) in addition to IKEv1 main mode
 based on shared secrets  or digital RSA signatures, respectively.
-IKEv2 additionally supports the value
-.B eap,
-which indicates an initiator to request EAP authentication. The EAP method to 
-use is selected by the server (see
-.B eap).
+This parameter is deprecated for IKEv2 connections, as two peers do not need
+to agree on an authentication method. Use the 
+.B leftauth
+parameter instead to define authentication methods in IKEv2.
 .TP
 .B auto
 what operation, if any, should be done automatically at IPsec startup;
@@ -350,25 +349,9 @@ in case of inactivity. This only applies to IKEv1, in IKEv2 the default
 retransmission timeout applies, as every exchange is used to detect dead peers.
 .TP
 .B eap
-defines the EAP type to propose as server if the client has 
-.B authby=eap
-selected. Acceptable values are
-.B aka
-for EAP-AKA,
-.B sim
-for EAP-SIM,
-.B gtc
-for EAP-GTC,
-.B md5
-for EAP-MD5, and
-.B mschapv2
-for EAP-MS-CHAPv2.
-Additionally, IANA assigned EAP method numbers are accepted, or a definition
-in the form
-.B eap=type-vendor
-(e.g.
-.B eap=7-12345
-) can be used to specify vendor specific EAP types.
+defines the EAP type to propose as server if the client requests EAP
+authentication. This parameter is deprecated in the favour of
+.B leftauth.
 
 To forward EAP authentication to a RADIUS server using the EAP-RADIUS plugin,
 set 
@@ -509,11 +492,46 @@ and
 .B no
 (the default).
 .TP
+.B leftauth
+Authentication method to use (local) or require (remote) in this connection.
+This parameter is supported in IKEv2 only. Acceptable values are 
+.B pubkey
+for public key authentication (RSA/ECDSA), 
+.B psk
+for pre-shared key authentication and
+.B eap
+to (require the) use of the Extensible Authentication Protocol. In the case
+of 
+.B eap,
+an optional EAP method can be appended. Currently defined methods are
+.B eap-aka, eap-sim, eap-gtc, eap-md5
+and
+.B eap-mschapv2.
+Alternatively, IANA assigned EAP method numbers are accepted. Vendor specific
+EAP methods are defined in the form
+.B eap-type-vendor
+(e.g.
+.B eap-7-12345
+).
+.TP
+.B leftauth2
+Same as 
+.B leftauth,
+but defines an additional authentication exchange. IKEv2 supports multiple
+authentication rounds using "Multiple Authentication Exchanges" defined
+in RFC4739. This allows, for example, separated authentication
+of host and user (IKEv2 only).
+.TP
 .B leftca
 the distinguished name of a certificate authority which is required to
 lie in the trust path going from the left participant's certificate up
 to the root certification authority. 
 .TP
+.B leftca2
+Same as
+.B leftca,
+but for the second authentication round (IKEv2 only).
+.TP
 .B leftcert
 the path to the left participant's X.509 certificate. The file can be coded either in
 PEM or DER format. OpenPGP certificates are supported as well.
@@ -529,6 +547,11 @@ The left participant's ID can be overriden by specifying a
 .B leftid
 value which must be certified by the certificate, though.
 .TP
+.B leftcert2
+Same as
+.B leftcert,
+but for the second authentication round (IKEv2 only).
+.TP
 .B leftfirewall
 whether the left participant is doing forwarding-firewalling
 (including masquerading) using iptables for traffic from \fIleftsubnet\fR,
@@ -594,6 +617,11 @@ or a fully-qualified domain name preceded by
 .B @
 (which is used as a literal string and not resolved).
 .TP
+.B leftid2
+identity to use for a second authentication for the left participant
+(IKEv2 only); defaults to
+.BR leftid .
+.TP
 .B leftnexthop
 this parameter is not needed any more because the NETKEY IPsec stack does
 not require explicit routing entries for the traffic to be tunneled.
diff --git a/src/starter/keywords.c b/src/starter/keywords.c
index e51780dc1..3ca7a92f6 100644
--- a/src/starter/keywords.c
+++ b/src/starter/keywords.c
@@ -1,6 +1,6 @@
 /* C code produced by gperf version 3.0.3 */
-/* Command-line: /usr/bin/gperf -C -G -t  */
-/* Computed positions: -k'1-2,$' */
+/* Command-line: /usr/bin/gperf -m 10 -C -G -D -t  */
+/* Computed positions: -k'1-2,6,$' */
 
 #if !((' ' == 32) && ('!' == 33) && ('"' == 34) && ('#' == 35) \
       && ('%' == 37) && ('&' == 38) && ('\'' == 39) && ('(' == 40) \
@@ -43,8 +43,6 @@ error "gperf generated tables don't work with this execution character set. Plea
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: keywords.txt 4612 2008-11-11 06:37:37Z andreas $
  */
 
 #include <string.h>
@@ -56,12 +54,12 @@ struct kw_entry {
     kw_token_t token;
 };
 
-#define TOTAL_KEYWORDS 102
+#define TOTAL_KEYWORDS 112
 #define MIN_WORD_LENGTH 3
 #define MAX_WORD_LENGTH 17
-#define MIN_HASH_VALUE 6
-#define MAX_HASH_VALUE 248
-/* maximum key range = 243, duplicates = 0 */
+#define MIN_HASH_VALUE 13
+#define MAX_HASH_VALUE 200
+/* maximum key range = 188, duplicates = 0 */
 
 #ifdef __GNUC__
 __inline
@@ -77,198 +75,192 @@ hash (str, len)
 {
   static const unsigned char asso_values[] =
     {
-      249, 249, 249, 249, 249, 249, 249, 249, 249, 249,
-      249, 249, 249, 249, 249, 249, 249, 249, 249, 249,
-      249, 249, 249, 249, 249, 249, 249, 249, 249, 249,
-      249, 249, 249, 249, 249, 249, 249, 249, 249, 249,
-      249, 249, 249, 249, 249, 249, 249, 249, 249,  25,
-       10, 249, 249, 249, 249, 249, 249, 249, 249, 249,
-      249, 249, 249, 249, 249, 249, 249, 249, 249, 249,
-      249, 249, 249, 249, 249, 249, 249, 249, 249, 249,
-      249, 249, 249, 249, 249, 249, 249, 249, 249, 249,
-      249, 249, 249, 249, 249, 249, 249, 110, 249,   0,
-      100,   5,  75,  65,  90,   0, 249,  60,  10,  15,
-       80,  60,  15, 249,   0,  50,  35,  15,  30, 249,
-        0,  75,   0, 249, 249, 249, 249, 249, 249, 249,
-      249, 249, 249, 249, 249, 249, 249, 249, 249, 249,
-      249, 249, 249, 249, 249, 249, 249, 249, 249, 249,
-      249, 249, 249, 249, 249, 249, 249, 249, 249, 249,
-      249, 249, 249, 249, 249, 249, 249, 249, 249, 249,
-      249, 249, 249, 249, 249, 249, 249, 249, 249, 249,
-      249, 249, 249, 249, 249, 249, 249, 249, 249, 249,
-      249, 249, 249, 249, 249, 249, 249, 249, 249, 249,
-      249, 249, 249, 249, 249, 249, 249, 249, 249, 249,
-      249, 249, 249, 249, 249, 249, 249, 249, 249, 249,
-      249, 249, 249, 249, 249, 249, 249, 249, 249, 249,
-      249, 249, 249, 249, 249, 249, 249, 249, 249, 249,
-      249, 249, 249, 249, 249, 249, 249, 249, 249, 249,
-      249, 249, 249, 249, 249, 249
+      201, 201, 201, 201, 201, 201, 201, 201, 201, 201,
+      201, 201, 201, 201, 201, 201, 201, 201, 201, 201,
+      201, 201, 201, 201, 201, 201, 201, 201, 201, 201,
+      201, 201, 201, 201, 201, 201, 201, 201, 201, 201,
+      201, 201, 201, 201, 201, 201, 201, 201, 201,   3,
+       42, 201, 201, 201, 201, 201, 201, 201, 201, 201,
+      201, 201, 201, 201, 201, 201, 201, 201, 201, 201,
+      201, 201, 201, 201, 201, 201, 201, 201, 201, 201,
+      201, 201, 201, 201, 201, 201, 201, 201, 201, 201,
+      201, 201, 201, 201, 201,   1, 201,   9, 201,   5,
+       39,   1,  64,  47,  62,   1, 201,  88,   5,  83,
+       39,  30,  21, 201,   1,  10,   6,  44,  14, 201,
+        4,  54,   4, 201, 201, 201, 201, 201, 201, 201,
+      201, 201, 201, 201, 201, 201, 201, 201, 201, 201,
+      201, 201, 201, 201, 201, 201, 201, 201, 201, 201,
+      201, 201, 201, 201, 201, 201, 201, 201, 201, 201,
+      201, 201, 201, 201, 201, 201, 201, 201, 201, 201,
+      201, 201, 201, 201, 201, 201, 201, 201, 201, 201,
+      201, 201, 201, 201, 201, 201, 201, 201, 201, 201,
+      201, 201, 201, 201, 201, 201, 201, 201, 201, 201,
+      201, 201, 201, 201, 201, 201, 201, 201, 201, 201,
+      201, 201, 201, 201, 201, 201, 201, 201, 201, 201,
+      201, 201, 201, 201, 201, 201, 201, 201, 201, 201,
+      201, 201, 201, 201, 201, 201, 201, 201, 201, 201,
+      201, 201, 201, 201, 201, 201, 201, 201, 201, 201,
+      201, 201, 201, 201, 201, 201
     };
-  return len + asso_values[(unsigned char)str[1]] + asso_values[(unsigned char)str[0]] + asso_values[(unsigned char)str[len - 1]];
+  register int hval = len;
+
+  switch (hval)
+    {
+      default:
+        hval += asso_values[(unsigned char)str[5]];
+      /*FALLTHROUGH*/
+      case 5:
+      case 4:
+      case 3:
+      case 2:
+        hval += asso_values[(unsigned char)str[1]];
+      /*FALLTHROUGH*/
+      case 1:
+        hval += asso_values[(unsigned char)str[0]];
+        break;
+    }
+  return hval + asso_values[(unsigned char)str[len - 1]];
 }
 
 static const struct kw_entry wordlist[] =
   {
-    {""}, {""}, {""}, {""}, {""}, {""},
+    {"right",             KW_RIGHT},
     {"crluri",            KW_CRLURI},
-    {""}, {""}, {""}, {""}, {""}, {""}, {""},
-    {"rekeyfuzz",         KW_REKEYFUZZ},
-    {""}, {""},
-    {"crluri2",           KW_CRLURI2},
-    {""}, {""}, {""},
-    {"certuribase",       KW_CERTURIBASE},
-    {""},
-    {"rightfirewall",     KW_RIGHTFIREWALL},
-    {""},
-    {"rightnatip",        KW_RIGHTNATIP},
-    {"crlcheckinterval",  KW_CRLCHECKINTERVAL},
-    {"rightnexthop",      KW_RIGHTNEXTHOP},
-    {"rightsourceip",     KW_RIGHTSOURCEIP},
-    {""}, {""}, {""},
+    {"left",              KW_LEFT},
     {"crluri1",           KW_CRLURI},
-    {""}, {""}, {""}, {""},
-    {"leftfirewall",      KW_LEFTFIREWALL},
-    {""},
-    {"leftnatip",         KW_LEFTNATIP},
-    {"right",             KW_RIGHT},
-    {"leftnexthop",       KW_LEFTNEXTHOP},
-    {"leftsourceip",      KW_LEFTSOURCEIP},
-    {""},
+    {"certuribase",       KW_CERTURIBASE},
+    {"leftcert",          KW_LEFTCERT,},
     {"rightcert",         KW_RIGHTCERT},
-    {""},
+    {"rightca",           KW_RIGHTCA},
+    {"leftfirewall",      KW_LEFTFIREWALL},
+    {"leftsendcert",      KW_LEFTSENDCERT},
+    {"leftprotoport",     KW_LEFTPROTOPORT},
+    {"leftgroups",        KW_LEFTGROUPS},
+    {"crlcheckinterval",  KW_CRLCHECKINTERVAL},
     {"rightsubnet",       KW_RIGHTSUBNET},
-    {""},
+    {"leftca",            KW_LEFTCA},
     {"rightsendcert",     KW_RIGHTSENDCERT},
-    {"rightprotoport",    KW_RIGHTPROTOPORT},
+    {"cacert",            KW_CACERT},
+    {"eap",               KW_EAP},
+    {"esp",               KW_ESP},
+    {"cachecrls",         KW_CACHECRLS},
+    {"leftnexthop",       KW_LEFTNEXTHOP},
     {"virtual_private",   KW_VIRTUAL_PRIVATE},
-    {""}, {""}, {""},
-    {"left",              KW_LEFT},
-    {""}, {""}, {""},
-    {"leftcert",          KW_LEFTCERT,},
-    {""},
-    {"leftsubnet",        KW_LEFTSUBNET},
-    {"rightgroups",       KW_RIGHTGROUPS},
-    {"leftsendcert",      KW_LEFTSENDCERT},
-    {"leftprotoport",     KW_LEFTPROTOPORT},
-    {""},
-    {"righthostaccess",   KW_RIGHTHOSTACCESS},
-    {""},
+    {"rightprotoport",    KW_RIGHTPROTOPORT},
     {"ocspuri",           KW_OCSPURI},
-    {"ike",               KW_IKE},
-    {""},
+    {"leftnatip",         KW_LEFTNATIP},
+    {"rightsourceip",     KW_RIGHTSOURCEIP},
+    {"ocspuri1",          KW_OCSPURI},
+    {"also",              KW_ALSO},
+    {"rightid",           KW_RIGHTID},
     {"plutostart",        KW_PLUTOSTART},
-    {""}, {""},
-    {"esp",               KW_ESP},
-    {""},
-    {"leftgroups",        KW_LEFTGROUPS},
-    {"ikelifetime",       KW_IKELIFETIME},
-    {"keylife",           KW_KEYLIFE},
-    {"ocspuri2",          KW_OCSPURI2},
+    {"rightid2",          KW_RIGHTID2},
+    {"compress",          KW_COMPRESS},
+    {"packetdefault",     KW_PACKETDEFAULT},
+    {"crluri2",           KW_CRLURI2},
+    {"rightca2",          KW_RIGHTCA2},
+    {"leftcert2",         KW_LEFTCERT2,},
+    {"rightcert2",        KW_RIGHTCERT2},
     {"lefthostaccess",    KW_LEFTHOSTACCESS},
-    {"keep_alive",        KW_KEEP_ALIVE},
-    {"keyexchange",       KW_KEYEXCHANGE},
-    {""},
-    {"prepluto",          KW_PREPLUTO},
-    {""},
     {"rekey",             KW_REKEY},
-    {"mobike",	           KW_MOBIKE},
-    {""},
-    {"rightallowany",     KW_RIGHTALLOWANY},
-    {"rightrsasigkey",    KW_RIGHTRSASIGKEY},
-    {""},
-    {"rightupdown",       KW_RIGHTUPDOWN},
-    {"pkcs11module",      KW_PKCS11MODULE},
-    {"ocspuri1",          KW_OCSPURI},
-    {""},
-    {"pkcs11keepstate",   KW_PKCS11KEEPSTATE},
-    {"rekeymargin",       KW_REKEYMARGIN},
+    {"ldapbase",          KW_LDAPBASE},
+    {"rightauth2",        KW_RIGHTAUTH2},
+    {"leftca2",           KW_LEFTCA2},
+    {"type",              KW_TYPE},
+    {"leftsubnet",        KW_LEFTSUBNET},
+    {"nat_traversal",     KW_NAT_TRAVERSAL},
     {"rightsubnetwithin", KW_RIGHTSUBNETWITHIN},
-    {"fragicmp",          KW_FRAGICMP},
-    {""},
-    {"plutodebug",        KW_PLUTODEBUG},
-    {"reauth",            KW_REAUTH},
+    {"leftsourceip",      KW_LEFTSOURCEIP},
+    {"rightgroups",       KW_RIGHTGROUPS},
+    {"rightrsasigkey",    KW_RIGHTRSASIGKEY},
+    {"rightnatip",        KW_RIGHTNATIP},
+    {"rightnexthop",      KW_RIGHTNEXTHOP},
+    {"leftupdown",        KW_LEFTUPDOWN},
     {"leftallowany",      KW_LEFTALLOWANY},
+    {"rightallowany",     KW_RIGHTALLOWANY},
+    {"rekeyfuzz",         KW_REKEYFUZZ},
+    {"xauth",             KW_XAUTH},
+    {"rightauth",         KW_RIGHTAUTH},
     {"leftrsasigkey",     KW_LEFTRSASIGKEY},
-    {"plutostderrlog",    KW_PLUTOSTDERRLOG},
-    {"leftupdown",        KW_LEFTUPDOWN},
-    {"mediated_by",       KW_MEDIATED_BY},
-    {"rightid",           KW_RIGHTID},
-    {""},
-    {"mediation",         KW_MEDIATION},
-    {""},
-    {"leftsubnetwithin",  KW_LEFTSUBNETWITHIN},
-    {""},
-    {"pfsgroup",          KW_PFSGROUP},
-    {""}, {""},
-    {"overridemtu",       KW_OVERRIDEMTU},
-    {"rightca",           KW_RIGHTCA},
-    {"compress",          KW_COMPRESS},
-    {"type",              KW_TYPE},
-    {""},
+    {"rightfirewall",     KW_RIGHTFIREWALL},
+    {"ocspuri2",          KW_OCSPURI2},
+    {"auto",              KW_AUTO},
+    {"ldaphost",          KW_LDAPHOST},
+    {"righthostaccess",   KW_RIGHTHOSTACCESS},
     {"leftid",            KW_LEFTID},
+    {"strictcrlpolicy",   KW_STRICTCRLPOLICY},
     {"dumpdir",           KW_DUMPDIR},
-    {"ldapbase",          KW_LDAPBASE},
-    {""}, {""},
-    {"keyingtries",       KW_KEYINGTRIES},
-    {""}, {""},
-    {"me_peerid",         KW_ME_PEERID},
-    {""},
-    {"leftca",            KW_LEFTCA},
-    {""},
-    {"eap",               KW_EAP},
-    {""}, {""},
-    {"charonstart",       KW_CHARONSTART},
-    {""}, {""},
-    {"pkcs11initargs",    KW_PKCS11INITARGS},
-    {"interfaces",        KW_INTERFACES},
-    {""}, {""},
-    {"pfs",               KW_PFS},
+    {"ike",               KW_IKE},
+    {"leftid2",           KW_LEFTID2},
     {"postpluto",         KW_POSTPLUTO},
-    {"klipsdebug",        KW_KLIPSDEBUG},
-    {""},
-    {"hidetos",           KW_HIDETOS},
-    {""}, {""},
-    {"modeconfig",        KW_MODECONFIG},
-    {"cacert",            KW_CACERT},
-    {""},
-    {"ldaphost",          KW_LDAPHOST},
+    {"rightupdown",       KW_RIGHTUPDOWN},
+    {"plutostderrlog",    KW_PLUTOSTDERRLOG},
+    {"pfs",               KW_PFS},
+    {"fragicmp",          KW_FRAGICMP},
+    {"overridemtu",       KW_OVERRIDEMTU},
+    {"leftauth2",         KW_LEFTAUTH2},
     {"uniqueids",         KW_UNIQUEIDS},
+    {"prepluto",          KW_PREPLUTO},
+    {"leftsubnetwithin",  KW_LEFTSUBNETWITHIN},
+    {"keyexchange",       KW_KEYEXCHANGE},
+    {"keep_alive",        KW_KEEP_ALIVE},
+    {"hidetos",           KW_HIDETOS},
     {"force_keepalive",   KW_FORCE_KEEPALIVE},
-    {""}, {""}, {""}, {""},
-    {"dpdtimeout",        KW_DPDTIMEOUT},
-    {"pkcs11proxy",       KW_PKCS11PROXY},
-    {""}, {""}, {""}, {""},
-    {"charondebug",       KW_CHARONDEBUG},
-    {""},
     {"installpolicy",     KW_INSTALLPOLICY},
-    {"cachecrls",         KW_CACHECRLS},
-    {""}, {""}, {""},
-    {"packetdefault",     KW_PACKETDEFAULT},
-    {""},
-    {"strictcrlpolicy",   KW_STRICTCRLPOLICY},
-    {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""},
-    {"also",              KW_ALSO},
-    {""}, {""}, {""}, {""},
-    {"auto",              KW_AUTO},
-    {""}, {""}, {""}, {""}, {""}, {""},
+    {"dpdaction",         KW_DPDACTION},
+    {"eap_identity",      KW_EAP_IDENTITY},
     {"forceencaps",       KW_FORCEENCAPS},
-    {""},
+    {"nocrsend",          KW_NOCRSEND},
+    {"auth",              KW_AUTH},
+    {"leftauth",          KW_LEFTAUTH},
+    {"mobike",	           KW_MOBIKE},
+    {"plutodebug",        KW_PLUTODEBUG},
+    {"charonstart",       KW_CHARONSTART},
+    {"interfaces",        KW_INTERFACES},
+    {"pkcs11module",      KW_PKCS11MODULE},
     {"dpddelay",          KW_DPDDELAY},
-    {""}, {""}, {""},
-    {"eap_identity",      KW_EAP_IDENTITY},
-    {""},
-    {"dpdaction",         KW_DPDACTION},
-    {"xauth",             KW_XAUTH},
+    {"pkcs11keepstate",   KW_PKCS11KEEPSTATE},
+    {"reauth",            KW_REAUTH},
+    {"me_peerid",         KW_ME_PEERID},
+    {"rekeymargin",       KW_REKEYMARGIN},
+    {"pkcs11initargs",    KW_PKCS11INITARGS},
+    {"mediation",         KW_MEDIATION},
+    {"pfsgroup",          KW_PFSGROUP},
+    {"mediated_by",       KW_MEDIATED_BY},
+    {"keyingtries",       KW_KEYINGTRIES},
+    {"dpdtimeout",        KW_DPDTIMEOUT},
+    {"keylife",           KW_KEYLIFE},
+    {"charondebug",       KW_CHARONDEBUG},
+    {"ikelifetime",       KW_IKELIFETIME},
     {"authby",            KW_AUTHBY},
-    {""}, {""}, {""}, {""}, {""}, {""},
-    {"nat_traversal",     KW_NAT_TRAVERSAL},
-    {""}, {""}, {""}, {""}, {""},
-    {"auth",              KW_AUTH},
-    {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""},
-    {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""},
-    {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""},
-    {""},
-    {"nocrsend",          KW_NOCRSEND}
+    {"pkcs11proxy",       KW_PKCS11PROXY},
+    {"klipsdebug",        KW_KLIPSDEBUG},
+    {"modeconfig",        KW_MODECONFIG}
+  };
+
+static const short lookup[] =
+  {
+     -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,
+     -1,  -1,  -1,   0,   1,  -1,   2,   3,  -1,   4,
+     -1,   5,   6,   7,   8,   9,  10,  11,  12,  13,
+     14,  15,  16,  -1,  17,  18,  -1,  -1,  19,  20,
+     21,  -1,  -1,  22,  23,  24,  25,  26,  27,  28,
+     -1,  -1,  29,  30,  31,  32,  33,  34,  35,  36,
+     37,  38,  39,  40,  41,  42,  43,  44,  45,  46,
+     47,  48,  49,  -1,  50,  -1,  51,  52,  53,  54,
+     55,  -1,  56,  57,  58,  -1,  59,  60,  61,  62,
+     63,  64,  65,  66,  67,  68,  69,  70,  71,  72,
+     73,  74,  -1,  75,  76,  77,  78,  -1,  -1,  79,
+     80,  81,  82,  -1,  83,  84,  85,  86,  -1,  87,
+     88,  89,  90,  91,  92,  93,  -1,  94,  95,  -1,
+     -1,  -1,  96,  97,  -1,  98,  99,  -1, 100,  -1,
+     -1,  -1,  -1,  -1, 101,  -1,  -1,  -1,  -1,  -1,
+     -1,  -1,  -1,  -1,  -1, 102,  -1, 103,  -1, 104,
+     -1, 105,  -1,  -1, 106, 107,  -1, 108,  -1,  -1,
+     -1,  -1,  -1,  -1,  -1,  -1,  -1, 109,  -1,  -1,
+     -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1, 110,
+     -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,
+    111
   };
 
 #ifdef __GNUC__
@@ -288,10 +280,15 @@ in_word_set (str, len)
 
       if (key <= MAX_HASH_VALUE && key >= 0)
         {
-          register const char *s = wordlist[key].name;
+          register int index = lookup[key];
+
+          if (index >= 0)
+            {
+              register const char *s = wordlist[index].name;
 
-          if (*str == *s && !strcmp (str + 1, s + 1))
-            return &wordlist[key];
+              if (*str == *s && !strcmp (str + 1, s + 1))
+                return &wordlist[index];
+            }
         }
     }
   return 0;
diff --git a/src/starter/keywords.h b/src/starter/keywords.h
index 756c33075..ae9a6d15f 100644
--- a/src/starter/keywords.h
+++ b/src/starter/keywords.h
@@ -11,177 +11,185 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: keywords.h 4612 2008-11-11 06:37:37Z andreas $
  */
 
 #ifndef _KEYWORDS_H_
 #define _KEYWORDS_H_
 
 typedef enum {
-    /* config setup keywords */
-    KW_INTERFACES,
-    KW_DUMPDIR,
-    KW_CHARONSTART,
-    KW_PLUTOSTART,
-
-    /* pluto/charon keywords */
-    KW_PLUTODEBUG,
-    KW_CHARONDEBUG,
-    KW_PREPLUTO,
-    KW_POSTPLUTO,
-    KW_PLUTOSTDERRLOG,
-    KW_UNIQUEIDS,
-    KW_OVERRIDEMTU,
-    KW_CRLCHECKINTERVAL,
-    KW_CACHECRLS,
-    KW_STRICTCRLPOLICY,
-    KW_NOCRSEND,
-    KW_NAT_TRAVERSAL,
-    KW_KEEP_ALIVE,
-    KW_FORCE_KEEPALIVE,
-    KW_VIRTUAL_PRIVATE,
-    KW_PKCS11MODULE,
-    KW_PKCS11INITARGS,
-    KW_PKCS11KEEPSTATE,
-    KW_PKCS11PROXY,
-
-#define KW_PLUTO_FIRST	KW_PLUTODEBUG
-#define KW_PLUTO_LAST	KW_PKCS11PROXY
-
-    /* KLIPS keywords */
-    KW_KLIPSDEBUG,
-    KW_FRAGICMP,
-    KW_PACKETDEFAULT,
-    KW_HIDETOS,
-
-#define KW_KLIPS_FIRST	KW_KLIPSDEBUG
-#define KW_KLIPS_LAST	KW_HIDETOS
-
-#define KW_SETUP_FIRST	KW_INTERFACES
-#define KW_SETUP_LAST	KW_HIDETOS
-
-    /* conn section keywords */
-    KW_CONN_NAME,
-    KW_CONN_SETUP,
-    KW_KEYEXCHANGE,
-    KW_TYPE,
-    KW_PFS,
-    KW_COMPRESS,
-	KW_INSTALLPOLICY,
-    KW_AUTH,
-    KW_AUTHBY,
-    KW_EAP,
-    KW_EAP_IDENTITY,
-    KW_MOBIKE,
-    KW_FORCEENCAPS,
-    KW_IKELIFETIME,
-    KW_KEYLIFE,
-    KW_REKEYMARGIN,
-    KW_KEYINGTRIES,
-    KW_REKEYFUZZ,
-    KW_REKEY,
-    KW_REAUTH,
-    KW_IKE,
-    KW_ESP,
-    KW_PFSGROUP,
-    KW_DPDDELAY,
-    KW_DPDTIMEOUT,
-    KW_DPDACTION,
-    KW_MODECONFIG,
-    KW_XAUTH,
-    KW_MEDIATION,
-    KW_MEDIATED_BY,
-    KW_ME_PEERID,
-
-#define KW_CONN_FIRST	KW_CONN_SETUP
-#define KW_CONN_LAST	KW_ME_PEERID
+	/* config setup keywords */
+	KW_INTERFACES,
+	KW_DUMPDIR,
+	KW_CHARONSTART,
+	KW_PLUTOSTART,
+
+	/* pluto/charon keywords */
+	KW_PLUTODEBUG,
+	KW_CHARONDEBUG,
+	KW_PREPLUTO,
+	KW_POSTPLUTO,
+	KW_PLUTOSTDERRLOG,
+	KW_UNIQUEIDS,
+	KW_OVERRIDEMTU,
+	KW_CRLCHECKINTERVAL,
+	KW_CACHECRLS,
+	KW_STRICTCRLPOLICY,
+	KW_NOCRSEND,
+	KW_NAT_TRAVERSAL,
+	KW_KEEP_ALIVE,
+	KW_FORCE_KEEPALIVE,
+	KW_VIRTUAL_PRIVATE,
+	KW_PKCS11MODULE,
+	KW_PKCS11INITARGS,
+	KW_PKCS11KEEPSTATE,
+	KW_PKCS11PROXY,
+
+#define KW_PLUTO_FIRST  KW_PLUTODEBUG
+#define KW_PLUTO_LAST   KW_PKCS11PROXY
+
+	/* KLIPS keywords */
+	KW_KLIPSDEBUG,
+	KW_FRAGICMP,
+	KW_PACKETDEFAULT,
+	KW_HIDETOS,
+
+#define KW_KLIPS_FIRST  KW_KLIPSDEBUG
+#define KW_KLIPS_LAST   KW_HIDETOS
+
+#define KW_SETUP_FIRST  KW_INTERFACES
+#define KW_SETUP_LAST   KW_HIDETOS
+
+	/* conn section keywords */
+	KW_CONN_NAME,
+	KW_CONN_SETUP,
+	KW_KEYEXCHANGE,
+	KW_TYPE,
+	KW_PFS,
+	KW_COMPRESS,
+		KW_INSTALLPOLICY,
+	KW_AUTH,
+	KW_AUTHBY,
+	KW_EAP,
+	KW_EAP_IDENTITY,
+	KW_MOBIKE,
+	KW_FORCEENCAPS,
+	KW_IKELIFETIME,
+	KW_KEYLIFE,
+	KW_REKEYMARGIN,
+	KW_KEYINGTRIES,
+	KW_REKEYFUZZ,
+	KW_REKEY,
+	KW_REAUTH,
+	KW_IKE,
+	KW_ESP,
+	KW_PFSGROUP,
+	KW_DPDDELAY,
+	KW_DPDTIMEOUT,
+	KW_DPDACTION,
+	KW_MODECONFIG,
+	KW_XAUTH,
+	KW_MEDIATION,
+	KW_MEDIATED_BY,
+	KW_ME_PEERID,
+
+#define KW_CONN_FIRST   KW_CONN_SETUP
+#define KW_CONN_LAST    KW_ME_PEERID
 
    /* ca section keywords */
-    KW_CA_NAME,
-    KW_CA_SETUP,
-    KW_CACERT,
-    KW_LDAPHOST,
-    KW_LDAPBASE,
-    KW_CRLURI,
-    KW_CRLURI2,
-    KW_OCSPURI,
-    KW_OCSPURI2,
-    KW_CERTURIBASE,
-
-#define KW_CA_FIRST	KW_CA_SETUP
-#define KW_CA_LAST	KW_CERTURIBASE
+	KW_CA_NAME,
+	KW_CA_SETUP,
+	KW_CACERT,
+	KW_LDAPHOST,
+	KW_LDAPBASE,
+	KW_CRLURI,
+	KW_CRLURI2,
+	KW_OCSPURI,
+	KW_OCSPURI2,
+	KW_CERTURIBASE,
+
+#define KW_CA_FIRST     KW_CA_SETUP
+#define KW_CA_LAST      KW_CERTURIBASE
 
    /* end keywords */
-    KW_HOST,
-    KW_NEXTHOP,
-    KW_SUBNET,
-    KW_SUBNETWITHIN,
-    KW_PROTOPORT,
-    KW_SOURCEIP,
-    KW_NATIP,
-    KW_FIREWALL,
-    KW_HOSTACCESS,
-    KW_ALLOWANY,
-    KW_UPDOWN,
-    KW_ID,
-    KW_RSASIGKEY,
-    KW_CERT,
-    KW_SENDCERT,
-    KW_CA,
-    KW_GROUPS,
-    KW_IFACE,
-
-#define KW_END_FIRST	KW_HOST
-#define KW_END_LAST	KW_IFACE
+	KW_HOST,
+	KW_NEXTHOP,
+	KW_SUBNET,
+	KW_SUBNETWITHIN,
+	KW_PROTOPORT,
+	KW_SOURCEIP,
+	KW_NATIP,
+	KW_FIREWALL,
+	KW_HOSTACCESS,
+	KW_ALLOWANY,
+	KW_UPDOWN,
+	KW_ID,
+	KW_RSASIGKEY,
+	KW_CERT,
+	KW_SENDCERT,
+	KW_CA,
+	KW_GROUPS,
+	KW_IFACE,
+
+#define KW_END_FIRST    KW_HOST
+#define KW_END_LAST     KW_IFACE
 
    /* left end keywords */
-    KW_LEFT,
-    KW_LEFTNEXTHOP,
-    KW_LEFTSUBNET,
-    KW_LEFTSUBNETWITHIN,
-    KW_LEFTPROTOPORT,
-    KW_LEFTSOURCEIP,
-    KW_LEFTNATIP,
-    KW_LEFTFIREWALL,
-    KW_LEFTHOSTACCESS,
-    KW_LEFTALLOWANY,
-    KW_LEFTUPDOWN,
-    KW_LEFTID,
-    KW_LEFTRSASIGKEY,
-    KW_LEFTCERT,
-    KW_LEFTSENDCERT,
-    KW_LEFTCA,
-    KW_LEFTGROUPS,
-
-#define KW_LEFT_FIRST	KW_LEFT
-#define KW_LEFT_LAST	KW_LEFTGROUPS
+	KW_LEFT,
+	KW_LEFTNEXTHOP,
+	KW_LEFTSUBNET,
+	KW_LEFTSUBNETWITHIN,
+	KW_LEFTPROTOPORT,
+	KW_LEFTSOURCEIP,
+	KW_LEFTNATIP,
+	KW_LEFTFIREWALL,
+	KW_LEFTHOSTACCESS,
+	KW_LEFTALLOWANY,
+	KW_LEFTUPDOWN,
+	KW_LEFTAUTH,
+	KW_LEFTAUTH2,
+	KW_LEFTID,
+	KW_LEFTID2,
+	KW_LEFTRSASIGKEY,
+	KW_LEFTCERT,
+	KW_LEFTCERT2,
+	KW_LEFTSENDCERT,
+	KW_LEFTCA,
+	KW_LEFTCA2,
+	KW_LEFTGROUPS,
+
+#define KW_LEFT_FIRST   KW_LEFT
+#define KW_LEFT_LAST    KW_LEFTGROUPS
 
    /* right end keywords */
-    KW_RIGHT,
-    KW_RIGHTNEXTHOP,
-    KW_RIGHTSUBNET,
-    KW_RIGHTSUBNETWITHIN,
-    KW_RIGHTPROTOPORT,
-    KW_RIGHTSOURCEIP,
-    KW_RIGHTNATIP,
-    KW_RIGHTFIREWALL,
-    KW_RIGHTHOSTACCESS,
-    KW_RIGHTALLOWANY,
-    KW_RIGHTUPDOWN,
-    KW_RIGHTID,
-    KW_RIGHTRSASIGKEY,
-    KW_RIGHTCERT,
-    KW_RIGHTSENDCERT,
-    KW_RIGHTCA,
-    KW_RIGHTGROUPS,
-
-#define KW_RIGHT_FIRST	KW_RIGHT
-#define KW_RIGHT_LAST	KW_RIGHTGROUPS
-
-    /* general section keywords */
-    KW_ALSO,
-    KW_AUTO
+	KW_RIGHT,
+	KW_RIGHTNEXTHOP,
+	KW_RIGHTSUBNET,
+	KW_RIGHTSUBNETWITHIN,
+	KW_RIGHTPROTOPORT,
+	KW_RIGHTSOURCEIP,
+	KW_RIGHTNATIP,
+	KW_RIGHTFIREWALL,
+	KW_RIGHTHOSTACCESS,
+	KW_RIGHTALLOWANY,
+	KW_RIGHTUPDOWN,
+	KW_RIGHTAUTH,
+	KW_RIGHTAUTH2,
+	KW_RIGHTID,
+	KW_RIGHTID2,
+	KW_RIGHTRSASIGKEY,
+	KW_RIGHTCERT,
+	KW_RIGHTCERT2,
+	KW_RIGHTSENDCERT,
+	KW_RIGHTCA,
+	KW_RIGHTCA2,
+	KW_RIGHTGROUPS,
+
+#define KW_RIGHT_FIRST  KW_RIGHT
+#define KW_RIGHT_LAST   KW_RIGHTGROUPS
+
+	/* general section keywords */
+	KW_ALSO,
+	KW_AUTO
 
 } kw_token_t;
 
diff --git a/src/starter/keywords.txt b/src/starter/keywords.txt
index 8dfa03325..66c894850 100644
--- a/src/starter/keywords.txt
+++ b/src/starter/keywords.txt
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: keywords.txt 4612 2008-11-11 06:37:37Z andreas $
  */
 
 #include <string.h>
@@ -104,10 +102,15 @@ lefthostaccess,    KW_LEFTHOSTACCESS
 leftallowany,      KW_LEFTALLOWANY
 leftupdown,        KW_LEFTUPDOWN
 leftid,            KW_LEFTID
+leftid2,           KW_LEFTID2
+leftauth,          KW_LEFTAUTH
+leftauth2,         KW_LEFTAUTH2
 leftrsasigkey,     KW_LEFTRSASIGKEY
 leftcert,          KW_LEFTCERT,
+leftcert2,         KW_LEFTCERT2,
 leftsendcert,      KW_LEFTSENDCERT
 leftca,            KW_LEFTCA
+leftca2,           KW_LEFTCA2
 leftgroups,        KW_LEFTGROUPS
 right,             KW_RIGHT
 rightnexthop,      KW_RIGHTNEXTHOP
@@ -121,10 +124,15 @@ righthostaccess,   KW_RIGHTHOSTACCESS
 rightallowany,     KW_RIGHTALLOWANY
 rightupdown,       KW_RIGHTUPDOWN
 rightid,           KW_RIGHTID
+rightid2,          KW_RIGHTID2
+rightauth,         KW_RIGHTAUTH
+rightauth2,        KW_RIGHTAUTH2
 rightrsasigkey,    KW_RIGHTRSASIGKEY
 rightcert,         KW_RIGHTCERT
+rightcert2,        KW_RIGHTCERT2
 rightsendcert,     KW_RIGHTSENDCERT
 rightca,           KW_RIGHTCA
+rightca2,          KW_RIGHTCA2
 rightgroups,       KW_RIGHTGROUPS
 also,              KW_ALSO
 auto,              KW_AUTO
diff --git a/src/starter/klips.c b/src/starter/klips.c
index 5c8164419..061dee50c 100644
--- a/src/starter/klips.c
+++ b/src/starter/klips.c
@@ -10,8 +10,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: klips.c 4632 2008-11-11 18:37:19Z martin $
  */
 
 #include <sys/types.h>
@@ -29,54 +27,54 @@
 bool
 starter_klips_init(void)
 {
-    struct stat stb;
-
-    if (stat(PROC_KLIPS, &stb) != 0)
-    {
-	/* ipsec module makes the pf_key proc interface visible */
-	if (stat(PROC_MODULES, &stb) == 0)
-	{
-	    ignore_result(system("modprobe -qv ipsec"));
-	}
+	struct stat stb;
 
-	/* now test again */
 	if (stat(PROC_KLIPS, &stb) != 0)
 	{
-	    DBG(DBG_CONTROL,
-		DBG_log("kernel appears to lack the KLIPS IPsec stack")
-	    )
-	    return FALSE;
+		/* ipsec module makes the pf_key proc interface visible */
+		if (stat(PROC_MODULES, &stb) == 0)
+		{
+			ignore_result(system("modprobe -qv ipsec"));
+		}
+
+		/* now test again */
+		if (stat(PROC_KLIPS, &stb) != 0)
+		{
+			DBG(DBG_CONTROL,
+				DBG_log("kernel appears to lack the KLIPS IPsec stack")
+			)
+			return FALSE;
+		}
 	}
-    }
-    
-    /* load crypto algorithm modules */
-    ignore_result(system("modprobe -qv ipsec_aes"));
-    ignore_result(system("modprobe -qv ipsec_blowfish"));
-    ignore_result(system("modprobe -qv ipsec_sha2"));
+	
+	/* load crypto algorithm modules */
+	ignore_result(system("modprobe -qv ipsec_aes"));
+	ignore_result(system("modprobe -qv ipsec_blowfish"));
+	ignore_result(system("modprobe -qv ipsec_sha2"));
 
-    DBG(DBG_CONTROL,
-	DBG_log("Found KLIPS IPsec stack")
-    )
-    
-    return TRUE;
+	DBG(DBG_CONTROL,
+		DBG_log("Found KLIPS IPsec stack")
+	)
+	
+	return TRUE;
 }
 
 void
 starter_klips_cleanup(void)
 {
-    if (system("type eroute > /dev/null 2>&1") == 0)
-    {
-	ignore_result(system("spi --clear"));
-	ignore_result(system("eroute --clear"));
-    }
-	else if (system("type setkey > /dev/null 2>&1") == 0)
-    {
-	ignore_result(system("setkey -F"));
-	ignore_result(system("setkey -FP"));
-    }
-    else
-    {
-	plog("WARNING: cannot flush IPsec state/policy database");
-    }
+	if (system("type eroute > /dev/null 2>&1") == 0)
+	{
+		ignore_result(system("spi --clear"));
+		ignore_result(system("eroute --clear"));
+	}
+		else if (system("type setkey > /dev/null 2>&1") == 0)
+	{
+		ignore_result(system("setkey -F"));
+		ignore_result(system("setkey -FP"));
+	}
+	else
+	{
+		plog("WARNING: cannot flush IPsec state/policy database");
+	}
 }
 
diff --git a/src/starter/klips.h b/src/starter/klips.h
index 60055b4f1..e93348df1 100644
--- a/src/starter/klips.h
+++ b/src/starter/klips.h
@@ -10,8 +10,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: klips.h 4618 2008-11-11 09:22:00Z tobias $
  */
 
 #ifndef _STARTER_KLIPS_H_
diff --git a/src/starter/lex.yy.c b/src/starter/lex.yy.c
index 8edb9e3e6..4596c0cc3 100644
--- a/src/starter/lex.yy.c
+++ b/src/starter/lex.yy.c
@@ -141,7 +141,15 @@ typedef unsigned int flex_uint32_t;
 
 /* Size of default input buffer. */
 #ifndef YY_BUF_SIZE
+#ifdef __ia64__
+/* On IA-64, the buffer size is 16k, not 8k.
+ * Moreover, YY_BUF_SIZE is 2*YY_READ_BUF_SIZE in the general case.
+ * Ditto for the __ia64__ case accordingly.
+ */
+#define YY_BUF_SIZE 32768
+#else
 #define YY_BUF_SIZE 16384
+#endif /* __ia64__ */
 #endif
 
 /* The state buf must be large enough to hold one state per character in the main buffer.
@@ -479,8 +487,9 @@ int yy_flex_debug = 0;
 #define YY_MORE_ADJ 0
 #define YY_RESTORE_YY_MORE_OFFSET
 char *yytext;
-#line 1 "parser.l"
-#line 2 "parser.l"
+#line 1 "./parser.l"
+#define YY_NO_INPUT 1
+#line 4 "./parser.l"
 /* FreeS/WAN config file parser (parser.l)
  * Copyright (C) 2001 Mathieu Lafon - Arkoon Network Security
  *
@@ -493,8 +502,6 @@ char *yytext;
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: parser.l 4632 2008-11-11 18:37:19Z martin $
  */
 
 #include <string.h>
@@ -505,8 +512,6 @@ char *yytext;
 
 #define MAX_INCLUDE_DEPTH  20
 
-#define YY_NO_INPUT
-#define YY_NO_UNPUT
 extern void yyerror(const char *);
 extern int yylex (void);
 
@@ -525,94 +530,94 @@ int _parser_y_include (const char *filename);
 
 void _parser_y_error(char *b, int size, const char *s)
 {
-    extern char *yytext; // was: char yytext[];
+	extern char *yytext; // was: char yytext[];
 
-    snprintf(b, size, "%s:%d: %s [%s]",
-	    __parser_y_private.filename[__parser_y_private.stack_ptr],
-	    __parser_y_private.line[__parser_y_private.stack_ptr],
-	    s, yytext);
+	snprintf(b, size, "%s:%d: %s [%s]",
+			__parser_y_private.filename[__parser_y_private.stack_ptr],
+			__parser_y_private.line[__parser_y_private.stack_ptr],
+			s, yytext);
 }
 
 void _parser_y_init (const char *f)
 {
-    memset(&__parser_y_private, 0, sizeof(__parser_y_private));
-    __parser_y_private.line[0] = 1;
-    __parser_y_private.filename[0] = strdup(f);
+	memset(&__parser_y_private, 0, sizeof(__parser_y_private));
+	__parser_y_private.line[0] = 1;
+	__parser_y_private.filename[0] = strdup(f);
 }
 
 void _parser_y_fini (void)
 {
-    unsigned int i;
-
-    for (i = 0; i < MAX_INCLUDE_DEPTH; i++)
-    {
-	if (__parser_y_private.filename[i])
-	    free(__parser_y_private.filename[i]);
-	if (__parser_y_private.file[i])
-	    fclose(__parser_y_private.file[i]);
-    }
-    memset(&__parser_y_private, 0, sizeof(__parser_y_private));
+	unsigned int i;
+
+	for (i = 0; i < MAX_INCLUDE_DEPTH; i++)
+	{
+		if (__parser_y_private.filename[i])
+			free(__parser_y_private.filename[i]);
+		if (__parser_y_private.file[i])
+			fclose(__parser_y_private.file[i]);
+	}
+	memset(&__parser_y_private, 0, sizeof(__parser_y_private));
 }
 
 int _parser_y_include (const char *filename)
 {
-    glob_t files;
-    int i, ret;
-
-    ret = glob(filename, GLOB_ERR, NULL, &files);
-    if (ret)
-    {
-	const char *err;
+	glob_t files;
+	int i, ret;
 
-	switch (ret)
+	ret = glob(filename, GLOB_ERR, NULL, &files);
+	if (ret)
 	{
-	case GLOB_NOSPACE:
-	    err = "include files ran out of memory";
-	    break;
-	case GLOB_ABORTED:
-	    err = "include files aborted due to read error";
-	    break;
-	case GLOB_NOMATCH:
-	    err = "include files found no matches";
-	    break;
-	default:
-	    err = "unknown include files error";
-	}
-	yyerror(err);
-	return 1;
-    }
-
-    for (i = 0; i < files.gl_pathc; i++)
-    {
-	FILE *f;
-	unsigned int p = __parser_y_private.stack_ptr + 1;
+		const char *err;
 
-	if (p >= MAX_INCLUDE_DEPTH)
-	{
-	    yyerror("max inclusion depth reached");
-	    return 1;
+		switch (ret)
+		{
+		case GLOB_NOSPACE:
+			err = "include files ran out of memory";
+			break;
+		case GLOB_ABORTED:
+			err = "include files aborted due to read error";
+			break;
+		case GLOB_NOMATCH:
+			err = "include files found no matches";
+			break;
+		default:
+			err = "unknown include files error";
+		}
+		yyerror(err);
+		return 1;
 	}
 
-	f = fopen(files.gl_pathv[i], "r");
-	if (!f)
+	for (i = 0; i < files.gl_pathc; i++)
 	{
-	    yyerror("can't open include filename");
-	    continue;
-	}
+		FILE *f;
+		unsigned int p = __parser_y_private.stack_ptr + 1;
 
-	__parser_y_private.stack_ptr++;
-	__parser_y_private.file[p] = f;
-	__parser_y_private.stack[p] = YY_CURRENT_BUFFER;
-	__parser_y_private.line[p] = 1;
-	__parser_y_private.filename[p] = strdup(files.gl_pathv[i]);
+		if (p >= MAX_INCLUDE_DEPTH)
+		{
+			yyerror("max inclusion depth reached");
+			return 1;
+		}
 
-	yy_switch_to_buffer(yy_create_buffer(f,YY_BUF_SIZE));
-    }
-    globfree(&files);
-    return 0;
+		f = fopen(files.gl_pathv[i], "r");
+		if (!f)
+		{
+			yyerror("can't open include filename");
+			continue;
+		}
+
+		__parser_y_private.stack_ptr++;
+		__parser_y_private.file[p] = f;
+		__parser_y_private.stack[p] = YY_CURRENT_BUFFER;
+		__parser_y_private.line[p] = 1;
+		__parser_y_private.filename[p] = strdup(files.gl_pathv[i]);
+
+		yy_switch_to_buffer(yy_create_buffer(f,YY_BUF_SIZE));
+	}
+	globfree(&files);
+	return 0;
 }
 
-#line 616 "lex.yy.c"
+#line 621 "lex.yy.c"
 
 #define INITIAL 0
 
@@ -691,7 +696,12 @@ static int input (void );
 
 /* Amount of stuff to slurp up with each read. */
 #ifndef YY_READ_BUF_SIZE
+#ifdef __ia64__
+/* On IA-64, the buffer size is 16k, not 8k */
+#define YY_READ_BUF_SIZE 16384
+#else
 #define YY_READ_BUF_SIZE 8192
+#endif /* __ia64__ */
 #endif
 
 /* Copy whatever the last rule matched to the standard output. */
@@ -795,10 +805,10 @@ YY_DECL
 	register char *yy_cp, *yy_bp;
 	register int yy_act;
     
-#line 135 "parser.l"
+#line 133 "./parser.l"
 
 
-#line 802 "lex.yy.c"
+#line 812 "lex.yy.c"
 
 	if ( !(yy_init) )
 		{
@@ -883,106 +893,106 @@ do_action:	/* This label is used only to access EOF actions. */
 			goto yy_find_action;
 
 case YY_STATE_EOF(INITIAL):
-#line 137 "parser.l"
+#line 135 "./parser.l"
 {
-	if (__parser_y_private.filename[__parser_y_private.stack_ptr]) {
-		free(__parser_y_private.filename[__parser_y_private.stack_ptr]);
-		__parser_y_private.filename[__parser_y_private.stack_ptr] = NULL;
-	}
-	if (__parser_y_private.file[__parser_y_private.stack_ptr]) {
-		fclose(__parser_y_private.file[__parser_y_private.stack_ptr]);
-		__parser_y_private.file[__parser_y_private.stack_ptr] = NULL;
-		yy_delete_buffer (YY_CURRENT_BUFFER);
-		yy_switch_to_buffer
-			(__parser_y_private.stack[__parser_y_private.stack_ptr]);
-	}
-	if (--__parser_y_private.stack_ptr < 0) {
-		yyterminate();
-	}
+		if (__parser_y_private.filename[__parser_y_private.stack_ptr]) {
+				free(__parser_y_private.filename[__parser_y_private.stack_ptr]);
+				__parser_y_private.filename[__parser_y_private.stack_ptr] = NULL;
+		}
+		if (__parser_y_private.file[__parser_y_private.stack_ptr]) {
+				fclose(__parser_y_private.file[__parser_y_private.stack_ptr]);
+				__parser_y_private.file[__parser_y_private.stack_ptr] = NULL;
+				yy_delete_buffer (YY_CURRENT_BUFFER);
+				yy_switch_to_buffer
+						(__parser_y_private.stack[__parser_y_private.stack_ptr]);
+		}
+		if (--__parser_y_private.stack_ptr < 0) {
+				yyterminate();
+		}
 }
 	YY_BREAK
 case 1:
 YY_RULE_SETUP
-#line 154 "parser.l"
+#line 152 "./parser.l"
 return FIRST_SPACES;
 	YY_BREAK
 case 2:
 YY_RULE_SETUP
-#line 156 "parser.l"
+#line 154 "./parser.l"
 /* ignore spaces in line */ ;
 	YY_BREAK
 case 3:
 YY_RULE_SETUP
-#line 158 "parser.l"
+#line 156 "./parser.l"
 return EQUAL;
 	YY_BREAK
 case 4:
 /* rule 4 can match eol */
 YY_RULE_SETUP
-#line 160 "parser.l"
+#line 158 "./parser.l"
 {
-					__parser_y_private.line[__parser_y_private.stack_ptr]++;
-					return EOL;
-				}
+										__parser_y_private.line[__parser_y_private.stack_ptr]++;
+										return EOL;
+								}
 	YY_BREAK
 case 5:
 YY_RULE_SETUP
-#line 165 "parser.l"
+#line 163 "./parser.l"
 return CONFIG;
 	YY_BREAK
 case 6:
 YY_RULE_SETUP
-#line 166 "parser.l"
+#line 164 "./parser.l"
 return SETUP;
 	YY_BREAK
 case 7:
 YY_RULE_SETUP
-#line 167 "parser.l"
+#line 165 "./parser.l"
 return CONN;
 	YY_BREAK
 case 8:
 YY_RULE_SETUP
-#line 168 "parser.l"
+#line 166 "./parser.l"
 return CA;
 	YY_BREAK
 case 9:
 YY_RULE_SETUP
-#line 169 "parser.l"
+#line 167 "./parser.l"
 return INCLUDE;
 	YY_BREAK
 case 10:
 YY_RULE_SETUP
-#line 170 "parser.l"
+#line 168 "./parser.l"
 return FILE_VERSION;
 	YY_BREAK
 case 11:
 YY_RULE_SETUP
-#line 172 "parser.l"
+#line 170 "./parser.l"
 {
-					yylval.s = strdup(yytext);
-					return STRING;
-				}
+										yylval.s = strdup(yytext);
+										return STRING;
+								}
 	YY_BREAK
 case 12:
 YY_RULE_SETUP
-#line 177 "parser.l"
+#line 175 "./parser.l"
 {
-					yylval.s = strdup(yytext+1);
-					if (yylval.s) yylval.s[strlen(yylval.s)-1]='\0';
-					return STRING;
-				}
+										yylval.s = strdup(yytext+1);
+										if (yylval.s) yylval.s[strlen(yylval.s)-1]='\0';
+										return STRING;
+								}
 	YY_BREAK
 case 13:
 YY_RULE_SETUP
-#line 183 "parser.l"
+#line 181 "./parser.l"
 yyerror(yytext);
 	YY_BREAK
 case 14:
 YY_RULE_SETUP
-#line 185 "parser.l"
+#line 183 "./parser.l"
 ECHO;
 	YY_BREAK
-#line 986 "lex.yy.c"
+#line 996 "lex.yy.c"
 
 	case YY_END_OF_BUFFER:
 		{
@@ -1704,8 +1714,8 @@ YY_BUFFER_STATE yy_scan_string (yyconst char * yystr )
 
 /** Setup the input buffer state to scan the given bytes. The next call to yylex() will
  * scan from a @e copy of @a bytes.
- * @param bytes the byte buffer to scan
- * @param len the number of bytes in the buffer pointed to by @a bytes.
+ * @param yybytes the byte buffer to scan
+ * @param _yybytes_len the number of bytes in the buffer pointed to by @a bytes.
  * 
  * @return the newly allocated buffer state object.
  */
@@ -1944,13 +1954,13 @@ void yyfree (void * ptr )
 
 #define YYTABLES_NAME "yytables"
 
-#line 185 "parser.l"
+#line 183 "./parser.l"
 
 
 
 int yywrap(void)
 {
-    return 1;
+	return 1;
 }
 
 
diff --git a/src/starter/loglite.c b/src/starter/loglite.c
index 94d9b79bb..415cf931c 100644
--- a/src/starter/loglite.c
+++ b/src/starter/loglite.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: loglite.c 3267 2007-10-08 19:57:54Z andreas $
  */
 
 #include <stdio.h>
@@ -23,7 +21,7 @@
 #include <errno.h>
 #include <string.h>
 #include <unistd.h>
-#include <signal.h>	/* used only if MSG_NOSIGNAL not defined */
+#include <signal.h>     /* used only if MSG_NOSIGNAL not defined */
 #include <libgen.h>
 #include <sys/stat.h>
 #include <sys/types.h>
@@ -36,118 +34,118 @@
 #include <whack.h>
 
 bool
-    log_to_stderr = FALSE,	/* should log go to stderr? */
-    log_to_syslog = TRUE;	/* should log go to syslog? */
+	log_to_stderr = FALSE,      /* should log go to stderr? */
+	log_to_syslog = TRUE;       /* should log go to syslog? */
 
 void
 init_log(const char *program)
 {
-    if (log_to_stderr)
-	setbuf(stderr, NULL);
-    if (log_to_syslog)
-	openlog(program, LOG_CONS | LOG_NDELAY | LOG_PID, LOG_AUTHPRIV);
+	if (log_to_stderr)
+		setbuf(stderr, NULL);
+	if (log_to_syslog)
+		openlog(program, LOG_CONS | LOG_NDELAY | LOG_PID, LOG_AUTHPRIV);
 }
 
 void
 close_log(void)
 {
-    if (log_to_syslog)
-	closelog();
+	if (log_to_syslog)
+		closelog();
 }
 
 void
 plog(const char *message, ...)
 {
-    va_list args;
-    char m[LOG_WIDTH];	/* longer messages will be truncated */
+	va_list args;
+	char m[LOG_WIDTH];  /* longer messages will be truncated */
 
-    va_start(args, message);
-    vsnprintf(m, sizeof(m), message, args);
-    va_end(args);
+	va_start(args, message);
+	vsnprintf(m, sizeof(m), message, args);
+	va_end(args);
 
-    if (log_to_stderr)
-	fprintf(stderr, "%s\n", m);
-    if (log_to_syslog)
-	syslog(LOG_WARNING, "%s", m);
+	if (log_to_stderr)
+		fprintf(stderr, "%s\n", m);
+	if (log_to_syslog)
+		syslog(LOG_WARNING, "%s", m);
 }
 
 void
 loglog(int mess_no, const char *message, ...)
 {
-    va_list args;
-    char m[LOG_WIDTH];	/* longer messages will be truncated */
+	va_list args;
+	char m[LOG_WIDTH];  /* longer messages will be truncated */
 
-    va_start(args, message);
-    vsnprintf(m, sizeof(m), message, args);
-    va_end(args);
+	va_start(args, message);
+	vsnprintf(m, sizeof(m), message, args);
+	va_end(args);
 
-    if (log_to_stderr)
-	fprintf(stderr, "%s\n", m);
-    if (log_to_syslog)
-	syslog(LOG_WARNING, "%s", m);
+	if (log_to_stderr)
+		fprintf(stderr, "%s\n", m);
+	if (log_to_syslog)
+		syslog(LOG_WARNING, "%s", m);
 }
 
 void
 log_errno_routine(int e, const char *message, ...)
 {
-    va_list args;
-    char m[LOG_WIDTH];	/* longer messages will be truncated */
+	va_list args;
+	char m[LOG_WIDTH];  /* longer messages will be truncated */
 
-    va_start(args, message);
-    vsnprintf(m, sizeof(m), message, args);
-    va_end(args);
+	va_start(args, message);
+	vsnprintf(m, sizeof(m), message, args);
+	va_end(args);
 
-    if (log_to_stderr)
-	fprintf(stderr, "ERROR: %s. Errno %d: %s\n", m, e, strerror(e));
-    if (log_to_syslog)
-	syslog(LOG_ERR, "ERROR: %s. Errno %d: %s", m, e, strerror(e));
+	if (log_to_stderr)
+		fprintf(stderr, "ERROR: %s. Errno %d: %s\n", m, e, strerror(e));
+	if (log_to_syslog)
+		syslog(LOG_ERR, "ERROR: %s. Errno %d: %s", m, e, strerror(e));
 }
 
 void
 exit_log(const char *message, ...)
 {
-    va_list args;
-    char m[LOG_WIDTH];	/* longer messages will be truncated */
-
-    va_start(args, message);
-    vsnprintf(m, sizeof(m), message, args);
-    va_end(args);
-
-    if (log_to_stderr)
-	fprintf(stderr, "FATAL ERROR: %s\n", m);
-    if (log_to_syslog)
-	syslog(LOG_ERR, "FATAL ERROR: %s", m);
-    exit(1);
+	va_list args;
+	char m[LOG_WIDTH];  /* longer messages will be truncated */
+
+	va_start(args, message);
+	vsnprintf(m, sizeof(m), message, args);
+	va_end(args);
+
+	if (log_to_stderr)
+		fprintf(stderr, "FATAL ERROR: %s\n", m);
+	if (log_to_syslog)
+		syslog(LOG_ERR, "FATAL ERROR: %s", m);
+	exit(1);
 }
 
 void
 exit_log_errno_routine(int e, const char *message, ...)
 {
-    va_list args;
-    char m[LOG_WIDTH];	/* longer messages will be truncated */
-
-    va_start(args, message);
-    vsnprintf(m, sizeof(m), message, args);
-    va_end(args);
-
-    if (log_to_stderr)
-	fprintf(stderr, "FATAL ERROR: %s. Errno %d: %s\n", m, e, strerror(e));
-    if (log_to_syslog)
-	syslog(LOG_ERR, "FATAL ERROR: %s. Errno %d: %s", m, e, strerror(e));
-    exit(1);
+	va_list args;
+	char m[LOG_WIDTH];  /* longer messages will be truncated */
+
+	va_start(args, message);
+	vsnprintf(m, sizeof(m), message, args);
+	va_end(args);
+
+	if (log_to_stderr)
+		fprintf(stderr, "FATAL ERROR: %s. Errno %d: %s\n", m, e, strerror(e));
+	if (log_to_syslog)
+		syslog(LOG_ERR, "FATAL ERROR: %s. Errno %d: %s", m, e, strerror(e));
+	exit(1);
 }
 
 void
 whack_log(int mess_no, const char *message, ...)
 {
-    va_list args;
-    char m[LOG_WIDTH];	/* longer messages will be truncated */
+	va_list args;
+	char m[LOG_WIDTH];  /* longer messages will be truncated */
 
-    va_start(args, message);
-    vsnprintf(m, sizeof(m), message, args);
-    va_end(args);
+	va_start(args, message);
+	vsnprintf(m, sizeof(m), message, args);
+	va_end(args);
 
-    fprintf(stderr, "%s\n", m);
+	fprintf(stderr, "%s\n", m);
 }
 
 /* Build up a diagnostic in a static buffer.
@@ -165,16 +163,16 @@ char diag_space[sizeof(diag_space)];
 err_t
 builddiag(const char *fmt, ...)
 {
-    static char diag_space[LOG_WIDTH];	/* longer messages will be truncated */
-    char t[sizeof(diag_space)];	/* build result here first */
-    va_list args;
-
-    va_start(args, fmt);
-    t[0] = '\0';	/* in case nothing terminates string */
-    vsnprintf(t, sizeof(t), fmt, args);
-    va_end(args);
-    strcpy(diag_space, t);
-    return diag_space;
+	static char diag_space[LOG_WIDTH];  /* longer messages will be truncated */
+	char t[sizeof(diag_space)]; /* build result here first */
+	va_list args;
+
+	va_start(args, fmt);
+	t[0] = '\0';        /* in case nothing terminates string */
+	vsnprintf(t, sizeof(t), fmt, args);
+	va_end(args);
+	strcpy(diag_space, t);
+	return diag_space;
 }
 
 /* Debugging message support */
@@ -184,29 +182,29 @@ builddiag(const char *fmt, ...)
 void
 switch_fail(int n, const char *file_str, unsigned long line_no)
 {
-    char buf[30];
+	char buf[30];
 
-    snprintf(buf, sizeof(buf), "case %d unexpected", n);
-    passert_fail(buf, file_str, line_no);
+	snprintf(buf, sizeof(buf), "case %d unexpected", n);
+	passert_fail(buf, file_str, line_no);
 }
 
 void
 passert_fail(const char *pred_str, const char *file_str, unsigned long line_no)
 {
-    /* we will get a possibly unplanned prefix.  Hope it works */
-    loglog(RC_LOG_SERIOUS, "ASSERTION FAILED at %s:%lu: %s", file_str, line_no, pred_str);
-    abort();	/* exiting correctly doesn't always work */
+	/* we will get a possibly unplanned prefix.  Hope it works */
+	loglog(RC_LOG_SERIOUS, "ASSERTION FAILED at %s:%lu: %s", file_str, line_no, pred_str);
+	abort();    /* exiting correctly doesn't always work */
 }
 
 lset_t
-    base_debugging = DBG_NONE,	/* default to reporting nothing */
-    cur_debugging =  DBG_NONE;
+	base_debugging = DBG_NONE,  /* default to reporting nothing */
+	cur_debugging =  DBG_NONE;
 
 void
 pexpect_log(const char *pred_str, const char *file_str, unsigned long line_no)
 {
-    /* we will get a possibly unplanned prefix.  Hope it works */
-    loglog(RC_LOG_SERIOUS, "EXPECTATION FAILED at %s:%lu: %s", file_str, line_no, pred_str);
+	/* we will get a possibly unplanned prefix.  Hope it works */
+	loglog(RC_LOG_SERIOUS, "EXPECTATION FAILED at %s:%lu: %s", file_str, line_no, pred_str);
 }
 
 /* log a debugging message (prefixed by "| ") */
@@ -214,17 +212,17 @@ pexpect_log(const char *pred_str, const char *file_str, unsigned long line_no)
 void
 DBG_log(const char *message, ...)
 {
-    va_list args;
-    char m[LOG_WIDTH];	/* longer messages will be truncated */
+	va_list args;
+	char m[LOG_WIDTH];  /* longer messages will be truncated */
 
-    va_start(args, message);
-    vsnprintf(m, sizeof(m), message, args);
-    va_end(args);
+	va_start(args, message);
+	vsnprintf(m, sizeof(m), message, args);
+	va_end(args);
 
-    if (log_to_stderr)
-	fprintf(stderr, "| %s\n", m);
-    if (log_to_syslog)
-	syslog(LOG_DEBUG, "| %s", m);
+	if (log_to_stderr)
+		fprintf(stderr, "| %s\n", m);
+	if (log_to_syslog)
+		syslog(LOG_DEBUG, "| %s", m);
 }
 
 /* dump raw bytes in hex to stderr (for lack of any better destination) */
@@ -232,62 +230,62 @@ DBG_log(const char *message, ...)
 void
 DBG_dump(const char *label, const void *p, size_t len)
 {
-#   define DUMP_LABEL_WIDTH 20	/* arbitrary modest boundary */
-#   define DUMP_WIDTH	(4 * (1 + 4 * 3) + 1)
-    char buf[DUMP_LABEL_WIDTH + DUMP_WIDTH];
-    char *bp;
-    const unsigned char *cp = p;
+#   define DUMP_LABEL_WIDTH 20  /* arbitrary modest boundary */
+#   define DUMP_WIDTH   (4 * (1 + 4 * 3) + 1)
+	char buf[DUMP_LABEL_WIDTH + DUMP_WIDTH];
+	char *bp;
+	const unsigned char *cp = p;
 
-    bp = buf;
-
-    if (label != NULL && label[0] != '\0')
-    {
-	/* Handle the label.  Care must be taken to avoid buffer overrun. */
-	size_t llen = strlen(label);
+	bp = buf;
 
-	if (llen + 1 > sizeof(buf))
+	if (label != NULL && label[0] != '\0')
 	{
-	    DBG_log("%s", label);
+		/* Handle the label.  Care must be taken to avoid buffer overrun. */
+		size_t llen = strlen(label);
+
+		if (llen + 1 > sizeof(buf))
+		{
+			DBG_log("%s", label);
+		}
+		else
+		{
+			strcpy(buf, label);
+			if (buf[llen-1] == '\n')
+			{
+				buf[llen-1] = '\0';     /* get rid of newline */
+				DBG_log("%s", buf);
+			}
+			else if (llen < DUMP_LABEL_WIDTH)
+			{
+				bp = buf + llen;
+			}
+			else
+			{
+				DBG_log("%s", buf);
+			}
+		}
 	}
-	else
-	{
-	    strcpy(buf, label);
-	    if (buf[llen-1] == '\n')
-	    {
-		buf[llen-1] = '\0';	/* get rid of newline */
-		DBG_log("%s", buf);
-	    }
-	    else if (llen < DUMP_LABEL_WIDTH)
-	    {
-		bp = buf + llen;
-	    }
-	    else
-	    {
-		DBG_log("%s", buf);
-	    }
-	}
-    }
 
-    do {
-	int i, j;
-
-	for (i = 0; len!=0 && i!=4; i++)
-	{
-	    *bp++ = ' ';
-	    for (j = 0; len!=0 && j!=4; len--, j++)
-	    {
-		static const char hexdig[] = "0123456789abcdef";
-
-		*bp++ = ' ';
-		*bp++ = hexdig[(*cp >> 4) & 0xF];
-		*bp++ = hexdig[*cp & 0xF];
-		cp++;
-	    }
-	}
-	*bp = '\0';
-	DBG_log("%s", buf);
-	bp = buf;
-    } while (len != 0);
+	do {
+		int i, j;
+
+		for (i = 0; len!=0 && i!=4; i++)
+		{
+			*bp++ = ' ';
+			for (j = 0; len!=0 && j!=4; len--, j++)
+			{
+				static const char hexdig[] = "0123456789abcdef";
+
+				*bp++ = ' ';
+				*bp++ = hexdig[(*cp >> 4) & 0xF];
+				*bp++ = hexdig[*cp & 0xF];
+				cp++;
+			}
+		}
+		*bp = '\0';
+		DBG_log("%s", buf);
+		bp = buf;
+	} while (len != 0);
 #   undef DUMP_LABEL_WIDTH
 #   undef DUMP_WIDTH
 }
diff --git a/src/starter/netkey.c b/src/starter/netkey.c
index 1490abf29..e0449f0b2 100644
--- a/src/starter/netkey.c
+++ b/src/starter/netkey.c
@@ -10,8 +10,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: netkey.c 4632 2008-11-11 18:37:19Z martin $
  */
 
 #include <sys/types.h>
@@ -29,57 +27,57 @@
 bool
 starter_netkey_init(void)
 {
-    struct stat stb;
+	struct stat stb;
 
-    if (stat(PROC_NETKEY, &stb) != 0)
-    {
-	/* af_key module makes the netkey proc interface visible */
-	if (stat(PROC_MODULES, &stb) == 0)
+	if (stat(PROC_NETKEY, &stb) != 0)
 	{
-	    ignore_result(system("modprobe -qv af_key"));
+		/* af_key module makes the netkey proc interface visible */
+		if (stat(PROC_MODULES, &stb) == 0)
+		{
+			ignore_result(system("modprobe -qv af_key"));
+		}
+
+		/* now test again */
+		if (stat(PROC_NETKEY, &stb) != 0)
+		{
+			DBG(DBG_CONTROL,
+				DBG_log("kernel appears to lack the native netkey IPsec stack")
+			)
+			return FALSE;
+		}
 	}
 
-	/* now test again */
-	if (stat(PROC_NETKEY, &stb) != 0)
+	/* make sure that all required IPsec modules are loaded */
+	if (stat(PROC_MODULES, &stb) == 0)
 	{
-	    DBG(DBG_CONTROL,
-		DBG_log("kernel appears to lack the native netkey IPsec stack")
-	    )
-	    return FALSE;
+		ignore_result(system("modprobe -qv ah4"));
+		ignore_result(system("modprobe -qv esp4"));
+		ignore_result(system("modprobe -qv ipcomp"));
+		ignore_result(system("modprobe -qv xfrm4_tunnel"));
+		ignore_result(system("modprobe -qv xfrm_user"));
 	}
-    }
-
-    /* make sure that all required IPsec modules are loaded */
-    if (stat(PROC_MODULES, &stb) == 0)
-    {
-	ignore_result(system("modprobe -qv ah4"));
-	ignore_result(system("modprobe -qv esp4"));
-	ignore_result(system("modprobe -qv ipcomp"));
-	ignore_result(system("modprobe -qv xfrm4_tunnel"));
-	ignore_result(system("modprobe -qv xfrm_user"));
-    }
 
-    DBG(DBG_CONTROL,
-	DBG_log("Found netkey IPsec stack")
-    )
-    return TRUE;
+	DBG(DBG_CONTROL,
+		DBG_log("Found netkey IPsec stack")
+	)
+	return TRUE;
 }
 
 void
 starter_netkey_cleanup(void)
 {
-    if (system("ip xfrm state > /dev/null 2>&1") == 0)
-    {
-	ignore_result(system("ip xfrm state flush"));
-	ignore_result(system("ip xfrm policy flush"));
-    }
-    else if (system("type setkey > /dev/null 2>&1") == 0)
-    {
-	ignore_result(system("setkey -F"));
-	ignore_result(system("setkey -FP"));
-    }
-    else
-    {
-        plog("WARNING: cannot flush IPsec state/policy database");
-    }
+	if (system("ip xfrm state > /dev/null 2>&1") == 0)
+	{
+		ignore_result(system("ip xfrm state flush"));
+		ignore_result(system("ip xfrm policy flush"));
+	}
+	else if (system("type setkey > /dev/null 2>&1") == 0)
+	{
+		ignore_result(system("setkey -F"));
+		ignore_result(system("setkey -FP"));
+	}
+	else
+	{
+		plog("WARNING: cannot flush IPsec state/policy database");
+	}
 }
diff --git a/src/starter/netkey.h b/src/starter/netkey.h
index dc9cacbf8..55f6a7c47 100644
--- a/src/starter/netkey.h
+++ b/src/starter/netkey.h
@@ -10,8 +10,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: netkey.h 3267 2007-10-08 19:57:54Z andreas $
  */
 
 #ifndef _STARTER_NETKEY_H_
diff --git a/src/starter/parser.h b/src/starter/parser.h
index 3af20b60e..1c6cf20ef 100644
--- a/src/starter/parser.h
+++ b/src/starter/parser.h
@@ -10,8 +10,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: parser.h 3267 2007-10-08 19:57:54Z andreas $
  */
 
 #ifndef _IPSEC_PARSER_H_
@@ -22,32 +20,32 @@
 typedef struct kw_entry kw_entry_t;
 
 struct kw_entry {
-    char *name;
-    kw_token_t token;
+	char *name;
+	kw_token_t token;
 };
 
 typedef struct kw_list kw_list_t;
 
 struct kw_list {
-	kw_entry_t *entry;
-	char *value;
-	kw_list_t *next;
+		kw_entry_t *entry;
+		char *value;
+		kw_list_t *next;
 };
 
 typedef struct section_list section_list_t;
 
 struct section_list {
-	char *name;
-	kw_list_t *kw;
-	section_list_t *next;
+		char *name;
+		kw_list_t *kw;
+		section_list_t *next;
 };
 
 typedef struct config_parsed config_parsed_t;
 
 struct config_parsed {
-	kw_list_t *config_setup;
-	section_list_t *conn_first, *conn_last;
-	section_list_t *ca_first, *ca_last;
+		kw_list_t *config_setup;
+		section_list_t *conn_first, *conn_last;
+		section_list_t *ca_first, *ca_last;
 };
 
 config_parsed_t *parser_load_conf (const char *file);
diff --git a/src/starter/parser.l b/src/starter/parser.l
index e51d655df..5857c0815 100644
--- a/src/starter/parser.l
+++ b/src/starter/parser.l
@@ -1,3 +1,5 @@
+%option noinput
+%option nounput
 %{
 /* FreeS/WAN config file parser (parser.l)
  * Copyright (C) 2001 Mathieu Lafon - Arkoon Network Security
@@ -11,8 +13,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: parser.l 4632 2008-11-11 18:37:19Z martin $
  */
 
 #include <string.h>
@@ -23,8 +23,6 @@
 
 #define MAX_INCLUDE_DEPTH  20
 
-#define YY_NO_INPUT
-#define YY_NO_UNPUT
 extern void yyerror(const char *);
 extern int yylex (void);
 
@@ -43,149 +41,149 @@ int _parser_y_include (const char *filename);
 
 void _parser_y_error(char *b, int size, const char *s)
 {
-    extern char *yytext; // was: char yytext[];
+	extern char *yytext; // was: char yytext[];
 
-    snprintf(b, size, "%s:%d: %s [%s]",
-	    __parser_y_private.filename[__parser_y_private.stack_ptr],
-	    __parser_y_private.line[__parser_y_private.stack_ptr],
-	    s, yytext);
+	snprintf(b, size, "%s:%d: %s [%s]",
+			__parser_y_private.filename[__parser_y_private.stack_ptr],
+			__parser_y_private.line[__parser_y_private.stack_ptr],
+			s, yytext);
 }
 
 void _parser_y_init (const char *f)
 {
-    memset(&__parser_y_private, 0, sizeof(__parser_y_private));
-    __parser_y_private.line[0] = 1;
-    __parser_y_private.filename[0] = strdup(f);
+	memset(&__parser_y_private, 0, sizeof(__parser_y_private));
+	__parser_y_private.line[0] = 1;
+	__parser_y_private.filename[0] = strdup(f);
 }
 
 void _parser_y_fini (void)
 {
-    unsigned int i;
-
-    for (i = 0; i < MAX_INCLUDE_DEPTH; i++)
-    {
-	if (__parser_y_private.filename[i])
-	    free(__parser_y_private.filename[i]);
-	if (__parser_y_private.file[i])
-	    fclose(__parser_y_private.file[i]);
-    }
-    memset(&__parser_y_private, 0, sizeof(__parser_y_private));
-}
-
-int _parser_y_include (const char *filename)
-{
-    glob_t files;
-    int i, ret;
-
-    ret = glob(filename, GLOB_ERR, NULL, &files);
-    if (ret)
-    {
-	const char *err;
+	unsigned int i;
 
-	switch (ret)
+	for (i = 0; i < MAX_INCLUDE_DEPTH; i++)
 	{
-	case GLOB_NOSPACE:
-	    err = "include files ran out of memory";
-	    break;
-	case GLOB_ABORTED:
-	    err = "include files aborted due to read error";
-	    break;
-	case GLOB_NOMATCH:
-	    err = "include files found no matches";
-	    break;
-	default:
-	    err = "unknown include files error";
+		if (__parser_y_private.filename[i])
+			free(__parser_y_private.filename[i]);
+		if (__parser_y_private.file[i])
+			fclose(__parser_y_private.file[i]);
 	}
-	yyerror(err);
-	return 1;
-    }
+	memset(&__parser_y_private, 0, sizeof(__parser_y_private));
+}
 
-    for (i = 0; i < files.gl_pathc; i++)
-    {
-	FILE *f;
-	unsigned int p = __parser_y_private.stack_ptr + 1;
+int _parser_y_include (const char *filename)
+{
+	glob_t files;
+	int i, ret;
 
-	if (p >= MAX_INCLUDE_DEPTH)
+	ret = glob(filename, GLOB_ERR, NULL, &files);
+	if (ret)
 	{
-	    yyerror("max inclusion depth reached");
-	    return 1;
+		const char *err;
+
+		switch (ret)
+		{
+		case GLOB_NOSPACE:
+			err = "include files ran out of memory";
+			break;
+		case GLOB_ABORTED:
+			err = "include files aborted due to read error";
+			break;
+		case GLOB_NOMATCH:
+			err = "include files found no matches";
+			break;
+		default:
+			err = "unknown include files error";
+		}
+		yyerror(err);
+		return 1;
 	}
 
-	f = fopen(files.gl_pathv[i], "r");
-	if (!f)
+	for (i = 0; i < files.gl_pathc; i++)
 	{
-	    yyerror("can't open include filename");
-	    continue;
+		FILE *f;
+		unsigned int p = __parser_y_private.stack_ptr + 1;
+
+		if (p >= MAX_INCLUDE_DEPTH)
+		{
+			yyerror("max inclusion depth reached");
+			return 1;
+		}
+
+		f = fopen(files.gl_pathv[i], "r");
+		if (!f)
+		{
+			yyerror("can't open include filename");
+			continue;
+		}
+
+		__parser_y_private.stack_ptr++;
+		__parser_y_private.file[p] = f;
+		__parser_y_private.stack[p] = YY_CURRENT_BUFFER;
+		__parser_y_private.line[p] = 1;
+		__parser_y_private.filename[p] = strdup(files.gl_pathv[i]);
+
+		yy_switch_to_buffer(yy_create_buffer(f, YY_BUF_SIZE));
 	}
-
-	__parser_y_private.stack_ptr++;
-	__parser_y_private.file[p] = f;
-	__parser_y_private.stack[p] = YY_CURRENT_BUFFER;
-	__parser_y_private.line[p] = 1;
-	__parser_y_private.filename[p] = strdup(files.gl_pathv[i]);
-
-	yy_switch_to_buffer(yy_create_buffer(f, YY_BUF_SIZE));
-    }
-    globfree(&files);
-    return 0;
+	globfree(&files);
+	return 0;
 }
 
 %}
 
 %%
 
-<<EOF>>	{
-	if (__parser_y_private.filename[__parser_y_private.stack_ptr]) {
-		free(__parser_y_private.filename[__parser_y_private.stack_ptr]);
-		__parser_y_private.filename[__parser_y_private.stack_ptr] = NULL;
-	}
-	if (__parser_y_private.file[__parser_y_private.stack_ptr]) {
-		fclose(__parser_y_private.file[__parser_y_private.stack_ptr]);
-		__parser_y_private.file[__parser_y_private.stack_ptr] = NULL;
-		yy_delete_buffer (YY_CURRENT_BUFFER);
-		yy_switch_to_buffer
-			(__parser_y_private.stack[__parser_y_private.stack_ptr]);
-	}
-	if (--__parser_y_private.stack_ptr < 0) {
-		yyterminate();
-	}
+<<EOF>> {
+		if (__parser_y_private.filename[__parser_y_private.stack_ptr]) {
+				free(__parser_y_private.filename[__parser_y_private.stack_ptr]);
+				__parser_y_private.filename[__parser_y_private.stack_ptr] = NULL;
+		}
+		if (__parser_y_private.file[__parser_y_private.stack_ptr]) {
+				fclose(__parser_y_private.file[__parser_y_private.stack_ptr]);
+				__parser_y_private.file[__parser_y_private.stack_ptr] = NULL;
+				yy_delete_buffer (YY_CURRENT_BUFFER);
+				yy_switch_to_buffer
+						(__parser_y_private.stack[__parser_y_private.stack_ptr]);
+		}
+		if (--__parser_y_private.stack_ptr < 0) {
+				yyterminate();
+		}
 }
 
-^[\t ]+			return FIRST_SPACES;
+^[\t ]+                 return FIRST_SPACES;
 
-[\t ]+			/* ignore spaces in line */ ;
+[\t ]+                  /* ignore spaces in line */ ;
 
-=				return EQUAL;
+=                               return EQUAL;
 
-\n|#.*\n		{
-					__parser_y_private.line[__parser_y_private.stack_ptr]++;
-					return EOL;
-				}
+\n|#.*\n                {
+										__parser_y_private.line[__parser_y_private.stack_ptr]++;
+										return EOL;
+								}
 
-config			return CONFIG;
-setup			return SETUP;
-conn			return CONN;
-ca			return CA;
-include			return INCLUDE;
-version			return FILE_VERSION;
+config                  return CONFIG;
+setup                   return SETUP;
+conn                    return CONN;
+ca                      return CA;
+include                 return INCLUDE;
+version                 return FILE_VERSION;
 
-[^\"= \t\n]+	{
-					yylval.s = strdup(yytext);
-					return STRING;
-				}
+[^\"= \t\n]+    {
+										yylval.s = strdup(yytext);
+										return STRING;
+								}
 
-\"[^\"\n]*\"	{
-					yylval.s = strdup(yytext+1);
-					if (yylval.s) yylval.s[strlen(yylval.s)-1]='\0';
-					return STRING;
-				}
+\"[^\"\n]*\"    {
+										yylval.s = strdup(yytext+1);
+										if (yylval.s) yylval.s[strlen(yylval.s)-1]='\0';
+										return STRING;
+								}
 
-.				yyerror(yytext);
+.                               yyerror(yytext);
 
 %%
 
 int yywrap(void)
 {
-    return 1;
+	return 1;
 }
 
diff --git a/src/starter/parser.y b/src/starter/parser.y
index 14148d965..4533228c2 100644
--- a/src/starter/parser.y
+++ b/src/starter/parser.y
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: parser.y 3267 2007-10-08 19:57:54Z andreas $
  */
 
 #include <stdio.h>
@@ -27,7 +25,7 @@
 #include "parser.h"
 
 #define YYERROR_VERBOSE
-#define ERRSTRING_LEN	256
+#define ERRSTRING_LEN   256
 
 /**
  * Bison
@@ -64,220 +62,215 @@ extern kw_entry_t *in_word_set (char *str, unsigned int len);
  */
 
 config_file:
-    config_file section_or_include
-    | /* NULL */		
-    ;
+	config_file section_or_include
+	| /* NULL */                
+	;
 
 section_or_include:
-    FILE_VERSION STRING EOL
-    {
-	free($2);
-    }
-    | CONFIG SETUP EOL
-    {
-	_parser_kw = &(_parser_cfg->config_setup);
-	_parser_kw_last = NULL;
-    } kw_section
-    | CONN STRING EOL
-    {
-	section_list_t *section = (section_list_t *)alloc_thing(section_list_t
-							     , "section_list_t");
-	
-	section->name = clone_str($2, "conn section name");
-	section->kw = NULL;
-	section->next = NULL;
-	_parser_kw = &(section->kw);
-	if (!_parser_cfg->conn_first)
-	    _parser_cfg->conn_first = section;
-	if (_parser_cfg->conn_last)
-	    _parser_cfg->conn_last->next = section;
-	_parser_cfg->conn_last = section;
-	_parser_kw_last = NULL;
-	free($2);
-    } kw_section
-    | CA STRING EOL
-    {
-	section_list_t *section = (section_list_t *)alloc_thing(section_list_t
-							     , "section_list_t");
-	section->name = clone_str($2, "ca section name");
-	section->kw = NULL;
-	section->next = NULL;
-	_parser_kw = &(section->kw);
-	if (!_parser_cfg->ca_first)
-	    _parser_cfg->ca_first = section;
-	if (_parser_cfg->ca_last)
-	    _parser_cfg->ca_last->next = section;
-	_parser_cfg->ca_last = section;
-	_parser_kw_last = NULL;
-	free($2);
-    } kw_section
-    | INCLUDE STRING
-    {
-	extern void _parser_y_include (const char *f);
-	_parser_y_include($2);
-	free($2);
-    } EOL
-    | EOL
-    ;
+	FILE_VERSION STRING EOL
+	{
+		free($2);
+	}
+	| CONFIG SETUP EOL
+	{
+		_parser_kw = &(_parser_cfg->config_setup);
+		_parser_kw_last = NULL;
+	} kw_section
+	| CONN STRING EOL
+	{
+		section_list_t *section = malloc_thing(section_list_t);
+		
+		section->name = clone_str($2);
+		section->kw = NULL;
+		section->next = NULL;
+		_parser_kw = &(section->kw);
+		if (!_parser_cfg->conn_first)
+			_parser_cfg->conn_first = section;
+		if (_parser_cfg->conn_last)
+			_parser_cfg->conn_last->next = section;
+		_parser_cfg->conn_last = section;
+		_parser_kw_last = NULL;
+		free($2);
+	} kw_section
+	| CA STRING EOL
+	{
+		section_list_t *section = malloc_thing(section_list_t);
+		section->name = clone_str($2);
+		section->kw = NULL;
+		section->next = NULL;
+		_parser_kw = &(section->kw);
+		if (!_parser_cfg->ca_first)
+			_parser_cfg->ca_first = section;
+		if (_parser_cfg->ca_last)
+			_parser_cfg->ca_last->next = section;
+		_parser_cfg->ca_last = section;
+		_parser_kw_last = NULL;
+		free($2);
+	} kw_section
+	| INCLUDE STRING
+	{
+		extern void _parser_y_include (const char *f);
+		_parser_y_include($2);
+		free($2);
+	} EOL
+	| EOL
+	;
 
 kw_section:
-    FIRST_SPACES statement_kw EOL kw_section
-    |
-    ;
+	FIRST_SPACES statement_kw EOL kw_section
+	|
+	;
 
 statement_kw:
-    STRING EQUAL STRING
-    {
-	kw_list_t  *new;
-	kw_entry_t *entry = in_word_set($1, strlen($1));
-
-	if (entry == NULL)
-	{
-	    snprintf(errbuf, ERRSTRING_LEN, "unknown keyword '%s'", $1);
-	    yyerror(errbuf);
-	}
-	else if (_parser_kw)
+	STRING EQUAL STRING
 	{
-	    new = (kw_list_t *)alloc_thing(kw_list_t, "kw_list_t");
-	    new->entry = entry;
-	    new->value = clone_str($3, "kw_list value");
-	    new->next = NULL;
-	    if (_parser_kw_last)
-		_parser_kw_last->next = new;
-	    _parser_kw_last = new;
-	    if (!*_parser_kw)
-		*_parser_kw = new;
+		kw_list_t  *new;
+		kw_entry_t *entry = in_word_set($1, strlen($1));
+
+		if (entry == NULL)
+		{
+			snprintf(errbuf, ERRSTRING_LEN, "unknown keyword '%s'", $1);
+			yyerror(errbuf);
+		}
+		else if (_parser_kw)
+		{
+			new = (kw_list_t *)malloc_thing(kw_list_t);
+			new->entry = entry;
+			new->value = clone_str($3);
+			new->next = NULL;
+			if (_parser_kw_last)
+				_parser_kw_last->next = new;
+			_parser_kw_last = new;
+			if (!*_parser_kw)
+				*_parser_kw = new;
+		}
+		free($1);
+		free($3);
 	}
-	free($1);
-	free($3);
-    }
-    | STRING EQUAL
-      {
-	free($1);
-      }
-    |
-    ;
+	| STRING EQUAL
+	  {
+		free($1);
+	  }
+	|
+	;
 
 %%
 
 void
 yyerror(const char *s)
 {
-    if (_save_errors_)
-	_parser_y_error(parser_errstring, ERRSTRING_LEN, s);
+	if (_save_errors_)
+		_parser_y_error(parser_errstring, ERRSTRING_LEN, s);
 }
 
 config_parsed_t *
 parser_load_conf(const char *file)
 {
-    config_parsed_t *cfg = NULL;
-    int err = 0;
-    FILE *f;
+	config_parsed_t *cfg = NULL;
+	int err = 0;
+	FILE *f;
 
-    extern void _parser_y_init (const char *f);
-    extern FILE *yyin;
+	extern void _parser_y_init (const char *f);
+	extern FILE *yyin;
 
-    memset(parser_errstring, 0, ERRSTRING_LEN+1);
+	memset(parser_errstring, 0, ERRSTRING_LEN+1);
 
-    cfg = (config_parsed_t *)alloc_thing(config_parsed_t, "config_parsed_t");
-    if (cfg)
-    {
-	memset(cfg, 0, sizeof(config_parsed_t));
-	f = fopen(file, "r");
-	if (f)
+	cfg = (config_parsed_t *)malloc_thing(config_parsed_t);
+	if (cfg)
 	{
-	    yyin = f;
-	    _parser_y_init(file);
-	    _save_errors_ = 1;
-	    _parser_cfg = cfg;
+		memset(cfg, 0, sizeof(config_parsed_t));
+		f = fopen(file, "r");
+		if (f)
+		{
+			yyin = f;
+			_parser_y_init(file);
+			_save_errors_ = 1;
+			_parser_cfg = cfg;
+
+			if (yyparse() !=0 )
+			{
+				if (parser_errstring[0] == '\0')
+				{
+					snprintf(parser_errstring, ERRSTRING_LEN, "Unknown error...");
+				}
+				_save_errors_ = 0;
+				while (yyparse() != 0);
+				err++;
+			}
+			else if (parser_errstring[0] != '\0')
+			{
+				err++;
+			}
+			else
+			{
+				/**
+				 * Config valid
+				 */
+			}
 
-	    if (yyparse() !=0 )
-	    {
-		if (parser_errstring[0] == '\0')
+			fclose(f);
+		}
+		else
 		{
-		    snprintf(parser_errstring, ERRSTRING_LEN, "Unknown error...");
+			snprintf(parser_errstring, ERRSTRING_LEN, "can't load file '%s'", file);
+			err++;
 		}
-		_save_errors_ = 0;
-		while (yyparse() != 0);
-		err++;
-	    }
-	    else if (parser_errstring[0] != '\0')
-	    {
-		err++;
-	    }
-	    else
-	    {
-		/**
-		 * Config valid
-		 */
-	    }
-
-	    fclose(f);
 	}
 	else
 	{
-	    snprintf(parser_errstring, ERRSTRING_LEN, "can't load file '%s'", file);
-	    err++;
+		snprintf(parser_errstring, ERRSTRING_LEN, "can't allocate memory");
+		err++;
 	}
-    }
-    else
-    {
-	snprintf(parser_errstring, ERRSTRING_LEN, "can't allocate memory");
-	err++;
-    }
 
-    if (err)
-    {
-	plog("%s", parser_errstring);
+	if (err)
+	{
+		plog("%s", parser_errstring);
 
-	if (cfg)
-	    parser_free_conf(cfg);
-	cfg = NULL;
-    }
+		if (cfg)
+			parser_free_conf(cfg);
+		cfg = NULL;
+	}
 
-    return cfg;
+	return cfg;
 }
 
 static void
 parser_free_kwlist(kw_list_t *list)
 {
-    kw_list_t *elt;
+	kw_list_t *elt;
 
-    while (list)
-    {
-	elt = list;
-	list = list->next;
-	if (elt->value)
-	    pfree(elt->value);
-	pfree(elt);
-    }
+	while (list)
+	{
+		elt = list;
+		list = list->next;
+		free(elt->value);
+		free(elt);
+	}
 }
 
 void
 parser_free_conf(config_parsed_t *cfg)
 {
-    section_list_t *sec;
-    if (cfg)
-    {
-	parser_free_kwlist(cfg->config_setup);
-	while (cfg->conn_first)
-	{
-	    sec = cfg->conn_first;
-	    cfg->conn_first = cfg->conn_first->next;
-	    if (sec->name)
-		pfree(sec->name);
-	    parser_free_kwlist(sec->kw);
-	    pfree(sec);
-	}
-	while (cfg->ca_first)
+	section_list_t *sec;
+	if (cfg)
 	{
-	    sec = cfg->ca_first;
-	    cfg->ca_first = cfg->ca_first->next;
-	    if (sec->name)
-		pfree(sec->name);
-	    parser_free_kwlist(sec->kw);
-	    pfree(sec);
+		parser_free_kwlist(cfg->config_setup);
+		while (cfg->conn_first)
+		{
+			sec = cfg->conn_first;
+			cfg->conn_first = cfg->conn_first->next;
+			free(sec->name);
+			parser_free_kwlist(sec->kw);
+			free(sec);
+		}
+		while (cfg->ca_first)
+		{
+			sec = cfg->ca_first;
+			cfg->ca_first = cfg->ca_first->next;
+			free(sec->name);
+			parser_free_kwlist(sec->kw);
+			free(sec);
+		}
+		free(cfg);
 	}
-	pfree(cfg);
-    }
 }
diff --git a/src/starter/starter.c b/src/starter/starter.c
index e4ad5286c..2d2f452b5 100644
--- a/src/starter/starter.c
+++ b/src/starter/starter.c
@@ -10,8 +10,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: starter.c 4632 2008-11-11 18:37:19Z martin $
  */
 
 #include <sys/types.h>
@@ -71,662 +69,666 @@ static unsigned int _action_ = 0;
 static void
 fsig(int signal)
 {
-    switch (signal)
-    {
-	case SIGCHLD:
+	switch (signal)
 	{
-	    int status;
-	    pid_t pid;
-	    char *name = NULL;
-
-	    while ((pid = waitpid(-1, &status, WNOHANG)) > 0)
-	    {
-		if (pid == starter_pluto_pid())
-		    name = " (Pluto)";
-		if (pid == starter_charon_pid())
-		    name = " (Charon)";
-		if (WIFSIGNALED(status))
-		    DBG(DBG_CONTROL,
-			DBG_log("child %d%s has been killed by sig %d\n",
-				pid, name?name:"", WTERMSIG(status))
-		       )
-		else if (WIFSTOPPED(status))
-		    DBG(DBG_CONTROL,
-			DBG_log("child %d%s has been stopped by sig %d\n",
-				pid, name?name:"", WSTOPSIG(status))
-		       )
-		else if (WIFEXITED(status))
-		    DBG(DBG_CONTROL,
-			DBG_log("child %d%s has quit (exit code %d)\n",
-				pid, name?name:"", WEXITSTATUS(status))
-		       )
-		else
-		    DBG(DBG_CONTROL,
-			DBG_log("child %d%s has quit", pid, name?name:"")
-		       )
-		if (pid == starter_pluto_pid())
-		    starter_pluto_sigchild(pid);
-		if (pid == starter_charon_pid())
-		    starter_charon_sigchild(pid);
-	    }
+		case SIGCHLD:
+		{
+			int status;
+			pid_t pid;
+			char *name = NULL;
+
+			while ((pid = waitpid(-1, &status, WNOHANG)) > 0)
+			{
+				if (pid == starter_pluto_pid())
+					name = " (Pluto)";
+				if (pid == starter_charon_pid())
+					name = " (Charon)";
+				if (WIFSIGNALED(status))
+					DBG(DBG_CONTROL,
+						DBG_log("child %d%s has been killed by sig %d\n",
+								pid, name?name:"", WTERMSIG(status))
+					   )
+				else if (WIFSTOPPED(status))
+					DBG(DBG_CONTROL,
+						DBG_log("child %d%s has been stopped by sig %d\n",
+								pid, name?name:"", WSTOPSIG(status))
+					   )
+				else if (WIFEXITED(status))
+					DBG(DBG_CONTROL,
+						DBG_log("child %d%s has quit (exit code %d)\n",
+								pid, name?name:"", WEXITSTATUS(status))
+					   )
+				else
+					DBG(DBG_CONTROL,
+						DBG_log("child %d%s has quit", pid, name?name:"")
+					   )
+				if (pid == starter_pluto_pid())
+					starter_pluto_sigchild(pid);
+				if (pid == starter_charon_pid())
+					starter_charon_sigchild(pid);
+			}
+		}
+		break;
+
+		case SIGPIPE:
+			/** ignore **/
+			break;
+
+		case SIGALRM:
+			_action_ |= FLAG_ACTION_START_PLUTO;
+			_action_ |= FLAG_ACTION_START_CHARON;
+			break;
+
+		case SIGHUP:
+			_action_ |= FLAG_ACTION_UPDATE;
+			break;
+
+		case SIGTERM:
+		case SIGQUIT:
+		case SIGINT:
+			_action_ |= FLAG_ACTION_QUIT;
+			break;
+
+		case SIGUSR1:
+			_action_ |= FLAG_ACTION_RELOAD;
+			_action_ |= FLAG_ACTION_UPDATE;
+			break;
+
+		default:
+			plog("fsig(): unknown signal %d -- investigate", signal);
+			break;
 	}
-	break;
-
-	case SIGPIPE:
-	    /** ignore **/
-	    break;
-
-	case SIGALRM:
-	    _action_ |= FLAG_ACTION_START_PLUTO;
-	    _action_ |= FLAG_ACTION_START_CHARON;
-	    break;
-
-	case SIGHUP:
-	    _action_ |= FLAG_ACTION_UPDATE;
-	    break;
-
-	case SIGTERM:
-	case SIGQUIT:
-	case SIGINT:
-	    _action_ |= FLAG_ACTION_QUIT;
-	    break;
-
-	case SIGUSR1:
-	    _action_ |= FLAG_ACTION_RELOAD;
-	    _action_ |= FLAG_ACTION_UPDATE;
-	    break;
-
-	default:
-	    plog("fsig(): unknown signal %d -- investigate", signal);
-	    break;
-    }
 }
 
 static void generate_selfcert()
 {
-    struct stat stb;
-    
-	/* if ipsec.secrets file is missing then generate RSA default key pair */
-	if (stat(SECRETS_FILE, &stb) != 0)
-	{
-	    mode_t oldmask;
-	    FILE *f;
-	    uid_t uid = 0;
-	    gid_t gid = 0;
+	struct stat stb;
+	
+		/* if ipsec.secrets file is missing then generate RSA default key pair */
+		if (stat(SECRETS_FILE, &stb) != 0)
+		{
+			mode_t oldmask;
+			FILE *f;
+			uid_t uid = 0;
+			gid_t gid = 0;
 
 #ifdef IPSEC_GROUP
-		{
-			char buf[1024];
-			struct group group, *grp;
-		
-			if (getgrnam_r(IPSEC_GROUP, &group, buf, sizeof(buf), &grp) == 0 &&
-				grp)
 			{
-				gid = grp->gr_gid;
+				char buf[1024];
+				struct group group, *grp;
+				
+				if (getgrnam_r(IPSEC_GROUP, &group, buf, sizeof(buf), &grp) == 0 &&	grp)
+				{
+					gid = grp->gr_gid;
+				}
 			}
-		}
 #endif
 #ifdef IPSEC_USER
-		{
-			char buf[1024];
-			struct passwd passwd, *pwp;
-		
-			if (getpwnam_r(IPSEC_USER, &passwd, buf, sizeof(buf), &pwp) == 0 &&
-				pwp)
 			{
-				uid = pwp->pw_uid;
+				char buf[1024];
+				struct passwd passwd, *pwp;
+				
+				if (getpwnam_r(IPSEC_USER, &passwd, buf, sizeof(buf), &pwp) == 0 &&	pwp)
+				{
+					uid = pwp->pw_uid;
+				}
+			}
+#endif
+			setegid(gid);
+			seteuid(uid);
+			ignore_result(system("ipsec scepclient --out pkcs1 --out cert-self --quiet"));
+			seteuid(0);
+			setegid(0);
+
+			/* ipsec.secrets is root readable only */
+			oldmask = umask(0066);
+
+			f = fopen(SECRETS_FILE, "w");
+			if (f)
+			{
+				fprintf(f, "# /etc/ipsec.secrets - strongSwan IPsec secrets file\n");
+				fprintf(f, "\n");
+				fprintf(f, ": RSA myKey.der\n");
+				fclose(f);
 			}
+			ignore_result(chown(SECRETS_FILE, uid, gid));
+			umask(oldmask);
 		}
-#endif
-	    setegid(gid);
-	    seteuid(uid);
-	    ignore_result(system("ipsec scepclient --out pkcs1 --out cert-self --quiet"));
-	    seteuid(0);
-	    setegid(0);
-
-	    /* ipsec.secrets is root readable only */
-	    oldmask = umask(0066);
-
-	    f = fopen(SECRETS_FILE, "w");
-	    if (f)
-	    {
-		fprintf(f, "# /etc/ipsec.secrets - strongSwan IPsec secrets file\n");
-		fprintf(f, "\n");
-		fprintf(f, ": RSA myKey.der\n");
-		fclose(f);
-	    }
-	    ignore_result(chown(SECRETS_FILE, uid, gid));
-	    umask(oldmask);
-	}
 }
 
 static void
 usage(char *name)
 {
-    fprintf(stderr, "Usage: starter [--nofork] [--auto-update <sec>] "
-	    "[--debug|--debug-more|--debug-all]\n");
-    exit(LSB_RC_INVALID_ARGUMENT);
+	fprintf(stderr, "Usage: starter [--nofork] [--auto-update <sec>] "
+			"[--debug|--debug-more|--debug-all]\n");
+	exit(LSB_RC_INVALID_ARGUMENT);
 }
 
 int main (int argc, char **argv)
 {
-    starter_config_t *cfg = NULL;
-    starter_config_t *new_cfg;
-    starter_conn_t *conn, *conn2;
-    starter_ca_t *ca, *ca2;
-
-    struct stat stb;
-
-    char *err = NULL;
-    int i;
-    int id = 1;
-    struct timeval tv;
-    unsigned long auto_update = 0;
-    time_t last_reload;
-    bool no_fork = FALSE;
-
-    /* global variables defined in log.h */
-    log_to_stderr = TRUE;
-    base_debugging = DBG_NONE;
-
-    /* parse command line */
-    for (i = 1; i < argc; i++)
-    {
-	if (streq(argv[i], "--debug"))
+	starter_config_t *cfg = NULL;
+	starter_config_t *new_cfg;
+	starter_conn_t *conn, *conn2;
+	starter_ca_t *ca, *ca2;
+
+	struct stat stb;
+
+	char *err = NULL;
+	int i;
+	int id = 1;
+	struct timeval tv;
+	unsigned long auto_update = 0;
+	time_t last_reload;
+	bool no_fork = FALSE;
+	bool attach_gdb = FALSE;
+
+	/* global variables defined in log.h */
+	log_to_stderr = TRUE;
+	base_debugging = DBG_NONE;
+
+	/* parse command line */
+	for (i = 1; i < argc; i++)
 	{
-	    base_debugging |= DBG_CONTROL;
+		if (streq(argv[i], "--debug"))
+		{
+			base_debugging |= DBG_CONTROL;
+		}
+		else if (streq(argv[i], "--debug-more"))
+		{
+			base_debugging |= DBG_CONTROLMORE;
+		}
+		else if (streq(argv[i], "--debug-all"))
+		{
+			base_debugging |= DBG_ALL;
+		}
+		else if (streq(argv[i], "--nofork"))
+		{
+			no_fork = TRUE;
+		}
+		else if (streq(argv[i], "--attach-gdb"))
+		{
+			no_fork = TRUE;
+			attach_gdb = TRUE;
+		}
+		else if (streq(argv[i], "--auto-update") && i+1 < argc)
+		{
+			auto_update = atoi(argv[++i]);
+			if (!auto_update)
+				usage(argv[0]);
+		}
+		else
+		{
+			usage(argv[0]);
+		}
 	}
-	else if (streq(argv[i], "--debug-more"))
+
+	/* Init */
+	init_log("ipsec_starter");
+	cur_debugging = base_debugging;
+
+	signal(SIGHUP,  fsig);
+	signal(SIGCHLD, fsig);
+	signal(SIGPIPE, fsig);
+	signal(SIGINT,  fsig);
+	signal(SIGTERM, fsig);
+	signal(SIGQUIT, fsig);
+	signal(SIGALRM, fsig);
+	signal(SIGUSR1, fsig);
+
+	plog("Starting strongSwan "VERSION" IPsec [starter]...");
+
+	/* verify that we can start */
+	if (getuid() != 0)
 	{
-	    base_debugging |= DBG_CONTROLMORE;
+		plog("permission denied (must be superuser)");
+		exit(LSB_RC_NOT_ALLOWED);
 	}
-	else if (streq(argv[i], "--debug-all"))
+
+	if (stat(PLUTO_PID_FILE, &stb) == 0)
 	{
-	    base_debugging |= DBG_ALL;
+		plog("pluto is already running (%s exists) -- skipping pluto start", PLUTO_PID_FILE);
 	}
-	else if (streq(argv[i], "--nofork"))
+	else
 	{
-	    no_fork = TRUE;
+		_action_ |= FLAG_ACTION_START_PLUTO;
 	}
-	else if (streq(argv[i], "--auto-update") && i+1 < argc)
+	if (stat(CHARON_PID_FILE, &stb) == 0)
 	{
-	    auto_update = atoi(argv[++i]);
-	    if (!auto_update)
-		usage(argv[0]);
+		plog("charon is already running (%s exists) -- skipping charon start", CHARON_PID_FILE);
 	}
 	else
 	{
-	    usage(argv[0]);
+		_action_ |= FLAG_ACTION_START_CHARON;
 	}
-    }
-
-    /* Init */
-    init_log("ipsec_starter");
-    cur_debugging = base_debugging;
-
-    signal(SIGHUP,  fsig);
-    signal(SIGCHLD, fsig);
-    signal(SIGPIPE, fsig);
-    signal(SIGINT,  fsig);
-    signal(SIGTERM, fsig);
-    signal(SIGQUIT, fsig);
-    signal(SIGALRM, fsig);
-    signal(SIGUSR1, fsig);
-
-    plog("Starting strongSwan %s IPsec [starter]...", ipsec_version_code());
-
-    /* verify that we can start */
-    if (getuid() != 0)
-    {
-	plog("permission denied (must be superuser)");
-	exit(LSB_RC_NOT_ALLOWED);
-    }
-
-    if (stat(PLUTO_PID_FILE, &stb) == 0)
-    {
-	plog("pluto is already running (%s exists) -- skipping pluto start", PLUTO_PID_FILE);
-    }
-    else
-    {
-	_action_ |= FLAG_ACTION_START_PLUTO;
-    }
-    if (stat(CHARON_PID_FILE, &stb) == 0)
-    {
-	plog("charon is already running (%s exists) -- skipping charon start", CHARON_PID_FILE);
-    }
-    else
-    {
-	_action_ |= FLAG_ACTION_START_CHARON;
-    }
-    if (stat(DEV_RANDOM, &stb) != 0)
-    {
-	plog("unable to start strongSwan IPsec -- no %s!", DEV_RANDOM);
-	exit(LSB_RC_FAILURE);
-    }
-
-    if (stat(DEV_URANDOM, &stb)!= 0)
-    {
-	plog("unable to start strongSwan IPsec -- no %s!", DEV_URANDOM);
-	exit(LSB_RC_FAILURE);
-    }
-
-    cfg = confread_load(CONFIG_FILE);
-    if (cfg == NULL || cfg->err > 0)
-    {
-	plog("unable to start strongSwan -- fatal errors in config");
-	if (cfg)
+	if (stat(DEV_RANDOM, &stb) != 0)
 	{
-	    confread_free(cfg);
+		plog("unable to start strongSwan IPsec -- no %s!", DEV_RANDOM);
+		exit(LSB_RC_FAILURE);
 	}
-	exit(LSB_RC_INVALID_ARGUMENT);
-    }
 
-    /* determine if we have a native netkey IPsec stack */
-    if (!starter_netkey_init())
-    {
-	plog("no netkey IPSec stack detected");
-	if (!starter_klips_init())
+	if (stat(DEV_URANDOM, &stb)!= 0)
 	{
-	    plog("no KLIPS IPSec stack detected");
-	    exit(LSB_RC_FAILURE);
+		plog("unable to start strongSwan IPsec -- no %s!", DEV_URANDOM);
+		exit(LSB_RC_FAILURE);
 	}
-    }
-
-    last_reload = time(NULL);
-
-    if (stat(STARTER_PID_FILE, &stb) == 0)
-    {
-	plog("starter is already running (%s exists) -- no fork done", STARTER_PID_FILE);
-	exit(LSB_RC_SUCCESS);
-    }
-    
-    generate_selfcert();
-
-    /* fork if we're not debugging stuff */
-    if (!no_fork)
-    {
-	log_to_stderr = FALSE;
 
-	switch (fork())
+	cfg = confread_load(CONFIG_FILE);
+	if (cfg == NULL || cfg->err > 0)
 	{
-	    case 0:
-	    {
-		int fnull = open("/dev/null", O_RDWR);
-
-		if (fnull >= 0)
+		plog("unable to start strongSwan -- fatal errors in config");
+		if (cfg)
 		{
-		    dup2(fnull, STDIN_FILENO);
-		    dup2(fnull, STDOUT_FILENO);
-		    dup2(fnull, STDERR_FILENO);
-		    close(fnull);
+			confread_free(cfg);
 		}
-		setsid(); 
-	    }
-	    break;
-	    case -1:
-		plog("can't fork: %s", strerror(errno));
-		break;
-	    default:
-		exit(LSB_RC_SUCCESS);
+		exit(LSB_RC_INVALID_ARGUMENT);
 	}
-    }
 
-    /* save pid file in /var/run/starter.pid */
-    {
-	FILE *fd = fopen(STARTER_PID_FILE, "w");
-
-	if (fd)
+	/* determine if we have a native netkey IPsec stack */
+	if (!starter_netkey_init())
 	{
-	    fprintf(fd, "%u\n", getpid());
-	    fclose(fd);
+		plog("no netkey IPsec stack detected");
+		if (!starter_klips_init())
+		{
+			plog("no KLIPS IPsec stack detected");
+			plog("no known IPsec stack detected, ignoring!");
+		}
 	}
-    }
-
-    for (;;)
-    {
-	/*
-	 * Stop pluto/charon (if started) and exit
-	 */
-	if (_action_ & FLAG_ACTION_QUIT)
+
+	last_reload = time(NULL);
+
+	if (stat(STARTER_PID_FILE, &stb) == 0)
 	{
-	    if (starter_pluto_pid())
-		starter_stop_pluto();
-	    if (starter_charon_pid())
-		starter_stop_charon();
-	    starter_netkey_cleanup();
-	    confread_free(cfg);
-	    unlink(STARTER_PID_FILE);
-	    unlink(INFO_FILE);
-#ifdef LEAK_DETECTIVE
-	    report_leaks();
-#endif /* LEAK_DETECTIVE */
-	    close_log();
-	    plog("ipsec starter stopped");
-	    exit(LSB_RC_SUCCESS);
+		plog("starter is already running (%s exists) -- no fork done", STARTER_PID_FILE);
+		exit(LSB_RC_SUCCESS);
 	}
+	
+	generate_selfcert();
 
-	/*
-	 * Delete all connections. Will be added below
-	 */
-	if (_action_ & FLAG_ACTION_RELOAD)
+	/* fork if we're not debugging stuff */
+	if (!no_fork)
 	{
-	    if (starter_pluto_pid() || starter_charon_pid())
-	    {
-		for (conn = cfg->conn_first; conn; conn = conn->next)
+		log_to_stderr = FALSE;
+
+		switch (fork())
 		{
-		    if (conn->state == STATE_ADDED)
-		    {
-			if (starter_charon_pid())
-			{
-			    starter_stroke_del_conn(conn);
-			}
-			if (starter_pluto_pid())
+			case 0:
 			{
-			    starter_whack_del_conn(conn);
+				int fnull = open("/dev/null", O_RDWR);
+
+				if (fnull >= 0)
+				{
+					dup2(fnull, STDIN_FILENO);
+					dup2(fnull, STDOUT_FILENO);
+					dup2(fnull, STDERR_FILENO);
+					close(fnull);
+				}
+				setsid(); 
 			}
-			conn->state = STATE_TO_ADD;
-		    }
+			break;
+			case -1:
+				plog("can't fork: %s", strerror(errno));
+				break;
+			default:
+				exit(LSB_RC_SUCCESS);
 		}
-		for (ca = cfg->ca_first; ca; ca = ca->next)
+	}
+
+	/* save pid file in /var/run/starter.pid */
+	{
+		FILE *fd = fopen(STARTER_PID_FILE, "w");
+
+		if (fd)
 		{
-		    if (ca->state == STATE_ADDED)
-		    {
-			if (starter_charon_pid())
-			{
-			    starter_stroke_del_ca(ca);
-			}
-			if (starter_pluto_pid())
-			{
-			    starter_whack_del_ca(ca);
-			}
-			ca->state = STATE_TO_ADD;
-		    }
+			fprintf(fd, "%u\n", getpid());
+			fclose(fd);
 		}
-	    }
-	    _action_ &= ~FLAG_ACTION_RELOAD;
 	}
 
-	/*
-	 * Update configuration
-	 */
-	if (_action_ & FLAG_ACTION_UPDATE)
+	for (;;)
 	{
-	    err = NULL;
-	    DBG(DBG_CONTROL,
-		DBG_log("Reloading config...")
-	       );
-	    new_cfg = confread_load(CONFIG_FILE);
-
-	    if (new_cfg && (new_cfg->err + new_cfg->non_fatal_err == 0))
-	    {
-		/* Switch to new config. New conn will be loaded below */
-		if (!starter_cmp_defaultroute(&new_cfg->defaultroute
-				   , &cfg->defaultroute))
+		/*
+		 * Stop pluto/charon (if started) and exit
+		 */
+		if (_action_ & FLAG_ACTION_QUIT)
 		{
-		    _action_ |= FLAG_ACTION_LISTEN;
+			if (starter_pluto_pid())
+				starter_stop_pluto();
+			if (starter_charon_pid())
+				starter_stop_charon();
+			starter_netkey_cleanup();
+			confread_free(cfg);
+			unlink(STARTER_PID_FILE);
+			unlink(INFO_FILE);
+#ifdef LEAK_DETECTIVE
+			report_leaks();
+#endif /* LEAK_DETECTIVE */
+			close_log();
+			plog("ipsec starter stopped");
+			exit(LSB_RC_SUCCESS);
 		}
 
-		if (!starter_cmp_pluto(cfg, new_cfg)) 
+		/*
+		 * Delete all connections. Will be added below
+		 */
+		if (_action_ & FLAG_ACTION_RELOAD)
 		{
-		    plog("Pluto has changed");
-		    if (starter_pluto_pid())
-			starter_stop_pluto();
-		    _action_ &= ~FLAG_ACTION_LISTEN;
-		    _action_ |= FLAG_ACTION_START_PLUTO;
+			if (starter_pluto_pid() || starter_charon_pid())
+			{
+				for (conn = cfg->conn_first; conn; conn = conn->next)
+				{
+					if (conn->state == STATE_ADDED)
+					{
+						if (starter_charon_pid())
+						{
+							starter_stroke_del_conn(conn);
+						}
+						if (starter_pluto_pid())
+						{
+							starter_whack_del_conn(conn);
+						}
+						conn->state = STATE_TO_ADD;
+					}
+				}
+				for (ca = cfg->ca_first; ca; ca = ca->next)
+				{
+					if (ca->state == STATE_ADDED)
+					{
+						if (starter_charon_pid())
+						{
+							starter_stroke_del_ca(ca);
+						}
+						if (starter_pluto_pid())
+						{
+							starter_whack_del_ca(ca);
+						}
+						ca->state = STATE_TO_ADD;
+					}
+				}
+			}
+			_action_ &= ~FLAG_ACTION_RELOAD;
 		}
-		else
+
+		/*
+		 * Update configuration
+		 */
+		if (_action_ & FLAG_ACTION_UPDATE)
 		{
-		    /* Only reload conn and ca sections if pluto is not killed */
+			err = NULL;
+			DBG(DBG_CONTROL,
+				DBG_log("Reloading config...")
+			   );
+			new_cfg = confread_load(CONFIG_FILE);
 
-		    /* Look for new connections that are already loaded */
-		    for (conn = cfg->conn_first; conn; conn = conn->next)
-		    {
-			if (conn->state == STATE_ADDED)
+			if (new_cfg && (new_cfg->err + new_cfg->non_fatal_err == 0))
 			{
-			    for (conn2 = new_cfg->conn_first; conn2; conn2 = conn2->next)
-			    {
-				if (conn2->state == STATE_TO_ADD && starter_cmp_conn(conn, conn2))
+				/* Switch to new config. New conn will be loaded below */
+				if (!starter_cmp_defaultroute(&new_cfg->defaultroute
+								   , &cfg->defaultroute))
 				{
-				    conn->state = STATE_REPLACED;
-				    conn2->state = STATE_ADDED;
-				    conn2->id = conn->id;
-				    break;
+					_action_ |= FLAG_ACTION_LISTEN;
 				}
-			    }
-			}
-		    }
 
-		    /* Remove conn sections that have become unused */
-		    for (conn = cfg->conn_first; conn; conn = conn->next)
-		    {
-			if (conn->state == STATE_ADDED)
+				if (!starter_cmp_pluto(cfg, new_cfg)) 
+				{
+					plog("Pluto has changed");
+					if (starter_pluto_pid())
+						starter_stop_pluto();
+					_action_ &= ~FLAG_ACTION_LISTEN;
+					_action_ |= FLAG_ACTION_START_PLUTO;
+				}
+				else
+				{
+					/* Only reload conn and ca sections if pluto is not killed */
+
+					/* Look for new connections that are already loaded */
+					for (conn = cfg->conn_first; conn; conn = conn->next)
+					{
+						if (conn->state == STATE_ADDED)
+						{
+							for (conn2 = new_cfg->conn_first; conn2; conn2 = conn2->next)
+							{
+								if (conn2->state == STATE_TO_ADD && starter_cmp_conn(conn, conn2))
+								{
+									conn->state = STATE_REPLACED;
+									conn2->state = STATE_ADDED;
+									conn2->id = conn->id;
+									break;
+								}
+							}
+						}
+					}
+
+					/* Remove conn sections that have become unused */
+					for (conn = cfg->conn_first; conn; conn = conn->next)
+					{
+						if (conn->state == STATE_ADDED)
+						{
+							if (starter_charon_pid())
+							{
+								starter_stroke_del_conn(conn);
+							}
+							if (starter_pluto_pid())
+							{
+								starter_whack_del_conn(conn);
+							}
+						}
+					}
+
+					/* Look for new ca sections that are already loaded */
+					for (ca = cfg->ca_first; ca; ca = ca->next)
+					{
+						if (ca->state == STATE_ADDED)
+						{
+							for (ca2 = new_cfg->ca_first; ca2; ca2 = ca2->next)
+							{
+								if (ca2->state == STATE_TO_ADD && starter_cmp_ca(ca, ca2))
+								{
+									ca->state = STATE_REPLACED;
+									ca2->state = STATE_ADDED;
+									break;
+								}
+							}
+						}
+					}
+
+					/* Remove ca sections that have become unused */
+					for (ca = cfg->ca_first; ca; ca = ca->next)
+					{
+						if (ca->state == STATE_ADDED)
+						{
+							if (starter_charon_pid())
+							{
+								starter_stroke_del_ca(ca);
+							}
+							if (starter_pluto_pid())
+							{
+								starter_whack_del_ca(ca);
+							}
+						}
+					}
+				}
+				confread_free(cfg);
+				cfg = new_cfg;
+			}
+			else
 			{
-			    if (starter_charon_pid())
-			    {
-				starter_stroke_del_conn(conn);
-			    }
-			    if (starter_pluto_pid())
-			    {
-				starter_whack_del_conn(conn);
-			    }
+				plog("can't reload config file due to errors -- keeping old one");
+				if (new_cfg)
+				{
+					confread_free(new_cfg);
+				}
 			}
-		    }
+			_action_ &= ~FLAG_ACTION_UPDATE;
+			last_reload = time(NULL);
+		}
 
-		    /* Look for new ca sections that are already loaded */
-		    for (ca = cfg->ca_first; ca; ca = ca->next)
-		    {
-			if (ca->state == STATE_ADDED)
+		/*
+		 * Start pluto
+		 */
+		if (_action_ & FLAG_ACTION_START_PLUTO)
+		{
+			if (cfg->setup.plutostart && !starter_pluto_pid())
 			{
-			    for (ca2 = new_cfg->ca_first; ca2; ca2 = ca2->next)
-			    {
-				if (ca2->state == STATE_TO_ADD && starter_cmp_ca(ca, ca2))
+				DBG(DBG_CONTROL,
+					DBG_log("Attempting to start pluto...")
+				   );
+
+				if (starter_start_pluto(cfg, no_fork, attach_gdb) == 0)
+				{
+					starter_whack_listen();
+				}
+				else
 				{
-				    ca->state = STATE_REPLACED;
-				    ca2->state = STATE_ADDED;
-				    break;
+					/* schedule next try */
+					alarm(PLUTO_RESTART_DELAY);
 				}
-			    }
 			}
-		    }
+			_action_ &= ~FLAG_ACTION_START_PLUTO;
 
-		    /* Remove ca sections that have become unused */
-		    for (ca = cfg->ca_first; ca; ca = ca->next)
-		    {
-			if (ca->state == STATE_ADDED)
+			for (ca = cfg->ca_first; ca; ca = ca->next)
 			{
-			    if (starter_charon_pid())
-			    {
-				starter_stroke_del_ca(ca);
-			    }
-			    if (starter_pluto_pid())
-			    {
-				starter_whack_del_ca(ca);
-			    }
+				if (ca->state == STATE_ADDED)
+					ca->state = STATE_TO_ADD;
 			}
-		    }
-		}
-		confread_free(cfg);
-		cfg = new_cfg;
-	    }
-	    else
-	    {
-		plog("can't reload config file due to errors -- keeping old one");
-		if (new_cfg)
-		{
-		    confread_free(new_cfg);
-		}
-	    }
-	    _action_ &= ~FLAG_ACTION_UPDATE;
-	    last_reload = time(NULL);
-	}
 
-	/*
-	 * Start pluto
-	 */
-	if (_action_ & FLAG_ACTION_START_PLUTO)
-	{
-	    if (cfg->setup.plutostart && !starter_pluto_pid())
-	    {
-		DBG(DBG_CONTROL,
-		    DBG_log("Attempting to start pluto...")
-		   );
-
-		if (starter_start_pluto(cfg, no_fork) == 0)
-		{
-		    starter_whack_listen();
-		}
-		else
-		{
-		    /* schedule next try */
-		    alarm(PLUTO_RESTART_DELAY);
+			for (conn = cfg->conn_first; conn; conn = conn->next)
+			{
+				if (conn->state == STATE_ADDED)
+					conn->state = STATE_TO_ADD;
+			}
 		}
-	    }
-	    _action_ &= ~FLAG_ACTION_START_PLUTO;
-
-	    for (ca = cfg->ca_first; ca; ca = ca->next)
-	    {
-		if (ca->state == STATE_ADDED)
-		    ca->state = STATE_TO_ADD;
-	    }
-
-	    for (conn = cfg->conn_first; conn; conn = conn->next)
-	    {
-		if (conn->state == STATE_ADDED)
-		    conn->state = STATE_TO_ADD;
-	    }
-	}
-	
-	/*
-	 * Start charon
-	 */
-	if (_action_ & FLAG_ACTION_START_CHARON)
-	{
-	    if (cfg->setup.charonstart && !starter_charon_pid())
-	    {
-		DBG(DBG_CONTROL,
-		    DBG_log("Attempting to start charon...")
-		   );
-		if (starter_start_charon(cfg, no_fork))
+		
+		/*
+		 * Start charon
+		 */
+		if (_action_ & FLAG_ACTION_START_CHARON)
 		{
-		    /* schedule next try */
-		    alarm(PLUTO_RESTART_DELAY);
+			if (cfg->setup.charonstart && !starter_charon_pid())
+			{
+				DBG(DBG_CONTROL,
+					DBG_log("Attempting to start charon...")
+				   );
+				if (starter_start_charon(cfg, no_fork, attach_gdb))
+				{
+					/* schedule next try */
+					alarm(PLUTO_RESTART_DELAY);
+				}
+				starter_stroke_configure(cfg);
+			}
+			_action_ &= ~FLAG_ACTION_START_CHARON;
 		}
-		starter_stroke_configure(cfg);
-	    }
-	    _action_ &= ~FLAG_ACTION_START_CHARON;
-	}
-
-	/*
-	 * Tell pluto to reread its interfaces
-	 */
-	if (_action_ & FLAG_ACTION_LISTEN)
-	{
-	    if (starter_pluto_pid())
-	    {
-		starter_whack_listen();
-		_action_ &= ~FLAG_ACTION_LISTEN;
-	    }
-	}
 
-	/*
-	 * Add stale conn and ca sections
-	 */
-	if (starter_pluto_pid() || starter_charon_pid())
-	{
-	    for (ca = cfg->ca_first; ca; ca = ca->next)
-	    {
-		if (ca->state == STATE_TO_ADD)
+		/*
+		 * Tell pluto to reread its interfaces
+		 */
+		if (_action_ & FLAG_ACTION_LISTEN)
 		{
-		    if (starter_charon_pid())
-		    {
-			starter_stroke_add_ca(ca);
-		    }
-		    if (starter_pluto_pid())
-		    {
-			starter_whack_add_ca(ca);
-		    }
-		    ca->state = STATE_ADDED;
+			if (starter_pluto_pid())
+			{
+				starter_whack_listen();
+				_action_ &= ~FLAG_ACTION_LISTEN;
+			}
 		}
-	    }
 
-	    for (conn = cfg->conn_first; conn; conn = conn->next)
-	    {
-		if (conn->state == STATE_TO_ADD)
+		/*
+		 * Add stale conn and ca sections
+		 */
+		if (starter_pluto_pid() || starter_charon_pid())
 		{
-		    if (conn->id == 0)
-		    {
-			/* affect new unique id */
-			conn->id = id++;
-		    }
-		    if (starter_charon_pid())
-		    {
-			starter_stroke_add_conn(cfg, conn);
-		    }
-		    if (starter_pluto_pid())
-		    {
-			starter_whack_add_conn(conn);
-		    }
-		    conn->state = STATE_ADDED;
-
-		    if (conn->startup == STARTUP_START)
-		    {
-			if (conn->keyexchange == KEY_EXCHANGE_IKEV2)
+			for (ca = cfg->ca_first; ca; ca = ca->next)
 			{
-			    if (starter_charon_pid())
-			    {
-				starter_stroke_initiate_conn(conn);
-			    }
-			}
-			else
-			{
-			    if (starter_pluto_pid())
-			    {
-				starter_whack_initiate_conn(conn);
-			    }
-			}
-		    }
-		    else if (conn->startup == STARTUP_ROUTE)
-		    {
-			if (conn->keyexchange == KEY_EXCHANGE_IKEV2)
-			{
-			    if (starter_charon_pid())
-			    {
-				starter_stroke_route_conn(conn);
-			    }
+				if (ca->state == STATE_TO_ADD)
+				{
+					if (starter_charon_pid())
+					{
+						starter_stroke_add_ca(ca);
+					}
+					if (starter_pluto_pid())
+					{
+						starter_whack_add_ca(ca);
+					}
+					ca->state = STATE_ADDED;
+				}
 			}
-			else
+
+			for (conn = cfg->conn_first; conn; conn = conn->next)
 			{
-			    if (starter_pluto_pid())
-			    {
-				starter_whack_route_conn(conn);
-			    }
+				if (conn->state == STATE_TO_ADD)
+				{
+					if (conn->id == 0)
+					{
+						/* affect new unique id */
+						conn->id = id++;
+					}
+					if (starter_charon_pid())
+					{
+						starter_stroke_add_conn(cfg, conn);
+					}
+					if (starter_pluto_pid())
+					{
+						starter_whack_add_conn(conn);
+					}
+					conn->state = STATE_ADDED;
+
+					if (conn->startup == STARTUP_START)
+					{
+						if (conn->keyexchange == KEY_EXCHANGE_IKEV2)
+						{
+							if (starter_charon_pid())
+							{
+								starter_stroke_initiate_conn(conn);
+							}
+						}
+						else
+						{
+							if (starter_pluto_pid())
+							{
+								starter_whack_initiate_conn(conn);
+							}
+						}
+					}
+					else if (conn->startup == STARTUP_ROUTE)
+					{
+						if (conn->keyexchange == KEY_EXCHANGE_IKEV2)
+						{
+							if (starter_charon_pid())
+							{
+								starter_stroke_route_conn(conn);
+							}
+						}
+						else
+						{
+							if (starter_pluto_pid())
+							{
+								starter_whack_route_conn(conn);
+							}
+						}
+					}
+				}
 			}
-		    }
 		}
-	    }
-	}
 
-	/*
-	 * If auto_update activated, when to stop select
-	 */
-	if (auto_update)
-	{
-	    time_t now = time(NULL);
+		/*
+		 * If auto_update activated, when to stop select
+		 */
+		if (auto_update)
+		{
+			time_t now = time(NULL);
 
-	    tv.tv_sec = (now < last_reload + auto_update)
-		    ? (last_reload + auto_update-now) : 0;
-	    tv.tv_usec = 0;
-	}
+			tv.tv_sec = (now < last_reload + auto_update)
+					? (last_reload + auto_update-now) : 0;
+			tv.tv_usec = 0;
+		}
 
-	/*
-	 * Wait for something to happen
-	 */
-	if (select(0, NULL, NULL, NULL, auto_update ? &tv : NULL) == 0)
-	{
-	    /* timeout -> auto_update */
-	    _action_ |= FLAG_ACTION_UPDATE;
+		/*
+		 * Wait for something to happen
+		 */
+		if (select(0, NULL, NULL, NULL, auto_update ? &tv : NULL) == 0)
+		{
+			/* timeout -> auto_update */
+			_action_ |= FLAG_ACTION_UPDATE;
+		}
 	}
-    }
-    exit(LSB_RC_SUCCESS);
+	exit(LSB_RC_SUCCESS);
 }
 
diff --git a/src/starter/starterstroke.c b/src/starter/starterstroke.c
index a1339f2a5..054e37fa7 100644
--- a/src/starter/starterstroke.c
+++ b/src/starter/starterstroke.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: starterstroke.c 4856 2009-02-05 22:13:48Z andreas $
  */
 
 #include <sys/types.h>
@@ -21,10 +19,10 @@
 #include <stddef.h>
 #include <unistd.h>
 #include <stdlib.h>
+#include <string.h>
 #include <errno.h>
 #include <netinet/in.h>
 #include <arpa/inet.h>
-#include <linux/xfrm.h>
 
 #include <freeswan.h>
 
@@ -41,6 +39,15 @@
 #define IPV4_LEN	 4
 #define IPV6_LEN	16
 
+/**
+ * Mode of an IPsec SA, must be the same as in charons kernel_ipsec.h
+ */
+enum ipsec_mode_t {
+	MODE_TRANSPORT = 1,
+	MODE_TUNNEL,
+	MODE_BEET
+};
+
 /**
  * Authentication methods, must be the same as in charons authenticator.h
  */
@@ -68,9 +75,12 @@ static char* push_string(stroke_msg_t *msg, char *string)
 
 static int send_stroke_msg (stroke_msg_t *msg)
 {
-	struct sockaddr_un ctl_addr = { AF_UNIX, CHARON_CTL_FILE };
+	struct sockaddr_un ctl_addr;
 	int byte_count;
 	char buffer[64];
+
+	ctl_addr.sun_family = AF_UNIX;
+	strcpy(ctl_addr.sun_path, CHARON_CTL_FILE);
 	
 	/* starter is not called from commandline, and therefore absolutely silent */
 	msg->output_verbosity = -1;
@@ -164,9 +174,14 @@ static void starter_stroke_add_end(stroke_msg_t *msg, stroke_end_t *msg_end, sta
 {
 	char buffer[INET6_ADDRSTRLEN];
 	
+	msg_end->auth = push_string(msg, conn_end->auth);
+	msg_end->auth2 = push_string(msg, conn_end->auth2);
 	msg_end->id = push_string(msg, conn_end->id);
+	msg_end->id2 = push_string(msg, conn_end->id2);
 	msg_end->cert = push_string(msg, conn_end->cert);
+	msg_end->cert2 = push_string(msg, conn_end->cert2);
 	msg_end->ca = push_string(msg, conn_end->ca);
+	msg_end->ca2 = push_string(msg, conn_end->ca2);
 	msg_end->groups = push_string(msg, conn_end->groups);
 	msg_end->updown = push_string(msg, conn_end->updown);
 	ip_address2string(&conn_end->addr, buffer, sizeof(buffer));
@@ -224,7 +239,7 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
 	msg.add_conn.name = push_string(&msg, connection_name(conn));
 	
 	/* PUBKEY is preferred to PSK and EAP */
-	if (conn->policy & POLICY_RSASIG || conn->policy & POLICY_ECDSASIG)
+	if (conn->policy & POLICY_PUBKEY)
 	{
 		msg.add_conn.auth_method = AUTH_PUBKEY;
 	}
@@ -242,20 +257,20 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
 	
 	if (conn->policy & POLICY_TUNNEL)
 	{
-		msg.add_conn.mode = XFRM_MODE_TUNNEL;
+		msg.add_conn.mode = MODE_TUNNEL;
 	}
 	else if (conn->policy & POLICY_BEET)
 	{
-		msg.add_conn.mode = XFRM_MODE_BEET;
+		msg.add_conn.mode = MODE_BEET;
 	}
 	else if (conn->policy & POLICY_PROXY)
 	{
-		msg.add_conn.mode = XFRM_MODE_TRANSPORT;
+		msg.add_conn.mode = MODE_TRANSPORT;
 		msg.add_conn.proxy_mode = TRUE;
 	} 
 	else
 	{
-		msg.add_conn.mode = XFRM_MODE_TRANSPORT;
+		msg.add_conn.mode = MODE_TRANSPORT;
 	}
 
 	if (!(conn->policy & POLICY_DONT_REKEY))
diff --git a/src/starter/starterstroke.h b/src/starter/starterstroke.h
index e6b9e5504..f9b01c99a 100644
--- a/src/starter/starterstroke.h
+++ b/src/starter/starterstroke.h
@@ -10,8 +10,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: starterstroke.h 3825 2008-04-17 15:01:57Z martin $
  */
 
 #ifndef _STARTER_STROKE_H_
diff --git a/src/starter/starterwhack.c b/src/starter/starterwhack.c
index 8b7d500b8..44b442ae2 100644
--- a/src/starter/starterwhack.c
+++ b/src/starter/starterwhack.c
@@ -10,8 +10,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: starterwhack.c 3880 2008-04-27 10:49:31Z andreas $
  */
 
 #include <sys/types.h>
@@ -19,6 +17,7 @@
 #include <sys/un.h>
 #include <stddef.h>
 #include <unistd.h>
+#include <string.h>
 #include <errno.h>
 
 #include <freeswan.h>
@@ -32,386 +31,389 @@
 #include "confread.h"
 #include "files.h"
 
-#define ip_version(string)	(strchr(string, '.') ? AF_INET : AF_INET6)
+#define ip_version(string)      (strchr(string, '.') ? AF_INET : AF_INET6)
 
 static int
 pack_str (char **p, char **next, char **roof)
 {
-    const char *s = (*p==NULL) ? "" : *p;    /* note: NULL becomes ""! */
-    size_t len = strlen(s) + 1;
-
-    if ((*roof - *next) < len)
-    {
-	return 0;	/* not enough space */
-    }
-    else
-    {
-	strcpy(*next, s);
-	*next += len;
-	*p = NULL;   /* don't send pointers on the wire! */
-	return 1;
-    }
+	const char *s = (*p==NULL) ? "" : *p;    /* note: NULL becomes ""! */
+	size_t len = strlen(s) + 1;
+
+	if ((*roof - *next) < len)
+	{
+		return 0;       /* not enough space */
+	}
+	else
+	{
+		strcpy(*next, s);
+		*next += len;
+		*p = NULL;   /* don't send pointers on the wire! */
+		return 1;
+	}
 }
 
 static int
 send_whack_msg (whack_message_t *msg)
 {
-    struct sockaddr_un ctl_addr = { AF_UNIX, PLUTO_CTL_FILE };
-    int sock;
-    ssize_t len;
-    char *str_next, *str_roof;
-
-    /* pack strings */
-    str_next = (char *)msg->string;
-    str_roof = (char *)&msg->string[sizeof(msg->string)];
-
-    if (!pack_str(&msg->name,         &str_next, &str_roof)
-    ||  !pack_str(&msg->left.id,      &str_next, &str_roof)
-    ||  !pack_str(&msg->left.cert,    &str_next, &str_roof)
-    ||  !pack_str(&msg->left.ca,      &str_next, &str_roof)
-    ||  !pack_str(&msg->left.groups,  &str_next, &str_roof)
-    ||  !pack_str(&msg->left.updown,  &str_next, &str_roof)
-    ||  !pack_str(&msg->left.virt,    &str_next, &str_roof)
-    ||  !pack_str(&msg->right.id,     &str_next, &str_roof)
-    ||  !pack_str(&msg->right.cert,   &str_next, &str_roof)
-    ||  !pack_str(&msg->right.ca,     &str_next, &str_roof)
-    ||  !pack_str(&msg->right.groups, &str_next, &str_roof)
-    ||  !pack_str(&msg->right.updown, &str_next, &str_roof)
-    || !pack_str(&msg->right.virt,    &str_next, &str_roof)
-    || !pack_str(&msg->keyid,         &str_next, &str_roof)
-    || !pack_str(&msg->myid,          &str_next, &str_roof)
-    || !pack_str(&msg->cacert,        &str_next, &str_roof)
-    || !pack_str(&msg->ldaphost,      &str_next, &str_roof)
-    || !pack_str(&msg->ldapbase,      &str_next, &str_roof)
-    || !pack_str(&msg->crluri,        &str_next, &str_roof)
-    || !pack_str(&msg->crluri2,       &str_next, &str_roof)
-    || !pack_str(&msg->ocspuri,       &str_next, &str_roof)
-    || !pack_str(&msg->ike,           &str_next, &str_roof)
-    || !pack_str(&msg->esp,           &str_next, &str_roof)
-    || !pack_str(&msg->sc_data,       &str_next, &str_roof)
-    || (str_roof - str_next < msg->keyval.len))
-    {
-	plog("send_wack_msg(): can't pack strings");
-	return -1;
-    }
-    if (msg->keyval.ptr)
-	memcpy(str_next, msg->keyval.ptr, msg->keyval.len);
-    msg->keyval.ptr = NULL;
-    str_next += msg->keyval.len;
-    len = str_next - (char *)msg;
-
-    /* connect to pluto ctl */
-    sock = socket(AF_UNIX, SOCK_STREAM, 0);
-    if (sock < 0)
-    {
-	plog("socket() failed: %s", strerror(errno));
-	return -1;
-    }
-    if (connect(sock, (struct sockaddr *)&ctl_addr,
-	offsetof(struct sockaddr_un, sun_path) + strlen(ctl_addr.sun_path)) < 0)
-    {
-	plog("connect(pluto_ctl) failed: %s", strerror(errno));
-	close(sock);
-	return -1;
-    }
+	struct sockaddr_un ctl_addr;
+	int sock;
+	ssize_t len;
+	char *str_next, *str_roof;
+
+	ctl_addr.sun_family = AF_UNIX;
+	strcpy(ctl_addr.sun_path, PLUTO_CTL_FILE);
+
+	/* pack strings */
+	str_next = (char *)msg->string;
+	str_roof = (char *)&msg->string[sizeof(msg->string)];
+
+	if (!pack_str(&msg->name,         &str_next, &str_roof)
+	||  !pack_str(&msg->left.id,      &str_next, &str_roof)
+	||  !pack_str(&msg->left.cert,    &str_next, &str_roof)
+	||  !pack_str(&msg->left.ca,      &str_next, &str_roof)
+	||  !pack_str(&msg->left.groups,  &str_next, &str_roof)
+	||  !pack_str(&msg->left.updown,  &str_next, &str_roof)
+	||  !pack_str(&msg->left.virt,    &str_next, &str_roof)
+	||  !pack_str(&msg->right.id,     &str_next, &str_roof)
+	||  !pack_str(&msg->right.cert,   &str_next, &str_roof)
+	||  !pack_str(&msg->right.ca,     &str_next, &str_roof)
+	||  !pack_str(&msg->right.groups, &str_next, &str_roof)
+	||  !pack_str(&msg->right.updown, &str_next, &str_roof)
+	|| !pack_str(&msg->right.virt,    &str_next, &str_roof)
+	|| !pack_str(&msg->keyid,         &str_next, &str_roof)
+	|| !pack_str(&msg->myid,          &str_next, &str_roof)
+	|| !pack_str(&msg->cacert,        &str_next, &str_roof)
+	|| !pack_str(&msg->ldaphost,      &str_next, &str_roof)
+	|| !pack_str(&msg->ldapbase,      &str_next, &str_roof)
+	|| !pack_str(&msg->crluri,        &str_next, &str_roof)
+	|| !pack_str(&msg->crluri2,       &str_next, &str_roof)
+	|| !pack_str(&msg->ocspuri,       &str_next, &str_roof)
+	|| !pack_str(&msg->ike,           &str_next, &str_roof)
+	|| !pack_str(&msg->esp,           &str_next, &str_roof)
+	|| !pack_str(&msg->sc_data,       &str_next, &str_roof)
+	|| (str_roof - str_next < msg->keyval.len))
+	{
+		plog("send_wack_msg(): can't pack strings");
+		return -1;
+	}
+	if (msg->keyval.ptr)
+		memcpy(str_next, msg->keyval.ptr, msg->keyval.len);
+	msg->keyval.ptr = NULL;
+	str_next += msg->keyval.len;
+	len = str_next - (char *)msg;
+
+	/* connect to pluto ctl */
+	sock = socket(AF_UNIX, SOCK_STREAM, 0);
+	if (sock < 0)
+	{
+		plog("socket() failed: %s", strerror(errno));
+		return -1;
+	}
+	if (connect(sock, (struct sockaddr *)&ctl_addr,
+		offsetof(struct sockaddr_un, sun_path) + strlen(ctl_addr.sun_path)) < 0)
+	{
+		plog("connect(pluto_ctl) failed: %s", strerror(errno));
+		close(sock);
+		return -1;
+	}
 
-    /* send message */
-    if (write(sock, msg, len) != len)
-    {
-	plog("write(pluto_ctl) failed: %s", strerror(errno));
-	close(sock);
-	return -1;
-    }
+	/* send message */
+	if (write(sock, msg, len) != len)
+	{
+		plog("write(pluto_ctl) failed: %s", strerror(errno));
+		close(sock);
+		return -1;
+	}
 
-    /* TODO: read reply */
-    close(sock);
-    return 0;
+	/* TODO: read reply */
+	close(sock);
+	return 0;
 }
 
 static void
 init_whack_msg(whack_message_t *msg)
 {
-    memset(msg, 0, sizeof(whack_message_t));
-    msg->magic = WHACK_MAGIC;
+	memset(msg, 0, sizeof(whack_message_t));
+	msg->magic = WHACK_MAGIC;
 }
 
 static char *
 connection_name(starter_conn_t *conn)
 {
-    /* if connection name is '%auto', create a new name like conn_xxxxx */
-    static char buf[32];
-
-    if (streq(conn->name, "%auto"))
-    {
-	sprintf(buf, "conn_%ld", conn->id);
-	return buf;
-    }
-    return conn->name;
+	/* if connection name is '%auto', create a new name like conn_xxxxx */
+	static char buf[32];
+
+	if (streq(conn->name, "%auto"))
+	{
+		sprintf(buf, "conn_%ld", conn->id);
+		return buf;
+	}
+	return conn->name;
 }
 
 static void
 set_whack_end(whack_end_t *w, starter_end_t *end, sa_family_t family)
 {   
-    if (end->srcip && end->srcip[0] != '%')
-    {
-	int len = 0;
-	char *pos;
+	if (end->srcip && end->srcip[0] != '%')
+	{
+		int len = 0;
+		char *pos;
+
+		pos = strchr(end->srcip, '/');
+		if (pos)
+		{
+			/* use first address only for pluto */
+			len = pos - end->srcip;
+		}
+		w->has_srcip = !end->has_natip;
+		ttoaddr(end->srcip, len, ip_version(end->srcip), &w->host_srcip);
+	}
+	else
+	{
+		anyaddr(AF_INET, &w->host_srcip);       
+	}
+	
+	w->id                  = end->id;
+	w->cert                = end->cert;
+	w->ca                  = end->ca;
+	w->groups              = end->groups;
+	w->host_addr           = end->addr;
+	w->has_client          = end->has_client;
+
+	if (family == AF_INET6 && isanyaddr(&end->nexthop))
+	{
+		anyaddr(AF_INET6, &end->nexthop);
+	}
+	w->host_nexthop        = end->nexthop;
 
-	pos = strchr(end->srcip, '/');
-	if (pos)
+	if (w->has_client)
 	{
-	    /* use first address only for pluto */
-	    len = pos - end->srcip;
+		char *pos;
+		int len = 0;
+
+		pos = strchr(end->subnet, ',');
+		if (pos)
+		{
+			len = pos - end->subnet;
+		}
+		ttosubnet(end->subnet, len, ip_version(end->subnet), &w->client);
 	}
-	w->has_srcip = !end->has_natip;
-	ttoaddr(end->srcip, len, ip_version(end->srcip), &w->host_srcip);
-    }
-    else
-    {
-	anyaddr(AF_INET, &w->host_srcip);	
-    }
-    
-    w->id                  = end->id;
-    w->cert                = end->cert;
-    w->ca                  = end->ca;
-    w->groups              = end->groups;
-    w->host_addr           = end->addr;
-    w->has_client          = end->has_client;
-
-    if (family == AF_INET6 && isanyaddr(&end->nexthop))
-    {
-	anyaddr(AF_INET6, &end->nexthop);
-    }
-    w->host_nexthop        = end->nexthop;
-
-    if (w->has_client)
-    {
-	char *pos;
-	int len = 0;
-
-	pos = strchr(end->subnet, ',');
-	if (pos)
+	else
 	{
-	    len = pos - end->subnet;
+		if (end->has_virt)
+		{
+			w->virt = end->subnet;
+		}
+		w->client.addr.u.v4.sin_family = addrtypeof(&w->host_addr);
 	}
-	ttosubnet(end->subnet, len, ip_version(end->subnet), &w->client);
-    }
-    else
-    {
-	if (end->has_virt)
+
+	w->has_client_wildcard = end->has_client_wildcard;
+	w->has_port_wildcard   = end->has_port_wildcard;
+	w->has_natip           = end->has_natip;
+	w->allow_any           = end->allow_any && !end->dns_failed;
+	w->modecfg             = end->modecfg;
+	w->hostaccess          = end->hostaccess;
+	w->sendcert            = end->sendcert;
+	w->updown              = end->updown;
+	w->host_port           = IKE_UDP_PORT;
+	w->port                = end->port;
+	w->protocol            = end->protocol;
+
+	if (w->port != 0)
 	{
-	    w->virt = end->subnet;
+		int port = htons(w->port);
+
+		setportof(port, &w->host_addr);
+		setportof(port, &w->client.addr);
 	}
-	w->client.addr.u.v4.sin_family = addrtypeof(&w->host_addr);
-    }
-
-    w->has_client_wildcard = end->has_client_wildcard;
-    w->has_port_wildcard   = end->has_port_wildcard;
-    w->has_natip           = end->has_natip;
-    w->allow_any           = end->allow_any && !end->dns_failed;
-    w->modecfg             = end->modecfg;
-    w->hostaccess          = end->hostaccess;
-    w->sendcert            = end->sendcert;
-    w->updown              = end->updown;
-    w->host_port           = IKE_UDP_PORT;
-    w->port                = end->port;
-    w->protocol            = end->protocol;
-
-    if (w->port != 0)
-    {
-	int port = htons(w->port);
-
-	setportof(port, &w->host_addr);
-	setportof(port, &w->client.addr);
-    }
 }
 
 static int
 starter_whack_add_pubkey (starter_conn_t *conn, starter_end_t *end
 , const char *lr)
 {
-    const char *err;
-    static char keyspace[1024 + 4];
-    whack_message_t msg;
-
-    init_whack_msg(&msg);
-
-    msg.whack_key = TRUE;
-    msg.pubkey_alg = PUBKEY_ALG_RSA;
-    if (end->id && end->rsakey)
-    {
-	/* special values to ignore */
-	if (streq(end->rsakey, "")
-	||  streq(end->rsakey, "%none")
-	||  streq(end->rsakey, "%cert")
-	||  streq(end->rsakey, "0x00"))
-	{
-	    return 0;
-	}
-	msg.keyid = end->id;
-	err = atobytes(end->rsakey, 0, keyspace, sizeof(keyspace), &msg.keyval.len);
-	if (err)
-	{
-	    plog("conn %s/%s: rsakey malformed [%s]", connection_name(conn), lr, err);
-	    return 1;
-	}
-	else
+	const char *err;
+	static char keyspace[1024 + 4];
+	whack_message_t msg;
+
+	init_whack_msg(&msg);
+
+	msg.whack_key = TRUE;
+	msg.pubkey_alg = PUBKEY_ALG_RSA;
+	if (end->id && end->rsakey)
 	{
-	    msg.keyval.ptr = keyspace;
-	    return send_whack_msg(&msg);
+		/* special values to ignore */
+		if (streq(end->rsakey, "")
+		||  streq(end->rsakey, "%none")
+		||  streq(end->rsakey, "%cert")
+		||  streq(end->rsakey, "0x00"))
+		{
+			return 0;
+		}
+		msg.keyid = end->id;
+		err = atobytes(end->rsakey, 0, keyspace, sizeof(keyspace), &msg.keyval.len);
+		if (err)
+		{
+			plog("conn %s/%s: rsakey malformed [%s]", connection_name(conn), lr, err);
+			return 1;
+		}
+		else
+		{
+			msg.keyval.ptr = keyspace;
+			return send_whack_msg(&msg);
+		}
 	}
-    }
-    return 0;
+	return 0;
 }
 
 int
 starter_whack_add_conn(starter_conn_t *conn)
 {
-    whack_message_t msg;
-    int r;
-
-    init_whack_msg(&msg);
-
-    msg.whack_connection = TRUE;
-    msg.name = connection_name(conn);
-
-    msg.ikev1                 = conn->keyexchange != KEY_EXCHANGE_IKEV2;
-    msg.addr_family           = conn->addr_family;
-    msg.tunnel_addr_family    = conn->tunnel_addr_family;
-    msg.sa_ike_life_seconds   = conn->sa_ike_life_seconds;
-    msg.sa_ipsec_life_seconds = conn->sa_ipsec_life_seconds;
-    msg.sa_rekey_margin       = conn->sa_rekey_margin;
-    msg.sa_rekey_fuzz         = conn->sa_rekey_fuzz;
-    msg.sa_keying_tries       = conn->sa_keying_tries;
-    msg.policy                = conn->policy;
-
-    /*
-     * Make sure the IKEv2-only policy bits are unset for IKEv1 connections
-     */
-    msg.policy &= ~POLICY_DONT_REAUTH;
-    msg.policy &= ~POLICY_BEET;
-    msg.policy &= ~POLICY_MOBIKE;
-    msg.policy &= ~POLICY_FORCE_ENCAP;
-
-    set_whack_end(&msg.left, &conn->left, conn->addr_family);
-    set_whack_end(&msg.right, &conn->right, conn->addr_family);
-
-    msg.esp = conn->esp;
-    msg.ike = conn->ike;
-    msg.pfsgroup = conn->pfsgroup;
-
-    /* taken from pluto/whack.c */
-    if (msg.pfsgroup)
-    {
-	char esp_buf[256];
-
-	snprintf(esp_buf, sizeof (esp_buf), "%s;%s"
-		   , msg.esp ? msg.esp : ""
-		   , msg.pfsgroup ? msg.pfsgroup : "");
-	msg.esp = esp_buf;
-
-	DBG(DBG_CONTROL,
-	    DBG_log("Setting --esp=%s", msg.esp)
-	)
-    }
-    msg.dpd_delay   = conn->dpd_delay;
-    msg.dpd_timeout = conn->dpd_timeout;
-    msg.dpd_action  = conn->dpd_action;
+	whack_message_t msg;
+	int r;
+
+	init_whack_msg(&msg);
+
+	msg.whack_connection = TRUE;
+	msg.name = connection_name(conn);
+
+	msg.ikev1                 = conn->keyexchange != KEY_EXCHANGE_IKEV2;
+	msg.addr_family           = conn->addr_family;
+	msg.tunnel_addr_family    = conn->tunnel_addr_family;
+	msg.sa_ike_life_seconds   = conn->sa_ike_life_seconds;
+	msg.sa_ipsec_life_seconds = conn->sa_ipsec_life_seconds;
+	msg.sa_rekey_margin       = conn->sa_rekey_margin;
+	msg.sa_rekey_fuzz         = conn->sa_rekey_fuzz;
+	msg.sa_keying_tries       = conn->sa_keying_tries;
+	msg.policy                = conn->policy;
+
+	/*
+	 * Make sure the IKEv2-only policy bits are unset for IKEv1 connections
+	 */
+	msg.policy &= ~POLICY_DONT_REAUTH;
+	msg.policy &= ~POLICY_BEET;
+	msg.policy &= ~POLICY_MOBIKE;
+	msg.policy &= ~POLICY_FORCE_ENCAP;
+
+	set_whack_end(&msg.left, &conn->left, conn->addr_family);
+	set_whack_end(&msg.right, &conn->right, conn->addr_family);
+
+	msg.esp = conn->esp;
+	msg.ike = conn->ike;
+	msg.pfsgroup = conn->pfsgroup;
+
+	/* taken from pluto/whack.c */
+	if (msg.pfsgroup)
+	{
+		char esp_buf[256];
+
+		snprintf(esp_buf, sizeof (esp_buf), "%s;%s"
+				   , msg.esp ? msg.esp : ""
+				   , msg.pfsgroup ? msg.pfsgroup : "");
+		msg.esp = esp_buf;
+
+		DBG(DBG_CONTROL,
+			DBG_log("Setting --esp=%s", msg.esp)
+		)
+	}
+	msg.dpd_delay   = conn->dpd_delay;
+	msg.dpd_timeout = conn->dpd_timeout;
+	msg.dpd_action  = conn->dpd_action;
 /*  msg.dpd_count = conn->dpd_count; not supported yet by strongSwan */
 
-    r =  send_whack_msg(&msg);
+	r =  send_whack_msg(&msg);
 
-    if (r == 0 && (conn->policy & POLICY_RSASIG))
-    {
-	r += starter_whack_add_pubkey (conn, &conn->left, "left");
-	r += starter_whack_add_pubkey (conn, &conn->right, "right");
-    }
+	if (r == 0 && (conn->policy & POLICY_PUBKEY))
+	{
+		r += starter_whack_add_pubkey (conn, &conn->left, "left");
+		r += starter_whack_add_pubkey (conn, &conn->right, "right");
+	}
 
-    return r;
+	return r;
 }
 
 int
 starter_whack_del_conn(starter_conn_t *conn)
 {
-    whack_message_t msg;
+	whack_message_t msg;
 
-    init_whack_msg(&msg);
-    msg.whack_delete = TRUE;
-    msg.name = connection_name(conn);
-    return send_whack_msg(&msg);
+	init_whack_msg(&msg);
+	msg.whack_delete = TRUE;
+	msg.name = connection_name(conn);
+	return send_whack_msg(&msg);
 }
 
 int
 starter_whack_route_conn(starter_conn_t *conn)
 {
-    whack_message_t msg;
+	whack_message_t msg;
 
-    init_whack_msg(&msg);
-    msg.whack_route = TRUE;
-    msg.name = connection_name(conn);
-    return send_whack_msg(&msg);
+	init_whack_msg(&msg);
+	msg.whack_route = TRUE;
+	msg.name = connection_name(conn);
+	return send_whack_msg(&msg);
 }
 
 int
 starter_whack_initiate_conn(starter_conn_t *conn)
 {
-    whack_message_t msg;
+	whack_message_t msg;
 
-    init_whack_msg(&msg);
-    msg.whack_initiate = TRUE;
-    msg.whack_async = TRUE;
-    msg.name = connection_name(conn);
-    return send_whack_msg(&msg);
+	init_whack_msg(&msg);
+	msg.whack_initiate = TRUE;
+	msg.whack_async = TRUE;
+	msg.name = connection_name(conn);
+	return send_whack_msg(&msg);
 }
 
 int
 starter_whack_listen(void)
 {
-    whack_message_t msg;
-    init_whack_msg(&msg);
-    msg.whack_listen = TRUE;
-    return send_whack_msg(&msg);
+	whack_message_t msg;
+	init_whack_msg(&msg);
+	msg.whack_listen = TRUE;
+	return send_whack_msg(&msg);
 }
 
 int starter_whack_shutdown(void)
 {
-    whack_message_t msg;
+	whack_message_t msg;
 
-    init_whack_msg(&msg);
-    msg.whack_shutdown = TRUE;
-    return send_whack_msg(&msg);
+	init_whack_msg(&msg);
+	msg.whack_shutdown = TRUE;
+	return send_whack_msg(&msg);
 }
 
 int
 starter_whack_add_ca(starter_ca_t *ca)
 {
-    whack_message_t msg;
+	whack_message_t msg;
 
-    init_whack_msg(&msg);
+	init_whack_msg(&msg);
 
-    msg.whack_ca     = TRUE;
-    msg.name         = ca->name;
-    msg.cacert       = ca->cacert;
-    msg.ldaphost     = ca->ldaphost;
-    msg.ldapbase     = ca->ldapbase;
-    msg.crluri       = ca->crluri;
-    msg.crluri2      = ca->crluri2;
-    msg.ocspuri      = ca->ocspuri;
-    msg.whack_strict = ca->strict;
+	msg.whack_ca     = TRUE;
+	msg.name         = ca->name;
+	msg.cacert       = ca->cacert;
+	msg.ldaphost     = ca->ldaphost;
+	msg.ldapbase     = ca->ldapbase;
+	msg.crluri       = ca->crluri;
+	msg.crluri2      = ca->crluri2;
+	msg.ocspuri      = ca->ocspuri;
+	msg.whack_strict = ca->strict;
 
-    return send_whack_msg(&msg);
+	return send_whack_msg(&msg);
 }
 
 int
 starter_whack_del_ca(starter_ca_t *ca)
 {
-    whack_message_t msg;
+	whack_message_t msg;
 
-    init_whack_msg(&msg);
+	init_whack_msg(&msg);
 
-    msg.whack_delete = TRUE;
-    msg.whack_ca     = TRUE;
-    msg.name         = ca->name;
+	msg.whack_delete = TRUE;
+	msg.whack_ca     = TRUE;
+	msg.name         = ca->name;
 
-    return send_whack_msg(&msg);
+	return send_whack_msg(&msg);
 }
diff --git a/src/starter/starterwhack.h b/src/starter/starterwhack.h
index 7acc75ec0..d56b02421 100644
--- a/src/starter/starterwhack.h
+++ b/src/starter/starterwhack.h
@@ -10,8 +10,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: starterwhack.h 3267 2007-10-08 19:57:54Z andreas $
  */
 
 #ifndef _STARTER_WHACK_H_
diff --git a/src/starter/y.tab.c b/src/starter/y.tab.c
index 87abc5c33..b78c1b1f9 100644
--- a/src/starter/y.tab.c
+++ b/src/starter/y.tab.c
@@ -94,7 +94,7 @@
 
 
 /* Copy the first part of user declarations.  */
-#line 1 "parser.y"
+#line 1 "./parser.y"
 
 /* strongSwan config file parser (parser.y)
  * Copyright (C) 2001 Mathieu Lafon - Arkoon Network Security
@@ -108,8 +108,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: parser.y 3267 2007-10-08 19:57:54Z andreas $
  */
 
 #include <stdio.h>
@@ -124,7 +122,7 @@
 #include "parser.h"
 
 #define YYERROR_VERBOSE
-#define ERRSTRING_LEN	256
+#define ERRSTRING_LEN   256
 
 /**
  * Bison
@@ -170,10 +168,10 @@ extern kw_entry_t *in_word_set (char *str, unsigned int len);
 
 #if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED
 typedef union YYSTYPE
-#line 56 "parser.y"
+#line 54 "./parser.y"
 { char *s; }
 /* Line 187 of yacc.c.  */
-#line 177 "y.tab.c"
+#line 175 "y.tab.c"
 	YYSTYPE;
 # define yystype YYSTYPE /* obsolescent; will be withdrawn */
 # define YYSTYPE_IS_DECLARED 1
@@ -186,7 +184,7 @@ typedef union YYSTYPE
 
 
 /* Line 216 of yacc.c.  */
-#line 190 "y.tab.c"
+#line 188 "y.tab.c"
 
 #ifdef short
 # undef short
@@ -474,8 +472,8 @@ static const yytype_int8 yyrhs[] =
 /* YYRLINE[YYN] -- source line where rule number YYN was defined.  */
 static const yytype_uint8 yyrline[] =
 {
-       0,    67,    67,    68,    72,    77,    76,    82,    81,    99,
-      98,   115,   114,   120,   124,   125,   129,   154,   158
+       0,    65,    65,    66,    70,    75,    74,    80,    79,    96,
+      95,   111,   110,   116,   120,   121,   125,   150,   154
 };
 #endif
 
@@ -1390,106 +1388,104 @@ yyreduce:
   switch (yyn)
     {
         case 4:
-#line 73 "parser.y"
+#line 71 "./parser.y"
     {
-	free((yyvsp[(2) - (3)].s));
-    }
+		free((yyvsp[(2) - (3)].s));
+	}
     break;
 
   case 5:
-#line 77 "parser.y"
+#line 75 "./parser.y"
     {
-	_parser_kw = &(_parser_cfg->config_setup);
-	_parser_kw_last = NULL;
-    }
+		_parser_kw = &(_parser_cfg->config_setup);
+		_parser_kw_last = NULL;
+	}
     break;
 
   case 7:
-#line 82 "parser.y"
+#line 80 "./parser.y"
     {
-	section_list_t *section = (section_list_t *)alloc_thing(section_list_t
-							     , "section_list_t");
-	
-	section->name = clone_str((yyvsp[(2) - (3)].s), "conn section name");
-	section->kw = NULL;
-	section->next = NULL;
-	_parser_kw = &(section->kw);
-	if (!_parser_cfg->conn_first)
-	    _parser_cfg->conn_first = section;
-	if (_parser_cfg->conn_last)
-	    _parser_cfg->conn_last->next = section;
-	_parser_cfg->conn_last = section;
-	_parser_kw_last = NULL;
-	free((yyvsp[(2) - (3)].s));
-    }
+		section_list_t *section = malloc_thing(section_list_t);
+		
+		section->name = clone_str((yyvsp[(2) - (3)].s));
+		section->kw = NULL;
+		section->next = NULL;
+		_parser_kw = &(section->kw);
+		if (!_parser_cfg->conn_first)
+			_parser_cfg->conn_first = section;
+		if (_parser_cfg->conn_last)
+			_parser_cfg->conn_last->next = section;
+		_parser_cfg->conn_last = section;
+		_parser_kw_last = NULL;
+		free((yyvsp[(2) - (3)].s));
+	}
     break;
 
   case 9:
-#line 99 "parser.y"
+#line 96 "./parser.y"
     {
-	section_list_t *section = (section_list_t *)alloc_thing(section_list_t
-							     , "section_list_t");
-	section->name = clone_str((yyvsp[(2) - (3)].s), "ca section name");
-	section->kw = NULL;
-	section->next = NULL;
-	_parser_kw = &(section->kw);
-	if (!_parser_cfg->ca_first)
-	    _parser_cfg->ca_first = section;
-	if (_parser_cfg->ca_last)
-	    _parser_cfg->ca_last->next = section;
-	_parser_cfg->ca_last = section;
-	_parser_kw_last = NULL;
-	free((yyvsp[(2) - (3)].s));
-    }
+		section_list_t *section = malloc_thing(section_list_t);
+		section->name = clone_str((yyvsp[(2) - (3)].s));
+		section->kw = NULL;
+		section->next = NULL;
+		_parser_kw = &(section->kw);
+		if (!_parser_cfg->ca_first)
+			_parser_cfg->ca_first = section;
+		if (_parser_cfg->ca_last)
+			_parser_cfg->ca_last->next = section;
+		_parser_cfg->ca_last = section;
+		_parser_kw_last = NULL;
+		free((yyvsp[(2) - (3)].s));
+	}
     break;
 
   case 11:
-#line 115 "parser.y"
+#line 111 "./parser.y"
     {
-	extern void _parser_y_include (const char *f);
-	_parser_y_include((yyvsp[(2) - (2)].s));
-	free((yyvsp[(2) - (2)].s));
-    }
+		extern void _parser_y_include (const char *f);
+		_parser_y_include((yyvsp[(2) - (2)].s));
+		free((yyvsp[(2) - (2)].s));
+	}
     break;
 
   case 16:
-#line 130 "parser.y"
+#line 126 "./parser.y"
     {
-	kw_list_t  *new;
-	kw_entry_t *entry = in_word_set((yyvsp[(1) - (3)].s), strlen((yyvsp[(1) - (3)].s)));
+		kw_list_t  *new;
+		kw_entry_t *entry = in_word_set((yyvsp[(1) - (3)].s), strlen((yyvsp[(1) - (3)].s)));
 
-	if (entry == NULL)
-	{
-	    snprintf(errbuf, ERRSTRING_LEN, "unknown keyword '%s'", (yyvsp[(1) - (3)].s));
-	    yyerror(errbuf);
-	}
-	else if (_parser_kw)
-	{
-	    new = (kw_list_t *)alloc_thing(kw_list_t, "kw_list_t");
-	    new->entry = entry;
-	    new->value = clone_str((yyvsp[(3) - (3)].s), "kw_list value");
-	    new->next = NULL;
-	    if (_parser_kw_last)
-		_parser_kw_last->next = new;
-	    _parser_kw_last = new;
-	    if (!*_parser_kw)
-		*_parser_kw = new;
+		if (entry == NULL)
+		{
+			snprintf(errbuf, ERRSTRING_LEN, "unknown keyword '%s'", (yyvsp[(1) - (3)].s));
+			yyerror(errbuf);
+		}
+		else if (_parser_kw)
+		{
+			new = (kw_list_t *)malloc_thing(kw_list_t);
+			new->entry = entry;
+			new->value = clone_str((yyvsp[(3) - (3)].s));
+			new->next = NULL;
+			if (_parser_kw_last)
+				_parser_kw_last->next = new;
+			_parser_kw_last = new;
+			if (!*_parser_kw)
+				*_parser_kw = new;
+		}
+		free((yyvsp[(1) - (3)].s));
+		free((yyvsp[(3) - (3)].s));
 	}
-	free((yyvsp[(1) - (3)].s));
-	free((yyvsp[(3) - (3)].s));
-    }
     break;
 
   case 17:
-#line 155 "parser.y"
+#line 151 "./parser.y"
     {
-	free((yyvsp[(1) - (2)].s));
-      }
+		free((yyvsp[(1) - (2)].s));
+	  }
     break;
 
 
 /* Line 1267 of yacc.c.  */
-#line 1493 "y.tab.c"
+#line 1489 "y.tab.c"
       default: break;
     }
   YY_SYMBOL_PRINT ("-> $$ =", yyr1[yyn], &yyval, &yyloc);
@@ -1703,128 +1699,125 @@ yyreturn:
 }
 
 
-#line 161 "parser.y"
+#line 157 "./parser.y"
 
 
 void
 yyerror(const char *s)
 {
-    if (_save_errors_)
-	_parser_y_error(parser_errstring, ERRSTRING_LEN, s);
+	if (_save_errors_)
+		_parser_y_error(parser_errstring, ERRSTRING_LEN, s);
 }
 
 config_parsed_t *
 parser_load_conf(const char *file)
 {
-    config_parsed_t *cfg = NULL;
-    int err = 0;
-    FILE *f;
+	config_parsed_t *cfg = NULL;
+	int err = 0;
+	FILE *f;
 
-    extern void _parser_y_init (const char *f);
-    extern FILE *yyin;
+	extern void _parser_y_init (const char *f);
+	extern FILE *yyin;
 
-    memset(parser_errstring, 0, ERRSTRING_LEN+1);
+	memset(parser_errstring, 0, ERRSTRING_LEN+1);
 
-    cfg = (config_parsed_t *)alloc_thing(config_parsed_t, "config_parsed_t");
-    if (cfg)
-    {
-	memset(cfg, 0, sizeof(config_parsed_t));
-	f = fopen(file, "r");
-	if (f)
+	cfg = (config_parsed_t *)malloc_thing(config_parsed_t);
+	if (cfg)
 	{
-	    yyin = f;
-	    _parser_y_init(file);
-	    _save_errors_ = 1;
-	    _parser_cfg = cfg;
-
-	    if (yyparse() !=0 )
-	    {
-		if (parser_errstring[0] == '\0')
+		memset(cfg, 0, sizeof(config_parsed_t));
+		f = fopen(file, "r");
+		if (f)
 		{
-		    snprintf(parser_errstring, ERRSTRING_LEN, "Unknown error...");
+			yyin = f;
+			_parser_y_init(file);
+			_save_errors_ = 1;
+			_parser_cfg = cfg;
+
+			if (yyparse() !=0 )
+			{
+				if (parser_errstring[0] == '\0')
+				{
+					snprintf(parser_errstring, ERRSTRING_LEN, "Unknown error...");
+				}
+				_save_errors_ = 0;
+				while (yyparse() != 0);
+				err++;
+			}
+			else if (parser_errstring[0] != '\0')
+			{
+				err++;
+			}
+			else
+			{
+				/**
+				 * Config valid
+				 */
+			}
+
+			fclose(f);
+		}
+		else
+		{
+			snprintf(parser_errstring, ERRSTRING_LEN, "can't load file '%s'", file);
+			err++;
 		}
-		_save_errors_ = 0;
-		while (yyparse() != 0);
-		err++;
-	    }
-	    else if (parser_errstring[0] != '\0')
-	    {
-		err++;
-	    }
-	    else
-	    {
-		/**
-		 * Config valid
-		 */
-	    }
-
-	    fclose(f);
 	}
 	else
 	{
-	    snprintf(parser_errstring, ERRSTRING_LEN, "can't load file '%s'", file);
-	    err++;
+		snprintf(parser_errstring, ERRSTRING_LEN, "can't allocate memory");
+		err++;
 	}
-    }
-    else
-    {
-	snprintf(parser_errstring, ERRSTRING_LEN, "can't allocate memory");
-	err++;
-    }
 
-    if (err)
-    {
-	plog("%s", parser_errstring);
+	if (err)
+	{
+		plog("%s", parser_errstring);
 
-	if (cfg)
-	    parser_free_conf(cfg);
-	cfg = NULL;
-    }
+		if (cfg)
+			parser_free_conf(cfg);
+		cfg = NULL;
+	}
 
-    return cfg;
+	return cfg;
 }
 
 static void
 parser_free_kwlist(kw_list_t *list)
 {
-    kw_list_t *elt;
+	kw_list_t *elt;
 
-    while (list)
-    {
-	elt = list;
-	list = list->next;
-	if (elt->value)
-	    pfree(elt->value);
-	pfree(elt);
-    }
+	while (list)
+	{
+		elt = list;
+		list = list->next;
+		free(elt->value);
+		free(elt);
+	}
 }
 
 void
 parser_free_conf(config_parsed_t *cfg)
 {
-    section_list_t *sec;
-    if (cfg)
-    {
-	parser_free_kwlist(cfg->config_setup);
-	while (cfg->conn_first)
-	{
-	    sec = cfg->conn_first;
-	    cfg->conn_first = cfg->conn_first->next;
-	    if (sec->name)
-		pfree(sec->name);
-	    parser_free_kwlist(sec->kw);
-	    pfree(sec);
-	}
-	while (cfg->ca_first)
+	section_list_t *sec;
+	if (cfg)
 	{
-	    sec = cfg->ca_first;
-	    cfg->ca_first = cfg->ca_first->next;
-	    if (sec->name)
-		pfree(sec->name);
-	    parser_free_kwlist(sec->kw);
-	    pfree(sec);
+		parser_free_kwlist(cfg->config_setup);
+		while (cfg->conn_first)
+		{
+			sec = cfg->conn_first;
+			cfg->conn_first = cfg->conn_first->next;
+			free(sec->name);
+			parser_free_kwlist(sec->kw);
+			free(sec);
+		}
+		while (cfg->ca_first)
+		{
+			sec = cfg->ca_first;
+			cfg->ca_first = cfg->ca_first->next;
+			free(sec->name);
+			parser_free_kwlist(sec->kw);
+			free(sec);
+		}
+		free(cfg);
 	}
-	pfree(cfg);
-    }
 }
 
diff --git a/src/starter/y.tab.h b/src/starter/y.tab.h
index 1cf56de3a..871de1e97 100644
--- a/src/starter/y.tab.h
+++ b/src/starter/y.tab.h
@@ -68,7 +68,7 @@
 
 #if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED
 typedef union YYSTYPE
-#line 56 "parser.y"
+#line 54 "./parser.y"
 { char *s; }
 /* Line 1489 of yacc.c.  */
 #line 75 "y.tab.h"
diff --git a/src/stroke/Makefile.am b/src/stroke/Makefile.am
index df20252e2..afca95fce 100644
--- a/src/stroke/Makefile.am
+++ b/src/stroke/Makefile.am
@@ -3,8 +3,9 @@ ipsec_PROGRAMS = stroke
 stroke_SOURCES = stroke.c stroke_msg.h stroke_keywords.c stroke_keywords.h
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
 EXTRA_DIST = stroke_keywords.txt
+BUILT_SOURCES = stroke_keywords.c
 MAINTAINERCLEANFILES = stroke_keywords.c
 AM_CFLAGS = -DIPSEC_PIDDIR=\"${piddir}\"
 
-stroke_keywords.c:	stroke_keywords.txt stroke_keywords.h
-		$(GPERF) -C -G -t < $< > $@
+stroke_keywords.c:	$(srcdir)/stroke_keywords.txt $(srcdir)/stroke_keywords.h
+		$(GPERF) -m 10 -D -C -G -t < $(srcdir)/stroke_keywords.txt > $@
diff --git a/src/stroke/Makefile.in b/src/stroke/Makefile.in
index 0d78d9425..dde80348e 100644
--- a/src/stroke/Makefile.in
+++ b/src/stroke/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -79,6 +79,7 @@ CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -101,6 +102,9 @@ LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -112,6 +116,7 @@ MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
 NM = @NM@
 NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
@@ -125,6 +130,8 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 RANLIB = @RANLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -185,6 +192,7 @@ oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
 plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -196,6 +204,7 @@ srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 xml_CFLAGS = @xml_CFLAGS@
@@ -203,9 +212,11 @@ xml_LIBS = @xml_LIBS@
 stroke_SOURCES = stroke.c stroke_msg.h stroke_keywords.c stroke_keywords.h
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
 EXTRA_DIST = stroke_keywords.txt
+BUILT_SOURCES = stroke_keywords.c
 MAINTAINERCLEANFILES = stroke_keywords.c
 AM_CFLAGS = -DIPSEC_PIDDIR=\"${piddir}\"
-all: all-am
+all: $(BUILT_SOURCES)
+	$(MAKE) $(AM_MAKEFLAGS) all-am
 
 .SUFFIXES:
 .SUFFIXES: .c .lo .o .obj
@@ -213,8 +224,8 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
 	    *$$dep*) \
-	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
-		&& exit 0; \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
 	      exit 1;; \
 	  esac; \
 	done; \
@@ -311,7 +322,7 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
 	mkid -fID $$unique
 tags: TAGS
@@ -380,13 +391,15 @@ distdir: $(DISTFILES)
 	  fi; \
 	done
 check-am: all-am
-check: check-am
+check: $(BUILT_SOURCES)
+	$(MAKE) $(AM_MAKEFLAGS) check-am
 all-am: Makefile $(PROGRAMS)
 installdirs:
 	for dir in "$(DESTDIR)$(ipsecdir)"; do \
 	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
 	done
-install: install-am
+install: $(BUILT_SOURCES)
+	$(MAKE) $(AM_MAKEFLAGS) install-am
 install-exec: install-exec-am
 install-data: install-data-am
 uninstall: uninstall-am
@@ -410,6 +423,7 @@ distclean-generic:
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
 	@echo "it deletes files that may require special tools to rebuild."
+	-test -z "$(BUILT_SOURCES)" || rm -f $(BUILT_SOURCES)
 	-test -z "$(MAINTAINERCLEANFILES)" || rm -f $(MAINTAINERCLEANFILES)
 clean: clean-am
 
@@ -487,8 +501,8 @@ uninstall-am: uninstall-ipsecPROGRAMS
 	tags uninstall uninstall-am uninstall-ipsecPROGRAMS
 
 
-stroke_keywords.c:	stroke_keywords.txt stroke_keywords.h
-		$(GPERF) -C -G -t < $< > $@
+stroke_keywords.c:	$(srcdir)/stroke_keywords.txt $(srcdir)/stroke_keywords.h
+		$(GPERF) -m 10 -D -C -G -t < $(srcdir)/stroke_keywords.txt > $@
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/src/stroke/stroke.c b/src/stroke/stroke.c
index 01cbcb5b0..c27a8ca3e 100644
--- a/src/stroke/stroke.c
+++ b/src/stroke/stroke.c
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: stroke.c 4783 2008-12-10 13:00:02Z martin $
  */
 
 #include <stdlib.h>
@@ -27,6 +25,7 @@
 #include <errno.h>
 #include <stdio.h>
 #include <stddef.h>
+#include <string.h>
 
 #include "stroke_msg.h"
 #include "stroke_keywords.h"
@@ -54,10 +53,13 @@ static char* push_string(stroke_msg_t *msg, char *string)
 
 static int send_stroke_msg (stroke_msg_t *msg)
 {
-	struct sockaddr_un ctl_addr = { AF_UNIX, STROKE_SOCKET };
+	struct sockaddr_un ctl_addr;
 	int sock;
 	char buffer[64];
 	int byte_count;
+
+	ctl_addr.sun_family = AF_UNIX;
+	strcpy(ctl_addr.sun_path, STROKE_SOCKET);
 	
 	msg->output_verbosity = 1; /* CONTROL */
 	
@@ -246,7 +248,8 @@ static int reread(stroke_keyword_t kw)
 }
 
 static int purge_flags[] = {
-	PURGE_OCSP
+	PURGE_OCSP,
+	PURGE_IKE,
 };
 
 static int purge(stroke_keyword_t kw)
@@ -330,6 +333,8 @@ static void exit_usage(char *error)
 	printf("    stroke rereadsecrets|rereadcrls|rereadall\n");
 	printf("  Purge ocsp cache entries:\n");
 	printf("    stroke purgeocsp\n");
+	printf("  Purge IKE_SAs without a CHILD_SA:\n");
+	printf("    stroke purgeike\n");
 	printf("  Show leases of a pool:\n");
 	printf("    stroke leases [POOL [ADDRESS]]\n");
 	exit_error(error);
@@ -441,6 +446,7 @@ int main(int argc, char *argv[])
 			res = reread(token->kw);
 			break;
 		case STROKE_PURGE_OCSP:
+		case STROKE_PURGE_IKE:
 			res = purge(token->kw);
 			break;
 		case STROKE_LEASES:
diff --git a/src/stroke/stroke_keywords.c b/src/stroke/stroke_keywords.c
index a5d17edc2..bb9705743 100644
--- a/src/stroke/stroke_keywords.c
+++ b/src/stroke/stroke_keywords.c
@@ -1,5 +1,5 @@
 /* C code produced by gperf version 3.0.3 */
-/* Command-line: /usr/bin/gperf -C -G -t  */
+/* Command-line: /usr/bin/gperf -m 10 -D -C -G -t  */
 /* Computed positions: -k'1,5,7' */
 
 #if !((' ' == 32) && ('!' == 33) && ('"' == 34) && ('#' == 35) \
@@ -43,8 +43,6 @@ error "gperf generated tables don't work with this execution character set. Plea
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: stroke_keywords.txt 4783 2008-12-10 13:00:02Z martin $
  */
 
 #include <string.h>
@@ -56,12 +54,12 @@ struct stroke_token {
     stroke_keyword_t kw;
 };
 
-#define TOTAL_KEYWORDS 32
+#define TOTAL_KEYWORDS 33
 #define MIN_WORD_LENGTH 2
 #define MAX_WORD_LENGTH 15
 #define MIN_HASH_VALUE 3
-#define MAX_HASH_VALUE 65
-/* maximum key range = 63, duplicates = 0 */
+#define MAX_HASH_VALUE 39
+/* maximum key range = 37, duplicates = 0 */
 
 #ifdef __GNUC__
 __inline
@@ -77,32 +75,32 @@ hash (str, len)
 {
   static const unsigned char asso_values[] =
     {
-      66, 66, 66, 66, 66, 66, 66, 66, 66, 66,
-      66, 66, 66, 66, 66, 66, 66, 66, 66, 66,
-      66, 66, 66, 66, 66, 66, 66, 66, 66, 66,
-      66, 66, 66, 66, 66, 66, 66, 66, 66, 66,
-      66, 66, 66, 66, 66,  0, 66, 66, 66, 66,
-      66, 66, 66, 66, 66, 66, 66, 66, 66, 66,
-      66, 66, 66, 66, 66, 66, 66, 66, 66, 66,
-      66, 66, 66, 66, 66, 66, 66, 66, 66, 66,
-      66, 66, 66, 66, 66, 66, 66, 66, 66, 66,
-      66, 66, 66, 66, 66, 66, 66,  0,  0,  5,
-      45,  0, 66, 10, 66, 15, 66, 66,  0, 66,
-      66, 20,  0, 66, 10, 10,  0, 10, 66, 66,
-      66, 66, 66, 66, 66, 66, 66, 66, 66, 66,
-      66, 66, 66, 66, 66, 66, 66, 66, 66, 66,
-      66, 66, 66, 66, 66, 66, 66, 66, 66, 66,
-      66, 66, 66, 66, 66, 66, 66, 66, 66, 66,
-      66, 66, 66, 66, 66, 66, 66, 66, 66, 66,
-      66, 66, 66, 66, 66, 66, 66, 66, 66, 66,
-      66, 66, 66, 66, 66, 66, 66, 66, 66, 66,
-      66, 66, 66, 66, 66, 66, 66, 66, 66, 66,
-      66, 66, 66, 66, 66, 66, 66, 66, 66, 66,
-      66, 66, 66, 66, 66, 66, 66, 66, 66, 66,
-      66, 66, 66, 66, 66, 66, 66, 66, 66, 66,
-      66, 66, 66, 66, 66, 66, 66, 66, 66, 66,
-      66, 66, 66, 66, 66, 66, 66, 66, 66, 66,
-      66, 66, 66, 66, 66, 66
+      40, 40, 40, 40, 40, 40, 40, 40, 40, 40,
+      40, 40, 40, 40, 40, 40, 40, 40, 40, 40,
+      40, 40, 40, 40, 40, 40, 40, 40, 40, 40,
+      40, 40, 40, 40, 40, 40, 40, 40, 40, 40,
+      40, 40, 40, 40, 40, 17, 40, 40, 40, 40,
+      40, 40, 40, 40, 40, 40, 40, 40, 40, 40,
+      40, 40, 40, 40, 40, 40, 40, 40, 40, 40,
+      40, 40, 40, 40, 40, 40, 40, 40, 40, 40,
+      40, 40, 40, 40, 40, 40, 40, 40, 40, 40,
+      40, 40, 40, 40, 40, 40, 40,  0,  4,  1,
+       1,  0, 40, 17, 40, 18, 40,  4,  0, 40,
+      40, 12, 17, 40,  6,  3, 19, 12, 40, 40,
+      40, 40, 40, 40, 40, 40, 40, 40, 40, 40,
+      40, 40, 40, 40, 40, 40, 40, 40, 40, 40,
+      40, 40, 40, 40, 40, 40, 40, 40, 40, 40,
+      40, 40, 40, 40, 40, 40, 40, 40, 40, 40,
+      40, 40, 40, 40, 40, 40, 40, 40, 40, 40,
+      40, 40, 40, 40, 40, 40, 40, 40, 40, 40,
+      40, 40, 40, 40, 40, 40, 40, 40, 40, 40,
+      40, 40, 40, 40, 40, 40, 40, 40, 40, 40,
+      40, 40, 40, 40, 40, 40, 40, 40, 40, 40,
+      40, 40, 40, 40, 40, 40, 40, 40, 40, 40,
+      40, 40, 40, 40, 40, 40, 40, 40, 40, 40,
+      40, 40, 40, 40, 40, 40, 40, 40, 40, 40,
+      40, 40, 40, 40, 40, 40, 40, 40, 40, 40,
+      40, 40, 40, 40, 40, 40
     };
   register int hval = len;
 
@@ -127,53 +125,46 @@ hash (str, len)
 
 static const struct stroke_token wordlist[] =
   {
-    {""}, {""}, {""},
     {"add",             STROKE_ADD},
-    {""}, {""},
+    {"del",             STROKE_DEL},
+    {"down",            STROKE_DOWN},
     {"leases",          STROKE_LEASES},
     {"listall",         STROKE_LIST_ALL},
     {"loglevel",        STROKE_LOGLEVEL},
-    {""},
-    {"listacerts",      STROKE_LIST_ACERTS},
-    {"listpubkeys",     STROKE_LIST_PUBKEYS},
-    {"up",              STROKE_UP},
     {"listcrls",        STROKE_LIST_CRLS},
-    {"purgeocsp",       STROKE_PURGE_OCSP},
+    {"listacerts",      STROKE_LIST_ACERTS},
     {"route",           STROKE_ROUTE},
     {"listaacerts",     STROKE_LIST_AACERTS},
-    {""},
-    {"listalgs",        STROKE_LIST_ALGS},
-    {"rereadall",       STROKE_REREAD_ALL},
-    {""},
     {"listcacerts",     STROKE_LIST_CACERTS},
-    {"rereadacerts",    STROKE_REREAD_ACERTS},
-    {"rereadaacerts",   STROKE_REREAD_AACERTS},
+    {"up",              STROKE_UP},
+    {"rereadall",       STROKE_REREAD_ALL},
     {"listcerts",       STROKE_LIST_CERTS},
     {"rereadcrls",      STROKE_REREAD_CRLS},
-    {"status",          STROKE_STATUS},
-    {"unroute",         STROKE_UNROUTE},
+    {"rereadacerts",    STROKE_REREAD_ACERTS},
+    {"rereadaacerts",   STROKE_REREAD_AACERTS},
     {"rereadcacerts",   STROKE_REREAD_CACERTS},
-    {"statusall",       STROKE_STATUSALL},
-    {""},
-    {"listcainfos",     STROKE_LIST_CAINFOS},
-    {""},
+    {"status",          STROKE_STATUS},
     {"rereadsecrets",   STROKE_REREAD_SECRETS},
-    {""}, {""}, {""}, {""},
     {"listocsp",        STROKE_LIST_OCSP},
-    {""},
-    {"listgroups",      STROKE_LIST_GROUPS},
-    {""}, {""},
+    {"statusall",       STROKE_STATUSALL},
+    {"listalgs",        STROKE_LIST_ALGS},
+    {"delete",          STROKE_DELETE},
+    {"purgeocsp",       STROKE_PURGE_OCSP},
     {"listocspcerts",   STROKE_LIST_OCSPCERTS},
-    {""},
+    {"purgeike",        STROKE_PURGE_IKE},
+    {"listcainfos",     STROKE_LIST_CAINFOS},
+    {"unroute",         STROKE_UNROUTE},
+    {"listpubkeys",     STROKE_LIST_PUBKEYS},
     {"rereadocspcerts", STROKE_REREAD_OCSPCERTS},
-    {""}, {""},
-    {"del",             STROKE_DEL},
-    {"down",            STROKE_DOWN},
-    {""},
-    {"delete",          STROKE_DELETE},
-    {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""},
-    {""}, {""}, {""}, {""},
-    {"down-srcip",      STROKE_DOWN_SRCIP}
+    {"down-srcip",      STROKE_DOWN_SRCIP},
+    {"listgroups",      STROKE_LIST_GROUPS}
+  };
+
+static const short lookup[] =
+  {
+    -1, -1, -1,  0,  1,  2,  3,  4,  5,  6,  7,  8,  9, 10,
+    11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24,
+    25, 26, 27, 28, 29, 30, 31, -1, -1, -1, -1, 32
   };
 
 #ifdef __GNUC__
@@ -193,10 +184,15 @@ in_word_set (str, len)
 
       if (key <= MAX_HASH_VALUE && key >= 0)
         {
-          register const char *s = wordlist[key].name;
+          register int index = lookup[key];
+
+          if (index >= 0)
+            {
+              register const char *s = wordlist[index].name;
 
-          if (*str == *s && !strcmp (str + 1, s + 1))
-            return &wordlist[key];
+              if (*str == *s && !strcmp (str + 1, s + 1))
+                return &wordlist[index];
+            }
         }
     }
   return 0;
diff --git a/src/stroke/stroke_keywords.h b/src/stroke/stroke_keywords.h
index e089b5660..6332000db 100644
--- a/src/stroke/stroke_keywords.h
+++ b/src/stroke/stroke_keywords.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: stroke_keywords.h 4783 2008-12-10 13:00:02Z martin $
  */
 
 #ifndef _STROKE_KEYWORDS_H_
@@ -50,6 +48,7 @@ typedef enum {
 	STROKE_REREAD_CRLS,
 	STROKE_REREAD_ALL,
 	STROKE_PURGE_OCSP,
+	STROKE_PURGE_IKE,
 	STROKE_LEASES
 } stroke_keyword_t;
 
diff --git a/src/stroke/stroke_keywords.txt b/src/stroke/stroke_keywords.txt
index 3ec259a24..96fa0bf3a 100644
--- a/src/stroke/stroke_keywords.txt
+++ b/src/stroke/stroke_keywords.txt
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: stroke_keywords.txt 4783 2008-12-10 13:00:02Z martin $
  */
 
 #include <string.h>
@@ -57,4 +55,5 @@ rereadacerts,    STROKE_REREAD_ACERTS
 rereadcrls,      STROKE_REREAD_CRLS
 rereadall,       STROKE_REREAD_ALL
 purgeocsp,       STROKE_PURGE_OCSP
+purgeike,        STROKE_PURGE_IKE
 leases,          STROKE_LEASES
diff --git a/src/stroke/stroke_msg.h b/src/stroke/stroke_msg.h
index 81ad2e397..704c88c58 100644
--- a/src/stroke/stroke_msg.h
+++ b/src/stroke/stroke_msg.h
@@ -18,8 +18,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: stroke_msg.h 4783 2008-12-10 13:00:02Z martin $
  */
 
 #ifndef STROKE_MSG_H_
@@ -105,6 +103,8 @@ enum purge_flag_t {
 	PURGE_NONE =		0x0000,
 	/** purge ocsp cache entries */
 	PURGE_OCSP =		0x0001,
+	/** purge IKE_SAs without a CHILD_SA */
+	PURGE_IKE =			0x0002,
 };
 
 /**
@@ -123,9 +123,15 @@ typedef struct stroke_end_t stroke_end_t;
  * definition of a peer in a stroke message
  */
 struct stroke_end_t {
+	char *auth;
+	char *auth2;
 	char *id;
+	char *id2;
+	char *eap_id;
 	char *cert;
+	char *cert2;
 	char *ca;
+	char *ca2;
 	char *groups;
 	char *updown;
 	char *address;
@@ -206,6 +212,7 @@ struct stroke_msg_t {
 		struct {
 			char *name;
 			int ikev2;
+			/* next three are deprecated, use stroke_end_t.auth instead */
 			int auth_method;
 			u_int32_t eap_type;
 			u_int32_t eap_vendor;
diff --git a/src/strongswan.conf b/src/strongswan.conf
index 661792a67..0ec4ae9ef 100644
--- a/src/strongswan.conf
+++ b/src/strongswan.conf
@@ -6,12 +6,11 @@ charon {
 	threads = 16
 	
 	# plugins to load in charon
-	# load = aes des gmp hmac md5 random sha1 sha2 pubkey xcbc x509 stroke
+	# load = aes des sha1 md5 sha2 hmac gmp random pubkey xcbc x509 stroke
 	
 	plugins {
-	
+
 		sql {
-		
 			# loglevel to log into sql database
 			loglevel = -1
 			
@@ -23,3 +22,16 @@ charon {
 	
 	# ...
 }
+
+pluto {
+
+	# plugins to load in pluto
+	# load = aes des sha1 md5 sha2 hmac gmp random pubkey
+	
+}
+
+libstrongswan {
+
+	#  set to no, the DH exponent size is optimized
+	#  dh_exponent_ansi_x9_42 = no
+}
diff --git a/src/whack/Makefile.am b/src/whack/Makefile.am
index 985245026..27f856231 100644
--- a/src/whack/Makefile.am
+++ b/src/whack/Makefile.am
@@ -1,8 +1,15 @@
 ipsec_PROGRAMS = whack
 
 whack_SOURCES = whack.c whack.h
-INCLUDES = -I$(top_srcdir)/src/libfreeswan -I$(top_srcdir)/src/pluto
-whack_LDADD = $(top_builddir)/src/libfreeswan/libfreeswan.a
+
+INCLUDES = \
+-I$(top_srcdir)/src/libstrongswan \
+-I$(top_srcdir)/src/libfreeswan \
+-I$(top_srcdir)/src/pluto
+
+whack_LDADD = \
+$(top_builddir)/src/libstrongswan/libstrongswan.la \
+$(top_builddir)/src/libfreeswan/libfreeswan.a
 
 AM_CFLAGS = -DDEBUG
 
diff --git a/src/whack/Makefile.in b/src/whack/Makefile.in
index 5c9762cd3..7e2be4d1b 100644
--- a/src/whack/Makefile.in
+++ b/src/whack/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -46,7 +46,9 @@ ipsecPROGRAMS_INSTALL = $(INSTALL_PROGRAM)
 PROGRAMS = $(ipsec_PROGRAMS)
 am_whack_OBJECTS = whack.$(OBJEXT)
 whack_OBJECTS = $(am_whack_OBJECTS)
-whack_DEPENDENCIES = $(top_builddir)/src/libfreeswan/libfreeswan.a
+whack_DEPENDENCIES =  \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la \
+	$(top_builddir)/src/libfreeswan/libfreeswan.a
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
@@ -79,6 +81,7 @@ CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -101,6 +104,9 @@ LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -112,6 +118,7 @@ MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
 NM = @NM@
 NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
@@ -125,6 +132,8 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 RANLIB = @RANLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -185,6 +194,7 @@ oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
 plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -196,13 +206,21 @@ srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 whack_SOURCES = whack.c whack.h
-INCLUDES = -I$(top_srcdir)/src/libfreeswan -I$(top_srcdir)/src/pluto
-whack_LDADD = $(top_builddir)/src/libfreeswan/libfreeswan.a
+INCLUDES = \
+-I$(top_srcdir)/src/libstrongswan \
+-I$(top_srcdir)/src/libfreeswan \
+-I$(top_srcdir)/src/pluto
+
+whack_LDADD = \
+$(top_builddir)/src/libstrongswan/libstrongswan.la \
+$(top_builddir)/src/libfreeswan/libfreeswan.a
+
 AM_CFLAGS = -DDEBUG
 all: all-am
 
@@ -212,8 +230,8 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
 	    *$$dep*) \
-	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
-		&& exit 0; \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
 	      exit 1;; \
 	  esac; \
 	done; \
@@ -309,7 +327,7 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
 	mkid -fID $$unique
 tags: TAGS
diff --git a/src/whack/whack.c b/src/whack/whack.c
index a4236a8b4..28112500e 100644
--- a/src/whack/whack.c
+++ b/src/whack/whack.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: whack.c 4632 2008-11-11 18:37:19Z martin $
  */
 
 #include <stdio.h>
@@ -32,248 +30,263 @@
 
 #include <freeswan.h>
 
+#include <utils/optionsfrom.h>
+
 #include "constants.h"
 #include "defs.h"
 #include "whack.h"
 
-static void
-help(void)
+static void help(void)
 {
-    fprintf(stderr
-	, "Usage:\n\n"
-	"all forms:"
-	    " [--optionsfrom <filename>]"
-	    " [--ctlbase <path>]"
-	    " [--label <string>]"
-	    "\n\n"
-	"help: whack"
-	    " [--help]"
-	    " [--version]"
-	    "\n\n"
-	"connection: whack"
-	    " --name <connection_name>"
-	    " \\\n   "
-	    " [--ipv4 | --ipv6]"
-	    " [--tunnelipv4 | --tunnelipv6]"
-	    " \\\n   "
-	    " (--host <ip-address> | --id <identity>)"
-	    " \\\n   "
-	    " [--cert <path>]"
-	    " [--ca <distinguished name>]"
-	    " [--sendcert <policy>]"
-	    " \\\n   "
-	    " [--groups <access control groups>]"
-	    " \\\n   "
-	    " [--ikeport <port-number>]"
-	    " [--nexthop <ip-address>]"
-	    " [--srcip <ip-address>]"
-	    " \\\n   "
-	    " [--client <subnet> | --clientwithin <address range>]"
-	    " [--clientprotoport <protocol>/<port>]"
-	    " \\\n   "
-	    " [--dnskeyondemand]"
-	    " [--updown <updown>]"
-	    " \\\n   "
-	    " --to"
-	    " (--host <ip-address> | --id <identity>)"
-	    " \\\n   "
-	    " [--cert <path>]"
-	    " [--ca <distinguished name>]"
-	    " [--sendcert <policy>]"
-	    " \\\n   "
-	    " [--ikeport <port-number>]"
-	    " [--nexthop <ip-address>]"
-	    " [--srcip <ip-address>]"
-	    " \\\n   "
-	    " [--client <subnet> | --clientwithin <address range>]"
-	    " [--clientprotoport <protocol>/<port>]"
-	    " \\\n   "
-	    " [--dnskeyondemand]"
-	    " [--updown <updown>]"
-	    " [--psk]"
-	    " [--rsasig]"
-	    " \\\n   "
-	    " [--encrypt]"
-	    " [--authenticate]"
-	    " [--compress]"
-	    " [--tunnel]"
-	    " [--pfs]"
-	    " \\\n   "
-	    " [--ikelifetime <seconds>]"
-	    " [--ipseclifetime <seconds>]"
-	    " \\\n   "
-	    " [--reykeymargin <seconds>]"
-	    " [--reykeyfuzz <percentage>]"
-	    " \\\n   "
-	    " [--keyingtries <count>]"
-	    " \\\n   "
-	    " [--esp <esp-algos>]"
-	    " \\\n   "
-	    " [--dontrekey]"
-
-            " [--dpdaction (none|clear|hold|restart)]"
-	    " \\\n   "
-            " [--dpddelay <seconds> --dpdtimeout <seconds>]"
-            " \\\n   "
-	    " [--initiateontraffic|--pass|--drop|--reject]"
-	    " \\\n   "
-	    " [--failnone|--failpass|--faildrop|--failreject]"
-	    "\n\n"
-	"routing: whack"
-	    " (--route | --unroute)"
-	    " --name <connection_name>"
-	    "\n\n"
-	"initiation:"
-	    "\n "
-	    " whack"
-	    " (--initiate | --terminate)"
-	    " --name <connection_name>"
-	    " [--asynchronous]"
-	    "\n\n"
-	"opportunistic initiation: whack"
-	    " [--tunnelipv4 | --tunnelipv6]"
-	    " \\\n   "
-	    " --oppohere <ip-address>"
-	    " --oppothere <ip-address>"
-	    "\n\n"
-	"delete: whack"
-	    " --delete"
-	    " (--name <connection_name> | --caname <ca name>)"
-	    "\n\n"
-	"deletestate: whack"
-	    " --deletestate <state_object_number>"
-            " --crash <ip-address>"
-	    "\n\n"
-	"pubkey: whack"
-	    " --keyid <id>"
-	    " [--addkey]"
-	    " [--pubkeyrsa <key>]"
-	    "\n\n"
-	"myid: whack"
-	    " --myid <id>"
-	    "\n\n"
-	"ca: whack"
-	    " --caname <name>"
-	    " --cacert <path>"
-	    " \\\n   "
-	    " [--ldaphost <hostname>]"
-	    " [--ldapbase <base>]"
-	    " \\\n   "
-	    " [--crluri <uri>]"
-	    " [--crluri2 <uri>]"
-	    " [--ocspuri <uri>]"
-	    " [--strictcrlpolicy]"
-	    "\n\n"
+	fprintf(stderr
+		, "Usage:\n\n"
+		"all forms:"
+			" [--optionsfrom <filename>]"
+			" [--ctlbase <path>]"
+			" [--label <string>]"
+			"\n\n"
+		"help: whack"
+			" [--help]"
+			" [--version]"
+			"\n\n"
+		"connection: whack"
+			" --name <connection_name>"
+			" \\\n   "
+			" [--ipv4 | --ipv6]"
+			" [--tunnelipv4 | --tunnelipv6]"
+			" \\\n   "
+			" (--host <ip-address> | --id <identity>)"
+			" \\\n   "
+			" [--cert <path>]"
+			" [--ca <distinguished name>]"
+			" [--sendcert <policy>]"
+			" \\\n   "
+			" [--groups <access control groups>]"
+			" \\\n   "
+			" [--ikeport <port-number>]"
+			" [--nexthop <ip-address>]"
+			" [--srcip <ip-address>]"
+			" \\\n   "
+			" [--client <subnet> | --clientwithin <address range>]"
+			" [--clientprotoport <protocol>/<port>]"
+			" \\\n   "
+			" [--dnskeyondemand]"
+			" [--updown <updown>]"
+			" \\\n   "
+			" --to"
+			" (--host <ip-address> | --id <identity>)"
+			" \\\n   "
+			" [--cert <path>]"
+			" [--ca <distinguished name>]"
+			" [--sendcert <policy>]"
+			" \\\n   "
+			" [--ikeport <port-number>]"
+			" [--nexthop <ip-address>]"
+			" [--srcip <ip-address>]"
+			" \\\n   "
+			" [--client <subnet> | --clientwithin <address range>]"
+			" [--clientprotoport <protocol>/<port>]"
+			" \\\n   "
+			" [--dnskeyondemand]"
+			" [--updown <updown>]"
+			" [--psk]"
+			" [--rsasig]"
+			" \\\n   "
+			" [--encrypt]"
+			" [--authenticate]"
+			" [--compress]"
+			" [--tunnel]"
+			" [--pfs]"
+			" \\\n   "
+			" [--ikelifetime <seconds>]"
+			" [--ipseclifetime <seconds>]"
+			" \\\n   "
+			" [--reykeymargin <seconds>]"
+			" [--reykeyfuzz <percentage>]"
+			" \\\n   "
+			" [--keyingtries <count>]"
+			" \\\n   "
+			" [--esp <esp-algos>]"
+			" \\\n   "
+			" [--dontrekey]"
+
+			" [--dpdaction (none|clear|hold|restart)]"
+			" \\\n   "
+			" [--dpddelay <seconds> --dpdtimeout <seconds>]"
+			" \\\n   "
+			" [--initiateontraffic|--pass|--drop|--reject]"
+			" \\\n   "
+			" [--failnone|--failpass|--faildrop|--failreject]"
+			"\n\n"
+		"routing: whack"
+			" (--route | --unroute)"
+			" --name <connection_name>"
+			"\n\n"
+		"initiation:"
+			"\n "
+			" whack"
+			" (--initiate | --terminate)"
+			" --name <connection_name>"
+			" [--asynchronous]"
+			"\n\n"
+		"opportunistic initiation: whack"
+			" [--tunnelipv4 | --tunnelipv6]"
+			" \\\n   "
+			" --oppohere <ip-address>"
+			" --oppothere <ip-address>"
+			"\n\n"
+		"delete: whack"
+			" --delete"
+			" (--name <connection_name> | --caname <ca name>)"
+			"\n\n"
+		"deletestate: whack"
+			" --deletestate <state_object_number>"
+			" --crash <ip-address>"
+			"\n\n"
+		"pubkey: whack"
+			" --keyid <id>"
+			" [--addkey]"
+			" [--pubkeyrsa <key>]"
+			"\n\n"
+		"myid: whack"
+			" --myid <id>"
+			"\n\n"
+		"ca: whack"
+			" --caname <name>"
+			" --cacert <path>"
+			" \\\n   "
+			" [--ldaphost <hostname>]"
+			" [--ldapbase <base>]"
+			" \\\n   "
+			" [--crluri <uri>]"
+			" [--crluri2 <uri>]"
+			" [--ocspuri <uri>]"
+			" [--strictcrlpolicy]"
+			"\n\n"
 #ifdef DEBUG
-	"debug: whack [--name <connection_name>]"
-	    " \\\n   "
-	    " [--debug-none]"
-	    " [--debug-all]"
-	    " \\\n   "
-	    " [--debug-raw]"
-	    " [--debug-crypt]"
-	    " [--debug-parsing]"
-	    " [--debug-emitting]"
-	    " \\\n   "
-	    " [--debug-control]"
-	    " [--debug-lifecycle]"
-	    " [--debug-klips]"
-	    " [--debug-dns]"
-	    " \\\n   "
-	    " [--debug-natt]"
-	    " [--debug-oppo]"
-	    " [--debug-controlmore]"
-	    " [--debug-private]"
-	    "\n\n"
+		"debug: whack [--name <connection_name>]"
+			" \\\n   "
+			" [--debug-none]"
+			" [--debug-all]"
+			" \\\n   "
+			" [--debug-raw]"
+			" [--debug-crypt]"
+			" [--debug-parsing]"
+			" [--debug-emitting]"
+			" \\\n   "
+			" [--debug-control]"
+			" [--debug-lifecycle]"
+			" [--debug-klips]"
+			" [--debug-dns]"
+			" \\\n   "
+			" [--debug-natt]"
+			" [--debug-oppo]"
+			" [--debug-controlmore]"
+			" [--debug-private]"
+			"\n\n"
 #endif
-	"listen: whack"
-	    " (--listen | --unlisten)"
-	    "\n\n"
-	"list: whack [--utc]"
-	    " [--listalgs]"
-	    " [--listpubkeys]"
-	    " [--listcerts]"
-	    " [--listcacerts]"
-	    " \\\n   "
-	    " [--listacerts]"
-	    " [--listaacerts]"
-	    " [--listocspcerts]"
-	    " [--listgroups]"
-	    " \\\n   "
-	    " [--listcainfos]"
-	    " [--listcrls]"
-	    " [--listocsp]"
-	    " [--listcards]"
-	    " [--listall]"
-	    "\n\n"
-	"purge: whack"
-	    " [--purgeocsp]"
-	    "\n\n"
-	"reread: whack"
-	    " [--rereadsecrets]"
-	    " [--rereadcacerts]"
-	    " [--rereadaacerts]"
-	    " \\\n   "
-	    " [--rereadocspcerts]"
-	    " [--rereadacerts]"
-	    " [--rereadcrls]"
-	    " [--rereadall]"
-	    "\n\n"
-	"status: whack"
-	    " [--name <connection_name>] --status|--statusall"
-	    "\n\n"
-	"scdecrypt: whack"
-	    " --scencrypt|scdecrypt <value>"
-	    " [--inbase <base>]"
-	    " [--outbase <base>]"
-	    " [--keyid <id>]"
-	    "\n\n"
-	"shutdown: whack"
-	    " --shutdown"
-	    "\n\n"
-	"strongSwan %s\n"
-	, ipsec_version_code());
+		"listen: whack"
+			" (--listen | --unlisten)"
+			"\n\n"
+		"list: whack [--utc]"
+			" [--listalgs]"
+			" [--listpubkeys]"
+			" [--listcerts]"
+			" [--listcacerts]"
+			" \\\n   "
+			" [--listacerts]"
+			" [--listaacerts]"
+			" [--listocspcerts]"
+			" [--listgroups]"
+			" \\\n   "
+			" [--listcainfos]"
+			" [--listcrls]"
+			" [--listocsp]"
+			" [--listcards]"
+			" [--listall]"
+			"\n\n"
+		"purge: whack"
+			" [--purgeocsp]"
+			"\n\n"
+		"reread: whack"
+			" [--rereadsecrets]"
+			" [--rereadcacerts]"
+			" [--rereadaacerts]"
+			" \\\n   "
+			" [--rereadocspcerts]"
+			" [--rereadacerts]"
+			" [--rereadcrls]"
+			" [--rereadall]"
+			"\n\n"
+		"status: whack"
+			" [--name <connection_name>] --status|--statusall"
+			"\n\n"
+		"scdecrypt: whack"
+			" --scencrypt|scdecrypt <value>"
+			" [--inbase <base>]"
+			" [--outbase <base>]"
+			" [--keyid <id>]"
+			"\n\n"
+		"shutdown: whack"
+			" --shutdown"
+			"\n\n"
+		"strongSwan "VERSION"\n");
 }
 
-static const char *label = NULL;	/* --label operand, saved for diagnostics */
+static const char *label = NULL;        /* --label operand, saved for diagnostics */
 
-static const char *name = NULL;	/* --name operand, saved for diagnostics */
+static const char *name = NULL; /* --name operand, saved for diagnostics */
 
-/* print a string as a diagnostic, then exit whack unhappily */
-static void
-diag(const char *mess)
+/* options read by optionsfrom */
+options_t *options;
+
+/**
+ * exit whack after cleaning up
+ */
+static void whack_exit(int status)
 {
-    if (mess != NULL)
-    {
-	fprintf(stderr, "whack error: ");
-	if (label != NULL)
-	    fprintf(stderr, "%s ", label);
-	if (name != NULL)
-	    fprintf(stderr, "\"%s\" ", name);
-	fprintf(stderr, "%s\n", mess);
-    }
-
-    exit(RC_WHACK_PROBLEM);
+	options->destroy(options);
+	exit(status);
 }
 
-/* conditially calls diag; prints second arg, if non-NULL, as quoted string */
-static void
-diagq(err_t ugh, const char *this)
+/**
+ * print a string as a diagnostic, then exit whack unhappily
+ */
+static void diag(const char *mess)
 {
-    if (ugh != NULL)
-    {
-	if (this == NULL)
+	if (mess != NULL)
 	{
-	    diag(ugh);
+		fprintf(stderr, "whack error: ");
+		if (label != NULL)
+		{
+			fprintf(stderr, "%s ", label);
+		}
+		if (name != NULL)
+		{
+			fprintf(stderr, "\"%s\" ", name);
+		}
+		fprintf(stderr, "%s\n", mess);
 	}
-	else
+	whack_exit(RC_WHACK_PROBLEM);
+}
+
+/* conditially calls diag; prints second arg, if non-NULL, as quoted string */
+static void diagq(err_t ugh, const char *this)
+{
+	if (ugh != NULL)
 	{
-	    char buf[120];	/* arbitrary limit */
+		if (this == NULL)
+		{
+			diag(ugh);
+		}
+		else
+		{
+			char buf[120];      /* arbitrary limit */
 
-	    snprintf(buf, sizeof(buf), "%s \"%s\"", ugh, this);
-	    diag(buf);
+			snprintf(buf, sizeof(buf), "%s \"%s\"", ugh, this);
+			diag(buf);
+		}
 	}
-    }
 }
 
 /* complex combined operands return one of these enumerated values
@@ -287,181 +300,181 @@ diagq(err_t ugh, const char *this)
  * - CA_* options (CA description options)
  */
 enum {
-#   define OPT_FIRST	OPT_CTLBASE
-    OPT_CTLBASE,
-    OPT_NAME,
+#   define OPT_FIRST    OPT_CTLBASE
+	OPT_CTLBASE,
+	OPT_NAME,
 
-    OPT_CD,
+	OPT_CD,
 
-    OPT_KEYID,
-    OPT_ADDKEY,
-    OPT_PUBKEYRSA,
+	OPT_KEYID,
+	OPT_ADDKEY,
+	OPT_PUBKEYRSA,
 
-    OPT_MYID,
+	OPT_MYID,
 
-    OPT_ROUTE,
-    OPT_UNROUTE,
+	OPT_ROUTE,
+	OPT_UNROUTE,
 
-    OPT_INITIATE,
-    OPT_TERMINATE,
-    OPT_DELETE,
-    OPT_DELETESTATE,
-    OPT_LISTEN,
-    OPT_UNLISTEN,
+	OPT_INITIATE,
+	OPT_TERMINATE,
+	OPT_DELETE,
+	OPT_DELETESTATE,
+	OPT_LISTEN,
+	OPT_UNLISTEN,
 
-    OPT_PURGEOCSP,
+	OPT_PURGEOCSP,
 
-    OPT_REREADSECRETS,
-    OPT_REREADCACERTS,
-    OPT_REREADAACERTS,
-    OPT_REREADOCSPCERTS,
-    OPT_REREADACERTS,
-    OPT_REREADCRLS,
-    OPT_REREADALL,
+	OPT_REREADSECRETS,
+	OPT_REREADCACERTS,
+	OPT_REREADAACERTS,
+	OPT_REREADOCSPCERTS,
+	OPT_REREADACERTS,
+	OPT_REREADCRLS,
+	OPT_REREADALL,
 
-    OPT_STATUS,
-    OPT_STATUSALL,
-    OPT_SHUTDOWN,
+	OPT_STATUS,
+	OPT_STATUSALL,
+	OPT_SHUTDOWN,
 
-    OPT_OPPO_HERE,
-    OPT_OPPO_THERE,
+	OPT_OPPO_HERE,
+	OPT_OPPO_THERE,
 
-    OPT_ASYNC,
-    OPT_DELETECRASH,
+	OPT_ASYNC,
+	OPT_DELETECRASH,
 
-#   define OPT_LAST OPT_ASYNC	/* last "normal" option */
+#   define OPT_LAST OPT_ASYNC   /* last "normal" option */
 
 /* Smartcard options */
 
-#   define SC_FIRST SC_ENCRYPT	/* first smartcard option */
+#   define SC_FIRST SC_ENCRYPT  /* first smartcard option */
 
-    SC_ENCRYPT,
-    SC_DECRYPT,
-    SC_INBASE,
-    SC_OUTBASE,
+	SC_ENCRYPT,
+	SC_DECRYPT,
+	SC_INBASE,
+	SC_OUTBASE,
 
-#   define SC_LAST SC_OUTBASE	/* last "smartcard" option */
+#   define SC_LAST SC_OUTBASE   /* last "smartcard" option */
 
 /* List options */
 
-#   define LST_FIRST LST_UTC	/* first list option */
-    LST_UTC,
-    LST_ALGS,
-    LST_PUBKEYS,
-    LST_CERTS,
-    LST_CACERTS,
-    LST_ACERTS,
-    LST_AACERTS,
-    LST_OCSPCERTS,
-    LST_GROUPS,
-    LST_CAINFOS,
-    LST_CRLS,
-    LST_OCSP,
-    LST_CARDS,
-    LST_ALL,
-
-#   define LST_LAST LST_ALL	/* last list option */
+#   define LST_FIRST LST_UTC    /* first list option */
+	LST_UTC,
+	LST_ALGS,
+	LST_PUBKEYS,
+	LST_CERTS,
+	LST_CACERTS,
+	LST_ACERTS,
+	LST_AACERTS,
+	LST_OCSPCERTS,
+	LST_GROUPS,
+	LST_CAINFOS,
+	LST_CRLS,
+	LST_OCSP,
+	LST_CARDS,
+	LST_ALL,
+
+#   define LST_LAST LST_ALL     /* last list option */
 
 /* Connection End Description options */
 
-#   define END_FIRST END_HOST	/* first end description */
-    END_HOST,
-    END_ID,
-    END_CERT,
-    END_CA,
-    END_SENDCERT,
-    END_GROUPS,
-    END_IKEPORT,
-    END_NEXTHOP,
-    END_CLIENT,
-    END_CLIENTWITHIN,
-    END_CLIENTPROTOPORT,
-    END_DNSKEYONDEMAND,
-    END_SRCIP,
-    END_HOSTACCESS,
-    END_UPDOWN,
-    	
-#define END_LAST  END_UPDOWN	/* last end description*/
+#   define END_FIRST END_HOST   /* first end description */
+	END_HOST,
+	END_ID,
+	END_CERT,
+	END_CA,
+	END_SENDCERT,
+	END_GROUPS,
+	END_IKEPORT,
+	END_NEXTHOP,
+	END_CLIENT,
+	END_CLIENTWITHIN,
+	END_CLIENTPROTOPORT,
+	END_DNSKEYONDEMAND,
+	END_SRCIP,
+	END_HOSTACCESS,
+	END_UPDOWN,
+		
+#define END_LAST  END_UPDOWN    /* last end description*/
 
 /* Connection Description options -- segregated */
 
-#   define CD_FIRST CD_TO	/* first connection description */
-    CD_TO,
+#   define CD_FIRST CD_TO       /* first connection description */
+	CD_TO,
 
 #   define CD_POLICY_FIRST  CD_PSK
-    CD_PSK,	/* same order as POLICY_* */
-    CD_RSASIG,	/* same order as POLICY_* */
-    CD_ENCRYPT,	/* same order as POLICY_* */
-    CD_AUTHENTICATE,	/* same order as POLICY_* */
-    CD_COMPRESS,	/* same order as POLICY_* */
-    CD_TUNNEL,	/* same order as POLICY_* */
-    CD_PFS,	/* same order as POLICY_* */
-    CD_DISABLEARRIVALCHECK,	/* same order as POLICY_* */
-    CD_SHUNT0,	/* same order as POLICY_* */
-    CD_SHUNT1,	/* same order as POLICY_* */
-    CD_FAIL0,	/* same order as POLICY_* */
-    CD_FAIL1,	/* same order as POLICY_* */
-    CD_DONT_REKEY,	/* same order as POLICY_* */
-
-    CD_TUNNELIPV4,
-    CD_TUNNELIPV6,
-    CD_CONNIPV4,
-    CD_CONNIPV6,
-
-    CD_IKELIFETIME,
-    CD_IPSECLIFETIME,
-    CD_RKMARGIN,
-    CD_RKFUZZ,
-    CD_KTRIES,
-    CD_DPDACTION,
-    CD_DPDDELAY,
-    CD_DPDTIMEOUT,
-    CD_IKE,
-    CD_PFSGROUP,
-    CD_ESP,	
-
-#   define CD_LAST CD_ESP	/* last connection description */
+	CD_PSK,     /* same order as POLICY_* */
+	CD_RSASIG,  /* same order as POLICY_* */
+	CD_ENCRYPT, /* same order as POLICY_* */
+	CD_AUTHENTICATE,    /* same order as POLICY_* */
+	CD_COMPRESS,        /* same order as POLICY_* */
+	CD_TUNNEL,  /* same order as POLICY_* */
+	CD_PFS,     /* same order as POLICY_* */
+	CD_DISABLEARRIVALCHECK,     /* same order as POLICY_* */
+	CD_SHUNT0,  /* same order as POLICY_* */
+	CD_SHUNT1,  /* same order as POLICY_* */
+	CD_FAIL0,   /* same order as POLICY_* */
+	CD_FAIL1,   /* same order as POLICY_* */
+	CD_DONT_REKEY,      /* same order as POLICY_* */
+
+	CD_TUNNELIPV4,
+	CD_TUNNELIPV6,
+	CD_CONNIPV4,
+	CD_CONNIPV6,
+
+	CD_IKELIFETIME,
+	CD_IPSECLIFETIME,
+	CD_RKMARGIN,
+	CD_RKFUZZ,
+	CD_KTRIES,
+	CD_DPDACTION,
+	CD_DPDDELAY,
+	CD_DPDTIMEOUT,
+	CD_IKE,
+	CD_PFSGROUP,
+	CD_ESP,     
+
+#   define CD_LAST CD_ESP       /* last connection description */
 
 /* Certificate Authority (CA) description options */
 
-#   define CA_FIRST CA_NAME	/* first ca description */
+#   define CA_FIRST CA_NAME     /* first ca description */
 
-    CA_NAME,
-    CA_CERT,
-    CA_LDAPHOST,
-    CA_LDAPBASE,
-    CA_CRLURI,
-    CA_CRLURI2,
-    CA_OCSPURI,
-    CA_STRICT
+	CA_NAME,
+	CA_CERT,
+	CA_LDAPHOST,
+	CA_LDAPBASE,
+	CA_CRLURI,
+	CA_CRLURI2,
+	CA_OCSPURI,
+	CA_STRICT
 
-#   define CA_LAST CA_STRICT	/* last ca description */
+#   define CA_LAST CA_STRICT    /* last ca description */
 
-#ifdef DEBUG	/* must be last so others are less than 32 to fit in lset_t */
+#ifdef DEBUG    /* must be last so others are less than 32 to fit in lset_t */
 #   define DBGOPT_FIRST DBGOPT_NONE
-    ,
-    /* NOTE: these definitions must match DBG_* and IMPAIR_* in constants.h */
-    DBGOPT_NONE,
-    DBGOPT_ALL,
-
-    DBGOPT_RAW,		/* same order as DBG_* */
-    DBGOPT_CRYPT,	/* same order as DBG_* */
-    DBGOPT_PARSING,	/* same order as DBG_* */
-    DBGOPT_EMITTING,	/* same order as DBG_* */
-    DBGOPT_CONTROL,	/* same order as DBG_* */
-    DBGOPT_LIFECYCLE,	/* same order as DBG_* */
-    DBGOPT_KLIPS,	/* same order as DBG_* */
-    DBGOPT_DNS,		/* same order as DBG_* */
-    DBGOPT_NATT,	/* same order as DBG_* */
-    DBGOPT_OPPO,	/* same order as DBG_* */
-    DBGOPT_CONTROLMORE,	/* same order as DBG_* */
-
-    DBGOPT_PRIVATE,	/* same order as DBG_* */
-
-    DBGOPT_IMPAIR_DELAY_ADNS_KEY_ANSWER,	/* same order as IMPAIR_* */
-    DBGOPT_IMPAIR_DELAY_ADNS_TXT_ANSWER,	/* same order as IMPAIR_* */
-    DBGOPT_IMPAIR_BUST_MI2,	/* same order as IMPAIR_* */
-    DBGOPT_IMPAIR_BUST_MR2	/* same order as IMPAIR_* */
+	,
+	/* NOTE: these definitions must match DBG_* and IMPAIR_* in constants.h */
+	DBGOPT_NONE,
+	DBGOPT_ALL,
+
+	DBGOPT_RAW,         /* same order as DBG_* */
+	DBGOPT_CRYPT,       /* same order as DBG_* */
+	DBGOPT_PARSING,     /* same order as DBG_* */
+	DBGOPT_EMITTING,    /* same order as DBG_* */
+	DBGOPT_CONTROL,     /* same order as DBG_* */
+	DBGOPT_LIFECYCLE,   /* same order as DBG_* */
+	DBGOPT_KLIPS,       /* same order as DBG_* */
+	DBGOPT_DNS,         /* same order as DBG_* */
+	DBGOPT_NATT,        /* same order as DBG_* */
+	DBGOPT_OPPO,        /* same order as DBG_* */
+	DBGOPT_CONTROLMORE, /* same order as DBG_* */
+
+	DBGOPT_PRIVATE,     /* same order as DBG_* */
+
+	DBGOPT_IMPAIR_DELAY_ADNS_KEY_ANSWER,        /* same order as IMPAIR_* */
+	DBGOPT_IMPAIR_DELAY_ADNS_TXT_ANSWER,        /* same order as IMPAIR_* */
+	DBGOPT_IMPAIR_BUST_MI2,     /* same order as IMPAIR_* */
+	DBGOPT_IMPAIR_BUST_MR2      /* same order as IMPAIR_* */
 
 #   define DBGOPT_LAST DBGOPT_IMPAIR_BUST_MR2
 #endif
@@ -473,1433 +486,1430 @@ enum {
  * Numeric arg is bit immediately left of basic value.
  *
  */
-#define OPTION_OFFSET	256	/* to get out of the way of letter options */
-#define NUMERIC_ARG (1 << 9)	/* expect a numeric argument */
-#define AUX_SHIFT   10	/* amount to shift for aux information */
+#define OPTION_OFFSET   256     /* to get out of the way of letter options */
+#define NUMERIC_ARG (1 << 9)    /* expect a numeric argument */
+#define AUX_SHIFT   10  /* amount to shift for aux information */
 
 static const struct option long_opts[] = {
-#   define OO	OPTION_OFFSET
-    /* name, has_arg, flag, val */
-
-    { "help", no_argument, NULL, 'h' },
-    { "version", no_argument, NULL, 'v' },
-    { "optionsfrom", required_argument, NULL, '+' },
-    { "label", required_argument, NULL, 'l' },
-
-    { "ctlbase", required_argument, NULL, OPT_CTLBASE + OO },
-    { "name", required_argument, NULL, OPT_NAME + OO },
-
-    { "keyid", required_argument, NULL, OPT_KEYID + OO },
-    { "addkey", no_argument, NULL, OPT_ADDKEY + OO },
-    { "pubkeyrsa", required_argument, NULL, OPT_PUBKEYRSA + OO },
-
-    { "myid", required_argument, NULL, OPT_MYID + OO },
-
-    { "route", no_argument, NULL, OPT_ROUTE + OO },
-    { "unroute", no_argument, NULL, OPT_UNROUTE + OO },
-
-    { "initiate", no_argument, NULL, OPT_INITIATE + OO },
-    { "terminate", no_argument, NULL, OPT_TERMINATE + OO },
-    { "delete", no_argument, NULL, OPT_DELETE + OO },
-    { "deletestate", required_argument, NULL, OPT_DELETESTATE + OO + NUMERIC_ARG },
-    { "crash", required_argument, NULL, OPT_DELETECRASH + OO },
-    { "listen", no_argument, NULL, OPT_LISTEN + OO },
-    { "unlisten", no_argument, NULL, OPT_UNLISTEN + OO },
-
-    { "purgeocsp", no_argument, NULL, OPT_PURGEOCSP + OO },
-
-    { "rereadsecrets", no_argument, NULL, OPT_REREADSECRETS + OO },
-    { "rereadcacerts", no_argument, NULL, OPT_REREADCACERTS + OO },
-    { "rereadaacerts", no_argument, NULL, OPT_REREADAACERTS + OO },
-    { "rereadocspcerts", no_argument, NULL, OPT_REREADOCSPCERTS + OO },
-    { "rereadacerts", no_argument, NULL, OPT_REREADACERTS + OO },
-    { "rereadcrls", no_argument, NULL, OPT_REREADCRLS + OO },
-    { "rereadall", no_argument, NULL, OPT_REREADALL + OO },
-    { "status", no_argument, NULL, OPT_STATUS + OO },
-    { "statusall", no_argument, NULL, OPT_STATUSALL + OO },
-    { "shutdown", no_argument, NULL, OPT_SHUTDOWN + OO },
-
-    { "oppohere", required_argument, NULL, OPT_OPPO_HERE + OO },
-    { "oppothere", required_argument, NULL, OPT_OPPO_THERE + OO },
-
-    { "asynchronous", no_argument, NULL, OPT_ASYNC + OO },
-
-    /* smartcard options */
-
-    { "scencrypt", required_argument, NULL, SC_ENCRYPT + OO },
-    { "scdecrypt", required_argument, NULL, SC_DECRYPT + OO },
-    { "inbase", required_argument, NULL, SC_INBASE + OO },
-    { "outbase", required_argument, NULL, SC_OUTBASE + OO },
-
-    /* list options */
-
-    { "utc", no_argument, NULL, LST_UTC + OO },
-    { "listalgs", no_argument, NULL, LST_ALGS + OO },
-    { "listpubkeys", no_argument, NULL, LST_PUBKEYS + OO },
-    { "listcerts", no_argument, NULL, LST_CERTS + OO },
-    { "listcacerts", no_argument, NULL, LST_CACERTS + OO },
-    { "listacerts", no_argument, NULL, LST_ACERTS + OO },
-    { "listaacerts", no_argument, NULL, LST_AACERTS + OO },
-    { "listocspcerts", no_argument, NULL, LST_OCSPCERTS + OO },
-    { "listgroups", no_argument, NULL, LST_GROUPS + OO },
-    { "listcainfos", no_argument, NULL, LST_CAINFOS + OO },
-    { "listcrls", no_argument, NULL, LST_CRLS + OO },
-    { "listocsp", no_argument, NULL, LST_OCSP + OO },
-    { "listcards", no_argument, NULL, LST_CARDS + OO },
-    { "listall", no_argument, NULL, LST_ALL + OO },
-
-    /* options for an end description */
-
-    { "host", required_argument, NULL, END_HOST + OO },
-    { "id", required_argument, NULL, END_ID + OO },
-    { "cert", required_argument, NULL, END_CERT + OO },
-    { "ca", required_argument, NULL, END_CA + OO },
-    { "sendcert", required_argument, NULL, END_SENDCERT + OO },
-    { "groups", required_argument, NULL, END_GROUPS + OO },
-    { "ikeport", required_argument, NULL, END_IKEPORT + OO + NUMERIC_ARG },
-    { "nexthop", required_argument, NULL, END_NEXTHOP + OO },
-    { "client", required_argument, NULL, END_CLIENT + OO },
-    { "clientwithin", required_argument, NULL, END_CLIENTWITHIN + OO },
-    { "clientprotoport", required_argument, NULL, END_CLIENTPROTOPORT + OO },
-    { "dnskeyondemand", no_argument, NULL, END_DNSKEYONDEMAND + OO },
-    { "srcip",  required_argument, NULL, END_SRCIP + OO },
-    { "hostaccess", no_argument, NULL, END_HOSTACCESS + OO },
-    { "updown", required_argument, NULL, END_UPDOWN + OO },
-
-    /* options for a connection description */
-
-    { "to", no_argument, NULL, CD_TO + OO },
-
-    { "psk", no_argument, NULL, CD_PSK + OO },
-    { "rsasig", no_argument, NULL, CD_RSASIG + OO },
-
-    { "encrypt", no_argument, NULL, CD_ENCRYPT + OO },
-    { "authenticate", no_argument, NULL, CD_AUTHENTICATE + OO },
-    { "compress", no_argument, NULL, CD_COMPRESS + OO },
-    { "tunnel", no_argument, NULL, CD_TUNNEL + OO },
-    { "tunnelipv4", no_argument, NULL, CD_TUNNELIPV4 + OO },
-    { "tunnelipv6", no_argument, NULL, CD_TUNNELIPV6 + OO },
-    { "pfs", no_argument, NULL, CD_PFS + OO },
-    { "disablearrivalcheck", no_argument, NULL, CD_DISABLEARRIVALCHECK + OO },
-    { "initiateontraffic", no_argument, NULL
-	, CD_SHUNT0 + (POLICY_SHUNT_TRAP >> POLICY_SHUNT_SHIFT << AUX_SHIFT) + OO },
-    { "pass", no_argument, NULL
-	, CD_SHUNT0 + (POLICY_SHUNT_PASS >> POLICY_SHUNT_SHIFT << AUX_SHIFT) + OO },
-    { "drop", no_argument, NULL
-	, CD_SHUNT0 + (POLICY_SHUNT_DROP >> POLICY_SHUNT_SHIFT << AUX_SHIFT) + OO },
-    { "reject", no_argument, NULL
-	, CD_SHUNT0 + (POLICY_SHUNT_REJECT >> POLICY_SHUNT_SHIFT << AUX_SHIFT) + OO },
-    { "failnone", no_argument, NULL
-	, CD_FAIL0 + (POLICY_FAIL_NONE >> POLICY_FAIL_SHIFT << AUX_SHIFT) + OO },
-    { "failpass", no_argument, NULL
-	, CD_FAIL0 + (POLICY_FAIL_PASS >> POLICY_FAIL_SHIFT << AUX_SHIFT) + OO },
-    { "faildrop", no_argument, NULL
-	, CD_FAIL0 + (POLICY_FAIL_DROP >> POLICY_FAIL_SHIFT << AUX_SHIFT) + OO },
-    { "failreject", no_argument, NULL
-	, CD_FAIL0 + (POLICY_FAIL_REJECT >> POLICY_FAIL_SHIFT << AUX_SHIFT) + OO },
-    { "dontrekey", no_argument, NULL, CD_DONT_REKEY + OO },
-    { "ipv4", no_argument, NULL, CD_CONNIPV4 + OO },
-    { "ipv6", no_argument, NULL, CD_CONNIPV6 + OO },
-
-    { "ikelifetime", required_argument, NULL, CD_IKELIFETIME + OO + NUMERIC_ARG },
-    { "ipseclifetime", required_argument, NULL, CD_IPSECLIFETIME + OO + NUMERIC_ARG },
-    { "rekeymargin", required_argument, NULL, CD_RKMARGIN + OO + NUMERIC_ARG },
-    { "rekeywindow", required_argument, NULL, CD_RKMARGIN + OO + NUMERIC_ARG },	/* OBSOLETE */
-    { "rekeyfuzz", required_argument, NULL, CD_RKFUZZ + OO + NUMERIC_ARG },
-    { "keyingtries", required_argument, NULL, CD_KTRIES + OO + NUMERIC_ARG },
-    { "dpdaction", required_argument, NULL, CD_DPDACTION + OO },
-    { "dpddelay", required_argument, NULL, CD_DPDDELAY + OO + NUMERIC_ARG },
-    { "dpdtimeout", required_argument, NULL, CD_DPDTIMEOUT + OO + NUMERIC_ARG },
-    { "ike", required_argument, NULL, CD_IKE + OO },
-    { "pfsgroup", required_argument, NULL, CD_PFSGROUP + OO },
-    { "esp", required_argument, NULL, CD_ESP + OO },
-
-    /* options for a ca description */
-
-    { "caname", required_argument, NULL, CA_NAME + OO },
-    { "cacert", required_argument, NULL, CA_CERT + OO },
-    { "ldaphost", required_argument, NULL, CA_LDAPHOST + OO },
-    { "ldapbase", required_argument, NULL, CA_LDAPBASE + OO },
-    { "crluri", required_argument, NULL, CA_CRLURI + OO },
-    { "crluri2", required_argument, NULL, CA_CRLURI2 + OO },
-    { "ocspuri", required_argument, NULL, CA_OCSPURI + OO },
-    { "strictcrlpolicy", no_argument, NULL, CA_STRICT + OO },
+#   define OO   OPTION_OFFSET
+	/* name, has_arg, flag, val */
+
+	{ "help", no_argument, NULL, 'h' },
+	{ "version", no_argument, NULL, 'v' },
+	{ "optionsfrom", required_argument, NULL, '+' },
+	{ "label", required_argument, NULL, 'l' },
+
+	{ "ctlbase", required_argument, NULL, OPT_CTLBASE + OO },
+	{ "name", required_argument, NULL, OPT_NAME + OO },
+
+	{ "keyid", required_argument, NULL, OPT_KEYID + OO },
+	{ "addkey", no_argument, NULL, OPT_ADDKEY + OO },
+	{ "pubkeyrsa", required_argument, NULL, OPT_PUBKEYRSA + OO },
+
+	{ "myid", required_argument, NULL, OPT_MYID + OO },
+
+	{ "route", no_argument, NULL, OPT_ROUTE + OO },
+	{ "unroute", no_argument, NULL, OPT_UNROUTE + OO },
+
+	{ "initiate", no_argument, NULL, OPT_INITIATE + OO },
+	{ "terminate", no_argument, NULL, OPT_TERMINATE + OO },
+	{ "delete", no_argument, NULL, OPT_DELETE + OO },
+	{ "deletestate", required_argument, NULL, OPT_DELETESTATE + OO + NUMERIC_ARG },
+	{ "crash", required_argument, NULL, OPT_DELETECRASH + OO },
+	{ "listen", no_argument, NULL, OPT_LISTEN + OO },
+	{ "unlisten", no_argument, NULL, OPT_UNLISTEN + OO },
+
+	{ "purgeocsp", no_argument, NULL, OPT_PURGEOCSP + OO },
+
+	{ "rereadsecrets", no_argument, NULL, OPT_REREADSECRETS + OO },
+	{ "rereadcacerts", no_argument, NULL, OPT_REREADCACERTS + OO },
+	{ "rereadaacerts", no_argument, NULL, OPT_REREADAACERTS + OO },
+	{ "rereadocspcerts", no_argument, NULL, OPT_REREADOCSPCERTS + OO },
+	{ "rereadacerts", no_argument, NULL, OPT_REREADACERTS + OO },
+	{ "rereadcrls", no_argument, NULL, OPT_REREADCRLS + OO },
+	{ "rereadall", no_argument, NULL, OPT_REREADALL + OO },
+	{ "status", no_argument, NULL, OPT_STATUS + OO },
+	{ "statusall", no_argument, NULL, OPT_STATUSALL + OO },
+	{ "shutdown", no_argument, NULL, OPT_SHUTDOWN + OO },
+
+	{ "oppohere", required_argument, NULL, OPT_OPPO_HERE + OO },
+	{ "oppothere", required_argument, NULL, OPT_OPPO_THERE + OO },
+
+	{ "asynchronous", no_argument, NULL, OPT_ASYNC + OO },
+
+	/* smartcard options */
+
+	{ "scencrypt", required_argument, NULL, SC_ENCRYPT + OO },
+	{ "scdecrypt", required_argument, NULL, SC_DECRYPT + OO },
+	{ "inbase", required_argument, NULL, SC_INBASE + OO },
+	{ "outbase", required_argument, NULL, SC_OUTBASE + OO },
+
+	/* list options */
+
+	{ "utc", no_argument, NULL, LST_UTC + OO },
+	{ "listalgs", no_argument, NULL, LST_ALGS + OO },
+	{ "listpubkeys", no_argument, NULL, LST_PUBKEYS + OO },
+	{ "listcerts", no_argument, NULL, LST_CERTS + OO },
+	{ "listcacerts", no_argument, NULL, LST_CACERTS + OO },
+	{ "listacerts", no_argument, NULL, LST_ACERTS + OO },
+	{ "listaacerts", no_argument, NULL, LST_AACERTS + OO },
+	{ "listocspcerts", no_argument, NULL, LST_OCSPCERTS + OO },
+	{ "listgroups", no_argument, NULL, LST_GROUPS + OO },
+	{ "listcainfos", no_argument, NULL, LST_CAINFOS + OO },
+	{ "listcrls", no_argument, NULL, LST_CRLS + OO },
+	{ "listocsp", no_argument, NULL, LST_OCSP + OO },
+	{ "listcards", no_argument, NULL, LST_CARDS + OO },
+	{ "listall", no_argument, NULL, LST_ALL + OO },
+
+	/* options for an end description */
+
+	{ "host", required_argument, NULL, END_HOST + OO },
+	{ "id", required_argument, NULL, END_ID + OO },
+	{ "cert", required_argument, NULL, END_CERT + OO },
+	{ "ca", required_argument, NULL, END_CA + OO },
+	{ "sendcert", required_argument, NULL, END_SENDCERT + OO },
+	{ "groups", required_argument, NULL, END_GROUPS + OO },
+	{ "ikeport", required_argument, NULL, END_IKEPORT + OO + NUMERIC_ARG },
+	{ "nexthop", required_argument, NULL, END_NEXTHOP + OO },
+	{ "client", required_argument, NULL, END_CLIENT + OO },
+	{ "clientwithin", required_argument, NULL, END_CLIENTWITHIN + OO },
+	{ "clientprotoport", required_argument, NULL, END_CLIENTPROTOPORT + OO },
+	{ "dnskeyondemand", no_argument, NULL, END_DNSKEYONDEMAND + OO },
+	{ "srcip",  required_argument, NULL, END_SRCIP + OO },
+	{ "hostaccess", no_argument, NULL, END_HOSTACCESS + OO },
+	{ "updown", required_argument, NULL, END_UPDOWN + OO },
+
+	/* options for a connection description */
+
+	{ "to", no_argument, NULL, CD_TO + OO },
+
+	{ "psk", no_argument, NULL, CD_PSK + OO },
+	{ "rsasig", no_argument, NULL, CD_RSASIG + OO },
+
+	{ "encrypt", no_argument, NULL, CD_ENCRYPT + OO },
+	{ "authenticate", no_argument, NULL, CD_AUTHENTICATE + OO },
+	{ "compress", no_argument, NULL, CD_COMPRESS + OO },
+	{ "tunnel", no_argument, NULL, CD_TUNNEL + OO },
+	{ "tunnelipv4", no_argument, NULL, CD_TUNNELIPV4 + OO },
+	{ "tunnelipv6", no_argument, NULL, CD_TUNNELIPV6 + OO },
+	{ "pfs", no_argument, NULL, CD_PFS + OO },
+	{ "disablearrivalcheck", no_argument, NULL, CD_DISABLEARRIVALCHECK + OO },
+	{ "initiateontraffic", no_argument, NULL
+		, CD_SHUNT0 + (POLICY_SHUNT_TRAP >> POLICY_SHUNT_SHIFT << AUX_SHIFT) + OO },
+	{ "pass", no_argument, NULL
+		, CD_SHUNT0 + (POLICY_SHUNT_PASS >> POLICY_SHUNT_SHIFT << AUX_SHIFT) + OO },
+	{ "drop", no_argument, NULL
+		, CD_SHUNT0 + (POLICY_SHUNT_DROP >> POLICY_SHUNT_SHIFT << AUX_SHIFT) + OO },
+	{ "reject", no_argument, NULL
+		, CD_SHUNT0 + (POLICY_SHUNT_REJECT >> POLICY_SHUNT_SHIFT << AUX_SHIFT) + OO },
+	{ "failnone", no_argument, NULL
+		, CD_FAIL0 + (POLICY_FAIL_NONE >> POLICY_FAIL_SHIFT << AUX_SHIFT) + OO },
+	{ "failpass", no_argument, NULL
+		, CD_FAIL0 + (POLICY_FAIL_PASS >> POLICY_FAIL_SHIFT << AUX_SHIFT) + OO },
+	{ "faildrop", no_argument, NULL
+		, CD_FAIL0 + (POLICY_FAIL_DROP >> POLICY_FAIL_SHIFT << AUX_SHIFT) + OO },
+	{ "failreject", no_argument, NULL
+		, CD_FAIL0 + (POLICY_FAIL_REJECT >> POLICY_FAIL_SHIFT << AUX_SHIFT) + OO },
+	{ "dontrekey", no_argument, NULL, CD_DONT_REKEY + OO },
+	{ "ipv4", no_argument, NULL, CD_CONNIPV4 + OO },
+	{ "ipv6", no_argument, NULL, CD_CONNIPV6 + OO },
+
+	{ "ikelifetime", required_argument, NULL, CD_IKELIFETIME + OO + NUMERIC_ARG },
+	{ "ipseclifetime", required_argument, NULL, CD_IPSECLIFETIME + OO + NUMERIC_ARG },
+	{ "rekeymargin", required_argument, NULL, CD_RKMARGIN + OO + NUMERIC_ARG },
+	{ "rekeywindow", required_argument, NULL, CD_RKMARGIN + OO + NUMERIC_ARG }, /* OBSOLETE */
+	{ "rekeyfuzz", required_argument, NULL, CD_RKFUZZ + OO + NUMERIC_ARG },
+	{ "keyingtries", required_argument, NULL, CD_KTRIES + OO + NUMERIC_ARG },
+	{ "dpdaction", required_argument, NULL, CD_DPDACTION + OO },
+	{ "dpddelay", required_argument, NULL, CD_DPDDELAY + OO + NUMERIC_ARG },
+	{ "dpdtimeout", required_argument, NULL, CD_DPDTIMEOUT + OO + NUMERIC_ARG },
+	{ "ike", required_argument, NULL, CD_IKE + OO },
+	{ "pfsgroup", required_argument, NULL, CD_PFSGROUP + OO },
+	{ "esp", required_argument, NULL, CD_ESP + OO },
+
+	/* options for a ca description */
+
+	{ "caname", required_argument, NULL, CA_NAME + OO },
+	{ "cacert", required_argument, NULL, CA_CERT + OO },
+	{ "ldaphost", required_argument, NULL, CA_LDAPHOST + OO },
+	{ "ldapbase", required_argument, NULL, CA_LDAPBASE + OO },
+	{ "crluri", required_argument, NULL, CA_CRLURI + OO },
+	{ "crluri2", required_argument, NULL, CA_CRLURI2 + OO },
+	{ "ocspuri", required_argument, NULL, CA_OCSPURI + OO },
+	{ "strictcrlpolicy", no_argument, NULL, CA_STRICT + OO },
 
 #ifdef DEBUG
-    { "debug-none", no_argument, NULL, DBGOPT_NONE + OO },
-    { "debug-all]", no_argument, NULL, DBGOPT_ALL + OO },
-    { "debug-raw", no_argument, NULL, DBGOPT_RAW + OO },
-    { "debug-crypt", no_argument, NULL, DBGOPT_CRYPT + OO },
-    { "debug-parsing", no_argument, NULL, DBGOPT_PARSING + OO },
-    { "debug-emitting", no_argument, NULL, DBGOPT_EMITTING + OO },
-    { "debug-control", no_argument, NULL, DBGOPT_CONTROL + OO },
-    { "debug-lifecycle", no_argument, NULL, DBGOPT_LIFECYCLE + OO },
-    { "debug-klips", no_argument, NULL, DBGOPT_KLIPS + OO },
-    { "debug-dns", no_argument, NULL, DBGOPT_DNS + OO },
-    { "debug-natt", no_argument, NULL, DBGOPT_NATT + OO },
-    { "debug-oppo", no_argument, NULL, DBGOPT_OPPO + OO },
-    { "debug-controlmore", no_argument, NULL, DBGOPT_CONTROLMORE + OO },
-    { "debug-private", no_argument, NULL, DBGOPT_PRIVATE + OO },
-
-    { "impair-delay-adns-key-answer", no_argument, NULL, DBGOPT_IMPAIR_DELAY_ADNS_KEY_ANSWER + OO },
-    { "impair-delay-adns-txt-answer", no_argument, NULL, DBGOPT_IMPAIR_DELAY_ADNS_TXT_ANSWER + OO },
-    { "impair-bust-mi2", no_argument, NULL, DBGOPT_IMPAIR_BUST_MI2 + OO },
-    { "impair-bust-mr2", no_argument, NULL, DBGOPT_IMPAIR_BUST_MR2 + OO },
+	{ "debug-none", no_argument, NULL, DBGOPT_NONE + OO },
+	{ "debug-all]", no_argument, NULL, DBGOPT_ALL + OO },
+	{ "debug-raw", no_argument, NULL, DBGOPT_RAW + OO },
+	{ "debug-crypt", no_argument, NULL, DBGOPT_CRYPT + OO },
+	{ "debug-parsing", no_argument, NULL, DBGOPT_PARSING + OO },
+	{ "debug-emitting", no_argument, NULL, DBGOPT_EMITTING + OO },
+	{ "debug-control", no_argument, NULL, DBGOPT_CONTROL + OO },
+	{ "debug-lifecycle", no_argument, NULL, DBGOPT_LIFECYCLE + OO },
+	{ "debug-klips", no_argument, NULL, DBGOPT_KLIPS + OO },
+	{ "debug-dns", no_argument, NULL, DBGOPT_DNS + OO },
+	{ "debug-natt", no_argument, NULL, DBGOPT_NATT + OO },
+	{ "debug-oppo", no_argument, NULL, DBGOPT_OPPO + OO },
+	{ "debug-controlmore", no_argument, NULL, DBGOPT_CONTROLMORE + OO },
+	{ "debug-private", no_argument, NULL, DBGOPT_PRIVATE + OO },
+
+	{ "impair-delay-adns-key-answer", no_argument, NULL, DBGOPT_IMPAIR_DELAY_ADNS_KEY_ANSWER + OO },
+	{ "impair-delay-adns-txt-answer", no_argument, NULL, DBGOPT_IMPAIR_DELAY_ADNS_TXT_ANSWER + OO },
+	{ "impair-bust-mi2", no_argument, NULL, DBGOPT_IMPAIR_BUST_MI2 + OO },
+	{ "impair-bust-mr2", no_argument, NULL, DBGOPT_IMPAIR_BUST_MR2 + OO },
 #endif
 #   undef OO
-    { 0,0,0,0 }
+	{ 0,0,0,0 }
 };
 
 struct sockaddr_un ctl_addr = { AF_UNIX, DEFAULT_CTLBASE CTL_SUFFIX };
 
 /* helper variables and function to encode strings from whack message */
 
-static char
-    *next_str,
-    *str_roof;
+static char	*next_str,*str_roof;
 
-static bool
-pack_str(char **p)
+static bool pack_str(char **p)
 {
-    const char *s = *p == NULL? "" : *p;	/* note: NULL becomes ""! */
-    size_t len = strlen(s) + 1;
-
-    if (str_roof - next_str < (ptrdiff_t)len)
-    {
-	return FALSE;	/* fishy: no end found */
-    }
-    else
-    {
-	strcpy(next_str, s);
-	next_str += len;
-	*p = NULL;	/* don't send pointers on the wire! */
-	return TRUE;
-    }
+	const char *s = *p == NULL? "" : *p;        /* note: NULL becomes ""! */
+	size_t len = strlen(s) + 1;
+
+	if (str_roof - next_str < (ptrdiff_t)len)
+	{
+		return FALSE;   /* fishy: no end found */
+	}
+	else
+	{
+		strcpy(next_str, s);
+		next_str += len;
+		*p = NULL;      /* don't send pointers on the wire! */
+		return TRUE;
+	}
 }
 
-static void
-check_life_time(time_t life, time_t limit, const char *which
-, const whack_message_t *msg)
+static void check_life_time(time_t life, time_t limit, const char *which,
+							const whack_message_t *msg)
 {
-    time_t mint = msg->sa_rekey_margin * (100 + msg->sa_rekey_fuzz) / 100;
-
-    if (life > limit)
-    {
-	char buf[200];	/* arbitrary limit */
-
-	snprintf(buf, sizeof(buf)
-	    , "%s [%lu seconds] must be less than %lu seconds"
-	    , which, (unsigned long)life, (unsigned long)limit);
-	diag(buf);
-    }
-    if ((msg->policy & POLICY_DONT_REKEY) == LEMPTY && life <= mint)
-    {
-	char buf[200];	/* arbitrary limit */
-
-	snprintf(buf, sizeof(buf)
-	    , "%s [%lu] must be greater than"
-	    " rekeymargin*(100+rekeyfuzz)/100 [%lu*(100+%lu)/100 = %lu]"
-	    , which
-	    , (unsigned long)life
-	    , (unsigned long)msg->sa_rekey_margin
-	    , (unsigned long)msg->sa_rekey_fuzz
-	    , (unsigned long)mint);
-	diag(buf);
-    }
+	time_t mint = msg->sa_rekey_margin * (100 + msg->sa_rekey_fuzz) / 100;
+
+	if (life > limit)
+	{
+		char buf[200];  /* arbitrary limit */
+
+		snprintf(buf, sizeof(buf)
+			, "%s [%lu seconds] must be less than %lu seconds"
+			, which, (unsigned long)life, (unsigned long)limit);
+		diag(buf);
+	}
+	if ((msg->policy & POLICY_DONT_REKEY) == LEMPTY && life <= mint)
+	{
+		char buf[200];  /* arbitrary limit */
+
+		snprintf(buf, sizeof(buf)
+			, "%s [%lu] must be greater than"
+			" rekeymargin*(100+rekeyfuzz)/100 [%lu*(100+%lu)/100 = %lu]"
+			, which
+			, (unsigned long)life
+			, (unsigned long)msg->sa_rekey_margin
+			, (unsigned long)msg->sa_rekey_fuzz
+			, (unsigned long)mint);
+		diag(buf);
+	}
 }
 
-static void
-clear_end(whack_end_t *e)
+static void clear_end(whack_end_t *e)
 {
-    zero(e);
-    e->id = NULL;
-    e->cert = NULL;
-    e->ca = NULL;
-    e->updown = NULL;
-    e->host_port = IKE_UDP_PORT;
+	zero(e);
+	e->id = NULL;
+	e->cert = NULL;
+	e->ca = NULL;
+	e->updown = NULL;
+	e->host_port = IKE_UDP_PORT;
 }
 
-static void
-update_ports(whack_message_t *m)
+static void update_ports(whack_message_t *m)
 {
-    int port;
-
-    if (m->left.port != 0) {
-        port = htons(m->left.port);
-        setportof(port, &m->left.host_addr);
-        setportof(port, &m->left.client.addr);
-    }
-    if (m->right.port != 0) {
-        port = htons(m->right.port);
-        setportof(port, &m->right.host_addr);
-        setportof(port, &m->right.client.addr);
-    }
+	int port;
+
+	if (m->left.port != 0) {
+		port = htons(m->left.port);
+		setportof(port, &m->left.host_addr);
+		setportof(port, &m->left.client.addr);
+	}
+	if (m->right.port != 0) {
+		port = htons(m->right.port);
+		setportof(port, &m->right.host_addr);
+		setportof(port, &m->right.client.addr);
+	}
 }
 
-static void
-check_end(whack_end_t *this, whack_end_t *that
-, bool default_nexthop, sa_family_t caf, sa_family_t taf)
+static void check_end(whack_end_t *this, whack_end_t *that,
+					  bool default_nexthop, sa_family_t caf, sa_family_t taf)
 {
-    if (caf != addrtypeof(&this->host_addr))
-	diag("address family of host inconsistent");
-
-    if (default_nexthop)
-    {
-	if (isanyaddr(&that->host_addr))
-	    diag("our nexthop must be specified when other host is a %any or %opportunistic");
-	this->host_nexthop = that->host_addr;
-    }
-
-    if (caf != addrtypeof(&this->host_nexthop))
-	diag("address family of nexthop inconsistent");
-
-    if (this->has_client)
-    {
-	if (taf != subnettypeof(&this->client))
-	    diag("address family of client subnet inconsistent");
-    }
-    else
-    {
-	/* fill in anyaddr-anyaddr as (missing) client subnet */
-	ip_address cn;
-
-	diagq(anyaddr(caf, &cn), NULL);
-	diagq(rangetosubnet(&cn, &cn, &this->client), NULL);
-    }
-
-    /* fill in anyaddr if source IP is not defined */
-    if (!this->has_srcip)
-	diagq(anyaddr(caf, &this->host_srcip), optarg);
+	if (caf != addrtypeof(&this->host_addr))
+		diag("address family of host inconsistent");
+
+	if (default_nexthop)
+	{
+		if (isanyaddr(&that->host_addr))
+			diag("our nexthop must be specified when other host is a %any or %opportunistic");
+		this->host_nexthop = that->host_addr;
+	}
+
+	if (caf != addrtypeof(&this->host_nexthop))
+		diag("address family of nexthop inconsistent");
+
+	if (this->has_client)
+	{
+		if (taf != subnettypeof(&this->client))
+			diag("address family of client subnet inconsistent");
+	}
+	else
+	{
+		/* fill in anyaddr-anyaddr as (missing) client subnet */
+		ip_address cn;
+
+		diagq(anyaddr(caf, &cn), NULL);
+		diagq(rangetosubnet(&cn, &cn, &this->client), NULL);
+	}
+
+	/* fill in anyaddr if source IP is not defined */
+	if (!this->has_srcip)
+		diagq(anyaddr(caf, &this->host_srcip), optarg);
 
    /* check protocol */
-    if (this->protocol != that->protocol)
-	diag("the protocol for leftprotoport and rightprotoport must be the same");
+	if (this->protocol != that->protocol)
+		diag("the protocol for leftprotoport and rightprotoport must be the same");
 }
 
-static void
-get_secret(int sock)
+static void get_secret(int sock)
 {
-    const char *buf, *secret;
-    int len;
-
-    fflush(stdout);
-    usleep(20000); /* give fflush time for flushing */
-    buf = getpass("Enter: ");
-    secret = (buf == NULL)? "" : buf;
-
-    /* send the secret to pluto */
-    len = strlen(secret) + 1;
-    if (write(sock, secret, len) != len)
-    {
-	int e = errno;
-
-	fprintf(stderr, "whack: write() failed (%d %s)\n", e, strerror(e));
-	exit(RC_WHACK_PROBLEM);
-    }
+	const char *buf, *secret;
+	int len;
+
+	fflush(stdout);
+	usleep(20000); /* give fflush time for flushing */
+	buf = getpass("Enter: ");
+	secret = (buf == NULL)? "" : buf;
+
+	/* send the secret to pluto */
+	len = strlen(secret) + 1;
+	if (write(sock, secret, len) != len)
+	{
+		int e = errno;
+
+		fprintf(stderr, "whack: write() failed (%d %s)\n", e, strerror(e));
+		exit(RC_WHACK_PROBLEM);
+	}
 }
 
 /* This is a hack for initiating ISAKMP exchanges. */
 
-int
-main(int argc, char **argv)
+int main(int argc, char **argv)
 {
-    whack_message_t msg;
-    char esp_buf[256];	/* uses snprintf */
-    lset_t
-	opts_seen = LEMPTY,
-	sc_seen = LEMPTY,
-	lst_seen = LEMPTY,
-	cd_seen = LEMPTY,
-	ca_seen = LEMPTY,
-	end_seen = LEMPTY,
-	end_seen_before_to = LEMPTY;
-    const char
-	*af_used_by = NULL,
-	*tunnel_af_used_by = NULL;
-
-    /* check division of numbering space */
+	whack_message_t msg;
+	char esp_buf[256];  /* uses snprintf */
+	lset_t
+		opts_seen = LEMPTY,
+		sc_seen = LEMPTY,
+		lst_seen = LEMPTY,
+		cd_seen = LEMPTY,
+		ca_seen = LEMPTY,
+		end_seen = LEMPTY,
+		end_seen_before_to = LEMPTY;
+	const char
+		*af_used_by = NULL,
+		*tunnel_af_used_by = NULL;
+
+	/* check division of numbering space */
 #ifdef DEBUG
-    assert(OPTION_OFFSET + DBGOPT_LAST < NUMERIC_ARG);
+	assert(OPTION_OFFSET + DBGOPT_LAST < NUMERIC_ARG);
 #else
-    assert(OPTION_OFFSET + CA_LAST < NUMERIC_ARG);
+	assert(OPTION_OFFSET + CA_LAST < NUMERIC_ARG);
 #endif
-    assert(OPT_LAST - OPT_FIRST < (sizeof opts_seen * BITS_PER_BYTE));
-    assert(SC_LAST  - SC_FIRST  < (sizeof sc_seen   * BITS_PER_BYTE));
-    assert(LST_LAST - LST_FIRST < (sizeof lst_seen  * BITS_PER_BYTE));
-    assert(END_LAST - END_FIRST < (sizeof end_seen  * BITS_PER_BYTE));
-    assert(CD_LAST  - CD_FIRST  < (sizeof cd_seen   * BITS_PER_BYTE));
-    assert(CA_LAST  - CA_FIRST  < (sizeof ca_seen   * BITS_PER_BYTE));
-#ifdef DEBUG	/* must be last so others are less than (sizeof cd_seen * BITS_PER_BYTE) to fit in lset_t */
-    assert(DBGOPT_LAST - DBGOPT_FIRST < (sizeof cd_seen * BITS_PER_BYTE));
+	assert(OPT_LAST - OPT_FIRST < (sizeof opts_seen * BITS_PER_BYTE));
+	assert(SC_LAST  - SC_FIRST  < (sizeof sc_seen   * BITS_PER_BYTE));
+	assert(LST_LAST - LST_FIRST < (sizeof lst_seen  * BITS_PER_BYTE));
+	assert(END_LAST - END_FIRST < (sizeof end_seen  * BITS_PER_BYTE));
+	assert(CD_LAST  - CD_FIRST  < (sizeof cd_seen   * BITS_PER_BYTE));
+	assert(CA_LAST  - CA_FIRST  < (sizeof ca_seen   * BITS_PER_BYTE));
+#ifdef DEBUG    /* must be last so others are less than (sizeof cd_seen * BITS_PER_BYTE) to fit in lset_t */
+	assert(DBGOPT_LAST - DBGOPT_FIRST < (sizeof cd_seen * BITS_PER_BYTE));
 #endif
-    /* check that POLICY bit assignment matches with CD_ */
-    assert(LELEM(CD_DONT_REKEY - CD_POLICY_FIRST) == POLICY_DONT_REKEY);
+	/* check that POLICY bit assignment matches with CD_ */
+	assert(LELEM(CD_DONT_REKEY - CD_POLICY_FIRST) == POLICY_DONT_REKEY);
 
-    zero(&msg);
+	zero(&msg);
 
-    clear_end(&msg.right);	/* left set from this after --to */
+	clear_end(&msg.right);      /* left set from this after --to */
 
-    msg.name = NULL;
-    msg.keyid = NULL;
-    msg.keyval.ptr = NULL;
-    msg.esp = NULL;
-    msg.ike = NULL;
-    msg.pfsgroup = NULL;
+	msg.name = NULL;
+	msg.keyid = NULL;
+	msg.keyval.ptr = NULL;
+	msg.esp = NULL;
+	msg.ike = NULL;
+	msg.pfsgroup = NULL;
 
    /* if a connection is added via whack then we assume IKEv1 */
-    msg.ikev1 = TRUE;
-
-    msg.sa_ike_life_seconds = OAKLEY_ISAKMP_SA_LIFETIME_DEFAULT;
-    msg.sa_ipsec_life_seconds = PLUTO_SA_LIFE_DURATION_DEFAULT;
-    msg.sa_rekey_margin = SA_REPLACEMENT_MARGIN_DEFAULT;
-    msg.sa_rekey_fuzz = SA_REPLACEMENT_FUZZ_DEFAULT;
-    msg.sa_keying_tries = SA_REPLACEMENT_RETRIES_DEFAULT;
-
-    msg.addr_family = AF_INET;
-    msg.tunnel_addr_family = AF_INET;
-    
-    msg.cacert = NULL;
-    msg.ldaphost = NULL;
-    msg.ldapbase = NULL;
-    msg.crluri = NULL;
-    msg.crluri2 = NULL;
-    msg.ocspuri = NULL;
-
-    for (;;)
-    {
-	int long_index;
-	unsigned long opt_whole = 0;  /* numeric argument for some flags */
-
-	/* Note: we don't like the way short options get parsed
-	 * by getopt_long, so we simply pass an empty string as
-	 * the list.  It could be "hp:d:c:o:eatfs" "NARXPECK".
-	 */
-	int c = getopt_long(argc, argv, "", long_opts, &long_index) - OPTION_OFFSET;
-	int aux = 0;
+	msg.ikev1 = TRUE;
 
-	/* decode a numeric argument, if expected */
-	if (0 <= c)
-	{
-	    if (c & NUMERIC_ARG)
-	    {
-		char *endptr;
-
-		c -= NUMERIC_ARG;
-		opt_whole = strtoul(optarg, &endptr, 0);
-
-		if (*endptr != '\0' || endptr == optarg)
-		    diagq("badly formed numeric argument", optarg);
-	    }
-	    if (c >= (1 << AUX_SHIFT))
-	    {
-		aux = c >> AUX_SHIFT;
-		c -= aux << AUX_SHIFT;
-	    }
-	}
+	msg.sa_ike_life_seconds = OAKLEY_ISAKMP_SA_LIFETIME_DEFAULT;
+	msg.sa_ipsec_life_seconds = PLUTO_SA_LIFE_DURATION_DEFAULT;
+	msg.sa_rekey_margin = SA_REPLACEMENT_MARGIN_DEFAULT;
+	msg.sa_rekey_fuzz = SA_REPLACEMENT_FUZZ_DEFAULT;
+	msg.sa_keying_tries = SA_REPLACEMENT_RETRIES_DEFAULT;
 
-	/* per-class option processing */
-	if (0 <= c && c <= OPT_LAST)
-	{
-	    /* OPT_* options get added to opts_seen.
-	     * Reject repeated options (unless later code intervenes).
-	     */
-	    lset_t f = LELEM(c);
-
-	    if (opts_seen & f)
-		diagq("duplicated flag", long_opts[long_index].name);
-	    opts_seen |= f;
-	}
-	else if (SC_FIRST <= c && c <= SC_LAST)
-	{
-	    /* SC_* options get added to sc_seen.
-	     * Reject repeated options (unless later code intervenes).
-	     */
-	    lset_t f = LELEM(c - SC_FIRST);
-
-	    if (sc_seen & f)
-		diagq("duplicated flag", long_opts[long_index].name);
-	    sc_seen |= f;
-	}
-	else if (LST_FIRST <= c && c <= LST_LAST)
+	msg.addr_family = AF_INET;
+	msg.tunnel_addr_family = AF_INET;
+	
+	msg.cacert = NULL;
+	msg.ldaphost = NULL;
+	msg.ldapbase = NULL;
+	msg.crluri = NULL;
+	msg.crluri2 = NULL;
+	msg.ocspuri = NULL;
+
+	options = options_create();
+
+	for (;;)
 	{
-	    /* LST_* options get added to lst_seen.
-	     * Reject repeated options (unless later code intervenes).
-	     */
-	    lset_t f = LELEM(c - LST_FIRST);
-
-	    if (lst_seen & f)
-		diagq("duplicated flag", long_opts[long_index].name);
-	    lst_seen |= f;
-	}
+		int long_index;
+		unsigned long opt_whole = 0;  /* numeric argument for some flags */
+
+		/* Note: we don't like the way short options get parsed
+		 * by getopt_long, so we simply pass an empty string as
+		 * the list.  It could be "hp:d:c:o:eatfs" "NARXPECK".
+		 */
+		int c = getopt_long(argc, argv, "", long_opts, &long_index) - OPTION_OFFSET;
+		int aux = 0;
+
+		/* decode a numeric argument, if expected */
+		if (0 <= c)
+		{
+			if (c & NUMERIC_ARG)
+			{
+				char *endptr;
+
+				c -= NUMERIC_ARG;
+				opt_whole = strtoul(optarg, &endptr, 0);
+
+				if (*endptr != '\0' || endptr == optarg)
+					diagq("badly formed numeric argument", optarg);
+			}
+			if (c >= (1 << AUX_SHIFT))
+			{
+				aux = c >> AUX_SHIFT;
+				c -= aux << AUX_SHIFT;
+			}
+		}
+
+		/* per-class option processing */
+		if (0 <= c && c <= OPT_LAST)
+		{
+			/* OPT_* options get added to opts_seen.
+			 * Reject repeated options (unless later code intervenes).
+			 */
+			lset_t f = LELEM(c);
+
+			if (opts_seen & f)
+				diagq("duplicated flag", long_opts[long_index].name);
+			opts_seen |= f;
+		}
+		else if (SC_FIRST <= c && c <= SC_LAST)
+		{
+			/* SC_* options get added to sc_seen.
+			 * Reject repeated options (unless later code intervenes).
+			 */
+			lset_t f = LELEM(c - SC_FIRST);
+
+			if (sc_seen & f)
+				diagq("duplicated flag", long_opts[long_index].name);
+			sc_seen |= f;
+		}
+		else if (LST_FIRST <= c && c <= LST_LAST)
+		{
+			/* LST_* options get added to lst_seen.
+			 * Reject repeated options (unless later code intervenes).
+			 */
+			lset_t f = LELEM(c - LST_FIRST);
+
+			if (lst_seen & f)
+				diagq("duplicated flag", long_opts[long_index].name);
+			lst_seen |= f;
+		}
 #ifdef DEBUG
-	else if (DBGOPT_FIRST <= c && c <= DBGOPT_LAST)
-	{
-	    msg.whack_options = TRUE;
-	}
+		else if (DBGOPT_FIRST <= c && c <= DBGOPT_LAST)
+		{
+			msg.whack_options = TRUE;
+		}
 #endif
-	else if (END_FIRST <= c && c <= END_LAST)
-	{
-	    /* END_* options are added to end_seen.
-	     * Reject repeated options (unless later code intervenes).
-	     */
-	    lset_t f = LELEM(c - END_FIRST);
-
-	    if (end_seen & f)
-		diagq("duplicated flag", long_opts[long_index].name);
-	    end_seen |= f;
-	    opts_seen |= LELEM(OPT_CD);
-	}
-	else if (CD_FIRST <= c && c <= CD_LAST)
-	{
-	    /* CD_* options are added to cd_seen.
-	     * Reject repeated options (unless later code intervenes).
-	     */
-	    lset_t f = LELEM(c - CD_FIRST);
-
-	    if (cd_seen & f)
-		diagq("duplicated flag", long_opts[long_index].name);
-	    cd_seen |= f;
-	    opts_seen |= LELEM(OPT_CD);
-	}
-	else if (CA_FIRST <= c && c <= CA_LAST)
-	{
-	    /* CA_* options are added to ca_seen.
-	     * Reject repeated options (unless later code intervenes).
-	     */
-	    lset_t f = LELEM(c - CA_FIRST);
-
-	    if (ca_seen & f)
-		diagq("duplicated flag", long_opts[long_index].name);
-	    ca_seen |= f;
-	}
+		else if (END_FIRST <= c && c <= END_LAST)
+		{
+			/* END_* options are added to end_seen.
+			 * Reject repeated options (unless later code intervenes).
+			 */
+			lset_t f = LELEM(c - END_FIRST);
+
+			if (end_seen & f)
+				diagq("duplicated flag", long_opts[long_index].name);
+			end_seen |= f;
+			opts_seen |= LELEM(OPT_CD);
+		}
+		else if (CD_FIRST <= c && c <= CD_LAST)
+		{
+			/* CD_* options are added to cd_seen.
+			 * Reject repeated options (unless later code intervenes).
+			 */
+			lset_t f = LELEM(c - CD_FIRST);
+
+			if (cd_seen & f)
+				diagq("duplicated flag", long_opts[long_index].name);
+			cd_seen |= f;
+			opts_seen |= LELEM(OPT_CD);
+		}
+		else if (CA_FIRST <= c && c <= CA_LAST)
+		{
+			/* CA_* options are added to ca_seen.
+			 * Reject repeated options (unless later code intervenes).
+			 */
+			lset_t f = LELEM(c - CA_FIRST);
+
+			if (ca_seen & f)
+				diagq("duplicated flag", long_opts[long_index].name);
+			ca_seen |= f;
+		}
 
-	/* Note: "break"ing from switch terminates loop.
-	 * most cases should end with "continue".
-	 */
-	switch (c)
-	{
-	case EOF - OPTION_OFFSET:	/* end of flags */
-	    break;
-
-	case 0 - OPTION_OFFSET: /* long option already handled */
-	    continue;
-
-	case ':' - OPTION_OFFSET:	/* diagnostic already printed by getopt_long */
-	case '?' - OPTION_OFFSET:	/* diagnostic already printed by getopt_long */
-	    diag(NULL);	/* print no additional diagnostic, but exit sadly */
-	    break;	/* not actually reached */
-
-	case 'h' - OPTION_OFFSET:	/* --help */
-	    help();
-	    return 0;	/* GNU coding standards say to stop here */
-
-	case 'v' - OPTION_OFFSET:	/* --version */
-	    {
-		const char **sp = ipsec_copyright_notice();
-
-		printf("%s\n", ipsec_version_string());
-		for (; *sp != NULL; sp++)
-		    puts(*sp);
-	    }
-	    return 0;	/* GNU coding standards say to stop here */
-
-	case 'l' - OPTION_OFFSET:	/* --label <string> */
-	    label = optarg;	/* remember for diagnostics */
-	    continue;
-
-	case '+' - OPTION_OFFSET:	/* --optionsfrom <filename> */
-	    optionsfrom(optarg, &argc, &argv, optind, stderr);
-	    /* does not return on error */
-	    continue;
-
-	/* the rest of the options combine in complex ways */
-
-	case OPT_CTLBASE:	/* --port <ctlbase> */
-	    if (snprintf(ctl_addr.sun_path, sizeof(ctl_addr.sun_path)
-	    , "%s%s", optarg, CTL_SUFFIX) == -1)
-		diag("<ctlbase>" CTL_SUFFIX " must be fit in a sun_addr");
-	    continue;
-
-	case OPT_NAME:	/* --name <connection-name> */
-	    name = optarg;
-	    msg.name = optarg;
-	    continue;
-
-	case OPT_KEYID:	/* --keyid <identity> */
-	    msg.whack_key = !msg.whack_sc_op;
-	    msg.keyid = optarg;	/* decoded by Pluto */
-	    continue;
-
-	case OPT_MYID:	/* --myid <identity> */
-	    msg.whack_myid = TRUE;
-	    msg.myid = optarg;	/* decoded by Pluto */
-	    continue;
-
-	case OPT_ADDKEY:	/* --addkey */
-	    msg.whack_addkey = TRUE;
-	    continue;
-
-	case OPT_PUBKEYRSA:	/* --pubkeyrsa <key> */
-	    {
-		static char keyspace[RSA_MAX_ENCODING_BYTES];	/* room for 8K bit key */
-		char diag_space[TTODATAV_BUF];
-		const char *ugh = ttodatav(optarg, 0, 0
-		    , keyspace, sizeof(keyspace)
-		    , &msg.keyval.len, diag_space, sizeof(diag_space)
-		    , TTODATAV_SPACECOUNTS);
-
-		if (ugh != NULL)
+		/* Note: "break"ing from switch terminates loop.
+		 * most cases should end with "continue".
+		 */
+		switch (c)
 		{
-		    char ugh_space[80];	/* perhaps enough space */
+		case EOF - OPTION_OFFSET:       /* end of flags */
+			break;
 
-		    snprintf(ugh_space, sizeof(ugh_space)
-			, "RSA public-key data malformed (%s)", ugh);
-		    diagq(ugh_space, optarg);
-		}
-		msg.pubkey_alg = PUBKEY_ALG_RSA;
-		msg.keyval.ptr = keyspace;
-	    }
-	    continue;
-
-	case OPT_ROUTE:	/* --route */
-	    msg.whack_route = TRUE;
-	    continue;
-
-	case OPT_UNROUTE:	/* --unroute */
-	    msg.whack_unroute = TRUE;
-	    continue;
-
-	case OPT_INITIATE:	/* --initiate */
-	    msg.whack_initiate = TRUE;
-	    continue;
-
-	case OPT_TERMINATE:	/* --terminate */
-	    msg.whack_terminate = TRUE;
-	    continue;
-
-	case OPT_DELETE:	/* --delete */
-	    msg.whack_delete = TRUE;
-	    continue;
-
-	case OPT_DELETESTATE:	/* --deletestate <state_object_number> */
-	    msg.whack_deletestate = TRUE;
-	    msg.whack_deletestateno = opt_whole;
-	    continue;
-
-	case OPT_DELETECRASH:   /* --crash <ip-address> */
-	    msg.whack_crash = TRUE;
-	    tunnel_af_used_by = long_opts[long_index].name;
-	    diagq(ttoaddr(optarg, 0, msg.tunnel_addr_family, &msg.whack_crash_peer), optarg);
-	    if (isanyaddr(&msg.whack_crash_peer))
-		diagq("0.0.0.0 or 0::0 isn't a valid client address", optarg);
-	    continue;
-
-	case OPT_LISTEN:	/* --listen */
-	    msg.whack_listen = TRUE;
-	    continue;
-
-	case OPT_UNLISTEN:	/* --unlisten */
-	    msg.whack_unlisten = TRUE;
-	    continue;
-
-	case OPT_PURGEOCSP:	/* --purgeocsp */
-	    msg.whack_purgeocsp = TRUE;
-	    continue;
-
-	case OPT_REREADSECRETS:	  /* --rereadsecrets */
-	case OPT_REREADCACERTS:	  /* --rereadcacerts */
-	case OPT_REREADAACERTS:	  /* --rereadaacerts */
-	case OPT_REREADOCSPCERTS: /* --rereadocspcerts */
-	case OPT_REREADACERTS:    /* --rereadacerts */
-	case OPT_REREADCRLS:	  /* --rereadcrls */
-	    msg.whack_reread |= LELEM(c-OPT_REREADSECRETS);
-	    continue;
-
-	case OPT_REREADALL:	/* --rereadall */
-	    msg.whack_reread = REREAD_ALL;
-	    continue;
-
-	case OPT_STATUSALL:	/* --statusall */
-	    msg.whack_statusall = TRUE;
-
-	case OPT_STATUS:	/* --status */
-	    msg.whack_status = TRUE;
-	    continue;
-	
-	case OPT_SHUTDOWN:	/* --shutdown */
-	    msg.whack_shutdown = TRUE;
-	    continue;
-
-	case OPT_OPPO_HERE:	/* --oppohere <ip-address> */
-	    tunnel_af_used_by = long_opts[long_index].name;
-	    diagq(ttoaddr(optarg, 0, msg.tunnel_addr_family, &msg.oppo_my_client), optarg);
-	    if (isanyaddr(&msg.oppo_my_client))
-		diagq("0.0.0.0 or 0::0 isn't a valid client address", optarg);
-	    continue;
-
-	case OPT_OPPO_THERE:	/* --oppohere <ip-address> */
-	    tunnel_af_used_by = long_opts[long_index].name;
-	    diagq(ttoaddr(optarg, 0, msg.tunnel_addr_family, &msg.oppo_peer_client), optarg);
-	    if (isanyaddr(&msg.oppo_peer_client))
-		diagq("0.0.0.0 or 0::0 isn't a valid client address", optarg);
-	    continue;
-
-	case OPT_ASYNC:
-	    msg.whack_async = TRUE;
-	    continue;
-
-	/* Smartcard options */
-
-	case SC_ENCRYPT:	/* --scencrypt <plaintext data> */
-	case SC_DECRYPT:	/* --scdecrypt <encrypted data> */
-	    msg.whack_sc_op = 1 + c - SC_ENCRYPT;
-            msg.whack_key = FALSE;
-	    msg.sc_data = optarg;
-	    continue;
-
-	case SC_INBASE:		/* --inform  <format> */
-	case SC_OUTBASE:	/* --outform <format> */
-	   {
-		int base = 0;
-
-		if (streq(optarg, "16") || strcaseeq(optarg, "hex"))
-		    base = 16;
-		else if (streq(optarg, "64") || strcaseeq(optarg, "base64"))
-		    base = 64;
-		else if (streq(optarg, "256") || strcaseeq(optarg, "text")
-		      || strcaseeq(optarg, "ascii"))
-		    base = 256;
-		else
-		    diagq("not a valid base", optarg);
+		case 0 - OPTION_OFFSET: /* long option already handled */
+			continue;
+
+		case ':' - OPTION_OFFSET:       /* diagnostic already printed by getopt_long */
+		case '?' - OPTION_OFFSET:       /* diagnostic already printed by getopt_long */
+			diag(NULL); /* print no additional diagnostic, but exit sadly */
+			break;      /* not actually reached */
+
+		case 'h' - OPTION_OFFSET:       /* --help */
+			help();
+			whack_exit(0);              /* GNU coding standards say to stop here */
+
+		case 'v' - OPTION_OFFSET:       /* --version */
+			{
+				const char **sp = ipsec_copyright_notice();
+
+				printf("strongSwan "VERSION"\n");
+				for (; *sp != NULL; sp++)
+					puts(*sp);
+			}
+			whack_exit(0);   /* GNU coding standards say to stop here */
+
+		case 'l' - OPTION_OFFSET:       /* --label <string> */
+			label = optarg;             /* remember for diagnostics */
+			continue;
+
+		case '+' - OPTION_OFFSET:       /* --optionsfrom <filename> */
+			if (!options->from(options, optarg, &argc, &argv, optind))
+			{
+				fprintf(stderr, "optionsfrom failed");
+				whack_exit(RC_WHACK_PROBLEM);				
+			}
+			continue;
+
+		/* the rest of the options combine in complex ways */
+
+		case OPT_CTLBASE:       /* --port <ctlbase> */
+			if (snprintf(ctl_addr.sun_path, sizeof(ctl_addr.sun_path)
+			, "%s%s", optarg, CTL_SUFFIX) == -1)
+				diag("<ctlbase>" CTL_SUFFIX " must be fit in a sun_addr");
+			continue;
+
+		case OPT_NAME:  /* --name <connection-name> */
+			name = optarg;
+			msg.name = optarg;
+			continue;
+
+		case OPT_KEYID: /* --keyid <identity> */
+			msg.whack_key = !msg.whack_sc_op;
+			msg.keyid = optarg; /* decoded by Pluto */
+			continue;
+
+		case OPT_MYID:  /* --myid <identity> */
+			msg.whack_myid = TRUE;
+			msg.myid = optarg;  /* decoded by Pluto */
+			continue;
+
+		case OPT_ADDKEY:        /* --addkey */
+			msg.whack_addkey = TRUE;
+			continue;
+
+		case OPT_PUBKEYRSA:     /* --pubkeyrsa <key> */
+			{
+				static char keyspace[RSA_MAX_ENCODING_BYTES];   /* room for 8K bit key */
+				char diag_space[TTODATAV_BUF];
+				const char *ugh = ttodatav(optarg, 0, 0
+					, keyspace, sizeof(keyspace)
+					, &msg.keyval.len, diag_space, sizeof(diag_space)
+					, TTODATAV_SPACECOUNTS);
+
+				if (ugh != NULL)
+				{
+					char ugh_space[80]; /* perhaps enough space */
+
+					snprintf(ugh_space, sizeof(ugh_space)
+						, "RSA public-key data malformed (%s)", ugh);
+					diagq(ugh_space, optarg);
+				}
+				msg.pubkey_alg = PUBKEY_ALG_RSA;
+				msg.keyval.ptr = keyspace;
+			}
+			continue;
+
+		case OPT_ROUTE: /* --route */
+			msg.whack_route = TRUE;
+			continue;
+
+		case OPT_UNROUTE:       /* --unroute */
+			msg.whack_unroute = TRUE;
+			continue;
+
+		case OPT_INITIATE:      /* --initiate */
+			msg.whack_initiate = TRUE;
+			continue;
+
+		case OPT_TERMINATE:     /* --terminate */
+			msg.whack_terminate = TRUE;
+			continue;
+
+		case OPT_DELETE:        /* --delete */
+			msg.whack_delete = TRUE;
+			continue;
+
+		case OPT_DELETESTATE:   /* --deletestate <state_object_number> */
+			msg.whack_deletestate = TRUE;
+			msg.whack_deletestateno = opt_whole;
+			continue;
+
+		case OPT_DELETECRASH:   /* --crash <ip-address> */
+			msg.whack_crash = TRUE;
+			tunnel_af_used_by = long_opts[long_index].name;
+			diagq(ttoaddr(optarg, 0, msg.tunnel_addr_family, &msg.whack_crash_peer), optarg);
+			if (isanyaddr(&msg.whack_crash_peer))
+				diagq("0.0.0.0 or 0::0 isn't a valid client address", optarg);
+			continue;
+
+		case OPT_LISTEN:        /* --listen */
+			msg.whack_listen = TRUE;
+			continue;
+
+		case OPT_UNLISTEN:      /* --unlisten */
+			msg.whack_unlisten = TRUE;
+			continue;
+
+		case OPT_PURGEOCSP:     /* --purgeocsp */
+			msg.whack_purgeocsp = TRUE;
+			continue;
+
+		case OPT_REREADSECRETS:   /* --rereadsecrets */
+		case OPT_REREADCACERTS:   /* --rereadcacerts */
+		case OPT_REREADAACERTS:   /* --rereadaacerts */
+		case OPT_REREADOCSPCERTS: /* --rereadocspcerts */
+		case OPT_REREADACERTS:    /* --rereadacerts */
+		case OPT_REREADCRLS:      /* --rereadcrls */
+			msg.whack_reread |= LELEM(c-OPT_REREADSECRETS);
+			continue;
+
+		case OPT_REREADALL:     /* --rereadall */
+			msg.whack_reread = REREAD_ALL;
+			continue;
+
+		case OPT_STATUSALL:     /* --statusall */
+			msg.whack_statusall = TRUE;
+
+		case OPT_STATUS:        /* --status */
+			msg.whack_status = TRUE;
+			continue;
 		
-		if (c == SC_INBASE)
-		    msg.inbase = base;
-		else
-		    msg.outbase = base;
-	    }
-	    continue;
-
-	/* List options */
-
-        case LST_UTC:   	/* --utc */
-            msg.whack_utc = TRUE;
-            continue;
-
-	case LST_ALGS:		/* --listalgs */
-	case LST_PUBKEYS:	/* --listpubkeys */
-	case LST_CERTS:		/* --listcerts */
-	case LST_CACERTS:	/* --listcacerts */
-	case LST_ACERTS:	/* --listacerts */
-	case LST_AACERTS:	/* --listaacerts */
-	case LST_OCSPCERTS:	/* --listocspcerts */
-	case LST_GROUPS:	/* --listgroups */
-	case LST_CAINFOS:	/* --listcainfos */
-	case LST_CRLS:		/* --listcrls */
-	case LST_OCSP:		/* --listocsp */
-	case LST_CARDS:		/* --listcards */
-	    msg.whack_list |= LELEM(c - LST_ALGS);
-	    continue;
-
-	case LST_ALL:	/* --listall */
-	    msg.whack_list = LIST_ALL;
-	    continue;
-
-	/* Connection Description options */
-
-	case END_HOST:	/* --host <ip-address> */
-	{
-	    lset_t new_policy = LEMPTY;
-
-	    af_used_by = long_opts[long_index].name;
-	    diagq(anyaddr(msg.addr_family, &msg.right.host_addr), optarg);
-	    if (streq(optarg, "%any"))
-	    {
-	    }
-	    else if (streq(optarg, "%opportunistic"))
-	    {
-		/* always use tunnel mode; mark as opportunistic */
-		new_policy |= POLICY_TUNNEL | POLICY_OPPO;
-	    }
-	    else if (streq(optarg, "%group"))
-	    {
-		/* always use tunnel mode; mark as group */
-		new_policy |= POLICY_TUNNEL | POLICY_GROUP;
-	    }
-	    else if (streq(optarg, "%opportunisticgroup"))
-	    {
-		/* always use tunnel mode; mark as opportunistic */
-		new_policy |= POLICY_TUNNEL | POLICY_OPPO | POLICY_GROUP;
-	    }
-	    else
-	    {
-		diagq(ttoaddr(optarg, 0, msg.addr_family
-		    , &msg.right.host_addr), optarg);
-	    }
-
-	    msg.policy |= new_policy;
-
-	    if (new_policy & (POLICY_OPPO | POLICY_GROUP))
-	    {
-		if (!LHAS(end_seen, END_CLIENT - END_FIRST))
+		case OPT_SHUTDOWN:      /* --shutdown */
+			msg.whack_shutdown = TRUE;
+			continue;
+
+		case OPT_OPPO_HERE:     /* --oppohere <ip-address> */
+			tunnel_af_used_by = long_opts[long_index].name;
+			diagq(ttoaddr(optarg, 0, msg.tunnel_addr_family, &msg.oppo_my_client), optarg);
+			if (isanyaddr(&msg.oppo_my_client))
+				diagq("0.0.0.0 or 0::0 isn't a valid client address", optarg);
+			continue;
+
+		case OPT_OPPO_THERE:    /* --oppohere <ip-address> */
+			tunnel_af_used_by = long_opts[long_index].name;
+			diagq(ttoaddr(optarg, 0, msg.tunnel_addr_family, &msg.oppo_peer_client), optarg);
+			if (isanyaddr(&msg.oppo_peer_client))
+				diagq("0.0.0.0 or 0::0 isn't a valid client address", optarg);
+			continue;
+
+		case OPT_ASYNC:
+			msg.whack_async = TRUE;
+			continue;
+
+		/* Smartcard options */
+
+		case SC_ENCRYPT:        /* --scencrypt <plaintext data> */
+		case SC_DECRYPT:        /* --scdecrypt <encrypted data> */
+			msg.whack_sc_op = 1 + c - SC_ENCRYPT;
+			msg.whack_key = FALSE;
+			msg.sc_data = optarg;
+			continue;
+
+		case SC_INBASE:         /* --inform  <format> */
+		case SC_OUTBASE:        /* --outform <format> */
+		   {
+				int base = 0;
+
+				if (streq(optarg, "16") || strcaseeq(optarg, "hex"))
+					base = 16;
+				else if (streq(optarg, "64") || strcaseeq(optarg, "base64"))
+					base = 64;
+				else if (streq(optarg, "256") || strcaseeq(optarg, "text")
+					  || strcaseeq(optarg, "ascii"))
+					base = 256;
+				else
+					diagq("not a valid base", optarg);
+				
+				if (c == SC_INBASE)
+					msg.inbase = base;
+				else
+					msg.outbase = base;
+			}
+			continue;
+
+		/* List options */
+
+		case LST_UTC:           /* --utc */
+			msg.whack_utc = TRUE;
+			continue;
+
+		case LST_ALGS:          /* --listalgs */
+		case LST_PUBKEYS:       /* --listpubkeys */
+		case LST_CERTS:         /* --listcerts */
+		case LST_CACERTS:       /* --listcacerts */
+		case LST_ACERTS:        /* --listacerts */
+		case LST_AACERTS:       /* --listaacerts */
+		case LST_OCSPCERTS:     /* --listocspcerts */
+		case LST_GROUPS:        /* --listgroups */
+		case LST_CAINFOS:       /* --listcainfos */
+		case LST_CRLS:          /* --listcrls */
+		case LST_OCSP:          /* --listocsp */
+		case LST_CARDS:         /* --listcards */
+			msg.whack_list |= LELEM(c - LST_ALGS);
+			continue;
+
+		case LST_ALL:   /* --listall */
+			msg.whack_list = LIST_ALL;
+			continue;
+
+		/* Connection Description options */
+
+		case END_HOST:  /* --host <ip-address> */
 		{
-		    /* set host to 0.0.0 and --client to 0.0.0.0/0
-		     * or IPV6 equivalent
-		     */
-		    ip_address any;
-
-		    tunnel_af_used_by = optarg;
-		    diagq(anyaddr(msg.tunnel_addr_family, &any), optarg);
-		    diagq(initsubnet(&any, 0, '0', &msg.right.client), optarg);
+			lset_t new_policy = LEMPTY;
+
+			af_used_by = long_opts[long_index].name;
+			diagq(anyaddr(msg.addr_family, &msg.right.host_addr), optarg);
+			if (streq(optarg, "%any"))
+			{
+			}
+			else if (streq(optarg, "%opportunistic"))
+			{
+				/* always use tunnel mode; mark as opportunistic */
+				new_policy |= POLICY_TUNNEL | POLICY_OPPO;
+			}
+			else if (streq(optarg, "%group"))
+			{
+				/* always use tunnel mode; mark as group */
+				new_policy |= POLICY_TUNNEL | POLICY_GROUP;
+			}
+			else if (streq(optarg, "%opportunisticgroup"))
+			{
+				/* always use tunnel mode; mark as opportunistic */
+				new_policy |= POLICY_TUNNEL | POLICY_OPPO | POLICY_GROUP;
+			}
+			else
+			{
+				diagq(ttoaddr(optarg, 0, msg.addr_family
+					, &msg.right.host_addr), optarg);
+			}
+
+			msg.policy |= new_policy;
+
+			if (new_policy & (POLICY_OPPO | POLICY_GROUP))
+			{
+				if (!LHAS(end_seen, END_CLIENT - END_FIRST))
+				{
+					/* set host to 0.0.0 and --client to 0.0.0.0/0
+					 * or IPV6 equivalent
+					 */
+					ip_address any;
+
+					tunnel_af_used_by = optarg;
+					diagq(anyaddr(msg.tunnel_addr_family, &any), optarg);
+					diagq(initsubnet(&any, 0, '0', &msg.right.client), optarg);
+				}
+				msg.right.has_client = TRUE;
+			}
+			if (new_policy & POLICY_GROUP)
+			{
+				/* client subnet must not be specified by user:
+				 * it will come from the group's file.
+				 */
+				if (LHAS(end_seen, END_CLIENT - END_FIRST))
+					diag("--host %group clashes with --client");
+
+				end_seen |= LELEM(END_CLIENT - END_FIRST);
+			}
+			if (new_policy & POLICY_OPPO)
+				msg.right.key_from_DNS_on_demand = TRUE;
+			continue;
 		}
-		msg.right.has_client = TRUE;
-	    }
-	    if (new_policy & POLICY_GROUP)
-	    {
-		/* client subnet must not be specified by user:
-		 * it will come from the group's file.
+		case END_ID:    /* --id <identity> */
+			msg.right.id = optarg;      /* decoded by Pluto */
+			continue;
+
+		case END_CERT:  /* --cert <path> */
+			msg.right.cert = optarg;    /* decoded by Pluto */
+			continue;
+
+		case END_CA:    /* --ca <distinguished name> */
+			msg.right.ca = optarg;      /* decoded by Pluto */
+			continue;
+
+		case END_SENDCERT:
+			if (streq(optarg, "yes") || streq(optarg, "always"))
+			{
+				msg.right.sendcert = CERT_ALWAYS_SEND;
+			}
+			else if (streq(optarg, "no") || streq(optarg, "never"))
+			{
+				msg.right.sendcert = CERT_NEVER_SEND;
+			}
+			else if (streq(optarg, "ifasked"))
+			{
+				msg.right.sendcert = CERT_SEND_IF_ASKED;
+			}
+			else
+			{
+				diagq("whack sendcert value is not legal", optarg);
+			}
+			continue;
+
+		case END_GROUPS:/* --groups <access control groups> */
+			msg.right.groups = optarg;  /* decoded by Pluto */
+			continue;
+
+		case END_IKEPORT:       /* --ikeport <port-number> */
+			if (opt_whole<=0 || opt_whole >= 0x10000)
+				diagq("<port-number> must be a number between 1 and 65535", optarg);
+			msg.right.host_port = opt_whole;
+			continue;
+
+		case END_NEXTHOP:       /* --nexthop <ip-address> */
+			af_used_by = long_opts[long_index].name;
+			if (streq(optarg, "%direct"))
+				diagq(anyaddr(msg.addr_family
+					, &msg.right.host_nexthop), optarg);
+			else
+				diagq(ttoaddr(optarg, 0, msg.addr_family
+					, &msg.right.host_nexthop), optarg);
+			continue;
+
+		case END_SRCIP:        /* --srcip <ip-address> */
+			af_used_by = long_opts[long_index].name;
+			if (streq(optarg, "%modeconfig") || streq(optarg, "%modecfg"))
+			{
+				msg.right.modecfg = TRUE;
+			}
+			else
+			{
+				diagq(ttoaddr(optarg, 0, msg.addr_family
+					, &msg.right.host_srcip), optarg);
+				msg.right.has_srcip = TRUE;
+			}
+			msg.policy |= POLICY_TUNNEL;        /* srcip => tunnel */
+			continue;
+
+		case END_CLIENT:        /* --client <subnet> */
+			if (end_seen & LELEM(END_CLIENTWITHIN - END_FIRST))
+				diag("--client conflicts with --clientwithin");
+			tunnel_af_used_by = long_opts[long_index].name;
+			if ((strlen(optarg) >= 6 && strncmp(optarg,"vhost:",6) == 0)
+			||  (strlen(optarg) >= 5 && strncmp(optarg,"vnet:",5) == 0))
+			{
+				msg.right.virt = optarg;
+			}
+			else
+			{
+				diagq(ttosubnet(optarg, 0, msg.tunnel_addr_family, &msg.right.client), optarg);
+				msg.right.has_client = TRUE;
+			}
+			msg.policy |= POLICY_TUNNEL;        /* client => tunnel */
+			continue;
+
+		case END_CLIENTWITHIN:  /* --clienwithin <address range> */
+			if (end_seen & LELEM(END_CLIENT - END_FIRST))
+				diag("--clientwithin conflicts with --client");
+			tunnel_af_used_by = long_opts[long_index].name;
+			diagq(ttosubnet(optarg, 0, msg.tunnel_addr_family, &msg.right.client), optarg);
+			msg.right.has_client = TRUE;
+			msg.policy |= POLICY_TUNNEL;        /* client => tunnel */
+			msg.right.has_client_wildcard = TRUE;
+			continue;
+
+		case END_CLIENTPROTOPORT: /* --clientprotoport <protocol>/<port> */
+			diagq(ttoprotoport(optarg, 0, &msg.right.protocol, &msg.right.port
+				, &msg.right.has_port_wildcard), optarg);
+			continue;
+
+		case END_DNSKEYONDEMAND:        /* --dnskeyondemand */
+			msg.right.key_from_DNS_on_demand = TRUE;
+			continue;
+
+		case END_HOSTACCESS:    /* --hostaccess */
+			msg.right.hostaccess = TRUE;
+			continue;
+
+		case END_UPDOWN:        /* --updown <updown> */
+			msg.right.updown = optarg;
+			continue;
+
+		case CD_TO:             /* --to */
+			/* process right end, move it to left, reset it */
+			if (!LHAS(end_seen, END_HOST - END_FIRST))
+				diag("connection missing --host before --to");
+			msg.left = msg.right;
+			clear_end(&msg.right);
+			end_seen_before_to = end_seen;
+			end_seen = LEMPTY;
+			continue;
+
+		case CD_PSK:            /* --psk */
+		case CD_RSASIG:         /* --rsasig */
+		case CD_ENCRYPT:        /* --encrypt */
+		case CD_AUTHENTICATE:   /* --authenticate */
+		case CD_COMPRESS:       /* --compress */
+		case CD_TUNNEL:         /* --tunnel */
+		case CD_PFS:            /* --pfs */
+		case CD_DISABLEARRIVALCHECK:    /* --disablearrivalcheck */
+		case CD_DONT_REKEY:     /* --donotrekey */
+			msg.policy |= LELEM(c - CD_POLICY_FIRST);
+			continue;
+
+		/* --initiateontraffic
+		 * --pass
+		 * --drop
+		 * --reject
 		 */
-		if (LHAS(end_seen, END_CLIENT - END_FIRST))
-		    diag("--host %group clashes with --client");
-
-		end_seen |= LELEM(END_CLIENT - END_FIRST);
-	    }
-	    if (new_policy & POLICY_OPPO)
-		msg.right.key_from_DNS_on_demand = TRUE;
-	    continue;
-	}
-	case END_ID:	/* --id <identity> */
-	    msg.right.id = optarg;	/* decoded by Pluto */
-	    continue;
-
-	case END_CERT:	/* --cert <path> */
-	    msg.right.cert = optarg;	/* decoded by Pluto */
-	    continue;
-
-	case END_CA:	/* --ca <distinguished name> */
-	    msg.right.ca = optarg;	/* decoded by Pluto */
-	    continue;
-
-	case END_SENDCERT:
-   	    if (streq(optarg, "yes") || streq(optarg, "always"))
-	    {
-		msg.right.sendcert = CERT_ALWAYS_SEND;
-	    }
-	    else if (streq(optarg, "no") || streq(optarg, "never"))
-	    {
-		msg.right.sendcert = CERT_NEVER_SEND;
-	    }
-	    else if (streq(optarg, "ifasked"))
-	    {
-		msg.right.sendcert = CERT_SEND_IF_ASKED;
-	    }
-	    else
-	    {
-		diagq("whack sendcert value is not legal", optarg);
-	    }
-	    continue;
-
-	case END_GROUPS:/* --groups <access control groups> */
-	    msg.right.groups = optarg;	/* decoded by Pluto */
-	    continue;
-
-	case END_IKEPORT:	/* --ikeport <port-number> */
-	    if (opt_whole<=0 || opt_whole >= 0x10000)
-		diagq("<port-number> must be a number between 1 and 65535", optarg);
-	    msg.right.host_port = opt_whole;
-	    continue;
-
-	case END_NEXTHOP:	/* --nexthop <ip-address> */
-	    af_used_by = long_opts[long_index].name;
-	    if (streq(optarg, "%direct"))
-		diagq(anyaddr(msg.addr_family
-		    , &msg.right.host_nexthop), optarg);
-	    else
-		diagq(ttoaddr(optarg, 0, msg.addr_family
-		    , &msg.right.host_nexthop), optarg);
-	    continue;
-
-	case END_SRCIP:	       /* --srcip <ip-address> */
-	    af_used_by = long_opts[long_index].name;
-	    if (streq(optarg, "%modeconfig") || streq(optarg, "%modecfg"))
-	    {
-		msg.right.modecfg = TRUE;
-	    }
-	    else
-	    {
-		diagq(ttoaddr(optarg, 0, msg.addr_family
-		    , &msg.right.host_srcip), optarg);
-		msg.right.has_srcip = TRUE;
-	    }
-	    msg.policy |= POLICY_TUNNEL;	/* srcip => tunnel */
-	    continue;
-
-	case END_CLIENT:	/* --client <subnet> */
-	    if (end_seen & LELEM(END_CLIENTWITHIN - END_FIRST))
-		diag("--client conflicts with --clientwithin");
-	    tunnel_af_used_by = long_opts[long_index].name;
-	    if ((strlen(optarg) >= 6 && strncmp(optarg,"vhost:",6) == 0)
-	    ||  (strlen(optarg) >= 5 && strncmp(optarg,"vnet:",5) == 0))
-	    {
-		msg.right.virt = optarg;
-	    }
-	    else
-	    {
-		diagq(ttosubnet(optarg, 0, msg.tunnel_addr_family, &msg.right.client), optarg);
-		msg.right.has_client = TRUE;
-	    }
-	    msg.policy |= POLICY_TUNNEL;	/* client => tunnel */
-	    continue;
-
-	case END_CLIENTWITHIN:	/* --clienwithin <address range> */
-	    if (end_seen & LELEM(END_CLIENT - END_FIRST))
-		diag("--clientwithin conflicts with --client");
-	    tunnel_af_used_by = long_opts[long_index].name;
-	    diagq(ttosubnet(optarg, 0, msg.tunnel_addr_family, &msg.right.client), optarg);
-	    msg.right.has_client = TRUE;
-	    msg.policy |= POLICY_TUNNEL;	/* client => tunnel */
-	    msg.right.has_client_wildcard = TRUE;
-	    continue;
-
-	case END_CLIENTPROTOPORT: /* --clientprotoport <protocol>/<port> */
-	    diagq(ttoprotoport(optarg, 0, &msg.right.protocol, &msg.right.port
-	    	, &msg.right.has_port_wildcard), optarg);
-	    continue;
-
-	case END_DNSKEYONDEMAND:	/* --dnskeyondemand */
-	    msg.right.key_from_DNS_on_demand = TRUE;
-	    continue;
-
-	case END_HOSTACCESS:	/* --hostaccess */
-	    msg.right.hostaccess = TRUE;
-	    continue;
-
-	case END_UPDOWN:	/* --updown <updown> */
-	    msg.right.updown = optarg;
-	    continue;
-
-	case CD_TO:		/* --to */
-	    /* process right end, move it to left, reset it */
-	    if (!LHAS(end_seen, END_HOST - END_FIRST))
-		diag("connection missing --host before --to");
-	    msg.left = msg.right;
-	    clear_end(&msg.right);
-	    end_seen_before_to = end_seen;
-	    end_seen = LEMPTY;
-	    continue;
-
-	case CD_PSK:		/* --psk */
-	case CD_RSASIG:		/* --rsasig */
-	case CD_ENCRYPT:	/* --encrypt */
-	case CD_AUTHENTICATE:	/* --authenticate */
-	case CD_COMPRESS:	/* --compress */
-	case CD_TUNNEL:		/* --tunnel */
-	case CD_PFS:		/* --pfs */
-	case CD_DISABLEARRIVALCHECK:	/* --disablearrivalcheck */
-	case CD_DONT_REKEY:	/* --donotrekey */
-	    msg.policy |= LELEM(c - CD_POLICY_FIRST);
-	    continue;
-
-	/* --initiateontraffic
-	 * --pass
-	 * --drop
-	 * --reject
-	 */
-	case CD_SHUNT0:
-	    msg.policy = (msg.policy & ~POLICY_SHUNT_MASK)
-		| ((lset_t)aux << POLICY_SHUNT_SHIFT);
-	    continue;
-
-	/* --failnone
-	 * --failpass
-	 * --faildrop
-	 * --failreject
-	 */
-	case CD_FAIL0:
-	    msg.policy = (msg.policy & ~POLICY_FAIL_MASK)
-		| ((lset_t)aux << POLICY_FAIL_SHIFT);
-	    continue;
-
-	case CD_IKELIFETIME:	/* --ikelifetime <seconds> */
-	    msg.sa_ike_life_seconds = opt_whole;
-	    continue;
-
-	case CD_IPSECLIFETIME:	/* --ipseclifetime <seconds> */
-	    msg.sa_ipsec_life_seconds = opt_whole;
-	    continue;
-
-	case CD_RKMARGIN:	/* --rekeymargin <seconds> */
-	    msg.sa_rekey_margin = opt_whole;
-	    continue;
-
-	case CD_RKFUZZ:	/* --rekeyfuzz <percentage> */
-	    msg.sa_rekey_fuzz = opt_whole;
-	    continue;
-
-	case CD_KTRIES:	/* --keyingtries <count> */
-	    msg.sa_keying_tries = opt_whole;
-	    continue;
-
-	case CD_DPDACTION:
-	    if (streq(optarg, "none"))
-		msg.dpd_action = DPD_ACTION_NONE;
-	    else if (streq(optarg, "clear"))
-		msg.dpd_action = DPD_ACTION_CLEAR;
-	    else if (streq(optarg, "hold"))
-		msg.dpd_action = DPD_ACTION_HOLD;
-	    else if (streq(optarg, "restart"))
-		msg.dpd_action = DPD_ACTION_RESTART;
-	    else
-	    	msg.dpd_action = DPD_ACTION_UNKNOWN;
-	    continue;
-
-	case CD_DPDDELAY:
-	    msg.dpd_delay = opt_whole;
-	    continue;
-
-	case CD_DPDTIMEOUT:
-	    msg.dpd_timeout = opt_whole;
-	    continue;
-
-	case CD_IKE:	/* --ike <ike_alg1,ike_alg2,...> */
-	    msg.ike = optarg;
-	    continue;
-	    
-	case CD_PFSGROUP:	/* --pfsgroup modpXXXX */
-	    msg.pfsgroup = optarg;
-	    continue;
-
-	case CD_ESP:	/* --esp <esp_alg1,esp_alg2,...> */
-	    msg.esp = optarg;
-	    continue;
-
-	case CD_CONNIPV4:
-	    if (LHAS(cd_seen, CD_CONNIPV6 - CD_FIRST))
-		diag("--ipv4 conflicts with --ipv6");
-
-	    /* Since this is the default, the flag is redundant.
-	     * So we don't need to set msg.addr_family
-	     * and we don't need to check af_used_by
-	     * and we don't have to consider defaulting tunnel_addr_family.
-	     */
-	    continue;
-
-	case CD_CONNIPV6:
-	    if (LHAS(cd_seen, CD_CONNIPV4 - CD_FIRST))
-		diag("--ipv6 conflicts with --ipv4");
-
-	    if (af_used_by != NULL)
-		diagq("--ipv6 must precede", af_used_by);
-
-	    af_used_by = long_opts[long_index].name;
-	    msg.addr_family = AF_INET6;
-
-	    /* Consider defaulting tunnel_addr_family to AF_INET6.
-	     * Do so only if it hasn't yet been specified or used.
-	     */
-	    if (LDISJOINT(cd_seen, LELEM(CD_TUNNELIPV4 - CD_FIRST) | LELEM(CD_TUNNELIPV6 - CD_FIRST))
-	    && tunnel_af_used_by == NULL)
-		msg.tunnel_addr_family = AF_INET6;
-	    continue;
-
-	case CD_TUNNELIPV4:
-	    if (LHAS(cd_seen, CD_TUNNELIPV6 - CD_FIRST))
-		diag("--tunnelipv4 conflicts with --tunnelipv6");
-
-	    if (tunnel_af_used_by != NULL)
-		diagq("--tunnelipv4 must precede", af_used_by);
-
-	    msg.tunnel_addr_family = AF_INET;
-	    continue;
-
-	case CD_TUNNELIPV6:
-	    if (LHAS(cd_seen, CD_TUNNELIPV4 - CD_FIRST))
-		diag("--tunnelipv6 conflicts with --tunnelipv4");
-
-	    if (tunnel_af_used_by != NULL)
-		diagq("--tunnelipv6 must precede", af_used_by);
-
-	    msg.tunnel_addr_family = AF_INET6;
-	    continue;
-
-	case CA_NAME:		/* --caname <name> */
-	    msg.name = optarg;
-	    msg.whack_ca = TRUE;
-	    continue;
-	case CA_CERT:		/* --cacert <path> */
-	    msg.cacert = optarg;
-	    continue;
-	case CA_LDAPHOST:	/* --ldaphost <hostname> */
-	    msg.ldaphost = optarg;
-	    continue;
-	case CA_LDAPBASE:	/* --ldapbase <base> */
-	    msg.ldapbase = optarg;
-	    continue;
-	case CA_CRLURI:		/* --crluri <uri> */
-	    msg.crluri = optarg;
-	    continue;
-	case CA_CRLURI2:	/* --crluri2 <uri> */
-	    msg.crluri2 = optarg;
-	    continue;
-	case CA_OCSPURI:	/* --ocspuri <uri> */
-	    msg.ocspuri = optarg;
-	    continue;
-	case CA_STRICT:		/* --strictcrlpolicy */
-	    msg.whack_strict = TRUE;
-	    continue;
+		case CD_SHUNT0:
+			msg.policy = (msg.policy & ~POLICY_SHUNT_MASK)
+				| ((lset_t)aux << POLICY_SHUNT_SHIFT);
+			continue;
+
+		/* --failnone
+		 * --failpass
+		 * --faildrop
+		 * --failreject
+		 */
+		case CD_FAIL0:
+			msg.policy = (msg.policy & ~POLICY_FAIL_MASK)
+				| ((lset_t)aux << POLICY_FAIL_SHIFT);
+			continue;
+
+		case CD_IKELIFETIME:    /* --ikelifetime <seconds> */
+			msg.sa_ike_life_seconds = opt_whole;
+			continue;
+
+		case CD_IPSECLIFETIME:  /* --ipseclifetime <seconds> */
+			msg.sa_ipsec_life_seconds = opt_whole;
+			continue;
+
+		case CD_RKMARGIN:       /* --rekeymargin <seconds> */
+			msg.sa_rekey_margin = opt_whole;
+			continue;
+
+		case CD_RKFUZZ: /* --rekeyfuzz <percentage> */
+			msg.sa_rekey_fuzz = opt_whole;
+			continue;
+
+		case CD_KTRIES: /* --keyingtries <count> */
+			msg.sa_keying_tries = opt_whole;
+			continue;
+
+		case CD_DPDACTION:
+			if (streq(optarg, "none"))
+				msg.dpd_action = DPD_ACTION_NONE;
+			else if (streq(optarg, "clear"))
+				msg.dpd_action = DPD_ACTION_CLEAR;
+			else if (streq(optarg, "hold"))
+				msg.dpd_action = DPD_ACTION_HOLD;
+			else if (streq(optarg, "restart"))
+				msg.dpd_action = DPD_ACTION_RESTART;
+			else
+				msg.dpd_action = DPD_ACTION_UNKNOWN;
+			continue;
+
+		case CD_DPDDELAY:
+			msg.dpd_delay = opt_whole;
+			continue;
+
+		case CD_DPDTIMEOUT:
+			msg.dpd_timeout = opt_whole;
+			continue;
+
+		case CD_IKE:    /* --ike <ike_alg1,ike_alg2,...> */
+			msg.ike = optarg;
+			continue;
+			
+		case CD_PFSGROUP:       /* --pfsgroup modpXXXX */
+			msg.pfsgroup = optarg;
+			continue;
+
+		case CD_ESP:    /* --esp <esp_alg1,esp_alg2,...> */
+			msg.esp = optarg;
+			continue;
+
+		case CD_CONNIPV4:
+			if (LHAS(cd_seen, CD_CONNIPV6 - CD_FIRST))
+				diag("--ipv4 conflicts with --ipv6");
+
+			/* Since this is the default, the flag is redundant.
+			 * So we don't need to set msg.addr_family
+			 * and we don't need to check af_used_by
+			 * and we don't have to consider defaulting tunnel_addr_family.
+			 */
+			continue;
+
+		case CD_CONNIPV6:
+			if (LHAS(cd_seen, CD_CONNIPV4 - CD_FIRST))
+				diag("--ipv6 conflicts with --ipv4");
+
+			if (af_used_by != NULL)
+				diagq("--ipv6 must precede", af_used_by);
+
+			af_used_by = long_opts[long_index].name;
+			msg.addr_family = AF_INET6;
+
+			/* Consider defaulting tunnel_addr_family to AF_INET6.
+			 * Do so only if it hasn't yet been specified or used.
+			 */
+			if (LDISJOINT(cd_seen, LELEM(CD_TUNNELIPV4 - CD_FIRST) | LELEM(CD_TUNNELIPV6 - CD_FIRST))
+			&& tunnel_af_used_by == NULL)
+				msg.tunnel_addr_family = AF_INET6;
+			continue;
+
+		case CD_TUNNELIPV4:
+			if (LHAS(cd_seen, CD_TUNNELIPV6 - CD_FIRST))
+				diag("--tunnelipv4 conflicts with --tunnelipv6");
+
+			if (tunnel_af_used_by != NULL)
+				diagq("--tunnelipv4 must precede", af_used_by);
+
+			msg.tunnel_addr_family = AF_INET;
+			continue;
+
+		case CD_TUNNELIPV6:
+			if (LHAS(cd_seen, CD_TUNNELIPV4 - CD_FIRST))
+				diag("--tunnelipv6 conflicts with --tunnelipv4");
+
+			if (tunnel_af_used_by != NULL)
+				diagq("--tunnelipv6 must precede", af_used_by);
+
+			msg.tunnel_addr_family = AF_INET6;
+			continue;
+
+		case CA_NAME:           /* --caname <name> */
+			msg.name = optarg;
+			msg.whack_ca = TRUE;
+			continue;
+		case CA_CERT:           /* --cacert <path> */
+			msg.cacert = optarg;
+			continue;
+		case CA_LDAPHOST:       /* --ldaphost <hostname> */
+			msg.ldaphost = optarg;
+			continue;
+		case CA_LDAPBASE:       /* --ldapbase <base> */
+			msg.ldapbase = optarg;
+			continue;
+		case CA_CRLURI:         /* --crluri <uri> */
+			msg.crluri = optarg;
+			continue;
+		case CA_CRLURI2:        /* --crluri2 <uri> */
+			msg.crluri2 = optarg;
+			continue;
+		case CA_OCSPURI:        /* --ocspuri <uri> */
+			msg.ocspuri = optarg;
+			continue;
+		case CA_STRICT:         /* --strictcrlpolicy */
+			msg.whack_strict = TRUE;
+			continue;
 
 #ifdef DEBUG
-	case DBGOPT_NONE:	/* --debug-none */
-	    msg.debugging = DBG_NONE;
-	    continue;
-
-	case DBGOPT_ALL:	/* --debug-all */
-	    msg.debugging |= DBG_ALL;	/* note: does not include PRIVATE */
-	    continue;
-
-	case DBGOPT_RAW:	/* --debug-raw */
-	case DBGOPT_CRYPT:	/* --debug-crypt */
-	case DBGOPT_PARSING:	/* --debug-parsing */
-	case DBGOPT_EMITTING:	/* --debug-emitting */
-	case DBGOPT_CONTROL:	/* --debug-control */
-	case DBGOPT_LIFECYCLE:	/* --debug-lifecycle */
-	case DBGOPT_KLIPS:	/* --debug-klips */
-	case DBGOPT_DNS:	/* --debug-dns */
-	case DBGOPT_NATT:	/* --debug-natt */
-	case DBGOPT_OPPO:	/* --debug-oppo */
-	case DBGOPT_CONTROLMORE: /* --debug-controlmore */
-	case DBGOPT_PRIVATE:	/* --debug-private */
-	case DBGOPT_IMPAIR_DELAY_ADNS_KEY_ANSWER:	/* --impair-delay-adns-key-answer */
-	case DBGOPT_IMPAIR_DELAY_ADNS_TXT_ANSWER:	/* --impair-delay-adns-txt-answer */
-	case DBGOPT_IMPAIR_BUST_MI2:	/* --impair_bust_mi2 */
-	case DBGOPT_IMPAIR_BUST_MR2:	/* --impair_bust_mr2 */
-	    msg.debugging |= LELEM(c-DBGOPT_RAW);
-	    continue;
+		case DBGOPT_NONE:       /* --debug-none */
+			msg.debugging = DBG_NONE;
+			continue;
+
+		case DBGOPT_ALL:        /* --debug-all */
+			msg.debugging |= DBG_ALL;   /* note: does not include PRIVATE */
+			continue;
+
+		case DBGOPT_RAW:        /* --debug-raw */
+		case DBGOPT_CRYPT:      /* --debug-crypt */
+		case DBGOPT_PARSING:    /* --debug-parsing */
+		case DBGOPT_EMITTING:   /* --debug-emitting */
+		case DBGOPT_CONTROL:    /* --debug-control */
+		case DBGOPT_LIFECYCLE:  /* --debug-lifecycle */
+		case DBGOPT_KLIPS:      /* --debug-klips */
+		case DBGOPT_DNS:        /* --debug-dns */
+		case DBGOPT_NATT:       /* --debug-natt */
+		case DBGOPT_OPPO:       /* --debug-oppo */
+		case DBGOPT_CONTROLMORE: /* --debug-controlmore */
+		case DBGOPT_PRIVATE:    /* --debug-private */
+		case DBGOPT_IMPAIR_DELAY_ADNS_KEY_ANSWER:       /* --impair-delay-adns-key-answer */
+		case DBGOPT_IMPAIR_DELAY_ADNS_TXT_ANSWER:       /* --impair-delay-adns-txt-answer */
+		case DBGOPT_IMPAIR_BUST_MI2:    /* --impair_bust_mi2 */
+		case DBGOPT_IMPAIR_BUST_MR2:    /* --impair_bust_mr2 */
+			msg.debugging |= LELEM(c-DBGOPT_RAW);
+			continue;
 #endif
-	default:
-	    assert(FALSE);	/* unknown return value */
+		default:
+			assert(FALSE);      /* unknown return value */
+		}
+		break;
 	}
-	break;
-    }
-
-    if (optind != argc)
-    {
-	/* If you see this message unexpectedly, perhaps the
-	 * case for the previous option ended with "break"
-	 * instead of "continue"
-	 */
-	diagq("unexpected argument", argv[optind]);
-    }
-
-    /* For each possible form of the command, figure out if an argument
-     * suggests whether that form was intended, and if so, whether all
-     * required information was supplied.
-     */
-
-    /* check opportunistic initiation simulation request */
-    switch (opts_seen & (LELEM(OPT_OPPO_HERE) | LELEM(OPT_OPPO_THERE)))
-    {
-    case LELEM(OPT_OPPO_HERE):
-    case LELEM(OPT_OPPO_THERE):
-	diag("--oppohere and --oppothere must be used together");
-	/*NOTREACHED*/
-    case LELEM(OPT_OPPO_HERE) | LELEM(OPT_OPPO_THERE):
-	msg.whack_oppo_initiate = TRUE;
-	if (LIN(cd_seen, LELEM(CD_TUNNELIPV4 - CD_FIRST) | LELEM(CD_TUNNELIPV6 - CD_FIRST)))
-	    opts_seen &= ~LELEM(OPT_CD);
-	break;
-    }
-
-    /* check connection description */
-    if (LHAS(opts_seen, OPT_CD))
-    {
-	if (!LHAS(cd_seen, CD_TO-CD_FIRST))
-	    diag("connection description option, but no --to");
-
-	if (!LHAS(end_seen, END_HOST-END_FIRST))
-	    diag("connection missing --host after --to");
-
-	if (isanyaddr(&msg.left.host_addr)
-	&& isanyaddr(&msg.right.host_addr))
-	    diag("hosts cannot both be 0.0.0.0 or 0::0");
-
-	if (msg.policy & POLICY_OPPO)
+
+	if (optind != argc)
 	{
-	    if ((msg.policy & (POLICY_PSK | POLICY_RSASIG)) != POLICY_RSASIG)
-		diag("only RSASIG is supported for opportunism");
-	    if ((msg.policy & POLICY_PFS) == 0)
-		diag("PFS required for opportunism");
-	    if ((msg.policy & POLICY_ENCRYPT) == 0)
-		diag("encryption required for opportunism");
+		/* If you see this message unexpectedly, perhaps the
+		 * case for the previous option ended with "break"
+		 * instead of "continue"
+		 */
+		diagq("unexpected argument", argv[optind]);
 	}
 
-	check_end(&msg.left, &msg.right, !LHAS(end_seen_before_to, END_NEXTHOP-END_FIRST)
-	    , msg.addr_family, msg.tunnel_addr_family);
-
-	check_end(&msg.right, &msg.left, !LHAS(end_seen, END_NEXTHOP-END_FIRST)
-	    , msg.addr_family, msg.tunnel_addr_family);
-
-	if (subnettypeof(&msg.left.client) != subnettypeof(&msg.right.client))
-	    diag("endpoints clash: one is IPv4 and the other is IPv6");
+	/* For each possible form of the command, figure out if an argument
+	 * suggests whether that form was intended, and if so, whether all
+	 * required information was supplied.
+	 */
 
-	if (NEVER_NEGOTIATE(msg.policy))
+	/* check opportunistic initiation simulation request */
+	switch (opts_seen & (LELEM(OPT_OPPO_HERE) | LELEM(OPT_OPPO_THERE)))
 	{
-	    /* we think this is just a shunt (because he didn't specify
-	     * a host authentication method).  If he didn't specify a
-	     * shunt type, he's probably gotten it wrong.
-	     */
-	    if ((msg.policy & POLICY_SHUNT_MASK) == POLICY_SHUNT_TRAP)
-		diag("non-shunt connection must have --psk or --rsasig or both");
+	case LELEM(OPT_OPPO_HERE):
+	case LELEM(OPT_OPPO_THERE):
+		diag("--oppohere and --oppothere must be used together");
+		/*NOTREACHED*/
+	case LELEM(OPT_OPPO_HERE) | LELEM(OPT_OPPO_THERE):
+		msg.whack_oppo_initiate = TRUE;
+		if (LIN(cd_seen, LELEM(CD_TUNNELIPV4 - CD_FIRST) | LELEM(CD_TUNNELIPV6 - CD_FIRST)))
+			opts_seen &= ~LELEM(OPT_CD);
+		break;
 	}
-	else
+
+	/* check connection description */
+	if (LHAS(opts_seen, OPT_CD))
 	{
-	    /* not just a shunt: a real ipsec connection */
-	    if ((msg.policy & POLICY_ID_AUTH_MASK) == LEMPTY)
-		diag("must specify --rsasig or --psk for a connection");
+		if (!LHAS(cd_seen, CD_TO-CD_FIRST))
+			diag("connection description option, but no --to");
+
+		if (!LHAS(end_seen, END_HOST-END_FIRST))
+			diag("connection missing --host after --to");
+
+		if (isanyaddr(&msg.left.host_addr)
+		&& isanyaddr(&msg.right.host_addr))
+			diag("hosts cannot both be 0.0.0.0 or 0::0");
 
-	    if (!HAS_IPSEC_POLICY(msg.policy)
-	    && (msg.left.has_client || msg.right.has_client))
-		diag("must not specify clients for ISAKMP-only connection");
+		if (msg.policy & POLICY_OPPO)
+		{
+			if ((msg.policy & (POLICY_PSK | POLICY_PUBKEY)) != POLICY_PUBKEY)
+				diag("only PUBKEY is supported for opportunism");
+			if ((msg.policy & POLICY_PFS) == 0)
+				diag("PFS required for opportunism");
+			if ((msg.policy & POLICY_ENCRYPT) == 0)
+				diag("encryption required for opportunism");
+		}
+
+		check_end(&msg.left, &msg.right, !LHAS(end_seen_before_to, END_NEXTHOP-END_FIRST)
+			, msg.addr_family, msg.tunnel_addr_family);
+
+		check_end(&msg.right, &msg.left, !LHAS(end_seen, END_NEXTHOP-END_FIRST)
+			, msg.addr_family, msg.tunnel_addr_family);
+
+		if (subnettypeof(&msg.left.client) != subnettypeof(&msg.right.client))
+			diag("endpoints clash: one is IPv4 and the other is IPv6");
+
+		if (NEVER_NEGOTIATE(msg.policy))
+		{
+			/* we think this is just a shunt (because he didn't specify
+			 * a host authentication method).  If he didn't specify a
+			 * shunt type, he's probably gotten it wrong.
+			 */
+			if ((msg.policy & POLICY_SHUNT_MASK) == POLICY_SHUNT_TRAP)
+				diag("non-shunt connection must have --psk or --rsasig or both");
+		}
+		else
+		{
+			/* not just a shunt: a real ipsec connection */
+			if ((msg.policy & POLICY_ID_AUTH_MASK) == LEMPTY)
+				diag("must specify --rsasig or --psk for a connection");
+
+			if (!HAS_IPSEC_POLICY(msg.policy)
+			&& (msg.left.has_client || msg.right.has_client))
+				diag("must not specify clients for ISAKMP-only connection");
+		}
+
+		msg.whack_connection = TRUE;
 	}
 
-	msg.whack_connection = TRUE;
-    }
-
-    /* decide whether --name is mandatory or forbidden */
-    if (!LDISJOINT(opts_seen
-    , LELEM(OPT_ROUTE) | LELEM(OPT_UNROUTE)
-    | LELEM(OPT_INITIATE) | LELEM(OPT_TERMINATE)
-    | LELEM(OPT_DELETE) | LELEM(OPT_CD)))
-    {
-	if (!LHAS(opts_seen, OPT_NAME) && !msg.whack_ca)
-	    diag("missing --name <connection_name>");
-    }
-    else if (!msg.whack_options && !msg.whack_status)
-    {
-	if (LHAS(opts_seen, OPT_NAME))
-	    diag("no reason for --name");
-    }
-
-    if (!LDISJOINT(opts_seen, LELEM(OPT_PUBKEYRSA) | LELEM(OPT_ADDKEY)))
-    {
-	if (!LHAS(opts_seen, OPT_KEYID))
-	    diag("--addkey and --pubkeyrsa require --keyid");
-    }
-
-    if (!(msg.whack_connection || msg.whack_key || msg.whack_myid
-    || msg.whack_delete || msg.whack_deletestate
-    || msg.whack_initiate || msg.whack_oppo_initiate || msg.whack_terminate
-    || msg.whack_route || msg.whack_unroute || msg.whack_listen
-    || msg.whack_unlisten || msg.whack_list || msg.whack_purgeocsp || msg.whack_reread
-    || msg.whack_ca || msg.whack_status || msg.whack_options || msg.whack_shutdown
-    || msg.whack_sc_op))
-    {
-	diag("no action specified; try --help for hints");
-    }
-
-    update_ports(&msg);
-
-    /* tricky quick and dirty check for wild values */
-    if (msg.sa_rekey_margin != 0
-    && msg.sa_rekey_fuzz * msg.sa_rekey_margin * 4 / msg.sa_rekey_margin / 4
-     != msg.sa_rekey_fuzz)
-	diag("rekeymargin or rekeyfuzz values are so large that they cause oveflow");
-
-    check_life_time (msg.sa_ike_life_seconds, OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM
-	, "ikelifetime", &msg);
-
-    check_life_time(msg.sa_ipsec_life_seconds, SA_LIFE_DURATION_MAXIMUM
-	, "ipseclifetime", &msg);
-
-    if (msg.dpd_action == DPD_ACTION_UNKNOWN)
-	diag("dpdaction must be \"none\", \"clear\", \"hold\" or \"restart\"");
-
-    if (msg.dpd_action != DPD_ACTION_NONE)
-    {
-	if (msg.dpd_delay <= 0)
-	    diag("dpddelay must be larger than zero");
-	
-	if (msg.dpd_timeout <= 0)
-	    diag("dpdtimeout must be larger than zero");
-	
-	if (msg.dpd_timeout <= msg.dpd_delay)
-	    diag("dpdtimeout must be larger than dpddelay");
-    }
-
-    /* pack strings for inclusion in message */
-    next_str = msg.string;
-    str_roof = &msg.string[sizeof(msg.string)];
-
-    /* build esp message as esp="<esp>;<pfsgroup>" */
-    if (msg.pfsgroup) {
-	    snprintf(esp_buf, sizeof (esp_buf), "%s;%s", 
-		    msg.esp ? msg.esp : "",
-		    msg.pfsgroup ? msg.pfsgroup : "");
-	    msg.esp=esp_buf;
-    }
-    if (!pack_str(&msg.name)		/* string  1 */
-    || !pack_str(&msg.left.id)		/* string  2 */
-    || !pack_str(&msg.left.cert)	/* string  3 */
-    || !pack_str(&msg.left.ca)		/* string  4 */
-    || !pack_str(&msg.left.groups)	/* string  5 */
-    || !pack_str(&msg.left.updown)	/* string  6 */
-    || !pack_str(&msg.left.virt)	/* string  7 */
-    || !pack_str(&msg.right.id)		/* string  8 */
-    || !pack_str(&msg.right.cert)	/* string  9 */
-    || !pack_str(&msg.right.ca)		/* string 10 */
-    || !pack_str(&msg.right.groups)	/* string 11 */
-    || !pack_str(&msg.right.updown)	/* string 12 */
-    || !pack_str(&msg.right.virt)	/* string 13 */
-    || !pack_str(&msg.keyid)		/* string 14 */
-    || !pack_str(&msg.myid)		/* string 15 */
-    || !pack_str(&msg.cacert)		/* string 16 */
-    || !pack_str(&msg.ldaphost)		/* string 17 */
-    || !pack_str(&msg.ldapbase)		/* string 18 */
-    || !pack_str(&msg.crluri)		/* string 19 */
-    || !pack_str(&msg.crluri2)		/* string 20 */
-    || !pack_str(&msg.ocspuri)		/* string 21 */
-    || !pack_str(&msg.ike)		/* string 22 */
-    || !pack_str(&msg.esp)		/* string 23 */
-    || !pack_str(&msg.sc_data)		/* string 24 */
-    || str_roof - next_str < (ptrdiff_t)msg.keyval.len)    /* chunk (sort of string 5) */
-	diag("too many bytes of strings to fit in message to pluto");
-
-    memcpy(next_str, msg.keyval.ptr, msg.keyval.len);
-    msg.keyval.ptr = NULL;
-    next_str += msg.keyval.len;
-
-    msg.magic = ((opts_seen & ~LELEM(OPT_SHUTDOWN))
-		| sc_seen | lst_seen | cd_seen | ca_seen) != LEMPTY
-	    || msg.whack_options
-	? WHACK_MAGIC : WHACK_BASIC_MAGIC;
-
-    /* send message to Pluto */
-    if (access(ctl_addr.sun_path, R_OK | W_OK) < 0)
-    {
-	int e = errno;
-
-	switch (e)
+	/* decide whether --name is mandatory or forbidden */
+	if (!LDISJOINT(opts_seen
+	, LELEM(OPT_ROUTE) | LELEM(OPT_UNROUTE)
+	| LELEM(OPT_INITIATE) | LELEM(OPT_TERMINATE)
+	| LELEM(OPT_DELETE) | LELEM(OPT_CD)))
 	{
-	case EACCES:
-	    fprintf(stderr, "whack: no right to communicate with pluto (access(\"%s\"))\n"
-		, ctl_addr.sun_path);
-	    break;
-	case ENOENT:
-	    fprintf(stderr, "whack: Pluto is not running (no \"%s\")\n"
-		, ctl_addr.sun_path);
-	    break;
-	default:
-	    fprintf(stderr, "whack: access(\"%s\") failed with %d %s\n"
-		, ctl_addr.sun_path, errno, strerror(e));
-	    break;
+		if (!LHAS(opts_seen, OPT_NAME) && !msg.whack_ca)
+			diag("missing --name <connection_name>");
 	}
-	exit(RC_WHACK_PROBLEM);
-    }
-    else
-    {
-	int sock = socket(AF_UNIX, SOCK_STREAM, 0);
-	int exit_status = 0;
-	ssize_t len = next_str - (char *)&msg;
-
-	if (sock == -1)
+	else if (!msg.whack_options && !msg.whack_status)
 	{
-	    int e = errno;
-
-	    fprintf(stderr, "whack: socket() failed (%d %s)\n", e, strerror(e));
-	    exit(RC_WHACK_PROBLEM);
+		if (LHAS(opts_seen, OPT_NAME))
+			diag("no reason for --name");
 	}
 
-	if (connect(sock, (struct sockaddr *)&ctl_addr
-	, offsetof(struct sockaddr_un, sun_path) + strlen(ctl_addr.sun_path)) < 0)
+	if (!LDISJOINT(opts_seen, LELEM(OPT_PUBKEYRSA) | LELEM(OPT_ADDKEY)))
 	{
-	    int e = errno;
-
-	    fprintf(stderr, "whack:%s connect() for \"%s\" failed (%d %s)\n"
-		, e == ECONNREFUSED? " is Pluto running? " : ""
-		, ctl_addr.sun_path, e, strerror(e));
-	    exit(RC_WHACK_PROBLEM);
+		if (!LHAS(opts_seen, OPT_KEYID))
+			diag("--addkey and --pubkeyrsa require --keyid");
 	}
 
-	if (write(sock, &msg, len) != len)
+	if (!(msg.whack_connection || msg.whack_key || msg.whack_myid
+	|| msg.whack_delete || msg.whack_deletestate
+	|| msg.whack_initiate || msg.whack_oppo_initiate || msg.whack_terminate
+	|| msg.whack_route || msg.whack_unroute || msg.whack_listen
+	|| msg.whack_unlisten || msg.whack_list || msg.whack_purgeocsp || msg.whack_reread
+	|| msg.whack_ca || msg.whack_status || msg.whack_options || msg.whack_shutdown
+	|| msg.whack_sc_op))
 	{
-	    int e = errno;
+		diag("no action specified; try --help for hints");
+	}
+
+	update_ports(&msg);
+
+	/* tricky quick and dirty check for wild values */
+	if (msg.sa_rekey_margin != 0
+	&& msg.sa_rekey_fuzz * msg.sa_rekey_margin * 4 / msg.sa_rekey_margin / 4
+	 != msg.sa_rekey_fuzz)
+		diag("rekeymargin or rekeyfuzz values are so large that they cause oveflow");
+
+	check_life_time (msg.sa_ike_life_seconds, OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM
+		, "ikelifetime", &msg);
 
-	    fprintf(stderr, "whack: write() failed (%d %s)\n", e, strerror(e));
-	    exit(RC_WHACK_PROBLEM);
+	check_life_time(msg.sa_ipsec_life_seconds, SA_LIFE_DURATION_MAXIMUM
+		, "ipseclifetime", &msg);
+
+	if (msg.dpd_action == DPD_ACTION_UNKNOWN)
+		diag("dpdaction must be \"none\", \"clear\", \"hold\" or \"restart\"");
+
+	if (msg.dpd_action != DPD_ACTION_NONE)
+	{
+		if (msg.dpd_delay <= 0)
+			diag("dpddelay must be larger than zero");
+		
+		if (msg.dpd_timeout <= 0)
+			diag("dpdtimeout must be larger than zero");
+		
+		if (msg.dpd_timeout <= msg.dpd_delay)
+			diag("dpdtimeout must be larger than dpddelay");
 	}
 
-	/* for now, just copy reply back to stdout */
+	/* pack strings for inclusion in message */
+	next_str = msg.string;
+	str_roof = &msg.string[sizeof(msg.string)];
 
+	/* build esp message as esp="<esp>;<pfsgroup>" */
+	if (msg.pfsgroup) {
+			snprintf(esp_buf, sizeof (esp_buf), "%s;%s", 
+					msg.esp ? msg.esp : "",
+					msg.pfsgroup ? msg.pfsgroup : "");
+			msg.esp=esp_buf;
+	}
+	if (!pack_str(&msg.name)            /* string  1 */
+	|| !pack_str(&msg.left.id)          /* string  2 */
+	|| !pack_str(&msg.left.cert)        /* string  3 */
+	|| !pack_str(&msg.left.ca)          /* string  4 */
+	|| !pack_str(&msg.left.groups)      /* string  5 */
+	|| !pack_str(&msg.left.updown)      /* string  6 */
+	|| !pack_str(&msg.left.virt)        /* string  7 */
+	|| !pack_str(&msg.right.id)         /* string  8 */
+	|| !pack_str(&msg.right.cert)       /* string  9 */
+	|| !pack_str(&msg.right.ca)         /* string 10 */
+	|| !pack_str(&msg.right.groups)     /* string 11 */
+	|| !pack_str(&msg.right.updown)     /* string 12 */
+	|| !pack_str(&msg.right.virt)       /* string 13 */
+	|| !pack_str(&msg.keyid)            /* string 14 */
+	|| !pack_str(&msg.myid)             /* string 15 */
+	|| !pack_str(&msg.cacert)           /* string 16 */
+	|| !pack_str(&msg.ldaphost)         /* string 17 */
+	|| !pack_str(&msg.ldapbase)         /* string 18 */
+	|| !pack_str(&msg.crluri)           /* string 19 */
+	|| !pack_str(&msg.crluri2)          /* string 20 */
+	|| !pack_str(&msg.ocspuri)          /* string 21 */
+	|| !pack_str(&msg.ike)              /* string 22 */
+	|| !pack_str(&msg.esp)              /* string 23 */
+	|| !pack_str(&msg.sc_data)          /* string 24 */
+	|| str_roof - next_str < (ptrdiff_t)msg.keyval.len)    /* chunk (sort of string 5) */
+		diag("too many bytes of strings to fit in message to pluto");
+
+	memcpy(next_str, msg.keyval.ptr, msg.keyval.len);
+	msg.keyval.ptr = NULL;
+	next_str += msg.keyval.len;
+
+	msg.magic = ((opts_seen & ~LELEM(OPT_SHUTDOWN))
+				| sc_seen | lst_seen | cd_seen | ca_seen) != LEMPTY
+			|| msg.whack_options
+		? WHACK_MAGIC : WHACK_BASIC_MAGIC;
+
+	/* send message to Pluto */
+	if (access(ctl_addr.sun_path, R_OK | W_OK) < 0)
 	{
-	    char buf[4097];	/* arbitrary limit on log line length */
-	    char *be = buf;
+		int e = errno;
 
-	    for (;;)
-	    {
-		char *ls = buf;
-		ssize_t rl = read(sock, be, (buf + sizeof(buf)-1) - be);
+		switch (e)
+		{
+		case EACCES:
+			fprintf(stderr, "whack: no right to communicate with pluto (access(\"%s\"))\n"
+				, ctl_addr.sun_path);
+			break;
+		case ENOENT:
+			fprintf(stderr, "whack: Pluto is not running (no \"%s\")\n"
+				, ctl_addr.sun_path);
+			break;
+		default:
+			fprintf(stderr, "whack: access(\"%s\") failed with %d %s\n"
+				, ctl_addr.sun_path, errno, strerror(e));
+			break;
+		}
+		whack_exit(RC_WHACK_PROBLEM);
+	}
+	else
+	{
+		int sock = socket(AF_UNIX, SOCK_STREAM, 0);
+		int exit_status = 0;
+		ssize_t len = next_str - (char *)&msg;
 
-		if (rl < 0)
+		if (sock == -1)
 		{
-		    int e = errno;
+			int e = errno;
 
-		    fprintf(stderr, "whack: read() failed (%d %s)\n", e, strerror(e));
-		    exit(RC_WHACK_PROBLEM);
+			fprintf(stderr, "whack: socket() failed (%d %s)\n", e, strerror(e));
+			whack_exit(RC_WHACK_PROBLEM);
 		}
-		if (rl == 0)
+
+		if (connect(sock, (struct sockaddr *)&ctl_addr
+		, offsetof(struct sockaddr_un, sun_path) + strlen(ctl_addr.sun_path)) < 0)
 		{
-		    if (be != buf)
-			fprintf(stderr, "whack: last line from pluto too long or unterminated\n");
-		    break;
-		}
+			int e = errno;
 
-		be += rl;
-		*be = '\0';
+			fprintf(stderr, "whack:%s connect() for \"%s\" failed (%d %s)\n"
+				, e == ECONNREFUSED? " is Pluto running? " : ""
+				, ctl_addr.sun_path, e, strerror(e));
+			whack_exit(RC_WHACK_PROBLEM);
+		}
 
-		for (;;)
+		if (write(sock, &msg, len) != len)
 		{
-		    char *le = strchr(ls, '\n');
+			int e = errno;
 
-		    if (le == NULL)
-		    {
-			/* move last, partial line to start of buffer */
-			memmove(buf, ls, be-ls);
-			be -= ls - buf;
-			break;
-		    }
+			fprintf(stderr, "whack: write() failed (%d %s)\n", e, strerror(e));
+			whack_exit(RC_WHACK_PROBLEM);
+		}
 
-		    le++;	/* include NL in line */
-		    ignore_result(write(1, ls, le - ls));
+		/* for now, just copy reply back to stdout */
 
-		    /* figure out prefix number
-		     * and how it should affect our exit status
-		     */
-		    {
-			unsigned long s = strtoul(ls, NULL, 10);
+		{
+			char buf[4097];     /* arbitrary limit on log line length */
+			char *be = buf;
 
-			switch (s)
+			for (;;)
 			{
-			case RC_COMMENT:
-			case RC_LOG:
-			    /* ignore */
-			    break;
-			case RC_SUCCESS:
-			    /* be happy */
-			    exit_status = 0;
-			    break;
-			case RC_ENTERSECRET:
-			    get_secret(sock);
-			    break;
-			/* case RC_LOG_SERIOUS: */
-			default:
-			    /* pass through */
-			    exit_status = s;
-			    break;
+				char *ls = buf;
+				ssize_t rl = read(sock, be, (buf + sizeof(buf)-1) - be);
+
+				if (rl < 0)
+				{
+					int e = errno;
+
+					fprintf(stderr, "whack: read() failed (%d %s)\n", e, strerror(e));
+					whack_exit(RC_WHACK_PROBLEM);
+				}
+				if (rl == 0)
+				{
+					if (be != buf)
+						fprintf(stderr, "whack: last line from pluto too long or unterminated\n");
+					break;
+				}
+
+				be += rl;
+				*be = '\0';
+
+				for (;;)
+				{
+					char *le = strchr(ls, '\n');
+
+					if (le == NULL)
+					{
+						/* move last, partial line to start of buffer */
+						memmove(buf, ls, be-ls);
+						be -= ls - buf;
+						break;
+					}
+
+					le++;       /* include NL in line */
+					ignore_result(write(1, ls, le - ls));
+
+					/* figure out prefix number
+					 * and how it should affect our exit status
+					 */
+					{
+						unsigned long s = strtoul(ls, NULL, 10);
+
+						switch (s)
+						{
+						case RC_COMMENT:
+						case RC_LOG:
+							/* ignore */
+							break;
+						case RC_SUCCESS:
+							/* be happy */
+							exit_status = 0;
+							break;
+						case RC_ENTERSECRET:
+							get_secret(sock);
+							break;
+						/* case RC_LOG_SERIOUS: */
+						default:
+							/* pass through */
+							exit_status = s;
+							break;
+						}
+					}
+					ls = le;
+				}
 			}
-		    }
-		    ls = le;
 		}
-	    }
+		whack_exit(exit_status);
 	}
-	return exit_status;
-    }
+	return -1; /* should never be reached */
 }
diff --git a/src/whack/whack.h b/src/whack/whack.h
index 8e0e7c3af..79d115262 100644
--- a/src/whack/whack.h
+++ b/src/whack/whack.h
@@ -10,8 +10,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * RCSID $Id: whack.h 4709 2008-11-27 10:20:25Z martin $
  */
 
 #ifndef _WHACK_H
@@ -23,10 +21,10 @@
 #ifndef SC_OP_T
 #define SC_OP_T
 typedef enum {
-    SC_OP_NONE =    0,
-    SC_OP_ENCRYPT = 1,
-    SC_OP_DECRYPT = 2,
-    SC_OP_SIGN =    3,
+	SC_OP_NONE =    0,
+	SC_OP_ENCRYPT = 1,
+	SC_OP_DECRYPT = 2,
+	SC_OP_SIGN =    3,
 } sc_op_t;
 #endif /* SC_OP_T */
 
@@ -56,187 +54,187 @@ typedef struct whack_end whack_end_t;
  * and because whack is a separate program from pluto.
  */
 struct whack_end {
-    char *id;		/* id string (if any) -- decoded by pluto */
-    char *cert;		/* path string (if any) -- loaded by pluto  */
-    char *ca;		/* distinguished name string (if any) -- parsed by pluto */
-    char *groups;	/* access control groups (if any) -- parsed by pluto */
-    ip_address
-	host_addr,
-	host_nexthop,
-	host_srcip;
-    ip_subnet client;
-
-    bool key_from_DNS_on_demand;
-    bool has_client;
-    bool has_client_wildcard;
-    bool has_port_wildcard;
-    bool has_srcip;
-    bool has_natip;
-    bool modecfg;
-    bool hostaccess;
-    bool allow_any;
-    certpolicy_t sendcert;
-    char *updown;		/* string */
-    u_int16_t host_port;	/* host order */
-    u_int16_t port;		/* host order */
-    u_int8_t protocol;
-    char *virt;
+	char *id;           /* id string (if any) -- decoded by pluto */
+	char *cert;         /* path string (if any) -- loaded by pluto  */
+	char *ca;           /* distinguished name string (if any) -- parsed by pluto */
+	char *groups;       /* access control groups (if any) -- parsed by pluto */
+	ip_address
+		host_addr,
+		host_nexthop,
+		host_srcip;
+	ip_subnet client;
+
+	bool key_from_DNS_on_demand;
+	bool has_client;
+	bool has_client_wildcard;
+	bool has_port_wildcard;
+	bool has_srcip;
+	bool has_natip;
+	bool modecfg;
+	bool hostaccess;
+	bool allow_any;
+	certpolicy_t sendcert;
+	char *updown;               /* string */
+	u_int16_t host_port;        /* host order */
+	u_int16_t port;             /* host order */
+	u_int8_t protocol;
+	char *virt;
  };
 
 typedef struct whack_message whack_message_t;
 
 struct whack_message {
-    unsigned int magic;
+	unsigned int magic;
 
-    /* for WHACK_STATUS: */
-    bool whack_status;
-    bool whack_statusall;
+	/* for WHACK_STATUS: */
+	bool whack_status;
+	bool whack_statusall;
 
 
-    /* for WHACK_SHUTDOWN */
-    bool whack_shutdown;
+	/* for WHACK_SHUTDOWN */
+	bool whack_shutdown;
 
-    /* END OF BASIC COMMANDS
-     * If you change anything earlier in this struct, update WHACK_BASIC_MAGIC.
-     */
+	/* END OF BASIC COMMANDS
+	 * If you change anything earlier in this struct, update WHACK_BASIC_MAGIC.
+	 */
 
-    /* name is used in connection, ca and initiate */
-    size_t name_len;	/* string 1 */
-    char *name;
+	/* name is used in connection, ca and initiate */
+	size_t name_len;    /* string 1 */
+	char *name;
 
-    /* for WHACK_OPTIONS: */
+	/* for WHACK_OPTIONS: */
 
-    bool whack_options;
+	bool whack_options;
 
-    lset_t debugging;	/* only used #ifdef DEBUG, but don't want layout to change */
+	lset_t debugging;   /* only used #ifdef DEBUG, but don't want layout to change */
 
-    /* for WHACK_CONNECTION */
+	/* for WHACK_CONNECTION */
 
-    bool whack_connection;
-    bool whack_async;
-    bool ikev1;
+	bool whack_connection;
+	bool whack_async;
+	bool ikev1;
 
-    lset_t policy;
-    time_t sa_ike_life_seconds;
-    time_t sa_ipsec_life_seconds;
-    time_t sa_rekey_margin;
-    unsigned long sa_rekey_fuzz;
-    unsigned long sa_keying_tries;
-
-    /* For DPD 3706 - Dead Peer Detection */
-    time_t dpd_delay;
-    time_t dpd_timeout;
-    dpd_action_t dpd_action;
-
-    /*  note that each end contains string 2/5.id, string 3/6 cert,
-     *  and string 4/7 updown
-     */
-    whack_end_t left;
-    whack_end_t right;
-
-    /* note: if the client is the gateway, the following must be equal */
-    sa_family_t addr_family;	/* between gateways */
-    sa_family_t tunnel_addr_family;	/* between clients */
-
-    char *ike;		/* ike algo string (separated by commas) */
-    char *pfsgroup;	/* pfsgroup will be "encapsulated" in esp string for pluto */
-    char *esp;		/* esp algo string (separated by commas) */
-
-    /* for WHACK_KEY: */
-    bool whack_key;
-    bool whack_addkey;
-    char *keyid;	/* string 8 */
-    enum pubkey_alg pubkey_alg;
-    chunk_t keyval;	/* chunk */
-
-    /* for WHACK_MYID: */
-    bool whack_myid;
-    char *myid;	/* string 7 */
-
-    /* for WHACK_ROUTE: */
-    bool whack_route;
-
-    /* for WHACK_UNROUTE: */
-    bool whack_unroute;
-
-    /* for WHACK_INITIATE: */
-    bool whack_initiate;
-
-    /* for WHACK_OPINITIATE */
-    bool whack_oppo_initiate;
-    ip_address oppo_my_client, oppo_peer_client;
-
-    /* for WHACK_TERMINATE: */
-    bool whack_terminate;
-
-    /* for WHACK_DELETE: */
-    bool whack_delete;
-
-    /* for WHACK_DELETESTATE: */
-    bool whack_deletestate;
-    so_serial_t whack_deletestateno;
-
-    /* for WHACK_LISTEN: */
-    bool whack_listen, whack_unlisten;
-
-    /* for WHACK_CRASH - note if a remote peer is known to have rebooted */
-    bool whack_crash;
-    ip_address whack_crash_peer;
-
-    /* for WHACK_LIST */
-    bool whack_utc;
-    lset_t whack_list;
-
-    /* for WHACK_PURGEOCSP */
-    bool whack_purgeocsp;
-
-    /* for WHACK_REREAD */
-    u_char whack_reread;
-
-    /* for WHACK_CA */
-    bool whack_ca;
-    bool whack_strict;
-
-    char *cacert;
-    char *ldaphost;
-    char *ldapbase;
-    char *crluri;
-    char *crluri2;
-    char *ocspuri;
-
-    /* for WHACK_SC_OP */
-    sc_op_t whack_sc_op;
-    int inbase, outbase;
-    char *sc_data;
-
-    /* space for strings (hope there is enough room):
-     * Note that pointers don't travel on wire.
-     *  1 connection name [name_len]
-     *  2 left's name [left.host.name.len]
-     *  3 left's cert
-     *  4 left's ca
-     *  5 left's groups
-     *  6 left's updown
-     *  7 right's name [left.host.name.len]
-     *  8 right's cert
-     *  9 right's ca
-     * 10 right's groups
-     * 11 right's updown
-     * 12 keyid
-     * 13 myid
-     * 14 cacert
-     * 15 ldaphost
-     * 16 ldapbase
-     * 17 crluri
-     * 18 crluri2
-     * 19 ocspuri
-     * 20 ike
-     " 21 esp
-     * 22 rsa_data
-     * plus keyval (limit: 8K bits + overhead), a chunk.
-     */
-    size_t str_size;
-    char string[2048];
+	lset_t policy;
+	time_t sa_ike_life_seconds;
+	time_t sa_ipsec_life_seconds;
+	time_t sa_rekey_margin;
+	unsigned long sa_rekey_fuzz;
+	unsigned long sa_keying_tries;
+
+	/* For DPD 3706 - Dead Peer Detection */
+	time_t dpd_delay;
+	time_t dpd_timeout;
+	dpd_action_t dpd_action;
+
+	/*  note that each end contains string 2/5.id, string 3/6 cert,
+	 *  and string 4/7 updown
+	 */
+	whack_end_t left;
+	whack_end_t right;
+
+	/* note: if the client is the gateway, the following must be equal */
+	sa_family_t addr_family;    /* between gateways */
+	sa_family_t tunnel_addr_family;     /* between clients */
+
+	char *ike;          /* ike algo string (separated by commas) */
+	char *pfsgroup;     /* pfsgroup will be "encapsulated" in esp string for pluto */
+	char *esp;          /* esp algo string (separated by commas) */
+
+	/* for WHACK_KEY: */
+	bool whack_key;
+	bool whack_addkey;
+	char *keyid;        /* string 8 */
+	enum pubkey_alg pubkey_alg;
+	chunk_t keyval;     /* chunk */
+
+	/* for WHACK_MYID: */
+	bool whack_myid;
+	char *myid; /* string 7 */
+
+	/* for WHACK_ROUTE: */
+	bool whack_route;
+
+	/* for WHACK_UNROUTE: */
+	bool whack_unroute;
+
+	/* for WHACK_INITIATE: */
+	bool whack_initiate;
+
+	/* for WHACK_OPINITIATE */
+	bool whack_oppo_initiate;
+	ip_address oppo_my_client, oppo_peer_client;
+
+	/* for WHACK_TERMINATE: */
+	bool whack_terminate;
+
+	/* for WHACK_DELETE: */
+	bool whack_delete;
+
+	/* for WHACK_DELETESTATE: */
+	bool whack_deletestate;
+	so_serial_t whack_deletestateno;
+
+	/* for WHACK_LISTEN: */
+	bool whack_listen, whack_unlisten;
+
+	/* for WHACK_CRASH - note if a remote peer is known to have rebooted */
+	bool whack_crash;
+	ip_address whack_crash_peer;
+
+	/* for WHACK_LIST */
+	bool whack_utc;
+	lset_t whack_list;
+
+	/* for WHACK_PURGEOCSP */
+	bool whack_purgeocsp;
+
+	/* for WHACK_REREAD */
+	u_char whack_reread;
+
+	/* for WHACK_CA */
+	bool whack_ca;
+	bool whack_strict;
+
+	char *cacert;
+	char *ldaphost;
+	char *ldapbase;
+	char *crluri;
+	char *crluri2;
+	char *ocspuri;
+
+	/* for WHACK_SC_OP */
+	sc_op_t whack_sc_op;
+	int inbase, outbase;
+	char *sc_data;
+
+	/* space for strings (hope there is enough room):
+	 * Note that pointers don't travel on wire.
+	 *  1 connection name [name_len]
+	 *  2 left's name [left.host.name.len]
+	 *  3 left's cert
+	 *  4 left's ca
+	 *  5 left's groups
+	 *  6 left's updown
+	 *  7 right's name [left.host.name.len]
+	 *  8 right's cert
+	 *  9 right's ca
+	 * 10 right's groups
+	 * 11 right's updown
+	 * 12 keyid
+	 * 13 myid
+	 * 14 cacert
+	 * 15 ldaphost
+	 * 16 ldapbase
+	 * 17 crluri
+	 * 18 crluri2
+	 * 19 ocspuri
+	 * 20 ike
+	 " 21 esp
+	 * 22 rsa_data
+	 * plus keyval (limit: 8K bits + overhead), a chunk.
+	 */
+	size_t str_size;
+	char string[2048];
 };
 
 /* Codes for status messages returned to whack.
@@ -247,82 +245,82 @@ struct whack_message {
  * NOTE: ipsec_auto(8) knows about some of these numbers -- change carefully.
  */
 enum rc_type {
-    RC_COMMENT,		/* non-commital utterance (does not affect exit status) */
-    RC_WHACK_PROBLEM,	/* whack-detected problem */
-    RC_LOG,		/* message aimed at log (does not affect exit status) */
-    RC_LOG_SERIOUS,	/* serious message aimed at log (does not affect exit status) */
-    RC_SUCCESS,		/* success (exit status 0) */
-
-    /* failure, but not definitive */
-
-    RC_RETRANSMISSION = 10,
-
-    /* improper request */
-
-    RC_DUPNAME = 20,	/* attempt to reuse a connection name */
-    RC_UNKNOWN_NAME,	/* connection name unknown or state number */
-    RC_ORIENT,		/* cannot orient connection: neither end is us */
-    RC_CLASH,		/* clash between two Road Warrior connections OVERLOADED */
-    RC_DEAF,		/* need --listen before --initiate */
-    RC_ROUTE,		/* cannot route */
-    RC_RTBUSY,		/* cannot unroute: route busy */
-    RC_BADID,		/* malformed --id */
-    RC_NOKEY,		/* no key found through DNS */
-    RC_NOPEERIP,	/* cannot initiate when peer IP is unknown */
-    RC_INITSHUNT,	/* cannot initiate a shunt-oly connection */
-    RC_WILDCARD,	/* cannot initiate when ID has wildcards */
-    RC_NOVALIDPIN,	/* cannot initiate without valid PIN */
-
-    /* permanent failure */
-
-    RC_BADWHACKMESSAGE = 30,
-    RC_NORETRANSMISSION,
-    RC_INTERNALERR,
-    RC_OPPOFAILURE,	/* Opportunism failed */
-
-    /* entry of secrets */
-    RC_ENTERSECRET = 40,
-    
-    /* progress: start of range for successful state transition.
-     * Actual value is RC_NEW_STATE plus the new state code.
-     */
-    RC_NEW_STATE = 100,
-
-    /* start of range for notification.
-     * Actual value is RC_NOTIFICATION plus code for notification
-     * that should be generated by this Pluto.
-     */
-    RC_NOTIFICATION = 200	/* as per IKE notification messages */
+	RC_COMMENT,         /* non-commital utterance (does not affect exit status) */
+	RC_WHACK_PROBLEM,   /* whack-detected problem */
+	RC_LOG,             /* message aimed at log (does not affect exit status) */
+	RC_LOG_SERIOUS,     /* serious message aimed at log (does not affect exit status) */
+	RC_SUCCESS,         /* success (exit status 0) */
+
+	/* failure, but not definitive */
+
+	RC_RETRANSMISSION = 10,
+
+	/* improper request */
+
+	RC_DUPNAME = 20,    /* attempt to reuse a connection name */
+	RC_UNKNOWN_NAME,    /* connection name unknown or state number */
+	RC_ORIENT,          /* cannot orient connection: neither end is us */
+	RC_CLASH,           /* clash between two Road Warrior connections OVERLOADED */
+	RC_DEAF,            /* need --listen before --initiate */
+	RC_ROUTE,           /* cannot route */
+	RC_RTBUSY,          /* cannot unroute: route busy */
+	RC_BADID,           /* malformed --id */
+	RC_NOKEY,           /* no key found through DNS */
+	RC_NOPEERIP,        /* cannot initiate when peer IP is unknown */
+	RC_INITSHUNT,       /* cannot initiate a shunt-oly connection */
+	RC_WILDCARD,        /* cannot initiate when ID has wildcards */
+	RC_NOVALIDPIN,      /* cannot initiate without valid PIN */
+
+	/* permanent failure */
+
+	RC_BADWHACKMESSAGE = 30,
+	RC_NORETRANSMISSION,
+	RC_INTERNALERR,
+	RC_OPPOFAILURE,     /* Opportunism failed */
+
+	/* entry of secrets */
+	RC_ENTERSECRET = 40,
+	
+	/* progress: start of range for successful state transition.
+	 * Actual value is RC_NEW_STATE plus the new state code.
+	 */
+	RC_NEW_STATE = 100,
+
+	/* start of range for notification.
+	 * Actual value is RC_NOTIFICATION plus code for notification
+	 * that should be generated by this Pluto.
+	 */
+	RC_NOTIFICATION = 200       /* as per IKE notification messages */
 };
 
 /* options of whack --list*** command */
 
-#define LIST_NONE	0x0000	/* don't list anything */
-#define LIST_ALGS	0x0001	/* list all registered IKE algorithms */
-#define LIST_PUBKEYS	0x0002	/* list all public keys */
-#define LIST_CERTS	0x0004	/* list all host/user certs */
-#define LIST_CACERTS	0x0008	/* list all ca certs */
-#define LIST_ACERTS	0x0010	/* list all attribute certs */
-#define LIST_AACERTS	0x0020	/* list all aa certs */
-#define LIST_OCSPCERTS	0x0040	/* list all ocsp certs */
-#define LIST_GROUPS	0x0080	/* list all access control groups */
-#define LIST_CAINFOS	0x0100	/* list all ca information records */
-#define LIST_CRLS	0x0200	/* list all crls */
-#define LIST_OCSP	0x0400	/* list all ocsp cache entries */
-#define LIST_CARDS	0x0800	/* list all smartcard records */
-
-#define LIST_ALL	LRANGES(LIST_ALGS, LIST_CARDS)  /* all list options */
+#define LIST_NONE       0x0000  /* don't list anything */
+#define LIST_ALGS       0x0001  /* list all registered IKE algorithms */
+#define LIST_PUBKEYS    0x0002  /* list all public keys */
+#define LIST_CERTS      0x0004  /* list all host/user certs */
+#define LIST_CACERTS    0x0008  /* list all ca certs */
+#define LIST_ACERTS     0x0010  /* list all attribute certs */
+#define LIST_AACERTS    0x0020  /* list all aa certs */
+#define LIST_OCSPCERTS  0x0040  /* list all ocsp certs */
+#define LIST_GROUPS     0x0080  /* list all access control groups */
+#define LIST_CAINFOS    0x0100  /* list all ca information records */
+#define LIST_CRLS       0x0200  /* list all crls */
+#define LIST_OCSP       0x0400  /* list all ocsp cache entries */
+#define LIST_CARDS      0x0800  /* list all smartcard records */
+
+#define LIST_ALL        LRANGES(LIST_ALGS, LIST_CARDS)  /* all list options */
 
 /* options of whack --reread*** command */
 
-#define REREAD_NONE	  0x00	/* don't reread anything */
-#define REREAD_SECRETS	  0x01	/* reread /etc/ipsec.secrets */
-#define REREAD_CACERTS	  0x02	/* reread certs in /etc/ipsec.d/cacerts */
-#define REREAD_AACERTS	  0x04	/* reread certs in /etc/ipsec.d/aacerts */
-#define REREAD_OCSPCERTS  0x08	/* reread certs in /etc/ipsec.d/ocspcerts */
-#define REREAD_ACERTS     0x10	/* reread certs in /etc/ipsec.d/acerts */
-#define REREAD_CRLS	  0x20	/* reread crls in /etc/ipsec.d/crls */
+#define REREAD_NONE       0x00  /* don't reread anything */
+#define REREAD_SECRETS    0x01  /* reread /etc/ipsec.secrets */
+#define REREAD_CACERTS    0x02  /* reread certs in /etc/ipsec.d/cacerts */
+#define REREAD_AACERTS    0x04  /* reread certs in /etc/ipsec.d/aacerts */
+#define REREAD_OCSPCERTS  0x08  /* reread certs in /etc/ipsec.d/ocspcerts */
+#define REREAD_ACERTS     0x10  /* reread certs in /etc/ipsec.d/acerts */
+#define REREAD_CRLS       0x20  /* reread crls in /etc/ipsec.d/crls */
 
-#define REREAD_ALL	LRANGES(REREAD_SECRETS, REREAD_CRLS)  /* all reread options */
+#define REREAD_ALL      LRANGES(REREAD_SECRETS, REREAD_CRLS)  /* all reread options */
 
 #endif /* _WHACK_H */
diff --git a/testing/INSTALL b/testing/INSTALL
index cdf51ab35..87bb787c8 100644
--- a/testing/INSTALL
+++ b/testing/INSTALL
@@ -53,22 +53,22 @@ are required for the strongSwan testing environment:
     * A vanilla Linux kernel on which the UML kernel will be based on.
       We recommend the use of
 
-      http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.28.8.tar.bz2
+      http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.29.4.tar.bz2
 
-    * The Linux kernel 2.6.28 does not require any patches for the uml guest kernel
+    * The Linux kernel 2.6.29 does not require any patches for the uml guest kernel
       to successfully start up.
 
     * The matching .config file required to compile the UML kernel:
 
-      http://download.strongswan.org/uml/.config-2.6.28
+      http://download.strongswan.org/uml/.config-2.6.29
 
     * A gentoo-based UML file system (compressed size 130 MBytes) found at
 
-      http://download.strongswan.org/uml/gentoo-fs-20080407.tar.bz2
+      http://download.strongswan.org/uml/gentoo-fs-20090325.tar.bz2
 
     * The latest strongSwan distribution
 
-      http://download.strongswan.org/strongswan-4.2.14.tar.bz2
+      http://download.strongswan.org/strongswan-4.3.2.tar.bz2
 
 
 3. Creating the environment
@@ -143,5 +143,3 @@ README document.
 
 -----------------------------------------------------------------------------
 
-This file is RCSID $Id: INSTALL 4990 2009-03-22 14:37:03Z andreas $
-
diff --git a/testing/Makefile.am b/testing/Makefile.am
index 2ce6f2cd0..ad8d5042a 100644
--- a/testing/Makefile.am
+++ b/testing/Makefile.am
@@ -6,6 +6,6 @@ EXTRA_DIST = do-tests.in make-testing start-testing stop-testing \
 do-tests : do-tests.in
 	sed \
 	-e "s:\@IPSEC_ROUTING_TABLE\@:$(IPSEC_ROUTING_TABLE):" \
-	$< > $@
+	$(srcdir)/$@.in > $@
 	chmod +x $@
 
diff --git a/testing/Makefile.in b/testing/Makefile.in
index 83825043f..c242c9d7f 100644
--- a/testing/Makefile.in
+++ b/testing/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -60,6 +60,7 @@ CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -82,6 +83,9 @@ LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -93,6 +97,7 @@ MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
 NM = @NM@
 NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
@@ -106,6 +111,8 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 RANLIB = @RANLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -166,6 +173,7 @@ oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
 plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -177,6 +185,7 @@ srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 xml_CFLAGS = @xml_CFLAGS@
@@ -193,8 +202,8 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
 	    *$$dep*) \
-	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
-		&& exit 0; \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
 	      exit 1;; \
 	  esac; \
 	done; \
@@ -357,7 +366,7 @@ uninstall-am:
 do-tests : do-tests.in
 	sed \
 	-e "s:\@IPSEC_ROUTING_TABLE\@:$(IPSEC_ROUTING_TABLE):" \
-	$< > $@
+	$(srcdir)/$@.in > $@
 	chmod +x $@
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
diff --git a/testing/README b/testing/README
index e594b7865..097b4264d 100644
--- a/testing/README
+++ b/testing/README
@@ -156,5 +156,3 @@ restored with the command
 
 -----------------------------------------------------------------------------
 
-This file is RCSID $Id: README 3273 2007-10-08 20:18:34Z andreas $
-
diff --git a/testing/do-tests.in b/testing/do-tests.in
index 2996b5500..3a66f4548 100755
--- a/testing/do-tests.in
+++ b/testing/do-tests.in
@@ -13,8 +13,6 @@
 # WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 # or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 # for more details.
-#
-# RCSID $Id: do-tests.in 4114 2008-06-26 09:41:22Z andreas $
 
 DIR=`dirname $0`
 
diff --git a/testing/hosts/alice/etc/strongswan.conf b/testing/hosts/alice/etc/strongswan.conf
index e79fe2c92..4e52c6a6b 100644
--- a/testing/hosts/alice/etc/strongswan.conf
+++ b/testing/hosts/alice/etc/strongswan.conf
@@ -1 +1,11 @@
 # /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = sha1 sha2 md5 aes des hmac gmp pubkey random curl
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/hosts/bob/etc/strongswan.conf b/testing/hosts/bob/etc/strongswan.conf
index e79fe2c92..4e52c6a6b 100644
--- a/testing/hosts/bob/etc/strongswan.conf
+++ b/testing/hosts/bob/etc/strongswan.conf
@@ -1 +1,11 @@
 # /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = sha1 sha2 md5 aes des hmac gmp pubkey random curl
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/hosts/carol/etc/strongswan.conf b/testing/hosts/carol/etc/strongswan.conf
index e79fe2c92..4e52c6a6b 100644
--- a/testing/hosts/carol/etc/strongswan.conf
+++ b/testing/hosts/carol/etc/strongswan.conf
@@ -1 +1,11 @@
 # /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = sha1 sha2 md5 aes des hmac gmp pubkey random curl
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/hosts/dave/etc/strongswan.conf b/testing/hosts/dave/etc/strongswan.conf
index e79fe2c92..4e52c6a6b 100644
--- a/testing/hosts/dave/etc/strongswan.conf
+++ b/testing/hosts/dave/etc/strongswan.conf
@@ -1 +1,11 @@
 # /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = sha1 sha2 md5 aes des hmac gmp pubkey random curl
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/hosts/moon/etc/strongswan.conf b/testing/hosts/moon/etc/strongswan.conf
index e79fe2c92..4e52c6a6b 100644
--- a/testing/hosts/moon/etc/strongswan.conf
+++ b/testing/hosts/moon/etc/strongswan.conf
@@ -1 +1,11 @@
 # /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = sha1 sha2 md5 aes des hmac gmp pubkey random curl
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/hosts/sun/etc/strongswan.conf b/testing/hosts/sun/etc/strongswan.conf
index e79fe2c92..4e52c6a6b 100644
--- a/testing/hosts/sun/etc/strongswan.conf
+++ b/testing/hosts/sun/etc/strongswan.conf
@@ -1 +1,11 @@
 # /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = sha1 sha2 md5 aes des hmac gmp pubkey random curl
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/hosts/venus/etc/strongswan.conf b/testing/hosts/venus/etc/strongswan.conf
index e79fe2c92..4e52c6a6b 100644
--- a/testing/hosts/venus/etc/strongswan.conf
+++ b/testing/hosts/venus/etc/strongswan.conf
@@ -1 +1,11 @@
 # /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = sha1 sha2 md5 aes des hmac gmp pubkey random curl
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/hosts/winnetou/etc/openssl/ecdsa/index.txt b/testing/hosts/winnetou/etc/openssl/ecdsa/index.txt
index 1e0540f94..358e0fd3a 100644
--- a/testing/hosts/winnetou/etc/openssl/ecdsa/index.txt
+++ b/testing/hosts/winnetou/etc/openssl/ecdsa/index.txt
@@ -2,3 +2,5 @@ V	130621144307Z		01	unknown	/C=CH/O=Linux strongSwan/OU=ECDSA 521 bit/CN=moon.st
 R	130621161252Z	080622162459Z	02	unknown	/C=CH/O=Linux strongSwan/OU=ECDSA 256 bit/CN=carol@strongswan.org
 V	130621161359Z		03	unknown	/C=CH/O=Linux strongSwan/OU=ECDSA 384 bit/CN=dave@strongswan.org
 V	130621162918Z		04	unknown	/C=CH/O=Linux strongSwan/OU=ECDSA 256 bit/CN=carol@strongswan.org
+V	140611160633Z		05	unknown	/C=CH/O=Linux strongSwan/OU=ECDSA 256 bit/CN=moon.strongswan.org
+V	140611160706Z		06	unknown	/C=CH/O=Linux strongSwan/OU=ECDSA 384 bit/CN=moon.strongswan.org
diff --git a/testing/hosts/winnetou/etc/openssl/ecdsa/index.txt.old b/testing/hosts/winnetou/etc/openssl/ecdsa/index.txt.old
index a41b4599f..bb87bbd13 100644
--- a/testing/hosts/winnetou/etc/openssl/ecdsa/index.txt.old
+++ b/testing/hosts/winnetou/etc/openssl/ecdsa/index.txt.old
@@ -1,3 +1,5 @@
 V	130621144307Z		01	unknown	/C=CH/O=Linux strongSwan/OU=ECDSA 521 bit/CN=moon.strongswan.org
 R	130621161252Z	080622162459Z	02	unknown	/C=CH/O=Linux strongSwan/OU=ECDSA 256 bit/CN=carol@strongswan.org
 V	130621161359Z		03	unknown	/C=CH/O=Linux strongSwan/OU=ECDSA 384 bit/CN=dave@strongswan.org
+V	130621162918Z		04	unknown	/C=CH/O=Linux strongSwan/OU=ECDSA 256 bit/CN=carol@strongswan.org
+V	140611160633Z		05	unknown	/C=CH/O=Linux strongSwan/OU=ECDSA 256 bit/CN=moon.strongswan.org
diff --git a/testing/hosts/winnetou/etc/openssl/ecdsa/newcerts/05.pem b/testing/hosts/winnetou/etc/openssl/ecdsa/newcerts/05.pem
new file mode 100644
index 000000000..d5e61558e
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/ecdsa/newcerts/05.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC7DCCAk+gAwIBAgIBBTAJBgcqhkjOPQQBMEgxCzAJBgNVBAYTAkNIMRkwFwYD
+VQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJv
+b3QgQ0EwHhcNMDkwNjEyMTYwNjMzWhcNMTQwNjExMTYwNjMzWjBeMQswCQYDVQQG
+EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEWMBQGA1UECxMNRUNEU0Eg
+MjU2IGJpdDEcMBoGA1UEAxMTbW9vbi5zdHJvbmdzd2FuLm9yZzBZMBMGByqGSM49
+AgEGCCqGSM49AwEHA0IABIU/UvJ7ro2AYsFWXZKH9K4FD9O5kNfi3/H3+10kAy6s
+eQUab8qaAhTahBHuywzanVTiJPK5caQSvnpt+z1RJDqjggETMIIBDzAJBgNVHRME
+AjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQUq1PybZZ+RZuJICuoDUhXdLy/iacw
+eAYDVR0jBHEwb4AUul35cbYTtWrR3bo2t6rSwe6P2NKhTKRKMEgxCzAJBgNVBAYT
+AkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdT
+d2FuIEVDIFJvb3QgQ0GCCQD2onV+Iu+miTAeBgNVHREEFzAVghNtb29uLnN0cm9u
+Z3N3YW4ub3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuc3Ryb25nc3dh
+bi5vcmcvc3Ryb25nc3dhbl9lYy5jcmwwCQYHKoZIzj0EAQOBiwAwgYcCQWYZnZLl
+iimVcAs5p7SXpHmcnlIX9C4EFzNtY+zoDfPM9Qx/vGY2hKa65tyhepn5RFyNqH6d
+slr5EBqoT5Vt86kJAkIAx/dyiLLqT0+lJiyxjLQuAaLRWHwlgq7jaUhoQusxno62
+dIfe0U1QjgumA+zXoAnbLBF3KnnrKvHByv7ejeH0Ys4=
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/ecdsa/newcerts/06.pem b/testing/hosts/winnetou/etc/openssl/ecdsa/newcerts/06.pem
new file mode 100644
index 000000000..45224b09b
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/ecdsa/newcerts/06.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDCjCCAmygAwIBAgIBBjAJBgcqhkjOPQQBMEgxCzAJBgNVBAYTAkNIMRkwFwYD
+VQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJv
+b3QgQ0EwHhcNMDkwNjEyMTYwNzA2WhcNMTQwNjExMTYwNzA2WjBeMQswCQYDVQQG
+EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEWMBQGA1UECxMNRUNEU0Eg
+Mzg0IGJpdDEcMBoGA1UEAxMTbW9vbi5zdHJvbmdzd2FuLm9yZzB2MBAGByqGSM49
+AgEGBSuBBAAiA2IABK4TajAd1pgzhJJsmyjw1Zb/CdEe0eWKmEyP1OjmwRwS37Tx
+3wV9C9ZzCYBsJlvbH53kyeZYoAojUL5sXDVBq8qu23jSjBCesypSiNt/8akt+4bg
+a4qMN2zutd/U1fC5C6OCARMwggEPMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0G
+A1UdDgQWBBT43sZUBjwcO+QW4PXk7KoOxxkm3jB4BgNVHSMEcTBvgBS6XflxthO1
+atHduja3qtLB7o/Y0qFMpEowSDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4
+IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3YW4gRUMgUm9vdCBDQYIJAPai
+dX4i76aJMB4GA1UdEQQXMBWCE21vb24uc3Ryb25nc3dhbi5vcmcwPAYDVR0fBDUw
+MzAxoC+gLYYraHR0cDovL2NybC5zdHJvbmdzd2FuLm9yZy9zdHJvbmdzd2FuX2Vj
+LmNybDAJBgcqhkjOPQQBA4GMADCBiAJCAUfrzEnQUA0dqpo9I2YaFh3Y+QnFosTg
+b46jcbxm/LbIeWDxwU2HK3Qfo+tGsXJnh73lKo8B0o+OsXt4gP+GQutCAkIBu7Aw
+0iUx8d84SqHiBZBDIk/X6NV62YZXVhO9rPON0r/kdmeZ8OvPD53JgE64irFf6Wp+
+3ictLD61ItW0nxNHlcE=
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/ecdsa/openssl.cnf b/testing/hosts/winnetou/etc/openssl/ecdsa/openssl.cnf
index 6da2682b3..7f1a4d70b 100644
--- a/testing/hosts/winnetou/etc/openssl/ecdsa/openssl.cnf
+++ b/testing/hosts/winnetou/etc/openssl/ecdsa/openssl.cnf
@@ -1,7 +1,5 @@
 # openssl.cnf -  OpenSSL configuration file for the ZHW PKI
 # Mario Strasser <mario.strasser@zhwin.ch>
-#
-# $Id: openssl.cnf,v 1.2 2005/08/15 21:25:22 as Exp $
 #	
 
 # This definitions were set by the ca_init script DO NOT change
diff --git a/testing/hosts/winnetou/etc/openssl/ecdsa/serial b/testing/hosts/winnetou/etc/openssl/ecdsa/serial
index eeee65ec4..2c7456e3e 100644
--- a/testing/hosts/winnetou/etc/openssl/ecdsa/serial
+++ b/testing/hosts/winnetou/etc/openssl/ecdsa/serial
@@ -1 +1 @@
-05
+07
diff --git a/testing/hosts/winnetou/etc/openssl/ecdsa/serial.old b/testing/hosts/winnetou/etc/openssl/ecdsa/serial.old
index 64969239d..cd672a533 100644
--- a/testing/hosts/winnetou/etc/openssl/ecdsa/serial.old
+++ b/testing/hosts/winnetou/etc/openssl/ecdsa/serial.old
@@ -1 +1 @@
-04
+06
diff --git a/testing/hosts/winnetou/etc/openssl/generate-crl b/testing/hosts/winnetou/etc/openssl/generate-crl
index 78e91bdd6..7776876c1 100755
--- a/testing/hosts/winnetou/etc/openssl/generate-crl
+++ b/testing/hosts/winnetou/etc/openssl/generate-crl
@@ -13,8 +13,6 @@
 # WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 # or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 # for more details.
-#
-# RCSID $Id: generate-crl,v 1.2 2005/03/24 11:19:38 as Exp $
 
 export COMMON_NAME=strongSwan
 
diff --git a/testing/hosts/winnetou/etc/openssl/index.txt b/testing/hosts/winnetou/etc/openssl/index.txt
index 64b725536..9e5194ebc 100644
--- a/testing/hosts/winnetou/etc/openssl/index.txt
+++ b/testing/hosts/winnetou/etc/openssl/index.txt
@@ -18,3 +18,4 @@ V	111007121250Z		11	unknown	/C=CH/O=Linux strongSwan/OU=SHA-384/CN=carol@strongs
 V	111007122112Z		12	unknown	/C=CH/O=Linux strongSwan/OU=SHA-512/CN=dave@strongswan.org
 V	120224075857Z		13	unknown	/C=CH/O=Linux strongSwan/OU=OCSP/CN=carol@strongswan.org
 V	120425210745Z		14	unknown	/C=CH/O=Linux strongSwan/CN=winnetou.strongswan.org
+V	140406120117Z		15	unknown	/C=CH/O=Linux strongSwan/OU=Research/serialNumber=002/CN=carol@strongswan.org
diff --git a/testing/hosts/winnetou/etc/openssl/index.txt.old b/testing/hosts/winnetou/etc/openssl/index.txt.old
index 12025d75c..64b725536 100644
--- a/testing/hosts/winnetou/etc/openssl/index.txt.old
+++ b/testing/hosts/winnetou/etc/openssl/index.txt.old
@@ -11,9 +11,10 @@ V	091231214318Z		0A	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=carol@strong
 V	100216084430Z		0B	unknown	/C=CH/O=Linux strongSwan/OU=Authorization Authority/CN=aa@strongswan.org
 R	140321062536Z	050621195214Z	0C	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=Research CA
 V	140321062916Z		0D	unknown	/C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA
-V	100607191714Z		0E	unknown	/C=CH/O=Linux strongSwan/CN=winnetou.strongswan.org
+R	100607191714Z	070427213122Z	0E	unknown	/C=CH/O=Linux strongSwan/CN=winnetou.strongswan.org
 V	100620195806Z		0F	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=Research CA
 V	111007105811Z		10	unknown	/C=CH/O=Linux strongSwan/OU=SHA-256/CN=moon.strongswan.org
 V	111007121250Z		11	unknown	/C=CH/O=Linux strongSwan/OU=SHA-384/CN=carol@strongswan.org
 V	111007122112Z		12	unknown	/C=CH/O=Linux strongSwan/OU=SHA-512/CN=dave@strongswan.org
 V	120224075857Z		13	unknown	/C=CH/O=Linux strongSwan/OU=OCSP/CN=carol@strongswan.org
+V	120425210745Z		14	unknown	/C=CH/O=Linux strongSwan/CN=winnetou.strongswan.org
diff --git a/testing/hosts/winnetou/etc/openssl/monster/openssl.cnf b/testing/hosts/winnetou/etc/openssl/monster/openssl.cnf
index e5a716f28..12cc5d078 100644
--- a/testing/hosts/winnetou/etc/openssl/monster/openssl.cnf
+++ b/testing/hosts/winnetou/etc/openssl/monster/openssl.cnf
@@ -1,7 +1,5 @@
 # openssl.cnf -  OpenSSL configuration file for the ZHW PKI
 # Mario Strasser <mario.strasser@zhwin.ch>
-#
-# $Id: openssl.cnf,v 1.2 2005/08/15 21:25:22 as Exp $
 #	
 
 # This definitions were set by the ca_init script DO NOT change
diff --git a/testing/hosts/winnetou/etc/openssl/newcerts/15.pem b/testing/hosts/winnetou/etc/openssl/newcerts/15.pem
new file mode 100644
index 000000000..4ebebba5a
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/newcerts/15.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEMDCCAxigAwIBAgIBFTANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA5MDQwNzEyMDExN1oXDTE0MDQwNjEyMDExN1owaDELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
+cmNoMQwwCgYDVQQFEwMwMDIxHTAbBgNVBAMUFGNhcm9sQHN0cm9uZ3N3YW4ub3Jn
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtXtFcjNbEEK76mVv1j3c
+6YWBeunBl7V9Qf1bPpzwTTUIKFDkg6HtWaNa7fxhTtHlPFHH8hdgiEZTQt626GoH
+8DKE1MaBOgvnW01vh2p1j8jW3VXSwBWBCM9vNnaxGic94Qiix6z+cAulCo1pzyY1
+XaJSGAvwG3Jap9/gChClAv65zg34mLWZpcXddUGoaOMu3JaRgVaNEiY4wGweMM3n
+hgxJ7+3q9vX+z5EqUQB59WBzVz7fU9FygLgfeAD1McrvMQOjo/PtkpEBOJipnjq9
+0k/+Z3gKIHbi6YIoIXDs7bOSaw8myvD5Bi4vNr5tKPr7bdLBU+AyAzRlJWV4GBw/
+rQIDAQABo4IBBjCCAQIwCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYE
+FABqD2vvGFgP2xX2Qqjx26Mz1RR5MG0GA1UdIwRmMGSAFF2n3XAGUTJ+57Zts7Xl
+4GDqLk3voUmkRzBFMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25n
+U3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBSb290IENBggEAMB8GA1UdEQQYMBaB
+FGNhcm9sQHN0cm9uZ3N3YW4ub3JnMDkGA1UdHwQyMDAwLqAsoCqGKGh0dHA6Ly9j
+cmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbi5jcmwwDQYJKoZIhvcNAQEFBQAD
+ggEBAGuatpu8jxc22Iqglx5UIa8fkNSjfyLgO0RugCB+kPPilGttGWly+raLggQM
+Hu1qdt4l0cj60pe03Dc4GuUwJCW9J4ntVvCp1/SLcifvd3pMTtlrdSMpj105L5ma
+/nVksJ7UZPzcBLMq/8FtEg68H2WM+ixrmlm2cZiFDytMODEuAPCwWHOSP4WJNDzS
+KKc95ONxwTsD1VDm/ShcKw083XgvT7oHoei2RRDYp70CkatWOOJ7eMxdKdICl8nu
+9RlBLG8CJqcy7cJ4V7GOk6EOtGpGL/GR2gpLpvUnmWP9MUHYu8rVTzKQdW9A2Wjx
+fmSZH0LzbAm+7XFrP71rBSJUaUI=
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/openssl.cnf b/testing/hosts/winnetou/etc/openssl/openssl.cnf
index 56a9061f6..4a4027072 100644
--- a/testing/hosts/winnetou/etc/openssl/openssl.cnf
+++ b/testing/hosts/winnetou/etc/openssl/openssl.cnf
@@ -1,7 +1,5 @@
 # openssl.cnf -  OpenSSL configuration file for the ZHW PKI
 # Mario Strasser <mario.strasser@zhwin.ch>
-#
-# $Id: openssl.cnf,v 1.2 2005/08/15 21:25:22 as Exp $
 #	
 
 # This definitions were set by the ca_init script DO NOT change
diff --git a/testing/hosts/winnetou/etc/openssl/research/openssl.cnf b/testing/hosts/winnetou/etc/openssl/research/openssl.cnf
index 2d2765650..693af7c28 100644
--- a/testing/hosts/winnetou/etc/openssl/research/openssl.cnf
+++ b/testing/hosts/winnetou/etc/openssl/research/openssl.cnf
@@ -1,7 +1,5 @@
 # openssl.cnf -  OpenSSL configuration file for the ZHW PKI
 # Mario Strasser <mario.strasser@zhwin.ch>
-#
-# $Id: openssl.cnf,v 1.1 2005/03/24 11:24:07 as Exp $
 #	
 
 # This definitions were set by the ca_init script DO NOT change
diff --git a/testing/hosts/winnetou/etc/openssl/sales/openssl.cnf b/testing/hosts/winnetou/etc/openssl/sales/openssl.cnf
index b9287377d..75816c432 100644
--- a/testing/hosts/winnetou/etc/openssl/sales/openssl.cnf
+++ b/testing/hosts/winnetou/etc/openssl/sales/openssl.cnf
@@ -1,7 +1,5 @@
 # openssl.cnf -  OpenSSL configuration file for the ZHW PKI
 # Mario Strasser <mario.strasser@zhwin.ch>
-#
-# $Id: openssl.cnf,v 1.1 2005/03/24 11:24:07 as Exp $
 #	
 
 # This definitions were set by the ca_init script DO NOT change
diff --git a/testing/hosts/winnetou/etc/openssl/serial b/testing/hosts/winnetou/etc/openssl/serial
index 60d3b2f4a..b6a7d89c6 100644
--- a/testing/hosts/winnetou/etc/openssl/serial
+++ b/testing/hosts/winnetou/etc/openssl/serial
@@ -1 +1 @@
-15
+16
diff --git a/testing/hosts/winnetou/etc/openssl/serial.old b/testing/hosts/winnetou/etc/openssl/serial.old
index 8351c1939..60d3b2f4a 100644
--- a/testing/hosts/winnetou/etc/openssl/serial.old
+++ b/testing/hosts/winnetou/etc/openssl/serial.old
@@ -1 +1 @@
-14
+15
diff --git a/testing/make-testing b/testing/make-testing
index 7d38af69e..7cd3324e0 100755
--- a/testing/make-testing
+++ b/testing/make-testing
@@ -13,8 +13,6 @@
 # WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 # or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 # for more details.
-#
-# RCSID $Id: make-testing 3517 2008-03-01 10:25:52Z andreas $
 
 DIR=`dirname $0`
 
diff --git a/testing/scripts/build-hostconfig b/testing/scripts/build-hostconfig
index 5d1c83060..0ebbc5264 100755
--- a/testing/scripts/build-hostconfig
+++ b/testing/scripts/build-hostconfig
@@ -13,8 +13,6 @@
 # WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 # or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 # for more details.
-#
-# RCSID $Id: build-hostconfig 3273 2007-10-08 20:18:34Z andreas $
 
 DIR=`dirname $0`
 
diff --git a/testing/scripts/build-sshkeys b/testing/scripts/build-sshkeys
index a26f0162c..799078557 100755
--- a/testing/scripts/build-sshkeys
+++ b/testing/scripts/build-sshkeys
@@ -13,8 +13,6 @@
 # WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 # or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 # for more details.
-#
-# RCSID $Id: build-sshkeys 3273 2007-10-08 20:18:34Z andreas $
 
 DIR=`dirname $0`
 
diff --git a/testing/scripts/build-umlhostfs b/testing/scripts/build-umlhostfs
index 7cbfe9c97..75feaa4ed 100755
--- a/testing/scripts/build-umlhostfs
+++ b/testing/scripts/build-umlhostfs
@@ -13,8 +13,6 @@
 # WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 # or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 # for more details.
-#
-# RCSID $Id: build-umlhostfs 3935 2008-05-12 20:06:58Z andreas $
 
 DIR=`dirname $0`
 
diff --git a/testing/scripts/build-umlkernel b/testing/scripts/build-umlkernel
index 61dee8ff5..7a98fc6c1 100755
--- a/testing/scripts/build-umlkernel
+++ b/testing/scripts/build-umlkernel
@@ -13,8 +13,6 @@
 # WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 # or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 # for more details.
-#
-# RCSID $Id: build-umlkernel 3273 2007-10-08 20:18:34Z andreas $
 
 DIR=`dirname $0`
 
diff --git a/testing/scripts/build-umlrootfs b/testing/scripts/build-umlrootfs
index 4eeebe54f..30dfc00ef 100755
--- a/testing/scripts/build-umlrootfs
+++ b/testing/scripts/build-umlrootfs
@@ -13,8 +13,6 @@
 # WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 # or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 # for more details.
-#
-# RCSID $Id: build-umlrootfs 5006 2009-03-25 07:26:53Z andreas $
 
 DIR=`dirname $0`
 
@@ -187,6 +185,11 @@ then
     echo -n " --enable-openssl" >> $INSTALLSHELL
 fi
 
+if [ "$USE_BLOWFISH" = "yes" ]
+then
+    echo -n " --enable-blowfish" >> $INSTALLSHELL
+fi
+
 if [ "$USE_KERNEL_PFKEY" = "yes" ]
 then
     echo -n " --enable-kernel-pfkey" >> $INSTALLSHELL
@@ -207,6 +210,16 @@ then
     echo -n " --enable-load-tests" >> $INSTALLSHELL
 fi
 
+if [ "$USE_TEST_VECTORS" = "yes" ]
+then
+    echo -n " --enable-test-vectors" >> $INSTALLSHELL
+fi
+
+if [ "$USE_GCRYPT" = "yes" ]
+then
+    echo -n " --enable-gcrypt" >> $INSTALLSHELL
+fi
+
 echo "" >> $INSTALLSHELL
 echo "make" >> $INSTALLSHELL
 echo "make install" >> $INSTALLSHELL
diff --git a/testing/scripts/function.sh b/testing/scripts/function.sh
index f147e782e..e7ecbcf83 100755
--- a/testing/scripts/function.sh
+++ b/testing/scripts/function.sh
@@ -13,8 +13,6 @@
 # WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 # or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 # for more details.
-#
-# RCSID $Id: function.sh 3273 2007-10-08 20:18:34Z andreas $
 
 
 ############################################
@@ -83,3 +81,47 @@ function searchandreplace {
     rm -f "$TMPFILE"
 
 }
+
+#############################################
+# add a bridge
+#
+
+function umlbr_add {
+	brctl addbr     "umlbr$1"
+	brctl setfd     "umlbr$1" 0
+	brctl setageing "umlbr$1" 3600
+	brctl stp       "umlbr$1" off
+	ifconfig        "umlbr$1" "$2" netmask "$3" up 
+}
+
+#############################################
+# delete a bridge
+#
+
+function umlbr_del {
+	ifconfig    "umlbr$1" down                     &> /dev/null 2>&1
+	brctl delbr "umlbr$1"                          &> /dev/null 2>&1
+}
+
+#############################################
+# add a tap interface to a bridge
+#
+
+function umlbr_add_tap {
+	tunctl -t "tap$1_$2"                           &> /dev/null 2>&1
+	ifconfig "tap$1_$2" 0.0.0.0 promisc up         &> /dev/null 2>&1
+	brctl addif "umlbr$1" "tap$1_$2"               &> /dev/null 2>&1
+	cecho-n "$2.."
+ }
+
+#############################################
+# delete a tap interface from a bridge
+#
+
+function umlbr_del_tap {
+	ifconfig "umlbr$2" down                        &> /dev/null 2>&1
+	brctl delif "umlbr$1" "tap$1_$2"               &> /dev/null 2>&1
+	tunctl -d "tap$1_$2"                           &> /dev/null 2>&1
+	cecho-n "$2.."
+ }
+
diff --git a/testing/scripts/gstart-umls b/testing/scripts/gstart-umls
index e5e993661..624db8d8b 100755
--- a/testing/scripts/gstart-umls
+++ b/testing/scripts/gstart-umls
@@ -13,8 +13,6 @@
 # WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 # or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 # for more details.
-#
-# RCSID $Id: gstart-umls 4370 2008-10-07 04:56:50Z andreas $
 
 DIR=`dirname $0`
 
diff --git a/testing/scripts/kstart-umls b/testing/scripts/kstart-umls
index b67382a25..486955a69 100755
--- a/testing/scripts/kstart-umls
+++ b/testing/scripts/kstart-umls
@@ -13,8 +13,6 @@
 # WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 # or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 # for more details.
-#
-# RCSID $Id: kstart-umls 4370 2008-10-07 04:56:50Z andreas $
 
 DIR=`dirname $0`
 
diff --git a/testing/scripts/load-testconfig b/testing/scripts/load-testconfig
index 873e4d1ee..8dd3069f6 100755
--- a/testing/scripts/load-testconfig
+++ b/testing/scripts/load-testconfig
@@ -13,8 +13,6 @@
 # WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 # or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 # for more details.
-#
-# RCSID $Id: load-testconfig 3935 2008-05-12 20:06:58Z andreas $
 
 DIR=`dirname $0`
 
diff --git a/testing/scripts/restore-defaults b/testing/scripts/restore-defaults
index 3af0ec665..b26be9936 100755
--- a/testing/scripts/restore-defaults
+++ b/testing/scripts/restore-defaults
@@ -13,8 +13,6 @@
 # WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 # or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 # for more details.
-#
-# RCSID $Id: restore-defaults 3935 2008-05-12 20:06:58Z andreas $
 
 DIR=`dirname $0`
 
diff --git a/testing/scripts/start-bridges b/testing/scripts/start-bridges
new file mode 100755
index 000000000..1e09d6e7d
--- /dev/null
+++ b/testing/scripts/start-bridges
@@ -0,0 +1,64 @@
+#!/bin/bash
+# start the UML bridges in the kernel using the brctl command
+#
+# Copyright (C) 2009  Andreas Steffen
+# HSR Hochschule fuer Technik Rapperswil
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# for more details.
+
+DIR=`dirname $0`
+
+source $DIR/function.sh
+
+# create umlbr1 and its taps 
+#
+if [ `brctl show | grep umlbr1 | wc -l` -eq 1 ]
+then
+	cecho " * Great, umlbr1 is already running!"
+else
+	cecho-n " * Starting umlbr1 with taps.."
+	umlbr_add     1 10.1.0.254 255.255.0.0
+	umlbr_add_tap 1 alice
+	umlbr_add_tap 1 venus
+	umlbr_add_tap 1 moon
+	cgecho "done"
+fi
+
+# create umlbr0 and its taps
+#
+if [ `brctl show | grep umlbr0 | wc -l` -eq 1 ]
+then
+	cecho " * Great, umlbr0 is already running!"
+else
+	cecho-n " * Starting umlbr0 with taps.."
+	umlbr_add     0 192.168.0.254 255.255.255.0
+	umlbr_add_tap 0 alice
+	umlbr_add_tap 0 moon
+	umlbr_add_tap 0 carol
+	umlbr_add_tap 0 winnetou
+	umlbr_add_tap 0 dave
+	umlbr_add_tap 0 sun
+	cgecho "done"
+fi
+
+# create umlbr2 and its taps
+#
+if [ `brctl show | grep umlbr2 | wc -l` -eq 1 ]
+then
+	cecho " * Great, umlbr2 is already running!"
+else
+	cecho-n " * Starting umlbr2 with taps.."
+	umlbr_add     2 10.2.0.254 255.255.0.0
+	umlbr_add_tap 2 sun
+	umlbr_add_tap 2 bob
+	cgecho "done"
+fi
+
diff --git a/testing/scripts/start-switches b/testing/scripts/start-switches
deleted file mode 100755
index eb3fa4742..000000000
--- a/testing/scripts/start-switches
+++ /dev/null
@@ -1,39 +0,0 @@
-#!/bin/bash
-# starts the UML switches
-#
-# Copyright (C) 2004  Eric Marchionni, Patrik Rayo
-# Zuercher Hochschule Winterthur
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: start-switches 3590 2008-03-13 14:20:20Z martin $
-
-DIR=`dirname $0`
-
-source $DIR/function.sh
-
-[ -f $DIR/../testing.conf ] || die "Configuration file 'testing.conf' not found"
-
-source $DIR/../testing.conf
-
-for n in 0 1 2
-do
-    if [ `ps aux | grep uml_switch | grep umlswitch$n | wc -l` -eq 1 ]
-    then
-	cecho " * Great, umlswitch$n is already running!"
-    else
-	cecho-n " * Starting umlswitch$n.."
-	uml_switch -tap tap$n -unix /tmp/umlswitch$n -daemon >/dev/null 2>&1 </dev/null
-	sleep 2
-	eval ifconfig "tap$n \$IFCONFIG_$n up"
-	cgecho "done"
-    fi
-done
diff --git a/testing/scripts/start-umls b/testing/scripts/start-umls
index 823a53f5b..878494370 100755
--- a/testing/scripts/start-umls
+++ b/testing/scripts/start-umls
@@ -13,8 +13,6 @@
 # WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 # or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 # for more details.
-#
-# RCSID $Id: start-umls 4370 2008-10-07 04:56:50Z andreas $
 
 DIR=`dirname $0`
 
diff --git a/testing/scripts/stop-bridges b/testing/scripts/stop-bridges
new file mode 100755
index 000000000..eb92bd0eb
--- /dev/null
+++ b/testing/scripts/stop-bridges
@@ -0,0 +1,49 @@
+#!/bin/bash
+# stop the UML bridges in the kernel using the brctl command
+#
+# Copyright (C) 2009  Andreas Steffen
+# HSR Hochschule fuer Technik Rapperswil
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# for more details.
+
+DIR=`dirname $0`
+
+source $DIR/function.sh
+
+# stop umlbr1 and its taps 
+#
+cecho-n " * Stopping umlbr1 with taps.."
+umlbr_del_tap 1 alice
+umlbr_del_tap 1 venus
+umlbr_del_tap 1 moon
+umlbr_del     1
+cgecho "done"
+
+# stop umlbr0 and its taps
+#
+cecho-n " * Stopping umlbr0 with taps.."
+umlbr_del_tap 0 alice
+umlbr_del_tap 0 moon
+umlbr_del_tap 0 carol
+umlbr_del_tap 0 winnetou
+umlbr_del_tap 0 dave
+umlbr_del_tap 0 sun
+umlbr_del     0
+cgecho "done"
+
+# stop umlbr2 and its taps
+#
+cecho-n " * Stopping umlbr2 with taps.."
+umlbr_del_tap 2 sun
+umlbr_del_tap 2 bob
+umlbr_del     2
+cgecho "done"
+
diff --git a/testing/scripts/xstart-umls b/testing/scripts/xstart-umls
index f03452844..717199606 100755
--- a/testing/scripts/xstart-umls
+++ b/testing/scripts/xstart-umls
@@ -13,8 +13,6 @@
 # WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 # or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 # for more details.
-#
-# RCSID $Id: xstart-umls 4370 2008-10-07 04:56:50Z andreas $
 
 DIR=`dirname $0`
 
diff --git a/testing/start-testing b/testing/start-testing
index 3f8cf718e..278500e6f 100755
--- a/testing/start-testing
+++ b/testing/start-testing
@@ -13,8 +13,6 @@
 # WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 # or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 # for more details.
-#
-# RCSID $Id: start-testing 3517 2008-03-01 10:25:52Z andreas $
 
 DIR=`dirname $0`
 
@@ -33,10 +31,10 @@ else
 fi
 
 #####################################################
-# start the uml switches
+# start the uml bridges
 #
-cecho "Start the uml switches  (scripts/start-switches)"
-$DIR/scripts/start-switches
+cecho "Start the uml bridges  (scripts/start-bridges)"
+$DIR/scripts/start-bridges
 
 
 #####################################################
diff --git a/testing/stop-testing b/testing/stop-testing
index c870a8b0b..023a5b39e 100755
--- a/testing/stop-testing
+++ b/testing/stop-testing
@@ -13,8 +13,6 @@
 # WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 # or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 # for more details.
-#
-# RCSID $Id: stop-testing 3517 2008-03-01 10:25:52Z andreas $
 
 DIR=`dirname $0`
 
@@ -42,10 +40,9 @@ done
 cgecho "done"
 
 #####################################################
-# Shutting down the uml switches
+# Shutting down the uml bridhges
 #
-cecho-n " * Stopping the UML switches.."
-killall uml_switch &> /dev/null
-rm -f /tmp/umlswitch[012] &> /dev/null 2>&1
-cgecho "done"
+cecho "Stop the uml bridges  (scripts/stop-bridges)"
+$DIR/scripts/stop-bridges
+
 
diff --git a/testing/testing.conf b/testing/testing.conf
index 548f5b530..39bff6805 100755
--- a/testing/testing.conf
+++ b/testing/testing.conf
@@ -13,27 +13,25 @@
 # WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 # or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 # for more details.
-#
-# RCSID $Id: testing.conf 5051 2009-03-28 15:08:47Z andreas $
 
 # Root directory of testing
 UMLTESTDIR=~/strongswan-testing
 
 # Bzipped kernel sources
 # (file extension .tar.bz2 required)
-KERNEL=$UMLTESTDIR/linux-2.6.29.tar.bz2
+KERNEL=$UMLTESTDIR/linux-2.6.30.tar.bz2
 
 # Extract kernel version
 KERNELVERSION=`basename $KERNEL .tar.bz2 | sed -e 's/linux-//'`
 
 # Kernel configuration file
-KERNELCONFIG=$UMLTESTDIR/.config-2.6.29
+KERNELCONFIG=$UMLTESTDIR/.config-2.6.30
 
 # Bzipped uml patch for kernel
-#UMLPATCH=$UMLTESTDIR/uml-2.6.26.patch.bz2
+#UMLPATCH=$UMLTESTDIR/aead_init.patch.bz2
 
 # Bzipped source of strongSwan
-STRONGSWAN=$UMLTESTDIR/strongswan-4.2.14.tar.bz2
+STRONGSWAN=$UMLTESTDIR/strongswan-4.3.2.tar.bz2
 
 # strongSwan compile options (use "yes" or "no")
 USE_LIBCURL="yes"
@@ -47,9 +45,13 @@ USE_EAP_RADIUS="yes"
 USE_SQL="yes"
 USE_MEDIATION="yes"
 USE_OPENSSL="yes"
+USE_BLOWFISH="yes"
 USE_KERNEL_PFKEY="yes"
 USE_INTEGRITY_TEST="yes"
 USE_LEAK_DETECTIVE="yes"
+USE_LOAD_TESTS="yes"
+USE_TEST_VECTORS="yes"
+USE_GCRYPT="yes"
 
 # Gentoo linux root filesystem
 ROOTFS=$UMLTESTDIR/gentoo-fs-20090325.tar.bz2
@@ -74,7 +76,7 @@ TESTRESULTSDIR=$UMLTESTDIR/testresults
 # Path to a full strongswan tree on the host system, which is
 # mounted into /root/strongswan-shared. This gives us an easy
 # way to apply and test changes instantly.
-SHAREDTREE=/home/martin/strongswan/trunk
+#SHAREDTREE=/home/martin/strongswan/trunk
 
 # Timezone for the UMLs, look in /usr/share/zoneinfo!
 TZUML="Europe/Zurich"
@@ -89,13 +91,13 @@ ENABLE_BUILD_HOSTCONFIG="yes"
 ENABLE_BUILD_UMLROOTFS="yes"
 ENABLE_BUILD_UMLHOSTFS="yes"
 ENABLE_START_TESTING="yes"
-ENABLE_DO_TESTS="yes"
+ENABLE_DO_TESTS="no"
 ENABLE_STOP_TESTING="no"
 
 ##############################################################
 # How to start the UMLs?
 #
-# Start the UML instance in a KDE konsole (requires KDE)
+# Start the UML instance in KDE konsole (requires KDE)
 # UMLSTARTMODE="konsole"
 # Start the UML instance in a gnome-terminal (requires gnome)
 UMLSTARTMODE="gnome-terminal"
@@ -166,14 +168,14 @@ IFCONFIG_2="10.2.0.254 netmask 255.255.0.0"
 ##############################################################
 # Network interfaces of the UML instances
 #
-SWITCH_alice="eth0=daemon,fe:fd:0a:01:00:0a,unix,/tmp/umlswitch1 \
-              eth1=daemon,fe:fd:c0:a8:00:32,unix,/tmp/umlswitch0"
-SWITCH_venus="eth0=daemon,fe:fd:0a:01:00:14,unix,/tmp/umlswitch1"
-SWITCH_moon="eth0=daemon,fe:fd:c0:a8:00:01,unix,/tmp/umlswitch0 \
-             eth1=daemon,fe:fd:0a:01:00:01,unix,/tmp/umlswitch1"
-SWITCH_carol="eth0=daemon,fe:fd:c0:a8:00:64,unix,/tmp/umlswitch0"
-SWITCH_winnetou="eth0=daemon,fe:fd:c0:a8:00:96,unix,/tmp/umlswitch0"
-SWITCH_dave="eth0=daemon,fe:fd:c0:a8:00:c8,unix,/tmp/umlswitch0"
-SWITCH_sun="eth0=daemon,fe:fd:c0:a8:00:02,unix,/tmp/umlswitch0 \
-            eth1=daemon,fe:fd:0a:02:00:01,unix,/tmp/umlswitch2"
-SWITCH_bob="eth0=daemon,fe:fd:0a:02:00:0a,unix,/tmp/umlswitch2"
+SWITCH_alice="eth0=tuntap,tap1_alice,fe:fd:0a:01:00:0a \
+              eth1=tuntap,tap0_alice,fe:fd:c0:a8:00:32"
+SWITCH_venus="eth0=tuntap,tap1_venus,fe:fd:0a:01:00:14"
+SWITCH_moon="eth0=tuntap,tap0_moon,fe:fd:c0:a8:00:01 \
+             eth1=tuntap,tap1_moon,fe:fd:0a:01:00:01"
+SWITCH_carol="eth0=tuntap,tap0_carol,fe:fd:c0:a8:00:64"
+SWITCH_winnetou="eth0=tuntap,tap0_winnetou,fe:fd:c0:a8:00:96"
+SWITCH_dave="eth0=tuntap,tap0_dave,fe:fd:c0:a8:00:c8"
+SWITCH_sun="eth0=tuntap,tap0_sun,fe:fd:c0:a8:00:02 \
+            eth1=tuntap,tap2_sun,fe:fd:0a:02:00:01"
+SWITCH_bob="eth0=tuntap,tap2_bob,fe:fd:0a:02:00:0a"
diff --git a/testing/tests/gcrypt-ikev1/alg-serpent/description.txt b/testing/tests/gcrypt-ikev1/alg-serpent/description.txt
new file mode 100644
index 000000000..604fb45df
--- /dev/null
+++ b/testing/tests/gcrypt-ikev1/alg-serpent/description.txt
@@ -0,0 +1,4 @@
+Roadwarrior <b>carol</b> proposes  to gateway <b>moon</b> the strong cipher suite
+<b>SERPENT_CBC_256 / HMAC_SHA2_512 / MODP_4096</b> for the IKE protocol and 
+<b>SERPENT_CBC_256 / HMAC_SHA2_256 </b> for ESP packets. A ping from <b>carol</b> to
+<b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/gcrypt-ikev1/alg-serpent/evaltest.dat b/testing/tests/gcrypt-ikev1/alg-serpent/evaltest.dat
new file mode 100644
index 000000000..2be8f675f
--- /dev/null
+++ b/testing/tests/gcrypt-ikev1/alg-serpent/evaltest.dat
@@ -0,0 +1,10 @@
+carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
+moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
+carol::ipsec statusall::IKE proposal: SERPENT_CBC_256/HMAC_SHA2_512/MODP_4096::YES
+moon::ipsec statusall::IKE proposal: SERPENT_CBC_256/HMAC_SHA2_512/MODP_4096::YES
+carol::ipsec statusall::ESP proposal: SERPENT_CBC_256/HMAC_SHA2_256::YES
+moon::ipsec statusall::ESP proposal: SERPENT_CBC_256/HMAC_SHA2_256::YES
+carol::ip xfrm state::enc cbc(serpent)::YES
+moon::ip xfrm state::enc cbc(serpent)::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+
diff --git a/testing/tests/gcrypt-ikev1/alg-serpent/hosts/carol/etc/ipsec.conf b/testing/tests/gcrypt-ikev1/alg-serpent/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..b050f022a
--- /dev/null
+++ b/testing/tests/gcrypt-ikev1/alg-serpent/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutodebug="control crypt"
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	charonstart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	ike=serpent256-sha2_512-modp4096!
+	esp=serpent256-sha2_256!
+
+conn home
+	left=PH_IP_CAROL
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
diff --git a/testing/tests/gcrypt-ikev1/alg-serpent/hosts/carol/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/alg-serpent/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..0c6fd2c9f
--- /dev/null
+++ b/testing/tests/gcrypt-ikev1/alg-serpent/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = gcrypt hmac pubkey curl
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/gcrypt-ikev1/alg-serpent/hosts/moon/etc/ipsec.conf b/testing/tests/gcrypt-ikev1/alg-serpent/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..75830f043
--- /dev/null
+++ b/testing/tests/gcrypt-ikev1/alg-serpent/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutodebug="control crypt"
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	charonstart=no
+       
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	ike=serpent256-sha2_512-modp4096!
+	esp=serpent256-sha2_256!
+
+conn rw
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	right=%any
+	rightid=carol@strongswan.org
+	auto=add
diff --git a/testing/tests/gcrypt-ikev1/alg-serpent/hosts/moon/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/alg-serpent/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..0c6fd2c9f
--- /dev/null
+++ b/testing/tests/gcrypt-ikev1/alg-serpent/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = gcrypt hmac pubkey curl
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/gcrypt-ikev1/alg-serpent/posttest.dat b/testing/tests/gcrypt-ikev1/alg-serpent/posttest.dat
new file mode 100644
index 000000000..c6d6235f9
--- /dev/null
+++ b/testing/tests/gcrypt-ikev1/alg-serpent/posttest.dat
@@ -0,0 +1,2 @@
+moon::ipsec stop
+carol::ipsec stop
diff --git a/testing/tests/gcrypt-ikev1/alg-serpent/pretest.dat b/testing/tests/gcrypt-ikev1/alg-serpent/pretest.dat
new file mode 100644
index 000000000..6d2eeb5f9
--- /dev/null
+++ b/testing/tests/gcrypt-ikev1/alg-serpent/pretest.dat
@@ -0,0 +1,5 @@
+moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+carol::ipsec start
+moon::ipsec start
+carol::sleep 2 
+carol::ipsec up home
diff --git a/testing/tests/gcrypt-ikev1/alg-serpent/test.conf b/testing/tests/gcrypt-ikev1/alg-serpent/test.conf
new file mode 100644
index 000000000..a6c8f026c
--- /dev/null
+++ b/testing/tests/gcrypt-ikev1/alg-serpent/test.conf
@@ -0,0 +1,22 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
diff --git a/testing/tests/gcrypt-ikev1/alg-twofish/description.txt b/testing/tests/gcrypt-ikev1/alg-twofish/description.txt
new file mode 100644
index 000000000..b65ea7b8d
--- /dev/null
+++ b/testing/tests/gcrypt-ikev1/alg-twofish/description.txt
@@ -0,0 +1,4 @@
+Roadwarrior <b>carol</b> proposes  to gateway <b>moon</b> the strong cipher suite
+<b>TWOFISH_CBC_256 / HMAC_SHA2_512 / MODP_4096</b> for the IKE protocol and 
+<b>TWOFISH_CBC_256 / HMAC_SHA2_256</b> for ESP packets. A ping from <b>carol</b> to
+<b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/gcrypt-ikev1/alg-twofish/evaltest.dat b/testing/tests/gcrypt-ikev1/alg-twofish/evaltest.dat
new file mode 100644
index 000000000..34c9d1c65
--- /dev/null
+++ b/testing/tests/gcrypt-ikev1/alg-twofish/evaltest.dat
@@ -0,0 +1,10 @@
+carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
+moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
+carol::ipsec statusall::IKE proposal: TWOFISH_CBC_256/HMAC_SHA2_512/MODP_4096::YES
+moon::ipsec statusall::IKE proposal: TWOFISH_CBC_256/HMAC_SHA2_512/MODP_4096::YES
+carol::ipsec statusall::ESP proposal: TWOFISH_CBC_256/HMAC_SHA2_256::YES
+moon::ipsec statusall::ESP proposal: TWOFISH_CBC_256/HMAC_SHA2_256::YES
+carol::ip xfrm state::enc cbc(twofish)::YES
+moon::ip xfrm state::enc cbc(twofish)::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+
diff --git a/testing/tests/gcrypt-ikev1/alg-twofish/hosts/carol/etc/ipsec.conf b/testing/tests/gcrypt-ikev1/alg-twofish/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..71ed47519
--- /dev/null
+++ b/testing/tests/gcrypt-ikev1/alg-twofish/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutodebug="control crypt"
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	charonstart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	ike=twofish256-sha2_512-modp4096!
+	esp=twofish256-sha2_256!
+
+conn home
+	left=PH_IP_CAROL
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
diff --git a/testing/tests/gcrypt-ikev1/alg-twofish/hosts/carol/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/alg-twofish/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..0c6fd2c9f
--- /dev/null
+++ b/testing/tests/gcrypt-ikev1/alg-twofish/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = gcrypt hmac pubkey curl
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/gcrypt-ikev1/alg-twofish/hosts/moon/etc/ipsec.conf b/testing/tests/gcrypt-ikev1/alg-twofish/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..ba739f887
--- /dev/null
+++ b/testing/tests/gcrypt-ikev1/alg-twofish/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutodebug="control crypt"
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	charonstart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	ike=twofish256-sha2_512-modp4096!
+	esp=twofish256-sha2_256!
+
+conn rw
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	right=%any
+	rightid=carol@strongswan.org
+	auto=add
diff --git a/testing/tests/gcrypt-ikev1/alg-twofish/hosts/moon/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/alg-twofish/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..0c6fd2c9f
--- /dev/null
+++ b/testing/tests/gcrypt-ikev1/alg-twofish/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = gcrypt hmac pubkey curl
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/gcrypt-ikev1/alg-twofish/posttest.dat b/testing/tests/gcrypt-ikev1/alg-twofish/posttest.dat
new file mode 100644
index 000000000..c6d6235f9
--- /dev/null
+++ b/testing/tests/gcrypt-ikev1/alg-twofish/posttest.dat
@@ -0,0 +1,2 @@
+moon::ipsec stop
+carol::ipsec stop
diff --git a/testing/tests/gcrypt-ikev1/alg-twofish/pretest.dat b/testing/tests/gcrypt-ikev1/alg-twofish/pretest.dat
new file mode 100644
index 000000000..7d077c126
--- /dev/null
+++ b/testing/tests/gcrypt-ikev1/alg-twofish/pretest.dat
@@ -0,0 +1,5 @@
+moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+carol::ipsec start
+moon::ipsec start
+carol::sleep 2
+carol::ipsec up home
diff --git a/testing/tests/gcrypt-ikev1/alg-twofish/test.conf b/testing/tests/gcrypt-ikev1/alg-twofish/test.conf
new file mode 100644
index 000000000..a6c8f026c
--- /dev/null
+++ b/testing/tests/gcrypt-ikev1/alg-twofish/test.conf
@@ -0,0 +1,22 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
diff --git a/testing/tests/gcrypt-ikev1/rw-cert/description.txt b/testing/tests/gcrypt-ikev1/rw-cert/description.txt
new file mode 100644
index 000000000..f60f5b1ad
--- /dev/null
+++ b/testing/tests/gcrypt-ikev1/rw-cert/description.txt
@@ -0,0 +1,12 @@
+The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>gcrypt</b>
+plugin based on the <b>GNU Libgcrypt</b> library for all cryptographical functions
+whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b> cryptographical
+plugins <b>aes des sha1 sha2 md5 gmp</b>.
+<p>
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
+to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
+Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
+the client <b>alice</b> behind the gateway <b>moon</b>.
+
diff --git a/testing/tests/gcrypt-ikev1/rw-cert/evaltest.dat b/testing/tests/gcrypt-ikev1/rw-cert/evaltest.dat
new file mode 100644
index 000000000..1a9b9159f
--- /dev/null
+++ b/testing/tests/gcrypt-ikev1/rw-cert/evaltest.dat
@@ -0,0 +1,10 @@
+moon::ipsec statusall::IPsec SA established::YES
+carol::ipsec statusall::IPsec SA established::YES
+dave::ipsec statusall::IPsec SA established::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+
diff --git a/testing/tests/gcrypt-ikev1/rw-cert/hosts/carol/etc/ipsec.conf b/testing/tests/gcrypt-ikev1/rw-cert/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..80dae3719
--- /dev/null
+++ b/testing/tests/gcrypt-ikev1/rw-cert/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	charonstart=no
+	plutodebug=control
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+	ike=3des-sha1-modp1536!
+
+conn home
+	left=PH_IP_CAROL
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/gcrypt-ikev1/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/rw-cert/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..0840260c3
--- /dev/null
+++ b/testing/tests/gcrypt-ikev1/rw-cert/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,14 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = test-vectors gcrypt pubkey hmac curl
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+  crypto_test {
+    on_add = yes
+  }
+}
diff --git a/testing/tests/gcrypt-ikev1/rw-cert/hosts/dave/etc/ipsec.conf b/testing/tests/gcrypt-ikev1/rw-cert/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..73167caad
--- /dev/null
+++ b/testing/tests/gcrypt-ikev1/rw-cert/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	charonstart=no
+	plutodebug=control
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+	ike=aes256-sha256-modp2048!
+
+conn home
+	left=PH_IP_DAVE
+	leftcert=daveCert.pem
+	leftid=dave@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/gcrypt-ikev1/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/rw-cert/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..fdfb0003f
--- /dev/null
+++ b/testing/tests/gcrypt-ikev1/rw-cert/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,15 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = test-vectors aes des sha1 sha2 md5 gmp pubkey random hmac curl
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+  crypto_test {
+    required = yes
+    on_add = yes
+  } 
+}
diff --git a/testing/tests/gcrypt-ikev1/rw-cert/hosts/moon/etc/ipsec.conf b/testing/tests/gcrypt-ikev1/rw-cert/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..f365b07da
--- /dev/null
+++ b/testing/tests/gcrypt-ikev1/rw-cert/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	charonstart=no
+	plutodebug=control
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+	ike=aes256-sha256-modp2048,3des-sha1-modp1536!
+
+conn rw
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	leftfirewall=yes
+	right=%any
+	auto=add
diff --git a/testing/tests/gcrypt-ikev1/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/rw-cert/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..0840260c3
--- /dev/null
+++ b/testing/tests/gcrypt-ikev1/rw-cert/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,14 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = test-vectors gcrypt pubkey hmac curl
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+  crypto_test {
+    on_add = yes
+  }
+}
diff --git a/testing/tests/gcrypt-ikev1/rw-cert/posttest.dat b/testing/tests/gcrypt-ikev1/rw-cert/posttest.dat
new file mode 100644
index 000000000..7cebd7f25
--- /dev/null
+++ b/testing/tests/gcrypt-ikev1/rw-cert/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/gcrypt-ikev1/rw-cert/pretest.dat b/testing/tests/gcrypt-ikev1/rw-cert/pretest.dat
new file mode 100644
index 000000000..42e9d7c24
--- /dev/null
+++ b/testing/tests/gcrypt-ikev1/rw-cert/pretest.dat
@@ -0,0 +1,9 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/gcrypt-ikev1/rw-cert/test.conf b/testing/tests/gcrypt-ikev1/rw-cert/test.conf
new file mode 100644
index 000000000..70416826e
--- /dev/null
+++ b/testing/tests/gcrypt-ikev1/rw-cert/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/description.txt b/testing/tests/gcrypt-ikev2/alg-camellia/description.txt
new file mode 100644
index 000000000..b3515c333
--- /dev/null
+++ b/testing/tests/gcrypt-ikev2/alg-camellia/description.txt
@@ -0,0 +1,4 @@
+Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the IKE cipher suite <b>CAMELLIA_CBC_256 /
+HMAC_SHA2_512_256 / MODP_2048</b> by defining <b>ike=camellia256-sha256-modp2048</b> as well as
+the ESP cipher suite <b>CAMELLIA_CBC_192 / HMAC_SHA1_96</b> by defining <b>esp=camellia192-sha1</b>
+in ipsec.conf. A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/evaltest.dat b/testing/tests/gcrypt-ikev2/alg-camellia/evaltest.dat
new file mode 100644
index 000000000..aad3becc7
--- /dev/null
+++ b/testing/tests/gcrypt-ikev2/alg-camellia/evaltest.dat
@@ -0,0 +1,9 @@
+moon::ipsec statusall::rw.*INSTALLED::YES
+carol::ipsec statusall::home.*INSTALLED::YES
+moon::ipsec statusall::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES
+carol::ipsec statusall::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES
+moon::ipsec statusall::CAMELLIA_CBC_192/HMAC_SHA1_96::YES
+carol::ipsec statusall::CAMELLIA_CBC_192/HMAC_SHA1_96::YES
+moon::ip xfrm state::enc cbc(camellia)::YES
+carol::ip xfrm state::enc cbc(camellia)::YES
+carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..37f8a7ecf
--- /dev/null
+++ b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=yes
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=camellia256-sha512-modp2048!
+	esp=camellia192-sha1!
+
+conn home
+	left=PH_IP_CAROL
+	leftfirewall=yes
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add 
diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..70c473005
--- /dev/null
+++ b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl gcrypt x509 pubkey hmac xcbc stroke kernel-netlink updown
+}
diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..f8d7e3fe9
--- /dev/null
+++ b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=yes
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=camellia256-sha512-modp2048!
+	esp=camellia192-sha1!
+
+conn rw
+	left=PH_IP_MOON
+	leftfirewall=yes
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	right=%any
+	auto=add
diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..70c473005
--- /dev/null
+++ b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl gcrypt x509 pubkey hmac xcbc stroke kernel-netlink updown
+}
diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/posttest.dat b/testing/tests/gcrypt-ikev2/alg-camellia/posttest.dat
new file mode 100644
index 000000000..94a400606
--- /dev/null
+++ b/testing/tests/gcrypt-ikev2/alg-camellia/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/pretest.dat b/testing/tests/gcrypt-ikev2/alg-camellia/pretest.dat
new file mode 100644
index 000000000..3c3df0196
--- /dev/null
+++ b/testing/tests/gcrypt-ikev2/alg-camellia/pretest.dat
@@ -0,0 +1,7 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+carol::sleep 1 
+carol::ipsec up home
+carol::sleep 1
diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/test.conf b/testing/tests/gcrypt-ikev2/alg-camellia/test.conf
new file mode 100644
index 000000000..2b240d895
--- /dev/null
+++ b/testing/tests/gcrypt-ikev2/alg-camellia/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/gcrypt-ikev2/rw-cert/description.txt b/testing/tests/gcrypt-ikev2/rw-cert/description.txt
new file mode 100644
index 000000000..f60f5b1ad
--- /dev/null
+++ b/testing/tests/gcrypt-ikev2/rw-cert/description.txt
@@ -0,0 +1,12 @@
+The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>gcrypt</b>
+plugin based on the <b>GNU Libgcrypt</b> library for all cryptographical functions
+whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b> cryptographical
+plugins <b>aes des sha1 sha2 md5 gmp</b>.
+<p>
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
+to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
+Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
+the client <b>alice</b> behind the gateway <b>moon</b>.
+
diff --git a/testing/tests/gcrypt-ikev2/rw-cert/evaltest.dat b/testing/tests/gcrypt-ikev2/rw-cert/evaltest.dat
new file mode 100644
index 000000000..06a0f8cda
--- /dev/null
+++ b/testing/tests/gcrypt-ikev2/rw-cert/evaltest.dat
@@ -0,0 +1,10 @@
+moon::ipsec statusall::rw.*ESTABLISHED::YES
+carol::ipsec statusall::home.*ESTABLISHED::YES
+dave::ipsec statusall::home.*ESTABLISHED::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+
diff --git a/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/ipsec.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..4a8baa3ae
--- /dev/null
+++ b/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=3des-sha1-modp1536!
+
+conn home
+	left=PH_IP_CAROL
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..edb7e40d1
--- /dev/null
+++ b/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl test-vectors gcrypt x509 pubkey hmac stroke kernel-netlink updown
+}
+
+libstrongswan {
+  crypto_test {
+    on_add = yes
+  }
+}
diff --git a/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/ipsec.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..42f03aab3
--- /dev/null
+++ b/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=aes256-sha256-modp2048!
+
+conn home
+	left=PH_IP_DAVE
+	leftcert=daveCert.pem
+	leftid=dave@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..f4b6dfdb9
--- /dev/null
+++ b/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,12 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl test-vectors aes des sha1 sha2 md5 gmp random x509 pubkey hmac stroke kernel-netlink updown
+}
+
+libstrongswan {
+  crypto_test {
+    required = yes
+    on_add = yes
+  }
+}
diff --git a/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/ipsec.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..2e84f2e6a
--- /dev/null
+++ b/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=aes256-sha256-modp2048,3des-sha1-modp1536!
+
+conn rw
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	leftfirewall=yes
+	right=%any
+	auto=add
diff --git a/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..edb7e40d1
--- /dev/null
+++ b/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl test-vectors gcrypt x509 pubkey hmac stroke kernel-netlink updown
+}
+
+libstrongswan {
+  crypto_test {
+    on_add = yes
+  }
+}
diff --git a/testing/tests/gcrypt-ikev2/rw-cert/posttest.dat b/testing/tests/gcrypt-ikev2/rw-cert/posttest.dat
new file mode 100644
index 000000000..7cebd7f25
--- /dev/null
+++ b/testing/tests/gcrypt-ikev2/rw-cert/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/gcrypt-ikev2/rw-cert/pretest.dat b/testing/tests/gcrypt-ikev2/rw-cert/pretest.dat
new file mode 100644
index 000000000..42e9d7c24
--- /dev/null
+++ b/testing/tests/gcrypt-ikev2/rw-cert/pretest.dat
@@ -0,0 +1,9 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/gcrypt-ikev2/rw-cert/test.conf b/testing/tests/gcrypt-ikev2/rw-cert/test.conf
new file mode 100644
index 000000000..70416826e
--- /dev/null
+++ b/testing/tests/gcrypt-ikev2/rw-cert/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ike/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ike/rw-cert/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..304ef99e0
--- /dev/null
+++ b/testing/tests/ike/rw-cert/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,14 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = test-vectors sha1 sha2 md5 aes des hmac gmp pubkey random curl
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+  crypto_test {
+    on_add = yes
+  }
+}
diff --git a/testing/tests/ike/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/ike/rw-cert/hosts/dave/etc/strongswan.conf
index ef63f7262..f1dcd52e9 100644
--- a/testing/tests/ike/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ike/rw-cert/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,11 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl test-vectors aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+}
+
+libstrongswan {
+  crypto_test {
+    on_add = yes
+  }
 }
diff --git a/testing/tests/ike/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ike/rw-cert/hosts/moon/etc/strongswan.conf
index ef63f7262..7133aef00 100644
--- a/testing/tests/ike/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ike/rw-cert/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,15 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl test-vectors aes des sha1 sha2 md5 gmp random pubkey hmac x509 xcbc stroke kernel-netlink
+}
+
+pluto {
+  load = curl test-vectors aes des sha1 sha2 md5 gmp random pubkey hmac
+}
+
+libstrongswan {
+  crypto_test {
+    on_add = yes
+  }
 }
diff --git a/testing/tests/ike/rw_v1-net_v2/hosts/moon/etc/strongswan.conf b/testing/tests/ike/rw_v1-net_v2/hosts/moon/etc/strongswan.conf
index ef63f7262..8dcb265b7 100644
--- a/testing/tests/ike/rw_v1-net_v2/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ike/rw_v1-net_v2/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 gmp random pubkey hmac x509 xcbc stroke kernel-netlink
+}
+
+pluto {
+  load = curl aes des sha1 sha2 md5 gmp random pubkey hmac
 }
diff --git a/testing/tests/ikev1/after-2038-certs/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/after-2038-certs/hosts/carol/etc/ipsec.conf
index 392a4b51e..d55638907 100755
--- a/testing/tests/ikev1/after-2038-certs/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/after-2038-certs/hosts/carol/etc/ipsec.conf
@@ -1,7 +1,8 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
+	plutodebug=control
+	crlcheckinterval=180
 	strictcrlpolicy=no
 	charonstart=no
 
diff --git a/testing/tests/ikev1/after-2038-certs/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/after-2038-certs/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 40eb84b8a..000000000
--- a/testing/tests/ikev1/after-2038-certs/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
-}
diff --git a/testing/tests/ikev1/after-2038-certs/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/after-2038-certs/hosts/moon/etc/ipsec.conf
index e56090f48..94517ecbe 100755
--- a/testing/tests/ikev1/after-2038-certs/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/after-2038-certs/hosts/moon/etc/ipsec.conf
@@ -1,7 +1,8 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
+	plutodebug=control
+	crlcheckinterval=180
 	strictcrlpolicy=no
 	charonstart=no
 
diff --git a/testing/tests/ikev1/after-2038-certs/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/after-2038-certs/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 40eb84b8a..000000000
--- a/testing/tests/ikev1/after-2038-certs/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
-}
diff --git a/testing/tests/ikev1/alg-blowfish/description.txt b/testing/tests/ikev1/alg-blowfish/description.txt
index cff0a1915..7d8f245ab 100644
--- a/testing/tests/ikev1/alg-blowfish/description.txt
+++ b/testing/tests/ikev1/alg-blowfish/description.txt
@@ -1,4 +1,4 @@
 Roadwarrior <b>carol</b> proposes  to gateway <b>moon</b> the strong cipher suite
-<b>BLOWFISH_CBC_256-SHA2_512-MODP4096</b> for the IKE protocol and 
-<b>BLOWFISH_256-HMAC_SHA2_256</b> for ESP packets. A ping from <b>carol</b> to
+<b>BLOWFISH_CBC_256 / HMAC_SHA2_512 / MODP_4096</b> for the IKE protocol and 
+<b>BLOWFISH_CBC_256 / HMAC_SHA2_256</b> for ESP packets. A ping from <b>carol</b> to
 <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev1/alg-blowfish/evaltest.dat b/testing/tests/ikev1/alg-blowfish/evaltest.dat
index a2ae3ff6b..fd46cdb9d 100644
--- a/testing/tests/ikev1/alg-blowfish/evaltest.dat
+++ b/testing/tests/ikev1/alg-blowfish/evaltest.dat
@@ -1,9 +1,9 @@
 carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
 moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ipsec statusall::IKE algorithm newest: BLOWFISH_CBC_256-SHA2_512-MODP4096::YES
-moon::ipsec statusall::IKE algorithm newest: BLOWFISH_CBC_256-SHA2_512-MODP4096::YES
-carol::ipsec statusall::ESP algorithm newest: BLOWFISH_256-HMAC_SHA2_256::YES
-moon::ipsec statusall::ESP algorithm newest: BLOWFISH_256-HMAC_SHA2_256::YES
+carol::ipsec statusall::IKE proposal: BLOWFISH_CBC_256/HMAC_SHA2_512/MODP_4096::YES
+moon::ipsec statusall::IKE proposal: BLOWFISH_CBC_256/HMAC_SHA2_512/MODP_4096::YES
+carol::ipsec statusall::ESP proposal: BLOWFISH_CBC_256/HMAC_SHA2_256::YES
+moon::ipsec statusall::ESP proposal: BLOWFISH_CBC_256/HMAC_SHA2_256::YES
 carol::ip xfrm state::enc cbc(blowfish)::YES
 moon::ip xfrm state::enc cbc(blowfish)::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
diff --git a/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..f5401f260
--- /dev/null
+++ b/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = sha1 sha2 md5 aes des blowfish hmac gmp pubkey random curl
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..f5401f260
--- /dev/null
+++ b/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = sha1 sha2 md5 aes des blowfish hmac gmp pubkey random curl
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/alg-serpent/description.txt b/testing/tests/ikev1/alg-serpent/description.txt
deleted file mode 100644
index f49c0a1c0..000000000
--- a/testing/tests/ikev1/alg-serpent/description.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Roadwarrior <b>carol</b> proposes  to gateway <b>moon</b> the strong cipher suite
-<b>SERPENT_CBC_256-SHA2_512-MODP4096</b> for the IKE protocol and 
-<b>SERPENT_256-HMAC_SHA2_256</b> for ESP packets. A ping from <b>carol</b> to
-<b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev1/alg-serpent/evaltest.dat b/testing/tests/ikev1/alg-serpent/evaltest.dat
deleted file mode 100644
index ffca0e7a0..000000000
--- a/testing/tests/ikev1/alg-serpent/evaltest.dat
+++ /dev/null
@@ -1,10 +0,0 @@
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ipsec statusall::IKE algorithm newest: SERPENT_CBC_256-SHA2_512-MODP4096::YES
-moon::ipsec statusall::IKE algorithm newest: SERPENT_CBC_256-SHA2_512-MODP4096::YES
-carol::ipsec statusall::ESP algorithm newest: SERPENT_256-HMAC_SHA2_256::YES
-moon::ipsec statusall::ESP algorithm newest: SERPENT_256-HMAC_SHA2_256::YES
-carol::ip xfrm state::enc cbc(serpent)::YES
-moon::ip xfrm state::enc cbc(serpent)::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-
diff --git a/testing/tests/ikev1/alg-serpent/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/alg-serpent/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index b050f022a..000000000
--- a/testing/tests/ikev1/alg-serpent/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug="control crypt"
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	ike=serpent256-sha2_512-modp4096!
-	esp=serpent256-sha2_256!
-
-conn home
-	left=PH_IP_CAROL
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	rightid=@moon.strongswan.org
-	auto=add
diff --git a/testing/tests/ikev1/alg-serpent/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/alg-serpent/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index 75830f043..000000000
--- a/testing/tests/ikev1/alg-serpent/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug="control crypt"
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-       
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	ike=serpent256-sha2_512-modp4096!
-	esp=serpent256-sha2_256!
-
-conn rw
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftsubnet=10.1.0.0/16
-	right=%any
-	rightid=carol@strongswan.org
-	auto=add
diff --git a/testing/tests/ikev1/alg-serpent/posttest.dat b/testing/tests/ikev1/alg-serpent/posttest.dat
deleted file mode 100644
index c6d6235f9..000000000
--- a/testing/tests/ikev1/alg-serpent/posttest.dat
+++ /dev/null
@@ -1,2 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
diff --git a/testing/tests/ikev1/alg-serpent/pretest.dat b/testing/tests/ikev1/alg-serpent/pretest.dat
deleted file mode 100644
index 6d2eeb5f9..000000000
--- a/testing/tests/ikev1/alg-serpent/pretest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-carol::ipsec start
-moon::ipsec start
-carol::sleep 2 
-carol::ipsec up home
diff --git a/testing/tests/ikev1/alg-serpent/test.conf b/testing/tests/ikev1/alg-serpent/test.conf
deleted file mode 100644
index a6c8f026c..000000000
--- a/testing/tests/ikev1/alg-serpent/test.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
-
diff --git a/testing/tests/ikev1/alg-sha-equals-sha1/description.txt b/testing/tests/ikev1/alg-sha-equals-sha1/description.txt
deleted file mode 100644
index aeb2e1a88..000000000
--- a/testing/tests/ikev1/alg-sha-equals-sha1/description.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the syntactically
-incorrect cipher suites <b>ike=aes128-sha1-modp1536</b> for the
-IKE protocol and <b>esp=aes128-sha</b> for ESP packets. Since <b>sha</b> and
-<b>sha1</b> are treated as synonyms the proposal is neverless correctly parsed.
-A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev1/alg-sha-equals-sha1/evaltest.dat b/testing/tests/ikev1/alg-sha-equals-sha1/evaltest.dat
deleted file mode 100644
index c3656c690..000000000
--- a/testing/tests/ikev1/alg-sha-equals-sha1/evaltest.dat
+++ /dev/null
@@ -1,9 +0,0 @@
-
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-moon::ipsec statusall::IKE algorithm newest: AES_CBC_128-SHA-MODP1536::YES
-carol::ipsec statusall::IKE algorithm newest: AES_CBC_128-SHA-MODP1536::YES
-moon::ipsec statusall::ESP algorithm newest: AES_128-HMAC_SHA1::YES
-carol::ipsec statusall::ESP algorithm newest: AES_128-HMAC_SHA1::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-
diff --git a/testing/tests/ikev1/alg-sha-equals-sha1/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/alg-sha-equals-sha1/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index 40d31c0ac..000000000
--- a/testing/tests/ikev1/alg-sha-equals-sha1/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug="control crypt"
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	ike=aes128-sha1-modp1536!
-	esp=aes128-sha!
-
-conn home
-	left=PH_IP_CAROL
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	rightid=@moon.strongswan.org
-	auto=add
-
diff --git a/testing/tests/ikev1/alg-sha-equals-sha1/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/alg-sha-equals-sha1/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index 1461f7933..000000000
--- a/testing/tests/ikev1/alg-sha-equals-sha1/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug="control crypt"
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	ike=aes128-sha1-modp1536!
-	esp=aes128-sha!
-
-conn rw
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftsubnet=10.1.0.0/16
-	right=%any
-	rightid=carol@strongswan.org
-	auto=add
-
diff --git a/testing/tests/ikev1/alg-sha-equals-sha1/posttest.dat b/testing/tests/ikev1/alg-sha-equals-sha1/posttest.dat
deleted file mode 100644
index c6d6235f9..000000000
--- a/testing/tests/ikev1/alg-sha-equals-sha1/posttest.dat
+++ /dev/null
@@ -1,2 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
diff --git a/testing/tests/ikev1/alg-sha-equals-sha1/pretest.dat b/testing/tests/ikev1/alg-sha-equals-sha1/pretest.dat
deleted file mode 100644
index 7d077c126..000000000
--- a/testing/tests/ikev1/alg-sha-equals-sha1/pretest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-carol::ipsec start
-moon::ipsec start
-carol::sleep 2
-carol::ipsec up home
diff --git a/testing/tests/ikev1/alg-sha-equals-sha1/test.conf b/testing/tests/ikev1/alg-sha-equals-sha1/test.conf
deleted file mode 100644
index a6c8f026c..000000000
--- a/testing/tests/ikev1/alg-sha-equals-sha1/test.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
-
diff --git a/testing/tests/ikev1/alg-sha2_256/description.txt b/testing/tests/ikev1/alg-sha2_256/description.txt
index 900fcf017..e0af2e2f7 100644
--- a/testing/tests/ikev1/alg-sha2_256/description.txt
+++ b/testing/tests/ikev1/alg-sha2_256/description.txt
@@ -1,4 +1,4 @@
 Roadwarrior <b>carol</b> proposes  to gateway <b>moon</b> the rather strong cipher suite
-<b>AES_CBC_128-SHA2_256-MODP1536</b> for the IKE protocol and 
-<b>AES_128-HMAC_SHA2_256</b> for ESP packets. A ping from <b>carol</b> to
+<b>AES_CBC_128 / HMAC_SHA2_256 / MODP_1536</b> for the IKE protocol and 
+<b>AES_CBC_128 / HMAC_SHA2_256</b> for ESP packets. A ping from <b>carol</b> to
 <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev1/alg-sha2_256/evaltest.dat b/testing/tests/ikev1/alg-sha2_256/evaltest.dat
index 42d0099eb..b8a83e0fb 100644
--- a/testing/tests/ikev1/alg-sha2_256/evaltest.dat
+++ b/testing/tests/ikev1/alg-sha2_256/evaltest.dat
@@ -1,10 +1,10 @@
 
 carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
 moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ipsec statusall::IKE algorithm newest: AES_CBC_128-SHA2_256-MODP1536::YES
-moon::ipsec statusall::IKE algorithm newest: AES_CBC_128-SHA2_256-MODP1536::YES
-carol::ipsec statusall::ESP algorithm newest: AES_128-HMAC_SHA2_256::YES
-moon::ipsec statusall::ESP algorithm newest: AES_128-HMAC_SHA2_256::YES
+carol::ipsec statusall::IKE proposal: AES_CBC_128/HMAC_SHA2_256/MODP_1536::YES
+moon::ipsec statusall::IKE proposal: AES_CBC_128/HMAC_SHA2_256/MODP_1536::YES
+carol::ipsec statusall::ESP proposal: AES_CBC_128/HMAC_SHA2_256::YES
+moon::ipsec statusall::ESP proposal: AES_CBC_128/HMAC_SHA2_256::YES
 carol::ip xfrm state::auth hmac(sha256)::YES
 moon::ip xfrm state::auth hmac(sha256)::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
diff --git a/testing/tests/ikev1/alg-twofish/description.txt b/testing/tests/ikev1/alg-twofish/description.txt
deleted file mode 100644
index 0015561ee..000000000
--- a/testing/tests/ikev1/alg-twofish/description.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Roadwarrior <b>carol</b> proposes  to gateway <b>moon</b> the strong cipher suite
-<b>TWOFISH_CBC_256-SHA2_512-MODP4096</b> for the IKE protocol and 
-<b>TWOFISH_256-HMAC_SHA2_256</b> for ESP packets. A ping from <b>carol</b> to
-<b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev1/alg-twofish/evaltest.dat b/testing/tests/ikev1/alg-twofish/evaltest.dat
deleted file mode 100644
index 69e9267c3..000000000
--- a/testing/tests/ikev1/alg-twofish/evaltest.dat
+++ /dev/null
@@ -1,10 +0,0 @@
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ipsec statusall::IKE algorithm newest: TWOFISH_CBC_256-SHA2_512-MODP4096::YES
-moon::ipsec statusall::IKE algorithm newest: TWOFISH_CBC_256-SHA2_512-MODP4096::YES
-carol::ipsec statusall::ESP algorithm newest: TWOFISH_256-HMAC_SHA2_256::YES
-moon::ipsec statusall::ESP algorithm newest: TWOFISH_256-HMAC_SHA2_256::YES
-carol::ip xfrm state::enc cbc(twofish)::YES
-moon::ip xfrm state::enc cbc(twofish)::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-
diff --git a/testing/tests/ikev1/alg-twofish/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/alg-twofish/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index 71ed47519..000000000
--- a/testing/tests/ikev1/alg-twofish/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug="control crypt"
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	ike=twofish256-sha2_512-modp4096!
-	esp=twofish256-sha2_256!
-
-conn home
-	left=PH_IP_CAROL
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	rightid=@moon.strongswan.org
-	auto=add
diff --git a/testing/tests/ikev1/alg-twofish/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/alg-twofish/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index ba739f887..000000000
--- a/testing/tests/ikev1/alg-twofish/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug="control crypt"
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	ike=twofish256-sha2_512-modp4096!
-	esp=twofish256-sha2_256!
-
-conn rw
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftsubnet=10.1.0.0/16
-	right=%any
-	rightid=carol@strongswan.org
-	auto=add
diff --git a/testing/tests/ikev1/alg-twofish/posttest.dat b/testing/tests/ikev1/alg-twofish/posttest.dat
deleted file mode 100644
index c6d6235f9..000000000
--- a/testing/tests/ikev1/alg-twofish/posttest.dat
+++ /dev/null
@@ -1,2 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
diff --git a/testing/tests/ikev1/alg-twofish/pretest.dat b/testing/tests/ikev1/alg-twofish/pretest.dat
deleted file mode 100644
index 7d077c126..000000000
--- a/testing/tests/ikev1/alg-twofish/pretest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-carol::ipsec start
-moon::ipsec start
-carol::sleep 2
-carol::ipsec up home
diff --git a/testing/tests/ikev1/alg-twofish/test.conf b/testing/tests/ikev1/alg-twofish/test.conf
deleted file mode 100644
index a6c8f026c..000000000
--- a/testing/tests/ikev1/alg-twofish/test.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
-
diff --git a/testing/tests/ikev1/attr-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/attr-cert/hosts/moon/etc/strongswan.conf
index 5a360543c..343221385 100644
--- a/testing/tests/ikev1/attr-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/attr-cert/hosts/moon/etc/strongswan.conf
@@ -1,3 +1,13 @@
+pluto {
+  load = sha1 sha2 md5 aes des hmac gmp pubkey random curl
+}
+
 openac {
   load = sha1 sha2 md5 gmp random x509 pubkey
 }
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/crl-ldap/evaltest.dat b/testing/tests/ikev1/crl-ldap/evaltest.dat
index 2b98e086a..730614c66 100644
--- a/testing/tests/ikev1/crl-ldap/evaltest.dat
+++ b/testing/tests/ikev1/crl-ldap/evaltest.dat
@@ -6,8 +6,8 @@ moon::cat /var/log/auth.log::X.509 certificate rejected::YES
 carol::cat /var/log/auth.log::X.509 certificate rejected::YES
 moon::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES
 carol::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES
-moon::cat /var/log/auth.log::Trying LDAP URL::YES
-carol::cat /var/log/auth.log::Trying LDAP URL::YES
+moon::cat /var/log/auth.log::fetching crl from .*ldap://ldap.strongswan.org::YES
+carol::cat /var/log/auth.log::fetching crl from .*ldap://ldap.strongswan.org::YES
 moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
 carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
 moon::cat /var/log/auth.log::written crl file::YES
diff --git a/testing/tests/ikev1/crl-ldap/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/crl-ldap/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..b15cf2d3f
--- /dev/null
+++ b/testing/tests/ikev1/crl-ldap/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = sha1 sha2 md5 aes des hmac gmp pubkey random curl ldap
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/crl-ldap/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/crl-ldap/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..b15cf2d3f
--- /dev/null
+++ b/testing/tests/ikev1/crl-ldap/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = sha1 sha2 md5 aes des hmac gmp pubkey random curl ldap
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/default-keys/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/default-keys/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..52fd0c788
--- /dev/null
+++ b/testing/tests/ikev1/default-keys/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,15 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = sha1 sha2 md5 aes des hmac gmp pubkey random curl
+}
+
+scepclient {
+  load = sha1 sha2 md5 aes des hmac gmp pubkey random
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/default-keys/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/default-keys/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..52fd0c788
--- /dev/null
+++ b/testing/tests/ikev1/default-keys/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,15 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = sha1 sha2 md5 aes des hmac gmp pubkey random curl
+}
+
+scepclient {
+  load = sha1 sha2 md5 aes des hmac gmp pubkey random
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/dpd-restart/evaltest.dat b/testing/tests/ikev1/dpd-restart/evaltest.dat
index 016524dd9..c35a8019e 100644
--- a/testing/tests/ikev1/dpd-restart/evaltest.dat
+++ b/testing/tests/ikev1/dpd-restart/evaltest.dat
@@ -6,5 +6,5 @@ moon::cat /var/log/auth.log::inserting event EVENT_DPD::YES
 moon::cat /var/log/auth.log::DPD: No response from peer - declaring peer dead::YES
 moon::cat /var/log/auth.log::DPD: Terminating all SAs using this connection::YES
 moon::cat /var/log/auth.log::DPD: Restarting connection::YES
-moon::sleep 5::no output expected::NO
+moon::sleep 10::no output expected::NO
 moon::ipsec status::STATE_MAIN_I4 (ISAKMP SA established)::YES
diff --git a/testing/tests/ikev1/esp-ah-transport/description.txt b/testing/tests/ikev1/esp-ah-transport/description.txt
index c7918fa38..f8ffce6e6 100644
--- a/testing/tests/ikev1/esp-ah-transport/description.txt
+++ b/testing/tests/ikev1/esp-ah-transport/description.txt
@@ -1,5 +1,5 @@
 In IKE phase 2 the roadwarrior <b>carol</b> proposes to gateway <b>moon</b>
-the ESP AES 128 bit encryption algorithm combined with AH SHA-1 authentication.
+the ESP AES 128 bit encryption algorithm combined with AH HMAC_SHA1 authentication.
 In order to accept the AH and ESP encapsulated plaintext packets, the iptables firewall
 marks all incoming AH packets with the ESP mark. The transport mode connection is
 tested by <b>carol</b> sending a ping to gateway <b>moon</b>.
diff --git a/testing/tests/ikev1/esp-ah-transport/evaltest.dat b/testing/tests/ikev1/esp-ah-transport/evaltest.dat
index 7c498ad83..526e0d96e 100644
--- a/testing/tests/ikev1/esp-ah-transport/evaltest.dat
+++ b/testing/tests/ikev1/esp-ah-transport/evaltest.dat
@@ -1,7 +1,7 @@
 carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
 moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ipsec statusall::ESP algorithm newest: AES_128-;::YES
-moon::ipsec statusall::ESP algorithm newest: AES_128-;::YES
+carol::ipsec statusall::ESP/AH proposal: AES_CBC_128/HMAC_SHA1::YES
+moon::ipsec statusall::ESP/AH proposal: AES_CBC_128/HMAC_SHA1::YES
 carol::ping -c 1 -s 120 -p deadbeef PH_IP_MOON::128 bytes from PH_IP_MOON: icmp_seq=1::YES
 carol::ipsec status::ah\..*ah\..*esp\..*ago.*esp\..*ago.*transport::YES
 moon::ipsec status::ah\..*ah\..*esp\..*ago.*esp\..*ago.*transport::YES
diff --git a/testing/tests/ikev1/esp-ah-tunnel/description.txt b/testing/tests/ikev1/esp-ah-tunnel/description.txt
index 809f28c57..332f8177a 100644
--- a/testing/tests/ikev1/esp-ah-tunnel/description.txt
+++ b/testing/tests/ikev1/esp-ah-tunnel/description.txt
@@ -1,5 +1,5 @@
 In IKE phase 2 the roadwarrior <b>carol</b> proposes to gateway <b>moon</b>
-the ESP AES 128 bit encryption algorithm combined with AH SHA-1 authentication.
+the ESP AES 128 bit encryption algorithm combined with AH HMAC_SHA1 authentication.
 In order to accept the AH and ESP encapsulated plaintext packets, the iptables firewall
 marks all incoming AH packets with the ESP mark. The tunnel mode connection is
 tested by <b>carol</b> sending a ping to client <b>alice</b> hiding behind 
diff --git a/testing/tests/ikev1/esp-ah-tunnel/evaltest.dat b/testing/tests/ikev1/esp-ah-tunnel/evaltest.dat
index 8f4a99641..5103a6318 100644
--- a/testing/tests/ikev1/esp-ah-tunnel/evaltest.dat
+++ b/testing/tests/ikev1/esp-ah-tunnel/evaltest.dat
@@ -1,7 +1,7 @@
 carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
 moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ipsec statusall::ESP algorithm newest: AES_128-;::YES
-moon::ipsec statusall::ESP algorithm newest: AES_128-;::YES
+carol::ipsec statusall::ESP/AH proposal: AES_CBC_128/HMAC_SHA1::YES
+moon::ipsec statusall::ESP/AH proposal: AES_CBC_128/HMAC_SHA1::YES
 carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
 carol::ipsec status::ah\..*ah\..*esp\..*ago.*esp\..*ago.*tunnel::YES
 moon::ipsec status::ah\..*ah\..*esp\..*ago.*esp\..*ago.*tunnel::YES
diff --git a/testing/tests/ikev1/esp-alg-aesxcbc/description.txt b/testing/tests/ikev1/esp-alg-aesxcbc/description.txt
index fef0ac2dd..0c39352d9 100644
--- a/testing/tests/ikev1/esp-alg-aesxcbc/description.txt
+++ b/testing/tests/ikev1/esp-alg-aesxcbc/description.txt
@@ -1,4 +1,4 @@
 Roadwarrior <b>carol</b> proposes  to gateway <b>moon</b> the ESP cipher suite
-<b>AES_256/AES_XCBC_MAC</b> by defining <b>esp=aes256-aesxcbc-modp2048</b>
+<b>AES_CBC_256 / AES_XCBC_96</b> by defining <b>esp=aes256-aesxcbc</b>
 in ipsec.conf. A ping from <b>carol</b> to <b>alice</b> successfully checks
 the established tunnel.
diff --git a/testing/tests/ikev1/esp-alg-aesxcbc/evaltest.dat b/testing/tests/ikev1/esp-alg-aesxcbc/evaltest.dat
index f464bda65..872962de4 100644
--- a/testing/tests/ikev1/esp-alg-aesxcbc/evaltest.dat
+++ b/testing/tests/ikev1/esp-alg-aesxcbc/evaltest.dat
@@ -1,8 +1,8 @@
 
 carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
 moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ipsec statusall::ESP algorithm newest: AES_256-AES_XCBC_MAC::YES
-moon::ipsec statusall::ESP algorithm newest: AES_256-AES_XCBC_MAC::YES
+carol::ipsec statusall::ESP proposal: AES_CBC_256/AES_XCBC_96::YES
+moon::ipsec statusall::ESP proposal: AES_CBC_256/AES_XCBC_96::YES
 carol::ip xfrm state::auth xcbc(aes)::YES
 moon::ip xfrm state::auth xcbc(aes)::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
diff --git a/testing/tests/ikev1/esp-alg-camellia/description.txt b/testing/tests/ikev1/esp-alg-camellia/description.txt
index ead39f580..b679d03ec 100644
--- a/testing/tests/ikev1/esp-alg-camellia/description.txt
+++ b/testing/tests/ikev1/esp-alg-camellia/description.txt
@@ -1,4 +1,4 @@
 Roadwarrior <b>carol</b> proposes  to gateway <b>moon</b> the ESP cipher suite
-<b>CAMELLIA_192/HMAC_SHA2_256</b> by defining <b>esp=camellia192-sha2_256-modp2048</b>
+<b>CAMELLIA_CBC_192 / HMAC_SHA2_256</b> by defining <b>esp=camellia192-sha2_256</b>
 in ipsec.conf. A ping from <b>carol</b> to <b>alice</b> successfully checks
 the established tunnel.
diff --git a/testing/tests/ikev1/esp-alg-camellia/evaltest.dat b/testing/tests/ikev1/esp-alg-camellia/evaltest.dat
index b2871dabd..1b0f3a12b 100644
--- a/testing/tests/ikev1/esp-alg-camellia/evaltest.dat
+++ b/testing/tests/ikev1/esp-alg-camellia/evaltest.dat
@@ -1,7 +1,7 @@
 carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
 moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ipsec statusall::ESP algorithm newest: CAMELLIA_192-HMAC_SHA2_256::YES
-moon::ipsec statusall::ESP algorithm newest: CAMELLIA_192-HMAC_SHA2_256::YES
+carol::ipsec statusall::ESP proposal: CAMELLIA_CBC_192/HMAC_SHA2_256::YES
+moon::ipsec statusall::ESP proposal: CAMELLIA_CBC_192/HMAC_SHA2_256::YES
 carol::ip xfrm state::enc cbc(camellia)::YES
 moon::ip xfrm state::enc cbc(camellia)::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
diff --git a/testing/tests/ikev1/esp-alg-des/evaltest.dat b/testing/tests/ikev1/esp-alg-des/evaltest.dat
index 8e06392f1..57d09a488 100644
--- a/testing/tests/ikev1/esp-alg-des/evaltest.dat
+++ b/testing/tests/ikev1/esp-alg-des/evaltest.dat
@@ -1,6 +1,8 @@
 carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
 moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-moon::ipsec statusall::ESP algorithm newest: DES_0-HMAC_MD5::YES
-carol::ipsec statusall::ESP algorithm newest: DES_0-HMAC_MD5::YES
+moon::ipsec statusall::ESP proposal: DES_CBC/HMAC_MD5::YES
+carol::ipsec statusall::ESP proposal: DES_CBC/HMAC_MD5::YES
+moon::ip xfrm state::enc cbc(des)::YES
+carol::ip xfrm state::enc cbc(des)::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
 
diff --git a/testing/tests/ikev1/esp-alg-null/evaltest.dat b/testing/tests/ikev1/esp-alg-null/evaltest.dat
index de2f2a571..8c748a54c 100644
--- a/testing/tests/ikev1/esp-alg-null/evaltest.dat
+++ b/testing/tests/ikev1/esp-alg-null/evaltest.dat
@@ -1,5 +1,7 @@
 carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
 moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-moon::ipsec statusall::ESP algorithm newest::NULL_0-HMAC_SHA1::YES
-carol::ipsec statusall::ESP algorithm newest::NULL_0-HMAC_SHA1::YES
+moon::ipsec statusall::ESP proposal::NULL/HMAC_SHA1::YES
+carol::ipsec statusall::ESP proposal::NULL/HMAC_SHA1::YES
+moon::ip xfrm state::enc ecb(cipher_null)::YES
+carol::ip xfrm state::enc ecb(cipher_null)::YES
 carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
diff --git a/testing/tests/ikev1/esp-alg-null/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-null/hosts/carol/etc/ipsec.conf
index b939e4fda..3c9fdbb71 100755
--- a/testing/tests/ikev1/esp-alg-null/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-null/hosts/carol/etc/ipsec.conf
@@ -11,7 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	ike=aes-128-sha
+	ike=aes-sha1
 	esp=null-sha1!
 
 conn home
diff --git a/testing/tests/ikev1/esp-alg-null/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-null/hosts/moon/etc/ipsec.conf
index 9ca761cb5..62f17df49 100755
--- a/testing/tests/ikev1/esp-alg-null/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-null/hosts/moon/etc/ipsec.conf
@@ -11,7 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	ike=aes128-sha!
+	ike=aes-sha1!
 	esp=null-sha1!
 
 conn rw
diff --git a/testing/tests/ikev1/esp-alg-strict-fail/description.txt b/testing/tests/ikev1/esp-alg-strict-fail/description.txt
index 03c655480..252080e80 100644
--- a/testing/tests/ikev1/esp-alg-strict-fail/description.txt
+++ b/testing/tests/ikev1/esp-alg-strict-fail/description.txt
@@ -1,5 +1,5 @@
-The roadwarrior <b>carol</b> proposes <b>3DES</b> encryption with SHA-1 authentication
+The roadwarrior <b>carol</b> proposes <b>3DES_CBC</b> encryption with HMAC_SHA1 authentication
 as the only cipher suite for both the ISAKMP and IPsec SA. The gateway <b>moon</b> defines
-<b>ike=aes-128-sha</b> only, but will accept any other support algorithm proposed by the peer,
+<b>ike=aes128-sha1</b> only, but will accept any other support algorithm proposed by the peer,
 leading to a successful negotiation of Phase 1. Because for Phase 2 <b>moon</b> enforces
-<b>esp=aes-128-sha1!</b> by using the strict flag '!', the ISAKMP SA will fail.
+<b>esp=aes128-sha1!</b> by using the strict flag '!', the ISAKMP SA will fail.
diff --git a/testing/tests/ikev1/esp-alg-strict-fail/evaltest.dat b/testing/tests/ikev1/esp-alg-strict-fail/evaltest.dat
index 6f2024ff9..83d99bea1 100644
--- a/testing/tests/ikev1/esp-alg-strict-fail/evaltest.dat
+++ b/testing/tests/ikev1/esp-alg-strict-fail/evaltest.dat
@@ -1,9 +1,9 @@
 carol::ipsec status::home.*STATE_MAIN_I4.*ISAKMP SA established::YES
-carol::ipsec statusall::IKE algorithm newest: 3DES_CBC_192-SHA::YES
+carol::ipsec statusall::IKE proposal: 3DES_CBC/HMAC_SHA1::YES
 moon::ipsec status::rw.*STATE_MAIN_R3.*ISAKMP SA established::YES
-moon::ipsec statusall::IKE algorithm newest: 3DES_CBC_192-SHA::YES
+moon::ipsec statusall::IKE proposal: 3DES_CBC/HMAC_SHA1::YES
 carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::NO
 carol::cat /var/log/auth.log::NO_PROPOSAL_CHOSEN::YES
 moon::ipsec status::rw.*STATE_QUICK_R2.*ISAKMP SA established::NO
-moon::cat /var/log/auth.log::IPSec Transform.*ESP_3DES (192), AUTH_ALGORITHM_HMAC_SHA1.*refused due to strict flag::YES
+moon::cat /var/log/auth.log::IPSec Transform.*3DES_CBC (192), HMAC_SHA1.*refused due to strict flag::YES
 moon::cat /var/log/auth.log::no acceptable Proposal in IPsec SA::YES
diff --git a/testing/tests/ikev1/esp-alg-strict-fail/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-strict-fail/hosts/carol/etc/ipsec.conf
index f61cfc6bb..21997940b 100755
--- a/testing/tests/ikev1/esp-alg-strict-fail/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-strict-fail/hosts/carol/etc/ipsec.conf
@@ -11,7 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	ike=3des-sha
+	ike=3des-sha1
 	esp=3des-sha1
 
 conn home
diff --git a/testing/tests/ikev1/esp-alg-strict-fail/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-strict-fail/hosts/moon/etc/ipsec.conf
index 5bf53b8bc..14f58ccc3 100755
--- a/testing/tests/ikev1/esp-alg-strict-fail/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-strict-fail/hosts/moon/etc/ipsec.conf
@@ -11,7 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	ike=aes128-sha
+	ike=aes128-sha1
 	esp=aes128-sha1!
 
 conn rw
diff --git a/testing/tests/ikev1/esp-alg-strict/description.txt b/testing/tests/ikev1/esp-alg-strict/description.txt
index b4fc08253..149a1e013 100644
--- a/testing/tests/ikev1/esp-alg-strict/description.txt
+++ b/testing/tests/ikev1/esp-alg-strict/description.txt
@@ -1,7 +1,7 @@
-Roadwarrior <b>carol</b> proposes <b>3DES</b> encryption (together with
-SHA-1 authentication) in the first place and <b>AES-128</b> encryption in
+Roadwarrior <b>carol</b> proposes <b>3DES_CBC</b> encryption (together with
+HMAC_SHA1 authentication) in the first place and <b>AES_CBC_128</b> encryption in
 second place for both the ISAKMP and IPsec SAs. Gateway <b>moon</b> defines
-<b>ike=aes-128-sha</b> but will accept any other supported algorithm proposed
+<b>ike=aes128-sha1</b> but will accept any other supported algorithm proposed
 by the peer during Phase 1. But for ESP encryption <b>moon</b> enforces
-<b>esp=aes-128-sha1!</b> by applying the strict flag '!'.
+<b>esp=aes128-sha1!</b> by applying the strict flag '!'.
 
diff --git a/testing/tests/ikev1/esp-alg-strict/evaltest.dat b/testing/tests/ikev1/esp-alg-strict/evaltest.dat
index d5dd12d4e..912a8d830 100644
--- a/testing/tests/ikev1/esp-alg-strict/evaltest.dat
+++ b/testing/tests/ikev1/esp-alg-strict/evaltest.dat
@@ -1,7 +1,7 @@
 carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
 moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-moon::cat /var/log/auth.log::IPSec Transform.*ESP_3DES (192), AUTH_ALGORITHM_HMAC_SHA1.*refused due to strict flag::YES
-moon::ipsec statusall::IKE algorithm newest: 3DES_CBC_192-SHA::YES
-moon::ipsec statusall::ESP algorithm newest: AES_128-HMAC_SHA1::YES
-carol::ipsec statusall::IKE algorithm newest: 3DES_CBC_192-SHA::YES
-carol::ipsec statusall::ESP algorithm newest: AES_128-HMAC_SHA1::YES
+moon::cat /var/log/auth.log::IPSec Transform.*3DES_CBC (192), HMAC_SHA1.*refused due to strict flag::YES
+moon::ipsec statusall::IKE proposal: 3DES_CBC/HMAC_SHA1::YES
+moon::ipsec statusall::ESP proposal: AES_CBC_128/HMAC_SHA1::YES
+carol::ipsec statusall::IKE proposal: 3DES_CBC/HMAC_SHA1::YES
+carol::ipsec statusall::ESP proposal: AES_CBC_128/HMAC_SHA1::YES
diff --git a/testing/tests/ikev1/esp-alg-strict/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-strict/hosts/carol/etc/ipsec.conf
index 0ae6b0693..7e2de30cd 100755
--- a/testing/tests/ikev1/esp-alg-strict/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-strict/hosts/carol/etc/ipsec.conf
@@ -11,8 +11,8 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	ike=3des-sha,aes-128-sha
-	esp=3des-sha1,aes-128-sha1
+	ike=3des-sha,aes128-sha1
+	esp=3des-sha1,aes128-sha1
 
 conn home
 	left=PH_IP_CAROL
diff --git a/testing/tests/ikev1/esp-alg-strict/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-strict/hosts/moon/etc/ipsec.conf
index 5bf53b8bc..14f58ccc3 100755
--- a/testing/tests/ikev1/esp-alg-strict/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-strict/hosts/moon/etc/ipsec.conf
@@ -11,7 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	ike=aes128-sha
+	ike=aes128-sha1
 	esp=aes128-sha1!
 
 conn rw
diff --git a/testing/tests/ikev1/esp-alg-weak/description.txt b/testing/tests/ikev1/esp-alg-weak/description.txt
index ffb6882f5..e49b6c620 100644
--- a/testing/tests/ikev1/esp-alg-weak/description.txt
+++ b/testing/tests/ikev1/esp-alg-weak/description.txt
@@ -1,4 +1,4 @@
-The roadwarrior <b>carol</b> proposes <b>1DES</b> encryption with MD5 authentication
+The roadwarrior <b>carol</b> proposes <b>DES_CBC</b> encryption with HMAC_MD5 authentication
 as the only cipher suite for the IPsec SA. Because gateway <b>moon</b> does
 not use an explicit <b>esp</b> statement any strong encryption algorithm will be
 accepted but any weak key length will be rejected by default and thus the ISAKMP SA
diff --git a/testing/tests/ikev1/ike-alg-sha2_384/description.txt b/testing/tests/ikev1/ike-alg-sha2_384/description.txt
index a347a3fed..a0bda209c 100644
--- a/testing/tests/ikev1/ike-alg-sha2_384/description.txt
+++ b/testing/tests/ikev1/ike-alg-sha2_384/description.txt
@@ -1,4 +1,4 @@
 Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the strong cipher suite
-<b>AES_CBC_192-SHA2_384-MODP4096</b> for the IKE protocol and
-<b>AES_192-HMAC_SHA2_256</b> for ESP packets. A ping from <b>carol</b> to
+<b>AES_CBC_192 / HMAC_SHA2_384 / MODP4096</b> for the IKE protocol and
+<b>AES_CBC_192 /HMAC_SHA2_256</b> for ESP packets. A ping from <b>carol</b> to
 <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev1/ike-alg-sha2_384/evaltest.dat b/testing/tests/ikev1/ike-alg-sha2_384/evaltest.dat
index 31959f53a..a4cc39150 100644
--- a/testing/tests/ikev1/ike-alg-sha2_384/evaltest.dat
+++ b/testing/tests/ikev1/ike-alg-sha2_384/evaltest.dat
@@ -1,8 +1,8 @@
 carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
 moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-moon::ipsec statusall::IKE algorithm newest: AES_CBC_192-SHA2_384-MODP4096::YES
-carol::ipsec statusall::IKE algorithm newest: AES_CBC_192-SHA2_384-MODP4096::YES
-moon::ipsec statusall::ESP algorithm newest: AES_192-HMAC_SHA2_256::YES
-carol::ipsec statusall::ESP algorithm newest: AES_192-HMAC_SHA2_256::YES
+moon::ipsec statusall::IKE proposal: AES_CBC_192/HMAC_SHA2_384/MODP_4096::YES
+carol::ipsec statusall::IKE proposal: AES_CBC_192/HMAC_SHA2_384/MODP_4096::YES
+moon::ipsec statusall::ESP proposal: AES_CBC_192/HMAC_SHA2_256::YES
+carol::ipsec statusall::ESP proposal: AES_CBC_192/HMAC_SHA2_256::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
 
diff --git a/testing/tests/ikev1/ike-alg-sha2_512/description.txt b/testing/tests/ikev1/ike-alg-sha2_512/description.txt
index 1bec4b8c6..240b8f2b0 100644
--- a/testing/tests/ikev1/ike-alg-sha2_512/description.txt
+++ b/testing/tests/ikev1/ike-alg-sha2_512/description.txt
@@ -1,4 +1,4 @@
 Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the paranoid cipher suite
-<b>AES_CBC_256-SHA2_512-MODP8192</b> for the IKE protocol and
-<b>AES_256-HMAC_SHA2_256</b> for ESP packets. A ping from <b>carol</b> to
+<b>AES_CBC_256 / HMAC_SHA2_512 / MODP_8192</b> for the IKE protocol and
+<b>AES_CBC_256 / HMAC_SHA2_256</b> for ESP packets. A ping from <b>carol</b> to
 <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev1/ike-alg-sha2_512/evaltest.dat b/testing/tests/ikev1/ike-alg-sha2_512/evaltest.dat
index dbd35429c..10929457f 100644
--- a/testing/tests/ikev1/ike-alg-sha2_512/evaltest.dat
+++ b/testing/tests/ikev1/ike-alg-sha2_512/evaltest.dat
@@ -1,8 +1,8 @@
 carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
 moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-moon::ipsec statusall::IKE algorithm newest: AES_CBC_256-SHA2_512-MODP8192::YES
-carol::ipsec statusall::IKE algorithm newest: AES_CBC_256-SHA2_512-MODP8192::YES
-moon::ipsec statusall::ESP algorithm newest: AES_256-HMAC_SHA2_256::YES
-carol::ipsec statusall::ESP algorithm newest: AES_256-HMAC_SHA2_256::YES
+moon::ipsec statusall::IKE proposal: AES_CBC_256/HMAC_SHA2_512/MODP_8192::YES
+carol::ipsec statusall::IKE proposal: AES_CBC_256/HMAC_SHA2_512/MODP_8192::YES
+moon::ipsec statusall::ESP proposal: AES_CBC_256/HMAC_SHA2_256::YES
+carol::ipsec statusall::ESP proposal: AES_CBC_256/HMAC_SHA2_256::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
 
diff --git a/testing/tests/ikev1/ike-alg-strict-fail/description.txt b/testing/tests/ikev1/ike-alg-strict-fail/description.txt
index 03c655480..252080e80 100644
--- a/testing/tests/ikev1/ike-alg-strict-fail/description.txt
+++ b/testing/tests/ikev1/ike-alg-strict-fail/description.txt
@@ -1,5 +1,5 @@
-The roadwarrior <b>carol</b> proposes <b>3DES</b> encryption with SHA-1 authentication
+The roadwarrior <b>carol</b> proposes <b>3DES_CBC</b> encryption with HMAC_SHA1 authentication
 as the only cipher suite for both the ISAKMP and IPsec SA. The gateway <b>moon</b> defines
-<b>ike=aes-128-sha</b> only, but will accept any other support algorithm proposed by the peer,
+<b>ike=aes128-sha1</b> only, but will accept any other support algorithm proposed by the peer,
 leading to a successful negotiation of Phase 1. Because for Phase 2 <b>moon</b> enforces
-<b>esp=aes-128-sha1!</b> by using the strict flag '!', the ISAKMP SA will fail.
+<b>esp=aes128-sha1!</b> by using the strict flag '!', the ISAKMP SA will fail.
diff --git a/testing/tests/ikev1/ike-alg-strict-fail/evaltest.dat b/testing/tests/ikev1/ike-alg-strict-fail/evaltest.dat
index 931b8855a..0c6bc7f7e 100644
--- a/testing/tests/ikev1/ike-alg-strict-fail/evaltest.dat
+++ b/testing/tests/ikev1/ike-alg-strict-fail/evaltest.dat
@@ -1,5 +1,5 @@
 carol::ipsec status::home.*STATE_MAIN_I4.*ISAKMP SA established::NO
 moon::ipsec status::rw.*STATE_MAIN_R3.*ISAKMP SA established::NO
 carol::cat /var/log/auth.log::NO_PROPOSAL_CHOSEN::YES
-moon::cat /var/log/auth.log::Oakley Transform.*OAKLEY_3DES_CBC (192), OAKLEY_SHA.*refused due to strict flag::YES
+moon::cat /var/log/auth.log::Oakley Transform.*3DES_CBC (192), HMAC_SHA1.*refused due to strict flag::YES
 moon::cat /var/log/auth.log::no acceptable Oakley Transform::YES
diff --git a/testing/tests/ikev1/ike-alg-strict-fail/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/ike-alg-strict-fail/hosts/carol/etc/ipsec.conf
index cbe5469f0..63ad1c01d 100755
--- a/testing/tests/ikev1/ike-alg-strict-fail/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/ike-alg-strict-fail/hosts/carol/etc/ipsec.conf
@@ -11,7 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	ike=3des-sha
+	ike=3des-sha1
 	esp=3des-sha1
 
 conn home
diff --git a/testing/tests/ikev1/ike-alg-strict-fail/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/ike-alg-strict-fail/hosts/moon/etc/ipsec.conf
index 42e5f8404..1ea5fe7a5 100755
--- a/testing/tests/ikev1/ike-alg-strict-fail/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/ike-alg-strict-fail/hosts/moon/etc/ipsec.conf
@@ -11,7 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	ike=aes128-sha!
+	ike=aes128-sha1!
 	esp=aes128-sha1
 
 conn rw
diff --git a/testing/tests/ikev1/ike-alg-strict/description.txt b/testing/tests/ikev1/ike-alg-strict/description.txt
index 35d266e20..af93b95c3 100644
--- a/testing/tests/ikev1/ike-alg-strict/description.txt
+++ b/testing/tests/ikev1/ike-alg-strict/description.txt
@@ -1,5 +1,5 @@
-The roadwarrior <b>carol</b> proposes <b>3DES</b> encryption with <b>SHA-1</b> authentication in the first place
-and <b>AES-128</b> encryption with <b>SHA-1</b> authentication in the second place for both the ISAKMP and IPsec SA.
-The gateway <b>moon</b> enforces <b>ike=aes-128-sha!</b> for Phase 1 by using the strict flag '!', 
+The roadwarrior <b>carol</b> proposes <b>3DES_CBC</b> encryption with <b>HMAC_SHA1</b> authentication in the first place
+and <b>AES_CBC_128</b> encryption with <b>HMAC_SHA1</b> authentication in the second place for both the ISAKMP and IPsec SA.
+The gateway <b>moon</b> enforces <b>ike=aes128-sha!</b> for Phase 1 by using the strict flag '!', 
 but will accept any other supported algorithm proposed by the peer for Phase 2 , even though <b>moon</b>
-defines itself <b>esp=aes-128-sha1</b> only.
+defines itself <b>esp=aes128-sha1</b> only.
diff --git a/testing/tests/ikev1/ike-alg-strict/evaltest.dat b/testing/tests/ikev1/ike-alg-strict/evaltest.dat
index 46140be8a..8acd0d039 100644
--- a/testing/tests/ikev1/ike-alg-strict/evaltest.dat
+++ b/testing/tests/ikev1/ike-alg-strict/evaltest.dat
@@ -1,7 +1,7 @@
 carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
 moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-moon::cat /var/log/auth.log::Oakley Transform.*OAKLEY_3DES_CBC (192), OAKLEY_SHA.*refused due to strict flag::YES
-moon::ipsec statusall::IKE algorithm newest: AES_CBC_128-SHA::YES
-moon::ipsec statusall::ESP algorithm newest: 3DES_0-HMAC_SHA1::YES
-carol::ipsec statusall::IKE algorithm newest: AES_CBC_128-SHA::YES
-carol::ipsec statusall::ESP algorithm newest: 3DES_0-HMAC_SHA1::YES
+moon::cat /var/log/auth.log::Oakley Transform.*3DES_CBC (192), HMAC_SHA1.*refused due to strict flag::YES
+moon::ipsec statusall::IKE proposal: AES_CBC_128/HMAC_SHA1::YES
+moon::ipsec statusall::ESP proposal: 3DES_CBC/HMAC_SHA1::YES
+carol::ipsec statusall::IKE proposal: AES_CBC_128/HMAC_SHA::YES
+carol::ipsec statusall::ESP proposal: 3DES_CBC/HMAC_SHA1::YES
diff --git a/testing/tests/ikev1/ike-alg-strict/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/ike-alg-strict/hosts/carol/etc/ipsec.conf
index b8e2257c4..9272bdc7f 100755
--- a/testing/tests/ikev1/ike-alg-strict/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/ike-alg-strict/hosts/carol/etc/ipsec.conf
@@ -11,8 +11,8 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	ike=3des-sha,aes-128-sha
-	esp=3des-sha1,aes-128-sha1
+	ike=3des-sha1,aes128-sha1
+	esp=3des-sha1,aes128-sha1
 conn home
 	left=PH_IP_CAROL
 	leftcert=carolCert.pem
diff --git a/testing/tests/ikev1/ike-alg-strict/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/ike-alg-strict/hosts/moon/etc/ipsec.conf
index 42e5f8404..1ea5fe7a5 100755
--- a/testing/tests/ikev1/ike-alg-strict/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/ike-alg-strict/hosts/moon/etc/ipsec.conf
@@ -11,7 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	ike=aes128-sha!
+	ike=aes128-sha1!
 	esp=aes128-sha1
 
 conn rw
diff --git a/testing/tests/ikev1/mode-config/evaltest.dat b/testing/tests/ikev1/mode-config/evaltest.dat
index 9d60cf7b0..69f77946e 100644
--- a/testing/tests/ikev1/mode-config/evaltest.dat
+++ b/testing/tests/ikev1/mode-config/evaltest.dat
@@ -1,4 +1,6 @@
 carol::cat /var/log/auth.log::setting virtual IP source address to PH_IP_CAROL1::YES
+carol::cat /var/log/auth.log::received IPv4 DNS server address PH_IP_WINNETOU::YES
+carol::cat /var/log/auth.log::received IPv6 DNS server address fec1\:\:20::YES
 carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
 dave::cat /var/log/auth.log::setting virtual IP source address to PH_IP_DAVE1::YES
diff --git a/testing/tests/ikev1/mode-config/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/mode-config/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..3e950c81d
--- /dev/null
+++ b/testing/tests/ikev1/mode-config/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,13 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = sha1 sha2 md5 aes des hmac gmp pubkey random curl
+  dns1 = PH_IP_WINNETOU
+  dns2 = PH_IP6_VENUS
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/multi-level-ca-ldap/evaltest.dat b/testing/tests/ikev1/multi-level-ca-ldap/evaltest.dat
index f504706e2..9cfa502aa 100644
--- a/testing/tests/ikev1/multi-level-ca-ldap/evaltest.dat
+++ b/testing/tests/ikev1/multi-level-ca-ldap/evaltest.dat
@@ -2,7 +2,7 @@ moon::cat /var/log/auth.log::PH_IP_CAROL.*X.509 certificate rejected::YES
 carol::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES
 moon::cat /var/log/auth.log::PH_IP_DAVE.*X.509 certificate rejected::YES
 dave::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES
-moon::cat /var/log/auth.log::Trying LDAP URL::YES
+moon::cat /var/log/auth.log::fetching crl from .*ldap://ldap.strongswan.org::YES
 carol::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::YES
 moon::ipsec status::alice.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::YES
 carol::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::NO
diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..b15cf2d3f
--- /dev/null
+++ b/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = sha1 sha2 md5 aes des hmac gmp pubkey random curl ldap
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..b15cf2d3f
--- /dev/null
+++ b/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = sha1 sha2 md5 aes des hmac gmp pubkey random curl ldap
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..b15cf2d3f
--- /dev/null
+++ b/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = sha1 sha2 md5 aes des hmac gmp pubkey random curl ldap
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/nat-two-rw-psk/hosts/alice/etc/strongswan.conf b/testing/tests/ikev1/nat-two-rw-psk/hosts/alice/etc/strongswan.conf
new file mode 100644
index 000000000..85e5f1aee
--- /dev/null
+++ b/testing/tests/ikev1/nat-two-rw-psk/hosts/alice/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = sha1 sha2 md5 aes des hmac gmp random
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/nat-two-rw-psk/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/nat-two-rw-psk/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..85e5f1aee
--- /dev/null
+++ b/testing/tests/ikev1/nat-two-rw-psk/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = sha1 sha2 md5 aes des hmac gmp random
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/nat-two-rw-psk/hosts/venus/etc/strongswan.conf b/testing/tests/ikev1/nat-two-rw-psk/hosts/venus/etc/strongswan.conf
new file mode 100644
index 000000000..85e5f1aee
--- /dev/null
+++ b/testing/tests/ikev1/nat-two-rw-psk/hosts/venus/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = sha1 sha2 md5 aes des hmac gmp random
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..85e5f1aee
--- /dev/null
+++ b/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = sha1 sha2 md5 aes des hmac gmp random
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..85e5f1aee
--- /dev/null
+++ b/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = sha1 sha2 md5 aes des hmac gmp random
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/net2net-psk/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/net2net-psk/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..85e5f1aee
--- /dev/null
+++ b/testing/tests/ikev1/net2net-psk/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = sha1 sha2 md5 aes des hmac gmp random
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/net2net-psk/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/net2net-psk/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..85e5f1aee
--- /dev/null
+++ b/testing/tests/ikev1/net2net-psk/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = sha1 sha2 md5 aes des hmac gmp random
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/no-priv-key/evaltest.dat b/testing/tests/ikev1/no-priv-key/evaltest.dat
index 9bd85ba12..c2612167a 100644
--- a/testing/tests/ikev1/no-priv-key/evaltest.dat
+++ b/testing/tests/ikev1/no-priv-key/evaltest.dat
@@ -1,4 +1,4 @@
-carol::cat /var/log/auth.log::unable to locate my private key for RSA Signature::YES
-moon::cat /var/log/auth.log::ignoring informational payload, type AUTHENTICATION_FAILED::YES
+carol::cat /var/log/auth.log::unable to locate my private key::YES
+carol::cat /var/log/auth.log::empty ISAKMP SA proposal to send::YES
 moon::ipsec status::rw.*STATE_MAIN_R3.*ISAKMP SA established::NO
 carol::ipsec status::home.*STATE_MAIN_I4.*ISAKMP SA established::NO
diff --git a/testing/tests/ikev1/protoport-route/evaltest.dat b/testing/tests/ikev1/protoport-route/evaltest.dat
index 759295675..b266d86d8 100644
--- a/testing/tests/ikev1/protoport-route/evaltest.dat
+++ b/testing/tests/ikev1/protoport-route/evaltest.dat
@@ -1,5 +1,5 @@
-carol::ping -c 2 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq::YES
-carol::ping -c 2 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq::YES
+carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq::YES
 carol::ssh PH_IP_ALICE hostname::alice::YES
 carol::cat /var/log/auth.log::initiate on demand::YES
 carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
diff --git a/testing/tests/ikev1/protoport-route/pretest.dat b/testing/tests/ikev1/protoport-route/pretest.dat
index f233ad48f..b1fc81827 100644
--- a/testing/tests/ikev1/protoport-route/pretest.dat
+++ b/testing/tests/ikev1/protoport-route/pretest.dat
@@ -2,5 +2,7 @@ moon::/etc/init.d/iptables start 2> /dev/null
 carol::/etc/init.d/iptables start 2> /dev/null
 moon::ipsec start
 carol::ipsec start
+carol::sleep 1
+carol::ssh -o ConnectTimeout=5 PH_IP_ALICE hostname
+carol::ping -c 1 PH_IP_ALICE > /dev/null
 carol::sleep 2
-carol::ssh PH_IP_ALICE hostname
diff --git a/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..52fd0c788
--- /dev/null
+++ b/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,15 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = sha1 sha2 md5 aes des hmac gmp pubkey random curl
+}
+
+scepclient {
+  load = sha1 sha2 md5 aes des hmac gmp pubkey random
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/req-pkcs10/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/req-pkcs10/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..52fd0c788
--- /dev/null
+++ b/testing/tests/ikev1/req-pkcs10/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,15 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = sha1 sha2 md5 aes des hmac gmp pubkey random curl
+}
+
+scepclient {
+  load = sha1 sha2 md5 aes des hmac gmp pubkey random
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-cert/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..304ef99e0
--- /dev/null
+++ b/testing/tests/ikev1/rw-cert/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,14 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = test-vectors sha1 sha2 md5 aes des hmac gmp pubkey random curl
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+  crypto_test {
+    on_add = yes
+  }
+}
diff --git a/testing/tests/ikev1/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-cert/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..304ef99e0
--- /dev/null
+++ b/testing/tests/ikev1/rw-cert/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,14 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = test-vectors sha1 sha2 md5 aes des hmac gmp pubkey random curl
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+  crypto_test {
+    on_add = yes
+  }
+}
diff --git a/testing/tests/ikev1/rw-psk-fqdn-named/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-fqdn-named/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..85e5f1aee
--- /dev/null
+++ b/testing/tests/ikev1/rw-psk-fqdn-named/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = sha1 sha2 md5 aes des hmac gmp random
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..85e5f1aee
--- /dev/null
+++ b/testing/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = sha1 sha2 md5 aes des hmac gmp random
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..85e5f1aee
--- /dev/null
+++ b/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = sha1 sha2 md5 aes des hmac gmp random
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..85e5f1aee
--- /dev/null
+++ b/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = sha1 sha2 md5 aes des hmac gmp random
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..85e5f1aee
--- /dev/null
+++ b/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = sha1 sha2 md5 aes des hmac gmp random
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..85e5f1aee
--- /dev/null
+++ b/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = sha1 sha2 md5 aes des hmac gmp random
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/rw-psk-no-policy/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-no-policy/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..85e5f1aee
--- /dev/null
+++ b/testing/tests/ikev1/rw-psk-no-policy/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = sha1 sha2 md5 aes des hmac gmp random
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/rw-psk-no-policy/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-no-policy/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..85e5f1aee
--- /dev/null
+++ b/testing/tests/ikev1/rw-psk-no-policy/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = sha1 sha2 md5 aes des hmac gmp random
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/rw-psk-rsa-mixed/evaltest.dat b/testing/tests/ikev1/rw-psk-rsa-mixed/evaltest.dat
index 9e1354121..5ab6632cc 100644
--- a/testing/tests/ikev1/rw-psk-rsa-mixed/evaltest.dat
+++ b/testing/tests/ikev1/rw-psk-rsa-mixed/evaltest.dat
@@ -2,6 +2,6 @@ carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
 dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
 moon::cat /var/log/auth.log::peer requests PSK authentication::YES
 moon::ipsec status::rw-psk.*PH_IP_CAROL STATE_QUICK_R2.*IPsec SA established::YES
-moon::cat /var/log/auth.log::peer requests RSASIG authentication::YES
+moon::cat /var/log/auth.log::peer requests PUBKEY authentication::YES
 moon::ipsec status::rw-rsasig.*PH_IP_DAVE STATE_QUICK_R2.*IPsec SA established::YES
 
diff --git a/testing/tests/ikev1/rw-rsa-no-policy/evaltest.dat b/testing/tests/ikev1/rw-rsa-no-policy/evaltest.dat
index 188b7bbb5..849ae5d66 100644
--- a/testing/tests/ikev1/rw-rsa-no-policy/evaltest.dat
+++ b/testing/tests/ikev1/rw-rsa-no-policy/evaltest.dat
@@ -1,5 +1,5 @@
 carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::NO
-moon::cat /var/log/auth.log::peer requests RSASIG authentication::YES
-moon::cat /var/log/auth.log::but no connection has been authorized with policy=RSASIG::YES
+moon::cat /var/log/auth.log::peer requests PUBKEY authentication::YES
+moon::cat /var/log/auth.log::but no connection has been authorized with policy=PUBKEY::YES
 moon::ipsec status::*PH_IP_CAROL STATE_QUICK_R2.*IPsec SA established::NO
 
diff --git a/testing/tests/ikev1/self-signed/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/self-signed/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..52fd0c788
--- /dev/null
+++ b/testing/tests/ikev1/self-signed/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,15 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = sha1 sha2 md5 aes des hmac gmp pubkey random curl
+}
+
+scepclient {
+  load = sha1 sha2 md5 aes des hmac gmp pubkey random
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/self-signed/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/self-signed/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..52fd0c788
--- /dev/null
+++ b/testing/tests/ikev1/self-signed/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,15 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = sha1 sha2 md5 aes des hmac gmp pubkey random curl
+}
+
+scepclient {
+  load = sha1 sha2 md5 aes des hmac gmp pubkey random
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/xauth-psk-mode-config/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-psk-mode-config/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..85e5f1aee
--- /dev/null
+++ b/testing/tests/ikev1/xauth-psk-mode-config/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = sha1 sha2 md5 aes des hmac gmp random
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/xauth-psk-mode-config/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-psk-mode-config/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..85e5f1aee
--- /dev/null
+++ b/testing/tests/ikev1/xauth-psk-mode-config/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = sha1 sha2 md5 aes des hmac gmp random
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/xauth-psk-mode-config/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-psk-mode-config/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..85e5f1aee
--- /dev/null
+++ b/testing/tests/ikev1/xauth-psk-mode-config/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = sha1 sha2 md5 aes des hmac gmp random
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/xauth-psk/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-psk/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..85e5f1aee
--- /dev/null
+++ b/testing/tests/ikev1/xauth-psk/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = sha1 sha2 md5 aes des hmac gmp random
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/xauth-psk/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-psk/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..85e5f1aee
--- /dev/null
+++ b/testing/tests/ikev1/xauth-psk/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = sha1 sha2 md5 aes des hmac gmp random
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/xauth-psk/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-psk/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..85e5f1aee
--- /dev/null
+++ b/testing/tests/ikev1/xauth-psk/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = sha1 sha2 md5 aes des hmac gmp random
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev2/alg-aes-xcbc/description.txt b/testing/tests/ikev2/alg-aes-xcbc/description.txt
index 24a4afe57..cce0e1cd6 100644
--- a/testing/tests/ikev2/alg-aes-xcbc/description.txt
+++ b/testing/tests/ikev2/alg-aes-xcbc/description.txt
@@ -1,4 +1,4 @@
 Roadwarrior <b>carol</b> proposes  to gateway <b>moon</b> the ESP cipher suite
-<b>AES_CBC-256/AES_XCBC_96</b> by defining <b>esp=aes256-aesxcbc-modp2048</b>
+<b>AES_CBC_256 / AES_XCBC_96</b> by defining <b>esp=aes256-aesxcbc-modp2048</b>
 in ipsec.conf. The same cipher suite is used for IKE: <b>ike=aes256-aesxcbc-modp2048</b>.
 A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev2/alg-aes-xcbc/evaltest.dat b/testing/tests/ikev2/alg-aes-xcbc/evaltest.dat
index 853746cd4..5217c18df 100644
--- a/testing/tests/ikev2/alg-aes-xcbc/evaltest.dat
+++ b/testing/tests/ikev2/alg-aes-xcbc/evaltest.dat
@@ -1,9 +1,9 @@
 moon::ipsec statusall::rw.*INSTALLED::YES
 carol::ipsec statusall::home.*INSTALLED::YES
-moon::ipsec statusall::rw.*IKE proposal.*AES_CBC-256/AES_XCBC_96/PRF_AES128_CBC/MODP_2048_BIT::YES
-carol::ipsec statusall::home.*IKE proposal.*AES_CBC-256/AES_XCBC_96/PRF_AES128_CBC/MODP_2048_BIT::YES
-moon::ipsec statusall::rw.*AES_CBC-256/AES_XCBC_96,::YES
-carol::ipsec statusall::home.*AES_CBC-256/AES_XCBC_96,::YES
+moon::ipsec statusall::rw.*IKE proposal.*AES_CBC_256/AES_XCBC_96/PRF_AES128_XCBC/MODP_2048::YES
+carol::ipsec statusall::home.*IKE proposal.*AES_CBC_256/AES_XCBC_96/PRF_AES128_XCBC/MODP_2048::YES
+moon::ipsec statusall::rw.*AES_CBC_256/AES_XCBC_96,::YES
+carol::ipsec statusall::home.*AES_CBC_256/AES_XCBC_96,::YES
 moon::ip xfrm state::auth xcbc(aes)::YES
 carol::ip xfrm state::auth xcbc(aes)::YES
 carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
diff --git a/testing/tests/ikev2/alg-blowfish/description.txt b/testing/tests/ikev2/alg-blowfish/description.txt
new file mode 100644
index 000000000..24b50b909
--- /dev/null
+++ b/testing/tests/ikev2/alg-blowfish/description.txt
@@ -0,0 +1,6 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
+to gateway <b>moon</b> using <b>Blowfish</b> for both IKE and ESP
+encryption.  Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
+the client <b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/ikev2/alg-blowfish/evaltest.dat b/testing/tests/ikev2/alg-blowfish/evaltest.dat
new file mode 100644
index 000000000..a1f9f6a8e
--- /dev/null
+++ b/testing/tests/ikev2/alg-blowfish/evaltest.dat
@@ -0,0 +1,16 @@
+moon::ipsec statusall::rw.*ESTABLISHED::YES
+carol::ipsec statusall::home.*ESTABLISHED::YES
+carol::ipsec statusall::IKE proposal: BLOWFISH_CBC_256::YES
+carol::ipsec statusall::BLOWFISH_CBC_192.*,::YES
+carol::ip -s xfrm state::enc cbc(blowfish).*(192 bits)::YES
+dave::ipsec statusall::home.*ESTABLISHED::YES
+dave::ipsec statusall::IKE proposal: BLOWFISH_CBC_128::YES
+dave::ipsec statusall::BLOWFISH_CBC_128.*,::YES
+dave::ip -s xfrm state::enc cbc(blowfish).*(128 bits)::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+
diff --git a/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..a78724926
--- /dev/null
+++ b/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,26 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+	charondebug="cfg 2"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=blowfish256-sha512-modp2048!
+	esp=blowfish192-sha256!
+
+conn home
+	left=PH_IP_CAROL
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..e9829d508
--- /dev/null
+++ b/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  dh_exponent_ansi_x9_42 = no
+  load = aes des blowfish md5 sha1 sha2 gmp curl random x509 pubkey hmac stroke kernel-netlink updown
+}
diff --git a/testing/tests/ikev2/alg-blowfish/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/alg-blowfish/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..26f3f3a04
--- /dev/null
+++ b/testing/tests/ikev2/alg-blowfish/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=blowfish128-sha256-modp1536!
+	esp=blowfish128-sha1!
+
+conn home
+	left=PH_IP_DAVE
+	leftcert=daveCert.pem
+	leftid=dave@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..e9829d508
--- /dev/null
+++ b/testing/tests/ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  dh_exponent_ansi_x9_42 = no
+  load = aes des blowfish md5 sha1 sha2 gmp curl random x509 pubkey hmac stroke kernel-netlink updown
+}
diff --git a/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..5183e26d2
--- /dev/null
+++ b/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+	charondebug="cfg 2"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=blowfish256-sha512-modp2048,blowfish128-sha256-modp1536!
+	esp=blowfish192-sha256,blowfish128-sha1!
+
+conn rw
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	leftfirewall=yes
+	right=%any
+	auto=add
diff --git a/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..e9829d508
--- /dev/null
+++ b/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  dh_exponent_ansi_x9_42 = no
+  load = aes des blowfish md5 sha1 sha2 gmp curl random x509 pubkey hmac stroke kernel-netlink updown
+}
diff --git a/testing/tests/ikev2/alg-blowfish/posttest.dat b/testing/tests/ikev2/alg-blowfish/posttest.dat
new file mode 100644
index 000000000..7cebd7f25
--- /dev/null
+++ b/testing/tests/ikev2/alg-blowfish/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/alg-blowfish/pretest.dat b/testing/tests/ikev2/alg-blowfish/pretest.dat
new file mode 100644
index 000000000..42e9d7c24
--- /dev/null
+++ b/testing/tests/ikev2/alg-blowfish/pretest.dat
@@ -0,0 +1,9 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/ikev2/alg-blowfish/test.conf b/testing/tests/ikev2/alg-blowfish/test.conf
new file mode 100644
index 000000000..70416826e
--- /dev/null
+++ b/testing/tests/ikev2/alg-blowfish/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/any-interface/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/any-interface/hosts/alice/etc/strongswan.conf
index ef63f7262..66a6137cb 100644
--- a/testing/tests/ikev2/any-interface/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/any-interface/hosts/alice/etc/strongswan.conf
@@ -2,4 +2,5 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/any-interface/hosts/bob/etc/strongswan.conf b/testing/tests/ikev2/any-interface/hosts/bob/etc/strongswan.conf
index ef63f7262..66a6137cb 100644
--- a/testing/tests/ikev2/any-interface/hosts/bob/etc/strongswan.conf
+++ b/testing/tests/ikev2/any-interface/hosts/bob/etc/strongswan.conf
@@ -2,4 +2,5 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/any-interface/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/any-interface/hosts/moon/etc/strongswan.conf
index ef63f7262..66a6137cb 100644
--- a/testing/tests/ikev2/any-interface/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/any-interface/hosts/moon/etc/strongswan.conf
@@ -2,4 +2,5 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/any-interface/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/any-interface/hosts/sun/etc/strongswan.conf
index ef63f7262..66a6137cb 100644
--- a/testing/tests/ikev2/any-interface/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/any-interface/hosts/sun/etc/strongswan.conf
@@ -2,4 +2,5 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/config-payload/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/config-payload/hosts/carol/etc/strongswan.conf
index 40eb84b8a..ae5e4f72b 100644
--- a/testing/tests/ikev2/config-payload/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/config-payload/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown resolv-conf
 }
diff --git a/testing/tests/ikev2/config-payload/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/config-payload/hosts/dave/etc/strongswan.conf
index 40eb84b8a..ae5e4f72b 100644
--- a/testing/tests/ikev2/config-payload/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/config-payload/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown resolv-conf
 }
diff --git a/testing/tests/ikev2/config-payload/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/config-payload/hosts/moon/etc/strongswan.conf
index 9068f9dcf..a6036a5da 100644
--- a/testing/tests/ikev2/config-payload/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/config-payload/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown attr
   dns1 = PH_IP_WINNETOU
   dns2 = PH_IP_VENUS
 }
diff --git a/testing/tests/ikev2/crl-revoked/evaltest.dat b/testing/tests/ikev2/crl-revoked/evaltest.dat
index 2242746db..62ed8676a 100644
--- a/testing/tests/ikev2/crl-revoked/evaltest.dat
+++ b/testing/tests/ikev2/crl-revoked/evaltest.dat
@@ -1,5 +1,4 @@
 moon::cat /var/log/daemon.log::certificate was revoked::YES
-moon::cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*failed::YES
 carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
 moon::ipsec status::rw.*ESTABLISHED::NO
 carol::ipsec status::home.*ESTABLISHED::NO
diff --git a/testing/tests/ikev2/crl-strict/description.txt b/testing/tests/ikev2/crl-strict/description.txt
deleted file mode 100644
index b2b70906f..000000000
--- a/testing/tests/ikev2/crl-strict/description.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-By setting <b>strictcrlpolicy=yes</b>, a <b>strict CRL policy</b> is enforced on
-both roadwarrior <b>carol</b> and gateway <b>moon</b>.
diff --git a/testing/tests/ikev2/crl-strict/evaltest.dat b/testing/tests/ikev2/crl-strict/evaltest.dat
deleted file mode 100644
index ac70750c5..000000000
--- a/testing/tests/ikev2/crl-strict/evaltest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-moon::ipsec statusall::rw.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-moon::ipsec listcrls:: ok::YES
-carol::ipsec listcrls:: ok::YES
diff --git a/testing/tests/ikev2/crl-strict/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/crl-strict/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index fbb9cd7e9..000000000
--- a/testing/tests/ikev2/crl-strict/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-        crlcheckinterval=180
-	strictcrlpolicy=yes
-	plutostart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-	left=PH_IP_CAROL
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-
-conn home
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	rightid=@moon.strongswan.org
-	auto=add
diff --git a/testing/tests/ikev2/crl-strict/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/crl-strict/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index 072c57c5b..000000000
--- a/testing/tests/ikev2/crl-strict/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,33 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-        crlcheckinterval=180
-	strictcrlpolicy=yes
-	plutostart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-
-conn net-net
-	leftsubnet=10.1.0.0/16
-	right=PH_IP_SUN
-	rightsubnet=10.2.0.0/16
-	rightid=@sun.strongswan.org
-	auto=add
-        
-conn host-host
-	right=PH_IP_SUN
-	rightid=@sun.strongswan.org
-	auto=add
-
-conn rw
-	leftsubnet=10.1.0.0/16
-	right=%any
-	auto=add
diff --git a/testing/tests/ikev2/crl-strict/posttest.dat b/testing/tests/ikev2/crl-strict/posttest.dat
deleted file mode 100644
index c6d6235f9..000000000
--- a/testing/tests/ikev2/crl-strict/posttest.dat
+++ /dev/null
@@ -1,2 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
diff --git a/testing/tests/ikev2/crl-strict/pretest.dat b/testing/tests/ikev2/crl-strict/pretest.dat
deleted file mode 100644
index 8984dcbcf..000000000
--- a/testing/tests/ikev2/crl-strict/pretest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-moon::ipsec start
-carol::ipsec start
-carol::sleep 1 
-carol::ipsec up home
diff --git a/testing/tests/ikev2/crl-strict/test.conf b/testing/tests/ikev2/crl-strict/test.conf
deleted file mode 100644
index 2b240d895..000000000
--- a/testing/tests/ikev2/crl-strict/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/crl-to-cache/evaltest.dat b/testing/tests/ikev2/crl-to-cache/evaltest.dat
index 00489436e..afc8f67e4 100644
--- a/testing/tests/ikev2/crl-to-cache/evaltest.dat
+++ b/testing/tests/ikev2/crl-to-cache/evaltest.dat
@@ -1,4 +1,4 @@
 moon::ipsec status::rw.*ESTABLISHED::YES
 carol::ipsec status::home.*ESTABLISHED::YES
-moon::cat /var/log/daemon.log::written crl to.*/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl::YES
-carol::cat /var/log/daemon.log::written crl to.*/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl::YES
+moon::cat /var/log/daemon.log::written crl .*/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl::YES
+carol::cat /var/log/daemon.log::written crl .*/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl::YES
diff --git a/testing/tests/ikev2/default-keys/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/default-keys/hosts/carol/etc/strongswan.conf
index 40eb84b8a..6cb8c1369 100644
--- a/testing/tests/ikev2/default-keys/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/default-keys/hosts/carol/etc/strongswan.conf
@@ -3,3 +3,7 @@
 charon {
   load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
+
+scepclient {
+  load = sha1 sha2 md5 aes des hmac gmp pubkey random
+}
diff --git a/testing/tests/ikev2/default-keys/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/default-keys/hosts/moon/etc/strongswan.conf
index 40eb84b8a..6cb8c1369 100644
--- a/testing/tests/ikev2/default-keys/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/default-keys/hosts/moon/etc/strongswan.conf
@@ -3,3 +3,7 @@
 charon {
   load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
 }
+
+scepclient {
+  load = sha1 sha2 md5 aes des hmac gmp pubkey random
+}
diff --git a/testing/tests/ikev2/esp-alg-aes-ccm/description.txt b/testing/tests/ikev2/esp-alg-aes-ccm/description.txt
index cb08a9312..9fe03b010 100644
--- a/testing/tests/ikev2/esp-alg-aes-ccm/description.txt
+++ b/testing/tests/ikev2/esp-alg-aes-ccm/description.txt
@@ -1,4 +1,4 @@
 Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
-<b>AES_CCM_12-128</b> by defining <b>esp=aes128gcm12-modp2048</b> or alternatively
-<b>esp=aes128gcm96-modp2048</b> in ipsec.conf.
+<b>AES_CCM_12_128</b> by defining <b>esp=aes128ccm12-modp2048</b> or alternatively
+<b>esp=aes128ccm96-modp2048</b> in ipsec.conf.
 A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev2/esp-alg-aes-ccm/evaltest.dat b/testing/tests/ikev2/esp-alg-aes-ccm/evaltest.dat
index dc5032133..9a1c6b8e9 100644
--- a/testing/tests/ikev2/esp-alg-aes-ccm/evaltest.dat
+++ b/testing/tests/ikev2/esp-alg-aes-ccm/evaltest.dat
@@ -1,5 +1,5 @@
 moon::ipsec statusall::rw.*INSTALLED::YES
 carol::ipsec statusall::home.*INSTALLED::YES
-moon::ipsec statusall::AES_CCM_12-128::YES
-carol::ipsec statusall::AES_CCM_12-128::YES
+moon::ipsec statusall::AES_CCM_12_128::YES
+carol::ipsec statusall::AES_CCM_12_128::YES
 carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
diff --git a/testing/tests/ikev2/esp-alg-aes-gcm/description.txt b/testing/tests/ikev2/esp-alg-aes-gcm/description.txt
index 721f3c64b..bd9521e0d 100644
--- a/testing/tests/ikev2/esp-alg-aes-gcm/description.txt
+++ b/testing/tests/ikev2/esp-alg-aes-gcm/description.txt
@@ -1,4 +1,4 @@
 Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
-<b>AES_GCM_16-256</b> by defining <b>esp=aes256gcm16-modp2048</b> or alternatively
+<b>AES_GCM_16_256</b> by defining <b>esp=aes256gcm16-modp2048</b> or alternatively
 <b>esp=aes256gcm128-modp2048</b> in ipsec.conf.
 A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev2/esp-alg-aes-gcm/evaltest.dat b/testing/tests/ikev2/esp-alg-aes-gcm/evaltest.dat
index 8f007b900..12a2dab3c 100644
--- a/testing/tests/ikev2/esp-alg-aes-gcm/evaltest.dat
+++ b/testing/tests/ikev2/esp-alg-aes-gcm/evaltest.dat
@@ -1,5 +1,5 @@
 moon::ipsec statusall::rw.*INSTALLED::YES
 carol::ipsec statusall::home.*INSTALLED::YES
-moon::ipsec statusall::AES_GCM_16-256::YES
-carol::ipsec statusall::AES_GCM_16-256::YES
+moon::ipsec statusall::AES_GCM_16_256::YES
+carol::ipsec statusall::AES_GCM_16_256::YES
 carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
diff --git a/testing/tests/ikev2/esp-alg-camellia/description.txt b/testing/tests/ikev2/esp-alg-camellia/description.txt
new file mode 100644
index 000000000..e79bc4f87
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-camellia/description.txt
@@ -0,0 +1,3 @@
+Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
+<b>CAMELLIA_CBC_192 / HMAC_SHA1_96</b> by defining <b>esp=camellia192-sha1</b> in ipsec.conf.
+A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev2/esp-alg-camellia/evaltest.dat b/testing/tests/ikev2/esp-alg-camellia/evaltest.dat
new file mode 100644
index 000000000..a8a78e25b
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-camellia/evaltest.dat
@@ -0,0 +1,7 @@
+moon::ipsec statusall::rw.*INSTALLED::YES
+carol::ipsec statusall::home.*INSTALLED::YES
+moon::ipsec statusall::CAMELLIA_CBC_192/HMAC_SHA1_96::YES
+carol::ipsec statusall::CAMELLIA_CBC_192/HMAC_SHA1_96::YES
+moon::ip xfrm state::enc cbc(camellia)::YES
+carol::ip xfrm state::enc cbc(camellia)::YES
+carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
diff --git a/testing/tests/ikev2/esp-alg-camellia/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-camellia/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..74562cd3c
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-camellia/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=yes
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=aes192-sha1-modp2048!
+	esp=camellia192-sha1!
+
+conn home
+	left=PH_IP_CAROL
+	leftfirewall=yes
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add 
diff --git a/testing/tests/ikev2/esp-alg-camellia/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-camellia/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..40eb84b8a
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-camellia/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+}
diff --git a/testing/tests/ikev2/esp-alg-camellia/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-camellia/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..a9ce15802
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-camellia/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=yes
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=aes192-sha1-modp2048!
+	esp=camellia192-sha1!
+
+conn rw
+	left=PH_IP_MOON
+	leftfirewall=yes
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	right=%any
+	auto=add
diff --git a/testing/tests/ikev2/esp-alg-camellia/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-camellia/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..40eb84b8a
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-camellia/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+}
diff --git a/testing/tests/ikev2/esp-alg-camellia/posttest.dat b/testing/tests/ikev2/esp-alg-camellia/posttest.dat
new file mode 100644
index 000000000..94a400606
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-camellia/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/esp-alg-camellia/pretest.dat b/testing/tests/ikev2/esp-alg-camellia/pretest.dat
new file mode 100644
index 000000000..3c3df0196
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-camellia/pretest.dat
@@ -0,0 +1,7 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+carol::sleep 1 
+carol::ipsec up home
+carol::sleep 1
diff --git a/testing/tests/ikev2/esp-alg-camellia/test.conf b/testing/tests/ikev2/esp-alg-camellia/test.conf
new file mode 100644
index 000000000..2b240d895
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-camellia/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/esp-alg-null/description.txt b/testing/tests/ikev2/esp-alg-null/description.txt
index 3f1b35e6c..8fd203098 100644
--- a/testing/tests/ikev2/esp-alg-null/description.txt
+++ b/testing/tests/ikev2/esp-alg-null/description.txt
@@ -1,3 +1,3 @@
 Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
-<b>NULL/HMAC_SHA1_96</b> by defining <b>esp=null-sha1</b> in ipsec.conf.
+<b>NULL / HMAC_SHA1_96</b> by defining <b>esp=null-sha1</b> in ipsec.conf.
 A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev2/host2host-transport/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/host2host-transport/hosts/moon/etc/strongswan.conf
index 40eb84b8a..4731a81d2 100644
--- a/testing/tests/ikev2/host2host-transport/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/host2host-transport/hosts/moon/etc/strongswan.conf
@@ -2,4 +2,5 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/host2host-transport/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/host2host-transport/hosts/sun/etc/strongswan.conf
index 40eb84b8a..4731a81d2 100644
--- a/testing/tests/ikev2/host2host-transport/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/host2host-transport/hosts/sun/etc/strongswan.conf
@@ -2,4 +2,5 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/description.txt b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/description.txt
new file mode 100644
index 000000000..3641d09ff
--- /dev/null
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/description.txt
@@ -0,0 +1,17 @@
+The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>
+using multiple authentication exchanges (RFC 4739). In a first round 
+both <b>carol</b> and <b>moon</b> authenticate themselves by sending 
+an IKEv2 <b>RSA signature</b> accompanied by a certificate.
+<p>
+In a second round <b>carol</b> then uses the <i>Extensible Authentication Protocol</i>
+in association with a <i>GSM Subscriber Identity Module</i> (<b>EAP-SIM</b>) to
+authenticate herself against the remote RADIUS server <b>alice</b>. 
+In this scenario, triplets from the file <b>/etc/ipsec.d/triplets.dat</b>
+are used instead of a physical SIM card on the client <b>carol</b>.
+The gateway forwards all EAP messages to the RADIUS server <b>alice</b>
+which also uses a static triplets file.
+<p>
+The roadwarrior <b>dave</b> also uses multiple authentication and succeeds
+in the first round but sends wrong EAP-SIM triplets in the second round.
+As a consequence the radius server <b>alice</b> returns an <b>Access-Reject</b>
+message and the gateway <b>moon</b> sends back an <b>EAP_FAILURE</b>. 	
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat
new file mode 100644
index 000000000..d64b3da7d
--- /dev/null
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat
@@ -0,0 +1,21 @@
+moon::cat /var/log/daemon.log::parsed IKE_AUTH request.*N(AUTH_FOLLOWS)::YES
+moon::cat /var/log/daemon.log::authentication of .*carol@strongswan.org.* with RSA signature successful::YES
+carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES
+carol::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES
+moon::cat /var/log/daemon.log::received EAP identity .*228060123456001::YES
+moon::cat /var/log/daemon.log::authentication of .*228060123456001@strongswan.org.* with EAP successful::YES
+moon::ipsec statusall::rw-mult.*ESTABLISHED.*228060123456001@strongswan.org::YES
+carol::ipsec statusall::home.*ESTABLISHED.*228060123456001@strongswan.org::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::cat /var/log/daemon.log::authentication of .*dave@strongswan.org.* with RSA signature successful::YES
+dave::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES
+dave::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES
+moon::cat /var/log/daemon.log::received EAP identity .*228060123456002::YES
+moon::cat /var/log/daemon.log::received Access-Reject from RADIUS server::YES
+moon::cat /var/log/daemon.log::EAP method EAP_SIM failed for peer 228060123456002@strongswan.org::YES
+moon::ipsec statusall::rw-mult.*ESTABLISHED.*228060123456002@strongswan.org::NO
+dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
+dave::ipsec statusall::home.*ESTABLISHED::NO
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/clients.conf
new file mode 100644
index 000000000..f4e179aa4
--- /dev/null
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/clients.conf
@@ -0,0 +1,4 @@
+client PH_IP_MOON1 {
+  secret    = gv6URkSs 
+  shortname = moon
+}
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/eap.conf
new file mode 100644
index 000000000..a2020424e
--- /dev/null
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/eap.conf
@@ -0,0 +1,5 @@
+eap {
+  default_eap_type = sim 
+  sim {
+  }
+}
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/proxy.conf
new file mode 100644
index 000000000..23cba8d11
--- /dev/null
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/proxy.conf
@@ -0,0 +1,5 @@
+realm strongswan.org {
+  type     = radius
+  authhost = LOCAL
+  accthost = LOCAL
+}
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/radiusd.conf
new file mode 100644
index 000000000..d77b818fe
--- /dev/null
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/radiusd.conf
@@ -0,0 +1,123 @@
+# radiusd.conf	-- FreeRADIUS server configuration file.
+
+prefix = /usr
+exec_prefix = ${prefix}
+sysconfdir = /etc
+localstatedir = /var
+sbindir = ${exec_prefix}/sbin
+logdir = ${localstatedir}/log/radius
+raddbdir = ${sysconfdir}/raddb
+radacctdir = ${logdir}/radacct
+
+#  name of the running server.  See also the "-n" command-line option.
+name = radiusd
+
+#  Location of config and logfiles.
+confdir = ${raddbdir}
+run_dir = ${localstatedir}/run/radiusd
+
+# Should likely be ${localstatedir}/lib/radiusd
+db_dir = ${raddbdir}
+
+# libdir: Where to find the rlm_* modules.
+libdir = ${exec_prefix}/lib
+
+#  pidfile: Where to place the PID of the RADIUS server.
+pidfile = ${run_dir}/${name}.pid
+
+#  max_request_time: The maximum time (in seconds) to handle a request.
+max_request_time = 30
+
+#  cleanup_delay: The time to wait (in seconds) before cleaning up
+cleanup_delay = 5
+
+#  max_requests: The maximum number of requests which the server keeps
+max_requests = 1024
+
+#  listen: Make the server listen on a particular IP address, and send
+listen {
+  type = auth
+  ipaddr = PH_IP_ALICE 
+  port = 0
+}
+
+#  This second "listen" section is for listening on the accounting
+#  port, too.
+#
+listen {
+  type  = acct
+  ipaddr = PH_IP_ALICE 
+  port = 0
+}
+
+#  hostname_lookups: Log the names of clients or just their IP addresses
+hostname_lookups = no
+
+#  Core dumps are a bad thing.  This should only be set to 'yes'
+allow_core_dumps = no
+
+#  Regular expressions
+regular_expressions = yes
+extended_expressions = yes
+
+#  Logging section.  The various "log_*" configuration items
+log {
+  destination = files
+  file = ${logdir}/radius.log
+  syslog_facility = daemon
+  stripped_names = no
+  auth = yes 
+  auth_badpass = yes 
+  auth_goodpass = yes 
+}
+
+#  The program to execute to do concurrency checks.
+checkrad = ${sbindir}/checkrad
+
+#  Security considerations
+security {
+  max_attributes = 200
+  reject_delay = 1
+  status_server = yes
+}
+
+# PROXY CONFIGURATION
+proxy_requests = yes
+$INCLUDE proxy.conf
+
+# CLIENTS CONFIGURATION
+$INCLUDE clients.conf
+
+# THREAD POOL CONFIGURATION
+thread pool {
+  start_servers = 5
+  max_servers = 32
+  min_spare_servers = 3
+  max_spare_servers = 10
+  max_requests_per_server = 0
+}
+
+# MODULE CONFIGURATION
+modules {
+  $INCLUDE ${confdir}/modules/
+  $INCLUDE eap.conf
+  $INCLUDE sql.conf
+  $INCLUDE sql/mysql/counter.conf
+  sim_files {
+    simtriplets = "/etc/raddb/triplets.dat"
+  }
+}
+
+# Instantiation
+instantiate {
+  exec
+  expr
+  expiration
+  logintime
+}
+
+# Policies
+$INCLUDE policy.conf
+
+# Include all enabled virtual hosts
+$INCLUDE sites-enabled/
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/sites-available/default
new file mode 100644
index 000000000..dfceb037d
--- /dev/null
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/sites-available/default
@@ -0,0 +1,62 @@
+authorize {
+  preprocess
+  chap
+  mschap
+  sim_files
+  suffix
+  eap {
+    ok = return
+  }
+  unix
+  files
+  expiration
+  logintime
+  pap
+}
+
+authenticate {
+  Auth-Type PAP {
+    pap
+  }
+  Auth-Type CHAP {
+    chap
+  }
+  Auth-Type MS-CHAP {
+    mschap
+  }
+  unix
+  eap
+}
+
+preacct {
+  preprocess
+  acct_unique
+  suffix
+  files
+}
+
+accounting {
+  detail
+  unix
+  radutmp
+  attr_filter.accounting_response
+}
+
+session {
+  radutmp
+}
+
+post-auth {
+  exec
+  Post-Auth-Type REJECT {
+    attr_filter.access_reject
+  }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+  eap
+}
+
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/triplets.dat b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/triplets.dat
new file mode 100644
index 000000000..002ee94d1
--- /dev/null
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/triplets.dat
@@ -0,0 +1,7 @@
+228060123456001,30000000000000000000000000000000,30112233,305566778899AABB
+228060123456001,31000000000000000000000000000000,31112233,315566778899AABB
+228060123456001,32000000000000000000000000000000,32112233,325566778899AABB
+228060123456002,33000000000000000000000000000000,33112233,335566778899AABB
+228060123456002,34000000000000000000000000000000,34112233,345566778899AABB
+228060123456002,35000000000000000000000000000000,35112233,355566778899AABB
+
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/users b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/users
new file mode 100644
index 000000000..e69de29bb
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..26cc0cd92
--- /dev/null
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,26 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_CAROL
+	leftfirewall=yes
+	leftauth=pubkey
+	leftid=carol@strongswan.org
+	leftcert=carolCert.pem
+	leftauth2=eap
+	leftid2=228060123456001@strongswan.org
+	eap_identity=228060123456001
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightauth=pubkey
+	rightid=@moon.strongswan.org
+	auto=add
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/ipsec.d/triplets.dat b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/ipsec.d/triplets.dat
new file mode 100644
index 000000000..c167ba940
--- /dev/null
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/ipsec.d/triplets.dat
@@ -0,0 +1,3 @@
+228060123456001,30000000000000000000000000000000,30112233,305566778899AABB
+228060123456001,31000000000000000000000000000000,31112233,315566778899AABB
+228060123456001,32000000000000000000000000000000,32112233,325566778899AABB
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..6a2aea811
--- /dev/null
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA carolKey.pem "nH5ZQEWtku0RJEZ6"
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..cc451fc8d
--- /dev/null
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink fips-prf eapsim eapsim-file eapidentity updown
+}
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..f8c52be78
--- /dev/null
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,27 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	authby=eap
+
+conn home
+	left=PH_IP_DAVE
+	leftfirewall=yes
+	leftauth=pubkey
+	leftid=dave@strongswan.org
+	leftcert=daveCert.pem
+	leftauth2=eap
+	leftid2=228060123456002@strongswan.org
+	eap_identity=228060123456002
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightauth=pubkey
+	rightid=@moon.strongswan.org
+	auto=add
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/ipsec.d/triplets.dat b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/ipsec.d/triplets.dat
new file mode 100644
index 000000000..b8b86c875
--- /dev/null
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/ipsec.d/triplets.dat
@@ -0,0 +1,3 @@
+228060123456002,33000000000000000000000000000000,33112244,335566778899AABB
+228060123456002,34000000000000000000000000000000,34112244,345566778899AABB
+228060123456002,35000000000000000000000000000000,35112244,355566778899AABB
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..9031f323a
--- /dev/null
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA daveKey.pem
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..cc451fc8d
--- /dev/null
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink fips-prf eapsim eapsim-file eapidentity updown
+}
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/init.d/iptables
new file mode 100755
index 000000000..56587b2e8
--- /dev/null
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/init.d/iptables
@@ -0,0 +1,84 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+	before net
+	need logger
+}
+
+start() {
+	ebegin "Starting firewall"
+
+	# enable IP forwarding
+	echo 1 > /proc/sys/net/ipv4/ip_forward
+	
+	# default policy is DROP
+	/sbin/iptables -P INPUT DROP
+	/sbin/iptables -P OUTPUT DROP
+	/sbin/iptables -P FORWARD DROP
+
+	# allow esp
+	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+	# allow IKE
+	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+	# allow MobIKE
+	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+	# allow crl fetch from winnetou
+	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+	# allow RADIUS protocol with alice
+	iptables -A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+	iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+	# allow ssh
+	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
+	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+	
+			if [ $a == nat ]; then
+				/sbin/iptables -t nat -P PREROUTING ACCEPT
+				/sbin/iptables -t nat -P POSTROUTING ACCEPT
+				/sbin/iptables -t nat -P OUTPUT ACCEPT
+			elif [ $a == mangle ]; then
+				/sbin/iptables -t mangle -P PREROUTING ACCEPT
+				/sbin/iptables -t mangle -P INPUT ACCEPT
+				/sbin/iptables -t mangle -P FORWARD ACCEPT
+				/sbin/iptables -t mangle -P OUTPUT ACCEPT
+				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
+			elif [ $a == filter ]; then
+				/sbin/iptables -t filter -P INPUT ACCEPT
+				/sbin/iptables -t filter -P FORWARD ACCEPT
+				/sbin/iptables -t filter -P OUTPUT ACCEPT
+			fi
+		done
+	eend $?
+}
+
+reload() {
+	ebegin "Flushing firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+		done;
+        eend $?
+	start
+}
+
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..37d23b1f5
--- /dev/null
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,26 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn rw-mult
+	left=PH_IP_MOON
+	leftsubnet=10.1.0.0/16
+	leftfirewall=yes
+	leftauth=pubkey
+	leftid=@moon.strongswan.org
+	leftcert=moonCert.pem
+	right=%any
+	rightauth=pubkey
+	rightid=*@strongswan.org
+	rightauth2=eap-radius
+	eap_identity=%any
+	auto=add
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..e86d6aa5c
--- /dev/null
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..10414b29a
--- /dev/null
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink fips-prf eapradius eapidentity updown
+  plugins {
+    eap_radius {
+      secret = gv6URkSs 
+      server = PH_IP_ALICE
+    }
+  }
+}
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/posttest.dat b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/posttest.dat
new file mode 100644
index 000000000..dbe56013a
--- /dev/null
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/posttest.dat
@@ -0,0 +1,7 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+alice::/etc/init.d/radiusd stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/pretest.dat b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/pretest.dat
new file mode 100644
index 000000000..b3fd4cbf1
--- /dev/null
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/pretest.dat
@@ -0,0 +1,15 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+alice::cat /etc/raddb/clients.conf
+alice::cat /etc/raddb/eap.conf
+alice::cat /etc/raddb/proxy.conf
+alice::cat /etc/raddb/triplets.dat
+alice::/etc/init.d/radiusd start
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
+dave::sleep 1
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/test.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/test.conf
new file mode 100644
index 000000000..70416826e
--- /dev/null
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/description.txt b/testing/tests/ikev2/multi-level-ca-cr-init/description.txt
index 0ace25731..602d026c2 100644
--- a/testing/tests/ikev2/multi-level-ca-cr-init/description.txt
+++ b/testing/tests/ikev2/multi-level-ca-cr-init/description.txt
@@ -1,8 +1,6 @@
-The VPN gateway <b>moon</b> controls the access to the hosts <b>alice</b> and
-<b>venus</b> by means of two different Intermediate CAs. Access to
-<b>alice</b> is granted to users presenting a certificate issued by the Research CA
-whereas <b>venus</b> can only be reached with a certificate issued by the
-Sales CA. The hosts <b>carol</b> and <b>dave</b> have certificates from
-the Research CA and Sales CA, respectively. Initiator <b>moon</b> does not possess
+The VPN gateway <b>moon</b> grants access to the hosts <b>alice</b> and
+<b>venus</b> to anyone presenting a certificate belonging to a trust chain anchored
+in the strongSwan Root CA.  The hosts <b>carol</b> and <b>dave</b> have certificates from
+the intermediate Research CA and Sales CA, respectively. Initiator <b>moon</b> does not possess
 copies of the Research and Sales CA certificates and must therefore request them from
-the initiators <b>carol</b> and <b>dave</b>, respectively.
+the responders <b>carol</b> and <b>dave</b>, respectively.
diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/moon/etc/ipsec.conf
index 12f0c95bf..4c84d183b 100755
--- a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/moon/etc/ipsec.conf
@@ -25,12 +25,12 @@ conn alice
 	leftsubnet=PH_IP_ALICE/32
 	right=PH_IP_CAROL
 	rightid=carol@strongswan.org
-	rightca="C=CH, O=Linux strongSwan, OU=Research, CN=Research CA"
+	rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
 	auto=add
 	
 conn venus
 	leftsubnet=PH_IP_VENUS/32
 	right=PH_IP_DAVE
 	rightid=dave@strongswan.org
-	rightca="C=CH, O=Linux strongSwan, OU=Sales, CN=Sales CA"
+	rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
 	auto=add
diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/description.txt b/testing/tests/ikev2/multi-level-ca-cr-resp/description.txt
index b26c8c5d0..06f9f6b91 100644
--- a/testing/tests/ikev2/multi-level-ca-cr-resp/description.txt
+++ b/testing/tests/ikev2/multi-level-ca-cr-resp/description.txt
@@ -1,8 +1,6 @@
-The VPN gateway <b>moon</b> controls the access to the hosts <b>alice</b> and
-<b>venus</b> by means of two different Intermediate CAs. Access to
-<b>alice</b> is granted to users presenting a certificate issued by the Research CA
-whereas <b>venus</b> can only be reached with a certificate issued by the
-Sales CA. The roadwarriors <b>carol</b> and <b>dave</b> have certificates from
-the Research CA and Sales CA, respectively. Responder <b>moon</b> does not possess
+The VPN gateway <b>moon</b> grants access to the hosts <b>alice</b> and
+<b>venus</b> to anyone presenting a certificate belonging to a trust chain anchored
+in the strongSwan Root CA.  The hosts <b>carol</b> and <b>dave</b> have certificates from
+the intermediate Research CA and Sales CA, respectively. Responder <b>moon</b> does not possess
 copies of the Research and Sales CA certificates and must therefore request them from
-the initiators <b>carol</b> and <b>dave</b>.
+the initiators <b>carol</b> and <b>dave</b>, respectively.
diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/evaltest.dat b/testing/tests/ikev2/multi-level-ca-cr-resp/evaltest.dat
index d2453bbee..4b827b4dd 100644
--- a/testing/tests/ikev2/multi-level-ca-cr-resp/evaltest.dat
+++ b/testing/tests/ikev2/multi-level-ca-cr-resp/evaltest.dat
@@ -7,6 +7,6 @@ moon::cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES
 moon::cat /var/log/daemon.log::fetching crl from.*http.*strongswan.crl::YES
 moon::cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES
 carol::ipsec status::alice.*INSTALLED::YES
-moon::ipsec status::alice.*ESTABLISHED.*carol@strongswan.org::YES
+moon::ipsec status::alice.*INSTALLED::YES
 dave::ipsec status::venus.*INSTALLED::YES
-moon::ipsec status::venus.*ESTABLISHED.*dave@strongswan.org::YES
+moon::ipsec status::venus.*INSTALLED::YES
diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/moon/etc/ipsec.conf
index d0240a333..75138581e 100755
--- a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/moon/etc/ipsec.conf
@@ -24,11 +24,11 @@ conn %default
 conn alice
 	leftsubnet=PH_IP_ALICE/32
 	right=%any
-	rightca="C=CH, O=Linux strongSwan, OU=Research, CN=Research CA"
+	rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
 	auto=add
 	
 conn venus
 	leftsubnet=PH_IP_VENUS/32
 	right=%any
-	rightca="C=CH, O=Linux strongSwan, OU=Sales, CN=Sales CA"
+	rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
 	auto=add
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/evaltest.dat b/testing/tests/ikev2/multi-level-ca-ldap/evaltest.dat
index 8656c8e3a..4a1c7208b 100644
--- a/testing/tests/ikev2/multi-level-ca-ldap/evaltest.dat
+++ b/testing/tests/ikev2/multi-level-ca-ldap/evaltest.dat
@@ -8,11 +8,12 @@ carol::ipsec status::alice.*INSTALLED::YES
 moon::ipsec status::alice.*ESTABLISHED.*carol@strongswan.org::YES
 carol::cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES
 carol::ipsec status::venus.*INSTALLED::NO
-moon::cat /var/log/daemon.log::constraint check failed: peer not authenticated by.*Sales CA::YES
 moon::ipsec status::venus.*ESTABLISHED.*carol@strongswan.org::NO
+moon::cat /var/log/daemon.log::constraint check failed: peer not authenticated by.*Research CA::YES
+moon::cat /var/log/daemon.log::selected peer config.*alice.*inacceptable::YES
+moon::cat /var/log/daemon.log::switching to peer config.*venus::YES
 dave::ipsec status::venus.*INSTALLED::YES
 moon::ipsec status::venus.*ESTABLISHED.*dave@strongswan.org::YES
 dave::cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES
 dave::ipsec status::alice.*INSTALLED::NO
-moon::cat /var/log/daemon.log::constraint check failed: peer not authenticated by.*Research CA::YES
 moon::ipsec status::alice.*ESTABLISHED.*dave@strongswan.org::NO
diff --git a/testing/tests/ikev2/multi-level-ca-loop/evaltest.dat b/testing/tests/ikev2/multi-level-ca-loop/evaltest.dat
index c60f722ec..0b7b02801 100644
--- a/testing/tests/ikev2/multi-level-ca-loop/evaltest.dat
+++ b/testing/tests/ikev2/multi-level-ca-loop/evaltest.dat
@@ -1,4 +1,4 @@
 moon::cat /var/log/daemon.log::maximum ca path length of 7 levels reached::YES
-moon::cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*failed::YES
+carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
 carol::ipsec status::alice.*INSTALLED::NO
 moon::ipsec status::alice.*ESTABLISHED.*carol@strongswan.org::NO
diff --git a/testing/tests/ikev2/multi-level-ca-revoked/evaltest.dat b/testing/tests/ikev2/multi-level-ca-revoked/evaltest.dat
index 3ac0adbb5..182f9e0fc 100644
--- a/testing/tests/ikev2/multi-level-ca-revoked/evaltest.dat
+++ b/testing/tests/ikev2/multi-level-ca-revoked/evaltest.dat
@@ -1,5 +1,4 @@
 moon::cat /var/log/daemon.log::certificate was revoked::YES
-moon::cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*failed::YES
 carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
 moon::ipsec status::alice.*ESTABLISHED::NO
 carol::ipsec status::home.*INSTALLED::NO
diff --git a/testing/tests/ikev2/multi-level-ca-strict/description.txt b/testing/tests/ikev2/multi-level-ca-strict/description.txt
index 86cbbc58b..6467d5222 100644
--- a/testing/tests/ikev2/multi-level-ca-strict/description.txt
+++ b/testing/tests/ikev2/multi-level-ca-strict/description.txt
@@ -2,6 +2,6 @@ By setting <b>strictcrlpolicy=yes</b>, a <b>strict CRL policy</b> is enforced
 on all peers.
 The VPN gateway <b>moon</b> grants access to the hosts <b>alice</b> and
 <b>venus</b> to anyone presenting a certificate belonging to a trust
-chain anchored in strongSwan Root CA. Therefore both road warriors
+chain anchored in the strongSwan Root CA. Therefore both road warriors
 <b>carol</b> and <b>dave</b>, holding certificates from the Research CA
 and Sales CA, respectively, can reach both <b>alice</b> and <b>venus</b>.
diff --git a/testing/tests/ikev2/multi-level-ca/evaltest.dat b/testing/tests/ikev2/multi-level-ca/evaltest.dat
index 8ba69ff9b..b0814556d 100644
--- a/testing/tests/ikev2/multi-level-ca/evaltest.dat
+++ b/testing/tests/ikev2/multi-level-ca/evaltest.dat
@@ -8,11 +8,12 @@ carol::ipsec status::alice.*INSTALLED::YES
 moon::ipsec status::alice.*ESTABLISHED.*carol@strongswan.org::YES
 carol::cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES
 carol::ipsec status::venus.*INSTALLED::NO
-moon::cat /var/log/daemon.log::constraint check failed: peer not authenticated by.*Sales CA::YES
 moon::ipsec status::venus.*ESTABLISHED.*carol@strongswan.org::NO
+moon::cat /var/log/daemon.log::constraint check failed: peer not authenticated by.*Research CA::YES
+moon::cat /var/log/daemon.log::selected peer config.*alice.*inacceptable::YES
+moon::cat /var/log/daemon.log::switching to peer config.*venus::YES
 dave::ipsec status::venus.*INSTALLED::YES
 moon::ipsec status::venus.*ESTABLISHED.*dave@strongswan.org::YES
 dave::cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES
 dave::ipsec status::alice.*INSTALLED::NO
-moon::cat /var/log/daemon.log::constraint check failed: peer not authenticated by.*Research CA::YES
 moon::ipsec status::alice.*ESTABLISHED.*dave@strongswan.org::NO
diff --git a/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf
index 40eb84b8a..4731a81d2 100644
--- a/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf
@@ -2,4 +2,5 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf
index 40eb84b8a..4731a81d2 100644
--- a/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf
@@ -2,4 +2,5 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/net2net-psk/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-psk/hosts/moon/etc/strongswan.conf
index 20c58007c..454aed12c 100644
--- a/testing/tests/ikev2/net2net-psk/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-psk/hosts/moon/etc/strongswan.conf
@@ -2,4 +2,5 @@
 
 charon {
   load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink updown
+  multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/net2net-psk/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-psk/hosts/sun/etc/strongswan.conf
index 20c58007c..454aed12c 100644
--- a/testing/tests/ikev2/net2net-psk/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-psk/hosts/sun/etc/strongswan.conf
@@ -2,4 +2,5 @@
 
 charon {
   load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink updown
+  multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/net2net-route/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-route/hosts/moon/etc/strongswan.conf
index 40eb84b8a..4731a81d2 100644
--- a/testing/tests/ikev2/net2net-route/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-route/hosts/moon/etc/strongswan.conf
@@ -2,4 +2,5 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/net2net-route/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-route/hosts/sun/etc/strongswan.conf
index 40eb84b8a..4731a81d2 100644
--- a/testing/tests/ikev2/net2net-route/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-route/hosts/sun/etc/strongswan.conf
@@ -2,4 +2,5 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/net2net-start/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-start/hosts/moon/etc/strongswan.conf
index 40eb84b8a..4731a81d2 100644
--- a/testing/tests/ikev2/net2net-start/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-start/hosts/moon/etc/strongswan.conf
@@ -2,4 +2,5 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/net2net-start/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-start/hosts/sun/etc/strongswan.conf
index 40eb84b8a..4731a81d2 100644
--- a/testing/tests/ikev2/net2net-start/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-start/hosts/sun/etc/strongswan.conf
@@ -2,4 +2,5 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat b/testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat
index 939817d58..a0a045ce8 100644
--- a/testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat
@@ -1,6 +1,7 @@
 moon::cat /var/log/daemon.log::requesting ocsp status from::YES
 moon::cat /var/log/daemon.log::ocsp response verification failed::YES
 moon::cat /var/log/daemon.log::certificate status is not available::YES
-moon::cat /var/log/daemon.log::constraint check failed.*VALIDATION_FAILED.*VALIDATION_GOOD::YES
+moon::cat /var/log/daemon.log::constraint check failed: RULE_CRL_VALIDATION is FAILED, but requires at least GOOD::YES
 moon::ipsec status::rw.*ESTABLISHED::NO
+carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
 carol::ipsec status::home.*ESTABLISHED::NO
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat b/testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat
index 9f20ee81c..2e0f059c6 100644
--- a/testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat
@@ -1,7 +1,7 @@
 moon::cat /var/log/daemon.log::authentication of.*carol.*successful::YES
 moon::cat /var/log/daemon.log::libcurl http request failed::YES
 moon::cat /var/log/daemon.log::certificate status is not available::YES
-moon::cat /var/log/daemon.log::constraint check failed.*VALIDATION_FAILED.*VALIDATION_SKIPPED::YES
+moon::cat /var/log/daemon.log::constraint check failed: RULE_CRL_VALIDATION is FAILED, but requires at least SKIPPED::YES
 moon::ipsec status::ESTABLISHED.*carol::YES
 moon::ipsec status::ESTABLISHED.*dave::NO
 carol::ipsec status::ESTABLISHED::YES
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat b/testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat
index b47403756..45c6ce7c5 100644
--- a/testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat
@@ -2,6 +2,6 @@ moon::cat /var/log/daemon.log::requesting ocsp status from::YES
 moon::cat /var/log/daemon.log::self-signed certificate.*is not trusted::YES
 moon::cat /var/log/daemon.log::ocsp response verification failed::YES
 moon::cat /var/log/daemon.log::certificate status is not available::YES
-moon::cat /var/log/daemon.log::constraint check failed.*VALIDATION_FAILED.*VALIDATION_GOOD::YES
+moon::cat /var/log/daemon.log::constraint check failed: RULE_CRL_VALIDATION is FAILED, but requires at least GOOD::YES
 moon::ipsec status::rw.*ESTABLISHED::NO
 carol::ipsec status::home.*ESTABLISHED::NO
diff --git a/testing/tests/ikev2/reauth-late/evaltest.dat b/testing/tests/ikev2/reauth-late/evaltest.dat
index 7ce2bf147..7f083a05e 100644
--- a/testing/tests/ikev2/reauth-late/evaltest.dat
+++ b/testing/tests/ikev2/reauth-late/evaltest.dat
@@ -1,7 +1,7 @@
 moon::ipsec statusall::rw\[2\].*ESTABLISHED::YES
 carol::ipsec statusall::home\[2\].*ESTABLISHED::YES
-carol::cat /var/log/daemon.log::received AUTH_LIFETIME of 3600s, scheduling reauthentication in 3595s::YES
 carol::cat /var/log/daemon.log::scheduling reauthentication in 2[0-5]s::YES
+carol::cat /var/log/daemon.log::received AUTH_LIFETIME of 3600s, reauthentication already scheduled in 2[0-5]s::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf
index 40eb84b8a..de122acff 100644
--- a/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,11 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl test-vectors aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+}
+
+libstrongswan {
+  crypto_test {
+    on_add = yes
+  }
 }
diff --git a/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf
index 40eb84b8a..de122acff 100644
--- a/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,11 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl test-vectors aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+}
+
+libstrongswan {
+  crypto_test {
+    on_add = yes
+  }
 }
diff --git a/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf
index 40eb84b8a..de122acff 100644
--- a/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,11 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl test-vectors aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+}
+
+libstrongswan {
+  crypto_test {
+    on_add = yes
+  }
 }
diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/evaltest.dat b/testing/tests/ikev2/rw-eap-aka-id-rsa/evaltest.dat
index d5cbbdbf7..661e6cfe7 100644
--- a/testing/tests/ikev2/rw-eap-aka-id-rsa/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-aka-id-rsa/evaltest.dat
@@ -1,6 +1,7 @@
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::server requested EAP_AKA authentication::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-moon::cat /var/log/daemon.log::using EAP identity.*carol::YES
+moon::cat /var/log/daemon.log::received EAP identity.*carol::YES
 moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
 moon::ipsec statusall::rw-eap.*ESTABLISHED::YES
 carol::ipsec statusall::home.*ESTABLISHED::YES
diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/carol/etc/ipsec.conf
index 8cffbe3b3..22bba57a7 100755
--- a/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/carol/etc/ipsec.conf
@@ -9,15 +9,15 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
-	authby=eap
 
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftid=carol@strongswan.org
 	leftfirewall=yes
+	leftauth=eap
 	eap_identity=carol
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
 	rightsubnet=10.1.0.0/16
+	rightauth=pubkey
 	auto=add
diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/moon/etc/ipsec.conf
index b239e7718..16171feb3 100755
--- a/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/moon/etc/ipsec.conf
@@ -12,15 +12,15 @@ conn %default
 	keyexchange=ikev2
 
 conn rw-eap
-	authby=rsasig
-	eap=aka
-	eap_identity=%identity
 	left=PH_IP_MOON
 	leftsubnet=10.1.0.0/16
 	leftid=@moon.strongswan.org
 	leftcert=moonCert.pem
+	leftauth=pubkey
 	leftfirewall=yes
+	right=%any
 	rightid=*@strongswan.org
 	rightsendcert=never
-	right=%any
+	rightauth=eap-aka
+	eap_identity=%any	
 	auto=add
diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/evaltest.dat b/testing/tests/ikev2/rw-eap-aka-rsa/evaltest.dat
index 5de841c03..e12643ef7 100644
--- a/testing/tests/ikev2/rw-eap-aka-rsa/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-aka-rsa/evaltest.dat
@@ -1,4 +1,5 @@
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::server requested EAP_AKA authentication::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
 moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
 moon::ipsec statusall::rw-eapaka.*ESTABLISHED::YES
diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/ipsec.conf
index 2af93a313..ba9294f6a 100755
--- a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/ipsec.conf
@@ -9,14 +9,15 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
-	authby=eap
 
 conn home
 	left=PH_IP_CAROL
 	leftnexthop=%direct
 	leftid=carol@strongswan.org
+	leftauth=eap
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
 	rightsubnet=10.1.0.0/16
+	rightauth=pubkey
 	auto=add
diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/ipsec.conf
index 140e88912..459414516 100755
--- a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/ipsec.conf
@@ -12,14 +12,14 @@ conn %default
 	keyexchange=ikev2
 
 conn rw-eapaka
-	authby=rsasig
-	eap=aka
 	left=PH_IP_MOON
 	leftsubnet=10.1.0.0/16
 	leftid=@moon.strongswan.org
 	leftcert=moonCert.pem
+	leftauth=pubkey
 	leftfirewall=yes
+	right=%any
 	rightid=*@strongswan.org
 	rightsendcert=never
-	right=%any
+	rightauth=eap-aka
 	auto=add
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-md5-id-radius/evaltest.dat
index 6c73054d7..2ee440cdb 100644
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/evaltest.dat
@@ -1,8 +1,8 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
-moon::cat /var/log/daemon.log::using EAP identity .*carol"::YES
-carol::cat /var/log/daemon.log::EAP server requested EAP_MD5 authentication::YES
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES
+moon::cat /var/log/daemon.log::received EAP identity .*carol::YES
+carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES
+moon::cat /var/log/daemon.log::authentication of .*carol@strongswan.org.* with EAP successful::YES
 moon::ipsec statusall::rw-eap.*ESTABLISHED::YES
 carol::ipsec statusall::home.*ESTABLISHED::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/ipsec.conf
index 8cffbe3b3..5f779d1af 100755
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/ipsec.conf
@@ -9,15 +9,16 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
-	authby=eap
 
 conn home
 	left=PH_IP_CAROL
 	leftnexthop=%direct
 	leftid=carol@strongswan.org
+	leftauth=eap
 	leftfirewall=yes
 	eap_identity=carol
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
 	rightsubnet=10.1.0.0/16
+	rightauth=pubkey
 	auto=add
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/ipsec.conf
index 08b920afd..11ff84400 100755
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/ipsec.conf
@@ -12,15 +12,15 @@ conn %default
 	keyexchange=ikev2
 
 conn rw-eap
-	authby=rsasig
-	eap=radius
-	eap_identity=%identity
 	left=PH_IP_MOON
 	leftsubnet=10.1.0.0/16
 	leftid=@moon.strongswan.org
 	leftcert=moonCert.pem
+	leftauth=pubkey
 	leftfirewall=yes
 	rightid=*@strongswan.org
 	rightsendcert=never
+	rightauth=eap-radius
+	eap_identity=%any
 	right=%any
 	auto=add
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-md5-radius/evaltest.dat
index 444362a86..5e8dce9cf 100644
--- a/testing/tests/ikev2/rw-eap-md5-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-radius/evaltest.dat
@@ -1,5 +1,5 @@
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
-carol::cat /var/log/daemon.log::EAP server requested EAP_MD5 authentication::YES
+carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
 moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
 moon::ipsec statusall::rw-eap.*ESTABLISHED::YES
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/ipsec.conf
index 2af93a313..ba9294f6a 100755
--- a/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/ipsec.conf
@@ -9,14 +9,15 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
-	authby=eap
 
 conn home
 	left=PH_IP_CAROL
 	leftnexthop=%direct
 	leftid=carol@strongswan.org
+	leftauth=eap
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
 	rightsubnet=10.1.0.0/16
+	rightauth=pubkey
 	auto=add
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/ipsec.conf
index 825994278..4a885babc 100755
--- a/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/ipsec.conf
@@ -12,14 +12,14 @@ conn %default
 	keyexchange=ikev2
 
 conn rw-eap
-	authby=rsasig
-	eap=radius
 	left=PH_IP_MOON
 	leftsubnet=10.1.0.0/16
 	leftid=@moon.strongswan.org
 	leftcert=moonCert.pem
+	leftauth=pubkey
 	leftfirewall=yes
 	rightid=*@strongswan.org
+	rightauth=eap-radius
 	rightsendcert=never
 	right=%any
 	auto=add
diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/ipsec.conf
index 2af93a313..ba9294f6a 100755
--- a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/ipsec.conf
@@ -9,14 +9,15 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
-	authby=eap
 
 conn home
 	left=PH_IP_CAROL
 	leftnexthop=%direct
 	leftid=carol@strongswan.org
+	leftauth=eap
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
 	rightsubnet=10.1.0.0/16
+	rightauth=pubkey
 	auto=add
diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/ipsec.conf
index 7777e914b..28d52b9eb 100755
--- a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/ipsec.conf
@@ -12,14 +12,14 @@ conn %default
 	keyexchange=ikev2
 
 conn rw-eap
-	authby=rsasig
-	eap=md5
 	left=PH_IP_MOON
 	leftsubnet=10.1.0.0/16
 	leftid=@moon.strongswan.org
 	leftcert=moonCert.pem
+	leftauth=pubkey
 	leftfirewall=yes
 	rightid=*@strongswan.org
+	rightauth=eap-md5
 	rightsendcert=never
 	right=%any
 	auto=add
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/evaltest.dat b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/evaltest.dat
index d8708d122..5b632bfe8 100644
--- a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/evaltest.dat
@@ -1,7 +1,8 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-moon::cat /var/log/daemon.log::using EAP identity.*carol::YES
-moon::cat /var/log/daemon.log::authentication of 'PH_IP_CAROL' with EAP successful::YES
+carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES
+carol::cat /var/log/daemon.log::server requested EAP_MSCHAPV2 authentication::YES
+carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES
+moon::cat /var/log/daemon.log::received EAP identity.*carol::YES
+moon::cat /var/log/daemon.log::authentication of .*PH_IP_CAROL.* with EAP successful::YES
 moon::ipsec statusall::rw-eap.*ESTABLISHED::YES
 carol::ipsec statusall::home.*ESTABLISHED::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/carol/etc/ipsec.conf
index ec09a3375..c1497ca0e 100755
--- a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/carol/etc/ipsec.conf
@@ -9,14 +9,14 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
-	authby=eap
 
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftfirewall=yes
+	leftauth=eap
 	eap_identity=carol
 	right=PH_IP_MOON
+	rightauth=pubkey
 	rightid=@moon.strongswan.org
 	rightsubnet=10.1.0.0/16
 	auto=add
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/moon/etc/ipsec.conf
index 57a89966a..a4a45f06c 100755
--- a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/moon/etc/ipsec.conf
@@ -12,15 +12,14 @@ conn %default
 	keyexchange=ikev2
 
 conn rw-eap
-	authby=rsasig
-	eap=mschapv2
-	eap_identity=%identity
 	left=PH_IP_MOON
 	leftsubnet=10.1.0.0/16
 	leftid=@moon.strongswan.org
 	leftcert=moonCert.pem
+	leftauth=pubkey
 	leftfirewall=yes
-	rightid=%any
-	rightsendcert=never
 	right=%any
+	rightauth=eap-mschapv2
+	rightsendcert=never
+	eap_identity=%any
 	auto=add
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/description.txt b/testing/tests/ikev2/rw-eap-sim-id-radius/description.txt
index 887d3f467..0531a559f 100644
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/description.txt
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/description.txt
@@ -9,5 +9,5 @@ are used instead of a physical SIM card on the client <b>carol</b> and
 the gateway forwards all EAP messages to the RADIUS server <b>alice</b>
 which also uses static triplets. In addition to her IKEv2 identity
 <b>carol@strongswan.org</b>, roadwarrior <b>carol</b> uses the EAP
-identity <b>232420100000015</b>.
+identity <b>228060123456001</b>.
 
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-sim-id-radius/evaltest.dat
index 4e7cbcc4c..4305a1400 100644
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/evaltest.dat
@@ -1,6 +1,6 @@
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
-moon::cat /var/log/daemon.log::using EAP identity .*232420100000015::YES
-carol::cat /var/log/daemon.log::EAP server requested EAP_SIM authentication::YES
+moon::cat /var/log/daemon.log::received EAP identity .*228060123456001::YES
+carol::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
 moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
 moon::ipsec statusall::rw-eap.*ESTABLISHED::YES
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/triplets.dat b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/triplets.dat
index 2a750029f..c167ba940 100644
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/triplets.dat
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/triplets.dat
@@ -1,3 +1,3 @@
-232420100000015,30000000000000000000000000000000,30112233,305566778899AABB
-232420100000015,31000000000000000000000000000000,31112233,315566778899AABB
-232420100000015,32000000000000000000000000000000,32112233,325566778899AABB
+228060123456001,30000000000000000000000000000000,30112233,305566778899AABB
+228060123456001,31000000000000000000000000000000,31112233,315566778899AABB
+228060123456001,32000000000000000000000000000000,32112233,325566778899AABB
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.conf
index 404589348..d3a99fe41 100755
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.conf
@@ -9,15 +9,16 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
-	authby=eap
 
 conn home
 	left=PH_IP_CAROL
 	leftnexthop=%direct
 	leftid=carol@strongswan.org
 	leftfirewall=yes
-	eap_identity=232420100000015
+	leftauth=eap
+	eap_identity=228060123456001
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
 	rightsubnet=10.1.0.0/16
+	rightauth=pubkey
 	auto=add
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/ipsec.conf
index 08b920afd..a86bb3d73 100755
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/ipsec.conf
@@ -12,15 +12,15 @@ conn %default
 	keyexchange=ikev2
 
 conn rw-eap
-	authby=rsasig
-	eap=radius
-	eap_identity=%identity
 	left=PH_IP_MOON
 	leftsubnet=10.1.0.0/16
 	leftid=@moon.strongswan.org
 	leftcert=moonCert.pem
+	leftauth=pubkey
 	leftfirewall=yes
 	rightid=*@strongswan.org
+	rightauth=eap-radius
+        eap_identity=%any
 	rightsendcert=never
 	right=%any
 	auto=add
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat
index cd4b43cca..5fae7ecd5 100644
--- a/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat
@@ -1,5 +1,5 @@
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
-carol::cat /var/log/daemon.log::EAP server requested EAP_SIM authentication::YES
+carol::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
 moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
 moon::ipsec statusall::rw-eap.*ESTABLISHED.*carol@strongswan.org::YES
@@ -8,7 +8,7 @@ carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::cat /var/log/daemon.log::received Access-Reject from RADIUS server::YES
-moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP failed::YES
+moon::cat /var/log/daemon.log::EAP method EAP_SIM failed for peer dave@strongswan.org::YES
 moon::ipsec statusall::rw-eap.*ESTABLISHED.*dave@strongswan.org::NO
 dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
 dave::ipsec statusall::home.*ESTABLISHED::NO
diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/ipsec.conf
index 2af93a313..ba9294f6a 100755
--- a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/ipsec.conf
@@ -9,14 +9,15 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
-	authby=eap
 
 conn home
 	left=PH_IP_CAROL
 	leftnexthop=%direct
 	leftid=carol@strongswan.org
+	leftauth=eap
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
 	rightsubnet=10.1.0.0/16
+	rightauth=pubkey
 	auto=add
diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/ipsec.conf
index 509deb945..53ecb4d70 100755
--- a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/ipsec.conf
@@ -12,14 +12,14 @@ conn %default
 	keyexchange=ikev2
 
 conn rw-eapsim
-	authby=rsasig
-	eap=sim
 	left=PH_IP_MOON
 	leftsubnet=10.1.0.0/16
 	leftid=@moon.strongswan.org
 	leftcert=moonCert.pem
+	leftauth=pubkey
 	leftfirewall=yes
 	rightid=*@strongswan.org
+	rightauth=eap-sim
 	right=%any
 	rightsendcert=never
 	auto=add
diff --git a/testing/tests/ikev2/two-certs/description.txt b/testing/tests/ikev2/two-certs/description.txt
index 46ca8fec1..94ffaa487 100644
--- a/testing/tests/ikev2/two-certs/description.txt
+++ b/testing/tests/ikev2/two-certs/description.txt
@@ -1,6 +1,7 @@
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
-to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
-Gateway <b>moon</b> has already loaded a revoked certificate for <b>carol</b>
-and a self-signed certificate for <b>dave</b> locally but gets actual certificates
-as CERT payloads from both peers. The RSA signature verification process tries all
-candidate peer certificates until it finds a valid one with a matching public key.
+The roadwarrior <b>carol</b> possesses two different X.509 certificates plus
+matching RSA private keys. With the first certificate <b>carol</b> authenticates
+a tunnel connection to gateway <b>moon</b> in order to reach client <b>alice</b>
+and presents the second certificate in order to reach client <b>venus</b> using
+the identity <b>carol@strongswan.org</b> for both IKE security associations.
+Therefore the RSA signature verification process on <b>moon</b> tries all
+candidate peer certificates until it finds the correct RSA public key.
diff --git a/testing/tests/ikev2/two-certs/evaltest.dat b/testing/tests/ikev2/two-certs/evaltest.dat
index 0598e1fb2..d32e32660 100644
--- a/testing/tests/ikev2/two-certs/evaltest.dat
+++ b/testing/tests/ikev2/two-certs/evaltest.dat
@@ -1,15 +1,12 @@
-moon::cat /var/log/daemon.log::certificate was revoked::YES
-moon::cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with RSA signature successful::YES
-moon::cat /var/log/daemon.log::signature validation failed, looking for another key::YES
-moon::cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with RSA signature successful::YES
-moon::ipsec statusall::carol.*ESTABLISHED::YES
-moon::ipsec statusall::dave.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-dave::ipsec statusall::home.*ESTABLISHED::YES
+moon::cat /var/log/daemon.log::using certificate.*OU=Research, CN=carol@strongswan.org::YES
+moon::ipsec statusall::alice.*INSTALLED::YES
+carol::ipsec statusall::alice.*ESTABLISHED::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::cat /var/log/daemon.log::signature validation failed, looking for another key::YES
+moon::cat /var/log/daemon.log::using certificate.*OU=Research, SN=002, CN=carol@strongswan.org::YES
+moon::ipsec statusall::venus.*INSTALLED::YES
+carol::ipsec statusall::venus.*ESTABLISHED::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
 
diff --git a/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.conf
index bcdb8641b..9129f160b 100755
--- a/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.conf
@@ -2,7 +2,7 @@
 
 config setup
         crlcheckinterval=180
-	strictcrlpolicy=no
+	strictcrlpolicy=yes
 	plutostart=no
 
 conn %default
@@ -10,14 +10,20 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-
-conn home
+	keyexchange=ikev2
 	left=PH_IP_CAROL
-	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
-	rightsubnet=10.1.0.0/16
-	keyexchange=ikev2
+
+conn alice 
+	leftcert=carolCert.pem
+	rightsubnet=10.1.0.10/32
+	auto=add
+
+conn venus
+	leftcert=carolCert-002.pem
+	rightsubnet=10.1.0.20/32
 	auto=add
+
diff --git a/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.d/certs/carolCert-002.pem b/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.d/certs/carolCert-002.pem
new file mode 100644
index 000000000..4ebebba5a
--- /dev/null
+++ b/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.d/certs/carolCert-002.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEMDCCAxigAwIBAgIBFTANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA5MDQwNzEyMDExN1oXDTE0MDQwNjEyMDExN1owaDELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
+cmNoMQwwCgYDVQQFEwMwMDIxHTAbBgNVBAMUFGNhcm9sQHN0cm9uZ3N3YW4ub3Jn
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtXtFcjNbEEK76mVv1j3c
+6YWBeunBl7V9Qf1bPpzwTTUIKFDkg6HtWaNa7fxhTtHlPFHH8hdgiEZTQt626GoH
+8DKE1MaBOgvnW01vh2p1j8jW3VXSwBWBCM9vNnaxGic94Qiix6z+cAulCo1pzyY1
+XaJSGAvwG3Jap9/gChClAv65zg34mLWZpcXddUGoaOMu3JaRgVaNEiY4wGweMM3n
+hgxJ7+3q9vX+z5EqUQB59WBzVz7fU9FygLgfeAD1McrvMQOjo/PtkpEBOJipnjq9
+0k/+Z3gKIHbi6YIoIXDs7bOSaw8myvD5Bi4vNr5tKPr7bdLBU+AyAzRlJWV4GBw/
+rQIDAQABo4IBBjCCAQIwCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYE
+FABqD2vvGFgP2xX2Qqjx26Mz1RR5MG0GA1UdIwRmMGSAFF2n3XAGUTJ+57Zts7Xl
+4GDqLk3voUmkRzBFMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25n
+U3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBSb290IENBggEAMB8GA1UdEQQYMBaB
+FGNhcm9sQHN0cm9uZ3N3YW4ub3JnMDkGA1UdHwQyMDAwLqAsoCqGKGh0dHA6Ly9j
+cmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbi5jcmwwDQYJKoZIhvcNAQEFBQAD
+ggEBAGuatpu8jxc22Iqglx5UIa8fkNSjfyLgO0RugCB+kPPilGttGWly+raLggQM
+Hu1qdt4l0cj60pe03Dc4GuUwJCW9J4ntVvCp1/SLcifvd3pMTtlrdSMpj105L5ma
+/nVksJ7UZPzcBLMq/8FtEg68H2WM+ixrmlm2cZiFDytMODEuAPCwWHOSP4WJNDzS
+KKc95ONxwTsD1VDm/ShcKw083XgvT7oHoei2RRDYp70CkatWOOJ7eMxdKdICl8nu
+9RlBLG8CJqcy7cJ4V7GOk6EOtGpGL/GR2gpLpvUnmWP9MUHYu8rVTzKQdW9A2Wjx
+fmSZH0LzbAm+7XFrP71rBSJUaUI=
+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.d/private/carolKey-002.pem b/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.d/private/carolKey-002.pem
new file mode 100644
index 000000000..aec8e7a33
--- /dev/null
+++ b/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.d/private/carolKey-002.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAtXtFcjNbEEK76mVv1j3c6YWBeunBl7V9Qf1bPpzwTTUIKFDk
+g6HtWaNa7fxhTtHlPFHH8hdgiEZTQt626GoH8DKE1MaBOgvnW01vh2p1j8jW3VXS
+wBWBCM9vNnaxGic94Qiix6z+cAulCo1pzyY1XaJSGAvwG3Jap9/gChClAv65zg34
+mLWZpcXddUGoaOMu3JaRgVaNEiY4wGweMM3nhgxJ7+3q9vX+z5EqUQB59WBzVz7f
+U9FygLgfeAD1McrvMQOjo/PtkpEBOJipnjq90k/+Z3gKIHbi6YIoIXDs7bOSaw8m
+yvD5Bi4vNr5tKPr7bdLBU+AyAzRlJWV4GBw/rQIDAQABAoIBAFekBUCGPobWw2sJ
+u32J+IIpgAL8mgoKkkfo80SEg6O1ZZAaqJBNBZNRSRs+0zs+L+b2U4m88lg9Jf5Y
+EZqhgd3kd7NNfaCrmPnFpoONzOI4ClNvG8y5VcwMaNezcAmCQ+bFxd6J04IGjZhP
+/HYWLJVgSybjtPt8OP1zJv2VVirgSb1rHOzI9j1CsaIl6m1gcXU2hA3A2/BIOd6Y
+UgCxJKu8G7NsmW14TSbJshcI1tUFOfbxFlAhmeAD57Kw6eC2GVwuBhghAYCNbpx0
+TYcQeTsBUjubna30K7+8lU1uiblKNLDqAzWynHz8xm1QEo0Z7txP9RRJUZDzlpmx
+u9iCMp0CgYEA6ZSexI3igJ68bdTOBwdbFtA9wqUTbYj6MULfUkFwqGLswLpNhhGv
+Y9X8YHUjcWEEoLXZb9QftmQc1R/nFCWC2slBBrKw9oERUUVYoczNpbkqJI1fjVfJ
+lNFgPXqQlRGIgSzSZr0CdBVs2VZKp19izQRQQI8d3ATD+Q4503dorgMCgYEAxuaC
+jow+vgcNt0DxlVWiV9rYGR7sDPJhdDyWgZ+yfaG0lVaX/81cEVxalUKTGHeHrhFs
+tIrZbRaIo9+XINzqCBNqfgauAZRFCvDv/BQPoGW+XKe+nH7DcC5PH8lcH6k1uGlq
+1KaRPymLRF8/PMmQ92o5Gk6H+Ah523hOJSv5BI8CgYBXH91cmUO8D/leyjqS+pZq
+WwA+Yw5tE+Omjjf4WXppBIUkmhkigeQ2y/FYFTlEKBjuzQWupaOyh4MNp9msdRVr
+ABhmJC7Hs3q/IqudpmOqhfeHLMhQU0dYYASSye21/JU7AXn1YljQ7dDs/DfaWETl
+Dc/VVMyhbZGfi0PccbS0+wKBgQC686+DjQ7sTnT16nUoiHUvXuP/uLDm+mvfdZOC
+AzkiHPw/4kS8i6oeJ1B9OzZHqRI+6uHiUSBNCQEmBuNmYD8ZmCZgjqa/lT3QKudn
+aPPHL9rd/E2NixjoOJ7mob2VhNaZn3xqpKWhWMsuWNh3qn44D//cWjQzTsQ7JblN
+9yb4wQKBgQCUs7wKhD/c45ST7bWH3C/iXBXsUwJrVPLKrCxl5vzkKTiDevMDVndo
+/jRAVk5UQEGO+R2eaqsgEujsS+ypGG1EWAdDyQ/6v8/34I7UF/bh5lZYOh1dXr6F
+PIROdfotGWYq2ituq1IbJMKFwhZLM7CRqnr0qsb9UaZeeuhqB3PAKQ==
+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..2181f94ce
--- /dev/null
+++ b/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,5 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA carolKey.pem "nH5ZQEWtku0RJEZ6"
+
+: RSA carolKey-002.pem 
diff --git a/testing/tests/ikev2/two-certs/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/two-certs/hosts/dave/etc/ipsec.conf
deleted file mode 100755
index ea8bc92a7..000000000
--- a/testing/tests/ikev2/two-certs/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-
-conn home
-	left=PH_IP_DAVE
-	leftcert=daveCert.pem
-	leftid=dave@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightsubnet=10.1.0.0/16
-	keyexchange=ikev2
-	auto=add
diff --git a/testing/tests/ikev2/two-certs/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/two-certs/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index 40eb84b8a..000000000
--- a/testing/tests/ikev2/two-certs/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
-}
diff --git a/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.conf
index 8800c7ad5..a93ccbc9a 100755
--- a/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.conf
@@ -3,8 +3,14 @@
 config setup
         crlcheckinterval=180
 	strictcrlpolicy=yes
+	uniqueids=no
 	plutostart=no
 
+ca strongswan
+        cacert=strongswanCert.pem
+        crluri=http://crl.strongswan.org/strongswan.crl
+        auto=add
+
 conn %default
 	ikelifetime=60m
 	keylife=20m
@@ -13,19 +19,16 @@ conn %default
 	left=PH_IP_MOON
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
-	leftsubnet=10.1.0.0/16
 	leftfirewall=yes
 	right=%any
+	rightid=carol@strongswan.org
 	keyexchange=ikev2
 
-conn carol
-	rightid=carol@strongswan.org
-	rightcert=carolRevokedCert.pem
+conn alice 
+	leftsubnet=10.1.0.10/32
 	auto=add
 
-conn dave
-	rightid=dave@strongswan.org
-	rightcert=daveCert.der
-	rightca=%any
+conn venus 
+	leftsubnet=10.1.0.20/32
 	auto=add
 
diff --git a/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.d/certs/carolRevokedCert.pem b/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.d/certs/carolRevokedCert.pem
deleted file mode 100644
index 5b742fc9e..000000000
--- a/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.d/certs/carolRevokedCert.pem
+++ /dev/null
@@ -1,25 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIEIjCCAwqgAwIBAgIBBzANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
-MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA0MDkxMDExMjU0OFoXDTA5MDkwOTExMjU0OFowWjELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
-cmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcN
-AQEBBQADggEPADCCAQoCggEBAM5413q1B2EF3spcYD1u0ce9AtIHdxmU3+1E0hqV
-mLqpIQtyp4SLbrRunxpoVUuEpHWXgLb3C/ljjlKCMWWmhw4wja1rBTjMNJLPj6Bo
-5Qn4Oeuqm7/kLHPGbveQGtcSsJCk6iLqFTbq0wsji5Ogq7kmjWgQv0nM2jpofHLv
-VOAtWVSj+x2b3OHdl/WpgTgTw1HHjYo7/NOkARdTcZ2/wxxM3z1Abp9iylc45GLN
-IL/OzHkT8b5pdokdMvVijz8IslkkewJYXrVQaCNMZg/ydlXOOAEKz0YqnvXQaYs5
-K+s8XvQ2RFCr5oO0fRT2VbiI9TgHnbcnfUi25iHl6txsXg0CAwEAAaOCAQYwggEC
-MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBTbA2TH3ca8tgCGkYy9
-OV/MqUTHAzBtBgNVHSMEZjBkgBRdp91wBlEyfue2bbO15eBg6i5N76FJpEcwRTEL
-MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT
-EnN0cm9uZ1N3YW4gUm9vdCBDQYIBADAfBgNVHREEGDAWgRRjYXJvbEBzdHJvbmdz
-d2FuLm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4u
-b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBBAUAA4IBAQC9acuCUPEBOrWB
-56vS8N9bksQwv/XcYIFYqV73kFBAzOPLX2a9igFGvBPdCxFu/t8JCswzE6to4LFM
-2+6Z2QJf442CLPcJKxITahrjJXSxGbzMlmaDvZ5wFCJAlyin+yuInpTwl8rMZe/Q
-O5JeJjzGDgWJtnGdkLUk/l2r6sZ/Cmk5rZpuO0hcUHVztMLQYPzqTpuMvC5p4JzL
-LWGWhKRhJs53NmxXXodck/ZgaqiTWuQFYlbamJRvzVBfX7c1SWHRJvxSSOPKGIg3
-wphkO2naj/SQD+BNuWTRmZ9YCiLOQ64ybLpJzRZISETdqtLBPKsIqosUZwkxlR1N
-9IcgYi5x
------END CERTIFICATE-----
diff --git a/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.d/certs/daveCert.der b/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.d/certs/daveCert.der
deleted file mode 100644
index 6c4f37c27..000000000
Binary files a/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.d/certs/daveCert.der and /dev/null differ
diff --git a/testing/tests/ikev2/two-certs/posttest.dat b/testing/tests/ikev2/two-certs/posttest.dat
index 195065a5f..a1f067838 100644
--- a/testing/tests/ikev2/two-certs/posttest.dat
+++ b/testing/tests/ikev2/two-certs/posttest.dat
@@ -1,7 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
-dave::ipsec stop
 moon::/etc/init.d/iptables stop 2> /dev/null
 carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
-moon::rm /etc/ipsec.d/certs/*
+carol::rm /etc/ipsec.d/private/*
+carol::rm /etc/ipsec.d/certs/*
diff --git a/testing/tests/ikev2/two-certs/pretest.dat b/testing/tests/ikev2/two-certs/pretest.dat
index 42e9d7c24..716cf71e8 100644
--- a/testing/tests/ikev2/two-certs/pretest.dat
+++ b/testing/tests/ikev2/two-certs/pretest.dat
@@ -1,9 +1,8 @@
 moon::/etc/init.d/iptables start 2> /dev/null
 carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
 moon::ipsec start
 carol::ipsec start
-dave::ipsec start
 carol::sleep 1
-carol::ipsec up home
-dave::ipsec up home
+carol::ipsec up alice
+carol::ipsec up venus
+carol::sleep 1
diff --git a/testing/tests/ikev2/two-certs/test.conf b/testing/tests/ikev2/two-certs/test.conf
index 70416826e..d0306cd25 100644
--- a/testing/tests/ikev2/two-certs/test.conf
+++ b/testing/tests/ikev2/two-certs/test.conf
@@ -5,11 +5,11 @@
 
 # All UML instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+UMLHOSTS="alice venus moon carol winnetou"
 
 # Corresponding block diagram
 #
-DIAGRAM="a-m-c-w-d.png"
+DIAGRAM="a-v-m-c-w-d.png"
 
 # UML instances on which tcpdump is to be started
 #
@@ -18,4 +18,4 @@ TCPDUMPHOSTS="moon"
 # UML instances on which IPsec is started
 # Used for IPsec logging purposes
 #
-IPSECHOSTS="moon carol dave"
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/description.txt b/testing/tests/openssl-ikev1/alg-ecp-high/description.txt
new file mode 100644
index 000000000..b8efbe87e
--- /dev/null
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/description.txt
@@ -0,0 +1,17 @@
+The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>openssl</b>
+plugin based on the <b>OpenSSL</b> library for all cryptographical functions
+whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b> cryptographical
+plugins <b>aes des sha1 sha2 md5 gmp</b> plus the <b>openssl</b> plugin for 
+the Elliptic Curve Diffie-Hellman groups only.
+<p>
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
+to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
+<b>carol</b> proposes the DH groups ECP_256 and ECP_384 whereas <b>dave</b> proposes
+ECP_256 and ECP_521. Since <b>moon</b> does not support ECP_256 the roadwarriors
+fall back to ECP_384 and ECP_521, respectively.
+<p>
+Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
+the client <b>alice</b> behind the gateway <b>moon</b>.
+
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/evaltest.dat b/testing/tests/openssl-ikev1/alg-ecp-high/evaltest.dat
new file mode 100644
index 000000000..6a6802780
--- /dev/null
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/evaltest.dat
@@ -0,0 +1,13 @@
+moon::cat /var/log/auth.log::ECP_256.*refused due to strict flag::YES
+moon::ipsec statusall::IPsec SA established::YES
+carol::ipsec statusall::IPsec SA established::YES
+carol::ipsec statusall::IKE proposal: AES_CBC_192/HMAC_SHA2_384/ECP_384::YES
+dave::ipsec statusall::IPsec SA established::YES
+dave::ipsec statusall::IKE proposal: AES_CBC_256/HMAC_SHA2_512/ECP_521::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..432fa52ea
--- /dev/null
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	charonstart=no
+	plutodebug=control
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+	ike=aes192-sha384-ecp256,aes192-sha384-ecp384!
+
+conn home
+	left=PH_IP_CAROL
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..9836736c3
--- /dev/null
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = openssl pubkey random hmac curl
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..28304eb41
--- /dev/null
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	charonstart=no
+	plutodebug=control
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+	ike=aes256-sha512-ecp256,aes256-sha512-ecp521!
+
+conn home
+	left=PH_IP_DAVE
+	leftcert=daveCert.pem
+	leftid=dave@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..c4211619b
--- /dev/null
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = aes des sha1 sha2 md5 gmp openssl pubkey random hmac curl
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..d6737f6e0
--- /dev/null
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	charonstart=no
+	plutodebug=control
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+	ike=aes192-sha384-ecp384,aes256-sha512-ecp521!
+
+conn rw
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	leftfirewall=yes
+	right=%any
+	auto=add
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..9836736c3
--- /dev/null
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = openssl pubkey random hmac curl
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/posttest.dat b/testing/tests/openssl-ikev1/alg-ecp-high/posttest.dat
new file mode 100644
index 000000000..7cebd7f25
--- /dev/null
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/pretest.dat b/testing/tests/openssl-ikev1/alg-ecp-high/pretest.dat
new file mode 100644
index 000000000..42e9d7c24
--- /dev/null
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/pretest.dat
@@ -0,0 +1,9 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/test.conf b/testing/tests/openssl-ikev1/alg-ecp-high/test.conf
new file mode 100644
index 000000000..70416826e
--- /dev/null
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/description.txt b/testing/tests/openssl-ikev1/alg-ecp-low/description.txt
new file mode 100644
index 000000000..4f043e7d9
--- /dev/null
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/description.txt
@@ -0,0 +1,17 @@
+The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>openssl</b>
+plugin based on the <b>OpenSSL</b> library for all cryptographical functions
+whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b> cryptographical
+plugins <b>aes des sha1 sha2 md5 gmp</b> plus the <b>openssl</b> plugin for 
+the Elliptic Curve Diffie-Hellman groups only.
+<p>
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
+to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
+<b>carol</b> proposes the DH groups ECP_192 and ECP_224 whereas <b>dave</b> proposes
+ECP_192 and ECP_256. Since <b>moon</b> does not support ECP_192 the roadwarriors
+fall back to ECP_224 and ECP_256, respectively.
+<p>
+Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
+the client <b>alice</b> behind the gateway <b>moon</b>.
+
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/evaltest.dat b/testing/tests/openssl-ikev1/alg-ecp-low/evaltest.dat
new file mode 100644
index 000000000..3c5ae4138
--- /dev/null
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/evaltest.dat
@@ -0,0 +1,13 @@
+moon::cat /var/log/auth.log::ECP_192.*refused due to strict flag::YES
+moon::ipsec statusall::IPsec SA established::YES
+carol::ipsec statusall::IPsec SA established::YES
+carol::ipsec statusall::IKE proposal: AES_CBC_128/HMAC_SHA2_256/ECP_224::YES
+dave::ipsec statusall::IPsec SA established::YES
+dave::ipsec statusall::IKE proposal: AES_CBC_128/HMAC_SHA2_256/ECP_256::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..5a4d82699
--- /dev/null
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	charonstart=no
+	plutodebug=control
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+	ike=aes128-sha256-ecp192,aes128-sha256-ecp224!
+
+conn home
+	left=PH_IP_CAROL
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..668998653
--- /dev/null
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = openssl pubkey random hmac curl 
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..ac828c182
--- /dev/null
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	charonstart=no
+	plutodebug=control
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+	ike=aes128-sha256-ecp192,aes128-sha256-ecp256!
+
+conn home
+	left=PH_IP_DAVE
+	leftcert=daveCert.pem
+	leftid=dave@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..c4211619b
--- /dev/null
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = aes des sha1 sha2 md5 gmp openssl pubkey random hmac curl
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..870271c87
--- /dev/null
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	charonstart=no
+	plutodebug=control
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+	ike=aes128-sha256-ecp224,aes128-sha256-ecp256!
+
+conn rw
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	leftfirewall=yes
+	right=%any
+	auto=add
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..668998653
--- /dev/null
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = openssl pubkey random hmac curl 
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/posttest.dat b/testing/tests/openssl-ikev1/alg-ecp-low/posttest.dat
new file mode 100644
index 000000000..7cebd7f25
--- /dev/null
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/pretest.dat b/testing/tests/openssl-ikev1/alg-ecp-low/pretest.dat
new file mode 100644
index 000000000..42e9d7c24
--- /dev/null
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/pretest.dat
@@ -0,0 +1,9 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/test.conf b/testing/tests/openssl-ikev1/alg-ecp-low/test.conf
new file mode 100644
index 000000000..70416826e
--- /dev/null
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/description.txt b/testing/tests/openssl-ikev1/ecdsa-certs/description.txt
new file mode 100644
index 000000000..2c098d898
--- /dev/null
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/description.txt
@@ -0,0 +1,11 @@
+The hosts <b>carol</b>, <b>dave</b>, and <b>moon</b> use the <b>openssl</b> plugin
+based on the <b>OpenSSL</b> library for all cryptographical functions.
+<p>
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
+to gateway <b>moon</b>. The authentication is based on <b>ECDSA signatures</b>
+using <b>Elliptic Curve certificates</b>.
+Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
+the client <b>alice</b> behind the gateway <b>moon</b>.
+
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/evaltest.dat b/testing/tests/openssl-ikev1/ecdsa-certs/evaltest.dat
new file mode 100644
index 000000000..2aea10135
--- /dev/null
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/evaltest.dat
@@ -0,0 +1,15 @@
+moon::cat /var/log/auth.log::ECDSA-256 signature check passed::YES
+moon::cat /var/log/auth.log::ECDSA-384 signature check passed::YES 
+carol::cat /var/log/auth.log::ECDSA-256 signature check passed::YES
+dave::cat /var/log/auth.log::ECDSA-384 signature check passed::YES 
+moon::ipsec statusall::carol.*IPsec SA established::YES
+moon::ipsec statusall::dave.*IPsec SA established::YES
+carol::ipsec statusall::home.*IPsec SA established::YES
+dave::ipsec statusall::home.*IPsec SA established::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..b0b6ff738
--- /dev/null
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	plutodebug=control
+	charonstart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+
+conn home
+	left=PH_IP_CAROL
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
new file mode 100644
index 000000000..3480a434a
--- /dev/null
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyDCCAiqgAwIBAgIJAPaidX4i76aJMAkGByqGSM49BAEwSDELMAkGA1UEBhMC
+Q0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3
+YW4gRUMgUm9vdCBDQTAeFw0wODA2MjIxNDM2MDZaFw0xODA2MjAxNDM2MDZaMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA
+BAEUx1NvjNKzbDHaRPMsqIf/6SbUpzBa78N/WIyF6rYj8e5McAqfTfzUfFJZYoQn
+/mbP3VfjOxRuMDjrlfvdgMxwkwFDigWQfHg3CJbS7eQjjO1MrxxIJUtfSTnF29tM
+h6IYMdxaZKloCGCOrpmGCGdxD2/KwoX1SA3BlnjaNt7kSTonkqOBujCBtzAPBgNV
+HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUul35cbYTtWrR3bo2
+t6rSwe6P2NIweAYDVR0jBHEwb4AUul35cbYTtWrR3bo2t6rSwe6P2NKhTKRKMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2onV+Iu+miTAJBgcqhkjOPQQBA4GM
+ADCBiAJCAL5pU3X6NYWjOYe0cxrah27UxtUDLUNkFG/Ojl+gOH4QB0CKY0HXNyrq
+cgba73dXF/U0Cg3Ij/9g4Kd9GgYq0GlSAkIAqgqMKqXni8wbeGMJE2Mn2/8aHM3Q
+3flpHSoeNWOe/VzpRviw+VRgA4vbhhKUXBtQSiea77/DXLwOp5w7rkBoEUg=
+-----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem
new file mode 100644
index 000000000..29709926a
--- /dev/null
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC7zCCAlGgAwIBAgIBBDAJBgcqhkjOPQQBMEgxCzAJBgNVBAYTAkNIMRkwFwYD
+VQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJv
+b3QgQ0EwHhcNMDgwNjIyMTYyOTE4WhcNMTMwNjIxMTYyOTE4WjBfMQswCQYDVQQG
+EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEWMBQGA1UECxMNRUNEU0Eg
+MjU2IGJpdDEdMBsGA1UEAxQUY2Fyb2xAc3Ryb25nc3dhbi5vcmcwWTATBgcqhkjO
+PQIBBggqhkjOPQMBBwNCAAQgp/Z/GgzvVCDdVcIYqERml0KroZEaVqiF8uy8dlTS
+4mxNs6snDdEWh/LzXTd3NVnCihT2XgHxOk8NrX4hBMMYo4IBFDCCARAwCQYDVR0T
+BAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFLdhGhurno1dU2SMx7UGXpa/lgJ9
+MHgGA1UdIwRxMG+AFLpd+XG2E7Vq0d26Nreq0sHuj9jSoUykSjBIMQswCQYDVQQG
+EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25n
+U3dhbiBFQyBSb290IENBggkA9qJ1fiLvpokwHwYDVR0RBBgwFoEUY2Fyb2xAc3Ry
+b25nc3dhbi5vcmcwPAYDVR0fBDUwMzAxoC+gLYYraHR0cDovL2NybC5zdHJvbmdz
+d2FuLm9yZy9zdHJvbmdzd2FuX2VjLmNybDAJBgcqhkjOPQQBA4GMADCBiAJCATa+
+sBFW3vCx/JgLyxU85F2QuLO0/zdNBhIU0kN7kr1cYBBr8mpbhuNKm6iFe2DsFJZx
+ii3DQjwvG46is2Njzi4vAkIA72lPodCDtAFpD/2PUxjzo6xTAFazUejobkdDTUXn
+s0f8qIzzeQuTwLbp6pDmR/JGzhAeRvQT82njCo0PJ8Hbz1c=
+-----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem
new file mode 100644
index 000000000..5f21c1012
--- /dev/null
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem
@@ -0,0 +1,8 @@
+-----BEGIN EC PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: AES-128-CBC,F36088B0517117B50C1A436E5C84526E
+
+Zulq4O8x8i4P2I8+Ewe2pPJT8K2kzX9JjGhquFKaZdEG1YmXqIdMz41DA1b9cQjt
+KJstY10Gzc/C6Hv9v/ljfplcnumYBFdFsqvQ/Z0xh/G9u/J1gXjghhrQCUXbFble
+RVSwozA9IcCC9yQdhYyazF+85DR+p8AyQ5w2unOvuOk=
+-----END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.secrets b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..4e53ef91a
--- /dev/null
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: ECDSA carolKey.pem "nH5ZQEWtku0RJEZ6"
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..9836736c3
--- /dev/null
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = openssl pubkey random hmac curl
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..23813b20b
--- /dev/null
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	plutodebug=control
+	charonstart=no
+	
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+
+conn home
+	left=PH_IP_DAVE
+	leftcert=daveCert.pem
+	leftid=dave@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem
new file mode 100644
index 000000000..3480a434a
--- /dev/null
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyDCCAiqgAwIBAgIJAPaidX4i76aJMAkGByqGSM49BAEwSDELMAkGA1UEBhMC
+Q0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3
+YW4gRUMgUm9vdCBDQTAeFw0wODA2MjIxNDM2MDZaFw0xODA2MjAxNDM2MDZaMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA
+BAEUx1NvjNKzbDHaRPMsqIf/6SbUpzBa78N/WIyF6rYj8e5McAqfTfzUfFJZYoQn
+/mbP3VfjOxRuMDjrlfvdgMxwkwFDigWQfHg3CJbS7eQjjO1MrxxIJUtfSTnF29tM
+h6IYMdxaZKloCGCOrpmGCGdxD2/KwoX1SA3BlnjaNt7kSTonkqOBujCBtzAPBgNV
+HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUul35cbYTtWrR3bo2
+t6rSwe6P2NIweAYDVR0jBHEwb4AUul35cbYTtWrR3bo2t6rSwe6P2NKhTKRKMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2onV+Iu+miTAJBgcqhkjOPQQBA4GM
+ADCBiAJCAL5pU3X6NYWjOYe0cxrah27UxtUDLUNkFG/Ojl+gOH4QB0CKY0HXNyrq
+cgba73dXF/U0Cg3Ij/9g4Kd9GgYq0GlSAkIAqgqMKqXni8wbeGMJE2Mn2/8aHM3Q
+3flpHSoeNWOe/VzpRviw+VRgA4vbhhKUXBtQSiea77/DXLwOp5w7rkBoEUg=
+-----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/certs/daveCert.pem
new file mode 100644
index 000000000..075d8f1e5
--- /dev/null
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/certs/daveCert.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDCTCCAmygAwIBAgIBAzAJBgcqhkjOPQQBMEgxCzAJBgNVBAYTAkNIMRkwFwYD
+VQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJv
+b3QgQ0EwHhcNMDgwNjIyMTYxMzU5WhcNMTMwNjIxMTYxMzU5WjBeMQswCQYDVQQG
+EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEWMBQGA1UECxMNRUNEU0Eg
+Mzg0IGJpdDEcMBoGA1UEAxQTZGF2ZUBzdHJvbmdzd2FuLm9yZzB2MBAGByqGSM49
+AgEGBSuBBAAiA2IABPxEg8AaVNAwCXqg0p21Zc7YzPLA3voAWf233CZJpsjb1w3y
+IeTUeIeGU7aLWAyuXgeBsx+lKzWy00LzPELOgK+3ulTHzBZg7s8kMGhwPWfV4JLA
+zrso5+i64+Y4wvRCBaOCARMwggEPMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0G
+A1UdDgQWBBQxJAy8gaP3RNBt1WTD27/IMzANmTB4BgNVHSMEcTBvgBS6XflxthO1
+atHduja3qtLB7o/Y0qFMpEowSDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4
+IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3YW4gRUMgUm9vdCBDQYIJAPai
+dX4i76aJMB4GA1UdEQQXMBWBE2RhdmVAc3Ryb25nc3dhbi5vcmcwPAYDVR0fBDUw
+MzAxoC+gLYYraHR0cDovL2NybC5zdHJvbmdzd2FuLm9yZy9zdHJvbmdzd2FuX2Vj
+LmNybDAJBgcqhkjOPQQBA4GLADCBhwJCAZaqaroyGwqd7nb5dVVWjTK8glVzDFJH
+ru4F6R+7fDCGEOaFlxf4GRkSrvQQA8vfgo6Md9XjBwq0r+9s3xt5xJjJAkElSo1/
+wyn8KQ3XN07UIaMvPctipq2OgpfteQK/F81CtZ+YCLEQt3xT7NQpriaKwGQxJAQv
+g+Z+grJzTppAqpwRpg==
+-----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem
new file mode 100644
index 000000000..f628f88e5
--- /dev/null
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem
@@ -0,0 +1,6 @@
+-----BEGIN EC PRIVATE KEY-----
+MIGkAgEBBDCF8kl4ftfgcvWH2myFxhc22CUT63uPy28fqUMibnpRS/wf/pfxIrVX
++BhxpUhWS2agBwYFK4EEACKhZANiAAT8RIPAGlTQMAl6oNKdtWXO2MzywN76AFn9
+t9wmSabI29cN8iHk1HiHhlO2i1gMrl4HgbMfpSs1stNC8zxCzoCvt7pUx8wWYO7P
+JDBocD1n1eCSwM67KOfouuPmOML0QgU=
+-----END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.secrets b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..ebd3a2839
--- /dev/null
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: ECDSA daveKey.pem
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..c4211619b
--- /dev/null
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = aes des sha1 sha2 md5 gmp openssl pubkey random hmac curl
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..f22a4ac4c
--- /dev/null
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,32 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	plutodebug=control
+	charonstart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+
+conn carol
+	also=moon
+	leftcert=moon_ec256_Cert.pem
+	rightid=carol@strongswan.org
+	auto=add
+
+conn dave
+	also=moon
+	leftcert=moon_ec384_Cert.pem
+	rightid=dave@strongswan.org
+	auto=add
+
+conn moon 
+	left=PH_IP_MOON
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	leftfirewall=yes
+	right=%any
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
new file mode 100644
index 000000000..3480a434a
--- /dev/null
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyDCCAiqgAwIBAgIJAPaidX4i76aJMAkGByqGSM49BAEwSDELMAkGA1UEBhMC
+Q0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3
+YW4gRUMgUm9vdCBDQTAeFw0wODA2MjIxNDM2MDZaFw0xODA2MjAxNDM2MDZaMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA
+BAEUx1NvjNKzbDHaRPMsqIf/6SbUpzBa78N/WIyF6rYj8e5McAqfTfzUfFJZYoQn
+/mbP3VfjOxRuMDjrlfvdgMxwkwFDigWQfHg3CJbS7eQjjO1MrxxIJUtfSTnF29tM
+h6IYMdxaZKloCGCOrpmGCGdxD2/KwoX1SA3BlnjaNt7kSTonkqOBujCBtzAPBgNV
+HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUul35cbYTtWrR3bo2
+t6rSwe6P2NIweAYDVR0jBHEwb4AUul35cbYTtWrR3bo2t6rSwe6P2NKhTKRKMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2onV+Iu+miTAJBgcqhkjOPQQBA4GM
+ADCBiAJCAL5pU3X6NYWjOYe0cxrah27UxtUDLUNkFG/Ojl+gOH4QB0CKY0HXNyrq
+cgba73dXF/U0Cg3Ij/9g4Kd9GgYq0GlSAkIAqgqMKqXni8wbeGMJE2Mn2/8aHM3Q
+3flpHSoeNWOe/VzpRviw+VRgA4vbhhKUXBtQSiea77/DXLwOp5w7rkBoEUg=
+-----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moon_ec256_Cert.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moon_ec256_Cert.pem
new file mode 100644
index 000000000..d5e61558e
--- /dev/null
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moon_ec256_Cert.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC7DCCAk+gAwIBAgIBBTAJBgcqhkjOPQQBMEgxCzAJBgNVBAYTAkNIMRkwFwYD
+VQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJv
+b3QgQ0EwHhcNMDkwNjEyMTYwNjMzWhcNMTQwNjExMTYwNjMzWjBeMQswCQYDVQQG
+EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEWMBQGA1UECxMNRUNEU0Eg
+MjU2IGJpdDEcMBoGA1UEAxMTbW9vbi5zdHJvbmdzd2FuLm9yZzBZMBMGByqGSM49
+AgEGCCqGSM49AwEHA0IABIU/UvJ7ro2AYsFWXZKH9K4FD9O5kNfi3/H3+10kAy6s
+eQUab8qaAhTahBHuywzanVTiJPK5caQSvnpt+z1RJDqjggETMIIBDzAJBgNVHRME
+AjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQUq1PybZZ+RZuJICuoDUhXdLy/iacw
+eAYDVR0jBHEwb4AUul35cbYTtWrR3bo2t6rSwe6P2NKhTKRKMEgxCzAJBgNVBAYT
+AkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdT
+d2FuIEVDIFJvb3QgQ0GCCQD2onV+Iu+miTAeBgNVHREEFzAVghNtb29uLnN0cm9u
+Z3N3YW4ub3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuc3Ryb25nc3dh
+bi5vcmcvc3Ryb25nc3dhbl9lYy5jcmwwCQYHKoZIzj0EAQOBiwAwgYcCQWYZnZLl
+iimVcAs5p7SXpHmcnlIX9C4EFzNtY+zoDfPM9Qx/vGY2hKa65tyhepn5RFyNqH6d
+slr5EBqoT5Vt86kJAkIAx/dyiLLqT0+lJiyxjLQuAaLRWHwlgq7jaUhoQusxno62
+dIfe0U1QjgumA+zXoAnbLBF3KnnrKvHByv7ejeH0Ys4=
+-----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moon_ec384_Cert.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moon_ec384_Cert.pem
new file mode 100644
index 000000000..45224b09b
--- /dev/null
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moon_ec384_Cert.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDCjCCAmygAwIBAgIBBjAJBgcqhkjOPQQBMEgxCzAJBgNVBAYTAkNIMRkwFwYD
+VQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJv
+b3QgQ0EwHhcNMDkwNjEyMTYwNzA2WhcNMTQwNjExMTYwNzA2WjBeMQswCQYDVQQG
+EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEWMBQGA1UECxMNRUNEU0Eg
+Mzg0IGJpdDEcMBoGA1UEAxMTbW9vbi5zdHJvbmdzd2FuLm9yZzB2MBAGByqGSM49
+AgEGBSuBBAAiA2IABK4TajAd1pgzhJJsmyjw1Zb/CdEe0eWKmEyP1OjmwRwS37Tx
+3wV9C9ZzCYBsJlvbH53kyeZYoAojUL5sXDVBq8qu23jSjBCesypSiNt/8akt+4bg
+a4qMN2zutd/U1fC5C6OCARMwggEPMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0G
+A1UdDgQWBBT43sZUBjwcO+QW4PXk7KoOxxkm3jB4BgNVHSMEcTBvgBS6XflxthO1
+atHduja3qtLB7o/Y0qFMpEowSDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4
+IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3YW4gRUMgUm9vdCBDQYIJAPai
+dX4i76aJMB4GA1UdEQQXMBWCE21vb24uc3Ryb25nc3dhbi5vcmcwPAYDVR0fBDUw
+MzAxoC+gLYYraHR0cDovL2NybC5zdHJvbmdzd2FuLm9yZy9zdHJvbmdzd2FuX2Vj
+LmNybDAJBgcqhkjOPQQBA4GMADCBiAJCAUfrzEnQUA0dqpo9I2YaFh3Y+QnFosTg
+b46jcbxm/LbIeWDxwU2HK3Qfo+tGsXJnh73lKo8B0o+OsXt4gP+GQutCAkIBu7Aw
+0iUx8d84SqHiBZBDIk/X6NV62YZXVhO9rPON0r/kdmeZ8OvPD53JgE64irFf6Wp+
+3ictLD61ItW0nxNHlcE=
+-----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moon_ec256_Key.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moon_ec256_Key.pem
new file mode 100644
index 000000000..66b6315f9
--- /dev/null
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moon_ec256_Key.pem
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIE+rz/5axOOEvTVs9nnmKyF1v/rgmdIvam+BfSSS1SGpoAoGCCqGSM49
+AwEHoUQDQgAEhT9S8nuujYBiwVZdkof0rgUP07mQ1+Lf8ff7XSQDLqx5BRpvypoC
+FNqEEe7LDNqdVOIk8rlxpBK+em37PVEkOg==
+-----END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moon_ec384_Key.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moon_ec384_Key.pem
new file mode 100644
index 000000000..64f7fcfd1
--- /dev/null
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moon_ec384_Key.pem
@@ -0,0 +1,6 @@
+-----BEGIN EC PRIVATE KEY-----
+MIGkAgEBBDDvvge4iZDHIaL0IDBs4gVesErZZWOud3NysAEayGW4iTb6wjQLtIVF
+1i7d8lV6Uc2gBwYFK4EEACKhZANiAASuE2owHdaYM4SSbJso8NWW/wnRHtHliphM
+j9To5sEcEt+08d8FfQvWcwmAbCZb2x+d5MnmWKAKI1C+bFw1QavKrtt40owQnrMq
+Uojbf/GpLfuG4GuKjDds7rXf1NXwuQs=
+-----END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.secrets b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..8a8812e0f
--- /dev/null
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,5 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: ECDSA moon_ec256_Key.pem
+
+: ECDSA moon_ec384_Key.pem
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..9836736c3
--- /dev/null
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = openssl pubkey random hmac curl
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/posttest.dat b/testing/tests/openssl-ikev1/ecdsa-certs/posttest.dat
new file mode 100644
index 000000000..73fe3096d
--- /dev/null
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/posttest.dat
@@ -0,0 +1,8 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
+moon::rm /etc/ipsec.d/private/*
+moon::rm /etc/ipsec.d/certs/*
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/pretest.dat b/testing/tests/openssl-ikev1/ecdsa-certs/pretest.dat
new file mode 100644
index 000000000..42e9d7c24
--- /dev/null
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/pretest.dat
@@ -0,0 +1,9 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/test.conf b/testing/tests/openssl-ikev1/ecdsa-certs/test.conf
new file mode 100644
index 000000000..70416826e
--- /dev/null
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/openssl-ikev1/rw-cert/description.txt b/testing/tests/openssl-ikev1/rw-cert/description.txt
new file mode 100644
index 000000000..0f721c52b
--- /dev/null
+++ b/testing/tests/openssl-ikev1/rw-cert/description.txt
@@ -0,0 +1,12 @@
+The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>openssl</b>
+plugin based on the <b>OpenSSL</b> library for all cryptographical functions
+whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b> cryptographical
+plugins <b>aes des sha1 sha2 md5 gmp</b>.
+<p>
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
+to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
+Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
+the client <b>alice</b> behind the gateway <b>moon</b>.
+
diff --git a/testing/tests/openssl-ikev1/rw-cert/evaltest.dat b/testing/tests/openssl-ikev1/rw-cert/evaltest.dat
new file mode 100644
index 000000000..1a9b9159f
--- /dev/null
+++ b/testing/tests/openssl-ikev1/rw-cert/evaltest.dat
@@ -0,0 +1,10 @@
+moon::ipsec statusall::IPsec SA established::YES
+carol::ipsec statusall::IPsec SA established::YES
+dave::ipsec statusall::IPsec SA established::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+
diff --git a/testing/tests/openssl-ikev1/rw-cert/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev1/rw-cert/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..80dae3719
--- /dev/null
+++ b/testing/tests/openssl-ikev1/rw-cert/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	charonstart=no
+	plutodebug=control
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+	ike=3des-sha1-modp1536!
+
+conn home
+	left=PH_IP_CAROL
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/openssl-ikev1/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev1/rw-cert/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..e2a83185b
--- /dev/null
+++ b/testing/tests/openssl-ikev1/rw-cert/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,14 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = test-vectors openssl pubkey random hmac curl
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+  crypto_test {
+    on_add = yes
+  }
+}
diff --git a/testing/tests/openssl-ikev1/rw-cert/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev1/rw-cert/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..73167caad
--- /dev/null
+++ b/testing/tests/openssl-ikev1/rw-cert/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	charonstart=no
+	plutodebug=control
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+	ike=aes256-sha256-modp2048!
+
+conn home
+	left=PH_IP_DAVE
+	leftcert=daveCert.pem
+	leftid=dave@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/openssl-ikev1/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev1/rw-cert/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..2ba85bb98
--- /dev/null
+++ b/testing/tests/openssl-ikev1/rw-cert/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,15 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = test-vectors aes des sha1 sha2 md5 gmp pubkey random hmac curl
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+  crypto_test {
+    required = yes
+    on_add = yes
+  }
+}
diff --git a/testing/tests/openssl-ikev1/rw-cert/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev1/rw-cert/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..f365b07da
--- /dev/null
+++ b/testing/tests/openssl-ikev1/rw-cert/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	charonstart=no
+	plutodebug=control
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+	ike=aes256-sha256-modp2048,3des-sha1-modp1536!
+
+conn rw
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	leftfirewall=yes
+	right=%any
+	auto=add
diff --git a/testing/tests/openssl-ikev1/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev1/rw-cert/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..28d9ab3ba
--- /dev/null
+++ b/testing/tests/openssl-ikev1/rw-cert/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,15 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = test-vectors openssl pubkey random hmac curl
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+  crypto_test {
+    on_add = yes
+  }
+}
+
diff --git a/testing/tests/openssl-ikev1/rw-cert/posttest.dat b/testing/tests/openssl-ikev1/rw-cert/posttest.dat
new file mode 100644
index 000000000..7cebd7f25
--- /dev/null
+++ b/testing/tests/openssl-ikev1/rw-cert/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/openssl-ikev1/rw-cert/pretest.dat b/testing/tests/openssl-ikev1/rw-cert/pretest.dat
new file mode 100644
index 000000000..42e9d7c24
--- /dev/null
+++ b/testing/tests/openssl-ikev1/rw-cert/pretest.dat
@@ -0,0 +1,9 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/openssl-ikev1/rw-cert/test.conf b/testing/tests/openssl-ikev1/rw-cert/test.conf
new file mode 100644
index 000000000..70416826e
--- /dev/null
+++ b/testing/tests/openssl-ikev1/rw-cert/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/openssl-ikev2/alg-blowfish/description.txt b/testing/tests/openssl-ikev2/alg-blowfish/description.txt
new file mode 100644
index 000000000..d30d9d2da
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-blowfish/description.txt
@@ -0,0 +1,11 @@
+The roadwarriors <b>carol</b> and <b>dave</b> as well as the gateway <b>moon</b>
+use the <b>openssl</b> plugin based on the <b>OpenSSL</b> library for all
+cryptographical functions, thus making the <b>Blowfish</b> available as an IKEv2 cipher.
+<p>
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
+to gateway <b>moon</b> using <b>Blowfish</b> for both IKE and ESP
+encryption.  Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
+the client <b>alice</b> behind the gateway <b>moon</b>.
+
diff --git a/testing/tests/openssl-ikev2/alg-blowfish/evaltest.dat b/testing/tests/openssl-ikev2/alg-blowfish/evaltest.dat
new file mode 100644
index 000000000..a1f9f6a8e
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-blowfish/evaltest.dat
@@ -0,0 +1,16 @@
+moon::ipsec statusall::rw.*ESTABLISHED::YES
+carol::ipsec statusall::home.*ESTABLISHED::YES
+carol::ipsec statusall::IKE proposal: BLOWFISH_CBC_256::YES
+carol::ipsec statusall::BLOWFISH_CBC_192.*,::YES
+carol::ip -s xfrm state::enc cbc(blowfish).*(192 bits)::YES
+dave::ipsec statusall::home.*ESTABLISHED::YES
+dave::ipsec statusall::IKE proposal: BLOWFISH_CBC_128::YES
+dave::ipsec statusall::BLOWFISH_CBC_128.*,::YES
+dave::ip -s xfrm state::enc cbc(blowfish).*(128 bits)::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+
diff --git a/testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..62e181012
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=blowfish256-sha512-modp2048!
+	esp=blowfish192-sha256!
+
+conn home
+	left=PH_IP_CAROL
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..e10230384
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl openssl random x509 pubkey hmac stroke kernel-netlink updown
+}
diff --git a/testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..26f3f3a04
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=blowfish128-sha256-modp1536!
+	esp=blowfish128-sha1!
+
+conn home
+	left=PH_IP_DAVE
+	leftcert=daveCert.pem
+	leftid=dave@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..e10230384
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl openssl random x509 pubkey hmac stroke kernel-netlink updown
+}
diff --git a/testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..31a00f7fb
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=blowfish256-sha512-modp2048,blowfish128-sha256-modp1536!
+	esp=blowfish192-sha256,blowfish128-sha1!
+
+conn rw
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	leftfirewall=yes
+	right=%any
+	auto=add
diff --git a/testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..e10230384
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl openssl random x509 pubkey hmac stroke kernel-netlink updown
+}
diff --git a/testing/tests/openssl-ikev2/alg-blowfish/posttest.dat b/testing/tests/openssl-ikev2/alg-blowfish/posttest.dat
new file mode 100644
index 000000000..7cebd7f25
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-blowfish/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/openssl-ikev2/alg-blowfish/pretest.dat b/testing/tests/openssl-ikev2/alg-blowfish/pretest.dat
new file mode 100644
index 000000000..42e9d7c24
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-blowfish/pretest.dat
@@ -0,0 +1,9 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/openssl-ikev2/alg-blowfish/test.conf b/testing/tests/openssl-ikev2/alg-blowfish/test.conf
new file mode 100644
index 000000000..70416826e
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-blowfish/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/description.txt b/testing/tests/openssl-ikev2/alg-ecp-high/description.txt
new file mode 100644
index 000000000..b8efbe87e
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/description.txt
@@ -0,0 +1,17 @@
+The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>openssl</b>
+plugin based on the <b>OpenSSL</b> library for all cryptographical functions
+whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b> cryptographical
+plugins <b>aes des sha1 sha2 md5 gmp</b> plus the <b>openssl</b> plugin for 
+the Elliptic Curve Diffie-Hellman groups only.
+<p>
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
+to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
+<b>carol</b> proposes the DH groups ECP_256 and ECP_384 whereas <b>dave</b> proposes
+ECP_256 and ECP_521. Since <b>moon</b> does not support ECP_256 the roadwarriors
+fall back to ECP_384 and ECP_521, respectively.
+<p>
+Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
+the client <b>alice</b> behind the gateway <b>moon</b>.
+
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/evaltest.dat b/testing/tests/openssl-ikev2/alg-ecp-high/evaltest.dat
new file mode 100644
index 000000000..009936466
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/evaltest.dat
@@ -0,0 +1,14 @@
+carol::cat /var/log/daemon.log::ECP_256.*ECP_384::YES
+dave::cat /var/log/daemon.log::ECP_256.*ECP_521::YES
+moon::ipsec statusall::rw.*ESTABLISHED::YES
+carol::ipsec statusall::home.*ESTABLISHED::YES
+carol::ipsec statusall::home.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384::YES
+dave::ipsec statusall::home.*ESTABLISHED::YES
+dave::ipsec statusall::home.*AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_521::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..0550a09b4
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=aes192-sha384-ecp256,aes192-sha384-ecp384!
+
+conn home
+	left=PH_IP_CAROL
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..e10230384
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl openssl random x509 pubkey hmac stroke kernel-netlink updown
+}
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..22026fc36
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=aes256-sha512-ecp256,aes256-sha512-ecp521!
+
+conn home
+	left=PH_IP_DAVE
+	leftcert=daveCert.pem
+	leftid=dave@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..7ffdcc204
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 gmp openssl random x509 pubkey hmac stroke kernel-netlink updown
+}
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..ffe13d259
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=aes192-sha384-ecp384,aes256-sha512-ecp521!
+
+conn rw
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	leftfirewall=yes
+	right=%any
+	auto=add
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..e10230384
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl openssl random x509 pubkey hmac stroke kernel-netlink updown
+}
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/posttest.dat b/testing/tests/openssl-ikev2/alg-ecp-high/posttest.dat
new file mode 100644
index 000000000..7cebd7f25
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/pretest.dat b/testing/tests/openssl-ikev2/alg-ecp-high/pretest.dat
new file mode 100644
index 000000000..42e9d7c24
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/pretest.dat
@@ -0,0 +1,9 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/test.conf b/testing/tests/openssl-ikev2/alg-ecp-high/test.conf
new file mode 100644
index 000000000..70416826e
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/description.txt b/testing/tests/openssl-ikev2/alg-ecp-low/description.txt
new file mode 100644
index 000000000..4f043e7d9
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/description.txt
@@ -0,0 +1,17 @@
+The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>openssl</b>
+plugin based on the <b>OpenSSL</b> library for all cryptographical functions
+whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b> cryptographical
+plugins <b>aes des sha1 sha2 md5 gmp</b> plus the <b>openssl</b> plugin for 
+the Elliptic Curve Diffie-Hellman groups only.
+<p>
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
+to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
+<b>carol</b> proposes the DH groups ECP_192 and ECP_224 whereas <b>dave</b> proposes
+ECP_192 and ECP_256. Since <b>moon</b> does not support ECP_192 the roadwarriors
+fall back to ECP_224 and ECP_256, respectively.
+<p>
+Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
+the client <b>alice</b> behind the gateway <b>moon</b>.
+
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/evaltest.dat b/testing/tests/openssl-ikev2/alg-ecp-low/evaltest.dat
new file mode 100644
index 000000000..e2073d9be
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/evaltest.dat
@@ -0,0 +1,14 @@
+carol::cat /var/log/daemon.log::ECP_192.*ECP_224::YES
+dave::cat /var/log/daemon.log::ECP_192.*ECP_256::YES
+moon::ipsec statusall::rw.*ESTABLISHED::YES
+carol::ipsec statusall::home.*ESTABLISHED::YES
+carol::ipsec statusall::home.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_224::YES
+dave::ipsec statusall::home.*ESTABLISHED::YES
+dave::ipsec statusall::home.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..6a15b3f54
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=aes128-sha256-ecp192,aes128-sha256-ecp224!
+
+conn home
+	left=PH_IP_CAROL
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..e10230384
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl openssl random x509 pubkey hmac stroke kernel-netlink updown
+}
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..b4bdf456f
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=aes128-sha256-ecp192,aes128-sha256-ecp256!
+
+conn home
+	left=PH_IP_DAVE
+	leftcert=daveCert.pem
+	leftid=dave@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..7ffdcc204
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 gmp openssl random x509 pubkey hmac stroke kernel-netlink updown
+}
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..64ec0f12c
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=aes128-sha256-ecp224,aes128-sha256-ecp256!
+
+conn rw
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	leftfirewall=yes
+	right=%any
+	auto=add
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..e10230384
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl openssl random x509 pubkey hmac stroke kernel-netlink updown
+}
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/posttest.dat b/testing/tests/openssl-ikev2/alg-ecp-low/posttest.dat
new file mode 100644
index 000000000..7cebd7f25
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/pretest.dat b/testing/tests/openssl-ikev2/alg-ecp-low/pretest.dat
new file mode 100644
index 000000000..42e9d7c24
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/pretest.dat
@@ -0,0 +1,9 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/test.conf b/testing/tests/openssl-ikev2/alg-ecp-low/test.conf
new file mode 100644
index 000000000..70416826e
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/description.txt b/testing/tests/openssl-ikev2/ecdsa-certs/description.txt
new file mode 100644
index 000000000..2c098d898
--- /dev/null
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/description.txt
@@ -0,0 +1,11 @@
+The hosts <b>carol</b>, <b>dave</b>, and <b>moon</b> use the <b>openssl</b> plugin
+based on the <b>OpenSSL</b> library for all cryptographical functions.
+<p>
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
+to gateway <b>moon</b>. The authentication is based on <b>ECDSA signatures</b>
+using <b>Elliptic Curve certificates</b>.
+Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
+the client <b>alice</b> behind the gateway <b>moon</b>.
+
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/evaltest.dat b/testing/tests/openssl-ikev2/ecdsa-certs/evaltest.dat
new file mode 100644
index 000000000..868da5776
--- /dev/null
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/evaltest.dat
@@ -0,0 +1,14 @@
+moon::cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA-256 signature successful::YES
+moon::cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with ECDSA-384 signature successful::YES
+carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA-521 signature successful::YES
+dave::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA-521 signature successful::YES
+moon::ipsec statusall::rw.*ESTABLISHED::YES
+carol::ipsec statusall::home.*ESTABLISHED::YES
+dave::ipsec statusall::home.*ESTABLISHED::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..c75d6b2a1
--- /dev/null
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_CAROL
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
new file mode 100644
index 000000000..3480a434a
--- /dev/null
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyDCCAiqgAwIBAgIJAPaidX4i76aJMAkGByqGSM49BAEwSDELMAkGA1UEBhMC
+Q0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3
+YW4gRUMgUm9vdCBDQTAeFw0wODA2MjIxNDM2MDZaFw0xODA2MjAxNDM2MDZaMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA
+BAEUx1NvjNKzbDHaRPMsqIf/6SbUpzBa78N/WIyF6rYj8e5McAqfTfzUfFJZYoQn
+/mbP3VfjOxRuMDjrlfvdgMxwkwFDigWQfHg3CJbS7eQjjO1MrxxIJUtfSTnF29tM
+h6IYMdxaZKloCGCOrpmGCGdxD2/KwoX1SA3BlnjaNt7kSTonkqOBujCBtzAPBgNV
+HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUul35cbYTtWrR3bo2
+t6rSwe6P2NIweAYDVR0jBHEwb4AUul35cbYTtWrR3bo2t6rSwe6P2NKhTKRKMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2onV+Iu+miTAJBgcqhkjOPQQBA4GM
+ADCBiAJCAL5pU3X6NYWjOYe0cxrah27UxtUDLUNkFG/Ojl+gOH4QB0CKY0HXNyrq
+cgba73dXF/U0Cg3Ij/9g4Kd9GgYq0GlSAkIAqgqMKqXni8wbeGMJE2Mn2/8aHM3Q
+3flpHSoeNWOe/VzpRviw+VRgA4vbhhKUXBtQSiea77/DXLwOp5w7rkBoEUg=
+-----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem
new file mode 100644
index 000000000..29709926a
--- /dev/null
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC7zCCAlGgAwIBAgIBBDAJBgcqhkjOPQQBMEgxCzAJBgNVBAYTAkNIMRkwFwYD
+VQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJv
+b3QgQ0EwHhcNMDgwNjIyMTYyOTE4WhcNMTMwNjIxMTYyOTE4WjBfMQswCQYDVQQG
+EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEWMBQGA1UECxMNRUNEU0Eg
+MjU2IGJpdDEdMBsGA1UEAxQUY2Fyb2xAc3Ryb25nc3dhbi5vcmcwWTATBgcqhkjO
+PQIBBggqhkjOPQMBBwNCAAQgp/Z/GgzvVCDdVcIYqERml0KroZEaVqiF8uy8dlTS
+4mxNs6snDdEWh/LzXTd3NVnCihT2XgHxOk8NrX4hBMMYo4IBFDCCARAwCQYDVR0T
+BAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFLdhGhurno1dU2SMx7UGXpa/lgJ9
+MHgGA1UdIwRxMG+AFLpd+XG2E7Vq0d26Nreq0sHuj9jSoUykSjBIMQswCQYDVQQG
+EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25n
+U3dhbiBFQyBSb290IENBggkA9qJ1fiLvpokwHwYDVR0RBBgwFoEUY2Fyb2xAc3Ry
+b25nc3dhbi5vcmcwPAYDVR0fBDUwMzAxoC+gLYYraHR0cDovL2NybC5zdHJvbmdz
+d2FuLm9yZy9zdHJvbmdzd2FuX2VjLmNybDAJBgcqhkjOPQQBA4GMADCBiAJCATa+
+sBFW3vCx/JgLyxU85F2QuLO0/zdNBhIU0kN7kr1cYBBr8mpbhuNKm6iFe2DsFJZx
+ii3DQjwvG46is2Njzi4vAkIA72lPodCDtAFpD/2PUxjzo6xTAFazUejobkdDTUXn
+s0f8qIzzeQuTwLbp6pDmR/JGzhAeRvQT82njCo0PJ8Hbz1c=
+-----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem
new file mode 100644
index 000000000..5f21c1012
--- /dev/null
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem
@@ -0,0 +1,8 @@
+-----BEGIN EC PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: AES-128-CBC,F36088B0517117B50C1A436E5C84526E
+
+Zulq4O8x8i4P2I8+Ewe2pPJT8K2kzX9JjGhquFKaZdEG1YmXqIdMz41DA1b9cQjt
+KJstY10Gzc/C6Hv9v/ljfplcnumYBFdFsqvQ/Z0xh/G9u/J1gXjghhrQCUXbFble
+RVSwozA9IcCC9yQdhYyazF+85DR+p8AyQ5w2unOvuOk=
+-----END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.secrets b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..4e53ef91a
--- /dev/null
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: ECDSA carolKey.pem "nH5ZQEWtku0RJEZ6"
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..e10230384
--- /dev/null
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl openssl random x509 pubkey hmac stroke kernel-netlink updown
+}
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..080ce9bce
--- /dev/null
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_DAVE
+	leftcert=daveCert.pem
+	leftid=dave@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem
new file mode 100644
index 000000000..3480a434a
--- /dev/null
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyDCCAiqgAwIBAgIJAPaidX4i76aJMAkGByqGSM49BAEwSDELMAkGA1UEBhMC
+Q0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3
+YW4gRUMgUm9vdCBDQTAeFw0wODA2MjIxNDM2MDZaFw0xODA2MjAxNDM2MDZaMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA
+BAEUx1NvjNKzbDHaRPMsqIf/6SbUpzBa78N/WIyF6rYj8e5McAqfTfzUfFJZYoQn
+/mbP3VfjOxRuMDjrlfvdgMxwkwFDigWQfHg3CJbS7eQjjO1MrxxIJUtfSTnF29tM
+h6IYMdxaZKloCGCOrpmGCGdxD2/KwoX1SA3BlnjaNt7kSTonkqOBujCBtzAPBgNV
+HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUul35cbYTtWrR3bo2
+t6rSwe6P2NIweAYDVR0jBHEwb4AUul35cbYTtWrR3bo2t6rSwe6P2NKhTKRKMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2onV+Iu+miTAJBgcqhkjOPQQBA4GM
+ADCBiAJCAL5pU3X6NYWjOYe0cxrah27UxtUDLUNkFG/Ojl+gOH4QB0CKY0HXNyrq
+cgba73dXF/U0Cg3Ij/9g4Kd9GgYq0GlSAkIAqgqMKqXni8wbeGMJE2Mn2/8aHM3Q
+3flpHSoeNWOe/VzpRviw+VRgA4vbhhKUXBtQSiea77/DXLwOp5w7rkBoEUg=
+-----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/certs/daveCert.pem
new file mode 100644
index 000000000..075d8f1e5
--- /dev/null
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/certs/daveCert.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDCTCCAmygAwIBAgIBAzAJBgcqhkjOPQQBMEgxCzAJBgNVBAYTAkNIMRkwFwYD
+VQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJv
+b3QgQ0EwHhcNMDgwNjIyMTYxMzU5WhcNMTMwNjIxMTYxMzU5WjBeMQswCQYDVQQG
+EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEWMBQGA1UECxMNRUNEU0Eg
+Mzg0IGJpdDEcMBoGA1UEAxQTZGF2ZUBzdHJvbmdzd2FuLm9yZzB2MBAGByqGSM49
+AgEGBSuBBAAiA2IABPxEg8AaVNAwCXqg0p21Zc7YzPLA3voAWf233CZJpsjb1w3y
+IeTUeIeGU7aLWAyuXgeBsx+lKzWy00LzPELOgK+3ulTHzBZg7s8kMGhwPWfV4JLA
+zrso5+i64+Y4wvRCBaOCARMwggEPMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0G
+A1UdDgQWBBQxJAy8gaP3RNBt1WTD27/IMzANmTB4BgNVHSMEcTBvgBS6XflxthO1
+atHduja3qtLB7o/Y0qFMpEowSDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4
+IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3YW4gRUMgUm9vdCBDQYIJAPai
+dX4i76aJMB4GA1UdEQQXMBWBE2RhdmVAc3Ryb25nc3dhbi5vcmcwPAYDVR0fBDUw
+MzAxoC+gLYYraHR0cDovL2NybC5zdHJvbmdzd2FuLm9yZy9zdHJvbmdzd2FuX2Vj
+LmNybDAJBgcqhkjOPQQBA4GLADCBhwJCAZaqaroyGwqd7nb5dVVWjTK8glVzDFJH
+ru4F6R+7fDCGEOaFlxf4GRkSrvQQA8vfgo6Md9XjBwq0r+9s3xt5xJjJAkElSo1/
+wyn8KQ3XN07UIaMvPctipq2OgpfteQK/F81CtZ+YCLEQt3xT7NQpriaKwGQxJAQv
+g+Z+grJzTppAqpwRpg==
+-----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem
new file mode 100644
index 000000000..f628f88e5
--- /dev/null
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem
@@ -0,0 +1,6 @@
+-----BEGIN EC PRIVATE KEY-----
+MIGkAgEBBDCF8kl4ftfgcvWH2myFxhc22CUT63uPy28fqUMibnpRS/wf/pfxIrVX
++BhxpUhWS2agBwYFK4EEACKhZANiAAT8RIPAGlTQMAl6oNKdtWXO2MzywN76AFn9
+t9wmSabI29cN8iHk1HiHhlO2i1gMrl4HgbMfpSs1stNC8zxCzoCvt7pUx8wWYO7P
+JDBocD1n1eCSwM67KOfouuPmOML0QgU=
+-----END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.secrets b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..ebd3a2839
--- /dev/null
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: ECDSA daveKey.pem
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..e10230384
--- /dev/null
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl openssl random x509 pubkey hmac stroke kernel-netlink updown
+}
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..c932101d2
--- /dev/null
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn rw
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	leftfirewall=yes
+	right=%any
+	auto=add
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
new file mode 100644
index 000000000..3480a434a
--- /dev/null
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyDCCAiqgAwIBAgIJAPaidX4i76aJMAkGByqGSM49BAEwSDELMAkGA1UEBhMC
+Q0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3
+YW4gRUMgUm9vdCBDQTAeFw0wODA2MjIxNDM2MDZaFw0xODA2MjAxNDM2MDZaMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA
+BAEUx1NvjNKzbDHaRPMsqIf/6SbUpzBa78N/WIyF6rYj8e5McAqfTfzUfFJZYoQn
+/mbP3VfjOxRuMDjrlfvdgMxwkwFDigWQfHg3CJbS7eQjjO1MrxxIJUtfSTnF29tM
+h6IYMdxaZKloCGCOrpmGCGdxD2/KwoX1SA3BlnjaNt7kSTonkqOBujCBtzAPBgNV
+HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUul35cbYTtWrR3bo2
+t6rSwe6P2NIweAYDVR0jBHEwb4AUul35cbYTtWrR3bo2t6rSwe6P2NKhTKRKMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2onV+Iu+miTAJBgcqhkjOPQQBA4GM
+ADCBiAJCAL5pU3X6NYWjOYe0cxrah27UxtUDLUNkFG/Ojl+gOH4QB0CKY0HXNyrq
+cgba73dXF/U0Cg3Ij/9g4Kd9GgYq0GlSAkIAqgqMKqXni8wbeGMJE2Mn2/8aHM3Q
+3flpHSoeNWOe/VzpRviw+VRgA4vbhhKUXBtQSiea77/DXLwOp5w7rkBoEUg=
+-----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem
new file mode 100644
index 000000000..5178c7f38
--- /dev/null
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDMDCCApKgAwIBAgIBATAJBgcqhkjOPQQBMEgxCzAJBgNVBAYTAkNIMRkwFwYD
+VQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJv
+b3QgQ0EwHhcNMDgwNjIyMTQ0MzA3WhcNMTMwNjIxMTQ0MzA3WjBeMQswCQYDVQQG
+EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEWMBQGA1UECxMNRUNEU0Eg
+NTIxIGJpdDEcMBoGA1UEAxMTbW9vbi5zdHJvbmdzd2FuLm9yZzCBmzAQBgcqhkjO
+PQIBBgUrgQQAIwOBhgAEALmnl/PUy9v7Qsc914kdzY+TQ6VY2192oRoa9SkpxXrs
+5GnWSJoz3yinpPHdchH0UknKt/C2Ik2k7izDH/Zau5gNAD1PqBrYWtcP+sLnH1G9
+BTibraniAUSpSaDhiWrfTteRNWqkzZI37a6YfKcBZozQcvYMW1co15EwZTptqykX
+Eepuo4IBEzCCAQ8wCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFDVU
+Hzs47lOG0dHsezm6aFqdwJwfMHgGA1UdIwRxMG+AFLpd+XG2E7Vq0d26Nreq0sHu
+j9jSoUykSjBIMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dh
+bjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBSb290IENBggkA9qJ1fiLvpokwHgYD
+VR0RBBcwFYITbW9vbi5zdHJvbmdzd2FuLm9yZzA8BgNVHR8ENTAzMDGgL6Athito
+dHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAkGByqG
+SM49BAEDgYwAMIGIAkIBDgZs1pXvm8SwT9S1m6nIHwuZsJDsDri/PWM6NXdMUXEt
+l0p8cfq8PbJlK/0+eLz8Ec1zpWuF5vasFHkVhauHdnECQgEVuYTrlry9gAx7G4kH
+mne2yDxTclEDziWxPG4UkZbkGttf9eZlsXmNoX/Z/fojXxMYZaPqM3eOT2h6ezMD
+CI9WpQ==
+-----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem
new file mode 100644
index 000000000..beab0485f
--- /dev/null
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem
@@ -0,0 +1,7 @@
+-----BEGIN EC PRIVATE KEY-----
+MIHcAgEBBEIBrBxHEGICJRNkhm0HWfARp+dIzm6Lw7eCbQXNM6jSGL4DVNDVCV42
+yOKQqifWEcNWxO+wWtBaz91IF5hz/m4TbOGgBwYFK4EEACOhgYkDgYYABAC5p5fz
+1Mvb+0LHPdeJHc2Pk0OlWNtfdqEaGvUpKcV67ORp1kiaM98op6Tx3XIR9FJJyrfw
+tiJNpO4swx/2WruYDQA9T6ga2FrXD/rC5x9RvQU4m62p4gFEqUmg4Ylq307XkTVq
+pM2SN+2umHynAWaM0HL2DFtXKNeRMGU6baspFxHqbg==
+-----END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.secrets b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..1ef3eccb5
--- /dev/null
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: ECDSA moonKey.pem
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..e10230384
--- /dev/null
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl openssl random x509 pubkey hmac stroke kernel-netlink updown
+}
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/posttest.dat b/testing/tests/openssl-ikev2/ecdsa-certs/posttest.dat
new file mode 100644
index 000000000..7cebd7f25
--- /dev/null
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/pretest.dat b/testing/tests/openssl-ikev2/ecdsa-certs/pretest.dat
new file mode 100644
index 000000000..42e9d7c24
--- /dev/null
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/pretest.dat
@@ -0,0 +1,9 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/test.conf b/testing/tests/openssl-ikev2/ecdsa-certs/test.conf
new file mode 100644
index 000000000..70416826e
--- /dev/null
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/openssl-ikev2/rw-cert/description.txt b/testing/tests/openssl-ikev2/rw-cert/description.txt
new file mode 100644
index 000000000..0f721c52b
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-cert/description.txt
@@ -0,0 +1,12 @@
+The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>openssl</b>
+plugin based on the <b>OpenSSL</b> library for all cryptographical functions
+whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b> cryptographical
+plugins <b>aes des sha1 sha2 md5 gmp</b>.
+<p>
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
+to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
+Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
+the client <b>alice</b> behind the gateway <b>moon</b>.
+
diff --git a/testing/tests/openssl-ikev2/rw-cert/evaltest.dat b/testing/tests/openssl-ikev2/rw-cert/evaltest.dat
new file mode 100644
index 000000000..06a0f8cda
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-cert/evaltest.dat
@@ -0,0 +1,10 @@
+moon::ipsec statusall::rw.*ESTABLISHED::YES
+carol::ipsec statusall::home.*ESTABLISHED::YES
+dave::ipsec statusall::home.*ESTABLISHED::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+
diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..4a8baa3ae
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=3des-sha1-modp1536!
+
+conn home
+	left=PH_IP_CAROL
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..195bcf046
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,12 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl test-vectors openssl random x509 pubkey hmac stroke kernel-netlink updown
+}
+
+libstrongswan {
+  crypto_test {
+    on_add = yes
+  }
+}
+
diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..42f03aab3
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=aes256-sha256-modp2048!
+
+conn home
+	left=PH_IP_DAVE
+	leftcert=daveCert.pem
+	leftid=dave@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..f4b6dfdb9
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,12 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl test-vectors aes des sha1 sha2 md5 gmp random x509 pubkey hmac stroke kernel-netlink updown
+}
+
+libstrongswan {
+  crypto_test {
+    required = yes
+    on_add = yes
+  }
+}
diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..2e84f2e6a
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=aes256-sha256-modp2048,3des-sha1-modp1536!
+
+conn rw
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	leftfirewall=yes
+	right=%any
+	auto=add
diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..166e24e7c
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl test-vectors openssl random x509 pubkey hmac stroke kernel-netlink updown
+}
+
+libstrongswan {
+  crypto_test {
+    on_add = yes
+  }
+}
diff --git a/testing/tests/openssl-ikev2/rw-cert/posttest.dat b/testing/tests/openssl-ikev2/rw-cert/posttest.dat
new file mode 100644
index 000000000..7cebd7f25
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-cert/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/openssl-ikev2/rw-cert/pretest.dat b/testing/tests/openssl-ikev2/rw-cert/pretest.dat
new file mode 100644
index 000000000..42e9d7c24
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-cert/pretest.dat
@@ -0,0 +1,9 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/openssl-ikev2/rw-cert/test.conf b/testing/tests/openssl-ikev2/rw-cert/test.conf
new file mode 100644
index 000000000..70416826e
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-cert/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/openssl/ecdsa-certs/description.txt b/testing/tests/openssl/ecdsa-certs/description.txt
deleted file mode 100644
index 2c098d898..000000000
--- a/testing/tests/openssl/ecdsa-certs/description.txt
+++ /dev/null
@@ -1,11 +0,0 @@
-The hosts <b>carol</b>, <b>dave</b>, and <b>moon</b> use the <b>openssl</b> plugin
-based on the <b>OpenSSL</b> library for all cryptographical functions.
-<p>
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
-to gateway <b>moon</b>. The authentication is based on <b>ECDSA signatures</b>
-using <b>Elliptic Curve certificates</b>.
-Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
-automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
-In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
-the client <b>alice</b> behind the gateway <b>moon</b>.
-
diff --git a/testing/tests/openssl/ecdsa-certs/evaltest.dat b/testing/tests/openssl/ecdsa-certs/evaltest.dat
deleted file mode 100644
index a7243ce70..000000000
--- a/testing/tests/openssl/ecdsa-certs/evaltest.dat
+++ /dev/null
@@ -1,14 +0,0 @@
-moon::cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA-256 signature successful
-moon::cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with ECDSA-384 signature successful
-carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA-521 signature successful
-dave::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA-521 signature successful
-moon::ipsec statusall::rw.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-dave::ipsec statusall::home.*ESTABLISHED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-
diff --git a/testing/tests/openssl/ecdsa-certs/hosts/carol/etc/ipsec.conf b/testing/tests/openssl/ecdsa-certs/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index 4f6fdc567..000000000
--- a/testing/tests/openssl/ecdsa-certs/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-	authby=ecdsasig
-
-conn home
-	left=PH_IP_CAROL
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/openssl/ecdsa-certs/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl/ecdsa-certs/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
deleted file mode 100644
index 3480a434a..000000000
--- a/testing/tests/openssl/ecdsa-certs/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
+++ /dev/null
@@ -1,17 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICyDCCAiqgAwIBAgIJAPaidX4i76aJMAkGByqGSM49BAEwSDELMAkGA1UEBhMC
-Q0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3
-YW4gRUMgUm9vdCBDQTAeFw0wODA2MjIxNDM2MDZaFw0xODA2MjAxNDM2MDZaMEgx
-CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
-ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA
-BAEUx1NvjNKzbDHaRPMsqIf/6SbUpzBa78N/WIyF6rYj8e5McAqfTfzUfFJZYoQn
-/mbP3VfjOxRuMDjrlfvdgMxwkwFDigWQfHg3CJbS7eQjjO1MrxxIJUtfSTnF29tM
-h6IYMdxaZKloCGCOrpmGCGdxD2/KwoX1SA3BlnjaNt7kSTonkqOBujCBtzAPBgNV
-HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUul35cbYTtWrR3bo2
-t6rSwe6P2NIweAYDVR0jBHEwb4AUul35cbYTtWrR3bo2t6rSwe6P2NKhTKRKMEgx
-CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
-ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2onV+Iu+miTAJBgcqhkjOPQQBA4GM
-ADCBiAJCAL5pU3X6NYWjOYe0cxrah27UxtUDLUNkFG/Ojl+gOH4QB0CKY0HXNyrq
-cgba73dXF/U0Cg3Ij/9g4Kd9GgYq0GlSAkIAqgqMKqXni8wbeGMJE2Mn2/8aHM3Q
-3flpHSoeNWOe/VzpRviw+VRgA4vbhhKUXBtQSiea77/DXLwOp5w7rkBoEUg=
------END CERTIFICATE-----
diff --git a/testing/tests/openssl/ecdsa-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/openssl/ecdsa-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem
deleted file mode 100644
index 29709926a..000000000
--- a/testing/tests/openssl/ecdsa-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem
+++ /dev/null
@@ -1,18 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIC7zCCAlGgAwIBAgIBBDAJBgcqhkjOPQQBMEgxCzAJBgNVBAYTAkNIMRkwFwYD
-VQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJv
-b3QgQ0EwHhcNMDgwNjIyMTYyOTE4WhcNMTMwNjIxMTYyOTE4WjBfMQswCQYDVQQG
-EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEWMBQGA1UECxMNRUNEU0Eg
-MjU2IGJpdDEdMBsGA1UEAxQUY2Fyb2xAc3Ryb25nc3dhbi5vcmcwWTATBgcqhkjO
-PQIBBggqhkjOPQMBBwNCAAQgp/Z/GgzvVCDdVcIYqERml0KroZEaVqiF8uy8dlTS
-4mxNs6snDdEWh/LzXTd3NVnCihT2XgHxOk8NrX4hBMMYo4IBFDCCARAwCQYDVR0T
-BAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFLdhGhurno1dU2SMx7UGXpa/lgJ9
-MHgGA1UdIwRxMG+AFLpd+XG2E7Vq0d26Nreq0sHuj9jSoUykSjBIMQswCQYDVQQG
-EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25n
-U3dhbiBFQyBSb290IENBggkA9qJ1fiLvpokwHwYDVR0RBBgwFoEUY2Fyb2xAc3Ry
-b25nc3dhbi5vcmcwPAYDVR0fBDUwMzAxoC+gLYYraHR0cDovL2NybC5zdHJvbmdz
-d2FuLm9yZy9zdHJvbmdzd2FuX2VjLmNybDAJBgcqhkjOPQQBA4GMADCBiAJCATa+
-sBFW3vCx/JgLyxU85F2QuLO0/zdNBhIU0kN7kr1cYBBr8mpbhuNKm6iFe2DsFJZx
-ii3DQjwvG46is2Njzi4vAkIA72lPodCDtAFpD/2PUxjzo6xTAFazUejobkdDTUXn
-s0f8qIzzeQuTwLbp6pDmR/JGzhAeRvQT82njCo0PJ8Hbz1c=
------END CERTIFICATE-----
diff --git a/testing/tests/openssl/ecdsa-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/openssl/ecdsa-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem
deleted file mode 100644
index 5f21c1012..000000000
--- a/testing/tests/openssl/ecdsa-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem
+++ /dev/null
@@ -1,8 +0,0 @@
------BEGIN EC PRIVATE KEY-----
-Proc-Type: 4,ENCRYPTED
-DEK-Info: AES-128-CBC,F36088B0517117B50C1A436E5C84526E
-
-Zulq4O8x8i4P2I8+Ewe2pPJT8K2kzX9JjGhquFKaZdEG1YmXqIdMz41DA1b9cQjt
-KJstY10Gzc/C6Hv9v/ljfplcnumYBFdFsqvQ/Z0xh/G9u/J1gXjghhrQCUXbFble
-RVSwozA9IcCC9yQdhYyazF+85DR+p8AyQ5w2unOvuOk=
------END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl/ecdsa-certs/hosts/carol/etc/ipsec.secrets b/testing/tests/openssl/ecdsa-certs/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index 4e53ef91a..000000000
--- a/testing/tests/openssl/ecdsa-certs/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: ECDSA carolKey.pem "nH5ZQEWtku0RJEZ6"
diff --git a/testing/tests/openssl/ecdsa-certs/hosts/carol/etc/strongswan.conf b/testing/tests/openssl/ecdsa-certs/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index e10230384..000000000
--- a/testing/tests/openssl/ecdsa-certs/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = curl openssl random x509 pubkey hmac stroke kernel-netlink updown
-}
diff --git a/testing/tests/openssl/ecdsa-certs/hosts/dave/etc/ipsec.conf b/testing/tests/openssl/ecdsa-certs/hosts/dave/etc/ipsec.conf
deleted file mode 100755
index 3138458ed..000000000
--- a/testing/tests/openssl/ecdsa-certs/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-	authby=ecdsasig
-
-conn home
-	left=PH_IP_DAVE
-	leftcert=daveCert.pem
-	leftid=dave@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/openssl/ecdsa-certs/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl/ecdsa-certs/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem
deleted file mode 100644
index 3480a434a..000000000
--- a/testing/tests/openssl/ecdsa-certs/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem
+++ /dev/null
@@ -1,17 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICyDCCAiqgAwIBAgIJAPaidX4i76aJMAkGByqGSM49BAEwSDELMAkGA1UEBhMC
-Q0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3
-YW4gRUMgUm9vdCBDQTAeFw0wODA2MjIxNDM2MDZaFw0xODA2MjAxNDM2MDZaMEgx
-CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
-ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA
-BAEUx1NvjNKzbDHaRPMsqIf/6SbUpzBa78N/WIyF6rYj8e5McAqfTfzUfFJZYoQn
-/mbP3VfjOxRuMDjrlfvdgMxwkwFDigWQfHg3CJbS7eQjjO1MrxxIJUtfSTnF29tM
-h6IYMdxaZKloCGCOrpmGCGdxD2/KwoX1SA3BlnjaNt7kSTonkqOBujCBtzAPBgNV
-HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUul35cbYTtWrR3bo2
-t6rSwe6P2NIweAYDVR0jBHEwb4AUul35cbYTtWrR3bo2t6rSwe6P2NKhTKRKMEgx
-CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
-ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2onV+Iu+miTAJBgcqhkjOPQQBA4GM
-ADCBiAJCAL5pU3X6NYWjOYe0cxrah27UxtUDLUNkFG/Ojl+gOH4QB0CKY0HXNyrq
-cgba73dXF/U0Cg3Ij/9g4Kd9GgYq0GlSAkIAqgqMKqXni8wbeGMJE2Mn2/8aHM3Q
-3flpHSoeNWOe/VzpRviw+VRgA4vbhhKUXBtQSiea77/DXLwOp5w7rkBoEUg=
------END CERTIFICATE-----
diff --git a/testing/tests/openssl/ecdsa-certs/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/openssl/ecdsa-certs/hosts/dave/etc/ipsec.d/certs/daveCert.pem
deleted file mode 100644
index 075d8f1e5..000000000
--- a/testing/tests/openssl/ecdsa-certs/hosts/dave/etc/ipsec.d/certs/daveCert.pem
+++ /dev/null
@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDCTCCAmygAwIBAgIBAzAJBgcqhkjOPQQBMEgxCzAJBgNVBAYTAkNIMRkwFwYD
-VQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJv
-b3QgQ0EwHhcNMDgwNjIyMTYxMzU5WhcNMTMwNjIxMTYxMzU5WjBeMQswCQYDVQQG
-EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEWMBQGA1UECxMNRUNEU0Eg
-Mzg0IGJpdDEcMBoGA1UEAxQTZGF2ZUBzdHJvbmdzd2FuLm9yZzB2MBAGByqGSM49
-AgEGBSuBBAAiA2IABPxEg8AaVNAwCXqg0p21Zc7YzPLA3voAWf233CZJpsjb1w3y
-IeTUeIeGU7aLWAyuXgeBsx+lKzWy00LzPELOgK+3ulTHzBZg7s8kMGhwPWfV4JLA
-zrso5+i64+Y4wvRCBaOCARMwggEPMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0G
-A1UdDgQWBBQxJAy8gaP3RNBt1WTD27/IMzANmTB4BgNVHSMEcTBvgBS6XflxthO1
-atHduja3qtLB7o/Y0qFMpEowSDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4
-IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3YW4gRUMgUm9vdCBDQYIJAPai
-dX4i76aJMB4GA1UdEQQXMBWBE2RhdmVAc3Ryb25nc3dhbi5vcmcwPAYDVR0fBDUw
-MzAxoC+gLYYraHR0cDovL2NybC5zdHJvbmdzd2FuLm9yZy9zdHJvbmdzd2FuX2Vj
-LmNybDAJBgcqhkjOPQQBA4GLADCBhwJCAZaqaroyGwqd7nb5dVVWjTK8glVzDFJH
-ru4F6R+7fDCGEOaFlxf4GRkSrvQQA8vfgo6Md9XjBwq0r+9s3xt5xJjJAkElSo1/
-wyn8KQ3XN07UIaMvPctipq2OgpfteQK/F81CtZ+YCLEQt3xT7NQpriaKwGQxJAQv
-g+Z+grJzTppAqpwRpg==
------END CERTIFICATE-----
diff --git a/testing/tests/openssl/ecdsa-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/openssl/ecdsa-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem
deleted file mode 100644
index f628f88e5..000000000
--- a/testing/tests/openssl/ecdsa-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem
+++ /dev/null
@@ -1,6 +0,0 @@
------BEGIN EC PRIVATE KEY-----
-MIGkAgEBBDCF8kl4ftfgcvWH2myFxhc22CUT63uPy28fqUMibnpRS/wf/pfxIrVX
-+BhxpUhWS2agBwYFK4EEACKhZANiAAT8RIPAGlTQMAl6oNKdtWXO2MzywN76AFn9
-t9wmSabI29cN8iHk1HiHhlO2i1gMrl4HgbMfpSs1stNC8zxCzoCvt7pUx8wWYO7P
-JDBocD1n1eCSwM67KOfouuPmOML0QgU=
------END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl/ecdsa-certs/hosts/dave/etc/ipsec.secrets b/testing/tests/openssl/ecdsa-certs/hosts/dave/etc/ipsec.secrets
deleted file mode 100644
index ebd3a2839..000000000
--- a/testing/tests/openssl/ecdsa-certs/hosts/dave/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: ECDSA daveKey.pem
diff --git a/testing/tests/openssl/ecdsa-certs/hosts/dave/etc/strongswan.conf b/testing/tests/openssl/ecdsa-certs/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index e10230384..000000000
--- a/testing/tests/openssl/ecdsa-certs/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = curl openssl random x509 pubkey hmac stroke kernel-netlink updown
-}
diff --git a/testing/tests/openssl/ecdsa-certs/hosts/moon/etc/ipsec.conf b/testing/tests/openssl/ecdsa-certs/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index 892e0c39b..000000000
--- a/testing/tests/openssl/ecdsa-certs/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-	authby=ecdsasig
-
-conn rw
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftsubnet=10.1.0.0/16
-	leftfirewall=yes
-	right=%any
-	auto=add
diff --git a/testing/tests/openssl/ecdsa-certs/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl/ecdsa-certs/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
deleted file mode 100644
index 3480a434a..000000000
--- a/testing/tests/openssl/ecdsa-certs/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
+++ /dev/null
@@ -1,17 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICyDCCAiqgAwIBAgIJAPaidX4i76aJMAkGByqGSM49BAEwSDELMAkGA1UEBhMC
-Q0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3
-YW4gRUMgUm9vdCBDQTAeFw0wODA2MjIxNDM2MDZaFw0xODA2MjAxNDM2MDZaMEgx
-CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
-ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA
-BAEUx1NvjNKzbDHaRPMsqIf/6SbUpzBa78N/WIyF6rYj8e5McAqfTfzUfFJZYoQn
-/mbP3VfjOxRuMDjrlfvdgMxwkwFDigWQfHg3CJbS7eQjjO1MrxxIJUtfSTnF29tM
-h6IYMdxaZKloCGCOrpmGCGdxD2/KwoX1SA3BlnjaNt7kSTonkqOBujCBtzAPBgNV
-HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUul35cbYTtWrR3bo2
-t6rSwe6P2NIweAYDVR0jBHEwb4AUul35cbYTtWrR3bo2t6rSwe6P2NKhTKRKMEgx
-CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
-ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2onV+Iu+miTAJBgcqhkjOPQQBA4GM
-ADCBiAJCAL5pU3X6NYWjOYe0cxrah27UxtUDLUNkFG/Ojl+gOH4QB0CKY0HXNyrq
-cgba73dXF/U0Cg3Ij/9g4Kd9GgYq0GlSAkIAqgqMKqXni8wbeGMJE2Mn2/8aHM3Q
-3flpHSoeNWOe/VzpRviw+VRgA4vbhhKUXBtQSiea77/DXLwOp5w7rkBoEUg=
------END CERTIFICATE-----
diff --git a/testing/tests/openssl/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/openssl/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem
deleted file mode 100644
index 5178c7f38..000000000
--- a/testing/tests/openssl/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem
+++ /dev/null
@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDMDCCApKgAwIBAgIBATAJBgcqhkjOPQQBMEgxCzAJBgNVBAYTAkNIMRkwFwYD
-VQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJv
-b3QgQ0EwHhcNMDgwNjIyMTQ0MzA3WhcNMTMwNjIxMTQ0MzA3WjBeMQswCQYDVQQG
-EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEWMBQGA1UECxMNRUNEU0Eg
-NTIxIGJpdDEcMBoGA1UEAxMTbW9vbi5zdHJvbmdzd2FuLm9yZzCBmzAQBgcqhkjO
-PQIBBgUrgQQAIwOBhgAEALmnl/PUy9v7Qsc914kdzY+TQ6VY2192oRoa9SkpxXrs
-5GnWSJoz3yinpPHdchH0UknKt/C2Ik2k7izDH/Zau5gNAD1PqBrYWtcP+sLnH1G9
-BTibraniAUSpSaDhiWrfTteRNWqkzZI37a6YfKcBZozQcvYMW1co15EwZTptqykX
-Eepuo4IBEzCCAQ8wCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFDVU
-Hzs47lOG0dHsezm6aFqdwJwfMHgGA1UdIwRxMG+AFLpd+XG2E7Vq0d26Nreq0sHu
-j9jSoUykSjBIMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dh
-bjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBSb290IENBggkA9qJ1fiLvpokwHgYD
-VR0RBBcwFYITbW9vbi5zdHJvbmdzd2FuLm9yZzA8BgNVHR8ENTAzMDGgL6Athito
-dHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAkGByqG
-SM49BAEDgYwAMIGIAkIBDgZs1pXvm8SwT9S1m6nIHwuZsJDsDri/PWM6NXdMUXEt
-l0p8cfq8PbJlK/0+eLz8Ec1zpWuF5vasFHkVhauHdnECQgEVuYTrlry9gAx7G4kH
-mne2yDxTclEDziWxPG4UkZbkGttf9eZlsXmNoX/Z/fojXxMYZaPqM3eOT2h6ezMD
-CI9WpQ==
------END CERTIFICATE-----
diff --git a/testing/tests/openssl/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/openssl/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem
deleted file mode 100644
index beab0485f..000000000
--- a/testing/tests/openssl/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem
+++ /dev/null
@@ -1,7 +0,0 @@
------BEGIN EC PRIVATE KEY-----
-MIHcAgEBBEIBrBxHEGICJRNkhm0HWfARp+dIzm6Lw7eCbQXNM6jSGL4DVNDVCV42
-yOKQqifWEcNWxO+wWtBaz91IF5hz/m4TbOGgBwYFK4EEACOhgYkDgYYABAC5p5fz
-1Mvb+0LHPdeJHc2Pk0OlWNtfdqEaGvUpKcV67ORp1kiaM98op6Tx3XIR9FJJyrfw
-tiJNpO4swx/2WruYDQA9T6ga2FrXD/rC5x9RvQU4m62p4gFEqUmg4Ylq307XkTVq
-pM2SN+2umHynAWaM0HL2DFtXKNeRMGU6baspFxHqbg==
------END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl/ecdsa-certs/hosts/moon/etc/ipsec.secrets b/testing/tests/openssl/ecdsa-certs/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index 1ef3eccb5..000000000
--- a/testing/tests/openssl/ecdsa-certs/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: ECDSA moonKey.pem
diff --git a/testing/tests/openssl/ecdsa-certs/hosts/moon/etc/strongswan.conf b/testing/tests/openssl/ecdsa-certs/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index e10230384..000000000
--- a/testing/tests/openssl/ecdsa-certs/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = curl openssl random x509 pubkey hmac stroke kernel-netlink updown
-}
diff --git a/testing/tests/openssl/ecdsa-certs/posttest.dat b/testing/tests/openssl/ecdsa-certs/posttest.dat
deleted file mode 100644
index 7cebd7f25..000000000
--- a/testing/tests/openssl/ecdsa-certs/posttest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/openssl/ecdsa-certs/pretest.dat b/testing/tests/openssl/ecdsa-certs/pretest.dat
deleted file mode 100644
index 42e9d7c24..000000000
--- a/testing/tests/openssl/ecdsa-certs/pretest.dat
+++ /dev/null
@@ -1,9 +0,0 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-carol::sleep 1
-carol::ipsec up home
-dave::ipsec up home
diff --git a/testing/tests/openssl/ecdsa-certs/test.conf b/testing/tests/openssl/ecdsa-certs/test.conf
deleted file mode 100644
index 70416826e..000000000
--- a/testing/tests/openssl/ecdsa-certs/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w-d.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/openssl/ike-alg-ecp-high/description.txt b/testing/tests/openssl/ike-alg-ecp-high/description.txt
deleted file mode 100644
index b8efbe87e..000000000
--- a/testing/tests/openssl/ike-alg-ecp-high/description.txt
+++ /dev/null
@@ -1,17 +0,0 @@
-The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>openssl</b>
-plugin based on the <b>OpenSSL</b> library for all cryptographical functions
-whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b> cryptographical
-plugins <b>aes des sha1 sha2 md5 gmp</b> plus the <b>openssl</b> plugin for 
-the Elliptic Curve Diffie-Hellman groups only.
-<p>
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
-to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
-<b>carol</b> proposes the DH groups ECP_256 and ECP_384 whereas <b>dave</b> proposes
-ECP_256 and ECP_521. Since <b>moon</b> does not support ECP_256 the roadwarriors
-fall back to ECP_384 and ECP_521, respectively.
-<p>
-Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
-automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
-In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
-the client <b>alice</b> behind the gateway <b>moon</b>.
-
diff --git a/testing/tests/openssl/ike-alg-ecp-high/evaltest.dat b/testing/tests/openssl/ike-alg-ecp-high/evaltest.dat
deleted file mode 100644
index c9055f89c..000000000
--- a/testing/tests/openssl/ike-alg-ecp-high/evaltest.dat
+++ /dev/null
@@ -1,14 +0,0 @@
-carol::cat /var/log/daemon.log::ECP_256_BIT.*ECP_384_BIT::YES
-dave::cat /var/log/daemon.log::ECP_256_BIT.*ECP_521_BIT::YES
-moon::ipsec statusall::rw.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-carol::ipsec statusall::home.*AES_CBC-192/AUTH_HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384_BIT::YES
-dave::ipsec statusall::home.*ESTABLISHED::YES
-dave::ipsec statusall::home.*AES_CBC-256/AUTH_HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_521_BIT::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-
diff --git a/testing/tests/openssl/ike-alg-ecp-high/hosts/carol/etc/ipsec.conf b/testing/tests/openssl/ike-alg-ecp-high/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index 0550a09b4..000000000
--- a/testing/tests/openssl/ike-alg-ecp-high/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-	ike=aes192-sha384-ecp256,aes192-sha384-ecp384!
-
-conn home
-	left=PH_IP_CAROL
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/openssl/ike-alg-ecp-high/hosts/carol/etc/strongswan.conf b/testing/tests/openssl/ike-alg-ecp-high/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index e10230384..000000000
--- a/testing/tests/openssl/ike-alg-ecp-high/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = curl openssl random x509 pubkey hmac stroke kernel-netlink updown
-}
diff --git a/testing/tests/openssl/ike-alg-ecp-high/hosts/dave/etc/ipsec.conf b/testing/tests/openssl/ike-alg-ecp-high/hosts/dave/etc/ipsec.conf
deleted file mode 100755
index 22026fc36..000000000
--- a/testing/tests/openssl/ike-alg-ecp-high/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-	ike=aes256-sha512-ecp256,aes256-sha512-ecp521!
-
-conn home
-	left=PH_IP_DAVE
-	leftcert=daveCert.pem
-	leftid=dave@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/openssl/ike-alg-ecp-high/hosts/dave/etc/strongswan.conf b/testing/tests/openssl/ike-alg-ecp-high/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index 7ffdcc204..000000000
--- a/testing/tests/openssl/ike-alg-ecp-high/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = curl aes des sha1 sha2 md5 gmp openssl random x509 pubkey hmac stroke kernel-netlink updown
-}
diff --git a/testing/tests/openssl/ike-alg-ecp-high/hosts/moon/etc/ipsec.conf b/testing/tests/openssl/ike-alg-ecp-high/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index ffe13d259..000000000
--- a/testing/tests/openssl/ike-alg-ecp-high/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-	ike=aes192-sha384-ecp384,aes256-sha512-ecp521!
-
-conn rw
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftsubnet=10.1.0.0/16
-	leftfirewall=yes
-	right=%any
-	auto=add
diff --git a/testing/tests/openssl/ike-alg-ecp-high/hosts/moon/etc/strongswan.conf b/testing/tests/openssl/ike-alg-ecp-high/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index e10230384..000000000
--- a/testing/tests/openssl/ike-alg-ecp-high/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = curl openssl random x509 pubkey hmac stroke kernel-netlink updown
-}
diff --git a/testing/tests/openssl/ike-alg-ecp-high/posttest.dat b/testing/tests/openssl/ike-alg-ecp-high/posttest.dat
deleted file mode 100644
index 7cebd7f25..000000000
--- a/testing/tests/openssl/ike-alg-ecp-high/posttest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/openssl/ike-alg-ecp-high/pretest.dat b/testing/tests/openssl/ike-alg-ecp-high/pretest.dat
deleted file mode 100644
index 42e9d7c24..000000000
--- a/testing/tests/openssl/ike-alg-ecp-high/pretest.dat
+++ /dev/null
@@ -1,9 +0,0 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-carol::sleep 1
-carol::ipsec up home
-dave::ipsec up home
diff --git a/testing/tests/openssl/ike-alg-ecp-high/test.conf b/testing/tests/openssl/ike-alg-ecp-high/test.conf
deleted file mode 100644
index 70416826e..000000000
--- a/testing/tests/openssl/ike-alg-ecp-high/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w-d.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/openssl/ike-alg-ecp-low/description.txt b/testing/tests/openssl/ike-alg-ecp-low/description.txt
deleted file mode 100644
index 4f043e7d9..000000000
--- a/testing/tests/openssl/ike-alg-ecp-low/description.txt
+++ /dev/null
@@ -1,17 +0,0 @@
-The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>openssl</b>
-plugin based on the <b>OpenSSL</b> library for all cryptographical functions
-whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b> cryptographical
-plugins <b>aes des sha1 sha2 md5 gmp</b> plus the <b>openssl</b> plugin for 
-the Elliptic Curve Diffie-Hellman groups only.
-<p>
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
-to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
-<b>carol</b> proposes the DH groups ECP_192 and ECP_224 whereas <b>dave</b> proposes
-ECP_192 and ECP_256. Since <b>moon</b> does not support ECP_192 the roadwarriors
-fall back to ECP_224 and ECP_256, respectively.
-<p>
-Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
-automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
-In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
-the client <b>alice</b> behind the gateway <b>moon</b>.
-
diff --git a/testing/tests/openssl/ike-alg-ecp-low/evaltest.dat b/testing/tests/openssl/ike-alg-ecp-low/evaltest.dat
deleted file mode 100644
index dc417c21f..000000000
--- a/testing/tests/openssl/ike-alg-ecp-low/evaltest.dat
+++ /dev/null
@@ -1,14 +0,0 @@
-carol::cat /var/log/daemon.log::ECP_192_BIT.*ECP_224_BIT::YES
-dave::cat /var/log/daemon.log::ECP_192_BIT.*ECP_256_BIT::YES
-moon::ipsec statusall::rw.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-carol::ipsec statusall::home.*AES_CBC-128/AUTH_HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_224_BIT::YES
-dave::ipsec statusall::home.*ESTABLISHED::YES
-dave::ipsec statusall::home.*AES_CBC-128/AUTH_HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256_BIT::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-
diff --git a/testing/tests/openssl/ike-alg-ecp-low/hosts/carol/etc/ipsec.conf b/testing/tests/openssl/ike-alg-ecp-low/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index 6a15b3f54..000000000
--- a/testing/tests/openssl/ike-alg-ecp-low/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-	ike=aes128-sha256-ecp192,aes128-sha256-ecp224!
-
-conn home
-	left=PH_IP_CAROL
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/openssl/ike-alg-ecp-low/hosts/carol/etc/strongswan.conf b/testing/tests/openssl/ike-alg-ecp-low/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index e10230384..000000000
--- a/testing/tests/openssl/ike-alg-ecp-low/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = curl openssl random x509 pubkey hmac stroke kernel-netlink updown
-}
diff --git a/testing/tests/openssl/ike-alg-ecp-low/hosts/dave/etc/ipsec.conf b/testing/tests/openssl/ike-alg-ecp-low/hosts/dave/etc/ipsec.conf
deleted file mode 100755
index b4bdf456f..000000000
--- a/testing/tests/openssl/ike-alg-ecp-low/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-	ike=aes128-sha256-ecp192,aes128-sha256-ecp256!
-
-conn home
-	left=PH_IP_DAVE
-	leftcert=daveCert.pem
-	leftid=dave@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/openssl/ike-alg-ecp-low/hosts/dave/etc/strongswan.conf b/testing/tests/openssl/ike-alg-ecp-low/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index 7ffdcc204..000000000
--- a/testing/tests/openssl/ike-alg-ecp-low/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = curl aes des sha1 sha2 md5 gmp openssl random x509 pubkey hmac stroke kernel-netlink updown
-}
diff --git a/testing/tests/openssl/ike-alg-ecp-low/hosts/moon/etc/ipsec.conf b/testing/tests/openssl/ike-alg-ecp-low/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index 64ec0f12c..000000000
--- a/testing/tests/openssl/ike-alg-ecp-low/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-	ike=aes128-sha256-ecp224,aes128-sha256-ecp256!
-
-conn rw
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftsubnet=10.1.0.0/16
-	leftfirewall=yes
-	right=%any
-	auto=add
diff --git a/testing/tests/openssl/ike-alg-ecp-low/hosts/moon/etc/strongswan.conf b/testing/tests/openssl/ike-alg-ecp-low/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index e10230384..000000000
--- a/testing/tests/openssl/ike-alg-ecp-low/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = curl openssl random x509 pubkey hmac stroke kernel-netlink updown
-}
diff --git a/testing/tests/openssl/ike-alg-ecp-low/posttest.dat b/testing/tests/openssl/ike-alg-ecp-low/posttest.dat
deleted file mode 100644
index 7cebd7f25..000000000
--- a/testing/tests/openssl/ike-alg-ecp-low/posttest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/openssl/ike-alg-ecp-low/pretest.dat b/testing/tests/openssl/ike-alg-ecp-low/pretest.dat
deleted file mode 100644
index 42e9d7c24..000000000
--- a/testing/tests/openssl/ike-alg-ecp-low/pretest.dat
+++ /dev/null
@@ -1,9 +0,0 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-carol::sleep 1
-carol::ipsec up home
-dave::ipsec up home
diff --git a/testing/tests/openssl/ike-alg-ecp-low/test.conf b/testing/tests/openssl/ike-alg-ecp-low/test.conf
deleted file mode 100644
index 70416826e..000000000
--- a/testing/tests/openssl/ike-alg-ecp-low/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w-d.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/openssl/rw-cert/description.txt b/testing/tests/openssl/rw-cert/description.txt
deleted file mode 100644
index 0f721c52b..000000000
--- a/testing/tests/openssl/rw-cert/description.txt
+++ /dev/null
@@ -1,12 +0,0 @@
-The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>openssl</b>
-plugin based on the <b>OpenSSL</b> library for all cryptographical functions
-whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b> cryptographical
-plugins <b>aes des sha1 sha2 md5 gmp</b>.
-<p>
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
-to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
-Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
-automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
-In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
-the client <b>alice</b> behind the gateway <b>moon</b>.
-
diff --git a/testing/tests/openssl/rw-cert/evaltest.dat b/testing/tests/openssl/rw-cert/evaltest.dat
deleted file mode 100644
index 06a0f8cda..000000000
--- a/testing/tests/openssl/rw-cert/evaltest.dat
+++ /dev/null
@@ -1,10 +0,0 @@
-moon::ipsec statusall::rw.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-dave::ipsec statusall::home.*ESTABLISHED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-
diff --git a/testing/tests/openssl/rw-cert/hosts/carol/etc/ipsec.conf b/testing/tests/openssl/rw-cert/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index 4a8baa3ae..000000000
--- a/testing/tests/openssl/rw-cert/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-	ike=3des-sha1-modp1536!
-
-conn home
-	left=PH_IP_CAROL
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/openssl/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/openssl/rw-cert/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index e10230384..000000000
--- a/testing/tests/openssl/rw-cert/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = curl openssl random x509 pubkey hmac stroke kernel-netlink updown
-}
diff --git a/testing/tests/openssl/rw-cert/hosts/dave/etc/ipsec.conf b/testing/tests/openssl/rw-cert/hosts/dave/etc/ipsec.conf
deleted file mode 100755
index 42f03aab3..000000000
--- a/testing/tests/openssl/rw-cert/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-	ike=aes256-sha256-modp2048!
-
-conn home
-	left=PH_IP_DAVE
-	leftcert=daveCert.pem
-	leftid=dave@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/openssl/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/openssl/rw-cert/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index d46082bdd..000000000
--- a/testing/tests/openssl/rw-cert/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac stroke kernel-netlink updown
-}
diff --git a/testing/tests/openssl/rw-cert/hosts/moon/etc/ipsec.conf b/testing/tests/openssl/rw-cert/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index 2e84f2e6a..000000000
--- a/testing/tests/openssl/rw-cert/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-	ike=aes256-sha256-modp2048,3des-sha1-modp1536!
-
-conn rw
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftsubnet=10.1.0.0/16
-	leftfirewall=yes
-	right=%any
-	auto=add
diff --git a/testing/tests/openssl/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/openssl/rw-cert/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index e10230384..000000000
--- a/testing/tests/openssl/rw-cert/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = curl openssl random x509 pubkey hmac stroke kernel-netlink updown
-}
diff --git a/testing/tests/openssl/rw-cert/posttest.dat b/testing/tests/openssl/rw-cert/posttest.dat
deleted file mode 100644
index 7cebd7f25..000000000
--- a/testing/tests/openssl/rw-cert/posttest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/openssl/rw-cert/pretest.dat b/testing/tests/openssl/rw-cert/pretest.dat
deleted file mode 100644
index 42e9d7c24..000000000
--- a/testing/tests/openssl/rw-cert/pretest.dat
+++ /dev/null
@@ -1,9 +0,0 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-carol::sleep 1
-carol::ipsec up home
-dave::ipsec up home
diff --git a/testing/tests/openssl/rw-cert/test.conf b/testing/tests/openssl/rw-cert/test.conf
deleted file mode 100644
index 70416826e..000000000
--- a/testing/tests/openssl/rw-cert/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w-d.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/pfkey/alg-aes-xcbc/description.txt b/testing/tests/pfkey/alg-aes-xcbc/description.txt
index 24a4afe57..cce0e1cd6 100644
--- a/testing/tests/pfkey/alg-aes-xcbc/description.txt
+++ b/testing/tests/pfkey/alg-aes-xcbc/description.txt
@@ -1,4 +1,4 @@
 Roadwarrior <b>carol</b> proposes  to gateway <b>moon</b> the ESP cipher suite
-<b>AES_CBC-256/AES_XCBC_96</b> by defining <b>esp=aes256-aesxcbc-modp2048</b>
+<b>AES_CBC_256 / AES_XCBC_96</b> by defining <b>esp=aes256-aesxcbc-modp2048</b>
 in ipsec.conf. The same cipher suite is used for IKE: <b>ike=aes256-aesxcbc-modp2048</b>.
 A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/pfkey/alg-aes-xcbc/evaltest.dat b/testing/tests/pfkey/alg-aes-xcbc/evaltest.dat
index 853746cd4..5217c18df 100644
--- a/testing/tests/pfkey/alg-aes-xcbc/evaltest.dat
+++ b/testing/tests/pfkey/alg-aes-xcbc/evaltest.dat
@@ -1,9 +1,9 @@
 moon::ipsec statusall::rw.*INSTALLED::YES
 carol::ipsec statusall::home.*INSTALLED::YES
-moon::ipsec statusall::rw.*IKE proposal.*AES_CBC-256/AES_XCBC_96/PRF_AES128_CBC/MODP_2048_BIT::YES
-carol::ipsec statusall::home.*IKE proposal.*AES_CBC-256/AES_XCBC_96/PRF_AES128_CBC/MODP_2048_BIT::YES
-moon::ipsec statusall::rw.*AES_CBC-256/AES_XCBC_96,::YES
-carol::ipsec statusall::home.*AES_CBC-256/AES_XCBC_96,::YES
+moon::ipsec statusall::rw.*IKE proposal.*AES_CBC_256/AES_XCBC_96/PRF_AES128_XCBC/MODP_2048::YES
+carol::ipsec statusall::home.*IKE proposal.*AES_CBC_256/AES_XCBC_96/PRF_AES128_XCBC/MODP_2048::YES
+moon::ipsec statusall::rw.*AES_CBC_256/AES_XCBC_96,::YES
+carol::ipsec statusall::home.*AES_CBC_256/AES_XCBC_96,::YES
 moon::ip xfrm state::auth xcbc(aes)::YES
 carol::ip xfrm state::auth xcbc(aes)::YES
 carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
diff --git a/testing/tests/pfkey/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/pfkey/rw-cert/hosts/carol/etc/strongswan.conf
index db6fa7486..2f3bc449a 100644
--- a/testing/tests/pfkey/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/pfkey/rw-cert/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,11 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-pfkey kernel-netlink updown
+  load = curl test-vectors aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-pfkey kernel-netlink updown
+}
+
+libstrongswan {
+  crypto_test {
+    on_add = yes
+  }
 }
diff --git a/testing/tests/pfkey/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/pfkey/rw-cert/hosts/dave/etc/strongswan.conf
index db6fa7486..2f3bc449a 100644
--- a/testing/tests/pfkey/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/pfkey/rw-cert/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,11 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-pfkey kernel-netlink updown
+  load = curl test-vectors aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-pfkey kernel-netlink updown
+}
+
+libstrongswan {
+  crypto_test {
+    on_add = yes
+  }
 }
diff --git a/testing/tests/pfkey/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/rw-cert/hosts/moon/etc/strongswan.conf
index db6fa7486..2f3bc449a 100644
--- a/testing/tests/pfkey/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/pfkey/rw-cert/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,11 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-pfkey kernel-netlink updown
+  load = curl test-vectors aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-pfkey kernel-netlink updown
+}
+
+libstrongswan {
+  crypto_test {
+    on_add = yes
+  }
 }
diff --git a/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf
index 29e2395e8..329498d28 100644
--- a/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,11 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown sqlite sql
+  load = curl test-vectors aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown sqlite sql
+}
+
+libstrongswan {
+  crypto_test {
+    on_add = yes
+  }
 }
diff --git a/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf
index 29e2395e8..329498d28 100644
--- a/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf
@@ -6,5 +6,11 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown sqlite sql
+  load = curl test-vectors aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown sqlite sql
+}
+
+libstrongswan {
+  crypto_test {
+    on_add = yes
+  }
 }
diff --git a/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf
index 29e2395e8..329498d28 100644
--- a/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf
@@ -6,5 +6,11 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown sqlite sql
+  load = curl test-vectors aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown sqlite sql
+}
+
+libstrongswan {
+  crypto_test {
+    on_add = yes
+  }
 }
diff --git a/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/ipsec.d/data.sql
index f160fe1d7..2ea4f598f 100644
--- a/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/ipsec.d/data.sql
@@ -24,18 +24,6 @@ INSERT INTO identities (
   2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267'
  );
 
-INSERT INTO identities (
-  type, data
-) VALUES ( /* carol@strongswan.org as an EAP identity */
-  205, X'6361726f6c407374726f6e677377616e2e6f7267'
- );
-
-INSERT INTO identities (
-  type, data
-) VALUES ( /* moon.strongswan.org as an EAP identity */
-  205, X'6d6f6f6e2e7374726f6e677377616e2e6f7267'
- );
-
 /* Certificates */
 
 INSERT INTO certificates (
@@ -67,13 +55,13 @@ INSERT INTO shared_secrets (
 INSERT INTO shared_secret_identity (
   shared_secret, identity
 ) VALUES (
-  1, 5
+  1, 3 
 );
 
 INSERT INTO shared_secret_identity (
   shared_secret, identity
 ) VALUES (
-  1, 6
+  1, 4 
 );
 
 /* Configurations */
diff --git a/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/ipsec.d/data.sql
index 153c454a9..5d262877f 100644
--- a/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/ipsec.d/data.sql
@@ -32,14 +32,8 @@ INSERT INTO identities (
 
 INSERT INTO identities (
   type, data
-) VALUES ( /* moon.strongswan.org as an EAP identity */
-  205, X'6d6f6f6e2e7374726f6e677377616e2e6f7267'
- );
-
-INSERT INTO identities (
-  type, data
-) VALUES ( /* carol@strongswan.org as an EAP identity */
-  205, X'6361726f6c407374726f6e677377616e2e6f7267'
+) VALUES ( /* carol@strongswan.org */
+  3, X'6361726f6c407374726f6e677377616e2e6f7267'
  );
 
 /* Certificates */
@@ -111,13 +105,13 @@ INSERT INTO shared_secrets (
 INSERT INTO shared_secret_identity (
   shared_secret, identity
 ) VALUES (
-  1, 6
+  1, 3 
 );
 
 INSERT INTO shared_secret_identity (
   shared_secret, identity
 ) VALUES (
-  1, 7
+  1, 6 
 );
 
 /* Configurations */
-- 
cgit v1.2.3


From 7410d3c6d6a9a1cd7aa55083c938946af6ff9498 Mon Sep 17 00:00:00 2001
From: Rene Mayrhofer <rene@mayrhofer.eu.org>
Date: Wed, 21 Oct 2009 11:14:02 +0000
Subject: [svn-upgrade] Integrating new upstream version, strongswan (4.3.4)

---
 Makefile.am                                        |   10 +-
 Makefile.in                                        |   40 +-
 NEWS                                               |   34 +
 aclocal.m4                                         |  186 +++
 configure                                          | 1685 ++++++++++++++++----
 configure.in                                       |  105 +-
 scripts/Makefile.in                                |    5 +
 src/Makefile.am                                    |    6 +-
 src/Makefile.in                                    |   12 +-
 src/_copyright/Makefile.in                         |    5 +
 src/_updown/Makefile.in                            |    5 +
 src/_updown_espmark/Makefile.in                    |    5 +
 src/charon/Makefile.am                             |    7 +-
 src/charon/Makefile.in                             |  152 +-
 src/charon/bus/bus.c                               |  187 ++-
 src/charon/bus/bus.h                               |  148 +-
 src/charon/bus/listeners/file_logger.h             |    4 +-
 src/charon/bus/listeners/listener.h                |  179 +++
 src/charon/bus/listeners/sys_logger.c              |    1 -
 src/charon/bus/listeners/sys_logger.h              |    6 +-
 src/charon/config/attributes/attribute_manager.c   |    2 +-
 src/charon/config/backend_manager.c                |    2 +-
 src/charon/config/child_cfg.c                      |   30 -
 src/charon/config/child_cfg.h                      |   12 -
 src/charon/config/peer_cfg.c                       |   70 +-
 src/charon/config/proposal.c                       |    3 +
 src/charon/credentials/credential_manager.c        |    2 +-
 src/charon/credentials/sets/cert_cache.c           |    2 +-
 src/charon/daemon.c                                |   46 +-
 src/charon/kernel/kernel_interface.c               |   14 +
 src/charon/kernel/kernel_interface.h               |   13 +
 src/charon/kernel/kernel_ipsec.h                   |   13 +
 src/charon/network/sender.c                        |    6 +-
 src/charon/network/socket.c                        |   35 +-
 src/charon/plugins/attr/Makefile.am                |    2 +-
 src/charon/plugins/attr/Makefile.in                |    7 +-
 src/charon/plugins/eap_aka/Makefile.am             |    2 +-
 src/charon/plugins/eap_aka/Makefile.in             |    7 +-
 src/charon/plugins/eap_gtc/Makefile.am             |    2 +-
 src/charon/plugins/eap_gtc/Makefile.in             |    7 +-
 src/charon/plugins/eap_identity/Makefile.am        |    2 +-
 src/charon/plugins/eap_identity/Makefile.in        |    7 +-
 src/charon/plugins/eap_md5/Makefile.am             |    2 +-
 src/charon/plugins/eap_md5/Makefile.in             |    7 +-
 src/charon/plugins/eap_mschapv2/Makefile.am        |    2 +-
 src/charon/plugins/eap_mschapv2/Makefile.in        |    7 +-
 src/charon/plugins/eap_radius/Makefile.am          |    2 +-
 src/charon/plugins/eap_radius/Makefile.in          |    7 +-
 src/charon/plugins/eap_radius/eap_radius.c         |   21 +-
 src/charon/plugins/eap_radius/radius_client.c      |    5 +-
 src/charon/plugins/eap_sim/Makefile.am             |    2 +-
 src/charon/plugins/eap_sim/Makefile.in             |    7 +-
 src/charon/plugins/eap_sim_file/Makefile.am        |    2 +-
 src/charon/plugins/eap_sim_file/Makefile.in        |    7 +-
 .../plugins/eap_sim_file/eap_sim_file_triplets.c   |    2 +-
 src/charon/plugins/kernel_klips/Makefile.am        |    2 +-
 src/charon/plugins/kernel_klips/Makefile.in        |    7 +-
 .../plugins/kernel_klips/kernel_klips_ipsec.c      |   15 +-
 src/charon/plugins/kernel_netlink/Makefile.am      |    2 +-
 src/charon/plugins/kernel_netlink/Makefile.in      |    7 +-
 .../plugins/kernel_netlink/kernel_netlink_ipsec.c  |   87 +-
 .../plugins/kernel_netlink/kernel_netlink_net.c    |    4 +-
 .../plugins/kernel_netlink/kernel_netlink_shared.c |    2 +-
 src/charon/plugins/kernel_pfkey/Makefile.am        |    2 +-
 src/charon/plugins/kernel_pfkey/Makefile.in        |    7 +-
 .../plugins/kernel_pfkey/kernel_pfkey_ipsec.c      |  192 ++-
 src/charon/plugins/kernel_pfroute/Makefile.am      |    2 +-
 src/charon/plugins/kernel_pfroute/Makefile.in      |    7 +-
 .../plugins/kernel_pfroute/kernel_pfroute_net.c    |    4 +-
 src/charon/plugins/load_tester/Makefile.am         |    2 +-
 src/charon/plugins/load_tester/Makefile.in         |    7 +-
 src/charon/plugins/load_tester/load_tester_ipsec.c |   11 +
 .../plugins/load_tester/load_tester_plugin.c       |    4 +-
 src/charon/plugins/medcli/Makefile.am              |    2 +-
 src/charon/plugins/medcli/Makefile.in              |    7 +-
 src/charon/plugins/medsrv/Makefile.am              |    2 +-
 src/charon/plugins/medsrv/Makefile.in              |    7 +-
 src/charon/plugins/nm/Makefile.am                  |    2 +-
 src/charon/plugins/nm/Makefile.in                  |    7 +-
 src/charon/plugins/nm/nm_creds.c                   |    2 +-
 src/charon/plugins/nm/nm_service.c                 |  179 ++-
 src/charon/plugins/resolv_conf/Makefile.am         |    2 +-
 src/charon/plugins/resolv_conf/Makefile.in         |    7 +-
 .../plugins/resolv_conf/resolv_conf_handler.c      |    2 +-
 src/charon/plugins/smp/Makefile.am                 |    2 +-
 src/charon/plugins/smp/Makefile.in                 |    7 +-
 src/charon/plugins/sql/Makefile.am                 |    2 +-
 src/charon/plugins/sql/Makefile.in                 |    7 +-
 src/charon/plugins/sql/pool.c                      |   13 +-
 src/charon/plugins/sql/sql_attribute.c             |  149 +-
 src/charon/plugins/sql/sql_config.c                |    4 +-
 src/charon/plugins/stroke/Makefile.am              |    2 +-
 src/charon/plugins/stroke/Makefile.in              |    7 +-
 src/charon/plugins/stroke/stroke_attribute.c       |    2 +-
 src/charon/plugins/stroke/stroke_ca.c              |    2 +-
 src/charon/plugins/stroke/stroke_config.c          |    2 +-
 src/charon/plugins/stroke/stroke_cred.c            |   96 +-
 src/charon/plugins/stroke/stroke_list.c            |   37 +-
 src/charon/plugins/stroke/stroke_socket.c          |    1 +
 src/charon/plugins/uci/Makefile.am                 |    2 +-
 src/charon/plugins/uci/Makefile.in                 |    7 +-
 src/charon/plugins/unit_tester/Makefile.am         |    2 +-
 src/charon/plugins/unit_tester/Makefile.in         |    7 +-
 src/charon/plugins/unit_tester/tests.h             |    3 +
 src/charon/plugins/unit_tester/tests/test_id.c     |  180 +++
 src/charon/plugins/unit_tester/tests/test_mutex.c  |    2 +-
 src/charon/plugins/updown/Makefile.am              |    2 +-
 src/charon/plugins/updown/Makefile.in              |    7 +-
 src/charon/processing/jobs/callback_job.c          |    2 +-
 src/charon/processing/processor.c                  |    6 +-
 src/charon/processing/scheduler.c                  |    4 +-
 src/charon/sa/authenticators/eap/eap_manager.c     |    2 +-
 src/charon/sa/child_sa.c                           |  135 +-
 src/charon/sa/child_sa.h                           |   34 +-
 src/charon/sa/connect_manager.c                    |    2 +-
 src/charon/sa/ike_sa.c                             |   45 +-
 src/charon/sa/ike_sa.h                             |    5 +
 src/charon/sa/ike_sa_manager.c                     |   40 +-
 src/charon/sa/keymat.c                             |    3 +
 src/charon/sa/mediation_manager.c                  |    2 +-
 src/charon/sa/task_manager.c                       |   30 +-
 src/charon/sa/tasks/child_create.c                 |   39 +-
 src/charon/sa/tasks/child_create.h                 |    4 +-
 src/charon/sa/tasks/child_delete.c                 |   29 +-
 src/charon/sa/tasks/child_rekey.c                  |   15 +-
 src/charon/sa/tasks/ike_auth.c                     |    2 +
 src/charon/sa/tasks/ike_delete.c                   |   36 +-
 src/charon/sa/tasks/ike_rekey.c                    |    2 +
 src/charon/sa/tasks/task.h                         |    4 +-
 src/charon/sa/trap_manager.c                       |    6 +-
 src/checksum/Makefile.am                           |   36 +
 src/checksum/Makefile.in                           |  550 +++++++
 src/checksum/checksum_builder.c                    |  135 ++
 src/dumm/Makefile.in                               |    5 +
 src/dumm/mconsole.c                                |    2 +-
 src/include/Makefile.in                            |    5 +
 src/ipsec/Makefile.in                              |    5 +
 src/libfast/Makefile.in                            |    5 +
 src/libfreeswan/Makefile.in                        |    5 +
 src/libfreeswan/anyaddr.c                          |   13 +-
 src/libfreeswan/atoaddr.3                          |   10 +-
 src/libfreeswan/atoaddr.c                          |   37 +-
 src/libfreeswan/freeswan.h                         |    5 -
 src/libfreeswan/pfkeyv2.h                          |   33 +-
 src/libfreeswan/ttoaddr.3                          |   12 +-
 src/libfreeswan/ttoaddr.c                          |   77 +-
 src/libstrongswan/Makefile.am                      |   19 +-
 src/libstrongswan/Makefile.in                      |  347 ++--
 src/libstrongswan/asn1/asn1.c                      |   72 +-
 src/libstrongswan/asn1/asn1.h                      |   13 +-
 src/libstrongswan/asn1/oid.c                       |  440 ++---
 src/libstrongswan/asn1/oid.h                       |  245 +--
 src/libstrongswan/asn1/oid.txt                     |    6 +
 src/libstrongswan/chunk.c                          |   27 +
 src/libstrongswan/chunk.h                          |   22 +-
 src/libstrongswan/credentials/credential_factory.c |    2 +-
 src/libstrongswan/credentials/keys/public_key.c    |   10 +
 src/libstrongswan/credentials/keys/public_key.h    |    2 +
 src/libstrongswan/crypto/crypto_factory.c          |    2 +-
 src/libstrongswan/crypto/crypto_tester.c           |   22 +-
 src/libstrongswan/crypto/hashers/hasher.c          |   10 +
 src/libstrongswan/crypto/hashers/hasher.h          |    8 +-
 src/libstrongswan/database/database_factory.c      |    2 +-
 src/libstrongswan/fetcher/fetcher_manager.c        |    2 +-
 src/libstrongswan/fips/Makefile.am                 |   19 -
 src/libstrongswan/fips/Makefile.in                 |  484 ------
 src/libstrongswan/fips/fips.c                      |   96 --
 src/libstrongswan/fips/fips.h                      |   44 -
 src/libstrongswan/fips/fips_canister_end.c         |  166 --
 src/libstrongswan/fips/fips_canister_start.c       |  167 --
 src/libstrongswan/fips/fips_signer.c               |   68 -
 src/libstrongswan/integrity_checker.c              |  332 ++++
 src/libstrongswan/integrity_checker.h              |  111 ++
 src/libstrongswan/library.c                        |   27 +-
 src/libstrongswan/library.h                        |   23 +-
 src/libstrongswan/plugins/aes/Makefile.am          |    2 +-
 src/libstrongswan/plugins/aes/Makefile.in          |    7 +-
 src/libstrongswan/plugins/agent/Makefile.am        |    2 +-
 src/libstrongswan/plugins/agent/Makefile.in        |    7 +-
 src/libstrongswan/plugins/blowfish/Makefile.am     |    2 +-
 src/libstrongswan/plugins/blowfish/Makefile.in     |    7 +-
 src/libstrongswan/plugins/curl/Makefile.am         |    2 +-
 src/libstrongswan/plugins/curl/Makefile.in         |    7 +-
 src/libstrongswan/plugins/des/Makefile.am          |    2 +-
 src/libstrongswan/plugins/des/Makefile.in          |    7 +-
 src/libstrongswan/plugins/fips_prf/Makefile.am     |    2 +-
 src/libstrongswan/plugins/fips_prf/Makefile.in     |    7 +-
 src/libstrongswan/plugins/gcrypt/Makefile.am       |    2 +-
 src/libstrongswan/plugins/gcrypt/Makefile.in       |    7 +-
 src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c   |    3 +
 src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c   |    4 +-
 .../plugins/gcrypt/gcrypt_rsa_private_key.c        |   61 +-
 .../plugins/gcrypt/gcrypt_rsa_public_key.c         |   14 +-
 src/libstrongswan/plugins/gmp/Makefile.am          |    2 +-
 src/libstrongswan/plugins/gmp/Makefile.in          |    7 +-
 .../plugins/gmp/gmp_rsa_private_key.c              |    2 +
 src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c |    4 +-
 src/libstrongswan/plugins/hmac/Makefile.am         |    2 +-
 src/libstrongswan/plugins/hmac/Makefile.in         |    7 +-
 src/libstrongswan/plugins/ldap/Makefile.am         |    2 +-
 src/libstrongswan/plugins/ldap/Makefile.in         |    7 +-
 src/libstrongswan/plugins/md4/Makefile.am          |    2 +-
 src/libstrongswan/plugins/md4/Makefile.in          |    7 +-
 src/libstrongswan/plugins/md5/Makefile.am          |    2 +-
 src/libstrongswan/plugins/md5/Makefile.in          |    7 +-
 src/libstrongswan/plugins/mysql/Makefile.am        |    2 +-
 src/libstrongswan/plugins/mysql/Makefile.in        |    7 +-
 src/libstrongswan/plugins/mysql/mysql_database.c   |    2 +-
 src/libstrongswan/plugins/openssl/Makefile.am      |    2 +-
 src/libstrongswan/plugins/openssl/Makefile.in      |    7 +-
 .../plugins/openssl/openssl_crypter.c              |   18 +
 .../plugins/openssl/openssl_ec_diffie_hellman.c    |   20 +-
 src/libstrongswan/plugins/openssl/openssl_hasher.c |    1 +
 src/libstrongswan/plugins/openssl/openssl_plugin.c |    8 +-
 .../plugins/openssl/openssl_rsa_private_key.c      |    2 +
 .../plugins/openssl/openssl_rsa_public_key.c       |    2 +
 src/libstrongswan/plugins/openssl/openssl_util.c   |   15 +-
 src/libstrongswan/plugins/padlock/Makefile.am      |    2 +-
 src/libstrongswan/plugins/padlock/Makefile.in      |    7 +-
 src/libstrongswan/plugins/padlock/padlock_plugin.c |    2 +-
 src/libstrongswan/plugins/plugin_loader.c          |   27 +-
 src/libstrongswan/plugins/pubkey/Makefile.am       |    2 +-
 src/libstrongswan/plugins/pubkey/Makefile.in       |    7 +-
 src/libstrongswan/plugins/random/Makefile.am       |    2 +-
 src/libstrongswan/plugins/random/Makefile.in       |    7 +-
 src/libstrongswan/plugins/sha1/Makefile.am         |    2 +-
 src/libstrongswan/plugins/sha1/Makefile.in         |    7 +-
 src/libstrongswan/plugins/sha2/Makefile.am         |    2 +-
 src/libstrongswan/plugins/sha2/Makefile.in         |    7 +-
 src/libstrongswan/plugins/sha2/sha2_hasher.c       |   64 +
 src/libstrongswan/plugins/sha2/sha2_plugin.c       |    2 +
 src/libstrongswan/plugins/sqlite/Makefile.am       |    2 +-
 src/libstrongswan/plugins/sqlite/Makefile.in       |    7 +-
 src/libstrongswan/plugins/sqlite/sqlite_database.c |    2 +-
 src/libstrongswan/plugins/test_vectors/Makefile.am |    2 +-
 src/libstrongswan/plugins/test_vectors/Makefile.in |    7 +-
 .../plugins/test_vectors/test_vectors.h            |    3 +
 .../plugins/test_vectors/test_vectors/sha2.c       |   35 +
 src/libstrongswan/plugins/x509/Makefile.am         |    2 +-
 src/libstrongswan/plugins/x509/Makefile.in         |    7 +-
 src/libstrongswan/plugins/xcbc/Makefile.am         |    2 +-
 src/libstrongswan/plugins/xcbc/Makefile.in         |    7 +-
 src/libstrongswan/utils.c                          |   42 +-
 src/libstrongswan/utils.h                          |   23 +
 src/libstrongswan/utils/enumerator.c               |    6 +-
 src/libstrongswan/utils/host.c                     |  139 +-
 src/libstrongswan/utils/identification.c           |  878 ++++------
 src/libstrongswan/utils/mutex.c                    |    8 +-
 src/libstrongswan/utils/mutex.h                    |   35 +-
 src/manager/Makefile.in                            |    5 +
 src/medsrv/Makefile.in                             |    5 +
 src/medsrv/controller/peer_controller.c            |    2 +
 src/openac/Makefile.in                             |    5 +
 src/openac/openac.c                                |   37 +-
 src/pluto/Makefile.am                              |    5 -
 src/pluto/Makefile.in                              |   17 +-
 src/pluto/alg_info.c                               |   32 +-
 src/pluto/connections.c                            |    1 +
 src/pluto/constants.c                              |    3 +-
 src/pluto/crypto.c                                 |   15 +-
 src/pluto/crypto.h                                 |    2 +-
 src/pluto/ipsec_doi.c                              |  122 +-
 src/pluto/kernel.c                                 |  187 ++-
 src/pluto/kernel_alg.c                             |   54 +-
 src/pluto/kernel_netlink.c                         |  357 +++--
 src/pluto/keys.c                                   |    3 +-
 src/pluto/ocsp.c                                   |    2 +-
 src/pluto/pem.c                                    |    1 +
 src/pluto/pgpcert.c                                |   62 +-
 src/pluto/plutomain.c                              |   41 +-
 src/pluto/spdb.c                                   |   88 +-
 src/pluto/state.c                                  |    1 +
 src/pluto/timer.c                                  |   10 +-
 src/pluto/timer.h                                  |    2 +-
 src/pluto/vendor.c                                 |    8 +-
 src/pluto/vendor.h                                 |   10 +-
 src/scepclient/Makefile.in                         |    5 +
 src/scepclient/loglite.c                           |    7 +-
 src/scepclient/scepclient.8                        |   18 +-
 src/scepclient/scepclient.c                        |   67 +-
 src/starter/Makefile.am                            |   22 +-
 src/starter/Makefile.in                            |   31 +-
 src/starter/args.c                                 |   68 +-
 src/starter/interfaces.c                           |    4 +
 src/starter/invokecharon.c                         |   28 +-
 src/starter/invokecharon.h                         |    2 +-
 src/starter/invokepluto.c                          |   14 +-
 src/starter/invokepluto.h                          |    2 +-
 src/starter/keywords.h                             |    5 +
 src/starter/loglite.c                              |    4 +
 src/starter/starter.c                              |   39 +-
 src/stroke/Makefile.am                             |    1 +
 src/stroke/Makefile.in                             |   11 +-
 src/stroke/stroke_msg.h                            |    2 +
 src/whack/Makefile.in                              |    5 +
 testing/INSTALL                                    |    8 +-
 testing/Makefile.in                                |    5 +
 testing/testing.conf                               |    6 +-
 .../rw-cert/hosts/carol/etc/strongswan.conf        |    1 +
 .../rw-cert/hosts/dave/etc/strongswan.conf         |    1 +
 .../rw-cert/hosts/moon/etc/strongswan.conf         |    1 +
 .../rw-cert/hosts/carol/etc/strongswan.conf        |    1 +
 .../rw-cert/hosts/dave/etc/strongswan.conf         |    1 +
 .../rw-cert/hosts/moon/etc/strongswan.conf         |    1 +
 .../ike/rw-cert/hosts/carol/etc/strongswan.conf    |    1 +
 .../ike/rw-cert/hosts/dave/etc/strongswan.conf     |    1 +
 .../ike/rw-cert/hosts/moon/etc/strongswan.conf     |    1 +
 .../tests/ikev1/esp-alg-aes-ccm/description.txt    |    4 +
 testing/tests/ikev1/esp-alg-aes-ccm/evaltest.dat   |    5 +
 .../esp-alg-aes-ccm/hosts/carol/etc/ipsec.conf     |   26 +
 .../esp-alg-aes-ccm/hosts/moon/etc/ipsec.conf      |   25 +
 testing/tests/ikev1/esp-alg-aes-ccm/posttest.dat   |    4 +
 testing/tests/ikev1/esp-alg-aes-ccm/pretest.dat    |    6 +
 testing/tests/ikev1/esp-alg-aes-ccm/test.conf      |   21 +
 .../tests/ikev1/esp-alg-aes-ctr/description.txt    |    3 +
 testing/tests/ikev1/esp-alg-aes-ctr/evaltest.dat   |    7 +
 .../esp-alg-aes-ctr/hosts/carol/etc/ipsec.conf     |   26 +
 .../esp-alg-aes-ctr/hosts/moon/etc/ipsec.conf      |   25 +
 testing/tests/ikev1/esp-alg-aes-ctr/posttest.dat   |    4 +
 testing/tests/ikev1/esp-alg-aes-ctr/pretest.dat    |    6 +
 testing/tests/ikev1/esp-alg-aes-ctr/test.conf      |   21 +
 .../tests/ikev1/esp-alg-aes-gcm/description.txt    |    4 +
 testing/tests/ikev1/esp-alg-aes-gcm/evaltest.dat   |    5 +
 .../esp-alg-aes-gcm/hosts/carol/etc/ipsec.conf     |   26 +
 .../esp-alg-aes-gcm/hosts/moon/etc/ipsec.conf      |   25 +
 testing/tests/ikev1/esp-alg-aes-gcm/posttest.dat   |    4 +
 testing/tests/ikev1/esp-alg-aes-gcm/pretest.dat    |    6 +
 testing/tests/ikev1/esp-alg-aes-gcm/test.conf      |   21 +
 .../esp-alg-camellia/hosts/carol/etc/ipsec.conf    |    2 +-
 .../esp-alg-camellia/hosts/moon/etc/ipsec.conf     |    2 +-
 testing/tests/ikev1/net2net-pgp-v3/description.txt |    6 +
 testing/tests/ikev1/net2net-pgp-v3/evaltest.dat    |    5 +
 .../ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.conf |   22 +
 .../hosts/moon/etc/ipsec.d/certs/moonCert.asc      |   15 +
 .../hosts/moon/etc/ipsec.d/certs/sunCert.asc       |   15 +
 .../hosts/moon/etc/ipsec.d/private/moonKey.asc     |   19 +
 .../net2net-pgp-v3/hosts/moon/etc/ipsec.secrets    |    3 +
 .../ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.conf  |   22 +
 .../hosts/sun/etc/ipsec.d/certs/moonCert.asc       |   15 +
 .../hosts/sun/etc/ipsec.d/certs/sunCert.asc        |   15 +
 .../hosts/sun/etc/ipsec.d/private/sunKey.asc       |   19 +
 .../net2net-pgp-v3/hosts/sun/etc/ipsec.secrets     |    3 +
 testing/tests/ikev1/net2net-pgp-v3/posttest.dat    |    8 +
 testing/tests/ikev1/net2net-pgp-v3/pretest.dat     |    8 +
 testing/tests/ikev1/net2net-pgp-v3/test.conf       |   21 +
 testing/tests/ikev1/net2net-pgp-v4/description.txt |    6 +
 testing/tests/ikev1/net2net-pgp-v4/evaltest.dat    |    5 +
 .../ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.conf |   22 +
 .../hosts/moon/etc/ipsec.d/certs/moonCert.asc      |   24 +
 .../hosts/moon/etc/ipsec.d/certs/sunCert.asc       |   24 +
 .../hosts/moon/etc/ipsec.d/private/moonKey.asc     |   32 +
 .../net2net-pgp-v4/hosts/moon/etc/ipsec.secrets    |    3 +
 .../ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.conf  |   22 +
 .../hosts/sun/etc/ipsec.d/certs/moonCert.asc       |   24 +
 .../hosts/sun/etc/ipsec.d/certs/sunCert.asc        |   24 +
 .../hosts/sun/etc/ipsec.d/private/sunKey.asc       |   32 +
 .../net2net-pgp-v4/hosts/sun/etc/ipsec.secrets     |    3 +
 testing/tests/ikev1/net2net-pgp-v4/posttest.dat    |    8 +
 testing/tests/ikev1/net2net-pgp-v4/pretest.dat     |    8 +
 testing/tests/ikev1/net2net-pgp-v4/test.conf       |   21 +
 testing/tests/ikev1/net2net-pgp/description.txt    |    6 -
 testing/tests/ikev1/net2net-pgp/evaltest.dat       |    5 -
 .../ikev1/net2net-pgp/hosts/moon/etc/ipsec.conf    |   22 -
 .../hosts/moon/etc/ipsec.d/certs/moonCert.asc      |   15 -
 .../hosts/moon/etc/ipsec.d/certs/sunCert.asc       |   15 -
 .../hosts/moon/etc/ipsec.d/private/moonKey.asc     |   19 -
 .../ikev1/net2net-pgp/hosts/moon/etc/ipsec.secrets |    3 -
 .../ikev1/net2net-pgp/hosts/sun/etc/ipsec.conf     |   22 -
 .../hosts/sun/etc/ipsec.d/certs/moonCert.asc       |   15 -
 .../hosts/sun/etc/ipsec.d/certs/sunCert.asc        |   15 -
 .../hosts/sun/etc/ipsec.d/private/sunKey.asc       |   19 -
 .../ikev1/net2net-pgp/hosts/sun/etc/ipsec.secrets  |    3 -
 testing/tests/ikev1/net2net-pgp/posttest.dat       |    8 -
 testing/tests/ikev1/net2net-pgp/pretest.dat        |    8 -
 testing/tests/ikev1/net2net-pgp/test.conf          |   21 -
 .../ikev1/rw-cert/hosts/carol/etc/strongswan.conf  |    1 +
 .../ikev1/rw-cert/hosts/moon/etc/strongswan.conf   |    1 +
 .../tests/ikev2/esp-alg-aes-ctr/description.txt    |    3 +
 testing/tests/ikev2/esp-alg-aes-ctr/evaltest.dat   |    7 +
 .../esp-alg-aes-ctr/hosts/carol/etc/ipsec.conf     |   25 +
 .../hosts/carol/etc/strongswan.conf                |    5 +
 .../esp-alg-aes-ctr/hosts/moon/etc/ipsec.conf      |   24 +
 .../esp-alg-aes-ctr/hosts/moon/etc/strongswan.conf |    5 +
 testing/tests/ikev2/esp-alg-aes-ctr/posttest.dat   |    4 +
 testing/tests/ikev2/esp-alg-aes-ctr/pretest.dat    |    6 +
 testing/tests/ikev2/esp-alg-aes-ctr/test.conf      |   21 +
 .../tests/ikev2/ip-split-pools-db/description.txt  |    6 +
 testing/tests/ikev2/ip-split-pools-db/evaltest.dat |   15 +
 .../ip-split-pools-db/hosts/carol/etc/ipsec.conf   |   24 +
 .../hosts/carol/etc/strongswan.conf                |    5 +
 .../ip-split-pools-db/hosts/dave/etc/ipsec.conf    |   24 +
 .../hosts/dave/etc/strongswan.conf                 |    5 +
 .../ip-split-pools-db/hosts/moon/etc/ipsec.conf    |   23 +
 .../hosts/moon/etc/strongswan.conf                 |   14 +
 testing/tests/ikev2/ip-split-pools-db/posttest.dat |    6 +
 testing/tests/ikev2/ip-split-pools-db/pretest.dat  |   12 +
 testing/tests/ikev2/ip-split-pools-db/test.conf    |   21 +
 .../ikev2/rw-cert/hosts/carol/etc/strongswan.conf  |    1 +
 .../ikev2/rw-cert/hosts/dave/etc/strongswan.conf   |    1 +
 .../ikev2/rw-cert/hosts/moon/etc/strongswan.conf   |    1 +
 .../rw-cert/hosts/carol/etc/strongswan.conf        |    1 +
 .../rw-cert/hosts/dave/etc/strongswan.conf         |    1 +
 .../rw-cert/hosts/moon/etc/strongswan.conf         |    1 +
 .../openssl-ikev2/alg-camellia/description.txt     |    4 +
 .../tests/openssl-ikev2/alg-camellia/evaltest.dat  |    9 +
 .../alg-camellia/hosts/carol/etc/ipsec.conf        |   25 +
 .../alg-camellia/hosts/carol/etc/strongswan.conf   |    5 +
 .../alg-camellia/hosts/moon/etc/ipsec.conf         |   24 +
 .../alg-camellia/hosts/moon/etc/strongswan.conf    |    5 +
 .../tests/openssl-ikev2/alg-camellia/posttest.dat  |    4 +
 .../tests/openssl-ikev2/alg-camellia/pretest.dat   |    7 +
 testing/tests/openssl-ikev2/alg-camellia/test.conf |   21 +
 .../alg-ecp-high/hosts/carol/etc/strongswan.conf   |    4 +
 .../alg-ecp-high/hosts/dave/etc/strongswan.conf    |    4 +
 .../alg-ecp-high/hosts/moon/etc/strongswan.conf    |    4 +
 .../alg-ecp-low/hosts/carol/etc/strongswan.conf    |    4 +
 .../alg-ecp-low/hosts/dave/etc/strongswan.conf     |    4 +
 .../alg-ecp-low/hosts/moon/etc/strongswan.conf     |    4 +
 .../rw-cert/hosts/carol/etc/strongswan.conf        |    1 +
 .../rw-cert/hosts/dave/etc/strongswan.conf         |    1 +
 .../rw-cert/hosts/moon/etc/strongswan.conf         |    1 +
 .../pfkey/rw-cert/hosts/carol/etc/strongswan.conf  |    1 +
 .../pfkey/rw-cert/hosts/dave/etc/strongswan.conf   |    1 +
 .../pfkey/rw-cert/hosts/moon/etc/strongswan.conf   |    1 +
 .../sql/ip-split-pools-db-restart/description.txt  |    6 +
 .../sql/ip-split-pools-db-restart/evaltest.dat     |   14 +
 .../hosts/carol/etc/ipsec.conf                     |    8 +
 .../hosts/carol/etc/ipsec.d/data.sql               |  140 ++
 .../hosts/carol/etc/ipsec.secrets                  |    3 +
 .../hosts/carol/etc/strongswan.conf                |   10 +
 .../hosts/dave/etc/ipsec.conf                      |    8 +
 .../hosts/dave/etc/ipsec.d/data.sql                |  140 ++
 .../hosts/dave/etc/ipsec.secrets                   |    3 +
 .../hosts/dave/etc/strongswan.conf                 |   10 +
 .../hosts/moon/etc/ipsec.conf                      |    8 +
 .../hosts/moon/etc/ipsec.d/data.sql                |  204 +++
 .../hosts/moon/etc/ipsec.secrets                   |    3 +
 .../hosts/moon/etc/strongswan.conf                 |   14 +
 .../sql/ip-split-pools-db-restart/posttest.dat     |    7 +
 .../sql/ip-split-pools-db-restart/pretest.dat      |   18 +
 .../tests/sql/ip-split-pools-db-restart/test.conf  |   21 +
 .../tests/sql/ip-split-pools-db/description.txt    |    6 +
 testing/tests/sql/ip-split-pools-db/evaltest.dat   |   15 +
 .../ip-split-pools-db/hosts/carol/etc/ipsec.conf   |    8 +
 .../hosts/carol/etc/ipsec.d/data.sql               |  140 ++
 .../hosts/carol/etc/ipsec.secrets                  |    3 +
 .../hosts/carol/etc/strongswan.conf                |   10 +
 .../ip-split-pools-db/hosts/dave/etc/ipsec.conf    |    8 +
 .../hosts/dave/etc/ipsec.d/data.sql                |  140 ++
 .../ip-split-pools-db/hosts/dave/etc/ipsec.secrets |    3 +
 .../hosts/dave/etc/strongswan.conf                 |   10 +
 .../ip-split-pools-db/hosts/moon/etc/ipsec.conf    |    8 +
 .../hosts/moon/etc/ipsec.d/data.sql                |  166 ++
 .../ip-split-pools-db/hosts/moon/etc/ipsec.secrets |    3 +
 .../hosts/moon/etc/strongswan.conf                 |   14 +
 testing/tests/sql/ip-split-pools-db/posttest.dat   |    7 +
 testing/tests/sql/ip-split-pools-db/pretest.dat    |   17 +
 testing/tests/sql/ip-split-pools-db/test.conf      |   21 +
 .../sql/rw-cert/hosts/carol/etc/strongswan.conf    |    1 +
 .../sql/rw-cert/hosts/dave/etc/strongswan.conf     |    1 +
 .../sql/rw-cert/hosts/moon/etc/strongswan.conf     |    1 +
 461 files changed, 9860 insertions(+), 4172 deletions(-)
 create mode 100644 src/charon/bus/listeners/listener.h
 create mode 100644 src/checksum/Makefile.am
 create mode 100644 src/checksum/Makefile.in
 create mode 100644 src/checksum/checksum_builder.c
 delete mode 100644 src/libstrongswan/fips/Makefile.am
 delete mode 100644 src/libstrongswan/fips/Makefile.in
 delete mode 100644 src/libstrongswan/fips/fips.c
 delete mode 100644 src/libstrongswan/fips/fips.h
 delete mode 100644 src/libstrongswan/fips/fips_canister_end.c
 delete mode 100644 src/libstrongswan/fips/fips_canister_start.c
 delete mode 100644 src/libstrongswan/fips/fips_signer.c
 create mode 100644 src/libstrongswan/integrity_checker.c
 create mode 100644 src/libstrongswan/integrity_checker.h
 create mode 100644 testing/tests/ikev1/esp-alg-aes-ccm/description.txt
 create mode 100644 testing/tests/ikev1/esp-alg-aes-ccm/evaltest.dat
 create mode 100755 testing/tests/ikev1/esp-alg-aes-ccm/hosts/carol/etc/ipsec.conf
 create mode 100755 testing/tests/ikev1/esp-alg-aes-ccm/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev1/esp-alg-aes-ccm/posttest.dat
 create mode 100644 testing/tests/ikev1/esp-alg-aes-ccm/pretest.dat
 create mode 100644 testing/tests/ikev1/esp-alg-aes-ccm/test.conf
 create mode 100644 testing/tests/ikev1/esp-alg-aes-ctr/description.txt
 create mode 100644 testing/tests/ikev1/esp-alg-aes-ctr/evaltest.dat
 create mode 100755 testing/tests/ikev1/esp-alg-aes-ctr/hosts/carol/etc/ipsec.conf
 create mode 100755 testing/tests/ikev1/esp-alg-aes-ctr/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev1/esp-alg-aes-ctr/posttest.dat
 create mode 100644 testing/tests/ikev1/esp-alg-aes-ctr/pretest.dat
 create mode 100644 testing/tests/ikev1/esp-alg-aes-ctr/test.conf
 create mode 100644 testing/tests/ikev1/esp-alg-aes-gcm/description.txt
 create mode 100644 testing/tests/ikev1/esp-alg-aes-gcm/evaltest.dat
 create mode 100755 testing/tests/ikev1/esp-alg-aes-gcm/hosts/carol/etc/ipsec.conf
 create mode 100755 testing/tests/ikev1/esp-alg-aes-gcm/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev1/esp-alg-aes-gcm/posttest.dat
 create mode 100644 testing/tests/ikev1/esp-alg-aes-gcm/pretest.dat
 create mode 100644 testing/tests/ikev1/esp-alg-aes-gcm/test.conf
 create mode 100644 testing/tests/ikev1/net2net-pgp-v3/description.txt
 create mode 100644 testing/tests/ikev1/net2net-pgp-v3/evaltest.dat
 create mode 100755 testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/moonCert.asc
 create mode 100644 testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/sunCert.asc
 create mode 100644 testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.d/private/moonKey.asc
 create mode 100644 testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.secrets
 create mode 100755 testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.conf
 create mode 100644 testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/moonCert.asc
 create mode 100644 testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/sunCert.asc
 create mode 100644 testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.d/private/sunKey.asc
 create mode 100644 testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev1/net2net-pgp-v3/posttest.dat
 create mode 100644 testing/tests/ikev1/net2net-pgp-v3/pretest.dat
 create mode 100644 testing/tests/ikev1/net2net-pgp-v3/test.conf
 create mode 100644 testing/tests/ikev1/net2net-pgp-v4/description.txt
 create mode 100644 testing/tests/ikev1/net2net-pgp-v4/evaltest.dat
 create mode 100755 testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.d/certs/moonCert.asc
 create mode 100644 testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.d/certs/sunCert.asc
 create mode 100644 testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.d/private/moonKey.asc
 create mode 100644 testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.secrets
 create mode 100755 testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.conf
 create mode 100644 testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.d/certs/moonCert.asc
 create mode 100644 testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.d/certs/sunCert.asc
 create mode 100644 testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.d/private/sunKey.asc
 create mode 100644 testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev1/net2net-pgp-v4/posttest.dat
 create mode 100644 testing/tests/ikev1/net2net-pgp-v4/pretest.dat
 create mode 100644 testing/tests/ikev1/net2net-pgp-v4/test.conf
 delete mode 100644 testing/tests/ikev1/net2net-pgp/description.txt
 delete mode 100644 testing/tests/ikev1/net2net-pgp/evaltest.dat
 delete mode 100755 testing/tests/ikev1/net2net-pgp/hosts/moon/etc/ipsec.conf
 delete mode 100644 testing/tests/ikev1/net2net-pgp/hosts/moon/etc/ipsec.d/certs/moonCert.asc
 delete mode 100644 testing/tests/ikev1/net2net-pgp/hosts/moon/etc/ipsec.d/certs/sunCert.asc
 delete mode 100644 testing/tests/ikev1/net2net-pgp/hosts/moon/etc/ipsec.d/private/moonKey.asc
 delete mode 100644 testing/tests/ikev1/net2net-pgp/hosts/moon/etc/ipsec.secrets
 delete mode 100755 testing/tests/ikev1/net2net-pgp/hosts/sun/etc/ipsec.conf
 delete mode 100644 testing/tests/ikev1/net2net-pgp/hosts/sun/etc/ipsec.d/certs/moonCert.asc
 delete mode 100644 testing/tests/ikev1/net2net-pgp/hosts/sun/etc/ipsec.d/certs/sunCert.asc
 delete mode 100644 testing/tests/ikev1/net2net-pgp/hosts/sun/etc/ipsec.d/private/sunKey.asc
 delete mode 100644 testing/tests/ikev1/net2net-pgp/hosts/sun/etc/ipsec.secrets
 delete mode 100644 testing/tests/ikev1/net2net-pgp/posttest.dat
 delete mode 100644 testing/tests/ikev1/net2net-pgp/pretest.dat
 delete mode 100644 testing/tests/ikev1/net2net-pgp/test.conf
 create mode 100644 testing/tests/ikev2/esp-alg-aes-ctr/description.txt
 create mode 100644 testing/tests/ikev2/esp-alg-aes-ctr/evaltest.dat
 create mode 100755 testing/tests/ikev2/esp-alg-aes-ctr/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/esp-alg-aes-ctr/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/esp-alg-aes-ctr/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/esp-alg-aes-ctr/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/esp-alg-aes-ctr/posttest.dat
 create mode 100644 testing/tests/ikev2/esp-alg-aes-ctr/pretest.dat
 create mode 100644 testing/tests/ikev2/esp-alg-aes-ctr/test.conf
 create mode 100644 testing/tests/ikev2/ip-split-pools-db/description.txt
 create mode 100644 testing/tests/ikev2/ip-split-pools-db/evaltest.dat
 create mode 100755 testing/tests/ikev2/ip-split-pools-db/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/ip-split-pools-db/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/ip-split-pools-db/hosts/dave/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/ip-split-pools-db/hosts/dave/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/ip-split-pools-db/posttest.dat
 create mode 100644 testing/tests/ikev2/ip-split-pools-db/pretest.dat
 create mode 100644 testing/tests/ikev2/ip-split-pools-db/test.conf
 create mode 100644 testing/tests/openssl-ikev2/alg-camellia/description.txt
 create mode 100644 testing/tests/openssl-ikev2/alg-camellia/evaltest.dat
 create mode 100755 testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/openssl-ikev2/alg-camellia/posttest.dat
 create mode 100644 testing/tests/openssl-ikev2/alg-camellia/pretest.dat
 create mode 100644 testing/tests/openssl-ikev2/alg-camellia/test.conf
 create mode 100644 testing/tests/sql/ip-split-pools-db-restart/description.txt
 create mode 100644 testing/tests/sql/ip-split-pools-db-restart/evaltest.dat
 create mode 100755 testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/ipsec.d/data.sql
 create mode 100644 testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/ipsec.secrets
 create mode 100644 testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/ipsec.conf
 create mode 100644 testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/ipsec.d/data.sql
 create mode 100644 testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/ipsec.secrets
 create mode 100644 testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/strongswan.conf
 create mode 100644 testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/ipsec.d/data.sql
 create mode 100644 testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/ipsec.secrets
 create mode 100644 testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/sql/ip-split-pools-db-restart/posttest.dat
 create mode 100644 testing/tests/sql/ip-split-pools-db-restart/pretest.dat
 create mode 100644 testing/tests/sql/ip-split-pools-db-restart/test.conf
 create mode 100644 testing/tests/sql/ip-split-pools-db/description.txt
 create mode 100644 testing/tests/sql/ip-split-pools-db/evaltest.dat
 create mode 100755 testing/tests/sql/ip-split-pools-db/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/sql/ip-split-pools-db/hosts/carol/etc/ipsec.d/data.sql
 create mode 100644 testing/tests/sql/ip-split-pools-db/hosts/carol/etc/ipsec.secrets
 create mode 100644 testing/tests/sql/ip-split-pools-db/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/sql/ip-split-pools-db/hosts/dave/etc/ipsec.conf
 create mode 100644 testing/tests/sql/ip-split-pools-db/hosts/dave/etc/ipsec.d/data.sql
 create mode 100644 testing/tests/sql/ip-split-pools-db/hosts/dave/etc/ipsec.secrets
 create mode 100644 testing/tests/sql/ip-split-pools-db/hosts/dave/etc/strongswan.conf
 create mode 100644 testing/tests/sql/ip-split-pools-db/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/sql/ip-split-pools-db/hosts/moon/etc/ipsec.d/data.sql
 create mode 100644 testing/tests/sql/ip-split-pools-db/hosts/moon/etc/ipsec.secrets
 create mode 100644 testing/tests/sql/ip-split-pools-db/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/sql/ip-split-pools-db/posttest.dat
 create mode 100644 testing/tests/sql/ip-split-pools-db/pretest.dat
 create mode 100644 testing/tests/sql/ip-split-pools-db/test.conf

(limited to 'src/libstrongswan/plugins')

diff --git a/Makefile.am b/Makefile.am
index 95eb8d95e..172949977 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1,4 +1,9 @@
-SUBDIRS = src testing scripts
+SUBDIRS = src testing
+
+if USE_SCRIPTS
+  SUBDIRS += scripts
+endif
+
 EXTRA_DIST = Doxyfile.in CREDITS
 CLEANFILES = apidoc Doxyfile
 
@@ -10,6 +15,3 @@ Doxyfile :	Doxyfile.in
 
 apidoc :	Doxyfile
 		doxygen
-
-dist-hook :
-		rm -rf `find $(distdir)/testing -name .svn`
diff --git a/Makefile.in b/Makefile.in
index 8755056b2..bc83e3d31 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -31,6 +31,7 @@ PRE_UNINSTALL = :
 POST_UNINSTALL = :
 build_triplet = @build@
 host_triplet = @host@
+@USE_SCRIPTS_TRUE@am__append_1 = scripts
 subdir = .
 DIST_COMMON = README $(am__configure_deps) $(srcdir)/Makefile.am \
 	$(srcdir)/Makefile.in $(top_srcdir)/configure \
@@ -58,7 +59,7 @@ RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive	\
   distclean-recursive maintainer-clean-recursive
 ETAGS = etags
 CTAGS = ctags
-DIST_SUBDIRS = $(SUBDIRS)
+DIST_SUBDIRS = src testing scripts
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 distdir = $(PACKAGE)-$(VERSION)
 top_distdir = $(distdir)
@@ -71,12 +72,14 @@ GZIP_ENV = --best
 distuninstallcheck_listfiles = find . -type f -print
 distcleancheck_listfiles = find . -type f -print
 ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
@@ -141,6 +144,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
 VERSION = @VERSION@
 YACC = @YACC@
@@ -181,7 +185,9 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
@@ -215,7 +221,7 @@ top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-SUBDIRS = src testing scripts
+SUBDIRS = src testing $(am__append_1)
 EXTRA_DIST = Doxyfile.in CREDITS
 CLEANFILES = apidoc Doxyfile
 all: all-recursive
@@ -441,9 +447,6 @@ distdir: $(DISTFILES)
 	      || exit 1; \
 	  fi; \
 	done
-	$(MAKE) $(AM_MAKEFLAGS) \
-	  top_distdir="$(top_distdir)" distdir="$(distdir)" \
-	  dist-hook
 	-find $(distdir) -type d ! -perm -777 -exec chmod a+rwx {} \; -o \
 	  ! -type d ! -perm -444 -links 1 -exec chmod a+r {} \; -o \
 	  ! -type d ! -perm -400 -exec chmod a+r {} \; -o \
@@ -641,18 +644,18 @@ uninstall-am:
 .PHONY: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) CTAGS GTAGS \
 	all all-am am--refresh check check-am clean clean-generic \
 	clean-libtool ctags ctags-recursive dist dist-all dist-bzip2 \
-	dist-gzip dist-hook dist-lzma dist-shar dist-tarZ dist-zip \
-	distcheck distclean distclean-generic distclean-libtool \
-	distclean-tags distcleancheck distdir distuninstallcheck dvi \
-	dvi-am html html-am info info-am install install-am \
-	install-data install-data-am install-dvi install-dvi-am \
-	install-exec install-exec-am install-html install-html-am \
-	install-info install-info-am install-man install-pdf \
-	install-pdf-am install-ps install-ps-am install-strip \
-	installcheck installcheck-am installdirs installdirs-am \
-	maintainer-clean maintainer-clean-generic mostlyclean \
-	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	tags tags-recursive uninstall uninstall-am
+	dist-gzip dist-lzma dist-shar dist-tarZ dist-zip distcheck \
+	distclean distclean-generic distclean-libtool distclean-tags \
+	distcleancheck distdir distuninstallcheck dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs installdirs-am maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-generic \
+	mostlyclean-libtool pdf pdf-am ps ps-am tags tags-recursive \
+	uninstall uninstall-am
 
 
 Doxyfile :	Doxyfile.in
@@ -663,9 +666,6 @@ Doxyfile :	Doxyfile.in
 
 apidoc :	Doxyfile
 		doxygen
-
-dist-hook :
-		rm -rf `find $(distdir)/testing -name .svn`
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/NEWS b/NEWS
index d38e9fe67..6cf4d080d 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,37 @@
+strongswan-4.3.4
+----------------
+
+- IKEv2 charon daemon ported to FreeBSD and Mac OS X. Installation details can
+  be found on wiki.strongswan.org.
+
+- ipsec statusall shows the number of bytes transmitted and received over
+  ESP connections configured by the IKEv2 charon daemon.
+
+- The IKEv2 charon daemon supports include files in ipsec.secrets.
+
+
+strongswan-4.3.3
+----------------
+
+- The configuration option --enable-integrity-test plus the strongswan.conf
+  option libstrongswan.integrity_test = yes activate integrity tests
+  of the IKE daemons charon and pluto, libstrongswan and all loaded
+  plugins. Thus dynamic library misconfigurations and non-malicious file
+  manipulations can be reliably detected.
+
+- The new default setting libstrongswan.ecp_x_coordinate_only=yes allows
+  IKEv1 interoperability with MS Windows using the ECP DH groups 19 and 20.
+
+- The IKEv1 pluto daemon now supports the AES-CCM and AES-GCM ESP
+  authenticated encryption algorithms.
+
+- The IKEv1 pluto daemon now supports V4 OpenPGP keys.
+
+- The RDN parser vulnerability discovered by Orange Labs research team
+  was not completely fixed in version 4.3.2. Some more modifications
+  had to be applied to the asn1_length() function to make it robust.
+
+
 strongswan-4.3.2
 ----------------
 
diff --git a/aclocal.m4 b/aclocal.m4
index b547a212b..9e6e86249 100644
--- a/aclocal.m4
+++ b/aclocal.m4
@@ -19,6 +19,192 @@ You have another version of autoconf.  It may work, but is not guaranteed to.
 If you have problems, you may need to regenerate the build system entirely.
 To do so, use the procedure documented by the package, typically `autoreconf'.])])
 
+# lib-prefix.m4 serial 5 (gettext-0.15)
+dnl Copyright (C) 2001-2005 Free Software Foundation, Inc.
+dnl This file is free software; the Free Software Foundation
+dnl gives unlimited permission to copy and/or distribute it,
+dnl with or without modifications, as long as this notice is preserved.
+
+dnl From Bruno Haible.
+
+dnl AC_LIB_ARG_WITH is synonymous to AC_ARG_WITH in autoconf-2.13, and
+dnl similar to AC_ARG_WITH in autoconf 2.52...2.57 except that is doesn't
+dnl require excessive bracketing.
+ifdef([AC_HELP_STRING],
+[AC_DEFUN([AC_LIB_ARG_WITH], [AC_ARG_WITH([$1],[[$2]],[$3],[$4])])],
+[AC_DEFUN([AC_][LIB_ARG_WITH], [AC_ARG_WITH([$1],[$2],[$3],[$4])])])
+
+dnl AC_LIB_PREFIX adds to the CPPFLAGS and LDFLAGS the flags that are needed
+dnl to access previously installed libraries. The basic assumption is that
+dnl a user will want packages to use other packages he previously installed
+dnl with the same --prefix option.
+dnl This macro is not needed if only AC_LIB_LINKFLAGS is used to locate
+dnl libraries, but is otherwise very convenient.
+AC_DEFUN([AC_LIB_PREFIX],
+[
+  AC_BEFORE([$0], [AC_LIB_LINKFLAGS])
+  AC_REQUIRE([AC_PROG_CC])
+  AC_REQUIRE([AC_CANONICAL_HOST])
+  AC_REQUIRE([AC_LIB_PREPARE_MULTILIB])
+  AC_REQUIRE([AC_LIB_PREPARE_PREFIX])
+  dnl By default, look in $includedir and $libdir.
+  use_additional=yes
+  AC_LIB_WITH_FINAL_PREFIX([
+    eval additional_includedir=\"$includedir\"
+    eval additional_libdir=\"$libdir\"
+  ])
+  AC_LIB_ARG_WITH([lib-prefix],
+[  --with-lib-prefix[=DIR] search for libraries in DIR/include and DIR/lib
+  --without-lib-prefix    don't search for libraries in includedir and libdir],
+[
+    if test "X$withval" = "Xno"; then
+      use_additional=no
+    else
+      if test "X$withval" = "X"; then
+        AC_LIB_WITH_FINAL_PREFIX([
+          eval additional_includedir=\"$includedir\"
+          eval additional_libdir=\"$libdir\"
+        ])
+      else
+        additional_includedir="$withval/include"
+        additional_libdir="$withval/$acl_libdirstem"
+      fi
+    fi
+])
+  if test $use_additional = yes; then
+    dnl Potentially add $additional_includedir to $CPPFLAGS.
+    dnl But don't add it
+    dnl   1. if it's the standard /usr/include,
+    dnl   2. if it's already present in $CPPFLAGS,
+    dnl   3. if it's /usr/local/include and we are using GCC on Linux,
+    dnl   4. if it doesn't exist as a directory.
+    if test "X$additional_includedir" != "X/usr/include"; then
+      haveit=
+      for x in $CPPFLAGS; do
+        AC_LIB_WITH_FINAL_PREFIX([eval x=\"$x\"])
+        if test "X$x" = "X-I$additional_includedir"; then
+          haveit=yes
+          break
+        fi
+      done
+      if test -z "$haveit"; then
+        if test "X$additional_includedir" = "X/usr/local/include"; then
+          if test -n "$GCC"; then
+            case $host_os in
+              linux* | gnu* | k*bsd*-gnu) haveit=yes;;
+            esac
+          fi
+        fi
+        if test -z "$haveit"; then
+          if test -d "$additional_includedir"; then
+            dnl Really add $additional_includedir to $CPPFLAGS.
+            CPPFLAGS="${CPPFLAGS}${CPPFLAGS:+ }-I$additional_includedir"
+          fi
+        fi
+      fi
+    fi
+    dnl Potentially add $additional_libdir to $LDFLAGS.
+    dnl But don't add it
+    dnl   1. if it's the standard /usr/lib,
+    dnl   2. if it's already present in $LDFLAGS,
+    dnl   3. if it's /usr/local/lib and we are using GCC on Linux,
+    dnl   4. if it doesn't exist as a directory.
+    if test "X$additional_libdir" != "X/usr/$acl_libdirstem"; then
+      haveit=
+      for x in $LDFLAGS; do
+        AC_LIB_WITH_FINAL_PREFIX([eval x=\"$x\"])
+        if test "X$x" = "X-L$additional_libdir"; then
+          haveit=yes
+          break
+        fi
+      done
+      if test -z "$haveit"; then
+        if test "X$additional_libdir" = "X/usr/local/$acl_libdirstem"; then
+          if test -n "$GCC"; then
+            case $host_os in
+              linux*) haveit=yes;;
+            esac
+          fi
+        fi
+        if test -z "$haveit"; then
+          if test -d "$additional_libdir"; then
+            dnl Really add $additional_libdir to $LDFLAGS.
+            LDFLAGS="${LDFLAGS}${LDFLAGS:+ }-L$additional_libdir"
+          fi
+        fi
+      fi
+    fi
+  fi
+])
+
+dnl AC_LIB_PREPARE_PREFIX creates variables acl_final_prefix,
+dnl acl_final_exec_prefix, containing the values to which $prefix and
+dnl $exec_prefix will expand at the end of the configure script.
+AC_DEFUN([AC_LIB_PREPARE_PREFIX],
+[
+  dnl Unfortunately, prefix and exec_prefix get only finally determined
+  dnl at the end of configure.
+  if test "X$prefix" = "XNONE"; then
+    acl_final_prefix="$ac_default_prefix"
+  else
+    acl_final_prefix="$prefix"
+  fi
+  if test "X$exec_prefix" = "XNONE"; then
+    acl_final_exec_prefix='${prefix}'
+  else
+    acl_final_exec_prefix="$exec_prefix"
+  fi
+  acl_save_prefix="$prefix"
+  prefix="$acl_final_prefix"
+  eval acl_final_exec_prefix=\"$acl_final_exec_prefix\"
+  prefix="$acl_save_prefix"
+])
+
+dnl AC_LIB_WITH_FINAL_PREFIX([statement]) evaluates statement, with the
+dnl variables prefix and exec_prefix bound to the values they will have
+dnl at the end of the configure script.
+AC_DEFUN([AC_LIB_WITH_FINAL_PREFIX],
+[
+  acl_save_prefix="$prefix"
+  prefix="$acl_final_prefix"
+  acl_save_exec_prefix="$exec_prefix"
+  exec_prefix="$acl_final_exec_prefix"
+  $1
+  exec_prefix="$acl_save_exec_prefix"
+  prefix="$acl_save_prefix"
+])
+
+dnl AC_LIB_PREPARE_MULTILIB creates a variable acl_libdirstem, containing
+dnl the basename of the libdir, either "lib" or "lib64".
+AC_DEFUN([AC_LIB_PREPARE_MULTILIB],
+[
+  dnl There is no formal standard regarding lib and lib64. The current
+  dnl practice is that on a system supporting 32-bit and 64-bit instruction
+  dnl sets or ABIs, 64-bit libraries go under $prefix/lib64 and 32-bit
+  dnl libraries go under $prefix/lib. We determine the compiler's default
+  dnl mode by looking at the compiler's library search path. If at least
+  dnl of its elements ends in /lib64 or points to a directory whose absolute
+  dnl pathname ends in /lib64, we assume a 64-bit ABI. Otherwise we use the
+  dnl default, namely "lib".
+  acl_libdirstem=lib
+  searchpath=`(LC_ALL=C $CC -print-search-dirs) 2>/dev/null | sed -n -e 's,^libraries: ,,p' | sed -e 's,^=,,'`
+  if test -n "$searchpath"; then
+    acl_save_IFS="${IFS= 	}"; IFS=":"
+    for searchdir in $searchpath; do
+      if test -d "$searchdir"; then
+        case "$searchdir" in
+          */lib64/ | */lib64 ) acl_libdirstem=lib64 ;;
+          *) searchdir=`cd "$searchdir" && pwd`
+             case "$searchdir" in
+               */lib64 ) acl_libdirstem=lib64 ;;
+             esac ;;
+        esac
+      fi
+    done
+    IFS="$acl_save_IFS"
+  fi
+])
+
 dnl Autoconf macros for libgcrypt
 dnl       Copyright (C) 2002, 2004 Free Software Foundation, Inc.
 dnl
diff --git a/configure b/configure
index 540aad3aa..8142a2378 100755
--- a/configure
+++ b/configure
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.63 for strongSwan 4.3.2.
+# Generated by GNU Autoconf 2.63 for strongSwan 4.3.4.
 #
 # Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
 # 2002, 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation, Inc.
@@ -743,8 +743,8 @@ SHELL=${CONFIG_SHELL-/bin/sh}
 # Identity of this package.
 PACKAGE_NAME='strongSwan'
 PACKAGE_TARNAME='strongswan'
-PACKAGE_VERSION='4.3.2'
-PACKAGE_STRING='strongSwan 4.3.2'
+PACKAGE_VERSION='4.3.4'
+PACKAGE_STRING='strongSwan 4.3.4'
 PACKAGE_BUGREPORT=''
 
 # Factoring default headers for most tests.
@@ -791,6 +791,8 @@ USE_FILE_CONFIG_FALSE
 USE_FILE_CONFIG_TRUE
 USE_LIBSTRONGSWAN_FALSE
 USE_LIBSTRONGSWAN_TRUE
+USE_SCRIPTS_FALSE
+USE_SCRIPTS_TRUE
 USE_TOOLS_FALSE
 USE_TOOLS_TRUE
 USE_CHARON_FALSE
@@ -932,9 +934,14 @@ gtk_LIBS
 gtk_CFLAGS
 xml_LIBS
 xml_CFLAGS
+SOCKLIB
+BTLIB
 DLLIB
-PERL
+ALLOCA
+ipsecgid
+ipsecuid
 GPERF
+PERL
 YFLAGS
 YACC
 LEXLIB
@@ -956,6 +963,10 @@ DUMPBIN
 LD
 FGREP
 SED
+LIBTOOL
+EGREP
+GREP
+CPP
 host_os
 host_vendor
 host_cpu
@@ -964,10 +975,6 @@ build_os
 build_vendor
 build_cpu
 build
-LIBTOOL
-EGREP
-GREP
-CPP
 am__fastdepCC_FALSE
 am__fastdepCC_TRUE
 CCDEPMODE
@@ -982,8 +989,8 @@ EXEEXT
 ac_ct_CC
 CPPFLAGS
 LDFLAGS
-CC
 CFLAGS
+CC
 ipsecgroup
 ipsecuser
 IPSEC_ROUTING_TABLE_PRIO
@@ -1133,6 +1140,7 @@ enable_pluto
 enable_threads
 enable_charon
 enable_tools
+enable_scripts
 enable_updown
 enable_attr
 enable_resolv_conf
@@ -1144,6 +1152,7 @@ enable_uci
 enable_nm
 enable_vstr
 enable_dependency_tracking
+with_lib_prefix
 enable_shared
 enable_static
 with_pic
@@ -1722,7 +1731,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures strongSwan 4.3.2 to adapt to many kinds of systems.
+\`configure' configures strongSwan 4.3.4 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1792,7 +1801,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of strongSwan 4.3.2:";;
+     short | recursive ) echo "Configuration of strongSwan 4.3.4:";;
    esac
   cat <<\_ACEOF
 
@@ -1891,8 +1900,8 @@ Optional Features:
                           templates (default is NO).
   --enable-manager        build web management console (default is NO).
   --enable-mediation      enable IKEv2 Mediation Extension (default is NO).
-  --enable-integrity-test enable the integrity test of the crypto library
-                          (default is NO).
+  --enable-integrity-test enable integrity testing of libstrongswan and
+                          plugins (default is NO).
   --disable-pluto         disable the IKEv1 keying daemon pluto. (default is
                           NO).
   --disable-threads       disable the use of threads in pluto. Charon always
@@ -1901,6 +1910,8 @@ Optional Features:
                           NO).
   --disable-tools         disable additional utilities (openac and
                           scepclient). (default is NO).
+  --disable-scripts       disable additional utilities (found in directory
+                          scripts). (default is NO).
   --disable-updown        disable updown firewall script plugin. (default is
                           NO).
   --disable-attr          disable strongswan.conf based configuration
@@ -1961,12 +1972,14 @@ Optional Packages:
                           priority for IPsec routing table (default: 220)
 
   --with-user=user        change user of the daemons to "user" after startup
-                          (default is 0).
+                          (default is "root").
   --with-group=group      change group of the daemons to "group" after startup
-                          (default is 0).
+                          (default is "root").
   --with-capabilities=libcap
                           capability dropping using libcap. Currenlty only the
                           value "libcap" is supported (default is NO).
+  --with-lib-prefix[=DIR] search for libraries in DIR/include and DIR/lib
+  --without-lib-prefix    don't search for libraries in includedir and libdir
   --with-pic              try to use only PIC/non-PIC objects [default=use
                           both]
   --with-gnu-ld           assume the C compiler uses GNU ld [default=no]
@@ -2060,7 +2073,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-strongSwan configure 4.3.2
+strongSwan configure 4.3.4
 generated by GNU Autoconf 2.63
 
 Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
@@ -2074,7 +2087,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by strongSwan $as_me 4.3.2, which was
+It was created by strongSwan $as_me 4.3.4, which was
 generated by GNU Autoconf 2.63.  Invocation command line was
 
   $ $0 $@
@@ -2790,7 +2803,7 @@ fi
 
 # Define the identity of the package.
  PACKAGE='strongswan'
- VERSION='4.3.2'
+ VERSION='4.3.4'
 
 
 cat >>confdefs.h <<_ACEOF
@@ -3940,6 +3953,19 @@ else
 fi
 
 
+# Check whether --enable-scripts was given.
+if test "${enable_scripts+set}" = set; then
+  enableval=$enable_scripts; if test x$enableval = xyes; then
+		scripts=true
+	 else
+		scripts=false
+	fi
+else
+  scripts=true
+
+fi
+
+
 # Check whether --enable-updown was given.
 if test "${enable_updown+set}" = set; then
   enableval=$enable_updown; if test x$enableval = xyes; then
@@ -4049,7 +4075,6 @@ fi
 
 if test -z "$CFLAGS"; then
 	CFLAGS="-g -O2 -Wall -Wno-format -Wno-pointer-sign -Wno-strict-aliasing"
-
 fi
 ac_ext=c
 ac_cpp='$CPP $CPPFLAGS'
@@ -5154,6 +5179,238 @@ else
 fi
 
 
+# Make sure we can run config.sub.
+$SHELL "$ac_aux_dir/config.sub" sun4 >/dev/null 2>&1 ||
+  { { $as_echo "$as_me:$LINENO: error: cannot run $SHELL $ac_aux_dir/config.sub" >&5
+$as_echo "$as_me: error: cannot run $SHELL $ac_aux_dir/config.sub" >&2;}
+   { (exit 1); exit 1; }; }
+
+{ $as_echo "$as_me:$LINENO: checking build system type" >&5
+$as_echo_n "checking build system type... " >&6; }
+if test "${ac_cv_build+set}" = set; then
+  $as_echo_n "(cached) " >&6
+else
+  ac_build_alias=$build_alias
+test "x$ac_build_alias" = x &&
+  ac_build_alias=`$SHELL "$ac_aux_dir/config.guess"`
+test "x$ac_build_alias" = x &&
+  { { $as_echo "$as_me:$LINENO: error: cannot guess build type; you must specify one" >&5
+$as_echo "$as_me: error: cannot guess build type; you must specify one" >&2;}
+   { (exit 1); exit 1; }; }
+ac_cv_build=`$SHELL "$ac_aux_dir/config.sub" $ac_build_alias` ||
+  { { $as_echo "$as_me:$LINENO: error: $SHELL $ac_aux_dir/config.sub $ac_build_alias failed" >&5
+$as_echo "$as_me: error: $SHELL $ac_aux_dir/config.sub $ac_build_alias failed" >&2;}
+   { (exit 1); exit 1; }; }
+
+fi
+{ $as_echo "$as_me:$LINENO: result: $ac_cv_build" >&5
+$as_echo "$ac_cv_build" >&6; }
+case $ac_cv_build in
+*-*-*) ;;
+*) { { $as_echo "$as_me:$LINENO: error: invalid value of canonical build" >&5
+$as_echo "$as_me: error: invalid value of canonical build" >&2;}
+   { (exit 1); exit 1; }; };;
+esac
+build=$ac_cv_build
+ac_save_IFS=$IFS; IFS='-'
+set x $ac_cv_build
+shift
+build_cpu=$1
+build_vendor=$2
+shift; shift
+# Remember, the first character of IFS is used to create $*,
+# except with old shells:
+build_os=$*
+IFS=$ac_save_IFS
+case $build_os in *\ *) build_os=`echo "$build_os" | sed 's/ /-/g'`;; esac
+
+
+{ $as_echo "$as_me:$LINENO: checking host system type" >&5
+$as_echo_n "checking host system type... " >&6; }
+if test "${ac_cv_host+set}" = set; then
+  $as_echo_n "(cached) " >&6
+else
+  if test "x$host_alias" = x; then
+  ac_cv_host=$ac_cv_build
+else
+  ac_cv_host=`$SHELL "$ac_aux_dir/config.sub" $host_alias` ||
+    { { $as_echo "$as_me:$LINENO: error: $SHELL $ac_aux_dir/config.sub $host_alias failed" >&5
+$as_echo "$as_me: error: $SHELL $ac_aux_dir/config.sub $host_alias failed" >&2;}
+   { (exit 1); exit 1; }; }
+fi
+
+fi
+{ $as_echo "$as_me:$LINENO: result: $ac_cv_host" >&5
+$as_echo "$ac_cv_host" >&6; }
+case $ac_cv_host in
+*-*-*) ;;
+*) { { $as_echo "$as_me:$LINENO: error: invalid value of canonical host" >&5
+$as_echo "$as_me: error: invalid value of canonical host" >&2;}
+   { (exit 1); exit 1; }; };;
+esac
+host=$ac_cv_host
+ac_save_IFS=$IFS; IFS='-'
+set x $ac_cv_host
+shift
+host_cpu=$1
+host_vendor=$2
+shift; shift
+# Remember, the first character of IFS is used to create $*,
+# except with old shells:
+host_os=$*
+IFS=$ac_save_IFS
+case $host_os in *\ *) host_os=`echo "$host_os" | sed 's/ /-/g'`;; esac
+
+
+
+                  acl_libdirstem=lib
+  searchpath=`(LC_ALL=C $CC -print-search-dirs) 2>/dev/null | sed -n -e 's,^libraries: ,,p' | sed -e 's,^=,,'`
+  if test -n "$searchpath"; then
+    acl_save_IFS="${IFS= 	}"; IFS=":"
+    for searchdir in $searchpath; do
+      if test -d "$searchdir"; then
+        case "$searchdir" in
+          */lib64/ | */lib64 ) acl_libdirstem=lib64 ;;
+          *) searchdir=`cd "$searchdir" && pwd`
+             case "$searchdir" in
+               */lib64 ) acl_libdirstem=lib64 ;;
+             esac ;;
+        esac
+      fi
+    done
+    IFS="$acl_save_IFS"
+  fi
+
+
+      if test "X$prefix" = "XNONE"; then
+    acl_final_prefix="$ac_default_prefix"
+  else
+    acl_final_prefix="$prefix"
+  fi
+  if test "X$exec_prefix" = "XNONE"; then
+    acl_final_exec_prefix='${prefix}'
+  else
+    acl_final_exec_prefix="$exec_prefix"
+  fi
+  acl_save_prefix="$prefix"
+  prefix="$acl_final_prefix"
+  eval acl_final_exec_prefix=\"$acl_final_exec_prefix\"
+  prefix="$acl_save_prefix"
+
+
+
+
+
+
+
+    use_additional=yes
+
+  acl_save_prefix="$prefix"
+  prefix="$acl_final_prefix"
+  acl_save_exec_prefix="$exec_prefix"
+  exec_prefix="$acl_final_exec_prefix"
+
+    eval additional_includedir=\"$includedir\"
+    eval additional_libdir=\"$libdir\"
+
+  exec_prefix="$acl_save_exec_prefix"
+  prefix="$acl_save_prefix"
+
+
+# Check whether --with-lib-prefix was given.
+if test "${with_lib_prefix+set}" = set; then
+  withval=$with_lib_prefix;
+    if test "X$withval" = "Xno"; then
+      use_additional=no
+    else
+      if test "X$withval" = "X"; then
+
+  acl_save_prefix="$prefix"
+  prefix="$acl_final_prefix"
+  acl_save_exec_prefix="$exec_prefix"
+  exec_prefix="$acl_final_exec_prefix"
+
+          eval additional_includedir=\"$includedir\"
+          eval additional_libdir=\"$libdir\"
+
+  exec_prefix="$acl_save_exec_prefix"
+  prefix="$acl_save_prefix"
+
+      else
+        additional_includedir="$withval/include"
+        additional_libdir="$withval/$acl_libdirstem"
+      fi
+    fi
+
+fi
+
+  if test $use_additional = yes; then
+                            if test "X$additional_includedir" != "X/usr/include"; then
+      haveit=
+      for x in $CPPFLAGS; do
+
+  acl_save_prefix="$prefix"
+  prefix="$acl_final_prefix"
+  acl_save_exec_prefix="$exec_prefix"
+  exec_prefix="$acl_final_exec_prefix"
+  eval x=\"$x\"
+  exec_prefix="$acl_save_exec_prefix"
+  prefix="$acl_save_prefix"
+
+        if test "X$x" = "X-I$additional_includedir"; then
+          haveit=yes
+          break
+        fi
+      done
+      if test -z "$haveit"; then
+        if test "X$additional_includedir" = "X/usr/local/include"; then
+          if test -n "$GCC"; then
+            case $host_os in
+              linux* | gnu* | k*bsd*-gnu) haveit=yes;;
+            esac
+          fi
+        fi
+        if test -z "$haveit"; then
+          if test -d "$additional_includedir"; then
+                        CPPFLAGS="${CPPFLAGS}${CPPFLAGS:+ }-I$additional_includedir"
+          fi
+        fi
+      fi
+    fi
+                            if test "X$additional_libdir" != "X/usr/$acl_libdirstem"; then
+      haveit=
+      for x in $LDFLAGS; do
+
+  acl_save_prefix="$prefix"
+  prefix="$acl_final_prefix"
+  acl_save_exec_prefix="$exec_prefix"
+  exec_prefix="$acl_final_exec_prefix"
+  eval x=\"$x\"
+  exec_prefix="$acl_save_exec_prefix"
+  prefix="$acl_save_prefix"
+
+        if test "X$x" = "X-L$additional_libdir"; then
+          haveit=yes
+          break
+        fi
+      done
+      if test -z "$haveit"; then
+        if test "X$additional_libdir" = "X/usr/local/$acl_libdirstem"; then
+          if test -n "$GCC"; then
+            case $host_os in
+              linux*) haveit=yes;;
+            esac
+          fi
+        fi
+        if test -z "$haveit"; then
+          if test -d "$additional_libdir"; then
+                        LDFLAGS="${LDFLAGS}${LDFLAGS:+ }-L$additional_libdir"
+          fi
+        fi
+      fi
+    fi
+  fi
+
 
 ac_ext=c
 ac_cpp='$CPP $CPPFLAGS'
@@ -6303,89 +6560,6 @@ macro_revision='1.3012'
 
 ltmain="$ac_aux_dir/ltmain.sh"
 
-# Make sure we can run config.sub.
-$SHELL "$ac_aux_dir/config.sub" sun4 >/dev/null 2>&1 ||
-  { { $as_echo "$as_me:$LINENO: error: cannot run $SHELL $ac_aux_dir/config.sub" >&5
-$as_echo "$as_me: error: cannot run $SHELL $ac_aux_dir/config.sub" >&2;}
-   { (exit 1); exit 1; }; }
-
-{ $as_echo "$as_me:$LINENO: checking build system type" >&5
-$as_echo_n "checking build system type... " >&6; }
-if test "${ac_cv_build+set}" = set; then
-  $as_echo_n "(cached) " >&6
-else
-  ac_build_alias=$build_alias
-test "x$ac_build_alias" = x &&
-  ac_build_alias=`$SHELL "$ac_aux_dir/config.guess"`
-test "x$ac_build_alias" = x &&
-  { { $as_echo "$as_me:$LINENO: error: cannot guess build type; you must specify one" >&5
-$as_echo "$as_me: error: cannot guess build type; you must specify one" >&2;}
-   { (exit 1); exit 1; }; }
-ac_cv_build=`$SHELL "$ac_aux_dir/config.sub" $ac_build_alias` ||
-  { { $as_echo "$as_me:$LINENO: error: $SHELL $ac_aux_dir/config.sub $ac_build_alias failed" >&5
-$as_echo "$as_me: error: $SHELL $ac_aux_dir/config.sub $ac_build_alias failed" >&2;}
-   { (exit 1); exit 1; }; }
-
-fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_build" >&5
-$as_echo "$ac_cv_build" >&6; }
-case $ac_cv_build in
-*-*-*) ;;
-*) { { $as_echo "$as_me:$LINENO: error: invalid value of canonical build" >&5
-$as_echo "$as_me: error: invalid value of canonical build" >&2;}
-   { (exit 1); exit 1; }; };;
-esac
-build=$ac_cv_build
-ac_save_IFS=$IFS; IFS='-'
-set x $ac_cv_build
-shift
-build_cpu=$1
-build_vendor=$2
-shift; shift
-# Remember, the first character of IFS is used to create $*,
-# except with old shells:
-build_os=$*
-IFS=$ac_save_IFS
-case $build_os in *\ *) build_os=`echo "$build_os" | sed 's/ /-/g'`;; esac
-
-
-{ $as_echo "$as_me:$LINENO: checking host system type" >&5
-$as_echo_n "checking host system type... " >&6; }
-if test "${ac_cv_host+set}" = set; then
-  $as_echo_n "(cached) " >&6
-else
-  if test "x$host_alias" = x; then
-  ac_cv_host=$ac_cv_build
-else
-  ac_cv_host=`$SHELL "$ac_aux_dir/config.sub" $host_alias` ||
-    { { $as_echo "$as_me:$LINENO: error: $SHELL $ac_aux_dir/config.sub $host_alias failed" >&5
-$as_echo "$as_me: error: $SHELL $ac_aux_dir/config.sub $host_alias failed" >&2;}
-   { (exit 1); exit 1; }; }
-fi
-
-fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_host" >&5
-$as_echo "$ac_cv_host" >&6; }
-case $ac_cv_host in
-*-*-*) ;;
-*) { { $as_echo "$as_me:$LINENO: error: invalid value of canonical host" >&5
-$as_echo "$as_me: error: invalid value of canonical host" >&2;}
-   { (exit 1); exit 1; }; };;
-esac
-host=$ac_cv_host
-ac_save_IFS=$IFS; IFS='-'
-set x $ac_cv_host
-shift
-host_cpu=$1
-host_vendor=$2
-shift; shift
-# Remember, the first character of IFS is used to create $*,
-# except with old shells:
-host_os=$*
-IFS=$ac_save_IFS
-case $host_os in *\ *) host_os=`echo "$host_os" | sed 's/ /-/g'`;; esac
-
-
 { $as_echo "$as_me:$LINENO: checking for a sed that does not truncate output" >&5
 $as_echo_n "checking for a sed that does not truncate output... " >&6; }
 if test "${ac_cv_path_SED+set}" = set; then
@@ -6846,13 +7020,13 @@ if test "${lt_cv_nm_interface+set}" = set; then
 else
   lt_cv_nm_interface="BSD nm"
   echo "int some_variable = 0;" > conftest.$ac_ext
-  (eval echo "\"\$as_me:6849: $ac_compile\"" >&5)
+  (eval echo "\"\$as_me:7023: $ac_compile\"" >&5)
   (eval "$ac_compile" 2>conftest.err)
   cat conftest.err >&5
-  (eval echo "\"\$as_me:6852: $NM \\\"conftest.$ac_objext\\\"\"" >&5)
+  (eval echo "\"\$as_me:7026: $NM \\\"conftest.$ac_objext\\\"\"" >&5)
   (eval "$NM \"conftest.$ac_objext\"" 2>conftest.err > conftest.out)
   cat conftest.err >&5
-  (eval echo "\"\$as_me:6855: output\"" >&5)
+  (eval echo "\"\$as_me:7029: output\"" >&5)
   cat conftest.out >&5
   if $GREP 'External.*some_variable' conftest.out > /dev/null; then
     lt_cv_nm_interface="MS dumpbin"
@@ -8057,7 +8231,7 @@ ia64-*-hpux*)
   ;;
 *-*-irix6*)
   # Find out which ABI we are using.
-  echo '#line 8060 "configure"' > conftest.$ac_ext
+  echo '#line 8234 "configure"' > conftest.$ac_ext
   if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
   (eval $ac_compile) 2>&5
   ac_status=$?
@@ -9422,11 +9596,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:9425: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:9599: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:9429: \$? = $ac_status" >&5
+   echo "$as_me:9603: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -9761,11 +9935,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:9764: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:9938: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:9768: \$? = $ac_status" >&5
+   echo "$as_me:9942: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -9866,11 +10040,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:9869: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:10043: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:9873: \$? = $ac_status" >&5
+   echo "$as_me:10047: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -9921,11 +10095,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:9924: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:10098: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:9928: \$? = $ac_status" >&5
+   echo "$as_me:10102: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -12734,7 +12908,7 @@ else
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext <<_LT_EOF
-#line 12737 "configure"
+#line 12911 "configure"
 #include "confdefs.h"
 
 #if HAVE_DLFCN_H
@@ -12830,7 +13004,7 @@ else
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext <<_LT_EOF
-#line 12833 "configure"
+#line 13007 "configure"
 #include "confdefs.h"
 
 #if HAVE_DLFCN_H
@@ -13057,25 +13231,136 @@ CC="$lt_save_CC"
 # Only expand once:
 
 
-for ac_prog in flex lex
-do
-  # Extract the first word of "$ac_prog", so it can be a program name with args.
-set dummy $ac_prog; ac_word=$2
-{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
-$as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_LEX+set}" = set; then
+{ $as_echo "$as_me:$LINENO: checking for egrep" >&5
+$as_echo_n "checking for egrep... " >&6; }
+if test "${ac_cv_path_EGREP+set}" = set; then
   $as_echo_n "(cached) " >&6
 else
-  if test -n "$LEX"; then
-  ac_cv_prog_LEX="$LEX" # Let the user override the test.
-else
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if echo a | $GREP -E '(a|b)' >/dev/null 2>&1
+   then ac_cv_path_EGREP="$GREP -E"
+   else
+     if test -z "$EGREP"; then
+  ac_path_EGREP_found=false
+  # Loop through the user's path and test for each of PROGNAME-LIST
+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH$PATH_SEPARATOR/usr/xpg4/bin
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+  for ac_prog in egrep; do
+    for ac_exec_ext in '' $ac_executable_extensions; do
+      ac_path_EGREP="$as_dir/$ac_prog$ac_exec_ext"
+      { test -f "$ac_path_EGREP" && $as_test_x "$ac_path_EGREP"; } || continue
+# Check for GNU ac_path_EGREP and select it if it is found.
+  # Check for GNU $ac_path_EGREP
+case `"$ac_path_EGREP" --version 2>&1` in
+*GNU*)
+  ac_cv_path_EGREP="$ac_path_EGREP" ac_path_EGREP_found=:;;
+*)
+  ac_count=0
+  $as_echo_n 0123456789 >"conftest.in"
+  while :
+  do
+    cat "conftest.in" "conftest.in" >"conftest.tmp"
+    mv "conftest.tmp" "conftest.in"
+    cp "conftest.in" "conftest.nl"
+    $as_echo 'EGREP' >> "conftest.nl"
+    "$ac_path_EGREP" 'EGREP$' < "conftest.nl" >"conftest.out" 2>/dev/null || break
+    diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break
+    ac_count=`expr $ac_count + 1`
+    if test $ac_count -gt ${ac_path_EGREP_max-0}; then
+      # Best one so far, save it but keep looking for a better one
+      ac_cv_path_EGREP="$ac_path_EGREP"
+      ac_path_EGREP_max=$ac_count
+    fi
+    # 10*(2^10) chars as input seems more than enough
+    test $ac_count -gt 10 && break
+  done
+  rm -f conftest.in conftest.tmp conftest.nl conftest.out;;
+esac
+
+      $ac_path_EGREP_found && break 3
+    done
+  done
+done
+IFS=$as_save_IFS
+  if test -z "$ac_cv_path_EGREP"; then
+    { { $as_echo "$as_me:$LINENO: error: no acceptable egrep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" >&5
+$as_echo "$as_me: error: no acceptable egrep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" >&2;}
+   { (exit 1); exit 1; }; }
+  fi
+else
+  ac_cv_path_EGREP=$EGREP
+fi
+
+   fi
+fi
+{ $as_echo "$as_me:$LINENO: result: $ac_cv_path_EGREP" >&5
+$as_echo "$ac_cv_path_EGREP" >&6; }
+ EGREP="$ac_cv_path_EGREP"
+
+
+for ac_prog in gawk mawk nawk awk
+do
+  # Extract the first word of "$ac_prog", so it can be a program name with args.
+set dummy $ac_prog; ac_word=$2
+{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if test "${ac_cv_prog_AWK+set}" = set; then
+  $as_echo_n "(cached) " >&6
+else
+  if test -n "$AWK"; then
+  ac_cv_prog_AWK="$AWK" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+  for ac_exec_ext in '' $ac_executable_extensions; do
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+    ac_cv_prog_AWK="$ac_prog"
+    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+done
+IFS=$as_save_IFS
+
+fi
+fi
+AWK=$ac_cv_prog_AWK
+if test -n "$AWK"; then
+  { $as_echo "$as_me:$LINENO: result: $AWK" >&5
+$as_echo "$AWK" >&6; }
+else
+  { $as_echo "$as_me:$LINENO: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+  test -n "$AWK" && break
+done
+
+for ac_prog in flex lex
+do
+  # Extract the first word of "$ac_prog", so it can be a program name with args.
+set dummy $ac_prog; ac_word=$2
+{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if test "${ac_cv_prog_LEX+set}" = set; then
+  $as_echo_n "(cached) " >&6
+else
+  if test -n "$LEX"; then
+  ac_cv_prog_LEX="$LEX" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+  for ac_exec_ext in '' $ac_executable_extensions; do
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_LEX="$ac_prog"
     $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -13313,16 +13598,16 @@ fi
 done
 test -n "$YACC" || YACC="yacc"
 
-# Extract the first word of "gperf", so it can be a program name with args.
-set dummy gperf; ac_word=$2
+# Extract the first word of "perl", so it can be a program name with args.
+set dummy perl; ac_word=$2
 { $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_path_GPERF+set}" = set; then
+if test "${ac_cv_path_PERL+set}" = set; then
   $as_echo_n "(cached) " >&6
 else
-  case $GPERF in
+  case $PERL in
   [\\/]* | ?:[\\/]*)
-  ac_cv_path_GPERF="$GPERF" # Let the user override the test with a path.
+  ac_cv_path_PERL="$PERL" # Let the user override the test with a path.
   ;;
   *)
   as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
@@ -13333,7 +13618,7 @@ do
   test -z "$as_dir" && as_dir=.
   for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-    ac_cv_path_GPERF="$as_dir/$ac_word$ac_exec_ext"
+    ac_cv_path_PERL="$as_dir/$ac_word$ac_exec_ext"
     $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
@@ -13344,26 +13629,26 @@ IFS=$as_save_IFS
   ;;
 esac
 fi
-GPERF=$ac_cv_path_GPERF
-if test -n "$GPERF"; then
-  { $as_echo "$as_me:$LINENO: result: $GPERF" >&5
-$as_echo "$GPERF" >&6; }
+PERL=$ac_cv_path_PERL
+if test -n "$PERL"; then
+  { $as_echo "$as_me:$LINENO: result: $PERL" >&5
+$as_echo "$PERL" >&6; }
 else
   { $as_echo "$as_me:$LINENO: result: no" >&5
 $as_echo "no" >&6; }
 fi
 
 
-# Extract the first word of "perl", so it can be a program name with args.
-set dummy perl; ac_word=$2
+# Extract the first word of "gperf", so it can be a program name with args.
+set dummy gperf; ac_word=$2
 { $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_path_PERL+set}" = set; then
+if test "${ac_cv_path_GPERF+set}" = set; then
   $as_echo_n "(cached) " >&6
 else
-  case $PERL in
+  case $GPERF in
   [\\/]* | ?:[\\/]*)
-  ac_cv_path_PERL="$PERL" # Let the user override the test with a path.
+  ac_cv_path_GPERF="$GPERF" # Let the user override the test with a path.
   ;;
   *)
   as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
@@ -13374,7 +13659,7 @@ do
   test -z "$as_dir" && as_dir=.
   for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-    ac_cv_path_PERL="$as_dir/$ac_word$ac_exec_ext"
+    ac_cv_path_GPERF="$as_dir/$ac_word$ac_exec_ext"
     $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
@@ -13385,10 +13670,10 @@ IFS=$as_save_IFS
   ;;
 esac
 fi
-PERL=$ac_cv_path_PERL
-if test -n "$PERL"; then
-  { $as_echo "$as_me:$LINENO: result: $PERL" >&5
-$as_echo "$PERL" >&6; }
+GPERF=$ac_cv_path_GPERF
+if test -n "$GPERF"; then
+  { $as_echo "$as_me:$LINENO: result: $GPERF" >&5
+$as_echo "$GPERF" >&6; }
 else
   { $as_echo "$as_me:$LINENO: result: no" >&5
 $as_echo "no" >&6; }
@@ -13396,6 +13681,46 @@ fi
 
 
 
+{ $as_echo "$as_me:$LINENO: checking gperf version >= 3.0.0" >&5
+$as_echo_n "checking gperf version >= 3.0.0... " >&6; }
+if test -x "$GPERF"; then
+	if test "`$GPERF --version | $AWK -F' ' '/^GNU gperf/ { print $3 }' | $AWK -F. '{ print $1 }'`" -ge "3"; then
+		{ $as_echo "$as_me:$LINENO: result: yes" >&5
+$as_echo "yes" >&6; }
+	else
+		{ $as_echo "$as_me:$LINENO: result: no" >&5
+$as_echo "no" >&6; }
+	fi
+else
+	{ $as_echo "$as_me:$LINENO: result: not found" >&5
+$as_echo "not found" >&6; }
+fi
+
+{ $as_echo "$as_me:$LINENO: checking for uid of user \"$ipsecuser\"" >&5
+$as_echo_n "checking for uid of user \"$ipsecuser\"... " >&6; }
+ipsecuid=`id -u $ipsecuser 2>/dev/null`
+if test -n "$ipsecuid"; then
+	{ $as_echo "$as_me:$LINENO: result: $ipsecuid" >&5
+$as_echo "$ipsecuid" >&6; }
+
+else
+	{ { $as_echo "$as_me:$LINENO: error: not found" >&5
+$as_echo "$as_me: error: not found" >&2;}
+   { (exit 1); exit 1; }; }
+fi
+{ $as_echo "$as_me:$LINENO: checking for gid of group \"$ipsecgroup\"" >&5
+$as_echo_n "checking for gid of group \"$ipsecgroup\"... " >&6; }
+ipsecgid=`$EGREP "^$ipsecgroup:" /etc/group | $AWK -F: '{ print $3 }'`
+if test -n "$ipsecgid"; then
+	{ $as_echo "$as_me:$LINENO: result: $ipsecgid" >&5
+$as_echo "$ipsecgid" >&6; }
+
+else
+	{ { $as_echo "$as_me:$LINENO: error: not found" >&5
+$as_echo "$as_me: error: not found" >&2;}
+   { (exit 1); exit 1; }; }
+fi
+
 
 if test x$eap_aka = xtrue; then
 	gmp=true;
@@ -13663,45 +13988,30 @@ _ACEOF
 
 fi
 
-
-saved_LIBS=$LIBS
-LIBS=""
-{ $as_echo "$as_me:$LINENO: checking for library containing dlopen" >&5
-$as_echo_n "checking for library containing dlopen... " >&6; }
-if test "${ac_cv_search_dlopen+set}" = set; then
+# The Ultrix 4.2 mips builtin alloca declared by alloca.h only works
+# for constant arguments.  Useless!
+{ $as_echo "$as_me:$LINENO: checking for working alloca.h" >&5
+$as_echo_n "checking for working alloca.h... " >&6; }
+if test "${ac_cv_working_alloca_h+set}" = set; then
   $as_echo_n "(cached) " >&6
 else
-  ac_func_search_save_LIBS=$LIBS
-cat >conftest.$ac_ext <<_ACEOF
+  cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
 cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
-
-/* Override any GCC internal prototype to avoid an error.
-   Use char because int might match the return type of a GCC
-   builtin and then its argument prototype would still apply.  */
-#ifdef __cplusplus
-extern "C"
-#endif
-char dlopen ();
+#include <alloca.h>
 int
 main ()
 {
-return dlopen ();
+char *p = (char *) alloca (2 * sizeof (int));
+			  if (p) return 0;
   ;
   return 0;
 }
 _ACEOF
-for ac_lib in '' dl; do
-  if test -z "$ac_lib"; then
-    ac_res="none required"
-  else
-    ac_res=-l$ac_lib
-    LIBS="-l$ac_lib  $ac_func_search_save_LIBS"
-  fi
-  rm -f conftest.$ac_objext conftest$ac_exeext
+rm -f conftest.$ac_objext conftest$ac_exeext
 if { (ac_try="$ac_link"
 case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
@@ -13722,68 +14032,477 @@ $as_echo "$ac_try_echo") >&5
 	 test "$cross_compiling" = yes ||
 	 $as_test_x conftest$ac_exeext
        }; then
-  ac_cv_search_dlopen=$ac_res
+  ac_cv_working_alloca_h=yes
 else
   $as_echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-
+	ac_cv_working_alloca_h=no
 fi
 
 rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext
-  if test "${ac_cv_search_dlopen+set}" = set; then
-  break
-fi
-done
-if test "${ac_cv_search_dlopen+set}" = set; then
-  :
-else
-  ac_cv_search_dlopen=no
-fi
-rm conftest.$ac_ext
-LIBS=$ac_func_search_save_LIBS
-fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_search_dlopen" >&5
-$as_echo "$ac_cv_search_dlopen" >&6; }
-ac_res=$ac_cv_search_dlopen
-if test "$ac_res" != no; then
-  test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
-  DLLIB=$LIBS
+      conftest$ac_exeext conftest.$ac_ext
 fi
+{ $as_echo "$as_me:$LINENO: result: $ac_cv_working_alloca_h" >&5
+$as_echo "$ac_cv_working_alloca_h" >&6; }
+if test $ac_cv_working_alloca_h = yes; then
 
-LIBS=$saved_LIBS
+cat >>confdefs.h <<\_ACEOF
+#define HAVE_ALLOCA_H 1
+_ACEOF
 
+fi
 
-{ $as_echo "$as_me:$LINENO: checking for dladdr" >&5
-$as_echo_n "checking for dladdr... " >&6; }
-cat >conftest.$ac_ext <<_ACEOF
+{ $as_echo "$as_me:$LINENO: checking for alloca" >&5
+$as_echo_n "checking for alloca... " >&6; }
+if test "${ac_cv_func_alloca_works+set}" = set; then
+  $as_echo_n "(cached) " >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
 cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
-#define _GNU_SOURCE
-	 #include <dlfcn.h>
+#ifdef __GNUC__
+# define alloca __builtin_alloca
+#else
+# ifdef _MSC_VER
+#  include <malloc.h>
+#  define alloca _alloca
+# else
+#  ifdef HAVE_ALLOCA_H
+#   include <alloca.h>
+#  else
+#   ifdef _AIX
+ #pragma alloca
+#   else
+#    ifndef alloca /* predefined by HP cc +Olibcalls */
+char *alloca ();
+#    endif
+#   endif
+#  endif
+# endif
+#endif
+
 int
 main ()
 {
-Dl_info* info = 0;
-	 dladdr(0, info);
+char *p = (char *) alloca (1);
+				    if (p) return 0;
   ;
   return 0;
 }
 _ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext && {
+	 test "$cross_compiling" = yes ||
+	 $as_test_x conftest$ac_exeext
+       }; then
+  ac_cv_func_alloca_works=yes
+else
+  $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	ac_cv_func_alloca_works=no
+fi
+
+rm -rf conftest.dSYM
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+fi
+{ $as_echo "$as_me:$LINENO: result: $ac_cv_func_alloca_works" >&5
+$as_echo "$ac_cv_func_alloca_works" >&6; }
+
+if test $ac_cv_func_alloca_works = yes; then
+
+cat >>confdefs.h <<\_ACEOF
+#define HAVE_ALLOCA 1
+_ACEOF
+
+else
+  # The SVR3 libPW and SVR4 libucb both contain incompatible functions
+# that cause trouble.  Some versions do not even contain alloca or
+# contain a buggy version.  If you still want to use their alloca,
+# use ar to extract alloca.o from them instead of compiling alloca.c.
+
+ALLOCA=\${LIBOBJDIR}alloca.$ac_objext
+
+cat >>confdefs.h <<\_ACEOF
+#define C_ALLOCA 1
+_ACEOF
+
+
+{ $as_echo "$as_me:$LINENO: checking whether \`alloca.c' needs Cray hooks" >&5
+$as_echo_n "checking whether \`alloca.c' needs Cray hooks... " >&6; }
+if test "${ac_cv_os_cray+set}" = set; then
+  $as_echo_n "(cached) " >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+#if defined CRAY && ! defined CRAY2
+webecray
+#else
+wenotbecray
+#endif
+
+_ACEOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  $EGREP "webecray" >/dev/null 2>&1; then
+  ac_cv_os_cray=yes
+else
+  ac_cv_os_cray=no
+fi
+rm -f conftest*
+
+fi
+{ $as_echo "$as_me:$LINENO: result: $ac_cv_os_cray" >&5
+$as_echo "$ac_cv_os_cray" >&6; }
+if test $ac_cv_os_cray = yes; then
+  for ac_func in _getb67 GETB67 getb67; do
+    as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
+{ $as_echo "$as_me:$LINENO: checking for $ac_func" >&5
+$as_echo_n "checking for $ac_func... " >&6; }
+if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
+  $as_echo_n "(cached) " >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+/* Define $ac_func to an innocuous variant, in case <limits.h> declares $ac_func.
+   For example, HP-UX 11i <limits.h> declares gettimeofday.  */
+#define $ac_func innocuous_$ac_func
+
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.
+    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+    <limits.h> exists even on freestanding compilers.  */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef $ac_func
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char $ac_func ();
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined __stub_$ac_func || defined __stub___$ac_func
+choke me
+#endif
+
+int
+main ()
+{
+return $ac_func ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext && {
+	 test "$cross_compiling" = yes ||
+	 $as_test_x conftest$ac_exeext
+       }; then
+  eval "$as_ac_var=yes"
+else
+  $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	eval "$as_ac_var=no"
+fi
+
+rm -rf conftest.dSYM
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+fi
+ac_res=`eval 'as_val=${'$as_ac_var'}
+		 $as_echo "$as_val"'`
+	       { $as_echo "$as_me:$LINENO: result: $ac_res" >&5
+$as_echo "$ac_res" >&6; }
+as_val=`eval 'as_val=${'$as_ac_var'}
+		 $as_echo "$as_val"'`
+   if test "x$as_val" = x""yes; then
+
+cat >>confdefs.h <<_ACEOF
+#define CRAY_STACKSEG_END $ac_func
+_ACEOF
+
+    break
+fi
+
+  done
+fi
+
+{ $as_echo "$as_me:$LINENO: checking stack direction for C alloca" >&5
+$as_echo_n "checking stack direction for C alloca... " >&6; }
+if test "${ac_cv_c_stack_direction+set}" = set; then
+  $as_echo_n "(cached) " >&6
+else
+  if test "$cross_compiling" = yes; then
+  ac_cv_c_stack_direction=0
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+$ac_includes_default
+int
+find_stack_direction ()
+{
+  static char *addr = 0;
+  auto char dummy;
+  if (addr == 0)
+    {
+      addr = &dummy;
+      return find_stack_direction ();
+    }
+  else
+    return (&dummy > addr) ? 1 : -1;
+}
+
+int
+main ()
+{
+  return find_stack_direction () < 0;
+}
+_ACEOF
+rm -f conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+  (eval "$ac_link") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
+  { (case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+  (eval "$ac_try") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; }; then
+  ac_cv_c_stack_direction=1
+else
+  $as_echo "$as_me: program exited with status $ac_status" >&5
+$as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+( exit $ac_status )
+ac_cv_c_stack_direction=-1
+fi
+rm -rf conftest.dSYM
+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
+fi
+
+
+fi
+{ $as_echo "$as_me:$LINENO: result: $ac_cv_c_stack_direction" >&5
+$as_echo "$ac_cv_c_stack_direction" >&6; }
+
+cat >>confdefs.h <<_ACEOF
+#define STACK_DIRECTION $ac_cv_c_stack_direction
+_ACEOF
+
+
+fi
+
+
+saved_LIBS=$LIBS
+
+LIBS=""
+{ $as_echo "$as_me:$LINENO: checking for library containing dlopen" >&5
+$as_echo_n "checking for library containing dlopen... " >&6; }
+if test "${ac_cv_search_dlopen+set}" = set; then
+  $as_echo_n "(cached) " >&6
+else
+  ac_func_search_save_LIBS=$LIBS
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char dlopen ();
+int
+main ()
+{
+return dlopen ();
+  ;
+  return 0;
+}
+_ACEOF
+for ac_lib in '' dl; do
+  if test -z "$ac_lib"; then
+    ac_res="none required"
+  else
+    ac_res=-l$ac_lib
+    LIBS="-l$ac_lib  $ac_func_search_save_LIBS"
+  fi
+  rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext && {
+	 test "$cross_compiling" = yes ||
+	 $as_test_x conftest$ac_exeext
+       }; then
+  ac_cv_search_dlopen=$ac_res
+else
+  $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+
+fi
+
+rm -rf conftest.dSYM
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext
+  if test "${ac_cv_search_dlopen+set}" = set; then
+  break
+fi
+done
+if test "${ac_cv_search_dlopen+set}" = set; then
+  :
+else
+  ac_cv_search_dlopen=no
+fi
+rm conftest.$ac_ext
+LIBS=$ac_func_search_save_LIBS
+fi
+{ $as_echo "$as_me:$LINENO: result: $ac_cv_search_dlopen" >&5
+$as_echo "$ac_cv_search_dlopen" >&6; }
+ac_res=$ac_cv_search_dlopen
+if test "$ac_res" != no; then
+  test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
+  DLLIB=$LIBS
+fi
+
+
+
+LIBS=""
+{ $as_echo "$as_me:$LINENO: checking for library containing backtrace" >&5
+$as_echo_n "checking for library containing backtrace... " >&6; }
+if test "${ac_cv_search_backtrace+set}" = set; then
+  $as_echo_n "(cached) " >&6
+else
+  ac_func_search_save_LIBS=$LIBS
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char backtrace ();
+int
+main ()
+{
+return backtrace ();
+  ;
+  return 0;
+}
+_ACEOF
+for ac_lib in '' execinfo; do
+  if test -z "$ac_lib"; then
+    ac_res="none required"
+  else
+    ac_res=-l$ac_lib
+    LIBS="-l$ac_lib  $ac_func_search_save_LIBS"
+  fi
+  rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
 eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
 $as_echo "$ac_try_echo") >&5
-  (eval "$ac_compile") 2>conftest.er1
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
@@ -13792,22 +14511,40 @@ $as_echo "$ac_try_echo") >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  { $as_echo "$as_me:$LINENO: result: yes" >&5
-$as_echo "yes" >&6; }; cat >>confdefs.h <<\_ACEOF
-#define HAVE_DLADDR 1
-_ACEOF
-
+       } && test -s conftest$ac_exeext && {
+	 test "$cross_compiling" = yes ||
+	 $as_test_x conftest$ac_exeext
+       }; then
+  ac_cv_search_backtrace=$ac_res
 else
   $as_echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-	{ $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
 
 fi
 
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+rm -rf conftest.dSYM
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext
+  if test "${ac_cv_search_backtrace+set}" = set; then
+  break
+fi
+done
+if test "${ac_cv_search_backtrace+set}" = set; then
+  :
+else
+  ac_cv_search_backtrace=no
+fi
+rm conftest.$ac_ext
+LIBS=$ac_func_search_save_LIBS
+fi
+{ $as_echo "$as_me:$LINENO: result: $ac_cv_search_backtrace" >&5
+$as_echo "$ac_cv_search_backtrace" >&6; }
+ac_res=$ac_cv_search_backtrace
+if test "$ac_res" != no; then
+  test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
+  BTLIB=$LIBS
+fi
 
 
 for ac_func in backtrace
@@ -13911,6 +14648,224 @@ fi
 done
 
 
+
+LIBS=""
+{ $as_echo "$as_me:$LINENO: checking for library containing socket" >&5
+$as_echo_n "checking for library containing socket... " >&6; }
+if test "${ac_cv_search_socket+set}" = set; then
+  $as_echo_n "(cached) " >&6
+else
+  ac_func_search_save_LIBS=$LIBS
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char socket ();
+int
+main ()
+{
+return socket ();
+  ;
+  return 0;
+}
+_ACEOF
+for ac_lib in '' socket; do
+  if test -z "$ac_lib"; then
+    ac_res="none required"
+  else
+    ac_res=-l$ac_lib
+    LIBS="-l$ac_lib  $ac_func_search_save_LIBS"
+  fi
+  rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext && {
+	 test "$cross_compiling" = yes ||
+	 $as_test_x conftest$ac_exeext
+       }; then
+  ac_cv_search_socket=$ac_res
+else
+  $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+
+fi
+
+rm -rf conftest.dSYM
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext
+  if test "${ac_cv_search_socket+set}" = set; then
+  break
+fi
+done
+if test "${ac_cv_search_socket+set}" = set; then
+  :
+else
+  ac_cv_search_socket=no
+fi
+rm conftest.$ac_ext
+LIBS=$ac_func_search_save_LIBS
+fi
+{ $as_echo "$as_me:$LINENO: result: $ac_cv_search_socket" >&5
+$as_echo "$ac_cv_search_socket" >&6; }
+ac_res=$ac_cv_search_socket
+if test "$ac_res" != no; then
+  test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
+  SOCKLIB=$LIBS
+else
+  { $as_echo "$as_me:$LINENO: checking for socket in -lnsl" >&5
+$as_echo_n "checking for socket in -lnsl... " >&6; }
+if test "${ac_cv_lib_nsl_socket+set}" = set; then
+  $as_echo_n "(cached) " >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lnsl -lsocket $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char socket ();
+int
+main ()
+{
+return socket ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext && {
+	 test "$cross_compiling" = yes ||
+	 $as_test_x conftest$ac_exeext
+       }; then
+  ac_cv_lib_nsl_socket=yes
+else
+  $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	ac_cv_lib_nsl_socket=no
+fi
+
+rm -rf conftest.dSYM
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_nsl_socket" >&5
+$as_echo "$ac_cv_lib_nsl_socket" >&6; }
+if test "x$ac_cv_lib_nsl_socket" = x""yes; then
+  SOCKLIB="-lsocket -lnsl"
+fi
+
+
+fi
+
+
+
+LIBS=$saved_LIBS
+
+{ $as_echo "$as_me:$LINENO: checking for dladdr" >&5
+$as_echo_n "checking for dladdr... " >&6; }
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+#define _GNU_SOURCE
+	 #include <dlfcn.h>
+int
+main ()
+{
+Dl_info* info = 0;
+	 dladdr(0, info);
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  { $as_echo "$as_me:$LINENO: result: yes" >&5
+$as_echo "yes" >&6; }; cat >>confdefs.h <<\_ACEOF
+#define HAVE_DLADDR 1
+_ACEOF
+
+else
+  $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	{ $as_echo "$as_me:$LINENO: result: no" >&5
+$as_echo "no" >&6; }
+
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+
+
 for ac_func in prctl
 do
 as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
@@ -14012,111 +14967,157 @@ fi
 done
 
 
-for ac_func in gethostbyname_r
+
+for ac_header in sys/sockio.h
 do
-as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
-{ $as_echo "$as_me:$LINENO: checking for $ac_func" >&5
-$as_echo_n "checking for $ac_func... " >&6; }
-if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
+as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+  { $as_echo "$as_me:$LINENO: checking for $ac_header" >&5
+$as_echo_n "checking for $ac_header... " >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
   $as_echo_n "(cached) " >&6
+fi
+ac_res=`eval 'as_val=${'$as_ac_Header'}
+		 $as_echo "$as_val"'`
+	       { $as_echo "$as_me:$LINENO: result: $ac_res" >&5
+$as_echo "$ac_res" >&6; }
 else
-  cat >conftest.$ac_ext <<_ACEOF
+  # Is the header compilable?
+{ $as_echo "$as_me:$LINENO: checking $ac_header usability" >&5
+$as_echo_n "checking $ac_header usability... " >&6; }
+cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
 cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
-/* Define $ac_func to an innocuous variant, in case <limits.h> declares $ac_func.
-   For example, HP-UX 11i <limits.h> declares gettimeofday.  */
-#define $ac_func innocuous_$ac_func
-
-/* System header to define __stub macros and hopefully few prototypes,
-    which can conflict with char $ac_func (); below.
-    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
-    <limits.h> exists even on freestanding compilers.  */
-
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
+$ac_includes_default
+#include <$ac_header>
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  ac_header_compiler=yes
+else
+  $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
 
-#undef $ac_func
+	ac_header_compiler=no
+fi
 
-/* Override any GCC internal prototype to avoid an error.
-   Use char because int might match the return type of a GCC
-   builtin and then its argument prototype would still apply.  */
-#ifdef __cplusplus
-extern "C"
-#endif
-char $ac_func ();
-/* The GNU C library defines this for functions which it implements
-    to always fail with ENOSYS.  Some functions are actually named
-    something starting with __ and the normal name is an alias.  */
-#if defined __stub_$ac_func || defined __stub___$ac_func
-choke me
-#endif
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+{ $as_echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
+$as_echo "$ac_header_compiler" >&6; }
 
-int
-main ()
-{
-return $ac_func ();
-  ;
-  return 0;
-}
+# Is the header present?
+{ $as_echo "$as_me:$LINENO: checking $ac_header presence" >&5
+$as_echo_n "checking $ac_header presence... " >&6; }
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
 _ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+#include <$ac_header>
+_ACEOF
+if { (ac_try="$ac_cpp conftest.$ac_ext"
 case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
 eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
 $as_echo "$ac_try_echo") >&5
-  (eval "$ac_link") 2>conftest.er1
+  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
+  (exit $ac_status); } >/dev/null && {
+	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
        }; then
-  eval "$as_ac_var=yes"
+  ac_header_preproc=yes
 else
   $as_echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-	eval "$as_ac_var=no"
+  ac_header_preproc=no
 fi
 
-rm -rf conftest.dSYM
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
+rm -f conftest.err conftest.$ac_ext
+{ $as_echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
+$as_echo "$ac_header_preproc" >&6; }
+
+# So?  What about this header?
+case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
+  yes:no: )
+    { $as_echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5
+$as_echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;}
+    { $as_echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the compiler's result" >&5
+$as_echo "$as_me: WARNING: $ac_header: proceeding with the compiler's result" >&2;}
+    ac_header_preproc=yes
+    ;;
+  no:yes:* )
+    { $as_echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5
+$as_echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;}
+    { $as_echo "$as_me:$LINENO: WARNING: $ac_header:     check for missing prerequisite headers?" >&5
+$as_echo "$as_me: WARNING: $ac_header:     check for missing prerequisite headers?" >&2;}
+    { $as_echo "$as_me:$LINENO: WARNING: $ac_header: see the Autoconf documentation" >&5
+$as_echo "$as_me: WARNING: $ac_header: see the Autoconf documentation" >&2;}
+    { $as_echo "$as_me:$LINENO: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\"" >&5
+$as_echo "$as_me: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\"" >&2;}
+    { $as_echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5
+$as_echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;}
+    { $as_echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5
+$as_echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;}
+
+    ;;
+esac
+{ $as_echo "$as_me:$LINENO: checking for $ac_header" >&5
+$as_echo_n "checking for $ac_header... " >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+  $as_echo_n "(cached) " >&6
+else
+  eval "$as_ac_Header=\$ac_header_preproc"
 fi
-ac_res=`eval 'as_val=${'$as_ac_var'}
+ac_res=`eval 'as_val=${'$as_ac_Header'}
 		 $as_echo "$as_val"'`
 	       { $as_echo "$as_me:$LINENO: result: $ac_res" >&5
 $as_echo "$ac_res" >&6; }
-as_val=`eval 'as_val=${'$as_ac_var'}
+
+fi
+as_val=`eval 'as_val=${'$as_ac_Header'}
 		 $as_echo "$as_val"'`
    if test "x$as_val" = x""yes; then
   cat >>confdefs.h <<_ACEOF
-#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
+#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1
 _ACEOF
 
 fi
+
 done
 
 
 
 
 
-for ac_header in net/pfkeyv2.h netipsec/ipsec.h netinet6/ipsec.h
+for ac_header in net/pfkeyv2.h netipsec/ipsec.h netinet6/ipsec.h linux/udp.h
 do
 as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
 if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
@@ -17838,6 +18839,111 @@ fi
 
 fi
 
+if test x$integrity_test = xtrue; then
+	{ $as_echo "$as_me:$LINENO: checking for dladdr()" >&5
+$as_echo_n "checking for dladdr()... " >&6; }
+	cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+#define _GNU_SOURCE
+		 #include <dlfcn.h>
+int
+main ()
+{
+Dl_info info; dladdr(main, &info);
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  { $as_echo "$as_me:$LINENO: result: yes" >&5
+$as_echo "yes" >&6; }
+else
+  $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	{ $as_echo "$as_me:$LINENO: result: no" >&5
+$as_echo "no" >&6; };
+		 { { $as_echo "$as_me:$LINENO: error: dladdr() not supported, required by integrity-test!" >&5
+$as_echo "$as_me: error: dladdr() not supported, required by integrity-test!" >&2;}
+   { (exit 1); exit 1; }; }
+
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+	{ $as_echo "$as_me:$LINENO: checking for dl_iterate_phdr()" >&5
+$as_echo_n "checking for dl_iterate_phdr()... " >&6; }
+	cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+#define _GNU_SOURCE
+		 #include <link.h>
+int
+main ()
+{
+dl_iterate_phdr((void*)0, (void*)0);
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  { $as_echo "$as_me:$LINENO: result: yes" >&5
+$as_echo "yes" >&6; }
+else
+  $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	{ $as_echo "$as_me:$LINENO: result: no" >&5
+$as_echo "no" >&6; };
+		 { { $as_echo "$as_me:$LINENO: error: dl_iterate_phdr() not supported, required by integrity-test!" >&5
+$as_echo "$as_me: error: dl_iterate_phdr() not supported, required by integrity-test!" >&2;}
+   { (exit 1); exit 1; }; }
+
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+
 
 libstrongswan_plugins=
 pluto_plugins=
@@ -18445,6 +19551,14 @@ else
   USE_TOOLS_FALSE=
 fi
 
+ if test x$scripts = xtrue; then
+  USE_SCRIPTS_TRUE=
+  USE_SCRIPTS_FALSE='#'
+else
+  USE_SCRIPTS_TRUE='#'
+  USE_SCRIPTS_FALSE=
+fi
+
  if test x$charon = xtrue -o x$pluto = xtrue -o x$tools = xtrue; then
   USE_LIBSTRONGSWAN_TRUE=
   USE_LIBSTRONGSWAN_FALSE='#'
@@ -18485,7 +19599,7 @@ _ACEOF
 fi
 
 
-ac_config_files="$ac_config_files Makefile src/Makefile src/include/Makefile src/libstrongswan/Makefile src/libstrongswan/plugins/aes/Makefile src/libstrongswan/plugins/des/Makefile src/libstrongswan/plugins/blowfish/Makefile src/libstrongswan/plugins/md4/Makefile src/libstrongswan/plugins/md5/Makefile src/libstrongswan/plugins/sha1/Makefile src/libstrongswan/plugins/sha2/Makefile src/libstrongswan/plugins/fips_prf/Makefile src/libstrongswan/plugins/gmp/Makefile src/libstrongswan/plugins/random/Makefile src/libstrongswan/plugins/hmac/Makefile src/libstrongswan/plugins/xcbc/Makefile src/libstrongswan/plugins/x509/Makefile src/libstrongswan/plugins/pubkey/Makefile src/libstrongswan/plugins/curl/Makefile src/libstrongswan/plugins/ldap/Makefile src/libstrongswan/plugins/mysql/Makefile src/libstrongswan/plugins/sqlite/Makefile src/libstrongswan/plugins/padlock/Makefile src/libstrongswan/plugins/openssl/Makefile src/libstrongswan/plugins/gcrypt/Makefile src/libstrongswan/plugins/agent/Makefile src/libstrongswan/plugins/test_vectors/Makefile src/libstrongswan/fips/Makefile src/libfreeswan/Makefile src/pluto/Makefile src/whack/Makefile src/charon/Makefile src/charon/plugins/eap_aka/Makefile src/charon/plugins/eap_identity/Makefile src/charon/plugins/eap_md5/Makefile src/charon/plugins/eap_gtc/Makefile src/charon/plugins/eap_sim/Makefile src/charon/plugins/eap_sim_file/Makefile src/charon/plugins/eap_mschapv2/Makefile src/charon/plugins/eap_radius/Makefile src/charon/plugins/kernel_netlink/Makefile src/charon/plugins/kernel_pfkey/Makefile src/charon/plugins/kernel_pfroute/Makefile src/charon/plugins/kernel_klips/Makefile src/charon/plugins/smp/Makefile src/charon/plugins/sql/Makefile src/charon/plugins/medsrv/Makefile src/charon/plugins/medcli/Makefile src/charon/plugins/nm/Makefile src/charon/plugins/uci/Makefile src/charon/plugins/stroke/Makefile src/charon/plugins/updown/Makefile src/charon/plugins/attr/Makefile src/charon/plugins/resolv_conf/Makefile src/charon/plugins/unit_tester/Makefile src/charon/plugins/load_tester/Makefile src/stroke/Makefile src/ipsec/Makefile src/starter/Makefile src/_updown/Makefile src/_updown_espmark/Makefile src/_copyright/Makefile src/openac/Makefile src/scepclient/Makefile src/dumm/Makefile src/dumm/ext/extconf.rb src/libfast/Makefile src/manager/Makefile src/medsrv/Makefile scripts/Makefile testing/Makefile"
+ac_config_files="$ac_config_files Makefile src/Makefile src/include/Makefile src/libstrongswan/Makefile src/libstrongswan/plugins/aes/Makefile src/libstrongswan/plugins/des/Makefile src/libstrongswan/plugins/blowfish/Makefile src/libstrongswan/plugins/md4/Makefile src/libstrongswan/plugins/md5/Makefile src/libstrongswan/plugins/sha1/Makefile src/libstrongswan/plugins/sha2/Makefile src/libstrongswan/plugins/fips_prf/Makefile src/libstrongswan/plugins/gmp/Makefile src/libstrongswan/plugins/random/Makefile src/libstrongswan/plugins/hmac/Makefile src/libstrongswan/plugins/xcbc/Makefile src/libstrongswan/plugins/x509/Makefile src/libstrongswan/plugins/pubkey/Makefile src/libstrongswan/plugins/curl/Makefile src/libstrongswan/plugins/ldap/Makefile src/libstrongswan/plugins/mysql/Makefile src/libstrongswan/plugins/sqlite/Makefile src/libstrongswan/plugins/padlock/Makefile src/libstrongswan/plugins/openssl/Makefile src/libstrongswan/plugins/gcrypt/Makefile src/libstrongswan/plugins/agent/Makefile src/libstrongswan/plugins/test_vectors/Makefile src/libfreeswan/Makefile src/pluto/Makefile src/whack/Makefile src/charon/Makefile src/charon/plugins/eap_aka/Makefile src/charon/plugins/eap_identity/Makefile src/charon/plugins/eap_md5/Makefile src/charon/plugins/eap_gtc/Makefile src/charon/plugins/eap_sim/Makefile src/charon/plugins/eap_sim_file/Makefile src/charon/plugins/eap_mschapv2/Makefile src/charon/plugins/eap_radius/Makefile src/charon/plugins/kernel_netlink/Makefile src/charon/plugins/kernel_pfkey/Makefile src/charon/plugins/kernel_pfroute/Makefile src/charon/plugins/kernel_klips/Makefile src/charon/plugins/smp/Makefile src/charon/plugins/sql/Makefile src/charon/plugins/medsrv/Makefile src/charon/plugins/medcli/Makefile src/charon/plugins/nm/Makefile src/charon/plugins/uci/Makefile src/charon/plugins/stroke/Makefile src/charon/plugins/updown/Makefile src/charon/plugins/attr/Makefile src/charon/plugins/resolv_conf/Makefile src/charon/plugins/unit_tester/Makefile src/charon/plugins/load_tester/Makefile src/stroke/Makefile src/ipsec/Makefile src/starter/Makefile src/_updown/Makefile src/_updown_espmark/Makefile src/_copyright/Makefile src/openac/Makefile src/scepclient/Makefile src/dumm/Makefile src/dumm/ext/extconf.rb src/libfast/Makefile src/manager/Makefile src/medsrv/Makefile src/checksum/Makefile scripts/Makefile testing/Makefile"
 
 cat >confcache <<\_ACEOF
 # This file is a shell script that caches the results of configure
@@ -19083,6 +20197,13 @@ $as_echo "$as_me: error: conditional \"USE_TOOLS\" was never defined.
 Usually this means the macro was only invoked conditionally." >&2;}
    { (exit 1); exit 1; }; }
 fi
+if test -z "${USE_SCRIPTS_TRUE}" && test -z "${USE_SCRIPTS_FALSE}"; then
+  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_SCRIPTS\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+$as_echo "$as_me: error: conditional \"USE_SCRIPTS\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
+fi
 if test -z "${USE_LIBSTRONGSWAN_TRUE}" && test -z "${USE_LIBSTRONGSWAN_FALSE}"; then
   { { $as_echo "$as_me:$LINENO: error: conditional \"USE_LIBSTRONGSWAN\" was never defined.
 Usually this means the macro was only invoked conditionally." >&5
@@ -19426,7 +20547,7 @@ exec 6>&1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by strongSwan $as_me 4.3.2, which was
+This file was extended by strongSwan $as_me 4.3.4, which was
 generated by GNU Autoconf 2.63.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -19480,7 +20601,7 @@ Report bugs to <bug-autoconf@gnu.org>."
 _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_version="\\
-strongSwan config.status 4.3.2
+strongSwan config.status 4.3.4
 configured by $0, generated by GNU Autoconf 2.63,
   with options \\"`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`\\"
 
@@ -19875,7 +20996,6 @@ do
     "src/libstrongswan/plugins/gcrypt/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/gcrypt/Makefile" ;;
     "src/libstrongswan/plugins/agent/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/agent/Makefile" ;;
     "src/libstrongswan/plugins/test_vectors/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/test_vectors/Makefile" ;;
-    "src/libstrongswan/fips/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/fips/Makefile" ;;
     "src/libfreeswan/Makefile") CONFIG_FILES="$CONFIG_FILES src/libfreeswan/Makefile" ;;
     "src/pluto/Makefile") CONFIG_FILES="$CONFIG_FILES src/pluto/Makefile" ;;
     "src/whack/Makefile") CONFIG_FILES="$CONFIG_FILES src/whack/Makefile" ;;
@@ -19917,6 +21037,7 @@ do
     "src/libfast/Makefile") CONFIG_FILES="$CONFIG_FILES src/libfast/Makefile" ;;
     "src/manager/Makefile") CONFIG_FILES="$CONFIG_FILES src/manager/Makefile" ;;
     "src/medsrv/Makefile") CONFIG_FILES="$CONFIG_FILES src/medsrv/Makefile" ;;
+    "src/checksum/Makefile") CONFIG_FILES="$CONFIG_FILES src/checksum/Makefile" ;;
     "scripts/Makefile") CONFIG_FILES="$CONFIG_FILES scripts/Makefile" ;;
     "testing/Makefile") CONFIG_FILES="$CONFIG_FILES testing/Makefile" ;;
 
diff --git a/configure.in b/configure.in
index e97e69139..f677cb622 100644
--- a/configure.in
+++ b/configure.in
@@ -16,7 +16,7 @@ dnl ===========================
 dnl  initialize & set some vars
 dnl ===========================
 
-AC_INIT(strongSwan,4.3.2)
+AC_INIT(strongSwan,4.3.4)
 AM_INIT_AUTOMAKE(tar-ustar)
 AC_SUBST(confdir, '${sysconfdir}')
 PKG_PROG_PKG_CONFIG
@@ -125,14 +125,14 @@ AC_ARG_WITH(
 
 AC_ARG_WITH(
 	[user],
-	AS_HELP_STRING([--with-user=user],[change user of the daemons to "user" after startup (default is 0).]),
+	AS_HELP_STRING([--with-user=user],[change user of the daemons to "user" after startup (default is "root").]),
 	[AC_DEFINE_UNQUOTED(IPSEC_USER, "$withval") AC_SUBST(ipsecuser, "$withval")],
 	[AC_SUBST(ipsecuser, "root")]
 )
 
 AC_ARG_WITH(
 	[group],
-	AS_HELP_STRING([--with-group=group],[change group of the daemons to "group" after startup (default is 0).]),
+	AS_HELP_STRING([--with-group=group],[change group of the daemons to "group" after startup (default is "root").]),
 	[AC_DEFINE_UNQUOTED(IPSEC_GROUP, "$withval") AC_SUBST(ipsecgroup, "$withval")],
 	[AC_SUBST(ipsecgroup, "root")]
 )
@@ -588,7 +588,7 @@ AC_ARG_ENABLE(
 
 AC_ARG_ENABLE(
 	[integrity-test],
-	AS_HELP_STRING([--enable-integrity-test],[enable the integrity test of the crypto library (default is NO).]),
+	AS_HELP_STRING([--enable-integrity-test],[enable integrity testing of libstrongswan and plugins (default is NO).]),
 	[if test x$enableval = xyes; then
 		integrity_test=true 
 	fi]
@@ -638,6 +638,17 @@ AC_ARG_ENABLE(
 	tools=true
 )
 
+AC_ARG_ENABLE(
+	[scripts],
+	AS_HELP_STRING([--disable-scripts],[disable additional utilities (found in directory scripts). (default is NO).]),
+	[if test x$enableval = xyes; then
+		scripts=true
+	 else
+		scripts=false
+	fi],
+	scripts=true
+)
+
 AC_ARG_ENABLE(
 	[updown],
 	AS_HELP_STRING([--disable-updown],[disable updown firewall script plugin. (default is NO).]),
@@ -740,9 +751,10 @@ dnl  set up compiler and flags
 dnl =========================
 
 if test -z "$CFLAGS"; then
-	AC_SUBST(CFLAGS, "-g -O2 -Wall -Wno-format -Wno-pointer-sign -Wno-strict-aliasing")
+	CFLAGS="-g -O2 -Wall -Wno-format -Wno-pointer-sign -Wno-strict-aliasing"
 fi
 AC_PROG_CC
+AC_LIB_PREFIX
 AC_C_BIGENDIAN
 
 dnl =========================
@@ -751,10 +763,42 @@ dnl =========================
 
 AC_PROG_INSTALL
 AC_PROG_LIBTOOL
+AC_PROG_EGREP
+AC_PROG_AWK
 AC_PROG_LEX
 AC_PROG_YACC
-AC_PATH_PROG([GPERF], [gperf], [], [$PATH:/bin:/usr/bin:/usr/local/bin])
 AC_PATH_PROG([PERL], [perl], [], [$PATH:/bin:/usr/bin:/usr/local/bin])
+AC_PATH_PROG([GPERF], [gperf], [], [$PATH:/bin:/usr/bin:/usr/local/bin])
+
+dnl because gperf is not needed by end-users we just report it but do not abort on failure
+AC_MSG_CHECKING([gperf version >= 3.0.0])
+if test -x "$GPERF"; then
+	if test "`$GPERF --version | $AWK -F' ' '/^GNU gperf/ { print $3 }' | $AWK -F. '{ print $1 }'`" -ge "3"; then
+		AC_MSG_RESULT([yes])
+	else
+		AC_MSG_RESULT([no])
+	fi
+else
+	AC_MSG_RESULT([not found])
+fi
+
+dnl translate user/group to numercial ids
+AC_MSG_CHECKING([for uid of user "$ipsecuser"])
+ipsecuid=`id -u $ipsecuser 2>/dev/null`
+if test -n "$ipsecuid"; then
+	AC_MSG_RESULT([$ipsecuid])
+	AC_SUBST(ipsecuid)
+else
+	AC_MSG_ERROR([not found])
+fi
+AC_MSG_CHECKING([for gid of group "$ipsecgroup"])
+ipsecgid=`$EGREP "^$ipsecgroup:" /etc/group | $AWK -F: '{ print $3 }'`
+if test -n "$ipsecgid"; then
+	AC_MSG_RESULT([$ipsecgid])
+	AC_SUBST(ipsecgid)
+else
+	AC_MSG_ERROR([not found])
+fi
 
 dnl =========================
 dnl  dependency calculation
@@ -800,13 +844,33 @@ dnl  check required libraries and header files
 dnl ===========================================
 
 AC_HEADER_STDBOOL
+AC_FUNC_ALLOCA
 
+dnl libraries needed on some platforms but not on others
+dnl ====================================================
 saved_LIBS=$LIBS
+
+dnl FreeBSD and Mac OS X have dlopen integrated in libc, Linux needs libdl
 LIBS=""
 AC_SEARCH_LIBS(dlopen, dl, [DLLIB=$LIBS])
-LIBS=$saved_LIBS
 AC_SUBST(DLLIB)
 
+dnl glibc's backtrace() can be replicated on FreeBSD with libexecinfo
+LIBS=""
+AC_SEARCH_LIBS(backtrace, execinfo, [BTLIB=$LIBS])
+AC_CHECK_FUNCS(backtrace)
+AC_SUBST(BTLIB)
+
+dnl OpenSolaris needs libsocket and libnsl for socket()
+LIBS=""
+AC_SEARCH_LIBS(socket, socket, [SOCKLIB=$LIBS],
+	[AC_CHECK_LIB(nsl, socket, [SOCKLIB="-lsocket -lnsl"], [], [-lsocket])]
+)
+AC_SUBST(SOCKLIB)
+
+LIBS=$saved_LIBS
+dnl ======================
+
 AC_MSG_CHECKING(for dladdr)
 AC_TRY_COMPILE(
 	[#define _GNU_SOURCE
@@ -817,11 +881,10 @@ AC_TRY_COMPILE(
 	[AC_MSG_RESULT([no])]
 )
 
-AC_CHECK_FUNCS(backtrace)
 AC_CHECK_FUNCS(prctl)
-AC_CHECK_FUNCS(gethostbyname_r)
 
-AC_CHECK_HEADERS(net/pfkeyv2.h netipsec/ipsec.h netinet6/ipsec.h)
+AC_CHECK_HEADERS(sys/sockio.h)
+AC_CHECK_HEADERS(net/pfkeyv2.h netipsec/ipsec.h netinet6/ipsec.h linux/udp.h)
 
 AC_CHECK_MEMBERS([struct sockaddr.sa_len], [], [],
 [
@@ -1039,6 +1102,25 @@ if test x$capabilities = xlibcap; then
 	AC_CHECK_HEADER([sys/capability.h],,[AC_MSG_ERROR([libcap header sys/capability.h not found!])])
 fi
 
+if test x$integrity_test = xtrue; then
+	AC_MSG_CHECKING([for dladdr()])
+	AC_TRY_COMPILE(
+		[#define _GNU_SOURCE
+		 #include <dlfcn.h>],
+		[Dl_info info; dladdr(main, &info);], 
+		[AC_MSG_RESULT([yes])], [AC_MSG_RESULT([no]);
+		 AC_MSG_ERROR([dladdr() not supported, required by integrity-test!])]
+	)
+	AC_MSG_CHECKING([for dl_iterate_phdr()])
+	AC_TRY_COMPILE(
+		[#define _GNU_SOURCE
+		 #include <link.h>],
+		[dl_iterate_phdr((void*)0, (void*)0);], 
+		[AC_MSG_RESULT([yes])], [AC_MSG_RESULT([no]);
+		 AC_MSG_ERROR([dl_iterate_phdr() not supported, required by integrity-test!])]
+	)
+fi
+
 dnl ======================================
 dnl  collect all plugins for libstrongswan
 dnl ======================================
@@ -1210,6 +1292,7 @@ AM_CONDITIONAL(USE_PLUTO, test x$pluto = xtrue)
 AM_CONDITIONAL(USE_THREADS, test x$threads = xtrue)
 AM_CONDITIONAL(USE_CHARON, test x$charon = xtrue)
 AM_CONDITIONAL(USE_TOOLS, test x$tools = xtrue)
+AM_CONDITIONAL(USE_SCRIPTS, test x$scripts = xtrue)
 AM_CONDITIONAL(USE_LIBSTRONGSWAN, test x$charon = xtrue -o x$pluto = xtrue -o x$tools = xtrue)
 AM_CONDITIONAL(USE_FILE_CONFIG, test x$pluto = xtrue -o x$stroke = xtrue)
 AM_CONDITIONAL(USE_VSTR, test x$vstr = xtrue)
@@ -1257,7 +1340,6 @@ AC_OUTPUT(
 	src/libstrongswan/plugins/gcrypt/Makefile
 	src/libstrongswan/plugins/agent/Makefile
 	src/libstrongswan/plugins/test_vectors/Makefile
-	src/libstrongswan/fips/Makefile
 	src/libfreeswan/Makefile
 	src/pluto/Makefile
 	src/whack/Makefile
@@ -1299,6 +1381,7 @@ AC_OUTPUT(
 	src/libfast/Makefile
 	src/manager/Makefile
 	src/medsrv/Makefile
+	src/checksum/Makefile
 	scripts/Makefile
 	testing/Makefile
 )
diff --git a/scripts/Makefile.in b/scripts/Makefile.in
index 9cd2baa88..63f0242fe 100644
--- a/scripts/Makefile.in
+++ b/scripts/Makefile.in
@@ -96,12 +96,14 @@ ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
@@ -166,6 +168,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
 VERSION = @VERSION@
 YACC = @YACC@
@@ -206,7 +209,9 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
diff --git a/src/Makefile.am b/src/Makefile.am
index 09eb13fe3..ebdaa6a63 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -44,8 +44,12 @@ if USE_MEDSRV
   SUBDIRS += medsrv
 endif
 
+if USE_INTEGRITY_TEST
+  SUBDIRS += checksum
+endif
+
 EXTRA_DIST = strongswan.conf
 
 install-exec-local :	
 		test -e "$(DESTDIR)${sysconfdir}" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)"
-		test -e "$(DESTDIR)$(sysconfdir)/strongswan.conf" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -m 640 strongswan.conf $(DESTDIR)$(sysconfdir)/strongswan.conf || true
+		test -e "$(DESTDIR)$(sysconfdir)/strongswan.conf" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -m 640 $(srcdir)/strongswan.conf $(DESTDIR)$(sysconfdir)/strongswan.conf || true
diff --git a/src/Makefile.in b/src/Makefile.in
index 26046e6a1..18da06f7b 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -42,6 +42,7 @@ host_triplet = @host@
 @USE_FAST_TRUE@am__append_9 = libfast
 @USE_MANAGER_TRUE@am__append_10 = manager
 @USE_MEDSRV_TRUE@am__append_11 = medsrv
+@USE_INTEGRITY_TEST_TRUE@am__append_12 = checksum
 subdir = src
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
@@ -65,15 +66,17 @@ ETAGS = etags
 CTAGS = ctags
 DIST_SUBDIRS = . include libstrongswan libfreeswan starter ipsec \
 	_copyright pluto whack charon stroke _updown _updown_espmark \
-	openac scepclient dumm libfast manager medsrv
+	openac scepclient dumm libfast manager medsrv checksum
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
@@ -138,6 +141,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
 VERSION = @VERSION@
 YACC = @YACC@
@@ -178,7 +182,9 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
@@ -215,7 +221,7 @@ xml_LIBS = @xml_LIBS@
 SUBDIRS = . include $(am__append_1) $(am__append_2) $(am__append_3) \
 	$(am__append_4) $(am__append_5) $(am__append_6) \
 	$(am__append_7) $(am__append_8) $(am__append_9) \
-	$(am__append_10) $(am__append_11)
+	$(am__append_10) $(am__append_11) $(am__append_12)
 EXTRA_DIST = strongswan.conf
 all: all-recursive
 
@@ -532,7 +538,7 @@ uninstall-am:
 
 install-exec-local :	
 		test -e "$(DESTDIR)${sysconfdir}" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)"
-		test -e "$(DESTDIR)$(sysconfdir)/strongswan.conf" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -m 640 strongswan.conf $(DESTDIR)$(sysconfdir)/strongswan.conf || true
+		test -e "$(DESTDIR)$(sysconfdir)/strongswan.conf" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -m 640 $(srcdir)/strongswan.conf $(DESTDIR)$(sysconfdir)/strongswan.conf || true
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/src/_copyright/Makefile.in b/src/_copyright/Makefile.in
index 9f178fdfa..fabc84a29 100644
--- a/src/_copyright/Makefile.in
+++ b/src/_copyright/Makefile.in
@@ -71,12 +71,14 @@ ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
@@ -141,6 +143,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
 VERSION = @VERSION@
 YACC = @YACC@
@@ -181,7 +184,9 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
diff --git a/src/_updown/Makefile.in b/src/_updown/Makefile.in
index 3db887ef0..60755da69 100644
--- a/src/_updown/Makefile.in
+++ b/src/_updown/Makefile.in
@@ -51,12 +51,14 @@ NROFF = nroff
 MANS = $(dist_man8_MANS)
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
@@ -121,6 +123,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
 VERSION = @VERSION@
 YACC = @YACC@
@@ -161,7 +164,9 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
diff --git a/src/_updown_espmark/Makefile.in b/src/_updown_espmark/Makefile.in
index 2852b7e67..55d3c6b4d 100644
--- a/src/_updown_espmark/Makefile.in
+++ b/src/_updown_espmark/Makefile.in
@@ -51,12 +51,14 @@ NROFF = nroff
 MANS = $(dist_man8_MANS)
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
@@ -121,6 +123,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
 VERSION = @VERSION@
 YACC = @YACC@
@@ -161,7 +164,9 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
diff --git a/src/charon/Makefile.am b/src/charon/Makefile.am
index 3b5b9c068..dd51555c0 100644
--- a/src/charon/Makefile.am
+++ b/src/charon/Makefile.am
@@ -2,6 +2,7 @@ ipsec_PROGRAMS = charon
 
 charon_SOURCES = \
 bus/bus.c bus/bus.h \
+bus/listeners/listener.h \
 bus/listeners/file_logger.c bus/listeners/file_logger.h \
 bus/listeners/sys_logger.c bus/listeners/sys_logger.h \
 config/backend_manager.c config/backend_manager.h config/backend.h \
@@ -107,7 +108,7 @@ AM_CFLAGS = -rdynamic \
   -DIPSEC_PIDDIR=\"${piddir}\" \
   -DIPSEC_PLUGINDIR=\"${plugindir}\" \
   -DSTRONGSWAN_CONF=\"${strongswan_conf}\"
-charon_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -lpthread -lm $(DLLIB)
+charon_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -lpthread -lm $(DLLIB) $(SOCKLIB)
 
 # compile options
 #################
@@ -128,10 +129,6 @@ if USE_ME
     sa/tasks/ike_me.c sa/tasks/ike_me.h
 endif
 
-if USE_INTEGRITY_TEST
-  AM_CFLAGS += -DINTEGRITY_TEST
-endif
-
 if USE_CAPABILITIES
   charon_LDADD += -lcap
 endif
diff --git a/src/charon/Makefile.in b/src/charon/Makefile.in
index 77884d50e..59c0228f8 100644
--- a/src/charon/Makefile.in
+++ b/src/charon/Makefile.in
@@ -47,56 +47,55 @@ ipsec_PROGRAMS = charon$(EXEEXT)
 @USE_ME_TRUE@    sa/mediation_manager.c sa/mediation_manager.h \
 @USE_ME_TRUE@    sa/tasks/ike_me.c sa/tasks/ike_me.h
 
-@USE_INTEGRITY_TEST_TRUE@am__append_4 = -DINTEGRITY_TEST
-@USE_CAPABILITIES_TRUE@am__append_5 = -lcap
-@USE_LOAD_TESTS_TRUE@am__append_6 = plugins/load_tester
-@USE_LOAD_TESTS_TRUE@am__append_7 = load-tester
-@USE_KERNEL_PFKEY_TRUE@am__append_8 = plugins/kernel_pfkey
-@USE_KERNEL_PFKEY_TRUE@am__append_9 = kernel-pfkey
-@USE_KERNEL_PFROUTE_TRUE@am__append_10 = plugins/kernel_pfroute
-@USE_KERNEL_PFROUTE_TRUE@am__append_11 = kernel-pfroute
-@USE_KERNEL_KLIPS_TRUE@am__append_12 = plugins/kernel_klips
-@USE_KERNEL_KLIPS_TRUE@am__append_13 = kernel-klips
-@USE_KERNEL_NETLINK_TRUE@am__append_14 = plugins/kernel_netlink
-@USE_KERNEL_NETLINK_TRUE@am__append_15 = kernel-netlink
-@USE_STROKE_TRUE@am__append_16 = plugins/stroke
-@USE_STROKE_TRUE@am__append_17 = stroke
-@USE_SMP_TRUE@am__append_18 = plugins/smp
-@USE_SMP_TRUE@am__append_19 = smp
-@USE_SQL_TRUE@am__append_20 = plugins/sql
-@USE_SQL_TRUE@am__append_21 = sql
-@USE_UPDOWN_TRUE@am__append_22 = plugins/updown
-@USE_UPDOWN_TRUE@am__append_23 = updown
-@USE_ATTR_TRUE@am__append_24 = plugins/attr
-@USE_ATTR_TRUE@am__append_25 = attr
-@USE_EAP_IDENTITY_TRUE@am__append_26 = plugins/eap_identity
-@USE_EAP_IDENTITY_TRUE@am__append_27 = eapidentity
-@USE_EAP_SIM_TRUE@am__append_28 = plugins/eap_sim
-@USE_EAP_SIM_TRUE@am__append_29 = eapsim
-@USE_EAP_SIM_FILE_TRUE@am__append_30 = plugins/eap_sim_file
-@USE_EAP_SIM_FILE_TRUE@am__append_31 = eapsim-file
-@USE_EAP_MD5_TRUE@am__append_32 = plugins/eap_md5
-@USE_EAP_MD5_TRUE@am__append_33 = eapmd5
-@USE_EAP_GTC_TRUE@am__append_34 = plugins/eap_gtc
-@USE_EAP_GTC_TRUE@am__append_35 = eapgtc
-@USE_EAP_AKA_TRUE@am__append_36 = plugins/eap_aka
-@USE_EAP_AKA_TRUE@am__append_37 = eapaka
-@USE_EAP_MSCHAPV2_TRUE@am__append_38 = plugins/eap_mschapv2
-@USE_EAP_MSCHAPV2_TRUE@am__append_39 = eapmschapv2
-@USE_EAP_RADIUS_TRUE@am__append_40 = plugins/eap_radius
-@USE_EAP_RADIUS_TRUE@am__append_41 = eapradius
-@USE_MEDSRV_TRUE@am__append_42 = plugins/medsrv
-@USE_MEDSRV_TRUE@am__append_43 = medsrv
-@USE_MEDCLI_TRUE@am__append_44 = plugins/medcli
-@USE_MEDCLI_TRUE@am__append_45 = medcli
-@USE_NM_TRUE@am__append_46 = plugins/nm
-@USE_NM_TRUE@am__append_47 = nm
-@USE_RESOLV_CONF_TRUE@am__append_48 = plugins/resolv_conf
-@USE_RESOLV_CONF_TRUE@am__append_49 = resolv-conf
-@USE_UCI_TRUE@am__append_50 = plugins/uci
-@USE_UCI_TRUE@am__append_51 = uci
-@USE_UNIT_TESTS_TRUE@am__append_52 = plugins/unit_tester
-@USE_UNIT_TESTS_TRUE@am__append_53 = unit-tester
+@USE_CAPABILITIES_TRUE@am__append_4 = -lcap
+@USE_LOAD_TESTS_TRUE@am__append_5 = plugins/load_tester
+@USE_LOAD_TESTS_TRUE@am__append_6 = load-tester
+@USE_KERNEL_PFKEY_TRUE@am__append_7 = plugins/kernel_pfkey
+@USE_KERNEL_PFKEY_TRUE@am__append_8 = kernel-pfkey
+@USE_KERNEL_PFROUTE_TRUE@am__append_9 = plugins/kernel_pfroute
+@USE_KERNEL_PFROUTE_TRUE@am__append_10 = kernel-pfroute
+@USE_KERNEL_KLIPS_TRUE@am__append_11 = plugins/kernel_klips
+@USE_KERNEL_KLIPS_TRUE@am__append_12 = kernel-klips
+@USE_KERNEL_NETLINK_TRUE@am__append_13 = plugins/kernel_netlink
+@USE_KERNEL_NETLINK_TRUE@am__append_14 = kernel-netlink
+@USE_STROKE_TRUE@am__append_15 = plugins/stroke
+@USE_STROKE_TRUE@am__append_16 = stroke
+@USE_SMP_TRUE@am__append_17 = plugins/smp
+@USE_SMP_TRUE@am__append_18 = smp
+@USE_SQL_TRUE@am__append_19 = plugins/sql
+@USE_SQL_TRUE@am__append_20 = sql
+@USE_UPDOWN_TRUE@am__append_21 = plugins/updown
+@USE_UPDOWN_TRUE@am__append_22 = updown
+@USE_ATTR_TRUE@am__append_23 = plugins/attr
+@USE_ATTR_TRUE@am__append_24 = attr
+@USE_EAP_IDENTITY_TRUE@am__append_25 = plugins/eap_identity
+@USE_EAP_IDENTITY_TRUE@am__append_26 = eapidentity
+@USE_EAP_SIM_TRUE@am__append_27 = plugins/eap_sim
+@USE_EAP_SIM_TRUE@am__append_28 = eapsim
+@USE_EAP_SIM_FILE_TRUE@am__append_29 = plugins/eap_sim_file
+@USE_EAP_SIM_FILE_TRUE@am__append_30 = eapsim-file
+@USE_EAP_MD5_TRUE@am__append_31 = plugins/eap_md5
+@USE_EAP_MD5_TRUE@am__append_32 = eapmd5
+@USE_EAP_GTC_TRUE@am__append_33 = plugins/eap_gtc
+@USE_EAP_GTC_TRUE@am__append_34 = eapgtc
+@USE_EAP_AKA_TRUE@am__append_35 = plugins/eap_aka
+@USE_EAP_AKA_TRUE@am__append_36 = eapaka
+@USE_EAP_MSCHAPV2_TRUE@am__append_37 = plugins/eap_mschapv2
+@USE_EAP_MSCHAPV2_TRUE@am__append_38 = eapmschapv2
+@USE_EAP_RADIUS_TRUE@am__append_39 = plugins/eap_radius
+@USE_EAP_RADIUS_TRUE@am__append_40 = eapradius
+@USE_MEDSRV_TRUE@am__append_41 = plugins/medsrv
+@USE_MEDSRV_TRUE@am__append_42 = medsrv
+@USE_MEDCLI_TRUE@am__append_43 = plugins/medcli
+@USE_MEDCLI_TRUE@am__append_44 = medcli
+@USE_NM_TRUE@am__append_45 = plugins/nm
+@USE_NM_TRUE@am__append_46 = nm
+@USE_RESOLV_CONF_TRUE@am__append_47 = plugins/resolv_conf
+@USE_RESOLV_CONF_TRUE@am__append_48 = resolv-conf
+@USE_UCI_TRUE@am__append_49 = plugins/uci
+@USE_UCI_TRUE@am__append_50 = uci
+@USE_UNIT_TESTS_TRUE@am__append_51 = plugins/unit_tester
+@USE_UNIT_TESTS_TRUE@am__append_52 = unit-tester
 subdir = src/charon
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
@@ -108,7 +107,7 @@ CONFIG_CLEAN_FILES =
 am__installdirs = "$(DESTDIR)$(ipsecdir)"
 ipsecPROGRAMS_INSTALL = $(INSTALL_PROGRAM)
 PROGRAMS = $(ipsec_PROGRAMS)
-am__charon_SOURCES_DIST = bus/bus.c bus/bus.h \
+am__charon_SOURCES_DIST = bus/bus.c bus/bus.h bus/listeners/listener.h \
 	bus/listeners/file_logger.c bus/listeners/file_logger.h \
 	bus/listeners/sys_logger.c bus/listeners/sys_logger.h \
 	config/backend_manager.c config/backend_manager.h \
@@ -289,7 +288,8 @@ charon_OBJECTS = $(am_charon_OBJECTS)
 am__DEPENDENCIES_1 =
 charon_DEPENDENCIES =  \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
-	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1)
+	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
+	$(am__DEPENDENCIES_1)
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
@@ -325,12 +325,14 @@ DIST_SUBDIRS = . plugins/load_tester plugins/kernel_pfkey \
 	plugins/resolv_conf plugins/uci plugins/unit_tester
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
@@ -395,6 +397,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
 VERSION = @VERSION@
 YACC = @YACC@
@@ -435,7 +438,9 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
@@ -469,14 +474,15 @@ top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-charon_SOURCES = bus/bus.c bus/bus.h bus/listeners/file_logger.c \
-	bus/listeners/file_logger.h bus/listeners/sys_logger.c \
-	bus/listeners/sys_logger.h config/backend_manager.c \
-	config/backend_manager.h config/backend.h config/child_cfg.c \
-	config/child_cfg.h config/ike_cfg.c config/ike_cfg.h \
-	config/peer_cfg.c config/peer_cfg.h config/proposal.c \
-	config/proposal.h config/auth_cfg.c config/auth_cfg.h \
-	config/traffic_selector.c config/traffic_selector.h \
+charon_SOURCES = bus/bus.c bus/bus.h bus/listeners/listener.h \
+	bus/listeners/file_logger.c bus/listeners/file_logger.h \
+	bus/listeners/sys_logger.c bus/listeners/sys_logger.h \
+	config/backend_manager.c config/backend_manager.h \
+	config/backend.h config/child_cfg.c config/child_cfg.h \
+	config/ike_cfg.c config/ike_cfg.h config/peer_cfg.c \
+	config/peer_cfg.h config/proposal.c config/proposal.h \
+	config/auth_cfg.c config/auth_cfg.h config/traffic_selector.c \
+	config/traffic_selector.h \
 	config/attributes/attribute_provider.h \
 	config/attributes/attribute_handler.h \
 	config/attributes/attribute_manager.c \
@@ -593,30 +599,30 @@ INCLUDES = -I${linuxdir} -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/c
 AM_CFLAGS = -rdynamic -DIPSEC_DIR=\"${ipsecdir}\" \
 	-DIPSEC_PIDDIR=\"${piddir}\" \
 	-DIPSEC_PLUGINDIR=\"${plugindir}\" \
-	-DSTRONGSWAN_CONF=\"${strongswan_conf}\" $(am__append_4) \
+	-DSTRONGSWAN_CONF=\"${strongswan_conf}\" \
 	-DPLUGINS=\""${PLUGINS}\""
 charon_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la \
-	-lpthread -lm $(DLLIB) $(am__append_5)
+	-lpthread -lm $(DLLIB) $(SOCKLIB) $(am__append_4)
 
 # build optional plugins
 ########################
-SUBDIRS = . $(am__append_6) $(am__append_8) $(am__append_10) \
-	$(am__append_12) $(am__append_14) $(am__append_16) \
-	$(am__append_18) $(am__append_20) $(am__append_22) \
-	$(am__append_24) $(am__append_26) $(am__append_28) \
-	$(am__append_30) $(am__append_32) $(am__append_34) \
-	$(am__append_36) $(am__append_38) $(am__append_40) \
-	$(am__append_42) $(am__append_44) $(am__append_46) \
-	$(am__append_48) $(am__append_50) $(am__append_52)
-PLUGINS = ${libstrongswan_plugins} $(am__append_7) $(am__append_9) \
+SUBDIRS = . $(am__append_5) $(am__append_7) $(am__append_9) \
 	$(am__append_11) $(am__append_13) $(am__append_15) \
 	$(am__append_17) $(am__append_19) $(am__append_21) \
 	$(am__append_23) $(am__append_25) $(am__append_27) \
 	$(am__append_29) $(am__append_31) $(am__append_33) \
 	$(am__append_35) $(am__append_37) $(am__append_39) \
 	$(am__append_41) $(am__append_43) $(am__append_45) \
-	$(am__append_47) $(am__append_49) $(am__append_51) \
-	$(am__append_53)
+	$(am__append_47) $(am__append_49) $(am__append_51)
+PLUGINS = ${libstrongswan_plugins} $(am__append_6) $(am__append_8) \
+	$(am__append_10) $(am__append_12) $(am__append_14) \
+	$(am__append_16) $(am__append_18) $(am__append_20) \
+	$(am__append_22) $(am__append_24) $(am__append_26) \
+	$(am__append_28) $(am__append_30) $(am__append_32) \
+	$(am__append_34) $(am__append_36) $(am__append_38) \
+	$(am__append_40) $(am__append_42) $(am__append_44) \
+	$(am__append_46) $(am__append_48) $(am__append_50) \
+	$(am__append_52)
 all: all-recursive
 
 .SUFFIXES:
diff --git a/src/charon/bus/bus.c b/src/charon/bus/bus.c
index bb7014b0b..2671f848e 100644
--- a/src/charon/bus/bus.c
+++ b/src/charon/bus/bus.c
@@ -117,7 +117,7 @@ static entry_t *entry_create(listener_t *listener, bool blocker)
 	this->listener = listener;
 	this->blocker = blocker;
 	this->calling = 0;
-	this->condvar = condvar_create(CONDVAR_DEFAULT);
+	this->condvar = condvar_create(CONDVAR_TYPE_DEFAULT);
 	
 	return this;
 }
@@ -350,6 +350,41 @@ static void unregister_listener(private_bus_t *this, entry_t *entry,
 	this->listeners->remove_at(this->listeners, enumerator);
 }
 
+/**
+ * Implementation of bus_t.alert
+ */
+static void alert(private_bus_t *this, alert_t alert, ...)
+{
+	enumerator_t *enumerator;
+	ike_sa_t *ike_sa;
+	entry_t *entry;
+	va_list args;
+	bool keep;
+	
+	ike_sa = pthread_getspecific(this->thread_sa);
+	
+	this->mutex->lock(this->mutex);
+	enumerator = this->listeners->create_enumerator(this->listeners);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (entry->calling || !entry->listener->alert)
+		{
+			continue;
+		}
+		entry->calling++;
+		va_start(args, alert);
+		keep = entry->listener->alert(entry->listener, ike_sa, alert, args);
+		va_end(args);
+		entry->calling--;
+		if (!keep)
+		{
+			unregister_listener(this, entry, enumerator);
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->mutex->unlock(this->mutex);
+}
+
 /**
  * Implementation of bus_t.ike_state_change
  */
@@ -374,7 +409,6 @@ static void ike_state_change(private_bus_t *this, ike_sa_t *ike_sa,
 		if (!keep)
 		{
 			unregister_listener(this, entry, enumerator);
-			break;
 		}
 	}
 	enumerator->destroy(enumerator);
@@ -409,7 +443,6 @@ static void child_state_change(private_bus_t *this, child_sa_t *child_sa,
 		if (!keep)
 		{
 			unregister_listener(this, entry, enumerator);
-			break;
 		}
 	}
 	enumerator->destroy(enumerator);
@@ -443,7 +476,6 @@ static void message(private_bus_t *this, message_t *message, bool incoming)
 		if (!keep)
 		{
 			unregister_listener(this, entry, enumerator);
-			break;
 		}
 	}
 	enumerator->destroy(enumerator);
@@ -476,7 +508,6 @@ static void ike_keys(private_bus_t *this, ike_sa_t *ike_sa,
 		if (!keep)
 		{
 			unregister_listener(this, entry, enumerator);
-			break;
 		}
 	}
 	enumerator->destroy(enumerator);
@@ -511,7 +542,143 @@ static void child_keys(private_bus_t *this, child_sa_t *child_sa,
 		if (!keep)
 		{
 			unregister_listener(this, entry, enumerator);
-			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->mutex->unlock(this->mutex);
+}
+
+/**
+ * Implementation of bus_t.child_updown
+ */
+static void child_updown(private_bus_t *this, child_sa_t *child_sa, bool up)
+{
+	enumerator_t *enumerator;
+	ike_sa_t *ike_sa;
+	entry_t *entry;
+	bool keep;
+	
+	ike_sa = pthread_getspecific(this->thread_sa);
+	
+	this->mutex->lock(this->mutex);
+	enumerator = this->listeners->create_enumerator(this->listeners);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (entry->calling || !entry->listener->child_updown)
+		{
+			continue;
+		}
+		entry->calling++;
+		keep = entry->listener->child_updown(entry->listener,
+											 ike_sa, child_sa, up);
+		entry->calling--;
+		if (!keep)
+		{
+			unregister_listener(this, entry, enumerator);
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->mutex->unlock(this->mutex);
+}
+
+/**
+ * Implementation of bus_t.child_rekey
+ */
+static void child_rekey(private_bus_t *this, child_sa_t *old, child_sa_t *new)
+{
+	enumerator_t *enumerator;
+	ike_sa_t *ike_sa;
+	entry_t *entry;
+	bool keep;
+	
+	ike_sa = pthread_getspecific(this->thread_sa);
+	
+	this->mutex->lock(this->mutex);
+	enumerator = this->listeners->create_enumerator(this->listeners);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (entry->calling || !entry->listener->child_rekey)
+		{
+			continue;
+		}
+		entry->calling++;
+		keep = entry->listener->child_rekey(entry->listener, ike_sa, old, new);
+		entry->calling--;
+		if (!keep)
+		{
+			unregister_listener(this, entry, enumerator);
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->mutex->unlock(this->mutex);
+}
+
+/**
+ * Implementation of bus_t.ike_updown
+ */
+static void ike_updown(private_bus_t *this, ike_sa_t *ike_sa, bool up)
+{
+	enumerator_t *enumerator;
+	entry_t *entry;
+	bool keep;
+	
+	this->mutex->lock(this->mutex);
+	enumerator = this->listeners->create_enumerator(this->listeners);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (entry->calling || !entry->listener->ike_updown)
+		{
+			continue;
+		}
+		entry->calling++;
+		keep = entry->listener->ike_updown(entry->listener, ike_sa, up);
+		entry->calling--;
+		if (!keep)
+		{
+			unregister_listener(this, entry, enumerator);
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->mutex->unlock(this->mutex);
+	
+	/* a down event for IKE_SA implicitly downs all CHILD_SAs */
+	if (!up)
+	{
+		iterator_t *iterator;
+		child_sa_t *child_sa;
+		
+		iterator = ike_sa->create_child_sa_iterator(ike_sa);
+		while (iterator->iterate(iterator, (void**)&child_sa))
+		{
+			child_updown(this, child_sa, FALSE);
+		}
+		iterator->destroy(iterator);
+	}
+}
+
+/**
+ * Implementation of bus_t.ike_rekey
+ */
+static void ike_rekey(private_bus_t *this, ike_sa_t *old, ike_sa_t *new)
+{
+	enumerator_t *enumerator;
+	entry_t *entry;
+	bool keep;
+	
+	this->mutex->lock(this->mutex);
+	enumerator = this->listeners->create_enumerator(this->listeners);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (entry->calling || !entry->listener->ike_rekey)
+		{
+			continue;
+		}
+		entry->calling++;
+		keep = entry->listener->ike_rekey(entry->listener, old, new);
+		entry->calling--;
+		if (!keep)
+		{
+			unregister_listener(this, entry, enumerator);
 		}
 	}
 	enumerator->destroy(enumerator);
@@ -545,7 +712,6 @@ static bool authorize(private_bus_t *this, linked_list_t *auth, bool final)
 		if (!keep)
 		{
 			unregister_listener(this, entry, enumerator);
-			break;
 		}
 		if (!success)
 		{
@@ -580,16 +746,21 @@ bus_t *bus_create()
 	this->public.set_sa = (void(*)(bus_t*,ike_sa_t*))set_sa;
 	this->public.log = (void(*)(bus_t*,debug_t,level_t,char*,...))log_;
 	this->public.vlog = (void(*)(bus_t*,debug_t,level_t,char*,va_list))vlog;
+	this->public.alert = (void(*)(bus_t*, alert_t alert, ...))alert;
 	this->public.ike_state_change = (void(*)(bus_t*,ike_sa_t*,ike_sa_state_t))ike_state_change;
 	this->public.child_state_change = (void(*)(bus_t*,child_sa_t*,child_sa_state_t))child_state_change;
 	this->public.message = (void(*)(bus_t*, message_t *message, bool incoming))message;
 	this->public.ike_keys = (void(*)(bus_t*, ike_sa_t *ike_sa, diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r, ike_sa_t *rekey))ike_keys;
 	this->public.child_keys = (void(*)(bus_t*, child_sa_t *child_sa, diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r))child_keys;
+	this->public.ike_updown = (void(*)(bus_t*, ike_sa_t *ike_sa, bool up))ike_updown;
+	this->public.ike_rekey = (void(*)(bus_t*, ike_sa_t *old, ike_sa_t *new))ike_rekey;
+	this->public.child_updown = (void(*)(bus_t*, child_sa_t *child_sa, bool up))child_updown;
+	this->public.child_rekey = (void(*)(bus_t*, child_sa_t *old, child_sa_t *new))child_rekey;
 	this->public.authorize = (bool(*)(bus_t*, linked_list_t *auth, bool final))authorize;
 	this->public.destroy = (void(*)(bus_t*)) destroy;
 	
 	this->listeners = linked_list_create();
-	this->mutex = mutex_create(MUTEX_RECURSIVE);
+	this->mutex = mutex_create(MUTEX_TYPE_RECURSIVE);
 	pthread_key_create(&this->thread_id, NULL);
 	pthread_key_create(&this->thread_sa, NULL);
 	
diff --git a/src/charon/bus/bus.h b/src/charon/bus/bus.h
index 5faea088f..9c90db6f9 100644
--- a/src/charon/bus/bus.h
+++ b/src/charon/bus/bus.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006 Martin Willi
+ * Copyright (C) 2006-2009 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -23,7 +23,7 @@
 
 typedef enum debug_t debug_t;
 typedef enum level_t level_t;
-typedef struct listener_t listener_t;
+typedef enum alert_t alert_t;
 typedef struct bus_t bus_t;
 
 #include <stdarg.h>
@@ -31,6 +31,7 @@ typedef struct bus_t bus_t;
 #include <sa/ike_sa.h>
 #include <sa/child_sa.h>
 #include <processing/jobs/job.h>
+#include <bus/listeners/listener.h>
 
 /**
  * Debug message group.
@@ -126,105 +127,12 @@ enum level_t {
 # define DBG4(...) {}
 #endif /* DBG4 */
 
-
 /**
- * Listener interface, listens to events if registered to the bus.
+ * Kind of alerts to raise.
  */
-struct listener_t {
-	
-	/**
-	 * Log a debugging message.
-	 *
-	 * The implementing signal function returns TRUE to stay registered
-	 * to the bus, or FALSE to unregister itself.
-	 * Calling bus_t.log() inside of a registered listener is possible,
-	 * but the bus does not invoke listeners recursively.
-	 *
-	 * @param singal	kind of the signal (up, down, rekeyed, ...)
-	 * @param level		verbosity level of the signal
-	 * @param thread	ID of the thread raised this signal
-	 * @param ike_sa	IKE_SA associated to the event
-	 * @param format	printf() style format string
-	 * @param args		vprintf() style va_list argument list
-	 " @return			TRUE to stay registered, FALSE to unregister
-	 */
-	bool (*log) (listener_t *this, debug_t group, level_t level, int thread,
-				 ike_sa_t *ike_sa, char* format, va_list args);
-	
-	/**
-	 * Handle state changes in an IKE_SA.
-	 *
-	 * @param ike_sa	IKE_SA which changes its state
-	 * @param state		new IKE_SA state this IKE_SA changes to
-	 * @return			TRUE to stay registered, FALSE to unregister
-	 */
-	bool (*ike_state_change)(listener_t *this, ike_sa_t *ike_sa,
-							 ike_sa_state_t state);
-	
-	/**
-	 * Handle state changes in a CHILD_SA.
-	 *
-	 * @param ike_sa	IKE_SA containing the affected CHILD_SA
-	 * @param child_sa	CHILD_SA which changes its state
-	 * @param state		new CHILD_SA state this CHILD_SA changes to
-	 * @return			TRUE to stay registered, FALSE to unregister
-	 */
-	bool (*child_state_change)(listener_t *this, ike_sa_t *ike_sa,
-							   child_sa_t *child_sa, child_sa_state_t state);
-	
-	/**
-	 * Hook called for received/sent messages of an IKE_SA.
-	 *
-	 * @param ike_sa	IKE_SA sending/receving a message
-	 * @param message	message object
-	 * @param incoming	TRUE for incoming messages, FALSE for outgoing
-	 * @return			TRUE to stay registered, FALSE to unregister
-	 */
-	bool (*message)(listener_t *this, ike_sa_t *ike_sa, message_t *message,
-					bool incoming);
-	
-	/**
-	 * Hook called with IKE_SA key material.
-	 *
-	 * @param ike_sa	IKE_SA this keymat belongs to
-	 * @param dh		diffie hellman shared secret
-	 * @param nonce_i	initiators nonce
-	 * @param nonce_r	responders nonce
-	 * @param rekey		IKE_SA we are rekeying, if any
-	 * @return			TRUE to stay registered, FALSE to unregister
-	 */
-	bool (*ike_keys)(listener_t *this, ike_sa_t *ike_sa, diffie_hellman_t *dh,
-					 chunk_t nonce_i, chunk_t nonce_r, ike_sa_t *rekey);
-	
-	/**
-	 * Hook called with CHILD_SA key material.
-	 *
-	 * @param ike_sa	IKE_SA the child sa belongs to
-	 * @param child_sa	CHILD_SA this keymat is used for
-	 * @param dh		diffie hellman shared secret
-	 * @param nonce_i	initiators nonce
-	 * @param nonce_r	responders nonce
-	 * @return			TRUE to stay registered, FALSE to unregister
-	 */
-	bool (*child_keys)(listener_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa,
-					   diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r);
-	
-	/**
-	 * Hook called to invoke additional authorization rules.
-	 *
-	 * An authorization hook gets invoked several times: After each
-	 * authentication round, the hook gets invoked with with final = FALSE.
-	 * After authentication is complete and the peer configuration is selected,
-	 * it is invoked again, but with final = TRUE.
-	 *
-	 * @param ike_sa	IKE_SA to authorize
-	 * @param auth		list of auth_cfg_t, done in peers authentication rounds
-	 * @param final		TRUE if this is the final hook invocation
-	 * @param success	set to TRUE to complete IKE_SA, FALSE abort
-	 * @return			TRUE to stay registered, FALSE to unregister
-	 */
-	bool (*authorize)(listener_t *this, ike_sa_t *ike_sa, linked_list_t *auth,
-					  bool final, bool *success);
+enum alert_t {
+	/* a RADIUS server did not respond, no additional arguments */
+	ALERT_RADIUS_NOT_RESPONDING,
 };
 
 /**
@@ -307,6 +215,15 @@ struct bus_t {
 	 */
 	void (*vlog)(bus_t *this, debug_t group, level_t level,
 				 char* format, va_list args);
+	
+	/**
+	 * Raise an alert over the bus.
+	 *
+	 * @param alert		kind of alert
+	 * @param ...		alert specific attributes
+	 */
+	void (*alert)(bus_t *this, alert_t alert, ...);
+	
 	/**
 	 * Send a IKE_SA state change event to the bus.
 	 *
@@ -361,6 +278,39 @@ struct bus_t {
 	 */
 	void (*child_keys)(bus_t *this, child_sa_t *child_sa, diffie_hellman_t *dh,
 					   chunk_t nonce_i, chunk_t nonce_r);
+	
+	/**
+	 * IKE_SA up/down hook.
+	 *
+	 * @param ike_sa	IKE_SA coming up/going down
+	 * @param up		TRUE for an up event, FALSE for a down event
+	 */
+	void (*ike_updown)(bus_t *this, ike_sa_t *ike_sa, bool up);
+	
+	/**
+	 * IKE_SA rekeying hook.
+	 *
+	 * @param old		rekeyed and obsolete IKE_SA
+	 * @param new		new IKE_SA replacing old
+	 */
+	void (*ike_rekey)(bus_t *this, ike_sa_t *old, ike_sa_t *new);
+	
+	/**
+	 * CHILD_SA up/down hook.
+	 *
+	 * @param child_sa	CHILD_SA coming up/going down
+	 * @param up		TRUE for an up event, FALSE for a down event
+	 */
+	void (*child_updown)(bus_t *this, child_sa_t *child_sa, bool up);
+	
+	/**
+	 * CHILD_SA rekeying hook.
+	 *
+	 * @param old		rekeyed and obsolete CHILD_SA
+	 * @param new		new CHILD_SA replacing old
+	 */
+	void (*child_rekey)(bus_t *this, child_sa_t *old, child_sa_t *new);
+	
 	/**
 	 * Destroy the event bus.
 	 */
diff --git a/src/charon/bus/listeners/file_logger.h b/src/charon/bus/listeners/file_logger.h
index 7282224a5..a69374f23 100644
--- a/src/charon/bus/listeners/file_logger.h
+++ b/src/charon/bus/listeners/file_logger.h
@@ -21,9 +21,9 @@
 #ifndef FILE_LOGGER_H_
 #define FILE_LOGGER_H_
 
-typedef struct file_logger_t file_logger_t;
+#include <bus/listeners/listener.h>
 
-#include <bus/bus.h>
+typedef struct file_logger_t file_logger_t;
 
 /**
  * Logger to files which implements listener_t.
diff --git a/src/charon/bus/listeners/listener.h b/src/charon/bus/listeners/listener.h
new file mode 100644
index 000000000..578f08ebe
--- /dev/null
+++ b/src/charon/bus/listeners/listener.h
@@ -0,0 +1,179 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup listener listener
+ * @{ @ingroup listeners
+ */
+
+#ifndef LISTENER_H_
+#define LISTENER_H_
+
+typedef struct listener_t listener_t;
+
+#include <bus/bus.h>
+
+/**
+ * Listener interface, listens to events if registered to the bus.
+ */
+struct listener_t {
+	
+	/**
+	 * Log a debugging message.
+	 *
+	 * The implementing signal function returns TRUE to stay registered
+	 * to the bus, or FALSE to unregister itself.
+	 * Calling bus_t.log() inside of a registered listener is possible,
+	 * but the bus does not invoke listeners recursively.
+	 *
+	 * @param group		kind of the signal (up, down, rekeyed, ...)
+	 * @param level		verbosity level of the signal
+	 * @param thread	ID of the thread raised this signal
+	 * @param ike_sa	IKE_SA associated to the event
+	 * @param format	printf() style format string
+	 * @param args		vprintf() style va_list argument list
+	 " @return			TRUE to stay registered, FALSE to unregister
+	 */
+	bool (*log)(listener_t *this, debug_t group, level_t level, int thread,
+				ike_sa_t *ike_sa, char* format, va_list args);
+	
+	/**
+	 * Hook called if a critical alert is risen.
+	 *
+	 * @param ike_sa	IKE_SA associated to the alert, if any
+	 * @param alert		kind of alert
+	 * @param ...		alert specific argument list
+	 " @return			TRUE to stay registered, FALSE to unregister
+	 */
+	bool (*alert)(listener_t *this, ike_sa_t *ike_sa,
+				  alert_t alert, va_list args);
+	
+	/**
+	 * Handle state changes in an IKE_SA.
+	 *
+	 * @param ike_sa	IKE_SA which changes its state
+	 * @param state		new IKE_SA state this IKE_SA changes to
+	 * @return			TRUE to stay registered, FALSE to unregister
+	 */
+	bool (*ike_state_change)(listener_t *this, ike_sa_t *ike_sa,
+							 ike_sa_state_t state);
+	
+	/**
+	 * Handle state changes in a CHILD_SA.
+	 *
+	 * @param ike_sa	IKE_SA containing the affected CHILD_SA
+	 * @param child_sa	CHILD_SA which changes its state
+	 * @param state		new CHILD_SA state this CHILD_SA changes to
+	 * @return			TRUE to stay registered, FALSE to unregister
+	 */
+	bool (*child_state_change)(listener_t *this, ike_sa_t *ike_sa,
+							   child_sa_t *child_sa, child_sa_state_t state);
+	
+	/**
+	 * Hook called for received/sent messages of an IKE_SA.
+	 *
+	 * @param ike_sa	IKE_SA sending/receving a message
+	 * @param message	message object
+	 * @param incoming	TRUE for incoming messages, FALSE for outgoing
+	 * @return			TRUE to stay registered, FALSE to unregister
+	 */
+	bool (*message)(listener_t *this, ike_sa_t *ike_sa, message_t *message,
+					bool incoming);
+	
+	/**
+	 * Hook called with IKE_SA key material.
+	 *
+	 * @param ike_sa	IKE_SA this keymat belongs to
+	 * @param dh		diffie hellman shared secret
+	 * @param nonce_i	initiators nonce
+	 * @param nonce_r	responders nonce
+	 * @param rekey		IKE_SA we are rekeying, if any
+	 * @return			TRUE to stay registered, FALSE to unregister
+	 */
+	bool (*ike_keys)(listener_t *this, ike_sa_t *ike_sa, diffie_hellman_t *dh,
+					 chunk_t nonce_i, chunk_t nonce_r, ike_sa_t *rekey);
+	
+	/**
+	 * Hook called with CHILD_SA key material.
+	 *
+	 * @param ike_sa	IKE_SA the child sa belongs to
+	 * @param child_sa	CHILD_SA this keymat is used for
+	 * @param dh		diffie hellman shared secret
+	 * @param nonce_i	initiators nonce
+	 * @param nonce_r	responders nonce
+	 * @return			TRUE to stay registered, FALSE to unregister
+	 */
+	bool (*child_keys)(listener_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa,
+					   diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r);
+	
+	/**
+	 * Hook called if an IKE_SA gets up or down.
+	 *
+	 * @param ike_sa	IKE_SA coming up/going down
+	 * @param up		TRUE for an up event, FALSE for a down event
+	 * @return			TRUE to stay registered, FALSE to unregister
+	 */
+	bool (*ike_updown)(listener_t *this, ike_sa_t *ike_sa, bool up);
+	
+	/**
+	 * Hook called when an IKE_SA gets rekeyed.
+	 *
+	 * @param old		rekeyed IKE_SA getting obsolete
+	 * @param new		new IKE_SA replacing old
+	 * @return			TRUE to stay registered, FALSE to unregister
+	 */
+	bool (*ike_rekey)(listener_t *this, ike_sa_t *old, ike_sa_t *new);
+	
+	/**
+	 * Hook called when a CHILD_SA gets up or down.
+	 *
+	 * @param ike_sa	IKE_SA containing the handled CHILD_SA
+	 * @param child_sa	CHILD_SA coming up/going down
+	 * @param up		TRUE for an up event, FALSE for a down event
+	 * @return			TRUE to stay registered, FALSE to unregister
+	 */
+	bool (*child_updown)(listener_t *this, ike_sa_t *ike_sa,
+						 child_sa_t *child_sa, bool up);
+	
+	/**
+	 * Hook called when an CHILD_SA gets rekeyed.
+	 *
+	 * @param ike_sa	IKE_SA containing the rekeyed CHILD_SA
+	 * @param old		rekeyed CHILD_SA getting obsolete
+	 * @param new		new CHILD_SA replacing old
+	 * @return			TRUE to stay registered, FALSE to unregister
+	 */
+	bool (*child_rekey)(listener_t *this, ike_sa_t *ike_sa,
+						child_sa_t *old, child_sa_t *new);
+	
+	/**
+	 * Hook called to invoke additional authorization rules.
+	 *
+	 * An authorization hook gets invoked several times: After each
+	 * authentication round, the hook gets invoked with with final = FALSE.
+	 * After authentication is complete and the peer configuration is selected,
+	 * it is invoked again, but with final = TRUE.
+	 *
+	 * @param ike_sa	IKE_SA to authorize
+	 * @param auth		list of auth_cfg_t, done in peers authentication rounds
+	 * @param final		TRUE if this is the final hook invocation
+	 * @param success	set to TRUE to complete IKE_SA, FALSE abort
+	 * @return			TRUE to stay registered, FALSE to unregister
+	 */
+	bool (*authorize)(listener_t *this, ike_sa_t *ike_sa, linked_list_t *auth,
+					  bool final, bool *success);
+};
+
+#endif /* LISTENER_ @}*/
diff --git a/src/charon/bus/listeners/sys_logger.c b/src/charon/bus/listeners/sys_logger.c
index 5bcf28f24..0b579ce92 100644
--- a/src/charon/bus/listeners/sys_logger.c
+++ b/src/charon/bus/listeners/sys_logger.c
@@ -15,7 +15,6 @@
 
 #include <stdio.h>
 #include <string.h>
-#include <pthread.h>
 
 #include "sys_logger.h"
 
diff --git a/src/charon/bus/listeners/sys_logger.h b/src/charon/bus/listeners/sys_logger.h
index 6eda096a9..3ed0f02fa 100644
--- a/src/charon/bus/listeners/sys_logger.h
+++ b/src/charon/bus/listeners/sys_logger.h
@@ -21,11 +21,11 @@
 #ifndef SYS_LOGGER_H_
 #define SYS_LOGGER_H_
 
-typedef struct sys_logger_t sys_logger_t;
-
 #include <syslog.h>
 
-#include <bus/bus.h>
+#include <bus/listeners/listener.h>
+
+typedef struct sys_logger_t sys_logger_t;
 
 /**
  * Logger for syslog which implements listener_t.
diff --git a/src/charon/config/attributes/attribute_manager.c b/src/charon/config/attributes/attribute_manager.c
index 83e431c43..bf45fdb42 100644
--- a/src/charon/config/attributes/attribute_manager.c
+++ b/src/charon/config/attributes/attribute_manager.c
@@ -260,7 +260,7 @@ attribute_manager_t *attribute_manager_create()
 	
 	this->providers = linked_list_create();
 	this->handlers = linked_list_create();
-	this->lock = rwlock_create(RWLOCK_DEFAULT);
+	this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
 	
 	return &this->public;
 }
diff --git a/src/charon/config/backend_manager.c b/src/charon/config/backend_manager.c
index 3a3a78466..cfd611858 100644
--- a/src/charon/config/backend_manager.c
+++ b/src/charon/config/backend_manager.c
@@ -438,7 +438,7 @@ backend_manager_t *backend_manager_create()
 	this->public.destroy = (void (*)(backend_manager_t*))destroy;
 	
 	this->backends = linked_list_create();
-	this->lock = rwlock_create(RWLOCK_DEFAULT);
+	this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
 	
 	return &this->public;
 }
diff --git a/src/charon/config/child_cfg.c b/src/charon/config/child_cfg.c
index 43e41671a..990ee3fd6 100644
--- a/src/charon/config/child_cfg.c
+++ b/src/charon/config/child_cfg.c
@@ -344,35 +344,6 @@ static linked_list_t* get_traffic_selectors(private_child_cfg_t *this, bool loca
 	return result;
 }
 
-/**
- * Implementation of child_cfg_t.equal_traffic_selectors.
- */
-bool equal_traffic_selectors(private_child_cfg_t *this, bool local,
-							 linked_list_t *ts_list, host_t *host)
-{
-	linked_list_t *this_list;
-	traffic_selector_t *this_ts, *ts;
-	bool result;
-
-	this_list = (local) ? this->my_ts : this->other_ts;
-
-	/* currently equality is established for single traffic selectors only */
-	if (this_list->get_count(this_list) != 1 || ts_list->get_count(ts_list) != 1)
-	{
-		return FALSE;
-	}
-
-	this_list->get_first(this_list, (void**)&this_ts);
-	this_ts = this_ts->clone(this_ts);
-	this_ts->set_address(this_ts, host);
-	ts_list->get_first(ts_list, (void**)&ts);
-
-	result = ts->equals(ts, this_ts);
-
-	this_ts->destroy(this_ts);
-	return result;
-}
-
 /**
  * Implementation of child_cfg_t.get_updown.
  */
@@ -525,7 +496,6 @@ child_cfg_t *child_cfg_create(char *name, u_int32_t lifetime,
 	this->public.get_name = (char* (*) (child_cfg_t*))get_name;
 	this->public.add_traffic_selector = (void (*)(child_cfg_t*,bool,traffic_selector_t*))add_traffic_selector;
 	this->public.get_traffic_selectors = (linked_list_t*(*)(child_cfg_t*,bool,linked_list_t*,host_t*))get_traffic_selectors;
-	this->public.equal_traffic_selectors = (bool (*)(child_cfg_t*,bool,linked_list_t*,host_t*))equal_traffic_selectors;
 	this->public.add_proposal = (void (*) (child_cfg_t*,proposal_t*))add_proposal;
 	this->public.get_proposals = (linked_list_t* (*) (child_cfg_t*,bool))get_proposals;
 	this->public.select_proposal = (proposal_t* (*) (child_cfg_t*,linked_list_t*,bool))select_proposal;
diff --git a/src/charon/config/child_cfg.h b/src/charon/config/child_cfg.h
index 185fee3da..33c75701c 100644
--- a/src/charon/config/child_cfg.h
+++ b/src/charon/config/child_cfg.h
@@ -150,18 +150,6 @@ struct child_cfg_t {
 	linked_list_t *(*get_traffic_selectors)(child_cfg_t *this, bool local,
 											linked_list_t *supplied,
 											host_t *host);
-
-	/**
-	 * Checks [single] traffic selectors for equality 
-	 *
-	 * @param local			TRUE for TS on local side, FALSE for remote
-	 * @param ts			list with single traffic selector to compare with
-	 * @param host			address to use for narrowing "dynamic" TS', or NULL
-	 * @return				TRUE if TS are equal, FALSE otherwise
-	 */ 
-	bool (*equal_traffic_selectors)(child_cfg_t *this, bool local,
-								   linked_list_t *ts_list, host_t *host);
-
 	/**
 	 * Get the updown script to run for the CHILD_SA.
 	 * 
diff --git a/src/charon/config/peer_cfg.c b/src/charon/config/peer_cfg.c
index da796d6a2..f096f269e 100644
--- a/src/charon/config/peer_cfg.c
+++ b/src/charon/config/peer_cfg.c
@@ -250,22 +250,46 @@ static enumerator_t* create_child_cfg_enumerator(private_peer_cfg_t *this)
 }
 
 /**
- * Check if child_cfg contains traffic selectors
+ * Check how good a list of TS matches a given child config
  */
-static int contains_ts(child_cfg_t *child, bool mine, linked_list_t *ts,
-						host_t *host)
+static int get_ts_match(child_cfg_t *cfg, bool local,
+						linked_list_t *sup_list, host_t *host)
 {
-	linked_list_t *selected;
-	int prio;
+	linked_list_t *cfg_list;
+	enumerator_t *sup_enum, *cfg_enum;
+	traffic_selector_t *sup_ts, *cfg_ts;
+	int match = 0, round;
 	
-	if (child->equal_traffic_selectors(child, mine, ts, host))
+	/* fetch configured TS list, narrowing dynamic TS */
+	cfg_list = cfg->get_traffic_selectors(cfg, local, NULL, host);
+	
+	/* use a round counter to rate leading TS with higher priority */
+	round = sup_list->get_count(sup_list);
+	
+	sup_enum = sup_list->create_enumerator(sup_list);
+	while (sup_enum->enumerate(sup_enum, &sup_ts))
 	{
-		return 2;
+		cfg_enum = cfg_list->create_enumerator(cfg_list);
+		while (cfg_enum->enumerate(cfg_enum, &cfg_ts))
+		{
+			if (cfg_ts->equals(cfg_ts, sup_ts))
+			{	/* equality is honored better than matches */
+				match += round * 5;
+			}
+			else if (cfg_ts->is_contained_in(cfg_ts, sup_ts) ||
+					 sup_ts->is_contained_in(sup_ts, cfg_ts))
+			{
+				match += round * 1;
+			}
+		}
+		cfg_enum->destroy(cfg_enum);
+		round--;
 	}
-	selected = child->get_traffic_selectors(child, mine, ts, host);
-	prio = selected->get_count(selected) ? 1 : 0;
-	selected->destroy_offset(selected, offsetof(traffic_selector_t, destroy));
-	return prio;
+	sup_enum->destroy(sup_enum);
+	
+	cfg_list->destroy_offset(cfg_list, offsetof(traffic_selector_t, destroy));
+	
+	return match;
 }
 
 /**
@@ -279,21 +303,23 @@ static child_cfg_t* select_child_cfg(private_peer_cfg_t *this,
 	child_cfg_t *current, *found = NULL;
 	enumerator_t *enumerator;
 	int best = 0;
-
-	DBG2(DBG_CFG, "looking for a child config for %#R=== %#R", my_ts, other_ts);	
+	
+	DBG2(DBG_CFG, "looking for a child config for %#R=== %#R", my_ts, other_ts);
 	enumerator = create_child_cfg_enumerator(this);
 	while (enumerator->enumerate(enumerator, &current))
 	{
-		int prio = contains_ts(current, TRUE, my_ts, my_host) +
-				   contains_ts(current, FALSE, other_ts, other_host);
-
-		if (prio)
+		int my_prio, other_prio;
+		
+		my_prio = get_ts_match(current, TRUE, my_ts, my_host);
+		other_prio = get_ts_match(current, FALSE, other_ts, other_host);
+		
+		if (my_prio && other_prio)
 		{
-			DBG2(DBG_CFG, "  candidate \"%s\" with prio %d",
-				 current->get_name(current), prio);
-			if (prio > best)
+			DBG2(DBG_CFG, "  candidate \"%s\" with prio %d+%d",
+				 current->get_name(current), my_prio, other_prio);
+			if (my_prio + other_prio > best)
 			{
-				best = prio;
+				best = my_prio + other_prio;
 				DESTROY_IF(found);
 				found = current->get_ref(current);
 			}
@@ -637,7 +663,7 @@ peer_cfg_t *peer_cfg_create(char *name, u_int ike_version, ike_cfg_t *ike_cfg,
 	this->ike_version = ike_version;
 	this->ike_cfg = ike_cfg;
 	this->child_cfgs = linked_list_create();
-	this->mutex = mutex_create(MUTEX_DEFAULT);
+	this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
 	this->cert_policy = cert_policy;
 	this->unique = unique;
 	this->keyingtries = keyingtries;
diff --git a/src/charon/config/proposal.c b/src/charon/config/proposal.c
index e2dfcca4f..cf7e19605 100644
--- a/src/charon/config/proposal.c
+++ b/src/charon/config/proposal.c
@@ -266,6 +266,9 @@ static bool is_authenticated_encryption(u_int16_t alg)
 		case ENCR_AES_GCM_ICV8:
 		case ENCR_AES_GCM_ICV12:
 		case ENCR_AES_GCM_ICV16:
+		case ENCR_CAMELLIA_CCM_ICV8:
+		case ENCR_CAMELLIA_CCM_ICV12:
+		case ENCR_CAMELLIA_CCM_ICV16:
 			return TRUE;
 	}
 	return FALSE;
diff --git a/src/charon/credentials/credential_manager.c b/src/charon/credentials/credential_manager.c
index 776dbe599..0967cbc81 100644
--- a/src/charon/credentials/credential_manager.c
+++ b/src/charon/credentials/credential_manager.c
@@ -1591,7 +1591,7 @@ credential_manager_t *credential_manager_create()
 	this->cache = cert_cache_create();
 	this->cache_queue = linked_list_create();
 	this->sets->insert_first(this->sets, this->cache);
-	this->lock = rwlock_create(RWLOCK_DEFAULT);
+	this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
 	
 	return &this->public;
 }
diff --git a/src/charon/credentials/sets/cert_cache.c b/src/charon/credentials/sets/cert_cache.c
index 907f5072f..dee0463e6 100644
--- a/src/charon/credentials/sets/cert_cache.c
+++ b/src/charon/credentials/sets/cert_cache.c
@@ -383,7 +383,7 @@ cert_cache_t *cert_cache_create()
 		this->relations[i].subject = NULL;
 		this->relations[i].issuer = NULL;
 		this->relations[i].hits = 0;
-		this->relations[i].lock = rwlock_create(RWLOCK_DEFAULT);
+		this->relations[i].lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
 	}
 	return &this->public;
 }
diff --git a/src/charon/daemon.c b/src/charon/daemon.c
index c646ef9b4..0689c448e 100644
--- a/src/charon/daemon.c
+++ b/src/charon/daemon.c
@@ -20,7 +20,9 @@
 #ifdef HAVE_PRCTL
 #include <sys/prctl.h>
 #endif
+#define _POSIX_PTHREAD_SEMANTICS /* for two param sigwait on OpenSolaris */
 #include <signal.h>
+#undef _POSIX_PTHREAD_SEMANTICS
 #include <pthread.h>
 #include <sys/stat.h>
 #include <sys/types.h>
@@ -42,10 +44,9 @@
 #include <config/traffic_selector.h>
 #include <config/proposal.h>
 
-#ifdef INTEGRITY_TEST
-#include <fips/fips.h>
-#include <fips/fips_signature.h>
-#endif /* INTEGRITY_TEST */
+#ifndef LOG_AUTHPRIV /* not defined on OpenSolaris */
+#define LOG_AUTHPRIV LOG_AUTH
+#endif
 
 typedef struct private_daemon_t private_daemon_t;
 
@@ -469,6 +470,13 @@ static bool initialize(private_daemon_t *this, bool syslog, level_t levels[])
 	
 	DBG1(DBG_DMN, "Starting IKEv2 charon daemon (strongSwan "VERSION")");
 
+	if (lib->integrity)
+	{
+		DBG1(DBG_DMN, "integrity tests enabled:");
+		DBG1(DBG_DMN, "lib    'libstrongswan': passed file and segment integrity tests");
+		DBG1(DBG_DMN, "daemon 'charon': passed file integrity test");
+	}
+
 	/* load secrets, ca certificates and crls */
 	this->public.processor = processor_create();
 	this->public.scheduler = scheduler_create();
@@ -487,19 +495,6 @@ static bool initialize(private_daemon_t *this, bool syslog, level_t levels[])
 		lib->settings->get_str(lib->settings, "charon.load", PLUGINS));
 	
 	print_plugins();
-	
-#ifdef INTEGRITY_TEST
-	DBG1(DBG_DMN, "integrity test of libstrongswan code");
-	if (fips_verify_hmac_signature(hmac_key, hmac_signature))
-	{
-		DBG1(DBG_DMN, "  integrity test passed");
-	}
-	else
-	{
-		DBG1(DBG_DMN, "  integrity test failed");
-		return FALSE;
-	}
-#endif /* INTEGRITY_TEST */
 
 	this->public.ike_sa_manager = ike_sa_manager_create();
 	if (this->public.ike_sa_manager == NULL)
@@ -686,7 +681,20 @@ int main(int argc, char *argv[])
 	dbg = dbg_stderr;
 	
 	/* initialize library */
-	library_init(STRONGSWAN_CONF);
+	if (!library_init(STRONGSWAN_CONF))
+	{
+		library_deinit();
+		exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
+	}
+	
+	if (lib->integrity &&
+		!lib->integrity->check_file(lib->integrity, "charon", argv[0]))
+	{
+		dbg_stderr(1, "integrity check of charon failed");
+		library_deinit();
+		exit(SS_RC_DAEMON_INTEGRITY);
+	}
+	
 	lib->printf_hook->add_handler(lib->printf_hook, 'R',
 								  traffic_selector_printf_hook,
 								  PRINTF_HOOK_ARGTYPE_POINTER,
@@ -757,7 +765,7 @@ int main(int argc, char *argv[])
 	{
 		DBG1(DBG_DMN, "initialization failed - aborting charon");
 		destroy(private_charon);
-		exit(-1);
+		exit(SS_RC_INITIALIZATION_FAILED);
 	}
 	
 	if (check_pidfile())
diff --git a/src/charon/kernel/kernel_interface.c b/src/charon/kernel/kernel_interface.c
index 5188b79fe..53ae1d200 100644
--- a/src/charon/kernel/kernel_interface.c
+++ b/src/charon/kernel/kernel_interface.c
@@ -103,6 +103,19 @@ static status_t update_sa(private_kernel_interface_t *this, u_int32_t spi,
 			new_src, new_dst, encap, new_encap);
 }
 
+/**
+ * Implementation of kernel_interface_t.query_sa
+ */
+static status_t query_sa(private_kernel_interface_t *this, host_t *src, host_t *dst,
+						 u_int32_t spi, protocol_id_t protocol, u_int64_t *bytes)
+{
+	if (!this->ipsec)
+	{
+		return NOT_SUPPORTED;
+	}
+	return this->ipsec->query_sa(this->ipsec, src, dst, spi, protocol, bytes);
+}
+
 /**
  * Implementation of kernel_interface_t.del_sa
  */
@@ -387,6 +400,7 @@ kernel_interface_t *kernel_interface_create()
 	this->public.get_cpi = (status_t(*)(kernel_interface_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
 	this->public.add_sa  = (status_t(*)(kernel_interface_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa;
 	this->public.update_sa = (status_t(*)(kernel_interface_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa;
+	this->public.query_sa = (status_t(*)(kernel_interface_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int64_t*))query_sa;
 	this->public.del_sa = (status_t(*)(kernel_interface_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
 	this->public.add_policy = (status_t(*)(kernel_interface_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t,protocol_id_t,u_int32_t,ipsec_mode_t,u_int16_t,u_int16_t,bool))add_policy;
 	this->public.query_policy = (status_t(*)(kernel_interface_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
diff --git a/src/charon/kernel/kernel_interface.h b/src/charon/kernel/kernel_interface.h
index 8c58c959a..c4a273a34 100644
--- a/src/charon/kernel/kernel_interface.h
+++ b/src/charon/kernel/kernel_interface.h
@@ -140,6 +140,19 @@ struct kernel_interface_t {
 						  host_t *new_src, host_t *new_dst,
 						  bool encap, bool new_encap);
 	
+	/**
+	 * Query the number of bytes processed by an SA from the SAD.
+	 * 
+	 * @param src			source address for this SA
+	 * @param dst			destination address for this SA
+	 * @param spi			SPI allocated by us or remote peer
+	 * @param protocol		protocol for this SA (ESP/AH)
+	 * @param[out] bytes	the number of bytes processed by SA
+	 * @return				SUCCESS if operation completed
+	 */
+	status_t (*query_sa) (kernel_interface_t *this, host_t *src, host_t *dst,
+						  u_int32_t spi, protocol_id_t protocol, u_int64_t *bytes);
+	
 	/**
 	 * Delete a previously installed SA from the SAD.
 	 * 
diff --git a/src/charon/kernel/kernel_ipsec.h b/src/charon/kernel/kernel_ipsec.h
index 6e8c5bc63..d6438c197 100644
--- a/src/charon/kernel/kernel_ipsec.h
+++ b/src/charon/kernel/kernel_ipsec.h
@@ -170,6 +170,19 @@ struct kernel_ipsec_t {
 						  host_t *new_src, host_t *new_dst,
 						  bool encap, bool new_encap);
 	
+	/**
+	 * Query the number of bytes processed by an SA from the SAD.
+	 * 
+	 * @param src			source address for this SA
+	 * @param dst			destination address for this SA
+	 * @param spi			SPI allocated by us or remote peer
+	 * @param protocol		protocol for this SA (ESP/AH)
+	 * @param[out] bytes	the number of bytes processed by SA
+	 * @return				SUCCESS if operation completed
+	 */
+	status_t (*query_sa) (kernel_ipsec_t *this, host_t *src, host_t *dst,
+						  u_int32_t spi, protocol_id_t protocol, u_int64_t *bytes);
+	
 	/**
 	 * Delete a previusly installed SA from the SAD.
 	 * 
diff --git a/src/charon/network/sender.c b/src/charon/network/sender.c
index 4910fe2e8..19f589115 100644
--- a/src/charon/network/sender.c
+++ b/src/charon/network/sender.c
@@ -139,9 +139,9 @@ sender_t * sender_create()
 	this->public.destroy = (void(*)(sender_t*)) destroy;
 	
 	this->list = linked_list_create();
-	this->mutex = mutex_create(MUTEX_DEFAULT);
-	this->got = condvar_create(CONDVAR_DEFAULT);
-	this->sent = condvar_create(CONDVAR_DEFAULT);
+	this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
+	this->got = condvar_create(CONDVAR_TYPE_DEFAULT);
+	this->sent = condvar_create(CONDVAR_TYPE_DEFAULT);
 	
 	this->job = callback_job_create((callback_job_cb_t)send_packets,
 									this, NULL, NULL);
diff --git a/src/charon/network/socket.c b/src/charon/network/socket.c
index 8627ca76d..97c88be79 100644
--- a/src/charon/network/socket.c
+++ b/src/charon/network/socket.c
@@ -18,6 +18,10 @@
 
 /* for struct in6_pktinfo */
 #define _GNU_SOURCE
+#ifdef __sun
+#define _XPG4_2
+#define __EXTENSIONS__
+#endif
 
 #include <pthread.h>
 #include <sys/types.h>
@@ -34,6 +38,9 @@
 #include <netinet/ip6.h>
 #include <netinet/udp.h>
 #include <net/if.h>
+#ifdef __APPLE__
+#include <sys/sysctl.h>
+#endif
 
 #include "socket.h"
 
@@ -431,7 +438,6 @@ status_t sender(private_socket_t *this, packet_t *packet)
 static int open_socket(private_socket_t *this, int family, u_int16_t port)
 {
 	int on = TRUE;
-	int type = UDP_ENCAP_ESPINUDP;
 	struct sockaddr_storage addr;
 	socklen_t addrlen;
 	u_int sol, pktinfo = 0;
@@ -502,13 +508,18 @@ static int open_socket(private_socket_t *this, int family, u_int16_t port)
 			return 0;
 		}
 	}
-	
-	/* enable UDP decapsulation globally, only for one socket needed */
-	if (family == AF_INET && port == IKEV2_NATT_PORT &&
-		setsockopt(skt, SOL_UDP, UDP_ENCAP, &type, sizeof(type)) < 0)
+
+#ifndef __APPLE__
 	{
-		DBG1(DBG_NET, "unable to set UDP_ENCAP: %s", strerror(errno));
+		/* enable UDP decapsulation globally, only for one socket needed */
+		int type = UDP_ENCAP_ESPINUDP;
+		if (family == AF_INET && port == IKEV2_NATT_PORT &&
+			setsockopt(skt, SOL_UDP, UDP_ENCAP, &type, sizeof(type)) < 0)
+		{
+			DBG1(DBG_NET, "unable to set UDP_ENCAP: %s", strerror(errno));
+		}
 	}
+#endif
 	return skt;
 }
 
@@ -611,6 +622,18 @@ socket_t *socket_create()
 	this->ipv6 = 0;
 	this->ipv4_natt = 0;
 	this->ipv6_natt = 0;
+
+#ifdef __APPLE__
+	{
+		int natt_port = IKEV2_NATT_PORT;
+		if (sysctlbyname("net.inet.ipsec.esp_port", NULL, NULL, &natt_port,
+						 sizeof(natt_port)) != 0)
+		{
+			DBG1(DBG_NET, "could not set net.inet.ipsec.esp_port to %d: %s",
+				 natt_port, strerror(errno));
+		}
+	}
+#endif
 	
 	this->ipv4 = open_socket(this, AF_INET, IKEV2_UDP_PORT);
 	if (this->ipv4 == 0)
diff --git a/src/charon/plugins/attr/Makefile.am b/src/charon/plugins/attr/Makefile.am
index d5eb99d9f..b4b3b7da6 100644
--- a/src/charon/plugins/attr/Makefile.am
+++ b/src/charon/plugins/attr/Makefile.am
@@ -6,4 +6,4 @@ AM_CFLAGS = -rdynamic
 plugin_LTLIBRARIES = libstrongswan-attr.la
 libstrongswan_attr_la_SOURCES = attr_plugin.h attr_plugin.c \
   attr_provider.h attr_provider.c
-libstrongswan_attr_la_LDFLAGS = -module
+libstrongswan_attr_la_LDFLAGS = -module -avoid-version
diff --git a/src/charon/plugins/attr/Makefile.in b/src/charon/plugins/attr/Makefile.in
index c0467054e..5c94771e1 100644
--- a/src/charon/plugins/attr/Makefile.in
+++ b/src/charon/plugins/attr/Makefile.in
@@ -73,12 +73,14 @@ ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
@@ -143,6 +145,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
 VERSION = @VERSION@
 YACC = @YACC@
@@ -183,7 +186,9 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
@@ -223,7 +228,7 @@ plugin_LTLIBRARIES = libstrongswan-attr.la
 libstrongswan_attr_la_SOURCES = attr_plugin.h attr_plugin.c \
   attr_provider.h attr_provider.c
 
-libstrongswan_attr_la_LDFLAGS = -module
+libstrongswan_attr_la_LDFLAGS = -module -avoid-version
 all: all-am
 
 .SUFFIXES:
diff --git a/src/charon/plugins/eap_aka/Makefile.am b/src/charon/plugins/eap_aka/Makefile.am
index e1ad1eaf9..1a3ea1857 100644
--- a/src/charon/plugins/eap_aka/Makefile.am
+++ b/src/charon/plugins/eap_aka/Makefile.am
@@ -6,6 +6,6 @@ AM_CFLAGS = -rdynamic
 plugin_LTLIBRARIES = libstrongswan-eapaka.la
 
 libstrongswan_eapaka_la_SOURCES = eap_aka_plugin.h eap_aka_plugin.c eap_aka.h eap_aka.c
-libstrongswan_eapaka_la_LDFLAGS = -module
+libstrongswan_eapaka_la_LDFLAGS = -module -avoid-version
 libstrongswan_eapaka_la_LIBADD = -lgmp
 
diff --git a/src/charon/plugins/eap_aka/Makefile.in b/src/charon/plugins/eap_aka/Makefile.in
index 74d49ac73..2d2405379 100644
--- a/src/charon/plugins/eap_aka/Makefile.in
+++ b/src/charon/plugins/eap_aka/Makefile.in
@@ -74,12 +74,14 @@ ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
@@ -144,6 +146,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
 VERSION = @VERSION@
 YACC = @YACC@
@@ -184,7 +187,9 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
@@ -222,7 +227,7 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
 AM_CFLAGS = -rdynamic
 plugin_LTLIBRARIES = libstrongswan-eapaka.la
 libstrongswan_eapaka_la_SOURCES = eap_aka_plugin.h eap_aka_plugin.c eap_aka.h eap_aka.c
-libstrongswan_eapaka_la_LDFLAGS = -module
+libstrongswan_eapaka_la_LDFLAGS = -module -avoid-version
 libstrongswan_eapaka_la_LIBADD = -lgmp
 all: all-am
 
diff --git a/src/charon/plugins/eap_gtc/Makefile.am b/src/charon/plugins/eap_gtc/Makefile.am
index 1057bd506..547a8dfc5 100644
--- a/src/charon/plugins/eap_gtc/Makefile.am
+++ b/src/charon/plugins/eap_gtc/Makefile.am
@@ -6,5 +6,5 @@ AM_CFLAGS = -rdynamic
 plugin_LTLIBRARIES = libstrongswan-eapgtc.la
 
 libstrongswan_eapgtc_la_SOURCES = eap_gtc_plugin.h eap_gtc_plugin.c eap_gtc.h eap_gtc.c
-libstrongswan_eapgtc_la_LDFLAGS = -module -lpam
+libstrongswan_eapgtc_la_LDFLAGS = -module -avoid-version -lpam
 
diff --git a/src/charon/plugins/eap_gtc/Makefile.in b/src/charon/plugins/eap_gtc/Makefile.in
index 19d648bbd..46d438a97 100644
--- a/src/charon/plugins/eap_gtc/Makefile.in
+++ b/src/charon/plugins/eap_gtc/Makefile.in
@@ -74,12 +74,14 @@ ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
@@ -144,6 +146,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
 VERSION = @VERSION@
 YACC = @YACC@
@@ -184,7 +187,9 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
@@ -222,7 +227,7 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
 AM_CFLAGS = -rdynamic
 plugin_LTLIBRARIES = libstrongswan-eapgtc.la
 libstrongswan_eapgtc_la_SOURCES = eap_gtc_plugin.h eap_gtc_plugin.c eap_gtc.h eap_gtc.c
-libstrongswan_eapgtc_la_LDFLAGS = -module -lpam
+libstrongswan_eapgtc_la_LDFLAGS = -module -avoid-version -lpam
 all: all-am
 
 .SUFFIXES:
diff --git a/src/charon/plugins/eap_identity/Makefile.am b/src/charon/plugins/eap_identity/Makefile.am
index dbf66e74b..79ddee3e8 100644
--- a/src/charon/plugins/eap_identity/Makefile.am
+++ b/src/charon/plugins/eap_identity/Makefile.am
@@ -6,5 +6,5 @@ AM_CFLAGS = -rdynamic
 plugin_LTLIBRARIES = libstrongswan-eapidentity.la
 libstrongswan_eapidentity_la_SOURCES = \
   eap_identity_plugin.h eap_identity_plugin.c eap_identity.h eap_identity.c
-libstrongswan_eapidentity_la_LDFLAGS = -module
+libstrongswan_eapidentity_la_LDFLAGS = -module -avoid-version
 
diff --git a/src/charon/plugins/eap_identity/Makefile.in b/src/charon/plugins/eap_identity/Makefile.in
index f275cd770..0adb9ce10 100644
--- a/src/charon/plugins/eap_identity/Makefile.in
+++ b/src/charon/plugins/eap_identity/Makefile.in
@@ -76,12 +76,14 @@ ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
@@ -146,6 +148,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
 VERSION = @VERSION@
 YACC = @YACC@
@@ -186,7 +189,9 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
@@ -226,7 +231,7 @@ plugin_LTLIBRARIES = libstrongswan-eapidentity.la
 libstrongswan_eapidentity_la_SOURCES = \
   eap_identity_plugin.h eap_identity_plugin.c eap_identity.h eap_identity.c
 
-libstrongswan_eapidentity_la_LDFLAGS = -module
+libstrongswan_eapidentity_la_LDFLAGS = -module -avoid-version
 all: all-am
 
 .SUFFIXES:
diff --git a/src/charon/plugins/eap_md5/Makefile.am b/src/charon/plugins/eap_md5/Makefile.am
index d7964fee9..8bad64368 100644
--- a/src/charon/plugins/eap_md5/Makefile.am
+++ b/src/charon/plugins/eap_md5/Makefile.am
@@ -6,5 +6,5 @@ AM_CFLAGS = -rdynamic
 plugin_LTLIBRARIES = libstrongswan-eapmd5.la
 
 libstrongswan_eapmd5_la_SOURCES = eap_md5_plugin.h eap_md5_plugin.c eap_md5.h eap_md5.c
-libstrongswan_eapmd5_la_LDFLAGS = -module
+libstrongswan_eapmd5_la_LDFLAGS = -module -avoid-version
 
diff --git a/src/charon/plugins/eap_md5/Makefile.in b/src/charon/plugins/eap_md5/Makefile.in
index 372b80b3e..c11837b91 100644
--- a/src/charon/plugins/eap_md5/Makefile.in
+++ b/src/charon/plugins/eap_md5/Makefile.in
@@ -74,12 +74,14 @@ ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
@@ -144,6 +146,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
 VERSION = @VERSION@
 YACC = @YACC@
@@ -184,7 +187,9 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
@@ -222,7 +227,7 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
 AM_CFLAGS = -rdynamic
 plugin_LTLIBRARIES = libstrongswan-eapmd5.la
 libstrongswan_eapmd5_la_SOURCES = eap_md5_plugin.h eap_md5_plugin.c eap_md5.h eap_md5.c
-libstrongswan_eapmd5_la_LDFLAGS = -module
+libstrongswan_eapmd5_la_LDFLAGS = -module -avoid-version
 all: all-am
 
 .SUFFIXES:
diff --git a/src/charon/plugins/eap_mschapv2/Makefile.am b/src/charon/plugins/eap_mschapv2/Makefile.am
index 6ab931905..179da70fc 100644
--- a/src/charon/plugins/eap_mschapv2/Makefile.am
+++ b/src/charon/plugins/eap_mschapv2/Makefile.am
@@ -8,5 +8,5 @@ plugin_LTLIBRARIES = libstrongswan-eapmschapv2.la
 libstrongswan_eapmschapv2_la_SOURCES = \
 	eap_mschapv2_plugin.h eap_mschapv2_plugin.c \
 	eap_mschapv2.h eap_mschapv2.c
-libstrongswan_eapmschapv2_la_LDFLAGS = -module
+libstrongswan_eapmschapv2_la_LDFLAGS = -module -avoid-version
 
diff --git a/src/charon/plugins/eap_mschapv2/Makefile.in b/src/charon/plugins/eap_mschapv2/Makefile.in
index 5ae41d896..d6dd74b88 100644
--- a/src/charon/plugins/eap_mschapv2/Makefile.in
+++ b/src/charon/plugins/eap_mschapv2/Makefile.in
@@ -76,12 +76,14 @@ ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
@@ -146,6 +148,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
 VERSION = @VERSION@
 YACC = @YACC@
@@ -186,7 +189,9 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
@@ -227,7 +232,7 @@ libstrongswan_eapmschapv2_la_SOURCES = \
 	eap_mschapv2_plugin.h eap_mschapv2_plugin.c \
 	eap_mschapv2.h eap_mschapv2.c
 
-libstrongswan_eapmschapv2_la_LDFLAGS = -module
+libstrongswan_eapmschapv2_la_LDFLAGS = -module -avoid-version
 all: all-am
 
 .SUFFIXES:
diff --git a/src/charon/plugins/eap_radius/Makefile.am b/src/charon/plugins/eap_radius/Makefile.am
index f7de2f14f..df5c94656 100644
--- a/src/charon/plugins/eap_radius/Makefile.am
+++ b/src/charon/plugins/eap_radius/Makefile.am
@@ -10,5 +10,5 @@ libstrongswan_eapradius_la_SOURCES = \
   eap_radius.h eap_radius.c \
   radius_client.h radius_client.c \
   radius_message.h radius_message.c
-libstrongswan_eapradius_la_LDFLAGS = -module
+libstrongswan_eapradius_la_LDFLAGS = -module -avoid-version
 
diff --git a/src/charon/plugins/eap_radius/Makefile.in b/src/charon/plugins/eap_radius/Makefile.in
index e7a4cd0f8..c30111fad 100644
--- a/src/charon/plugins/eap_radius/Makefile.in
+++ b/src/charon/plugins/eap_radius/Makefile.in
@@ -76,12 +76,14 @@ ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
@@ -146,6 +148,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
 VERSION = @VERSION@
 YACC = @YACC@
@@ -186,7 +189,9 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
@@ -229,7 +234,7 @@ libstrongswan_eapradius_la_SOURCES = \
   radius_client.h radius_client.c \
   radius_message.h radius_message.c
 
-libstrongswan_eapradius_la_LDFLAGS = -module
+libstrongswan_eapradius_la_LDFLAGS = -module -avoid-version
 all: all-am
 
 .SUFFIXES:
diff --git a/src/charon/plugins/eap_radius/eap_radius.c b/src/charon/plugins/eap_radius/eap_radius.c
index ee2477440..deb3b648b 100644
--- a/src/charon/plugins/eap_radius/eap_radius.c
+++ b/src/charon/plugins/eap_radius/eap_radius.c
@@ -66,6 +66,11 @@ struct private_eap_radius_t {
 	 * TRUE to use EAP-Start, FALSE to send EAP-Identity Response directly
 	 */
 	bool eap_start;
+	
+	/**
+	 * Prefix to prepend to EAP identity
+	 */
+	char *id_prefix;
 };
 
 /**
@@ -86,18 +91,20 @@ static void add_eap_identity(private_eap_radius_t *this,
 		/** identity data */
 		u_int8_t data[];
 	} __attribute__((__packed__)) *hdr;
-	chunk_t id;
+	chunk_t id, prefix;
 	size_t len;
 	
 	id = this->peer->get_encoding(this->peer);
-	len = sizeof(*hdr) + id.len;
+	prefix = chunk_create(this->id_prefix, strlen(this->id_prefix));
+	len = sizeof(*hdr) + prefix.len + id.len;
 	
 	hdr = alloca(len);
 	hdr->code = EAP_RESPONSE;
 	hdr->identifier = 0;
 	hdr->length = htons(len);
 	hdr->type = EAP_IDENTITY;
-	memcpy(hdr->data, id.ptr, id.len);
+	memcpy(hdr->data, prefix.ptr, prefix.len);
+	memcpy(hdr->data + prefix.len, id.ptr, id.len);
 	
 	request->add(request, RAT_EAP_MESSAGE, chunk_create((u_char*)hdr, len));
 }
@@ -136,9 +143,12 @@ static status_t initiate(private_eap_radius_t *this, eap_payload_t **out)
 {
 	radius_message_t *request, *response;
 	status_t status = FAILED;
+	chunk_t username;
 	
 	request = radius_message_create_request();
-	request->add(request, RAT_USER_NAME, this->peer->get_encoding(this->peer));
+	username = chunk_create(this->id_prefix, strlen(this->id_prefix));
+	username = chunk_cata("cc", username, this->peer->get_encoding(this->peer));
+	request->add(request, RAT_USER_NAME, username);
 	
 	if (this->eap_start)
 	{
@@ -283,7 +293,8 @@ eap_radius_t *eap_radius_create(identification_t *server, identification_t *peer
 	this->msk = chunk_empty;
 	this->eap_start = lib->settings->get_bool(lib->settings, 
 								"charon.plugins.eap_radius.eap_start", FALSE);
-	
+	this->id_prefix = lib->settings->get_str(lib->settings,
+								"charon.plugins.eap_radius.id_prefix", "");
 	return &this->public;
 }
 
diff --git a/src/charon/plugins/eap_radius/radius_client.c b/src/charon/plugins/eap_radius/radius_client.c
index 57d3f8f21..de1bafc6d 100644
--- a/src/charon/plugins/eap_radius/radius_client.c
+++ b/src/charon/plugins/eap_radius/radius_client.c
@@ -161,8 +161,8 @@ bool radius_client_init()
 					"charon.plugins.eap_radius.sockets", 1);
 	
 	sockets = linked_list_create();
-	mutex = mutex_create(MUTEX_DEFAULT);
-	condvar = condvar_create(CONDVAR_DEFAULT);
+	mutex = mutex_create(MUTEX_TYPE_DEFAULT);
+	condvar = condvar_create(CONDVAR_TYPE_DEFAULT);
 	for (i = 0; i < count; i++)
 	{
 		fd = socket(host->get_family(host), SOCK_DGRAM, IPPROTO_UDP);
@@ -353,6 +353,7 @@ static radius_message_t* request(private_radius_client_t *this,
 	}
 	DBG1(DBG_CFG, "RADIUS server is not responding");
 	put_socket(socket);
+	charon->bus->alert(charon->bus, ALERT_RADIUS_NOT_RESPONDING);
 	return NULL;
 }
 
diff --git a/src/charon/plugins/eap_sim/Makefile.am b/src/charon/plugins/eap_sim/Makefile.am
index 6cb53ebb5..e503bddab 100644
--- a/src/charon/plugins/eap_sim/Makefile.am
+++ b/src/charon/plugins/eap_sim/Makefile.am
@@ -7,5 +7,5 @@ plugin_LTLIBRARIES = libstrongswan-eapsim.la
 
 libstrongswan_eapsim_la_SOURCES = eap_sim.h eap_sim.c \
   eap_sim_plugin.h eap_sim_plugin.c
-libstrongswan_eapsim_la_LDFLAGS = -module
+libstrongswan_eapsim_la_LDFLAGS = -module -avoid-version
 
diff --git a/src/charon/plugins/eap_sim/Makefile.in b/src/charon/plugins/eap_sim/Makefile.in
index 2374567bc..8f6daacad 100644
--- a/src/charon/plugins/eap_sim/Makefile.in
+++ b/src/charon/plugins/eap_sim/Makefile.in
@@ -74,12 +74,14 @@ ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
@@ -144,6 +146,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
 VERSION = @VERSION@
 YACC = @YACC@
@@ -184,7 +187,9 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
@@ -224,7 +229,7 @@ plugin_LTLIBRARIES = libstrongswan-eapsim.la
 libstrongswan_eapsim_la_SOURCES = eap_sim.h eap_sim.c \
   eap_sim_plugin.h eap_sim_plugin.c
 
-libstrongswan_eapsim_la_LDFLAGS = -module
+libstrongswan_eapsim_la_LDFLAGS = -module -avoid-version
 all: all-am
 
 .SUFFIXES:
diff --git a/src/charon/plugins/eap_sim_file/Makefile.am b/src/charon/plugins/eap_sim_file/Makefile.am
index fc3a0fa14..1cd1dd9e2 100644
--- a/src/charon/plugins/eap_sim_file/Makefile.am
+++ b/src/charon/plugins/eap_sim_file/Makefile.am
@@ -10,5 +10,5 @@ libstrongswan_eapsim_file_la_SOURCES = \
   eap_sim_file_card.h eap_sim_file_card.c \
   eap_sim_file_provider.h eap_sim_file_provider.c \
   eap_sim_file_triplets.h eap_sim_file_triplets.c
-libstrongswan_eapsim_file_la_LDFLAGS = -module
+libstrongswan_eapsim_file_la_LDFLAGS = -module -avoid-version
 
diff --git a/src/charon/plugins/eap_sim_file/Makefile.in b/src/charon/plugins/eap_sim_file/Makefile.in
index 554b3a7bc..b19cc839f 100644
--- a/src/charon/plugins/eap_sim_file/Makefile.in
+++ b/src/charon/plugins/eap_sim_file/Makefile.in
@@ -77,12 +77,14 @@ ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
@@ -147,6 +149,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
 VERSION = @VERSION@
 YACC = @YACC@
@@ -187,7 +190,9 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
@@ -230,7 +235,7 @@ libstrongswan_eapsim_file_la_SOURCES = \
   eap_sim_file_provider.h eap_sim_file_provider.c \
   eap_sim_file_triplets.h eap_sim_file_triplets.c
 
-libstrongswan_eapsim_file_la_LDFLAGS = -module
+libstrongswan_eapsim_file_la_LDFLAGS = -module -avoid-version
 all: all-am
 
 .SUFFIXES:
diff --git a/src/charon/plugins/eap_sim_file/eap_sim_file_triplets.c b/src/charon/plugins/eap_sim_file/eap_sim_file_triplets.c
index d093851c2..e27ed6860 100644
--- a/src/charon/plugins/eap_sim_file/eap_sim_file_triplets.c
+++ b/src/charon/plugins/eap_sim_file/eap_sim_file_triplets.c
@@ -251,7 +251,7 @@ eap_sim_file_triplets_t *eap_sim_file_triplets_create(char *file)
 	this->public.destroy = (void(*)(eap_sim_file_triplets_t*))destroy;
 	
 	this->triplets = linked_list_create();
-	this->mutex = mutex_create(MUTEX_DEFAULT);
+	this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
 	
 	read_triplets(this, file);
 	
diff --git a/src/charon/plugins/kernel_klips/Makefile.am b/src/charon/plugins/kernel_klips/Makefile.am
index dc0234775..0c0987cca 100644
--- a/src/charon/plugins/kernel_klips/Makefile.am
+++ b/src/charon/plugins/kernel_klips/Makefile.am
@@ -7,4 +7,4 @@ plugin_LTLIBRARIES = libstrongswan-kernel-klips.la
 
 libstrongswan_kernel_klips_la_SOURCES = kernel_klips_plugin.h kernel_klips_plugin.c \
 	kernel_klips_ipsec.h kernel_klips_ipsec.c pfkeyv2.h
-libstrongswan_kernel_klips_la_LDFLAGS = -module
+libstrongswan_kernel_klips_la_LDFLAGS = -module -avoid-version
diff --git a/src/charon/plugins/kernel_klips/Makefile.in b/src/charon/plugins/kernel_klips/Makefile.in
index a1efe9d5a..4b1c27352 100644
--- a/src/charon/plugins/kernel_klips/Makefile.in
+++ b/src/charon/plugins/kernel_klips/Makefile.in
@@ -76,12 +76,14 @@ ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
@@ -146,6 +148,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
 VERSION = @VERSION@
 YACC = @YACC@
@@ -186,7 +189,9 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
@@ -226,7 +231,7 @@ plugin_LTLIBRARIES = libstrongswan-kernel-klips.la
 libstrongswan_kernel_klips_la_SOURCES = kernel_klips_plugin.h kernel_klips_plugin.c \
 	kernel_klips_ipsec.h kernel_klips_ipsec.c pfkeyv2.h
 
-libstrongswan_kernel_klips_la_LDFLAGS = -module
+libstrongswan_kernel_klips_la_LDFLAGS = -module -avoid-version
 all: all-am
 
 .SUFFIXES:
diff --git a/src/charon/plugins/kernel_klips/kernel_klips_ipsec.c b/src/charon/plugins/kernel_klips/kernel_klips_ipsec.c
index c69ce4c9a..9a903d027 100644
--- a/src/charon/plugins/kernel_klips/kernel_klips_ipsec.c
+++ b/src/charon/plugins/kernel_klips/kernel_klips_ipsec.c
@@ -1933,6 +1933,16 @@ static status_t update_sa(private_kernel_klips_ipsec_t *this,
 	return SUCCESS;
 }
 
+/**
+ * Implementation of kernel_interface_t.query_sa.
+ */
+static status_t query_sa(private_kernel_klips_ipsec_t *this, host_t *src,
+						 host_t *dst, u_int32_t spi, protocol_id_t protocol,
+						 u_int64_t *bytes)
+{
+	return NOT_SUPPORTED;  /* TODO */
+}
+
 /**
  * Implementation of kernel_interface_t.del_sa.
  */
@@ -2609,6 +2619,7 @@ kernel_klips_ipsec_t *kernel_klips_ipsec_create()
 	this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
 	this->public.interface.add_sa  = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa;
 	this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa;
+	this->public.interface.query_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int64_t*))query_sa;
 	this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
 	this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t,protocol_id_t,u_int32_t,ipsec_mode_t,u_int16_t,u_int16_t,bool))add_policy;
 	this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
@@ -2621,8 +2632,8 @@ kernel_klips_ipsec_t *kernel_klips_ipsec_create()
 	this->allocated_spis = linked_list_create();
 	this->installed_sas = linked_list_create();
 	this->ipsec_devices = linked_list_create();
-	this->mutex = mutex_create(MUTEX_DEFAULT);
-	this->mutex_pfkey = mutex_create(MUTEX_DEFAULT);
+	this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
+	this->mutex_pfkey = mutex_create(MUTEX_TYPE_DEFAULT);
 	this->install_routes = lib->settings->get_bool(lib->settings, "charon.install_routes", TRUE);
 	this->seq = 0;
 	
diff --git a/src/charon/plugins/kernel_netlink/Makefile.am b/src/charon/plugins/kernel_netlink/Makefile.am
index e0efe5779..6351280d6 100644
--- a/src/charon/plugins/kernel_netlink/Makefile.am
+++ b/src/charon/plugins/kernel_netlink/Makefile.am
@@ -8,4 +8,4 @@ plugin_LTLIBRARIES = libstrongswan-kernel-netlink.la
 libstrongswan_kernel_netlink_la_SOURCES = kernel_netlink_plugin.h kernel_netlink_plugin.c \
 	kernel_netlink_ipsec.h kernel_netlink_ipsec.c kernel_netlink_net.h kernel_netlink_net.c \
 	kernel_netlink_shared.h kernel_netlink_shared.c
-libstrongswan_kernel_netlink_la_LDFLAGS = -module
+libstrongswan_kernel_netlink_la_LDFLAGS = -module -avoid-version
diff --git a/src/charon/plugins/kernel_netlink/Makefile.in b/src/charon/plugins/kernel_netlink/Makefile.in
index b97738bff..46d2a1c65 100644
--- a/src/charon/plugins/kernel_netlink/Makefile.in
+++ b/src/charon/plugins/kernel_netlink/Makefile.in
@@ -77,12 +77,14 @@ ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
@@ -147,6 +149,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
 VERSION = @VERSION@
 YACC = @YACC@
@@ -187,7 +190,9 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
@@ -228,7 +233,7 @@ libstrongswan_kernel_netlink_la_SOURCES = kernel_netlink_plugin.h kernel_netlink
 	kernel_netlink_ipsec.h kernel_netlink_ipsec.c kernel_netlink_net.h kernel_netlink_net.c \
 	kernel_netlink_shared.h kernel_netlink_shared.c
 
-libstrongswan_kernel_netlink_la_LDFLAGS = -module
+libstrongswan_kernel_netlink_la_LDFLAGS = -module -avoid-version
 all: all-am
 
 .SUFFIXES:
diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c
index 9322d8dfe..2051316f6 100644
--- a/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -984,16 +984,20 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this,
 			break;
 		case ENCR_AES_CCM_ICV16:
 		case ENCR_AES_GCM_ICV16:
+		case ENCR_CAMELLIA_CCM_ICV16:
 			icv_size += 32;
 			/* FALL */
 		case ENCR_AES_CCM_ICV12:
 		case ENCR_AES_GCM_ICV12:
+		case ENCR_CAMELLIA_CCM_ICV12:
 			icv_size += 32;
 			/* FALL */
 		case ENCR_AES_CCM_ICV8:
 		case ENCR_AES_GCM_ICV8:
+		case ENCR_CAMELLIA_CCM_ICV8:
 		{
-			rthdr->rta_type = XFRMA_ALG_AEAD;
+			struct xfrm_algo_aead *algo;
+
 			alg_name = lookup_algorithm(encryption_algs, enc_alg);
 			if (alg_name == NULL)
 			{
@@ -1004,6 +1008,7 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this,
 			DBG2(DBG_KNL, "  using encryption algorithm %N with key size %d",
 				 encryption_algorithm_names, enc_alg, enc_key.len * 8);
 			
+			rthdr->rta_type = XFRMA_ALG_AEAD;
 			rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo_aead) + enc_key.len);
 			hdr->nlmsg_len += rthdr->rta_len;
 			if (hdr->nlmsg_len > sizeof(request))
@@ -1011,7 +1016,7 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this,
 				return FAILED;
 			}
 			
-			struct xfrm_algo_aead* algo = (struct xfrm_algo_aead*)RTA_DATA(rthdr);
+			algo = (struct xfrm_algo_aead*)RTA_DATA(rthdr);
 			algo->alg_key_len = enc_key.len * 8;
 			algo->alg_icv_len = icv_size;
 			strcpy(algo->alg_name, alg_name);
@@ -1022,7 +1027,8 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this,
 		}
 		default:
 		{
-			rthdr->rta_type = XFRMA_ALG_CRYPT;
+			struct xfrm_algo *algo;
+
 			alg_name = lookup_algorithm(encryption_algs, enc_alg);
 			if (alg_name == NULL)
 			{
@@ -1033,6 +1039,7 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this,
 			DBG2(DBG_KNL, "  using encryption algorithm %N with key size %d",
 				 encryption_algorithm_names, enc_alg, enc_key.len * 8);
 			
+			rthdr->rta_type = XFRMA_ALG_CRYPT;
 			rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + enc_key.len);
 			hdr->nlmsg_len += rthdr->rta_len;
 			if (hdr->nlmsg_len > sizeof(request))
@@ -1040,13 +1047,12 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this,
 				return FAILED;
 			}
 			
-			struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
+			algo = (struct xfrm_algo*)RTA_DATA(rthdr);
 			algo->alg_key_len = enc_key.len * 8;
 			strcpy(algo->alg_name, alg_name);
 			memcpy(algo->alg_key, enc_key.ptr, enc_key.len);
 			
 			rthdr = XFRM_RTA_NEXT(rthdr);
-			break;
 		}
 	}
 		
@@ -1229,6 +1235,74 @@ static status_t get_replay_state(private_kernel_netlink_ipsec_t *this,
 	return FAILED;
 }
 
+/**
+ * Implementation of kernel_interface_t.query_sa.
+ */
+static status_t query_sa(private_kernel_netlink_ipsec_t *this, host_t *src,
+						 host_t *dst, u_int32_t spi, protocol_id_t protocol,
+						 u_int64_t *bytes)
+{
+	netlink_buf_t request;
+	struct nlmsghdr *out = NULL, *hdr;
+	struct xfrm_usersa_id *sa_id;
+	struct xfrm_usersa_info *sa = NULL;
+	size_t len;
+	
+	memset(&request, 0, sizeof(request));
+
+	DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi));
+
+	hdr = (struct nlmsghdr*)request;
+	hdr->nlmsg_flags = NLM_F_REQUEST;
+	hdr->nlmsg_type = XFRM_MSG_GETSA;
+	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
+
+	sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
+	host2xfrm(dst, &sa_id->daddr);
+	sa_id->spi = spi;
+	sa_id->proto = proto_ike2kernel(protocol);
+	sa_id->family = dst->get_family(dst);
+	
+	if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
+	{
+		hdr = out;
+		while (NLMSG_OK(hdr, len))
+		{
+			switch (hdr->nlmsg_type)
+			{
+				case XFRM_MSG_NEWSA:
+				{
+					sa = (struct xfrm_usersa_info*)NLMSG_DATA(hdr);
+					break;
+				}
+				case NLMSG_ERROR:
+				{
+					struct nlmsgerr *err = NLMSG_DATA(hdr);
+					DBG1(DBG_KNL, "querying SAD entry with SPI %.8x failed: %s (%d)",
+						 ntohl(spi), strerror(-err->error), -err->error);
+					break;
+				}
+				default:
+					hdr = NLMSG_NEXT(hdr, len);
+					continue;
+				case NLMSG_DONE:
+					break;
+			}
+			break;
+		}
+	}
+	
+	if (sa == NULL)
+	{
+		DBG2(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi));
+		free(out);
+		return FAILED;
+	}
+	*bytes = sa->curlft.bytes;
+	
+	free(out);
+	return SUCCESS;
+}
 /**
  * Implementation of kernel_interface_t.del_sa.
  */
@@ -1888,6 +1962,7 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create()
 	this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
 	this->public.interface.add_sa  = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa;
 	this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa;
+	this->public.interface.query_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int64_t*))query_sa;
 	this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
 	this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t,protocol_id_t,u_int32_t,ipsec_mode_t,u_int16_t,u_int16_t,bool))add_policy;
 	this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
@@ -1897,7 +1972,7 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create()
 	/* private members */
 	this->policies = hashtable_create((hashtable_hash_t)policy_hash,
 									  (hashtable_equals_t)policy_equals, 32);
-	this->mutex = mutex_create(MUTEX_DEFAULT);
+	this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
 	this->install_routes = lib->settings->get_bool(lib->settings,
 					"charon.install_routes", TRUE);
 	
diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_net.c b/src/charon/plugins/kernel_netlink/kernel_netlink_net.c
index 32154a7ea..e5c0b5da7 100644
--- a/src/charon/plugins/kernel_netlink/kernel_netlink_net.c
+++ b/src/charon/plugins/kernel_netlink/kernel_netlink_net.c
@@ -1370,8 +1370,8 @@ kernel_netlink_net_t *kernel_netlink_net_create()
 
 	/* private members */
 	this->ifaces = linked_list_create();
-	this->mutex = mutex_create(MUTEX_DEFAULT);
-	this->condvar = condvar_create(CONDVAR_DEFAULT);
+	this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
+	this->condvar = condvar_create(CONDVAR_TYPE_DEFAULT);
 	timerclear(&this->last_roam);
 	this->routing_table = lib->settings->get_int(lib->settings,
 					"charon.routing_table", IPSEC_ROUTING_TABLE);
diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_shared.c b/src/charon/plugins/kernel_netlink/kernel_netlink_shared.c
index 7ef7cc56e..ec1187083 100644
--- a/src/charon/plugins/kernel_netlink/kernel_netlink_shared.c
+++ b/src/charon/plugins/kernel_netlink/kernel_netlink_shared.c
@@ -255,7 +255,7 @@ netlink_socket_t *netlink_socket_create(int protocol) {
 
 	/* private members */
 	this->seq = 200;
-	this->mutex = mutex_create(MUTEX_DEFAULT);
+	this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
 	
 	memset(&addr, 0, sizeof(addr));
 	addr.nl_family = AF_NETLINK;
diff --git a/src/charon/plugins/kernel_pfkey/Makefile.am b/src/charon/plugins/kernel_pfkey/Makefile.am
index c9d66b5de..e03a0ca02 100644
--- a/src/charon/plugins/kernel_pfkey/Makefile.am
+++ b/src/charon/plugins/kernel_pfkey/Makefile.am
@@ -7,4 +7,4 @@ plugin_LTLIBRARIES = libstrongswan-kernel-pfkey.la
 
 libstrongswan_kernel_pfkey_la_SOURCES = kernel_pfkey_plugin.h kernel_pfkey_plugin.c \
 	kernel_pfkey_ipsec.h kernel_pfkey_ipsec.c
-libstrongswan_kernel_pfkey_la_LDFLAGS = -module
+libstrongswan_kernel_pfkey_la_LDFLAGS = -module -avoid-version
diff --git a/src/charon/plugins/kernel_pfkey/Makefile.in b/src/charon/plugins/kernel_pfkey/Makefile.in
index df2492ef7..e01510127 100644
--- a/src/charon/plugins/kernel_pfkey/Makefile.in
+++ b/src/charon/plugins/kernel_pfkey/Makefile.in
@@ -76,12 +76,14 @@ ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
@@ -146,6 +148,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
 VERSION = @VERSION@
 YACC = @YACC@
@@ -186,7 +189,9 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
@@ -226,7 +231,7 @@ plugin_LTLIBRARIES = libstrongswan-kernel-pfkey.la
 libstrongswan_kernel_pfkey_la_SOURCES = kernel_pfkey_plugin.h kernel_pfkey_plugin.c \
 	kernel_pfkey_ipsec.h kernel_pfkey_ipsec.c
 
-libstrongswan_kernel_pfkey_la_LDFLAGS = -module
+libstrongswan_kernel_pfkey_la_LDFLAGS = -module -avoid-version
 all: all-am
 
 .SUFFIXES:
diff --git a/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
index 56f0320dc..1f83e8f39 100644
--- a/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
+++ b/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
@@ -17,6 +17,10 @@
 #include <sys/types.h>
 #include <sys/socket.h>
 
+#ifdef __FreeBSD__
+#include <limits.h> /* for LONG_MAX */
+#endif
+
 #ifdef HAVE_NET_PFKEYV2_H
 #include <net/pfkeyv2.h>
 #else
@@ -37,11 +41,11 @@
 #endif
 
 #ifdef HAVE_NATT
-#ifdef HAVE_NETINET_UDP_H
-#include <netinet/udp.h>
-#else
+#ifdef HAVE_LINUX_UDP_H
 #include <linux/udp.h>
-#endif /*HAVE_NETINET_UDP_H*/
+#else
+#include <netinet/udp.h>
+#endif /*HAVE_LINUX_UDP_H*/
 #endif /*HAVE_NATT*/
 
 #include <unistd.h>
@@ -89,7 +93,7 @@
 #define IP_IPSEC_POLICY 16
 #endif
 
-/* missing on uclibc */
+/** missing on uclibc */
 #ifndef IPV6_IPSEC_POLICY
 #define IPV6_IPSEC_POLICY 34
 #endif
@@ -98,6 +102,17 @@
 #define PRIO_LOW 3000
 #define PRIO_HIGH 2000
 
+#ifdef __APPLE__
+/** from xnu/bsd/net/pfkeyv2.h */
+#define SADB_X_EXT_NATT 0x002
+	struct sadb_sa_2 {
+		struct sadb_sa	sa;
+		u_int16_t		sadb_sa_natt_port;
+		u_int16_t		sadb_reserved0;
+		u_int32_t		sadb_reserved1;
+	};
+#endif
+
 /** buffer size for PF_KEY messages */
 #define PFKEY_BUFFER_SIZE 4096
 
@@ -467,7 +482,7 @@ static u_int8_t dir2kernel(policy_dir_t dir)
 			return IPSEC_DIR_FWD;
 #endif
 		default:
-			return dir;
+			return IPSEC_DIR_INVALID;
 	}
 }
 
@@ -693,7 +708,7 @@ static status_t parse_pfkey_message(struct sadb_msg *msg, pfkey_msg_t *out)
 	
 	while (len >= PFKEY_LEN(sizeof(struct sadb_ext)))
 	{
-		DBG2(DBG_KNL, "  %N", sadb_ext_type_names, ext->sadb_ext_type);
+		DBG3(DBG_KNL, "  %N", sadb_ext_type_names, ext->sadb_ext_type);
 		if (ext->sadb_ext_len < PFKEY_LEN(sizeof(struct sadb_ext)) ||
 			ext->sadb_ext_len > len)
 		{
@@ -740,6 +755,8 @@ static status_t pfkey_send_socket(private_kernel_pfkey_ipsec_t *this, int socket
 	
 	this->mutex_pfkey->lock(this->mutex_pfkey);
 
+	/* FIXME: our usage of sequence numbers is probably wrong. check RFC 2367,
+	 * in particular the behavior in response to an SADB_ACQUIRE. */
 	in->sadb_msg_seq = ++this->seq;
 	in->sadb_msg_pid = getpid();
 
@@ -801,14 +818,23 @@ static status_t pfkey_send_socket(private_kernel_pfkey_ipsec_t *this, int socket
 		}
 		if (msg->sadb_msg_seq != this->seq)
 		{
-			DBG1(DBG_KNL, "received PF_KEY message with invalid sequence number, "
-					"was %d expected %d", msg->sadb_msg_seq, this->seq);
-			if (msg->sadb_msg_seq < this->seq)
+			DBG1(DBG_KNL, "received PF_KEY message with unexpected sequence "
+				 "number, was %d expected %d", msg->sadb_msg_seq, this->seq);
+			if (msg->sadb_msg_seq == 0)
+			{
+				/* FreeBSD and Mac OS X do this for the response to
+				 * SADB_X_SPDGET (but not for the response to SADB_GET).
+				 * FreeBSD: 'key_spdget' in /usr/src/sys/netipsec/key.c. */
+			}
+			else if (msg->sadb_msg_seq < this->seq)
 			{
 				continue;
 			}
-			this->mutex_pfkey->unlock(this->mutex_pfkey);
-			return FAILED;
+			else
+			{
+				this->mutex_pfkey->unlock(this->mutex_pfkey);
+				return FAILED;
+			}
 		}
 		if (msg->sadb_msg_type != in->sadb_msg_type)
 		{
@@ -1223,10 +1249,25 @@ static status_t add_sa(private_kernel_pfkey_ipsec_t *this,
 	msg->sadb_msg_type = inbound ? SADB_UPDATE : SADB_ADD;
 	msg->sadb_msg_satype = proto_ike2satype(protocol);
 	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
-	
-	sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
+
+#ifdef __APPLE__
+	if (encap)
+	{
+		struct sadb_sa_2 *sa_2;
+		sa_2 = (struct sadb_sa_2*)PFKEY_EXT_ADD_NEXT(msg);
+		sa_2->sadb_sa_natt_port = dst->get_port(dst);
+		sa = &sa_2->sa;
+		sa->sadb_sa_flags |= SADB_X_EXT_NATT;
+		len = sizeof(struct sadb_sa_2);
+	}
+	else
+#endif
+	{
+		sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
+		len = sizeof(struct sadb_sa);
+	}
 	sa->sadb_sa_exttype = SADB_EXT_SA;
-	sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
+	sa->sadb_sa_len = PFKEY_LEN(len);
 	sa->sadb_sa_spi = spi;
 	sa->sadb_sa_replay = (protocol == IPPROTO_COMP) ? 0 : 32;
 	sa->sadb_sa_auth = lookup_algorithm(integrity_algs, int_alg);
@@ -1403,7 +1444,21 @@ static status_t update_sa(private_kernel_pfkey_ipsec_t *this,
 	msg->sadb_msg_satype = proto_ike2satype(protocol);
 	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
 	
+#ifdef __APPLE__
+	{
+		struct sadb_sa_2 *sa_2;
+		sa_2 = (struct sadb_sa_2*)PFKEY_EXT_ADD_NEXT(msg);
+		sa_2->sa.sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa_2));
+		memcpy(&sa_2->sa, response.sa, sizeof(struct sadb_sa));
+		if (encap)
+		{
+			sa_2->sadb_sa_natt_port = new_dst->get_port(new_dst);
+			sa_2->sa.sadb_sa_flags |= SADB_X_EXT_NATT;
+		}
+	}
+#else
 	PFKEY_EXT_COPY(msg, response.sa);
+#endif
 	PFKEY_EXT_COPY(msg, response.x_sa2);
 	
 	PFKEY_EXT_COPY(msg, response.src);
@@ -1421,7 +1476,7 @@ static status_t update_sa(private_kernel_pfkey_ipsec_t *this,
 	{
 		PFKEY_EXT_COPY(msg, response.key_auth);
 	}
-
+	
 #ifdef HAVE_NATT
 	if (new_encap)
 	{
@@ -1448,6 +1503,65 @@ static status_t update_sa(private_kernel_pfkey_ipsec_t *this,
 	return SUCCESS;
 }
 
+/**
+ * Implementation of kernel_interface_t.query_sa.
+ */
+static status_t query_sa(private_kernel_pfkey_ipsec_t *this, host_t *src,
+						 host_t *dst, u_int32_t spi, protocol_id_t protocol,
+						 u_int64_t *bytes)
+{
+	unsigned char request[PFKEY_BUFFER_SIZE];
+	struct sadb_msg *msg, *out;
+	struct sadb_sa *sa;
+	pfkey_msg_t response;
+	size_t len;
+	
+	memset(&request, 0, sizeof(request));
+	
+	DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi));
+	
+	msg = (struct sadb_msg*)request;
+	msg->sadb_msg_version = PF_KEY_V2;
+	msg->sadb_msg_type = SADB_GET;
+	msg->sadb_msg_satype = proto_ike2satype(protocol);
+	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
+	
+	sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
+	sa->sadb_sa_exttype = SADB_EXT_SA;
+	sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
+	sa->sadb_sa_spi = spi;
+	PFKEY_EXT_ADD(msg, sa);
+	
+	/* the Linux Kernel doesn't care for the src address, but other systems do
+	 * (e.g. FreeBSD)
+	 */
+	add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0);
+	add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
+	
+	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi));
+		return FAILED;
+	}
+	else if (out->sadb_msg_errno)
+	{
+		DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x: %s (%d)",
+				ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
+		free(out);
+		return FAILED;
+	}
+	else if (parse_pfkey_message(out, &response) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi));
+		free(out);
+		return FAILED;
+	}
+	*bytes = response.lft_current->sadb_lifetime_bytes;
+
+	free(out);
+	return SUCCESS;
+}
+
 /**
  * Implementation of kernel_interface_t.del_sa.
  */
@@ -1476,7 +1590,9 @@ static status_t del_sa(private_kernel_pfkey_ipsec_t *this, host_t *src,
 	sa->sadb_sa_spi = spi;
 	PFKEY_EXT_ADD(msg, sa);
 	
-	/* the Linux Kernel doesn't care for the src address, but other systems do (e.g. FreeBSD) */
+	/* the Linux Kernel doesn't care for the src address, but other systems do
+	 * (e.g. FreeBSD)
+	 */
 	add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0);
 	add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
 	
@@ -1518,6 +1634,12 @@ static status_t add_policy(private_kernel_pfkey_ipsec_t *this,
 	pfkey_msg_t response;
 	size_t len;
 	
+	if (dir2kernel(direction) == IPSEC_DIR_INVALID)
+	{
+		/* FWD policies are not supported on all platforms */
+		return SUCCESS;
+	}
+	
 	/* create a policy */
 	policy = create_policy_entry(src_ts, dst_ts, direction, reqid);
 	
@@ -1594,6 +1716,18 @@ static status_t add_policy(private_kernel_pfkey_ipsec_t *this,
 	add_addr_ext(msg, policy->dst.net, SADB_EXT_ADDRESS_DST, policy->dst.proto,
 				 policy->dst.mask);
 	
+#ifdef __FreeBSD__
+	{	/* on FreeBSD a lifetime has to be defined to be able to later query
+		 * the current use time. */
+		struct sadb_lifetime *lft;
+		lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
+		lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
+		lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
+		lft->sadb_lifetime_addtime = LONG_MAX;
+		PFKEY_EXT_ADD(msg, lft);
+	}
+#endif
+	
 	this->mutex->unlock(this->mutex);
 	
 	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
@@ -1700,6 +1834,12 @@ static status_t query_policy(private_kernel_pfkey_ipsec_t *this,
 	pfkey_msg_t response;
 	size_t len;
 	
+	if (dir2kernel(direction) == IPSEC_DIR_INVALID)
+	{
+		/* FWD policies are not supported on all platforms */
+		return NOT_FOUND;
+	}
+	
 	DBG2(DBG_KNL, "querying policy %R === %R %N", src_ts, dst_ts,
 				   policy_dir_names, direction);
 
@@ -1764,6 +1904,13 @@ static status_t query_policy(private_kernel_pfkey_ipsec_t *this,
 		free(out);
 		return FAILED;
 	}
+	else if (response.lft_current == NULL)
+	{
+		DBG1(DBG_KNL, "unable to query policy %R === %R %N: kernel reports no "
+			 "use time", src_ts, dst_ts, policy_dir_names, direction);
+		free(out);
+		return FAILED;
+	}
 	
 	*use_time = response.lft_current->sadb_lifetime_usetime;
 	
@@ -1787,6 +1934,12 @@ static status_t del_policy(private_kernel_pfkey_ipsec_t *this,
 	route_entry_t *route;
 	size_t len;
 	
+	if (dir2kernel(direction) == IPSEC_DIR_INVALID)
+	{
+		/* FWD policies are not supported on all platforms */
+		return SUCCESS;
+	}
+	
 	DBG2(DBG_KNL, "deleting policy %R === %R %N", src_ts, dst_ts,
 				   policy_dir_names, direction);
 	
@@ -1995,6 +2148,7 @@ kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create()
 	this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
 	this->public.interface.add_sa  = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa;
 	this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa;
+	this->public.interface.query_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int64_t*))query_sa;
 	this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
 	this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t,protocol_id_t,u_int32_t,ipsec_mode_t,u_int16_t,u_int16_t,bool))add_policy;
 	this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
@@ -2004,8 +2158,8 @@ kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create()
 
 	/* private members */
 	this->policies = linked_list_create();
-	this->mutex = mutex_create(MUTEX_DEFAULT);
-	this->mutex_pfkey = mutex_create(MUTEX_DEFAULT);
+	this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
+	this->mutex_pfkey = mutex_create(MUTEX_TYPE_DEFAULT);
 	this->install_routes = lib->settings->get_bool(lib->settings,
 												"charon.install_routes", TRUE);
 	this->seq = 0;
diff --git a/src/charon/plugins/kernel_pfroute/Makefile.am b/src/charon/plugins/kernel_pfroute/Makefile.am
index 3ad445c09..b6e6587a7 100644
--- a/src/charon/plugins/kernel_pfroute/Makefile.am
+++ b/src/charon/plugins/kernel_pfroute/Makefile.am
@@ -7,4 +7,4 @@ plugin_LTLIBRARIES = libstrongswan-kernel-pfroute.la
 
 libstrongswan_kernel_pfroute_la_SOURCES = kernel_pfroute_plugin.h kernel_pfroute_plugin.c \
 	kernel_pfroute_net.h kernel_pfroute_net.c
-libstrongswan_kernel_pfroute_la_LDFLAGS = -module
+libstrongswan_kernel_pfroute_la_LDFLAGS = -module -avoid-version
diff --git a/src/charon/plugins/kernel_pfroute/Makefile.in b/src/charon/plugins/kernel_pfroute/Makefile.in
index e585a7db2..05da8e271 100644
--- a/src/charon/plugins/kernel_pfroute/Makefile.in
+++ b/src/charon/plugins/kernel_pfroute/Makefile.in
@@ -76,12 +76,14 @@ ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
@@ -146,6 +148,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
 VERSION = @VERSION@
 YACC = @YACC@
@@ -186,7 +189,9 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
@@ -226,7 +231,7 @@ plugin_LTLIBRARIES = libstrongswan-kernel-pfroute.la
 libstrongswan_kernel_pfroute_la_SOURCES = kernel_pfroute_plugin.h kernel_pfroute_plugin.c \
 	kernel_pfroute_net.h kernel_pfroute_net.c
 
-libstrongswan_kernel_pfroute_la_LDFLAGS = -module
+libstrongswan_kernel_pfroute_la_LDFLAGS = -module -avoid-version
 all: all-am
 
 .SUFFIXES:
diff --git a/src/charon/plugins/kernel_pfroute/kernel_pfroute_net.c b/src/charon/plugins/kernel_pfroute/kernel_pfroute_net.c
index c2b35a5ce..d5a864b1c 100644
--- a/src/charon/plugins/kernel_pfroute/kernel_pfroute_net.c
+++ b/src/charon/plugins/kernel_pfroute/kernel_pfroute_net.c
@@ -681,8 +681,8 @@ kernel_pfroute_net_t *kernel_pfroute_net_create()
 	
 	/* private members */
 	this->ifaces = linked_list_create();
-	this->mutex = mutex_create(MUTEX_DEFAULT);
-	this->mutex_pfroute = mutex_create(MUTEX_DEFAULT);
+	this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
+	this->mutex_pfroute = mutex_create(MUTEX_TYPE_DEFAULT);
 	
 	this->seq = 0;
 	
diff --git a/src/charon/plugins/load_tester/Makefile.am b/src/charon/plugins/load_tester/Makefile.am
index 121f0b080..e6e04229a 100644
--- a/src/charon/plugins/load_tester/Makefile.am
+++ b/src/charon/plugins/load_tester/Makefile.am
@@ -13,5 +13,5 @@ libstrongswan_load_tester_la_SOURCES = \
   load_tester_listener.c load_tester_listener.h \
   load_tester_diffie_hellman.c load_tester_diffie_hellman.h
 
-libstrongswan_load_tester_la_LDFLAGS = -module
+libstrongswan_load_tester_la_LDFLAGS = -module -avoid-version
 
diff --git a/src/charon/plugins/load_tester/Makefile.in b/src/charon/plugins/load_tester/Makefile.in
index 056ac16d3..3b494cea2 100644
--- a/src/charon/plugins/load_tester/Makefile.in
+++ b/src/charon/plugins/load_tester/Makefile.in
@@ -78,12 +78,14 @@ ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
@@ -148,6 +150,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
 VERSION = @VERSION@
 YACC = @YACC@
@@ -188,7 +191,9 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
@@ -233,7 +238,7 @@ libstrongswan_load_tester_la_SOURCES = \
   load_tester_listener.c load_tester_listener.h \
   load_tester_diffie_hellman.c load_tester_diffie_hellman.h
 
-libstrongswan_load_tester_la_LDFLAGS = -module
+libstrongswan_load_tester_la_LDFLAGS = -module -avoid-version
 all: all-am
 
 .SUFFIXES:
diff --git a/src/charon/plugins/load_tester/load_tester_ipsec.c b/src/charon/plugins/load_tester/load_tester_ipsec.c
index d37f7a7bd..e463d2adc 100644
--- a/src/charon/plugins/load_tester/load_tester_ipsec.c
+++ b/src/charon/plugins/load_tester/load_tester_ipsec.c
@@ -83,6 +83,16 @@ static status_t update_sa(private_load_tester_ipsec_t *this,
 	return SUCCESS;
 }
 
+/**
+ * Implementation of kernel_interface_t.query_sa.
+ */
+static status_t query_sa(private_load_tester_ipsec_t *this, host_t *src,
+						 host_t *dst, u_int32_t spi, protocol_id_t protocol,
+						 u_int64_t *bytes)
+{
+	return NOT_SUPPORTED;
+}
+
 /**
  * Implementation of kernel_interface_t.del_sa.
  */
@@ -151,6 +161,7 @@ load_tester_ipsec_t *load_tester_ipsec_create()
 	this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
 	this->public.interface.add_sa  = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa;
 	this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa;
+	this->public.interface.query_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int64_t*))query_sa;
 	this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
 	this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t *this,host_t *, host_t *,traffic_selector_t *,traffic_selector_t *,policy_dir_t, u_int32_t,protocol_id_t, u_int32_t,ipsec_mode_t, u_int16_t, u_int16_t,bool))add_policy;
 	this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
diff --git a/src/charon/plugins/load_tester/load_tester_plugin.c b/src/charon/plugins/load_tester/load_tester_plugin.c
index 12ac7b090..93ed2e3c5 100644
--- a/src/charon/plugins/load_tester/load_tester_plugin.c
+++ b/src/charon/plugins/load_tester/load_tester_plugin.c
@@ -202,8 +202,8 @@ plugin_t *plugin_create()
 		shutdown_on = this->iterations * this->initiators;
 	}
 	
-	this->mutex = mutex_create(MUTEX_DEFAULT);
-	this->condvar = condvar_create(CONDVAR_DEFAULT);
+	this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
+	this->condvar = condvar_create(CONDVAR_TYPE_DEFAULT);
 	this->config = load_tester_config_create();
 	this->creds = load_tester_creds_create();
 	this->listener = load_tester_listener_create(shutdown_on);
diff --git a/src/charon/plugins/medcli/Makefile.am b/src/charon/plugins/medcli/Makefile.am
index f15950af9..a5f018f82 100644
--- a/src/charon/plugins/medcli/Makefile.am
+++ b/src/charon/plugins/medcli/Makefile.am
@@ -8,5 +8,5 @@ libstrongswan_medcli_la_SOURCES = medcli_plugin.h medcli_plugin.c \
 			      medcli_creds.h medcli_creds.c \
 			      medcli_config.h medcli_config.c \
 			      medcli_listener.h medcli_listener.c
-libstrongswan_medcli_la_LDFLAGS = -module
+libstrongswan_medcli_la_LDFLAGS = -module -avoid-version
 
diff --git a/src/charon/plugins/medcli/Makefile.in b/src/charon/plugins/medcli/Makefile.in
index cef486411..9a2b3f889 100644
--- a/src/charon/plugins/medcli/Makefile.in
+++ b/src/charon/plugins/medcli/Makefile.in
@@ -75,12 +75,14 @@ ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
@@ -145,6 +147,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
 VERSION = @VERSION@
 YACC = @YACC@
@@ -185,7 +188,9 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
@@ -227,7 +232,7 @@ libstrongswan_medcli_la_SOURCES = medcli_plugin.h medcli_plugin.c \
 			      medcli_config.h medcli_config.c \
 			      medcli_listener.h medcli_listener.c
 
-libstrongswan_medcli_la_LDFLAGS = -module
+libstrongswan_medcli_la_LDFLAGS = -module -avoid-version
 all: all-am
 
 .SUFFIXES:
diff --git a/src/charon/plugins/medsrv/Makefile.am b/src/charon/plugins/medsrv/Makefile.am
index 476da1878..f3611a79e 100644
--- a/src/charon/plugins/medsrv/Makefile.am
+++ b/src/charon/plugins/medsrv/Makefile.am
@@ -7,5 +7,5 @@ plugin_LTLIBRARIES = libstrongswan-medsrv.la
 libstrongswan_medsrv_la_SOURCES = medsrv_plugin.h medsrv_plugin.c \
 			      medsrv_creds.h medsrv_creds.c \
 			      medsrv_config.h medsrv_config.c
-libstrongswan_medsrv_la_LDFLAGS = -module
+libstrongswan_medsrv_la_LDFLAGS = -module -avoid-version
 
diff --git a/src/charon/plugins/medsrv/Makefile.in b/src/charon/plugins/medsrv/Makefile.in
index ec537e505..ba599499b 100644
--- a/src/charon/plugins/medsrv/Makefile.in
+++ b/src/charon/plugins/medsrv/Makefile.in
@@ -75,12 +75,14 @@ ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
@@ -145,6 +147,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
 VERSION = @VERSION@
 YACC = @YACC@
@@ -185,7 +188,9 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
@@ -226,7 +231,7 @@ libstrongswan_medsrv_la_SOURCES = medsrv_plugin.h medsrv_plugin.c \
 			      medsrv_creds.h medsrv_creds.c \
 			      medsrv_config.h medsrv_config.c
 
-libstrongswan_medsrv_la_LDFLAGS = -module
+libstrongswan_medsrv_la_LDFLAGS = -module -avoid-version
 all: all-am
 
 .SUFFIXES:
diff --git a/src/charon/plugins/nm/Makefile.am b/src/charon/plugins/nm/Makefile.am
index 9a0b48cd2..b74a4e46f 100644
--- a/src/charon/plugins/nm/Makefile.am
+++ b/src/charon/plugins/nm/Makefile.am
@@ -9,5 +9,5 @@ libstrongswan_nm_la_SOURCES = \
   nm_service.h nm_service.c \
   nm_creds.h nm_creds.c \
   nm_handler.h nm_handler.c
-libstrongswan_nm_la_LDFLAGS = -module
+libstrongswan_nm_la_LDFLAGS = -module -avoid-version
 libstrongswan_nm_la_LIBADD = ${nm_LIBS}
diff --git a/src/charon/plugins/nm/Makefile.in b/src/charon/plugins/nm/Makefile.in
index a75af8a0f..c7c428c2a 100644
--- a/src/charon/plugins/nm/Makefile.in
+++ b/src/charon/plugins/nm/Makefile.in
@@ -75,12 +75,14 @@ ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
@@ -145,6 +147,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
 VERSION = @VERSION@
 YACC = @YACC@
@@ -185,7 +188,9 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
@@ -228,7 +233,7 @@ libstrongswan_nm_la_SOURCES = \
   nm_creds.h nm_creds.c \
   nm_handler.h nm_handler.c
 
-libstrongswan_nm_la_LDFLAGS = -module
+libstrongswan_nm_la_LDFLAGS = -module -avoid-version
 libstrongswan_nm_la_LIBADD = ${nm_LIBS}
 all: all-am
 
diff --git a/src/charon/plugins/nm/nm_creds.c b/src/charon/plugins/nm/nm_creds.c
index d93b81c9a..4ea2c36dd 100644
--- a/src/charon/plugins/nm/nm_creds.c
+++ b/src/charon/plugins/nm/nm_creds.c
@@ -322,7 +322,7 @@ nm_creds_t *nm_creds_create()
 	this->public.clear = (void(*)(nm_creds_t*))clear;
 	this->public.destroy = (void(*)(nm_creds_t*))destroy;
 	
-	this->lock = rwlock_create(RWLOCK_DEFAULT);
+	this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
 	
 	this->cert = NULL;
 	this->user = NULL;
diff --git a/src/charon/plugins/nm/nm_service.c b/src/charon/plugins/nm/nm_service.c
index bca4d9e09..88a3cc95e 100644
--- a/src/charon/plugins/nm/nm_service.c
+++ b/src/charon/plugins/nm/nm_service.c
@@ -14,6 +14,7 @@
  */
 
 #include <nm-setting-vpn.h>
+#include <nm-setting-connection.h>
 #include "nm_service.h"
 
 #include <daemon.h>
@@ -25,8 +26,6 @@
 
 #include <stdio.h>
 
-#define CONFIG_NAME "NetworkManager"
-
 G_DEFINE_TYPE(NMStrongswanPlugin, nm_strongswan_plugin, NM_TYPE_VPN_PLUGIN)
 
 /**
@@ -43,6 +42,8 @@ typedef struct {
 	nm_creds_t *creds;
 	/* attribute handler for DNS/NBNS server information */
 	nm_handler_t *handler;
+	/* name of the connection */
+	char *name;
 } NMStrongswanPluginPrivate;
 
 #define NM_STRONGSWAN_PLUGIN_GET_PRIVATE(o) \
@@ -121,14 +122,14 @@ static void signal_ipv4_config(NMVPNPlugin *plugin,
 /**
  * signal failure to NM, connecting failed
  */
-static void signal_failure(NMVPNPlugin *plugin)
+static void signal_failure(NMVPNPlugin *plugin, NMVPNPluginFailure failure)
 {
 	nm_handler_t *handler = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin)->handler;
 	
 	handler->reset(handler);
 	
 	/* TODO: NM does not handle this failure!? */
-	nm_vpn_plugin_failure(plugin, NM_VPN_PLUGIN_FAILURE_LOGIN_FAILED); 
+	nm_vpn_plugin_failure(plugin, failure); 
 	nm_vpn_plugin_set_state(plugin, NM_VPN_SERVICE_STATE_STOPPED);
 }
 
@@ -140,16 +141,10 @@ static bool ike_state_change(listener_t *listener, ike_sa_t *ike_sa,
 {
 	NMStrongswanPluginPrivate *private = (NMStrongswanPluginPrivate*)listener;
 	
-	if (private->ike_sa == ike_sa)
+	if (private->ike_sa == ike_sa && state == IKE_DESTROYING)
 	{
-		switch (state)
-		{
-			case IKE_DESTROYING:
-				signal_failure(private->plugin);
-				return FALSE;
-			default:
-				break;
-		}
+		signal_failure(private->plugin, NM_VPN_PLUGIN_FAILURE_LOGIN_FAILED);
+		return FALSE;
 	}
 	return TRUE;
 }
@@ -161,32 +156,63 @@ static bool child_state_change(listener_t *listener, ike_sa_t *ike_sa,
 							   child_sa_t *child_sa, child_sa_state_t state)
 {
 	NMStrongswanPluginPrivate *private = (NMStrongswanPluginPrivate*)listener;
+	
+	if (private->ike_sa == ike_sa && state == CHILD_DESTROYING)
+	{
+		signal_failure(private->plugin, NM_VPN_PLUGIN_FAILURE_CONNECT_FAILED);
+		return FALSE;
+	}
+	return TRUE;
+}
 
+/**
+ * Implementation of listener_t.child_updown
+ */
+static bool child_updown(listener_t *listener, ike_sa_t *ike_sa,
+						 child_sa_t *child_sa, bool up)
+{
+	NMStrongswanPluginPrivate *private = (NMStrongswanPluginPrivate*)listener;
+	
 	if (private->ike_sa == ike_sa)
 	{
-		switch (state)
+		if (up)
+		{	/* disable initiate-failure-detection hooks */
+			private->listener.ike_state_change = NULL;
+			private->listener.child_state_change = NULL;
+			signal_ipv4_config(private->plugin, ike_sa, child_sa);
+		}
+		else
 		{
-			case CHILD_INSTALLED:
-				signal_ipv4_config(private->plugin, ike_sa, child_sa);
-				return FALSE;
-			case CHILD_DESTROYING:
-				signal_failure(private->plugin);
-				return FALSE;
-			default:
-				break;
+			signal_failure(private->plugin, NM_VPN_PLUGIN_FAILURE_CONNECT_FAILED);
+			return FALSE;
 		}
 	}
 	return TRUE;
 }
 
+/**
+ * Implementation of listener_t.ike_rekey
+ */
+static bool ike_rekey(listener_t *listener, ike_sa_t *old, ike_sa_t *new)
+{
+	NMStrongswanPluginPrivate *private = (NMStrongswanPluginPrivate*)listener;
+	
+	if (private->ike_sa == old)
+	{	/* follow a rekeyed IKE_SA */
+		private->ike_sa = new;
+	}
+	return TRUE;
+}
+
 /**
  * Connect function called from NM via DBUS
  */
 static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
 						 GError **err)
 {
-	nm_creds_t *creds;
-	NMSettingVPN *settings;
+	NMStrongswanPluginPrivate *priv;
+	NMSettingConnection *conn;
+	NMSettingVPN *vpn;
 	identification_t *user = NULL, *gateway;
 	const char *address, *str;
 	bool virtual, encap, ipcomp;
@@ -204,25 +230,34 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
 	/**
 	 * Read parameters
 	 */
-	settings = NM_SETTING_VPN(nm_connection_get_setting(connection,
-														NM_TYPE_SETTING_VPN));
-	
-	DBG4(DBG_CFG, "received NetworkManager connection: %s",
-		 nm_setting_to_string(NM_SETTING(settings)));
-	address = nm_setting_vpn_get_data_item(settings, "address");
+	priv = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin);
+	conn = NM_SETTING_CONNECTION(nm_connection_get_setting(connection,
+												NM_TYPE_SETTING_CONNECTION));
+	vpn = NM_SETTING_VPN(nm_connection_get_setting(connection,
+												NM_TYPE_SETTING_VPN));
+	if (priv->name)
+	{
+		free(priv->name);
+	}
+	priv->name = strdup(nm_setting_connection_get_id(conn));
+	DBG1(DBG_CFG, "received initiate for NetworkManager connection %s",
+		 priv->name);
+	DBG4(DBG_CFG, "%s",
+		 nm_setting_to_string(NM_SETTING(vpn)));
+	address = nm_setting_vpn_get_data_item(vpn, "address");
 	if (!address || !*address)
 	{
 		g_set_error(err, NM_VPN_PLUGIN_ERROR, NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
 				    "Gateway address missing.");
 		return FALSE;
 	}
-	str = nm_setting_vpn_get_data_item(settings, "virtual");
+	str = nm_setting_vpn_get_data_item(vpn, "virtual");
 	virtual = str && streq(str, "yes");
-	str = nm_setting_vpn_get_data_item(settings, "encap");
+	str = nm_setting_vpn_get_data_item(vpn, "encap");
 	encap = str && streq(str, "yes");
-	str = nm_setting_vpn_get_data_item(settings, "ipcomp");
+	str = nm_setting_vpn_get_data_item(vpn, "ipcomp");
 	ipcomp = str && streq(str, "yes");
-	str = nm_setting_vpn_get_data_item(settings, "method");
+	str = nm_setting_vpn_get_data_item(vpn, "method");
 	if (str)
 	{
 		if (streq(str, "psk"))
@@ -243,16 +278,15 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
 	/**
 	 * Register credentials
 	 */
-	creds = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin)->creds;
-	creds->clear(creds);
+	priv->creds->clear(priv->creds);
 	
 	/* gateway/CA cert */
-	str = nm_setting_vpn_get_data_item(settings, "certificate");
+	str = nm_setting_vpn_get_data_item(vpn, "certificate");
 	if (str)
 	{
 		cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
 								  BUILD_FROM_FILE, str, BUILD_END);
-		creds->set_certificate(creds, cert);
+		priv->creds->set_certificate(priv->creds, cert);
 	}
 	if (!cert)
 	{
@@ -279,19 +313,19 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
 	if (auth_class == AUTH_CLASS_EAP)
 	{
 		/* username/password authentication ... */
-		str = nm_setting_vpn_get_data_item(settings, "user");
+		str = nm_setting_vpn_get_data_item(vpn, "user");
 		if (str)
 		{
 			user = identification_create_from_string((char*)str);
-			str = nm_setting_vpn_get_secret(settings, "password");
-			creds->set_username_password(creds, user, (char*)str);
+			str = nm_setting_vpn_get_secret(vpn, "password");
+			priv->creds->set_username_password(priv->creds, user, (char*)str);
 		}
 	}
 	
 	if (auth_class == AUTH_CLASS_PUBKEY)
 	{
 		/* ... or certificate/private key authenitcation */
-		str = nm_setting_vpn_get_data_item(settings, "usercert");
+		str = nm_setting_vpn_get_data_item(vpn, "usercert");
 		if (str)
 		{
 			public_key_t *public;
@@ -308,7 +342,7 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
 				return FALSE;
 			}
 			/* try agent */  
-			str = nm_setting_vpn_get_secret(settings, "agent");
+			str = nm_setting_vpn_get_secret(vpn, "agent");
 			if (agent && str)
 			{
 				public = cert->get_public_key(cert);
@@ -329,14 +363,13 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
 				}
 			}
 			/* ... or key file */  
-			str = nm_setting_vpn_get_data_item(settings, "userkey");
+			str = nm_setting_vpn_get_data_item(vpn, "userkey");
 			if (!agent && str)
 			{
 				chunk_t secret, chunk;
 				bool pgp = FALSE;
 				
-				secret.ptr = (char*)nm_setting_vpn_get_secret(settings,
-																 "password");
+				secret.ptr = (char*)nm_setting_vpn_get_secret(vpn, "password");
 				if (secret.ptr)
 				{
 					secret.len = strlen(secret.ptr);
@@ -358,7 +391,7 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
 			{
 				user = cert->get_subject(cert);
 				user = user->clone(user);
-				creds->set_cert_and_key(creds, cert, private);
+				priv->creds->set_cert_and_key(priv->creds, cert, private);
 			}
 			else
 			{
@@ -382,7 +415,7 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
 	 */
 	ike_cfg = ike_cfg_create(TRUE, encap, "0.0.0.0", (char*)address);
 	ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
-	peer_cfg = peer_cfg_create(CONFIG_NAME, 2, ike_cfg,
+	peer_cfg = peer_cfg_create(priv->name, 2, ike_cfg,
 					CERT_SEND_IF_ASKED, UNIQUE_REPLACE, 1, /* keyingtries */
 					36000, 0, /* rekey 10h, reauth none */
 					600, 600, /* jitter, over 10min */
@@ -398,11 +431,11 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
 	auth->add(auth, AUTH_RULE_IDENTITY, gateway);
 	peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);
 	
-	child_cfg = child_cfg_create(CONFIG_NAME,
+	child_cfg = child_cfg_create(priv->name,
 								 10800, 10200, /* lifetime 3h, rekey 2h50min */
 								 300, /* jitter 5min */
 								 NULL, TRUE, MODE_TUNNEL, /* updown, hostaccess */
-								 ACTION_NONE, ACTION_RESTART, ipcomp);
+								 ACTION_NONE, ACTION_NONE, ipcomp);
 	child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
 	ts = traffic_selector_create_dynamic(0, 0, 65535);
 	child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
@@ -413,7 +446,7 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
 	peer_cfg->add_child_cfg(peer_cfg, child_cfg);
 	
 	/**
-	 * Start to initiate
+	 * Prepare IKE_SA
 	 */
 	ike_sa = charon->ike_sa_manager->checkout_by_config(charon->ike_sa_manager,
 														peer_cfg);
@@ -425,21 +458,27 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
 	{
 		peer_cfg->destroy(peer_cfg);
 	}
+	
+	/**
+	 * Register listener, enable  initiate-failure-detection hooks
+	 */
+	priv->ike_sa = ike_sa;
+	priv->listener.ike_state_change = ike_state_change;
+	priv->listener.child_state_change = child_state_change;
+	charon->bus->add_listener(charon->bus, &priv->listener);
+	
+	/**
+	 * Initiate
+	 */
 	if (ike_sa->initiate(ike_sa, child_cfg, 0, NULL, NULL) != SUCCESS)
 	{
+		charon->bus->remove_listener(charon->bus, &priv->listener);
 		charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, ike_sa);
 		
 		g_set_error(err, NM_VPN_PLUGIN_ERROR, NM_VPN_PLUGIN_ERROR_LAUNCH_FAILED,
 				    "Initiating failed.");
 		return FALSE;
 	}
-	
-	/**
-	 * Register listener
-	 */
-	NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin)->ike_sa = ike_sa;
-	charon->bus->add_listener(charon->bus, 
-							&NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin)->listener);
 	charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
 	return TRUE;
 }
@@ -501,14 +540,16 @@ static gboolean need_secrets(NMVPNPlugin *plugin, NMConnection *connection,
  */
 static gboolean disconnect(NMVPNPlugin *plugin, GError **err)
 {
+	NMStrongswanPluginPrivate *priv = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin);
 	enumerator_t *enumerator;
 	ike_sa_t *ike_sa;
 	u_int id;
 	
+	/* our ike_sa pointer might be invalid, lookup sa */
 	enumerator = charon->controller->create_ike_sa_enumerator(charon->controller);
 	while (enumerator->enumerate(enumerator, &ike_sa))
 	{
-		if (streq(CONFIG_NAME, ike_sa->get_name(ike_sa)))
+		if (priv->ike_sa == ike_sa)
 		{
 			id = ike_sa->get_unique_id(ike_sa);
 			enumerator->destroy(enumerator);
@@ -529,13 +570,13 @@ static gboolean disconnect(NMVPNPlugin *plugin, GError **err)
  */
 static void nm_strongswan_plugin_init(NMStrongswanPlugin *plugin)
 {
-	NMStrongswanPluginPrivate *private;
+	NMStrongswanPluginPrivate *priv;
 	
-	private = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin);
-	private->plugin = NM_VPN_PLUGIN(plugin);
-	memset(&private->listener.log, 0, sizeof(listener_t));
-	private->listener.ike_state_change = ike_state_change;
-	private->listener.child_state_change = child_state_change;
+	priv = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin);
+	priv->plugin = NM_VPN_PLUGIN(plugin);
+	memset(&priv->listener.log, 0, sizeof(listener_t));
+	priv->listener.child_updown = child_updown;
+	priv->listener.ike_rekey = ike_rekey;
 }
 
 /**
@@ -565,8 +606,12 @@ NMStrongswanPlugin *nm_strongswan_plugin_new(nm_creds_t *creds,
 					NULL);
 	if (plugin)
 	{
-		NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin)->creds = creds;
-		NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin)->handler = handler;
+		NMStrongswanPluginPrivate *priv;
+		
+		priv = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin);
+		priv->creds = creds;
+		priv->handler = handler;
+		priv->name = NULL;
 	}
 	return plugin;
 }
diff --git a/src/charon/plugins/resolv_conf/Makefile.am b/src/charon/plugins/resolv_conf/Makefile.am
index 917964f93..be7f862f2 100644
--- a/src/charon/plugins/resolv_conf/Makefile.am
+++ b/src/charon/plugins/resolv_conf/Makefile.am
@@ -8,6 +8,6 @@ plugin_LTLIBRARIES = libstrongswan-resolv-conf.la
 libstrongswan_resolv_conf_la_SOURCES = \
   resolv_conf_plugin.h resolv_conf_plugin.c \
   resolv_conf_handler.h resolv_conf_handler.c 
-libstrongswan_resolv_conf_la_LDFLAGS = -module
+libstrongswan_resolv_conf_la_LDFLAGS = -module -avoid-version
 
 
diff --git a/src/charon/plugins/resolv_conf/Makefile.in b/src/charon/plugins/resolv_conf/Makefile.in
index 91ddae582..19c20467a 100644
--- a/src/charon/plugins/resolv_conf/Makefile.in
+++ b/src/charon/plugins/resolv_conf/Makefile.in
@@ -76,12 +76,14 @@ ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
@@ -146,6 +148,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
 VERSION = @VERSION@
 YACC = @YACC@
@@ -186,7 +189,9 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
@@ -229,7 +234,7 @@ libstrongswan_resolv_conf_la_SOURCES = \
   resolv_conf_plugin.h resolv_conf_plugin.c \
   resolv_conf_handler.h resolv_conf_handler.c 
 
-libstrongswan_resolv_conf_la_LDFLAGS = -module
+libstrongswan_resolv_conf_la_LDFLAGS = -module -avoid-version
 all: all-am
 
 .SUFFIXES:
diff --git a/src/charon/plugins/resolv_conf/resolv_conf_handler.c b/src/charon/plugins/resolv_conf/resolv_conf_handler.c
index 19e3b3275..749cfbc5b 100644
--- a/src/charon/plugins/resolv_conf/resolv_conf_handler.c
+++ b/src/charon/plugins/resolv_conf/resolv_conf_handler.c
@@ -183,7 +183,7 @@ resolv_conf_handler_t *resolv_conf_handler_create()
 	this->public.handler.release = (void(*)(attribute_handler_t*, ike_sa_t*, configuration_attribute_type_t, chunk_t))release;
 	this->public.destroy = (void(*)(resolv_conf_handler_t*))destroy;
 	
-	this->mutex = mutex_create(MUTEX_DEFAULT);
+	this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
 	this->file = lib->settings->get_str(lib->settings,
 								"charon.plugins.resolv-conf.file", RESOLV_CONF);
 	
diff --git a/src/charon/plugins/smp/Makefile.am b/src/charon/plugins/smp/Makefile.am
index 1679f1c68..a434b388b 100644
--- a/src/charon/plugins/smp/Makefile.am
+++ b/src/charon/plugins/smp/Makefile.am
@@ -5,6 +5,6 @@ AM_CFLAGS = -rdynamic -DIPSEC_PIDDIR=\"${piddir}\"
 
 plugin_LTLIBRARIES = libstrongswan-smp.la
 libstrongswan_smp_la_SOURCES = smp.h smp.c
-libstrongswan_smp_la_LDFLAGS = -module
+libstrongswan_smp_la_LDFLAGS = -module -avoid-version
 libstrongswan_smp_la_LIBADD = ${xml_LIBS}
 
diff --git a/src/charon/plugins/smp/Makefile.in b/src/charon/plugins/smp/Makefile.in
index f06321ba7..d23d2d001 100644
--- a/src/charon/plugins/smp/Makefile.in
+++ b/src/charon/plugins/smp/Makefile.in
@@ -74,12 +74,14 @@ ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
@@ -144,6 +146,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
 VERSION = @VERSION@
 YACC = @YACC@
@@ -184,7 +187,9 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
@@ -222,7 +227,7 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon ${xml_CF
 AM_CFLAGS = -rdynamic -DIPSEC_PIDDIR=\"${piddir}\"
 plugin_LTLIBRARIES = libstrongswan-smp.la
 libstrongswan_smp_la_SOURCES = smp.h smp.c
-libstrongswan_smp_la_LDFLAGS = -module
+libstrongswan_smp_la_LDFLAGS = -module -avoid-version
 libstrongswan_smp_la_LIBADD = ${xml_LIBS}
 all: all-am
 
diff --git a/src/charon/plugins/sql/Makefile.am b/src/charon/plugins/sql/Makefile.am
index ea39ce0d5..bf4963f29 100644
--- a/src/charon/plugins/sql/Makefile.am
+++ b/src/charon/plugins/sql/Makefile.am
@@ -10,7 +10,7 @@ plugin_LTLIBRARIES = libstrongswan-sql.la
 libstrongswan_sql_la_SOURCES = sql_plugin.h sql_plugin.c \
   sql_config.h sql_config.c sql_cred.h sql_cred.c \
   sql_attribute.h sql_attribute.c sql_logger.h sql_logger.c
-libstrongswan_sql_la_LDFLAGS = -module
+libstrongswan_sql_la_LDFLAGS = -module -avoid-version
 
 ipsec_PROGRAMS = pool
 pool_SOURCES = pool.c
diff --git a/src/charon/plugins/sql/Makefile.in b/src/charon/plugins/sql/Makefile.in
index 0848ea0dd..f6fd8e4f7 100644
--- a/src/charon/plugins/sql/Makefile.in
+++ b/src/charon/plugins/sql/Makefile.in
@@ -82,12 +82,14 @@ ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
@@ -152,6 +154,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
 VERSION = @VERSION@
 YACC = @YACC@
@@ -192,7 +195,9 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
@@ -237,7 +242,7 @@ libstrongswan_sql_la_SOURCES = sql_plugin.h sql_plugin.c \
   sql_config.h sql_config.c sql_cred.h sql_cred.c \
   sql_attribute.h sql_attribute.c sql_logger.h sql_logger.c
 
-libstrongswan_sql_la_LDFLAGS = -module
+libstrongswan_sql_la_LDFLAGS = -module -avoid-version
 pool_SOURCES = pool.c
 pool_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 all: all-am
diff --git a/src/charon/plugins/sql/pool.c b/src/charon/plugins/sql/pool.c
index 7d393b6f7..ebcc9adc7 100644
--- a/src/charon/plugins/sql/pool.c
+++ b/src/charon/plugins/sql/pool.c
@@ -637,8 +637,19 @@ int main(int argc, char *argv[])
 	} operation = OP_USAGE;
 
 	dbg = dbg_stderr;
-	library_init(STRONGSWAN_CONF);
 	atexit(library_deinit);
+
+	/* initialize library */
+	if (!library_init(STRONGSWAN_CONF))
+	{
+		exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
+	}
+	if (lib->integrity &&
+		!lib->integrity->check_file(lib->integrity, "pool", argv[0]))
+	{
+		fprintf(stderr, "integrity check of pool failed\n");
+		exit(SS_RC_DAEMON_INTEGRITY);
+	}
 	lib->plugins->load(lib->plugins, IPSEC_PLUGINDIR,
 		lib->settings->get_str(lib->settings, "pool.load", PLUGINS));
 	
diff --git a/src/charon/plugins/sql/sql_attribute.c b/src/charon/plugins/sql/sql_attribute.c
index 95d0d30d4..77601e612 100644
--- a/src/charon/plugins/sql/sql_attribute.c
+++ b/src/charon/plugins/sql/sql_attribute.c
@@ -92,25 +92,18 @@ static u_int get_pool(private_sql_attribute_t *this, char *name, u_int *timeout)
 }
 
 /**
- * Lookup a lease
+ * Look up an existing lease
  */
-static host_t *get_address(private_sql_attribute_t *this, char *name,
-						   u_int pool, u_int timeout, u_int identity)
+static host_t* check_lease(private_sql_attribute_t *this, char *name,
+						   u_int pool, u_int identity)
 {
-	enumerator_t *e;
-	u_int id;
-	chunk_t address;
-	host_t *host;
-	time_t now = time(NULL);
-	
-	/* We check for leases for that identity first and for other expired
-	 * leases afterwards. We select an address as a candidate, but double
-	 * check if it is still valid in the update. This allows us to work
-	 * without locking. */
-	
-	/* check for an existing lease for that identity  */
 	while (TRUE)
 	{
+		u_int id;
+		chunk_t address;
+		enumerator_t *e;
+		time_t now = time(NULL);
+
 		e = this->db->query(this->db,
 				"SELECT id, address FROM addresses "
 				"WHERE pool = ? AND identity = ? AND released != 0 LIMIT 1",
@@ -122,11 +115,14 @@ static host_t *get_address(private_sql_attribute_t *this, char *name,
 		}
 		address = chunk_clonea(address);
 		e->destroy(e);
+
 		if (this->db->execute(this->db, NULL,
 				"UPDATE addresses SET acquired = ?, released = 0 "
 				"WHERE id = ? AND identity = ? AND released != 0",
 				DB_UINT, now, DB_UINT, id, DB_UINT, identity) > 0)
 		{
+			host_t *host;
+
 			host = host_create_from_chunk(AF_UNSPEC, address, 0);
 			if (host)
 			{
@@ -136,14 +132,43 @@ static host_t *get_address(private_sql_attribute_t *this, char *name,
 			}
 		}
 	}
-	
-	/* check for an expired lease */
+	return NULL;
+}
+
+/**
+ * We check for unallocated addresses or expired leases. First we select an
+ * address as a candidate, but double check later on if it is still available
+ * during the update operation. This allows us to work without locking.
+ */
+static host_t* get_lease(private_sql_attribute_t *this, char *name,
+						 u_int pool, u_int timeout, u_int identity)
+{
 	while (TRUE)
 	{
-		e = this->db->query(this->db,
+		u_int id;
+		chunk_t address;
+		enumerator_t *e;
+		time_t now = time(NULL);
+		int hits;
+
+		if (timeout)
+		{
+			/* check for an expired lease */
+			e = this->db->query(this->db,
 				"SELECT id, address FROM addresses "
 				"WHERE pool = ? AND released != 0 AND released < ? LIMIT 1",
 				DB_UINT, pool, DB_UINT, now - timeout, DB_UINT, DB_BLOB);
+		}
+		else
+		{
+			/* with static leases, check for an unallocated address */
+			e = this->db->query(this->db,
+				"SELECT id, address FROM addresses "
+				"WHERE pool = ? AND identity = 0 LIMIT 1",
+				DB_UINT, pool, DB_UINT, DB_BLOB);
+
+		}
+
 		if (!e || !e->enumerate(e, &id, &address))
 		{
 			DESTROY_IF(e);
@@ -152,13 +177,27 @@ static host_t *get_address(private_sql_attribute_t *this, char *name,
 		address = chunk_clonea(address);
 		e->destroy(e);
 			
-		if (this->db->execute(this->db, NULL,
-				"UPDATE addresses SET "
-				"acquired = ?, released = 0, identity = ? "
-				"WHERE id = ? AND released != 0 AND released < ?",
-				DB_UINT, now, DB_UINT, identity,
-				DB_UINT, id, DB_UINT, now - timeout) > 0)
+		if (timeout)
+		{
+			hits = this->db->execute(this->db, NULL,
+						"UPDATE addresses SET "
+						"acquired = ?, released = 0, identity = ? "
+						"WHERE id = ? AND released != 0 AND released < ?",
+						DB_UINT, now, DB_UINT, identity,
+						DB_UINT, id, DB_UINT, now - timeout);
+		}
+		else
 		{
+			hits = this->db->execute(this->db, NULL,
+						"UPDATE addresses SET "
+						"acquired = ?, released = 0, identity = ? "
+						"WHERE id = ? AND identity = 0",
+						DB_UINT, now, DB_UINT, identity, DB_UINT, id);
+		}
+		if (hits > 0)
+		{
+			host_t *host;
+
 			host = host_create_from_chunk(AF_UNSPEC, address, 0);
 			if (host)
 			{
@@ -169,37 +208,75 @@ static host_t *get_address(private_sql_attribute_t *this, char *name,
 		}
 	}
 	DBG1(DBG_CFG, "no available address found in pool '%s'", name);
-	return 0;
+	return NULL;
 }
 
 /**
  * Implementation of attribute_provider_t.acquire_address
  */
 static host_t* acquire_address(private_sql_attribute_t *this,
-							   char *name, identification_t *id,
+							   char *names, identification_t *id,
 							   host_t *requested)
 {
-	enumerator_t *enumerator;
-	u_int pool, timeout, identity;
 	host_t *address = NULL;
-	
+	u_int identity, pool, timeout;
+
 	identity = get_identity(this, id);
 	if (identity)
 	{
-		enumerator = enumerator_create_token(name, ",", " ");
-		while (enumerator->enumerate(enumerator, &name))
+		/* check for a single pool first (no concatenation and enumeration) */
+		if (strchr(names, ',') == NULL)
 		{
-			pool = get_pool(this, name, &timeout);
+			pool = get_pool(this, names, &timeout);
 			if (pool)
 			{
-				address = get_address(this, name, pool, timeout, identity);
-				if (address)
+				/* check for an existing lease */
+				address = check_lease(this, names, pool, identity);
+				if (address == NULL)
+				{
+					/* get an unallocated address or expired lease */
+					address = get_lease(this, names, pool, timeout, identity);
+				}
+			}
+		}
+		else
+		{
+			enumerator_t *enumerator;
+			char *name;
+
+			/* in a first step check for an existing lease over all pools */
+			enumerator = enumerator_create_token(names, ",", " ");
+			while (enumerator->enumerate(enumerator, &name))
+			{
+				pool = get_pool(this, name, &timeout);
+				if (pool)
+				{
+					address = check_lease(this, name, pool, identity);
+					if (address)
+					{
+						enumerator->destroy(enumerator);
+						return address;
+					}
+				}
+			}
+			enumerator->destroy(enumerator);
+
+			/* in a second step get an unallocated address or expired lease */
+			enumerator = enumerator_create_token(names, ",", " ");
+			while (enumerator->enumerate(enumerator, &name))
+			{
+				pool = get_pool(this, name, &timeout);
+				if (pool)
 				{
-					break;
+					address = get_lease(this, name, pool, timeout, identity);
+					if (address)
+					{
+						break;
+					}
 				}
 			}
+			enumerator->destroy(enumerator);
 		}
-		enumerator->destroy(enumerator);
 	}
 	return address;
 }
diff --git a/src/charon/plugins/sql/sql_config.c b/src/charon/plugins/sql/sql_config.c
index 3e5efce34..e7dfe573b 100644
--- a/src/charon/plugins/sql/sql_config.c
+++ b/src/charon/plugins/sql/sql_config.c
@@ -295,10 +295,10 @@ static peer_cfg_t *build_peer_cfg(private_sql_config_t *this, enumerator_t *e,
 					mediation, mediated_cfg, peer_id);
 			auth = auth_cfg_create();
 			auth->add(auth, AUTH_RULE_AUTH_CLASS, auth_method);
-			auth->add(auth, AUTH_RULE_IDENTITY, local_id->clone(local_id));
+			auth->add(auth, AUTH_RULE_IDENTITY, local_id);
 			peer_cfg->add_auth_cfg(peer_cfg, auth, TRUE);
 			auth = auth_cfg_create();
-			auth->add(auth, AUTH_RULE_IDENTITY, remote_id->clone(remote_id));
+			auth->add(auth, AUTH_RULE_IDENTITY, remote_id);
 			if (eap_type)
 			{
 				auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_EAP);
diff --git a/src/charon/plugins/stroke/Makefile.am b/src/charon/plugins/stroke/Makefile.am
index fb58ba62b..79a63f2c2 100644
--- a/src/charon/plugins/stroke/Makefile.am
+++ b/src/charon/plugins/stroke/Makefile.am
@@ -18,5 +18,5 @@ libstrongswan_stroke_la_SOURCES = stroke_plugin.h stroke_plugin.c \
   stroke_list.h stroke_list.c \
   stroke_shared_key.h stroke_shared_key.c
 
-libstrongswan_stroke_la_LDFLAGS = -module
+libstrongswan_stroke_la_LDFLAGS = -module -avoid-version
 
diff --git a/src/charon/plugins/stroke/Makefile.in b/src/charon/plugins/stroke/Makefile.in
index f246286a0..19822ebc8 100644
--- a/src/charon/plugins/stroke/Makefile.in
+++ b/src/charon/plugins/stroke/Makefile.in
@@ -76,12 +76,14 @@ ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
@@ -146,6 +148,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
 VERSION = @VERSION@
 YACC = @YACC@
@@ -186,7 +189,9 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
@@ -237,7 +242,7 @@ libstrongswan_stroke_la_SOURCES = stroke_plugin.h stroke_plugin.c \
   stroke_list.h stroke_list.c \
   stroke_shared_key.h stroke_shared_key.c
 
-libstrongswan_stroke_la_LDFLAGS = -module
+libstrongswan_stroke_la_LDFLAGS = -module -avoid-version
 all: all-am
 
 .SUFFIXES:
diff --git a/src/charon/plugins/stroke/stroke_attribute.c b/src/charon/plugins/stroke/stroke_attribute.c
index a7925ce3e..d3211fd67 100644
--- a/src/charon/plugins/stroke/stroke_attribute.c
+++ b/src/charon/plugins/stroke/stroke_attribute.c
@@ -539,7 +539,7 @@ stroke_attribute_t *stroke_attribute_create()
 	this->public.destroy = (void(*)(stroke_attribute_t*))destroy;
 	
 	this->pools = linked_list_create();
-	this->mutex = mutex_create(MUTEX_RECURSIVE);
+	this->mutex = mutex_create(MUTEX_TYPE_RECURSIVE);
 	
 	return &this->public;
 }
diff --git a/src/charon/plugins/stroke/stroke_ca.c b/src/charon/plugins/stroke/stroke_ca.c
index fab06e6c5..c354d8cb8 100644
--- a/src/charon/plugins/stroke/stroke_ca.c
+++ b/src/charon/plugins/stroke/stroke_ca.c
@@ -447,7 +447,7 @@ stroke_ca_t *stroke_ca_create(stroke_cred_t *cred)
 	this->public.destroy = (void(*)(stroke_ca_t*))destroy;
 	
 	this->sections = linked_list_create();
-	this->lock = rwlock_create(RWLOCK_DEFAULT);
+	this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
 	this->cred = cred;
 	
 	return &this->public;
diff --git a/src/charon/plugins/stroke/stroke_config.c b/src/charon/plugins/stroke/stroke_config.c
index 028e71e71..0b6a4ac31 100644
--- a/src/charon/plugins/stroke/stroke_config.c
+++ b/src/charon/plugins/stroke/stroke_config.c
@@ -924,7 +924,7 @@ stroke_config_t *stroke_config_create(stroke_ca_t *ca, stroke_cred_t *cred)
 	this->public.destroy = (void(*)(stroke_config_t*))destroy;
 	
 	this->list = linked_list_create();
-	this->mutex = mutex_create(MUTEX_RECURSIVE);
+	this->mutex = mutex_create(MUTEX_TYPE_RECURSIVE);
 	this->ca = ca;
 	this->cred = cred;
 	
diff --git a/src/charon/plugins/stroke/stroke_cred.c b/src/charon/plugins/stroke/stroke_cred.c
index dc73299b8..31bcfe9f4 100644
--- a/src/charon/plugins/stroke/stroke_cred.c
+++ b/src/charon/plugins/stroke/stroke_cred.c
@@ -16,6 +16,8 @@
 
 #include <sys/stat.h>
 #include <limits.h>
+#include <glob.h>
+#include <libgen.h>
 
 #include "stroke_cred.h"
 #include "stroke_shared_key.h"
@@ -41,6 +43,8 @@
 #define CRL_DIR IPSEC_D_DIR "/crls"
 #define SECRETS_FILE CONFIG_DIR "/ipsec.secrets"
 
+#define MAX_SECRETS_RECURSION 10
+
 typedef struct private_stroke_cred_t private_stroke_cred_t;
 
 /**
@@ -691,7 +695,7 @@ static err_t extract_secret(chunk_t *secret, chunk_t *line)
 /**
  * reload ipsec.secrets
  */
-static void load_secrets(private_stroke_cred_t *this)
+static void load_secrets(private_stroke_cred_t *this, char *file, int level)
 {
 	size_t bytes;
 	int line_nr = 0;
@@ -700,9 +704,9 @@ static void load_secrets(private_stroke_cred_t *this)
 	private_key_t *private;
 	shared_key_t *shared;
 
-	DBG1(DBG_CFG, "loading secrets from '%s'", SECRETS_FILE);
+	DBG1(DBG_CFG, "loading secrets from '%s'", file);
 
-	fd = fopen(SECRETS_FILE, "r");
+	fd = fopen(file, "r");
 	if (fd == NULL)
 	{
 		DBG1(DBG_CFG, "opening secrets file '%s' failed");
@@ -719,15 +723,19 @@ static void load_secrets(private_stroke_cred_t *this)
 	src = chunk;
 
 	this->lock->write_lock(this->lock);
-	while (this->shared->remove_last(this->shared,
-		 								   (void**)&shared) == SUCCESS)
-	{
-		shared->destroy(shared);
-	}
-	while (this->private->remove_last(this->private,
-		 								    (void**)&private) == SUCCESS)
+	if (level == 0)
 	{
-		private->destroy(private);
+		/* flush secrets on non-recursive invocation */
+		while (this->shared->remove_last(this->shared,
+										 (void**)&shared) == SUCCESS)
+		{
+			shared->destroy(shared);
+		}
+		while (this->private->remove_last(this->private,
+										  (void**)&private) == SUCCESS)
+		{
+			private->destroy(private);
+		}
 	}
 	
 	while (fetchline(&src, &line))
@@ -741,6 +749,66 @@ static void load_secrets(private_stroke_cred_t *this)
 		{
 			continue;
 		}
+		if (line.len > strlen("include ") &&
+			strneq(line.ptr, "include ", strlen("include ")))
+		{
+			glob_t buf;
+			char **expanded, *dir, pattern[PATH_MAX];
+			u_char *pos;
+			
+			if (level > MAX_SECRETS_RECURSION)
+			{
+				DBG1(DBG_CFG, "maximum level of %d includes reached, ignored",
+					 MAX_SECRETS_RECURSION);
+				continue;
+			}
+			/* terminate filename by space */
+			line = chunk_skip(line, strlen("include "));
+			pos = memchr(line.ptr, ' ', line.len);
+			if (pos)
+			{
+				line.len = pos - line.ptr;
+			}
+			if (line.len && line.ptr[0] == '/')
+			{
+				if (line.len + 1 > sizeof(pattern))
+				{
+					DBG1(DBG_CFG, "include pattern too long, ignored");
+					continue;
+				}
+				snprintf(pattern, sizeof(pattern), "%.*s", line.len, line.ptr);
+			}
+			else
+			{	/* use directory of current file if relative */
+				dir = strdup(file);
+				dir = dirname(dir);
+				
+				if (line.len + 1 + strlen(dir) + 1 > sizeof(pattern))
+				{
+					DBG1(DBG_CFG, "include pattern too long, ignored");
+					free(dir);
+					continue;
+				}
+				snprintf(pattern, sizeof(pattern), "%s/%.*s",
+						 dir, line.len, line.ptr);
+				free(dir);
+			}
+			if (glob(pattern, GLOB_ERR, NULL, &buf) != 0)
+			{
+				DBG1(DBG_CFG, "expanding file expression '%s' failed", pattern);
+				globfree(&buf);
+			}
+			else
+			{
+				for (expanded = buf.gl_pathv; *expanded != NULL; expanded++)
+				{
+					load_secrets(this, *expanded, level + 1);
+				}
+			}
+			globfree(&buf);
+			continue;
+		}
+		
 		if (line.len > 2 && strneq(": ", line.ptr, 2))
 		{
 			/* no ids, skip the ':' */
@@ -989,7 +1057,7 @@ static void reread(private_stroke_cred_t *this, stroke_msg_t *msg)
 	if (msg->reread.flags & REREAD_SECRETS)
 	{
 		DBG1(DBG_CFG, "rereading secrets");
-		load_secrets(this);
+		load_secrets(this, SECRETS_FILE, 0);
 	}
 	if (msg->reread.flags & REREAD_CACERTS)
 	{
@@ -1057,10 +1125,10 @@ stroke_cred_t *stroke_cred_create()
 	this->certs = linked_list_create();
 	this->shared = linked_list_create();
 	this->private = linked_list_create();
-	this->lock = rwlock_create(RWLOCK_DEFAULT);
+	this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
 
 	load_certs(this);
-	load_secrets(this);
+	load_secrets(this, SECRETS_FILE, 0);
 	
 	this->cachecrl = FALSE;
 	
diff --git a/src/charon/plugins/stroke/stroke_list.c b/src/charon/plugins/stroke/stroke_list.c
index 564a511a1..6f421bd30 100644
--- a/src/charon/plugins/stroke/stroke_list.c
+++ b/src/charon/plugins/stroke/stroke_list.c
@@ -146,8 +146,8 @@ static void log_ike_sa(FILE *out, ike_sa_t *ike_sa, bool all)
  */
 static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all)
 {
-	u_int32_t rekey, now = time(NULL);
-	u_int32_t use_in, use_out;
+	time_t use_in, use_out, rekey, now = time(NULL);
+	u_int64_t bytes_in, bytes_out;
 	proposal_t *proposal;
 	child_cfg_t *config = child_sa->get_config(child_sa);
 	
@@ -205,6 +205,20 @@ static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all)
 					}
 				}
 			}
+
+			child_sa->get_usestats(child_sa, TRUE, &use_in, &bytes_in);
+			fprintf(out, ", %llu bytes_i", bytes_in);
+			if (use_in)
+			{
+				fprintf(out, " (%ds ago)", now - use_in);
+			}
+
+			child_sa->get_usestats(child_sa, FALSE, &use_out, &bytes_out);
+			fprintf(out, ", %llu bytes_o", bytes_out);
+			if (use_out)
+			{
+				fprintf(out, " (%ds ago)", now - use_out);
+			}
 			fprintf(out, ", rekeying ");
 			
 			rekey = child_sa->get_lifetime(child_sa, FALSE);
@@ -224,25 +238,6 @@ static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all)
 				fprintf(out, "disabled");
 			}
 			
-			fprintf(out, ", last use: ");
-			use_in = child_sa->get_usetime(child_sa, TRUE);
-			if (use_in)
-			{
-				fprintf(out, "%ds_i ", now - use_in);
-			}
-			else
-			{
-				fprintf(out, "no_i ");
-			}
-			use_out = child_sa->get_usetime(child_sa, FALSE);
-			if (use_out)
-			{
-				fprintf(out, "%ds_o ", now - use_out);
-			}
-			else
-			{
-				fprintf(out, "no_o ");
-			}
 		}
 	}
 	
diff --git a/src/charon/plugins/stroke/stroke_socket.c b/src/charon/plugins/stroke/stroke_socket.c
index f61171e22..9b6a8a3a7 100644
--- a/src/charon/plugins/stroke/stroke_socket.c
+++ b/src/charon/plugins/stroke/stroke_socket.c
@@ -27,6 +27,7 @@
 
 #include <processing/jobs/callback_job.h>
 #include <daemon.h>
+#include <utils/mutex.h> /* for Mac OS X compatible accept */
 
 #include "stroke_config.h"
 #include "stroke_control.h"
diff --git a/src/charon/plugins/uci/Makefile.am b/src/charon/plugins/uci/Makefile.am
index 0136bf5e9..9fdbfb709 100644
--- a/src/charon/plugins/uci/Makefile.am
+++ b/src/charon/plugins/uci/Makefile.am
@@ -8,7 +8,7 @@ libstrongswan_uci_la_SOURCES = \
   uci_plugin.h uci_plugin.c uci_parser.h uci_parser.c \
   uci_config.h uci_config.c uci_creds.h uci_creds.c \
   uci_control.h uci_control.c
-libstrongswan_uci_la_LDFLAGS = -module
+libstrongswan_uci_la_LDFLAGS = -module -avoid-version
 libstrongswan_uci_la_LIBADD = -luci
 
 
diff --git a/src/charon/plugins/uci/Makefile.in b/src/charon/plugins/uci/Makefile.in
index e599135cb..c4fb335d7 100644
--- a/src/charon/plugins/uci/Makefile.in
+++ b/src/charon/plugins/uci/Makefile.in
@@ -74,12 +74,14 @@ ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
@@ -144,6 +146,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
 VERSION = @VERSION@
 YACC = @YACC@
@@ -184,7 +187,9 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
@@ -226,7 +231,7 @@ libstrongswan_uci_la_SOURCES = \
   uci_config.h uci_config.c uci_creds.h uci_creds.c \
   uci_control.h uci_control.c
 
-libstrongswan_uci_la_LDFLAGS = -module
+libstrongswan_uci_la_LDFLAGS = -module -avoid-version
 libstrongswan_uci_la_LIBADD = -luci
 all: all-am
 
diff --git a/src/charon/plugins/unit_tester/Makefile.am b/src/charon/plugins/unit_tester/Makefile.am
index 50c5e0362..64846f995 100644
--- a/src/charon/plugins/unit_tester/Makefile.am
+++ b/src/charon/plugins/unit_tester/Makefile.am
@@ -20,5 +20,5 @@ libstrongswan_unit_tester_la_SOURCES = unit_tester.c unit_tester.h tests.h \
   tests/test_agent.c \
   tests/test_id.c
 
-libstrongswan_unit_tester_la_LDFLAGS = -module
+libstrongswan_unit_tester_la_LDFLAGS = -module -avoid-version
 
diff --git a/src/charon/plugins/unit_tester/Makefile.in b/src/charon/plugins/unit_tester/Makefile.in
index 2ee5e48d8..0bf0cf301 100644
--- a/src/charon/plugins/unit_tester/Makefile.in
+++ b/src/charon/plugins/unit_tester/Makefile.in
@@ -79,12 +79,14 @@ ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
@@ -149,6 +151,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
 VERSION = @VERSION@
 YACC = @YACC@
@@ -189,7 +192,9 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
@@ -241,7 +246,7 @@ libstrongswan_unit_tester_la_SOURCES = unit_tester.c unit_tester.h tests.h \
   tests/test_agent.c \
   tests/test_id.c
 
-libstrongswan_unit_tester_la_LDFLAGS = -module
+libstrongswan_unit_tester_la_LDFLAGS = -module -avoid-version
 all: all-am
 
 .SUFFIXES:
diff --git a/src/charon/plugins/unit_tester/tests.h b/src/charon/plugins/unit_tester/tests.h
index dcf2a5d18..b99940c1a 100644
--- a/src/charon/plugins/unit_tester/tests.h
+++ b/src/charon/plugins/unit_tester/tests.h
@@ -36,5 +36,8 @@ DEFINE_TEST("Base64 converter", test_chunk_base64, FALSE)
 DEFINE_TEST("IP pool", test_pool, FALSE)
 DEFINE_TEST("SSH agent", test_agent, FALSE)
 DEFINE_TEST("ID parts", test_id_parts, FALSE)
+DEFINE_TEST("ID wildcards", test_id_wildcards, FALSE)
+DEFINE_TEST("ID equals", test_id_equals, FALSE)
+DEFINE_TEST("ID matches", test_id_matches, FALSE)
 
 /** @}*/
diff --git a/src/charon/plugins/unit_tester/tests/test_id.c b/src/charon/plugins/unit_tester/tests/test_id.c
index 56dab2421..a1ef76be8 100644
--- a/src/charon/plugins/unit_tester/tests/test_id.c
+++ b/src/charon/plugins/unit_tester/tests/test_id.c
@@ -67,3 +67,183 @@ bool test_id_parts()
 	return TRUE;
 }
 
+/*******************************************************************************
+ * identification contains_wildcards() test
+ ******************************************************************************/
+
+static bool test_id_wildcards_has(char *string)
+{
+	identification_t *id;
+	bool contains;
+	
+	id = identification_create_from_string(string);
+	contains = id->contains_wildcards(id);
+	id->destroy(id);
+	return contains;
+}
+
+bool test_id_wildcards()
+{
+	if (!test_id_wildcards_has("C=*, O=strongSwan, CN=gw"))
+	{
+		return FALSE;
+	}
+	if (!test_id_wildcards_has("C=CH, O=strongSwan, CN=*"))
+	{
+		return FALSE;
+	}
+	if (test_id_wildcards_has("C=**, O=a*, CN=*a"))
+	{
+		return FALSE;
+	}
+	if (!test_id_wildcards_has("*@strongswan.org"))
+	{
+		return FALSE;
+	}
+	if (!test_id_wildcards_has("*.strongswan.org"))
+	{
+		return FALSE;
+	}
+	return TRUE;
+}
+
+/*******************************************************************************
+ * identification equals test
+ ******************************************************************************/
+
+static bool test_id_equals_one(identification_t *a, char *b_str)
+{
+	identification_t *b;
+	bool equals;
+	
+	b = identification_create_from_string(b_str);
+	equals = a->equals(a, b);
+	b->destroy(b);
+	return equals;
+}
+
+bool test_id_equals()
+{
+	identification_t *a;
+	chunk_t encoding, fuzzed;
+	int i;
+	
+	a = identification_create_from_string(
+							   "C=CH, E=martin@strongswan.org, CN=martin");
+	
+	if (!test_id_equals_one(a, "C=CH, E=martin@strongswan.org, CN=martin"))
+	{
+		return FALSE;
+	}
+	if (!test_id_equals_one(a, "C=ch, E=martin@STRONGSWAN.ORG, CN=Martin"))
+	{
+		return FALSE;
+	}
+	if (test_id_equals_one(a, "C=CN, E=martin@strongswan.org, CN=martin"))
+	{
+		return FALSE;
+	}
+	if (test_id_equals_one(a, "E=martin@strongswan.org, C=CH, CN=martin"))
+	{
+		return FALSE;
+	}
+	if (test_id_equals_one(a, "E=martin@strongswan.org, C=CH, CN=martin"))
+	{
+		return FALSE;
+	}
+	encoding = chunk_clone(a->get_encoding(a));
+	a->destroy(a);
+	
+	/* simple fuzzing, increment each byte of encoding */
+	for (i = 0; i < encoding.len; i++)
+	{
+		if (i == 11 || i == 30 || i == 62)
+		{	/* skip ASN.1 type fields, as equals() handles them graceful */
+			continue;
+		}
+		fuzzed = chunk_clone(encoding);
+		fuzzed.ptr[i]++;
+		a = identification_create_from_encoding(ID_DER_ASN1_DN, fuzzed);
+		if (test_id_equals_one(a, "C=CH, E=martin@strongswan.org, CN=martin"))
+		{
+			return FALSE;
+		}
+		a->destroy(a);
+		free(fuzzed.ptr);
+	}
+	
+	/* and decrement each byte of encoding */
+	for (i = 0; i < encoding.len; i++)
+	{
+		if (i == 11 || i == 30 || i == 62)
+		{
+			continue;
+		}
+		fuzzed = chunk_clone(encoding);
+		fuzzed.ptr[i]--;
+		a = identification_create_from_encoding(ID_DER_ASN1_DN, fuzzed);
+		if (test_id_equals_one(a, "C=CH, E=martin@strongswan.org, CN=martin"))
+		{
+			return FALSE;
+		}
+		a->destroy(a);
+		free(fuzzed.ptr);
+	}
+	free(encoding.ptr);
+	return TRUE;
+}
+
+/*******************************************************************************
+ * identification matches test
+ ******************************************************************************/
+
+static id_match_t test_id_matches_one(identification_t *a, char *b_str)
+{
+	identification_t *b;
+	id_match_t match;
+	
+	b = identification_create_from_string(b_str);
+	match = a->matches(a, b);
+	b->destroy(b);
+	return match;
+}
+
+bool test_id_matches()
+{
+	identification_t *a;
+	
+	a = identification_create_from_string(
+							   "C=CH, E=martin@strongswan.org, CN=martin");
+	
+	if (test_id_matches_one(a, "C=CH, E=martin@strongswan.org, CN=martin")
+															!= ID_MATCH_PERFECT)
+	{
+		return FALSE;
+	}
+	if (test_id_matches_one(a, "C=CH, E=*, CN=martin") != ID_MATCH_ONE_WILDCARD)
+	{
+		return FALSE;
+	}
+	if (test_id_matches_one(a, "C=CH, E=*, CN=*") != ID_MATCH_ONE_WILDCARD - 1)
+	{
+		return FALSE;
+	}
+	if (test_id_matches_one(a, "C=*, E=*, CN=*") != ID_MATCH_ONE_WILDCARD - 2)
+	{
+		return FALSE;
+	}
+	if (test_id_matches_one(a, "C=*, E=*, CN=*, O=BADInc") != ID_MATCH_NONE)
+	{
+		return FALSE;
+	}
+	if (test_id_matches_one(a, "C=*, E=*") != ID_MATCH_NONE)
+	{
+		return FALSE;
+	}
+	if (test_id_matches_one(a, "C=*, E=a@b.c, CN=*") != ID_MATCH_NONE)
+	{
+		return FALSE;
+	}
+	a->destroy(a);
+	return TRUE;
+}
diff --git a/src/charon/plugins/unit_tester/tests/test_mutex.c b/src/charon/plugins/unit_tester/tests/test_mutex.c
index a305d5082..cb315276b 100644
--- a/src/charon/plugins/unit_tester/tests/test_mutex.c
+++ b/src/charon/plugins/unit_tester/tests/test_mutex.c
@@ -65,7 +65,7 @@ bool test_mutex()
 	int i;
 	pthread_t threads[THREADS];
 	
-	mutex = mutex_create(MUTEX_RECURSIVE);
+	mutex = mutex_create(MUTEX_TYPE_RECURSIVE);
 	
 	for (i = 0; i < 10; i++)
 	{
diff --git a/src/charon/plugins/updown/Makefile.am b/src/charon/plugins/updown/Makefile.am
index de60d9fbf..fe6e0bb52 100644
--- a/src/charon/plugins/updown/Makefile.am
+++ b/src/charon/plugins/updown/Makefile.am
@@ -7,6 +7,6 @@ plugin_LTLIBRARIES = libstrongswan-updown.la
 libstrongswan_updown_la_SOURCES = \
   updown_plugin.h updown_plugin.c \
   updown_listener.h updown_listener.c 
-libstrongswan_updown_la_LDFLAGS = -module
+libstrongswan_updown_la_LDFLAGS = -module -avoid-version
 
 
diff --git a/src/charon/plugins/updown/Makefile.in b/src/charon/plugins/updown/Makefile.in
index d0aac79f9..b1b6fb497 100644
--- a/src/charon/plugins/updown/Makefile.in
+++ b/src/charon/plugins/updown/Makefile.in
@@ -75,12 +75,14 @@ ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
@@ -145,6 +147,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
 VERSION = @VERSION@
 YACC = @YACC@
@@ -185,7 +188,9 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
@@ -226,7 +231,7 @@ libstrongswan_updown_la_SOURCES = \
   updown_plugin.h updown_plugin.c \
   updown_listener.h updown_listener.c 
 
-libstrongswan_updown_la_LDFLAGS = -module
+libstrongswan_updown_la_LDFLAGS = -module -avoid-version
 all: all-am
 
 .SUFFIXES:
diff --git a/src/charon/processing/jobs/callback_job.c b/src/charon/processing/jobs/callback_job.c
index 82b4643eb..f4beb5abd 100644
--- a/src/charon/processing/jobs/callback_job.c
+++ b/src/charon/processing/jobs/callback_job.c
@@ -182,7 +182,7 @@ callback_job_t *callback_job_create(callback_job_cb_t cb, void *data,
 	this->public.cancel = (void(*)(callback_job_t*))cancel;
 
 	/* private variables */
-	this->mutex = mutex_create(MUTEX_DEFAULT);
+	this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
 	this->callback = cb;
 	this->data = data;
 	this->cleanup = cleanup;
diff --git a/src/charon/processing/processor.c b/src/charon/processing/processor.c
index eb1db331b..4a3943323 100644
--- a/src/charon/processing/processor.c
+++ b/src/charon/processing/processor.c
@@ -240,9 +240,9 @@ processor_t *processor_create(size_t pool_size)
 	this->public.destroy = (void(*)(processor_t*))destroy;
 	
 	this->list = linked_list_create();
-	this->mutex = mutex_create(MUTEX_DEFAULT);
-	this->job_added = condvar_create(CONDVAR_DEFAULT);
-	this->thread_terminated = condvar_create(CONDVAR_DEFAULT);
+	this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
+	this->job_added = condvar_create(CONDVAR_TYPE_DEFAULT);
+	this->thread_terminated = condvar_create(CONDVAR_TYPE_DEFAULT);
 	this->total_threads = 0;
 	this->desired_threads = 0;
 	this->idle_threads = 0;
diff --git a/src/charon/processing/scheduler.c b/src/charon/processing/scheduler.c
index b3633f263..1f59205af 100644
--- a/src/charon/processing/scheduler.c
+++ b/src/charon/processing/scheduler.c
@@ -347,8 +347,8 @@ scheduler_t * scheduler_create()
 	this->heap_size = HEAP_SIZE_DEFAULT;
 	this->heap = (event_t**)calloc(this->heap_size + 1, sizeof(event_t*));
 	
-	this->mutex = mutex_create(MUTEX_DEFAULT);
-	this->condvar = condvar_create(CONDVAR_DEFAULT);
+	this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
+	this->condvar = condvar_create(CONDVAR_TYPE_DEFAULT);
 	
 	this->job = callback_job_create((callback_job_cb_t)schedule, this, NULL, NULL);
 	charon->processor->queue_job(charon->processor, (job_t*)this->job);
diff --git a/src/charon/sa/authenticators/eap/eap_manager.c b/src/charon/sa/authenticators/eap/eap_manager.c
index b8316036e..24a4fd6ed 100644
--- a/src/charon/sa/authenticators/eap/eap_manager.c
+++ b/src/charon/sa/authenticators/eap/eap_manager.c
@@ -163,7 +163,7 @@ eap_manager_t *eap_manager_create()
 	this->public.destroy = (void(*)(eap_manager_t*))destroy;
 	
 	this->methods = linked_list_create();
-	this->lock = rwlock_create(RWLOCK_DEFAULT);
+	this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
 	
 	return &this->public;
 }
diff --git a/src/charon/sa/child_sa.c b/src/charon/sa/child_sa.c
index 9202e972e..14d174ab5 100644
--- a/src/charon/sa/child_sa.c
+++ b/src/charon/sa/child_sa.c
@@ -136,6 +136,26 @@ struct private_child_sa_t {
 	 * config used to create this child
 	 */
 	child_cfg_t *config;
+
+	/**
+	 * time of last use in seconds (inbound)
+	 */
+	u_int32_t my_usetime;
+
+	/**
+	 * time of last use in seconds (outbound)
+	 */
+	u_int32_t other_usetime;
+
+	/**
+	 * last number of inbound bytes
+	 */
+	u_int64_t my_usebytes;
+
+	/**
+	 * last number of outbound bytes
+	 */
+	u_int64_t other_usebytes;
 };
 
 /**
@@ -355,20 +375,72 @@ static enumerator_t* create_policy_enumerator(private_child_sa_t *this)
 }
 
 /**
- * Implementation of child_sa_t.get_usetime
+ * update the cached usebytes
+ * returns SUCCESS if the usebytes have changed, FAILED if not or no SPIs
+ * are available, and NOT_SUPPORTED if the kernel interface does not support
+ * querying the usebytes.
+ */
+static status_t update_usebytes(private_child_sa_t *this, bool inbound)
+{
+	status_t status = FAILED;
+	u_int64_t bytes;
+	
+	if (inbound)
+	{
+		if (this->my_spi)
+		{
+			status = charon->kernel_interface->query_sa(
+									charon->kernel_interface,
+									this->other_addr, this->my_addr,
+									this->my_spi, this->protocol, &bytes);
+			if (status == SUCCESS)
+			{
+				if (bytes > this->my_usebytes)
+				{
+					this->my_usebytes = bytes;
+					return SUCCESS;
+				}
+				return FAILED;
+			}
+		}
+	}
+	else
+	{
+		if (this->other_spi)
+		{
+			status = charon->kernel_interface->query_sa(
+									charon->kernel_interface,
+									this->my_addr, this->other_addr,
+									this->other_spi, this->protocol, &bytes);
+			if (status == SUCCESS)
+			{
+				if (bytes > this->other_usebytes)
+				{
+					this->other_usebytes = bytes;
+					return SUCCESS;
+				}
+				return FAILED;
+			}
+		}
+	}
+	return status;
+}
+
+/**
+ * updates the cached usetime
  */
-static u_int32_t get_usetime(private_child_sa_t *this, bool inbound)
+static void update_usetime(private_child_sa_t *this, bool inbound)
 {
 	enumerator_t *enumerator;
 	traffic_selector_t *my_ts, *other_ts;
 	u_int32_t last_use = 0;
-
+	
 	enumerator = create_policy_enumerator(this);
 	while (enumerator->enumerate(enumerator, &my_ts, &other_ts))
 	{
 		u_int32_t in, out, fwd;
 		
-		if (inbound) 
+		if (inbound)
 		{
 			if (charon->kernel_interface->query_policy(charon->kernel_interface,
 								other_ts, my_ts, POLICY_IN, &in) == SUCCESS)
@@ -394,7 +466,42 @@ static u_int32_t get_usetime(private_child_sa_t *this, bool inbound)
 		}
 	}
 	enumerator->destroy(enumerator);
-	return last_use;
+
+	if (last_use == 0)
+	{
+		return;
+	}
+	if (inbound)
+	{
+		this->my_usetime = last_use;
+	}
+	else
+	{
+		this->other_usetime = last_use;
+	}
+}
+
+/**
+ * Implementation of child_sa_t.get_usestats
+ */
+static void get_usestats(private_child_sa_t *this, bool inbound,
+						 time_t *time, u_int64_t *bytes)
+{
+	if (update_usebytes(this, inbound) != FAILED)
+	{
+		/* there was traffic since last update or the kernel interface
+		 * does not support querying the number of usebytes.
+		 */
+		update_usetime(this, inbound);
+	}
+	if (time)
+	{
+		*time = inbound ? this->my_usetime : this->other_usetime;
+	}
+	if (bytes)
+	{
+		*bytes = inbound ? this->my_usebytes : this->other_usebytes;
+	}
 }
 
 /**
@@ -566,13 +673,13 @@ static status_t add_policies(private_child_sa_t *this,
  * Implementation of child_sa_t.update.
  */
 static status_t update(private_child_sa_t *this,  host_t *me, host_t *other,
-					   host_t *vip, bool encap) 
+					   host_t *vip, bool encap)
 {
 	child_sa_state_t old;
 	bool transport_proxy_mode;
 	
 	/* anything changed at all? */
-	if (me->equals(me, this->my_addr) && 
+	if (me->equals(me, this->my_addr) &&
 		other->equals(other, this->other_addr) && this->encap == encap)
 	{
 		return SUCCESS;
@@ -661,7 +768,7 @@ static status_t update(private_child_sa_t *this,  host_t *me, host_t *other,
 						me, other, my_ts, other_ts, POLICY_OUT, this->other_spi,
 						this->protocol, this->reqid, this->mode, this->ipcomp,
 						this->other_cpi, FALSE);
-				charon->kernel_interface->add_policy(charon->kernel_interface, 
+				charon->kernel_interface->add_policy(charon->kernel_interface,
 						other, me, other_ts, my_ts, POLICY_IN, this->my_spi,
 						this->protocol, this->reqid, this->mode, this->ipcomp,
 						this->my_cpi, FALSE);
@@ -775,7 +882,7 @@ child_sa_t * child_sa_create(host_t *me, host_t* other,
 	this->public.get_proposal = (proposal_t*(*)(child_sa_t*))get_proposal;
 	this->public.set_proposal = (void(*)(child_sa_t*, proposal_t *proposal))set_proposal;
 	this->public.get_lifetime = (u_int32_t(*)(child_sa_t*, bool))get_lifetime;
-	this->public.get_usetime = (u_int32_t(*)(child_sa_t*, bool))get_usetime;
+	this->public.get_usestats = (void(*)(child_sa_t*,bool,time_t*,u_int64_t*))get_usestats;
 	this->public.has_encap = (bool(*)(child_sa_t*))has_encap;
 	this->public.get_ipcomp = (ipcomp_transform_t(*)(child_sa_t*))get_ipcomp;
 	this->public.set_ipcomp = (void(*)(child_sa_t*,ipcomp_transform_t))set_ipcomp;
@@ -798,6 +905,10 @@ child_sa_t * child_sa_create(host_t *me, host_t* other,
 	this->encap = encap;
 	this->ipcomp = IPCOMP_NONE;
 	this->state = CHILD_CREATED;
+	this->my_usetime = 0;
+	this->other_usetime = 0;
+	this->my_usebytes = 0;
+	this->other_usebytes = 0;
 	/* reuse old reqid if we are rekeying an existing CHILD_SA */
 	this->reqid = rekey ? rekey : ++reqid;
 	this->my_ts = linked_list_create();
@@ -810,7 +921,7 @@ child_sa_t * child_sa_create(host_t *me, host_t* other,
 	this->config = config;
 	config->get_ref(config);
 	
-	/* MIPv6 proxy transport mode sets SA endpoints to TS hosts */	
+	/* MIPv6 proxy transport mode sets SA endpoints to TS hosts */
 	if (config->get_mode(config) == MODE_TRANSPORT &&
 	    config->use_proxy_mode(config))
 	{
@@ -837,7 +948,7 @@ child_sa_t * child_sa_create(host_t *me, host_t* other,
 				host = host_create_from_chunk(family, addr, 0);
 				free(addr.ptr);
 				DBG1(DBG_CHD, "my address: %H is a transport mode proxy for %H",
-							   this->my_addr, host); 
+							   this->my_addr, host);
 				this->my_addr->destroy(this->my_addr);
 				this->my_addr = host;
 			}
@@ -858,7 +969,7 @@ child_sa_t * child_sa_create(host_t *me, host_t* other,
 				host = host_create_from_chunk(family, addr, 0);
 				free(addr.ptr);
 				DBG1(DBG_CHD, "other address: %H is a transport mode proxy for %H",
-							   this->other_addr, host); 
+							   this->other_addr, host);
 				this->other_addr->destroy(this->other_addr);
 				this->other_addr = host;
 			}
diff --git a/src/charon/sa/child_sa.h b/src/charon/sa/child_sa.h
index ec9b36dab..698da8bc7 100644
--- a/src/charon/sa/child_sa.h
+++ b/src/charon/sa/child_sa.h
@@ -85,11 +85,11 @@ extern enum_name_t *child_sa_state_names;
 
 /**
  * Represents an IPsec SAs between two hosts.
- * 
+ *
  * A child_sa_t contains two SAs. SAs for both
  * directions are managed in one child_sa_t object. Both
  * SAs and the policies have the same reqid.
- * 
+ *
  * The procedure for child sa setup is as follows:
  * - A gets SPIs for a all protocols in its proposals via child_sa_t.alloc
  * - A send the proposals with the allocated SPIs to B
@@ -98,7 +98,7 @@ extern enum_name_t *child_sa_state_names;
  * - B calls child_sa_t.install for both, the allocated and received SPI
  * - B sends the proposal with the allocated SPI to A
  * - A calls child_sa_t.install for both, the allocated and recevied SPI
- * 
+ *
  * Once SAs are set up, policies can be added using add_policies.
  */
 struct child_sa_t {
@@ -112,7 +112,7 @@ struct child_sa_t {
 	
 	/**
 	 * Get the reqid of the CHILD SA.
-	 * 
+	 *
 	 * Every CHILD_SA has a reqid. The kernel uses this ID to
 	 * identify it.
 	 *
@@ -131,19 +131,19 @@ struct child_sa_t {
 	 * Get the state of the CHILD_SA.
 	 *
 	 * @return 			CHILD_SA state
-	 */	
+	 */
 	child_sa_state_t (*get_state) (child_sa_t *this);
 	
 	/**
 	 * Set the state of the CHILD_SA.
 	 *
 	 * @param state		state to set on CHILD_SA
-	 */	
+	 */
 	void (*set_state) (child_sa_t *this, child_sa_state_t state);
 	
 	/**
 	 * Get the SPI of this CHILD_SA.
-	 * 
+	 *
 	 * Set the boolean parameter inbound to TRUE to
 	 * get the SPI for which we receive packets, use
 	 * FALSE to get those we use for sending packets.
@@ -155,7 +155,7 @@ struct child_sa_t {
 	
 	/**
 	 * Get the CPI of this CHILD_SA.
-	 * 
+	 *
 	 * Set the boolean parameter inbound to TRUE to
 	 * get the CPI for which we receive packets, use
 	 * FALSE to get those we use for sending packets.
@@ -202,7 +202,7 @@ struct child_sa_t {
 	
 	/**
 	 * Set the IPComp algorithm to use.
-	 * 
+	 *
 	 * @param ipcomp	the IPComp transform to use
 	 */
 	void (*set_ipcomp)(child_sa_t *this, ipcomp_transform_t ipcomp);
@@ -219,7 +219,7 @@ struct child_sa_t {
 	 *
 	 * @param proposal	selected proposal
 	 */
-	void (*set_proposal)(child_sa_t *this, proposal_t *proposal);	
+	void (*set_proposal)(child_sa_t *this, proposal_t *proposal);
 	
 	/**
 	 * Check if this CHILD_SA uses UDP encapsulation.
@@ -237,19 +237,21 @@ struct child_sa_t {
 	u_int32_t (*get_lifetime)(child_sa_t *this, bool hard);
 	
 	/**
-	 * Get last use time of the CHILD_SA.
+	 * Get last use time and the number of bytes processed.
 	 *
-	 * @param inbound	TRUE for inbound traffic, FALSE for outbound
-	 * @return			time of last use in seconds
+	 * @param inbound		TRUE for inbound traffic, FALSE for outbound
+	 * @param[out] time		time of last use in seconds (NULL to ignore)
+	 * @param[out] bytes	number of processed bytes (NULL to ignore)
 	 */
-	u_int32_t (*get_usetime)(child_sa_t *this, bool inbound);
+	void (*get_usestats)(child_sa_t *this, bool inbound, time_t *time,
+						 u_int64_t *bytes);
 	
 	/**
 	 * Get the traffic selectors list added for one side.
 	 *
 	 * @param local		TRUE for own traffic selectors, FALSE for remote
 	 * @return			list of traffic selectors
-	 */	
+	 */
 	linked_list_t* (*get_traffic_selectors) (child_sa_t *this, bool local);
 	
 	/**
@@ -296,7 +298,7 @@ struct child_sa_t {
 	 * @param my_ts		traffic selectors for local site
 	 * @param other_ts	traffic selectors for remote site
 	 * @return			SUCCESS or FAILED
-	 */	
+	 */
 	status_t (*add_policies)(child_sa_t *this, linked_list_t *my_ts_list,
 							 linked_list_t *other_ts_list);
 	/**
diff --git a/src/charon/sa/connect_manager.c b/src/charon/sa/connect_manager.c
index a1b037de4..f26cf9405 100644
--- a/src/charon/sa/connect_manager.c
+++ b/src/charon/sa/connect_manager.c
@@ -1568,7 +1568,7 @@ connect_manager_t *connect_manager_create()
 	this->checklists = linked_list_create();
 	this->initiated = linked_list_create();
 	
-	this->mutex = mutex_create(MUTEX_DEFAULT);
+	this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
 	
 	return (connect_manager_t*)this;
 }
diff --git a/src/charon/sa/ike_sa.c b/src/charon/sa/ike_sa.c
index 6b7fa3582..be973a2ce 100644
--- a/src/charon/sa/ike_sa.c
+++ b/src/charon/sa/ike_sa.c
@@ -260,7 +260,7 @@ static time_t get_use_time(private_ike_sa_t* this, bool inbound)
 {
 	enumerator_t *enumerator;
 	child_sa_t *child_sa;
-	time_t use_time;
+	time_t use_time, current;
 	
 	if (inbound)
 	{
@@ -273,7 +273,8 @@ static time_t get_use_time(private_ike_sa_t* this, bool inbound)
 	enumerator = this->child_sas->create_enumerator(this->child_sas);
 	while (enumerator->enumerate(enumerator, &child_sa))
 	{
-		use_time = max(use_time, child_sa->get_usetime(child_sa, inbound));
+		child_sa->get_usestats(child_sa, inbound, &current, NULL);
+		use_time = max(use_time, current);
 	}
 	enumerator->destroy(enumerator);
 	
@@ -1169,7 +1170,8 @@ static status_t initiate(private_ike_sa_t *this,
 #endif /* ME */
 	{
 		/* normal IKE_SA with CHILD_SA */
-		task = (task_t*)child_create_create(&this->public, child_cfg, tsi, tsr);
+		task = (task_t*)child_create_create(&this->public, child_cfg, FALSE,
+											tsi, tsr);
 		child_cfg->destroy(child_cfg);
 		if (reqid)
 		{
@@ -1747,6 +1749,7 @@ static status_t roam(private_ike_sa_t *this, bool address)
 	{
 		case IKE_CREATED:
 		case IKE_DELETING:
+		case IKE_DESTROYING:
 		case IKE_PASSIVE:
 			return SUCCESS;
 		default:
@@ -1775,10 +1778,46 @@ static status_t roam(private_ike_sa_t *this, bool address)
 			DBG2(DBG_IKE, "keeping connection path %H - %H",
 				 src, this->other_host);
 			src->destroy(src);
+			set_condition(this, COND_STALE, FALSE);
+			return SUCCESS;
+		}
+		src->destroy(src);
+		
+	}
+	else
+	{
+		/* check if we find a route at all */
+		enumerator_t *enumerator;
+		host_t *addr;
+		
+		src = charon->kernel_interface->get_source_addr(charon->kernel_interface,
+														this->other_host, NULL);
+		if (!src)
+		{
+			enumerator = this->additional_addresses->create_enumerator(
+													this->additional_addresses);
+			while (enumerator->enumerate(enumerator, &addr))
+			{
+				DBG1(DBG_IKE, "looking for a route to %H ...", addr);
+				src = charon->kernel_interface->get_source_addr(
+										charon->kernel_interface, addr, NULL);
+				if (src)
+				{
+					break;
+				}
+			}
+			enumerator->destroy(enumerator);
+		}
+		if (!src)
+		{
+			DBG1(DBG_IKE, "no route found to reach %H, MOBIKE update deferred",
+				 this->other_host);
+			set_condition(this, COND_STALE, TRUE);
 			return SUCCESS;
 		}
 		src->destroy(src);
 	}
+	set_condition(this, COND_STALE, FALSE);
 	
 	/* update addresses with mobike, if supported ... */
 	if (supports_extension(this, EXT_MOBIKE))
diff --git a/src/charon/sa/ike_sa.h b/src/charon/sa/ike_sa.h
index b751bda0c..41d7a7976 100644
--- a/src/charon/sa/ike_sa.h
+++ b/src/charon/sa/ike_sa.h
@@ -127,6 +127,11 @@ enum ike_condition_t {
 	 * Local peer is the "original" IKE initiator. Unaffected from rekeying.
 	 */
 	COND_ORIGINAL_INITIATOR = (1<<6),
+	
+	/**
+	 * IKE_SA is stale, the peer is currently unreachable (MOBIKE)
+	 */
+	COND_STALE = (1<<7),
 };
 
 /**
diff --git a/src/charon/sa/ike_sa_manager.c b/src/charon/sa/ike_sa_manager.c
index efe7c228c..ec1a7f741 100644
--- a/src/charon/sa/ike_sa_manager.c
+++ b/src/charon/sa/ike_sa_manager.c
@@ -133,7 +133,7 @@ static entry_t *entry_create()
 	entry_t *this = malloc_thing(entry_t);
 	
 	this->waiting_threads = 0;
-	this->condvar = condvar_create(CONDVAR_DEFAULT);
+	this->condvar = condvar_create(CONDVAR_TYPE_DEFAULT);
 	
 	/* we set checkout flag when we really give it out */
 	this->checked_out = FALSE;
@@ -1050,7 +1050,8 @@ static ike_sa_t* checkout_by_config(private_ike_sa_manager_t *this,
 	enumerator_t *enumerator;
 	entry_t *entry;
 	ike_sa_t *ike_sa = NULL;
-	peer_cfg_t *current_cfg;
+	peer_cfg_t *current_peer;
+	ike_cfg_t *current_ike;
 	u_int segment;
 	
 	if (!this->reuse_ikesa)
@@ -1072,14 +1073,18 @@ static ike_sa_t* checkout_by_config(private_ike_sa_manager_t *this,
 			continue;
 		}
 		
-		current_cfg = entry->ike_sa->get_peer_cfg(entry->ike_sa);
-		if (current_cfg && current_cfg->equals(current_cfg, peer_cfg))
+		current_peer = entry->ike_sa->get_peer_cfg(entry->ike_sa);
+		if (current_peer && current_peer->equals(current_peer, peer_cfg))
 		{
-			DBG2(DBG_MGR, "found an existing IKE_SA with a '%s' config",
-				 current_cfg->get_name(current_cfg));
-			entry->checked_out = TRUE;
-			ike_sa = entry->ike_sa;
-			break;
+			current_ike = current_peer->get_ike_cfg(current_peer);
+			if (current_ike->equals(current_ike, peer_cfg->get_ike_cfg(peer_cfg)))
+			{
+				DBG2(DBG_MGR, "found an existing IKE_SA with a '%s' config",
+					 current_peer->get_name(current_peer));
+				entry->checked_out = TRUE;
+				ike_sa = entry->ike_sa;
+				break;
+			}
 		}
 	}
 	enumerator->destroy(enumerator);
@@ -1554,6 +1559,17 @@ static void flush(private_ike_sa_manager_t *this)
 	while (enumerator->enumerate(enumerator, &entry, &segment))
 	{
 		charon->bus->set_sa(charon->bus, entry->ike_sa);
+		/* as the delete never gets processed, fire down events */
+		switch (entry->ike_sa->get_state(entry->ike_sa))
+		{
+			case IKE_ESTABLISHED:
+			case IKE_REKEYING:
+			case IKE_DELETING:
+				charon->bus->ike_updown(charon->bus, entry->ike_sa, FALSE);
+				break;
+			default:
+				break;
+		}
 		entry->ike_sa->delete(entry->ike_sa);
 	}
 	enumerator->destroy(enumerator);
@@ -1695,7 +1711,7 @@ ike_sa_manager_t *ike_sa_manager_create()
 	this->segments = (segment_t*)calloc(this->segment_count, sizeof(segment_t));
 	for (i = 0; i < this->segment_count; ++i)
 	{
-		this->segments[i].mutex = mutex_create(MUTEX_RECURSIVE);
+		this->segments[i].mutex = mutex_create(MUTEX_TYPE_RECURSIVE);
 		this->segments[i].count = 0;
 	}
 	
@@ -1704,7 +1720,7 @@ ike_sa_manager_t *ike_sa_manager_create()
 	this->half_open_segments = calloc(this->segment_count, sizeof(shareable_segment_t));
 	for (i = 0; i < this->segment_count; ++i)
 	{
-		this->half_open_segments[i].lock = rwlock_create(RWLOCK_DEFAULT);
+		this->half_open_segments[i].lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
 		this->half_open_segments[i].count = 0;
 	}
 	
@@ -1713,7 +1729,7 @@ ike_sa_manager_t *ike_sa_manager_create()
 	this->connected_peers_segments = calloc(this->segment_count, sizeof(shareable_segment_t));
 	for (i = 0; i < this->segment_count; ++i)
 	{
-		this->connected_peers_segments[i].lock = rwlock_create(RWLOCK_DEFAULT);
+		this->connected_peers_segments[i].lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
 		this->connected_peers_segments[i].count = 0;
 	}
 	
diff --git a/src/charon/sa/keymat.c b/src/charon/sa/keymat.c
index 117d260ba..46fb79587 100644
--- a/src/charon/sa/keymat.c
+++ b/src/charon/sa/keymat.c
@@ -419,6 +419,9 @@ static bool derive_child_keys(private_keymat_t *this,
 			case ENCR_AES_CCM_ICV8:
 			case ENCR_AES_CCM_ICV12:
 			case ENCR_AES_CCM_ICV16:
+			case ENCR_CAMELLIA_CCM_ICV8:
+			case ENCR_CAMELLIA_CCM_ICV12:
+			case ENCR_CAMELLIA_CCM_ICV16:
 				enc_size += 3;
 				break;
 			case ENCR_AES_GCM_ICV8:
diff --git a/src/charon/sa/mediation_manager.c b/src/charon/sa/mediation_manager.c
index 890e567c7..a69c00173 100644
--- a/src/charon/sa/mediation_manager.c
+++ b/src/charon/sa/mediation_manager.c
@@ -331,7 +331,7 @@ mediation_manager_t *mediation_manager_create()
 	this->public.check_and_register = (ike_sa_id_t*(*)(mediation_manager_t*,identification_t*,identification_t*))check_and_register;
 	
 	this->peers = linked_list_create();
-	this->mutex = mutex_create(MUTEX_DEFAULT);
+	this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
 	
 	return (mediation_manager_t*)this;
 }
diff --git a/src/charon/sa/task_manager.c b/src/charon/sa/task_manager.c
index 2cd9532eb..f33fcd6d4 100644
--- a/src/charon/sa/task_manager.c
+++ b/src/charon/sa/task_manager.c
@@ -220,6 +220,10 @@ static status_t retransmit(private_task_manager_t *this, u_int32_t message_id)
 			{
 				DBG1(DBG_IKE, "giving up after %d retransmits",
 					 this->initiating.retransmitted - 1);
+				if (this->ike_sa->get_state(this->ike_sa) != IKE_CONNECTING)
+				{
+					charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
+				}
 				return DESTROY_ME;
 			}
 			
@@ -240,6 +244,7 @@ static status_t retransmit(private_task_manager_t *this, u_int32_t message_id)
 			{
 				DBG1(DBG_IKE, "giving up after %d path probings",
 					 this->initiating.retransmitted - 1);
+				charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
 				return DESTROY_ME;
 			}
 			
@@ -431,6 +436,12 @@ static status_t build_request(private_task_manager_t *this)
 				break;
 			case FAILED:
 			default:
+				if (this->ike_sa->get_state(this->ike_sa) != IKE_CONNECTING)
+				{
+					charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
+				}
+				/* FALL */
+			case DESTROY_ME:
 				/* critical failure, destroy IKE_SA */
 				iterator->destroy(iterator);
 				message->destroy(message);
@@ -451,6 +462,7 @@ static status_t build_request(private_task_manager_t *this)
 		 * close the SA */
 		message->destroy(message);
 		flush(this);
+		charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
 		return DESTROY_ME;
 	}
 	
@@ -474,6 +486,7 @@ static status_t process_response(private_task_manager_t *this,
 		DBG1(DBG_IKE, "received %N response, but expected %N",
 			 exchange_type_names, message->get_exchange_type(message),
 			 exchange_type_names, this->initiating.type);
+		charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
 		return DESTROY_ME;
 	}
 	
@@ -494,6 +507,9 @@ static status_t process_response(private_task_manager_t *this,
 				break;
 			case FAILED:
 			default:
+				charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
+				/* FALL */
+			case DESTROY_ME:
 				/* critical failure, destroy IKE_SA */
 				iterator->remove(iterator);
 				iterator->destroy(iterator);
@@ -604,6 +620,9 @@ static status_t build_response(private_task_manager_t *this, message_t *request)
 				break;
 			case FAILED:
 			default:
+				charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
+				/* FALL */
+			case DESTROY_ME:
 				/* destroy IKE_SA, but SEND response first */
 				delete = TRUE;
 				break;
@@ -631,6 +650,7 @@ static status_t build_response(private_task_manager_t *this, message_t *request)
 	message->destroy(message);
 	if (status != SUCCESS)
 	{
+		charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
 		return DESTROY_ME;
 	}
 	
@@ -678,7 +698,8 @@ static status_t process_request(private_task_manager_t *this,
 				this->passive_tasks->insert_last(this->passive_tasks, task);
 				task = (task_t*)ike_config_create(this->ike_sa, FALSE);
 				this->passive_tasks->insert_last(this->passive_tasks, task);
-				task = (task_t*)child_create_create(this->ike_sa, NULL, NULL, NULL);
+				task = (task_t*)child_create_create(this->ike_sa, NULL, FALSE,
+													NULL, NULL);
 				this->passive_tasks->insert_last(this->passive_tasks, task);
 				task = (task_t*)ike_auth_lifetime_create(this->ike_sa, FALSE);
 				this->passive_tasks->insert_last(this->passive_tasks, task);
@@ -726,8 +747,8 @@ static status_t process_request(private_task_manager_t *this,
 					}
 					else
 					{
-						task = (task_t*)child_create_create(this->ike_sa,
-															NULL, NULL, NULL);
+						task = (task_t*)child_create_create(this->ike_sa, NULL,
+															FALSE, NULL, NULL);
 					}
 				}
 				else
@@ -831,6 +852,9 @@ static status_t process_request(private_task_manager_t *this,
 				break;
 			case FAILED:
 			default:
+				charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
+				/* FALL */
+			case DESTROY_ME:
 				/* critical failure, destroy IKE_SA */
 				iterator->remove(iterator);
 				iterator->destroy(iterator);
diff --git a/src/charon/sa/tasks/child_create.c b/src/charon/sa/tasks/child_create.c
index f51443738..558938f2e 100644
--- a/src/charon/sa/tasks/child_create.c
+++ b/src/charon/sa/tasks/child_create.c
@@ -158,6 +158,11 @@ struct private_child_create_t {
 	 * successfully established the CHILD?
 	 */
 	bool established;
+	
+	/**
+	 * whether the CHILD_SA rekeys an existing one
+	 */
+	bool rekey;
 };
 
 /**
@@ -249,7 +254,7 @@ static bool allocate_spi(private_child_create_t *this)
  */
 static status_t select_and_install(private_child_create_t *this, bool no_dh)
 {
-	status_t status;
+	status_t status, status_i, status_o;
 	chunk_t nonce_i, nonce_r;
 	chunk_t encr_i = chunk_empty, encr_r = chunk_empty;
 	chunk_t integ_i = chunk_empty, integ_r = chunk_empty;
@@ -401,22 +406,22 @@ static status_t select_and_install(private_child_create_t *this, bool no_dh)
 		this->my_cpi = this->other_cpi = 0;
 		this->ipcomp = IPCOMP_NONE;
 	}
-	status = FAILED;
+	status_i = status_o = FAILED;
 	if (this->keymat->derive_child_keys(this->keymat, this->proposal,
 			this->dh, nonce_i, nonce_r,	&encr_i, &integ_i, &encr_r, &integ_r))
 	{
 		if (this->initiator)
 		{
-			status = this->child_sa->install(this->child_sa, encr_r, integ_r,
+			status_i = this->child_sa->install(this->child_sa, encr_r, integ_r,
 										this->my_spi, this->my_cpi, TRUE);
-			status = this->child_sa->install(this->child_sa, encr_i, integ_i,
+			status_o = this->child_sa->install(this->child_sa, encr_i, integ_i,
 										this->other_spi, this->other_cpi, FALSE);
 		}
 		else
 		{
-			status = this->child_sa->install(this->child_sa, encr_i, integ_i,
+			status_i = this->child_sa->install(this->child_sa, encr_i, integ_i,
 										this->my_spi, this->my_cpi, TRUE);
-			status = this->child_sa->install(this->child_sa, encr_r, integ_r,
+			status_o = this->child_sa->install(this->child_sa, encr_r, integ_r,
 										this->other_spi, this->other_cpi, FALSE);
 		}
 	}
@@ -425,9 +430,12 @@ static status_t select_and_install(private_child_create_t *this, bool no_dh)
 	chunk_clear(&encr_i);
 	chunk_clear(&encr_r);
 	
-	if (status != SUCCESS)
+	if (status_i != SUCCESS || status_o != SUCCESS)
 	{
-		DBG1(DBG_IKE, "unable to install IPsec SA (SAD) in kernel");
+		DBG1(DBG_IKE, "unable to install %s%s%sIPsec SA (SAD) in kernel",
+			(status_i != SUCCESS) ? "inbound " : "",
+			(status_i != SUCCESS && status_o != SUCCESS) ? "and ": "",
+			(status_o != SUCCESS) ? "outbound " : "");
 		return FAILED;
 	}
 	
@@ -939,7 +947,11 @@ static status_t build_r(private_child_create_t *this, message_t *message)
 		 ntohl(this->child_sa->get_spi(this->child_sa, FALSE)),
 		 this->child_sa->get_traffic_selectors(this->child_sa, TRUE),
 		 this->child_sa->get_traffic_selectors(this->child_sa, FALSE));
-
+	
+	if (!this->rekey)
+	{	/* invoke the child_up() hook if we are not rekeying */
+		charon->bus->child_updown(charon->bus, this->child_sa, TRUE);
+	}
 	return SUCCESS;
 }
 
@@ -1052,6 +1064,11 @@ static status_t process_i(private_child_create_t *this, message_t *message)
 			 ntohl(this->child_sa->get_spi(this->child_sa, FALSE)),
 			 this->child_sa->get_traffic_selectors(this->child_sa, TRUE),
 			 this->child_sa->get_traffic_selectors(this->child_sa, FALSE));
+		
+		if (!this->rekey)
+		{	/* invoke the child_up() hook if we are not rekeying */
+			charon->bus->child_updown(charon->bus, this->child_sa, TRUE);
+		}
 	}
 	else
 	{
@@ -1174,7 +1191,8 @@ static void destroy(private_child_create_t *this)
 /*
  * Described in header.
  */
-child_create_t *child_create_create(ike_sa_t *ike_sa, child_cfg_t *config,
+child_create_t *child_create_create(ike_sa_t *ike_sa,
+							child_cfg_t *config, bool rekey,
 							traffic_selector_t *tsi, traffic_selector_t *tsr)
 {
 	private_child_create_t *this = malloc_thing(private_child_create_t);
@@ -1222,6 +1240,7 @@ child_create_t *child_create_create(ike_sa_t *ike_sa, child_cfg_t *config,
 	this->other_cpi = 0;
 	this->reqid = 0;
 	this->established = FALSE;
+	this->rekey = rekey;
 	
 	return &this->public;
 }
diff --git a/src/charon/sa/tasks/child_create.h b/src/charon/sa/tasks/child_create.h
index ce2829a9a..41f4fe2c8 100644
--- a/src/charon/sa/tasks/child_create.h
+++ b/src/charon/sa/tasks/child_create.h
@@ -71,11 +71,13 @@ struct child_create_t {
  *
  * @param ike_sa		IKE_SA this task works for
  * @param config		child_cfg if task initiator, NULL if responder
+ * @param rekey			whether we do a rekey or not
  * @param tsi			source of triggering packet, or NULL
  * @param tsr			destination of triggering packet, or NULL
  * @return				child_create task to handle by the task_manager
  */
-child_create_t *child_create_create(ike_sa_t *ike_sa, child_cfg_t *config,
+child_create_t *child_create_create(ike_sa_t *ike_sa,
+							child_cfg_t *config, bool rekey,
 							traffic_selector_t *tsi, traffic_selector_t *tsr);
 
 #endif /** CHILD_CREATE_H_ @}*/
diff --git a/src/charon/sa/tasks/child_delete.c b/src/charon/sa/tasks/child_delete.c
index 0d89c148e..7abb07a84 100644
--- a/src/charon/sa/tasks/child_delete.c
+++ b/src/charon/sa/tasks/child_delete.c
@@ -52,10 +52,15 @@ struct private_child_delete_t {
 	u_int32_t spi;
 	
 	/**
-	 * wheter to enforce delete action policy
+	 * whether to enforce delete action policy
 	 */
 	bool check_delete_action;
 	
+	/**
+	 * is this delete exchange following a rekey?
+	 */
+	bool rekeyed;
+	
 	/**
 	 * CHILD_SAs which get deleted
 	 */
@@ -148,6 +153,7 @@ static void process_payloads(private_child_delete_t *this, message_t *message)
 				switch (child_sa->get_state(child_sa))
 				{
 					case CHILD_REKEYING:
+						this->rekeyed = TRUE;
 						/* we reply as usual, rekeying will fail */
 						break;
 					case CHILD_DELETING:
@@ -190,6 +196,11 @@ static status_t destroy_and_reestablish(private_child_delete_t *this)
 	iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
 	while (iterator->iterate(iterator, (void**)&child_sa))
 	{
+		/* signal child down event if we are not rekeying */
+		if (!this->rekeyed)
+		{
+			charon->bus->child_updown(charon->bus, child_sa, FALSE);
+		}
 		spi = child_sa->get_spi(child_sa, TRUE);
 		protocol = child_sa->get_protocol(child_sa);
 		child_cfg = child_sa->get_config(child_sa);
@@ -229,15 +240,19 @@ static void log_children(private_child_delete_t *this)
 {
 	iterator_t *iterator;
 	child_sa_t *child_sa;
+	u_int64_t bytes_in, bytes_out;
 	
 	iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
 	while (iterator->iterate(iterator, (void**)&child_sa))
 	{
+		child_sa->get_usestats(child_sa, TRUE, NULL, &bytes_in);
+		child_sa->get_usestats(child_sa, FALSE, NULL, &bytes_out);
+		
 		DBG0(DBG_IKE, "closing CHILD_SA %s{%d} "
-			 "with SPIs %.8x_i %.8x_o and TS %#R=== %#R",
+			 "with SPIs %.8x_i (%llu bytes) %.8x_o (%llu bytes) and TS %#R=== %#R",
 			 child_sa->get_name(child_sa), child_sa->get_reqid(child_sa),
-			 ntohl(child_sa->get_spi(child_sa, TRUE)),
-			 ntohl(child_sa->get_spi(child_sa, FALSE)),
+			 ntohl(child_sa->get_spi(child_sa, TRUE)), bytes_in,
+			 ntohl(child_sa->get_spi(child_sa, FALSE)), bytes_out,
 			 child_sa->get_traffic_selectors(child_sa, TRUE),
 			 child_sa->get_traffic_selectors(child_sa, FALSE));
 	}
@@ -258,7 +273,10 @@ static status_t build_i(private_child_delete_t *this, message_t *message)
 		return SUCCESS;
 	}
 	this->child_sas->insert_last(this->child_sas, child_sa);
-	
+	if (child_sa->get_state(child_sa) == CHILD_REKEYING)
+	{
+		this->rekeyed = TRUE;
+	}
 	log_children(this);
 	build_payloads(this, message);
 	return NEED_MORE;
@@ -359,6 +377,7 @@ child_delete_t *child_delete_create(ike_sa_t *ike_sa, protocol_id_t protocol,
 	this->child_sas = linked_list_create();
 	this->protocol = protocol;
 	this->spi = spi;
+	this->rekeyed = FALSE;
 	
 	if (protocol != PROTO_NONE)
 	{
diff --git a/src/charon/sa/tasks/child_rekey.c b/src/charon/sa/tasks/child_rekey.c
index 6ab00dc5b..601e054ea 100644
--- a/src/charon/sa/tasks/child_rekey.c
+++ b/src/charon/sa/tasks/child_rekey.c
@@ -157,7 +157,8 @@ static status_t build_i(private_child_rekey_t *this, message_t *message)
 	
 	/* ... our CHILD_CREATE task does the hard work for us. */
 	reqid = this->child_sa->get_reqid(this->child_sa);
-	this->child_create = child_create_create(this->ike_sa, config, NULL, NULL);
+	this->child_create = child_create_create(this->ike_sa, config, TRUE,
+											 NULL, NULL);
 	this->child_create->use_reqid(this->child_create, reqid);
 	this->child_create->task.build(&this->child_create->task, message);
 	
@@ -207,6 +208,10 @@ static status_t build_r(private_child_rekey_t *this, message_t *message)
 	}
 	
 	this->child_sa->set_state(this->child_sa, CHILD_REKEYING);
+	
+	/* invoke rekey hook */
+	charon->bus->child_rekey(charon->bus, this->child_sa,
+							 this->child_create->get_child(this->child_create));
 	return SUCCESS;
 }
 
@@ -303,6 +308,12 @@ static status_t process_i(private_child_rekey_t *this, message_t *message)
 		}
 	}
 	
+	if (to_delete != this->child_create->get_child(this->child_create))
+	{	/* invoke rekey hook if rekeying successful */
+		charon->bus->child_rekey(charon->bus, this->child_sa,
+							this->child_create->get_child(this->child_create));
+	}
+	
 	spi = to_delete->get_spi(to_delete, TRUE);
 	protocol = to_delete->get_protocol(to_delete);
 	
@@ -416,7 +427,7 @@ child_rekey_t *child_rekey_create(ike_sa_t *ike_sa, protocol_id_t protocol,
 		this->public.task.build = (status_t(*)(task_t*,message_t*))build_r;
 		this->public.task.process = (status_t(*)(task_t*,message_t*))process_r;
 		this->initiator = FALSE;
-		this->child_create = child_create_create(ike_sa, NULL, NULL, NULL);
+		this->child_create = child_create_create(ike_sa, NULL, TRUE, NULL, NULL);
 	}
 	
 	this->ike_sa = ike_sa;
diff --git a/src/charon/sa/tasks/ike_auth.c b/src/charon/sa/tasks/ike_auth.c
index 8d6cd56bd..d0b2a7e91 100644
--- a/src/charon/sa/tasks/ike_auth.c
+++ b/src/charon/sa/tasks/ike_auth.c
@@ -738,6 +738,7 @@ static status_t build_r(private_ike_auth_t *this, message_t *message)
 			 this->ike_sa->get_my_id(this->ike_sa), 
 			 this->ike_sa->get_other_host(this->ike_sa),
 			 this->ike_sa->get_other_id(this->ike_sa));
+		charon->bus->ike_updown(charon->bus, this->ike_sa, TRUE);
 		return SUCCESS;
 	}
 	return NEED_MORE;
@@ -916,6 +917,7 @@ static status_t process_i(private_ike_auth_t *this, message_t *message)
 			 this->ike_sa->get_my_id(this->ike_sa), 
 			 this->ike_sa->get_other_host(this->ike_sa),
 			 this->ike_sa->get_other_id(this->ike_sa));
+		charon->bus->ike_updown(charon->bus, this->ike_sa, TRUE);
 		return SUCCESS;
 	}
 	return NEED_MORE;
diff --git a/src/charon/sa/tasks/ike_delete.c b/src/charon/sa/tasks/ike_delete.c
index f308a6358..cde117934 100644
--- a/src/charon/sa/tasks/ike_delete.c
+++ b/src/charon/sa/tasks/ike_delete.c
@@ -21,7 +21,7 @@
 
 typedef struct private_ike_delete_t private_ike_delete_t;
 
-/**file
+/**
  * Private members of a ike_delete_t task.
  */
 struct private_ike_delete_t {
@@ -41,6 +41,11 @@ struct private_ike_delete_t {
 	 */
 	bool initiator;
 	
+	/**
+	 * are we deleting a rekeyed SA?
+	 */
+	bool rekeyed;
+	
 	/**
 	 * are we responding to a delete, but have initated our own?
 	 */
@@ -64,6 +69,11 @@ static status_t build_i(private_ike_delete_t *this, message_t *message)
 
 	delete_payload = delete_payload_create(PROTO_IKE);
 	message->add_payload(message, (payload_t*)delete_payload);
+	
+	if (this->ike_sa->get_state(this->ike_sa) == IKE_REKEYING)
+	{
+		this->rekeyed = TRUE;
+	}
 	this->ike_sa->set_state(this->ike_sa, IKE_DELETING);
 
 	DBG1(DBG_IKE, "sending DELETE for IKE_SA %s[%d]",
@@ -79,8 +89,12 @@ static status_t build_i(private_ike_delete_t *this, message_t *message)
 static status_t process_i(private_ike_delete_t *this, message_t *message)
 {
 	DBG0(DBG_IKE, "IKE_SA deleted");
-	/* completed, delete IKE_SA by returning FAILED */
-	return FAILED;
+	if (!this->rekeyed)
+	{	/* invoke ike_down() hook if SA has not been rekeyed */
+		charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
+	}
+	/* completed, delete IKE_SA by returning DESTROY_ME */
+	return DESTROY_ME;
 }
 
 /**
@@ -106,14 +120,17 @@ static status_t process_r(private_ike_delete_t *this, message_t *message)
 		case IKE_ESTABLISHED:
 			this->ike_sa->set_state(this->ike_sa, IKE_DELETING);
 			this->ike_sa->reestablish(this->ike_sa);
+			return NEED_MORE;
+		case IKE_REKEYING:
+			this->rekeyed = TRUE;
 			break;
 		case IKE_DELETING:
 			this->simultaneous = TRUE;
-			/* FALL */
+			break;
 		default:
-			this->ike_sa->set_state(this->ike_sa, IKE_DELETING);
 			break;
 	}
+	this->ike_sa->set_state(this->ike_sa, IKE_DELETING);
 	return NEED_MORE;
 }
 
@@ -129,8 +146,12 @@ static status_t build_r(private_ike_delete_t *this, message_t *message)
 		/* wait for peer's response for our delete request, but set a timeout */
 		return SUCCESS;
 	}
-	/* completed, delete IKE_SA by returning FAILED */
-	return FAILED;
+	if (!this->rekeyed)
+	{	/* invoke ike_down() hook if SA has not been rekeyed */
+		charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
+	}
+	/* completed, delete IKE_SA by returning DESTROY_ME */
+	return DESTROY_ME;
 }
 
 /**
@@ -182,6 +203,7 @@ ike_delete_t *ike_delete_create(ike_sa_t *ike_sa, bool initiator)
 	
 	this->ike_sa = ike_sa;
 	this->initiator = initiator;
+	this->rekeyed = FALSE;
 	this->simultaneous = FALSE;
 	
 	return &this->public;
diff --git a/src/charon/sa/tasks/ike_rekey.c b/src/charon/sa/tasks/ike_rekey.c
index bead408a6..3a049b566 100644
--- a/src/charon/sa/tasks/ike_rekey.c
+++ b/src/charon/sa/tasks/ike_rekey.c
@@ -367,6 +367,8 @@ static void destroy(private_ike_rekey_t *this)
 		if (this->new_sa->get_state(this->new_sa) == IKE_ESTABLISHED &&
 			this->new_sa->inherit(this->new_sa, this->ike_sa) != DESTROY_ME)
 		{
+			/* invoke hook if rekeying was successful */
+			charon->bus->ike_rekey(charon->bus, this->ike_sa, this->new_sa);
 			charon->ike_sa_manager->checkin(charon->ike_sa_manager, this->new_sa);
 		}
 		else
diff --git a/src/charon/sa/tasks/task.h b/src/charon/sa/tasks/task.h
index f9b409f35..3d2014599 100644
--- a/src/charon/sa/tasks/task.h
+++ b/src/charon/sa/tasks/task.h
@@ -100,7 +100,8 @@ struct task_t {
 	 * 
 	 * @param message		message to add payloads to
 	 * @return
-	 * 						- FAILED if a critical error occured
+	 *						- FAILED if a critical error occured
+	 *						- DESTROY_ME if IKE_SA has been properly deleted
 	 *						- NEED_MORE if another call to build/process needed
 	 *						- SUCCESS if task completed
 	 */
@@ -112,6 +113,7 @@ struct task_t {
 	 * @param message		message to read payloads from
 	 * @return
 	 * 						- FAILED if a critical error occured
+	 *						- DESTROY_ME if IKE_SA has been properly deleted
 	 *						- NEED_MORE if another call to build/process needed
 	 *						- SUCCESS if task completed
 	 */
diff --git a/src/charon/sa/trap_manager.c b/src/charon/sa/trap_manager.c
index a74fab93f..570335eb4 100644
--- a/src/charon/sa/trap_manager.c
+++ b/src/charon/sa/trap_manager.c
@@ -156,6 +156,10 @@ static u_int32_t install(private_trap_manager_t *this, peer_cfg_t *peer,
 	me->destroy(me);
 	other->destroy(other);
 	
+	/* while we don't know the finally negotiated protocol (ESP|AH), we
+	 * could iterate all proposals for a best guest (TODO). But as we
+	 * support ESP only for now, we set here. */
+	child_sa->set_protocol(child_sa, PROTO_ESP);
 	child_sa->set_mode(child_sa, child->get_mode(child));
 	status = child_sa->add_policies(child_sa, my_ts, other_ts);
 	my_ts->destroy_offset(my_ts, offsetof(traffic_selector_t, destroy));
@@ -358,7 +362,7 @@ trap_manager_t *trap_manager_create()
 	this->public.destroy = (void(*)(trap_manager_t*))destroy;
 	
 	this->traps = linked_list_create();
-	this->lock = rwlock_create(RWLOCK_DEFAULT);
+	this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
 	
 	/* register listener for IKE state changes */
 	this->listener.traps = this;
diff --git a/src/checksum/Makefile.am b/src/checksum/Makefile.am
new file mode 100644
index 000000000..bd42c231f
--- /dev/null
+++ b/src/checksum/Makefile.am
@@ -0,0 +1,36 @@
+ipsec_LTLIBRARIES = libchecksum.la
+noinst_PROGRAMS = checksum_builder
+
+nodist_libchecksum_la_SOURCES = checksum.c
+libchecksum_la_LDFLAGS = -module -avoid-version
+
+checksum_builder_SOURCES = checksum_builder.c
+checksum_builder_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
+
+BUILT_SOURCES = checksum.c
+CLEANFILES = checksum.c
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+AM_CFLAGS = -rdynamic
+
+libs =	$(shell find $(top_builddir)/src/libstrongswan $(top_builddir)/src/charon \
+			-name 'libstrongswan*.so')
+
+if USE_CHARON
+  libs += $(top_builddir)/src/charon/.libs/charon
+endif
+
+if USE_PLUTO
+  libs += $(top_builddir)/src/pluto/.libs/pluto
+endif
+
+if USE_TOOLS
+  libs += $(top_builddir)/src/openac/.libs/openac
+  libs += $(top_builddir)/src/scepclient/.libs/scepclient
+endif
+
+if USE_SQL
+  libs += $(top_builddir)/src/charon/plugins/sql/.libs/pool
+endif
+
+checksum.c : checksum_builder $(libs)
+		./checksum_builder $(libs) > checksum.c
diff --git a/src/checksum/Makefile.in b/src/checksum/Makefile.in
new file mode 100644
index 000000000..4d38df2dd
--- /dev/null
+++ b/src/checksum/Makefile.in
@@ -0,0 +1,550 @@
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+noinst_PROGRAMS = checksum_builder$(EXEEXT)
+@USE_CHARON_TRUE@am__append_1 = $(top_builddir)/src/charon/.libs/charon
+@USE_PLUTO_TRUE@am__append_2 = $(top_builddir)/src/pluto/.libs/pluto
+@USE_TOOLS_TRUE@am__append_3 =  \
+@USE_TOOLS_TRUE@	$(top_builddir)/src/openac/.libs/openac \
+@USE_TOOLS_TRUE@	$(top_builddir)/src/scepclient/.libs/scepclient
+@USE_SQL_TRUE@am__append_4 = $(top_builddir)/src/charon/plugins/sql/.libs/pool
+subdir = src/checksum
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__installdirs = "$(DESTDIR)$(ipsecdir)"
+ipsecLTLIBRARIES_INSTALL = $(INSTALL)
+LTLIBRARIES = $(ipsec_LTLIBRARIES)
+libchecksum_la_LIBADD =
+nodist_libchecksum_la_OBJECTS = checksum.lo
+libchecksum_la_OBJECTS = $(nodist_libchecksum_la_OBJECTS)
+libchecksum_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(libchecksum_la_LDFLAGS) $(LDFLAGS) -o $@
+PROGRAMS = $(noinst_PROGRAMS)
+am_checksum_builder_OBJECTS = checksum_builder.$(OBJEXT)
+checksum_builder_OBJECTS = $(am_checksum_builder_OBJECTS)
+checksum_builder_DEPENDENCIES =  \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(nodist_libchecksum_la_SOURCES) $(checksum_builder_SOURCES)
+DIST_SOURCES = $(checksum_builder_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
+IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LINUX_HEADERS = @LINUX_HEADERS@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+RANLIB = @RANLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+confdir = @confdir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libstrongswan_plugins = @libstrongswan_plugins@
+linuxdir = @linuxdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+resolv_conf = @resolv_conf@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+simreader = @simreader@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+ipsec_LTLIBRARIES = libchecksum.la
+nodist_libchecksum_la_SOURCES = checksum.c
+libchecksum_la_LDFLAGS = -module -avoid-version
+checksum_builder_SOURCES = checksum_builder.c
+checksum_builder_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
+BUILT_SOURCES = checksum.c
+CLEANFILES = checksum.c
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+AM_CFLAGS = -rdynamic
+libs = $(shell find $(top_builddir)/src/libstrongswan \
+	$(top_builddir)/src/charon -name 'libstrongswan*.so') \
+	$(am__append_1) $(am__append_2) $(am__append_3) \
+	$(am__append_4)
+all: $(BUILT_SOURCES)
+	$(MAKE) $(AM_MAKEFLAGS) all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/checksum/Makefile'; \
+	cd $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu  src/checksum/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+install-ipsecLTLIBRARIES: $(ipsec_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(ipsecdir)" || $(MKDIR_P) "$(DESTDIR)$(ipsecdir)"
+	@list='$(ipsec_LTLIBRARIES)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    f=$(am__strip_dir) \
+	    echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(ipsecLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(ipsecdir)/$$f'"; \
+	    $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(ipsecLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(ipsecdir)/$$f"; \
+	  else :; fi; \
+	done
+
+uninstall-ipsecLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(ipsec_LTLIBRARIES)'; for p in $$list; do \
+	  p=$(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(ipsecdir)/$$p'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(ipsecdir)/$$p"; \
+	done
+
+clean-ipsecLTLIBRARIES:
+	-test -z "$(ipsec_LTLIBRARIES)" || rm -f $(ipsec_LTLIBRARIES)
+	@list='$(ipsec_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libchecksum.la: $(libchecksum_la_OBJECTS) $(libchecksum_la_DEPENDENCIES) 
+	$(libchecksum_la_LINK) -rpath $(ipsecdir) $(libchecksum_la_OBJECTS) $(libchecksum_la_LIBADD) $(LIBS)
+
+clean-noinstPROGRAMS:
+	@list='$(noinst_PROGRAMS)'; for p in $$list; do \
+	  f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
+	  echo " rm -f $$p $$f"; \
+	  rm -f $$p $$f ; \
+	done
+checksum_builder$(EXEEXT): $(checksum_builder_OBJECTS) $(checksum_builder_DEPENDENCIES) 
+	@rm -f checksum_builder$(EXEEXT)
+	$(LINK) $(checksum_builder_OBJECTS) $(checksum_builder_LDADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/checksum.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/checksum_builder.Po@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	    $$tags $$unique; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$tags $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) $$here
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	    fi; \
+	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: $(BUILT_SOURCES)
+	$(MAKE) $(AM_MAKEFLAGS) check-am
+all-am: Makefile $(LTLIBRARIES) $(PROGRAMS)
+installdirs:
+	for dir in "$(DESTDIR)$(ipsecdir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: $(BUILT_SOURCES)
+	$(MAKE) $(AM_MAKEFLAGS) install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+	-test -z "$(BUILT_SOURCES)" || rm -f $(BUILT_SOURCES)
+clean: clean-am
+
+clean-am: clean-generic clean-ipsecLTLIBRARIES clean-libtool \
+	clean-noinstPROGRAMS mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+info: info-am
+
+info-am:
+
+install-data-am: install-ipsecLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-info: install-info-am
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-ipsecLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-ipsecLTLIBRARIES clean-libtool clean-noinstPROGRAMS \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-ipsecLTLIBRARIES install-man \
+	install-pdf install-pdf-am install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-ipsecLTLIBRARIES
+
+
+checksum.c : checksum_builder $(libs)
+		./checksum_builder $(libs) > checksum.c
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/checksum/checksum_builder.c b/src/checksum/checksum_builder.c
new file mode 100644
index 000000000..a713eb526
--- /dev/null
+++ b/src/checksum/checksum_builder.c
@@ -0,0 +1,135 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil, Switzerland
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <dlfcn.h>
+
+#include <library.h>
+
+/* we need to fake some charon symbols to dlopen() its plugins */
+void *charon, *eap_type_names, *auth_class_names, *protocol_id_names,
+*action_names, *ipsec_mode_names, *ike_sa_state_names, *child_sa_state_names,
+*policy_dir_names, *ipcomp_transform_names, *debug_names, *controller_cb_empty;
+
+int main(int argc, char* argv[])
+{
+	int i;
+	integrity_checker_t *integrity;
+	
+	/* avoid confusing leak reports in build process */
+	setenv("LEAK_DETECTIVE_DISABLE", "1", 0);
+	library_init(NULL);
+	atexit(library_deinit);
+	
+	integrity = integrity_checker_create(NULL);
+	
+	printf("/**\n");
+	printf(" * checksums of files and loaded code segments.\n");
+	printf(" * created by %s\n", argv[0]);
+	printf(" */\n");
+	printf("\n");
+	printf("#include <library.h>\n");
+	printf("\n");
+	printf("integrity_checksum_t checksums[] = {\n");
+	fprintf(stderr, "integrity test data:\n");
+	fprintf(stderr, "module name,       file size / checksum   segment size / checksum\n");
+	for (i = 1; i < argc; i++)
+	{
+		char *name, *path, *sname = NULL;
+		void *handle, *symbol;
+		u_int32_t fsum, ssum;
+		size_t fsize = 0;
+		size_t ssize = 0;
+
+		path = argv[i];
+		
+		if ((name = strstr(path, "libstrongswan-")))
+		{
+			name = strdup(name + strlen("libstrongswan-"));
+			name[strlen(name) - 3] = '"';
+			name[strlen(name) - 2] = ',';
+			name[strlen(name) - 1] = '\0';
+			sname = "plugin_create";
+		}
+		else if (strstr(path, "libstrongswan.so"))
+		{
+			name = strdup("libstrongswan\",");
+			sname = "library_init";
+		}
+		else if (strstr(path, "pool"))
+		{
+			name = strdup("pool\",");
+		}
+		else if (strstr(path, "charon"))
+		{
+			name = strdup("charon\",");
+		}
+		else if (strstr(path, "pluto"))
+		{
+			name = strdup("pluto\",");
+		}
+		else if (strstr(path, "openac"))
+		{
+			name = strdup("openac\",");
+		}
+		else if (strstr(path, "scepclient"))
+		{
+			name = strdup("scepclient\",");
+		}
+		else
+		{
+			fprintf(stderr, "don't know how to handle '%s', ignored", path);
+			continue;
+		}
+		
+		fsum = integrity->build_file(integrity, path, &fsize);
+		ssum = 0;
+		if (sname)
+		{
+			handle = dlopen(path, RTLD_LAZY);
+			if (handle)
+			{
+				symbol = dlsym(handle, sname);
+				if (symbol)
+				{
+					ssum = integrity->build_segment(integrity, symbol, &ssize);
+				}
+				else
+				{
+					fprintf(stderr, "symbol lookup failed: %s\n", dlerror());
+				}
+				dlclose(handle);
+			}
+			else
+			{
+				fprintf(stderr, "dlopen failed: %s\n", dlerror());
+			}
+		}
+		printf("\t{\"%-20s%7u, 0x%08x, %6u, 0x%08x},\n",
+			   name, fsize, fsum, ssize, ssum);
+		fprintf(stderr, "\"%-20s%7u / 0x%08x       %6u / 0x%08x\n", 
+				name, fsize, fsum, ssize, ssum);
+		free(name);
+	}
+	printf("};\n");
+	printf("\n");
+	printf("int checksum_count = countof(checksums);\n");
+	printf("\n");
+	integrity->destroy(integrity);
+	
+	exit(0);
+}
+
diff --git a/src/dumm/Makefile.in b/src/dumm/Makefile.in
index fdbf41f47..817e31104 100644
--- a/src/dumm/Makefile.in
+++ b/src/dumm/Makefile.in
@@ -83,12 +83,14 @@ ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
@@ -153,6 +155,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
 VERSION = @VERSION@
 YACC = @YACC@
@@ -193,7 +196,9 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
diff --git a/src/dumm/mconsole.c b/src/dumm/mconsole.c
index 72d6d1b5e..2ed96d562 100644
--- a/src/dumm/mconsole.c
+++ b/src/dumm/mconsole.c
@@ -149,7 +149,7 @@ static int request(private_mconsole_t *this, void(*cb)(void*,char*,size_t),
 			{
 				if (reply.len && *reply.data)
 				{
-					DBG1("received mconsole error %d: %*.s",
+					DBG1("received mconsole error %d: %.*s",
 						 reply.err, reply.len, reply.data);
 				}
 				break;
diff --git a/src/include/Makefile.in b/src/include/Makefile.in
index 7ee0793ec..495d02cc2 100644
--- a/src/include/Makefile.in
+++ b/src/include/Makefile.in
@@ -43,12 +43,14 @@ SOURCES =
 DIST_SOURCES =
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
@@ -113,6 +115,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
 VERSION = @VERSION@
 YACC = @YACC@
@@ -153,7 +156,9 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
diff --git a/src/ipsec/Makefile.in b/src/ipsec/Makefile.in
index d5a6dc82f..de069b928 100644
--- a/src/ipsec/Makefile.in
+++ b/src/ipsec/Makefile.in
@@ -51,12 +51,14 @@ NROFF = nroff
 MANS = $(dist_man8_MANS)
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
@@ -121,6 +123,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
 VERSION = @VERSION@
 YACC = @YACC@
@@ -161,7 +164,9 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
diff --git a/src/libfast/Makefile.in b/src/libfast/Makefile.in
index 98f5ddd88..266898984 100644
--- a/src/libfast/Makefile.in
+++ b/src/libfast/Makefile.in
@@ -71,12 +71,14 @@ ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
@@ -141,6 +143,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
 VERSION = @VERSION@
 YACC = @YACC@
@@ -181,7 +184,9 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
diff --git a/src/libfreeswan/Makefile.in b/src/libfreeswan/Makefile.in
index 37c32b9fa..31ea3a634 100644
--- a/src/libfreeswan/Makefile.in
+++ b/src/libfreeswan/Makefile.in
@@ -83,12 +83,14 @@ ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
@@ -153,6 +155,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
 VERSION = @VERSION@
 YACC = @YACC@
@@ -193,7 +196,9 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
diff --git a/src/libfreeswan/anyaddr.c b/src/libfreeswan/anyaddr.c
index 2e9fa2787..f2eb8d07a 100644
--- a/src/libfreeswan/anyaddr.c
+++ b/src/libfreeswan/anyaddr.c
@@ -17,12 +17,13 @@
 #include "internal.h"
 #include "freeswan.h"
 
-/* these are mostly fallbacks for the no-IPv6-support-in-library case */
-#ifndef IN6ADDR_ANY_INIT
-#define	IN6ADDR_ANY_INIT	{{ 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 }}
-#endif
-#ifndef IN6ADDR_LOOPBACK_INIT
-#define	IN6ADDR_LOOPBACK_INIT	{{ 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1 }}
+/* OpenSolaris defines strange versions of these macros */
+#ifdef __sun
+#undef	IN6ADDR_ANY_INIT
+#define	IN6ADDR_ANY_INIT		{{{ 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 }}}
+
+#undef	IN6ADDR_LOOPBACK_INIT
+#define	IN6ADDR_LOOPBACK_INIT	{{{ 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1 }}}
 #endif
 
 static struct in6_addr v6any = IN6ADDR_ANY_INIT;
diff --git a/src/libfreeswan/atoaddr.3 b/src/libfreeswan/atoaddr.3
index fce8884e4..10da2691c 100644
--- a/src/libfreeswan/atoaddr.3
+++ b/src/libfreeswan/atoaddr.3
@@ -54,7 +54,7 @@ on a big-endian host and
 .B 4.3.2.1
 on a little-endian host),
 a DNS name to be looked up via
-.IR gethostbyname (3),
+.IR getaddrinfo (3),
 or an old-style network name to be looked up via
 .IR getnetbyname (3).
 .PP
@@ -91,10 +91,8 @@ DNS names may be complete (optionally terminated with a ``.'')
 or incomplete, and are looked up as specified by local system configuration
 (see
 .IR resolver (5)).
-The
-.I h_addr
-value returned by
-.IR gethostbyname (3)
+The first value returned by
+.IR getaddrinfo (3)
 is used,
 so with current DNS implementations,
 the result when the name corresponds to more than one address is
@@ -102,7 +100,7 @@ difficult to predict.
 Name lookup resorts to
 .IR getnetbyname (3)
 only if
-.IR gethostbyname (3)
+.IR getaddrinfo (3)
 fails.
 .PP
 A subnet specification is of the form \fInetwork\fB/\fImask\fR.
diff --git a/src/libfreeswan/atoaddr.c b/src/libfreeswan/atoaddr.c
index dd73be7f3..cbda541d3 100644
--- a/src/libfreeswan/atoaddr.c
+++ b/src/libfreeswan/atoaddr.c
@@ -12,6 +12,8 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
  * License for more details.
  */
+#include <sys/socket.h>
+
 #include "internal.h"
 #include "freeswan.h"
 
@@ -41,7 +43,7 @@ const char *src;
 size_t srclen;			/* 0 means "apply strlen" */
 struct in_addr *addrp;
 {
-	struct hostent *h;
+	struct addrinfo hints, *res;
 	struct netent *ne = NULL;
 	const char *oops;
 #	define	HEXLEN	10	/* strlen("0x11223344") */
@@ -51,6 +53,7 @@ struct in_addr *addrp;
 	char namebuf[ATOADDRBUF];
 	char *p = namebuf;
 	char *q;
+	int error;
 
 	if (srclen == 0)
 		srclen = strlen(src);
@@ -87,18 +90,34 @@ struct in_addr *addrp;
 		return "illegal (non-DNS-name) character in name";
 
 	/* try as host name, failing that as /etc/networks network name */
-	h = gethostbyname(p);
-	if (h == NULL)
+	memset(&hints, 0, sizeof(hints));
+	hints.ai_family = AF_INET;
+	error = getaddrinfo(p, NULL, &hints, &res);
+	if (error != 0)
+	{
 		ne = getnetbyname(p);
+		if (ne == NULL)
+		{
+			if (p != namebuf)
+			{
+				FREE(p);
+			}
+			return "name lookup failed";
+		}
+		addrp->s_addr = htonl(ne->n_net);
+	}
+	else
+	{
+		struct sockaddr_in *in = (struct sockaddr_in*)res->ai_addr;
+		memcpy(&addrp->s_addr, &in->sin_addr.s_addr, sizeof(addrp->s_addr));
+		freeaddrinfo(res);
+	}
+
 	if (p != namebuf)
+	{
 		FREE(p);
-	if (h == NULL && ne == NULL)
-		return "name lookup failed";
+	}
 
-	if (h != NULL)
-		memcpy(&addrp->s_addr, h->h_addr, sizeof(addrp->s_addr));
-	else
-		addrp->s_addr = htonl(ne->n_net);
 	return NULL;
 }
 
diff --git a/src/libfreeswan/freeswan.h b/src/libfreeswan/freeswan.h
index cb14cd678..77ce8f2be 100644
--- a/src/libfreeswan/freeswan.h
+++ b/src/libfreeswan/freeswan.h
@@ -20,11 +20,6 @@
 #  include <stdio.h>
 #  include <netinet/in.h>
 
-#  define uint8_t u_int8_t
-#  define uint16_t u_int16_t 
-#  define uint32_t u_int32_t 
-#  define uint64_t u_int64_t 
-
 #  define DEBUG_NO_STATIC static
 
 #include <ipsec_param.h>
diff --git a/src/libfreeswan/pfkeyv2.h b/src/libfreeswan/pfkeyv2.h
index 5ef5e747c..461299c78 100644
--- a/src/libfreeswan/pfkeyv2.h
+++ b/src/libfreeswan/pfkeyv2.h
@@ -303,33 +303,40 @@ struct sadb_protocol {
 #define SADB_SASTATE_DEAD     3
 #define SADB_SASTATE_MAX      3
 
-#define SADB_SAFLAGS_PFS		1
+#define SADB_SAFLAGS_PFS			1
 #define SADB_X_SAFLAGS_REPLACEFLOW	2
 #define SADB_X_SAFLAGS_CLEARFLOW	4
 #define SADB_X_SAFLAGS_INFLOW		8
 
 /* Authentication algorithms */
-#define SADB_AALG_NONE			0
-#define SADB_AALG_MD5HMAC		2
-#define SADB_AALG_SHA1HMAC		3
+#define SADB_AALG_NONE				0
+#define SADB_AALG_MD5HMAC			2
+#define SADB_AALG_SHA1HMAC			3
 #define SADB_X_AALG_SHA2_256HMAC	5
 #define SADB_X_AALG_SHA2_384HMAC	6
 #define SADB_X_AALG_SHA2_512HMAC	7
 #define SADB_X_AALG_RIPEMD160HMAC	8
 #define SADB_X_AALG_AES_XCBC_MAC	9
-#define SADB_X_AALG_NULL		251	/* kame */
-#define SADB_AALG_MAX			251
+#define SADB_X_AALG_NULL			251	/* kame */
+#define SADB_AALG_MAX				251
 
 /* Encryption algorithms */
-#define SADB_EALG_NONE			0
-#define SADB_EALG_DESCBC		2
-#define SADB_EALG_3DESCBC		3
-#define SADB_X_EALG_CASTCBC		6
+#define SADB_EALG_NONE				0
+#define SADB_EALG_DESCBC			2
+#define SADB_EALG_3DESCBC			3
+#define SADB_X_EALG_CASTCBC			6
 #define SADB_X_EALG_BLOWFISHCBC		7
-#define SADB_EALG_NULL			11
-#define SADB_X_EALG_AESCBC		12
+#define SADB_EALG_NULL				11
+#define SADB_X_EALG_AESCBC			12
+#define SADB_X_EALG_AESCTR			13
+#define SADB_X_EALG_AES_CCM_ICV8	14
+#define SADB_X_EALG_AES_CCM_ICV12	15
+#define SADB_X_EALG_AES_CCM_ICV16	16
+#define SADB_X_EALG_AES_GCM_ICV8	18
+#define SADB_X_EALG_AES_GCM_ICV12	19
+#define SADB_X_EALG_AES_GCM_ICV16	20
 #define SADB_X_EALG_CAMELLIACBC		22
-#define SADB_EALG_MAX                   253 /* last EALG */
+#define SADB_EALG_MAX			253 /* last EALG */
 /* private allocations should use 249-255 (RFC2407) */
 #define SADB_X_EALG_SERPENTCBC  252     /* draft-ietf-ipsec-ciph-aes-cbc-00 */
 #define SADB_X_EALG_TWOFISHCBC  253     /* draft-ietf-ipsec-ciph-aes-cbc-00 */
diff --git a/src/libfreeswan/ttoaddr.3 b/src/libfreeswan/ttoaddr.3
index 70671145e..d43d2b16f 100644
--- a/src/libfreeswan/ttoaddr.3
+++ b/src/libfreeswan/ttoaddr.3
@@ -59,7 +59,7 @@ on a big-endian host and
 .B 4.3.2.1
 on a little-endian host),
 a DNS name to be looked up via
-.IR gethostbyname (3),
+.IR getaddrinfo (3),
 or an old-style network name to be looked up via
 .IR getnetbyname (3).
 .PP
@@ -100,7 +100,7 @@ abbreviating at most one subsequence of multiple zeros (e.g.
 which is synonymous with
 .BR 99:ab:0:0:0:0:54:68 ),
 or a DNS name to be looked up via
-.IR gethostbyname (3).
+.IR getaddrinfo (3).
 The result of applying
 .I addrtot
 to an IPv6 address will use
@@ -115,10 +115,8 @@ DNS names may be complete (optionally terminated with a ``.'')
 or incomplete, and are looked up as specified by local system configuration
 (see
 .IR resolver (5)).
-The
-.I h_addr
-value returned by
-.IR gethostbyname2 (3)
+The first value returned by
+.IR getaddrinfo (3)
 is used,
 so with current DNS implementations,
 the result when the name corresponds to more than one address is
@@ -126,7 +124,7 @@ difficult to predict.
 IPv4 name lookup resorts to
 .IR getnetbyname (3)
 only if
-.IR gethostbyname2 (3)
+.IR getaddrinfo (3)
 fails.
 .PP
 A subnet specification is of the form \fInetwork\fB/\fImask\fR.
diff --git a/src/libfreeswan/ttoaddr.c b/src/libfreeswan/ttoaddr.c
index e4ceec863..bda2be5ed 100644
--- a/src/libfreeswan/ttoaddr.c
+++ b/src/libfreeswan/ttoaddr.c
@@ -157,12 +157,15 @@ int nultermd;			/* is it known to be NUL-terminated? */
 int af;
 ip_address *dst;
 {
-	struct hostent *h;
+	struct addrinfo hints, *res;
 	struct netent *ne = NULL;
 	char namebuf[100];	/* enough for most DNS names */
 	const char *cp;
 	char *p = namebuf;
+	unsigned char *addr = NULL;
 	size_t n;
+	int error;
+	err_t err = NULL;
 
 	for (cp = src, n = srclen; n > 0; cp++, n--)
 		if (ISASCII(*cp) && strchr(namechars, *cp) == NULL)
@@ -181,25 +184,67 @@ ip_address *dst;
 		cp = (const char *)p;
 	}
 
-	h = gethostbyname2(cp, af);
-	if (h == NULL && af == AF_INET)
-		ne = getnetbyname(cp);
+	memset(&hints, 0, sizeof(hints));
+	hints.ai_family = af;
+	error = getaddrinfo(cp, NULL, &hints, &res);
+	if (error != 0)
+	{	/* getaddrinfo failed, try getnetbyname */
+		if (af == AF_INET)
+		{
+			ne = getnetbyname(cp);
+			if (ne != NULL)
+			{
+				ne->n_net = htonl(ne->n_net);
+				addr = (unsigned char*)&ne->n_net;
+				err = initaddr(addr, sizeof(ne->n_net), af, dst);
+			}
+		}
+	}
+	else
+	{
+		struct addrinfo *r = res;
+		while (r)
+		{
+			size_t addr_len;
+			switch (r->ai_family)
+			{
+				case AF_INET:
+				{
+					struct sockaddr_in *in = (struct sockaddr_in*)r->ai_addr;
+					addr_len = 4;
+					addr = (unsigned char*)&in->sin_addr.s_addr;
+					break;
+				}
+				case AF_INET6:
+				{
+					struct sockaddr_in6 *in6 = (struct sockaddr_in6*)r->ai_addr;
+					addr_len = 16;
+					addr = (unsigned char*)&in6->sin6_addr.s6_addr;
+					break;
+				}
+				default:
+				{	/* unknown family, try next result */
+					r = r->ai_next;
+					continue;
+				}
+			}
+			err = initaddr(addr, addr_len, r->ai_family, dst);
+			break;
+		}
+		freeaddrinfo(res);
+	}
+
 	if (p != namebuf)
+	{
 		FREE(p);
-	if (h == NULL && ne == NULL)
-		return "does not look numeric and name lookup failed";
+	}
 
-	if (h != NULL) {
-		if (h->h_addrtype != af)
-			return "address-type mismatch from gethostbyname2!!!";
-		return initaddr((unsigned char *)h->h_addr, h->h_length, af, dst);
-	} else {
-		if (ne->n_addrtype != af)
-			return "address-type mismatch from getnetbyname!!!";
-		ne->n_net = htonl(ne->n_net);
-		return initaddr((unsigned char *)&ne->n_net, sizeof(ne->n_net),
-								af, dst);
+	if (addr == NULL)
+	{
+		return "does not look numeric and name lookup failed";
 	}
+
+	return err;
 }
 
 /*
diff --git a/src/libstrongswan/Makefile.am b/src/libstrongswan/Makefile.am
index 212b9547d..ee6996558 100644
--- a/src/libstrongswan/Makefile.am
+++ b/src/libstrongswan/Makefile.am
@@ -1,14 +1,6 @@
 lib_LTLIBRARIES = libstrongswan.la
 
-if USE_INTEGRITY_TEST
-  libstrongswan_la_SOURCES = \
-  fips/fips_canister_start.c \
-  fips/fips.c fips/fips.h
-else
-  libstrongswan_la_SOURCES =
-endif
-
-libstrongswan_la_SOURCES += \
+libstrongswan_la_SOURCES = \
 library.c library.h \
 chunk.c chunk.h \
 debug.c debug.h \
@@ -58,7 +50,7 @@ utils/mutex.c utils/mutex.h \
 utils/backtrace.c utils/backtrace.h \
 plugins/plugin_loader.c plugins/plugin_loader.h plugins/plugin.h
 
-libstrongswan_la_LIBADD = -lpthread $(DLLIB)
+libstrongswan_la_LIBADD = -lpthread $(DLLIB) $(BTLIB) $(SOCKLIB)
 
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
 AM_CFLAGS = \
@@ -76,8 +68,9 @@ if USE_LOCK_PROFILER
 endif
 
 if USE_INTEGRITY_TEST
+  AM_CFLAGS += -DINTEGRITY_TEST
   libstrongswan_la_SOURCES += \
-  fips/fips_canister_end.c
+    integrity_checker.c integrity_checker.h
 endif
 
 if USE_VSTR
@@ -204,7 +197,3 @@ endif
 if USE_TEST_VECTORS
   SUBDIRS += plugins/test_vectors
 endif
-
-if USE_INTEGRITY_TEST
-  SUBDIRS += fips
-endif
diff --git a/src/libstrongswan/Makefile.in b/src/libstrongswan/Makefile.in
index dd25f0526..ae751c098 100644
--- a/src/libstrongswan/Makefile.in
+++ b/src/libstrongswan/Makefile.in
@@ -37,31 +37,34 @@ host_triplet = @host@
 @USE_LEAK_DETECTIVE_TRUE@    utils/leak_detective.c utils/leak_detective.h
 
 @USE_LOCK_PROFILER_TRUE@am__append_3 = -DLOCK_PROFILER
-@USE_VSTR_TRUE@am__append_4 = -lvstr
-@USE_AES_TRUE@am__append_5 = plugins/aes
-@USE_DES_TRUE@am__append_6 = plugins/des
-@USE_BLOWFISH_TRUE@am__append_7 = plugins/blowfish
-@USE_MD4_TRUE@am__append_8 = plugins/md4
-@USE_MD5_TRUE@am__append_9 = plugins/md5
-@USE_SHA1_TRUE@am__append_10 = plugins/sha1
-@USE_SHA2_TRUE@am__append_11 = plugins/sha2
-@USE_FIPS_PRF_TRUE@am__append_12 = plugins/fips_prf
-@USE_GMP_TRUE@am__append_13 = plugins/gmp
-@USE_RANDOM_TRUE@am__append_14 = plugins/random
-@USE_HMAC_TRUE@am__append_15 = plugins/hmac
-@USE_XCBC_TRUE@am__append_16 = plugins/xcbc
-@USE_X509_TRUE@am__append_17 = plugins/x509
-@USE_PUBKEY_TRUE@am__append_18 = plugins/pubkey
-@USE_CURL_TRUE@am__append_19 = plugins/curl
-@USE_LDAP_TRUE@am__append_20 = plugins/ldap
-@USE_MYSQL_TRUE@am__append_21 = plugins/mysql
-@USE_SQLITE_TRUE@am__append_22 = plugins/sqlite
-@USE_PADLOCK_TRUE@am__append_23 = plugins/padlock
-@USE_OPENSSL_TRUE@am__append_24 = plugins/openssl
-@USE_GCRYPT_TRUE@am__append_25 = plugins/gcrypt
-@USE_AGENT_TRUE@am__append_26 = plugins/agent
-@USE_TEST_VECTORS_TRUE@am__append_27 = plugins/test_vectors
-@USE_INTEGRITY_TEST_TRUE@am__append_28 = fips
+@USE_INTEGRITY_TEST_TRUE@am__append_4 = -DINTEGRITY_TEST
+@USE_INTEGRITY_TEST_TRUE@am__append_5 = \
+@USE_INTEGRITY_TEST_TRUE@    integrity_checker.c integrity_checker.h
+
+@USE_VSTR_TRUE@am__append_6 = -lvstr
+@USE_AES_TRUE@am__append_7 = plugins/aes
+@USE_DES_TRUE@am__append_8 = plugins/des
+@USE_BLOWFISH_TRUE@am__append_9 = plugins/blowfish
+@USE_MD4_TRUE@am__append_10 = plugins/md4
+@USE_MD5_TRUE@am__append_11 = plugins/md5
+@USE_SHA1_TRUE@am__append_12 = plugins/sha1
+@USE_SHA2_TRUE@am__append_13 = plugins/sha2
+@USE_FIPS_PRF_TRUE@am__append_14 = plugins/fips_prf
+@USE_GMP_TRUE@am__append_15 = plugins/gmp
+@USE_RANDOM_TRUE@am__append_16 = plugins/random
+@USE_HMAC_TRUE@am__append_17 = plugins/hmac
+@USE_XCBC_TRUE@am__append_18 = plugins/xcbc
+@USE_X509_TRUE@am__append_19 = plugins/x509
+@USE_PUBKEY_TRUE@am__append_20 = plugins/pubkey
+@USE_CURL_TRUE@am__append_21 = plugins/curl
+@USE_LDAP_TRUE@am__append_22 = plugins/ldap
+@USE_MYSQL_TRUE@am__append_23 = plugins/mysql
+@USE_SQLITE_TRUE@am__append_24 = plugins/sqlite
+@USE_PADLOCK_TRUE@am__append_25 = plugins/padlock
+@USE_OPENSSL_TRUE@am__append_26 = plugins/openssl
+@USE_GCRYPT_TRUE@am__append_27 = plugins/gcrypt
+@USE_AGENT_TRUE@am__append_28 = plugins/agent
+@USE_TEST_VECTORS_TRUE@am__append_29 = plugins/test_vectors
 subdir = src/libstrongswan
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
@@ -81,6 +84,7 @@ libLTLIBRARIES_INSTALL = $(INSTALL)
 LTLIBRARIES = $(lib_LTLIBRARIES)
 am__DEPENDENCIES_1 =
 libstrongswan_la_DEPENDENCIES = $(am__DEPENDENCIES_1) \
+	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
 	$(am__DEPENDENCIES_1)
 am__libstrongswan_la_SOURCES_DIST = library.c library.h chunk.c \
 	chunk.h debug.c debug.h enum.c enum.h settings.h settings.c \
@@ -123,51 +127,20 @@ am__libstrongswan_la_SOURCES_DIST = library.c library.h chunk.c \
 	utils/backtrace.h plugins/plugin_loader.c \
 	plugins/plugin_loader.h plugins/plugin.h \
 	utils/leak_detective.c utils/leak_detective.h \
-	fips/fips_canister_start.c fips/fips.c fips/fips.h \
-	fips/fips_canister_end.c
+	integrity_checker.c integrity_checker.h
 @USE_LEAK_DETECTIVE_TRUE@am__objects_1 = leak_detective.lo
-@USE_INTEGRITY_TEST_FALSE@am_libstrongswan_la_OBJECTS = library.lo \
-@USE_INTEGRITY_TEST_FALSE@	chunk.lo debug.lo enum.lo \
-@USE_INTEGRITY_TEST_FALSE@	settings.lo printf_hook.lo asn1.lo \
-@USE_INTEGRITY_TEST_FALSE@	asn1_parser.lo oid.lo pem.lo \
-@USE_INTEGRITY_TEST_FALSE@	crypter.lo hasher.lo pkcs9.lo \
-@USE_INTEGRITY_TEST_FALSE@	proposal_keywords.lo prf.lo rng.lo \
-@USE_INTEGRITY_TEST_FALSE@	prf_plus.lo signer.lo \
-@USE_INTEGRITY_TEST_FALSE@	crypto_factory.lo crypto_tester.lo \
-@USE_INTEGRITY_TEST_FALSE@	diffie_hellman.lo transform.lo \
-@USE_INTEGRITY_TEST_FALSE@	credential_factory.lo builder.lo \
-@USE_INTEGRITY_TEST_FALSE@	private_key.lo public_key.lo \
-@USE_INTEGRITY_TEST_FALSE@	shared_key.lo certificate.lo x509.lo \
-@USE_INTEGRITY_TEST_FALSE@	crl.lo ocsp_response.lo \
-@USE_INTEGRITY_TEST_FALSE@	database_factory.lo \
-@USE_INTEGRITY_TEST_FALSE@	fetcher_manager.lo pgp.lo utils.lo \
-@USE_INTEGRITY_TEST_FALSE@	host.lo identification.lo \
-@USE_INTEGRITY_TEST_FALSE@	lexparser.lo linked_list.lo \
-@USE_INTEGRITY_TEST_FALSE@	hashtable.lo enumerator.lo \
-@USE_INTEGRITY_TEST_FALSE@	optionsfrom.lo mutex.lo backtrace.lo \
-@USE_INTEGRITY_TEST_FALSE@	plugin_loader.lo $(am__objects_1)
-@USE_INTEGRITY_TEST_TRUE@am_libstrongswan_la_OBJECTS =  \
-@USE_INTEGRITY_TEST_TRUE@	fips_canister_start.lo fips.lo \
-@USE_INTEGRITY_TEST_TRUE@	library.lo chunk.lo debug.lo enum.lo \
-@USE_INTEGRITY_TEST_TRUE@	settings.lo printf_hook.lo asn1.lo \
-@USE_INTEGRITY_TEST_TRUE@	asn1_parser.lo oid.lo pem.lo \
-@USE_INTEGRITY_TEST_TRUE@	crypter.lo hasher.lo pkcs9.lo \
-@USE_INTEGRITY_TEST_TRUE@	proposal_keywords.lo prf.lo rng.lo \
-@USE_INTEGRITY_TEST_TRUE@	prf_plus.lo signer.lo \
-@USE_INTEGRITY_TEST_TRUE@	crypto_factory.lo crypto_tester.lo \
-@USE_INTEGRITY_TEST_TRUE@	diffie_hellman.lo transform.lo \
-@USE_INTEGRITY_TEST_TRUE@	credential_factory.lo builder.lo \
-@USE_INTEGRITY_TEST_TRUE@	private_key.lo public_key.lo \
-@USE_INTEGRITY_TEST_TRUE@	shared_key.lo certificate.lo x509.lo \
-@USE_INTEGRITY_TEST_TRUE@	crl.lo ocsp_response.lo \
-@USE_INTEGRITY_TEST_TRUE@	database_factory.lo \
-@USE_INTEGRITY_TEST_TRUE@	fetcher_manager.lo pgp.lo utils.lo \
-@USE_INTEGRITY_TEST_TRUE@	host.lo identification.lo \
-@USE_INTEGRITY_TEST_TRUE@	lexparser.lo linked_list.lo \
-@USE_INTEGRITY_TEST_TRUE@	hashtable.lo enumerator.lo \
-@USE_INTEGRITY_TEST_TRUE@	optionsfrom.lo mutex.lo backtrace.lo \
-@USE_INTEGRITY_TEST_TRUE@	plugin_loader.lo $(am__objects_1) \
-@USE_INTEGRITY_TEST_TRUE@	fips_canister_end.lo
+@USE_INTEGRITY_TEST_TRUE@am__objects_2 = integrity_checker.lo
+am_libstrongswan_la_OBJECTS = library.lo chunk.lo debug.lo enum.lo \
+	settings.lo printf_hook.lo asn1.lo asn1_parser.lo oid.lo \
+	pem.lo crypter.lo hasher.lo pkcs9.lo proposal_keywords.lo \
+	prf.lo rng.lo prf_plus.lo signer.lo crypto_factory.lo \
+	crypto_tester.lo diffie_hellman.lo transform.lo \
+	credential_factory.lo builder.lo private_key.lo public_key.lo \
+	shared_key.lo certificate.lo x509.lo crl.lo ocsp_response.lo \
+	database_factory.lo fetcher_manager.lo pgp.lo utils.lo host.lo \
+	identification.lo lexparser.lo linked_list.lo hashtable.lo \
+	enumerator.lo optionsfrom.lo mutex.lo backtrace.lo \
+	plugin_loader.lo $(am__objects_1) $(am__objects_2)
 libstrongswan_la_OBJECTS = $(am_libstrongswan_la_OBJECTS)
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
@@ -199,15 +172,17 @@ DIST_SUBDIRS = . plugins/aes plugins/des plugins/blowfish plugins/md4 \
 	plugins/gmp plugins/random plugins/hmac plugins/xcbc \
 	plugins/x509 plugins/pubkey plugins/curl plugins/ldap \
 	plugins/mysql plugins/sqlite plugins/padlock plugins/openssl \
-	plugins/gcrypt plugins/agent plugins/test_vectors fips
+	plugins/gcrypt plugins/agent plugins/test_vectors
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
@@ -272,6 +247,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
 VERSION = @VERSION@
 YACC = @YACC@
@@ -312,7 +288,9 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
@@ -347,154 +325,52 @@ top_srcdir = @top_srcdir@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 lib_LTLIBRARIES = libstrongswan.la
-@USE_INTEGRITY_TEST_FALSE@libstrongswan_la_SOURCES = library.c \
-@USE_INTEGRITY_TEST_FALSE@	library.h chunk.c chunk.h debug.c \
-@USE_INTEGRITY_TEST_FALSE@	debug.h enum.c enum.h settings.h \
-@USE_INTEGRITY_TEST_FALSE@	settings.c printf_hook.c \
-@USE_INTEGRITY_TEST_FALSE@	printf_hook.h asn1/asn1.c \
-@USE_INTEGRITY_TEST_FALSE@	asn1/asn1.h asn1/asn1_parser.c \
-@USE_INTEGRITY_TEST_FALSE@	asn1/asn1_parser.h asn1/oid.c \
-@USE_INTEGRITY_TEST_FALSE@	asn1/oid.h asn1/pem.c asn1/pem.h \
-@USE_INTEGRITY_TEST_FALSE@	crypto/crypters/crypter.c \
-@USE_INTEGRITY_TEST_FALSE@	crypto/crypters/crypter.h \
-@USE_INTEGRITY_TEST_FALSE@	crypto/hashers/hasher.h \
-@USE_INTEGRITY_TEST_FALSE@	crypto/hashers/hasher.c \
-@USE_INTEGRITY_TEST_FALSE@	crypto/pkcs9.c crypto/pkcs9.h \
-@USE_INTEGRITY_TEST_FALSE@	crypto/proposal/proposal_keywords.c \
-@USE_INTEGRITY_TEST_FALSE@	crypto/proposal/proposal_keywords.h \
-@USE_INTEGRITY_TEST_FALSE@	crypto/prfs/prf.c crypto/prfs/prf.h \
-@USE_INTEGRITY_TEST_FALSE@	crypto/rngs/rng.c crypto/rngs/rng.h \
-@USE_INTEGRITY_TEST_FALSE@	crypto/prf_plus.h crypto/prf_plus.c \
-@USE_INTEGRITY_TEST_FALSE@	crypto/signers/signer.c \
-@USE_INTEGRITY_TEST_FALSE@	crypto/signers/signer.h \
-@USE_INTEGRITY_TEST_FALSE@	crypto/crypto_factory.c \
-@USE_INTEGRITY_TEST_FALSE@	crypto/crypto_factory.h \
-@USE_INTEGRITY_TEST_FALSE@	crypto/crypto_tester.c \
-@USE_INTEGRITY_TEST_FALSE@	crypto/crypto_tester.h \
-@USE_INTEGRITY_TEST_FALSE@	crypto/diffie_hellman.c \
-@USE_INTEGRITY_TEST_FALSE@	crypto/diffie_hellman.h \
-@USE_INTEGRITY_TEST_FALSE@	crypto/transform.c \
-@USE_INTEGRITY_TEST_FALSE@	crypto/transform.h \
-@USE_INTEGRITY_TEST_FALSE@	credentials/credential_factory.c \
-@USE_INTEGRITY_TEST_FALSE@	credentials/credential_factory.h \
-@USE_INTEGRITY_TEST_FALSE@	credentials/builder.c \
-@USE_INTEGRITY_TEST_FALSE@	credentials/builder.h \
-@USE_INTEGRITY_TEST_FALSE@	credentials/keys/private_key.c \
-@USE_INTEGRITY_TEST_FALSE@	credentials/keys/private_key.h \
-@USE_INTEGRITY_TEST_FALSE@	credentials/keys/public_key.c \
-@USE_INTEGRITY_TEST_FALSE@	credentials/keys/public_key.h \
-@USE_INTEGRITY_TEST_FALSE@	credentials/keys/shared_key.c \
-@USE_INTEGRITY_TEST_FALSE@	credentials/keys/shared_key.h \
-@USE_INTEGRITY_TEST_FALSE@	credentials/certificates/certificate.c \
-@USE_INTEGRITY_TEST_FALSE@	credentials/certificates/certificate.h \
-@USE_INTEGRITY_TEST_FALSE@	credentials/certificates/x509.h \
-@USE_INTEGRITY_TEST_FALSE@	credentials/certificates/x509.c \
-@USE_INTEGRITY_TEST_FALSE@	credentials/certificates/ac.h \
-@USE_INTEGRITY_TEST_FALSE@	credentials/certificates/crl.h \
-@USE_INTEGRITY_TEST_FALSE@	credentials/certificates/crl.c \
-@USE_INTEGRITY_TEST_FALSE@	credentials/certificates/ocsp_request.h \
-@USE_INTEGRITY_TEST_FALSE@	credentials/certificates/ocsp_response.h \
-@USE_INTEGRITY_TEST_FALSE@	credentials/certificates/ocsp_response.c \
-@USE_INTEGRITY_TEST_FALSE@	database/database.h \
-@USE_INTEGRITY_TEST_FALSE@	database/database_factory.h \
-@USE_INTEGRITY_TEST_FALSE@	database/database_factory.c \
-@USE_INTEGRITY_TEST_FALSE@	fetcher/fetcher.h \
-@USE_INTEGRITY_TEST_FALSE@	fetcher/fetcher_manager.h \
-@USE_INTEGRITY_TEST_FALSE@	fetcher/fetcher_manager.c pgp/pgp.c \
-@USE_INTEGRITY_TEST_FALSE@	pgp/pgp.h utils.h utils.c \
-@USE_INTEGRITY_TEST_FALSE@	utils/host.c utils/host.h \
-@USE_INTEGRITY_TEST_FALSE@	utils/identification.c \
-@USE_INTEGRITY_TEST_FALSE@	utils/identification.h \
-@USE_INTEGRITY_TEST_FALSE@	utils/iterator.h utils/lexparser.c \
-@USE_INTEGRITY_TEST_FALSE@	utils/lexparser.h \
-@USE_INTEGRITY_TEST_FALSE@	utils/linked_list.c \
-@USE_INTEGRITY_TEST_FALSE@	utils/linked_list.h \
-@USE_INTEGRITY_TEST_FALSE@	utils/hashtable.c utils/hashtable.h \
-@USE_INTEGRITY_TEST_FALSE@	utils/enumerator.c \
-@USE_INTEGRITY_TEST_FALSE@	utils/enumerator.h \
-@USE_INTEGRITY_TEST_FALSE@	utils/optionsfrom.c \
-@USE_INTEGRITY_TEST_FALSE@	utils/optionsfrom.h utils/mutex.c \
-@USE_INTEGRITY_TEST_FALSE@	utils/mutex.h utils/backtrace.c \
-@USE_INTEGRITY_TEST_FALSE@	utils/backtrace.h \
-@USE_INTEGRITY_TEST_FALSE@	plugins/plugin_loader.c \
-@USE_INTEGRITY_TEST_FALSE@	plugins/plugin_loader.h \
-@USE_INTEGRITY_TEST_FALSE@	plugins/plugin.h $(am__append_2)
-@USE_INTEGRITY_TEST_TRUE@libstrongswan_la_SOURCES =  \
-@USE_INTEGRITY_TEST_TRUE@	fips/fips_canister_start.c \
-@USE_INTEGRITY_TEST_TRUE@	fips/fips.c fips/fips.h library.c \
-@USE_INTEGRITY_TEST_TRUE@	library.h chunk.c chunk.h debug.c \
-@USE_INTEGRITY_TEST_TRUE@	debug.h enum.c enum.h settings.h \
-@USE_INTEGRITY_TEST_TRUE@	settings.c printf_hook.c \
-@USE_INTEGRITY_TEST_TRUE@	printf_hook.h asn1/asn1.c asn1/asn1.h \
-@USE_INTEGRITY_TEST_TRUE@	asn1/asn1_parser.c asn1/asn1_parser.h \
-@USE_INTEGRITY_TEST_TRUE@	asn1/oid.c asn1/oid.h asn1/pem.c \
-@USE_INTEGRITY_TEST_TRUE@	asn1/pem.h crypto/crypters/crypter.c \
-@USE_INTEGRITY_TEST_TRUE@	crypto/crypters/crypter.h \
-@USE_INTEGRITY_TEST_TRUE@	crypto/hashers/hasher.h \
-@USE_INTEGRITY_TEST_TRUE@	crypto/hashers/hasher.c \
-@USE_INTEGRITY_TEST_TRUE@	crypto/pkcs9.c crypto/pkcs9.h \
-@USE_INTEGRITY_TEST_TRUE@	crypto/proposal/proposal_keywords.c \
-@USE_INTEGRITY_TEST_TRUE@	crypto/proposal/proposal_keywords.h \
-@USE_INTEGRITY_TEST_TRUE@	crypto/prfs/prf.c crypto/prfs/prf.h \
-@USE_INTEGRITY_TEST_TRUE@	crypto/rngs/rng.c crypto/rngs/rng.h \
-@USE_INTEGRITY_TEST_TRUE@	crypto/prf_plus.h crypto/prf_plus.c \
-@USE_INTEGRITY_TEST_TRUE@	crypto/signers/signer.c \
-@USE_INTEGRITY_TEST_TRUE@	crypto/signers/signer.h \
-@USE_INTEGRITY_TEST_TRUE@	crypto/crypto_factory.c \
-@USE_INTEGRITY_TEST_TRUE@	crypto/crypto_factory.h \
-@USE_INTEGRITY_TEST_TRUE@	crypto/crypto_tester.c \
-@USE_INTEGRITY_TEST_TRUE@	crypto/crypto_tester.h \
-@USE_INTEGRITY_TEST_TRUE@	crypto/diffie_hellman.c \
-@USE_INTEGRITY_TEST_TRUE@	crypto/diffie_hellman.h \
-@USE_INTEGRITY_TEST_TRUE@	crypto/transform.c crypto/transform.h \
-@USE_INTEGRITY_TEST_TRUE@	credentials/credential_factory.c \
-@USE_INTEGRITY_TEST_TRUE@	credentials/credential_factory.h \
-@USE_INTEGRITY_TEST_TRUE@	credentials/builder.c \
-@USE_INTEGRITY_TEST_TRUE@	credentials/builder.h \
-@USE_INTEGRITY_TEST_TRUE@	credentials/keys/private_key.c \
-@USE_INTEGRITY_TEST_TRUE@	credentials/keys/private_key.h \
-@USE_INTEGRITY_TEST_TRUE@	credentials/keys/public_key.c \
-@USE_INTEGRITY_TEST_TRUE@	credentials/keys/public_key.h \
-@USE_INTEGRITY_TEST_TRUE@	credentials/keys/shared_key.c \
-@USE_INTEGRITY_TEST_TRUE@	credentials/keys/shared_key.h \
-@USE_INTEGRITY_TEST_TRUE@	credentials/certificates/certificate.c \
-@USE_INTEGRITY_TEST_TRUE@	credentials/certificates/certificate.h \
-@USE_INTEGRITY_TEST_TRUE@	credentials/certificates/x509.h \
-@USE_INTEGRITY_TEST_TRUE@	credentials/certificates/x509.c \
-@USE_INTEGRITY_TEST_TRUE@	credentials/certificates/ac.h \
-@USE_INTEGRITY_TEST_TRUE@	credentials/certificates/crl.h \
-@USE_INTEGRITY_TEST_TRUE@	credentials/certificates/crl.c \
-@USE_INTEGRITY_TEST_TRUE@	credentials/certificates/ocsp_request.h \
-@USE_INTEGRITY_TEST_TRUE@	credentials/certificates/ocsp_response.h \
-@USE_INTEGRITY_TEST_TRUE@	credentials/certificates/ocsp_response.c \
-@USE_INTEGRITY_TEST_TRUE@	database/database.h \
-@USE_INTEGRITY_TEST_TRUE@	database/database_factory.h \
-@USE_INTEGRITY_TEST_TRUE@	database/database_factory.c \
-@USE_INTEGRITY_TEST_TRUE@	fetcher/fetcher.h \
-@USE_INTEGRITY_TEST_TRUE@	fetcher/fetcher_manager.h \
-@USE_INTEGRITY_TEST_TRUE@	fetcher/fetcher_manager.c pgp/pgp.c \
-@USE_INTEGRITY_TEST_TRUE@	pgp/pgp.h utils.h utils.c \
-@USE_INTEGRITY_TEST_TRUE@	utils/host.c utils/host.h \
-@USE_INTEGRITY_TEST_TRUE@	utils/identification.c \
-@USE_INTEGRITY_TEST_TRUE@	utils/identification.h \
-@USE_INTEGRITY_TEST_TRUE@	utils/iterator.h utils/lexparser.c \
-@USE_INTEGRITY_TEST_TRUE@	utils/lexparser.h utils/linked_list.c \
-@USE_INTEGRITY_TEST_TRUE@	utils/linked_list.h utils/hashtable.c \
-@USE_INTEGRITY_TEST_TRUE@	utils/hashtable.h utils/enumerator.c \
-@USE_INTEGRITY_TEST_TRUE@	utils/enumerator.h \
-@USE_INTEGRITY_TEST_TRUE@	utils/optionsfrom.c \
-@USE_INTEGRITY_TEST_TRUE@	utils/optionsfrom.h utils/mutex.c \
-@USE_INTEGRITY_TEST_TRUE@	utils/mutex.h utils/backtrace.c \
-@USE_INTEGRITY_TEST_TRUE@	utils/backtrace.h \
-@USE_INTEGRITY_TEST_TRUE@	plugins/plugin_loader.c \
-@USE_INTEGRITY_TEST_TRUE@	plugins/plugin_loader.h \
-@USE_INTEGRITY_TEST_TRUE@	plugins/plugin.h $(am__append_2) \
-@USE_INTEGRITY_TEST_TRUE@	fips/fips_canister_end.c
-libstrongswan_la_LIBADD = -lpthread $(DLLIB) $(am__append_4)
+libstrongswan_la_SOURCES = library.c library.h chunk.c chunk.h debug.c \
+	debug.h enum.c enum.h settings.h settings.c printf_hook.c \
+	printf_hook.h asn1/asn1.c asn1/asn1.h asn1/asn1_parser.c \
+	asn1/asn1_parser.h asn1/oid.c asn1/oid.h asn1/pem.c asn1/pem.h \
+	crypto/crypters/crypter.c crypto/crypters/crypter.h \
+	crypto/hashers/hasher.h crypto/hashers/hasher.c crypto/pkcs9.c \
+	crypto/pkcs9.h crypto/proposal/proposal_keywords.c \
+	crypto/proposal/proposal_keywords.h crypto/prfs/prf.c \
+	crypto/prfs/prf.h crypto/rngs/rng.c crypto/rngs/rng.h \
+	crypto/prf_plus.h crypto/prf_plus.c crypto/signers/signer.c \
+	crypto/signers/signer.h crypto/crypto_factory.c \
+	crypto/crypto_factory.h crypto/crypto_tester.c \
+	crypto/crypto_tester.h crypto/diffie_hellman.c \
+	crypto/diffie_hellman.h crypto/transform.c crypto/transform.h \
+	credentials/credential_factory.c \
+	credentials/credential_factory.h credentials/builder.c \
+	credentials/builder.h credentials/keys/private_key.c \
+	credentials/keys/private_key.h credentials/keys/public_key.c \
+	credentials/keys/public_key.h credentials/keys/shared_key.c \
+	credentials/keys/shared_key.h \
+	credentials/certificates/certificate.c \
+	credentials/certificates/certificate.h \
+	credentials/certificates/x509.h \
+	credentials/certificates/x509.c credentials/certificates/ac.h \
+	credentials/certificates/crl.h credentials/certificates/crl.c \
+	credentials/certificates/ocsp_request.h \
+	credentials/certificates/ocsp_response.h \
+	credentials/certificates/ocsp_response.c database/database.h \
+	database/database_factory.h database/database_factory.c \
+	fetcher/fetcher.h fetcher/fetcher_manager.h \
+	fetcher/fetcher_manager.c pgp/pgp.c pgp/pgp.h utils.h utils.c \
+	utils/host.c utils/host.h utils/identification.c \
+	utils/identification.h utils/iterator.h utils/lexparser.c \
+	utils/lexparser.h utils/linked_list.c utils/linked_list.h \
+	utils/hashtable.c utils/hashtable.h utils/enumerator.c \
+	utils/enumerator.h utils/optionsfrom.c utils/optionsfrom.h \
+	utils/mutex.c utils/mutex.h utils/backtrace.c \
+	utils/backtrace.h plugins/plugin_loader.c \
+	plugins/plugin_loader.h plugins/plugin.h $(am__append_2) \
+	$(am__append_5)
+libstrongswan_la_LIBADD = -lpthread $(DLLIB) $(BTLIB) $(SOCKLIB) \
+	$(am__append_6)
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
 AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" \
 	-DIPSEC_PLUGINDIR=\"${plugindir}\" $(am__append_1) \
-	$(am__append_3)
+	$(am__append_3) $(am__append_4)
 EXTRA_DIST = \
 asn1/oid.txt asn1/oid.pl \
 crypto/proposal/proposal_keywords.txt
@@ -510,14 +386,14 @@ $(srcdir)/crypto/proposal/proposal_keywords.c
 
 # build plugins with their own Makefile
 #######################################
-SUBDIRS = . $(am__append_5) $(am__append_6) $(am__append_7) \
-	$(am__append_8) $(am__append_9) $(am__append_10) \
-	$(am__append_11) $(am__append_12) $(am__append_13) \
-	$(am__append_14) $(am__append_15) $(am__append_16) \
-	$(am__append_17) $(am__append_18) $(am__append_19) \
-	$(am__append_20) $(am__append_21) $(am__append_22) \
-	$(am__append_23) $(am__append_24) $(am__append_25) \
-	$(am__append_26) $(am__append_27) $(am__append_28)
+SUBDIRS = . $(am__append_7) $(am__append_8) $(am__append_9) \
+	$(am__append_10) $(am__append_11) $(am__append_12) \
+	$(am__append_13) $(am__append_14) $(am__append_15) \
+	$(am__append_16) $(am__append_17) $(am__append_18) \
+	$(am__append_19) $(am__append_20) $(am__append_21) \
+	$(am__append_22) $(am__append_23) $(am__append_24) \
+	$(am__append_25) $(am__append_26) $(am__append_27) \
+	$(am__append_28) $(am__append_29)
 all: $(BUILT_SOURCES)
 	$(MAKE) $(AM_MAKEFLAGS) all-recursive
 
@@ -605,13 +481,11 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/enum.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/enumerator.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fetcher_manager.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fips.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fips_canister_end.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fips_canister_start.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hasher.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hashtable.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/host.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/identification.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/integrity_checker.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/leak_detective.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/lexparser.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/library.Plo@am__quote@
@@ -932,27 +806,6 @@ leak_detective.lo: utils/leak_detective.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o leak_detective.lo `test -f 'utils/leak_detective.c' || echo '$(srcdir)/'`utils/leak_detective.c
 
-fips_canister_start.lo: fips/fips_canister_start.c
-@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT fips_canister_start.lo -MD -MP -MF $(DEPDIR)/fips_canister_start.Tpo -c -o fips_canister_start.lo `test -f 'fips/fips_canister_start.c' || echo '$(srcdir)/'`fips/fips_canister_start.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/fips_canister_start.Tpo $(DEPDIR)/fips_canister_start.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='fips/fips_canister_start.c' object='fips_canister_start.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o fips_canister_start.lo `test -f 'fips/fips_canister_start.c' || echo '$(srcdir)/'`fips/fips_canister_start.c
-
-fips.lo: fips/fips.c
-@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT fips.lo -MD -MP -MF $(DEPDIR)/fips.Tpo -c -o fips.lo `test -f 'fips/fips.c' || echo '$(srcdir)/'`fips/fips.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/fips.Tpo $(DEPDIR)/fips.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='fips/fips.c' object='fips.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o fips.lo `test -f 'fips/fips.c' || echo '$(srcdir)/'`fips/fips.c
-
-fips_canister_end.lo: fips/fips_canister_end.c
-@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT fips_canister_end.lo -MD -MP -MF $(DEPDIR)/fips_canister_end.Tpo -c -o fips_canister_end.lo `test -f 'fips/fips_canister_end.c' || echo '$(srcdir)/'`fips/fips_canister_end.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/fips_canister_end.Tpo $(DEPDIR)/fips_canister_end.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='fips/fips_canister_end.c' object='fips_canister_end.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o fips_canister_end.lo `test -f 'fips/fips_canister_end.c' || echo '$(srcdir)/'`fips/fips_canister_end.c
-
 mostlyclean-libtool:
 	-rm -f *.lo
 
diff --git a/src/libstrongswan/asn1/asn1.c b/src/libstrongswan/asn1/asn1.c
index d2078cbbc..ec46b165b 100644
--- a/src/libstrongswan/asn1/asn1.c
+++ b/src/libstrongswan/asn1/asn1.c
@@ -260,25 +260,32 @@ size_t asn1_length(chunk_t *blob)
 	u_char n;
 	size_t len;
 	
-	/* advance from tag field on to length field */
-	blob->ptr++;
-	blob->len--;
+	if (blob->len < 2)
+	{
+		DBG2("insufficient number of octets to parse ASN.1 length");
+		return ASN1_INVALID_LENGTH;
+	}
 	
-	/* read first octet of length field */
-	n = *blob->ptr++;
-	blob->len--;
+	/* read length field, skip tag and length */
+	n = blob->ptr[1];
+	*blob = chunk_skip(*blob, 2);
 	
 	if ((n & 0x80) == 0) 
-	{/* single length octet */
+	{	/* single length octet */
+		if (n > blob->len)
+		{
+			DBG2("length is larger than remaining blob size");
+			return ASN1_INVALID_LENGTH;
+		}
 		return n;
 	}
 	
 	/* composite length, determine number of length octets */
 	n &= 0x7f;
 	
-	if (n > blob->len)
+	if (n == 0 || n > blob->len)
 	{
-		DBG2("number of length octets is larger than ASN.1 object");
+		DBG2("number of length octets invalid");
 		return ASN1_INVALID_LENGTH;
 	}
 	
@@ -304,6 +311,53 @@ size_t asn1_length(chunk_t *blob)
 	return len;
 }
 
+/*
+ * See header.
+ */
+int asn1_unwrap(chunk_t *blob, chunk_t *inner)
+{
+	chunk_t res;
+	u_char len;
+	int type;
+	
+	if (blob->len < 2)
+	{
+		return ASN1_INVALID;
+	}
+	type = blob->ptr[0];
+	len = blob->ptr[1];
+	*blob = chunk_skip(*blob, 2);
+	
+	if ((len & 0x80) == 0)
+	{	/* single length octet */
+		res.len = len;
+	}
+	else
+	{	/* composite length, determine number of length octets */
+		len &= 0x7f;
+		if (len == 0 || len > sizeof(res.len))
+		{
+			return ASN1_INVALID;
+		}
+		res.len = 0;
+		while (len-- > 0)
+		{
+			res.len = 256 * res.len + blob->ptr[0];
+			*blob = chunk_skip(*blob, 1);
+		}
+	}
+	if (res.len > blob->len)
+	{
+		return ASN1_INVALID;
+	}
+	res.ptr = blob->ptr;
+	*blob = chunk_skip(*blob, res.len);
+	/* updating inner not before we are finished allows a caller to pass
+	 * blob = inner */
+	*inner = res;
+	return type;
+}
+
 #define TIME_MAX	0x7fffffff
 
 static const int days[] = { 0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334 };
diff --git a/src/libstrongswan/asn1/asn1.h b/src/libstrongswan/asn1/asn1.h
index 6a2b594c0..8072d62d6 100644
--- a/src/libstrongswan/asn1/asn1.h
+++ b/src/libstrongswan/asn1/asn1.h
@@ -74,7 +74,9 @@ typedef enum {
     ASN1_CONTEXT_C_2 =		0xA2,
     ASN1_CONTEXT_C_3 =		0xA3,
     ASN1_CONTEXT_C_4 =		0xA4,
-    ASN1_CONTEXT_C_5 =		0xA5
+    ASN1_CONTEXT_C_5 =		0xA5,
+
+    ASN1_INVALID = 			0x100,
 } asn1_t;
 
 #define ASN1_INVALID_LENGTH	0xffffffff
@@ -122,6 +124,15 @@ chunk_t asn1_build_known_oid(int n);
  */
 size_t asn1_length(chunk_t *blob);
 
+/**
+ * Unwrap the inner content of an ASN.1 type/length wrapped object.
+ *
+ * @param blob		blob to parse header from, moved behind parsed content
+ * @param content	inner content
+ * @return			parsed type, ASN1_INVALID if length parsing failed
+ */
+int asn1_unwrap(chunk_t *blob, chunk_t *content);
+
 /**
  * Parses an ASN.1 algorithmIdentifier object
  *
diff --git a/src/libstrongswan/asn1/oid.c b/src/libstrongswan/asn1/oid.c
index 53657b514..391d65e89 100644
--- a/src/libstrongswan/asn1/oid.c
+++ b/src/libstrongswan/asn1/oid.c
@@ -62,7 +62,7 @@ const oid_t oid_names[] = {
  {    0x25,                  50, 0,  2, "extendedKeyUsage"          }, /*  49 */
  {    0x37,                  51, 0,  2, "targetInformation"         }, /*  50 */
  {    0x38,                   0, 0,  2, "noRevAvail"                }, /*  51 */
- {0x2A,                     143, 1,  0, ""                          }, /*  52 */
+ {0x2A,                     149, 1,  0, ""                          }, /*  52 */
  {  0x83,                    65, 1,  1, ""                          }, /*  53 */
  {    0x08,                   0, 1,  2, "jp"                        }, /*  54 */
  {      0x8C,                 0, 1,  3, ""                          }, /*  55 */
@@ -77,7 +77,7 @@ const oid_t oid_names[] = {
  {                    0x04,   0, 0, 10, "camellia256-cbc"           }, /*  64 */
  {  0x86,                     0, 1,  1, ""                          }, /*  65 */
  {    0x48,                   0, 1,  2, "us"                        }, /*  66 */
- {      0x86,               107, 1,  3, ""                          }, /*  67 */
+ {      0x86,               108, 1,  3, ""                          }, /*  67 */
  {        0xF6,              73, 1,  4, ""                          }, /*  68 */
  {          0x7D,             0, 1,  5, "NortelNetworks"            }, /*  69 */
  {            0x07,           0, 1,  6, "Entrust"                   }, /*  70 */
@@ -85,225 +85,231 @@ const oid_t oid_names[] = {
  {                0x00,       0, 0,  8, "entrustVersInfo"           }, /*  72 */
  {        0xF7,               0, 1,  4, ""                          }, /*  73 */
  {          0x0D,             0, 1,  5, "RSADSI"                    }, /*  74 */
- {            0x01,         102, 1,  6, "PKCS"                      }, /*  75 */
- {              0x01,        84, 1,  7, "PKCS-1"                    }, /*  76 */
+ {            0x01,         103, 1,  6, "PKCS"                      }, /*  75 */
+ {              0x01,        85, 1,  7, "PKCS-1"                    }, /*  76 */
  {                0x01,      78, 0,  8, "rsaEncryption"             }, /*  77 */
  {                0x02,      79, 0,  8, "md2WithRSAEncryption"      }, /*  78 */
  {                0x04,      80, 0,  8, "md5WithRSAEncryption"      }, /*  79 */
  {                0x05,      81, 0,  8, "sha-1WithRSAEncryption"    }, /*  80 */
  {                0x0B,      82, 0,  8, "sha256WithRSAEncryption"   }, /*  81 */
  {                0x0C,      83, 0,  8, "sha384WithRSAEncryption"   }, /*  82 */
- {                0x0D,       0, 0,  8, "sha512WithRSAEncryption"   }, /*  83 */
- {              0x07,        91, 1,  7, "PKCS-7"                    }, /*  84 */
- {                0x01,      86, 0,  8, "data"                      }, /*  85 */
- {                0x02,      87, 0,  8, "signedData"                }, /*  86 */
- {                0x03,      88, 0,  8, "envelopedData"             }, /*  87 */
- {                0x04,      89, 0,  8, "signedAndEnvelopedData"    }, /*  88 */
- {                0x05,      90, 0,  8, "digestedData"              }, /*  89 */
- {                0x06,       0, 0,  8, "encryptedData"             }, /*  90 */
- {              0x09,         0, 1,  7, "PKCS-9"                    }, /*  91 */
- {                0x01,      93, 0,  8, "E"                         }, /*  92 */
- {                0x02,      94, 0,  8, "unstructuredName"          }, /*  93 */
- {                0x03,      95, 0,  8, "contentType"               }, /*  94 */
- {                0x04,      96, 0,  8, "messageDigest"             }, /*  95 */
- {                0x05,      97, 0,  8, "signingTime"               }, /*  96 */
- {                0x06,      98, 0,  8, "counterSignature"          }, /*  97 */
- {                0x07,      99, 0,  8, "challengePassword"         }, /*  98 */
- {                0x08,     100, 0,  8, "unstructuredAddress"       }, /*  99 */
- {                0x0E,     101, 0,  8, "extensionRequest"          }, /* 100 */
- {                0x0F,       0, 0,  8, "S/MIME Capabilities"       }, /* 101 */
- {            0x02,         105, 1,  6, "digestAlgorithm"           }, /* 102 */
- {              0x02,       104, 0,  7, "md2"                       }, /* 103 */
- {              0x05,         0, 0,  7, "md5"                       }, /* 104 */
- {            0x03,           0, 1,  6, "encryptionAlgorithm"       }, /* 105 */
- {              0x07,         0, 0,  7, "3des-ede-cbc"              }, /* 106 */
- {      0xCE,                 0, 1,  3, ""                          }, /* 107 */
- {        0x3D,               0, 1,  4, "ansi-X9-62"                }, /* 108 */
- {          0x02,           111, 1,  5, "id-publicKeyType"          }, /* 109 */
- {            0x01,           0, 0,  6, "id-ecPublicKey"            }, /* 110 */
- {          0x03,           141, 1,  5, "ellipticCurve"             }, /* 111 */
- {            0x00,         133, 1,  6, "c-TwoCurve"                }, /* 112 */
- {              0x01,       114, 0,  7, "c2pnb163v1"                }, /* 113 */
- {              0x02,       115, 0,  7, "c2pnb163v2"                }, /* 114 */
- {              0x03,       116, 0,  7, "c2pnb163v3"                }, /* 115 */
- {              0x04,       117, 0,  7, "c2pnb176w1"                }, /* 116 */
- {              0x05,       118, 0,  7, "c2tnb191v1"                }, /* 117 */
- {              0x06,       119, 0,  7, "c2tnb191v2"                }, /* 118 */
- {              0x07,       120, 0,  7, "c2tnb191v3"                }, /* 119 */
- {              0x08,       121, 0,  7, "c2onb191v4"                }, /* 120 */
- {              0x09,       122, 0,  7, "c2onb191v5"                }, /* 121 */
- {              0x0A,       123, 0,  7, "c2pnb208w1"                }, /* 122 */
- {              0x0B,       124, 0,  7, "c2tnb239v1"                }, /* 123 */
- {              0x0C,       125, 0,  7, "c2tnb239v2"                }, /* 124 */
- {              0x0D,       126, 0,  7, "c2tnb239v3"                }, /* 125 */
- {              0x0E,       127, 0,  7, "c2onb239v4"                }, /* 126 */
- {              0x0F,       128, 0,  7, "c2onb239v5"                }, /* 127 */
- {              0x10,       129, 0,  7, "c2pnb272w1"                }, /* 128 */
- {              0x11,       130, 0,  7, "c2pnb304w1"                }, /* 129 */
- {              0x12,       131, 0,  7, "c2tnb359v1"                }, /* 130 */
- {              0x13,       132, 0,  7, "c2pnb368w1"                }, /* 131 */
- {              0x14,         0, 0,  7, "c2tnb431r1"                }, /* 132 */
- {            0x01,           0, 1,  6, "primeCurve"                }, /* 133 */
- {              0x01,       135, 0,  7, "prime192v1"                }, /* 134 */
- {              0x02,       136, 0,  7, "prime192v2"                }, /* 135 */
- {              0x03,       137, 0,  7, "prime192v3"                }, /* 136 */
- {              0x04,       138, 0,  7, "prime239v1"                }, /* 137 */
- {              0x05,       139, 0,  7, "prime239v2"                }, /* 138 */
- {              0x06,       140, 0,  7, "prime239v3"                }, /* 139 */
- {              0x07,         0, 0,  7, "prime256v1"                }, /* 140 */
- {          0x04,             0, 1,  5, "id-ecSigType"              }, /* 141 */
- {            0x01,           0, 0,  6, "ecdsa-with-SHA1"           }, /* 142 */
- {0x2B,                     243, 1,  0, ""                          }, /* 143 */
- {  0x06,                   196, 1,  1, "dod"                       }, /* 144 */
- {    0x01,                   0, 1,  2, "internet"                  }, /* 145 */
- {      0x04,               164, 1,  3, "private"                   }, /* 146 */
- {        0x01,               0, 1,  4, "enterprise"                }, /* 147 */
- {          0x82,           157, 1,  5, ""                          }, /* 148 */
- {            0x37,           0, 1,  6, "Microsoft"                 }, /* 149 */
- {              0x0A,       154, 1,  7, ""                          }, /* 150 */
- {                0x03,       0, 1,  8, ""                          }, /* 151 */
- {                  0x03,   153, 0,  9, "msSGC"                     }, /* 152 */
- {                  0x04,     0, 0,  9, "msEncryptingFileSystem"    }, /* 153 */
- {              0x14,         0, 1,  7, "msEnrollmentInfrastructure"}, /* 154 */
- {                0x02,       0, 1,  8, "msCertificateTypeExtension"}, /* 155 */
- {                  0x02,     0, 0,  9, "msSmartcardLogon"          }, /* 156 */
- {          0x89,             0, 1,  5, ""                          }, /* 157 */
- {            0x31,           0, 1,  6, ""                          }, /* 158 */
- {              0x01,         0, 1,  7, ""                          }, /* 159 */
- {                0x01,       0, 1,  8, ""                          }, /* 160 */
- {                  0x02,     0, 1,  9, ""                          }, /* 161 */
- {                    0x02, 163, 0, 10, ""                          }, /* 162 */
- {                    0x4B,   0, 0, 10, "TCGID"                     }, /* 163 */
- {      0x05,                 0, 1,  3, "security"                  }, /* 164 */
- {        0x05,               0, 1,  4, "mechanisms"                }, /* 165 */
- {          0x07,             0, 1,  5, "id-pkix"                   }, /* 166 */
- {            0x01,         169, 1,  6, "id-pe"                     }, /* 167 */
- {              0x01,         0, 0,  7, "authorityInfoAccess"       }, /* 168 */
- {            0x03,         179, 1,  6, "id-kp"                     }, /* 169 */
- {              0x01,       171, 0,  7, "serverAuth"                }, /* 170 */
- {              0x02,       172, 0,  7, "clientAuth"                }, /* 171 */
- {              0x03,       173, 0,  7, "codeSigning"               }, /* 172 */
- {              0x04,       174, 0,  7, "emailProtection"           }, /* 173 */
- {              0x05,       175, 0,  7, "ipsecEndSystem"            }, /* 174 */
- {              0x06,       176, 0,  7, "ipsecTunnel"               }, /* 175 */
- {              0x07,       177, 0,  7, "ipsecUser"                 }, /* 176 */
- {              0x08,       178, 0,  7, "timeStamping"              }, /* 177 */
- {              0x09,         0, 0,  7, "ocspSigning"               }, /* 178 */
- {            0x08,         181, 1,  6, "id-otherNames"             }, /* 179 */
- {              0x05,         0, 0,  7, "xmppAddr"                  }, /* 180 */
- {            0x0A,         186, 1,  6, "id-aca"                    }, /* 181 */
- {              0x01,       183, 0,  7, "authenticationInfo"        }, /* 182 */
- {              0x02,       184, 0,  7, "accessIdentity"            }, /* 183 */
- {              0x03,       185, 0,  7, "chargingIdentity"          }, /* 184 */
- {              0x04,         0, 0,  7, "group"                     }, /* 185 */
- {            0x30,           0, 1,  6, "id-ad"                     }, /* 186 */
- {              0x01,       195, 1,  7, "ocsp"                      }, /* 187 */
- {                0x01,     189, 0,  8, "basic"                     }, /* 188 */
- {                0x02,     190, 0,  8, "nonce"                     }, /* 189 */
- {                0x03,     191, 0,  8, "crl"                       }, /* 190 */
- {                0x04,     192, 0,  8, "response"                  }, /* 191 */
- {                0x05,     193, 0,  8, "noCheck"                   }, /* 192 */
- {                0x06,     194, 0,  8, "archiveCutoff"             }, /* 193 */
- {                0x07,       0, 0,  8, "serviceLocator"            }, /* 194 */
- {              0x02,         0, 0,  7, "caIssuers"                 }, /* 195 */
- {  0x0E,                   202, 1,  1, "oiw"                       }, /* 196 */
- {    0x03,                   0, 1,  2, "secsig"                    }, /* 197 */
- {      0x02,                 0, 1,  3, "algorithms"                }, /* 198 */
- {        0x07,             200, 0,  4, "des-cbc"                   }, /* 199 */
- {        0x1A,             201, 0,  4, "sha-1"                     }, /* 200 */
- {        0x1D,               0, 0,  4, "sha-1WithRSASignature"     }, /* 201 */
- {  0x24,                   209, 1,  1, "TeleTrusT"                 }, /* 202 */
- {    0x03,                   0, 1,  2, "algorithm"                 }, /* 203 */
- {      0x03,                 0, 1,  3, "signatureAlgorithm"        }, /* 204 */
- {        0x01,               0, 1,  4, "rsaSignature"              }, /* 205 */
- {          0x02,           207, 0,  5, "rsaSigWithripemd160"       }, /* 206 */
- {          0x03,           208, 0,  5, "rsaSigWithripemd128"       }, /* 207 */
- {          0x04,             0, 0,  5, "rsaSigWithripemd256"       }, /* 208 */
- {  0x81,                     0, 1,  1, ""                          }, /* 209 */
- {    0x04,                   0, 1,  2, "Certicom"                  }, /* 210 */
- {      0x00,                 0, 1,  3, "curve"                     }, /* 211 */
- {        0x01,             213, 0,  4, "sect163k1"                 }, /* 212 */
- {        0x02,             214, 0,  4, "sect163r1"                 }, /* 213 */
- {        0x03,             215, 0,  4, "sect239k1"                 }, /* 214 */
- {        0x04,             216, 0,  4, "sect113r1"                 }, /* 215 */
- {        0x05,             217, 0,  4, "sect113r2"                 }, /* 216 */
- {        0x06,             218, 0,  4, "secp112r1"                 }, /* 217 */
- {        0x07,             219, 0,  4, "secp112r2"                 }, /* 218 */
- {        0x08,             220, 0,  4, "secp160r1"                 }, /* 219 */
- {        0x09,             221, 0,  4, "secp160k1"                 }, /* 220 */
- {        0x0A,             222, 0,  4, "secp256k1"                 }, /* 221 */
- {        0x0F,             223, 0,  4, "sect163r2"                 }, /* 222 */
- {        0x10,             224, 0,  4, "sect283k1"                 }, /* 223 */
- {        0x11,             225, 0,  4, "sect283r1"                 }, /* 224 */
- {        0x16,             226, 0,  4, "sect131r1"                 }, /* 225 */
- {        0x17,             227, 0,  4, "sect131r2"                 }, /* 226 */
- {        0x18,             228, 0,  4, "sect193r1"                 }, /* 227 */
- {        0x19,             229, 0,  4, "sect193r2"                 }, /* 228 */
- {        0x1A,             230, 0,  4, "sect233k1"                 }, /* 229 */
- {        0x1B,             231, 0,  4, "sect233r1"                 }, /* 230 */
- {        0x1C,             232, 0,  4, "secp128r1"                 }, /* 231 */
- {        0x1D,             233, 0,  4, "secp128r2"                 }, /* 232 */
- {        0x1E,             234, 0,  4, "secp160r2"                 }, /* 233 */
- {        0x1F,             235, 0,  4, "secp192k1"                 }, /* 234 */
- {        0x20,             236, 0,  4, "secp224k1"                 }, /* 235 */
- {        0x21,             237, 0,  4, "secp224r1"                 }, /* 236 */
- {        0x22,             238, 0,  4, "secp384r1"                 }, /* 237 */
- {        0x23,             239, 0,  4, "secp521r1"                 }, /* 238 */
- {        0x24,             240, 0,  4, "sect409k1"                 }, /* 239 */
- {        0x25,             241, 0,  4, "sect409r1"                 }, /* 240 */
- {        0x26,             242, 0,  4, "sect571k1"                 }, /* 241 */
- {        0x27,               0, 0,  4, "sect571r1"                 }, /* 242 */
- {0x60,                       0, 1,  0, ""                          }, /* 243 */
- {  0x86,                     0, 1,  1, ""                          }, /* 244 */
- {    0x48,                   0, 1,  2, ""                          }, /* 245 */
- {      0x01,               289, 1,  3, "organization"              }, /* 246 */
- {        0x65,             265, 1,  4, "gov"                       }, /* 247 */
- {          0x03,             0, 1,  5, "csor"                      }, /* 248 */
- {            0x04,           0, 1,  6, "nistalgorithm"             }, /* 249 */
- {              0x01,       260, 1,  7, "aes"                       }, /* 250 */
- {                0x02,     252, 0,  8, "id-aes128-CBC"             }, /* 251 */
- {                0x06,     253, 0,  8, "id-aes128-GCM"             }, /* 252 */
- {                0x07,     254, 0,  8, "id-aes128-CCM"             }, /* 253 */
- {                0x16,     255, 0,  8, "id-aes192-CBC"             }, /* 254 */
- {                0x1A,     256, 0,  8, "id-aes192-GCM"             }, /* 255 */
- {                0x1B,     257, 0,  8, "id-aes192-CCM"             }, /* 256 */
- {                0x2A,     258, 0,  8, "id-aes256-CBC"             }, /* 257 */
- {                0x2E,     259, 0,  8, "id-aes256-GCM"             }, /* 258 */
- {                0x2F,       0, 0,  8, "id-aes256-CCM"             }, /* 259 */
- {              0x02,         0, 1,  7, "hashalgs"                  }, /* 260 */
- {                0x01,     262, 0,  8, "id-SHA-256"                }, /* 261 */
- {                0x02,     263, 0,  8, "id-SHA-384"                }, /* 262 */
- {                0x03,     264, 0,  8, "id-SHA-512"                }, /* 263 */
- {                0x04,       0, 0,  8, "id-SHA-224"                }, /* 264 */
- {        0x86,               0, 1,  4, ""                          }, /* 265 */
- {          0xf8,             0, 1,  5, ""                          }, /* 266 */
- {            0x42,         279, 1,  6, "netscape"                  }, /* 267 */
- {              0x01,       274, 1,  7, ""                          }, /* 268 */
- {                0x01,     270, 0,  8, "nsCertType"                }, /* 269 */
- {                0x03,     271, 0,  8, "nsRevocationUrl"           }, /* 270 */
- {                0x04,     272, 0,  8, "nsCaRevocationUrl"         }, /* 271 */
- {                0x08,     273, 0,  8, "nsCaPolicyUrl"             }, /* 272 */
- {                0x0d,       0, 0,  8, "nsComment"                 }, /* 273 */
- {              0x03,       277, 1,  7, "directory"                 }, /* 274 */
- {                0x01,       0, 1,  8, ""                          }, /* 275 */
- {                  0x03,     0, 0,  9, "employeeNumber"            }, /* 276 */
- {              0x04,         0, 1,  7, "policy"                    }, /* 277 */
- {                0x01,       0, 0,  8, "nsSGC"                     }, /* 278 */
- {            0x45,           0, 1,  6, "verisign"                  }, /* 279 */
- {              0x01,         0, 1,  7, "pki"                       }, /* 280 */
- {                0x09,       0, 1,  8, "attributes"                }, /* 281 */
- {                  0x02,   283, 0,  9, "messageType"               }, /* 282 */
- {                  0x03,   284, 0,  9, "pkiStatus"                 }, /* 283 */
- {                  0x04,   285, 0,  9, "failInfo"                  }, /* 284 */
- {                  0x05,   286, 0,  9, "senderNonce"               }, /* 285 */
- {                  0x06,   287, 0,  9, "recipientNonce"            }, /* 286 */
- {                  0x07,   288, 0,  9, "transID"                   }, /* 287 */
- {                  0x08,     0, 0,  9, "extensionReq"              }, /* 288 */
- {      0x86,                 0, 1,  3, "old-netscape"              }, /* 289 */
- {        0xF7,               0, 1,  4, ""                          }, /* 290 */
- {          0x0D,             0, 1,  5, ""                          }, /* 291 */
- {            0x01,           0, 1,  6, ""                          }, /* 292 */
- {              0x09,         0, 1,  7, ""                          }, /* 293 */
- {                0x01,     295, 0,  8, "emailAddress"              }, /* 294 */
- {                0x02,       0, 0,  8, "unstructuredName"          }  /* 295 */
+ {                0x0D,      84, 0,  8, "sha512WithRSAEncryption"   }, /*  83 */
+ {                0x0E,       0, 0,  8, "sha224WithRSAEncryption"   }, /*  84 */
+ {              0x07,        92, 1,  7, "PKCS-7"                    }, /*  85 */
+ {                0x01,      87, 0,  8, "data"                      }, /*  86 */
+ {                0x02,      88, 0,  8, "signedData"                }, /*  87 */
+ {                0x03,      89, 0,  8, "envelopedData"             }, /*  88 */
+ {                0x04,      90, 0,  8, "signedAndEnvelopedData"    }, /*  89 */
+ {                0x05,      91, 0,  8, "digestedData"              }, /*  90 */
+ {                0x06,       0, 0,  8, "encryptedData"             }, /*  91 */
+ {              0x09,         0, 1,  7, "PKCS-9"                    }, /*  92 */
+ {                0x01,      94, 0,  8, "E"                         }, /*  93 */
+ {                0x02,      95, 0,  8, "unstructuredName"          }, /*  94 */
+ {                0x03,      96, 0,  8, "contentType"               }, /*  95 */
+ {                0x04,      97, 0,  8, "messageDigest"             }, /*  96 */
+ {                0x05,      98, 0,  8, "signingTime"               }, /*  97 */
+ {                0x06,      99, 0,  8, "counterSignature"          }, /*  98 */
+ {                0x07,     100, 0,  8, "challengePassword"         }, /*  99 */
+ {                0x08,     101, 0,  8, "unstructuredAddress"       }, /* 100 */
+ {                0x0E,     102, 0,  8, "extensionRequest"          }, /* 101 */
+ {                0x0F,       0, 0,  8, "S/MIME Capabilities"       }, /* 102 */
+ {            0x02,         106, 1,  6, "digestAlgorithm"           }, /* 103 */
+ {              0x02,       105, 0,  7, "md2"                       }, /* 104 */
+ {              0x05,         0, 0,  7, "md5"                       }, /* 105 */
+ {            0x03,           0, 1,  6, "encryptionAlgorithm"       }, /* 106 */
+ {              0x07,         0, 0,  7, "3des-ede-cbc"              }, /* 107 */
+ {      0xCE,                 0, 1,  3, ""                          }, /* 108 */
+ {        0x3D,               0, 1,  4, "ansi-X9-62"                }, /* 109 */
+ {          0x02,           112, 1,  5, "id-publicKeyType"          }, /* 110 */
+ {            0x01,           0, 0,  6, "id-ecPublicKey"            }, /* 111 */
+ {          0x03,           142, 1,  5, "ellipticCurve"             }, /* 112 */
+ {            0x00,         134, 1,  6, "c-TwoCurve"                }, /* 113 */
+ {              0x01,       115, 0,  7, "c2pnb163v1"                }, /* 114 */
+ {              0x02,       116, 0,  7, "c2pnb163v2"                }, /* 115 */
+ {              0x03,       117, 0,  7, "c2pnb163v3"                }, /* 116 */
+ {              0x04,       118, 0,  7, "c2pnb176w1"                }, /* 117 */
+ {              0x05,       119, 0,  7, "c2tnb191v1"                }, /* 118 */
+ {              0x06,       120, 0,  7, "c2tnb191v2"                }, /* 119 */
+ {              0x07,       121, 0,  7, "c2tnb191v3"                }, /* 120 */
+ {              0x08,       122, 0,  7, "c2onb191v4"                }, /* 121 */
+ {              0x09,       123, 0,  7, "c2onb191v5"                }, /* 122 */
+ {              0x0A,       124, 0,  7, "c2pnb208w1"                }, /* 123 */
+ {              0x0B,       125, 0,  7, "c2tnb239v1"                }, /* 124 */
+ {              0x0C,       126, 0,  7, "c2tnb239v2"                }, /* 125 */
+ {              0x0D,       127, 0,  7, "c2tnb239v3"                }, /* 126 */
+ {              0x0E,       128, 0,  7, "c2onb239v4"                }, /* 127 */
+ {              0x0F,       129, 0,  7, "c2onb239v5"                }, /* 128 */
+ {              0x10,       130, 0,  7, "c2pnb272w1"                }, /* 129 */
+ {              0x11,       131, 0,  7, "c2pnb304w1"                }, /* 130 */
+ {              0x12,       132, 0,  7, "c2tnb359v1"                }, /* 131 */
+ {              0x13,       133, 0,  7, "c2pnb368w1"                }, /* 132 */
+ {              0x14,         0, 0,  7, "c2tnb431r1"                }, /* 133 */
+ {            0x01,           0, 1,  6, "primeCurve"                }, /* 134 */
+ {              0x01,       136, 0,  7, "prime192v1"                }, /* 135 */
+ {              0x02,       137, 0,  7, "prime192v2"                }, /* 136 */
+ {              0x03,       138, 0,  7, "prime192v3"                }, /* 137 */
+ {              0x04,       139, 0,  7, "prime239v1"                }, /* 138 */
+ {              0x05,       140, 0,  7, "prime239v2"                }, /* 139 */
+ {              0x06,       141, 0,  7, "prime239v3"                }, /* 140 */
+ {              0x07,         0, 0,  7, "prime256v1"                }, /* 141 */
+ {          0x04,             0, 1,  5, "id-ecSigType"              }, /* 142 */
+ {            0x01,         144, 0,  6, "ecdsa-with-SHA1"           }, /* 143 */
+ {            0x03,           0, 1,  6, "ecdsa-with-Specified"      }, /* 144 */
+ {              0x01,       146, 0,  7, "ecdsa-with-SHA224"         }, /* 145 */
+ {              0x02,       147, 0,  7, "ecdsa-with-SHA256"         }, /* 146 */
+ {              0x03,       148, 0,  7, "ecdsa-with-SHA384"         }, /* 147 */
+ {              0x04,         0, 0,  7, "ecdsa-with-SHA512"         }, /* 148 */
+ {0x2B,                     249, 1,  0, ""                          }, /* 149 */
+ {  0x06,                   202, 1,  1, "dod"                       }, /* 150 */
+ {    0x01,                   0, 1,  2, "internet"                  }, /* 151 */
+ {      0x04,               170, 1,  3, "private"                   }, /* 152 */
+ {        0x01,               0, 1,  4, "enterprise"                }, /* 153 */
+ {          0x82,           163, 1,  5, ""                          }, /* 154 */
+ {            0x37,           0, 1,  6, "Microsoft"                 }, /* 155 */
+ {              0x0A,       160, 1,  7, ""                          }, /* 156 */
+ {                0x03,       0, 1,  8, ""                          }, /* 157 */
+ {                  0x03,   159, 0,  9, "msSGC"                     }, /* 158 */
+ {                  0x04,     0, 0,  9, "msEncryptingFileSystem"    }, /* 159 */
+ {              0x14,         0, 1,  7, "msEnrollmentInfrastructure"}, /* 160 */
+ {                0x02,       0, 1,  8, "msCertificateTypeExtension"}, /* 161 */
+ {                  0x02,     0, 0,  9, "msSmartcardLogon"          }, /* 162 */
+ {          0x89,             0, 1,  5, ""                          }, /* 163 */
+ {            0x31,           0, 1,  6, ""                          }, /* 164 */
+ {              0x01,         0, 1,  7, ""                          }, /* 165 */
+ {                0x01,       0, 1,  8, ""                          }, /* 166 */
+ {                  0x02,     0, 1,  9, ""                          }, /* 167 */
+ {                    0x02, 169, 0, 10, ""                          }, /* 168 */
+ {                    0x4B,   0, 0, 10, "TCGID"                     }, /* 169 */
+ {      0x05,                 0, 1,  3, "security"                  }, /* 170 */
+ {        0x05,               0, 1,  4, "mechanisms"                }, /* 171 */
+ {          0x07,             0, 1,  5, "id-pkix"                   }, /* 172 */
+ {            0x01,         175, 1,  6, "id-pe"                     }, /* 173 */
+ {              0x01,         0, 0,  7, "authorityInfoAccess"       }, /* 174 */
+ {            0x03,         185, 1,  6, "id-kp"                     }, /* 175 */
+ {              0x01,       177, 0,  7, "serverAuth"                }, /* 176 */
+ {              0x02,       178, 0,  7, "clientAuth"                }, /* 177 */
+ {              0x03,       179, 0,  7, "codeSigning"               }, /* 178 */
+ {              0x04,       180, 0,  7, "emailProtection"           }, /* 179 */
+ {              0x05,       181, 0,  7, "ipsecEndSystem"            }, /* 180 */
+ {              0x06,       182, 0,  7, "ipsecTunnel"               }, /* 181 */
+ {              0x07,       183, 0,  7, "ipsecUser"                 }, /* 182 */
+ {              0x08,       184, 0,  7, "timeStamping"              }, /* 183 */
+ {              0x09,         0, 0,  7, "ocspSigning"               }, /* 184 */
+ {            0x08,         187, 1,  6, "id-otherNames"             }, /* 185 */
+ {              0x05,         0, 0,  7, "xmppAddr"                  }, /* 186 */
+ {            0x0A,         192, 1,  6, "id-aca"                    }, /* 187 */
+ {              0x01,       189, 0,  7, "authenticationInfo"        }, /* 188 */
+ {              0x02,       190, 0,  7, "accessIdentity"            }, /* 189 */
+ {              0x03,       191, 0,  7, "chargingIdentity"          }, /* 190 */
+ {              0x04,         0, 0,  7, "group"                     }, /* 191 */
+ {            0x30,           0, 1,  6, "id-ad"                     }, /* 192 */
+ {              0x01,       201, 1,  7, "ocsp"                      }, /* 193 */
+ {                0x01,     195, 0,  8, "basic"                     }, /* 194 */
+ {                0x02,     196, 0,  8, "nonce"                     }, /* 195 */
+ {                0x03,     197, 0,  8, "crl"                       }, /* 196 */
+ {                0x04,     198, 0,  8, "response"                  }, /* 197 */
+ {                0x05,     199, 0,  8, "noCheck"                   }, /* 198 */
+ {                0x06,     200, 0,  8, "archiveCutoff"             }, /* 199 */
+ {                0x07,       0, 0,  8, "serviceLocator"            }, /* 200 */
+ {              0x02,         0, 0,  7, "caIssuers"                 }, /* 201 */
+ {  0x0E,                   208, 1,  1, "oiw"                       }, /* 202 */
+ {    0x03,                   0, 1,  2, "secsig"                    }, /* 203 */
+ {      0x02,                 0, 1,  3, "algorithms"                }, /* 204 */
+ {        0x07,             206, 0,  4, "des-cbc"                   }, /* 205 */
+ {        0x1A,             207, 0,  4, "sha-1"                     }, /* 206 */
+ {        0x1D,               0, 0,  4, "sha-1WithRSASignature"     }, /* 207 */
+ {  0x24,                   215, 1,  1, "TeleTrusT"                 }, /* 208 */
+ {    0x03,                   0, 1,  2, "algorithm"                 }, /* 209 */
+ {      0x03,                 0, 1,  3, "signatureAlgorithm"        }, /* 210 */
+ {        0x01,               0, 1,  4, "rsaSignature"              }, /* 211 */
+ {          0x02,           213, 0,  5, "rsaSigWithripemd160"       }, /* 212 */
+ {          0x03,           214, 0,  5, "rsaSigWithripemd128"       }, /* 213 */
+ {          0x04,             0, 0,  5, "rsaSigWithripemd256"       }, /* 214 */
+ {  0x81,                     0, 1,  1, ""                          }, /* 215 */
+ {    0x04,                   0, 1,  2, "Certicom"                  }, /* 216 */
+ {      0x00,                 0, 1,  3, "curve"                     }, /* 217 */
+ {        0x01,             219, 0,  4, "sect163k1"                 }, /* 218 */
+ {        0x02,             220, 0,  4, "sect163r1"                 }, /* 219 */
+ {        0x03,             221, 0,  4, "sect239k1"                 }, /* 220 */
+ {        0x04,             222, 0,  4, "sect113r1"                 }, /* 221 */
+ {        0x05,             223, 0,  4, "sect113r2"                 }, /* 222 */
+ {        0x06,             224, 0,  4, "secp112r1"                 }, /* 223 */
+ {        0x07,             225, 0,  4, "secp112r2"                 }, /* 224 */
+ {        0x08,             226, 0,  4, "secp160r1"                 }, /* 225 */
+ {        0x09,             227, 0,  4, "secp160k1"                 }, /* 226 */
+ {        0x0A,             228, 0,  4, "secp256k1"                 }, /* 227 */
+ {        0x0F,             229, 0,  4, "sect163r2"                 }, /* 228 */
+ {        0x10,             230, 0,  4, "sect283k1"                 }, /* 229 */
+ {        0x11,             231, 0,  4, "sect283r1"                 }, /* 230 */
+ {        0x16,             232, 0,  4, "sect131r1"                 }, /* 231 */
+ {        0x17,             233, 0,  4, "sect131r2"                 }, /* 232 */
+ {        0x18,             234, 0,  4, "sect193r1"                 }, /* 233 */
+ {        0x19,             235, 0,  4, "sect193r2"                 }, /* 234 */
+ {        0x1A,             236, 0,  4, "sect233k1"                 }, /* 235 */
+ {        0x1B,             237, 0,  4, "sect233r1"                 }, /* 236 */
+ {        0x1C,             238, 0,  4, "secp128r1"                 }, /* 237 */
+ {        0x1D,             239, 0,  4, "secp128r2"                 }, /* 238 */
+ {        0x1E,             240, 0,  4, "secp160r2"                 }, /* 239 */
+ {        0x1F,             241, 0,  4, "secp192k1"                 }, /* 240 */
+ {        0x20,             242, 0,  4, "secp224k1"                 }, /* 241 */
+ {        0x21,             243, 0,  4, "secp224r1"                 }, /* 242 */
+ {        0x22,             244, 0,  4, "secp384r1"                 }, /* 243 */
+ {        0x23,             245, 0,  4, "secp521r1"                 }, /* 244 */
+ {        0x24,             246, 0,  4, "sect409k1"                 }, /* 245 */
+ {        0x25,             247, 0,  4, "sect409r1"                 }, /* 246 */
+ {        0x26,             248, 0,  4, "sect571k1"                 }, /* 247 */
+ {        0x27,               0, 0,  4, "sect571r1"                 }, /* 248 */
+ {0x60,                       0, 1,  0, ""                          }, /* 249 */
+ {  0x86,                     0, 1,  1, ""                          }, /* 250 */
+ {    0x48,                   0, 1,  2, ""                          }, /* 251 */
+ {      0x01,               295, 1,  3, "organization"              }, /* 252 */
+ {        0x65,             271, 1,  4, "gov"                       }, /* 253 */
+ {          0x03,             0, 1,  5, "csor"                      }, /* 254 */
+ {            0x04,           0, 1,  6, "nistalgorithm"             }, /* 255 */
+ {              0x01,       266, 1,  7, "aes"                       }, /* 256 */
+ {                0x02,     258, 0,  8, "id-aes128-CBC"             }, /* 257 */
+ {                0x06,     259, 0,  8, "id-aes128-GCM"             }, /* 258 */
+ {                0x07,     260, 0,  8, "id-aes128-CCM"             }, /* 259 */
+ {                0x16,     261, 0,  8, "id-aes192-CBC"             }, /* 260 */
+ {                0x1A,     262, 0,  8, "id-aes192-GCM"             }, /* 261 */
+ {                0x1B,     263, 0,  8, "id-aes192-CCM"             }, /* 262 */
+ {                0x2A,     264, 0,  8, "id-aes256-CBC"             }, /* 263 */
+ {                0x2E,     265, 0,  8, "id-aes256-GCM"             }, /* 264 */
+ {                0x2F,       0, 0,  8, "id-aes256-CCM"             }, /* 265 */
+ {              0x02,         0, 1,  7, "hashalgs"                  }, /* 266 */
+ {                0x01,     268, 0,  8, "id-SHA-256"                }, /* 267 */
+ {                0x02,     269, 0,  8, "id-SHA-384"                }, /* 268 */
+ {                0x03,     270, 0,  8, "id-SHA-512"                }, /* 269 */
+ {                0x04,       0, 0,  8, "id-SHA-224"                }, /* 270 */
+ {        0x86,               0, 1,  4, ""                          }, /* 271 */
+ {          0xf8,             0, 1,  5, ""                          }, /* 272 */
+ {            0x42,         285, 1,  6, "netscape"                  }, /* 273 */
+ {              0x01,       280, 1,  7, ""                          }, /* 274 */
+ {                0x01,     276, 0,  8, "nsCertType"                }, /* 275 */
+ {                0x03,     277, 0,  8, "nsRevocationUrl"           }, /* 276 */
+ {                0x04,     278, 0,  8, "nsCaRevocationUrl"         }, /* 277 */
+ {                0x08,     279, 0,  8, "nsCaPolicyUrl"             }, /* 278 */
+ {                0x0d,       0, 0,  8, "nsComment"                 }, /* 279 */
+ {              0x03,       283, 1,  7, "directory"                 }, /* 280 */
+ {                0x01,       0, 1,  8, ""                          }, /* 281 */
+ {                  0x03,     0, 0,  9, "employeeNumber"            }, /* 282 */
+ {              0x04,         0, 1,  7, "policy"                    }, /* 283 */
+ {                0x01,       0, 0,  8, "nsSGC"                     }, /* 284 */
+ {            0x45,           0, 1,  6, "verisign"                  }, /* 285 */
+ {              0x01,         0, 1,  7, "pki"                       }, /* 286 */
+ {                0x09,       0, 1,  8, "attributes"                }, /* 287 */
+ {                  0x02,   289, 0,  9, "messageType"               }, /* 288 */
+ {                  0x03,   290, 0,  9, "pkiStatus"                 }, /* 289 */
+ {                  0x04,   291, 0,  9, "failInfo"                  }, /* 290 */
+ {                  0x05,   292, 0,  9, "senderNonce"               }, /* 291 */
+ {                  0x06,   293, 0,  9, "recipientNonce"            }, /* 292 */
+ {                  0x07,   294, 0,  9, "transID"                   }, /* 293 */
+ {                  0x08,     0, 0,  9, "extensionReq"              }, /* 294 */
+ {      0x86,                 0, 1,  3, "old-netscape"              }, /* 295 */
+ {        0xF7,               0, 1,  4, ""                          }, /* 296 */
+ {          0x0D,             0, 1,  5, ""                          }, /* 297 */
+ {            0x01,           0, 1,  6, ""                          }, /* 298 */
+ {              0x09,         0, 1,  7, ""                          }, /* 299 */
+ {                0x01,     301, 0,  8, "emailAddress"              }, /* 300 */
+ {                0x02,       0, 0,  8, "unstructuredName"          }  /* 301 */
 };
diff --git a/src/libstrongswan/asn1/oid.h b/src/libstrongswan/asn1/oid.h
index 477789b62..b7241af8d 100644
--- a/src/libstrongswan/asn1/oid.h
+++ b/src/libstrongswan/asn1/oid.h
@@ -60,126 +60,131 @@ extern const oid_t oid_names[];
 #define OID_SHA256_WITH_RSA					81
 #define OID_SHA384_WITH_RSA					82
 #define OID_SHA512_WITH_RSA					83
-#define OID_PKCS7_DATA						85
-#define OID_PKCS7_SIGNED_DATA				86
-#define OID_PKCS7_ENVELOPED_DATA			87
-#define OID_PKCS7_SIGNED_ENVELOPED_DATA		88
-#define OID_PKCS7_DIGESTED_DATA				89
-#define OID_PKCS7_ENCRYPTED_DATA			90
-#define OID_PKCS9_EMAIL						92
-#define OID_PKCS9_CONTENT_TYPE				94
-#define OID_PKCS9_MESSAGE_DIGEST			95
-#define OID_PKCS9_SIGNING_TIME				96
-#define OID_MD2								103
-#define OID_MD5								104
-#define OID_3DES_EDE_CBC					106
-#define OID_EC_PUBLICKEY					110
-#define OID_C2PNB163V1						113
-#define OID_C2PNB163V2						114
-#define OID_C2PNB163V3						115
-#define OID_C2PNB176W1						116
-#define OID_C2PNB191V1						117
-#define OID_C2PNB191V2						118
-#define OID_C2PNB191V3						119
-#define OID_C2PNB191V4						120
-#define OID_C2PNB191V5						121
-#define OID_C2PNB208W1						122
-#define OID_C2PNB239V1						123
-#define OID_C2PNB239V2						124
-#define OID_C2PNB239V3						125
-#define OID_C2PNB239V4						126
-#define OID_C2PNB239V5						127
-#define OID_C2PNB272W1						128
-#define OID_C2PNB304W1						129
-#define OID_C2PNB359V1						130
-#define OID_C2PNB368W1						131
-#define OID_C2PNB431R1						132
-#define OID_PRIME192V1						134
-#define OID_PRIME192V2						135
-#define OID_PRIME192V3						136
-#define OID_PRIME239V1						137
-#define OID_PRIME239V2						138
-#define OID_PRIME239V3						139
-#define OID_PRIME256V1						140
-#define OID_ECDSA_WITH_SHA1					142
-#define OID_TCGID							163
-#define OID_AUTHORITY_INFO_ACCESS			168
-#define OID_OCSP_SIGNING					178
-#define OID_XMPP_ADDR						180
-#define OID_AUTHENTICATION_INFO				182
-#define OID_ACCESS_IDENTITY					183
-#define OID_CHARGING_IDENTITY				184
-#define OID_GROUP							185
-#define OID_OCSP							187
-#define OID_BASIC							188
-#define OID_NONCE							189
-#define OID_CRL								190
-#define OID_RESPONSE						191
-#define OID_NO_CHECK						192
-#define OID_ARCHIVE_CUTOFF					193
-#define OID_SERVICE_LOCATOR					194
-#define OID_CA_ISSUERS						195
-#define OID_DES_CBC							199
-#define OID_SHA1							200
-#define OID_SHA1_WITH_RSA_OIW				201
-#define OID_SECT163K1						212
-#define OID_SECT163R1						213
-#define OID_SECT239K1						214
-#define OID_SECT113R1						215
-#define OID_SECT113R2						216
-#define OID_SECT112R1						217
-#define OID_SECT112R2						218
-#define OID_SECT160R1						219
-#define OID_SECT160K1						220
-#define OID_SECT256K1						221
-#define OID_SECT163R2						222
-#define OID_SECT283K1						223
-#define OID_SECT283R1						224
-#define OID_SECT131R1						225
-#define OID_SECT131R2						226
-#define OID_SECT193R1						227
-#define OID_SECT193R2						228
-#define OID_SECT233K1						229
-#define OID_SECT233R1						230
-#define OID_SECT128R1						231
-#define OID_SECT128R2						232
-#define OID_SECT160R2						233
-#define OID_SECT192K1						234
-#define OID_SECT224K1						235
-#define OID_SECT224R1						236
-#define OID_SECT384R1						237
-#define OID_SECT521R1						238
-#define OID_SECT409K1						239
-#define OID_SECT409R1						240
-#define OID_SECT571K1						241
-#define OID_SECT571R1						242
-#define OID_AES128_CBC						251
-#define OID_AES128_GCM						252
-#define OID_AES128_CCM						253
-#define OID_AES192_CBC						254
-#define OID_AES192_GCM						255
-#define OID_AES192_CCM						256
-#define OID_AES256_CBC						257
-#define OID_AES256_GCM						258
-#define OID_AES256_CCM						259
-#define OID_SHA256							261
-#define OID_SHA384							262
-#define OID_SHA512							263
-#define OID_SHA224							264
-#define OID_NS_REVOCATION_URL				270
-#define OID_NS_CA_REVOCATION_URL			271
-#define OID_NS_CA_POLICY_URL				272
-#define OID_NS_COMMENT						273
-#define OID_EMPLOYEE_NUMBER					276
-#define OID_PKI_MESSAGE_TYPE				282
-#define OID_PKI_STATUS						283
-#define OID_PKI_FAIL_INFO					284
-#define OID_PKI_SENDER_NONCE				285
-#define OID_PKI_RECIPIENT_NONCE				286
-#define OID_PKI_TRANS_ID					287
-#define OID_EMAIL_ADDRESS					294
-#define OID_UNSTRUCTURED_NAME				295
+#define OID_SHA224_WITH_RSA					84
+#define OID_PKCS7_DATA						86
+#define OID_PKCS7_SIGNED_DATA				87
+#define OID_PKCS7_ENVELOPED_DATA			88
+#define OID_PKCS7_SIGNED_ENVELOPED_DATA		89
+#define OID_PKCS7_DIGESTED_DATA				90
+#define OID_PKCS7_ENCRYPTED_DATA			91
+#define OID_PKCS9_EMAIL						93
+#define OID_PKCS9_CONTENT_TYPE				95
+#define OID_PKCS9_MESSAGE_DIGEST			96
+#define OID_PKCS9_SIGNING_TIME				97
+#define OID_MD2								104
+#define OID_MD5								105
+#define OID_3DES_EDE_CBC					107
+#define OID_EC_PUBLICKEY					111
+#define OID_C2PNB163V1						114
+#define OID_C2PNB163V2						115
+#define OID_C2PNB163V3						116
+#define OID_C2PNB176W1						117
+#define OID_C2PNB191V1						118
+#define OID_C2PNB191V2						119
+#define OID_C2PNB191V3						120
+#define OID_C2PNB191V4						121
+#define OID_C2PNB191V5						122
+#define OID_C2PNB208W1						123
+#define OID_C2PNB239V1						124
+#define OID_C2PNB239V2						125
+#define OID_C2PNB239V3						126
+#define OID_C2PNB239V4						127
+#define OID_C2PNB239V5						128
+#define OID_C2PNB272W1						129
+#define OID_C2PNB304W1						130
+#define OID_C2PNB359V1						131
+#define OID_C2PNB368W1						132
+#define OID_C2PNB431R1						133
+#define OID_PRIME192V1						135
+#define OID_PRIME192V2						136
+#define OID_PRIME192V3						137
+#define OID_PRIME239V1						138
+#define OID_PRIME239V2						139
+#define OID_PRIME239V3						140
+#define OID_PRIME256V1						141
+#define OID_ECDSA_WITH_SHA1					143
+#define OID_ECDSA_WITH_SHA224				145
+#define OID_ECDSA_WITH_SHA256				146
+#define OID_ECDSA_WITH_SHA384				147
+#define OID_ECDSA_WITH_SHA512				148
+#define OID_TCGID							169
+#define OID_AUTHORITY_INFO_ACCESS			174
+#define OID_OCSP_SIGNING					184
+#define OID_XMPP_ADDR						186
+#define OID_AUTHENTICATION_INFO				188
+#define OID_ACCESS_IDENTITY					189
+#define OID_CHARGING_IDENTITY				190
+#define OID_GROUP							191
+#define OID_OCSP							193
+#define OID_BASIC							194
+#define OID_NONCE							195
+#define OID_CRL								196
+#define OID_RESPONSE						197
+#define OID_NO_CHECK						198
+#define OID_ARCHIVE_CUTOFF					199
+#define OID_SERVICE_LOCATOR					200
+#define OID_CA_ISSUERS						201
+#define OID_DES_CBC							205
+#define OID_SHA1							206
+#define OID_SHA1_WITH_RSA_OIW				207
+#define OID_SECT163K1						218
+#define OID_SECT163R1						219
+#define OID_SECT239K1						220
+#define OID_SECT113R1						221
+#define OID_SECT113R2						222
+#define OID_SECT112R1						223
+#define OID_SECT112R2						224
+#define OID_SECT160R1						225
+#define OID_SECT160K1						226
+#define OID_SECT256K1						227
+#define OID_SECT163R2						228
+#define OID_SECT283K1						229
+#define OID_SECT283R1						230
+#define OID_SECT131R1						231
+#define OID_SECT131R2						232
+#define OID_SECT193R1						233
+#define OID_SECT193R2						234
+#define OID_SECT233K1						235
+#define OID_SECT233R1						236
+#define OID_SECT128R1						237
+#define OID_SECT128R2						238
+#define OID_SECT160R2						239
+#define OID_SECT192K1						240
+#define OID_SECT224K1						241
+#define OID_SECT224R1						242
+#define OID_SECT384R1						243
+#define OID_SECT521R1						244
+#define OID_SECT409K1						245
+#define OID_SECT409R1						246
+#define OID_SECT571K1						247
+#define OID_SECT571R1						248
+#define OID_AES128_CBC						257
+#define OID_AES128_GCM						258
+#define OID_AES128_CCM						259
+#define OID_AES192_CBC						260
+#define OID_AES192_GCM						261
+#define OID_AES192_CCM						262
+#define OID_AES256_CBC						263
+#define OID_AES256_GCM						264
+#define OID_AES256_CCM						265
+#define OID_SHA256							267
+#define OID_SHA384							268
+#define OID_SHA512							269
+#define OID_SHA224							270
+#define OID_NS_REVOCATION_URL				276
+#define OID_NS_CA_REVOCATION_URL			277
+#define OID_NS_CA_POLICY_URL				278
+#define OID_NS_COMMENT						279
+#define OID_EMPLOYEE_NUMBER					282
+#define OID_PKI_MESSAGE_TYPE				288
+#define OID_PKI_STATUS						289
+#define OID_PKI_FAIL_INFO					290
+#define OID_PKI_SENDER_NONCE				291
+#define OID_PKI_RECIPIENT_NONCE				292
+#define OID_PKI_TRANS_ID					293
+#define OID_EMAIL_ADDRESS					300
+#define OID_UNSTRUCTURED_NAME				301
 
-#define OID_MAX								296
+#define OID_MAX								302
 
 #endif /* OID_H_ */
diff --git a/src/libstrongswan/asn1/oid.txt b/src/libstrongswan/asn1/oid.txt
index 1514f179f..5adca6289 100644
--- a/src/libstrongswan/asn1/oid.txt
+++ b/src/libstrongswan/asn1/oid.txt
@@ -82,6 +82,7 @@
                 0x0B         "sha256WithRSAEncryption"	OID_SHA256_WITH_RSA
                 0x0C         "sha384WithRSAEncryption"	OID_SHA384_WITH_RSA
                 0x0D         "sha512WithRSAEncryption"	OID_SHA512_WITH_RSA
+                0x0E         "sha224WithRSAEncryption"	OID_SHA224_WITH_RSA
               0x07           "PKCS-7"
                 0x01         "data"						OID_PKCS7_DATA
                 0x02         "signedData"				OID_PKCS7_SIGNED_DATA
@@ -141,6 +142,11 @@
               0x07           "prime256v1"				OID_PRIME256V1
           0x04               "id-ecSigType"
             0x01             "ecdsa-with-SHA1"			OID_ECDSA_WITH_SHA1
+            0x03             "ecdsa-with-Specified"
+              0x01           "ecdsa-with-SHA224"		OID_ECDSA_WITH_SHA224
+              0x02           "ecdsa-with-SHA256"		OID_ECDSA_WITH_SHA256
+              0x03           "ecdsa-with-SHA384"		OID_ECDSA_WITH_SHA384
+              0x04           "ecdsa-with-SHA512"		OID_ECDSA_WITH_SHA512
 0x2B                         ""
   0x06                       "dod"
     0x01                     "internet"
diff --git a/src/libstrongswan/chunk.c b/src/libstrongswan/chunk.c
index c9c181f87..40a93e21a 100644
--- a/src/libstrongswan/chunk.c
+++ b/src/libstrongswan/chunk.c
@@ -19,6 +19,7 @@
 #include <sys/stat.h>
 #include <unistd.h>
 #include <errno.h>
+#include <ctype.h>
 
 #include "chunk.h"
 
@@ -441,6 +442,32 @@ int chunk_compare(chunk_t a, chunk_t b)
 	return memcmp(a.ptr, b.ptr, len);
 };
 
+/**
+ * Remove non-printable characters from a chunk.
+ */
+bool chunk_printable(chunk_t chunk, chunk_t *sane, char replace)
+{
+	bool printable = TRUE;
+	int i;
+	
+	if (sane)
+	{
+		*sane = chunk_clone(chunk);
+	}
+	for (i = 0; i < chunk.len; i++)
+	{
+		if (!isprint(chunk.ptr[i]))
+		{
+			if (sane)
+			{
+				sane->ptr[i] = replace;
+			}
+			printable = FALSE;
+		}
+	}
+	return printable;
+}
+
 /**
  * Described in header.
  * 
diff --git a/src/libstrongswan/chunk.h b/src/libstrongswan/chunk.h
index 3d8c360c5..66c3f26a2 100644
--- a/src/libstrongswan/chunk.h
+++ b/src/libstrongswan/chunk.h
@@ -26,6 +26,9 @@
 #include <string.h>
 #include <stdarg.h>
 #include <sys/types.h>
+#ifdef HAVE_ALLOCA_H
+#include <alloca.h>
+#endif
 
 typedef struct chunk_t chunk_t;
 
@@ -83,8 +86,9 @@ chunk_t chunk_create_cat(u_char *ptr, const char* mode, ...);
 void chunk_split(chunk_t chunk, const char *mode, ...);
 
 /**
-  * Write the binary contents of a chunk_t to a file
-  *
+ * Write the binary contents of a chunk_t to a file
+ *
+ * @param chunk			contents to write to file
  * @param path			path where file is written to
  * @param label			label specifying file type 
  * @param mask			file mode creation mask
@@ -99,6 +103,7 @@ bool chunk_write(chunk_t chunk, char *path, char *label, mode_t mask, bool force
  * The resulting string is '\\0' terminated, but the chunk does not include
  * the '\\0'. If buf is supplied, it must hold at least (chunk.len * 2 + 1).
  *
+ * @param chunk			data to convert to hex encoding
  * @param buf			buffer to write to, NULL to malloc
  * @param uppercase		TRUE to use uppercase letters
  * @return				chunk of encoded data
@@ -231,6 +236,19 @@ static inline bool chunk_equals(chunk_t a, chunk_t b)
 			a.len == b.len && memeq(a.ptr, b.ptr, a.len);
 }
 
+/**
+ * Check if a chunk has printable characters only.
+ *
+ * If sane is given, chunk is cloned into sane and all non printable characters
+ * get replaced by "replace".
+ *
+ * @param chunk			chunk to check for printability
+ * @param sane			pointer where sane version is allocated, or NULL
+ * @param replace		character to use for replaceing unprintable characters
+ * @return				TRUE if all characters in chunk are printable
+ */
+bool chunk_printable(chunk_t chunk, chunk_t *sane, char replace);
+
 /**
  * Computes a 32 bit hash of the given chunk.
  * Note: This hash is only intended for hash tables not for cryptographic purposes.
diff --git a/src/libstrongswan/credentials/credential_factory.c b/src/libstrongswan/credentials/credential_factory.c
index 2e9a541d4..e55df0398 100644
--- a/src/libstrongswan/credentials/credential_factory.c
+++ b/src/libstrongswan/credentials/credential_factory.c
@@ -234,7 +234,7 @@ credential_factory_t *credential_factory_create()
 	
 	this->constructors = linked_list_create();
 	
-	this->lock = rwlock_create(RWLOCK_DEFAULT);
+	this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
 	
 	return &this->public;
 }
diff --git a/src/libstrongswan/credentials/keys/public_key.c b/src/libstrongswan/credentials/keys/public_key.c
index c94c27f0a..a5f547038 100644
--- a/src/libstrongswan/credentials/keys/public_key.c
+++ b/src/libstrongswan/credentials/keys/public_key.c
@@ -28,6 +28,7 @@ ENUM(signature_scheme_names, SIGN_UNKNOWN, SIGN_ECDSA_521,
 	"RSA_EMSA_PKCS1_NULL",
 	"RSA_EMSA_PKCS1_MD5",
 	"RSA_EMSA_PKCS1_SHA1",
+	"RSA_EMSA_PKCS1_SHA224",
 	"RSA_EMSA_PKCS1_SHA256",
 	"RSA_EMSA_PKCS1_SHA384",
 	"RSA_EMSA_PKCS1_SHA512",
@@ -51,6 +52,9 @@ signature_scheme_t signature_scheme_from_oid(int oid)
 		case OID_SHA1_WITH_RSA:
 		case OID_SHA1:
 			return SIGN_RSA_EMSA_PKCS1_SHA1;
+		case OID_SHA224_WITH_RSA:
+		case OID_SHA224:
+			return SIGN_RSA_EMSA_PKCS1_SHA224;
 		case OID_SHA256_WITH_RSA:
 		case OID_SHA256:
 			return SIGN_RSA_EMSA_PKCS1_SHA256;
@@ -63,6 +67,12 @@ signature_scheme_t signature_scheme_from_oid(int oid)
 		case OID_ECDSA_WITH_SHA1:
 		case OID_EC_PUBLICKEY:
 			return SIGN_ECDSA_WITH_SHA1;
+		case OID_ECDSA_WITH_SHA256:
+			return SIGN_ECDSA_256;
+		case OID_ECDSA_WITH_SHA384:
+			return SIGN_ECDSA_384;
+		case OID_ECDSA_WITH_SHA512:
+			return SIGN_ECDSA_521;
 		default:
 			return SIGN_UNKNOWN;
 	}
diff --git a/src/libstrongswan/credentials/keys/public_key.h b/src/libstrongswan/credentials/keys/public_key.h
index c58531b73..be5f3bde6 100644
--- a/src/libstrongswan/credentials/keys/public_key.h
+++ b/src/libstrongswan/credentials/keys/public_key.h
@@ -66,6 +66,8 @@ enum signature_scheme_t {
 	SIGN_RSA_EMSA_PKCS1_MD5,
 	/** EMSA-PKCS1_v1.5 signature as in PKCS#1 using RSA and SHA-1     */
 	SIGN_RSA_EMSA_PKCS1_SHA1,
+	/** EMSA-PKCS1_v1.5 signature as in PKCS#1 using RSA and SHA-224   */
+	SIGN_RSA_EMSA_PKCS1_SHA224,
 	/** EMSA-PKCS1_v1.5 signature as in PKCS#1 using RSA and SHA-256   */
 	SIGN_RSA_EMSA_PKCS1_SHA256,
 	/** EMSA-PKCS1_v1.5 signature as in PKCS#1 using RSA and SHA-384   */
diff --git a/src/libstrongswan/crypto/crypto_factory.c b/src/libstrongswan/crypto/crypto_factory.c
index fea8d0793..e928e8cdf 100644
--- a/src/libstrongswan/crypto/crypto_factory.c
+++ b/src/libstrongswan/crypto/crypto_factory.c
@@ -746,7 +746,7 @@ crypto_factory_t *crypto_factory_create()
 	this->prfs = linked_list_create();
 	this->rngs = linked_list_create();
 	this->dhs = linked_list_create();
-	this->lock = rwlock_create(RWLOCK_DEFAULT);
+	this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
 	this->tester = crypto_tester_create();
 	this->test_on_add = lib->settings->get_bool(lib->settings,
 								"libstrongswan.crypto_test.on_add", FALSE);
diff --git a/src/libstrongswan/crypto/crypto_tester.c b/src/libstrongswan/crypto/crypto_tester.c
index b0b5aa969..4d13474a1 100644
--- a/src/libstrongswan/crypto/crypto_tester.c
+++ b/src/libstrongswan/crypto/crypto_tester.c
@@ -136,7 +136,7 @@ static bool test_crypter(private_crypto_tester_t *this,
 		crypter->destroy(crypter);
 		if (failed)
 		{
-			DBG1("disabled %N: test vector %d failed",
+			DBG1("disabled %N: test vector %u failed",
 				 encryption_algorithm_names, alg, tested);
 			break;
 		}
@@ -151,7 +151,7 @@ static bool test_crypter(private_crypto_tester_t *this,
 	}
 	if (!failed)
 	{
-		DBG1("enabled  %N: successfully passed %d test vectors",
+		DBG1("enabled  %N: passed %u test vectors",
 			 encryption_algorithm_names, alg, tested);
 	}
 	return !failed;
@@ -240,7 +240,7 @@ static bool test_signer(private_crypto_tester_t *this,
 		signer->destroy(signer);
 		if (failed)
 		{
-			DBG1("disabled %N: test vector %d failed",
+			DBG1("disabled %N: test vector %u failed",
 				 integrity_algorithm_names, alg, tested);
 			break;
 		}
@@ -255,7 +255,7 @@ static bool test_signer(private_crypto_tester_t *this,
 	}
 	if (!failed)
 	{
-		DBG1("enabled  %N: successfully passed %d test vectors",
+		DBG1("enabled  %N: passed %u test vectors",
 			 integrity_algorithm_names, alg, tested);
 	}
 	return !failed;
@@ -330,8 +330,8 @@ static bool test_hasher(private_crypto_tester_t *this, hash_algorithm_t alg,
 		hasher->destroy(hasher);
 		if (failed)
 		{
-			DBG1("disabled %N: test vector %d failed",
-				 hash_algorithm_names, alg), tested;
+			DBG1("disabled %N: test vector %u failed",
+				 hash_algorithm_names, alg, tested);
 			break;
 		}
 	}
@@ -345,7 +345,7 @@ static bool test_hasher(private_crypto_tester_t *this, hash_algorithm_t alg,
 	}
 	if (!failed)
 	{
-		DBG1("enabled  %N: successfully passed %d test vectors",
+		DBG1("enabled  %N: passed %u test vectors",
 			 hash_algorithm_names, alg, tested);
 	}
 	return !failed;
@@ -431,7 +431,7 @@ static bool test_prf(private_crypto_tester_t *this,
 		prf->destroy(prf);
 		if (failed)
 		{
-			DBG1("disabled %N: test vector %d failed",
+			DBG1("disabled %N: test vector %u failed",
 				 pseudo_random_function_names, alg, tested);
 			break;
 		}
@@ -446,7 +446,7 @@ static bool test_prf(private_crypto_tester_t *this,
 	}
 	if (!failed)
 	{
-		DBG1("enabled  %N: successfully passed %d test vectors",
+		DBG1("enabled  %N: passed %u test vectors",
 			 pseudo_random_function_names, alg, tested);
 	}
 	return !failed;
@@ -515,7 +515,7 @@ static bool test_rng(private_crypto_tester_t *this, rng_quality_t quality,
 		rng->destroy(rng);
 		if (failed)
 		{
-			DBG1("disabled %N: test vector %d failed",
+			DBG1("disabled %N: test vector %u failed",
 				 rng_quality_names, quality, tested);
 			break;
 		}
@@ -530,7 +530,7 @@ static bool test_rng(private_crypto_tester_t *this, rng_quality_t quality,
 	}
 	if (!failed)
 	{
-		DBG1("enabled  %N: successfully passed %d test vectors",
+		DBG1("enabled  %N: passed %u test vectors",
 			 rng_quality_names, quality, tested);
 	}
 	return !failed;
diff --git a/src/libstrongswan/crypto/hashers/hasher.c b/src/libstrongswan/crypto/hashers/hasher.c
index c58c2ad42..4d6904e47 100644
--- a/src/libstrongswan/crypto/hashers/hasher.c
+++ b/src/libstrongswan/crypto/hashers/hasher.c
@@ -26,6 +26,7 @@ ENUM(hash_algorithm_names, HASH_UNKNOWN, HASH_SHA512,
 	"HASH_MD4",
 	"HASH_MD5",
 	"HASH_SHA1",
+	"HASH_SHA224",
 	"HASH_SHA256",
 	"HASH_SHA384",
 	"HASH_SHA512"
@@ -47,6 +48,9 @@ hash_algorithm_t hasher_algorithm_from_oid(int oid)
 		case OID_SHA1:
 		case OID_SHA1_WITH_RSA:
 			return HASH_SHA1;
+		case OID_SHA224:
+		case OID_SHA224_WITH_RSA:
+			return HASH_SHA224;
 		case OID_SHA256:
 		case OID_SHA256_WITH_RSA:
 			return HASH_SHA256;
@@ -79,6 +83,9 @@ int hasher_algorithm_to_oid(hash_algorithm_t alg)
 		case HASH_SHA1:
 			oid = OID_SHA1;
 			break;
+		case HASH_SHA224:
+			oid = OID_SHA224;
+			break;
 		case HASH_SHA256:
 			oid = OID_SHA256;
 			break;
@@ -112,6 +119,9 @@ int hasher_signature_algorithm_to_oid(hash_algorithm_t alg)
 		case HASH_SHA1:
 			oid = OID_SHA1_WITH_RSA;
 			break;
+		case HASH_SHA224:
+			oid = OID_SHA224_WITH_RSA;
+			break;
 		case HASH_SHA256:
 			oid = OID_SHA256_WITH_RSA;
 			break;
diff --git a/src/libstrongswan/crypto/hashers/hasher.h b/src/libstrongswan/crypto/hashers/hasher.h
index 098739fa3..6deed37ab 100644
--- a/src/libstrongswan/crypto/hashers/hasher.h
+++ b/src/libstrongswan/crypto/hashers/hasher.h
@@ -40,15 +40,17 @@ enum hash_algorithm_t {
 	HASH_MD4			= 3,
 	HASH_MD5 			= 4,
 	HASH_SHA1 			= 5,
-	HASH_SHA256 		= 6,
-	HASH_SHA384 		= 7,
-	HASH_SHA512 		= 8
+	HASH_SHA224			= 6,
+	HASH_SHA256 		= 7,
+	HASH_SHA384 		= 8,
+	HASH_SHA512 		= 9
 };
 
 #define HASH_SIZE_MD2		16
 #define HASH_SIZE_MD4		16
 #define HASH_SIZE_MD5		16
 #define HASH_SIZE_SHA1		20
+#define HASH_SIZE_SHA224	28
 #define HASH_SIZE_SHA256	32
 #define HASH_SIZE_SHA384	48
 #define HASH_SIZE_SHA512	64
diff --git a/src/libstrongswan/database/database_factory.c b/src/libstrongswan/database/database_factory.c
index 76e0a4e89..ef6927874 100644
--- a/src/libstrongswan/database/database_factory.c
+++ b/src/libstrongswan/database/database_factory.c
@@ -110,7 +110,7 @@ database_factory_t *database_factory_create()
 	this->public.destroy = (void(*)(database_factory_t*))destroy;
 	
 	this->databases = linked_list_create();
-	this->mutex = mutex_create(MUTEX_DEFAULT);
+	this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
 	
 	return &this->public;
 }
diff --git a/src/libstrongswan/fetcher/fetcher_manager.c b/src/libstrongswan/fetcher/fetcher_manager.c
index a30012bb1..1f87412c8 100644
--- a/src/libstrongswan/fetcher/fetcher_manager.c
+++ b/src/libstrongswan/fetcher/fetcher_manager.c
@@ -201,7 +201,7 @@ fetcher_manager_t *fetcher_manager_create()
 	this->public.destroy = (void(*)(fetcher_manager_t*))destroy;
 	
 	this->fetchers = linked_list_create();
-	this->lock = rwlock_create(RWLOCK_DEFAULT);
+	this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
 	
 	return &this->public;
 }
diff --git a/src/libstrongswan/fips/Makefile.am b/src/libstrongswan/fips/Makefile.am
deleted file mode 100644
index 22a35701b..000000000
--- a/src/libstrongswan/fips/Makefile.am
+++ /dev/null
@@ -1,19 +0,0 @@
-noinst_PROGRAMS = fips_signer
-fips_signer_SOURCES = fips_signer.c
-fips_signer_LDADD = ../libstrongswan.la
-
-BUILT_SOURCES = fips_signature.h
-CLEANFILES = fips_signature.h fips_signer
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -DSTRONGSWAN_CONF=\"${strongswan_conf}\" \
-            -DPLUGINDIR=\"${top_srcdir}/src/libstrongswan/plugins\"
-if USE_SHA1
-  AM_CFLAGS += -DUSE_SHA1
-endif
-
-if USE_OPENSSL
-  AM_CFLAGS += -DUSE_OPENSSL
-endif
-
-fips_signature.h : fips_signer
-		   ./fips_signer
diff --git a/src/libstrongswan/fips/Makefile.in b/src/libstrongswan/fips/Makefile.in
deleted file mode 100644
index cdced9423..000000000
--- a/src/libstrongswan/fips/Makefile.in
+++ /dev/null
@@ -1,484 +0,0 @@
-# Makefile.in generated by automake 1.10.2 from Makefile.am.
-# @configure_input@
-
-# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
-# This Makefile.in is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
-# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
-# PARTICULAR PURPOSE.
-
-@SET_MAKE@
-
-VPATH = @srcdir@
-pkgdatadir = $(datadir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
-pkgincludedir = $(includedir)/@PACKAGE@
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-install_sh_DATA = $(install_sh) -c -m 644
-install_sh_PROGRAM = $(install_sh) -c
-install_sh_SCRIPT = $(install_sh) -c
-INSTALL_HEADER = $(INSTALL_DATA)
-transform = $(program_transform_name)
-NORMAL_INSTALL = :
-PRE_INSTALL = :
-POST_INSTALL = :
-NORMAL_UNINSTALL = :
-PRE_UNINSTALL = :
-POST_UNINSTALL = :
-build_triplet = @build@
-host_triplet = @host@
-noinst_PROGRAMS = fips_signer$(EXEEXT)
-@USE_SHA1_TRUE@am__append_1 = -DUSE_SHA1
-@USE_OPENSSL_TRUE@am__append_2 = -DUSE_OPENSSL
-subdir = src/libstrongswan/fips
-DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
-ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/configure.in
-am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
-	$(ACLOCAL_M4)
-mkinstalldirs = $(install_sh) -d
-CONFIG_CLEAN_FILES =
-PROGRAMS = $(noinst_PROGRAMS)
-am_fips_signer_OBJECTS = fips_signer.$(OBJEXT)
-fips_signer_OBJECTS = $(am_fips_signer_OBJECTS)
-fips_signer_DEPENDENCIES = ../libstrongswan.la
-DEFAULT_INCLUDES = -I.@am__isrc@
-depcomp = $(SHELL) $(top_srcdir)/depcomp
-am__depfiles_maybe = depfiles
-COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
-	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
-SOURCES = $(fips_signer_SOURCES)
-DIST_SOURCES = $(fips_signer_SOURCES)
-ETAGS = etags
-CTAGS = ctags
-DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
-ACLOCAL = @ACLOCAL@
-AMTAR = @AMTAR@
-AR = @AR@
-AUTOCONF = @AUTOCONF@
-AUTOHEADER = @AUTOHEADER@
-AUTOMAKE = @AUTOMAKE@
-AWK = @AWK@
-CC = @CC@
-CCDEPMODE = @CCDEPMODE@
-CFLAGS = @CFLAGS@
-CPP = @CPP@
-CPPFLAGS = @CPPFLAGS@
-CYGPATH_W = @CYGPATH_W@
-DEFS = @DEFS@
-DEPDIR = @DEPDIR@
-DLLIB = @DLLIB@
-DSYMUTIL = @DSYMUTIL@
-DUMPBIN = @DUMPBIN@
-ECHO_C = @ECHO_C@
-ECHO_N = @ECHO_N@
-ECHO_T = @ECHO_T@
-EGREP = @EGREP@
-EXEEXT = @EXEEXT@
-FGREP = @FGREP@
-GPERF = @GPERF@
-GREP = @GREP@
-INSTALL = @INSTALL@
-INSTALL_DATA = @INSTALL_DATA@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@
-INSTALL_SCRIPT = @INSTALL_SCRIPT@
-INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
-IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
-LD = @LD@
-LDFLAGS = @LDFLAGS@
-LEX = @LEX@
-LEXLIB = @LEXLIB@
-LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
-LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
-LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
-LIBOBJS = @LIBOBJS@
-LIBS = @LIBS@
-LIBTOOL = @LIBTOOL@
-LINUX_HEADERS = @LINUX_HEADERS@
-LIPO = @LIPO@
-LN_S = @LN_S@
-LTLIBOBJS = @LTLIBOBJS@
-MAKEINFO = @MAKEINFO@
-MKDIR_P = @MKDIR_P@
-NM = @NM@
-NMEDIT = @NMEDIT@
-OBJDUMP = @OBJDUMP@
-OBJEXT = @OBJEXT@
-OTOOL = @OTOOL@
-OTOOL64 = @OTOOL64@
-PACKAGE = @PACKAGE@
-PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
-PACKAGE_NAME = @PACKAGE_NAME@
-PACKAGE_STRING = @PACKAGE_STRING@
-PACKAGE_TARNAME = @PACKAGE_TARNAME@
-PACKAGE_VERSION = @PACKAGE_VERSION@
-PATH_SEPARATOR = @PATH_SEPARATOR@
-PERL = @PERL@
-PKG_CONFIG = @PKG_CONFIG@
-RANLIB = @RANLIB@
-RUBY = @RUBY@
-RUBYINCLUDE = @RUBYINCLUDE@
-SED = @SED@
-SET_MAKE = @SET_MAKE@
-SHELL = @SHELL@
-STRIP = @STRIP@
-VERSION = @VERSION@
-YACC = @YACC@
-YFLAGS = @YFLAGS@
-abs_builddir = @abs_builddir@
-abs_srcdir = @abs_srcdir@
-abs_top_builddir = @abs_top_builddir@
-abs_top_srcdir = @abs_top_srcdir@
-ac_ct_CC = @ac_ct_CC@
-ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
-am__include = @am__include@
-am__leading_dot = @am__leading_dot@
-am__quote = @am__quote@
-am__tar = @am__tar@
-am__untar = @am__untar@
-bindir = @bindir@
-build = @build@
-build_alias = @build_alias@
-build_cpu = @build_cpu@
-build_os = @build_os@
-build_vendor = @build_vendor@
-builddir = @builddir@
-confdir = @confdir@
-datadir = @datadir@
-datarootdir = @datarootdir@
-docdir = @docdir@
-dvidir = @dvidir@
-exec_prefix = @exec_prefix@
-gtk_CFLAGS = @gtk_CFLAGS@
-gtk_LIBS = @gtk_LIBS@
-host = @host@
-host_alias = @host_alias@
-host_cpu = @host_cpu@
-host_os = @host_os@
-host_vendor = @host_vendor@
-htmldir = @htmldir@
-includedir = @includedir@
-infodir = @infodir@
-install_sh = @install_sh@
-ipsecdir = @ipsecdir@
-ipsecgroup = @ipsecgroup@
-ipsecuser = @ipsecuser@
-libdir = @libdir@
-libexecdir = @libexecdir@
-libstrongswan_plugins = @libstrongswan_plugins@
-linuxdir = @linuxdir@
-localedir = @localedir@
-localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
-mandir = @mandir@
-mkdir_p = @mkdir_p@
-nm_CFLAGS = @nm_CFLAGS@
-nm_LIBS = @nm_LIBS@
-oldincludedir = @oldincludedir@
-pdfdir = @pdfdir@
-piddir = @piddir@
-plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
-prefix = @prefix@
-program_transform_name = @program_transform_name@
-psdir = @psdir@
-resolv_conf = @resolv_conf@
-sbindir = @sbindir@
-sharedstatedir = @sharedstatedir@
-simreader = @simreader@
-srcdir = @srcdir@
-strongswan_conf = @strongswan_conf@
-sysconfdir = @sysconfdir@
-target_alias = @target_alias@
-top_build_prefix = @top_build_prefix@
-top_builddir = @top_builddir@
-top_srcdir = @top_srcdir@
-xml_CFLAGS = @xml_CFLAGS@
-xml_LIBS = @xml_LIBS@
-fips_signer_SOURCES = fips_signer.c
-fips_signer_LDADD = ../libstrongswan.la
-BUILT_SOURCES = fips_signature.h
-CLEANFILES = fips_signature.h fips_signer
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -DSTRONGSWAN_CONF=\"${strongswan_conf}\" \
-	-DPLUGINDIR=\"${top_srcdir}/src/libstrongswan/plugins\" \
-	$(am__append_1) $(am__append_2)
-all: $(BUILT_SOURCES)
-	$(MAKE) $(AM_MAKEFLAGS) all-am
-
-.SUFFIXES:
-.SUFFIXES: .c .lo .o .obj
-$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
-	@for dep in $?; do \
-	  case '$(am__configure_deps)' in \
-	    *$$dep*) \
-	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
-	        && { if test -f $@; then exit 0; else break; fi; }; \
-	      exit 1;; \
-	  esac; \
-	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/libstrongswan/fips/Makefile'; \
-	cd $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu  src/libstrongswan/fips/Makefile
-.PRECIOUS: Makefile
-Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
-	@case '$?' in \
-	  *config.status*) \
-	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
-	  *) \
-	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
-	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
-	esac;
-
-$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-
-$(top_srcdir)/configure:  $(am__configure_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-
-clean-noinstPROGRAMS:
-	@list='$(noinst_PROGRAMS)'; for p in $$list; do \
-	  f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
-	  echo " rm -f $$p $$f"; \
-	  rm -f $$p $$f ; \
-	done
-fips_signer$(EXEEXT): $(fips_signer_OBJECTS) $(fips_signer_DEPENDENCIES) 
-	@rm -f fips_signer$(EXEEXT)
-	$(LINK) $(fips_signer_OBJECTS) $(fips_signer_LDADD) $(LIBS)
-
-mostlyclean-compile:
-	-rm -f *.$(OBJEXT)
-
-distclean-compile:
-	-rm -f *.tab.c
-
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fips_signer.Po@am__quote@
-
-.c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
-
-.c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
-
-.c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
-
-mostlyclean-libtool:
-	-rm -f *.lo
-
-clean-libtool:
-	-rm -rf .libs _libs
-
-ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
-	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	mkid -fID $$unique
-tags: TAGS
-
-TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	tags=; \
-	here=`pwd`; \
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
-	  test -n "$$unique" || unique=$$empty_fix; \
-	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	    $$tags $$unique; \
-	fi
-ctags: CTAGS
-CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	tags=; \
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$tags$$unique" \
-	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$tags $$unique
-
-GTAGS:
-	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && cd $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) $$here
-
-distclean-tags:
-	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
-
-distdir: $(DISTFILES)
-	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	list='$(DISTFILES)'; \
-	  dist_files=`for file in $$list; do echo $$file; done | \
-	  sed -e "s|^$$srcdirstrip/||;t" \
-	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
-	case $$dist_files in \
-	  */*) $(MKDIR_P) `echo "$$dist_files" | \
-			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
-			   sort -u` ;; \
-	esac; \
-	for file in $$dist_files; do \
-	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  if test -d $$d/$$file; then \
-	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
-	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
-	    fi; \
-	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
-	  else \
-	    test -f $(distdir)/$$file \
-	    || cp -p $$d/$$file $(distdir)/$$file \
-	    || exit 1; \
-	  fi; \
-	done
-check-am: all-am
-check: $(BUILT_SOURCES)
-	$(MAKE) $(AM_MAKEFLAGS) check-am
-all-am: Makefile $(PROGRAMS)
-installdirs:
-install: $(BUILT_SOURCES)
-	$(MAKE) $(AM_MAKEFLAGS) install-am
-install-exec: install-exec-am
-install-data: install-data-am
-uninstall: uninstall-am
-
-install-am: all-am
-	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
-
-installcheck: installcheck-am
-install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
-mostlyclean-generic:
-
-clean-generic:
-	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
-
-distclean-generic:
-	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-
-maintainer-clean-generic:
-	@echo "This command is intended for maintainers to use"
-	@echo "it deletes files that may require special tools to rebuild."
-	-test -z "$(BUILT_SOURCES)" || rm -f $(BUILT_SOURCES)
-clean: clean-am
-
-clean-am: clean-generic clean-libtool clean-noinstPROGRAMS \
-	mostlyclean-am
-
-distclean: distclean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-distclean-am: clean-am distclean-compile distclean-generic \
-	distclean-tags
-
-dvi: dvi-am
-
-dvi-am:
-
-html: html-am
-
-info: info-am
-
-info-am:
-
-install-data-am:
-
-install-dvi: install-dvi-am
-
-install-exec-am:
-
-install-html: install-html-am
-
-install-info: install-info-am
-
-install-man:
-
-install-pdf: install-pdf-am
-
-install-ps: install-ps-am
-
-installcheck-am:
-
-maintainer-clean: maintainer-clean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-maintainer-clean-am: distclean-am maintainer-clean-generic
-
-mostlyclean: mostlyclean-am
-
-mostlyclean-am: mostlyclean-compile mostlyclean-generic \
-	mostlyclean-libtool
-
-pdf: pdf-am
-
-pdf-am:
-
-ps: ps-am
-
-ps-am:
-
-uninstall-am:
-
-.MAKE: install-am install-strip
-
-.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
-	clean-libtool clean-noinstPROGRAMS ctags distclean \
-	distclean-compile distclean-generic distclean-libtool \
-	distclean-tags distdir dvi dvi-am html html-am info info-am \
-	install install-am install-data install-data-am install-dvi \
-	install-dvi-am install-exec install-exec-am install-html \
-	install-html-am install-info install-info-am install-man \
-	install-pdf install-pdf-am install-ps install-ps-am \
-	install-strip installcheck installcheck-am installdirs \
-	maintainer-clean maintainer-clean-generic mostlyclean \
-	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
-	pdf pdf-am ps ps-am tags uninstall uninstall-am
-
-
-fips_signature.h : fips_signer
-		   ./fips_signer
-# Tell versions [3.59,3.63) of GNU make to not export all variables.
-# Otherwise a system limit (for SysV at least) may be exceeded.
-.NOEXPORT:
diff --git a/src/libstrongswan/fips/fips.c b/src/libstrongswan/fips/fips.c
deleted file mode 100644
index d2296e5e9..000000000
--- a/src/libstrongswan/fips/fips.c
+++ /dev/null
@@ -1,96 +0,0 @@
-/*
- * Copyright (C) 2007 Bruno Krieg, Daniel Wydler
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <stdio.h>
-
-#include <debug.h>
-#include <crypto/signers/signer.h>
-#include "fips.h"
-
-extern const u_char FIPS_rodata_start[];
-extern const u_char FIPS_rodata_end[];
-extern const void *FIPS_text_start();
-extern const void *FIPS_text_end();
-
-/**
- * Described in header
- */
-bool fips_compute_hmac_signature(const char *key, char *signature)
-{
-	u_char *text_start = (u_char *)FIPS_text_start();
-	u_char *text_end   = (u_char *)FIPS_text_end();
-	size_t text_len, rodata_len;
-	signer_t *signer;
-
-	if (text_start > text_end)
-	{
-		DBG1("  TEXT start (%p) > TEXT end (%p",
-				text_start, text_end);
-		return FALSE;
-	}
-	text_len = text_end - text_start;
-    DBG1("  TEXT:   %p + %6d = %p",
-			text_start, (int)text_len, text_end);
-
-	if (FIPS_rodata_start > FIPS_rodata_end)
-	{
-		DBG1("  RODATA start (%p) > RODATA end (%p",
-				FIPS_rodata_start, FIPS_rodata_end);
-		return FALSE;
-	}
-	rodata_len = FIPS_rodata_end - FIPS_rodata_start;
-    DBG1("  RODATA: %p + %6d = %p",
-			FIPS_rodata_start, (int)rodata_len, FIPS_rodata_end);
-
-    signer = lib->crypto->create_signer(lib->crypto, AUTH_HMAC_SHA1_128);
-	if (signer == NULL)
-	{
-	    DBG1("  SHA-1 HMAC signer could not be created");
-		return FALSE;
-	}
-	else
-	{
-		chunk_t hmac_key = { (u_char *)key, strlen(key) };
-		chunk_t text_chunk = { text_start, text_len };
-		chunk_t rodata_chunk = { (u_char *)FIPS_rodata_start, rodata_len };
-		chunk_t signature_chunk = chunk_empty;
-
-		signer->set_key(signer, hmac_key);
-		signer->allocate_signature(signer, text_chunk, NULL);
-		signer->allocate_signature(signer, rodata_chunk, &signature_chunk);
-		signer->destroy(signer);
-
-		sprintf(signature, "%#B", &signature_chunk);
-		DBG1("  SHA-1 HMAC key: %s", key);
-		DBG1("  SHA-1 HMAC sig: %s", signature);
-		free(signature_chunk.ptr);
-		return TRUE;
-	}
-}
-
-/**
- * Described in header
- */
-bool fips_verify_hmac_signature(const char *key,
-								const char *signature)
-{
-	char current_signature[BUF_LEN];
-
-	if (!fips_compute_hmac_signature(key, current_signature))
-	{
-		return FALSE;
-	}
-	return streq(signature, current_signature);
-}
diff --git a/src/libstrongswan/fips/fips.h b/src/libstrongswan/fips/fips.h
deleted file mode 100644
index aae18e3b2..000000000
--- a/src/libstrongswan/fips/fips.h
+++ /dev/null
@@ -1,44 +0,0 @@
-/*
- * Copyright (C) 2007 Bruno Krieg, Daniel Wydler
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
- 
-/**
- * @defgroup fips1 fips
- * @{ @ingroup fips
- */
-
-#ifndef FIPS_H_
-#define FIPS_H_
-
-#include <library.h>
-
-/**
- * compute HMAC signature over RODATA and TEXT sections of libstrongswan
- *
- * @param key		key used for HMAC signature in ASCII string format
- * @param signature	HMAC signature in HEX string format
- * @return 			TRUE if HMAC signature computation was successful
- */
-bool fips_compute_hmac_signature(const char *key, char *signature);
-
-/**
- * verify HMAC signature over RODATA and TEXT sections of libstrongswan
- *
- * @param key		key used for HMAC signature in ASCII string format
- * @param signature	signature value from fips_signature.h in HEX string format
- * @return			TRUE if signatures agree
- */
-bool fips_verify_hmac_signature(const char *key, const char *signature);
-
-#endif /** FIPS_H_ @}*/
diff --git a/src/libstrongswan/fips/fips_canister_end.c b/src/libstrongswan/fips/fips_canister_end.c
deleted file mode 100644
index 247d48927..000000000
--- a/src/libstrongswan/fips/fips_canister_end.c
+++ /dev/null
@@ -1,166 +0,0 @@
-/* ====================================================================
- * Copyright (c) 2005 The OpenSSL Project. Rights for redistribution
- * and usage in source and binary forms are granted according to the
- * OpenSSL license.
- */
-
-#include <stdio.h>
-#if defined(__DECC)
-# include <c_asm.h>
-# pragma __nostandard
-#endif
-
-#if !defined(POINTER_TO_FUNCTION_IS_POINTER_TO_1ST_INSTRUCTION)
-# if	(defined(__sun) && (defined(__sparc) || defined(__sparcv9)))	|| \
-	(defined(__sgi) && (defined(__mips) || defined(mips)))		|| \
-	(defined(__osf__) && defined(__alpha))				|| \
-	(defined(__linux) && (defined(__arm) || defined(__arm__)))	|| \
-	(defined(__i386) || defined(__i386__))				|| \
-	(defined(__x86_64) || defined(__x86_64__))			|| \
-	(defined(vax) || defined(__vax__))
-#  define POINTER_TO_FUNCTION_IS_POINTER_TO_1ST_INSTRUCTION
-# endif
-#endif
-
-#define FIPS_ref_point FIPS_text_end
-/* Some compilers put string literals into a separate segment. As we
- * are mostly interested to hash AES tables in .rodata, we declare
- * reference points accordingly. In case you wonder, the values are
- * big-endian encoded variable names, just to prevent these arrays
- * from being merged by linker. */
-const unsigned int FIPS_rodata_end[]=
-	{ 0x46495053, 0x5f726f64, 0x6174615f, 0x656e645b };
-
-
-/*
- * I declare reference function as static in order to avoid certain
- * pitfalls in -dynamic linker behaviour...
- */
-static void *instruction_pointer(void)
-{
-  void *ret = NULL;
-
-/* These are ABI-neutral CPU-specific snippets. ABI-neutrality means
- * that they are designed to work under any OS running on particular
- * CPU, which is why you don't find any #ifdef THIS_OR_THAT_OS in
- * this function. */
-#if	defined(INSTRUCTION_POINTER_IMPLEMENTED)
-    INSTRUCTION_POINTER_IMPLEMENTED(ret);
-#elif	defined(__GNUC__) && __GNUC__>=2
-# if	defined(__alpha) || defined(__alpha__)
-#   define INSTRUCTION_POINTER_IMPLEMENTED
-    __asm __volatile (	"br	%0,1f\n1:" : "=r"(ret) );
-# elif	defined(__i386) || defined(__i386__)
-#   define INSTRUCTION_POINTER_IMPLEMENTED
-    __asm __volatile (	"call 1f\n1:	popl %0" : "=r"(ret) );
-    ret = (void *)((size_t)ret&~3UL); /* align for better performance */
-# elif	defined(__ia64) || defined(__ia64__)
-#   define INSTRUCTION_POINTER_IMPLEMENTED
-    __asm __volatile (	"mov	%0=ip" : "=r"(ret) );
-# elif	defined(__hppa) || defined(__hppa__) || defined(__pa_risc)
-#   define INSTRUCTION_POINTER_IMPLEMENTED
-    __asm __volatile (	"blr	%%r0,%0\n\tnop" : "=r"(ret) );
-    ret = (void *)((size_t)ret&~3UL); /* mask privilege level */
-# elif	defined(__mips) || defined(__mips__)
-#   define INSTRUCTION_POINTER_IMPLEMENTED
-    void *scratch;
-    __asm __volatile (	"move	%1,$31\n\t"	/* save ra */
-			"bal	.+8; nop\n\t"
-			"move	%0,$31\n\t"
-			"move	$31,%1"		/* restore ra */
-			: "=r"(ret),"=r"(scratch) );
-# elif	defined(__ppc__) || defined(__powerpc) || defined(__powerpc__) || \
-	defined(__POWERPC__) || defined(_POWER) || defined(__PPC__) || \
-	defined(__PPC64__) || defined(__powerpc64__)
-#   define INSTRUCTION_POINTER_IMPLEMENTED
-    void *scratch;
-    __asm __volatile (	"mfspr	%1,8\n\t"	/* save lr */
-			"bl	.+4\n\t"
-			"mfspr	%0,8\n\t"	/* mflr ret */
-			"mtspr	8,%1"		/* restore lr */
-			: "=r"(ret),"=r"(scratch) );
-# elif	defined(__sparc) || defined(__sparc__) || defined(__sparcv9)
-#   define INSTRUCTION_POINTER_IMPLEMENTED
-    void *scratch;
-    __asm __volatile (	"mov	%%o7,%1\n\t"
-			"call	.+8; nop\n\t"
-		  	"mov	%%o7,%0\n\t"
-			"mov	%1,%%o7"
-			: "=r"(ret),"=r"(scratch) );
-# elif	defined(__x86_64) || defined(__x86_64__)
-#   define INSTRUCTION_POINTER_IMPLEMENTED
-    __asm __volatile (	"leaq	0(%%rip),%0" : "=r"(ret) );
-    ret = (void *)((size_t)ret&~3UL); /* align for better performance */
-# endif
-#elif	defined(__DECC) && defined(__alpha)
-#   define INSTRUCTION_POINTER_IMPLEMENTED
-    ret = (void *)(size_t)asm("br %v0,1f\n1:");
-#elif   defined(_MSC_VER) && defined(_M_IX86)
-#   undef INSTRUCTION_POINTER_IMPLEMENTED
-    void *scratch;
-    _asm {
-            call    self
-    self:   pop     eax
-            mov     scratch,eax
-         }
-    ret = (void *)((size_t)scratch&~3UL);
-#endif
-  return ret;
-}
-
-/*
- * This function returns pointer to an instruction in the vicinity of
- * its entry point, but not outside this object module. This guarantees
- * that sequestered code is covered...
- */
-void *FIPS_ref_point()
-{
-#if	defined(INSTRUCTION_POINTER_IMPLEMENTED)
-    return instruction_pointer();
-/* Below we essentially cover vendor compilers which do not support
- * inline assembler... */
-#elif	defined(_AIX)
-    struct { void *ip,*gp,*env; } *p = (void *)instruction_pointer;
-    return p->ip;
-#elif	defined(_HPUX_SOURCE)
-# if	defined(__hppa) || defined(__hppa__)
-    struct { void *i[4]; } *p = (void *)FIPS_ref_point;
-
-    if (sizeof(p) == 8)	/* 64-bit */
-	return p->i[2];
-    else if ((size_t)p & 2)
-    {	p = (void *)((size_t)p&~3UL);
-	return p->i[0];
-    }
-    else
-	return (void *)p;
-# elif	defined(__ia64) || defined(__ia64__)
-    struct { unsigned long long ip,gp; } *p=(void *)instruction_pointer;
-    return (void *)(size_t)p->ip;
-# endif
-#elif	(defined(__VMS) || defined(VMS)) && !(defined(vax) || defined(__vax__))
-    /* applies to both alpha and ia64 */
-    struct { unsigned __int64 opaque,ip; } *p=(void *)instruction_pointer;
-    return (void *)(size_t)p->ip;
-#elif	defined(__VOS__)
-    /* applies to both pa-risc and ia32 */
-    struct { void *dp,*ip,*gp; } *p = (void *)instruction_pointer;
-    return p->ip;
-#elif	defined(_WIN32)
-# if	defined(_WIN64) && defined(_M_IA64)
-    struct { void *ip,*gp; } *p = (void *)FIPS_ref_point;
-    return p->ip;
-# else
-    return (void *)FIPS_ref_point;
-# endif
-/*
- * In case you wonder why there is no #ifdef __linux. All Linux targets
- * are GCC-based and therefore are covered by instruction_pointer above
- * [well, some are covered by by the one below]...
- */ 
-#elif	defined(POINTER_TO_FUNCTION_IS_POINTER_TO_1ST_INSTRUCTION)
-    return (void *)instruction_pointer;
-#else
-    return NULL;
-#endif
-}
diff --git a/src/libstrongswan/fips/fips_canister_start.c b/src/libstrongswan/fips/fips_canister_start.c
deleted file mode 100644
index 4a5528a94..000000000
--- a/src/libstrongswan/fips/fips_canister_start.c
+++ /dev/null
@@ -1,167 +0,0 @@
-/* ====================================================================
- * Copyright (c) 2005 The OpenSSL Project. Rights for redistribution
- * and usage in source and binary forms are granted according to the
- * OpenSSL license.
- */
-
-#include <stdio.h>
-#if defined(__DECC)
-# include <c_asm.h>
-# pragma __nostandard
-#endif
-
-#if !defined(POINTER_TO_FUNCTION_IS_POINTER_TO_1ST_INSTRUCTION)
-# if	(defined(__sun) && (defined(__sparc) || defined(__sparcv9)))	|| \
-	(defined(__sgi) && (defined(__mips) || defined(mips)))		|| \
-	(defined(__osf__) && defined(__alpha))				|| \
-	(defined(__linux) && (defined(__arm) || defined(__arm__)))	|| \
-	(defined(__i386) || defined(__i386__))				|| \
-	(defined(__x86_64) || defined(__x86_64__))			|| \
-	(defined(vax) || defined(__vax__))
-#  define POINTER_TO_FUNCTION_IS_POINTER_TO_1ST_INSTRUCTION
-# endif
-#endif
-
-
-#define FIPS_ref_point FIPS_text_start
-/* Some compilers put string literals into a separate segment. As we
- * are mostly interested to hash AES tables in .rodata, we declare
- * reference points accordingly. In case you wonder, the values are
- * big-endian encoded variable names, just to prevent these arrays
- * from being merged by linker. */
-const unsigned int FIPS_rodata_start[]=
-	{ 0x46495053, 0x5f726f64, 0x6174615f, 0x73746172 };
-
-
-/*
- * I declare reference function as static in order to avoid certain
- * pitfalls in -dynamic linker behaviour...
- */
-static void *instruction_pointer(void)
-{
-  void *ret = NULL;
-
-/* These are ABI-neutral CPU-specific snippets. ABI-neutrality means
- * that they are designed to work under any OS running on particular
- * CPU, which is why you don't find any #ifdef THIS_OR_THAT_OS in
- * this function. */
-#if	defined(INSTRUCTION_POINTER_IMPLEMENTED)
-    INSTRUCTION_POINTER_IMPLEMENTED(ret);
-#elif	defined(__GNUC__) && __GNUC__>=2
-# if	defined(__alpha) || defined(__alpha__)
-#   define INSTRUCTION_POINTER_IMPLEMENTED
-    __asm __volatile (	"br	%0,1f\n1:" : "=r"(ret) );
-# elif	defined(__i386) || defined(__i386__)
-#   define INSTRUCTION_POINTER_IMPLEMENTED
-    __asm __volatile (	"call 1f\n1:	popl %0" : "=r"(ret) );
-    ret = (void *)((size_t)ret&~3UL); /* align for better performance */
-# elif	defined(__ia64) || defined(__ia64__)
-#   define INSTRUCTION_POINTER_IMPLEMENTED
-    __asm __volatile (	"mov	%0=ip" : "=r"(ret) );
-# elif	defined(__hppa) || defined(__hppa__) || defined(__pa_risc)
-#   define INSTRUCTION_POINTER_IMPLEMENTED
-    __asm __volatile (	"blr	%%r0,%0\n\tnop" : "=r"(ret) );
-    ret = (void *)((size_t)ret&~3UL); /* mask privilege level */
-# elif	defined(__mips) || defined(__mips__)
-#   define INSTRUCTION_POINTER_IMPLEMENTED
-    void *scratch;
-    __asm __volatile (	"move	%1,$31\n\t"	/* save ra */
-			"bal	.+8; nop\n\t"
-			"move	%0,$31\n\t"
-			"move	$31,%1"		/* restore ra */
-			: "=r"(ret),"=r"(scratch) );
-# elif	defined(__ppc__) || defined(__powerpc) || defined(__powerpc__) || \
-	defined(__POWERPC__) || defined(_POWER) || defined(__PPC__) || \
-	defined(__PPC64__) || defined(__powerpc64__)
-#   define INSTRUCTION_POINTER_IMPLEMENTED
-    void *scratch;
-    __asm __volatile (	"mfspr	%1,8\n\t"	/* save lr */
-			"bl	.+4\n\t"
-			"mfspr	%0,8\n\t"	/* mflr ret */
-			"mtspr	8,%1"		/* restore lr */
-			: "=r"(ret),"=r"(scratch) );
-# elif	defined(__sparc) || defined(__sparc__) || defined(__sparcv9)
-#   define INSTRUCTION_POINTER_IMPLEMENTED
-    void *scratch;
-    __asm __volatile (	"mov	%%o7,%1\n\t"
-			"call	.+8; nop\n\t"
-		  	"mov	%%o7,%0\n\t"
-			"mov	%1,%%o7"
-			: "=r"(ret),"=r"(scratch) );
-# elif	defined(__x86_64) || defined(__x86_64__)
-#   define INSTRUCTION_POINTER_IMPLEMENTED
-    __asm __volatile (	"leaq	0(%%rip),%0" : "=r"(ret) );
-    ret = (void *)((size_t)ret&~3UL); /* align for better performance */
-# endif
-#elif	defined(__DECC) && defined(__alpha)
-#   define INSTRUCTION_POINTER_IMPLEMENTED
-    ret = (void *)(size_t)asm("br %v0,1f\n1:");
-#elif   defined(_MSC_VER) && defined(_M_IX86)
-#   undef INSTRUCTION_POINTER_IMPLEMENTED
-    void *scratch;
-    _asm {
-            call    self
-    self:   pop     eax
-            mov     scratch,eax
-         }
-    ret = (void *)((size_t)scratch&~3UL);
-#endif
-  return ret;
-}
-
-/*
- * This function returns pointer to an instruction in the vicinity of
- * its entry point, but not outside this object module. This guarantees
- * that sequestered code is covered...
- */
-void *FIPS_ref_point()
-{
-#if	defined(INSTRUCTION_POINTER_IMPLEMENTED)
-    return instruction_pointer();
-/* Below we essentially cover vendor compilers which do not support
- * inline assembler... */
-#elif	defined(_AIX)
-    struct { void *ip,*gp,*env; } *p = (void *)instruction_pointer;
-    return p->ip;
-#elif	defined(_HPUX_SOURCE)
-# if	defined(__hppa) || defined(__hppa__)
-    struct { void *i[4]; } *p = (void *)FIPS_ref_point;
-
-    if (sizeof(p) == 8)	/* 64-bit */
-	return p->i[2];
-    else if ((size_t)p & 2)
-    {	p = (void *)((size_t)p&~3UL);
-	return p->i[0];
-    }
-    else
-	return (void *)p;
-# elif	defined(__ia64) || defined(__ia64__)
-    struct { unsigned long long ip,gp; } *p=(void *)instruction_pointer;
-    return (void *)(size_t)p->ip;
-# endif
-#elif	(defined(__VMS) || defined(VMS)) && !(defined(vax) || defined(__vax__))
-    /* applies to both alpha and ia64 */
-    struct { unsigned __int64 opaque,ip; } *p=(void *)instruction_pointer;
-    return (void *)(size_t)p->ip;
-#elif	defined(__VOS__)
-    /* applies to both pa-risc and ia32 */
-    struct { void *dp,*ip,*gp; } *p = (void *)instruction_pointer;
-    return p->ip;
-#elif	defined(_WIN32)
-# if	defined(_WIN64) && defined(_M_IA64)
-    struct { void *ip,*gp; } *p = (void *)FIPS_ref_point;
-    return p->ip;
-# else
-    return (void *)FIPS_ref_point;
-# endif
-/*
- * In case you wonder why there is no #ifdef __linux. All Linux targets
- * are GCC-based and therefore are covered by instruction_pointer above
- * [well, some are covered by by the one below]...
- */ 
-#elif	defined(POINTER_TO_FUNCTION_IS_POINTER_TO_1ST_INSTRUCTION)
-    return (void *)instruction_pointer;
-#else
-    return NULL;
-#endif
-}
diff --git a/src/libstrongswan/fips/fips_signer.c b/src/libstrongswan/fips/fips_signer.c
deleted file mode 100644
index 6f5fdcecf..000000000
--- a/src/libstrongswan/fips/fips_signer.c
+++ /dev/null
@@ -1,68 +0,0 @@
-/*
- * Copyright (C) 2007 Bruno Krieg, Daniel Wydler
- * Hochschule fuer Technik Rapperswil, Switzerland
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <stdio.h>
-
-#include <crypto/hashers/hasher.h>
-#include "fips.h"
-
-int main(int argc, char* argv[])
-{
-	FILE *f;
-	char *hmac_key = "strongSwan Version " VERSION;
-	char  hmac_signature[BUF_LEN];
-
-	/* initialize library */
-	library_init(STRONGSWAN_CONF);
-#ifdef USE_SHA1
-	lib->plugins->load(lib->plugins, PLUGINDIR "/sha1/.libs", "sha1");
-#endif
-#ifdef USE_OPENSSL
-	lib->plugins->load(lib->plugins, PLUGINDIR "/openssl/.libs", "openssl");
-#endif
-	lib->plugins->load(lib->plugins, PLUGINDIR "/hmac/.libs", "hmac");
-
-	if (!fips_compute_hmac_signature(hmac_key, hmac_signature))
-	{
-		exit(1);
-	}
-	
-	/**
-     * write computed HMAC signature to fips_signature.h
-	 */
-	f = fopen("fips_signature.h", "wt");
-
-	if (f == NULL)
-	{
-		exit(1);
-	}
-	fprintf(f, "/* SHA-1 HMAC signature computed over TEXT and RODATA of libstrongswan\n");
-	fprintf(f, " *\n");
-	fprintf(f, " * This file has been automatically generated by fips_signer\n");
-	fprintf(f, " * Do not edit manually!\n");
-	fprintf(f, " */\n");
-	fprintf(f, "\n");
-	fprintf(f, "#ifndef FIPS_SIGNATURE_H_\n");
-	fprintf(f, "#define FIPS_SIGNATURE_H_\n");
-	fprintf(f, "\n");
-	fprintf(f, "const char *hmac_key = \"%s\";\n", hmac_key);
-	fprintf(f, "const char *hmac_signature = \"%s\";\n", hmac_signature);
-	fprintf(f, "\n");
-	fprintf(f, "#endif /* FIPS_SIGNATURE_H_ @} */\n");
-	fclose(f);
-
-	library_deinit();
-	exit(0);
-}
diff --git a/src/libstrongswan/integrity_checker.c b/src/libstrongswan/integrity_checker.c
new file mode 100644
index 000000000..32a296d79
--- /dev/null
+++ b/src/libstrongswan/integrity_checker.c
@@ -0,0 +1,332 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#define _GNU_SOURCE
+
+#include "integrity_checker.h"
+
+#include <dlfcn.h>
+#include <link.h>
+#include <fcntl.h>
+#include <errno.h>
+#include <unistd.h>
+#include <sys/mman.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+
+#include <debug.h>
+#include <library.h>
+
+typedef struct private_integrity_checker_t private_integrity_checker_t;
+
+/**
+ * Private data of an integrity_checker_t object.
+ */
+struct private_integrity_checker_t {
+	
+	/**
+	 * Public integrity_checker_t interface.
+	 */
+	integrity_checker_t public;
+	
+	/**
+	 * dlopen handle to checksum library
+	 */
+	void *handle;
+	
+	/**
+	 * checksum array
+	 */
+	integrity_checksum_t *checksums;
+	
+	/**
+	 * number of checksums in array
+	 */
+	int checksum_count;
+};
+
+/**
+ * Implementation of integrity_checker_t.build_file
+ */
+static u_int32_t build_file(private_integrity_checker_t *this, char *file,
+							size_t *len)
+{
+	u_int32_t checksum;
+	chunk_t contents;
+	struct stat sb;
+	void *addr;
+	int fd;
+	
+	fd = open(file, O_RDONLY);
+	if (fd == -1)
+	{
+		DBG1("  opening '%s' failed: %s", file, strerror(errno));
+		return 0;
+	}
+	
+	if (fstat(fd, &sb) == -1)
+	{
+		DBG1("  getting file size of '%s' failed: %s", file, strerror(errno));
+		close(fd);
+		return 0;
+	}
+	
+	addr = mmap(NULL, sb.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
+	if (addr == MAP_FAILED)
+	{
+		DBG1("  mapping '%s' failed: %s", file, strerror(errno));
+		close(fd);
+		return 0;
+	}
+
+	*len = sb.st_size;	
+	contents = chunk_create(addr, sb.st_size);
+	checksum = chunk_hash(contents);
+	
+	munmap(addr, sb.st_size);
+	close(fd);
+	
+	return checksum;
+}
+
+/**
+ * dl_iterate_phdr callback function
+ */
+static int callback(struct dl_phdr_info *dlpi, size_t size, Dl_info *dli)
+{
+	/* We are looking for the dlpi_addr matching the address of our dladdr().
+	 * dl_iterate_phdr() returns such an address for other (unknown) objects
+	 * in very rare cases (e.g. in a chrooted gentoo, but only if
+	 * the checksum_builder is invoked by 'make'). As a workaround, we filter
+	 * objects by dlpi_name; valid objects have a library name.
+	 */
+	if (dli->dli_fbase == (void*)dlpi->dlpi_addr &&
+		dlpi->dlpi_name && *dlpi->dlpi_name)
+	{
+		int i;
+		
+		for (i = 0; i < dlpi->dlpi_phnum; i++)
+		{
+			const ElfW(Phdr) *sgmt = &dlpi->dlpi_phdr[i];
+			
+			/* we are interested in the executable LOAD segment */
+			if (sgmt->p_type == PT_LOAD && (sgmt->p_flags & PF_X))
+			{
+				/* safe begin of segment in dli_fbase */
+				dli->dli_fbase = (void*)sgmt->p_vaddr + dlpi->dlpi_addr;
+				/* safe end of segment in dli_saddr */
+				dli->dli_saddr = dli->dli_fbase + sgmt->p_memsz;
+				return 1;
+			}
+		}
+	}
+	return 0;
+}
+
+/**
+ * Implementation of integrity_checker_t.build_segment
+ */
+static u_int32_t build_segment(private_integrity_checker_t *this, void *sym,
+							   size_t *len)
+{
+	chunk_t segment;
+	Dl_info dli;
+	
+	if (dladdr(sym, &dli) == 0)
+	{
+		DBG1("  unable to locate symbol: %s", dlerror());
+		return 0;
+	}
+	/* we reuse the Dl_info struct as in/out parameter */
+	if (!dl_iterate_phdr((void*)callback, &dli))
+	{
+		DBG1("  executable section not found");
+		return 0;
+	}
+	
+	segment = chunk_create(dli.dli_fbase, dli.dli_saddr - dli.dli_fbase);
+	*len = segment.len;
+	return chunk_hash(segment);
+}
+
+/**
+ * Find a checksum by its name
+ */
+static integrity_checksum_t *find_checksum(private_integrity_checker_t *this,
+										   char *name)
+{
+	int i;
+	
+	for (i = 0; i < this->checksum_count; i++)
+	{
+		if (streq(this->checksums[i].name, name))
+		{
+			return &this->checksums[i];
+		}
+	}
+	return NULL;
+}
+
+/**
+ * Implementation of integrity_checker_t.check_file
+ */
+static bool check_file(private_integrity_checker_t *this,
+					   char *name, char *file)
+{
+	integrity_checksum_t *cs;
+	u_int32_t sum;
+	size_t len = 0;
+	
+	cs = find_checksum(this, name);
+	if (!cs)
+	{
+		DBG1("  '%s' file checksum not found", name);
+		return FALSE;
+	}
+	sum = build_file(this, file, &len);
+	if (!sum)
+	{
+		return FALSE;
+	}
+	if (cs->file_len != len)
+	{
+		DBG1("  invalid '%s' file size: %u bytes, expected %u bytes",
+			 name, len, cs->file_len);
+		return FALSE;
+	}
+	if (cs->file != sum)
+	{
+		DBG1("  invalid '%s' file checksum: %08x, expected %08x",
+			 name, sum, cs->file);
+		return FALSE;
+	}
+	DBG2("  valid '%s' file checksum: %08x", name, sum);
+	return TRUE;
+}
+
+/**
+ * Implementation of integrity_checker_t.check_segment
+ */
+static bool check_segment(private_integrity_checker_t *this,
+						  char *name, void *sym)
+{
+	integrity_checksum_t *cs;
+	u_int32_t sum;
+	size_t len = 0;
+	
+	cs = find_checksum(this, name);
+	if (!cs)
+	{
+		DBG1("  '%s' segment checksum not found", name);
+		return FALSE;
+	}
+	sum = build_segment(this, sym, &len);
+	if (!sum)
+	{
+		return FALSE;
+	}
+	if (cs->segment_len != len)
+	{
+		DBG1("  invalid '%s' segment size: %u bytes, expected %u bytes",
+			 name, len, cs->segment_len);
+		return FALSE;
+	}
+	if (cs->segment != sum)
+	{
+		DBG1("  invalid '%s' segment checksum: %08x, expected %08x",
+			 name, sum, cs->segment);
+		return FALSE;
+	}
+	DBG2("  valid '%s' segment checksum: %08x", name, sum);
+	return TRUE;
+}
+
+/**
+ * Implementation of integrity_checker_t.check
+ */
+static bool check(private_integrity_checker_t *this, char *name, void *sym)
+{
+	Dl_info dli;
+	
+	if (dladdr(sym, &dli) == 0)
+	{
+		DBG1("unable to locate symbol: %s", dlerror());
+		return FALSE;
+	}
+	if (!check_file(this, name, (char*)dli.dli_fname))
+	{
+		return FALSE;
+	}
+	if (!check_segment(this, name, sym))
+	{
+		return FALSE;
+	}
+	return TRUE;
+}
+
+/**
+ * Implementation of integrity_checker_t.destroy.
+ */
+static void destroy(private_integrity_checker_t *this)
+{
+	if (this->handle)
+	{
+		dlclose(this->handle);
+	}
+	free(this);
+}
+
+/**
+ * See header
+ */
+integrity_checker_t *integrity_checker_create(char *checksum_library)
+{
+	private_integrity_checker_t *this = malloc_thing(private_integrity_checker_t);
+	
+	this->public.check_file = (bool(*)(integrity_checker_t*, char *name, char *file))check_file;
+	this->public.build_file = (u_int32_t(*)(integrity_checker_t*, char *file, size_t *len))build_file;
+	this->public.check_segment = (bool(*)(integrity_checker_t*, char *name, void *sym))check_segment;
+	this->public.build_segment = (u_int32_t(*)(integrity_checker_t*, void *sym, size_t *len))build_segment;
+	this->public.check = (bool(*)(integrity_checker_t*, char *name, void *sym))check;
+	this->public.destroy = (void(*)(integrity_checker_t*))destroy;
+	
+	this->checksum_count = 0;
+	this->handle = NULL;
+	if (checksum_library)
+	{
+		this->handle = dlopen(checksum_library, RTLD_LAZY);
+		if (this->handle)
+		{
+			int *checksum_count;
+		
+			this->checksums = dlsym(this->handle, "checksums");
+			checksum_count = dlsym(this->handle, "checksum_count");
+			if (this->checksums && checksum_count)
+			{
+				this->checksum_count = *checksum_count;
+			}
+			else
+			{
+				DBG1("checksum library '%s' invalid", checksum_library);
+			}
+		}
+		else
+		{
+			DBG1("loading checksum library '%s' failed", checksum_library);
+		}
+	}
+	return &this->public;
+}
+
diff --git a/src/libstrongswan/integrity_checker.h b/src/libstrongswan/integrity_checker.h
new file mode 100644
index 000000000..d078dd6fb
--- /dev/null
+++ b/src/libstrongswan/integrity_checker.h
@@ -0,0 +1,111 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup integrity_checker integrity_checker
+ * @{ @ingroup libstrongswan
+ */
+
+#ifndef INTEGRITY_CHECKER_H_
+#define INTEGRITY_CHECKER_H_
+
+#include <utils.h>
+#include <plugins/plugin.h>
+
+typedef struct integrity_checker_t integrity_checker_t;
+typedef struct integrity_checksum_t integrity_checksum_t;
+
+/**
+ * Struct to hold a precalculated checksum, implemented in the checksum library.
+ */
+struct integrity_checksum_t {
+	/* name of the checksum */
+	char *name;
+	/* size in bytes of the file on disk */
+	size_t file_len; 
+	/* checksum of the file on disk */
+	u_int32_t file;
+	/* size in bytes of executable segment in memory */
+	size_t segment_len; 
+	/* checksum of the executable segment in memory */
+	u_int32_t segment;
+};
+
+/**
+ * Code integrity checker to detect non-malicious file manipulation.
+ *
+ * The integrity checker reads the checksums from a separate library
+ * libchecksum.so to compare the checksums.
+ */
+struct integrity_checker_t {
+
+	/**
+	 * Check the integrity of a file on disk.
+	 *
+	 * @param name		name to lookup checksum
+	 * @param file		path to file
+	 * @return			TRUE if integrity tested successfully
+	 */
+	bool (*check_file)(integrity_checker_t *this, char *name, char *file);
+	
+	/**
+	 * Build the integrity checksum of a file on disk.
+	 *
+	 * @param file		path to file
+	 * @param len		return length in bytes of file
+	 * @return			checksum, 0 on error
+	 */
+	u_int32_t (*build_file)(integrity_checker_t *this, char *file, size_t *len);
+	
+	/**
+	 * Check the integrity of the code segment in memory.
+	 *
+	 * @param name		name to lookup checksum
+	 * @param sym		a symbol in the segment to check
+	 * @return			TRUE if integrity tested successfully
+	 */
+	bool (*check_segment)(integrity_checker_t *this, char *name, void *sym);
+	/**
+	 * Build the integrity checksum of a code segment in memory.
+	 *
+	 * @param sym		a symbol in the segment to check
+	 * @param len		return length in bytes of code segment in memory
+	 * @return			checksum, 0 on error
+	 */
+	u_int32_t (*build_segment)(integrity_checker_t *this, void *sym, size_t *len);
+	
+	/**
+	 * Check both, on disk file integrity and loaded segment.
+	 *
+	 * @param name		name to lookup checksum
+	 * @param sym		a symbol to look up library and segment
+	 * @return			TRUE if integrity tested successfully
+	 */
+	bool (*check)(integrity_checker_t *this, char *name, void *sym);
+	
+	/**
+	 * Destroy a integrity_checker_t.
+	 */
+	void (*destroy)(integrity_checker_t *this);
+};
+
+/**
+ * Create a integrity_checker instance.
+ *
+ * @param checksum_library		library containing checksums
+ */
+integrity_checker_t *integrity_checker_create(char *checksum_library);
+
+#endif /* INTEGRITY_CHECKER_H_ @}*/
diff --git a/src/libstrongswan/library.c b/src/libstrongswan/library.c
index 8e5a8a611..832c8b607 100644
--- a/src/libstrongswan/library.c
+++ b/src/libstrongswan/library.c
@@ -20,12 +20,15 @@
 
 #include <utils.h>
 #include <chunk.h>
+#include <debug.h>
 #include <utils/identification.h>
 #include <utils/host.h>
 #ifdef LEAK_DETECTIVE
 #include <utils/leak_detective.h>
 #endif
 
+#define CHECKSUM_LIBRARY IPSEC_DIR"/libchecksum.so"
+
 typedef struct private_library_t private_library_t;
 
 /**
@@ -65,6 +68,10 @@ void library_deinit()
 	this->public.fetcher->destroy(this->public.fetcher);
 	this->public.db->destroy(this->public.db);
 	this->public.printf_hook->destroy(this->public.printf_hook);
+	if (this->public.integrity)
+	{
+		this->public.integrity->destroy(this->public.integrity);
+	}
 	
 #ifdef LEAK_DETECTIVE
 	if (this->detective)
@@ -79,7 +86,7 @@ void library_deinit()
 /*
  * see header file
  */
-void library_init(char *settings)
+bool library_init(char *settings)
 {
 	printf_hook_t *pfh;
 	private_library_t *this = malloc_thing(private_library_t);
@@ -119,5 +126,23 @@ void library_init(char *settings)
 	this->public.fetcher = fetcher_manager_create();
 	this->public.db = database_factory_create();
 	this->public.plugins = plugin_loader_create();
+	this->public.integrity = NULL;
+	
+	if (lib->settings->get_bool(lib->settings,
+								"libstrongswan.integrity_test", FALSE))
+	{
+#ifdef INTEGRITY_TEST
+		this->public.integrity = integrity_checker_create(CHECKSUM_LIBRARY);
+		if (!lib->integrity->check(lib->integrity, "libstrongswan", library_init))
+		{
+			DBG1("integrity check of libstrongswan failed");
+			return FALSE;
+		}
+#else /* !INTEGRITY_TEST */
+		DBG1("integrity test enabled, but not supported");
+		return FALSE;
+#endif /* INTEGRITY_TEST */
+	}
+	return TRUE;
 }
 
diff --git a/src/libstrongswan/library.h b/src/libstrongswan/library.h
index 35c6b686a..df4121803 100644
--- a/src/libstrongswan/library.h
+++ b/src/libstrongswan/library.h
@@ -19,6 +19,9 @@
  * @defgroup asn1 asn1
  * @ingroup libstrongswan
  *
+ * @defgroup pgp pgp
+ * @ingroup libstrongswan
+ *
  * @defgroup credentials credentials
  * @ingroup libstrongswan
  *
@@ -30,19 +33,16 @@
  *
  * @defgroup crypto crypto
  * @ingroup libstrongswan
- 
+ *
  * @defgroup database database
  * @ingroup libstrongswan
- 
+ *
  * @defgroup fetcher fetcher
  * @ingroup libstrongswan
- 
- * @defgroup fips fips
- * @ingroup libstrongswan
- 
+ *
  * @defgroup plugins plugins
  * @ingroup libstrongswan
- 
+ *
  * @defgroup utils utils
  * @ingroup libstrongswan
  */
@@ -59,6 +59,7 @@
 #include <utils.h>
 #include <chunk.h>
 #include <settings.h>
+#include <integrity_checker.h>
 #include <plugins/plugin_loader.h>
 #include <crypto/crypto_factory.h>
 #include <fetcher/fetcher_manager.h>
@@ -107,6 +108,11 @@ struct library_t {
 	 */
 	settings_t *settings;
 	
+	/**
+	 * integrity checker to verify code integrity
+	 */
+	integrity_checker_t *integrity;
+	
 	/**
 	 * is leak detective running?
 	 */
@@ -117,8 +123,9 @@ struct library_t {
  * Initialize library, creates "lib" instance.
  *
  * @param settings		file to read settings from, may be NULL for none
+ * @return				FALSE if integrity check failed
  */
-void library_init(char *settings);
+bool library_init(char *settings);
 
 /**
  * Deinitialize library, destroys "lib" instance.
diff --git a/src/libstrongswan/plugins/aes/Makefile.am b/src/libstrongswan/plugins/aes/Makefile.am
index e73040f27..a3101172f 100644
--- a/src/libstrongswan/plugins/aes/Makefile.am
+++ b/src/libstrongswan/plugins/aes/Makefile.am
@@ -6,5 +6,5 @@ AM_CFLAGS = -rdynamic
 plugin_LTLIBRARIES = libstrongswan-aes.la
 
 libstrongswan_aes_la_SOURCES = aes_plugin.h aes_plugin.c aes_crypter.c aes_crypter.h
-libstrongswan_aes_la_LDFLAGS = -module
+libstrongswan_aes_la_LDFLAGS = -module -avoid-version
 
diff --git a/src/libstrongswan/plugins/aes/Makefile.in b/src/libstrongswan/plugins/aes/Makefile.in
index 19d3249b5..4414b2ede 100644
--- a/src/libstrongswan/plugins/aes/Makefile.in
+++ b/src/libstrongswan/plugins/aes/Makefile.in
@@ -73,12 +73,14 @@ ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
@@ -143,6 +145,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
 VERSION = @VERSION@
 YACC = @YACC@
@@ -183,7 +186,9 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
@@ -221,7 +226,7 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan
 AM_CFLAGS = -rdynamic
 plugin_LTLIBRARIES = libstrongswan-aes.la
 libstrongswan_aes_la_SOURCES = aes_plugin.h aes_plugin.c aes_crypter.c aes_crypter.h
-libstrongswan_aes_la_LDFLAGS = -module
+libstrongswan_aes_la_LDFLAGS = -module -avoid-version
 all: all-am
 
 .SUFFIXES:
diff --git a/src/libstrongswan/plugins/agent/Makefile.am b/src/libstrongswan/plugins/agent/Makefile.am
index bc022aa26..e1000e562 100644
--- a/src/libstrongswan/plugins/agent/Makefile.am
+++ b/src/libstrongswan/plugins/agent/Makefile.am
@@ -8,5 +8,5 @@ plugin_LTLIBRARIES = libstrongswan-agent.la
 libstrongswan_agent_la_SOURCES = agent_plugin.h agent_plugin.c \
   agent_private_key.c agent_private_key.h
 
-libstrongswan_agent_la_LDFLAGS = -module
+libstrongswan_agent_la_LDFLAGS = -module -avoid-version
 
diff --git a/src/libstrongswan/plugins/agent/Makefile.in b/src/libstrongswan/plugins/agent/Makefile.in
index 5a5202262..a73edb362 100644
--- a/src/libstrongswan/plugins/agent/Makefile.in
+++ b/src/libstrongswan/plugins/agent/Makefile.in
@@ -74,12 +74,14 @@ ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
@@ -144,6 +146,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
 VERSION = @VERSION@
 YACC = @YACC@
@@ -184,7 +187,9 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
@@ -224,7 +229,7 @@ plugin_LTLIBRARIES = libstrongswan-agent.la
 libstrongswan_agent_la_SOURCES = agent_plugin.h agent_plugin.c \
   agent_private_key.c agent_private_key.h
 
-libstrongswan_agent_la_LDFLAGS = -module
+libstrongswan_agent_la_LDFLAGS = -module -avoid-version
 all: all-am
 
 .SUFFIXES:
diff --git a/src/libstrongswan/plugins/blowfish/Makefile.am b/src/libstrongswan/plugins/blowfish/Makefile.am
index 6bb82169e..3fbc5893b 100644
--- a/src/libstrongswan/plugins/blowfish/Makefile.am
+++ b/src/libstrongswan/plugins/blowfish/Makefile.am
@@ -8,5 +8,5 @@ plugin_LTLIBRARIES = libstrongswan-blowfish.la
 libstrongswan_blowfish_la_SOURCES = \
 blowfish_plugin.h blowfish_plugin.c blowfish_crypter.c blowfish_crypter.h \
 bf_skey.c blowfish.h bf_pi.h bf_locl.h bf_enc.c 
-libstrongswan_blowfish_la_LDFLAGS = -module
+libstrongswan_blowfish_la_LDFLAGS = -module -avoid-version
 
diff --git a/src/libstrongswan/plugins/blowfish/Makefile.in b/src/libstrongswan/plugins/blowfish/Makefile.in
index 25cea73df..e536b5fc6 100644
--- a/src/libstrongswan/plugins/blowfish/Makefile.in
+++ b/src/libstrongswan/plugins/blowfish/Makefile.in
@@ -76,12 +76,14 @@ ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
@@ -146,6 +148,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
 VERSION = @VERSION@
 YACC = @YACC@
@@ -186,7 +189,9 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
@@ -227,7 +232,7 @@ libstrongswan_blowfish_la_SOURCES = \
 blowfish_plugin.h blowfish_plugin.c blowfish_crypter.c blowfish_crypter.h \
 bf_skey.c blowfish.h bf_pi.h bf_locl.h bf_enc.c 
 
-libstrongswan_blowfish_la_LDFLAGS = -module
+libstrongswan_blowfish_la_LDFLAGS = -module -avoid-version
 all: all-am
 
 .SUFFIXES:
diff --git a/src/libstrongswan/plugins/curl/Makefile.am b/src/libstrongswan/plugins/curl/Makefile.am
index 1b44516b2..f0a41e4ad 100644
--- a/src/libstrongswan/plugins/curl/Makefile.am
+++ b/src/libstrongswan/plugins/curl/Makefile.am
@@ -6,6 +6,6 @@ AM_CFLAGS = -rdynamic
 plugin_LTLIBRARIES = libstrongswan-curl.la
 
 libstrongswan_curl_la_SOURCES = curl_plugin.h curl_plugin.c curl_fetcher.c curl_fetcher.h
-libstrongswan_curl_la_LDFLAGS = -module
+libstrongswan_curl_la_LDFLAGS = -module -avoid-version
 libstrongswan_curl_la_LIBADD  = -lcurl
 
diff --git a/src/libstrongswan/plugins/curl/Makefile.in b/src/libstrongswan/plugins/curl/Makefile.in
index b413e035e..21d77ac8f 100644
--- a/src/libstrongswan/plugins/curl/Makefile.in
+++ b/src/libstrongswan/plugins/curl/Makefile.in
@@ -73,12 +73,14 @@ ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
@@ -143,6 +145,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
 VERSION = @VERSION@
 YACC = @YACC@
@@ -183,7 +186,9 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
@@ -221,7 +226,7 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan
 AM_CFLAGS = -rdynamic
 plugin_LTLIBRARIES = libstrongswan-curl.la
 libstrongswan_curl_la_SOURCES = curl_plugin.h curl_plugin.c curl_fetcher.c curl_fetcher.h
-libstrongswan_curl_la_LDFLAGS = -module
+libstrongswan_curl_la_LDFLAGS = -module -avoid-version
 libstrongswan_curl_la_LIBADD = -lcurl
 all: all-am
 
diff --git a/src/libstrongswan/plugins/des/Makefile.am b/src/libstrongswan/plugins/des/Makefile.am
index ea94eda8a..76cfbc419 100644
--- a/src/libstrongswan/plugins/des/Makefile.am
+++ b/src/libstrongswan/plugins/des/Makefile.am
@@ -6,5 +6,5 @@ AM_CFLAGS = -rdynamic
 plugin_LTLIBRARIES = libstrongswan-des.la
 
 libstrongswan_des_la_SOURCES = des_plugin.h des_plugin.c des_crypter.c des_crypter.h
-libstrongswan_des_la_LDFLAGS = -module
+libstrongswan_des_la_LDFLAGS = -module -avoid-version
 
diff --git a/src/libstrongswan/plugins/des/Makefile.in b/src/libstrongswan/plugins/des/Makefile.in
index bbca6a032..19da339fe 100644
--- a/src/libstrongswan/plugins/des/Makefile.in
+++ b/src/libstrongswan/plugins/des/Makefile.in
@@ -73,12 +73,14 @@ ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
@@ -143,6 +145,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
 VERSION = @VERSION@
 YACC = @YACC@
@@ -183,7 +186,9 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
@@ -221,7 +226,7 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan
 AM_CFLAGS = -rdynamic
 plugin_LTLIBRARIES = libstrongswan-des.la
 libstrongswan_des_la_SOURCES = des_plugin.h des_plugin.c des_crypter.c des_crypter.h
-libstrongswan_des_la_LDFLAGS = -module
+libstrongswan_des_la_LDFLAGS = -module -avoid-version
 all: all-am
 
 .SUFFIXES:
diff --git a/src/libstrongswan/plugins/fips_prf/Makefile.am b/src/libstrongswan/plugins/fips_prf/Makefile.am
index 73f28825a..d9431947e 100644
--- a/src/libstrongswan/plugins/fips_prf/Makefile.am
+++ b/src/libstrongswan/plugins/fips_prf/Makefile.am
@@ -6,5 +6,5 @@ AM_CFLAGS = -rdynamic
 plugin_LTLIBRARIES = libstrongswan-fips-prf.la
 
 libstrongswan_fips_prf_la_SOURCES = fips_prf_plugin.h fips_prf_plugin.c fips_prf.c fips_prf.h
-libstrongswan_fips_prf_la_LDFLAGS = -module
+libstrongswan_fips_prf_la_LDFLAGS = -module -avoid-version
 
diff --git a/src/libstrongswan/plugins/fips_prf/Makefile.in b/src/libstrongswan/plugins/fips_prf/Makefile.in
index 881d7a36e..5dcae7f27 100644
--- a/src/libstrongswan/plugins/fips_prf/Makefile.in
+++ b/src/libstrongswan/plugins/fips_prf/Makefile.in
@@ -75,12 +75,14 @@ ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
@@ -145,6 +147,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
 VERSION = @VERSION@
 YACC = @YACC@
@@ -185,7 +188,9 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
@@ -223,7 +228,7 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan
 AM_CFLAGS = -rdynamic
 plugin_LTLIBRARIES = libstrongswan-fips-prf.la
 libstrongswan_fips_prf_la_SOURCES = fips_prf_plugin.h fips_prf_plugin.c fips_prf.c fips_prf.h
-libstrongswan_fips_prf_la_LDFLAGS = -module
+libstrongswan_fips_prf_la_LDFLAGS = -module -avoid-version
 all: all-am
 
 .SUFFIXES:
diff --git a/src/libstrongswan/plugins/gcrypt/Makefile.am b/src/libstrongswan/plugins/gcrypt/Makefile.am
index 72cc409fc..7394676e2 100644
--- a/src/libstrongswan/plugins/gcrypt/Makefile.am
+++ b/src/libstrongswan/plugins/gcrypt/Makefile.am
@@ -13,5 +13,5 @@ libstrongswan_gcrypt_la_SOURCES = gcrypt_plugin.h gcrypt_plugin.c \
 	gcrypt_crypter.h gcrypt_crypter.c \
 	gcrypt_hasher.h gcrypt_hasher.c
 
-libstrongswan_gcrypt_la_LDFLAGS = -module
+libstrongswan_gcrypt_la_LDFLAGS = -module -avoid-version
 libstrongswan_gcrypt_la_LIBADD  = $(LIBGCRYPT_LIBS)
diff --git a/src/libstrongswan/plugins/gcrypt/Makefile.in b/src/libstrongswan/plugins/gcrypt/Makefile.in
index 49994c593..e3d27f7f8 100644
--- a/src/libstrongswan/plugins/gcrypt/Makefile.in
+++ b/src/libstrongswan/plugins/gcrypt/Makefile.in
@@ -77,12 +77,14 @@ ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
@@ -147,6 +149,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
 VERSION = @VERSION@
 YACC = @YACC@
@@ -187,7 +190,9 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
@@ -232,7 +237,7 @@ libstrongswan_gcrypt_la_SOURCES = gcrypt_plugin.h gcrypt_plugin.c \
 	gcrypt_crypter.h gcrypt_crypter.c \
 	gcrypt_hasher.h gcrypt_hasher.c
 
-libstrongswan_gcrypt_la_LDFLAGS = -module
+libstrongswan_gcrypt_la_LDFLAGS = -module -avoid-version
 libstrongswan_gcrypt_la_LIBADD = $(LIBGCRYPT_LIBS)
 all: all-am
 
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c b/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c
index 785ebda90..41e17c897 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c
@@ -116,6 +116,9 @@ gcrypt_hasher_t *gcrypt_hasher_create(hash_algorithm_t algo)
 		case HASH_SHA1:
 			gcrypt_alg = GCRY_MD_SHA1;
 			break;
+		case HASH_SHA224:
+			gcrypt_alg = GCRY_MD_SHA224;
+			break;
 		case HASH_SHA256:
 			gcrypt_alg = GCRY_MD_SHA256;
 			break;
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c b/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c
index 547329dde..939e0886c 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c
@@ -47,7 +47,7 @@ struct private_gcrypt_plugin_t {
  */
 static int mutex_init(void **lock)
 {
-	*lock = mutex_create(MUTEX_DEFAULT);
+	*lock = mutex_create(MUTEX_TYPE_DEFAULT);
 	return 0;
 }
 
@@ -148,6 +148,8 @@ plugin_t *plugin_create()
 					(hasher_constructor_t)gcrypt_hasher_create);
 	lib->crypto->add_hasher(lib->crypto, HASH_MD5,
 					(hasher_constructor_t)gcrypt_hasher_create);
+	lib->crypto->add_hasher(lib->crypto, HASH_SHA224,
+					(hasher_constructor_t)gcrypt_hasher_create);
 	lib->crypto->add_hasher(lib->crypto, HASH_SHA256,
 					(hasher_constructor_t)gcrypt_hasher_create);
 	lib->crypto->add_hasher(lib->crypto, HASH_SHA384,
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c
index 611ab2467..e0e8015db 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c
@@ -61,12 +61,14 @@ struct private_gcrypt_rsa_private_key_t {
 public_key_t *gcrypt_rsa_public_key_create_from_sexp(gcry_sexp_t key);
 
 /**
- * find a token in a S-expression
+ * find a token in a S-expression. If a key is given, its length is used to
+ * pad the output to a given length.
  */
-chunk_t gcrypt_rsa_find_token(gcry_sexp_t sexp, char *name)
+chunk_t gcrypt_rsa_find_token(gcry_sexp_t sexp, char *name, gcry_sexp_t key)
 {
 	gcry_sexp_t token;
-	chunk_t data = chunk_empty;
+	chunk_t data = chunk_empty, tmp;
+	size_t len = 0;
 	
 	token = gcry_sexp_find_token(sexp, name, 1);
 	if (token)
@@ -76,7 +78,36 @@ chunk_t gcrypt_rsa_find_token(gcry_sexp_t sexp, char *name)
 		{
 			data.len = 0;
 		}
-		data = chunk_clone(data);
+		else
+		{
+			if (key)
+			{
+				/* gcrypt might return more bytes than necessary. Truncate
+				 * to key lenght if key given, or prepend zeros if needed  */
+				len = gcry_pk_get_nbits(key);
+				len = len / 8 + (len % 8 ? 1 : 0);
+				if (len > data.len)
+				{
+					tmp = chunk_alloc(len);
+					len -= data.len;
+					memset(tmp.ptr, 0, tmp.len - len);
+					memcpy(tmp.ptr + len, data.ptr, data.len);
+					data = tmp;
+				}
+				else if (len < data.len)
+				{
+					data = chunk_clone(chunk_skip(data, data.len - len));
+				}
+				else
+				{
+					data = chunk_clone(data);
+				}
+			}
+			else
+			{
+				data = chunk_clone(data);
+			}
+		}
 		gcry_sexp_release(token);
 	}
 	return data;
@@ -124,7 +155,7 @@ static bool sign_raw(private_gcrypt_rsa_private_key_t *this,
 		DBG1("creating pkcs1 signature failed: %s", gpg_strerror(err));
 		return FALSE;
 	}
-	*signature = gcrypt_rsa_find_token(out, "s");
+	*signature = gcrypt_rsa_find_token(out, "s", this->key);
 	gcry_sexp_release(out);
 	return !!signature->len;
 }
@@ -170,7 +201,7 @@ static bool sign_pkcs1(private_gcrypt_rsa_private_key_t *this,
 		DBG1("creating pkcs1 signature failed: %s", gpg_strerror(err));
 		return FALSE;
 	}
-	*signature = gcrypt_rsa_find_token(out, "s");
+	*signature = gcrypt_rsa_find_token(out, "s", this->key);
 	gcry_sexp_release(out);
 	return !!signature->len;
 }
@@ -195,6 +226,8 @@ static bool sign(private_gcrypt_rsa_private_key_t *this, signature_scheme_t sche
 			return sign_raw(this, data, sig);
 		case SIGN_RSA_EMSA_PKCS1_SHA1:
 			return sign_pkcs1(this, HASH_SHA1, "sha1", data, sig);
+		case SIGN_RSA_EMSA_PKCS1_SHA224:
+			return sign_pkcs1(this, HASH_SHA224, "sha224", data, sig);
 		case SIGN_RSA_EMSA_PKCS1_SHA256:
 			return sign_pkcs1(this, HASH_SHA256, "sha256", data, sig);
 		case SIGN_RSA_EMSA_PKCS1_SHA384:
@@ -353,9 +386,9 @@ static chunk_t get_encoding(private_gcrypt_rsa_private_key_t *this)
 	gcry_error_t err;
 	
 	/* p and q are swapped, gcrypt expects p < q */
-	cp = gcrypt_rsa_find_token(this->key, "q");
-	cq = gcrypt_rsa_find_token(this->key, "p");
-	cd = gcrypt_rsa_find_token(this->key, "d");
+	cp = gcrypt_rsa_find_token(this->key, "q", NULL);
+	cq = gcrypt_rsa_find_token(this->key, "p", NULL);
+	cd = gcrypt_rsa_find_token(this->key, "d", NULL);
 	
 	err = gcry_mpi_scan(&p, GCRYMPI_FMT_USG, cp.ptr, cp.len, NULL)
 		| gcry_mpi_scan(&q, GCRYMPI_FMT_USG, cq.ptr, cq.len, NULL)
@@ -401,14 +434,14 @@ static chunk_t get_encoding(private_gcrypt_rsa_private_key_t *this)
 	}
 	
 	return asn1_wrap(ASN1_SEQUENCE, "cmmmmmmmm", ASN1_INTEGER_0,
-			asn1_integer("m", gcrypt_rsa_find_token(this->key, "n")),
-			asn1_integer("m", gcrypt_rsa_find_token(this->key, "e")),
+			asn1_integer("m", gcrypt_rsa_find_token(this->key, "n", NULL)),
+			asn1_integer("m", gcrypt_rsa_find_token(this->key, "e", NULL)),
 			asn1_integer("m", cd),
 			asn1_integer("m", cp),
 			asn1_integer("m", cq),
 			asn1_integer("m", cexp1),
 			asn1_integer("m", cexp2),
-			asn1_integer("m", gcrypt_rsa_find_token(this->key, "u")));
+			asn1_integer("m", gcrypt_rsa_find_token(this->key, "u", NULL)));
 }
 
 /**
@@ -477,8 +510,8 @@ bool gcrypt_rsa_build_keyids(gcry_sexp_t key, identification_t **keyid,
 		return FALSE;
 	}
 	publicKey = asn1_wrap(ASN1_SEQUENCE, "mm",
-				 asn1_integer("m", gcrypt_rsa_find_token(key, "n")),
-				 asn1_integer("m", gcrypt_rsa_find_token(key, "e")));
+				 asn1_integer("m", gcrypt_rsa_find_token(key, "n", NULL)),
+				 asn1_integer("m", gcrypt_rsa_find_token(key, "e", NULL)));
 	hasher->allocate_hash(hasher, publicKey, &hash);
 	*keyid = identification_create_from_encoding(ID_PUBKEY_SHA1, hash);
 	chunk_free(&hash);
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c
index 8024f58a7..4d9c88c6d 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c
@@ -60,7 +60,7 @@ struct private_gcrypt_rsa_public_key_t {
 /**
  * Implemented in gcrypt_rsa_private_key.c
  */
-chunk_t gcrypt_rsa_find_token(gcry_sexp_t sexp, char *name);
+chunk_t gcrypt_rsa_find_token(gcry_sexp_t sexp, char *name, gcry_sexp_t key);
 bool gcrypt_rsa_build_keyids(gcry_sexp_t key, identification_t **keyid,
 							 identification_t **keyid_info);
 
@@ -188,6 +188,8 @@ static bool verify(private_gcrypt_rsa_public_key_t *this,
 			return verify_pkcs1(this, HASH_MD5, "md5", data, signature);
 		case SIGN_RSA_EMSA_PKCS1_SHA1:
 			return verify_pkcs1(this, HASH_SHA1, "sha1", data, signature);
+		case SIGN_RSA_EMSA_PKCS1_SHA224:
+			return verify_pkcs1(this, HASH_SHA224, "sha224", data, signature);
 		case SIGN_RSA_EMSA_PKCS1_SHA256:
 			return verify_pkcs1(this, HASH_SHA256, "sha256", data, signature);
 		case SIGN_RSA_EMSA_PKCS1_SHA384:
@@ -226,7 +228,7 @@ static bool encrypt_(private_gcrypt_rsa_public_key_t *this, chunk_t plain,
 		DBG1("encrypting data using pkcs1 failed: %s", gpg_strerror(err));
 		return FALSE;
 	}
-	*encrypted = gcrypt_rsa_find_token(out, "a");
+	*encrypted = gcrypt_rsa_find_token(out, "a", this->key);
 	gcry_sexp_release(out);
 	return !!encrypted->len;
 }
@@ -290,8 +292,8 @@ static identification_t *get_id(private_gcrypt_rsa_public_key_t *this,
 static chunk_t get_encoding(private_gcrypt_rsa_public_key_t *this)
 {
 	return asn1_wrap(ASN1_SEQUENCE, "mm",
-			asn1_integer("m", gcrypt_rsa_find_token(this->key, "n")),
-			asn1_integer("m", gcrypt_rsa_find_token(this->key, "e")));
+			asn1_integer("m", gcrypt_rsa_find_token(this->key, "n", NULL)),
+			asn1_integer("m", gcrypt_rsa_find_token(this->key, "e", NULL)));
 }
 
 /**
@@ -352,8 +354,8 @@ public_key_t *gcrypt_rsa_public_key_create_from_sexp(gcry_sexp_t key)
 	chunk_t n, e;
 	
 	this = gcrypt_rsa_public_key_create_empty();
-	n = gcrypt_rsa_find_token(key, "n");
-	e = gcrypt_rsa_find_token(key, "e");
+	n = gcrypt_rsa_find_token(key, "n", NULL);
+	e = gcrypt_rsa_find_token(key, "e", NULL);
 	
 	err = gcry_sexp_build(&this->key, NULL, "(public-key(rsa(n %b)(e %b)))",
 						  n.len, n.ptr, e.len, e.ptr);
diff --git a/src/libstrongswan/plugins/gmp/Makefile.am b/src/libstrongswan/plugins/gmp/Makefile.am
index f073b5d48..1ab358328 100644
--- a/src/libstrongswan/plugins/gmp/Makefile.am
+++ b/src/libstrongswan/plugins/gmp/Makefile.am
@@ -10,6 +10,6 @@ libstrongswan_gmp_la_SOURCES = gmp_plugin.h gmp_plugin.c \
   gmp_rsa_private_key.c gmp_rsa_private_key.h \
   gmp_rsa_public_key.c gmp_rsa_public_key.h
 
-libstrongswan_gmp_la_LDFLAGS = -module
+libstrongswan_gmp_la_LDFLAGS = -module -avoid-version
 libstrongswan_gmp_la_LIBADD = -lgmp
 
diff --git a/src/libstrongswan/plugins/gmp/Makefile.in b/src/libstrongswan/plugins/gmp/Makefile.in
index a60cd998c..8d5dff34b 100644
--- a/src/libstrongswan/plugins/gmp/Makefile.in
+++ b/src/libstrongswan/plugins/gmp/Makefile.in
@@ -74,12 +74,14 @@ ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
@@ -144,6 +146,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
 VERSION = @VERSION@
 YACC = @YACC@
@@ -184,7 +187,9 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
@@ -226,7 +231,7 @@ libstrongswan_gmp_la_SOURCES = gmp_plugin.h gmp_plugin.c \
   gmp_rsa_private_key.c gmp_rsa_private_key.h \
   gmp_rsa_public_key.c gmp_rsa_public_key.h
 
-libstrongswan_gmp_la_LDFLAGS = -module
+libstrongswan_gmp_la_LDFLAGS = -module -avoid-version
 libstrongswan_gmp_la_LIBADD = -lgmp
 all: all-am
 
diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c
index cbc112762..259c8e9ad 100644
--- a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c
+++ b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c
@@ -301,6 +301,8 @@ static bool sign(private_gmp_rsa_private_key_t *this, signature_scheme_t scheme,
 			return build_emsa_pkcs1_signature(this, HASH_UNKNOWN, data, signature);
 		case SIGN_RSA_EMSA_PKCS1_SHA1:
 			return build_emsa_pkcs1_signature(this, HASH_SHA1, data, signature);
+		case SIGN_RSA_EMSA_PKCS1_SHA224:
+			return build_emsa_pkcs1_signature(this, HASH_SHA224, data, signature);
 		case SIGN_RSA_EMSA_PKCS1_SHA256:
 			return build_emsa_pkcs1_signature(this, HASH_SHA256, data, signature);
 		case SIGN_RSA_EMSA_PKCS1_SHA384:
diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
index 1f3e3072f..c26187c64 100644
--- a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
+++ b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
@@ -301,6 +301,8 @@ static bool verify(private_gmp_rsa_public_key_t *this, signature_scheme_t scheme
 			return verify_emsa_pkcs1_signature(this, HASH_MD5, data, signature);
 		case SIGN_RSA_EMSA_PKCS1_SHA1:
 			return verify_emsa_pkcs1_signature(this, HASH_SHA1, data, signature);
+		case SIGN_RSA_EMSA_PKCS1_SHA224:
+			return verify_emsa_pkcs1_signature(this, HASH_SHA224, data, signature);
 		case SIGN_RSA_EMSA_PKCS1_SHA256:
 			return verify_emsa_pkcs1_signature(this, HASH_SHA256, data, signature);
 		case SIGN_RSA_EMSA_PKCS1_SHA384:
@@ -417,7 +419,7 @@ static size_t get_keysize(private_gmp_rsa_public_key_t *this)
 
 /**
  * Build the PGP version 3 RSA key identifier from n and e using
- * MD5 hashed modulus and exponent. Also used in rsa_private_key.c.
+ * MD5 hashed modulus and exponent.
  */
 static identification_t* gmp_rsa_build_pgp_v3_keyid(mpz_t n, mpz_t e)
 {
diff --git a/src/libstrongswan/plugins/hmac/Makefile.am b/src/libstrongswan/plugins/hmac/Makefile.am
index 89e0638f3..1856cad2d 100644
--- a/src/libstrongswan/plugins/hmac/Makefile.am
+++ b/src/libstrongswan/plugins/hmac/Makefile.am
@@ -7,5 +7,5 @@ plugin_LTLIBRARIES = libstrongswan-hmac.la
 
 libstrongswan_hmac_la_SOURCES = hmac_plugin.h hmac_plugin.c hmac.h hmac.c \
 	hmac_prf.h hmac_prf.c hmac_signer.h hmac_signer.c
-libstrongswan_hmac_la_LDFLAGS = -module
+libstrongswan_hmac_la_LDFLAGS = -module -avoid-version
 
diff --git a/src/libstrongswan/plugins/hmac/Makefile.in b/src/libstrongswan/plugins/hmac/Makefile.in
index fc36bd9fa..389bde8f9 100644
--- a/src/libstrongswan/plugins/hmac/Makefile.in
+++ b/src/libstrongswan/plugins/hmac/Makefile.in
@@ -74,12 +74,14 @@ ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
@@ -144,6 +146,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
 VERSION = @VERSION@
 YACC = @YACC@
@@ -184,7 +187,9 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
@@ -224,7 +229,7 @@ plugin_LTLIBRARIES = libstrongswan-hmac.la
 libstrongswan_hmac_la_SOURCES = hmac_plugin.h hmac_plugin.c hmac.h hmac.c \
 	hmac_prf.h hmac_prf.c hmac_signer.h hmac_signer.c
 
-libstrongswan_hmac_la_LDFLAGS = -module
+libstrongswan_hmac_la_LDFLAGS = -module -avoid-version
 all: all-am
 
 .SUFFIXES:
diff --git a/src/libstrongswan/plugins/ldap/Makefile.am b/src/libstrongswan/plugins/ldap/Makefile.am
index ac6b4be00..6ad073d97 100644
--- a/src/libstrongswan/plugins/ldap/Makefile.am
+++ b/src/libstrongswan/plugins/ldap/Makefile.am
@@ -6,6 +6,6 @@ AM_CFLAGS = -rdynamic
 plugin_LTLIBRARIES = libstrongswan-ldap.la
 
 libstrongswan_ldap_la_SOURCES = ldap_plugin.h ldap_plugin.c ldap_fetcher.h ldap_fetcher.c
-libstrongswan_ldap_la_LDFLAGS = -module
+libstrongswan_ldap_la_LDFLAGS = -module -avoid-version
 libstrongswan_ldap_la_LIBADD  = -lldap -llber
 
diff --git a/src/libstrongswan/plugins/ldap/Makefile.in b/src/libstrongswan/plugins/ldap/Makefile.in
index 6eefc8546..93fc9a0c1 100644
--- a/src/libstrongswan/plugins/ldap/Makefile.in
+++ b/src/libstrongswan/plugins/ldap/Makefile.in
@@ -73,12 +73,14 @@ ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
@@ -143,6 +145,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
 VERSION = @VERSION@
 YACC = @YACC@
@@ -183,7 +186,9 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
@@ -221,7 +226,7 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan
 AM_CFLAGS = -rdynamic
 plugin_LTLIBRARIES = libstrongswan-ldap.la
 libstrongswan_ldap_la_SOURCES = ldap_plugin.h ldap_plugin.c ldap_fetcher.h ldap_fetcher.c
-libstrongswan_ldap_la_LDFLAGS = -module
+libstrongswan_ldap_la_LDFLAGS = -module -avoid-version
 libstrongswan_ldap_la_LIBADD = -lldap -llber
 all: all-am
 
diff --git a/src/libstrongswan/plugins/md4/Makefile.am b/src/libstrongswan/plugins/md4/Makefile.am
index f984322a6..a47da2e8e 100644
--- a/src/libstrongswan/plugins/md4/Makefile.am
+++ b/src/libstrongswan/plugins/md4/Makefile.am
@@ -6,5 +6,5 @@ AM_CFLAGS = -rdynamic
 plugin_LTLIBRARIES = libstrongswan-md4.la
 
 libstrongswan_md4_la_SOURCES = md4_plugin.h md4_plugin.c md4_hasher.c md4_hasher.h
-libstrongswan_md4_la_LDFLAGS = -module
+libstrongswan_md4_la_LDFLAGS = -module -avoid-version
 
diff --git a/src/libstrongswan/plugins/md4/Makefile.in b/src/libstrongswan/plugins/md4/Makefile.in
index efdb64e90..7ca6a20cc 100644
--- a/src/libstrongswan/plugins/md4/Makefile.in
+++ b/src/libstrongswan/plugins/md4/Makefile.in
@@ -73,12 +73,14 @@ ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
@@ -143,6 +145,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
 VERSION = @VERSION@
 YACC = @YACC@
@@ -183,7 +186,9 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
@@ -221,7 +226,7 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan
 AM_CFLAGS = -rdynamic
 plugin_LTLIBRARIES = libstrongswan-md4.la
 libstrongswan_md4_la_SOURCES = md4_plugin.h md4_plugin.c md4_hasher.c md4_hasher.h
-libstrongswan_md4_la_LDFLAGS = -module
+libstrongswan_md4_la_LDFLAGS = -module -avoid-version
 all: all-am
 
 .SUFFIXES:
diff --git a/src/libstrongswan/plugins/md5/Makefile.am b/src/libstrongswan/plugins/md5/Makefile.am
index 0a9c5cbf4..ce0611c13 100644
--- a/src/libstrongswan/plugins/md5/Makefile.am
+++ b/src/libstrongswan/plugins/md5/Makefile.am
@@ -6,5 +6,5 @@ AM_CFLAGS = -rdynamic
 plugin_LTLIBRARIES = libstrongswan-md5.la
 
 libstrongswan_md5_la_SOURCES = md5_plugin.h md5_plugin.c md5_hasher.c md5_hasher.h
-libstrongswan_md5_la_LDFLAGS = -module
+libstrongswan_md5_la_LDFLAGS = -module -avoid-version
 
diff --git a/src/libstrongswan/plugins/md5/Makefile.in b/src/libstrongswan/plugins/md5/Makefile.in
index 15c98aba4..fb9bc4b4d 100644
--- a/src/libstrongswan/plugins/md5/Makefile.in
+++ b/src/libstrongswan/plugins/md5/Makefile.in
@@ -73,12 +73,14 @@ ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
@@ -143,6 +145,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
 VERSION = @VERSION@
 YACC = @YACC@
@@ -183,7 +186,9 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
@@ -221,7 +226,7 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan
 AM_CFLAGS = -rdynamic
 plugin_LTLIBRARIES = libstrongswan-md5.la
 libstrongswan_md5_la_SOURCES = md5_plugin.h md5_plugin.c md5_hasher.c md5_hasher.h
-libstrongswan_md5_la_LDFLAGS = -module
+libstrongswan_md5_la_LDFLAGS = -module -avoid-version
 all: all-am
 
 .SUFFIXES:
diff --git a/src/libstrongswan/plugins/mysql/Makefile.am b/src/libstrongswan/plugins/mysql/Makefile.am
index ec94b8fda..0daf7655b 100644
--- a/src/libstrongswan/plugins/mysql/Makefile.am
+++ b/src/libstrongswan/plugins/mysql/Makefile.am
@@ -7,6 +7,6 @@ plugin_LTLIBRARIES = libstrongswan-mysql.la
 
 libstrongswan_mysql_la_SOURCES = mysql_plugin.h mysql_plugin.c  \
 	mysql_database.h mysql_database.c
-libstrongswan_mysql_la_LDFLAGS = -module
+libstrongswan_mysql_la_LDFLAGS = -module -avoid-version
 libstrongswan_mysql_la_LIBADD = -lmysqlclient_r
 
diff --git a/src/libstrongswan/plugins/mysql/Makefile.in b/src/libstrongswan/plugins/mysql/Makefile.in
index 26b514ad6..21fe61923 100644
--- a/src/libstrongswan/plugins/mysql/Makefile.in
+++ b/src/libstrongswan/plugins/mysql/Makefile.in
@@ -73,12 +73,14 @@ ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
@@ -143,6 +145,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
 VERSION = @VERSION@
 YACC = @YACC@
@@ -183,7 +186,9 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
@@ -223,7 +228,7 @@ plugin_LTLIBRARIES = libstrongswan-mysql.la
 libstrongswan_mysql_la_SOURCES = mysql_plugin.h mysql_plugin.c  \
 	mysql_database.h mysql_database.c
 
-libstrongswan_mysql_la_LDFLAGS = -module
+libstrongswan_mysql_la_LDFLAGS = -module -avoid-version
 libstrongswan_mysql_la_LIBADD = -lmysqlclient_r
 all: all-am
 
diff --git a/src/libstrongswan/plugins/mysql/mysql_database.c b/src/libstrongswan/plugins/mysql/mysql_database.c
index d0d5a3d15..341217dd4 100644
--- a/src/libstrongswan/plugins/mysql/mysql_database.c
+++ b/src/libstrongswan/plugins/mysql/mysql_database.c
@@ -686,7 +686,7 @@ mysql_database_t *mysql_database_create(char *uri)
 		free(this);
 		return NULL;
 	}
-	this->mutex = mutex_create(MUTEX_DEFAULT);
+	this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
 	this->pool = linked_list_create();
 	
 	/* check connectivity */
diff --git a/src/libstrongswan/plugins/openssl/Makefile.am b/src/libstrongswan/plugins/openssl/Makefile.am
index f331a78eb..25cc5aa1d 100644
--- a/src/libstrongswan/plugins/openssl/Makefile.am
+++ b/src/libstrongswan/plugins/openssl/Makefile.am
@@ -16,6 +16,6 @@ libstrongswan_openssl_la_SOURCES = openssl_plugin.h openssl_plugin.c \
 	openssl_ec_private_key.c openssl_ec_private_key.h \
 	openssl_ec_public_key.c openssl_ec_public_key.h
 
-libstrongswan_openssl_la_LDFLAGS = -module
+libstrongswan_openssl_la_LDFLAGS = -module -avoid-version
 libstrongswan_openssl_la_LIBADD  = -lcrypto
 
diff --git a/src/libstrongswan/plugins/openssl/Makefile.in b/src/libstrongswan/plugins/openssl/Makefile.in
index 0ebb5acf0..e6d7b479b 100644
--- a/src/libstrongswan/plugins/openssl/Makefile.in
+++ b/src/libstrongswan/plugins/openssl/Makefile.in
@@ -78,12 +78,14 @@ ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
@@ -148,6 +150,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
 VERSION = @VERSION@
 YACC = @YACC@
@@ -188,7 +191,9 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
@@ -236,7 +241,7 @@ libstrongswan_openssl_la_SOURCES = openssl_plugin.h openssl_plugin.c \
 	openssl_ec_private_key.c openssl_ec_private_key.h \
 	openssl_ec_public_key.c openssl_ec_public_key.h
 
-libstrongswan_openssl_la_LDFLAGS = -module
+libstrongswan_openssl_la_LDFLAGS = -module -avoid-version
 libstrongswan_openssl_la_LIBADD = -lcrypto
 all: all-am
 
diff --git a/src/libstrongswan/plugins/openssl/openssl_crypter.c b/src/libstrongswan/plugins/openssl/openssl_crypter.c
index 7f48f1009..424fec60a 100644
--- a/src/libstrongswan/plugins/openssl/openssl_crypter.c
+++ b/src/libstrongswan/plugins/openssl/openssl_crypter.c
@@ -83,6 +83,7 @@ static openssl_algorithm_t encryption_algs[] = {
 /*	{ENCR_DES_IV32, 	"***",			0,	0}, */
 /*	{ENCR_NULL, 		"***",			0,	0}, */ /* handled separately */
 /*	{ENCR_AES_CBC, 		"***",			0,	0}, */ /* handled separately */
+/*	{ENCR_CAMELLIA_CBC,	"***",			0,	0}, */ /* handled separately */
 /*	{ENCR_AES_CTR, 		"***",			0,	0}, */ /* disabled in evp.h */
 	{END_OF_LIST, 		NULL,			0,	0},
 };
@@ -224,6 +225,23 @@ openssl_crypter_t *openssl_crypter_create(encryption_algorithm_t algo,
 					return NULL;
 			}
 			break;
+		case ENCR_CAMELLIA_CBC:
+			switch (key_size)
+			{
+				case 16:        /* CAMELLIA 128 */
+					this->cipher = EVP_get_cipherbyname("camellia128");
+					break;
+				case 24:        /* CAMELLIA 192 */
+					this->cipher = EVP_get_cipherbyname("camellia192");
+					break;
+				case 32:        /* CAMELLIA 256 */
+					this->cipher = EVP_get_cipherbyname("camellia256"); 
+					break;
+				default:
+					free(this);
+					return NULL;
+			}
+			break;
 		case ENCR_DES_ECB:
 			this->cipher = EVP_des_ecb();
 			break;
diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
index c93acb75c..082aed9ca 100644
--- a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
+++ b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
@@ -108,7 +108,8 @@ error:
  * Convert an EC_POINT to a chunk by concatenating the x and y coordinates of
  * the point. This function allocates memory for the chunk.
  */
-static bool ecp2chunk(const EC_GROUP *group, const EC_POINT *point, chunk_t *chunk)
+static bool ecp2chunk(const EC_GROUP *group, const EC_POINT *point,
+					  chunk_t *chunk, bool x_coordinate_only)
 {
 	BN_CTX *ctx;
 	BIGNUM *x, *y;
@@ -133,6 +134,10 @@ static bool ecp2chunk(const EC_GROUP *group, const EC_POINT *point, chunk_t *chu
 		goto error;
 	}
 	
+	if (x_coordinate_only)
+	{
+		y = NULL;
+	}
 	if (!openssl_bn_cat(EC_FIELD_ELEMENT_LEN(group), x, y, chunk))
 	{
 		goto error;
@@ -160,7 +165,7 @@ static bool compute_shared_key(private_openssl_ec_diffie_hellman_t *this, chunk_
 {
 	const BIGNUM *priv_key;
 	EC_POINT *secret = NULL;
-	bool ret = FALSE;
+	bool x_coordinate_only, ret = FALSE;
 	
 	priv_key = EC_KEY_get0_private_key(this->key);
 	if (!priv_key)
@@ -179,7 +184,14 @@ static bool compute_shared_key(private_openssl_ec_diffie_hellman_t *this, chunk_
 		goto error;
 	}
 	
-	if (!ecp2chunk(this->ec_group, secret, shared_secret))
+	/*
+	 * The default setting ecp_x_coordinate_only = TRUE
+	 * applies the following errata for RFC 4753:
+	 * http://www.rfc-editor.org/errata_search.php?eid=9
+	 */
+	x_coordinate_only = lib->settings->get_bool(lib->settings,
+							"libstrongswan.ecp_x_coordinate_only", TRUE);
+	if (!ecp2chunk(this->ec_group, secret, shared_secret, x_coordinate_only))
 	{
 		goto error;
 	}
@@ -219,7 +231,7 @@ static void set_other_public_value(private_openssl_ec_diffie_hellman_t *this, ch
  */
 static void get_my_public_value(private_openssl_ec_diffie_hellman_t *this,chunk_t *value)
 {
-	ecp2chunk(this->ec_group, EC_KEY_get0_public_key(this->key), value);
+	ecp2chunk(this->ec_group, EC_KEY_get0_public_key(this->key), value, FALSE);
 }
 
 /**
diff --git a/src/libstrongswan/plugins/openssl/openssl_hasher.c b/src/libstrongswan/plugins/openssl/openssl_hasher.c
index ed3e57957..90a5229d5 100644
--- a/src/libstrongswan/plugins/openssl/openssl_hasher.c
+++ b/src/libstrongswan/plugins/openssl/openssl_hasher.c
@@ -65,6 +65,7 @@ static openssl_algorithm_t integrity_algs[] = {
 	{HASH_MD2,		"md2"},
 	{HASH_MD5,		"md5"},
 	{HASH_SHA1,		"sha1"},
+	{HASH_SHA224,	"sha224"},
 	{HASH_SHA256,	"sha256"},
 	{HASH_SHA384,	"sha384"},
 	{HASH_SHA512,	"sha512"},
diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c
index a90dff7f1..ce6716f5a 100644
--- a/src/libstrongswan/plugins/openssl/openssl_plugin.c
+++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c
@@ -84,7 +84,7 @@ static struct CRYPTO_dynlock_value *create_function(const char *file, int line)
 	struct CRYPTO_dynlock_value *lock;
 	
 	lock = malloc_thing(struct CRYPTO_dynlock_value);
-	lock->mutex = mutex_create(MUTEX_DEFAULT);
+	lock->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
 	return lock;
 }
 
@@ -140,7 +140,7 @@ static void threading_init()
 	mutex = malloc(sizeof(mutex_t*) * num_locks);
 	for (i = 0; i < num_locks; i++)
 	{
-		mutex[i] = mutex_create(MUTEX_DEFAULT);
+		mutex[i] = mutex_create(MUTEX_TYPE_DEFAULT);
 	}
 }
 
@@ -212,6 +212,8 @@ plugin_t *plugin_create()
 	/* crypter */
 	lib->crypto->add_crypter(lib->crypto, ENCR_AES_CBC,
 					(crypter_constructor_t)openssl_crypter_create);
+	lib->crypto->add_crypter(lib->crypto, ENCR_CAMELLIA_CBC,
+					(crypter_constructor_t)openssl_crypter_create);
 	lib->crypto->add_crypter(lib->crypto, ENCR_3DES,
 					(crypter_constructor_t)openssl_crypter_create);
 	lib->crypto->add_crypter(lib->crypto, ENCR_RC5,
@@ -238,6 +240,8 @@ plugin_t *plugin_create()
 					(hasher_constructor_t)openssl_hasher_create);
 	lib->crypto->add_hasher(lib->crypto, HASH_MD5,
 					(hasher_constructor_t)openssl_hasher_create);
+	lib->crypto->add_hasher(lib->crypto, HASH_SHA224,
+					(hasher_constructor_t)openssl_hasher_create);
 	lib->crypto->add_hasher(lib->crypto, HASH_SHA256,
 					(hasher_constructor_t)openssl_hasher_create);
 	lib->crypto->add_hasher(lib->crypto, HASH_SHA384,
diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
index c5d4142da..95c0ffdc8 100644
--- a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
@@ -165,6 +165,8 @@ static bool sign(private_openssl_rsa_private_key_t *this, signature_scheme_t sch
 			return build_emsa_pkcs1_signature(this, NID_undef, data, signature);
 		case SIGN_RSA_EMSA_PKCS1_SHA1:
 			return build_emsa_pkcs1_signature(this, NID_sha1, data, signature);
+		case SIGN_RSA_EMSA_PKCS1_SHA224:
+			return build_emsa_pkcs1_signature(this, NID_sha224, data, signature);
 		case SIGN_RSA_EMSA_PKCS1_SHA256:
 			return build_emsa_pkcs1_signature(this, NID_sha256, data, signature);
 		case SIGN_RSA_EMSA_PKCS1_SHA384:
diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
index 89912f24c..bc1ba35b6 100644
--- a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
@@ -143,6 +143,8 @@ static bool verify(private_openssl_rsa_public_key_t *this, signature_scheme_t sc
 			return verify_emsa_pkcs1_signature(this, NID_undef, data, signature);
 		case SIGN_RSA_EMSA_PKCS1_SHA1:
 			return verify_emsa_pkcs1_signature(this, NID_sha1, data, signature);
+		case SIGN_RSA_EMSA_PKCS1_SHA224:
+			return verify_emsa_pkcs1_signature(this, NID_sha224, data, signature);
 		case SIGN_RSA_EMSA_PKCS1_SHA256:
 			return verify_emsa_pkcs1_signature(this, NID_sha256, data, signature);
 		case SIGN_RSA_EMSA_PKCS1_SHA384:
diff --git a/src/libstrongswan/plugins/openssl/openssl_util.c b/src/libstrongswan/plugins/openssl/openssl_util.c
index bb0c296e1..c8c453f64 100644
--- a/src/libstrongswan/plugins/openssl/openssl_util.c
+++ b/src/libstrongswan/plugins/openssl/openssl_util.c
@@ -71,21 +71,26 @@ bool openssl_bn_cat(int len, BIGNUM *a, BIGNUM *b, chunk_t *chunk)
 {
 	int offset;
 	
-	chunk->len = len * 2;
+	chunk->len = len + (b ? len : 0);
 	chunk->ptr = malloc(chunk->len);
 	memset(chunk->ptr, 0, chunk->len);
 	
+	/* convert a */
 	offset = len - BN_num_bytes(a);
 	if (!BN_bn2bin(a, chunk->ptr + offset))
 	{
 		goto error;
 	}
 	
-	offset = len - BN_num_bytes(b);
-	if (!BN_bn2bin(b, chunk->ptr + len + offset))
+	/* optionally convert and concatenate b */
+	if (b)
 	{
-		goto error;
-	}
+		offset = len - BN_num_bytes(b);
+		if (!BN_bn2bin(b, chunk->ptr + len + offset))
+		{
+			goto error;
+		}
+	}	
 	
 	return TRUE;
 error:
diff --git a/src/libstrongswan/plugins/padlock/Makefile.am b/src/libstrongswan/plugins/padlock/Makefile.am
index e7c3ba486..b2b1f9d85 100644
--- a/src/libstrongswan/plugins/padlock/Makefile.am
+++ b/src/libstrongswan/plugins/padlock/Makefile.am
@@ -9,5 +9,5 @@ libstrongswan_padlock_la_SOURCES = padlock_plugin.h padlock_plugin.c \
 	padlock_aes_crypter.c padlock_aes_crypter.h \
 	padlock_sha1_hasher.c padlock_sha1_hasher.h \
 	padlock_rng.c padlock_rng.h
-libstrongswan_padlock_la_LDFLAGS = -module
+libstrongswan_padlock_la_LDFLAGS = -module -avoid-version
 
diff --git a/src/libstrongswan/plugins/padlock/Makefile.in b/src/libstrongswan/plugins/padlock/Makefile.in
index 7fe0cc198..44f533744 100644
--- a/src/libstrongswan/plugins/padlock/Makefile.in
+++ b/src/libstrongswan/plugins/padlock/Makefile.in
@@ -75,12 +75,14 @@ ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
@@ -145,6 +147,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
 VERSION = @VERSION@
 YACC = @YACC@
@@ -185,7 +188,9 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
@@ -227,7 +232,7 @@ libstrongswan_padlock_la_SOURCES = padlock_plugin.h padlock_plugin.c \
 	padlock_sha1_hasher.c padlock_sha1_hasher.h \
 	padlock_rng.c padlock_rng.h
 
-libstrongswan_padlock_la_LDFLAGS = -module
+libstrongswan_padlock_la_LDFLAGS = -module -avoid-version
 all: all-am
 
 .SUFFIXES:
diff --git a/src/libstrongswan/plugins/padlock/padlock_plugin.c b/src/libstrongswan/plugins/padlock/padlock_plugin.c
index dddb73551..e241b59be 100644
--- a/src/libstrongswan/plugins/padlock/padlock_plugin.c
+++ b/src/libstrongswan/plugins/padlock/padlock_plugin.c
@@ -97,7 +97,7 @@ static padlock_feature_t get_padlock_features()
 			return d;
 		}
 	}
-	DBG1("Padlock not found, CPU is %s\n", vendor);
+	DBG1("Padlock not found, CPU is %s", vendor);
 	return 0;
 }
 
diff --git a/src/libstrongswan/plugins/plugin_loader.c b/src/libstrongswan/plugins/plugin_loader.c
index ad5a9e240..459ba9ba9 100644
--- a/src/libstrongswan/plugins/plugin_loader.c
+++ b/src/libstrongswan/plugins/plugin_loader.c
@@ -22,6 +22,7 @@
 #include <stdio.h>
 
 #include <debug.h>
+#include <integrity_checker.h>
 #include <utils/linked_list.h>
 #include <plugins/plugin.h>
 
@@ -61,27 +62,45 @@ static plugin_t* load_plugin(private_plugin_loader_t *this,
 	
 	snprintf(file, sizeof(file), "%s/libstrongswan-%s.so", path, name);
 	
+	if (lib->integrity)
+	{
+		if (!lib->integrity->check_file(lib->integrity, name, file))
+		{
+			DBG1("plugin '%s': failed file integrity test of '%s'", name, file);
+			return NULL;
+		}
+	}
 	handle = dlopen(file, RTLD_LAZY);
 	if (handle == NULL)
 	{
-		DBG1("loading plugin '%s' failed: %s", name, dlerror());
+		DBG1("plugin '%s': failed to load '%s' - %s", name, file, dlerror());
 		return NULL;
 	}
 	constructor = dlsym(handle, "plugin_create");
 	if (constructor == NULL)
 	{
-		DBG1("loading plugin '%s' failed: no plugin_create() function", name);
+		DBG1("plugin '%s': failed to load - no plugin_create() function", name);
 		dlclose(handle);
 		return NULL;
 	}
+	if (lib->integrity)
+	{
+		if (!lib->integrity->check_segment(lib->integrity, name, constructor))
+		{
+			DBG1("plugin '%s': failed segment integrity test", name);
+			dlclose(handle);
+			return NULL;
+		}
+		DBG1("plugin '%s': passed file and segment integrity tests", name);
+	}
 	plugin = constructor();
 	if (plugin == NULL)
 	{
-		DBG1("loading plugin '%s' failed: plugin_create() returned NULL", name);
+		DBG1("plugin '%s': failed to load - plugin_create() returned NULL", name);
 		dlclose(handle);
 		return NULL;
 	}
-	DBG2("plugin '%s' loaded successfully", name);
+	DBG2("plugin '%s': loaded successfully", name);
 	
 	/* we do not store or free dlopen() handles, leak_detective requires
 	 * the modules to keep loaded until leak report */
diff --git a/src/libstrongswan/plugins/pubkey/Makefile.am b/src/libstrongswan/plugins/pubkey/Makefile.am
index 3b512614f..9423e6689 100644
--- a/src/libstrongswan/plugins/pubkey/Makefile.am
+++ b/src/libstrongswan/plugins/pubkey/Makefile.am
@@ -9,5 +9,5 @@ libstrongswan_pubkey_la_SOURCES = pubkey_plugin.h pubkey_plugin.c \
   pubkey_cert.h pubkey_cert.c\
   pubkey_public_key.h pubkey_public_key.c
 
-libstrongswan_pubkey_la_LDFLAGS = -module
+libstrongswan_pubkey_la_LDFLAGS = -module -avoid-version
 
diff --git a/src/libstrongswan/plugins/pubkey/Makefile.in b/src/libstrongswan/plugins/pubkey/Makefile.in
index 4514424f2..a672e2ea8 100644
--- a/src/libstrongswan/plugins/pubkey/Makefile.in
+++ b/src/libstrongswan/plugins/pubkey/Makefile.in
@@ -75,12 +75,14 @@ ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
@@ -145,6 +147,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
 VERSION = @VERSION@
 YACC = @YACC@
@@ -185,7 +188,9 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
@@ -226,7 +231,7 @@ libstrongswan_pubkey_la_SOURCES = pubkey_plugin.h pubkey_plugin.c \
   pubkey_cert.h pubkey_cert.c\
   pubkey_public_key.h pubkey_public_key.c
 
-libstrongswan_pubkey_la_LDFLAGS = -module
+libstrongswan_pubkey_la_LDFLAGS = -module -avoid-version
 all: all-am
 
 .SUFFIXES:
diff --git a/src/libstrongswan/plugins/random/Makefile.am b/src/libstrongswan/plugins/random/Makefile.am
index 8b61d7094..9a11b8567 100644
--- a/src/libstrongswan/plugins/random/Makefile.am
+++ b/src/libstrongswan/plugins/random/Makefile.am
@@ -7,5 +7,5 @@ plugin_LTLIBRARIES = libstrongswan-random.la
 
 libstrongswan_random_la_SOURCES = random_plugin.h random_plugin.c \
   random_rng.c random_rng.h
-libstrongswan_random_la_LDFLAGS = -module
+libstrongswan_random_la_LDFLAGS = -module -avoid-version
 
diff --git a/src/libstrongswan/plugins/random/Makefile.in b/src/libstrongswan/plugins/random/Makefile.in
index 0bed27468..a2869fb51 100644
--- a/src/libstrongswan/plugins/random/Makefile.in
+++ b/src/libstrongswan/plugins/random/Makefile.in
@@ -74,12 +74,14 @@ ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
@@ -144,6 +146,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
 VERSION = @VERSION@
 YACC = @YACC@
@@ -184,7 +187,9 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
@@ -224,7 +229,7 @@ plugin_LTLIBRARIES = libstrongswan-random.la
 libstrongswan_random_la_SOURCES = random_plugin.h random_plugin.c \
   random_rng.c random_rng.h
 
-libstrongswan_random_la_LDFLAGS = -module
+libstrongswan_random_la_LDFLAGS = -module -avoid-version
 all: all-am
 
 .SUFFIXES:
diff --git a/src/libstrongswan/plugins/sha1/Makefile.am b/src/libstrongswan/plugins/sha1/Makefile.am
index 5de45e4e8..ead51a45a 100644
--- a/src/libstrongswan/plugins/sha1/Makefile.am
+++ b/src/libstrongswan/plugins/sha1/Makefile.am
@@ -7,5 +7,5 @@ plugin_LTLIBRARIES = libstrongswan-sha1.la
 
 libstrongswan_sha1_la_SOURCES = sha1_plugin.h sha1_plugin.c \
 	sha1_hasher.c sha1_hasher.h sha1_prf.c sha1_prf.h
-libstrongswan_sha1_la_LDFLAGS = -module
+libstrongswan_sha1_la_LDFLAGS = -module -avoid-version
 
diff --git a/src/libstrongswan/plugins/sha1/Makefile.in b/src/libstrongswan/plugins/sha1/Makefile.in
index c8b8905bb..f1f5807ab 100644
--- a/src/libstrongswan/plugins/sha1/Makefile.in
+++ b/src/libstrongswan/plugins/sha1/Makefile.in
@@ -74,12 +74,14 @@ ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
@@ -144,6 +146,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
 VERSION = @VERSION@
 YACC = @YACC@
@@ -184,7 +187,9 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
@@ -224,7 +229,7 @@ plugin_LTLIBRARIES = libstrongswan-sha1.la
 libstrongswan_sha1_la_SOURCES = sha1_plugin.h sha1_plugin.c \
 	sha1_hasher.c sha1_hasher.h sha1_prf.c sha1_prf.h
 
-libstrongswan_sha1_la_LDFLAGS = -module
+libstrongswan_sha1_la_LDFLAGS = -module -avoid-version
 all: all-am
 
 .SUFFIXES:
diff --git a/src/libstrongswan/plugins/sha2/Makefile.am b/src/libstrongswan/plugins/sha2/Makefile.am
index 066e49476..5422e1d4e 100644
--- a/src/libstrongswan/plugins/sha2/Makefile.am
+++ b/src/libstrongswan/plugins/sha2/Makefile.am
@@ -6,5 +6,5 @@ AM_CFLAGS = -rdynamic
 plugin_LTLIBRARIES = libstrongswan-sha2.la
 
 libstrongswan_sha2_la_SOURCES = sha2_plugin.h sha2_plugin.c sha2_hasher.c sha2_hasher.h
-libstrongswan_sha2_la_LDFLAGS = -module
+libstrongswan_sha2_la_LDFLAGS = -module -avoid-version
 
diff --git a/src/libstrongswan/plugins/sha2/Makefile.in b/src/libstrongswan/plugins/sha2/Makefile.in
index f37c93502..b34286813 100644
--- a/src/libstrongswan/plugins/sha2/Makefile.in
+++ b/src/libstrongswan/plugins/sha2/Makefile.in
@@ -73,12 +73,14 @@ ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
@@ -143,6 +145,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
 VERSION = @VERSION@
 YACC = @YACC@
@@ -183,7 +186,9 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
@@ -221,7 +226,7 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan
 AM_CFLAGS = -rdynamic
 plugin_LTLIBRARIES = libstrongswan-sha2.la
 libstrongswan_sha2_la_SOURCES = sha2_plugin.h sha2_plugin.c sha2_hasher.c sha2_hasher.h
-libstrongswan_sha2_la_LDFLAGS = -module
+libstrongswan_sha2_la_LDFLAGS = -module -avoid-version
 all: all-am
 
 .SUFFIXES:
diff --git a/src/libstrongswan/plugins/sha2/sha2_hasher.c b/src/libstrongswan/plugins/sha2/sha2_hasher.c
index 0e8811cca..645f4d786 100644
--- a/src/libstrongswan/plugins/sha2/sha2_hasher.c
+++ b/src/libstrongswan/plugins/sha2/sha2_hasher.c
@@ -58,6 +58,11 @@ struct private_sha256_hasher_t {
 };
 
 
+static const u_int32_t sha224_hashInit[8] = {
+	0xc1059ed8, 0x367cd507, 0x3070dd17, 0xf70e5939, 0xffc00b31, 0x68581511,
+	0x64f98fa7, 0xbefa4fa4 
+};
+
 static const u_int32_t sha256_hashInit[8] = {
 	0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a, 0x510e527f, 0x9b05688c,
 	0x1f83d9ab, 0x5be0cd19
@@ -421,6 +426,21 @@ static void sha512_final(private_sha512_hasher_t *ctx)
 	} while(++j < 8);
 }
 
+/**
+ * Implementation of hasher_t.get_hash for SHA224.
+ */
+static void get_hash224(private_sha256_hasher_t *this, 
+						chunk_t chunk, u_int8_t *buffer)
+{
+	sha256_write(this, chunk.ptr, chunk.len);
+	if (buffer != NULL)
+	{
+		sha256_final(this);
+		memcpy(buffer, this->sha_out, HASH_SIZE_SHA224);
+		this->public.hasher_interface.reset(&(this->public.hasher_interface));
+	}
+}
+
 /**
  * Implementation of hasher_t.get_hash for SHA256.
  */
@@ -466,6 +486,25 @@ static void get_hash512(private_sha512_hasher_t *this,
 	}
 }
 
+/**
+ * Implementation of hasher_t.allocate_hash for SHA224.
+ */
+static void allocate_hash224(private_sha256_hasher_t *this, 
+							 chunk_t chunk, chunk_t *hash)
+{
+	chunk_t allocated_hash;
+	
+	sha256_write(this, chunk.ptr, chunk.len);
+	if (hash != NULL)
+	{
+		sha256_final(this);
+		allocated_hash = chunk_alloc(HASH_SIZE_SHA224);
+		memcpy(allocated_hash.ptr, this->sha_out, HASH_SIZE_SHA224);
+		this->public.hasher_interface.reset(&(this->public.hasher_interface));
+		*hash = allocated_hash;
+	}
+}
+
 /**
  * Implementation of hasher_t.allocate_hash for SHA256.
  */
@@ -523,6 +562,14 @@ static void allocate_hash512(private_sha512_hasher_t *this,
 	}
 }
 
+/**
+ * Implementation of hasher_t.get_hash_size for SHA224.
+ */
+static size_t get_hash_size224(private_sha256_hasher_t *this)
+{
+	return HASH_SIZE_SHA224;
+}
+
 /**
  * Implementation of hasher_t.get_hash_size for SHA256.
  */
@@ -547,6 +594,16 @@ static size_t get_hash_size512(private_sha512_hasher_t *this)
 	return HASH_SIZE_SHA512;
 }
 
+/**
+ * Implementation of hasher_t.reset for SHA224
+ */
+static void reset224(private_sha256_hasher_t *ctx)
+{
+	memcpy(&ctx->sha_H[0], &sha224_hashInit[0], sizeof(ctx->sha_H));
+	ctx->sha_blocks = 0;
+	ctx->sha_bufCnt = 0;
+}
+
 /**
  * Implementation of hasher_t.reset for SHA256
  */
@@ -596,6 +653,13 @@ sha2_hasher_t *sha2_hasher_create(hash_algorithm_t algorithm)
 	
 	switch (algorithm)
 	{
+		case HASH_SHA224:
+			this = (sha2_hasher_t*)malloc_thing(private_sha256_hasher_t);
+			this->hasher_interface.reset = (void(*)(hasher_t*))reset224;
+			this->hasher_interface.get_hash_size = (size_t(*)(hasher_t*))get_hash_size224;
+			this->hasher_interface.get_hash = (void(*)(hasher_t*,chunk_t,u_int8_t*))get_hash224;
+			this->hasher_interface.allocate_hash = (void(*)(hasher_t*,chunk_t,chunk_t*))allocate_hash224;
+			break;
 		case HASH_SHA256:
 			this = (sha2_hasher_t*)malloc_thing(private_sha256_hasher_t);
 			this->hasher_interface.reset = (void(*)(hasher_t*))reset256;
diff --git a/src/libstrongswan/plugins/sha2/sha2_plugin.c b/src/libstrongswan/plugins/sha2/sha2_plugin.c
index 21bc592dc..0743f7b1a 100644
--- a/src/libstrongswan/plugins/sha2/sha2_plugin.c
+++ b/src/libstrongswan/plugins/sha2/sha2_plugin.c
@@ -50,6 +50,8 @@ plugin_t *plugin_create()
 	
 	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
 	
+	lib->crypto->add_hasher(lib->crypto, HASH_SHA224,
+							(hasher_constructor_t)sha2_hasher_create);
 	lib->crypto->add_hasher(lib->crypto, HASH_SHA256,
 							(hasher_constructor_t)sha2_hasher_create);
 	lib->crypto->add_hasher(lib->crypto, HASH_SHA384,
diff --git a/src/libstrongswan/plugins/sqlite/Makefile.am b/src/libstrongswan/plugins/sqlite/Makefile.am
index 7c3017abf..f26e31294 100644
--- a/src/libstrongswan/plugins/sqlite/Makefile.am
+++ b/src/libstrongswan/plugins/sqlite/Makefile.am
@@ -7,6 +7,6 @@ plugin_LTLIBRARIES = libstrongswan-sqlite.la
 
 libstrongswan_sqlite_la_SOURCES = sqlite_plugin.h sqlite_plugin.c  \
 	sqlite_database.h sqlite_database.c
-libstrongswan_sqlite_la_LDFLAGS = -module
+libstrongswan_sqlite_la_LDFLAGS = -module -avoid-version
 libstrongswan_sqlite_la_LIBADD = -lsqlite3
 
diff --git a/src/libstrongswan/plugins/sqlite/Makefile.in b/src/libstrongswan/plugins/sqlite/Makefile.in
index 547548bd7..b59a1c343 100644
--- a/src/libstrongswan/plugins/sqlite/Makefile.in
+++ b/src/libstrongswan/plugins/sqlite/Makefile.in
@@ -75,12 +75,14 @@ ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
@@ -145,6 +147,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
 VERSION = @VERSION@
 YACC = @YACC@
@@ -185,7 +188,9 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
@@ -225,7 +230,7 @@ plugin_LTLIBRARIES = libstrongswan-sqlite.la
 libstrongswan_sqlite_la_SOURCES = sqlite_plugin.h sqlite_plugin.c  \
 	sqlite_database.h sqlite_database.c
 
-libstrongswan_sqlite_la_LDFLAGS = -module
+libstrongswan_sqlite_la_LDFLAGS = -module -avoid-version
 libstrongswan_sqlite_la_LIBADD = -lsqlite3
 all: all-am
 
diff --git a/src/libstrongswan/plugins/sqlite/sqlite_database.c b/src/libstrongswan/plugins/sqlite/sqlite_database.c
index ce873b714..6e4951f2d 100644
--- a/src/libstrongswan/plugins/sqlite/sqlite_database.c
+++ b/src/libstrongswan/plugins/sqlite/sqlite_database.c
@@ -333,7 +333,7 @@ sqlite_database_t *sqlite_database_create(char *uri)
 	this->public.db.get_driver = (db_driver_t(*)(database_t*))get_driver;
 	this->public.db.destroy = (void(*)(database_t*))destroy;
 	
-	this->mutex = mutex_create(MUTEX_RECURSIVE);
+	this->mutex = mutex_create(MUTEX_TYPE_RECURSIVE);
 	
 	if (sqlite3_open(file, &this->db) != SQLITE_OK)
 	{
diff --git a/src/libstrongswan/plugins/test_vectors/Makefile.am b/src/libstrongswan/plugins/test_vectors/Makefile.am
index 27d17c084..6028805c4 100644
--- a/src/libstrongswan/plugins/test_vectors/Makefile.am
+++ b/src/libstrongswan/plugins/test_vectors/Makefile.am
@@ -29,5 +29,5 @@ libstrongswan_test_vectors_la_SOURCES = \
 	test_vectors/sha2_hmac.c \
 	test_vectors/fips_prf.c \
 	test_vectors/rng.c
-libstrongswan_test_vectors_la_LDFLAGS = -module
+libstrongswan_test_vectors_la_LDFLAGS = -module -avoid-version
 
diff --git a/src/libstrongswan/plugins/test_vectors/Makefile.in b/src/libstrongswan/plugins/test_vectors/Makefile.in
index bb877620c..0e408ba7e 100644
--- a/src/libstrongswan/plugins/test_vectors/Makefile.in
+++ b/src/libstrongswan/plugins/test_vectors/Makefile.in
@@ -79,12 +79,14 @@ ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
@@ -149,6 +151,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
 VERSION = @VERSION@
 YACC = @YACC@
@@ -189,7 +192,9 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
@@ -251,7 +256,7 @@ libstrongswan_test_vectors_la_SOURCES = \
 	test_vectors/fips_prf.c \
 	test_vectors/rng.c
 
-libstrongswan_test_vectors_la_LDFLAGS = -module
+libstrongswan_test_vectors_la_LDFLAGS = -module -avoid-version
 all: all-am
 
 .SUFFIXES:
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors.h b/src/libstrongswan/plugins/test_vectors/test_vectors.h
index df5a9c9a8..b182dd829 100644
--- a/src/libstrongswan/plugins/test_vectors/test_vectors.h
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors.h
@@ -98,6 +98,9 @@ TEST_VECTOR_HASHER(md5_7)
 TEST_VECTOR_HASHER(sha1_1)
 TEST_VECTOR_HASHER(sha1_2)
 TEST_VECTOR_HASHER(sha1_3)
+TEST_VECTOR_HASHER(sha224_1)
+TEST_VECTOR_HASHER(sha224_2)
+TEST_VECTOR_HASHER(sha224_3)
 TEST_VECTOR_HASHER(sha256_1)
 TEST_VECTOR_HASHER(sha256_2)
 TEST_VECTOR_HASHER(sha256_3)
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors/sha2.c b/src/libstrongswan/plugins/test_vectors/test_vectors/sha2.c
index e2bd42240..4679c26b3 100644
--- a/src/libstrongswan/plugins/test_vectors/test_vectors/sha2.c
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors/sha2.c
@@ -15,6 +15,41 @@
 
 #include <crypto/crypto_tester.h>
 
+/**
+ * SHA-224 vectors from "The Secure Hash Algorithm Validation System (SHAVS)"
+ */
+hasher_test_vector_t sha224_1 = {
+	.alg = HASH_SHA224, .len = 1,
+	.data	= "\x07",
+	.hash	= "\x00\xec\xd5\xf1\x38\x42\x2b\x8a\xd7\x4c\x97\x99\xfd\x82\x6c\x53"
+			  "\x1b\xad\x2f\xca\xbc\x74\x50\xbe\xe2\xaa\x8c\x2a"
+
+};
+
+hasher_test_vector_t sha224_2 = {
+	.alg = HASH_SHA224, .len = 16,
+	.data	= "\x18\x80\x40\x05\xdd\x4f\xbd\x15\x56\x29\x9d\x6f\x9d\x93\xdf\x62",
+	.hash	= "\xdf\x90\xd7\x8a\xa7\x88\x21\xc9\x9b\x40\xba\x4c\x96\x69\x21\xac"
+			  "\xcd\x8f\xfb\x1e\x98\xac\x38\x8e\x56\x19\x1d\xb1"
+};
+
+hasher_test_vector_t sha224_3 = {
+	.alg = HASH_SHA224, .len = 163,
+	.data	= "\x55\xb2\x10\x07\x9c\x61\xb5\x3a\xdd\x52\x06\x22\xd1\xac\x97\xd5"
+			  "\xcd\xbe\x8c\xb3\x3a\xa0\xae\x34\x45\x17\xbe\xe4\xd7\xba\x09\xab"
+			  "\xc8\x53\x3c\x52\x50\x88\x7a\x43\xbe\xbb\xac\x90\x6c\x2e\x18\x37"
+			  "\xf2\x6b\x36\xa5\x9a\xe3\xbe\x78\x14\xd5\x06\x89\x6b\x71\x8b\x2a"
+			  "\x38\x3e\xcd\xac\x16\xb9\x61\x25\x55\x3f\x41\x6f\xf3\x2c\x66\x74"
+			  "\xc7\x45\x99\xa9\x00\x53\x86\xd9\xce\x11\x12\x24\x5f\x48\xee\x47"
+			  "\x0d\x39\x6c\x1e\xd6\x3b\x92\x67\x0c\xa5\x6e\xc8\x4d\xee\xa8\x14"
+			  "\xb6\x13\x5e\xca\x54\x39\x2b\xde\xdb\x94\x89\xbc\x9b\x87\x5a\x8b"
+			  "\xaf\x0d\xc1\xae\x78\x57\x36\x91\x4a\xb7\xda\xa2\x64\xbc\x07\x9d"
+			  "\x26\x9f\x2c\x0d\x7e\xdd\xd8\x10\xa4\x26\x14\x5a\x07\x76\xf6\x7c"
+			  "\x87\x82\x73",
+	.hash	= "\x0b\x31\x89\x4e\xc8\x93\x7a\xd9\xb9\x1b\xdf\xbc\xba\x29\x4d\x9a"
+			  "\xde\xfa\xa1\x8e\x09\x30\x5e\x9f\x20\xd5\xc3\xa4"
+};
+
 /**
  * SHA-256 vectors from "The Secure Hash Algorithm Validation System (SHAVS)"
  */
diff --git a/src/libstrongswan/plugins/x509/Makefile.am b/src/libstrongswan/plugins/x509/Makefile.am
index 3f9f85c36..e9668b4e4 100644
--- a/src/libstrongswan/plugins/x509/Makefile.am
+++ b/src/libstrongswan/plugins/x509/Makefile.am
@@ -12,5 +12,5 @@ libstrongswan_x509_la_SOURCES = x509_plugin.h x509_plugin.c \
   x509_ocsp_request.h x509_ocsp_request.c \
   x509_ocsp_response.h x509_ocsp_response.c \
   ietf_attr_list.h ietf_attr_list.c
-libstrongswan_x509_la_LDFLAGS = -module
+libstrongswan_x509_la_LDFLAGS = -module -avoid-version
 
diff --git a/src/libstrongswan/plugins/x509/Makefile.in b/src/libstrongswan/plugins/x509/Makefile.in
index 0c62ad3b3..56cb04769 100644
--- a/src/libstrongswan/plugins/x509/Makefile.in
+++ b/src/libstrongswan/plugins/x509/Makefile.in
@@ -75,12 +75,14 @@ ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
@@ -145,6 +147,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
 VERSION = @VERSION@
 YACC = @YACC@
@@ -185,7 +188,9 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
@@ -230,7 +235,7 @@ libstrongswan_x509_la_SOURCES = x509_plugin.h x509_plugin.c \
   x509_ocsp_response.h x509_ocsp_response.c \
   ietf_attr_list.h ietf_attr_list.c
 
-libstrongswan_x509_la_LDFLAGS = -module
+libstrongswan_x509_la_LDFLAGS = -module -avoid-version
 all: all-am
 
 .SUFFIXES:
diff --git a/src/libstrongswan/plugins/xcbc/Makefile.am b/src/libstrongswan/plugins/xcbc/Makefile.am
index 1b10d21f8..515b75031 100644
--- a/src/libstrongswan/plugins/xcbc/Makefile.am
+++ b/src/libstrongswan/plugins/xcbc/Makefile.am
@@ -7,5 +7,5 @@ plugin_LTLIBRARIES = libstrongswan-xcbc.la
 
 libstrongswan_xcbc_la_SOURCES = xcbc_plugin.h xcbc_plugin.c xcbc.h xcbc.c \
 	xcbc_prf.h xcbc_prf.c xcbc_signer.h xcbc_signer.c
-libstrongswan_xcbc_la_LDFLAGS = -module
+libstrongswan_xcbc_la_LDFLAGS = -module -avoid-version
 
diff --git a/src/libstrongswan/plugins/xcbc/Makefile.in b/src/libstrongswan/plugins/xcbc/Makefile.in
index 82ef55bd5..1d4e39586 100644
--- a/src/libstrongswan/plugins/xcbc/Makefile.in
+++ b/src/libstrongswan/plugins/xcbc/Makefile.in
@@ -74,12 +74,14 @@ ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
@@ -144,6 +146,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
 VERSION = @VERSION@
 YACC = @YACC@
@@ -184,7 +187,9 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
@@ -224,7 +229,7 @@ plugin_LTLIBRARIES = libstrongswan-xcbc.la
 libstrongswan_xcbc_la_SOURCES = xcbc_plugin.h xcbc_plugin.c xcbc.h xcbc.c \
 	xcbc_prf.h xcbc_prf.c xcbc_signer.h xcbc_signer.c
 
-libstrongswan_xcbc_la_LDFLAGS = -module
+libstrongswan_xcbc_la_LDFLAGS = -module -avoid-version
 all: all-am
 
 .SUFFIXES:
diff --git a/src/libstrongswan/utils.c b/src/libstrongswan/utils.c
index 4a0eff45f..305841172 100644
--- a/src/libstrongswan/utils.c
+++ b/src/libstrongswan/utils.c
@@ -20,6 +20,7 @@
 #include <string.h>
 #include <stdio.h>
 #include <unistd.h>
+#include <stdint.h>
 #include <limits.h>
 #include <dirent.h>
 #include <time.h>
@@ -58,20 +59,43 @@ void *clalloc(void * pointer, size_t size)
 /**
  * Described in header.
  */
-void memxor(u_int8_t dest[], u_int8_t src[], size_t n)
+void memxor(u_int8_t dst[], u_int8_t src[], size_t n)
 {
-	int i = 0, m;
+	int m, i;
 	
-	m = n - sizeof(long);
-	while (i < m)
+	/* byte wise XOR until dst aligned */
+	for (i = 0; (uintptr_t)&dst[i] % sizeof(long); i++)
 	{
-		*(long*)(dest + i) ^= *(long*)(src + i);
-		i += sizeof(long);
+		dst[i] ^= src[i];
 	}
-	while (i < n)
+	/* try to use words if src shares an aligment with dst */
+	switch (((uintptr_t)&src[i] % sizeof(long)))
 	{
-		dest[i] ^= src[i];
-		i++;
+		case 0:
+			for (m = n - sizeof(long); i <= m; i += sizeof(long))
+			{
+				*(long*)&dst[i] ^= *(long*)&src[i];
+			}
+			break;
+		case sizeof(int):
+			for (m = n - sizeof(int); i <= m; i += sizeof(int))
+			{
+				*(int*)&dst[i] ^= *(int*)&src[i];
+			}
+			break;
+		case sizeof(short):
+			for (m = n - sizeof(short); i <= m; i += sizeof(short))
+			{
+				*(short*)&dst[i] ^= *(short*)&src[i];
+			}
+			break;
+		default:
+			break;
+	}
+	/* byte wise XOR of the rest */
+	for (; i < n; i++)
+	{
+		dst[i] ^= src[i];
 	}
 }
 
diff --git a/src/libstrongswan/utils.h b/src/libstrongswan/utils.h
index debd0145b..5d273d272 100644
--- a/src/libstrongswan/utils.h
+++ b/src/libstrongswan/utils.h
@@ -28,6 +28,16 @@
 
 #include <enum.h>
 
+/**
+ * strongSwan program return codes
+ */
+#define SS_RC_LIBSTRONGSWAN_INTEGRITY	64
+#define SS_RC_DAEMON_INTEGRITY			65
+#define SS_RC_INITIALIZATION_FAILED		66
+
+#define SS_RC_FIRST	SS_RC_LIBSTRONGSWAN_INTEGRITY
+#define SS_RC_LAST	SS_RC_INITIALIZATION_FAILED
+
 /**
  * Number of bits in a byte
  */
@@ -134,6 +144,19 @@
 # define TRUE  true
 #endif /* TRUE */
 
+/**
+ * define some missing fixed width int types on OpenSolaris.
+ * TODO: since the uintXX_t types are defined by the C99 standard we should
+ * probably use those anyway
+ */
+#ifdef __sun
+        #include <stdint.h>
+        typedef uint8_t         u_int8_t;
+        typedef uint16_t        u_int16_t;
+        typedef uint32_t        u_int32_t;
+        typedef uint64_t        u_int64_t;
+#endif
+
 typedef enum status_t status_t;
 
 /**
diff --git a/src/libstrongswan/utils/enumerator.c b/src/libstrongswan/utils/enumerator.c
index 24bafe66a..08522b8d5 100644
--- a/src/libstrongswan/utils/enumerator.c
+++ b/src/libstrongswan/utils/enumerator.c
@@ -408,7 +408,7 @@ typedef struct {
 /**
  * Implementation of enumerator_create_filter().destroy
  */
-void destroy_filter(filter_enumerator_t *this)
+static void destroy_filter(filter_enumerator_t *this)
 {
 	if (this->destructor)
 	{
@@ -421,8 +421,8 @@ void destroy_filter(filter_enumerator_t *this)
 /**
  * Implementation of enumerator_create_filter().enumerate
  */
-bool enumerate_filter(filter_enumerator_t *this, void *o1, void *o2,
-					  void *o3, void *o4, void *o5)
+static bool enumerate_filter(filter_enumerator_t *this, void *o1, void *o2,
+							 void *o3, void *o4, void *o5)
 {
 	void *i1, *i2, *i3, *i4, *i5;
 
diff --git a/src/libstrongswan/utils/host.c b/src/libstrongswan/utils/host.c
index 484de5e54..661bec315 100644
--- a/src/libstrongswan/utils/host.c
+++ b/src/libstrongswan/utils/host.c
@@ -17,6 +17,7 @@
  */
 
 #define _GNU_SOURCE
+#include <sys/socket.h>
 #include <netdb.h>
 #include <string.h>
 
@@ -430,19 +431,43 @@ host_t *host_create_from_string(char *string, u_int16_t port)
 	return NULL;
 }
 
+/*
+ * Described in header.
+ */
+host_t *host_create_from_sockaddr(sockaddr_t *sockaddr)
+{
+	private_host_t *this = host_create_empty();
+	
+	switch (sockaddr->sa_family)
+	{
+		case AF_INET:
+		{
+			memcpy(&this->address4, sockaddr, sizeof(struct sockaddr_in));
+			this->socklen = sizeof(struct sockaddr_in);
+			return &this->public;
+		}
+		case AF_INET6:
+		{
+			memcpy(&this->address6, sockaddr, sizeof(struct sockaddr_in6));
+			this->socklen = sizeof(struct sockaddr_in6);
+			return &this->public;
+		}
+		default:
+			break;
+	}
+	free(this);
+	return NULL;
+}
+
 /*
  * Described in header.
  */
 host_t *host_create_from_dns(char *string, int af, u_int16_t port)
 {
 	private_host_t *this;
-	struct hostent *ptr;
-	int ret = 0, err;
-#ifdef HAVE_GETHOSTBYNAME_R
-	struct hostent host;
-	char buf[512];
-#endif
-
+	struct addrinfo hints, *result;
+	int error;
+	
 	if (streq(string, "%any"))
 	{
 		return host_create_any_port(af ? af : AF_INET, port);
@@ -451,62 +476,32 @@ host_t *host_create_from_dns(char *string, int af, u_int16_t port)
 	{
 		return host_create_any_port(af ? af : AF_INET6, port);
 	}
-	else if (strchr(string, ':'))
-	{
-		/* gethostbyname does not like IPv6 addresses - fallback */
-		return host_create_from_string(string, port);
-	}
-
-#ifdef HAVE_GETHOSTBYNAME_R
-	if (af)
-	{
-		ret = gethostbyname2_r(string, af, &host, buf, sizeof(buf), &ptr, &err);
-	}
-	else
-	{
-		ret = gethostbyname_r(string, &host, buf, sizeof(buf), &ptr, &err);
-	}
-#else
-	/* Some systems (e.g. Mac OS X) do not support gethostbyname_r */
-	if (af)
-	{
-		ptr = gethostbyname2(string, af);
-	}
-	else
-	{
-		ptr = gethostbyname(string);
-	}
-	if (ptr == NULL)
-	{
-		err = h_errno;
-	}
-#endif
-	if (ret != 0 || ptr == NULL)
+	
+	memset(&hints, 0, sizeof(hints));
+	hints.ai_family = af;
+	error = getaddrinfo(string, NULL, &hints, &result);
+	if (error != 0)
 	{
-		DBG1("resolving '%s' failed: %s", string, hstrerror(err));
+		DBG1("resolving '%s' failed: %s", string, gai_strerror(error));
 		return NULL;
 	}
-	this = host_create_empty();
-	this->address.sa_family = ptr->h_addrtype;
-	switch (this->address.sa_family)
+	/* result is a linked list, but we use only the first address */
+	this = (private_host_t*)host_create_from_sockaddr(result->ai_addr);
+	freeaddrinfo(result);
+	if (this)
 	{
-		case AF_INET:
-			memcpy(&this->address4.sin_addr.s_addr,
-				   ptr->h_addr_list[0], ptr->h_length);
-			this->address4.sin_port = htons(port);
-			this->socklen = sizeof(struct sockaddr_in);
-			break;
-		case AF_INET6:
-			memcpy(&this->address6.sin6_addr.s6_addr,
-				   ptr->h_addr_list[0], ptr->h_length);
-			this->address6.sin6_port = htons(port);
-			this->socklen = sizeof(struct sockaddr_in6);
-			break;
-		default:
-			free(this);
-			return NULL;
+		switch (this->address.sa_family)
+		{
+			case AF_INET:
+				this->address4.sin_port = htons(port);
+				break;
+			case AF_INET6:
+				this->address6.sin6_port = htons(port);
+				break;
+		}
+		return &this->public;
 	}
-	return &this->public;
+	return NULL;
 }
 
 /*
@@ -566,34 +561,6 @@ host_t *host_create_from_chunk(int family, chunk_t address, u_int16_t port)
 	return &this->public;
 }
 
-/*
- * Described in header.
- */
-host_t *host_create_from_sockaddr(sockaddr_t *sockaddr)
-{
-	private_host_t *this = host_create_empty();
-	
-	switch (sockaddr->sa_family)
-	{
-		case AF_INET:
-		{
-			memcpy(&this->address4, sockaddr, sizeof(struct sockaddr_in));
-			this->socklen = sizeof(struct sockaddr_in);
-			return &this->public;
-		}
-		case AF_INET6:
-		{
-			memcpy(&this->address6, sockaddr, sizeof(struct sockaddr_in6));
-			this->socklen = sizeof(struct sockaddr_in6);
-			return &this->public;
-		}
-		default:
-			break;
-	}
-	free(this);
-	return NULL;
-}
-
 /*
  * Described in header.
  */
diff --git a/src/libstrongswan/utils/identification.c b/src/libstrongswan/utils/identification.c
index 1c04c97ef..10daf4679 100644
--- a/src/libstrongswan/utils/identification.c
+++ b/src/libstrongswan/utils/identification.c
@@ -21,7 +21,6 @@
 #include <arpa/inet.h>
 #include <string.h>
 #include <stdio.h>
-#include <ctype.h>
 
 #include "identification.h"
 
@@ -122,365 +121,216 @@ struct private_identification_t {
 	id_type_t type;
 };
 
-static private_identification_t *identification_create(void);
-
 /**
- * updates a chunk (!????)
- * TODO: We should reconsider this stuff, its not really clear
+ * Enumerator over RDNs
  */
-static void update_chunk(chunk_t *ch, int n)
-{
-	n = (n > -1 && n < (int)ch->len)? n : (int)ch->len-1;
-	ch->ptr += n; ch->len -= n;
-}
+typedef struct {
+	/* implements enumerator interface */
+	enumerator_t public;
+	/* next set to parse, if any */
+	chunk_t sets;
+	/* next sequence in set, if any */
+	chunk_t seqs;
+} rdn_enumerator_t;
 
 /**
- * Remove any malicious characters from a chunk. We are very restrictive, but
- * whe use these strings only to present it to the user.
+ * Implementation of rdn_enumerator_t.enumerate
  */
-static bool sanitize_chunk(chunk_t chunk, chunk_t *clone)
+static bool rdn_enumerate(rdn_enumerator_t *this, chunk_t *oid,
+						  u_char *type, chunk_t *data)
 {
-	char *pos;
-	bool all_printable = TRUE;
-	
-	*clone = chunk_clone(chunk);
+	chunk_t rdn;
 	
-	for (pos = clone->ptr; pos < (char*)(clone->ptr + clone->len); pos++)
+	/* a DN contains one or more SET, each containing one or more SEQUENCES,
+	 * each containing a OID/value RDN */
+	if (!this->seqs.len)
 	{
-		if (!isprint(*pos))
+		/* no SEQUENCEs in current SET, parse next SET */
+		if (asn1_unwrap(&this->sets, &this->seqs) != ASN1_SET)
 		{
-			*pos = '?';
-			all_printable = FALSE;
+			return FALSE;
+		}
+	}
+	if (asn1_unwrap(&this->seqs, &rdn) == ASN1_SEQUENCE &&
+		asn1_unwrap(&rdn, oid) == ASN1_OID)
+	{
+		int t = asn1_unwrap(&rdn, data);
+		
+		if (t != ASN1_INVALID)
+		{
+			*type = t;
+			return TRUE;
 		}
 	}
-	return all_printable;
+	return FALSE;
 }
 
 /**
- * Pointer is set to the first RDN in a DN
+ * Create an enumerator over all RDNs (oid, string type, data) of a DN
  */
-static bool init_rdn(chunk_t dn, chunk_t *rdn, chunk_t *attribute, bool *next)
+static enumerator_t* create_rdn_enumerator(chunk_t dn)
 {
-	*rdn = chunk_empty;
-	*attribute = chunk_empty;
+	rdn_enumerator_t *e = malloc_thing(rdn_enumerator_t);
 	
-	/* a DN is a SEQUENCE OF RDNs */
-	if (*dn.ptr != ASN1_SEQUENCE)
-	{
-		/* DN is not a SEQUENCE */
-		return FALSE;
-	}
+	e->public.enumerate = (void*)rdn_enumerate;
+	e->public.destroy = (void*)free;
 	
-	rdn->len = asn1_length(&dn);
-	
-	if (rdn->len == ASN1_INVALID_LENGTH)
+	/* a DN is a SEQUENCE, get the first SET of it */
+	if (asn1_unwrap(&dn, &e->sets) == ASN1_SEQUENCE)
 	{
-		/* Invalid RDN length */
-		return FALSE;
+		e->seqs = chunk_empty;
+		return &e->public;
 	}
-	
-	rdn->ptr = dn.ptr;
-	
-	/* are there any RDNs ? */
-	*next = rdn->len > 0;
-	
-	return TRUE;
+	free(e);
+	return enumerator_create_empty();
 }
 
 /**
- * Fetches the next RDN in a DN
+ * Part enumerator over RDNs
+ */
+typedef struct {
+	/* implements enumerator interface */
+	enumerator_t public;
+	/* inner RDN enumerator */
+	enumerator_t *inner;
+} rdn_part_enumerator_t;
+
+/**
+ * Implementation of rdn_part_enumerator_t.enumerate().
  */
-static bool get_next_rdn(chunk_t *rdn, chunk_t * attribute, chunk_t *oid,
-						 chunk_t *value, asn1_t *type, bool *next)
+static bool rdn_part_enumerate(rdn_part_enumerator_t *this,
+							   id_part_t *type, chunk_t *data)
 {
-	chunk_t body;
+	int i, known_oid, strtype;
+	chunk_t oid, inner_data;
+	static const struct {
+		int oid;
+		id_part_t type;
+	} oid2part[] = {
+		{OID_COMMON_NAME,		ID_PART_RDN_CN},
+		{OID_SURNAME,			ID_PART_RDN_S},
+		{OID_SERIAL_NUMBER,		ID_PART_RDN_SN},
+		{OID_COUNTRY,			ID_PART_RDN_C},
+		{OID_LOCALITY,			ID_PART_RDN_L},
+		{OID_STATE_OR_PROVINCE,	ID_PART_RDN_ST},
+		{OID_ORGANIZATION,		ID_PART_RDN_O},
+		{OID_ORGANIZATION_UNIT,	ID_PART_RDN_OU},
+		{OID_TITLE,				ID_PART_RDN_T},
+		{OID_DESCRIPTION,		ID_PART_RDN_D},
+		{OID_NAME,				ID_PART_RDN_N},
+		{OID_GIVEN_NAME,		ID_PART_RDN_G},
+		{OID_INITIALS,			ID_PART_RDN_I},
+		{OID_UNIQUE_IDENTIFIER,	ID_PART_RDN_ID},
+		{OID_EMAIL_ADDRESS,		ID_PART_RDN_E},
+		{OID_EMPLOYEE_NUMBER,	ID_PART_RDN_EN},
+	};
 	
-	/* initialize return values */
-	*oid   = chunk_empty;
-	*value = chunk_empty;
-	
-	/* if all attributes have been parsed, get next rdn */
-	if (attribute->len <= 0)
+	while (this->inner->enumerate(this->inner, &oid, &strtype, &inner_data))
 	{
-		/* an RDN is a SET OF attributeTypeAndValue */
-		if (*rdn->ptr != ASN1_SET)
+		known_oid = asn1_known_oid(oid);
+		for (i = 0; i < countof(oid2part); i++)
 		{
-			/* RDN is not a SET */
-			return FALSE;
-		}
-		attribute->len = asn1_length(rdn);
-		if (attribute->len == ASN1_INVALID_LENGTH)
-		{
-			/* Invalid attribute length */
-			return FALSE;
+			if (oid2part[i].oid == known_oid)
+			{
+				*type = oid2part[i].type;
+				*data = inner_data;
+				return TRUE;
+			}
 		}
-		attribute->ptr = rdn->ptr;
-		/* advance to start of next RDN */
-		rdn->ptr += attribute->len;
-		rdn->len -= attribute->len;
-	}
-	
-	/* an attributeTypeAndValue is a SEQUENCE */
-	if (*attribute->ptr != ASN1_SEQUENCE)
-	{
-		/* attributeTypeAndValue is not a SEQUENCE */
-		return FALSE;
 	}
-	
-	/* extract the attribute body */
-	body.len = asn1_length(attribute);
-	
-	if (body.len == ASN1_INVALID_LENGTH)
-	{
-		/* Invalid attribute body length */
-		return FALSE;
-	}
-	
-	body.ptr = attribute->ptr;
-	
-	/* advance to start of next attribute */
-	attribute->ptr += body.len;
-	attribute->len -= body.len;
-	
-	/* attribute type is an OID */
-	if (*body.ptr != ASN1_OID)
-	{
-		/* attributeType is not an OID */
-		return FALSE;
-	}
-	/* extract OID */
-	oid->len = asn1_length(&body);
-	
-	if (oid->len == ASN1_INVALID_LENGTH)
-	{
-		/* Invalid attribute OID length */
-		return FALSE;
-	}
-	oid->ptr = body.ptr;
-	
-	/* advance to the attribute value */
-	body.ptr += oid->len;
-	body.len -= oid->len;
-
-	/* extract string type */
-	*type = *body.ptr;
-	
-	/* extract string value */
-	value->len = asn1_length(&body);
-	
-	if (value->len == ASN1_INVALID_LENGTH)
-	{
-		/* Invalid attribute string length */
-		return FALSE;
-	}
-	value->ptr = body.ptr;
-	
-	/* are there any RDNs left? */
-	*next = rdn->len > 0 || attribute->len > 0;
-	return TRUE;
+	return FALSE;
 }
 
 /**
- * Parses an ASN.1 distinguished name int its OID/value pairs
+ * Implementation of rdn_part_enumerator_t.destroy().
  */
-static bool dntoa(chunk_t dn, chunk_t *str)
+static void rdn_part_enumerator_destroy(rdn_part_enumerator_t *this)
 {
-	chunk_t rdn, oid, attribute, value, proper;
-	asn1_t type;
-	int oid_code;
-	bool next;
-	bool first = TRUE;
-	
-	if (!init_rdn(dn, &rdn, &attribute, &next))
-	{
-		return FALSE;
-	}
-	
-	while (next)
-	{
-		if (!get_next_rdn(&rdn, &attribute, &oid, &value, &type, &next))
-		{
-			return FALSE;
-		}
-		
-		if (first) 
-		{ /* first OID/value pair */
-			first = FALSE;
-		}
-		else
-		{ /* separate OID/value pair by a comma */
-			update_chunk(str, snprintf(str->ptr,str->len,", "));
-		}
-		
-		/* print OID */
-		oid_code = asn1_known_oid(oid);
-		if (oid_code == OID_UNKNOWN)
-		{
-			update_chunk(str, snprintf(str->ptr,str->len,"0x#B", &oid));
-		}
-		else
-		{
-			update_chunk(str, snprintf(str->ptr,str->len,"%s", oid_names[oid_code].name));
-		}
-		/* print value */
-		sanitize_chunk(value, &proper);
-		update_chunk(str, snprintf(str->ptr,str->len,"=%.*s", (int)proper.len, proper.ptr));
-		chunk_free(&proper);
-	}
-	return TRUE;
+	this->inner->destroy(this->inner);
+	free(this);
 }
 
 /**
- * compare two distinguished names by
- * comparing the individual RDNs
+ * Implementation of identification_t.create_part_enumerator
  */
-static bool same_dn(chunk_t a, chunk_t b)
+static enumerator_t* create_part_enumerator(private_identification_t *this)
 {
-	chunk_t rdn_a, rdn_b, attribute_a, attribute_b;
-	chunk_t oid_a, oid_b, value_a, value_b;
-	asn1_t type_a, type_b;
-	bool next_a, next_b;
-	
-	/* same lengths for the DNs */
-	if (a.len != b.len)
-	{
-		return FALSE;
-	}
-	/* try a binary comparison first */
-	if (memeq(a.ptr, b.ptr, b.len))
-	{
-		return TRUE;
-	}
-	/* initialize DN parsing */
-	if (!init_rdn(a, &rdn_a, &attribute_a, &next_a) ||
-		!init_rdn(b, &rdn_b, &attribute_b, &next_b))
-	{
-		return FALSE;
-	}
-	
-	/* fetch next RDN pair */
-	while (next_a && next_b)
+	switch (this->type)
 	{
-		/* parse next RDNs and check for errors */
-		if (!get_next_rdn(&rdn_a, &attribute_a, &oid_a, &value_a, &type_a, &next_a) || 
-			!get_next_rdn(&rdn_b, &attribute_b, &oid_b, &value_b, &type_b, &next_b))
-		{
-			return FALSE;
-		}
-		
-		/* OIDs must agree */
-		if (oid_a.len != oid_b.len || !memeq(oid_a.ptr, oid_b.ptr, oid_b.len))
-		{
-			return FALSE;
-		}
-		
-		/* same lengths for values */
-		if (value_a.len != value_b.len)
-		{
-			return FALSE;
-		}
-		
-		/* printableStrings and email RDNs require uppercase comparison */
-		if (type_a == type_b && (type_a == ASN1_PRINTABLESTRING ||
-			(type_a == ASN1_IA5STRING && asn1_known_oid(oid_a) == OID_PKCS9_EMAIL)))
-		{
-			if (strncasecmp(value_a.ptr, value_b.ptr, value_b.len) != 0)
-			{
-				return FALSE;
-			}
-		}
-		else
+		case ID_DER_ASN1_DN:
 		{
-			if (!strneq(value_a.ptr, value_b.ptr, value_b.len))
-			{
-				return FALSE;	
-			}
+			rdn_part_enumerator_t *e = malloc_thing(rdn_part_enumerator_t);
+			
+			e->inner = create_rdn_enumerator(this->encoded);
+			e->public.enumerate = (void*)rdn_part_enumerate;
+			e->public.destroy = (void*)rdn_part_enumerator_destroy;
+			
+			return &e->public;
 		}
+		case ID_RFC822_ADDR:
+			/* TODO */
+		case ID_FQDN:
+			/* TODO */
+		default:
+			return enumerator_create_empty();
 	}
-	/* both DNs must have same number of RDNs */
-	if (next_a || next_b)
-	{
-		return FALSE;
-	}
-	/* the two DNs are equal! */
-	return TRUE;
 }
 
-
 /**
- * compare two distinguished names by comparing the individual RDNs.
- * A single'*' character designates a wildcard RDN in DN b.
- * TODO: Add support for different RDN order in DN !!
+ * Print a DN with all its RDN in a buffer to present it to the user
  */
-bool match_dn(chunk_t a, chunk_t b, int *wildcards)
+static void dntoa(chunk_t dn, char *buf, size_t len)
 {
-	chunk_t rdn_a, rdn_b, attribute_a, attribute_b;
-	chunk_t oid_a, oid_b, value_a, value_b;
-	asn1_t type_a,  type_b;
-	bool next_a, next_b;
-	
-	/* initialize wildcard counter */
-	*wildcards = 0;
-	
-	/* initialize DN parsing */
-	if (!init_rdn(a, &rdn_a, &attribute_a, &next_a) ||
-		!init_rdn(b, &rdn_b, &attribute_b, &next_b))
-	{
-		return FALSE;
-	}
+	enumerator_t *e;
+	chunk_t oid_data, data;
+	u_char type;
+	int oid, written;
+	bool finished = FALSE;
 	
-	/* fetch next RDN pair */
-	while (next_a && next_b)
+	e = create_rdn_enumerator(dn);
+	while (e->enumerate(e, &oid_data, &type, &data))
 	{
-		/* parse next RDNs and check for errors */
-		if (!get_next_rdn(&rdn_a, &attribute_a, &oid_a, &value_a, &type_a, &next_a) ||
-			!get_next_rdn(&rdn_b, &attribute_b, &oid_b, &value_b, &type_b, &next_b))
+		oid = asn1_known_oid(oid_data);
+		
+		if (oid == OID_UNKNOWN)
 		{
-			return FALSE;
+			written = snprintf(buf, len, "%#B=", &oid_data);
 		}
-		/* OIDs must agree */
-		if (oid_a.len != oid_b.len || memcmp(oid_a.ptr, oid_b.ptr, oid_b.len) != 0)
+		else
 		{
-			return FALSE;
+			written = snprintf(buf, len,"%s=", oid_names[oid].name);
 		}
+		buf += written;
+		len -= written;
 		
-		/* does rdn_b contain a wildcard? */
-		if (value_b.len == 1 && *value_b.ptr == '*')
+		if (chunk_printable(data, NULL, '?'))
 		{
-			(*wildcards)++;
-			continue;
+			written = snprintf(buf, len, "%.*s", data.len, data.ptr);
 		}
-		/* same lengths for values */
-		if (value_a.len != value_b.len)
+		else
 		{
-			return FALSE;
+			written = snprintf(buf, len, "%#B", &data);
 		}
+		buf += written;
+		len -= written;
 		
-		/* printableStrings and email RDNs require uppercase comparison */
-		if (type_a == type_b && (type_a == ASN1_PRINTABLESTRING ||
-			(type_a == ASN1_IA5STRING && asn1_known_oid(oid_a) == OID_PKCS9_EMAIL)))
+		if (data.ptr + data.len != dn.ptr + dn.len)
 		{
-			if (strncasecmp(value_a.ptr, value_b.ptr, value_b.len) != 0)
-			{
-				return FALSE;
-			}
+			written = snprintf(buf, len, ", ");
+			buf += written;
+			len -= written;
 		}
 		else
 		{
-			if (!strneq(value_a.ptr, value_b.ptr, value_b.len))
-			{
-				return FALSE;
-			}
+			finished = TRUE;
+			break;
 		}
 	}
-	/* both DNs must have same number of RDNs */
-	if (next_a || next_b)
+	if (!finished)
 	{
-		return FALSE;
+		snprintf(buf, len, "(invalid ID_DER_ASN1_DN)");
 	}
-	/* the two DNs match! */
-	*wildcards = min(*wildcards, ID_MATCH_ONE_WILDCARD - ID_MATCH_MAX_WILDCARDS);
-	return TRUE;
+	e->destroy(e);
 }
 
 /**
@@ -648,53 +498,34 @@ static id_type_t get_type(private_identification_t *this)
 }
 
 /**
- * Implementation of identification_t.contains_wildcards fro ID_DER_ASN1_DN.
+ * Implementation of identification_t.contains_wildcards for ID_DER_ASN1_DN.
  */
 static bool contains_wildcards_dn(private_identification_t *this)
 {
-	chunk_t rdn, attribute;
-	chunk_t oid, value;
-	asn1_t type;
-	bool next;
+	enumerator_t *enumerator;
+	bool contains = FALSE;
+	id_part_t type;
+	chunk_t data;
 	
-	if (!init_rdn(this->encoded, &rdn, &attribute, &next))
-	{
-		return FALSE;
-	}	
-	/* fetch next RDN */
-	while (next)
+	enumerator = create_part_enumerator(this);
+	while (enumerator->enumerate(enumerator, &type, &data))
 	{
-		/* parse next RDN and check for errors */
-		if (!get_next_rdn(&rdn, &attribute, &oid, &value, &type, &next))
-		{
-			return FALSE;
-		}
-		/* check if RDN is a wildcard */
-		if (value.len == 1 && *value.ptr == '*')
+		if (data.len == 1 && data.ptr[0] == '*')
 		{
-			return TRUE;
+			contains = TRUE;
+			break;
 		}
 	}
-	return FALSE;
+	enumerator->destroy(enumerator);
+	return contains;
 }
 
 /**
- * Implementation of identification_t.contains_wildcards.
+ * Implementation of identification_t.contains_wildcards using memchr(*).
  */
-static bool contains_wildcards(private_identification_t *this)
+static bool contains_wildcards_memchr(private_identification_t *this)
 {
-	switch (this->type)
-	{
-		case ID_ANY:
-			return TRUE;
-		case ID_FQDN:
-		case ID_RFC822_ADDR:
-			return memchr(this->encoded.ptr, '*', this->encoded.len) != NULL;
-		case ID_DER_ASN1_DN:
-			return contains_wildcards_dn(this);
-		default:
-			return FALSE;
-	}
+	return memchr(this->encoded.ptr, '*', this->encoded.len) != NULL;
 }
 
 /**
@@ -711,7 +542,96 @@ static bool equals_binary(private_identification_t *this, private_identification
 		}
 		return chunk_equals(this->encoded, other->encoded);
 	}
-	return FALSE;						
+	return FALSE;
+}
+
+/**
+ * Compare to DNs, for equality if wc == NULL, for match otherwise
+ */
+static bool compare_dn(chunk_t t_dn, chunk_t o_dn, int *wc)
+{
+	enumerator_t *t, *o;
+	chunk_t t_oid, o_oid, t_data, o_data;
+	u_char t_type, o_type;
+	bool t_next, o_next, finished = FALSE;
+	
+	if (wc)
+	{
+		*wc = 0;
+	}
+	else
+	{
+		if (t_dn.len != o_dn.len)
+		{
+			return FALSE;
+		}
+	}
+	/* try a binary compare */
+	if (memeq(t_dn.ptr, o_dn.ptr, t_dn.len))
+	{
+		return TRUE;
+	}
+	
+	t = create_rdn_enumerator(t_dn);
+	o = create_rdn_enumerator(o_dn);
+	while (TRUE)
+	{
+		t_next = t->enumerate(t, &t_oid, &t_type, &t_data);
+		o_next = o->enumerate(o, &o_oid, &o_type, &o_data);
+		
+		if (!o_next && !t_next)
+		{
+			break;
+		}
+		finished = FALSE;
+		if (o_next != t_next)
+		{
+			break;
+		}
+		if (!chunk_equals(t_oid, o_oid))
+		{
+			break;
+		}
+		if (wc && o_data.len == 1 && o_data.ptr[0] == '*')
+		{
+			(*wc)++;
+		}
+		else
+		{
+			if (t_data.len != o_data.len)
+			{
+				break;
+			}
+			if (t_type == o_type &&
+				(t_type == ASN1_PRINTABLESTRING ||
+				 (t_type == ASN1_IA5STRING &&
+				  (asn1_known_oid(t_oid) == OID_PKCS9_EMAIL ||
+				   asn1_known_oid(t_oid) == OID_EMAIL_ADDRESS))))
+			{	/* ignore case for printableStrings and email RDNs */
+				if (strncasecmp(t_data.ptr, o_data.ptr, t_data.len) != 0)
+				{
+					break;
+				}
+			}
+			else
+			{	/* respect case and length for everything else */
+				if (!memeq(t_data.ptr, o_data.ptr, t_data.len))
+				{
+					break;
+				}
+			}
+		}
+		/* the enumerator returns FALSE on parse error, we are finished
+		 * if we have reached the end of the DN only */
+		if ((t_data.ptr + t_data.len == t_dn.ptr + t_dn.len) &&
+			(o_data.ptr + o_data.len == o_dn.ptr + o_dn.len))
+		{
+			finished = TRUE;
+		}
+	}
+	t->destroy(t);
+	o->destroy(o);
+	return finished;
 }
 
 /**
@@ -720,7 +640,7 @@ static bool equals_binary(private_identification_t *this, private_identification
 static bool equals_dn(private_identification_t *this,
 					  private_identification_t *other)
 {
-	return same_dn(this->encoded, other->encoded);
+	return compare_dn(this->encoded, other->encoded, NULL);
 }
 
 /**
@@ -764,7 +684,7 @@ static id_match_t matches_binary(private_identification_t *this,
  * Checks for a wildcard in other-string, and compares it against this-string.
  */
 static id_match_t matches_string(private_identification_t *this,
-						   private_identification_t *other)
+								 private_identification_t *other)
 {
 	u_int len = other->encoded.len;
 	
@@ -824,7 +744,7 @@ static id_match_t matches_dn(private_identification_t *this,
 							 private_identification_t *other)
 {
 	int wc;
-
+	
 	if (other->type == ID_ANY)
 	{
 		return ID_MATCH_ANY;
@@ -832,8 +752,9 @@ static id_match_t matches_dn(private_identification_t *this,
 	
 	if (this->type == other->type)
 	{
-		if (match_dn(this->encoded, other->encoded, &wc))
+		if (compare_dn(this->encoded, other->encoded, &wc))
 		{
+			wc = min(wc, ID_MATCH_ONE_WILDCARD - ID_MATCH_MAX_WILDCARDS);
 			return ID_MATCH_PERFECT - wc;
 		}
 	}
@@ -847,8 +768,8 @@ int identification_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
 							   const void *const *args)
 {
 	private_identification_t *this = *((private_identification_t**)(args[0]));
-	char buf[BUF_LEN];
-	chunk_t proper, buf_chunk = chunk_from_buf(buf);
+	chunk_t proper;
+	char buf[512];
 	
 	if (this == NULL)
 	{
@@ -878,29 +799,26 @@ int identification_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
 		case ID_RFC822_ADDR:
 		case ID_DER_ASN1_GN_URI:
 		case ID_IETF_ATTR_STRING:
-			sanitize_chunk(this->encoded, &proper);
+			chunk_printable(this->encoded, &proper, '?');
 			snprintf(buf, sizeof(buf), "%.*s", proper.len, proper.ptr);
 			chunk_free(&proper);
 			break;
 		case ID_DER_ASN1_DN:
-			if (!dntoa(this->encoded, &buf_chunk))
-			{
-				snprintf(buf, sizeof(buf), "(invalid ID_DER_ASN1_DN)");
-			}
+			dntoa(this->encoded, buf, sizeof(buf));
 			break;
 		case ID_DER_ASN1_GN:
 			snprintf(buf, sizeof(buf), "(ASN.1 general Name");
 			break;
 		case ID_KEY_ID:
-			if (sanitize_chunk(this->encoded, &proper))
+			if (chunk_printable(this->encoded, NULL, '?'))
 			{	/* fully printable, use ascii version */
-				snprintf(buf, sizeof(buf), "%.*s", proper.len, proper.ptr);
+				snprintf(buf, sizeof(buf), "%.*s",
+						 this->encoded.len, this->encoded.ptr);
 			}
 			else
 			{	/* not printable, hex dump */
 				snprintf(buf, sizeof(buf), "%#B", &this->encoded);
 			}
-			chunk_free(&proper);
 			break;
 		case ID_PUBKEY_INFO_SHA1:
 		case ID_PUBKEY_SHA1:
@@ -917,140 +835,18 @@ int identification_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
 	}
 	return print_in_hook(dst, len, "%*s", spec->width, buf);
 }
-
-/**
- * Enumerator over RDNs
- */
-typedef struct {
-	/* implements enumerator interface */
-	enumerator_t public;
-	/* current RDN */
-	chunk_t rdn;
-	/* current attribute */
-	chunk_t attr;
-	/** have another RDN? */
-	bool next;
-} rdn_enumerator_t;
-
-/**
- * Implementation of rdn_enumerator_t.enumerate
- */
-static bool rdn_enumerate(rdn_enumerator_t *this,
-						  id_part_t *type, chunk_t *data)
-{
-	chunk_t oid, value;
-	asn1_t asn1_type;
-	
-	while (this->next)
-	{
-		if (!get_next_rdn(&this->rdn, &this->attr, &oid,
-						  &value, &asn1_type, &this->next))
-		{
-			return FALSE;
-		}
-		switch (asn1_known_oid(oid))
-		{
-			case OID_COMMON_NAME:
-				 *type = ID_PART_RDN_CN;
-				break;
-			case OID_SURNAME:
-				 *type = ID_PART_RDN_S;
-				break;
-			case OID_SERIAL_NUMBER:
-				 *type = ID_PART_RDN_SN;
-				break;
-			case OID_COUNTRY:
-				 *type = ID_PART_RDN_C;
-				break;
-			case OID_LOCALITY:
-				 *type = ID_PART_RDN_L;
-				break;
-			case OID_STATE_OR_PROVINCE:
-				 *type = ID_PART_RDN_ST;
-				break;
-			case OID_ORGANIZATION:
-				 *type = ID_PART_RDN_O;
-				break;
-			case OID_ORGANIZATION_UNIT:
-				 *type = ID_PART_RDN_OU;
-				break;
-			case OID_TITLE:
-				 *type = ID_PART_RDN_T;
-				break;
-			case OID_DESCRIPTION:
-				 *type = ID_PART_RDN_D;
-				break;
-			case OID_NAME:
-				 *type = ID_PART_RDN_N;
-				break;
-			case OID_GIVEN_NAME:
-				 *type = ID_PART_RDN_G;
-				break;
-			case OID_INITIALS:
-				 *type = ID_PART_RDN_I;
-				break;
-			case OID_UNIQUE_IDENTIFIER:
-				 *type = ID_PART_RDN_ID;
-				break;
-			case OID_EMAIL_ADDRESS:
-				*type = ID_PART_RDN_E;
-				break;
-			case OID_EMPLOYEE_NUMBER:
-				*type = ID_PART_RDN_EN;
-				break;
-			default:
-				continue;
-		}
-		*data = value;
-		return TRUE;
-	}
-	return FALSE;
-}
-
-/**
- * Implementation of identification_t.create_part_enumerator
- */
-static enumerator_t* create_part_enumerator(private_identification_t *this)
-{
-	switch (this->type)
-	{
-		case ID_DER_ASN1_DN:
-		{
-			rdn_enumerator_t *e = malloc_thing(rdn_enumerator_t);
-			
-			e->public.enumerate = (void*)rdn_enumerate;
-			e->public.destroy = (void*)free;
-			if (init_rdn(this->encoded, &e->rdn, &e->attr, &e->next))
-			{
-				return &e->public;
-			}
-			free(e);
-			/* FALL */
-		}
-		case ID_RFC822_ADDR:
-			/* TODO */
-		case ID_FQDN:
-			/* TODO */
-		default:
-			return enumerator_create_empty();
-	}
-}
-
 /**
  * Implementation of identification_t.clone.
  */
 static identification_t *clone_(private_identification_t *this)
 {
-	private_identification_t *clone = identification_create();
+	private_identification_t *clone = malloc_thing(private_identification_t);
 	
-	clone->type = this->type;
+	memcpy(clone, this, sizeof(private_identification_t));
 	if (this->encoded.len)
 	{
 		clone->encoded = chunk_clone(this->encoded);
 	}
-	clone->public.equals = this->public.equals;
-	clone->public.matches = this->public.matches;
-	
 	return &clone->public;
 }
 
@@ -1066,20 +862,42 @@ static void destroy(private_identification_t *this)
 /**
  * Generic constructor used for the other constructors.
  */
-static private_identification_t *identification_create(void)
+static private_identification_t *identification_create(id_type_t type)
 {
 	private_identification_t *this = malloc_thing(private_identification_t);
 	
 	this->public.get_encoding = (chunk_t (*) (identification_t*))get_encoding;
 	this->public.get_type = (id_type_t (*) (identification_t*))get_type;
-	this->public.contains_wildcards = (bool (*) (identification_t *this))contains_wildcards;
 	this->public.create_part_enumerator = (enumerator_t*(*)(identification_t*))create_part_enumerator;
 	this->public.clone = (identification_t* (*) (identification_t*))clone_;
 	this->public.destroy = (void (*) (identification_t*))destroy;
-	/* we use these as defaults, the may be overloaded for special ID types */
-	this->public.equals = (bool (*) (identification_t*,identification_t*))equals_binary;
-	this->public.matches = (id_match_t (*) (identification_t*,identification_t*))matches_binary;
 	
+	switch (type)
+	{
+		case ID_ANY:
+			this->public.matches = (id_match_t (*)(identification_t*,identification_t*))matches_any;
+			this->public.equals = (bool (*) (identification_t*,identification_t*))equals_binary;
+			this->public.contains_wildcards = (bool (*) (identification_t *this))return_true;
+			break;
+		case ID_FQDN:
+		case ID_RFC822_ADDR:
+			this->public.matches = (id_match_t (*)(identification_t*,identification_t*))matches_string;
+			this->public.equals = (bool (*)(identification_t*,identification_t*))equals_strcasecmp;
+			this->public.contains_wildcards = (bool (*) (identification_t *this))contains_wildcards_memchr;
+			break;
+		case ID_DER_ASN1_DN:
+			this->public.equals = (bool (*)(identification_t*,identification_t*))equals_dn;
+			this->public.matches = (id_match_t (*)(identification_t*,identification_t*))matches_dn;
+			this->public.contains_wildcards = (bool (*) (identification_t *this))contains_wildcards_dn;
+			break;
+		default:
+			this->public.equals = (bool (*) (identification_t*,identification_t*))equals_binary;
+			this->public.matches = (id_match_t (*) (identification_t*,identification_t*))matches_binary;
+			this->public.contains_wildcards = (bool (*) (identification_t *this))return_false;
+			break;
+	}
+	
+	this->type = type;
 	this->encoded = chunk_empty;
 	
 	return this;
@@ -1090,8 +908,9 @@ static private_identification_t *identification_create(void)
  */
 identification_t *identification_create_from_string(char *string)
 {
-	private_identification_t *this = identification_create();
-
+	private_identification_t *this;
+	chunk_t encoded;
+	
 	if (string == NULL)
 	{
 		string = "%any";
@@ -1101,15 +920,16 @@ identification_t *identification_create_from_string(char *string)
 		/* we interpret this as an ASCII X.501 ID_DER_ASN1_DN.
 		 * convert from LDAP style or openssl x509 -subject style to ASN.1 DN
 		 */
-		if (atodn(string, &this->encoded) != SUCCESS)
+		if (atodn(string, &encoded) == SUCCESS)
+		{
+			this = identification_create(ID_DER_ASN1_DN);
+			this->encoded = encoded;
+		}
+		else
 		{
-			this->type = ID_KEY_ID;
+			this = identification_create(ID_KEY_ID);
 			this->encoded = chunk_clone(chunk_create(string, strlen(string)));
-			return &this->public;
 		}
-		this->type = ID_DER_ASN1_DN;
-		this->public.equals = (bool (*) (identification_t*,identification_t*))equals_dn;
-		this->public.matches = (id_match_t (*) (identification_t*,identification_t*))matches_dn;
 		return &this->public;
 	}
 	else if (strchr(string, '@') == NULL)
@@ -1122,50 +942,43 @@ identification_t *identification_create_from_string(char *string)
 		||	streq(string, "0::0"))
 		{
 			/* any ID will be accepted */
-			this->type = ID_ANY;
-			this->public.matches = (id_match_t (*)
-					(identification_t*,identification_t*))matches_any;
+			this = identification_create(ID_ANY);
 			return &this->public;
 		}
 		else
 		{
 			if (strchr(string, ':') == NULL)
 			{
-				/* try IPv4 */
 				struct in_addr address;
 				chunk_t chunk = {(void*)&address, sizeof(address)};
 				
-				if (inet_pton(AF_INET, string, &address) <= 0)
-				{
-					/* not IPv4, mostly FQDN */
-					this->type = ID_FQDN;
-					this->encoded.ptr = strdup(string);
-					this->encoded.len = strlen(string);
-					this->public.matches = (id_match_t (*) 
-						(identification_t*,identification_t*))matches_string;
-					this->public.equals = (bool (*)
-						(identification_t*,identification_t*))equals_strcasecmp;
-					return &this->public;
+				if (inet_pton(AF_INET, string, &address) > 0)
+				{	/* is IPv4 */
+					this = identification_create(ID_IPV4_ADDR);
+					this->encoded = chunk_clone(chunk);
+				}
+				else
+				{	/* not IPv4, mostly FQDN */
+					this = identification_create(ID_FQDN);
+					this->encoded = chunk_create(strdup(string), strlen(string));
 				}
-				this->encoded = chunk_clone(chunk);
-				this->type = ID_IPV4_ADDR;
 				return &this->public;
 			}
 			else
 			{
-				/* try IPv6 */
 				struct in6_addr address;
 				chunk_t chunk = {(void*)&address, sizeof(address)};
 				
-				if (inet_pton(AF_INET6, string, &address) <= 0)
-				{
-					this->type = ID_KEY_ID;
-					this->encoded = chunk_clone(chunk_create(string,
-															 strlen(string)));
-					return &this->public;
+				if (inet_pton(AF_INET6, string, &address) > 0)
+				{	/* is IPv6 */
+					this = identification_create(ID_IPV6_ADDR);
+					this->encoded = chunk_clone(chunk);
+				}
+				else
+				{	/* not IPv4/6 fallback to KEY_ID */
+					this = identification_create(ID_KEY_ID);
+					this->encoded = chunk_create(strdup(string), strlen(string));
 				}
-				this->encoded = chunk_clone(chunk);
-				this->type = ID_IPV6_ADDR;
 				return &this->public;
 			}
 		}
@@ -1176,33 +989,24 @@ identification_t *identification_create_from_string(char *string)
 		{
 			if (*(string + 1) == '#')
 			{
+				this = identification_create(ID_KEY_ID);
 				string += 2;
-				this->type = ID_KEY_ID;
 				this->encoded = chunk_from_hex(
 									chunk_create(string, strlen(string)), NULL);
 				return &this->public;
 			}
 			else
 			{
-				this->type = ID_FQDN;
-				this->encoded.ptr = strdup(string + 1);
-				this->encoded.len = strlen(string + 1);
-				this->public.matches = (id_match_t (*) 
-						(identification_t*,identification_t*))matches_string;
-				this->public.equals = (bool (*)
-							(identification_t*,identification_t*))equals_strcasecmp;
+				this = identification_create(ID_FQDN);
+				string += 1;
+				this->encoded = chunk_create(strdup(string), strlen(string));
 				return &this->public;
 			}
 		}
 		else
 		{
-			this->type = ID_RFC822_ADDR;
-			this->encoded.ptr = strdup(string);
-			this->encoded.len = strlen(string);
-			this->public.matches = (id_match_t (*) 
-					(identification_t*,identification_t*))matches_string;
-			this->public.equals = (bool (*)
-						(identification_t*,identification_t*))equals_strcasecmp;
+			this = identification_create(ID_RFC822_ADDR);
+			this->encoded = chunk_create(strdup(string), strlen(string));
 			return &this->public;
 		}
 	}
@@ -1211,42 +1015,10 @@ identification_t *identification_create_from_string(char *string)
 /*
  * Described in header.
  */
-identification_t *identification_create_from_encoding(id_type_t type, chunk_t encoded)
+identification_t *identification_create_from_encoding(id_type_t type,
+													  chunk_t encoded)
 {
-	private_identification_t *this = identification_create();
-
-	this->type = type;
-	switch (type)
-	{
-		case ID_ANY:
-			this->public.matches = (id_match_t (*)
-					(identification_t*,identification_t*))matches_any;
-			break;
-		case ID_FQDN:
-		case ID_RFC822_ADDR:
-			this->public.matches = (id_match_t (*)
-					(identification_t*,identification_t*))matches_string;
-			this->public.equals = (bool (*)
-						(identification_t*,identification_t*))equals_strcasecmp;
-			break;
-		case ID_DER_ASN1_DN:
-			this->public.equals = (bool (*)
-					(identification_t*,identification_t*))equals_dn;
-			this->public.matches = (id_match_t (*)
-					(identification_t*,identification_t*))matches_dn;
-			break;
-		case ID_IPV4_ADDR:
-		case ID_IPV6_ADDR:
-		case ID_DER_ASN1_GN:
-		case ID_KEY_ID:
-		case ID_DER_ASN1_GN_URI:
-		case ID_PUBKEY_INFO_SHA1:
-		case ID_PUBKEY_SHA1:
-		case ID_CERT_DER_SHA1:
-		case ID_IETF_ATTR_STRING:
-		default:
-			break;
-	}
+	private_identification_t *this = identification_create(type);
 	
 	/* apply encoded chunk */
 	if (type != ID_ANY)
diff --git a/src/libstrongswan/utils/mutex.c b/src/libstrongswan/utils/mutex.c
index 8b3a25201..a6c39e94c 100644
--- a/src/libstrongswan/utils/mutex.c
+++ b/src/libstrongswan/utils/mutex.c
@@ -276,7 +276,7 @@ mutex_t *mutex_create(mutex_type_t type)
 {
 	switch (type)
 	{
-		case MUTEX_RECURSIVE:
+		case MUTEX_TYPE_RECURSIVE:
 		{
 			private_r_mutex_t *this = malloc_thing(private_r_mutex_t);
 			
@@ -292,7 +292,7 @@ mutex_t *mutex_create(mutex_type_t type)
 			
 			return &this->generic.public;
 		}
-		case MUTEX_DEFAULT:
+		case MUTEX_TYPE_DEFAULT:
 		default:
 		{
 			private_mutex_t *this = malloc_thing(private_mutex_t);
@@ -416,7 +416,7 @@ condvar_t *condvar_create(condvar_type_t type)
 {
 	switch (type)
 	{
-		case CONDVAR_DEFAULT:
+		case CONDVAR_TYPE_DEFAULT:
 		default:
 		{
 			private_condvar_t *this = malloc_thing(private_condvar_t);
@@ -488,7 +488,7 @@ rwlock_t *rwlock_create(rwlock_type_t type)
 {
 	switch (type)
 	{
-		case RWLOCK_DEFAULT:
+		case RWLOCK_TYPE_DEFAULT:
 		default:
 		{
 			private_rwlock_t *this = malloc_thing(private_rwlock_t);
diff --git a/src/libstrongswan/utils/mutex.h b/src/libstrongswan/utils/mutex.h
index c5c667992..273f56b47 100644
--- a/src/libstrongswan/utils/mutex.h
+++ b/src/libstrongswan/utils/mutex.h
@@ -31,14 +31,41 @@ typedef enum rwlock_type_t rwlock_type_t;
 
 #include <library.h>
 
+#ifdef __APPLE__
+/* on Mac OS X 10.5 several system calls we use are no cancellation points.
+ * fortunately, select isn't one of them, so we wrap some of the others with
+ * calls to select(2).
+ */
+#include <sys/socket.h>
+#include <sys/select.h>
+
+#define WRAP_WITH_SELECT(func, socket, ...)\
+	fd_set rfds; FD_ZERO(&rfds); FD_SET(socket, &rfds);\
+	if (select(socket + 1, &rfds, NULL, NULL, NULL) <= 0) { return -1; }\
+	return func(socket, __VA_ARGS__)
+
+static inline int cancellable_accept(int socket, struct sockaddr *address,
+									 socklen_t *address_len)
+{
+	WRAP_WITH_SELECT(accept, socket, address, address_len);
+}
+#define accept cancellable_accept
+static inline int cancellable_recvfrom(int socket, void *buffer, size_t length,
+				int flags, struct sockaddr *address, socklen_t *address_len)
+{
+	WRAP_WITH_SELECT(recvfrom, socket, buffer, length, flags, address, address_len);
+}
+#define recvfrom cancellable_recvfrom
+#endif /* __APPLE__ */
+
 /**
  * Type of mutex.
  */
 enum mutex_type_t {
 	/** default mutex */
-	MUTEX_DEFAULT	= 0,
+	MUTEX_TYPE_DEFAULT	= 0,
 	/** allow recursive locking of the mutex */
-	MUTEX_RECURSIVE	= 1,
+	MUTEX_TYPE_RECURSIVE	= 1,
 };
 
 /**
@@ -46,7 +73,7 @@ enum mutex_type_t {
  */
 enum condvar_type_t {
 	/** default condvar */
-	CONDVAR_DEFAULT	= 0,
+	CONDVAR_TYPE_DEFAULT	= 0,
 };
 
 /**
@@ -54,7 +81,7 @@ enum condvar_type_t {
  */
 enum rwlock_type_t {
 	/** default condvar */
-	RWLOCK_DEFAULT	= 0,
+	RWLOCK_TYPE_DEFAULT	= 0,
 };
 
 /**
diff --git a/src/manager/Makefile.in b/src/manager/Makefile.in
index 49376379e..2252f57ec 100644
--- a/src/manager/Makefile.in
+++ b/src/manager/Makefile.in
@@ -98,12 +98,14 @@ ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
@@ -168,6 +170,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
 VERSION = @VERSION@
 YACC = @YACC@
@@ -208,7 +211,9 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
diff --git a/src/medsrv/Makefile.in b/src/medsrv/Makefile.in
index a9ef57922..239923c40 100644
--- a/src/medsrv/Makefile.in
+++ b/src/medsrv/Makefile.in
@@ -84,12 +84,14 @@ ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
@@ -154,6 +156,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
 VERSION = @VERSION@
 YACC = @YACC@
@@ -194,7 +197,9 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
diff --git a/src/medsrv/controller/peer_controller.c b/src/medsrv/controller/peer_controller.c
index 0dec27698..01ba0c8cc 100755
--- a/src/medsrv/controller/peer_controller.c
+++ b/src/medsrv/controller/peer_controller.c
@@ -23,6 +23,8 @@
 #include <debug.h>
 #include <asn1/asn1.h>
 #include <asn1/oid.h>
+#include <utils/identification.h>
+#include <credentials/keys/public_key.h>
 
 typedef struct private_peer_controller_t private_peer_controller_t;
 
diff --git a/src/openac/Makefile.in b/src/openac/Makefile.in
index 7bf71b08f..d8d590eb2 100644
--- a/src/openac/Makefile.in
+++ b/src/openac/Makefile.in
@@ -70,12 +70,14 @@ ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
@@ -140,6 +142,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
 VERSION = @VERSION@
 YACC = @YACC@
@@ -180,7 +183,9 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
diff --git a/src/openac/openac.c b/src/openac/openac.c
index 3686c07ac..a8f75e093 100755
--- a/src/openac/openac.c
+++ b/src/openac/openac.c
@@ -40,11 +40,6 @@
 #include <credentials/keys/private_key.h>
 #include <utils/optionsfrom.h>
 
-#ifdef INTEGRITY_TEST
-#include <fips/fips.h>
-#include <fips_signature.h>
-#endif /* INTEGRITY_TEST */
-
 #define OPENAC_PATH   		IPSEC_CONFDIR "/openac"
 #define OPENAC_SERIAL 		IPSEC_CONFDIR "/openac/serial"
 
@@ -223,15 +218,16 @@ static void openac_dbg(int level, char *fmt, ...)
 	
 	if (level <= debug_level)
 	{
-		va_start(args, fmt);
-
 		if (!stderr_quiet)
 		{
+			va_start(args, fmt);
 			vfprintf(stderr, fmt, args);
 			fprintf(stderr, "\n");
+			va_end(args);
 		}
 
 		/* write in memory buffer first */
+		va_start(args, fmt);
 		vsnprintf(buffer, sizeof(buffer), fmt, args);
 		va_end(args);
 
@@ -287,7 +283,18 @@ int main(int argc, char **argv)
 	openlog("openac", 0, LOG_AUTHPRIV);
 
 	/* initialize library */
-	library_init(STRONGSWAN_CONF);
+	if (!library_init(STRONGSWAN_CONF))
+	{
+		library_deinit();
+		exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
+	}
+	if (lib->integrity &&
+		!lib->integrity->check_file(lib->integrity, "openac", argv[0]))
+	{
+		fprintf(stderr, "integrity check of openac failed\n");
+		library_deinit();
+		exit(SS_RC_DAEMON_INTEGRITY);
+	}
 	lib->plugins->load(lib->plugins, IPSEC_PLUGINDIR, 
 		lib->settings->get_str(lib->settings, "openac.load", PLUGINS));
 
@@ -482,20 +489,6 @@ int main(int argc, char **argv)
 
 	DBG1("starting openac (strongSwan Version %s)", VERSION);
 
-#ifdef INTEGRITY_TEST
-	DBG1("integrity test of libstrongswan code");
-	if (fips_verify_hmac_signature(hmac_key, hmac_signature))
-	{
-		DBG1("  integrity test passed");
-	}
-	else
-	{
-		DBG1("  integrity test failed");
-		status = 3;
-		goto end;
-	}
-#endif /* INTEGRITY_TEST */
-
 	/* load the signer's RSA private key */
 	if (keyfile != NULL)
 	{
diff --git a/src/pluto/Makefile.am b/src/pluto/Makefile.am
index 01237305b..c9cb6651f 100644
--- a/src/pluto/Makefile.am
+++ b/src/pluto/Makefile.am
@@ -110,11 +110,6 @@ if USE_SMARTCARD
   AM_CFLAGS += -DSMARTCARD
 endif
 
-# This compile option activates the integrity test of libstrongswan
-if USE_INTEGRITY_TEST
-  AM_CFLAGS += -DINTEGRITY_TEST
-endif
-
 if USE_CAPABILITIES
   pluto_LDADD += -lcap
 endif
diff --git a/src/pluto/Makefile.in b/src/pluto/Makefile.in
index 01bda8540..871f0c905 100644
--- a/src/pluto/Makefile.in
+++ b/src/pluto/Makefile.in
@@ -52,11 +52,8 @@ ipsec_PROGRAMS = pluto$(EXEEXT) _pluto_adns$(EXEEXT)
 
 # This compile option activates smartcard support
 @USE_SMARTCARD_TRUE@am__append_5 = -DSMARTCARD
-
-# This compile option activates the integrity test of libstrongswan
-@USE_INTEGRITY_TEST_TRUE@am__append_6 = -DINTEGRITY_TEST
-@USE_CAPABILITIES_TRUE@am__append_7 = -lcap
-@USE_THREADS_TRUE@am__append_8 = -DTHREADS
+@USE_CAPABILITIES_TRUE@am__append_6 = -lcap
+@USE_THREADS_TRUE@am__append_7 = -DTHREADS
 subdir = src/pluto
 DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.am \
 	$(srcdir)/Makefile.in
@@ -116,12 +113,14 @@ ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
@@ -186,6 +185,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
 VERSION = @VERSION@
 YACC = @YACC@
@@ -226,7 +226,9 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
@@ -325,11 +327,10 @@ AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" -DIPSEC_CONFDIR=\"${confdir}\" \
 	-DSTRONGSWAN_CONF=\"${strongswan_conf}\" -DKERNEL26_SUPPORT \
 	-DKERNEL26_HAS_KAME_DUPLICATES -DPLUTO -DKLIPS -DDEBUG \
 	$(am__append_1) $(am__append_2) $(am__append_3) \
-	$(am__append_4) $(am__append_5) $(am__append_6) \
-	$(am__append_8)
+	$(am__append_4) $(am__append_5) $(am__append_7)
 pluto_LDADD = $(LIBSTRONGSWANDIR)/libstrongswan.la \
 	$(LIBFREESWANDIR)/libfreeswan.a -lresolv -lpthread $(DLLIB) \
-	$(am__append_7)
+	$(am__append_6)
 _pluto_adns_LDADD = \
 $(LIBFREESWANDIR)/libfreeswan.a \
 -lresolv $(DLLIB)
diff --git a/src/pluto/alg_info.c b/src/pluto/alg_info.c
index a85a18905..c25418fc1 100644
--- a/src/pluto/alg_info.c
+++ b/src/pluto/alg_info.c
@@ -139,6 +139,24 @@ static void __alg_info_esp_add(struct alg_info_esp *alg_info, int ealg_id,
 	)
 }
 
+/**
+ * Returns true if the given alg is an authenticated encryption algorithm
+ */
+static bool is_authenticated_encryption(int ealg_id)
+{
+	switch (ealg_id)
+	{
+		case ESP_AES_CCM_8:
+		case ESP_AES_CCM_12:
+		case ESP_AES_CCM_16:
+		case ESP_AES_GCM_8:
+		case ESP_AES_GCM_12:
+		case ESP_AES_GCM_16:
+			return TRUE;
+	}
+	return FALSE;
+}
+
 /*
  * Add ESP alg info _with_ logic (policy):
  */
@@ -152,7 +170,13 @@ static void alg_info_esp_add(struct alg_info *alg_info, int ealg_id,
 	}
 	if (ealg_id > 0)
 	{
-		if (aalg_id > 0)
+		if (is_authenticated_encryption(ealg_id))
+		{
+			__alg_info_esp_add((struct alg_info_esp *)alg_info,
+								ealg_id, ek_bits,
+								AUTH_ALGORITHM_NONE, 0);
+		}
+		else if (aalg_id > 0)
 		{
 			__alg_info_esp_add((struct alg_info_esp *)alg_info,
 								ealg_id, ek_bits,
@@ -160,13 +184,13 @@ static void alg_info_esp_add(struct alg_info *alg_info, int ealg_id,
 		}
 		else
 		{
-			/* Policy: default to MD5 and SHA1 */
+			/* Policy: default to SHA-1 and MD5 */
 			__alg_info_esp_add((struct alg_info_esp *)alg_info,
 								ealg_id, ek_bits,
-								AUTH_ALGORITHM_HMAC_MD5, ak_bits);
+								AUTH_ALGORITHM_HMAC_SHA1, ak_bits);
 			__alg_info_esp_add((struct alg_info_esp *)alg_info,
 								ealg_id, ek_bits,
-								AUTH_ALGORITHM_HMAC_SHA1, ak_bits);
+								AUTH_ALGORITHM_HMAC_MD5, ak_bits);
 		}
 	}
 }
diff --git a/src/pluto/connections.c b/src/pluto/connections.c
index 4deb722f7..b800b1665 100644
--- a/src/pluto/connections.c
+++ b/src/pluto/connections.c
@@ -1,5 +1,6 @@
 /* information about connections between hosts and clients
  * Copyright (C) 1998-2002  D. Hugh Redelmeier.
+ * Copyright (C) 2009 Andreas Steffen - Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
diff --git a/src/pluto/constants.c b/src/pluto/constants.c
index adcd77131..e46728d84 100644
--- a/src/pluto/constants.c
+++ b/src/pluto/constants.c
@@ -663,6 +663,7 @@ enum_names enc_mode_names =
 /* Auth Algorithm attribute */
 
 static const char *const auth_alg_name[] = {
+    "AUTH_NONE",
 	"HMAC_MD5",
 	"HMAC_SHA1",
 	"DES_MAC",
@@ -683,7 +684,7 @@ enum_names extended_auth_alg_names =
 	{ AUTH_ALGORITHM_NULL, AUTH_ALGORITHM_NULL, extended_auth_alg_name, NULL };
 
 enum_names auth_alg_names =
-	{ AUTH_ALGORITHM_HMAC_MD5, AUTH_ALGORITHM_SIG_RSA, auth_alg_name
+	{ AUTH_ALGORITHM_NONE, AUTH_ALGORITHM_SIG_RSA, auth_alg_name
 		, &extended_auth_alg_names };
 
 /* From draft-beaulieu-ike-xauth */
diff --git a/src/pluto/crypto.c b/src/pluto/crypto.c
index 1adccc74e..f47ad1eeb 100644
--- a/src/pluto/crypto.c
+++ b/src/pluto/crypto.c
@@ -235,7 +235,7 @@ static struct dh_desc dh_desc_ecp_224 = {
 	ke_size:    2*224 / BITS_PER_BYTE
 };
 
-void init_crypto(void)
+bool init_crypto(void)
 {
 	enumerator_t *enumerator;
 	encryption_algorithm_t encryption_alg;
@@ -275,13 +275,13 @@ void init_crypto(void)
 	}
 	enumerator->destroy(enumerator);
 
-	if (no_sha1)
+	if (no_sha1 || no_md5)
 	{
-		exit_log("pluto cannot run without a SHA-1 hasher");
-	}
-	if (no_md5)
-	{
-		exit_log("pluto cannot run without an MD5 hasher");
+		plog("pluto cannot run without a %s%s%s hasher",
+			 (no_sha1) ? "SHA-1" : "",
+			 (no_sha1 && no_md5) ? " and " : "",
+			 (no_md5) ? "MD5" : "");
+		return FALSE;
 	}
 		
 	enumerator = lib->crypto->create_crypter_enumerator(lib->crypto);
@@ -363,6 +363,7 @@ void init_crypto(void)
 		ike_alg_add((struct ike_alg *)desc);
 	}
 	enumerator->destroy(enumerator);
+	return TRUE;
 }
 
 void free_crypto(void)
diff --git a/src/pluto/crypto.h b/src/pluto/crypto.h
index 06c4e1d1a..019ba5764 100644
--- a/src/pluto/crypto.h
+++ b/src/pluto/crypto.h
@@ -20,7 +20,7 @@
 
 #include "ike_alg.h"
 
-extern void init_crypto(void);
+extern bool init_crypto(void);
 extern void free_crypto(void);
 
 extern const struct dh_desc unset_group;      /* magic signifier */
diff --git a/src/pluto/ipsec_doi.c b/src/pluto/ipsec_doi.c
index 929768ee9..57f4fb54b 100644
--- a/src/pluto/ipsec_doi.c
+++ b/src/pluto/ipsec_doi.c
@@ -2639,77 +2639,78 @@ static void compute_proto_keymat(struct state *st, u_int8_t protoid,
 	 */
 	switch (protoid)
 	{
-	case PROTO_IPSEC_ESP:
+		case PROTO_IPSEC_ESP:
+		{
+			needed_len = kernel_alg_esp_enc_keylen(pi->attrs.transid);
+
+			if (needed_len && pi->attrs.key_len)
+			{
+				needed_len = pi->attrs.key_len / BITS_PER_BYTE;
+			}	
+
 			switch (pi->attrs.transid)
 			{
-			case ESP_NULL:
-				needed_len = 0;
-				break;
-			case ESP_DES:
-				needed_len = DES_CBC_BLOCK_SIZE;
-				break;
-			case ESP_3DES:
-				needed_len = DES_CBC_BLOCK_SIZE * 3;
-				break;
-			default:
-#ifndef NO_KERNEL_ALG
-				if((needed_len=kernel_alg_esp_enc_keylen(pi->attrs.transid))>0) {
-						/* XXX: check key_len "coupling with kernel.c's */
-						if (pi->attrs.key_len) {
-								needed_len=pi->attrs.key_len/8;
-								DBG(DBG_PARSING, DBG_log("compute_proto_keymat:"
-												"key_len=%d from peer",
-												(int)needed_len));
-						}
-						break;
-				}
-#endif
-				bad_case(pi->attrs.transid);
+				case ESP_NULL:
+					needed_len = 0;
+					break;
+				case ESP_AES_CCM_8:
+				case ESP_AES_CCM_12:
+				case ESP_AES_CCM_16:
+					needed_len += 3;
+					break;
+				case ESP_AES_GCM_8:
+				case ESP_AES_GCM_12:
+				case ESP_AES_GCM_16:
+				case ESP_AES_CTR:
+					needed_len += 4;
+					break;
+				default:
+					if (needed_len == 0)
+					{
+						bad_case(pi->attrs.transid);
+					}
 			}
 
-#ifndef NO_KERNEL_ALG
-			DBG(DBG_PARSING, DBG_log("compute_proto_keymat:"
-									"needed_len (after ESP enc)=%d",
-									(int)needed_len));
-			if (kernel_alg_esp_auth_ok(pi->attrs.auth, NULL)) {
+			if (kernel_alg_esp_auth_ok(pi->attrs.auth, NULL))
+			{
 				needed_len += kernel_alg_esp_auth_keylen(pi->attrs.auth);
-			} else
-#endif
-			switch (pi->attrs.auth)
+			}
+			else
 			{
-			case AUTH_ALGORITHM_NONE:
-				break;
-			case AUTH_ALGORITHM_HMAC_MD5:
-				needed_len += HMAC_MD5_KEY_LEN;
-				break;
-			case AUTH_ALGORITHM_HMAC_SHA1:
-				needed_len += HMAC_SHA1_KEY_LEN;
-				break;
-			case AUTH_ALGORITHM_DES_MAC:
-			default:
-				bad_case(pi->attrs.auth);
+				switch (pi->attrs.auth)
+				{
+					case AUTH_ALGORITHM_NONE:
+						break;
+					case AUTH_ALGORITHM_HMAC_MD5:
+						needed_len += HMAC_MD5_KEY_LEN;
+						break;
+					case AUTH_ALGORITHM_HMAC_SHA1:
+						needed_len += HMAC_SHA1_KEY_LEN;
+						break;
+					case AUTH_ALGORITHM_DES_MAC:
+					default:
+						bad_case(pi->attrs.auth);
+				}
 			}
-			DBG(DBG_PARSING, DBG_log("compute_proto_keymat:"
-									"needed_len (after ESP auth)=%d",
-									(int)needed_len));
 			break;
-
-	case PROTO_IPSEC_AH:
+		}
+		case PROTO_IPSEC_AH:
+		{
 			switch (pi->attrs.transid)
 			{
-			case AH_MD5:
-				needed_len = HMAC_MD5_KEY_LEN;
-				break;
-			case AH_SHA:
-				needed_len = HMAC_SHA1_KEY_LEN;
-				break;
-			default:
-				bad_case(pi->attrs.transid);
+				case AH_MD5:
+					needed_len = HMAC_MD5_KEY_LEN;
+					break;
+				case AH_SHA:
+					needed_len = HMAC_SHA1_KEY_LEN;
+					break;
+				default:
+					bad_case(pi->attrs.transid);
 			}
 			break;
-
-	default:
-		bad_case(protoid);
+		}
+		default:
+			bad_case(protoid);
 	}
 
 	pi->keymat_len = needed_len;
@@ -5444,7 +5445,8 @@ stf_status dpd_inR(struct state *st, struct isakmp_notification *const n,
 	if (!st->st_dpd_expectseqno && seqno != st->st_dpd_expectseqno)
 	{
 		loglog(RC_LOG_SERIOUS
-			, "DPD: R_U_THERE_ACK has unexpected sequence number");
+			, "DPD: R_U_THERE_ACK has unexpected sequence number %u (expected %u)"
+			, seqno, st->st_dpd_expectseqno);
 		return STF_FAIL + PAYLOAD_MALFORMED;
 	}
 
diff --git a/src/pluto/kernel.c b/src/pluto/kernel.c
index f698de2c8..46edac1cd 100644
--- a/src/pluto/kernel.c
+++ b/src/pluto/kernel.c
@@ -1,6 +1,7 @@
 /* routines that interface with the kernel's IPsec mechanism
  * Copyright (C) 1997 Angelos D. Keromytis.
  * Copyright (C) 1998-2002  D. Hugh Redelmeier.
+ * Copyright (C) 2009 Andreas Steffen - Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -1849,7 +1850,7 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound)
 		if (st->nat_traversal & NAT_T_DETECTED)
 		{
 			natt_type = (st->nat_traversal & NAT_T_WITH_PORT_FLOATING) ?
-				ESPINUDP_WITH_NON_ESP : ESPINUDP_WITH_NON_IKE;
+						 ESPINUDP_WITH_NON_ESP : ESPINUDP_WITH_NON_IKE;
 			natt_sport = inbound? c->spd.that.host_port : c->spd.this.host_port;
 			natt_dport = inbound? c->spd.this.host_port : c->spd.that.host_port;
 			natt_oa = st->nat_oa;
@@ -1860,12 +1861,11 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound)
 			if (ei == &esp_info[countof(esp_info)])
 			{
 				/* Check for additional kernel alg */
-#ifndef NO_KERNEL_ALG
 				if ((ei=kernel_alg_esp_info(st->st_esp.attrs.transid, 
-										st->st_esp.attrs.auth))!=NULL) {
-						break;
+										st->st_esp.attrs.auth))!=NULL)
+				{
+					break;
 				}
-#endif
 
 				/* note: enum_show may use a static buffer, so two
 				 * calls in one printf would be a mistake.
@@ -1878,9 +1878,11 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound)
 				goto fail;
 			}
 
-			if (st->st_esp.attrs.transid == ei->transid
-			&& st->st_esp.attrs.auth == ei->auth)
+			if (st->st_esp.attrs.transid == ei->transid &&
+				st->st_esp.attrs.auth == ei->auth)
+			{
 				break;
+			}
 		}
 
 		key_len = st->st_esp.attrs.key_len/8;
@@ -1899,40 +1901,52 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound)
 		{
 			key_len = ei->enckeylen;
 		}
-		/* Grrrrr.... f*cking 7 bits jurassic algos  */
-
-		/* 168 bits in kernel, need 192 bits for keymat_len */
-		if (ei->transid == ESP_3DES && key_len == 21) 
-			key_len = 24;
 
-		/* 56 bits in kernel, need 64 bits for keymat_len */
-		if (ei->transid == ESP_DES && key_len == 7) 
-			key_len = 8;
+		switch (ei->transid)
+		{
+			case ESP_3DES:
+				/* 168 bits in kernel, need 192 bits for keymat_len */
+				if (key_len == 21) 
+				{
+					key_len = 24;
+				}
+				break;
+			case ESP_DES:
+				/* 56 bits in kernel, need 64 bits for keymat_len */
+				if (key_len == 7)
+				{ 
+					key_len = 8;
+				}
+				break;
+			case ESP_AES_CCM_8:
+			case ESP_AES_CCM_12:
+			case ESP_AES_CCM_16:
+				key_len += 3;
+				break;
+			case ESP_AES_GCM_8:
+			case ESP_AES_GCM_12:
+			case ESP_AES_GCM_16:
+			case ESP_AES_CTR:
+				key_len += 4;
+				break;
+			default:
+				break;			
+		}
 
 		/* divide up keying material */
-		/* passert(st->st_esp.keymat_len == ei->enckeylen + ei->authkeylen); */
-		DBG(DBG_KLIPS|DBG_CONTROL|DBG_PARSING, 
-			if(st->st_esp.keymat_len != key_len + ei->authkeylen)
-				DBG_log("keymat_len=%d key_len=%d authkeylen=%d",
-						st->st_esp.keymat_len, (int)key_len, (int)ei->authkeylen);
-		)
-		passert(st->st_esp.keymat_len == key_len + ei->authkeylen);
-
 		set_text_said(text_said, &dst.addr, esp_spi, SA_ESP);
-
 		said_next->src = &src.addr;
 		said_next->dst = &dst.addr;
 		said_next->src_client = &src_client;
 		said_next->dst_client = &dst_client;
 		said_next->spi = esp_spi;
 		said_next->satype = SADB_SATYPE_ESP;
-		said_next->replay_window = (kernel_ops->type == KERNEL_TYPE_KLIPS) ? REPLAY_WINDOW : REPLAY_WINDOW_XFRM;
+		said_next->replay_window = (kernel_ops->type == KERNEL_TYPE_KLIPS) ?
+									REPLAY_WINDOW : REPLAY_WINDOW_XFRM;
 		said_next->authalg = ei->authalg;
 		said_next->authkeylen = ei->authkeylen;
-		/* said_next->authkey = esp_dst_keymat + ei->enckeylen; */
 		said_next->authkey = esp_dst_keymat + key_len;
 		said_next->encalg = ei->encryptalg;
-		/* said_next->enckeylen = ei->enckeylen; */
 		said_next->enckeylen = key_len;
 		said_next->enckey = esp_dst_keymat;
 		said_next->encapsulation = encapsulation;
@@ -1945,10 +1959,10 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound)
 		said_next->text_said = text_said;
 
 		if (!kernel_ops->add_sa(said_next, replace))
+		{
 			goto fail;
-
+		}
 		said_next++;
-
 		encapsulation = ENCAPSULATION_MODE_TRANSPORT;
 	}
 
@@ -1963,29 +1977,27 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound)
 
 		switch (st->st_ah.attrs.auth)
 		{
-		case AUTH_ALGORITHM_HMAC_MD5:
-			authalg = SADB_AALG_MD5HMAC;
-			break;
-
-		case AUTH_ALGORITHM_HMAC_SHA1:
-			authalg = SADB_AALG_SHA1HMAC;
-			break;
-
-		default:
-			loglog(RC_LOG_SERIOUS, "%s not implemented yet"
-				, enum_show(&auth_alg_names, st->st_ah.attrs.auth));
+			case AUTH_ALGORITHM_HMAC_MD5:
+				authalg = SADB_AALG_MD5HMAC;
+				break;
+			case AUTH_ALGORITHM_HMAC_SHA1:
+				authalg = SADB_AALG_SHA1HMAC;
+				break;
+			default:
+				loglog(RC_LOG_SERIOUS, "%s not implemented yet",
+					   enum_show(&auth_alg_names, st->st_ah.attrs.auth));
 			goto fail;
 		}
 
 		set_text_said(text_said, &dst.addr, ah_spi, SA_AH);
-
 		said_next->src = &src.addr;
 		said_next->dst = &dst.addr;
 		said_next->src_client = &src_client;
 		said_next->dst_client = &dst_client;
 		said_next->spi = ah_spi;
 		said_next->satype = SADB_SATYPE_AH;
-		said_next->replay_window = (kernel_ops->type == KERNEL_TYPE_KLIPS) ? REPLAY_WINDOW : REPLAY_WINDOW_XFRM;
+		said_next->replay_window = (kernel_ops->type == KERNEL_TYPE_KLIPS) ?
+									REPLAY_WINDOW : REPLAY_WINDOW_XFRM;
 		said_next->authalg = authalg;
 		said_next->authkeylen = st->st_ah.keymat_len;
 		said_next->authkey = ah_dst_keymat;
@@ -1994,10 +2006,10 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound)
 		said_next->text_said = text_said;
 
 		if (!kernel_ops->add_sa(said_next, replace))
+		{
 			goto fail;
-
+		}
 		said_next++;
-
 		encapsulation = ENCAPSULATION_MODE_TRANSPORT;
 	}
 
@@ -2093,7 +2105,9 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound)
 			s[1].text_said = text_said1;
 			
 			if (!kernel_ops->grp_sa(s + 1, s))
+			{
 				goto fail;
+			}
 		}
 		/* could update said, but it will not be used */
 	}
@@ -2104,8 +2118,10 @@ fail:
 	{
 		/* undo the done SPIs */
 		while (said_next-- != said)
-			(void) del_spi(said_next->spi, said_next->proto
-				, &src.addr, said_next->dst);
+		{
+			(void) del_spi(said_next->spi, said_next->proto, &src.addr,
+						   said_next->dst);
+		}
 		return FALSE;
 	}
 }
@@ -2216,8 +2232,9 @@ bool get_sa_info(struct state *st, bool inbound, u_int *bytes, time_t *use_time)
 	*use_time = UNDEFINED_TIME;
 
 	if (kernel_ops->get_sa == NULL || !st->st_esp.present)
+	{
 		return FALSE;
-
+	}
 	memset(&sa, 0, sizeof(sa));
 	sa.proto = SA_ESP;
 
@@ -2241,7 +2258,9 @@ bool get_sa_info(struct state *st, bool inbound, u_int *bytes, time_t *use_time)
 		DBG_log("get %s", text_said)
 	)
 	if (!kernel_ops->get_sa(&sa, bytes))
+	{
 		return FALSE;
+	}
 	DBG(DBG_KLIPS,
 		DBG_log("  current: %d bytes", *bytes)
 	)
@@ -2266,7 +2285,9 @@ bool get_sa_info(struct state *st, bool inbound, u_int *bytes, time_t *use_time)
 			sa.dst_client = &c->spd.that.client;
 		}
 		if (!kernel_ops->get_policy(&sa, inbound, use_time))
+		{
 			return FALSE;
+		}
 		DBG(DBG_KLIPS,
 			DBG_log("  use_time: %T", use_time, FALSE)
 		)
@@ -2349,15 +2370,21 @@ bool install_inbound_ipsec_sa(struct state *st)
 			struct connection *o = route_owner(c, &esr, NULL, NULL);
 
 			if (o == NULL)
+			{
 				break;  /* nobody has a route */
+			}
 
 			/* note: we ignore the client addresses at this end */
-			if (sameaddr(&o->spd.that.host_addr, &c->spd.that.host_addr)
-			&& o->interface == c->interface)
+			if (sameaddr(&o->spd.that.host_addr, &c->spd.that.host_addr) &&
+				o->interface == c->interface)
+			{
 				break;  /* existing route is compatible */
+			}
 
 			if (o->kind == CK_TEMPLATE && streq(o->name, c->name))
+			{
 				break;  /* ??? is this good enough?? */
+			}
 
 			loglog(RC_LOG_SERIOUS, "route to peer's client conflicts with \"%s\" %s; releasing old connection to free the route"
 				, o->name, ip_str(&o->spd.that.host_addr));
@@ -2369,12 +2396,11 @@ bool install_inbound_ipsec_sa(struct state *st)
 	/* check that we will be able to route and eroute */
 	switch (could_route(c))
 	{
-	case route_easy:
-	case route_nearconflict:
-		break;
-
-	default:
-		return FALSE;
+		case route_easy:
+		case route_nearconflict:
+			break;
+		default:
+			return FALSE;
 	}
 
 #ifdef KLIPS
@@ -2471,10 +2497,14 @@ bool route_and_eroute(struct connection *c USED_BY_KLIPS,
 
 		/* if no state provided, then install a shunt for later */
 		if (st == NULL)
+		{
 			eroute_installed = shunt_eroute(c, sr, RT_ROUTED_PROSPECTIVE
 											, ERO_ADD, "add");
+		}
 		else
+		{
 			eroute_installed = sag_eroute(st, sr, ERO_ADD, "add");
+		}
 	}
 
 	/* notify the firewall of a new tunnel */
@@ -2507,8 +2537,7 @@ bool route_and_eroute(struct connection *c USED_BY_KLIPS,
 		(void) do_command(c, sr, "prepare");    /* just in case; ignore failure */
 		route_installed = do_command(c, sr, "route");
 	}
-	else if (routed(sr->routing)
-	|| routes_agree(ro, c))
+	else if (routed(sr->routing) || routes_agree(ro, c))
 	{
 		route_installed = TRUE; /* nothing to be done */
 	}
@@ -2658,11 +2687,13 @@ bool route_and_eroute(struct connection *c USED_BY_KLIPS,
 			{
 				/* there was no previous eroute: delete whatever we installed */
 				if (st == NULL)
-					(void) shunt_eroute(c, sr
-										, sr->routing, ERO_DELETE, "delete");
+				{
+					(void) shunt_eroute(c, sr, sr->routing, ERO_DELETE, "delete");
+				}
 				else
-					(void) sag_eroute(st, sr
-									  , ERO_DELETE, "delete");
+				{
+					(void) sag_eroute(st, sr, ERO_DELETE, "delete");
+				}
 			}
 		}
 
@@ -2685,18 +2716,19 @@ bool install_ipsec_sa(struct state *st, bool inbound_also USED_BY_KLIPS)
 
 	switch (could_route(st->st_connection))
 	{
-	case route_easy:
-	case route_nearconflict:
-		break;
-
-	default:
-		return FALSE;
+		case route_easy:
+		case route_nearconflict:
+			break;
+		default:
+			return FALSE;
 	}
 
 	/* (attempt to) actually set up the SA group */
-	if ((inbound_also && !setup_half_ipsec_sa(st, TRUE))
-	|| !setup_half_ipsec_sa(st, FALSE))
+	if ((inbound_also && !setup_half_ipsec_sa(st, TRUE)) ||
+		!setup_half_ipsec_sa(st, FALSE))
+	{
 		return FALSE;
+	}
 
 	for (sr = &st->st_connection->spd; sr != NULL; sr = sr->next)
 	{
@@ -2730,12 +2762,11 @@ bool install_ipsec_sa(struct state *st, bool inbound_also USED_BY_KLIPS)
 
 	switch (could_route(st->st_connection))
 	{
-	case route_easy:
-	case route_nearconflict:
-		break;
-
-	default:
-		return FALSE;
+		case route_easy:
+		case route_nearconflict:
+			break;
+		default:
+			return FALSE;
 	}
 
 
@@ -2778,8 +2809,7 @@ void delete_ipsec_sa(struct state *st USED_BY_KLIPS,
 					? RT_ROUTED_PROSPECTIVE : RT_ROUTED_FAILURE;
 
 				(void) do_command(c, sr, "down");
-				if ((c->policy & POLICY_DONT_REKEY)
-				&& c->kind == CK_INSTANCE)
+				if ((c->policy & POLICY_DONT_REKEY)	&& c->kind == CK_INSTANCE)
 				{
 					/* in this special case, even if the connection
 					 * is still alive (due to an ISAKMP SA),
@@ -2888,8 +2918,7 @@ bool was_eroute_idle(struct state *st, time_t idle_max, time_t *idle_time)
 		/* Can't open the file, perhaps were are on 26sec? */
 		time_t use_time;
 
-		if (get_sa_info(st, TRUE, &bytes, &use_time)
-		&& use_time != UNDEFINED_TIME)
+		if (get_sa_info(st, TRUE, &bytes, &use_time) && use_time != UNDEFINED_TIME)
 		{
 			*idle_time = time(NULL) - use_time;
 			ret = *idle_time >= idle_max;
diff --git a/src/pluto/kernel_alg.c b/src/pluto/kernel_alg.c
index 1590bdf02..7e7d25872 100644
--- a/src/pluto/kernel_alg.c
+++ b/src/pluto/kernel_alg.c
@@ -341,7 +341,7 @@ void kernel_alg_register_pfkey(const struct sadb_msg *msg_buf, int buflen)
 
 	sadb.msg++;
 
-	while(msglen)
+	while (msglen)
 	{
 		int supp_exttype = sadb.supported->sadb_supported_exttype;
 		int supp_len = sadb.supported->sadb_supported_len*IPSEC_PFKEYv2_ALIGN;
@@ -361,14 +361,14 @@ void kernel_alg_register_pfkey(const struct sadb_msg *msg_buf, int buflen)
 			 supp_len;
 			 supp_len -= sizeof(struct sadb_alg), sadb.alg++,i++)
 		{
-			int ret = kernel_alg_add(satype, supp_exttype, sadb.alg);
+			kernel_alg_add(satype, supp_exttype, sadb.alg);
 
 			DBG(DBG_KLIPS,
 				DBG_log("kernel_alg_register_pfkey(): SADB_SATYPE_%s: "
 						"alg[%d], exttype=%d, satype=%d, alg_id=%d, "
 						"alg_ivlen=%d, alg_minbits=%d, alg_maxbits=%d, "
-						"res=%d, ret=%d"
-						, satype==SADB_SATYPE_ESP? "ESP" : "AH"
+						"res=%d"
+						, satype == SADB_SATYPE_ESP? "ESP" : "AH"
 						, i
 						, supp_exttype
 						, satype
@@ -376,9 +376,25 @@ void kernel_alg_register_pfkey(const struct sadb_msg *msg_buf, int buflen)
 						, sadb.alg->sadb_alg_ivlen
 						, sadb.alg->sadb_alg_minbits
 						, sadb.alg->sadb_alg_maxbits
-						, sadb.alg->sadb_alg_reserved
-						, ret)
+						, sadb.alg->sadb_alg_reserved)
 			)
+			/* if AES_CBC is registered then also register AES_CCM and AES_GCM */
+			if (satype == SADB_SATYPE_ESP &&
+				sadb.alg->sadb_alg_id == SADB_X_EALG_AESCBC)
+			{
+				struct sadb_alg alg = *sadb.alg;
+				int alg_id;
+
+				for (alg_id = SADB_X_EALG_AES_CCM_ICV8;
+					 alg_id <= SADB_X_EALG_AES_GCM_ICV16; alg_id++)
+				{
+					if (alg_id != ESP_UNASSIGNED_17)
+					{
+						alg.sadb_alg_id = alg_id;
+						kernel_alg_add(satype, supp_exttype, &alg);
+					}
+				}
+			}
 		}
 	}
 }
@@ -388,8 +404,9 @@ u_int kernel_alg_esp_enc_keylen(u_int alg_id)
 	u_int keylen = 0;
 
 	if (!ESP_EALG_PRESENT(alg_id))
+	{
 		goto none;
-
+	}
 	keylen = esp_ealg[alg_id].sadb_alg_maxbits/BITS_PER_BYTE;
 
 	switch (alg_id)
@@ -407,8 +424,7 @@ u_int kernel_alg_esp_enc_keylen(u_int alg_id)
 
 none:   
 	DBG(DBG_KLIPS,
-		DBG_log("kernel_alg_esp_enc_keylen():"
-				"alg_id=%d, keylen=%d",
+		DBG_log("kernel_alg_esp_enc_keylen(): alg_id=%d, keylen=%d",
 				alg_id, keylen)
 	)
 	return keylen;
@@ -515,7 +531,7 @@ void kernel_alg_show_connection(struct connection *c, const char *instance)
 }
 
 bool kernel_alg_esp_auth_ok(u_int auth,
-					struct alg_info_esp *alg_info __attribute__((unused)))
+							struct alg_info_esp *alg_info __attribute__((unused)))
 {
 	return ESP_AALG_PRESENT(alg_info_esp_aa2sadb(auth));
 }
@@ -619,14 +635,15 @@ static bool kernel_alg_db_add(struct db_context *db_ctx,
 		return FALSE;
 	}
 	
-	if (!(policy & POLICY_AUTHENTICATE))    /* skip ESP auth attrs for AH */
+	if (!(policy & POLICY_AUTHENTICATE) &&    /* skip ESP auth attrs for AH */
+		esp_info->esp_aalg_id != AUTH_ALGORITHM_NONE)
 	{
 		aalg_id = alg_info_esp_aa2sadb(esp_info->esp_aalg_id);
 
 		if (!ESP_AALG_PRESENT(aalg_id))
 		{
-			DBG_log("kernel_alg_db_add() kernel auth "
-					"aalg_id=%d not present", aalg_id);
+			DBG_log("kernel_alg_db_add() kernel auth aalg_id=%d not present",
+					aalg_id);
 			return FALSE;
 		}
 	}
@@ -637,13 +654,18 @@ static bool kernel_alg_db_add(struct db_context *db_ctx,
 	/*  open new transformation */
 	db_trans_add(db_ctx, ealg_id);
 
-	/* add ESP auth attr */
-	if (!(policy & POLICY_AUTHENTICATE))
+	/* add ESP auth attr if not AH or AEAD */
+	if (!(policy & POLICY_AUTHENTICATE) &&
+		esp_info->esp_aalg_id != AUTH_ALGORITHM_NONE)
+	{
 		db_attr_add_values(db_ctx, AUTH_ALGORITHM, esp_info->esp_aalg_id);
+	}
 
-	/* add keylegth if specified in esp= string */
+	/* add keylength if specified in esp= string */
 	if (esp_info->esp_ealg_keylen)
+	{
 		db_attr_add_values(db_ctx, KEY_LENGTH, esp_info->esp_ealg_keylen);
+	}
 		
 	return TRUE;
 }
diff --git a/src/pluto/kernel_netlink.c b/src/pluto/kernel_netlink.c
index b4b4774c7..0376e817b 100644
--- a/src/pluto/kernel_netlink.c
+++ b/src/pluto/kernel_netlink.c
@@ -49,69 +49,76 @@ static int netlink_bcast_fd = NULL_FD;
 #define NE(x) { x, #x } /* Name Entry -- shorthand for sparse_names */
 
 static sparse_names xfrm_type_names = {
-		NE(NLMSG_NOOP),
-		NE(NLMSG_ERROR),
-		NE(NLMSG_DONE),
-		NE(NLMSG_OVERRUN),
+	NE(NLMSG_NOOP),
+	NE(NLMSG_ERROR),
+	NE(NLMSG_DONE),
+	NE(NLMSG_OVERRUN),
 
-		NE(XFRM_MSG_NEWSA),
-		NE(XFRM_MSG_DELSA),
-		NE(XFRM_MSG_GETSA),
+	NE(XFRM_MSG_NEWSA),
+	NE(XFRM_MSG_DELSA),
+	NE(XFRM_MSG_GETSA),
 
-		NE(XFRM_MSG_NEWPOLICY),
-		NE(XFRM_MSG_DELPOLICY),
-		NE(XFRM_MSG_GETPOLICY),
+	NE(XFRM_MSG_NEWPOLICY),
+	NE(XFRM_MSG_DELPOLICY),
+	NE(XFRM_MSG_GETPOLICY),
 
-		NE(XFRM_MSG_ALLOCSPI),
-		NE(XFRM_MSG_ACQUIRE),
-		NE(XFRM_MSG_EXPIRE),
+	NE(XFRM_MSG_ALLOCSPI),
+	NE(XFRM_MSG_ACQUIRE),
+	NE(XFRM_MSG_EXPIRE),
 
-		NE(XFRM_MSG_UPDPOLICY),
-		NE(XFRM_MSG_UPDSA),
+	NE(XFRM_MSG_UPDPOLICY),
+	NE(XFRM_MSG_UPDSA),
 
-		NE(XFRM_MSG_POLEXPIRE),
+	NE(XFRM_MSG_POLEXPIRE),
 
-		NE(XFRM_MSG_MAX),
+	NE(XFRM_MSG_MAX),
 
-		{ 0, sparse_end }
+	{ 0, sparse_end }
 };
 
 #undef NE
 
 /* Authentication algorithms */
 static sparse_names aalg_list = {
-		{ SADB_X_AALG_NULL, "digest_null" },
-		{ SADB_AALG_MD5HMAC, "md5" },
-		{ SADB_AALG_SHA1HMAC, "sha1" },
-		{ SADB_X_AALG_SHA2_256HMAC, "sha256" },
-		{ SADB_X_AALG_SHA2_384HMAC, "sha384" },
-		{ SADB_X_AALG_SHA2_512HMAC, "sha512" },
-		{ SADB_X_AALG_RIPEMD160HMAC, "ripemd160" },
-		{ SADB_X_AALG_AES_XCBC_MAC, "xcbc(aes)"},
-		{ SADB_X_AALG_NULL, "null" },
-		{ 0, sparse_end }
+	{ SADB_X_AALG_NULL,          "digest_null" },
+	{ SADB_AALG_MD5HMAC,         "md5" },
+	{ SADB_AALG_SHA1HMAC,        "sha1" },
+	{ SADB_X_AALG_SHA2_256HMAC,  "sha256" },
+	{ SADB_X_AALG_SHA2_384HMAC,  "sha384" },
+	{ SADB_X_AALG_SHA2_512HMAC,  "sha512" },
+	{ SADB_X_AALG_RIPEMD160HMAC, "ripemd160" },
+	{ SADB_X_AALG_AES_XCBC_MAC,  "xcbc(aes)"},
+	{ SADB_X_AALG_NULL,          "null" },
+	{ 0, sparse_end }
 };
 
 /* Encryption algorithms */
 static sparse_names ealg_list = {
-		{ SADB_EALG_NULL, "cipher_null" },
-		{ SADB_EALG_DESCBC, "des" },
-		{ SADB_EALG_3DESCBC, "des3_ede" },
-		{ SADB_X_EALG_CASTCBC, "cast128" },
-		{ SADB_X_EALG_BLOWFISHCBC, "blowfish" },
-		{ SADB_X_EALG_AESCBC, "aes" },
-		{ SADB_X_EALG_CAMELLIACBC, "cbc(camellia)" },
-		{ SADB_X_EALG_SERPENTCBC, "serpent" },
-		{ SADB_X_EALG_TWOFISHCBC, "twofish" },
-		{ 0, sparse_end }
+	{ SADB_EALG_NULL,            "cipher_null" },
+	{ SADB_EALG_DESCBC,          "des" },
+	{ SADB_EALG_3DESCBC,         "des3_ede" },
+	{ SADB_X_EALG_CASTCBC,       "cast128" },
+	{ SADB_X_EALG_BLOWFISHCBC,   "blowfish" },
+	{ SADB_X_EALG_AESCBC,        "aes" },
+	{ SADB_X_EALG_AESCTR,        "rfc3686(ctr(aes))" },
+	{ SADB_X_EALG_AES_CCM_ICV8,  "rfc4309(ccm(aes))" },
+	{ SADB_X_EALG_AES_CCM_ICV12, "rfc4309(ccm(aes))" },
+	{ SADB_X_EALG_AES_CCM_ICV16, "rfc4309(ccm(aes))" },
+	{ SADB_X_EALG_AES_GCM_ICV8,  "rfc4106(gcm(aes))" },
+	{ SADB_X_EALG_AES_GCM_ICV12, "rfc4106(gcm(aes))" },
+	{ SADB_X_EALG_AES_GCM_ICV16, "rfc4106(gcm(aes))" },
+	{ SADB_X_EALG_CAMELLIACBC,   "cbc(camellia)" },
+	{ SADB_X_EALG_SERPENTCBC,    "serpent" },
+	{ SADB_X_EALG_TWOFISHCBC,    "twofish" },
+	{ 0, sparse_end }
 };
 
 /* Compression algorithms */
 static sparse_names calg_list = {
-		{ SADB_X_CALG_DEFLATE, "deflate" },
-		{ SADB_X_CALG_LZS, "lzs" },
-		{ SADB_X_CALG_LZJH, "lzjh" },
-		{ 0, sparse_end }
+	{ SADB_X_CALG_DEFLATE, "deflate" },
+	{ SADB_X_CALG_LZS,     "lzs" },
+	{ SADB_X_CALG_LZJH,    "lzjh" },
+	{ 0, sparse_end }
 };
 
 /** ip2xfrm - Take an IP address and convert to an xfrm.
@@ -119,8 +126,7 @@ static sparse_names calg_list = {
  * @param addr ip_address
  * @param xaddr xfrm_address_t - IPv[46] Address from addr is copied here.
  */
-static void
-ip2xfrm(const ip_address *addr, xfrm_address_t *xaddr)
+static void ip2xfrm(const ip_address *addr, xfrm_address_t *xaddr)
 {
 	if (addr->u.v4.sin_family == AF_INET)
 	{
@@ -135,35 +141,41 @@ ip2xfrm(const ip_address *addr, xfrm_address_t *xaddr)
 /** init_netlink - Initialize the netlink inferface.  Opens the sockets and
  * then binds to the broadcast socket.
  */
-static void
-init_netlink(void)
+static void init_netlink(void)
 {
 	struct sockaddr_nl addr;
 
 	netlinkfd = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_XFRM);
 
 	if (netlinkfd < 0)
+	{
 		exit_log_errno((e, "socket() in init_netlink()"));
-
+	}
 	if (fcntl(netlinkfd, F_SETFD, FD_CLOEXEC) != 0)
+	{
 		exit_log_errno((e, "fcntl(FD_CLOEXEC) in init_netlink()"));
-
+	}
 	netlink_bcast_fd = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_XFRM);
 
 	if (netlink_bcast_fd < 0)
+	{
 		exit_log_errno((e, "socket() for bcast in init_netlink()"));
-
+	}
 	if (fcntl(netlink_bcast_fd, F_SETFD, FD_CLOEXEC) != 0)
+	{
 		exit_log_errno((e, "fcntl(FD_CLOEXEC) for bcast in init_netlink()"));
-
+	}
 	if (fcntl(netlink_bcast_fd, F_SETFL, O_NONBLOCK) != 0)
+	{
 		exit_log_errno((e, "fcntl(O_NONBLOCK) for bcast in init_netlink()"));
-
+	}
 	addr.nl_family = AF_NETLINK;
 	addr.nl_pid = getpid();
 	addr.nl_groups = XFRMGRP_ACQUIRE | XFRMGRP_EXPIRE;
 	if (bind(netlink_bcast_fd, (struct sockaddr *)&addr, sizeof(addr)) != 0)
+	{
 		exit_log_errno((e, "Failed to bind bcast socket in init_netlink()"));
+	}
 }
 
 /** send_netlink_msg
@@ -176,9 +188,9 @@ init_netlink(void)
  * @param text_said - String
  * @return bool True if the message was succesfully sent.
  */
-static bool
-send_netlink_msg(struct nlmsghdr *hdr, struct nlmsghdr *rbuf, size_t rbuf_len
-, const char *description, const char *text_said)
+static bool send_netlink_msg(struct nlmsghdr *hdr, struct nlmsghdr *rbuf,
+							 size_t rbuf_len, const char *description,
+							 const char *text_said)
 {
 	struct {
 		struct nlmsghdr n;
@@ -200,7 +212,9 @@ send_netlink_msg(struct nlmsghdr *hdr, struct nlmsghdr *rbuf, size_t rbuf_len
 	len = hdr->nlmsg_len;
 	do {
 		r = write(netlinkfd, hdr, len);
-	} while (r < 0 && errno == EINTR);
+	}
+	while (r < 0 && errno == EINTR);
+
 	if (r < 0)
 	{
 		log_errno((e
@@ -221,7 +235,8 @@ send_netlink_msg(struct nlmsghdr *hdr, struct nlmsghdr *rbuf, size_t rbuf_len
 		return FALSE;
 	}
 
-	for (;;) {
+	for (;;)
+	{
 		socklen_t alen;
 
 		alen = sizeof(addr);
@@ -322,8 +337,8 @@ send_netlink_msg(struct nlmsghdr *hdr, struct nlmsghdr *rbuf, size_t rbuf_len
  * @param text_said - String
  * @return boolean
  */
-static bool
-netlink_policy(struct nlmsghdr *hdr, bool enoent_ok, const char *text_said)
+static bool netlink_policy(struct nlmsghdr *hdr, bool enoent_ok,
+						   const char *text_said)
 {
 	struct {
 		struct nlmsghdr n;
@@ -372,18 +387,17 @@ netlink_policy(struct nlmsghdr *hdr, bool enoent_ok, const char *text_said)
  * @param ip int
  * @return boolean True if successful
  */
-static bool
-netlink_raw_eroute(const ip_address *this_host
-				 , const ip_subnet *this_client
-				 , const ip_address *that_host
-				 , const ip_subnet *that_client
-				 , ipsec_spi_t spi
-				 , unsigned int satype
-				 , unsigned int transport_proto
-				 , const struct pfkey_proto_info *proto_info
-				 , time_t use_lifetime UNUSED
-				 , unsigned int op
-				 , const char *text_said)
+static bool netlink_raw_eroute(const ip_address *this_host
+							 , const ip_subnet *this_client
+							 , const ip_address *that_host
+							 , const ip_subnet *that_client
+							 , ipsec_spi_t spi
+							 , unsigned int satype
+							 , unsigned int transport_proto
+							 , const struct pfkey_proto_info *proto_info
+							 , time_t use_lifetime UNUSED
+							 , unsigned int op
+							 , const char *text_said)
 {
 	struct {
 		struct nlmsghdr n;
@@ -568,8 +582,7 @@ netlink_raw_eroute(const ip_address *this_host
  * @param replace boolean - true if this replaces an existing SA
  * @return bool True if successfull
  */
-static bool
-netlink_add_sa(const struct kernel_sa *sa, bool replace)
+static bool netlink_add_sa(const struct kernel_sa *sa, bool replace)
 {
 	struct {
 		struct nlmsghdr n;
@@ -577,6 +590,7 @@ netlink_add_sa(const struct kernel_sa *sa, bool replace)
 		char data[1024];
 	} req;
 	struct rtattr *attr;
+	u_int16_t icv_size = 64;	
 
 	memset(&req, 0, sizeof(req));
 	req.n.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
@@ -606,11 +620,17 @@ netlink_add_sa(const struct kernel_sa *sa, bool replace)
 		const char *name;
 
 		name = sparse_name(aalg_list, sa->authalg);
-		if (!name) {
+		if (!name)
+		{
 			loglog(RC_LOG_SERIOUS, "unknown authentication algorithm: %u"
 				, sa->authalg);
 			return FALSE;
 		}
+		DBG(DBG_CRYPT,
+			DBG_log("configured authentication algorithm %s with key size %d",
+					enum_show(&auth_alg_names, sa->authalg),
+					sa->authkeylen * BITS_PER_BYTE)
+			)
 
 		strcpy(algo.alg_name, name);
 		algo.alg_key_len = sa->authkeylen * BITS_PER_BYTE;
@@ -626,30 +646,78 @@ netlink_add_sa(const struct kernel_sa *sa, bool replace)
 		attr = (struct rtattr *)((char *)attr + attr->rta_len);
 	}
 
-	if (sa->encalg)
+	switch (sa->encalg)
 	{
-		struct xfrm_algo algo;
-		const char *name;
+		case SADB_EALG_NONE:
+			/* no encryption */
+			break;
+		case SADB_X_EALG_AES_CCM_ICV16:
+		case SADB_X_EALG_AES_GCM_ICV16:
+			icv_size += 32;
+			/* FALL */
+		case SADB_X_EALG_AES_CCM_ICV12:
+		case SADB_X_EALG_AES_GCM_ICV12:
+			icv_size += 32;
+			/* FALL */
+		case SADB_X_EALG_AES_CCM_ICV8:
+		case SADB_X_EALG_AES_GCM_ICV8:
+		{
+			struct xfrm_algo_aead *algo;
+			const char *name;
 
-		name = sparse_name(ealg_list, sa->encalg);
-		if (!name) {
-			loglog(RC_LOG_SERIOUS, "unknown encryption algorithm: %u"
-				, sa->encalg);
-			return FALSE;
+			name = sparse_name(ealg_list, sa->encalg);
+			if (!name)
+			{
+				loglog(RC_LOG_SERIOUS, "unknown encryption algorithm: %u",
+					   sa->encalg);
+				return FALSE;
+			}
+			DBG(DBG_CRYPT,
+				DBG_log("configured esp encryption algorithm %s with key size %d",
+						enum_show(&esp_transformid_names, sa->encalg),
+						sa->enckeylen * BITS_PER_BYTE)
+			)
+			attr->rta_type = XFRMA_ALG_AEAD;
+			attr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo_aead) + sa->enckeylen);
+			req.n.nlmsg_len += attr->rta_len;
+			
+			algo = (struct xfrm_algo_aead*)RTA_DATA(attr);
+			algo->alg_key_len = sa->enckeylen * BITS_PER_BYTE;
+			algo->alg_icv_len = icv_size;
+			strcpy(algo->alg_name, name);
+			memcpy(algo->alg_key, sa->enckey, sa->enckeylen);
+			
+			attr = (struct rtattr *)((char *)attr + attr->rta_len);
+			break;
 		}
+		default:
+		{
+			struct xfrm_algo *algo;
+			const char *name;
 
-		strcpy(algo.alg_name, name);
-		algo.alg_key_len = sa->enckeylen * BITS_PER_BYTE;
-
-		attr->rta_type = XFRMA_ALG_CRYPT;
-		attr->rta_len = RTA_LENGTH(sizeof(algo) + sa->enckeylen);
-
-		memcpy(RTA_DATA(attr), &algo, sizeof(algo));
-		memcpy((char *)RTA_DATA(attr) + sizeof(algo), sa->enckey
-			, sa->enckeylen);
-
-		req.n.nlmsg_len += attr->rta_len;
-		attr = (struct rtattr *)((char *)attr + attr->rta_len);
+			name = sparse_name(ealg_list, sa->encalg);
+			if (!name)
+			{
+				loglog(RC_LOG_SERIOUS, "unknown encryption algorithm: %u",
+					   sa->encalg);
+				return FALSE;
+			}
+			DBG(DBG_CRYPT,
+				DBG_log("configured esp encryption algorithm %s with key size %d",
+						enum_show(&esp_transformid_names, sa->encalg),
+						sa->enckeylen * BITS_PER_BYTE)
+			)
+			attr->rta_type = XFRMA_ALG_CRYPT;
+			attr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + sa->enckeylen);
+			req.n.nlmsg_len += attr->rta_len;
+
+			algo = (struct xfrm_algo*)RTA_DATA(attr);
+			algo->alg_key_len = sa->enckeylen * BITS_PER_BYTE;
+			strcpy(algo->alg_name, name);
+			memcpy(algo->alg_key, sa->enckey, sa->enckeylen);
+
+			attr = (struct rtattr *)((char *)attr + attr->rta_len);
+		}
 	}
 
 	if (sa->compalg)
@@ -658,7 +726,8 @@ netlink_add_sa(const struct kernel_sa *sa, bool replace)
 		const char *name;
 
 		name = sparse_name(calg_list, sa->compalg);
-		if (!name) {
+		if (!name)
+		{
 			loglog(RC_LOG_SERIOUS, "unknown compression algorithm: %u"
 				, sa->compalg);
 			return FALSE;
@@ -702,8 +771,7 @@ netlink_add_sa(const struct kernel_sa *sa, bool replace)
  * @param sa Kernel SA to be deleted
  * @return bool True if successfull
  */
-static bool
-netlink_del_sa(const struct kernel_sa *sa)
+static bool netlink_del_sa(const struct kernel_sa *sa)
 {
 	struct {
 		struct nlmsghdr n;
@@ -726,9 +794,8 @@ netlink_del_sa(const struct kernel_sa *sa)
 	return send_netlink_msg(&req.n, NULL, 0, "Del SA", sa->text_said);
 }
 
-static bool
-netlink_error(const char *req_type, const struct nlmsghdr *n
-, const struct nlmsgerr *e, int rsp_size)
+static bool netlink_error(const char *req_type, const struct nlmsghdr *n,
+						  const struct nlmsgerr *e, int rsp_size)
 {
 	if (n->nlmsg_type == NLMSG_ERROR)
 	{
@@ -751,8 +818,8 @@ netlink_error(const char *req_type, const struct nlmsghdr *n
 	return FALSE;
 }
 
-static bool
-netlink_get_policy(const struct kernel_sa *sa, bool inbound, time_t *use_time)
+static bool netlink_get_policy(const struct kernel_sa *sa, bool inbound,
+							   time_t *use_time)
 {
 	struct {
 		struct nlmsghdr n;
@@ -789,11 +856,13 @@ netlink_get_policy(const struct kernel_sa *sa, bool inbound, time_t *use_time)
 	req.id.dir = (inbound)? XFRM_POLICY_IN:XFRM_POLICY_OUT;
 
 	if (!send_netlink_msg(&req.n, &rsp.n, sizeof(rsp), "Get policy", "?"))
+	{
 		return FALSE;
-
+	}
 	if (netlink_error("XFRM_MSG_GETPOLICY", &rsp.n, &rsp.u.e, sizeof(rsp.u.info)))
+	{
 		return FALSE;
-
+	}
 	*use_time = (time_t)rsp.u.info.curlft.use_time;
 
 	if (inbound && sa->encapsulation == ENCAPSULATION_MODE_TUNNEL)
@@ -803,11 +872,13 @@ netlink_get_policy(const struct kernel_sa *sa, bool inbound, time_t *use_time)
 		req.id.dir = XFRM_POLICY_FWD;
 
 		if (!send_netlink_msg(&req.n, &rsp.n, sizeof(rsp), "Get policy", "?"))
+		{
 			return FALSE;
-
+		}
 		if (netlink_error("XFRM_MSG_GETPOLICY", &rsp.n, &rsp.u.e, sizeof(rsp.u.info)))
+		{
 			return FALSE;
-
+		}
 		use_time_fwd = (time_t)rsp.u.info.curlft.use_time;
 		*use_time = (*use_time > use_time_fwd)? *use_time : use_time_fwd;
 	}
@@ -820,8 +891,7 @@ netlink_get_policy(const struct kernel_sa *sa, bool inbound, time_t *use_time)
  * @param sa Kernel SA to be queried
  * @return bool True if successfull
  */
-static bool
-netlink_get_sa(const struct kernel_sa *sa, u_int *bytes)
+static bool netlink_get_sa(const struct kernel_sa *sa, u_int *bytes)
 {
 	struct {
 		struct nlmsghdr n;
@@ -851,18 +921,18 @@ netlink_get_sa(const struct kernel_sa *sa, u_int *bytes)
 	rsp.n.nlmsg_type = XFRM_MSG_NEWSA;
 
 	if (!send_netlink_msg(&req.n, &rsp.n, sizeof(rsp), "Get SA", sa->text_said))
+	{
 		return FALSE;
-
+	}
 	if (netlink_error("XFRM_MSG_GETSA", &rsp.n, &rsp.u.e, sizeof(rsp.u.info)))
+	{
 		return FALSE;
-
+	}
 	*bytes = (u_int) rsp.u.info.curlft.bytes;
-
 	return TRUE;
 }
 
-static void
-linux_pfkey_register_response(const struct sadb_msg *msg)
+static void linux_pfkey_register_response(const struct sadb_msg *msg)
 {
 	switch (msg->sadb_msg_satype)
 	{
@@ -882,8 +952,7 @@ linux_pfkey_register_response(const struct sadb_msg *msg)
 /** linux_pfkey_register - Register via PFKEY our capabilities
  *
  */
-static void
-linux_pfkey_register(void)
+static void linux_pfkey_register(void)
 {
 	pfkey_register_proto(SADB_SATYPE_AH, "AH");
 	pfkey_register_proto(SADB_SATYPE_ESP, "ESP");
@@ -898,8 +967,8 @@ linux_pfkey_register(void)
  * @param dst ip_address formatted destination
  * @return err_t NULL if okay, otherwise an error
  */
-static err_t
-xfrm_to_ip_address(unsigned family, const xfrm_address_t *src, ip_address *dst)
+static err_t xfrm_to_ip_address(unsigned family, const xfrm_address_t *src,
+								ip_address *dst)
 {
 	switch (family)
 	{
@@ -922,10 +991,8 @@ xfrm_to_ip_address(unsigned family, const xfrm_address_t *src, ip_address *dst)
  * @param dst ip_address formatted destination
  * @return err_t NULL if okay, otherwise an error
  */
-static err_t
-xfrm_sel_to_ip_pair(const struct xfrm_selector *sel
-					, ip_address *src
-					, ip_address *dst)
+static err_t xfrm_sel_to_ip_pair(const struct xfrm_selector *sel,
+								 ip_address *src, ip_address *dst)
 {
 	int family;
 	err_t ugh;
@@ -934,7 +1001,9 @@ xfrm_sel_to_ip_pair(const struct xfrm_selector *sel
 
 	if ((ugh = xfrm_to_ip_address(family, &sel->saddr, src))
 		|| (ugh = xfrm_to_ip_address(family, &sel->daddr, dst)))
+	{	
 		return ugh;
+	}
 
 	/* family has been verified in xfrm_to_ip_address. */
 	if (family == AF_INET)
@@ -951,8 +1020,7 @@ xfrm_sel_to_ip_pair(const struct xfrm_selector *sel
    return NULL;
 }
 
-static void
-netlink_acquire(struct nlmsghdr *n)
+static void netlink_acquire(struct nlmsghdr *n)
 {
 	struct xfrm_user_acquire *acquire;
 	ip_address src, dst;
@@ -978,15 +1046,17 @@ netlink_acquire(struct nlmsghdr *n)
 	if (!(ugh = xfrm_sel_to_ip_pair(&acquire->sel, &src, &dst))
 	&& !(ugh = addrtosubnet(&src, &ours))
 	&& !(ugh = addrtosubnet(&dst, &his)))
+	{
 		record_and_initiate_opportunistic(&ours, &his, transport_proto
 			, "%acquire-netlink");
-
+	}
 	if (ugh != NULL)
+	{
 		plog("XFRM_MSG_ACQUIRE message from kernel malformed: %s", ugh);
+	}
 }
 
-static void
-netlink_shunt_expire(struct xfrm_userpolicy_info *pol)
+static void netlink_shunt_expire(struct xfrm_userpolicy_info *pol)
 {
 	ip_address src, dst;
 	unsigned transport_proto;
@@ -1004,8 +1074,7 @@ netlink_shunt_expire(struct xfrm_userpolicy_info *pol)
 		, "delete expired bare shunt");
 }
 
-static void
-netlink_policy_expire(struct nlmsghdr *n)
+static void netlink_policy_expire(struct nlmsghdr *n)
 {
 	struct xfrm_user_polexpire *upe;
 	struct {
@@ -1040,11 +1109,13 @@ netlink_policy_expire(struct nlmsghdr *n)
 	rsp.n.nlmsg_type = XFRM_MSG_NEWPOLICY;
 
 	if (!send_netlink_msg(&req.n, &rsp.n, sizeof(rsp), "Get policy", "?"))
+	{
 		return;
-
+	}
 	if (netlink_error("XFRM_MSG_GETPOLICY", &rsp.n, &rsp.u.e, sizeof(rsp.u.pol)))
+	{
 		return;
-
+	}
 	if (req.id.index != rsp.u.pol.index)
 	{
 		DBG(DBG_KLIPS,
@@ -1072,8 +1143,7 @@ netlink_policy_expire(struct nlmsghdr *n)
 	}
 }
 
-static bool
-netlink_get(void)
+static bool netlink_get(void)
 {
 	struct {
 		struct nlmsghdr n;
@@ -1137,22 +1207,15 @@ netlink_get(void)
 	return TRUE;
 }
 
-static void
-netlink_process_msg(void)
+static void netlink_process_msg(void)
 {
-	while (netlink_get())
-		;
+	while (netlink_get());
 }
 
-static ipsec_spi_t
-netlink_get_spi(const ip_address *src
-, const ip_address *dst
-, int proto
-, bool tunnel_mode
-, unsigned reqid
-, ipsec_spi_t min
-, ipsec_spi_t max
-, const char *text_said)
+static ipsec_spi_t netlink_get_spi(const ip_address *src, const ip_address *dst,
+								  int proto, bool tunnel_mode, unsigned reqid,
+								  ipsec_spi_t min, ipsec_spi_t max,
+								  const char *text_said)
 {
 	struct {
 		struct nlmsghdr n;
@@ -1185,11 +1248,13 @@ netlink_get_spi(const ip_address *src
 	rsp.n.nlmsg_type = XFRM_MSG_NEWSA;
 
 	if (!send_netlink_msg(&req.n, &rsp.n, sizeof(rsp), "Get SPI", text_said))
+	{
 		return 0;
-
+	}
 	if (netlink_error("XFRM_MSG_ALLOCSPI", &rsp.n, &rsp.u.e, sizeof(rsp.u.sa)))
+	{
 		return 0;
-
+	}
 	DBG(DBG_KLIPS,
 		DBG_log("netlink_get_spi: allocated 0x%x for %s"
 			, ntohl(rsp.u.sa.id.spi), text_said));
diff --git a/src/pluto/keys.c b/src/pluto/keys.c
index 6dfbd6732..516872e8e 100644
--- a/src/pluto/keys.c
+++ b/src/pluto/keys.c
@@ -1,5 +1,6 @@
 /* mechanisms for preshared keys (public, private, and preshared secrets)
  * Copyright (C) 1998-2001  D. Hugh Redelmeier.
+ * Copyright (C) 2009 Andreas Steffen - Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -551,7 +552,7 @@ static err_t process_keyfile(private_key_t **key, key_type_t type, int whackfd)
 	}
 	*key = load_private_key(filename, &pass, type);
 
-	return key ? NULL : "Private key file -- could not be loaded";
+	return *key ? NULL : "Private key file -- could not be loaded";
 }
 
 /**
diff --git a/src/pluto/ocsp.c b/src/pluto/ocsp.c
index 80164fa1d..8e428a759 100644
--- a/src/pluto/ocsp.c
+++ b/src/pluto/ocsp.c
@@ -1,6 +1,6 @@
 /* Support of the Online Certificate Status Protocol (OCSP)
  * Copyright (C) 2003 Christoph Gysin, Simon Zwahlen
- * Zuercher Hochschule Winterthur
+ * Copyright (C) 2009 Andreas Steffen - Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
diff --git a/src/pluto/pem.c b/src/pluto/pem.c
index 646447c1a..1a4a99af7 100644
--- a/src/pluto/pem.c
+++ b/src/pluto/pem.c
@@ -1,5 +1,6 @@
 /* Loading of PEM encoded files with optional encryption
  * Copyright (C) 2001-2009 Andreas Steffen
+ *
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
diff --git a/src/pluto/pgpcert.c b/src/pluto/pgpcert.c
index 7fb8232d5..1d5b14b26 100644
--- a/src/pluto/pgpcert.c
+++ b/src/pluto/pgpcert.c
@@ -85,7 +85,7 @@ static u_char pgp_version(chunk_t *blob)
 }
 
 /**
- * Parse OpenPGP signature packet defined in section 5.2.2 of RFC 2440
+ * Parse OpenPGP signature packet defined in section 5.2.2 of RFC 4880
  */
 static bool parse_pgp_signature_packet(chunk_t *packet, pgpcert_t *cert)
 {
@@ -171,8 +171,8 @@ static bool parse_pgp_pubkey_version_validity(chunk_t *packet, pgpcert_t *cert)
  */
 static bool parse_pgp_pubkey_packet(chunk_t *packet, pgpcert_t *cert)
 {
-	pgp_pubkey_alg_t pubkey_alg;
-	public_key_t *key;
+	chunk_t pubkey_packet = *packet;
+ 	pgp_pubkey_alg_t pubkey_alg;
 
 	if (!parse_pgp_pubkey_version_validity(packet, cert))
 	{
@@ -190,33 +190,51 @@ static bool parse_pgp_pubkey_packet(chunk_t *packet, pgpcert_t *cert)
 	{
 		case PGP_PUBKEY_ALG_RSA:
 		case PGP_PUBKEY_ALG_RSA_SIGN_ONLY:
-			key = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
-												 BUILD_BLOB_PGP, *packet,
-												 BUILD_END);
-			if (key == NULL)
+			cert->public_key = lib->creds->create(lib->creds,
+									CRED_PUBLIC_KEY, KEY_RSA,
+									BUILD_BLOB_PGP, *packet,
+									BUILD_END);
+			if (cert->public_key == NULL)
 			{
 				return FALSE;
 			}
-			cert->public_key = key;
-
-			if (cert->version == 3)
-			{
-				cert->fingerprint = key->get_id(key, ID_KEY_ID);
-				if (cert->fingerprint == NULL)
-				{
-					return FALSE;
-				}
-			}
-			else
-			{
-				plog("  computation of V4 key ID not implemented yet");
-				return FALSE;
-			}
 			break;
 	 	default:
 			plog("  non RSA public keys not supported");
 			return FALSE;
 	}
+
+	/* compute V4 or V3 fingerprint according to section 12.2 of RFC 4880 */
+	if (cert->version == 4)
+	{
+		char pubkey_packet_header_buf[] = {
+				0x99, pubkey_packet.len / 256, pubkey_packet.len % 256
+			 };
+		chunk_t pubkey_packet_header = chunk_from_buf(pubkey_packet_header_buf);
+		chunk_t hash;
+		hasher_t *hasher;
+
+		hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
+		if (hasher == NULL)
+		{
+			plog("no SHA-1 hasher available");
+			return FALSE;
+		}
+		hasher->allocate_hash(hasher, pubkey_packet_header, NULL);
+		hasher->allocate_hash(hasher, pubkey_packet, &hash);
+		hasher->destroy(hasher);
+		cert->fingerprint = identification_create_from_encoding(ID_KEY_ID, hash);
+		free(hash.ptr);
+	}
+	else
+	{
+		/* V3 fingerprint is computed by public_key_t class */
+		cert->fingerprint = cert->public_key->get_id(cert->public_key, ID_KEY_ID);
+		if (cert->fingerprint == NULL)
+		{
+			return FALSE;
+		}
+	}
 	return TRUE;
 }
 
diff --git a/src/pluto/plutomain.c b/src/pluto/plutomain.c
index 39367cafa..5d0e008f3 100644
--- a/src/pluto/plutomain.c
+++ b/src/pluto/plutomain.c
@@ -43,11 +43,6 @@
 #include <utils/enumerator.h>
 #include <utils/optionsfrom.h>
 
-#ifdef INTEGRITY_TEST
-#include <fips/fips.h>
-#include <fips/fips_signature.h>
-#endif /* INTEGRITY_TEST */
-
 #include <pfkeyv2.h>
 #include <pfkey.h>
 
@@ -265,7 +260,18 @@ int main(int argc, char **argv)
 #endif /* CAPABILITIES */
 
 	/* initialize library and optionsfrom */
-	library_init(STRONGSWAN_CONF);
+	if (!library_init(STRONGSWAN_CONF))
+	{
+		library_deinit();
+		exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
+	}
+	if (lib->integrity &&
+		!lib->integrity->check_file(lib->integrity, "pluto", argv[0]))
+	{
+		fprintf(stderr, "integrity check of pluto failed\n");
+		library_deinit();
+		exit(SS_RC_DAEMON_INTEGRITY);
+	}
 	options = options_create();
 
 	/* handle arguments */
@@ -637,31 +643,28 @@ int main(int argc, char **argv)
 	plog("Starting IKEv1 pluto daemon (strongSwan "VERSION")%s",
 		 compile_time_interop_options);
 
+	if (lib->integrity)
+	{
+		plog("integrity tests enabled:");
+		plog("lib    'libstrongswan': passed file and segment integrity tests");
+		plog("daemon 'pluto': passed file integrity test");
+	}
+
 	/* load plugins, further infrastructure may need it */
 	lib->plugins->load(lib->plugins, IPSEC_PLUGINDIR, 
 		lib->settings->get_str(lib->settings, "pluto.load", PLUGINS));
 	print_plugins();
 
-#ifdef INTEGRITY_TEST
-	DBG1("integrity test of libstrongswan code");
-	if (fips_verify_hmac_signature(hmac_key, hmac_signature))
-	{
-		DBG1("  integrity test passed");
-	}
-	else
+	if (!init_secret() || !init_crypto())
 	{
-		DBG1("  integrity test failed");
-		abort();
+		plog("initialization failed - aborting pluto");
+		exit_pluto(SS_RC_INITIALIZATION_FAILED);
 	}
-#endif /* INTEGRITY_TEST */
-
 	init_nat_traversal(nat_traversal, keep_alive, force_keepalive, nat_t_spf);
 	init_virtual_ip(virtual_private);
 	scx_init(pkcs11_module_path, pkcs11_init_args);
 	xauth_init();
-	init_secret();
 	init_states();
-	init_crypto();
 	init_demux();
 	init_kernel();
 	init_adns();
diff --git a/src/pluto/spdb.c b/src/pluto/spdb.c
index b8f4a3c23..a86c9f215 100644
--- a/src/pluto/spdb.c
+++ b/src/pluto/spdb.c
@@ -473,14 +473,13 @@ out_sa(pb_stream *outs
 				if (!out_struct(&trans, trans_desc, &proposal_pbs, &trans_pbs))
 					return_on(ret, FALSE);
 
-				/* Within tranform: Attributes. */
+				/* Within transform: Attributes. */
 
 				/* For Phase 2 / Quick Mode, GROUP_DESCRIPTION is
 				 * automatically generated because it must be the same
 				 * in every transform.  Except IPCOMP.
 				 */
-				if (p->protoid != PROTO_IPCOMP
-				&& st->st_pfs_group != NULL)
+				if (p->protoid != PROTO_IPCOMP && st->st_pfs_group != NULL)
 				{
 					passert(!oakley_mode);
 					passert(st->st_pfs_group != &unset_group);
@@ -582,8 +581,7 @@ return_out:
  * The code is can only handle values that can fit in unsigned long.
  * "Clamping" is probably an acceptable way to impose this limitation.
  */
-static u_int32_t
-decode_long_duration(pb_stream *pbs)
+static u_int32_t decode_long_duration(pb_stream *pbs)
 {
 	u_int32_t val = 0;
 
@@ -631,8 +629,9 @@ preparse_isakmp_sa_body(const struct isakmp_sa *sa
 
 	/* Situation */
 	if (!in_struct(ipsecdoisit, &ipsec_sit_desc, sa_pbs, NULL))
+	{
 		return SITUATION_NOT_SUPPORTED;
-
+	}
 	if (*ipsecdoisit != SIT_IDENTITY_ONLY)
 	{
 		loglog(RC_LOG_SERIOUS, "unsupported IPsec DOI situation (%s)"
@@ -647,8 +646,9 @@ preparse_isakmp_sa_body(const struct isakmp_sa *sa
 	 * There may well be multiple transforms.
 	 */
 	if (!in_struct(proposal, &isakmp_proposal_desc, sa_pbs, proposal_pbs))
+	{
 		return PAYLOAD_MALFORMED;
-
+	}
 	if (proposal->isap_np != ISAKMP_NEXT_NONE)
 	{
 		loglog(RC_LOG_SERIOUS, "Proposal Payload must be alone in Oakley SA; found %s following Proposal"
@@ -711,35 +711,31 @@ static struct {
 	u_int8_t *roof;
 } backup;
 
-/*
- * backup the pointer into a pb_stream
+/**
+ * Backup the pointer into a pb_stream
  */
-void
-backup_pbs(pb_stream *pbs)
+void backup_pbs(pb_stream *pbs)
 {
 	backup.start = pbs->start;
 	backup.cur   = pbs->cur;
 	backup.roof  = pbs->roof;
 }
 
-/*
- * restore the pointer into a pb_stream
+/**
+ * Restore the pointer into a pb_stream
  */
-void
-restore_pbs(pb_stream *pbs)
+void restore_pbs(pb_stream *pbs)
 {
 	pbs->start = backup.start;
 	pbs->cur   = backup.cur;
 	pbs->roof  = backup.roof;
 }
 
-/*
+/**
  * Parse an ISAKMP Proposal Payload for RSA and PSK authentication policies
  */
-notification_t
-parse_isakmp_policy(pb_stream *proposal_pbs
-				  , u_int notrans
-				  , lset_t *policy)
+notification_t parse_isakmp_policy(pb_stream *proposal_pbs, u_int notrans,
+								   lset_t *policy)
 {
 	int last_transnum = -1;
 
@@ -753,8 +749,9 @@ parse_isakmp_policy(pb_stream *proposal_pbs
 		struct isakmp_transform trans;
 
 		if (!in_struct(&trans, &isakmp_isakmp_transform_desc, proposal_pbs, &trans_pbs))
+		{
 			return BAD_PROPOSAL_SYNTAX;
-
+		}
 		if (trans.isat_transnum <= last_transnum)
 		{
 			/* picky, picky, picky */
@@ -781,8 +778,9 @@ parse_isakmp_policy(pb_stream *proposal_pbs
 			pb_stream attr_pbs;
 
 			if (!in_struct(&a, &isakmp_oakley_attribute_desc, &trans_pbs, &attr_pbs))
+			{
 				return BAD_PROPOSAL_SYNTAX;
-
+			}
 			passert((a.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK) < 32);
 
 			switch (a.isaat_af_type)
@@ -827,11 +825,10 @@ parse_isakmp_policy(pb_stream *proposal_pbs
 	return NOTHING_WRONG;
 }
 
-/* 
- * check that we can find a preshared secret
+/**
+ * Check that we can find a preshared secret
  */
-static err_t
-find_preshared_key(struct state* st)
+static err_t find_preshared_key(struct state* st)
 {
 	err_t ugh = NULL;
 	struct connection *c = st->st_connection;
@@ -842,9 +839,13 @@ find_preshared_key(struct state* st)
 
 		idtoa(&c->spd.this.id, my_id, sizeof(my_id));
 		if (his_id_was_instantiated(c))
+		{
 			strcpy(his_id, "%any");
+		}
 		else
+		{
 			idtoa(&c->spd.that.id, his_id, sizeof(his_id));
+		}
 		ugh = builddiag("Can't authenticate: no preshared key found for `%s' and `%s'"
 						, my_id, his_id);
 	}
@@ -860,13 +861,12 @@ find_preshared_key(struct state* st)
  *
  * This routine is used by main_inI1_outR1() and main_inR1_outI2().
  */
-notification_t
-parse_isakmp_sa_body(u_int32_t ipsecdoisit
-				   , pb_stream *proposal_pbs
-				   , struct isakmp_proposal *proposal
-				   , pb_stream *r_sa_pbs
-				   , struct state *st
-				   , bool initiator)
+notification_t parse_isakmp_sa_body(u_int32_t ipsecdoisit,
+									pb_stream *proposal_pbs,
+									struct isakmp_proposal *proposal,
+									pb_stream *r_sa_pbs,
+									struct state *st,
+									bool initiator)
 {
 	struct connection *c = st->st_connection;
 	unsigned no_trans_left;
@@ -1326,17 +1326,14 @@ static const struct ipsec_trans_attrs null_ipsec_trans_attrs = {
 	0,                                  /* key_rounds */
 };
 
-static bool
-parse_ipsec_transform(struct isakmp_transform *trans
-, struct ipsec_trans_attrs *attrs
-, pb_stream *prop_pbs
-, pb_stream *trans_pbs
-, struct_desc *trans_desc
-, int previous_transnum /* or -1 if none */
-, bool selection
-, bool is_last
-, bool is_ipcomp
-, struct state *st)     /* current state object */
+static bool parse_ipsec_transform(struct isakmp_transform *trans,
+								  struct ipsec_trans_attrs *attrs,
+								  pb_stream *prop_pbs,
+								  pb_stream *trans_pbs,
+								  struct_desc *trans_desc,
+								  int previous_transnum, /* or -1 if none */
+								  bool selection, bool is_last, bool is_ipcomp,
+								  struct state *st)  /* current state object */
 {
 	lset_t seen_attrs = 0;
 	lset_t seen_durations = 0;
@@ -1344,8 +1341,9 @@ parse_ipsec_transform(struct isakmp_transform *trans
 	const struct dh_desc *pfs_group = NULL;
 
 	if (!in_struct(trans, trans_desc, prop_pbs, trans_pbs))
+	{
 		return FALSE;
-
+	}
 	if (trans->isat_transnum <= previous_transnum)
 	{
 		loglog(RC_LOG_SERIOUS, "Transform Numbers in Proposal are not monotonically increasing");
diff --git a/src/pluto/state.c b/src/pluto/state.c
index 6ce0d50e5..5bef36c5c 100644
--- a/src/pluto/state.c
+++ b/src/pluto/state.c
@@ -1,6 +1,7 @@
 /* routines for state objects
  * Copyright (C) 1997 Angelos D. Keromytis.
  * Copyright (C) 1998-2001  D. Hugh Redelmeier.
+ * Copyright (C) 2009 Andreas Steffen - Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
diff --git a/src/pluto/timer.c b/src/pluto/timer.c
index ecbee740f..89082f88e 100644
--- a/src/pluto/timer.c
+++ b/src/pluto/timer.c
@@ -1,6 +1,7 @@
 /* timer event handling
  * Copyright (C) 1997 Angelos D. Keromytis.
  * Copyright (C) 1998-2001  D. Hugh Redelmeier.
+ * Copyright (C) 2009 Andreas Steffen - Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -139,14 +140,21 @@ void event_schedule(enum event_type type, time_t tm, struct state *st)
  * Generate the secret value for responder cookies, and
  * schedule an event for refresh.
  */
-void init_secret(void)
+bool init_secret(void)
 {
 	rng_t *rng;
 	 
 	rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
+
+	if (rng == NULL)
+	{
+		plog("secret initialization failed, no RNG supported");
+		return FALSE;
+	}
 	rng->get_bytes(rng, sizeof(secret_of_the_day), secret_of_the_day);
 	rng->destroy(rng);
     event_schedule(EVENT_REINIT_SECRET, EVENT_REINIT_SECRET_DELAY, NULL);
+	return true;
 }
 
 /**
diff --git a/src/pluto/timer.h b/src/pluto/timer.h
index 322aeba6a..c8e9b727c 100644
--- a/src/pluto/timer.h
+++ b/src/pluto/timer.h
@@ -31,4 +31,4 @@ extern void delete_event(struct state *st);
 extern void delete_dpd_event(struct state *st);
 extern void daily_log_event(void);
 extern void free_events(void);
-extern void init_secret(void);
+extern bool init_secret(void);
diff --git a/src/pluto/vendor.c b/src/pluto/vendor.c
index ff145eb38..a532e50f2 100644
--- a/src/pluto/vendor.c
+++ b/src/pluto/vendor.c
@@ -197,9 +197,13 @@ static struct vid_struct _vid_tab[] = {
 		/*
 		 * strongSwan
 		 */
-		DEC_MD5_VID(STRONGSWAN,       "strongSwan 4.3.2")
+		DEC_MD5_VID(STRONGSWAN,       "strongSwan 4.3.4")
+		DEC_MD5_VID(STRONGSWAN_4_3_3, "strongSwan 4.3.3")
+		DEC_MD5_VID(STRONGSWAN_4_3_2, "strongSwan 4.3.2")
 		DEC_MD5_VID(STRONGSWAN_4_3_1, "strongSwan 4.3.1")
 		DEC_MD5_VID(STRONGSWAN_4_3_0, "strongSwan 4.3.0")
+		DEC_MD5_VID(STRONGSWAN_4_2_17,"strongSwan 4.2.17")
+		DEC_MD5_VID(STRONGSWAN_4_2_16,"strongSwan 4.2.16")
 		DEC_MD5_VID(STRONGSWAN_4_2_15,"strongSwan 4.2.15")
 		DEC_MD5_VID(STRONGSWAN_4_2_14,"strongSwan 4.2.14")
 		DEC_MD5_VID(STRONGSWAN_4_2_13,"strongSwan 4.2.13")
@@ -237,6 +241,8 @@ static struct vid_struct _vid_tab[] = {
 		DEC_MD5_VID(STRONGSWAN_4_0_1, "strongSwan 4.0.1")
 		DEC_MD5_VID(STRONGSWAN_4_0_0, "strongSwan 4.0.0")
 
+		DEC_MD5_VID(STRONGSWAN_2_8_11,"strongSwan 2.8.11")
+		DEC_MD5_VID(STRONGSWAN_2_8_10,"strongSwan 2.8.10")
 		DEC_MD5_VID(STRONGSWAN_2_8_9, "strongSwan 2.8.9")
 		DEC_MD5_VID(STRONGSWAN_2_8_8, "strongSwan 2.8.8")
 		DEC_MD5_VID(STRONGSWAN_2_8_7, "strongSwan 2.8.7")
diff --git a/src/pluto/vendor.h b/src/pluto/vendor.h
index 164c1aa6d..8aa2f6348 100644
--- a/src/pluto/vendor.h
+++ b/src/pluto/vendor.h
@@ -92,6 +92,8 @@ enum known_vendorid {
   VID_STRONGSWAN_2_8_7          = 73,
   VID_STRONGSWAN_2_8_8          = 74,
   VID_STRONGSWAN_2_8_9          = 75,
+  VID_STRONGSWAN_2_8_10         = 76,
+  VID_STRONGSWAN_2_8_11         = 77,
 
   VID_STRONGSWAN_4_0_0          = 80,
   VID_STRONGSWAN_4_0_1          = 81,
@@ -130,8 +132,12 @@ enum known_vendorid {
   VID_STRONGSWAN_4_2_13         =113,
   VID_STRONGSWAN_4_2_14         =114,
   VID_STRONGSWAN_4_2_15         =115,
-  VID_STRONGSWAN_4_3_0          =116,
-  VID_STRONGSWAN_4_3_1          =117,
+  VID_STRONGSWAN_4_2_16         =116,
+  VID_STRONGSWAN_4_2_17         =117,
+  VID_STRONGSWAN_4_3_0          =118,
+  VID_STRONGSWAN_4_3_1          =119,
+  VID_STRONGSWAN_4_3_2          =120,
+  VID_STRONGSWAN_4_3_3          =121,
 
   /* 101 - 200 : NAT-Traversal */
   VID_NATT_STENBERG_01          =151,
diff --git a/src/scepclient/Makefile.in b/src/scepclient/Makefile.in
index 3919583ef..72cefb3b6 100644
--- a/src/scepclient/Makefile.in
+++ b/src/scepclient/Makefile.in
@@ -79,12 +79,14 @@ ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
@@ -149,6 +151,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
 VERSION = @VERSION@
 YACC = @YACC@
@@ -189,7 +192,9 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
diff --git a/src/scepclient/loglite.c b/src/scepclient/loglite.c
index b14e72ecb..87041f114 100644
--- a/src/scepclient/loglite.c
+++ b/src/scepclient/loglite.c
@@ -68,21 +68,23 @@ static void scepclient_dbg(int level, char *fmt, ...)
 
 	if (level <= debug_level)
 	{
-		va_start(args, fmt);
-
 		if (log_to_stderr)
 		{
 			if (level > 1)
 			{
 				fprintf(stderr, "| ");
 			}
+			va_start(args, fmt);
 			vfprintf(stderr, fmt, args);
+			va_end(args);
 			fprintf(stderr, "\n");
 		}
 		if (log_to_syslog)
 		{
 			/* write in memory buffer first */
+			va_start(args, fmt);
 			vsnprintf(buffer, sizeof(buffer), fmt, args);
+			va_end(args);
 
 			/* do a syslog with every line */
 			while (current)
@@ -96,7 +98,6 @@ static void scepclient_dbg(int level, char *fmt, ...)
 				current = next;
 			}
 		}
-		va_end(args);
 	}
 }
 
diff --git a/src/scepclient/scepclient.8 b/src/scepclient/scepclient.8
index d9bf8e4cc..4b5234da2 100644
--- a/src/scepclient/scepclient.8
+++ b/src/scepclient/scepclient.8
@@ -149,16 +149,22 @@ Change symmetric algorithm to use for encryption of certificate Request.
 The default is \fB3des\-cbc\fP.
 .PP 
 Supported values for \fIalgo\fP:
-.IP "\fBdes\-cbc\fP" 12
-DES CBC encryption (key size = 56 bit).
-.IP "\fB3des\-cbc\fP" 12
+.IP "\fBdes\fP" 12
+DES-CBC encryption (key size = 56 bit).
+.IP "\fB3des\fP" 12
 Triple DES-EDE-CBC encryption (key size = 168 bit).
-.IP "\fBaes128\-cbc\fP" 12
+.IP "\fBaes128\fP" 12
 AES-CBC encryption (key size = 128 bit).
-.IP "\fBaes192\-cbc\fP" 12
+.IP "\fBaes192\fP" 12
 AES-CBC encryption (key size = 192 bit).
-.IP "\fBaes256\-cbc\fP" 12
+.IP "\fBaes256\fP" 12
 AES-CBC encryption (key size = 256 bit).
+.IP "\fBcamellia128\fP" 12
+Camellia-CBC encryption (key size = 128 bit).
+.IP "\fBcamellia192\fP" 12
+Camelllia-CBC encryption (key size = 192 bit).
+.IP "\fBcamellia256\fP" 12
+Camellia-CBC encryption (key size = 256 bit).
 .RE
 .PP 
 .B \-o, \-\-out \fItype\fP[=\fIfilename\fP]
diff --git a/src/scepclient/scepclient.c b/src/scepclient/scepclient.c
index 0e7ae3e40..6c0166d66 100644
--- a/src/scepclient/scepclient.c
+++ b/src/scepclient/scepclient.c
@@ -41,6 +41,8 @@
 #include <asn1/oid.h>
 #include <utils/optionsfrom.h>
 #include <utils/enumerator.h>
+#include <crypto/crypters/crypter.h>
+#include <crypto/proposal/proposal_keywords.h>
 #include <credentials/keys/private_key.h>
 #include <credentials/keys/public_key.h>
 
@@ -246,9 +248,8 @@ usage(const char *message)
 		" --password (-p) <pw>              challenge password\n"
 		"                                   - if pw is '%%prompt', password gets prompted for\n"
 		" --algorithm (-a) <algo>           use specified algorithm for PKCS#7 encryption\n"
-		"                                   <algo> = des-cbc | 3des-cbc (default) | \n"
-        "                                   aes128-cbc | aes192-cbc | aes256-cbc | \n"
-        "                                   camellia128-cbc | camellia192-cbc | camellia256-cbc\n"
+		"                                   <algo> = des | 3des (default) | aes128| aes192 | \n"
+		"                                   aes256 | camellia128 | camellia192 | camellia256\n"
 		"\n"
 		"Options for enrollment (cert):\n"
 		" --url (-u) <url>                  url of the SCEP server\n"
@@ -385,8 +386,21 @@ int main(int argc, char **argv)
 	scep_response     = chunk_empty;
 	log_to_stderr     = TRUE;
 
-	/* initialize library and optionsfrom */
-	library_init(STRONGSWAN_CONF);
+	/* initialize library */
+	if (!library_init(STRONGSWAN_CONF))
+	{
+		library_deinit();
+		exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
+	}
+	if (lib->integrity &&
+		!lib->integrity->check_file(lib->integrity, "scepclient", argv[0]))
+	{
+		fprintf(stderr, "integrity check of scepclient failed\n");
+		library_deinit();
+		exit(SS_RC_DAEMON_INTEGRITY);
+	}
+
+	/* initialize optionsfrom */
 	options = options_create();
 
 	for (;;)
@@ -698,43 +712,22 @@ int main(int argc, char **argv)
 			continue;
 
 		case 'a':       /*--algorithm */
-			if (strcaseeq("des-cbc", optarg))
-			{
-				pkcs7_symmetric_cipher = OID_DES_CBC;
-			}
-			else if (strcaseeq("3des-cbc", optarg))
-			{
-				pkcs7_symmetric_cipher = OID_3DES_EDE_CBC;
-			}
-			else if (strcaseeq("aes128-cbc", optarg))
-			{
-				pkcs7_symmetric_cipher = OID_AES128_CBC;
-			}
-			else if (strcaseeq("aes192-cbc", optarg))
-			{
-				pkcs7_symmetric_cipher = OID_AES192_CBC;
-			}
-			else if (strcaseeq("aes256-cbc", optarg))
-			{
-				pkcs7_symmetric_cipher = OID_AES256_CBC;
-			}
-			else if (strcaseeq("camellia128-cbc", optarg))
-			{
-				pkcs7_symmetric_cipher = OID_CAMELLIA128_CBC;
-			}
-			else if (strcaseeq("camellia192-cbc", optarg))
-			{
-				pkcs7_symmetric_cipher = OID_CAMELLIA192_CBC;
-			}
-			else if (strcaseeq("camellia256-cbc", optarg))
+		{
+			const proposal_token_t *token;
+
+			token = proposal_get_token(optarg, strlen(optarg));
+			if (token == NULL || token->type != ENCRYPTION_ALGORITHM)
 			{
-				pkcs7_symmetric_cipher = OID_CAMELLIA256_CBC;
+				usage("invalid algorithm specified");
 			}
-			else
+			pkcs7_symmetric_cipher = encryption_algorithm_to_oid(
+										token->algorithm, token->keysize);
+			if (pkcs7_symmetric_cipher == OID_UNKNOWN)
 			{
-				usage("invalid encryption algorithm specified");
+				usage("unsupported encryption algorithm specified");
 			}
 			continue;
+		}
 #ifdef DEBUG
 		case 'A':       /* --debug-all */
 			base_debugging |= DBG_ALL;
diff --git a/src/starter/Makefile.am b/src/starter/Makefile.am
index 439a7785a..3355b3afb 100644
--- a/src/starter/Makefile.am
+++ b/src/starter/Makefile.am
@@ -20,7 +20,7 @@ AM_CFLAGS = \
 -DIPSEC_EAPDIR=\"${eapdir}\" \
 -DDEBUG
 
-starter_LDADD = defs.o $(top_builddir)/src/libfreeswan/libfreeswan.a $(top_builddir)/src/libstrongswan/libstrongswan.la
+starter_LDADD = defs.o $(top_builddir)/src/libfreeswan/libfreeswan.a $(top_builddir)/src/libstrongswan/libstrongswan.la $(SOCKLIB)
 EXTRA_DIST = parser.l parser.y keywords.txt ipsec.conf
 dist_man_MANS = ipsec.conf.5 starter.8
 MAINTAINERCLEANFILES = lex.yy.c y.tab.c y.tab.h keywords.c
@@ -52,14 +52,14 @@ defs.o:		$(PLUTODIR)/defs.c $(PLUTODIR)/defs.h
 		$(COMPILE) -c -o $@ $(PLUTODIR)/defs.c
 
 install-exec-local :	
-		test -e "$(DESTDIR)${sysconfdir}/ipsec.d" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -d "$(DESTDIR)$(sysconfdir)/ipsec.d" || true
-		test -e "$(DESTDIR)${sysconfdir}/ipsec.d/cacerts" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/cacerts" || true
-		test -e "$(DESTDIR)${sysconfdir}/ipsec.d/ocspcerts" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/ocspcerts" || true
-		test -e "$(DESTDIR)${sysconfdir}/ipsec.d/certs" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/certs" || true
-		test -e "$(DESTDIR)${sysconfdir}/ipsec.d/acerts" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/acerts" || true
-		test -e "$(DESTDIR)${sysconfdir}/ipsec.d/aacerts" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/aacerts" || true
-		test -e "$(DESTDIR)${sysconfdir}/ipsec.d/crls" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/crls" || true
-		test -e "$(DESTDIR)${sysconfdir}/ipsec.d/reqs" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/reqs" || true
-		test -e "$(DESTDIR)${sysconfdir}/ipsec.d/private" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -d -m 750 "$(DESTDIR)$(sysconfdir)/ipsec.d/private" || true
-		test -e "$(DESTDIR)$(sysconfdir)/ipsec.conf" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -m 644 ipsec.conf $(DESTDIR)$(sysconfdir)/ipsec.conf || true
+		test -e "$(DESTDIR)${sysconfdir}/ipsec.d" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d" || true
+		test -e "$(DESTDIR)${sysconfdir}/ipsec.d/cacerts" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/cacerts" || true
+		test -e "$(DESTDIR)${sysconfdir}/ipsec.d/ocspcerts" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/ocspcerts" || true
+		test -e "$(DESTDIR)${sysconfdir}/ipsec.d/certs" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/certs" || true
+		test -e "$(DESTDIR)${sysconfdir}/ipsec.d/acerts" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/acerts" || true
+		test -e "$(DESTDIR)${sysconfdir}/ipsec.d/aacerts" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/aacerts" || true
+		test -e "$(DESTDIR)${sysconfdir}/ipsec.d/crls" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/crls" || true
+		test -e "$(DESTDIR)${sysconfdir}/ipsec.d/reqs" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/reqs" || true
+		test -e "$(DESTDIR)${sysconfdir}/ipsec.d/private" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d -m 750 "$(DESTDIR)$(sysconfdir)/ipsec.d/private" || true
+		test -e "$(DESTDIR)$(sysconfdir)/ipsec.conf" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -m 644 $(srcdir)/ipsec.conf $(DESTDIR)$(sysconfdir)/ipsec.conf || true
 
diff --git a/src/starter/Makefile.in b/src/starter/Makefile.in
index 4e6bffdeb..a839c20b1 100644
--- a/src/starter/Makefile.in
+++ b/src/starter/Makefile.in
@@ -55,9 +55,11 @@ am_starter_OBJECTS = y.tab.$(OBJEXT) netkey.$(OBJEXT) \
 	starter.$(OBJEXT) exec.$(OBJEXT) invokecharon.$(OBJEXT) \
 	lex.yy.$(OBJEXT) loglite.$(OBJEXT) klips.$(OBJEXT)
 starter_OBJECTS = $(am_starter_OBJECTS)
+am__DEPENDENCIES_1 =
 starter_DEPENDENCIES = defs.o \
 	$(top_builddir)/src/libfreeswan/libfreeswan.a \
-	$(top_builddir)/src/libstrongswan/libstrongswan.la
+	$(top_builddir)/src/libstrongswan/libstrongswan.la \
+	$(am__DEPENDENCIES_1)
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
@@ -80,12 +82,14 @@ ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
@@ -150,6 +154,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
 VERSION = @VERSION@
 YACC = @YACC@
@@ -190,7 +195,9 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
@@ -241,7 +248,7 @@ INCLUDES = \
 AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" -DIPSEC_CONFDIR=\"${confdir}\" \
 	-DIPSEC_PIDDIR=\"${piddir}\" -DIPSEC_EAPDIR=\"${eapdir}\" \
 	-DDEBUG $(am__append_1) $(am__append_2)
-starter_LDADD = defs.o $(top_builddir)/src/libfreeswan/libfreeswan.a $(top_builddir)/src/libstrongswan/libstrongswan.la
+starter_LDADD = defs.o $(top_builddir)/src/libfreeswan/libfreeswan.a $(top_builddir)/src/libstrongswan/libstrongswan.la $(SOCKLIB)
 EXTRA_DIST = parser.l parser.y keywords.txt ipsec.conf
 dist_man_MANS = ipsec.conf.5 starter.8
 MAINTAINERCLEANFILES = lex.yy.c y.tab.c y.tab.h keywords.c
@@ -653,16 +660,16 @@ defs.o:		$(PLUTODIR)/defs.c $(PLUTODIR)/defs.h
 		$(COMPILE) -c -o $@ $(PLUTODIR)/defs.c
 
 install-exec-local :	
-		test -e "$(DESTDIR)${sysconfdir}/ipsec.d" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -d "$(DESTDIR)$(sysconfdir)/ipsec.d" || true
-		test -e "$(DESTDIR)${sysconfdir}/ipsec.d/cacerts" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/cacerts" || true
-		test -e "$(DESTDIR)${sysconfdir}/ipsec.d/ocspcerts" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/ocspcerts" || true
-		test -e "$(DESTDIR)${sysconfdir}/ipsec.d/certs" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/certs" || true
-		test -e "$(DESTDIR)${sysconfdir}/ipsec.d/acerts" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/acerts" || true
-		test -e "$(DESTDIR)${sysconfdir}/ipsec.d/aacerts" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/aacerts" || true
-		test -e "$(DESTDIR)${sysconfdir}/ipsec.d/crls" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/crls" || true
-		test -e "$(DESTDIR)${sysconfdir}/ipsec.d/reqs" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/reqs" || true
-		test -e "$(DESTDIR)${sysconfdir}/ipsec.d/private" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -d -m 750 "$(DESTDIR)$(sysconfdir)/ipsec.d/private" || true
-		test -e "$(DESTDIR)$(sysconfdir)/ipsec.conf" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -m 644 ipsec.conf $(DESTDIR)$(sysconfdir)/ipsec.conf || true
+		test -e "$(DESTDIR)${sysconfdir}/ipsec.d" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d" || true
+		test -e "$(DESTDIR)${sysconfdir}/ipsec.d/cacerts" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/cacerts" || true
+		test -e "$(DESTDIR)${sysconfdir}/ipsec.d/ocspcerts" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/ocspcerts" || true
+		test -e "$(DESTDIR)${sysconfdir}/ipsec.d/certs" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/certs" || true
+		test -e "$(DESTDIR)${sysconfdir}/ipsec.d/acerts" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/acerts" || true
+		test -e "$(DESTDIR)${sysconfdir}/ipsec.d/aacerts" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/aacerts" || true
+		test -e "$(DESTDIR)${sysconfdir}/ipsec.d/crls" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/crls" || true
+		test -e "$(DESTDIR)${sysconfdir}/ipsec.d/reqs" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/reqs" || true
+		test -e "$(DESTDIR)${sysconfdir}/ipsec.d/private" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d -m 750 "$(DESTDIR)$(sysconfdir)/ipsec.d/private" || true
+		test -e "$(DESTDIR)$(sysconfdir)/ipsec.conf" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -m 644 $(srcdir)/ipsec.conf $(DESTDIR)$(sysconfdir)/ipsec.conf || true
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/src/starter/args.c b/src/starter/args.c
index f9d1824d8..990d7588b 100644
--- a/src/starter/args.c
+++ b/src/starter/args.c
@@ -261,8 +261,7 @@ static const token_info_t token_info[] =
 	{ ARG_STR,  offsetof(starter_end_t, iface), NULL                               }
 };
 
-static void
-free_list(char **list)
+static void free_list(char **list)
 {
 	char **s;
 
@@ -273,22 +272,25 @@ free_list(char **list)
 	free(list);
 }
 
-char **
-new_list(char *value)
+char** new_list(char *value)
 {
 	char *val, *b, *e, *end, **ret;
 	int count;
 
 	val = value ? clone_str(value) : NULL;
 	if (!val)
+	{
 		return NULL;
+	}
 	end = val + strlen(val);
 	for (b = val, count = 0; b < end;)
 	{
 		for (e = b; ((*e != ' ') && (*e != '\0')); e++);
 		*e = '\0';
 		if (e != b)
+		{
 			count++;
+		}
 		b = e + 1;
 	}
 	if (count == 0)
@@ -302,7 +304,9 @@ new_list(char *value)
 	{
 		for (e = b; (*e != '\0'); e++);
 		if (e != b)
+		{
 			ret[count++] = clone_str(b);
+		}
 		b = e + 1;
 	}
 	ret[count] = NULL;
@@ -314,9 +318,8 @@ new_list(char *value)
 /*
  * assigns an argument value to a struct field
  */
-bool
-assign_arg(kw_token_t token, kw_token_t first, kw_list_t *kw, char *base
-	, bool *assigned)
+bool assign_arg(kw_token_t token, kw_token_t first, kw_list_t *kw, char *base,
+				bool *assigned)
 {
 	char *p = base + token_info[token].offset;
 	const char **list = token_info[token].list;
@@ -435,8 +438,9 @@ assign_arg(kw_token_t token, kw_token_t first, kw_list_t *kw, char *base
 
 			/* time in seconds? */
 			if (*endptr == '\0' || (*endptr == 's' && endptr[1] == '\0'))
+			{
 				break;
-
+			}
 			if (endptr[1] == '\0')
 			{
 				if (*endptr == 'm')  /* time in minutes? */
@@ -475,8 +479,9 @@ assign_arg(kw_token_t token, kw_token_t first, kw_list_t *kw, char *base
 
 			/* free any existing list */
 			if (*listp != NULL)
+			{
 				free_list(*listp);
-
+			}
 			/* create a new list and assign values */
 			*listp = new_list(kw->value);
 
@@ -514,8 +519,7 @@ assign_arg(kw_token_t token, kw_token_t first, kw_list_t *kw, char *base
 /*
  *  frees all dynamically allocated arguments in a struct
  */
-void
-free_args(kw_token_t first, kw_token_t last, char *base)
+void free_args(kw_token_t first, kw_token_t last, char *base)
 {
 	kw_token_t token;
 
@@ -553,8 +557,7 @@ free_args(kw_token_t first, kw_token_t last, char *base)
 /*
  *  clone all dynamically allocated arguments in a struct
  */
-void
-clone_args(kw_token_t first, kw_token_t last, char *base1, char *base2)
+void clone_args(kw_token_t first, kw_token_t last, char *base1, char *base2)
 {
 	kw_token_t token;
 
@@ -570,22 +573,29 @@ clone_args(kw_token_t first, kw_token_t last, char *base1, char *base2)
 	}
 }
 
-static bool
-cmp_list(char **list1, char **list2)
+static bool cmp_list(char **list1, char **list2)
 {
 	if ((list1 == NULL) && (list2 == NULL))
+	{
 		return TRUE;
+	}
 	if ((list1 == NULL) || (list2 == NULL))
+	{
 		return FALSE;
+	}
 
 	for ( ; *list1 && *list2; list1++, list2++)
 	{
 		if (strcmp(*list1,*list2) != 0)
+		{
 			return FALSE;
+		}
 	}
 
 	if ((*list1 != NULL) || (*list2 != NULL))
+	{
 		return FALSE;
+	}
 
 	return TRUE;
 }
@@ -593,8 +603,7 @@ cmp_list(char **list1, char **list2)
 /*
  *  compare all arguments in a struct
  */
-bool
-cmp_args(kw_token_t first, kw_token_t last, char *base1, char *base2)
+bool cmp_args(kw_token_t first, kw_token_t last, char *base1, char *base2)
 {
 	kw_token_t token;
 
@@ -606,12 +615,25 @@ cmp_args(kw_token_t first, kw_token_t last, char *base1, char *base2)
 		switch (token_info[token].type)
 		{
 		case ARG_ENUM:
+			if (token_info[token].list == LST_bool)
+			{
+				bool *b1 = (bool *)p1;
+				bool *b2 = (bool *)p2;
+
+				if (*b1 != *b2)
+				{
+					return FALSE;
+				}
+			}
+			else
 			{
 				int *i1 = (int *)p1;
 				int *i2 = (int *)p2;
 
 				if (*i1 != *i2)
+				{
 					return FALSE;
+				}
 			}
 			break;
 		case ARG_UINT:
@@ -620,7 +642,9 @@ cmp_args(kw_token_t first, kw_token_t last, char *base1, char *base2)
 				u_int *u2 = (u_int *)p2;
 
 				if (*u1 != *u2)
+				{
 					return FALSE;
+				}
 			}
 			break;
 		case ARG_ULNG:
@@ -630,7 +654,9 @@ cmp_args(kw_token_t first, kw_token_t last, char *base1, char *base2)
 				unsigned long *l2 = (unsigned long *)p2;
 
 				if (*l1 != *l2)
+				{
 					return FALSE;
+				}
 			}
 			break;
 		case ARG_TIME:
@@ -639,7 +665,9 @@ cmp_args(kw_token_t first, kw_token_t last, char *base1, char *base2)
 				time_t *t2 = (time_t *)p2;
 
 				if (*t1 != *t2)
+				{
 					return FALSE;
+				}
 			}
 			break;
 		case ARG_STR:
@@ -648,9 +676,13 @@ cmp_args(kw_token_t first, kw_token_t last, char *base1, char *base2)
 				char **cp2 = (char **)p2;
 
 				if (*cp1 == NULL && *cp2 == NULL)
+				{
 					break;
+				}
 				if (*cp1 == NULL || *cp2 == NULL || strcmp(*cp1, *cp2) != 0)
+				{
 					return FALSE;
+				}
 			}
 			break;
 		case ARG_LST:
@@ -659,7 +691,9 @@ cmp_args(kw_token_t first, kw_token_t last, char *base1, char *base2)
 				char ***listp2 = (char ***)p2;
 
 				if (!cmp_list(*listp1, *listp2))
+				{
 					return FALSE;
+				}
 			}
 			break;
 		default:
diff --git a/src/starter/interfaces.c b/src/starter/interfaces.c
index 034eac317..3fff65be7 100644
--- a/src/starter/interfaces.c
+++ b/src/starter/interfaces.c
@@ -14,6 +14,10 @@
 
 #include <sys/socket.h>
 #include <sys/ioctl.h>
+#ifdef HAVE_SYS_SOCKIO_H
+#include <sys/sockio.h>
+#endif
+
 #include <stdlib.h>
 #include <string.h>
 #include <unistd.h>
diff --git a/src/starter/invokecharon.c b/src/starter/invokecharon.c
index 804467cea..1eb2a0332 100644
--- a/src/starter/invokecharon.c
+++ b/src/starter/invokecharon.c
@@ -36,18 +36,28 @@
 static int _charon_pid = 0;
 static int _stop_requested;
 
-pid_t
-starter_charon_pid(void)
+pid_t starter_charon_pid(void)
 {
 	return _charon_pid;
 }
 
-void
-starter_charon_sigchild(pid_t pid)
+void starter_charon_sigchild(pid_t pid, int status)
 {
-		if (pid == _charon_pid)
+	if (pid == _charon_pid)
 	{
-				_charon_pid = 0;
+		_charon_pid = 0;
+		if (status == SS_RC_LIBSTRONGSWAN_INTEGRITY ||
+			status == SS_RC_DAEMON_INTEGRITY)
+		{
+			plog("charon has quit: integrity test of %s failed",
+				  (status == 64) ? "libstrongswan" : "charon");
+			_stop_requested = 1;
+		}
+		else if (status == SS_RC_INITIALIZATION_FAILED)
+		{
+			plog("charon has quit: initialization failed");
+			_stop_requested = 1;
+		}
 		if (!_stop_requested)
 		{
 			plog("charon has died -- restart scheduled (%dsec)"
@@ -58,8 +68,7 @@ starter_charon_sigchild(pid_t pid)
 	}
 }
 
-int
-starter_stop_charon (void)
+int starter_stop_charon (void)
 {
 	int i;
 	pid_t pid = _charon_pid;
@@ -106,8 +115,7 @@ starter_stop_charon (void)
 }
 
 
-int
-starter_start_charon (starter_config_t *cfg, bool no_fork, bool attach_gdb)
+int starter_start_charon (starter_config_t *cfg, bool no_fork, bool attach_gdb)
 {
 	struct stat stb;
 	int pid, i;
diff --git a/src/starter/invokecharon.h b/src/starter/invokecharon.h
index f0f470a8d..aaf913c9b 100644
--- a/src/starter/invokecharon.h
+++ b/src/starter/invokecharon.h
@@ -20,7 +20,7 @@
 
 #define CHARON_RESTART_DELAY    5
 
-extern void starter_charon_sigchild (pid_t pid);
+extern void starter_charon_sigchild (pid_t pid, int status);
 extern pid_t starter_charon_pid (void);
 extern int starter_stop_charon (void);
 extern int starter_start_charon(struct starter_config *cfg, bool no_fork, bool attach_gdb);
diff --git a/src/starter/invokepluto.c b/src/starter/invokepluto.c
index 28bd93c5d..08fb0657a 100644
--- a/src/starter/invokepluto.c
+++ b/src/starter/invokepluto.c
@@ -42,11 +42,23 @@ starter_pluto_pid(void)
 }
 
 void
-starter_pluto_sigchild(pid_t pid)
+starter_pluto_sigchild(pid_t pid, int status)
 {
 	if (pid == _pluto_pid)
 	{
 		_pluto_pid = 0;
+		if (status == SS_RC_LIBSTRONGSWAN_INTEGRITY ||
+			status == SS_RC_DAEMON_INTEGRITY)
+		{
+			plog("pluto has quit: integrity test of %s failed",
+				  (status == 64) ? "libstrongswan" : "pluto");
+			_stop_requested = 1;
+		}
+		else if (status == SS_RC_INITIALIZATION_FAILED)
+		{
+			plog("pluto has quit: initialization failed");
+			_stop_requested = 1;
+		}
 		if (!_stop_requested)
 		{
 			plog("pluto has died -- restart scheduled (%dsec)"
diff --git a/src/starter/invokepluto.h b/src/starter/invokepluto.h
index b0c89b1f1..c87f50c2a 100644
--- a/src/starter/invokepluto.h
+++ b/src/starter/invokepluto.h
@@ -17,7 +17,7 @@
 
 #define PLUTO_RESTART_DELAY    5
 
-extern void starter_pluto_sigchild (pid_t pid);
+extern void starter_pluto_sigchild (pid_t pid, int status);
 extern pid_t starter_pluto_pid (void);
 extern int starter_stop_pluto (void);
 extern int starter_start_pluto (struct starter_config *cfg, bool no_fork, bool attach_gdb);
diff --git a/src/starter/keywords.h b/src/starter/keywords.h
index ae9a6d15f..3a115d15d 100644
--- a/src/starter/keywords.h
+++ b/src/starter/keywords.h
@@ -122,11 +122,16 @@ typedef enum {
 	KW_HOSTACCESS,
 	KW_ALLOWANY,
 	KW_UPDOWN,
+	KW_AUTH1,
+	KW_AUTH2,
 	KW_ID,
+	KW_ID2,
 	KW_RSASIGKEY,
 	KW_CERT,
+	KW_CERT2,
 	KW_SENDCERT,
 	KW_CA,
+	KW_CA2,
 	KW_GROUPS,
 	KW_IFACE,
 
diff --git a/src/starter/loglite.c b/src/starter/loglite.c
index 415cf931c..c88b33bfd 100644
--- a/src/starter/loglite.c
+++ b/src/starter/loglite.c
@@ -33,6 +33,10 @@
 #include <log.h>
 #include <whack.h>
 
+#ifndef LOG_AUTHPRIV
+#define LOG_AUTHPRIV LOG_AUTH
+#endif
+
 bool
 	log_to_stderr = FALSE,      /* should log go to stderr? */
 	log_to_syslog = TRUE;       /* should log go to syslog? */
diff --git a/src/starter/starter.c b/src/starter/starter.c
index 2d2f452b5..b675ccf1c 100644
--- a/src/starter/starter.c
+++ b/src/starter/starter.c
@@ -66,46 +66,66 @@
 
 static unsigned int _action_ = 0;
 
-static void
-fsig(int signal)
+static void fsig(int signal)
 {
 	switch (signal)
 	{
 		case SIGCHLD:
 		{
-			int status;
+			int status, exit_status = 0;
 			pid_t pid;
 			char *name = NULL;
 
 			while ((pid = waitpid(-1, &status, WNOHANG)) > 0)
 			{
 				if (pid == starter_pluto_pid())
+				{
 					name = " (Pluto)";
+				}
 				if (pid == starter_charon_pid())
+				{
 					name = " (Charon)";
+				}
 				if (WIFSIGNALED(status))
+				{
 					DBG(DBG_CONTROL,
 						DBG_log("child %d%s has been killed by sig %d\n",
 								pid, name?name:"", WTERMSIG(status))
 					   )
+				}
 				else if (WIFSTOPPED(status))
+				{
 					DBG(DBG_CONTROL,
 						DBG_log("child %d%s has been stopped by sig %d\n",
 								pid, name?name:"", WSTOPSIG(status))
 					   )
+				}
 				else if (WIFEXITED(status))
+				{
+					exit_status =  WEXITSTATUS(status);
+					if (exit_status >= SS_RC_FIRST && exit_status <= SS_RC_LAST)
+					{
+						_action_ =  FLAG_ACTION_QUIT;
+					}
 					DBG(DBG_CONTROL,
 						DBG_log("child %d%s has quit (exit code %d)\n",
-								pid, name?name:"", WEXITSTATUS(status))
+								pid, name?name:"", exit_status)
 					   )
+				}
 				else
+				{
 					DBG(DBG_CONTROL,
 						DBG_log("child %d%s has quit", pid, name?name:"")
 					   )
+				}
 				if (pid == starter_pluto_pid())
-					starter_pluto_sigchild(pid);
+				{
+					starter_pluto_sigchild(pid, exit_status);
+				}
 				if (pid == starter_charon_pid())
-					starter_charon_sigchild(pid);
+				{
+					starter_charon_sigchild(pid, exit_status);
+				}
 			}
 		}
 		break;
@@ -196,8 +216,7 @@ static void generate_selfcert()
 		}
 }
 
-static void
-usage(char *name)
+static void usage(char *name)
 {
 	fprintf(stderr, "Usage: starter [--nofork] [--auto-update <sec>] "
 			"[--debug|--debug-more|--debug-all]\n");
@@ -392,9 +411,13 @@ int main (int argc, char **argv)
 		if (_action_ & FLAG_ACTION_QUIT)
 		{
 			if (starter_pluto_pid())
+			{
 				starter_stop_pluto();
+			}
 			if (starter_charon_pid())
+			{
 				starter_stop_charon();
+			}
 			starter_netkey_cleanup();
 			confread_free(cfg);
 			unlink(STARTER_PID_FILE);
diff --git a/src/stroke/Makefile.am b/src/stroke/Makefile.am
index afca95fce..363cde717 100644
--- a/src/stroke/Makefile.am
+++ b/src/stroke/Makefile.am
@@ -1,6 +1,7 @@
 ipsec_PROGRAMS = stroke
 
 stroke_SOURCES = stroke.c stroke_msg.h stroke_keywords.c stroke_keywords.h
+stroke_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la $(SOCKLIB)
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
 EXTRA_DIST = stroke_keywords.txt
 BUILT_SOURCES = stroke_keywords.c
diff --git a/src/stroke/Makefile.in b/src/stroke/Makefile.in
index dde80348e..e2ed28afe 100644
--- a/src/stroke/Makefile.in
+++ b/src/stroke/Makefile.in
@@ -46,7 +46,10 @@ ipsecPROGRAMS_INSTALL = $(INSTALL_PROGRAM)
 PROGRAMS = $(ipsec_PROGRAMS)
 am_stroke_OBJECTS = stroke.$(OBJEXT) stroke_keywords.$(OBJEXT)
 stroke_OBJECTS = $(am_stroke_OBJECTS)
-stroke_LDADD = $(LDADD)
+am__DEPENDENCIES_1 =
+stroke_DEPENDENCIES =  \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la \
+	$(am__DEPENDENCIES_1)
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
@@ -65,12 +68,14 @@ ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
@@ -135,6 +140,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
 VERSION = @VERSION@
 YACC = @YACC@
@@ -175,7 +181,9 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
@@ -210,6 +218,7 @@ top_srcdir = @top_srcdir@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 stroke_SOURCES = stroke.c stroke_msg.h stroke_keywords.c stroke_keywords.h
+stroke_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la $(SOCKLIB)
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
 EXTRA_DIST = stroke_keywords.txt
 BUILT_SOURCES = stroke_keywords.c
diff --git a/src/stroke/stroke_msg.h b/src/stroke/stroke_msg.h
index 704c88c58..abf285a86 100644
--- a/src/stroke/stroke_msg.h
+++ b/src/stroke/stroke_msg.h
@@ -25,6 +25,8 @@
 
 #include <sys/types.h>
 
+#include <library.h>
+
 /**
  * Socket which is used to communicate between charon and stroke
  */
diff --git a/src/whack/Makefile.in b/src/whack/Makefile.in
index 7e2be4d1b..88b066379 100644
--- a/src/whack/Makefile.in
+++ b/src/whack/Makefile.in
@@ -67,12 +67,14 @@ ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
@@ -137,6 +139,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
 VERSION = @VERSION@
 YACC = @YACC@
@@ -177,7 +180,9 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
diff --git a/testing/INSTALL b/testing/INSTALL
index 87bb787c8..e70edf44f 100644
--- a/testing/INSTALL
+++ b/testing/INSTALL
@@ -53,22 +53,22 @@ are required for the strongSwan testing environment:
     * A vanilla Linux kernel on which the UML kernel will be based on.
       We recommend the use of
 
-      http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.29.4.tar.bz2
+      http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.30.2.tar.bz2
 
     * The Linux kernel 2.6.29 does not require any patches for the uml guest kernel
       to successfully start up.
 
     * The matching .config file required to compile the UML kernel:
 
-      http://download.strongswan.org/uml/.config-2.6.29
+      http://download.strongswan.org/uml/.config-2.6.30
 
     * A gentoo-based UML file system (compressed size 130 MBytes) found at
 
-      http://download.strongswan.org/uml/gentoo-fs-20090325.tar.bz2
+      http://download.strongswan.org/uml/gentoo-fs-20090615.tar.bz2
 
     * The latest strongSwan distribution
 
-      http://download.strongswan.org/strongswan-4.3.2.tar.bz2
+      http://download.strongswan.org/strongswan-4.3.4.tar.bz2
 
 
 3. Creating the environment
diff --git a/testing/Makefile.in b/testing/Makefile.in
index c242c9d7f..3ace3a55f 100644
--- a/testing/Makefile.in
+++ b/testing/Makefile.in
@@ -46,12 +46,14 @@ SOURCES =
 DIST_SOURCES =
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
@@ -116,6 +118,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
 VERSION = @VERSION@
 YACC = @YACC@
@@ -156,7 +159,9 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
diff --git a/testing/testing.conf b/testing/testing.conf
index 39bff6805..1a62d7cac 100755
--- a/testing/testing.conf
+++ b/testing/testing.conf
@@ -19,7 +19,7 @@ UMLTESTDIR=~/strongswan-testing
 
 # Bzipped kernel sources
 # (file extension .tar.bz2 required)
-KERNEL=$UMLTESTDIR/linux-2.6.30.tar.bz2
+KERNEL=$UMLTESTDIR/linux-2.6.30.2.tar.bz2
 
 # Extract kernel version
 KERNELVERSION=`basename $KERNEL .tar.bz2 | sed -e 's/linux-//'`
@@ -31,7 +31,7 @@ KERNELCONFIG=$UMLTESTDIR/.config-2.6.30
 #UMLPATCH=$UMLTESTDIR/aead_init.patch.bz2
 
 # Bzipped source of strongSwan
-STRONGSWAN=$UMLTESTDIR/strongswan-4.3.2.tar.bz2
+STRONGSWAN=$UMLTESTDIR/strongswan-4.3.4.tar.bz2
 
 # strongSwan compile options (use "yes" or "no")
 USE_LIBCURL="yes"
@@ -54,7 +54,7 @@ USE_TEST_VECTORS="yes"
 USE_GCRYPT="yes"
 
 # Gentoo linux root filesystem
-ROOTFS=$UMLTESTDIR/gentoo-fs-20090325.tar.bz2
+ROOTFS=$UMLTESTDIR/gentoo-fs-20090615.tar.bz2
 
 # Size of the finished root filesystem in MB
 ROOTFSSIZE=600
diff --git a/testing/tests/gcrypt-ikev1/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/rw-cert/hosts/carol/etc/strongswan.conf
index 0840260c3..9536a85be 100644
--- a/testing/tests/gcrypt-ikev1/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/gcrypt-ikev1/rw-cert/hosts/carol/etc/strongswan.conf
@@ -8,6 +8,7 @@ pluto {
 
 libstrongswan {
   dh_exponent_ansi_x9_42 = no
+  integrity_test = yes
   crypto_test {
     on_add = yes
   }
diff --git a/testing/tests/gcrypt-ikev1/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/rw-cert/hosts/dave/etc/strongswan.conf
index fdfb0003f..80952cb41 100644
--- a/testing/tests/gcrypt-ikev1/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/gcrypt-ikev1/rw-cert/hosts/dave/etc/strongswan.conf
@@ -8,6 +8,7 @@ pluto {
 
 libstrongswan {
   dh_exponent_ansi_x9_42 = no
+  integrity_test = yes
   crypto_test {
     required = yes
     on_add = yes
diff --git a/testing/tests/gcrypt-ikev1/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/rw-cert/hosts/moon/etc/strongswan.conf
index 0840260c3..9536a85be 100644
--- a/testing/tests/gcrypt-ikev1/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/gcrypt-ikev1/rw-cert/hosts/moon/etc/strongswan.conf
@@ -8,6 +8,7 @@ pluto {
 
 libstrongswan {
   dh_exponent_ansi_x9_42 = no
+  integrity_test = yes
   crypto_test {
     on_add = yes
   }
diff --git a/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
index edb7e40d1..6cf472ed3 100644
--- a/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
@@ -5,6 +5,7 @@ charon {
 }
 
 libstrongswan {
+  integrity_test = yes
   crypto_test {
     on_add = yes
   }
diff --git a/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
index f4b6dfdb9..b946aa004 100644
--- a/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
@@ -5,6 +5,7 @@ charon {
 }
 
 libstrongswan {
+  integrity_test = yes
   crypto_test {
     required = yes
     on_add = yes
diff --git a/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
index edb7e40d1..6cf472ed3 100644
--- a/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
@@ -5,6 +5,7 @@ charon {
 }
 
 libstrongswan {
+  integrity_test = yes
   crypto_test {
     on_add = yes
   }
diff --git a/testing/tests/ike/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ike/rw-cert/hosts/carol/etc/strongswan.conf
index 304ef99e0..ac4b8d589 100644
--- a/testing/tests/ike/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ike/rw-cert/hosts/carol/etc/strongswan.conf
@@ -8,6 +8,7 @@ pluto {
 
 libstrongswan {
   dh_exponent_ansi_x9_42 = no
+  integrity_test = yes
   crypto_test {
     on_add = yes
   }
diff --git a/testing/tests/ike/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/ike/rw-cert/hosts/dave/etc/strongswan.conf
index f1dcd52e9..263978c99 100644
--- a/testing/tests/ike/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ike/rw-cert/hosts/dave/etc/strongswan.conf
@@ -5,6 +5,7 @@ charon {
 }
 
 libstrongswan {
+  integrity_test = yes
   crypto_test {
     on_add = yes
   }
diff --git a/testing/tests/ike/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ike/rw-cert/hosts/moon/etc/strongswan.conf
index 7133aef00..147e381b1 100644
--- a/testing/tests/ike/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ike/rw-cert/hosts/moon/etc/strongswan.conf
@@ -9,6 +9,7 @@ pluto {
 }
 
 libstrongswan {
+  integrity_test = yes
   crypto_test {
     on_add = yes
   }
diff --git a/testing/tests/ikev1/esp-alg-aes-ccm/description.txt b/testing/tests/ikev1/esp-alg-aes-ccm/description.txt
new file mode 100644
index 000000000..9fe03b010
--- /dev/null
+++ b/testing/tests/ikev1/esp-alg-aes-ccm/description.txt
@@ -0,0 +1,4 @@
+Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
+<b>AES_CCM_12_128</b> by defining <b>esp=aes128ccm12-modp2048</b> or alternatively
+<b>esp=aes128ccm96-modp2048</b> in ipsec.conf.
+A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev1/esp-alg-aes-ccm/evaltest.dat b/testing/tests/ikev1/esp-alg-aes-ccm/evaltest.dat
new file mode 100644
index 000000000..27a5207a1
--- /dev/null
+++ b/testing/tests/ikev1/esp-alg-aes-ccm/evaltest.dat
@@ -0,0 +1,5 @@
+carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
+moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
+moon::ipsec statusall::AES_CCM_12_128::YES
+carol::ipsec statusall::AES_CCM_12_128::YES
+carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
diff --git a/testing/tests/ikev1/esp-alg-aes-ccm/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aes-ccm/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..f8baa00e1
--- /dev/null
+++ b/testing/tests/ikev1/esp-alg-aes-ccm/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,26 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutodebug="control crypt"
+	charonstart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+	ike=aes128-sha256-modp2048!
+	esp=aes128ccm96-modp2048!
+
+conn home
+	left=PH_IP_CAROL
+	leftfirewall=yes
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add 
diff --git a/testing/tests/ikev1/esp-alg-aes-ccm/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aes-ccm/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..d4f0c3adc
--- /dev/null
+++ b/testing/tests/ikev1/esp-alg-aes-ccm/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutodebug="control crypt"
+	charonstart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+	ike=aes128-sha256-modp2048!
+	esp=aes128ccm12-modp2048!
+
+conn rw
+	left=PH_IP_MOON
+	leftfirewall=yes
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	right=%any
+	auto=add
diff --git a/testing/tests/ikev1/esp-alg-aes-ccm/posttest.dat b/testing/tests/ikev1/esp-alg-aes-ccm/posttest.dat
new file mode 100644
index 000000000..94a400606
--- /dev/null
+++ b/testing/tests/ikev1/esp-alg-aes-ccm/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev1/esp-alg-aes-ccm/pretest.dat b/testing/tests/ikev1/esp-alg-aes-ccm/pretest.dat
new file mode 100644
index 000000000..f360351e1
--- /dev/null
+++ b/testing/tests/ikev1/esp-alg-aes-ccm/pretest.dat
@@ -0,0 +1,6 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+carol::sleep 1 
+carol::ipsec up home
diff --git a/testing/tests/ikev1/esp-alg-aes-ccm/test.conf b/testing/tests/ikev1/esp-alg-aes-ccm/test.conf
new file mode 100644
index 000000000..2b240d895
--- /dev/null
+++ b/testing/tests/ikev1/esp-alg-aes-ccm/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/esp-alg-aes-ctr/description.txt b/testing/tests/ikev1/esp-alg-aes-ctr/description.txt
new file mode 100644
index 000000000..fbcc48022
--- /dev/null
+++ b/testing/tests/ikev1/esp-alg-aes-ctr/description.txt
@@ -0,0 +1,3 @@
+Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
+<b>AES_CTR_256 / AES_XCBC_96</b> by defining <b>esp=aes256ctr-aesxcbc-modp2048</b> in ipsec.conf.
+A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev1/esp-alg-aes-ctr/evaltest.dat b/testing/tests/ikev1/esp-alg-aes-ctr/evaltest.dat
new file mode 100644
index 000000000..6f1cd4c49
--- /dev/null
+++ b/testing/tests/ikev1/esp-alg-aes-ctr/evaltest.dat
@@ -0,0 +1,7 @@
+carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
+moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
+moon::ipsec statusall::AES_CTR_256/AES_XCBC_96::YES
+carol::ipsec statusall::AES_CTR_256/AES_XCBC_96::YES
+moon::ip xfrm state::rfc3686(ctr(aes))::YES
+carol::ip xfrm state::rfc3686(ctr(aes))::YES
+carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
diff --git a/testing/tests/ikev1/esp-alg-aes-ctr/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aes-ctr/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..acb4126cf
--- /dev/null
+++ b/testing/tests/ikev1/esp-alg-aes-ctr/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,26 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutodebug="control crypt"
+	charonstart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+	ike=aes256-sha512-modp2048!
+	esp=aes256ctr-aesxcbc-modp2048!
+
+conn home
+	left=PH_IP_CAROL
+	leftfirewall=yes
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add 
diff --git a/testing/tests/ikev1/esp-alg-aes-ctr/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aes-ctr/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..b5baa2b5d
--- /dev/null
+++ b/testing/tests/ikev1/esp-alg-aes-ctr/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutodebug="control crypt"
+	charonstart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+	ike=aes256-sha512-modp2048!
+	esp=aes256ctr-aesxcbc-modp2048!
+
+conn rw
+	left=PH_IP_MOON
+	leftfirewall=yes
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	right=%any
+	auto=add
diff --git a/testing/tests/ikev1/esp-alg-aes-ctr/posttest.dat b/testing/tests/ikev1/esp-alg-aes-ctr/posttest.dat
new file mode 100644
index 000000000..94a400606
--- /dev/null
+++ b/testing/tests/ikev1/esp-alg-aes-ctr/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev1/esp-alg-aes-ctr/pretest.dat b/testing/tests/ikev1/esp-alg-aes-ctr/pretest.dat
new file mode 100644
index 000000000..f360351e1
--- /dev/null
+++ b/testing/tests/ikev1/esp-alg-aes-ctr/pretest.dat
@@ -0,0 +1,6 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+carol::sleep 1 
+carol::ipsec up home
diff --git a/testing/tests/ikev1/esp-alg-aes-ctr/test.conf b/testing/tests/ikev1/esp-alg-aes-ctr/test.conf
new file mode 100644
index 000000000..2b240d895
--- /dev/null
+++ b/testing/tests/ikev1/esp-alg-aes-ctr/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/esp-alg-aes-gcm/description.txt b/testing/tests/ikev1/esp-alg-aes-gcm/description.txt
new file mode 100644
index 000000000..bd9521e0d
--- /dev/null
+++ b/testing/tests/ikev1/esp-alg-aes-gcm/description.txt
@@ -0,0 +1,4 @@
+Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
+<b>AES_GCM_16_256</b> by defining <b>esp=aes256gcm16-modp2048</b> or alternatively
+<b>esp=aes256gcm128-modp2048</b> in ipsec.conf.
+A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev1/esp-alg-aes-gcm/evaltest.dat b/testing/tests/ikev1/esp-alg-aes-gcm/evaltest.dat
new file mode 100644
index 000000000..d7d4666ed
--- /dev/null
+++ b/testing/tests/ikev1/esp-alg-aes-gcm/evaltest.dat
@@ -0,0 +1,5 @@
+carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
+moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
+moon::ipsec statusall::AES_GCM_16_256::YES
+carol::ipsec statusall::AES_GCM_16_256::YES
+carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
diff --git a/testing/tests/ikev1/esp-alg-aes-gcm/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aes-gcm/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..5026e0d9e
--- /dev/null
+++ b/testing/tests/ikev1/esp-alg-aes-gcm/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,26 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutodebug="control crypt"
+	charonstart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+	ike=aes256-sha512-modp2048!
+	esp=aes256gcm128-modp2048!
+
+conn home
+	left=PH_IP_CAROL
+	leftfirewall=yes
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add 
diff --git a/testing/tests/ikev1/esp-alg-aes-gcm/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aes-gcm/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..5fa07962e
--- /dev/null
+++ b/testing/tests/ikev1/esp-alg-aes-gcm/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutodebug="control crypt"
+	charonstart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+	ike=aes256-sha512-modp2048!
+	esp=aes256gcm16-modp2048!
+
+conn rw
+	left=PH_IP_MOON
+	leftfirewall=yes
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	right=%any
+	auto=add
diff --git a/testing/tests/ikev1/esp-alg-aes-gcm/posttest.dat b/testing/tests/ikev1/esp-alg-aes-gcm/posttest.dat
new file mode 100644
index 000000000..94a400606
--- /dev/null
+++ b/testing/tests/ikev1/esp-alg-aes-gcm/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev1/esp-alg-aes-gcm/pretest.dat b/testing/tests/ikev1/esp-alg-aes-gcm/pretest.dat
new file mode 100644
index 000000000..f360351e1
--- /dev/null
+++ b/testing/tests/ikev1/esp-alg-aes-gcm/pretest.dat
@@ -0,0 +1,6 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+carol::sleep 1 
+carol::ipsec up home
diff --git a/testing/tests/ikev1/esp-alg-aes-gcm/test.conf b/testing/tests/ikev1/esp-alg-aes-gcm/test.conf
new file mode 100644
index 000000000..2b240d895
--- /dev/null
+++ b/testing/tests/ikev1/esp-alg-aes-gcm/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/esp-alg-camellia/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-camellia/hosts/carol/etc/ipsec.conf
index fe74cc285..9af94a18e 100755
--- a/testing/tests/ikev1/esp-alg-camellia/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-camellia/hosts/carol/etc/ipsec.conf
@@ -1,7 +1,7 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
+	plutodebug="control crypt"
 	crlcheckinterval=180
 	strictcrlpolicy=no
 	charonstart=no
diff --git a/testing/tests/ikev1/esp-alg-camellia/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-camellia/hosts/moon/etc/ipsec.conf
index 33871d484..3501319a5 100755
--- a/testing/tests/ikev1/esp-alg-camellia/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-camellia/hosts/moon/etc/ipsec.conf
@@ -1,7 +1,7 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
+	plutodebug="control crypt"
 	crlcheckinterval=180
 	strictcrlpolicy=no
 	charonstart=no
diff --git a/testing/tests/ikev1/net2net-pgp-v3/description.txt b/testing/tests/ikev1/net2net-pgp-v3/description.txt
new file mode 100644
index 000000000..bd680b57a
--- /dev/null
+++ b/testing/tests/ikev1/net2net-pgp-v3/description.txt
@@ -0,0 +1,6 @@
+A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
+The authentication is based on <b>OpenPGP V3 keys</b>. Upon the successful
+establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
+pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/ikev1/net2net-pgp-v3/evaltest.dat b/testing/tests/ikev1/net2net-pgp-v3/evaltest.dat
new file mode 100644
index 000000000..7cbf92687
--- /dev/null
+++ b/testing/tests/ikev1/net2net-pgp-v3/evaltest.dat
@@ -0,0 +1,5 @@
+moon::ipsec status::net-net.*STATE_QUICK_I2.*IPsec SA established::YES
+sun::ipsec status::net-net.*STATE_QUICK_R2.*IPsec SA established::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..a54482489
--- /dev/null
+++ b/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutodebug=control
+	nocrsend=yes
+	charonstart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	
+conn net-net
+	left=PH_IP_MOON
+	leftsubnet=10.1.0.0/16
+	leftcert=moonCert.asc
+	leftfirewall=yes
+	right=PH_IP_SUN
+	rightsubnet=10.2.0.0/16
+	rightcert=sunCert.asc
+	auto=add
diff --git a/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/moonCert.asc b/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/moonCert.asc
new file mode 100644
index 000000000..135cfaec0
--- /dev/null
+++ b/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/moonCert.asc
@@ -0,0 +1,15 @@
+Type Bits/KeyID    Date       User ID
+pub  1024/613A3B61 2005/08/07 moon <moon.strongswan.org>
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: 2.6.3i
+
+mQCNA0L2KI8AAAEEAM5GYrwuf1M9Cv7+Yfr6i5+17zMVGIyj/D4+msK43iUbEH61
++bhRKcrF+9NKvM+ujjZoUbfGjUipsBbTlPTaY7muZ9KaVy2OBHm73x13eiemkPS9
+RFWesrL9L39aBO5K47ti0PwRP8QIPMaNWMs2z7yoZLE/flVNQfWsCnlhOjthAAUR
+tBptb29uIDxtb29uLnN0cm9uZ3N3YW4ub3JnPokAlQMFEEL2KI/1rAp5YTo7YQEB
+vX4EAKtr0e6WMDIRlpE4VhhdQ7AgBgGyhgfqAdD9KDx8o4fG4nkmh7H1bG/PLJA1
+f+UfDGnOyIwPOrILNyNnwAbDHXjJaNylahM7poOP7i0VlbhZPLAC0cSQi02/Zrac
+t5bED5tHSrNSjcA/CjuxRuu9lmR6s57IQnQnwt9I4LTM+CFP
+=oaBj
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/sunCert.asc b/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/sunCert.asc
new file mode 100644
index 000000000..32f204b10
--- /dev/null
+++ b/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/sunCert.asc
@@ -0,0 +1,15 @@
+Type Bits/KeyID    Date       User ID
+pub  1024/79949ADD 2005/08/07 sun <sun.strongswan.org>
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: 2.6.3i
+
+mQCNA0L2Km8AAAEEANRAVMn8HBxfYaGhLqtQ3IZJArn9wpcQ+7sH/F9PaXIjzHRQ
+rfFkfmxxp9lVjCk0LM/BnnlnUmyz6F8K7V0Gi40Am4+ln1zHvZZIQJYGrDhDnjb7
+I5TVeD4Ib5bQ1CoUbIhv2LocCeR6OjefQgGmerC5RQ3d5ci7uB0pVpd5lJrdAAUR
+tBhzdW4gPHN1bi5zdHJvbmdzd2FuLm9yZz6JAJUDBRBC9ipvHSlWl3mUmt0BAUZR
+A/43nuZbxADMSviu54Mj8pvQbYeGLQVabiWT6h7L0ZPX4MWpFH3dTixBfRrZRSsj
+0AgiMMuZAMebfOe+Xf9uDQv7p1yumEiNg43tg85zyawkARWNTZZ04woxtvAqNwXn
+lQotGz7YA6JMxry9RQo5yI4Y4dPnVZ/o8eDpP0+I88cOhQ==
+=lLvB
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.d/private/moonKey.asc b/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.d/private/moonKey.asc
new file mode 100644
index 000000000..6524773e0
--- /dev/null
+++ b/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.d/private/moonKey.asc
@@ -0,0 +1,19 @@
+Type Bits/KeyID    Date       User ID
+sec  1024/613A3B61 2005/08/07 moon <moon.strongswan.org>
+
+-----BEGIN PGP SECRET KEY BLOCK-----
+Version: 2.6.3i
+
+lQHYA0L2KI8AAAEEAM5GYrwuf1M9Cv7+Yfr6i5+17zMVGIyj/D4+msK43iUbEH61
++bhRKcrF+9NKvM+ujjZoUbfGjUipsBbTlPTaY7muZ9KaVy2OBHm73x13eiemkPS9
+RFWesrL9L39aBO5K47ti0PwRP8QIPMaNWMs2z7yoZLE/flVNQfWsCnlhOjthAAUR
+AAP9Fj7OaaCfTL3Met8yuS8ZGMDL/fq+4f2bM+OdPSgD4N1Fiye0B1QMCVGWI1Xd
+JXS0+9QI0A3iD12YAnYwsP50KmsLHA69AqchN7BuimoMfHDXqpTSRW57E9MCEzQ9
+FFN8mVPRiDxAUro8qCjdHmk1vmtdt/PXn1BuXHE36SzZmmMCANBA4WHaO6MJshM6
+7StRicSCxoMn/lPcj6rfJS4EaS+a0MwECxKQ3HKTpP3/+7kaWfLI/D65Xmi3cVK3
+0CPwUK8CAP2RYWoBZPSA8dBGFYwR7W6bdNYhdmGmsVCaM7v4sVr0FwHwMERadByN
+8v0n5As3ZbrCURRp68wuE+JjfOM5mO8CAM3ZK7AVlBOqkoI3X3Ji3yviLlsr2ET7
+QrVKFQBq7eUhwYFo6mVemEqQb61tGirq+qL4Wfk/7+FffZPsUyLX1amfjLQabW9v
+biA8bW9vbi5zdHJvbmdzd2FuLm9yZz4=
+=YFQm
+-----END PGP SECRET KEY BLOCK-----
diff --git a/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..afb1ff927
--- /dev/null
+++ b/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.asc
diff --git a/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.conf
new file mode 100755
index 000000000..419adc2f2
--- /dev/null
+++ b/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutodebug=control
+	nocrsend=yes
+	charonstart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	
+conn net-net
+	left=PH_IP_SUN
+	leftsubnet=10.2.0.0/16
+	leftcert=sunCert.asc
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightcert=moonCert.asc
+	auto=add
diff --git a/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/moonCert.asc b/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/moonCert.asc
new file mode 100644
index 000000000..135cfaec0
--- /dev/null
+++ b/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/moonCert.asc
@@ -0,0 +1,15 @@
+Type Bits/KeyID    Date       User ID
+pub  1024/613A3B61 2005/08/07 moon <moon.strongswan.org>
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: 2.6.3i
+
+mQCNA0L2KI8AAAEEAM5GYrwuf1M9Cv7+Yfr6i5+17zMVGIyj/D4+msK43iUbEH61
++bhRKcrF+9NKvM+ujjZoUbfGjUipsBbTlPTaY7muZ9KaVy2OBHm73x13eiemkPS9
+RFWesrL9L39aBO5K47ti0PwRP8QIPMaNWMs2z7yoZLE/flVNQfWsCnlhOjthAAUR
+tBptb29uIDxtb29uLnN0cm9uZ3N3YW4ub3JnPokAlQMFEEL2KI/1rAp5YTo7YQEB
+vX4EAKtr0e6WMDIRlpE4VhhdQ7AgBgGyhgfqAdD9KDx8o4fG4nkmh7H1bG/PLJA1
+f+UfDGnOyIwPOrILNyNnwAbDHXjJaNylahM7poOP7i0VlbhZPLAC0cSQi02/Zrac
+t5bED5tHSrNSjcA/CjuxRuu9lmR6s57IQnQnwt9I4LTM+CFP
+=oaBj
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/sunCert.asc b/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/sunCert.asc
new file mode 100644
index 000000000..32f204b10
--- /dev/null
+++ b/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/sunCert.asc
@@ -0,0 +1,15 @@
+Type Bits/KeyID    Date       User ID
+pub  1024/79949ADD 2005/08/07 sun <sun.strongswan.org>
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: 2.6.3i
+
+mQCNA0L2Km8AAAEEANRAVMn8HBxfYaGhLqtQ3IZJArn9wpcQ+7sH/F9PaXIjzHRQ
+rfFkfmxxp9lVjCk0LM/BnnlnUmyz6F8K7V0Gi40Am4+ln1zHvZZIQJYGrDhDnjb7
+I5TVeD4Ib5bQ1CoUbIhv2LocCeR6OjefQgGmerC5RQ3d5ci7uB0pVpd5lJrdAAUR
+tBhzdW4gPHN1bi5zdHJvbmdzd2FuLm9yZz6JAJUDBRBC9ipvHSlWl3mUmt0BAUZR
+A/43nuZbxADMSviu54Mj8pvQbYeGLQVabiWT6h7L0ZPX4MWpFH3dTixBfRrZRSsj
+0AgiMMuZAMebfOe+Xf9uDQv7p1yumEiNg43tg85zyawkARWNTZZ04woxtvAqNwXn
+lQotGz7YA6JMxry9RQo5yI4Y4dPnVZ/o8eDpP0+I88cOhQ==
+=lLvB
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.d/private/sunKey.asc b/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.d/private/sunKey.asc
new file mode 100644
index 000000000..de2393649
--- /dev/null
+++ b/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.d/private/sunKey.asc
@@ -0,0 +1,19 @@
+Type Bits/KeyID    Date       User ID
+sec  1024/79949ADD 2005/08/07 sun <sun.strongswan.org>
+
+-----BEGIN PGP SECRET KEY BLOCK-----
+Version: 2.6.3i
+
+lQHYA0L2Km8AAAEEANRAVMn8HBxfYaGhLqtQ3IZJArn9wpcQ+7sH/F9PaXIjzHRQ
+rfFkfmxxp9lVjCk0LM/BnnlnUmyz6F8K7V0Gi40Am4+ln1zHvZZIQJYGrDhDnjb7
+I5TVeD4Ib5bQ1CoUbIhv2LocCeR6OjefQgGmerC5RQ3d5ci7uB0pVpd5lJrdAAUR
+AAP8DHxBOQ7UeiO6cutdGSLfy6nxGf/eRR8d3dNLFKpRfy9IQxPN/yQHb8pzSQUI
+Pqi3V4PcJUJQJIMNqzzgyTyey/OdTc+IFngywRGKQowyD7vY+urVbcEDHe+sRTL1
+GvrsQGMZoXNDimABHn5NbT6Pc06xQ9rNvpCSyHMyzcylpk0CANqf96aEaryGJozg
+vSN5GlS77rPJ9Y9mU2EJs1+0BlMcb7Sy4HN2RRc/V56ZmlW2m3UbGwPqG8R9XQQ2
+LO03bTcCAPiJbTcRdA/YnZExbZPgEnV5nq8tVXTc7bz1Sw7ZWRef0iZyIQEXbwLn
+2Z2EJik9bQpkcVJSBV17cH7Av/VdIosCAKJPVoBETiVzWejIpGHHqbnmZC8P9rUs
+xAXZbNukbL3YElLeopNMyddTi6kf45/m0sb7fr7rzW/OJ7WP8mDrGPec4rQYc3Vu
+IDxzdW4uc3Ryb25nc3dhbi5vcmc+
+=DwEu
+-----END PGP SECRET KEY BLOCK-----
diff --git a/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.secrets b/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.secrets
new file mode 100644
index 000000000..ee98b1611
--- /dev/null
+++ b/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA sunKey.asc
diff --git a/testing/tests/ikev1/net2net-pgp-v3/posttest.dat b/testing/tests/ikev1/net2net-pgp-v3/posttest.dat
new file mode 100644
index 000000000..fafcde975
--- /dev/null
+++ b/testing/tests/ikev1/net2net-pgp-v3/posttest.dat
@@ -0,0 +1,8 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
+moon::rm /etc/ipsec.d/certs/*
+moon::rm /etc/ipsec.d/private/*
+sun::rm /etc/ipsec.d/certs/*
+sun::rm /etc/ipsec.d/private/*
diff --git a/testing/tests/ikev1/net2net-pgp-v3/pretest.dat b/testing/tests/ikev1/net2net-pgp-v3/pretest.dat
new file mode 100644
index 000000000..9e40684ab
--- /dev/null
+++ b/testing/tests/ikev1/net2net-pgp-v3/pretest.dat
@@ -0,0 +1,8 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
+moon::rm /etc/ipsec.d/cacerts/*
+sun::rm /etc/ipsec.d/cacerts/*
+moon::ipsec start
+sun::ipsec start
+moon::sleep 2
+moon::ipsec up net-net
diff --git a/testing/tests/ikev1/net2net-pgp-v3/test.conf b/testing/tests/ikev1/net2net-pgp-v3/test.conf
new file mode 100644
index 000000000..f74d0f7d6
--- /dev/null
+++ b/testing/tests/ikev1/net2net-pgp-v3/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev1/net2net-pgp-v4/description.txt b/testing/tests/ikev1/net2net-pgp-v4/description.txt
new file mode 100644
index 000000000..c82eec9ba
--- /dev/null
+++ b/testing/tests/ikev1/net2net-pgp-v4/description.txt
@@ -0,0 +1,6 @@
+A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
+The authentication is based on <b>OpenPGP V4 keys</b>. Upon the successful
+establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
+pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/ikev1/net2net-pgp-v4/evaltest.dat b/testing/tests/ikev1/net2net-pgp-v4/evaltest.dat
new file mode 100644
index 000000000..7cbf92687
--- /dev/null
+++ b/testing/tests/ikev1/net2net-pgp-v4/evaltest.dat
@@ -0,0 +1,5 @@
+moon::ipsec status::net-net.*STATE_QUICK_I2.*IPsec SA established::YES
+sun::ipsec status::net-net.*STATE_QUICK_R2.*IPsec SA established::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..a54482489
--- /dev/null
+++ b/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutodebug=control
+	nocrsend=yes
+	charonstart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	
+conn net-net
+	left=PH_IP_MOON
+	leftsubnet=10.1.0.0/16
+	leftcert=moonCert.asc
+	leftfirewall=yes
+	right=PH_IP_SUN
+	rightsubnet=10.2.0.0/16
+	rightcert=sunCert.asc
+	auto=add
diff --git a/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.d/certs/moonCert.asc b/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.d/certs/moonCert.asc
new file mode 100644
index 000000000..a512f8f52
--- /dev/null
+++ b/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.d/certs/moonCert.asc
@@ -0,0 +1,24 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v1.4.9 (GNU/Linux)
+
+mQENBEpg0UQBCADWgUvdhUfaNdmWZkvECCcDRE+qlbJnVtIbBNkfsfTL1B20g2Mf
+UhWJORD0ka01pc6Tc5BF/379npNu48lj0g6OdgG5ivvhAAK/6tdGNW/xZQEhTB+A
+nmOu/9HbxtsXjZ5peX6F2k8OlG9hSJgTdGamhmkNaja0FrzSOz5jGhrEc2oCQVnd
+6BXRz4eq7W+VwlC6cxlgi7f5pUFfSqKYVwPLf+VkPVUHo+vSzuidJSL/jaEr9my/
+I0c/fUsVVWa3Z/KyGNY4Ej1DB21PnWYBo9H5SK7YC7auiHGwekdybWoI/6IPOP3f
+JqKbhO3ZbTw9bEZv+Lt52GeN4tNaWsOIbpVDABEBAAG0E21vb24uc3Ryb25nc3dh
+bi5vcmeJATcEEwECACEFAkpg0UQCGwMHCwkIBwMCAQQVAggDBBYCAwECHgECF4AA
+CgkQ9djQiWs7dNHHNQf/UiwJPioLef7dgGG2E+kwVQUK3LK+wXLrCVlRdTpSbw8K
+N2yl6/L8djIdox0jw3yCYhCWxf94N4Yqw4zUjaA4wt+U37ZPqlx/kdfNZwn2383K
+1niLPYmJf5sMWXPAmetT6tNEHNhkmE7CsmDqikX1GUvJ4NmoHp/2DQLKR4/Olb1Y
+D4HulHK0nfMxf1gVmFhRFtGpzrGS26G3HzV0ZDs4fYEkVFfTBkCyGzE667O8W9Gk
+/EoRdO7hDOAEk80Gp23bDX6ygnvsAqUeWNwYYctkiJKb/YMiAR/bOtFHtgN43atv
+1I5GZ96wAo+s+KZAXaHlxFvq7r6OMzxgEWTtyNTtG4kBHAQQAQIABgUCSmDShgAK
+CRCXegSsjRY401hVB/9HlBSdkal26U8HmVSjblOpMhaEKWjAZG1VnhcA5/GstzHc
+ql7CuciAzOfRY9kcUvvonjLLBEb6P8H7mNaosE0XtqBI+Il8w6FIsfqXG+w2lISt
+21/OoS3uXmUD43xdGkJACgoQP3eAqscRnoiNq/Wrg4GFvMmhK3pu3UR0joFrxwoX
+mIbpJ1CZFrYDhLRFWUMV+93rzde7UfIeSuPwuE96yTJFgc4QKKFKT+msELTko9Fb
+G5N0Q//Rfy+mbqQlk7JVd2WqUMfSx6Fw9X8z88uQamdcgx2/6HzFSL1QiBNyF/3D
+spAwu2H5T4gSZH3FywlmRp+JJzNy+aci+M/eTvDz
+=j2hu
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.d/certs/sunCert.asc b/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.d/certs/sunCert.asc
new file mode 100644
index 000000000..5117cbb04
--- /dev/null
+++ b/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.d/certs/sunCert.asc
@@ -0,0 +1,24 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v1.4.9 (GNU/Linux)
+
+mQENBEpg0bgBCADIozng/tZLr8mEcHvXe4S4zRE31EngymiBFytJ0r2sky43lJXB
+QdW2h/elDDO2drrKVt9iwR/WS25r7Er1ibDn1cje9dERDU/IWyS7UaCewUG7WTZM
+/aWrt1cnq11FhpdckQfdalh+au0rnsJJP+mwZBti6KtX9LFi0kKvVoDt+jlNJMlV
+CLRgQ30BmgApiqEDxbVURmHf8UPDNy6GDcQYnJ1AmliIavzjpDl/l68TadBCf8WP
+B2hBe/AoB9ODgc9GnBRMN6RGSvpXGBugKhleFUtCtUR0h3NZtpcD8479XuqSjbyN
+4mUEAeXJIIkT/hLHmmbQK0DTrHPaTtXGfeOjABEBAAG0EnN1bi5zdHJvbmdzd2Fu
+Lm9yZ4kBNwQTAQIAIQUCSmDRuAIbAwcLCQgHAwIBBBUCCAMEFgIDAQIeAQIXgAAK
+CRCXegSsjRY407LCCACqHrnT1xqsQRAIL9GQtI6AkaLJLtJXbALtSKg1Ik1DQA9g
+0P+Scnu84xj1o5bRWX2WyPYZUgDY6fB3bSQuX/Z0lIUtl16xRL53jKroGDzg3JZ0
+eNYmehGoIes4JfQm08UM7roywGaaWAfTK2gDFdjsetU4FkpbziVp8cOeAzUMU5/D
+RLu5rvCB6m5u62RncmppraAYuQWRjZALIxugFW9IBe+hItY3eBa0rnrCPUb2ywSG
+6XXcCnBr/34g/bQXWRxBhbf91ewVaDxgLeoFzQl34h8MxxxBAzG/1023wkN+K97j
+vnvvZKUwbd/TRFJkorkhkRpA1wSrJ0tAsvODgc8biQEcBBABAgAGBQJKYNK9AAoJ
+EPXY0IlrO3TR8X4H/2eabptQ49q6SX5bwZ+13QoGZdarAvFxVGbbhaRrOrbsYNbg
+Wd8k6R/Uwz1qkH3RJBmANm2wcDYhXsztprUrQ3a5jIgZfc+ZH/0cZiFUWk004m7t
+mXdvWsGkbxye0kUChQOP9/VJBgpOBnK4MngX7d3nwSIO75r4ugey2Aud/eOvrm5m
+t5MJBANTGAnBGwqXtsDm7v0L9VQY6PuLIgPwftB+vwy/Ea8vU5AmFKVkfAR/pVIT
+gELY5mDHaqLxgvfMVJ+PFkvb5HF7QdpIcxUjo3SNgyOyYpN+pfQQbVLkPoOs1xqf
+lIbIyjzMp02KM3iRElcuU/EBEfsp0/voJ/iyd+o=
+=tAh4
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.d/private/moonKey.asc b/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.d/private/moonKey.asc
new file mode 100644
index 000000000..59de821d6
--- /dev/null
+++ b/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.d/private/moonKey.asc
@@ -0,0 +1,32 @@
+-----BEGIN PGP PRIVATE KEY BLOCK-----
+Version: GnuPG v1.4.9 (GNU/Linux)
+
+lQOYBEpg0UQBCADWgUvdhUfaNdmWZkvECCcDRE+qlbJnVtIbBNkfsfTL1B20g2Mf
+UhWJORD0ka01pc6Tc5BF/379npNu48lj0g6OdgG5ivvhAAK/6tdGNW/xZQEhTB+A
+nmOu/9HbxtsXjZ5peX6F2k8OlG9hSJgTdGamhmkNaja0FrzSOz5jGhrEc2oCQVnd
+6BXRz4eq7W+VwlC6cxlgi7f5pUFfSqKYVwPLf+VkPVUHo+vSzuidJSL/jaEr9my/
+I0c/fUsVVWa3Z/KyGNY4Ej1DB21PnWYBo9H5SK7YC7auiHGwekdybWoI/6IPOP3f
+JqKbhO3ZbTw9bEZv+Lt52GeN4tNaWsOIbpVDABEBAAEAB/42Vsa7NTpAgwe92+gx
+nscTQsjTs9xf5VSQV6gRKWmUAQYNZoNDue2Ot5AeBJFWV8x++fWAZfrrkLJUkwu/
+Z8UcPbSuJhEsrG4F5B3owTy8cBPbNYd9c6JZAKFPBY8W5l9M5OQyUF1amiuk/1jX
+BNPEN6SBK3j0IhZvQ2bIgCJrxUH9igvOig2HmfOYv11UMzOErSA/eGRSA+TrM+QK
+BDCG1ae3dLe/pXtIuh1/jkLo7Byk0ofgv2+Ty/LSwBCj0vtUjtMHHRNZFRYFrNiN
+S6FyrS7+Q9BJolNkuXT83i4dm208+6bKQBPxV3ZaLgf2y19/g5av8f745ercygQI
+MdGBBADaWGKpev55Oom2gNV4jaQFaAc4K4OqW1IbsXk8QSl1iaoHmt9VlGP+A+8O
+GG+h0cfIlUHnAC29Hs5lDnlByqdTnG9zTyOrnzZEY1+jFGGgs+O/ehS3riGI5dB8
+mwReZfY/aqp7naLkkymHuIAizmxkYORPZtTugyi99Zha4m8j4QQA+39fTOthVIYi
+RXMzGknEjh9fMLvCkx33ghapCtc4ftJRACfaatQJVBG2li7LHbPg9fboIyG/x/Ey
+iyGtPxwBLo7MJige6xpzVB4Qk+zLDCKouca29uY1rGQzZ0FTmMMtu3Rm+dKh9lLv
+vg7ZJNTfhxldC+R/L/gOIBWEzy/iXaMD/2A+wQuKDLDRb9/sOiq/6z7Ryl6FPbTC
+AvvNU3hJtRImfmHodob//zzYYgOY7exY/qubC6FsDW4AN+2iHesCdIzCrAG7v9X3
+Rn1WPq96FfY2y5b6qEl8Tx+a71TZi5RJRtoWPe3IolausE0T3IjRbWI4XgMu/T5o
+Rmv/f5gyc5OxPpG0E21vb24uc3Ryb25nc3dhbi5vcmeJATcEEwECACEFAkpg0UQC
+GwMHCwkIBwMCAQQVAggDBBYCAwECHgECF4AACgkQ9djQiWs7dNHHNQf/UiwJPioL
+ef7dgGG2E+kwVQUK3LK+wXLrCVlRdTpSbw8KN2yl6/L8djIdox0jw3yCYhCWxf94
+N4Yqw4zUjaA4wt+U37ZPqlx/kdfNZwn2383K1niLPYmJf5sMWXPAmetT6tNEHNhk
+mE7CsmDqikX1GUvJ4NmoHp/2DQLKR4/Olb1YD4HulHK0nfMxf1gVmFhRFtGpzrGS
+26G3HzV0ZDs4fYEkVFfTBkCyGzE667O8W9Gk/EoRdO7hDOAEk80Gp23bDX6ygnvs
+AqUeWNwYYctkiJKb/YMiAR/bOtFHtgN43atv1I5GZ96wAo+s+KZAXaHlxFvq7r6O
+MzxgEWTtyNTtGw==
+=Vb4y
+-----END PGP PRIVATE KEY BLOCK-----
diff --git a/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..afb1ff927
--- /dev/null
+++ b/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.asc
diff --git a/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.conf
new file mode 100755
index 000000000..419adc2f2
--- /dev/null
+++ b/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutodebug=control
+	nocrsend=yes
+	charonstart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	
+conn net-net
+	left=PH_IP_SUN
+	leftsubnet=10.2.0.0/16
+	leftcert=sunCert.asc
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightcert=moonCert.asc
+	auto=add
diff --git a/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.d/certs/moonCert.asc b/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.d/certs/moonCert.asc
new file mode 100644
index 000000000..a512f8f52
--- /dev/null
+++ b/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.d/certs/moonCert.asc
@@ -0,0 +1,24 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v1.4.9 (GNU/Linux)
+
+mQENBEpg0UQBCADWgUvdhUfaNdmWZkvECCcDRE+qlbJnVtIbBNkfsfTL1B20g2Mf
+UhWJORD0ka01pc6Tc5BF/379npNu48lj0g6OdgG5ivvhAAK/6tdGNW/xZQEhTB+A
+nmOu/9HbxtsXjZ5peX6F2k8OlG9hSJgTdGamhmkNaja0FrzSOz5jGhrEc2oCQVnd
+6BXRz4eq7W+VwlC6cxlgi7f5pUFfSqKYVwPLf+VkPVUHo+vSzuidJSL/jaEr9my/
+I0c/fUsVVWa3Z/KyGNY4Ej1DB21PnWYBo9H5SK7YC7auiHGwekdybWoI/6IPOP3f
+JqKbhO3ZbTw9bEZv+Lt52GeN4tNaWsOIbpVDABEBAAG0E21vb24uc3Ryb25nc3dh
+bi5vcmeJATcEEwECACEFAkpg0UQCGwMHCwkIBwMCAQQVAggDBBYCAwECHgECF4AA
+CgkQ9djQiWs7dNHHNQf/UiwJPioLef7dgGG2E+kwVQUK3LK+wXLrCVlRdTpSbw8K
+N2yl6/L8djIdox0jw3yCYhCWxf94N4Yqw4zUjaA4wt+U37ZPqlx/kdfNZwn2383K
+1niLPYmJf5sMWXPAmetT6tNEHNhkmE7CsmDqikX1GUvJ4NmoHp/2DQLKR4/Olb1Y
+D4HulHK0nfMxf1gVmFhRFtGpzrGS26G3HzV0ZDs4fYEkVFfTBkCyGzE667O8W9Gk
+/EoRdO7hDOAEk80Gp23bDX6ygnvsAqUeWNwYYctkiJKb/YMiAR/bOtFHtgN43atv
+1I5GZ96wAo+s+KZAXaHlxFvq7r6OMzxgEWTtyNTtG4kBHAQQAQIABgUCSmDShgAK
+CRCXegSsjRY401hVB/9HlBSdkal26U8HmVSjblOpMhaEKWjAZG1VnhcA5/GstzHc
+ql7CuciAzOfRY9kcUvvonjLLBEb6P8H7mNaosE0XtqBI+Il8w6FIsfqXG+w2lISt
+21/OoS3uXmUD43xdGkJACgoQP3eAqscRnoiNq/Wrg4GFvMmhK3pu3UR0joFrxwoX
+mIbpJ1CZFrYDhLRFWUMV+93rzde7UfIeSuPwuE96yTJFgc4QKKFKT+msELTko9Fb
+G5N0Q//Rfy+mbqQlk7JVd2WqUMfSx6Fw9X8z88uQamdcgx2/6HzFSL1QiBNyF/3D
+spAwu2H5T4gSZH3FywlmRp+JJzNy+aci+M/eTvDz
+=j2hu
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.d/certs/sunCert.asc b/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.d/certs/sunCert.asc
new file mode 100644
index 000000000..5117cbb04
--- /dev/null
+++ b/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.d/certs/sunCert.asc
@@ -0,0 +1,24 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v1.4.9 (GNU/Linux)
+
+mQENBEpg0bgBCADIozng/tZLr8mEcHvXe4S4zRE31EngymiBFytJ0r2sky43lJXB
+QdW2h/elDDO2drrKVt9iwR/WS25r7Er1ibDn1cje9dERDU/IWyS7UaCewUG7WTZM
+/aWrt1cnq11FhpdckQfdalh+au0rnsJJP+mwZBti6KtX9LFi0kKvVoDt+jlNJMlV
+CLRgQ30BmgApiqEDxbVURmHf8UPDNy6GDcQYnJ1AmliIavzjpDl/l68TadBCf8WP
+B2hBe/AoB9ODgc9GnBRMN6RGSvpXGBugKhleFUtCtUR0h3NZtpcD8479XuqSjbyN
+4mUEAeXJIIkT/hLHmmbQK0DTrHPaTtXGfeOjABEBAAG0EnN1bi5zdHJvbmdzd2Fu
+Lm9yZ4kBNwQTAQIAIQUCSmDRuAIbAwcLCQgHAwIBBBUCCAMEFgIDAQIeAQIXgAAK
+CRCXegSsjRY407LCCACqHrnT1xqsQRAIL9GQtI6AkaLJLtJXbALtSKg1Ik1DQA9g
+0P+Scnu84xj1o5bRWX2WyPYZUgDY6fB3bSQuX/Z0lIUtl16xRL53jKroGDzg3JZ0
+eNYmehGoIes4JfQm08UM7roywGaaWAfTK2gDFdjsetU4FkpbziVp8cOeAzUMU5/D
+RLu5rvCB6m5u62RncmppraAYuQWRjZALIxugFW9IBe+hItY3eBa0rnrCPUb2ywSG
+6XXcCnBr/34g/bQXWRxBhbf91ewVaDxgLeoFzQl34h8MxxxBAzG/1023wkN+K97j
+vnvvZKUwbd/TRFJkorkhkRpA1wSrJ0tAsvODgc8biQEcBBABAgAGBQJKYNK9AAoJ
+EPXY0IlrO3TR8X4H/2eabptQ49q6SX5bwZ+13QoGZdarAvFxVGbbhaRrOrbsYNbg
+Wd8k6R/Uwz1qkH3RJBmANm2wcDYhXsztprUrQ3a5jIgZfc+ZH/0cZiFUWk004m7t
+mXdvWsGkbxye0kUChQOP9/VJBgpOBnK4MngX7d3nwSIO75r4ugey2Aud/eOvrm5m
+t5MJBANTGAnBGwqXtsDm7v0L9VQY6PuLIgPwftB+vwy/Ea8vU5AmFKVkfAR/pVIT
+gELY5mDHaqLxgvfMVJ+PFkvb5HF7QdpIcxUjo3SNgyOyYpN+pfQQbVLkPoOs1xqf
+lIbIyjzMp02KM3iRElcuU/EBEfsp0/voJ/iyd+o=
+=tAh4
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.d/private/sunKey.asc b/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.d/private/sunKey.asc
new file mode 100644
index 000000000..68899ae37
--- /dev/null
+++ b/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.d/private/sunKey.asc
@@ -0,0 +1,32 @@
+-----BEGIN PGP PRIVATE KEY BLOCK-----
+Version: GnuPG v1.4.9 (GNU/Linux)
+
+lQOYBEpg0bgBCADIozng/tZLr8mEcHvXe4S4zRE31EngymiBFytJ0r2sky43lJXB
+QdW2h/elDDO2drrKVt9iwR/WS25r7Er1ibDn1cje9dERDU/IWyS7UaCewUG7WTZM
+/aWrt1cnq11FhpdckQfdalh+au0rnsJJP+mwZBti6KtX9LFi0kKvVoDt+jlNJMlV
+CLRgQ30BmgApiqEDxbVURmHf8UPDNy6GDcQYnJ1AmliIavzjpDl/l68TadBCf8WP
+B2hBe/AoB9ODgc9GnBRMN6RGSvpXGBugKhleFUtCtUR0h3NZtpcD8479XuqSjbyN
+4mUEAeXJIIkT/hLHmmbQK0DTrHPaTtXGfeOjABEBAAEAB/0XU57hkU9R6mSoALnt
+Qh+aqsDjOEvEllPTGmH+icFipJP9g0lr+B8EQ0egCUyj3Kb36mS7Yw+0Bv4WDxlh
+9bm7Iohhn7vIWz9Y4HvjSWi+vGJLiWI+TkkqLz0zUAGemTjU2snKzNfwDrd3WFRn
+VsZxKxpiBAITzk+nWSHGp+yCfl3NVaA/MYAI+FgiQlq/qTCRreEsexAJ09weDLGN
+P95V4E6LACRy+wiy7X0lRzS1047UUtTcZUF6c5ERfgAGT5NKT/ZA4THZy5pPrSOw
+bRIHbozSlWbnrZNz8DNa4iyHsEw/42IvjU/LflmGWL2hvVxA40ezlxGVi5ea5gFV
+5q9dBADWGXToEaHMqie/HAC4+1/VCTmAvqIKcegNWHCL1PGYBBfRonF/TDcbkawy
+0ATlk+rkyTaRvkapb1LdqE1qThGQWC6iLb3v8E2UEizCM1VFo2EqcKxbCoJdsEtR
+mrK/zIqZ/h/4iEu/ekLPeDwdIWWdBlfYTtTwdMH40eoPOLyo/QQA7+dSOQcAUp8H
+1NuNpyK+9M3/mkpXRF3cqdiY7AnHIf4WWDtgDUHugtO8HlAkq4cL27QYBojVHCqB
+P+NLJo6A35nNbt2IPqAotCgk8NlgtsA+oJ9tvWGarOLMnIt0eBv80blqa5PGeoFt
+EuYxYO2bRAE2cQtMXPMLKpl3VKSRMR8EAKINBJ81zq2twDG1qvRg40XAz2LOKkFd
+B+fNAd0JSC8+qx4MMdn0iL6WaCIN6t1wzI7l1whLUc7f3MPF2dwrsrB9j3MgHppr
+GBLl0A3a1tIkWPAejMcpSgFR63ooQQgoX+XH0woST3wgHTZT6fF+zFn3eaGJ3wqv
+JNcE4vcbJf1COoi0EnN1bi5zdHJvbmdzd2FuLm9yZ4kBNwQTAQIAIQUCSmDRuAIb
+AwcLCQgHAwIBBBUCCAMEFgIDAQIeAQIXgAAKCRCXegSsjRY407LCCACqHrnT1xqs
+QRAIL9GQtI6AkaLJLtJXbALtSKg1Ik1DQA9g0P+Scnu84xj1o5bRWX2WyPYZUgDY
+6fB3bSQuX/Z0lIUtl16xRL53jKroGDzg3JZ0eNYmehGoIes4JfQm08UM7roywGaa
+WAfTK2gDFdjsetU4FkpbziVp8cOeAzUMU5/DRLu5rvCB6m5u62RncmppraAYuQWR
+jZALIxugFW9IBe+hItY3eBa0rnrCPUb2ywSG6XXcCnBr/34g/bQXWRxBhbf91ewV
+aDxgLeoFzQl34h8MxxxBAzG/1023wkN+K97jvnvvZKUwbd/TRFJkorkhkRpA1wSr
+J0tAsvODgc8b
+=QOF4
+-----END PGP PRIVATE KEY BLOCK-----
diff --git a/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.secrets b/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.secrets
new file mode 100644
index 000000000..ee98b1611
--- /dev/null
+++ b/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA sunKey.asc
diff --git a/testing/tests/ikev1/net2net-pgp-v4/posttest.dat b/testing/tests/ikev1/net2net-pgp-v4/posttest.dat
new file mode 100644
index 000000000..fafcde975
--- /dev/null
+++ b/testing/tests/ikev1/net2net-pgp-v4/posttest.dat
@@ -0,0 +1,8 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
+moon::rm /etc/ipsec.d/certs/*
+moon::rm /etc/ipsec.d/private/*
+sun::rm /etc/ipsec.d/certs/*
+sun::rm /etc/ipsec.d/private/*
diff --git a/testing/tests/ikev1/net2net-pgp-v4/pretest.dat b/testing/tests/ikev1/net2net-pgp-v4/pretest.dat
new file mode 100644
index 000000000..9e40684ab
--- /dev/null
+++ b/testing/tests/ikev1/net2net-pgp-v4/pretest.dat
@@ -0,0 +1,8 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
+moon::rm /etc/ipsec.d/cacerts/*
+sun::rm /etc/ipsec.d/cacerts/*
+moon::ipsec start
+sun::ipsec start
+moon::sleep 2
+moon::ipsec up net-net
diff --git a/testing/tests/ikev1/net2net-pgp-v4/test.conf b/testing/tests/ikev1/net2net-pgp-v4/test.conf
new file mode 100644
index 000000000..f74d0f7d6
--- /dev/null
+++ b/testing/tests/ikev1/net2net-pgp-v4/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev1/net2net-pgp/description.txt b/testing/tests/ikev1/net2net-pgp/description.txt
deleted file mode 100644
index c85f2e5d0..000000000
--- a/testing/tests/ikev1/net2net-pgp/description.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
-The authentication is based on <b>OpenPGP keys</b>. Upon the successful
-establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
-inserts iptables-based firewall rules that let pass the tunneled traffic.
-In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
-pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/ikev1/net2net-pgp/evaltest.dat b/testing/tests/ikev1/net2net-pgp/evaltest.dat
deleted file mode 100644
index 7cbf92687..000000000
--- a/testing/tests/ikev1/net2net-pgp/evaltest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::ipsec status::net-net.*STATE_QUICK_I2.*IPsec SA established::YES
-sun::ipsec status::net-net.*STATE_QUICK_R2.*IPsec SA established::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
-sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/net2net-pgp/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-pgp/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index a54482489..000000000
--- a/testing/tests/ikev1/net2net-pgp/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	nocrsend=yes
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	
-conn net-net
-	left=PH_IP_MOON
-	leftsubnet=10.1.0.0/16
-	leftcert=moonCert.asc
-	leftfirewall=yes
-	right=PH_IP_SUN
-	rightsubnet=10.2.0.0/16
-	rightcert=sunCert.asc
-	auto=add
diff --git a/testing/tests/ikev1/net2net-pgp/hosts/moon/etc/ipsec.d/certs/moonCert.asc b/testing/tests/ikev1/net2net-pgp/hosts/moon/etc/ipsec.d/certs/moonCert.asc
deleted file mode 100644
index 135cfaec0..000000000
--- a/testing/tests/ikev1/net2net-pgp/hosts/moon/etc/ipsec.d/certs/moonCert.asc
+++ /dev/null
@@ -1,15 +0,0 @@
-Type Bits/KeyID    Date       User ID
-pub  1024/613A3B61 2005/08/07 moon <moon.strongswan.org>
-
------BEGIN PGP PUBLIC KEY BLOCK-----
-Version: 2.6.3i
-
-mQCNA0L2KI8AAAEEAM5GYrwuf1M9Cv7+Yfr6i5+17zMVGIyj/D4+msK43iUbEH61
-+bhRKcrF+9NKvM+ujjZoUbfGjUipsBbTlPTaY7muZ9KaVy2OBHm73x13eiemkPS9
-RFWesrL9L39aBO5K47ti0PwRP8QIPMaNWMs2z7yoZLE/flVNQfWsCnlhOjthAAUR
-tBptb29uIDxtb29uLnN0cm9uZ3N3YW4ub3JnPokAlQMFEEL2KI/1rAp5YTo7YQEB
-vX4EAKtr0e6WMDIRlpE4VhhdQ7AgBgGyhgfqAdD9KDx8o4fG4nkmh7H1bG/PLJA1
-f+UfDGnOyIwPOrILNyNnwAbDHXjJaNylahM7poOP7i0VlbhZPLAC0cSQi02/Zrac
-t5bED5tHSrNSjcA/CjuxRuu9lmR6s57IQnQnwt9I4LTM+CFP
-=oaBj
------END PGP PUBLIC KEY BLOCK-----
diff --git a/testing/tests/ikev1/net2net-pgp/hosts/moon/etc/ipsec.d/certs/sunCert.asc b/testing/tests/ikev1/net2net-pgp/hosts/moon/etc/ipsec.d/certs/sunCert.asc
deleted file mode 100644
index 32f204b10..000000000
--- a/testing/tests/ikev1/net2net-pgp/hosts/moon/etc/ipsec.d/certs/sunCert.asc
+++ /dev/null
@@ -1,15 +0,0 @@
-Type Bits/KeyID    Date       User ID
-pub  1024/79949ADD 2005/08/07 sun <sun.strongswan.org>
-
------BEGIN PGP PUBLIC KEY BLOCK-----
-Version: 2.6.3i
-
-mQCNA0L2Km8AAAEEANRAVMn8HBxfYaGhLqtQ3IZJArn9wpcQ+7sH/F9PaXIjzHRQ
-rfFkfmxxp9lVjCk0LM/BnnlnUmyz6F8K7V0Gi40Am4+ln1zHvZZIQJYGrDhDnjb7
-I5TVeD4Ib5bQ1CoUbIhv2LocCeR6OjefQgGmerC5RQ3d5ci7uB0pVpd5lJrdAAUR
-tBhzdW4gPHN1bi5zdHJvbmdzd2FuLm9yZz6JAJUDBRBC9ipvHSlWl3mUmt0BAUZR
-A/43nuZbxADMSviu54Mj8pvQbYeGLQVabiWT6h7L0ZPX4MWpFH3dTixBfRrZRSsj
-0AgiMMuZAMebfOe+Xf9uDQv7p1yumEiNg43tg85zyawkARWNTZZ04woxtvAqNwXn
-lQotGz7YA6JMxry9RQo5yI4Y4dPnVZ/o8eDpP0+I88cOhQ==
-=lLvB
------END PGP PUBLIC KEY BLOCK-----
diff --git a/testing/tests/ikev1/net2net-pgp/hosts/moon/etc/ipsec.d/private/moonKey.asc b/testing/tests/ikev1/net2net-pgp/hosts/moon/etc/ipsec.d/private/moonKey.asc
deleted file mode 100644
index 6524773e0..000000000
--- a/testing/tests/ikev1/net2net-pgp/hosts/moon/etc/ipsec.d/private/moonKey.asc
+++ /dev/null
@@ -1,19 +0,0 @@
-Type Bits/KeyID    Date       User ID
-sec  1024/613A3B61 2005/08/07 moon <moon.strongswan.org>
-
------BEGIN PGP SECRET KEY BLOCK-----
-Version: 2.6.3i
-
-lQHYA0L2KI8AAAEEAM5GYrwuf1M9Cv7+Yfr6i5+17zMVGIyj/D4+msK43iUbEH61
-+bhRKcrF+9NKvM+ujjZoUbfGjUipsBbTlPTaY7muZ9KaVy2OBHm73x13eiemkPS9
-RFWesrL9L39aBO5K47ti0PwRP8QIPMaNWMs2z7yoZLE/flVNQfWsCnlhOjthAAUR
-AAP9Fj7OaaCfTL3Met8yuS8ZGMDL/fq+4f2bM+OdPSgD4N1Fiye0B1QMCVGWI1Xd
-JXS0+9QI0A3iD12YAnYwsP50KmsLHA69AqchN7BuimoMfHDXqpTSRW57E9MCEzQ9
-FFN8mVPRiDxAUro8qCjdHmk1vmtdt/PXn1BuXHE36SzZmmMCANBA4WHaO6MJshM6
-7StRicSCxoMn/lPcj6rfJS4EaS+a0MwECxKQ3HKTpP3/+7kaWfLI/D65Xmi3cVK3
-0CPwUK8CAP2RYWoBZPSA8dBGFYwR7W6bdNYhdmGmsVCaM7v4sVr0FwHwMERadByN
-8v0n5As3ZbrCURRp68wuE+JjfOM5mO8CAM3ZK7AVlBOqkoI3X3Ji3yviLlsr2ET7
-QrVKFQBq7eUhwYFo6mVemEqQb61tGirq+qL4Wfk/7+FffZPsUyLX1amfjLQabW9v
-biA8bW9vbi5zdHJvbmdzd2FuLm9yZz4=
-=YFQm
------END PGP SECRET KEY BLOCK-----
diff --git a/testing/tests/ikev1/net2net-pgp/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/net2net-pgp/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index afb1ff927..000000000
--- a/testing/tests/ikev1/net2net-pgp/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.asc
diff --git a/testing/tests/ikev1/net2net-pgp/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/net2net-pgp/hosts/sun/etc/ipsec.conf
deleted file mode 100755
index 419adc2f2..000000000
--- a/testing/tests/ikev1/net2net-pgp/hosts/sun/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	nocrsend=yes
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	
-conn net-net
-	left=PH_IP_SUN
-	leftsubnet=10.2.0.0/16
-	leftcert=sunCert.asc
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	rightcert=moonCert.asc
-	auto=add
diff --git a/testing/tests/ikev1/net2net-pgp/hosts/sun/etc/ipsec.d/certs/moonCert.asc b/testing/tests/ikev1/net2net-pgp/hosts/sun/etc/ipsec.d/certs/moonCert.asc
deleted file mode 100644
index 135cfaec0..000000000
--- a/testing/tests/ikev1/net2net-pgp/hosts/sun/etc/ipsec.d/certs/moonCert.asc
+++ /dev/null
@@ -1,15 +0,0 @@
-Type Bits/KeyID    Date       User ID
-pub  1024/613A3B61 2005/08/07 moon <moon.strongswan.org>
-
------BEGIN PGP PUBLIC KEY BLOCK-----
-Version: 2.6.3i
-
-mQCNA0L2KI8AAAEEAM5GYrwuf1M9Cv7+Yfr6i5+17zMVGIyj/D4+msK43iUbEH61
-+bhRKcrF+9NKvM+ujjZoUbfGjUipsBbTlPTaY7muZ9KaVy2OBHm73x13eiemkPS9
-RFWesrL9L39aBO5K47ti0PwRP8QIPMaNWMs2z7yoZLE/flVNQfWsCnlhOjthAAUR
-tBptb29uIDxtb29uLnN0cm9uZ3N3YW4ub3JnPokAlQMFEEL2KI/1rAp5YTo7YQEB
-vX4EAKtr0e6WMDIRlpE4VhhdQ7AgBgGyhgfqAdD9KDx8o4fG4nkmh7H1bG/PLJA1
-f+UfDGnOyIwPOrILNyNnwAbDHXjJaNylahM7poOP7i0VlbhZPLAC0cSQi02/Zrac
-t5bED5tHSrNSjcA/CjuxRuu9lmR6s57IQnQnwt9I4LTM+CFP
-=oaBj
------END PGP PUBLIC KEY BLOCK-----
diff --git a/testing/tests/ikev1/net2net-pgp/hosts/sun/etc/ipsec.d/certs/sunCert.asc b/testing/tests/ikev1/net2net-pgp/hosts/sun/etc/ipsec.d/certs/sunCert.asc
deleted file mode 100644
index 32f204b10..000000000
--- a/testing/tests/ikev1/net2net-pgp/hosts/sun/etc/ipsec.d/certs/sunCert.asc
+++ /dev/null
@@ -1,15 +0,0 @@
-Type Bits/KeyID    Date       User ID
-pub  1024/79949ADD 2005/08/07 sun <sun.strongswan.org>
-
------BEGIN PGP PUBLIC KEY BLOCK-----
-Version: 2.6.3i
-
-mQCNA0L2Km8AAAEEANRAVMn8HBxfYaGhLqtQ3IZJArn9wpcQ+7sH/F9PaXIjzHRQ
-rfFkfmxxp9lVjCk0LM/BnnlnUmyz6F8K7V0Gi40Am4+ln1zHvZZIQJYGrDhDnjb7
-I5TVeD4Ib5bQ1CoUbIhv2LocCeR6OjefQgGmerC5RQ3d5ci7uB0pVpd5lJrdAAUR
-tBhzdW4gPHN1bi5zdHJvbmdzd2FuLm9yZz6JAJUDBRBC9ipvHSlWl3mUmt0BAUZR
-A/43nuZbxADMSviu54Mj8pvQbYeGLQVabiWT6h7L0ZPX4MWpFH3dTixBfRrZRSsj
-0AgiMMuZAMebfOe+Xf9uDQv7p1yumEiNg43tg85zyawkARWNTZZ04woxtvAqNwXn
-lQotGz7YA6JMxry9RQo5yI4Y4dPnVZ/o8eDpP0+I88cOhQ==
-=lLvB
------END PGP PUBLIC KEY BLOCK-----
diff --git a/testing/tests/ikev1/net2net-pgp/hosts/sun/etc/ipsec.d/private/sunKey.asc b/testing/tests/ikev1/net2net-pgp/hosts/sun/etc/ipsec.d/private/sunKey.asc
deleted file mode 100644
index de2393649..000000000
--- a/testing/tests/ikev1/net2net-pgp/hosts/sun/etc/ipsec.d/private/sunKey.asc
+++ /dev/null
@@ -1,19 +0,0 @@
-Type Bits/KeyID    Date       User ID
-sec  1024/79949ADD 2005/08/07 sun <sun.strongswan.org>
-
------BEGIN PGP SECRET KEY BLOCK-----
-Version: 2.6.3i
-
-lQHYA0L2Km8AAAEEANRAVMn8HBxfYaGhLqtQ3IZJArn9wpcQ+7sH/F9PaXIjzHRQ
-rfFkfmxxp9lVjCk0LM/BnnlnUmyz6F8K7V0Gi40Am4+ln1zHvZZIQJYGrDhDnjb7
-I5TVeD4Ib5bQ1CoUbIhv2LocCeR6OjefQgGmerC5RQ3d5ci7uB0pVpd5lJrdAAUR
-AAP8DHxBOQ7UeiO6cutdGSLfy6nxGf/eRR8d3dNLFKpRfy9IQxPN/yQHb8pzSQUI
-Pqi3V4PcJUJQJIMNqzzgyTyey/OdTc+IFngywRGKQowyD7vY+urVbcEDHe+sRTL1
-GvrsQGMZoXNDimABHn5NbT6Pc06xQ9rNvpCSyHMyzcylpk0CANqf96aEaryGJozg
-vSN5GlS77rPJ9Y9mU2EJs1+0BlMcb7Sy4HN2RRc/V56ZmlW2m3UbGwPqG8R9XQQ2
-LO03bTcCAPiJbTcRdA/YnZExbZPgEnV5nq8tVXTc7bz1Sw7ZWRef0iZyIQEXbwLn
-2Z2EJik9bQpkcVJSBV17cH7Av/VdIosCAKJPVoBETiVzWejIpGHHqbnmZC8P9rUs
-xAXZbNukbL3YElLeopNMyddTi6kf45/m0sb7fr7rzW/OJ7WP8mDrGPec4rQYc3Vu
-IDxzdW4uc3Ryb25nc3dhbi5vcmc+
-=DwEu
------END PGP SECRET KEY BLOCK-----
diff --git a/testing/tests/ikev1/net2net-pgp/hosts/sun/etc/ipsec.secrets b/testing/tests/ikev1/net2net-pgp/hosts/sun/etc/ipsec.secrets
deleted file mode 100644
index ee98b1611..000000000
--- a/testing/tests/ikev1/net2net-pgp/hosts/sun/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA sunKey.asc
diff --git a/testing/tests/ikev1/net2net-pgp/posttest.dat b/testing/tests/ikev1/net2net-pgp/posttest.dat
deleted file mode 100644
index fafcde975..000000000
--- a/testing/tests/ikev1/net2net-pgp/posttest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-moon::ipsec stop
-sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
-moon::rm /etc/ipsec.d/certs/*
-moon::rm /etc/ipsec.d/private/*
-sun::rm /etc/ipsec.d/certs/*
-sun::rm /etc/ipsec.d/private/*
diff --git a/testing/tests/ikev1/net2net-pgp/pretest.dat b/testing/tests/ikev1/net2net-pgp/pretest.dat
deleted file mode 100644
index 9e40684ab..000000000
--- a/testing/tests/ikev1/net2net-pgp/pretest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
-moon::rm /etc/ipsec.d/cacerts/*
-sun::rm /etc/ipsec.d/cacerts/*
-moon::ipsec start
-sun::ipsec start
-moon::sleep 2
-moon::ipsec up net-net
diff --git a/testing/tests/ikev1/net2net-pgp/test.conf b/testing/tests/ikev1/net2net-pgp/test.conf
deleted file mode 100644
index f74d0f7d6..000000000
--- a/testing/tests/ikev1/net2net-pgp/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon winnetou sun bob"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-w-s-b.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="sun"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev1/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-cert/hosts/carol/etc/strongswan.conf
index 304ef99e0..ac4b8d589 100644
--- a/testing/tests/ikev1/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-cert/hosts/carol/etc/strongswan.conf
@@ -8,6 +8,7 @@ pluto {
 
 libstrongswan {
   dh_exponent_ansi_x9_42 = no
+  integrity_test = yes
   crypto_test {
     on_add = yes
   }
diff --git a/testing/tests/ikev1/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-cert/hosts/moon/etc/strongswan.conf
index 304ef99e0..ac4b8d589 100644
--- a/testing/tests/ikev1/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-cert/hosts/moon/etc/strongswan.conf
@@ -8,6 +8,7 @@ pluto {
 
 libstrongswan {
   dh_exponent_ansi_x9_42 = no
+  integrity_test = yes
   crypto_test {
     on_add = yes
   }
diff --git a/testing/tests/ikev2/esp-alg-aes-ctr/description.txt b/testing/tests/ikev2/esp-alg-aes-ctr/description.txt
new file mode 100644
index 000000000..6443a348f
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-aes-ctr/description.txt
@@ -0,0 +1,3 @@
+Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
+<b>AES_CTR_128 / AES_XCBC_96</b> by defining <b>esp=aes128ctr-aesxcbc-modp2048</b> in ipsec.conf.
+A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev2/esp-alg-aes-ctr/evaltest.dat b/testing/tests/ikev2/esp-alg-aes-ctr/evaltest.dat
new file mode 100644
index 000000000..d5260da68
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-aes-ctr/evaltest.dat
@@ -0,0 +1,7 @@
+moon::ipsec statusall::rw.*INSTALLED::YES
+carol::ipsec statusall::home.*INSTALLED::YES
+moon::ipsec statusall::AES_CTR_128/AES_XCBC_96::YES
+carol::ipsec statusall::AES_CTR_128/AES_XCBC_96::YES
+moon::ip xfrm state::rfc3686(ctr(aes))::YES
+carol::ip xfrm state::rfc3686(ctr(aes))::YES
+carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
diff --git a/testing/tests/ikev2/esp-alg-aes-ctr/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-aes-ctr/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..02ca66b75
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-aes-ctr/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=yes
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=aes128-aesxcbc-modp2048!
+	esp=aes128ctr-aesxcbc-modp2048!
+
+conn home
+	left=PH_IP_CAROL
+	leftfirewall=yes
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add 
diff --git a/testing/tests/ikev2/esp-alg-aes-ctr/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-aes-ctr/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..40eb84b8a
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-aes-ctr/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+}
diff --git a/testing/tests/ikev2/esp-alg-aes-ctr/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-aes-ctr/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..1c19714b9
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-aes-ctr/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=yes
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=aes128-aesxcbc-modp2048!
+	esp=aes128ctr-aesxcbc-modp2048!
+
+conn rw
+	left=PH_IP_MOON
+	leftfirewall=yes
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	right=%any
+	auto=add
diff --git a/testing/tests/ikev2/esp-alg-aes-ctr/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-aes-ctr/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..40eb84b8a
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-aes-ctr/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+}
diff --git a/testing/tests/ikev2/esp-alg-aes-ctr/posttest.dat b/testing/tests/ikev2/esp-alg-aes-ctr/posttest.dat
new file mode 100644
index 000000000..94a400606
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-aes-ctr/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/esp-alg-aes-ctr/pretest.dat b/testing/tests/ikev2/esp-alg-aes-ctr/pretest.dat
new file mode 100644
index 000000000..f360351e1
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-aes-ctr/pretest.dat
@@ -0,0 +1,6 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+carol::sleep 1 
+carol::ipsec up home
diff --git a/testing/tests/ikev2/esp-alg-aes-ctr/test.conf b/testing/tests/ikev2/esp-alg-aes-ctr/test.conf
new file mode 100644
index 000000000..2b240d895
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-aes-ctr/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/ip-split-pools-db/description.txt b/testing/tests/ikev2/ip-split-pools-db/description.txt
new file mode 100644
index 000000000..0c11c7eed
--- /dev/null
+++ b/testing/tests/ikev2/ip-split-pools-db/description.txt
@@ -0,0 +1,6 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
+to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
+Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKEv2 configuration
+payload. The gateway moon assigns virtual IP addresses from two disjoint pools named
+<b>pool0</b> comprising the single address <b>10.3.0.1</b> and <b>pool1</b> comprising the
+single address <b>10.3.1.1</b> predefined in the SQL database. 
diff --git a/testing/tests/ikev2/ip-split-pools-db/evaltest.dat b/testing/tests/ikev2/ip-split-pools-db/evaltest.dat
new file mode 100644
index 000000000..8fd47dc34
--- /dev/null
+++ b/testing/tests/ikev2/ip-split-pools-db/evaltest.dat
@@ -0,0 +1,15 @@
+carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
+carol::ipsec status::home.*INSTALLED::YES
+dave::cat /var/log/daemon.log::installing new virtual IP 10.3.1.1::YES
+dave::ipsec status::home.*INSTALLED::YES
+moon::cat /var/log/daemon.log::acquired new lease for address 10.3.0.1 in pool.*pool0::YES
+moon::cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer::YES
+moon::cat /var/log/daemon.log::no available address found in pool.*pool0::YES
+moon::cat /var/log/daemon.log::acquired new lease for address 10.3.1.1 in pool.*pool1::YES
+moon::cat /var/log/daemon.log::assigning virtual IP 10.3.1.1 to peer::YES
+moon::ipsec pool --status 2> /dev/null::pool0.*10.3.0.1.*10.3.0.1.*48h.*1 .*1 .*1 ::YES
+moon::ipsec pool --status 2> /dev/null::pool1.*10.3.1.1.*10.3.1.1.*48h.*1 .*1 .*1 ::YES
+moon::ipsec pool --leases --filter pool=pool0,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES
+moon::ipsec pool --leases --filter pool=pool1,addr=10.3.1.1,id=dave@strongswan.org 2> /dev/null::online::YES
+moon::ipsec status::rw.*ESTABLISHED.*carol@strongswan.org::YES
+moon::ipsec status::rw.*ESTABLISHED.*dave@strongswan.org::YES
diff --git a/testing/tests/ikev2/ip-split-pools-db/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ip-split-pools-db/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..a19f6cfae
--- /dev/null
+++ b/testing/tests/ikev2/ip-split-pools-db/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_CAROL
+	leftsourceip=%config
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
diff --git a/testing/tests/ikev2/ip-split-pools-db/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-split-pools-db/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..40eb84b8a
--- /dev/null
+++ b/testing/tests/ikev2/ip-split-pools-db/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+}
diff --git a/testing/tests/ikev2/ip-split-pools-db/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/ip-split-pools-db/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..1a89f4e5d
--- /dev/null
+++ b/testing/tests/ikev2/ip-split-pools-db/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_DAVE
+	leftsourceip=%config
+	leftcert=daveCert.pem
+	leftid=dave@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
diff --git a/testing/tests/ikev2/ip-split-pools-db/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ip-split-pools-db/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..40eb84b8a
--- /dev/null
+++ b/testing/tests/ikev2/ip-split-pools-db/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+}
diff --git a/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..c0f9756e4
--- /dev/null
+++ b/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn rw
+	left=PH_IP_MOON
+	leftsubnet=10.1.0.0/16
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftfirewall=yes
+	right=%any
+	rightsourceip=%pool0,pool1
+	auto=add
diff --git a/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..b77ff97fb
--- /dev/null
+++ b/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,14 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  plugins {
+    sql {
+      database = sqlite:///etc/ipsec.d/ipsec.db 
+    }
+  }
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink sqlite sql updown
+}
+
+pool {
+  load = sqlite
+}
diff --git a/testing/tests/ikev2/ip-split-pools-db/posttest.dat b/testing/tests/ikev2/ip-split-pools-db/posttest.dat
new file mode 100644
index 000000000..32b445090
--- /dev/null
+++ b/testing/tests/ikev2/ip-split-pools-db/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::ipsec pool --del pool0 2> /dev/null
+moon::ipsec pool --del pool1 2> /dev/null
+moon::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/ikev2/ip-split-pools-db/pretest.dat b/testing/tests/ikev2/ip-split-pools-db/pretest.dat
new file mode 100644
index 000000000..5691f0f0d
--- /dev/null
+++ b/testing/tests/ikev2/ip-split-pools-db/pretest.dat
@@ -0,0 +1,12 @@
+moon::cat /etc/ipsec.d/tables.sql > /etc/ipsec.d/ipsec.sql
+moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+moon::ipsec pool --add pool0 --start 10.3.0.1 --end 10.3.0.1 --timeout 48 2> /dev/null
+moon::ipsec pool --add pool1 --start 10.3.1.1 --end 10.3.1.1 --timeout 48 2> /dev/null
+moon::ipsec pool --status 2> /dev/null
+carol::ipsec start
+dave::ipsec start
+moon::ipsec start
+carol::sleep 2 
+carol::ipsec up home
+dave::ipsec up home
+carol::sleep 1
diff --git a/testing/tests/ikev2/ip-split-pools-db/test.conf b/testing/tests/ikev2/ip-split-pools-db/test.conf
new file mode 100644
index 000000000..1a8f2a4e0
--- /dev/null
+++ b/testing/tests/ikev2/ip-split-pools-db/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon alice"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf
index de122acff..da8d70ed7 100644
--- a/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf
@@ -5,6 +5,7 @@ charon {
 }
 
 libstrongswan {
+  integrity_test = yes
   crypto_test {
     on_add = yes
   }
diff --git a/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf
index de122acff..da8d70ed7 100644
--- a/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf
@@ -5,6 +5,7 @@ charon {
 }
 
 libstrongswan {
+  integrity_test = yes
   crypto_test {
     on_add = yes
   }
diff --git a/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf
index de122acff..da8d70ed7 100644
--- a/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf
@@ -5,6 +5,7 @@ charon {
 }
 
 libstrongswan {
+  integrity_test = yes
   crypto_test {
     on_add = yes
   }
diff --git a/testing/tests/openssl-ikev1/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev1/rw-cert/hosts/carol/etc/strongswan.conf
index e2a83185b..ef1b92f3c 100644
--- a/testing/tests/openssl-ikev1/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/rw-cert/hosts/carol/etc/strongswan.conf
@@ -8,6 +8,7 @@ pluto {
 
 libstrongswan {
   dh_exponent_ansi_x9_42 = no
+  integrity_test = yes
   crypto_test {
     on_add = yes
   }
diff --git a/testing/tests/openssl-ikev1/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev1/rw-cert/hosts/dave/etc/strongswan.conf
index 2ba85bb98..825f6fee8 100644
--- a/testing/tests/openssl-ikev1/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/rw-cert/hosts/dave/etc/strongswan.conf
@@ -8,6 +8,7 @@ pluto {
 
 libstrongswan {
   dh_exponent_ansi_x9_42 = no
+  integrity_test = yes
   crypto_test {
     required = yes
     on_add = yes
diff --git a/testing/tests/openssl-ikev1/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev1/rw-cert/hosts/moon/etc/strongswan.conf
index 28d9ab3ba..a3ad70a45 100644
--- a/testing/tests/openssl-ikev1/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/rw-cert/hosts/moon/etc/strongswan.conf
@@ -8,6 +8,7 @@ pluto {
 
 libstrongswan {
   dh_exponent_ansi_x9_42 = no
+  integrity_test = yes
   crypto_test {
     on_add = yes
   }
diff --git a/testing/tests/openssl-ikev2/alg-camellia/description.txt b/testing/tests/openssl-ikev2/alg-camellia/description.txt
new file mode 100644
index 000000000..b3515c333
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-camellia/description.txt
@@ -0,0 +1,4 @@
+Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the IKE cipher suite <b>CAMELLIA_CBC_256 /
+HMAC_SHA2_512_256 / MODP_2048</b> by defining <b>ike=camellia256-sha256-modp2048</b> as well as
+the ESP cipher suite <b>CAMELLIA_CBC_192 / HMAC_SHA1_96</b> by defining <b>esp=camellia192-sha1</b>
+in ipsec.conf. A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/openssl-ikev2/alg-camellia/evaltest.dat b/testing/tests/openssl-ikev2/alg-camellia/evaltest.dat
new file mode 100644
index 000000000..aad3becc7
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-camellia/evaltest.dat
@@ -0,0 +1,9 @@
+moon::ipsec statusall::rw.*INSTALLED::YES
+carol::ipsec statusall::home.*INSTALLED::YES
+moon::ipsec statusall::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES
+carol::ipsec statusall::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES
+moon::ipsec statusall::CAMELLIA_CBC_192/HMAC_SHA1_96::YES
+carol::ipsec statusall::CAMELLIA_CBC_192/HMAC_SHA1_96::YES
+moon::ip xfrm state::enc cbc(camellia)::YES
+carol::ip xfrm state::enc cbc(camellia)::YES
+carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
diff --git a/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..37f8a7ecf
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=yes
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=camellia256-sha512-modp2048!
+	esp=camellia192-sha1!
+
+conn home
+	left=PH_IP_CAROL
+	leftfirewall=yes
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add 
diff --git a/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..c110dd516
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl openssl random x509 pubkey hmac xcbc stroke kernel-netlink updown
+}
diff --git a/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..f8d7e3fe9
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=yes
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=camellia256-sha512-modp2048!
+	esp=camellia192-sha1!
+
+conn rw
+	left=PH_IP_MOON
+	leftfirewall=yes
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	right=%any
+	auto=add
diff --git a/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..c110dd516
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl openssl random x509 pubkey hmac xcbc stroke kernel-netlink updown
+}
diff --git a/testing/tests/openssl-ikev2/alg-camellia/posttest.dat b/testing/tests/openssl-ikev2/alg-camellia/posttest.dat
new file mode 100644
index 000000000..94a400606
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-camellia/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/openssl-ikev2/alg-camellia/pretest.dat b/testing/tests/openssl-ikev2/alg-camellia/pretest.dat
new file mode 100644
index 000000000..3c3df0196
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-camellia/pretest.dat
@@ -0,0 +1,7 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+carol::sleep 1 
+carol::ipsec up home
+carol::sleep 1
diff --git a/testing/tests/openssl-ikev2/alg-camellia/test.conf b/testing/tests/openssl-ikev2/alg-camellia/test.conf
new file mode 100644
index 000000000..2b240d895
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-camellia/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/strongswan.conf
index e10230384..81dfac334 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/strongswan.conf
@@ -3,3 +3,7 @@
 charon {
   load = curl openssl random x509 pubkey hmac stroke kernel-netlink updown
 }
+
+libstrongswan {
+  ecp_x_coordinate_only = no
+}
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/strongswan.conf
index 7ffdcc204..eb0ba532d 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/strongswan.conf
@@ -3,3 +3,7 @@
 charon {
   load = curl aes des sha1 sha2 md5 gmp openssl random x509 pubkey hmac stroke kernel-netlink updown
 }
+
+libstrongswan {
+  ecp_x_coordinate_only = no
+}
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/strongswan.conf
index e10230384..81dfac334 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/strongswan.conf
@@ -3,3 +3,7 @@
 charon {
   load = curl openssl random x509 pubkey hmac stroke kernel-netlink updown
 }
+
+libstrongswan {
+  ecp_x_coordinate_only = no
+}
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/strongswan.conf
index e10230384..81dfac334 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/strongswan.conf
@@ -3,3 +3,7 @@
 charon {
   load = curl openssl random x509 pubkey hmac stroke kernel-netlink updown
 }
+
+libstrongswan {
+  ecp_x_coordinate_only = no
+}
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/strongswan.conf
index 7ffdcc204..eb0ba532d 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/strongswan.conf
@@ -3,3 +3,7 @@
 charon {
   load = curl aes des sha1 sha2 md5 gmp openssl random x509 pubkey hmac stroke kernel-netlink updown
 }
+
+libstrongswan {
+  ecp_x_coordinate_only = no
+}
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/strongswan.conf
index e10230384..81dfac334 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/strongswan.conf
@@ -3,3 +3,7 @@
 charon {
   load = curl openssl random x509 pubkey hmac stroke kernel-netlink updown
 }
+
+libstrongswan {
+  ecp_x_coordinate_only = no
+}
diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
index 195bcf046..4e8a1219d 100644
--- a/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
@@ -5,6 +5,7 @@ charon {
 }
 
 libstrongswan {
+  integrity_test = yes
   crypto_test {
     on_add = yes
   }
diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
index f4b6dfdb9..b946aa004 100644
--- a/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
@@ -5,6 +5,7 @@ charon {
 }
 
 libstrongswan {
+  integrity_test = yes
   crypto_test {
     required = yes
     on_add = yes
diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
index 166e24e7c..ebecace94 100644
--- a/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
@@ -5,6 +5,7 @@ charon {
 }
 
 libstrongswan {
+  integrity_test = yes
   crypto_test {
     on_add = yes
   }
diff --git a/testing/tests/pfkey/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/pfkey/rw-cert/hosts/carol/etc/strongswan.conf
index 2f3bc449a..8ee0ad955 100644
--- a/testing/tests/pfkey/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/pfkey/rw-cert/hosts/carol/etc/strongswan.conf
@@ -5,6 +5,7 @@ charon {
 }
 
 libstrongswan {
+  integrity_test = yes
   crypto_test {
     on_add = yes
   }
diff --git a/testing/tests/pfkey/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/pfkey/rw-cert/hosts/dave/etc/strongswan.conf
index 2f3bc449a..8ee0ad955 100644
--- a/testing/tests/pfkey/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/pfkey/rw-cert/hosts/dave/etc/strongswan.conf
@@ -5,6 +5,7 @@ charon {
 }
 
 libstrongswan {
+  integrity_test = yes
   crypto_test {
     on_add = yes
   }
diff --git a/testing/tests/pfkey/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/rw-cert/hosts/moon/etc/strongswan.conf
index 2f3bc449a..8ee0ad955 100644
--- a/testing/tests/pfkey/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/pfkey/rw-cert/hosts/moon/etc/strongswan.conf
@@ -5,6 +5,7 @@ charon {
 }
 
 libstrongswan {
+  integrity_test = yes
   crypto_test {
     on_add = yes
   }
diff --git a/testing/tests/sql/ip-split-pools-db-restart/description.txt b/testing/tests/sql/ip-split-pools-db-restart/description.txt
new file mode 100644
index 000000000..7005c810d
--- /dev/null
+++ b/testing/tests/sql/ip-split-pools-db-restart/description.txt
@@ -0,0 +1,6 @@
+The roadwarriors <b>carol</b> and <b>dave</b> restart a connection each
+to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
+Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKEv2 configuration
+payload. The gateway moon reassigns the static and reserved virtual IP addresses
+from two disjoint pools named <b>pool0</b> and <b>pool1</b> predefined in the SQL database.
+
diff --git a/testing/tests/sql/ip-split-pools-db-restart/evaltest.dat b/testing/tests/sql/ip-split-pools-db-restart/evaltest.dat
new file mode 100644
index 000000000..6c912eb47
--- /dev/null
+++ b/testing/tests/sql/ip-split-pools-db-restart/evaltest.dat
@@ -0,0 +1,14 @@
+dave::cat /var/log/daemon.log::installing new virtual IP 10.3.1.1::YES
+dave::ipsec status::home.*INSTALLED::YES
+carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
+carol::ipsec status::home.*INSTALLED::YES
+moon::cat /var/log/daemon.log::acquired existing lease for address 10.3.1.1 in pool.*pool1::YES
+moon::cat /var/log/daemon.log::assigning virtual IP 10.3.1.1 to peer::YES
+moon::cat /var/log/daemon.log::acquired existing lease for address 10.3.0.1 in pool.*pool0::YES
+moon::cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer::YES
+moon::ipsec pool --status 2> /dev/null::pool0.*10.3.0.1.*10.3.0.2.*static.*2 .*1 .*1 ::YES
+moon::ipsec pool --status 2> /dev/null::pool1.*10.3.1.1.*10.3.1.2.*static.*2 .*1 .*1 ::YES
+moon::ipsec pool --leases --filter pool=pool0,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES
+moon::ipsec pool --leases --filter pool=pool1,addr=10.3.1.1,id=dave@strongswan.org 2> /dev/null::online::YES
+moon::ipsec status::rw.*ESTABLISHED.*dave@strongswan.org::YES
+moon::ipsec status::rw.*ESTABLISHED.*carol@strongswan.org::YES
diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/ipsec.conf b/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..3bc29625f
--- /dev/null
+++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,8 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+        strictcrlpolicy=no
+        plutostart=no
+
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/ipsec.d/data.sql
new file mode 100644
index 000000000..ca813d44f
--- /dev/null
+++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/ipsec.d/data.sql
@@ -0,0 +1,140 @@
+/* Identities */
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */
+  9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+  202, X'ae096b87b44886d3b820978623dabd0eae22ebbc'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* carol@strongswan.org */
+  3, X'6361726f6c407374726f6e677377616e2e6f7267'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=carol@strongswan.org' */
+  202, X'985c23660cd9b9a7554da6a4aa31ea02230fd482'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* moon.strongswan.org */
+  2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267'
+ );
+
+/* Certificates */
+
+INSERT INTO certificates (
+   type, keytype, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */
+  1, 1, X'308203b53082029da003020102020100300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131303134355a170d3134303930383131303134355a3045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100bff25f62ea3d566e58b3c87a49caf3ac61cfa96377734d842db3f8fd6ea023f7b0132e66265012317386729c6d7c427a8d9f167be138e8ebae2b12b95933baef36a315c3ddf224cee4bb9bd578135d0467382629621ff96b8d45f6e002e5083662dce181805c140b3f2ce93f83aee3c861cff610a39f0189cb3a3c7cb9bf7e2a09544e2170efaa18fdd4ff20fa94be176d7fecff821f68d17152041d9b46f0cfcfc1e4cf43de5d3f3a587763afe9267f53b11699b3264fc55c5189f5682871166cb98307950569641fa30ffb50de134fed2f973cef1a392827862bc4ddaa97bbb01442e293c41070d07224d4be47ae2753eb2bed4bc1da91c68ec780c4620f0f0203010001a381af3081ac300f0603551d130101ff040530030101ff300b0603551d0f040403020106301d0603551d0e041604145da7dd700651327ee7b66db3b5e5e060ea2e4def306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100300d06092a864886f70d010104050003820101009ad74e3e60592dfb9b21c78628bd76b63090c1720c74bf94753cad6fddadc9c776eb39d3bfaa52136bf528840078386308fcf79503bd3d1ad6c15ac38e10c846bff7888a03cfe7fa0e644b522b2af5aedf0bbc508dc48330a180757772771095059b2be148f58dc0c753b59e9d6bfb02e9b685a928a284531b187313fd2b835bc9ea27d0020739a8d485e88bdede9a45cde6d28ed553b0e8e92dabf877bed59abf9d151f15e4f2d00b5e6e49fcb665293d2296697926c2954dae367542ef6e98053e76d2728732f6ce69f284f0b856aa6c2823a9ee29b280a66f50828f9b5cf27f84feca3c31c24897db156c7a833768ab306f51286457a51f09dd53bbb4190f'
+);
+
+INSERT INTO certificates (
+   type, keytype, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=carol@strongswan.org */
+  1, 1, X'308204223082030aa00302010202010a300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3035303130313231343331385a170d3039313233313231343331385a305a310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e3111300f060355040b13085265736561726368311d301b060355040314146361726f6c407374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100b81b84920408e086c8d278d3ad2e9ffc01b89e8c423b612b908010f8174ff96f6729e84b185fb96e60783082c507ace9d64f79beb0252e05e5f1f7a89a0b33e6789f5deb665084cb230191c165bcad1a34563e011b349bb6ab517f01ecf7e2f4de961d36203b85e97811cb26b650cfd014d15dd2d2b71efd656e5638a24bf70986b8128bbae5f3b428d6360e03d3f4e816502e3d1d14d7165ab1a92a9fe15ef045d4e48ff5bd798ec80c9420962c9a9798b54a0ed2a00cf2c9651d7d9882e181c1ef6b1c43edcada2fd191e109962dbd26f38a00208c1ac3ed27a5924c60330c79878eb5c7a90960a6472f979aca9c5aee2bb4d0aed395b546c5e361910a06370203010001a38201063082010230090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e041604145535eca6eba279baef887f18438fd227b16746d1306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100301f0603551d110418301681146361726f6c407374726f6e677377616e2e6f726730390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f7374726f6e677377616e2e63726c300d06092a864886f70d01010405000382010100b1304a7e65d72573468853e8cedd398bf3581cc1e6b4054b9c8d97c3caf0929035dc5e274e7b3fa5fef52e7860bb06aab5ba40c5f1ca55806b4cd873f133ded948b3c89cc81621e2eadee5fc893b48a34e4462a45ab09c41200918f68ea36babfacf4099aa349b8b65841eb1e416b90e4eb462edd786cdb0008565633a701fcd2c416ae8e4754c5bea3181736179aa901e5526c4fac031ce649d851c85ded514c25e3269b0739a879d273950e1a9ea8341b5e1049c07181792ad37da02aeccd555c56469e8e15a9e72860b520dbec05662d37adb08d79575e133f338b0116198fa5fb556fe02682bd634aca535f6750b0daa123f5ad36f2e67caa260587f1aa9'
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  1, 1
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  1, 2
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  2, 3
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  2, 4
+);
+
+/* Private Keys */
+
+INSERT INTO private_keys (
+   type, data
+) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=carol@strongswan.org' */
+  1, X'308204a30201000282010100b81b84920408e086c8d278d3ad2e9ffc01b89e8c423b612b908010f8174ff96f6729e84b185fb96e60783082c507ace9d64f79beb0252e05e5f1f7a89a0b33e6789f5deb665084cb230191c165bcad1a34563e011b349bb6ab517f01ecf7e2f4de961d36203b85e97811cb26b650cfd014d15dd2d2b71efd656e5638a24bf70986b8128bbae5f3b428d6360e03d3f4e816502e3d1d14d7165ab1a92a9fe15ef045d4e48ff5bd798ec80c9420962c9a9798b54a0ed2a00cf2c9651d7d9882e181c1ef6b1c43edcada2fd191e109962dbd26f38a00208c1ac3ed27a5924c60330c79878eb5c7a90960a6472f979aca9c5aee2bb4d0aed395b546c5e361910a063702030100010282010100a7870abc1f85c061858dd7baae24f61947abaa41f0e6bd85f9c83f28b175e980d0bc168f76cf6c199f18def3afbc4b40c0edb2d7accb3834cfc7bd57234d3c5de4b707ac737ea3478144255079761581f9cbdc41ff72809ad90ba069ad2ae7cf7057e29ee4f7a4e40c890c75de826c8768da16e9072af0bd1db6282902ade34cb1b9c3fdd00a8f0330328e18d477009ac5a43952fe05b7257b8b4e7f8f5288e858ef56ea3a031980d38b879e6327d949a8f3c19bf379c1297b3defc0a374a6ea6f1c0e8124247c33392ae446081f486f58bb41cbcba25915d37eefe0828408f7f679841588424ef59b6dee30805b926fa80e7ff57cb4817167ca72bf51c8cf9102818100da567b0cbbc426e4455ffdd1b8013644d9f47785b05b163a0155c81d57c0cd84fe73aa75125caf116de50b7adc369707ed91127db7d4422bb08cff5ddf91f4a0e5fb264e098fe6fe62f8a2ab933eeac41893f365d8165f79143855b5a5b7dc31c9b34a9d453ee7c8d7b24f89e3ed51bfeadc2e1102308a967b241dfb44c8ad6902818100d7dd78437c533a15fd1dd6b0634334e79c31d215017f5a8869e42cbada3fb09167585e087e72f91575441f7cca9a64246df57f0e45f1ae86a289a4307586aa1cc3cd069c65057cc3b0baac3634064e53179bde9af2531a5af2770a1d7ccbdc263f18299ad2ec0d224b718002633a546af74c7cac72ccdf253ab4370137bf829f02818063b2f5c15cc43716296fa9d167fa75b37eeb18e0dd24dac365f4abca6a55ca031ec5e6624b1e337afbf9890273282253267206458df9c8b5768b0bd8ebcc142e9c95d069f607d5ecf7789d9f473f85a841a8dd8df5dc518052715f01f14841ae22725271fa3abd5082de135fddca7277f660d05047f5ae73048bfb7ccf6deb7102818028b2b4ade48ebc70d0dc03521624e1a0992e3b71826ac462dbb40d4add430cc31d3ce7ddaa197b24b48b37748bae381b363006d8660f7edc1b60dff7d2f0a4b9efa0841290694c7088ad69327ef48167e1179e0c908b6278ab260e5e28dd36906f6cdacb39e10f48dbf8762dfd0f4e432c84db2c98285019f0cb7163656351f902818042a7d7d7f9416b3f3b50cf5815dfbc249cd3572e494c76d1ae99dc1e8bc63fbb32e5c18d5c4f90681e9046999cdcf0826f904350b9d67227f606382d9c7b3b1332d22744b2cefa691ab82dbec8e976a406b0902d0f4889392f80d39e2581ac42feed9085964650485e34811b04fa1f34c47cde5cbdd1d20f30111851a3c187ca'
+);
+
+INSERT INTO private_key_identity (
+  private_key, identity
+) VALUES (
+  1, 3
+);
+
+INSERT INTO private_key_identity (
+  private_key, identity
+) VALUES (
+  1, 4
+);
+
+/* Configurations */
+
+INSERT INTO ike_configs (
+  local, remote
+) VALUES (
+  'PH_IP_CAROL', 'PH_IP_MOON'
+);
+
+INSERT INTO peer_configs (
+  name, ike_cfg, local_id, remote_id, virtual
+) VALUES (
+  'home', 1, 3, 5, '0.0.0.0'
+);
+
+INSERT INTO child_configs (
+  name, updown
+) VALUES (
+  'home', 'ipsec _updown iptables'
+);
+
+INSERT INTO peer_config_child_config (
+  peer_cfg, child_cfg
+) VALUES (
+  1, 1
+);
+
+INSERT INTO traffic_selectors (
+  type, start_addr, end_addr
+) VALUES ( /* 10.1.0.0/16 */
+  7, X'0a010000', X'0a01ffff'
+);
+
+INSERT INTO traffic_selectors (
+  type
+) VALUES ( /* dynamic/32 */
+  7
+);
+
+INSERT INTO child_config_traffic_selector (
+  child_cfg, traffic_selector, kind
+) VALUES (
+  1, 1, 1
+);
+
+INSERT INTO child_config_traffic_selector (
+	child_cfg, traffic_selector, kind
+) VALUES (
+  1, 2, 2
+);
+
diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/ipsec.secrets b/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..76bb21bea
--- /dev/null
+++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+# secrets are read from SQLite database
diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/strongswan.conf b/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..29e2395e8
--- /dev/null
+++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,10 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  plugins {
+    sql {
+      database = sqlite:///etc/ipsec.d/ipsec.db 
+    }
+  }
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown sqlite sql
+}
diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/ipsec.conf b/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..3bc29625f
--- /dev/null
+++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,8 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+        strictcrlpolicy=no
+        plutostart=no
+
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/ipsec.d/data.sql b/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/ipsec.d/data.sql
new file mode 100644
index 000000000..5233806c7
--- /dev/null
+++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/ipsec.d/data.sql
@@ -0,0 +1,140 @@
+/* Identities */
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */
+  9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+  202, X'ae096b87b44886d3b820978623dabd0eae22ebbc'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* dave@strongswan.org */
+  3, X'64617665407374726f6e677377616e2e6f7267'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=dave@strongswan.org' */
+  202, X'f651b7ea33148cc5a76a622f1c1eb16c6bbdea25'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* moon.strongswan.org */
+  2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267'
+ );
+
+/* Certificates */
+
+INSERT INTO certificates (
+   type, keytype, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */
+  1, 1, X'308203b53082029da003020102020100300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131303134355a170d3134303930383131303134355a3045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100bff25f62ea3d566e58b3c87a49caf3ac61cfa96377734d842db3f8fd6ea023f7b0132e66265012317386729c6d7c427a8d9f167be138e8ebae2b12b95933baef36a315c3ddf224cee4bb9bd578135d0467382629621ff96b8d45f6e002e5083662dce181805c140b3f2ce93f83aee3c861cff610a39f0189cb3a3c7cb9bf7e2a09544e2170efaa18fdd4ff20fa94be176d7fecff821f68d17152041d9b46f0cfcfc1e4cf43de5d3f3a587763afe9267f53b11699b3264fc55c5189f5682871166cb98307950569641fa30ffb50de134fed2f973cef1a392827862bc4ddaa97bbb01442e293c41070d07224d4be47ae2753eb2bed4bc1da91c68ec780c4620f0f0203010001a381af3081ac300f0603551d130101ff040530030101ff300b0603551d0f040403020106301d0603551d0e041604145da7dd700651327ee7b66db3b5e5e060ea2e4def306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100300d06092a864886f70d010104050003820101009ad74e3e60592dfb9b21c78628bd76b63090c1720c74bf94753cad6fddadc9c776eb39d3bfaa52136bf528840078386308fcf79503bd3d1ad6c15ac38e10c846bff7888a03cfe7fa0e644b522b2af5aedf0bbc508dc48330a180757772771095059b2be148f58dc0c753b59e9d6bfb02e9b685a928a284531b187313fd2b835bc9ea27d0020739a8d485e88bdede9a45cde6d28ed553b0e8e92dabf877bed59abf9d151f15e4f2d00b5e6e49fcb665293d2296697926c2954dae367542ef6e98053e76d2728732f6ce69f284f0b856aa6c2823a9ee29b280a66f50828f9b5cf27f84feca3c31c24897db156c7a833768ab306f51286457a51f09dd53bbb4190f'
+);
+
+INSERT INTO certificates (
+   type, keytype, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=dave@strongswan.org */
+  1, 1, X'308204223082030aa003020102020108300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131323635315a170d3039303930393131323635315a305b310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e31133011060355040b130a4163636f756e74696e67311c301a0603550403141364617665407374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100c66c299463a8a78abef5ffa45679b7a070b5139834b146aa5138d0f1d8845412e112e4429ceeab23473e395e8aa38b2c024118d85b7ddf504118eabedf9c793bd02c949d6799cabeefe03ff62e304ddec98313afd966bcf13f1fb1a619548a060e17fbede205225b574e679adc9f11bdf9e36b48bea058d360d62b8445f9524db98757a4d59865363c675d28667a5dfa967dd03eea23a2dbea32ab0e9a1f8bb885f5e12723113843a12dd00552fcd4f548b31174aab2610e4a8752f6fca95494584db65cc7bd1ef50ee0d8c8211efb5063a995801cc0c1a903042b7ff7c94094a0de5d7390a8f72a01949cd958c6f2012692bd5dba6f30b09c3c0b69622864450203010001a38201053082010130090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e04160414de90b5d11c6c643c7450d36af8886ca31938fb72306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100301e0603551d1104173015811364617665407374726f6e677377616e2e6f726730390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f7374726f6e677377616e2e63726c300d06092a864886f70d0101040500038201010027a2d727384d2d2432f2f15875fa7693db3af1c7d5317cc21e1658f0843a918875d22c301b08e9c05a8aa3f02f6b8ae6705bb508988210f494fd19d92db786db21c1b6e6b18c0b7baa3fbd427da033fd2c08659daf9bc26dd99cf348c1ec139a9b8c32110199eaea08913f6b3a3d5b0c3d2a6f1f7e2c45b13452858949db416493f96dbf93e2173d81f99bc937b0c0c9e3874f4a90626a571295502ff5cf553dcdbdd7d4673dcbecc8ebbfc3e3ac0ce8a75120d6aa3dd2b6e9a61114cfbf0cba137c5934eddb32cfb96dd02fbf8adc903afa5f8d5959fce7a94fdd9e5a7a3816e35126e50fe7f818887bd2b2365b6b3a86d36a86849e9582d193e6a20b513988'
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  1, 1
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  1, 2
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  2, 3
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  2, 4
+);
+
+/* Private Keys */
+
+INSERT INTO private_keys (
+   type, data
+) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=dave@strongswan.org' */
+  1, X'308204a40201000282010100c66c299463a8a78abef5ffa45679b7a070b5139834b146aa5138d0f1d8845412e112e4429ceeab23473e395e8aa38b2c024118d85b7ddf504118eabedf9c793bd02c949d6799cabeefe03ff62e304ddec98313afd966bcf13f1fb1a619548a060e17fbede205225b574e679adc9f11bdf9e36b48bea058d360d62b8445f9524db98757a4d59865363c675d28667a5dfa967dd03eea23a2dbea32ab0e9a1f8bb885f5e12723113843a12dd00552fcd4f548b31174aab2610e4a8752f6fca95494584db65cc7bd1ef50ee0d8c8211efb5063a995801cc0c1a903042b7ff7c94094a0de5d7390a8f72a01949cd958c6f2012692bd5dba6f30b09c3c0b696228644502030100010282010100903fb9caa2d8cd5454974a0e12bfd1fad5750e95ac58e462954194c4fcfed690130844e1186d7a04df9a20e2d62f26d20ba17f8a6a990b6bb0a788a0d2b7527b654fc38adaf2372eaffc7b036178c4639e63a84042f02993c8ac25ddf6b43ad34413b396b0a5c2e05c8c274db1ee025bf5fa9ad7fb9d5e75ed044606974835c7fbc39ae84b80acaae9e9624e6fe8ac0ca318ad8a7d1c6ed3a79261464e6ebdb9c02ef20cb1c206c58718d542ed9cb1428c5c3cebbd58dc25598bbdd9924c75fdfeac881949e5f10a7dd4dc25800bdb4bd479ca0bfb706f25847361b2d2565a412813273691b4a3a5a814dce52cdbe25d626e6c9e000ecd6a75cac275187e265102818100e596d3ee25cd98563b12bf718c0ce7e7a823ae8c84f1021552b6b0bf220b7e012861510ab49d612fe7ba05a202edf4927201af0f33f4137481811f884fc46723f94db8ed69b283376f3141ad7e6f0f52afee60e537111c5bd94642564981a822e54edb6797521fb5870c772993ff517ea9c24adcd9dc502f1364d26a3f05ec4f02818100dd3f81e8a4f463488db2b048f2ef208c1c98ee136636b6449cbd3424c93ab25916908823a1ef3a23b4798c77f92a3e29b9469f8014c6b862e23ab5fe6000f9552de01f72c0a1fcc731b0867a3bf1d27596fc9da6ecd74931ce120b1687d2a67b4e4fb32b7fb750b46645aa38ab011a4d5fedd53d20e5ae3a4a5551b6cc5f5d2b02818100ba744b9954ca2bb59c341596398f21a7593de13bed9b6d7db3b6fac3befa6652ba608e588b6664cf6afa00291b07f5601986948d5c3c14b0c19c03e7c82051433dec890b06941b4ca1d8f6e5d7908a7934b7fba92b9791d86614513b9266e20db4fcdde2bb59ceb6b5fec1a7dab1b7958e786424082a8c542f03ea7eaec038b1028180055e2312b7ddce02d69d3d35a7df3154f4e4a8f2038ad44539e0454197383b5779faabb2e19ce236378cb361bdc3ce9a488a74183168d8d45d54bb519e96a775ef94fe6e544a19cde360bb02802dcfc356946e66bc5c44c456918d7f507045e5bbf2a710291b13742cff07b03445e49377fe572c127e4009ddffcfe9b56fa2dd02818040d41f525d885c951dca35924f46e4e7f4e43f4ea2e670230deb674884f5b8599a368b1647dd87523c4fdb62661f6543edecc9ce48d4a7b8b2a29de21fd438a9cf4823b92c85180b390c4f8dfbc196628d349fed1edd32cba5c063e2739d2153d3677d4815e55b8b4e9d0989b32cf0060de2ded4cd59edf6a4364cb55aff9276'
+);
+
+INSERT INTO private_key_identity (
+  private_key, identity
+) VALUES (
+  1, 3
+);
+
+INSERT INTO private_key_identity (
+  private_key, identity
+) VALUES (
+  1, 4
+);
+
+/* Configurations */
+
+INSERT INTO ike_configs (
+  local, remote
+) VALUES (
+  'PH_IP_DAVE', 'PH_IP_MOON'
+);
+
+INSERT INTO peer_configs (
+  name, ike_cfg, local_id, remote_id, virtual
+) VALUES (
+  'home', 1, 3, 5, '0.0.0.0'
+);
+
+INSERT INTO child_configs (
+  name, updown
+) VALUES (
+  'home', 'ipsec _updown iptables'
+);
+
+INSERT INTO peer_config_child_config (
+  peer_cfg, child_cfg
+) VALUES (
+  1, 1
+);
+
+INSERT INTO traffic_selectors (
+  type, start_addr, end_addr
+) VALUES ( /* 10.1.0.0/16 */
+  7, X'0a010000', X'0a01ffff'
+);
+
+INSERT INTO traffic_selectors (
+  type
+) VALUES ( /* dynamic/32 */
+  7
+);
+
+INSERT INTO child_config_traffic_selector (
+  child_cfg, traffic_selector, kind
+) VALUES (
+  1, 1, 1
+);
+
+INSERT INTO child_config_traffic_selector (
+	child_cfg, traffic_selector, kind
+) VALUES (
+  1, 2, 2
+);
+
diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/ipsec.secrets b/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..76bb21bea
--- /dev/null
+++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+# secrets are read from SQLite database
diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/strongswan.conf b/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..29e2395e8
--- /dev/null
+++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,10 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  plugins {
+    sql {
+      database = sqlite:///etc/ipsec.d/ipsec.db 
+    }
+  }
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown sqlite sql
+}
diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/ipsec.conf b/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..3bc29625f
--- /dev/null
+++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,8 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+        strictcrlpolicy=no
+        plutostart=no
+
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/ipsec.d/data.sql
new file mode 100644
index 000000000..2170e41af
--- /dev/null
+++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/ipsec.d/data.sql
@@ -0,0 +1,204 @@
+/* Identities */
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */
+  9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+  202, X'ae096b87b44886d3b820978623dabd0eae22ebbc'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* moon.strongswan.org */
+  2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */
+  202, X'd70dbd46d5133519064f12f100525ead0802ca95'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* %any */
+  0, '%any'
+);
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* carol@strongswan.org */
+  3, X'6361726f6c407374726f6e677377616e2e6f7267'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* dave@strongswan.org */
+  3, X'64617665407374726f6e677377616e2e6f7267'
+ );
+
+/* Certificates */
+
+INSERT INTO certificates (
+   type, keytype, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */
+  1, 1, X'308203b53082029da003020102020100300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131303134355a170d3134303930383131303134355a3045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100bff25f62ea3d566e58b3c87a49caf3ac61cfa96377734d842db3f8fd6ea023f7b0132e66265012317386729c6d7c427a8d9f167be138e8ebae2b12b95933baef36a315c3ddf224cee4bb9bd578135d0467382629621ff96b8d45f6e002e5083662dce181805c140b3f2ce93f83aee3c861cff610a39f0189cb3a3c7cb9bf7e2a09544e2170efaa18fdd4ff20fa94be176d7fecff821f68d17152041d9b46f0cfcfc1e4cf43de5d3f3a587763afe9267f53b11699b3264fc55c5189f5682871166cb98307950569641fa30ffb50de134fed2f973cef1a392827862bc4ddaa97bbb01442e293c41070d07224d4be47ae2753eb2bed4bc1da91c68ec780c4620f0f0203010001a381af3081ac300f0603551d130101ff040530030101ff300b0603551d0f040403020106301d0603551d0e041604145da7dd700651327ee7b66db3b5e5e060ea2e4def306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100300d06092a864886f70d010104050003820101009ad74e3e60592dfb9b21c78628bd76b63090c1720c74bf94753cad6fddadc9c776eb39d3bfaa52136bf528840078386308fcf79503bd3d1ad6c15ac38e10c846bff7888a03cfe7fa0e644b522b2af5aedf0bbc508dc48330a180757772771095059b2be148f58dc0c753b59e9d6bfb02e9b685a928a284531b187313fd2b835bc9ea27d0020739a8d485e88bdede9a45cde6d28ed553b0e8e92dabf877bed59abf9d151f15e4f2d00b5e6e49fcb665293d2296697926c2954dae367542ef6e98053e76d2728732f6ce69f284f0b856aa6c2823a9ee29b280a66f50828f9b5cf27f84feca3c31c24897db156c7a833768ab306f51286457a51f09dd53bbb4190f'
+);
+
+INSERT INTO certificates (
+   type, keytype, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=moon.strongswan.org */
+  1, 1, X'3082040d308202f5a003020102020103300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131313732355a170d3039303930393131313732355a3046310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311c301a060355040313136d6f6f6e2e7374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100afae2e109ac0a71b437b6f1a9e5194d085c999fe2c8de11b261f016c88e734eb1a6767b15bc7d8338bf3acc14e8a18bf857fd3dfbce637e9b0d3654f15d9068bdf4450517cf72651be8d4c8ff738ea961b2f5584bf7089afaa0a37b94910d18083bf649a7d395a41f04e68f14494d10ffc7d984a2c81e97f3421c1ec38c629b2456a3d8f3bf3915e86317ea71bb24422bef475e677e8967670b4f6ee2a80a45adcbd086a6537ab5fc12bf69f9072b620020de1880cec6cdea47543d1fec4c5ff547ac2447a1e210d9c128dc3337726eb63d5c1c731aa2c63ce175dbc8ebfb9c1e5198815be473781c3f82c2b59d23deb9739dda53c98d31a3fba57760aeaa89b0203010001a38201053082010130090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e04160414e5e410876c2ac4bead854942a6de7658303a9fc1306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100301e0603551d110417301582136d6f6f6e2e7374726f6e677377616e2e6f726730390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f7374726f6e677377616e2e63726c300d06092a864886f70d010104050003820101002f2f2921667aa576bb0c71b601dfa5b358a93e84e8a1af9754ddfbfc67879cb6c6b7833c5749e7c30b11a87b3549e105dda5d371c459f7d40fabd60c4ac8623924be84c96cfa638eb6ce9f6513b9d61080b895d270c405eacc310c709a613b6f61029c94f535ac5836b890be402ad2c52f01f7fd4bff8c0cc0cbea9720ef21c0bb41fb0726852a3c38563d917fdcca186dede6fbc83febd9edf0541382464ee378f7b8c9684df0d2402b07eb11dd4a886ab5e7299d99ea2686994746c2d9c00d95b02b2950d67f7978c6db5b379c4a3170239c414cf743bab866005366809690073a150e73c6866b9b335616acdbd3a8e651596dedb686b5d8d3eeb12df9d729'
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  1, 1
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  1, 2
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  2, 3
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  2, 4
+);
+
+/* Private Keys */
+
+INSERT INTO private_keys (
+   type, data
+) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */
+  1, X'308204a30201000282010100afae2e109ac0a71b437b6f1a9e5194d085c999fe2c8de11b261f016c88e734eb1a6767b15bc7d8338bf3acc14e8a18bf857fd3dfbce637e9b0d3654f15d9068bdf4450517cf72651be8d4c8ff738ea961b2f5584bf7089afaa0a37b94910d18083bf649a7d395a41f04e68f14494d10ffc7d984a2c81e97f3421c1ec38c629b2456a3d8f3bf3915e86317ea71bb24422bef475e677e8967670b4f6ee2a80a45adcbd086a6537ab5fc12bf69f9072b620020de1880cec6cdea47543d1fec4c5ff547ac2447a1e210d9c128dc3337726eb63d5c1c731aa2c63ce175dbc8ebfb9c1e5198815be473781c3f82c2b59d23deb9739dda53c98d31a3fba57760aeaa89b0203010001028201004080550d67a42036945a377ab072078f5fef9b0885573a34fb941ab3bcb816e7d2f3f050600049d2f3296e5e32f5e50c3c79a852d74a377127a915e329845b30f3b26342e7fcde26d92d8bd4b7d23fdf08f02217f129e2838a8ce1d4b78ce33eaa2095515b74b93cc87c216fa3dc77bdc4d86017ababaf0d3318c9d86f27e29aa3301f6d7990f6f7f71db9de23ac66800ba0db4f42bbe82932ca56e08ba730c63febaf2779198cee387ee0934b32a2610ab990a4b908951bb1db2345cf1905f11aeaa6d1b368b7f82b1345ad14544e11d47d6981fc4be083326050cb950363dad1b28dbc16db42ec0fa973312c7306063bc9f308a6b0bcc965e5cb7e0b323ca102818100e71fffd9c9a528bdcb6e9ad1a5f4b354e3ea337392784aac790b4fba7f46b3b58d55965573f6493b686375cf6a0c68da9379434b055b625f01d64a9f1934cb075b25db5ef568325039674d577590b5ec54284842e04c27c97103a151805c9b620a3df84181e3a0c10752a7da6cac9629471a2bc85b32c3a160f3a8adf2d783d302818100c2968f5baf0d246bb9671b1dcfadab3a23cd6f9f1cba8c4b0d9b09d6c30a24eec174f22a4d9d2818d760b79a61c9cdd1381487723a99773a629b58171a6e28706bf083700f35037a0cb0649c9359987ccf77b44b4b3d94c614c74537c7025b503dc9967095411ecaec4b4427bc39dd5dfccbb8bab5d92e9465ab11e5e05d7319028181008b306e388e837461b89dc786f256c7991c18f31b6ade1eba77bb242cc071a7d0726954bbe9b62cac26559fa165d04b6536e3146f9dae4733c83b717d1705003051e81e90b56226cac18740c0a7009b4ed3efde74c7f7950e6f8d2c1d951c30477ebb8b428822b9b105e3f54a49a0365e6d7f895683f5b273019c3bbd663dfc190281807f5def6e12b1a682407405a2c8ba2356c5f2853a7fa2778bf4d6e364c87b4e5b5d138023427438b7b1da63b35088b808570dd0ee6afee2b4bbb074c382905235ebe11d176f4cc2fed3696e21b2ad358b947d04ed37cd9220e99ed966be0383e38cddf373b3ae514a7fca704d15fe46306bf4a8f0c570e7f5486ae6273269d89902818031055903f23c7db8da8951aad134c83a7ca951c48c9a7b994f36d9815bc82c80527b6da8e4beff9fee67b1fde5064719a40448bd6d70d9da8910122402835a328e74cfd34e8b568c29fae6ff831ef824fc825e609547a06052a4113ec09f00649bb7b7d195a773f11711c88f152b10a1b4ae58bb6d8bfc176e39f96c7c0de5c8'
+);
+
+INSERT INTO private_key_identity (
+  private_key, identity
+) VALUES (
+  1, 3
+);
+
+INSERT INTO private_key_identity (
+  private_key, identity
+) VALUES (
+  1, 4
+);
+
+/* Configurations */
+
+INSERT INTO ike_configs (
+  local, remote
+) VALUES (
+  'PH_IP_MOON', '0.0.0.0'
+);
+
+INSERT INTO peer_configs (
+  name, ike_cfg, local_id, remote_id, pool
+) VALUES (
+  'rw', 1, 3, 5, 'pool0,pool1'
+);
+
+INSERT INTO child_configs (
+  name, updown
+) VALUES (
+  'rw', 'ipsec _updown iptables'
+);
+
+INSERT INTO peer_config_child_config (
+  peer_cfg, child_cfg
+) VALUES (
+  1, 1
+);
+
+INSERT INTO traffic_selectors (
+  type, start_addr, end_addr
+) VALUES ( /* 10.1.0.0/16 */
+  7, X'0a010000', X'0a01ffff'
+);
+
+INSERT INTO traffic_selectors (
+  type
+) VALUES ( /* dynamic/32 */
+  7
+);
+
+INSERT INTO child_config_traffic_selector (
+  child_cfg, traffic_selector, kind
+) VALUES (
+  1, 1, 0
+);
+
+INSERT INTO child_config_traffic_selector (
+  child_cfg, traffic_selector, kind
+) VALUES (
+  1, 2, 3
+);
+
+/* Pools */
+
+INSERT INTO pools (
+  name, start, end, timeout
+) VALUES (
+  'pool0', X'0a030001', X'0a030002', 0 
+);
+
+INSERT INTO pools (
+  name, start, end, timeout
+) VALUES (
+  'pool1', X'0a030101', X'0a030102', 0 
+);
+
+INSERT INTO addresses (
+  pool, address, identity, acquired, released
+) VALUES (
+  1, X'0a030001', 6, 1247817255, 1247817277 
+);
+
+INSERT INTO addresses (
+  pool, address
+) VALUES (
+  1, X'0a030002'
+);
+
+INSERT INTO addresses (
+  pool, address, identity, acquired, released
+) VALUES (
+  2, X'0a030101', 7, 1247817257, 1247817278
+);
+
+INSERT INTO addresses (
+  pool, address
+) VALUES (
+  2, X'0a030102'
+);
+
+INSERT INTO leases (
+  address, identity, acquired, released
+) VALUES (
+  1, 6, 1247817255, 1247817277
+);
+
+INSERT INTO leases (
+  address, identity, acquired, released
+) VALUES (
+  3, 7, 1247817257, 1247817278
+);
+
+
+
diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/ipsec.secrets b/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..76bb21bea
--- /dev/null
+++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+# secrets are read from SQLite database
diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/strongswan.conf b/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..a747a6cb1
--- /dev/null
+++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,14 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  plugins {
+    sql {
+      database = sqlite:///etc/ipsec.d/ipsec.db 
+    }
+  }
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown sqlite sql
+}
+
+pool {
+  load = sqlite
+}
diff --git a/testing/tests/sql/ip-split-pools-db-restart/posttest.dat b/testing/tests/sql/ip-split-pools-db-restart/posttest.dat
new file mode 100644
index 000000000..5ff7b9d47
--- /dev/null
+++ b/testing/tests/sql/ip-split-pools-db-restart/posttest.dat
@@ -0,0 +1,7 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::rm /etc/ipsec.d/ipsec.*
+carol::rm /etc/ipsec.d/ipsec.*
+dave::rm /etc/ipsec.d/ipsec.*
+~
diff --git a/testing/tests/sql/ip-split-pools-db-restart/pretest.dat b/testing/tests/sql/ip-split-pools-db-restart/pretest.dat
new file mode 100644
index 000000000..8b30de8c4
--- /dev/null
+++ b/testing/tests/sql/ip-split-pools-db-restart/pretest.dat
@@ -0,0 +1,18 @@
+moon::rm /etc/ipsec.d/cacerts/*
+carol::rm /etc/ipsec.d/cacerts/*
+dave::rm /etc/ipsec.d/cacerts/*
+moon::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+carol::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+dave::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+moon::ipsec pool --status 2> /dev/null
+moon::ipsec pool --leases 2> /dev/null
+moon::ipsec start
+dave::ipsec start
+carol::ipsec start
+dave::sleep 1
+dave::ipsec up home
+carol::ipsec up home
+carol::sleep 1
diff --git a/testing/tests/sql/ip-split-pools-db-restart/test.conf b/testing/tests/sql/ip-split-pools-db-restart/test.conf
new file mode 100644
index 000000000..75510b295
--- /dev/null
+++ b/testing/tests/sql/ip-split-pools-db-restart/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="alice moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/sql/ip-split-pools-db/description.txt b/testing/tests/sql/ip-split-pools-db/description.txt
new file mode 100644
index 000000000..0c11c7eed
--- /dev/null
+++ b/testing/tests/sql/ip-split-pools-db/description.txt
@@ -0,0 +1,6 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
+to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
+Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKEv2 configuration
+payload. The gateway moon assigns virtual IP addresses from two disjoint pools named
+<b>pool0</b> comprising the single address <b>10.3.0.1</b> and <b>pool1</b> comprising the
+single address <b>10.3.1.1</b> predefined in the SQL database. 
diff --git a/testing/tests/sql/ip-split-pools-db/evaltest.dat b/testing/tests/sql/ip-split-pools-db/evaltest.dat
new file mode 100644
index 000000000..f358b62c8
--- /dev/null
+++ b/testing/tests/sql/ip-split-pools-db/evaltest.dat
@@ -0,0 +1,15 @@
+carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
+carol::ipsec status::home.*INSTALLED::YES
+dave::cat /var/log/daemon.log::installing new virtual IP 10.3.1.1::YES
+dave::ipsec status::home.*INSTALLED::YES
+moon::cat /var/log/daemon.log::acquired new lease for address 10.3.0.1 in pool.*pool0::YES
+moon::cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer::YES
+moon::cat /var/log/daemon.log::no available address found in pool.*pool0::YES
+moon::cat /var/log/daemon.log::acquired new lease for address 10.3.1.1 in pool.*pool1::YES
+moon::cat /var/log/daemon.log::assigning virtual IP 10.3.1.1 to peer::YES
+moon::ipsec pool --status 2> /dev/null::pool0.*10.3.0.1.*10.3.0.1.*static.*1 .*1 .*1 ::YES
+moon::ipsec pool --status 2> /dev/null::pool1.*10.3.1.1.*10.3.1.1.*static.*1 .*1 .*1 ::YES
+moon::ipsec pool --leases --filter pool=pool0,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES
+moon::ipsec pool --leases --filter pool=pool1,addr=10.3.1.1,id=dave@strongswan.org 2> /dev/null::online::YES
+moon::ipsec status::rw.*ESTABLISHED.*carol@strongswan.org::YES
+moon::ipsec status::rw.*ESTABLISHED.*dave@strongswan.org::YES
diff --git a/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/ipsec.conf b/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..3bc29625f
--- /dev/null
+++ b/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,8 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+        strictcrlpolicy=no
+        plutostart=no
+
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/ipsec.d/data.sql
new file mode 100644
index 000000000..ca813d44f
--- /dev/null
+++ b/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/ipsec.d/data.sql
@@ -0,0 +1,140 @@
+/* Identities */
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */
+  9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+  202, X'ae096b87b44886d3b820978623dabd0eae22ebbc'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* carol@strongswan.org */
+  3, X'6361726f6c407374726f6e677377616e2e6f7267'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=carol@strongswan.org' */
+  202, X'985c23660cd9b9a7554da6a4aa31ea02230fd482'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* moon.strongswan.org */
+  2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267'
+ );
+
+/* Certificates */
+
+INSERT INTO certificates (
+   type, keytype, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */
+  1, 1, X'308203b53082029da003020102020100300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131303134355a170d3134303930383131303134355a3045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100bff25f62ea3d566e58b3c87a49caf3ac61cfa96377734d842db3f8fd6ea023f7b0132e66265012317386729c6d7c427a8d9f167be138e8ebae2b12b95933baef36a315c3ddf224cee4bb9bd578135d0467382629621ff96b8d45f6e002e5083662dce181805c140b3f2ce93f83aee3c861cff610a39f0189cb3a3c7cb9bf7e2a09544e2170efaa18fdd4ff20fa94be176d7fecff821f68d17152041d9b46f0cfcfc1e4cf43de5d3f3a587763afe9267f53b11699b3264fc55c5189f5682871166cb98307950569641fa30ffb50de134fed2f973cef1a392827862bc4ddaa97bbb01442e293c41070d07224d4be47ae2753eb2bed4bc1da91c68ec780c4620f0f0203010001a381af3081ac300f0603551d130101ff040530030101ff300b0603551d0f040403020106301d0603551d0e041604145da7dd700651327ee7b66db3b5e5e060ea2e4def306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100300d06092a864886f70d010104050003820101009ad74e3e60592dfb9b21c78628bd76b63090c1720c74bf94753cad6fddadc9c776eb39d3bfaa52136bf528840078386308fcf79503bd3d1ad6c15ac38e10c846bff7888a03cfe7fa0e644b522b2af5aedf0bbc508dc48330a180757772771095059b2be148f58dc0c753b59e9d6bfb02e9b685a928a284531b187313fd2b835bc9ea27d0020739a8d485e88bdede9a45cde6d28ed553b0e8e92dabf877bed59abf9d151f15e4f2d00b5e6e49fcb665293d2296697926c2954dae367542ef6e98053e76d2728732f6ce69f284f0b856aa6c2823a9ee29b280a66f50828f9b5cf27f84feca3c31c24897db156c7a833768ab306f51286457a51f09dd53bbb4190f'
+);
+
+INSERT INTO certificates (
+   type, keytype, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=carol@strongswan.org */
+  1, 1, X'308204223082030aa00302010202010a300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3035303130313231343331385a170d3039313233313231343331385a305a310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e3111300f060355040b13085265736561726368311d301b060355040314146361726f6c407374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100b81b84920408e086c8d278d3ad2e9ffc01b89e8c423b612b908010f8174ff96f6729e84b185fb96e60783082c507ace9d64f79beb0252e05e5f1f7a89a0b33e6789f5deb665084cb230191c165bcad1a34563e011b349bb6ab517f01ecf7e2f4de961d36203b85e97811cb26b650cfd014d15dd2d2b71efd656e5638a24bf70986b8128bbae5f3b428d6360e03d3f4e816502e3d1d14d7165ab1a92a9fe15ef045d4e48ff5bd798ec80c9420962c9a9798b54a0ed2a00cf2c9651d7d9882e181c1ef6b1c43edcada2fd191e109962dbd26f38a00208c1ac3ed27a5924c60330c79878eb5c7a90960a6472f979aca9c5aee2bb4d0aed395b546c5e361910a06370203010001a38201063082010230090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e041604145535eca6eba279baef887f18438fd227b16746d1306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100301f0603551d110418301681146361726f6c407374726f6e677377616e2e6f726730390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f7374726f6e677377616e2e63726c300d06092a864886f70d01010405000382010100b1304a7e65d72573468853e8cedd398bf3581cc1e6b4054b9c8d97c3caf0929035dc5e274e7b3fa5fef52e7860bb06aab5ba40c5f1ca55806b4cd873f133ded948b3c89cc81621e2eadee5fc893b48a34e4462a45ab09c41200918f68ea36babfacf4099aa349b8b65841eb1e416b90e4eb462edd786cdb0008565633a701fcd2c416ae8e4754c5bea3181736179aa901e5526c4fac031ce649d851c85ded514c25e3269b0739a879d273950e1a9ea8341b5e1049c07181792ad37da02aeccd555c56469e8e15a9e72860b520dbec05662d37adb08d79575e133f338b0116198fa5fb556fe02682bd634aca535f6750b0daa123f5ad36f2e67caa260587f1aa9'
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  1, 1
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  1, 2
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  2, 3
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  2, 4
+);
+
+/* Private Keys */
+
+INSERT INTO private_keys (
+   type, data
+) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=carol@strongswan.org' */
+  1, X'308204a30201000282010100b81b84920408e086c8d278d3ad2e9ffc01b89e8c423b612b908010f8174ff96f6729e84b185fb96e60783082c507ace9d64f79beb0252e05e5f1f7a89a0b33e6789f5deb665084cb230191c165bcad1a34563e011b349bb6ab517f01ecf7e2f4de961d36203b85e97811cb26b650cfd014d15dd2d2b71efd656e5638a24bf70986b8128bbae5f3b428d6360e03d3f4e816502e3d1d14d7165ab1a92a9fe15ef045d4e48ff5bd798ec80c9420962c9a9798b54a0ed2a00cf2c9651d7d9882e181c1ef6b1c43edcada2fd191e109962dbd26f38a00208c1ac3ed27a5924c60330c79878eb5c7a90960a6472f979aca9c5aee2bb4d0aed395b546c5e361910a063702030100010282010100a7870abc1f85c061858dd7baae24f61947abaa41f0e6bd85f9c83f28b175e980d0bc168f76cf6c199f18def3afbc4b40c0edb2d7accb3834cfc7bd57234d3c5de4b707ac737ea3478144255079761581f9cbdc41ff72809ad90ba069ad2ae7cf7057e29ee4f7a4e40c890c75de826c8768da16e9072af0bd1db6282902ade34cb1b9c3fdd00a8f0330328e18d477009ac5a43952fe05b7257b8b4e7f8f5288e858ef56ea3a031980d38b879e6327d949a8f3c19bf379c1297b3defc0a374a6ea6f1c0e8124247c33392ae446081f486f58bb41cbcba25915d37eefe0828408f7f679841588424ef59b6dee30805b926fa80e7ff57cb4817167ca72bf51c8cf9102818100da567b0cbbc426e4455ffdd1b8013644d9f47785b05b163a0155c81d57c0cd84fe73aa75125caf116de50b7adc369707ed91127db7d4422bb08cff5ddf91f4a0e5fb264e098fe6fe62f8a2ab933eeac41893f365d8165f79143855b5a5b7dc31c9b34a9d453ee7c8d7b24f89e3ed51bfeadc2e1102308a967b241dfb44c8ad6902818100d7dd78437c533a15fd1dd6b0634334e79c31d215017f5a8869e42cbada3fb09167585e087e72f91575441f7cca9a64246df57f0e45f1ae86a289a4307586aa1cc3cd069c65057cc3b0baac3634064e53179bde9af2531a5af2770a1d7ccbdc263f18299ad2ec0d224b718002633a546af74c7cac72ccdf253ab4370137bf829f02818063b2f5c15cc43716296fa9d167fa75b37eeb18e0dd24dac365f4abca6a55ca031ec5e6624b1e337afbf9890273282253267206458df9c8b5768b0bd8ebcc142e9c95d069f607d5ecf7789d9f473f85a841a8dd8df5dc518052715f01f14841ae22725271fa3abd5082de135fddca7277f660d05047f5ae73048bfb7ccf6deb7102818028b2b4ade48ebc70d0dc03521624e1a0992e3b71826ac462dbb40d4add430cc31d3ce7ddaa197b24b48b37748bae381b363006d8660f7edc1b60dff7d2f0a4b9efa0841290694c7088ad69327ef48167e1179e0c908b6278ab260e5e28dd36906f6cdacb39e10f48dbf8762dfd0f4e432c84db2c98285019f0cb7163656351f902818042a7d7d7f9416b3f3b50cf5815dfbc249cd3572e494c76d1ae99dc1e8bc63fbb32e5c18d5c4f90681e9046999cdcf0826f904350b9d67227f606382d9c7b3b1332d22744b2cefa691ab82dbec8e976a406b0902d0f4889392f80d39e2581ac42feed9085964650485e34811b04fa1f34c47cde5cbdd1d20f30111851a3c187ca'
+);
+
+INSERT INTO private_key_identity (
+  private_key, identity
+) VALUES (
+  1, 3
+);
+
+INSERT INTO private_key_identity (
+  private_key, identity
+) VALUES (
+  1, 4
+);
+
+/* Configurations */
+
+INSERT INTO ike_configs (
+  local, remote
+) VALUES (
+  'PH_IP_CAROL', 'PH_IP_MOON'
+);
+
+INSERT INTO peer_configs (
+  name, ike_cfg, local_id, remote_id, virtual
+) VALUES (
+  'home', 1, 3, 5, '0.0.0.0'
+);
+
+INSERT INTO child_configs (
+  name, updown
+) VALUES (
+  'home', 'ipsec _updown iptables'
+);
+
+INSERT INTO peer_config_child_config (
+  peer_cfg, child_cfg
+) VALUES (
+  1, 1
+);
+
+INSERT INTO traffic_selectors (
+  type, start_addr, end_addr
+) VALUES ( /* 10.1.0.0/16 */
+  7, X'0a010000', X'0a01ffff'
+);
+
+INSERT INTO traffic_selectors (
+  type
+) VALUES ( /* dynamic/32 */
+  7
+);
+
+INSERT INTO child_config_traffic_selector (
+  child_cfg, traffic_selector, kind
+) VALUES (
+  1, 1, 1
+);
+
+INSERT INTO child_config_traffic_selector (
+	child_cfg, traffic_selector, kind
+) VALUES (
+  1, 2, 2
+);
+
diff --git a/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/ipsec.secrets b/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..76bb21bea
--- /dev/null
+++ b/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+# secrets are read from SQLite database
diff --git a/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/strongswan.conf b/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..29e2395e8
--- /dev/null
+++ b/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,10 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  plugins {
+    sql {
+      database = sqlite:///etc/ipsec.d/ipsec.db 
+    }
+  }
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown sqlite sql
+}
diff --git a/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/ipsec.conf b/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..3bc29625f
--- /dev/null
+++ b/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,8 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+        strictcrlpolicy=no
+        plutostart=no
+
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/ipsec.d/data.sql b/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/ipsec.d/data.sql
new file mode 100644
index 000000000..5233806c7
--- /dev/null
+++ b/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/ipsec.d/data.sql
@@ -0,0 +1,140 @@
+/* Identities */
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */
+  9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+  202, X'ae096b87b44886d3b820978623dabd0eae22ebbc'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* dave@strongswan.org */
+  3, X'64617665407374726f6e677377616e2e6f7267'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=dave@strongswan.org' */
+  202, X'f651b7ea33148cc5a76a622f1c1eb16c6bbdea25'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* moon.strongswan.org */
+  2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267'
+ );
+
+/* Certificates */
+
+INSERT INTO certificates (
+   type, keytype, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */
+  1, 1, X'308203b53082029da003020102020100300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131303134355a170d3134303930383131303134355a3045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100bff25f62ea3d566e58b3c87a49caf3ac61cfa96377734d842db3f8fd6ea023f7b0132e66265012317386729c6d7c427a8d9f167be138e8ebae2b12b95933baef36a315c3ddf224cee4bb9bd578135d0467382629621ff96b8d45f6e002e5083662dce181805c140b3f2ce93f83aee3c861cff610a39f0189cb3a3c7cb9bf7e2a09544e2170efaa18fdd4ff20fa94be176d7fecff821f68d17152041d9b46f0cfcfc1e4cf43de5d3f3a587763afe9267f53b11699b3264fc55c5189f5682871166cb98307950569641fa30ffb50de134fed2f973cef1a392827862bc4ddaa97bbb01442e293c41070d07224d4be47ae2753eb2bed4bc1da91c68ec780c4620f0f0203010001a381af3081ac300f0603551d130101ff040530030101ff300b0603551d0f040403020106301d0603551d0e041604145da7dd700651327ee7b66db3b5e5e060ea2e4def306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100300d06092a864886f70d010104050003820101009ad74e3e60592dfb9b21c78628bd76b63090c1720c74bf94753cad6fddadc9c776eb39d3bfaa52136bf528840078386308fcf79503bd3d1ad6c15ac38e10c846bff7888a03cfe7fa0e644b522b2af5aedf0bbc508dc48330a180757772771095059b2be148f58dc0c753b59e9d6bfb02e9b685a928a284531b187313fd2b835bc9ea27d0020739a8d485e88bdede9a45cde6d28ed553b0e8e92dabf877bed59abf9d151f15e4f2d00b5e6e49fcb665293d2296697926c2954dae367542ef6e98053e76d2728732f6ce69f284f0b856aa6c2823a9ee29b280a66f50828f9b5cf27f84feca3c31c24897db156c7a833768ab306f51286457a51f09dd53bbb4190f'
+);
+
+INSERT INTO certificates (
+   type, keytype, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=dave@strongswan.org */
+  1, 1, X'308204223082030aa003020102020108300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131323635315a170d3039303930393131323635315a305b310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e31133011060355040b130a4163636f756e74696e67311c301a0603550403141364617665407374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100c66c299463a8a78abef5ffa45679b7a070b5139834b146aa5138d0f1d8845412e112e4429ceeab23473e395e8aa38b2c024118d85b7ddf504118eabedf9c793bd02c949d6799cabeefe03ff62e304ddec98313afd966bcf13f1fb1a619548a060e17fbede205225b574e679adc9f11bdf9e36b48bea058d360d62b8445f9524db98757a4d59865363c675d28667a5dfa967dd03eea23a2dbea32ab0e9a1f8bb885f5e12723113843a12dd00552fcd4f548b31174aab2610e4a8752f6fca95494584db65cc7bd1ef50ee0d8c8211efb5063a995801cc0c1a903042b7ff7c94094a0de5d7390a8f72a01949cd958c6f2012692bd5dba6f30b09c3c0b69622864450203010001a38201053082010130090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e04160414de90b5d11c6c643c7450d36af8886ca31938fb72306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100301e0603551d1104173015811364617665407374726f6e677377616e2e6f726730390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f7374726f6e677377616e2e63726c300d06092a864886f70d0101040500038201010027a2d727384d2d2432f2f15875fa7693db3af1c7d5317cc21e1658f0843a918875d22c301b08e9c05a8aa3f02f6b8ae6705bb508988210f494fd19d92db786db21c1b6e6b18c0b7baa3fbd427da033fd2c08659daf9bc26dd99cf348c1ec139a9b8c32110199eaea08913f6b3a3d5b0c3d2a6f1f7e2c45b13452858949db416493f96dbf93e2173d81f99bc937b0c0c9e3874f4a90626a571295502ff5cf553dcdbdd7d4673dcbecc8ebbfc3e3ac0ce8a75120d6aa3dd2b6e9a61114cfbf0cba137c5934eddb32cfb96dd02fbf8adc903afa5f8d5959fce7a94fdd9e5a7a3816e35126e50fe7f818887bd2b2365b6b3a86d36a86849e9582d193e6a20b513988'
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  1, 1
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  1, 2
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  2, 3
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  2, 4
+);
+
+/* Private Keys */
+
+INSERT INTO private_keys (
+   type, data
+) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=dave@strongswan.org' */
+  1, X'308204a40201000282010100c66c299463a8a78abef5ffa45679b7a070b5139834b146aa5138d0f1d8845412e112e4429ceeab23473e395e8aa38b2c024118d85b7ddf504118eabedf9c793bd02c949d6799cabeefe03ff62e304ddec98313afd966bcf13f1fb1a619548a060e17fbede205225b574e679adc9f11bdf9e36b48bea058d360d62b8445f9524db98757a4d59865363c675d28667a5dfa967dd03eea23a2dbea32ab0e9a1f8bb885f5e12723113843a12dd00552fcd4f548b31174aab2610e4a8752f6fca95494584db65cc7bd1ef50ee0d8c8211efb5063a995801cc0c1a903042b7ff7c94094a0de5d7390a8f72a01949cd958c6f2012692bd5dba6f30b09c3c0b696228644502030100010282010100903fb9caa2d8cd5454974a0e12bfd1fad5750e95ac58e462954194c4fcfed690130844e1186d7a04df9a20e2d62f26d20ba17f8a6a990b6bb0a788a0d2b7527b654fc38adaf2372eaffc7b036178c4639e63a84042f02993c8ac25ddf6b43ad34413b396b0a5c2e05c8c274db1ee025bf5fa9ad7fb9d5e75ed044606974835c7fbc39ae84b80acaae9e9624e6fe8ac0ca318ad8a7d1c6ed3a79261464e6ebdb9c02ef20cb1c206c58718d542ed9cb1428c5c3cebbd58dc25598bbdd9924c75fdfeac881949e5f10a7dd4dc25800bdb4bd479ca0bfb706f25847361b2d2565a412813273691b4a3a5a814dce52cdbe25d626e6c9e000ecd6a75cac275187e265102818100e596d3ee25cd98563b12bf718c0ce7e7a823ae8c84f1021552b6b0bf220b7e012861510ab49d612fe7ba05a202edf4927201af0f33f4137481811f884fc46723f94db8ed69b283376f3141ad7e6f0f52afee60e537111c5bd94642564981a822e54edb6797521fb5870c772993ff517ea9c24adcd9dc502f1364d26a3f05ec4f02818100dd3f81e8a4f463488db2b048f2ef208c1c98ee136636b6449cbd3424c93ab25916908823a1ef3a23b4798c77f92a3e29b9469f8014c6b862e23ab5fe6000f9552de01f72c0a1fcc731b0867a3bf1d27596fc9da6ecd74931ce120b1687d2a67b4e4fb32b7fb750b46645aa38ab011a4d5fedd53d20e5ae3a4a5551b6cc5f5d2b02818100ba744b9954ca2bb59c341596398f21a7593de13bed9b6d7db3b6fac3befa6652ba608e588b6664cf6afa00291b07f5601986948d5c3c14b0c19c03e7c82051433dec890b06941b4ca1d8f6e5d7908a7934b7fba92b9791d86614513b9266e20db4fcdde2bb59ceb6b5fec1a7dab1b7958e786424082a8c542f03ea7eaec038b1028180055e2312b7ddce02d69d3d35a7df3154f4e4a8f2038ad44539e0454197383b5779faabb2e19ce236378cb361bdc3ce9a488a74183168d8d45d54bb519e96a775ef94fe6e544a19cde360bb02802dcfc356946e66bc5c44c456918d7f507045e5bbf2a710291b13742cff07b03445e49377fe572c127e4009ddffcfe9b56fa2dd02818040d41f525d885c951dca35924f46e4e7f4e43f4ea2e670230deb674884f5b8599a368b1647dd87523c4fdb62661f6543edecc9ce48d4a7b8b2a29de21fd438a9cf4823b92c85180b390c4f8dfbc196628d349fed1edd32cba5c063e2739d2153d3677d4815e55b8b4e9d0989b32cf0060de2ded4cd59edf6a4364cb55aff9276'
+);
+
+INSERT INTO private_key_identity (
+  private_key, identity
+) VALUES (
+  1, 3
+);
+
+INSERT INTO private_key_identity (
+  private_key, identity
+) VALUES (
+  1, 4
+);
+
+/* Configurations */
+
+INSERT INTO ike_configs (
+  local, remote
+) VALUES (
+  'PH_IP_DAVE', 'PH_IP_MOON'
+);
+
+INSERT INTO peer_configs (
+  name, ike_cfg, local_id, remote_id, virtual
+) VALUES (
+  'home', 1, 3, 5, '0.0.0.0'
+);
+
+INSERT INTO child_configs (
+  name, updown
+) VALUES (
+  'home', 'ipsec _updown iptables'
+);
+
+INSERT INTO peer_config_child_config (
+  peer_cfg, child_cfg
+) VALUES (
+  1, 1
+);
+
+INSERT INTO traffic_selectors (
+  type, start_addr, end_addr
+) VALUES ( /* 10.1.0.0/16 */
+  7, X'0a010000', X'0a01ffff'
+);
+
+INSERT INTO traffic_selectors (
+  type
+) VALUES ( /* dynamic/32 */
+  7
+);
+
+INSERT INTO child_config_traffic_selector (
+  child_cfg, traffic_selector, kind
+) VALUES (
+  1, 1, 1
+);
+
+INSERT INTO child_config_traffic_selector (
+	child_cfg, traffic_selector, kind
+) VALUES (
+  1, 2, 2
+);
+
diff --git a/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/ipsec.secrets b/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..76bb21bea
--- /dev/null
+++ b/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+# secrets are read from SQLite database
diff --git a/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/strongswan.conf b/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..29e2395e8
--- /dev/null
+++ b/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,10 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  plugins {
+    sql {
+      database = sqlite:///etc/ipsec.d/ipsec.db 
+    }
+  }
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown sqlite sql
+}
diff --git a/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/ipsec.conf b/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..3bc29625f
--- /dev/null
+++ b/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,8 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+        strictcrlpolicy=no
+        plutostart=no
+
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/ipsec.d/data.sql
new file mode 100644
index 000000000..51704fc98
--- /dev/null
+++ b/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/ipsec.d/data.sql
@@ -0,0 +1,166 @@
+/* Identities */
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */
+  9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+  202, X'ae096b87b44886d3b820978623dabd0eae22ebbc'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* moon.strongswan.org */
+  2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */
+  202, X'd70dbd46d5133519064f12f100525ead0802ca95'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* %any */
+  0, '%any'
+);
+
+/* Certificates */
+
+INSERT INTO certificates (
+   type, keytype, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */
+  1, 1, X'308203b53082029da003020102020100300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131303134355a170d3134303930383131303134355a3045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100bff25f62ea3d566e58b3c87a49caf3ac61cfa96377734d842db3f8fd6ea023f7b0132e66265012317386729c6d7c427a8d9f167be138e8ebae2b12b95933baef36a315c3ddf224cee4bb9bd578135d0467382629621ff96b8d45f6e002e5083662dce181805c140b3f2ce93f83aee3c861cff610a39f0189cb3a3c7cb9bf7e2a09544e2170efaa18fdd4ff20fa94be176d7fecff821f68d17152041d9b46f0cfcfc1e4cf43de5d3f3a587763afe9267f53b11699b3264fc55c5189f5682871166cb98307950569641fa30ffb50de134fed2f973cef1a392827862bc4ddaa97bbb01442e293c41070d07224d4be47ae2753eb2bed4bc1da91c68ec780c4620f0f0203010001a381af3081ac300f0603551d130101ff040530030101ff300b0603551d0f040403020106301d0603551d0e041604145da7dd700651327ee7b66db3b5e5e060ea2e4def306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100300d06092a864886f70d010104050003820101009ad74e3e60592dfb9b21c78628bd76b63090c1720c74bf94753cad6fddadc9c776eb39d3bfaa52136bf528840078386308fcf79503bd3d1ad6c15ac38e10c846bff7888a03cfe7fa0e644b522b2af5aedf0bbc508dc48330a180757772771095059b2be148f58dc0c753b59e9d6bfb02e9b685a928a284531b187313fd2b835bc9ea27d0020739a8d485e88bdede9a45cde6d28ed553b0e8e92dabf877bed59abf9d151f15e4f2d00b5e6e49fcb665293d2296697926c2954dae367542ef6e98053e76d2728732f6ce69f284f0b856aa6c2823a9ee29b280a66f50828f9b5cf27f84feca3c31c24897db156c7a833768ab306f51286457a51f09dd53bbb4190f'
+);
+
+INSERT INTO certificates (
+   type, keytype, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=moon.strongswan.org */
+  1, 1, X'3082040d308202f5a003020102020103300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131313732355a170d3039303930393131313732355a3046310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311c301a060355040313136d6f6f6e2e7374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100afae2e109ac0a71b437b6f1a9e5194d085c999fe2c8de11b261f016c88e734eb1a6767b15bc7d8338bf3acc14e8a18bf857fd3dfbce637e9b0d3654f15d9068bdf4450517cf72651be8d4c8ff738ea961b2f5584bf7089afaa0a37b94910d18083bf649a7d395a41f04e68f14494d10ffc7d984a2c81e97f3421c1ec38c629b2456a3d8f3bf3915e86317ea71bb24422bef475e677e8967670b4f6ee2a80a45adcbd086a6537ab5fc12bf69f9072b620020de1880cec6cdea47543d1fec4c5ff547ac2447a1e210d9c128dc3337726eb63d5c1c731aa2c63ce175dbc8ebfb9c1e5198815be473781c3f82c2b59d23deb9739dda53c98d31a3fba57760aeaa89b0203010001a38201053082010130090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e04160414e5e410876c2ac4bead854942a6de7658303a9fc1306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100301e0603551d110417301582136d6f6f6e2e7374726f6e677377616e2e6f726730390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f7374726f6e677377616e2e63726c300d06092a864886f70d010104050003820101002f2f2921667aa576bb0c71b601dfa5b358a93e84e8a1af9754ddfbfc67879cb6c6b7833c5749e7c30b11a87b3549e105dda5d371c459f7d40fabd60c4ac8623924be84c96cfa638eb6ce9f6513b9d61080b895d270c405eacc310c709a613b6f61029c94f535ac5836b890be402ad2c52f01f7fd4bff8c0cc0cbea9720ef21c0bb41fb0726852a3c38563d917fdcca186dede6fbc83febd9edf0541382464ee378f7b8c9684df0d2402b07eb11dd4a886ab5e7299d99ea2686994746c2d9c00d95b02b2950d67f7978c6db5b379c4a3170239c414cf743bab866005366809690073a150e73c6866b9b335616acdbd3a8e651596dedb686b5d8d3eeb12df9d729'
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  1, 1
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  1, 2
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  2, 3
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  2, 4
+);
+
+/* Private Keys */
+
+INSERT INTO private_keys (
+   type, data
+) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */
+  1, X'308204a30201000282010100afae2e109ac0a71b437b6f1a9e5194d085c999fe2c8de11b261f016c88e734eb1a6767b15bc7d8338bf3acc14e8a18bf857fd3dfbce637e9b0d3654f15d9068bdf4450517cf72651be8d4c8ff738ea961b2f5584bf7089afaa0a37b94910d18083bf649a7d395a41f04e68f14494d10ffc7d984a2c81e97f3421c1ec38c629b2456a3d8f3bf3915e86317ea71bb24422bef475e677e8967670b4f6ee2a80a45adcbd086a6537ab5fc12bf69f9072b620020de1880cec6cdea47543d1fec4c5ff547ac2447a1e210d9c128dc3337726eb63d5c1c731aa2c63ce175dbc8ebfb9c1e5198815be473781c3f82c2b59d23deb9739dda53c98d31a3fba57760aeaa89b0203010001028201004080550d67a42036945a377ab072078f5fef9b0885573a34fb941ab3bcb816e7d2f3f050600049d2f3296e5e32f5e50c3c79a852d74a377127a915e329845b30f3b26342e7fcde26d92d8bd4b7d23fdf08f02217f129e2838a8ce1d4b78ce33eaa2095515b74b93cc87c216fa3dc77bdc4d86017ababaf0d3318c9d86f27e29aa3301f6d7990f6f7f71db9de23ac66800ba0db4f42bbe82932ca56e08ba730c63febaf2779198cee387ee0934b32a2610ab990a4b908951bb1db2345cf1905f11aeaa6d1b368b7f82b1345ad14544e11d47d6981fc4be083326050cb950363dad1b28dbc16db42ec0fa973312c7306063bc9f308a6b0bcc965e5cb7e0b323ca102818100e71fffd9c9a528bdcb6e9ad1a5f4b354e3ea337392784aac790b4fba7f46b3b58d55965573f6493b686375cf6a0c68da9379434b055b625f01d64a9f1934cb075b25db5ef568325039674d577590b5ec54284842e04c27c97103a151805c9b620a3df84181e3a0c10752a7da6cac9629471a2bc85b32c3a160f3a8adf2d783d302818100c2968f5baf0d246bb9671b1dcfadab3a23cd6f9f1cba8c4b0d9b09d6c30a24eec174f22a4d9d2818d760b79a61c9cdd1381487723a99773a629b58171a6e28706bf083700f35037a0cb0649c9359987ccf77b44b4b3d94c614c74537c7025b503dc9967095411ecaec4b4427bc39dd5dfccbb8bab5d92e9465ab11e5e05d7319028181008b306e388e837461b89dc786f256c7991c18f31b6ade1eba77bb242cc071a7d0726954bbe9b62cac26559fa165d04b6536e3146f9dae4733c83b717d1705003051e81e90b56226cac18740c0a7009b4ed3efde74c7f7950e6f8d2c1d951c30477ebb8b428822b9b105e3f54a49a0365e6d7f895683f5b273019c3bbd663dfc190281807f5def6e12b1a682407405a2c8ba2356c5f2853a7fa2778bf4d6e364c87b4e5b5d138023427438b7b1da63b35088b808570dd0ee6afee2b4bbb074c382905235ebe11d176f4cc2fed3696e21b2ad358b947d04ed37cd9220e99ed966be0383e38cddf373b3ae514a7fca704d15fe46306bf4a8f0c570e7f5486ae6273269d89902818031055903f23c7db8da8951aad134c83a7ca951c48c9a7b994f36d9815bc82c80527b6da8e4beff9fee67b1fde5064719a40448bd6d70d9da8910122402835a328e74cfd34e8b568c29fae6ff831ef824fc825e609547a06052a4113ec09f00649bb7b7d195a773f11711c88f152b10a1b4ae58bb6d8bfc176e39f96c7c0de5c8'
+);
+
+INSERT INTO private_key_identity (
+  private_key, identity
+) VALUES (
+  1, 3
+);
+
+INSERT INTO private_key_identity (
+  private_key, identity
+) VALUES (
+  1, 4
+);
+
+/* Configurations */
+
+INSERT INTO ike_configs (
+  local, remote
+) VALUES (
+  'PH_IP_MOON', '0.0.0.0'
+);
+
+INSERT INTO peer_configs (
+  name, ike_cfg, local_id, remote_id, pool
+) VALUES (
+  'rw', 1, 3, 5, 'pool0,pool1'
+);
+
+INSERT INTO child_configs (
+  name, updown
+) VALUES (
+  'rw', 'ipsec _updown iptables'
+);
+
+INSERT INTO peer_config_child_config (
+  peer_cfg, child_cfg
+) VALUES (
+  1, 1
+);
+
+INSERT INTO traffic_selectors (
+  type, start_addr, end_addr
+) VALUES ( /* 10.1.0.0/16 */
+  7, X'0a010000', X'0a01ffff'
+);
+
+INSERT INTO traffic_selectors (
+  type
+) VALUES ( /* dynamic/32 */
+  7
+);
+
+INSERT INTO child_config_traffic_selector (
+  child_cfg, traffic_selector, kind
+) VALUES (
+  1, 1, 0
+);
+
+INSERT INTO child_config_traffic_selector (
+  child_cfg, traffic_selector, kind
+) VALUES (
+  1, 2, 3
+);
+
+/* Pools */
+
+INSERT INTO pools (
+  name, start, end, timeout
+) VALUES (
+  'pool0', X'0a030001', X'0a030001', 0 
+);
+
+INSERT INTO pools (
+  name, start, end, timeout
+) VALUES (
+  'pool1', X'0a030101', X'0a030101', 0 
+);
+
+INSERT INTO addresses (
+  pool, address
+) VALUES (
+  1, X'0a030001'
+);
+
+INSERT INTO addresses (
+  pool, address
+) VALUES (
+  2, X'0a030101'
+);
+
diff --git a/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/ipsec.secrets b/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..76bb21bea
--- /dev/null
+++ b/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+# secrets are read from SQLite database
diff --git a/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/strongswan.conf b/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..a747a6cb1
--- /dev/null
+++ b/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,14 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  plugins {
+    sql {
+      database = sqlite:///etc/ipsec.d/ipsec.db 
+    }
+  }
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown sqlite sql
+}
+
+pool {
+  load = sqlite
+}
diff --git a/testing/tests/sql/ip-split-pools-db/posttest.dat b/testing/tests/sql/ip-split-pools-db/posttest.dat
new file mode 100644
index 000000000..5ff7b9d47
--- /dev/null
+++ b/testing/tests/sql/ip-split-pools-db/posttest.dat
@@ -0,0 +1,7 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::rm /etc/ipsec.d/ipsec.*
+carol::rm /etc/ipsec.d/ipsec.*
+dave::rm /etc/ipsec.d/ipsec.*
+~
diff --git a/testing/tests/sql/ip-split-pools-db/pretest.dat b/testing/tests/sql/ip-split-pools-db/pretest.dat
new file mode 100644
index 000000000..e1dcb9d51
--- /dev/null
+++ b/testing/tests/sql/ip-split-pools-db/pretest.dat
@@ -0,0 +1,17 @@
+moon::rm /etc/ipsec.d/cacerts/*
+carol::rm /etc/ipsec.d/cacerts/*
+dave::rm /etc/ipsec.d/cacerts/*
+moon::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+carol::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+dave::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+moon::ipsec pool --status 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
+dave::sleep 1
diff --git a/testing/tests/sql/ip-split-pools-db/test.conf b/testing/tests/sql/ip-split-pools-db/test.conf
new file mode 100644
index 000000000..75510b295
--- /dev/null
+++ b/testing/tests/sql/ip-split-pools-db/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="alice moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf
index 329498d28..afbc20ab0 100644
--- a/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf
@@ -10,6 +10,7 @@ charon {
 }
 
 libstrongswan {
+  integrity_test = yes
   crypto_test {
     on_add = yes
   }
diff --git a/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf
index 329498d28..afbc20ab0 100644
--- a/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf
@@ -10,6 +10,7 @@ charon {
 }
 
 libstrongswan {
+  integrity_test = yes
   crypto_test {
     on_add = yes
   }
diff --git a/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf
index 329498d28..afbc20ab0 100644
--- a/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf
@@ -10,6 +10,7 @@ charon {
 }
 
 libstrongswan {
+  integrity_test = yes
   crypto_test {
     on_add = yes
   }
-- 
cgit v1.2.3


From ed7d79f96177044949744da10f4431c1d6242241 Mon Sep 17 00:00:00 2001
From: Rene Mayrhofer <rene@mayrhofer.eu.org>
Date: Tue, 23 Feb 2010 10:34:14 +0000
Subject: [svn-upgrade] Integrating new upstream version, strongswan (4.3.6)

---
 Doxyfile.in                                        |  1180 +-
 Makefile.am                                        |     3 +
 Makefile.in                                        |   224 +-
 NEWS                                               |   305 +-
 aclocal.m4                                         |  8270 +------------
 config.guess                                       |    51 +-
 config.sub                                         |    54 +-
 configure                                          | 11724 +++++++------------
 configure.in                                       |   977 +-
 depcomp                                            |    87 +-
 install-sh                                         |     5 +-
 ltmain.sh                                          |    25 +-
 m4/config/libtool.m4                               |  7376 ++++++++++++
 m4/config/ltoptions.m4                             |   368 +
 m4/config/ltsugar.m4                               |   123 +
 m4/config/ltversion.m4                             |    23 +
 m4/config/lt~obsolete.m4                           |    92 +
 m4/macros/enable-disable.m4                        |    32 +
 m4/macros/with.m4                                  |    24 +
 missing                                            |    49 +-
 scripts/Makefile.am                                |     3 +-
 scripts/Makefile.in                                |   118 +-
 scripts/bin2array.c                                |     2 +-
 scripts/bin2sql.c                                  |     2 +-
 scripts/dh_speed.c                                 |    28 +-
 scripts/id2sql.c                                   |     4 +-
 scripts/key2keyid.c                                |    50 +-
 scripts/keyid2sql.c                                |    49 +-
 scripts/pubkey_speed.c                             |    43 +-
 scripts/thread_analysis.c                          |    22 +-
 src/Makefile.am                                    |     8 +-
 src/Makefile.in                                    |   196 +-
 src/_copyright/Makefile.in                         |   262 +-
 src/_copyright/_copyright.c                        |     4 +-
 src/_updown/Makefile.am                            |     6 +-
 src/_updown/Makefile.in                            |   222 +-
 src/_updown/_updown.in                             |    26 +-
 src/_updown_espmark/Makefile.in                    |   216 +-
 src/charon/Makefile.am                             |    55 +-
 src/charon/Makefile.in                             |   839 +-
 src/charon/bus/bus.c                               |   164 +-
 src/charon/bus/bus.h                               |    49 +-
 src/charon/bus/listeners/file_logger.c             |    16 +-
 src/charon/bus/listeners/file_logger.h             |     6 +-
 src/charon/bus/listeners/listener.h                |    29 +-
 src/charon/bus/listeners/sys_logger.c              |    16 +-
 src/charon/bus/listeners/sys_logger.h              |     6 +-
 src/charon/config/attributes/attribute_handler.h   |    58 -
 src/charon/config/attributes/attribute_manager.c   |   267 -
 src/charon/config/attributes/attribute_manager.h   |   135 -
 src/charon/config/attributes/attribute_provider.h  |    67 -
 src/charon/config/auth_cfg.c                       |    56 +-
 src/charon/config/auth_cfg.h                       |    24 +-
 src/charon/config/backend_manager.c                |    67 +-
 src/charon/config/backend_manager.h                |    14 +-
 src/charon/config/child_cfg.c                      |   143 +-
 src/charon/config/child_cfg.h                      |   146 +-
 src/charon/config/ike_cfg.c                        |    44 +-
 src/charon/config/ike_cfg.h                        |    48 +-
 src/charon/config/peer_cfg.c                       |    90 +-
 src/charon/config/peer_cfg.h                       |    90 +-
 src/charon/config/proposal.c                       |   131 +-
 src/charon/config/proposal.h                       |    63 +-
 src/charon/config/traffic_selector.c               |   856 --
 src/charon/config/traffic_selector.h               |   304 -
 src/charon/control/controller.c                    |    62 +-
 src/charon/control/controller.h                    |    12 +-
 src/charon/credentials/credential_manager.c        |   337 +-
 src/charon/credentials/credential_manager.h        |    36 +-
 src/charon/credentials/credential_set.h            |    12 +-
 src/charon/credentials/sets/auth_cfg_wrapper.c     |    24 +-
 src/charon/credentials/sets/auth_cfg_wrapper.h     |     8 +-
 src/charon/credentials/sets/cert_cache.c           |    46 +-
 src/charon/credentials/sets/cert_cache.h           |     6 +-
 .../credentials/sets/ocsp_response_wrapper.c       |    14 +-
 .../credentials/sets/ocsp_response_wrapper.h       |     8 +-
 src/charon/daemon.c                                |   160 +-
 src/charon/daemon.h                                |   119 +-
 src/charon/encoding/generator.c                    |   172 +-
 src/charon/encoding/generator.h                    |    10 +-
 src/charon/encoding/message.c                      |   480 +-
 src/charon/encoding/message.h                      |   114 +-
 src/charon/encoding/parser.c                       |    44 +-
 src/charon/encoding/parser.h                       |    16 +-
 src/charon/encoding/payloads/auth_payload.c        |    30 +-
 src/charon/encoding/payloads/auth_payload.h        |    20 +-
 src/charon/encoding/payloads/cert_payload.c        |    43 +-
 src/charon/encoding/payloads/cert_payload.h        |    30 +-
 src/charon/encoding/payloads/certreq_payload.c     |    26 +-
 src/charon/encoding/payloads/certreq_payload.h     |    10 +-
 .../encoding/payloads/configuration_attribute.c    |   217 +-
 .../encoding/payloads/configuration_attribute.h    |    99 +-
 src/charon/encoding/payloads/cp_payload.c          |   159 +-
 src/charon/encoding/payloads/cp_payload.h          |    61 +-
 src/charon/encoding/payloads/delete_payload.c      |    34 +-
 src/charon/encoding/payloads/delete_payload.h      |    10 +-
 src/charon/encoding/payloads/eap_payload.c         |   197 +-
 src/charon/encoding/payloads/eap_payload.h         |    16 +-
 src/charon/encoding/payloads/encodings.h           |   378 +-
 src/charon/encoding/payloads/encryption_payload.c  |   132 +-
 src/charon/encoding/payloads/encryption_payload.h  |    44 +-
 src/charon/encoding/payloads/endpoint_notify.c     |    90 +-
 src/charon/encoding/payloads/endpoint_notify.h     |    62 +-
 src/charon/encoding/payloads/id_payload.c          |    34 +-
 src/charon/encoding/payloads/id_payload.h          |    26 +-
 src/charon/encoding/payloads/ike_header.c          |    83 +-
 src/charon/encoding/payloads/ike_header.h          |    41 +-
 src/charon/encoding/payloads/ke_payload.c          |    54 +-
 src/charon/encoding/payloads/ke_payload.h          |    22 +-
 src/charon/encoding/payloads/nonce_payload.c       |    48 +-
 src/charon/encoding/payloads/nonce_payload.h       |    10 +-
 src/charon/encoding/payloads/notify_payload.c      |    96 +-
 src/charon/encoding/payloads/notify_payload.h      |    54 +-
 src/charon/encoding/payloads/payload.h             |    64 +-
 .../encoding/payloads/proposal_substructure.c      |   106 +-
 .../encoding/payloads/proposal_substructure.h      |    36 +-
 src/charon/encoding/payloads/sa_payload.c          |    74 +-
 src/charon/encoding/payloads/sa_payload.h          |    26 +-
 .../payloads/traffic_selector_substructure.c       |    46 +-
 .../payloads/traffic_selector_substructure.h       |    48 +-
 src/charon/encoding/payloads/transform_attribute.c |    50 +-
 src/charon/encoding/payloads/transform_attribute.h |    34 +-
 .../encoding/payloads/transform_substructure.c     |    80 +-
 .../encoding/payloads/transform_substructure.h     |    50 +-
 src/charon/encoding/payloads/ts_payload.c          |    54 +-
 src/charon/encoding/payloads/ts_payload.h          |    32 +-
 src/charon/encoding/payloads/unknown_payload.c     |    28 +-
 src/charon/encoding/payloads/unknown_payload.h     |    14 +-
 src/charon/encoding/payloads/vendor_id_payload.c   |    99 +-
 src/charon/encoding/payloads/vendor_id_payload.h   |    49 +-
 src/charon/kernel/kernel_interface.c               |    53 +-
 src/charon/kernel/kernel_interface.h               |   106 +-
 src/charon/kernel/kernel_ipsec.c                   |     2 -
 src/charon/kernel/kernel_ipsec.h                   |    82 +-
 src/charon/kernel/kernel_net.h                     |    26 +-
 src/charon/network/packet.c                        |    16 +-
 src/charon/network/packet.h                        |    46 +-
 src/charon/network/receiver.c                      |    84 +-
 src/charon/network/receiver.h                      |    12 +-
 src/charon/network/sender.c                        |    39 +-
 src/charon/network/sender.h                        |    10 +-
 src/charon/network/socket-raw.c                    |   106 +-
 src/charon/network/socket.c                        |    93 +-
 src/charon/network/socket.h                        |    28 +-
 src/charon/plugins/attr/Makefile.in                |   143 +-
 src/charon/plugins/attr/attr_plugin.c              |    14 +-
 src/charon/plugins/attr/attr_plugin.h              |     2 +-
 src/charon/plugins/attr/attr_provider.c            |   118 +-
 src/charon/plugins/attr/attr_provider.h            |     6 +-
 src/charon/plugins/eap_aka/Makefile.am             |    13 +-
 src/charon/plugins/eap_aka/Makefile.in             |   183 +-
 src/charon/plugins/eap_aka/eap_aka.c               |  1553 ---
 src/charon/plugins/eap_aka/eap_aka.h               |    81 -
 src/charon/plugins/eap_aka/eap_aka_peer.c          |   583 +
 src/charon/plugins/eap_aka/eap_aka_peer.h          |    49 +
 src/charon/plugins/eap_aka/eap_aka_plugin.c        |    19 +-
 src/charon/plugins/eap_aka/eap_aka_plugin.h        |     7 +-
 src/charon/plugins/eap_aka/eap_aka_server.c        |   700 ++
 src/charon/plugins/eap_aka/eap_aka_server.h        |    49 +
 src/charon/plugins/eap_aka_3gpp2/Makefile.am       |    15 +
 src/charon/plugins/eap_aka_3gpp2/Makefile.in       |   579 +
 .../plugins/eap_aka_3gpp2/eap_aka_3gpp2_card.c     |   178 +
 .../plugins/eap_aka_3gpp2/eap_aka_3gpp2_card.h     |    53 +
 .../eap_aka_3gpp2/eap_aka_3gpp2_functions.c        |   394 +
 .../eap_aka_3gpp2/eap_aka_3gpp2_functions.h        |   125 +
 .../plugins/eap_aka_3gpp2/eap_aka_3gpp2_plugin.c   |    87 +
 .../plugins/eap_aka_3gpp2/eap_aka_3gpp2_plugin.h   |    62 +
 .../plugins/eap_aka_3gpp2/eap_aka_3gpp2_provider.c |   204 +
 .../plugins/eap_aka_3gpp2/eap_aka_3gpp2_provider.h |    52 +
 src/charon/plugins/eap_gtc/Makefile.am             |     6 +-
 src/charon/plugins/eap_gtc/Makefile.in             |   169 +-
 src/charon/plugins/eap_gtc/eap_gtc.c               |    54 +-
 src/charon/plugins/eap_gtc/eap_gtc_plugin.c        |     8 +-
 src/charon/plugins/eap_identity/Makefile.am        |     6 +-
 src/charon/plugins/eap_identity/Makefile.in        |   171 +-
 src/charon/plugins/eap_identity/eap_identity.c     |    32 +-
 .../plugins/eap_identity/eap_identity_plugin.c     |     6 +-
 src/charon/plugins/eap_md5/Makefile.am             |     6 +-
 src/charon/plugins/eap_md5/Makefile.in             |   169 +-
 src/charon/plugins/eap_md5/eap_md5.c               |    52 +-
 src/charon/plugins/eap_md5/eap_md5_plugin.c        |     6 +-
 src/charon/plugins/eap_mschapv2/Makefile.am        |     6 +-
 src/charon/plugins/eap_mschapv2/Makefile.in        |   171 +-
 src/charon/plugins/eap_mschapv2/eap_mschapv2.c     |   317 +-
 .../plugins/eap_mschapv2/eap_mschapv2_plugin.c     |     6 +-
 src/charon/plugins/eap_radius/Makefile.am          |     6 +-
 src/charon/plugins/eap_radius/Makefile.in          |   169 +-
 src/charon/plugins/eap_radius/eap_radius.c         |    76 +-
 src/charon/plugins/eap_radius/eap_radius_plugin.c  |     8 +-
 src/charon/plugins/eap_radius/radius_client.c      |    69 +-
 src/charon/plugins/eap_radius/radius_client.h      |     8 +-
 src/charon/plugins/eap_radius/radius_message.c     |    33 +-
 src/charon/plugins/eap_radius/radius_message.h     |    20 +-
 src/charon/plugins/eap_sim/Makefile.am             |    15 +-
 src/charon/plugins/eap_sim/Makefile.in             |   184 +-
 src/charon/plugins/eap_sim/eap_sim.c               |  1149 --
 src/charon/plugins/eap_sim/eap_sim.h               |    61 -
 src/charon/plugins/eap_sim/eap_sim_peer.c          |   654 ++
 src/charon/plugins/eap_sim/eap_sim_peer.h          |    57 +
 src/charon/plugins/eap_sim/eap_sim_plugin.c        |    19 +-
 src/charon/plugins/eap_sim/eap_sim_server.c        |   611 +
 src/charon/plugins/eap_sim/eap_sim_server.h        |    57 +
 src/charon/plugins/eap_sim_file/Makefile.am        |     8 +-
 src/charon/plugins/eap_sim_file/Makefile.in        |   173 +-
 .../plugins/eap_sim_file/eap_sim_file_card.c       |    71 +-
 .../plugins/eap_sim_file/eap_sim_file_card.h       |     4 +-
 .../plugins/eap_sim_file/eap_sim_file_plugin.c     |    24 +-
 .../plugins/eap_sim_file/eap_sim_file_provider.c   |    43 +-
 .../plugins/eap_sim_file/eap_sim_file_provider.h   |     6 +-
 .../plugins/eap_sim_file/eap_sim_file_triplets.c   |    58 +-
 .../plugins/eap_sim_file/eap_sim_file_triplets.h   |    20 +-
 .../plugins/eap_simaka_pseudonym/Makefile.am       |    13 +
 .../plugins/eap_simaka_pseudonym/Makefile.in       |   577 +
 .../eap_simaka_pseudonym_card.c                    |   154 +
 .../eap_simaka_pseudonym_card.h                    |    49 +
 .../eap_simaka_pseudonym_plugin.c                  |    81 +
 .../eap_simaka_pseudonym_plugin.h                  |    47 +
 .../eap_simaka_pseudonym_provider.c                |   182 +
 .../eap_simaka_pseudonym_provider.h                |    49 +
 src/charon/plugins/eap_simaka_reauth/Makefile.am   |    13 +
 src/charon/plugins/eap_simaka_reauth/Makefile.in   |   576 +
 .../eap_simaka_reauth/eap_simaka_reauth_card.c     |   170 +
 .../eap_simaka_reauth/eap_simaka_reauth_card.h     |    49 +
 .../eap_simaka_reauth/eap_simaka_reauth_plugin.c   |    79 +
 .../eap_simaka_reauth/eap_simaka_reauth_plugin.h   |    47 +
 .../eap_simaka_reauth/eap_simaka_reauth_provider.c |   209 +
 .../eap_simaka_reauth/eap_simaka_reauth_provider.h |    49 +
 src/charon/plugins/kernel_klips/Makefile.am        |     2 +-
 src/charon/plugins/kernel_klips/Makefile.in        |   145 +-
 .../plugins/kernel_klips/kernel_klips_ipsec.c      |   618 +-
 .../plugins/kernel_klips/kernel_klips_plugin.c     |     6 +-
 src/charon/plugins/kernel_klips/pfkeyv2.h          |     4 +-
 src/charon/plugins/kernel_netlink/Makefile.am      |     6 +-
 src/charon/plugins/kernel_netlink/Makefile.in      |   150 +-
 .../plugins/kernel_netlink/kernel_netlink_ipsec.c  |   591 +-
 .../plugins/kernel_netlink/kernel_netlink_net.c    |   384 +-
 .../plugins/kernel_netlink/kernel_netlink_plugin.c |     6 +-
 .../plugins/kernel_netlink/kernel_netlink_shared.c |    58 +-
 .../plugins/kernel_netlink/kernel_netlink_shared.h |    12 +-
 src/charon/plugins/kernel_pfkey/Makefile.am        |     2 +-
 src/charon/plugins/kernel_pfkey/Makefile.in        |   145 +-
 .../plugins/kernel_pfkey/kernel_pfkey_ipsec.c      |   392 +-
 .../plugins/kernel_pfkey/kernel_pfkey_plugin.c     |     6 +-
 src/charon/plugins/kernel_pfroute/Makefile.am      |     2 +-
 src/charon/plugins/kernel_pfroute/Makefile.in      |   145 +-
 .../plugins/kernel_pfroute/kernel_pfroute_net.c    |   131 +-
 .../plugins/kernel_pfroute/kernel_pfroute_plugin.c |     6 +-
 src/charon/plugins/load_tester/Makefile.in         |   143 +-
 .../plugins/load_tester/load_tester_config.c       |    75 +-
 .../plugins/load_tester/load_tester_config.h       |     4 +-
 src/charon/plugins/load_tester/load_tester_creds.c |    65 +-
 src/charon/plugins/load_tester/load_tester_creds.h |     4 +-
 .../load_tester/load_tester_diffie_hellman.c       |     8 +-
 .../load_tester/load_tester_diffie_hellman.h       |     6 +-
 src/charon/plugins/load_tester/load_tester_ipsec.c |    29 +-
 .../plugins/load_tester/load_tester_listener.c     |    20 +-
 .../plugins/load_tester/load_tester_listener.h     |     4 +-
 .../plugins/load_tester/load_tester_plugin.c       |    59 +-
 .../plugins/load_tester/load_tester_plugin.h       |     2 +-
 src/charon/plugins/medcli/Makefile.in              |   143 +-
 src/charon/plugins/medcli/medcli_config.c          |    85 +-
 src/charon/plugins/medcli/medcli_config.h          |     4 +-
 src/charon/plugins/medcli/medcli_creds.c           |    18 +-
 src/charon/plugins/medcli/medcli_creds.h           |     4 +-
 src/charon/plugins/medcli/medcli_listener.c        |    10 +-
 src/charon/plugins/medcli/medcli_listener.h        |     4 +-
 src/charon/plugins/medcli/medcli_plugin.c          |    20 +-
 src/charon/plugins/medsrv/Makefile.in              |   143 +-
 src/charon/plugins/medsrv/medsrv_config.c          |    20 +-
 src/charon/plugins/medsrv/medsrv_config.h          |     4 +-
 src/charon/plugins/medsrv/medsrv_creds.c           |    12 +-
 src/charon/plugins/medsrv/medsrv_creds.h           |     4 +-
 src/charon/plugins/medsrv/medsrv_plugin.c          |    18 +-
 src/charon/plugins/nm/Makefile.am                  |     3 +-
 src/charon/plugins/nm/Makefile.in                  |   147 +-
 src/charon/plugins/nm/nm_creds.c                   |   240 +-
 src/charon/plugins/nm/nm_creds.h                   |    15 +-
 src/charon/plugins/nm/nm_handler.c                 |    69 +-
 src/charon/plugins/nm/nm_handler.h                 |    10 +-
 src/charon/plugins/nm/nm_plugin.c                  |    26 +-
 src/charon/plugins/nm/nm_service.c                 |   168 +-
 src/charon/plugins/resolv_conf/Makefile.am         |    13 -
 src/charon/plugins/resolv_conf/Makefile.in         |   518 -
 .../plugins/resolv_conf/resolv_conf_handler.c      |   192 -
 .../plugins/resolv_conf/resolv_conf_handler.h      |    49 -
 .../plugins/resolv_conf/resolv_conf_plugin.c       |    64 -
 .../plugins/resolv_conf/resolv_conf_plugin.h       |    47 -
 src/charon/plugins/resolve/Makefile.am             |    13 +
 src/charon/plugins/resolve/Makefile.in             |   574 +
 src/charon/plugins/resolve/resolve_handler.c       |   251 +
 src/charon/plugins/resolve/resolve_handler.h       |    49 +
 src/charon/plugins/resolve/resolve_plugin.c        |    62 +
 src/charon/plugins/resolve/resolve_plugin.h        |    47 +
 src/charon/plugins/smp/Makefile.in                 |   143 +-
 src/charon/plugins/smp/smp.c                       |   156 +-
 src/charon/plugins/sql/Makefile.am                 |    11 +-
 src/charon/plugins/sql/Makefile.in                 |   240 +-
 src/charon/plugins/sql/pool.c                      |   797 --
 src/charon/plugins/sql/sql_attribute.c             |   363 -
 src/charon/plugins/sql/sql_attribute.h             |    49 -
 src/charon/plugins/sql/sql_config.c                |    49 +-
 src/charon/plugins/sql/sql_config.h                |     4 +-
 src/charon/plugins/sql/sql_cred.c                  |    20 +-
 src/charon/plugins/sql/sql_cred.h                  |     4 +-
 src/charon/plugins/sql/sql_logger.c                |    20 +-
 src/charon/plugins/sql/sql_logger.h                |     4 +-
 src/charon/plugins/sql/sql_plugin.c                |    30 +-
 src/charon/plugins/stroke/Makefile.am              |     2 +-
 src/charon/plugins/stroke/Makefile.in              |   145 +-
 src/charon/plugins/stroke/stroke_attribute.c       |    68 +-
 src/charon/plugins/stroke/stroke_attribute.h       |    14 +-
 src/charon/plugins/stroke/stroke_ca.c              |    77 +-
 src/charon/plugins/stroke/stroke_ca.h              |    18 +-
 src/charon/plugins/stroke/stroke_config.c          |   142 +-
 src/charon/plugins/stroke/stroke_config.h          |    12 +-
 src/charon/plugins/stroke/stroke_control.c         |    52 +-
 src/charon/plugins/stroke/stroke_control.h         |    12 +-
 src/charon/plugins/stroke/stroke_cred.c            |   357 +-
 src/charon/plugins/stroke/stroke_cred.h            |    21 +-
 src/charon/plugins/stroke/stroke_list.c            |   385 +-
 src/charon/plugins/stroke/stroke_list.h            |     6 +-
 src/charon/plugins/stroke/stroke_plugin.c          |     6 +-
 src/charon/plugins/stroke/stroke_plugin.h          |     2 +-
 src/charon/plugins/stroke/stroke_shared_key.c      |    12 +-
 src/charon/plugins/stroke/stroke_shared_key.h      |     6 +-
 src/charon/plugins/stroke/stroke_socket.c          |    95 +-
 src/charon/plugins/stroke/stroke_socket.h          |     8 +-
 src/charon/plugins/uci/Makefile.in                 |   143 +-
 src/charon/plugins/uci/uci_config.c                |    47 +-
 src/charon/plugins/uci/uci_config.h                |     4 +-
 src/charon/plugins/uci/uci_control.c               |    35 +-
 src/charon/plugins/uci/uci_control.h               |     2 +-
 src/charon/plugins/uci/uci_creds.c                 |    14 +-
 src/charon/plugins/uci/uci_creds.h                 |     4 +-
 src/charon/plugins/uci/uci_parser.c                |    24 +-
 src/charon/plugins/uci/uci_parser.h                |     4 +-
 src/charon/plugins/uci/uci_plugin.c                |    12 +-
 src/charon/plugins/unit_tester/Makefile.in         |   221 +-
 src/charon/plugins/unit_tester/tests.h             |     2 +-
 src/charon/plugins/unit_tester/tests/test_agent.c  |    14 +-
 .../plugins/unit_tester/tests/test_auth_info.c     |    17 +-
 src/charon/plugins/unit_tester/tests/test_cert.c   |    12 +-
 src/charon/plugins/unit_tester/tests/test_chunk.c  |    20 +-
 src/charon/plugins/unit_tester/tests/test_curl.c   |     4 +-
 .../plugins/unit_tester/tests/test_enumerator.c    |    34 +-
 src/charon/plugins/unit_tester/tests/test_id.c     |    22 +-
 src/charon/plugins/unit_tester/tests/test_med_db.c |    16 +-
 src/charon/plugins/unit_tester/tests/test_mutex.c  |    16 +-
 src/charon/plugins/unit_tester/tests/test_mysql.c  |     5 +-
 src/charon/plugins/unit_tester/tests/test_pool.c   |    21 +-
 .../plugins/unit_tester/tests/test_rsa_gen.c       |    55 +-
 src/charon/plugins/unit_tester/tests/test_sqlite.c |     5 +-
 src/charon/plugins/unit_tester/unit_tester.c       |    16 +-
 src/charon/plugins/unit_tester/unit_tester.h       |     2 +-
 src/charon/plugins/updown/Makefile.am              |     2 +-
 src/charon/plugins/updown/Makefile.in              |   145 +-
 src/charon/plugins/updown/updown_listener.c        |   102 +-
 src/charon/plugins/updown/updown_listener.h        |     6 +-
 src/charon/plugins/updown/updown_plugin.c          |     8 +-
 src/charon/processing/jobs/acquire_job.c           |    12 +-
 src/charon/processing/jobs/acquire_job.h           |     4 +-
 src/charon/processing/jobs/callback_job.c          |   178 +-
 src/charon/processing/jobs/callback_job.h          |    13 +-
 src/charon/processing/jobs/delete_child_sa_job.c   |    20 +-
 src/charon/processing/jobs/delete_child_sa_job.h   |     6 +-
 src/charon/processing/jobs/delete_ike_sa_job.c     |    14 +-
 src/charon/processing/jobs/delete_ike_sa_job.h     |     8 +-
 src/charon/processing/jobs/inactivity_job.c        |   150 +
 src/charon/processing/jobs/inactivity_job.h        |    53 +
 .../processing/jobs/initiate_mediation_job.c       |    78 +-
 .../processing/jobs/initiate_mediation_job.h       |    11 +-
 src/charon/processing/jobs/job.h                   |     2 +-
 src/charon/processing/jobs/mediation_job.c         |    34 +-
 src/charon/processing/jobs/mediation_job.h         |    10 +-
 src/charon/processing/jobs/migrate_job.c           |    12 +-
 src/charon/processing/jobs/migrate_job.h           |    18 +-
 src/charon/processing/jobs/process_message_job.c   |    12 +-
 src/charon/processing/jobs/process_message_job.h   |     2 +-
 src/charon/processing/jobs/rekey_child_sa_job.c    |    20 +-
 src/charon/processing/jobs/rekey_child_sa_job.h    |     2 +-
 src/charon/processing/jobs/rekey_ike_sa_job.c      |    16 +-
 src/charon/processing/jobs/rekey_ike_sa_job.h      |     2 +-
 src/charon/processing/jobs/retransmit_job.c        |    10 +-
 src/charon/processing/jobs/retransmit_job.h        |     2 +-
 src/charon/processing/jobs/roam_job.c              |    16 +-
 src/charon/processing/jobs/roam_job.h              |     4 +-
 src/charon/processing/jobs/send_dpd_job.c          |    12 +-
 src/charon/processing/jobs/send_dpd_job.h          |     4 +-
 src/charon/processing/jobs/send_keepalive_job.c    |    10 +-
 src/charon/processing/jobs/send_keepalive_job.h    |     4 +-
 src/charon/processing/jobs/update_sa_job.c         |    14 +-
 src/charon/processing/jobs/update_sa_job.h         |     2 +-
 src/charon/processing/processor.c                  |    87 +-
 src/charon/processing/processor.h                  |    16 +-
 src/charon/processing/scheduler.c                  |    86 +-
 src/charon/processing/scheduler.h                  |    15 +-
 src/charon/sa/authenticators/authenticator.c       |     2 +-
 src/charon/sa/authenticators/authenticator.h       |    34 +-
 src/charon/sa/authenticators/eap/eap_manager.c     |    26 +-
 src/charon/sa/authenticators/eap/eap_manager.h     |    12 +-
 src/charon/sa/authenticators/eap/eap_method.c      |    28 +-
 src/charon/sa/authenticators/eap/eap_method.h      |    24 +-
 src/charon/sa/authenticators/eap/sim_manager.c     |   462 +-
 src/charon/sa/authenticators/eap/sim_manager.h     |   459 +-
 src/charon/sa/authenticators/eap_authenticator.c   |   175 +-
 src/charon/sa/authenticators/eap_authenticator.h   |     2 +-
 src/charon/sa/authenticators/psk_authenticator.c   |    30 +-
 src/charon/sa/authenticators/psk_authenticator.h   |     2 +-
 .../sa/authenticators/pubkey_authenticator.c       |    34 +-
 .../sa/authenticators/pubkey_authenticator.h       |     2 +-
 src/charon/sa/child_sa.c                           |   185 +-
 src/charon/sa/child_sa.h                           |    71 +-
 src/charon/sa/connect_manager.c                    |   663 +-
 src/charon/sa/connect_manager.h                    |   105 +-
 src/charon/sa/ike_sa.c                             |   453 +-
 src/charon/sa/ike_sa.h                             |   351 +-
 src/charon/sa/ike_sa_id.h                          |    12 +-
 src/charon/sa/ike_sa_manager.c                     |   256 +-
 src/charon/sa/ike_sa_manager.h                     |    56 +-
 src/charon/sa/keymat.c                             |   113 +-
 src/charon/sa/keymat.h                             |    14 +-
 src/charon/sa/mediation_manager.c                  |    78 +-
 src/charon/sa/mediation_manager.h                  |    43 +-
 src/charon/sa/task_manager.c                       |   170 +-
 src/charon/sa/task_manager.h                       |    26 +-
 src/charon/sa/tasks/child_create.c                 |   325 +-
 src/charon/sa/tasks/child_create.h                 |    10 +-
 src/charon/sa/tasks/child_delete.c                 |    63 +-
 src/charon/sa/tasks/child_delete.h                 |     2 +-
 src/charon/sa/tasks/child_rekey.c                  |   173 +-
 src/charon/sa/tasks/child_rekey.h                  |     4 +-
 src/charon/sa/tasks/ike_auth.c                     |   363 +-
 src/charon/sa/tasks/ike_auth_lifetime.c            |    44 +-
 src/charon/sa/tasks/ike_auth_lifetime.h            |     4 +-
 src/charon/sa/tasks/ike_cert_post.c                |   100 +-
 src/charon/sa/tasks/ike_cert_post.h                |     2 +-
 src/charon/sa/tasks/ike_cert_pre.c                 |   101 +-
 src/charon/sa/tasks/ike_cert_pre.h                 |     2 +-
 src/charon/sa/tasks/ike_config.c                   |   276 +-
 src/charon/sa/tasks/ike_config.h                   |     2 +-
 src/charon/sa/tasks/ike_delete.c                   |    18 +-
 src/charon/sa/tasks/ike_dpd.c                      |     6 +-
 src/charon/sa/tasks/ike_init.c                     |   168 +-
 src/charon/sa/tasks/ike_init.h                     |     2 +-
 src/charon/sa/tasks/ike_me.c                       |   316 +-
 src/charon/sa/tasks/ike_me.h                       |    40 +-
 src/charon/sa/tasks/ike_mobike.c                   |    74 +-
 src/charon/sa/tasks/ike_mobike.h                   |    16 +-
 src/charon/sa/tasks/ike_natd.c                     |    80 +-
 src/charon/sa/tasks/ike_natd.h                     |     2 +-
 src/charon/sa/tasks/ike_reauth.c                   |    26 +-
 src/charon/sa/tasks/ike_rekey.c                    |    89 +-
 src/charon/sa/tasks/ike_rekey.h                    |     4 +-
 src/charon/sa/tasks/ike_vendor.c                   |   139 +
 src/charon/sa/tasks/ike_vendor.h                   |    49 +
 src/charon/sa/tasks/task.c                         |     2 +
 src/charon/sa/tasks/task.h                         |    12 +-
 src/charon/sa/trap_manager.c                       |   112 +-
 src/charon/sa/trap_manager.h                       |    12 +-
 src/checksum/Makefile.am                           |     5 +-
 src/checksum/Makefile.in                           |   160 +-
 src/checksum/checksum_builder.c                    |    18 +-
 src/dumm/Makefile.in                               |   199 +-
 src/dumm/bridge.c                                  |     6 +-
 src/dumm/bridge.h                                  |    12 +-
 src/dumm/cowfs.c                                   |   115 +-
 src/dumm/cowfs.h                                   |     4 +-
 src/dumm/dumm.c                                    |    44 +-
 src/dumm/dumm.h                                    |    18 +-
 src/dumm/ext/dumm.c                                |    93 +-
 src/dumm/guest.c                                   |    76 +-
 src/dumm/guest.h                                   |    40 +-
 src/dumm/iface.c                                   |    18 +-
 src/dumm/iface.h                                   |    20 +-
 src/dumm/irdumm.c                                  |     8 +-
 src/dumm/main.c                                    |   134 +-
 src/dumm/mconsole.c                                |    42 +-
 src/dumm/mconsole.h                                |     8 +-
 src/include/Makefile.in                            |    73 +-
 src/include/linux/netlink.h                        |     6 +-
 src/include/linux/rtnetlink.h                      |    18 +-
 src/include/linux/udp.h                            |     2 +-
 src/include/linux/xfrm.h                           |    10 +-
 src/ipsec/Makefile.in                              |   216 +-
 src/libfast/Makefile.am                            |     2 +-
 src/libfast/Makefile.in                            |   149 +-
 src/libfast/context.h                              |     2 +-
 src/libfast/controller.h                           |     6 +-
 src/libfast/dispatcher.c                           |   261 +-
 src/libfast/dispatcher.h                           |    34 +-
 src/libfast/filter.h                               |     4 +-
 src/libfast/request.c                              |    82 +-
 src/libfast/request.h                              |    36 +-
 src/libfast/session.c                              |    54 +-
 src/libfast/session.h                              |    12 +-
 src/libfreeswan/Makefile.in                        |   206 +-
 src/libfreeswan/addrtoa.c                          |     4 +-
 src/libfreeswan/addrtot.c                          |    10 +-
 src/libfreeswan/addrtypeof.c                       |     4 +-
 src/libfreeswan/anyaddr.c                          |     4 +-
 src/libfreeswan/atoaddr.c                          |     4 +-
 src/libfreeswan/atoasr.c                           |     4 +-
 src/libfreeswan/atosa.c                            |     4 +-
 src/libfreeswan/atosubnet.c                        |     4 +-
 src/libfreeswan/atoul.c                            |     4 +-
 src/libfreeswan/datatot.c                          |     4 +-
 src/libfreeswan/freeswan.h                         |     6 +-
 src/libfreeswan/goodmask.c                         |     6 +-
 src/libfreeswan/initaddr.c                         |     4 +-
 src/libfreeswan/initsaid.c                         |     4 +-
 src/libfreeswan/initsubnet.c                       |     4 +-
 src/libfreeswan/internal.h                         |     4 +-
 src/libfreeswan/ipsec_param.h                      |    16 +-
 src/libfreeswan/keyblobtoid.c                      |     4 +-
 src/libfreeswan/pfkey.h                            |     4 +-
 src/libfreeswan/pfkey_v2_build.c                   |   118 +-
 src/libfreeswan/pfkey_v2_debug.c                   |     6 +-
 src/libfreeswan/pfkey_v2_ext_bits.c                |     4 +-
 src/libfreeswan/pfkey_v2_parse.c                   |   156 +-
 src/libfreeswan/pfkeyv2.h                          |     7 +-
 src/libfreeswan/portof.c                           |     4 +-
 src/libfreeswan/prng.c                             |     4 +-
 src/libfreeswan/rangetoa.c                         |     4 +-
 src/libfreeswan/rangetosubnet.c                    |     4 +-
 src/libfreeswan/sameaddr.c                         |     4 +-
 src/libfreeswan/satoa.c                            |     4 +-
 src/libfreeswan/satot.c                            |     6 +-
 src/libfreeswan/subnetof.c                         |     4 +-
 src/libfreeswan/subnettoa.c                        |     4 +-
 src/libfreeswan/subnettot.c                        |     4 +-
 src/libfreeswan/subnettypeof.c                     |     4 +-
 src/libfreeswan/ttoaddr.c                          |    10 +-
 src/libfreeswan/ttodata.c                          |    10 +-
 src/libfreeswan/ttoprotoport.c                     |     2 +-
 src/libfreeswan/ttosa.c                            |     4 +-
 src/libfreeswan/ttosubnet.c                        |     4 +-
 src/libfreeswan/ttoul.c                            |     4 +-
 src/libfreeswan/ultoa.c                            |     4 +-
 src/libfreeswan/ultot.c                            |     4 +-
 src/libsimaka/Makefile.am                          |     6 +
 src/libsimaka/Makefile.in                          |   516 +
 src/libsimaka/simaka_crypto.c                      |   241 +
 src/libsimaka/simaka_crypto.h                      |   110 +
 src/libsimaka/simaka_message.c                     |   909 ++
 src/libsimaka/simaka_message.h                     |   273 +
 src/libstrongswan/Makefile.am                      |    41 +-
 src/libstrongswan/Makefile.in                      |   650 +-
 src/libstrongswan/asn1/asn1.c                      |   311 +-
 src/libstrongswan/asn1/asn1.h                      |   110 +-
 src/libstrongswan/asn1/asn1_parser.c               |    38 +-
 src/libstrongswan/asn1/asn1_parser.h               |    16 +-
 src/libstrongswan/asn1/oid.c                       |   566 +-
 src/libstrongswan/asn1/oid.h                       |   296 +-
 src/libstrongswan/asn1/oid.txt                     |    78 +-
 src/libstrongswan/asn1/pem.c                       |   393 -
 src/libstrongswan/asn1/pem.h                       |    29 -
 src/libstrongswan/attributes/attribute_handler.h   |    72 +
 src/libstrongswan/attributes/attribute_manager.c   |   374 +
 src/libstrongswan/attributes/attribute_manager.h   |   149 +
 src/libstrongswan/attributes/attribute_provider.h  |    67 +
 src/libstrongswan/attributes/attributes.c          |    43 +
 src/libstrongswan/attributes/attributes.h          |    62 +
 src/libstrongswan/chunk.c                          |    87 +-
 src/libstrongswan/chunk.h                          |    34 +-
 src/libstrongswan/credentials/builder.c            |    31 +-
 src/libstrongswan/credentials/builder.h            |   105 +-
 src/libstrongswan/credentials/certificates/ac.h    |    24 +-
 .../credentials/certificates/certificate.c         |     7 +-
 .../credentials/certificates/certificate.h         |    42 +-
 src/libstrongswan/credentials/certificates/crl.c   |     2 +-
 src/libstrongswan/credentials/certificates/crl.h   |    28 +-
 .../credentials/certificates/ocsp_response.h       |    10 +-
 .../credentials/certificates/pgp_certificate.h     |    46 +
 .../credentials/certificates/pkcs10.h              |    57 +
 src/libstrongswan/credentials/certificates/x509.c  |     6 +-
 src/libstrongswan/credentials/certificates/x509.h  |    56 +-
 src/libstrongswan/credentials/credential_factory.c |   159 +-
 src/libstrongswan/credentials/credential_factory.h |    39 +-
 .../credentials/ietf_attributes/ietf_attributes.c  |   533 +
 .../credentials/ietf_attributes/ietf_attributes.h  |    92 +
 src/libstrongswan/credentials/keys/key_encoding.c  |   299 +
 src/libstrongswan/credentials/keys/key_encoding.h  |   203 +
 src/libstrongswan/credentials/keys/private_key.c   |    62 +
 src/libstrongswan/credentials/keys/private_key.h   |    89 +-
 src/libstrongswan/credentials/keys/public_key.c    |    56 +-
 src/libstrongswan/credentials/keys/public_key.h    |    87 +-
 src/libstrongswan/credentials/keys/shared_key.c    |    12 +-
 src/libstrongswan/credentials/keys/shared_key.h    |    18 +-
 src/libstrongswan/crypto/crypters/crypter.h        |    25 +-
 src/libstrongswan/crypto/crypto_factory.c          |    62 +-
 src/libstrongswan/crypto/crypto_factory.h          |    46 +-
 src/libstrongswan/crypto/crypto_tester.c           |    90 +-
 src/libstrongswan/crypto/crypto_tester.h           |    10 +-
 src/libstrongswan/crypto/diffie_hellman.h          |    28 +-
 src/libstrongswan/crypto/hashers/hasher.c          |    64 +-
 src/libstrongswan/crypto/hashers/hasher.h          |    34 +-
 src/libstrongswan/crypto/pkcs9.c                   |    56 +-
 src/libstrongswan/crypto/pkcs9.h                   |    12 +-
 src/libstrongswan/crypto/prf_plus.c                |    34 +-
 src/libstrongswan/crypto/prf_plus.h                |    18 +-
 src/libstrongswan/crypto/prfs/prf.h                |    22 +-
 .../crypto/proposal/proposal_keywords.c            |    91 +-
 .../crypto/proposal/proposal_keywords.h            |     6 +-
 .../crypto/proposal/proposal_keywords.txt          |     4 +-
 src/libstrongswan/crypto/rngs/rng.h                |     8 +-
 src/libstrongswan/crypto/signers/signer.c          |     7 +-
 src/libstrongswan/crypto/signers/signer.h          |    28 +-
 src/libstrongswan/database/database.h              |    58 +-
 src/libstrongswan/database/database_factory.c      |    14 +-
 src/libstrongswan/database/database_factory.h      |    12 +-
 src/libstrongswan/debug.c                          |    43 +-
 src/libstrongswan/debug.h                          |    14 +-
 src/libstrongswan/enum.h                           |     6 +-
 src/libstrongswan/fetcher/fetcher.h                |    22 +-
 src/libstrongswan/fetcher/fetcher_manager.c        |    22 +-
 src/libstrongswan/fetcher/fetcher_manager.h        |    12 +-
 src/libstrongswan/integrity_checker.c              |    42 +-
 src/libstrongswan/integrity_checker.h              |    14 +-
 src/libstrongswan/library.c                        |    22 +-
 src/libstrongswan/library.h                        |    34 +-
 src/libstrongswan/pgp/pgp.c                        |    93 -
 src/libstrongswan/pgp/pgp.h                        |   115 -
 src/libstrongswan/plugins/aes/Makefile.in          |   143 +-
 src/libstrongswan/plugins/aes/aes_crypter.c        |   136 +-
 src/libstrongswan/plugins/aes/aes_crypter.h        |     4 +-
 src/libstrongswan/plugins/aes/aes_plugin.c         |     6 +-
 src/libstrongswan/plugins/agent/Makefile.in        |   143 +-
 src/libstrongswan/plugins/agent/agent_plugin.c     |    10 +-
 src/libstrongswan/plugins/agent/agent_plugin.h     |     2 +-
 .../plugins/agent/agent_private_key.c              |   368 +-
 .../plugins/agent/agent_private_key.h              |    15 +-
 src/libstrongswan/plugins/attr_sql/Makefile.am     |    15 +
 src/libstrongswan/plugins/attr_sql/Makefile.in     |   633 +
 .../plugins/attr_sql/attr_sql_plugin.c             |    88 +
 .../plugins/attr_sql/attr_sql_plugin.h             |    47 +
 src/libstrongswan/plugins/attr_sql/pool.c          |  1050 ++
 src/libstrongswan/plugins/attr_sql/sql_attribute.c |   384 +
 src/libstrongswan/plugins/attr_sql/sql_attribute.h |    50 +
 src/libstrongswan/plugins/blowfish/Makefile.am     |     2 +-
 src/libstrongswan/plugins/blowfish/Makefile.in     |   145 +-
 src/libstrongswan/plugins/blowfish/bf_enc.c        |    12 +-
 src/libstrongswan/plugins/blowfish/bf_locl.h       |    12 +-
 src/libstrongswan/plugins/blowfish/bf_pi.h         |   524 +-
 src/libstrongswan/plugins/blowfish/bf_skey.c       |    12 +-
 src/libstrongswan/plugins/blowfish/blowfish.h      |    16 +-
 .../plugins/blowfish/blowfish_crypter.c            |    32 +-
 .../plugins/blowfish/blowfish_crypter.h            |     4 +-
 .../plugins/blowfish/blowfish_plugin.c             |     6 +-
 src/libstrongswan/plugins/curl/Makefile.in         |   143 +-
 src/libstrongswan/plugins/curl/curl_fetcher.c      |    56 +-
 src/libstrongswan/plugins/curl/curl_fetcher.h      |     5 -
 src/libstrongswan/plugins/curl/curl_plugin.c       |    18 +-
 src/libstrongswan/plugins/des/Makefile.in          |   143 +-
 src/libstrongswan/plugins/des/des_crypter.c        |    52 +-
 src/libstrongswan/plugins/des/des_crypter.h        |     4 +-
 src/libstrongswan/plugins/des/des_plugin.c         |     6 +-
 src/libstrongswan/plugins/dnskey/Makefile.am       |    12 +
 src/libstrongswan/plugins/dnskey/Makefile.in       |   571 +
 src/libstrongswan/plugins/dnskey/dnskey_builder.c  |   142 +
 src/libstrongswan/plugins/dnskey/dnskey_builder.h  |    51 +
 src/libstrongswan/plugins/dnskey/dnskey_plugin.c   |    60 +
 src/libstrongswan/plugins/dnskey/dnskey_plugin.h   |    47 +
 src/libstrongswan/plugins/fips_prf/Makefile.in     |   143 +-
 src/libstrongswan/plugins/fips_prf/fips_prf.c      |    33 +-
 src/libstrongswan/plugins/fips_prf/fips_prf.h      |     4 +-
 .../plugins/fips_prf/fips_prf_plugin.c             |     6 +-
 src/libstrongswan/plugins/gcrypt/Makefile.am       |     4 +-
 src/libstrongswan/plugins/gcrypt/Makefile.in       |   150 +-
 src/libstrongswan/plugins/gcrypt/gcrypt_crypter.c  |    26 +-
 src/libstrongswan/plugins/gcrypt/gcrypt_crypter.h  |     4 +-
 src/libstrongswan/plugins/gcrypt/gcrypt_dh.c       |    52 +-
 src/libstrongswan/plugins/gcrypt/gcrypt_dh.h       |     4 +-
 src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c   |    16 +-
 src/libstrongswan/plugins/gcrypt/gcrypt_hasher.h   |     4 +-
 src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c   |    62 +-
 src/libstrongswan/plugins/gcrypt/gcrypt_rng.c      |    12 +-
 src/libstrongswan/plugins/gcrypt/gcrypt_rng.h      |     6 +-
 .../plugins/gcrypt/gcrypt_rsa_private_key.c        |   496 +-
 .../plugins/gcrypt/gcrypt_rsa_private_key.h        |    25 +-
 .../plugins/gcrypt/gcrypt_rsa_public_key.c         |   315 +-
 .../plugins/gcrypt/gcrypt_rsa_public_key.h         |    15 +-
 src/libstrongswan/plugins/gmp/Makefile.in          |   143 +-
 src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c |    78 +-
 src/libstrongswan/plugins/gmp/gmp_diffie_hellman.h |     4 +-
 src/libstrongswan/plugins/gmp/gmp_plugin.c         |    36 +-
 src/libstrongswan/plugins/gmp/gmp_plugin.h         |     2 +-
 .../plugins/gmp/gmp_rsa_private_key.c              |   746 +-
 .../plugins/gmp/gmp_rsa_private_key.h              |    24 +-
 src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c |   544 +-
 src/libstrongswan/plugins/gmp/gmp_rsa_public_key.h |    14 +-
 src/libstrongswan/plugins/hmac/Makefile.in         |   143 +-
 src/libstrongswan/plugins/hmac/hmac.c              |    50 +-
 src/libstrongswan/plugins/hmac/hmac.h              |    30 +-
 src/libstrongswan/plugins/hmac/hmac_plugin.c       |    32 +-
 src/libstrongswan/plugins/hmac/hmac_prf.c          |    14 +-
 src/libstrongswan/plugins/hmac/hmac_prf.h          |     6 +-
 src/libstrongswan/plugins/hmac/hmac_signer.c       |    22 +-
 src/libstrongswan/plugins/hmac/hmac_signer.h       |     2 +-
 src/libstrongswan/plugins/ldap/Makefile.in         |   143 +-
 src/libstrongswan/plugins/ldap/ldap_fetcher.c      |    14 +-
 src/libstrongswan/plugins/ldap/ldap_plugin.c       |     6 +-
 src/libstrongswan/plugins/md4/Makefile.in          |   143 +-
 src/libstrongswan/plugins/md4/md4_hasher.c         |    28 +-
 src/libstrongswan/plugins/md4/md4_hasher.h         |     4 +-
 src/libstrongswan/plugins/md4/md4_plugin.c         |     6 +-
 src/libstrongswan/plugins/md5/Makefile.in          |   143 +-
 src/libstrongswan/plugins/md5/md5_hasher.c         |    34 +-
 src/libstrongswan/plugins/md5/md5_hasher.h         |     4 +-
 src/libstrongswan/plugins/md5/md5_plugin.c         |     6 +-
 src/libstrongswan/plugins/mysql/Makefile.am        |     4 +-
 src/libstrongswan/plugins/mysql/Makefile.in        |   150 +-
 src/libstrongswan/plugins/mysql/mysql_database.c   |   135 +-
 src/libstrongswan/plugins/mysql/mysql_plugin.c     |     6 +-
 src/libstrongswan/plugins/openssl/Makefile.in      |   143 +-
 .../plugins/openssl/openssl_crypter.c              |    42 +-
 .../plugins/openssl/openssl_crypter.h              |     4 +-
 .../plugins/openssl/openssl_diffie_hellman.c       |    46 +-
 .../plugins/openssl/openssl_diffie_hellman.h       |     4 +-
 .../plugins/openssl/openssl_ec_diffie_hellman.c    |    64 +-
 .../plugins/openssl/openssl_ec_diffie_hellman.h    |     4 +-
 .../plugins/openssl/openssl_ec_private_key.c       |   461 +-
 .../plugins/openssl/openssl_ec_private_key.h       |    23 +-
 .../plugins/openssl/openssl_ec_public_key.c        |   413 +-
 .../plugins/openssl/openssl_ec_public_key.h        |    11 +-
 src/libstrongswan/plugins/openssl/openssl_hasher.c |    28 +-
 src/libstrongswan/plugins/openssl/openssl_hasher.h |     4 +-
 src/libstrongswan/plugins/openssl/openssl_plugin.c |   106 +-
 .../plugins/openssl/openssl_rsa_private_key.c      |   462 +-
 .../plugins/openssl/openssl_rsa_private_key.h      |    36 +-
 .../plugins/openssl/openssl_rsa_public_key.c       |   356 +-
 .../plugins/openssl/openssl_rsa_public_key.h       |    10 +-
 src/libstrongswan/plugins/openssl/openssl_util.c   |    33 +-
 src/libstrongswan/plugins/openssl/openssl_util.h   |    10 +-
 src/libstrongswan/plugins/padlock/Makefile.in      |   143 +-
 .../plugins/padlock/padlock_aes_crypter.c          |    28 +-
 .../plugins/padlock/padlock_aes_crypter.h          |     4 +-
 src/libstrongswan/plugins/padlock/padlock_plugin.c |    12 +-
 src/libstrongswan/plugins/padlock/padlock_rng.c    |    18 +-
 src/libstrongswan/plugins/padlock/padlock_rng.h    |     4 +-
 .../plugins/padlock/padlock_sha1_hasher.c          |    24 +-
 .../plugins/padlock/padlock_sha1_hasher.h          |     2 +-
 src/libstrongswan/plugins/pem/Makefile.am          |    12 +
 src/libstrongswan/plugins/pem/Makefile.in          |   569 +
 src/libstrongswan/plugins/pem/pem_builder.c        |   566 +
 src/libstrongswan/plugins/pem/pem_builder.h        |    57 +
 src/libstrongswan/plugins/pem/pem_plugin.c         |   105 +
 src/libstrongswan/plugins/pem/pem_plugin.h         |    47 +
 src/libstrongswan/plugins/pgp/Makefile.am          |    15 +
 src/libstrongswan/plugins/pgp/Makefile.in          |   576 +
 src/libstrongswan/plugins/pgp/pgp_builder.c        |   275 +
 src/libstrongswan/plugins/pgp/pgp_builder.h        |    45 +
 src/libstrongswan/plugins/pgp/pgp_cert.c           |   501 +
 src/libstrongswan/plugins/pgp/pgp_cert.h           |    48 +
 src/libstrongswan/plugins/pgp/pgp_encoder.c        |    68 +
 src/libstrongswan/plugins/pgp/pgp_encoder.h        |    32 +
 src/libstrongswan/plugins/pgp/pgp_plugin.c         |    79 +
 src/libstrongswan/plugins/pgp/pgp_plugin.h         |    47 +
 src/libstrongswan/plugins/pgp/pgp_utils.c          |   180 +
 src/libstrongswan/plugins/pgp/pgp_utils.h          |   130 +
 src/libstrongswan/plugins/pkcs1/Makefile.am        |    13 +
 src/libstrongswan/plugins/pkcs1/Makefile.in        |   572 +
 src/libstrongswan/plugins/pkcs1/pkcs1_builder.c    |   299 +
 src/libstrongswan/plugins/pkcs1/pkcs1_builder.h    |    45 +
 src/libstrongswan/plugins/pkcs1/pkcs1_encoder.c    |   160 +
 src/libstrongswan/plugins/pkcs1/pkcs1_encoder.h    |    32 +
 src/libstrongswan/plugins/pkcs1/pkcs1_plugin.c     |    70 +
 src/libstrongswan/plugins/pkcs1/pkcs1_plugin.h     |    47 +
 src/libstrongswan/plugins/plugin.h                 |     8 +-
 src/libstrongswan/plugins/plugin_loader.c          |    64 +-
 src/libstrongswan/plugins/plugin_loader.h          |    26 +-
 src/libstrongswan/plugins/pubkey/Makefile.am       |     3 +-
 src/libstrongswan/plugins/pubkey/Makefile.in       |   150 +-
 src/libstrongswan/plugins/pubkey/pubkey_cert.c     |   175 +-
 src/libstrongswan/plugins/pubkey/pubkey_cert.h     |    10 +-
 src/libstrongswan/plugins/pubkey/pubkey_plugin.c   |    11 +-
 .../plugins/pubkey/pubkey_public_key.c             |   184 -
 .../plugins/pubkey/pubkey_public_key.h             |    34 -
 src/libstrongswan/plugins/random/Makefile.am       |     4 +-
 src/libstrongswan/plugins/random/Makefile.in       |   148 +-
 src/libstrongswan/plugins/random/random_plugin.c   |    10 +-
 src/libstrongswan/plugins/random/random_plugin.h   |     2 +-
 src/libstrongswan/plugins/random/random_rng.c      |    10 +-
 src/libstrongswan/plugins/random/random_rng.h      |     6 +-
 src/libstrongswan/plugins/sha1/Makefile.in         |   143 +-
 src/libstrongswan/plugins/sha1/sha1_hasher.c       |   190 +-
 src/libstrongswan/plugins/sha1/sha1_hasher.h       |     2 +-
 src/libstrongswan/plugins/sha1/sha1_plugin.c       |     6 +-
 src/libstrongswan/plugins/sha1/sha1_prf.c          |    12 +-
 src/libstrongswan/plugins/sha1/sha1_prf.h          |     2 +-
 src/libstrongswan/plugins/sha2/Makefile.in         |   143 +-
 src/libstrongswan/plugins/sha2/sha2_hasher.c       |    62 +-
 src/libstrongswan/plugins/sha2/sha2_hasher.h       |     4 +-
 src/libstrongswan/plugins/sha2/sha2_plugin.c       |     6 +-
 src/libstrongswan/plugins/sqlite/Makefile.in       |   143 +-
 src/libstrongswan/plugins/sqlite/sqlite_database.c |    26 +-
 src/libstrongswan/plugins/sqlite/sqlite_plugin.c   |     4 +-
 src/libstrongswan/plugins/test_vectors/Makefile.in |   275 +-
 .../plugins/test_vectors/test_vectors/blowfish.c   |     2 +-
 .../plugins/test_vectors/test_vectors/rng.c        |    18 +-
 .../plugins/test_vectors/test_vectors_plugin.c     |     6 +-
 src/libstrongswan/plugins/x509/Makefile.am         |     4 +-
 src/libstrongswan/plugins/x509/Makefile.in         |   153 +-
 src/libstrongswan/plugins/x509/ietf_attr_list.c    |   396 -
 src/libstrongswan/plugins/x509/ietf_attr_list.h    |    79 -
 src/libstrongswan/plugins/x509/x509_ac.c           |   416 +-
 src/libstrongswan/plugins/x509/x509_ac.h           |    30 +-
 src/libstrongswan/plugins/x509/x509_cert.c         |  1143 +-
 src/libstrongswan/plugins/x509/x509_cert.h         |    27 +-
 src/libstrongswan/plugins/x509/x509_crl.c          |   233 +-
 src/libstrongswan/plugins/x509/x509_crl.h          |    11 +-
 src/libstrongswan/plugins/x509/x509_ocsp_request.c |   221 +-
 src/libstrongswan/plugins/x509/x509_ocsp_request.h |    12 +-
 .../plugins/x509/x509_ocsp_response.c              |   212 +-
 .../plugins/x509/x509_ocsp_response.h              |    11 +-
 src/libstrongswan/plugins/x509/x509_pkcs10.c       |   707 ++
 src/libstrongswan/plugins/x509/x509_pkcs10.h       |    65 +
 src/libstrongswan/plugins/x509/x509_plugin.c       |    41 +-
 src/libstrongswan/plugins/xcbc/Makefile.in         |   143 +-
 src/libstrongswan/plugins/xcbc/xcbc.c              |    54 +-
 src/libstrongswan/plugins/xcbc/xcbc.h              |    20 +-
 src/libstrongswan/plugins/xcbc/xcbc_plugin.c       |     8 +-
 src/libstrongswan/plugins/xcbc/xcbc_prf.c          |    12 +-
 src/libstrongswan/plugins/xcbc/xcbc_prf.h          |     6 +-
 src/libstrongswan/plugins/xcbc/xcbc_signer.c       |    22 +-
 src/libstrongswan/plugins/xcbc/xcbc_signer.h       |     2 +-
 src/libstrongswan/printf_hook.c                    |    77 +-
 src/libstrongswan/printf_hook.h                    |    19 +-
 src/libstrongswan/selectors/traffic_selector.c     |   916 ++
 src/libstrongswan/selectors/traffic_selector.h     |   315 +
 src/libstrongswan/settings.c                       |   175 +-
 src/libstrongswan/settings.h                       |    56 +-
 src/libstrongswan/threading/condvar.h              |    96 +
 src/libstrongswan/threading/lock_profiler.h        |   102 +
 src/libstrongswan/threading/mutex.c                |   375 +
 src/libstrongswan/threading/mutex.h                |    68 +
 src/libstrongswan/threading/rwlock.c               |   327 +
 src/libstrongswan/threading/rwlock.h               |    80 +
 src/libstrongswan/threading/thread.c               |   440 +
 src/libstrongswan/threading/thread.h               |   187 +
 src/libstrongswan/threading/thread_value.c         |    78 +
 src/libstrongswan/threading/thread_value.h         |    68 +
 src/libstrongswan/utils.c                          |    70 +-
 src/libstrongswan/utils.h                          |   160 +-
 src/libstrongswan/utils/backtrace.c                |    22 +-
 src/libstrongswan/utils/backtrace.h                |     6 +-
 src/libstrongswan/utils/enumerator.c               |    44 +-
 src/libstrongswan/utils/enumerator.h               |    16 +-
 src/libstrongswan/utils/hashtable.c                |   152 +-
 src/libstrongswan/utils/hashtable.h                |    28 +-
 src/libstrongswan/utils/host.c                     |    44 +-
 src/libstrongswan/utils/host.h                     |    80 +-
 src/libstrongswan/utils/identification.c           |   382 +-
 src/libstrongswan/utils/identification.h           |    96 +-
 src/libstrongswan/utils/iterator.h                 |    34 +-
 src/libstrongswan/utils/leak_detective.c           |   131 +-
 src/libstrongswan/utils/leak_detective.h           |     8 +-
 src/libstrongswan/utils/lexparser.c                |    24 +-
 src/libstrongswan/utils/lexparser.h                |     2 +-
 src/libstrongswan/utils/linked_list.c              |    64 +-
 src/libstrongswan/utils/linked_list.h              |    76 +-
 src/libstrongswan/utils/mutex.c                    |   509 -
 src/libstrongswan/utils/mutex.h                    |   213 -
 src/libstrongswan/utils/optionsfrom.c              |     4 +-
 src/libstrongswan/utils/optionsfrom.h              |     4 +-
 src/manager/Makefile.am                            |     2 -
 src/manager/Makefile.in                            |   352 +-
 src/manager/controller/auth_controller.c           |    12 +-
 src/manager/controller/config_controller.c         |    10 +-
 src/manager/controller/control_controller.c        |    12 +-
 src/manager/controller/gateway_controller.c        |    14 +-
 src/manager/controller/ikesa_controller.c          |    10 +-
 src/manager/gateway.c                              |    38 +-
 src/manager/gateway.h                              |    12 +-
 src/manager/main.c                                 |    25 +-
 src/manager/manager.c                              |    20 +-
 src/manager/manager.h                              |    10 +-
 src/manager/storage.c                              |    16 +-
 src/manager/storage.h                              |    10 +-
 src/manager/xml.c                                  |    20 +-
 src/manager/xml.h                                  |     2 +-
 src/medsrv/Makefile.am                             |     6 +-
 src/medsrv/Makefile.in                             |   280 +-
 src/medsrv/controller/peer_controller.c            |    50 +-
 src/medsrv/controller/user_controller.c            |    26 +-
 src/medsrv/filter/auth_filter.c                    |     4 +-
 src/medsrv/main.c                                  |    23 +-
 src/medsrv/user.h                                  |     6 +-
 src/openac/Makefile.am                             |     6 +-
 src/openac/Makefile.in                             |   272 +-
 src/openac/openac.c                                |   146 +-
 src/pki/Makefile.am                                |    15 +
 src/pki/Makefile.in                                |   673 ++
 src/pki/command.c                                  |   256 +
 src/pki/command.h                                  |    95 +
 src/pki/commands/gen.c                             |   125 +
 src/pki/commands/issue.c                           |   370 +
 src/pki/commands/keyid.c                           |   164 +
 src/pki/commands/pub.c                             |   157 +
 src/pki/commands/req.c                             |   184 +
 src/pki/commands/self.c                            |   238 +
 src/pki/commands/verify.c                          |   136 +
 src/pki/pki.c                                      |   101 +
 src/pki/pki.h                                      |    39 +
 src/pluto/Makefile.am                              |    16 +-
 src/pluto/Makefile.in                              |   382 +-
 src/pluto/ac.c                                     |   994 +-
 src/pluto/ac.h                                     |    90 +-
 src/pluto/alg_info.c                               |    59 +-
 src/pluto/alg_info.h                               |     4 +-
 src/pluto/builder.c                                |   150 +
 src/pluto/builder.h                                |    24 +
 src/pluto/ca.c                                     |   486 +-
 src/pluto/ca.h                                     |    56 +-
 src/pluto/certs.c                                  |   408 +-
 src/pluto/certs.h                                  |    47 +-
 src/pluto/connections.c                            |  1392 +--
 src/pluto/connections.h                            |   190 +-
 src/pluto/constants.c                              |    80 +-
 src/pluto/constants.h                              |   258 +-
 src/pluto/crl.c                                    |   756 +-
 src/pluto/crl.h                                    |    55 +-
 src/pluto/crypto.c                                 |   111 +-
 src/pluto/db_ops.c                                 |    72 +-
 src/pluto/demux.c                                  |    68 +-
 src/pluto/dnskey.c                                 |   292 +-
 src/pluto/dnskey.h                                 |    40 +-
 src/pluto/fetch.c                                  |   331 +-
 src/pluto/fetch.h                                  |    33 +-
 src/pluto/foodgroups.c                             |    36 +-
 src/pluto/id.c                                     |   523 -
 src/pluto/id.h                                     |    65 -
 src/pluto/ike_alg.c                                |    47 +-
 src/pluto/ipsec_doi.c                              |  1165 +-
 src/pluto/ipsec_doi.h                              |     8 +-
 src/pluto/kernel.c                                 |   189 +-
 src/pluto/kernel_alg.c                             |    79 +-
 src/pluto/kernel_netlink.c                         |    90 +-
 src/pluto/kernel_noklips.c                         |     2 +-
 src/pluto/kernel_pfkey.c                           |     4 +-
 src/pluto/keys.c                                   |   353 +-
 src/pluto/keys.h                                   |    30 +-
 src/pluto/log.c                                    |    23 +-
 src/pluto/modecfg.c                                |   252 +-
 src/pluto/modecfg.h                                |     2 +-
 src/pluto/myid.c                                   |   121 +
 src/pluto/myid.h                                   |    38 +
 src/pluto/nat_traversal.c                          |    18 +-
 src/pluto/ocsp.c                                   |   441 +-
 src/pluto/ocsp.h                                   |    17 +-
 src/pluto/packet.c                                 |     6 +-
 src/pluto/pem.c                                    |   127 -
 src/pluto/pem.h                                    |    18 -
 src/pluto/pgpcert.c                                |   514 -
 src/pluto/pgpcert.h                                |    56 -
 src/pluto/pkcs7.c                                  |   349 +-
 src/pluto/pkcs7.h                                  |    20 +-
 src/pluto/plutomain.c                              |    42 +-
 src/pluto/rcv_whack.c                              |   204 +-
 src/pluto/rsaref/pkcs11.h                          |     6 +-
 src/pluto/rsaref/pkcs11f.h                         |    16 +-
 src/pluto/smartcard.c                              |   310 +-
 src/pluto/smartcard.h                              |     7 +-
 src/pluto/spdb.c                                   |   130 +-
 src/pluto/state.c                                  |    24 +-
 src/pluto/state.h                                  |     1 +
 src/pluto/timer.c                                  |     6 +-
 src/pluto/vendor.c                                 |    14 +-
 src/pluto/vendor.h                                 |     2 +
 src/pluto/virtual.c                                |    18 +-
 src/pluto/x509.c                                   |  2072 +---
 src/pluto/x509.h                                   |   117 +-
 src/pluto/xauth.c                                  |     4 +-
 src/pluto/xauth.h                                  |     2 +-
 src/scepclient/Makefile.am                         |    41 +-
 src/scepclient/Makefile.in                         |   318 +-
 src/scepclient/loglite.c                           |     4 +-
 src/scepclient/pkcs10.c                            |   224 -
 src/scepclient/pkcs10.h                            |    60 -
 src/scepclient/scep.c                              |    63 +-
 src/scepclient/scep.h                              |    10 +-
 src/scepclient/scepclient.c                        |   274 +-
 src/starter/Makefile.am                            |    10 +-
 src/starter/Makefile.in                            |   353 +-
 src/starter/args.c                                 |    44 +-
 src/starter/confread.c                             |    96 +-
 src/starter/confread.h                             |    13 +-
 src/starter/interfaces.c                           |   246 +-
 src/starter/interfaces.h                           |     1 +
 src/starter/invokecharon.c                         |     4 +-
 src/starter/invokepluto.c                          |     6 +-
 src/starter/ipsec.conf.5                           |   163 +-
 src/starter/keywords.c                             |   262 +-
 src/starter/keywords.h                             |     7 +-
 src/starter/keywords.txt                           |     7 +
 src/starter/klips.c                                |     4 +-
 src/starter/klips.h                                |     2 +-
 src/starter/netkey.h                               |     2 +-
 src/starter/starter.c                              |    20 +-
 src/starter/starterstroke.c                        |    59 +-
 src/starter/starterwhack.c                         |   137 +-
 src/stroke/Makefile.in                             |   161 +-
 src/stroke/stroke.c                                |    66 +-
 src/stroke/stroke_msg.h                            |    13 +-
 src/whack/Makefile.in                              |   159 +-
 src/whack/whack.c                                  |    72 +-
 src/whack/whack.h                                  |    15 +-
 testing/INSTALL                                    |     8 +-
 testing/Makefile.am                                |     2 +-
 testing/Makefile.in                                |    75 +-
 testing/do-tests.in                                |    29 +-
 .../alice/etc/ipsec.d/cacerts/strongswanCert.pem   |    24 +-
 .../hosts/alice/etc/ipsec.d/certs/aliceCert.pem    |    34 +-
 .../hosts/alice/etc/ipsec.d/private/aliceKey.pem   |    50 +-
 testing/hosts/alice/etc/strongswan.conf            |     2 +-
 .../bob/etc/ipsec.d/cacerts/strongswanCert.pem     |    24 +-
 testing/hosts/bob/etc/ipsec.d/certs/bobCert.pem    |    34 +-
 testing/hosts/bob/etc/ipsec.d/private/bobKey.pem   |    50 +-
 testing/hosts/bob/etc/strongswan.conf              |     2 +-
 .../carol/etc/ipsec.d/cacerts/strongswanCert.pem   |    24 +-
 .../hosts/carol/etc/ipsec.d/certs/carolCert.pem    |    34 +-
 .../hosts/carol/etc/ipsec.d/private/carolKey.pem   |    52 +-
 testing/hosts/carol/etc/strongswan.conf            |     2 +-
 .../dave/etc/ipsec.d/cacerts/strongswanCert.pem    |    24 +-
 testing/hosts/dave/etc/ipsec.d/certs/daveCert.pem  |    34 +-
 testing/hosts/dave/etc/ipsec.d/private/daveKey.pem |    50 +-
 testing/hosts/dave/etc/strongswan.conf             |     2 +-
 testing/hosts/default/etc/ipsec.d/tables.sql       |     7 +
 .../moon/etc/ipsec.d/cacerts/strongswanCert.pem    |    24 +-
 testing/hosts/moon/etc/ipsec.d/certs/moonCert.pem  |    37 +-
 testing/hosts/moon/etc/ipsec.d/private/moonKey.pem |    50 +-
 testing/hosts/moon/etc/strongswan.conf             |     2 +-
 .../sun/etc/ipsec.d/cacerts/strongswanCert.pem     |    24 +-
 testing/hosts/sun/etc/ipsec.d/certs/sunCert.pem    |    37 +-
 testing/hosts/sun/etc/ipsec.d/private/sunKey.pem   |    50 +-
 testing/hosts/sun/etc/strongswan.conf              |     2 +-
 .../venus/etc/ipsec.d/cacerts/strongswanCert.pem   |    24 +-
 .../hosts/venus/etc/ipsec.d/certs/venusCert.pem    |    30 +-
 .../hosts/venus/etc/ipsec.d/private/venusKey.pem   |    50 +-
 testing/hosts/venus/etc/strongswan.conf            |     2 +-
 .../certs/160769ece9ead9c1c4d89c34aa004c3b66402081 |   Bin 0 -> 1062 bytes
 .../certs/442b7162c7a4c27bd0f1076e345c5664bed53c7c |   Bin 0 -> 1060 bytes
 .../certs/45b967b2f9b4a8855235b2d01249cd1e079348aa |   Bin 0 -> 1062 bytes
 .../certs/644c5cc8c42a6c8cfe62f6a83bb0dbb43f0f0fb4 |   Bin 0 -> 1059 bytes
 .../certs/c45be2b38883548967f4f959fd5ec0822f65237b |   Bin 0 -> 1058 bytes
 .../certs/dbb808e4f319d815aadd8dab6f6ae5b717800e83 |   Bin 0 -> 1043 bytes
 .../certs/de106e5254cbafddb683117f90174910f43b5ae3 |   Bin 0 -> 1062 bytes
 .../certs/de216601f06d10a41171392fdfc9127f0bb9d5b0 |   Bin 0 -> 1062 bytes
 .../certs/edde495f4fb6db4e3eff85bcaecda2a3ccc58fcf |   Bin 0 -> 1076 bytes
 .../0b5362afd8838bafb66c854732b490d5d8318261       |   Bin 0 -> 1190 bytes
 .../533394399c61128c957881790d70511537798da1       |   Bin 0 -> 1212 bytes
 .../6b5aec8fe9dcb8d0f707490abc84ab0890a7d2da       |   Bin 0 -> 1188 bytes
 .../b8a73c3433f4e341cc7c4ae42989f0a23a956488       |   Bin 0 -> 1210 bytes
 testing/hosts/winnetou/etc/openssl/crlnumber       |     2 +-
 testing/hosts/winnetou/etc/openssl/crlnumber.old   |     2 +-
 testing/hosts/winnetou/etc/openssl/duck/.rand      |   Bin 0 -> 1024 bytes
 testing/hosts/winnetou/etc/openssl/duck/crlnumber  |     1 +
 .../hosts/winnetou/etc/openssl/duck/duckCert.pem   |    23 +
 .../hosts/winnetou/etc/openssl/duck/duckKey.pem    |    27 +
 .../hosts/winnetou/etc/openssl/duck/duckReq.pem    |    16 +
 testing/hosts/winnetou/etc/openssl/duck/index.txt  |     1 +
 .../hosts/winnetou/etc/openssl/duck/index.txt.attr |     1 +
 .../hosts/winnetou/etc/openssl/duck/index.txt.old  |     0
 .../winnetou/etc/openssl/duck/newcerts/01.pem      |    24 +
 .../hosts/winnetou/etc/openssl/duck/openssl.cnf    |   178 +
 testing/hosts/winnetou/etc/openssl/duck/serial     |     1 +
 testing/hosts/winnetou/etc/openssl/duck/serial.old |     1 +
 testing/hosts/winnetou/etc/openssl/generate-crl    |     4 +
 .../winnetou/etc/openssl/generate-hash-and-url     |    13 +
 testing/hosts/winnetou/etc/openssl/index.txt       |    33 +-
 testing/hosts/winnetou/etc/openssl/index.txt.old   |    33 +-
 testing/hosts/winnetou/etc/openssl/newcerts/16.pem |    25 +
 testing/hosts/winnetou/etc/openssl/newcerts/17.pem |    25 +
 testing/hosts/winnetou/etc/openssl/newcerts/18.pem |    24 +
 testing/hosts/winnetou/etc/openssl/newcerts/19.pem |    25 +
 testing/hosts/winnetou/etc/openssl/newcerts/1A.pem |    25 +
 testing/hosts/winnetou/etc/openssl/newcerts/1B.pem |    25 +
 testing/hosts/winnetou/etc/openssl/newcerts/1C.pem |    25 +
 testing/hosts/winnetou/etc/openssl/newcerts/1D.pem |    25 +
 testing/hosts/winnetou/etc/openssl/newcerts/1E.pem |    25 +
 testing/hosts/winnetou/etc/openssl/ocspCert.pem    |    30 +-
 testing/hosts/winnetou/etc/openssl/ocspKey.pem     |    50 +-
 testing/hosts/winnetou/etc/openssl/openssl.cnf     |     9 +-
 .../hosts/winnetou/etc/openssl/research/index.txt  |     1 +
 .../winnetou/etc/openssl/research/index.txt.old    |     1 +
 .../winnetou/etc/openssl/research/newcerts/05.pem  |    23 +
 testing/hosts/winnetou/etc/openssl/research/serial |     2 +-
 .../hosts/winnetou/etc/openssl/research/serial.old |     2 +-
 testing/hosts/winnetou/etc/openssl/rfc3779/.rand   |   Bin 0 -> 1024 bytes
 testing/hosts/winnetou/etc/openssl/rfc3779/crl.pem |    15 +
 .../hosts/winnetou/etc/openssl/rfc3779/crlnumber   |     1 +
 .../winnetou/etc/openssl/rfc3779/crlnumber.old     |     1 +
 .../hosts/winnetou/etc/openssl/rfc3779/index.txt   |     4 +
 .../winnetou/etc/openssl/rfc3779/index.txt.attr    |     1 +
 .../etc/openssl/rfc3779/index.txt.attr.old         |     1 +
 .../winnetou/etc/openssl/rfc3779/index.txt.old     |     3 +
 .../winnetou/etc/openssl/rfc3779/newcerts/01.pem   |    28 +
 .../winnetou/etc/openssl/rfc3779/newcerts/02.pem   |    28 +
 .../winnetou/etc/openssl/rfc3779/newcerts/03.pem   |    27 +
 .../winnetou/etc/openssl/rfc3779/newcerts/04.pem   |    27 +
 .../hosts/winnetou/etc/openssl/rfc3779/openssl.cnf |   214 +
 testing/hosts/winnetou/etc/openssl/rfc3779/serial  |     1 +
 .../hosts/winnetou/etc/openssl/rfc3779/serial.old  |     1 +
 .../etc/openssl/rfc3779/strongswanCert.pem         |    26 +
 .../winnetou/etc/openssl/rfc3779/strongswanKey.pem |    27 +
 testing/hosts/winnetou/etc/openssl/serial          |     2 +-
 testing/hosts/winnetou/etc/openssl/serial.old      |     2 +-
 .../hosts/winnetou/etc/openssl/strongswanCert.pem  |    24 +-
 testing/scripts/build-umlrootfs                    |     1 +
 testing/testing.conf                               |     6 +-
 .../gcrypt-ikev1/alg-camellia/description.txt      |     4 +
 .../tests/gcrypt-ikev1/alg-camellia/evaltest.dat   |    11 +
 .../alg-camellia/hosts/carol/etc/ipsec.conf        |    24 +
 .../alg-camellia/hosts/carol/etc/strongswan.conf   |    11 +
 .../alg-camellia/hosts/moon/etc/ipsec.conf         |    24 +
 .../alg-camellia/hosts/moon/etc/strongswan.conf    |    11 +
 .../tests/gcrypt-ikev1/alg-camellia/posttest.dat   |     2 +
 .../tests/gcrypt-ikev1/alg-camellia/pretest.dat    |     5 +
 testing/tests/gcrypt-ikev1/alg-camellia/test.conf  |    22 +
 .../tests/gcrypt-ikev1/alg-serpent/description.txt |     2 +-
 .../tests/gcrypt-ikev1/alg-serpent/evaltest.dat    |     9 +-
 .../alg-serpent/hosts/carol/etc/ipsec.conf         |     2 +-
 .../alg-serpent/hosts/carol/etc/strongswan.conf    |     2 +-
 .../alg-serpent/hosts/moon/etc/ipsec.conf          |     2 +-
 .../alg-serpent/hosts/moon/etc/strongswan.conf     |     2 +-
 testing/tests/gcrypt-ikev1/alg-serpent/test.conf   |     2 +-
 .../tests/gcrypt-ikev1/alg-twofish/description.txt |     2 +-
 .../tests/gcrypt-ikev1/alg-twofish/evaltest.dat    |     9 +-
 .../alg-twofish/hosts/carol/etc/ipsec.conf         |     2 +-
 .../alg-twofish/hosts/carol/etc/strongswan.conf    |     2 +-
 .../alg-twofish/hosts/moon/etc/ipsec.conf          |     2 +-
 .../alg-twofish/hosts/moon/etc/strongswan.conf     |     2 +-
 testing/tests/gcrypt-ikev1/alg-twofish/test.conf   |     2 +-
 .../rw-cert/hosts/carol/etc/strongswan.conf        |     2 +-
 .../rw-cert/hosts/dave/etc/strongswan.conf         |     2 +-
 .../rw-cert/hosts/moon/etc/strongswan.conf         |     2 +-
 .../tests/gcrypt-ikev2/alg-camellia/evaltest.dat   |     4 +-
 .../alg-camellia/hosts/carol/etc/strongswan.conf   |     2 +-
 .../alg-camellia/hosts/moon/etc/strongswan.conf    |     2 +-
 testing/tests/gcrypt-ikev2/alg-camellia/test.conf  |     2 +-
 .../rw-cert/hosts/carol/etc/strongswan.conf        |     2 +-
 .../rw-cert/hosts/dave/etc/strongswan.conf         |     2 +-
 .../rw-cert/hosts/moon/etc/strongswan.conf         |     2 +-
 .../ike/rw-cert/hosts/carol/etc/strongswan.conf    |     2 +-
 .../ike/rw-cert/hosts/dave/etc/strongswan.conf     |     2 +-
 .../ike/rw-cert/hosts/moon/etc/strongswan.conf     |     4 +-
 .../rw_v1-net_v2/hosts/moon/etc/strongswan.conf    |     4 +-
 .../ike/rw_v1-net_v2/hosts/sun/etc/strongswan.conf |     2 +-
 testing/tests/ikev1/alg-blowfish/description.txt   |     2 +-
 testing/tests/ikev1/alg-blowfish/evaltest.dat      |     9 +-
 .../ikev1/alg-blowfish/hosts/carol/etc/ipsec.conf  |     2 +-
 .../alg-blowfish/hosts/carol/etc/strongswan.conf   |     2 +-
 .../ikev1/alg-blowfish/hosts/moon/etc/ipsec.conf   |     2 +-
 .../alg-blowfish/hosts/moon/etc/strongswan.conf    |     2 +-
 testing/tests/ikev1/alg-blowfish/pretest.dat       |     1 +
 testing/tests/ikev1/alg-blowfish/test.conf         |     2 +-
 testing/tests/ikev1/alg-sha256-96/description.txt  |     5 +
 testing/tests/ikev1/alg-sha256-96/evaltest.dat     |    12 +
 .../ikev1/alg-sha256-96/hosts/carol/etc/ipsec.conf |    24 +
 .../ikev1/alg-sha256-96/hosts/moon/etc/ipsec.conf  |    24 +
 testing/tests/ikev1/alg-sha256-96/posttest.dat     |     2 +
 testing/tests/ikev1/alg-sha256-96/pretest.dat      |     5 +
 testing/tests/ikev1/alg-sha256-96/test.conf        |    22 +
 testing/tests/ikev1/alg-sha256/description.txt     |     4 +
 testing/tests/ikev1/alg-sha256/evaltest.dat        |    12 +
 .../ikev1/alg-sha256/hosts/carol/etc/ipsec.conf    |    24 +
 .../ikev1/alg-sha256/hosts/moon/etc/ipsec.conf     |    24 +
 testing/tests/ikev1/alg-sha256/posttest.dat        |     2 +
 testing/tests/ikev1/alg-sha256/pretest.dat         |     5 +
 testing/tests/ikev1/alg-sha256/test.conf           |    22 +
 testing/tests/ikev1/alg-sha2_256/description.txt   |     4 -
 testing/tests/ikev1/alg-sha2_256/evaltest.dat      |    11 -
 .../ikev1/alg-sha2_256/hosts/carol/etc/ipsec.conf  |    24 -
 .../ikev1/alg-sha2_256/hosts/moon/etc/ipsec.conf   |    24 -
 testing/tests/ikev1/alg-sha2_256/posttest.dat      |     2 -
 testing/tests/ikev1/alg-sha2_256/pretest.dat       |     5 -
 testing/tests/ikev1/alg-sha2_256/test.conf         |    22 -
 testing/tests/ikev1/alg-sha384/description.txt     |     4 +
 testing/tests/ikev1/alg-sha384/evaltest.dat        |    12 +
 .../ikev1/alg-sha384/hosts/carol/etc/ipsec.conf    |    24 +
 .../ikev1/alg-sha384/hosts/moon/etc/ipsec.conf     |    24 +
 testing/tests/ikev1/alg-sha384/posttest.dat        |     2 +
 testing/tests/ikev1/alg-sha384/pretest.dat         |     5 +
 testing/tests/ikev1/alg-sha384/test.conf           |    22 +
 testing/tests/ikev1/alg-sha512/description.txt     |     4 +
 testing/tests/ikev1/alg-sha512/evaltest.dat        |    12 +
 .../ikev1/alg-sha512/hosts/carol/etc/ipsec.conf    |    24 +
 .../ikev1/alg-sha512/hosts/moon/etc/ipsec.conf     |    24 +
 testing/tests/ikev1/alg-sha512/posttest.dat        |     2 +
 testing/tests/ikev1/alg-sha512/pretest.dat         |     5 +
 testing/tests/ikev1/alg-sha512/test.conf           |    22 +
 testing/tests/ikev1/attr-cert/evaltest.dat         |     8 +-
 .../attr-cert/hosts/moon/etc/openac/carolCert.pem  |    34 +-
 .../attr-cert/hosts/moon/etc/openac/daveCert.pem   |    34 +-
 .../ikev1/attr-cert/hosts/moon/etc/strongswan.conf |     4 +-
 testing/tests/ikev1/crl-from-cache/evaltest.dat    |     4 +-
 testing/tests/ikev1/crl-ldap/evaltest.dat          |     8 +-
 .../ikev1/crl-ldap/hosts/carol/etc/strongswan.conf |     2 +-
 .../ikev1/crl-ldap/hosts/moon/etc/strongswan.conf  |     2 +-
 .../carol/etc/ipsec.d/certs/carolRevokedCert.pem   |    34 +-
 .../carol/etc/ipsec.d/private/carolRevokedKey.pem  |    50 +-
 .../default-keys/hosts/carol/etc/strongswan.conf   |     4 +-
 .../default-keys/hosts/moon/etc/strongswan.conf    |     4 +-
 .../hosts/dave/etc/ipsec.d/certs/carolCert.pem     |    34 +-
 .../hosts/dave/etc/ipsec.d/private/carolKey.pem    |    52 +-
 .../hosts/dave/etc/ipsec.d/certs/carolCert.pem     |    34 +-
 .../hosts/dave/etc/ipsec.d/private/carolKey.pem    |    52 +-
 testing/tests/ikev1/esp-alg-aes-ccm/evaltest.dat   |     4 +-
 testing/tests/ikev1/esp-alg-aes-ccm/test.conf      |     2 +-
 testing/tests/ikev1/esp-alg-aes-ctr/evaltest.dat   |     4 +-
 testing/tests/ikev1/esp-alg-aes-ctr/test.conf      |     2 +-
 testing/tests/ikev1/esp-alg-aes-gcm/evaltest.dat   |     4 +-
 testing/tests/ikev1/esp-alg-aes-gcm/test.conf      |     2 +-
 testing/tests/ikev1/esp-alg-aesxcbc/evaltest.dat   |     5 +-
 testing/tests/ikev1/esp-alg-aesxcbc/test.conf      |     2 +-
 .../tests/ikev1/esp-alg-camellia/description.txt   |     4 -
 testing/tests/ikev1/esp-alg-camellia/evaltest.dat  |     8 -
 .../esp-alg-camellia/hosts/carol/etc/ipsec.conf    |    24 -
 .../esp-alg-camellia/hosts/moon/etc/ipsec.conf     |    24 -
 testing/tests/ikev1/esp-alg-camellia/posttest.dat  |     2 -
 testing/tests/ikev1/esp-alg-camellia/pretest.dat   |     5 -
 testing/tests/ikev1/esp-alg-camellia/test.conf     |    22 -
 testing/tests/ikev1/esp-alg-des/evaltest.dat       |     5 +-
 testing/tests/ikev1/esp-alg-des/test.conf          |     2 +-
 testing/tests/ikev1/esp-alg-null/evaltest.dat      |     4 +-
 testing/tests/ikev1/esp-alg-null/test.conf         |     2 +-
 .../tests/ikev1/ike-alg-sha2_384/description.txt   |     4 -
 testing/tests/ikev1/ike-alg-sha2_384/evaltest.dat  |     8 -
 .../ike-alg-sha2_384/hosts/carol/etc/ipsec.conf    |    23 -
 .../ike-alg-sha2_384/hosts/moon/etc/ipsec.conf     |    24 -
 testing/tests/ikev1/ike-alg-sha2_384/posttest.dat  |     2 -
 testing/tests/ikev1/ike-alg-sha2_384/pretest.dat   |     5 -
 testing/tests/ikev1/ike-alg-sha2_384/test.conf     |    22 -
 .../tests/ikev1/ike-alg-sha2_512/description.txt   |     4 -
 testing/tests/ikev1/ike-alg-sha2_512/evaltest.dat  |     8 -
 .../ike-alg-sha2_512/hosts/carol/etc/ipsec.conf    |    23 -
 .../ike-alg-sha2_512/hosts/moon/etc/ipsec.conf     |    24 -
 testing/tests/ikev1/ike-alg-sha2_512/posttest.dat  |     2 -
 testing/tests/ikev1/ike-alg-sha2_512/pretest.dat   |     5 -
 testing/tests/ikev1/ike-alg-sha2_512/test.conf     |    22 -
 .../tests/ikev1/ip-pool-db-push/description.txt    |     4 +
 testing/tests/ikev1/ip-pool-db-push/evaltest.dat   |    33 +
 .../ip-pool-db-push/hosts/carol/etc/ipsec.conf     |    26 +
 .../hosts/carol/etc/strongswan.conf                |     5 +
 .../ip-pool-db-push/hosts/dave/etc/ipsec.conf      |    26 +
 .../ip-pool-db-push/hosts/dave/etc/strongswan.conf |     5 +
 .../ip-pool-db-push/hosts/moon/etc/ipsec.conf      |    26 +
 .../ip-pool-db-push/hosts/moon/etc/strongswan.conf |    17 +
 testing/tests/ikev1/ip-pool-db-push/posttest.dat   |    12 +
 testing/tests/ikev1/ip-pool-db-push/pretest.dat    |    16 +
 testing/tests/ikev1/ip-pool-db-push/test.conf      |    21 +
 testing/tests/ikev1/ip-pool-db/description.txt     |    10 +
 testing/tests/ikev1/ip-pool-db/evaltest.dat        |    33 +
 .../ikev1/ip-pool-db/hosts/carol/etc/ipsec.conf    |    25 +
 .../ip-pool-db/hosts/carol/etc/strongswan.conf     |     5 +
 .../ikev1/ip-pool-db/hosts/dave/etc/ipsec.conf     |    25 +
 .../ip-pool-db/hosts/dave/etc/strongswan.conf      |     5 +
 .../ikev1/ip-pool-db/hosts/moon/etc/ipsec.conf     |    25 +
 .../ip-pool-db/hosts/moon/etc/strongswan.conf      |    17 +
 testing/tests/ikev1/ip-pool-db/posttest.dat        |    12 +
 testing/tests/ikev1/ip-pool-db/pretest.dat         |    16 +
 testing/tests/ikev1/ip-pool-db/test.conf           |    21 +
 .../ikev1/mode-config-multiple/description.txt     |     6 +
 .../tests/ikev1/mode-config-multiple/evaltest.dat  |    29 +
 .../hosts/carol/etc/ipsec.conf                     |    32 +
 .../mode-config-multiple/hosts/dave/etc/ipsec.conf |    32 +
 .../mode-config-multiple/hosts/moon/etc/ipsec.conf |    49 +
 .../hosts/moon/etc/strongswan.conf                 |    13 +
 .../tests/ikev1/mode-config-multiple/posttest.dat  |     8 +
 .../tests/ikev1/mode-config-multiple/pretest.dat   |    12 +
 testing/tests/ikev1/mode-config-multiple/test.conf |    21 +
 .../mode-config/hosts/moon/etc/strongswan.conf     |     2 +-
 .../hosts/carol/etc/strongswan.conf                |     2 +-
 .../hosts/dave/etc/strongswan.conf                 |     2 +-
 .../hosts/moon/etc/strongswan.conf                 |     2 +-
 .../tests/ikev1/multi-level-ca-loop/evaltest.dat   |     2 +-
 .../ikev1/multi-level-ca-pathlen/description.txt   |     5 +
 .../ikev1/multi-level-ca-pathlen/evaltest.dat      |     4 +
 .../hosts/carol/etc/ipsec.conf                     |    24 +
 .../hosts/carol/etc/ipsec.d/certs/carolCert.pem    |    24 +
 .../hosts/carol/etc/ipsec.d/private/carolKey.pem   |    27 +
 .../hosts/carol/etc/ipsec.secrets                  |     3 +
 .../hosts/moon/etc/ipsec.conf                      |    23 +
 .../hosts/moon/etc/ipsec.d/cacerts/duckCert.pem    |    23 +
 .../moon/etc/ipsec.d/cacerts/researchCert.pem      |    23 +
 .../ikev1/multi-level-ca-pathlen/posttest.dat      |     3 +
 .../tests/ikev1/multi-level-ca-pathlen/pretest.dat |     5 +
 .../tests/ikev1/multi-level-ca-pathlen/test.conf   |    21 +
 testing/tests/ikev1/nat-two-rw/evaltest.dat        |     2 +-
 .../ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.conf |     3 +-
 .../net2net-pgp-v3/hosts/moon/etc/strongswan.conf  |    11 +
 .../ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.conf  |     1 +
 .../net2net-pgp-v3/hosts/sun/etc/strongswan.conf   |    11 +
 .../ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.conf |     3 +-
 .../net2net-pgp-v4/hosts/moon/etc/strongswan.conf  |    11 +
 .../ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.conf  |     1 +
 .../net2net-pgp-v4/hosts/sun/etc/strongswan.conf   |    11 +
 .../net2net-rsa/hosts/moon/etc/strongswan.conf     |    11 +
 .../net2net-rsa/hosts/sun/etc/strongswan.conf      |    11 +
 testing/tests/ikev1/no-priv-key/evaltest.dat       |     1 -
 .../carol/etc/ipsec.d/certs/carolRevokedCert.pem   |    34 +-
 .../carol/etc/ipsec.d/private/carolRevokedKey.pem  |    50 +-
 .../req-pkcs10/hosts/carol/etc/strongswan.conf     |     4 +-
 .../req-pkcs10/hosts/moon/etc/strongswan.conf      |     4 +-
 .../ikev1/rw-cert/hosts/carol/etc/strongswan.conf  |     2 +-
 .../ikev1/rw-cert/hosts/moon/etc/strongswan.conf   |     2 +-
 .../self-signed/hosts/carol/etc/strongswan.conf    |     4 +-
 .../self-signed/hosts/moon/etc/strongswan.conf     |     4 +-
 .../hosts/carol/etc/strongswan.conf                |     2 +-
 .../hosts/moon/etc/strongswan.conf                 |     2 +-
 testing/tests/ikev2/alg-3des-md5/description.txt   |     4 +
 testing/tests/ikev2/alg-3des-md5/evaltest.dat      |    13 +
 .../ikev2/alg-3des-md5/hosts/carol/etc/ipsec.conf  |    25 +
 .../alg-3des-md5/hosts/carol/etc/strongswan.conf   |     5 +
 .../ikev2/alg-3des-md5/hosts/moon/etc/ipsec.conf   |    24 +
 .../alg-3des-md5/hosts/moon/etc/strongswan.conf    |     5 +
 testing/tests/ikev2/alg-3des-md5/posttest.dat      |     4 +
 testing/tests/ikev2/alg-3des-md5/pretest.dat       |     6 +
 testing/tests/ikev2/alg-3des-md5/test.conf         |    21 +
 testing/tests/ikev2/alg-aes-xcbc/description.txt   |     4 +-
 testing/tests/ikev2/alg-aes-xcbc/evaltest.dat      |    13 +-
 .../ikev2/alg-aes-xcbc/hosts/carol/etc/ipsec.conf  |     4 +-
 .../alg-aes-xcbc/hosts/carol/etc/strongswan.conf   |     2 +-
 .../ikev2/alg-aes-xcbc/hosts/moon/etc/ipsec.conf   |     4 +-
 .../alg-aes-xcbc/hosts/moon/etc/strongswan.conf    |     2 +-
 testing/tests/ikev2/alg-aes-xcbc/test.conf         |     2 +-
 testing/tests/ikev2/alg-blowfish/evaltest.dat      |    20 +-
 .../alg-blowfish/hosts/carol/etc/strongswan.conf   |     2 +-
 .../alg-blowfish/hosts/dave/etc/strongswan.conf    |     2 +-
 .../alg-blowfish/hosts/moon/etc/strongswan.conf    |     2 +-
 testing/tests/ikev2/alg-sha256-96/description.txt  |     5 +
 testing/tests/ikev2/alg-sha256-96/evaltest.dat     |    13 +
 .../ikev2/alg-sha256-96/hosts/carol/etc/ipsec.conf |    25 +
 .../alg-sha256-96/hosts/carol/etc/strongswan.conf  |     6 +
 .../ikev2/alg-sha256-96/hosts/moon/etc/ipsec.conf  |    24 +
 .../alg-sha256-96/hosts/moon/etc/strongswan.conf   |     6 +
 testing/tests/ikev2/alg-sha256-96/posttest.dat     |     4 +
 testing/tests/ikev2/alg-sha256-96/pretest.dat      |     6 +
 testing/tests/ikev2/alg-sha256-96/test.conf        |    21 +
 testing/tests/ikev2/alg-sha256/description.txt     |     4 +
 testing/tests/ikev2/alg-sha256/evaltest.dat        |    11 +
 .../ikev2/alg-sha256/hosts/carol/etc/ipsec.conf    |    25 +
 .../alg-sha256/hosts/carol/etc/strongswan.conf     |     5 +
 .../ikev2/alg-sha256/hosts/moon/etc/ipsec.conf     |    24 +
 .../alg-sha256/hosts/moon/etc/strongswan.conf      |     5 +
 testing/tests/ikev2/alg-sha256/posttest.dat        |     4 +
 testing/tests/ikev2/alg-sha256/pretest.dat         |     6 +
 testing/tests/ikev2/alg-sha256/test.conf           |    21 +
 testing/tests/ikev2/alg-sha384/description.txt     |     4 +
 testing/tests/ikev2/alg-sha384/evaltest.dat        |    11 +
 .../ikev2/alg-sha384/hosts/carol/etc/ipsec.conf    |    25 +
 .../alg-sha384/hosts/carol/etc/strongswan.conf     |     5 +
 .../ikev2/alg-sha384/hosts/moon/etc/ipsec.conf     |    24 +
 .../alg-sha384/hosts/moon/etc/strongswan.conf      |     5 +
 testing/tests/ikev2/alg-sha384/posttest.dat        |     4 +
 testing/tests/ikev2/alg-sha384/pretest.dat         |     6 +
 testing/tests/ikev2/alg-sha384/test.conf           |    21 +
 testing/tests/ikev2/alg-sha512/description.txt     |     4 +
 testing/tests/ikev2/alg-sha512/evaltest.dat        |    11 +
 .../ikev2/alg-sha512/hosts/carol/etc/ipsec.conf    |    25 +
 .../alg-sha512/hosts/carol/etc/strongswan.conf     |     5 +
 .../ikev2/alg-sha512/hosts/moon/etc/ipsec.conf     |    24 +
 .../alg-sha512/hosts/moon/etc/strongswan.conf      |     5 +
 testing/tests/ikev2/alg-sha512/posttest.dat        |     4 +
 testing/tests/ikev2/alg-sha512/pretest.dat         |     6 +
 testing/tests/ikev2/alg-sha512/test.conf           |    21 +
 .../any-interface/hosts/alice/etc/strongswan.conf  |     2 +-
 .../any-interface/hosts/bob/etc/strongswan.conf    |     2 +-
 .../any-interface/hosts/moon/etc/strongswan.conf   |     2 +-
 .../any-interface/hosts/sun/etc/strongswan.conf    |     2 +-
 .../ikev2/compress/hosts/carol/etc/strongswan.conf |     2 +-
 .../ikev2/compress/hosts/moon/etc/strongswan.conf  |     2 +-
 .../hosts/carol/etc/strongswan.conf                |     2 +-
 .../hosts/dave/etc/strongswan.conf                 |     2 +-
 .../hosts/moon/etc/strongswan.conf                 |     2 +-
 testing/tests/ikev2/config-payload/evaltest.dat    |     4 +-
 .../config-payload/hosts/carol/etc/strongswan.conf |     2 +-
 .../config-payload/hosts/dave/etc/strongswan.conf  |     2 +-
 .../config-payload/hosts/moon/etc/strongswan.conf  |     2 +-
 testing/tests/ikev2/crl-from-cache/evaltest.dat    |     4 +-
 .../crl-from-cache/hosts/carol/etc/strongswan.conf |     2 +-
 .../crl-from-cache/hosts/moon/etc/strongswan.conf  |     2 +-
 testing/tests/ikev2/crl-ldap/evaltest.dat          |     4 +-
 .../ikev2/crl-ldap/hosts/carol/etc/strongswan.conf |     2 +-
 .../ikev2/crl-ldap/hosts/moon/etc/strongswan.conf  |     2 +-
 .../carol/etc/ipsec.d/certs/carolRevokedCert.pem   |    34 +-
 .../carol/etc/ipsec.d/private/carolRevokedKey.pem  |    50 +-
 .../crl-revoked/hosts/carol/etc/strongswan.conf    |     2 +-
 .../crl-revoked/hosts/moon/etc/strongswan.conf     |     2 +-
 .../crl-to-cache/hosts/carol/etc/strongswan.conf   |     2 +-
 .../crl-to-cache/hosts/moon/etc/strongswan.conf    |     2 +-
 .../default-keys/hosts/carol/etc/strongswan.conf   |     4 +-
 .../default-keys/hosts/moon/etc/strongswan.conf    |     4 +-
 .../double-nat-net/hosts/alice/etc/strongswan.conf |     2 +-
 .../double-nat-net/hosts/bob/etc/strongswan.conf   |     2 +-
 .../double-nat/hosts/alice/etc/strongswan.conf     |     2 +-
 .../ikev2/double-nat/hosts/bob/etc/strongswan.conf |     2 +-
 .../dpd-clear/hosts/carol/etc/strongswan.conf      |     2 +-
 .../ikev2/dpd-clear/hosts/moon/etc/strongswan.conf |     2 +-
 .../ikev2/dpd-hold/hosts/carol/etc/strongswan.conf |     2 +-
 .../ikev2/dpd-hold/hosts/moon/etc/strongswan.conf  |     2 +-
 .../dpd-restart/hosts/carol/etc/strongswan.conf    |     2 +-
 .../dpd-restart/hosts/moon/etc/strongswan.conf     |     2 +-
 testing/tests/ikev2/esp-alg-aes-ccm/evaltest.dat   |     4 +-
 .../hosts/carol/etc/strongswan.conf                |     2 +-
 .../esp-alg-aes-ccm/hosts/moon/etc/strongswan.conf |     2 +-
 testing/tests/ikev2/esp-alg-aes-ccm/test.conf      |     2 +-
 testing/tests/ikev2/esp-alg-aes-ctr/evaltest.dat   |     5 +-
 .../hosts/carol/etc/strongswan.conf                |     2 +-
 .../esp-alg-aes-ctr/hosts/moon/etc/strongswan.conf |     2 +-
 testing/tests/ikev2/esp-alg-aes-ctr/test.conf      |     2 +-
 testing/tests/ikev2/esp-alg-aes-gcm/evaltest.dat   |     4 +-
 .../hosts/carol/etc/strongswan.conf                |     2 +-
 .../esp-alg-aes-gcm/hosts/moon/etc/strongswan.conf |     2 +-
 testing/tests/ikev2/esp-alg-aes-gcm/test.conf      |     2 +-
 .../tests/ikev2/esp-alg-camellia/description.txt   |     3 -
 testing/tests/ikev2/esp-alg-camellia/evaltest.dat  |     7 -
 .../esp-alg-camellia/hosts/carol/etc/ipsec.conf    |    25 -
 .../hosts/carol/etc/strongswan.conf                |     5 -
 .../esp-alg-camellia/hosts/moon/etc/ipsec.conf     |    24 -
 .../hosts/moon/etc/strongswan.conf                 |     5 -
 testing/tests/ikev2/esp-alg-camellia/posttest.dat  |     4 -
 testing/tests/ikev2/esp-alg-camellia/pretest.dat   |     7 -
 testing/tests/ikev2/esp-alg-camellia/test.conf     |    21 -
 testing/tests/ikev2/esp-alg-null/evaltest.dat      |     4 +-
 .../esp-alg-null/hosts/carol/etc/strongswan.conf   |     2 +-
 .../esp-alg-null/hosts/moon/etc/strongswan.conf    |     2 +-
 testing/tests/ikev2/esp-alg-null/pretest.dat       |     1 +
 testing/tests/ikev2/esp-alg-null/test.conf         |     2 +-
 .../hosts/alice/etc/strongswan.conf                |     2 +-
 .../force-udp-encaps/hosts/sun/etc/strongswan.conf |     2 +-
 .../host2host-cert/hosts/moon/etc/strongswan.conf  |     2 +-
 .../host2host-cert/hosts/sun/etc/strongswan.conf   |     2 +-
 .../hosts/moon/etc/strongswan.conf                 |     2 +-
 .../hosts/sun/etc/strongswan.conf                  |     2 +-
 .../hosts/moon/etc/strongswan.conf                 |     2 +-
 .../hosts/sun/etc/strongswan.conf                  |     2 +-
 .../tests/ikev2/inactivity-timeout/description.txt |     3 +
 .../tests/ikev2/inactivity-timeout/evaltest.dat    |     8 +
 .../inactivity-timeout/hosts/carol/etc/ipsec.conf  |    24 +
 .../hosts/carol/etc/strongswan.conf                |     5 +
 .../inactivity-timeout/hosts/moon/etc/ipsec.conf   |    22 +
 .../hosts/moon/etc/strongswan.conf                 |     5 +
 .../tests/ikev2/inactivity-timeout/posttest.dat    |     4 +
 testing/tests/ikev2/inactivity-timeout/pretest.dat |     7 +
 testing/tests/ikev2/inactivity-timeout/test.conf   |    21 +
 testing/tests/ikev2/ip-pool-db/evaltest.dat        |     8 +
 .../ip-pool-db/hosts/carol/etc/strongswan.conf     |     2 +-
 .../ip-pool-db/hosts/dave/etc/strongswan.conf      |     2 +-
 .../ip-pool-db/hosts/moon/etc/strongswan.conf      |     9 +-
 testing/tests/ikev2/ip-pool-db/posttest.dat        |     2 +
 testing/tests/ikev2/ip-pool-db/pretest.dat         |     3 +
 .../ip-pool-wish/hosts/carol/etc/strongswan.conf   |     2 +-
 .../ip-pool-wish/hosts/dave/etc/strongswan.conf    |     2 +-
 .../ip-pool-wish/hosts/moon/etc/strongswan.conf    |     2 +-
 .../ikev2/ip-pool/hosts/carol/etc/strongswan.conf  |     2 +-
 .../ikev2/ip-pool/hosts/dave/etc/strongswan.conf   |     2 +-
 .../ikev2/ip-pool/hosts/moon/etc/strongswan.conf   |     2 +-
 .../hosts/carol/etc/strongswan.conf                |     2 +-
 .../hosts/dave/etc/strongswan.conf                 |     2 +-
 .../hosts/moon/etc/strongswan.conf                 |     9 +-
 .../hosts/alice/etc/strongswan.conf                |     2 +-
 .../hosts/carol/etc/strongswan.conf                |     2 +-
 .../ip-two-pools-db/hosts/dave/etc/strongswan.conf |     2 +-
 .../ip-two-pools-db/hosts/moon/etc/strongswan.conf |     9 +-
 .../hosts/venus/etc/strongswan.conf                |     2 +-
 .../hosts/alice/etc/strongswan.conf                |     2 +-
 .../hosts/carol/etc/strongswan.conf                |     2 +-
 .../hosts/moon/etc/strongswan.conf                 |     9 +-
 .../ip-two-pools/hosts/alice/etc/strongswan.conf   |     2 +-
 .../ip-two-pools/hosts/carol/etc/strongswan.conf   |     2 +-
 .../ip-two-pools/hosts/moon/etc/strongswan.conf    |     2 +-
 testing/tests/ikev2/mobike-nat/description.txt     |     2 +-
 .../mobike-nat/hosts/alice/etc/init.d/iptables     |     4 +
 .../ikev2/mobike-nat/hosts/alice/etc/ipsec.conf    |     1 -
 .../mobike-nat/hosts/alice/etc/strongswan.conf     |     2 +-
 .../ikev2/mobike-nat/hosts/sun/etc/init.d/iptables |    84 +
 .../ikev2/mobike-nat/hosts/sun/etc/ipsec.conf      |     1 -
 .../ikev2/mobike-nat/hosts/sun/etc/strongswan.conf |     2 +-
 .../hosts/alice/etc/init.d/iptables                |     4 +
 .../mobike-virtual-ip/hosts/alice/etc/ipsec.conf   |     1 -
 .../hosts/alice/etc/strongswan.conf                |     2 +-
 .../hosts/sun/etc/init.d/iptables                  |    84 +
 .../mobike-virtual-ip/hosts/sun/etc/ipsec.conf     |     1 -
 .../hosts/sun/etc/strongswan.conf                  |     2 +-
 .../ikev2/mobike/hosts/alice/etc/strongswan.conf   |     2 +-
 .../ikev2/mobike/hosts/sun/etc/init.d/iptables     |    90 +
 .../tests/ikev2/mobike/hosts/sun/etc/ipsec.conf    |     1 -
 .../ikev2/mobike/hosts/sun/etc/strongswan.conf     |     2 +-
 .../hosts/carol/etc/strongswan.conf                |     2 +-
 .../hosts/dave/etc/strongswan.conf                 |     2 +-
 .../hosts/moon/etc/strongswan.conf                 |     6 +-
 .../hosts/carol/etc/strongswan.conf                |     2 +-
 .../hosts/dave/etc/strongswan.conf                 |     2 +-
 .../hosts/moon/etc/strongswan.conf                 |     2 +-
 .../hosts/carol/etc/strongswan.conf                |     2 +-
 .../hosts/dave/etc/strongswan.conf                 |     2 +-
 .../hosts/moon/etc/strongswan.conf                 |     2 +-
 .../hosts/carol/etc/strongswan.conf                |     2 +-
 .../hosts/dave/etc/strongswan.conf                 |     2 +-
 .../hosts/moon/etc/strongswan.conf                 |     2 +-
 .../tests/ikev2/multi-level-ca-loop/evaltest.dat   |     2 +-
 .../hosts/carol/etc/strongswan.conf                |     2 +-
 .../hosts/moon/etc/strongswan.conf                 |     2 +-
 .../ikev2/multi-level-ca-pathlen/description.txt   |     5 +
 .../ikev2/multi-level-ca-pathlen/evaltest.dat      |     4 +
 .../hosts/carol/etc/ipsec.conf                     |    23 +
 .../hosts/carol/etc/ipsec.d/certs/carolCert.pem    |    24 +
 .../hosts/carol/etc/ipsec.d/private/carolKey.pem   |    27 +
 .../hosts/carol/etc/ipsec.secrets                  |     3 +
 .../hosts/carol/etc/strongswan.conf                |     5 +
 .../hosts/moon/etc/ipsec.conf                      |    22 +
 .../hosts/moon/etc/ipsec.d/cacerts/duckCert.pem    |    23 +
 .../moon/etc/ipsec.d/cacerts/researchCert.pem      |    23 +
 .../hosts/moon/etc/strongswan.conf                 |     5 +
 .../ikev2/multi-level-ca-pathlen/posttest.dat      |     3 +
 .../tests/ikev2/multi-level-ca-pathlen/pretest.dat |     5 +
 .../tests/ikev2/multi-level-ca-pathlen/test.conf   |    21 +
 .../hosts/carol/etc/strongswan.conf                |     2 +-
 .../hosts/moon/etc/strongswan.conf                 |     2 +-
 .../hosts/carol/etc/strongswan.conf                |     2 +-
 .../hosts/dave/etc/strongswan.conf                 |     2 +-
 .../hosts/moon/etc/strongswan.conf                 |     2 +-
 .../multi-level-ca/hosts/carol/etc/strongswan.conf |     2 +-
 .../multi-level-ca/hosts/dave/etc/strongswan.conf  |     2 +-
 .../multi-level-ca/hosts/moon/etc/strongswan.conf  |     2 +-
 .../nat-one-rw/hosts/alice/etc/strongswan.conf     |     2 +-
 .../ikev2/nat-one-rw/hosts/sun/etc/strongswan.conf |     2 +-
 .../nat-two-rw-psk/hosts/alice/etc/strongswan.conf |     2 +-
 .../nat-two-rw-psk/hosts/sun/etc/strongswan.conf   |     2 +-
 .../nat-two-rw-psk/hosts/venus/etc/strongswan.conf |     2 +-
 .../nat-two-rw/hosts/alice/etc/strongswan.conf     |     2 +-
 .../ikev2/nat-two-rw/hosts/sun/etc/strongswan.conf |     2 +-
 .../nat-two-rw/hosts/venus/etc/strongswan.conf     |     2 +-
 .../net2net-cert/hosts/moon/etc/strongswan.conf    |     2 +-
 .../net2net-cert/hosts/sun/etc/strongswan.conf     |     2 +-
 testing/tests/ikev2/net2net-pgp-v3/description.txt |     6 +
 testing/tests/ikev2/net2net-pgp-v3/evaltest.dat    |     5 +
 .../ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.conf |    22 +
 .../hosts/moon/etc/ipsec.d/certs/moonCert.asc      |    15 +
 .../hosts/moon/etc/ipsec.d/certs/sunCert.asc       |    15 +
 .../hosts/moon/etc/ipsec.d/private/moonKey.asc     |    19 +
 .../net2net-pgp-v3/hosts/moon/etc/ipsec.secrets    |     3 +
 .../net2net-pgp-v3/hosts/moon/etc/strongswan.conf  |     6 +
 .../ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.conf  |    22 +
 .../hosts/sun/etc/ipsec.d/certs/moonCert.asc       |    15 +
 .../hosts/sun/etc/ipsec.d/certs/sunCert.asc        |    15 +
 .../hosts/sun/etc/ipsec.d/private/sunKey.asc       |    19 +
 .../net2net-pgp-v3/hosts/sun/etc/ipsec.secrets     |     3 +
 .../net2net-pgp-v3/hosts/sun/etc/strongswan.conf   |     6 +
 testing/tests/ikev2/net2net-pgp-v3/posttest.dat    |     8 +
 testing/tests/ikev2/net2net-pgp-v3/pretest.dat     |     8 +
 testing/tests/ikev2/net2net-pgp-v3/test.conf       |    21 +
 testing/tests/ikev2/net2net-pgp-v4/description.txt |     6 +
 testing/tests/ikev2/net2net-pgp-v4/evaltest.dat    |     5 +
 .../ikev2/net2net-pgp-v4/hosts/moon/etc/ipsec.conf |    22 +
 .../hosts/moon/etc/ipsec.d/certs/moonCert.asc      |    24 +
 .../hosts/moon/etc/ipsec.d/certs/sunCert.asc       |    24 +
 .../hosts/moon/etc/ipsec.d/private/moonKey.asc     |    32 +
 .../net2net-pgp-v4/hosts/moon/etc/ipsec.secrets    |     3 +
 .../net2net-pgp-v4/hosts/moon/etc/strongswan.conf  |     6 +
 .../ikev2/net2net-pgp-v4/hosts/sun/etc/ipsec.conf  |    22 +
 .../hosts/sun/etc/ipsec.d/certs/moonCert.asc       |    24 +
 .../hosts/sun/etc/ipsec.d/certs/sunCert.asc        |    24 +
 .../hosts/sun/etc/ipsec.d/private/sunKey.asc       |    32 +
 .../net2net-pgp-v4/hosts/sun/etc/ipsec.secrets     |     3 +
 .../net2net-pgp-v4/hosts/sun/etc/strongswan.conf   |     6 +
 testing/tests/ikev2/net2net-pgp-v4/posttest.dat    |     8 +
 testing/tests/ikev2/net2net-pgp-v4/pretest.dat     |     8 +
 testing/tests/ikev2/net2net-pgp-v4/test.conf       |    21 +
 .../net2net-psk/hosts/moon/etc/strongswan.conf     |     2 +-
 .../net2net-psk/hosts/sun/etc/strongswan.conf      |     2 +-
 .../tests/ikev2/net2net-rfc3779/description.txt    |    11 +
 testing/tests/ikev2/net2net-rfc3779/evaltest.dat   |    15 +
 .../net2net-rfc3779/hosts/moon/etc/ipsec.conf      |    26 +
 .../moon/etc/ipsec.d/cacerts/strongswanCert.pem    |    26 +
 .../hosts/moon/etc/ipsec.d/certs/moonCert.pem      |    28 +
 .../hosts/moon/etc/ipsec.d/private/moonKey.pem     |    27 +
 .../net2net-rfc3779/hosts/moon/etc/strongswan.conf |     6 +
 .../ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.conf |    26 +
 .../sun/etc/ipsec.d/cacerts/strongswanCert.pem     |    26 +
 .../hosts/sun/etc/ipsec.d/certs/sunCert.pem        |    28 +
 .../hosts/sun/etc/ipsec.d/private/sunKey.pem       |    27 +
 .../net2net-rfc3779/hosts/sun/etc/strongswan.conf  |     6 +
 testing/tests/ikev2/net2net-rfc3779/posttest.dat   |     5 +
 testing/tests/ikev2/net2net-rfc3779/pretest.dat    |     7 +
 testing/tests/ikev2/net2net-rfc3779/test.conf      |    21 +
 .../net2net-route/hosts/moon/etc/strongswan.conf   |     2 +-
 .../net2net-route/hosts/sun/etc/strongswan.conf    |     2 +-
 .../net2net-start/hosts/moon/etc/strongswan.conf   |     2 +-
 .../net2net-start/hosts/sun/etc/strongswan.conf    |     2 +-
 .../hosts/carol/etc/strongswan.conf                |     2 +-
 .../ocsp-local-cert/hosts/moon/etc/strongswan.conf |     2 +-
 .../hosts/carol/etc/strongswan.conf                |     2 +-
 .../hosts/dave/etc/strongswan.conf                 |     2 +-
 .../hosts/moon/etc/strongswan.conf                 |     2 +-
 .../hosts/carol/etc/strongswan.conf                |     2 +-
 .../hosts/moon/etc/strongswan.conf                 |     2 +-
 .../ikev2/ocsp-revoked/hosts/carol/etc/ipsec.conf  |     2 +-
 .../carol/etc/ipsec.d/certs/carolCert-revoked.pem  |    25 -
 .../carol/etc/ipsec.d/certs/carolRevokedCert.pem   |    25 +
 .../carol/etc/ipsec.d/private/carolKey-revoked.pem |    27 -
 .../carol/etc/ipsec.d/private/carolRevokedKey.pem  |    27 +
 .../ocsp-revoked/hosts/carol/etc/ipsec.secrets     |     2 +-
 .../ocsp-revoked/hosts/carol/etc/strongswan.conf   |     2 +-
 .../ocsp-revoked/hosts/moon/etc/strongswan.conf    |     2 +-
 .../ocsp-root-cert/hosts/carol/etc/strongswan.conf |     2 +-
 .../ocsp-root-cert/hosts/moon/etc/strongswan.conf  |     2 +-
 .../hosts/carol/etc/strongswan.conf                |     2 +-
 .../hosts/moon/etc/strongswan.conf                 |     2 +-
 .../hosts/carol/etc/strongswan.conf                |     2 +-
 .../hosts/dave/etc/strongswan.conf                 |     2 +-
 .../hosts/moon/etc/strongswan.conf                 |     2 +-
 .../hosts/carol/etc/strongswan.conf                |     2 +-
 .../hosts/moon/etc/strongswan.conf                 |     2 +-
 .../hosts/carol/etc/strongswan.conf                |     2 +-
 .../hosts/moon/etc/strongswan.conf                 |     2 +-
 .../hosts/carol/etc/strongswan.conf                |     2 +-
 .../hosts/moon/etc/strongswan.conf                 |     2 +-
 .../protoport-dual/hosts/carol/etc/strongswan.conf |     2 +-
 .../protoport-dual/hosts/moon/etc/strongswan.conf  |     2 +-
 .../hosts/carol/etc/strongswan.conf                |     2 +-
 .../protoport-route/hosts/moon/etc/strongswan.conf |     2 +-
 .../reauth-early/hosts/carol/etc/strongswan.conf   |     2 +-
 .../reauth-early/hosts/moon/etc/strongswan.conf    |     2 +-
 .../reauth-late/hosts/carol/etc/strongswan.conf    |     2 +-
 .../reauth-late/hosts/moon/etc/strongswan.conf     |     2 +-
 .../ikev2/rw-cert/hosts/carol/etc/strongswan.conf  |     2 +-
 .../ikev2/rw-cert/hosts/dave/etc/strongswan.conf   |     2 +-
 .../ikev2/rw-cert/hosts/moon/etc/strongswan.conf   |     2 +-
 .../hosts/carol/etc/strongswan.conf                |     2 +-
 .../hosts/moon/etc/strongswan.conf                 |     2 +-
 testing/tests/ikev2/rw-eap-aka-rsa/evaltest.dat    |     2 +-
 .../rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf |     2 +-
 .../ikev2/rw-eap-aka-rsa/hosts/moon/etc/ipsec.conf |     2 +-
 .../rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf  |     2 +-
 .../hosts/carol/etc/strongswan.conf                |     2 +-
 .../hosts/moon/etc/strongswan.conf                 |     6 +-
 .../hosts/carol/etc/strongswan.conf                |     2 +-
 .../hosts/moon/etc/strongswan.conf                 |     4 +-
 .../rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf |     2 +-
 .../rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf  |     2 +-
 .../hosts/carol/etc/strongswan.conf                |     2 +-
 .../hosts/moon/etc/strongswan.conf                 |     2 +-
 .../hosts/carol/etc/ipsec.d/triplets.dat           |     6 +-
 .../hosts/carol/etc/strongswan.conf                |     2 +-
 .../hosts/moon/etc/strongswan.conf                 |     6 +-
 .../ikev2/rw-eap-sim-only-radius/description.txt   |    14 +
 .../ikev2/rw-eap-sim-only-radius/evaltest.dat      |    15 +
 .../hosts/alice/etc/raddb/clients.conf             |     4 +
 .../hosts/alice/etc/raddb/eap.conf                 |     5 +
 .../hosts/alice/etc/raddb/proxy.conf               |     5 +
 .../hosts/alice/etc/raddb/radiusd.conf             |   123 +
 .../hosts/alice/etc/raddb/sites-available/default  |    62 +
 .../hosts/alice/etc/raddb/triplets.dat             |     7 +
 .../hosts/alice/etc/raddb/users                    |     0
 .../hosts/carol/etc/ipsec.conf                     |    21 +
 .../hosts/carol/etc/ipsec.d/triplets.dat           |     3 +
 .../hosts/carol/etc/ipsec.secrets                  |     1 +
 .../hosts/carol/etc/strongswan.conf                |     6 +
 .../hosts/dave/etc/ipsec.conf                      |    21 +
 .../hosts/dave/etc/ipsec.d/triplets.dat            |     3 +
 .../hosts/dave/etc/ipsec.secrets                   |     1 +
 .../hosts/dave/etc/strongswan.conf                 |     6 +
 .../hosts/moon/etc/init.d/iptables                 |    84 +
 .../hosts/moon/etc/ipsec.conf                      |    25 +
 .../hosts/moon/etc/ipsec.secrets                   |     1 +
 .../hosts/moon/etc/strongswan.conf                 |    12 +
 .../ikev2/rw-eap-sim-only-radius/posttest.dat      |     7 +
 .../tests/ikev2/rw-eap-sim-only-radius/pretest.dat |    18 +
 .../tests/ikev2/rw-eap-sim-only-radius/test.conf   |    21 +
 .../hosts/carol/etc/strongswan.conf                |     2 +-
 .../hosts/dave/etc/strongswan.conf                 |     2 +-
 .../hosts/moon/etc/strongswan.conf                 |     4 +-
 testing/tests/ikev2/rw-eap-sim-rsa/evaltest.dat    |     2 +-
 .../hosts/carol/etc/ipsec.d/triplets.dat           |     6 +-
 .../rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf |     2 +-
 .../ikev2/rw-eap-sim-rsa/hosts/moon/etc/ipsec.conf |     2 +-
 .../hosts/moon/etc/ipsec.d/triplets.dat            |     6 +-
 .../rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf  |     2 +-
 .../hosts/carol/etc/strongswan.conf                |     2 +-
 .../rw-hash-and-url/hosts/dave/etc/strongswan.conf |     2 +-
 .../rw-hash-and-url/hosts/moon/etc/strongswan.conf |     2 +-
 .../rw-psk-fqdn/hosts/carol/etc/strongswan.conf    |     2 +-
 .../rw-psk-fqdn/hosts/dave/etc/strongswan.conf     |     2 +-
 .../rw-psk-fqdn/hosts/moon/etc/strongswan.conf     |     2 +-
 .../rw-psk-ipv4/hosts/carol/etc/strongswan.conf    |     2 +-
 .../rw-psk-ipv4/hosts/dave/etc/strongswan.conf     |     2 +-
 .../rw-psk-ipv4/hosts/moon/etc/strongswan.conf     |     2 +-
 .../rw-psk-no-idr/hosts/carol/etc/strongswan.conf  |     2 +-
 .../rw-psk-no-idr/hosts/dave/etc/strongswan.conf   |     2 +-
 .../rw-psk-no-idr/hosts/moon/etc/strongswan.conf   |     2 +-
 .../hosts/carol/etc/strongswan.conf                |     2 +-
 .../hosts/dave/etc/strongswan.conf                 |     2 +-
 .../hosts/moon/etc/strongswan.conf                 |     2 +-
 .../hosts/carol/etc/strongswan.conf                |     2 +-
 .../hosts/dave/etc/strongswan.conf                 |     2 +-
 .../hosts/moon/etc/strongswan.conf                 |     2 +-
 .../hosts/carol/etc/strongswan.conf                |     2 +-
 .../hosts/dave/etc/strongswan.conf                 |     2 +-
 .../hosts/moon/etc/strongswan.conf                 |     2 +-
 .../two-certs/hosts/carol/etc/strongswan.conf      |     2 +-
 .../ikev2/two-certs/hosts/moon/etc/strongswan.conf |     2 +-
 .../hosts/carol/etc/strongswan.conf                |     2 +-
 .../hosts/dave/etc/strongswan.conf                 |     2 +-
 .../hosts/moon/etc/strongswan.conf                 |     2 +-
 .../virtual-ip/hosts/carol/etc/strongswan.conf     |     2 +-
 .../virtual-ip/hosts/dave/etc/strongswan.conf      |     2 +-
 .../virtual-ip/hosts/moon/etc/strongswan.conf      |     2 +-
 .../wildcards/hosts/carol/etc/strongswan.conf      |     2 +-
 .../ikev2/wildcards/hosts/dave/etc/strongswan.conf |     2 +-
 .../ikev2/wildcards/hosts/moon/etc/strongswan.conf |     2 +-
 .../host2host-ikev2/hosts/moon/etc/init.d/iptables |     9 +-
 .../ipv6/host2host-ikev2/hosts/moon/etc/ipsec.conf |     6 +
 .../host2host-ikev2/hosts/moon/etc/strongswan.conf |     3 +-
 .../host2host-ikev2/hosts/sun/etc/init.d/iptables  |     9 +-
 .../ipv6/host2host-ikev2/hosts/sun/etc/ipsec.conf  |     6 +
 .../host2host-ikev2/hosts/sun/etc/strongswan.conf  |     3 +-
 testing/tests/ipv6/host2host-ikev2/pretest.dat     |     1 +
 .../net2net-ikev2/hosts/moon/etc/init.d/iptables   |     9 +-
 .../ipv6/net2net-ikev2/hosts/moon/etc/ipsec.conf   |     6 +
 .../net2net-ikev2/hosts/moon/etc/strongswan.conf   |     3 +-
 .../net2net-ikev2/hosts/sun/etc/init.d/iptables    |     9 +-
 .../ipv6/net2net-ikev2/hosts/sun/etc/ipsec.conf    |     6 +
 .../net2net-ikev2/hosts/sun/etc/strongswan.conf    |     3 +-
 testing/tests/ipv6/net2net-ikev2/pretest.dat       |     1 +
 .../ipv6/net2net-ip4-in-ip6-ikev1/description.txt  |     4 +
 .../ipv6/net2net-ip4-in-ip6-ikev1/evaltest.dat     |     5 +
 .../hosts/moon/etc/init.d/iptables                 |   107 +
 .../hosts/moon/etc/ipsec.conf                      |    28 +
 .../hosts/sun/etc/init.d/iptables                  |   107 +
 .../hosts/sun/etc/ipsec.conf                       |    28 +
 .../ipv6/net2net-ip4-in-ip6-ikev1/posttest.dat     |     2 +
 .../ipv6/net2net-ip4-in-ip6-ikev1/pretest.dat      |     7 +
 .../tests/ipv6/net2net-ip4-in-ip6-ikev1/test.conf  |    21 +
 .../hosts/moon/etc/init.d/iptables                 |     9 +-
 .../hosts/moon/etc/ipsec.conf                      |     7 +
 .../hosts/moon/etc/strongswan.conf                 |     3 +-
 .../hosts/sun/etc/init.d/iptables                  |     9 +-
 .../hosts/sun/etc/ipsec.conf                       |     7 +
 .../hosts/sun/etc/strongswan.conf                  |     3 +-
 .../ipv6/net2net-ip4-in-ip6-ikev2/posttest.dat     |     2 +
 .../ipv6/net2net-ip4-in-ip6-ikev2/pretest.dat      |     5 +-
 .../ipv6/net2net-ip6-in-ip4-ikev1/description.txt  |     6 +
 .../ipv6/net2net-ip6-in-ip4-ikev1/evaltest.dat     |     5 +
 .../hosts/moon/etc/init.d/iptables                 |   107 +
 .../hosts/moon/etc/ipsec.conf                      |    25 +
 .../hosts/moon/etc/strongswan.conf                 |     5 +
 .../hosts/sun/etc/init.d/iptables                  |   107 +
 .../hosts/sun/etc/ipsec.conf                       |    25 +
 .../hosts/sun/etc/strongswan.conf                  |     5 +
 .../ipv6/net2net-ip6-in-ip4-ikev1/posttest.dat     |     6 +
 .../ipv6/net2net-ip6-in-ip4-ikev1/pretest.dat      |    11 +
 .../tests/ipv6/net2net-ip6-in-ip4-ikev1/test.conf  |    21 +
 .../hosts/moon/etc/init.d/iptables                 |    31 +-
 .../hosts/moon/etc/ipsec.conf                      |     1 +
 .../hosts/moon/etc/strongswan.conf                 |     2 +-
 .../hosts/sun/etc/init.d/iptables                  |    35 +-
 .../hosts/sun/etc/ipsec.conf                       |     1 +
 .../hosts/sun/etc/strongswan.conf                  |     2 +-
 .../ipv6/net2net-ip6-in-ip4-ikev2/posttest.dat     |     2 +
 .../ipv6/net2net-ip6-in-ip4-ikev2/pretest.dat      |     5 +-
 .../ipv6/net2net-rfc3779-ikev2/description.txt     |    11 +
 .../tests/ipv6/net2net-rfc3779-ikev2/evaltest.dat  |     7 +
 .../hosts/moon/etc/init.d/iptables                 |   104 +
 .../hosts/moon/etc/ipsec.conf                      |    34 +
 .../moon/etc/ipsec.d/cacerts/strongswanCert.pem    |    26 +
 .../hosts/moon/etc/ipsec.d/certs/moonCert.pem      |    28 +
 .../hosts/moon/etc/ipsec.d/private/moonKey.pem     |    27 +
 .../hosts/moon/etc/strongswan.conf                 |     6 +
 .../hosts/sun/etc/init.d/iptables                  |   104 +
 .../net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.conf |    34 +
 .../sun/etc/ipsec.d/cacerts/strongswanCert.pem     |    26 +
 .../hosts/sun/etc/ipsec.d/certs/sunCert.pem        |    28 +
 .../hosts/sun/etc/ipsec.d/private/sunKey.pem       |    27 +
 .../hosts/sun/etc/strongswan.conf                  |     6 +
 .../tests/ipv6/net2net-rfc3779-ikev2/posttest.dat  |     8 +
 .../tests/ipv6/net2net-rfc3779-ikev2/pretest.dat   |    11 +
 testing/tests/ipv6/net2net-rfc3779-ikev2/test.conf |    21 +
 .../ipv6/rw-ikev2/hosts/carol/etc/init.d/iptables  |     9 +-
 .../tests/ipv6/rw-ikev2/hosts/carol/etc/ipsec.conf |     6 +
 .../ipv6/rw-ikev2/hosts/carol/etc/strongswan.conf  |     3 +-
 .../ipv6/rw-ikev2/hosts/dave/etc/init.d/iptables   |     9 +-
 .../tests/ipv6/rw-ikev2/hosts/dave/etc/ipsec.conf  |     6 +
 .../ipv6/rw-ikev2/hosts/dave/etc/strongswan.conf   |     3 +-
 .../ipv6/rw-ikev2/hosts/moon/etc/init.d/iptables   |     9 +-
 .../tests/ipv6/rw-ikev2/hosts/moon/etc/ipsec.conf  |     6 +
 .../ipv6/rw-ikev2/hosts/moon/etc/strongswan.conf   |     3 +-
 testing/tests/ipv6/rw-ikev2/pretest.dat            |     1 +
 .../rw-psk-ikev2/hosts/carol/etc/init.d/iptables   |     7 -
 .../rw-psk-ikev2/hosts/carol/etc/strongswan.conf   |     2 +-
 .../rw-psk-ikev2/hosts/dave/etc/init.d/iptables    |     7 -
 .../rw-psk-ikev2/hosts/dave/etc/strongswan.conf    |     2 +-
 .../rw-psk-ikev2/hosts/moon/etc/init.d/iptables    |     7 -
 .../rw-psk-ikev2/hosts/moon/etc/strongswan.conf    |     2 +-
 testing/tests/ipv6/rw-psk-ikev2/pretest.dat        |     1 +
 .../tests/ipv6/rw-rfc3779-ikev2/description.txt    |    12 +
 testing/tests/ipv6/rw-rfc3779-ikev2/evaltest.dat   |    14 +
 .../hosts/carol/etc/init.d/iptables                |   104 +
 .../rw-rfc3779-ikev2/hosts/carol/etc/ipsec.conf    |    29 +
 .../carol/etc/ipsec.d/cacerts/strongswanCert.pem   |    26 +
 .../hosts/carol/etc/ipsec.d/certs/carolCert.pem    |    27 +
 .../hosts/carol/etc/ipsec.d/private/carolKey.pem   |    27 +
 .../rw-rfc3779-ikev2/hosts/carol/etc/ipsec.secrets |     3 +
 .../hosts/carol/etc/strongswan.conf                |     6 +
 .../hosts/dave/etc/init.d/iptables                 |   104 +
 .../rw-rfc3779-ikev2/hosts/dave/etc/ipsec.conf     |    29 +
 .../dave/etc/ipsec.d/cacerts/strongswanCert.pem    |    26 +
 .../hosts/dave/etc/ipsec.d/certs/daveCert.pem      |    27 +
 .../hosts/dave/etc/ipsec.d/private/daveKey.pem     |    27 +
 .../hosts/dave/etc/strongswan.conf                 |     6 +
 .../hosts/moon/etc/init.d/iptables                 |   104 +
 .../rw-rfc3779-ikev2/hosts/moon/etc/ipsec.conf     |    28 +
 .../moon/etc/ipsec.d/cacerts/strongswanCert.pem    |    26 +
 .../hosts/moon/etc/ipsec.d/certs/moonCert.pem      |    28 +
 .../hosts/moon/etc/ipsec.d/private/moonKey.pem     |    27 +
 .../hosts/moon/etc/strongswan.conf                 |     6 +
 testing/tests/ipv6/rw-rfc3779-ikev2/posttest.dat   |     9 +
 testing/tests/ipv6/rw-rfc3779-ikev2/pretest.dat    |    13 +
 testing/tests/ipv6/rw-rfc3779-ikev2/test.conf      |    21 +
 .../transport-ikev2/hosts/moon/etc/init.d/iptables |     9 +-
 .../ipv6/transport-ikev2/hosts/moon/etc/ipsec.conf |     6 +
 .../transport-ikev2/hosts/moon/etc/strongswan.conf |     3 +-
 .../transport-ikev2/hosts/sun/etc/init.d/iptables  |     9 +-
 .../ipv6/transport-ikev2/hosts/sun/etc/ipsec.conf  |     6 +
 .../transport-ikev2/hosts/sun/etc/strongswan.conf  |     3 +-
 testing/tests/ipv6/transport-ikev2/pretest.dat     |     1 +
 .../openssl-ikev1/alg-camellia/description.txt     |     4 +
 .../tests/openssl-ikev1/alg-camellia/evaltest.dat  |    11 +
 .../alg-camellia/hosts/carol/etc/ipsec.conf        |    24 +
 .../alg-camellia/hosts/carol/etc/strongswan.conf   |    11 +
 .../alg-camellia/hosts/moon/etc/ipsec.conf         |    24 +
 .../alg-camellia/hosts/moon/etc/strongswan.conf    |    11 +
 .../tests/openssl-ikev1/alg-camellia/posttest.dat  |     2 +
 .../tests/openssl-ikev1/alg-camellia/pretest.dat   |     5 +
 testing/tests/openssl-ikev1/alg-camellia/test.conf |    22 +
 .../alg-ecp-high/hosts/carol/etc/strongswan.conf   |     2 +-
 .../alg-ecp-high/hosts/dave/etc/strongswan.conf    |     2 +-
 .../alg-ecp-high/hosts/moon/etc/strongswan.conf    |     2 +-
 .../alg-ecp-low/hosts/carol/etc/strongswan.conf    |     2 +-
 .../alg-ecp-low/hosts/dave/etc/strongswan.conf     |     2 +-
 .../alg-ecp-low/hosts/moon/etc/strongswan.conf     |     2 +-
 .../ecdsa-certs/hosts/carol/etc/strongswan.conf    |     2 +-
 .../ecdsa-certs/hosts/dave/etc/strongswan.conf     |     2 +-
 .../ecdsa-certs/hosts/moon/etc/strongswan.conf     |     2 +-
 .../rw-cert/hosts/carol/etc/strongswan.conf        |     2 +-
 .../rw-cert/hosts/dave/etc/strongswan.conf         |     2 +-
 .../rw-cert/hosts/moon/etc/strongswan.conf         |     2 +-
 .../tests/openssl-ikev2/alg-blowfish/evaltest.dat  |    20 +-
 .../alg-blowfish/hosts/carol/etc/strongswan.conf   |     2 +-
 .../alg-blowfish/hosts/dave/etc/strongswan.conf    |     2 +-
 .../alg-blowfish/hosts/moon/etc/strongswan.conf    |     2 +-
 .../tests/openssl-ikev2/alg-camellia/evaltest.dat  |     4 +-
 .../alg-camellia/hosts/carol/etc/strongswan.conf   |     2 +-
 .../alg-camellia/hosts/moon/etc/strongswan.conf    |     2 +-
 testing/tests/openssl-ikev2/alg-camellia/test.conf |     2 +-
 .../alg-ecp-high/hosts/carol/etc/strongswan.conf   |     2 +-
 .../alg-ecp-high/hosts/dave/etc/strongswan.conf    |     2 +-
 .../alg-ecp-high/hosts/moon/etc/strongswan.conf    |     2 +-
 .../alg-ecp-low/hosts/carol/etc/strongswan.conf    |     2 +-
 .../alg-ecp-low/hosts/dave/etc/strongswan.conf     |     2 +-
 .../alg-ecp-low/hosts/moon/etc/strongswan.conf     |     2 +-
 .../ecdsa-certs/hosts/carol/etc/strongswan.conf    |     2 +-
 .../ecdsa-certs/hosts/dave/etc/strongswan.conf     |     2 +-
 .../ecdsa-certs/hosts/moon/etc/strongswan.conf     |     2 +-
 .../rw-cert/hosts/carol/etc/strongswan.conf        |     2 +-
 .../rw-cert/hosts/dave/etc/strongswan.conf         |     2 +-
 .../rw-cert/hosts/moon/etc/strongswan.conf         |     2 +-
 .../hosts/alice/etc/strongswan.conf                |     2 +-
 .../hosts/carol/etc/strongswan.conf                |     2 +-
 .../hosts/venus/etc/strongswan.conf                |     2 +-
 .../medsrv-psk/hosts/alice/etc/strongswan.conf     |     2 +-
 .../medsrv-psk/hosts/bob/etc/strongswan.conf       |     2 +-
 .../medsrv-psk/hosts/carol/etc/strongswan.conf     |     2 +-
 testing/tests/pfkey/alg-aes-xcbc/description.txt   |     4 +-
 testing/tests/pfkey/alg-aes-xcbc/evaltest.dat      |    13 +-
 .../pfkey/alg-aes-xcbc/hosts/carol/etc/ipsec.conf  |     4 +-
 .../alg-aes-xcbc/hosts/carol/etc/strongswan.conf   |     2 +-
 .../pfkey/alg-aes-xcbc/hosts/moon/etc/ipsec.conf   |     4 +-
 .../alg-aes-xcbc/hosts/moon/etc/strongswan.conf    |     2 +-
 testing/tests/pfkey/alg-aes-xcbc/test.conf         |     2 +-
 testing/tests/pfkey/alg-sha384/description.txt     |     4 +
 testing/tests/pfkey/alg-sha384/evaltest.dat        |    11 +
 .../pfkey/alg-sha384/hosts/carol/etc/ipsec.conf    |    25 +
 .../alg-sha384/hosts/carol/etc/strongswan.conf     |     5 +
 .../pfkey/alg-sha384/hosts/moon/etc/ipsec.conf     |    24 +
 .../alg-sha384/hosts/moon/etc/strongswan.conf      |     5 +
 testing/tests/pfkey/alg-sha384/posttest.dat        |     4 +
 testing/tests/pfkey/alg-sha384/pretest.dat         |     6 +
 testing/tests/pfkey/alg-sha384/test.conf           |    21 +
 testing/tests/pfkey/alg-sha512/description.txt     |     4 +
 testing/tests/pfkey/alg-sha512/evaltest.dat        |    11 +
 .../pfkey/alg-sha512/hosts/carol/etc/ipsec.conf    |    25 +
 .../alg-sha512/hosts/carol/etc/strongswan.conf     |     5 +
 .../pfkey/alg-sha512/hosts/moon/etc/ipsec.conf     |    24 +
 .../alg-sha512/hosts/moon/etc/strongswan.conf      |     5 +
 testing/tests/pfkey/alg-sha512/posttest.dat        |     4 +
 testing/tests/pfkey/alg-sha512/pretest.dat         |     6 +
 testing/tests/pfkey/alg-sha512/test.conf           |    21 +
 testing/tests/pfkey/esp-alg-null/evaltest.dat      |     4 +-
 .../esp-alg-null/hosts/carol/etc/strongswan.conf   |     2 +-
 .../esp-alg-null/hosts/moon/etc/strongswan.conf    |     2 +-
 testing/tests/pfkey/esp-alg-null/test.conf         |     2 +-
 .../hosts/moon/etc/strongswan.conf                 |     2 +-
 .../hosts/sun/etc/strongswan.conf                  |     2 +-
 .../nat-two-rw/hosts/alice/etc/strongswan.conf     |     2 +-
 .../pfkey/nat-two-rw/hosts/sun/etc/strongswan.conf |     2 +-
 .../nat-two-rw/hosts/venus/etc/strongswan.conf     |     2 +-
 .../net2net-route/hosts/moon/etc/strongswan.conf   |     2 +-
 .../net2net-route/hosts/sun/etc/strongswan.conf    |     2 +-
 .../protoport-dual/hosts/carol/etc/strongswan.conf |     2 +-
 .../protoport-dual/hosts/moon/etc/strongswan.conf  |     2 +-
 .../hosts/carol/etc/strongswan.conf                |     2 +-
 .../protoport-route/hosts/moon/etc/strongswan.conf |     2 +-
 .../pfkey/rw-cert/hosts/carol/etc/strongswan.conf  |     2 +-
 .../pfkey/rw-cert/hosts/dave/etc/strongswan.conf   |     2 +-
 .../pfkey/rw-cert/hosts/moon/etc/strongswan.conf   |     2 +-
 .../hosts/carol/etc/ipsec.d/data.sql               |     8 +-
 .../hosts/carol/etc/strongswan.conf                |     2 +-
 .../hosts/dave/etc/ipsec.d/data.sql                |     8 +-
 .../hosts/dave/etc/strongswan.conf                 |     2 +-
 .../hosts/moon/etc/ipsec.d/data.sql                |     8 +-
 .../hosts/moon/etc/strongswan.conf                 |    10 +-
 .../hosts/carol/etc/ipsec.d/data.sql               |     8 +-
 .../hosts/carol/etc/strongswan.conf                |     2 +-
 .../hosts/dave/etc/ipsec.d/data.sql                |     8 +-
 .../hosts/dave/etc/strongswan.conf                 |     2 +-
 .../hosts/moon/etc/ipsec.d/data.sql                |     8 +-
 .../hosts/moon/etc/strongswan.conf                 |    10 +-
 testing/tests/sql/ip-pool-db/evaltest.dat          |    11 +
 .../ip-pool-db/hosts/carol/etc/ipsec.d/data.sql    |     8 +-
 .../sql/ip-pool-db/hosts/carol/etc/strongswan.conf |     2 +-
 .../sql/ip-pool-db/hosts/dave/etc/ipsec.d/data.sql |     8 +-
 .../sql/ip-pool-db/hosts/dave/etc/strongswan.conf  |     2 +-
 .../sql/ip-pool-db/hosts/moon/etc/ipsec.d/data.sql |    33 +-
 .../sql/ip-pool-db/hosts/moon/etc/strongswan.conf  |    10 +-
 testing/tests/sql/ip-pool-db/pretest.dat           |     1 +
 .../hosts/carol/etc/ipsec.d/data.sql               |     8 +-
 .../hosts/carol/etc/strongswan.conf                |     2 +-
 .../hosts/dave/etc/ipsec.d/data.sql                |     8 +-
 .../hosts/dave/etc/strongswan.conf                 |     2 +-
 .../hosts/moon/etc/ipsec.d/data.sql                |     8 +-
 .../hosts/moon/etc/strongswan.conf                 |    10 +-
 .../hosts/carol/etc/ipsec.d/data.sql               |     8 +-
 .../hosts/carol/etc/strongswan.conf                |     2 +-
 .../hosts/dave/etc/ipsec.d/data.sql                |     8 +-
 .../hosts/dave/etc/strongswan.conf                 |     2 +-
 .../hosts/moon/etc/ipsec.d/data.sql                |     8 +-
 .../hosts/moon/etc/strongswan.conf                 |    10 +-
 .../net2net-cert/hosts/moon/etc/ipsec.d/data.sql   |     8 +-
 .../net2net-cert/hosts/moon/etc/strongswan.conf    |     2 +-
 .../net2net-cert/hosts/sun/etc/ipsec.d/data.sql    |    10 +-
 .../sql/net2net-cert/hosts/sun/etc/strongswan.conf |     2 +-
 .../sql/net2net-psk/hosts/moon/etc/strongswan.conf |     2 +-
 .../sql/net2net-psk/hosts/sun/etc/strongswan.conf  |     2 +-
 .../sql/rw-cert/hosts/carol/etc/ipsec.d/data.sql   |     8 +-
 .../sql/rw-cert/hosts/carol/etc/strongswan.conf    |     2 +-
 .../sql/rw-cert/hosts/dave/etc/ipsec.d/data.sql    |     8 +-
 .../sql/rw-cert/hosts/dave/etc/strongswan.conf     |     2 +-
 .../sql/rw-cert/hosts/moon/etc/ipsec.d/data.sql    |     8 +-
 .../sql/rw-cert/hosts/moon/etc/strongswan.conf     |     2 +-
 testing/tests/sql/rw-eap-aka-rsa/evaltest.dat      |     2 +-
 .../hosts/carol/etc/ipsec.d/data.sql               |     2 +-
 .../rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf |     4 +-
 .../rw-eap-aka-rsa/hosts/moon/etc/ipsec.d/data.sql |    18 +-
 .../rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf  |     4 +-
 .../rw-psk-ipv4/hosts/carol/etc/strongswan.conf    |     2 +-
 .../sql/rw-psk-ipv4/hosts/dave/etc/strongswan.conf |     2 +-
 .../sql/rw-psk-ipv4/hosts/moon/etc/strongswan.conf |     2 +-
 .../rw-psk-ipv6/hosts/carol/etc/strongswan.conf    |     2 +-
 .../sql/rw-psk-ipv6/hosts/dave/etc/strongswan.conf |     2 +-
 .../sql/rw-psk-ipv6/hosts/moon/etc/strongswan.conf |     2 +-
 .../hosts/carol/etc/ipsec.d/data.sql               |     2 +-
 .../hosts/carol/etc/strongswan.conf                |     2 +-
 .../hosts/dave/etc/ipsec.d/data.sql                |     2 +-
 .../hosts/dave/etc/strongswan.conf                 |     2 +-
 .../hosts/moon/etc/ipsec.d/data.sql                |     8 +-
 .../hosts/moon/etc/strongswan.conf                 |     2 +-
 testing/tests/sql/rw-rsa-keyid/evaltest.dat        |     8 +-
 .../rw-rsa-keyid/hosts/carol/etc/ipsec.d/data.sql  |    10 +-
 .../rw-rsa-keyid/hosts/carol/etc/strongswan.conf   |     2 +-
 .../rw-rsa-keyid/hosts/dave/etc/ipsec.d/data.sql   |    13 +-
 .../rw-rsa-keyid/hosts/dave/etc/strongswan.conf    |     2 +-
 .../rw-rsa-keyid/hosts/moon/etc/ipsec.d/data.sql   |    14 +-
 .../rw-rsa-keyid/hosts/moon/etc/strongswan.conf    |     2 +-
 .../sql/rw-rsa/hosts/carol/etc/ipsec.d/data.sql    |    10 +-
 .../sql/rw-rsa/hosts/carol/etc/strongswan.conf     |     2 +-
 .../sql/rw-rsa/hosts/dave/etc/ipsec.d/data.sql     |    10 +-
 .../sql/rw-rsa/hosts/dave/etc/strongswan.conf      |     2 +-
 .../sql/rw-rsa/hosts/moon/etc/ipsec.d/data.sql     |    14 +-
 .../sql/rw-rsa/hosts/moon/etc/strongswan.conf      |     2 +-
 1990 files changed, 82586 insertions(+), 60030 deletions(-)
 create mode 100644 m4/config/libtool.m4
 create mode 100644 m4/config/ltoptions.m4
 create mode 100644 m4/config/ltsugar.m4
 create mode 100644 m4/config/ltversion.m4
 create mode 100644 m4/config/lt~obsolete.m4
 create mode 100644 m4/macros/enable-disable.m4
 create mode 100644 m4/macros/with.m4
 delete mode 100644 src/charon/config/attributes/attribute_handler.h
 delete mode 100644 src/charon/config/attributes/attribute_manager.c
 delete mode 100644 src/charon/config/attributes/attribute_manager.h
 delete mode 100644 src/charon/config/attributes/attribute_provider.h
 delete mode 100644 src/charon/config/traffic_selector.c
 delete mode 100644 src/charon/config/traffic_selector.h
 delete mode 100644 src/charon/plugins/eap_aka/eap_aka.c
 delete mode 100644 src/charon/plugins/eap_aka/eap_aka.h
 create mode 100644 src/charon/plugins/eap_aka/eap_aka_peer.c
 create mode 100644 src/charon/plugins/eap_aka/eap_aka_peer.h
 create mode 100644 src/charon/plugins/eap_aka/eap_aka_server.c
 create mode 100644 src/charon/plugins/eap_aka/eap_aka_server.h
 create mode 100644 src/charon/plugins/eap_aka_3gpp2/Makefile.am
 create mode 100644 src/charon/plugins/eap_aka_3gpp2/Makefile.in
 create mode 100644 src/charon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_card.c
 create mode 100644 src/charon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_card.h
 create mode 100644 src/charon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_functions.c
 create mode 100644 src/charon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_functions.h
 create mode 100644 src/charon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_plugin.c
 create mode 100644 src/charon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_plugin.h
 create mode 100644 src/charon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_provider.c
 create mode 100644 src/charon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_provider.h
 delete mode 100644 src/charon/plugins/eap_sim/eap_sim.c
 delete mode 100644 src/charon/plugins/eap_sim/eap_sim.h
 create mode 100644 src/charon/plugins/eap_sim/eap_sim_peer.c
 create mode 100644 src/charon/plugins/eap_sim/eap_sim_peer.h
 create mode 100644 src/charon/plugins/eap_sim/eap_sim_server.c
 create mode 100644 src/charon/plugins/eap_sim/eap_sim_server.h
 create mode 100644 src/charon/plugins/eap_simaka_pseudonym/Makefile.am
 create mode 100644 src/charon/plugins/eap_simaka_pseudonym/Makefile.in
 create mode 100644 src/charon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_card.c
 create mode 100644 src/charon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_card.h
 create mode 100644 src/charon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_plugin.c
 create mode 100644 src/charon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_plugin.h
 create mode 100644 src/charon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_provider.c
 create mode 100644 src/charon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_provider.h
 create mode 100644 src/charon/plugins/eap_simaka_reauth/Makefile.am
 create mode 100644 src/charon/plugins/eap_simaka_reauth/Makefile.in
 create mode 100644 src/charon/plugins/eap_simaka_reauth/eap_simaka_reauth_card.c
 create mode 100644 src/charon/plugins/eap_simaka_reauth/eap_simaka_reauth_card.h
 create mode 100644 src/charon/plugins/eap_simaka_reauth/eap_simaka_reauth_plugin.c
 create mode 100644 src/charon/plugins/eap_simaka_reauth/eap_simaka_reauth_plugin.h
 create mode 100644 src/charon/plugins/eap_simaka_reauth/eap_simaka_reauth_provider.c
 create mode 100644 src/charon/plugins/eap_simaka_reauth/eap_simaka_reauth_provider.h
 delete mode 100644 src/charon/plugins/resolv_conf/Makefile.am
 delete mode 100644 src/charon/plugins/resolv_conf/Makefile.in
 delete mode 100644 src/charon/plugins/resolv_conf/resolv_conf_handler.c
 delete mode 100644 src/charon/plugins/resolv_conf/resolv_conf_handler.h
 delete mode 100644 src/charon/plugins/resolv_conf/resolv_conf_plugin.c
 delete mode 100644 src/charon/plugins/resolv_conf/resolv_conf_plugin.h
 create mode 100644 src/charon/plugins/resolve/Makefile.am
 create mode 100644 src/charon/plugins/resolve/Makefile.in
 create mode 100644 src/charon/plugins/resolve/resolve_handler.c
 create mode 100644 src/charon/plugins/resolve/resolve_handler.h
 create mode 100644 src/charon/plugins/resolve/resolve_plugin.c
 create mode 100644 src/charon/plugins/resolve/resolve_plugin.h
 delete mode 100644 src/charon/plugins/sql/pool.c
 delete mode 100644 src/charon/plugins/sql/sql_attribute.c
 delete mode 100644 src/charon/plugins/sql/sql_attribute.h
 create mode 100644 src/charon/processing/jobs/inactivity_job.c
 create mode 100644 src/charon/processing/jobs/inactivity_job.h
 create mode 100644 src/charon/sa/tasks/ike_vendor.c
 create mode 100644 src/charon/sa/tasks/ike_vendor.h
 create mode 100644 src/libsimaka/Makefile.am
 create mode 100644 src/libsimaka/Makefile.in
 create mode 100644 src/libsimaka/simaka_crypto.c
 create mode 100644 src/libsimaka/simaka_crypto.h
 create mode 100644 src/libsimaka/simaka_message.c
 create mode 100644 src/libsimaka/simaka_message.h
 delete mode 100755 src/libstrongswan/asn1/pem.c
 delete mode 100755 src/libstrongswan/asn1/pem.h
 create mode 100644 src/libstrongswan/attributes/attribute_handler.h
 create mode 100644 src/libstrongswan/attributes/attribute_manager.c
 create mode 100644 src/libstrongswan/attributes/attribute_manager.h
 create mode 100644 src/libstrongswan/attributes/attribute_provider.h
 create mode 100644 src/libstrongswan/attributes/attributes.c
 create mode 100644 src/libstrongswan/attributes/attributes.h
 create mode 100644 src/libstrongswan/credentials/certificates/pgp_certificate.h
 create mode 100644 src/libstrongswan/credentials/certificates/pkcs10.h
 create mode 100644 src/libstrongswan/credentials/ietf_attributes/ietf_attributes.c
 create mode 100644 src/libstrongswan/credentials/ietf_attributes/ietf_attributes.h
 create mode 100644 src/libstrongswan/credentials/keys/key_encoding.c
 create mode 100644 src/libstrongswan/credentials/keys/key_encoding.h
 delete mode 100644 src/libstrongswan/pgp/pgp.c
 delete mode 100644 src/libstrongswan/pgp/pgp.h
 create mode 100644 src/libstrongswan/plugins/attr_sql/Makefile.am
 create mode 100644 src/libstrongswan/plugins/attr_sql/Makefile.in
 create mode 100644 src/libstrongswan/plugins/attr_sql/attr_sql_plugin.c
 create mode 100644 src/libstrongswan/plugins/attr_sql/attr_sql_plugin.h
 create mode 100644 src/libstrongswan/plugins/attr_sql/pool.c
 create mode 100644 src/libstrongswan/plugins/attr_sql/sql_attribute.c
 create mode 100644 src/libstrongswan/plugins/attr_sql/sql_attribute.h
 create mode 100644 src/libstrongswan/plugins/dnskey/Makefile.am
 create mode 100644 src/libstrongswan/plugins/dnskey/Makefile.in
 create mode 100644 src/libstrongswan/plugins/dnskey/dnskey_builder.c
 create mode 100644 src/libstrongswan/plugins/dnskey/dnskey_builder.h
 create mode 100644 src/libstrongswan/plugins/dnskey/dnskey_plugin.c
 create mode 100644 src/libstrongswan/plugins/dnskey/dnskey_plugin.h
 create mode 100644 src/libstrongswan/plugins/pem/Makefile.am
 create mode 100644 src/libstrongswan/plugins/pem/Makefile.in
 create mode 100644 src/libstrongswan/plugins/pem/pem_builder.c
 create mode 100644 src/libstrongswan/plugins/pem/pem_builder.h
 create mode 100644 src/libstrongswan/plugins/pem/pem_plugin.c
 create mode 100644 src/libstrongswan/plugins/pem/pem_plugin.h
 create mode 100644 src/libstrongswan/plugins/pgp/Makefile.am
 create mode 100644 src/libstrongswan/plugins/pgp/Makefile.in
 create mode 100644 src/libstrongswan/plugins/pgp/pgp_builder.c
 create mode 100644 src/libstrongswan/plugins/pgp/pgp_builder.h
 create mode 100644 src/libstrongswan/plugins/pgp/pgp_cert.c
 create mode 100644 src/libstrongswan/plugins/pgp/pgp_cert.h
 create mode 100644 src/libstrongswan/plugins/pgp/pgp_encoder.c
 create mode 100644 src/libstrongswan/plugins/pgp/pgp_encoder.h
 create mode 100644 src/libstrongswan/plugins/pgp/pgp_plugin.c
 create mode 100644 src/libstrongswan/plugins/pgp/pgp_plugin.h
 create mode 100644 src/libstrongswan/plugins/pgp/pgp_utils.c
 create mode 100644 src/libstrongswan/plugins/pgp/pgp_utils.h
 create mode 100644 src/libstrongswan/plugins/pkcs1/Makefile.am
 create mode 100644 src/libstrongswan/plugins/pkcs1/Makefile.in
 create mode 100644 src/libstrongswan/plugins/pkcs1/pkcs1_builder.c
 create mode 100644 src/libstrongswan/plugins/pkcs1/pkcs1_builder.h
 create mode 100644 src/libstrongswan/plugins/pkcs1/pkcs1_encoder.c
 create mode 100644 src/libstrongswan/plugins/pkcs1/pkcs1_encoder.h
 create mode 100644 src/libstrongswan/plugins/pkcs1/pkcs1_plugin.c
 create mode 100644 src/libstrongswan/plugins/pkcs1/pkcs1_plugin.h
 delete mode 100644 src/libstrongswan/plugins/pubkey/pubkey_public_key.c
 delete mode 100644 src/libstrongswan/plugins/pubkey/pubkey_public_key.h
 delete mode 100644 src/libstrongswan/plugins/x509/ietf_attr_list.c
 delete mode 100644 src/libstrongswan/plugins/x509/ietf_attr_list.h
 create mode 100644 src/libstrongswan/plugins/x509/x509_pkcs10.c
 create mode 100644 src/libstrongswan/plugins/x509/x509_pkcs10.h
 create mode 100644 src/libstrongswan/selectors/traffic_selector.c
 create mode 100644 src/libstrongswan/selectors/traffic_selector.h
 create mode 100644 src/libstrongswan/threading/condvar.h
 create mode 100644 src/libstrongswan/threading/lock_profiler.h
 create mode 100644 src/libstrongswan/threading/mutex.c
 create mode 100644 src/libstrongswan/threading/mutex.h
 create mode 100644 src/libstrongswan/threading/rwlock.c
 create mode 100644 src/libstrongswan/threading/rwlock.h
 create mode 100644 src/libstrongswan/threading/thread.c
 create mode 100644 src/libstrongswan/threading/thread.h
 create mode 100644 src/libstrongswan/threading/thread_value.c
 create mode 100644 src/libstrongswan/threading/thread_value.h
 delete mode 100644 src/libstrongswan/utils/mutex.c
 delete mode 100644 src/libstrongswan/utils/mutex.h
 create mode 100644 src/pki/Makefile.am
 create mode 100644 src/pki/Makefile.in
 create mode 100644 src/pki/command.c
 create mode 100644 src/pki/command.h
 create mode 100644 src/pki/commands/gen.c
 create mode 100644 src/pki/commands/issue.c
 create mode 100644 src/pki/commands/keyid.c
 create mode 100644 src/pki/commands/pub.c
 create mode 100644 src/pki/commands/req.c
 create mode 100644 src/pki/commands/self.c
 create mode 100644 src/pki/commands/verify.c
 create mode 100644 src/pki/pki.c
 create mode 100644 src/pki/pki.h
 create mode 100644 src/pluto/builder.c
 create mode 100644 src/pluto/builder.h
 delete mode 100644 src/pluto/id.c
 delete mode 100644 src/pluto/id.h
 create mode 100644 src/pluto/myid.c
 create mode 100644 src/pluto/myid.h
 delete mode 100644 src/pluto/pem.c
 delete mode 100644 src/pluto/pem.h
 delete mode 100644 src/pluto/pgpcert.c
 delete mode 100644 src/pluto/pgpcert.h
 delete mode 100644 src/scepclient/pkcs10.c
 delete mode 100644 src/scepclient/pkcs10.h
 create mode 100644 testing/hosts/winnetou/etc/openssl/certs/160769ece9ead9c1c4d89c34aa004c3b66402081
 create mode 100644 testing/hosts/winnetou/etc/openssl/certs/442b7162c7a4c27bd0f1076e345c5664bed53c7c
 create mode 100644 testing/hosts/winnetou/etc/openssl/certs/45b967b2f9b4a8855235b2d01249cd1e079348aa
 create mode 100644 testing/hosts/winnetou/etc/openssl/certs/644c5cc8c42a6c8cfe62f6a83bb0dbb43f0f0fb4
 create mode 100644 testing/hosts/winnetou/etc/openssl/certs/c45be2b38883548967f4f959fd5ec0822f65237b
 create mode 100644 testing/hosts/winnetou/etc/openssl/certs/dbb808e4f319d815aadd8dab6f6ae5b717800e83
 create mode 100644 testing/hosts/winnetou/etc/openssl/certs/de106e5254cbafddb683117f90174910f43b5ae3
 create mode 100644 testing/hosts/winnetou/etc/openssl/certs/de216601f06d10a41171392fdfc9127f0bb9d5b0
 create mode 100644 testing/hosts/winnetou/etc/openssl/certs/edde495f4fb6db4e3eff85bcaecda2a3ccc58fcf
 create mode 100644 testing/hosts/winnetou/etc/openssl/certs/rfc3779/0b5362afd8838bafb66c854732b490d5d8318261
 create mode 100644 testing/hosts/winnetou/etc/openssl/certs/rfc3779/533394399c61128c957881790d70511537798da1
 create mode 100644 testing/hosts/winnetou/etc/openssl/certs/rfc3779/6b5aec8fe9dcb8d0f707490abc84ab0890a7d2da
 create mode 100644 testing/hosts/winnetou/etc/openssl/certs/rfc3779/b8a73c3433f4e341cc7c4ae42989f0a23a956488
 create mode 100644 testing/hosts/winnetou/etc/openssl/duck/.rand
 create mode 100644 testing/hosts/winnetou/etc/openssl/duck/crlnumber
 create mode 100644 testing/hosts/winnetou/etc/openssl/duck/duckCert.pem
 create mode 100644 testing/hosts/winnetou/etc/openssl/duck/duckKey.pem
 create mode 100644 testing/hosts/winnetou/etc/openssl/duck/duckReq.pem
 create mode 100644 testing/hosts/winnetou/etc/openssl/duck/index.txt
 create mode 100644 testing/hosts/winnetou/etc/openssl/duck/index.txt.attr
 create mode 100644 testing/hosts/winnetou/etc/openssl/duck/index.txt.old
 create mode 100644 testing/hosts/winnetou/etc/openssl/duck/newcerts/01.pem
 create mode 100644 testing/hosts/winnetou/etc/openssl/duck/openssl.cnf
 create mode 100644 testing/hosts/winnetou/etc/openssl/duck/serial
 create mode 100644 testing/hosts/winnetou/etc/openssl/duck/serial.old
 create mode 100755 testing/hosts/winnetou/etc/openssl/generate-hash-and-url
 create mode 100644 testing/hosts/winnetou/etc/openssl/newcerts/16.pem
 create mode 100644 testing/hosts/winnetou/etc/openssl/newcerts/17.pem
 create mode 100644 testing/hosts/winnetou/etc/openssl/newcerts/18.pem
 create mode 100644 testing/hosts/winnetou/etc/openssl/newcerts/19.pem
 create mode 100644 testing/hosts/winnetou/etc/openssl/newcerts/1A.pem
 create mode 100644 testing/hosts/winnetou/etc/openssl/newcerts/1B.pem
 create mode 100644 testing/hosts/winnetou/etc/openssl/newcerts/1C.pem
 create mode 100644 testing/hosts/winnetou/etc/openssl/newcerts/1D.pem
 create mode 100644 testing/hosts/winnetou/etc/openssl/newcerts/1E.pem
 create mode 100644 testing/hosts/winnetou/etc/openssl/research/newcerts/05.pem
 create mode 100644 testing/hosts/winnetou/etc/openssl/rfc3779/.rand
 create mode 100644 testing/hosts/winnetou/etc/openssl/rfc3779/crl.pem
 create mode 100644 testing/hosts/winnetou/etc/openssl/rfc3779/crlnumber
 create mode 100644 testing/hosts/winnetou/etc/openssl/rfc3779/crlnumber.old
 create mode 100644 testing/hosts/winnetou/etc/openssl/rfc3779/index.txt
 create mode 100644 testing/hosts/winnetou/etc/openssl/rfc3779/index.txt.attr
 create mode 100644 testing/hosts/winnetou/etc/openssl/rfc3779/index.txt.attr.old
 create mode 100644 testing/hosts/winnetou/etc/openssl/rfc3779/index.txt.old
 create mode 100644 testing/hosts/winnetou/etc/openssl/rfc3779/newcerts/01.pem
 create mode 100644 testing/hosts/winnetou/etc/openssl/rfc3779/newcerts/02.pem
 create mode 100644 testing/hosts/winnetou/etc/openssl/rfc3779/newcerts/03.pem
 create mode 100644 testing/hosts/winnetou/etc/openssl/rfc3779/newcerts/04.pem
 create mode 100644 testing/hosts/winnetou/etc/openssl/rfc3779/openssl.cnf
 create mode 100644 testing/hosts/winnetou/etc/openssl/rfc3779/serial
 create mode 100644 testing/hosts/winnetou/etc/openssl/rfc3779/serial.old
 create mode 100644 testing/hosts/winnetou/etc/openssl/rfc3779/strongswanCert.pem
 create mode 100644 testing/hosts/winnetou/etc/openssl/rfc3779/strongswanKey.pem
 create mode 100644 testing/tests/gcrypt-ikev1/alg-camellia/description.txt
 create mode 100644 testing/tests/gcrypt-ikev1/alg-camellia/evaltest.dat
 create mode 100755 testing/tests/gcrypt-ikev1/alg-camellia/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/gcrypt-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/gcrypt-ikev1/alg-camellia/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/gcrypt-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/gcrypt-ikev1/alg-camellia/posttest.dat
 create mode 100644 testing/tests/gcrypt-ikev1/alg-camellia/pretest.dat
 create mode 100644 testing/tests/gcrypt-ikev1/alg-camellia/test.conf
 create mode 100644 testing/tests/ikev1/alg-sha256-96/description.txt
 create mode 100644 testing/tests/ikev1/alg-sha256-96/evaltest.dat
 create mode 100755 testing/tests/ikev1/alg-sha256-96/hosts/carol/etc/ipsec.conf
 create mode 100755 testing/tests/ikev1/alg-sha256-96/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev1/alg-sha256-96/posttest.dat
 create mode 100644 testing/tests/ikev1/alg-sha256-96/pretest.dat
 create mode 100644 testing/tests/ikev1/alg-sha256-96/test.conf
 create mode 100644 testing/tests/ikev1/alg-sha256/description.txt
 create mode 100644 testing/tests/ikev1/alg-sha256/evaltest.dat
 create mode 100755 testing/tests/ikev1/alg-sha256/hosts/carol/etc/ipsec.conf
 create mode 100755 testing/tests/ikev1/alg-sha256/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev1/alg-sha256/posttest.dat
 create mode 100644 testing/tests/ikev1/alg-sha256/pretest.dat
 create mode 100644 testing/tests/ikev1/alg-sha256/test.conf
 delete mode 100644 testing/tests/ikev1/alg-sha2_256/description.txt
 delete mode 100644 testing/tests/ikev1/alg-sha2_256/evaltest.dat
 delete mode 100755 testing/tests/ikev1/alg-sha2_256/hosts/carol/etc/ipsec.conf
 delete mode 100755 testing/tests/ikev1/alg-sha2_256/hosts/moon/etc/ipsec.conf
 delete mode 100644 testing/tests/ikev1/alg-sha2_256/posttest.dat
 delete mode 100644 testing/tests/ikev1/alg-sha2_256/pretest.dat
 delete mode 100644 testing/tests/ikev1/alg-sha2_256/test.conf
 create mode 100644 testing/tests/ikev1/alg-sha384/description.txt
 create mode 100644 testing/tests/ikev1/alg-sha384/evaltest.dat
 create mode 100755 testing/tests/ikev1/alg-sha384/hosts/carol/etc/ipsec.conf
 create mode 100755 testing/tests/ikev1/alg-sha384/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev1/alg-sha384/posttest.dat
 create mode 100644 testing/tests/ikev1/alg-sha384/pretest.dat
 create mode 100644 testing/tests/ikev1/alg-sha384/test.conf
 create mode 100644 testing/tests/ikev1/alg-sha512/description.txt
 create mode 100644 testing/tests/ikev1/alg-sha512/evaltest.dat
 create mode 100755 testing/tests/ikev1/alg-sha512/hosts/carol/etc/ipsec.conf
 create mode 100755 testing/tests/ikev1/alg-sha512/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev1/alg-sha512/posttest.dat
 create mode 100644 testing/tests/ikev1/alg-sha512/pretest.dat
 create mode 100644 testing/tests/ikev1/alg-sha512/test.conf
 delete mode 100644 testing/tests/ikev1/esp-alg-camellia/description.txt
 delete mode 100644 testing/tests/ikev1/esp-alg-camellia/evaltest.dat
 delete mode 100755 testing/tests/ikev1/esp-alg-camellia/hosts/carol/etc/ipsec.conf
 delete mode 100755 testing/tests/ikev1/esp-alg-camellia/hosts/moon/etc/ipsec.conf
 delete mode 100644 testing/tests/ikev1/esp-alg-camellia/posttest.dat
 delete mode 100644 testing/tests/ikev1/esp-alg-camellia/pretest.dat
 delete mode 100644 testing/tests/ikev1/esp-alg-camellia/test.conf
 delete mode 100644 testing/tests/ikev1/ike-alg-sha2_384/description.txt
 delete mode 100644 testing/tests/ikev1/ike-alg-sha2_384/evaltest.dat
 delete mode 100755 testing/tests/ikev1/ike-alg-sha2_384/hosts/carol/etc/ipsec.conf
 delete mode 100755 testing/tests/ikev1/ike-alg-sha2_384/hosts/moon/etc/ipsec.conf
 delete mode 100644 testing/tests/ikev1/ike-alg-sha2_384/posttest.dat
 delete mode 100644 testing/tests/ikev1/ike-alg-sha2_384/pretest.dat
 delete mode 100644 testing/tests/ikev1/ike-alg-sha2_384/test.conf
 delete mode 100644 testing/tests/ikev1/ike-alg-sha2_512/description.txt
 delete mode 100644 testing/tests/ikev1/ike-alg-sha2_512/evaltest.dat
 delete mode 100755 testing/tests/ikev1/ike-alg-sha2_512/hosts/carol/etc/ipsec.conf
 delete mode 100755 testing/tests/ikev1/ike-alg-sha2_512/hosts/moon/etc/ipsec.conf
 delete mode 100644 testing/tests/ikev1/ike-alg-sha2_512/posttest.dat
 delete mode 100644 testing/tests/ikev1/ike-alg-sha2_512/pretest.dat
 delete mode 100644 testing/tests/ikev1/ike-alg-sha2_512/test.conf
 create mode 100644 testing/tests/ikev1/ip-pool-db-push/description.txt
 create mode 100644 testing/tests/ikev1/ip-pool-db-push/evaltest.dat
 create mode 100755 testing/tests/ikev1/ip-pool-db-push/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/ikev1/ip-pool-db-push/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/ikev1/ip-pool-db-push/hosts/dave/etc/ipsec.conf
 create mode 100644 testing/tests/ikev1/ip-pool-db-push/hosts/dave/etc/strongswan.conf
 create mode 100755 testing/tests/ikev1/ip-pool-db-push/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev1/ip-pool-db-push/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev1/ip-pool-db-push/posttest.dat
 create mode 100644 testing/tests/ikev1/ip-pool-db-push/pretest.dat
 create mode 100644 testing/tests/ikev1/ip-pool-db-push/test.conf
 create mode 100644 testing/tests/ikev1/ip-pool-db/description.txt
 create mode 100644 testing/tests/ikev1/ip-pool-db/evaltest.dat
 create mode 100755 testing/tests/ikev1/ip-pool-db/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/ikev1/ip-pool-db/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/ikev1/ip-pool-db/hosts/dave/etc/ipsec.conf
 create mode 100644 testing/tests/ikev1/ip-pool-db/hosts/dave/etc/strongswan.conf
 create mode 100755 testing/tests/ikev1/ip-pool-db/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev1/ip-pool-db/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev1/ip-pool-db/posttest.dat
 create mode 100644 testing/tests/ikev1/ip-pool-db/pretest.dat
 create mode 100644 testing/tests/ikev1/ip-pool-db/test.conf
 create mode 100644 testing/tests/ikev1/mode-config-multiple/description.txt
 create mode 100644 testing/tests/ikev1/mode-config-multiple/evaltest.dat
 create mode 100755 testing/tests/ikev1/mode-config-multiple/hosts/carol/etc/ipsec.conf
 create mode 100755 testing/tests/ikev1/mode-config-multiple/hosts/dave/etc/ipsec.conf
 create mode 100755 testing/tests/ikev1/mode-config-multiple/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev1/mode-config-multiple/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev1/mode-config-multiple/posttest.dat
 create mode 100644 testing/tests/ikev1/mode-config-multiple/pretest.dat
 create mode 100644 testing/tests/ikev1/mode-config-multiple/test.conf
 create mode 100644 testing/tests/ikev1/multi-level-ca-pathlen/description.txt
 create mode 100644 testing/tests/ikev1/multi-level-ca-pathlen/evaltest.dat
 create mode 100755 testing/tests/ikev1/multi-level-ca-pathlen/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/ikev1/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/certs/carolCert.pem
 create mode 100644 testing/tests/ikev1/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/private/carolKey.pem
 create mode 100644 testing/tests/ikev1/multi-level-ca-pathlen/hosts/carol/etc/ipsec.secrets
 create mode 100755 testing/tests/ikev1/multi-level-ca-pathlen/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev1/multi-level-ca-pathlen/hosts/moon/etc/ipsec.d/cacerts/duckCert.pem
 create mode 100644 testing/tests/ikev1/multi-level-ca-pathlen/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem
 create mode 100644 testing/tests/ikev1/multi-level-ca-pathlen/posttest.dat
 create mode 100644 testing/tests/ikev1/multi-level-ca-pathlen/pretest.dat
 create mode 100644 testing/tests/ikev1/multi-level-ca-pathlen/test.conf
 create mode 100644 testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/strongswan.conf
 create mode 100644 testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/strongswan.conf
 create mode 100644 testing/tests/ikev1/net2net-rsa/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev1/net2net-rsa/hosts/sun/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/alg-3des-md5/description.txt
 create mode 100644 testing/tests/ikev2/alg-3des-md5/evaltest.dat
 create mode 100755 testing/tests/ikev2/alg-3des-md5/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/alg-3des-md5/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/alg-3des-md5/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/alg-3des-md5/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/alg-3des-md5/posttest.dat
 create mode 100644 testing/tests/ikev2/alg-3des-md5/pretest.dat
 create mode 100644 testing/tests/ikev2/alg-3des-md5/test.conf
 create mode 100644 testing/tests/ikev2/alg-sha256-96/description.txt
 create mode 100644 testing/tests/ikev2/alg-sha256-96/evaltest.dat
 create mode 100755 testing/tests/ikev2/alg-sha256-96/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/alg-sha256-96/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/alg-sha256-96/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/alg-sha256-96/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/alg-sha256-96/posttest.dat
 create mode 100644 testing/tests/ikev2/alg-sha256-96/pretest.dat
 create mode 100644 testing/tests/ikev2/alg-sha256-96/test.conf
 create mode 100644 testing/tests/ikev2/alg-sha256/description.txt
 create mode 100644 testing/tests/ikev2/alg-sha256/evaltest.dat
 create mode 100755 testing/tests/ikev2/alg-sha256/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/alg-sha256/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/alg-sha256/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/alg-sha256/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/alg-sha256/posttest.dat
 create mode 100644 testing/tests/ikev2/alg-sha256/pretest.dat
 create mode 100644 testing/tests/ikev2/alg-sha256/test.conf
 create mode 100644 testing/tests/ikev2/alg-sha384/description.txt
 create mode 100644 testing/tests/ikev2/alg-sha384/evaltest.dat
 create mode 100755 testing/tests/ikev2/alg-sha384/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/alg-sha384/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/alg-sha384/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/alg-sha384/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/alg-sha384/posttest.dat
 create mode 100644 testing/tests/ikev2/alg-sha384/pretest.dat
 create mode 100644 testing/tests/ikev2/alg-sha384/test.conf
 create mode 100644 testing/tests/ikev2/alg-sha512/description.txt
 create mode 100644 testing/tests/ikev2/alg-sha512/evaltest.dat
 create mode 100755 testing/tests/ikev2/alg-sha512/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/alg-sha512/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/alg-sha512/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/alg-sha512/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/alg-sha512/posttest.dat
 create mode 100644 testing/tests/ikev2/alg-sha512/pretest.dat
 create mode 100644 testing/tests/ikev2/alg-sha512/test.conf
 delete mode 100644 testing/tests/ikev2/esp-alg-camellia/description.txt
 delete mode 100644 testing/tests/ikev2/esp-alg-camellia/evaltest.dat
 delete mode 100755 testing/tests/ikev2/esp-alg-camellia/hosts/carol/etc/ipsec.conf
 delete mode 100644 testing/tests/ikev2/esp-alg-camellia/hosts/carol/etc/strongswan.conf
 delete mode 100755 testing/tests/ikev2/esp-alg-camellia/hosts/moon/etc/ipsec.conf
 delete mode 100644 testing/tests/ikev2/esp-alg-camellia/hosts/moon/etc/strongswan.conf
 delete mode 100644 testing/tests/ikev2/esp-alg-camellia/posttest.dat
 delete mode 100644 testing/tests/ikev2/esp-alg-camellia/pretest.dat
 delete mode 100644 testing/tests/ikev2/esp-alg-camellia/test.conf
 create mode 100644 testing/tests/ikev2/inactivity-timeout/description.txt
 create mode 100644 testing/tests/ikev2/inactivity-timeout/evaltest.dat
 create mode 100755 testing/tests/ikev2/inactivity-timeout/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/inactivity-timeout/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/inactivity-timeout/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/inactivity-timeout/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/inactivity-timeout/posttest.dat
 create mode 100644 testing/tests/ikev2/inactivity-timeout/pretest.dat
 create mode 100644 testing/tests/ikev2/inactivity-timeout/test.conf
 create mode 100755 testing/tests/ikev2/mobike-nat/hosts/sun/etc/init.d/iptables
 create mode 100755 testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/init.d/iptables
 create mode 100755 testing/tests/ikev2/mobike/hosts/sun/etc/init.d/iptables
 create mode 100644 testing/tests/ikev2/multi-level-ca-pathlen/description.txt
 create mode 100644 testing/tests/ikev2/multi-level-ca-pathlen/evaltest.dat
 create mode 100755 testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/certs/carolCert.pem
 create mode 100644 testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/private/carolKey.pem
 create mode 100644 testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/ipsec.d/cacerts/duckCert.pem
 create mode 100644 testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem
 create mode 100644 testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/multi-level-ca-pathlen/posttest.dat
 create mode 100644 testing/tests/ikev2/multi-level-ca-pathlen/pretest.dat
 create mode 100644 testing/tests/ikev2/multi-level-ca-pathlen/test.conf
 create mode 100644 testing/tests/ikev2/net2net-pgp-v3/description.txt
 create mode 100644 testing/tests/ikev2/net2net-pgp-v3/evaltest.dat
 create mode 100755 testing/tests/ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/moonCert.asc
 create mode 100644 testing/tests/ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/sunCert.asc
 create mode 100644 testing/tests/ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/private/moonKey.asc
 create mode 100644 testing/tests/ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev2/net2net-pgp-v3/hosts/moon/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/moonCert.asc
 create mode 100644 testing/tests/ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/sunCert.asc
 create mode 100644 testing/tests/ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/private/sunKey.asc
 create mode 100644 testing/tests/ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev2/net2net-pgp-v3/hosts/sun/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/net2net-pgp-v3/posttest.dat
 create mode 100644 testing/tests/ikev2/net2net-pgp-v3/pretest.dat
 create mode 100644 testing/tests/ikev2/net2net-pgp-v3/test.conf
 create mode 100644 testing/tests/ikev2/net2net-pgp-v4/description.txt
 create mode 100644 testing/tests/ikev2/net2net-pgp-v4/evaltest.dat
 create mode 100755 testing/tests/ikev2/net2net-pgp-v4/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/net2net-pgp-v4/hosts/moon/etc/ipsec.d/certs/moonCert.asc
 create mode 100644 testing/tests/ikev2/net2net-pgp-v4/hosts/moon/etc/ipsec.d/certs/sunCert.asc
 create mode 100644 testing/tests/ikev2/net2net-pgp-v4/hosts/moon/etc/ipsec.d/private/moonKey.asc
 create mode 100644 testing/tests/ikev2/net2net-pgp-v4/hosts/moon/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev2/net2net-pgp-v4/hosts/moon/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/net2net-pgp-v4/hosts/sun/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/net2net-pgp-v4/hosts/sun/etc/ipsec.d/certs/moonCert.asc
 create mode 100644 testing/tests/ikev2/net2net-pgp-v4/hosts/sun/etc/ipsec.d/certs/sunCert.asc
 create mode 100644 testing/tests/ikev2/net2net-pgp-v4/hosts/sun/etc/ipsec.d/private/sunKey.asc
 create mode 100644 testing/tests/ikev2/net2net-pgp-v4/hosts/sun/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev2/net2net-pgp-v4/hosts/sun/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/net2net-pgp-v4/posttest.dat
 create mode 100644 testing/tests/ikev2/net2net-pgp-v4/pretest.dat
 create mode 100644 testing/tests/ikev2/net2net-pgp-v4/test.conf
 create mode 100644 testing/tests/ikev2/net2net-rfc3779/description.txt
 create mode 100644 testing/tests/ikev2/net2net-rfc3779/evaltest.dat
 create mode 100755 testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
 create mode 100644 testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.d/certs/moonCert.pem
 create mode 100644 testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.d/private/moonKey.pem
 create mode 100644 testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.d/cacerts/strongswanCert.pem
 create mode 100644 testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.d/certs/sunCert.pem
 create mode 100644 testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.d/private/sunKey.pem
 create mode 100644 testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/net2net-rfc3779/posttest.dat
 create mode 100644 testing/tests/ikev2/net2net-rfc3779/pretest.dat
 create mode 100644 testing/tests/ikev2/net2net-rfc3779/test.conf
 delete mode 100644 testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.d/certs/carolCert-revoked.pem
 create mode 100644 testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.d/certs/carolRevokedCert.pem
 delete mode 100644 testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.d/private/carolKey-revoked.pem
 create mode 100644 testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.d/private/carolRevokedKey.pem
 create mode 100644 testing/tests/ikev2/rw-eap-sim-only-radius/description.txt
 create mode 100644 testing/tests/ikev2/rw-eap-sim-only-radius/evaltest.dat
 create mode 100644 testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/clients.conf
 create mode 100644 testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/eap.conf
 create mode 100644 testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/proxy.conf
 create mode 100644 testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/radiusd.conf
 create mode 100644 testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/sites-available/default
 create mode 100644 testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/triplets.dat
 create mode 100644 testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/users
 create mode 100755 testing/tests/ikev2/rw-eap-sim-only-radius/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/rw-eap-sim-only-radius/hosts/carol/etc/ipsec.d/triplets.dat
 create mode 100644 testing/tests/ikev2/rw-eap-sim-only-radius/hosts/carol/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev2/rw-eap-sim-only-radius/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/rw-eap-sim-only-radius/hosts/dave/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/rw-eap-sim-only-radius/hosts/dave/etc/ipsec.d/triplets.dat
 create mode 100644 testing/tests/ikev2/rw-eap-sim-only-radius/hosts/dave/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev2/rw-eap-sim-only-radius/hosts/dave/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/init.d/iptables
 create mode 100755 testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/rw-eap-sim-only-radius/posttest.dat
 create mode 100644 testing/tests/ikev2/rw-eap-sim-only-radius/pretest.dat
 create mode 100644 testing/tests/ikev2/rw-eap-sim-only-radius/test.conf
 create mode 100644 testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/description.txt
 create mode 100644 testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/evaltest.dat
 create mode 100755 testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/init.d/iptables
 create mode 100755 testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/ipsec.conf
 create mode 100755 testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/init.d/iptables
 create mode 100755 testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/ipsec.conf
 create mode 100644 testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/posttest.dat
 create mode 100644 testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/pretest.dat
 create mode 100644 testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/test.conf
 create mode 100644 testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/description.txt
 create mode 100644 testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/evaltest.dat
 create mode 100755 testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/init.d/iptables
 create mode 100755 testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/strongswan.conf
 create mode 100755 testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/init.d/iptables
 create mode 100755 testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/ipsec.conf
 create mode 100644 testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/strongswan.conf
 create mode 100644 testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/posttest.dat
 create mode 100644 testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/pretest.dat
 create mode 100644 testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/test.conf
 create mode 100644 testing/tests/ipv6/net2net-rfc3779-ikev2/description.txt
 create mode 100644 testing/tests/ipv6/net2net-rfc3779-ikev2/evaltest.dat
 create mode 100755 testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/init.d/iptables
 create mode 100755 testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
 create mode 100644 testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.d/certs/moonCert.pem
 create mode 100644 testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.d/private/moonKey.pem
 create mode 100644 testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/strongswan.conf
 create mode 100755 testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/init.d/iptables
 create mode 100755 testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.conf
 create mode 100644 testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.d/cacerts/strongswanCert.pem
 create mode 100644 testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.d/certs/sunCert.pem
 create mode 100644 testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.d/private/sunKey.pem
 create mode 100644 testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/strongswan.conf
 create mode 100644 testing/tests/ipv6/net2net-rfc3779-ikev2/posttest.dat
 create mode 100644 testing/tests/ipv6/net2net-rfc3779-ikev2/pretest.dat
 create mode 100644 testing/tests/ipv6/net2net-rfc3779-ikev2/test.conf
 create mode 100644 testing/tests/ipv6/rw-rfc3779-ikev2/description.txt
 create mode 100644 testing/tests/ipv6/rw-rfc3779-ikev2/evaltest.dat
 create mode 100755 testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/init.d/iptables
 create mode 100755 testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
 create mode 100644 testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.d/certs/carolCert.pem
 create mode 100644 testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.d/private/carolKey.pem
 create mode 100644 testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.secrets
 create mode 100644 testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/init.d/iptables
 create mode 100755 testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.conf
 create mode 100644 testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem
 create mode 100644 testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.d/certs/daveCert.pem
 create mode 100644 testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.d/private/daveKey.pem
 create mode 100644 testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/strongswan.conf
 create mode 100755 testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/init.d/iptables
 create mode 100755 testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
 create mode 100644 testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.d/certs/moonCert.pem
 create mode 100644 testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.d/private/moonKey.pem
 create mode 100644 testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ipv6/rw-rfc3779-ikev2/posttest.dat
 create mode 100644 testing/tests/ipv6/rw-rfc3779-ikev2/pretest.dat
 create mode 100644 testing/tests/ipv6/rw-rfc3779-ikev2/test.conf
 create mode 100644 testing/tests/openssl-ikev1/alg-camellia/description.txt
 create mode 100644 testing/tests/openssl-ikev1/alg-camellia/evaltest.dat
 create mode 100755 testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/openssl-ikev1/alg-camellia/posttest.dat
 create mode 100644 testing/tests/openssl-ikev1/alg-camellia/pretest.dat
 create mode 100644 testing/tests/openssl-ikev1/alg-camellia/test.conf
 create mode 100644 testing/tests/pfkey/alg-sha384/description.txt
 create mode 100644 testing/tests/pfkey/alg-sha384/evaltest.dat
 create mode 100755 testing/tests/pfkey/alg-sha384/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/pfkey/alg-sha384/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/pfkey/alg-sha384/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/pfkey/alg-sha384/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/pfkey/alg-sha384/posttest.dat
 create mode 100644 testing/tests/pfkey/alg-sha384/pretest.dat
 create mode 100644 testing/tests/pfkey/alg-sha384/test.conf
 create mode 100644 testing/tests/pfkey/alg-sha512/description.txt
 create mode 100644 testing/tests/pfkey/alg-sha512/evaltest.dat
 create mode 100755 testing/tests/pfkey/alg-sha512/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/pfkey/alg-sha512/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/pfkey/alg-sha512/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/pfkey/alg-sha512/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/pfkey/alg-sha512/posttest.dat
 create mode 100644 testing/tests/pfkey/alg-sha512/pretest.dat
 create mode 100644 testing/tests/pfkey/alg-sha512/test.conf

(limited to 'src/libstrongswan/plugins')

diff --git a/Doxyfile.in b/Doxyfile.in
index 54f6596f0..8cb6e50a5 100644
--- a/Doxyfile.in
+++ b/Doxyfile.in
@@ -14,211 +14,204 @@
 # Project related configuration options
 #---------------------------------------------------------------------------
 
-# This tag specifies the encoding used for all characters in the config file 
-# that follow. The default is UTF-8 which is also the encoding used for all 
-# text before the first occurrence of this tag. Doxygen uses libiconv (or the 
-# iconv built into libc) for the transcoding. See 
+# This tag specifies the encoding used for all characters in the config file
+# that follow. The default is UTF-8 which is also the encoding used for all
+# text before the first occurrence of this tag. Doxygen uses libiconv (or the
+# iconv built into libc) for the transcoding. See
 # http://www.gnu.org/software/libiconv for the list of possible encodings.
 
 DOXYFILE_ENCODING      = UTF-8
 
-# The PROJECT_NAME tag is a single word (or a sequence of words surrounded 
+# The PROJECT_NAME tag is a single word (or a sequence of words surrounded
 # by quotes) that should identify the project.
 
 PROJECT_NAME           = "@PACKAGE_NAME@"
 
-# The PROJECT_NUMBER tag can be used to enter a project or revision number. 
-# This could be handy for archiving the generated documentation or 
+# The PROJECT_NUMBER tag can be used to enter a project or revision number.
+# This could be handy for archiving the generated documentation or
 # if some version control system is used.
 
 PROJECT_NUMBER         = "@PACKAGE_VERSION@"
 
-# The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute) 
-# base path where the generated documentation will be put. 
-# If a relative path is entered, it will be relative to the location 
+# The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute)
+# base path where the generated documentation will be put.
+# If a relative path is entered, it will be relative to the location
 # where doxygen was started. If left blank the current directory will be used.
 
 OUTPUT_DIRECTORY       = apidoc
 
-# If the CREATE_SUBDIRS tag is set to YES, then doxygen will create 
-# 4096 sub-directories (in 2 levels) under the output directory of each output 
-# format and will distribute the generated files over these directories. 
-# Enabling this option can be useful when feeding doxygen a huge amount of 
-# source files, where putting all generated files in the same directory would 
+# If the CREATE_SUBDIRS tag is set to YES, then doxygen will create
+# 4096 sub-directories (in 2 levels) under the output directory of each output
+# format and will distribute the generated files over these directories.
+# Enabling this option can be useful when feeding doxygen a huge amount of
+# source files, where putting all generated files in the same directory would
 # otherwise cause performance problems for the file system.
 
 CREATE_SUBDIRS         = NO
 
-# The OUTPUT_LANGUAGE tag is used to specify the language in which all 
-# documentation generated by doxygen is written. Doxygen will use this 
-# information to generate all constant output in the proper language. 
-# The default language is English, other supported languages are: 
-# Afrikaans, Arabic, Brazilian, Catalan, Chinese, Chinese-Traditional, 
-# Croatian, Czech, Danish, Dutch, Farsi, Finnish, French, German, Greek, 
-# Hungarian, Italian, Japanese, Japanese-en (Japanese with English messages), 
-# Korean, Korean-en, Lithuanian, Norwegian, Macedonian, Persian, Polish, 
-# Portuguese, Romanian, Russian, Serbian, Slovak, Slovene, Spanish, Swedish, 
+# The OUTPUT_LANGUAGE tag is used to specify the language in which all
+# documentation generated by doxygen is written. Doxygen will use this
+# information to generate all constant output in the proper language.
+# The default language is English, other supported languages are:
+# Afrikaans, Arabic, Brazilian, Catalan, Chinese, Chinese-Traditional,
+# Croatian, Czech, Danish, Dutch, Farsi, Finnish, French, German, Greek,
+# Hungarian, Italian, Japanese, Japanese-en (Japanese with English messages),
+# Korean, Korean-en, Lithuanian, Norwegian, Macedonian, Persian, Polish,
+# Portuguese, Romanian, Russian, Serbian, Slovak, Slovene, Spanish, Swedish,
 # and Ukrainian.
 
 OUTPUT_LANGUAGE        = English
 
-# If the BRIEF_MEMBER_DESC tag is set to YES (the default) Doxygen will 
-# include brief member descriptions after the members that are listed in 
-# the file and class documentation (similar to JavaDoc). 
+# If the BRIEF_MEMBER_DESC tag is set to YES (the default) Doxygen will
+# include brief member descriptions after the members that are listed in
+# the file and class documentation (similar to JavaDoc).
 # Set to NO to disable this.
 
 BRIEF_MEMBER_DESC      = YES
 
-# If the REPEAT_BRIEF tag is set to YES (the default) Doxygen will prepend 
-# the brief description of a member or function before the detailed description. 
-# Note: if both HIDE_UNDOC_MEMBERS and BRIEF_MEMBER_DESC are set to NO, the 
+# If the REPEAT_BRIEF tag is set to YES (the default) Doxygen will prepend
+# the brief description of a member or function before the detailed description.
+# Note: if both HIDE_UNDOC_MEMBERS and BRIEF_MEMBER_DESC are set to NO, the
 # brief descriptions will be completely suppressed.
 
 REPEAT_BRIEF           = YES
 
-# This tag implements a quasi-intelligent brief description abbreviator 
-# that is used to form the text in various listings. Each string 
-# in this list, if found as the leading text of the brief description, will be 
-# stripped from the text and the result after processing the whole list, is 
-# used as the annotated text. Otherwise, the brief description is used as-is. 
-# If left blank, the following values are used ("$name" is automatically 
-# replaced with the name of the entity): "The $name class" "The $name widget" 
-# "The $name file" "is" "provides" "specifies" "contains" 
+# This tag implements a quasi-intelligent brief description abbreviator
+# that is used to form the text in various listings. Each string
+# in this list, if found as the leading text of the brief description, will be
+# stripped from the text and the result after processing the whole list, is
+# used as the annotated text. Otherwise, the brief description is used as-is.
+# If left blank, the following values are used ("$name" is automatically
+# replaced with the name of the entity): "The $name class" "The $name widget"
+# "The $name file" "is" "provides" "specifies" "contains"
 # "represents" "a" "an" "the"
 
-ABBREVIATE_BRIEF       = 
+ABBREVIATE_BRIEF       =
 
-# If the ALWAYS_DETAILED_SEC and REPEAT_BRIEF tags are both set to YES then 
-# Doxygen will generate a detailed section even if there is only a brief 
+# If the ALWAYS_DETAILED_SEC and REPEAT_BRIEF tags are both set to YES then
+# Doxygen will generate a detailed section even if there is only a brief
 # description.
 
 ALWAYS_DETAILED_SEC    = NO
 
-# If the INLINE_INHERITED_MEMB tag is set to YES, doxygen will show all 
-# inherited members of a class in the documentation of that class as if those 
-# members were ordinary class members. Constructors, destructors and assignment 
+# If the INLINE_INHERITED_MEMB tag is set to YES, doxygen will show all
+# inherited members of a class in the documentation of that class as if those
+# members were ordinary class members. Constructors, destructors and assignment
 # operators of the base classes will not be shown.
 
 INLINE_INHERITED_MEMB  = NO
 
-# If the FULL_PATH_NAMES tag is set to YES then Doxygen will prepend the full 
-# path before files name in the file list and in the header files. If set 
+# If the FULL_PATH_NAMES tag is set to YES then Doxygen will prepend the full
+# path before files name in the file list and in the header files. If set
 # to NO the shortest path that makes the file name unique will be used.
 
 FULL_PATH_NAMES        = YES
 
-# If the FULL_PATH_NAMES tag is set to YES then the STRIP_FROM_PATH tag 
-# can be used to strip a user-defined part of the path. Stripping is 
-# only done if one of the specified strings matches the left-hand part of 
-# the path. The tag can be used to show relative paths in the file list. 
-# If left blank the directory from which doxygen is run is used as the 
+# If the FULL_PATH_NAMES tag is set to YES then the STRIP_FROM_PATH tag
+# can be used to strip a user-defined part of the path. Stripping is
+# only done if one of the specified strings matches the left-hand part of
+# the path. The tag can be used to show relative paths in the file list.
+# If left blank the directory from which doxygen is run is used as the
 # path to strip.
 
-STRIP_FROM_PATH        = 
+STRIP_FROM_PATH        =
 
-# The STRIP_FROM_INC_PATH tag can be used to strip a user-defined part of 
-# the path mentioned in the documentation of a class, which tells 
-# the reader which header file to include in order to use a class. 
-# If left blank only the name of the header file containing the class 
-# definition is used. Otherwise one should specify the include paths that 
+# The STRIP_FROM_INC_PATH tag can be used to strip a user-defined part of
+# the path mentioned in the documentation of a class, which tells
+# the reader which header file to include in order to use a class.
+# If left blank only the name of the header file containing the class
+# definition is used. Otherwise one should specify the include paths that
 # are normally passed to the compiler using the -I flag.
 
-STRIP_FROM_INC_PATH    = 
+STRIP_FROM_INC_PATH    =
 
-# If the SHORT_NAMES tag is set to YES, doxygen will generate much shorter 
-# (but less readable) file names. This can be useful is your file systems 
+# If the SHORT_NAMES tag is set to YES, doxygen will generate much shorter
+# (but less readable) file names. This can be useful is your file systems
 # doesn't support long names like on DOS, Mac, or CD-ROM.
 
 SHORT_NAMES            = NO
 
-# If the JAVADOC_AUTOBRIEF tag is set to YES then Doxygen 
-# will interpret the first line (until the first dot) of a JavaDoc-style 
-# comment as the brief description. If set to NO, the JavaDoc 
-# comments will behave just like regular Qt-style comments 
+# If the JAVADOC_AUTOBRIEF tag is set to YES then Doxygen
+# will interpret the first line (until the first dot) of a JavaDoc-style
+# comment as the brief description. If set to NO, the JavaDoc
+# comments will behave just like regular Qt-style comments
 # (thus requiring an explicit @brief command for a brief description.)
 
 JAVADOC_AUTOBRIEF      = YES
 
-# If the QT_AUTOBRIEF tag is set to YES then Doxygen will 
-# interpret the first line (until the first dot) of a Qt-style 
-# comment as the brief description. If set to NO, the comments 
-# will behave just like regular Qt-style comments (thus requiring 
+# If the QT_AUTOBRIEF tag is set to YES then Doxygen will
+# interpret the first line (until the first dot) of a Qt-style
+# comment as the brief description. If set to NO, the comments
+# will behave just like regular Qt-style comments (thus requiring
 # an explicit \brief command for a brief description.)
 
 QT_AUTOBRIEF           = NO
 
-# The MULTILINE_CPP_IS_BRIEF tag can be set to YES to make Doxygen 
-# treat a multi-line C++ special comment block (i.e. a block of //! or /// 
-# comments) as a brief description. This used to be the default behaviour. 
-# The new default is to treat a multi-line C++ comment block as a detailed 
+# The MULTILINE_CPP_IS_BRIEF tag can be set to YES to make Doxygen
+# treat a multi-line C++ special comment block (i.e. a block of //! or ///
+# comments) as a brief description. This used to be the default behaviour.
+# The new default is to treat a multi-line C++ comment block as a detailed
 # description. Set this tag to YES if you prefer the old behaviour instead.
 
 MULTILINE_CPP_IS_BRIEF = NO
 
-# If the DETAILS_AT_TOP tag is set to YES then Doxygen 
-# will output the detailed description near the top, like JavaDoc.
-# If set to NO, the detailed description appears after the member 
-# documentation.
-
-DETAILS_AT_TOP         = YES
-
-# If the INHERIT_DOCS tag is set to YES (the default) then an undocumented 
-# member inherits the documentation from any documented member that it 
+# If the INHERIT_DOCS tag is set to YES (the default) then an undocumented
+# member inherits the documentation from any documented member that it
 # re-implements.
 
 INHERIT_DOCS           = YES
 
-# If the SEPARATE_MEMBER_PAGES tag is set to YES, then doxygen will produce 
-# a new page for each member. If set to NO, the documentation of a member will 
+# If the SEPARATE_MEMBER_PAGES tag is set to YES, then doxygen will produce
+# a new page for each member. If set to NO, the documentation of a member will
 # be part of the file/class/namespace that contains it.
 
 SEPARATE_MEMBER_PAGES  = NO
 
-# The TAB_SIZE tag can be used to set the number of spaces in a tab. 
+# The TAB_SIZE tag can be used to set the number of spaces in a tab.
 # Doxygen uses this value to replace tabs by spaces in code fragments.
 
 TAB_SIZE               = 4
 
-# This tag can be used to specify a number of aliases that acts 
-# as commands in the documentation. An alias has the form "name=value". 
-# For example adding "sideeffect=\par Side Effects:\n" will allow you to 
-# put the command \sideeffect (or @sideeffect) in the documentation, which 
-# will result in a user-defined paragraph with heading "Side Effects:". 
+# This tag can be used to specify a number of aliases that acts
+# as commands in the documentation. An alias has the form "name=value".
+# For example adding "sideeffect=\par Side Effects:\n" will allow you to
+# put the command \sideeffect (or @sideeffect) in the documentation, which
+# will result in a user-defined paragraph with heading "Side Effects:".
 # You can put \n's in the value part of an alias to insert newlines.
 
-ALIASES                = 
+ALIASES                =
 
-# Set the OPTIMIZE_OUTPUT_FOR_C tag to YES if your project consists of C 
-# sources only. Doxygen will then generate output that is more tailored for C. 
-# For instance, some of the names that are used will be different. The list 
+# Set the OPTIMIZE_OUTPUT_FOR_C tag to YES if your project consists of C
+# sources only. Doxygen will then generate output that is more tailored for C.
+# For instance, some of the names that are used will be different. The list
 # of all members will be omitted, etc.
 
 OPTIMIZE_OUTPUT_FOR_C  = NO
 
-# Set the OPTIMIZE_OUTPUT_JAVA tag to YES if your project consists of Java 
-# sources only. Doxygen will then generate output that is more tailored for 
-# Java. For instance, namespaces will be presented as packages, qualified 
+# Set the OPTIMIZE_OUTPUT_JAVA tag to YES if your project consists of Java
+# sources only. Doxygen will then generate output that is more tailored for
+# Java. For instance, namespaces will be presented as packages, qualified
 # scopes will look different, etc.
 
 OPTIMIZE_OUTPUT_JAVA   = NO
 
-# Set the OPTIMIZE_FOR_FORTRAN tag to YES if your project consists of Fortran 
-# sources only. Doxygen will then generate output that is more tailored for 
+# Set the OPTIMIZE_FOR_FORTRAN tag to YES if your project consists of Fortran
+# sources only. Doxygen will then generate output that is more tailored for
 # Fortran.
 
 OPTIMIZE_FOR_FORTRAN   = NO
 
-# Set the OPTIMIZE_OUTPUT_VHDL tag to YES if your project consists of VHDL 
-# sources. Doxygen will then generate output that is tailored for 
+# Set the OPTIMIZE_OUTPUT_VHDL tag to YES if your project consists of VHDL
+# sources. Doxygen will then generate output that is tailored for
 # VHDL.
 
 OPTIMIZE_OUTPUT_VHDL   = NO
 
-# If you use STL classes (i.e. std::string, std::vector, etc.) but do not want 
-# to include (a tag file for) the STL sources as input, then you should 
-# set this tag to YES in order to let doxygen match functions declarations and 
-# definitions whose arguments contain STL classes (e.g. func(std::string); v.s. 
-# func(std::string) {}). This also make the inheritance and collaboration 
+# If you use STL classes (i.e. std::string, std::vector, etc.) but do not want
+# to include (a tag file for) the STL sources as input, then you should
+# set this tag to YES in order to let doxygen match functions declarations and
+# definitions whose arguments contain STL classes (e.g. func(std::string); v.s.
+# func(std::string) {}). This also make the inheritance and collaboration
 # diagrams that involve STL classes more complete and accurate.
 
 BUILTIN_STL_SUPPORT    = NO
@@ -228,42 +221,42 @@ BUILTIN_STL_SUPPORT    = NO
 
 CPP_CLI_SUPPORT        = NO
 
-# Set the SIP_SUPPORT tag to YES if your project consists of sip sources only. 
-# Doxygen will parse them like normal C++ but will assume all classes use public 
+# Set the SIP_SUPPORT tag to YES if your project consists of sip sources only.
+# Doxygen will parse them like normal C++ but will assume all classes use public
 # instead of private inheritance when no explicit protection keyword is present.
 
 SIP_SUPPORT            = NO
 
-# For Microsoft's IDL there are propget and propput attributes to indicate getter 
-# and setter methods for a property. Setting this option to YES (the default) 
-# will make doxygen to replace the get and set methods by a property in the 
-# documentation. This will only work if the methods are indeed getting or 
-# setting a simple type. If this is not the case, or you want to show the 
+# For Microsoft's IDL there are propget and propput attributes to indicate getter
+# and setter methods for a property. Setting this option to YES (the default)
+# will make doxygen to replace the get and set methods by a property in the
+# documentation. This will only work if the methods are indeed getting or
+# setting a simple type. If this is not the case, or you want to show the
 # methods anyway, you should set this option to NO.
 
 IDL_PROPERTY_SUPPORT   = YES
 
-# If member grouping is used in the documentation and the DISTRIBUTE_GROUP_DOC 
-# tag is set to YES, then doxygen will reuse the documentation of the first 
-# member in the group (if any) for the other members of the group. By default 
+# If member grouping is used in the documentation and the DISTRIBUTE_GROUP_DOC
+# tag is set to YES, then doxygen will reuse the documentation of the first
+# member in the group (if any) for the other members of the group. By default
 # all members of a group must be documented explicitly.
 
 DISTRIBUTE_GROUP_DOC   = NO
 
-# Set the SUBGROUPING tag to YES (the default) to allow class member groups of 
-# the same type (for instance a group of public functions) to be put as a 
-# subgroup of that type (e.g. under the Public Functions section). Set it to 
-# NO to prevent subgrouping. Alternatively, this can be done per class using 
+# Set the SUBGROUPING tag to YES (the default) to allow class member groups of
+# the same type (for instance a group of public functions) to be put as a
+# subgroup of that type (e.g. under the Public Functions section). Set it to
+# NO to prevent subgrouping. Alternatively, this can be done per class using
 # the \nosubgrouping command.
 
 SUBGROUPING            = YES
 
-# When TYPEDEF_HIDES_STRUCT is enabled, a typedef of a struct, union, or enum 
-# is documented as struct, union, or enum with the name of the typedef. So 
-# typedef struct TypeS {} TypeT, will appear in the documentation as a struct 
-# with name TypeT. When disabled the typedef will appear as a member of a file, 
-# namespace, or class. And the struct will be named TypeS. This can typically 
-# be useful for C code in case the coding convention dictates that all compound 
+# When TYPEDEF_HIDES_STRUCT is enabled, a typedef of a struct, union, or enum
+# is documented as struct, union, or enum with the name of the typedef. So
+# typedef struct TypeS {} TypeT, will appear in the documentation as a struct
+# with name TypeT. When disabled the typedef will appear as a member of a file,
+# namespace, or class. And the struct will be named TypeS. This can typically
+# be useful for C code in case the coding convention dictates that all compound
 # types are typedef'ed and only the typedef is referenced, never the tag name.
 
 TYPEDEF_HIDES_STRUCT   = YES
@@ -272,371 +265,372 @@ TYPEDEF_HIDES_STRUCT   = YES
 # Build related configuration options
 #---------------------------------------------------------------------------
 
-# If the EXTRACT_ALL tag is set to YES doxygen will assume all entities in 
-# documentation are documented, even if no documentation was available. 
-# Private class members and static file members will be hidden unless 
+# If the EXTRACT_ALL tag is set to YES doxygen will assume all entities in
+# documentation are documented, even if no documentation was available.
+# Private class members and static file members will be hidden unless
 # the EXTRACT_PRIVATE and EXTRACT_STATIC tags are set to YES
 
 EXTRACT_ALL            = NO
 
-# If the EXTRACT_PRIVATE tag is set to YES all private members of a class 
+# If the EXTRACT_PRIVATE tag is set to YES all private members of a class
 # will be included in the documentation.
 
 EXTRACT_PRIVATE        = NO
 
-# If the EXTRACT_STATIC tag is set to YES all static members of a file 
+# If the EXTRACT_STATIC tag is set to YES all static members of a file
 # will be included in the documentation.
 
 EXTRACT_STATIC         = NO
 
-# If the EXTRACT_LOCAL_CLASSES tag is set to YES classes (and structs) 
-# defined locally in source files will be included in the documentation. 
+# If the EXTRACT_LOCAL_CLASSES tag is set to YES classes (and structs)
+# defined locally in source files will be included in the documentation.
 # If set to NO only classes defined in header files are included.
 
 EXTRACT_LOCAL_CLASSES  = NO
 
-# This flag is only useful for Objective-C code. When set to YES local 
-# methods, which are defined in the implementation section but not in 
-# the interface are included in the documentation. 
+# This flag is only useful for Objective-C code. When set to YES local
+# methods, which are defined in the implementation section but not in
+# the interface are included in the documentation.
 # If set to NO (the default) only methods in the interface are included.
 
 EXTRACT_LOCAL_METHODS  = NO
 
-# If this flag is set to YES, the members of anonymous namespaces will be 
-# extracted and appear in the documentation as a namespace called 
-# 'anonymous_namespace{file}', where file will be replaced with the base 
-# name of the file that contains the anonymous namespace. By default 
+# If this flag is set to YES, the members of anonymous namespaces will be
+# extracted and appear in the documentation as a namespace called
+# 'anonymous_namespace{file}', where file will be replaced with the base
+# name of the file that contains the anonymous namespace. By default
 # anonymous namespace are hidden.
 
 EXTRACT_ANON_NSPACES   = NO
 
-# If the HIDE_UNDOC_MEMBERS tag is set to YES, Doxygen will hide all 
-# undocumented members of documented classes, files or namespaces. 
-# If set to NO (the default) these members will be included in the 
-# various overviews, but no documentation section is generated. 
+# If the HIDE_UNDOC_MEMBERS tag is set to YES, Doxygen will hide all
+# undocumented members of documented classes, files or namespaces.
+# If set to NO (the default) these members will be included in the
+# various overviews, but no documentation section is generated.
 # This option has no effect if EXTRACT_ALL is enabled.
 
 HIDE_UNDOC_MEMBERS     = NO
 
-# If the HIDE_UNDOC_CLASSES tag is set to YES, Doxygen will hide all 
-# undocumented classes that are normally visible in the class hierarchy. 
-# If set to NO (the default) these classes will be included in the various 
+# If the HIDE_UNDOC_CLASSES tag is set to YES, Doxygen will hide all
+# undocumented classes that are normally visible in the class hierarchy.
+# If set to NO (the default) these classes will be included in the various
 # overviews. This option has no effect if EXTRACT_ALL is enabled.
 
 HIDE_UNDOC_CLASSES     = NO
 
-# If the HIDE_FRIEND_COMPOUNDS tag is set to YES, Doxygen will hide all 
-# friend (class|struct|union) declarations. 
-# If set to NO (the default) these declarations will be included in the 
+# If the HIDE_FRIEND_COMPOUNDS tag is set to YES, Doxygen will hide all
+# friend (class|struct|union) declarations.
+# If set to NO (the default) these declarations will be included in the
 # documentation.
 
 HIDE_FRIEND_COMPOUNDS  = NO
 
-# If the HIDE_IN_BODY_DOCS tag is set to YES, Doxygen will hide any 
-# documentation blocks found inside the body of a function. 
-# If set to NO (the default) these blocks will be appended to the 
+# If the HIDE_IN_BODY_DOCS tag is set to YES, Doxygen will hide any
+# documentation blocks found inside the body of a function.
+# If set to NO (the default) these blocks will be appended to the
 # function's detailed documentation block.
 
 HIDE_IN_BODY_DOCS      = NO
 
-# The INTERNAL_DOCS tag determines if documentation 
-# that is typed after a \internal command is included. If the tag is set 
-# to NO (the default) then the documentation will be excluded. 
+# The INTERNAL_DOCS tag determines if documentation
+# that is typed after a \internal command is included. If the tag is set
+# to NO (the default) then the documentation will be excluded.
 # Set it to YES to include the internal documentation.
 
 INTERNAL_DOCS          = NO
 
-# If the CASE_SENSE_NAMES tag is set to NO then Doxygen will only generate 
-# file names in lower-case letters. If set to YES upper-case letters are also 
-# allowed. This is useful if you have classes or files whose names only differ 
-# in case and if your file system supports case sensitive file names. Windows 
+# If the CASE_SENSE_NAMES tag is set to NO then Doxygen will only generate
+# file names in lower-case letters. If set to YES upper-case letters are also
+# allowed. This is useful if you have classes or files whose names only differ
+# in case and if your file system supports case sensitive file names. Windows
 # and Mac users are advised to set this option to NO.
 
 CASE_SENSE_NAMES       = YES
 
-# If the HIDE_SCOPE_NAMES tag is set to NO (the default) then Doxygen 
-# will show members with their full class and namespace scopes in the 
+# If the HIDE_SCOPE_NAMES tag is set to NO (the default) then Doxygen
+# will show members with their full class and namespace scopes in the
 # documentation. If set to YES the scope will be hidden.
 
 HIDE_SCOPE_NAMES       = NO
 
-# If the SHOW_INCLUDE_FILES tag is set to YES (the default) then Doxygen 
-# will put a list of the files that are included by a file in the documentation 
+# If the SHOW_INCLUDE_FILES tag is set to YES (the default) then Doxygen
+# will put a list of the files that are included by a file in the documentation
 # of that file.
 
 SHOW_INCLUDE_FILES     = NO
 
-# If the INLINE_INFO tag is set to YES (the default) then a tag [inline] 
+# If the INLINE_INFO tag is set to YES (the default) then a tag [inline]
 # is inserted in the documentation for inline members.
 
 INLINE_INFO            = YES
 
-# If the SORT_MEMBER_DOCS tag is set to YES (the default) then doxygen 
-# will sort the (detailed) documentation of file and class members 
-# alphabetically by member name. If set to NO the members will appear in 
+# If the SORT_MEMBER_DOCS tag is set to YES (the default) then doxygen
+# will sort the (detailed) documentation of file and class members
+# alphabetically by member name. If set to NO the members will appear in
 # declaration order.
 
 SORT_MEMBER_DOCS       = NO
 
-# If the SORT_BRIEF_DOCS tag is set to YES then doxygen will sort the 
-# brief documentation of file, namespace and class members alphabetically 
-# by member name. If set to NO (the default) the members will appear in 
+# If the SORT_BRIEF_DOCS tag is set to YES then doxygen will sort the
+# brief documentation of file, namespace and class members alphabetically
+# by member name. If set to NO (the default) the members will appear in
 # declaration order.
 
 SORT_BRIEF_DOCS        = NO
 
-# If the SORT_GROUP_NAMES tag is set to YES then doxygen will sort the 
-# hierarchy of group names into alphabetical order. If set to NO (the default) 
+# If the SORT_GROUP_NAMES tag is set to YES then doxygen will sort the
+# hierarchy of group names into alphabetical order. If set to NO (the default)
 # the group names will appear in their defined order.
 
 SORT_GROUP_NAMES       = NO
 
-# If the SORT_BY_SCOPE_NAME tag is set to YES, the class list will be 
-# sorted by fully-qualified names, including namespaces. If set to 
-# NO (the default), the class list will be sorted only by class name, 
-# not including the namespace part. 
+# If the SORT_BY_SCOPE_NAME tag is set to YES, the class list will be
+# sorted by fully-qualified names, including namespaces. If set to
+# NO (the default), the class list will be sorted only by class name,
+# not including the namespace part.
 # Note: This option is not very useful if HIDE_SCOPE_NAMES is set to YES.
-# Note: This option applies only to the class list, not to the 
+# Note: This option applies only to the class list, not to the
 # alphabetical list.
 
 SORT_BY_SCOPE_NAME     = NO
 
-# The GENERATE_TODOLIST tag can be used to enable (YES) or 
-# disable (NO) the todo list. This list is created by putting \todo 
+# The GENERATE_TODOLIST tag can be used to enable (YES) or
+# disable (NO) the todo list. This list is created by putting \todo
 # commands in the documentation.
 
 GENERATE_TODOLIST      = NO
 
-# The GENERATE_TESTLIST tag can be used to enable (YES) or 
-# disable (NO) the test list. This list is created by putting \test 
+# The GENERATE_TESTLIST tag can be used to enable (YES) or
+# disable (NO) the test list. This list is created by putting \test
 # commands in the documentation.
 
 GENERATE_TESTLIST      = NO
 
-# The GENERATE_BUGLIST tag can be used to enable (YES) or 
-# disable (NO) the bug list. This list is created by putting \bug 
+# The GENERATE_BUGLIST tag can be used to enable (YES) or
+# disable (NO) the bug list. This list is created by putting \bug
 # commands in the documentation.
 
 GENERATE_BUGLIST       = NO
 
-# The GENERATE_DEPRECATEDLIST tag can be used to enable (YES) or 
-# disable (NO) the deprecated list. This list is created by putting 
+# The GENERATE_DEPRECATEDLIST tag can be used to enable (YES) or
+# disable (NO) the deprecated list. This list is created by putting
 # \deprecated commands in the documentation.
 
 GENERATE_DEPRECATEDLIST= NO
 
-# The ENABLED_SECTIONS tag can be used to enable conditional 
+# The ENABLED_SECTIONS tag can be used to enable conditional
 # documentation sections, marked by \if sectionname ... \endif.
 
-ENABLED_SECTIONS       = 
+ENABLED_SECTIONS       =
 
-# The MAX_INITIALIZER_LINES tag determines the maximum number of lines 
-# the initial value of a variable or define consists of for it to appear in 
-# the documentation. If the initializer consists of more lines than specified 
-# here it will be hidden. Use a value of 0 to hide initializers completely. 
-# The appearance of the initializer of individual variables and defines in the 
-# documentation can be controlled using \showinitializer or \hideinitializer 
+# The MAX_INITIALIZER_LINES tag determines the maximum number of lines
+# the initial value of a variable or define consists of for it to appear in
+# the documentation. If the initializer consists of more lines than specified
+# here it will be hidden. Use a value of 0 to hide initializers completely.
+# The appearance of the initializer of individual variables and defines in the
+# documentation can be controlled using \showinitializer or \hideinitializer
 # command in the documentation regardless of this setting.
 
 MAX_INITIALIZER_LINES  = 30
 
-# Set the SHOW_USED_FILES tag to NO to disable the list of files generated 
-# at the bottom of the documentation of classes and structs. If set to YES the 
+# Set the SHOW_USED_FILES tag to NO to disable the list of files generated
+# at the bottom of the documentation of classes and structs. If set to YES the
 # list will mention the files that were used to generate the documentation.
 
 SHOW_USED_FILES        = NO
 
-# If the sources in your project are distributed over multiple directories 
-# then setting the SHOW_DIRECTORIES tag to YES will show the directory hierarchy 
+# If the sources in your project are distributed over multiple directories
+# then setting the SHOW_DIRECTORIES tag to YES will show the directory hierarchy
 # in the documentation. The default is NO.
 
 SHOW_DIRECTORIES       = YES
 
 # Set the SHOW_FILES tag to NO to disable the generation of the Files page.
-# This will remove the Files entry from the Quick Index and from the 
+# This will remove the Files entry from the Quick Index and from the
 # Folder Tree View (if specified). The default is YES.
 
 SHOW_FILES             = NO
 
-# Set the SHOW_NAMESPACES tag to NO to disable the generation of the 
+# Set the SHOW_NAMESPACES tag to NO to disable the generation of the
 # Namespaces page.  This will remove the Namespaces entry from the Quick Index
 # and from the Folder Tree View (if specified). The default is YES.
 
 SHOW_NAMESPACES        = YES
 
-# The FILE_VERSION_FILTER tag can be used to specify a program or script that 
-# doxygen should invoke to get the current version for each file (typically from 
-# the version control system). Doxygen will invoke the program by executing (via 
-# popen()) the command <command> <input-file>, where <command> is the value of 
-# the FILE_VERSION_FILTER tag, and <input-file> is the name of an input file 
-# provided by doxygen. Whatever the program writes to standard output 
+# The FILE_VERSION_FILTER tag can be used to specify a program or script that
+# doxygen should invoke to get the current version for each file (typically from
+# the version control system). Doxygen will invoke the program by executing (via
+# popen()) the command <command> <input-file>, where <command> is the value of
+# the FILE_VERSION_FILTER tag, and <input-file> is the name of an input file
+# provided by doxygen. Whatever the program writes to standard output
 # is used as the file version. See the manual for examples.
 
-FILE_VERSION_FILTER    = 
+FILE_VERSION_FILTER    =
 
 #---------------------------------------------------------------------------
 # configuration options related to warning and progress messages
 #---------------------------------------------------------------------------
 
-# The QUIET tag can be used to turn on/off the messages that are generated 
+# The QUIET tag can be used to turn on/off the messages that are generated
 # by doxygen. Possible values are YES and NO. If left blank NO is used.
 
 QUIET                  = NO
 
-# The WARNINGS tag can be used to turn on/off the warning messages that are 
-# generated by doxygen. Possible values are YES and NO. If left blank 
+# The WARNINGS tag can be used to turn on/off the warning messages that are
+# generated by doxygen. Possible values are YES and NO. If left blank
 # NO is used.
 
 WARNINGS               = YES
 
-# If WARN_IF_UNDOCUMENTED is set to YES, then doxygen will generate warnings 
-# for undocumented members. If EXTRACT_ALL is set to YES then this flag will 
+# If WARN_IF_UNDOCUMENTED is set to YES, then doxygen will generate warnings
+# for undocumented members. If EXTRACT_ALL is set to YES then this flag will
 # automatically be disabled.
 
 WARN_IF_UNDOCUMENTED   = NO
 
-# If WARN_IF_DOC_ERROR is set to YES, doxygen will generate warnings for 
-# potential errors in the documentation, such as not documenting some 
-# parameters in a documented function, or documenting parameters that 
+# If WARN_IF_DOC_ERROR is set to YES, doxygen will generate warnings for
+# potential errors in the documentation, such as not documenting some
+# parameters in a documented function, or documenting parameters that
 # don't exist or using markup commands wrongly.
 
 WARN_IF_DOC_ERROR      = YES
 
-# This WARN_NO_PARAMDOC option can be abled to get warnings for 
-# functions that are documented, but have no documentation for their parameters 
-# or return value. If set to NO (the default) doxygen will only warn about 
-# wrong or incomplete parameter documentation, but not about the absence of 
+# This WARN_NO_PARAMDOC option can be abled to get warnings for
+# functions that are documented, but have no documentation for their parameters
+# or return value. If set to NO (the default) doxygen will only warn about
+# wrong or incomplete parameter documentation, but not about the absence of
 # documentation.
 
 WARN_NO_PARAMDOC       = NO
 
-# The WARN_FORMAT tag determines the format of the warning messages that 
-# doxygen can produce. The string should contain the $file, $line, and $text 
-# tags, which will be replaced by the file and line number from which the 
-# warning originated and the warning text. Optionally the format may contain 
-# $version, which will be replaced by the version of the file (if it could 
+# The WARN_FORMAT tag determines the format of the warning messages that
+# doxygen can produce. The string should contain the $file, $line, and $text
+# tags, which will be replaced by the file and line number from which the
+# warning originated and the warning text. Optionally the format may contain
+# $version, which will be replaced by the version of the file (if it could
 # be obtained via FILE_VERSION_FILTER)
 
 WARN_FORMAT            = "$file:$line: $text"
 
-# The WARN_LOGFILE tag can be used to specify a file to which warning 
-# and error messages should be written. If left blank the output is written 
+# The WARN_LOGFILE tag can be used to specify a file to which warning
+# and error messages should be written. If left blank the output is written
 # to stderr.
 
-WARN_LOGFILE           = 
+WARN_LOGFILE           =
 
 #---------------------------------------------------------------------------
 # configuration options related to the input files
 #---------------------------------------------------------------------------
 
-# The INPUT tag can be used to specify the files and/or directories that contain 
-# documented source files. You may enter file names like "myfile.cpp" or 
-# directories like "/usr/src/myproject". Separate the files or directories 
+# The INPUT tag can be used to specify the files and/or directories that contain
+# documented source files. You may enter file names like "myfile.cpp" or
+# directories like "/usr/src/myproject". Separate the files or directories
 # with spaces.
 
-INPUT                  = src/libstrongswan \
-                         src/charon \
-                         src/libfast \
-                         src/manager
+INPUT                  = @SRC_DIR@/src/libstrongswan \
+                         @SRC_DIR@/src/charon \
+                         @SRC_DIR@/src/libsimaka \
+                         @SRC_DIR@/src/libfast \
+                         @SRC_DIR@/src/manager
 
-# This tag can be used to specify the character encoding of the source files 
-# that doxygen parses. Internally doxygen uses the UTF-8 encoding, which is 
-# also the default input encoding. Doxygen uses libiconv (or the iconv built 
-# into libc) for the transcoding. See http://www.gnu.org/software/libiconv for 
+# This tag can be used to specify the character encoding of the source files
+# that doxygen parses. Internally doxygen uses the UTF-8 encoding, which is
+# also the default input encoding. Doxygen uses libiconv (or the iconv built
+# into libc) for the transcoding. See http://www.gnu.org/software/libiconv for
 # the list of possible encodings.
 
 INPUT_ENCODING         = UTF-8
 
-# If the value of the INPUT tag contains directories, you can use the 
-# FILE_PATTERNS tag to specify one or more wildcard pattern (like *.cpp 
-# and *.h) to filter out the source-files in the directories. If left 
-# blank the following patterns are tested: 
-# *.c *.cc *.cxx *.cpp *.c++ *.java *.ii *.ixx *.ipp *.i++ *.inl *.h *.hh *.hxx 
+# If the value of the INPUT tag contains directories, you can use the
+# FILE_PATTERNS tag to specify one or more wildcard pattern (like *.cpp
+# and *.h) to filter out the source-files in the directories. If left
+# blank the following patterns are tested:
+# *.c *.cc *.cxx *.cpp *.c++ *.java *.ii *.ixx *.ipp *.i++ *.inl *.h *.hh *.hxx
 # *.hpp *.h++ *.idl *.odl *.cs *.php *.php3 *.inc *.m *.mm *.py *.f90
 
 FILE_PATTERNS          = *.h
 
-# The RECURSIVE tag can be used to turn specify whether or not subdirectories 
-# should be searched for input files as well. Possible values are YES and NO. 
+# The RECURSIVE tag can be used to turn specify whether or not subdirectories
+# should be searched for input files as well. Possible values are YES and NO.
 # If left blank NO is used.
 
 RECURSIVE              = YES
 
-# The EXCLUDE tag can be used to specify files and/or directories that should 
-# excluded from the INPUT source files. This way you can easily exclude a 
+# The EXCLUDE tag can be used to specify files and/or directories that should
+# excluded from the INPUT source files. This way you can easily exclude a
 # subdirectory from a directory tree whose root is specified with the INPUT tag.
 
-EXCLUDE                = 
+EXCLUDE                =
 
-# The EXCLUDE_SYMLINKS tag can be used select whether or not files or 
-# directories that are symbolic links (a Unix filesystem feature) are excluded 
+# The EXCLUDE_SYMLINKS tag can be used select whether or not files or
+# directories that are symbolic links (a Unix filesystem feature) are excluded
 # from the input.
 
 EXCLUDE_SYMLINKS       = NO
 
-# If the value of the INPUT tag contains directories, you can use the 
-# EXCLUDE_PATTERNS tag to specify one or more wildcard patterns to exclude 
-# certain files from those directories. Note that the wildcards are matched 
-# against the file with absolute path, so to exclude all test directories 
+# If the value of the INPUT tag contains directories, you can use the
+# EXCLUDE_PATTERNS tag to specify one or more wildcard patterns to exclude
+# certain files from those directories. Note that the wildcards are matched
+# against the file with absolute path, so to exclude all test directories
 # for example use the pattern */test/*
 
 EXCLUDE_PATTERNS       = */.svn/*
 
-# The EXCLUDE_SYMBOLS tag can be used to specify one or more symbol names 
-# (namespaces, classes, functions, etc.) that should be excluded from the 
-# output. The symbol name can be a fully qualified name, a word, or if the 
-# wildcard * is used, a substring. Examples: ANamespace, AClass, 
+# The EXCLUDE_SYMBOLS tag can be used to specify one or more symbol names
+# (namespaces, classes, functions, etc.) that should be excluded from the
+# output. The symbol name can be a fully qualified name, a word, or if the
+# wildcard * is used, a substring. Examples: ANamespace, AClass,
 # AClass::ANamespace, ANamespace::*Test
 
-EXCLUDE_SYMBOLS        = 
+EXCLUDE_SYMBOLS        =
 
-# The EXAMPLE_PATH tag can be used to specify one or more files or 
-# directories that contain example code fragments that are included (see 
+# The EXAMPLE_PATH tag can be used to specify one or more files or
+# directories that contain example code fragments that are included (see
 # the \include command).
 
-EXAMPLE_PATH           = 
+EXAMPLE_PATH           =
 
-# If the value of the EXAMPLE_PATH tag contains directories, you can use the 
-# EXAMPLE_PATTERNS tag to specify one or more wildcard pattern (like *.cpp 
-# and *.h) to filter out the source-files in the directories. If left 
+# If the value of the EXAMPLE_PATH tag contains directories, you can use the
+# EXAMPLE_PATTERNS tag to specify one or more wildcard pattern (like *.cpp
+# and *.h) to filter out the source-files in the directories. If left
 # blank all files are included.
 
-EXAMPLE_PATTERNS       = 
+EXAMPLE_PATTERNS       =
 
-# If the EXAMPLE_RECURSIVE tag is set to YES then subdirectories will be 
-# searched for input files to be used with the \include or \dontinclude 
-# commands irrespective of the value of the RECURSIVE tag. 
+# If the EXAMPLE_RECURSIVE tag is set to YES then subdirectories will be
+# searched for input files to be used with the \include or \dontinclude
+# commands irrespective of the value of the RECURSIVE tag.
 # Possible values are YES and NO. If left blank NO is used.
 
 EXAMPLE_RECURSIVE      = NO
 
-# The IMAGE_PATH tag can be used to specify one or more files or 
-# directories that contain image that are included in the documentation (see 
+# The IMAGE_PATH tag can be used to specify one or more files or
+# directories that contain image that are included in the documentation (see
 # the \image command).
 
-IMAGE_PATH             = 
+IMAGE_PATH             =
 
-# The INPUT_FILTER tag can be used to specify a program that doxygen should 
-# invoke to filter for each input file. Doxygen will invoke the filter program 
-# by executing (via popen()) the command <filter> <input-file>, where <filter> 
-# is the value of the INPUT_FILTER tag, and <input-file> is the name of an 
-# input file. Doxygen will then use the output that the filter program writes 
-# to standard output.  If FILTER_PATTERNS is specified, this tag will be 
+# The INPUT_FILTER tag can be used to specify a program that doxygen should
+# invoke to filter for each input file. Doxygen will invoke the filter program
+# by executing (via popen()) the command <filter> <input-file>, where <filter>
+# is the value of the INPUT_FILTER tag, and <input-file> is the name of an
+# input file. Doxygen will then use the output that the filter program writes
+# to standard output.  If FILTER_PATTERNS is specified, this tag will be
 # ignored.
 
-INPUT_FILTER           = 
+INPUT_FILTER           =
 
-# The FILTER_PATTERNS tag can be used to specify filters on a per file pattern 
-# basis.  Doxygen will compare the file name with each pattern and apply the 
-# filter if there is a match.  The filters are a list of the form: 
-# pattern=filter (like *.cpp=my_cpp_filter). See INPUT_FILTER for further 
-# info on how filters are used. If FILTER_PATTERNS is empty, INPUT_FILTER 
+# The FILTER_PATTERNS tag can be used to specify filters on a per file pattern
+# basis.  Doxygen will compare the file name with each pattern and apply the
+# filter if there is a match.  The filters are a list of the form:
+# pattern=filter (like *.cpp=my_cpp_filter). See INPUT_FILTER for further
+# info on how filters are used. If FILTER_PATTERNS is empty, INPUT_FILTER
 # is applied to all files.
 
-FILTER_PATTERNS        = 
+FILTER_PATTERNS        =
 
-# If the FILTER_SOURCE_FILES tag is set to YES, the input filter (if set using 
-# INPUT_FILTER) will be used to filter the input files when producing source 
+# If the FILTER_SOURCE_FILES tag is set to YES, the input filter (if set using
+# INPUT_FILTER) will be used to filter the input files when producing source
 # files to browse (i.e. when SOURCE_BROWSER is set to YES).
 
 FILTER_SOURCE_FILES    = NO
@@ -645,32 +639,32 @@ FILTER_SOURCE_FILES    = NO
 # configuration options related to source browsing
 #---------------------------------------------------------------------------
 
-# If the SOURCE_BROWSER tag is set to YES then a list of source files will 
-# be generated. Documented entities will be cross-referenced with these sources. 
-# Note: To get rid of all source code in the generated output, make sure also 
+# If the SOURCE_BROWSER tag is set to YES then a list of source files will
+# be generated. Documented entities will be cross-referenced with these sources.
+# Note: To get rid of all source code in the generated output, make sure also
 # VERBATIM_HEADERS is set to NO.
 
 SOURCE_BROWSER         = NO
 
-# Setting the INLINE_SOURCES tag to YES will include the body 
+# Setting the INLINE_SOURCES tag to YES will include the body
 # of functions and classes directly in the documentation.
 
 INLINE_SOURCES         = NO
 
-# Setting the STRIP_CODE_COMMENTS tag to YES (the default) will instruct 
-# doxygen to hide any special comment blocks from generated source code 
+# Setting the STRIP_CODE_COMMENTS tag to YES (the default) will instruct
+# doxygen to hide any special comment blocks from generated source code
 # fragments. Normal C and C++ comments will always remain visible.
 
 STRIP_CODE_COMMENTS    = NO
 
-# If the REFERENCED_BY_RELATION tag is set to YES 
-# then for each documented function all documented 
+# If the REFERENCED_BY_RELATION tag is set to YES
+# then for each documented function all documented
 # functions referencing it will be listed.
 
 REFERENCED_BY_RELATION = NO
 
-# If the REFERENCES_RELATION tag is set to YES 
-# then for each documented function all documented entities 
+# If the REFERENCES_RELATION tag is set to YES
+# then for each documented function all documented entities
 # called/used by that function will be listed.
 
 REFERENCES_RELATION    = NO
@@ -682,16 +676,16 @@ REFERENCES_RELATION    = NO
 
 REFERENCES_LINK_SOURCE = YES
 
-# If the USE_HTAGS tag is set to YES then the references to source code 
-# will point to the HTML generated by the htags(1) tool instead of doxygen 
-# built-in source browser. The htags tool is part of GNU's global source 
-# tagging system (see http://www.gnu.org/software/global/global.html). You 
+# If the USE_HTAGS tag is set to YES then the references to source code
+# will point to the HTML generated by the htags(1) tool instead of doxygen
+# built-in source browser. The htags tool is part of GNU's global source
+# tagging system (see http://www.gnu.org/software/global/global.html). You
 # will need version 4.8.6 or higher.
 
 USE_HTAGS              = NO
 
-# If the VERBATIM_HEADERS tag is set to YES (the default) then Doxygen 
-# will generate a verbatim copy of the header file for each class for 
+# If the VERBATIM_HEADERS tag is set to YES (the default) then Doxygen
+# will generate a verbatim copy of the header file for each class for
 # which an include is specified. Set to NO to disable this.
 
 VERBATIM_HEADERS       = YES
@@ -700,129 +694,129 @@ VERBATIM_HEADERS       = YES
 # configuration options related to the alphabetical class index
 #---------------------------------------------------------------------------
 
-# If the ALPHABETICAL_INDEX tag is set to YES, an alphabetical index 
-# of all compounds will be generated. Enable this if the project 
+# If the ALPHABETICAL_INDEX tag is set to YES, an alphabetical index
+# of all compounds will be generated. Enable this if the project
 # contains a lot of classes, structs, unions or interfaces.
 
 ALPHABETICAL_INDEX     = NO
 
-# If the alphabetical index is enabled (see ALPHABETICAL_INDEX) then 
-# the COLS_IN_ALPHA_INDEX tag can be used to specify the number of columns 
+# If the alphabetical index is enabled (see ALPHABETICAL_INDEX) then
+# the COLS_IN_ALPHA_INDEX tag can be used to specify the number of columns
 # in which this list will be split (can be a number in the range [1..20])
 
 COLS_IN_ALPHA_INDEX    = 5
 
-# In case all classes in a project start with a common prefix, all 
-# classes will be put under the same header in the alphabetical index. 
-# The IGNORE_PREFIX tag can be used to specify one or more prefixes that 
+# In case all classes in a project start with a common prefix, all
+# classes will be put under the same header in the alphabetical index.
+# The IGNORE_PREFIX tag can be used to specify one or more prefixes that
 # should be ignored while generating the index headers.
 
-IGNORE_PREFIX          = 
+IGNORE_PREFIX          =
 
 #---------------------------------------------------------------------------
 # configuration options related to the HTML output
 #---------------------------------------------------------------------------
 
-# If the GENERATE_HTML tag is set to YES (the default) Doxygen will 
+# If the GENERATE_HTML tag is set to YES (the default) Doxygen will
 # generate HTML output.
 
 GENERATE_HTML          = YES
 
-# The HTML_OUTPUT tag is used to specify where the HTML docs will be put. 
-# If a relative path is entered the value of OUTPUT_DIRECTORY will be 
+# The HTML_OUTPUT tag is used to specify where the HTML docs will be put.
+# If a relative path is entered the value of OUTPUT_DIRECTORY will be
 # put in front of it. If left blank `html' will be used as the default path.
 
 HTML_OUTPUT            = .
 
-# The HTML_FILE_EXTENSION tag can be used to specify the file extension for 
-# each generated HTML page (for example: .htm,.php,.asp). If it is left blank 
+# The HTML_FILE_EXTENSION tag can be used to specify the file extension for
+# each generated HTML page (for example: .htm,.php,.asp). If it is left blank
 # doxygen will generate files with .html extension.
 
 HTML_FILE_EXTENSION    = .html
 
-# The HTML_HEADER tag can be used to specify a personal HTML header for 
-# each generated HTML page. If it is left blank doxygen will generate a 
+# The HTML_HEADER tag can be used to specify a personal HTML header for
+# each generated HTML page. If it is left blank doxygen will generate a
 # standard header.
 
-HTML_HEADER            = 
+HTML_HEADER            =
 
-# The HTML_FOOTER tag can be used to specify a personal HTML footer for 
-# each generated HTML page. If it is left blank doxygen will generate a 
+# The HTML_FOOTER tag can be used to specify a personal HTML footer for
+# each generated HTML page. If it is left blank doxygen will generate a
 # standard footer.
 
-HTML_FOOTER            = 
+HTML_FOOTER            =
 
-# The HTML_STYLESHEET tag can be used to specify a user-defined cascading 
-# style sheet that is used by each HTML page. It can be used to 
-# fine-tune the look of the HTML output. If the tag is left blank doxygen 
-# will generate a default style sheet. Note that doxygen will try to copy 
-# the style sheet file to the HTML output directory, so don't put your own 
+# The HTML_STYLESHEET tag can be used to specify a user-defined cascading
+# style sheet that is used by each HTML page. It can be used to
+# fine-tune the look of the HTML output. If the tag is left blank doxygen
+# will generate a default style sheet. Note that doxygen will try to copy
+# the style sheet file to the HTML output directory, so don't put your own
 # stylesheet in the HTML output directory as well, or it will be erased!
 
-HTML_STYLESHEET        = 
+HTML_STYLESHEET        =
 
-# If the HTML_ALIGN_MEMBERS tag is set to YES, the members of classes, 
-# files or namespaces will be aligned in HTML using tables. If set to 
+# If the HTML_ALIGN_MEMBERS tag is set to YES, the members of classes,
+# files or namespaces will be aligned in HTML using tables. If set to
 # NO a bullet list will be used.
 
 HTML_ALIGN_MEMBERS     = YES
 
-# If the GENERATE_HTMLHELP tag is set to YES, additional index files 
-# will be generated that can be used as input for tools like the 
-# Microsoft HTML help workshop to generate a compiled HTML help file (.chm) 
+# If the GENERATE_HTMLHELP tag is set to YES, additional index files
+# will be generated that can be used as input for tools like the
+# Microsoft HTML help workshop to generate a compiled HTML help file (.chm)
 # of the generated HTML documentation.
 
 GENERATE_HTMLHELP      = NO
 
-# If the GENERATE_DOCSET tag is set to YES, additional index files 
-# will be generated that can be used as input for Apple's Xcode 3 
-# integrated development environment, introduced with OSX 10.5 (Leopard). 
-# To create a documentation set, doxygen will generate a Makefile in the 
-# HTML output directory. Running make will produce the docset in that 
-# directory and running "make install" will install the docset in 
-# ~/Library/Developer/Shared/Documentation/DocSets so that Xcode will find 
+# If the GENERATE_DOCSET tag is set to YES, additional index files
+# will be generated that can be used as input for Apple's Xcode 3
+# integrated development environment, introduced with OSX 10.5 (Leopard).
+# To create a documentation set, doxygen will generate a Makefile in the
+# HTML output directory. Running make will produce the docset in that
+# directory and running "make install" will install the docset in
+# ~/Library/Developer/Shared/Documentation/DocSets so that Xcode will find
 # it at startup.
 
 GENERATE_DOCSET        = NO
 
-# When GENERATE_DOCSET tag is set to YES, this tag determines the name of the 
-# feed. A documentation feed provides an umbrella under which multiple 
-# documentation sets from a single provider (such as a company or product suite) 
+# When GENERATE_DOCSET tag is set to YES, this tag determines the name of the
+# feed. A documentation feed provides an umbrella under which multiple
+# documentation sets from a single provider (such as a company or product suite)
 # can be grouped.
 
 DOCSET_FEEDNAME        = "Doxygen generated docs"
 
-# When GENERATE_DOCSET tag is set to YES, this tag specifies a string that 
-# should uniquely identify the documentation set bundle. This should be a 
-# reverse domain-name style string, e.g. com.mycompany.MyDocSet. Doxygen 
+# When GENERATE_DOCSET tag is set to YES, this tag specifies a string that
+# should uniquely identify the documentation set bundle. This should be a
+# reverse domain-name style string, e.g. com.mycompany.MyDocSet. Doxygen
 # will append .docset to the name.
 
 DOCSET_BUNDLE_ID       = org.doxygen.Project
 
-# If the HTML_DYNAMIC_SECTIONS tag is set to YES then the generated HTML 
-# documentation will contain sections that can be hidden and shown after the 
-# page has loaded. For this to work a browser that supports 
-# JavaScript and DHTML is required (for instance Mozilla 1.0+, Firefox 
+# If the HTML_DYNAMIC_SECTIONS tag is set to YES then the generated HTML
+# documentation will contain sections that can be hidden and shown after the
+# page has loaded. For this to work a browser that supports
+# JavaScript and DHTML is required (for instance Mozilla 1.0+, Firefox
 # Netscape 6.0+, Internet explorer 5.0+, Konqueror, or Safari).
 
 HTML_DYNAMIC_SECTIONS  = NO
 
-# If the GENERATE_HTMLHELP tag is set to YES, the CHM_FILE tag can 
-# be used to specify the file name of the resulting .chm file. You 
-# can add a path in front of the file if the result should not be 
+# If the GENERATE_HTMLHELP tag is set to YES, the CHM_FILE tag can
+# be used to specify the file name of the resulting .chm file. You
+# can add a path in front of the file if the result should not be
 # written to the html output directory.
 
-CHM_FILE               = 
+CHM_FILE               =
 
-# If the GENERATE_HTMLHELP tag is set to YES, the HHC_LOCATION tag can 
-# be used to specify the location (absolute path including file name) of 
-# the HTML help compiler (hhc.exe). If non-empty doxygen will try to run 
+# If the GENERATE_HTMLHELP tag is set to YES, the HHC_LOCATION tag can
+# be used to specify the location (absolute path including file name) of
+# the HTML help compiler (hhc.exe). If non-empty doxygen will try to run
 # the HTML help compiler on the generated index.hhp.
 
-HHC_LOCATION           = 
+HHC_LOCATION           =
 
-# If the GENERATE_HTMLHELP tag is set to YES, the GENERATE_CHI flag 
-# controls if a separate .chi index file is generated (YES) or that 
+# If the GENERATE_HTMLHELP tag is set to YES, the GENERATE_CHI flag
+# controls if a separate .chi index file is generated (YES) or that
 # it should be included in the master .chm file (NO).
 
 GENERATE_CHI           = NO
@@ -831,26 +825,26 @@ GENERATE_CHI           = NO
 # is used to encode HtmlHelp index (hhk), content (hhc) and project file
 # content.
 
-CHM_INDEX_ENCODING     = 
+CHM_INDEX_ENCODING     =
 
-# If the GENERATE_HTMLHELP tag is set to YES, the BINARY_TOC flag 
-# controls whether a binary table of contents is generated (YES) or a 
+# If the GENERATE_HTMLHELP tag is set to YES, the BINARY_TOC flag
+# controls whether a binary table of contents is generated (YES) or a
 # normal table of contents (NO) in the .chm file.
 
 BINARY_TOC             = NO
 
-# The TOC_EXPAND flag can be set to YES to add extra items for group members 
+# The TOC_EXPAND flag can be set to YES to add extra items for group members
 # to the contents of the HTML help documentation and to the tree view.
 
 TOC_EXPAND             = NO
 
-# The DISABLE_INDEX tag can be used to turn on/off the condensed index at 
-# top of each HTML page. The value NO (the default) enables the index and 
+# The DISABLE_INDEX tag can be used to turn on/off the condensed index at
+# top of each HTML page. The value NO (the default) enables the index and
 # the value YES disables it.
 
 DISABLE_INDEX          = YES
 
-# This tag can be used to set the number of enum values (range [1..20]) 
+# This tag can be used to set the number of enum values (range [1..20])
 # that doxygen will group on one line in the generated HTML documentation.
 
 ENUM_VALUES_PER_LINE   = 1
@@ -858,11 +852,11 @@ ENUM_VALUES_PER_LINE   = 1
 # The GENERATE_TREEVIEW tag is used to specify whether a tree-like index
 # structure should be generated to display hierarchical information.
 # If the tag value is set to FRAME, a side panel will be generated
-# containing a tree-like index structure (just like the one that 
-# is generated for HTML Help). For this to work a browser that supports 
-# JavaScript, DHTML, CSS and frames is required (for instance Mozilla 1.0+, 
-# Netscape 6.0+, Internet explorer 5.0+, or Konqueror). Windows users are 
-# probably better off using the HTML help feature. Other possible values 
+# containing a tree-like index structure (just like the one that
+# is generated for HTML Help). For this to work a browser that supports
+# JavaScript, DHTML, CSS and frames is required (for instance Mozilla 1.0+,
+# Netscape 6.0+, Internet explorer 5.0+, or Konqueror). Windows users are
+# probably better off using the HTML help feature. Other possible values
 # for this tag are: HIERARCHIES, which will generate the Groups, Directories,
 # and Class Hiererachy pages using a tree view instead of an ordered list;
 # ALL, which combines the behavior of FRAME and HIERARCHIES; and NONE, which
@@ -872,16 +866,16 @@ ENUM_VALUES_PER_LINE   = 1
 
 GENERATE_TREEVIEW      = YES
 
-# If the treeview is enabled (see GENERATE_TREEVIEW) then this tag can be 
-# used to set the initial width (in pixels) of the frame in which the tree 
+# If the treeview is enabled (see GENERATE_TREEVIEW) then this tag can be
+# used to set the initial width (in pixels) of the frame in which the tree
 # is shown.
 
 TREEVIEW_WIDTH         = 250
 
-# Use this tag to change the font size of Latex formulas included 
-# as images in the HTML documentation. The default is 10. Note that 
-# when you change the font size after a successful doxygen run you need 
-# to manually remove any form_*.png images from the HTML output directory 
+# Use this tag to change the font size of Latex formulas included
+# as images in the HTML documentation. The default is 10. Note that
+# when you change the font size after a successful doxygen run you need
+# to manually remove any form_*.png images from the HTML output directory
 # to force them to be regenerated.
 
 FORMULA_FONTSIZE       = 10
@@ -890,74 +884,74 @@ FORMULA_FONTSIZE       = 10
 # configuration options related to the LaTeX output
 #---------------------------------------------------------------------------
 
-# If the GENERATE_LATEX tag is set to YES (the default) Doxygen will 
+# If the GENERATE_LATEX tag is set to YES (the default) Doxygen will
 # generate Latex output.
 
 GENERATE_LATEX         = NO
 
-# The LATEX_OUTPUT tag is used to specify where the LaTeX docs will be put. 
-# If a relative path is entered the value of OUTPUT_DIRECTORY will be 
+# The LATEX_OUTPUT tag is used to specify where the LaTeX docs will be put.
+# If a relative path is entered the value of OUTPUT_DIRECTORY will be
 # put in front of it. If left blank `latex' will be used as the default path.
 
 LATEX_OUTPUT           = latex
 
-# The LATEX_CMD_NAME tag can be used to specify the LaTeX command name to be 
+# The LATEX_CMD_NAME tag can be used to specify the LaTeX command name to be
 # invoked. If left blank `latex' will be used as the default command name.
 
 LATEX_CMD_NAME         = latex
 
-# The MAKEINDEX_CMD_NAME tag can be used to specify the command name to 
-# generate index for LaTeX. If left blank `makeindex' will be used as the 
+# The MAKEINDEX_CMD_NAME tag can be used to specify the command name to
+# generate index for LaTeX. If left blank `makeindex' will be used as the
 # default command name.
 
 MAKEINDEX_CMD_NAME     = makeindex
 
-# If the COMPACT_LATEX tag is set to YES Doxygen generates more compact 
-# LaTeX documents. This may be useful for small projects and may help to 
+# If the COMPACT_LATEX tag is set to YES Doxygen generates more compact
+# LaTeX documents. This may be useful for small projects and may help to
 # save some trees in general.
 
 COMPACT_LATEX          = NO
 
-# The PAPER_TYPE tag can be used to set the paper type that is used 
-# by the printer. Possible values are: a4, a4wide, letter, legal and 
+# The PAPER_TYPE tag can be used to set the paper type that is used
+# by the printer. Possible values are: a4, a4wide, letter, legal and
 # executive. If left blank a4wide will be used.
 
 PAPER_TYPE             = a4wide
 
-# The EXTRA_PACKAGES tag can be to specify one or more names of LaTeX 
+# The EXTRA_PACKAGES tag can be to specify one or more names of LaTeX
 # packages that should be included in the LaTeX output.
 
-EXTRA_PACKAGES         = 
+EXTRA_PACKAGES         =
 
-# The LATEX_HEADER tag can be used to specify a personal LaTeX header for 
-# the generated latex document. The header should contain everything until 
-# the first chapter. If it is left blank doxygen will generate a 
+# The LATEX_HEADER tag can be used to specify a personal LaTeX header for
+# the generated latex document. The header should contain everything until
+# the first chapter. If it is left blank doxygen will generate a
 # standard header. Notice: only use this tag if you know what you are doing!
 
-LATEX_HEADER           = 
+LATEX_HEADER           =
 
-# If the PDF_HYPERLINKS tag is set to YES, the LaTeX that is generated 
-# is prepared for conversion to pdf (using ps2pdf). The pdf file will 
-# contain links (just like the HTML output) instead of page references 
+# If the PDF_HYPERLINKS tag is set to YES, the LaTeX that is generated
+# is prepared for conversion to pdf (using ps2pdf). The pdf file will
+# contain links (just like the HTML output) instead of page references
 # This makes the output suitable for online browsing using a pdf viewer.
 
 PDF_HYPERLINKS         = NO
 
-# If the USE_PDFLATEX tag is set to YES, pdflatex will be used instead of 
-# plain latex in the generated Makefile. Set this option to YES to get a 
+# If the USE_PDFLATEX tag is set to YES, pdflatex will be used instead of
+# plain latex in the generated Makefile. Set this option to YES to get a
 # higher quality PDF documentation.
 
 USE_PDFLATEX           = NO
 
-# If the LATEX_BATCHMODE tag is set to YES, doxygen will add the \\batchmode. 
-# command to the generated LaTeX files. This will instruct LaTeX to keep 
-# running if errors occur, instead of asking the user for help. 
+# If the LATEX_BATCHMODE tag is set to YES, doxygen will add the \\batchmode.
+# command to the generated LaTeX files. This will instruct LaTeX to keep
+# running if errors occur, instead of asking the user for help.
 # This option is also used when generating formulas in HTML.
 
 LATEX_BATCHMODE        = NO
 
-# If LATEX_HIDE_INDICES is set to YES then doxygen will not 
-# include the index chapters (such as File Index, Compound Index, etc.) 
+# If LATEX_HIDE_INDICES is set to YES then doxygen will not
+# include the index chapters (such as File Index, Compound Index, etc.)
 # in the output.
 
 LATEX_HIDE_INDICES     = NO
@@ -966,68 +960,68 @@ LATEX_HIDE_INDICES     = NO
 # configuration options related to the RTF output
 #---------------------------------------------------------------------------
 
-# If the GENERATE_RTF tag is set to YES Doxygen will generate RTF output 
-# The RTF output is optimized for Word 97 and may not look very pretty with 
+# If the GENERATE_RTF tag is set to YES Doxygen will generate RTF output
+# The RTF output is optimized for Word 97 and may not look very pretty with
 # other RTF readers or editors.
 
 GENERATE_RTF           = NO
 
-# The RTF_OUTPUT tag is used to specify where the RTF docs will be put. 
-# If a relative path is entered the value of OUTPUT_DIRECTORY will be 
+# The RTF_OUTPUT tag is used to specify where the RTF docs will be put.
+# If a relative path is entered the value of OUTPUT_DIRECTORY will be
 # put in front of it. If left blank `rtf' will be used as the default path.
 
 RTF_OUTPUT             = rtf
 
-# If the COMPACT_RTF tag is set to YES Doxygen generates more compact 
-# RTF documents. This may be useful for small projects and may help to 
+# If the COMPACT_RTF tag is set to YES Doxygen generates more compact
+# RTF documents. This may be useful for small projects and may help to
 # save some trees in general.
 
 COMPACT_RTF            = NO
 
-# If the RTF_HYPERLINKS tag is set to YES, the RTF that is generated 
-# will contain hyperlink fields. The RTF file will 
-# contain links (just like the HTML output) instead of page references. 
-# This makes the output suitable for online browsing using WORD or other 
-# programs which support those fields. 
+# If the RTF_HYPERLINKS tag is set to YES, the RTF that is generated
+# will contain hyperlink fields. The RTF file will
+# contain links (just like the HTML output) instead of page references.
+# This makes the output suitable for online browsing using WORD or other
+# programs which support those fields.
 # Note: wordpad (write) and others do not support links.
 
 RTF_HYPERLINKS         = NO
 
-# Load stylesheet definitions from file. Syntax is similar to doxygen's 
-# config file, i.e. a series of assignments. You only have to provide 
+# Load stylesheet definitions from file. Syntax is similar to doxygen's
+# config file, i.e. a series of assignments. You only have to provide
 # replacements, missing definitions are set to their default value.
 
-RTF_STYLESHEET_FILE    = 
+RTF_STYLESHEET_FILE    =
 
-# Set optional variables used in the generation of an rtf document. 
+# Set optional variables used in the generation of an rtf document.
 # Syntax is similar to doxygen's config file.
 
-RTF_EXTENSIONS_FILE    = 
+RTF_EXTENSIONS_FILE    =
 
 #---------------------------------------------------------------------------
 # configuration options related to the man page output
 #---------------------------------------------------------------------------
 
-# If the GENERATE_MAN tag is set to YES (the default) Doxygen will 
+# If the GENERATE_MAN tag is set to YES (the default) Doxygen will
 # generate man pages
 
 GENERATE_MAN           = NO
 
-# The MAN_OUTPUT tag is used to specify where the man pages will be put. 
-# If a relative path is entered the value of OUTPUT_DIRECTORY will be 
+# The MAN_OUTPUT tag is used to specify where the man pages will be put.
+# If a relative path is entered the value of OUTPUT_DIRECTORY will be
 # put in front of it. If left blank `man' will be used as the default path.
 
 MAN_OUTPUT             = man
 
-# The MAN_EXTENSION tag determines the extension that is added to 
+# The MAN_EXTENSION tag determines the extension that is added to
 # the generated man pages (default is the subroutine's section .3)
 
 MAN_EXTENSION          = .3
 
-# If the MAN_LINKS tag is set to YES and Doxygen generates man output, 
-# then it will generate one additional man file for each entity 
-# documented in the real man page(s). These additional files 
-# only source the real man page, but without them the man command 
+# If the MAN_LINKS tag is set to YES and Doxygen generates man output,
+# then it will generate one additional man file for each entity
+# documented in the real man page(s). These additional files
+# only source the real man page, but without them the man command
 # would be unable to find the correct page. The default is NO.
 
 MAN_LINKS              = YES
@@ -1036,33 +1030,33 @@ MAN_LINKS              = YES
 # configuration options related to the XML output
 #---------------------------------------------------------------------------
 
-# If the GENERATE_XML tag is set to YES Doxygen will 
-# generate an XML file that captures the structure of 
+# If the GENERATE_XML tag is set to YES Doxygen will
+# generate an XML file that captures the structure of
 # the code including all documentation.
 
 GENERATE_XML           = NO
 
-# The XML_OUTPUT tag is used to specify where the XML pages will be put. 
-# If a relative path is entered the value of OUTPUT_DIRECTORY will be 
+# The XML_OUTPUT tag is used to specify where the XML pages will be put.
+# If a relative path is entered the value of OUTPUT_DIRECTORY will be
 # put in front of it. If left blank `xml' will be used as the default path.
 
 XML_OUTPUT             = xml
 
-# The XML_SCHEMA tag can be used to specify an XML schema, 
-# which can be used by a validating XML parser to check the 
+# The XML_SCHEMA tag can be used to specify an XML schema,
+# which can be used by a validating XML parser to check the
 # syntax of the XML files.
 
-XML_SCHEMA             = 
+XML_SCHEMA             =
 
-# The XML_DTD tag can be used to specify an XML DTD, 
-# which can be used by a validating XML parser to check the 
+# The XML_DTD tag can be used to specify an XML DTD,
+# which can be used by a validating XML parser to check the
 # syntax of the XML files.
 
-XML_DTD                = 
+XML_DTD                =
 
-# If the XML_PROGRAMLISTING tag is set to YES Doxygen will 
-# dump the program listings (including syntax highlighting 
-# and cross-referencing information) to the XML output. Note that 
+# If the XML_PROGRAMLISTING tag is set to YES Doxygen will
+# dump the program listings (including syntax highlighting
+# and cross-referencing information) to the XML output. Note that
 # enabling this will significantly increase the size of the XML output.
 
 XML_PROGRAMLISTING     = YES
@@ -1071,10 +1065,10 @@ XML_PROGRAMLISTING     = YES
 # configuration options for the AutoGen Definitions output
 #---------------------------------------------------------------------------
 
-# If the GENERATE_AUTOGEN_DEF tag is set to YES Doxygen will 
-# generate an AutoGen Definitions (see autogen.sf.net) file 
-# that captures the structure of the code including all 
-# documentation. Note that this feature is still experimental 
+# If the GENERATE_AUTOGEN_DEF tag is set to YES Doxygen will
+# generate an AutoGen Definitions (see autogen.sf.net) file
+# that captures the structure of the code including all
+# documentation. Note that this feature is still experimental
 # and incomplete at the moment.
 
 GENERATE_AUTOGEN_DEF   = NO
@@ -1083,338 +1077,338 @@ GENERATE_AUTOGEN_DEF   = NO
 # configuration options related to the Perl module output
 #---------------------------------------------------------------------------
 
-# If the GENERATE_PERLMOD tag is set to YES Doxygen will 
-# generate a Perl module file that captures the structure of 
-# the code including all documentation. Note that this 
-# feature is still experimental and incomplete at the 
+# If the GENERATE_PERLMOD tag is set to YES Doxygen will
+# generate a Perl module file that captures the structure of
+# the code including all documentation. Note that this
+# feature is still experimental and incomplete at the
 # moment.
 
 GENERATE_PERLMOD       = NO
 
-# If the PERLMOD_LATEX tag is set to YES Doxygen will generate 
-# the necessary Makefile rules, Perl scripts and LaTeX code to be able 
+# If the PERLMOD_LATEX tag is set to YES Doxygen will generate
+# the necessary Makefile rules, Perl scripts and LaTeX code to be able
 # to generate PDF and DVI output from the Perl module output.
 
 PERLMOD_LATEX          = NO
 
-# If the PERLMOD_PRETTY tag is set to YES the Perl module output will be 
-# nicely formatted so it can be parsed by a human reader.  This is useful 
-# if you want to understand what is going on.  On the other hand, if this 
-# tag is set to NO the size of the Perl module output will be much smaller 
+# If the PERLMOD_PRETTY tag is set to YES the Perl module output will be
+# nicely formatted so it can be parsed by a human reader.  This is useful
+# if you want to understand what is going on.  On the other hand, if this
+# tag is set to NO the size of the Perl module output will be much smaller
 # and Perl will parse it just the same.
 
 PERLMOD_PRETTY         = YES
 
-# The names of the make variables in the generated doxyrules.make file 
-# are prefixed with the string contained in PERLMOD_MAKEVAR_PREFIX. 
-# This is useful so different doxyrules.make files included by the same 
+# The names of the make variables in the generated doxyrules.make file
+# are prefixed with the string contained in PERLMOD_MAKEVAR_PREFIX.
+# This is useful so different doxyrules.make files included by the same
 # Makefile don't overwrite each other's variables.
 
-PERLMOD_MAKEVAR_PREFIX = 
+PERLMOD_MAKEVAR_PREFIX =
 
 #---------------------------------------------------------------------------
-# Configuration options related to the preprocessor   
+# Configuration options related to the preprocessor
 #---------------------------------------------------------------------------
 
-# If the ENABLE_PREPROCESSING tag is set to YES (the default) Doxygen will 
-# evaluate all C-preprocessor directives found in the sources and include 
+# If the ENABLE_PREPROCESSING tag is set to YES (the default) Doxygen will
+# evaluate all C-preprocessor directives found in the sources and include
 # files.
 
 ENABLE_PREPROCESSING   = YES
 
-# If the MACRO_EXPANSION tag is set to YES Doxygen will expand all macro 
-# names in the source code. If set to NO (the default) only conditional 
-# compilation will be performed. Macro expansion can be done in a controlled 
+# If the MACRO_EXPANSION tag is set to YES Doxygen will expand all macro
+# names in the source code. If set to NO (the default) only conditional
+# compilation will be performed. Macro expansion can be done in a controlled
 # way by setting EXPAND_ONLY_PREDEF to YES.
 
 MACRO_EXPANSION        = YES
 
-# If the EXPAND_ONLY_PREDEF and MACRO_EXPANSION tags are both set to YES 
-# then the macro expansion is limited to the macros specified with the 
+# If the EXPAND_ONLY_PREDEF and MACRO_EXPANSION tags are both set to YES
+# then the macro expansion is limited to the macros specified with the
 # PREDEFINED and EXPAND_AS_DEFINED tags.
 
 EXPAND_ONLY_PREDEF     = NO
 
-# If the SEARCH_INCLUDES tag is set to YES (the default) the includes files 
+# If the SEARCH_INCLUDES tag is set to YES (the default) the includes files
 # in the INCLUDE_PATH (see below) will be search if a #include is found.
 
 SEARCH_INCLUDES        = YES
 
-# The INCLUDE_PATH tag can be used to specify one or more directories that 
-# contain include files that are not input files but should be processed by 
+# The INCLUDE_PATH tag can be used to specify one or more directories that
+# contain include files that are not input files but should be processed by
 # the preprocessor.
 
-INCLUDE_PATH           = 
+INCLUDE_PATH           =
 
-# You can use the INCLUDE_FILE_PATTERNS tag to specify one or more wildcard 
-# patterns (like *.h and *.hpp) to filter out the header-files in the 
-# directories. If left blank, the patterns specified with FILE_PATTERNS will 
+# You can use the INCLUDE_FILE_PATTERNS tag to specify one or more wildcard
+# patterns (like *.h and *.hpp) to filter out the header-files in the
+# directories. If left blank, the patterns specified with FILE_PATTERNS will
 # be used.
 
-INCLUDE_FILE_PATTERNS  = 
+INCLUDE_FILE_PATTERNS  =
 
-# The PREDEFINED tag can be used to specify one or more macro names that 
-# are defined before the preprocessor is started (similar to the -D option of 
-# gcc). The argument of the tag is a list of macros of the form: name 
-# or name=definition (no spaces). If the definition and the = are 
-# omitted =1 is assumed. To prevent a macro definition from being 
-# undefined via #undef or recursively expanded use the := operator 
+# The PREDEFINED tag can be used to specify one or more macro names that
+# are defined before the preprocessor is started (similar to the -D option of
+# gcc). The argument of the tag is a list of macros of the form: name
+# or name=definition (no spaces). If the definition and the = are
+# omitted =1 is assumed. To prevent a macro definition from being
+# undefined via #undef or recursively expanded use the := operator
 # instead of the = operator.
 
 PREDEFINED             = LEAK_DETECTIVE
 
-# If the MACRO_EXPANSION and EXPAND_ONLY_PREDEF tags are set to YES then 
-# this tag can be used to specify a list of macro names that should be expanded. 
-# The macro definition that is found in the sources will be used. 
+# If the MACRO_EXPANSION and EXPAND_ONLY_PREDEF tags are set to YES then
+# this tag can be used to specify a list of macro names that should be expanded.
+# The macro definition that is found in the sources will be used.
 # Use the PREDEFINED tag if you want to use a different macro definition.
 
-EXPAND_AS_DEFINED      = 
+EXPAND_AS_DEFINED      =
 
-# If the SKIP_FUNCTION_MACROS tag is set to YES (the default) then 
-# doxygen's preprocessor will remove all function-like macros that are alone 
-# on a line, have an all uppercase name, and do not end with a semicolon. Such 
-# function macros are typically used for boiler-plate code, and will confuse 
+# If the SKIP_FUNCTION_MACROS tag is set to YES (the default) then
+# doxygen's preprocessor will remove all function-like macros that are alone
+# on a line, have an all uppercase name, and do not end with a semicolon. Such
+# function macros are typically used for boiler-plate code, and will confuse
 # the parser if not removed.
 
 SKIP_FUNCTION_MACROS   = YES
 
 #---------------------------------------------------------------------------
-# Configuration::additions related to external references   
+# Configuration::additions related to external references
 #---------------------------------------------------------------------------
 
-# The TAGFILES option can be used to specify one or more tagfiles. 
-# Optionally an initial location of the external documentation 
-# can be added for each tagfile. The format of a tag file without 
-# this location is as follows: 
-#   TAGFILES = file1 file2 ... 
-# Adding location for the tag files is done as follows: 
-#   TAGFILES = file1=loc1 "file2 = loc2" ... 
-# where "loc1" and "loc2" can be relative or absolute paths or 
-# URLs. If a location is present for each tag, the installdox tool 
+# The TAGFILES option can be used to specify one or more tagfiles.
+# Optionally an initial location of the external documentation
+# can be added for each tagfile. The format of a tag file without
+# this location is as follows:
+#   TAGFILES = file1 file2 ...
+# Adding location for the tag files is done as follows:
+#   TAGFILES = file1=loc1 "file2 = loc2" ...
+# where "loc1" and "loc2" can be relative or absolute paths or
+# URLs. If a location is present for each tag, the installdox tool
 # does not have to be run to correct the links.
 # Note that each tag file must have a unique name
 # (where the name does NOT include the path)
-# If a tag file is not located in the directory in which doxygen 
+# If a tag file is not located in the directory in which doxygen
 # is run, you must also specify the path to the tagfile here.
 
-TAGFILES               = 
+TAGFILES               =
 
-# When a file name is specified after GENERATE_TAGFILE, doxygen will create 
+# When a file name is specified after GENERATE_TAGFILE, doxygen will create
 # a tag file that is based on the input files it reads.
 
-GENERATE_TAGFILE       = 
+GENERATE_TAGFILE       =
 
-# If the ALLEXTERNALS tag is set to YES all external classes will be listed 
-# in the class index. If set to NO only the inherited external classes 
+# If the ALLEXTERNALS tag is set to YES all external classes will be listed
+# in the class index. If set to NO only the inherited external classes
 # will be listed.
 
 ALLEXTERNALS           = NO
 
-# If the EXTERNAL_GROUPS tag is set to YES all external groups will be listed 
-# in the modules index. If set to NO, only the current project's groups will 
+# If the EXTERNAL_GROUPS tag is set to YES all external groups will be listed
+# in the modules index. If set to NO, only the current project's groups will
 # be listed.
 
 EXTERNAL_GROUPS        = YES
 
-# The PERL_PATH should be the absolute path and name of the perl script 
+# The PERL_PATH should be the absolute path and name of the perl script
 # interpreter (i.e. the result of `which perl').
 
 PERL_PATH              = /usr/bin/perl
 
 #---------------------------------------------------------------------------
-# Configuration options related to the dot tool   
+# Configuration options related to the dot tool
 #---------------------------------------------------------------------------
 
-# If the CLASS_DIAGRAMS tag is set to YES (the default) Doxygen will 
-# generate a inheritance diagram (in HTML, RTF and LaTeX) for classes with base 
-# or super classes. Setting the tag to NO turns the diagrams off. Note that 
-# this option is superseded by the HAVE_DOT option below. This is only a 
-# fallback. It is recommended to install and use dot, since it yields more 
+# If the CLASS_DIAGRAMS tag is set to YES (the default) Doxygen will
+# generate a inheritance diagram (in HTML, RTF and LaTeX) for classes with base
+# or super classes. Setting the tag to NO turns the diagrams off. Note that
+# this option is superseded by the HAVE_DOT option below. This is only a
+# fallback. It is recommended to install and use dot, since it yields more
 # powerful graphs.
 
 CLASS_DIAGRAMS         = YES
 
-# You can define message sequence charts within doxygen comments using the \msc 
-# command. Doxygen will then run the mscgen tool (see 
-# http://www.mcternan.me.uk/mscgen/) to produce the chart and insert it in the 
-# documentation. The MSCGEN_PATH tag allows you to specify the directory where 
-# the mscgen tool resides. If left empty the tool is assumed to be found in the 
+# You can define message sequence charts within doxygen comments using the \msc
+# command. Doxygen will then run the mscgen tool (see
+# http://www.mcternan.me.uk/mscgen/) to produce the chart and insert it in the
+# documentation. The MSCGEN_PATH tag allows you to specify the directory where
+# the mscgen tool resides. If left empty the tool is assumed to be found in the
 # default search path.
 
-MSCGEN_PATH            = 
+MSCGEN_PATH            =
 
-# If set to YES, the inheritance and collaboration graphs will hide 
-# inheritance and usage relations if the target is undocumented 
+# If set to YES, the inheritance and collaboration graphs will hide
+# inheritance and usage relations if the target is undocumented
 # or is not a class.
 
 HIDE_UNDOC_RELATIONS   = YES
 
-# If you set the HAVE_DOT tag to YES then doxygen will assume the dot tool is 
-# available from the path. This tool is part of Graphviz, a graph visualization 
-# toolkit from AT&T and Lucent Bell Labs. The other options in this section 
+# If you set the HAVE_DOT tag to YES then doxygen will assume the dot tool is
+# available from the path. This tool is part of Graphviz, a graph visualization
+# toolkit from AT&T and Lucent Bell Labs. The other options in this section
 # have no effect if this option is set to NO (the default)
 
 HAVE_DOT               = NO
 
-# By default doxygen will write a font called FreeSans.ttf to the output 
-# directory and reference it in all dot files that doxygen generates. This 
-# font does not include all possible unicode characters however, so when you need 
-# these (or just want a differently looking font) you can specify the font name 
-# using DOT_FONTNAME. You need need to make sure dot is able to find the font, 
-# which can be done by putting it in a standard location or by setting the 
-# DOTFONTPATH environment variable or by setting DOT_FONTPATH to the directory 
+# By default doxygen will write a font called FreeSans.ttf to the output
+# directory and reference it in all dot files that doxygen generates. This
+# font does not include all possible unicode characters however, so when you need
+# these (or just want a differently looking font) you can specify the font name
+# using DOT_FONTNAME. You need need to make sure dot is able to find the font,
+# which can be done by putting it in a standard location or by setting the
+# DOTFONTPATH environment variable or by setting DOT_FONTPATH to the directory
 # containing the font.
 
 DOT_FONTNAME           = FreeSans
 
-# By default doxygen will tell dot to use the output directory to look for the 
-# FreeSans.ttf font (which doxygen will put there itself). If you specify a 
-# different font using DOT_FONTNAME you can set the path where dot 
+# By default doxygen will tell dot to use the output directory to look for the
+# FreeSans.ttf font (which doxygen will put there itself). If you specify a
+# different font using DOT_FONTNAME you can set the path where dot
 # can find it using this tag.
 
-DOT_FONTPATH           = 
+DOT_FONTPATH           =
 
-# If the CLASS_GRAPH and HAVE_DOT tags are set to YES then doxygen 
-# will generate a graph for each documented class showing the direct and 
-# indirect inheritance relations. Setting this tag to YES will force the 
+# If the CLASS_GRAPH and HAVE_DOT tags are set to YES then doxygen
+# will generate a graph for each documented class showing the direct and
+# indirect inheritance relations. Setting this tag to YES will force the
 # the CLASS_DIAGRAMS tag to NO.
 
 CLASS_GRAPH            = YES
 
-# If the COLLABORATION_GRAPH and HAVE_DOT tags are set to YES then doxygen 
-# will generate a graph for each documented class showing the direct and 
-# indirect implementation dependencies (inheritance, containment, and 
+# If the COLLABORATION_GRAPH and HAVE_DOT tags are set to YES then doxygen
+# will generate a graph for each documented class showing the direct and
+# indirect implementation dependencies (inheritance, containment, and
 # class references variables) of the class with other documented classes.
 
 COLLABORATION_GRAPH    = YES
 
-# If the GROUP_GRAPHS and HAVE_DOT tags are set to YES then doxygen 
+# If the GROUP_GRAPHS and HAVE_DOT tags are set to YES then doxygen
 # will generate a graph for groups, showing the direct groups dependencies
 
 GROUP_GRAPHS           = YES
 
-# If the UML_LOOK tag is set to YES doxygen will generate inheritance and 
-# collaboration diagrams in a style similar to the OMG's Unified Modeling 
+# If the UML_LOOK tag is set to YES doxygen will generate inheritance and
+# collaboration diagrams in a style similar to the OMG's Unified Modeling
 # Language.
 
 UML_LOOK               = NO
 
-# If set to YES, the inheritance and collaboration graphs will show the 
+# If set to YES, the inheritance and collaboration graphs will show the
 # relations between templates and their instances.
 
 TEMPLATE_RELATIONS     = NO
 
-# If the ENABLE_PREPROCESSING, SEARCH_INCLUDES, INCLUDE_GRAPH, and HAVE_DOT 
-# tags are set to YES then doxygen will generate a graph for each documented 
-# file showing the direct and indirect include dependencies of the file with 
+# If the ENABLE_PREPROCESSING, SEARCH_INCLUDES, INCLUDE_GRAPH, and HAVE_DOT
+# tags are set to YES then doxygen will generate a graph for each documented
+# file showing the direct and indirect include dependencies of the file with
 # other documented files.
 
 INCLUDE_GRAPH          = YES
 
-# If the ENABLE_PREPROCESSING, SEARCH_INCLUDES, INCLUDED_BY_GRAPH, and 
-# HAVE_DOT tags are set to YES then doxygen will generate a graph for each 
-# documented header file showing the documented files that directly or 
+# If the ENABLE_PREPROCESSING, SEARCH_INCLUDES, INCLUDED_BY_GRAPH, and
+# HAVE_DOT tags are set to YES then doxygen will generate a graph for each
+# documented header file showing the documented files that directly or
 # indirectly include this file.
 
 INCLUDED_BY_GRAPH      = YES
 
-# If the CALL_GRAPH and HAVE_DOT options are set to YES then 
-# doxygen will generate a call dependency graph for every global function 
-# or class method. Note that enabling this option will significantly increase 
-# the time of a run. So in most cases it will be better to enable call graphs 
+# If the CALL_GRAPH and HAVE_DOT options are set to YES then
+# doxygen will generate a call dependency graph for every global function
+# or class method. Note that enabling this option will significantly increase
+# the time of a run. So in most cases it will be better to enable call graphs
 # for selected functions only using the \callgraph command.
 
 CALL_GRAPH             = NO
 
-# If the CALLER_GRAPH and HAVE_DOT tags are set to YES then 
-# doxygen will generate a caller dependency graph for every global function 
-# or class method. Note that enabling this option will significantly increase 
-# the time of a run. So in most cases it will be better to enable caller 
+# If the CALLER_GRAPH and HAVE_DOT tags are set to YES then
+# doxygen will generate a caller dependency graph for every global function
+# or class method. Note that enabling this option will significantly increase
+# the time of a run. So in most cases it will be better to enable caller
 # graphs for selected functions only using the \callergraph command.
 
 CALLER_GRAPH           = NO
 
-# If the GRAPHICAL_HIERARCHY and HAVE_DOT tags are set to YES then doxygen 
+# If the GRAPHICAL_HIERARCHY and HAVE_DOT tags are set to YES then doxygen
 # will graphical hierarchy of all classes instead of a textual one.
 
 GRAPHICAL_HIERARCHY    = YES
 
-# If the DIRECTORY_GRAPH, SHOW_DIRECTORIES and HAVE_DOT tags are set to YES 
-# then doxygen will show the dependencies a directory has on other directories 
+# If the DIRECTORY_GRAPH, SHOW_DIRECTORIES and HAVE_DOT tags are set to YES
+# then doxygen will show the dependencies a directory has on other directories
 # in a graphical way. The dependency relations are determined by the #include
 # relations between the files in the directories.
 
 DIRECTORY_GRAPH        = YES
 
-# The DOT_IMAGE_FORMAT tag can be used to set the image format of the images 
+# The DOT_IMAGE_FORMAT tag can be used to set the image format of the images
 # generated by dot. Possible values are png, jpg, or gif
 # If left blank png will be used.
 
 DOT_IMAGE_FORMAT       = png
 
-# The tag DOT_PATH can be used to specify the path where the dot tool can be 
+# The tag DOT_PATH can be used to specify the path where the dot tool can be
 # found. If left blank, it is assumed the dot tool can be found in the path.
 
-DOT_PATH               = 
+DOT_PATH               =
 
-# The DOTFILE_DIRS tag can be used to specify one or more directories that 
-# contain dot files that are included in the documentation (see the 
+# The DOTFILE_DIRS tag can be used to specify one or more directories that
+# contain dot files that are included in the documentation (see the
 # \dotfile command).
 
-DOTFILE_DIRS           = 
+DOTFILE_DIRS           =
 
-# The DOT_GRAPH_MAX_NODES tag can be used to set the maximum number of 
-# nodes that will be shown in the graph. If the number of nodes in a graph 
-# becomes larger than this value, doxygen will truncate the graph, which is 
-# visualized by representing a node as a red box. Note that doxygen if the 
-# number of direct children of the root node in a graph is already larger than 
-# DOT_GRAPH_MAX_NODES then the graph will not be shown at all. Also note 
+# The DOT_GRAPH_MAX_NODES tag can be used to set the maximum number of
+# nodes that will be shown in the graph. If the number of nodes in a graph
+# becomes larger than this value, doxygen will truncate the graph, which is
+# visualized by representing a node as a red box. Note that doxygen if the
+# number of direct children of the root node in a graph is already larger than
+# DOT_GRAPH_MAX_NODES then the graph will not be shown at all. Also note
 # that the size of a graph can be further restricted by MAX_DOT_GRAPH_DEPTH.
 
 DOT_GRAPH_MAX_NODES    = 50
 
-# The MAX_DOT_GRAPH_DEPTH tag can be used to set the maximum depth of the 
-# graphs generated by dot. A depth value of 3 means that only nodes reachable 
-# from the root by following a path via at most 3 edges will be shown. Nodes 
-# that lay further from the root node will be omitted. Note that setting this 
-# option to 1 or 2 may greatly reduce the computation time needed for large 
-# code bases. Also note that the size of a graph can be further restricted by 
+# The MAX_DOT_GRAPH_DEPTH tag can be used to set the maximum depth of the
+# graphs generated by dot. A depth value of 3 means that only nodes reachable
+# from the root by following a path via at most 3 edges will be shown. Nodes
+# that lay further from the root node will be omitted. Note that setting this
+# option to 1 or 2 may greatly reduce the computation time needed for large
+# code bases. Also note that the size of a graph can be further restricted by
 # DOT_GRAPH_MAX_NODES. Using a depth of 0 means no depth restriction.
 
 MAX_DOT_GRAPH_DEPTH    = 0
 
-# Set the DOT_TRANSPARENT tag to YES to generate images with a transparent 
-# background. This is enabled by default, which results in a transparent 
-# background. Warning: Depending on the platform used, enabling this option 
-# may lead to badly anti-aliased labels on the edges of a graph (i.e. they 
+# Set the DOT_TRANSPARENT tag to YES to generate images with a transparent
+# background. This is enabled by default, which results in a transparent
+# background. Warning: Depending on the platform used, enabling this option
+# may lead to badly anti-aliased labels on the edges of a graph (i.e. they
 # become hard to read).
 
 DOT_TRANSPARENT        = NO
 
-# Set the DOT_MULTI_TARGETS tag to YES allow dot to generate multiple output 
-# files in one run (i.e. multiple -o and -T options on the command line). This 
-# makes dot run faster, but since only newer versions of dot (>1.8.10) 
+# Set the DOT_MULTI_TARGETS tag to YES allow dot to generate multiple output
+# files in one run (i.e. multiple -o and -T options on the command line). This
+# makes dot run faster, but since only newer versions of dot (>1.8.10)
 # support this, this feature is disabled by default.
 
 DOT_MULTI_TARGETS      = NO
 
-# If the GENERATE_LEGEND tag is set to YES (the default) Doxygen will 
-# generate a legend page explaining the meaning of the various boxes and 
+# If the GENERATE_LEGEND tag is set to YES (the default) Doxygen will
+# generate a legend page explaining the meaning of the various boxes and
 # arrows in the dot generated graphs.
 
 GENERATE_LEGEND        = YES
 
-# If the DOT_CLEANUP tag is set to YES (the default) Doxygen will 
-# remove the intermediate dot files that are used to generate 
+# If the DOT_CLEANUP tag is set to YES (the default) Doxygen will
+# remove the intermediate dot files that are used to generate
 # the various graphs.
 
 DOT_CLEANUP            = YES
 
 #---------------------------------------------------------------------------
-# Configuration::additions related to the search engine   
+# Configuration::additions related to the search engine
 #---------------------------------------------------------------------------
 
-# The SEARCHENGINE tag specifies whether or not a search engine should be 
+# The SEARCHENGINE tag specifies whether or not a search engine should be
 # used. If set to NO the values of all tags below this one will be ignored.
 
 SEARCHENGINE           = NO
diff --git a/Makefile.am b/Makefile.am
index 172949977..fcb2f2e7a 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -4,6 +4,8 @@ if USE_SCRIPTS
   SUBDIRS += scripts
 endif
 
+ACLOCAL_AMFLAGS = -I m4/config
+
 EXTRA_DIST = Doxyfile.in CREDITS
 CLEANFILES = apidoc Doxyfile
 
@@ -11,6 +13,7 @@ Doxyfile :	Doxyfile.in
 		sed \
 		-e "s:\@PACKAGE_VERSION\@:$(PACKAGE_VERSION):" \
 		-e "s:\@PACKAGE_NAME\@:$(PACKAGE_NAME):" \
+		-e "s:\@SRC_DIR\@:$(srcdir):" \
 		$(srcdir)/$@.in > $@
 
 apidoc :	Doxyfile
diff --git a/Makefile.in b/Makefile.in
index bc83e3d31..6e97ac768 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -1,8 +1,9 @@
-# Makefile.in generated by automake 1.10.2 from Makefile.am.
+# Makefile.in generated by automake 1.11 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -15,8 +16,9 @@
 @SET_MAKE@
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
@@ -39,13 +41,21 @@ DIST_COMMON = README $(am__configure_deps) $(srcdir)/Makefile.am \
 	ChangeLog INSTALL NEWS TODO config.guess config.sub depcomp \
 	install-sh ltmain.sh missing
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 am__CONFIG_DISTCLEAN_FILES = config.status config.cache config.log \
  configure.lineno config.status.lineno
 mkinstalldirs = $(install_sh) -d
 CONFIG_CLEAN_FILES = src/dumm/ext/extconf.rb
+CONFIG_CLEAN_VPATH_FILES =
 SOURCES =
 DIST_SOURCES =
 RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \
@@ -57,6 +67,9 @@ RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \
 	ps-recursive uninstall-recursive
 RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive	\
   distclean-recursive maintainer-clean-recursive
+AM_RECURSIVE_TARGETS = $(RECURSIVE_TARGETS:-recursive=) \
+	$(RECURSIVE_CLEAN_TARGETS:-recursive=) tags TAGS ctags CTAGS \
+	distdir dist dist-all distcheck
 ETAGS = etags
 CTAGS = ctags
 DIST_SUBDIRS = src testing scripts
@@ -64,9 +77,34 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 distdir = $(PACKAGE)-$(VERSION)
 top_distdir = $(distdir)
 am__remove_distdir = \
-  { test ! -d $(distdir) \
-    || { find $(distdir) -type d ! -perm -200 -exec chmod u+w {} ';' \
-         && rm -fr $(distdir); }; }
+  { test ! -d "$(distdir)" \
+    || { find "$(distdir)" -type d ! -perm -200 -exec chmod u+w {} ';' \
+         && rm -fr "$(distdir)"; }; }
+am__relativize = \
+  dir0=`pwd`; \
+  sed_first='s,^\([^/]*\)/.*$$,\1,'; \
+  sed_rest='s,^[^/]*/*,,'; \
+  sed_last='s,^.*/\([^/]*\)$$,\1,'; \
+  sed_butlast='s,/*[^/]*$$,,'; \
+  while test -n "$$dir1"; do \
+    first=`echo "$$dir1" | sed -e "$$sed_first"`; \
+    if test "$$first" != "."; then \
+      if test "$$first" = ".."; then \
+        dir2=`echo "$$dir0" | sed -e "$$sed_last"`/"$$dir2"; \
+        dir0=`echo "$$dir0" | sed -e "$$sed_butlast"`; \
+      else \
+        first2=`echo "$$dir2" | sed -e "$$sed_first"`; \
+        if test "$$first2" = "$$first"; then \
+          dir2=`echo "$$dir2" | sed -e "$$sed_rest"`; \
+        else \
+          dir2="../$$dir2"; \
+        fi; \
+        dir0="$$dir0"/"$$first"; \
+      fi; \
+    fi; \
+    dir1=`echo "$$dir1" | sed -e "$$sed_rest"`; \
+  done; \
+  reldir="$$dir2"
 DIST_ARCHIVES = $(distdir).tar.gz
 GZIP_ENV = --best
 distuninstallcheck_listfiles = find . -type f -print
@@ -104,25 +142,22 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
-IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
-LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
-LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
-LINUX_HEADERS = @LINUX_HEADERS@
 LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
 NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
@@ -134,11 +169,14 @@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
 PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
+RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
@@ -167,9 +205,9 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
-confdir = @confdir@
 datadir = @datadir@
 datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
@@ -192,7 +230,7 @@ ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
 libstrongswan_plugins = @libstrongswan_plugins@
-linuxdir = @linuxdir@
+linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
@@ -200,6 +238,7 @@ mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
@@ -208,10 +247,12 @@ pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+random_device = @random_device@
 resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
-simreader = @simreader@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
@@ -219,9 +260,11 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 SUBDIRS = src testing $(am__append_1)
+ACLOCAL_AMFLAGS = -I m4/config
 EXTRA_DIST = Doxyfile.in CREDITS
 CLEANFILES = apidoc Doxyfile
 all: all-recursive
@@ -233,15 +276,15 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
 	    *$$dep*) \
-	      echo ' cd $(srcdir) && $(AUTOMAKE) --gnu '; \
-	      cd $(srcdir) && $(AUTOMAKE) --gnu  \
+	      echo ' cd $(srcdir) && $(AUTOMAKE) --gnu'; \
+	      $(am__cd) $(srcdir) && $(AUTOMAKE) --gnu \
 		&& exit 0; \
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  Makefile'; \
-	cd $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu  Makefile
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu Makefile
 .PRECIOUS: Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
@@ -257,9 +300,10 @@ $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENC
 	$(SHELL) ./config.status --recheck
 
 $(top_srcdir)/configure:  $(am__configure_deps)
-	cd $(srcdir) && $(AUTOCONF)
+	$(am__cd) $(srcdir) && $(AUTOCONF)
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
-	cd $(srcdir) && $(ACLOCAL) $(ACLOCAL_AMFLAGS)
+	$(am__cd) $(srcdir) && $(ACLOCAL) $(ACLOCAL_AMFLAGS)
+$(am__aclocal_m4_deps):
 src/dumm/ext/extconf.rb: $(top_builddir)/config.status $(top_srcdir)/src/dumm/ext/extconf.rb.in
 	cd $(top_builddir) && $(SHELL) ./config.status $@
 
@@ -296,7 +340,7 @@ $(RECURSIVE_TARGETS):
 	  else \
 	    local_target="$$target"; \
 	  fi; \
-	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
+	  ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
 	  || eval $$failcom; \
 	done; \
 	if test "$$dot_seen" = "no"; then \
@@ -330,16 +374,16 @@ $(RECURSIVE_CLEAN_TARGETS):
 	  else \
 	    local_target="$$target"; \
 	  fi; \
-	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
+	  ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
 	  || eval $$failcom; \
 	done && test -z "$$fail"
 tags-recursive:
 	list='$(SUBDIRS)'; for subdir in $$list; do \
-	  test "$$subdir" = . || (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) tags); \
+	  test "$$subdir" = . || ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) tags); \
 	done
 ctags-recursive:
 	list='$(SUBDIRS)'; for subdir in $$list; do \
-	  test "$$subdir" = . || (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) ctags); \
+	  test "$$subdir" = . || ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) ctags); \
 	done
 
 ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
@@ -354,7 +398,7 @@ tags: TAGS
 
 TAGS: tags-recursive $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
+	set x; \
 	here=`pwd`; \
 	if ($(ETAGS) --etags-include --version) >/dev/null 2>&1; then \
 	  include_option=--etags-include; \
@@ -366,7 +410,7 @@ TAGS: tags-recursive $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	list='$(SUBDIRS)'; for subdir in $$list; do \
 	  if test "$$subdir" = .; then :; else \
 	    test ! -f $$subdir/TAGS || \
-	      tags="$$tags $$include_option=$$here/$$subdir/TAGS"; \
+	      set "$$@" "$$include_option=$$here/$$subdir/TAGS"; \
 	  fi; \
 	done; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
@@ -375,36 +419,41 @@ TAGS: tags-recursive $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
 	  test -n "$$unique" || unique=$$empty_fix; \
-	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	    $$tags $$unique; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
 	fi
 ctags: CTAGS
 CTAGS: ctags-recursive $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	test -z "$(CTAGS_ARGS)$$unique" \
 	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$tags $$unique
+	     $$unique
 
 GTAGS:
 	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && cd $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) $$here
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
 
 distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
 
 distdir: $(DISTFILES)
 	$(am__remove_distdir)
-	test -d $(distdir) || mkdir $(distdir)
+	test -d "$(distdir)" || mkdir "$(distdir)"
 	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
 	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
 	list='$(DISTFILES)'; \
@@ -420,38 +469,54 @@ distdir: $(DISTFILES)
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
 	  if test -d $$d/$$file; then \
 	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
 	    fi; \
-	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
 	  else \
-	    test -f $(distdir)/$$file \
-	    || cp -p $$d/$$file $(distdir)/$$file \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
 	    || exit 1; \
 	  fi; \
 	done
-	list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
+	@list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
 	  if test "$$subdir" = .; then :; else \
 	    test -d "$(distdir)/$$subdir" \
 	    || $(MKDIR_P) "$(distdir)/$$subdir" \
 	    || exit 1; \
-	    distdir=`$(am__cd) $(distdir) && pwd`; \
-	    top_distdir=`$(am__cd) $(top_distdir) && pwd`; \
-	    (cd $$subdir && \
+	  fi; \
+	done
+	@list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
+	  if test "$$subdir" = .; then :; else \
+	    dir1=$$subdir; dir2="$(distdir)/$$subdir"; \
+	    $(am__relativize); \
+	    new_distdir=$$reldir; \
+	    dir1=$$subdir; dir2="$(top_distdir)"; \
+	    $(am__relativize); \
+	    new_top_distdir=$$reldir; \
+	    echo " (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) top_distdir="$$new_top_distdir" distdir="$$new_distdir" \\"; \
+	    echo "     am__remove_distdir=: am__skip_length_check=: am__skip_mode_fix=: distdir)"; \
+	    ($(am__cd) $$subdir && \
 	      $(MAKE) $(AM_MAKEFLAGS) \
-	        top_distdir="$$top_distdir" \
-	        distdir="$$distdir/$$subdir" \
+	        top_distdir="$$new_top_distdir" \
+	        distdir="$$new_distdir" \
 		am__remove_distdir=: \
 		am__skip_length_check=: \
+		am__skip_mode_fix=: \
 	        distdir) \
 	      || exit 1; \
 	  fi; \
 	done
-	-find $(distdir) -type d ! -perm -777 -exec chmod a+rwx {} \; -o \
+	-test -n "$(am__skip_mode_fix)" \
+	|| find "$(distdir)" -type d ! -perm -777 -exec chmod a+rwx {} \; -o \
 	  ! -type d ! -perm -444 -links 1 -exec chmod a+r {} \; -o \
 	  ! -type d ! -perm -400 -exec chmod a+r {} \; -o \
 	  ! -type d ! -perm -444 -exec $(install_sh) -c -m a+r {} {} \; \
-	|| chmod -R a+r $(distdir)
+	|| chmod -R a+r "$(distdir)"
 dist-gzip: distdir
 	tardir=$(distdir) && $(am__tar) | GZIP=$(GZIP_ENV) gzip -c >$(distdir).tar.gz
 	$(am__remove_distdir)
@@ -464,6 +529,10 @@ dist-lzma: distdir
 	tardir=$(distdir) && $(am__tar) | lzma -9 -c >$(distdir).tar.lzma
 	$(am__remove_distdir)
 
+dist-xz: distdir
+	tardir=$(distdir) && $(am__tar) | xz -c >$(distdir).tar.xz
+	$(am__remove_distdir)
+
 dist-tarZ: distdir
 	tardir=$(distdir) && $(am__tar) | compress -c >$(distdir).tar.Z
 	$(am__remove_distdir)
@@ -492,6 +561,8 @@ distcheck: dist
 	  bunzip2 -c $(distdir).tar.bz2 | $(am__untar) ;;\
 	*.tar.lzma*) \
 	  unlzma -c $(distdir).tar.lzma | $(am__untar) ;;\
+	*.tar.xz*) \
+	  xz -dc $(distdir).tar.xz | $(am__untar) ;;\
 	*.tar.Z*) \
 	  uncompress -c $(distdir).tar.Z | $(am__untar) ;;\
 	*.shar.gz*) \
@@ -503,9 +574,11 @@ distcheck: dist
 	mkdir $(distdir)/_build
 	mkdir $(distdir)/_inst
 	chmod a-w $(distdir)
+	test -d $(distdir)/_build || exit 0; \
 	dc_install_base=`$(am__cd) $(distdir)/_inst && pwd | sed -e 's,^[^:\\/]:[\\/],/,'` \
 	  && dc_destdir="$${TMPDIR-/tmp}/am-dc-$$$$/" \
-	  && cd $(distdir)/_build \
+	  && am__cwd=`pwd` \
+	  && $(am__cd) $(distdir)/_build \
 	  && ../configure --srcdir=.. --prefix="$$dc_install_base" \
 	    $(DISTCHECK_CONFIGURE_FLAGS) \
 	  && $(MAKE) $(AM_MAKEFLAGS) \
@@ -527,13 +600,15 @@ distcheck: dist
 	  && rm -rf "$$dc_destdir" \
 	  && $(MAKE) $(AM_MAKEFLAGS) dist \
 	  && rm -rf $(DIST_ARCHIVES) \
-	  && $(MAKE) $(AM_MAKEFLAGS) distcleancheck
+	  && $(MAKE) $(AM_MAKEFLAGS) distcleancheck \
+	  && cd "$$am__cwd" \
+	  || exit 1
 	$(am__remove_distdir)
 	@(echo "$(distdir) archives ready for distribution: "; \
 	  list='$(DIST_ARCHIVES)'; for i in $$list; do echo $$i; done) | \
 	  sed -e 1h -e 1s/./=/g -e 1p -e 1x -e '$$p' -e '$$x'
 distuninstallcheck:
-	@cd $(distuninstallcheck_dir) \
+	@$(am__cd) '$(distuninstallcheck_dir)' \
 	&& test `$(distuninstallcheck_listfiles) | wc -l` -le 1 \
 	   || { echo "ERROR: files left after uninstall:" ; \
 	        if test -n "$(DESTDIR)"; then \
@@ -576,6 +651,7 @@ clean-generic:
 
 distclean-generic:
 	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -596,6 +672,8 @@ dvi-am:
 
 html: html-recursive
 
+html-am:
+
 info: info-recursive
 
 info-am:
@@ -604,18 +682,28 @@ install-data-am:
 
 install-dvi: install-dvi-recursive
 
+install-dvi-am:
+
 install-exec-am:
 
 install-html: install-html-recursive
 
+install-html-am:
+
 install-info: install-info-recursive
 
+install-info-am:
+
 install-man:
 
 install-pdf: install-pdf-recursive
 
+install-pdf-am:
+
 install-ps: install-ps-recursive
 
+install-ps-am:
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-recursive
@@ -638,34 +726,36 @@ ps-am:
 
 uninstall-am:
 
-.MAKE: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) install-am \
-	install-strip
+.MAKE: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) ctags-recursive \
+	install-am install-strip tags-recursive
 
 .PHONY: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) CTAGS GTAGS \
 	all all-am am--refresh check check-am clean clean-generic \
 	clean-libtool ctags ctags-recursive dist dist-all dist-bzip2 \
-	dist-gzip dist-lzma dist-shar dist-tarZ dist-zip distcheck \
-	distclean distclean-generic distclean-libtool distclean-tags \
-	distcleancheck distdir distuninstallcheck dvi dvi-am html \
-	html-am info info-am install install-am install-data \
-	install-data-am install-dvi install-dvi-am install-exec \
-	install-exec-am install-html install-html-am install-info \
-	install-info-am install-man install-pdf install-pdf-am \
-	install-ps install-ps-am install-strip installcheck \
-	installcheck-am installdirs installdirs-am maintainer-clean \
-	maintainer-clean-generic mostlyclean mostlyclean-generic \
-	mostlyclean-libtool pdf pdf-am ps ps-am tags tags-recursive \
-	uninstall uninstall-am
+	dist-gzip dist-lzma dist-shar dist-tarZ dist-xz dist-zip \
+	distcheck distclean distclean-generic distclean-libtool \
+	distclean-tags distcleancheck distdir distuninstallcheck dvi \
+	dvi-am html html-am info info-am install install-am \
+	install-data install-data-am install-dvi install-dvi-am \
+	install-exec install-exec-am install-html install-html-am \
+	install-info install-info-am install-man install-pdf \
+	install-pdf-am install-ps install-ps-am install-strip \
+	installcheck installcheck-am installdirs installdirs-am \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags tags-recursive uninstall uninstall-am
 
 
 Doxyfile :	Doxyfile.in
 		sed \
 		-e "s:\@PACKAGE_VERSION\@:$(PACKAGE_VERSION):" \
 		-e "s:\@PACKAGE_NAME\@:$(PACKAGE_NAME):" \
+		-e "s:\@SRC_DIR\@:$(srcdir):" \
 		$(srcdir)/$@.in > $@
 
 apidoc :	Doxyfile
 		doxygen
+
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/NEWS b/NEWS
index 6cf4d080d..1ba8b7c49 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,116 @@
+strongswan-4.3.6
+----------------
+
+- The IKEv2 daemon supports RFC 3779 IP address block constraints
+  carried as a critical X.509v3 extension in the peer certificate.
+
+- The ipsec pool --add|del dns|nbns command manages DNS and NBNS name
+  server entries that are sent via the IKEv1 Mode Config or IKEv2
+  Configuration Payload to remote clients.
+
+- The Camellia cipher can be used as an IKEv1 encryption algorithm.
+
+- The IKEv1 and IKEV2 daemons now check certificate path length constraints.
+
+- The new ipsec.conf conn option "inactivity" closes a CHILD_SA if no traffic
+  was sent or received within the given interval. To close the complete IKE_SA
+  if its only CHILD_SA was inactive, set the global strongswan.conf option
+  "charon.inactivity_close_ike" to yes.
+
+- More detailed IKEv2 EAP payload information in debug output
+
+- IKEv2 EAP-SIM and EAP-AKA share joint libsimaka library
+
+- Added required userland changes for proper SHA256 and SHA384/512 in ESP that
+  will be introduced with Linux 2.6.33. The "sha256"/"sha2_256" keyword now
+  configures the kernel with 128 bit truncation, not the non-standard 96
+  bit truncation used by previous releases. To use the old 96 bit truncation
+  scheme, the new "sha256_96" proposal keyword has been introduced.
+
+- Fixed IPComp in tunnel mode, stripping out the duplicated outer header. This
+  change makes IPcomp tunnel mode connections incompatible with previous
+  releases; disable compression on such tunnels.
+
+- Fixed BEET mode connections on recent kernels by installing SAs with
+  appropriate traffic selectors, based on a patch by Michael Rossberg.
+
+- Using extensions (such as BEET mode) and crypto algorithms (such as twofish,
+  serpent, sha256_96) allocated in the private use space now require that we
+  know its meaning, i.e. we are talking to strongSwan. Use the new
+  "charon.send_vendor_id" option in strongswan.conf to let the remote peer know
+  this is the case.
+
+- Experimental support for draft-eronen-ipsec-ikev2-eap-auth, where the
+  responder omits public key authentication in favor of a mutual authentication
+  method. To enable EAP-only authentication, set rightauth=eap on the responder
+  to rely only on the MSK constructed AUTH payload. This not-yet standardized
+  extension requires the strongSwan vendor ID introduced above.
+
+- The IKEv1 daemon ignores the Juniper SRX notification type 40001, thus
+  allowing interoperability.
+
+
+strongswan-4.3.5
+----------------
+
+- The IKEv1 pluto daemon can now use SQL-based address pools to deal out
+  virtual IP addresses as a Mode Config server. The pool capability has been
+  migrated from charon's sql plugin to a new attr-sql plugin which is loaded
+  by libstrongswan and which can be used by both daemons either with a SQLite
+  or MySQL database and the corresponding plugin.
+
+- Plugin names have been streamlined: EAP plugins now have a dash after eap
+  (e.g. eap-sim), as it is used with the --enable-eap-sim ./configure option.
+  Plugin configuration sections in strongswan.conf now use the same name as the
+  plugin itself (i.e. with a dash). Make sure to update "load" directives and
+  the affected plugin sections in existing strongswan.conf files.
+
+- The private/public key parsing and encoding has been split up into
+  separate pkcs1, pgp, pem and dnskey plugins. The public key implementation
+  plugins gmp, gcrypt and openssl can all make use of them.
+
+- The EAP-AKA plugin can use different backends for USIM/quintuplet
+  calculations, very similar to the EAP-SIM plugin. The existing 3GPP2 software
+  implementation has been migrated to a separate plugin.
+
+- The IKEv2 daemon charon gained basic PGP support. It can use locally installed
+  peer certificates and can issue signatures based on RSA private keys.
+
+- The new 'ipsec pki' tool provides a set of commands to maintain a public
+  key infrastructure. It currently supports operations to create RSA and ECDSA
+  private/public keys, calculate fingerprints and issue or verify certificates.
+
+- Charon uses a monotonic time source for statistics and job queueing, behaving
+  correctly if the system time changes (e.g. when using NTP).
+
+- In addition to time based rekeying, charon supports IPsec SA lifetimes based
+  on processed volume or number of packets. They new ipsec.conf paramaters
+  'lifetime' (an alias to 'keylife'), 'lifebytes' and 'lifepackets' handle
+  SA timeouts, while the parameters 'margintime' (an alias to rekeymargin),
+  'marginbytes' and 'marginpackets' trigger the rekeying before a SA expires.
+  The existing parameter 'rekeyfuzz' affects all margins.
+
+- If no CA/Gateway certificate is specified in the NetworkManager plugin,
+  charon uses a set of trusted root certificates preinstalled by distributions.
+  The directory containing CA certificates can be specified using the
+  --with-nm-ca-dir=path configure option.
+
+- Fixed the encoding of the Email relative distinguished name in left|rightid
+  statements.
+
+- Fixed the broken parsing of PKCS#7 wrapped certificates by the pluto daemon.
+
+- Fixed smartcard-based authentication in the pluto daemon which was broken by
+  the ECDSA support introduced with the 4.3.2 release.
+
+- A patch contributed by Heiko Hund fixes mixed IPv6 in IPv4 and vice versa
+  tunnels established with the IKEv1 pluto daemon.
+
+- The pluto daemon now uses the libstrongswan x509 plugin for certificates and
+  CRls and the struct id type was replaced by identification_t used by charon
+  and the libstrongswan library.
+
+
 strongswan-4.3.4
 ----------------
 
@@ -51,7 +164,7 @@ strongswan-4.3.2
   another two DoS vulnerabilities, one in the rather old ASN.1 parser of Relative
   Distinguished Names (RDNs) and a second one in the conversion of ASN.1 UTCTIME
   and GENERALIZEDTIME strings to a time_t value.
-  
+
 
 strongswan-4.3.1
 ----------------
@@ -88,7 +201,7 @@ strongswan-4.3.1
   incomplete state which caused a null pointer dereference if a subsequent
   CREATE_CHILD_SA request was sent. 2) Sending an IKE_AUTH request with either
   a missing TSi or TSr payload caused a null pointer derefence because the
-  checks for TSi and TSr were interchanged. The IKEv2 fuzzer used was 
+  checks for TSi and TSr were interchanged. The IKEv2 fuzzer used was
   developped by the Orange Labs vulnerability research team. The tool was
   initially written by Gabriel Campana and is now maintained by Laurent Butti.
 
@@ -148,7 +261,7 @@ strongswan-4.2.14
   time, i.e. Jan 19 03:14:07 UTC 2038.
 
 - Distinguished Names containing wildcards (*) are not sent in the
-  IDr payload anymore. 
+  IDr payload anymore.
 
 
 strongswan-4.2.13
@@ -158,7 +271,7 @@ strongswan-4.2.13
   IKEv1 pluto daemon which sporadically caused a segfault.
 
 - Fixed a crash in the IKEv2 charon daemon occuring with
-  mixed RAM-based and SQL-based virtual IP address pools. 
+  mixed RAM-based and SQL-based virtual IP address pools.
 
 - Fixed ASN.1 parsing of algorithmIdentifier objects where the
   parameters field is optional.
@@ -174,13 +287,13 @@ strongswan-4.2.12
   either by --enable-md4 or --enable-openssl.
 
 - Assignment of up to two DNS and up to two WINS servers to peers via
-  the IKEv2 Configuration Payload (CP). The IPv4 or IPv6 nameserver 
+  the IKEv2 Configuration Payload (CP). The IPv4 or IPv6 nameserver
   addresses are defined in strongswan.conf.
 
 - The strongSwan applet for the Gnome NetworkManager is now built and
   distributed as a separate tarball under the name NetworkManager-strongswan.
 
- 
+
 strongswan-4.2.11
 -----------------
 
@@ -278,9 +391,9 @@ strongswan-4.2.7
   a KE payload containing zeroes only can cause a crash of the IKEv2 charon
   daemon due to a NULL pointer returned by the mpz_export() function of the
   GNU Multiprecision Library (GMP). Thanks go to Mu Dynamics Research Labs
-  for making us aware of this problem. 
+  for making us aware of this problem.
 
-- The new agent plugin provides a private key implementation on top of an 
+- The new agent plugin provides a private key implementation on top of an
   ssh-agent.
 
 - The NetworkManager plugin has been extended to support certificate client
@@ -304,7 +417,7 @@ strongswan-4.2.6
 
 - A new EAP-GTC plugin implements draft-sheffer-ikev2-gtc-00.txt and allows
   username/password authentication against any PAM service on the gateway.
-  The new EAP method interacts nicely with the NetworkManager plugin and allows 
+  The new EAP method interacts nicely with the NetworkManager plugin and allows
   client authentication against e.g. LDAP.
 
 - Improved support for the EAP-Identity method. The new ipsec.conf eap_identity
@@ -324,7 +437,7 @@ strongswan-4.2.6
 strongswan-4.2.5
 ----------------
 
-- Consistent logging of IKE and CHILD SAs at the audit (AUD) level. 
+- Consistent logging of IKE and CHILD SAs at the audit (AUD) level.
 
 - Improved the performance of the SQL-based virtual IP address pool
   by introducing an additional addresses table. The leases table
@@ -338,12 +451,12 @@ strongswan-4.2.5
 - management of different virtual IP pools for different
   network interfaces have become possible.
 
-- fixed a bug which prevented the assignment of more than 256 
+- fixed a bug which prevented the assignment of more than 256
   virtual IP addresses from a pool managed by an sql database.
 
 - fixed a bug which did not delete own IPCOMP SAs in the kernel.
 
- 
+
 strongswan-4.2.4
 ----------------
 
@@ -361,7 +474,7 @@ strongswan-4.2.4
 
 - Fixed a bug in stroke which caused multiple charon threads to close
   the file descriptors during packet transfers over the stroke socket.
- 
+
 - ESP sequence numbers are now migrated in IPsec SA updates handled by
   MOBIKE. Works only with Linux kernels >= 2.6.17.
 
@@ -369,7 +482,7 @@ strongswan-4.2.4
 strongswan-4.2.3
 ----------------
 
-- Fixed the strongswan.conf path configuration problem that occurred when 
+- Fixed the strongswan.conf path configuration problem that occurred when
   --sysconfig was not set explicitly in ./configure.
 
 - Fixed a number of minor bugs that where discovered during the 4th
@@ -391,7 +504,7 @@ strongswan-4.2.2
   the pool database. See ipsec pool --help for the available options
 
 - The Authenticated Encryption Algorithms AES-CCM-8/12/16 and AES-GCM-8/12/16
-  for ESP are now supported starting with the Linux 2.6.25 kernel. The 
+  for ESP are now supported starting with the Linux 2.6.25 kernel. The
   syntax is e.g. esp=aes128ccm12 or esp=aes256gcm16.
 
 
@@ -409,12 +522,12 @@ strongswan-4.2.1
   IKE_SAs with the same peer. The option value "keep" prefers existing
   connection setups over new ones, where the value "replace" replaces existing
   connections.
-  
-- The crypto factory in libstrongswan additionaly supports random number 
+
+- The crypto factory in libstrongswan additionaly supports random number
   generators, plugins may provide other sources of randomness. The default
   plugin reads raw random data from /dev/(u)random.
 
-- Extended the credential framework by a caching option to allow plugins 
+- Extended the credential framework by a caching option to allow plugins
   persistent caching of fetched credentials. The "cachecrl" option has been
   re-implemented.
 
@@ -469,10 +582,10 @@ strongswan-4.2.0
   refactored to support modular credential providers, proper
   CERTREQ/CERT payload exchanges and extensible authorization rules.
 
-- The framework of strongSwan Manager has envolved to the web application 
+- The framework of strongSwan Manager has envolved to the web application
   framework libfast (FastCGI Application Server w/ Templates) and is usable
   by other applications.
-	
+
 
 strongswan-4.1.11
 -----------------
@@ -482,7 +595,7 @@ strongswan-4.1.11
   the next CHILD_SA rekeying.
 
 - Wrong type definition of the next_payload variable in id_payload.c
-  caused an INVALID_SYNTAX error on PowerPC platforms. 
+  caused an INVALID_SYNTAX error on PowerPC platforms.
 
 - Implemented IKEv2 EAP-SIM server and client test modules that use
   triplets stored in a file. For details on the configuration see
@@ -493,7 +606,7 @@ strongswan-4.1.10
 -----------------
 
 - Fixed error in the ordering of the certinfo_t records in the ocsp cache that
-  caused multiple entries of the same serial number to be created. 
+  caused multiple entries of the same serial number to be created.
 
 - Implementation of a simple EAP-MD5 module which provides CHAP
   authentication. This may be interesting in conjunction with certificate
@@ -506,7 +619,7 @@ strongswan-4.1.10
   before using it.
 
 - Support for vendor specific EAP methods using Expanded EAP types. The
-  interface to EAP modules has been slightly changed, so make sure to 
+  interface to EAP modules has been slightly changed, so make sure to
   check the changes if you're already rolling your own modules.
 
 
@@ -527,7 +640,7 @@ strongswan-4.1.9
 - Fixes and improvements to multithreading code.
 
 - IKEv2 plugins have been renamed to libcharon-* to avoid naming conflicts.
-  Make sure to remove the old plugins in $libexecdir/ipsec, otherwise they get 
+  Make sure to remove the old plugins in $libexecdir/ipsec, otherwise they get
   loaded twice.
 
 
@@ -573,18 +686,18 @@ strongswan-4.1.6
 - the default ipsec routing table plus its corresponding priority
   used for inserting source routes has been changed from 100 to 220.
   It can be configured using the --with-ipsec-routing-table and
-  --with-ipsec-routing-table-prio options. 
-  
+  --with-ipsec-routing-table-prio options.
+
 - the --enable-integrity-test configure option tests the
   integrity of the libstrongswan crypto code during the charon
   startup.
-  
+
 - the --disable-xauth-vid configure option disables the sending
   of the XAUTH vendor ID. This can be used as a workaround when
   interoperating with some Windows VPN clients that get into
   trouble upon reception of an XAUTH VID without eXtended
   AUTHentication having been configured.
-  
+
 - ipsec stroke now supports the rereadsecrets, rereadaacerts,
   rereadacerts, and listacerts options.
 
@@ -647,7 +760,7 @@ strongswan-4.1.4
   of an argument string that is used with the PKCS#11 C_Initialize()
   function. This non-standard feature is required by the NSS softoken
   library. This patch was contributed by Robert Varga.
-	
+
 - Fixed a bug in ipsec starter introduced by strongswan-2.8.5
   which caused a segmentation fault in the presence of unknown
   or misspelt keywords in ipsec.conf. This bug fix was contributed
@@ -660,7 +773,7 @@ strongswan-4.1.4
 strongswan-4.1.3
 ----------------
 
-- IKEv2 peer configuration selection now can be based on a given 
+- IKEv2 peer configuration selection now can be based on a given
   certification authority using the rightca= statement.
 
 - IKEv2 authentication based on RSA signatures now can handle multiple
@@ -677,11 +790,11 @@ strongswan-4.1.3
   improves the systems security, as a possible intruder may only get the
   CAP_NET_ADMIN capability.
 
-- Further modularization of charon: Pluggable control interface and 
+- Further modularization of charon: Pluggable control interface and
   configuration backend modules provide extensibility. The control interface
   for stroke is included, and further interfaces using DBUS (NetworkManager)
   or XML are on the way. A backend for storing configurations in the daemon
-  is provided and more advanced backends (using e.g. a database) are trivial 
+  is provided and more advanced backends (using e.g. a database) are trivial
   to implement.
 
  - Fixed a compilation failure in libfreeswan occuring with Linux kernel
@@ -705,7 +818,7 @@ strongswan-4.1.2
 
 - Removed the dependencies from the /usr/include/linux/ headers by
   including xfrm.h, ipsec.h, and pfkeyv2.h in the distribution.
-  
+
 - crlNumber is now listed by ipsec listcrls
 
 - The xauth_modules.verify_secret() function now passes the
@@ -754,7 +867,7 @@ strongswan-4.1.0
 - Support for SHA2-256/384/512 PRF and HMAC functions in IKEv2.
 
 - Full support of CA information sections. ipsec listcainfos
-  now shows all collected crlDistributionPoints and OCSP 
+  now shows all collected crlDistributionPoints and OCSP
   accessLocations.
 
 - Support of the Online Certificate Status Protocol (OCSP) for IKEv2.
@@ -805,8 +918,8 @@ strongswan-4.0.6
   with ISAKMP Main Mode RSA or PSK authentication. Both client and
   server side were implemented. Handling of user credentials can
   be done by a run-time loadable XAUTH module. By default user
-  credentials are stored in ipsec.secrets. 
-	  
+  credentials are stored in ipsec.secrets.
+
 - IKEv2: Support for reauthentication when rekeying
 
 - IKEv2: Support for transport mode
@@ -878,8 +991,8 @@ strongswan-4.0.3
 ----------------
 
 - Added support for the auto=route ipsec.conf parameter and the
-  ipsec route/unroute commands for IKEv2. This allows to set up IKE_SAs and 
-  CHILD_SAs dynamically on demand when traffic is detected by the 
+  ipsec route/unroute commands for IKEv2. This allows to set up IKE_SAs and
+  CHILD_SAs dynamically on demand when traffic is detected by the
   kernel.
 
 - Added support for rekeying IKE_SAs in IKEv2 using the ikelifetime parameter.
@@ -899,9 +1012,9 @@ strongswan-4.0.2
   default is leftsendcert=always, since CERTREQ payloads are not supported
   yet. Optional CRLs must be imported locally into /etc/ipsec.d/crls.
 
-- Added support for leftprotoport/rightprotoport parameters in IKEv2. IKEv2 
+- Added support for leftprotoport/rightprotoport parameters in IKEv2. IKEv2
   would offer more possibilities for traffic selection, but the Linux kernel
-  currently does not support it. That's why we stick with these simple 
+  currently does not support it. That's why we stick with these simple
   ipsec.conf rules for now.
 
 - Added Dead Peer Detection (DPD) which checks liveliness of remote peer if no
@@ -913,8 +1026,8 @@ strongswan-4.0.2
   to port 4500, uses UDP encapsulated ESP packets, handles peer address
   changes gracefully and sends keep alive message periodically.
 
-- Reimplemented IKE_SA state machine for charon, which allows simultaneous 
-  rekeying, more shared code, cleaner design, proper retransmission 
+- Reimplemented IKE_SA state machine for charon, which allows simultaneous
+  rekeying, more shared code, cleaner design, proper retransmission
   and a more extensible code base.
 
 - The mixed PSK/RSA roadwarrior detection capability introduced by the
@@ -929,22 +1042,22 @@ strongswan-4.0.2
 strongswan-4.0.1
 ----------------
 
-- Added algorithm selection to charon: New default algorithms for 
+- Added algorithm selection to charon: New default algorithms for
   ike=aes128-sha-modp2048, as both daemons support it. The default
   for IPsec SAs is now esp=aes128-sha,3des-md5. charon handles
   the ike/esp parameter the same way as pluto. As this syntax does
-  not allow specification of a pseudo random function, the same 
+  not allow specification of a pseudo random function, the same
   algorithm as for integrity is used (currently sha/md5). Supported
   algorithms for IKE:
     Encryption: aes128, aes192, aes256
     Integrity/PRF: md5, sha (using hmac)
     DH-Groups: modp768, 1024, 1536, 2048, 4096, 8192
   and for ESP:
-    Encryption: aes128, aes192, aes256, 3des, blowfish128, 
+    Encryption: aes128, aes192, aes256, 3des, blowfish128,
                 blowfish192, blowfish256
     Integrity: md5, sha1
   More IKE encryption algorithms will come after porting libcrypto into
-  libstrongswan. 
+  libstrongswan.
 
 - initial support for rekeying CHILD_SAs using IKEv2. Currently no
   perfect forward secrecy is used. The rekeying parameters rekey,
@@ -959,7 +1072,7 @@ strongswan-4.0.1
 
 - new build environment featuring autotools. Features such
   as HTTP, LDAP and smartcard support may be enabled using
-  the ./configure script. Changing install directories 
+  the ./configure script. Changing install directories
   is possible, too. See ./configure --help for more details.
 
 - better integration of charon with ipsec starter, which allows
@@ -973,7 +1086,7 @@ strongswan-4.0.0
 ----------------
 
 - initial support of the IKEv2 protocol. Connections in
-  ipsec.conf designated by keyexchange=ikev2 are negotiated 
+  ipsec.conf designated by keyexchange=ikev2 are negotiated
   by the new IKEv2 charon keying daemon whereas those marked
   by keyexchange=ikev1 or the default keyexchange=ike are
   handled thy the IKEv1 pluto keying daemon. Currently only
@@ -1009,7 +1122,7 @@ strongswan-2.7.0
   internal network interface which is part of the client subnet
   because an iptables INPUT and OUTPUT rule would be required.
   lefthostaccess=yes will cause this additional ACCEPT rules to
-  be inserted. 
+  be inserted.
 
 - mixed PSK|RSA roadwarriors are now supported. The ISAKMP proposal
   payload is preparsed in order to find out whether the roadwarrior
@@ -1023,7 +1136,7 @@ strongswan-2.6.4
 - the new _updown_policy template allows ipsec policy based
   iptables firewall rules. Required are iptables version
   >= 1.3.5 and linux kernel >= 2.6.16. This script obsoletes
-  the _updown_espmark template, so that no INPUT mangle rules 
+  the _updown_espmark template, so that no INPUT mangle rules
   are required any more.
 
 - added support of DPD restart mode
@@ -1039,13 +1152,13 @@ strongswan-2.6.4
 strongswan-2.6.3
 ----------------
 
-- /etc/init.d/ipsec or /etc/rc.d/ipsec is now a copy of the ipsec 
+- /etc/init.d/ipsec or /etc/rc.d/ipsec is now a copy of the ipsec
   command and not of ipsec setup any more.
 
 - ipsec starter now supports AH authentication in conjunction with
   ESP encryption. AH authentication is configured in ipsec.conf
   via the auth=ah parameter.
-  
+
 - The command ipsec scencrypt|scdecrypt <args> is now an alias for
   ipsec whack --scencrypt|scdecrypt <args>.
 
@@ -1053,7 +1166,7 @@ strongswan-2.6.3
   the exact time of the last use of an active eroute. This information
   is used by the Dead Peer Detection algorithm and is also displayed by
   the ipsec status command.
-  
+
 
 strongswan-2.6.2
 ----------------
@@ -1117,7 +1230,7 @@ strongswan-2.6.0
   accelerated tremedously.
 
 - Added support of %defaultroute to the ipsec starter. If the IP address
-  changes, a HUP signal to the ipsec starter will automatically 
+  changes, a HUP signal to the ipsec starter will automatically
   reload pluto's connections.
 
 - moved most compile time configurations from pluto/Makefile to
@@ -1149,7 +1262,7 @@ strongswan-2.5.6
   function (e.g. OpenSC), the RSA encryption is done in
   software using the public key fetched from the smartcard.
 
-- The scepclient function now allows to define the 
+- The scepclient function now allows to define the
   validity of a self-signed certificate using the --days,
   --startdate, and --enddate options. The default validity
   has been changed from one year to five years.
@@ -1172,7 +1285,7 @@ strongswan-2.5.5
              [--outbase 16|hex|64|base64|256|text|ascii]
              [--keyid <keyid>]
 
-  The default setting for inbase and outbase is hex. 
+  The default setting for inbase and outbase is hex.
 
   The new proxy interface can be used for securing symmetric
   encryption keys required by the cryptoloop or dm-crypt
@@ -1218,7 +1331,7 @@ strongswan-2.5.3
   always|yes (the default, always send a cert)
   ifasked    (send the cert only upon a cert request)
   never|no   (never send a cert, used for raw RSA keys and
-              self-signed certs) 
+              self-signed certs)
 
 - fixed the initialization of the ESP key length to a default of
   128 bits in the case that the peer does not send a key length
@@ -1310,7 +1423,7 @@ strongswan-2.5.0
   of ipsec.conf. The dynamically fetched CRLs are stored under
   a unique file name containing the issuer's subjectKeyID
   in /etc/ipsec.d/crls.
-  
+
 - Applied a one-line patch courtesy of Michael Richardson
   from the Openswan project which fixes the kernel-oops
   in KLIPS when an snmp daemon is running on the same box.
@@ -1347,19 +1460,19 @@ strongswan-2.4.2
 - Added the _updown_espmark template which requires all
   incoming ESP traffic to be marked with a default mark
   value of 50.
-  
+
 - Introduced the pkcs11keepstate parameter in the config setup
   section of ipsec.conf. With pkcs11keepstate=yes the PKCS#11
-  session and login states are kept as long as possible during 
+  session and login states are kept as long as possible during
   the lifetime of pluto. This means that a PIN entry via a key
   pad has to be done only once.
 
 - Introduced the pkcs11module parameter in the config setup
   section of ipsec.conf which specifies the PKCS#11 module
   to be used with smart cards. Example:
-  
+
     pkcs11module=/usr/lib/pkcs11/opensc-pkcs11.lo
-  
+
 - Added support of smartcard readers equipped with a PIN pad.
 
 - Added patch by Jay Pfeifer which detects when netkey
@@ -1368,7 +1481,7 @@ strongswan-2.4.2
 - Added two patches by Herbert Xu. The first uses ip xfrm
   instead of setkey to flush the IPsec policy database. The
   second sets the optional flag in inbound IPComp SAs only.
-    
+
 - Applied Ulrich Weber's patch which fixes an interoperability
   problem between native IPsec and KLIPS systems caused by
   setting the replay window to 32 instead of 0 for ipcomp.
@@ -1391,8 +1504,8 @@ strongswan-2.4.0a
 
 - updated copyright statement to include David Buechi and
   Michael Meier
-  
-  
+
+
 strongswan-2.4.0
 ----------------
 
@@ -1409,10 +1522,10 @@ strongswan-2.4.0
   always?] returns an XFRM_ACQUIRE message with an undefined
   protocol family field and the connection setup fails.
   As a workaround IPv4 (AF_INET) is now assumed.
-  
-- the results of the UML test scenarios are now enhanced 
+
+- the results of the UML test scenarios are now enhanced
   with block diagrams of the virtual network topology used
-  in a particular test. 
+  in a particular test.
 
 
 strongswan-2.3.2
@@ -1420,13 +1533,13 @@ strongswan-2.3.2
 
 - fixed IV used to decrypt informational messages.
   This bug was introduced with Mode Config functionality.
- 
+
 - fixed NCP Vendor ID.
 
 - undid one of Ulrich Weber's maximum udp size patches
   because it caused a segmentation fault with NAT-ed
   Delete SA messages.
-  
+
 - added UML scenarios wildcards and attr-cert which
   demonstrate the implementation of IPsec policies based
   on wildcard parameters contained in Distinguished Names and
@@ -1440,15 +1553,15 @@ strongswan-2.3.1
 
 - Added Mathieu Lafon's patch which upgrades the status of
   the NAT-Traversal implementation to RFC 3947.
- 
+
 - The _startklips script now also loads the xfrm4_tunnel
   module.
-  
+
 - Added Ulrich Weber's netlink replay window size and
   maximum udp size patches.
 
 - UML testing now uses the Linux 2.6.10 UML kernel by default.
-   
+
 
 strongswan-2.3.0
 ----------------
@@ -1460,22 +1573,22 @@ strongswan-2.3.0
   subdirectory.
 
 - Full support of group attributes based on X.509 attribute
-  certificates. Attribute certificates can be generated 
+  certificates. Attribute certificates can be generated
   using the openac facility. For more details see
-   
+
   man ipsec_openac.
- 
+
   The group attributes can be used in connection definitions
   in order to give IPsec access to specific user groups.
   This is done with the new parameter left|rightgroups as in
-  
+
   rightgroups="Research, Sales"
 
   giving access to users possessing the group attributes
   Research or Sales, only.
 
 - In Quick Mode clients with subnet mask /32 are now
-  coded as IP_V4_ADDRESS or IP_V6_ADDRESS. This should 
+  coded as IP_V4_ADDRESS or IP_V6_ADDRESS. This should
   fix rekeying problems with the SafeNet/SoftRemote and NCP
   Secure Entry Clients.
 
@@ -1489,7 +1602,7 @@ strongswan-2.3.0
 - Public RSA keys can now have identical IDs if either the
   issuing CA or the serial number is different. The serial
   number of a certificate is now shown by the command
-  
+
   ipsec auto --listpubkeys
 
 
@@ -1504,7 +1617,7 @@ strongswan-2.2.2
 - Fixed a bug occuring with NAT-Traversal enabled when the responder
   suddenly turns initiator and the initiator cannot find a matching
   connection because of the floated IKE port 4500.
-  
+
 - Removed misleading ipsec verify command from barf.
 
 - Running under the native IP stack, ipsec --version now shows
@@ -1519,12 +1632,12 @@ strongswan-2.2.1
 
 - Fixed a bug in the ESP algorithm selection occuring when the strict flag
   is set and the first proposed transform does not match.
-  
+
 - Fixed another deadlock in the use of the lock_certs_and_keys() mutex,
   occuring when a smartcard is present.
 
 - Prevented that a superseded Phase1 state can trigger a DPD_TIMEOUT event.
-  
+
 - Fixed the printing of the notification names (null)
 
 - Applied another of Herbert Xu's Netlink patches.
@@ -1536,15 +1649,15 @@ strongswan-2.2.0
 - Support of Dead Peer Detection. The connection parameter
 
     dpdaction=clear|hold
-     
+
   activates DPD for the given connection.
 
 - The default Opportunistic Encryption (OE) policy groups are not
   automatically included anymore. Those wishing to activate OE can include
   the policy group with the following statement in ipsec.conf:
-  
+
     include /etc/ipsec.d/examples/oe.conf
-  
+
   The default for [right|left]rsasigkey is now set to %cert.
 
 - strongSwan now has a Vendor ID of its own which can be activated
@@ -1558,12 +1671,12 @@ strongswan-2.2.0
 
 - Reapplied one of Herbert Xu's NAT-Traversal patches which got
   lost during the migration from SuperFreeS/WAN.
-  
+
 - Fixed a deadlock in the use of the lock_certs_and_keys() mutex.
 
 - Fixed the unsharing of alg parameters when instantiating group
   connection.
-  
+
 
 strongswan-2.1.5
 ----------------
@@ -1605,7 +1718,7 @@ strongswan-2.1.3
 
 - Fixed another PKCS#7 vulnerability which could lead to an
   endless loop while following the X.509 trust chain.
-  
+
 
 strongswan-2.1.2
 ----------------
@@ -1613,7 +1726,7 @@ strongswan-2.1.2
 - Fixed the PKCS#7 vulnerability discovered by Thomas Walpuski
   that accepted end certificates having identical issuer and subject
   distinguished names in a multi-tier X.509 trust chain.
-  
+
 
 strongswan-2.1.1
 ----------------
@@ -1633,9 +1746,9 @@ strongswan-2.1.0
      crluri=http://www.kool.net/kool.crl # crl distribution point
      crluri2="ldap:///O=Kool, C= .."     # crl distribution point #2
      auto=add                            # add, ignore
-     
+
   The ca definitions can be monitored via the command
-  
+
      ipsec auto --listcainfos
 
 - Fixed cosmetic corruption of /proc filesystem by integrating
@@ -1647,10 +1760,10 @@ strongswan-2.0.2
 
 - Added support for the 818043 NAT-Traversal update of Microsoft's
   Windows 2000/XP IPsec client which sends an ID_FQDN during Quick Mode.
-  
-- A symbolic link to libcrypto is now added in the kernel sources 
+
+- A symbolic link to libcrypto is now added in the kernel sources
   during kernel compilation
-  
+
 - Fixed a couple of 64 bit issues (mostly casts to int).
   Thanks to Ken Bantoft who checked my sources on a 64 bit platform.
 
@@ -1669,8 +1782,8 @@ strongswan-2.0.1
 
 - applied Herbert Xu's NAT-T patches which fixes NAT-T under the native
   Linux 2.6 IPsec stack.
-  
-  
+
+
 strongswan-2.0.0
 ----------------
 
diff --git a/aclocal.m4 b/aclocal.m4
index 9e6e86249..dea9d6f31 100644
--- a/aclocal.m4
+++ b/aclocal.m4
@@ -1,7 +1,7 @@
-# generated automatically by aclocal 1.10.2 -*- Autoconf -*-
+# generated automatically by aclocal 1.11 -*- Autoconf -*-
 
 # Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004,
-# 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# 2005, 2006, 2007, 2008, 2009  Free Software Foundation, Inc.
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -13,8 +13,8 @@
 
 m4_ifndef([AC_AUTOCONF_VERSION],
   [m4_copy([m4_PACKAGE_VERSION], [AC_AUTOCONF_VERSION])])dnl
-m4_if(m4_defn([AC_AUTOCONF_VERSION]), [2.63],,
-[m4_warning([this file was generated for autoconf 2.63.
+m4_if(m4_defn([AC_AUTOCONF_VERSION]), [2.64],,
+[m4_warning([this file was generated for autoconf 2.64.
 You have another version of autoconf.  It may work, but is not guaranteed to.
 If you have problems, you may need to regenerate the build system entirely.
 To do so, use the procedure documented by the package, typically `autoreconf'.])])
@@ -205,8077 +205,6 @@ AC_DEFUN([AC_LIB_PREPARE_MULTILIB],
   fi
 ])
 
-dnl Autoconf macros for libgcrypt
-dnl       Copyright (C) 2002, 2004 Free Software Foundation, Inc.
-dnl
-dnl This file is free software; as a special exception the author gives
-dnl unlimited permission to copy and/or distribute it, with or without
-dnl modifications, as long as this notice is preserved.
-dnl
-dnl This file is distributed in the hope that it will be useful, but
-dnl WITHOUT ANY WARRANTY, to the extent permitted by law; without even the
-dnl implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
-
-
-dnl AM_PATH_LIBGCRYPT([MINIMUM-VERSION,
-dnl                   [ACTION-IF-FOUND [, ACTION-IF-NOT-FOUND ]]])
-dnl Test for libgcrypt and define LIBGCRYPT_CFLAGS and LIBGCRYPT_LIBS.
-dnl MINIMUN-VERSION is a string with the version number optionalliy prefixed
-dnl with the API version to also check the API compatibility. Example:
-dnl a MINIMUN-VERSION of 1:1.2.5 won't pass the test unless the installed 
-dnl version of libgcrypt is at least 1.2.5 *and* the API number is 1.  Using
-dnl this features allows to prevent build against newer versions of libgcrypt
-dnl with a changed API.
-dnl
-AC_DEFUN([AM_PATH_LIBGCRYPT],
-[ AC_ARG_WITH(libgcrypt-prefix,
-            AC_HELP_STRING([--with-libgcrypt-prefix=PFX],
-                           [prefix where LIBGCRYPT is installed (optional)]),
-     libgcrypt_config_prefix="$withval", libgcrypt_config_prefix="")
-  if test x$libgcrypt_config_prefix != x ; then
-     if test x${LIBGCRYPT_CONFIG+set} != xset ; then
-        LIBGCRYPT_CONFIG=$libgcrypt_config_prefix/bin/libgcrypt-config
-     fi
-  fi
-
-  AC_PATH_PROG(LIBGCRYPT_CONFIG, libgcrypt-config, no)
-  tmp=ifelse([$1], ,1:1.2.0,$1)
-  if echo "$tmp" | grep ':' >/dev/null 2>/dev/null ; then
-     req_libgcrypt_api=`echo "$tmp"     | sed 's/\(.*\):\(.*\)/\1/'`
-     min_libgcrypt_version=`echo "$tmp" | sed 's/\(.*\):\(.*\)/\2/'`
-  else
-     req_libgcrypt_api=0
-     min_libgcrypt_version="$tmp"
-  fi
-
-  AC_MSG_CHECKING(for LIBGCRYPT - version >= $min_libgcrypt_version)
-  ok=no
-  if test "$LIBGCRYPT_CONFIG" != "no" ; then
-    req_major=`echo $min_libgcrypt_version | \
-               sed 's/\([[0-9]]*\)\.\([[0-9]]*\)\.\([[0-9]]*\)/\1/'`
-    req_minor=`echo $min_libgcrypt_version | \
-               sed 's/\([[0-9]]*\)\.\([[0-9]]*\)\.\([[0-9]]*\)/\2/'`
-    req_micro=`echo $min_libgcrypt_version | \
-               sed 's/\([[0-9]]*\)\.\([[0-9]]*\)\.\([[0-9]]*\)/\3/'`
-    libgcrypt_config_version=`$LIBGCRYPT_CONFIG --version`
-    major=`echo $libgcrypt_config_version | \
-               sed 's/\([[0-9]]*\)\.\([[0-9]]*\)\.\([[0-9]]*\).*/\1/'`
-    minor=`echo $libgcrypt_config_version | \
-               sed 's/\([[0-9]]*\)\.\([[0-9]]*\)\.\([[0-9]]*\).*/\2/'`
-    micro=`echo $libgcrypt_config_version | \
-               sed 's/\([[0-9]]*\)\.\([[0-9]]*\)\.\([[0-9]]*\).*/\3/'`
-    if test "$major" -gt "$req_major"; then
-        ok=yes
-    else 
-        if test "$major" -eq "$req_major"; then
-            if test "$minor" -gt "$req_minor"; then
-               ok=yes
-            else
-               if test "$minor" -eq "$req_minor"; then
-                   if test "$micro" -ge "$req_micro"; then
-                     ok=yes
-                   fi
-               fi
-            fi
-        fi
-    fi
-  fi
-  if test $ok = yes; then
-    AC_MSG_RESULT([yes ($libgcrypt_config_version)])
-  else
-    AC_MSG_RESULT(no)
-  fi
-  if test $ok = yes; then
-     # If we have a recent libgcrypt, we should also check that the
-     # API is compatible
-     if test "$req_libgcrypt_api" -gt 0 ; then
-        tmp=`$LIBGCRYPT_CONFIG --api-version 2>/dev/null || echo 0`
-        if test "$tmp" -gt 0 ; then
-           AC_MSG_CHECKING([LIBGCRYPT API version])
-           if test "$req_libgcrypt_api" -eq "$tmp" ; then
-             AC_MSG_RESULT([okay])
-           else
-             ok=no
-             AC_MSG_RESULT([does not match. want=$req_libgcrypt_api got=$tmp])
-           fi
-        fi
-     fi
-  fi
-  if test $ok = yes; then
-    LIBGCRYPT_CFLAGS=`$LIBGCRYPT_CONFIG --cflags`
-    LIBGCRYPT_LIBS=`$LIBGCRYPT_CONFIG --libs`
-    ifelse([$2], , :, [$2])
-  else
-    LIBGCRYPT_CFLAGS=""
-    LIBGCRYPT_LIBS=""
-    ifelse([$3], , :, [$3])
-  fi
-  AC_SUBST(LIBGCRYPT_CFLAGS)
-  AC_SUBST(LIBGCRYPT_LIBS)
-])
-
-# libtool.m4 - Configure libtool for the host system. -*-Autoconf-*-
-#
-#   Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2003, 2004, 2005,
-#                 2006, 2007, 2008 Free Software Foundation, Inc.
-#   Written by Gordon Matzigkeit, 1996
-#
-# This file is free software; the Free Software Foundation gives
-# unlimited permission to copy and/or distribute it, with or without
-# modifications, as long as this notice is preserved.
-
-m4_define([_LT_COPYING], [dnl
-#   Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2003, 2004, 2005,
-#                 2006, 2007, 2008 Free Software Foundation, Inc.
-#   Written by Gordon Matzigkeit, 1996
-#
-#   This file is part of GNU Libtool.
-#
-# GNU Libtool is free software; you can redistribute it and/or
-# modify it under the terms of the GNU General Public License as
-# published by the Free Software Foundation; either version 2 of
-# the License, or (at your option) any later version.
-#
-# As a special exception to the GNU General Public License,
-# if you distribute this file as part of a program or library that
-# is built using GNU Libtool, you may include this file under the
-# same distribution terms that you use for the rest of that program.
-#
-# GNU Libtool is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with GNU Libtool; see the file COPYING.  If not, a copy
-# can be downloaded from http://www.gnu.org/licenses/gpl.html, or
-# obtained by writing to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-])
-
-# serial 56 LT_INIT
-
-
-# LT_PREREQ(VERSION)
-# ------------------
-# Complain and exit if this libtool version is less that VERSION.
-m4_defun([LT_PREREQ],
-[m4_if(m4_version_compare(m4_defn([LT_PACKAGE_VERSION]), [$1]), -1,
-       [m4_default([$3],
-		   [m4_fatal([Libtool version $1 or higher is required],
-		             63)])],
-       [$2])])
-
-
-# _LT_CHECK_BUILDDIR
-# ------------------
-# Complain if the absolute build directory name contains unusual characters
-m4_defun([_LT_CHECK_BUILDDIR],
-[case `pwd` in
-  *\ * | *\	*)
-    AC_MSG_WARN([Libtool does not cope well with whitespace in `pwd`]) ;;
-esac
-])
-
-
-# LT_INIT([OPTIONS])
-# ------------------
-AC_DEFUN([LT_INIT],
-[AC_PREREQ([2.58])dnl We use AC_INCLUDES_DEFAULT
-AC_BEFORE([$0], [LT_LANG])dnl
-AC_BEFORE([$0], [LT_OUTPUT])dnl
-AC_BEFORE([$0], [LTDL_INIT])dnl
-m4_require([_LT_CHECK_BUILDDIR])dnl
-
-dnl Autoconf doesn't catch unexpanded LT_ macros by default:
-m4_pattern_forbid([^_?LT_[A-Z_]+$])dnl
-m4_pattern_allow([^(_LT_EOF|LT_DLGLOBAL|LT_DLLAZY_OR_NOW|LT_MULTI_MODULE)$])dnl
-dnl aclocal doesn't pull ltoptions.m4, ltsugar.m4, or ltversion.m4
-dnl unless we require an AC_DEFUNed macro:
-AC_REQUIRE([LTOPTIONS_VERSION])dnl
-AC_REQUIRE([LTSUGAR_VERSION])dnl
-AC_REQUIRE([LTVERSION_VERSION])dnl
-AC_REQUIRE([LTOBSOLETE_VERSION])dnl
-m4_require([_LT_PROG_LTMAIN])dnl
-
-dnl Parse OPTIONS
-_LT_SET_OPTIONS([$0], [$1])
-
-# This can be used to rebuild libtool when needed
-LIBTOOL_DEPS="$ltmain"
-
-# Always use our own libtool.
-LIBTOOL='$(SHELL) $(top_builddir)/libtool'
-AC_SUBST(LIBTOOL)dnl
-
-_LT_SETUP
-
-# Only expand once:
-m4_define([LT_INIT])
-])# LT_INIT
-
-# Old names:
-AU_ALIAS([AC_PROG_LIBTOOL], [LT_INIT])
-AU_ALIAS([AM_PROG_LIBTOOL], [LT_INIT])
-dnl aclocal-1.4 backwards compatibility:
-dnl AC_DEFUN([AC_PROG_LIBTOOL], [])
-dnl AC_DEFUN([AM_PROG_LIBTOOL], [])
-
-
-# _LT_CC_BASENAME(CC)
-# -------------------
-# Calculate cc_basename.  Skip known compiler wrappers and cross-prefix.
-m4_defun([_LT_CC_BASENAME],
-[for cc_temp in $1""; do
-  case $cc_temp in
-    compile | *[[\\/]]compile | ccache | *[[\\/]]ccache ) ;;
-    distcc | *[[\\/]]distcc | purify | *[[\\/]]purify ) ;;
-    \-*) ;;
-    *) break;;
-  esac
-done
-cc_basename=`$ECHO "X$cc_temp" | $Xsed -e 's%.*/%%' -e "s%^$host_alias-%%"`
-])
-
-
-# _LT_FILEUTILS_DEFAULTS
-# ----------------------
-# It is okay to use these file commands and assume they have been set
-# sensibly after `m4_require([_LT_FILEUTILS_DEFAULTS])'.
-m4_defun([_LT_FILEUTILS_DEFAULTS],
-[: ${CP="cp -f"}
-: ${MV="mv -f"}
-: ${RM="rm -f"}
-])# _LT_FILEUTILS_DEFAULTS
-
-
-# _LT_SETUP
-# ---------
-m4_defun([_LT_SETUP],
-[AC_REQUIRE([AC_CANONICAL_HOST])dnl
-AC_REQUIRE([AC_CANONICAL_BUILD])dnl
-_LT_DECL([], [host_alias], [0], [The host system])dnl
-_LT_DECL([], [host], [0])dnl
-_LT_DECL([], [host_os], [0])dnl
-dnl
-_LT_DECL([], [build_alias], [0], [The build system])dnl
-_LT_DECL([], [build], [0])dnl
-_LT_DECL([], [build_os], [0])dnl
-dnl
-AC_REQUIRE([AC_PROG_CC])dnl
-AC_REQUIRE([LT_PATH_LD])dnl
-AC_REQUIRE([LT_PATH_NM])dnl
-dnl
-AC_REQUIRE([AC_PROG_LN_S])dnl
-test -z "$LN_S" && LN_S="ln -s"
-_LT_DECL([], [LN_S], [1], [Whether we need soft or hard links])dnl
-dnl
-AC_REQUIRE([LT_CMD_MAX_LEN])dnl
-_LT_DECL([objext], [ac_objext], [0], [Object file suffix (normally "o")])dnl
-_LT_DECL([], [exeext], [0], [Executable file suffix (normally "")])dnl
-dnl
-m4_require([_LT_FILEUTILS_DEFAULTS])dnl
-m4_require([_LT_CHECK_SHELL_FEATURES])dnl
-m4_require([_LT_CMD_RELOAD])dnl
-m4_require([_LT_CHECK_MAGIC_METHOD])dnl
-m4_require([_LT_CMD_OLD_ARCHIVE])dnl
-m4_require([_LT_CMD_GLOBAL_SYMBOLS])dnl
-
-_LT_CONFIG_LIBTOOL_INIT([
-# See if we are running on zsh, and set the options which allow our
-# commands through without removal of \ escapes INIT.
-if test -n "\${ZSH_VERSION+set}" ; then
-   setopt NO_GLOB_SUBST
-fi
-])
-if test -n "${ZSH_VERSION+set}" ; then
-   setopt NO_GLOB_SUBST
-fi
-
-_LT_CHECK_OBJDIR
-
-m4_require([_LT_TAG_COMPILER])dnl
-_LT_PROG_ECHO_BACKSLASH
-
-case $host_os in
-aix3*)
-  # AIX sometimes has problems with the GCC collect2 program.  For some
-  # reason, if we set the COLLECT_NAMES environment variable, the problems
-  # vanish in a puff of smoke.
-  if test "X${COLLECT_NAMES+set}" != Xset; then
-    COLLECT_NAMES=
-    export COLLECT_NAMES
-  fi
-  ;;
-esac
-
-# Sed substitution that helps us do robust quoting.  It backslashifies
-# metacharacters that are still active within double-quoted strings.
-sed_quote_subst='s/\([["`$\\]]\)/\\\1/g'
-
-# Same as above, but do not quote variable references.
-double_quote_subst='s/\([["`\\]]\)/\\\1/g'
-
-# Sed substitution to delay expansion of an escaped shell variable in a
-# double_quote_subst'ed string.
-delay_variable_subst='s/\\\\\\\\\\\$/\\\\\\$/g'
-
-# Sed substitution to delay expansion of an escaped single quote.
-delay_single_quote_subst='s/'\''/'\'\\\\\\\'\''/g'
-
-# Sed substitution to avoid accidental globbing in evaled expressions
-no_glob_subst='s/\*/\\\*/g'
-
-# Global variables:
-ofile=libtool
-can_build_shared=yes
-
-# All known linkers require a `.a' archive for static linking (except MSVC,
-# which needs '.lib').
-libext=a
-
-with_gnu_ld="$lt_cv_prog_gnu_ld"
-
-old_CC="$CC"
-old_CFLAGS="$CFLAGS"
-
-# Set sane defaults for various variables
-test -z "$CC" && CC=cc
-test -z "$LTCC" && LTCC=$CC
-test -z "$LTCFLAGS" && LTCFLAGS=$CFLAGS
-test -z "$LD" && LD=ld
-test -z "$ac_objext" && ac_objext=o
-
-_LT_CC_BASENAME([$compiler])
-
-# Only perform the check for file, if the check method requires it
-test -z "$MAGIC_CMD" && MAGIC_CMD=file
-case $deplibs_check_method in
-file_magic*)
-  if test "$file_magic_cmd" = '$MAGIC_CMD'; then
-    _LT_PATH_MAGIC
-  fi
-  ;;
-esac
-
-# Use C for the default configuration in the libtool script
-LT_SUPPORTED_TAG([CC])
-_LT_LANG_C_CONFIG
-_LT_LANG_DEFAULT_CONFIG
-_LT_CONFIG_COMMANDS
-])# _LT_SETUP
-
-
-# _LT_PROG_LTMAIN
-# ---------------
-# Note that this code is called both from `configure', and `config.status'
-# now that we use AC_CONFIG_COMMANDS to generate libtool.  Notably,
-# `config.status' has no value for ac_aux_dir unless we are using Automake,
-# so we pass a copy along to make sure it has a sensible value anyway.
-m4_defun([_LT_PROG_LTMAIN],
-[m4_ifdef([AC_REQUIRE_AUX_FILE], [AC_REQUIRE_AUX_FILE([ltmain.sh])])dnl
-_LT_CONFIG_LIBTOOL_INIT([ac_aux_dir='$ac_aux_dir'])
-ltmain="$ac_aux_dir/ltmain.sh"
-])# _LT_PROG_LTMAIN
-
-
-
-# So that we can recreate a full libtool script including additional
-# tags, we accumulate the chunks of code to send to AC_CONFIG_COMMANDS
-# in macros and then make a single call at the end using the `libtool'
-# label.
-
-
-# _LT_CONFIG_LIBTOOL_INIT([INIT-COMMANDS])
-# ----------------------------------------
-# Register INIT-COMMANDS to be passed to AC_CONFIG_COMMANDS later.
-m4_define([_LT_CONFIG_LIBTOOL_INIT],
-[m4_ifval([$1],
-          [m4_append([_LT_OUTPUT_LIBTOOL_INIT],
-                     [$1
-])])])
-
-# Initialize.
-m4_define([_LT_OUTPUT_LIBTOOL_INIT])
-
-
-# _LT_CONFIG_LIBTOOL([COMMANDS])
-# ------------------------------
-# Register COMMANDS to be passed to AC_CONFIG_COMMANDS later.
-m4_define([_LT_CONFIG_LIBTOOL],
-[m4_ifval([$1],
-          [m4_append([_LT_OUTPUT_LIBTOOL_COMMANDS],
-                     [$1
-])])])
-
-# Initialize.
-m4_define([_LT_OUTPUT_LIBTOOL_COMMANDS])
-
-
-# _LT_CONFIG_SAVE_COMMANDS([COMMANDS], [INIT_COMMANDS])
-# -----------------------------------------------------
-m4_defun([_LT_CONFIG_SAVE_COMMANDS],
-[_LT_CONFIG_LIBTOOL([$1])
-_LT_CONFIG_LIBTOOL_INIT([$2])
-])
-
-
-# _LT_FORMAT_COMMENT([COMMENT])
-# -----------------------------
-# Add leading comment marks to the start of each line, and a trailing
-# full-stop to the whole comment if one is not present already.
-m4_define([_LT_FORMAT_COMMENT],
-[m4_ifval([$1], [
-m4_bpatsubst([m4_bpatsubst([$1], [^ *], [# ])],
-              [['`$\]], [\\\&])]m4_bmatch([$1], [[!?.]$], [], [.])
-)])
-
-
-
-
-
-# _LT_DECL([CONFIGNAME], VARNAME, VALUE, [DESCRIPTION], [IS-TAGGED?])
-# -------------------------------------------------------------------
-# CONFIGNAME is the name given to the value in the libtool script.
-# VARNAME is the (base) name used in the configure script.
-# VALUE may be 0, 1 or 2 for a computed quote escaped value based on
-# VARNAME.  Any other value will be used directly.
-m4_define([_LT_DECL],
-[lt_if_append_uniq([lt_decl_varnames], [$2], [, ],
-    [lt_dict_add_subkey([lt_decl_dict], [$2], [libtool_name],
-	[m4_ifval([$1], [$1], [$2])])
-    lt_dict_add_subkey([lt_decl_dict], [$2], [value], [$3])
-    m4_ifval([$4],
-	[lt_dict_add_subkey([lt_decl_dict], [$2], [description], [$4])])
-    lt_dict_add_subkey([lt_decl_dict], [$2],
-	[tagged?], [m4_ifval([$5], [yes], [no])])])
-])
-
-
-# _LT_TAGDECL([CONFIGNAME], VARNAME, VALUE, [DESCRIPTION])
-# --------------------------------------------------------
-m4_define([_LT_TAGDECL], [_LT_DECL([$1], [$2], [$3], [$4], [yes])])
-
-
-# lt_decl_tag_varnames([SEPARATOR], [VARNAME1...])
-# ------------------------------------------------
-m4_define([lt_decl_tag_varnames],
-[_lt_decl_filter([tagged?], [yes], $@)])
-
-
-# _lt_decl_filter(SUBKEY, VALUE, [SEPARATOR], [VARNAME1..])
-# ---------------------------------------------------------
-m4_define([_lt_decl_filter],
-[m4_case([$#],
-  [0], [m4_fatal([$0: too few arguments: $#])],
-  [1], [m4_fatal([$0: too few arguments: $#: $1])],
-  [2], [lt_dict_filter([lt_decl_dict], [$1], [$2], [], lt_decl_varnames)],
-  [3], [lt_dict_filter([lt_decl_dict], [$1], [$2], [$3], lt_decl_varnames)],
-  [lt_dict_filter([lt_decl_dict], $@)])[]dnl
-])
-
-
-# lt_decl_quote_varnames([SEPARATOR], [VARNAME1...])
-# --------------------------------------------------
-m4_define([lt_decl_quote_varnames],
-[_lt_decl_filter([value], [1], $@)])
-
-
-# lt_decl_dquote_varnames([SEPARATOR], [VARNAME1...])
-# ---------------------------------------------------
-m4_define([lt_decl_dquote_varnames],
-[_lt_decl_filter([value], [2], $@)])
-
-
-# lt_decl_varnames_tagged([SEPARATOR], [VARNAME1...])
-# ---------------------------------------------------
-m4_define([lt_decl_varnames_tagged],
-[m4_assert([$# <= 2])dnl
-_$0(m4_quote(m4_default([$1], [[, ]])),
-    m4_ifval([$2], [[$2]], [m4_dquote(lt_decl_tag_varnames)]),
-    m4_split(m4_normalize(m4_quote(_LT_TAGS)), [ ]))])
-m4_define([_lt_decl_varnames_tagged],
-[m4_ifval([$3], [lt_combine([$1], [$2], [_], $3)])])
-
-
-# lt_decl_all_varnames([SEPARATOR], [VARNAME1...])
-# ------------------------------------------------
-m4_define([lt_decl_all_varnames],
-[_$0(m4_quote(m4_default([$1], [[, ]])),
-     m4_if([$2], [],
-	   m4_quote(lt_decl_varnames),
-	m4_quote(m4_shift($@))))[]dnl
-])
-m4_define([_lt_decl_all_varnames],
-[lt_join($@, lt_decl_varnames_tagged([$1],
-			lt_decl_tag_varnames([[, ]], m4_shift($@))))dnl
-])
-
-
-# _LT_CONFIG_STATUS_DECLARE([VARNAME])
-# ------------------------------------
-# Quote a variable value, and forward it to `config.status' so that its
-# declaration there will have the same value as in `configure'.  VARNAME
-# must have a single quote delimited value for this to work.
-m4_define([_LT_CONFIG_STATUS_DECLARE],
-[$1='`$ECHO "X$][$1" | $Xsed -e "$delay_single_quote_subst"`'])
-
-
-# _LT_CONFIG_STATUS_DECLARATIONS
-# ------------------------------
-# We delimit libtool config variables with single quotes, so when
-# we write them to config.status, we have to be sure to quote all
-# embedded single quotes properly.  In configure, this macro expands
-# each variable declared with _LT_DECL (and _LT_TAGDECL) into:
-#
-#    <var>='`$ECHO "X$<var>" | $Xsed -e "$delay_single_quote_subst"`'
-m4_defun([_LT_CONFIG_STATUS_DECLARATIONS],
-[m4_foreach([_lt_var], m4_quote(lt_decl_all_varnames),
-    [m4_n([_LT_CONFIG_STATUS_DECLARE(_lt_var)])])])
-
-
-# _LT_LIBTOOL_TAGS
-# ----------------
-# Output comment and list of tags supported by the script
-m4_defun([_LT_LIBTOOL_TAGS],
-[_LT_FORMAT_COMMENT([The names of the tagged configurations supported by this script])dnl
-available_tags="_LT_TAGS"dnl
-])
-
-
-# _LT_LIBTOOL_DECLARE(VARNAME, [TAG])
-# -----------------------------------
-# Extract the dictionary values for VARNAME (optionally with TAG) and
-# expand to a commented shell variable setting:
-#
-#    # Some comment about what VAR is for.
-#    visible_name=$lt_internal_name
-m4_define([_LT_LIBTOOL_DECLARE],
-[_LT_FORMAT_COMMENT(m4_quote(lt_dict_fetch([lt_decl_dict], [$1],
-					   [description])))[]dnl
-m4_pushdef([_libtool_name],
-    m4_quote(lt_dict_fetch([lt_decl_dict], [$1], [libtool_name])))[]dnl
-m4_case(m4_quote(lt_dict_fetch([lt_decl_dict], [$1], [value])),
-    [0], [_libtool_name=[$]$1],
-    [1], [_libtool_name=$lt_[]$1],
-    [2], [_libtool_name=$lt_[]$1],
-    [_libtool_name=lt_dict_fetch([lt_decl_dict], [$1], [value])])[]dnl
-m4_ifval([$2], [_$2])[]m4_popdef([_libtool_name])[]dnl
-])
-
-
-# _LT_LIBTOOL_CONFIG_VARS
-# -----------------------
-# Produce commented declarations of non-tagged libtool config variables
-# suitable for insertion in the LIBTOOL CONFIG section of the `libtool'
-# script.  Tagged libtool config variables (even for the LIBTOOL CONFIG
-# section) are produced by _LT_LIBTOOL_TAG_VARS.
-m4_defun([_LT_LIBTOOL_CONFIG_VARS],
-[m4_foreach([_lt_var],
-    m4_quote(_lt_decl_filter([tagged?], [no], [], lt_decl_varnames)),
-    [m4_n([_LT_LIBTOOL_DECLARE(_lt_var)])])])
-
-
-# _LT_LIBTOOL_TAG_VARS(TAG)
-# -------------------------
-m4_define([_LT_LIBTOOL_TAG_VARS],
-[m4_foreach([_lt_var], m4_quote(lt_decl_tag_varnames),
-    [m4_n([_LT_LIBTOOL_DECLARE(_lt_var, [$1])])])])
-
-
-# _LT_TAGVAR(VARNAME, [TAGNAME])
-# ------------------------------
-m4_define([_LT_TAGVAR], [m4_ifval([$2], [$1_$2], [$1])])
-
-
-# _LT_CONFIG_COMMANDS
-# -------------------
-# Send accumulated output to $CONFIG_STATUS.  Thanks to the lists of
-# variables for single and double quote escaping we saved from calls
-# to _LT_DECL, we can put quote escaped variables declarations
-# into `config.status', and then the shell code to quote escape them in
-# for loops in `config.status'.  Finally, any additional code accumulated
-# from calls to _LT_CONFIG_LIBTOOL_INIT is expanded.
-m4_defun([_LT_CONFIG_COMMANDS],
-[AC_PROVIDE_IFELSE([LT_OUTPUT],
-	dnl If the libtool generation code has been placed in $CONFIG_LT,
-	dnl instead of duplicating it all over again into config.status,
-	dnl then we will have config.status run $CONFIG_LT later, so it
-	dnl needs to know what name is stored there:
-        [AC_CONFIG_COMMANDS([libtool],
-            [$SHELL $CONFIG_LT || AS_EXIT(1)], [CONFIG_LT='$CONFIG_LT'])],
-    dnl If the libtool generation code is destined for config.status,
-    dnl expand the accumulated commands and init code now:
-    [AC_CONFIG_COMMANDS([libtool],
-        [_LT_OUTPUT_LIBTOOL_COMMANDS], [_LT_OUTPUT_LIBTOOL_COMMANDS_INIT])])
-])#_LT_CONFIG_COMMANDS
-
-
-# Initialize.
-m4_define([_LT_OUTPUT_LIBTOOL_COMMANDS_INIT],
-[
-
-# The HP-UX ksh and POSIX shell print the target directory to stdout
-# if CDPATH is set.
-(unset CDPATH) >/dev/null 2>&1 && unset CDPATH
-
-sed_quote_subst='$sed_quote_subst'
-double_quote_subst='$double_quote_subst'
-delay_variable_subst='$delay_variable_subst'
-_LT_CONFIG_STATUS_DECLARATIONS
-LTCC='$LTCC'
-LTCFLAGS='$LTCFLAGS'
-compiler='$compiler_DEFAULT'
-
-# Quote evaled strings.
-for var in lt_decl_all_varnames([[ \
-]], lt_decl_quote_varnames); do
-    case \`eval \\\\\$ECHO "X\\\\\$\$var"\` in
-    *[[\\\\\\\`\\"\\\$]]*)
-      eval "lt_\$var=\\\\\\"\\\`\\\$ECHO \\"X\\\$\$var\\" | \\\$Xsed -e \\"\\\$sed_quote_subst\\"\\\`\\\\\\""
-      ;;
-    *)
-      eval "lt_\$var=\\\\\\"\\\$\$var\\\\\\""
-      ;;
-    esac
-done
-
-# Double-quote double-evaled strings.
-for var in lt_decl_all_varnames([[ \
-]], lt_decl_dquote_varnames); do
-    case \`eval \\\\\$ECHO "X\\\\\$\$var"\` in
-    *[[\\\\\\\`\\"\\\$]]*)
-      eval "lt_\$var=\\\\\\"\\\`\\\$ECHO \\"X\\\$\$var\\" | \\\$Xsed -e \\"\\\$double_quote_subst\\" -e \\"\\\$sed_quote_subst\\" -e \\"\\\$delay_variable_subst\\"\\\`\\\\\\""
-      ;;
-    *)
-      eval "lt_\$var=\\\\\\"\\\$\$var\\\\\\""
-      ;;
-    esac
-done
-
-# Fix-up fallback echo if it was mangled by the above quoting rules.
-case \$lt_ECHO in
-*'\\\[$]0 --fallback-echo"')dnl "
-  lt_ECHO=\`\$ECHO "X\$lt_ECHO" | \$Xsed -e 's/\\\\\\\\\\\\\\\[$]0 --fallback-echo"\[$]/\[$]0 --fallback-echo"/'\`
-  ;;
-esac
-
-_LT_OUTPUT_LIBTOOL_INIT
-])
-
-
-# LT_OUTPUT
-# ---------
-# This macro allows early generation of the libtool script (before
-# AC_OUTPUT is called), incase it is used in configure for compilation
-# tests.
-AC_DEFUN([LT_OUTPUT],
-[: ${CONFIG_LT=./config.lt}
-AC_MSG_NOTICE([creating $CONFIG_LT])
-cat >"$CONFIG_LT" <<_LTEOF
-#! $SHELL
-# Generated by $as_me.
-# Run this file to recreate a libtool stub with the current configuration.
-
-lt_cl_silent=false
-SHELL=\${CONFIG_SHELL-$SHELL}
-_LTEOF
-
-cat >>"$CONFIG_LT" <<\_LTEOF
-AS_SHELL_SANITIZE
-_AS_PREPARE
-
-exec AS_MESSAGE_FD>&1
-exec AS_MESSAGE_LOG_FD>>config.log
-{
-  echo
-  AS_BOX([Running $as_me.])
-} >&AS_MESSAGE_LOG_FD
-
-lt_cl_help="\
-\`$as_me' creates a local libtool stub from the current configuration,
-for use in further configure time tests before the real libtool is
-generated.
-
-Usage: $[0] [[OPTIONS]]
-
-  -h, --help      print this help, then exit
-  -V, --version   print version number, then exit
-  -q, --quiet     do not print progress messages
-  -d, --debug     don't remove temporary files
-
-Report bugs to <bug-libtool@gnu.org>."
-
-lt_cl_version="\
-m4_ifset([AC_PACKAGE_NAME], [AC_PACKAGE_NAME ])config.lt[]dnl
-m4_ifset([AC_PACKAGE_VERSION], [ AC_PACKAGE_VERSION])
-configured by $[0], generated by m4_PACKAGE_STRING.
-
-Copyright (C) 2008 Free Software Foundation, Inc.
-This config.lt script is free software; the Free Software Foundation
-gives unlimited permision to copy, distribute and modify it."
-
-while test $[#] != 0
-do
-  case $[1] in
-    --version | --v* | -V )
-      echo "$lt_cl_version"; exit 0 ;;
-    --help | --h* | -h )
-      echo "$lt_cl_help"; exit 0 ;;
-    --debug | --d* | -d )
-      debug=: ;;
-    --quiet | --q* | --silent | --s* | -q )
-      lt_cl_silent=: ;;
-
-    -*) AC_MSG_ERROR([unrecognized option: $[1]
-Try \`$[0] --help' for more information.]) ;;
-
-    *) AC_MSG_ERROR([unrecognized argument: $[1]
-Try \`$[0] --help' for more information.]) ;;
-  esac
-  shift
-done
-
-if $lt_cl_silent; then
-  exec AS_MESSAGE_FD>/dev/null
-fi
-_LTEOF
-
-cat >>"$CONFIG_LT" <<_LTEOF
-_LT_OUTPUT_LIBTOOL_COMMANDS_INIT
-_LTEOF
-
-cat >>"$CONFIG_LT" <<\_LTEOF
-AC_MSG_NOTICE([creating $ofile])
-_LT_OUTPUT_LIBTOOL_COMMANDS
-AS_EXIT(0)
-_LTEOF
-chmod +x "$CONFIG_LT"
-
-# configure is writing to config.log, but config.lt does its own redirection,
-# appending to config.log, which fails on DOS, as config.log is still kept
-# open by configure.  Here we exec the FD to /dev/null, effectively closing
-# config.log, so it can be properly (re)opened and appended to by config.lt.
-if test "$no_create" != yes; then
-  lt_cl_success=:
-  test "$silent" = yes &&
-    lt_config_lt_args="$lt_config_lt_args --quiet"
-  exec AS_MESSAGE_LOG_FD>/dev/null
-  $SHELL "$CONFIG_LT" $lt_config_lt_args || lt_cl_success=false
-  exec AS_MESSAGE_LOG_FD>>config.log
-  $lt_cl_success || AS_EXIT(1)
-fi
-])# LT_OUTPUT
-
-
-# _LT_CONFIG(TAG)
-# ---------------
-# If TAG is the built-in tag, create an initial libtool script with a
-# default configuration from the untagged config vars.  Otherwise add code
-# to config.status for appending the configuration named by TAG from the
-# matching tagged config vars.
-m4_defun([_LT_CONFIG],
-[m4_require([_LT_FILEUTILS_DEFAULTS])dnl
-_LT_CONFIG_SAVE_COMMANDS([
-  m4_define([_LT_TAG], m4_if([$1], [], [C], [$1]))dnl
-  m4_if(_LT_TAG, [C], [
-    # See if we are running on zsh, and set the options which allow our
-    # commands through without removal of \ escapes.
-    if test -n "${ZSH_VERSION+set}" ; then
-      setopt NO_GLOB_SUBST
-    fi
-
-    cfgfile="${ofile}T"
-    trap "$RM \"$cfgfile\"; exit 1" 1 2 15
-    $RM "$cfgfile"
-
-    cat <<_LT_EOF >> "$cfgfile"
-#! $SHELL
-
-# `$ECHO "$ofile" | sed 's%^.*/%%'` - Provide generalized library-building support services.
-# Generated automatically by $as_me ($PACKAGE$TIMESTAMP) $VERSION
-# Libtool was configured on host `(hostname || uname -n) 2>/dev/null | sed 1q`:
-# NOTE: Changes made to this file will be lost: look at ltmain.sh.
-#
-_LT_COPYING
-_LT_LIBTOOL_TAGS
-
-# ### BEGIN LIBTOOL CONFIG
-_LT_LIBTOOL_CONFIG_VARS
-_LT_LIBTOOL_TAG_VARS
-# ### END LIBTOOL CONFIG
-
-_LT_EOF
-
-  case $host_os in
-  aix3*)
-    cat <<\_LT_EOF >> "$cfgfile"
-# AIX sometimes has problems with the GCC collect2 program.  For some
-# reason, if we set the COLLECT_NAMES environment variable, the problems
-# vanish in a puff of smoke.
-if test "X${COLLECT_NAMES+set}" != Xset; then
-  COLLECT_NAMES=
-  export COLLECT_NAMES
-fi
-_LT_EOF
-    ;;
-  esac
-
-  _LT_PROG_LTMAIN
-
-  # We use sed instead of cat because bash on DJGPP gets confused if
-  # if finds mixed CR/LF and LF-only lines.  Since sed operates in
-  # text mode, it properly converts lines to CR/LF.  This bash problem
-  # is reportedly fixed, but why not run on old versions too?
-  sed '/^# Generated shell functions inserted here/q' "$ltmain" >> "$cfgfile" \
-    || (rm -f "$cfgfile"; exit 1)
-
-  _LT_PROG_XSI_SHELLFNS
-
-  sed -n '/^# Generated shell functions inserted here/,$p' "$ltmain" >> "$cfgfile" \
-    || (rm -f "$cfgfile"; exit 1)
-
-  mv -f "$cfgfile" "$ofile" ||
-    (rm -f "$ofile" && cp "$cfgfile" "$ofile" && rm -f "$cfgfile")
-  chmod +x "$ofile"
-],
-[cat <<_LT_EOF >> "$ofile"
-
-dnl Unfortunately we have to use $1 here, since _LT_TAG is not expanded
-dnl in a comment (ie after a #).
-# ### BEGIN LIBTOOL TAG CONFIG: $1
-_LT_LIBTOOL_TAG_VARS(_LT_TAG)
-# ### END LIBTOOL TAG CONFIG: $1
-_LT_EOF
-])dnl /m4_if
-],
-[m4_if([$1], [], [
-    PACKAGE='$PACKAGE'
-    VERSION='$VERSION'
-    TIMESTAMP='$TIMESTAMP'
-    RM='$RM'
-    ofile='$ofile'], [])
-])dnl /_LT_CONFIG_SAVE_COMMANDS
-])# _LT_CONFIG
-
-
-# LT_SUPPORTED_TAG(TAG)
-# ---------------------
-# Trace this macro to discover what tags are supported by the libtool
-# --tag option, using:
-#    autoconf --trace 'LT_SUPPORTED_TAG:$1'
-AC_DEFUN([LT_SUPPORTED_TAG], [])
-
-
-# C support is built-in for now
-m4_define([_LT_LANG_C_enabled], [])
-m4_define([_LT_TAGS], [])
-
-
-# LT_LANG(LANG)
-# -------------
-# Enable libtool support for the given language if not already enabled.
-AC_DEFUN([LT_LANG],
-[AC_BEFORE([$0], [LT_OUTPUT])dnl
-m4_case([$1],
-  [C],			[_LT_LANG(C)],
-  [C++],		[_LT_LANG(CXX)],
-  [Java],		[_LT_LANG(GCJ)],
-  [Fortran 77],		[_LT_LANG(F77)],
-  [Fortran],		[_LT_LANG(FC)],
-  [Windows Resource],	[_LT_LANG(RC)],
-  [m4_ifdef([_LT_LANG_]$1[_CONFIG],
-    [_LT_LANG($1)],
-    [m4_fatal([$0: unsupported language: "$1"])])])dnl
-])# LT_LANG
-
-
-# _LT_LANG(LANGNAME)
-# ------------------
-m4_defun([_LT_LANG],
-[m4_ifdef([_LT_LANG_]$1[_enabled], [],
-  [LT_SUPPORTED_TAG([$1])dnl
-  m4_append([_LT_TAGS], [$1 ])dnl
-  m4_define([_LT_LANG_]$1[_enabled], [])dnl
-  _LT_LANG_$1_CONFIG($1)])dnl
-])# _LT_LANG
-
-
-# _LT_LANG_DEFAULT_CONFIG
-# -----------------------
-m4_defun([_LT_LANG_DEFAULT_CONFIG],
-[AC_PROVIDE_IFELSE([AC_PROG_CXX],
-  [LT_LANG(CXX)],
-  [m4_define([AC_PROG_CXX], defn([AC_PROG_CXX])[LT_LANG(CXX)])])
-
-AC_PROVIDE_IFELSE([AC_PROG_F77],
-  [LT_LANG(F77)],
-  [m4_define([AC_PROG_F77], defn([AC_PROG_F77])[LT_LANG(F77)])])
-
-AC_PROVIDE_IFELSE([AC_PROG_FC],
-  [LT_LANG(FC)],
-  [m4_define([AC_PROG_FC], defn([AC_PROG_FC])[LT_LANG(FC)])])
-
-dnl The call to [A][M_PROG_GCJ] is quoted like that to stop aclocal
-dnl pulling things in needlessly.
-AC_PROVIDE_IFELSE([AC_PROG_GCJ],
-  [LT_LANG(GCJ)],
-  [AC_PROVIDE_IFELSE([A][M_PROG_GCJ],
-    [LT_LANG(GCJ)],
-    [AC_PROVIDE_IFELSE([LT_PROG_GCJ],
-      [LT_LANG(GCJ)],
-      [m4_ifdef([AC_PROG_GCJ],
-	[m4_define([AC_PROG_GCJ], defn([AC_PROG_GCJ])[LT_LANG(GCJ)])])
-       m4_ifdef([A][M_PROG_GCJ],
-	[m4_define([A][M_PROG_GCJ], defn([A][M_PROG_GCJ])[LT_LANG(GCJ)])])
-       m4_ifdef([LT_PROG_GCJ],
-	[m4_define([LT_PROG_GCJ], defn([LT_PROG_GCJ])[LT_LANG(GCJ)])])])])])
-
-AC_PROVIDE_IFELSE([LT_PROG_RC],
-  [LT_LANG(RC)],
-  [m4_define([LT_PROG_RC], defn([LT_PROG_RC])[LT_LANG(RC)])])
-])# _LT_LANG_DEFAULT_CONFIG
-
-# Obsolete macros:
-AU_DEFUN([AC_LIBTOOL_CXX], [LT_LANG(C++)])
-AU_DEFUN([AC_LIBTOOL_F77], [LT_LANG(Fortran 77)])
-AU_DEFUN([AC_LIBTOOL_FC], [LT_LANG(Fortran)])
-AU_DEFUN([AC_LIBTOOL_GCJ], [LT_LANG(Java)])
-dnl aclocal-1.4 backwards compatibility:
-dnl AC_DEFUN([AC_LIBTOOL_CXX], [])
-dnl AC_DEFUN([AC_LIBTOOL_F77], [])
-dnl AC_DEFUN([AC_LIBTOOL_FC], [])
-dnl AC_DEFUN([AC_LIBTOOL_GCJ], [])
-
-
-# _LT_TAG_COMPILER
-# ----------------
-m4_defun([_LT_TAG_COMPILER],
-[AC_REQUIRE([AC_PROG_CC])dnl
-
-_LT_DECL([LTCC], [CC], [1], [A C compiler])dnl
-_LT_DECL([LTCFLAGS], [CFLAGS], [1], [LTCC compiler flags])dnl
-_LT_TAGDECL([CC], [compiler], [1], [A language specific compiler])dnl
-_LT_TAGDECL([with_gcc], [GCC], [0], [Is the compiler the GNU compiler?])dnl
-
-# If no C compiler was specified, use CC.
-LTCC=${LTCC-"$CC"}
-
-# If no C compiler flags were specified, use CFLAGS.
-LTCFLAGS=${LTCFLAGS-"$CFLAGS"}
-
-# Allow CC to be a program name with arguments.
-compiler=$CC
-])# _LT_TAG_COMPILER
-
-
-# _LT_COMPILER_BOILERPLATE
-# ------------------------
-# Check for compiler boilerplate output or warnings with
-# the simple compiler test code.
-m4_defun([_LT_COMPILER_BOILERPLATE],
-[m4_require([_LT_DECL_SED])dnl
-ac_outfile=conftest.$ac_objext
-echo "$lt_simple_compile_test_code" >conftest.$ac_ext
-eval "$ac_compile" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err
-_lt_compiler_boilerplate=`cat conftest.err`
-$RM conftest*
-])# _LT_COMPILER_BOILERPLATE
-
-
-# _LT_LINKER_BOILERPLATE
-# ----------------------
-# Check for linker boilerplate output or warnings with
-# the simple link test code.
-m4_defun([_LT_LINKER_BOILERPLATE],
-[m4_require([_LT_DECL_SED])dnl
-ac_outfile=conftest.$ac_objext
-echo "$lt_simple_link_test_code" >conftest.$ac_ext
-eval "$ac_link" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err
-_lt_linker_boilerplate=`cat conftest.err`
-$RM -r conftest*
-])# _LT_LINKER_BOILERPLATE
-
-# _LT_REQUIRED_DARWIN_CHECKS
-# -------------------------
-m4_defun_once([_LT_REQUIRED_DARWIN_CHECKS],[
-  case $host_os in
-    rhapsody* | darwin*)
-    AC_CHECK_TOOL([DSYMUTIL], [dsymutil], [:])
-    AC_CHECK_TOOL([NMEDIT], [nmedit], [:])
-    AC_CHECK_TOOL([LIPO], [lipo], [:])
-    AC_CHECK_TOOL([OTOOL], [otool], [:])
-    AC_CHECK_TOOL([OTOOL64], [otool64], [:])
-    _LT_DECL([], [DSYMUTIL], [1],
-      [Tool to manipulate archived DWARF debug symbol files on Mac OS X])
-    _LT_DECL([], [NMEDIT], [1],
-      [Tool to change global to local symbols on Mac OS X])
-    _LT_DECL([], [LIPO], [1],
-      [Tool to manipulate fat objects and archives on Mac OS X])
-    _LT_DECL([], [OTOOL], [1],
-      [ldd/readelf like tool for Mach-O binaries on Mac OS X])
-    _LT_DECL([], [OTOOL64], [1],
-      [ldd/readelf like tool for 64 bit Mach-O binaries on Mac OS X 10.4])
-
-    AC_CACHE_CHECK([for -single_module linker flag],[lt_cv_apple_cc_single_mod],
-      [lt_cv_apple_cc_single_mod=no
-      if test -z "${LT_MULTI_MODULE}"; then
-	# By default we will add the -single_module flag. You can override
-	# by either setting the environment variable LT_MULTI_MODULE
-	# non-empty at configure time, or by adding -multi_module to the
-	# link flags.
-	rm -rf libconftest.dylib*
-	echo "int foo(void){return 1;}" > conftest.c
-	echo "$LTCC $LTCFLAGS $LDFLAGS -o libconftest.dylib \
--dynamiclib -Wl,-single_module conftest.c" >&AS_MESSAGE_LOG_FD
-	$LTCC $LTCFLAGS $LDFLAGS -o libconftest.dylib \
-	  -dynamiclib -Wl,-single_module conftest.c 2>conftest.err
-        _lt_result=$?
-	if test -f libconftest.dylib && test ! -s conftest.err && test $_lt_result = 0; then
-	  lt_cv_apple_cc_single_mod=yes
-	else
-	  cat conftest.err >&AS_MESSAGE_LOG_FD
-	fi
-	rm -rf libconftest.dylib*
-	rm -f conftest.*
-      fi])
-    AC_CACHE_CHECK([for -exported_symbols_list linker flag],
-      [lt_cv_ld_exported_symbols_list],
-      [lt_cv_ld_exported_symbols_list=no
-      save_LDFLAGS=$LDFLAGS
-      echo "_main" > conftest.sym
-      LDFLAGS="$LDFLAGS -Wl,-exported_symbols_list,conftest.sym"
-      AC_LINK_IFELSE([AC_LANG_PROGRAM([],[])],
-	[lt_cv_ld_exported_symbols_list=yes],
-	[lt_cv_ld_exported_symbols_list=no])
-	LDFLAGS="$save_LDFLAGS"
-    ])
-    case $host_os in
-    rhapsody* | darwin1.[[012]])
-      _lt_dar_allow_undefined='${wl}-undefined ${wl}suppress' ;;
-    darwin1.*)
-      _lt_dar_allow_undefined='${wl}-flat_namespace ${wl}-undefined ${wl}suppress' ;;
-    darwin*) # darwin 5.x on
-      # if running on 10.5 or later, the deployment target defaults
-      # to the OS version, if on x86, and 10.4, the deployment
-      # target defaults to 10.4. Don't you love it?
-      case ${MACOSX_DEPLOYMENT_TARGET-10.0},$host in
-	10.0,*86*-darwin8*|10.0,*-darwin[[91]]*)
-	  _lt_dar_allow_undefined='${wl}-undefined ${wl}dynamic_lookup' ;;
-	10.[[012]]*)
-	  _lt_dar_allow_undefined='${wl}-flat_namespace ${wl}-undefined ${wl}suppress' ;;
-	10.*)
-	  _lt_dar_allow_undefined='${wl}-undefined ${wl}dynamic_lookup' ;;
-      esac
-    ;;
-  esac
-    if test "$lt_cv_apple_cc_single_mod" = "yes"; then
-      _lt_dar_single_mod='$single_module'
-    fi
-    if test "$lt_cv_ld_exported_symbols_list" = "yes"; then
-      _lt_dar_export_syms=' ${wl}-exported_symbols_list,$output_objdir/${libname}-symbols.expsym'
-    else
-      _lt_dar_export_syms='~$NMEDIT -s $output_objdir/${libname}-symbols.expsym ${lib}'
-    fi
-    if test "$DSYMUTIL" != ":"; then
-      _lt_dsymutil='~$DSYMUTIL $lib || :'
-    else
-      _lt_dsymutil=
-    fi
-    ;;
-  esac
-])
-
-
-# _LT_DARWIN_LINKER_FEATURES
-# --------------------------
-# Checks for linker and compiler features on darwin
-m4_defun([_LT_DARWIN_LINKER_FEATURES],
-[
-  m4_require([_LT_REQUIRED_DARWIN_CHECKS])
-  _LT_TAGVAR(archive_cmds_need_lc, $1)=no
-  _LT_TAGVAR(hardcode_direct, $1)=no
-  _LT_TAGVAR(hardcode_automatic, $1)=yes
-  _LT_TAGVAR(hardcode_shlibpath_var, $1)=unsupported
-  _LT_TAGVAR(whole_archive_flag_spec, $1)=''
-  _LT_TAGVAR(link_all_deplibs, $1)=yes
-  _LT_TAGVAR(allow_undefined_flag, $1)="$_lt_dar_allow_undefined"
-  case $cc_basename in
-     ifort*) _lt_dar_can_shared=yes ;;
-     *) _lt_dar_can_shared=$GCC ;;
-  esac
-  if test "$_lt_dar_can_shared" = "yes"; then
-    output_verbose_link_cmd=echo
-    _LT_TAGVAR(archive_cmds, $1)="\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$libobjs \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring $_lt_dar_single_mod${_lt_dsymutil}"
-    _LT_TAGVAR(module_cmds, $1)="\$CC \$allow_undefined_flag -o \$lib -bundle \$libobjs \$deplibs \$compiler_flags${_lt_dsymutil}"
-    _LT_TAGVAR(archive_expsym_cmds, $1)="sed 's,^,_,' < \$export_symbols > \$output_objdir/\${libname}-symbols.expsym~\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$libobjs \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring ${_lt_dar_single_mod}${_lt_dar_export_syms}${_lt_dsymutil}"
-    _LT_TAGVAR(module_expsym_cmds, $1)="sed -e 's,^,_,' < \$export_symbols > \$output_objdir/\${libname}-symbols.expsym~\$CC \$allow_undefined_flag -o \$lib -bundle \$libobjs \$deplibs \$compiler_flags${_lt_dar_export_syms}${_lt_dsymutil}"
-    m4_if([$1], [CXX],
-[   if test "$lt_cv_apple_cc_single_mod" != "yes"; then
-      _LT_TAGVAR(archive_cmds, $1)="\$CC -r -keep_private_externs -nostdlib -o \${lib}-master.o \$libobjs~\$CC -dynamiclib \$allow_undefined_flag -o \$lib \${lib}-master.o \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring${_lt_dsymutil}"
-      _LT_TAGVAR(archive_expsym_cmds, $1)="sed 's,^,_,' < \$export_symbols > \$output_objdir/\${libname}-symbols.expsym~\$CC -r -keep_private_externs -nostdlib -o \${lib}-master.o \$libobjs~\$CC -dynamiclib \$allow_undefined_flag -o \$lib \${lib}-master.o \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring${_lt_dar_export_syms}${_lt_dsymutil}"
-    fi
-],[])
-  else
-  _LT_TAGVAR(ld_shlibs, $1)=no
-  fi
-])
-
-# _LT_SYS_MODULE_PATH_AIX
-# -----------------------
-# Links a minimal program and checks the executable
-# for the system default hardcoded library path. In most cases,
-# this is /usr/lib:/lib, but when the MPI compilers are used
-# the location of the communication and MPI libs are included too.
-# If we don't find anything, use the default library path according
-# to the aix ld manual.
-m4_defun([_LT_SYS_MODULE_PATH_AIX],
-[m4_require([_LT_DECL_SED])dnl
-AC_LINK_IFELSE(AC_LANG_PROGRAM,[
-lt_aix_libpath_sed='
-    /Import File Strings/,/^$/ {
-	/^0/ {
-	    s/^0  *\(.*\)$/\1/
-	    p
-	}
-    }'
-aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
-# Check for a 64-bit object if we didn't find anything.
-if test -z "$aix_libpath"; then
-  aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
-fi],[])
-if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
-])# _LT_SYS_MODULE_PATH_AIX
-
-
-# _LT_SHELL_INIT(ARG)
-# -------------------
-m4_define([_LT_SHELL_INIT],
-[ifdef([AC_DIVERSION_NOTICE],
-	     [AC_DIVERT_PUSH(AC_DIVERSION_NOTICE)],
-	 [AC_DIVERT_PUSH(NOTICE)])
-$1
-AC_DIVERT_POP
-])# _LT_SHELL_INIT
-
-
-# _LT_PROG_ECHO_BACKSLASH
-# -----------------------
-# Add some code to the start of the generated configure script which
-# will find an echo command which doesn't interpret backslashes.
-m4_defun([_LT_PROG_ECHO_BACKSLASH],
-[_LT_SHELL_INIT([
-# Check that we are running under the correct shell.
-SHELL=${CONFIG_SHELL-/bin/sh}
-
-case X$lt_ECHO in
-X*--fallback-echo)
-  # Remove one level of quotation (which was required for Make).
-  ECHO=`echo "$lt_ECHO" | sed 's,\\\\\[$]\\[$]0,'[$]0','`
-  ;;
-esac
-
-ECHO=${lt_ECHO-echo}
-if test "X[$]1" = X--no-reexec; then
-  # Discard the --no-reexec flag, and continue.
-  shift
-elif test "X[$]1" = X--fallback-echo; then
-  # Avoid inline document here, it may be left over
-  :
-elif test "X`{ $ECHO '\t'; } 2>/dev/null`" = 'X\t' ; then
-  # Yippee, $ECHO works!
-  :
-else
-  # Restart under the correct shell.
-  exec $SHELL "[$]0" --no-reexec ${1+"[$]@"}
-fi
-
-if test "X[$]1" = X--fallback-echo; then
-  # used as fallback echo
-  shift
-  cat <<_LT_EOF
-[$]*
-_LT_EOF
-  exit 0
-fi
-
-# The HP-UX ksh and POSIX shell print the target directory to stdout
-# if CDPATH is set.
-(unset CDPATH) >/dev/null 2>&1 && unset CDPATH
-
-if test -z "$lt_ECHO"; then
-  if test "X${echo_test_string+set}" != Xset; then
-    # find a string as large as possible, as long as the shell can cope with it
-    for cmd in 'sed 50q "[$]0"' 'sed 20q "[$]0"' 'sed 10q "[$]0"' 'sed 2q "[$]0"' 'echo test'; do
-      # expected sizes: less than 2Kb, 1Kb, 512 bytes, 16 bytes, ...
-      if { echo_test_string=`eval $cmd`; } 2>/dev/null &&
-	 { test "X$echo_test_string" = "X$echo_test_string"; } 2>/dev/null
-      then
-        break
-      fi
-    done
-  fi
-
-  if test "X`{ $ECHO '\t'; } 2>/dev/null`" = 'X\t' &&
-     echo_testing_string=`{ $ECHO "$echo_test_string"; } 2>/dev/null` &&
-     test "X$echo_testing_string" = "X$echo_test_string"; then
-    :
-  else
-    # The Solaris, AIX, and Digital Unix default echo programs unquote
-    # backslashes.  This makes it impossible to quote backslashes using
-    #   echo "$something" | sed 's/\\/\\\\/g'
-    #
-    # So, first we look for a working echo in the user's PATH.
-
-    lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR
-    for dir in $PATH /usr/ucb; do
-      IFS="$lt_save_ifs"
-      if (test -f $dir/echo || test -f $dir/echo$ac_exeext) &&
-         test "X`($dir/echo '\t') 2>/dev/null`" = 'X\t' &&
-         echo_testing_string=`($dir/echo "$echo_test_string") 2>/dev/null` &&
-         test "X$echo_testing_string" = "X$echo_test_string"; then
-        ECHO="$dir/echo"
-        break
-      fi
-    done
-    IFS="$lt_save_ifs"
-
-    if test "X$ECHO" = Xecho; then
-      # We didn't find a better echo, so look for alternatives.
-      if test "X`{ print -r '\t'; } 2>/dev/null`" = 'X\t' &&
-         echo_testing_string=`{ print -r "$echo_test_string"; } 2>/dev/null` &&
-         test "X$echo_testing_string" = "X$echo_test_string"; then
-        # This shell has a builtin print -r that does the trick.
-        ECHO='print -r'
-      elif { test -f /bin/ksh || test -f /bin/ksh$ac_exeext; } &&
-	   test "X$CONFIG_SHELL" != X/bin/ksh; then
-        # If we have ksh, try running configure again with it.
-        ORIGINAL_CONFIG_SHELL=${CONFIG_SHELL-/bin/sh}
-        export ORIGINAL_CONFIG_SHELL
-        CONFIG_SHELL=/bin/ksh
-        export CONFIG_SHELL
-        exec $CONFIG_SHELL "[$]0" --no-reexec ${1+"[$]@"}
-      else
-        # Try using printf.
-        ECHO='printf %s\n'
-        if test "X`{ $ECHO '\t'; } 2>/dev/null`" = 'X\t' &&
-	   echo_testing_string=`{ $ECHO "$echo_test_string"; } 2>/dev/null` &&
-	   test "X$echo_testing_string" = "X$echo_test_string"; then
-	  # Cool, printf works
-	  :
-        elif echo_testing_string=`($ORIGINAL_CONFIG_SHELL "[$]0" --fallback-echo '\t') 2>/dev/null` &&
-	     test "X$echo_testing_string" = 'X\t' &&
-	     echo_testing_string=`($ORIGINAL_CONFIG_SHELL "[$]0" --fallback-echo "$echo_test_string") 2>/dev/null` &&
-	     test "X$echo_testing_string" = "X$echo_test_string"; then
-	  CONFIG_SHELL=$ORIGINAL_CONFIG_SHELL
-	  export CONFIG_SHELL
-	  SHELL="$CONFIG_SHELL"
-	  export SHELL
-	  ECHO="$CONFIG_SHELL [$]0 --fallback-echo"
-        elif echo_testing_string=`($CONFIG_SHELL "[$]0" --fallback-echo '\t') 2>/dev/null` &&
-	     test "X$echo_testing_string" = 'X\t' &&
-	     echo_testing_string=`($CONFIG_SHELL "[$]0" --fallback-echo "$echo_test_string") 2>/dev/null` &&
-	     test "X$echo_testing_string" = "X$echo_test_string"; then
-	  ECHO="$CONFIG_SHELL [$]0 --fallback-echo"
-        else
-	  # maybe with a smaller string...
-	  prev=:
-
-	  for cmd in 'echo test' 'sed 2q "[$]0"' 'sed 10q "[$]0"' 'sed 20q "[$]0"' 'sed 50q "[$]0"'; do
-	    if { test "X$echo_test_string" = "X`eval $cmd`"; } 2>/dev/null
-	    then
-	      break
-	    fi
-	    prev="$cmd"
-	  done
-
-	  if test "$prev" != 'sed 50q "[$]0"'; then
-	    echo_test_string=`eval $prev`
-	    export echo_test_string
-	    exec ${ORIGINAL_CONFIG_SHELL-${CONFIG_SHELL-/bin/sh}} "[$]0" ${1+"[$]@"}
-	  else
-	    # Oops.  We lost completely, so just stick with echo.
-	    ECHO=echo
-	  fi
-        fi
-      fi
-    fi
-  fi
-fi
-
-# Copy echo and quote the copy suitably for passing to libtool from
-# the Makefile, instead of quoting the original, which is used later.
-lt_ECHO=$ECHO
-if test "X$lt_ECHO" = "X$CONFIG_SHELL [$]0 --fallback-echo"; then
-   lt_ECHO="$CONFIG_SHELL \\\$\[$]0 --fallback-echo"
-fi
-
-AC_SUBST(lt_ECHO)
-])
-_LT_DECL([], [SHELL], [1], [Shell to use when invoking shell scripts])
-_LT_DECL([], [ECHO], [1],
-    [An echo program that does not interpret backslashes])
-])# _LT_PROG_ECHO_BACKSLASH
-
-
-# _LT_ENABLE_LOCK
-# ---------------
-m4_defun([_LT_ENABLE_LOCK],
-[AC_ARG_ENABLE([libtool-lock],
-  [AS_HELP_STRING([--disable-libtool-lock],
-    [avoid locking (might break parallel builds)])])
-test "x$enable_libtool_lock" != xno && enable_libtool_lock=yes
-
-# Some flags need to be propagated to the compiler or linker for good
-# libtool support.
-case $host in
-ia64-*-hpux*)
-  # Find out which ABI we are using.
-  echo 'int i;' > conftest.$ac_ext
-  if AC_TRY_EVAL(ac_compile); then
-    case `/usr/bin/file conftest.$ac_objext` in
-      *ELF-32*)
-	HPUX_IA64_MODE="32"
-	;;
-      *ELF-64*)
-	HPUX_IA64_MODE="64"
-	;;
-    esac
-  fi
-  rm -rf conftest*
-  ;;
-*-*-irix6*)
-  # Find out which ABI we are using.
-  echo '[#]line __oline__ "configure"' > conftest.$ac_ext
-  if AC_TRY_EVAL(ac_compile); then
-    if test "$lt_cv_prog_gnu_ld" = yes; then
-      case `/usr/bin/file conftest.$ac_objext` in
-	*32-bit*)
-	  LD="${LD-ld} -melf32bsmip"
-	  ;;
-	*N32*)
-	  LD="${LD-ld} -melf32bmipn32"
-	  ;;
-	*64-bit*)
-	  LD="${LD-ld} -melf64bmip"
-	;;
-      esac
-    else
-      case `/usr/bin/file conftest.$ac_objext` in
-	*32-bit*)
-	  LD="${LD-ld} -32"
-	  ;;
-	*N32*)
-	  LD="${LD-ld} -n32"
-	  ;;
-	*64-bit*)
-	  LD="${LD-ld} -64"
-	  ;;
-      esac
-    fi
-  fi
-  rm -rf conftest*
-  ;;
-
-x86_64-*kfreebsd*-gnu|x86_64-*linux*|ppc*-*linux*|powerpc*-*linux*| \
-s390*-*linux*|s390*-*tpf*|sparc*-*linux*)
-  # Find out which ABI we are using.
-  echo 'int i;' > conftest.$ac_ext
-  if AC_TRY_EVAL(ac_compile); then
-    case `/usr/bin/file conftest.o` in
-      *32-bit*)
-	case $host in
-	  x86_64-*kfreebsd*-gnu)
-	    LD="${LD-ld} -m elf_i386_fbsd"
-	    ;;
-	  x86_64-*linux*)
-	    LD="${LD-ld} -m elf_i386"
-	    ;;
-	  ppc64-*linux*|powerpc64-*linux*)
-	    LD="${LD-ld} -m elf32ppclinux"
-	    ;;
-	  s390x-*linux*)
-	    LD="${LD-ld} -m elf_s390"
-	    ;;
-	  sparc64-*linux*)
-	    LD="${LD-ld} -m elf32_sparc"
-	    ;;
-	esac
-	;;
-      *64-bit*)
-	case $host in
-	  x86_64-*kfreebsd*-gnu)
-	    LD="${LD-ld} -m elf_x86_64_fbsd"
-	    ;;
-	  x86_64-*linux*)
-	    LD="${LD-ld} -m elf_x86_64"
-	    ;;
-	  ppc*-*linux*|powerpc*-*linux*)
-	    LD="${LD-ld} -m elf64ppc"
-	    ;;
-	  s390*-*linux*|s390*-*tpf*)
-	    LD="${LD-ld} -m elf64_s390"
-	    ;;
-	  sparc*-*linux*)
-	    LD="${LD-ld} -m elf64_sparc"
-	    ;;
-	esac
-	;;
-    esac
-  fi
-  rm -rf conftest*
-  ;;
-
-*-*-sco3.2v5*)
-  # On SCO OpenServer 5, we need -belf to get full-featured binaries.
-  SAVE_CFLAGS="$CFLAGS"
-  CFLAGS="$CFLAGS -belf"
-  AC_CACHE_CHECK([whether the C compiler needs -belf], lt_cv_cc_needs_belf,
-    [AC_LANG_PUSH(C)
-     AC_LINK_IFELSE([AC_LANG_PROGRAM([[]],[[]])],[lt_cv_cc_needs_belf=yes],[lt_cv_cc_needs_belf=no])
-     AC_LANG_POP])
-  if test x"$lt_cv_cc_needs_belf" != x"yes"; then
-    # this is probably gcc 2.8.0, egcs 1.0 or newer; no need for -belf
-    CFLAGS="$SAVE_CFLAGS"
-  fi
-  ;;
-sparc*-*solaris*)
-  # Find out which ABI we are using.
-  echo 'int i;' > conftest.$ac_ext
-  if AC_TRY_EVAL(ac_compile); then
-    case `/usr/bin/file conftest.o` in
-    *64-bit*)
-      case $lt_cv_prog_gnu_ld in
-      yes*) LD="${LD-ld} -m elf64_sparc" ;;
-      *)
-	if ${LD-ld} -64 -r -o conftest2.o conftest.o >/dev/null 2>&1; then
-	  LD="${LD-ld} -64"
-	fi
-	;;
-      esac
-      ;;
-    esac
-  fi
-  rm -rf conftest*
-  ;;
-esac
-
-need_locks="$enable_libtool_lock"
-])# _LT_ENABLE_LOCK
-
-
-# _LT_CMD_OLD_ARCHIVE
-# -------------------
-m4_defun([_LT_CMD_OLD_ARCHIVE],
-[AC_CHECK_TOOL(AR, ar, false)
-test -z "$AR" && AR=ar
-test -z "$AR_FLAGS" && AR_FLAGS=cru
-_LT_DECL([], [AR], [1], [The archiver])
-_LT_DECL([], [AR_FLAGS], [1])
-
-AC_CHECK_TOOL(STRIP, strip, :)
-test -z "$STRIP" && STRIP=:
-_LT_DECL([], [STRIP], [1], [A symbol stripping program])
-
-AC_CHECK_TOOL(RANLIB, ranlib, :)
-test -z "$RANLIB" && RANLIB=:
-_LT_DECL([], [RANLIB], [1],
-    [Commands used to install an old-style archive])
-
-# Determine commands to create old-style static archives.
-old_archive_cmds='$AR $AR_FLAGS $oldlib$oldobjs'
-old_postinstall_cmds='chmod 644 $oldlib'
-old_postuninstall_cmds=
-
-if test -n "$RANLIB"; then
-  case $host_os in
-  openbsd*)
-    old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB -t \$oldlib"
-    ;;
-  *)
-    old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB \$oldlib"
-    ;;
-  esac
-  old_archive_cmds="$old_archive_cmds~\$RANLIB \$oldlib"
-fi
-_LT_DECL([], [old_postinstall_cmds], [2])
-_LT_DECL([], [old_postuninstall_cmds], [2])
-_LT_TAGDECL([], [old_archive_cmds], [2],
-    [Commands used to build an old-style archive])
-])# _LT_CMD_OLD_ARCHIVE
-
-
-# _LT_COMPILER_OPTION(MESSAGE, VARIABLE-NAME, FLAGS,
-#		[OUTPUT-FILE], [ACTION-SUCCESS], [ACTION-FAILURE])
-# ----------------------------------------------------------------
-# Check whether the given compiler option works
-AC_DEFUN([_LT_COMPILER_OPTION],
-[m4_require([_LT_FILEUTILS_DEFAULTS])dnl
-m4_require([_LT_DECL_SED])dnl
-AC_CACHE_CHECK([$1], [$2],
-  [$2=no
-   m4_if([$4], , [ac_outfile=conftest.$ac_objext], [ac_outfile=$4])
-   echo "$lt_simple_compile_test_code" > conftest.$ac_ext
-   lt_compiler_flag="$3"
-   # Insert the option either (1) after the last *FLAGS variable, or
-   # (2) before a word containing "conftest.", or (3) at the end.
-   # Note that $ac_compile itself does not contain backslashes and begins
-   # with a dollar sign (not a hyphen), so the echo should work correctly.
-   # The option is referenced via a variable to avoid confusing sed.
-   lt_compile=`echo "$ac_compile" | $SED \
-   -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-   -e 's: [[^ ]]*conftest\.: $lt_compiler_flag&:; t' \
-   -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:__oline__: $lt_compile\"" >&AS_MESSAGE_LOG_FD)
-   (eval "$lt_compile" 2>conftest.err)
-   ac_status=$?
-   cat conftest.err >&AS_MESSAGE_LOG_FD
-   echo "$as_me:__oline__: \$? = $ac_status" >&AS_MESSAGE_LOG_FD
-   if (exit $ac_status) && test -s "$ac_outfile"; then
-     # The compiler can only warn and ignore the option if not recognized
-     # So say no if there are warnings other than the usual output.
-     $ECHO "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' >conftest.exp
-     $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2
-     if test ! -s conftest.er2 || diff conftest.exp conftest.er2 >/dev/null; then
-       $2=yes
-     fi
-   fi
-   $RM conftest*
-])
-
-if test x"[$]$2" = xyes; then
-    m4_if([$5], , :, [$5])
-else
-    m4_if([$6], , :, [$6])
-fi
-])# _LT_COMPILER_OPTION
-
-# Old name:
-AU_ALIAS([AC_LIBTOOL_COMPILER_OPTION], [_LT_COMPILER_OPTION])
-dnl aclocal-1.4 backwards compatibility:
-dnl AC_DEFUN([AC_LIBTOOL_COMPILER_OPTION], [])
-
-
-# _LT_LINKER_OPTION(MESSAGE, VARIABLE-NAME, FLAGS,
-#                  [ACTION-SUCCESS], [ACTION-FAILURE])
-# ----------------------------------------------------
-# Check whether the given linker option works
-AC_DEFUN([_LT_LINKER_OPTION],
-[m4_require([_LT_FILEUTILS_DEFAULTS])dnl
-m4_require([_LT_DECL_SED])dnl
-AC_CACHE_CHECK([$1], [$2],
-  [$2=no
-   save_LDFLAGS="$LDFLAGS"
-   LDFLAGS="$LDFLAGS $3"
-   echo "$lt_simple_link_test_code" > conftest.$ac_ext
-   if (eval $ac_link 2>conftest.err) && test -s conftest$ac_exeext; then
-     # The linker can only warn and ignore the option if not recognized
-     # So say no if there are warnings
-     if test -s conftest.err; then
-       # Append any errors to the config.log.
-       cat conftest.err 1>&AS_MESSAGE_LOG_FD
-       $ECHO "X$_lt_linker_boilerplate" | $Xsed -e '/^$/d' > conftest.exp
-       $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2
-       if diff conftest.exp conftest.er2 >/dev/null; then
-         $2=yes
-       fi
-     else
-       $2=yes
-     fi
-   fi
-   $RM -r conftest*
-   LDFLAGS="$save_LDFLAGS"
-])
-
-if test x"[$]$2" = xyes; then
-    m4_if([$4], , :, [$4])
-else
-    m4_if([$5], , :, [$5])
-fi
-])# _LT_LINKER_OPTION
-
-# Old name:
-AU_ALIAS([AC_LIBTOOL_LINKER_OPTION], [_LT_LINKER_OPTION])
-dnl aclocal-1.4 backwards compatibility:
-dnl AC_DEFUN([AC_LIBTOOL_LINKER_OPTION], [])
-
-
-# LT_CMD_MAX_LEN
-#---------------
-AC_DEFUN([LT_CMD_MAX_LEN],
-[AC_REQUIRE([AC_CANONICAL_HOST])dnl
-# find the maximum length of command line arguments
-AC_MSG_CHECKING([the maximum length of command line arguments])
-AC_CACHE_VAL([lt_cv_sys_max_cmd_len], [dnl
-  i=0
-  teststring="ABCD"
-
-  case $build_os in
-  msdosdjgpp*)
-    # On DJGPP, this test can blow up pretty badly due to problems in libc
-    # (any single argument exceeding 2000 bytes causes a buffer overrun
-    # during glob expansion).  Even if it were fixed, the result of this
-    # check would be larger than it should be.
-    lt_cv_sys_max_cmd_len=12288;    # 12K is about right
-    ;;
-
-  gnu*)
-    # Under GNU Hurd, this test is not required because there is
-    # no limit to the length of command line arguments.
-    # Libtool will interpret -1 as no limit whatsoever
-    lt_cv_sys_max_cmd_len=-1;
-    ;;
-
-  cygwin* | mingw* | cegcc*)
-    # On Win9x/ME, this test blows up -- it succeeds, but takes
-    # about 5 minutes as the teststring grows exponentially.
-    # Worse, since 9x/ME are not pre-emptively multitasking,
-    # you end up with a "frozen" computer, even though with patience
-    # the test eventually succeeds (with a max line length of 256k).
-    # Instead, let's just punt: use the minimum linelength reported by
-    # all of the supported platforms: 8192 (on NT/2K/XP).
-    lt_cv_sys_max_cmd_len=8192;
-    ;;
-
-  amigaos*)
-    # On AmigaOS with pdksh, this test takes hours, literally.
-    # So we just punt and use a minimum line length of 8192.
-    lt_cv_sys_max_cmd_len=8192;
-    ;;
-
-  netbsd* | freebsd* | openbsd* | darwin* | dragonfly*)
-    # This has been around since 386BSD, at least.  Likely further.
-    if test -x /sbin/sysctl; then
-      lt_cv_sys_max_cmd_len=`/sbin/sysctl -n kern.argmax`
-    elif test -x /usr/sbin/sysctl; then
-      lt_cv_sys_max_cmd_len=`/usr/sbin/sysctl -n kern.argmax`
-    else
-      lt_cv_sys_max_cmd_len=65536	# usable default for all BSDs
-    fi
-    # And add a safety zone
-    lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 4`
-    lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \* 3`
-    ;;
-
-  interix*)
-    # We know the value 262144 and hardcode it with a safety zone (like BSD)
-    lt_cv_sys_max_cmd_len=196608
-    ;;
-
-  osf*)
-    # Dr. Hans Ekkehard Plesser reports seeing a kernel panic running configure
-    # due to this test when exec_disable_arg_limit is 1 on Tru64. It is not
-    # nice to cause kernel panics so lets avoid the loop below.
-    # First set a reasonable default.
-    lt_cv_sys_max_cmd_len=16384
-    #
-    if test -x /sbin/sysconfig; then
-      case `/sbin/sysconfig -q proc exec_disable_arg_limit` in
-        *1*) lt_cv_sys_max_cmd_len=-1 ;;
-      esac
-    fi
-    ;;
-  sco3.2v5*)
-    lt_cv_sys_max_cmd_len=102400
-    ;;
-  sysv5* | sco5v6* | sysv4.2uw2*)
-    kargmax=`grep ARG_MAX /etc/conf/cf.d/stune 2>/dev/null`
-    if test -n "$kargmax"; then
-      lt_cv_sys_max_cmd_len=`echo $kargmax | sed 's/.*[[	 ]]//'`
-    else
-      lt_cv_sys_max_cmd_len=32768
-    fi
-    ;;
-  *)
-    lt_cv_sys_max_cmd_len=`(getconf ARG_MAX) 2> /dev/null`
-    if test -n "$lt_cv_sys_max_cmd_len"; then
-      lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 4`
-      lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \* 3`
-    else
-      # Make teststring a little bigger before we do anything with it.
-      # a 1K string should be a reasonable start.
-      for i in 1 2 3 4 5 6 7 8 ; do
-        teststring=$teststring$teststring
-      done
-      SHELL=${SHELL-${CONFIG_SHELL-/bin/sh}}
-      # If test is not a shell built-in, we'll probably end up computing a
-      # maximum length that is only half of the actual maximum length, but
-      # we can't tell.
-      while { test "X"`$SHELL [$]0 --fallback-echo "X$teststring$teststring" 2>/dev/null` \
-	         = "XX$teststring$teststring"; } >/dev/null 2>&1 &&
-	      test $i != 17 # 1/2 MB should be enough
-      do
-        i=`expr $i + 1`
-        teststring=$teststring$teststring
-      done
-      # Only check the string length outside the loop.
-      lt_cv_sys_max_cmd_len=`expr "X$teststring" : ".*" 2>&1`
-      teststring=
-      # Add a significant safety factor because C++ compilers can tack on
-      # massive amounts of additional arguments before passing them to the
-      # linker.  It appears as though 1/2 is a usable value.
-      lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 2`
-    fi
-    ;;
-  esac
-])
-if test -n $lt_cv_sys_max_cmd_len ; then
-  AC_MSG_RESULT($lt_cv_sys_max_cmd_len)
-else
-  AC_MSG_RESULT(none)
-fi
-max_cmd_len=$lt_cv_sys_max_cmd_len
-_LT_DECL([], [max_cmd_len], [0],
-    [What is the maximum length of a command?])
-])# LT_CMD_MAX_LEN
-
-# Old name:
-AU_ALIAS([AC_LIBTOOL_SYS_MAX_CMD_LEN], [LT_CMD_MAX_LEN])
-dnl aclocal-1.4 backwards compatibility:
-dnl AC_DEFUN([AC_LIBTOOL_SYS_MAX_CMD_LEN], [])
-
-
-# _LT_HEADER_DLFCN
-# ----------------
-m4_defun([_LT_HEADER_DLFCN],
-[AC_CHECK_HEADERS([dlfcn.h], [], [], [AC_INCLUDES_DEFAULT])dnl
-])# _LT_HEADER_DLFCN
-
-
-# _LT_TRY_DLOPEN_SELF (ACTION-IF-TRUE, ACTION-IF-TRUE-W-USCORE,
-#                      ACTION-IF-FALSE, ACTION-IF-CROSS-COMPILING)
-# ----------------------------------------------------------------
-m4_defun([_LT_TRY_DLOPEN_SELF],
-[m4_require([_LT_HEADER_DLFCN])dnl
-if test "$cross_compiling" = yes; then :
-  [$4]
-else
-  lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
-  lt_status=$lt_dlunknown
-  cat > conftest.$ac_ext <<_LT_EOF
-[#line __oline__ "configure"
-#include "confdefs.h"
-
-#if HAVE_DLFCN_H
-#include <dlfcn.h>
-#endif
-
-#include <stdio.h>
-
-#ifdef RTLD_GLOBAL
-#  define LT_DLGLOBAL		RTLD_GLOBAL
-#else
-#  ifdef DL_GLOBAL
-#    define LT_DLGLOBAL		DL_GLOBAL
-#  else
-#    define LT_DLGLOBAL		0
-#  endif
-#endif
-
-/* We may have to define LT_DLLAZY_OR_NOW in the command line if we
-   find out it does not work in some platform. */
-#ifndef LT_DLLAZY_OR_NOW
-#  ifdef RTLD_LAZY
-#    define LT_DLLAZY_OR_NOW		RTLD_LAZY
-#  else
-#    ifdef DL_LAZY
-#      define LT_DLLAZY_OR_NOW		DL_LAZY
-#    else
-#      ifdef RTLD_NOW
-#        define LT_DLLAZY_OR_NOW	RTLD_NOW
-#      else
-#        ifdef DL_NOW
-#          define LT_DLLAZY_OR_NOW	DL_NOW
-#        else
-#          define LT_DLLAZY_OR_NOW	0
-#        endif
-#      endif
-#    endif
-#  endif
-#endif
-
-void fnord() { int i=42;}
-int main ()
-{
-  void *self = dlopen (0, LT_DLGLOBAL|LT_DLLAZY_OR_NOW);
-  int status = $lt_dlunknown;
-
-  if (self)
-    {
-      if (dlsym (self,"fnord"))       status = $lt_dlno_uscore;
-      else if (dlsym( self,"_fnord")) status = $lt_dlneed_uscore;
-      /* dlclose (self); */
-    }
-  else
-    puts (dlerror ());
-
-  return status;
-}]
-_LT_EOF
-  if AC_TRY_EVAL(ac_link) && test -s conftest${ac_exeext} 2>/dev/null; then
-    (./conftest; exit; ) >&AS_MESSAGE_LOG_FD 2>/dev/null
-    lt_status=$?
-    case x$lt_status in
-      x$lt_dlno_uscore) $1 ;;
-      x$lt_dlneed_uscore) $2 ;;
-      x$lt_dlunknown|x*) $3 ;;
-    esac
-  else :
-    # compilation failed
-    $3
-  fi
-fi
-rm -fr conftest*
-])# _LT_TRY_DLOPEN_SELF
-
-
-# LT_SYS_DLOPEN_SELF
-# ------------------
-AC_DEFUN([LT_SYS_DLOPEN_SELF],
-[m4_require([_LT_HEADER_DLFCN])dnl
-if test "x$enable_dlopen" != xyes; then
-  enable_dlopen=unknown
-  enable_dlopen_self=unknown
-  enable_dlopen_self_static=unknown
-else
-  lt_cv_dlopen=no
-  lt_cv_dlopen_libs=
-
-  case $host_os in
-  beos*)
-    lt_cv_dlopen="load_add_on"
-    lt_cv_dlopen_libs=
-    lt_cv_dlopen_self=yes
-    ;;
-
-  mingw* | pw32* | cegcc*)
-    lt_cv_dlopen="LoadLibrary"
-    lt_cv_dlopen_libs=
-    ;;
-
-  cygwin*)
-    lt_cv_dlopen="dlopen"
-    lt_cv_dlopen_libs=
-    ;;
-
-  darwin*)
-  # if libdl is installed we need to link against it
-    AC_CHECK_LIB([dl], [dlopen],
-		[lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-ldl"],[
-    lt_cv_dlopen="dyld"
-    lt_cv_dlopen_libs=
-    lt_cv_dlopen_self=yes
-    ])
-    ;;
-
-  *)
-    AC_CHECK_FUNC([shl_load],
-	  [lt_cv_dlopen="shl_load"],
-      [AC_CHECK_LIB([dld], [shl_load],
-	    [lt_cv_dlopen="shl_load" lt_cv_dlopen_libs="-ldld"],
-	[AC_CHECK_FUNC([dlopen],
-	      [lt_cv_dlopen="dlopen"],
-	  [AC_CHECK_LIB([dl], [dlopen],
-		[lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-ldl"],
-	    [AC_CHECK_LIB([svld], [dlopen],
-		  [lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-lsvld"],
-	      [AC_CHECK_LIB([dld], [dld_link],
-		    [lt_cv_dlopen="dld_link" lt_cv_dlopen_libs="-ldld"])
-	      ])
-	    ])
-	  ])
-	])
-      ])
-    ;;
-  esac
-
-  if test "x$lt_cv_dlopen" != xno; then
-    enable_dlopen=yes
-  else
-    enable_dlopen=no
-  fi
-
-  case $lt_cv_dlopen in
-  dlopen)
-    save_CPPFLAGS="$CPPFLAGS"
-    test "x$ac_cv_header_dlfcn_h" = xyes && CPPFLAGS="$CPPFLAGS -DHAVE_DLFCN_H"
-
-    save_LDFLAGS="$LDFLAGS"
-    wl=$lt_prog_compiler_wl eval LDFLAGS=\"\$LDFLAGS $export_dynamic_flag_spec\"
-
-    save_LIBS="$LIBS"
-    LIBS="$lt_cv_dlopen_libs $LIBS"
-
-    AC_CACHE_CHECK([whether a program can dlopen itself],
-	  lt_cv_dlopen_self, [dnl
-	  _LT_TRY_DLOPEN_SELF(
-	    lt_cv_dlopen_self=yes, lt_cv_dlopen_self=yes,
-	    lt_cv_dlopen_self=no, lt_cv_dlopen_self=cross)
-    ])
-
-    if test "x$lt_cv_dlopen_self" = xyes; then
-      wl=$lt_prog_compiler_wl eval LDFLAGS=\"\$LDFLAGS $lt_prog_compiler_static\"
-      AC_CACHE_CHECK([whether a statically linked program can dlopen itself],
-	  lt_cv_dlopen_self_static, [dnl
-	  _LT_TRY_DLOPEN_SELF(
-	    lt_cv_dlopen_self_static=yes, lt_cv_dlopen_self_static=yes,
-	    lt_cv_dlopen_self_static=no,  lt_cv_dlopen_self_static=cross)
-      ])
-    fi
-
-    CPPFLAGS="$save_CPPFLAGS"
-    LDFLAGS="$save_LDFLAGS"
-    LIBS="$save_LIBS"
-    ;;
-  esac
-
-  case $lt_cv_dlopen_self in
-  yes|no) enable_dlopen_self=$lt_cv_dlopen_self ;;
-  *) enable_dlopen_self=unknown ;;
-  esac
-
-  case $lt_cv_dlopen_self_static in
-  yes|no) enable_dlopen_self_static=$lt_cv_dlopen_self_static ;;
-  *) enable_dlopen_self_static=unknown ;;
-  esac
-fi
-_LT_DECL([dlopen_support], [enable_dlopen], [0],
-	 [Whether dlopen is supported])
-_LT_DECL([dlopen_self], [enable_dlopen_self], [0],
-	 [Whether dlopen of programs is supported])
-_LT_DECL([dlopen_self_static], [enable_dlopen_self_static], [0],
-	 [Whether dlopen of statically linked programs is supported])
-])# LT_SYS_DLOPEN_SELF
-
-# Old name:
-AU_ALIAS([AC_LIBTOOL_DLOPEN_SELF], [LT_SYS_DLOPEN_SELF])
-dnl aclocal-1.4 backwards compatibility:
-dnl AC_DEFUN([AC_LIBTOOL_DLOPEN_SELF], [])
-
-
-# _LT_COMPILER_C_O([TAGNAME])
-# ---------------------------
-# Check to see if options -c and -o are simultaneously supported by compiler.
-# This macro does not hard code the compiler like AC_PROG_CC_C_O.
-m4_defun([_LT_COMPILER_C_O],
-[m4_require([_LT_DECL_SED])dnl
-m4_require([_LT_FILEUTILS_DEFAULTS])dnl
-m4_require([_LT_TAG_COMPILER])dnl
-AC_CACHE_CHECK([if $compiler supports -c -o file.$ac_objext],
-  [_LT_TAGVAR(lt_cv_prog_compiler_c_o, $1)],
-  [_LT_TAGVAR(lt_cv_prog_compiler_c_o, $1)=no
-   $RM -r conftest 2>/dev/null
-   mkdir conftest
-   cd conftest
-   mkdir out
-   echo "$lt_simple_compile_test_code" > conftest.$ac_ext
-
-   lt_compiler_flag="-o out/conftest2.$ac_objext"
-   # Insert the option either (1) after the last *FLAGS variable, or
-   # (2) before a word containing "conftest.", or (3) at the end.
-   # Note that $ac_compile itself does not contain backslashes and begins
-   # with a dollar sign (not a hyphen), so the echo should work correctly.
-   lt_compile=`echo "$ac_compile" | $SED \
-   -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-   -e 's: [[^ ]]*conftest\.: $lt_compiler_flag&:; t' \
-   -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:__oline__: $lt_compile\"" >&AS_MESSAGE_LOG_FD)
-   (eval "$lt_compile" 2>out/conftest.err)
-   ac_status=$?
-   cat out/conftest.err >&AS_MESSAGE_LOG_FD
-   echo "$as_me:__oline__: \$? = $ac_status" >&AS_MESSAGE_LOG_FD
-   if (exit $ac_status) && test -s out/conftest2.$ac_objext
-   then
-     # The compiler can only warn and ignore the option if not recognized
-     # So say no if there are warnings
-     $ECHO "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' > out/conftest.exp
-     $SED '/^$/d; /^ *+/d' out/conftest.err >out/conftest.er2
-     if test ! -s out/conftest.er2 || diff out/conftest.exp out/conftest.er2 >/dev/null; then
-       _LT_TAGVAR(lt_cv_prog_compiler_c_o, $1)=yes
-     fi
-   fi
-   chmod u+w . 2>&AS_MESSAGE_LOG_FD
-   $RM conftest*
-   # SGI C++ compiler will create directory out/ii_files/ for
-   # template instantiation
-   test -d out/ii_files && $RM out/ii_files/* && rmdir out/ii_files
-   $RM out/* && rmdir out
-   cd ..
-   $RM -r conftest
-   $RM conftest*
-])
-_LT_TAGDECL([compiler_c_o], [lt_cv_prog_compiler_c_o], [1],
-	[Does compiler simultaneously support -c and -o options?])
-])# _LT_COMPILER_C_O
-
-
-# _LT_COMPILER_FILE_LOCKS([TAGNAME])
-# ----------------------------------
-# Check to see if we can do hard links to lock some files if needed
-m4_defun([_LT_COMPILER_FILE_LOCKS],
-[m4_require([_LT_ENABLE_LOCK])dnl
-m4_require([_LT_FILEUTILS_DEFAULTS])dnl
-_LT_COMPILER_C_O([$1])
-
-hard_links="nottested"
-if test "$_LT_TAGVAR(lt_cv_prog_compiler_c_o, $1)" = no && test "$need_locks" != no; then
-  # do not overwrite the value of need_locks provided by the user
-  AC_MSG_CHECKING([if we can lock with hard links])
-  hard_links=yes
-  $RM conftest*
-  ln conftest.a conftest.b 2>/dev/null && hard_links=no
-  touch conftest.a
-  ln conftest.a conftest.b 2>&5 || hard_links=no
-  ln conftest.a conftest.b 2>/dev/null && hard_links=no
-  AC_MSG_RESULT([$hard_links])
-  if test "$hard_links" = no; then
-    AC_MSG_WARN([`$CC' does not support `-c -o', so `make -j' may be unsafe])
-    need_locks=warn
-  fi
-else
-  need_locks=no
-fi
-_LT_DECL([], [need_locks], [1], [Must we lock files when doing compilation?])
-])# _LT_COMPILER_FILE_LOCKS
-
-
-# _LT_CHECK_OBJDIR
-# ----------------
-m4_defun([_LT_CHECK_OBJDIR],
-[AC_CACHE_CHECK([for objdir], [lt_cv_objdir],
-[rm -f .libs 2>/dev/null
-mkdir .libs 2>/dev/null
-if test -d .libs; then
-  lt_cv_objdir=.libs
-else
-  # MS-DOS does not allow filenames that begin with a dot.
-  lt_cv_objdir=_libs
-fi
-rmdir .libs 2>/dev/null])
-objdir=$lt_cv_objdir
-_LT_DECL([], [objdir], [0],
-         [The name of the directory that contains temporary libtool files])dnl
-m4_pattern_allow([LT_OBJDIR])dnl
-AC_DEFINE_UNQUOTED(LT_OBJDIR, "$lt_cv_objdir/",
-  [Define to the sub-directory in which libtool stores uninstalled libraries.])
-])# _LT_CHECK_OBJDIR
-
-
-# _LT_LINKER_HARDCODE_LIBPATH([TAGNAME])
-# --------------------------------------
-# Check hardcoding attributes.
-m4_defun([_LT_LINKER_HARDCODE_LIBPATH],
-[AC_MSG_CHECKING([how to hardcode library paths into programs])
-_LT_TAGVAR(hardcode_action, $1)=
-if test -n "$_LT_TAGVAR(hardcode_libdir_flag_spec, $1)" ||
-   test -n "$_LT_TAGVAR(runpath_var, $1)" ||
-   test "X$_LT_TAGVAR(hardcode_automatic, $1)" = "Xyes" ; then
-
-  # We can hardcode non-existent directories.
-  if test "$_LT_TAGVAR(hardcode_direct, $1)" != no &&
-     # If the only mechanism to avoid hardcoding is shlibpath_var, we
-     # have to relink, otherwise we might link with an installed library
-     # when we should be linking with a yet-to-be-installed one
-     ## test "$_LT_TAGVAR(hardcode_shlibpath_var, $1)" != no &&
-     test "$_LT_TAGVAR(hardcode_minus_L, $1)" != no; then
-    # Linking always hardcodes the temporary library directory.
-    _LT_TAGVAR(hardcode_action, $1)=relink
-  else
-    # We can link without hardcoding, and we can hardcode nonexisting dirs.
-    _LT_TAGVAR(hardcode_action, $1)=immediate
-  fi
-else
-  # We cannot hardcode anything, or else we can only hardcode existing
-  # directories.
-  _LT_TAGVAR(hardcode_action, $1)=unsupported
-fi
-AC_MSG_RESULT([$_LT_TAGVAR(hardcode_action, $1)])
-
-if test "$_LT_TAGVAR(hardcode_action, $1)" = relink ||
-   test "$_LT_TAGVAR(inherit_rpath, $1)" = yes; then
-  # Fast installation is not supported
-  enable_fast_install=no
-elif test "$shlibpath_overrides_runpath" = yes ||
-     test "$enable_shared" = no; then
-  # Fast installation is not necessary
-  enable_fast_install=needless
-fi
-_LT_TAGDECL([], [hardcode_action], [0],
-    [How to hardcode a shared library path into an executable])
-])# _LT_LINKER_HARDCODE_LIBPATH
-
-
-# _LT_CMD_STRIPLIB
-# ----------------
-m4_defun([_LT_CMD_STRIPLIB],
-[m4_require([_LT_DECL_EGREP])
-striplib=
-old_striplib=
-AC_MSG_CHECKING([whether stripping libraries is possible])
-if test -n "$STRIP" && $STRIP -V 2>&1 | $GREP "GNU strip" >/dev/null; then
-  test -z "$old_striplib" && old_striplib="$STRIP --strip-debug"
-  test -z "$striplib" && striplib="$STRIP --strip-unneeded"
-  AC_MSG_RESULT([yes])
-else
-# FIXME - insert some real tests, host_os isn't really good enough
-  case $host_os in
-  darwin*)
-    if test -n "$STRIP" ; then
-      striplib="$STRIP -x"
-      old_striplib="$STRIP -S"
-      AC_MSG_RESULT([yes])
-    else
-      AC_MSG_RESULT([no])
-    fi
-    ;;
-  *)
-    AC_MSG_RESULT([no])
-    ;;
-  esac
-fi
-_LT_DECL([], [old_striplib], [1], [Commands to strip libraries])
-_LT_DECL([], [striplib], [1])
-])# _LT_CMD_STRIPLIB
-
-
-# _LT_SYS_DYNAMIC_LINKER([TAG])
-# -----------------------------
-# PORTME Fill in your ld.so characteristics
-m4_defun([_LT_SYS_DYNAMIC_LINKER],
-[AC_REQUIRE([AC_CANONICAL_HOST])dnl
-m4_require([_LT_DECL_EGREP])dnl
-m4_require([_LT_FILEUTILS_DEFAULTS])dnl
-m4_require([_LT_DECL_OBJDUMP])dnl
-m4_require([_LT_DECL_SED])dnl
-AC_MSG_CHECKING([dynamic linker characteristics])
-m4_if([$1],
-	[], [
-if test "$GCC" = yes; then
-  case $host_os in
-    darwin*) lt_awk_arg="/^libraries:/,/LR/" ;;
-    *) lt_awk_arg="/^libraries:/" ;;
-  esac
-  lt_search_path_spec=`$CC -print-search-dirs | awk $lt_awk_arg | $SED -e "s/^libraries://" -e "s,=/,/,g"`
-  if $ECHO "$lt_search_path_spec" | $GREP ';' >/dev/null ; then
-    # if the path contains ";" then we assume it to be the separator
-    # otherwise default to the standard path separator (i.e. ":") - it is
-    # assumed that no part of a normal pathname contains ";" but that should
-    # okay in the real world where ";" in dirpaths is itself problematic.
-    lt_search_path_spec=`$ECHO "$lt_search_path_spec" | $SED -e 's/;/ /g'`
-  else
-    lt_search_path_spec=`$ECHO "$lt_search_path_spec" | $SED  -e "s/$PATH_SEPARATOR/ /g"`
-  fi
-  # Ok, now we have the path, separated by spaces, we can step through it
-  # and add multilib dir if necessary.
-  lt_tmp_lt_search_path_spec=
-  lt_multi_os_dir=`$CC $CPPFLAGS $CFLAGS $LDFLAGS -print-multi-os-directory 2>/dev/null`
-  for lt_sys_path in $lt_search_path_spec; do
-    if test -d "$lt_sys_path/$lt_multi_os_dir"; then
-      lt_tmp_lt_search_path_spec="$lt_tmp_lt_search_path_spec $lt_sys_path/$lt_multi_os_dir"
-    else
-      test -d "$lt_sys_path" && \
-	lt_tmp_lt_search_path_spec="$lt_tmp_lt_search_path_spec $lt_sys_path"
-    fi
-  done
-  lt_search_path_spec=`$ECHO $lt_tmp_lt_search_path_spec | awk '
-BEGIN {RS=" "; FS="/|\n";} {
-  lt_foo="";
-  lt_count=0;
-  for (lt_i = NF; lt_i > 0; lt_i--) {
-    if ($lt_i != "" && $lt_i != ".") {
-      if ($lt_i == "..") {
-        lt_count++;
-      } else {
-        if (lt_count == 0) {
-          lt_foo="/" $lt_i lt_foo;
-        } else {
-          lt_count--;
-        }
-      }
-    }
-  }
-  if (lt_foo != "") { lt_freq[[lt_foo]]++; }
-  if (lt_freq[[lt_foo]] == 1) { print lt_foo; }
-}'`
-  sys_lib_search_path_spec=`$ECHO $lt_search_path_spec`
-else
-  sys_lib_search_path_spec="/lib /usr/lib /usr/local/lib"
-fi])
-library_names_spec=
-libname_spec='lib$name'
-soname_spec=
-shrext_cmds=".so"
-postinstall_cmds=
-postuninstall_cmds=
-finish_cmds=
-finish_eval=
-shlibpath_var=
-shlibpath_overrides_runpath=unknown
-version_type=none
-dynamic_linker="$host_os ld.so"
-sys_lib_dlsearch_path_spec="/lib /usr/lib"
-need_lib_prefix=unknown
-hardcode_into_libs=no
-
-# when you set need_version to no, make sure it does not cause -set_version
-# flags to be left without arguments
-need_version=unknown
-
-case $host_os in
-aix3*)
-  version_type=linux
-  library_names_spec='${libname}${release}${shared_ext}$versuffix $libname.a'
-  shlibpath_var=LIBPATH
-
-  # AIX 3 has no versioning support, so we append a major version to the name.
-  soname_spec='${libname}${release}${shared_ext}$major'
-  ;;
-
-aix[[4-9]]*)
-  version_type=linux
-  need_lib_prefix=no
-  need_version=no
-  hardcode_into_libs=yes
-  if test "$host_cpu" = ia64; then
-    # AIX 5 supports IA64
-    library_names_spec='${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext}$versuffix $libname${shared_ext}'
-    shlibpath_var=LD_LIBRARY_PATH
-  else
-    # With GCC up to 2.95.x, collect2 would create an import file
-    # for dependence libraries.  The import file would start with
-    # the line `#! .'.  This would cause the generated library to
-    # depend on `.', always an invalid library.  This was fixed in
-    # development snapshots of GCC prior to 3.0.
-    case $host_os in
-      aix4 | aix4.[[01]] | aix4.[[01]].*)
-      if { echo '#if __GNUC__ > 2 || (__GNUC__ == 2 && __GNUC_MINOR__ >= 97)'
-	   echo ' yes '
-	   echo '#endif'; } | ${CC} -E - | $GREP yes > /dev/null; then
-	:
-      else
-	can_build_shared=no
-      fi
-      ;;
-    esac
-    # AIX (on Power*) has no versioning support, so currently we can not hardcode correct
-    # soname into executable. Probably we can add versioning support to
-    # collect2, so additional links can be useful in future.
-    if test "$aix_use_runtimelinking" = yes; then
-      # If using run time linking (on AIX 4.2 or later) use lib<name>.so
-      # instead of lib<name>.a to let people know that these are not
-      # typical AIX shared libraries.
-      library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-    else
-      # We preserve .a as extension for shared libraries through AIX4.2
-      # and later when we are not doing run time linking.
-      library_names_spec='${libname}${release}.a $libname.a'
-      soname_spec='${libname}${release}${shared_ext}$major'
-    fi
-    shlibpath_var=LIBPATH
-  fi
-  ;;
-
-amigaos*)
-  case $host_cpu in
-  powerpc)
-    # Since July 2007 AmigaOS4 officially supports .so libraries.
-    # When compiling the executable, add -use-dynld -Lsobjs: to the compileline.
-    library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-    ;;
-  m68k)
-    library_names_spec='$libname.ixlibrary $libname.a'
-    # Create ${libname}_ixlibrary.a entries in /sys/libs.
-    finish_eval='for lib in `ls $libdir/*.ixlibrary 2>/dev/null`; do libname=`$ECHO "X$lib" | $Xsed -e '\''s%^.*/\([[^/]]*\)\.ixlibrary$%\1%'\''`; test $RM /sys/libs/${libname}_ixlibrary.a; $show "cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a"; cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a || exit 1; done'
-    ;;
-  esac
-  ;;
-
-beos*)
-  library_names_spec='${libname}${shared_ext}'
-  dynamic_linker="$host_os ld.so"
-  shlibpath_var=LIBRARY_PATH
-  ;;
-
-bsdi[[45]]*)
-  version_type=linux
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  finish_cmds='PATH="\$PATH:/sbin" ldconfig $libdir'
-  shlibpath_var=LD_LIBRARY_PATH
-  sys_lib_search_path_spec="/shlib /usr/lib /usr/X11/lib /usr/contrib/lib /lib /usr/local/lib"
-  sys_lib_dlsearch_path_spec="/shlib /usr/lib /usr/local/lib"
-  # the default ld.so.conf also contains /usr/contrib/lib and
-  # /usr/X11R6/lib (/usr/X11 is a link to /usr/X11R6), but let us allow
-  # libtool to hard-code these into programs
-  ;;
-
-cygwin* | mingw* | pw32* | cegcc*)
-  version_type=windows
-  shrext_cmds=".dll"
-  need_version=no
-  need_lib_prefix=no
-
-  case $GCC,$host_os in
-  yes,cygwin* | yes,mingw* | yes,pw32* | yes,cegcc*)
-    library_names_spec='$libname.dll.a'
-    # DLL is installed to $(libdir)/../bin by postinstall_cmds
-    postinstall_cmds='base_file=`basename \${file}`~
-      dlpath=`$SHELL 2>&1 -c '\''. $dir/'\''\${base_file}'\''i; echo \$dlname'\''`~
-      dldir=$destdir/`dirname \$dlpath`~
-      test -d \$dldir || mkdir -p \$dldir~
-      $install_prog $dir/$dlname \$dldir/$dlname~
-      chmod a+x \$dldir/$dlname~
-      if test -n '\''$stripme'\'' && test -n '\''$striplib'\''; then
-        eval '\''$striplib \$dldir/$dlname'\'' || exit \$?;
-      fi'
-    postuninstall_cmds='dldll=`$SHELL 2>&1 -c '\''. $file; echo \$dlname'\''`~
-      dlpath=$dir/\$dldll~
-       $RM \$dlpath'
-    shlibpath_overrides_runpath=yes
-
-    case $host_os in
-    cygwin*)
-      # Cygwin DLLs use 'cyg' prefix rather than 'lib'
-      soname_spec='`echo ${libname} | sed -e 's/^lib/cyg/'``echo ${release} | $SED -e 's/[[.]]/-/g'`${versuffix}${shared_ext}'
-      sys_lib_search_path_spec="/usr/lib /lib/w32api /lib /usr/local/lib"
-      ;;
-    mingw* | cegcc*)
-      # MinGW DLLs use traditional 'lib' prefix
-      soname_spec='${libname}`echo ${release} | $SED -e 's/[[.]]/-/g'`${versuffix}${shared_ext}'
-      sys_lib_search_path_spec=`$CC -print-search-dirs | $GREP "^libraries:" | $SED -e "s/^libraries://" -e "s,=/,/,g"`
-      if $ECHO "$sys_lib_search_path_spec" | [$GREP ';[c-zC-Z]:/' >/dev/null]; then
-        # It is most probably a Windows format PATH printed by
-        # mingw gcc, but we are running on Cygwin. Gcc prints its search
-        # path with ; separators, and with drive letters. We can handle the
-        # drive letters (cygwin fileutils understands them), so leave them,
-        # especially as we might pass files found there to a mingw objdump,
-        # which wouldn't understand a cygwinified path. Ahh.
-        sys_lib_search_path_spec=`$ECHO "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'`
-      else
-        sys_lib_search_path_spec=`$ECHO "$sys_lib_search_path_spec" | $SED  -e "s/$PATH_SEPARATOR/ /g"`
-      fi
-      ;;
-    pw32*)
-      # pw32 DLLs use 'pw' prefix rather than 'lib'
-      library_names_spec='`echo ${libname} | sed -e 's/^lib/pw/'``echo ${release} | $SED -e 's/[[.]]/-/g'`${versuffix}${shared_ext}'
-      ;;
-    esac
-    ;;
-
-  *)
-    library_names_spec='${libname}`echo ${release} | $SED -e 's/[[.]]/-/g'`${versuffix}${shared_ext} $libname.lib'
-    ;;
-  esac
-  dynamic_linker='Win32 ld.exe'
-  # FIXME: first we should search . and the directory the executable is in
-  shlibpath_var=PATH
-  ;;
-
-darwin* | rhapsody*)
-  dynamic_linker="$host_os dyld"
-  version_type=darwin
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${major}$shared_ext ${libname}$shared_ext'
-  soname_spec='${libname}${release}${major}$shared_ext'
-  shlibpath_overrides_runpath=yes
-  shlibpath_var=DYLD_LIBRARY_PATH
-  shrext_cmds='`test .$module = .yes && echo .so || echo .dylib`'
-m4_if([$1], [],[
-  sys_lib_search_path_spec="$sys_lib_search_path_spec /usr/local/lib"])
-  sys_lib_dlsearch_path_spec='/usr/local/lib /lib /usr/lib'
-  ;;
-
-dgux*)
-  version_type=linux
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname$shared_ext'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  ;;
-
-freebsd1*)
-  dynamic_linker=no
-  ;;
-
-freebsd* | dragonfly*)
-  # DragonFly does not have aout.  When/if they implement a new
-  # versioning mechanism, adjust this.
-  if test -x /usr/bin/objformat; then
-    objformat=`/usr/bin/objformat`
-  else
-    case $host_os in
-    freebsd[[123]]*) objformat=aout ;;
-    *) objformat=elf ;;
-    esac
-  fi
-  version_type=freebsd-$objformat
-  case $version_type in
-    freebsd-elf*)
-      library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext} $libname${shared_ext}'
-      need_version=no
-      need_lib_prefix=no
-      ;;
-    freebsd-*)
-      library_names_spec='${libname}${release}${shared_ext}$versuffix $libname${shared_ext}$versuffix'
-      need_version=yes
-      ;;
-  esac
-  shlibpath_var=LD_LIBRARY_PATH
-  case $host_os in
-  freebsd2*)
-    shlibpath_overrides_runpath=yes
-    ;;
-  freebsd3.[[01]]* | freebsdelf3.[[01]]*)
-    shlibpath_overrides_runpath=yes
-    hardcode_into_libs=yes
-    ;;
-  freebsd3.[[2-9]]* | freebsdelf3.[[2-9]]* | \
-  freebsd4.[[0-5]] | freebsdelf4.[[0-5]] | freebsd4.1.1 | freebsdelf4.1.1)
-    shlibpath_overrides_runpath=no
-    hardcode_into_libs=yes
-    ;;
-  *) # from 4.6 on, and DragonFly
-    shlibpath_overrides_runpath=yes
-    hardcode_into_libs=yes
-    ;;
-  esac
-  ;;
-
-gnu*)
-  version_type=linux
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}${major} ${libname}${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  hardcode_into_libs=yes
-  ;;
-
-hpux9* | hpux10* | hpux11*)
-  # Give a soname corresponding to the major version so that dld.sl refuses to
-  # link against other versions.
-  version_type=sunos
-  need_lib_prefix=no
-  need_version=no
-  case $host_cpu in
-  ia64*)
-    shrext_cmds='.so'
-    hardcode_into_libs=yes
-    dynamic_linker="$host_os dld.so"
-    shlibpath_var=LD_LIBRARY_PATH
-    shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
-    library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-    soname_spec='${libname}${release}${shared_ext}$major'
-    if test "X$HPUX_IA64_MODE" = X32; then
-      sys_lib_search_path_spec="/usr/lib/hpux32 /usr/local/lib/hpux32 /usr/local/lib"
-    else
-      sys_lib_search_path_spec="/usr/lib/hpux64 /usr/local/lib/hpux64"
-    fi
-    sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
-    ;;
-  hppa*64*)
-    shrext_cmds='.sl'
-    hardcode_into_libs=yes
-    dynamic_linker="$host_os dld.sl"
-    shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH
-    shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
-    library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-    soname_spec='${libname}${release}${shared_ext}$major'
-    sys_lib_search_path_spec="/usr/lib/pa20_64 /usr/ccs/lib/pa20_64"
-    sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
-    ;;
-  *)
-    shrext_cmds='.sl'
-    dynamic_linker="$host_os dld.sl"
-    shlibpath_var=SHLIB_PATH
-    shlibpath_overrides_runpath=no # +s is required to enable SHLIB_PATH
-    library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-    soname_spec='${libname}${release}${shared_ext}$major'
-    ;;
-  esac
-  # HP-UX runs *really* slowly unless shared libraries are mode 555.
-  postinstall_cmds='chmod 555 $lib'
-  ;;
-
-interix[[3-9]]*)
-  version_type=linux
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  dynamic_linker='Interix 3.x ld.so.1 (PE, like ELF)'
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=no
-  hardcode_into_libs=yes
-  ;;
-
-irix5* | irix6* | nonstopux*)
-  case $host_os in
-    nonstopux*) version_type=nonstopux ;;
-    *)
-	if test "$lt_cv_prog_gnu_ld" = yes; then
-		version_type=linux
-	else
-		version_type=irix
-	fi ;;
-  esac
-  need_lib_prefix=no
-  need_version=no
-  soname_spec='${libname}${release}${shared_ext}$major'
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext} $libname${shared_ext}'
-  case $host_os in
-  irix5* | nonstopux*)
-    libsuff= shlibsuff=
-    ;;
-  *)
-    case $LD in # libtool.m4 will add one of these switches to LD
-    *-32|*"-32 "|*-melf32bsmip|*"-melf32bsmip ")
-      libsuff= shlibsuff= libmagic=32-bit;;
-    *-n32|*"-n32 "|*-melf32bmipn32|*"-melf32bmipn32 ")
-      libsuff=32 shlibsuff=N32 libmagic=N32;;
-    *-64|*"-64 "|*-melf64bmip|*"-melf64bmip ")
-      libsuff=64 shlibsuff=64 libmagic=64-bit;;
-    *) libsuff= shlibsuff= libmagic=never-match;;
-    esac
-    ;;
-  esac
-  shlibpath_var=LD_LIBRARY${shlibsuff}_PATH
-  shlibpath_overrides_runpath=no
-  sys_lib_search_path_spec="/usr/lib${libsuff} /lib${libsuff} /usr/local/lib${libsuff}"
-  sys_lib_dlsearch_path_spec="/usr/lib${libsuff} /lib${libsuff}"
-  hardcode_into_libs=yes
-  ;;
-
-# No shared lib support for Linux oldld, aout, or coff.
-linux*oldld* | linux*aout* | linux*coff*)
-  dynamic_linker=no
-  ;;
-
-# This must be Linux ELF.
-linux* | k*bsd*-gnu)
-  version_type=linux
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  finish_cmds='PATH="\$PATH:/sbin" ldconfig -n $libdir'
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=no
-  # Some binutils ld are patched to set DT_RUNPATH
-  save_LDFLAGS=$LDFLAGS
-  save_libdir=$libdir
-  eval "libdir=/foo; wl=\"$_LT_TAGVAR(lt_prog_compiler_wl, $1)\"; \
-       LDFLAGS=\"\$LDFLAGS $_LT_TAGVAR(hardcode_libdir_flag_spec, $1)\""
-  AC_LINK_IFELSE([AC_LANG_PROGRAM([],[])],
-    [AS_IF([ ($OBJDUMP -p conftest$ac_exeext) 2>/dev/null | grep "RUNPATH.*$libdir" >/dev/null],
-       [shlibpath_overrides_runpath=yes])])
-  LDFLAGS=$save_LDFLAGS
-  libdir=$save_libdir
-
-  # This implies no fast_install, which is unacceptable.
-  # Some rework will be needed to allow for fast_install
-  # before this can be enabled.
-  hardcode_into_libs=yes
-
-  # Append ld.so.conf contents to the search path
-  if test -f /etc/ld.so.conf; then
-    lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \[$]2)); skip = 1; } { if (!skip) print \[$]0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[	 ]*hwcap[	 ]/d;s/[:,	]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;/^$/d' | tr '\n' ' '`
-    sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
-  fi
-
-  # We used to test for /lib/ld.so.1 and disable shared libraries on
-  # powerpc, because MkLinux only supported shared libraries with the
-  # GNU dynamic linker.  Since this was broken with cross compilers,
-  # most powerpc-linux boxes support dynamic linking these days and
-  # people can always --disable-shared, the test was removed, and we
-  # assume the GNU/Linux dynamic linker is in use.
-  dynamic_linker='GNU/Linux ld.so'
-  ;;
-
-netbsdelf*-gnu)
-  version_type=linux
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=no
-  hardcode_into_libs=yes
-  dynamic_linker='NetBSD ld.elf_so'
-  ;;
-
-netbsd*)
-  version_type=sunos
-  need_lib_prefix=no
-  need_version=no
-  if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then
-    library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
-    finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
-    dynamic_linker='NetBSD (a.out) ld.so'
-  else
-    library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
-    soname_spec='${libname}${release}${shared_ext}$major'
-    dynamic_linker='NetBSD ld.elf_so'
-  fi
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=yes
-  hardcode_into_libs=yes
-  ;;
-
-newsos6)
-  version_type=linux
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=yes
-  ;;
-
-*nto* | *qnx*)
-  version_type=qnx
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=no
-  hardcode_into_libs=yes
-  dynamic_linker='ldqnx.so'
-  ;;
-
-openbsd*)
-  version_type=sunos
-  sys_lib_dlsearch_path_spec="/usr/lib"
-  need_lib_prefix=no
-  # Some older versions of OpenBSD (3.3 at least) *do* need versioned libs.
-  case $host_os in
-    openbsd3.3 | openbsd3.3.*)	need_version=yes ;;
-    *)				need_version=no  ;;
-  esac
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
-  finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
-  shlibpath_var=LD_LIBRARY_PATH
-  if test -z "`echo __ELF__ | $CC -E - | $GREP __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
-    case $host_os in
-      openbsd2.[[89]] | openbsd2.[[89]].*)
-	shlibpath_overrides_runpath=no
-	;;
-      *)
-	shlibpath_overrides_runpath=yes
-	;;
-      esac
-  else
-    shlibpath_overrides_runpath=yes
-  fi
-  ;;
-
-os2*)
-  libname_spec='$name'
-  shrext_cmds=".dll"
-  need_lib_prefix=no
-  library_names_spec='$libname${shared_ext} $libname.a'
-  dynamic_linker='OS/2 ld.exe'
-  shlibpath_var=LIBPATH
-  ;;
-
-osf3* | osf4* | osf5*)
-  version_type=osf
-  need_lib_prefix=no
-  need_version=no
-  soname_spec='${libname}${release}${shared_ext}$major'
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-  shlibpath_var=LD_LIBRARY_PATH
-  sys_lib_search_path_spec="/usr/shlib /usr/ccs/lib /usr/lib/cmplrs/cc /usr/lib /usr/local/lib /var/shlib"
-  sys_lib_dlsearch_path_spec="$sys_lib_search_path_spec"
-  ;;
-
-rdos*)
-  dynamic_linker=no
-  ;;
-
-solaris*)
-  version_type=linux
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=yes
-  hardcode_into_libs=yes
-  # ldd complains unless libraries are executable
-  postinstall_cmds='chmod +x $lib'
-  ;;
-
-sunos4*)
-  version_type=sunos
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
-  finish_cmds='PATH="\$PATH:/usr/etc" ldconfig $libdir'
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=yes
-  if test "$with_gnu_ld" = yes; then
-    need_lib_prefix=no
-  fi
-  need_version=yes
-  ;;
-
-sysv4 | sysv4.3*)
-  version_type=linux
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  case $host_vendor in
-    sni)
-      shlibpath_overrides_runpath=no
-      need_lib_prefix=no
-      runpath_var=LD_RUN_PATH
-      ;;
-    siemens)
-      need_lib_prefix=no
-      ;;
-    motorola)
-      need_lib_prefix=no
-      need_version=no
-      shlibpath_overrides_runpath=no
-      sys_lib_search_path_spec='/lib /usr/lib /usr/ccs/lib'
-      ;;
-  esac
-  ;;
-
-sysv4*MP*)
-  if test -d /usr/nec ;then
-    version_type=linux
-    library_names_spec='$libname${shared_ext}.$versuffix $libname${shared_ext}.$major $libname${shared_ext}'
-    soname_spec='$libname${shared_ext}.$major'
-    shlibpath_var=LD_LIBRARY_PATH
-  fi
-  ;;
-
-sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX* | sysv4*uw2*)
-  version_type=freebsd-elf
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext} $libname${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=yes
-  hardcode_into_libs=yes
-  if test "$with_gnu_ld" = yes; then
-    sys_lib_search_path_spec='/usr/local/lib /usr/gnu/lib /usr/ccs/lib /usr/lib /lib'
-  else
-    sys_lib_search_path_spec='/usr/ccs/lib /usr/lib'
-    case $host_os in
-      sco3.2v5*)
-        sys_lib_search_path_spec="$sys_lib_search_path_spec /lib"
-	;;
-    esac
-  fi
-  sys_lib_dlsearch_path_spec='/usr/lib'
-  ;;
-
-tpf*)
-  # TPF is a cross-target only.  Preferred cross-host = GNU/Linux.
-  version_type=linux
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=no
-  hardcode_into_libs=yes
-  ;;
-
-uts4*)
-  version_type=linux
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  ;;
-
-*)
-  dynamic_linker=no
-  ;;
-esac
-AC_MSG_RESULT([$dynamic_linker])
-test "$dynamic_linker" = no && can_build_shared=no
-
-variables_saved_for_relink="PATH $shlibpath_var $runpath_var"
-if test "$GCC" = yes; then
-  variables_saved_for_relink="$variables_saved_for_relink GCC_EXEC_PREFIX COMPILER_PATH LIBRARY_PATH"
-fi
-
-if test "${lt_cv_sys_lib_search_path_spec+set}" = set; then
-  sys_lib_search_path_spec="$lt_cv_sys_lib_search_path_spec"
-fi
-if test "${lt_cv_sys_lib_dlsearch_path_spec+set}" = set; then
-  sys_lib_dlsearch_path_spec="$lt_cv_sys_lib_dlsearch_path_spec"
-fi
-
-_LT_DECL([], [variables_saved_for_relink], [1],
-    [Variables whose values should be saved in libtool wrapper scripts and
-    restored at link time])
-_LT_DECL([], [need_lib_prefix], [0],
-    [Do we need the "lib" prefix for modules?])
-_LT_DECL([], [need_version], [0], [Do we need a version for libraries?])
-_LT_DECL([], [version_type], [0], [Library versioning type])
-_LT_DECL([], [runpath_var], [0],  [Shared library runtime path variable])
-_LT_DECL([], [shlibpath_var], [0],[Shared library path variable])
-_LT_DECL([], [shlibpath_overrides_runpath], [0],
-    [Is shlibpath searched before the hard-coded library search path?])
-_LT_DECL([], [libname_spec], [1], [Format of library name prefix])
-_LT_DECL([], [library_names_spec], [1],
-    [[List of archive names.  First name is the real one, the rest are links.
-    The last name is the one that the linker finds with -lNAME]])
-_LT_DECL([], [soname_spec], [1],
-    [[The coded name of the library, if different from the real name]])
-_LT_DECL([], [postinstall_cmds], [2],
-    [Command to use after installation of a shared archive])
-_LT_DECL([], [postuninstall_cmds], [2],
-    [Command to use after uninstallation of a shared archive])
-_LT_DECL([], [finish_cmds], [2],
-    [Commands used to finish a libtool library installation in a directory])
-_LT_DECL([], [finish_eval], [1],
-    [[As "finish_cmds", except a single script fragment to be evaled but
-    not shown]])
-_LT_DECL([], [hardcode_into_libs], [0],
-    [Whether we should hardcode library paths into libraries])
-_LT_DECL([], [sys_lib_search_path_spec], [2],
-    [Compile-time system search path for libraries])
-_LT_DECL([], [sys_lib_dlsearch_path_spec], [2],
-    [Run-time system search path for libraries])
-])# _LT_SYS_DYNAMIC_LINKER
-
-
-# _LT_PATH_TOOL_PREFIX(TOOL)
-# --------------------------
-# find a file program which can recognize shared library
-AC_DEFUN([_LT_PATH_TOOL_PREFIX],
-[m4_require([_LT_DECL_EGREP])dnl
-AC_MSG_CHECKING([for $1])
-AC_CACHE_VAL(lt_cv_path_MAGIC_CMD,
-[case $MAGIC_CMD in
-[[\\/*] |  ?:[\\/]*])
-  lt_cv_path_MAGIC_CMD="$MAGIC_CMD" # Let the user override the test with a path.
-  ;;
-*)
-  lt_save_MAGIC_CMD="$MAGIC_CMD"
-  lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR
-dnl $ac_dummy forces splitting on constant user-supplied paths.
-dnl POSIX.2 word splitting is done only on the output of word expansions,
-dnl not every word.  This closes a longstanding sh security hole.
-  ac_dummy="m4_if([$2], , $PATH, [$2])"
-  for ac_dir in $ac_dummy; do
-    IFS="$lt_save_ifs"
-    test -z "$ac_dir" && ac_dir=.
-    if test -f $ac_dir/$1; then
-      lt_cv_path_MAGIC_CMD="$ac_dir/$1"
-      if test -n "$file_magic_test_file"; then
-	case $deplibs_check_method in
-	"file_magic "*)
-	  file_magic_regex=`expr "$deplibs_check_method" : "file_magic \(.*\)"`
-	  MAGIC_CMD="$lt_cv_path_MAGIC_CMD"
-	  if eval $file_magic_cmd \$file_magic_test_file 2> /dev/null |
-	    $EGREP "$file_magic_regex" > /dev/null; then
-	    :
-	  else
-	    cat <<_LT_EOF 1>&2
-
-*** Warning: the command libtool uses to detect shared libraries,
-*** $file_magic_cmd, produces output that libtool cannot recognize.
-*** The result is that libtool may fail to recognize shared libraries
-*** as such.  This will affect the creation of libtool libraries that
-*** depend on shared libraries, but programs linked with such libtool
-*** libraries will work regardless of this problem.  Nevertheless, you
-*** may want to report the problem to your system manager and/or to
-*** bug-libtool@gnu.org
-
-_LT_EOF
-	  fi ;;
-	esac
-      fi
-      break
-    fi
-  done
-  IFS="$lt_save_ifs"
-  MAGIC_CMD="$lt_save_MAGIC_CMD"
-  ;;
-esac])
-MAGIC_CMD="$lt_cv_path_MAGIC_CMD"
-if test -n "$MAGIC_CMD"; then
-  AC_MSG_RESULT($MAGIC_CMD)
-else
-  AC_MSG_RESULT(no)
-fi
-_LT_DECL([], [MAGIC_CMD], [0],
-	 [Used to examine libraries when file_magic_cmd begins with "file"])dnl
-])# _LT_PATH_TOOL_PREFIX
-
-# Old name:
-AU_ALIAS([AC_PATH_TOOL_PREFIX], [_LT_PATH_TOOL_PREFIX])
-dnl aclocal-1.4 backwards compatibility:
-dnl AC_DEFUN([AC_PATH_TOOL_PREFIX], [])
-
-
-# _LT_PATH_MAGIC
-# --------------
-# find a file program which can recognize a shared library
-m4_defun([_LT_PATH_MAGIC],
-[_LT_PATH_TOOL_PREFIX(${ac_tool_prefix}file, /usr/bin$PATH_SEPARATOR$PATH)
-if test -z "$lt_cv_path_MAGIC_CMD"; then
-  if test -n "$ac_tool_prefix"; then
-    _LT_PATH_TOOL_PREFIX(file, /usr/bin$PATH_SEPARATOR$PATH)
-  else
-    MAGIC_CMD=:
-  fi
-fi
-])# _LT_PATH_MAGIC
-
-
-# LT_PATH_LD
-# ----------
-# find the pathname to the GNU or non-GNU linker
-AC_DEFUN([LT_PATH_LD],
-[AC_REQUIRE([AC_PROG_CC])dnl
-AC_REQUIRE([AC_CANONICAL_HOST])dnl
-AC_REQUIRE([AC_CANONICAL_BUILD])dnl
-m4_require([_LT_DECL_SED])dnl
-m4_require([_LT_DECL_EGREP])dnl
-
-AC_ARG_WITH([gnu-ld],
-    [AS_HELP_STRING([--with-gnu-ld],
-	[assume the C compiler uses GNU ld @<:@default=no@:>@])],
-    [test "$withval" = no || with_gnu_ld=yes],
-    [with_gnu_ld=no])dnl
-
-ac_prog=ld
-if test "$GCC" = yes; then
-  # Check if gcc -print-prog-name=ld gives a path.
-  AC_MSG_CHECKING([for ld used by $CC])
-  case $host in
-  *-*-mingw*)
-    # gcc leaves a trailing carriage return which upsets mingw
-    ac_prog=`($CC -print-prog-name=ld) 2>&5 | tr -d '\015'` ;;
-  *)
-    ac_prog=`($CC -print-prog-name=ld) 2>&5` ;;
-  esac
-  case $ac_prog in
-    # Accept absolute paths.
-    [[\\/]]* | ?:[[\\/]]*)
-      re_direlt='/[[^/]][[^/]]*/\.\./'
-      # Canonicalize the pathname of ld
-      ac_prog=`$ECHO "$ac_prog"| $SED 's%\\\\%/%g'`
-      while $ECHO "$ac_prog" | $GREP "$re_direlt" > /dev/null 2>&1; do
-	ac_prog=`$ECHO $ac_prog| $SED "s%$re_direlt%/%"`
-      done
-      test -z "$LD" && LD="$ac_prog"
-      ;;
-  "")
-    # If it fails, then pretend we aren't using GCC.
-    ac_prog=ld
-    ;;
-  *)
-    # If it is relative, then search for the first ld in PATH.
-    with_gnu_ld=unknown
-    ;;
-  esac
-elif test "$with_gnu_ld" = yes; then
-  AC_MSG_CHECKING([for GNU ld])
-else
-  AC_MSG_CHECKING([for non-GNU ld])
-fi
-AC_CACHE_VAL(lt_cv_path_LD,
-[if test -z "$LD"; then
-  lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR
-  for ac_dir in $PATH; do
-    IFS="$lt_save_ifs"
-    test -z "$ac_dir" && ac_dir=.
-    if test -f "$ac_dir/$ac_prog" || test -f "$ac_dir/$ac_prog$ac_exeext"; then
-      lt_cv_path_LD="$ac_dir/$ac_prog"
-      # Check to see if the program is GNU ld.  I'd rather use --version,
-      # but apparently some variants of GNU ld only accept -v.
-      # Break only if it was the GNU/non-GNU ld that we prefer.
-      case `"$lt_cv_path_LD" -v 2>&1 </dev/null` in
-      *GNU* | *'with BFD'*)
-	test "$with_gnu_ld" != no && break
-	;;
-      *)
-	test "$with_gnu_ld" != yes && break
-	;;
-      esac
-    fi
-  done
-  IFS="$lt_save_ifs"
-else
-  lt_cv_path_LD="$LD" # Let the user override the test with a path.
-fi])
-LD="$lt_cv_path_LD"
-if test -n "$LD"; then
-  AC_MSG_RESULT($LD)
-else
-  AC_MSG_RESULT(no)
-fi
-test -z "$LD" && AC_MSG_ERROR([no acceptable ld found in \$PATH])
-_LT_PATH_LD_GNU
-AC_SUBST([LD])
-
-_LT_TAGDECL([], [LD], [1], [The linker used to build libraries])
-])# LT_PATH_LD
-
-# Old names:
-AU_ALIAS([AM_PROG_LD], [LT_PATH_LD])
-AU_ALIAS([AC_PROG_LD], [LT_PATH_LD])
-dnl aclocal-1.4 backwards compatibility:
-dnl AC_DEFUN([AM_PROG_LD], [])
-dnl AC_DEFUN([AC_PROG_LD], [])
-
-
-# _LT_PATH_LD_GNU
-#- --------------
-m4_defun([_LT_PATH_LD_GNU],
-[AC_CACHE_CHECK([if the linker ($LD) is GNU ld], lt_cv_prog_gnu_ld,
-[# I'd rather use --version here, but apparently some GNU lds only accept -v.
-case `$LD -v 2>&1 </dev/null` in
-*GNU* | *'with BFD'*)
-  lt_cv_prog_gnu_ld=yes
-  ;;
-*)
-  lt_cv_prog_gnu_ld=no
-  ;;
-esac])
-with_gnu_ld=$lt_cv_prog_gnu_ld
-])# _LT_PATH_LD_GNU
-
-
-# _LT_CMD_RELOAD
-# --------------
-# find reload flag for linker
-#   -- PORTME Some linkers may need a different reload flag.
-m4_defun([_LT_CMD_RELOAD],
-[AC_CACHE_CHECK([for $LD option to reload object files],
-  lt_cv_ld_reload_flag,
-  [lt_cv_ld_reload_flag='-r'])
-reload_flag=$lt_cv_ld_reload_flag
-case $reload_flag in
-"" | " "*) ;;
-*) reload_flag=" $reload_flag" ;;
-esac
-reload_cmds='$LD$reload_flag -o $output$reload_objs'
-case $host_os in
-  darwin*)
-    if test "$GCC" = yes; then
-      reload_cmds='$LTCC $LTCFLAGS -nostdlib ${wl}-r -o $output$reload_objs'
-    else
-      reload_cmds='$LD$reload_flag -o $output$reload_objs'
-    fi
-    ;;
-esac
-_LT_DECL([], [reload_flag], [1], [How to create reloadable object files])dnl
-_LT_DECL([], [reload_cmds], [2])dnl
-])# _LT_CMD_RELOAD
-
-
-# _LT_CHECK_MAGIC_METHOD
-# ----------------------
-# how to check for library dependencies
-#  -- PORTME fill in with the dynamic library characteristics
-m4_defun([_LT_CHECK_MAGIC_METHOD],
-[m4_require([_LT_DECL_EGREP])
-m4_require([_LT_DECL_OBJDUMP])
-AC_CACHE_CHECK([how to recognize dependent libraries],
-lt_cv_deplibs_check_method,
-[lt_cv_file_magic_cmd='$MAGIC_CMD'
-lt_cv_file_magic_test_file=
-lt_cv_deplibs_check_method='unknown'
-# Need to set the preceding variable on all platforms that support
-# interlibrary dependencies.
-# 'none' -- dependencies not supported.
-# `unknown' -- same as none, but documents that we really don't know.
-# 'pass_all' -- all dependencies passed with no checks.
-# 'test_compile' -- check by making test program.
-# 'file_magic [[regex]]' -- check by looking for files in library path
-# which responds to the $file_magic_cmd with a given extended regex.
-# If you have `file' or equivalent on your system and you're not sure
-# whether `pass_all' will *always* work, you probably want this one.
-
-case $host_os in
-aix[[4-9]]*)
-  lt_cv_deplibs_check_method=pass_all
-  ;;
-
-beos*)
-  lt_cv_deplibs_check_method=pass_all
-  ;;
-
-bsdi[[45]]*)
-  lt_cv_deplibs_check_method='file_magic ELF [[0-9]][[0-9]]*-bit [[ML]]SB (shared object|dynamic lib)'
-  lt_cv_file_magic_cmd='/usr/bin/file -L'
-  lt_cv_file_magic_test_file=/shlib/libc.so
-  ;;
-
-cygwin*)
-  # func_win32_libid is a shell function defined in ltmain.sh
-  lt_cv_deplibs_check_method='file_magic ^x86 archive import|^x86 DLL'
-  lt_cv_file_magic_cmd='func_win32_libid'
-  ;;
-
-mingw* | pw32*)
-  # Base MSYS/MinGW do not provide the 'file' command needed by
-  # func_win32_libid shell function, so use a weaker test based on 'objdump',
-  # unless we find 'file', for example because we are cross-compiling.
-  if ( file / ) >/dev/null 2>&1; then
-    lt_cv_deplibs_check_method='file_magic ^x86 archive import|^x86 DLL'
-    lt_cv_file_magic_cmd='func_win32_libid'
-  else
-    lt_cv_deplibs_check_method='file_magic file format pei*-i386(.*architecture: i386)?'
-    lt_cv_file_magic_cmd='$OBJDUMP -f'
-  fi
-  ;;
-
-cegcc)
-  # use the weaker test based on 'objdump'. See mingw*.
-  lt_cv_deplibs_check_method='file_magic file format pe-arm-.*little(.*architecture: arm)?'
-  lt_cv_file_magic_cmd='$OBJDUMP -f'
-  ;;
-
-darwin* | rhapsody*)
-  lt_cv_deplibs_check_method=pass_all
-  ;;
-
-freebsd* | dragonfly*)
-  if echo __ELF__ | $CC -E - | $GREP __ELF__ > /dev/null; then
-    case $host_cpu in
-    i*86 )
-      # Not sure whether the presence of OpenBSD here was a mistake.
-      # Let's accept both of them until this is cleared up.
-      lt_cv_deplibs_check_method='file_magic (FreeBSD|OpenBSD|DragonFly)/i[[3-9]]86 (compact )?demand paged shared library'
-      lt_cv_file_magic_cmd=/usr/bin/file
-      lt_cv_file_magic_test_file=`echo /usr/lib/libc.so.*`
-      ;;
-    esac
-  else
-    lt_cv_deplibs_check_method=pass_all
-  fi
-  ;;
-
-gnu*)
-  lt_cv_deplibs_check_method=pass_all
-  ;;
-
-hpux10.20* | hpux11*)
-  lt_cv_file_magic_cmd=/usr/bin/file
-  case $host_cpu in
-  ia64*)
-    lt_cv_deplibs_check_method='file_magic (s[[0-9]][[0-9]][[0-9]]|ELF-[[0-9]][[0-9]]) shared object file - IA64'
-    lt_cv_file_magic_test_file=/usr/lib/hpux32/libc.so
-    ;;
-  hppa*64*)
-    [lt_cv_deplibs_check_method='file_magic (s[0-9][0-9][0-9]|ELF-[0-9][0-9]) shared object file - PA-RISC [0-9].[0-9]']
-    lt_cv_file_magic_test_file=/usr/lib/pa20_64/libc.sl
-    ;;
-  *)
-    lt_cv_deplibs_check_method='file_magic (s[[0-9]][[0-9]][[0-9]]|PA-RISC[[0-9]].[[0-9]]) shared library'
-    lt_cv_file_magic_test_file=/usr/lib/libc.sl
-    ;;
-  esac
-  ;;
-
-interix[[3-9]]*)
-  # PIC code is broken on Interix 3.x, that's why |\.a not |_pic\.a here
-  lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so|\.a)$'
-  ;;
-
-irix5* | irix6* | nonstopux*)
-  case $LD in
-  *-32|*"-32 ") libmagic=32-bit;;
-  *-n32|*"-n32 ") libmagic=N32;;
-  *-64|*"-64 ") libmagic=64-bit;;
-  *) libmagic=never-match;;
-  esac
-  lt_cv_deplibs_check_method=pass_all
-  ;;
-
-# This must be Linux ELF.
-linux* | k*bsd*-gnu)
-  lt_cv_deplibs_check_method=pass_all
-  ;;
-
-netbsd* | netbsdelf*-gnu)
-  if echo __ELF__ | $CC -E - | $GREP __ELF__ > /dev/null; then
-    lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so\.[[0-9]]+\.[[0-9]]+|_pic\.a)$'
-  else
-    lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so|_pic\.a)$'
-  fi
-  ;;
-
-newos6*)
-  lt_cv_deplibs_check_method='file_magic ELF [[0-9]][[0-9]]*-bit [[ML]]SB (executable|dynamic lib)'
-  lt_cv_file_magic_cmd=/usr/bin/file
-  lt_cv_file_magic_test_file=/usr/lib/libnls.so
-  ;;
-
-*nto* | *qnx*)
-  lt_cv_deplibs_check_method=pass_all
-  ;;
-
-openbsd*)
-  if test -z "`echo __ELF__ | $CC -E - | $GREP __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
-    lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so\.[[0-9]]+\.[[0-9]]+|\.so|_pic\.a)$'
-  else
-    lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so\.[[0-9]]+\.[[0-9]]+|_pic\.a)$'
-  fi
-  ;;
-
-osf3* | osf4* | osf5*)
-  lt_cv_deplibs_check_method=pass_all
-  ;;
-
-rdos*)
-  lt_cv_deplibs_check_method=pass_all
-  ;;
-
-solaris*)
-  lt_cv_deplibs_check_method=pass_all
-  ;;
-
-sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX* | sysv4*uw2*)
-  lt_cv_deplibs_check_method=pass_all
-  ;;
-
-sysv4 | sysv4.3*)
-  case $host_vendor in
-  motorola)
-    lt_cv_deplibs_check_method='file_magic ELF [[0-9]][[0-9]]*-bit [[ML]]SB (shared object|dynamic lib) M[[0-9]][[0-9]]* Version [[0-9]]'
-    lt_cv_file_magic_test_file=`echo /usr/lib/libc.so*`
-    ;;
-  ncr)
-    lt_cv_deplibs_check_method=pass_all
-    ;;
-  sequent)
-    lt_cv_file_magic_cmd='/bin/file'
-    lt_cv_deplibs_check_method='file_magic ELF [[0-9]][[0-9]]*-bit [[LM]]SB (shared object|dynamic lib )'
-    ;;
-  sni)
-    lt_cv_file_magic_cmd='/bin/file'
-    lt_cv_deplibs_check_method="file_magic ELF [[0-9]][[0-9]]*-bit [[LM]]SB dynamic lib"
-    lt_cv_file_magic_test_file=/lib/libc.so
-    ;;
-  siemens)
-    lt_cv_deplibs_check_method=pass_all
-    ;;
-  pc)
-    lt_cv_deplibs_check_method=pass_all
-    ;;
-  esac
-  ;;
-
-tpf*)
-  lt_cv_deplibs_check_method=pass_all
-  ;;
-esac
-])
-file_magic_cmd=$lt_cv_file_magic_cmd
-deplibs_check_method=$lt_cv_deplibs_check_method
-test -z "$deplibs_check_method" && deplibs_check_method=unknown
-
-_LT_DECL([], [deplibs_check_method], [1],
-    [Method to check whether dependent libraries are shared objects])
-_LT_DECL([], [file_magic_cmd], [1],
-    [Command to use when deplibs_check_method == "file_magic"])
-])# _LT_CHECK_MAGIC_METHOD
-
-
-# LT_PATH_NM
-# ----------
-# find the pathname to a BSD- or MS-compatible name lister
-AC_DEFUN([LT_PATH_NM],
-[AC_REQUIRE([AC_PROG_CC])dnl
-AC_CACHE_CHECK([for BSD- or MS-compatible name lister (nm)], lt_cv_path_NM,
-[if test -n "$NM"; then
-  # Let the user override the test.
-  lt_cv_path_NM="$NM"
-else
-  lt_nm_to_check="${ac_tool_prefix}nm"
-  if test -n "$ac_tool_prefix" && test "$build" = "$host"; then
-    lt_nm_to_check="$lt_nm_to_check nm"
-  fi
-  for lt_tmp_nm in $lt_nm_to_check; do
-    lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR
-    for ac_dir in $PATH /usr/ccs/bin/elf /usr/ccs/bin /usr/ucb /bin; do
-      IFS="$lt_save_ifs"
-      test -z "$ac_dir" && ac_dir=.
-      tmp_nm="$ac_dir/$lt_tmp_nm"
-      if test -f "$tmp_nm" || test -f "$tmp_nm$ac_exeext" ; then
-	# Check to see if the nm accepts a BSD-compat flag.
-	# Adding the `sed 1q' prevents false positives on HP-UX, which says:
-	#   nm: unknown option "B" ignored
-	# Tru64's nm complains that /dev/null is an invalid object file
-	case `"$tmp_nm" -B /dev/null 2>&1 | sed '1q'` in
-	*/dev/null* | *'Invalid file or object type'*)
-	  lt_cv_path_NM="$tmp_nm -B"
-	  break
-	  ;;
-	*)
-	  case `"$tmp_nm" -p /dev/null 2>&1 | sed '1q'` in
-	  */dev/null*)
-	    lt_cv_path_NM="$tmp_nm -p"
-	    break
-	    ;;
-	  *)
-	    lt_cv_path_NM=${lt_cv_path_NM="$tmp_nm"} # keep the first match, but
-	    continue # so that we can try to find one that supports BSD flags
-	    ;;
-	  esac
-	  ;;
-	esac
-      fi
-    done
-    IFS="$lt_save_ifs"
-  done
-  : ${lt_cv_path_NM=no}
-fi])
-if test "$lt_cv_path_NM" != "no"; then
-  NM="$lt_cv_path_NM"
-else
-  # Didn't find any BSD compatible name lister, look for dumpbin.
-  AC_CHECK_TOOLS(DUMPBIN, ["dumpbin -symbols" "link -dump -symbols"], :)
-  AC_SUBST([DUMPBIN])
-  if test "$DUMPBIN" != ":"; then
-    NM="$DUMPBIN"
-  fi
-fi
-test -z "$NM" && NM=nm
-AC_SUBST([NM])
-_LT_DECL([], [NM], [1], [A BSD- or MS-compatible name lister])dnl
-
-AC_CACHE_CHECK([the name lister ($NM) interface], [lt_cv_nm_interface],
-  [lt_cv_nm_interface="BSD nm"
-  echo "int some_variable = 0;" > conftest.$ac_ext
-  (eval echo "\"\$as_me:__oline__: $ac_compile\"" >&AS_MESSAGE_LOG_FD)
-  (eval "$ac_compile" 2>conftest.err)
-  cat conftest.err >&AS_MESSAGE_LOG_FD
-  (eval echo "\"\$as_me:__oline__: $NM \\\"conftest.$ac_objext\\\"\"" >&AS_MESSAGE_LOG_FD)
-  (eval "$NM \"conftest.$ac_objext\"" 2>conftest.err > conftest.out)
-  cat conftest.err >&AS_MESSAGE_LOG_FD
-  (eval echo "\"\$as_me:__oline__: output\"" >&AS_MESSAGE_LOG_FD)
-  cat conftest.out >&AS_MESSAGE_LOG_FD
-  if $GREP 'External.*some_variable' conftest.out > /dev/null; then
-    lt_cv_nm_interface="MS dumpbin"
-  fi
-  rm -f conftest*])
-])# LT_PATH_NM
-
-# Old names:
-AU_ALIAS([AM_PROG_NM], [LT_PATH_NM])
-AU_ALIAS([AC_PROG_NM], [LT_PATH_NM])
-dnl aclocal-1.4 backwards compatibility:
-dnl AC_DEFUN([AM_PROG_NM], [])
-dnl AC_DEFUN([AC_PROG_NM], [])
-
-
-# LT_LIB_M
-# --------
-# check for math library
-AC_DEFUN([LT_LIB_M],
-[AC_REQUIRE([AC_CANONICAL_HOST])dnl
-LIBM=
-case $host in
-*-*-beos* | *-*-cygwin* | *-*-pw32* | *-*-darwin*)
-  # These system don't have libm, or don't need it
-  ;;
-*-ncr-sysv4.3*)
-  AC_CHECK_LIB(mw, _mwvalidcheckl, LIBM="-lmw")
-  AC_CHECK_LIB(m, cos, LIBM="$LIBM -lm")
-  ;;
-*)
-  AC_CHECK_LIB(m, cos, LIBM="-lm")
-  ;;
-esac
-AC_SUBST([LIBM])
-])# LT_LIB_M
-
-# Old name:
-AU_ALIAS([AC_CHECK_LIBM], [LT_LIB_M])
-dnl aclocal-1.4 backwards compatibility:
-dnl AC_DEFUN([AC_CHECK_LIBM], [])
-
-
-# _LT_COMPILER_NO_RTTI([TAGNAME])
-# -------------------------------
-m4_defun([_LT_COMPILER_NO_RTTI],
-[m4_require([_LT_TAG_COMPILER])dnl
-
-_LT_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)=
-
-if test "$GCC" = yes; then
-  _LT_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)=' -fno-builtin'
-
-  _LT_COMPILER_OPTION([if $compiler supports -fno-rtti -fno-exceptions],
-    lt_cv_prog_compiler_rtti_exceptions,
-    [-fno-rtti -fno-exceptions], [],
-    [_LT_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)="$_LT_TAGVAR(lt_prog_compiler_no_builtin_flag, $1) -fno-rtti -fno-exceptions"])
-fi
-_LT_TAGDECL([no_builtin_flag], [lt_prog_compiler_no_builtin_flag], [1],
-	[Compiler flag to turn off builtin functions])
-])# _LT_COMPILER_NO_RTTI
-
-
-# _LT_CMD_GLOBAL_SYMBOLS
-# ----------------------
-m4_defun([_LT_CMD_GLOBAL_SYMBOLS],
-[AC_REQUIRE([AC_CANONICAL_HOST])dnl
-AC_REQUIRE([AC_PROG_CC])dnl
-AC_REQUIRE([LT_PATH_NM])dnl
-AC_REQUIRE([LT_PATH_LD])dnl
-m4_require([_LT_DECL_SED])dnl
-m4_require([_LT_DECL_EGREP])dnl
-m4_require([_LT_TAG_COMPILER])dnl
-
-# Check for command to grab the raw symbol name followed by C symbol from nm.
-AC_MSG_CHECKING([command to parse $NM output from $compiler object])
-AC_CACHE_VAL([lt_cv_sys_global_symbol_pipe],
-[
-# These are sane defaults that work on at least a few old systems.
-# [They come from Ultrix.  What could be older than Ultrix?!! ;)]
-
-# Character class describing NM global symbol codes.
-symcode='[[BCDEGRST]]'
-
-# Regexp to match symbols that can be accessed directly from C.
-sympat='\([[_A-Za-z]][[_A-Za-z0-9]]*\)'
-
-# Define system-specific variables.
-case $host_os in
-aix*)
-  symcode='[[BCDT]]'
-  ;;
-cygwin* | mingw* | pw32* | cegcc*)
-  symcode='[[ABCDGISTW]]'
-  ;;
-hpux*)
-  if test "$host_cpu" = ia64; then
-    symcode='[[ABCDEGRST]]'
-  fi
-  ;;
-irix* | nonstopux*)
-  symcode='[[BCDEGRST]]'
-  ;;
-osf*)
-  symcode='[[BCDEGQRST]]'
-  ;;
-solaris*)
-  symcode='[[BDRT]]'
-  ;;
-sco3.2v5*)
-  symcode='[[DT]]'
-  ;;
-sysv4.2uw2*)
-  symcode='[[DT]]'
-  ;;
-sysv5* | sco5v6* | unixware* | OpenUNIX*)
-  symcode='[[ABDT]]'
-  ;;
-sysv4)
-  symcode='[[DFNSTU]]'
-  ;;
-esac
-
-# If we're using GNU nm, then use its standard symbol codes.
-case `$NM -V 2>&1` in
-*GNU* | *'with BFD'*)
-  symcode='[[ABCDGIRSTW]]' ;;
-esac
-
-# Transform an extracted symbol line into a proper C declaration.
-# Some systems (esp. on ia64) link data and code symbols differently,
-# so use this general approach.
-lt_cv_sys_global_symbol_to_cdecl="sed -n -e 's/^T .* \(.*\)$/extern int \1();/p' -e 's/^$symcode* .* \(.*\)$/extern char \1;/p'"
-
-# Transform an extracted symbol line into symbol name and symbol address
-lt_cv_sys_global_symbol_to_c_name_address="sed -n -e 's/^: \([[^ ]]*\) $/  {\\\"\1\\\", (void *) 0},/p' -e 's/^$symcode* \([[^ ]]*\) \([[^ ]]*\)$/  {\"\2\", (void *) \&\2},/p'"
-lt_cv_sys_global_symbol_to_c_name_address_lib_prefix="sed -n -e 's/^: \([[^ ]]*\) $/  {\\\"\1\\\", (void *) 0},/p' -e 's/^$symcode* \([[^ ]]*\) \(lib[[^ ]]*\)$/  {\"\2\", (void *) \&\2},/p' -e 's/^$symcode* \([[^ ]]*\) \([[^ ]]*\)$/  {\"lib\2\", (void *) \&\2},/p'"
-
-# Handle CRLF in mingw tool chain
-opt_cr=
-case $build_os in
-mingw*)
-  opt_cr=`$ECHO 'x\{0,1\}' | tr x '\015'` # option cr in regexp
-  ;;
-esac
-
-# Try without a prefix underscore, then with it.
-for ac_symprfx in "" "_"; do
-
-  # Transform symcode, sympat, and symprfx into a raw symbol and a C symbol.
-  symxfrm="\\1 $ac_symprfx\\2 \\2"
-
-  # Write the raw and C identifiers.
-  if test "$lt_cv_nm_interface" = "MS dumpbin"; then
-    # Fake it for dumpbin and say T for any non-static function
-    # and D for any global variable.
-    # Also find C++ and __fastcall symbols from MSVC++,
-    # which start with @ or ?.
-    lt_cv_sys_global_symbol_pipe="$AWK ['"\
-"     {last_section=section; section=\$ 3};"\
-"     /Section length .*#relocs.*(pick any)/{hide[last_section]=1};"\
-"     \$ 0!~/External *\|/{next};"\
-"     / 0+ UNDEF /{next}; / UNDEF \([^|]\)*()/{next};"\
-"     {if(hide[section]) next};"\
-"     {f=0}; \$ 0~/\(\).*\|/{f=1}; {printf f ? \"T \" : \"D \"};"\
-"     {split(\$ 0, a, /\||\r/); split(a[2], s)};"\
-"     s[1]~/^[@?]/{print s[1], s[1]; next};"\
-"     s[1]~prfx {split(s[1],t,\"@\"); print t[1], substr(t[1],length(prfx))}"\
-"     ' prfx=^$ac_symprfx]"
-  else
-    lt_cv_sys_global_symbol_pipe="sed -n -e 's/^.*[[	 ]]\($symcode$symcode*\)[[	 ]][[	 ]]*$ac_symprfx$sympat$opt_cr$/$symxfrm/p'"
-  fi
-
-  # Check to see that the pipe works correctly.
-  pipe_works=no
-
-  rm -f conftest*
-  cat > conftest.$ac_ext <<_LT_EOF
-#ifdef __cplusplus
-extern "C" {
-#endif
-char nm_test_var;
-void nm_test_func(void);
-void nm_test_func(void){}
-#ifdef __cplusplus
-}
-#endif
-int main(){nm_test_var='a';nm_test_func();return(0);}
-_LT_EOF
-
-  if AC_TRY_EVAL(ac_compile); then
-    # Now try to grab the symbols.
-    nlist=conftest.nm
-    if AC_TRY_EVAL(NM conftest.$ac_objext \| $lt_cv_sys_global_symbol_pipe \> $nlist) && test -s "$nlist"; then
-      # Try sorting and uniquifying the output.
-      if sort "$nlist" | uniq > "$nlist"T; then
-	mv -f "$nlist"T "$nlist"
-      else
-	rm -f "$nlist"T
-      fi
-
-      # Make sure that we snagged all the symbols we need.
-      if $GREP ' nm_test_var$' "$nlist" >/dev/null; then
-	if $GREP ' nm_test_func$' "$nlist" >/dev/null; then
-	  cat <<_LT_EOF > conftest.$ac_ext
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-_LT_EOF
-	  # Now generate the symbol file.
-	  eval "$lt_cv_sys_global_symbol_to_cdecl"' < "$nlist" | $GREP -v main >> conftest.$ac_ext'
-
-	  cat <<_LT_EOF >> conftest.$ac_ext
-
-/* The mapping between symbol names and symbols.  */
-const struct {
-  const char *name;
-  void       *address;
-}
-lt__PROGRAM__LTX_preloaded_symbols[[]] =
-{
-  { "@PROGRAM@", (void *) 0 },
-_LT_EOF
-	  $SED "s/^$symcode$symcode* \(.*\) \(.*\)$/  {\"\2\", (void *) \&\2},/" < "$nlist" | $GREP -v main >> conftest.$ac_ext
-	  cat <<\_LT_EOF >> conftest.$ac_ext
-  {0, (void *) 0}
-};
-
-/* This works around a problem in FreeBSD linker */
-#ifdef FREEBSD_WORKAROUND
-static const void *lt_preloaded_setup() {
-  return lt__PROGRAM__LTX_preloaded_symbols;
-}
-#endif
-
-#ifdef __cplusplus
-}
-#endif
-_LT_EOF
-	  # Now try linking the two files.
-	  mv conftest.$ac_objext conftstm.$ac_objext
-	  lt_save_LIBS="$LIBS"
-	  lt_save_CFLAGS="$CFLAGS"
-	  LIBS="conftstm.$ac_objext"
-	  CFLAGS="$CFLAGS$_LT_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)"
-	  if AC_TRY_EVAL(ac_link) && test -s conftest${ac_exeext}; then
-	    pipe_works=yes
-	  fi
-	  LIBS="$lt_save_LIBS"
-	  CFLAGS="$lt_save_CFLAGS"
-	else
-	  echo "cannot find nm_test_func in $nlist" >&AS_MESSAGE_LOG_FD
-	fi
-      else
-	echo "cannot find nm_test_var in $nlist" >&AS_MESSAGE_LOG_FD
-      fi
-    else
-      echo "cannot run $lt_cv_sys_global_symbol_pipe" >&AS_MESSAGE_LOG_FD
-    fi
-  else
-    echo "$progname: failed program was:" >&AS_MESSAGE_LOG_FD
-    cat conftest.$ac_ext >&5
-  fi
-  rm -rf conftest* conftst*
-
-  # Do not use the global_symbol_pipe unless it works.
-  if test "$pipe_works" = yes; then
-    break
-  else
-    lt_cv_sys_global_symbol_pipe=
-  fi
-done
-])
-if test -z "$lt_cv_sys_global_symbol_pipe"; then
-  lt_cv_sys_global_symbol_to_cdecl=
-fi
-if test -z "$lt_cv_sys_global_symbol_pipe$lt_cv_sys_global_symbol_to_cdecl"; then
-  AC_MSG_RESULT(failed)
-else
-  AC_MSG_RESULT(ok)
-fi
-
-_LT_DECL([global_symbol_pipe], [lt_cv_sys_global_symbol_pipe], [1],
-    [Take the output of nm and produce a listing of raw symbols and C names])
-_LT_DECL([global_symbol_to_cdecl], [lt_cv_sys_global_symbol_to_cdecl], [1],
-    [Transform the output of nm in a proper C declaration])
-_LT_DECL([global_symbol_to_c_name_address],
-    [lt_cv_sys_global_symbol_to_c_name_address], [1],
-    [Transform the output of nm in a C name address pair])
-_LT_DECL([global_symbol_to_c_name_address_lib_prefix],
-    [lt_cv_sys_global_symbol_to_c_name_address_lib_prefix], [1],
-    [Transform the output of nm in a C name address pair when lib prefix is needed])
-]) # _LT_CMD_GLOBAL_SYMBOLS
-
-
-# _LT_COMPILER_PIC([TAGNAME])
-# ---------------------------
-m4_defun([_LT_COMPILER_PIC],
-[m4_require([_LT_TAG_COMPILER])dnl
-_LT_TAGVAR(lt_prog_compiler_wl, $1)=
-_LT_TAGVAR(lt_prog_compiler_pic, $1)=
-_LT_TAGVAR(lt_prog_compiler_static, $1)=
-
-AC_MSG_CHECKING([for $compiler option to produce PIC])
-m4_if([$1], [CXX], [
-  # C++ specific cases for pic, static, wl, etc.
-  if test "$GXX" = yes; then
-    _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-    _LT_TAGVAR(lt_prog_compiler_static, $1)='-static'
-
-    case $host_os in
-    aix*)
-      # All AIX code is PIC.
-      if test "$host_cpu" = ia64; then
-	# AIX 5 now supports IA64 processor
-	_LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
-      fi
-      ;;
-
-    amigaos*)
-      case $host_cpu in
-      powerpc)
-            # see comment about AmigaOS4 .so support
-            _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
-        ;;
-      m68k)
-            # FIXME: we need at least 68020 code to build shared libraries, but
-            # adding the `-m68020' flag to GCC prevents building anything better,
-            # like `-m68040'.
-            _LT_TAGVAR(lt_prog_compiler_pic, $1)='-m68020 -resident32 -malways-restore-a4'
-        ;;
-      esac
-      ;;
-
-    beos* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*)
-      # PIC is the default for these OSes.
-      ;;
-    mingw* | cygwin* | os2* | pw32* | cegcc*)
-      # This hack is so that the source file can tell whether it is being
-      # built for inclusion in a dll (and should export symbols for example).
-      # Although the cygwin gcc ignores -fPIC, still need this for old-style
-      # (--disable-auto-import) libraries
-      m4_if([$1], [GCJ], [],
-	[_LT_TAGVAR(lt_prog_compiler_pic, $1)='-DDLL_EXPORT'])
-      ;;
-    darwin* | rhapsody*)
-      # PIC is the default on this platform
-      # Common symbols not allowed in MH_DYLIB files
-      _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fno-common'
-      ;;
-    *djgpp*)
-      # DJGPP does not support shared libraries at all
-      _LT_TAGVAR(lt_prog_compiler_pic, $1)=
-      ;;
-    interix[[3-9]]*)
-      # Interix 3.x gcc -fpic/-fPIC options generate broken code.
-      # Instead, we relocate shared libraries at runtime.
-      ;;
-    sysv4*MP*)
-      if test -d /usr/nec; then
-	_LT_TAGVAR(lt_prog_compiler_pic, $1)=-Kconform_pic
-      fi
-      ;;
-    hpux*)
-      # PIC is the default for 64-bit PA HP-UX, but not for 32-bit
-      # PA HP-UX.  On IA64 HP-UX, PIC is the default but the pic flag
-      # sets the default TLS model and affects inlining.
-      case $host_cpu in
-      hppa*64*)
-	;;
-      *)
-	_LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
-	;;
-      esac
-      ;;
-    *qnx* | *nto*)
-      # QNX uses GNU C++, but need to define -shared option too, otherwise
-      # it will coredump.
-      _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC -shared'
-      ;;
-    *)
-      _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
-      ;;
-    esac
-  else
-    case $host_os in
-      aix[[4-9]]*)
-	# All AIX code is PIC.
-	if test "$host_cpu" = ia64; then
-	  # AIX 5 now supports IA64 processor
-	  _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
-	else
-	  _LT_TAGVAR(lt_prog_compiler_static, $1)='-bnso -bI:/lib/syscalls.exp'
-	fi
-	;;
-      chorus*)
-	case $cc_basename in
-	cxch68*)
-	  # Green Hills C++ Compiler
-	  # _LT_TAGVAR(lt_prog_compiler_static, $1)="--no_auto_instantiation -u __main -u __premain -u _abort -r $COOL_DIR/lib/libOrb.a $MVME_DIR/lib/CC/libC.a $MVME_DIR/lib/classix/libcx.s.a"
-	  ;;
-	esac
-	;;
-      dgux*)
-	case $cc_basename in
-	  ec++*)
-	    _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
-	    ;;
-	  ghcx*)
-	    # Green Hills C++ Compiler
-	    _LT_TAGVAR(lt_prog_compiler_pic, $1)='-pic'
-	    ;;
-	  *)
-	    ;;
-	esac
-	;;
-      freebsd* | dragonfly*)
-	# FreeBSD uses GNU C++
-	;;
-      hpux9* | hpux10* | hpux11*)
-	case $cc_basename in
-	  CC*)
-	    _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-	    _LT_TAGVAR(lt_prog_compiler_static, $1)='${wl}-a ${wl}archive'
-	    if test "$host_cpu" != ia64; then
-	      _LT_TAGVAR(lt_prog_compiler_pic, $1)='+Z'
-	    fi
-	    ;;
-	  aCC*)
-	    _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-	    _LT_TAGVAR(lt_prog_compiler_static, $1)='${wl}-a ${wl}archive'
-	    case $host_cpu in
-	    hppa*64*|ia64*)
-	      # +Z the default
-	      ;;
-	    *)
-	      _LT_TAGVAR(lt_prog_compiler_pic, $1)='+Z'
-	      ;;
-	    esac
-	    ;;
-	  *)
-	    ;;
-	esac
-	;;
-      interix*)
-	# This is c89, which is MS Visual C++ (no shared libs)
-	# Anyone wants to do a port?
-	;;
-      irix5* | irix6* | nonstopux*)
-	case $cc_basename in
-	  CC*)
-	    _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-	    _LT_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
-	    # CC pic flag -KPIC is the default.
-	    ;;
-	  *)
-	    ;;
-	esac
-	;;
-      linux* | k*bsd*-gnu)
-	case $cc_basename in
-	  KCC*)
-	    # KAI C++ Compiler
-	    _LT_TAGVAR(lt_prog_compiler_wl, $1)='--backend -Wl,'
-	    _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
-	    ;;
-	  ecpc* )
-	    # old Intel C++ for x86_64 which still supported -KPIC.
-	    _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-	    _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
-	    _LT_TAGVAR(lt_prog_compiler_static, $1)='-static'
-	    ;;
-	  icpc* )
-	    # Intel C++, used to be incompatible with GCC.
-	    # ICC 10 doesn't accept -KPIC any more.
-	    _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-	    _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
-	    _LT_TAGVAR(lt_prog_compiler_static, $1)='-static'
-	    ;;
-	  pgCC* | pgcpp*)
-	    # Portland Group C++ compiler
-	    _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-	    _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fpic'
-	    _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
-	    ;;
-	  cxx*)
-	    # Compaq C++
-	    # Make sure the PIC flag is empty.  It appears that all Alpha
-	    # Linux and Compaq Tru64 Unix objects are PIC.
-	    _LT_TAGVAR(lt_prog_compiler_pic, $1)=
-	    _LT_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
-	    ;;
-	  xlc* | xlC*)
-	    # IBM XL 8.0 on PPC
-	    _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-	    _LT_TAGVAR(lt_prog_compiler_pic, $1)='-qpic'
-	    _LT_TAGVAR(lt_prog_compiler_static, $1)='-qstaticlink'
-	    ;;
-	  *)
-	    case `$CC -V 2>&1 | sed 5q` in
-	    *Sun\ C*)
-	      # Sun C++ 5.9
-	      _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
-	      _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
-	      _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Qoption ld '
-	      ;;
-	    esac
-	    ;;
-	esac
-	;;
-      lynxos*)
-	;;
-      m88k*)
-	;;
-      mvs*)
-	case $cc_basename in
-	  cxx*)
-	    _LT_TAGVAR(lt_prog_compiler_pic, $1)='-W c,exportall'
-	    ;;
-	  *)
-	    ;;
-	esac
-	;;
-      netbsd* | netbsdelf*-gnu)
-	;;
-      *qnx* | *nto*)
-        # QNX uses GNU C++, but need to define -shared option too, otherwise
-        # it will coredump.
-        _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC -shared'
-        ;;
-      osf3* | osf4* | osf5*)
-	case $cc_basename in
-	  KCC*)
-	    _LT_TAGVAR(lt_prog_compiler_wl, $1)='--backend -Wl,'
-	    ;;
-	  RCC*)
-	    # Rational C++ 2.4.1
-	    _LT_TAGVAR(lt_prog_compiler_pic, $1)='-pic'
-	    ;;
-	  cxx*)
-	    # Digital/Compaq C++
-	    _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-	    # Make sure the PIC flag is empty.  It appears that all Alpha
-	    # Linux and Compaq Tru64 Unix objects are PIC.
-	    _LT_TAGVAR(lt_prog_compiler_pic, $1)=
-	    _LT_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
-	    ;;
-	  *)
-	    ;;
-	esac
-	;;
-      psos*)
-	;;
-      solaris*)
-	case $cc_basename in
-	  CC*)
-	    # Sun C++ 4.2, 5.x and Centerline C++
-	    _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
-	    _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
-	    _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Qoption ld '
-	    ;;
-	  gcx*)
-	    # Green Hills C++ Compiler
-	    _LT_TAGVAR(lt_prog_compiler_pic, $1)='-PIC'
-	    ;;
-	  *)
-	    ;;
-	esac
-	;;
-      sunos4*)
-	case $cc_basename in
-	  CC*)
-	    # Sun C++ 4.x
-	    _LT_TAGVAR(lt_prog_compiler_pic, $1)='-pic'
-	    _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
-	    ;;
-	  lcc*)
-	    # Lucid
-	    _LT_TAGVAR(lt_prog_compiler_pic, $1)='-pic'
-	    ;;
-	  *)
-	    ;;
-	esac
-	;;
-      sysv5* | unixware* | sco3.2v5* | sco5v6* | OpenUNIX*)
-	case $cc_basename in
-	  CC*)
-	    _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-	    _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
-	    _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
-	    ;;
-	esac
-	;;
-      tandem*)
-	case $cc_basename in
-	  NCC*)
-	    # NonStop-UX NCC 3.20
-	    _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
-	    ;;
-	  *)
-	    ;;
-	esac
-	;;
-      vxworks*)
-	;;
-      *)
-	_LT_TAGVAR(lt_prog_compiler_can_build_shared, $1)=no
-	;;
-    esac
-  fi
-],
-[
-  if test "$GCC" = yes; then
-    _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-    _LT_TAGVAR(lt_prog_compiler_static, $1)='-static'
-
-    case $host_os in
-      aix*)
-      # All AIX code is PIC.
-      if test "$host_cpu" = ia64; then
-	# AIX 5 now supports IA64 processor
-	_LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
-      fi
-      ;;
-
-    amigaos*)
-      case $host_cpu in
-      powerpc)
-            # see comment about AmigaOS4 .so support
-            _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
-        ;;
-      m68k)
-            # FIXME: we need at least 68020 code to build shared libraries, but
-            # adding the `-m68020' flag to GCC prevents building anything better,
-            # like `-m68040'.
-            _LT_TAGVAR(lt_prog_compiler_pic, $1)='-m68020 -resident32 -malways-restore-a4'
-        ;;
-      esac
-      ;;
-
-    beos* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*)
-      # PIC is the default for these OSes.
-      ;;
-
-    mingw* | cygwin* | pw32* | os2* | cegcc*)
-      # This hack is so that the source file can tell whether it is being
-      # built for inclusion in a dll (and should export symbols for example).
-      # Although the cygwin gcc ignores -fPIC, still need this for old-style
-      # (--disable-auto-import) libraries
-      m4_if([$1], [GCJ], [],
-	[_LT_TAGVAR(lt_prog_compiler_pic, $1)='-DDLL_EXPORT'])
-      ;;
-
-    darwin* | rhapsody*)
-      # PIC is the default on this platform
-      # Common symbols not allowed in MH_DYLIB files
-      _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fno-common'
-      ;;
-
-    hpux*)
-      # PIC is the default for 64-bit PA HP-UX, but not for 32-bit
-      # PA HP-UX.  On IA64 HP-UX, PIC is the default but the pic flag
-      # sets the default TLS model and affects inlining.
-      case $host_cpu in
-      hppa*64*)
-	# +Z the default
-	;;
-      *)
-	_LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
-	;;
-      esac
-      ;;
-
-    interix[[3-9]]*)
-      # Interix 3.x gcc -fpic/-fPIC options generate broken code.
-      # Instead, we relocate shared libraries at runtime.
-      ;;
-
-    msdosdjgpp*)
-      # Just because we use GCC doesn't mean we suddenly get shared libraries
-      # on systems that don't support them.
-      _LT_TAGVAR(lt_prog_compiler_can_build_shared, $1)=no
-      enable_shared=no
-      ;;
-
-    *nto* | *qnx*)
-      # QNX uses GNU C++, but need to define -shared option too, otherwise
-      # it will coredump.
-      _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC -shared'
-      ;;
-
-    sysv4*MP*)
-      if test -d /usr/nec; then
-	_LT_TAGVAR(lt_prog_compiler_pic, $1)=-Kconform_pic
-      fi
-      ;;
-
-    *)
-      _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
-      ;;
-    esac
-  else
-    # PORTME Check for flag to pass linker flags through the system compiler.
-    case $host_os in
-    aix*)
-      _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-      if test "$host_cpu" = ia64; then
-	# AIX 5 now supports IA64 processor
-	_LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
-      else
-	_LT_TAGVAR(lt_prog_compiler_static, $1)='-bnso -bI:/lib/syscalls.exp'
-      fi
-      ;;
-
-    mingw* | cygwin* | pw32* | os2* | cegcc*)
-      # This hack is so that the source file can tell whether it is being
-      # built for inclusion in a dll (and should export symbols for example).
-      m4_if([$1], [GCJ], [],
-	[_LT_TAGVAR(lt_prog_compiler_pic, $1)='-DDLL_EXPORT'])
-      ;;
-
-    hpux9* | hpux10* | hpux11*)
-      _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-      # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but
-      # not for PA HP-UX.
-      case $host_cpu in
-      hppa*64*|ia64*)
-	# +Z the default
-	;;
-      *)
-	_LT_TAGVAR(lt_prog_compiler_pic, $1)='+Z'
-	;;
-      esac
-      # Is there a better lt_prog_compiler_static that works with the bundled CC?
-      _LT_TAGVAR(lt_prog_compiler_static, $1)='${wl}-a ${wl}archive'
-      ;;
-
-    irix5* | irix6* | nonstopux*)
-      _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-      # PIC (with -KPIC) is the default.
-      _LT_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
-      ;;
-
-    linux* | k*bsd*-gnu)
-      case $cc_basename in
-      # old Intel for x86_64 which still supported -KPIC.
-      ecc*)
-	_LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-	_LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
-	_LT_TAGVAR(lt_prog_compiler_static, $1)='-static'
-        ;;
-      # icc used to be incompatible with GCC.
-      # ICC 10 doesn't accept -KPIC any more.
-      icc* | ifort*)
-	_LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-	_LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
-	_LT_TAGVAR(lt_prog_compiler_static, $1)='-static'
-        ;;
-      # Lahey Fortran 8.1.
-      lf95*)
-	_LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-	_LT_TAGVAR(lt_prog_compiler_pic, $1)='--shared'
-	_LT_TAGVAR(lt_prog_compiler_static, $1)='--static'
-	;;
-      pgcc* | pgf77* | pgf90* | pgf95*)
-        # Portland Group compilers (*not* the Pentium gcc compiler,
-	# which looks to be a dead project)
-	_LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-	_LT_TAGVAR(lt_prog_compiler_pic, $1)='-fpic'
-	_LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
-        ;;
-      ccc*)
-        _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-        # All Alpha code is PIC.
-        _LT_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
-        ;;
-      xl*)
-	# IBM XL C 8.0/Fortran 10.1 on PPC
-	_LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-	_LT_TAGVAR(lt_prog_compiler_pic, $1)='-qpic'
-	_LT_TAGVAR(lt_prog_compiler_static, $1)='-qstaticlink'
-	;;
-      *)
-	case `$CC -V 2>&1 | sed 5q` in
-	*Sun\ C*)
-	  # Sun C 5.9
-	  _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
-	  _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
-	  _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-	  ;;
-	*Sun\ F*)
-	  # Sun Fortran 8.3 passes all unrecognized flags to the linker
-	  _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
-	  _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
-	  _LT_TAGVAR(lt_prog_compiler_wl, $1)=''
-	  ;;
-	esac
-	;;
-      esac
-      ;;
-
-    newsos6)
-      _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
-      _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
-      ;;
-
-    *nto* | *qnx*)
-      # QNX uses GNU C++, but need to define -shared option too, otherwise
-      # it will coredump.
-      _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC -shared'
-      ;;
-
-    osf3* | osf4* | osf5*)
-      _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-      # All OSF/1 code is PIC.
-      _LT_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
-      ;;
-
-    rdos*)
-      _LT_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
-      ;;
-
-    solaris*)
-      _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
-      _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
-      case $cc_basename in
-      f77* | f90* | f95*)
-	_LT_TAGVAR(lt_prog_compiler_wl, $1)='-Qoption ld ';;
-      *)
-	_LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,';;
-      esac
-      ;;
-
-    sunos4*)
-      _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Qoption ld '
-      _LT_TAGVAR(lt_prog_compiler_pic, $1)='-PIC'
-      _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
-      ;;
-
-    sysv4 | sysv4.2uw2* | sysv4.3*)
-      _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-      _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
-      _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
-      ;;
-
-    sysv4*MP*)
-      if test -d /usr/nec ;then
-	_LT_TAGVAR(lt_prog_compiler_pic, $1)='-Kconform_pic'
-	_LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
-      fi
-      ;;
-
-    sysv5* | unixware* | sco3.2v5* | sco5v6* | OpenUNIX*)
-      _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-      _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
-      _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
-      ;;
-
-    unicos*)
-      _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-      _LT_TAGVAR(lt_prog_compiler_can_build_shared, $1)=no
-      ;;
-
-    uts4*)
-      _LT_TAGVAR(lt_prog_compiler_pic, $1)='-pic'
-      _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
-      ;;
-
-    *)
-      _LT_TAGVAR(lt_prog_compiler_can_build_shared, $1)=no
-      ;;
-    esac
-  fi
-])
-case $host_os in
-  # For platforms which do not support PIC, -DPIC is meaningless:
-  *djgpp*)
-    _LT_TAGVAR(lt_prog_compiler_pic, $1)=
-    ;;
-  *)
-    _LT_TAGVAR(lt_prog_compiler_pic, $1)="$_LT_TAGVAR(lt_prog_compiler_pic, $1)@&t@m4_if([$1],[],[ -DPIC],[m4_if([$1],[CXX],[ -DPIC],[])])"
-    ;;
-esac
-AC_MSG_RESULT([$_LT_TAGVAR(lt_prog_compiler_pic, $1)])
-_LT_TAGDECL([wl], [lt_prog_compiler_wl], [1],
-	[How to pass a linker flag through the compiler])
-
-#
-# Check to make sure the PIC flag actually works.
-#
-if test -n "$_LT_TAGVAR(lt_prog_compiler_pic, $1)"; then
-  _LT_COMPILER_OPTION([if $compiler PIC flag $_LT_TAGVAR(lt_prog_compiler_pic, $1) works],
-    [_LT_TAGVAR(lt_cv_prog_compiler_pic_works, $1)],
-    [$_LT_TAGVAR(lt_prog_compiler_pic, $1)@&t@m4_if([$1],[],[ -DPIC],[m4_if([$1],[CXX],[ -DPIC],[])])], [],
-    [case $_LT_TAGVAR(lt_prog_compiler_pic, $1) in
-     "" | " "*) ;;
-     *) _LT_TAGVAR(lt_prog_compiler_pic, $1)=" $_LT_TAGVAR(lt_prog_compiler_pic, $1)" ;;
-     esac],
-    [_LT_TAGVAR(lt_prog_compiler_pic, $1)=
-     _LT_TAGVAR(lt_prog_compiler_can_build_shared, $1)=no])
-fi
-_LT_TAGDECL([pic_flag], [lt_prog_compiler_pic], [1],
-	[Additional compiler flags for building library objects])
-
-#
-# Check to make sure the static flag actually works.
-#
-wl=$_LT_TAGVAR(lt_prog_compiler_wl, $1) eval lt_tmp_static_flag=\"$_LT_TAGVAR(lt_prog_compiler_static, $1)\"
-_LT_LINKER_OPTION([if $compiler static flag $lt_tmp_static_flag works],
-  _LT_TAGVAR(lt_cv_prog_compiler_static_works, $1),
-  $lt_tmp_static_flag,
-  [],
-  [_LT_TAGVAR(lt_prog_compiler_static, $1)=])
-_LT_TAGDECL([link_static_flag], [lt_prog_compiler_static], [1],
-	[Compiler flag to prevent dynamic linking])
-])# _LT_COMPILER_PIC
-
-
-# _LT_LINKER_SHLIBS([TAGNAME])
-# ----------------------------
-# See if the linker supports building shared libraries.
-m4_defun([_LT_LINKER_SHLIBS],
-[AC_REQUIRE([LT_PATH_LD])dnl
-AC_REQUIRE([LT_PATH_NM])dnl
-m4_require([_LT_FILEUTILS_DEFAULTS])dnl
-m4_require([_LT_DECL_EGREP])dnl
-m4_require([_LT_DECL_SED])dnl
-m4_require([_LT_CMD_GLOBAL_SYMBOLS])dnl
-m4_require([_LT_TAG_COMPILER])dnl
-AC_MSG_CHECKING([whether the $compiler linker ($LD) supports shared libraries])
-m4_if([$1], [CXX], [
-  _LT_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols'
-  case $host_os in
-  aix[[4-9]]*)
-    # If we're using GNU nm, then we don't want the "-C" option.
-    # -C means demangle to AIX nm, but means don't demangle with GNU nm
-    if $NM -V 2>&1 | $GREP 'GNU' > /dev/null; then
-      _LT_TAGVAR(export_symbols_cmds, $1)='$NM -Bpg $libobjs $convenience | awk '\''{ if (((\$ 2 == "T") || (\$ 2 == "D") || (\$ 2 == "B")) && ([substr](\$ 3,1,1) != ".")) { print \$ 3 } }'\'' | sort -u > $export_symbols'
-    else
-      _LT_TAGVAR(export_symbols_cmds, $1)='$NM -BCpg $libobjs $convenience | awk '\''{ if (((\$ 2 == "T") || (\$ 2 == "D") || (\$ 2 == "B")) && ([substr](\$ 3,1,1) != ".")) { print \$ 3 } }'\'' | sort -u > $export_symbols'
-    fi
-    ;;
-  pw32*)
-    _LT_TAGVAR(export_symbols_cmds, $1)="$ltdll_cmds"
-  ;;
-  cygwin* | mingw* | cegcc*)
-    _LT_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[[BCDGRS]][[ ]]/s/.*[[ ]]\([[^ ]]*\)/\1 DATA/;/^.*[[ ]]__nm__/s/^.*[[ ]]__nm__\([[^ ]]*\)[[ ]][[^ ]]*/\1 DATA/;/^I[[ ]]/d;/^[[AITW]][[ ]]/s/.* //'\'' | sort | uniq > $export_symbols'
-  ;;
-  linux* | k*bsd*-gnu)
-    _LT_TAGVAR(link_all_deplibs, $1)=no
-  ;;
-  *)
-    _LT_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols'
-  ;;
-  esac
-  _LT_TAGVAR(exclude_expsyms, $1)=['_GLOBAL_OFFSET_TABLE_|_GLOBAL__F[ID]_.*']
-], [
-  runpath_var=
-  _LT_TAGVAR(allow_undefined_flag, $1)=
-  _LT_TAGVAR(always_export_symbols, $1)=no
-  _LT_TAGVAR(archive_cmds, $1)=
-  _LT_TAGVAR(archive_expsym_cmds, $1)=
-  _LT_TAGVAR(compiler_needs_object, $1)=no
-  _LT_TAGVAR(enable_shared_with_static_runtimes, $1)=no
-  _LT_TAGVAR(export_dynamic_flag_spec, $1)=
-  _LT_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols'
-  _LT_TAGVAR(hardcode_automatic, $1)=no
-  _LT_TAGVAR(hardcode_direct, $1)=no
-  _LT_TAGVAR(hardcode_direct_absolute, $1)=no
-  _LT_TAGVAR(hardcode_libdir_flag_spec, $1)=
-  _LT_TAGVAR(hardcode_libdir_flag_spec_ld, $1)=
-  _LT_TAGVAR(hardcode_libdir_separator, $1)=
-  _LT_TAGVAR(hardcode_minus_L, $1)=no
-  _LT_TAGVAR(hardcode_shlibpath_var, $1)=unsupported
-  _LT_TAGVAR(inherit_rpath, $1)=no
-  _LT_TAGVAR(link_all_deplibs, $1)=unknown
-  _LT_TAGVAR(module_cmds, $1)=
-  _LT_TAGVAR(module_expsym_cmds, $1)=
-  _LT_TAGVAR(old_archive_from_new_cmds, $1)=
-  _LT_TAGVAR(old_archive_from_expsyms_cmds, $1)=
-  _LT_TAGVAR(thread_safe_flag_spec, $1)=
-  _LT_TAGVAR(whole_archive_flag_spec, $1)=
-  # include_expsyms should be a list of space-separated symbols to be *always*
-  # included in the symbol list
-  _LT_TAGVAR(include_expsyms, $1)=
-  # exclude_expsyms can be an extended regexp of symbols to exclude
-  # it will be wrapped by ` (' and `)$', so one must not match beginning or
-  # end of line.  Example: `a|bc|.*d.*' will exclude the symbols `a' and `bc',
-  # as well as any symbol that contains `d'.
-  _LT_TAGVAR(exclude_expsyms, $1)=['_GLOBAL_OFFSET_TABLE_|_GLOBAL__F[ID]_.*']
-  # Although _GLOBAL_OFFSET_TABLE_ is a valid symbol C name, most a.out
-  # platforms (ab)use it in PIC code, but their linkers get confused if
-  # the symbol is explicitly referenced.  Since portable code cannot
-  # rely on this symbol name, it's probably fine to never include it in
-  # preloaded symbol tables.
-  # Exclude shared library initialization/finalization symbols.
-dnl Note also adjust exclude_expsyms for C++ above.
-  extract_expsyms_cmds=
-
-  case $host_os in
-  cygwin* | mingw* | pw32* | cegcc*)
-    # FIXME: the MSVC++ port hasn't been tested in a loooong time
-    # When not using gcc, we currently assume that we are using
-    # Microsoft Visual C++.
-    if test "$GCC" != yes; then
-      with_gnu_ld=no
-    fi
-    ;;
-  interix*)
-    # we just hope/assume this is gcc and not c89 (= MSVC++)
-    with_gnu_ld=yes
-    ;;
-  openbsd*)
-    with_gnu_ld=no
-    ;;
-  esac
-
-  _LT_TAGVAR(ld_shlibs, $1)=yes
-  if test "$with_gnu_ld" = yes; then
-    # If archive_cmds runs LD, not CC, wlarc should be empty
-    wlarc='${wl}'
-
-    # Set some defaults for GNU ld with shared library support. These
-    # are reset later if shared libraries are not supported. Putting them
-    # here allows them to be overridden if necessary.
-    runpath_var=LD_RUN_PATH
-    _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
-    _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic'
-    # ancient GNU ld didn't support --whole-archive et. al.
-    if $LD --help 2>&1 | $GREP 'no-whole-archive' > /dev/null; then
-      _LT_TAGVAR(whole_archive_flag_spec, $1)="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive'
-    else
-      _LT_TAGVAR(whole_archive_flag_spec, $1)=
-    fi
-    supports_anon_versioning=no
-    case `$LD -v 2>&1` in
-      *\ [[01]].* | *\ 2.[[0-9]].* | *\ 2.10.*) ;; # catch versions < 2.11
-      *\ 2.11.93.0.2\ *) supports_anon_versioning=yes ;; # RH7.3 ...
-      *\ 2.11.92.0.12\ *) supports_anon_versioning=yes ;; # Mandrake 8.2 ...
-      *\ 2.11.*) ;; # other 2.11 versions
-      *) supports_anon_versioning=yes ;;
-    esac
-
-    # See if GNU ld supports shared libraries.
-    case $host_os in
-    aix[[3-9]]*)
-      # On AIX/PPC, the GNU linker is very broken
-      if test "$host_cpu" != ia64; then
-	_LT_TAGVAR(ld_shlibs, $1)=no
-	cat <<_LT_EOF 1>&2
-
-*** Warning: the GNU linker, at least up to release 2.9.1, is reported
-*** to be unable to reliably create shared libraries on AIX.
-*** Therefore, libtool is disabling shared libraries support.  If you
-*** really care for shared libraries, you may want to modify your PATH
-*** so that a non-GNU linker is found, and then restart.
-
-_LT_EOF
-      fi
-      ;;
-
-    amigaos*)
-      case $host_cpu in
-      powerpc)
-            # see comment about AmigaOS4 .so support
-            _LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
-            _LT_TAGVAR(archive_expsym_cmds, $1)=''
-        ;;
-      m68k)
-            _LT_TAGVAR(archive_cmds, $1)='$RM $output_objdir/a2ixlibrary.data~$ECHO "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$ECHO "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$ECHO "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$ECHO "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)'
-            _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
-            _LT_TAGVAR(hardcode_minus_L, $1)=yes
-        ;;
-      esac
-      ;;
-
-    beos*)
-      if $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then
-	_LT_TAGVAR(allow_undefined_flag, $1)=unsupported
-	# Joseph Beckenbach <jrb3@best.com> says some releases of gcc
-	# support --undefined.  This deserves some investigation.  FIXME
-	_LT_TAGVAR(archive_cmds, $1)='$CC -nostart $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
-      else
-	_LT_TAGVAR(ld_shlibs, $1)=no
-      fi
-      ;;
-
-    cygwin* | mingw* | pw32* | cegcc*)
-      # _LT_TAGVAR(hardcode_libdir_flag_spec, $1) is actually meaningless,
-      # as there is no search path for DLLs.
-      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
-      _LT_TAGVAR(allow_undefined_flag, $1)=unsupported
-      _LT_TAGVAR(always_export_symbols, $1)=no
-      _LT_TAGVAR(enable_shared_with_static_runtimes, $1)=yes
-      _LT_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[[BCDGRS]][[ ]]/s/.*[[ ]]\([[^ ]]*\)/\1 DATA/'\'' | $SED -e '\''/^[[AITW]][[ ]]/s/.*[[ ]]//'\'' | sort | uniq > $export_symbols'
-
-      if $LD --help 2>&1 | $GREP 'auto-import' > /dev/null; then
-        _LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
-	# If the export-symbols file already is a .def file (1st line
-	# is EXPORTS), use it as is; otherwise, prepend...
-	_LT_TAGVAR(archive_expsym_cmds, $1)='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then
-	  cp $export_symbols $output_objdir/$soname.def;
-	else
-	  echo EXPORTS > $output_objdir/$soname.def;
-	  cat $export_symbols >> $output_objdir/$soname.def;
-	fi~
-	$CC -shared $output_objdir/$soname.def $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
-      else
-	_LT_TAGVAR(ld_shlibs, $1)=no
-      fi
-      ;;
-
-    interix[[3-9]]*)
-      _LT_TAGVAR(hardcode_direct, $1)=no
-      _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
-      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
-      _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
-      # Hack: On Interix 3.x, we cannot compile PIC because of a broken gcc.
-      # Instead, shared libraries are loaded at an image base (0x10000000 by
-      # default) and relocated if they conflict, which is a slow very memory
-      # consuming and fragmenting process.  To avoid this, we pick a random,
-      # 256 KiB-aligned image base between 0x50000000 and 0x6FFC0000 at link
-      # time.  Moving up from 0x10000000 also allows more sbrk(2) space.
-      _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
-      _LT_TAGVAR(archive_expsym_cmds, $1)='sed "s,^,_," $export_symbols >$output_objdir/$soname.expsym~$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--retain-symbols-file,$output_objdir/$soname.expsym ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
-      ;;
-
-    gnu* | linux* | tpf* | k*bsd*-gnu)
-      tmp_diet=no
-      if test "$host_os" = linux-dietlibc; then
-	case $cc_basename in
-	  diet\ *) tmp_diet=yes;;	# linux-dietlibc with static linking (!diet-dyn)
-	esac
-      fi
-      if $LD --help 2>&1 | $EGREP ': supported targets:.* elf' > /dev/null \
-	 && test "$tmp_diet" = no
-      then
-	tmp_addflag=
-	tmp_sharedflag='-shared'
-	case $cc_basename,$host_cpu in
-        pgcc*)				# Portland Group C compiler
-	  _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $ECHO \"$new_convenience\"` ${wl}--no-whole-archive'
-	  tmp_addflag=' $pic_flag'
-	  ;;
-	pgf77* | pgf90* | pgf95*)	# Portland Group f77 and f90 compilers
-	  _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $ECHO \"$new_convenience\"` ${wl}--no-whole-archive'
-	  tmp_addflag=' $pic_flag -Mnomain' ;;
-	ecc*,ia64* | icc*,ia64*)	# Intel C compiler on ia64
-	  tmp_addflag=' -i_dynamic' ;;
-	efc*,ia64* | ifort*,ia64*)	# Intel Fortran compiler on ia64
-	  tmp_addflag=' -i_dynamic -nofor_main' ;;
-	ifc* | ifort*)			# Intel Fortran compiler
-	  tmp_addflag=' -nofor_main' ;;
-	lf95*)				# Lahey Fortran 8.1
-	  _LT_TAGVAR(whole_archive_flag_spec, $1)=
-	  tmp_sharedflag='--shared' ;;
-	xl[[cC]]*)			# IBM XL C 8.0 on PPC (deal with xlf below)
-	  tmp_sharedflag='-qmkshrobj'
-	  tmp_addflag= ;;
-	esac
-	case `$CC -V 2>&1 | sed 5q` in
-	*Sun\ C*)			# Sun C 5.9
-	  _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`new_convenience=; for conv in $convenience\"\"; do test -z \"$conv\" || new_convenience=\"$new_convenience,$conv\"; done; $ECHO \"$new_convenience\"` ${wl}--no-whole-archive'
-	  _LT_TAGVAR(compiler_needs_object, $1)=yes
-	  tmp_sharedflag='-G' ;;
-	*Sun\ F*)			# Sun Fortran 8.3
-	  tmp_sharedflag='-G' ;;
-	esac
-	_LT_TAGVAR(archive_cmds, $1)='$CC '"$tmp_sharedflag""$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
-
-        if test "x$supports_anon_versioning" = xyes; then
-          _LT_TAGVAR(archive_expsym_cmds, $1)='echo "{ global:" > $output_objdir/$libname.ver~
-	    cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~
-	    echo "local: *; };" >> $output_objdir/$libname.ver~
-	    $CC '"$tmp_sharedflag""$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-version-script ${wl}$output_objdir/$libname.ver -o $lib'
-        fi
-
-	case $cc_basename in
-	xlf*)
-	  # IBM XL Fortran 10.1 on PPC cannot create shared libs itself
-	  _LT_TAGVAR(whole_archive_flag_spec, $1)='--whole-archive$convenience --no-whole-archive'
-	  _LT_TAGVAR(hardcode_libdir_flag_spec, $1)=
-	  _LT_TAGVAR(hardcode_libdir_flag_spec_ld, $1)='-rpath $libdir'
-	  _LT_TAGVAR(archive_cmds, $1)='$LD -shared $libobjs $deplibs $compiler_flags -soname $soname -o $lib'
-	  if test "x$supports_anon_versioning" = xyes; then
-	    _LT_TAGVAR(archive_expsym_cmds, $1)='echo "{ global:" > $output_objdir/$libname.ver~
-	      cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~
-	      echo "local: *; };" >> $output_objdir/$libname.ver~
-	      $LD -shared $libobjs $deplibs $compiler_flags -soname $soname -version-script $output_objdir/$libname.ver -o $lib'
-	  fi
-	  ;;
-	esac
-      else
-        _LT_TAGVAR(ld_shlibs, $1)=no
-      fi
-      ;;
-
-    netbsd* | netbsdelf*-gnu)
-      if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then
-	_LT_TAGVAR(archive_cmds, $1)='$LD -Bshareable $libobjs $deplibs $linker_flags -o $lib'
-	wlarc=
-      else
-	_LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
-	_LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
-      fi
-      ;;
-
-    solaris*)
-      if $LD -v 2>&1 | $GREP 'BFD 2\.8' > /dev/null; then
-	_LT_TAGVAR(ld_shlibs, $1)=no
-	cat <<_LT_EOF 1>&2
-
-*** Warning: The releases 2.8.* of the GNU linker cannot reliably
-*** create shared libraries on Solaris systems.  Therefore, libtool
-*** is disabling shared libraries support.  We urge you to upgrade GNU
-*** binutils to release 2.9.1 or newer.  Another option is to modify
-*** your PATH or compiler configuration so that the native linker is
-*** used, and then restart.
-
-_LT_EOF
-      elif $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then
-	_LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
-	_LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
-      else
-	_LT_TAGVAR(ld_shlibs, $1)=no
-      fi
-      ;;
-
-    sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX*)
-      case `$LD -v 2>&1` in
-        *\ [[01]].* | *\ 2.[[0-9]].* | *\ 2.1[[0-5]].*)
-	_LT_TAGVAR(ld_shlibs, $1)=no
-	cat <<_LT_EOF 1>&2
-
-*** Warning: Releases of the GNU linker prior to 2.16.91.0.3 can not
-*** reliably create shared libraries on SCO systems.  Therefore, libtool
-*** is disabling shared libraries support.  We urge you to upgrade GNU
-*** binutils to release 2.16.91.0.3 or newer.  Another option is to modify
-*** your PATH or compiler configuration so that the native linker is
-*** used, and then restart.
-
-_LT_EOF
-	;;
-	*)
-	  # For security reasons, it is highly recommended that you always
-	  # use absolute paths for naming shared libraries, and exclude the
-	  # DT_RUNPATH tag from executables and libraries.  But doing so
-	  # requires that you compile everything twice, which is a pain.
-	  if $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then
-	    _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
-	    _LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
-	    _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
-	  else
-	    _LT_TAGVAR(ld_shlibs, $1)=no
-	  fi
-	;;
-      esac
-      ;;
-
-    sunos4*)
-      _LT_TAGVAR(archive_cmds, $1)='$LD -assert pure-text -Bshareable -o $lib $libobjs $deplibs $linker_flags'
-      wlarc=
-      _LT_TAGVAR(hardcode_direct, $1)=yes
-      _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
-      ;;
-
-    *)
-      if $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then
-	_LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
-	_LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
-      else
-	_LT_TAGVAR(ld_shlibs, $1)=no
-      fi
-      ;;
-    esac
-
-    if test "$_LT_TAGVAR(ld_shlibs, $1)" = no; then
-      runpath_var=
-      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)=
-      _LT_TAGVAR(export_dynamic_flag_spec, $1)=
-      _LT_TAGVAR(whole_archive_flag_spec, $1)=
-    fi
-  else
-    # PORTME fill in a description of your system's linker (not GNU ld)
-    case $host_os in
-    aix3*)
-      _LT_TAGVAR(allow_undefined_flag, $1)=unsupported
-      _LT_TAGVAR(always_export_symbols, $1)=yes
-      _LT_TAGVAR(archive_expsym_cmds, $1)='$LD -o $output_objdir/$soname $libobjs $deplibs $linker_flags -bE:$export_symbols -T512 -H512 -bM:SRE~$AR $AR_FLAGS $lib $output_objdir/$soname'
-      # Note: this linker hardcodes the directories in LIBPATH if there
-      # are no directories specified by -L.
-      _LT_TAGVAR(hardcode_minus_L, $1)=yes
-      if test "$GCC" = yes && test -z "$lt_prog_compiler_static"; then
-	# Neither direct hardcoding nor static linking is supported with a
-	# broken collect2.
-	_LT_TAGVAR(hardcode_direct, $1)=unsupported
-      fi
-      ;;
-
-    aix[[4-9]]*)
-      if test "$host_cpu" = ia64; then
-	# On IA64, the linker does run time linking by default, so we don't
-	# have to do anything special.
-	aix_use_runtimelinking=no
-	exp_sym_flag='-Bexport'
-	no_entry_flag=""
-      else
-	# If we're using GNU nm, then we don't want the "-C" option.
-	# -C means demangle to AIX nm, but means don't demangle with GNU nm
-	if $NM -V 2>&1 | $GREP 'GNU' > /dev/null; then
-	  _LT_TAGVAR(export_symbols_cmds, $1)='$NM -Bpg $libobjs $convenience | awk '\''{ if (((\$ 2 == "T") || (\$ 2 == "D") || (\$ 2 == "B")) && ([substr](\$ 3,1,1) != ".")) { print \$ 3 } }'\'' | sort -u > $export_symbols'
-	else
-	  _LT_TAGVAR(export_symbols_cmds, $1)='$NM -BCpg $libobjs $convenience | awk '\''{ if (((\$ 2 == "T") || (\$ 2 == "D") || (\$ 2 == "B")) && ([substr](\$ 3,1,1) != ".")) { print \$ 3 } }'\'' | sort -u > $export_symbols'
-	fi
-	aix_use_runtimelinking=no
-
-	# Test if we are trying to use run time linking or normal
-	# AIX style linking. If -brtl is somewhere in LDFLAGS, we
-	# need to do runtime linking.
-	case $host_os in aix4.[[23]]|aix4.[[23]].*|aix[[5-9]]*)
-	  for ld_flag in $LDFLAGS; do
-	  if (test $ld_flag = "-brtl" || test $ld_flag = "-Wl,-brtl"); then
-	    aix_use_runtimelinking=yes
-	    break
-	  fi
-	  done
-	  ;;
-	esac
-
-	exp_sym_flag='-bexport'
-	no_entry_flag='-bnoentry'
-      fi
-
-      # When large executables or shared objects are built, AIX ld can
-      # have problems creating the table of contents.  If linking a library
-      # or program results in "error TOC overflow" add -mminimal-toc to
-      # CXXFLAGS/CFLAGS for g++/gcc.  In the cases where that is not
-      # enough to fix the problem, add -Wl,-bbigtoc to LDFLAGS.
-
-      _LT_TAGVAR(archive_cmds, $1)=''
-      _LT_TAGVAR(hardcode_direct, $1)=yes
-      _LT_TAGVAR(hardcode_direct_absolute, $1)=yes
-      _LT_TAGVAR(hardcode_libdir_separator, $1)=':'
-      _LT_TAGVAR(link_all_deplibs, $1)=yes
-      _LT_TAGVAR(file_list_spec, $1)='${wl}-f,'
-
-      if test "$GCC" = yes; then
-	case $host_os in aix4.[[012]]|aix4.[[012]].*)
-	# We only want to do this on AIX 4.2 and lower, the check
-	# below for broken collect2 doesn't work under 4.3+
-	  collect2name=`${CC} -print-prog-name=collect2`
-	  if test -f "$collect2name" &&
-	   strings "$collect2name" | $GREP resolve_lib_name >/dev/null
-	  then
-	  # We have reworked collect2
-	  :
-	  else
-	  # We have old collect2
-	  _LT_TAGVAR(hardcode_direct, $1)=unsupported
-	  # It fails to find uninstalled libraries when the uninstalled
-	  # path is not listed in the libpath.  Setting hardcode_minus_L
-	  # to unsupported forces relinking
-	  _LT_TAGVAR(hardcode_minus_L, $1)=yes
-	  _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
-	  _LT_TAGVAR(hardcode_libdir_separator, $1)=
-	  fi
-	  ;;
-	esac
-	shared_flag='-shared'
-	if test "$aix_use_runtimelinking" = yes; then
-	  shared_flag="$shared_flag "'${wl}-G'
-	fi
-	_LT_TAGVAR(link_all_deplibs, $1)=no
-      else
-	# not using gcc
-	if test "$host_cpu" = ia64; then
-	# VisualAge C++, Version 5.5 for AIX 5L for IA-64, Beta 3 Release
-	# chokes on -Wl,-G. The following line is correct:
-	  shared_flag='-G'
-	else
-	  if test "$aix_use_runtimelinking" = yes; then
-	    shared_flag='${wl}-G'
-	  else
-	    shared_flag='${wl}-bM:SRE'
-	  fi
-	fi
-      fi
-
-      _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-bexpall'
-      # It seems that -bexpall does not export symbols beginning with
-      # underscore (_), so it is better to generate a list of symbols to export.
-      _LT_TAGVAR(always_export_symbols, $1)=yes
-      if test "$aix_use_runtimelinking" = yes; then
-	# Warning - without using the other runtime loading flags (-brtl),
-	# -berok will link without error, but may produce a broken library.
-	_LT_TAGVAR(allow_undefined_flag, $1)='-berok'
-        # Determine the default libpath from the value encoded in an
-        # empty executable.
-        _LT_SYS_MODULE_PATH_AIX
-        _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-blibpath:$libdir:'"$aix_libpath"
-        _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then $ECHO "X${wl}${allow_undefined_flag}" | $Xsed; else :; fi` '"\${wl}$exp_sym_flag:\$export_symbols $shared_flag"
-      else
-	if test "$host_cpu" = ia64; then
-	  _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-R $libdir:/usr/lib:/lib'
-	  _LT_TAGVAR(allow_undefined_flag, $1)="-z nodefs"
-	  _LT_TAGVAR(archive_expsym_cmds, $1)="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags ${wl}${allow_undefined_flag} '"\${wl}$exp_sym_flag:\$export_symbols"
-	else
-	 # Determine the default libpath from the value encoded in an
-	 # empty executable.
-	 _LT_SYS_MODULE_PATH_AIX
-	 _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-blibpath:$libdir:'"$aix_libpath"
-	  # Warning - without using the other run time loading flags,
-	  # -berok will link without error, but may produce a broken library.
-	  _LT_TAGVAR(no_undefined_flag, $1)=' ${wl}-bernotok'
-	  _LT_TAGVAR(allow_undefined_flag, $1)=' ${wl}-berok'
-	  # Exported symbols can be pulled into shared objects from archives
-	  _LT_TAGVAR(whole_archive_flag_spec, $1)='$convenience'
-	  _LT_TAGVAR(archive_cmds_need_lc, $1)=yes
-	  # This is similar to how AIX traditionally builds its shared libraries.
-	  _LT_TAGVAR(archive_expsym_cmds, $1)="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs ${wl}-bnoentry $compiler_flags ${wl}-bE:$export_symbols${allow_undefined_flag}~$AR $AR_FLAGS $output_objdir/$libname$release.a $output_objdir/$soname'
-	fi
-      fi
-      ;;
-
-    amigaos*)
-      case $host_cpu in
-      powerpc)
-            # see comment about AmigaOS4 .so support
-            _LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
-            _LT_TAGVAR(archive_expsym_cmds, $1)=''
-        ;;
-      m68k)
-            _LT_TAGVAR(archive_cmds, $1)='$RM $output_objdir/a2ixlibrary.data~$ECHO "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$ECHO "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$ECHO "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$ECHO "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)'
-            _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
-            _LT_TAGVAR(hardcode_minus_L, $1)=yes
-        ;;
-      esac
-      ;;
-
-    bsdi[[45]]*)
-      _LT_TAGVAR(export_dynamic_flag_spec, $1)=-rdynamic
-      ;;
-
-    cygwin* | mingw* | pw32* | cegcc*)
-      # When not using gcc, we currently assume that we are using
-      # Microsoft Visual C++.
-      # hardcode_libdir_flag_spec is actually meaningless, as there is
-      # no search path for DLLs.
-      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)=' '
-      _LT_TAGVAR(allow_undefined_flag, $1)=unsupported
-      # Tell ltmain to make .lib files, not .a files.
-      libext=lib
-      # Tell ltmain to make .dll files, not .so files.
-      shrext_cmds=".dll"
-      # FIXME: Setting linknames here is a bad hack.
-      _LT_TAGVAR(archive_cmds, $1)='$CC -o $lib $libobjs $compiler_flags `$ECHO "X$deplibs" | $Xsed -e '\''s/ -lc$//'\''` -link -dll~linknames='
-      # The linker will automatically build a .lib file if we build a DLL.
-      _LT_TAGVAR(old_archive_from_new_cmds, $1)='true'
-      # FIXME: Should let the user specify the lib program.
-      _LT_TAGVAR(old_archive_cmds, $1)='lib -OUT:$oldlib$oldobjs$old_deplibs'
-      _LT_TAGVAR(fix_srcfile_path, $1)='`cygpath -w "$srcfile"`'
-      _LT_TAGVAR(enable_shared_with_static_runtimes, $1)=yes
-      ;;
-
-    darwin* | rhapsody*)
-      _LT_DARWIN_LINKER_FEATURES($1)
-      ;;
-
-    dgux*)
-      _LT_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
-      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
-      _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
-      ;;
-
-    freebsd1*)
-      _LT_TAGVAR(ld_shlibs, $1)=no
-      ;;
-
-    # FreeBSD 2.2.[012] allows us to include c++rt0.o to get C++ constructor
-    # support.  Future versions do this automatically, but an explicit c++rt0.o
-    # does not break anything, and helps significantly (at the cost of a little
-    # extra space).
-    freebsd2.2*)
-      _LT_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags /usr/lib/c++rt0.o'
-      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
-      _LT_TAGVAR(hardcode_direct, $1)=yes
-      _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
-      ;;
-
-    # Unfortunately, older versions of FreeBSD 2 do not have this feature.
-    freebsd2*)
-      _LT_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'
-      _LT_TAGVAR(hardcode_direct, $1)=yes
-      _LT_TAGVAR(hardcode_minus_L, $1)=yes
-      _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
-      ;;
-
-    # FreeBSD 3 and greater uses gcc -shared to do shared libraries.
-    freebsd* | dragonfly*)
-      _LT_TAGVAR(archive_cmds, $1)='$CC -shared -o $lib $libobjs $deplibs $compiler_flags'
-      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
-      _LT_TAGVAR(hardcode_direct, $1)=yes
-      _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
-      ;;
-
-    hpux9*)
-      if test "$GCC" = yes; then
-	_LT_TAGVAR(archive_cmds, $1)='$RM $output_objdir/$soname~$CC -shared -fPIC ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $libobjs $deplibs $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
-      else
-	_LT_TAGVAR(archive_cmds, $1)='$RM $output_objdir/$soname~$LD -b +b $install_libdir -o $output_objdir/$soname $libobjs $deplibs $linker_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
-      fi
-      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir'
-      _LT_TAGVAR(hardcode_libdir_separator, $1)=:
-      _LT_TAGVAR(hardcode_direct, $1)=yes
-
-      # hardcode_minus_L: Not really in the search PATH,
-      # but as the default location of the library.
-      _LT_TAGVAR(hardcode_minus_L, $1)=yes
-      _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
-      ;;
-
-    hpux10*)
-      if test "$GCC" = yes -a "$with_gnu_ld" = no; then
-	_LT_TAGVAR(archive_cmds, $1)='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
-      else
-	_LT_TAGVAR(archive_cmds, $1)='$LD -b +h $soname +b $install_libdir -o $lib $libobjs $deplibs $linker_flags'
-      fi
-      if test "$with_gnu_ld" = no; then
-	_LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir'
-	_LT_TAGVAR(hardcode_libdir_flag_spec_ld, $1)='+b $libdir'
-	_LT_TAGVAR(hardcode_libdir_separator, $1)=:
-	_LT_TAGVAR(hardcode_direct, $1)=yes
-	_LT_TAGVAR(hardcode_direct_absolute, $1)=yes
-	_LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
-	# hardcode_minus_L: Not really in the search PATH,
-	# but as the default location of the library.
-	_LT_TAGVAR(hardcode_minus_L, $1)=yes
-      fi
-      ;;
-
-    hpux11*)
-      if test "$GCC" = yes -a "$with_gnu_ld" = no; then
-	case $host_cpu in
-	hppa*64*)
-	  _LT_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}+h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
-	  ;;
-	ia64*)
-	  _LT_TAGVAR(archive_cmds, $1)='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags'
-	  ;;
-	*)
-	  _LT_TAGVAR(archive_cmds, $1)='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
-	  ;;
-	esac
-      else
-	case $host_cpu in
-	hppa*64*)
-	  _LT_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
-	  ;;
-	ia64*)
-	  _LT_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags'
-	  ;;
-	*)
-	  _LT_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
-	  ;;
-	esac
-      fi
-      if test "$with_gnu_ld" = no; then
-	_LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir'
-	_LT_TAGVAR(hardcode_libdir_separator, $1)=:
-
-	case $host_cpu in
-	hppa*64*|ia64*)
-	  _LT_TAGVAR(hardcode_direct, $1)=no
-	  _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
-	  ;;
-	*)
-	  _LT_TAGVAR(hardcode_direct, $1)=yes
-	  _LT_TAGVAR(hardcode_direct_absolute, $1)=yes
-	  _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
-
-	  # hardcode_minus_L: Not really in the search PATH,
-	  # but as the default location of the library.
-	  _LT_TAGVAR(hardcode_minus_L, $1)=yes
-	  ;;
-	esac
-      fi
-      ;;
-
-    irix5* | irix6* | nonstopux*)
-      if test "$GCC" = yes; then
-	_LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && $ECHO "X${wl}-set_version ${wl}$verstring" | $Xsed` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
-	# Try to use the -exported_symbol ld option, if it does not
-	# work, assume that -exports_file does not work either and
-	# implicitly export all symbols.
-        save_LDFLAGS="$LDFLAGS"
-        LDFLAGS="$LDFLAGS -shared ${wl}-exported_symbol ${wl}foo ${wl}-update_registry ${wl}/dev/null"
-        AC_LINK_IFELSE(int foo(void) {},
-          _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && $ECHO "X${wl}-set_version ${wl}$verstring" | $Xsed` ${wl}-update_registry ${wl}${output_objdir}/so_locations ${wl}-exports_file ${wl}$export_symbols -o $lib'
-        )
-        LDFLAGS="$save_LDFLAGS"
-      else
-	_LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && $ECHO "X-set_version $verstring" | $Xsed` -update_registry ${output_objdir}/so_locations -o $lib'
-	_LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && $ECHO "X-set_version $verstring" | $Xsed` -update_registry ${output_objdir}/so_locations -exports_file $export_symbols -o $lib'
-      fi
-      _LT_TAGVAR(archive_cmds_need_lc, $1)='no'
-      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
-      _LT_TAGVAR(hardcode_libdir_separator, $1)=:
-      _LT_TAGVAR(inherit_rpath, $1)=yes
-      _LT_TAGVAR(link_all_deplibs, $1)=yes
-      ;;
-
-    netbsd* | netbsdelf*-gnu)
-      if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then
-	_LT_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'  # a.out
-      else
-	_LT_TAGVAR(archive_cmds, $1)='$LD -shared -o $lib $libobjs $deplibs $linker_flags'      # ELF
-      fi
-      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
-      _LT_TAGVAR(hardcode_direct, $1)=yes
-      _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
-      ;;
-
-    newsos6)
-      _LT_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
-      _LT_TAGVAR(hardcode_direct, $1)=yes
-      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
-      _LT_TAGVAR(hardcode_libdir_separator, $1)=:
-      _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
-      ;;
-
-    *nto* | *qnx*)
-      ;;
-
-    openbsd*)
-      if test -f /usr/libexec/ld.so; then
-	_LT_TAGVAR(hardcode_direct, $1)=yes
-	_LT_TAGVAR(hardcode_shlibpath_var, $1)=no
-	_LT_TAGVAR(hardcode_direct_absolute, $1)=yes
-	if test -z "`echo __ELF__ | $CC -E - | $GREP __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
-	  _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
-	  _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-retain-symbols-file,$export_symbols'
-	  _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
-	  _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
-	else
-	  case $host_os in
-	   openbsd[[01]].* | openbsd2.[[0-7]] | openbsd2.[[0-7]].*)
-	     _LT_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'
-	     _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
-	     ;;
-	   *)
-	     _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
-	     _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
-	     ;;
-	  esac
-	fi
-      else
-	_LT_TAGVAR(ld_shlibs, $1)=no
-      fi
-      ;;
-
-    os2*)
-      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
-      _LT_TAGVAR(hardcode_minus_L, $1)=yes
-      _LT_TAGVAR(allow_undefined_flag, $1)=unsupported
-      _LT_TAGVAR(archive_cmds, $1)='$ECHO "LIBRARY $libname INITINSTANCE" > $output_objdir/$libname.def~$ECHO "DESCRIPTION \"$libname\"" >> $output_objdir/$libname.def~$ECHO DATA >> $output_objdir/$libname.def~$ECHO " SINGLE NONSHARED" >> $output_objdir/$libname.def~$ECHO EXPORTS >> $output_objdir/$libname.def~emxexp $libobjs >> $output_objdir/$libname.def~$CC -Zdll -Zcrtdll -o $lib $libobjs $deplibs $compiler_flags $output_objdir/$libname.def'
-      _LT_TAGVAR(old_archive_from_new_cmds, $1)='emximp -o $output_objdir/$libname.a $output_objdir/$libname.def'
-      ;;
-
-    osf3*)
-      if test "$GCC" = yes; then
-	_LT_TAGVAR(allow_undefined_flag, $1)=' ${wl}-expect_unresolved ${wl}\*'
-	_LT_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && $ECHO "X${wl}-set_version ${wl}$verstring" | $Xsed` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
-      else
-	_LT_TAGVAR(allow_undefined_flag, $1)=' -expect_unresolved \*'
-	_LT_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && $ECHO "X-set_version $verstring" | $Xsed` -update_registry ${output_objdir}/so_locations -o $lib'
-      fi
-      _LT_TAGVAR(archive_cmds_need_lc, $1)='no'
-      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
-      _LT_TAGVAR(hardcode_libdir_separator, $1)=:
-      ;;
-
-    osf4* | osf5*)	# as osf3* with the addition of -msym flag
-      if test "$GCC" = yes; then
-	_LT_TAGVAR(allow_undefined_flag, $1)=' ${wl}-expect_unresolved ${wl}\*'
-	_LT_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-msym ${wl}-soname ${wl}$soname `test -n "$verstring" && $ECHO "X${wl}-set_version ${wl}$verstring" | $Xsed` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
-	_LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
-      else
-	_LT_TAGVAR(allow_undefined_flag, $1)=' -expect_unresolved \*'
-	_LT_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags -msym -soname $soname `test -n "$verstring" && $ECHO "X-set_version $verstring" | $Xsed` -update_registry ${output_objdir}/so_locations -o $lib'
-	_LT_TAGVAR(archive_expsym_cmds, $1)='for i in `cat $export_symbols`; do printf "%s %s\\n" -exported_symbol "\$i" >> $lib.exp; done; printf "%s\\n" "-hidden">> $lib.exp~
-	$CC -shared${allow_undefined_flag} ${wl}-input ${wl}$lib.exp $compiler_flags $libobjs $deplibs -soname $soname `test -n "$verstring" && $ECHO "X-set_version $verstring" | $Xsed` -update_registry ${output_objdir}/so_locations -o $lib~$RM $lib.exp'
-
-	# Both c and cxx compiler support -rpath directly
-	_LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-rpath $libdir'
-      fi
-      _LT_TAGVAR(archive_cmds_need_lc, $1)='no'
-      _LT_TAGVAR(hardcode_libdir_separator, $1)=:
-      ;;
-
-    solaris*)
-      _LT_TAGVAR(no_undefined_flag, $1)=' -z defs'
-      if test "$GCC" = yes; then
-	wlarc='${wl}'
-	_LT_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}-z ${wl}text ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
-	_LT_TAGVAR(archive_expsym_cmds, $1)='echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~echo "local: *; };" >> $lib.exp~
-	  $CC -shared ${wl}-z ${wl}text ${wl}-M ${wl}$lib.exp ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags~$RM $lib.exp'
-      else
-	case `$CC -V 2>&1` in
-	*"Compilers 5.0"*)
-	  wlarc=''
-	  _LT_TAGVAR(archive_cmds, $1)='$LD -G${allow_undefined_flag} -h $soname -o $lib $libobjs $deplibs $linker_flags'
-	  _LT_TAGVAR(archive_expsym_cmds, $1)='echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~echo "local: *; };" >> $lib.exp~
-	  $LD -G${allow_undefined_flag} -M $lib.exp -h $soname -o $lib $libobjs $deplibs $linker_flags~$RM $lib.exp'
-	  ;;
-	*)
-	  wlarc='${wl}'
-	  _LT_TAGVAR(archive_cmds, $1)='$CC -G${allow_undefined_flag} -h $soname -o $lib $libobjs $deplibs $compiler_flags'
-	  _LT_TAGVAR(archive_expsym_cmds, $1)='echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~echo "local: *; };" >> $lib.exp~
-	  $CC -G${allow_undefined_flag} -M $lib.exp -h $soname -o $lib $libobjs $deplibs $compiler_flags~$RM $lib.exp'
-	  ;;
-	esac
-      fi
-      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
-      _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
-      case $host_os in
-      solaris2.[[0-5]] | solaris2.[[0-5]].*) ;;
-      *)
-	# The compiler driver will combine and reorder linker options,
-	# but understands `-z linker_flag'.  GCC discards it without `$wl',
-	# but is careful enough not to reorder.
-	# Supported since Solaris 2.6 (maybe 2.5.1?)
-	if test "$GCC" = yes; then
-	  _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}-z ${wl}allextract$convenience ${wl}-z ${wl}defaultextract'
-	else
-	  _LT_TAGVAR(whole_archive_flag_spec, $1)='-z allextract$convenience -z defaultextract'
-	fi
-	;;
-      esac
-      _LT_TAGVAR(link_all_deplibs, $1)=yes
-      ;;
-
-    sunos4*)
-      if test "x$host_vendor" = xsequent; then
-	# Use $CC to link under sequent, because it throws in some extra .o
-	# files that make .init and .fini sections work.
-	_LT_TAGVAR(archive_cmds, $1)='$CC -G ${wl}-h $soname -o $lib $libobjs $deplibs $compiler_flags'
-      else
-	_LT_TAGVAR(archive_cmds, $1)='$LD -assert pure-text -Bstatic -o $lib $libobjs $deplibs $linker_flags'
-      fi
-      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
-      _LT_TAGVAR(hardcode_direct, $1)=yes
-      _LT_TAGVAR(hardcode_minus_L, $1)=yes
-      _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
-      ;;
-
-    sysv4)
-      case $host_vendor in
-	sni)
-	  _LT_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
-	  _LT_TAGVAR(hardcode_direct, $1)=yes # is this really true???
-	;;
-	siemens)
-	  ## LD is ld it makes a PLAMLIB
-	  ## CC just makes a GrossModule.
-	  _LT_TAGVAR(archive_cmds, $1)='$LD -G -o $lib $libobjs $deplibs $linker_flags'
-	  _LT_TAGVAR(reload_cmds, $1)='$CC -r -o $output$reload_objs'
-	  _LT_TAGVAR(hardcode_direct, $1)=no
-        ;;
-	motorola)
-	  _LT_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
-	  _LT_TAGVAR(hardcode_direct, $1)=no #Motorola manual says yes, but my tests say they lie
-	;;
-      esac
-      runpath_var='LD_RUN_PATH'
-      _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
-      ;;
-
-    sysv4.3*)
-      _LT_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
-      _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
-      _LT_TAGVAR(export_dynamic_flag_spec, $1)='-Bexport'
-      ;;
-
-    sysv4*MP*)
-      if test -d /usr/nec; then
-	_LT_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
-	_LT_TAGVAR(hardcode_shlibpath_var, $1)=no
-	runpath_var=LD_RUN_PATH
-	hardcode_runpath_var=yes
-	_LT_TAGVAR(ld_shlibs, $1)=yes
-      fi
-      ;;
-
-    sysv4*uw2* | sysv5OpenUNIX* | sysv5UnixWare7.[[01]].[[10]]* | unixware7* | sco3.2v5.0.[[024]]*)
-      _LT_TAGVAR(no_undefined_flag, $1)='${wl}-z,text'
-      _LT_TAGVAR(archive_cmds_need_lc, $1)=no
-      _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
-      runpath_var='LD_RUN_PATH'
-
-      if test "$GCC" = yes; then
-	_LT_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
-	_LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
-      else
-	_LT_TAGVAR(archive_cmds, $1)='$CC -G ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
-	_LT_TAGVAR(archive_expsym_cmds, $1)='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
-      fi
-      ;;
-
-    sysv5* | sco3.2v5* | sco5v6*)
-      # Note: We can NOT use -z defs as we might desire, because we do not
-      # link with -lc, and that would cause any symbols used from libc to
-      # always be unresolved, which means just about no library would
-      # ever link correctly.  If we're not using GNU ld we use -z text
-      # though, which does catch some bad symbols but isn't as heavy-handed
-      # as -z defs.
-      _LT_TAGVAR(no_undefined_flag, $1)='${wl}-z,text'
-      _LT_TAGVAR(allow_undefined_flag, $1)='${wl}-z,nodefs'
-      _LT_TAGVAR(archive_cmds_need_lc, $1)=no
-      _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
-      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-R,$libdir'
-      _LT_TAGVAR(hardcode_libdir_separator, $1)=':'
-      _LT_TAGVAR(link_all_deplibs, $1)=yes
-      _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-Bexport'
-      runpath_var='LD_RUN_PATH'
-
-      if test "$GCC" = yes; then
-	_LT_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
-	_LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
-      else
-	_LT_TAGVAR(archive_cmds, $1)='$CC -G ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
-	_LT_TAGVAR(archive_expsym_cmds, $1)='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
-      fi
-      ;;
-
-    uts4*)
-      _LT_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
-      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
-      _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
-      ;;
-
-    *)
-      _LT_TAGVAR(ld_shlibs, $1)=no
-      ;;
-    esac
-
-    if test x$host_vendor = xsni; then
-      case $host in
-      sysv4 | sysv4.2uw2* | sysv4.3* | sysv5*)
-	_LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-Blargedynsym'
-	;;
-      esac
-    fi
-  fi
-])
-AC_MSG_RESULT([$_LT_TAGVAR(ld_shlibs, $1)])
-test "$_LT_TAGVAR(ld_shlibs, $1)" = no && can_build_shared=no
-
-_LT_TAGVAR(with_gnu_ld, $1)=$with_gnu_ld
-
-_LT_DECL([], [libext], [0], [Old archive suffix (normally "a")])dnl
-_LT_DECL([], [shrext_cmds], [1], [Shared library suffix (normally ".so")])dnl
-_LT_DECL([], [extract_expsyms_cmds], [2],
-    [The commands to extract the exported symbol list from a shared archive])
-
-#
-# Do we need to explicitly link libc?
-#
-case "x$_LT_TAGVAR(archive_cmds_need_lc, $1)" in
-x|xyes)
-  # Assume -lc should be added
-  _LT_TAGVAR(archive_cmds_need_lc, $1)=yes
-
-  if test "$enable_shared" = yes && test "$GCC" = yes; then
-    case $_LT_TAGVAR(archive_cmds, $1) in
-    *'~'*)
-      # FIXME: we may have to deal with multi-command sequences.
-      ;;
-    '$CC '*)
-      # Test whether the compiler implicitly links with -lc since on some
-      # systems, -lgcc has to come before -lc. If gcc already passes -lc
-      # to ld, don't add -lc before -lgcc.
-      AC_MSG_CHECKING([whether -lc should be explicitly linked in])
-      $RM conftest*
-      echo "$lt_simple_compile_test_code" > conftest.$ac_ext
-
-      if AC_TRY_EVAL(ac_compile) 2>conftest.err; then
-        soname=conftest
-        lib=conftest
-        libobjs=conftest.$ac_objext
-        deplibs=
-        wl=$_LT_TAGVAR(lt_prog_compiler_wl, $1)
-	pic_flag=$_LT_TAGVAR(lt_prog_compiler_pic, $1)
-        compiler_flags=-v
-        linker_flags=-v
-        verstring=
-        output_objdir=.
-        libname=conftest
-        lt_save_allow_undefined_flag=$_LT_TAGVAR(allow_undefined_flag, $1)
-        _LT_TAGVAR(allow_undefined_flag, $1)=
-        if AC_TRY_EVAL(_LT_TAGVAR(archive_cmds, $1) 2\>\&1 \| $GREP \" -lc \" \>/dev/null 2\>\&1)
-        then
-	  _LT_TAGVAR(archive_cmds_need_lc, $1)=no
-        else
-	  _LT_TAGVAR(archive_cmds_need_lc, $1)=yes
-        fi
-        _LT_TAGVAR(allow_undefined_flag, $1)=$lt_save_allow_undefined_flag
-      else
-        cat conftest.err 1>&5
-      fi
-      $RM conftest*
-      AC_MSG_RESULT([$_LT_TAGVAR(archive_cmds_need_lc, $1)])
-      ;;
-    esac
-  fi
-  ;;
-esac
-
-_LT_TAGDECL([build_libtool_need_lc], [archive_cmds_need_lc], [0],
-    [Whether or not to add -lc for building shared libraries])
-_LT_TAGDECL([allow_libtool_libs_with_static_runtimes],
-    [enable_shared_with_static_runtimes], [0],
-    [Whether or not to disallow shared libs when runtime libs are static])
-_LT_TAGDECL([], [export_dynamic_flag_spec], [1],
-    [Compiler flag to allow reflexive dlopens])
-_LT_TAGDECL([], [whole_archive_flag_spec], [1],
-    [Compiler flag to generate shared objects directly from archives])
-_LT_TAGDECL([], [compiler_needs_object], [1],
-    [Whether the compiler copes with passing no objects directly])
-_LT_TAGDECL([], [old_archive_from_new_cmds], [2],
-    [Create an old-style archive from a shared archive])
-_LT_TAGDECL([], [old_archive_from_expsyms_cmds], [2],
-    [Create a temporary old-style archive to link instead of a shared archive])
-_LT_TAGDECL([], [archive_cmds], [2], [Commands used to build a shared archive])
-_LT_TAGDECL([], [archive_expsym_cmds], [2])
-_LT_TAGDECL([], [module_cmds], [2],
-    [Commands used to build a loadable module if different from building
-    a shared archive.])
-_LT_TAGDECL([], [module_expsym_cmds], [2])
-_LT_TAGDECL([], [with_gnu_ld], [1],
-    [Whether we are building with GNU ld or not])
-_LT_TAGDECL([], [allow_undefined_flag], [1],
-    [Flag that allows shared libraries with undefined symbols to be built])
-_LT_TAGDECL([], [no_undefined_flag], [1],
-    [Flag that enforces no undefined symbols])
-_LT_TAGDECL([], [hardcode_libdir_flag_spec], [1],
-    [Flag to hardcode $libdir into a binary during linking.
-    This must work even if $libdir does not exist])
-_LT_TAGDECL([], [hardcode_libdir_flag_spec_ld], [1],
-    [[If ld is used when linking, flag to hardcode $libdir into a binary
-    during linking.  This must work even if $libdir does not exist]])
-_LT_TAGDECL([], [hardcode_libdir_separator], [1],
-    [Whether we need a single "-rpath" flag with a separated argument])
-_LT_TAGDECL([], [hardcode_direct], [0],
-    [Set to "yes" if using DIR/libNAME${shared_ext} during linking hardcodes
-    DIR into the resulting binary])
-_LT_TAGDECL([], [hardcode_direct_absolute], [0],
-    [Set to "yes" if using DIR/libNAME${shared_ext} during linking hardcodes
-    DIR into the resulting binary and the resulting library dependency is
-    "absolute", i.e impossible to change by setting ${shlibpath_var} if the
-    library is relocated])
-_LT_TAGDECL([], [hardcode_minus_L], [0],
-    [Set to "yes" if using the -LDIR flag during linking hardcodes DIR
-    into the resulting binary])
-_LT_TAGDECL([], [hardcode_shlibpath_var], [0],
-    [Set to "yes" if using SHLIBPATH_VAR=DIR during linking hardcodes DIR
-    into the resulting binary])
-_LT_TAGDECL([], [hardcode_automatic], [0],
-    [Set to "yes" if building a shared library automatically hardcodes DIR
-    into the library and all subsequent libraries and executables linked
-    against it])
-_LT_TAGDECL([], [inherit_rpath], [0],
-    [Set to yes if linker adds runtime paths of dependent libraries
-    to runtime path list])
-_LT_TAGDECL([], [link_all_deplibs], [0],
-    [Whether libtool must link a program against all its dependency libraries])
-_LT_TAGDECL([], [fix_srcfile_path], [1],
-    [Fix the shell variable $srcfile for the compiler])
-_LT_TAGDECL([], [always_export_symbols], [0],
-    [Set to "yes" if exported symbols are required])
-_LT_TAGDECL([], [export_symbols_cmds], [2],
-    [The commands to list exported symbols])
-_LT_TAGDECL([], [exclude_expsyms], [1],
-    [Symbols that should not be listed in the preloaded symbols])
-_LT_TAGDECL([], [include_expsyms], [1],
-    [Symbols that must always be exported])
-_LT_TAGDECL([], [prelink_cmds], [2],
-    [Commands necessary for linking programs (against libraries) with templates])
-_LT_TAGDECL([], [file_list_spec], [1],
-    [Specify filename containing input files])
-dnl FIXME: Not yet implemented
-dnl _LT_TAGDECL([], [thread_safe_flag_spec], [1],
-dnl    [Compiler flag to generate thread safe objects])
-])# _LT_LINKER_SHLIBS
-
-
-# _LT_LANG_C_CONFIG([TAG])
-# ------------------------
-# Ensure that the configuration variables for a C compiler are suitably
-# defined.  These variables are subsequently used by _LT_CONFIG to write
-# the compiler configuration to `libtool'.
-m4_defun([_LT_LANG_C_CONFIG],
-[m4_require([_LT_DECL_EGREP])dnl
-lt_save_CC="$CC"
-AC_LANG_PUSH(C)
-
-# Source file extension for C test sources.
-ac_ext=c
-
-# Object file extension for compiled C test sources.
-objext=o
-_LT_TAGVAR(objext, $1)=$objext
-
-# Code to be used in simple compile tests
-lt_simple_compile_test_code="int some_variable = 0;"
-
-# Code to be used in simple link tests
-lt_simple_link_test_code='int main(){return(0);}'
-
-_LT_TAG_COMPILER
-# Save the default compiler, since it gets overwritten when the other
-# tags are being tested, and _LT_TAGVAR(compiler, []) is a NOP.
-compiler_DEFAULT=$CC
-
-# save warnings/boilerplate of simple test code
-_LT_COMPILER_BOILERPLATE
-_LT_LINKER_BOILERPLATE
-
-if test -n "$compiler"; then
-  _LT_COMPILER_NO_RTTI($1)
-  _LT_COMPILER_PIC($1)
-  _LT_COMPILER_C_O($1)
-  _LT_COMPILER_FILE_LOCKS($1)
-  _LT_LINKER_SHLIBS($1)
-  _LT_SYS_DYNAMIC_LINKER($1)
-  _LT_LINKER_HARDCODE_LIBPATH($1)
-  LT_SYS_DLOPEN_SELF
-  _LT_CMD_STRIPLIB
-
-  # Report which library types will actually be built
-  AC_MSG_CHECKING([if libtool supports shared libraries])
-  AC_MSG_RESULT([$can_build_shared])
-
-  AC_MSG_CHECKING([whether to build shared libraries])
-  test "$can_build_shared" = "no" && enable_shared=no
-
-  # On AIX, shared libraries and static libraries use the same namespace, and
-  # are all built from PIC.
-  case $host_os in
-  aix3*)
-    test "$enable_shared" = yes && enable_static=no
-    if test -n "$RANLIB"; then
-      archive_cmds="$archive_cmds~\$RANLIB \$lib"
-      postinstall_cmds='$RANLIB $lib'
-    fi
-    ;;
-
-  aix[[4-9]]*)
-    if test "$host_cpu" != ia64 && test "$aix_use_runtimelinking" = no ; then
-      test "$enable_shared" = yes && enable_static=no
-    fi
-    ;;
-  esac
-  AC_MSG_RESULT([$enable_shared])
-
-  AC_MSG_CHECKING([whether to build static libraries])
-  # Make sure either enable_shared or enable_static is yes.
-  test "$enable_shared" = yes || enable_static=yes
-  AC_MSG_RESULT([$enable_static])
-
-  _LT_CONFIG($1)
-fi
-AC_LANG_POP
-CC="$lt_save_CC"
-])# _LT_LANG_C_CONFIG
-
-
-# _LT_PROG_CXX
-# ------------
-# Since AC_PROG_CXX is broken, in that it returns g++ if there is no c++
-# compiler, we have our own version here.
-m4_defun([_LT_PROG_CXX],
-[
-pushdef([AC_MSG_ERROR], [_lt_caught_CXX_error=yes])
-AC_PROG_CXX
-if test -n "$CXX" && ( test "X$CXX" != "Xno" &&
-    ( (test "X$CXX" = "Xg++" && `g++ -v >/dev/null 2>&1` ) ||
-    (test "X$CXX" != "Xg++"))) ; then
-  AC_PROG_CXXCPP
-else
-  _lt_caught_CXX_error=yes
-fi
-popdef([AC_MSG_ERROR])
-])# _LT_PROG_CXX
-
-dnl aclocal-1.4 backwards compatibility:
-dnl AC_DEFUN([_LT_PROG_CXX], [])
-
-
-# _LT_LANG_CXX_CONFIG([TAG])
-# --------------------------
-# Ensure that the configuration variables for a C++ compiler are suitably
-# defined.  These variables are subsequently used by _LT_CONFIG to write
-# the compiler configuration to `libtool'.
-m4_defun([_LT_LANG_CXX_CONFIG],
-[AC_REQUIRE([_LT_PROG_CXX])dnl
-m4_require([_LT_FILEUTILS_DEFAULTS])dnl
-m4_require([_LT_DECL_EGREP])dnl
-
-AC_LANG_PUSH(C++)
-_LT_TAGVAR(archive_cmds_need_lc, $1)=no
-_LT_TAGVAR(allow_undefined_flag, $1)=
-_LT_TAGVAR(always_export_symbols, $1)=no
-_LT_TAGVAR(archive_expsym_cmds, $1)=
-_LT_TAGVAR(compiler_needs_object, $1)=no
-_LT_TAGVAR(export_dynamic_flag_spec, $1)=
-_LT_TAGVAR(hardcode_direct, $1)=no
-_LT_TAGVAR(hardcode_direct_absolute, $1)=no
-_LT_TAGVAR(hardcode_libdir_flag_spec, $1)=
-_LT_TAGVAR(hardcode_libdir_flag_spec_ld, $1)=
-_LT_TAGVAR(hardcode_libdir_separator, $1)=
-_LT_TAGVAR(hardcode_minus_L, $1)=no
-_LT_TAGVAR(hardcode_shlibpath_var, $1)=unsupported
-_LT_TAGVAR(hardcode_automatic, $1)=no
-_LT_TAGVAR(inherit_rpath, $1)=no
-_LT_TAGVAR(module_cmds, $1)=
-_LT_TAGVAR(module_expsym_cmds, $1)=
-_LT_TAGVAR(link_all_deplibs, $1)=unknown
-_LT_TAGVAR(old_archive_cmds, $1)=$old_archive_cmds
-_LT_TAGVAR(no_undefined_flag, $1)=
-_LT_TAGVAR(whole_archive_flag_spec, $1)=
-_LT_TAGVAR(enable_shared_with_static_runtimes, $1)=no
-
-# Source file extension for C++ test sources.
-ac_ext=cpp
-
-# Object file extension for compiled C++ test sources.
-objext=o
-_LT_TAGVAR(objext, $1)=$objext
-
-# No sense in running all these tests if we already determined that
-# the CXX compiler isn't working.  Some variables (like enable_shared)
-# are currently assumed to apply to all compilers on this platform,
-# and will be corrupted by setting them based on a non-working compiler.
-if test "$_lt_caught_CXX_error" != yes; then
-  # Code to be used in simple compile tests
-  lt_simple_compile_test_code="int some_variable = 0;"
-
-  # Code to be used in simple link tests
-  lt_simple_link_test_code='int main(int, char *[[]]) { return(0); }'
-
-  # ltmain only uses $CC for tagged configurations so make sure $CC is set.
-  _LT_TAG_COMPILER
-
-  # save warnings/boilerplate of simple test code
-  _LT_COMPILER_BOILERPLATE
-  _LT_LINKER_BOILERPLATE
-
-  # Allow CC to be a program name with arguments.
-  lt_save_CC=$CC
-  lt_save_LD=$LD
-  lt_save_GCC=$GCC
-  GCC=$GXX
-  lt_save_with_gnu_ld=$with_gnu_ld
-  lt_save_path_LD=$lt_cv_path_LD
-  if test -n "${lt_cv_prog_gnu_ldcxx+set}"; then
-    lt_cv_prog_gnu_ld=$lt_cv_prog_gnu_ldcxx
-  else
-    $as_unset lt_cv_prog_gnu_ld
-  fi
-  if test -n "${lt_cv_path_LDCXX+set}"; then
-    lt_cv_path_LD=$lt_cv_path_LDCXX
-  else
-    $as_unset lt_cv_path_LD
-  fi
-  test -z "${LDCXX+set}" || LD=$LDCXX
-  CC=${CXX-"c++"}
-  compiler=$CC
-  _LT_TAGVAR(compiler, $1)=$CC
-  _LT_CC_BASENAME([$compiler])
-
-  if test -n "$compiler"; then
-    # We don't want -fno-exception when compiling C++ code, so set the
-    # no_builtin_flag separately
-    if test "$GXX" = yes; then
-      _LT_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)=' -fno-builtin'
-    else
-      _LT_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)=
-    fi
-
-    if test "$GXX" = yes; then
-      # Set up default GNU C++ configuration
-
-      LT_PATH_LD
-
-      # Check if GNU C++ uses GNU ld as the underlying linker, since the
-      # archiving commands below assume that GNU ld is being used.
-      if test "$with_gnu_ld" = yes; then
-        _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib'
-        _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
-
-        _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
-        _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic'
-
-        # If archive_cmds runs LD, not CC, wlarc should be empty
-        # XXX I think wlarc can be eliminated in ltcf-cxx, but I need to
-        #     investigate it a little bit more. (MM)
-        wlarc='${wl}'
-
-        # ancient GNU ld didn't support --whole-archive et. al.
-        if eval "`$CC -print-prog-name=ld` --help 2>&1" |
-	  $GREP 'no-whole-archive' > /dev/null; then
-          _LT_TAGVAR(whole_archive_flag_spec, $1)="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive'
-        else
-          _LT_TAGVAR(whole_archive_flag_spec, $1)=
-        fi
-      else
-        with_gnu_ld=no
-        wlarc=
-
-        # A generic and very simple default shared library creation
-        # command for GNU C++ for the case where it uses the native
-        # linker, instead of GNU ld.  If possible, this setting should
-        # overridden to take advantage of the native linker features on
-        # the platform it is being used on.
-        _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $lib'
-      fi
-
-      # Commands to make compiler produce verbose output that lists
-      # what "hidden" libraries, object files and flags are used when
-      # linking a shared library.
-      output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP "\-L"'
-
-    else
-      GXX=no
-      with_gnu_ld=no
-      wlarc=
-    fi
-
-    # PORTME: fill in a description of your system's C++ link characteristics
-    AC_MSG_CHECKING([whether the $compiler linker ($LD) supports shared libraries])
-    _LT_TAGVAR(ld_shlibs, $1)=yes
-    case $host_os in
-      aix3*)
-        # FIXME: insert proper C++ library support
-        _LT_TAGVAR(ld_shlibs, $1)=no
-        ;;
-      aix[[4-9]]*)
-        if test "$host_cpu" = ia64; then
-          # On IA64, the linker does run time linking by default, so we don't
-          # have to do anything special.
-          aix_use_runtimelinking=no
-          exp_sym_flag='-Bexport'
-          no_entry_flag=""
-        else
-          aix_use_runtimelinking=no
-
-          # Test if we are trying to use run time linking or normal
-          # AIX style linking. If -brtl is somewhere in LDFLAGS, we
-          # need to do runtime linking.
-          case $host_os in aix4.[[23]]|aix4.[[23]].*|aix[[5-9]]*)
-	    for ld_flag in $LDFLAGS; do
-	      case $ld_flag in
-	      *-brtl*)
-	        aix_use_runtimelinking=yes
-	        break
-	        ;;
-	      esac
-	    done
-	    ;;
-          esac
-
-          exp_sym_flag='-bexport'
-          no_entry_flag='-bnoentry'
-        fi
-
-        # When large executables or shared objects are built, AIX ld can
-        # have problems creating the table of contents.  If linking a library
-        # or program results in "error TOC overflow" add -mminimal-toc to
-        # CXXFLAGS/CFLAGS for g++/gcc.  In the cases where that is not
-        # enough to fix the problem, add -Wl,-bbigtoc to LDFLAGS.
-
-        _LT_TAGVAR(archive_cmds, $1)=''
-        _LT_TAGVAR(hardcode_direct, $1)=yes
-        _LT_TAGVAR(hardcode_direct_absolute, $1)=yes
-        _LT_TAGVAR(hardcode_libdir_separator, $1)=':'
-        _LT_TAGVAR(link_all_deplibs, $1)=yes
-        _LT_TAGVAR(file_list_spec, $1)='${wl}-f,'
-
-        if test "$GXX" = yes; then
-          case $host_os in aix4.[[012]]|aix4.[[012]].*)
-          # We only want to do this on AIX 4.2 and lower, the check
-          # below for broken collect2 doesn't work under 4.3+
-	  collect2name=`${CC} -print-prog-name=collect2`
-	  if test -f "$collect2name" &&
-	     strings "$collect2name" | $GREP resolve_lib_name >/dev/null
-	  then
-	    # We have reworked collect2
-	    :
-	  else
-	    # We have old collect2
-	    _LT_TAGVAR(hardcode_direct, $1)=unsupported
-	    # It fails to find uninstalled libraries when the uninstalled
-	    # path is not listed in the libpath.  Setting hardcode_minus_L
-	    # to unsupported forces relinking
-	    _LT_TAGVAR(hardcode_minus_L, $1)=yes
-	    _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
-	    _LT_TAGVAR(hardcode_libdir_separator, $1)=
-	  fi
-          esac
-          shared_flag='-shared'
-	  if test "$aix_use_runtimelinking" = yes; then
-	    shared_flag="$shared_flag "'${wl}-G'
-	  fi
-        else
-          # not using gcc
-          if test "$host_cpu" = ia64; then
-	  # VisualAge C++, Version 5.5 for AIX 5L for IA-64, Beta 3 Release
-	  # chokes on -Wl,-G. The following line is correct:
-	  shared_flag='-G'
-          else
-	    if test "$aix_use_runtimelinking" = yes; then
-	      shared_flag='${wl}-G'
-	    else
-	      shared_flag='${wl}-bM:SRE'
-	    fi
-          fi
-        fi
-
-        _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-bexpall'
-        # It seems that -bexpall does not export symbols beginning with
-        # underscore (_), so it is better to generate a list of symbols to
-	# export.
-        _LT_TAGVAR(always_export_symbols, $1)=yes
-        if test "$aix_use_runtimelinking" = yes; then
-          # Warning - without using the other runtime loading flags (-brtl),
-          # -berok will link without error, but may produce a broken library.
-          _LT_TAGVAR(allow_undefined_flag, $1)='-berok'
-          # Determine the default libpath from the value encoded in an empty
-          # executable.
-          _LT_SYS_MODULE_PATH_AIX
-          _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-blibpath:$libdir:'"$aix_libpath"
-
-          _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then $ECHO "X${wl}${allow_undefined_flag}" | $Xsed; else :; fi` '"\${wl}$exp_sym_flag:\$export_symbols $shared_flag"
-        else
-          if test "$host_cpu" = ia64; then
-	    _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-R $libdir:/usr/lib:/lib'
-	    _LT_TAGVAR(allow_undefined_flag, $1)="-z nodefs"
-	    _LT_TAGVAR(archive_expsym_cmds, $1)="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags ${wl}${allow_undefined_flag} '"\${wl}$exp_sym_flag:\$export_symbols"
-          else
-	    # Determine the default libpath from the value encoded in an
-	    # empty executable.
-	    _LT_SYS_MODULE_PATH_AIX
-	    _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-blibpath:$libdir:'"$aix_libpath"
-	    # Warning - without using the other run time loading flags,
-	    # -berok will link without error, but may produce a broken library.
-	    _LT_TAGVAR(no_undefined_flag, $1)=' ${wl}-bernotok'
-	    _LT_TAGVAR(allow_undefined_flag, $1)=' ${wl}-berok'
-	    # Exported symbols can be pulled into shared objects from archives
-	    _LT_TAGVAR(whole_archive_flag_spec, $1)='$convenience'
-	    _LT_TAGVAR(archive_cmds_need_lc, $1)=yes
-	    # This is similar to how AIX traditionally builds its shared
-	    # libraries.
-	    _LT_TAGVAR(archive_expsym_cmds, $1)="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs ${wl}-bnoentry $compiler_flags ${wl}-bE:$export_symbols${allow_undefined_flag}~$AR $AR_FLAGS $output_objdir/$libname$release.a $output_objdir/$soname'
-          fi
-        fi
-        ;;
-
-      beos*)
-	if $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then
-	  _LT_TAGVAR(allow_undefined_flag, $1)=unsupported
-	  # Joseph Beckenbach <jrb3@best.com> says some releases of gcc
-	  # support --undefined.  This deserves some investigation.  FIXME
-	  _LT_TAGVAR(archive_cmds, $1)='$CC -nostart $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
-	else
-	  _LT_TAGVAR(ld_shlibs, $1)=no
-	fi
-	;;
-
-      chorus*)
-        case $cc_basename in
-          *)
-	  # FIXME: insert proper C++ library support
-	  _LT_TAGVAR(ld_shlibs, $1)=no
-	  ;;
-        esac
-        ;;
-
-      cygwin* | mingw* | pw32* | cegcc*)
-        # _LT_TAGVAR(hardcode_libdir_flag_spec, $1) is actually meaningless,
-        # as there is no search path for DLLs.
-        _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
-        _LT_TAGVAR(allow_undefined_flag, $1)=unsupported
-        _LT_TAGVAR(always_export_symbols, $1)=no
-        _LT_TAGVAR(enable_shared_with_static_runtimes, $1)=yes
-
-        if $LD --help 2>&1 | $GREP 'auto-import' > /dev/null; then
-          _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
-          # If the export-symbols file already is a .def file (1st line
-          # is EXPORTS), use it as is; otherwise, prepend...
-          _LT_TAGVAR(archive_expsym_cmds, $1)='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then
-	    cp $export_symbols $output_objdir/$soname.def;
-          else
-	    echo EXPORTS > $output_objdir/$soname.def;
-	    cat $export_symbols >> $output_objdir/$soname.def;
-          fi~
-          $CC -shared -nostdlib $output_objdir/$soname.def $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
-        else
-          _LT_TAGVAR(ld_shlibs, $1)=no
-        fi
-        ;;
-      darwin* | rhapsody*)
-        _LT_DARWIN_LINKER_FEATURES($1)
-	;;
-
-      dgux*)
-        case $cc_basename in
-          ec++*)
-	    # FIXME: insert proper C++ library support
-	    _LT_TAGVAR(ld_shlibs, $1)=no
-	    ;;
-          ghcx*)
-	    # Green Hills C++ Compiler
-	    # FIXME: insert proper C++ library support
-	    _LT_TAGVAR(ld_shlibs, $1)=no
-	    ;;
-          *)
-	    # FIXME: insert proper C++ library support
-	    _LT_TAGVAR(ld_shlibs, $1)=no
-	    ;;
-        esac
-        ;;
-
-      freebsd[[12]]*)
-        # C++ shared libraries reported to be fairly broken before
-	# switch to ELF
-        _LT_TAGVAR(ld_shlibs, $1)=no
-        ;;
-
-      freebsd-elf*)
-        _LT_TAGVAR(archive_cmds_need_lc, $1)=no
-        ;;
-
-      freebsd* | dragonfly*)
-        # FreeBSD 3 and later use GNU C++ and GNU ld with standard ELF
-        # conventions
-        _LT_TAGVAR(ld_shlibs, $1)=yes
-        ;;
-
-      gnu*)
-        ;;
-
-      hpux9*)
-        _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir'
-        _LT_TAGVAR(hardcode_libdir_separator, $1)=:
-        _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
-        _LT_TAGVAR(hardcode_direct, $1)=yes
-        _LT_TAGVAR(hardcode_minus_L, $1)=yes # Not in the search PATH,
-				             # but as the default
-				             # location of the library.
-
-        case $cc_basename in
-          CC*)
-            # FIXME: insert proper C++ library support
-            _LT_TAGVAR(ld_shlibs, $1)=no
-            ;;
-          aCC*)
-            _LT_TAGVAR(archive_cmds, $1)='$RM $output_objdir/$soname~$CC -b ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
-            # Commands to make compiler produce verbose output that lists
-            # what "hidden" libraries, object files and flags are used when
-            # linking a shared library.
-            #
-            # There doesn't appear to be a way to prevent this compiler from
-            # explicitly linking system object files so we need to strip them
-            # from the output so that they don't get included in the library
-            # dependencies.
-            output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | $EGREP "\-L"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; $ECHO "X$list" | $Xsed'
-            ;;
-          *)
-            if test "$GXX" = yes; then
-              _LT_TAGVAR(archive_cmds, $1)='$RM $output_objdir/$soname~$CC -shared -nostdlib -fPIC ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
-            else
-              # FIXME: insert proper C++ library support
-              _LT_TAGVAR(ld_shlibs, $1)=no
-            fi
-            ;;
-        esac
-        ;;
-
-      hpux10*|hpux11*)
-        if test $with_gnu_ld = no; then
-	  _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir'
-	  _LT_TAGVAR(hardcode_libdir_separator, $1)=:
-
-          case $host_cpu in
-            hppa*64*|ia64*)
-              ;;
-            *)
-	      _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
-              ;;
-          esac
-        fi
-        case $host_cpu in
-          hppa*64*|ia64*)
-            _LT_TAGVAR(hardcode_direct, $1)=no
-            _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
-            ;;
-          *)
-            _LT_TAGVAR(hardcode_direct, $1)=yes
-            _LT_TAGVAR(hardcode_direct_absolute, $1)=yes
-            _LT_TAGVAR(hardcode_minus_L, $1)=yes # Not in the search PATH,
-					         # but as the default
-					         # location of the library.
-            ;;
-        esac
-
-        case $cc_basename in
-          CC*)
-	    # FIXME: insert proper C++ library support
-	    _LT_TAGVAR(ld_shlibs, $1)=no
-	    ;;
-          aCC*)
-	    case $host_cpu in
-	      hppa*64*)
-	        _LT_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
-	        ;;
-	      ia64*)
-	        _LT_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
-	        ;;
-	      *)
-	        _LT_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
-	        ;;
-	    esac
-	    # Commands to make compiler produce verbose output that lists
-	    # what "hidden" libraries, object files and flags are used when
-	    # linking a shared library.
-	    #
-	    # There doesn't appear to be a way to prevent this compiler from
-	    # explicitly linking system object files so we need to strip them
-	    # from the output so that they don't get included in the library
-	    # dependencies.
-	    output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | $GREP "\-L"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; $ECHO "X$list" | $Xsed'
-	    ;;
-          *)
-	    if test "$GXX" = yes; then
-	      if test $with_gnu_ld = no; then
-	        case $host_cpu in
-	          hppa*64*)
-	            _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib -fPIC ${wl}+h ${wl}$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
-	            ;;
-	          ia64*)
-	            _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib -fPIC ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
-	            ;;
-	          *)
-	            _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
-	            ;;
-	        esac
-	      fi
-	    else
-	      # FIXME: insert proper C++ library support
-	      _LT_TAGVAR(ld_shlibs, $1)=no
-	    fi
-	    ;;
-        esac
-        ;;
-
-      interix[[3-9]]*)
-	_LT_TAGVAR(hardcode_direct, $1)=no
-	_LT_TAGVAR(hardcode_shlibpath_var, $1)=no
-	_LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
-	_LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
-	# Hack: On Interix 3.x, we cannot compile PIC because of a broken gcc.
-	# Instead, shared libraries are loaded at an image base (0x10000000 by
-	# default) and relocated if they conflict, which is a slow very memory
-	# consuming and fragmenting process.  To avoid this, we pick a random,
-	# 256 KiB-aligned image base between 0x50000000 and 0x6FFC0000 at link
-	# time.  Moving up from 0x10000000 also allows more sbrk(2) space.
-	_LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
-	_LT_TAGVAR(archive_expsym_cmds, $1)='sed "s,^,_," $export_symbols >$output_objdir/$soname.expsym~$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--retain-symbols-file,$output_objdir/$soname.expsym ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
-	;;
-      irix5* | irix6*)
-        case $cc_basename in
-          CC*)
-	    # SGI C++
-	    _LT_TAGVAR(archive_cmds, $1)='$CC -shared -all -multigot $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -soname $soname `test -n "$verstring" && $ECHO "X-set_version $verstring" | $Xsed` -update_registry ${output_objdir}/so_locations -o $lib'
-
-	    # Archives containing C++ object files must be created using
-	    # "CC -ar", where "CC" is the IRIX C++ compiler.  This is
-	    # necessary to make sure instantiated templates are included
-	    # in the archive.
-	    _LT_TAGVAR(old_archive_cmds, $1)='$CC -ar -WR,-u -o $oldlib $oldobjs'
-	    ;;
-          *)
-	    if test "$GXX" = yes; then
-	      if test "$with_gnu_ld" = no; then
-	        _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && $ECHO "X${wl}-set_version ${wl}$verstring" | $Xsed` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
-	      else
-	        _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && $ECHO "X${wl}-set_version ${wl}$verstring" | $Xsed` -o $lib'
-	      fi
-	    fi
-	    _LT_TAGVAR(link_all_deplibs, $1)=yes
-	    ;;
-        esac
-        _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
-        _LT_TAGVAR(hardcode_libdir_separator, $1)=:
-        _LT_TAGVAR(inherit_rpath, $1)=yes
-        ;;
-
-      linux* | k*bsd*-gnu)
-        case $cc_basename in
-          KCC*)
-	    # Kuck and Associates, Inc. (KAI) C++ Compiler
-
-	    # KCC will only create a shared library if the output file
-	    # ends with ".so" (or ".sl" for HP-UX), so rename the library
-	    # to its proper name (with version) after linking.
-	    _LT_TAGVAR(archive_cmds, $1)='tempext=`echo $shared_ext | $SED -e '\''s/\([[^()0-9A-Za-z{}]]\)/\\\\\1/g'\''`; templib=`echo $lib | $SED -e "s/\${tempext}\..*/.so/"`; $CC $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags --soname $soname -o \$templib; mv \$templib $lib'
-	    _LT_TAGVAR(archive_expsym_cmds, $1)='tempext=`echo $shared_ext | $SED -e '\''s/\([[^()0-9A-Za-z{}]]\)/\\\\\1/g'\''`; templib=`echo $lib | $SED -e "s/\${tempext}\..*/.so/"`; $CC $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags --soname $soname -o \$templib ${wl}-retain-symbols-file,$export_symbols; mv \$templib $lib'
-	    # Commands to make compiler produce verbose output that lists
-	    # what "hidden" libraries, object files and flags are used when
-	    # linking a shared library.
-	    #
-	    # There doesn't appear to be a way to prevent this compiler from
-	    # explicitly linking system object files so we need to strip them
-	    # from the output so that they don't get included in the library
-	    # dependencies.
-	    output_verbose_link_cmd='templist=`$CC $CFLAGS -v conftest.$objext -o libconftest$shared_ext 2>&1 | $GREP "ld"`; rm -f libconftest$shared_ext; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; $ECHO "X$list" | $Xsed'
-
-	    _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
-	    _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic'
-
-	    # Archives containing C++ object files must be created using
-	    # "CC -Bstatic", where "CC" is the KAI C++ compiler.
-	    _LT_TAGVAR(old_archive_cmds, $1)='$CC -Bstatic -o $oldlib $oldobjs'
-	    ;;
-	  icpc* | ecpc* )
-	    # Intel C++
-	    with_gnu_ld=yes
-	    # version 8.0 and above of icpc choke on multiply defined symbols
-	    # if we add $predep_objects and $postdep_objects, however 7.1 and
-	    # earlier do not add the objects themselves.
-	    case `$CC -V 2>&1` in
-	      *"Version 7."*)
-	        _LT_TAGVAR(archive_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib'
-		_LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
-		;;
-	      *)  # Version 8.0 or newer
-	        tmp_idyn=
-	        case $host_cpu in
-		  ia64*) tmp_idyn=' -i_dynamic';;
-		esac
-	        _LT_TAGVAR(archive_cmds, $1)='$CC -shared'"$tmp_idyn"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
-		_LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared'"$tmp_idyn"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
-		;;
-	    esac
-	    _LT_TAGVAR(archive_cmds_need_lc, $1)=no
-	    _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
-	    _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic'
-	    _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive$convenience ${wl}--no-whole-archive'
-	    ;;
-          pgCC* | pgcpp*)
-            # Portland Group C++ compiler
-	    case `$CC -V` in
-	    *pgCC\ [[1-5]]* | *pgcpp\ [[1-5]]*)
-	      _LT_TAGVAR(prelink_cmds, $1)='tpldir=Template.dir~
-		rm -rf $tpldir~
-		$CC --prelink_objects --instantiation_dir $tpldir $objs $libobjs $compile_deplibs~
-		compile_command="$compile_command `find $tpldir -name \*.o | $NL2SP`"'
-	      _LT_TAGVAR(old_archive_cmds, $1)='tpldir=Template.dir~
-		rm -rf $tpldir~
-		$CC --prelink_objects --instantiation_dir $tpldir $oldobjs$old_deplibs~
-		$AR $AR_FLAGS $oldlib$oldobjs$old_deplibs `find $tpldir -name \*.o | $NL2SP`~
-		$RANLIB $oldlib'
-	      _LT_TAGVAR(archive_cmds, $1)='tpldir=Template.dir~
-		rm -rf $tpldir~
-		$CC --prelink_objects --instantiation_dir $tpldir $predep_objects $libobjs $deplibs $convenience $postdep_objects~
-		$CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
-	      _LT_TAGVAR(archive_expsym_cmds, $1)='tpldir=Template.dir~
-		rm -rf $tpldir~
-		$CC --prelink_objects --instantiation_dir $tpldir $predep_objects $libobjs $deplibs $convenience $postdep_objects~
-		$CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname ${wl}-retain-symbols-file ${wl}$export_symbols -o $lib'
-	      ;;
-	    *) # Version 6 will use weak symbols
-	      _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
-	      _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname ${wl}-retain-symbols-file ${wl}$export_symbols -o $lib'
-	      ;;
-	    esac
-
-	    _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}--rpath ${wl}$libdir'
-	    _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic'
-	    _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $ECHO \"$new_convenience\"` ${wl}--no-whole-archive'
-            ;;
-	  cxx*)
-	    # Compaq C++
-	    _LT_TAGVAR(archive_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib'
-	    _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname  -o $lib ${wl}-retain-symbols-file $wl$export_symbols'
-
-	    runpath_var=LD_RUN_PATH
-	    _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-rpath $libdir'
-	    _LT_TAGVAR(hardcode_libdir_separator, $1)=:
-
-	    # Commands to make compiler produce verbose output that lists
-	    # what "hidden" libraries, object files and flags are used when
-	    # linking a shared library.
-	    #
-	    # There doesn't appear to be a way to prevent this compiler from
-	    # explicitly linking system object files so we need to strip them
-	    # from the output so that they don't get included in the library
-	    # dependencies.
-	    output_verbose_link_cmd='templist=`$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP "ld"`; templist=`$ECHO "X$templist" | $Xsed -e "s/\(^.*ld.*\)\( .*ld .*$\)/\1/"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; $ECHO "X$list" | $Xsed'
-	    ;;
-	  xl*)
-	    # IBM XL 8.0 on PPC, with GNU ld
-	    _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
-	    _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic'
-	    _LT_TAGVAR(archive_cmds, $1)='$CC -qmkshrobj $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
-	    if test "x$supports_anon_versioning" = xyes; then
-	      _LT_TAGVAR(archive_expsym_cmds, $1)='echo "{ global:" > $output_objdir/$libname.ver~
-		cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~
-		echo "local: *; };" >> $output_objdir/$libname.ver~
-		$CC -qmkshrobj $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-version-script ${wl}$output_objdir/$libname.ver -o $lib'
-	    fi
-	    ;;
-	  *)
-	    case `$CC -V 2>&1 | sed 5q` in
-	    *Sun\ C*)
-	      # Sun C++ 5.9
-	      _LT_TAGVAR(no_undefined_flag, $1)=' -zdefs'
-	      _LT_TAGVAR(archive_cmds, $1)='$CC -G${allow_undefined_flag} -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
-	      _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -G${allow_undefined_flag} -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-retain-symbols-file ${wl}$export_symbols'
-	      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
-	      _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`new_convenience=; for conv in $convenience\"\"; do test -z \"$conv\" || new_convenience=\"$new_convenience,$conv\"; done; $ECHO \"$new_convenience\"` ${wl}--no-whole-archive'
-	      _LT_TAGVAR(compiler_needs_object, $1)=yes
-
-	      # Not sure whether something based on
-	      # $CC $CFLAGS -v conftest.$objext -o libconftest$shared_ext 2>&1
-	      # would be better.
-	      output_verbose_link_cmd='echo'
-
-	      # Archives containing C++ object files must be created using
-	      # "CC -xar", where "CC" is the Sun C++ compiler.  This is
-	      # necessary to make sure instantiated templates are included
-	      # in the archive.
-	      _LT_TAGVAR(old_archive_cmds, $1)='$CC -xar -o $oldlib $oldobjs'
-	      ;;
-	    esac
-	    ;;
-	esac
-	;;
-
-      lynxos*)
-        # FIXME: insert proper C++ library support
-	_LT_TAGVAR(ld_shlibs, $1)=no
-	;;
-
-      m88k*)
-        # FIXME: insert proper C++ library support
-        _LT_TAGVAR(ld_shlibs, $1)=no
-	;;
-
-      mvs*)
-        case $cc_basename in
-          cxx*)
-	    # FIXME: insert proper C++ library support
-	    _LT_TAGVAR(ld_shlibs, $1)=no
-	    ;;
-	  *)
-	    # FIXME: insert proper C++ library support
-	    _LT_TAGVAR(ld_shlibs, $1)=no
-	    ;;
-	esac
-	;;
-
-      netbsd*)
-        if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then
-	  _LT_TAGVAR(archive_cmds, $1)='$LD -Bshareable  -o $lib $predep_objects $libobjs $deplibs $postdep_objects $linker_flags'
-	  wlarc=
-	  _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
-	  _LT_TAGVAR(hardcode_direct, $1)=yes
-	  _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
-	fi
-	# Workaround some broken pre-1.5 toolchains
-	output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP conftest.$objext | $SED -e "s:-lgcc -lc -lgcc::"'
-	;;
-
-      *nto* | *qnx*)
-        _LT_TAGVAR(ld_shlibs, $1)=yes
-	;;
-
-      openbsd2*)
-        # C++ shared libraries are fairly broken
-	_LT_TAGVAR(ld_shlibs, $1)=no
-	;;
-
-      openbsd*)
-	if test -f /usr/libexec/ld.so; then
-	  _LT_TAGVAR(hardcode_direct, $1)=yes
-	  _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
-	  _LT_TAGVAR(hardcode_direct_absolute, $1)=yes
-	  _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $lib'
-	  _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
-	  if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
-	    _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-retain-symbols-file,$export_symbols -o $lib'
-	    _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
-	    _LT_TAGVAR(whole_archive_flag_spec, $1)="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive'
-	  fi
-	  output_verbose_link_cmd=echo
-	else
-	  _LT_TAGVAR(ld_shlibs, $1)=no
-	fi
-	;;
-
-      osf3* | osf4* | osf5*)
-        case $cc_basename in
-          KCC*)
-	    # Kuck and Associates, Inc. (KAI) C++ Compiler
-
-	    # KCC will only create a shared library if the output file
-	    # ends with ".so" (or ".sl" for HP-UX), so rename the library
-	    # to its proper name (with version) after linking.
-	    _LT_TAGVAR(archive_cmds, $1)='tempext=`echo $shared_ext | $SED -e '\''s/\([[^()0-9A-Za-z{}]]\)/\\\\\1/g'\''`; templib=`echo "$lib" | $SED -e "s/\${tempext}\..*/.so/"`; $CC $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags --soname $soname -o \$templib; mv \$templib $lib'
-
-	    _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
-	    _LT_TAGVAR(hardcode_libdir_separator, $1)=:
-
-	    # Archives containing C++ object files must be created using
-	    # the KAI C++ compiler.
-	    case $host in
-	      osf3*) _LT_TAGVAR(old_archive_cmds, $1)='$CC -Bstatic -o $oldlib $oldobjs' ;;
-	      *) _LT_TAGVAR(old_archive_cmds, $1)='$CC -o $oldlib $oldobjs' ;;
-	    esac
-	    ;;
-          RCC*)
-	    # Rational C++ 2.4.1
-	    # FIXME: insert proper C++ library support
-	    _LT_TAGVAR(ld_shlibs, $1)=no
-	    ;;
-          cxx*)
-	    case $host in
-	      osf3*)
-	        _LT_TAGVAR(allow_undefined_flag, $1)=' ${wl}-expect_unresolved ${wl}\*'
-	        _LT_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $soname `test -n "$verstring" && $ECHO "X${wl}-set_version $verstring" | $Xsed` -update_registry ${output_objdir}/so_locations -o $lib'
-	        _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
-		;;
-	      *)
-	        _LT_TAGVAR(allow_undefined_flag, $1)=' -expect_unresolved \*'
-	        _LT_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -msym -soname $soname `test -n "$verstring" && $ECHO "X-set_version $verstring" | $Xsed` -update_registry ${output_objdir}/so_locations -o $lib'
-	        _LT_TAGVAR(archive_expsym_cmds, $1)='for i in `cat $export_symbols`; do printf "%s %s\\n" -exported_symbol "\$i" >> $lib.exp; done~
-	          echo "-hidden">> $lib.exp~
-	          $CC -shared$allow_undefined_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -msym -soname $soname ${wl}-input ${wl}$lib.exp  `test -n "$verstring" && $ECHO "X-set_version $verstring" | $Xsed` -update_registry ${output_objdir}/so_locations -o $lib~
-	          $RM $lib.exp'
-	        _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-rpath $libdir'
-		;;
-	    esac
-
-	    _LT_TAGVAR(hardcode_libdir_separator, $1)=:
-
-	    # Commands to make compiler produce verbose output that lists
-	    # what "hidden" libraries, object files and flags are used when
-	    # linking a shared library.
-	    #
-	    # There doesn't appear to be a way to prevent this compiler from
-	    # explicitly linking system object files so we need to strip them
-	    # from the output so that they don't get included in the library
-	    # dependencies.
-	    output_verbose_link_cmd='templist=`$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP "ld" | $GREP -v "ld:"`; templist=`$ECHO "X$templist" | $Xsed -e "s/\(^.*ld.*\)\( .*ld.*$\)/\1/"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; $ECHO "X$list" | $Xsed'
-	    ;;
-	  *)
-	    if test "$GXX" = yes && test "$with_gnu_ld" = no; then
-	      _LT_TAGVAR(allow_undefined_flag, $1)=' ${wl}-expect_unresolved ${wl}\*'
-	      case $host in
-	        osf3*)
-	          _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib ${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && $ECHO "X${wl}-set_version ${wl}$verstring" | $Xsed` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
-		  ;;
-	        *)
-	          _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib ${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-msym ${wl}-soname ${wl}$soname `test -n "$verstring" && $ECHO "${wl}-set_version ${wl}$verstring" | $Xsed` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
-		  ;;
-	      esac
-
-	      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
-	      _LT_TAGVAR(hardcode_libdir_separator, $1)=:
-
-	      # Commands to make compiler produce verbose output that lists
-	      # what "hidden" libraries, object files and flags are used when
-	      # linking a shared library.
-	      output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP "\-L"'
-
-	    else
-	      # FIXME: insert proper C++ library support
-	      _LT_TAGVAR(ld_shlibs, $1)=no
-	    fi
-	    ;;
-        esac
-        ;;
-
-      psos*)
-        # FIXME: insert proper C++ library support
-        _LT_TAGVAR(ld_shlibs, $1)=no
-        ;;
-
-      sunos4*)
-        case $cc_basename in
-          CC*)
-	    # Sun C++ 4.x
-	    # FIXME: insert proper C++ library support
-	    _LT_TAGVAR(ld_shlibs, $1)=no
-	    ;;
-          lcc*)
-	    # Lucid
-	    # FIXME: insert proper C++ library support
-	    _LT_TAGVAR(ld_shlibs, $1)=no
-	    ;;
-          *)
-	    # FIXME: insert proper C++ library support
-	    _LT_TAGVAR(ld_shlibs, $1)=no
-	    ;;
-        esac
-        ;;
-
-      solaris*)
-        case $cc_basename in
-          CC*)
-	    # Sun C++ 4.2, 5.x and Centerline C++
-            _LT_TAGVAR(archive_cmds_need_lc,$1)=yes
-	    _LT_TAGVAR(no_undefined_flag, $1)=' -zdefs'
-	    _LT_TAGVAR(archive_cmds, $1)='$CC -G${allow_undefined_flag}  -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
-	    _LT_TAGVAR(archive_expsym_cmds, $1)='echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~echo "local: *; };" >> $lib.exp~
-	      $CC -G${allow_undefined_flag} ${wl}-M ${wl}$lib.exp -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~$RM $lib.exp'
-
-	    _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
-	    _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
-	    case $host_os in
-	      solaris2.[[0-5]] | solaris2.[[0-5]].*) ;;
-	      *)
-		# The compiler driver will combine and reorder linker options,
-		# but understands `-z linker_flag'.
-	        # Supported since Solaris 2.6 (maybe 2.5.1?)
-		_LT_TAGVAR(whole_archive_flag_spec, $1)='-z allextract$convenience -z defaultextract'
-	        ;;
-	    esac
-	    _LT_TAGVAR(link_all_deplibs, $1)=yes
-
-	    output_verbose_link_cmd='echo'
-
-	    # Archives containing C++ object files must be created using
-	    # "CC -xar", where "CC" is the Sun C++ compiler.  This is
-	    # necessary to make sure instantiated templates are included
-	    # in the archive.
-	    _LT_TAGVAR(old_archive_cmds, $1)='$CC -xar -o $oldlib $oldobjs'
-	    ;;
-          gcx*)
-	    # Green Hills C++ Compiler
-	    _LT_TAGVAR(archive_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-h $wl$soname -o $lib'
-
-	    # The C++ compiler must be used to create the archive.
-	    _LT_TAGVAR(old_archive_cmds, $1)='$CC $LDFLAGS -archive -o $oldlib $oldobjs'
-	    ;;
-          *)
-	    # GNU C++ compiler with Solaris linker
-	    if test "$GXX" = yes && test "$with_gnu_ld" = no; then
-	      _LT_TAGVAR(no_undefined_flag, $1)=' ${wl}-z ${wl}defs'
-	      if $CC --version | $GREP -v '^2\.7' > /dev/null; then
-	        _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $LDFLAGS $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-h $wl$soname -o $lib'
-	        _LT_TAGVAR(archive_expsym_cmds, $1)='echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~echo "local: *; };" >> $lib.exp~
-		  $CC -shared -nostdlib ${wl}-M $wl$lib.exp -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~$RM $lib.exp'
-
-	        # Commands to make compiler produce verbose output that lists
-	        # what "hidden" libraries, object files and flags are used when
-	        # linking a shared library.
-	        output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP "\-L"'
-	      else
-	        # g++ 2.7 appears to require `-G' NOT `-shared' on this
-	        # platform.
-	        _LT_TAGVAR(archive_cmds, $1)='$CC -G -nostdlib $LDFLAGS $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-h $wl$soname -o $lib'
-	        _LT_TAGVAR(archive_expsym_cmds, $1)='echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~echo "local: *; };" >> $lib.exp~
-		  $CC -G -nostdlib ${wl}-M $wl$lib.exp -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~$RM $lib.exp'
-
-	        # Commands to make compiler produce verbose output that lists
-	        # what "hidden" libraries, object files and flags are used when
-	        # linking a shared library.
-	        output_verbose_link_cmd='$CC -G $CFLAGS -v conftest.$objext 2>&1 | $GREP "\-L"'
-	      fi
-
-	      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-R $wl$libdir'
-	      case $host_os in
-		solaris2.[[0-5]] | solaris2.[[0-5]].*) ;;
-		*)
-		  _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}-z ${wl}allextract$convenience ${wl}-z ${wl}defaultextract'
-		  ;;
-	      esac
-	    fi
-	    ;;
-        esac
-        ;;
-
-    sysv4*uw2* | sysv5OpenUNIX* | sysv5UnixWare7.[[01]].[[10]]* | unixware7* | sco3.2v5.0.[[024]]*)
-      _LT_TAGVAR(no_undefined_flag, $1)='${wl}-z,text'
-      _LT_TAGVAR(archive_cmds_need_lc, $1)=no
-      _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
-      runpath_var='LD_RUN_PATH'
-
-      case $cc_basename in
-        CC*)
-	  _LT_TAGVAR(archive_cmds, $1)='$CC -G ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
-	  _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
-	  ;;
-	*)
-	  _LT_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
-	  _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
-	  ;;
-      esac
-      ;;
-
-      sysv5* | sco3.2v5* | sco5v6*)
-	# Note: We can NOT use -z defs as we might desire, because we do not
-	# link with -lc, and that would cause any symbols used from libc to
-	# always be unresolved, which means just about no library would
-	# ever link correctly.  If we're not using GNU ld we use -z text
-	# though, which does catch some bad symbols but isn't as heavy-handed
-	# as -z defs.
-	_LT_TAGVAR(no_undefined_flag, $1)='${wl}-z,text'
-	_LT_TAGVAR(allow_undefined_flag, $1)='${wl}-z,nodefs'
-	_LT_TAGVAR(archive_cmds_need_lc, $1)=no
-	_LT_TAGVAR(hardcode_shlibpath_var, $1)=no
-	_LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-R,$libdir'
-	_LT_TAGVAR(hardcode_libdir_separator, $1)=':'
-	_LT_TAGVAR(link_all_deplibs, $1)=yes
-	_LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-Bexport'
-	runpath_var='LD_RUN_PATH'
-
-	case $cc_basename in
-          CC*)
-	    _LT_TAGVAR(archive_cmds, $1)='$CC -G ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
-	    _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
-	    ;;
-	  *)
-	    _LT_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
-	    _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
-	    ;;
-	esac
-      ;;
-
-      tandem*)
-        case $cc_basename in
-          NCC*)
-	    # NonStop-UX NCC 3.20
-	    # FIXME: insert proper C++ library support
-	    _LT_TAGVAR(ld_shlibs, $1)=no
-	    ;;
-          *)
-	    # FIXME: insert proper C++ library support
-	    _LT_TAGVAR(ld_shlibs, $1)=no
-	    ;;
-        esac
-        ;;
-
-      vxworks*)
-        # FIXME: insert proper C++ library support
-        _LT_TAGVAR(ld_shlibs, $1)=no
-        ;;
-
-      *)
-        # FIXME: insert proper C++ library support
-        _LT_TAGVAR(ld_shlibs, $1)=no
-        ;;
-    esac
-
-    AC_MSG_RESULT([$_LT_TAGVAR(ld_shlibs, $1)])
-    test "$_LT_TAGVAR(ld_shlibs, $1)" = no && can_build_shared=no
-
-    _LT_TAGVAR(GCC, $1)="$GXX"
-    _LT_TAGVAR(LD, $1)="$LD"
-
-    ## CAVEAT EMPTOR:
-    ## There is no encapsulation within the following macros, do not change
-    ## the running order or otherwise move them around unless you know exactly
-    ## what you are doing...
-    _LT_SYS_HIDDEN_LIBDEPS($1)
-    _LT_COMPILER_PIC($1)
-    _LT_COMPILER_C_O($1)
-    _LT_COMPILER_FILE_LOCKS($1)
-    _LT_LINKER_SHLIBS($1)
-    _LT_SYS_DYNAMIC_LINKER($1)
-    _LT_LINKER_HARDCODE_LIBPATH($1)
-
-    _LT_CONFIG($1)
-  fi # test -n "$compiler"
-
-  CC=$lt_save_CC
-  LDCXX=$LD
-  LD=$lt_save_LD
-  GCC=$lt_save_GCC
-  with_gnu_ld=$lt_save_with_gnu_ld
-  lt_cv_path_LDCXX=$lt_cv_path_LD
-  lt_cv_path_LD=$lt_save_path_LD
-  lt_cv_prog_gnu_ldcxx=$lt_cv_prog_gnu_ld
-  lt_cv_prog_gnu_ld=$lt_save_with_gnu_ld
-fi # test "$_lt_caught_CXX_error" != yes
-
-AC_LANG_POP
-])# _LT_LANG_CXX_CONFIG
-
-
-# _LT_SYS_HIDDEN_LIBDEPS([TAGNAME])
-# ---------------------------------
-# Figure out "hidden" library dependencies from verbose
-# compiler output when linking a shared library.
-# Parse the compiler output and extract the necessary
-# objects, libraries and library flags.
-m4_defun([_LT_SYS_HIDDEN_LIBDEPS],
-[m4_require([_LT_FILEUTILS_DEFAULTS])dnl
-# Dependencies to place before and after the object being linked:
-_LT_TAGVAR(predep_objects, $1)=
-_LT_TAGVAR(postdep_objects, $1)=
-_LT_TAGVAR(predeps, $1)=
-_LT_TAGVAR(postdeps, $1)=
-_LT_TAGVAR(compiler_lib_search_path, $1)=
-
-dnl we can't use the lt_simple_compile_test_code here,
-dnl because it contains code intended for an executable,
-dnl not a library.  It's possible we should let each
-dnl tag define a new lt_????_link_test_code variable,
-dnl but it's only used here...
-m4_if([$1], [], [cat > conftest.$ac_ext <<_LT_EOF
-int a;
-void foo (void) { a = 0; }
-_LT_EOF
-], [$1], [CXX], [cat > conftest.$ac_ext <<_LT_EOF
-class Foo
-{
-public:
-  Foo (void) { a = 0; }
-private:
-  int a;
-};
-_LT_EOF
-], [$1], [F77], [cat > conftest.$ac_ext <<_LT_EOF
-      subroutine foo
-      implicit none
-      integer*4 a
-      a=0
-      return
-      end
-_LT_EOF
-], [$1], [FC], [cat > conftest.$ac_ext <<_LT_EOF
-      subroutine foo
-      implicit none
-      integer a
-      a=0
-      return
-      end
-_LT_EOF
-], [$1], [GCJ], [cat > conftest.$ac_ext <<_LT_EOF
-public class foo {
-  private int a;
-  public void bar (void) {
-    a = 0;
-  }
-};
-_LT_EOF
-])
-dnl Parse the compiler output and extract the necessary
-dnl objects, libraries and library flags.
-if AC_TRY_EVAL(ac_compile); then
-  # Parse the compiler output and extract the necessary
-  # objects, libraries and library flags.
-
-  # Sentinel used to keep track of whether or not we are before
-  # the conftest object file.
-  pre_test_object_deps_done=no
-
-  for p in `eval "$output_verbose_link_cmd"`; do
-    case $p in
-
-    -L* | -R* | -l*)
-       # Some compilers place space between "-{L,R}" and the path.
-       # Remove the space.
-       if test $p = "-L" ||
-          test $p = "-R"; then
-	 prev=$p
-	 continue
-       else
-	 prev=
-       fi
-
-       if test "$pre_test_object_deps_done" = no; then
-	 case $p in
-	 -L* | -R*)
-	   # Internal compiler library paths should come after those
-	   # provided the user.  The postdeps already come after the
-	   # user supplied libs so there is no need to process them.
-	   if test -z "$_LT_TAGVAR(compiler_lib_search_path, $1)"; then
-	     _LT_TAGVAR(compiler_lib_search_path, $1)="${prev}${p}"
-	   else
-	     _LT_TAGVAR(compiler_lib_search_path, $1)="${_LT_TAGVAR(compiler_lib_search_path, $1)} ${prev}${p}"
-	   fi
-	   ;;
-	 # The "-l" case would never come before the object being
-	 # linked, so don't bother handling this case.
-	 esac
-       else
-	 if test -z "$_LT_TAGVAR(postdeps, $1)"; then
-	   _LT_TAGVAR(postdeps, $1)="${prev}${p}"
-	 else
-	   _LT_TAGVAR(postdeps, $1)="${_LT_TAGVAR(postdeps, $1)} ${prev}${p}"
-	 fi
-       fi
-       ;;
-
-    *.$objext)
-       # This assumes that the test object file only shows up
-       # once in the compiler output.
-       if test "$p" = "conftest.$objext"; then
-	 pre_test_object_deps_done=yes
-	 continue
-       fi
-
-       if test "$pre_test_object_deps_done" = no; then
-	 if test -z "$_LT_TAGVAR(predep_objects, $1)"; then
-	   _LT_TAGVAR(predep_objects, $1)="$p"
-	 else
-	   _LT_TAGVAR(predep_objects, $1)="$_LT_TAGVAR(predep_objects, $1) $p"
-	 fi
-       else
-	 if test -z "$_LT_TAGVAR(postdep_objects, $1)"; then
-	   _LT_TAGVAR(postdep_objects, $1)="$p"
-	 else
-	   _LT_TAGVAR(postdep_objects, $1)="$_LT_TAGVAR(postdep_objects, $1) $p"
-	 fi
-       fi
-       ;;
-
-    *) ;; # Ignore the rest.
-
-    esac
-  done
-
-  # Clean up.
-  rm -f a.out a.exe
-else
-  echo "libtool.m4: error: problem compiling $1 test program"
-fi
-
-$RM -f confest.$objext
-
-# PORTME: override above test on systems where it is broken
-m4_if([$1], [CXX],
-[case $host_os in
-interix[[3-9]]*)
-  # Interix 3.5 installs completely hosed .la files for C++, so rather than
-  # hack all around it, let's just trust "g++" to DTRT.
-  _LT_TAGVAR(predep_objects,$1)=
-  _LT_TAGVAR(postdep_objects,$1)=
-  _LT_TAGVAR(postdeps,$1)=
-  ;;
-
-linux*)
-  case `$CC -V 2>&1 | sed 5q` in
-  *Sun\ C*)
-    # Sun C++ 5.9
-
-    # The more standards-conforming stlport4 library is
-    # incompatible with the Cstd library. Avoid specifying
-    # it if it's in CXXFLAGS. Ignore libCrun as
-    # -library=stlport4 depends on it.
-    case " $CXX $CXXFLAGS " in
-    *" -library=stlport4 "*)
-      solaris_use_stlport4=yes
-      ;;
-    esac
-
-    if test "$solaris_use_stlport4" != yes; then
-      _LT_TAGVAR(postdeps,$1)='-library=Cstd -library=Crun'
-    fi
-    ;;
-  esac
-  ;;
-
-solaris*)
-  case $cc_basename in
-  CC*)
-    # The more standards-conforming stlport4 library is
-    # incompatible with the Cstd library. Avoid specifying
-    # it if it's in CXXFLAGS. Ignore libCrun as
-    # -library=stlport4 depends on it.
-    case " $CXX $CXXFLAGS " in
-    *" -library=stlport4 "*)
-      solaris_use_stlport4=yes
-      ;;
-    esac
-
-    # Adding this requires a known-good setup of shared libraries for
-    # Sun compiler versions before 5.6, else PIC objects from an old
-    # archive will be linked into the output, leading to subtle bugs.
-    if test "$solaris_use_stlport4" != yes; then
-      _LT_TAGVAR(postdeps,$1)='-library=Cstd -library=Crun'
-    fi
-    ;;
-  esac
-  ;;
-esac
-])
-
-case " $_LT_TAGVAR(postdeps, $1) " in
-*" -lc "*) _LT_TAGVAR(archive_cmds_need_lc, $1)=no ;;
-esac
- _LT_TAGVAR(compiler_lib_search_dirs, $1)=
-if test -n "${_LT_TAGVAR(compiler_lib_search_path, $1)}"; then
- _LT_TAGVAR(compiler_lib_search_dirs, $1)=`echo " ${_LT_TAGVAR(compiler_lib_search_path, $1)}" | ${SED} -e 's! -L! !g' -e 's!^ !!'`
-fi
-_LT_TAGDECL([], [compiler_lib_search_dirs], [1],
-    [The directories searched by this compiler when creating a shared library])
-_LT_TAGDECL([], [predep_objects], [1],
-    [Dependencies to place before and after the objects being linked to
-    create a shared library])
-_LT_TAGDECL([], [postdep_objects], [1])
-_LT_TAGDECL([], [predeps], [1])
-_LT_TAGDECL([], [postdeps], [1])
-_LT_TAGDECL([], [compiler_lib_search_path], [1],
-    [The library search path used internally by the compiler when linking
-    a shared library])
-])# _LT_SYS_HIDDEN_LIBDEPS
-
-
-# _LT_PROG_F77
-# ------------
-# Since AC_PROG_F77 is broken, in that it returns the empty string
-# if there is no fortran compiler, we have our own version here.
-m4_defun([_LT_PROG_F77],
-[
-pushdef([AC_MSG_ERROR], [_lt_disable_F77=yes])
-AC_PROG_F77
-if test -z "$F77" || test "X$F77" = "Xno"; then
-  _lt_disable_F77=yes
-fi
-popdef([AC_MSG_ERROR])
-])# _LT_PROG_F77
-
-dnl aclocal-1.4 backwards compatibility:
-dnl AC_DEFUN([_LT_PROG_F77], [])
-
-
-# _LT_LANG_F77_CONFIG([TAG])
-# --------------------------
-# Ensure that the configuration variables for a Fortran 77 compiler are
-# suitably defined.  These variables are subsequently used by _LT_CONFIG
-# to write the compiler configuration to `libtool'.
-m4_defun([_LT_LANG_F77_CONFIG],
-[AC_REQUIRE([_LT_PROG_F77])dnl
-AC_LANG_PUSH(Fortran 77)
-
-_LT_TAGVAR(archive_cmds_need_lc, $1)=no
-_LT_TAGVAR(allow_undefined_flag, $1)=
-_LT_TAGVAR(always_export_symbols, $1)=no
-_LT_TAGVAR(archive_expsym_cmds, $1)=
-_LT_TAGVAR(export_dynamic_flag_spec, $1)=
-_LT_TAGVAR(hardcode_direct, $1)=no
-_LT_TAGVAR(hardcode_direct_absolute, $1)=no
-_LT_TAGVAR(hardcode_libdir_flag_spec, $1)=
-_LT_TAGVAR(hardcode_libdir_flag_spec_ld, $1)=
-_LT_TAGVAR(hardcode_libdir_separator, $1)=
-_LT_TAGVAR(hardcode_minus_L, $1)=no
-_LT_TAGVAR(hardcode_automatic, $1)=no
-_LT_TAGVAR(inherit_rpath, $1)=no
-_LT_TAGVAR(module_cmds, $1)=
-_LT_TAGVAR(module_expsym_cmds, $1)=
-_LT_TAGVAR(link_all_deplibs, $1)=unknown
-_LT_TAGVAR(old_archive_cmds, $1)=$old_archive_cmds
-_LT_TAGVAR(no_undefined_flag, $1)=
-_LT_TAGVAR(whole_archive_flag_spec, $1)=
-_LT_TAGVAR(enable_shared_with_static_runtimes, $1)=no
-
-# Source file extension for f77 test sources.
-ac_ext=f
-
-# Object file extension for compiled f77 test sources.
-objext=o
-_LT_TAGVAR(objext, $1)=$objext
-
-# No sense in running all these tests if we already determined that
-# the F77 compiler isn't working.  Some variables (like enable_shared)
-# are currently assumed to apply to all compilers on this platform,
-# and will be corrupted by setting them based on a non-working compiler.
-if test "$_lt_disable_F77" != yes; then
-  # Code to be used in simple compile tests
-  lt_simple_compile_test_code="\
-      subroutine t
-      return
-      end
-"
-
-  # Code to be used in simple link tests
-  lt_simple_link_test_code="\
-      program t
-      end
-"
-
-  # ltmain only uses $CC for tagged configurations so make sure $CC is set.
-  _LT_TAG_COMPILER
-
-  # save warnings/boilerplate of simple test code
-  _LT_COMPILER_BOILERPLATE
-  _LT_LINKER_BOILERPLATE
-
-  # Allow CC to be a program name with arguments.
-  lt_save_CC="$CC"
-  lt_save_GCC=$GCC
-  CC=${F77-"f77"}
-  compiler=$CC
-  _LT_TAGVAR(compiler, $1)=$CC
-  _LT_CC_BASENAME([$compiler])
-  GCC=$G77
-  if test -n "$compiler"; then
-    AC_MSG_CHECKING([if libtool supports shared libraries])
-    AC_MSG_RESULT([$can_build_shared])
-
-    AC_MSG_CHECKING([whether to build shared libraries])
-    test "$can_build_shared" = "no" && enable_shared=no
-
-    # On AIX, shared libraries and static libraries use the same namespace, and
-    # are all built from PIC.
-    case $host_os in
-      aix3*)
-        test "$enable_shared" = yes && enable_static=no
-        if test -n "$RANLIB"; then
-          archive_cmds="$archive_cmds~\$RANLIB \$lib"
-          postinstall_cmds='$RANLIB $lib'
-        fi
-        ;;
-      aix[[4-9]]*)
-	if test "$host_cpu" != ia64 && test "$aix_use_runtimelinking" = no ; then
-	  test "$enable_shared" = yes && enable_static=no
-	fi
-        ;;
-    esac
-    AC_MSG_RESULT([$enable_shared])
-
-    AC_MSG_CHECKING([whether to build static libraries])
-    # Make sure either enable_shared or enable_static is yes.
-    test "$enable_shared" = yes || enable_static=yes
-    AC_MSG_RESULT([$enable_static])
-
-    _LT_TAGVAR(GCC, $1)="$G77"
-    _LT_TAGVAR(LD, $1)="$LD"
-
-    ## CAVEAT EMPTOR:
-    ## There is no encapsulation within the following macros, do not change
-    ## the running order or otherwise move them around unless you know exactly
-    ## what you are doing...
-    _LT_COMPILER_PIC($1)
-    _LT_COMPILER_C_O($1)
-    _LT_COMPILER_FILE_LOCKS($1)
-    _LT_LINKER_SHLIBS($1)
-    _LT_SYS_DYNAMIC_LINKER($1)
-    _LT_LINKER_HARDCODE_LIBPATH($1)
-
-    _LT_CONFIG($1)
-  fi # test -n "$compiler"
-
-  GCC=$lt_save_GCC
-  CC="$lt_save_CC"
-fi # test "$_lt_disable_F77" != yes
-
-AC_LANG_POP
-])# _LT_LANG_F77_CONFIG
-
-
-# _LT_PROG_FC
-# -----------
-# Since AC_PROG_FC is broken, in that it returns the empty string
-# if there is no fortran compiler, we have our own version here.
-m4_defun([_LT_PROG_FC],
-[
-pushdef([AC_MSG_ERROR], [_lt_disable_FC=yes])
-AC_PROG_FC
-if test -z "$FC" || test "X$FC" = "Xno"; then
-  _lt_disable_FC=yes
-fi
-popdef([AC_MSG_ERROR])
-])# _LT_PROG_FC
-
-dnl aclocal-1.4 backwards compatibility:
-dnl AC_DEFUN([_LT_PROG_FC], [])
-
-
-# _LT_LANG_FC_CONFIG([TAG])
-# -------------------------
-# Ensure that the configuration variables for a Fortran compiler are
-# suitably defined.  These variables are subsequently used by _LT_CONFIG
-# to write the compiler configuration to `libtool'.
-m4_defun([_LT_LANG_FC_CONFIG],
-[AC_REQUIRE([_LT_PROG_FC])dnl
-AC_LANG_PUSH(Fortran)
-
-_LT_TAGVAR(archive_cmds_need_lc, $1)=no
-_LT_TAGVAR(allow_undefined_flag, $1)=
-_LT_TAGVAR(always_export_symbols, $1)=no
-_LT_TAGVAR(archive_expsym_cmds, $1)=
-_LT_TAGVAR(export_dynamic_flag_spec, $1)=
-_LT_TAGVAR(hardcode_direct, $1)=no
-_LT_TAGVAR(hardcode_direct_absolute, $1)=no
-_LT_TAGVAR(hardcode_libdir_flag_spec, $1)=
-_LT_TAGVAR(hardcode_libdir_flag_spec_ld, $1)=
-_LT_TAGVAR(hardcode_libdir_separator, $1)=
-_LT_TAGVAR(hardcode_minus_L, $1)=no
-_LT_TAGVAR(hardcode_automatic, $1)=no
-_LT_TAGVAR(inherit_rpath, $1)=no
-_LT_TAGVAR(module_cmds, $1)=
-_LT_TAGVAR(module_expsym_cmds, $1)=
-_LT_TAGVAR(link_all_deplibs, $1)=unknown
-_LT_TAGVAR(old_archive_cmds, $1)=$old_archive_cmds
-_LT_TAGVAR(no_undefined_flag, $1)=
-_LT_TAGVAR(whole_archive_flag_spec, $1)=
-_LT_TAGVAR(enable_shared_with_static_runtimes, $1)=no
-
-# Source file extension for fc test sources.
-ac_ext=${ac_fc_srcext-f}
-
-# Object file extension for compiled fc test sources.
-objext=o
-_LT_TAGVAR(objext, $1)=$objext
-
-# No sense in running all these tests if we already determined that
-# the FC compiler isn't working.  Some variables (like enable_shared)
-# are currently assumed to apply to all compilers on this platform,
-# and will be corrupted by setting them based on a non-working compiler.
-if test "$_lt_disable_FC" != yes; then
-  # Code to be used in simple compile tests
-  lt_simple_compile_test_code="\
-      subroutine t
-      return
-      end
-"
-
-  # Code to be used in simple link tests
-  lt_simple_link_test_code="\
-      program t
-      end
-"
-
-  # ltmain only uses $CC for tagged configurations so make sure $CC is set.
-  _LT_TAG_COMPILER
-
-  # save warnings/boilerplate of simple test code
-  _LT_COMPILER_BOILERPLATE
-  _LT_LINKER_BOILERPLATE
-
-  # Allow CC to be a program name with arguments.
-  lt_save_CC="$CC"
-  lt_save_GCC=$GCC
-  CC=${FC-"f95"}
-  compiler=$CC
-  GCC=$ac_cv_fc_compiler_gnu
-
-  _LT_TAGVAR(compiler, $1)=$CC
-  _LT_CC_BASENAME([$compiler])
-
-  if test -n "$compiler"; then
-    AC_MSG_CHECKING([if libtool supports shared libraries])
-    AC_MSG_RESULT([$can_build_shared])
-
-    AC_MSG_CHECKING([whether to build shared libraries])
-    test "$can_build_shared" = "no" && enable_shared=no
-
-    # On AIX, shared libraries and static libraries use the same namespace, and
-    # are all built from PIC.
-    case $host_os in
-      aix3*)
-        test "$enable_shared" = yes && enable_static=no
-        if test -n "$RANLIB"; then
-          archive_cmds="$archive_cmds~\$RANLIB \$lib"
-          postinstall_cmds='$RANLIB $lib'
-        fi
-        ;;
-      aix[[4-9]]*)
-	if test "$host_cpu" != ia64 && test "$aix_use_runtimelinking" = no ; then
-	  test "$enable_shared" = yes && enable_static=no
-	fi
-        ;;
-    esac
-    AC_MSG_RESULT([$enable_shared])
-
-    AC_MSG_CHECKING([whether to build static libraries])
-    # Make sure either enable_shared or enable_static is yes.
-    test "$enable_shared" = yes || enable_static=yes
-    AC_MSG_RESULT([$enable_static])
-
-    _LT_TAGVAR(GCC, $1)="$ac_cv_fc_compiler_gnu"
-    _LT_TAGVAR(LD, $1)="$LD"
-
-    ## CAVEAT EMPTOR:
-    ## There is no encapsulation within the following macros, do not change
-    ## the running order or otherwise move them around unless you know exactly
-    ## what you are doing...
-    _LT_SYS_HIDDEN_LIBDEPS($1)
-    _LT_COMPILER_PIC($1)
-    _LT_COMPILER_C_O($1)
-    _LT_COMPILER_FILE_LOCKS($1)
-    _LT_LINKER_SHLIBS($1)
-    _LT_SYS_DYNAMIC_LINKER($1)
-    _LT_LINKER_HARDCODE_LIBPATH($1)
-
-    _LT_CONFIG($1)
-  fi # test -n "$compiler"
-
-  GCC=$lt_save_GCC
-  CC="$lt_save_CC"
-fi # test "$_lt_disable_FC" != yes
-
-AC_LANG_POP
-])# _LT_LANG_FC_CONFIG
-
-
-# _LT_LANG_GCJ_CONFIG([TAG])
-# --------------------------
-# Ensure that the configuration variables for the GNU Java Compiler compiler
-# are suitably defined.  These variables are subsequently used by _LT_CONFIG
-# to write the compiler configuration to `libtool'.
-m4_defun([_LT_LANG_GCJ_CONFIG],
-[AC_REQUIRE([LT_PROG_GCJ])dnl
-AC_LANG_SAVE
-
-# Source file extension for Java test sources.
-ac_ext=java
-
-# Object file extension for compiled Java test sources.
-objext=o
-_LT_TAGVAR(objext, $1)=$objext
-
-# Code to be used in simple compile tests
-lt_simple_compile_test_code="class foo {}"
-
-# Code to be used in simple link tests
-lt_simple_link_test_code='public class conftest { public static void main(String[[]] argv) {}; }'
-
-# ltmain only uses $CC for tagged configurations so make sure $CC is set.
-_LT_TAG_COMPILER
-
-# save warnings/boilerplate of simple test code
-_LT_COMPILER_BOILERPLATE
-_LT_LINKER_BOILERPLATE
-
-# Allow CC to be a program name with arguments.
-lt_save_CC="$CC"
-lt_save_GCC=$GCC
-GCC=yes
-CC=${GCJ-"gcj"}
-compiler=$CC
-_LT_TAGVAR(compiler, $1)=$CC
-_LT_TAGVAR(LD, $1)="$LD"
-_LT_CC_BASENAME([$compiler])
-
-# GCJ did not exist at the time GCC didn't implicitly link libc in.
-_LT_TAGVAR(archive_cmds_need_lc, $1)=no
-
-_LT_TAGVAR(old_archive_cmds, $1)=$old_archive_cmds
-
-if test -n "$compiler"; then
-  _LT_COMPILER_NO_RTTI($1)
-  _LT_COMPILER_PIC($1)
-  _LT_COMPILER_C_O($1)
-  _LT_COMPILER_FILE_LOCKS($1)
-  _LT_LINKER_SHLIBS($1)
-  _LT_LINKER_HARDCODE_LIBPATH($1)
-
-  _LT_CONFIG($1)
-fi
-
-AC_LANG_RESTORE
-
-GCC=$lt_save_GCC
-CC="$lt_save_CC"
-])# _LT_LANG_GCJ_CONFIG
-
-
-# _LT_LANG_RC_CONFIG([TAG])
-# -------------------------
-# Ensure that the configuration variables for the Windows resource compiler
-# are suitably defined.  These variables are subsequently used by _LT_CONFIG
-# to write the compiler configuration to `libtool'.
-m4_defun([_LT_LANG_RC_CONFIG],
-[AC_REQUIRE([LT_PROG_RC])dnl
-AC_LANG_SAVE
-
-# Source file extension for RC test sources.
-ac_ext=rc
-
-# Object file extension for compiled RC test sources.
-objext=o
-_LT_TAGVAR(objext, $1)=$objext
-
-# Code to be used in simple compile tests
-lt_simple_compile_test_code='sample MENU { MENUITEM "&Soup", 100, CHECKED }'
-
-# Code to be used in simple link tests
-lt_simple_link_test_code="$lt_simple_compile_test_code"
-
-# ltmain only uses $CC for tagged configurations so make sure $CC is set.
-_LT_TAG_COMPILER
-
-# save warnings/boilerplate of simple test code
-_LT_COMPILER_BOILERPLATE
-_LT_LINKER_BOILERPLATE
-
-# Allow CC to be a program name with arguments.
-lt_save_CC="$CC"
-lt_save_GCC=$GCC
-GCC=
-CC=${RC-"windres"}
-compiler=$CC
-_LT_TAGVAR(compiler, $1)=$CC
-_LT_CC_BASENAME([$compiler])
-_LT_TAGVAR(lt_cv_prog_compiler_c_o, $1)=yes
-
-if test -n "$compiler"; then
-  :
-  _LT_CONFIG($1)
-fi
-
-GCC=$lt_save_GCC
-AC_LANG_RESTORE
-CC="$lt_save_CC"
-])# _LT_LANG_RC_CONFIG
-
-
-# LT_PROG_GCJ
-# -----------
-AC_DEFUN([LT_PROG_GCJ],
-[m4_ifdef([AC_PROG_GCJ], [AC_PROG_GCJ],
-  [m4_ifdef([A][M_PROG_GCJ], [A][M_PROG_GCJ],
-    [AC_CHECK_TOOL(GCJ, gcj,)
-      test "x${GCJFLAGS+set}" = xset || GCJFLAGS="-g -O2"
-      AC_SUBST(GCJFLAGS)])])[]dnl
-])
-
-# Old name:
-AU_ALIAS([LT_AC_PROG_GCJ], [LT_PROG_GCJ])
-dnl aclocal-1.4 backwards compatibility:
-dnl AC_DEFUN([LT_AC_PROG_GCJ], [])
-
-
-# LT_PROG_RC
-# ----------
-AC_DEFUN([LT_PROG_RC],
-[AC_CHECK_TOOL(RC, windres,)
-])
-
-# Old name:
-AU_ALIAS([LT_AC_PROG_RC], [LT_PROG_RC])
-dnl aclocal-1.4 backwards compatibility:
-dnl AC_DEFUN([LT_AC_PROG_RC], [])
-
-
-# _LT_DECL_EGREP
-# --------------
-# If we don't have a new enough Autoconf to choose the best grep
-# available, choose the one first in the user's PATH.
-m4_defun([_LT_DECL_EGREP],
-[AC_REQUIRE([AC_PROG_EGREP])dnl
-AC_REQUIRE([AC_PROG_FGREP])dnl
-test -z "$GREP" && GREP=grep
-_LT_DECL([], [GREP], [1], [A grep program that handles long lines])
-_LT_DECL([], [EGREP], [1], [An ERE matcher])
-_LT_DECL([], [FGREP], [1], [A literal string matcher])
-dnl Non-bleeding-edge autoconf doesn't subst GREP, so do it here too
-AC_SUBST([GREP])
-])
-
-
-# _LT_DECL_OBJDUMP
-# --------------
-# If we don't have a new enough Autoconf to choose the best objdump
-# available, choose the one first in the user's PATH.
-m4_defun([_LT_DECL_OBJDUMP],
-[AC_CHECK_TOOL(OBJDUMP, objdump, false)
-test -z "$OBJDUMP" && OBJDUMP=objdump
-_LT_DECL([], [OBJDUMP], [1], [An object symbol dumper])
-AC_SUBST([OBJDUMP])
-])
-
-
-# _LT_DECL_SED
-# ------------
-# Check for a fully-functional sed program, that truncates
-# as few characters as possible.  Prefer GNU sed if found.
-m4_defun([_LT_DECL_SED],
-[AC_PROG_SED
-test -z "$SED" && SED=sed
-Xsed="$SED -e 1s/^X//"
-_LT_DECL([], [SED], [1], [A sed program that does not truncate output])
-_LT_DECL([], [Xsed], ["\$SED -e 1s/^X//"],
-    [Sed that helps us avoid accidentally triggering echo(1) options like -n])
-])# _LT_DECL_SED
-
-m4_ifndef([AC_PROG_SED], [
-# NOTE: This macro has been submitted for inclusion into   #
-#  GNU Autoconf as AC_PROG_SED.  When it is available in   #
-#  a released version of Autoconf we should remove this    #
-#  macro and use it instead.                               #
-
-m4_defun([AC_PROG_SED],
-[AC_MSG_CHECKING([for a sed that does not truncate output])
-AC_CACHE_VAL(lt_cv_path_SED,
-[# Loop through the user's path and test for sed and gsed.
-# Then use that list of sed's as ones to test for truncation.
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  for lt_ac_prog in sed gsed; do
-    for ac_exec_ext in '' $ac_executable_extensions; do
-      if $as_executable_p "$as_dir/$lt_ac_prog$ac_exec_ext"; then
-        lt_ac_sed_list="$lt_ac_sed_list $as_dir/$lt_ac_prog$ac_exec_ext"
-      fi
-    done
-  done
-done
-IFS=$as_save_IFS
-lt_ac_max=0
-lt_ac_count=0
-# Add /usr/xpg4/bin/sed as it is typically found on Solaris
-# along with /bin/sed that truncates output.
-for lt_ac_sed in $lt_ac_sed_list /usr/xpg4/bin/sed; do
-  test ! -f $lt_ac_sed && continue
-  cat /dev/null > conftest.in
-  lt_ac_count=0
-  echo $ECHO_N "0123456789$ECHO_C" >conftest.in
-  # Check for GNU sed and select it if it is found.
-  if "$lt_ac_sed" --version 2>&1 < /dev/null | grep 'GNU' > /dev/null; then
-    lt_cv_path_SED=$lt_ac_sed
-    break
-  fi
-  while true; do
-    cat conftest.in conftest.in >conftest.tmp
-    mv conftest.tmp conftest.in
-    cp conftest.in conftest.nl
-    echo >>conftest.nl
-    $lt_ac_sed -e 's/a$//' < conftest.nl >conftest.out || break
-    cmp -s conftest.out conftest.nl || break
-    # 10000 chars as input seems more than enough
-    test $lt_ac_count -gt 10 && break
-    lt_ac_count=`expr $lt_ac_count + 1`
-    if test $lt_ac_count -gt $lt_ac_max; then
-      lt_ac_max=$lt_ac_count
-      lt_cv_path_SED=$lt_ac_sed
-    fi
-  done
-done
-])
-SED=$lt_cv_path_SED
-AC_SUBST([SED])
-AC_MSG_RESULT([$SED])
-])#AC_PROG_SED
-])#m4_ifndef
-
-# Old name:
-AU_ALIAS([LT_AC_PROG_SED], [AC_PROG_SED])
-dnl aclocal-1.4 backwards compatibility:
-dnl AC_DEFUN([LT_AC_PROG_SED], [])
-
-
-# _LT_CHECK_SHELL_FEATURES
-# ------------------------
-# Find out whether the shell is Bourne or XSI compatible,
-# or has some other useful features.
-m4_defun([_LT_CHECK_SHELL_FEATURES],
-[AC_MSG_CHECKING([whether the shell understands some XSI constructs])
-# Try some XSI features
-xsi_shell=no
-( _lt_dummy="a/b/c"
-  test "${_lt_dummy##*/},${_lt_dummy%/*},"${_lt_dummy%"$_lt_dummy"}, \
-      = c,a/b,, \
-    && eval 'test $(( 1 + 1 )) -eq 2 \
-    && test "${#_lt_dummy}" -eq 5' ) >/dev/null 2>&1 \
-  && xsi_shell=yes
-AC_MSG_RESULT([$xsi_shell])
-_LT_CONFIG_LIBTOOL_INIT([xsi_shell='$xsi_shell'])
-
-AC_MSG_CHECKING([whether the shell understands "+="])
-lt_shell_append=no
-( foo=bar; set foo baz; eval "$[1]+=\$[2]" && test "$foo" = barbaz ) \
-    >/dev/null 2>&1 \
-  && lt_shell_append=yes
-AC_MSG_RESULT([$lt_shell_append])
-_LT_CONFIG_LIBTOOL_INIT([lt_shell_append='$lt_shell_append'])
-
-if ( (MAIL=60; unset MAIL) || exit) >/dev/null 2>&1; then
-  lt_unset=unset
-else
-  lt_unset=false
-fi
-_LT_DECL([], [lt_unset], [0], [whether the shell understands "unset"])dnl
-
-# test EBCDIC or ASCII
-case `echo X|tr X '\101'` in
- A) # ASCII based system
-    # \n is not interpreted correctly by Solaris 8 /usr/ucb/tr
-  lt_SP2NL='tr \040 \012'
-  lt_NL2SP='tr \015\012 \040\040'
-  ;;
- *) # EBCDIC based system
-  lt_SP2NL='tr \100 \n'
-  lt_NL2SP='tr \r\n \100\100'
-  ;;
-esac
-_LT_DECL([SP2NL], [lt_SP2NL], [1], [turn spaces into newlines])dnl
-_LT_DECL([NL2SP], [lt_NL2SP], [1], [turn newlines into spaces])dnl
-])# _LT_CHECK_SHELL_FEATURES
-
-
-# _LT_PROG_XSI_SHELLFNS
-# ---------------------
-# Bourne and XSI compatible variants of some useful shell functions.
-m4_defun([_LT_PROG_XSI_SHELLFNS],
-[case $xsi_shell in
-  yes)
-    cat << \_LT_EOF >> "$cfgfile"
-
-# func_dirname file append nondir_replacement
-# Compute the dirname of FILE.  If nonempty, add APPEND to the result,
-# otherwise set result to NONDIR_REPLACEMENT.
-func_dirname ()
-{
-  case ${1} in
-    */*) func_dirname_result="${1%/*}${2}" ;;
-    *  ) func_dirname_result="${3}" ;;
-  esac
-}
-
-# func_basename file
-func_basename ()
-{
-  func_basename_result="${1##*/}"
-}
-
-# func_dirname_and_basename file append nondir_replacement
-# perform func_basename and func_dirname in a single function
-# call:
-#   dirname:  Compute the dirname of FILE.  If nonempty,
-#             add APPEND to the result, otherwise set result
-#             to NONDIR_REPLACEMENT.
-#             value returned in "$func_dirname_result"
-#   basename: Compute filename of FILE.
-#             value retuned in "$func_basename_result"
-# Implementation must be kept synchronized with func_dirname
-# and func_basename. For efficiency, we do not delegate to
-# those functions but instead duplicate the functionality here.
-func_dirname_and_basename ()
-{
-  case ${1} in
-    */*) func_dirname_result="${1%/*}${2}" ;;
-    *  ) func_dirname_result="${3}" ;;
-  esac
-  func_basename_result="${1##*/}"
-}
-
-# func_stripname prefix suffix name
-# strip PREFIX and SUFFIX off of NAME.
-# PREFIX and SUFFIX must not contain globbing or regex special
-# characters, hashes, percent signs, but SUFFIX may contain a leading
-# dot (in which case that matches only a dot).
-func_stripname ()
-{
-  # pdksh 5.2.14 does not do ${X%$Y} correctly if both X and Y are
-  # positional parameters, so assign one to ordinary parameter first.
-  func_stripname_result=${3}
-  func_stripname_result=${func_stripname_result#"${1}"}
-  func_stripname_result=${func_stripname_result%"${2}"}
-}
-
-# func_opt_split
-func_opt_split ()
-{
-  func_opt_split_opt=${1%%=*}
-  func_opt_split_arg=${1#*=}
-}
-
-# func_lo2o object
-func_lo2o ()
-{
-  case ${1} in
-    *.lo) func_lo2o_result=${1%.lo}.${objext} ;;
-    *)    func_lo2o_result=${1} ;;
-  esac
-}
-
-# func_xform libobj-or-source
-func_xform ()
-{
-  func_xform_result=${1%.*}.lo
-}
-
-# func_arith arithmetic-term...
-func_arith ()
-{
-  func_arith_result=$(( $[*] ))
-}
-
-# func_len string
-# STRING may not start with a hyphen.
-func_len ()
-{
-  func_len_result=${#1}
-}
-
-_LT_EOF
-    ;;
-  *) # Bourne compatible functions.
-    cat << \_LT_EOF >> "$cfgfile"
-
-# func_dirname file append nondir_replacement
-# Compute the dirname of FILE.  If nonempty, add APPEND to the result,
-# otherwise set result to NONDIR_REPLACEMENT.
-func_dirname ()
-{
-  # Extract subdirectory from the argument.
-  func_dirname_result=`$ECHO "X${1}" | $Xsed -e "$dirname"`
-  if test "X$func_dirname_result" = "X${1}"; then
-    func_dirname_result="${3}"
-  else
-    func_dirname_result="$func_dirname_result${2}"
-  fi
-}
-
-# func_basename file
-func_basename ()
-{
-  func_basename_result=`$ECHO "X${1}" | $Xsed -e "$basename"`
-}
-
-dnl func_dirname_and_basename
-dnl A portable version of this function is already defined in general.m4sh
-dnl so there is no need for it here.
-
-# func_stripname prefix suffix name
-# strip PREFIX and SUFFIX off of NAME.
-# PREFIX and SUFFIX must not contain globbing or regex special
-# characters, hashes, percent signs, but SUFFIX may contain a leading
-# dot (in which case that matches only a dot).
-# func_strip_suffix prefix name
-func_stripname ()
-{
-  case ${2} in
-    .*) func_stripname_result=`$ECHO "X${3}" \
-           | $Xsed -e "s%^${1}%%" -e "s%\\\\${2}\$%%"`;;
-    *)  func_stripname_result=`$ECHO "X${3}" \
-           | $Xsed -e "s%^${1}%%" -e "s%${2}\$%%"`;;
-  esac
-}
-
-# sed scripts:
-my_sed_long_opt='1s/^\(-[[^=]]*\)=.*/\1/;q'
-my_sed_long_arg='1s/^-[[^=]]*=//'
-
-# func_opt_split
-func_opt_split ()
-{
-  func_opt_split_opt=`$ECHO "X${1}" | $Xsed -e "$my_sed_long_opt"`
-  func_opt_split_arg=`$ECHO "X${1}" | $Xsed -e "$my_sed_long_arg"`
-}
-
-# func_lo2o object
-func_lo2o ()
-{
-  func_lo2o_result=`$ECHO "X${1}" | $Xsed -e "$lo2o"`
-}
-
-# func_xform libobj-or-source
-func_xform ()
-{
-  func_xform_result=`$ECHO "X${1}" | $Xsed -e 's/\.[[^.]]*$/.lo/'`
-}
-
-# func_arith arithmetic-term...
-func_arith ()
-{
-  func_arith_result=`expr "$[@]"`
-}
-
-# func_len string
-# STRING may not start with a hyphen.
-func_len ()
-{
-  func_len_result=`expr "$[1]" : ".*" 2>/dev/null || echo $max_cmd_len`
-}
-
-_LT_EOF
-esac
-
-case $lt_shell_append in
-  yes)
-    cat << \_LT_EOF >> "$cfgfile"
-
-# func_append var value
-# Append VALUE to the end of shell variable VAR.
-func_append ()
-{
-  eval "$[1]+=\$[2]"
-}
-_LT_EOF
-    ;;
-  *)
-    cat << \_LT_EOF >> "$cfgfile"
-
-# func_append var value
-# Append VALUE to the end of shell variable VAR.
-func_append ()
-{
-  eval "$[1]=\$$[1]\$[2]"
-}
-
-_LT_EOF
-    ;;
-  esac
-])
-
-# Helper functions for option handling.                    -*- Autoconf -*-
-#
-#   Copyright (C) 2004, 2005, 2007, 2008 Free Software Foundation, Inc.
-#   Written by Gary V. Vaughan, 2004
-#
-# This file is free software; the Free Software Foundation gives
-# unlimited permission to copy and/or distribute it, with or without
-# modifications, as long as this notice is preserved.
-
-# serial 6 ltoptions.m4
-
-# This is to help aclocal find these macros, as it can't see m4_define.
-AC_DEFUN([LTOPTIONS_VERSION], [m4_if([1])])
-
-
-# _LT_MANGLE_OPTION(MACRO-NAME, OPTION-NAME)
-# ------------------------------------------
-m4_define([_LT_MANGLE_OPTION],
-[[_LT_OPTION_]m4_bpatsubst($1__$2, [[^a-zA-Z0-9_]], [_])])
-
-
-# _LT_SET_OPTION(MACRO-NAME, OPTION-NAME)
-# ---------------------------------------
-# Set option OPTION-NAME for macro MACRO-NAME, and if there is a
-# matching handler defined, dispatch to it.  Other OPTION-NAMEs are
-# saved as a flag.
-m4_define([_LT_SET_OPTION],
-[m4_define(_LT_MANGLE_OPTION([$1], [$2]))dnl
-m4_ifdef(_LT_MANGLE_DEFUN([$1], [$2]),
-        _LT_MANGLE_DEFUN([$1], [$2]),
-    [m4_warning([Unknown $1 option `$2'])])[]dnl
-])
-
-
-# _LT_IF_OPTION(MACRO-NAME, OPTION-NAME, IF-SET, [IF-NOT-SET])
-# ------------------------------------------------------------
-# Execute IF-SET if OPTION is set, IF-NOT-SET otherwise.
-m4_define([_LT_IF_OPTION],
-[m4_ifdef(_LT_MANGLE_OPTION([$1], [$2]), [$3], [$4])])
-
-
-# _LT_UNLESS_OPTIONS(MACRO-NAME, OPTION-LIST, IF-NOT-SET)
-# -------------------------------------------------------
-# Execute IF-NOT-SET unless all options in OPTION-LIST for MACRO-NAME
-# are set.
-m4_define([_LT_UNLESS_OPTIONS],
-[m4_foreach([_LT_Option], m4_split(m4_normalize([$2])),
-	    [m4_ifdef(_LT_MANGLE_OPTION([$1], _LT_Option),
-		      [m4_define([$0_found])])])[]dnl
-m4_ifdef([$0_found], [m4_undefine([$0_found])], [$3
-])[]dnl
-])
-
-
-# _LT_SET_OPTIONS(MACRO-NAME, OPTION-LIST)
-# ----------------------------------------
-# OPTION-LIST is a space-separated list of Libtool options associated
-# with MACRO-NAME.  If any OPTION has a matching handler declared with
-# LT_OPTION_DEFINE, dispatch to that macro; otherwise complain about
-# the unknown option and exit.
-m4_defun([_LT_SET_OPTIONS],
-[# Set options
-m4_foreach([_LT_Option], m4_split(m4_normalize([$2])),
-    [_LT_SET_OPTION([$1], _LT_Option)])
-
-m4_if([$1],[LT_INIT],[
-  dnl
-  dnl Simply set some default values (i.e off) if boolean options were not
-  dnl specified:
-  _LT_UNLESS_OPTIONS([LT_INIT], [dlopen], [enable_dlopen=no
-  ])
-  _LT_UNLESS_OPTIONS([LT_INIT], [win32-dll], [enable_win32_dll=no
-  ])
-  dnl
-  dnl If no reference was made to various pairs of opposing options, then
-  dnl we run the default mode handler for the pair.  For example, if neither
-  dnl `shared' nor `disable-shared' was passed, we enable building of shared
-  dnl archives by default:
-  _LT_UNLESS_OPTIONS([LT_INIT], [shared disable-shared], [_LT_ENABLE_SHARED])
-  _LT_UNLESS_OPTIONS([LT_INIT], [static disable-static], [_LT_ENABLE_STATIC])
-  _LT_UNLESS_OPTIONS([LT_INIT], [pic-only no-pic], [_LT_WITH_PIC])
-  _LT_UNLESS_OPTIONS([LT_INIT], [fast-install disable-fast-install],
-  		   [_LT_ENABLE_FAST_INSTALL])
-  ])
-])# _LT_SET_OPTIONS
-
-
-
-# _LT_MANGLE_DEFUN(MACRO-NAME, OPTION-NAME)
-# -----------------------------------------
-m4_define([_LT_MANGLE_DEFUN],
-[[_LT_OPTION_DEFUN_]m4_bpatsubst(m4_toupper([$1__$2]), [[^A-Z0-9_]], [_])])
-
-
-# LT_OPTION_DEFINE(MACRO-NAME, OPTION-NAME, CODE)
-# -----------------------------------------------
-m4_define([LT_OPTION_DEFINE],
-[m4_define(_LT_MANGLE_DEFUN([$1], [$2]), [$3])[]dnl
-])# LT_OPTION_DEFINE
-
-
-# dlopen
-# ------
-LT_OPTION_DEFINE([LT_INIT], [dlopen], [enable_dlopen=yes
-])
-
-AU_DEFUN([AC_LIBTOOL_DLOPEN],
-[_LT_SET_OPTION([LT_INIT], [dlopen])
-AC_DIAGNOSE([obsolete],
-[$0: Remove this warning and the call to _LT_SET_OPTION when you
-put the `dlopen' option into LT_INIT's first parameter.])
-])
-
-dnl aclocal-1.4 backwards compatibility:
-dnl AC_DEFUN([AC_LIBTOOL_DLOPEN], [])
-
-
-# win32-dll
-# ---------
-# Declare package support for building win32 dll's.
-LT_OPTION_DEFINE([LT_INIT], [win32-dll],
-[enable_win32_dll=yes
-
-case $host in
-*-*-cygwin* | *-*-mingw* | *-*-pw32* | *-cegcc*)
-  AC_CHECK_TOOL(AS, as, false)
-  AC_CHECK_TOOL(DLLTOOL, dlltool, false)
-  AC_CHECK_TOOL(OBJDUMP, objdump, false)
-  ;;
-esac
-
-test -z "$AS" && AS=as
-_LT_DECL([], [AS],      [0], [Assembler program])dnl
-
-test -z "$DLLTOOL" && DLLTOOL=dlltool
-_LT_DECL([], [DLLTOOL], [0], [DLL creation program])dnl
-
-test -z "$OBJDUMP" && OBJDUMP=objdump
-_LT_DECL([], [OBJDUMP], [0], [Object dumper program])dnl
-])# win32-dll
-
-AU_DEFUN([AC_LIBTOOL_WIN32_DLL],
-[AC_REQUIRE([AC_CANONICAL_HOST])dnl
-_LT_SET_OPTION([LT_INIT], [win32-dll])
-AC_DIAGNOSE([obsolete],
-[$0: Remove this warning and the call to _LT_SET_OPTION when you
-put the `win32-dll' option into LT_INIT's first parameter.])
-])
-
-dnl aclocal-1.4 backwards compatibility:
-dnl AC_DEFUN([AC_LIBTOOL_WIN32_DLL], [])
-
-
-# _LT_ENABLE_SHARED([DEFAULT])
-# ----------------------------
-# implement the --enable-shared flag, and supports the `shared' and
-# `disable-shared' LT_INIT options.
-# DEFAULT is either `yes' or `no'.  If omitted, it defaults to `yes'.
-m4_define([_LT_ENABLE_SHARED],
-[m4_define([_LT_ENABLE_SHARED_DEFAULT], [m4_if($1, no, no, yes)])dnl
-AC_ARG_ENABLE([shared],
-    [AS_HELP_STRING([--enable-shared@<:@=PKGS@:>@],
-	[build shared libraries @<:@default=]_LT_ENABLE_SHARED_DEFAULT[@:>@])],
-    [p=${PACKAGE-default}
-    case $enableval in
-    yes) enable_shared=yes ;;
-    no) enable_shared=no ;;
-    *)
-      enable_shared=no
-      # Look at the argument we got.  We use all the common list separators.
-      lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR,"
-      for pkg in $enableval; do
-	IFS="$lt_save_ifs"
-	if test "X$pkg" = "X$p"; then
-	  enable_shared=yes
-	fi
-      done
-      IFS="$lt_save_ifs"
-      ;;
-    esac],
-    [enable_shared=]_LT_ENABLE_SHARED_DEFAULT)
-
-    _LT_DECL([build_libtool_libs], [enable_shared], [0],
-	[Whether or not to build shared libraries])
-])# _LT_ENABLE_SHARED
-
-LT_OPTION_DEFINE([LT_INIT], [shared], [_LT_ENABLE_SHARED([yes])])
-LT_OPTION_DEFINE([LT_INIT], [disable-shared], [_LT_ENABLE_SHARED([no])])
-
-# Old names:
-AC_DEFUN([AC_ENABLE_SHARED],
-[_LT_SET_OPTION([LT_INIT], m4_if([$1], [no], [disable-])[shared])
-])
-
-AC_DEFUN([AC_DISABLE_SHARED],
-[_LT_SET_OPTION([LT_INIT], [disable-shared])
-])
-
-AU_DEFUN([AM_ENABLE_SHARED], [AC_ENABLE_SHARED($@)])
-AU_DEFUN([AM_DISABLE_SHARED], [AC_DISABLE_SHARED($@)])
-
-dnl aclocal-1.4 backwards compatibility:
-dnl AC_DEFUN([AM_ENABLE_SHARED], [])
-dnl AC_DEFUN([AM_DISABLE_SHARED], [])
-
-
-
-# _LT_ENABLE_STATIC([DEFAULT])
-# ----------------------------
-# implement the --enable-static flag, and support the `static' and
-# `disable-static' LT_INIT options.
-# DEFAULT is either `yes' or `no'.  If omitted, it defaults to `yes'.
-m4_define([_LT_ENABLE_STATIC],
-[m4_define([_LT_ENABLE_STATIC_DEFAULT], [m4_if($1, no, no, yes)])dnl
-AC_ARG_ENABLE([static],
-    [AS_HELP_STRING([--enable-static@<:@=PKGS@:>@],
-	[build static libraries @<:@default=]_LT_ENABLE_STATIC_DEFAULT[@:>@])],
-    [p=${PACKAGE-default}
-    case $enableval in
-    yes) enable_static=yes ;;
-    no) enable_static=no ;;
-    *)
-     enable_static=no
-      # Look at the argument we got.  We use all the common list separators.
-      lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR,"
-      for pkg in $enableval; do
-	IFS="$lt_save_ifs"
-	if test "X$pkg" = "X$p"; then
-	  enable_static=yes
-	fi
-      done
-      IFS="$lt_save_ifs"
-      ;;
-    esac],
-    [enable_static=]_LT_ENABLE_STATIC_DEFAULT)
-
-    _LT_DECL([build_old_libs], [enable_static], [0],
-	[Whether or not to build static libraries])
-])# _LT_ENABLE_STATIC
-
-LT_OPTION_DEFINE([LT_INIT], [static], [_LT_ENABLE_STATIC([yes])])
-LT_OPTION_DEFINE([LT_INIT], [disable-static], [_LT_ENABLE_STATIC([no])])
-
-# Old names:
-AC_DEFUN([AC_ENABLE_STATIC],
-[_LT_SET_OPTION([LT_INIT], m4_if([$1], [no], [disable-])[static])
-])
-
-AC_DEFUN([AC_DISABLE_STATIC],
-[_LT_SET_OPTION([LT_INIT], [disable-static])
-])
-
-AU_DEFUN([AM_ENABLE_STATIC], [AC_ENABLE_STATIC($@)])
-AU_DEFUN([AM_DISABLE_STATIC], [AC_DISABLE_STATIC($@)])
-
-dnl aclocal-1.4 backwards compatibility:
-dnl AC_DEFUN([AM_ENABLE_STATIC], [])
-dnl AC_DEFUN([AM_DISABLE_STATIC], [])
-
-
-
-# _LT_ENABLE_FAST_INSTALL([DEFAULT])
-# ----------------------------------
-# implement the --enable-fast-install flag, and support the `fast-install'
-# and `disable-fast-install' LT_INIT options.
-# DEFAULT is either `yes' or `no'.  If omitted, it defaults to `yes'.
-m4_define([_LT_ENABLE_FAST_INSTALL],
-[m4_define([_LT_ENABLE_FAST_INSTALL_DEFAULT], [m4_if($1, no, no, yes)])dnl
-AC_ARG_ENABLE([fast-install],
-    [AS_HELP_STRING([--enable-fast-install@<:@=PKGS@:>@],
-    [optimize for fast installation @<:@default=]_LT_ENABLE_FAST_INSTALL_DEFAULT[@:>@])],
-    [p=${PACKAGE-default}
-    case $enableval in
-    yes) enable_fast_install=yes ;;
-    no) enable_fast_install=no ;;
-    *)
-      enable_fast_install=no
-      # Look at the argument we got.  We use all the common list separators.
-      lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR,"
-      for pkg in $enableval; do
-	IFS="$lt_save_ifs"
-	if test "X$pkg" = "X$p"; then
-	  enable_fast_install=yes
-	fi
-      done
-      IFS="$lt_save_ifs"
-      ;;
-    esac],
-    [enable_fast_install=]_LT_ENABLE_FAST_INSTALL_DEFAULT)
-
-_LT_DECL([fast_install], [enable_fast_install], [0],
-	 [Whether or not to optimize for fast installation])dnl
-])# _LT_ENABLE_FAST_INSTALL
-
-LT_OPTION_DEFINE([LT_INIT], [fast-install], [_LT_ENABLE_FAST_INSTALL([yes])])
-LT_OPTION_DEFINE([LT_INIT], [disable-fast-install], [_LT_ENABLE_FAST_INSTALL([no])])
-
-# Old names:
-AU_DEFUN([AC_ENABLE_FAST_INSTALL],
-[_LT_SET_OPTION([LT_INIT], m4_if([$1], [no], [disable-])[fast-install])
-AC_DIAGNOSE([obsolete],
-[$0: Remove this warning and the call to _LT_SET_OPTION when you put
-the `fast-install' option into LT_INIT's first parameter.])
-])
-
-AU_DEFUN([AC_DISABLE_FAST_INSTALL],
-[_LT_SET_OPTION([LT_INIT], [disable-fast-install])
-AC_DIAGNOSE([obsolete],
-[$0: Remove this warning and the call to _LT_SET_OPTION when you put
-the `disable-fast-install' option into LT_INIT's first parameter.])
-])
-
-dnl aclocal-1.4 backwards compatibility:
-dnl AC_DEFUN([AC_ENABLE_FAST_INSTALL], [])
-dnl AC_DEFUN([AM_DISABLE_FAST_INSTALL], [])
-
-
-# _LT_WITH_PIC([MODE])
-# --------------------
-# implement the --with-pic flag, and support the `pic-only' and `no-pic'
-# LT_INIT options.
-# MODE is either `yes' or `no'.  If omitted, it defaults to `both'.
-m4_define([_LT_WITH_PIC],
-[AC_ARG_WITH([pic],
-    [AS_HELP_STRING([--with-pic],
-	[try to use only PIC/non-PIC objects @<:@default=use both@:>@])],
-    [pic_mode="$withval"],
-    [pic_mode=default])
-
-test -z "$pic_mode" && pic_mode=m4_default([$1], [default])
-
-_LT_DECL([], [pic_mode], [0], [What type of objects to build])dnl
-])# _LT_WITH_PIC
-
-LT_OPTION_DEFINE([LT_INIT], [pic-only], [_LT_WITH_PIC([yes])])
-LT_OPTION_DEFINE([LT_INIT], [no-pic], [_LT_WITH_PIC([no])])
-
-# Old name:
-AU_DEFUN([AC_LIBTOOL_PICMODE],
-[_LT_SET_OPTION([LT_INIT], [pic-only])
-AC_DIAGNOSE([obsolete],
-[$0: Remove this warning and the call to _LT_SET_OPTION when you
-put the `pic-only' option into LT_INIT's first parameter.])
-])
-
-dnl aclocal-1.4 backwards compatibility:
-dnl AC_DEFUN([AC_LIBTOOL_PICMODE], [])
-
-
-m4_define([_LTDL_MODE], [])
-LT_OPTION_DEFINE([LTDL_INIT], [nonrecursive],
-		 [m4_define([_LTDL_MODE], [nonrecursive])])
-LT_OPTION_DEFINE([LTDL_INIT], [recursive],
-		 [m4_define([_LTDL_MODE], [recursive])])
-LT_OPTION_DEFINE([LTDL_INIT], [subproject],
-		 [m4_define([_LTDL_MODE], [subproject])])
-
-m4_define([_LTDL_TYPE], [])
-LT_OPTION_DEFINE([LTDL_INIT], [installable],
-		 [m4_define([_LTDL_TYPE], [installable])])
-LT_OPTION_DEFINE([LTDL_INIT], [convenience],
-		 [m4_define([_LTDL_TYPE], [convenience])])
-
-# ltsugar.m4 -- libtool m4 base layer.                         -*-Autoconf-*-
-#
-# Copyright (C) 2004, 2005, 2007, 2008 Free Software Foundation, Inc.
-# Written by Gary V. Vaughan, 2004
-#
-# This file is free software; the Free Software Foundation gives
-# unlimited permission to copy and/or distribute it, with or without
-# modifications, as long as this notice is preserved.
-
-# serial 6 ltsugar.m4
-
-# This is to help aclocal find these macros, as it can't see m4_define.
-AC_DEFUN([LTSUGAR_VERSION], [m4_if([0.1])])
-
-
-# lt_join(SEP, ARG1, [ARG2...])
-# -----------------------------
-# Produce ARG1SEPARG2...SEPARGn, omitting [] arguments and their
-# associated separator.
-# Needed until we can rely on m4_join from Autoconf 2.62, since all earlier
-# versions in m4sugar had bugs.
-m4_define([lt_join],
-[m4_if([$#], [1], [],
-       [$#], [2], [[$2]],
-       [m4_if([$2], [], [], [[$2]_])$0([$1], m4_shift(m4_shift($@)))])])
-m4_define([_lt_join],
-[m4_if([$#$2], [2], [],
-       [m4_if([$2], [], [], [[$1$2]])$0([$1], m4_shift(m4_shift($@)))])])
-
-
-# lt_car(LIST)
-# lt_cdr(LIST)
-# ------------
-# Manipulate m4 lists.
-# These macros are necessary as long as will still need to support
-# Autoconf-2.59 which quotes differently.
-m4_define([lt_car], [[$1]])
-m4_define([lt_cdr],
-[m4_if([$#], 0, [m4_fatal([$0: cannot be called without arguments])],
-       [$#], 1, [],
-       [m4_dquote(m4_shift($@))])])
-m4_define([lt_unquote], $1)
-
-
-# lt_append(MACRO-NAME, STRING, [SEPARATOR])
-# ------------------------------------------
-# Redefine MACRO-NAME to hold its former content plus `SEPARATOR'`STRING'.
-# Note that neither SEPARATOR nor STRING are expanded; they are appended
-# to MACRO-NAME as is (leaving the expansion for when MACRO-NAME is invoked).
-# No SEPARATOR is output if MACRO-NAME was previously undefined (different
-# than defined and empty).
-#
-# This macro is needed until we can rely on Autoconf 2.62, since earlier
-# versions of m4sugar mistakenly expanded SEPARATOR but not STRING.
-m4_define([lt_append],
-[m4_define([$1],
-	   m4_ifdef([$1], [m4_defn([$1])[$3]])[$2])])
-
-
-
-# lt_combine(SEP, PREFIX-LIST, INFIX, SUFFIX1, [SUFFIX2...])
-# ----------------------------------------------------------
-# Produce a SEP delimited list of all paired combinations of elements of
-# PREFIX-LIST with SUFFIX1 through SUFFIXn.  Each element of the list
-# has the form PREFIXmINFIXSUFFIXn.
-# Needed until we can rely on m4_combine added in Autoconf 2.62.
-m4_define([lt_combine],
-[m4_if(m4_eval([$# > 3]), [1],
-       [m4_pushdef([_Lt_sep], [m4_define([_Lt_sep], m4_defn([lt_car]))])]]dnl
-[[m4_foreach([_Lt_prefix], [$2],
-	     [m4_foreach([_Lt_suffix],
-		]m4_dquote(m4_dquote(m4_shift(m4_shift(m4_shift($@)))))[,
-	[_Lt_sep([$1])[]m4_defn([_Lt_prefix])[$3]m4_defn([_Lt_suffix])])])])])
-
-
-# lt_if_append_uniq(MACRO-NAME, VARNAME, [SEPARATOR], [UNIQ], [NOT-UNIQ])
-# -----------------------------------------------------------------------
-# Iff MACRO-NAME does not yet contain VARNAME, then append it (delimited
-# by SEPARATOR if supplied) and expand UNIQ, else NOT-UNIQ.
-m4_define([lt_if_append_uniq],
-[m4_ifdef([$1],
-	  [m4_if(m4_index([$3]m4_defn([$1])[$3], [$3$2$3]), [-1],
-		 [lt_append([$1], [$2], [$3])$4],
-		 [$5])],
-	  [lt_append([$1], [$2], [$3])$4])])
-
-
-# lt_dict_add(DICT, KEY, VALUE)
-# -----------------------------
-m4_define([lt_dict_add],
-[m4_define([$1($2)], [$3])])
-
-
-# lt_dict_add_subkey(DICT, KEY, SUBKEY, VALUE)
-# --------------------------------------------
-m4_define([lt_dict_add_subkey],
-[m4_define([$1($2:$3)], [$4])])
-
-
-# lt_dict_fetch(DICT, KEY, [SUBKEY])
-# ----------------------------------
-m4_define([lt_dict_fetch],
-[m4_ifval([$3],
-	m4_ifdef([$1($2:$3)], [m4_defn([$1($2:$3)])]),
-    m4_ifdef([$1($2)], [m4_defn([$1($2)])]))])
-
-
-# lt_if_dict_fetch(DICT, KEY, [SUBKEY], VALUE, IF-TRUE, [IF-FALSE])
-# -----------------------------------------------------------------
-m4_define([lt_if_dict_fetch],
-[m4_if(lt_dict_fetch([$1], [$2], [$3]), [$4],
-	[$5],
-    [$6])])
-
-
-# lt_dict_filter(DICT, [SUBKEY], VALUE, [SEPARATOR], KEY, [...])
-# --------------------------------------------------------------
-m4_define([lt_dict_filter],
-[m4_if([$5], [], [],
-  [lt_join(m4_quote(m4_default([$4], [[, ]])),
-           lt_unquote(m4_split(m4_normalize(m4_foreach(_Lt_key, lt_car([m4_shiftn(4, $@)]),
-		      [lt_if_dict_fetch([$1], _Lt_key, [$2], [$3], [_Lt_key ])])))))])[]dnl
-])
-
-# ltversion.m4 -- version numbers			-*- Autoconf -*-
-#
-#   Copyright (C) 2004 Free Software Foundation, Inc.
-#   Written by Scott James Remnant, 2004
-#
-# This file is free software; the Free Software Foundation gives
-# unlimited permission to copy and/or distribute it, with or without
-# modifications, as long as this notice is preserved.
-
-# Generated from ltversion.in.
-
-# serial 3012 ltversion.m4
-# This file is part of GNU Libtool
-
-m4_define([LT_PACKAGE_VERSION], [2.2.6])
-m4_define([LT_PACKAGE_REVISION], [1.3012])
-
-AC_DEFUN([LTVERSION_VERSION],
-[macro_version='2.2.6'
-macro_revision='1.3012'
-_LT_DECL(, macro_version, 0, [Which release of libtool.m4 was used?])
-_LT_DECL(, macro_revision, 0)
-])
-
-# lt~obsolete.m4 -- aclocal satisfying obsolete definitions.    -*-Autoconf-*-
-#
-#   Copyright (C) 2004, 2005, 2007 Free Software Foundation, Inc.
-#   Written by Scott James Remnant, 2004.
-#
-# This file is free software; the Free Software Foundation gives
-# unlimited permission to copy and/or distribute it, with or without
-# modifications, as long as this notice is preserved.
-
-# serial 4 lt~obsolete.m4
-
-# These exist entirely to fool aclocal when bootstrapping libtool.
-#
-# In the past libtool.m4 has provided macros via AC_DEFUN (or AU_DEFUN)
-# which have later been changed to m4_define as they aren't part of the
-# exported API, or moved to Autoconf or Automake where they belong.
-#
-# The trouble is, aclocal is a bit thick.  It'll see the old AC_DEFUN
-# in /usr/share/aclocal/libtool.m4 and remember it, then when it sees us
-# using a macro with the same name in our local m4/libtool.m4 it'll
-# pull the old libtool.m4 in (it doesn't see our shiny new m4_define
-# and doesn't know about Autoconf macros at all.)
-#
-# So we provide this file, which has a silly filename so it's always
-# included after everything else.  This provides aclocal with the
-# AC_DEFUNs it wants, but when m4 processes it, it doesn't do anything
-# because those macros already exist, or will be overwritten later.
-# We use AC_DEFUN over AU_DEFUN for compatibility with aclocal-1.6. 
-#
-# Anytime we withdraw an AC_DEFUN or AU_DEFUN, remember to add it here.
-# Yes, that means every name once taken will need to remain here until
-# we give up compatibility with versions before 1.7, at which point
-# we need to keep only those names which we still refer to.
-
-# This is to help aclocal find these macros, as it can't see m4_define.
-AC_DEFUN([LTOBSOLETE_VERSION], [m4_if([1])])
-
-m4_ifndef([AC_LIBTOOL_LINKER_OPTION],	[AC_DEFUN([AC_LIBTOOL_LINKER_OPTION])])
-m4_ifndef([AC_PROG_EGREP],		[AC_DEFUN([AC_PROG_EGREP])])
-m4_ifndef([_LT_AC_PROG_ECHO_BACKSLASH],	[AC_DEFUN([_LT_AC_PROG_ECHO_BACKSLASH])])
-m4_ifndef([_LT_AC_SHELL_INIT],		[AC_DEFUN([_LT_AC_SHELL_INIT])])
-m4_ifndef([_LT_AC_SYS_LIBPATH_AIX],	[AC_DEFUN([_LT_AC_SYS_LIBPATH_AIX])])
-m4_ifndef([_LT_PROG_LTMAIN],		[AC_DEFUN([_LT_PROG_LTMAIN])])
-m4_ifndef([_LT_AC_TAGVAR],		[AC_DEFUN([_LT_AC_TAGVAR])])
-m4_ifndef([AC_LTDL_ENABLE_INSTALL],	[AC_DEFUN([AC_LTDL_ENABLE_INSTALL])])
-m4_ifndef([AC_LTDL_PREOPEN],		[AC_DEFUN([AC_LTDL_PREOPEN])])
-m4_ifndef([_LT_AC_SYS_COMPILER],	[AC_DEFUN([_LT_AC_SYS_COMPILER])])
-m4_ifndef([_LT_AC_LOCK],		[AC_DEFUN([_LT_AC_LOCK])])
-m4_ifndef([AC_LIBTOOL_SYS_OLD_ARCHIVE],	[AC_DEFUN([AC_LIBTOOL_SYS_OLD_ARCHIVE])])
-m4_ifndef([_LT_AC_TRY_DLOPEN_SELF],	[AC_DEFUN([_LT_AC_TRY_DLOPEN_SELF])])
-m4_ifndef([AC_LIBTOOL_PROG_CC_C_O],	[AC_DEFUN([AC_LIBTOOL_PROG_CC_C_O])])
-m4_ifndef([AC_LIBTOOL_SYS_HARD_LINK_LOCKS], [AC_DEFUN([AC_LIBTOOL_SYS_HARD_LINK_LOCKS])])
-m4_ifndef([AC_LIBTOOL_OBJDIR],		[AC_DEFUN([AC_LIBTOOL_OBJDIR])])
-m4_ifndef([AC_LTDL_OBJDIR],		[AC_DEFUN([AC_LTDL_OBJDIR])])
-m4_ifndef([AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH], [AC_DEFUN([AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH])])
-m4_ifndef([AC_LIBTOOL_SYS_LIB_STRIP],	[AC_DEFUN([AC_LIBTOOL_SYS_LIB_STRIP])])
-m4_ifndef([AC_PATH_MAGIC],		[AC_DEFUN([AC_PATH_MAGIC])])
-m4_ifndef([AC_PROG_LD_GNU],		[AC_DEFUN([AC_PROG_LD_GNU])])
-m4_ifndef([AC_PROG_LD_RELOAD_FLAG],	[AC_DEFUN([AC_PROG_LD_RELOAD_FLAG])])
-m4_ifndef([AC_DEPLIBS_CHECK_METHOD],	[AC_DEFUN([AC_DEPLIBS_CHECK_METHOD])])
-m4_ifndef([AC_LIBTOOL_PROG_COMPILER_NO_RTTI], [AC_DEFUN([AC_LIBTOOL_PROG_COMPILER_NO_RTTI])])
-m4_ifndef([AC_LIBTOOL_SYS_GLOBAL_SYMBOL_PIPE], [AC_DEFUN([AC_LIBTOOL_SYS_GLOBAL_SYMBOL_PIPE])])
-m4_ifndef([AC_LIBTOOL_PROG_COMPILER_PIC], [AC_DEFUN([AC_LIBTOOL_PROG_COMPILER_PIC])])
-m4_ifndef([AC_LIBTOOL_PROG_LD_SHLIBS],	[AC_DEFUN([AC_LIBTOOL_PROG_LD_SHLIBS])])
-m4_ifndef([AC_LIBTOOL_POSTDEP_PREDEP],	[AC_DEFUN([AC_LIBTOOL_POSTDEP_PREDEP])])
-m4_ifndef([LT_AC_PROG_EGREP],		[AC_DEFUN([LT_AC_PROG_EGREP])])
-m4_ifndef([LT_AC_PROG_SED],		[AC_DEFUN([LT_AC_PROG_SED])])
-m4_ifndef([_LT_CC_BASENAME],		[AC_DEFUN([_LT_CC_BASENAME])])
-m4_ifndef([_LT_COMPILER_BOILERPLATE],	[AC_DEFUN([_LT_COMPILER_BOILERPLATE])])
-m4_ifndef([_LT_LINKER_BOILERPLATE],	[AC_DEFUN([_LT_LINKER_BOILERPLATE])])
-m4_ifndef([_AC_PROG_LIBTOOL],		[AC_DEFUN([_AC_PROG_LIBTOOL])])
-m4_ifndef([AC_LIBTOOL_SETUP],		[AC_DEFUN([AC_LIBTOOL_SETUP])])
-m4_ifndef([_LT_AC_CHECK_DLFCN],		[AC_DEFUN([_LT_AC_CHECK_DLFCN])])
-m4_ifndef([AC_LIBTOOL_SYS_DYNAMIC_LINKER],	[AC_DEFUN([AC_LIBTOOL_SYS_DYNAMIC_LINKER])])
-m4_ifndef([_LT_AC_TAGCONFIG],		[AC_DEFUN([_LT_AC_TAGCONFIG])])
-m4_ifndef([AC_DISABLE_FAST_INSTALL],	[AC_DEFUN([AC_DISABLE_FAST_INSTALL])])
-m4_ifndef([_LT_AC_LANG_CXX],		[AC_DEFUN([_LT_AC_LANG_CXX])])
-m4_ifndef([_LT_AC_LANG_F77],		[AC_DEFUN([_LT_AC_LANG_F77])])
-m4_ifndef([_LT_AC_LANG_GCJ],		[AC_DEFUN([_LT_AC_LANG_GCJ])])
-m4_ifndef([AC_LIBTOOL_RC],		[AC_DEFUN([AC_LIBTOOL_RC])])
-m4_ifndef([AC_LIBTOOL_LANG_C_CONFIG],	[AC_DEFUN([AC_LIBTOOL_LANG_C_CONFIG])])
-m4_ifndef([_LT_AC_LANG_C_CONFIG],	[AC_DEFUN([_LT_AC_LANG_C_CONFIG])])
-m4_ifndef([AC_LIBTOOL_LANG_CXX_CONFIG],	[AC_DEFUN([AC_LIBTOOL_LANG_CXX_CONFIG])])
-m4_ifndef([_LT_AC_LANG_CXX_CONFIG],	[AC_DEFUN([_LT_AC_LANG_CXX_CONFIG])])
-m4_ifndef([AC_LIBTOOL_LANG_F77_CONFIG],	[AC_DEFUN([AC_LIBTOOL_LANG_F77_CONFIG])])
-m4_ifndef([_LT_AC_LANG_F77_CONFIG],	[AC_DEFUN([_LT_AC_LANG_F77_CONFIG])])
-m4_ifndef([AC_LIBTOOL_LANG_GCJ_CONFIG],	[AC_DEFUN([AC_LIBTOOL_LANG_GCJ_CONFIG])])
-m4_ifndef([_LT_AC_LANG_GCJ_CONFIG],	[AC_DEFUN([_LT_AC_LANG_GCJ_CONFIG])])
-m4_ifndef([AC_LIBTOOL_LANG_RC_CONFIG],	[AC_DEFUN([AC_LIBTOOL_LANG_RC_CONFIG])])
-m4_ifndef([_LT_AC_LANG_RC_CONFIG],	[AC_DEFUN([_LT_AC_LANG_RC_CONFIG])])
-m4_ifndef([AC_LIBTOOL_CONFIG],		[AC_DEFUN([AC_LIBTOOL_CONFIG])])
-m4_ifndef([_LT_AC_FILE_LTDLL_C],	[AC_DEFUN([_LT_AC_FILE_LTDLL_C])])
-
 # pkg.m4 - Macros to locate and utilise pkg-config.            -*- Autoconf -*-
 # 
 # Copyright © 2004 Scott James Remnant <scott@netsplit.com>.
@@ -8446,10 +375,10 @@ fi[]dnl
 # generated from the m4 files accompanying Automake X.Y.
 # (This private macro should not be called outside this file.)
 AC_DEFUN([AM_AUTOMAKE_VERSION],
-[am__api_version='1.10'
+[am__api_version='1.11'
 dnl Some users find AM_AUTOMAKE_VERSION and mistake it for a way to
 dnl require some minimum version.  Point them to the right macro.
-m4_if([$1], [1.10.2], [],
+m4_if([$1], [1.11], [],
       [AC_FATAL([Do not call $0, use AM_INIT_AUTOMAKE([$1]).])])dnl
 ])
 
@@ -8465,7 +394,7 @@ m4_define([_AM_AUTOCONF_VERSION], [])
 # Call AM_AUTOMAKE_VERSION and AM_AUTOMAKE_VERSION so they can be traced.
 # This function is AC_REQUIREd by AM_INIT_AUTOMAKE.
 AC_DEFUN([AM_SET_CURRENT_AUTOMAKE_VERSION],
-[AM_AUTOMAKE_VERSION([1.10.2])dnl
+[AM_AUTOMAKE_VERSION([1.11])dnl
 m4_ifndef([AC_AUTOCONF_VERSION],
   [m4_copy([m4_PACKAGE_VERSION], [AC_AUTOCONF_VERSION])])dnl
 _AM_AUTOCONF_VERSION(m4_defn([AC_AUTOCONF_VERSION]))])
@@ -8525,14 +454,14 @@ am_aux_dir=`cd $ac_aux_dir && pwd`
 
 # AM_CONDITIONAL                                            -*- Autoconf -*-
 
-# Copyright (C) 1997, 2000, 2001, 2003, 2004, 2005, 2006
+# Copyright (C) 1997, 2000, 2001, 2003, 2004, 2005, 2006, 2008
 # Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
 
-# serial 8
+# serial 9
 
 # AM_CONDITIONAL(NAME, SHELL-CONDITION)
 # -------------------------------------
@@ -8545,6 +474,7 @@ AC_SUBST([$1_TRUE])dnl
 AC_SUBST([$1_FALSE])dnl
 _AM_SUBST_NOTMAKE([$1_TRUE])dnl
 _AM_SUBST_NOTMAKE([$1_FALSE])dnl
+m4_define([_AM_COND_VALUE_$1], [$2])dnl
 if $2; then
   $1_TRUE=
   $1_FALSE='#'
@@ -8558,14 +488,14 @@ AC_CONFIG_COMMANDS_PRE(
 Usually this means the macro was only invoked conditionally.]])
 fi])])
 
-# Copyright (C) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006
+# Copyright (C) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2009
 # Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
 
-# serial 9
+# serial 10
 
 # There are a few dirty hacks below to avoid letting `AC_PROG_CC' be
 # written in clear, in which case automake, when reading aclocal.m4,
@@ -8622,6 +552,16 @@ AC_CACHE_CHECK([dependency style of $depcc],
   if test "$am_compiler_list" = ""; then
      am_compiler_list=`sed -n ['s/^#*\([a-zA-Z0-9]*\))$/\1/p'] < ./depcomp`
   fi
+  am__universal=false
+  m4_case([$1], [CC],
+    [case " $depcc " in #(
+     *\ -arch\ *\ -arch\ *) am__universal=true ;;
+     esac],
+    [CXX],
+    [case " $depcc " in #(
+     *\ -arch\ *\ -arch\ *) am__universal=true ;;
+     esac])
+
   for depmode in $am_compiler_list; do
     # Setup a source with many dependencies, because some compilers
     # like to wrap large dependency lists on column 80 (with \), and
@@ -8639,7 +579,17 @@ AC_CACHE_CHECK([dependency style of $depcc],
     done
     echo "${am__include} ${am__quote}sub/conftest.Po${am__quote}" > confmf
 
+    # We check with `-c' and `-o' for the sake of the "dashmstdout"
+    # mode.  It turns out that the SunPro C++ compiler does not properly
+    # handle `-M -o', and we need to detect this.  Also, some Intel
+    # versions had trouble with output in subdirs
+    am__obj=sub/conftest.${OBJEXT-o}
+    am__minus_obj="-o $am__obj"
     case $depmode in
+    gcc)
+      # This depmode causes a compiler race in universal mode.
+      test "$am__universal" = false || continue
+      ;;
     nosideeffect)
       # after this tag, mechanisms are not by side-effect, so they'll
       # only be used when explicitly requested
@@ -8649,19 +599,23 @@ AC_CACHE_CHECK([dependency style of $depcc],
 	break
       fi
       ;;
+    msvisualcpp | msvcmsys)
+      # This compiler won't grok `-c -o', but also, the minuso test has
+      # not run yet.  These depmodes are late enough in the game, and
+      # so weak that their functioning should not be impacted.
+      am__obj=conftest.${OBJEXT-o}
+      am__minus_obj=
+      ;;
     none) break ;;
     esac
-    # We check with `-c' and `-o' for the sake of the "dashmstdout"
-    # mode.  It turns out that the SunPro C++ compiler does not properly
-    # handle `-M -o', and we need to detect this.
     if depmode=$depmode \
-       source=sub/conftest.c object=sub/conftest.${OBJEXT-o} \
+       source=sub/conftest.c object=$am__obj \
        depfile=sub/conftest.Po tmpdepfile=sub/conftest.TPo \
-       $SHELL ./depcomp $depcc -c -o sub/conftest.${OBJEXT-o} sub/conftest.c \
+       $SHELL ./depcomp $depcc -c $am__minus_obj sub/conftest.c \
          >/dev/null 2>conftest.err &&
        grep sub/conftst1.h sub/conftest.Po > /dev/null 2>&1 &&
        grep sub/conftst6.h sub/conftest.Po > /dev/null 2>&1 &&
-       grep sub/conftest.${OBJEXT-o} sub/conftest.Po > /dev/null 2>&1 &&
+       grep $am__obj sub/conftest.Po > /dev/null 2>&1 &&
        ${MAKE-make} -s -f confmf > /dev/null 2>&1; then
       # icc doesn't choke on unknown options, it will just issue warnings
       # or remarks (even with -Werror).  So we grep stderr for any message
@@ -8799,13 +753,13 @@ AC_DEFUN([AM_OUTPUT_DEPENDENCY_COMMANDS],
 # Do all the work for Automake.                             -*- Autoconf -*-
 
 # Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004,
-# 2005, 2006, 2008 Free Software Foundation, Inc.
+# 2005, 2006, 2008, 2009 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
 
-# serial 13
+# serial 16
 
 # This macro actually does too much.  Some checks are only needed if
 # your package does certain things.  But this isn't really a big deal.
@@ -8822,7 +776,7 @@ AC_DEFUN([AM_OUTPUT_DEPENDENCY_COMMANDS],
 # arguments mandatory, and then we can depend on a new Autoconf
 # release and drop the old call support.
 AC_DEFUN([AM_INIT_AUTOMAKE],
-[AC_PREREQ([2.60])dnl
+[AC_PREREQ([2.62])dnl
 dnl Autoconf wants to disallow AM_ names.  We explicitly allow
 dnl the ones we care about.
 m4_pattern_allow([^AM_[A-Z]+FLAGS$])dnl
@@ -8873,8 +827,8 @@ AM_MISSING_PROG(AUTOCONF, autoconf)
 AM_MISSING_PROG(AUTOMAKE, automake-${am__api_version})
 AM_MISSING_PROG(AUTOHEADER, autoheader)
 AM_MISSING_PROG(MAKEINFO, makeinfo)
-AM_PROG_INSTALL_SH
-AM_PROG_INSTALL_STRIP
+AC_REQUIRE([AM_PROG_INSTALL_SH])dnl
+AC_REQUIRE([AM_PROG_INSTALL_STRIP])dnl
 AC_REQUIRE([AM_PROG_MKDIR_P])dnl
 # We need awk for the "check" target.  The system "awk" is bad on
 # some platforms.
@@ -8882,24 +836,37 @@ AC_REQUIRE([AC_PROG_AWK])dnl
 AC_REQUIRE([AC_PROG_MAKE_SET])dnl
 AC_REQUIRE([AM_SET_LEADING_DOT])dnl
 _AM_IF_OPTION([tar-ustar], [_AM_PROG_TAR([ustar])],
-              [_AM_IF_OPTION([tar-pax], [_AM_PROG_TAR([pax])],
-	      		     [_AM_PROG_TAR([v7])])])
+	      [_AM_IF_OPTION([tar-pax], [_AM_PROG_TAR([pax])],
+			     [_AM_PROG_TAR([v7])])])
 _AM_IF_OPTION([no-dependencies],,
 [AC_PROVIDE_IFELSE([AC_PROG_CC],
-                  [_AM_DEPENDENCIES(CC)],
-                  [define([AC_PROG_CC],
-                          defn([AC_PROG_CC])[_AM_DEPENDENCIES(CC)])])dnl
+		  [_AM_DEPENDENCIES(CC)],
+		  [define([AC_PROG_CC],
+			  defn([AC_PROG_CC])[_AM_DEPENDENCIES(CC)])])dnl
 AC_PROVIDE_IFELSE([AC_PROG_CXX],
-                  [_AM_DEPENDENCIES(CXX)],
-                  [define([AC_PROG_CXX],
-                          defn([AC_PROG_CXX])[_AM_DEPENDENCIES(CXX)])])dnl
+		  [_AM_DEPENDENCIES(CXX)],
+		  [define([AC_PROG_CXX],
+			  defn([AC_PROG_CXX])[_AM_DEPENDENCIES(CXX)])])dnl
 AC_PROVIDE_IFELSE([AC_PROG_OBJC],
-                  [_AM_DEPENDENCIES(OBJC)],
-                  [define([AC_PROG_OBJC],
-                          defn([AC_PROG_OBJC])[_AM_DEPENDENCIES(OBJC)])])dnl
+		  [_AM_DEPENDENCIES(OBJC)],
+		  [define([AC_PROG_OBJC],
+			  defn([AC_PROG_OBJC])[_AM_DEPENDENCIES(OBJC)])])dnl
 ])
+_AM_IF_OPTION([silent-rules], [AC_REQUIRE([AM_SILENT_RULES])])dnl
+dnl The `parallel-tests' driver may need to know about EXEEXT, so add the
+dnl `am__EXEEXT' conditional if _AM_COMPILER_EXEEXT was seen.  This macro
+dnl is hooked onto _AC_COMPILER_EXEEXT early, see below.
+AC_CONFIG_COMMANDS_PRE(dnl
+[m4_provide_if([_AM_COMPILER_EXEEXT],
+  [AM_CONDITIONAL([am__EXEEXT], [test -n "$EXEEXT"])])])dnl
 ])
 
+dnl Hook into `_AC_COMPILER_EXEEXT' early to learn its expansion.  Do not
+dnl add the conditional right here, as _AC_COMPILER_EXEEXT may be further
+dnl mangled by Autoconf and run in a shell conditional statement.
+m4_define([_AC_COMPILER_EXEEXT],
+m4_defn([_AC_COMPILER_EXEEXT])[m4_provide([_AM_COMPILER_EXEEXT])])
+
 
 # When config.status generates a header, we must update the stamp-h file.
 # This file resides in the same directory as the config header
@@ -8922,7 +889,7 @@ for _am_header in $config_headers :; do
 done
 echo "timestamp for $_am_arg" >`AS_DIRNAME(["$_am_arg"])`/stamp-h[]$_am_stamp_count])
 
-# Copyright (C) 2001, 2003, 2005  Free Software Foundation, Inc.
+# Copyright (C) 2001, 2003, 2005, 2008  Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -8933,7 +900,14 @@ echo "timestamp for $_am_arg" >`AS_DIRNAME(["$_am_arg"])`/stamp-h[]$_am_stamp_co
 # Define $install_sh.
 AC_DEFUN([AM_PROG_INSTALL_SH],
 [AC_REQUIRE([AM_AUX_DIR_EXPAND])dnl
-install_sh=${install_sh-"\$(SHELL) $am_aux_dir/install-sh"}
+if test x"${install_sh}" != xset; then
+  case $am_aux_dir in
+  *\ * | *\	*)
+    install_sh="\${SHELL} '$am_aux_dir/install-sh'" ;;
+  *)
+    install_sh="\${SHELL} $am_aux_dir/install-sh"
+  esac
+fi
 AC_SUBST(install_sh)])
 
 # Copyright (C) 2003, 2005  Free Software Foundation, Inc.
@@ -8959,13 +933,13 @@ AC_SUBST([am__leading_dot])])
 
 # Check to see how 'make' treats includes.	            -*- Autoconf -*-
 
-# Copyright (C) 2001, 2002, 2003, 2005  Free Software Foundation, Inc.
+# Copyright (C) 2001, 2002, 2003, 2005, 2009  Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
 
-# serial 3
+# serial 4
 
 # AM_MAKE_INCLUDE()
 # -----------------
@@ -8974,7 +948,7 @@ AC_DEFUN([AM_MAKE_INCLUDE],
 [am_make=${MAKE-make}
 cat > confinc << 'END'
 am__doit:
-	@echo done
+	@echo this is the am__doit target
 .PHONY: am__doit
 END
 # If we don't find an include directive, just comment out the code.
@@ -8984,24 +958,24 @@ am__quote=
 _am_result=none
 # First try GNU make style include.
 echo "include confinc" > confmf
-# We grep out `Entering directory' and `Leaving directory'
-# messages which can occur if `w' ends up in MAKEFLAGS.
-# In particular we don't look at `^make:' because GNU make might
-# be invoked under some other name (usually "gmake"), in which
-# case it prints its new name instead of `make'.
-if test "`$am_make -s -f confmf 2> /dev/null | grep -v 'ing directory'`" = "done"; then
-   am__include=include
-   am__quote=
-   _am_result=GNU
-fi
+# Ignore all kinds of additional output from `make'.
+case `$am_make -s -f confmf 2> /dev/null` in #(
+*the\ am__doit\ target*)
+  am__include=include
+  am__quote=
+  _am_result=GNU
+  ;;
+esac
 # Now try BSD make style include.
 if test "$am__include" = "#"; then
    echo '.include "confinc"' > confmf
-   if test "`$am_make -s -f confmf 2> /dev/null`" = "done"; then
-      am__include=.include
-      am__quote="\""
-      _am_result=BSD
-   fi
+   case `$am_make -s -f confmf 2> /dev/null` in #(
+   *the\ am__doit\ target*)
+     am__include=.include
+     am__quote="\""
+     _am_result=BSD
+     ;;
+   esac
 fi
 AC_SUBST([am__include])
 AC_SUBST([am__quote])
@@ -9011,14 +985,14 @@ rm -f confinc confmf
 
 # Fake the existence of programs that GNU maintainers use.  -*- Autoconf -*-
 
-# Copyright (C) 1997, 1999, 2000, 2001, 2003, 2004, 2005
+# Copyright (C) 1997, 1999, 2000, 2001, 2003, 2004, 2005, 2008
 # Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
 
-# serial 5
+# serial 6
 
 # AM_MISSING_PROG(NAME, PROGRAM)
 # ------------------------------
@@ -9035,7 +1009,14 @@ AC_SUBST($1)])
 AC_DEFUN([AM_MISSING_HAS_RUN],
 [AC_REQUIRE([AM_AUX_DIR_EXPAND])dnl
 AC_REQUIRE_AUX_FILE([missing])dnl
-test x"${MISSING+set}" = xset || MISSING="\${SHELL} $am_aux_dir/missing"
+if test x"${MISSING+set}" != xset; then
+  case $am_aux_dir in
+  *\ * | *\	*)
+    MISSING="\${SHELL} \"$am_aux_dir/missing\"" ;;
+  *)
+    MISSING="\${SHELL} $am_aux_dir/missing" ;;
+  esac
+fi
 # Use eval to expand $SHELL
 if eval "$MISSING --run true"; then
   am_missing_run="$MISSING --run "
@@ -9123,14 +1104,14 @@ AC_DEFUN([AM_RUN_LOG],
 
 # Check to make sure that the build environment is sane.    -*- Autoconf -*-
 
-# Copyright (C) 1996, 1997, 2000, 2001, 2003, 2005
+# Copyright (C) 1996, 1997, 2000, 2001, 2003, 2005, 2008
 # Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
 
-# serial 4
+# serial 5
 
 # AM_SANITY_CHECK
 # ---------------
@@ -9139,16 +1120,29 @@ AC_DEFUN([AM_SANITY_CHECK],
 # Just in case
 sleep 1
 echo timestamp > conftest.file
+# Reject unsafe characters in $srcdir or the absolute working directory
+# name.  Accept space and tab only in the latter.
+am_lf='
+'
+case `pwd` in
+  *[[\\\"\#\$\&\'\`$am_lf]]*)
+    AC_MSG_ERROR([unsafe absolute working directory name]);;
+esac
+case $srcdir in
+  *[[\\\"\#\$\&\'\`$am_lf\ \	]]*)
+    AC_MSG_ERROR([unsafe srcdir value: `$srcdir']);;
+esac
+
 # Do `set' in a subshell so we don't clobber the current shell's
 # arguments.  Must try -L first in case configure is actually a
 # symlink; some systems play weird games with the mod time of symlinks
 # (eg FreeBSD returns the mod time of the symlink's containing
 # directory).
 if (
-   set X `ls -Lt $srcdir/configure conftest.file 2> /dev/null`
+   set X `ls -Lt "$srcdir/configure" conftest.file 2> /dev/null`
    if test "$[*]" = "X"; then
       # -L didn't work.
-      set X `ls -t $srcdir/configure conftest.file`
+      set X `ls -t "$srcdir/configure" conftest.file`
    fi
    rm -f conftest.file
    if test "$[*]" != "X $srcdir/configure conftest.file" \
@@ -9201,18 +1195,25 @@ fi
 INSTALL_STRIP_PROGRAM="\$(install_sh) -c -s"
 AC_SUBST([INSTALL_STRIP_PROGRAM])])
 
-# Copyright (C) 2006  Free Software Foundation, Inc.
+# Copyright (C) 2006, 2008  Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
 
+# serial 2
+
 # _AM_SUBST_NOTMAKE(VARIABLE)
 # ---------------------------
 # Prevent Automake from outputting VARIABLE = @VARIABLE@ in Makefile.in.
 # This macro is traced by Automake.
 AC_DEFUN([_AM_SUBST_NOTMAKE])
 
+# AM_SUBST_NOTMAKE(VARIABLE)
+# ---------------------------
+# Public sister of _AM_SUBST_NOTMAKE.
+AC_DEFUN([AM_SUBST_NOTMAKE], [_AM_SUBST_NOTMAKE($@)])
+
 # Check how to create a tarball.                            -*- Autoconf -*-
 
 # Copyright (C) 2004, 2005  Free Software Foundation, Inc.
@@ -9309,3 +1310,8 @@ AC_SUBST([am__tar])
 AC_SUBST([am__untar])
 ]) # _AM_PROG_TAR
 
+m4_include([m4/config/libtool.m4])
+m4_include([m4/config/ltoptions.m4])
+m4_include([m4/config/ltsugar.m4])
+m4_include([m4/config/ltversion.m4])
+m4_include([m4/config/lt~obsolete.m4])
diff --git a/config.guess b/config.guess
index f32079abd..da8331460 100755
--- a/config.guess
+++ b/config.guess
@@ -4,7 +4,7 @@
 #   2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008
 #   Free Software Foundation, Inc.
 
-timestamp='2008-01-23'
+timestamp='2009-04-27'
 
 # This file is free software; you can redistribute it and/or modify it
 # under the terms of the GNU General Public License as published by
@@ -324,6 +324,9 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
 	case `/usr/bin/uname -p` in
 	    sparc) echo sparc-icl-nx7; exit ;;
 	esac ;;
+    s390x:SunOS:*:*)
+	echo ${UNAME_MACHINE}-ibm-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
+	exit ;;
     sun4H:SunOS:5.*:*)
 	echo sparc-hal-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
 	exit ;;
@@ -331,7 +334,20 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
 	echo sparc-sun-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
 	exit ;;
     i86pc:SunOS:5.*:* | i86xen:SunOS:5.*:*)
-	echo i386-pc-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
+	eval $set_cc_for_build
+	SUN_ARCH="i386"
+	# If there is a compiler, see if it is configured for 64-bit objects.
+	# Note that the Sun cc does not turn __LP64__ into 1 like gcc does.
+	# This test works for both compilers.
+	if [ "$CC_FOR_BUILD" != 'no_compiler_found' ]; then
+	    if (echo '#ifdef __amd64'; echo IS_64BIT_ARCH; echo '#endif') | \
+		(CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | \
+		grep IS_64BIT_ARCH >/dev/null
+	    then
+		SUN_ARCH="x86_64"
+	    fi
+	fi
+	echo ${SUN_ARCH}-pc-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
 	exit ;;
     sun4*:SunOS:6*:*)
 	# According to config.sub, this is the proper way to canonicalize
@@ -796,7 +812,7 @@ EOF
 	    x86)
 		echo i586-pc-interix${UNAME_RELEASE}
 		exit ;;
-	    EM64T | authenticamd)
+	    EM64T | authenticamd | genuineintel)
 		echo x86_64-unknown-interix${UNAME_RELEASE}
 		exit ;;
 	    IA64)
@@ -935,6 +951,9 @@ EOF
 	if test "$?" = 0 ; then LIBC="libc1" ; else LIBC="" ; fi
 	echo ${UNAME_MACHINE}-unknown-linux-gnu${LIBC}
 	exit ;;
+    padre:Linux:*:*)
+	echo sparc-unknown-linux-gnu
+	exit ;;
     parisc:Linux:*:* | hppa:Linux:*:*)
 	# Look for CPU level
 	case `grep '^cpu[^a-z]*:' /proc/cpuinfo 2>/dev/null | cut -d' ' -f2` in
@@ -985,9 +1004,6 @@ EOF
 	  a.out-i386-linux)
 		echo "${UNAME_MACHINE}-pc-linux-gnuaout"
 		exit ;;
-	  coff-i386)
-		echo "${UNAME_MACHINE}-pc-linux-gnucoff"
-		exit ;;
 	  "")
 		# Either a pre-BFD a.out linker (linux-gnuoldld) or
 		# one that does not give us useful --help.
@@ -1102,8 +1118,11 @@ EOF
     pc:*:*:*)
 	# Left here for compatibility:
         # uname -m prints for DJGPP always 'pc', but it prints nothing about
-        # the processor, so we play safe by assuming i386.
-	echo i386-pc-msdosdjgpp
+        # the processor, so we play safe by assuming i586.
+	# Note: whatever this is, it MUST be the same as what config.sub
+	# prints for the "djgpp" host, or else GDB configury will decide that
+	# this is a cross-build.
+	echo i586-pc-msdosdjgpp
         exit ;;
     Intel:Mach:3*:*)
 	echo i386-pc-mach3
@@ -1141,6 +1160,16 @@ EOF
     3[34]??:*:4.0:* | 3[34]??,*:*:4.0:*)
         /bin/uname -p 2>/dev/null | grep 86 >/dev/null \
           && { echo i486-ncr-sysv4; exit; } ;;
+    NCR*:*:4.2:* | MPRAS*:*:4.2:*)
+	OS_REL='.3'
+	test -r /etc/.relid \
+	    && OS_REL=.`sed -n 's/[^ ]* [^ ]* \([0-9][0-9]\).*/\1/p' < /etc/.relid`
+	/bin/uname -p 2>/dev/null | grep 86 >/dev/null \
+	    && { echo i486-ncr-sysv4.3${OS_REL}; exit; }
+	/bin/uname -p 2>/dev/null | /bin/grep entium >/dev/null \
+	    && { echo i586-ncr-sysv4.3${OS_REL}; exit; }
+	/bin/uname -p 2>/dev/null | /bin/grep pteron >/dev/null \
+	    && { echo i586-ncr-sysv4.3${OS_REL}; exit; } ;;
     m68*:LynxOS:2.*:* | m68*:LynxOS:3.0*:*)
 	echo m68k-unknown-lynxos${UNAME_RELEASE}
 	exit ;;
@@ -1216,6 +1245,9 @@ EOF
     BePC:BeOS:*:*)	# BeOS running on Intel PC compatible.
 	echo i586-pc-beos
 	exit ;;
+    BePC:Haiku:*:*)	# Haiku running on Intel PC compatible.
+	echo i586-pc-haiku
+	exit ;;
     SX-4:SUPER-UX:*:*)
 	echo sx4-nec-superux${UNAME_RELEASE}
 	exit ;;
@@ -1324,6 +1356,9 @@ EOF
     i*86:rdos:*:*)
 	echo ${UNAME_MACHINE}-pc-rdos
 	exit ;;
+    i*86:AROS:*:*)
+	echo ${UNAME_MACHINE}-pc-aros
+	exit ;;
 esac
 
 #echo '(No uname command or uname output not recognized.)' 1>&2
diff --git a/config.sub b/config.sub
index 6759825a5..a39437d01 100755
--- a/config.sub
+++ b/config.sub
@@ -4,7 +4,7 @@
 #   2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008
 #   Free Software Foundation, Inc.
 
-timestamp='2008-01-16'
+timestamp='2009-04-17'
 
 # This file is (in principle) common to ALL GNU software.
 # The presence of a machine in this file suggests that SOME GNU software
@@ -122,6 +122,7 @@ maybe_os=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\2/'`
 case $maybe_os in
   nto-qnx* | linux-gnu* | linux-dietlibc | linux-newlib* | linux-uclibc* | \
   uclinux-uclibc* | uclinux-gnu* | kfreebsd*-gnu* | knetbsd*-gnu* | netbsd*-gnu* | \
+  kopensolaris*-gnu* | \
   storm-chaos* | os2-emx* | rtmk-nova*)
     os=-$maybe_os
     basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`
@@ -249,13 +250,16 @@ case $basic_machine in
 	| h8300 | h8500 | hppa | hppa1.[01] | hppa2.0 | hppa2.0[nw] | hppa64 \
 	| i370 | i860 | i960 | ia64 \
 	| ip2k | iq2000 \
+	| lm32 \
 	| m32c | m32r | m32rle | m68000 | m68k | m88k \
-	| maxq | mb | microblaze | mcore | mep \
+	| maxq | mb | microblaze | mcore | mep | metag \
 	| mips | mipsbe | mipseb | mipsel | mipsle \
 	| mips16 \
 	| mips64 | mips64el \
-	| mips64vr | mips64vrel \
+	| mips64octeon | mips64octeonel \
 	| mips64orion | mips64orionel \
+	| mips64r5900 | mips64r5900el \
+	| mips64vr | mips64vrel \
 	| mips64vr4100 | mips64vr4100el \
 	| mips64vr4300 | mips64vr4300el \
 	| mips64vr5000 | mips64vr5000el \
@@ -268,6 +272,7 @@ case $basic_machine in
 	| mipsisa64sr71k | mipsisa64sr71kel \
 	| mipstx39 | mipstx39el \
 	| mn10200 | mn10300 \
+	| moxie \
 	| mt \
 	| msp430 \
 	| nios | nios2 \
@@ -277,7 +282,7 @@ case $basic_machine in
 	| powerpc | powerpc64 | powerpc64le | powerpcle | ppcbe \
 	| pyramid \
 	| score \
-	| sh | sh[1234] | sh[24]a | sh[23]e | sh[34]eb | sheb | shbe | shle | sh[1234]le | sh3ele \
+	| sh | sh[1234] | sh[24]a | sh[24]aeb | sh[23]e | sh[34]eb | sheb | shbe | shle | sh[1234]le | sh3ele \
 	| sh64 | sh64le \
 	| sparc | sparc64 | sparc64b | sparc64v | sparc86x | sparclet | sparclite \
 	| sparcv8 | sparcv9 | sparcv9b | sparcv9v \
@@ -286,7 +291,7 @@ case $basic_machine in
 	| v850 | v850e \
 	| we32k \
 	| x86 | xc16x | xscale | xscalee[bl] | xstormy16 | xtensa \
-	| z8k)
+	| z8k | z80)
 		basic_machine=$basic_machine-unknown
 		;;
 	m6811 | m68hc11 | m6812 | m68hc12)
@@ -329,14 +334,17 @@ case $basic_machine in
 	| hppa-* | hppa1.[01]-* | hppa2.0-* | hppa2.0[nw]-* | hppa64-* \
 	| i*86-* | i860-* | i960-* | ia64-* \
 	| ip2k-* | iq2000-* \
+	| lm32-* \
 	| m32c-* | m32r-* | m32rle-* \
 	| m68000-* | m680[012346]0-* | m68360-* | m683?2-* | m68k-* \
-	| m88110-* | m88k-* | maxq-* | mcore-* \
+	| m88110-* | m88k-* | maxq-* | mcore-* | metag-* \
 	| mips-* | mipsbe-* | mipseb-* | mipsel-* | mipsle-* \
 	| mips16-* \
 	| mips64-* | mips64el-* \
-	| mips64vr-* | mips64vrel-* \
+	| mips64octeon-* | mips64octeonel-* \
 	| mips64orion-* | mips64orionel-* \
+	| mips64r5900-* | mips64r5900el-* \
+	| mips64vr-* | mips64vrel-* \
 	| mips64vr4100-* | mips64vr4100el-* \
 	| mips64vr4300-* | mips64vr4300el-* \
 	| mips64vr5000-* | mips64vr5000el-* \
@@ -358,20 +366,20 @@ case $basic_machine in
 	| powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* | ppcbe-* \
 	| pyramid-* \
 	| romp-* | rs6000-* \
-	| sh-* | sh[1234]-* | sh[24]a-* | sh[23]e-* | sh[34]eb-* | sheb-* | shbe-* \
+	| sh-* | sh[1234]-* | sh[24]a-* | sh[24]aeb-* | sh[23]e-* | sh[34]eb-* | sheb-* | shbe-* \
 	| shle-* | sh[1234]le-* | sh3ele-* | sh64-* | sh64le-* \
 	| sparc-* | sparc64-* | sparc64b-* | sparc64v-* | sparc86x-* | sparclet-* \
 	| sparclite-* \
 	| sparcv8-* | sparcv9-* | sparcv9b-* | sparcv9v-* | strongarm-* | sv1-* | sx?-* \
 	| tahoe-* | thumb-* \
-	| tic30-* | tic4x-* | tic54x-* | tic55x-* | tic6x-* | tic80-* \
+	| tic30-* | tic4x-* | tic54x-* | tic55x-* | tic6x-* | tic80-* | tile-* \
 	| tron-* \
 	| v850-* | v850e-* | vax-* \
 	| we32k-* \
 	| x86-* | x86_64-* | xc16x-* | xps100-* | xscale-* | xscalee[bl]-* \
 	| xstormy16-* | xtensa*-* \
 	| ymp-* \
-	| z8k-*)
+	| z8k-* | z80-*)
 		;;
 	# Recognize the basic CPU types without company name, with glob match.
 	xtensa*)
@@ -439,6 +447,10 @@ case $basic_machine in
 		basic_machine=m68k-apollo
 		os=-bsd
 		;;
+	aros)
+		basic_machine=i386-pc
+		os=-aros
+		;;
 	aux)
 		basic_machine=m68k-apple
 		os=-aux
@@ -459,6 +471,10 @@ case $basic_machine in
 		basic_machine=c90-cray
 		os=-unicos
 		;;
+        cegcc)
+		basic_machine=arm-unknown
+		os=-cegcc
+		;;
 	convex-c1)
 		basic_machine=c1-convex
 		os=-bsd
@@ -526,6 +542,10 @@ case $basic_machine in
 		basic_machine=m88k-motorola
 		os=-sysv3
 		;;
+	dicos)
+		basic_machine=i686-pc
+		os=-dicos
+		;;
 	djgpp)
 		basic_machine=i586-pc
 		os=-msdosdjgpp
@@ -1128,6 +1148,10 @@ case $basic_machine in
 		basic_machine=z8k-unknown
 		os=-sim
 		;;
+	z80-*-coff)
+		basic_machine=z80-unknown
+		os=-sim
+		;;
 	none)
 		basic_machine=none-none
 		os=-none
@@ -1166,7 +1190,7 @@ case $basic_machine in
 	we32k)
 		basic_machine=we32k-att
 		;;
-	sh[1234] | sh[24]a | sh[34]eb | sh[1234]le | sh[23]ele)
+	sh[1234] | sh[24]a | sh[24]aeb | sh[34]eb | sh[1234]le | sh[23]ele)
 		basic_machine=sh-unknown
 		;;
 	sparc | sparcv8 | sparcv9 | sparcv9b | sparcv9v)
@@ -1238,8 +1262,9 @@ case $os in
 	-gnu* | -bsd* | -mach* | -minix* | -genix* | -ultrix* | -irix* \
 	      | -*vms* | -sco* | -esix* | -isc* | -aix* | -sunos | -sunos[34]*\
 	      | -hpux* | -unos* | -osf* | -luna* | -dgux* | -solaris* | -sym* \
+	      | -kopensolaris* \
 	      | -amigaos* | -amigados* | -msdos* | -newsos* | -unicos* | -aof* \
-	      | -aos* \
+	      | -aos* | -aros* \
 	      | -nindy* | -vxsim* | -vxworks* | -ebmon* | -hms* | -mvs* \
 	      | -clix* | -riscos* | -uniplus* | -iris* | -rtu* | -xenix* \
 	      | -hiux* | -386bsd* | -knetbsd* | -mirbsd* | -netbsd* \
@@ -1248,7 +1273,7 @@ case $os in
 	      | -bosx* | -nextstep* | -cxux* | -aout* | -elf* | -oabi* \
 	      | -ptx* | -coff* | -ecoff* | -winnt* | -domain* | -vsta* \
 	      | -udi* | -eabi* | -lites* | -ieee* | -go32* | -aux* \
-	      | -chorusos* | -chorusrdb* \
+	      | -chorusos* | -chorusrdb* | -cegcc* \
 	      | -cygwin* | -pe* | -psos* | -moss* | -proelf* | -rtems* \
 	      | -mingw32* | -linux-gnu* | -linux-newlib* | -linux-uclibc* \
 	      | -uxpv* | -beos* | -mpeix* | -udk* \
@@ -1388,6 +1413,9 @@ case $os in
 	-zvmoe)
 		os=-zvmoe
 		;;
+	-dicos*)
+		os=-dicos
+		;;
 	-none)
 		;;
 	*)
diff --git a/configure b/configure
index 8142a2378..e36ba904c 100755
--- a/configure
+++ b/configure
@@ -1,18 +1,20 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.63 for strongSwan 4.3.4.
+# Generated by GNU Autoconf 2.64 for strongSwan 4.3.6.
 #
 # Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
-# 2002, 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation, Inc.
+# 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software
+# Foundation, Inc.
+#
 # This configure script is free software; the Free Software Foundation
 # gives unlimited permission to copy, distribute and modify it.
-## --------------------- ##
-## M4sh Initialization.  ##
-## --------------------- ##
+## -------------------- ##
+## M4sh Initialization. ##
+## -------------------- ##
 
 # Be more Bourne compatible
 DUALCASE=1; export DUALCASE # for MKS sh
-if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
+if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then :
   emulate sh
   NULLCMD=:
   # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which
@@ -20,23 +22,15 @@ if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
   alias -g '${1+"$@"}'='"$@"'
   setopt NO_GLOB_SUBST
 else
-  case `(set -o) 2>/dev/null` in
-  *posix*) set -o posix ;;
+  case `(set -o) 2>/dev/null` in #(
+  *posix*) :
+    set -o posix ;; #(
+  *) :
+     ;;
 esac
-
 fi
 
 
-
-
-# PATH needs CR
-# Avoid depending upon Character Ranges.
-as_cr_letters='abcdefghijklmnopqrstuvwxyz'
-as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ'
-as_cr_Letters=$as_cr_letters$as_cr_LETTERS
-as_cr_digits='0123456789'
-as_cr_alnum=$as_cr_Letters$as_cr_digits
-
 as_nl='
 '
 export as_nl
@@ -44,7 +38,13 @@ export as_nl
 as_echo='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\'
 as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo
 as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo$as_echo
-if (test "X`printf %s $as_echo`" = "X$as_echo") 2>/dev/null; then
+# Prefer a ksh shell builtin over an external printf program on Solaris,
+# but without wasting forks for bash or zsh.
+if test -z "$BASH_VERSION$ZSH_VERSION" \
+    && (test "X`print -r -- $as_echo`" = "X$as_echo") 2>/dev/null; then
+  as_echo='print -r --'
+  as_echo_n='print -rn --'
+elif (test "X`printf %s $as_echo`" = "X$as_echo") 2>/dev/null; then
   as_echo='printf %s\n'
   as_echo_n='printf %s'
 else
@@ -55,7 +55,7 @@ else
     as_echo_body='eval expr "X$1" : "X\\(.*\\)"'
     as_echo_n_body='eval
       arg=$1;
-      case $arg in
+      case $arg in #(
       *"$as_nl"*)
 	expr "X$arg" : "X\\(.*\\)$as_nl";
 	arg=`expr "X$arg" : ".*$as_nl\\(.*\\)"`;;
@@ -78,13 +78,6 @@ if test "${PATH_SEPARATOR+set}" != set; then
   }
 fi
 
-# Support unset when possible.
-if ( (MAIL=60; unset MAIL) || exit) >/dev/null 2>&1; then
-  as_unset=unset
-else
-  as_unset=false
-fi
-
 
 # IFS
 # We need space, tab and new line, in precisely that order.  Quoting is
@@ -94,15 +87,15 @@ fi
 IFS=" ""	$as_nl"
 
 # Find who we are.  Look in the path if we contain no directory separator.
-case $0 in
+case $0 in #((
   *[\\/]* ) as_myself=$0 ;;
   *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
 for as_dir in $PATH
 do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
-  test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break
-done
+    test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break
+  done
 IFS=$as_save_IFS
 
      ;;
@@ -114,12 +107,16 @@ if test "x$as_myself" = x; then
 fi
 if test ! -f "$as_myself"; then
   $as_echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2
-  { (exit 1); exit 1; }
+  exit 1
 fi
 
-# Work around bugs in pre-3.0 UWIN ksh.
-for as_var in ENV MAIL MAILPATH
-do ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var
+# Unset variables that we do not need and which cause bugs (e.g. in
+# pre-3.0 UWIN ksh).  But do not cause bugs in bash 2.01; the "|| exit 1"
+# suppresses any "Segmentation fault" message there.  '((' could
+# trigger a bug in pdksh 5.2.14.
+for as_var in BASH_ENV ENV MAIL MAILPATH
+do eval test x\${$as_var+set} = xset \
+  && ( (unset $as_var) || exit 1) >/dev/null 2>&1 && unset $as_var || :
 done
 PS1='$ '
 PS2='> '
@@ -131,7 +128,248 @@ export LC_ALL
 LANGUAGE=C
 export LANGUAGE
 
-# Required to use basename.
+# CDPATH.
+(unset CDPATH) >/dev/null 2>&1 && unset CDPATH
+
+if test "x$CONFIG_SHELL" = x; then
+  as_bourne_compatible="if test -n \"\${ZSH_VERSION+set}\" && (emulate sh) >/dev/null 2>&1; then :
+  emulate sh
+  NULLCMD=:
+  # Pre-4.2 versions of Zsh do word splitting on \${1+\"\$@\"}, which
+  # is contrary to our usage.  Disable this feature.
+  alias -g '\${1+\"\$@\"}'='\"\$@\"'
+  setopt NO_GLOB_SUBST
+else
+  case \`(set -o) 2>/dev/null\` in #(
+  *posix*) :
+    set -o posix ;; #(
+  *) :
+     ;;
+esac
+fi
+"
+  as_required="as_fn_return () { (exit \$1); }
+as_fn_success () { as_fn_return 0; }
+as_fn_failure () { as_fn_return 1; }
+as_fn_ret_success () { return 0; }
+as_fn_ret_failure () { return 1; }
+
+exitcode=0
+as_fn_success || { exitcode=1; echo as_fn_success failed.; }
+as_fn_failure && { exitcode=1; echo as_fn_failure succeeded.; }
+as_fn_ret_success || { exitcode=1; echo as_fn_ret_success failed.; }
+as_fn_ret_failure && { exitcode=1; echo as_fn_ret_failure succeeded.; }
+if ( set x; as_fn_ret_success y && test x = \"\$1\" ); then :
+
+else
+  exitcode=1; echo positional parameters were not saved.
+fi
+test x\$exitcode = x0 || exit 1"
+  as_suggested="  as_lineno_1=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_1a=\$LINENO
+  as_lineno_2=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_2a=\$LINENO
+  eval 'test \"x\$as_lineno_1'\$as_run'\" != \"x\$as_lineno_2'\$as_run'\" &&
+  test \"x\`expr \$as_lineno_1'\$as_run' + 1\`\" = \"x\$as_lineno_2'\$as_run'\"' || exit 1
+test \$(( 1 + 1 )) = 2 || exit 1"
+  if (eval "$as_required") 2>/dev/null; then :
+  as_have_required=yes
+else
+  as_have_required=no
+fi
+  if test x$as_have_required = xyes && (eval "$as_suggested") 2>/dev/null; then :
+
+else
+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+as_found=false
+for as_dir in /bin$PATH_SEPARATOR/usr/bin$PATH_SEPARATOR$PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+  as_found=:
+  case $as_dir in #(
+	 /*)
+	   for as_base in sh bash ksh sh5; do
+	     # Try only shells that exist, to save several forks.
+	     as_shell=$as_dir/$as_base
+	     if { test -f "$as_shell" || test -f "$as_shell.exe"; } &&
+		    { $as_echo "$as_bourne_compatible""$as_required" | as_run=a "$as_shell"; } 2>/dev/null; then :
+  CONFIG_SHELL=$as_shell as_have_required=yes
+		   if { $as_echo "$as_bourne_compatible""$as_suggested" | as_run=a "$as_shell"; } 2>/dev/null; then :
+  break 2
+fi
+fi
+	   done;;
+       esac
+  as_found=false
+done
+$as_found || { if { test -f "$SHELL" || test -f "$SHELL.exe"; } &&
+	      { $as_echo "$as_bourne_compatible""$as_required" | as_run=a "$SHELL"; } 2>/dev/null; then :
+  CONFIG_SHELL=$SHELL as_have_required=yes
+fi; }
+IFS=$as_save_IFS
+
+
+      if test "x$CONFIG_SHELL" != x; then :
+  # We cannot yet assume a decent shell, so we have to provide a
+	# neutralization value for shells without unset; and this also
+	# works around shells that cannot unset nonexistent variables.
+	BASH_ENV=/dev/null
+	ENV=/dev/null
+	(unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV
+	export CONFIG_SHELL
+	exec "$CONFIG_SHELL" "$as_myself" ${1+"$@"}
+fi
+
+    if test x$as_have_required = xno; then :
+  $as_echo "$0: This script requires a shell more modern than all"
+  $as_echo "$0: the shells that I found on your system."
+  if test x${ZSH_VERSION+set} = xset ; then
+    $as_echo "$0: In particular, zsh $ZSH_VERSION has bugs and should"
+    $as_echo "$0: be upgraded to zsh 4.3.4 or later."
+  else
+    $as_echo "$0: Please tell bug-autoconf@gnu.org about your system,
+$0: including any error possibly output before this
+$0: message. Then install a modern shell, or manually run
+$0: the script under such a shell if you do have one."
+  fi
+  exit 1
+fi
+fi
+fi
+SHELL=${CONFIG_SHELL-/bin/sh}
+export SHELL
+# Unset more variables known to interfere with behavior of common tools.
+CLICOLOR_FORCE= GREP_OPTIONS=
+unset CLICOLOR_FORCE GREP_OPTIONS
+
+## --------------------- ##
+## M4sh Shell Functions. ##
+## --------------------- ##
+# as_fn_unset VAR
+# ---------------
+# Portably unset VAR.
+as_fn_unset ()
+{
+  { eval $1=; unset $1;}
+}
+as_unset=as_fn_unset
+
+# as_fn_set_status STATUS
+# -----------------------
+# Set $? to STATUS, without forking.
+as_fn_set_status ()
+{
+  return $1
+} # as_fn_set_status
+
+# as_fn_exit STATUS
+# -----------------
+# Exit the shell with STATUS, even in a "trap 0" or "set -e" context.
+as_fn_exit ()
+{
+  set +e
+  as_fn_set_status $1
+  exit $1
+} # as_fn_exit
+
+# as_fn_mkdir_p
+# -------------
+# Create "$as_dir" as a directory, including parents if necessary.
+as_fn_mkdir_p ()
+{
+
+  case $as_dir in #(
+  -*) as_dir=./$as_dir;;
+  esac
+  test -d "$as_dir" || eval $as_mkdir_p || {
+    as_dirs=
+    while :; do
+      case $as_dir in #(
+      *\'*) as_qdir=`$as_echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #'(
+      *) as_qdir=$as_dir;;
+      esac
+      as_dirs="'$as_qdir' $as_dirs"
+      as_dir=`$as_dirname -- "$as_dir" ||
+$as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
+	 X"$as_dir" : 'X\(//\)[^/]' \| \
+	 X"$as_dir" : 'X\(//\)$' \| \
+	 X"$as_dir" : 'X\(/\)' \| . 2>/dev/null ||
+$as_echo X"$as_dir" |
+    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
+	    s//\1/
+	    q
+	  }
+	  /^X\(\/\/\)[^/].*/{
+	    s//\1/
+	    q
+	  }
+	  /^X\(\/\/\)$/{
+	    s//\1/
+	    q
+	  }
+	  /^X\(\/\).*/{
+	    s//\1/
+	    q
+	  }
+	  s/.*/./; q'`
+      test -d "$as_dir" && break
+    done
+    test -z "$as_dirs" || eval "mkdir $as_dirs"
+  } || test -d "$as_dir" || as_fn_error "cannot create directory $as_dir"
+
+
+} # as_fn_mkdir_p
+# as_fn_append VAR VALUE
+# ----------------------
+# Append the text in VALUE to the end of the definition contained in VAR. Take
+# advantage of any shell optimizations that allow amortized linear growth over
+# repeated appends, instead of the typical quadratic growth present in naive
+# implementations.
+if (eval "as_var=1; as_var+=2; test x\$as_var = x12") 2>/dev/null; then :
+  eval 'as_fn_append ()
+  {
+    eval $1+=\$2
+  }'
+else
+  as_fn_append ()
+  {
+    eval $1=\$$1\$2
+  }
+fi # as_fn_append
+
+# as_fn_arith ARG...
+# ------------------
+# Perform arithmetic evaluation on the ARGs, and store the result in the
+# global $as_val. Take advantage of shells that can avoid forks. The arguments
+# must be portable across $(()) and expr.
+if (eval "test \$(( 1 + 1 )) = 2") 2>/dev/null; then :
+  eval 'as_fn_arith ()
+  {
+    as_val=$(( $* ))
+  }'
+else
+  as_fn_arith ()
+  {
+    as_val=`expr "$@" || test $? -eq 1`
+  }
+fi # as_fn_arith
+
+
+# as_fn_error ERROR [LINENO LOG_FD]
+# ---------------------------------
+# Output "`basename $0`: error: ERROR" to stderr. If LINENO and LOG_FD are
+# provided, also output the error to LOG_FD, referencing LINENO. Then exit the
+# script with status $?, using 1 if that was 0.
+as_fn_error ()
+{
+  as_status=$?; test $as_status -eq 0 && as_status=1
+  if test "$3"; then
+    as_lineno=${as_lineno-"$2"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
+    $as_echo "$as_me:${as_lineno-$LINENO}: error: $1" >&$3
+  fi
+  $as_echo "$as_me: error: $1" >&2
+  as_fn_exit $as_status
+} # as_fn_error
+
 if expr a : '\(a\)' >/dev/null 2>&1 &&
    test "X`expr 00001 : '.*\(...\)'`" = X001; then
   as_expr=expr
@@ -145,8 +383,12 @@ else
   as_basename=false
 fi
 
+if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then
+  as_dirname=dirname
+else
+  as_dirname=false
+fi
 
-# Name of the executable.
 as_me=`$as_basename -- "$0" ||
 $as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \
 	 X"$0" : 'X\(//\)$' \| \
@@ -166,409 +408,120 @@ $as_echo X/"$0" |
 	  }
 	  s/.*/./; q'`
 
-# CDPATH.
-$as_unset CDPATH
+# Avoid depending upon Character Ranges.
+as_cr_letters='abcdefghijklmnopqrstuvwxyz'
+as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ'
+as_cr_Letters=$as_cr_letters$as_cr_LETTERS
+as_cr_digits='0123456789'
+as_cr_alnum=$as_cr_Letters$as_cr_digits
 
 
-if test "x$CONFIG_SHELL" = x; then
-  if (eval ":") 2>/dev/null; then
-  as_have_required=yes
-else
-  as_have_required=no
-fi
+  as_lineno_1=$LINENO as_lineno_1a=$LINENO
+  as_lineno_2=$LINENO as_lineno_2a=$LINENO
+  eval 'test "x$as_lineno_1'$as_run'" != "x$as_lineno_2'$as_run'" &&
+  test "x`expr $as_lineno_1'$as_run' + 1`" = "x$as_lineno_2'$as_run'"' || {
+  # Blame Lee E. McMahon (1931-1989) for sed's syntax.  :-)
+  sed -n '
+    p
+    /[$]LINENO/=
+  ' <$as_myself |
+    sed '
+      s/[$]LINENO.*/&-/
+      t lineno
+      b
+      :lineno
+      N
+      :loop
+      s/[$]LINENO\([^'$as_cr_alnum'_].*\n\)\(.*\)/\2\1\2/
+      t loop
+      s/-\n.*//
+    ' >$as_me.lineno &&
+  chmod +x "$as_me.lineno" ||
+    { $as_echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2; as_fn_exit 1; }
 
-  if test $as_have_required = yes &&	 (eval ":
-(as_func_return () {
-  (exit \$1)
-}
-as_func_success () {
-  as_func_return 0
-}
-as_func_failure () {
-  as_func_return 1
-}
-as_func_ret_success () {
-  return 0
-}
-as_func_ret_failure () {
-  return 1
+  # Don't try to exec as it changes $[0], causing all sort of problems
+  # (the dirname of $[0] is not the place where we might find the
+  # original and so on.  Autoconf is especially sensitive to this).
+  . "./$as_me.lineno"
+  # Exit status is that of the last command.
+  exit
 }
 
-exitcode=0
-if as_func_success; then
-  :
-else
-  exitcode=1
-  echo as_func_success failed.
-fi
+ECHO_C= ECHO_N= ECHO_T=
+case `echo -n x` in #(((((
+-n*)
+  case `echo 'xy\c'` in
+  *c*) ECHO_T='	';;	# ECHO_T is single tab character.
+  xy)  ECHO_C='\c';;
+  *)   echo `echo ksh88 bug on AIX 6.1` > /dev/null
+       ECHO_T='	';;
+  esac;;
+*)
+  ECHO_N='-n';;
+esac
 
-if as_func_failure; then
-  exitcode=1
-  echo as_func_failure succeeded.
+rm -f conf$$ conf$$.exe conf$$.file
+if test -d conf$$.dir; then
+  rm -f conf$$.dir/conf$$.file
+else
+  rm -f conf$$.dir
+  mkdir conf$$.dir 2>/dev/null
 fi
-
-if as_func_ret_success; then
-  :
+if (echo >conf$$.file) 2>/dev/null; then
+  if ln -s conf$$.file conf$$ 2>/dev/null; then
+    as_ln_s='ln -s'
+    # ... but there are two gotchas:
+    # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail.
+    # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable.
+    # In both cases, we have to default to `cp -p'.
+    ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe ||
+      as_ln_s='cp -p'
+  elif ln conf$$.file conf$$ 2>/dev/null; then
+    as_ln_s=ln
+  else
+    as_ln_s='cp -p'
+  fi
 else
-  exitcode=1
-  echo as_func_ret_success failed.
+  as_ln_s='cp -p'
 fi
+rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file
+rmdir conf$$.dir 2>/dev/null
 
-if as_func_ret_failure; then
-  exitcode=1
-  echo as_func_ret_failure succeeded.
+if mkdir -p . 2>/dev/null; then
+  as_mkdir_p='mkdir -p "$as_dir"'
+else
+  test -d ./-p && rmdir ./-p
+  as_mkdir_p=false
 fi
 
-if ( set x; as_func_ret_success y && test x = \"\$1\" ); then
-  :
+if test -x / >/dev/null 2>&1; then
+  as_test_x='test -x'
 else
-  exitcode=1
-  echo positional parameters were not saved.
+  if ls -dL / >/dev/null 2>&1; then
+    as_ls_L_option=L
+  else
+    as_ls_L_option=
+  fi
+  as_test_x='
+    eval sh -c '\''
+      if test -d "$1"; then
+	test -d "$1/.";
+      else
+	case $1 in #(
+	-*)set "./$1";;
+	esac;
+	case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in #((
+	???[sx]*):;;*)false;;esac;fi
+    '\'' sh
+  '
 fi
+as_executable_p=$as_test_x
 
-test \$exitcode = 0) || { (exit 1); exit 1; }
-
-(
-  as_lineno_1=\$LINENO
-  as_lineno_2=\$LINENO
-  test \"x\$as_lineno_1\" != \"x\$as_lineno_2\" &&
-  test \"x\`expr \$as_lineno_1 + 1\`\" = \"x\$as_lineno_2\") || { (exit 1); exit 1; }
-") 2> /dev/null; then
-  :
-else
-  as_candidate_shells=
-    as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in /bin$PATH_SEPARATOR/usr/bin$PATH_SEPARATOR$PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  case $as_dir in
-	 /*)
-	   for as_base in sh bash ksh sh5; do
-	     as_candidate_shells="$as_candidate_shells $as_dir/$as_base"
-	   done;;
-       esac
-done
-IFS=$as_save_IFS
-
-
-      for as_shell in $as_candidate_shells $SHELL; do
-	 # Try only shells that exist, to save several forks.
-	 if { test -f "$as_shell" || test -f "$as_shell.exe"; } &&
-		{ ("$as_shell") 2> /dev/null <<\_ASEOF
-if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
-  emulate sh
-  NULLCMD=:
-  # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which
-  # is contrary to our usage.  Disable this feature.
-  alias -g '${1+"$@"}'='"$@"'
-  setopt NO_GLOB_SUBST
-else
-  case `(set -o) 2>/dev/null` in
-  *posix*) set -o posix ;;
-esac
-
-fi
-
-
-:
-_ASEOF
-}; then
-  CONFIG_SHELL=$as_shell
-	       as_have_required=yes
-	       if { "$as_shell" 2> /dev/null <<\_ASEOF
-if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
-  emulate sh
-  NULLCMD=:
-  # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which
-  # is contrary to our usage.  Disable this feature.
-  alias -g '${1+"$@"}'='"$@"'
-  setopt NO_GLOB_SUBST
-else
-  case `(set -o) 2>/dev/null` in
-  *posix*) set -o posix ;;
-esac
-
-fi
-
-
-:
-(as_func_return () {
-  (exit $1)
-}
-as_func_success () {
-  as_func_return 0
-}
-as_func_failure () {
-  as_func_return 1
-}
-as_func_ret_success () {
-  return 0
-}
-as_func_ret_failure () {
-  return 1
-}
-
-exitcode=0
-if as_func_success; then
-  :
-else
-  exitcode=1
-  echo as_func_success failed.
-fi
-
-if as_func_failure; then
-  exitcode=1
-  echo as_func_failure succeeded.
-fi
-
-if as_func_ret_success; then
-  :
-else
-  exitcode=1
-  echo as_func_ret_success failed.
-fi
-
-if as_func_ret_failure; then
-  exitcode=1
-  echo as_func_ret_failure succeeded.
-fi
-
-if ( set x; as_func_ret_success y && test x = "$1" ); then
-  :
-else
-  exitcode=1
-  echo positional parameters were not saved.
-fi
-
-test $exitcode = 0) || { (exit 1); exit 1; }
-
-(
-  as_lineno_1=$LINENO
-  as_lineno_2=$LINENO
-  test "x$as_lineno_1" != "x$as_lineno_2" &&
-  test "x`expr $as_lineno_1 + 1`" = "x$as_lineno_2") || { (exit 1); exit 1; }
-
-_ASEOF
-}; then
-  break
-fi
-
-fi
-
-      done
-
-      if test "x$CONFIG_SHELL" != x; then
-  for as_var in BASH_ENV ENV
-	do ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var
-	done
-	export CONFIG_SHELL
-	exec "$CONFIG_SHELL" "$as_myself" ${1+"$@"}
-fi
-
-
-    if test $as_have_required = no; then
-  echo This script requires a shell more modern than all the
-      echo shells that I found on your system.  Please install a
-      echo modern shell, or manually run the script under such a
-      echo shell if you do have one.
-      { (exit 1); exit 1; }
-fi
-
-
-fi
-
-fi
-
-
-
-(eval "as_func_return () {
-  (exit \$1)
-}
-as_func_success () {
-  as_func_return 0
-}
-as_func_failure () {
-  as_func_return 1
-}
-as_func_ret_success () {
-  return 0
-}
-as_func_ret_failure () {
-  return 1
-}
-
-exitcode=0
-if as_func_success; then
-  :
-else
-  exitcode=1
-  echo as_func_success failed.
-fi
-
-if as_func_failure; then
-  exitcode=1
-  echo as_func_failure succeeded.
-fi
-
-if as_func_ret_success; then
-  :
-else
-  exitcode=1
-  echo as_func_ret_success failed.
-fi
-
-if as_func_ret_failure; then
-  exitcode=1
-  echo as_func_ret_failure succeeded.
-fi
-
-if ( set x; as_func_ret_success y && test x = \"\$1\" ); then
-  :
-else
-  exitcode=1
-  echo positional parameters were not saved.
-fi
-
-test \$exitcode = 0") || {
-  echo No shell found that supports shell functions.
-  echo Please tell bug-autoconf@gnu.org about your system,
-  echo including any error possibly output before this message.
-  echo This can help us improve future autoconf versions.
-  echo Configuration will now proceed without shell functions.
-}
-
-
-
-  as_lineno_1=$LINENO
-  as_lineno_2=$LINENO
-  test "x$as_lineno_1" != "x$as_lineno_2" &&
-  test "x`expr $as_lineno_1 + 1`" = "x$as_lineno_2" || {
-
-  # Create $as_me.lineno as a copy of $as_myself, but with $LINENO
-  # uniformly replaced by the line number.  The first 'sed' inserts a
-  # line-number line after each line using $LINENO; the second 'sed'
-  # does the real work.  The second script uses 'N' to pair each
-  # line-number line with the line containing $LINENO, and appends
-  # trailing '-' during substitution so that $LINENO is not a special
-  # case at line end.
-  # (Raja R Harinath suggested sed '=', and Paul Eggert wrote the
-  # scripts with optimization help from Paolo Bonzini.  Blame Lee
-  # E. McMahon (1931-1989) for sed's syntax.  :-)
-  sed -n '
-    p
-    /[$]LINENO/=
-  ' <$as_myself |
-    sed '
-      s/[$]LINENO.*/&-/
-      t lineno
-      b
-      :lineno
-      N
-      :loop
-      s/[$]LINENO\([^'$as_cr_alnum'_].*\n\)\(.*\)/\2\1\2/
-      t loop
-      s/-\n.*//
-    ' >$as_me.lineno &&
-  chmod +x "$as_me.lineno" ||
-    { $as_echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2
-   { (exit 1); exit 1; }; }
-
-  # Don't try to exec as it changes $[0], causing all sort of problems
-  # (the dirname of $[0] is not the place where we might find the
-  # original and so on.  Autoconf is especially sensitive to this).
-  . "./$as_me.lineno"
-  # Exit status is that of the last command.
-  exit
-}
-
-
-if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then
-  as_dirname=dirname
-else
-  as_dirname=false
-fi
-
-ECHO_C= ECHO_N= ECHO_T=
-case `echo -n x` in
--n*)
-  case `echo 'x\c'` in
-  *c*) ECHO_T='	';;	# ECHO_T is single tab character.
-  *)   ECHO_C='\c';;
-  esac;;
-*)
-  ECHO_N='-n';;
-esac
-if expr a : '\(a\)' >/dev/null 2>&1 &&
-   test "X`expr 00001 : '.*\(...\)'`" = X001; then
-  as_expr=expr
-else
-  as_expr=false
-fi
-
-rm -f conf$$ conf$$.exe conf$$.file
-if test -d conf$$.dir; then
-  rm -f conf$$.dir/conf$$.file
-else
-  rm -f conf$$.dir
-  mkdir conf$$.dir 2>/dev/null
-fi
-if (echo >conf$$.file) 2>/dev/null; then
-  if ln -s conf$$.file conf$$ 2>/dev/null; then
-    as_ln_s='ln -s'
-    # ... but there are two gotchas:
-    # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail.
-    # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable.
-    # In both cases, we have to default to `cp -p'.
-    ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe ||
-      as_ln_s='cp -p'
-  elif ln conf$$.file conf$$ 2>/dev/null; then
-    as_ln_s=ln
-  else
-    as_ln_s='cp -p'
-  fi
-else
-  as_ln_s='cp -p'
-fi
-rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file
-rmdir conf$$.dir 2>/dev/null
-
-if mkdir -p . 2>/dev/null; then
-  as_mkdir_p=:
-else
-  test -d ./-p && rmdir ./-p
-  as_mkdir_p=false
-fi
-
-if test -x / >/dev/null 2>&1; then
-  as_test_x='test -x'
-else
-  if ls -dL / >/dev/null 2>&1; then
-    as_ls_L_option=L
-  else
-    as_ls_L_option=
-  fi
-  as_test_x='
-    eval sh -c '\''
-      if test -d "$1"; then
-	test -d "$1/.";
-      else
-	case $1 in
-	-*)set "./$1";;
-	esac;
-	case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in
-	???[sx]*):;;*)false;;esac;fi
-    '\'' sh
-  '
-fi
-as_executable_p=$as_test_x
-
-# Sed expression to map a string onto a valid CPP name.
-as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'"
-
-# Sed expression to map a string onto a valid variable name.
-as_tr_sh="eval sed 'y%*+%pp%;s%[^_$as_cr_alnum]%_%g'"
+# Sed expression to map a string onto a valid CPP name.
+as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'"
 
+# Sed expression to map a string onto a valid variable name.
+as_tr_sh="eval sed 'y%*+%pp%;s%[^_$as_cr_alnum]%_%g'"
 
 
 
@@ -738,14 +691,14 @@ cross_compiling=no
 subdirs=
 MFLAGS=
 MAKEFLAGS=
-SHELL=${CONFIG_SHELL-/bin/sh}
 
 # Identity of this package.
 PACKAGE_NAME='strongSwan'
 PACKAGE_TARNAME='strongswan'
-PACKAGE_VERSION='4.3.4'
-PACKAGE_STRING='strongSwan 4.3.4'
+PACKAGE_VERSION='4.3.6'
+PACKAGE_STRING='strongSwan 4.3.6'
 PACKAGE_BUGREPORT=''
+PACKAGE_URL=''
 
 # Factoring default headers for most tests.
 ac_includes_default="\
@@ -783,8 +736,12 @@ ac_includes_default="\
 # include <unistd.h>
 #endif"
 
-ac_subst_vars='LTLIBOBJS
+ac_subst_vars='am__EXEEXT_FALSE
+am__EXEEXT_TRUE
+LTLIBOBJS
 LIBOBJS
+USE_SIMAKA_FALSE
+USE_SIMAKA_TRUE
 USE_VSTR_FALSE
 USE_VSTR_TRUE
 USE_FILE_CONFIG_FALSE
@@ -839,6 +796,8 @@ USE_EAP_RADIUS_FALSE
 USE_EAP_RADIUS_TRUE
 USE_EAP_MSCHAPV2_FALSE
 USE_EAP_MSCHAPV2_TRUE
+USE_EAP_AKA_3GPP2_FALSE
+USE_EAP_AKA_3GPP2_TRUE
 USE_EAP_AKA_FALSE
 USE_EAP_AKA_TRUE
 USE_EAP_GTC_FALSE
@@ -847,16 +806,20 @@ USE_EAP_MD5_FALSE
 USE_EAP_MD5_TRUE
 USE_EAP_IDENTITY_FALSE
 USE_EAP_IDENTITY_TRUE
+USE_EAP_SIMAKA_REAUTH_FALSE
+USE_EAP_SIMAKA_REAUTH_TRUE
+USE_EAP_SIMAKA_PSEUDONYM_FALSE
+USE_EAP_SIMAKA_PSEUDONYM_TRUE
 USE_EAP_SIM_FILE_FALSE
 USE_EAP_SIM_FILE_TRUE
 USE_EAP_SIM_FALSE
 USE_EAP_SIM_TRUE
-USE_LOAD_TESTS_FALSE
-USE_LOAD_TESTS_TRUE
+USE_LOAD_TESTER_FALSE
+USE_LOAD_TESTER_TRUE
 USE_UNIT_TESTS_FALSE
 USE_UNIT_TESTS_TRUE
-USE_RESOLV_CONF_FALSE
-USE_RESOLV_CONF_TRUE
+USE_RESOLVE_FALSE
+USE_RESOLVE_TRUE
 USE_ATTR_FALSE
 USE_ATTR_TRUE
 USE_UPDOWN_FALSE
@@ -883,6 +846,8 @@ USE_OPENSSL_FALSE
 USE_OPENSSL_TRUE
 USE_PADLOCK_FALSE
 USE_PADLOCK_TRUE
+USE_ATTR_SQL_FALSE
+USE_ATTR_SQL_TRUE
 USE_SQLITE_FALSE
 USE_SQLITE_TRUE
 USE_MYSQL_FALSE
@@ -891,6 +856,14 @@ USE_XCBC_FALSE
 USE_XCBC_TRUE
 USE_HMAC_FALSE
 USE_HMAC_TRUE
+USE_PEM_FALSE
+USE_PEM_TRUE
+USE_DNSKEY_FALSE
+USE_DNSKEY_TRUE
+USE_PGP_FALSE
+USE_PGP_TRUE
+USE_PKCS1_FALSE
+USE_PKCS1_TRUE
 USE_PUBKEY_FALSE
 USE_PUBKEY_TRUE
 USE_X509_FALSE
@@ -925,15 +898,17 @@ pluto_plugins
 libstrongswan_plugins
 nm_LIBS
 nm_CFLAGS
-LIBGCRYPT_LIBS
-LIBGCRYPT_CFLAGS
-LIBGCRYPT_CONFIG
+MYSQLCFLAG
+MYSQLLIB
+MYSQLCONFIG
 RUBYINCLUDE
 RUBY
 gtk_LIBS
 gtk_CFLAGS
 xml_LIBS
 xml_CFLAGS
+PTHREADLIB
+RTLIB
 SOCKLIB
 BTLIB
 DLLIB
@@ -993,18 +968,19 @@ CFLAGS
 CC
 ipsecgroup
 ipsecuser
-IPSEC_ROUTING_TABLE_PRIO
-IPSEC_ROUTING_TABLE
-LINUX_HEADERS
-linuxdir
-simreader
+routing_table_prio
+routing_table
+linux_headers
+nm_ca_dir
 plugindir
 ipsecdir
 piddir
-strongswan_conf
 resolv_conf
+strongswan_conf
+urandom_device
+random_device
+default_pkcs11
 PKG_CONFIG
-confdir
 am__untar
 am__tar
 AMTAR
@@ -1058,6 +1034,7 @@ bindir
 program_transform_name
 prefix
 exec_prefix
+PACKAGE_URL
 PACKAGE_BUGREPORT
 PACKAGE_STRING
 PACKAGE_VERSION
@@ -1069,23 +1046,21 @@ ac_subst_files=''
 ac_user_opts='
 enable_option_checking
 with_default_pkcs11
-with_xauth_module
 with_random_device
-with_resolv_conf
-with_strongswan_conf
 with_urandom_device
+with_strongswan_conf
+with_resolv_conf
 with_piddir
 with_ipsecdir
 with_plugindir
-with_sim_reader
+with_nm_ca_dir
 with_linux_headers
 with_routing_table
 with_routing_table_prio
-with_uid
-with_gid
+with_capabilities
+with_xauth_module
 with_user
 with_group
-with_capabilities
 enable_curl
 enable_ldap
 enable_aes
@@ -1100,6 +1075,10 @@ enable_gmp
 enable_random
 enable_x509
 enable_pubkey
+enable_pkcs1
+enable_pgp
+enable_dnskey
+enable_pem
 enable_hmac
 enable_xcbc
 enable_test_vectors
@@ -1115,13 +1094,16 @@ enable_cisco_quirks
 enable_leak_detective
 enable_lock_profiler
 enable_unit_tests
-enable_load_tests
+enable_load_tester
 enable_eap_sim
 enable_eap_sim_file
+enable_eap_simaka_pseudonym
+enable_eap_simaka_reauth
 enable_eap_identity
 enable_eap_md5
 enable_eap_gtc
 enable_eap_aka
+enable_eap_aka_3gpp2
 enable_eap_mschapv2
 enable_eap_radius
 enable_kernel_netlink
@@ -1143,7 +1125,8 @@ enable_tools
 enable_scripts
 enable_updown
 enable_attr
-enable_resolv_conf
+enable_attr_sql
+enable_resolve
 enable_padlock
 enable_openssl
 enable_gcrypt
@@ -1159,7 +1142,6 @@ with_pic
 enable_fast_install
 with_gnu_ld
 enable_libtool_lock
-with_libgcrypt_prefix
 '
       ac_precious_vars='build_alias
 host_alias
@@ -1287,8 +1269,7 @@ do
     ac_useropt=`expr "x$ac_option" : 'x-*disable-\(.*\)'`
     # Reject names that are not valid shell variable names.
     expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null &&
-      { $as_echo "$as_me: error: invalid feature name: $ac_useropt" >&2
-   { (exit 1); exit 1; }; }
+      as_fn_error "invalid feature name: $ac_useropt"
     ac_useropt_orig=$ac_useropt
     ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'`
     case $ac_user_opts in
@@ -1314,8 +1295,7 @@ do
     ac_useropt=`expr "x$ac_option" : 'x-*enable-\([^=]*\)'`
     # Reject names that are not valid shell variable names.
     expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null &&
-      { $as_echo "$as_me: error: invalid feature name: $ac_useropt" >&2
-   { (exit 1); exit 1; }; }
+      as_fn_error "invalid feature name: $ac_useropt"
     ac_useropt_orig=$ac_useropt
     ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'`
     case $ac_user_opts in
@@ -1519,8 +1499,7 @@ do
     ac_useropt=`expr "x$ac_option" : 'x-*with-\([^=]*\)'`
     # Reject names that are not valid shell variable names.
     expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null &&
-      { $as_echo "$as_me: error: invalid package name: $ac_useropt" >&2
-   { (exit 1); exit 1; }; }
+      as_fn_error "invalid package name: $ac_useropt"
     ac_useropt_orig=$ac_useropt
     ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'`
     case $ac_user_opts in
@@ -1536,8 +1515,7 @@ do
     ac_useropt=`expr "x$ac_option" : 'x-*without-\(.*\)'`
     # Reject names that are not valid shell variable names.
     expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null &&
-      { $as_echo "$as_me: error: invalid package name: $ac_useropt" >&2
-   { (exit 1); exit 1; }; }
+      as_fn_error "invalid package name: $ac_useropt"
     ac_useropt_orig=$ac_useropt
     ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'`
     case $ac_user_opts in
@@ -1567,17 +1545,17 @@ do
   | --x-librar=* | --x-libra=* | --x-libr=* | --x-lib=* | --x-li=* | --x-l=*)
     x_libraries=$ac_optarg ;;
 
-  -*) { $as_echo "$as_me: error: unrecognized option: $ac_option
-Try \`$0 --help' for more information." >&2
-   { (exit 1); exit 1; }; }
+  -*) as_fn_error "unrecognized option: \`$ac_option'
+Try \`$0 --help' for more information."
     ;;
 
   *=*)
     ac_envvar=`expr "x$ac_option" : 'x\([^=]*\)='`
     # Reject names that are not valid shell variable names.
-    expr "x$ac_envvar" : ".*[^_$as_cr_alnum]" >/dev/null &&
-      { $as_echo "$as_me: error: invalid variable name: $ac_envvar" >&2
-   { (exit 1); exit 1; }; }
+    case $ac_envvar in #(
+      '' | [0-9]* | *[!_$as_cr_alnum]* )
+      as_fn_error "invalid variable name: \`$ac_envvar'" ;;
+    esac
     eval $ac_envvar=\$ac_optarg
     export $ac_envvar ;;
 
@@ -1594,15 +1572,13 @@ done
 
 if test -n "$ac_prev"; then
   ac_option=--`echo $ac_prev | sed 's/_/-/g'`
-  { $as_echo "$as_me: error: missing argument to $ac_option" >&2
-   { (exit 1); exit 1; }; }
+  as_fn_error "missing argument to $ac_option"
 fi
 
 if test -n "$ac_unrecognized_opts"; then
   case $enable_option_checking in
     no) ;;
-    fatal) { $as_echo "$as_me: error: unrecognized options: $ac_unrecognized_opts" >&2
-   { (exit 1); exit 1; }; } ;;
+    fatal) as_fn_error "unrecognized options: $ac_unrecognized_opts" ;;
     *)     $as_echo "$as_me: WARNING: unrecognized options: $ac_unrecognized_opts" >&2 ;;
   esac
 fi
@@ -1625,8 +1601,7 @@ do
     [\\/$]* | ?:[\\/]* )  continue;;
     NONE | '' ) case $ac_var in *prefix ) continue;; esac;;
   esac
-  { $as_echo "$as_me: error: expected an absolute directory name for --$ac_var: $ac_val" >&2
-   { (exit 1); exit 1; }; }
+  as_fn_error "expected an absolute directory name for --$ac_var: $ac_val"
 done
 
 # There might be people who depend on the old broken behavior: `$host'
@@ -1656,11 +1631,9 @@ test "$silent" = yes && exec 6>/dev/null
 ac_pwd=`pwd` && test -n "$ac_pwd" &&
 ac_ls_di=`ls -di .` &&
 ac_pwd_ls_di=`cd "$ac_pwd" && ls -di .` ||
-  { $as_echo "$as_me: error: working directory cannot be determined" >&2
-   { (exit 1); exit 1; }; }
+  as_fn_error "working directory cannot be determined"
 test "X$ac_ls_di" = "X$ac_pwd_ls_di" ||
-  { $as_echo "$as_me: error: pwd does not report name of working directory" >&2
-   { (exit 1); exit 1; }; }
+  as_fn_error "pwd does not report name of working directory"
 
 
 # Find the source files, if location was not specified.
@@ -1699,13 +1672,11 @@ else
 fi
 if test ! -r "$srcdir/$ac_unique_file"; then
   test "$ac_srcdir_defaulted" = yes && srcdir="$ac_confdir or .."
-  { $as_echo "$as_me: error: cannot find sources ($ac_unique_file) in $srcdir" >&2
-   { (exit 1); exit 1; }; }
+  as_fn_error "cannot find sources ($ac_unique_file) in $srcdir"
 fi
 ac_msg="sources are in $srcdir, but \`cd $srcdir' does not work"
 ac_abs_confdir=`(
-	cd "$srcdir" && test -r "./$ac_unique_file" || { $as_echo "$as_me: error: $ac_msg" >&2
-   { (exit 1); exit 1; }; }
+	cd "$srcdir" && test -r "./$ac_unique_file" || as_fn_error "$ac_msg"
 	pwd)`
 # When building in place, set srcdir=.
 if test "$ac_abs_confdir" = "$ac_pwd"; then
@@ -1731,7 +1702,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures strongSwan 4.3.4 to adapt to many kinds of systems.
+\`configure' configures strongSwan 4.3.6 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1801,7 +1772,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of strongSwan 4.3.4:";;
+     short | recursive ) echo "Configuration of strongSwan 4.3.6:";;
    esac
   cat <<\_ACEOF
 
@@ -1810,124 +1781,101 @@ Optional Features:
   --disable-FEATURE       do not include FEATURE (same as --enable-FEATURE=no)
   --enable-FEATURE[=ARG]  include FEATURE [ARG=yes]
   --enable-curl           enable CURL fetcher plugin to fetch files via
-                          libcurl (default is NO). Requires libcurl.
+                          libcurl. Requires libcurl.
   --enable-ldap           enable LDAP fetching plugin to fetch files via
-                          libldap (default is NO). Requires openLDAP.
-  --disable-aes           disable own AES software implementation plugin.
-                          (default is NO).
-  --disable-des           disable own DES/3DES software implementation plugin.
-                          (default is NO).
-  --enable-blowfish       enable Blowfish software implementation plugin
-                          (default is NO).
-  --enable-md4            enable MD4 software implementation plugin (default
-                          is NO).
-  --disable-md5           disable own MD5 software implementation plugin.
-                          (default is NO).
-  --disable-sha1          disable own SHA1 software implementation plugin.
-                          (default is NO).
-  --disable-sha2          disable own SHA256/SHA384/SHA512 software
-                          implementation plugin. (default is NO).
+                          libldap. Requires openLDAP.
+  --disable-aes           disable AES software implementation plugin.
+  --disable-des           disable DES/3DES software implementation plugin.
+  --enable-blowfish       enable Blowfish software implementation plugin.
+  --enable-md4            enable MD4 software implementation plugin.
+  --disable-md5           disable MD5 software implementation plugin.
+  --disable-sha1          disable SHA1 software implementation plugin.
+  --disable-sha2          disable SHA256/SHA384/SHA512 software implementation
+                          plugin.
   --disable-fips-prf      disable FIPS PRF software implementation plugin.
-                          (default is NO).
-  --disable-gmp           disable own GNU MP (libgmp) based crypto
-                          implementation plugin. (default is NO).
+  --disable-gmp           disable GNU MP (libgmp) based crypto implementation
+                          plugin.
   --disable-random        disable RNG implementation on top of /dev/(u)random.
-                          (default is NO).
-  --disable-x509          disable own X509 certificate implementation plugin.
-                          (default is NO).
-  --disable-pubkey        disable RAW public key support plugin. (default is
-                          NO).
-  --disable-hmac          disable HMAC crypto implementation plugin. (default
-                          is NO).
-  --disable-xcbc          disable xcbc crypto implementation plugin. (default
-                          is NO).
-  --enable-test-vectors   enable plugin providing crypto test vectors (default
-                          is NO).
-  --enable-mysql          enable MySQL database support (default is NO).
-                          Requires libmysqlclient_r.
-  --enable-sqlite         enable SQLite database support (default is NO).
-                          Requires libsqlite3.
+  --disable-x509          disable X509 certificate implementation plugin.
+  --disable-pubkey        disable RAW public key support plugin.
+  --disable-pkcs1         disable PKCS1 key decoding plugin.
+  --disable-pgp           disable PGP key decoding plugin.
+  --disable-dnskey        disable DNS RR key decoding plugin.
+  --disable-pem           disable PEM decoding plugin.
+  --disable-hmac          disable HMAC crypto implementation plugin.
+  --disable-xcbc          disable xcbc crypto implementation plugin.
+  --enable-test-vectors   enable plugin providing crypto test vectors.
+  --enable-mysql          enable MySQL database support. Requires
+                          libmysqlclient_r.
+  --enable-sqlite         enable SQLite database support. Requires libsqlite3.
   --disable-stroke        disable charons stroke (pluto compatibility)
-                          configuration backend. (default is NO).
+                          configuration backend.
   --enable-medsrv         enable mediation server web frontend and daemon
-                          plugin (default is NO).
+                          plugin.
   --enable-medcli         enable mediation client configuration database
-                          plugin (default is NO).
-  --enable-smp            enable SMP configuration and control interface
-                          (default is NO). Requires libxml.
-  --enable-sql            enable SQL database configuration backend (default
-                          is NO).
-  --enable-smartcard      enable smartcard support (default is NO).
-  --enable-cisco-quirks   enable support of Cisco VPN client (default is NO).
-  --enable-leak-detective enable malloc hooks to find memory leaks (default is
-                          NO).
-  --enable-lock-profiler  enable lock/mutex profiling code (default is NO).
-  --enable-unit-tests     enable unit tests on IKEv2 daemon startup (default
-                          is NO).
-  --enable-load-tests     enable load testing plugin for IKEv2 daemon (default
-                          is NO).
-  --enable-eap-sim        build SIM authenication module for EAP (default is
-                          NO).
-  --enable-eap-sim-file   build EAP-SIM backend based on a triplet file
-                          (default is NO).
-  --enable-eap-identity   build EAP module providing EAP-Identity helper
-                          (default is NO).
-  --enable-eap-md5        build MD5 (CHAP) authenication module for EAP
-                          (default is NO).
-  --enable-eap-gtc        build PAM based GTC authenication module for EAP
-                          (default is NO).
-  --enable-eap-aka        build AKA authentication module for EAP (default is
-                          NO).
-  --enable-eap-mschapv2   build MS-CHAPv2 authenication module for EAP
-                          (default is NO).
-  --enable-eap-radius     build RADIUS proxy authenication module for EAP
-                          (default is NO).
+                          plugin.
+  --enable-smp            enable SMP configuration and control interface.
+                          Requires libxml.
+  --enable-sql            enable SQL database configuration backend.
+  --enable-smartcard      enable smartcard support.
+  --enable-cisco-quirks   enable support of Cisco VPN client.
+  --enable-leak-detective enable malloc hooks to find memory leaks.
+  --enable-lock-profiler  enable lock/mutex profiling code.
+  --enable-unit-tests     enable unit tests on IKEv2 daemon startup.
+  --enable-load-tester    enable load testing plugin for IKEv2 daemon.
+  --enable-eap-sim        enable SIM authenication module for EAP.
+  --enable-eap-sim-file   enable EAP-SIM backend based on a triplet file.
+  --enable-eap-simaka-pseudonym
+                          enable EAP-SIM/AKA pseudonym storage plugin.
+  --enable-eap-simaka-reauth
+                          enable EAP-SIM/AKA reauthentication data storage
+                          plugin.
+  --enable-eap-identity   enable EAP module providing EAP-Identity helper.
+  --enable-eap-md5        enable EAP MD5 (CHAP) authenication module.
+  --enable-eap-gtc        enable PAM based EAP GTC authenication module.
+  --enable-eap-aka        enable EAP AKA authentication module.
+  --enable-eap-aka-3gpp2  enable EAP AKA backend implementing 3GPP2 algorithms
+                          in software. Requires libgmp.
+  --enable-eap-mschapv2   enable EAP MS-CHAPv2 authenication module.
+  --enable-eap-radius     enable RADIUS proxy authenication module.
   --disable-kernel-netlink
-                          disable the netlink kernel interface. (default is
-                          NO).
-  --enable-kernel-pfkey   enable the PF_KEY kernel interface. (default is NO).
-  --enable-kernel-pfroute enable the PF_ROUTE kernel interface. (default is
-                          NO).
-  --enable-kernel-klips   enable the KLIPS kernel interface. (default is NO).
-  --enable-nat-transport  enable NAT traversal with IPsec transport mode
-                          (default is NO).
-  --disable-vendor-id     disable the sending of the strongSwan vendor ID
-                          (default is NO).
-  --disable-xauth-vid     disable the sending of the XAUTH vendor ID (default
-                          is NO).
-  --enable-dumm           build the DUMM UML test framework (default is NO).
-  --enable-fast           build libfast (FastCGI Application Server w/
-                          templates (default is NO).
-  --enable-manager        build web management console (default is NO).
-  --enable-mediation      enable IKEv2 Mediation Extension (default is NO).
+                          disable the netlink kernel interface.
+  --enable-kernel-pfkey   enable the PF_KEY kernel interface.
+  --enable-kernel-pfroute enable the PF_ROUTE kernel interface.
+  --enable-kernel-klips   enable the KLIPS kernel interface.
+  --enable-nat-transport  enable NAT traversal with IPsec transport mode in
+                          pluto.
+  --disable-vendor-id     disable the sending of the strongSwan vendor ID in
+                          pluto.
+  --disable-xauth-vid     disable the sending of the XAUTH vendor ID.
+  --enable-dumm           enable the DUMM UML test framework.
+  --enable-fast           enable libfast (FastCGI Application Server w/
+                          templates.
+  --enable-manager        enable web management console (proof of concept).
+  --enable-mediation      enable IKEv2 Mediation Extension.
   --enable-integrity-test enable integrity testing of libstrongswan and
-                          plugins (default is NO).
-  --disable-pluto         disable the IKEv1 keying daemon pluto. (default is
-                          NO).
+                          plugins.
+  --disable-pluto         disable the IKEv1 keying daemon pluto.
   --disable-threads       disable the use of threads in pluto. Charon always
-                          uses threads. (default is NO).
-  --disable-charon        disable the IKEv2 keying daemon charon. (default is
-                          NO).
-  --disable-tools         disable additional utilities (openac and
-                          scepclient). (default is NO).
+                          uses threads.
+  --disable-charon        disable the IKEv2 keying daemon charon.
+  --disable-tools         disable additional utilities (openac, scepclient and
+                          pki).
   --disable-scripts       disable additional utilities (found in directory
-                          scripts). (default is NO).
-  --disable-updown        disable updown firewall script plugin. (default is
-                          NO).
+                          scripts).
+  --disable-updown        disable updown firewall script plugin.
   --disable-attr          disable strongswan.conf based configuration
-                          attribute plugin. (default is NO).
-  --disable-resolv-conf   disable resolv.conf DNS handler plugin. (default is
-                          NO).
-  --enable-padlock        enables VIA Padlock crypto plugin. (default is NO).
-  --enable-openssl        enables the OpenSSL crypto plugin. (default is NO).
-  --enable-gcrypt         enables the libgcrypt plugin. (default is NO).
-  --enable-agent          enables the ssh-agent signing plugin. (default is
-                          NO).
-  --enable-uci            enable OpenWRT UCI configuration plugin (default is
-                          NO).
-  --enable-nm             enable NetworkManager plugin (default is NO).
+                          attribute plugin.
+  --enable-attr-sql       enable SQL based configuration attribute plugin.
+  --disable-resolve       disable resolve DNS handler plugin.
+  --enable-padlock        enables VIA Padlock crypto plugin.
+  --enable-openssl        enables the OpenSSL crypto plugin.
+  --enable-gcrypt         enables the libgcrypt plugin.
+  --enable-agent          enables the ssh-agent signing plugin.
+  --enable-uci            enable OpenWRT UCI configuration plugin.
+  --enable-nm             enable NetworkManager plugin.
   --enable-vstr           enforce using the Vstr string library to replace
-                          glibc-like printf hooks (default is NO).
+                          glibc-like printf hooks.
   --disable-dependency-tracking  speeds up one-time build
   --enable-dependency-tracking   do not reject slow dependency extractors
   --enable-shared[=PKGS]  build shared libraries [default=yes]
@@ -1939,52 +1887,48 @@ Optional Features:
 Optional Packages:
   --with-PACKAGE[=ARG]    use PACKAGE [ARG=yes]
   --without-PACKAGE       do not use PACKAGE (same as --with-PACKAGE=no)
-  --with-default-pkcs11=lib
-                          set the default PKCS11 library other than
-                          "/usr/lib/opensc-pkcs11.so"
+  --with-default-pkcs11=arg
+                          set the default PKCS11 library (default:
+                          /usr/lib/opensc-pkcs11.so).
+  --with-random-device=arg
+                          set the device to read real random data from
+                          (default: /dev/random).
+  --with-urandom-device=arg
+                          set the device to read pseudo random data from
+                          (default: /dev/urandom).
+  --with-strongswan-conf=arg
+                          set the strongswan.conf file location (default:
+                          ${sysconfdir}/strongswan.conf).
+  --with-resolv-conf=arg  set the file to use in DNS handler plugin (default:
+                          ${sysconfdir}/resolv.conf).
+  --with-piddir=arg       set path for PID and UNIX socket files (default:
+                          /var/run).
+  --with-ipsecdir=arg     set installation path for ipsec tools (default:
+                          ${libexecdir%/}/ipsec).
+  --with-plugindir=arg    set the installation path of plugins (default:
+                          ${ipsecdir%/}/plugins).
+  --with-nm-ca-dir=arg    directory the NM plugin uses to look up trusted root
+                          certificates (default: /usr/share/ca-certificates).
+  --with-linux-headers=arg
+                          set directory of linux header files to use (default:
+                          \${top_srcdir}/src/include).
+  --with-routing-table=arg
+                          set routing table to use for IPsec routes (default:
+                          220).
+  --with-routing-table-prio=arg
+                          set priority for IPsec routing table (default: 220).
+  --with-capabilities=arg set capability dropping library. Currently only the
+                          value "libcap" is supported (default: no).
   --with-xauth-module=lib set the path to the XAUTH module
-  --with-random-device=dev
-                          set the device for real random data other than
-                          "/dev/random"
-  --with-resolv-conf=file set the file to use in DNS handler plugin other than
-                          "sysconfdir/resolv.conf"
-  --with-strongswan-conf=file
-                          strongswan.conf file other than
-                          "sysconfdir/strongswan.conf"
-  --with-urandom-device=dev
-                          set the device for pseudo random data other than
-                          "/dev/urandom"
-  --with-piddir=dir       path for PID and UNIX socket files other than
-                          "/var/run"
-  --with-ipsecdir=dir     installation path for ipsec tools other than
-                          "libexecdir/ipsec"
-  --with-plugindir=dir    installation path for plugins other than
-                          "ipsecdir/plugins"
-  --with-sim-reader=library.so
-                          library containing the
-                          sim_run_alg()/sim_get_triplet() function for EAP-SIM
-  --with-linux-headers=dir
-                          use the linux header files in dir instead of the
-                          supplied ones in "src/include"
-  --with-routing-table=num
-                          use routing table for IPsec routes (default: 220)
-  --with-routing-table-prio=prio
-                          priority for IPsec routing table (default: 220)
-
   --with-user=user        change user of the daemons to "user" after startup
                           (default is "root").
   --with-group=group      change group of the daemons to "group" after startup
                           (default is "root").
-  --with-capabilities=libcap
-                          capability dropping using libcap. Currenlty only the
-                          value "libcap" is supported (default is NO).
   --with-lib-prefix[=DIR] search for libraries in DIR/include and DIR/lib
   --without-lib-prefix    don't search for libraries in includedir and libdir
   --with-pic              try to use only PIC/non-PIC objects [default=use
                           both]
   --with-gnu-ld           assume the C compiler uses GNU ld [default=no]
-  --with-libgcrypt-prefix=PFX
-                          prefix where LIBGCRYPT is installed (optional)
 
 Some influential environment variables:
   PKG_CONFIG  path to pkg-config utility
@@ -2011,6 +1955,7 @@ Some influential environment variables:
 Use these variables to override the choices made by `configure' or to help
 it to find libraries and programs with nonstandard names/locations.
 
+Report bugs to the package provider.
 _ACEOF
 ac_status=$?
 fi
@@ -2073,59 +2018,521 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-strongSwan configure 4.3.4
-generated by GNU Autoconf 2.63
+strongSwan configure 4.3.6
+generated by GNU Autoconf 2.64
 
-Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
-2002, 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation, Inc.
+Copyright (C) 2009 Free Software Foundation, Inc.
 This configure script is free software; the Free Software Foundation
 gives unlimited permission to copy, distribute and modify it.
 _ACEOF
   exit
 fi
-cat >config.log <<_ACEOF
-This file contains any messages produced by compilers while
-running configure, to aid debugging if configure makes a mistake.
-
-It was created by strongSwan $as_me 4.3.4, which was
-generated by GNU Autoconf 2.63.  Invocation command line was
 
-  $ $0 $@
+## ------------------------ ##
+## Autoconf initialization. ##
+## ------------------------ ##
 
-_ACEOF
-exec 5>>config.log
+# ac_fn_c_try_compile LINENO
+# --------------------------
+# Try to compile conftest.$ac_ext, and return whether this succeeded.
+ac_fn_c_try_compile ()
 {
-cat <<_ASUNAME
-## --------- ##
-## Platform. ##
-## --------- ##
-
-hostname = `(hostname || uname -n) 2>/dev/null | sed 1q`
-uname -m = `(uname -m) 2>/dev/null || echo unknown`
-uname -r = `(uname -r) 2>/dev/null || echo unknown`
-uname -s = `(uname -s) 2>/dev/null || echo unknown`
-uname -v = `(uname -v) 2>/dev/null || echo unknown`
-
-/usr/bin/uname -p = `(/usr/bin/uname -p) 2>/dev/null || echo unknown`
-/bin/uname -X     = `(/bin/uname -X) 2>/dev/null     || echo unknown`
+  as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
+  rm -f conftest.$ac_objext
+  if { { ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
+$as_echo "$ac_try_echo"; } >&5
+  (eval "$ac_compile") 2>conftest.err
+  ac_status=$?
+  if test -s conftest.err; then
+    grep -v '^ *+' conftest.err >conftest.er1
+    cat conftest.er1 >&5
+    mv -f conftest.er1 conftest.err
+  fi
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then :
+  ac_retval=0
+else
+  $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
 
-/bin/arch              = `(/bin/arch) 2>/dev/null              || echo unknown`
-/usr/bin/arch -k       = `(/usr/bin/arch -k) 2>/dev/null       || echo unknown`
-/usr/convex/getsysinfo = `(/usr/convex/getsysinfo) 2>/dev/null || echo unknown`
-/usr/bin/hostinfo      = `(/usr/bin/hostinfo) 2>/dev/null      || echo unknown`
-/bin/machine           = `(/bin/machine) 2>/dev/null           || echo unknown`
-/usr/bin/oslevel       = `(/usr/bin/oslevel) 2>/dev/null       || echo unknown`
-/bin/universe          = `(/bin/universe) 2>/dev/null          || echo unknown`
+	ac_retval=1
+fi
+  eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;}
+  return $ac_retval
 
-_ASUNAME
+} # ac_fn_c_try_compile
 
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
+# ac_fn_c_try_run LINENO
+# ----------------------
+# Try to link conftest.$ac_ext, and return whether this succeeded. Assumes
+# that executables *can* be run.
+ac_fn_c_try_run ()
+{
+  as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
+  if { { ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
+$as_echo "$ac_try_echo"; } >&5
+  (eval "$ac_link") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; } && { ac_try='./conftest$ac_exeext'
+  { { case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
+$as_echo "$ac_try_echo"; } >&5
+  (eval "$ac_try") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; }; then :
+  ac_retval=0
+else
+  $as_echo "$as_me: program exited with status $ac_status" >&5
+       $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+       ac_retval=$ac_status
+fi
+  rm -rf conftest.dSYM conftest_ipa8_conftest.oo
+  eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;}
+  return $ac_retval
+
+} # ac_fn_c_try_run
+
+# ac_fn_c_try_cpp LINENO
+# ----------------------
+# Try to preprocess conftest.$ac_ext, and return whether this succeeded.
+ac_fn_c_try_cpp ()
+{
+  as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
+  if { { ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
+$as_echo "$ac_try_echo"; } >&5
+  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.err
+  ac_status=$?
+  if test -s conftest.err; then
+    grep -v '^ *+' conftest.err >conftest.er1
+    cat conftest.er1 >&5
+    mv -f conftest.er1 conftest.err
+  fi
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; } >/dev/null && {
+	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       }; then :
+  ac_retval=0
+else
+  $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+    ac_retval=1
+fi
+  eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;}
+  return $ac_retval
+
+} # ac_fn_c_try_cpp
+
+# ac_fn_c_check_header_compile LINENO HEADER VAR INCLUDES
+# -------------------------------------------------------
+# Tests whether HEADER exists and can be compiled using the include files in
+# INCLUDES, setting the cache variable VAR accordingly.
+ac_fn_c_check_header_compile ()
+{
+  as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5
+$as_echo_n "checking for $2... " >&6; }
+if { as_var=$3; eval "test \"\${$as_var+set}\" = set"; }; then :
+  $as_echo_n "(cached) " >&6
+else
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+$4
+#include <$2>
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+  eval "$3=yes"
+else
+  eval "$3=no"
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+eval ac_res=\$$3
+	       { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
+$as_echo "$ac_res" >&6; }
+  eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;}
+
+} # ac_fn_c_check_header_compile
+
+# ac_fn_c_try_link LINENO
+# -----------------------
+# Try to link conftest.$ac_ext, and return whether this succeeded.
+ac_fn_c_try_link ()
+{
+  as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
+  rm -f conftest.$ac_objext conftest$ac_exeext
+  if { { ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
+$as_echo "$ac_try_echo"; } >&5
+  (eval "$ac_link") 2>conftest.err
+  ac_status=$?
+  if test -s conftest.err; then
+    grep -v '^ *+' conftest.err >conftest.er1
+    cat conftest.er1 >&5
+    mv -f conftest.er1 conftest.err
+  fi
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext && {
+	 test "$cross_compiling" = yes ||
+	 $as_test_x conftest$ac_exeext
+       }; then :
+  ac_retval=0
+else
+  $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	ac_retval=1
+fi
+  # Delete the IPA/IPO (Inter Procedural Analysis/Optimization) information
+  # created by the PGI compiler (conftest_ipa8_conftest.oo), as it would
+  # interfere with the next link command; also delete a directory that is
+  # left behind by Apple's compiler.  We do this before executing the actions.
+  rm -rf conftest.dSYM conftest_ipa8_conftest.oo
+  eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;}
+  return $ac_retval
+
+} # ac_fn_c_try_link
+
+# ac_fn_c_check_func LINENO FUNC VAR
+# ----------------------------------
+# Tests whether FUNC exists, setting the cache variable VAR accordingly
+ac_fn_c_check_func ()
+{
+  as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5
+$as_echo_n "checking for $2... " >&6; }
+if { as_var=$3; eval "test \"\${$as_var+set}\" = set"; }; then :
+  $as_echo_n "(cached) " >&6
+else
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+/* Define $2 to an innocuous variant, in case <limits.h> declares $2.
+   For example, HP-UX 11i <limits.h> declares gettimeofday.  */
+#define $2 innocuous_$2
+
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $2 (); below.
+    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+    <limits.h> exists even on freestanding compilers.  */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef $2
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char $2 ();
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined __stub_$2 || defined __stub___$2
+choke me
+#endif
+
+int
+main ()
+{
+return $2 ();
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  eval "$3=yes"
+else
+  eval "$3=no"
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+fi
+eval ac_res=\$$3
+	       { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
+$as_echo "$ac_res" >&6; }
+  eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;}
+
+} # ac_fn_c_check_func
+
+# ac_fn_c_check_type LINENO TYPE VAR INCLUDES
+# -------------------------------------------
+# Tests whether TYPE exists after having included INCLUDES, setting cache
+# variable VAR accordingly.
+ac_fn_c_check_type ()
+{
+  as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5
+$as_echo_n "checking for $2... " >&6; }
+if { as_var=$3; eval "test \"\${$as_var+set}\" = set"; }; then :
+  $as_echo_n "(cached) " >&6
+else
+  eval "$3=no"
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+$4
+int
+main ()
+{
+if (sizeof ($2))
+	 return 0;
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+$4
+int
+main ()
+{
+if (sizeof (($2)))
+	    return 0;
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+
+else
+  eval "$3=yes"
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+eval ac_res=\$$3
+	       { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
+$as_echo "$ac_res" >&6; }
+  eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;}
+
+} # ac_fn_c_check_type
+
+# ac_fn_c_check_header_mongrel LINENO HEADER VAR INCLUDES
+# -------------------------------------------------------
+# Tests whether HEADER exists, giving a warning if it cannot be compiled using
+# the include files in INCLUDES and setting the cache variable VAR
+# accordingly.
+ac_fn_c_check_header_mongrel ()
+{
+  as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
+  if { as_var=$3; eval "test \"\${$as_var+set}\" = set"; }; then :
+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5
+$as_echo_n "checking for $2... " >&6; }
+if { as_var=$3; eval "test \"\${$as_var+set}\" = set"; }; then :
+  $as_echo_n "(cached) " >&6
+fi
+eval ac_res=\$$3
+	       { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
+$as_echo "$ac_res" >&6; }
+else
+  # Is the header compilable?
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking $2 usability" >&5
+$as_echo_n "checking $2 usability... " >&6; }
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+$4
+#include <$2>
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+  ac_header_compiler=yes
+else
+  ac_header_compiler=no
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_header_compiler" >&5
+$as_echo "$ac_header_compiler" >&6; }
+
+# Is the header present?
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking $2 presence" >&5
+$as_echo_n "checking $2 presence... " >&6; }
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+#include <$2>
+_ACEOF
+if ac_fn_c_try_cpp "$LINENO"; then :
+  ac_header_preproc=yes
+else
+  ac_header_preproc=no
+fi
+rm -f conftest.err conftest.$ac_ext
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_header_preproc" >&5
+$as_echo "$ac_header_preproc" >&6; }
+
+# So?  What about this header?
+case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in #((
+  yes:no: )
+    { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: accepted by the compiler, rejected by the preprocessor!" >&5
+$as_echo "$as_me: WARNING: $2: accepted by the compiler, rejected by the preprocessor!" >&2;}
+    { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: proceeding with the compiler's result" >&5
+$as_echo "$as_me: WARNING: $2: proceeding with the compiler's result" >&2;}
+    ;;
+  no:yes:* )
+    { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: present but cannot be compiled" >&5
+$as_echo "$as_me: WARNING: $2: present but cannot be compiled" >&2;}
+    { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2:     check for missing prerequisite headers?" >&5
+$as_echo "$as_me: WARNING: $2:     check for missing prerequisite headers?" >&2;}
+    { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: see the Autoconf documentation" >&5
+$as_echo "$as_me: WARNING: $2: see the Autoconf documentation" >&2;}
+    { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2:     section \"Present But Cannot Be Compiled\"" >&5
+$as_echo "$as_me: WARNING: $2:     section \"Present But Cannot Be Compiled\"" >&2;}
+    { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: proceeding with the compiler's result" >&5
+$as_echo "$as_me: WARNING: $2: proceeding with the compiler's result" >&2;}
+    ;;
+esac
+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5
+$as_echo_n "checking for $2... " >&6; }
+if { as_var=$3; eval "test \"\${$as_var+set}\" = set"; }; then :
+  $as_echo_n "(cached) " >&6
+else
+  eval "$3=\$ac_header_compiler"
+fi
+eval ac_res=\$$3
+	       { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
+$as_echo "$ac_res" >&6; }
+fi
+  eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;}
+
+} # ac_fn_c_check_header_mongrel
+
+# ac_fn_c_check_member LINENO AGGR MEMBER VAR INCLUDES
+# ----------------------------------------------------
+# Tries to find if the field MEMBER exists in type AGGR, after including
+# INCLUDES, setting cache variable VAR accordingly.
+ac_fn_c_check_member ()
+{
+  as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2.$3" >&5
+$as_echo_n "checking for $2.$3... " >&6; }
+if { as_var=$4; eval "test \"\${$as_var+set}\" = set"; }; then :
+  $as_echo_n "(cached) " >&6
+else
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+$5
+int
+main ()
+{
+static $2 ac_aggr;
+if (ac_aggr.$3)
+return 0;
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+  eval "$4=yes"
+else
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+$5
+int
+main ()
+{
+static $2 ac_aggr;
+if (sizeof ac_aggr.$3)
+return 0;
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+  eval "$4=yes"
+else
+  eval "$4=no"
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+eval ac_res=\$$4
+	       { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
+$as_echo "$ac_res" >&6; }
+  eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;}
+
+} # ac_fn_c_check_member
+cat >config.log <<_ACEOF
+This file contains any messages produced by compilers while
+running configure, to aid debugging if configure makes a mistake.
+
+It was created by strongSwan $as_me 4.3.6, which was
+generated by GNU Autoconf 2.64.  Invocation command line was
+
+  $ $0 $@
+
+_ACEOF
+exec 5>>config.log
+{
+cat <<_ASUNAME
+## --------- ##
+## Platform. ##
+## --------- ##
+
+hostname = `(hostname || uname -n) 2>/dev/null | sed 1q`
+uname -m = `(uname -m) 2>/dev/null || echo unknown`
+uname -r = `(uname -r) 2>/dev/null || echo unknown`
+uname -s = `(uname -s) 2>/dev/null || echo unknown`
+uname -v = `(uname -v) 2>/dev/null || echo unknown`
+
+/usr/bin/uname -p = `(/usr/bin/uname -p) 2>/dev/null || echo unknown`
+/bin/uname -X     = `(/bin/uname -X) 2>/dev/null     || echo unknown`
+
+/bin/arch              = `(/bin/arch) 2>/dev/null              || echo unknown`
+/usr/bin/arch -k       = `(/usr/bin/arch -k) 2>/dev/null       || echo unknown`
+/usr/convex/getsysinfo = `(/usr/convex/getsysinfo) 2>/dev/null || echo unknown`
+/usr/bin/hostinfo      = `(/usr/bin/hostinfo) 2>/dev/null      || echo unknown`
+/bin/machine           = `(/bin/machine) 2>/dev/null           || echo unknown`
+/usr/bin/oslevel       = `(/usr/bin/oslevel) 2>/dev/null       || echo unknown`
+/bin/universe          = `(/bin/universe) 2>/dev/null          || echo unknown`
+
+_ASUNAME
+
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
-  $as_echo "PATH: $as_dir"
-done
+    $as_echo "PATH: $as_dir"
+  done
 IFS=$as_save_IFS
 
 } >&5
@@ -2162,9 +2569,9 @@ do
       ac_arg=`$as_echo "$ac_arg" | sed "s/'/'\\\\\\\\''/g"` ;;
     esac
     case $ac_pass in
-    1) ac_configure_args0="$ac_configure_args0 '$ac_arg'" ;;
+    1) as_fn_append ac_configure_args0 " '$ac_arg'" ;;
     2)
-      ac_configure_args1="$ac_configure_args1 '$ac_arg'"
+      as_fn_append ac_configure_args1 " '$ac_arg'"
       if test $ac_must_keep_next = true; then
 	ac_must_keep_next=false # Got value, back to normal.
       else
@@ -2180,13 +2587,13 @@ do
 	  -* ) ac_must_keep_next=true ;;
 	esac
       fi
-      ac_configure_args="$ac_configure_args '$ac_arg'"
+      as_fn_append ac_configure_args " '$ac_arg'"
       ;;
     esac
   done
 done
-$as_unset ac_configure_args0 || test "${ac_configure_args0+set}" != set || { ac_configure_args0=; export ac_configure_args0; }
-$as_unset ac_configure_args1 || test "${ac_configure_args1+set}" != set || { ac_configure_args1=; export ac_configure_args1; }
+{ ac_configure_args0=; unset ac_configure_args0;}
+{ ac_configure_args1=; unset ac_configure_args1;}
 
 # When interrupted or exit'd, cleanup temporary files, and complete
 # config.log.  We remove comments because anyway the quotes in there
@@ -2211,13 +2618,13 @@ _ASBOX
     case $ac_val in #(
     *${as_nl}*)
       case $ac_var in #(
-      *_cv_*) { $as_echo "$as_me:$LINENO: WARNING: cache variable $ac_var contains a newline" >&5
+      *_cv_*) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cache variable $ac_var contains a newline" >&5
 $as_echo "$as_me: WARNING: cache variable $ac_var contains a newline" >&2;} ;;
       esac
       case $ac_var in #(
       _ | IFS | as_nl) ;; #(
       BASH_ARGV | BASH_SOURCE) eval $ac_var= ;; #(
-      *) $as_unset $ac_var ;;
+      *) { eval $ac_var=; unset $ac_var;} ;;
       esac ;;
     esac
   done
@@ -2289,39 +2696,41 @@ _ASBOX
     exit $exit_status
 ' 0
 for ac_signal in 1 2 13 15; do
-  trap 'ac_signal='$ac_signal'; { (exit 1); exit 1; }' $ac_signal
+  trap 'ac_signal='$ac_signal'; as_fn_exit 1' $ac_signal
 done
 ac_signal=0
 
 # confdefs.h avoids OS command line length limits that DEFS can exceed.
 rm -f -r conftest* confdefs.h
 
+$as_echo "/* confdefs.h */" > confdefs.h
+
 # Predefined preprocessor variables.
 
 cat >>confdefs.h <<_ACEOF
 #define PACKAGE_NAME "$PACKAGE_NAME"
 _ACEOF
 
-
 cat >>confdefs.h <<_ACEOF
 #define PACKAGE_TARNAME "$PACKAGE_TARNAME"
 _ACEOF
 
-
 cat >>confdefs.h <<_ACEOF
 #define PACKAGE_VERSION "$PACKAGE_VERSION"
 _ACEOF
 
-
 cat >>confdefs.h <<_ACEOF
 #define PACKAGE_STRING "$PACKAGE_STRING"
 _ACEOF
 
-
 cat >>confdefs.h <<_ACEOF
 #define PACKAGE_BUGREPORT "$PACKAGE_BUGREPORT"
 _ACEOF
 
+cat >>confdefs.h <<_ACEOF
+#define PACKAGE_URL "$PACKAGE_URL"
+_ACEOF
+
 
 # Let the site file select an alternate cache file if it wants to.
 # Prefer an explicitly selected file to automatically selected ones.
@@ -2340,7 +2749,7 @@ for ac_site_file in "$ac_site_file1" "$ac_site_file2"
 do
   test "x$ac_site_file" = xNONE && continue
   if test -r "$ac_site_file"; then
-    { $as_echo "$as_me:$LINENO: loading site script $ac_site_file" >&5
+    { $as_echo "$as_me:${as_lineno-$LINENO}: loading site script $ac_site_file" >&5
 $as_echo "$as_me: loading site script $ac_site_file" >&6;}
     sed 's/^/| /' "$ac_site_file" >&5
     . "$ac_site_file"
@@ -2351,7 +2760,7 @@ if test -r "$cache_file"; then
   # Some versions of bash will fail to source /dev/null (special
   # files actually), so we avoid doing that.
   if test -f "$cache_file"; then
-    { $as_echo "$as_me:$LINENO: loading cache $cache_file" >&5
+    { $as_echo "$as_me:${as_lineno-$LINENO}: loading cache $cache_file" >&5
 $as_echo "$as_me: loading cache $cache_file" >&6;}
     case $cache_file in
       [\\/]* | ?:[\\/]* ) . "$cache_file";;
@@ -2359,7 +2768,7 @@ $as_echo "$as_me: loading cache $cache_file" >&6;}
     esac
   fi
 else
-  { $as_echo "$as_me:$LINENO: creating cache $cache_file" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: creating cache $cache_file" >&5
 $as_echo "$as_me: creating cache $cache_file" >&6;}
   >$cache_file
 fi
@@ -2374,11 +2783,11 @@ for ac_var in $ac_precious_vars; do
   eval ac_new_val=\$ac_env_${ac_var}_value
   case $ac_old_set,$ac_new_set in
     set,)
-      { $as_echo "$as_me:$LINENO: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&5
+      { $as_echo "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&5
 $as_echo "$as_me: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&2;}
       ac_cache_corrupted=: ;;
     ,set)
-      { $as_echo "$as_me:$LINENO: error: \`$ac_var' was not set in the previous run" >&5
+      { $as_echo "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' was not set in the previous run" >&5
 $as_echo "$as_me: error: \`$ac_var' was not set in the previous run" >&2;}
       ac_cache_corrupted=: ;;
     ,);;
@@ -2388,17 +2797,17 @@ $as_echo "$as_me: error: \`$ac_var' was not set in the previous run" >&2;}
 	ac_old_val_w=`echo x $ac_old_val`
 	ac_new_val_w=`echo x $ac_new_val`
 	if test "$ac_old_val_w" != "$ac_new_val_w"; then
-	  { $as_echo "$as_me:$LINENO: error: \`$ac_var' has changed since the previous run:" >&5
+	  { $as_echo "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' has changed since the previous run:" >&5
 $as_echo "$as_me: error: \`$ac_var' has changed since the previous run:" >&2;}
 	  ac_cache_corrupted=:
 	else
-	  { $as_echo "$as_me:$LINENO: warning: ignoring whitespace changes in \`$ac_var' since the previous run:" >&5
+	  { $as_echo "$as_me:${as_lineno-$LINENO}: warning: ignoring whitespace changes in \`$ac_var' since the previous run:" >&5
 $as_echo "$as_me: warning: ignoring whitespace changes in \`$ac_var' since the previous run:" >&2;}
 	  eval $ac_var=\$ac_old_val
 	fi
-	{ $as_echo "$as_me:$LINENO:   former value:  \`$ac_old_val'" >&5
+	{ $as_echo "$as_me:${as_lineno-$LINENO}:   former value:  \`$ac_old_val'" >&5
 $as_echo "$as_me:   former value:  \`$ac_old_val'" >&2;}
-	{ $as_echo "$as_me:$LINENO:   current value: \`$ac_new_val'" >&5
+	{ $as_echo "$as_me:${as_lineno-$LINENO}:   current value: \`$ac_new_val'" >&5
 $as_echo "$as_me:   current value: \`$ac_new_val'" >&2;}
       fi;;
   esac
@@ -2410,43 +2819,20 @@ $as_echo "$as_me:   current value: \`$ac_new_val'" >&2;}
     esac
     case " $ac_configure_args " in
       *" '$ac_arg' "*) ;; # Avoid dups.  Use of quotes ensures accuracy.
-      *) ac_configure_args="$ac_configure_args '$ac_arg'" ;;
+      *) as_fn_append ac_configure_args " '$ac_arg'" ;;
     esac
   fi
 done
 if $ac_cache_corrupted; then
-  { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
-  { $as_echo "$as_me:$LINENO: error: changes in the environment can compromise the build" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: error: changes in the environment can compromise the build" >&5
 $as_echo "$as_me: error: changes in the environment can compromise the build" >&2;}
-  { { $as_echo "$as_me:$LINENO: error: run \`make distclean' and/or \`rm $cache_file' and start over" >&5
-$as_echo "$as_me: error: run \`make distclean' and/or \`rm $cache_file' and start over" >&2;}
-   { (exit 1); exit 1; }; }
+  as_fn_error "run \`make distclean' and/or \`rm $cache_file' and start over" "$LINENO" 5
 fi
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+## -------------------- ##
+## Main body of script. ##
+## -------------------- ##
 
 ac_ext=c
 ac_cpp='$CPP $CPPFLAGS'
@@ -2455,28 +2841,20 @@ ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $
 ac_compiler_gnu=$ac_cv_c_compiler_gnu
 
 
-am__api_version='1.10'
+am__api_version='1.11'
 
 ac_aux_dir=
 for ac_dir in "$srcdir" "$srcdir/.." "$srcdir/../.."; do
-  if test -f "$ac_dir/install-sh"; then
-    ac_aux_dir=$ac_dir
-    ac_install_sh="$ac_aux_dir/install-sh -c"
-    break
-  elif test -f "$ac_dir/install.sh"; then
-    ac_aux_dir=$ac_dir
-    ac_install_sh="$ac_aux_dir/install.sh -c"
-    break
-  elif test -f "$ac_dir/shtool"; then
-    ac_aux_dir=$ac_dir
-    ac_install_sh="$ac_aux_dir/shtool install -c"
-    break
-  fi
+  for ac_t in install-sh install.sh shtool; do
+    if test -f "$ac_dir/$ac_t"; then
+      ac_aux_dir=$ac_dir
+      ac_install_sh="$ac_aux_dir/$ac_t -c"
+      break 2
+    fi
+  done
 done
 if test -z "$ac_aux_dir"; then
-  { { $as_echo "$as_me:$LINENO: error: cannot find install-sh or install.sh in \"$srcdir\" \"$srcdir/..\" \"$srcdir/../..\"" >&5
-$as_echo "$as_me: error: cannot find install-sh or install.sh in \"$srcdir\" \"$srcdir/..\" \"$srcdir/../..\"" >&2;}
-   { (exit 1); exit 1; }; }
+  as_fn_error "cannot find install-sh, install.sh, or shtool in \"$srcdir\" \"$srcdir/..\" \"$srcdir/../..\"" "$LINENO" 5
 fi
 
 # These three variables are undocumented and unsupported,
@@ -2502,10 +2880,10 @@ ac_configure="$SHELL $ac_aux_dir/configure"  # Please don't use this var.
 # OS/2's system install, which has a completely different semantic
 # ./install, which can be erroneously created by make from ./install.sh.
 # Reject install programs that cannot install multiple files.
-{ $as_echo "$as_me:$LINENO: checking for a BSD-compatible install" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for a BSD-compatible install" >&5
 $as_echo_n "checking for a BSD-compatible install... " >&6; }
 if test -z "$INSTALL"; then
-if test "${ac_cv_path_install+set}" = set; then
+if test "${ac_cv_path_install+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
   as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
@@ -2513,11 +2891,11 @@ for as_dir in $PATH
 do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
-  # Account for people who put trailing slashes in PATH elements.
-case $as_dir/ in
-  ./ | .// | /cC/* | \
+    # Account for people who put trailing slashes in PATH elements.
+case $as_dir/ in #((
+  ./ | .// | /[cC]/* | \
   /etc/* | /usr/sbin/* | /usr/etc/* | /sbin/* | /usr/afsws/bin/* | \
-  ?:\\/os2\\/install\\/* | ?:\\/OS2\\/INSTALL\\/* | \
+  ?:[\\/]os2[\\/]install[\\/]* | ?:[\\/]OS2[\\/]INSTALL[\\/]* | \
   /usr/ucb/* ) ;;
   *)
     # OSF1 and SCO ODT 3.0 have their own names for install.
@@ -2554,7 +2932,7 @@ case $as_dir/ in
     ;;
 esac
 
-done
+  done
 IFS=$as_save_IFS
 
 rm -rf conftest.one conftest.two conftest.dir
@@ -2570,7 +2948,7 @@ fi
     INSTALL=$ac_install_sh
   fi
 fi
-{ $as_echo "$as_me:$LINENO: result: $INSTALL" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $INSTALL" >&5
 $as_echo "$INSTALL" >&6; }
 
 # Use test -z because SunOS4 sh mishandles braces in ${var-val}.
@@ -2581,21 +2959,34 @@ test -z "$INSTALL_SCRIPT" && INSTALL_SCRIPT='${INSTALL}'
 
 test -z "$INSTALL_DATA" && INSTALL_DATA='${INSTALL} -m 644'
 
-{ $as_echo "$as_me:$LINENO: checking whether build environment is sane" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether build environment is sane" >&5
 $as_echo_n "checking whether build environment is sane... " >&6; }
 # Just in case
 sleep 1
 echo timestamp > conftest.file
+# Reject unsafe characters in $srcdir or the absolute working directory
+# name.  Accept space and tab only in the latter.
+am_lf='
+'
+case `pwd` in
+  *[\\\"\#\$\&\'\`$am_lf]*)
+    as_fn_error "unsafe absolute working directory name" "$LINENO" 5;;
+esac
+case $srcdir in
+  *[\\\"\#\$\&\'\`$am_lf\ \	]*)
+    as_fn_error "unsafe srcdir value: \`$srcdir'" "$LINENO" 5;;
+esac
+
 # Do `set' in a subshell so we don't clobber the current shell's
 # arguments.  Must try -L first in case configure is actually a
 # symlink; some systems play weird games with the mod time of symlinks
 # (eg FreeBSD returns the mod time of the symlink's containing
 # directory).
 if (
-   set X `ls -Lt $srcdir/configure conftest.file 2> /dev/null`
+   set X `ls -Lt "$srcdir/configure" conftest.file 2> /dev/null`
    if test "$*" = "X"; then
       # -L didn't work.
-      set X `ls -t $srcdir/configure conftest.file`
+      set X `ls -t "$srcdir/configure" conftest.file`
    fi
    rm -f conftest.file
    if test "$*" != "X $srcdir/configure conftest.file" \
@@ -2605,11 +2996,8 @@ if (
       # if, for instance, CONFIG_SHELL is bash and it inherits a
       # broken ls alias from the environment.  This has actually
       # happened.  Such a system could not be considered "sane".
-      { { $as_echo "$as_me:$LINENO: error: ls -t appears to fail.  Make sure there is not a broken
-alias in your environment" >&5
-$as_echo "$as_me: error: ls -t appears to fail.  Make sure there is not a broken
-alias in your environment" >&2;}
-   { (exit 1); exit 1; }; }
+      as_fn_error "ls -t appears to fail.  Make sure there is not a broken
+alias in your environment" "$LINENO" 5
    fi
 
    test "$2" = conftest.file
@@ -2618,13 +3006,10 @@ then
    # Ok.
    :
 else
-   { { $as_echo "$as_me:$LINENO: error: newly created file is older than distributed files!
-Check your system clock" >&5
-$as_echo "$as_me: error: newly created file is older than distributed files!
-Check your system clock" >&2;}
-   { (exit 1); exit 1; }; }
+   as_fn_error "newly created file is older than distributed files!
+Check your system clock" "$LINENO" 5
 fi
-{ $as_echo "$as_me:$LINENO: result: yes" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
 $as_echo "yes" >&6; }
 test "$program_prefix" != NONE &&
   program_transform_name="s&^&$program_prefix&;$program_transform_name"
@@ -2639,20 +3024,136 @@ program_transform_name=`$as_echo "$program_transform_name" | sed "$ac_script"`
 # expand $ac_aux_dir to an absolute path
 am_aux_dir=`cd $ac_aux_dir && pwd`
 
-test x"${MISSING+set}" = xset || MISSING="\${SHELL} $am_aux_dir/missing"
+if test x"${MISSING+set}" != xset; then
+  case $am_aux_dir in
+  *\ * | *\	*)
+    MISSING="\${SHELL} \"$am_aux_dir/missing\"" ;;
+  *)
+    MISSING="\${SHELL} $am_aux_dir/missing" ;;
+  esac
+fi
 # Use eval to expand $SHELL
 if eval "$MISSING --run true"; then
   am_missing_run="$MISSING --run "
 else
   am_missing_run=
-  { $as_echo "$as_me:$LINENO: WARNING: \`missing' script is too old or missing" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: \`missing' script is too old or missing" >&5
 $as_echo "$as_me: WARNING: \`missing' script is too old or missing" >&2;}
 fi
 
-{ $as_echo "$as_me:$LINENO: checking for a thread-safe mkdir -p" >&5
+if test x"${install_sh}" != xset; then
+  case $am_aux_dir in
+  *\ * | *\	*)
+    install_sh="\${SHELL} '$am_aux_dir/install-sh'" ;;
+  *)
+    install_sh="\${SHELL} $am_aux_dir/install-sh"
+  esac
+fi
+
+# Installed binaries are usually stripped using `strip' when the user
+# run `make install-strip'.  However `strip' might not be the right
+# tool to use in cross-compilation environments, therefore Automake
+# will honor the `STRIP' environment variable to overrule this program.
+if test "$cross_compiling" != no; then
+  if test -n "$ac_tool_prefix"; then
+  # Extract the first word of "${ac_tool_prefix}strip", so it can be a program name with args.
+set dummy ${ac_tool_prefix}strip; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if test "${ac_cv_prog_STRIP+set}" = set; then :
+  $as_echo_n "(cached) " >&6
+else
+  if test -n "$STRIP"; then
+  ac_cv_prog_STRIP="$STRIP" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+    ac_cv_prog_STRIP="${ac_tool_prefix}strip"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+fi
+fi
+STRIP=$ac_cv_prog_STRIP
+if test -n "$STRIP"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $STRIP" >&5
+$as_echo "$STRIP" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+fi
+if test -z "$ac_cv_prog_STRIP"; then
+  ac_ct_STRIP=$STRIP
+  # Extract the first word of "strip", so it can be a program name with args.
+set dummy strip; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if test "${ac_cv_prog_ac_ct_STRIP+set}" = set; then :
+  $as_echo_n "(cached) " >&6
+else
+  if test -n "$ac_ct_STRIP"; then
+  ac_cv_prog_ac_ct_STRIP="$ac_ct_STRIP" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+    ac_cv_prog_ac_ct_STRIP="strip"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+fi
+fi
+ac_ct_STRIP=$ac_cv_prog_ac_ct_STRIP
+if test -n "$ac_ct_STRIP"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_STRIP" >&5
+$as_echo "$ac_ct_STRIP" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+  if test "x$ac_ct_STRIP" = x; then
+    STRIP=":"
+  else
+    case $cross_compiling:$ac_tool_warned in
+yes:)
+{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5
+$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;}
+ac_tool_warned=yes ;;
+esac
+    STRIP=$ac_ct_STRIP
+  fi
+else
+  STRIP="$ac_cv_prog_STRIP"
+fi
+
+fi
+INSTALL_STRIP_PROGRAM="\$(install_sh) -c -s"
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for a thread-safe mkdir -p" >&5
 $as_echo_n "checking for a thread-safe mkdir -p... " >&6; }
 if test -z "$MKDIR_P"; then
-  if test "${ac_cv_path_mkdir+set}" = set; then
+  if test "${ac_cv_path_mkdir+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
   as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
@@ -2660,7 +3161,7 @@ for as_dir in $PATH$PATH_SEPARATOR/opt/sfw/bin
 do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
-  for ac_prog in mkdir gmkdir; do
+    for ac_prog in mkdir gmkdir; do
 	 for ac_exec_ext in '' $ac_executable_extensions; do
 	   { test -f "$as_dir/$ac_prog$ac_exec_ext" && $as_test_x "$as_dir/$ac_prog$ac_exec_ext"; } || continue
 	   case `"$as_dir/$ac_prog$ac_exec_ext" --version 2>&1` in #(
@@ -2672,7 +3173,7 @@ do
 	   esac
 	 done
        done
-done
+  done
 IFS=$as_save_IFS
 
 fi
@@ -2688,7 +3189,7 @@ fi
     MKDIR_P="$ac_install_sh -d"
   fi
 fi
-{ $as_echo "$as_me:$LINENO: result: $MKDIR_P" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $MKDIR_P" >&5
 $as_echo "$MKDIR_P" >&6; }
 
 mkdir_p="$MKDIR_P"
@@ -2701,9 +3202,9 @@ for ac_prog in gawk mawk nawk awk
 do
   # Extract the first word of "$ac_prog", so it can be a program name with args.
 set dummy $ac_prog; ac_word=$2
-{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_AWK+set}" = set; then
+if test "${ac_cv_prog_AWK+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
   if test -n "$AWK"; then
@@ -2714,24 +3215,24 @@ for as_dir in $PATH
 do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
+    for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_AWK="$ac_prog"
-    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
-done
+  done
 IFS=$as_save_IFS
 
 fi
 fi
 AWK=$ac_cv_prog_AWK
 if test -n "$AWK"; then
-  { $as_echo "$as_me:$LINENO: result: $AWK" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $AWK" >&5
 $as_echo "$AWK" >&6; }
 else
-  { $as_echo "$as_me:$LINENO: result: no" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; }
 fi
 
@@ -2739,11 +3240,11 @@ fi
   test -n "$AWK" && break
 done
 
-{ $as_echo "$as_me:$LINENO: checking whether ${MAKE-make} sets \$(MAKE)" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether ${MAKE-make} sets \$(MAKE)" >&5
 $as_echo_n "checking whether ${MAKE-make} sets \$(MAKE)... " >&6; }
 set x ${MAKE-make}
 ac_make=`$as_echo "$2" | sed 's/+/p/g; s/[^a-zA-Z0-9_]/_/g'`
-if { as_var=ac_cv_prog_make_${ac_make}_set; eval "test \"\${$as_var+set}\" = set"; }; then
+if { as_var=ac_cv_prog_make_${ac_make}_set; eval "test \"\${$as_var+set}\" = set"; }; then :
   $as_echo_n "(cached) " >&6
 else
   cat >conftest.make <<\_ACEOF
@@ -2761,11 +3262,11 @@ esac
 rm -f conftest.make
 fi
 if eval test \$ac_cv_prog_make_${ac_make}_set = yes; then
-  { $as_echo "$as_me:$LINENO: result: yes" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
 $as_echo "yes" >&6; }
   SET_MAKE=
 else
-  { $as_echo "$as_me:$LINENO: result: no" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; }
   SET_MAKE="MAKE=${MAKE-make}"
 fi
@@ -2785,9 +3286,7 @@ if test "`cd $srcdir && pwd`" != "`pwd`"; then
   am__isrc=' -I$(srcdir)'
   # test to see if srcdir already configured
   if test -f $srcdir/config.status; then
-    { { $as_echo "$as_me:$LINENO: error: source directory already configured; run \"make distclean\" there first" >&5
-$as_echo "$as_me: error: source directory already configured; run \"make distclean\" there first" >&2;}
-   { (exit 1); exit 1; }; }
+    as_fn_error "source directory already configured; run \"make distclean\" there first" "$LINENO" 5
   fi
 fi
 
@@ -2803,7 +3302,7 @@ fi
 
 # Define the identity of the package.
  PACKAGE='strongswan'
- VERSION='4.3.4'
+ VERSION='4.3.6'
 
 
 cat >>confdefs.h <<_ACEOF
@@ -2831,108 +3330,6 @@ AUTOHEADER=${AUTOHEADER-"${am_missing_run}autoheader"}
 
 MAKEINFO=${MAKEINFO-"${am_missing_run}makeinfo"}
 
-install_sh=${install_sh-"\$(SHELL) $am_aux_dir/install-sh"}
-
-# Installed binaries are usually stripped using `strip' when the user
-# run `make install-strip'.  However `strip' might not be the right
-# tool to use in cross-compilation environments, therefore Automake
-# will honor the `STRIP' environment variable to overrule this program.
-if test "$cross_compiling" != no; then
-  if test -n "$ac_tool_prefix"; then
-  # Extract the first word of "${ac_tool_prefix}strip", so it can be a program name with args.
-set dummy ${ac_tool_prefix}strip; ac_word=$2
-{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
-$as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_STRIP+set}" = set; then
-  $as_echo_n "(cached) " >&6
-else
-  if test -n "$STRIP"; then
-  ac_cv_prog_STRIP="$STRIP" # Let the user override the test.
-else
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-    ac_cv_prog_STRIP="${ac_tool_prefix}strip"
-    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
-    break 2
-  fi
-done
-done
-IFS=$as_save_IFS
-
-fi
-fi
-STRIP=$ac_cv_prog_STRIP
-if test -n "$STRIP"; then
-  { $as_echo "$as_me:$LINENO: result: $STRIP" >&5
-$as_echo "$STRIP" >&6; }
-else
-  { $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
-fi
-
-
-fi
-if test -z "$ac_cv_prog_STRIP"; then
-  ac_ct_STRIP=$STRIP
-  # Extract the first word of "strip", so it can be a program name with args.
-set dummy strip; ac_word=$2
-{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
-$as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_ac_ct_STRIP+set}" = set; then
-  $as_echo_n "(cached) " >&6
-else
-  if test -n "$ac_ct_STRIP"; then
-  ac_cv_prog_ac_ct_STRIP="$ac_ct_STRIP" # Let the user override the test.
-else
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-    ac_cv_prog_ac_ct_STRIP="strip"
-    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
-    break 2
-  fi
-done
-done
-IFS=$as_save_IFS
-
-fi
-fi
-ac_ct_STRIP=$ac_cv_prog_ac_ct_STRIP
-if test -n "$ac_ct_STRIP"; then
-  { $as_echo "$as_me:$LINENO: result: $ac_ct_STRIP" >&5
-$as_echo "$ac_ct_STRIP" >&6; }
-else
-  { $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
-fi
-
-  if test "x$ac_ct_STRIP" = x; then
-    STRIP=":"
-  else
-    case $cross_compiling:$ac_tool_warned in
-yes:)
-{ $as_echo "$as_me:$LINENO: WARNING: using cross tools not prefixed with host triplet" >&5
-$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;}
-ac_tool_warned=yes ;;
-esac
-    STRIP=$ac_ct_STRIP
-  fi
-else
-  STRIP="$ac_cv_prog_STRIP"
-fi
-
-fi
-INSTALL_STRIP_PROGRAM="\$(install_sh) -c -s"
-
 # We need awk for the "check" target.  The system "awk" is bad on
 # some platforms.
 # Always define AMTAR for backward compatibility.
@@ -2940,7 +3337,7 @@ INSTALL_STRIP_PROGRAM="\$(install_sh) -c -s"
 AMTAR=${AMTAR-"${am_missing_run}tar"}
 
 
-{ $as_echo "$as_me:$LINENO: checking how to create a ustar tar archive" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking how to create a ustar tar archive" >&5
 $as_echo_n "checking how to create a ustar tar archive... " >&6; }
 # Loop over all known methods to create a tar archive until one works.
 _am_tools='gnutar plaintar pax cpio none'
@@ -3013,20 +3410,19 @@ do
 done
 rm -rf conftest.dir
 
-if test "${am_cv_prog_tar_ustar+set}" = set; then
+if test "${am_cv_prog_tar_ustar+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
   am_cv_prog_tar_ustar=$_am_tool
 fi
 
-{ $as_echo "$as_me:$LINENO: result: $am_cv_prog_tar_ustar" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $am_cv_prog_tar_ustar" >&5
 $as_echo "$am_cv_prog_tar_ustar" >&6; }
 
 
 
 
 
-confdir='${sysconfdir}'
 
 
 
@@ -3034,9 +3430,9 @@ if test "x$ac_cv_env_PKG_CONFIG_set" != "xset"; then
 	if test -n "$ac_tool_prefix"; then
   # Extract the first word of "${ac_tool_prefix}pkg-config", so it can be a program name with args.
 set dummy ${ac_tool_prefix}pkg-config; ac_word=$2
-{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_path_PKG_CONFIG+set}" = set; then
+if test "${ac_cv_path_PKG_CONFIG+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
   case $PKG_CONFIG in
@@ -3049,14 +3445,14 @@ for as_dir in $PATH
 do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
+    for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_path_PKG_CONFIG="$as_dir/$ac_word$ac_exec_ext"
-    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
-done
+  done
 IFS=$as_save_IFS
 
   ;;
@@ -3064,10 +3460,10 @@ esac
 fi
 PKG_CONFIG=$ac_cv_path_PKG_CONFIG
 if test -n "$PKG_CONFIG"; then
-  { $as_echo "$as_me:$LINENO: result: $PKG_CONFIG" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PKG_CONFIG" >&5
 $as_echo "$PKG_CONFIG" >&6; }
 else
-  { $as_echo "$as_me:$LINENO: result: no" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; }
 fi
 
@@ -3077,9 +3473,9 @@ if test -z "$ac_cv_path_PKG_CONFIG"; then
   ac_pt_PKG_CONFIG=$PKG_CONFIG
   # Extract the first word of "pkg-config", so it can be a program name with args.
 set dummy pkg-config; ac_word=$2
-{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_path_ac_pt_PKG_CONFIG+set}" = set; then
+if test "${ac_cv_path_ac_pt_PKG_CONFIG+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
   case $ac_pt_PKG_CONFIG in
@@ -3092,14 +3488,14 @@ for as_dir in $PATH
 do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
+    for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_path_ac_pt_PKG_CONFIG="$as_dir/$ac_word$ac_exec_ext"
-    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
-done
+  done
 IFS=$as_save_IFS
 
   ;;
@@ -3107,10 +3503,10 @@ esac
 fi
 ac_pt_PKG_CONFIG=$ac_cv_path_ac_pt_PKG_CONFIG
 if test -n "$ac_pt_PKG_CONFIG"; then
-  { $as_echo "$as_me:$LINENO: result: $ac_pt_PKG_CONFIG" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_pt_PKG_CONFIG" >&5
 $as_echo "$ac_pt_PKG_CONFIG" >&6; }
 else
-  { $as_echo "$as_me:$LINENO: result: no" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; }
 fi
 
@@ -3119,7 +3515,7 @@ fi
   else
     case $cross_compiling:$ac_tool_warned in
 yes:)
-{ $as_echo "$as_me:$LINENO: WARNING: using cross tools not prefixed with host triplet" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5
 $as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;}
 ac_tool_warned=yes ;;
 esac
@@ -3132,13 +3528,13 @@ fi
 fi
 if test -n "$PKG_CONFIG"; then
 	_pkg_min_version=0.9.0
-	{ $as_echo "$as_me:$LINENO: checking pkg-config is at least version $_pkg_min_version" >&5
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking pkg-config is at least version $_pkg_min_version" >&5
 $as_echo_n "checking pkg-config is at least version $_pkg_min_version... " >&6; }
 	if $PKG_CONFIG --atleast-pkgconfig-version $_pkg_min_version; then
-		{ $as_echo "$as_me:$LINENO: result: yes" >&5
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
 $as_echo "yes" >&6; }
 	else
-		{ $as_echo "$as_me:$LINENO: result: no" >&5
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; }
 		PKG_CONFIG=""
 	fi
@@ -3147,53 +3543,48 @@ fi
 
 
 
-# Check whether --with-default-pkcs11 was given.
-if test "${with_default_pkcs11+set}" = set; then
-  withval=$with_default_pkcs11; cat >>confdefs.h <<_ACEOF
-#define PKCS11_DEFAULT_LIB "$withval"
-_ACEOF
+# ARG_WITH_SUBST(option, default, help)
+# -----------------------------------
+# Create a --with-$1 option with helptext, AC_SUBST($1) to $withval/default
 
-else
-  cat >>confdefs.h <<_ACEOF
-#define PKCS11_DEFAULT_LIB "/usr/lib/opensc-pkcs11.so"
-_ACEOF
 
+# ARG_WITH_SET(option, default, help)
+# -----------------------------------
+# Create a --with-$1 option with helptext, set a variable $1 to $withval/default
 
-fi
 
 
 
-# Check whether --with-xauth-module was given.
-if test "${with_xauth_module+set}" = set; then
-  withval=$with_xauth_module; cat >>confdefs.h <<_ACEOF
-#define XAUTH_DEFAULT_LIB "$withval"
-_ACEOF
+# Check whether --with-default-pkcs11 was given.
+if test "${with_default_pkcs11+set}" = set; then :
+  withval=$with_default_pkcs11; default_pkcs11="$withval"
+
+else
+  default_pkcs11="/usr/lib/opensc-pkcs11.so"
+
 
 fi
 
 
 
 # Check whether --with-random-device was given.
-if test "${with_random_device+set}" = set; then
-  withval=$with_random_device; cat >>confdefs.h <<_ACEOF
-#define DEV_RANDOM "$withval"
-_ACEOF
+if test "${with_random_device+set}" = set; then :
+  withval=$with_random_device; random_device="$withval"
 
 else
-  cat >>confdefs.h <<_ACEOF
-#define DEV_RANDOM "/dev/random"
-_ACEOF
+  random_device="/dev/random"
 
 
 fi
 
 
-# Check whether --with-resolv-conf was given.
-if test "${with_resolv_conf+set}" = set; then
-  withval=$with_resolv_conf; resolv_conf="$withval"
+
+# Check whether --with-urandom-device was given.
+if test "${with_urandom_device+set}" = set; then :
+  withval=$with_urandom_device; urandom_device="$withval"
 
 else
-  resolv_conf="${sysconfdir}/resolv.conf"
+  urandom_device="/dev/urandom"
 
 
 fi
@@ -3201,7 +3592,7 @@ fi
 
 
 # Check whether --with-strongswan-conf was given.
-if test "${with_strongswan_conf+set}" = set; then
+if test "${with_strongswan_conf+set}" = set; then :
   withval=$with_strongswan_conf; strongswan_conf="$withval"
 
 else
@@ -3212,16 +3603,12 @@ fi
 
 
 
-# Check whether --with-urandom-device was given.
-if test "${with_urandom_device+set}" = set; then
-  withval=$with_urandom_device; cat >>confdefs.h <<_ACEOF
-#define DEV_URANDOM "$withval"
-_ACEOF
+# Check whether --with-resolv-conf was given.
+if test "${with_resolv_conf+set}" = set; then :
+  withval=$with_resolv_conf; resolv_conf="$withval"
 
 else
-  cat >>confdefs.h <<_ACEOF
-#define DEV_URANDOM "/dev/urandom"
-_ACEOF
+  resolv_conf="${sysconfdir}/resolv.conf"
 
 
 fi
@@ -3229,7 +3616,7 @@ fi
 
 
 # Check whether --with-piddir was given.
-if test "${with_piddir+set}" = set; then
+if test "${with_piddir+set}" = set; then :
   withval=$with_piddir; piddir="$withval"
 
 else
@@ -3241,7 +3628,7 @@ fi
 
 
 # Check whether --with-ipsecdir was given.
-if test "${with_ipsecdir+set}" = set; then
+if test "${with_ipsecdir+set}" = set; then :
   withval=$with_ipsecdir; ipsecdir="$withval"
 
 else
@@ -3250,12 +3637,10 @@ else
 
 fi
 
-plugindir="${ipsecdir%/}/plugins"
-
 
 
 # Check whether --with-plugindir was given.
-if test "${with_plugindir+set}" = set; then
+if test "${with_plugindir+set}" = set; then :
   withval=$with_plugindir; plugindir="$withval"
 
 else
@@ -3266,12 +3651,12 @@ fi
 
 
 
-# Check whether --with-sim-reader was given.
-if test "${with_sim_reader+set}" = set; then
-  withval=$with_sim_reader; simreader="$withval"
+# Check whether --with-nm-ca-dir was given.
+if test "${with_nm_ca_dir+set}" = set; then :
+  withval=$with_nm_ca_dir; nm_ca_dir="$withval"
 
 else
-  simreader="${plugindir%/}/libeapsim-file.so"
+  nm_ca_dir="/usr/share/ca-certificates"
 
 
 fi
@@ -3279,30 +3664,23 @@ fi
 
 
 # Check whether --with-linux-headers was given.
-if test "${with_linux_headers+set}" = set; then
-  withval=$with_linux_headers; linuxdir="$withval"
+if test "${with_linux_headers+set}" = set; then :
+  withval=$with_linux_headers; linux_headers="$withval"
 
 else
-  linuxdir="\${top_srcdir}/src/include"
+  linux_headers="\${top_srcdir}/src/include"
 
 
 fi
 
 
 
-
 # Check whether --with-routing-table was given.
-if test "${with_routing_table+set}" = set; then
-  withval=$with_routing_table; cat >>confdefs.h <<_ACEOF
-#define IPSEC_ROUTING_TABLE $withval
-_ACEOF
- IPSEC_ROUTING_TABLE="$withval"
+if test "${with_routing_table+set}" = set; then :
+  withval=$with_routing_table; routing_table="$withval"
 
 else
-  cat >>confdefs.h <<_ACEOF
-#define IPSEC_ROUTING_TABLE 220
-_ACEOF
- IPSEC_ROUTING_TABLE="220"
+  routing_table="220"
 
 
 fi
@@ -3310,45 +3688,41 @@ fi
 
 
 # Check whether --with-routing-table-prio was given.
-if test "${with_routing_table_prio+set}" = set; then
-  withval=$with_routing_table_prio; cat >>confdefs.h <<_ACEOF
-#define IPSEC_ROUTING_TABLE_PRIO $withval
-_ACEOF
- IPSEC_ROUTING_TABLE_PRIO="$withval"
+if test "${with_routing_table_prio+set}" = set; then :
+  withval=$with_routing_table_prio; routing_table_prio="$withval"
 
 else
-  cat >>confdefs.h <<_ACEOF
-#define IPSEC_ROUTING_TABLE_PRIO 220
-_ACEOF
- IPSEC_ROUTING_TABLE_PRIO="220"
+  routing_table_prio="220"
 
 
 fi
 
 
 
-# Check whether --with-uid was given.
-if test "${with_uid+set}" = set; then
-  withval=$with_uid; { { $as_echo "$as_me:$LINENO: error: --with-uid is gone, use --with-user instead!" >&5
-$as_echo "$as_me: error: --with-uid is gone, use --with-user instead!" >&2;}
-   { (exit 1); exit 1; }; }
+
+# Check whether --with-capabilities was given.
+if test "${with_capabilities+set}" = set; then :
+  withval=$with_capabilities; capabilities="$withval"
+else
+  capabilities=no
 
 fi
 
 
 
-# Check whether --with-gid was given.
-if test "${with_gid+set}" = set; then
-  withval=$with_gid; { { $as_echo "$as_me:$LINENO: error: --with-gid is gone, use --with-group instead!" >&5
-$as_echo "$as_me: error: --with-gid is gone, use --with-group instead!" >&2;}
-   { (exit 1); exit 1; }; }
+
+# Check whether --with-xauth-module was given.
+if test "${with_xauth_module+set}" = set; then :
+  withval=$with_xauth_module; cat >>confdefs.h <<_ACEOF
+#define XAUTH_DEFAULT_LIB "$withval"
+_ACEOF
 
 fi
 
 
 
 # Check whether --with-user was given.
-if test "${with_user+set}" = set; then
+if test "${with_user+set}" = set; then :
   withval=$with_user; cat >>confdefs.h <<_ACEOF
 #define IPSEC_USER "$withval"
 _ACEOF
@@ -3363,7 +3737,7 @@ fi
 
 
 # Check whether --with-group was given.
-if test "${with_group+set}" = set; then
+if test "${with_group+set}" = set; then :
   withval=$with_group; cat >>confdefs.h <<_ACEOF
 #define IPSEC_GROUP "$withval"
 _ACEOF
@@ -3377,40 +3751,50 @@ fi
 
 
 
-# Check whether --with-capabilities was given.
-if test "${with_capabilities+set}" = set; then
-  withval=$with_capabilities; capabilities="$withval"
-else
-  capabilities=no
+# ARG_ENABL_SET(option, help)
+# ---------------------------
+# Create a --enable-$1 option with helptext, set a variable $1 to true/false
+
+
+# ARG_DISBL_SET(option, help)
+# ---------------------------
+# Create a --disable-$1 option with helptext, set a variable $1 to true/false
 
-fi
 
 
 # Check whether --enable-curl was given.
-if test "${enable_curl+set}" = set; then
+if test "${enable_curl+set}" = set; then :
   enableval=$enable_curl; if test x$enableval = xyes; then
-		curl=true
-	fi
+			curl=true
+		 else
+			curl=false
+		fi
+else
+  curl=false
 
 fi
 
 
 # Check whether --enable-ldap was given.
-if test "${enable_ldap+set}" = set; then
+if test "${enable_ldap+set}" = set; then :
   enableval=$enable_ldap; if test x$enableval = xyes; then
-		ldap=true
-	fi
+			ldap=true
+		 else
+			ldap=false
+		fi
+else
+  ldap=false
 
 fi
 
 
 # Check whether --enable-aes was given.
-if test "${enable_aes+set}" = set; then
+if test "${enable_aes+set}" = set; then :
   enableval=$enable_aes; if test x$enableval = xyes; then
-		aes=true
-	 else
-		aes=false
-	fi
+			aes=true
+		 else
+			aes=false
+		fi
 else
   aes=true
 
@@ -3418,12 +3802,12 @@ fi
 
 
 # Check whether --enable-des was given.
-if test "${enable_des+set}" = set; then
+if test "${enable_des+set}" = set; then :
   enableval=$enable_des; if test x$enableval = xyes; then
-		des=true
-	 else
-		des=false
-	fi
+			des=true
+		 else
+			des=false
+		fi
 else
   des=true
 
@@ -3431,30 +3815,38 @@ fi
 
 
 # Check whether --enable-blowfish was given.
-if test "${enable_blowfish+set}" = set; then
+if test "${enable_blowfish+set}" = set; then :
   enableval=$enable_blowfish; if test x$enableval = xyes; then
-		blowfish=true
-	fi
+			blowfish=true
+		 else
+			blowfish=false
+		fi
+else
+  blowfish=false
 
 fi
 
 
 # Check whether --enable-md4 was given.
-if test "${enable_md4+set}" = set; then
+if test "${enable_md4+set}" = set; then :
   enableval=$enable_md4; if test x$enableval = xyes; then
-		md4=true
-	fi
+			md4=true
+		 else
+			md4=false
+		fi
+else
+  md4=false
 
 fi
 
 
 # Check whether --enable-md5 was given.
-if test "${enable_md5+set}" = set; then
+if test "${enable_md5+set}" = set; then :
   enableval=$enable_md5; if test x$enableval = xyes; then
-		md5=true
-	 else
-		md5=false
-	fi
+			md5=true
+		 else
+			md5=false
+		fi
 else
   md5=true
 
@@ -3462,12 +3854,12 @@ fi
 
 
 # Check whether --enable-sha1 was given.
-if test "${enable_sha1+set}" = set; then
+if test "${enable_sha1+set}" = set; then :
   enableval=$enable_sha1; if test x$enableval = xyes; then
-		sha1=true
-	 else
-		sha1=false
-	fi
+			sha1=true
+		 else
+			sha1=false
+		fi
 else
   sha1=true
 
@@ -3475,12 +3867,12 @@ fi
 
 
 # Check whether --enable-sha2 was given.
-if test "${enable_sha2+set}" = set; then
+if test "${enable_sha2+set}" = set; then :
   enableval=$enable_sha2; if test x$enableval = xyes; then
-		sha2=true
-	 else
-		sha2=false
-	fi
+			sha2=true
+		 else
+			sha2=false
+		fi
 else
   sha2=true
 
@@ -3488,12 +3880,12 @@ fi
 
 
 # Check whether --enable-fips-prf was given.
-if test "${enable_fips_prf+set}" = set; then
+if test "${enable_fips_prf+set}" = set; then :
   enableval=$enable_fips_prf; if test x$enableval = xyes; then
-		fips_prf=true
-	 else
-		fips_prf=false
-	fi
+			fips_prf=true
+		 else
+			fips_prf=false
+		fi
 else
   fips_prf=true
 
@@ -3501,12 +3893,12 @@ fi
 
 
 # Check whether --enable-gmp was given.
-if test "${enable_gmp+set}" = set; then
+if test "${enable_gmp+set}" = set; then :
   enableval=$enable_gmp; if test x$enableval = xyes; then
-		gmp=true
-	 else
-		gmp=false
-	fi
+			gmp=true
+		 else
+			gmp=false
+		fi
 else
   gmp=true
 
@@ -3514,12 +3906,12 @@ fi
 
 
 # Check whether --enable-random was given.
-if test "${enable_random+set}" = set; then
+if test "${enable_random+set}" = set; then :
   enableval=$enable_random; if test x$enableval = xyes; then
-		random=true
-	 else
-		random=false
-	fi
+			random=true
+		 else
+			random=false
+		fi
 else
   random=true
 
@@ -3527,12 +3919,12 @@ fi
 
 
 # Check whether --enable-x509 was given.
-if test "${enable_x509+set}" = set; then
+if test "${enable_x509+set}" = set; then :
   enableval=$enable_x509; if test x$enableval = xyes; then
-		x509=true
-	 else
-		x509=false
-	fi
+			x509=true
+		 else
+			x509=false
+		fi
 else
   x509=true
 
@@ -3540,25 +3932,77 @@ fi
 
 
 # Check whether --enable-pubkey was given.
-if test "${enable_pubkey+set}" = set; then
+if test "${enable_pubkey+set}" = set; then :
   enableval=$enable_pubkey; if test x$enableval = xyes; then
-		pubkey=true
-	 else
-		pubkey=false
-	fi
+			pubkey=true
+		 else
+			pubkey=false
+		fi
 else
   pubkey=true
 
 fi
 
 
+# Check whether --enable-pkcs1 was given.
+if test "${enable_pkcs1+set}" = set; then :
+  enableval=$enable_pkcs1; if test x$enableval = xyes; then
+			pkcs1=true
+		 else
+			pkcs1=false
+		fi
+else
+  pkcs1=true
+
+fi
+
+
+# Check whether --enable-pgp was given.
+if test "${enable_pgp+set}" = set; then :
+  enableval=$enable_pgp; if test x$enableval = xyes; then
+			pgp=true
+		 else
+			pgp=false
+		fi
+else
+  pgp=true
+
+fi
+
+
+# Check whether --enable-dnskey was given.
+if test "${enable_dnskey+set}" = set; then :
+  enableval=$enable_dnskey; if test x$enableval = xyes; then
+			dnskey=true
+		 else
+			dnskey=false
+		fi
+else
+  dnskey=true
+
+fi
+
+
+# Check whether --enable-pem was given.
+if test "${enable_pem+set}" = set; then :
+  enableval=$enable_pem; if test x$enableval = xyes; then
+			pem=true
+		 else
+			pem=false
+		fi
+else
+  pem=true
+
+fi
+
+
 # Check whether --enable-hmac was given.
-if test "${enable_hmac+set}" = set; then
+if test "${enable_hmac+set}" = set; then :
   enableval=$enable_hmac; if test x$enableval = xyes; then
-		hmac=true
-	 else
-		hmac=false
-	fi
+			hmac=true
+		 else
+			hmac=false
+		fi
 else
   hmac=true
 
@@ -3566,12 +4010,12 @@ fi
 
 
 # Check whether --enable-xcbc was given.
-if test "${enable_xcbc+set}" = set; then
+if test "${enable_xcbc+set}" = set; then :
   enableval=$enable_xcbc; if test x$enableval = xyes; then
-		xcbc=true
-	 else
-		xcbc=false
-	fi
+			xcbc=true
+		 else
+			xcbc=false
+		fi
 else
   xcbc=true
 
@@ -3579,39 +4023,51 @@ fi
 
 
 # Check whether --enable-test-vectors was given.
-if test "${enable_test_vectors+set}" = set; then
+if test "${enable_test_vectors+set}" = set; then :
   enableval=$enable_test_vectors; if test x$enableval = xyes; then
-		test_vectors=true
-	fi
+			test_vectors=true
+		 else
+			test_vectors=false
+		fi
+else
+  test_vectors=false
 
 fi
 
 
 # Check whether --enable-mysql was given.
-if test "${enable_mysql+set}" = set; then
+if test "${enable_mysql+set}" = set; then :
   enableval=$enable_mysql; if test x$enableval = xyes; then
-		mysql=true
-	fi
+			mysql=true
+		 else
+			mysql=false
+		fi
+else
+  mysql=false
 
 fi
 
 
 # Check whether --enable-sqlite was given.
-if test "${enable_sqlite+set}" = set; then
+if test "${enable_sqlite+set}" = set; then :
   enableval=$enable_sqlite; if test x$enableval = xyes; then
-		sqlite=true
-	fi
+			sqlite=true
+		 else
+			sqlite=false
+		fi
+else
+  sqlite=false
 
 fi
 
 
 # Check whether --enable-stroke was given.
-if test "${enable_stroke+set}" = set; then
+if test "${enable_stroke+set}" = set; then :
   enableval=$enable_stroke; if test x$enableval = xyes; then
-		stroke=true
-	 else
-		stroke=false
-	fi
+			stroke=true
+		 else
+			stroke=false
+		fi
 else
   stroke=true
 
@@ -3619,174 +4075,285 @@ fi
 
 
 # Check whether --enable-medsrv was given.
-if test "${enable_medsrv+set}" = set; then
+if test "${enable_medsrv+set}" = set; then :
   enableval=$enable_medsrv; if test x$enableval = xyes; then
-		medsrv=true
-	fi
+			medsrv=true
+		 else
+			medsrv=false
+		fi
+else
+  medsrv=false
 
 fi
 
 
 # Check whether --enable-medcli was given.
-if test "${enable_medcli+set}" = set; then
+if test "${enable_medcli+set}" = set; then :
   enableval=$enable_medcli; if test x$enableval = xyes; then
-		medcli=true
-	fi
+			medcli=true
+		 else
+			medcli=false
+		fi
+else
+  medcli=false
 
 fi
 
 
 # Check whether --enable-smp was given.
-if test "${enable_smp+set}" = set; then
+if test "${enable_smp+set}" = set; then :
   enableval=$enable_smp; if test x$enableval = xyes; then
-		smp=true
-	fi
+			smp=true
+		 else
+			smp=false
+		fi
+else
+  smp=false
 
 fi
 
 
 # Check whether --enable-sql was given.
-if test "${enable_sql+set}" = set; then
+if test "${enable_sql+set}" = set; then :
   enableval=$enable_sql; if test x$enableval = xyes; then
-		sql=true
-	fi
+			sql=true
+		 else
+			sql=false
+		fi
+else
+  sql=false
 
 fi
 
 
 # Check whether --enable-smartcard was given.
-if test "${enable_smartcard+set}" = set; then
+if test "${enable_smartcard+set}" = set; then :
   enableval=$enable_smartcard; if test x$enableval = xyes; then
-		smartcard=true
-	fi
+			smartcard=true
+		 else
+			smartcard=false
+		fi
+else
+  smartcard=false
 
 fi
 
 
 # Check whether --enable-cisco-quirks was given.
-if test "${enable_cisco_quirks+set}" = set; then
+if test "${enable_cisco_quirks+set}" = set; then :
   enableval=$enable_cisco_quirks; if test x$enableval = xyes; then
-		cisco_quirks=true
-	fi
+			cisco_quirks=true
+		 else
+			cisco_quirks=false
+		fi
+else
+  cisco_quirks=false
 
 fi
 
 
 # Check whether --enable-leak-detective was given.
-if test "${enable_leak_detective+set}" = set; then
+if test "${enable_leak_detective+set}" = set; then :
   enableval=$enable_leak_detective; if test x$enableval = xyes; then
-		leak_detective=true
-	fi
+			leak_detective=true
+		 else
+			leak_detective=false
+		fi
+else
+  leak_detective=false
 
 fi
 
 
 # Check whether --enable-lock-profiler was given.
-if test "${enable_lock_profiler+set}" = set; then
+if test "${enable_lock_profiler+set}" = set; then :
   enableval=$enable_lock_profiler; if test x$enableval = xyes; then
-		lock_profiler=true
-	fi
+			lock_profiler=true
+		 else
+			lock_profiler=false
+		fi
+else
+  lock_profiler=false
 
 fi
 
 
 # Check whether --enable-unit-tests was given.
-if test "${enable_unit_tests+set}" = set; then
+if test "${enable_unit_tests+set}" = set; then :
   enableval=$enable_unit_tests; if test x$enableval = xyes; then
-		unittest=true
-	fi
+			unit_tests=true
+		 else
+			unit_tests=false
+		fi
+else
+  unit_tests=false
 
 fi
 
 
-# Check whether --enable-load-tests was given.
-if test "${enable_load_tests+set}" = set; then
-  enableval=$enable_load_tests; if test x$enableval = xyes; then
-		loadtest=true
-	fi
+# Check whether --enable-load-tester was given.
+if test "${enable_load_tester+set}" = set; then :
+  enableval=$enable_load_tester; if test x$enableval = xyes; then
+			load_tester=true
+		 else
+			load_tester=false
+		fi
+else
+  load_tester=false
 
 fi
 
 
 # Check whether --enable-eap-sim was given.
-if test "${enable_eap_sim+set}" = set; then
+if test "${enable_eap_sim+set}" = set; then :
   enableval=$enable_eap_sim; if test x$enableval = xyes; then
-		eap_sim=true
-	fi
+			eap_sim=true
+		 else
+			eap_sim=false
+		fi
+else
+  eap_sim=false
 
 fi
 
 
 # Check whether --enable-eap-sim-file was given.
-if test "${enable_eap_sim_file+set}" = set; then
+if test "${enable_eap_sim_file+set}" = set; then :
   enableval=$enable_eap_sim_file; if test x$enableval = xyes; then
-		eap_sim_file=true
-	fi
+			eap_sim_file=true
+		 else
+			eap_sim_file=false
+		fi
+else
+  eap_sim_file=false
+
+fi
+
+
+# Check whether --enable-eap-simaka-pseudonym was given.
+if test "${enable_eap_simaka_pseudonym+set}" = set; then :
+  enableval=$enable_eap_simaka_pseudonym; if test x$enableval = xyes; then
+			eap_simaka_pseudonym=true
+		 else
+			eap_simaka_pseudonym=false
+		fi
+else
+  eap_simaka_pseudonym=false
+
+fi
+
+
+# Check whether --enable-eap-simaka-reauth was given.
+if test "${enable_eap_simaka_reauth+set}" = set; then :
+  enableval=$enable_eap_simaka_reauth; if test x$enableval = xyes; then
+			eap_simaka_reauth=true
+		 else
+			eap_simaka_reauth=false
+		fi
+else
+  eap_simaka_reauth=false
 
 fi
 
 
 # Check whether --enable-eap-identity was given.
-if test "${enable_eap_identity+set}" = set; then
+if test "${enable_eap_identity+set}" = set; then :
   enableval=$enable_eap_identity; if test x$enableval = xyes; then
-		eap_identity=true
-	fi
+			eap_identity=true
+		 else
+			eap_identity=false
+		fi
+else
+  eap_identity=false
 
 fi
 
 
 # Check whether --enable-eap-md5 was given.
-if test "${enable_eap_md5+set}" = set; then
+if test "${enable_eap_md5+set}" = set; then :
   enableval=$enable_eap_md5; if test x$enableval = xyes; then
-		eap_md5=true
-	fi
+			eap_md5=true
+		 else
+			eap_md5=false
+		fi
+else
+  eap_md5=false
 
 fi
 
 
 # Check whether --enable-eap-gtc was given.
-if test "${enable_eap_gtc+set}" = set; then
+if test "${enable_eap_gtc+set}" = set; then :
   enableval=$enable_eap_gtc; if test x$enableval = xyes; then
-		eap_gtc=true
-	fi
+			eap_gtc=true
+		 else
+			eap_gtc=false
+		fi
+else
+  eap_gtc=false
 
 fi
 
 
 # Check whether --enable-eap-aka was given.
-if test "${enable_eap_aka+set}" = set; then
+if test "${enable_eap_aka+set}" = set; then :
   enableval=$enable_eap_aka; if test x$enableval = xyes; then
-		eap_aka=true
-	fi
+			eap_aka=true
+		 else
+			eap_aka=false
+		fi
+else
+  eap_aka=false
+
+fi
+
+
+# Check whether --enable-eap-aka-3gpp2 was given.
+if test "${enable_eap_aka_3gpp2+set}" = set; then :
+  enableval=$enable_eap_aka_3gpp2; if test x$enableval = xyes; then
+			eap_aka_3gpp2=true
+		 else
+			eap_aka_3gpp2=false
+		fi
+else
+  eap_aka_3gpp2=false
 
 fi
 
 
 # Check whether --enable-eap-mschapv2 was given.
-if test "${enable_eap_mschapv2+set}" = set; then
+if test "${enable_eap_mschapv2+set}" = set; then :
   enableval=$enable_eap_mschapv2; if test x$enableval = xyes; then
-		eap_mschapv2=true
-	fi
+			eap_mschapv2=true
+		 else
+			eap_mschapv2=false
+		fi
+else
+  eap_mschapv2=false
 
 fi
 
 
 # Check whether --enable-eap-radius was given.
-if test "${enable_eap_radius+set}" = set; then
+if test "${enable_eap_radius+set}" = set; then :
   enableval=$enable_eap_radius; if test x$enableval = xyes; then
-		eap_radius=true
-	fi
+			eap_radius=true
+		 else
+			eap_radius=false
+		fi
+else
+  eap_radius=false
 
 fi
 
 
 # Check whether --enable-kernel-netlink was given.
-if test "${enable_kernel_netlink+set}" = set; then
+if test "${enable_kernel_netlink+set}" = set; then :
   enableval=$enable_kernel_netlink; if test x$enableval = xyes; then
-		kernel_netlink=true
-	 else
-		kernel_netlink=false
-	fi
+			kernel_netlink=true
+		 else
+			kernel_netlink=false
+		fi
 else
   kernel_netlink=true
 
@@ -3794,48 +4361,64 @@ fi
 
 
 # Check whether --enable-kernel-pfkey was given.
-if test "${enable_kernel_pfkey+set}" = set; then
+if test "${enable_kernel_pfkey+set}" = set; then :
   enableval=$enable_kernel_pfkey; if test x$enableval = xyes; then
-		kernel_pfkey=true
-	fi
+			kernel_pfkey=true
+		 else
+			kernel_pfkey=false
+		fi
+else
+  kernel_pfkey=false
 
 fi
 
 
 # Check whether --enable-kernel-pfroute was given.
-if test "${enable_kernel_pfroute+set}" = set; then
+if test "${enable_kernel_pfroute+set}" = set; then :
   enableval=$enable_kernel_pfroute; if test x$enableval = xyes; then
-		kernel_pfroute=true
-	fi
+			kernel_pfroute=true
+		 else
+			kernel_pfroute=false
+		fi
+else
+  kernel_pfroute=false
 
 fi
 
 
 # Check whether --enable-kernel-klips was given.
-if test "${enable_kernel_klips+set}" = set; then
+if test "${enable_kernel_klips+set}" = set; then :
   enableval=$enable_kernel_klips; if test x$enableval = xyes; then
-		kernel_klips=true
-	fi
+			kernel_klips=true
+		 else
+			kernel_klips=false
+		fi
+else
+  kernel_klips=false
 
 fi
 
 
 # Check whether --enable-nat-transport was given.
-if test "${enable_nat_transport+set}" = set; then
+if test "${enable_nat_transport+set}" = set; then :
   enableval=$enable_nat_transport; if test x$enableval = xyes; then
-		nat_transport=true
-	fi
+			nat_transport=true
+		 else
+			nat_transport=false
+		fi
+else
+  nat_transport=false
 
 fi
 
 
 # Check whether --enable-vendor-id was given.
-if test "${enable_vendor_id+set}" = set; then
+if test "${enable_vendor_id+set}" = set; then :
   enableval=$enable_vendor_id; if test x$enableval = xyes; then
-		vendor_id=true
-	 else
-		vendor_id=false
-	fi
+			vendor_id=true
+		 else
+			vendor_id=false
+		fi
 else
   vendor_id=true
 
@@ -3843,12 +4426,12 @@ fi
 
 
 # Check whether --enable-xauth-vid was given.
-if test "${enable_xauth_vid+set}" = set; then
+if test "${enable_xauth_vid+set}" = set; then :
   enableval=$enable_xauth_vid; if test x$enableval = xyes; then
-		xauth_vid=true
-	 else
-		xauth_vid=false
-	fi
+			xauth_vid=true
+		 else
+			xauth_vid=false
+		fi
 else
   xauth_vid=true
 
@@ -3856,58 +4439,77 @@ fi
 
 
 # Check whether --enable-dumm was given.
-if test "${enable_dumm+set}" = set; then
+if test "${enable_dumm+set}" = set; then :
   enableval=$enable_dumm; if test x$enableval = xyes; then
-		dumm=true
-	fi
+			dumm=true
+		 else
+			dumm=false
+		fi
+else
+  dumm=false
 
 fi
 
 
 # Check whether --enable-fast was given.
-if test "${enable_fast+set}" = set; then
+if test "${enable_fast+set}" = set; then :
   enableval=$enable_fast; if test x$enableval = xyes; then
-		fast=true
-	fi
+			fast=true
+		 else
+			fast=false
+		fi
+else
+  fast=false
 
 fi
 
 
 # Check whether --enable-manager was given.
-if test "${enable_manager+set}" = set; then
+if test "${enable_manager+set}" = set; then :
   enableval=$enable_manager; if test x$enableval = xyes; then
-		manager=true
-		xml=true
-	fi
+			manager=true
+		 else
+			manager=false
+		fi
+else
+  manager=false
 
 fi
 
 
 # Check whether --enable-mediation was given.
-if test "${enable_mediation+set}" = set; then
+if test "${enable_mediation+set}" = set; then :
   enableval=$enable_mediation; if test x$enableval = xyes; then
-		me=true
-	fi
+			mediation=true
+		 else
+			mediation=false
+		fi
+else
+  mediation=false
 
 fi
 
 
 # Check whether --enable-integrity-test was given.
-if test "${enable_integrity_test+set}" = set; then
+if test "${enable_integrity_test+set}" = set; then :
   enableval=$enable_integrity_test; if test x$enableval = xyes; then
-		integrity_test=true
-	fi
+			integrity_test=true
+		 else
+			integrity_test=false
+		fi
+else
+  integrity_test=false
 
 fi
 
 
 # Check whether --enable-pluto was given.
-if test "${enable_pluto+set}" = set; then
+if test "${enable_pluto+set}" = set; then :
   enableval=$enable_pluto; if test x$enableval = xyes; then
-		pluto=true
-	 else
-		pluto=false
-	fi
+			pluto=true
+		 else
+			pluto=false
+		fi
 else
   pluto=true
 
@@ -3915,12 +4517,12 @@ fi
 
 
 # Check whether --enable-threads was given.
-if test "${enable_threads+set}" = set; then
+if test "${enable_threads+set}" = set; then :
   enableval=$enable_threads; if test x$enableval = xyes; then
-		threads=true
-	 else
-		threads=false
-	fi
+			threads=true
+		 else
+			threads=false
+		fi
 else
   threads=true
 
@@ -3928,12 +4530,12 @@ fi
 
 
 # Check whether --enable-charon was given.
-if test "${enable_charon+set}" = set; then
+if test "${enable_charon+set}" = set; then :
   enableval=$enable_charon; if test x$enableval = xyes; then
-		charon=true
-	 else
-		charon=false
-	fi
+			charon=true
+		 else
+			charon=false
+		fi
 else
   charon=true
 
@@ -3941,12 +4543,12 @@ fi
 
 
 # Check whether --enable-tools was given.
-if test "${enable_tools+set}" = set; then
+if test "${enable_tools+set}" = set; then :
   enableval=$enable_tools; if test x$enableval = xyes; then
-		tools=true
-	 else
-		tools=false
-	fi
+			tools=true
+		 else
+			tools=false
+		fi
 else
   tools=true
 
@@ -3954,12 +4556,12 @@ fi
 
 
 # Check whether --enable-scripts was given.
-if test "${enable_scripts+set}" = set; then
+if test "${enable_scripts+set}" = set; then :
   enableval=$enable_scripts; if test x$enableval = xyes; then
-		scripts=true
-	 else
-		scripts=false
-	fi
+			scripts=true
+		 else
+			scripts=false
+		fi
 else
   scripts=true
 
@@ -3967,12 +4569,12 @@ fi
 
 
 # Check whether --enable-updown was given.
-if test "${enable_updown+set}" = set; then
+if test "${enable_updown+set}" = set; then :
   enableval=$enable_updown; if test x$enableval = xyes; then
-		updown=true
-	 else
-		updown=false
-	fi
+			updown=true
+		 else
+			updown=false
+		fi
 else
   updown=true
 
@@ -3980,99 +4582,137 @@ fi
 
 
 # Check whether --enable-attr was given.
-if test "${enable_attr+set}" = set; then
+if test "${enable_attr+set}" = set; then :
   enableval=$enable_attr; if test x$enableval = xyes; then
-		attr=true
-	 else
-		attr=false
-	fi
+			attr=true
+		 else
+			attr=false
+		fi
 else
   attr=true
 
 fi
 
 
-# Check whether --enable-resolv-conf was given.
-if test "${enable_resolv_conf+set}" = set; then
-  enableval=$enable_resolv_conf; if test x$enableval = xyes; then
-		resolvconf=true
-	 else
-		resolvconf=false
-	fi
+# Check whether --enable-attr-sql was given.
+if test "${enable_attr_sql+set}" = set; then :
+  enableval=$enable_attr_sql; if test x$enableval = xyes; then
+			attr_sql=true
+		 else
+			attr_sql=false
+		fi
+else
+  attr_sql=false
+
+fi
+
+
+# Check whether --enable-resolve was given.
+if test "${enable_resolve+set}" = set; then :
+  enableval=$enable_resolve; if test x$enableval = xyes; then
+			resolve=true
+		 else
+			resolve=false
+		fi
 else
-  resolvconf=true
+  resolve=true
 
 fi
 
 
 # Check whether --enable-padlock was given.
-if test "${enable_padlock+set}" = set; then
+if test "${enable_padlock+set}" = set; then :
   enableval=$enable_padlock; if test x$enableval = xyes; then
-		padlock=true
-	 else
-		padlock=false
-	fi
+			padlock=true
+		 else
+			padlock=false
+		fi
+else
+  padlock=false
+
 fi
 
 
 # Check whether --enable-openssl was given.
-if test "${enable_openssl+set}" = set; then
+if test "${enable_openssl+set}" = set; then :
   enableval=$enable_openssl; if test x$enableval = xyes; then
-		openssl=true
-	 else
-		openssl=false
-	fi
+			openssl=true
+		 else
+			openssl=false
+		fi
+else
+  openssl=false
+
 fi
 
 
 # Check whether --enable-gcrypt was given.
-if test "${enable_gcrypt+set}" = set; then
+if test "${enable_gcrypt+set}" = set; then :
   enableval=$enable_gcrypt; if test x$enableval = xyes; then
-		gcrypt=true
-	 else
-		gcrypt=false
-	fi
+			gcrypt=true
+		 else
+			gcrypt=false
+		fi
+else
+  gcrypt=false
+
 fi
 
 
 # Check whether --enable-agent was given.
-if test "${enable_agent+set}" = set; then
+if test "${enable_agent+set}" = set; then :
   enableval=$enable_agent; if test x$enableval = xyes; then
-		agent=true
-	 else
-		agent=false
-	fi
+			agent=true
+		 else
+			agent=false
+		fi
+else
+  agent=false
+
 fi
 
 
 # Check whether --enable-uci was given.
-if test "${enable_uci+set}" = set; then
+if test "${enable_uci+set}" = set; then :
   enableval=$enable_uci; if test x$enableval = xyes; then
-		uci=true
-	fi
+			uci=true
+		 else
+			uci=false
+		fi
+else
+  uci=false
 
 fi
 
 
 # Check whether --enable-nm was given.
-if test "${enable_nm+set}" = set; then
+if test "${enable_nm+set}" = set; then :
   enableval=$enable_nm; if test x$enableval = xyes; then
-		nm=true
-	fi
+			nm=true
+		 else
+			nm=false
+		fi
+else
+  nm=false
 
 fi
 
 
 # Check whether --enable-vstr was given.
-if test "${enable_vstr+set}" = set; then
+if test "${enable_vstr+set}" = set; then :
   enableval=$enable_vstr; if test x$enableval = xyes; then
-	 	vstr=true
-	fi
+			vstr=true
+		 else
+			vstr=false
+		fi
+else
+  vstr=false
 
 fi
 
 
 
+
 if test -z "$CFLAGS"; then
 	CFLAGS="-g -O2 -Wall -Wno-format -Wno-pointer-sign -Wno-strict-aliasing"
 fi
@@ -4084,9 +4724,9 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu
 if test -n "$ac_tool_prefix"; then
   # Extract the first word of "${ac_tool_prefix}gcc", so it can be a program name with args.
 set dummy ${ac_tool_prefix}gcc; ac_word=$2
-{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_CC+set}" = set; then
+if test "${ac_cv_prog_CC+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
   if test -n "$CC"; then
@@ -4097,24 +4737,24 @@ for as_dir in $PATH
 do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
+    for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_CC="${ac_tool_prefix}gcc"
-    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
-done
+  done
 IFS=$as_save_IFS
 
 fi
 fi
 CC=$ac_cv_prog_CC
 if test -n "$CC"; then
-  { $as_echo "$as_me:$LINENO: result: $CC" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5
 $as_echo "$CC" >&6; }
 else
-  { $as_echo "$as_me:$LINENO: result: no" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; }
 fi
 
@@ -4124,9 +4764,9 @@ if test -z "$ac_cv_prog_CC"; then
   ac_ct_CC=$CC
   # Extract the first word of "gcc", so it can be a program name with args.
 set dummy gcc; ac_word=$2
-{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_ac_ct_CC+set}" = set; then
+if test "${ac_cv_prog_ac_ct_CC+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
   if test -n "$ac_ct_CC"; then
@@ -4137,24 +4777,24 @@ for as_dir in $PATH
 do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
+    for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_ac_ct_CC="gcc"
-    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
-done
+  done
 IFS=$as_save_IFS
 
 fi
 fi
 ac_ct_CC=$ac_cv_prog_ac_ct_CC
 if test -n "$ac_ct_CC"; then
-  { $as_echo "$as_me:$LINENO: result: $ac_ct_CC" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_CC" >&5
 $as_echo "$ac_ct_CC" >&6; }
 else
-  { $as_echo "$as_me:$LINENO: result: no" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; }
 fi
 
@@ -4163,7 +4803,7 @@ fi
   else
     case $cross_compiling:$ac_tool_warned in
 yes:)
-{ $as_echo "$as_me:$LINENO: WARNING: using cross tools not prefixed with host triplet" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5
 $as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;}
 ac_tool_warned=yes ;;
 esac
@@ -4177,9 +4817,9 @@ if test -z "$CC"; then
           if test -n "$ac_tool_prefix"; then
     # Extract the first word of "${ac_tool_prefix}cc", so it can be a program name with args.
 set dummy ${ac_tool_prefix}cc; ac_word=$2
-{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_CC+set}" = set; then
+if test "${ac_cv_prog_CC+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
   if test -n "$CC"; then
@@ -4190,24 +4830,24 @@ for as_dir in $PATH
 do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
+    for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_CC="${ac_tool_prefix}cc"
-    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
-done
+  done
 IFS=$as_save_IFS
 
 fi
 fi
 CC=$ac_cv_prog_CC
 if test -n "$CC"; then
-  { $as_echo "$as_me:$LINENO: result: $CC" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5
 $as_echo "$CC" >&6; }
 else
-  { $as_echo "$as_me:$LINENO: result: no" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; }
 fi
 
@@ -4217,9 +4857,9 @@ fi
 if test -z "$CC"; then
   # Extract the first word of "cc", so it can be a program name with args.
 set dummy cc; ac_word=$2
-{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_CC+set}" = set; then
+if test "${ac_cv_prog_CC+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
   if test -n "$CC"; then
@@ -4231,18 +4871,18 @@ for as_dir in $PATH
 do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
+    for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     if test "$as_dir/$ac_word$ac_exec_ext" = "/usr/ucb/cc"; then
        ac_prog_rejected=yes
        continue
      fi
     ac_cv_prog_CC="cc"
-    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
-done
+  done
 IFS=$as_save_IFS
 
 if test $ac_prog_rejected = yes; then
@@ -4261,10 +4901,10 @@ fi
 fi
 CC=$ac_cv_prog_CC
 if test -n "$CC"; then
-  { $as_echo "$as_me:$LINENO: result: $CC" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5
 $as_echo "$CC" >&6; }
 else
-  { $as_echo "$as_me:$LINENO: result: no" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; }
 fi
 
@@ -4276,9 +4916,9 @@ if test -z "$CC"; then
   do
     # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args.
 set dummy $ac_tool_prefix$ac_prog; ac_word=$2
-{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_CC+set}" = set; then
+if test "${ac_cv_prog_CC+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
   if test -n "$CC"; then
@@ -4289,24 +4929,24 @@ for as_dir in $PATH
 do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
+    for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_CC="$ac_tool_prefix$ac_prog"
-    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
-done
+  done
 IFS=$as_save_IFS
 
 fi
 fi
 CC=$ac_cv_prog_CC
 if test -n "$CC"; then
-  { $as_echo "$as_me:$LINENO: result: $CC" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5
 $as_echo "$CC" >&6; }
 else
-  { $as_echo "$as_me:$LINENO: result: no" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; }
 fi
 
@@ -4320,9 +4960,9 @@ if test -z "$CC"; then
 do
   # Extract the first word of "$ac_prog", so it can be a program name with args.
 set dummy $ac_prog; ac_word=$2
-{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_ac_ct_CC+set}" = set; then
+if test "${ac_cv_prog_ac_ct_CC+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
   if test -n "$ac_ct_CC"; then
@@ -4333,24 +4973,24 @@ for as_dir in $PATH
 do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
+    for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_ac_ct_CC="$ac_prog"
-    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
-done
+  done
 IFS=$as_save_IFS
 
 fi
 fi
 ac_ct_CC=$ac_cv_prog_ac_ct_CC
 if test -n "$ac_ct_CC"; then
-  { $as_echo "$as_me:$LINENO: result: $ac_ct_CC" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_CC" >&5
 $as_echo "$ac_ct_CC" >&6; }
 else
-  { $as_echo "$as_me:$LINENO: result: no" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; }
 fi
 
@@ -4363,7 +5003,7 @@ done
   else
     case $cross_compiling:$ac_tool_warned in
 yes:)
-{ $as_echo "$as_me:$LINENO: WARNING: using cross tools not prefixed with host triplet" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5
 $as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;}
 ac_tool_warned=yes ;;
 esac
@@ -4374,73 +5014,55 @@ fi
 fi
 
 
-test -z "$CC" && { { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5
+test -z "$CC" && { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
-{ { $as_echo "$as_me:$LINENO: error: no acceptable C compiler found in \$PATH
-See \`config.log' for more details." >&5
-$as_echo "$as_me: error: no acceptable C compiler found in \$PATH
-See \`config.log' for more details." >&2;}
-   { (exit 1); exit 1; }; }; }
+as_fn_error "no acceptable C compiler found in \$PATH
+See \`config.log' for more details." "$LINENO" 5; }
 
 # Provide some information about the compiler.
-$as_echo "$as_me:$LINENO: checking for C compiler version" >&5
+$as_echo "$as_me:${as_lineno-$LINENO}: checking for C compiler version" >&5
 set X $ac_compile
 ac_compiler=$2
-{ (ac_try="$ac_compiler --version >&5"
+for ac_option in --version -v -V -qversion; do
+  { { ac_try="$ac_compiler $ac_option >&5"
 case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_compiler --version >&5") 2>&5
+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
+$as_echo "$ac_try_echo"; } >&5
+  (eval "$ac_compiler $ac_option >&5") 2>conftest.err
   ac_status=$?
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }
-{ (ac_try="$ac_compiler -v >&5"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_compiler -v >&5") 2>&5
-  ac_status=$?
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }
-{ (ac_try="$ac_compiler -V >&5"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_compiler -V >&5") 2>&5
-  ac_status=$?
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }
+  if test -s conftest.err; then
+    sed '10a\
+... rest of stderr output deleted ...
+         10q' conftest.err >conftest.er1
+    cat conftest.er1 >&5
+    rm -f conftest.er1 conftest.err
+  fi
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }
+done
 
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
-
+#include <stdio.h>
 int
 main ()
 {
+FILE *f = fopen ("conftest.out", "w");
+ return ferror (f) || fclose (f) != 0;
 
   ;
   return 0;
 }
 _ACEOF
 ac_clean_files_save=$ac_clean_files
-ac_clean_files="$ac_clean_files a.out a.out.dSYM a.exe b.out"
+ac_clean_files="$ac_clean_files a.out a.out.dSYM a.exe b.out conftest.out"
 # Try to create an executable without -o first, disregard a.out.
 # It will help us diagnose broken compilers, and finding out an intuition
 # of exeext.
-{ $as_echo "$as_me:$LINENO: checking for C compiler default output file name" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for C compiler default output file name" >&5
 $as_echo_n "checking for C compiler default output file name... " >&6; }
 ac_link_default=`$as_echo "$ac_link" | sed 's/ -o *conftest[^ ]*//'`
 
@@ -4457,17 +5079,17 @@ do
 done
 rm -f $ac_rmfiles
 
-if { (ac_try="$ac_link_default"
+if { { ac_try="$ac_link_default"
 case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
+$as_echo "$ac_try_echo"; } >&5
   (eval "$ac_link_default") 2>&5
   ac_status=$?
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; then
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; then :
   # Autoconf-2.13 could set the ac_cv_exeext variable to `no'.
 # So ignore a value of `no', otherwise this would lead to `EXEEXT = no'
 # in a Makefile.  We should not override ac_cv_exeext if it was cached,
@@ -4484,7 +5106,7 @@ do
 	# certainly right.
 	break;;
     *.* )
-        if test "${ac_cv_exeext+set}" = set && test "$ac_cv_exeext" != no;
+	if test "${ac_cv_exeext+set}" = set && test "$ac_cv_exeext" != no;
 	then :; else
 	   ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'`
 	fi
@@ -4503,84 +5125,75 @@ test "$ac_cv_exeext" = no && ac_cv_exeext=
 else
   ac_file=''
 fi
-
-{ $as_echo "$as_me:$LINENO: result: $ac_file" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_file" >&5
 $as_echo "$ac_file" >&6; }
-if test -z "$ac_file"; then
+if test -z "$ac_file"; then :
   $as_echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-{ { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5
+{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
-{ { $as_echo "$as_me:$LINENO: error: C compiler cannot create executables
-See \`config.log' for more details." >&5
-$as_echo "$as_me: error: C compiler cannot create executables
-See \`config.log' for more details." >&2;}
-   { (exit 77); exit 77; }; }; }
+{ as_fn_set_status 77
+as_fn_error "C compiler cannot create executables
+See \`config.log' for more details." "$LINENO" 5; }; }
 fi
-
 ac_exeext=$ac_cv_exeext
 
 # Check that the compiler produces executables we can run.  If not, either
 # the compiler is broken, or we cross compile.
-{ $as_echo "$as_me:$LINENO: checking whether the C compiler works" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the C compiler works" >&5
 $as_echo_n "checking whether the C compiler works... " >&6; }
-# FIXME: These cross compiler hacks should be removed for Autoconf 3.0
 # If not cross compiling, check that we can run a simple program.
 if test "$cross_compiling" != yes; then
   if { ac_try='./$ac_file'
-  { (case "(($ac_try" in
+  { { case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
+$as_echo "$ac_try_echo"; } >&5
   (eval "$ac_try") 2>&5
   ac_status=$?
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; }; then
     cross_compiling=no
   else
     if test "$cross_compiling" = maybe; then
 	cross_compiling=yes
     else
-	{ { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5
+	{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
-{ { $as_echo "$as_me:$LINENO: error: cannot run C compiled programs.
-If you meant to cross compile, use \`--host'.
-See \`config.log' for more details." >&5
-$as_echo "$as_me: error: cannot run C compiled programs.
+as_fn_error "cannot run C compiled programs.
 If you meant to cross compile, use \`--host'.
-See \`config.log' for more details." >&2;}
-   { (exit 1); exit 1; }; }; }
+See \`config.log' for more details." "$LINENO" 5; }
     fi
   fi
 fi
-{ $as_echo "$as_me:$LINENO: result: yes" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
 $as_echo "yes" >&6; }
 
-rm -f -r a.out a.out.dSYM a.exe conftest$ac_cv_exeext b.out
+rm -f -r a.out a.out.dSYM a.exe conftest$ac_cv_exeext b.out conftest.out
 ac_clean_files=$ac_clean_files_save
 # Check that the compiler produces executables we can run.  If not, either
 # the compiler is broken, or we cross compile.
-{ $as_echo "$as_me:$LINENO: checking whether we are cross compiling" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether we are cross compiling" >&5
 $as_echo_n "checking whether we are cross compiling... " >&6; }
-{ $as_echo "$as_me:$LINENO: result: $cross_compiling" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $cross_compiling" >&5
 $as_echo "$cross_compiling" >&6; }
 
-{ $as_echo "$as_me:$LINENO: checking for suffix of executables" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for suffix of executables" >&5
 $as_echo_n "checking for suffix of executables... " >&6; }
-if { (ac_try="$ac_link"
+if { { ac_try="$ac_link"
 case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
+$as_echo "$ac_try_echo"; } >&5
   (eval "$ac_link") 2>&5
   ac_status=$?
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; then
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; then :
   # If both `conftest.exe' and `conftest' are `present' (well, observable)
 # catch `conftest.exe'.  For instance with Cygwin, `ls conftest' will
 # work properly (i.e., refer to `conftest.exe'), while it won't with
@@ -4595,32 +5208,24 @@ for ac_file in conftest.exe conftest conftest.*; do
   esac
 done
 else
-  { { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5
+  { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
-{ { $as_echo "$as_me:$LINENO: error: cannot compute suffix of executables: cannot compile and link
-See \`config.log' for more details." >&5
-$as_echo "$as_me: error: cannot compute suffix of executables: cannot compile and link
-See \`config.log' for more details." >&2;}
-   { (exit 1); exit 1; }; }; }
+as_fn_error "cannot compute suffix of executables: cannot compile and link
+See \`config.log' for more details." "$LINENO" 5; }
 fi
-
 rm -f conftest$ac_cv_exeext
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_exeext" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_exeext" >&5
 $as_echo "$ac_cv_exeext" >&6; }
 
 rm -f conftest.$ac_ext
 EXEEXT=$ac_cv_exeext
 ac_exeext=$EXEEXT
-{ $as_echo "$as_me:$LINENO: checking for suffix of object files" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for suffix of object files" >&5
 $as_echo_n "checking for suffix of object files... " >&6; }
-if test "${ac_cv_objext+set}" = set; then
+if test "${ac_cv_objext+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
 int
@@ -4632,17 +5237,17 @@ main ()
 }
 _ACEOF
 rm -f conftest.o conftest.obj
-if { (ac_try="$ac_compile"
+if { { ac_try="$ac_compile"
 case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
+$as_echo "$ac_try_echo"; } >&5
   (eval "$ac_compile") 2>&5
   ac_status=$?
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; then
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; then :
   for ac_file in conftest.o conftest.obj conftest.*; do
   test -f "$ac_file" || continue;
   case $ac_file in
@@ -4655,31 +5260,23 @@ else
   $as_echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-{ { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5
+{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
-{ { $as_echo "$as_me:$LINENO: error: cannot compute suffix of object files: cannot compile
-See \`config.log' for more details." >&5
-$as_echo "$as_me: error: cannot compute suffix of object files: cannot compile
-See \`config.log' for more details." >&2;}
-   { (exit 1); exit 1; }; }; }
+as_fn_error "cannot compute suffix of object files: cannot compile
+See \`config.log' for more details." "$LINENO" 5; }
 fi
-
 rm -f conftest.$ac_cv_objext conftest.$ac_ext
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_objext" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_objext" >&5
 $as_echo "$ac_cv_objext" >&6; }
 OBJEXT=$ac_cv_objext
 ac_objext=$OBJEXT
-{ $as_echo "$as_me:$LINENO: checking whether we are using the GNU C compiler" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether we are using the GNU C compiler" >&5
 $as_echo_n "checking whether we are using the GNU C compiler... " >&6; }
-if test "${ac_cv_c_compiler_gnu+set}" = set; then
+if test "${ac_cv_c_compiler_gnu+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
 int
@@ -4693,37 +5290,16 @@ main ()
   return 0;
 }
 _ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
+if ac_fn_c_try_compile "$LINENO"; then :
   ac_compiler_gnu=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_compiler_gnu=no
+  ac_compiler_gnu=no
 fi
-
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 ac_cv_c_compiler_gnu=$ac_compiler_gnu
 
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_c_compiler_gnu" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_c_compiler_gnu" >&5
 $as_echo "$ac_cv_c_compiler_gnu" >&6; }
 if test $ac_compiler_gnu = yes; then
   GCC=yes
@@ -4732,20 +5308,16 @@ else
 fi
 ac_test_CFLAGS=${CFLAGS+set}
 ac_save_CFLAGS=$CFLAGS
-{ $as_echo "$as_me:$LINENO: checking whether $CC accepts -g" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $CC accepts -g" >&5
 $as_echo_n "checking whether $CC accepts -g... " >&6; }
-if test "${ac_cv_prog_cc_g+set}" = set; then
+if test "${ac_cv_prog_cc_g+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
   ac_save_c_werror_flag=$ac_c_werror_flag
    ac_c_werror_flag=yes
    ac_cv_prog_cc_g=no
    CFLAGS="-g"
-   cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
+   cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
 int
@@ -4756,35 +5328,11 @@ main ()
   return 0;
 }
 _ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
+if ac_fn_c_try_compile "$LINENO"; then :
   ac_cv_prog_cc_g=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	CFLAGS=""
-      cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
+  CFLAGS=""
+      cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
 int
@@ -4795,36 +5343,12 @@ main ()
   return 0;
 }
 _ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  :
-else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+if ac_fn_c_try_compile "$LINENO"; then :
 
-	ac_c_werror_flag=$ac_save_c_werror_flag
+else
+  ac_c_werror_flag=$ac_save_c_werror_flag
 	 CFLAGS="-g"
-	 cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
+	 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
 int
@@ -4835,42 +5359,17 @@ main ()
   return 0;
 }
 _ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
+if ac_fn_c_try_compile "$LINENO"; then :
   ac_cv_prog_cc_g=yes
-else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-
 fi
-
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
-
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
-
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
    ac_c_werror_flag=$ac_save_c_werror_flag
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_prog_cc_g" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_g" >&5
 $as_echo "$ac_cv_prog_cc_g" >&6; }
 if test "$ac_test_CFLAGS" = set; then
   CFLAGS=$ac_save_CFLAGS
@@ -4887,18 +5386,14 @@ else
     CFLAGS=
   fi
 fi
-{ $as_echo "$as_me:$LINENO: checking for $CC option to accept ISO C89" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $CC option to accept ISO C89" >&5
 $as_echo_n "checking for $CC option to accept ISO C89... " >&6; }
-if test "${ac_cv_prog_cc_c89+set}" = set; then
+if test "${ac_cv_prog_cc_c89+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
   ac_cv_prog_cc_c89=no
 ac_save_CC=$CC
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 #include <stdarg.h>
 #include <stdio.h>
@@ -4955,32 +5450,9 @@ for ac_arg in '' -qlanglvl=extc89 -qlanglvl=ansi -std \
 	-Ae "-Aa -D_HPUX_SOURCE" "-Xc -D__EXTENSIONS__"
 do
   CC="$ac_save_CC $ac_arg"
-  rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
+  if ac_fn_c_try_compile "$LINENO"; then :
   ac_cv_prog_cc_c89=$ac_arg
-else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-
 fi
-
 rm -f core conftest.err conftest.$ac_objext
   test "x$ac_cv_prog_cc_c89" != "xno" && break
 done
@@ -4991,17 +5463,19 @@ fi
 # AC_CACHE_VAL
 case "x$ac_cv_prog_cc_c89" in
   x)
-    { $as_echo "$as_me:$LINENO: result: none needed" >&5
+    { $as_echo "$as_me:${as_lineno-$LINENO}: result: none needed" >&5
 $as_echo "none needed" >&6; } ;;
   xno)
-    { $as_echo "$as_me:$LINENO: result: unsupported" >&5
+    { $as_echo "$as_me:${as_lineno-$LINENO}: result: unsupported" >&5
 $as_echo "unsupported" >&6; } ;;
   *)
     CC="$CC $ac_cv_prog_cc_c89"
-    { $as_echo "$as_me:$LINENO: result: $ac_cv_prog_cc_c89" >&5
+    { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_c89" >&5
 $as_echo "$ac_cv_prog_cc_c89" >&6; } ;;
 esac
+if test "x$ac_cv_prog_cc_c89" != xno; then :
 
+fi
 
 ac_ext=c
 ac_cpp='$CPP $CPPFLAGS'
@@ -5016,44 +5490,44 @@ ac_config_commands="$ac_config_commands depfiles"
 am_make=${MAKE-make}
 cat > confinc << 'END'
 am__doit:
-	@echo done
+	@echo this is the am__doit target
 .PHONY: am__doit
 END
 # If we don't find an include directive, just comment out the code.
-{ $as_echo "$as_me:$LINENO: checking for style of include used by $am_make" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for style of include used by $am_make" >&5
 $as_echo_n "checking for style of include used by $am_make... " >&6; }
 am__include="#"
 am__quote=
 _am_result=none
 # First try GNU make style include.
 echo "include confinc" > confmf
-# We grep out `Entering directory' and `Leaving directory'
-# messages which can occur if `w' ends up in MAKEFLAGS.
-# In particular we don't look at `^make:' because GNU make might
-# be invoked under some other name (usually "gmake"), in which
-# case it prints its new name instead of `make'.
-if test "`$am_make -s -f confmf 2> /dev/null | grep -v 'ing directory'`" = "done"; then
-   am__include=include
-   am__quote=
-   _am_result=GNU
-fi
+# Ignore all kinds of additional output from `make'.
+case `$am_make -s -f confmf 2> /dev/null` in #(
+*the\ am__doit\ target*)
+  am__include=include
+  am__quote=
+  _am_result=GNU
+  ;;
+esac
 # Now try BSD make style include.
 if test "$am__include" = "#"; then
    echo '.include "confinc"' > confmf
-   if test "`$am_make -s -f confmf 2> /dev/null`" = "done"; then
-      am__include=.include
-      am__quote="\""
-      _am_result=BSD
-   fi
+   case `$am_make -s -f confmf 2> /dev/null` in #(
+   *the\ am__doit\ target*)
+     am__include=.include
+     am__quote="\""
+     _am_result=BSD
+     ;;
+   esac
 fi
 
 
-{ $as_echo "$as_me:$LINENO: result: $_am_result" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $_am_result" >&5
 $as_echo "$_am_result" >&6; }
 rm -f confinc confmf
 
 # Check whether --enable-dependency-tracking was given.
-if test "${enable_dependency_tracking+set}" = set; then
+if test "${enable_dependency_tracking+set}" = set; then :
   enableval=$enable_dependency_tracking;
 fi
 
@@ -5073,9 +5547,9 @@ fi
 
 depcc="$CC"   am_compiler_list=
 
-{ $as_echo "$as_me:$LINENO: checking dependency style of $depcc" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking dependency style of $depcc" >&5
 $as_echo_n "checking dependency style of $depcc... " >&6; }
-if test "${am_cv_CC_dependencies_compiler_type+set}" = set; then
+if test "${am_cv_CC_dependencies_compiler_type+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
   if test -z "$AMDEP_TRUE" && test -f "$am_depcomp"; then
@@ -5101,6 +5575,11 @@ else
   if test "$am_compiler_list" = ""; then
      am_compiler_list=`sed -n 's/^#*\([a-zA-Z0-9]*\))$/\1/p' < ./depcomp`
   fi
+  am__universal=false
+  case " $depcc " in #(
+     *\ -arch\ *\ -arch\ *) am__universal=true ;;
+     esac
+
   for depmode in $am_compiler_list; do
     # Setup a source with many dependencies, because some compilers
     # like to wrap large dependency lists on column 80 (with \), and
@@ -5118,7 +5597,17 @@ else
     done
     echo "${am__include} ${am__quote}sub/conftest.Po${am__quote}" > confmf
 
+    # We check with `-c' and `-o' for the sake of the "dashmstdout"
+    # mode.  It turns out that the SunPro C++ compiler does not properly
+    # handle `-M -o', and we need to detect this.  Also, some Intel
+    # versions had trouble with output in subdirs
+    am__obj=sub/conftest.${OBJEXT-o}
+    am__minus_obj="-o $am__obj"
     case $depmode in
+    gcc)
+      # This depmode causes a compiler race in universal mode.
+      test "$am__universal" = false || continue
+      ;;
     nosideeffect)
       # after this tag, mechanisms are not by side-effect, so they'll
       # only be used when explicitly requested
@@ -5128,19 +5617,23 @@ else
 	break
       fi
       ;;
+    msvisualcpp | msvcmsys)
+      # This compiler won't grok `-c -o', but also, the minuso test has
+      # not run yet.  These depmodes are late enough in the game, and
+      # so weak that their functioning should not be impacted.
+      am__obj=conftest.${OBJEXT-o}
+      am__minus_obj=
+      ;;
     none) break ;;
     esac
-    # We check with `-c' and `-o' for the sake of the "dashmstdout"
-    # mode.  It turns out that the SunPro C++ compiler does not properly
-    # handle `-M -o', and we need to detect this.
     if depmode=$depmode \
-       source=sub/conftest.c object=sub/conftest.${OBJEXT-o} \
+       source=sub/conftest.c object=$am__obj \
        depfile=sub/conftest.Po tmpdepfile=sub/conftest.TPo \
-       $SHELL ./depcomp $depcc -c -o sub/conftest.${OBJEXT-o} sub/conftest.c \
+       $SHELL ./depcomp $depcc -c $am__minus_obj sub/conftest.c \
          >/dev/null 2>conftest.err &&
        grep sub/conftst1.h sub/conftest.Po > /dev/null 2>&1 &&
        grep sub/conftst6.h sub/conftest.Po > /dev/null 2>&1 &&
-       grep sub/conftest.${OBJEXT-o} sub/conftest.Po > /dev/null 2>&1 &&
+       grep $am__obj sub/conftest.Po > /dev/null 2>&1 &&
        ${MAKE-make} -s -f confmf > /dev/null 2>&1; then
       # icc doesn't choke on unknown options, it will just issue warnings
       # or remarks (even with -Werror).  So we grep stderr for any message
@@ -5164,7 +5657,7 @@ else
 fi
 
 fi
-{ $as_echo "$as_me:$LINENO: result: $am_cv_CC_dependencies_compiler_type" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $am_cv_CC_dependencies_compiler_type" >&5
 $as_echo "$am_cv_CC_dependencies_compiler_type" >&6; }
 CCDEPMODE=depmode=$am_cv_CC_dependencies_compiler_type
 
@@ -5181,35 +5674,27 @@ fi
 
 # Make sure we can run config.sub.
 $SHELL "$ac_aux_dir/config.sub" sun4 >/dev/null 2>&1 ||
-  { { $as_echo "$as_me:$LINENO: error: cannot run $SHELL $ac_aux_dir/config.sub" >&5
-$as_echo "$as_me: error: cannot run $SHELL $ac_aux_dir/config.sub" >&2;}
-   { (exit 1); exit 1; }; }
+  as_fn_error "cannot run $SHELL $ac_aux_dir/config.sub" "$LINENO" 5
 
-{ $as_echo "$as_me:$LINENO: checking build system type" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking build system type" >&5
 $as_echo_n "checking build system type... " >&6; }
-if test "${ac_cv_build+set}" = set; then
+if test "${ac_cv_build+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
   ac_build_alias=$build_alias
 test "x$ac_build_alias" = x &&
   ac_build_alias=`$SHELL "$ac_aux_dir/config.guess"`
 test "x$ac_build_alias" = x &&
-  { { $as_echo "$as_me:$LINENO: error: cannot guess build type; you must specify one" >&5
-$as_echo "$as_me: error: cannot guess build type; you must specify one" >&2;}
-   { (exit 1); exit 1; }; }
+  as_fn_error "cannot guess build type; you must specify one" "$LINENO" 5
 ac_cv_build=`$SHELL "$ac_aux_dir/config.sub" $ac_build_alias` ||
-  { { $as_echo "$as_me:$LINENO: error: $SHELL $ac_aux_dir/config.sub $ac_build_alias failed" >&5
-$as_echo "$as_me: error: $SHELL $ac_aux_dir/config.sub $ac_build_alias failed" >&2;}
-   { (exit 1); exit 1; }; }
+  as_fn_error "$SHELL $ac_aux_dir/config.sub $ac_build_alias failed" "$LINENO" 5
 
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_build" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_build" >&5
 $as_echo "$ac_cv_build" >&6; }
 case $ac_cv_build in
 *-*-*) ;;
-*) { { $as_echo "$as_me:$LINENO: error: invalid value of canonical build" >&5
-$as_echo "$as_me: error: invalid value of canonical build" >&2;}
-   { (exit 1); exit 1; }; };;
+*) as_fn_error "invalid value of canonical build" "$LINENO" 5;;
 esac
 build=$ac_cv_build
 ac_save_IFS=$IFS; IFS='-'
@@ -5225,28 +5710,24 @@ IFS=$ac_save_IFS
 case $build_os in *\ *) build_os=`echo "$build_os" | sed 's/ /-/g'`;; esac
 
 
-{ $as_echo "$as_me:$LINENO: checking host system type" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking host system type" >&5
 $as_echo_n "checking host system type... " >&6; }
-if test "${ac_cv_host+set}" = set; then
+if test "${ac_cv_host+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
   if test "x$host_alias" = x; then
   ac_cv_host=$ac_cv_build
 else
   ac_cv_host=`$SHELL "$ac_aux_dir/config.sub" $host_alias` ||
-    { { $as_echo "$as_me:$LINENO: error: $SHELL $ac_aux_dir/config.sub $host_alias failed" >&5
-$as_echo "$as_me: error: $SHELL $ac_aux_dir/config.sub $host_alias failed" >&2;}
-   { (exit 1); exit 1; }; }
+    as_fn_error "$SHELL $ac_aux_dir/config.sub $host_alias failed" "$LINENO" 5
 fi
 
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_host" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_host" >&5
 $as_echo "$ac_cv_host" >&6; }
 case $ac_cv_host in
 *-*-*) ;;
-*) { { $as_echo "$as_me:$LINENO: error: invalid value of canonical host" >&5
-$as_echo "$as_me: error: invalid value of canonical host" >&2;}
-   { (exit 1); exit 1; }; };;
+*) as_fn_error "invalid value of canonical host" "$LINENO" 5;;
 esac
 host=$ac_cv_host
 ac_save_IFS=$IFS; IFS='-'
@@ -5318,7 +5799,7 @@ case $host_os in *\ *) host_os=`echo "$host_os" | sed 's/ /-/g'`;; esac
 
 
 # Check whether --with-lib-prefix was given.
-if test "${with_lib_prefix+set}" = set; then
+if test "${with_lib_prefix+set}" = set; then :
   withval=$with_lib_prefix;
     if test "X$withval" = "Xno"; then
       use_additional=no
@@ -5417,14 +5898,14 @@ ac_cpp='$CPP $CPPFLAGS'
 ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
 ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
 ac_compiler_gnu=$ac_cv_c_compiler_gnu
-{ $as_echo "$as_me:$LINENO: checking how to run the C preprocessor" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking how to run the C preprocessor" >&5
 $as_echo_n "checking how to run the C preprocessor... " >&6; }
 # On Suns, sometimes $CPP names a directory.
 if test -n "$CPP" && test -d "$CPP"; then
   CPP=
 fi
 if test -z "$CPP"; then
-  if test "${ac_cv_prog_CPP+set}" = set; then
+  if test "${ac_cv_prog_CPP+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
       # Double quotes because CPP needs to be expanded
@@ -5439,11 +5920,7 @@ do
   # <limits.h> exists even on freestanding compilers.
   # On the NeXT, cc -E runs the code through the compiler's parser,
   # not just through cpp. "Syntax error" is here to catch this case.
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 #ifdef __STDC__
 # include <limits.h>
@@ -5452,78 +5929,34 @@ cat >>conftest.$ac_ext <<_ACEOF
 #endif
 		     Syntax error
 _ACEOF
-if { (ac_try="$ac_cpp conftest.$ac_ext"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } >/dev/null && {
-	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       }; then
-  :
-else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+if ac_fn_c_try_cpp "$LINENO"; then :
 
+else
   # Broken: fails on valid input.
 continue
 fi
-
 rm -f conftest.err conftest.$ac_ext
 
   # OK, works on sane cases.  Now check whether nonexistent headers
   # can be detected and how.
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 #include <ac_nonexistent.h>
 _ACEOF
-if { (ac_try="$ac_cpp conftest.$ac_ext"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } >/dev/null && {
-	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       }; then
+if ac_fn_c_try_cpp "$LINENO"; then :
   # Broken: success on invalid input.
 continue
 else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
   # Passes both tests.
 ac_preproc_ok=:
 break
 fi
-
 rm -f conftest.err conftest.$ac_ext
 
 done
 # Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped.
 rm -f conftest.err conftest.$ac_ext
-if $ac_preproc_ok; then
+if $ac_preproc_ok; then :
   break
 fi
 
@@ -5535,7 +5968,7 @@ fi
 else
   ac_cv_prog_CPP=$CPP
 fi
-{ $as_echo "$as_me:$LINENO: result: $CPP" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $CPP" >&5
 $as_echo "$CPP" >&6; }
 ac_preproc_ok=false
 for ac_c_preproc_warn_flag in '' yes
@@ -5546,11 +5979,7 @@ do
   # <limits.h> exists even on freestanding compilers.
   # On the NeXT, cc -E runs the code through the compiler's parser,
   # not just through cpp. "Syntax error" is here to catch this case.
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 #ifdef __STDC__
 # include <limits.h>
@@ -5559,87 +5988,40 @@ cat >>conftest.$ac_ext <<_ACEOF
 #endif
 		     Syntax error
 _ACEOF
-if { (ac_try="$ac_cpp conftest.$ac_ext"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } >/dev/null && {
-	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       }; then
-  :
-else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+if ac_fn_c_try_cpp "$LINENO"; then :
 
+else
   # Broken: fails on valid input.
 continue
 fi
-
 rm -f conftest.err conftest.$ac_ext
 
   # OK, works on sane cases.  Now check whether nonexistent headers
   # can be detected and how.
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 #include <ac_nonexistent.h>
 _ACEOF
-if { (ac_try="$ac_cpp conftest.$ac_ext"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } >/dev/null && {
-	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       }; then
+if ac_fn_c_try_cpp "$LINENO"; then :
   # Broken: success on invalid input.
 continue
 else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
   # Passes both tests.
 ac_preproc_ok=:
 break
 fi
-
 rm -f conftest.err conftest.$ac_ext
 
 done
 # Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped.
 rm -f conftest.err conftest.$ac_ext
-if $ac_preproc_ok; then
-  :
+if $ac_preproc_ok; then :
+
 else
-  { { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5
+  { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
-{ { $as_echo "$as_me:$LINENO: error: C preprocessor \"$CPP\" fails sanity check
-See \`config.log' for more details." >&5
-$as_echo "$as_me: error: C preprocessor \"$CPP\" fails sanity check
-See \`config.log' for more details." >&2;}
-   { (exit 1); exit 1; }; }; }
+as_fn_error "C preprocessor \"$CPP\" fails sanity check
+See \`config.log' for more details." "$LINENO" 5; }
 fi
 
 ac_ext=c
@@ -5649,9 +6031,9 @@ ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $
 ac_compiler_gnu=$ac_cv_c_compiler_gnu
 
 
-{ $as_echo "$as_me:$LINENO: checking for grep that handles long lines and -e" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for grep that handles long lines and -e" >&5
 $as_echo_n "checking for grep that handles long lines and -e... " >&6; }
-if test "${ac_cv_path_GREP+set}" = set; then
+if test "${ac_cv_path_GREP+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
   if test -z "$GREP"; then
@@ -5662,7 +6044,7 @@ for as_dir in $PATH$PATH_SEPARATOR/usr/xpg4/bin
 do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
-  for ac_prog in grep ggrep; do
+    for ac_prog in grep ggrep; do
     for ac_exec_ext in '' $ac_executable_extensions; do
       ac_path_GREP="$as_dir/$ac_prog$ac_exec_ext"
       { test -f "$ac_path_GREP" && $as_test_x "$ac_path_GREP"; } || continue
@@ -5682,7 +6064,7 @@ case `"$ac_path_GREP" --version 2>&1` in
     $as_echo 'GREP' >> "conftest.nl"
     "$ac_path_GREP" -e 'GREP$' -e '-(cannot match)-' < "conftest.nl" >"conftest.out" 2>/dev/null || break
     diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break
-    ac_count=`expr $ac_count + 1`
+    as_fn_arith $ac_count + 1 && ac_count=$as_val
     if test $ac_count -gt ${ac_path_GREP_max-0}; then
       # Best one so far, save it but keep looking for a better one
       ac_cv_path_GREP="$ac_path_GREP"
@@ -5697,26 +6079,24 @@ esac
       $ac_path_GREP_found && break 3
     done
   done
-done
+  done
 IFS=$as_save_IFS
   if test -z "$ac_cv_path_GREP"; then
-    { { $as_echo "$as_me:$LINENO: error: no acceptable grep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" >&5
-$as_echo "$as_me: error: no acceptable grep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" >&2;}
-   { (exit 1); exit 1; }; }
+    as_fn_error "no acceptable grep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" "$LINENO" 5
   fi
 else
   ac_cv_path_GREP=$GREP
 fi
 
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_path_GREP" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_path_GREP" >&5
 $as_echo "$ac_cv_path_GREP" >&6; }
  GREP="$ac_cv_path_GREP"
 
 
-{ $as_echo "$as_me:$LINENO: checking for egrep" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for egrep" >&5
 $as_echo_n "checking for egrep... " >&6; }
-if test "${ac_cv_path_EGREP+set}" = set; then
+if test "${ac_cv_path_EGREP+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
   if echo a | $GREP -E '(a|b)' >/dev/null 2>&1
@@ -5730,7 +6110,7 @@ for as_dir in $PATH$PATH_SEPARATOR/usr/xpg4/bin
 do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
-  for ac_prog in egrep; do
+    for ac_prog in egrep; do
     for ac_exec_ext in '' $ac_executable_extensions; do
       ac_path_EGREP="$as_dir/$ac_prog$ac_exec_ext"
       { test -f "$ac_path_EGREP" && $as_test_x "$ac_path_EGREP"; } || continue
@@ -5750,7 +6130,7 @@ case `"$ac_path_EGREP" --version 2>&1` in
     $as_echo 'EGREP' >> "conftest.nl"
     "$ac_path_EGREP" 'EGREP$' < "conftest.nl" >"conftest.out" 2>/dev/null || break
     diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break
-    ac_count=`expr $ac_count + 1`
+    as_fn_arith $ac_count + 1 && ac_count=$as_val
     if test $ac_count -gt ${ac_path_EGREP_max-0}; then
       # Best one so far, save it but keep looking for a better one
       ac_cv_path_EGREP="$ac_path_EGREP"
@@ -5765,12 +6145,10 @@ esac
       $ac_path_EGREP_found && break 3
     done
   done
-done
+  done
 IFS=$as_save_IFS
   if test -z "$ac_cv_path_EGREP"; then
-    { { $as_echo "$as_me:$LINENO: error: no acceptable egrep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" >&5
-$as_echo "$as_me: error: no acceptable egrep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" >&2;}
-   { (exit 1); exit 1; }; }
+    as_fn_error "no acceptable egrep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" "$LINENO" 5
   fi
 else
   ac_cv_path_EGREP=$EGREP
@@ -5778,21 +6156,17 @@ fi
 
    fi
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_path_EGREP" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_path_EGREP" >&5
 $as_echo "$ac_cv_path_EGREP" >&6; }
  EGREP="$ac_cv_path_EGREP"
 
 
-{ $as_echo "$as_me:$LINENO: checking for ANSI C header files" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for ANSI C header files" >&5
 $as_echo_n "checking for ANSI C header files... " >&6; }
-if test "${ac_cv_header_stdc+set}" = set; then
+if test "${ac_cv_header_stdc+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 #include <stdlib.h>
 #include <stdarg.h>
@@ -5807,48 +6181,23 @@ main ()
   return 0;
 }
 _ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
+if ac_fn_c_try_compile "$LINENO"; then :
   ac_cv_header_stdc=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_cv_header_stdc=no
+  ac_cv_header_stdc=no
 fi
-
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 
 if test $ac_cv_header_stdc = yes; then
   # SunOS 4.x string.h does not declare mem*, contrary to ANSI.
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 #include <string.h>
 
 _ACEOF
 if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
-  $EGREP "memchr" >/dev/null 2>&1; then
-  :
+  $EGREP "memchr" >/dev/null 2>&1; then :
+
 else
   ac_cv_header_stdc=no
 fi
@@ -5858,18 +6207,14 @@ fi
 
 if test $ac_cv_header_stdc = yes; then
   # ISC 2.0.2 stdlib.h does not declare free, contrary to ANSI.
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 #include <stdlib.h>
 
 _ACEOF
 if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
-  $EGREP "free" >/dev/null 2>&1; then
-  :
+  $EGREP "free" >/dev/null 2>&1; then :
+
 else
   ac_cv_header_stdc=no
 fi
@@ -5879,14 +6224,10 @@ fi
 
 if test $ac_cv_header_stdc = yes; then
   # /bin/cc in Irix-4.0.5 gets non-ANSI ctype macros unless using -ansi.
-  if test "$cross_compiling" = yes; then
+  if test "$cross_compiling" = yes; then :
   :
 else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 #include <ctype.h>
 #include <stdlib.h>
@@ -5913,187 +6254,86 @@ main ()
   return 0;
 }
 _ACEOF
-rm -f conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_link") 2>&5
-  ac_status=$?
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
-  { (case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_try") 2>&5
-  ac_status=$?
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  :
-else
-  $as_echo "$as_me: program exited with status $ac_status" >&5
-$as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+if ac_fn_c_try_run "$LINENO"; then :
 
-( exit $ac_status )
-ac_cv_header_stdc=no
+else
+  ac_cv_header_stdc=no
 fi
-rm -rf conftest.dSYM
-rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
+  conftest.$ac_objext conftest.beam conftest.$ac_ext
 fi
 
-
 fi
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_header_stdc" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_header_stdc" >&5
 $as_echo "$ac_cv_header_stdc" >&6; }
 if test $ac_cv_header_stdc = yes; then
 
-cat >>confdefs.h <<\_ACEOF
-#define STDC_HEADERS 1
-_ACEOF
+$as_echo "#define STDC_HEADERS 1" >>confdefs.h
 
 fi
 
 # On IRIX 5.3, sys/types and inttypes.h are conflicting.
+for ac_header in sys/types.h sys/stat.h stdlib.h string.h memory.h strings.h \
+		  inttypes.h stdint.h unistd.h
+do :
+  as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
+ac_fn_c_check_header_compile "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default
+"
+eval as_val=\$$as_ac_Header
+   if test "x$as_val" = x""yes; then :
+  cat >>confdefs.h <<_ACEOF
+#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1
+_ACEOF
 
+fi
 
+done
 
 
-
-
-
-
-
-for ac_header in sys/types.h sys/stat.h stdlib.h string.h memory.h strings.h \
-		  inttypes.h stdint.h unistd.h
-do
-as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
-{ $as_echo "$as_me:$LINENO: checking for $ac_header" >&5
-$as_echo_n "checking for $ac_header... " >&6; }
-if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether byte ordering is bigendian" >&5
+$as_echo_n "checking whether byte ordering is bigendian... " >&6; }
+if test "${ac_cv_c_bigendian+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
+  ac_cv_c_bigendian=unknown
+    # See if we're dealing with a universal compiler.
+    cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
-$ac_includes_default
+#ifndef __APPLE_CC__
+	       not a universal capable compiler
+	     #endif
+	     typedef int dummy;
 
-#include <$ac_header>
 _ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  eval "$as_ac_Header=yes"
-else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	eval "$as_ac_Header=no"
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-fi
-ac_res=`eval 'as_val=${'$as_ac_Header'}
-		 $as_echo "$as_val"'`
-	       { $as_echo "$as_me:$LINENO: result: $ac_res" >&5
-$as_echo "$ac_res" >&6; }
-as_val=`eval 'as_val=${'$as_ac_Header'}
-		 $as_echo "$as_val"'`
-   if test "x$as_val" = x""yes; then
-  cat >>confdefs.h <<_ACEOF
-#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1
-_ACEOF
-
-fi
-
-done
-
-
-
- { $as_echo "$as_me:$LINENO: checking whether byte ordering is bigendian" >&5
-$as_echo_n "checking whether byte ordering is bigendian... " >&6; }
-if test "${ac_cv_c_bigendian+set}" = set; then
-  $as_echo_n "(cached) " >&6
-else
-  ac_cv_c_bigendian=unknown
-    # See if we're dealing with a universal compiler.
-    cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#ifndef __APPLE_CC__
-	       not a universal capable compiler
-	     #endif
-	     typedef int dummy;
-
-_ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
+if ac_fn_c_try_compile "$LINENO"; then :
 
 	# Check for potential -arch flags.  It is not universal unless
-	# there are some -arch flags.  Note that *ppc* also matches
-	# ppc64.  This check is also rather less than ideal.
-	case "${CC} ${CFLAGS} ${CPPFLAGS} ${LDFLAGS}" in  #(
-	  *-arch*ppc*|*-arch*i386*|*-arch*x86_64*) ac_cv_c_bigendian=universal;;
-	esac
-else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-
+	# there are at least two -arch flags with different values.
+	ac_arch=
+	ac_prev=
+	for ac_word in $CC $CFLAGS $CPPFLAGS $LDFLAGS; do
+	 if test -n "$ac_prev"; then
+	   case $ac_word in
+	     i?86 | x86_64 | ppc | ppc64)
+	       if test -z "$ac_arch" || test "$ac_arch" = "$ac_word"; then
+		 ac_arch=$ac_word
+	       else
+		 ac_cv_c_bigendian=universal
+		 break
+	       fi
+	       ;;
+	   esac
+	   ac_prev=
+	 elif test "x$ac_word" = "x-arch"; then
+	   ac_prev=arch
+	 fi
+       done
 fi
-
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
     if test $ac_cv_c_bigendian = unknown; then
       # See if sys/param.h defines the BYTE_ORDER macro.
-      cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
+      cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 #include <sys/types.h>
 	     #include <sys/param.h>
@@ -6111,30 +6351,9 @@ main ()
   return 0;
 }
 _ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
+if ac_fn_c_try_compile "$LINENO"; then :
   # It does; now see whether it defined to BIG_ENDIAN or not.
-	 cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
+	 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 #include <sys/types.h>
 		#include <sys/param.h>
@@ -6150,49 +6369,18 @@ main ()
   return 0;
 }
 _ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
+if ac_fn_c_try_compile "$LINENO"; then :
   ac_cv_c_bigendian=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_cv_c_bigendian=no
+  ac_cv_c_bigendian=no
 fi
-
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-
 fi
-
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
     fi
     if test $ac_cv_c_bigendian = unknown; then
       # See if <limits.h> defines _LITTLE_ENDIAN or _BIG_ENDIAN (e.g., Solaris).
-      cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
+      cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 #include <limits.h>
 
@@ -6207,30 +6395,9 @@ main ()
   return 0;
 }
 _ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
+if ac_fn_c_try_compile "$LINENO"; then :
   # It does; now see whether it defined to _BIG_ENDIAN or not.
-	 cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
+	 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 #include <limits.h>
 
@@ -6245,51 +6412,20 @@ main ()
   return 0;
 }
 _ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
+if ac_fn_c_try_compile "$LINENO"; then :
   ac_cv_c_bigendian=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_cv_c_bigendian=no
+  ac_cv_c_bigendian=no
 fi
-
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-
 fi
-
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
     fi
     if test $ac_cv_c_bigendian = unknown; then
       # Compile a test program.
-      if test "$cross_compiling" = yes; then
+      if test "$cross_compiling" = yes; then :
   # Try to guess by grepping values from an object file.
-	 cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
+	 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 short int ascii_mm[] =
 		  { 0x4249, 0x4765, 0x6E44, 0x6961, 0x6E53, 0x7953, 0 };
@@ -6315,24 +6451,7 @@ return use_ascii (foo) == use_ebcdic (foo);
   return 0;
 }
 _ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
+if ac_fn_c_try_compile "$LINENO"; then :
   if grep BIGenDianSyS conftest.$ac_objext >/dev/null; then
 	      ac_cv_c_bigendian=yes
 	    fi
@@ -6344,20 +6463,10 @@ $as_echo "$ac_try_echo") >&5
 		ac_cv_c_bigendian=unknown
 	      fi
 	    fi
-else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-
 fi
-
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 $ac_includes_default
 int
@@ -6377,167 +6486,41 @@ main ()
   return 0;
 }
 _ACEOF
-rm -f conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_link") 2>&5
-  ac_status=$?
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
-  { (case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_try") 2>&5
-  ac_status=$?
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+if ac_fn_c_try_run "$LINENO"; then :
   ac_cv_c_bigendian=no
 else
-  $as_echo "$as_me: program exited with status $ac_status" >&5
-$as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-( exit $ac_status )
-ac_cv_c_bigendian=yes
+  ac_cv_c_bigendian=yes
 fi
-rm -rf conftest.dSYM
-rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
+  conftest.$ac_objext conftest.beam conftest.$ac_ext
 fi
 
-
     fi
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_c_bigendian" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_c_bigendian" >&5
 $as_echo "$ac_cv_c_bigendian" >&6; }
  case $ac_cv_c_bigendian in #(
    yes)
-     cat >>confdefs.h <<\_ACEOF
-#define WORDS_BIGENDIAN 1
-_ACEOF
+     $as_echo "#define WORDS_BIGENDIAN 1" >>confdefs.h
 ;; #(
    no)
       ;; #(
    universal)
 
-cat >>confdefs.h <<\_ACEOF
-#define AC_APPLE_UNIVERSAL_BUILD 1
-_ACEOF
+$as_echo "#define AC_APPLE_UNIVERSAL_BUILD 1" >>confdefs.h
 
      ;; #(
    *)
-     { { $as_echo "$as_me:$LINENO: error: unknown endianness
- presetting ac_cv_c_bigendian=no (or yes) will help" >&5
-$as_echo "$as_me: error: unknown endianness
- presetting ac_cv_c_bigendian=no (or yes) will help" >&2;}
-   { (exit 1); exit 1; }; } ;;
+     as_fn_error "unknown endianness
+ presetting ac_cv_c_bigendian=no (or yes) will help" "$LINENO" 5 ;;
  esac
 
 
 
-# Find a good install program.  We prefer a C program (faster),
-# so one script is as good as another.  But avoid the broken or
-# incompatible versions:
-# SysV /etc/install, /usr/sbin/install
-# SunOS /usr/etc/install
-# IRIX /sbin/install
-# AIX /bin/install
-# AmigaOS /C/install, which installs bootblocks on floppy discs
-# AIX 4 /usr/bin/installbsd, which doesn't work without a -g flag
-# AFS /usr/afsws/bin/install, which mishandles nonexistent args
-# SVR4 /usr/ucb/install, which tries to use the nonexistent group "staff"
-# OS/2's system install, which has a completely different semantic
-# ./install, which can be erroneously created by make from ./install.sh.
-# Reject install programs that cannot install multiple files.
-{ $as_echo "$as_me:$LINENO: checking for a BSD-compatible install" >&5
-$as_echo_n "checking for a BSD-compatible install... " >&6; }
-if test -z "$INSTALL"; then
-if test "${ac_cv_path_install+set}" = set; then
-  $as_echo_n "(cached) " >&6
-else
-  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  # Account for people who put trailing slashes in PATH elements.
-case $as_dir/ in
-  ./ | .// | /cC/* | \
-  /etc/* | /usr/sbin/* | /usr/etc/* | /sbin/* | /usr/afsws/bin/* | \
-  ?:\\/os2\\/install\\/* | ?:\\/OS2\\/INSTALL\\/* | \
-  /usr/ucb/* ) ;;
-  *)
-    # OSF1 and SCO ODT 3.0 have their own names for install.
-    # Don't use installbsd from OSF since it installs stuff as root
-    # by default.
-    for ac_prog in ginstall scoinst install; do
-      for ac_exec_ext in '' $ac_executable_extensions; do
-	if { test -f "$as_dir/$ac_prog$ac_exec_ext" && $as_test_x "$as_dir/$ac_prog$ac_exec_ext"; }; then
-	  if test $ac_prog = install &&
-	    grep dspmsg "$as_dir/$ac_prog$ac_exec_ext" >/dev/null 2>&1; then
-	    # AIX install.  It has an incompatible calling convention.
-	    :
-	  elif test $ac_prog = install &&
-	    grep pwplus "$as_dir/$ac_prog$ac_exec_ext" >/dev/null 2>&1; then
-	    # program-specific install script used by HP pwplus--don't use.
-	    :
-	  else
-	    rm -rf conftest.one conftest.two conftest.dir
-	    echo one > conftest.one
-	    echo two > conftest.two
-	    mkdir conftest.dir
-	    if "$as_dir/$ac_prog$ac_exec_ext" -c conftest.one conftest.two "`pwd`/conftest.dir" &&
-	      test -s conftest.one && test -s conftest.two &&
-	      test -s conftest.dir/conftest.one &&
-	      test -s conftest.dir/conftest.two
-	    then
-	      ac_cv_path_install="$as_dir/$ac_prog$ac_exec_ext -c"
-	      break 3
-	    fi
-	  fi
-	fi
-      done
-    done
-    ;;
-esac
-
-done
-IFS=$as_save_IFS
-
-rm -rf conftest.one conftest.two conftest.dir
-
-fi
-  if test "${ac_cv_path_install+set}" = set; then
-    INSTALL=$ac_cv_path_install
-  else
-    # As a last resort, use the slow shell script.  Don't cache a
-    # value for INSTALL within a source directory, because that will
-    # break other packages using the cache if that directory is
-    # removed, or if the value is a relative name.
-    INSTALL=$ac_install_sh
-  fi
-fi
-{ $as_echo "$as_me:$LINENO: result: $INSTALL" >&5
-$as_echo "$INSTALL" >&6; }
-
-# Use test -z because SunOS4 sh mishandles braces in ${var-val}.
-# It thinks the first close brace ends the variable substitution.
-test -z "$INSTALL_PROGRAM" && INSTALL_PROGRAM='${INSTALL}'
-
-test -z "$INSTALL_SCRIPT" && INSTALL_SCRIPT='${INSTALL}'
-
-test -z "$INSTALL_DATA" && INSTALL_DATA='${INSTALL} -m 644'
 
 case `pwd` in
   *\ * | *\	*)
-    { $as_echo "$as_me:$LINENO: WARNING: Libtool does not cope well with whitespace in \`pwd\`" >&5
+    { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Libtool does not cope well with whitespace in \`pwd\`" >&5
 $as_echo "$as_me: WARNING: Libtool does not cope well with whitespace in \`pwd\`" >&2;} ;;
 esac
 
@@ -6560,9 +6543,9 @@ macro_revision='1.3012'
 
 ltmain="$ac_aux_dir/ltmain.sh"
 
-{ $as_echo "$as_me:$LINENO: checking for a sed that does not truncate output" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for a sed that does not truncate output" >&5
 $as_echo_n "checking for a sed that does not truncate output... " >&6; }
-if test "${ac_cv_path_SED+set}" = set; then
+if test "${ac_cv_path_SED+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
             ac_script=s/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb/
@@ -6570,7 +6553,7 @@ else
        ac_script="$ac_script$as_nl$ac_script"
      done
      echo "$ac_script" 2>/dev/null | sed 99q >conftest.sed
-     $as_unset ac_script || ac_script=
+     { ac_script=; unset ac_script;}
      if test -z "$SED"; then
   ac_path_SED_found=false
   # Loop through the user's path and test for each of PROGNAME-LIST
@@ -6579,7 +6562,7 @@ for as_dir in $PATH
 do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
-  for ac_prog in sed gsed; do
+    for ac_prog in sed gsed; do
     for ac_exec_ext in '' $ac_executable_extensions; do
       ac_path_SED="$as_dir/$ac_prog$ac_exec_ext"
       { test -f "$ac_path_SED" && $as_test_x "$ac_path_SED"; } || continue
@@ -6599,7 +6582,7 @@ case `"$ac_path_SED" --version 2>&1` in
     $as_echo '' >> "conftest.nl"
     "$ac_path_SED" -f conftest.sed < "conftest.nl" >"conftest.out" 2>/dev/null || break
     diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break
-    ac_count=`expr $ac_count + 1`
+    as_fn_arith $ac_count + 1 && ac_count=$as_val
     if test $ac_count -gt ${ac_path_SED_max-0}; then
       # Best one so far, save it but keep looking for a better one
       ac_cv_path_SED="$ac_path_SED"
@@ -6614,19 +6597,17 @@ esac
       $ac_path_SED_found && break 3
     done
   done
-done
+  done
 IFS=$as_save_IFS
   if test -z "$ac_cv_path_SED"; then
-    { { $as_echo "$as_me:$LINENO: error: no acceptable sed could be found in \$PATH" >&5
-$as_echo "$as_me: error: no acceptable sed could be found in \$PATH" >&2;}
-   { (exit 1); exit 1; }; }
+    as_fn_error "no acceptable sed could be found in \$PATH" "$LINENO" 5
   fi
 else
   ac_cv_path_SED=$SED
 fi
 
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_path_SED" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_path_SED" >&5
 $as_echo "$ac_cv_path_SED" >&6; }
  SED="$ac_cv_path_SED"
   rm -f conftest.sed
@@ -6644,9 +6625,9 @@ Xsed="$SED -e 1s/^X//"
 
 
 
-{ $as_echo "$as_me:$LINENO: checking for fgrep" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for fgrep" >&5
 $as_echo_n "checking for fgrep... " >&6; }
-if test "${ac_cv_path_FGREP+set}" = set; then
+if test "${ac_cv_path_FGREP+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
   if echo 'ab*c' | $GREP -F 'ab*c' >/dev/null 2>&1
@@ -6660,7 +6641,7 @@ for as_dir in $PATH$PATH_SEPARATOR/usr/xpg4/bin
 do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
-  for ac_prog in fgrep; do
+    for ac_prog in fgrep; do
     for ac_exec_ext in '' $ac_executable_extensions; do
       ac_path_FGREP="$as_dir/$ac_prog$ac_exec_ext"
       { test -f "$ac_path_FGREP" && $as_test_x "$ac_path_FGREP"; } || continue
@@ -6680,7 +6661,7 @@ case `"$ac_path_FGREP" --version 2>&1` in
     $as_echo 'FGREP' >> "conftest.nl"
     "$ac_path_FGREP" FGREP < "conftest.nl" >"conftest.out" 2>/dev/null || break
     diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break
-    ac_count=`expr $ac_count + 1`
+    as_fn_arith $ac_count + 1 && ac_count=$as_val
     if test $ac_count -gt ${ac_path_FGREP_max-0}; then
       # Best one so far, save it but keep looking for a better one
       ac_cv_path_FGREP="$ac_path_FGREP"
@@ -6695,12 +6676,10 @@ esac
       $ac_path_FGREP_found && break 3
     done
   done
-done
+  done
 IFS=$as_save_IFS
   if test -z "$ac_cv_path_FGREP"; then
-    { { $as_echo "$as_me:$LINENO: error: no acceptable fgrep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" >&5
-$as_echo "$as_me: error: no acceptable fgrep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" >&2;}
-   { (exit 1); exit 1; }; }
+    as_fn_error "no acceptable fgrep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" "$LINENO" 5
   fi
 else
   ac_cv_path_FGREP=$FGREP
@@ -6708,7 +6687,7 @@ fi
 
    fi
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_path_FGREP" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_path_FGREP" >&5
 $as_echo "$ac_cv_path_FGREP" >&6; }
  FGREP="$ac_cv_path_FGREP"
 
@@ -6734,7 +6713,7 @@ test -z "$GREP" && GREP=grep
 
 
 # Check whether --with-gnu-ld was given.
-if test "${with_gnu_ld+set}" = set; then
+if test "${with_gnu_ld+set}" = set; then :
   withval=$with_gnu_ld; test "$withval" = no || with_gnu_ld=yes
 else
   with_gnu_ld=no
@@ -6743,7 +6722,7 @@ fi
 ac_prog=ld
 if test "$GCC" = yes; then
   # Check if gcc -print-prog-name=ld gives a path.
-  { $as_echo "$as_me:$LINENO: checking for ld used by $CC" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ld used by $CC" >&5
 $as_echo_n "checking for ld used by $CC... " >&6; }
   case $host in
   *-*-mingw*)
@@ -6773,13 +6752,13 @@ $as_echo_n "checking for ld used by $CC... " >&6; }
     ;;
   esac
 elif test "$with_gnu_ld" = yes; then
-  { $as_echo "$as_me:$LINENO: checking for GNU ld" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking for GNU ld" >&5
 $as_echo_n "checking for GNU ld... " >&6; }
 else
-  { $as_echo "$as_me:$LINENO: checking for non-GNU ld" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking for non-GNU ld" >&5
 $as_echo_n "checking for non-GNU ld... " >&6; }
 fi
-if test "${lt_cv_path_LD+set}" = set; then
+if test "${lt_cv_path_LD+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
   if test -z "$LD"; then
@@ -6810,18 +6789,16 @@ fi
 
 LD="$lt_cv_path_LD"
 if test -n "$LD"; then
-  { $as_echo "$as_me:$LINENO: result: $LD" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $LD" >&5
 $as_echo "$LD" >&6; }
 else
-  { $as_echo "$as_me:$LINENO: result: no" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; }
 fi
-test -z "$LD" && { { $as_echo "$as_me:$LINENO: error: no acceptable ld found in \$PATH" >&5
-$as_echo "$as_me: error: no acceptable ld found in \$PATH" >&2;}
-   { (exit 1); exit 1; }; }
-{ $as_echo "$as_me:$LINENO: checking if the linker ($LD) is GNU ld" >&5
+test -z "$LD" && as_fn_error "no acceptable ld found in \$PATH" "$LINENO" 5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if the linker ($LD) is GNU ld" >&5
 $as_echo_n "checking if the linker ($LD) is GNU ld... " >&6; }
-if test "${lt_cv_prog_gnu_ld+set}" = set; then
+if test "${lt_cv_prog_gnu_ld+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
   # I'd rather use --version here, but apparently some GNU lds only accept -v.
@@ -6834,7 +6811,7 @@ case `$LD -v 2>&1 </dev/null` in
   ;;
 esac
 fi
-{ $as_echo "$as_me:$LINENO: result: $lt_cv_prog_gnu_ld" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_prog_gnu_ld" >&5
 $as_echo "$lt_cv_prog_gnu_ld" >&6; }
 with_gnu_ld=$lt_cv_prog_gnu_ld
 
@@ -6846,9 +6823,9 @@ with_gnu_ld=$lt_cv_prog_gnu_ld
 
 
 
-{ $as_echo "$as_me:$LINENO: checking for BSD- or MS-compatible name lister (nm)" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for BSD- or MS-compatible name lister (nm)" >&5
 $as_echo_n "checking for BSD- or MS-compatible name lister (nm)... " >&6; }
-if test "${lt_cv_path_NM+set}" = set; then
+if test "${lt_cv_path_NM+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
   if test -n "$NM"; then
@@ -6895,7 +6872,7 @@ else
   : ${lt_cv_path_NM=no}
 fi
 fi
-{ $as_echo "$as_me:$LINENO: result: $lt_cv_path_NM" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_path_NM" >&5
 $as_echo "$lt_cv_path_NM" >&6; }
 if test "$lt_cv_path_NM" != "no"; then
   NM="$lt_cv_path_NM"
@@ -6906,9 +6883,9 @@ else
   do
     # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args.
 set dummy $ac_tool_prefix$ac_prog; ac_word=$2
-{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_DUMPBIN+set}" = set; then
+if test "${ac_cv_prog_DUMPBIN+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
   if test -n "$DUMPBIN"; then
@@ -6919,24 +6896,24 @@ for as_dir in $PATH
 do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
+    for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_DUMPBIN="$ac_tool_prefix$ac_prog"
-    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
-done
+  done
 IFS=$as_save_IFS
 
 fi
 fi
 DUMPBIN=$ac_cv_prog_DUMPBIN
 if test -n "$DUMPBIN"; then
-  { $as_echo "$as_me:$LINENO: result: $DUMPBIN" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $DUMPBIN" >&5
 $as_echo "$DUMPBIN" >&6; }
 else
-  { $as_echo "$as_me:$LINENO: result: no" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; }
 fi
 
@@ -6950,9 +6927,9 @@ if test -z "$DUMPBIN"; then
 do
   # Extract the first word of "$ac_prog", so it can be a program name with args.
 set dummy $ac_prog; ac_word=$2
-{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_ac_ct_DUMPBIN+set}" = set; then
+if test "${ac_cv_prog_ac_ct_DUMPBIN+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
   if test -n "$ac_ct_DUMPBIN"; then
@@ -6963,24 +6940,24 @@ for as_dir in $PATH
 do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
+    for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_ac_ct_DUMPBIN="$ac_prog"
-    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
-done
+  done
 IFS=$as_save_IFS
 
 fi
 fi
 ac_ct_DUMPBIN=$ac_cv_prog_ac_ct_DUMPBIN
 if test -n "$ac_ct_DUMPBIN"; then
-  { $as_echo "$as_me:$LINENO: result: $ac_ct_DUMPBIN" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_DUMPBIN" >&5
 $as_echo "$ac_ct_DUMPBIN" >&6; }
 else
-  { $as_echo "$as_me:$LINENO: result: no" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; }
 fi
 
@@ -6993,7 +6970,7 @@ done
   else
     case $cross_compiling:$ac_tool_warned in
 yes:)
-{ $as_echo "$as_me:$LINENO: WARNING: using cross tools not prefixed with host triplet" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5
 $as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;}
 ac_tool_warned=yes ;;
 esac
@@ -7013,44 +6990,44 @@ test -z "$NM" && NM=nm
 
 
 
-{ $as_echo "$as_me:$LINENO: checking the name lister ($NM) interface" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking the name lister ($NM) interface" >&5
 $as_echo_n "checking the name lister ($NM) interface... " >&6; }
-if test "${lt_cv_nm_interface+set}" = set; then
+if test "${lt_cv_nm_interface+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
   lt_cv_nm_interface="BSD nm"
   echo "int some_variable = 0;" > conftest.$ac_ext
-  (eval echo "\"\$as_me:7023: $ac_compile\"" >&5)
+  (eval echo "\"\$as_me:7000: $ac_compile\"" >&5)
   (eval "$ac_compile" 2>conftest.err)
   cat conftest.err >&5
-  (eval echo "\"\$as_me:7026: $NM \\\"conftest.$ac_objext\\\"\"" >&5)
+  (eval echo "\"\$as_me:7003: $NM \\\"conftest.$ac_objext\\\"\"" >&5)
   (eval "$NM \"conftest.$ac_objext\"" 2>conftest.err > conftest.out)
   cat conftest.err >&5
-  (eval echo "\"\$as_me:7029: output\"" >&5)
+  (eval echo "\"\$as_me:7006: output\"" >&5)
   cat conftest.out >&5
   if $GREP 'External.*some_variable' conftest.out > /dev/null; then
     lt_cv_nm_interface="MS dumpbin"
   fi
   rm -f conftest*
 fi
-{ $as_echo "$as_me:$LINENO: result: $lt_cv_nm_interface" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_nm_interface" >&5
 $as_echo "$lt_cv_nm_interface" >&6; }
 
-{ $as_echo "$as_me:$LINENO: checking whether ln -s works" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether ln -s works" >&5
 $as_echo_n "checking whether ln -s works... " >&6; }
 LN_S=$as_ln_s
 if test "$LN_S" = "ln -s"; then
-  { $as_echo "$as_me:$LINENO: result: yes" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
 $as_echo "yes" >&6; }
 else
-  { $as_echo "$as_me:$LINENO: result: no, using $LN_S" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no, using $LN_S" >&5
 $as_echo "no, using $LN_S" >&6; }
 fi
 
 # find the maximum length of command line arguments
-{ $as_echo "$as_me:$LINENO: checking the maximum length of command line arguments" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking the maximum length of command line arguments" >&5
 $as_echo_n "checking the maximum length of command line arguments... " >&6; }
-if test "${lt_cv_sys_max_cmd_len+set}" = set; then
+if test "${lt_cv_sys_max_cmd_len+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
     i=0
@@ -7168,10 +7145,10 @@ else
 fi
 
 if test -n $lt_cv_sys_max_cmd_len ; then
-  { $as_echo "$as_me:$LINENO: result: $lt_cv_sys_max_cmd_len" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_sys_max_cmd_len" >&5
 $as_echo "$lt_cv_sys_max_cmd_len" >&6; }
 else
-  { $as_echo "$as_me:$LINENO: result: none" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: none" >&5
 $as_echo "none" >&6; }
 fi
 max_cmd_len=$lt_cv_sys_max_cmd_len
@@ -7185,7 +7162,7 @@ max_cmd_len=$lt_cv_sys_max_cmd_len
 : ${MV="mv -f"}
 : ${RM="rm -f"}
 
-{ $as_echo "$as_me:$LINENO: checking whether the shell understands some XSI constructs" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the shell understands some XSI constructs" >&5
 $as_echo_n "checking whether the shell understands some XSI constructs... " >&6; }
 # Try some XSI features
 xsi_shell=no
@@ -7195,17 +7172,17 @@ xsi_shell=no
     && eval 'test $(( 1 + 1 )) -eq 2 \
     && test "${#_lt_dummy}" -eq 5' ) >/dev/null 2>&1 \
   && xsi_shell=yes
-{ $as_echo "$as_me:$LINENO: result: $xsi_shell" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $xsi_shell" >&5
 $as_echo "$xsi_shell" >&6; }
 
 
-{ $as_echo "$as_me:$LINENO: checking whether the shell understands \"+=\"" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the shell understands \"+=\"" >&5
 $as_echo_n "checking whether the shell understands \"+=\"... " >&6; }
 lt_shell_append=no
 ( foo=bar; set foo baz; eval "$1+=\$2" && test "$foo" = barbaz ) \
     >/dev/null 2>&1 \
   && lt_shell_append=yes
-{ $as_echo "$as_me:$LINENO: result: $lt_shell_append" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_shell_append" >&5
 $as_echo "$lt_shell_append" >&6; }
 
 
@@ -7240,14 +7217,14 @@ esac
 
 
 
-{ $as_echo "$as_me:$LINENO: checking for $LD option to reload object files" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $LD option to reload object files" >&5
 $as_echo_n "checking for $LD option to reload object files... " >&6; }
-if test "${lt_cv_ld_reload_flag+set}" = set; then
+if test "${lt_cv_ld_reload_flag+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
   lt_cv_ld_reload_flag='-r'
 fi
-{ $as_echo "$as_me:$LINENO: result: $lt_cv_ld_reload_flag" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_ld_reload_flag" >&5
 $as_echo "$lt_cv_ld_reload_flag" >&6; }
 reload_flag=$lt_cv_ld_reload_flag
 case $reload_flag in
@@ -7276,9 +7253,9 @@ esac
 if test -n "$ac_tool_prefix"; then
   # Extract the first word of "${ac_tool_prefix}objdump", so it can be a program name with args.
 set dummy ${ac_tool_prefix}objdump; ac_word=$2
-{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_OBJDUMP+set}" = set; then
+if test "${ac_cv_prog_OBJDUMP+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
   if test -n "$OBJDUMP"; then
@@ -7289,24 +7266,24 @@ for as_dir in $PATH
 do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
+    for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_OBJDUMP="${ac_tool_prefix}objdump"
-    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
-done
+  done
 IFS=$as_save_IFS
 
 fi
 fi
 OBJDUMP=$ac_cv_prog_OBJDUMP
 if test -n "$OBJDUMP"; then
-  { $as_echo "$as_me:$LINENO: result: $OBJDUMP" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $OBJDUMP" >&5
 $as_echo "$OBJDUMP" >&6; }
 else
-  { $as_echo "$as_me:$LINENO: result: no" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; }
 fi
 
@@ -7316,9 +7293,9 @@ if test -z "$ac_cv_prog_OBJDUMP"; then
   ac_ct_OBJDUMP=$OBJDUMP
   # Extract the first word of "objdump", so it can be a program name with args.
 set dummy objdump; ac_word=$2
-{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_ac_ct_OBJDUMP+set}" = set; then
+if test "${ac_cv_prog_ac_ct_OBJDUMP+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
   if test -n "$ac_ct_OBJDUMP"; then
@@ -7329,24 +7306,24 @@ for as_dir in $PATH
 do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
+    for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_ac_ct_OBJDUMP="objdump"
-    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
-done
+  done
 IFS=$as_save_IFS
 
 fi
 fi
 ac_ct_OBJDUMP=$ac_cv_prog_ac_ct_OBJDUMP
 if test -n "$ac_ct_OBJDUMP"; then
-  { $as_echo "$as_me:$LINENO: result: $ac_ct_OBJDUMP" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_OBJDUMP" >&5
 $as_echo "$ac_ct_OBJDUMP" >&6; }
 else
-  { $as_echo "$as_me:$LINENO: result: no" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; }
 fi
 
@@ -7355,7 +7332,7 @@ fi
   else
     case $cross_compiling:$ac_tool_warned in
 yes:)
-{ $as_echo "$as_me:$LINENO: WARNING: using cross tools not prefixed with host triplet" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5
 $as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;}
 ac_tool_warned=yes ;;
 esac
@@ -7375,9 +7352,9 @@ test -z "$OBJDUMP" && OBJDUMP=objdump
 
 
 
-{ $as_echo "$as_me:$LINENO: checking how to recognize dependent libraries" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking how to recognize dependent libraries" >&5
 $as_echo_n "checking how to recognize dependent libraries... " >&6; }
-if test "${lt_cv_deplibs_check_method+set}" = set; then
+if test "${lt_cv_deplibs_check_method+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
   lt_cv_file_magic_cmd='$MAGIC_CMD'
@@ -7571,7 +7548,7 @@ tpf*)
 esac
 
 fi
-{ $as_echo "$as_me:$LINENO: result: $lt_cv_deplibs_check_method" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_deplibs_check_method" >&5
 $as_echo "$lt_cv_deplibs_check_method" >&6; }
 file_magic_cmd=$lt_cv_file_magic_cmd
 deplibs_check_method=$lt_cv_deplibs_check_method
@@ -7591,9 +7568,9 @@ test -z "$deplibs_check_method" && deplibs_check_method=unknown
 if test -n "$ac_tool_prefix"; then
   # Extract the first word of "${ac_tool_prefix}ar", so it can be a program name with args.
 set dummy ${ac_tool_prefix}ar; ac_word=$2
-{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_AR+set}" = set; then
+if test "${ac_cv_prog_AR+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
   if test -n "$AR"; then
@@ -7604,24 +7581,24 @@ for as_dir in $PATH
 do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
+    for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_AR="${ac_tool_prefix}ar"
-    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
-done
+  done
 IFS=$as_save_IFS
 
 fi
 fi
 AR=$ac_cv_prog_AR
 if test -n "$AR"; then
-  { $as_echo "$as_me:$LINENO: result: $AR" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $AR" >&5
 $as_echo "$AR" >&6; }
 else
-  { $as_echo "$as_me:$LINENO: result: no" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; }
 fi
 
@@ -7631,9 +7608,9 @@ if test -z "$ac_cv_prog_AR"; then
   ac_ct_AR=$AR
   # Extract the first word of "ar", so it can be a program name with args.
 set dummy ar; ac_word=$2
-{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_ac_ct_AR+set}" = set; then
+if test "${ac_cv_prog_ac_ct_AR+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
   if test -n "$ac_ct_AR"; then
@@ -7644,24 +7621,24 @@ for as_dir in $PATH
 do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
+    for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_ac_ct_AR="ar"
-    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
-done
+  done
 IFS=$as_save_IFS
 
 fi
 fi
 ac_ct_AR=$ac_cv_prog_ac_ct_AR
 if test -n "$ac_ct_AR"; then
-  { $as_echo "$as_me:$LINENO: result: $ac_ct_AR" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_AR" >&5
 $as_echo "$ac_ct_AR" >&6; }
 else
-  { $as_echo "$as_me:$LINENO: result: no" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; }
 fi
 
@@ -7670,7 +7647,7 @@ fi
   else
     case $cross_compiling:$ac_tool_warned in
 yes:)
-{ $as_echo "$as_me:$LINENO: WARNING: using cross tools not prefixed with host triplet" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5
 $as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;}
 ac_tool_warned=yes ;;
 esac
@@ -7696,9 +7673,9 @@ test -z "$AR_FLAGS" && AR_FLAGS=cru
 if test -n "$ac_tool_prefix"; then
   # Extract the first word of "${ac_tool_prefix}strip", so it can be a program name with args.
 set dummy ${ac_tool_prefix}strip; ac_word=$2
-{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_STRIP+set}" = set; then
+if test "${ac_cv_prog_STRIP+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
   if test -n "$STRIP"; then
@@ -7709,24 +7686,24 @@ for as_dir in $PATH
 do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
+    for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_STRIP="${ac_tool_prefix}strip"
-    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
-done
+  done
 IFS=$as_save_IFS
 
 fi
 fi
 STRIP=$ac_cv_prog_STRIP
 if test -n "$STRIP"; then
-  { $as_echo "$as_me:$LINENO: result: $STRIP" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $STRIP" >&5
 $as_echo "$STRIP" >&6; }
 else
-  { $as_echo "$as_me:$LINENO: result: no" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; }
 fi
 
@@ -7736,9 +7713,9 @@ if test -z "$ac_cv_prog_STRIP"; then
   ac_ct_STRIP=$STRIP
   # Extract the first word of "strip", so it can be a program name with args.
 set dummy strip; ac_word=$2
-{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_ac_ct_STRIP+set}" = set; then
+if test "${ac_cv_prog_ac_ct_STRIP+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
   if test -n "$ac_ct_STRIP"; then
@@ -7749,24 +7726,24 @@ for as_dir in $PATH
 do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
+    for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_ac_ct_STRIP="strip"
-    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
-done
+  done
 IFS=$as_save_IFS
 
 fi
 fi
 ac_ct_STRIP=$ac_cv_prog_ac_ct_STRIP
 if test -n "$ac_ct_STRIP"; then
-  { $as_echo "$as_me:$LINENO: result: $ac_ct_STRIP" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_STRIP" >&5
 $as_echo "$ac_ct_STRIP" >&6; }
 else
-  { $as_echo "$as_me:$LINENO: result: no" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; }
 fi
 
@@ -7775,7 +7752,7 @@ fi
   else
     case $cross_compiling:$ac_tool_warned in
 yes:)
-{ $as_echo "$as_me:$LINENO: WARNING: using cross tools not prefixed with host triplet" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5
 $as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;}
 ac_tool_warned=yes ;;
 esac
@@ -7795,9 +7772,9 @@ test -z "$STRIP" && STRIP=:
 if test -n "$ac_tool_prefix"; then
   # Extract the first word of "${ac_tool_prefix}ranlib", so it can be a program name with args.
 set dummy ${ac_tool_prefix}ranlib; ac_word=$2
-{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_RANLIB+set}" = set; then
+if test "${ac_cv_prog_RANLIB+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
   if test -n "$RANLIB"; then
@@ -7808,24 +7785,24 @@ for as_dir in $PATH
 do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
+    for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_RANLIB="${ac_tool_prefix}ranlib"
-    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
-done
+  done
 IFS=$as_save_IFS
 
 fi
 fi
 RANLIB=$ac_cv_prog_RANLIB
 if test -n "$RANLIB"; then
-  { $as_echo "$as_me:$LINENO: result: $RANLIB" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $RANLIB" >&5
 $as_echo "$RANLIB" >&6; }
 else
-  { $as_echo "$as_me:$LINENO: result: no" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; }
 fi
 
@@ -7835,9 +7812,9 @@ if test -z "$ac_cv_prog_RANLIB"; then
   ac_ct_RANLIB=$RANLIB
   # Extract the first word of "ranlib", so it can be a program name with args.
 set dummy ranlib; ac_word=$2
-{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_ac_ct_RANLIB+set}" = set; then
+if test "${ac_cv_prog_ac_ct_RANLIB+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
   if test -n "$ac_ct_RANLIB"; then
@@ -7848,24 +7825,24 @@ for as_dir in $PATH
 do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
+    for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_ac_ct_RANLIB="ranlib"
-    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
-done
+  done
 IFS=$as_save_IFS
 
 fi
 fi
 ac_ct_RANLIB=$ac_cv_prog_ac_ct_RANLIB
 if test -n "$ac_ct_RANLIB"; then
-  { $as_echo "$as_me:$LINENO: result: $ac_ct_RANLIB" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_RANLIB" >&5
 $as_echo "$ac_ct_RANLIB" >&6; }
 else
-  { $as_echo "$as_me:$LINENO: result: no" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; }
 fi
 
@@ -7874,7 +7851,7 @@ fi
   else
     case $cross_compiling:$ac_tool_warned in
 yes:)
-{ $as_echo "$as_me:$LINENO: WARNING: using cross tools not prefixed with host triplet" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5
 $as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;}
 ac_tool_warned=yes ;;
 esac
@@ -7952,9 +7929,9 @@ compiler=$CC
 
 
 # Check for command to grab the raw symbol name followed by C symbol from nm.
-{ $as_echo "$as_me:$LINENO: checking command to parse $NM output from $compiler object" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking command to parse $NM output from $compiler object" >&5
 $as_echo_n "checking command to parse $NM output from $compiler object... " >&6; }
-if test "${lt_cv_sys_global_symbol_pipe+set}" = set; then
+if test "${lt_cv_sys_global_symbol_pipe+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
 
@@ -8070,18 +8047,18 @@ void nm_test_func(void){}
 int main(){nm_test_var='a';nm_test_func();return(0);}
 _LT_EOF
 
-  if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+  if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5
   (eval $ac_compile) 2>&5
   ac_status=$?
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; then
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; then
     # Now try to grab the symbols.
     nlist=conftest.nm
-    if { (eval echo "$as_me:$LINENO: \"$NM conftest.$ac_objext \| $lt_cv_sys_global_symbol_pipe \> $nlist\"") >&5
+    if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$NM conftest.$ac_objext \| $lt_cv_sys_global_symbol_pipe \> $nlist\""; } >&5
   (eval $NM conftest.$ac_objext \| $lt_cv_sys_global_symbol_pipe \> $nlist) 2>&5
   ac_status=$?
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && test -s "$nlist"; then
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; } && test -s "$nlist"; then
       # Try sorting and uniquifying the output.
       if sort "$nlist" | uniq > "$nlist"T; then
 	mv -f "$nlist"T "$nlist"
@@ -8134,11 +8111,11 @@ _LT_EOF
 	  lt_save_CFLAGS="$CFLAGS"
 	  LIBS="conftstm.$ac_objext"
 	  CFLAGS="$CFLAGS$lt_prog_compiler_no_builtin_flag"
-	  if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+	  if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_link\""; } >&5
   (eval $ac_link) 2>&5
   ac_status=$?
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && test -s conftest${ac_exeext}; then
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; } && test -s conftest${ac_exeext}; then
 	    pipe_works=yes
 	  fi
 	  LIBS="$lt_save_LIBS"
@@ -8172,10 +8149,10 @@ if test -z "$lt_cv_sys_global_symbol_pipe"; then
   lt_cv_sys_global_symbol_to_cdecl=
 fi
 if test -z "$lt_cv_sys_global_symbol_pipe$lt_cv_sys_global_symbol_to_cdecl"; then
-  { $as_echo "$as_me:$LINENO: result: failed" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: failed" >&5
 $as_echo "failed" >&6; }
 else
-  { $as_echo "$as_me:$LINENO: result: ok" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: ok" >&5
 $as_echo "ok" >&6; }
 fi
 
@@ -8201,7 +8178,7 @@ fi
 
 
 # Check whether --enable-libtool-lock was given.
-if test "${enable_libtool_lock+set}" = set; then
+if test "${enable_libtool_lock+set}" = set; then :
   enableval=$enable_libtool_lock;
 fi
 
@@ -8213,11 +8190,11 @@ case $host in
 ia64-*-hpux*)
   # Find out which ABI we are using.
   echo 'int i;' > conftest.$ac_ext
-  if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+  if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5
   (eval $ac_compile) 2>&5
   ac_status=$?
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; then
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; then
     case `/usr/bin/file conftest.$ac_objext` in
       *ELF-32*)
 	HPUX_IA64_MODE="32"
@@ -8231,12 +8208,12 @@ ia64-*-hpux*)
   ;;
 *-*-irix6*)
   # Find out which ABI we are using.
-  echo '#line 8234 "configure"' > conftest.$ac_ext
-  if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+  echo '#line 8211 "configure"' > conftest.$ac_ext
+  if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5
   (eval $ac_compile) 2>&5
   ac_status=$?
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; then
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; then
     if test "$lt_cv_prog_gnu_ld" = yes; then
       case `/usr/bin/file conftest.$ac_objext` in
 	*32-bit*)
@@ -8270,11 +8247,11 @@ x86_64-*kfreebsd*-gnu|x86_64-*linux*|ppc*-*linux*|powerpc*-*linux*| \
 s390*-*linux*|s390*-*tpf*|sparc*-*linux*)
   # Find out which ABI we are using.
   echo 'int i;' > conftest.$ac_ext
-  if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+  if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5
   (eval $ac_compile) 2>&5
   ac_status=$?
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; then
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; then
     case `/usr/bin/file conftest.o` in
       *32-bit*)
 	case $host in
@@ -8323,9 +8300,9 @@ s390*-*linux*|s390*-*tpf*|sparc*-*linux*)
   # On SCO OpenServer 5, we need -belf to get full-featured binaries.
   SAVE_CFLAGS="$CFLAGS"
   CFLAGS="$CFLAGS -belf"
-  { $as_echo "$as_me:$LINENO: checking whether the C compiler needs -belf" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the C compiler needs -belf" >&5
 $as_echo_n "checking whether the C compiler needs -belf... " >&6; }
-if test "${lt_cv_cc_needs_belf+set}" = set; then
+if test "${lt_cv_cc_needs_belf+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
   ac_ext=c
@@ -8334,11 +8311,7 @@ ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
 ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
 ac_compiler_gnu=$ac_cv_c_compiler_gnu
 
-     cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
+     cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
 int
@@ -8349,38 +8322,13 @@ main ()
   return 0;
 }
 _ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+if ac_fn_c_try_link "$LINENO"; then :
   lt_cv_cc_needs_belf=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	lt_cv_cc_needs_belf=no
+  lt_cv_cc_needs_belf=no
 fi
-
-rm -rf conftest.dSYM
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
      ac_ext=c
 ac_cpp='$CPP $CPPFLAGS'
 ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
@@ -8388,7 +8336,7 @@ ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $
 ac_compiler_gnu=$ac_cv_c_compiler_gnu
 
 fi
-{ $as_echo "$as_me:$LINENO: result: $lt_cv_cc_needs_belf" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_cc_needs_belf" >&5
 $as_echo "$lt_cv_cc_needs_belf" >&6; }
   if test x"$lt_cv_cc_needs_belf" != x"yes"; then
     # this is probably gcc 2.8.0, egcs 1.0 or newer; no need for -belf
@@ -8398,11 +8346,11 @@ $as_echo "$lt_cv_cc_needs_belf" >&6; }
 sparc*-*solaris*)
   # Find out which ABI we are using.
   echo 'int i;' > conftest.$ac_ext
-  if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+  if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5
   (eval $ac_compile) 2>&5
   ac_status=$?
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; then
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; then
     case `/usr/bin/file conftest.o` in
     *64-bit*)
       case $lt_cv_prog_gnu_ld in
@@ -8428,9 +8376,9 @@ need_locks="$enable_libtool_lock"
     if test -n "$ac_tool_prefix"; then
   # Extract the first word of "${ac_tool_prefix}dsymutil", so it can be a program name with args.
 set dummy ${ac_tool_prefix}dsymutil; ac_word=$2
-{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_DSYMUTIL+set}" = set; then
+if test "${ac_cv_prog_DSYMUTIL+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
   if test -n "$DSYMUTIL"; then
@@ -8441,24 +8389,24 @@ for as_dir in $PATH
 do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
+    for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_DSYMUTIL="${ac_tool_prefix}dsymutil"
-    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
-done
+  done
 IFS=$as_save_IFS
 
 fi
 fi
 DSYMUTIL=$ac_cv_prog_DSYMUTIL
 if test -n "$DSYMUTIL"; then
-  { $as_echo "$as_me:$LINENO: result: $DSYMUTIL" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $DSYMUTIL" >&5
 $as_echo "$DSYMUTIL" >&6; }
 else
-  { $as_echo "$as_me:$LINENO: result: no" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; }
 fi
 
@@ -8468,9 +8416,9 @@ if test -z "$ac_cv_prog_DSYMUTIL"; then
   ac_ct_DSYMUTIL=$DSYMUTIL
   # Extract the first word of "dsymutil", so it can be a program name with args.
 set dummy dsymutil; ac_word=$2
-{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_ac_ct_DSYMUTIL+set}" = set; then
+if test "${ac_cv_prog_ac_ct_DSYMUTIL+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
   if test -n "$ac_ct_DSYMUTIL"; then
@@ -8481,24 +8429,24 @@ for as_dir in $PATH
 do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
+    for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_ac_ct_DSYMUTIL="dsymutil"
-    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
-done
+  done
 IFS=$as_save_IFS
 
 fi
 fi
 ac_ct_DSYMUTIL=$ac_cv_prog_ac_ct_DSYMUTIL
 if test -n "$ac_ct_DSYMUTIL"; then
-  { $as_echo "$as_me:$LINENO: result: $ac_ct_DSYMUTIL" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_DSYMUTIL" >&5
 $as_echo "$ac_ct_DSYMUTIL" >&6; }
 else
-  { $as_echo "$as_me:$LINENO: result: no" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; }
 fi
 
@@ -8507,7 +8455,7 @@ fi
   else
     case $cross_compiling:$ac_tool_warned in
 yes:)
-{ $as_echo "$as_me:$LINENO: WARNING: using cross tools not prefixed with host triplet" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5
 $as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;}
 ac_tool_warned=yes ;;
 esac
@@ -8520,9 +8468,9 @@ fi
     if test -n "$ac_tool_prefix"; then
   # Extract the first word of "${ac_tool_prefix}nmedit", so it can be a program name with args.
 set dummy ${ac_tool_prefix}nmedit; ac_word=$2
-{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_NMEDIT+set}" = set; then
+if test "${ac_cv_prog_NMEDIT+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
   if test -n "$NMEDIT"; then
@@ -8533,24 +8481,24 @@ for as_dir in $PATH
 do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
+    for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_NMEDIT="${ac_tool_prefix}nmedit"
-    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
-done
+  done
 IFS=$as_save_IFS
 
 fi
 fi
 NMEDIT=$ac_cv_prog_NMEDIT
 if test -n "$NMEDIT"; then
-  { $as_echo "$as_me:$LINENO: result: $NMEDIT" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $NMEDIT" >&5
 $as_echo "$NMEDIT" >&6; }
 else
-  { $as_echo "$as_me:$LINENO: result: no" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; }
 fi
 
@@ -8560,9 +8508,9 @@ if test -z "$ac_cv_prog_NMEDIT"; then
   ac_ct_NMEDIT=$NMEDIT
   # Extract the first word of "nmedit", so it can be a program name with args.
 set dummy nmedit; ac_word=$2
-{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_ac_ct_NMEDIT+set}" = set; then
+if test "${ac_cv_prog_ac_ct_NMEDIT+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
   if test -n "$ac_ct_NMEDIT"; then
@@ -8573,24 +8521,24 @@ for as_dir in $PATH
 do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
+    for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_ac_ct_NMEDIT="nmedit"
-    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
-done
+  done
 IFS=$as_save_IFS
 
 fi
 fi
 ac_ct_NMEDIT=$ac_cv_prog_ac_ct_NMEDIT
 if test -n "$ac_ct_NMEDIT"; then
-  { $as_echo "$as_me:$LINENO: result: $ac_ct_NMEDIT" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_NMEDIT" >&5
 $as_echo "$ac_ct_NMEDIT" >&6; }
 else
-  { $as_echo "$as_me:$LINENO: result: no" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; }
 fi
 
@@ -8599,7 +8547,7 @@ fi
   else
     case $cross_compiling:$ac_tool_warned in
 yes:)
-{ $as_echo "$as_me:$LINENO: WARNING: using cross tools not prefixed with host triplet" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5
 $as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;}
 ac_tool_warned=yes ;;
 esac
@@ -8612,9 +8560,9 @@ fi
     if test -n "$ac_tool_prefix"; then
   # Extract the first word of "${ac_tool_prefix}lipo", so it can be a program name with args.
 set dummy ${ac_tool_prefix}lipo; ac_word=$2
-{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_LIPO+set}" = set; then
+if test "${ac_cv_prog_LIPO+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
   if test -n "$LIPO"; then
@@ -8625,24 +8573,24 @@ for as_dir in $PATH
 do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
+    for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_LIPO="${ac_tool_prefix}lipo"
-    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
-done
+  done
 IFS=$as_save_IFS
 
 fi
 fi
 LIPO=$ac_cv_prog_LIPO
 if test -n "$LIPO"; then
-  { $as_echo "$as_me:$LINENO: result: $LIPO" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $LIPO" >&5
 $as_echo "$LIPO" >&6; }
 else
-  { $as_echo "$as_me:$LINENO: result: no" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; }
 fi
 
@@ -8652,9 +8600,9 @@ if test -z "$ac_cv_prog_LIPO"; then
   ac_ct_LIPO=$LIPO
   # Extract the first word of "lipo", so it can be a program name with args.
 set dummy lipo; ac_word=$2
-{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_ac_ct_LIPO+set}" = set; then
+if test "${ac_cv_prog_ac_ct_LIPO+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
   if test -n "$ac_ct_LIPO"; then
@@ -8665,24 +8613,24 @@ for as_dir in $PATH
 do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
+    for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_ac_ct_LIPO="lipo"
-    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
-done
+  done
 IFS=$as_save_IFS
 
 fi
 fi
 ac_ct_LIPO=$ac_cv_prog_ac_ct_LIPO
 if test -n "$ac_ct_LIPO"; then
-  { $as_echo "$as_me:$LINENO: result: $ac_ct_LIPO" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_LIPO" >&5
 $as_echo "$ac_ct_LIPO" >&6; }
 else
-  { $as_echo "$as_me:$LINENO: result: no" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; }
 fi
 
@@ -8691,7 +8639,7 @@ fi
   else
     case $cross_compiling:$ac_tool_warned in
 yes:)
-{ $as_echo "$as_me:$LINENO: WARNING: using cross tools not prefixed with host triplet" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5
 $as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;}
 ac_tool_warned=yes ;;
 esac
@@ -8704,9 +8652,9 @@ fi
     if test -n "$ac_tool_prefix"; then
   # Extract the first word of "${ac_tool_prefix}otool", so it can be a program name with args.
 set dummy ${ac_tool_prefix}otool; ac_word=$2
-{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_OTOOL+set}" = set; then
+if test "${ac_cv_prog_OTOOL+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
   if test -n "$OTOOL"; then
@@ -8717,24 +8665,24 @@ for as_dir in $PATH
 do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
+    for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_OTOOL="${ac_tool_prefix}otool"
-    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
-done
+  done
 IFS=$as_save_IFS
 
 fi
 fi
 OTOOL=$ac_cv_prog_OTOOL
 if test -n "$OTOOL"; then
-  { $as_echo "$as_me:$LINENO: result: $OTOOL" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $OTOOL" >&5
 $as_echo "$OTOOL" >&6; }
 else
-  { $as_echo "$as_me:$LINENO: result: no" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; }
 fi
 
@@ -8744,9 +8692,9 @@ if test -z "$ac_cv_prog_OTOOL"; then
   ac_ct_OTOOL=$OTOOL
   # Extract the first word of "otool", so it can be a program name with args.
 set dummy otool; ac_word=$2
-{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_ac_ct_OTOOL+set}" = set; then
+if test "${ac_cv_prog_ac_ct_OTOOL+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
   if test -n "$ac_ct_OTOOL"; then
@@ -8757,24 +8705,24 @@ for as_dir in $PATH
 do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
+    for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_ac_ct_OTOOL="otool"
-    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
-done
+  done
 IFS=$as_save_IFS
 
 fi
 fi
 ac_ct_OTOOL=$ac_cv_prog_ac_ct_OTOOL
 if test -n "$ac_ct_OTOOL"; then
-  { $as_echo "$as_me:$LINENO: result: $ac_ct_OTOOL" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_OTOOL" >&5
 $as_echo "$ac_ct_OTOOL" >&6; }
 else
-  { $as_echo "$as_me:$LINENO: result: no" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; }
 fi
 
@@ -8783,7 +8731,7 @@ fi
   else
     case $cross_compiling:$ac_tool_warned in
 yes:)
-{ $as_echo "$as_me:$LINENO: WARNING: using cross tools not prefixed with host triplet" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5
 $as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;}
 ac_tool_warned=yes ;;
 esac
@@ -8796,9 +8744,9 @@ fi
     if test -n "$ac_tool_prefix"; then
   # Extract the first word of "${ac_tool_prefix}otool64", so it can be a program name with args.
 set dummy ${ac_tool_prefix}otool64; ac_word=$2
-{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_OTOOL64+set}" = set; then
+if test "${ac_cv_prog_OTOOL64+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
   if test -n "$OTOOL64"; then
@@ -8809,24 +8757,24 @@ for as_dir in $PATH
 do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
+    for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_OTOOL64="${ac_tool_prefix}otool64"
-    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
-done
+  done
 IFS=$as_save_IFS
 
 fi
 fi
 OTOOL64=$ac_cv_prog_OTOOL64
 if test -n "$OTOOL64"; then
-  { $as_echo "$as_me:$LINENO: result: $OTOOL64" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $OTOOL64" >&5
 $as_echo "$OTOOL64" >&6; }
 else
-  { $as_echo "$as_me:$LINENO: result: no" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; }
 fi
 
@@ -8836,9 +8784,9 @@ if test -z "$ac_cv_prog_OTOOL64"; then
   ac_ct_OTOOL64=$OTOOL64
   # Extract the first word of "otool64", so it can be a program name with args.
 set dummy otool64; ac_word=$2
-{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_ac_ct_OTOOL64+set}" = set; then
+if test "${ac_cv_prog_ac_ct_OTOOL64+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
   if test -n "$ac_ct_OTOOL64"; then
@@ -8849,24 +8797,24 @@ for as_dir in $PATH
 do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
+    for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_ac_ct_OTOOL64="otool64"
-    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
-done
+  done
 IFS=$as_save_IFS
 
 fi
 fi
 ac_ct_OTOOL64=$ac_cv_prog_ac_ct_OTOOL64
 if test -n "$ac_ct_OTOOL64"; then
-  { $as_echo "$as_me:$LINENO: result: $ac_ct_OTOOL64" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_OTOOL64" >&5
 $as_echo "$ac_ct_OTOOL64" >&6; }
 else
-  { $as_echo "$as_me:$LINENO: result: no" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; }
 fi
 
@@ -8875,7 +8823,7 @@ fi
   else
     case $cross_compiling:$ac_tool_warned in
 yes:)
-{ $as_echo "$as_me:$LINENO: WARNING: using cross tools not prefixed with host triplet" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5
 $as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;}
 ac_tool_warned=yes ;;
 esac
@@ -8911,9 +8859,9 @@ fi
 
 
 
-    { $as_echo "$as_me:$LINENO: checking for -single_module linker flag" >&5
+    { $as_echo "$as_me:${as_lineno-$LINENO}: checking for -single_module linker flag" >&5
 $as_echo_n "checking for -single_module linker flag... " >&6; }
-if test "${lt_cv_apple_cc_single_mod+set}" = set; then
+if test "${lt_cv_apple_cc_single_mod+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
   lt_cv_apple_cc_single_mod=no
@@ -8938,22 +8886,18 @@ else
 	rm -f conftest.*
       fi
 fi
-{ $as_echo "$as_me:$LINENO: result: $lt_cv_apple_cc_single_mod" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_apple_cc_single_mod" >&5
 $as_echo "$lt_cv_apple_cc_single_mod" >&6; }
-    { $as_echo "$as_me:$LINENO: checking for -exported_symbols_list linker flag" >&5
+    { $as_echo "$as_me:${as_lineno-$LINENO}: checking for -exported_symbols_list linker flag" >&5
 $as_echo_n "checking for -exported_symbols_list linker flag... " >&6; }
-if test "${lt_cv_ld_exported_symbols_list+set}" = set; then
+if test "${lt_cv_ld_exported_symbols_list+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
   lt_cv_ld_exported_symbols_list=no
       save_LDFLAGS=$LDFLAGS
       echo "_main" > conftest.sym
       LDFLAGS="$LDFLAGS -Wl,-exported_symbols_list,conftest.sym"
-      cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
+      cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
 int
@@ -8964,42 +8908,17 @@ main ()
   return 0;
 }
 _ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+if ac_fn_c_try_link "$LINENO"; then :
   lt_cv_ld_exported_symbols_list=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	lt_cv_ld_exported_symbols_list=no
+  lt_cv_ld_exported_symbols_list=no
 fi
-
-rm -rf conftest.dSYM
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
 	LDFLAGS="$save_LDFLAGS"
 
 fi
-{ $as_echo "$as_me:$LINENO: result: $lt_cv_ld_exported_symbols_list" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_ld_exported_symbols_list" >&5
 $as_echo "$lt_cv_ld_exported_symbols_list" >&6; }
     case $host_os in
     rhapsody* | darwin1.[012])
@@ -9036,62 +8955,13 @@ $as_echo "$lt_cv_ld_exported_symbols_list" >&6; }
     ;;
   esac
 
-
 for ac_header in dlfcn.h
-do
-as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
-{ $as_echo "$as_me:$LINENO: checking for $ac_header" >&5
-$as_echo_n "checking for $ac_header... " >&6; }
-if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
-  $as_echo_n "(cached) " >&6
-else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-$ac_includes_default
-
-#include <$ac_header>
-_ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  eval "$as_ac_Header=yes"
-else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	eval "$as_ac_Header=no"
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-fi
-ac_res=`eval 'as_val=${'$as_ac_Header'}
-		 $as_echo "$as_val"'`
-	       { $as_echo "$as_me:$LINENO: result: $ac_res" >&5
-$as_echo "$ac_res" >&6; }
-as_val=`eval 'as_val=${'$as_ac_Header'}
-		 $as_echo "$as_val"'`
-   if test "x$as_val" = x""yes; then
+do :
+  ac_fn_c_check_header_compile "$LINENO" "dlfcn.h" "ac_cv_header_dlfcn_h" "$ac_includes_default
+"
+if test "x$ac_cv_header_dlfcn_h" = x""yes; then :
   cat >>confdefs.h <<_ACEOF
-#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1
+#define HAVE_DLFCN_H 1
 _ACEOF
 
 fi
@@ -9111,7 +8981,7 @@ done
 
 
             # Check whether --enable-shared was given.
-if test "${enable_shared+set}" = set; then
+if test "${enable_shared+set}" = set; then :
   enableval=$enable_shared; p=${PACKAGE-default}
     case $enableval in
     yes) enable_shared=yes ;;
@@ -9142,7 +9012,7 @@ fi
 
 
   # Check whether --enable-static was given.
-if test "${enable_static+set}" = set; then
+if test "${enable_static+set}" = set; then :
   enableval=$enable_static; p=${PACKAGE-default}
     case $enableval in
     yes) enable_static=yes ;;
@@ -9174,7 +9044,7 @@ fi
 
 
 # Check whether --with-pic was given.
-if test "${with_pic+set}" = set; then
+if test "${with_pic+set}" = set; then :
   withval=$with_pic; pic_mode="$withval"
 else
   pic_mode=default
@@ -9190,7 +9060,7 @@ test -z "$pic_mode" && pic_mode=default
 
 
   # Check whether --enable-fast-install was given.
-if test "${enable_fast_install+set}" = set; then
+if test "${enable_fast_install+set}" = set; then :
   enableval=$enable_fast_install; p=${PACKAGE-default}
     case $enableval in
     yes) enable_fast_install=yes ;;
@@ -9271,9 +9141,9 @@ if test -n "${ZSH_VERSION+set}" ; then
    setopt NO_GLOB_SUBST
 fi
 
-{ $as_echo "$as_me:$LINENO: checking for objdir" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for objdir" >&5
 $as_echo_n "checking for objdir... " >&6; }
-if test "${lt_cv_objdir+set}" = set; then
+if test "${lt_cv_objdir+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
   rm -f .libs 2>/dev/null
@@ -9286,7 +9156,7 @@ else
 fi
 rmdir .libs 2>/dev/null
 fi
-{ $as_echo "$as_me:$LINENO: result: $lt_cv_objdir" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_objdir" >&5
 $as_echo "$lt_cv_objdir" >&6; }
 objdir=$lt_cv_objdir
 
@@ -9379,9 +9249,9 @@ test -z "$MAGIC_CMD" && MAGIC_CMD=file
 case $deplibs_check_method in
 file_magic*)
   if test "$file_magic_cmd" = '$MAGIC_CMD'; then
-    { $as_echo "$as_me:$LINENO: checking for ${ac_tool_prefix}file" >&5
+    { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ${ac_tool_prefix}file" >&5
 $as_echo_n "checking for ${ac_tool_prefix}file... " >&6; }
-if test "${lt_cv_path_MAGIC_CMD+set}" = set; then
+if test "${lt_cv_path_MAGIC_CMD+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
   case $MAGIC_CMD in
@@ -9432,10 +9302,10 @@ fi
 
 MAGIC_CMD="$lt_cv_path_MAGIC_CMD"
 if test -n "$MAGIC_CMD"; then
-  { $as_echo "$as_me:$LINENO: result: $MAGIC_CMD" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $MAGIC_CMD" >&5
 $as_echo "$MAGIC_CMD" >&6; }
 else
-  { $as_echo "$as_me:$LINENO: result: no" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; }
 fi
 
@@ -9445,9 +9315,9 @@ fi
 
 if test -z "$lt_cv_path_MAGIC_CMD"; then
   if test -n "$ac_tool_prefix"; then
-    { $as_echo "$as_me:$LINENO: checking for file" >&5
+    { $as_echo "$as_me:${as_lineno-$LINENO}: checking for file" >&5
 $as_echo_n "checking for file... " >&6; }
-if test "${lt_cv_path_MAGIC_CMD+set}" = set; then
+if test "${lt_cv_path_MAGIC_CMD+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
   case $MAGIC_CMD in
@@ -9498,10 +9368,10 @@ fi
 
 MAGIC_CMD="$lt_cv_path_MAGIC_CMD"
 if test -n "$MAGIC_CMD"; then
-  { $as_echo "$as_me:$LINENO: result: $MAGIC_CMD" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $MAGIC_CMD" >&5
 $as_echo "$MAGIC_CMD" >&6; }
 else
-  { $as_echo "$as_me:$LINENO: result: no" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; }
 fi
 
@@ -9571,6 +9441,10 @@ _lt_linker_boilerplate=`cat conftest.err`
 $RM -r conftest*
 
 
+## CAVEAT EMPTOR:
+## There is no encapsulation within the following macros, do not change
+## the running order or otherwise move them around unless you know exactly
+## what you are doing...
 if test -n "$compiler"; then
 
 lt_prog_compiler_no_builtin_flag=
@@ -9578,9 +9452,9 @@ lt_prog_compiler_no_builtin_flag=
 if test "$GCC" = yes; then
   lt_prog_compiler_no_builtin_flag=' -fno-builtin'
 
-  { $as_echo "$as_me:$LINENO: checking if $compiler supports -fno-rtti -fno-exceptions" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $compiler supports -fno-rtti -fno-exceptions" >&5
 $as_echo_n "checking if $compiler supports -fno-rtti -fno-exceptions... " >&6; }
-if test "${lt_cv_prog_compiler_rtti_exceptions+set}" = set; then
+if test "${lt_cv_prog_compiler_rtti_exceptions+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
   lt_cv_prog_compiler_rtti_exceptions=no
@@ -9596,11 +9470,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:9599: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:9473: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:9603: \$? = $ac_status" >&5
+   echo "$as_me:9477: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -9613,7 +9487,7 @@ else
    $RM conftest*
 
 fi
-{ $as_echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_rtti_exceptions" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_prog_compiler_rtti_exceptions" >&5
 $as_echo "$lt_cv_prog_compiler_rtti_exceptions" >&6; }
 
 if test x"$lt_cv_prog_compiler_rtti_exceptions" = xyes; then
@@ -9633,7 +9507,7 @@ fi
 lt_prog_compiler_pic=
 lt_prog_compiler_static=
 
-{ $as_echo "$as_me:$LINENO: checking for $compiler option to produce PIC" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $compiler option to produce PIC" >&5
 $as_echo_n "checking for $compiler option to produce PIC... " >&6; }
 
   if test "$GCC" = yes; then
@@ -9905,7 +9779,7 @@ case $host_os in
     lt_prog_compiler_pic="$lt_prog_compiler_pic -DPIC"
     ;;
 esac
-{ $as_echo "$as_me:$LINENO: result: $lt_prog_compiler_pic" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_prog_compiler_pic" >&5
 $as_echo "$lt_prog_compiler_pic" >&6; }
 
 
@@ -9917,9 +9791,9 @@ $as_echo "$lt_prog_compiler_pic" >&6; }
 # Check to make sure the PIC flag actually works.
 #
 if test -n "$lt_prog_compiler_pic"; then
-  { $as_echo "$as_me:$LINENO: checking if $compiler PIC flag $lt_prog_compiler_pic works" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $compiler PIC flag $lt_prog_compiler_pic works" >&5
 $as_echo_n "checking if $compiler PIC flag $lt_prog_compiler_pic works... " >&6; }
-if test "${lt_cv_prog_compiler_pic_works+set}" = set; then
+if test "${lt_cv_prog_compiler_pic_works+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
   lt_cv_prog_compiler_pic_works=no
@@ -9935,11 +9809,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:9938: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:9812: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:9942: \$? = $ac_status" >&5
+   echo "$as_me:9816: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -9952,7 +9826,7 @@ else
    $RM conftest*
 
 fi
-{ $as_echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_pic_works" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_prog_compiler_pic_works" >&5
 $as_echo "$lt_cv_prog_compiler_pic_works" >&6; }
 
 if test x"$lt_cv_prog_compiler_pic_works" = xyes; then
@@ -9976,9 +9850,9 @@ fi
 # Check to make sure the static flag actually works.
 #
 wl=$lt_prog_compiler_wl eval lt_tmp_static_flag=\"$lt_prog_compiler_static\"
-{ $as_echo "$as_me:$LINENO: checking if $compiler static flag $lt_tmp_static_flag works" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if $compiler static flag $lt_tmp_static_flag works" >&5
 $as_echo_n "checking if $compiler static flag $lt_tmp_static_flag works... " >&6; }
-if test "${lt_cv_prog_compiler_static_works+set}" = set; then
+if test "${lt_cv_prog_compiler_static_works+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
   lt_cv_prog_compiler_static_works=no
@@ -10004,7 +9878,7 @@ else
    LDFLAGS="$save_LDFLAGS"
 
 fi
-{ $as_echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_static_works" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_prog_compiler_static_works" >&5
 $as_echo "$lt_cv_prog_compiler_static_works" >&6; }
 
 if test x"$lt_cv_prog_compiler_static_works" = xyes; then
@@ -10019,9 +9893,9 @@ fi
 
 
 
-  { $as_echo "$as_me:$LINENO: checking if $compiler supports -c -o file.$ac_objext" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $compiler supports -c -o file.$ac_objext" >&5
 $as_echo_n "checking if $compiler supports -c -o file.$ac_objext... " >&6; }
-if test "${lt_cv_prog_compiler_c_o+set}" = set; then
+if test "${lt_cv_prog_compiler_c_o+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
   lt_cv_prog_compiler_c_o=no
@@ -10040,11 +9914,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:10043: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:9917: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:10047: \$? = $ac_status" >&5
+   echo "$as_me:9921: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -10066,7 +9940,7 @@ else
    $RM conftest*
 
 fi
-{ $as_echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_c_o" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_prog_compiler_c_o" >&5
 $as_echo "$lt_cv_prog_compiler_c_o" >&6; }
 
 
@@ -10074,9 +9948,9 @@ $as_echo "$lt_cv_prog_compiler_c_o" >&6; }
 
 
 
-  { $as_echo "$as_me:$LINENO: checking if $compiler supports -c -o file.$ac_objext" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $compiler supports -c -o file.$ac_objext" >&5
 $as_echo_n "checking if $compiler supports -c -o file.$ac_objext... " >&6; }
-if test "${lt_cv_prog_compiler_c_o+set}" = set; then
+if test "${lt_cv_prog_compiler_c_o+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
   lt_cv_prog_compiler_c_o=no
@@ -10095,11 +9969,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:10098: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:9972: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:10102: \$? = $ac_status" >&5
+   echo "$as_me:9976: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -10121,7 +9995,7 @@ else
    $RM conftest*
 
 fi
-{ $as_echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_c_o" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_prog_compiler_c_o" >&5
 $as_echo "$lt_cv_prog_compiler_c_o" >&6; }
 
 
@@ -10130,7 +10004,7 @@ $as_echo "$lt_cv_prog_compiler_c_o" >&6; }
 hard_links="nottested"
 if test "$lt_cv_prog_compiler_c_o" = no && test "$need_locks" != no; then
   # do not overwrite the value of need_locks provided by the user
-  { $as_echo "$as_me:$LINENO: checking if we can lock with hard links" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking if we can lock with hard links" >&5
 $as_echo_n "checking if we can lock with hard links... " >&6; }
   hard_links=yes
   $RM conftest*
@@ -10138,10 +10012,10 @@ $as_echo_n "checking if we can lock with hard links... " >&6; }
   touch conftest.a
   ln conftest.a conftest.b 2>&5 || hard_links=no
   ln conftest.a conftest.b 2>/dev/null && hard_links=no
-  { $as_echo "$as_me:$LINENO: result: $hard_links" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $hard_links" >&5
 $as_echo "$hard_links" >&6; }
   if test "$hard_links" = no; then
-    { $as_echo "$as_me:$LINENO: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&5
+    { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&5
 $as_echo "$as_me: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&2;}
     need_locks=warn
   fi
@@ -10154,7 +10028,7 @@ fi
 
 
 
-  { $as_echo "$as_me:$LINENO: checking whether the $compiler linker ($LD) supports shared libraries" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the $compiler linker ($LD) supports shared libraries" >&5
 $as_echo_n "checking whether the $compiler linker ($LD) supports shared libraries... " >&6; }
 
   runpath_var=
@@ -10214,6 +10088,9 @@ $as_echo_n "checking whether the $compiler linker ($LD) supports shared librarie
   openbsd*)
     with_gnu_ld=no
     ;;
+  linux* | k*bsd*-gnu)
+    link_all_deplibs=no
+    ;;
   esac
 
   ld_shlibs=yes
@@ -10597,11 +10474,7 @@ _LT_EOF
 	allow_undefined_flag='-berok'
         # Determine the default libpath from the value encoded in an
         # empty executable.
-        cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
+        cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
 int
@@ -10612,27 +10485,7 @@ main ()
   return 0;
 }
 _ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+if ac_fn_c_try_link "$LINENO"; then :
 
 lt_aix_libpath_sed='
     /Import File Strings/,/^$/ {
@@ -10646,16 +10499,9 @@ aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpat
 if test -z "$aix_libpath"; then
   aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
 fi
-else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-
 fi
-
-rm -rf conftest.dSYM
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
 if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
 
         hardcode_libdir_flag_spec='${wl}-blibpath:$libdir:'"$aix_libpath"
@@ -10668,11 +10514,7 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
 	else
 	 # Determine the default libpath from the value encoded in an
 	 # empty executable.
-	 cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
+	 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
 int
@@ -10683,27 +10525,7 @@ main ()
   return 0;
 }
 _ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+if ac_fn_c_try_link "$LINENO"; then :
 
 lt_aix_libpath_sed='
     /Import File Strings/,/^$/ {
@@ -10717,16 +10539,9 @@ aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpat
 if test -z "$aix_libpath"; then
   aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
 fi
-else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-
 fi
-
-rm -rf conftest.dSYM
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
 if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
 
 	 hardcode_libdir_flag_spec='${wl}-blibpath:$libdir:'"$aix_libpath"
@@ -10938,42 +10753,16 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
 	# implicitly export all symbols.
         save_LDFLAGS="$LDFLAGS"
         LDFLAGS="$LDFLAGS -shared ${wl}-exported_symbol ${wl}foo ${wl}-update_registry ${wl}/dev/null"
-        cat >conftest.$ac_ext <<_ACEOF
+        cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
 int foo(void) {}
 _ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+if ac_fn_c_try_link "$LINENO"; then :
   archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && $ECHO "X${wl}-set_version ${wl}$verstring" | $Xsed` ${wl}-update_registry ${wl}${output_objdir}/so_locations ${wl}-exports_file ${wl}$export_symbols -o $lib'
 
-else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-
 fi
-
-rm -rf conftest.dSYM
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
         LDFLAGS="$save_LDFLAGS"
       else
 	archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && $ECHO "X-set_version $verstring" | $Xsed` -update_registry ${output_objdir}/so_locations -o $lib'
@@ -11229,7 +11018,7 @@ rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
     fi
   fi
 
-{ $as_echo "$as_me:$LINENO: result: $ld_shlibs" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ld_shlibs" >&5
 $as_echo "$ld_shlibs" >&6; }
 test "$ld_shlibs" = no && can_build_shared=no
 
@@ -11266,16 +11055,16 @@ x|xyes)
       # Test whether the compiler implicitly links with -lc since on some
       # systems, -lgcc has to come before -lc. If gcc already passes -lc
       # to ld, don't add -lc before -lgcc.
-      { $as_echo "$as_me:$LINENO: checking whether -lc should be explicitly linked in" >&5
+      { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether -lc should be explicitly linked in" >&5
 $as_echo_n "checking whether -lc should be explicitly linked in... " >&6; }
       $RM conftest*
       echo "$lt_simple_compile_test_code" > conftest.$ac_ext
 
-      if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+      if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5
   (eval $ac_compile) 2>&5
   ac_status=$?
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } 2>conftest.err; then
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; } 2>conftest.err; then
         soname=conftest
         lib=conftest
         libobjs=conftest.$ac_objext
@@ -11289,11 +11078,11 @@ $as_echo_n "checking whether -lc should be explicitly linked in... " >&6; }
         libname=conftest
         lt_save_allow_undefined_flag=$allow_undefined_flag
         allow_undefined_flag=
-        if { (eval echo "$as_me:$LINENO: \"$archive_cmds 2\>\&1 \| $GREP \" -lc \" \>/dev/null 2\>\&1\"") >&5
+        if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$archive_cmds 2\>\&1 \| $GREP \" -lc \" \>/dev/null 2\>\&1\""; } >&5
   (eval $archive_cmds 2\>\&1 \| $GREP \" -lc \" \>/dev/null 2\>\&1) 2>&5
   ac_status=$?
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }
         then
 	  archive_cmds_need_lc=no
         else
@@ -11304,7 +11093,7 @@ $as_echo_n "checking whether -lc should be explicitly linked in... " >&6; }
         cat conftest.err 1>&5
       fi
       $RM conftest*
-      { $as_echo "$as_me:$LINENO: result: $archive_cmds_need_lc" >&5
+      { $as_echo "$as_me:${as_lineno-$LINENO}: result: $archive_cmds_need_lc" >&5
 $as_echo "$archive_cmds_need_lc" >&6; }
       ;;
     esac
@@ -11468,7 +11257,7 @@ esac
 
 
 
-  { $as_echo "$as_me:$LINENO: checking dynamic linker characteristics" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking dynamic linker characteristics" >&5
 $as_echo_n "checking dynamic linker characteristics... " >&6; }
 
 if test "$GCC" = yes; then
@@ -11890,11 +11679,7 @@ linux* | k*bsd*-gnu)
   save_libdir=$libdir
   eval "libdir=/foo; wl=\"$lt_prog_compiler_wl\"; \
        LDFLAGS=\"\$LDFLAGS $hardcode_libdir_flag_spec\""
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
 int
@@ -11905,41 +11690,13 @@ main ()
   return 0;
 }
 _ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
-  if  ($OBJDUMP -p conftest$ac_exeext) 2>/dev/null | grep "RUNPATH.*$libdir" >/dev/null; then
+if ac_fn_c_try_link "$LINENO"; then :
+  if  ($OBJDUMP -p conftest$ac_exeext) 2>/dev/null | grep "RUNPATH.*$libdir" >/dev/null; then :
   shlibpath_overrides_runpath=yes
 fi
-
-else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-
 fi
-
-rm -rf conftest.dSYM
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
   LDFLAGS=$save_LDFLAGS
   libdir=$save_libdir
 
@@ -12163,7 +11920,7 @@ uts4*)
   dynamic_linker=no
   ;;
 esac
-{ $as_echo "$as_me:$LINENO: result: $dynamic_linker" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $dynamic_linker" >&5
 $as_echo "$dynamic_linker" >&6; }
 test "$dynamic_linker" = no && can_build_shared=no
 
@@ -12265,7 +12022,7 @@ fi
 
 
 
-  { $as_echo "$as_me:$LINENO: checking how to hardcode library paths into programs" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking how to hardcode library paths into programs" >&5
 $as_echo_n "checking how to hardcode library paths into programs... " >&6; }
 hardcode_action=
 if test -n "$hardcode_libdir_flag_spec" ||
@@ -12290,7 +12047,7 @@ else
   # directories.
   hardcode_action=unsupported
 fi
-{ $as_echo "$as_me:$LINENO: result: $hardcode_action" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $hardcode_action" >&5
 $as_echo "$hardcode_action" >&6; }
 
 if test "$hardcode_action" = relink ||
@@ -12335,18 +12092,14 @@ else
 
   darwin*)
   # if libdl is installed we need to link against it
-    { $as_echo "$as_me:$LINENO: checking for dlopen in -ldl" >&5
+    { $as_echo "$as_me:${as_lineno-$LINENO}: checking for dlopen in -ldl" >&5
 $as_echo_n "checking for dlopen in -ldl... " >&6; }
-if test "${ac_cv_lib_dl_dlopen+set}" = set; then
+if test "${ac_cv_lib_dl_dlopen+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
 LIBS="-ldl  $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
 /* Override any GCC internal prototype to avoid an error.
@@ -12364,43 +12117,18 @@ return dlopen ();
   return 0;
 }
 _ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+if ac_fn_c_try_link "$LINENO"; then :
   ac_cv_lib_dl_dlopen=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_cv_lib_dl_dlopen=no
+  ac_cv_lib_dl_dlopen=no
 fi
-
-rm -rf conftest.dSYM
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_dl_dlopen" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_dl_dlopen" >&5
 $as_echo "$ac_cv_lib_dl_dlopen" >&6; }
-if test "x$ac_cv_lib_dl_dlopen" = x""yes; then
+if test "x$ac_cv_lib_dl_dlopen" = x""yes; then :
   lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-ldl"
 else
 
@@ -12413,33 +12141,19 @@ fi
     ;;
 
   *)
-    { $as_echo "$as_me:$LINENO: checking for shl_load" >&5
-$as_echo_n "checking for shl_load... " >&6; }
-if test "${ac_cv_func_shl_load+set}" = set; then
+    ac_fn_c_check_func "$LINENO" "shl_load" "ac_cv_func_shl_load"
+if test "x$ac_cv_func_shl_load" = x""yes; then :
+  lt_cv_dlopen="shl_load"
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking for shl_load in -ldld" >&5
+$as_echo_n "checking for shl_load in -ldld... " >&6; }
+if test "${ac_cv_lib_dld_shl_load+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-ldld  $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
-/* Define shl_load to an innocuous variant, in case <limits.h> declares shl_load.
-   For example, HP-UX 11i <limits.h> declares gettimeofday.  */
-#define shl_load innocuous_shl_load
-
-/* System header to define __stub macros and hopefully few prototypes,
-    which can conflict with char shl_load (); below.
-    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
-    <limits.h> exists even on freestanding compilers.  */
-
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
-
-#undef shl_load
 
 /* Override any GCC internal prototype to avoid an error.
    Use char because int might match the return type of a GCC
@@ -12448,13 +12162,6 @@ cat >>conftest.$ac_ext <<_ACEOF
 extern "C"
 #endif
 char shl_load ();
-/* The GNU C library defines this for functions which it implements
-    to always fail with ENOSYS.  Some functions are actually named
-    something starting with __ and the normal name is an alias.  */
-#if defined __stub_shl_load || defined __stub___shl_load
-choke me
-#endif
-
 int
 main ()
 {
@@ -12463,56 +12170,32 @@ return shl_load ();
   return 0;
 }
 _ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
-  ac_cv_func_shl_load=yes
+if ac_fn_c_try_link "$LINENO"; then :
+  ac_cv_lib_dld_shl_load=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_cv_func_shl_load=no
+  ac_cv_lib_dld_shl_load=no
 fi
-
-rm -rf conftest.dSYM
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_func_shl_load" >&5
-$as_echo "$ac_cv_func_shl_load" >&6; }
-if test "x$ac_cv_func_shl_load" = x""yes; then
-  lt_cv_dlopen="shl_load"
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_dld_shl_load" >&5
+$as_echo "$ac_cv_lib_dld_shl_load" >&6; }
+if test "x$ac_cv_lib_dld_shl_load" = x""yes; then :
+  lt_cv_dlopen="shl_load" lt_cv_dlopen_libs="-ldld"
 else
-  { $as_echo "$as_me:$LINENO: checking for shl_load in -ldld" >&5
-$as_echo_n "checking for shl_load in -ldld... " >&6; }
-if test "${ac_cv_lib_dld_shl_load+set}" = set; then
+  ac_fn_c_check_func "$LINENO" "dlopen" "ac_cv_func_dlopen"
+if test "x$ac_cv_func_dlopen" = x""yes; then :
+  lt_cv_dlopen="dlopen"
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking for dlopen in -ldl" >&5
+$as_echo_n "checking for dlopen in -ldl... " >&6; }
+if test "${ac_cv_lib_dl_dlopen+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
-LIBS="-ldld  $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
+LIBS="-ldl  $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
 /* Override any GCC internal prototype to avoid an error.
@@ -12521,222 +12204,37 @@ cat >>conftest.$ac_ext <<_ACEOF
 #ifdef __cplusplus
 extern "C"
 #endif
-char shl_load ();
+char dlopen ();
 int
 main ()
 {
-return shl_load ();
+return dlopen ();
   ;
   return 0;
 }
 _ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
-  ac_cv_lib_dld_shl_load=yes
+if ac_fn_c_try_link "$LINENO"; then :
+  ac_cv_lib_dl_dlopen=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_cv_lib_dld_shl_load=no
-fi
-
-rm -rf conftest.dSYM
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_dld_shl_load" >&5
-$as_echo "$ac_cv_lib_dld_shl_load" >&6; }
-if test "x$ac_cv_lib_dld_shl_load" = x""yes; then
-  lt_cv_dlopen="shl_load" lt_cv_dlopen_libs="-ldld"
-else
-  { $as_echo "$as_me:$LINENO: checking for dlopen" >&5
-$as_echo_n "checking for dlopen... " >&6; }
-if test "${ac_cv_func_dlopen+set}" = set; then
-  $as_echo_n "(cached) " >&6
-else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-/* Define dlopen to an innocuous variant, in case <limits.h> declares dlopen.
-   For example, HP-UX 11i <limits.h> declares gettimeofday.  */
-#define dlopen innocuous_dlopen
-
-/* System header to define __stub macros and hopefully few prototypes,
-    which can conflict with char dlopen (); below.
-    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
-    <limits.h> exists even on freestanding compilers.  */
-
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
-
-#undef dlopen
-
-/* Override any GCC internal prototype to avoid an error.
-   Use char because int might match the return type of a GCC
-   builtin and then its argument prototype would still apply.  */
-#ifdef __cplusplus
-extern "C"
-#endif
-char dlopen ();
-/* The GNU C library defines this for functions which it implements
-    to always fail with ENOSYS.  Some functions are actually named
-    something starting with __ and the normal name is an alias.  */
-#if defined __stub_dlopen || defined __stub___dlopen
-choke me
-#endif
-
-int
-main ()
-{
-return dlopen ();
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
-  ac_cv_func_dlopen=yes
-else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_cv_func_dlopen=no
-fi
-
-rm -rf conftest.dSYM
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
-fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_func_dlopen" >&5
-$as_echo "$ac_cv_func_dlopen" >&6; }
-if test "x$ac_cv_func_dlopen" = x""yes; then
-  lt_cv_dlopen="dlopen"
-else
-  { $as_echo "$as_me:$LINENO: checking for dlopen in -ldl" >&5
-$as_echo_n "checking for dlopen in -ldl... " >&6; }
-if test "${ac_cv_lib_dl_dlopen+set}" = set; then
-  $as_echo_n "(cached) " >&6
-else
-  ac_check_lib_save_LIBS=$LIBS
-LIBS="-ldl  $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-/* Override any GCC internal prototype to avoid an error.
-   Use char because int might match the return type of a GCC
-   builtin and then its argument prototype would still apply.  */
-#ifdef __cplusplus
-extern "C"
-#endif
-char dlopen ();
-int
-main ()
-{
-return dlopen ();
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
-  ac_cv_lib_dl_dlopen=yes
-else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_cv_lib_dl_dlopen=no
+  ac_cv_lib_dl_dlopen=no
 fi
-
-rm -rf conftest.dSYM
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_dl_dlopen" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_dl_dlopen" >&5
 $as_echo "$ac_cv_lib_dl_dlopen" >&6; }
-if test "x$ac_cv_lib_dl_dlopen" = x""yes; then
+if test "x$ac_cv_lib_dl_dlopen" = x""yes; then :
   lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-ldl"
 else
-  { $as_echo "$as_me:$LINENO: checking for dlopen in -lsvld" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking for dlopen in -lsvld" >&5
 $as_echo_n "checking for dlopen in -lsvld... " >&6; }
-if test "${ac_cv_lib_svld_dlopen+set}" = set; then
+if test "${ac_cv_lib_svld_dlopen+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
 LIBS="-lsvld  $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
 /* Override any GCC internal prototype to avoid an error.
@@ -12754,57 +12252,28 @@ return dlopen ();
   return 0;
 }
 _ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+if ac_fn_c_try_link "$LINENO"; then :
   ac_cv_lib_svld_dlopen=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_cv_lib_svld_dlopen=no
+  ac_cv_lib_svld_dlopen=no
 fi
-
-rm -rf conftest.dSYM
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_svld_dlopen" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_svld_dlopen" >&5
 $as_echo "$ac_cv_lib_svld_dlopen" >&6; }
-if test "x$ac_cv_lib_svld_dlopen" = x""yes; then
+if test "x$ac_cv_lib_svld_dlopen" = x""yes; then :
   lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-lsvld"
 else
-  { $as_echo "$as_me:$LINENO: checking for dld_link in -ldld" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking for dld_link in -ldld" >&5
 $as_echo_n "checking for dld_link in -ldld... " >&6; }
-if test "${ac_cv_lib_dld_dld_link+set}" = set; then
+if test "${ac_cv_lib_dld_dld_link+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
 LIBS="-ldld  $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
 /* Override any GCC internal prototype to avoid an error.
@@ -12822,43 +12291,18 @@ return dld_link ();
   return 0;
 }
 _ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+if ac_fn_c_try_link "$LINENO"; then :
   ac_cv_lib_dld_dld_link=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_cv_lib_dld_dld_link=no
+  ac_cv_lib_dld_dld_link=no
 fi
-
-rm -rf conftest.dSYM
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_dld_dld_link" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_dld_dld_link" >&5
 $as_echo "$ac_cv_lib_dld_dld_link" >&6; }
-if test "x$ac_cv_lib_dld_dld_link" = x""yes; then
+if test "x$ac_cv_lib_dld_dld_link" = x""yes; then :
   lt_cv_dlopen="dld_link" lt_cv_dlopen_libs="-ldld"
 fi
 
@@ -12897,9 +12341,9 @@ fi
     save_LIBS="$LIBS"
     LIBS="$lt_cv_dlopen_libs $LIBS"
 
-    { $as_echo "$as_me:$LINENO: checking whether a program can dlopen itself" >&5
+    { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether a program can dlopen itself" >&5
 $as_echo_n "checking whether a program can dlopen itself... " >&6; }
-if test "${lt_cv_dlopen_self+set}" = set; then
+if test "${lt_cv_dlopen_self+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
   	  if test "$cross_compiling" = yes; then :
@@ -12908,7 +12352,7 @@ else
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext <<_LT_EOF
-#line 12911 "configure"
+#line 12355 "configure"
 #include "confdefs.h"
 
 #if HAVE_DLFCN_H
@@ -12967,11 +12411,11 @@ int main ()
   return status;
 }
 _LT_EOF
-  if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+  if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_link\""; } >&5
   (eval $ac_link) 2>&5
   ac_status=$?
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && test -s conftest${ac_exeext} 2>/dev/null; then
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; } && test -s conftest${ac_exeext} 2>/dev/null; then
     (./conftest; exit; ) >&5 2>/dev/null
     lt_status=$?
     case x$lt_status in
@@ -12988,14 +12432,14 @@ rm -fr conftest*
 
 
 fi
-{ $as_echo "$as_me:$LINENO: result: $lt_cv_dlopen_self" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_dlopen_self" >&5
 $as_echo "$lt_cv_dlopen_self" >&6; }
 
     if test "x$lt_cv_dlopen_self" = xyes; then
       wl=$lt_prog_compiler_wl eval LDFLAGS=\"\$LDFLAGS $lt_prog_compiler_static\"
-      { $as_echo "$as_me:$LINENO: checking whether a statically linked program can dlopen itself" >&5
+      { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether a statically linked program can dlopen itself" >&5
 $as_echo_n "checking whether a statically linked program can dlopen itself... " >&6; }
-if test "${lt_cv_dlopen_self_static+set}" = set; then
+if test "${lt_cv_dlopen_self_static+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
   	  if test "$cross_compiling" = yes; then :
@@ -13004,7 +12448,7 @@ else
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext <<_LT_EOF
-#line 13007 "configure"
+#line 12451 "configure"
 #include "confdefs.h"
 
 #if HAVE_DLFCN_H
@@ -13063,11 +12507,11 @@ int main ()
   return status;
 }
 _LT_EOF
-  if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+  if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_link\""; } >&5
   (eval $ac_link) 2>&5
   ac_status=$?
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && test -s conftest${ac_exeext} 2>/dev/null; then
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; } && test -s conftest${ac_exeext} 2>/dev/null; then
     (./conftest; exit; ) >&5 2>/dev/null
     lt_status=$?
     case x$lt_status in
@@ -13084,7 +12528,7 @@ rm -fr conftest*
 
 
 fi
-{ $as_echo "$as_me:$LINENO: result: $lt_cv_dlopen_self_static" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_dlopen_self_static" >&5
 $as_echo "$lt_cv_dlopen_self_static" >&6; }
     fi
 
@@ -13123,12 +12567,12 @@ fi
 
 striplib=
 old_striplib=
-{ $as_echo "$as_me:$LINENO: checking whether stripping libraries is possible" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether stripping libraries is possible" >&5
 $as_echo_n "checking whether stripping libraries is possible... " >&6; }
 if test -n "$STRIP" && $STRIP -V 2>&1 | $GREP "GNU strip" >/dev/null; then
   test -z "$old_striplib" && old_striplib="$STRIP --strip-debug"
   test -z "$striplib" && striplib="$STRIP --strip-unneeded"
-  { $as_echo "$as_me:$LINENO: result: yes" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
 $as_echo "yes" >&6; }
 else
 # FIXME - insert some real tests, host_os isn't really good enough
@@ -13137,15 +12581,15 @@ else
     if test -n "$STRIP" ; then
       striplib="$STRIP -x"
       old_striplib="$STRIP -S"
-      { $as_echo "$as_me:$LINENO: result: yes" >&5
+      { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
 $as_echo "yes" >&6; }
     else
-      { $as_echo "$as_me:$LINENO: result: no" >&5
+      { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; }
     fi
     ;;
   *)
-    { $as_echo "$as_me:$LINENO: result: no" >&5
+    { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; }
     ;;
   esac
@@ -13163,12 +12607,12 @@ fi
 
 
   # Report which library types will actually be built
-  { $as_echo "$as_me:$LINENO: checking if libtool supports shared libraries" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking if libtool supports shared libraries" >&5
 $as_echo_n "checking if libtool supports shared libraries... " >&6; }
-  { $as_echo "$as_me:$LINENO: result: $can_build_shared" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $can_build_shared" >&5
 $as_echo "$can_build_shared" >&6; }
 
-  { $as_echo "$as_me:$LINENO: checking whether to build shared libraries" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to build shared libraries" >&5
 $as_echo_n "checking whether to build shared libraries... " >&6; }
   test "$can_build_shared" = "no" && enable_shared=no
 
@@ -13189,14 +12633,14 @@ $as_echo_n "checking whether to build shared libraries... " >&6; }
     fi
     ;;
   esac
-  { $as_echo "$as_me:$LINENO: result: $enable_shared" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $enable_shared" >&5
 $as_echo "$enable_shared" >&6; }
 
-  { $as_echo "$as_me:$LINENO: checking whether to build static libraries" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to build static libraries" >&5
 $as_echo_n "checking whether to build static libraries... " >&6; }
   # Make sure either enable_shared or enable_static is yes.
   test "$enable_shared" = yes || enable_static=yes
-  { $as_echo "$as_me:$LINENO: result: $enable_static" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $enable_static" >&5
 $as_echo "$enable_static" >&6; }
 
 
@@ -13231,9 +12675,9 @@ CC="$lt_save_CC"
 # Only expand once:
 
 
-{ $as_echo "$as_me:$LINENO: checking for egrep" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for egrep" >&5
 $as_echo_n "checking for egrep... " >&6; }
-if test "${ac_cv_path_EGREP+set}" = set; then
+if test "${ac_cv_path_EGREP+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
   if echo a | $GREP -E '(a|b)' >/dev/null 2>&1
@@ -13247,7 +12691,7 @@ for as_dir in $PATH$PATH_SEPARATOR/usr/xpg4/bin
 do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
-  for ac_prog in egrep; do
+    for ac_prog in egrep; do
     for ac_exec_ext in '' $ac_executable_extensions; do
       ac_path_EGREP="$as_dir/$ac_prog$ac_exec_ext"
       { test -f "$ac_path_EGREP" && $as_test_x "$ac_path_EGREP"; } || continue
@@ -13267,7 +12711,7 @@ case `"$ac_path_EGREP" --version 2>&1` in
     $as_echo 'EGREP' >> "conftest.nl"
     "$ac_path_EGREP" 'EGREP$' < "conftest.nl" >"conftest.out" 2>/dev/null || break
     diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break
-    ac_count=`expr $ac_count + 1`
+    as_fn_arith $ac_count + 1 && ac_count=$as_val
     if test $ac_count -gt ${ac_path_EGREP_max-0}; then
       # Best one so far, save it but keep looking for a better one
       ac_cv_path_EGREP="$ac_path_EGREP"
@@ -13282,12 +12726,10 @@ esac
       $ac_path_EGREP_found && break 3
     done
   done
-done
+  done
 IFS=$as_save_IFS
   if test -z "$ac_cv_path_EGREP"; then
-    { { $as_echo "$as_me:$LINENO: error: no acceptable egrep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" >&5
-$as_echo "$as_me: error: no acceptable egrep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" >&2;}
-   { (exit 1); exit 1; }; }
+    as_fn_error "no acceptable egrep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" "$LINENO" 5
   fi
 else
   ac_cv_path_EGREP=$EGREP
@@ -13295,7 +12737,7 @@ fi
 
    fi
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_path_EGREP" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_path_EGREP" >&5
 $as_echo "$ac_cv_path_EGREP" >&6; }
  EGREP="$ac_cv_path_EGREP"
 
@@ -13304,9 +12746,9 @@ for ac_prog in gawk mawk nawk awk
 do
   # Extract the first word of "$ac_prog", so it can be a program name with args.
 set dummy $ac_prog; ac_word=$2
-{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_AWK+set}" = set; then
+if test "${ac_cv_prog_AWK+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
   if test -n "$AWK"; then
@@ -13317,24 +12759,24 @@ for as_dir in $PATH
 do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
+    for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_AWK="$ac_prog"
-    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
-done
+  done
 IFS=$as_save_IFS
 
 fi
 fi
 AWK=$ac_cv_prog_AWK
 if test -n "$AWK"; then
-  { $as_echo "$as_me:$LINENO: result: $AWK" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $AWK" >&5
 $as_echo "$AWK" >&6; }
 else
-  { $as_echo "$as_me:$LINENO: result: no" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; }
 fi
 
@@ -13346,9 +12788,9 @@ for ac_prog in flex lex
 do
   # Extract the first word of "$ac_prog", so it can be a program name with args.
 set dummy $ac_prog; ac_word=$2
-{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_LEX+set}" = set; then
+if test "${ac_cv_prog_LEX+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
   if test -n "$LEX"; then
@@ -13359,24 +12801,24 @@ for as_dir in $PATH
 do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
+    for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_LEX="$ac_prog"
-    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
-done
+  done
 IFS=$as_save_IFS
 
 fi
 fi
 LEX=$ac_cv_prog_LEX
 if test -n "$LEX"; then
-  { $as_echo "$as_me:$LINENO: result: $LEX" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $LEX" >&5
 $as_echo "$LEX" >&6; }
 else
-  { $as_echo "$as_me:$LINENO: result: no" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; }
 fi
 
@@ -13405,20 +12847,20 @@ main (void)
   return ! yylex () + ! yywrap ();
 }
 _ACEOF
-{ (ac_try="$LEX conftest.l"
+{ { ac_try="$LEX conftest.l"
 case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
+$as_echo "$ac_try_echo"; } >&5
   (eval "$LEX conftest.l") 2>&5
   ac_status=$?
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }
-{ $as_echo "$as_me:$LINENO: checking lex output file root" >&5
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking lex output file root" >&5
 $as_echo_n "checking lex output file root... " >&6; }
-if test "${ac_cv_prog_lex_root+set}" = set; then
+if test "${ac_cv_prog_lex_root+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
 
@@ -13427,19 +12869,17 @@ if test -f lex.yy.c; then
 elif test -f lexyy.c; then
   ac_cv_prog_lex_root=lexyy
 else
-  { { $as_echo "$as_me:$LINENO: error: cannot find output from $LEX; giving up" >&5
-$as_echo "$as_me: error: cannot find output from $LEX; giving up" >&2;}
-   { (exit 1); exit 1; }; }
+  as_fn_error "cannot find output from $LEX; giving up" "$LINENO" 5
 fi
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_prog_lex_root" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_lex_root" >&5
 $as_echo "$ac_cv_prog_lex_root" >&6; }
 LEX_OUTPUT_ROOT=$ac_cv_prog_lex_root
 
 if test -z "${LEXLIB+set}"; then
-  { $as_echo "$as_me:$LINENO: checking lex library" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking lex library" >&5
 $as_echo_n "checking lex library... " >&6; }
-if test "${ac_cv_lib_lex+set}" = set; then
+if test "${ac_cv_lib_lex+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
 
@@ -13447,55 +12887,29 @@ else
     ac_cv_lib_lex='none needed'
     for ac_lib in '' -lfl -ll; do
       LIBS="$ac_lib $ac_save_LIBS"
-      cat >conftest.$ac_ext <<_ACEOF
+      cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
 `cat $LEX_OUTPUT_ROOT.c`
 _ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+if ac_fn_c_try_link "$LINENO"; then :
   ac_cv_lib_lex=$ac_lib
-else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-
 fi
-
-rm -rf conftest.dSYM
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
       test "$ac_cv_lib_lex" != 'none needed' && break
     done
     LIBS=$ac_save_LIBS
 
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_lex" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_lex" >&5
 $as_echo "$ac_cv_lib_lex" >&6; }
   test "$ac_cv_lib_lex" != 'none needed' && LEXLIB=$ac_cv_lib_lex
 fi
 
 
-{ $as_echo "$as_me:$LINENO: checking whether yytext is a pointer" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether yytext is a pointer" >&5
 $as_echo_n "checking whether yytext is a pointer... " >&6; }
-if test "${ac_cv_prog_lex_yytext_pointer+set}" = set; then
+if test "${ac_cv_prog_lex_yytext_pointer+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
   # POSIX says lex can declare yytext either as a pointer or an array; the
@@ -13504,52 +12918,24 @@ else
 ac_cv_prog_lex_yytext_pointer=no
 ac_save_LIBS=$LIBS
 LIBS="$LEXLIB $ac_save_LIBS"
-cat >conftest.$ac_ext <<_ACEOF
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
 #define YYTEXT_POINTER 1
 `cat $LEX_OUTPUT_ROOT.c`
 _ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+if ac_fn_c_try_link "$LINENO"; then :
   ac_cv_prog_lex_yytext_pointer=yes
-else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-
 fi
-
-rm -rf conftest.dSYM
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_save_LIBS
 
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_prog_lex_yytext_pointer" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_lex_yytext_pointer" >&5
 $as_echo "$ac_cv_prog_lex_yytext_pointer" >&6; }
 if test $ac_cv_prog_lex_yytext_pointer = yes; then
 
-cat >>confdefs.h <<\_ACEOF
-#define YYTEXT_POINTER 1
-_ACEOF
+$as_echo "#define YYTEXT_POINTER 1" >>confdefs.h
 
 fi
 rm -f conftest.l $LEX_OUTPUT_ROOT.c
@@ -13559,9 +12945,9 @@ for ac_prog in 'bison -y' byacc
 do
   # Extract the first word of "$ac_prog", so it can be a program name with args.
 set dummy $ac_prog; ac_word=$2
-{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_YACC+set}" = set; then
+if test "${ac_cv_prog_YACC+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
   if test -n "$YACC"; then
@@ -13572,24 +12958,24 @@ for as_dir in $PATH
 do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
+    for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_YACC="$ac_prog"
-    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
-done
+  done
 IFS=$as_save_IFS
 
 fi
 fi
 YACC=$ac_cv_prog_YACC
 if test -n "$YACC"; then
-  { $as_echo "$as_me:$LINENO: result: $YACC" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $YACC" >&5
 $as_echo "$YACC" >&6; }
 else
-  { $as_echo "$as_me:$LINENO: result: no" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; }
 fi
 
@@ -13600,9 +12986,9 @@ test -n "$YACC" || YACC="yacc"
 
 # Extract the first word of "perl", so it can be a program name with args.
 set dummy perl; ac_word=$2
-{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_path_PERL+set}" = set; then
+if test "${ac_cv_path_PERL+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
   case $PERL in
@@ -13616,14 +13002,14 @@ for as_dir in $as_dummy
 do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
+    for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_path_PERL="$as_dir/$ac_word$ac_exec_ext"
-    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
-done
+  done
 IFS=$as_save_IFS
 
   ;;
@@ -13631,19 +13017,19 @@ esac
 fi
 PERL=$ac_cv_path_PERL
 if test -n "$PERL"; then
-  { $as_echo "$as_me:$LINENO: result: $PERL" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PERL" >&5
 $as_echo "$PERL" >&6; }
 else
-  { $as_echo "$as_me:$LINENO: result: no" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; }
 fi
 
 
 # Extract the first word of "gperf", so it can be a program name with args.
 set dummy gperf; ac_word=$2
-{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_path_GPERF+set}" = set; then
+if test "${ac_cv_path_GPERF+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
   case $GPERF in
@@ -13657,14 +13043,14 @@ for as_dir in $as_dummy
 do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
+    for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_path_GPERF="$as_dir/$ac_word$ac_exec_ext"
-    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
-done
+  done
 IFS=$as_save_IFS
 
   ;;
@@ -13672,74 +13058,71 @@ esac
 fi
 GPERF=$ac_cv_path_GPERF
 if test -n "$GPERF"; then
-  { $as_echo "$as_me:$LINENO: result: $GPERF" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $GPERF" >&5
 $as_echo "$GPERF" >&6; }
 else
-  { $as_echo "$as_me:$LINENO: result: no" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; }
 fi
 
 
 
-{ $as_echo "$as_me:$LINENO: checking gperf version >= 3.0.0" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking gperf version >= 3.0.0" >&5
 $as_echo_n "checking gperf version >= 3.0.0... " >&6; }
 if test -x "$GPERF"; then
 	if test "`$GPERF --version | $AWK -F' ' '/^GNU gperf/ { print $3 }' | $AWK -F. '{ print $1 }'`" -ge "3"; then
-		{ $as_echo "$as_me:$LINENO: result: yes" >&5
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
 $as_echo "yes" >&6; }
 	else
-		{ $as_echo "$as_me:$LINENO: result: no" >&5
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; }
 	fi
 else
-	{ $as_echo "$as_me:$LINENO: result: not found" >&5
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: not found" >&5
 $as_echo "not found" >&6; }
 fi
 
-{ $as_echo "$as_me:$LINENO: checking for uid of user \"$ipsecuser\"" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for uid of user \"$ipsecuser\"" >&5
 $as_echo_n "checking for uid of user \"$ipsecuser\"... " >&6; }
 ipsecuid=`id -u $ipsecuser 2>/dev/null`
 if test -n "$ipsecuid"; then
-	{ $as_echo "$as_me:$LINENO: result: $ipsecuid" >&5
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ipsecuid" >&5
 $as_echo "$ipsecuid" >&6; }
 
 else
-	{ { $as_echo "$as_me:$LINENO: error: not found" >&5
-$as_echo "$as_me: error: not found" >&2;}
-   { (exit 1); exit 1; }; }
+	as_fn_error "not found" "$LINENO" 5
 fi
-{ $as_echo "$as_me:$LINENO: checking for gid of group \"$ipsecgroup\"" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for gid of group \"$ipsecgroup\"" >&5
 $as_echo_n "checking for gid of group \"$ipsecgroup\"... " >&6; }
 ipsecgid=`$EGREP "^$ipsecgroup:" /etc/group | $AWK -F: '{ print $3 }'`
 if test -n "$ipsecgid"; then
-	{ $as_echo "$as_me:$LINENO: result: $ipsecgid" >&5
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ipsecgid" >&5
 $as_echo "$ipsecgid" >&6; }
 
 else
-	{ { $as_echo "$as_me:$LINENO: error: not found" >&5
-$as_echo "$as_me: error: not found" >&2;}
-   { (exit 1); exit 1; }; }
+	as_fn_error "not found" "$LINENO" 5
 fi
 
 
-if test x$eap_aka = xtrue; then
+if test x$eap_aka_3gpp2 = xtrue; then
 	gmp=true;
+fi
+
+if test x$eap_aka = xtrue; then
 	fips_prf=true;
 	sha1=true;
+	simaka=true;
 fi
 
 if test x$eap_sim = xtrue; then
 	fips_prf=true;
+	simaka=true;
 fi
 
 if test x$fips_prf = xtrue; then
 	sha1=true;
 fi
 
-if test x$tools = xtrue; then
-	gmp=true;
-fi
-
 if test x$smp = xtrue; then
 	xml=true
 fi
@@ -13749,25 +13132,21 @@ if test x$manager = xtrue; then
 fi
 
 if test x$medsrv = xtrue; then
-	me=true
+	mediation=true
 	fast=true
 fi
 
 if test x$medcli = xtrue; then
-	me=true
+	mediation=true
 fi
 
 
-{ $as_echo "$as_me:$LINENO: checking for stdbool.h that conforms to C99" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for stdbool.h that conforms to C99" >&5
 $as_echo_n "checking for stdbool.h that conforms to C99... " >&6; }
-if test "${ac_cv_header_stdbool_h+set}" = set; then
+if test "${ac_cv_header_stdbool_h+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
 #include <stdbool.h>
@@ -13847,223 +13226,72 @@ main ()
   return 0;
 }
 _ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
+if ac_fn_c_try_compile "$LINENO"; then :
   ac_cv_header_stdbool_h=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_cv_header_stdbool_h=no
+  ac_cv_header_stdbool_h=no
 fi
-
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_header_stdbool_h" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_header_stdbool_h" >&5
 $as_echo "$ac_cv_header_stdbool_h" >&6; }
-{ $as_echo "$as_me:$LINENO: checking for _Bool" >&5
-$as_echo_n "checking for _Bool... " >&6; }
-if test "${ac_cv_type__Bool+set}" = set; then
+ac_fn_c_check_type "$LINENO" "_Bool" "ac_cv_type__Bool" "$ac_includes_default"
+if test "x$ac_cv_type__Bool" = x""yes; then :
+
+cat >>confdefs.h <<_ACEOF
+#define HAVE__BOOL 1
+_ACEOF
+
+
+fi
+
+if test $ac_cv_header_stdbool_h = yes; then
+
+$as_echo "#define HAVE_STDBOOL_H 1" >>confdefs.h
+
+fi
+
+# The Ultrix 4.2 mips builtin alloca declared by alloca.h only works
+# for constant arguments.  Useless!
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for working alloca.h" >&5
+$as_echo_n "checking for working alloca.h... " >&6; }
+if test "${ac_cv_working_alloca_h+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
-  ac_cv_type__Bool=no
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-$ac_includes_default
-int
-main ()
-{
-if (sizeof (_Bool))
-       return 0;
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
-$ac_includes_default
+#include <alloca.h>
 int
 main ()
 {
-if (sizeof ((_Bool)))
-	  return 0;
+char *p = (char *) alloca (2 * sizeof (int));
+			  if (p) return 0;
   ;
   return 0;
 }
 _ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  :
-else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_cv_type__Bool=yes
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_type__Bool" >&5
-$as_echo "$ac_cv_type__Bool" >&6; }
-if test "x$ac_cv_type__Bool" = x""yes; then
-
-cat >>confdefs.h <<_ACEOF
-#define HAVE__BOOL 1
-_ACEOF
-
-
-fi
-
-if test $ac_cv_header_stdbool_h = yes; then
-
-cat >>confdefs.h <<\_ACEOF
-#define HAVE_STDBOOL_H 1
-_ACEOF
-
-fi
-
-# The Ultrix 4.2 mips builtin alloca declared by alloca.h only works
-# for constant arguments.  Useless!
-{ $as_echo "$as_me:$LINENO: checking for working alloca.h" >&5
-$as_echo_n "checking for working alloca.h... " >&6; }
-if test "${ac_cv_working_alloca_h+set}" = set; then
-  $as_echo_n "(cached) " >&6
-else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#include <alloca.h>
-int
-main ()
-{
-char *p = (char *) alloca (2 * sizeof (int));
-			  if (p) return 0;
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+if ac_fn_c_try_link "$LINENO"; then :
   ac_cv_working_alloca_h=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_cv_working_alloca_h=no
+  ac_cv_working_alloca_h=no
 fi
-
-rm -rf conftest.dSYM
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_working_alloca_h" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_working_alloca_h" >&5
 $as_echo "$ac_cv_working_alloca_h" >&6; }
 if test $ac_cv_working_alloca_h = yes; then
 
-cat >>confdefs.h <<\_ACEOF
-#define HAVE_ALLOCA_H 1
-_ACEOF
+$as_echo "#define HAVE_ALLOCA_H 1" >>confdefs.h
 
 fi
 
-{ $as_echo "$as_me:$LINENO: checking for alloca" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for alloca" >&5
 $as_echo_n "checking for alloca... " >&6; }
-if test "${ac_cv_func_alloca_works+set}" = set; then
+if test "${ac_cv_func_alloca_works+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 #ifdef __GNUC__
 # define alloca __builtin_alloca
@@ -14095,47 +13323,20 @@ char *p = (char *) alloca (1);
   return 0;
 }
 _ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+if ac_fn_c_try_link "$LINENO"; then :
   ac_cv_func_alloca_works=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_cv_func_alloca_works=no
+  ac_cv_func_alloca_works=no
 fi
-
-rm -rf conftest.dSYM
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_func_alloca_works" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_func_alloca_works" >&5
 $as_echo "$ac_cv_func_alloca_works" >&6; }
 
 if test $ac_cv_func_alloca_works = yes; then
 
-cat >>confdefs.h <<\_ACEOF
-#define HAVE_ALLOCA 1
-_ACEOF
+$as_echo "#define HAVE_ALLOCA 1" >>confdefs.h
 
 else
   # The SVR3 libPW and SVR4 libucb both contain incompatible functions
@@ -14145,21 +13346,15 @@ else
 
 ALLOCA=\${LIBOBJDIR}alloca.$ac_objext
 
-cat >>confdefs.h <<\_ACEOF
-#define C_ALLOCA 1
-_ACEOF
+$as_echo "#define C_ALLOCA 1" >>confdefs.h
 
 
-{ $as_echo "$as_me:$LINENO: checking whether \`alloca.c' needs Cray hooks" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether \`alloca.c' needs Cray hooks" >&5
 $as_echo_n "checking whether \`alloca.c' needs Cray hooks... " >&6; }
-if test "${ac_cv_os_cray+set}" = set; then
+if test "${ac_cv_os_cray+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 #if defined CRAY && ! defined CRAY2
 webecray
@@ -14169,7 +13364,7 @@ wenotbecray
 
 _ACEOF
 if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
-  $EGREP "webecray" >/dev/null 2>&1; then
+  $EGREP "webecray" >/dev/null 2>&1; then :
   ac_cv_os_cray=yes
 else
   ac_cv_os_cray=no
@@ -14177,101 +13372,14 @@ fi
 rm -f conftest*
 
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_os_cray" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_os_cray" >&5
 $as_echo "$ac_cv_os_cray" >&6; }
 if test $ac_cv_os_cray = yes; then
   for ac_func in _getb67 GETB67 getb67; do
     as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
-{ $as_echo "$as_me:$LINENO: checking for $ac_func" >&5
-$as_echo_n "checking for $ac_func... " >&6; }
-if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
-  $as_echo_n "(cached) " >&6
-else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-/* Define $ac_func to an innocuous variant, in case <limits.h> declares $ac_func.
-   For example, HP-UX 11i <limits.h> declares gettimeofday.  */
-#define $ac_func innocuous_$ac_func
-
-/* System header to define __stub macros and hopefully few prototypes,
-    which can conflict with char $ac_func (); below.
-    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
-    <limits.h> exists even on freestanding compilers.  */
-
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
-
-#undef $ac_func
-
-/* Override any GCC internal prototype to avoid an error.
-   Use char because int might match the return type of a GCC
-   builtin and then its argument prototype would still apply.  */
-#ifdef __cplusplus
-extern "C"
-#endif
-char $ac_func ();
-/* The GNU C library defines this for functions which it implements
-    to always fail with ENOSYS.  Some functions are actually named
-    something starting with __ and the normal name is an alias.  */
-#if defined __stub_$ac_func || defined __stub___$ac_func
-choke me
-#endif
-
-int
-main ()
-{
-return $ac_func ();
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
-  eval "$as_ac_var=yes"
-else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	eval "$as_ac_var=no"
-fi
-
-rm -rf conftest.dSYM
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
-fi
-ac_res=`eval 'as_val=${'$as_ac_var'}
-		 $as_echo "$as_val"'`
-	       { $as_echo "$as_me:$LINENO: result: $ac_res" >&5
-$as_echo "$ac_res" >&6; }
-as_val=`eval 'as_val=${'$as_ac_var'}
-		 $as_echo "$as_val"'`
-   if test "x$as_val" = x""yes; then
+ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
+eval as_val=\$$as_ac_var
+   if test "x$as_val" = x""yes; then :
 
 cat >>confdefs.h <<_ACEOF
 #define CRAY_STACKSEG_END $ac_func
@@ -14283,19 +13391,15 @@ fi
   done
 fi
 
-{ $as_echo "$as_me:$LINENO: checking stack direction for C alloca" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking stack direction for C alloca" >&5
 $as_echo_n "checking stack direction for C alloca... " >&6; }
-if test "${ac_cv_c_stack_direction+set}" = set; then
+if test "${ac_cv_c_stack_direction+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
-  if test "$cross_compiling" = yes; then
+  if test "$cross_compiling" = yes; then :
   ac_cv_c_stack_direction=0
 else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 $ac_includes_default
 int
@@ -14318,46 +13422,18 @@ main ()
   return find_stack_direction () < 0;
 }
 _ACEOF
-rm -f conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_link") 2>&5
-  ac_status=$?
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
-  { (case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_try") 2>&5
-  ac_status=$?
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+if ac_fn_c_try_run "$LINENO"; then :
   ac_cv_c_stack_direction=1
 else
-  $as_echo "$as_me: program exited with status $ac_status" >&5
-$as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-( exit $ac_status )
-ac_cv_c_stack_direction=-1
+  ac_cv_c_stack_direction=-1
 fi
-rm -rf conftest.dSYM
-rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
+  conftest.$ac_objext conftest.beam conftest.$ac_ext
 fi
 
-
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_c_stack_direction" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_c_stack_direction" >&5
 $as_echo "$ac_cv_c_stack_direction" >&6; }
-
 cat >>confdefs.h <<_ACEOF
 #define STACK_DIRECTION $ac_cv_c_stack_direction
 _ACEOF
@@ -14369,17 +13445,13 @@ fi
 saved_LIBS=$LIBS
 
 LIBS=""
-{ $as_echo "$as_me:$LINENO: checking for library containing dlopen" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing dlopen" >&5
 $as_echo_n "checking for library containing dlopen... " >&6; }
-if test "${ac_cv_search_dlopen+set}" = set; then
+if test "${ac_cv_search_dlopen+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
   ac_func_search_save_LIBS=$LIBS
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
 /* Override any GCC internal prototype to avoid an error.
@@ -14404,54 +13476,27 @@ for ac_lib in '' dl; do
     ac_res=-l$ac_lib
     LIBS="-l$ac_lib  $ac_func_search_save_LIBS"
   fi
-  rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+  if ac_fn_c_try_link "$LINENO"; then :
   ac_cv_search_dlopen=$ac_res
-else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-
 fi
-
-rm -rf conftest.dSYM
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext
-  if test "${ac_cv_search_dlopen+set}" = set; then
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext
+  if test "${ac_cv_search_dlopen+set}" = set; then :
   break
 fi
 done
-if test "${ac_cv_search_dlopen+set}" = set; then
-  :
+if test "${ac_cv_search_dlopen+set}" = set; then :
+
 else
   ac_cv_search_dlopen=no
 fi
 rm conftest.$ac_ext
 LIBS=$ac_func_search_save_LIBS
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_search_dlopen" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_dlopen" >&5
 $as_echo "$ac_cv_search_dlopen" >&6; }
 ac_res=$ac_cv_search_dlopen
-if test "$ac_res" != no; then
+if test "$ac_res" != no; then :
   test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
   DLLIB=$LIBS
 fi
@@ -14459,17 +13504,13 @@ fi
 
 
 LIBS=""
-{ $as_echo "$as_me:$LINENO: checking for library containing backtrace" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing backtrace" >&5
 $as_echo_n "checking for library containing backtrace... " >&6; }
-if test "${ac_cv_search_backtrace+set}" = set; then
+if test "${ac_cv_search_backtrace+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
   ac_func_search_save_LIBS=$LIBS
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
 /* Override any GCC internal prototype to avoid an error.
@@ -14494,89 +13535,53 @@ for ac_lib in '' execinfo; do
     ac_res=-l$ac_lib
     LIBS="-l$ac_lib  $ac_func_search_save_LIBS"
   fi
-  rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+  if ac_fn_c_try_link "$LINENO"; then :
   ac_cv_search_backtrace=$ac_res
-else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-
 fi
-
-rm -rf conftest.dSYM
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext
-  if test "${ac_cv_search_backtrace+set}" = set; then
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext
+  if test "${ac_cv_search_backtrace+set}" = set; then :
   break
 fi
 done
-if test "${ac_cv_search_backtrace+set}" = set; then
-  :
+if test "${ac_cv_search_backtrace+set}" = set; then :
+
 else
   ac_cv_search_backtrace=no
 fi
 rm conftest.$ac_ext
 LIBS=$ac_func_search_save_LIBS
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_search_backtrace" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_backtrace" >&5
 $as_echo "$ac_cv_search_backtrace" >&6; }
 ac_res=$ac_cv_search_backtrace
-if test "$ac_res" != no; then
+if test "$ac_res" != no; then :
   test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
   BTLIB=$LIBS
 fi
 
-
 for ac_func in backtrace
-do
-as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
-{ $as_echo "$as_me:$LINENO: checking for $ac_func" >&5
-$as_echo_n "checking for $ac_func... " >&6; }
-if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
-  $as_echo_n "(cached) " >&6
-else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
+do :
+  ac_fn_c_check_func "$LINENO" "backtrace" "ac_cv_func_backtrace"
+if test "x$ac_cv_func_backtrace" = x""yes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_BACKTRACE 1
 _ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-/* Define $ac_func to an innocuous variant, in case <limits.h> declares $ac_func.
-   For example, HP-UX 11i <limits.h> declares gettimeofday.  */
-#define $ac_func innocuous_$ac_func
 
-/* System header to define __stub macros and hopefully few prototypes,
-    which can conflict with char $ac_func (); below.
-    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
-    <limits.h> exists even on freestanding compilers.  */
+fi
+done
 
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
 
-#undef $ac_func
+
+LIBS=""
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing socket" >&5
+$as_echo_n "checking for library containing socket... " >&6; }
+if test "${ac_cv_search_socket+set}" = set; then :
+  $as_echo_n "(cached) " >&6
+else
+  ac_func_search_save_LIBS=$LIBS
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
 
 /* Override any GCC internal prototype to avoid an error.
    Use char because int might match the return type of a GCC
@@ -14584,96 +13589,11 @@ cat >>conftest.$ac_ext <<_ACEOF
 #ifdef __cplusplus
 extern "C"
 #endif
-char $ac_func ();
-/* The GNU C library defines this for functions which it implements
-    to always fail with ENOSYS.  Some functions are actually named
-    something starting with __ and the normal name is an alias.  */
-#if defined __stub_$ac_func || defined __stub___$ac_func
-choke me
-#endif
-
+char socket ();
 int
 main ()
 {
-return $ac_func ();
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
-  eval "$as_ac_var=yes"
-else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	eval "$as_ac_var=no"
-fi
-
-rm -rf conftest.dSYM
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
-fi
-ac_res=`eval 'as_val=${'$as_ac_var'}
-		 $as_echo "$as_val"'`
-	       { $as_echo "$as_me:$LINENO: result: $ac_res" >&5
-$as_echo "$ac_res" >&6; }
-as_val=`eval 'as_val=${'$as_ac_var'}
-		 $as_echo "$as_val"'`
-   if test "x$as_val" = x""yes; then
-  cat >>confdefs.h <<_ACEOF
-#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
-_ACEOF
-
-fi
-done
-
-
-
-LIBS=""
-{ $as_echo "$as_me:$LINENO: checking for library containing socket" >&5
-$as_echo_n "checking for library containing socket... " >&6; }
-if test "${ac_cv_search_socket+set}" = set; then
-  $as_echo_n "(cached) " >&6
-else
-  ac_func_search_save_LIBS=$LIBS
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-/* Override any GCC internal prototype to avoid an error.
-   Use char because int might match the return type of a GCC
-   builtin and then its argument prototype would still apply.  */
-#ifdef __cplusplus
-extern "C"
-#endif
-char socket ();
-int
-main ()
-{
-return socket ();
+return socket ();
   ;
   return 0;
 }
@@ -14685,69 +13605,38 @@ for ac_lib in '' socket; do
     ac_res=-l$ac_lib
     LIBS="-l$ac_lib  $ac_func_search_save_LIBS"
   fi
-  rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+  if ac_fn_c_try_link "$LINENO"; then :
   ac_cv_search_socket=$ac_res
-else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-
 fi
-
-rm -rf conftest.dSYM
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext
-  if test "${ac_cv_search_socket+set}" = set; then
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext
+  if test "${ac_cv_search_socket+set}" = set; then :
   break
 fi
 done
-if test "${ac_cv_search_socket+set}" = set; then
-  :
+if test "${ac_cv_search_socket+set}" = set; then :
+
 else
   ac_cv_search_socket=no
 fi
 rm conftest.$ac_ext
 LIBS=$ac_func_search_save_LIBS
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_search_socket" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_socket" >&5
 $as_echo "$ac_cv_search_socket" >&6; }
 ac_res=$ac_cv_search_socket
-if test "$ac_res" != no; then
+if test "$ac_res" != no; then :
   test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
   SOCKLIB=$LIBS
 else
-  { $as_echo "$as_me:$LINENO: checking for socket in -lnsl" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking for socket in -lnsl" >&5
 $as_echo_n "checking for socket in -lnsl... " >&6; }
-if test "${ac_cv_lib_nsl_socket+set}" = set; then
+if test "${ac_cv_lib_nsl_socket+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
 LIBS="-lnsl -lsocket $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
 /* Override any GCC internal prototype to avoid an error.
@@ -14765,43 +13654,18 @@ return socket ();
   return 0;
 }
 _ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+if ac_fn_c_try_link "$LINENO"; then :
   ac_cv_lib_nsl_socket=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_cv_lib_nsl_socket=no
+  ac_cv_lib_nsl_socket=no
 fi
-
-rm -rf conftest.dSYM
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_nsl_socket" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_nsl_socket" >&5
 $as_echo "$ac_cv_lib_nsl_socket" >&6; }
-if test "x$ac_cv_lib_nsl_socket" = x""yes; then
+if test "x$ac_cv_lib_nsl_socket" = x""yes; then :
   SOCKLIB="-lsocket -lnsl"
 fi
 
@@ -14810,92 +13674,85 @@ fi
 
 
 
-LIBS=$saved_LIBS
-
-{ $as_echo "$as_me:$LINENO: checking for dladdr" >&5
-$as_echo_n "checking for dladdr... " >&6; }
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
+LIBS=""
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing clock_gettime" >&5
+$as_echo_n "checking for library containing clock_gettime... " >&6; }
+if test "${ac_cv_search_clock_gettime+set}" = set; then :
+  $as_echo_n "(cached) " >&6
+else
+  ac_func_search_save_LIBS=$LIBS
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
-#define _GNU_SOURCE
-	 #include <dlfcn.h>
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char clock_gettime ();
 int
 main ()
 {
-Dl_info* info = 0;
-	 dladdr(0, info);
+return clock_gettime ();
   ;
   return 0;
 }
 _ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  { $as_echo "$as_me:$LINENO: result: yes" >&5
-$as_echo "yes" >&6; }; cat >>confdefs.h <<\_ACEOF
-#define HAVE_DLADDR 1
-_ACEOF
+for ac_lib in '' rt; do
+  if test -z "$ac_lib"; then
+    ac_res="none required"
+  else
+    ac_res=-l$ac_lib
+    LIBS="-l$ac_lib  $ac_func_search_save_LIBS"
+  fi
+  if ac_fn_c_try_link "$LINENO"; then :
+  ac_cv_search_clock_gettime=$ac_res
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext
+  if test "${ac_cv_search_clock_gettime+set}" = set; then :
+  break
+fi
+done
+if test "${ac_cv_search_clock_gettime+set}" = set; then :
 
 else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+  ac_cv_search_clock_gettime=no
+fi
+rm conftest.$ac_ext
+LIBS=$ac_func_search_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_clock_gettime" >&5
+$as_echo "$ac_cv_search_clock_gettime" >&6; }
+ac_res=$ac_cv_search_clock_gettime
+if test "$ac_res" != no; then :
+  test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
+  RTLIB=$LIBS
+fi
 
-	{ $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
+for ac_func in clock_gettime
+do :
+  ac_fn_c_check_func "$LINENO" "clock_gettime" "ac_cv_func_clock_gettime"
+if test "x$ac_cv_func_clock_gettime" = x""yes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_CLOCK_GETTIME 1
+_ACEOF
 
 fi
+done
 
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 
 
-for ac_func in prctl
-do
-as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
-{ $as_echo "$as_me:$LINENO: checking for $ac_func" >&5
-$as_echo_n "checking for $ac_func... " >&6; }
-if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
+LIBS=""
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing pthread_create" >&5
+$as_echo_n "checking for library containing pthread_create... " >&6; }
+if test "${ac_cv_search_pthread_create+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
+  ac_func_search_save_LIBS=$LIBS
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
-/* Define $ac_func to an innocuous variant, in case <limits.h> declares $ac_func.
-   For example, HP-UX 11i <limits.h> declares gettimeofday.  */
-#define $ac_func innocuous_$ac_func
-
-/* System header to define __stub macros and hopefully few prototypes,
-    which can conflict with char $ac_func (); below.
-    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
-    <limits.h> exists even on freestanding compilers.  */
-
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
-
-#undef $ac_func
 
 /* Override any GCC internal prototype to avoid an error.
    Use char because int might match the return type of a GCC
@@ -14903,470 +13760,209 @@ cat >>conftest.$ac_ext <<_ACEOF
 #ifdef __cplusplus
 extern "C"
 #endif
-char $ac_func ();
-/* The GNU C library defines this for functions which it implements
-    to always fail with ENOSYS.  Some functions are actually named
-    something starting with __ and the normal name is an alias.  */
-#if defined __stub_$ac_func || defined __stub___$ac_func
-choke me
-#endif
-
+char pthread_create ();
 int
 main ()
 {
-return $ac_func ();
+return pthread_create ();
   ;
   return 0;
 }
 _ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
-  eval "$as_ac_var=yes"
-else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	eval "$as_ac_var=no"
+for ac_lib in '' pthread; do
+  if test -z "$ac_lib"; then
+    ac_res="none required"
+  else
+    ac_res=-l$ac_lib
+    LIBS="-l$ac_lib  $ac_func_search_save_LIBS"
+  fi
+  if ac_fn_c_try_link "$LINENO"; then :
+  ac_cv_search_pthread_create=$ac_res
 fi
-
-rm -rf conftest.dSYM
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext
+  if test "${ac_cv_search_pthread_create+set}" = set; then :
+  break
 fi
-ac_res=`eval 'as_val=${'$as_ac_var'}
-		 $as_echo "$as_val"'`
-	       { $as_echo "$as_me:$LINENO: result: $ac_res" >&5
-$as_echo "$ac_res" >&6; }
-as_val=`eval 'as_val=${'$as_ac_var'}
-		 $as_echo "$as_val"'`
-   if test "x$as_val" = x""yes; then
-  cat >>confdefs.h <<_ACEOF
-#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
-_ACEOF
+done
+if test "${ac_cv_search_pthread_create+set}" = set; then :
 
+else
+  ac_cv_search_pthread_create=no
+fi
+rm conftest.$ac_ext
+LIBS=$ac_func_search_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_pthread_create" >&5
+$as_echo "$ac_cv_search_pthread_create" >&6; }
+ac_res=$ac_cv_search_pthread_create
+if test "$ac_res" != no; then :
+  test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
+  PTHREADLIB=$LIBS
 fi
-done
 
 
 
-for ac_header in sys/sockio.h
-do
-as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
-if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
-  { $as_echo "$as_me:$LINENO: checking for $ac_header" >&5
-$as_echo_n "checking for $ac_header... " >&6; }
-if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
-  $as_echo_n "(cached) " >&6
-fi
-ac_res=`eval 'as_val=${'$as_ac_Header'}
-		 $as_echo "$as_val"'`
-	       { $as_echo "$as_me:$LINENO: result: $ac_res" >&5
-$as_echo "$ac_res" >&6; }
-else
-  # Is the header compilable?
-{ $as_echo "$as_me:$LINENO: checking $ac_header usability" >&5
-$as_echo_n "checking $ac_header usability... " >&6; }
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
+LIBS=$saved_LIBS
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for dladdr" >&5
+$as_echo_n "checking for dladdr... " >&6; }
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
-$ac_includes_default
-#include <$ac_header>
+#define _GNU_SOURCE
+	 #include <dlfcn.h>
+int
+main ()
+{
+Dl_info* info = 0;
+	 dladdr(0, info);
+  ;
+  return 0;
+}
 _ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  ac_header_compiler=yes
+if ac_fn_c_try_compile "$LINENO"; then :
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }; $as_echo "#define HAVE_DLADDR 1" >>confdefs.h
+
 else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
 
-	ac_header_compiler=no
 fi
-
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-{ $as_echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
-$as_echo "$ac_header_compiler" >&6; }
 
-# Is the header present?
-{ $as_echo "$as_me:$LINENO: checking $ac_header presence" >&5
-$as_echo_n "checking $ac_header presence... " >&6; }
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#include <$ac_header>
+saved_LIBS=$LIBS
+LIBS=$PTHREADLIB
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for pthread_condattr_setclock(CLOCK_MONOTONE)" >&5
+$as_echo_n "checking for pthread_condattr_setclock(CLOCK_MONOTONE)... " >&6; }
+if test "$cross_compiling" = yes; then :
+  	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: unknown" >&5
+$as_echo "unknown" >&6; };
+	 for ac_func in pthread_condattr_setclock
+do :
+  ac_fn_c_check_func "$LINENO" "pthread_condattr_setclock" "ac_cv_func_pthread_condattr_setclock"
+if test "x$ac_cv_func_pthread_condattr_setclock" = x""yes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_PTHREAD_CONDATTR_SETCLOCK 1
 _ACEOF
-if { (ac_try="$ac_cpp conftest.$ac_ext"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } >/dev/null && {
-	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       }; then
-  ac_header_preproc=yes
-else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+ $as_echo "#define HAVE_CONDATTR_CLOCK_MONOTONIC 1" >>confdefs.h
+
 
-  ac_header_preproc=no
 fi
+done
 
-rm -f conftest.err conftest.$ac_ext
-{ $as_echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
-$as_echo "$ac_header_preproc" >&6; }
 
-# So?  What about this header?
-case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
-  yes:no: )
-    { $as_echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5
-$as_echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the compiler's result" >&5
-$as_echo "$as_me: WARNING: $ac_header: proceeding with the compiler's result" >&2;}
-    ac_header_preproc=yes
-    ;;
-  no:yes:* )
-    { $as_echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5
-$as_echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: $ac_header:     check for missing prerequisite headers?" >&5
-$as_echo "$as_me: WARNING: $ac_header:     check for missing prerequisite headers?" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: $ac_header: see the Autoconf documentation" >&5
-$as_echo "$as_me: WARNING: $ac_header: see the Autoconf documentation" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\"" >&5
-$as_echo "$as_me: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\"" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5
-$as_echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5
-$as_echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;}
+else
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+#include <pthread.h>
+	 int main() { pthread_condattr_t attr;
+		pthread_condattr_init(&attr);
+		return pthread_condattr_setclock(&attr, CLOCK_MONOTONIC);}
+_ACEOF
+if ac_fn_c_try_run "$LINENO"; then :
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }; $as_echo "#define HAVE_CONDATTR_CLOCK_MONOTONIC 1" >>confdefs.h
 
-    ;;
-esac
-{ $as_echo "$as_me:$LINENO: checking for $ac_header" >&5
-$as_echo_n "checking for $ac_header... " >&6; }
-if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
-  $as_echo_n "(cached) " >&6
 else
-  eval "$as_ac_Header=\$ac_header_preproc"
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
 fi
-ac_res=`eval 'as_val=${'$as_ac_Header'}
-		 $as_echo "$as_val"'`
-	       { $as_echo "$as_me:$LINENO: result: $ac_res" >&5
-$as_echo "$ac_res" >&6; }
-
+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
+  conftest.$ac_objext conftest.beam conftest.$ac_ext
 fi
-as_val=`eval 'as_val=${'$as_ac_Header'}
-		 $as_echo "$as_val"'`
-   if test "x$as_val" = x""yes; then
+
+for ac_func in pthread_condattr_init
+do :
+  ac_fn_c_check_func "$LINENO" "pthread_condattr_init" "ac_cv_func_pthread_condattr_init"
+if test "x$ac_cv_func_pthread_condattr_init" = x""yes; then :
   cat >>confdefs.h <<_ACEOF
-#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1
+#define HAVE_PTHREAD_CONDATTR_INIT 1
 _ACEOF
 
 fi
-
 done
 
+for ac_func in pthread_cond_timedwait_monotonic
+do :
+  ac_fn_c_check_func "$LINENO" "pthread_cond_timedwait_monotonic" "ac_cv_func_pthread_cond_timedwait_monotonic"
+if test "x$ac_cv_func_pthread_cond_timedwait_monotonic" = x""yes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_PTHREAD_COND_TIMEDWAIT_MONOTONIC 1
+_ACEOF
 
+fi
+done
 
+for ac_func in pthread_cancel
+do :
+  ac_fn_c_check_func "$LINENO" "pthread_cancel" "ac_cv_func_pthread_cancel"
+if test "x$ac_cv_func_pthread_cancel" = x""yes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_PTHREAD_CANCEL 1
+_ACEOF
 
+fi
+done
 
-for ac_header in net/pfkeyv2.h netipsec/ipsec.h netinet6/ipsec.h linux/udp.h
-do
-as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
-if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
-  { $as_echo "$as_me:$LINENO: checking for $ac_header" >&5
-$as_echo_n "checking for $ac_header... " >&6; }
-if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
-  $as_echo_n "(cached) " >&6
-fi
-ac_res=`eval 'as_val=${'$as_ac_Header'}
-		 $as_echo "$as_val"'`
-	       { $as_echo "$as_me:$LINENO: result: $ac_res" >&5
-$as_echo "$ac_res" >&6; }
-else
-  # Is the header compilable?
-{ $as_echo "$as_me:$LINENO: checking $ac_header usability" >&5
-$as_echo_n "checking $ac_header usability... " >&6; }
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-$ac_includes_default
-#include <$ac_header>
+for ac_func in pthread_rwlock_init
+do :
+  ac_fn_c_check_func "$LINENO" "pthread_rwlock_init" "ac_cv_func_pthread_rwlock_init"
+if test "x$ac_cv_func_pthread_rwlock_init" = x""yes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_PTHREAD_RWLOCK_INIT 1
 _ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  ac_header_compiler=yes
-else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
 
-	ac_header_compiler=no
 fi
+done
 
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-{ $as_echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
-$as_echo "$ac_header_compiler" >&6; }
+LIBS=$saved_LIBS
 
-# Is the header present?
-{ $as_echo "$as_me:$LINENO: checking $ac_header presence" >&5
-$as_echo_n "checking $ac_header presence... " >&6; }
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#include <$ac_header>
+for ac_func in prctl
+do :
+  ac_fn_c_check_func "$LINENO" "prctl" "ac_cv_func_prctl"
+if test "x$ac_cv_func_prctl" = x""yes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_PRCTL 1
 _ACEOF
-if { (ac_try="$ac_cpp conftest.$ac_ext"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } >/dev/null && {
-	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       }; then
-  ac_header_preproc=yes
-else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
 
-  ac_header_preproc=no
 fi
+done
 
-rm -f conftest.err conftest.$ac_ext
-{ $as_echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
-$as_echo "$ac_header_preproc" >&6; }
-
-# So?  What about this header?
-case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
-  yes:no: )
-    { $as_echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5
-$as_echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the compiler's result" >&5
-$as_echo "$as_me: WARNING: $ac_header: proceeding with the compiler's result" >&2;}
-    ac_header_preproc=yes
-    ;;
-  no:yes:* )
-    { $as_echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5
-$as_echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: $ac_header:     check for missing prerequisite headers?" >&5
-$as_echo "$as_me: WARNING: $ac_header:     check for missing prerequisite headers?" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: $ac_header: see the Autoconf documentation" >&5
-$as_echo "$as_me: WARNING: $ac_header: see the Autoconf documentation" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\"" >&5
-$as_echo "$as_me: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\"" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5
-$as_echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5
-$as_echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;}
-
-    ;;
-esac
-{ $as_echo "$as_me:$LINENO: checking for $ac_header" >&5
-$as_echo_n "checking for $ac_header... " >&6; }
-if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
-  $as_echo_n "(cached) " >&6
-else
-  eval "$as_ac_Header=\$ac_header_preproc"
-fi
-ac_res=`eval 'as_val=${'$as_ac_Header'}
-		 $as_echo "$as_val"'`
-	       { $as_echo "$as_me:$LINENO: result: $ac_res" >&5
-$as_echo "$ac_res" >&6; }
 
-fi
-as_val=`eval 'as_val=${'$as_ac_Header'}
-		 $as_echo "$as_val"'`
-   if test "x$as_val" = x""yes; then
+for ac_header in sys/sockio.h
+do :
+  ac_fn_c_check_header_mongrel "$LINENO" "sys/sockio.h" "ac_cv_header_sys_sockio_h" "$ac_includes_default"
+if test "x$ac_cv_header_sys_sockio_h" = x""yes; then :
   cat >>confdefs.h <<_ACEOF
-#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1
+#define HAVE_SYS_SOCKIO_H 1
 _ACEOF
 
 fi
 
 done
 
-
-{ $as_echo "$as_me:$LINENO: checking for struct sockaddr.sa_len" >&5
-$as_echo_n "checking for struct sockaddr.sa_len... " >&6; }
-if test "${ac_cv_member_struct_sockaddr_sa_len+set}" = set; then
-  $as_echo_n "(cached) " >&6
-else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
+for ac_header in net/pfkeyv2.h netipsec/ipsec.h netinet6/ipsec.h linux/udp.h
+do :
+  as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
+ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default"
+eval as_val=\$$as_ac_Header
+   if test "x$as_val" = x""yes; then :
+  cat >>confdefs.h <<_ACEOF
+#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1
 _ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-	#include <sys/types.h>
-	#include <sys/socket.h>
 
+fi
 
-int
-main ()
-{
-static struct sockaddr ac_aggr;
-if (ac_aggr.sa_len)
-return 0;
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  ac_cv_member_struct_sockaddr_sa_len=yes
-else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+done
 
-	cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 
+ac_fn_c_check_member "$LINENO" "struct sockaddr" "sa_len" "ac_cv_member_struct_sockaddr_sa_len" "
 	#include <sys/types.h>
 	#include <sys/socket.h>
 
-
-int
-main ()
-{
-static struct sockaddr ac_aggr;
-if (sizeof ac_aggr.sa_len)
-return 0;
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  ac_cv_member_struct_sockaddr_sa_len=yes
-else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_cv_member_struct_sockaddr_sa_len=no
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_member_struct_sockaddr_sa_len" >&5
-$as_echo "$ac_cv_member_struct_sockaddr_sa_len" >&6; }
-if test "x$ac_cv_member_struct_sockaddr_sa_len" = x""yes; then
+"
+if test "x$ac_cv_member_struct_sockaddr_sa_len" = x""yes; then :
 
 cat >>confdefs.h <<_ACEOF
 #define HAVE_STRUCT_SOCKADDR_SA_LEN 1
@@ -15376,18 +13972,7 @@ _ACEOF
 fi
 
 
-{ $as_echo "$as_me:$LINENO: checking for struct sadb_x_policy.sadb_x_policy_priority" >&5
-$as_echo_n "checking for struct sadb_x_policy.sadb_x_policy_priority... " >&6; }
-if test "${ac_cv_member_struct_sadb_x_policy_sadb_x_policy_priority+set}" = set; then
-  $as_echo_n "(cached) " >&6
-else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
+ac_fn_c_check_member "$LINENO" "struct sadb_x_policy" "sadb_x_policy_priority" "ac_cv_member_struct_sadb_x_policy_sadb_x_policy_priority" "
 	#include <sys/types.h>
 	#ifdef HAVE_NET_PFKEYV2_H
 	#include <net/pfkeyv2.h>
@@ -15396,116 +13981,78 @@ cat >>conftest.$ac_ext <<_ACEOF
 	#include <linux/pfkeyv2.h>
 	#endif
 
+"
+if test "x$ac_cv_member_struct_sadb_x_policy_sadb_x_policy_priority" = x""yes; then :
+
+cat >>confdefs.h <<_ACEOF
+#define HAVE_STRUCT_SADB_X_POLICY_SADB_X_POLICY_PRIORITY 1
+_ACEOF
+
 
+fi
+
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for in6addr_any" >&5
+$as_echo_n "checking for in6addr_any... " >&6; }
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+#include <sys/types.h>
+	#include <sys/socket.h>
+	#include <netinet/in.h>
 int
 main ()
 {
-static struct sadb_x_policy ac_aggr;
-if (ac_aggr.sadb_x_policy_priority)
-return 0;
+struct in6_addr in6;
+	in6 = in6addr_any;
   ;
   return 0;
 }
 _ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  ac_cv_member_struct_sadb_x_policy_sadb_x_policy_priority=yes
+if ac_fn_c_try_compile "$LINENO"; then :
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }; $as_echo "#define HAVE_IN6ADDR_ANY 1" >>confdefs.h
+
 else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
 
-	cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for in6_pktinfo" >&5
+$as_echo_n "checking for in6_pktinfo... " >&6; }
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+#define _GNU_SOURCE
 	#include <sys/types.h>
-	#ifdef HAVE_NET_PFKEYV2_H
-	#include <net/pfkeyv2.h>
-	#else
-	#include <stdint.h>
-	#include <linux/pfkeyv2.h>
-	#endif
-
-
+	#include <sys/socket.h>
+	#include <netinet/in.h>
 int
 main ()
 {
-static struct sadb_x_policy ac_aggr;
-if (sizeof ac_aggr.sadb_x_policy_priority)
-return 0;
+struct in6_pktinfo pi;
+	if (pi.ipi6_ifindex)
+	{
+		return 0;
+	}
   ;
   return 0;
 }
 _ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  ac_cv_member_struct_sadb_x_policy_sadb_x_policy_priority=yes
-else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+if ac_fn_c_try_compile "$LINENO"; then :
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }; $as_echo "#define HAVE_IN6_PKTINFO 1" >>confdefs.h
 
-	ac_cv_member_struct_sadb_x_policy_sadb_x_policy_priority=no
-fi
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
 
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
-
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_member_struct_sadb_x_policy_sadb_x_policy_priority" >&5
-$as_echo "$ac_cv_member_struct_sadb_x_policy_sadb_x_policy_priority" >&6; }
-if test "x$ac_cv_member_struct_sadb_x_policy_sadb_x_policy_priority" = x""yes; then
-
-cat >>confdefs.h <<_ACEOF
-#define HAVE_STRUCT_SADB_X_POLICY_SADB_X_POLICY_PRIORITY 1
-_ACEOF
-
-
-fi
 
-
-{ $as_echo "$as_me:$LINENO: checking for IPSEC_MODE_BEET" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for IPSEC_MODE_BEET" >&5
 $as_echo_n "checking for IPSEC_MODE_BEET... " >&6; }
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 #include <sys/types.h>
 	#ifdef HAVE_NETIPSEC_IPSEC_H
@@ -15525,47 +14072,20 @@ int mode = IPSEC_MODE_BEET;
   return 0;
 }
 _ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  { $as_echo "$as_me:$LINENO: result: yes" >&5
-$as_echo "yes" >&6; }; cat >>confdefs.h <<\_ACEOF
-#define HAVE_IPSEC_MODE_BEET 1
-_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }; $as_echo "#define HAVE_IPSEC_MODE_BEET 1" >>confdefs.h
 
 else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	{ $as_echo "$as_me:$LINENO: result: no" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; }
 
 fi
-
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 
-{ $as_echo "$as_me:$LINENO: checking for IPSEC_DIR_FWD" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for IPSEC_DIR_FWD" >&5
 $as_echo_n "checking for IPSEC_DIR_FWD... " >&6; }
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 #include <sys/types.h>
 	#ifdef HAVE_NETIPSEC_IPSEC_H
@@ -15585,51 +14105,24 @@ int dir = IPSEC_DIR_FWD;
   return 0;
 }
 _ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  { $as_echo "$as_me:$LINENO: result: yes" >&5
-$as_echo "yes" >&6; }; cat >>confdefs.h <<\_ACEOF
-#define HAVE_IPSEC_DIR_FWD 1
-_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }; $as_echo "#define HAVE_IPSEC_DIR_FWD 1" >>confdefs.h
 
 else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	{ $as_echo "$as_me:$LINENO: result: no" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; }
 
 fi
-
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 
-{ $as_echo "$as_me:$LINENO: checking for gcc atomic operations" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for gcc atomic operations" >&5
 $as_echo_n "checking for gcc atomic operations... " >&6; }
-if test "$cross_compiling" = yes; then
-  { $as_echo "$as_me:$LINENO: result: no" >&5
+if test "$cross_compiling" = yes; then :
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; }
 else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
 	int main() {
@@ -15642,161 +14135,50 @@ cat >>conftest.$ac_ext <<_ACEOF
 	}
 
 _ACEOF
-rm -f conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_link") 2>&5
-  ac_status=$?
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
-  { (case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_try") 2>&5
-  ac_status=$?
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  { $as_echo "$as_me:$LINENO: result: yes" >&5
-$as_echo "yes" >&6; }; cat >>confdefs.h <<\_ACEOF
-#define HAVE_GCC_ATOMIC_OPERATIONS 1
-_ACEOF
+if ac_fn_c_try_run "$LINENO"; then :
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }; $as_echo "#define HAVE_GCC_ATOMIC_OPERATIONS 1" >>confdefs.h
 
 else
-  $as_echo "$as_me: program exited with status $ac_status" >&5
-$as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-( exit $ac_status )
-{ $as_echo "$as_me:$LINENO: result: no" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; }
 fi
-rm -rf conftest.dSYM
-rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
+  conftest.$ac_objext conftest.beam conftest.$ac_ext
 fi
 
 
+ac_fn_c_check_func "$LINENO" "register_printf_specifier" "ac_cv_func_register_printf_specifier"
+if test "x$ac_cv_func_register_printf_specifier" = x""yes; then :
+  $as_echo "#define HAVE_PRINTF_SPECIFIER 1" >>confdefs.h
 
-{ $as_echo "$as_me:$LINENO: checking for register_printf_function" >&5
-$as_echo_n "checking for register_printf_function... " >&6; }
-if test "${ac_cv_func_register_printf_function+set}" = set; then
-  $as_echo_n "(cached) " >&6
 else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-/* Define register_printf_function to an innocuous variant, in case <limits.h> declares register_printf_function.
-   For example, HP-UX 11i <limits.h> declares gettimeofday.  */
-#define register_printf_function innocuous_register_printf_function
+  ac_fn_c_check_func "$LINENO" "register_printf_function" "ac_cv_func_register_printf_function"
+if test "x$ac_cv_func_register_printf_function" = x""yes; then :
+  $as_echo "#define HAVE_PRINTF_FUNCTION 1" >>confdefs.h
 
-/* System header to define __stub macros and hopefully few prototypes,
-    which can conflict with char register_printf_function (); below.
-    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
-    <limits.h> exists even on freestanding compilers.  */
+else
 
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
+			{ $as_echo "$as_me:${as_lineno-$LINENO}: printf does not support custom format specifiers!" >&5
+$as_echo "$as_me: printf does not support custom format specifiers!" >&6;}
+			vstr=true
 
-#undef register_printf_function
 
-/* Override any GCC internal prototype to avoid an error.
-   Use char because int might match the return type of a GCC
-   builtin and then its argument prototype would still apply.  */
-#ifdef __cplusplus
-extern "C"
-#endif
-char register_printf_function ();
-/* The GNU C library defines this for functions which it implements
-    to always fail with ENOSYS.  Some functions are actually named
-    something starting with __ and the normal name is an alias.  */
-#if defined __stub_register_printf_function || defined __stub___register_printf_function
-choke me
-#endif
-
-int
-main ()
-{
-return register_printf_function ();
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
-  ac_cv_func_register_printf_function=yes
-else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_cv_func_register_printf_function=no
-fi
-
-rm -rf conftest.dSYM
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_func_register_printf_function" >&5
-$as_echo "$ac_cv_func_register_printf_function" >&6; }
-if test "x$ac_cv_func_register_printf_function" = x""yes; then
-  cat >>confdefs.h <<\_ACEOF
-#define HAVE_PRINTF_HOOKS 1
-_ACEOF
-
-else
-
-		{ $as_echo "$as_me:$LINENO: printf does not support custom format specifiers!" >&5
-$as_echo "$as_me: printf does not support custom format specifiers!" >&6;}
-		vstr=true
 
 
 fi
 
 
 if test x$vstr = xtrue; then
-	{ $as_echo "$as_me:$LINENO: checking for main in -lvstr" >&5
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lvstr" >&5
 $as_echo_n "checking for main in -lvstr... " >&6; }
-if test "${ac_cv_lib_vstr_main+set}" = set; then
+if test "${ac_cv_lib_vstr_main+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
 LIBS="-lvstr  $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
 
@@ -15808,70 +14190,37 @@ return main ();
   return 0;
 }
 _ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+if ac_fn_c_try_link "$LINENO"; then :
   ac_cv_lib_vstr_main=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_cv_lib_vstr_main=no
+  ac_cv_lib_vstr_main=no
 fi
-
-rm -rf conftest.dSYM
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_vstr_main" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_vstr_main" >&5
 $as_echo "$ac_cv_lib_vstr_main" >&6; }
-if test "x$ac_cv_lib_vstr_main" = x""yes; then
+if test "x$ac_cv_lib_vstr_main" = x""yes; then :
   LIBS="$LIBS"
 else
-  { { $as_echo "$as_me:$LINENO: error: Vstr string library not found" >&5
-$as_echo "$as_me: error: Vstr string library not found" >&2;}
-   { (exit 1); exit 1; }; }
+  as_fn_error "Vstr string library not found" "$LINENO" 5
 fi
 ac_cv_lib_vstr=ac_cv_lib_vstr_main
 
-	cat >>confdefs.h <<\_ACEOF
-#define USE_VSTR 1
-_ACEOF
+	$as_echo "#define USE_VSTR 1" >>confdefs.h
 
 fi
 
 if test x$gmp = xtrue; then
-	{ $as_echo "$as_me:$LINENO: checking for main in -lgmp" >&5
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lgmp" >&5
 $as_echo_n "checking for main in -lgmp... " >&6; }
-if test "${ac_cv_lib_gmp_main+set}" = set; then
+if test "${ac_cv_lib_gmp_main+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
 LIBS="-lgmp  $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
 
@@ -15883,58 +14232,27 @@ return main ();
   return 0;
 }
 _ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+if ac_fn_c_try_link "$LINENO"; then :
   ac_cv_lib_gmp_main=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_cv_lib_gmp_main=no
+  ac_cv_lib_gmp_main=no
 fi
-
-rm -rf conftest.dSYM
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_gmp_main" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_gmp_main" >&5
 $as_echo "$ac_cv_lib_gmp_main" >&6; }
-if test "x$ac_cv_lib_gmp_main" = x""yes; then
+if test "x$ac_cv_lib_gmp_main" = x""yes; then :
   LIBS="$LIBS"
 else
-  { { $as_echo "$as_me:$LINENO: error: GNU Multi Precision library gmp not found" >&5
-$as_echo "$as_me: error: GNU Multi Precision library gmp not found" >&2;}
-   { (exit 1); exit 1; }; }
+  as_fn_error "GNU Multi Precision library gmp not found" "$LINENO" 5
 fi
 ac_cv_lib_gmp=ac_cv_lib_gmp_main
 
-	{ $as_echo "$as_me:$LINENO: checking gmp.h version >= 4.1.4" >&5
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking gmp.h version >= 4.1.4" >&5
 $as_echo_n "checking gmp.h version >= 4.1.4... " >&6; }
-	cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
+	cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 #include "gmp.h"
 int
@@ -15949,53 +14267,26 @@ main ()
   return 0;
 }
 _ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  { $as_echo "$as_me:$LINENO: result: yes" >&5
+if ac_fn_c_try_compile "$LINENO"; then :
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
 $as_echo "yes" >&6; }
 else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	{ $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }; { { $as_echo "$as_me:$LINENO: error: No usable gmp.h found!" >&5
-$as_echo "$as_me: error: No usable gmp.h found!" >&2;}
-   { (exit 1); exit 1; }; }
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }; as_fn_error "No usable gmp.h found!" "$LINENO" 5
 
 fi
-
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
 
 if test x$ldap = xtrue; then
-	{ $as_echo "$as_me:$LINENO: checking for main in -lldap" >&5
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lldap" >&5
 $as_echo_n "checking for main in -lldap... " >&6; }
-if test "${ac_cv_lib_ldap_main+set}" = set; then
+if test "${ac_cv_lib_ldap_main+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
 LIBS="-lldap  $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
 
@@ -16007,63 +14298,32 @@ return main ();
   return 0;
 }
 _ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+if ac_fn_c_try_link "$LINENO"; then :
   ac_cv_lib_ldap_main=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_cv_lib_ldap_main=no
+  ac_cv_lib_ldap_main=no
 fi
-
-rm -rf conftest.dSYM
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_ldap_main" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_ldap_main" >&5
 $as_echo "$ac_cv_lib_ldap_main" >&6; }
-if test "x$ac_cv_lib_ldap_main" = x""yes; then
+if test "x$ac_cv_lib_ldap_main" = x""yes; then :
   LIBS="$LIBS"
 else
-  { { $as_echo "$as_me:$LINENO: error: LDAP library ldap not found" >&5
-$as_echo "$as_me: error: LDAP library ldap not found" >&2;}
-   { (exit 1); exit 1; }; }
+  as_fn_error "LDAP library ldap not found" "$LINENO" 5
 fi
 ac_cv_lib_ldap=ac_cv_lib_ldap_main
 
-	{ $as_echo "$as_me:$LINENO: checking for main in -llber" >&5
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -llber" >&5
 $as_echo_n "checking for main in -llber... " >&6; }
-if test "${ac_cv_lib_lber_main+set}" = set; then
+if test "${ac_cv_lib_lber_main+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
 LIBS="-llber  $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
 
@@ -16075,202 +14335,43 @@ return main ();
   return 0;
 }
 _ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+if ac_fn_c_try_link "$LINENO"; then :
   ac_cv_lib_lber_main=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_cv_lib_lber_main=no
+  ac_cv_lib_lber_main=no
 fi
-
-rm -rf conftest.dSYM
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_lber_main" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_lber_main" >&5
 $as_echo "$ac_cv_lib_lber_main" >&6; }
-if test "x$ac_cv_lib_lber_main" = x""yes; then
+if test "x$ac_cv_lib_lber_main" = x""yes; then :
   LIBS="$LIBS"
 else
-  { { $as_echo "$as_me:$LINENO: error: LDAP library lber not found" >&5
-$as_echo "$as_me: error: LDAP library lber not found" >&2;}
-   { (exit 1); exit 1; }; }
+  as_fn_error "LDAP library lber not found" "$LINENO" 5
 fi
 ac_cv_lib_lber=ac_cv_lib_lber_main
 
-	if test "${ac_cv_header_ldap_h+set}" = set; then
-  { $as_echo "$as_me:$LINENO: checking for ldap.h" >&5
-$as_echo_n "checking for ldap.h... " >&6; }
-if test "${ac_cv_header_ldap_h+set}" = set; then
-  $as_echo_n "(cached) " >&6
-fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_header_ldap_h" >&5
-$as_echo "$ac_cv_header_ldap_h" >&6; }
-else
-  # Is the header compilable?
-{ $as_echo "$as_me:$LINENO: checking ldap.h usability" >&5
-$as_echo_n "checking ldap.h usability... " >&6; }
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-$ac_includes_default
-#include <ldap.h>
-_ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  ac_header_compiler=yes
-else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_header_compiler=no
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-{ $as_echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
-$as_echo "$ac_header_compiler" >&6; }
-
-# Is the header present?
-{ $as_echo "$as_me:$LINENO: checking ldap.h presence" >&5
-$as_echo_n "checking ldap.h presence... " >&6; }
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#include <ldap.h>
-_ACEOF
-if { (ac_try="$ac_cpp conftest.$ac_ext"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } >/dev/null && {
-	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       }; then
-  ac_header_preproc=yes
-else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-  ac_header_preproc=no
-fi
-
-rm -f conftest.err conftest.$ac_ext
-{ $as_echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
-$as_echo "$ac_header_preproc" >&6; }
-
-# So?  What about this header?
-case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
-  yes:no: )
-    { $as_echo "$as_me:$LINENO: WARNING: ldap.h: accepted by the compiler, rejected by the preprocessor!" >&5
-$as_echo "$as_me: WARNING: ldap.h: accepted by the compiler, rejected by the preprocessor!" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: ldap.h: proceeding with the compiler's result" >&5
-$as_echo "$as_me: WARNING: ldap.h: proceeding with the compiler's result" >&2;}
-    ac_header_preproc=yes
-    ;;
-  no:yes:* )
-    { $as_echo "$as_me:$LINENO: WARNING: ldap.h: present but cannot be compiled" >&5
-$as_echo "$as_me: WARNING: ldap.h: present but cannot be compiled" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: ldap.h:     check for missing prerequisite headers?" >&5
-$as_echo "$as_me: WARNING: ldap.h:     check for missing prerequisite headers?" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: ldap.h: see the Autoconf documentation" >&5
-$as_echo "$as_me: WARNING: ldap.h: see the Autoconf documentation" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: ldap.h:     section \"Present But Cannot Be Compiled\"" >&5
-$as_echo "$as_me: WARNING: ldap.h:     section \"Present But Cannot Be Compiled\"" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: ldap.h: proceeding with the preprocessor's result" >&5
-$as_echo "$as_me: WARNING: ldap.h: proceeding with the preprocessor's result" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: ldap.h: in the future, the compiler will take precedence" >&5
-$as_echo "$as_me: WARNING: ldap.h: in the future, the compiler will take precedence" >&2;}
-
-    ;;
-esac
-{ $as_echo "$as_me:$LINENO: checking for ldap.h" >&5
-$as_echo_n "checking for ldap.h... " >&6; }
-if test "${ac_cv_header_ldap_h+set}" = set; then
-  $as_echo_n "(cached) " >&6
-else
-  ac_cv_header_ldap_h=$ac_header_preproc
-fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_header_ldap_h" >&5
-$as_echo "$ac_cv_header_ldap_h" >&6; }
+	ac_fn_c_check_header_mongrel "$LINENO" "ldap.h" "ac_cv_header_ldap_h" "$ac_includes_default"
+if test "x$ac_cv_header_ldap_h" = x""yes; then :
 
-fi
-if test "x$ac_cv_header_ldap_h" = x""yes; then
-  :
 else
-  { { $as_echo "$as_me:$LINENO: error: LDAP header ldap.h not found!" >&5
-$as_echo "$as_me: error: LDAP header ldap.h not found!" >&2;}
-   { (exit 1); exit 1; }; }
+  as_fn_error "LDAP header ldap.h not found!" "$LINENO" 5
 fi
 
 
 fi
 
 if test x$curl = xtrue; then
-	{ $as_echo "$as_me:$LINENO: checking for main in -lcurl" >&5
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lcurl" >&5
 $as_echo_n "checking for main in -lcurl... " >&6; }
-if test "${ac_cv_lib_curl_main+set}" = set; then
+if test "${ac_cv_lib_curl_main+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
 LIBS="-lcurl  $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
 
@@ -16282,184 +14383,29 @@ return main ();
   return 0;
 }
 _ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+if ac_fn_c_try_link "$LINENO"; then :
   ac_cv_lib_curl_main=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_cv_lib_curl_main=no
+  ac_cv_lib_curl_main=no
 fi
-
-rm -rf conftest.dSYM
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_curl_main" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_curl_main" >&5
 $as_echo "$ac_cv_lib_curl_main" >&6; }
-if test "x$ac_cv_lib_curl_main" = x""yes; then
+if test "x$ac_cv_lib_curl_main" = x""yes; then :
   LIBS="$LIBS"
 else
-  { { $as_echo "$as_me:$LINENO: error: CURL library curl not found" >&5
-$as_echo "$as_me: error: CURL library curl not found" >&2;}
-   { (exit 1); exit 1; }; }
+  as_fn_error "CURL library curl not found" "$LINENO" 5
 fi
 ac_cv_lib_curl=ac_cv_lib_curl_main
 
-	if test "${ac_cv_header_curl_curl_h+set}" = set; then
-  { $as_echo "$as_me:$LINENO: checking for curl/curl.h" >&5
-$as_echo_n "checking for curl/curl.h... " >&6; }
-if test "${ac_cv_header_curl_curl_h+set}" = set; then
-  $as_echo_n "(cached) " >&6
-fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_header_curl_curl_h" >&5
-$as_echo "$ac_cv_header_curl_curl_h" >&6; }
-else
-  # Is the header compilable?
-{ $as_echo "$as_me:$LINENO: checking curl/curl.h usability" >&5
-$as_echo_n "checking curl/curl.h usability... " >&6; }
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-$ac_includes_default
-#include <curl/curl.h>
-_ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  ac_header_compiler=yes
-else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_header_compiler=no
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-{ $as_echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
-$as_echo "$ac_header_compiler" >&6; }
-
-# Is the header present?
-{ $as_echo "$as_me:$LINENO: checking curl/curl.h presence" >&5
-$as_echo_n "checking curl/curl.h presence... " >&6; }
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#include <curl/curl.h>
-_ACEOF
-if { (ac_try="$ac_cpp conftest.$ac_ext"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } >/dev/null && {
-	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       }; then
-  ac_header_preproc=yes
-else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-  ac_header_preproc=no
-fi
-
-rm -f conftest.err conftest.$ac_ext
-{ $as_echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
-$as_echo "$ac_header_preproc" >&6; }
-
-# So?  What about this header?
-case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
-  yes:no: )
-    { $as_echo "$as_me:$LINENO: WARNING: curl/curl.h: accepted by the compiler, rejected by the preprocessor!" >&5
-$as_echo "$as_me: WARNING: curl/curl.h: accepted by the compiler, rejected by the preprocessor!" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: curl/curl.h: proceeding with the compiler's result" >&5
-$as_echo "$as_me: WARNING: curl/curl.h: proceeding with the compiler's result" >&2;}
-    ac_header_preproc=yes
-    ;;
-  no:yes:* )
-    { $as_echo "$as_me:$LINENO: WARNING: curl/curl.h: present but cannot be compiled" >&5
-$as_echo "$as_me: WARNING: curl/curl.h: present but cannot be compiled" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: curl/curl.h:     check for missing prerequisite headers?" >&5
-$as_echo "$as_me: WARNING: curl/curl.h:     check for missing prerequisite headers?" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: curl/curl.h: see the Autoconf documentation" >&5
-$as_echo "$as_me: WARNING: curl/curl.h: see the Autoconf documentation" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: curl/curl.h:     section \"Present But Cannot Be Compiled\"" >&5
-$as_echo "$as_me: WARNING: curl/curl.h:     section \"Present But Cannot Be Compiled\"" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: curl/curl.h: proceeding with the preprocessor's result" >&5
-$as_echo "$as_me: WARNING: curl/curl.h: proceeding with the preprocessor's result" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: curl/curl.h: in the future, the compiler will take precedence" >&5
-$as_echo "$as_me: WARNING: curl/curl.h: in the future, the compiler will take precedence" >&2;}
-
-    ;;
-esac
-{ $as_echo "$as_me:$LINENO: checking for curl/curl.h" >&5
-$as_echo_n "checking for curl/curl.h... " >&6; }
-if test "${ac_cv_header_curl_curl_h+set}" = set; then
-  $as_echo_n "(cached) " >&6
-else
-  ac_cv_header_curl_curl_h=$ac_header_preproc
-fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_header_curl_curl_h" >&5
-$as_echo "$ac_cv_header_curl_curl_h" >&6; }
+	ac_fn_c_check_header_mongrel "$LINENO" "curl/curl.h" "ac_cv_header_curl_curl_h" "$ac_includes_default"
+if test "x$ac_cv_header_curl_curl_h" = x""yes; then :
 
-fi
-if test "x$ac_cv_header_curl_curl_h" = x""yes; then
-  :
 else
-  { { $as_echo "$as_me:$LINENO: error: CURL header curl/curl.h not found!" >&5
-$as_echo "$as_me: error: CURL header curl/curl.h not found!" >&2;}
-   { (exit 1); exit 1; }; }
+  as_fn_error "CURL header curl/curl.h not found!" "$LINENO" 5
 fi
 
 
@@ -16468,7 +14414,7 @@ fi
 if test x$xml = xtrue; then
 
 pkg_failed=no
-{ $as_echo "$as_me:$LINENO: checking for xml" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for xml" >&5
 $as_echo_n "checking for xml... " >&6; }
 
 if test -n "$PKG_CONFIG"; then
@@ -16476,11 +14422,11 @@ if test -n "$PKG_CONFIG"; then
         pkg_cv_xml_CFLAGS="$xml_CFLAGS"
     else
         if test -n "$PKG_CONFIG" && \
-    { ($as_echo "$as_me:$LINENO: \$PKG_CONFIG --exists --print-errors \"libxml-2.0\"") >&5
+    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libxml-2.0\""; } >&5
   ($PKG_CONFIG --exists --print-errors "libxml-2.0") 2>&5
   ac_status=$?
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; then
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; then
   pkg_cv_xml_CFLAGS=`$PKG_CONFIG --cflags "libxml-2.0" 2>/dev/null`
 else
   pkg_failed=yes
@@ -16494,11 +14440,11 @@ if test -n "$PKG_CONFIG"; then
         pkg_cv_xml_LIBS="$xml_LIBS"
     else
         if test -n "$PKG_CONFIG" && \
-    { ($as_echo "$as_me:$LINENO: \$PKG_CONFIG --exists --print-errors \"libxml-2.0\"") >&5
+    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libxml-2.0\""; } >&5
   ($PKG_CONFIG --exists --print-errors "libxml-2.0") 2>&5
   ac_status=$?
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; then
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; then
   pkg_cv_xml_LIBS=`$PKG_CONFIG --libs "libxml-2.0" 2>/dev/null`
 else
   pkg_failed=yes
@@ -16525,7 +14471,7 @@ fi
 	# Put the nasty error message in config.log where it belongs
 	echo "$xml_PKG_ERRORS" >&5
 
-	{ { $as_echo "$as_me:$LINENO: error: Package requirements (libxml-2.0) were not met:
+	as_fn_error "Package requirements (libxml-2.0) were not met:
 
 $xml_PKG_ERRORS
 
@@ -16535,23 +14481,11 @@ installed software in a non-standard prefix.
 Alternatively, you may set the environment variables xml_CFLAGS
 and xml_LIBS to avoid the need to call pkg-config.
 See the pkg-config man page for more details.
-" >&5
-$as_echo "$as_me: error: Package requirements (libxml-2.0) were not met:
-
-$xml_PKG_ERRORS
-
-Consider adjusting the PKG_CONFIG_PATH environment variable if you
-installed software in a non-standard prefix.
-
-Alternatively, you may set the environment variables xml_CFLAGS
-and xml_LIBS to avoid the need to call pkg-config.
-See the pkg-config man page for more details.
-" >&2;}
-   { (exit 1); exit 1; }; }
+" "$LINENO" 5
 elif test $pkg_failed = untried; then
-	{ { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5
+	{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
-{ { $as_echo "$as_me:$LINENO: error: The pkg-config script could not be found or is too old.  Make sure it
+as_fn_error "The pkg-config script could not be found or is too old.  Make sure it
 is in your PATH or set the PKG_CONFIG environment variable to the full
 path to pkg-config.
 
@@ -16560,22 +14494,11 @@ and xml_LIBS to avoid the need to call pkg-config.
 See the pkg-config man page for more details.
 
 To get pkg-config, see <http://pkg-config.freedesktop.org/>.
-See \`config.log' for more details." >&5
-$as_echo "$as_me: error: The pkg-config script could not be found or is too old.  Make sure it
-is in your PATH or set the PKG_CONFIG environment variable to the full
-path to pkg-config.
-
-Alternatively, you may set the environment variables xml_CFLAGS
-and xml_LIBS to avoid the need to call pkg-config.
-See the pkg-config man page for more details.
-
-To get pkg-config, see <http://pkg-config.freedesktop.org/>.
-See \`config.log' for more details." >&2;}
-   { (exit 1); exit 1; }; }; }
+See \`config.log' for more details." "$LINENO" 5; }
 else
 	xml_CFLAGS=$pkg_cv_xml_CFLAGS
 	xml_LIBS=$pkg_cv_xml_LIBS
-        { $as_echo "$as_me:$LINENO: result: yes" >&5
+        { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
 $as_echo "yes" >&6; }
 	:
 fi
@@ -16586,7 +14509,7 @@ fi
 if test x$dumm = xtrue; then
 
 pkg_failed=no
-{ $as_echo "$as_me:$LINENO: checking for gtk" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for gtk" >&5
 $as_echo_n "checking for gtk... " >&6; }
 
 if test -n "$PKG_CONFIG"; then
@@ -16594,11 +14517,11 @@ if test -n "$PKG_CONFIG"; then
         pkg_cv_gtk_CFLAGS="$gtk_CFLAGS"
     else
         if test -n "$PKG_CONFIG" && \
-    { ($as_echo "$as_me:$LINENO: \$PKG_CONFIG --exists --print-errors \"gtk+-2.0 vte\"") >&5
+    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"gtk+-2.0 vte\""; } >&5
   ($PKG_CONFIG --exists --print-errors "gtk+-2.0 vte") 2>&5
   ac_status=$?
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; then
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; then
   pkg_cv_gtk_CFLAGS=`$PKG_CONFIG --cflags "gtk+-2.0 vte" 2>/dev/null`
 else
   pkg_failed=yes
@@ -16612,11 +14535,11 @@ if test -n "$PKG_CONFIG"; then
         pkg_cv_gtk_LIBS="$gtk_LIBS"
     else
         if test -n "$PKG_CONFIG" && \
-    { ($as_echo "$as_me:$LINENO: \$PKG_CONFIG --exists --print-errors \"gtk+-2.0 vte\"") >&5
+    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"gtk+-2.0 vte\""; } >&5
   ($PKG_CONFIG --exists --print-errors "gtk+-2.0 vte") 2>&5
   ac_status=$?
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; then
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; then
   pkg_cv_gtk_LIBS=`$PKG_CONFIG --libs "gtk+-2.0 vte" 2>/dev/null`
 else
   pkg_failed=yes
@@ -16643,18 +14566,7 @@ fi
 	# Put the nasty error message in config.log where it belongs
 	echo "$gtk_PKG_ERRORS" >&5
 
-	{ { $as_echo "$as_me:$LINENO: error: Package requirements (gtk+-2.0 vte) were not met:
-
-$gtk_PKG_ERRORS
-
-Consider adjusting the PKG_CONFIG_PATH environment variable if you
-installed software in a non-standard prefix.
-
-Alternatively, you may set the environment variables gtk_CFLAGS
-and gtk_LIBS to avoid the need to call pkg-config.
-See the pkg-config man page for more details.
-" >&5
-$as_echo "$as_me: error: Package requirements (gtk+-2.0 vte) were not met:
+	as_fn_error "Package requirements (gtk+-2.0 vte) were not met:
 
 $gtk_PKG_ERRORS
 
@@ -16664,22 +14576,11 @@ installed software in a non-standard prefix.
 Alternatively, you may set the environment variables gtk_CFLAGS
 and gtk_LIBS to avoid the need to call pkg-config.
 See the pkg-config man page for more details.
-" >&2;}
-   { (exit 1); exit 1; }; }
+" "$LINENO" 5
 elif test $pkg_failed = untried; then
-	{ { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5
+	{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
-{ { $as_echo "$as_me:$LINENO: error: The pkg-config script could not be found or is too old.  Make sure it
-is in your PATH or set the PKG_CONFIG environment variable to the full
-path to pkg-config.
-
-Alternatively, you may set the environment variables gtk_CFLAGS
-and gtk_LIBS to avoid the need to call pkg-config.
-See the pkg-config man page for more details.
-
-To get pkg-config, see <http://pkg-config.freedesktop.org/>.
-See \`config.log' for more details." >&5
-$as_echo "$as_me: error: The pkg-config script could not be found or is too old.  Make sure it
+as_fn_error "The pkg-config script could not be found or is too old.  Make sure it
 is in your PATH or set the PKG_CONFIG environment variable to the full
 path to pkg-config.
 
@@ -16688,12 +14589,11 @@ and gtk_LIBS to avoid the need to call pkg-config.
 See the pkg-config man page for more details.
 
 To get pkg-config, see <http://pkg-config.freedesktop.org/>.
-See \`config.log' for more details." >&2;}
-   { (exit 1); exit 1; }; }; }
+See \`config.log' for more details." "$LINENO" 5; }
 else
 	gtk_CFLAGS=$pkg_cv_gtk_CFLAGS
 	gtk_LIBS=$pkg_cv_gtk_LIBS
-        { $as_echo "$as_me:$LINENO: result: yes" >&5
+        { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
 $as_echo "yes" >&6; }
 	:
 fi
@@ -16703,9 +14603,9 @@ fi
 do
   # Extract the first word of "$ac_prog", so it can be a program name with args.
 set dummy $ac_prog; ac_word=$2
-{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_RUBY+set}" = set; then
+if test "${ac_cv_prog_RUBY+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
   if test -n "$RUBY"; then
@@ -16716,24 +14616,24 @@ for as_dir in $PATH
 do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
+    for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_RUBY="$ac_prog"
-    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
-done
+  done
 IFS=$as_save_IFS
 
 fi
 fi
 RUBY=$ac_cv_prog_RUBY
 if test -n "$RUBY"; then
-  { $as_echo "$as_me:$LINENO: result: $RUBY" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $RUBY" >&5
 $as_echo "$RUBY" >&6; }
 else
-  { $as_echo "$as_me:$LINENO: result: no" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; }
 fi
 
@@ -16741,7 +14641,7 @@ fi
   test -n "$RUBY" && break
 done
 
-	{ $as_echo "$as_me:$LINENO: checking for Ruby header files" >&5
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for Ruby header files" >&5
 $as_echo_n "checking for Ruby header files... " >&6; }
 	if test -n "$RUBY"; then
 		RUBYDIR=`($RUBY -rmkmf -e 'print Config::CONFIG["archdir"] || $archdir') 2>/dev/null`
@@ -16750,43 +14650,33 @@ $as_echo_n "checking for Ruby header files... " >&6; }
 			RUBYINCLUDE=none
 			for i in $dirs; do
 				if test -r $i/ruby.h; then
-					{ $as_echo "$as_me:$LINENO: result: $i" >&5
+					{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $i" >&5
 $as_echo "$i" >&6; }
 					RUBYINCLUDE="-I$i"
 					break;
 				fi
 			done
 			if test x"$RUBYINCLUDE" = xnone; then
-				{ { $as_echo "$as_me:$LINENO: error: ruby.h not found" >&5
-$as_echo "$as_me: error: ruby.h not found" >&2;}
-   { (exit 1); exit 1; }; }
+				as_fn_error "ruby.h not found" "$LINENO" 5
 			fi
 
 		else
-			{ { $as_echo "$as_me:$LINENO: error: unable to determine ruby configuration" >&5
-$as_echo "$as_me: error: unable to determine ruby configuration" >&2;}
-   { (exit 1); exit 1; }; }
+			as_fn_error "unable to determine ruby configuration" "$LINENO" 5
 		fi
 	else
-		{ { $as_echo "$as_me:$LINENO: error: don't know how to run ruby" >&5
-$as_echo "$as_me: error: don't know how to run ruby" >&2;}
-   { (exit 1); exit 1; }; }
+		as_fn_error "don't know how to run ruby" "$LINENO" 5
 	fi
 fi
 
 if test x$fast = xtrue; then
-	{ $as_echo "$as_me:$LINENO: checking for main in -lneo_cgi" >&5
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lneo_cgi" >&5
 $as_echo_n "checking for main in -lneo_cgi... " >&6; }
-if test "${ac_cv_lib_neo_cgi_main+set}" = set; then
+if test "${ac_cv_lib_neo_cgi_main+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
 LIBS="-lneo_cgi  $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
 
@@ -16798,63 +14688,32 @@ return main ();
   return 0;
 }
 _ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+if ac_fn_c_try_link "$LINENO"; then :
   ac_cv_lib_neo_cgi_main=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_cv_lib_neo_cgi_main=no
+  ac_cv_lib_neo_cgi_main=no
 fi
-
-rm -rf conftest.dSYM
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_neo_cgi_main" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_neo_cgi_main" >&5
 $as_echo "$ac_cv_lib_neo_cgi_main" >&6; }
-if test "x$ac_cv_lib_neo_cgi_main" = x""yes; then
+if test "x$ac_cv_lib_neo_cgi_main" = x""yes; then :
   LIBS="$LIBS"
 else
-  { { $as_echo "$as_me:$LINENO: error: ClearSilver library neo_cgi not found!" >&5
-$as_echo "$as_me: error: ClearSilver library neo_cgi not found!" >&2;}
-   { (exit 1); exit 1; }; }
+  as_fn_error "ClearSilver library neo_cgi not found!" "$LINENO" 5
 fi
 ac_cv_lib_neo_cgi=ac_cv_lib_neo_cgi_main
 
-	{ $as_echo "$as_me:$LINENO: checking for main in -lneo_utl" >&5
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lneo_utl" >&5
 $as_echo_n "checking for main in -lneo_utl... " >&6; }
-if test "${ac_cv_lib_neo_utl_main+set}" = set; then
+if test "${ac_cv_lib_neo_utl_main+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
 LIBS="-lneo_utl  $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
 
@@ -16866,63 +14725,32 @@ return main ();
   return 0;
 }
 _ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+if ac_fn_c_try_link "$LINENO"; then :
   ac_cv_lib_neo_utl_main=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_cv_lib_neo_utl_main=no
+  ac_cv_lib_neo_utl_main=no
 fi
-
-rm -rf conftest.dSYM
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_neo_utl_main" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_neo_utl_main" >&5
 $as_echo "$ac_cv_lib_neo_utl_main" >&6; }
-if test "x$ac_cv_lib_neo_utl_main" = x""yes; then
+if test "x$ac_cv_lib_neo_utl_main" = x""yes; then :
   LIBS="$LIBS"
 else
-  { { $as_echo "$as_me:$LINENO: error: ClearSilver library neo_utl not found!" >&5
-$as_echo "$as_me: error: ClearSilver library neo_utl not found!" >&2;}
-   { (exit 1); exit 1; }; }
+  as_fn_error "ClearSilver library neo_utl not found!" "$LINENO" 5
 fi
 ac_cv_lib_neo_utl=ac_cv_lib_neo_utl_main
 
-	{ $as_echo "$as_me:$LINENO: checking for main in -lz" >&5
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lz" >&5
 $as_echo_n "checking for main in -lz... " >&6; }
-if test "${ac_cv_lib_z_main+set}" = set; then
+if test "${ac_cv_lib_z_main+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
 LIBS="-lz  $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
 
@@ -16934,64 +14762,33 @@ return main ();
   return 0;
 }
 _ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+if ac_fn_c_try_link "$LINENO"; then :
   ac_cv_lib_z_main=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_cv_lib_z_main=no
+  ac_cv_lib_z_main=no
 fi
-
-rm -rf conftest.dSYM
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_z_main" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_z_main" >&5
 $as_echo "$ac_cv_lib_z_main" >&6; }
-if test "x$ac_cv_lib_z_main" = x""yes; then
+if test "x$ac_cv_lib_z_main" = x""yes; then :
   LIBS="$LIBS"
 else
-  { { $as_echo "$as_me:$LINENO: error: ClearSilver dependency zlib not found!" >&5
-$as_echo "$as_me: error: ClearSilver dependency zlib not found!" >&2;}
-   { (exit 1); exit 1; }; }
+  as_fn_error "ClearSilver dependency zlib not found!" "$LINENO" 5
 fi
 ac_cv_lib_z=ac_cv_lib_z_main
 
 
-	{ $as_echo "$as_me:$LINENO: checking for main in -lfcgi" >&5
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lfcgi" >&5
 $as_echo_n "checking for main in -lfcgi... " >&6; }
-if test "${ac_cv_lib_fcgi_main+set}" = set; then
+if test "${ac_cv_lib_fcgi_main+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
 LIBS="-lfcgi  $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
 
@@ -17003,409 +14800,94 @@ return main ();
   return 0;
 }
 _ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+if ac_fn_c_try_link "$LINENO"; then :
   ac_cv_lib_fcgi_main=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_cv_lib_fcgi_main=no
+  ac_cv_lib_fcgi_main=no
 fi
-
-rm -rf conftest.dSYM
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_fcgi_main" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_fcgi_main" >&5
 $as_echo "$ac_cv_lib_fcgi_main" >&6; }
-if test "x$ac_cv_lib_fcgi_main" = x""yes; then
+if test "x$ac_cv_lib_fcgi_main" = x""yes; then :
   LIBS="$LIBS"
 else
-  { { $as_echo "$as_me:$LINENO: error: FastCGI library fcgi not found!" >&5
-$as_echo "$as_me: error: FastCGI library fcgi not found!" >&2;}
-   { (exit 1); exit 1; }; }
+  as_fn_error "FastCGI library fcgi not found!" "$LINENO" 5
 fi
 ac_cv_lib_fcgi=ac_cv_lib_fcgi_main
 
-	if test "${ac_cv_header_fcgiapp_h+set}" = set; then
-  { $as_echo "$as_me:$LINENO: checking for fcgiapp.h" >&5
-$as_echo_n "checking for fcgiapp.h... " >&6; }
-if test "${ac_cv_header_fcgiapp_h+set}" = set; then
-  $as_echo_n "(cached) " >&6
-fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_header_fcgiapp_h" >&5
-$as_echo "$ac_cv_header_fcgiapp_h" >&6; }
-else
-  # Is the header compilable?
-{ $as_echo "$as_me:$LINENO: checking fcgiapp.h usability" >&5
-$as_echo_n "checking fcgiapp.h usability... " >&6; }
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-$ac_includes_default
-#include <fcgiapp.h>
-_ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  ac_header_compiler=yes
-else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_header_compiler=no
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-{ $as_echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
-$as_echo "$ac_header_compiler" >&6; }
-
-# Is the header present?
-{ $as_echo "$as_me:$LINENO: checking fcgiapp.h presence" >&5
-$as_echo_n "checking fcgiapp.h presence... " >&6; }
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#include <fcgiapp.h>
-_ACEOF
-if { (ac_try="$ac_cpp conftest.$ac_ext"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } >/dev/null && {
-	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       }; then
-  ac_header_preproc=yes
-else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-  ac_header_preproc=no
-fi
-
-rm -f conftest.err conftest.$ac_ext
-{ $as_echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
-$as_echo "$ac_header_preproc" >&6; }
+	ac_fn_c_check_header_mongrel "$LINENO" "fcgiapp.h" "ac_cv_header_fcgiapp_h" "$ac_includes_default"
+if test "x$ac_cv_header_fcgiapp_h" = x""yes; then :
 
-# So?  What about this header?
-case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
-  yes:no: )
-    { $as_echo "$as_me:$LINENO: WARNING: fcgiapp.h: accepted by the compiler, rejected by the preprocessor!" >&5
-$as_echo "$as_me: WARNING: fcgiapp.h: accepted by the compiler, rejected by the preprocessor!" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: fcgiapp.h: proceeding with the compiler's result" >&5
-$as_echo "$as_me: WARNING: fcgiapp.h: proceeding with the compiler's result" >&2;}
-    ac_header_preproc=yes
-    ;;
-  no:yes:* )
-    { $as_echo "$as_me:$LINENO: WARNING: fcgiapp.h: present but cannot be compiled" >&5
-$as_echo "$as_me: WARNING: fcgiapp.h: present but cannot be compiled" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: fcgiapp.h:     check for missing prerequisite headers?" >&5
-$as_echo "$as_me: WARNING: fcgiapp.h:     check for missing prerequisite headers?" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: fcgiapp.h: see the Autoconf documentation" >&5
-$as_echo "$as_me: WARNING: fcgiapp.h: see the Autoconf documentation" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: fcgiapp.h:     section \"Present But Cannot Be Compiled\"" >&5
-$as_echo "$as_me: WARNING: fcgiapp.h:     section \"Present But Cannot Be Compiled\"" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: fcgiapp.h: proceeding with the preprocessor's result" >&5
-$as_echo "$as_me: WARNING: fcgiapp.h: proceeding with the preprocessor's result" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: fcgiapp.h: in the future, the compiler will take precedence" >&5
-$as_echo "$as_me: WARNING: fcgiapp.h: in the future, the compiler will take precedence" >&2;}
-
-    ;;
-esac
-{ $as_echo "$as_me:$LINENO: checking for fcgiapp.h" >&5
-$as_echo_n "checking for fcgiapp.h... " >&6; }
-if test "${ac_cv_header_fcgiapp_h+set}" = set; then
-  $as_echo_n "(cached) " >&6
-else
-  ac_cv_header_fcgiapp_h=$ac_header_preproc
-fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_header_fcgiapp_h" >&5
-$as_echo "$ac_cv_header_fcgiapp_h" >&6; }
-
-fi
-if test "x$ac_cv_header_fcgiapp_h" = x""yes; then
-  :
 else
-  { { $as_echo "$as_me:$LINENO: error: FastCGI header file fcgiapp.h not found!" >&5
-$as_echo "$as_me: error: FastCGI header file fcgiapp.h not found!" >&2;}
-   { (exit 1); exit 1; }; }
+  as_fn_error "FastCGI header file fcgiapp.h not found!" "$LINENO" 5
 fi
 
 
 fi
 
 if test x$mysql = xtrue; then
-	{ $as_echo "$as_me:$LINENO: checking for main in -lmysqlclient_r" >&5
-$as_echo_n "checking for main in -lmysqlclient_r... " >&6; }
-if test "${ac_cv_lib_mysqlclient_r_main+set}" = set; then
+	# Extract the first word of "mysql_config", so it can be a program name with args.
+set dummy mysql_config; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if test "${ac_cv_path_MYSQLCONFIG+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
-  ac_check_lib_save_LIBS=$LIBS
-LIBS="-lmysqlclient_r  $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-
-int
-main ()
-{
-return main ();
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
-  ac_cv_lib_mysqlclient_r_main=yes
-else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_cv_lib_mysqlclient_r_main=no
-fi
-
-rm -rf conftest.dSYM
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_mysqlclient_r_main" >&5
-$as_echo "$ac_cv_lib_mysqlclient_r_main" >&6; }
-if test "x$ac_cv_lib_mysqlclient_r_main" = x""yes; then
-  LIBS="$LIBS"
-else
-  { { $as_echo "$as_me:$LINENO: error: MySQL library mysqlclient_r not found" >&5
-$as_echo "$as_me: error: MySQL library mysqlclient_r not found" >&2;}
-   { (exit 1); exit 1; }; }
-fi
-ac_cv_lib_mysqlclient_r=ac_cv_lib_mysqlclient_r_main
+  case $MYSQLCONFIG in
+  [\\/]* | ?:[\\/]*)
+  ac_cv_path_MYSQLCONFIG="$MYSQLCONFIG" # Let the user override the test with a path.
+  ;;
+  *)
+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+as_dummy="$PATH:/bin:/usr/bin:/usr/local/bin"
+for as_dir in $as_dummy
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+    ac_cv_path_MYSQLCONFIG="$as_dir/$ac_word$ac_exec_ext"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
 
-	if test "${ac_cv_header_mysql_mysql_h+set}" = set; then
-  { $as_echo "$as_me:$LINENO: checking for mysql/mysql.h" >&5
-$as_echo_n "checking for mysql/mysql.h... " >&6; }
-if test "${ac_cv_header_mysql_mysql_h+set}" = set; then
-  $as_echo_n "(cached) " >&6
-fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_header_mysql_mysql_h" >&5
-$as_echo "$ac_cv_header_mysql_mysql_h" >&6; }
-else
-  # Is the header compilable?
-{ $as_echo "$as_me:$LINENO: checking mysql/mysql.h usability" >&5
-$as_echo_n "checking mysql/mysql.h usability... " >&6; }
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-$ac_includes_default
-#include <mysql/mysql.h>
-_ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
+  ;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  ac_header_compiler=yes
-else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_header_compiler=no
 fi
-
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-{ $as_echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
-$as_echo "$ac_header_compiler" >&6; }
-
-# Is the header present?
-{ $as_echo "$as_me:$LINENO: checking mysql/mysql.h presence" >&5
-$as_echo_n "checking mysql/mysql.h presence... " >&6; }
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#include <mysql/mysql.h>
-_ACEOF
-if { (ac_try="$ac_cpp conftest.$ac_ext"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } >/dev/null && {
-	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       }; then
-  ac_header_preproc=yes
+MYSQLCONFIG=$ac_cv_path_MYSQLCONFIG
+if test -n "$MYSQLCONFIG"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $MYSQLCONFIG" >&5
+$as_echo "$MYSQLCONFIG" >&6; }
 else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-  ac_header_preproc=no
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
 fi
 
-rm -f conftest.err conftest.$ac_ext
-{ $as_echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
-$as_echo "$ac_header_preproc" >&6; }
-
-# So?  What about this header?
-case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
-  yes:no: )
-    { $as_echo "$as_me:$LINENO: WARNING: mysql/mysql.h: accepted by the compiler, rejected by the preprocessor!" >&5
-$as_echo "$as_me: WARNING: mysql/mysql.h: accepted by the compiler, rejected by the preprocessor!" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: mysql/mysql.h: proceeding with the compiler's result" >&5
-$as_echo "$as_me: WARNING: mysql/mysql.h: proceeding with the compiler's result" >&2;}
-    ac_header_preproc=yes
-    ;;
-  no:yes:* )
-    { $as_echo "$as_me:$LINENO: WARNING: mysql/mysql.h: present but cannot be compiled" >&5
-$as_echo "$as_me: WARNING: mysql/mysql.h: present but cannot be compiled" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: mysql/mysql.h:     check for missing prerequisite headers?" >&5
-$as_echo "$as_me: WARNING: mysql/mysql.h:     check for missing prerequisite headers?" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: mysql/mysql.h: see the Autoconf documentation" >&5
-$as_echo "$as_me: WARNING: mysql/mysql.h: see the Autoconf documentation" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: mysql/mysql.h:     section \"Present But Cannot Be Compiled\"" >&5
-$as_echo "$as_me: WARNING: mysql/mysql.h:     section \"Present But Cannot Be Compiled\"" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: mysql/mysql.h: proceeding with the preprocessor's result" >&5
-$as_echo "$as_me: WARNING: mysql/mysql.h: proceeding with the preprocessor's result" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: mysql/mysql.h: in the future, the compiler will take precedence" >&5
-$as_echo "$as_me: WARNING: mysql/mysql.h: in the future, the compiler will take precedence" >&2;}
 
-    ;;
-esac
-{ $as_echo "$as_me:$LINENO: checking for mysql/mysql.h" >&5
-$as_echo_n "checking for mysql/mysql.h... " >&6; }
-if test "${ac_cv_header_mysql_mysql_h+set}" = set; then
-  $as_echo_n "(cached) " >&6
-else
-  ac_cv_header_mysql_mysql_h=$ac_header_preproc
-fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_header_mysql_mysql_h" >&5
-$as_echo "$ac_cv_header_mysql_mysql_h" >&6; }
-
-fi
-if test "x$ac_cv_header_mysql_mysql_h" = x""yes; then
-  :
-else
-  { { $as_echo "$as_me:$LINENO: error: MySQL header mysql/mysql.h not found!" >&5
-$as_echo "$as_me: error: MySQL header mysql/mysql.h not found!" >&2;}
-   { (exit 1); exit 1; }; }
-fi
+	if test x$MYSQLCONFIG = x; then
+		as_fn_error "mysql_config not found!" "$LINENO" 5
+	fi
+	MYSQLLIB=`$MYSQLCONFIG --libs_r`
 
+	MYSQLCFLAG=`$MYSQLCONFIG --cflags`
 
 fi
 
 if test x$sqlite = xtrue; then
-	{ $as_echo "$as_me:$LINENO: checking for main in -lsqlite3" >&5
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lsqlite3" >&5
 $as_echo_n "checking for main in -lsqlite3... " >&6; }
-if test "${ac_cv_lib_sqlite3_main+set}" = set; then
+if test "${ac_cv_lib_sqlite3_main+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
 LIBS="-lsqlite3  $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
 
@@ -17417,194 +14899,35 @@ return main ();
   return 0;
 }
 _ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+if ac_fn_c_try_link "$LINENO"; then :
   ac_cv_lib_sqlite3_main=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_cv_lib_sqlite3_main=no
+  ac_cv_lib_sqlite3_main=no
 fi
-
-rm -rf conftest.dSYM
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_sqlite3_main" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_sqlite3_main" >&5
 $as_echo "$ac_cv_lib_sqlite3_main" >&6; }
-if test "x$ac_cv_lib_sqlite3_main" = x""yes; then
+if test "x$ac_cv_lib_sqlite3_main" = x""yes; then :
   LIBS="$LIBS"
 else
-  { { $as_echo "$as_me:$LINENO: error: SQLite library sqlite3 not found" >&5
-$as_echo "$as_me: error: SQLite library sqlite3 not found" >&2;}
-   { (exit 1); exit 1; }; }
+  as_fn_error "SQLite library sqlite3 not found" "$LINENO" 5
 fi
 ac_cv_lib_sqlite3=ac_cv_lib_sqlite3_main
 
-	if test "${ac_cv_header_sqlite3_h+set}" = set; then
-  { $as_echo "$as_me:$LINENO: checking for sqlite3.h" >&5
-$as_echo_n "checking for sqlite3.h... " >&6; }
-if test "${ac_cv_header_sqlite3_h+set}" = set; then
-  $as_echo_n "(cached) " >&6
-fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_header_sqlite3_h" >&5
-$as_echo "$ac_cv_header_sqlite3_h" >&6; }
-else
-  # Is the header compilable?
-{ $as_echo "$as_me:$LINENO: checking sqlite3.h usability" >&5
-$as_echo_n "checking sqlite3.h usability... " >&6; }
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-$ac_includes_default
-#include <sqlite3.h>
-_ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  ac_header_compiler=yes
-else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_header_compiler=no
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-{ $as_echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
-$as_echo "$ac_header_compiler" >&6; }
+	ac_fn_c_check_header_mongrel "$LINENO" "sqlite3.h" "ac_cv_header_sqlite3_h" "$ac_includes_default"
+if test "x$ac_cv_header_sqlite3_h" = x""yes; then :
 
-# Is the header present?
-{ $as_echo "$as_me:$LINENO: checking sqlite3.h presence" >&5
-$as_echo_n "checking sqlite3.h presence... " >&6; }
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#include <sqlite3.h>
-_ACEOF
-if { (ac_try="$ac_cpp conftest.$ac_ext"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } >/dev/null && {
-	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       }; then
-  ac_header_preproc=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-  ac_header_preproc=no
+  as_fn_error "SQLite header sqlite3.h not found!" "$LINENO" 5
 fi
 
-rm -f conftest.err conftest.$ac_ext
-{ $as_echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
-$as_echo "$ac_header_preproc" >&6; }
 
-# So?  What about this header?
-case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
-  yes:no: )
-    { $as_echo "$as_me:$LINENO: WARNING: sqlite3.h: accepted by the compiler, rejected by the preprocessor!" >&5
-$as_echo "$as_me: WARNING: sqlite3.h: accepted by the compiler, rejected by the preprocessor!" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: sqlite3.h: proceeding with the compiler's result" >&5
-$as_echo "$as_me: WARNING: sqlite3.h: proceeding with the compiler's result" >&2;}
-    ac_header_preproc=yes
-    ;;
-  no:yes:* )
-    { $as_echo "$as_me:$LINENO: WARNING: sqlite3.h: present but cannot be compiled" >&5
-$as_echo "$as_me: WARNING: sqlite3.h: present but cannot be compiled" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: sqlite3.h:     check for missing prerequisite headers?" >&5
-$as_echo "$as_me: WARNING: sqlite3.h:     check for missing prerequisite headers?" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: sqlite3.h: see the Autoconf documentation" >&5
-$as_echo "$as_me: WARNING: sqlite3.h: see the Autoconf documentation" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: sqlite3.h:     section \"Present But Cannot Be Compiled\"" >&5
-$as_echo "$as_me: WARNING: sqlite3.h:     section \"Present But Cannot Be Compiled\"" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: sqlite3.h: proceeding with the preprocessor's result" >&5
-$as_echo "$as_me: WARNING: sqlite3.h: proceeding with the preprocessor's result" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: sqlite3.h: in the future, the compiler will take precedence" >&5
-$as_echo "$as_me: WARNING: sqlite3.h: in the future, the compiler will take precedence" >&2;}
-
-    ;;
-esac
-{ $as_echo "$as_me:$LINENO: checking for sqlite3.h" >&5
-$as_echo_n "checking for sqlite3.h... " >&6; }
-if test "${ac_cv_header_sqlite3_h+set}" = set; then
-  $as_echo_n "(cached) " >&6
-else
-  ac_cv_header_sqlite3_h=$ac_header_preproc
-fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_header_sqlite3_h" >&5
-$as_echo "$ac_cv_header_sqlite3_h" >&6; }
-
-fi
-if test "x$ac_cv_header_sqlite3_h" = x""yes; then
-  :
-else
-  { { $as_echo "$as_me:$LINENO: error: SQLite header sqlite3.h not found!" >&5
-$as_echo "$as_me: error: SQLite header sqlite3.h not found!" >&2;}
-   { (exit 1); exit 1; }; }
-fi
-
-
-	{ $as_echo "$as_me:$LINENO: checking sqlite3_prepare_v2" >&5
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking sqlite3_prepare_v2" >&5
 $as_echo_n "checking sqlite3_prepare_v2... " >&6; }
-	cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
+	cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 #include <sqlite3.h>
 int
@@ -17617,45 +14940,20 @@ main ()
   return 0;
 }
 _ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  { $as_echo "$as_me:$LINENO: result: yes" >&5
+if ac_fn_c_try_compile "$LINENO"; then :
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
 $as_echo "yes" >&6; }; cat >>confdefs.h <<_ACEOF
 #define HAVE_SQLITE3_PREPARE_V2 1
 _ACEOF
 
 else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	{ $as_echo "$as_me:$LINENO: result: no" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; }
 fi
-
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-	{ $as_echo "$as_me:$LINENO: checking sqlite3.h version >= 3.3.1" >&5
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking sqlite3.h version >= 3.3.1" >&5
 $as_echo_n "checking sqlite3.h version >= 3.3.1... " >&6; }
-	cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
+	cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 #include <sqlite3.h>
 int
@@ -17670,52 +14968,25 @@ main ()
   return 0;
 }
 _ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  { $as_echo "$as_me:$LINENO: result: yes" >&5
+if ac_fn_c_try_compile "$LINENO"; then :
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
 $as_echo "yes" >&6; }
 else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	{ $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }; { { $as_echo "$as_me:$LINENO: error: SQLite version >= 3.3.1 required!" >&5
-$as_echo "$as_me: error: SQLite version >= 3.3.1 required!" >&2;}
-   { (exit 1); exit 1; }; }
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }; as_fn_error "SQLite version >= 3.3.1 required!" "$LINENO" 5
 fi
-
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
 
 if test x$openssl = xtrue; then
-	{ $as_echo "$as_me:$LINENO: checking for main in -lcrypto" >&5
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lcrypto" >&5
 $as_echo_n "checking for main in -lcrypto... " >&6; }
-if test "${ac_cv_lib_crypto_main+set}" = set; then
+if test "${ac_cv_lib_crypto_main+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
 LIBS="-lcrypto  $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
 
@@ -17727,334 +14998,83 @@ return main ();
   return 0;
 }
 _ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+if ac_fn_c_try_link "$LINENO"; then :
   ac_cv_lib_crypto_main=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_cv_lib_crypto_main=no
+  ac_cv_lib_crypto_main=no
 fi
-
-rm -rf conftest.dSYM
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_crypto_main" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_crypto_main" >&5
 $as_echo "$ac_cv_lib_crypto_main" >&6; }
-if test "x$ac_cv_lib_crypto_main" = x""yes; then
+if test "x$ac_cv_lib_crypto_main" = x""yes; then :
   LIBS="$LIBS"
 else
-  { { $as_echo "$as_me:$LINENO: error: OpenSSL crypto library not found" >&5
-$as_echo "$as_me: error: OpenSSL crypto library not found" >&2;}
-   { (exit 1); exit 1; }; }
+  as_fn_error "OpenSSL crypto library not found" "$LINENO" 5
 fi
 ac_cv_lib_crypto=ac_cv_lib_crypto_main
 
-	if test "${ac_cv_header_openssl_evp_h+set}" = set; then
-  { $as_echo "$as_me:$LINENO: checking for openssl/evp.h" >&5
-$as_echo_n "checking for openssl/evp.h... " >&6; }
-if test "${ac_cv_header_openssl_evp_h+set}" = set; then
-  $as_echo_n "(cached) " >&6
-fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_header_openssl_evp_h" >&5
-$as_echo "$ac_cv_header_openssl_evp_h" >&6; }
-else
-  # Is the header compilable?
-{ $as_echo "$as_me:$LINENO: checking openssl/evp.h usability" >&5
-$as_echo_n "checking openssl/evp.h usability... " >&6; }
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-$ac_includes_default
-#include <openssl/evp.h>
-_ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  ac_header_compiler=yes
-else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_header_compiler=no
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-{ $as_echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
-$as_echo "$ac_header_compiler" >&6; }
+	ac_fn_c_check_header_mongrel "$LINENO" "openssl/evp.h" "ac_cv_header_openssl_evp_h" "$ac_includes_default"
+if test "x$ac_cv_header_openssl_evp_h" = x""yes; then :
 
-# Is the header present?
-{ $as_echo "$as_me:$LINENO: checking openssl/evp.h presence" >&5
-$as_echo_n "checking openssl/evp.h presence... " >&6; }
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#include <openssl/evp.h>
-_ACEOF
-if { (ac_try="$ac_cpp conftest.$ac_ext"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } >/dev/null && {
-	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       }; then
-  ac_header_preproc=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-  ac_header_preproc=no
+  as_fn_error "OpenSSL header openssl/evp.h not found!" "$LINENO" 5
 fi
 
-rm -f conftest.err conftest.$ac_ext
-{ $as_echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
-$as_echo "$ac_header_preproc" >&6; }
 
-# So?  What about this header?
-case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
-  yes:no: )
-    { $as_echo "$as_me:$LINENO: WARNING: openssl/evp.h: accepted by the compiler, rejected by the preprocessor!" >&5
-$as_echo "$as_me: WARNING: openssl/evp.h: accepted by the compiler, rejected by the preprocessor!" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: openssl/evp.h: proceeding with the compiler's result" >&5
-$as_echo "$as_me: WARNING: openssl/evp.h: proceeding with the compiler's result" >&2;}
-    ac_header_preproc=yes
-    ;;
-  no:yes:* )
-    { $as_echo "$as_me:$LINENO: WARNING: openssl/evp.h: present but cannot be compiled" >&5
-$as_echo "$as_me: WARNING: openssl/evp.h: present but cannot be compiled" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: openssl/evp.h:     check for missing prerequisite headers?" >&5
-$as_echo "$as_me: WARNING: openssl/evp.h:     check for missing prerequisite headers?" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: openssl/evp.h: see the Autoconf documentation" >&5
-$as_echo "$as_me: WARNING: openssl/evp.h: see the Autoconf documentation" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: openssl/evp.h:     section \"Present But Cannot Be Compiled\"" >&5
-$as_echo "$as_me: WARNING: openssl/evp.h:     section \"Present But Cannot Be Compiled\"" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: openssl/evp.h: proceeding with the preprocessor's result" >&5
-$as_echo "$as_me: WARNING: openssl/evp.h: proceeding with the preprocessor's result" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: openssl/evp.h: in the future, the compiler will take precedence" >&5
-$as_echo "$as_me: WARNING: openssl/evp.h: in the future, the compiler will take precedence" >&2;}
+fi
 
-    ;;
-esac
-{ $as_echo "$as_me:$LINENO: checking for openssl/evp.h" >&5
-$as_echo_n "checking for openssl/evp.h... " >&6; }
-if test "${ac_cv_header_openssl_evp_h+set}" = set; then
+if test x$gcrypt = xtrue; then
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lgcrypt" >&5
+$as_echo_n "checking for main in -lgcrypt... " >&6; }
+if test "${ac_cv_lib_gcrypt_main+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
-  ac_cv_header_openssl_evp_h=$ac_header_preproc
-fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_header_openssl_evp_h" >&5
-$as_echo "$ac_cv_header_openssl_evp_h" >&6; }
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lgcrypt  $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
 
-fi
-if test "x$ac_cv_header_openssl_evp_h" = x""yes; then
-  :
+
+int
+main ()
+{
+return main ();
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  ac_cv_lib_gcrypt_main=yes
 else
-  { { $as_echo "$as_me:$LINENO: error: OpenSSL header openssl/evp.h not found!" >&5
-$as_echo "$as_me: error: OpenSSL header openssl/evp.h not found!" >&2;}
-   { (exit 1); exit 1; }; }
+  ac_cv_lib_gcrypt_main=no
 fi
-
-
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
 fi
-
-if test x$gcrypt = xtrue; then
-
-# Check whether --with-libgcrypt-prefix was given.
-if test "${with_libgcrypt_prefix+set}" = set; then
-  withval=$with_libgcrypt_prefix; libgcrypt_config_prefix="$withval"
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_gcrypt_main" >&5
+$as_echo "$ac_cv_lib_gcrypt_main" >&6; }
+if test "x$ac_cv_lib_gcrypt_main" = x""yes; then :
+  LIBS="$LIBS"
 else
-  libgcrypt_config_prefix=""
+  as_fn_error "gcrypt library not found" "$LINENO" 5
 fi
+ac_cv_lib_gcrypt=ac_cv_lib_gcrypt_main
 
-  if test x$libgcrypt_config_prefix != x ; then
-     if test x${LIBGCRYPT_CONFIG+set} != xset ; then
-        LIBGCRYPT_CONFIG=$libgcrypt_config_prefix/bin/libgcrypt-config
-     fi
-  fi
-
-  # Extract the first word of "libgcrypt-config", so it can be a program name with args.
-set dummy libgcrypt-config; ac_word=$2
-{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
-$as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_path_LIBGCRYPT_CONFIG+set}" = set; then
-  $as_echo_n "(cached) " >&6
-else
-  case $LIBGCRYPT_CONFIG in
-  [\\/]* | ?:[\\/]*)
-  ac_cv_path_LIBGCRYPT_CONFIG="$LIBGCRYPT_CONFIG" # Let the user override the test with a path.
-  ;;
-  *)
-  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-    ac_cv_path_LIBGCRYPT_CONFIG="$as_dir/$ac_word$ac_exec_ext"
-    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
-    break 2
-  fi
-done
-done
-IFS=$as_save_IFS
+	ac_fn_c_check_header_mongrel "$LINENO" "gcrypt.h" "ac_cv_header_gcrypt_h" "$ac_includes_default"
+if test "x$ac_cv_header_gcrypt_h" = x""yes; then :
 
-  test -z "$ac_cv_path_LIBGCRYPT_CONFIG" && ac_cv_path_LIBGCRYPT_CONFIG="no"
-  ;;
-esac
-fi
-LIBGCRYPT_CONFIG=$ac_cv_path_LIBGCRYPT_CONFIG
-if test -n "$LIBGCRYPT_CONFIG"; then
-  { $as_echo "$as_me:$LINENO: result: $LIBGCRYPT_CONFIG" >&5
-$as_echo "$LIBGCRYPT_CONFIG" >&6; }
 else
-  { $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
+  as_fn_error "gcrypt header gcrypt.h not found!" "$LINENO" 5
 fi
 
 
-  tmp=1:1.2.0
-  if echo "$tmp" | grep ':' >/dev/null 2>/dev/null ; then
-     req_libgcrypt_api=`echo "$tmp"     | sed 's/\(.*\):\(.*\)/\1/'`
-     min_libgcrypt_version=`echo "$tmp" | sed 's/\(.*\):\(.*\)/\2/'`
-  else
-     req_libgcrypt_api=0
-     min_libgcrypt_version="$tmp"
-  fi
-
-  { $as_echo "$as_me:$LINENO: checking for LIBGCRYPT - version >= $min_libgcrypt_version" >&5
-$as_echo_n "checking for LIBGCRYPT - version >= $min_libgcrypt_version... " >&6; }
-  ok=no
-  if test "$LIBGCRYPT_CONFIG" != "no" ; then
-    req_major=`echo $min_libgcrypt_version | \
-               sed 's/\([0-9]*\)\.\([0-9]*\)\.\([0-9]*\)/\1/'`
-    req_minor=`echo $min_libgcrypt_version | \
-               sed 's/\([0-9]*\)\.\([0-9]*\)\.\([0-9]*\)/\2/'`
-    req_micro=`echo $min_libgcrypt_version | \
-               sed 's/\([0-9]*\)\.\([0-9]*\)\.\([0-9]*\)/\3/'`
-    libgcrypt_config_version=`$LIBGCRYPT_CONFIG --version`
-    major=`echo $libgcrypt_config_version | \
-               sed 's/\([0-9]*\)\.\([0-9]*\)\.\([0-9]*\).*/\1/'`
-    minor=`echo $libgcrypt_config_version | \
-               sed 's/\([0-9]*\)\.\([0-9]*\)\.\([0-9]*\).*/\2/'`
-    micro=`echo $libgcrypt_config_version | \
-               sed 's/\([0-9]*\)\.\([0-9]*\)\.\([0-9]*\).*/\3/'`
-    if test "$major" -gt "$req_major"; then
-        ok=yes
-    else
-        if test "$major" -eq "$req_major"; then
-            if test "$minor" -gt "$req_minor"; then
-               ok=yes
-            else
-               if test "$minor" -eq "$req_minor"; then
-                   if test "$micro" -ge "$req_micro"; then
-                     ok=yes
-                   fi
-               fi
-            fi
-        fi
-    fi
-  fi
-  if test $ok = yes; then
-    { $as_echo "$as_me:$LINENO: result: yes ($libgcrypt_config_version)" >&5
-$as_echo "yes ($libgcrypt_config_version)" >&6; }
-  else
-    { $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
-  fi
-  if test $ok = yes; then
-     # If we have a recent libgcrypt, we should also check that the
-     # API is compatible
-     if test "$req_libgcrypt_api" -gt 0 ; then
-        tmp=`$LIBGCRYPT_CONFIG --api-version 2>/dev/null || echo 0`
-        if test "$tmp" -gt 0 ; then
-           { $as_echo "$as_me:$LINENO: checking LIBGCRYPT API version" >&5
-$as_echo_n "checking LIBGCRYPT API version... " >&6; }
-           if test "$req_libgcrypt_api" -eq "$tmp" ; then
-             { $as_echo "$as_me:$LINENO: result: okay" >&5
-$as_echo "okay" >&6; }
-           else
-             ok=no
-             { $as_echo "$as_me:$LINENO: result: does not match. want=$req_libgcrypt_api got=$tmp" >&5
-$as_echo "does not match. want=$req_libgcrypt_api got=$tmp" >&6; }
-           fi
-        fi
-     fi
-  fi
-  if test $ok = yes; then
-    LIBGCRYPT_CFLAGS=`$LIBGCRYPT_CONFIG --cflags`
-    LIBGCRYPT_LIBS=`$LIBGCRYPT_CONFIG --libs`
-    :
-  else
-    LIBGCRYPT_CFLAGS=""
-    LIBGCRYPT_LIBS=""
-    { { $as_echo "$as_me:$LINENO: error: libgcrypt not found!" >&5
-$as_echo "$as_me: error: libgcrypt not found!" >&2;}
-   { (exit 1); exit 1; }; }
-  fi
-
-
-
-	{ $as_echo "$as_me:$LINENO: checking gcrypt CAMELLIA cipher" >&5
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking gcrypt CAMELLIA cipher" >&5
 $as_echo_n "checking gcrypt CAMELLIA cipher... " >&6; }
-	cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
+	cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 #include <gcrypt.h>
 int
@@ -18065,54 +15085,27 @@ enum gcry_cipher_algos alg = GCRY_CIPHER_CAMELLIA128;
   return 0;
 }
 _ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  { $as_echo "$as_me:$LINENO: result: yes" >&5
-$as_echo "yes" >&6; }; cat >>confdefs.h <<\_ACEOF
-#define HAVE_GCRY_CIPHER_CAMELLIA 1
-_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }; $as_echo "#define HAVE_GCRY_CIPHER_CAMELLIA 1" >>confdefs.h
 
 else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	{ $as_echo "$as_me:$LINENO: result: no" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; }
 
 fi
-
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
 
 if test x$uci = xtrue; then
-	{ $as_echo "$as_me:$LINENO: checking for main in -luci" >&5
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -luci" >&5
 $as_echo_n "checking for main in -luci... " >&6; }
-if test "${ac_cv_lib_uci_main+set}" = set; then
+if test "${ac_cv_lib_uci_main+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
 LIBS="-luci  $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
 
@@ -18124,193 +15117,135 @@ return main ();
   return 0;
 }
 _ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+if ac_fn_c_try_link "$LINENO"; then :
   ac_cv_lib_uci_main=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_cv_lib_uci_main=no
+  ac_cv_lib_uci_main=no
 fi
-
-rm -rf conftest.dSYM
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_uci_main" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_uci_main" >&5
 $as_echo "$ac_cv_lib_uci_main" >&6; }
-if test "x$ac_cv_lib_uci_main" = x""yes; then
+if test "x$ac_cv_lib_uci_main" = x""yes; then :
   LIBS="$LIBS"
 else
-  { { $as_echo "$as_me:$LINENO: error: UCI library libuci not found" >&5
-$as_echo "$as_me: error: UCI library libuci not found" >&2;}
-   { (exit 1); exit 1; }; }
+  as_fn_error "UCI library libuci not found" "$LINENO" 5
 fi
 ac_cv_lib_uci=ac_cv_lib_uci_main
 
-	if test "${ac_cv_header_uci_h+set}" = set; then
-  { $as_echo "$as_me:$LINENO: checking for uci.h" >&5
-$as_echo_n "checking for uci.h... " >&6; }
-if test "${ac_cv_header_uci_h+set}" = set; then
-  $as_echo_n "(cached) " >&6
-fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_header_uci_h" >&5
-$as_echo "$ac_cv_header_uci_h" >&6; }
-else
-  # Is the header compilable?
-{ $as_echo "$as_me:$LINENO: checking uci.h usability" >&5
-$as_echo_n "checking uci.h usability... " >&6; }
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-$ac_includes_default
-#include <uci.h>
-_ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  ac_header_compiler=yes
+	ac_fn_c_check_header_mongrel "$LINENO" "uci.h" "ac_cv_header_uci_h" "$ac_includes_default"
+if test "x$ac_cv_header_uci_h" = x""yes; then :
+
 else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+  as_fn_error "UCI header uci.h not found!" "$LINENO" 5
+fi
+
 
-	ac_header_compiler=no
 fi
 
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-{ $as_echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
-$as_echo "$ac_header_compiler" >&6; }
+if test x$nm = xtrue; then
+	if test -n "$PKG_CONFIG" && \
+    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libnm-glib\""; } >&5
+  ($PKG_CONFIG --exists --print-errors "libnm-glib") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; then
 
-# Is the header present?
-{ $as_echo "$as_me:$LINENO: checking uci.h presence" >&5
-$as_echo_n "checking uci.h presence... " >&6; }
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#include <uci.h>
-_ACEOF
-if { (ac_try="$ac_cpp conftest.$ac_ext"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
+pkg_failed=no
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for nm" >&5
+$as_echo_n "checking for nm... " >&6; }
+
+if test -n "$PKG_CONFIG"; then
+    if test -n "$nm_CFLAGS"; then
+        pkg_cv_nm_CFLAGS="$nm_CFLAGS"
+    else
+        if test -n "$PKG_CONFIG" && \
+    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"NetworkManager gthread-2.0 libnm-glib libnm-glib-vpn\""; } >&5
+  ($PKG_CONFIG --exists --print-errors "NetworkManager gthread-2.0 libnm-glib libnm-glib-vpn") 2>&5
   ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } >/dev/null && {
-	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       }; then
-  ac_header_preproc=yes
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; then
+  pkg_cv_nm_CFLAGS=`$PKG_CONFIG --cflags "NetworkManager gthread-2.0 libnm-glib libnm-glib-vpn" 2>/dev/null`
 else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-  ac_header_preproc=no
+  pkg_failed=yes
+fi
+    fi
+else
+	pkg_failed=untried
+fi
+if test -n "$PKG_CONFIG"; then
+    if test -n "$nm_LIBS"; then
+        pkg_cv_nm_LIBS="$nm_LIBS"
+    else
+        if test -n "$PKG_CONFIG" && \
+    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"NetworkManager gthread-2.0 libnm-glib libnm-glib-vpn\""; } >&5
+  ($PKG_CONFIG --exists --print-errors "NetworkManager gthread-2.0 libnm-glib libnm-glib-vpn") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; then
+  pkg_cv_nm_LIBS=`$PKG_CONFIG --libs "NetworkManager gthread-2.0 libnm-glib libnm-glib-vpn" 2>/dev/null`
+else
+  pkg_failed=yes
+fi
+    fi
+else
+	pkg_failed=untried
 fi
 
-rm -f conftest.err conftest.$ac_ext
-{ $as_echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
-$as_echo "$ac_header_preproc" >&6; }
 
-# So?  What about this header?
-case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
-  yes:no: )
-    { $as_echo "$as_me:$LINENO: WARNING: uci.h: accepted by the compiler, rejected by the preprocessor!" >&5
-$as_echo "$as_me: WARNING: uci.h: accepted by the compiler, rejected by the preprocessor!" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: uci.h: proceeding with the compiler's result" >&5
-$as_echo "$as_me: WARNING: uci.h: proceeding with the compiler's result" >&2;}
-    ac_header_preproc=yes
-    ;;
-  no:yes:* )
-    { $as_echo "$as_me:$LINENO: WARNING: uci.h: present but cannot be compiled" >&5
-$as_echo "$as_me: WARNING: uci.h: present but cannot be compiled" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: uci.h:     check for missing prerequisite headers?" >&5
-$as_echo "$as_me: WARNING: uci.h:     check for missing prerequisite headers?" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: uci.h: see the Autoconf documentation" >&5
-$as_echo "$as_me: WARNING: uci.h: see the Autoconf documentation" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: uci.h:     section \"Present But Cannot Be Compiled\"" >&5
-$as_echo "$as_me: WARNING: uci.h:     section \"Present But Cannot Be Compiled\"" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: uci.h: proceeding with the preprocessor's result" >&5
-$as_echo "$as_me: WARNING: uci.h: proceeding with the preprocessor's result" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: uci.h: in the future, the compiler will take precedence" >&5
-$as_echo "$as_me: WARNING: uci.h: in the future, the compiler will take precedence" >&2;}
 
-    ;;
-esac
-{ $as_echo "$as_me:$LINENO: checking for uci.h" >&5
-$as_echo_n "checking for uci.h... " >&6; }
-if test "${ac_cv_header_uci_h+set}" = set; then
-  $as_echo_n "(cached) " >&6
+if test $pkg_failed = yes; then
+
+if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
+        _pkg_short_errors_supported=yes
 else
-  ac_cv_header_uci_h=$ac_header_preproc
+        _pkg_short_errors_supported=no
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_header_uci_h" >&5
-$as_echo "$ac_cv_header_uci_h" >&6; }
+        if test $_pkg_short_errors_supported = yes; then
+	        nm_PKG_ERRORS=`$PKG_CONFIG --short-errors --errors-to-stdout --print-errors "NetworkManager gthread-2.0 libnm-glib libnm-glib-vpn"`
+        else
+	        nm_PKG_ERRORS=`$PKG_CONFIG --errors-to-stdout --print-errors "NetworkManager gthread-2.0 libnm-glib libnm-glib-vpn"`
+        fi
+	# Put the nasty error message in config.log where it belongs
+	echo "$nm_PKG_ERRORS" >&5
 
-fi
-if test "x$ac_cv_header_uci_h" = x""yes; then
-  :
-else
-  { { $as_echo "$as_me:$LINENO: error: UCI header uci.h not found!" >&5
-$as_echo "$as_me: error: UCI header uci.h not found!" >&2;}
-   { (exit 1); exit 1; }; }
-fi
+	as_fn_error "Package requirements (NetworkManager gthread-2.0 libnm-glib libnm-glib-vpn) were not met:
 
+$nm_PKG_ERRORS
 
-fi
+Consider adjusting the PKG_CONFIG_PATH environment variable if you
+installed software in a non-standard prefix.
 
-if test x$nm = xtrue; then
+Alternatively, you may set the environment variables nm_CFLAGS
+and nm_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details.
+" "$LINENO" 5
+elif test $pkg_failed = untried; then
+	{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error "The pkg-config script could not be found or is too old.  Make sure it
+is in your PATH or set the PKG_CONFIG environment variable to the full
+path to pkg-config.
+
+Alternatively, you may set the environment variables nm_CFLAGS
+and nm_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details.
+
+To get pkg-config, see <http://pkg-config.freedesktop.org/>.
+See \`config.log' for more details." "$LINENO" 5; }
+else
+	nm_CFLAGS=$pkg_cv_nm_CFLAGS
+	nm_LIBS=$pkg_cv_nm_LIBS
+        { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+	:
+fi
+else
 
 pkg_failed=no
-{ $as_echo "$as_me:$LINENO: checking for nm" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for nm" >&5
 $as_echo_n "checking for nm... " >&6; }
 
 if test -n "$PKG_CONFIG"; then
@@ -18318,12 +15253,12 @@ if test -n "$PKG_CONFIG"; then
         pkg_cv_nm_CFLAGS="$nm_CFLAGS"
     else
         if test -n "$PKG_CONFIG" && \
-    { ($as_echo "$as_me:$LINENO: \$PKG_CONFIG --exists --print-errors \"NetworkManager libnm_glib_vpn gthread-2.0\"") >&5
-  ($PKG_CONFIG --exists --print-errors "NetworkManager libnm_glib_vpn gthread-2.0") 2>&5
+    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"NetworkManager gthread-2.0 libnm_glib libnm_glib_vpn\""; } >&5
+  ($PKG_CONFIG --exists --print-errors "NetworkManager gthread-2.0 libnm_glib libnm_glib_vpn") 2>&5
   ac_status=$?
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; then
-  pkg_cv_nm_CFLAGS=`$PKG_CONFIG --cflags "NetworkManager libnm_glib_vpn gthread-2.0" 2>/dev/null`
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; then
+  pkg_cv_nm_CFLAGS=`$PKG_CONFIG --cflags "NetworkManager gthread-2.0 libnm_glib libnm_glib_vpn" 2>/dev/null`
 else
   pkg_failed=yes
 fi
@@ -18336,12 +15271,12 @@ if test -n "$PKG_CONFIG"; then
         pkg_cv_nm_LIBS="$nm_LIBS"
     else
         if test -n "$PKG_CONFIG" && \
-    { ($as_echo "$as_me:$LINENO: \$PKG_CONFIG --exists --print-errors \"NetworkManager libnm_glib_vpn gthread-2.0\"") >&5
-  ($PKG_CONFIG --exists --print-errors "NetworkManager libnm_glib_vpn gthread-2.0") 2>&5
+    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"NetworkManager gthread-2.0 libnm_glib libnm_glib_vpn\""; } >&5
+  ($PKG_CONFIG --exists --print-errors "NetworkManager gthread-2.0 libnm_glib libnm_glib_vpn") 2>&5
   ac_status=$?
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; then
-  pkg_cv_nm_LIBS=`$PKG_CONFIG --libs "NetworkManager libnm_glib_vpn gthread-2.0" 2>/dev/null`
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; then
+  pkg_cv_nm_LIBS=`$PKG_CONFIG --libs "NetworkManager gthread-2.0 libnm_glib libnm_glib_vpn" 2>/dev/null`
 else
   pkg_failed=yes
 fi
@@ -18360,25 +15295,14 @@ else
         _pkg_short_errors_supported=no
 fi
         if test $_pkg_short_errors_supported = yes; then
-	        nm_PKG_ERRORS=`$PKG_CONFIG --short-errors --errors-to-stdout --print-errors "NetworkManager libnm_glib_vpn gthread-2.0"`
+	        nm_PKG_ERRORS=`$PKG_CONFIG --short-errors --errors-to-stdout --print-errors "NetworkManager gthread-2.0 libnm_glib libnm_glib_vpn"`
         else
-	        nm_PKG_ERRORS=`$PKG_CONFIG --errors-to-stdout --print-errors "NetworkManager libnm_glib_vpn gthread-2.0"`
+	        nm_PKG_ERRORS=`$PKG_CONFIG --errors-to-stdout --print-errors "NetworkManager gthread-2.0 libnm_glib libnm_glib_vpn"`
         fi
 	# Put the nasty error message in config.log where it belongs
 	echo "$nm_PKG_ERRORS" >&5
 
-	{ { $as_echo "$as_me:$LINENO: error: Package requirements (NetworkManager libnm_glib_vpn gthread-2.0) were not met:
-
-$nm_PKG_ERRORS
-
-Consider adjusting the PKG_CONFIG_PATH environment variable if you
-installed software in a non-standard prefix.
-
-Alternatively, you may set the environment variables nm_CFLAGS
-and nm_LIBS to avoid the need to call pkg-config.
-See the pkg-config man page for more details.
-" >&5
-$as_echo "$as_me: error: Package requirements (NetworkManager libnm_glib_vpn gthread-2.0) were not met:
+	as_fn_error "Package requirements (NetworkManager gthread-2.0 libnm_glib libnm_glib_vpn) were not met:
 
 $nm_PKG_ERRORS
 
@@ -18388,22 +15312,11 @@ installed software in a non-standard prefix.
 Alternatively, you may set the environment variables nm_CFLAGS
 and nm_LIBS to avoid the need to call pkg-config.
 See the pkg-config man page for more details.
-" >&2;}
-   { (exit 1); exit 1; }; }
+" "$LINENO" 5
 elif test $pkg_failed = untried; then
-	{ { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5
+	{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
-{ { $as_echo "$as_me:$LINENO: error: The pkg-config script could not be found or is too old.  Make sure it
-is in your PATH or set the PKG_CONFIG environment variable to the full
-path to pkg-config.
-
-Alternatively, you may set the environment variables nm_CFLAGS
-and nm_LIBS to avoid the need to call pkg-config.
-See the pkg-config man page for more details.
-
-To get pkg-config, see <http://pkg-config.freedesktop.org/>.
-See \`config.log' for more details." >&5
-$as_echo "$as_me: error: The pkg-config script could not be found or is too old.  Make sure it
+as_fn_error "The pkg-config script could not be found or is too old.  Make sure it
 is in your PATH or set the PKG_CONFIG environment variable to the full
 path to pkg-config.
 
@@ -18412,32 +15325,29 @@ and nm_LIBS to avoid the need to call pkg-config.
 See the pkg-config man page for more details.
 
 To get pkg-config, see <http://pkg-config.freedesktop.org/>.
-See \`config.log' for more details." >&2;}
-   { (exit 1); exit 1; }; }; }
+See \`config.log' for more details." "$LINENO" 5; }
 else
 	nm_CFLAGS=$pkg_cv_nm_CFLAGS
 	nm_LIBS=$pkg_cv_nm_LIBS
-        { $as_echo "$as_me:$LINENO: result: yes" >&5
+        { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
 $as_echo "yes" >&6; }
 	:
 fi
 
+fi
+
 
 fi
 
 if test x$eap_gtc = xtrue; then
-	{ $as_echo "$as_me:$LINENO: checking for main in -lpam" >&5
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lpam" >&5
 $as_echo_n "checking for main in -lpam... " >&6; }
-if test "${ac_cv_lib_pam_main+set}" = set; then
+if test "${ac_cv_lib_pam_main+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
 LIBS="-lpam  $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
 
@@ -18449,202 +15359,43 @@ return main ();
   return 0;
 }
 _ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+if ac_fn_c_try_link "$LINENO"; then :
   ac_cv_lib_pam_main=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_cv_lib_pam_main=no
+  ac_cv_lib_pam_main=no
 fi
-
-rm -rf conftest.dSYM
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_pam_main" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_pam_main" >&5
 $as_echo "$ac_cv_lib_pam_main" >&6; }
-if test "x$ac_cv_lib_pam_main" = x""yes; then
+if test "x$ac_cv_lib_pam_main" = x""yes; then :
   LIBS="$LIBS"
 else
-  { { $as_echo "$as_me:$LINENO: error: PAM library not found" >&5
-$as_echo "$as_me: error: PAM library not found" >&2;}
-   { (exit 1); exit 1; }; }
+  as_fn_error "PAM library not found" "$LINENO" 5
 fi
 ac_cv_lib_pam=ac_cv_lib_pam_main
 
-	if test "${ac_cv_header_security_pam_appl_h+set}" = set; then
-  { $as_echo "$as_me:$LINENO: checking for security/pam_appl.h" >&5
-$as_echo_n "checking for security/pam_appl.h... " >&6; }
-if test "${ac_cv_header_security_pam_appl_h+set}" = set; then
-  $as_echo_n "(cached) " >&6
-fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_header_security_pam_appl_h" >&5
-$as_echo "$ac_cv_header_security_pam_appl_h" >&6; }
-else
-  # Is the header compilable?
-{ $as_echo "$as_me:$LINENO: checking security/pam_appl.h usability" >&5
-$as_echo_n "checking security/pam_appl.h usability... " >&6; }
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-$ac_includes_default
-#include <security/pam_appl.h>
-_ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  ac_header_compiler=yes
-else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_header_compiler=no
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-{ $as_echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
-$as_echo "$ac_header_compiler" >&6; }
-
-# Is the header present?
-{ $as_echo "$as_me:$LINENO: checking security/pam_appl.h presence" >&5
-$as_echo_n "checking security/pam_appl.h presence... " >&6; }
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#include <security/pam_appl.h>
-_ACEOF
-if { (ac_try="$ac_cpp conftest.$ac_ext"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } >/dev/null && {
-	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       }; then
-  ac_header_preproc=yes
-else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-  ac_header_preproc=no
-fi
-
-rm -f conftest.err conftest.$ac_ext
-{ $as_echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
-$as_echo "$ac_header_preproc" >&6; }
-
-# So?  What about this header?
-case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
-  yes:no: )
-    { $as_echo "$as_me:$LINENO: WARNING: security/pam_appl.h: accepted by the compiler, rejected by the preprocessor!" >&5
-$as_echo "$as_me: WARNING: security/pam_appl.h: accepted by the compiler, rejected by the preprocessor!" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: security/pam_appl.h: proceeding with the compiler's result" >&5
-$as_echo "$as_me: WARNING: security/pam_appl.h: proceeding with the compiler's result" >&2;}
-    ac_header_preproc=yes
-    ;;
-  no:yes:* )
-    { $as_echo "$as_me:$LINENO: WARNING: security/pam_appl.h: present but cannot be compiled" >&5
-$as_echo "$as_me: WARNING: security/pam_appl.h: present but cannot be compiled" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: security/pam_appl.h:     check for missing prerequisite headers?" >&5
-$as_echo "$as_me: WARNING: security/pam_appl.h:     check for missing prerequisite headers?" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: security/pam_appl.h: see the Autoconf documentation" >&5
-$as_echo "$as_me: WARNING: security/pam_appl.h: see the Autoconf documentation" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: security/pam_appl.h:     section \"Present But Cannot Be Compiled\"" >&5
-$as_echo "$as_me: WARNING: security/pam_appl.h:     section \"Present But Cannot Be Compiled\"" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: security/pam_appl.h: proceeding with the preprocessor's result" >&5
-$as_echo "$as_me: WARNING: security/pam_appl.h: proceeding with the preprocessor's result" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: security/pam_appl.h: in the future, the compiler will take precedence" >&5
-$as_echo "$as_me: WARNING: security/pam_appl.h: in the future, the compiler will take precedence" >&2;}
-
-    ;;
-esac
-{ $as_echo "$as_me:$LINENO: checking for security/pam_appl.h" >&5
-$as_echo_n "checking for security/pam_appl.h... " >&6; }
-if test "${ac_cv_header_security_pam_appl_h+set}" = set; then
-  $as_echo_n "(cached) " >&6
-else
-  ac_cv_header_security_pam_appl_h=$ac_header_preproc
-fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_header_security_pam_appl_h" >&5
-$as_echo "$ac_cv_header_security_pam_appl_h" >&6; }
+	ac_fn_c_check_header_mongrel "$LINENO" "security/pam_appl.h" "ac_cv_header_security_pam_appl_h" "$ac_includes_default"
+if test "x$ac_cv_header_security_pam_appl_h" = x""yes; then :
 
-fi
-if test "x$ac_cv_header_security_pam_appl_h" = x""yes; then
-  :
 else
-  { { $as_echo "$as_me:$LINENO: error: PAM header security/pam_appl.h not found!" >&5
-$as_echo "$as_me: error: PAM header security/pam_appl.h not found!" >&2;}
-   { (exit 1); exit 1; }; }
+  as_fn_error "PAM header security/pam_appl.h not found!" "$LINENO" 5
 fi
 
 
 fi
 
 if test x$capabilities = xlibcap; then
-	{ $as_echo "$as_me:$LINENO: checking for main in -lcap" >&5
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lcap" >&5
 $as_echo_n "checking for main in -lcap... " >&6; }
-if test "${ac_cv_lib_cap_main+set}" = set; then
+if test "${ac_cv_lib_cap_main+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
 LIBS="-lcap  $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
 
@@ -18656,197 +15407,38 @@ return main ();
   return 0;
 }
 _ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+if ac_fn_c_try_link "$LINENO"; then :
   ac_cv_lib_cap_main=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_cv_lib_cap_main=no
+  ac_cv_lib_cap_main=no
 fi
-
-rm -rf conftest.dSYM
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_cap_main" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_cap_main" >&5
 $as_echo "$ac_cv_lib_cap_main" >&6; }
-if test "x$ac_cv_lib_cap_main" = x""yes; then
+if test "x$ac_cv_lib_cap_main" = x""yes; then :
   LIBS="$LIBS"
 else
-  { { $as_echo "$as_me:$LINENO: error: libcap library not found" >&5
-$as_echo "$as_me: error: libcap library not found" >&2;}
-   { (exit 1); exit 1; }; }
+  as_fn_error "libcap library not found" "$LINENO" 5
 fi
 ac_cv_lib_cap=ac_cv_lib_cap_main
 
-	if test "${ac_cv_header_sys_capability_h+set}" = set; then
-  { $as_echo "$as_me:$LINENO: checking for sys/capability.h" >&5
-$as_echo_n "checking for sys/capability.h... " >&6; }
-if test "${ac_cv_header_sys_capability_h+set}" = set; then
-  $as_echo_n "(cached) " >&6
-fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_header_sys_capability_h" >&5
-$as_echo "$ac_cv_header_sys_capability_h" >&6; }
-else
-  # Is the header compilable?
-{ $as_echo "$as_me:$LINENO: checking sys/capability.h usability" >&5
-$as_echo_n "checking sys/capability.h usability... " >&6; }
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-$ac_includes_default
-#include <sys/capability.h>
-_ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  ac_header_compiler=yes
-else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_header_compiler=no
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-{ $as_echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
-$as_echo "$ac_header_compiler" >&6; }
-
-# Is the header present?
-{ $as_echo "$as_me:$LINENO: checking sys/capability.h presence" >&5
-$as_echo_n "checking sys/capability.h presence... " >&6; }
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#include <sys/capability.h>
-_ACEOF
-if { (ac_try="$ac_cpp conftest.$ac_ext"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } >/dev/null && {
-	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       }; then
-  ac_header_preproc=yes
-else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-  ac_header_preproc=no
-fi
-
-rm -f conftest.err conftest.$ac_ext
-{ $as_echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
-$as_echo "$ac_header_preproc" >&6; }
-
-# So?  What about this header?
-case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
-  yes:no: )
-    { $as_echo "$as_me:$LINENO: WARNING: sys/capability.h: accepted by the compiler, rejected by the preprocessor!" >&5
-$as_echo "$as_me: WARNING: sys/capability.h: accepted by the compiler, rejected by the preprocessor!" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: sys/capability.h: proceeding with the compiler's result" >&5
-$as_echo "$as_me: WARNING: sys/capability.h: proceeding with the compiler's result" >&2;}
-    ac_header_preproc=yes
-    ;;
-  no:yes:* )
-    { $as_echo "$as_me:$LINENO: WARNING: sys/capability.h: present but cannot be compiled" >&5
-$as_echo "$as_me: WARNING: sys/capability.h: present but cannot be compiled" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: sys/capability.h:     check for missing prerequisite headers?" >&5
-$as_echo "$as_me: WARNING: sys/capability.h:     check for missing prerequisite headers?" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: sys/capability.h: see the Autoconf documentation" >&5
-$as_echo "$as_me: WARNING: sys/capability.h: see the Autoconf documentation" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: sys/capability.h:     section \"Present But Cannot Be Compiled\"" >&5
-$as_echo "$as_me: WARNING: sys/capability.h:     section \"Present But Cannot Be Compiled\"" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: sys/capability.h: proceeding with the preprocessor's result" >&5
-$as_echo "$as_me: WARNING: sys/capability.h: proceeding with the preprocessor's result" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: sys/capability.h: in the future, the compiler will take precedence" >&5
-$as_echo "$as_me: WARNING: sys/capability.h: in the future, the compiler will take precedence" >&2;}
-
-    ;;
-esac
-{ $as_echo "$as_me:$LINENO: checking for sys/capability.h" >&5
-$as_echo_n "checking for sys/capability.h... " >&6; }
-if test "${ac_cv_header_sys_capability_h+set}" = set; then
-  $as_echo_n "(cached) " >&6
-else
-  ac_cv_header_sys_capability_h=$ac_header_preproc
-fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_header_sys_capability_h" >&5
-$as_echo "$ac_cv_header_sys_capability_h" >&6; }
+	ac_fn_c_check_header_mongrel "$LINENO" "sys/capability.h" "ac_cv_header_sys_capability_h" "$ac_includes_default"
+if test "x$ac_cv_header_sys_capability_h" = x""yes; then :
 
-fi
-if test "x$ac_cv_header_sys_capability_h" = x""yes; then
-  :
 else
-  { { $as_echo "$as_me:$LINENO: error: libcap header sys/capability.h not found!" >&5
-$as_echo "$as_me: error: libcap header sys/capability.h not found!" >&2;}
-   { (exit 1); exit 1; }; }
+  as_fn_error "libcap header sys/capability.h not found!" "$LINENO" 5
 fi
 
 
 fi
 
 if test x$integrity_test = xtrue; then
-	{ $as_echo "$as_me:$LINENO: checking for dladdr()" >&5
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for dladdr()" >&5
 $as_echo_n "checking for dladdr()... " >&6; }
-	cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
+	cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 #define _GNU_SOURCE
 		 #include <dlfcn.h>
@@ -18858,46 +15450,19 @@ Dl_info info; dladdr(main, &info);
   return 0;
 }
 _ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  { $as_echo "$as_me:$LINENO: result: yes" >&5
+if ac_fn_c_try_compile "$LINENO"; then :
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
 $as_echo "yes" >&6; }
 else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	{ $as_echo "$as_me:$LINENO: result: no" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; };
-		 { { $as_echo "$as_me:$LINENO: error: dladdr() not supported, required by integrity-test!" >&5
-$as_echo "$as_me: error: dladdr() not supported, required by integrity-test!" >&2;}
-   { (exit 1); exit 1; }; }
+		 as_fn_error "dladdr() not supported, required by integrity-test!" "$LINENO" 5
 
 fi
-
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-	{ $as_echo "$as_me:$LINENO: checking for dl_iterate_phdr()" >&5
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for dl_iterate_phdr()" >&5
 $as_echo_n "checking for dl_iterate_phdr()... " >&6; }
-	cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
+	cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 #define _GNU_SOURCE
 		 #include <link.h>
@@ -18909,38 +15474,15 @@ dl_iterate_phdr((void*)0, (void*)0);
   return 0;
 }
 _ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  { $as_echo "$as_me:$LINENO: result: yes" >&5
+if ac_fn_c_try_compile "$LINENO"; then :
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
 $as_echo "yes" >&6; }
 else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	{ $as_echo "$as_me:$LINENO: result: no" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; };
-		 { { $as_echo "$as_me:$LINENO: error: dl_iterate_phdr() not supported, required by integrity-test!" >&5
-$as_echo "$as_me: error: dl_iterate_phdr() not supported, required by integrity-test!" >&2;}
-   { (exit 1); exit 1; }; }
+		 as_fn_error "dl_iterate_phdr() not supported, required by integrity-test!" "$LINENO" 5
 
 fi
-
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
 
@@ -18996,16 +15538,39 @@ if test x$random = xtrue; then
 fi
 if test x$x509 = xtrue; then
 	libstrongswan_plugins=${libstrongswan_plugins}" x509"
+	pluto_plugins=${pluto_plugins}" x509"
 fi
 if test x$pubkey = xtrue; then
 	libstrongswan_plugins=${libstrongswan_plugins}" pubkey"
 	pluto_plugins=${pluto_plugins}" pubkey"
 fi
+if test x$pkcs1 = xtrue; then
+	libstrongswan_plugins=${libstrongswan_plugins}" pkcs1"
+	pluto_plugins=${pluto_plugins}" pkcs1"
+fi
+if test x$pgp = xtrue; then
+	libstrongswan_plugins=${libstrongswan_plugins}" pgp"
+	pluto_plugins=${pluto_plugins}" pgp"
+fi
+if test x$dnskey = xtrue; then
+	libstrongswan_plugins=${libstrongswan_plugins}" dnskey"
+	pluto_plugins=${pluto_plugins}" dnskey"
+fi
+if test x$pem = xtrue; then
+	libstrongswan_plugins=${libstrongswan_plugins}" pem"
+	pluto_plugins=${pluto_plugins}" pem"
+fi
 if test x$mysql = xtrue; then
 	libstrongswan_plugins=${libstrongswan_plugins}" mysql"
+	pluto_plugins=${pluto_plugins}" mysql"
 fi
 if test x$sqlite = xtrue; then
 	libstrongswan_plugins=${libstrongswan_plugins}" sqlite"
+	pluto_plugins=${pluto_plugins}" sqlite"
+fi
+if test x$attr_sql = xtrue -o x$sql = xtrue; then
+	libstrongswan_plugins=${libstrongswan_plugins}" attr-sql"
+	pluto_plugins=${pluto_plugins}" attr-sql"
 fi
 if test x$padlock = xtrue; then
 	libstrongswan_plugins=${libstrongswan_plugins}" padlock"
@@ -19149,12 +15714,44 @@ else
   USE_X509_FALSE=
 fi
 
- if test x$pubkey = xtrue; then
-  USE_PUBKEY_TRUE=
-  USE_PUBKEY_FALSE='#'
+ if test x$pubkey = xtrue; then
+  USE_PUBKEY_TRUE=
+  USE_PUBKEY_FALSE='#'
+else
+  USE_PUBKEY_TRUE='#'
+  USE_PUBKEY_FALSE=
+fi
+
+ if test x$pkcs1 = xtrue; then
+  USE_PKCS1_TRUE=
+  USE_PKCS1_FALSE='#'
+else
+  USE_PKCS1_TRUE='#'
+  USE_PKCS1_FALSE=
+fi
+
+ if test x$pgp = xtrue; then
+  USE_PGP_TRUE=
+  USE_PGP_FALSE='#'
+else
+  USE_PGP_TRUE='#'
+  USE_PGP_FALSE=
+fi
+
+ if test x$dnskey = xtrue; then
+  USE_DNSKEY_TRUE=
+  USE_DNSKEY_FALSE='#'
+else
+  USE_DNSKEY_TRUE='#'
+  USE_DNSKEY_FALSE=
+fi
+
+ if test x$pem = xtrue; then
+  USE_PEM_TRUE=
+  USE_PEM_FALSE='#'
 else
-  USE_PUBKEY_TRUE='#'
-  USE_PUBKEY_FALSE=
+  USE_PEM_TRUE='#'
+  USE_PEM_FALSE=
 fi
 
  if test x$hmac = xtrue; then
@@ -19189,6 +15786,14 @@ else
   USE_SQLITE_FALSE=
 fi
 
+ if test x$attr_sql = xtrue -o x$sql = xtrue; then
+  USE_ATTR_SQL_TRUE=
+  USE_ATTR_SQL_FALSE='#'
+else
+  USE_ATTR_SQL_TRUE='#'
+  USE_ATTR_SQL_FALSE=
+fi
+
  if test x$padlock = xtrue; then
   USE_PADLOCK_TRUE=
   USE_PADLOCK_FALSE='#'
@@ -19294,15 +15899,15 @@ else
   USE_ATTR_FALSE=
 fi
 
- if test x$resolvconf = xtrue; then
-  USE_RESOLV_CONF_TRUE=
-  USE_RESOLV_CONF_FALSE='#'
+ if test x$resolve = xtrue; then
+  USE_RESOLVE_TRUE=
+  USE_RESOLVE_FALSE='#'
 else
-  USE_RESOLV_CONF_TRUE='#'
-  USE_RESOLV_CONF_FALSE=
+  USE_RESOLVE_TRUE='#'
+  USE_RESOLVE_FALSE=
 fi
 
- if test x$unittest = xtrue; then
+ if test x$unit_tests = xtrue; then
   USE_UNIT_TESTS_TRUE=
   USE_UNIT_TESTS_FALSE='#'
 else
@@ -19310,12 +15915,12 @@ else
   USE_UNIT_TESTS_FALSE=
 fi
 
- if test x$loadtest = xtrue; then
-  USE_LOAD_TESTS_TRUE=
-  USE_LOAD_TESTS_FALSE='#'
+ if test x$load_tester = xtrue; then
+  USE_LOAD_TESTER_TRUE=
+  USE_LOAD_TESTER_FALSE='#'
 else
-  USE_LOAD_TESTS_TRUE='#'
-  USE_LOAD_TESTS_FALSE=
+  USE_LOAD_TESTER_TRUE='#'
+  USE_LOAD_TESTER_FALSE=
 fi
 
  if test x$eap_sim = xtrue; then
@@ -19334,6 +15939,22 @@ else
   USE_EAP_SIM_FILE_FALSE=
 fi
 
+ if test x$eap_simaka_pseudonym = xtrue; then
+  USE_EAP_SIMAKA_PSEUDONYM_TRUE=
+  USE_EAP_SIMAKA_PSEUDONYM_FALSE='#'
+else
+  USE_EAP_SIMAKA_PSEUDONYM_TRUE='#'
+  USE_EAP_SIMAKA_PSEUDONYM_FALSE=
+fi
+
+ if test x$eap_simaka_reauth = xtrue; then
+  USE_EAP_SIMAKA_REAUTH_TRUE=
+  USE_EAP_SIMAKA_REAUTH_FALSE='#'
+else
+  USE_EAP_SIMAKA_REAUTH_TRUE='#'
+  USE_EAP_SIMAKA_REAUTH_FALSE=
+fi
+
  if test x$eap_identity = xtrue; then
   USE_EAP_IDENTITY_TRUE=
   USE_EAP_IDENTITY_FALSE='#'
@@ -19366,6 +15987,14 @@ else
   USE_EAP_AKA_FALSE=
 fi
 
+ if test x$eap_aka_3gpp2 = xtrue; then
+  USE_EAP_AKA_3GPP2_TRUE=
+  USE_EAP_AKA_3GPP2_FALSE='#'
+else
+  USE_EAP_AKA_3GPP2_TRUE='#'
+  USE_EAP_AKA_3GPP2_FALSE=
+fi
+
  if test x$eap_mschapv2 = xtrue; then
   USE_EAP_MSCHAPV2_TRUE=
   USE_EAP_MSCHAPV2_FALSE='#'
@@ -19495,7 +16124,7 @@ else
   USE_MANAGER_FALSE=
 fi
 
- if test x$me = xtrue; then
+ if test x$mediation = xtrue; then
   USE_ME_TRUE=
   USE_ME_FALSE='#'
 else
@@ -19583,23 +16212,27 @@ else
   USE_VSTR_FALSE=
 fi
 
+ if test x$simaka = xtrue; then
+  USE_SIMAKA_TRUE=
+  USE_SIMAKA_FALSE='#'
+else
+  USE_SIMAKA_TRUE='#'
+  USE_SIMAKA_FALSE=
+fi
 
 
-if test x$me = xtrue; then
-	cat >>confdefs.h <<\_ACEOF
-#define ME 1
-_ACEOF
+
+if test x$mediation = xtrue; then
+	$as_echo "#define ME 1" >>confdefs.h
 
 fi
 if test x$capabilities = xlibcap; then
-	cat >>confdefs.h <<\_ACEOF
-#define CAPABILITIES 1
-_ACEOF
+	$as_echo "#define CAPABILITIES 1" >>confdefs.h
 
 fi
 
 
-ac_config_files="$ac_config_files Makefile src/Makefile src/include/Makefile src/libstrongswan/Makefile src/libstrongswan/plugins/aes/Makefile src/libstrongswan/plugins/des/Makefile src/libstrongswan/plugins/blowfish/Makefile src/libstrongswan/plugins/md4/Makefile src/libstrongswan/plugins/md5/Makefile src/libstrongswan/plugins/sha1/Makefile src/libstrongswan/plugins/sha2/Makefile src/libstrongswan/plugins/fips_prf/Makefile src/libstrongswan/plugins/gmp/Makefile src/libstrongswan/plugins/random/Makefile src/libstrongswan/plugins/hmac/Makefile src/libstrongswan/plugins/xcbc/Makefile src/libstrongswan/plugins/x509/Makefile src/libstrongswan/plugins/pubkey/Makefile src/libstrongswan/plugins/curl/Makefile src/libstrongswan/plugins/ldap/Makefile src/libstrongswan/plugins/mysql/Makefile src/libstrongswan/plugins/sqlite/Makefile src/libstrongswan/plugins/padlock/Makefile src/libstrongswan/plugins/openssl/Makefile src/libstrongswan/plugins/gcrypt/Makefile src/libstrongswan/plugins/agent/Makefile src/libstrongswan/plugins/test_vectors/Makefile src/libfreeswan/Makefile src/pluto/Makefile src/whack/Makefile src/charon/Makefile src/charon/plugins/eap_aka/Makefile src/charon/plugins/eap_identity/Makefile src/charon/plugins/eap_md5/Makefile src/charon/plugins/eap_gtc/Makefile src/charon/plugins/eap_sim/Makefile src/charon/plugins/eap_sim_file/Makefile src/charon/plugins/eap_mschapv2/Makefile src/charon/plugins/eap_radius/Makefile src/charon/plugins/kernel_netlink/Makefile src/charon/plugins/kernel_pfkey/Makefile src/charon/plugins/kernel_pfroute/Makefile src/charon/plugins/kernel_klips/Makefile src/charon/plugins/smp/Makefile src/charon/plugins/sql/Makefile src/charon/plugins/medsrv/Makefile src/charon/plugins/medcli/Makefile src/charon/plugins/nm/Makefile src/charon/plugins/uci/Makefile src/charon/plugins/stroke/Makefile src/charon/plugins/updown/Makefile src/charon/plugins/attr/Makefile src/charon/plugins/resolv_conf/Makefile src/charon/plugins/unit_tester/Makefile src/charon/plugins/load_tester/Makefile src/stroke/Makefile src/ipsec/Makefile src/starter/Makefile src/_updown/Makefile src/_updown_espmark/Makefile src/_copyright/Makefile src/openac/Makefile src/scepclient/Makefile src/dumm/Makefile src/dumm/ext/extconf.rb src/libfast/Makefile src/manager/Makefile src/medsrv/Makefile src/checksum/Makefile scripts/Makefile testing/Makefile"
+ac_config_files="$ac_config_files Makefile src/Makefile src/include/Makefile src/libstrongswan/Makefile src/libstrongswan/plugins/aes/Makefile src/libstrongswan/plugins/des/Makefile src/libstrongswan/plugins/blowfish/Makefile src/libstrongswan/plugins/md4/Makefile src/libstrongswan/plugins/md5/Makefile src/libstrongswan/plugins/sha1/Makefile src/libstrongswan/plugins/sha2/Makefile src/libstrongswan/plugins/fips_prf/Makefile src/libstrongswan/plugins/gmp/Makefile src/libstrongswan/plugins/random/Makefile src/libstrongswan/plugins/hmac/Makefile src/libstrongswan/plugins/xcbc/Makefile src/libstrongswan/plugins/x509/Makefile src/libstrongswan/plugins/pubkey/Makefile src/libstrongswan/plugins/pkcs1/Makefile src/libstrongswan/plugins/pgp/Makefile src/libstrongswan/plugins/dnskey/Makefile src/libstrongswan/plugins/pem/Makefile src/libstrongswan/plugins/curl/Makefile src/libstrongswan/plugins/ldap/Makefile src/libstrongswan/plugins/mysql/Makefile src/libstrongswan/plugins/sqlite/Makefile src/libstrongswan/plugins/attr_sql/Makefile src/libstrongswan/plugins/padlock/Makefile src/libstrongswan/plugins/openssl/Makefile src/libstrongswan/plugins/gcrypt/Makefile src/libstrongswan/plugins/agent/Makefile src/libstrongswan/plugins/test_vectors/Makefile src/libfreeswan/Makefile src/libsimaka/Makefile src/pluto/Makefile src/whack/Makefile src/charon/Makefile src/charon/plugins/eap_aka/Makefile src/charon/plugins/eap_aka_3gpp2/Makefile src/charon/plugins/eap_identity/Makefile src/charon/plugins/eap_md5/Makefile src/charon/plugins/eap_gtc/Makefile src/charon/plugins/eap_sim/Makefile src/charon/plugins/eap_sim_file/Makefile src/charon/plugins/eap_simaka_pseudonym/Makefile src/charon/plugins/eap_simaka_reauth/Makefile src/charon/plugins/eap_mschapv2/Makefile src/charon/plugins/eap_radius/Makefile src/charon/plugins/kernel_netlink/Makefile src/charon/plugins/kernel_pfkey/Makefile src/charon/plugins/kernel_pfroute/Makefile src/charon/plugins/kernel_klips/Makefile src/charon/plugins/smp/Makefile src/charon/plugins/sql/Makefile src/charon/plugins/medsrv/Makefile src/charon/plugins/medcli/Makefile src/charon/plugins/nm/Makefile src/charon/plugins/uci/Makefile src/charon/plugins/stroke/Makefile src/charon/plugins/updown/Makefile src/charon/plugins/attr/Makefile src/charon/plugins/resolve/Makefile src/charon/plugins/unit_tester/Makefile src/charon/plugins/load_tester/Makefile src/stroke/Makefile src/ipsec/Makefile src/starter/Makefile src/_updown/Makefile src/_updown_espmark/Makefile src/_copyright/Makefile src/openac/Makefile src/scepclient/Makefile src/pki/Makefile src/dumm/Makefile src/dumm/ext/extconf.rb src/libfast/Makefile src/manager/Makefile src/medsrv/Makefile src/checksum/Makefile scripts/Makefile testing/Makefile"
 
 cat >confcache <<\_ACEOF
 # This file is a shell script that caches the results of configure
@@ -19628,13 +16261,13 @@ _ACEOF
     case $ac_val in #(
     *${as_nl}*)
       case $ac_var in #(
-      *_cv_*) { $as_echo "$as_me:$LINENO: WARNING: cache variable $ac_var contains a newline" >&5
+      *_cv_*) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cache variable $ac_var contains a newline" >&5
 $as_echo "$as_me: WARNING: cache variable $ac_var contains a newline" >&2;} ;;
       esac
       case $ac_var in #(
       _ | IFS | as_nl) ;; #(
       BASH_ARGV | BASH_SOURCE) eval $ac_var= ;; #(
-      *) $as_unset $ac_var ;;
+      *) { eval $ac_var=; unset $ac_var;} ;;
       esac ;;
     esac
   done
@@ -19642,8 +16275,8 @@ $as_echo "$as_me: WARNING: cache variable $ac_var contains a newline" >&2;} ;;
   (set) 2>&1 |
     case $as_nl`(ac_space=' '; set) 2>&1` in #(
     *${as_nl}ac_space=\ *)
-      # `set' does not quote correctly, so add quotes (double-quote
-      # substitution turns \\\\ into \\, and sed turns \\ into \).
+      # `set' does not quote correctly, so add quotes: double-quote
+      # substitution turns \\\\ into \\, and sed turns \\ into \.
       sed -n \
 	"s/'/'\\\\''/g;
 	  s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1='\\2'/p"
@@ -19666,11 +16299,11 @@ $as_echo "$as_me: WARNING: cache variable $ac_var contains a newline" >&2;} ;;
 if diff "$cache_file" confcache >/dev/null 2>&1; then :; else
   if test -w "$cache_file"; then
     test "x$cache_file" != "x/dev/null" &&
-      { $as_echo "$as_me:$LINENO: updating cache $cache_file" >&5
+      { $as_echo "$as_me:${as_lineno-$LINENO}: updating cache $cache_file" >&5
 $as_echo "$as_me: updating cache $cache_file" >&6;}
     cat confcache >$cache_file
   else
-    { $as_echo "$as_me:$LINENO: not updating unwritable cache $cache_file" >&5
+    { $as_echo "$as_me:${as_lineno-$LINENO}: not updating unwritable cache $cache_file" >&5
 $as_echo "$as_me: not updating unwritable cache $cache_file" >&6;}
   fi
 fi
@@ -19726,513 +16359,348 @@ for ac_i in : $LIBOBJS; do test "x$ac_i" = x: && continue
   ac_i=`$as_echo "$ac_i" | sed "$ac_script"`
   # 2. Prepend LIBOBJDIR.  When used with automake>=1.10 LIBOBJDIR
   #    will be set to the directory where LIBOBJS objects are built.
-  ac_libobjs="$ac_libobjs \${LIBOBJDIR}$ac_i\$U.$ac_objext"
-  ac_ltlibobjs="$ac_ltlibobjs \${LIBOBJDIR}$ac_i"'$U.lo'
+  as_fn_append ac_libobjs " \${LIBOBJDIR}$ac_i\$U.$ac_objext"
+  as_fn_append ac_ltlibobjs " \${LIBOBJDIR}$ac_i"'$U.lo'
 done
 LIBOBJS=$ac_libobjs
 
 LTLIBOBJS=$ac_ltlibobjs
 
 
+ if test -n "$EXEEXT"; then
+  am__EXEEXT_TRUE=
+  am__EXEEXT_FALSE='#'
+else
+  am__EXEEXT_TRUE='#'
+  am__EXEEXT_FALSE=
+fi
+
 if test -z "${AMDEP_TRUE}" && test -z "${AMDEP_FALSE}"; then
-  { { $as_echo "$as_me:$LINENO: error: conditional \"AMDEP\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-$as_echo "$as_me: error: conditional \"AMDEP\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
+  as_fn_error "conditional \"AMDEP\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${am__fastdepCC_TRUE}" && test -z "${am__fastdepCC_FALSE}"; then
-  { { $as_echo "$as_me:$LINENO: error: conditional \"am__fastdepCC\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-$as_echo "$as_me: error: conditional \"am__fastdepCC\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
+  as_fn_error "conditional \"am__fastdepCC\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 
 if test -z "${USE_TEST_VECTORS_TRUE}" && test -z "${USE_TEST_VECTORS_FALSE}"; then
-  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_TEST_VECTORS\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-$as_echo "$as_me: error: conditional \"USE_TEST_VECTORS\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
+  as_fn_error "conditional \"USE_TEST_VECTORS\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_CURL_TRUE}" && test -z "${USE_CURL_FALSE}"; then
-  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_CURL\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-$as_echo "$as_me: error: conditional \"USE_CURL\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
+  as_fn_error "conditional \"USE_CURL\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_LDAP_TRUE}" && test -z "${USE_LDAP_FALSE}"; then
-  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_LDAP\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-$as_echo "$as_me: error: conditional \"USE_LDAP\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
+  as_fn_error "conditional \"USE_LDAP\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_AES_TRUE}" && test -z "${USE_AES_FALSE}"; then
-  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_AES\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-$as_echo "$as_me: error: conditional \"USE_AES\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
+  as_fn_error "conditional \"USE_AES\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_DES_TRUE}" && test -z "${USE_DES_FALSE}"; then
-  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_DES\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-$as_echo "$as_me: error: conditional \"USE_DES\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
+  as_fn_error "conditional \"USE_DES\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_BLOWFISH_TRUE}" && test -z "${USE_BLOWFISH_FALSE}"; then
-  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_BLOWFISH\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-$as_echo "$as_me: error: conditional \"USE_BLOWFISH\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
+  as_fn_error "conditional \"USE_BLOWFISH\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_MD4_TRUE}" && test -z "${USE_MD4_FALSE}"; then
-  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_MD4\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-$as_echo "$as_me: error: conditional \"USE_MD4\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
+  as_fn_error "conditional \"USE_MD4\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_MD5_TRUE}" && test -z "${USE_MD5_FALSE}"; then
-  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_MD5\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-$as_echo "$as_me: error: conditional \"USE_MD5\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
+  as_fn_error "conditional \"USE_MD5\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_SHA1_TRUE}" && test -z "${USE_SHA1_FALSE}"; then
-  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_SHA1\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-$as_echo "$as_me: error: conditional \"USE_SHA1\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
+  as_fn_error "conditional \"USE_SHA1\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_SHA2_TRUE}" && test -z "${USE_SHA2_FALSE}"; then
-  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_SHA2\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-$as_echo "$as_me: error: conditional \"USE_SHA2\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
+  as_fn_error "conditional \"USE_SHA2\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_FIPS_PRF_TRUE}" && test -z "${USE_FIPS_PRF_FALSE}"; then
-  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_FIPS_PRF\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-$as_echo "$as_me: error: conditional \"USE_FIPS_PRF\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
+  as_fn_error "conditional \"USE_FIPS_PRF\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_GMP_TRUE}" && test -z "${USE_GMP_FALSE}"; then
-  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_GMP\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-$as_echo "$as_me: error: conditional \"USE_GMP\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
+  as_fn_error "conditional \"USE_GMP\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_RANDOM_TRUE}" && test -z "${USE_RANDOM_FALSE}"; then
-  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_RANDOM\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-$as_echo "$as_me: error: conditional \"USE_RANDOM\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
+  as_fn_error "conditional \"USE_RANDOM\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_X509_TRUE}" && test -z "${USE_X509_FALSE}"; then
-  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_X509\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-$as_echo "$as_me: error: conditional \"USE_X509\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
+  as_fn_error "conditional \"USE_X509\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_PUBKEY_TRUE}" && test -z "${USE_PUBKEY_FALSE}"; then
-  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_PUBKEY\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-$as_echo "$as_me: error: conditional \"USE_PUBKEY\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
+  as_fn_error "conditional \"USE_PUBKEY\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
+if test -z "${USE_PKCS1_TRUE}" && test -z "${USE_PKCS1_FALSE}"; then
+  as_fn_error "conditional \"USE_PKCS1\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
+if test -z "${USE_PGP_TRUE}" && test -z "${USE_PGP_FALSE}"; then
+  as_fn_error "conditional \"USE_PGP\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
+if test -z "${USE_DNSKEY_TRUE}" && test -z "${USE_DNSKEY_FALSE}"; then
+  as_fn_error "conditional \"USE_DNSKEY\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
+if test -z "${USE_PEM_TRUE}" && test -z "${USE_PEM_FALSE}"; then
+  as_fn_error "conditional \"USE_PEM\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_HMAC_TRUE}" && test -z "${USE_HMAC_FALSE}"; then
-  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_HMAC\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-$as_echo "$as_me: error: conditional \"USE_HMAC\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
+  as_fn_error "conditional \"USE_HMAC\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_XCBC_TRUE}" && test -z "${USE_XCBC_FALSE}"; then
-  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_XCBC\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-$as_echo "$as_me: error: conditional \"USE_XCBC\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
+  as_fn_error "conditional \"USE_XCBC\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_MYSQL_TRUE}" && test -z "${USE_MYSQL_FALSE}"; then
-  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_MYSQL\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-$as_echo "$as_me: error: conditional \"USE_MYSQL\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
+  as_fn_error "conditional \"USE_MYSQL\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_SQLITE_TRUE}" && test -z "${USE_SQLITE_FALSE}"; then
-  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_SQLITE\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-$as_echo "$as_me: error: conditional \"USE_SQLITE\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
+  as_fn_error "conditional \"USE_SQLITE\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
+if test -z "${USE_ATTR_SQL_TRUE}" && test -z "${USE_ATTR_SQL_FALSE}"; then
+  as_fn_error "conditional \"USE_ATTR_SQL\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_PADLOCK_TRUE}" && test -z "${USE_PADLOCK_FALSE}"; then
-  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_PADLOCK\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-$as_echo "$as_me: error: conditional \"USE_PADLOCK\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
+  as_fn_error "conditional \"USE_PADLOCK\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_OPENSSL_TRUE}" && test -z "${USE_OPENSSL_FALSE}"; then
-  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_OPENSSL\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-$as_echo "$as_me: error: conditional \"USE_OPENSSL\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
+  as_fn_error "conditional \"USE_OPENSSL\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_GCRYPT_TRUE}" && test -z "${USE_GCRYPT_FALSE}"; then
-  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_GCRYPT\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-$as_echo "$as_me: error: conditional \"USE_GCRYPT\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
+  as_fn_error "conditional \"USE_GCRYPT\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_AGENT_TRUE}" && test -z "${USE_AGENT_FALSE}"; then
-  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_AGENT\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-$as_echo "$as_me: error: conditional \"USE_AGENT\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
+  as_fn_error "conditional \"USE_AGENT\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_STROKE_TRUE}" && test -z "${USE_STROKE_FALSE}"; then
-  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_STROKE\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-$as_echo "$as_me: error: conditional \"USE_STROKE\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
+  as_fn_error "conditional \"USE_STROKE\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_MEDSRV_TRUE}" && test -z "${USE_MEDSRV_FALSE}"; then
-  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_MEDSRV\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-$as_echo "$as_me: error: conditional \"USE_MEDSRV\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
+  as_fn_error "conditional \"USE_MEDSRV\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_MEDCLI_TRUE}" && test -z "${USE_MEDCLI_FALSE}"; then
-  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_MEDCLI\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-$as_echo "$as_me: error: conditional \"USE_MEDCLI\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
+  as_fn_error "conditional \"USE_MEDCLI\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_NM_TRUE}" && test -z "${USE_NM_FALSE}"; then
-  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_NM\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-$as_echo "$as_me: error: conditional \"USE_NM\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
+  as_fn_error "conditional \"USE_NM\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_UCI_TRUE}" && test -z "${USE_UCI_FALSE}"; then
-  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_UCI\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-$as_echo "$as_me: error: conditional \"USE_UCI\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
+  as_fn_error "conditional \"USE_UCI\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_SMP_TRUE}" && test -z "${USE_SMP_FALSE}"; then
-  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_SMP\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-$as_echo "$as_me: error: conditional \"USE_SMP\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
+  as_fn_error "conditional \"USE_SMP\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_SQL_TRUE}" && test -z "${USE_SQL_FALSE}"; then
-  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_SQL\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-$as_echo "$as_me: error: conditional \"USE_SQL\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
+  as_fn_error "conditional \"USE_SQL\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_UPDOWN_TRUE}" && test -z "${USE_UPDOWN_FALSE}"; then
-  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_UPDOWN\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-$as_echo "$as_me: error: conditional \"USE_UPDOWN\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
+  as_fn_error "conditional \"USE_UPDOWN\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_ATTR_TRUE}" && test -z "${USE_ATTR_FALSE}"; then
-  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_ATTR\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-$as_echo "$as_me: error: conditional \"USE_ATTR\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
-fi
-if test -z "${USE_RESOLV_CONF_TRUE}" && test -z "${USE_RESOLV_CONF_FALSE}"; then
-  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_RESOLV_CONF\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-$as_echo "$as_me: error: conditional \"USE_RESOLV_CONF\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
+  as_fn_error "conditional \"USE_ATTR\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
+if test -z "${USE_RESOLVE_TRUE}" && test -z "${USE_RESOLVE_FALSE}"; then
+  as_fn_error "conditional \"USE_RESOLVE\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_UNIT_TESTS_TRUE}" && test -z "${USE_UNIT_TESTS_FALSE}"; then
-  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_UNIT_TESTS\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-$as_echo "$as_me: error: conditional \"USE_UNIT_TESTS\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
-fi
-if test -z "${USE_LOAD_TESTS_TRUE}" && test -z "${USE_LOAD_TESTS_FALSE}"; then
-  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_LOAD_TESTS\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-$as_echo "$as_me: error: conditional \"USE_LOAD_TESTS\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
+  as_fn_error "conditional \"USE_UNIT_TESTS\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
+if test -z "${USE_LOAD_TESTER_TRUE}" && test -z "${USE_LOAD_TESTER_FALSE}"; then
+  as_fn_error "conditional \"USE_LOAD_TESTER\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_EAP_SIM_TRUE}" && test -z "${USE_EAP_SIM_FALSE}"; then
-  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_EAP_SIM\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-$as_echo "$as_me: error: conditional \"USE_EAP_SIM\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
+  as_fn_error "conditional \"USE_EAP_SIM\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_EAP_SIM_FILE_TRUE}" && test -z "${USE_EAP_SIM_FILE_FALSE}"; then
-  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_EAP_SIM_FILE\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-$as_echo "$as_me: error: conditional \"USE_EAP_SIM_FILE\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
+  as_fn_error "conditional \"USE_EAP_SIM_FILE\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
+if test -z "${USE_EAP_SIMAKA_PSEUDONYM_TRUE}" && test -z "${USE_EAP_SIMAKA_PSEUDONYM_FALSE}"; then
+  as_fn_error "conditional \"USE_EAP_SIMAKA_PSEUDONYM\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
+if test -z "${USE_EAP_SIMAKA_REAUTH_TRUE}" && test -z "${USE_EAP_SIMAKA_REAUTH_FALSE}"; then
+  as_fn_error "conditional \"USE_EAP_SIMAKA_REAUTH\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_EAP_IDENTITY_TRUE}" && test -z "${USE_EAP_IDENTITY_FALSE}"; then
-  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_EAP_IDENTITY\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-$as_echo "$as_me: error: conditional \"USE_EAP_IDENTITY\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
+  as_fn_error "conditional \"USE_EAP_IDENTITY\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_EAP_MD5_TRUE}" && test -z "${USE_EAP_MD5_FALSE}"; then
-  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_EAP_MD5\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-$as_echo "$as_me: error: conditional \"USE_EAP_MD5\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
+  as_fn_error "conditional \"USE_EAP_MD5\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_EAP_GTC_TRUE}" && test -z "${USE_EAP_GTC_FALSE}"; then
-  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_EAP_GTC\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-$as_echo "$as_me: error: conditional \"USE_EAP_GTC\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
+  as_fn_error "conditional \"USE_EAP_GTC\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_EAP_AKA_TRUE}" && test -z "${USE_EAP_AKA_FALSE}"; then
-  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_EAP_AKA\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-$as_echo "$as_me: error: conditional \"USE_EAP_AKA\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
+  as_fn_error "conditional \"USE_EAP_AKA\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
+if test -z "${USE_EAP_AKA_3GPP2_TRUE}" && test -z "${USE_EAP_AKA_3GPP2_FALSE}"; then
+  as_fn_error "conditional \"USE_EAP_AKA_3GPP2\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_EAP_MSCHAPV2_TRUE}" && test -z "${USE_EAP_MSCHAPV2_FALSE}"; then
-  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_EAP_MSCHAPV2\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-$as_echo "$as_me: error: conditional \"USE_EAP_MSCHAPV2\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
+  as_fn_error "conditional \"USE_EAP_MSCHAPV2\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_EAP_RADIUS_TRUE}" && test -z "${USE_EAP_RADIUS_FALSE}"; then
-  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_EAP_RADIUS\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-$as_echo "$as_me: error: conditional \"USE_EAP_RADIUS\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
+  as_fn_error "conditional \"USE_EAP_RADIUS\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_KERNEL_NETLINK_TRUE}" && test -z "${USE_KERNEL_NETLINK_FALSE}"; then
-  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_KERNEL_NETLINK\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-$as_echo "$as_me: error: conditional \"USE_KERNEL_NETLINK\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
+  as_fn_error "conditional \"USE_KERNEL_NETLINK\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_KERNEL_PFKEY_TRUE}" && test -z "${USE_KERNEL_PFKEY_FALSE}"; then
-  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_KERNEL_PFKEY\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-$as_echo "$as_me: error: conditional \"USE_KERNEL_PFKEY\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
+  as_fn_error "conditional \"USE_KERNEL_PFKEY\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_KERNEL_PFROUTE_TRUE}" && test -z "${USE_KERNEL_PFROUTE_FALSE}"; then
-  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_KERNEL_PFROUTE\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-$as_echo "$as_me: error: conditional \"USE_KERNEL_PFROUTE\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
+  as_fn_error "conditional \"USE_KERNEL_PFROUTE\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_KERNEL_KLIPS_TRUE}" && test -z "${USE_KERNEL_KLIPS_FALSE}"; then
-  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_KERNEL_KLIPS\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-$as_echo "$as_me: error: conditional \"USE_KERNEL_KLIPS\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
+  as_fn_error "conditional \"USE_KERNEL_KLIPS\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_SMARTCARD_TRUE}" && test -z "${USE_SMARTCARD_FALSE}"; then
-  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_SMARTCARD\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-$as_echo "$as_me: error: conditional \"USE_SMARTCARD\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
+  as_fn_error "conditional \"USE_SMARTCARD\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_CISCO_QUIRKS_TRUE}" && test -z "${USE_CISCO_QUIRKS_FALSE}"; then
-  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_CISCO_QUIRKS\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-$as_echo "$as_me: error: conditional \"USE_CISCO_QUIRKS\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
+  as_fn_error "conditional \"USE_CISCO_QUIRKS\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_LEAK_DETECTIVE_TRUE}" && test -z "${USE_LEAK_DETECTIVE_FALSE}"; then
-  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_LEAK_DETECTIVE\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-$as_echo "$as_me: error: conditional \"USE_LEAK_DETECTIVE\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
+  as_fn_error "conditional \"USE_LEAK_DETECTIVE\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_LOCK_PROFILER_TRUE}" && test -z "${USE_LOCK_PROFILER_FALSE}"; then
-  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_LOCK_PROFILER\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-$as_echo "$as_me: error: conditional \"USE_LOCK_PROFILER\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
+  as_fn_error "conditional \"USE_LOCK_PROFILER\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_NAT_TRANSPORT_TRUE}" && test -z "${USE_NAT_TRANSPORT_FALSE}"; then
-  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_NAT_TRANSPORT\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-$as_echo "$as_me: error: conditional \"USE_NAT_TRANSPORT\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
+  as_fn_error "conditional \"USE_NAT_TRANSPORT\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_VENDORID_TRUE}" && test -z "${USE_VENDORID_FALSE}"; then
-  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_VENDORID\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-$as_echo "$as_me: error: conditional \"USE_VENDORID\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
+  as_fn_error "conditional \"USE_VENDORID\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_XAUTH_VID_TRUE}" && test -z "${USE_XAUTH_VID_FALSE}"; then
-  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_XAUTH_VID\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-$as_echo "$as_me: error: conditional \"USE_XAUTH_VID\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
+  as_fn_error "conditional \"USE_XAUTH_VID\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_DUMM_TRUE}" && test -z "${USE_DUMM_FALSE}"; then
-  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_DUMM\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-$as_echo "$as_me: error: conditional \"USE_DUMM\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
+  as_fn_error "conditional \"USE_DUMM\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_FAST_TRUE}" && test -z "${USE_FAST_FALSE}"; then
-  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_FAST\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-$as_echo "$as_me: error: conditional \"USE_FAST\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
+  as_fn_error "conditional \"USE_FAST\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_MANAGER_TRUE}" && test -z "${USE_MANAGER_FALSE}"; then
-  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_MANAGER\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-$as_echo "$as_me: error: conditional \"USE_MANAGER\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
+  as_fn_error "conditional \"USE_MANAGER\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_ME_TRUE}" && test -z "${USE_ME_FALSE}"; then
-  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_ME\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-$as_echo "$as_me: error: conditional \"USE_ME\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
+  as_fn_error "conditional \"USE_ME\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_INTEGRITY_TEST_TRUE}" && test -z "${USE_INTEGRITY_TEST_FALSE}"; then
-  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_INTEGRITY_TEST\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-$as_echo "$as_me: error: conditional \"USE_INTEGRITY_TEST\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
+  as_fn_error "conditional \"USE_INTEGRITY_TEST\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_CAPABILITIES_TRUE}" && test -z "${USE_CAPABILITIES_FALSE}"; then
-  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_CAPABILITIES\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-$as_echo "$as_me: error: conditional \"USE_CAPABILITIES\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
+  as_fn_error "conditional \"USE_CAPABILITIES\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_PLUTO_TRUE}" && test -z "${USE_PLUTO_FALSE}"; then
-  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_PLUTO\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-$as_echo "$as_me: error: conditional \"USE_PLUTO\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
+  as_fn_error "conditional \"USE_PLUTO\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_THREADS_TRUE}" && test -z "${USE_THREADS_FALSE}"; then
-  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_THREADS\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-$as_echo "$as_me: error: conditional \"USE_THREADS\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
+  as_fn_error "conditional \"USE_THREADS\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_CHARON_TRUE}" && test -z "${USE_CHARON_FALSE}"; then
-  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_CHARON\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-$as_echo "$as_me: error: conditional \"USE_CHARON\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
+  as_fn_error "conditional \"USE_CHARON\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_TOOLS_TRUE}" && test -z "${USE_TOOLS_FALSE}"; then
-  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_TOOLS\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-$as_echo "$as_me: error: conditional \"USE_TOOLS\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
+  as_fn_error "conditional \"USE_TOOLS\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_SCRIPTS_TRUE}" && test -z "${USE_SCRIPTS_FALSE}"; then
-  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_SCRIPTS\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-$as_echo "$as_me: error: conditional \"USE_SCRIPTS\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
+  as_fn_error "conditional \"USE_SCRIPTS\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_LIBSTRONGSWAN_TRUE}" && test -z "${USE_LIBSTRONGSWAN_FALSE}"; then
-  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_LIBSTRONGSWAN\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-$as_echo "$as_me: error: conditional \"USE_LIBSTRONGSWAN\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
+  as_fn_error "conditional \"USE_LIBSTRONGSWAN\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_FILE_CONFIG_TRUE}" && test -z "${USE_FILE_CONFIG_FALSE}"; then
-  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_FILE_CONFIG\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-$as_echo "$as_me: error: conditional \"USE_FILE_CONFIG\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
+  as_fn_error "conditional \"USE_FILE_CONFIG\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_VSTR_TRUE}" && test -z "${USE_VSTR_FALSE}"; then
-  { { $as_echo "$as_me:$LINENO: error: conditional \"USE_VSTR\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-$as_echo "$as_me: error: conditional \"USE_VSTR\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
+  as_fn_error "conditional \"USE_VSTR\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
+if test -z "${USE_SIMAKA_TRUE}" && test -z "${USE_SIMAKA_FALSE}"; then
+  as_fn_error "conditional \"USE_SIMAKA\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 
 : ${CONFIG_STATUS=./config.status}
 ac_write_fail=0
 ac_clean_files_save=$ac_clean_files
 ac_clean_files="$ac_clean_files $CONFIG_STATUS"
-{ $as_echo "$as_me:$LINENO: creating $CONFIG_STATUS" >&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: creating $CONFIG_STATUS" >&5
 $as_echo "$as_me: creating $CONFIG_STATUS" >&6;}
-cat >$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
+as_write_fail=0
+cat >$CONFIG_STATUS <<_ASEOF || as_write_fail=1
 #! $SHELL
 # Generated by $as_me.
 # Run this file to recreate the current configuration.
@@ -20242,17 +16710,18 @@ cat >$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 debug=false
 ac_cs_recheck=false
 ac_cs_silent=false
-SHELL=\${CONFIG_SHELL-$SHELL}
-_ACEOF
 
-cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
-## --------------------- ##
-## M4sh Initialization.  ##
-## --------------------- ##
+SHELL=\${CONFIG_SHELL-$SHELL}
+export SHELL
+_ASEOF
+cat >>$CONFIG_STATUS <<\_ASEOF || as_write_fail=1
+## -------------------- ##
+## M4sh Initialization. ##
+## -------------------- ##
 
 # Be more Bourne compatible
 DUALCASE=1; export DUALCASE # for MKS sh
-if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
+if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then :
   emulate sh
   NULLCMD=:
   # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which
@@ -20260,23 +16729,15 @@ if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
   alias -g '${1+"$@"}'='"$@"'
   setopt NO_GLOB_SUBST
 else
-  case `(set -o) 2>/dev/null` in
-  *posix*) set -o posix ;;
+  case `(set -o) 2>/dev/null` in #(
+  *posix*) :
+    set -o posix ;; #(
+  *) :
+     ;;
 esac
-
 fi
 
 
-
-
-# PATH needs CR
-# Avoid depending upon Character Ranges.
-as_cr_letters='abcdefghijklmnopqrstuvwxyz'
-as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ'
-as_cr_Letters=$as_cr_letters$as_cr_LETTERS
-as_cr_digits='0123456789'
-as_cr_alnum=$as_cr_Letters$as_cr_digits
-
 as_nl='
 '
 export as_nl
@@ -20284,7 +16745,13 @@ export as_nl
 as_echo='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\'
 as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo
 as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo$as_echo
-if (test "X`printf %s $as_echo`" = "X$as_echo") 2>/dev/null; then
+# Prefer a ksh shell builtin over an external printf program on Solaris,
+# but without wasting forks for bash or zsh.
+if test -z "$BASH_VERSION$ZSH_VERSION" \
+    && (test "X`print -r -- $as_echo`" = "X$as_echo") 2>/dev/null; then
+  as_echo='print -r --'
+  as_echo_n='print -rn --'
+elif (test "X`printf %s $as_echo`" = "X$as_echo") 2>/dev/null; then
   as_echo='printf %s\n'
   as_echo_n='printf %s'
 else
@@ -20295,7 +16762,7 @@ else
     as_echo_body='eval expr "X$1" : "X\\(.*\\)"'
     as_echo_n_body='eval
       arg=$1;
-      case $arg in
+      case $arg in #(
       *"$as_nl"*)
 	expr "X$arg" : "X\\(.*\\)$as_nl";
 	arg=`expr "X$arg" : ".*$as_nl\\(.*\\)"`;;
@@ -20318,13 +16785,6 @@ if test "${PATH_SEPARATOR+set}" != set; then
   }
 fi
 
-# Support unset when possible.
-if ( (MAIL=60; unset MAIL) || exit) >/dev/null 2>&1; then
-  as_unset=unset
-else
-  as_unset=false
-fi
-
 
 # IFS
 # We need space, tab and new line, in precisely that order.  Quoting is
@@ -20334,15 +16794,15 @@ fi
 IFS=" ""	$as_nl"
 
 # Find who we are.  Look in the path if we contain no directory separator.
-case $0 in
+case $0 in #((
   *[\\/]* ) as_myself=$0 ;;
   *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
 for as_dir in $PATH
 do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
-  test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break
-done
+    test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break
+  done
 IFS=$as_save_IFS
 
      ;;
@@ -20354,12 +16814,16 @@ if test "x$as_myself" = x; then
 fi
 if test ! -f "$as_myself"; then
   $as_echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2
-  { (exit 1); exit 1; }
+  exit 1
 fi
 
-# Work around bugs in pre-3.0 UWIN ksh.
-for as_var in ENV MAIL MAILPATH
-do ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var
+# Unset variables that we do not need and which cause bugs (e.g. in
+# pre-3.0 UWIN ksh).  But do not cause bugs in bash 2.01; the "|| exit 1"
+# suppresses any "Segmentation fault" message there.  '((' could
+# trigger a bug in pdksh 5.2.14.
+for as_var in BASH_ENV ENV MAIL MAILPATH
+do eval test x\${$as_var+set} = xset \
+  && ( (unset $as_var) || exit 1) >/dev/null 2>&1 && unset $as_var || :
 done
 PS1='$ '
 PS2='> '
@@ -20371,7 +16835,89 @@ export LC_ALL
 LANGUAGE=C
 export LANGUAGE
 
-# Required to use basename.
+# CDPATH.
+(unset CDPATH) >/dev/null 2>&1 && unset CDPATH
+
+
+# as_fn_error ERROR [LINENO LOG_FD]
+# ---------------------------------
+# Output "`basename $0`: error: ERROR" to stderr. If LINENO and LOG_FD are
+# provided, also output the error to LOG_FD, referencing LINENO. Then exit the
+# script with status $?, using 1 if that was 0.
+as_fn_error ()
+{
+  as_status=$?; test $as_status -eq 0 && as_status=1
+  if test "$3"; then
+    as_lineno=${as_lineno-"$2"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
+    $as_echo "$as_me:${as_lineno-$LINENO}: error: $1" >&$3
+  fi
+  $as_echo "$as_me: error: $1" >&2
+  as_fn_exit $as_status
+} # as_fn_error
+
+
+# as_fn_set_status STATUS
+# -----------------------
+# Set $? to STATUS, without forking.
+as_fn_set_status ()
+{
+  return $1
+} # as_fn_set_status
+
+# as_fn_exit STATUS
+# -----------------
+# Exit the shell with STATUS, even in a "trap 0" or "set -e" context.
+as_fn_exit ()
+{
+  set +e
+  as_fn_set_status $1
+  exit $1
+} # as_fn_exit
+
+# as_fn_unset VAR
+# ---------------
+# Portably unset VAR.
+as_fn_unset ()
+{
+  { eval $1=; unset $1;}
+}
+as_unset=as_fn_unset
+# as_fn_append VAR VALUE
+# ----------------------
+# Append the text in VALUE to the end of the definition contained in VAR. Take
+# advantage of any shell optimizations that allow amortized linear growth over
+# repeated appends, instead of the typical quadratic growth present in naive
+# implementations.
+if (eval "as_var=1; as_var+=2; test x\$as_var = x12") 2>/dev/null; then :
+  eval 'as_fn_append ()
+  {
+    eval $1+=\$2
+  }'
+else
+  as_fn_append ()
+  {
+    eval $1=\$$1\$2
+  }
+fi # as_fn_append
+
+# as_fn_arith ARG...
+# ------------------
+# Perform arithmetic evaluation on the ARGs, and store the result in the
+# global $as_val. Take advantage of shells that can avoid forks. The arguments
+# must be portable across $(()) and expr.
+if (eval "test \$(( 1 + 1 )) = 2") 2>/dev/null; then :
+  eval 'as_fn_arith ()
+  {
+    as_val=$(( $* ))
+  }'
+else
+  as_fn_arith ()
+  {
+    as_val=`expr "$@" || test $? -eq 1`
+  }
+fi # as_fn_arith
+
+
 if expr a : '\(a\)' >/dev/null 2>&1 &&
    test "X`expr 00001 : '.*\(...\)'`" = X001; then
   as_expr=expr
@@ -20385,8 +16931,12 @@ else
   as_basename=false
 fi
 
+if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then
+  as_dirname=dirname
+else
+  as_dirname=false
+fi
 
-# Name of the executable.
 as_me=`$as_basename -- "$0" ||
 $as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \
 	 X"$0" : 'X\(//\)$' \| \
@@ -20406,76 +16956,25 @@ $as_echo X/"$0" |
 	  }
 	  s/.*/./; q'`
 
-# CDPATH.
-$as_unset CDPATH
-
-
-
-  as_lineno_1=$LINENO
-  as_lineno_2=$LINENO
-  test "x$as_lineno_1" != "x$as_lineno_2" &&
-  test "x`expr $as_lineno_1 + 1`" = "x$as_lineno_2" || {
-
-  # Create $as_me.lineno as a copy of $as_myself, but with $LINENO
-  # uniformly replaced by the line number.  The first 'sed' inserts a
-  # line-number line after each line using $LINENO; the second 'sed'
-  # does the real work.  The second script uses 'N' to pair each
-  # line-number line with the line containing $LINENO, and appends
-  # trailing '-' during substitution so that $LINENO is not a special
-  # case at line end.
-  # (Raja R Harinath suggested sed '=', and Paul Eggert wrote the
-  # scripts with optimization help from Paolo Bonzini.  Blame Lee
-  # E. McMahon (1931-1989) for sed's syntax.  :-)
-  sed -n '
-    p
-    /[$]LINENO/=
-  ' <$as_myself |
-    sed '
-      s/[$]LINENO.*/&-/
-      t lineno
-      b
-      :lineno
-      N
-      :loop
-      s/[$]LINENO\([^'$as_cr_alnum'_].*\n\)\(.*\)/\2\1\2/
-      t loop
-      s/-\n.*//
-    ' >$as_me.lineno &&
-  chmod +x "$as_me.lineno" ||
-    { $as_echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2
-   { (exit 1); exit 1; }; }
-
-  # Don't try to exec as it changes $[0], causing all sort of problems
-  # (the dirname of $[0] is not the place where we might find the
-  # original and so on.  Autoconf is especially sensitive to this).
-  . "./$as_me.lineno"
-  # Exit status is that of the last command.
-  exit
-}
-
-
-if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then
-  as_dirname=dirname
-else
-  as_dirname=false
-fi
+# Avoid depending upon Character Ranges.
+as_cr_letters='abcdefghijklmnopqrstuvwxyz'
+as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ'
+as_cr_Letters=$as_cr_letters$as_cr_LETTERS
+as_cr_digits='0123456789'
+as_cr_alnum=$as_cr_Letters$as_cr_digits
 
 ECHO_C= ECHO_N= ECHO_T=
-case `echo -n x` in
+case `echo -n x` in #(((((
 -n*)
-  case `echo 'x\c'` in
+  case `echo 'xy\c'` in
   *c*) ECHO_T='	';;	# ECHO_T is single tab character.
-  *)   ECHO_C='\c';;
+  xy)  ECHO_C='\c';;
+  *)   echo `echo ksh88 bug on AIX 6.1` > /dev/null
+       ECHO_T='	';;
   esac;;
 *)
   ECHO_N='-n';;
 esac
-if expr a : '\(a\)' >/dev/null 2>&1 &&
-   test "X`expr 00001 : '.*\(...\)'`" = X001; then
-  as_expr=expr
-else
-  as_expr=false
-fi
 
 rm -f conf$$ conf$$.exe conf$$.file
 if test -d conf$$.dir; then
@@ -20504,8 +17003,56 @@ fi
 rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file
 rmdir conf$$.dir 2>/dev/null
 
+
+# as_fn_mkdir_p
+# -------------
+# Create "$as_dir" as a directory, including parents if necessary.
+as_fn_mkdir_p ()
+{
+
+  case $as_dir in #(
+  -*) as_dir=./$as_dir;;
+  esac
+  test -d "$as_dir" || eval $as_mkdir_p || {
+    as_dirs=
+    while :; do
+      case $as_dir in #(
+      *\'*) as_qdir=`$as_echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #'(
+      *) as_qdir=$as_dir;;
+      esac
+      as_dirs="'$as_qdir' $as_dirs"
+      as_dir=`$as_dirname -- "$as_dir" ||
+$as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
+	 X"$as_dir" : 'X\(//\)[^/]' \| \
+	 X"$as_dir" : 'X\(//\)$' \| \
+	 X"$as_dir" : 'X\(/\)' \| . 2>/dev/null ||
+$as_echo X"$as_dir" |
+    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
+	    s//\1/
+	    q
+	  }
+	  /^X\(\/\/\)[^/].*/{
+	    s//\1/
+	    q
+	  }
+	  /^X\(\/\/\)$/{
+	    s//\1/
+	    q
+	  }
+	  /^X\(\/\).*/{
+	    s//\1/
+	    q
+	  }
+	  s/.*/./; q'`
+      test -d "$as_dir" && break
+    done
+    test -z "$as_dirs" || eval "mkdir $as_dirs"
+  } || test -d "$as_dir" || as_fn_error "cannot create directory $as_dir"
+
+
+} # as_fn_mkdir_p
 if mkdir -p . 2>/dev/null; then
-  as_mkdir_p=:
+  as_mkdir_p='mkdir -p "$as_dir"'
 else
   test -d ./-p && rmdir ./-p
   as_mkdir_p=false
@@ -20524,10 +17071,10 @@ else
       if test -d "$1"; then
 	test -d "$1/.";
       else
-	case $1 in
+	case $1 in #(
 	-*)set "./$1";;
 	esac;
-	case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in
+	case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in #((
 	???[sx]*):;;*)false;;esac;fi
     '\'' sh
   '
@@ -20542,13 +17089,19 @@ as_tr_sh="eval sed 'y%*+%pp%;s%[^_$as_cr_alnum]%_%g'"
 
 
 exec 6>&1
+## ----------------------------------- ##
+## Main body of $CONFIG_STATUS script. ##
+## ----------------------------------- ##
+_ASEOF
+test $as_write_fail = 0 && chmod +x $CONFIG_STATUS || ac_write_fail=1
 
-# Save the log message, to keep $[0] and so on meaningful, and to
+cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
+# Save the log message, to keep $0 and so on meaningful, and to
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by strongSwan $as_me 4.3.4, which was
-generated by GNU Autoconf 2.63.  Invocation command line was
+This file was extended by strongSwan $as_me 4.3.6, which was
+generated by GNU Autoconf 2.64.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
   CONFIG_HEADERS  = $CONFIG_HEADERS
@@ -20576,10 +17129,11 @@ _ACEOF
 
 cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 ac_cs_usage="\
-\`$as_me' instantiates files from templates according to the
-current configuration.
+\`$as_me' instantiates files and other configuration actions
+from templates according to the current configuration.  Unless the files
+and actions are specified as TAGs, all are instantiated by default.
 
-Usage: $0 [OPTION]... [FILE]...
+Usage: $0 [OPTION]... [TAG]...
 
   -h, --help       print this help, then exit
   -V, --version    print version number and configuration settings, then exit
@@ -20596,16 +17150,16 @@ $config_files
 Configuration commands:
 $config_commands
 
-Report bugs to <bug-autoconf@gnu.org>."
+Report bugs to the package provider."
 
 _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_version="\\
-strongSwan config.status 4.3.4
-configured by $0, generated by GNU Autoconf 2.63,
+strongSwan config.status 4.3.6
+configured by $0, generated by GNU Autoconf 2.64,
   with options \\"`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`\\"
 
-Copyright (C) 2008 Free Software Foundation, Inc.
+Copyright (C) 2009 Free Software Foundation, Inc.
 This config.status script is free software; the Free Software Foundation
 gives unlimited permission to copy, distribute and modify it."
 
@@ -20648,7 +17202,7 @@ do
     case $ac_optarg in
     *\'*) ac_optarg=`$as_echo "$ac_optarg" | sed "s/'/'\\\\\\\\''/g"` ;;
     esac
-    CONFIG_FILES="$CONFIG_FILES '$ac_optarg'"
+    as_fn_append CONFIG_FILES " '$ac_optarg'"
     ac_need_defaults=false;;
   --he | --h |  --help | --hel | -h )
     $as_echo "$ac_cs_usage"; exit ;;
@@ -20657,11 +17211,10 @@ do
     ac_cs_silent=: ;;
 
   # This is an error.
-  -*) { $as_echo "$as_me: error: unrecognized option: $1
-Try \`$0 --help' for more information." >&2
-   { (exit 1); exit 1; }; } ;;
+  -*) as_fn_error "unrecognized option: \`$1'
+Try \`$0 --help' for more information." ;;
 
-  *) ac_config_targets="$ac_config_targets $1"
+  *) as_fn_append ac_config_targets " $1"
      ac_need_defaults=false ;;
 
   esac
@@ -20987,25 +17540,34 @@ do
     "src/libstrongswan/plugins/xcbc/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/xcbc/Makefile" ;;
     "src/libstrongswan/plugins/x509/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/x509/Makefile" ;;
     "src/libstrongswan/plugins/pubkey/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/pubkey/Makefile" ;;
+    "src/libstrongswan/plugins/pkcs1/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/pkcs1/Makefile" ;;
+    "src/libstrongswan/plugins/pgp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/pgp/Makefile" ;;
+    "src/libstrongswan/plugins/dnskey/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/dnskey/Makefile" ;;
+    "src/libstrongswan/plugins/pem/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/pem/Makefile" ;;
     "src/libstrongswan/plugins/curl/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/curl/Makefile" ;;
     "src/libstrongswan/plugins/ldap/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/ldap/Makefile" ;;
     "src/libstrongswan/plugins/mysql/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/mysql/Makefile" ;;
     "src/libstrongswan/plugins/sqlite/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/sqlite/Makefile" ;;
+    "src/libstrongswan/plugins/attr_sql/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/attr_sql/Makefile" ;;
     "src/libstrongswan/plugins/padlock/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/padlock/Makefile" ;;
     "src/libstrongswan/plugins/openssl/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/openssl/Makefile" ;;
     "src/libstrongswan/plugins/gcrypt/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/gcrypt/Makefile" ;;
     "src/libstrongswan/plugins/agent/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/agent/Makefile" ;;
     "src/libstrongswan/plugins/test_vectors/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/test_vectors/Makefile" ;;
     "src/libfreeswan/Makefile") CONFIG_FILES="$CONFIG_FILES src/libfreeswan/Makefile" ;;
+    "src/libsimaka/Makefile") CONFIG_FILES="$CONFIG_FILES src/libsimaka/Makefile" ;;
     "src/pluto/Makefile") CONFIG_FILES="$CONFIG_FILES src/pluto/Makefile" ;;
     "src/whack/Makefile") CONFIG_FILES="$CONFIG_FILES src/whack/Makefile" ;;
     "src/charon/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/Makefile" ;;
     "src/charon/plugins/eap_aka/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/eap_aka/Makefile" ;;
+    "src/charon/plugins/eap_aka_3gpp2/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/eap_aka_3gpp2/Makefile" ;;
     "src/charon/plugins/eap_identity/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/eap_identity/Makefile" ;;
     "src/charon/plugins/eap_md5/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/eap_md5/Makefile" ;;
     "src/charon/plugins/eap_gtc/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/eap_gtc/Makefile" ;;
     "src/charon/plugins/eap_sim/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/eap_sim/Makefile" ;;
     "src/charon/plugins/eap_sim_file/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/eap_sim_file/Makefile" ;;
+    "src/charon/plugins/eap_simaka_pseudonym/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/eap_simaka_pseudonym/Makefile" ;;
+    "src/charon/plugins/eap_simaka_reauth/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/eap_simaka_reauth/Makefile" ;;
     "src/charon/plugins/eap_mschapv2/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/eap_mschapv2/Makefile" ;;
     "src/charon/plugins/eap_radius/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/eap_radius/Makefile" ;;
     "src/charon/plugins/kernel_netlink/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/kernel_netlink/Makefile" ;;
@@ -21021,7 +17583,7 @@ do
     "src/charon/plugins/stroke/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/stroke/Makefile" ;;
     "src/charon/plugins/updown/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/updown/Makefile" ;;
     "src/charon/plugins/attr/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/attr/Makefile" ;;
-    "src/charon/plugins/resolv_conf/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/resolv_conf/Makefile" ;;
+    "src/charon/plugins/resolve/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/resolve/Makefile" ;;
     "src/charon/plugins/unit_tester/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/unit_tester/Makefile" ;;
     "src/charon/plugins/load_tester/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/load_tester/Makefile" ;;
     "src/stroke/Makefile") CONFIG_FILES="$CONFIG_FILES src/stroke/Makefile" ;;
@@ -21032,6 +17594,7 @@ do
     "src/_copyright/Makefile") CONFIG_FILES="$CONFIG_FILES src/_copyright/Makefile" ;;
     "src/openac/Makefile") CONFIG_FILES="$CONFIG_FILES src/openac/Makefile" ;;
     "src/scepclient/Makefile") CONFIG_FILES="$CONFIG_FILES src/scepclient/Makefile" ;;
+    "src/pki/Makefile") CONFIG_FILES="$CONFIG_FILES src/pki/Makefile" ;;
     "src/dumm/Makefile") CONFIG_FILES="$CONFIG_FILES src/dumm/Makefile" ;;
     "src/dumm/ext/extconf.rb") CONFIG_FILES="$CONFIG_FILES src/dumm/ext/extconf.rb" ;;
     "src/libfast/Makefile") CONFIG_FILES="$CONFIG_FILES src/libfast/Makefile" ;;
@@ -21041,9 +17604,7 @@ do
     "scripts/Makefile") CONFIG_FILES="$CONFIG_FILES scripts/Makefile" ;;
     "testing/Makefile") CONFIG_FILES="$CONFIG_FILES testing/Makefile" ;;
 
-  *) { { $as_echo "$as_me:$LINENO: error: invalid argument: $ac_config_target" >&5
-$as_echo "$as_me: error: invalid argument: $ac_config_target" >&2;}
-   { (exit 1); exit 1; }; };;
+  *) as_fn_error "invalid argument: \`$ac_config_target'" "$LINENO" 5;;
   esac
 done
 
@@ -21069,7 +17630,7 @@ $debug ||
   trap 'exit_status=$?
   { test -z "$tmp" || test ! -d "$tmp" || rm -fr "$tmp"; } && exit $exit_status
 ' 0
-  trap '{ (exit 1); exit 1; }' 1 2 13 15
+  trap 'as_fn_exit 1' 1 2 13 15
 }
 # Create a (secure) tmp directory for tmp files.
 
@@ -21080,11 +17641,7 @@ $debug ||
 {
   tmp=./conf$$-$RANDOM
   (umask 077 && mkdir "$tmp")
-} ||
-{
-   $as_echo "$as_me: cannot create a temporary directory in ." >&2
-   { (exit 1); exit 1; }
-}
+} || as_fn_error "cannot create a temporary directory in ." "$LINENO" 5
 
 # Set up the scripts for CONFIG_FILES section.
 # No need to generate them if there are no CONFIG_FILES.
@@ -21092,10 +17649,16 @@ $debug ||
 if test -n "$CONFIG_FILES"; then
 
 
-ac_cr='
'
+ac_cr=`echo X | tr X '\015'`
+# On cygwin, bash can eat \r inside `` if the user requested igncr.
+# But we know of no other shell where ac_cr would be empty at this
+# point, so we can use a bashism as a fallback.
+if test "x$ac_cr" = x; then
+  eval ac_cr=\$\'\\r\'
+fi
 ac_cs_awk_cr=`$AWK 'BEGIN { print "a\rb" }' </dev/null 2>/dev/null`
 if test "$ac_cs_awk_cr" = "a${ac_cr}b"; then
-  ac_cs_awk_cr='\\r'
+  ac_cs_awk_cr='\r'
 else
   ac_cs_awk_cr=$ac_cr
 fi
@@ -21109,24 +17672,18 @@ _ACEOF
   echo "$ac_subst_vars" | sed 's/.*/&!$&$ac_delim/' &&
   echo "_ACEOF"
 } >conf$$subs.sh ||
-  { { $as_echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5
-$as_echo "$as_me: error: could not make $CONFIG_STATUS" >&2;}
-   { (exit 1); exit 1; }; }
+  as_fn_error "could not make $CONFIG_STATUS" "$LINENO" 5
 ac_delim_num=`echo "$ac_subst_vars" | grep -c '$'`
 ac_delim='%!_!# '
 for ac_last_try in false false false false false :; do
   . ./conf$$subs.sh ||
-    { { $as_echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5
-$as_echo "$as_me: error: could not make $CONFIG_STATUS" >&2;}
-   { (exit 1); exit 1; }; }
+    as_fn_error "could not make $CONFIG_STATUS" "$LINENO" 5
 
   ac_delim_n=`sed -n "s/.*$ac_delim\$/X/p" conf$$subs.awk | grep -c X`
   if test $ac_delim_n = $ac_delim_num; then
     break
   elif $ac_last_try; then
-    { { $as_echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5
-$as_echo "$as_me: error: could not make $CONFIG_STATUS" >&2;}
-   { (exit 1); exit 1; }; }
+    as_fn_error "could not make $CONFIG_STATUS" "$LINENO" 5
   else
     ac_delim="$ac_delim!$ac_delim _$ac_delim!! "
   fi
@@ -21215,9 +17772,7 @@ if sed "s/$ac_cr//" < /dev/null > /dev/null 2>&1; then
 else
   cat
 fi < "$tmp/subs1.awk" > "$tmp/subs.awk" \
-  || { { $as_echo "$as_me:$LINENO: error: could not setup config files machinery" >&5
-$as_echo "$as_me: error: could not setup config files machinery" >&2;}
-   { (exit 1); exit 1; }; }
+  || as_fn_error "could not setup config files machinery" "$LINENO" 5
 _ACEOF
 
 # VPATH may cause trouble with some makes, so we remove $(srcdir),
@@ -21248,9 +17803,7 @@ do
   esac
   case $ac_mode$ac_tag in
   :[FHL]*:*);;
-  :L* | :C*:*) { { $as_echo "$as_me:$LINENO: error: invalid tag $ac_tag" >&5
-$as_echo "$as_me: error: invalid tag $ac_tag" >&2;}
-   { (exit 1); exit 1; }; };;
+  :L* | :C*:*) as_fn_error "invalid tag \`$ac_tag'" "$LINENO" 5;;
   :[FH]-) ac_tag=-:-;;
   :[FH]*) ac_tag=$ac_tag:$ac_tag.in;;
   esac
@@ -21278,12 +17831,10 @@ $as_echo "$as_me: error: invalid tag $ac_tag" >&2;}
 	   [\\/$]*) false;;
 	   *) test -f "$srcdir/$ac_f" && ac_f="$srcdir/$ac_f";;
 	   esac ||
-	   { { $as_echo "$as_me:$LINENO: error: cannot find input file: $ac_f" >&5
-$as_echo "$as_me: error: cannot find input file: $ac_f" >&2;}
-   { (exit 1); exit 1; }; };;
+	   as_fn_error "cannot find input file: \`$ac_f'" "$LINENO" 5;;
       esac
       case $ac_f in *\'*) ac_f=`$as_echo "$ac_f" | sed "s/'/'\\\\\\\\''/g"`;; esac
-      ac_file_inputs="$ac_file_inputs '$ac_f'"
+      as_fn_append ac_file_inputs " '$ac_f'"
     done
 
     # Let's still pretend it is `configure' which instantiates (i.e., don't
@@ -21294,7 +17845,7 @@ $as_echo "$as_me: error: cannot find input file: $ac_f" >&2;}
 	`' by configure.'
     if test x"$ac_file" != x-; then
       configure_input="$ac_file.  $configure_input"
-      { $as_echo "$as_me:$LINENO: creating $ac_file" >&5
+      { $as_echo "$as_me:${as_lineno-$LINENO}: creating $ac_file" >&5
 $as_echo "$as_me: creating $ac_file" >&6;}
     fi
     # Neutralize special characters interpreted by sed in replacement strings.
@@ -21307,9 +17858,7 @@ $as_echo "$as_me: creating $ac_file" >&6;}
 
     case $ac_tag in
     *:-:* | *:-) cat >"$tmp/stdin" \
-      || { { $as_echo "$as_me:$LINENO: error: could not create $ac_file" >&5
-$as_echo "$as_me: error: could not create $ac_file" >&2;}
-   { (exit 1); exit 1; }; } ;;
+      || as_fn_error "could not create $ac_file" "$LINENO" 5 ;;
     esac
     ;;
   esac
@@ -21337,47 +17886,7 @@ $as_echo X"$ac_file" |
 	    q
 	  }
 	  s/.*/./; q'`
-  { as_dir="$ac_dir"
-  case $as_dir in #(
-  -*) as_dir=./$as_dir;;
-  esac
-  test -d "$as_dir" || { $as_mkdir_p && mkdir -p "$as_dir"; } || {
-    as_dirs=
-    while :; do
-      case $as_dir in #(
-      *\'*) as_qdir=`$as_echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #'(
-      *) as_qdir=$as_dir;;
-      esac
-      as_dirs="'$as_qdir' $as_dirs"
-      as_dir=`$as_dirname -- "$as_dir" ||
-$as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
-	 X"$as_dir" : 'X\(//\)[^/]' \| \
-	 X"$as_dir" : 'X\(//\)$' \| \
-	 X"$as_dir" : 'X\(/\)' \| . 2>/dev/null ||
-$as_echo X"$as_dir" |
-    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
-	    s//\1/
-	    q
-	  }
-	  /^X\(\/\/\)[^/].*/{
-	    s//\1/
-	    q
-	  }
-	  /^X\(\/\/\)$/{
-	    s//\1/
-	    q
-	  }
-	  /^X\(\/\).*/{
-	    s//\1/
-	    q
-	  }
-	  s/.*/./; q'`
-      test -d "$as_dir" && break
-    done
-    test -z "$as_dirs" || eval "mkdir $as_dirs"
-  } || test -d "$as_dir" || { { $as_echo "$as_me:$LINENO: error: cannot create directory $as_dir" >&5
-$as_echo "$as_me: error: cannot create directory $as_dir" >&2;}
-   { (exit 1); exit 1; }; }; }
+  as_dir="$ac_dir"; as_fn_mkdir_p
   ac_builddir=.
 
 case "$ac_dir" in
@@ -21434,7 +17943,6 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # If the template does not know about datarootdir, expand it.
 # FIXME: This hack should be removed a few years after 2.60.
 ac_datarootdir_hack=; ac_datarootdir_seen=
-
 ac_sed_dataroot='
 /datarootdir/ {
   p
@@ -21444,12 +17952,11 @@ ac_sed_dataroot='
 /@docdir@/p
 /@infodir@/p
 /@localedir@/p
-/@mandir@/p
-'
+/@mandir@/p'
 case `eval "sed -n \"\$ac_sed_dataroot\" $ac_file_inputs"` in
 *datarootdir*) ac_datarootdir_seen=yes;;
 *@datadir@*|*@docdir@*|*@infodir@*|*@localedir@*|*@mandir@*)
-  { $as_echo "$as_me:$LINENO: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&5
 $as_echo "$as_me: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&2;}
 _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
@@ -21459,7 +17966,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
   s&@infodir@&$infodir&g
   s&@localedir@&$localedir&g
   s&@mandir@&$mandir&g
-    s&\\\${datarootdir}&$datarootdir&g' ;;
+  s&\\\${datarootdir}&$datarootdir&g' ;;
 esac
 _ACEOF
 
@@ -21488,14 +17995,12 @@ s&@MKDIR_P@&$ac_MKDIR_P&;t t
 $ac_datarootdir_hack
 "
 eval sed \"\$ac_sed_extra\" "$ac_file_inputs" | $AWK -f "$tmp/subs.awk" >$tmp/out \
-  || { { $as_echo "$as_me:$LINENO: error: could not create $ac_file" >&5
-$as_echo "$as_me: error: could not create $ac_file" >&2;}
-   { (exit 1); exit 1; }; }
+  || as_fn_error "could not create $ac_file" "$LINENO" 5
 
 test -z "$ac_datarootdir_hack$ac_datarootdir_seen" &&
   { ac_out=`sed -n '/\${datarootdir}/p' "$tmp/out"`; test -n "$ac_out"; } &&
   { ac_out=`sed -n '/^[	 ]*datarootdir[	 ]*:*=/p' "$tmp/out"`; test -z "$ac_out"; } &&
-  { $as_echo "$as_me:$LINENO: WARNING: $ac_file contains a reference to the variable \`datarootdir'
+  { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $ac_file contains a reference to the variable \`datarootdir'
 which seems to be undefined.  Please make sure it is defined." >&5
 $as_echo "$as_me: WARNING: $ac_file contains a reference to the variable \`datarootdir'
 which seems to be undefined.  Please make sure it is defined." >&2;}
@@ -21505,13 +18010,11 @@ which seems to be undefined.  Please make sure it is defined." >&2;}
   -) cat "$tmp/out" && rm -f "$tmp/out";;
   *) rm -f "$ac_file" && mv "$tmp/out" "$ac_file";;
   esac \
-  || { { $as_echo "$as_me:$LINENO: error: could not create $ac_file" >&5
-$as_echo "$as_me: error: could not create $ac_file" >&2;}
-   { (exit 1); exit 1; }; }
+  || as_fn_error "could not create $ac_file" "$LINENO" 5
  ;;
 
 
-  :C)  { $as_echo "$as_me:$LINENO: executing $ac_file commands" >&5
+  :C)  { $as_echo "$as_me:${as_lineno-$LINENO}: executing $ac_file commands" >&5
 $as_echo "$as_me: executing $ac_file commands" >&6;}
  ;;
   esac
@@ -21606,47 +18109,7 @@ $as_echo X"$file" |
 	    q
 	  }
 	  s/.*/./; q'`
-      { as_dir=$dirpart/$fdir
-  case $as_dir in #(
-  -*) as_dir=./$as_dir;;
-  esac
-  test -d "$as_dir" || { $as_mkdir_p && mkdir -p "$as_dir"; } || {
-    as_dirs=
-    while :; do
-      case $as_dir in #(
-      *\'*) as_qdir=`$as_echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #'(
-      *) as_qdir=$as_dir;;
-      esac
-      as_dirs="'$as_qdir' $as_dirs"
-      as_dir=`$as_dirname -- "$as_dir" ||
-$as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
-	 X"$as_dir" : 'X\(//\)[^/]' \| \
-	 X"$as_dir" : 'X\(//\)$' \| \
-	 X"$as_dir" : 'X\(/\)' \| . 2>/dev/null ||
-$as_echo X"$as_dir" |
-    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
-	    s//\1/
-	    q
-	  }
-	  /^X\(\/\/\)[^/].*/{
-	    s//\1/
-	    q
-	  }
-	  /^X\(\/\/\)$/{
-	    s//\1/
-	    q
-	  }
-	  /^X\(\/\).*/{
-	    s//\1/
-	    q
-	  }
-	  s/.*/./; q'`
-      test -d "$as_dir" && break
-    done
-    test -z "$as_dirs" || eval "mkdir $as_dirs"
-  } || test -d "$as_dir" || { { $as_echo "$as_me:$LINENO: error: cannot create directory $as_dir" >&5
-$as_echo "$as_me: error: cannot create directory $as_dir" >&2;}
-   { (exit 1); exit 1; }; }; }
+      as_dir=$dirpart/$fdir; as_fn_mkdir_p
       # echo "creating $dirpart/$file"
       echo '# dummy' > "$dirpart/$file"
     done
@@ -22293,15 +18756,12 @@ _LT_EOF
 done # for ac_tag
 
 
-{ (exit 0); exit 0; }
+as_fn_exit 0
 _ACEOF
-chmod +x $CONFIG_STATUS
 ac_clean_files=$ac_clean_files_save
 
 test $ac_write_fail = 0 ||
-  { { $as_echo "$as_me:$LINENO: error: write failure creating $CONFIG_STATUS" >&5
-$as_echo "$as_me: error: write failure creating $CONFIG_STATUS" >&2;}
-   { (exit 1); exit 1; }; }
+  as_fn_error "write failure creating $CONFIG_STATUS" "$LINENO" 5
 
 
 # configure is writing to config.log, and then calls config.status.
@@ -22322,10 +18782,10 @@ if test "$no_create" != yes; then
   exec 5>>config.log
   # Use ||, not &&, to avoid exiting from the if with $? = 1, which
   # would make configure fail if this is the last instruction.
-  $ac_cs_success || { (exit 1); exit 1; }
+  $ac_cs_success || as_fn_exit $?
 fi
 if test -n "$ac_unrecognized_opts" && test "$enable_option_checking" != no; then
-  { $as_echo "$as_me:$LINENO: WARNING: unrecognized options: $ac_unrecognized_opts" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: unrecognized options: $ac_unrecognized_opts" >&5
 $as_echo "$as_me: WARNING: unrecognized options: $ac_unrecognized_opts" >&2;}
 fi
 
diff --git a/configure.in b/configure.in
index f677cb622..8ba844e9b 100644
--- a/configure.in
+++ b/configure.in
@@ -1,12 +1,12 @@
 dnl  configure.in for linux strongSwan
 dnl  Copyright (C) 2006 Martin Willi
 dnl  Hochschule fuer Technik Rapperswil
-dnl 
+dnl
 dnl  This program is free software; you can redistribute it and/or modify it
 dnl  under the terms of the GNU General Public License as published by the
 dnl  Free Software Foundation; either version 2 of the License, or (at your
 dnl  option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
-dnl 
+dnl
 dnl  This program is distributed in the hope that it will be useful, but
 dnl  WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 dnl  or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
@@ -16,21 +16,31 @@ dnl ===========================
 dnl  initialize & set some vars
 dnl ===========================
 
-AC_INIT(strongSwan,4.3.4)
+AC_INIT(strongSwan,4.3.6)
 AM_INIT_AUTOMAKE(tar-ustar)
-AC_SUBST(confdir, '${sysconfdir}')
+AC_CONFIG_MACRO_DIR([m4/config])
 PKG_PROG_PKG_CONFIG
 
 dnl =================================
 dnl  check --enable-xxx & --with-xxx
 dnl =================================
 
-AC_ARG_WITH(
-	[default-pkcs11],
-	AS_HELP_STRING([--with-default-pkcs11=lib],[set the default PKCS11 library other than "/usr/lib/opensc-pkcs11.so"]),
-	[AC_DEFINE_UNQUOTED(PKCS11_DEFAULT_LIB, "$withval")],
-	[AC_DEFINE_UNQUOTED(PKCS11_DEFAULT_LIB, "/usr/lib/opensc-pkcs11.so")]
-)
+m4_include(m4/macros/with.m4)
+
+ARG_WITH_SUBST([default-pkcs11],     [/usr/lib/opensc-pkcs11.so], [set the default PKCS11 library])
+ARG_WITH_SUBST([random-device],      [/dev/random], [set the device to read real random data from])
+ARG_WITH_SUBST([urandom-device],     [/dev/urandom], [set the device to read pseudo random data from])
+ARG_WITH_SUBST([strongswan-conf],    [${sysconfdir}/strongswan.conf], [set the strongswan.conf file location])
+ARG_WITH_SUBST([resolv-conf],        [${sysconfdir}/resolv.conf], [set the file to use in DNS handler plugin])
+ARG_WITH_SUBST([piddir],             [/var/run], [set path for PID and UNIX socket files])
+ARG_WITH_SUBST([ipsecdir],           [${libexecdir%/}/ipsec], [set installation path for ipsec tools])
+ARG_WITH_SUBST([plugindir],          [${ipsecdir%/}/plugins], [set the installation path of plugins])
+ARG_WITH_SUBST([nm-ca-dir],          [/usr/share/ca-certificates], [directory the NM plugin uses to look up trusted root certificates])
+ARG_WITH_SUBST([linux-headers],      [\${top_srcdir}/src/include], [set directory of linux header files to use])
+ARG_WITH_SUBST([routing-table],      [220], [set routing table to use for IPsec routes])
+ARG_WITH_SUBST([routing-table-prio], [220], [set priority for IPsec routing table])
+
+ARG_WITH_SET([capabilities],         [no], [set capability dropping library. Currently only the value "libcap" is supported])
 
 AC_ARG_WITH(
 	[xauth-module],
@@ -38,91 +48,6 @@ AC_ARG_WITH(
 	[AC_DEFINE_UNQUOTED(XAUTH_DEFAULT_LIB, "$withval")],
 )
 
-AC_ARG_WITH(
-	[random-device],
-	AS_HELP_STRING([--with-random-device=dev],[set the device for real random data other than "/dev/random"]),
-	[AC_DEFINE_UNQUOTED(DEV_RANDOM, "$withval")],
-	[AC_DEFINE_UNQUOTED(DEV_RANDOM, "/dev/random")]
-)
-AC_ARG_WITH(
-	[resolv-conf],
-	AS_HELP_STRING([--with-resolv-conf=file],[set the file to use in DNS handler plugin other than "sysconfdir/resolv.conf"]),
-	[AC_SUBST(resolv_conf, "$withval")],
-	[AC_SUBST(resolv_conf, "${sysconfdir}/resolv.conf")]
-)
-
-AC_ARG_WITH(
-	[strongswan-conf],
-	AS_HELP_STRING([--with-strongswan-conf=file],[strongswan.conf file other than "sysconfdir/strongswan.conf"]),
-	[AC_SUBST(strongswan_conf, "$withval")],
-	[AC_SUBST(strongswan_conf, "${sysconfdir}/strongswan.conf")]
-)
-
-AC_ARG_WITH(
-	[urandom-device],
-	AS_HELP_STRING([--with-urandom-device=dev],[set the device for pseudo random data other than "/dev/urandom"]),
-	[AC_DEFINE_UNQUOTED(DEV_URANDOM, "$withval")],
-	[AC_DEFINE_UNQUOTED(DEV_URANDOM, "/dev/urandom")]
-)
-
-AC_ARG_WITH(
-	[piddir],
-	AS_HELP_STRING([--with-piddir=dir],[path for PID and UNIX socket files other than "/var/run"]),
-	[AC_SUBST(piddir, "$withval")],
-	[AC_SUBST(piddir, "/var/run")]
-)
-
-AC_ARG_WITH(
-	[ipsecdir],
-	AS_HELP_STRING([--with-ipsecdir=dir],[installation path for ipsec tools other than "libexecdir/ipsec"]),
-	[AC_SUBST(ipsecdir, "$withval")],
-	[AC_SUBST(ipsecdir, "${libexecdir%/}/ipsec")]
-)
-AC_SUBST(plugindir, "${ipsecdir%/}/plugins")
-
-AC_ARG_WITH(
-	[plugindir],
-	AS_HELP_STRING([--with-plugindir=dir],[installation path for plugins other than "ipsecdir/plugins"]),
-	[AC_SUBST(plugindir, "$withval")],
-	[AC_SUBST(plugindir, "${ipsecdir%/}/plugins")]
-)
-
-AC_ARG_WITH(
-	[sim-reader],
-	AS_HELP_STRING([--with-sim-reader=library.so],[library containing the sim_run_alg()/sim_get_triplet() function for EAP-SIM]),
-	[AC_SUBST(simreader, "$withval")],
-	[AC_SUBST(simreader, "${plugindir%/}/libeapsim-file.so")]
-)
-
-AC_ARG_WITH(
-	[linux-headers],
-	AS_HELP_STRING([--with-linux-headers=dir],[use the linux header files in dir instead of the supplied ones in "src/include"]),
-	[AC_SUBST(linuxdir, "$withval")], [AC_SUBST(linuxdir, "\${top_srcdir}/src/include")]
-)
-AC_SUBST(LINUX_HEADERS)
-
-AC_ARG_WITH(
-	[routing-table],
-	AS_HELP_STRING([--with-routing-table=num],[use routing table for IPsec routes (default: 220)]),
-	[AC_DEFINE_UNQUOTED(IPSEC_ROUTING_TABLE, $withval) AC_SUBST(IPSEC_ROUTING_TABLE, "$withval")], 
-	[AC_DEFINE_UNQUOTED(IPSEC_ROUTING_TABLE, 220) AC_SUBST(IPSEC_ROUTING_TABLE, "220")]
-)
-
-AC_ARG_WITH(
-	[routing-table-prio],
-	AS_HELP_STRING([--with-routing-table-prio=prio],[priority for IPsec routing table (default: 220)]),
-	[AC_DEFINE_UNQUOTED(IPSEC_ROUTING_TABLE_PRIO, $withval) AC_SUBST(IPSEC_ROUTING_TABLE_PRIO, "$withval")], 
-	[AC_DEFINE_UNQUOTED(IPSEC_ROUTING_TABLE_PRIO, 220) AC_SUBST(IPSEC_ROUTING_TABLE_PRIO, "220")]
-)
-
-AC_ARG_WITH(
-	[uid],,[AC_MSG_ERROR([--with-uid is gone, use --with-user instead!])]
-)
-
-AC_ARG_WITH(
-	[gid],,[AC_MSG_ERROR([--with-gid is gone, use --with-group instead!])]
-)
-
 AC_ARG_WITH(
 	[user],
 	AS_HELP_STRING([--with-user=user],[change user of the daemons to "user" after startup (default is "root").]),
@@ -137,614 +62,81 @@ AC_ARG_WITH(
 	[AC_SUBST(ipsecgroup, "root")]
 )
 
-dnl Will be extended to --with-capabilities=libcap|libcap2
-AC_ARG_WITH(
-	[capabilities],
-	AS_HELP_STRING([--with-capabilities=libcap],[capability dropping using libcap. Currenlty only the value "libcap" is supported (default is NO).]),
-	[capabilities="$withval"],
-	[capabilities=no]
-)
-
-AC_ARG_ENABLE(
-	[curl],
-	AS_HELP_STRING([--enable-curl],[enable CURL fetcher plugin to fetch files via libcurl (default is NO). Requires libcurl.]),
-	[if test x$enableval = xyes; then
-		curl=true
-	fi]
-)
-
-AC_ARG_ENABLE(
-	[ldap],
-	AS_HELP_STRING([--enable-ldap],[enable LDAP fetching plugin to fetch files via libldap (default is NO). Requires openLDAP.]),
-	[if test x$enableval = xyes; then
-		ldap=true
-	fi]
-)
-
-AC_ARG_ENABLE(
-	[aes],
-	AS_HELP_STRING([--disable-aes],[disable own AES software implementation plugin. (default is NO).]),
-	[if test x$enableval = xyes; then
-		aes=true
-	 else
-		aes=false
-	fi],
-	aes=true
-)
-
-AC_ARG_ENABLE(
-	[des],
-	AS_HELP_STRING([--disable-des],[disable own DES/3DES software implementation plugin. (default is NO).]),
-	[if test x$enableval = xyes; then
-		des=true
-	 else
-		des=false
-	fi],
-	des=true
-)
-
-AC_ARG_ENABLE(
-	[blowfish],
-	AS_HELP_STRING([--enable-blowfish],[enable Blowfish software implementation plugin (default is NO).]),
-	[if test x$enableval = xyes; then
-		blowfish=true
-	fi]
-)
-
-AC_ARG_ENABLE(
-	[md4],
-	AS_HELP_STRING([--enable-md4],[enable MD4 software implementation plugin (default is NO).]),
-	[if test x$enableval = xyes; then
-		md4=true
-	fi]
-)
-
-AC_ARG_ENABLE(
-	[md5],
-	AS_HELP_STRING([--disable-md5],[disable own MD5 software implementation plugin. (default is NO).]),
-	[if test x$enableval = xyes; then
-		md5=true
-	 else
-		md5=false
-	fi],
-	md5=true
-)
-
-AC_ARG_ENABLE(
-	[sha1],
-	AS_HELP_STRING([--disable-sha1],[disable own SHA1 software implementation plugin. (default is NO).]),
-	[if test x$enableval = xyes; then
-		sha1=true
-	 else
-		sha1=false
-	fi],
-	sha1=true
-)
-
-AC_ARG_ENABLE(
-	[sha2],
-	AS_HELP_STRING([--disable-sha2],[disable own SHA256/SHA384/SHA512 software implementation plugin. (default is NO).]),
-	[if test x$enableval = xyes; then
-		sha2=true
-	 else
-		sha2=false
-	fi],
-	sha2=true
-)
-
-AC_ARG_ENABLE(
-	[fips-prf],
-	AS_HELP_STRING([--disable-fips-prf],[disable FIPS PRF software implementation plugin. (default is NO).]),
-	[if test x$enableval = xyes; then
-		fips_prf=true
-	 else
-		fips_prf=false
-	fi],
-	fips_prf=true
-)
-
-AC_ARG_ENABLE(
-	[gmp],
-	AS_HELP_STRING([--disable-gmp],[disable own GNU MP (libgmp) based crypto implementation plugin. (default is NO).]),
-	[if test x$enableval = xyes; then
-		gmp=true
-	 else
-		gmp=false
-	fi],
-	gmp=true
-)
-
-AC_ARG_ENABLE(
-	[random],
-	AS_HELP_STRING([--disable-random],[disable RNG implementation on top of /dev/(u)random. (default is NO).]),
-	[if test x$enableval = xyes; then
-		random=true
-	 else
-		random=false
-	fi],
-	random=true
-)
-
-AC_ARG_ENABLE(
-	[x509],
-	AS_HELP_STRING([--disable-x509],[disable own X509 certificate implementation plugin. (default is NO).]),
-	[if test x$enableval = xyes; then
-		x509=true
-	 else
-		x509=false
-	fi],
-	x509=true
-)
-
-AC_ARG_ENABLE(
-	[pubkey],
-	AS_HELP_STRING([--disable-pubkey],[disable RAW public key support plugin. (default is NO).]),
-	[if test x$enableval = xyes; then
-		pubkey=true
-	 else
-		pubkey=false
-	fi],
-	pubkey=true
-)
-
-AC_ARG_ENABLE(
-	[hmac],
-	AS_HELP_STRING([--disable-hmac],[disable HMAC crypto implementation plugin. (default is NO).]),
-	[if test x$enableval = xyes; then
-		hmac=true
-	 else
-		hmac=false
-	fi],
-	hmac=true
-)
-
-AC_ARG_ENABLE(
-	[xcbc],
-	AS_HELP_STRING([--disable-xcbc],[disable xcbc crypto implementation plugin. (default is NO).]),
-	[if test x$enableval = xyes; then
-		xcbc=true
-	 else
-		xcbc=false
-	fi],
-	xcbc=true
-)
-
-AC_ARG_ENABLE(
-	[test-vectors],
-	AS_HELP_STRING([--enable-test-vectors],[enable plugin providing crypto test vectors (default is NO).]),
-	[if test x$enableval = xyes; then
-		test_vectors=true
-	fi]
-)
-
-AC_ARG_ENABLE(
-	[mysql],
-	AS_HELP_STRING([--enable-mysql],[enable MySQL database support (default is NO). Requires libmysqlclient_r.]),
-	[if test x$enableval = xyes; then
-		mysql=true
-	fi]
-)
-
-AC_ARG_ENABLE(
-	[sqlite],
-	AS_HELP_STRING([--enable-sqlite],[enable SQLite database support (default is NO). Requires libsqlite3.]),
-	[if test x$enableval = xyes; then
-		sqlite=true
-	fi]
-)
-
-AC_ARG_ENABLE(
-	[stroke],
-	AS_HELP_STRING([--disable-stroke],[disable charons stroke (pluto compatibility) configuration backend. (default is NO).]),
-	[if test x$enableval = xyes; then
-		stroke=true
-	 else
-		stroke=false
-	fi],
-	stroke=true
-)
-
-AC_ARG_ENABLE(
-	[medsrv],
-	AS_HELP_STRING([--enable-medsrv],[enable mediation server web frontend and daemon plugin (default is NO).]),
-	[if test x$enableval = xyes; then
-		medsrv=true
-	fi]
-)
-
-AC_ARG_ENABLE(
-	[medcli],
-	AS_HELP_STRING([--enable-medcli],[enable mediation client configuration database plugin (default is NO).]),
-	[if test x$enableval = xyes; then
-		medcli=true
-	fi]
-)
-
-AC_ARG_ENABLE(
-	[smp],
-	AS_HELP_STRING([--enable-smp],[enable SMP configuration and control interface (default is NO). Requires libxml.]),
-	[if test x$enableval = xyes; then
-		smp=true
-	fi]
-)
-
-AC_ARG_ENABLE(
-	[sql],
-	AS_HELP_STRING([--enable-sql],[enable SQL database configuration backend (default is NO).]),
-	[if test x$enableval = xyes; then
-		sql=true
-	fi]
-)
-
-AC_ARG_ENABLE(
-	[smartcard],
-	AS_HELP_STRING([--enable-smartcard],[enable smartcard support (default is NO).]),
-	[if test x$enableval = xyes; then
-		smartcard=true
-	fi]
-)
-
-AC_ARG_ENABLE(
-	[cisco-quirks],
-	AS_HELP_STRING([--enable-cisco-quirks],[enable support of Cisco VPN client (default is NO).]),
-	[if test x$enableval = xyes; then
-		cisco_quirks=true
-	fi]
-)
-
-AC_ARG_ENABLE(
-	[leak-detective],
-	AS_HELP_STRING([--enable-leak-detective],[enable malloc hooks to find memory leaks (default is NO).]),
-	[if test x$enableval = xyes; then
-		leak_detective=true
-	fi]
-)
-
-AC_ARG_ENABLE(
-	[lock-profiler],
-	AS_HELP_STRING([--enable-lock-profiler],[enable lock/mutex profiling code (default is NO).]),
-	[if test x$enableval = xyes; then
-		lock_profiler=true
-	fi]
-)
-
-AC_ARG_ENABLE(
-	[unit-tests],
-	AS_HELP_STRING([--enable-unit-tests],[enable unit tests on IKEv2 daemon startup (default is NO).]),
-	[if test x$enableval = xyes; then
-		unittest=true
-	fi]
-)
-
-AC_ARG_ENABLE(
-	[load-tests],
-	AS_HELP_STRING([--enable-load-tests],[enable load testing plugin for IKEv2 daemon (default is NO).]),
-	[if test x$enableval = xyes; then
-		loadtest=true
-	fi]
-)
-
-AC_ARG_ENABLE(
-	[eap-sim],
-	AS_HELP_STRING([--enable-eap-sim],[build SIM authenication module for EAP (default is NO).]),
-	[if test x$enableval = xyes; then
-		eap_sim=true
-	fi]
-)
-
-AC_ARG_ENABLE(
-	[eap-sim-file],
-	AS_HELP_STRING([--enable-eap-sim-file],[build EAP-SIM backend based on a triplet file (default is NO).]),
-	[if test x$enableval = xyes; then
-		eap_sim_file=true
-	fi]
-)
-
-AC_ARG_ENABLE(
-	[eap-identity],
-	AS_HELP_STRING([--enable-eap-identity],[build EAP module providing EAP-Identity helper (default is NO).]),
-	[if test x$enableval = xyes; then
-		eap_identity=true
-	fi]
-)
-
-AC_ARG_ENABLE(
-	[eap-md5],
-	AS_HELP_STRING([--enable-eap-md5],[build MD5 (CHAP) authenication module for EAP (default is NO).]),
-	[if test x$enableval = xyes; then
-		eap_md5=true
-	fi]
-)
-
-AC_ARG_ENABLE(
-	[eap-gtc],
-	AS_HELP_STRING([--enable-eap-gtc],[build PAM based GTC authenication module for EAP (default is NO).]),
-	[if test x$enableval = xyes; then
-		eap_gtc=true
-	fi]
-)
-
-AC_ARG_ENABLE(
-	[eap-aka],
-	AS_HELP_STRING([--enable-eap-aka],[build AKA authentication module for EAP (default is NO).]),
-	[if test x$enableval = xyes; then
-		eap_aka=true
-	fi]
-)
-
-AC_ARG_ENABLE(
-	[eap-mschapv2],
-	AS_HELP_STRING([--enable-eap-mschapv2],[build MS-CHAPv2 authenication module for EAP (default is NO).]),
-	[if test x$enableval = xyes; then
-		eap_mschapv2=true
-	fi]
-)
-
-AC_ARG_ENABLE(
-	[eap-radius],
-	AS_HELP_STRING([--enable-eap-radius],[build RADIUS proxy authenication module for EAP (default is NO).]),
-	[if test x$enableval = xyes; then
-		eap_radius=true
-	fi]
-)
-
-AC_ARG_ENABLE(
-	[kernel-netlink],
-	AS_HELP_STRING([--disable-kernel-netlink],[disable the netlink kernel interface. (default is NO).]),
-	[if test x$enableval = xyes; then
-		kernel_netlink=true
-	 else
-		kernel_netlink=false
-	fi],
-	kernel_netlink=true
-)
-
-AC_ARG_ENABLE(
-	[kernel-pfkey],
-	AS_HELP_STRING([--enable-kernel-pfkey],[enable the PF_KEY kernel interface. (default is NO).]),
-	[if test x$enableval = xyes; then
-		kernel_pfkey=true
-	fi]
-)
-
-AC_ARG_ENABLE(
-	[kernel-pfroute],
-	AS_HELP_STRING([--enable-kernel-pfroute],[enable the PF_ROUTE kernel interface. (default is NO).]),
-	[if test x$enableval = xyes; then
-		kernel_pfroute=true
-	fi]
-)
-
-AC_ARG_ENABLE(
-	[kernel-klips],
-	AS_HELP_STRING([--enable-kernel-klips],[enable the KLIPS kernel interface. (default is NO).]),
-	[if test x$enableval = xyes; then
-		kernel_klips=true
-	fi]
-)
-
-AC_ARG_ENABLE(
-	[nat-transport],
-	AS_HELP_STRING([--enable-nat-transport],[enable NAT traversal with IPsec transport mode (default is NO).]),
-	[if test x$enableval = xyes; then
-		nat_transport=true
-	fi]
-)
-
-AC_ARG_ENABLE(
-	[vendor-id],
-	AS_HELP_STRING([--disable-vendor-id],[disable the sending of the strongSwan vendor ID (default is NO).]),
-	[if test x$enableval = xyes; then
-		vendor_id=true
-	 else
-		vendor_id=false
-	fi],
-	vendor_id=true
-)
-
-AC_ARG_ENABLE(
-	[xauth-vid],
-	AS_HELP_STRING([--disable-xauth-vid],[disable the sending of the XAUTH vendor ID (default is NO).]),
-	[if test x$enableval = xyes; then
-		xauth_vid=true
-	 else
-		xauth_vid=false
-	fi],
-	xauth_vid=true
-)
-
-AC_ARG_ENABLE(
-	[dumm],
-	AS_HELP_STRING([--enable-dumm],[build the DUMM UML test framework (default is NO).]),
-	[if test x$enableval = xyes; then
-		dumm=true
-	fi]
-)
-
-AC_ARG_ENABLE(
-	[fast],
-	AS_HELP_STRING([--enable-fast],[build libfast (FastCGI Application Server w/ templates (default is NO).]),
-	[if test x$enableval = xyes; then
-		fast=true
-	fi]
-)
-
-AC_ARG_ENABLE(
-	[manager],
-	AS_HELP_STRING([--enable-manager],[build web management console (default is NO).]),
-	[if test x$enableval = xyes; then
-		manager=true
-		xml=true
-	fi]
-)
-
-AC_ARG_ENABLE(
-	[mediation],
-	AS_HELP_STRING([--enable-mediation],[enable IKEv2 Mediation Extension (default is NO).]),
-	[if test x$enableval = xyes; then
-		me=true
-	fi]
-)
-
-AC_ARG_ENABLE(
-	[integrity-test],
-	AS_HELP_STRING([--enable-integrity-test],[enable integrity testing of libstrongswan and plugins (default is NO).]),
-	[if test x$enableval = xyes; then
-		integrity_test=true 
-	fi]
-)
-
-AC_ARG_ENABLE(
-	[pluto],
-	AS_HELP_STRING([--disable-pluto],[disable the IKEv1 keying daemon pluto. (default is NO).]),
-	[if test x$enableval = xyes; then
-		pluto=true
-	 else
-		pluto=false
-	fi],
-	pluto=true
-)
-
-AC_ARG_ENABLE(
-	[threads],
-	AS_HELP_STRING([--disable-threads],[disable the use of threads in pluto. Charon always uses threads. (default is NO).]),
-	[if test x$enableval = xyes; then
-		threads=true
-	 else
-		threads=false
-	fi],
-	threads=true
-)
-
-AC_ARG_ENABLE(
-	[charon],
-	AS_HELP_STRING([--disable-charon],[disable the IKEv2 keying daemon charon. (default is NO).]),
-	[if test x$enableval = xyes; then
-		charon=true
-	 else
-		charon=false
-	fi],
-	charon=true
-)
-
-AC_ARG_ENABLE(
-	[tools],
-	AS_HELP_STRING([--disable-tools],[disable additional utilities (openac and scepclient). (default is NO).]),
-	[if test x$enableval = xyes; then
-		tools=true
-	 else
-		tools=false
-	fi],
-	tools=true
-)
-
-AC_ARG_ENABLE(
-	[scripts],
-	AS_HELP_STRING([--disable-scripts],[disable additional utilities (found in directory scripts). (default is NO).]),
-	[if test x$enableval = xyes; then
-		scripts=true
-	 else
-		scripts=false
-	fi],
-	scripts=true
-)
-
-AC_ARG_ENABLE(
-	[updown],
-	AS_HELP_STRING([--disable-updown],[disable updown firewall script plugin. (default is NO).]),
-	[if test x$enableval = xyes; then
-		updown=true
-	 else
-		updown=false
-	fi],
-	updown=true
-)
-
-AC_ARG_ENABLE(
-	[attr],
-	AS_HELP_STRING([--disable-attr],[disable strongswan.conf based configuration attribute plugin. (default is NO).]),
-	[if test x$enableval = xyes; then
-		attr=true
-	 else
-		attr=false
-	fi],
-	attr=true
-)
-
-AC_ARG_ENABLE(
-	[resolv-conf],
-	AS_HELP_STRING([--disable-resolv-conf],[disable resolv.conf DNS handler plugin. (default is NO).]),
-	[if test x$enableval = xyes; then
-		resolvconf=true
-	 else
-		resolvconf=false
-	fi],
-	resolvconf=true
-)
-
-AC_ARG_ENABLE(
-	[padlock],
-	AS_HELP_STRING([--enable-padlock],[enables VIA Padlock crypto plugin. (default is NO).]),
-	[if test x$enableval = xyes; then
-		padlock=true
-	 else
-		padlock=false
-	fi],
-)
-
-AC_ARG_ENABLE(
-	[openssl],
-	AS_HELP_STRING([--enable-openssl],[enables the OpenSSL crypto plugin. (default is NO).]),
-	[if test x$enableval = xyes; then
-		openssl=true
-	 else
-		openssl=false
-	fi],
-)
-
-AC_ARG_ENABLE(
-	[gcrypt],
-	AS_HELP_STRING([--enable-gcrypt],[enables the libgcrypt plugin. (default is NO).]),
-	[if test x$enableval = xyes; then
-		gcrypt=true
-	 else
-		gcrypt=false
-	fi],
-)
-
-AC_ARG_ENABLE(
-	[agent],
-	AS_HELP_STRING([--enable-agent],[enables the ssh-agent signing plugin. (default is NO).]),
-	[if test x$enableval = xyes; then
-		agent=true
-	 else
-		agent=false
-	fi],
-)
-
-AC_ARG_ENABLE(
-	[uci],
-	AS_HELP_STRING([--enable-uci],[enable OpenWRT UCI configuration plugin (default is NO).]),
-	[if test x$enableval = xyes; then
-		uci=true
-	fi]
-)
-
-AC_ARG_ENABLE(
-	[nm],
-	AS_HELP_STRING([--enable-nm],[enable NetworkManager plugin (default is NO).]),
-	[if test x$enableval = xyes; then
-		nm=true
-	fi]
-)
-
-AC_ARG_ENABLE(
-	[vstr],
-	AS_HELP_STRING([--enable-vstr],[enforce using the Vstr string library to replace glibc-like printf hooks (default is NO).]),
-	[if test x$enableval = xyes; then
-	 	vstr=true
-	fi]
-)
+m4_include(m4/macros/enable-disable.m4)
+
+ARG_ENABL_SET([curl],           [enable CURL fetcher plugin to fetch files via libcurl. Requires libcurl.])
+ARG_ENABL_SET([ldap],           [enable LDAP fetching plugin to fetch files via libldap. Requires openLDAP.])
+ARG_DISBL_SET([aes],            [disable AES software implementation plugin.])
+ARG_DISBL_SET([des],            [disable DES/3DES software implementation plugin.])
+ARG_ENABL_SET([blowfish],       [enable Blowfish software implementation plugin.])
+ARG_ENABL_SET([md4],            [enable MD4 software implementation plugin.])
+ARG_DISBL_SET([md5],            [disable MD5 software implementation plugin.])
+ARG_DISBL_SET([sha1],           [disable SHA1 software implementation plugin.])
+ARG_DISBL_SET([sha2],           [disable SHA256/SHA384/SHA512 software implementation plugin.])
+ARG_DISBL_SET([fips-prf],       [disable FIPS PRF software implementation plugin.])
+ARG_DISBL_SET([gmp],            [disable GNU MP (libgmp) based crypto implementation plugin.])
+ARG_DISBL_SET([random],         [disable RNG implementation on top of /dev/(u)random.])
+ARG_DISBL_SET([x509],           [disable X509 certificate implementation plugin.])
+ARG_DISBL_SET([pubkey],         [disable RAW public key support plugin.])
+ARG_DISBL_SET([pkcs1],          [disable PKCS1 key decoding plugin.])
+ARG_DISBL_SET([pgp],            [disable PGP key decoding plugin.])
+ARG_DISBL_SET([dnskey],         [disable DNS RR key decoding plugin.])
+ARG_DISBL_SET([pem],            [disable PEM decoding plugin.])
+ARG_DISBL_SET([hmac],           [disable HMAC crypto implementation plugin.])
+ARG_DISBL_SET([xcbc],           [disable xcbc crypto implementation plugin.])
+ARG_ENABL_SET([test-vectors],   [enable plugin providing crypto test vectors.])
+ARG_ENABL_SET([mysql],          [enable MySQL database support. Requires libmysqlclient_r.])
+ARG_ENABL_SET([sqlite],         [enable SQLite database support. Requires libsqlite3.])
+ARG_DISBL_SET([stroke],         [disable charons stroke (pluto compatibility) configuration backend.])
+ARG_ENABL_SET([medsrv],         [enable mediation server web frontend and daemon plugin.])
+ARG_ENABL_SET([medcli],         [enable mediation client configuration database plugin.])
+ARG_ENABL_SET([smp],            [enable SMP configuration and control interface. Requires libxml.])
+ARG_ENABL_SET([sql],            [enable SQL database configuration backend.])
+ARG_ENABL_SET([smartcard],      [enable smartcard support.])
+ARG_ENABL_SET([cisco-quirks],   [enable support of Cisco VPN client.])
+ARG_ENABL_SET([leak-detective], [enable malloc hooks to find memory leaks.])
+ARG_ENABL_SET([lock-profiler],  [enable lock/mutex profiling code.])
+ARG_ENABL_SET([unit-tests],     [enable unit tests on IKEv2 daemon startup.])
+ARG_ENABL_SET([load-tester],    [enable load testing plugin for IKEv2 daemon.])
+ARG_ENABL_SET([eap-sim],        [enable SIM authenication module for EAP.])
+ARG_ENABL_SET([eap-sim-file],   [enable EAP-SIM backend based on a triplet file.])
+ARG_ENABL_SET([eap-simaka-pseudonym], [enable EAP-SIM/AKA pseudonym storage plugin.])
+ARG_ENABL_SET([eap-simaka-reauth],    [enable EAP-SIM/AKA reauthentication data storage plugin.])
+ARG_ENABL_SET([eap-identity],   [enable EAP module providing EAP-Identity helper.])
+ARG_ENABL_SET([eap-md5],        [enable EAP MD5 (CHAP) authenication module.])
+ARG_ENABL_SET([eap-gtc],        [enable PAM based EAP GTC authenication module.])
+ARG_ENABL_SET([eap-aka],        [enable EAP AKA authentication module.])
+ARG_ENABL_SET([eap-aka-3gpp2],  [enable EAP AKA backend implementing 3GPP2 algorithms in software. Requires libgmp.])
+ARG_ENABL_SET([eap-mschapv2],   [enable EAP MS-CHAPv2 authenication module.])
+ARG_ENABL_SET([eap-radius],     [enable RADIUS proxy authenication module.])
+ARG_DISBL_SET([kernel-netlink], [disable the netlink kernel interface.])
+ARG_ENABL_SET([kernel-pfkey],   [enable the PF_KEY kernel interface.])
+ARG_ENABL_SET([kernel-pfroute], [enable the PF_ROUTE kernel interface.])
+ARG_ENABL_SET([kernel-klips],   [enable the KLIPS kernel interface.])
+ARG_ENABL_SET([nat-transport],  [enable NAT traversal with IPsec transport mode in pluto.])
+ARG_DISBL_SET([vendor-id],      [disable the sending of the strongSwan vendor ID in pluto.])
+ARG_DISBL_SET([xauth-vid],      [disable the sending of the XAUTH vendor ID.])
+ARG_ENABL_SET([dumm],           [enable the DUMM UML test framework.])
+ARG_ENABL_SET([fast],           [enable libfast (FastCGI Application Server w/ templates.])
+ARG_ENABL_SET([manager],        [enable web management console (proof of concept).])
+ARG_ENABL_SET([mediation],      [enable IKEv2 Mediation Extension.])
+ARG_ENABL_SET([integrity-test], [enable integrity testing of libstrongswan and plugins.])
+ARG_DISBL_SET([pluto],          [disable the IKEv1 keying daemon pluto.])
+ARG_DISBL_SET([threads],        [disable the use of threads in pluto. Charon always uses threads.])
+ARG_DISBL_SET([charon],         [disable the IKEv2 keying daemon charon.])
+ARG_DISBL_SET([tools],          [disable additional utilities (openac, scepclient and pki).])
+ARG_DISBL_SET([scripts],        [disable additional utilities (found in directory scripts).])
+ARG_DISBL_SET([updown],         [disable updown firewall script plugin.])
+ARG_DISBL_SET([attr],           [disable strongswan.conf based configuration attribute plugin.])
+ARG_ENABL_SET([attr-sql],       [enable SQL based configuration attribute plugin.])
+ARG_DISBL_SET([resolve],        [disable resolve DNS handler plugin.])
+ARG_ENABL_SET([padlock],        [enables VIA Padlock crypto plugin.])
+ARG_ENABL_SET([openssl],        [enables the OpenSSL crypto plugin.])
+ARG_ENABL_SET([gcrypt],         [enables the libgcrypt plugin.])
+ARG_ENABL_SET([agent],          [enables the ssh-agent signing plugin.])
+ARG_ENABL_SET([uci],            [enable OpenWRT UCI configuration plugin.])
+ARG_ENABL_SET([nm],             [enable NetworkManager plugin.])
+ARG_ENABL_SET([vstr],           [enforce using the Vstr string library to replace glibc-like printf hooks.])
 
 dnl =========================
 dnl  set up compiler and flags
@@ -804,24 +196,25 @@ dnl =========================
 dnl  dependency calculation
 dnl =========================
 
-if test x$eap_aka = xtrue; then
+if test x$eap_aka_3gpp2 = xtrue; then
 	gmp=true;
+fi
+
+if test x$eap_aka = xtrue; then
 	fips_prf=true;
 	sha1=true;
+	simaka=true;
 fi
 
 if test x$eap_sim = xtrue; then
 	fips_prf=true;
+	simaka=true;
 fi
 
 if test x$fips_prf = xtrue; then
 	sha1=true;
 fi
 
-if test x$tools = xtrue; then
-	gmp=true;
-fi
-
 if test x$smp = xtrue; then
 	xml=true
 fi
@@ -831,12 +224,12 @@ if test x$manager = xtrue; then
 fi
 
 if test x$medsrv = xtrue; then
-	me=true
+	mediation=true
 	fast=true
 fi
 
 if test x$medcli = xtrue; then
-	me=true
+	mediation=true
 fi
 
 dnl ===========================================
@@ -868,6 +261,17 @@ AC_SEARCH_LIBS(socket, socket, [SOCKLIB=$LIBS],
 )
 AC_SUBST(SOCKLIB)
 
+dnl FreeBSD has clock_gettime in libc, Linux needs librt
+LIBS=""
+AC_SEARCH_LIBS(clock_gettime, rt, [RTLIB=$LIBS])
+AC_CHECK_FUNCS(clock_gettime)
+AC_SUBST(RTLIB)
+
+dnl Android has pthread_* functions in bionic (libc), others need libpthread
+LIBS=""
+AC_SEARCH_LIBS(pthread_create, pthread, [PTHREADLIB=$LIBS])
+AC_SUBST(PTHREADLIB)
+
 LIBS=$saved_LIBS
 dnl ======================
 
@@ -881,6 +285,33 @@ AC_TRY_COMPILE(
 	[AC_MSG_RESULT([no])]
 )
 
+dnl check if pthread_condattr_setclock(CLOCK_MONOTONE) is supported
+saved_LIBS=$LIBS
+LIBS=$PTHREADLIB
+AC_MSG_CHECKING([for pthread_condattr_setclock(CLOCK_MONOTONE)])
+AC_TRY_RUN(
+	[#include <pthread.h>
+	 int main() { pthread_condattr_t attr;
+		pthread_condattr_init(&attr);
+		return pthread_condattr_setclock(&attr, CLOCK_MONOTONIC);}],
+	[AC_MSG_RESULT([yes]); AC_DEFINE([HAVE_CONDATTR_CLOCK_MONOTONIC])],
+	[AC_MSG_RESULT([no])],
+	dnl Check existence of pthread_condattr_setclock if cross-compiling
+	[AC_MSG_RESULT([unknown]);
+	 AC_CHECK_FUNCS(pthread_condattr_setclock,
+		[AC_DEFINE([HAVE_CONDATTR_CLOCK_MONOTONIC])]
+	)]
+)
+dnl check if we actually are able to configure attributes on cond vars
+AC_CHECK_FUNCS(pthread_condattr_init)
+dnl instead of pthread_condattr_setclock Android has this function
+AC_CHECK_FUNCS(pthread_cond_timedwait_monotonic)
+dnl check if we can cancel threads
+AC_CHECK_FUNCS(pthread_cancel)
+dnl check if native rwlocks are available
+AC_CHECK_FUNCS(pthread_rwlock_init)
+LIBS=$saved_LIBS
+
 AC_CHECK_FUNCS(prctl)
 
 AC_CHECK_HEADERS(sys/sockio.h)
@@ -903,6 +334,32 @@ AC_CHECK_MEMBERS([struct sadb_x_policy.sadb_x_policy_priority], [], [],
 	#endif
 ])
 
+AC_MSG_CHECKING([for in6addr_any])
+AC_TRY_COMPILE(
+	[#include <sys/types.h>
+	#include <sys/socket.h>
+	#include <netinet/in.h>],
+	[struct in6_addr in6;
+	in6 = in6addr_any;],
+	[AC_MSG_RESULT([yes]); AC_DEFINE([HAVE_IN6ADDR_ANY])],
+	[AC_MSG_RESULT([no])]
+)
+
+AC_MSG_CHECKING([for in6_pktinfo])
+AC_TRY_COMPILE(
+	[#define _GNU_SOURCE
+	#include <sys/types.h>
+	#include <sys/socket.h>
+	#include <netinet/in.h>],
+	[struct in6_pktinfo pi;
+	if (pi.ipi6_ifindex)
+	{
+		return 0;
+	}],
+	[AC_MSG_RESULT([yes]); AC_DEFINE([HAVE_IN6_PKTINFO])],
+	[AC_MSG_RESULT([no])]
+)
+
 AC_MSG_CHECKING([for IPSEC_MODE_BEET])
 AC_TRY_COMPILE(
 	[#include <sys/types.h>
@@ -953,13 +410,19 @@ AC_TRY_RUN(
 [AC_MSG_RESULT([no])],
 [AC_MSG_RESULT([no])])
 
+dnl check for the new register_printf_specifier function with len argument,
+dnl or the deprecated register_printf_function without
 AC_CHECK_FUNC(
-	[register_printf_function],
-	[AC_DEFINE(HAVE_PRINTF_HOOKS)],
-	[
-		AC_MSG_NOTICE([printf does not support custom format specifiers!])
-		vstr=true
-	]
+	[register_printf_specifier],
+	[AC_DEFINE(HAVE_PRINTF_SPECIFIER)],
+	[AC_CHECK_FUNC(
+		[register_printf_function],
+		[AC_DEFINE(HAVE_PRINTF_FUNCTION)],
+		[
+			AC_MSG_NOTICE([printf does not support custom format specifiers!])
+			vstr=true
+		]
+	)]
 )
 
 if test x$vstr = xtrue; then
@@ -976,7 +439,7 @@ if test x$gmp = xtrue; then
 			#if (__GNU_MP_VERSION*100 +  __GNU_MP_VERSION_MINOR*10 + __GNU_MP_VERSION_PATCHLEVEL) < 414
 				#error bad gmp
 			#endif
-		], 
+		],
 		[AC_MSG_RESULT([yes])], [AC_MSG_RESULT([no]); AC_MSG_ERROR([No usable gmp.h found!])]
 	)
 fi
@@ -1034,14 +497,18 @@ if test x$fast = xtrue; then
 	AC_HAVE_LIBRARY([z],[LIBS="$LIBS"],[AC_MSG_ERROR([ClearSilver dependency zlib not found!])])
 dnl autoconf does not like CamelCase!? How to fix this?
 dnl	AC_CHECK_HEADER([ClearSilver/ClearSilver.h],,[AC_MSG_ERROR([ClearSilver header file ClearSilver/ClearSilver.h not found!])])
-	
+
 	AC_HAVE_LIBRARY([fcgi],[LIBS="$LIBS"],[AC_MSG_ERROR([FastCGI library fcgi not found!])])
 	AC_CHECK_HEADER([fcgiapp.h],,[AC_MSG_ERROR([FastCGI header file fcgiapp.h not found!])])
 fi
 
 if test x$mysql = xtrue; then
-	AC_HAVE_LIBRARY([mysqlclient_r],[LIBS="$LIBS"],[AC_MSG_ERROR([MySQL library mysqlclient_r not found])])
-	AC_CHECK_HEADER([mysql/mysql.h],,[AC_MSG_ERROR([MySQL header mysql/mysql.h not found!])])
+	AC_PATH_PROG([MYSQLCONFIG], [mysql_config], [], [$PATH:/bin:/usr/bin:/usr/local/bin])
+	if test x$MYSQLCONFIG = x; then
+		AC_MSG_ERROR([mysql_config not found!])
+	fi
+	AC_SUBST(MYSQLLIB, `$MYSQLCONFIG --libs_r`)
+	AC_SUBST(MYSQLCFLAG, `$MYSQLCONFIG --cflags`)
 fi
 
 if test x$sqlite = xtrue; then
@@ -1052,7 +519,7 @@ if test x$sqlite = xtrue; then
 		[#include <sqlite3.h>],
 		[
 			void *test = sqlite3_prepare_v2;
-		], 
+		],
 		[AC_MSG_RESULT([yes])]; AC_DEFINE_UNQUOTED(HAVE_SQLITE3_PREPARE_V2, 1), [AC_MSG_RESULT([no])])
 	AC_MSG_CHECKING([sqlite3.h version >= 3.3.1])
 	AC_TRY_COMPILE(
@@ -1061,7 +528,7 @@ if test x$sqlite = xtrue; then
 			#if SQLITE_VERSION_NUMBER < 3003001
 				#error bad sqlite
 			#endif
-		], 
+		],
 		[AC_MSG_RESULT([yes])], [AC_MSG_RESULT([no]); AC_MSG_ERROR([SQLite version >= 3.3.1 required!])])
 fi
 
@@ -1071,7 +538,8 @@ if test x$openssl = xtrue; then
 fi
 
 if test x$gcrypt = xtrue; then
-	AM_PATH_LIBGCRYPT(,,[AC_MSG_ERROR([libgcrypt not found!])])
+	AC_HAVE_LIBRARY([gcrypt],[LIBS="$LIBS"],[AC_MSG_ERROR([gcrypt library not found])])
+	AC_CHECK_HEADER([gcrypt.h],,[AC_MSG_ERROR([gcrypt header gcrypt.h not found!])])
 	AC_MSG_CHECKING([gcrypt CAMELLIA cipher])
 	AC_TRY_COMPILE(
 		[#include <gcrypt.h>],
@@ -1087,7 +555,10 @@ if test x$uci = xtrue; then
 fi
 
 if test x$nm = xtrue; then
-	PKG_CHECK_MODULES(nm, [NetworkManager libnm_glib_vpn gthread-2.0])
+	PKG_CHECK_EXISTS([libnm-glib],
+		[PKG_CHECK_MODULES(nm, [NetworkManager gthread-2.0 libnm-glib libnm-glib-vpn])],
+		[PKG_CHECK_MODULES(nm, [NetworkManager gthread-2.0 libnm_glib libnm_glib_vpn])]
+	)
 	AC_SUBST(nm_CFLAGS)
 	AC_SUBST(nm_LIBS)
 fi
@@ -1107,7 +578,7 @@ if test x$integrity_test = xtrue; then
 	AC_TRY_COMPILE(
 		[#define _GNU_SOURCE
 		 #include <dlfcn.h>],
-		[Dl_info info; dladdr(main, &info);], 
+		[Dl_info info; dladdr(main, &info);],
 		[AC_MSG_RESULT([yes])], [AC_MSG_RESULT([no]);
 		 AC_MSG_ERROR([dladdr() not supported, required by integrity-test!])]
 	)
@@ -1115,7 +586,7 @@ if test x$integrity_test = xtrue; then
 	AC_TRY_COMPILE(
 		[#define _GNU_SOURCE
 		 #include <link.h>],
-		[dl_iterate_phdr((void*)0, (void*)0);], 
+		[dl_iterate_phdr((void*)0, (void*)0);],
 		[AC_MSG_RESULT([yes])], [AC_MSG_RESULT([no]);
 		 AC_MSG_ERROR([dl_iterate_phdr() not supported, required by integrity-test!])]
 	)
@@ -1176,16 +647,39 @@ if test x$random = xtrue; then
 fi
 if test x$x509 = xtrue; then
 	libstrongswan_plugins=${libstrongswan_plugins}" x509"
+	pluto_plugins=${pluto_plugins}" x509"
 fi
 if test x$pubkey = xtrue; then
 	libstrongswan_plugins=${libstrongswan_plugins}" pubkey"
 	pluto_plugins=${pluto_plugins}" pubkey"
 fi
+if test x$pkcs1 = xtrue; then
+	libstrongswan_plugins=${libstrongswan_plugins}" pkcs1"
+	pluto_plugins=${pluto_plugins}" pkcs1"
+fi
+if test x$pgp = xtrue; then
+	libstrongswan_plugins=${libstrongswan_plugins}" pgp"
+	pluto_plugins=${pluto_plugins}" pgp"
+fi
+if test x$dnskey = xtrue; then
+	libstrongswan_plugins=${libstrongswan_plugins}" dnskey"
+	pluto_plugins=${pluto_plugins}" dnskey"
+fi
+if test x$pem = xtrue; then
+	libstrongswan_plugins=${libstrongswan_plugins}" pem"
+	pluto_plugins=${pluto_plugins}" pem"
+fi
 if test x$mysql = xtrue; then
 	libstrongswan_plugins=${libstrongswan_plugins}" mysql"
+	pluto_plugins=${pluto_plugins}" mysql"
 fi
 if test x$sqlite = xtrue; then
 	libstrongswan_plugins=${libstrongswan_plugins}" sqlite"
+	pluto_plugins=${pluto_plugins}" sqlite"
+fi
+if test x$attr_sql = xtrue -o x$sql = xtrue; then
+	libstrongswan_plugins=${libstrongswan_plugins}" attr-sql"
+	pluto_plugins=${pluto_plugins}" attr-sql"
 fi
 if test x$padlock = xtrue; then
 	libstrongswan_plugins=${libstrongswan_plugins}" padlock"
@@ -1237,10 +731,15 @@ AM_CONDITIONAL(USE_GMP, test x$gmp = xtrue)
 AM_CONDITIONAL(USE_RANDOM, test x$random = xtrue)
 AM_CONDITIONAL(USE_X509, test x$x509 = xtrue)
 AM_CONDITIONAL(USE_PUBKEY, test x$pubkey = xtrue)
+AM_CONDITIONAL(USE_PKCS1, test x$pkcs1 = xtrue)
+AM_CONDITIONAL(USE_PGP, test x$pgp = xtrue)
+AM_CONDITIONAL(USE_DNSKEY, test x$dnskey = xtrue)
+AM_CONDITIONAL(USE_PEM, test x$pem = xtrue)
 AM_CONDITIONAL(USE_HMAC, test x$hmac = xtrue)
 AM_CONDITIONAL(USE_XCBC, test x$xcbc = xtrue)
 AM_CONDITIONAL(USE_MYSQL, test x$mysql = xtrue)
 AM_CONDITIONAL(USE_SQLITE, test x$sqlite = xtrue)
+AM_CONDITIONAL(USE_ATTR_SQL, test x$attr_sql = xtrue -o x$sql = xtrue)
 AM_CONDITIONAL(USE_PADLOCK, test x$padlock = xtrue)
 AM_CONDITIONAL(USE_OPENSSL, test x$openssl = xtrue)
 AM_CONDITIONAL(USE_GCRYPT, test x$gcrypt = xtrue)
@@ -1257,15 +756,18 @@ AM_CONDITIONAL(USE_SMP, test x$smp = xtrue)
 AM_CONDITIONAL(USE_SQL, test x$sql = xtrue)
 AM_CONDITIONAL(USE_UPDOWN, test x$updown = xtrue)
 AM_CONDITIONAL(USE_ATTR, test x$attr = xtrue)
-AM_CONDITIONAL(USE_RESOLV_CONF, test x$resolvconf = xtrue)
-AM_CONDITIONAL(USE_UNIT_TESTS, test x$unittest = xtrue)
-AM_CONDITIONAL(USE_LOAD_TESTS, test x$loadtest = xtrue)
+AM_CONDITIONAL(USE_RESOLVE, test x$resolve = xtrue)
+AM_CONDITIONAL(USE_UNIT_TESTS, test x$unit_tests = xtrue)
+AM_CONDITIONAL(USE_LOAD_TESTER, test x$load_tester = xtrue)
 AM_CONDITIONAL(USE_EAP_SIM, test x$eap_sim = xtrue)
 AM_CONDITIONAL(USE_EAP_SIM_FILE, test x$eap_sim_file = xtrue)
+AM_CONDITIONAL(USE_EAP_SIMAKA_PSEUDONYM, test x$eap_simaka_pseudonym = xtrue)
+AM_CONDITIONAL(USE_EAP_SIMAKA_REAUTH, test x$eap_simaka_reauth = xtrue)
 AM_CONDITIONAL(USE_EAP_IDENTITY, test x$eap_identity = xtrue)
 AM_CONDITIONAL(USE_EAP_MD5, test x$eap_md5 = xtrue)
 AM_CONDITIONAL(USE_EAP_GTC, test x$eap_gtc = xtrue)
 AM_CONDITIONAL(USE_EAP_AKA, test x$eap_aka = xtrue)
+AM_CONDITIONAL(USE_EAP_AKA_3GPP2, test x$eap_aka_3gpp2 = xtrue)
 AM_CONDITIONAL(USE_EAP_MSCHAPV2, test x$eap_mschapv2 = xtrue)
 AM_CONDITIONAL(USE_EAP_RADIUS, test x$eap_radius = xtrue)
 AM_CONDITIONAL(USE_KERNEL_NETLINK, test x$kernel_netlink = xtrue)
@@ -1285,7 +787,7 @@ AM_CONDITIONAL(USE_XAUTH_VID, test x$xauth_vid = xtrue)
 AM_CONDITIONAL(USE_DUMM, test x$dumm = xtrue)
 AM_CONDITIONAL(USE_FAST, test x$fast = xtrue)
 AM_CONDITIONAL(USE_MANAGER, test x$manager = xtrue)
-AM_CONDITIONAL(USE_ME, test x$me = xtrue)
+AM_CONDITIONAL(USE_ME, test x$mediation = xtrue)
 AM_CONDITIONAL(USE_INTEGRITY_TEST, test x$integrity_test = xtrue)
 AM_CONDITIONAL(USE_CAPABILITIES, test x$capabilities = xlibcap)
 AM_CONDITIONAL(USE_PLUTO, test x$pluto = xtrue)
@@ -1296,12 +798,13 @@ AM_CONDITIONAL(USE_SCRIPTS, test x$scripts = xtrue)
 AM_CONDITIONAL(USE_LIBSTRONGSWAN, test x$charon = xtrue -o x$pluto = xtrue -o x$tools = xtrue)
 AM_CONDITIONAL(USE_FILE_CONFIG, test x$pluto = xtrue -o x$stroke = xtrue)
 AM_CONDITIONAL(USE_VSTR, test x$vstr = xtrue)
+AM_CONDITIONAL(USE_SIMAKA, test x$simaka = xtrue)
 
 dnl ==============================
 dnl  set global definitions
 dnl ==============================
 
-if test x$me = xtrue; then
+if test x$mediation = xtrue; then
 	AC_DEFINE(ME)
 fi
 if test x$capabilities = xlibcap; then
@@ -1331,25 +834,34 @@ AC_OUTPUT(
 	src/libstrongswan/plugins/xcbc/Makefile
 	src/libstrongswan/plugins/x509/Makefile
 	src/libstrongswan/plugins/pubkey/Makefile
+	src/libstrongswan/plugins/pkcs1/Makefile
+	src/libstrongswan/plugins/pgp/Makefile
+	src/libstrongswan/plugins/dnskey/Makefile
+	src/libstrongswan/plugins/pem/Makefile
 	src/libstrongswan/plugins/curl/Makefile
 	src/libstrongswan/plugins/ldap/Makefile
 	src/libstrongswan/plugins/mysql/Makefile
 	src/libstrongswan/plugins/sqlite/Makefile
+	src/libstrongswan/plugins/attr_sql/Makefile
 	src/libstrongswan/plugins/padlock/Makefile
 	src/libstrongswan/plugins/openssl/Makefile
 	src/libstrongswan/plugins/gcrypt/Makefile
 	src/libstrongswan/plugins/agent/Makefile
 	src/libstrongswan/plugins/test_vectors/Makefile
 	src/libfreeswan/Makefile
+	src/libsimaka/Makefile
 	src/pluto/Makefile
 	src/whack/Makefile
 	src/charon/Makefile
 	src/charon/plugins/eap_aka/Makefile
+	src/charon/plugins/eap_aka_3gpp2/Makefile
 	src/charon/plugins/eap_identity/Makefile
 	src/charon/plugins/eap_md5/Makefile
 	src/charon/plugins/eap_gtc/Makefile
 	src/charon/plugins/eap_sim/Makefile
 	src/charon/plugins/eap_sim_file/Makefile
+	src/charon/plugins/eap_simaka_pseudonym/Makefile
+	src/charon/plugins/eap_simaka_reauth/Makefile
 	src/charon/plugins/eap_mschapv2/Makefile
 	src/charon/plugins/eap_radius/Makefile
 	src/charon/plugins/kernel_netlink/Makefile
@@ -1365,7 +877,7 @@ AC_OUTPUT(
 	src/charon/plugins/stroke/Makefile
 	src/charon/plugins/updown/Makefile
 	src/charon/plugins/attr/Makefile
-	src/charon/plugins/resolv_conf/Makefile
+	src/charon/plugins/resolve/Makefile
 	src/charon/plugins/unit_tester/Makefile
 	src/charon/plugins/load_tester/Makefile
 	src/stroke/Makefile
@@ -1376,6 +888,7 @@ AC_OUTPUT(
 	src/_copyright/Makefile
 	src/openac/Makefile
 	src/scepclient/Makefile
+	src/pki/Makefile
 	src/dumm/Makefile
 	src/dumm/ext/extconf.rb
 	src/libfast/Makefile
diff --git a/depcomp b/depcomp
index e5f9736c7..df8eea7e4 100755
--- a/depcomp
+++ b/depcomp
@@ -1,10 +1,10 @@
 #! /bin/sh
 # depcomp - compile a program generating dependencies as side-effects
 
-scriptversion=2007-03-29.01
+scriptversion=2009-04-28.21; # UTC
 
-# Copyright (C) 1999, 2000, 2003, 2004, 2005, 2006, 2007 Free Software
-# Foundation, Inc.
+# Copyright (C) 1999, 2000, 2003, 2004, 2005, 2006, 2007, 2009 Free
+# Software Foundation, Inc.
 
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -17,9 +17,7 @@ scriptversion=2007-03-29.01
 # GNU General Public License for more details.
 
 # You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
-# 02110-1301, USA.
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 # As a special exception to the GNU General Public License, if you
 # distribute this file as part of a program that contains a
@@ -87,6 +85,15 @@ if test "$depmode" = dashXmstdout; then
    depmode=dashmstdout
 fi
 
+cygpath_u="cygpath -u -f -"
+if test "$depmode" = msvcmsys; then
+   # This is just like msvisualcpp but w/o cygpath translation.
+   # Just convert the backslash-escaped backslashes to single forward
+   # slashes to satisfy depend.m4
+   cygpath_u="sed s,\\\\\\\\,/,g"
+   depmode=msvisualcpp
+fi
+
 case "$depmode" in
 gcc3)
 ## gcc 3 implements dependency tracking that does exactly what
@@ -192,14 +199,14 @@ sgi)
 ' < "$tmpdepfile" \
     | sed -e 's/^.*\.o://' -e 's/#.*$//' -e '/^$/ d' | \
     tr '
-' ' ' >> $depfile
-    echo >> $depfile
+' ' ' >> "$depfile"
+    echo >> "$depfile"
 
     # The second pass generates a dummy entry for each header file.
     tr ' ' '
 ' < "$tmpdepfile" \
    | sed -e 's/^.*\.o://' -e 's/#.*$//' -e '/^$/ d' -e 's/$/:/' \
-   >> $depfile
+   >> "$depfile"
   else
     # The sourcefile does not contain any dependencies, so just
     # store a dummy comment line, to avoid errors with the Makefile
@@ -328,7 +335,12 @@ hp2)
   if test -f "$tmpdepfile"; then
     sed -e "s,^.*\.[a-z]*:,$object:," "$tmpdepfile" > "$depfile"
     # Add `dependent.h:' lines.
-    sed -ne '2,${; s/^ *//; s/ \\*$//; s/$/:/; p;}' "$tmpdepfile" >> "$depfile"
+    sed -ne '2,${
+	       s/^ *//
+	       s/ \\*$//
+	       s/$/:/
+	       p
+	     }' "$tmpdepfile" >> "$depfile"
   else
     echo "#dummy" > "$depfile"
   fi
@@ -404,7 +416,7 @@ dashmstdout)
 
   # Remove the call to Libtool.
   if test "$libtool" = yes; then
-    while test $1 != '--mode=compile'; do
+    while test "X$1" != 'X--mode=compile'; do
       shift
     done
     shift
@@ -455,32 +467,39 @@ makedepend)
   "$@" || exit $?
   # Remove any Libtool call
   if test "$libtool" = yes; then
-    while test $1 != '--mode=compile'; do
+    while test "X$1" != 'X--mode=compile'; do
       shift
     done
     shift
   fi
   # X makedepend
   shift
-  cleared=no
-  for arg in "$@"; do
+  cleared=no eat=no
+  for arg
+  do
     case $cleared in
     no)
       set ""; shift
       cleared=yes ;;
     esac
+    if test $eat = yes; then
+      eat=no
+      continue
+    fi
     case "$arg" in
     -D*|-I*)
       set fnord "$@" "$arg"; shift ;;
     # Strip any option that makedepend may not understand.  Remove
     # the object too, otherwise makedepend will parse it as a source file.
+    -arch)
+      eat=yes ;;
     -*|$object)
       ;;
     *)
       set fnord "$@" "$arg"; shift ;;
     esac
   done
-  obj_suffix="`echo $object | sed 's/^.*\././'`"
+  obj_suffix=`echo "$object" | sed 's/^.*\././'`
   touch "$tmpdepfile"
   ${MAKEDEPEND-makedepend} -o"$obj_suffix" -f"$tmpdepfile" "$@"
   rm -f "$depfile"
@@ -500,7 +519,7 @@ cpp)
 
   # Remove the call to Libtool.
   if test "$libtool" = yes; then
-    while test $1 != '--mode=compile'; do
+    while test "X$1" != 'X--mode=compile'; do
       shift
     done
     shift
@@ -538,13 +557,27 @@ cpp)
 
 msvisualcpp)
   # Important note: in order to support this mode, a compiler *must*
-  # always write the preprocessed file to stdout, regardless of -o,
-  # because we must use -o when running libtool.
+  # always write the preprocessed file to stdout.
   "$@" || exit $?
+
+  # Remove the call to Libtool.
+  if test "$libtool" = yes; then
+    while test "X$1" != 'X--mode=compile'; do
+      shift
+    done
+    shift
+  fi
+
   IFS=" "
   for arg
   do
     case "$arg" in
+    -o)
+      shift
+      ;;
+    $object)
+      shift
+      ;;
     "-Gm"|"/Gm"|"-Gi"|"/Gi"|"-ZI"|"/ZI")
 	set fnord "$@"
 	shift
@@ -557,16 +590,23 @@ msvisualcpp)
 	;;
     esac
   done
-  "$@" -E |
-  sed -n '/^#line [0-9][0-9]* "\([^"]*\)"/ s::echo "`cygpath -u \\"\1\\"`":p' | sort | uniq > "$tmpdepfile"
+  "$@" -E 2>/dev/null |
+  sed -n '/^#line [0-9][0-9]* "\([^"]*\)"/ s::\1:p' | $cygpath_u | sort -u > "$tmpdepfile"
   rm -f "$depfile"
   echo "$object : \\" > "$depfile"
-  . "$tmpdepfile" | sed 's% %\\ %g' | sed -n '/^\(.*\)$/ s::	\1 \\:p' >> "$depfile"
+  sed < "$tmpdepfile" -n -e 's% %\\ %g' -e '/^\(.*\)$/ s::	\1 \\:p' >> "$depfile"
   echo "	" >> "$depfile"
-  . "$tmpdepfile" | sed 's% %\\ %g' | sed -n '/^\(.*\)$/ s::\1\::p' >> "$depfile"
+  sed < "$tmpdepfile" -n -e 's% %\\ %g' -e '/^\(.*\)$/ s::\1\::p' >> "$depfile"
   rm -f "$tmpdepfile"
   ;;
 
+msvcmsys)
+  # This case exists only to let depend.m4 do its work.  It works by
+  # looking at the text of this script.  This case will never be run,
+  # since it is checked for above.
+  exit 1
+  ;;
+
 none)
   exec "$@"
   ;;
@@ -585,5 +625,6 @@ exit 0
 # eval: (add-hook 'write-file-hooks 'time-stamp)
 # time-stamp-start: "scriptversion="
 # time-stamp-format: "%:y-%02m-%02d.%02H"
-# time-stamp-end: "$"
+# time-stamp-time-zone: "UTC"
+# time-stamp-end: "; # UTC"
 # End:
diff --git a/install-sh b/install-sh
index a5897de6e..6781b987b 100755
--- a/install-sh
+++ b/install-sh
@@ -1,7 +1,7 @@
 #!/bin/sh
 # install - install a program, script, or datafile
 
-scriptversion=2006-12-25.00
+scriptversion=2009-04-28.21; # UTC
 
 # This originates from X11R5 (mit/util/scripts/install.sh), which was
 # later released in X11R6 (xc/config/util/install.sh) with the
@@ -515,5 +515,6 @@ done
 # eval: (add-hook 'write-file-hooks 'time-stamp)
 # time-stamp-start: "scriptversion="
 # time-stamp-format: "%:y-%02m-%02d.%02H"
-# time-stamp-end: "$"
+# time-stamp-time-zone: "UTC"
+# time-stamp-end: "; # UTC"
 # End:
diff --git a/ltmain.sh b/ltmain.sh
index b612e9a6d..3506ead39 100644
--- a/ltmain.sh
+++ b/ltmain.sh
@@ -65,7 +65,7 @@
 #       compiler:		$LTCC
 #       compiler flags:		$LTCFLAGS
 #       linker:		$LD (gnu? $with_gnu_ld)
-#       $progname:		(GNU libtool) 2.2.6 Debian-2.2.6a-1ubuntu1
+#       $progname:		(GNU libtool) 2.2.6 Debian-2.2.6a-4
 #       automake:		$automake_version
 #       autoconf:		$autoconf_version
 #
@@ -73,7 +73,7 @@
 
 PROGRAM=ltmain.sh
 PACKAGE=libtool
-VERSION="2.2.6 Debian-2.2.6a-1ubuntu1"
+VERSION="2.2.6 Debian-2.2.6a-4"
 TIMESTAMP=""
 package_revision=1.3012
 
@@ -5347,19 +5347,19 @@ func_mode_link ()
 	    # It is a libtool convenience library, so add in its objects.
 	    convenience="$convenience $ladir/$objdir/$old_library"
 	    old_convenience="$old_convenience $ladir/$objdir/$old_library"
+	    tmp_libs=
+	    for deplib in $dependency_libs; do
+	      deplibs="$deplib $deplibs"
+	      if $opt_duplicate_deps ; then
+		case "$tmp_libs " in
+		*" $deplib "*) specialdeplibs="$specialdeplibs $deplib" ;;
+		esac
+	      fi
+	      tmp_libs="$tmp_libs $deplib"
+	    done
 	  elif test "$linkmode" != prog && test "$linkmode" != lib; then
 	    func_fatal_error "\`$lib' is not a convenience library"
 	  fi
-	  tmp_libs=
-	  for deplib in $dependency_libs; do
-	    deplibs="$deplib $deplibs"
-	    if $opt_duplicate_deps ; then
-	      case "$tmp_libs " in
-	      *" $deplib "*) specialdeplibs="$specialdeplibs $deplib" ;;
-	      esac
-	    fi
-	    tmp_libs="$tmp_libs $deplib"
-	  done
 	  continue
 	fi # $pass = conv
 
@@ -5896,6 +5896,7 @@ func_mode_link ()
 	  if test "$link_all_deplibs" != no; then
 	    # Add the search paths of all dependency libraries
 	    for deplib in $dependency_libs; do
+	      path=
 	      case $deplib in
 	      -L*) path="$deplib" ;;
 	      *.la)
diff --git a/m4/config/libtool.m4 b/m4/config/libtool.m4
new file mode 100644
index 000000000..1e7ea47c0
--- /dev/null
+++ b/m4/config/libtool.m4
@@ -0,0 +1,7376 @@
+# libtool.m4 - Configure libtool for the host system. -*-Autoconf-*-
+#
+#   Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2003, 2004, 2005,
+#                 2006, 2007, 2008 Free Software Foundation, Inc.
+#   Written by Gordon Matzigkeit, 1996
+#
+# This file is free software; the Free Software Foundation gives
+# unlimited permission to copy and/or distribute it, with or without
+# modifications, as long as this notice is preserved.
+
+m4_define([_LT_COPYING], [dnl
+#   Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2003, 2004, 2005,
+#                 2006, 2007, 2008 Free Software Foundation, Inc.
+#   Written by Gordon Matzigkeit, 1996
+#
+#   This file is part of GNU Libtool.
+#
+# GNU Libtool is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; either version 2 of
+# the License, or (at your option) any later version.
+#
+# As a special exception to the GNU General Public License,
+# if you distribute this file as part of a program or library that
+# is built using GNU Libtool, you may include this file under the
+# same distribution terms that you use for the rest of that program.
+#
+# GNU Libtool is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GNU Libtool; see the file COPYING.  If not, a copy
+# can be downloaded from http://www.gnu.org/licenses/gpl.html, or
+# obtained by writing to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+])
+
+# serial 56 LT_INIT
+
+
+# LT_PREREQ(VERSION)
+# ------------------
+# Complain and exit if this libtool version is less that VERSION.
+m4_defun([LT_PREREQ],
+[m4_if(m4_version_compare(m4_defn([LT_PACKAGE_VERSION]), [$1]), -1,
+       [m4_default([$3],
+		   [m4_fatal([Libtool version $1 or higher is required],
+		             63)])],
+       [$2])])
+
+
+# _LT_CHECK_BUILDDIR
+# ------------------
+# Complain if the absolute build directory name contains unusual characters
+m4_defun([_LT_CHECK_BUILDDIR],
+[case `pwd` in
+  *\ * | *\	*)
+    AC_MSG_WARN([Libtool does not cope well with whitespace in `pwd`]) ;;
+esac
+])
+
+
+# LT_INIT([OPTIONS])
+# ------------------
+AC_DEFUN([LT_INIT],
+[AC_PREREQ([2.58])dnl We use AC_INCLUDES_DEFAULT
+AC_BEFORE([$0], [LT_LANG])dnl
+AC_BEFORE([$0], [LT_OUTPUT])dnl
+AC_BEFORE([$0], [LTDL_INIT])dnl
+m4_require([_LT_CHECK_BUILDDIR])dnl
+
+dnl Autoconf doesn't catch unexpanded LT_ macros by default:
+m4_pattern_forbid([^_?LT_[A-Z_]+$])dnl
+m4_pattern_allow([^(_LT_EOF|LT_DLGLOBAL|LT_DLLAZY_OR_NOW|LT_MULTI_MODULE)$])dnl
+dnl aclocal doesn't pull ltoptions.m4, ltsugar.m4, or ltversion.m4
+dnl unless we require an AC_DEFUNed macro:
+AC_REQUIRE([LTOPTIONS_VERSION])dnl
+AC_REQUIRE([LTSUGAR_VERSION])dnl
+AC_REQUIRE([LTVERSION_VERSION])dnl
+AC_REQUIRE([LTOBSOLETE_VERSION])dnl
+m4_require([_LT_PROG_LTMAIN])dnl
+
+dnl Parse OPTIONS
+_LT_SET_OPTIONS([$0], [$1])
+
+# This can be used to rebuild libtool when needed
+LIBTOOL_DEPS="$ltmain"
+
+# Always use our own libtool.
+LIBTOOL='$(SHELL) $(top_builddir)/libtool'
+AC_SUBST(LIBTOOL)dnl
+
+_LT_SETUP
+
+# Only expand once:
+m4_define([LT_INIT])
+])# LT_INIT
+
+# Old names:
+AU_ALIAS([AC_PROG_LIBTOOL], [LT_INIT])
+AU_ALIAS([AM_PROG_LIBTOOL], [LT_INIT])
+dnl aclocal-1.4 backwards compatibility:
+dnl AC_DEFUN([AC_PROG_LIBTOOL], [])
+dnl AC_DEFUN([AM_PROG_LIBTOOL], [])
+
+
+# _LT_CC_BASENAME(CC)
+# -------------------
+# Calculate cc_basename.  Skip known compiler wrappers and cross-prefix.
+m4_defun([_LT_CC_BASENAME],
+[for cc_temp in $1""; do
+  case $cc_temp in
+    compile | *[[\\/]]compile | ccache | *[[\\/]]ccache ) ;;
+    distcc | *[[\\/]]distcc | purify | *[[\\/]]purify ) ;;
+    \-*) ;;
+    *) break;;
+  esac
+done
+cc_basename=`$ECHO "X$cc_temp" | $Xsed -e 's%.*/%%' -e "s%^$host_alias-%%"`
+])
+
+
+# _LT_FILEUTILS_DEFAULTS
+# ----------------------
+# It is okay to use these file commands and assume they have been set
+# sensibly after `m4_require([_LT_FILEUTILS_DEFAULTS])'.
+m4_defun([_LT_FILEUTILS_DEFAULTS],
+[: ${CP="cp -f"}
+: ${MV="mv -f"}
+: ${RM="rm -f"}
+])# _LT_FILEUTILS_DEFAULTS
+
+
+# _LT_SETUP
+# ---------
+m4_defun([_LT_SETUP],
+[AC_REQUIRE([AC_CANONICAL_HOST])dnl
+AC_REQUIRE([AC_CANONICAL_BUILD])dnl
+_LT_DECL([], [host_alias], [0], [The host system])dnl
+_LT_DECL([], [host], [0])dnl
+_LT_DECL([], [host_os], [0])dnl
+dnl
+_LT_DECL([], [build_alias], [0], [The build system])dnl
+_LT_DECL([], [build], [0])dnl
+_LT_DECL([], [build_os], [0])dnl
+dnl
+AC_REQUIRE([AC_PROG_CC])dnl
+AC_REQUIRE([LT_PATH_LD])dnl
+AC_REQUIRE([LT_PATH_NM])dnl
+dnl
+AC_REQUIRE([AC_PROG_LN_S])dnl
+test -z "$LN_S" && LN_S="ln -s"
+_LT_DECL([], [LN_S], [1], [Whether we need soft or hard links])dnl
+dnl
+AC_REQUIRE([LT_CMD_MAX_LEN])dnl
+_LT_DECL([objext], [ac_objext], [0], [Object file suffix (normally "o")])dnl
+_LT_DECL([], [exeext], [0], [Executable file suffix (normally "")])dnl
+dnl
+m4_require([_LT_FILEUTILS_DEFAULTS])dnl
+m4_require([_LT_CHECK_SHELL_FEATURES])dnl
+m4_require([_LT_CMD_RELOAD])dnl
+m4_require([_LT_CHECK_MAGIC_METHOD])dnl
+m4_require([_LT_CMD_OLD_ARCHIVE])dnl
+m4_require([_LT_CMD_GLOBAL_SYMBOLS])dnl
+
+_LT_CONFIG_LIBTOOL_INIT([
+# See if we are running on zsh, and set the options which allow our
+# commands through without removal of \ escapes INIT.
+if test -n "\${ZSH_VERSION+set}" ; then
+   setopt NO_GLOB_SUBST
+fi
+])
+if test -n "${ZSH_VERSION+set}" ; then
+   setopt NO_GLOB_SUBST
+fi
+
+_LT_CHECK_OBJDIR
+
+m4_require([_LT_TAG_COMPILER])dnl
+_LT_PROG_ECHO_BACKSLASH
+
+case $host_os in
+aix3*)
+  # AIX sometimes has problems with the GCC collect2 program.  For some
+  # reason, if we set the COLLECT_NAMES environment variable, the problems
+  # vanish in a puff of smoke.
+  if test "X${COLLECT_NAMES+set}" != Xset; then
+    COLLECT_NAMES=
+    export COLLECT_NAMES
+  fi
+  ;;
+esac
+
+# Sed substitution that helps us do robust quoting.  It backslashifies
+# metacharacters that are still active within double-quoted strings.
+sed_quote_subst='s/\([["`$\\]]\)/\\\1/g'
+
+# Same as above, but do not quote variable references.
+double_quote_subst='s/\([["`\\]]\)/\\\1/g'
+
+# Sed substitution to delay expansion of an escaped shell variable in a
+# double_quote_subst'ed string.
+delay_variable_subst='s/\\\\\\\\\\\$/\\\\\\$/g'
+
+# Sed substitution to delay expansion of an escaped single quote.
+delay_single_quote_subst='s/'\''/'\'\\\\\\\'\''/g'
+
+# Sed substitution to avoid accidental globbing in evaled expressions
+no_glob_subst='s/\*/\\\*/g'
+
+# Global variables:
+ofile=libtool
+can_build_shared=yes
+
+# All known linkers require a `.a' archive for static linking (except MSVC,
+# which needs '.lib').
+libext=a
+
+with_gnu_ld="$lt_cv_prog_gnu_ld"
+
+old_CC="$CC"
+old_CFLAGS="$CFLAGS"
+
+# Set sane defaults for various variables
+test -z "$CC" && CC=cc
+test -z "$LTCC" && LTCC=$CC
+test -z "$LTCFLAGS" && LTCFLAGS=$CFLAGS
+test -z "$LD" && LD=ld
+test -z "$ac_objext" && ac_objext=o
+
+_LT_CC_BASENAME([$compiler])
+
+# Only perform the check for file, if the check method requires it
+test -z "$MAGIC_CMD" && MAGIC_CMD=file
+case $deplibs_check_method in
+file_magic*)
+  if test "$file_magic_cmd" = '$MAGIC_CMD'; then
+    _LT_PATH_MAGIC
+  fi
+  ;;
+esac
+
+# Use C for the default configuration in the libtool script
+LT_SUPPORTED_TAG([CC])
+_LT_LANG_C_CONFIG
+_LT_LANG_DEFAULT_CONFIG
+_LT_CONFIG_COMMANDS
+])# _LT_SETUP
+
+
+# _LT_PROG_LTMAIN
+# ---------------
+# Note that this code is called both from `configure', and `config.status'
+# now that we use AC_CONFIG_COMMANDS to generate libtool.  Notably,
+# `config.status' has no value for ac_aux_dir unless we are using Automake,
+# so we pass a copy along to make sure it has a sensible value anyway.
+m4_defun([_LT_PROG_LTMAIN],
+[m4_ifdef([AC_REQUIRE_AUX_FILE], [AC_REQUIRE_AUX_FILE([ltmain.sh])])dnl
+_LT_CONFIG_LIBTOOL_INIT([ac_aux_dir='$ac_aux_dir'])
+ltmain="$ac_aux_dir/ltmain.sh"
+])# _LT_PROG_LTMAIN
+
+
+## ------------------------------------- ##
+## Accumulate code for creating libtool. ##
+## ------------------------------------- ##
+
+# So that we can recreate a full libtool script including additional
+# tags, we accumulate the chunks of code to send to AC_CONFIG_COMMANDS
+# in macros and then make a single call at the end using the `libtool'
+# label.
+
+
+# _LT_CONFIG_LIBTOOL_INIT([INIT-COMMANDS])
+# ----------------------------------------
+# Register INIT-COMMANDS to be passed to AC_CONFIG_COMMANDS later.
+m4_define([_LT_CONFIG_LIBTOOL_INIT],
+[m4_ifval([$1],
+          [m4_append([_LT_OUTPUT_LIBTOOL_INIT],
+                     [$1
+])])])
+
+# Initialize.
+m4_define([_LT_OUTPUT_LIBTOOL_INIT])
+
+
+# _LT_CONFIG_LIBTOOL([COMMANDS])
+# ------------------------------
+# Register COMMANDS to be passed to AC_CONFIG_COMMANDS later.
+m4_define([_LT_CONFIG_LIBTOOL],
+[m4_ifval([$1],
+          [m4_append([_LT_OUTPUT_LIBTOOL_COMMANDS],
+                     [$1
+])])])
+
+# Initialize.
+m4_define([_LT_OUTPUT_LIBTOOL_COMMANDS])
+
+
+# _LT_CONFIG_SAVE_COMMANDS([COMMANDS], [INIT_COMMANDS])
+# -----------------------------------------------------
+m4_defun([_LT_CONFIG_SAVE_COMMANDS],
+[_LT_CONFIG_LIBTOOL([$1])
+_LT_CONFIG_LIBTOOL_INIT([$2])
+])
+
+
+# _LT_FORMAT_COMMENT([COMMENT])
+# -----------------------------
+# Add leading comment marks to the start of each line, and a trailing
+# full-stop to the whole comment if one is not present already.
+m4_define([_LT_FORMAT_COMMENT],
+[m4_ifval([$1], [
+m4_bpatsubst([m4_bpatsubst([$1], [^ *], [# ])],
+              [['`$\]], [\\\&])]m4_bmatch([$1], [[!?.]$], [], [.])
+)])
+
+
+
+## ------------------------ ##
+## FIXME: Eliminate VARNAME ##
+## ------------------------ ##
+
+
+# _LT_DECL([CONFIGNAME], VARNAME, VALUE, [DESCRIPTION], [IS-TAGGED?])
+# -------------------------------------------------------------------
+# CONFIGNAME is the name given to the value in the libtool script.
+# VARNAME is the (base) name used in the configure script.
+# VALUE may be 0, 1 or 2 for a computed quote escaped value based on
+# VARNAME.  Any other value will be used directly.
+m4_define([_LT_DECL],
+[lt_if_append_uniq([lt_decl_varnames], [$2], [, ],
+    [lt_dict_add_subkey([lt_decl_dict], [$2], [libtool_name],
+	[m4_ifval([$1], [$1], [$2])])
+    lt_dict_add_subkey([lt_decl_dict], [$2], [value], [$3])
+    m4_ifval([$4],
+	[lt_dict_add_subkey([lt_decl_dict], [$2], [description], [$4])])
+    lt_dict_add_subkey([lt_decl_dict], [$2],
+	[tagged?], [m4_ifval([$5], [yes], [no])])])
+])
+
+
+# _LT_TAGDECL([CONFIGNAME], VARNAME, VALUE, [DESCRIPTION])
+# --------------------------------------------------------
+m4_define([_LT_TAGDECL], [_LT_DECL([$1], [$2], [$3], [$4], [yes])])
+
+
+# lt_decl_tag_varnames([SEPARATOR], [VARNAME1...])
+# ------------------------------------------------
+m4_define([lt_decl_tag_varnames],
+[_lt_decl_filter([tagged?], [yes], $@)])
+
+
+# _lt_decl_filter(SUBKEY, VALUE, [SEPARATOR], [VARNAME1..])
+# ---------------------------------------------------------
+m4_define([_lt_decl_filter],
+[m4_case([$#],
+  [0], [m4_fatal([$0: too few arguments: $#])],
+  [1], [m4_fatal([$0: too few arguments: $#: $1])],
+  [2], [lt_dict_filter([lt_decl_dict], [$1], [$2], [], lt_decl_varnames)],
+  [3], [lt_dict_filter([lt_decl_dict], [$1], [$2], [$3], lt_decl_varnames)],
+  [lt_dict_filter([lt_decl_dict], $@)])[]dnl
+])
+
+
+# lt_decl_quote_varnames([SEPARATOR], [VARNAME1...])
+# --------------------------------------------------
+m4_define([lt_decl_quote_varnames],
+[_lt_decl_filter([value], [1], $@)])
+
+
+# lt_decl_dquote_varnames([SEPARATOR], [VARNAME1...])
+# ---------------------------------------------------
+m4_define([lt_decl_dquote_varnames],
+[_lt_decl_filter([value], [2], $@)])
+
+
+# lt_decl_varnames_tagged([SEPARATOR], [VARNAME1...])
+# ---------------------------------------------------
+m4_define([lt_decl_varnames_tagged],
+[m4_assert([$# <= 2])dnl
+_$0(m4_quote(m4_default([$1], [[, ]])),
+    m4_ifval([$2], [[$2]], [m4_dquote(lt_decl_tag_varnames)]),
+    m4_split(m4_normalize(m4_quote(_LT_TAGS)), [ ]))])
+m4_define([_lt_decl_varnames_tagged],
+[m4_ifval([$3], [lt_combine([$1], [$2], [_], $3)])])
+
+
+# lt_decl_all_varnames([SEPARATOR], [VARNAME1...])
+# ------------------------------------------------
+m4_define([lt_decl_all_varnames],
+[_$0(m4_quote(m4_default([$1], [[, ]])),
+     m4_if([$2], [],
+	   m4_quote(lt_decl_varnames),
+	m4_quote(m4_shift($@))))[]dnl
+])
+m4_define([_lt_decl_all_varnames],
+[lt_join($@, lt_decl_varnames_tagged([$1],
+			lt_decl_tag_varnames([[, ]], m4_shift($@))))dnl
+])
+
+
+# _LT_CONFIG_STATUS_DECLARE([VARNAME])
+# ------------------------------------
+# Quote a variable value, and forward it to `config.status' so that its
+# declaration there will have the same value as in `configure'.  VARNAME
+# must have a single quote delimited value for this to work.
+m4_define([_LT_CONFIG_STATUS_DECLARE],
+[$1='`$ECHO "X$][$1" | $Xsed -e "$delay_single_quote_subst"`'])
+
+
+# _LT_CONFIG_STATUS_DECLARATIONS
+# ------------------------------
+# We delimit libtool config variables with single quotes, so when
+# we write them to config.status, we have to be sure to quote all
+# embedded single quotes properly.  In configure, this macro expands
+# each variable declared with _LT_DECL (and _LT_TAGDECL) into:
+#
+#    <var>='`$ECHO "X$<var>" | $Xsed -e "$delay_single_quote_subst"`'
+m4_defun([_LT_CONFIG_STATUS_DECLARATIONS],
+[m4_foreach([_lt_var], m4_quote(lt_decl_all_varnames),
+    [m4_n([_LT_CONFIG_STATUS_DECLARE(_lt_var)])])])
+
+
+# _LT_LIBTOOL_TAGS
+# ----------------
+# Output comment and list of tags supported by the script
+m4_defun([_LT_LIBTOOL_TAGS],
+[_LT_FORMAT_COMMENT([The names of the tagged configurations supported by this script])dnl
+available_tags="_LT_TAGS"dnl
+])
+
+
+# _LT_LIBTOOL_DECLARE(VARNAME, [TAG])
+# -----------------------------------
+# Extract the dictionary values for VARNAME (optionally with TAG) and
+# expand to a commented shell variable setting:
+#
+#    # Some comment about what VAR is for.
+#    visible_name=$lt_internal_name
+m4_define([_LT_LIBTOOL_DECLARE],
+[_LT_FORMAT_COMMENT(m4_quote(lt_dict_fetch([lt_decl_dict], [$1],
+					   [description])))[]dnl
+m4_pushdef([_libtool_name],
+    m4_quote(lt_dict_fetch([lt_decl_dict], [$1], [libtool_name])))[]dnl
+m4_case(m4_quote(lt_dict_fetch([lt_decl_dict], [$1], [value])),
+    [0], [_libtool_name=[$]$1],
+    [1], [_libtool_name=$lt_[]$1],
+    [2], [_libtool_name=$lt_[]$1],
+    [_libtool_name=lt_dict_fetch([lt_decl_dict], [$1], [value])])[]dnl
+m4_ifval([$2], [_$2])[]m4_popdef([_libtool_name])[]dnl
+])
+
+
+# _LT_LIBTOOL_CONFIG_VARS
+# -----------------------
+# Produce commented declarations of non-tagged libtool config variables
+# suitable for insertion in the LIBTOOL CONFIG section of the `libtool'
+# script.  Tagged libtool config variables (even for the LIBTOOL CONFIG
+# section) are produced by _LT_LIBTOOL_TAG_VARS.
+m4_defun([_LT_LIBTOOL_CONFIG_VARS],
+[m4_foreach([_lt_var],
+    m4_quote(_lt_decl_filter([tagged?], [no], [], lt_decl_varnames)),
+    [m4_n([_LT_LIBTOOL_DECLARE(_lt_var)])])])
+
+
+# _LT_LIBTOOL_TAG_VARS(TAG)
+# -------------------------
+m4_define([_LT_LIBTOOL_TAG_VARS],
+[m4_foreach([_lt_var], m4_quote(lt_decl_tag_varnames),
+    [m4_n([_LT_LIBTOOL_DECLARE(_lt_var, [$1])])])])
+
+
+# _LT_TAGVAR(VARNAME, [TAGNAME])
+# ------------------------------
+m4_define([_LT_TAGVAR], [m4_ifval([$2], [$1_$2], [$1])])
+
+
+# _LT_CONFIG_COMMANDS
+# -------------------
+# Send accumulated output to $CONFIG_STATUS.  Thanks to the lists of
+# variables for single and double quote escaping we saved from calls
+# to _LT_DECL, we can put quote escaped variables declarations
+# into `config.status', and then the shell code to quote escape them in
+# for loops in `config.status'.  Finally, any additional code accumulated
+# from calls to _LT_CONFIG_LIBTOOL_INIT is expanded.
+m4_defun([_LT_CONFIG_COMMANDS],
+[AC_PROVIDE_IFELSE([LT_OUTPUT],
+	dnl If the libtool generation code has been placed in $CONFIG_LT,
+	dnl instead of duplicating it all over again into config.status,
+	dnl then we will have config.status run $CONFIG_LT later, so it
+	dnl needs to know what name is stored there:
+        [AC_CONFIG_COMMANDS([libtool],
+            [$SHELL $CONFIG_LT || AS_EXIT(1)], [CONFIG_LT='$CONFIG_LT'])],
+    dnl If the libtool generation code is destined for config.status,
+    dnl expand the accumulated commands and init code now:
+    [AC_CONFIG_COMMANDS([libtool],
+        [_LT_OUTPUT_LIBTOOL_COMMANDS], [_LT_OUTPUT_LIBTOOL_COMMANDS_INIT])])
+])#_LT_CONFIG_COMMANDS
+
+
+# Initialize.
+m4_define([_LT_OUTPUT_LIBTOOL_COMMANDS_INIT],
+[
+
+# The HP-UX ksh and POSIX shell print the target directory to stdout
+# if CDPATH is set.
+(unset CDPATH) >/dev/null 2>&1 && unset CDPATH
+
+sed_quote_subst='$sed_quote_subst'
+double_quote_subst='$double_quote_subst'
+delay_variable_subst='$delay_variable_subst'
+_LT_CONFIG_STATUS_DECLARATIONS
+LTCC='$LTCC'
+LTCFLAGS='$LTCFLAGS'
+compiler='$compiler_DEFAULT'
+
+# Quote evaled strings.
+for var in lt_decl_all_varnames([[ \
+]], lt_decl_quote_varnames); do
+    case \`eval \\\\\$ECHO "X\\\\\$\$var"\` in
+    *[[\\\\\\\`\\"\\\$]]*)
+      eval "lt_\$var=\\\\\\"\\\`\\\$ECHO \\"X\\\$\$var\\" | \\\$Xsed -e \\"\\\$sed_quote_subst\\"\\\`\\\\\\""
+      ;;
+    *)
+      eval "lt_\$var=\\\\\\"\\\$\$var\\\\\\""
+      ;;
+    esac
+done
+
+# Double-quote double-evaled strings.
+for var in lt_decl_all_varnames([[ \
+]], lt_decl_dquote_varnames); do
+    case \`eval \\\\\$ECHO "X\\\\\$\$var"\` in
+    *[[\\\\\\\`\\"\\\$]]*)
+      eval "lt_\$var=\\\\\\"\\\`\\\$ECHO \\"X\\\$\$var\\" | \\\$Xsed -e \\"\\\$double_quote_subst\\" -e \\"\\\$sed_quote_subst\\" -e \\"\\\$delay_variable_subst\\"\\\`\\\\\\""
+      ;;
+    *)
+      eval "lt_\$var=\\\\\\"\\\$\$var\\\\\\""
+      ;;
+    esac
+done
+
+# Fix-up fallback echo if it was mangled by the above quoting rules.
+case \$lt_ECHO in
+*'\\\[$]0 --fallback-echo"')dnl "
+  lt_ECHO=\`\$ECHO "X\$lt_ECHO" | \$Xsed -e 's/\\\\\\\\\\\\\\\[$]0 --fallback-echo"\[$]/\[$]0 --fallback-echo"/'\`
+  ;;
+esac
+
+_LT_OUTPUT_LIBTOOL_INIT
+])
+
+
+# LT_OUTPUT
+# ---------
+# This macro allows early generation of the libtool script (before
+# AC_OUTPUT is called), incase it is used in configure for compilation
+# tests.
+AC_DEFUN([LT_OUTPUT],
+[: ${CONFIG_LT=./config.lt}
+AC_MSG_NOTICE([creating $CONFIG_LT])
+cat >"$CONFIG_LT" <<_LTEOF
+#! $SHELL
+# Generated by $as_me.
+# Run this file to recreate a libtool stub with the current configuration.
+
+lt_cl_silent=false
+SHELL=\${CONFIG_SHELL-$SHELL}
+_LTEOF
+
+cat >>"$CONFIG_LT" <<\_LTEOF
+AS_SHELL_SANITIZE
+_AS_PREPARE
+
+exec AS_MESSAGE_FD>&1
+exec AS_MESSAGE_LOG_FD>>config.log
+{
+  echo
+  AS_BOX([Running $as_me.])
+} >&AS_MESSAGE_LOG_FD
+
+lt_cl_help="\
+\`$as_me' creates a local libtool stub from the current configuration,
+for use in further configure time tests before the real libtool is
+generated.
+
+Usage: $[0] [[OPTIONS]]
+
+  -h, --help      print this help, then exit
+  -V, --version   print version number, then exit
+  -q, --quiet     do not print progress messages
+  -d, --debug     don't remove temporary files
+
+Report bugs to <bug-libtool@gnu.org>."
+
+lt_cl_version="\
+m4_ifset([AC_PACKAGE_NAME], [AC_PACKAGE_NAME ])config.lt[]dnl
+m4_ifset([AC_PACKAGE_VERSION], [ AC_PACKAGE_VERSION])
+configured by $[0], generated by m4_PACKAGE_STRING.
+
+Copyright (C) 2008 Free Software Foundation, Inc.
+This config.lt script is free software; the Free Software Foundation
+gives unlimited permision to copy, distribute and modify it."
+
+while test $[#] != 0
+do
+  case $[1] in
+    --version | --v* | -V )
+      echo "$lt_cl_version"; exit 0 ;;
+    --help | --h* | -h )
+      echo "$lt_cl_help"; exit 0 ;;
+    --debug | --d* | -d )
+      debug=: ;;
+    --quiet | --q* | --silent | --s* | -q )
+      lt_cl_silent=: ;;
+
+    -*) AC_MSG_ERROR([unrecognized option: $[1]
+Try \`$[0] --help' for more information.]) ;;
+
+    *) AC_MSG_ERROR([unrecognized argument: $[1]
+Try \`$[0] --help' for more information.]) ;;
+  esac
+  shift
+done
+
+if $lt_cl_silent; then
+  exec AS_MESSAGE_FD>/dev/null
+fi
+_LTEOF
+
+cat >>"$CONFIG_LT" <<_LTEOF
+_LT_OUTPUT_LIBTOOL_COMMANDS_INIT
+_LTEOF
+
+cat >>"$CONFIG_LT" <<\_LTEOF
+AC_MSG_NOTICE([creating $ofile])
+_LT_OUTPUT_LIBTOOL_COMMANDS
+AS_EXIT(0)
+_LTEOF
+chmod +x "$CONFIG_LT"
+
+# configure is writing to config.log, but config.lt does its own redirection,
+# appending to config.log, which fails on DOS, as config.log is still kept
+# open by configure.  Here we exec the FD to /dev/null, effectively closing
+# config.log, so it can be properly (re)opened and appended to by config.lt.
+if test "$no_create" != yes; then
+  lt_cl_success=:
+  test "$silent" = yes &&
+    lt_config_lt_args="$lt_config_lt_args --quiet"
+  exec AS_MESSAGE_LOG_FD>/dev/null
+  $SHELL "$CONFIG_LT" $lt_config_lt_args || lt_cl_success=false
+  exec AS_MESSAGE_LOG_FD>>config.log
+  $lt_cl_success || AS_EXIT(1)
+fi
+])# LT_OUTPUT
+
+
+# _LT_CONFIG(TAG)
+# ---------------
+# If TAG is the built-in tag, create an initial libtool script with a
+# default configuration from the untagged config vars.  Otherwise add code
+# to config.status for appending the configuration named by TAG from the
+# matching tagged config vars.
+m4_defun([_LT_CONFIG],
+[m4_require([_LT_FILEUTILS_DEFAULTS])dnl
+_LT_CONFIG_SAVE_COMMANDS([
+  m4_define([_LT_TAG], m4_if([$1], [], [C], [$1]))dnl
+  m4_if(_LT_TAG, [C], [
+    # See if we are running on zsh, and set the options which allow our
+    # commands through without removal of \ escapes.
+    if test -n "${ZSH_VERSION+set}" ; then
+      setopt NO_GLOB_SUBST
+    fi
+
+    cfgfile="${ofile}T"
+    trap "$RM \"$cfgfile\"; exit 1" 1 2 15
+    $RM "$cfgfile"
+
+    cat <<_LT_EOF >> "$cfgfile"
+#! $SHELL
+
+# `$ECHO "$ofile" | sed 's%^.*/%%'` - Provide generalized library-building support services.
+# Generated automatically by $as_me ($PACKAGE$TIMESTAMP) $VERSION
+# Libtool was configured on host `(hostname || uname -n) 2>/dev/null | sed 1q`:
+# NOTE: Changes made to this file will be lost: look at ltmain.sh.
+#
+_LT_COPYING
+_LT_LIBTOOL_TAGS
+
+# ### BEGIN LIBTOOL CONFIG
+_LT_LIBTOOL_CONFIG_VARS
+_LT_LIBTOOL_TAG_VARS
+# ### END LIBTOOL CONFIG
+
+_LT_EOF
+
+  case $host_os in
+  aix3*)
+    cat <<\_LT_EOF >> "$cfgfile"
+# AIX sometimes has problems with the GCC collect2 program.  For some
+# reason, if we set the COLLECT_NAMES environment variable, the problems
+# vanish in a puff of smoke.
+if test "X${COLLECT_NAMES+set}" != Xset; then
+  COLLECT_NAMES=
+  export COLLECT_NAMES
+fi
+_LT_EOF
+    ;;
+  esac
+
+  _LT_PROG_LTMAIN
+
+  # We use sed instead of cat because bash on DJGPP gets confused if
+  # if finds mixed CR/LF and LF-only lines.  Since sed operates in
+  # text mode, it properly converts lines to CR/LF.  This bash problem
+  # is reportedly fixed, but why not run on old versions too?
+  sed '/^# Generated shell functions inserted here/q' "$ltmain" >> "$cfgfile" \
+    || (rm -f "$cfgfile"; exit 1)
+
+  _LT_PROG_XSI_SHELLFNS
+
+  sed -n '/^# Generated shell functions inserted here/,$p' "$ltmain" >> "$cfgfile" \
+    || (rm -f "$cfgfile"; exit 1)
+
+  mv -f "$cfgfile" "$ofile" ||
+    (rm -f "$ofile" && cp "$cfgfile" "$ofile" && rm -f "$cfgfile")
+  chmod +x "$ofile"
+],
+[cat <<_LT_EOF >> "$ofile"
+
+dnl Unfortunately we have to use $1 here, since _LT_TAG is not expanded
+dnl in a comment (ie after a #).
+# ### BEGIN LIBTOOL TAG CONFIG: $1
+_LT_LIBTOOL_TAG_VARS(_LT_TAG)
+# ### END LIBTOOL TAG CONFIG: $1
+_LT_EOF
+])dnl /m4_if
+],
+[m4_if([$1], [], [
+    PACKAGE='$PACKAGE'
+    VERSION='$VERSION'
+    TIMESTAMP='$TIMESTAMP'
+    RM='$RM'
+    ofile='$ofile'], [])
+])dnl /_LT_CONFIG_SAVE_COMMANDS
+])# _LT_CONFIG
+
+
+# LT_SUPPORTED_TAG(TAG)
+# ---------------------
+# Trace this macro to discover what tags are supported by the libtool
+# --tag option, using:
+#    autoconf --trace 'LT_SUPPORTED_TAG:$1'
+AC_DEFUN([LT_SUPPORTED_TAG], [])
+
+
+# C support is built-in for now
+m4_define([_LT_LANG_C_enabled], [])
+m4_define([_LT_TAGS], [])
+
+
+# LT_LANG(LANG)
+# -------------
+# Enable libtool support for the given language if not already enabled.
+AC_DEFUN([LT_LANG],
+[AC_BEFORE([$0], [LT_OUTPUT])dnl
+m4_case([$1],
+  [C],			[_LT_LANG(C)],
+  [C++],		[_LT_LANG(CXX)],
+  [Java],		[_LT_LANG(GCJ)],
+  [Fortran 77],		[_LT_LANG(F77)],
+  [Fortran],		[_LT_LANG(FC)],
+  [Windows Resource],	[_LT_LANG(RC)],
+  [m4_ifdef([_LT_LANG_]$1[_CONFIG],
+    [_LT_LANG($1)],
+    [m4_fatal([$0: unsupported language: "$1"])])])dnl
+])# LT_LANG
+
+
+# _LT_LANG(LANGNAME)
+# ------------------
+m4_defun([_LT_LANG],
+[m4_ifdef([_LT_LANG_]$1[_enabled], [],
+  [LT_SUPPORTED_TAG([$1])dnl
+  m4_append([_LT_TAGS], [$1 ])dnl
+  m4_define([_LT_LANG_]$1[_enabled], [])dnl
+  _LT_LANG_$1_CONFIG($1)])dnl
+])# _LT_LANG
+
+
+# _LT_LANG_DEFAULT_CONFIG
+# -----------------------
+m4_defun([_LT_LANG_DEFAULT_CONFIG],
+[AC_PROVIDE_IFELSE([AC_PROG_CXX],
+  [LT_LANG(CXX)],
+  [m4_define([AC_PROG_CXX], defn([AC_PROG_CXX])[LT_LANG(CXX)])])
+
+AC_PROVIDE_IFELSE([AC_PROG_F77],
+  [LT_LANG(F77)],
+  [m4_define([AC_PROG_F77], defn([AC_PROG_F77])[LT_LANG(F77)])])
+
+AC_PROVIDE_IFELSE([AC_PROG_FC],
+  [LT_LANG(FC)],
+  [m4_define([AC_PROG_FC], defn([AC_PROG_FC])[LT_LANG(FC)])])
+
+dnl The call to [A][M_PROG_GCJ] is quoted like that to stop aclocal
+dnl pulling things in needlessly.
+AC_PROVIDE_IFELSE([AC_PROG_GCJ],
+  [LT_LANG(GCJ)],
+  [AC_PROVIDE_IFELSE([A][M_PROG_GCJ],
+    [LT_LANG(GCJ)],
+    [AC_PROVIDE_IFELSE([LT_PROG_GCJ],
+      [LT_LANG(GCJ)],
+      [m4_ifdef([AC_PROG_GCJ],
+	[m4_define([AC_PROG_GCJ], defn([AC_PROG_GCJ])[LT_LANG(GCJ)])])
+       m4_ifdef([A][M_PROG_GCJ],
+	[m4_define([A][M_PROG_GCJ], defn([A][M_PROG_GCJ])[LT_LANG(GCJ)])])
+       m4_ifdef([LT_PROG_GCJ],
+	[m4_define([LT_PROG_GCJ], defn([LT_PROG_GCJ])[LT_LANG(GCJ)])])])])])
+
+AC_PROVIDE_IFELSE([LT_PROG_RC],
+  [LT_LANG(RC)],
+  [m4_define([LT_PROG_RC], defn([LT_PROG_RC])[LT_LANG(RC)])])
+])# _LT_LANG_DEFAULT_CONFIG
+
+# Obsolete macros:
+AU_DEFUN([AC_LIBTOOL_CXX], [LT_LANG(C++)])
+AU_DEFUN([AC_LIBTOOL_F77], [LT_LANG(Fortran 77)])
+AU_DEFUN([AC_LIBTOOL_FC], [LT_LANG(Fortran)])
+AU_DEFUN([AC_LIBTOOL_GCJ], [LT_LANG(Java)])
+dnl aclocal-1.4 backwards compatibility:
+dnl AC_DEFUN([AC_LIBTOOL_CXX], [])
+dnl AC_DEFUN([AC_LIBTOOL_F77], [])
+dnl AC_DEFUN([AC_LIBTOOL_FC], [])
+dnl AC_DEFUN([AC_LIBTOOL_GCJ], [])
+
+
+# _LT_TAG_COMPILER
+# ----------------
+m4_defun([_LT_TAG_COMPILER],
+[AC_REQUIRE([AC_PROG_CC])dnl
+
+_LT_DECL([LTCC], [CC], [1], [A C compiler])dnl
+_LT_DECL([LTCFLAGS], [CFLAGS], [1], [LTCC compiler flags])dnl
+_LT_TAGDECL([CC], [compiler], [1], [A language specific compiler])dnl
+_LT_TAGDECL([with_gcc], [GCC], [0], [Is the compiler the GNU compiler?])dnl
+
+# If no C compiler was specified, use CC.
+LTCC=${LTCC-"$CC"}
+
+# If no C compiler flags were specified, use CFLAGS.
+LTCFLAGS=${LTCFLAGS-"$CFLAGS"}
+
+# Allow CC to be a program name with arguments.
+compiler=$CC
+])# _LT_TAG_COMPILER
+
+
+# _LT_COMPILER_BOILERPLATE
+# ------------------------
+# Check for compiler boilerplate output or warnings with
+# the simple compiler test code.
+m4_defun([_LT_COMPILER_BOILERPLATE],
+[m4_require([_LT_DECL_SED])dnl
+ac_outfile=conftest.$ac_objext
+echo "$lt_simple_compile_test_code" >conftest.$ac_ext
+eval "$ac_compile" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err
+_lt_compiler_boilerplate=`cat conftest.err`
+$RM conftest*
+])# _LT_COMPILER_BOILERPLATE
+
+
+# _LT_LINKER_BOILERPLATE
+# ----------------------
+# Check for linker boilerplate output or warnings with
+# the simple link test code.
+m4_defun([_LT_LINKER_BOILERPLATE],
+[m4_require([_LT_DECL_SED])dnl
+ac_outfile=conftest.$ac_objext
+echo "$lt_simple_link_test_code" >conftest.$ac_ext
+eval "$ac_link" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err
+_lt_linker_boilerplate=`cat conftest.err`
+$RM -r conftest*
+])# _LT_LINKER_BOILERPLATE
+
+# _LT_REQUIRED_DARWIN_CHECKS
+# -------------------------
+m4_defun_once([_LT_REQUIRED_DARWIN_CHECKS],[
+  case $host_os in
+    rhapsody* | darwin*)
+    AC_CHECK_TOOL([DSYMUTIL], [dsymutil], [:])
+    AC_CHECK_TOOL([NMEDIT], [nmedit], [:])
+    AC_CHECK_TOOL([LIPO], [lipo], [:])
+    AC_CHECK_TOOL([OTOOL], [otool], [:])
+    AC_CHECK_TOOL([OTOOL64], [otool64], [:])
+    _LT_DECL([], [DSYMUTIL], [1],
+      [Tool to manipulate archived DWARF debug symbol files on Mac OS X])
+    _LT_DECL([], [NMEDIT], [1],
+      [Tool to change global to local symbols on Mac OS X])
+    _LT_DECL([], [LIPO], [1],
+      [Tool to manipulate fat objects and archives on Mac OS X])
+    _LT_DECL([], [OTOOL], [1],
+      [ldd/readelf like tool for Mach-O binaries on Mac OS X])
+    _LT_DECL([], [OTOOL64], [1],
+      [ldd/readelf like tool for 64 bit Mach-O binaries on Mac OS X 10.4])
+
+    AC_CACHE_CHECK([for -single_module linker flag],[lt_cv_apple_cc_single_mod],
+      [lt_cv_apple_cc_single_mod=no
+      if test -z "${LT_MULTI_MODULE}"; then
+	# By default we will add the -single_module flag. You can override
+	# by either setting the environment variable LT_MULTI_MODULE
+	# non-empty at configure time, or by adding -multi_module to the
+	# link flags.
+	rm -rf libconftest.dylib*
+	echo "int foo(void){return 1;}" > conftest.c
+	echo "$LTCC $LTCFLAGS $LDFLAGS -o libconftest.dylib \
+-dynamiclib -Wl,-single_module conftest.c" >&AS_MESSAGE_LOG_FD
+	$LTCC $LTCFLAGS $LDFLAGS -o libconftest.dylib \
+	  -dynamiclib -Wl,-single_module conftest.c 2>conftest.err
+        _lt_result=$?
+	if test -f libconftest.dylib && test ! -s conftest.err && test $_lt_result = 0; then
+	  lt_cv_apple_cc_single_mod=yes
+	else
+	  cat conftest.err >&AS_MESSAGE_LOG_FD
+	fi
+	rm -rf libconftest.dylib*
+	rm -f conftest.*
+      fi])
+    AC_CACHE_CHECK([for -exported_symbols_list linker flag],
+      [lt_cv_ld_exported_symbols_list],
+      [lt_cv_ld_exported_symbols_list=no
+      save_LDFLAGS=$LDFLAGS
+      echo "_main" > conftest.sym
+      LDFLAGS="$LDFLAGS -Wl,-exported_symbols_list,conftest.sym"
+      AC_LINK_IFELSE([AC_LANG_PROGRAM([],[])],
+	[lt_cv_ld_exported_symbols_list=yes],
+	[lt_cv_ld_exported_symbols_list=no])
+	LDFLAGS="$save_LDFLAGS"
+    ])
+    case $host_os in
+    rhapsody* | darwin1.[[012]])
+      _lt_dar_allow_undefined='${wl}-undefined ${wl}suppress' ;;
+    darwin1.*)
+      _lt_dar_allow_undefined='${wl}-flat_namespace ${wl}-undefined ${wl}suppress' ;;
+    darwin*) # darwin 5.x on
+      # if running on 10.5 or later, the deployment target defaults
+      # to the OS version, if on x86, and 10.4, the deployment
+      # target defaults to 10.4. Don't you love it?
+      case ${MACOSX_DEPLOYMENT_TARGET-10.0},$host in
+	10.0,*86*-darwin8*|10.0,*-darwin[[91]]*)
+	  _lt_dar_allow_undefined='${wl}-undefined ${wl}dynamic_lookup' ;;
+	10.[[012]]*)
+	  _lt_dar_allow_undefined='${wl}-flat_namespace ${wl}-undefined ${wl}suppress' ;;
+	10.*)
+	  _lt_dar_allow_undefined='${wl}-undefined ${wl}dynamic_lookup' ;;
+      esac
+    ;;
+  esac
+    if test "$lt_cv_apple_cc_single_mod" = "yes"; then
+      _lt_dar_single_mod='$single_module'
+    fi
+    if test "$lt_cv_ld_exported_symbols_list" = "yes"; then
+      _lt_dar_export_syms=' ${wl}-exported_symbols_list,$output_objdir/${libname}-symbols.expsym'
+    else
+      _lt_dar_export_syms='~$NMEDIT -s $output_objdir/${libname}-symbols.expsym ${lib}'
+    fi
+    if test "$DSYMUTIL" != ":"; then
+      _lt_dsymutil='~$DSYMUTIL $lib || :'
+    else
+      _lt_dsymutil=
+    fi
+    ;;
+  esac
+])
+
+
+# _LT_DARWIN_LINKER_FEATURES
+# --------------------------
+# Checks for linker and compiler features on darwin
+m4_defun([_LT_DARWIN_LINKER_FEATURES],
+[
+  m4_require([_LT_REQUIRED_DARWIN_CHECKS])
+  _LT_TAGVAR(archive_cmds_need_lc, $1)=no
+  _LT_TAGVAR(hardcode_direct, $1)=no
+  _LT_TAGVAR(hardcode_automatic, $1)=yes
+  _LT_TAGVAR(hardcode_shlibpath_var, $1)=unsupported
+  _LT_TAGVAR(whole_archive_flag_spec, $1)=''
+  _LT_TAGVAR(link_all_deplibs, $1)=yes
+  _LT_TAGVAR(allow_undefined_flag, $1)="$_lt_dar_allow_undefined"
+  case $cc_basename in
+     ifort*) _lt_dar_can_shared=yes ;;
+     *) _lt_dar_can_shared=$GCC ;;
+  esac
+  if test "$_lt_dar_can_shared" = "yes"; then
+    output_verbose_link_cmd=echo
+    _LT_TAGVAR(archive_cmds, $1)="\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$libobjs \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring $_lt_dar_single_mod${_lt_dsymutil}"
+    _LT_TAGVAR(module_cmds, $1)="\$CC \$allow_undefined_flag -o \$lib -bundle \$libobjs \$deplibs \$compiler_flags${_lt_dsymutil}"
+    _LT_TAGVAR(archive_expsym_cmds, $1)="sed 's,^,_,' < \$export_symbols > \$output_objdir/\${libname}-symbols.expsym~\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$libobjs \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring ${_lt_dar_single_mod}${_lt_dar_export_syms}${_lt_dsymutil}"
+    _LT_TAGVAR(module_expsym_cmds, $1)="sed -e 's,^,_,' < \$export_symbols > \$output_objdir/\${libname}-symbols.expsym~\$CC \$allow_undefined_flag -o \$lib -bundle \$libobjs \$deplibs \$compiler_flags${_lt_dar_export_syms}${_lt_dsymutil}"
+    m4_if([$1], [CXX],
+[   if test "$lt_cv_apple_cc_single_mod" != "yes"; then
+      _LT_TAGVAR(archive_cmds, $1)="\$CC -r -keep_private_externs -nostdlib -o \${lib}-master.o \$libobjs~\$CC -dynamiclib \$allow_undefined_flag -o \$lib \${lib}-master.o \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring${_lt_dsymutil}"
+      _LT_TAGVAR(archive_expsym_cmds, $1)="sed 's,^,_,' < \$export_symbols > \$output_objdir/\${libname}-symbols.expsym~\$CC -r -keep_private_externs -nostdlib -o \${lib}-master.o \$libobjs~\$CC -dynamiclib \$allow_undefined_flag -o \$lib \${lib}-master.o \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring${_lt_dar_export_syms}${_lt_dsymutil}"
+    fi
+],[])
+  else
+  _LT_TAGVAR(ld_shlibs, $1)=no
+  fi
+])
+
+# _LT_SYS_MODULE_PATH_AIX
+# -----------------------
+# Links a minimal program and checks the executable
+# for the system default hardcoded library path. In most cases,
+# this is /usr/lib:/lib, but when the MPI compilers are used
+# the location of the communication and MPI libs are included too.
+# If we don't find anything, use the default library path according
+# to the aix ld manual.
+m4_defun([_LT_SYS_MODULE_PATH_AIX],
+[m4_require([_LT_DECL_SED])dnl
+AC_LINK_IFELSE(AC_LANG_PROGRAM,[
+lt_aix_libpath_sed='
+    /Import File Strings/,/^$/ {
+	/^0/ {
+	    s/^0  *\(.*\)$/\1/
+	    p
+	}
+    }'
+aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
+# Check for a 64-bit object if we didn't find anything.
+if test -z "$aix_libpath"; then
+  aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
+fi],[])
+if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
+])# _LT_SYS_MODULE_PATH_AIX
+
+
+# _LT_SHELL_INIT(ARG)
+# -------------------
+m4_define([_LT_SHELL_INIT],
+[ifdef([AC_DIVERSION_NOTICE],
+	     [AC_DIVERT_PUSH(AC_DIVERSION_NOTICE)],
+	 [AC_DIVERT_PUSH(NOTICE)])
+$1
+AC_DIVERT_POP
+])# _LT_SHELL_INIT
+
+
+# _LT_PROG_ECHO_BACKSLASH
+# -----------------------
+# Add some code to the start of the generated configure script which
+# will find an echo command which doesn't interpret backslashes.
+m4_defun([_LT_PROG_ECHO_BACKSLASH],
+[_LT_SHELL_INIT([
+# Check that we are running under the correct shell.
+SHELL=${CONFIG_SHELL-/bin/sh}
+
+case X$lt_ECHO in
+X*--fallback-echo)
+  # Remove one level of quotation (which was required for Make).
+  ECHO=`echo "$lt_ECHO" | sed 's,\\\\\[$]\\[$]0,'[$]0','`
+  ;;
+esac
+
+ECHO=${lt_ECHO-echo}
+if test "X[$]1" = X--no-reexec; then
+  # Discard the --no-reexec flag, and continue.
+  shift
+elif test "X[$]1" = X--fallback-echo; then
+  # Avoid inline document here, it may be left over
+  :
+elif test "X`{ $ECHO '\t'; } 2>/dev/null`" = 'X\t' ; then
+  # Yippee, $ECHO works!
+  :
+else
+  # Restart under the correct shell.
+  exec $SHELL "[$]0" --no-reexec ${1+"[$]@"}
+fi
+
+if test "X[$]1" = X--fallback-echo; then
+  # used as fallback echo
+  shift
+  cat <<_LT_EOF
+[$]*
+_LT_EOF
+  exit 0
+fi
+
+# The HP-UX ksh and POSIX shell print the target directory to stdout
+# if CDPATH is set.
+(unset CDPATH) >/dev/null 2>&1 && unset CDPATH
+
+if test -z "$lt_ECHO"; then
+  if test "X${echo_test_string+set}" != Xset; then
+    # find a string as large as possible, as long as the shell can cope with it
+    for cmd in 'sed 50q "[$]0"' 'sed 20q "[$]0"' 'sed 10q "[$]0"' 'sed 2q "[$]0"' 'echo test'; do
+      # expected sizes: less than 2Kb, 1Kb, 512 bytes, 16 bytes, ...
+      if { echo_test_string=`eval $cmd`; } 2>/dev/null &&
+	 { test "X$echo_test_string" = "X$echo_test_string"; } 2>/dev/null
+      then
+        break
+      fi
+    done
+  fi
+
+  if test "X`{ $ECHO '\t'; } 2>/dev/null`" = 'X\t' &&
+     echo_testing_string=`{ $ECHO "$echo_test_string"; } 2>/dev/null` &&
+     test "X$echo_testing_string" = "X$echo_test_string"; then
+    :
+  else
+    # The Solaris, AIX, and Digital Unix default echo programs unquote
+    # backslashes.  This makes it impossible to quote backslashes using
+    #   echo "$something" | sed 's/\\/\\\\/g'
+    #
+    # So, first we look for a working echo in the user's PATH.
+
+    lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR
+    for dir in $PATH /usr/ucb; do
+      IFS="$lt_save_ifs"
+      if (test -f $dir/echo || test -f $dir/echo$ac_exeext) &&
+         test "X`($dir/echo '\t') 2>/dev/null`" = 'X\t' &&
+         echo_testing_string=`($dir/echo "$echo_test_string") 2>/dev/null` &&
+         test "X$echo_testing_string" = "X$echo_test_string"; then
+        ECHO="$dir/echo"
+        break
+      fi
+    done
+    IFS="$lt_save_ifs"
+
+    if test "X$ECHO" = Xecho; then
+      # We didn't find a better echo, so look for alternatives.
+      if test "X`{ print -r '\t'; } 2>/dev/null`" = 'X\t' &&
+         echo_testing_string=`{ print -r "$echo_test_string"; } 2>/dev/null` &&
+         test "X$echo_testing_string" = "X$echo_test_string"; then
+        # This shell has a builtin print -r that does the trick.
+        ECHO='print -r'
+      elif { test -f /bin/ksh || test -f /bin/ksh$ac_exeext; } &&
+	   test "X$CONFIG_SHELL" != X/bin/ksh; then
+        # If we have ksh, try running configure again with it.
+        ORIGINAL_CONFIG_SHELL=${CONFIG_SHELL-/bin/sh}
+        export ORIGINAL_CONFIG_SHELL
+        CONFIG_SHELL=/bin/ksh
+        export CONFIG_SHELL
+        exec $CONFIG_SHELL "[$]0" --no-reexec ${1+"[$]@"}
+      else
+        # Try using printf.
+        ECHO='printf %s\n'
+        if test "X`{ $ECHO '\t'; } 2>/dev/null`" = 'X\t' &&
+	   echo_testing_string=`{ $ECHO "$echo_test_string"; } 2>/dev/null` &&
+	   test "X$echo_testing_string" = "X$echo_test_string"; then
+	  # Cool, printf works
+	  :
+        elif echo_testing_string=`($ORIGINAL_CONFIG_SHELL "[$]0" --fallback-echo '\t') 2>/dev/null` &&
+	     test "X$echo_testing_string" = 'X\t' &&
+	     echo_testing_string=`($ORIGINAL_CONFIG_SHELL "[$]0" --fallback-echo "$echo_test_string") 2>/dev/null` &&
+	     test "X$echo_testing_string" = "X$echo_test_string"; then
+	  CONFIG_SHELL=$ORIGINAL_CONFIG_SHELL
+	  export CONFIG_SHELL
+	  SHELL="$CONFIG_SHELL"
+	  export SHELL
+	  ECHO="$CONFIG_SHELL [$]0 --fallback-echo"
+        elif echo_testing_string=`($CONFIG_SHELL "[$]0" --fallback-echo '\t') 2>/dev/null` &&
+	     test "X$echo_testing_string" = 'X\t' &&
+	     echo_testing_string=`($CONFIG_SHELL "[$]0" --fallback-echo "$echo_test_string") 2>/dev/null` &&
+	     test "X$echo_testing_string" = "X$echo_test_string"; then
+	  ECHO="$CONFIG_SHELL [$]0 --fallback-echo"
+        else
+	  # maybe with a smaller string...
+	  prev=:
+
+	  for cmd in 'echo test' 'sed 2q "[$]0"' 'sed 10q "[$]0"' 'sed 20q "[$]0"' 'sed 50q "[$]0"'; do
+	    if { test "X$echo_test_string" = "X`eval $cmd`"; } 2>/dev/null
+	    then
+	      break
+	    fi
+	    prev="$cmd"
+	  done
+
+	  if test "$prev" != 'sed 50q "[$]0"'; then
+	    echo_test_string=`eval $prev`
+	    export echo_test_string
+	    exec ${ORIGINAL_CONFIG_SHELL-${CONFIG_SHELL-/bin/sh}} "[$]0" ${1+"[$]@"}
+	  else
+	    # Oops.  We lost completely, so just stick with echo.
+	    ECHO=echo
+	  fi
+        fi
+      fi
+    fi
+  fi
+fi
+
+# Copy echo and quote the copy suitably for passing to libtool from
+# the Makefile, instead of quoting the original, which is used later.
+lt_ECHO=$ECHO
+if test "X$lt_ECHO" = "X$CONFIG_SHELL [$]0 --fallback-echo"; then
+   lt_ECHO="$CONFIG_SHELL \\\$\[$]0 --fallback-echo"
+fi
+
+AC_SUBST(lt_ECHO)
+])
+_LT_DECL([], [SHELL], [1], [Shell to use when invoking shell scripts])
+_LT_DECL([], [ECHO], [1],
+    [An echo program that does not interpret backslashes])
+])# _LT_PROG_ECHO_BACKSLASH
+
+
+# _LT_ENABLE_LOCK
+# ---------------
+m4_defun([_LT_ENABLE_LOCK],
+[AC_ARG_ENABLE([libtool-lock],
+  [AS_HELP_STRING([--disable-libtool-lock],
+    [avoid locking (might break parallel builds)])])
+test "x$enable_libtool_lock" != xno && enable_libtool_lock=yes
+
+# Some flags need to be propagated to the compiler or linker for good
+# libtool support.
+case $host in
+ia64-*-hpux*)
+  # Find out which ABI we are using.
+  echo 'int i;' > conftest.$ac_ext
+  if AC_TRY_EVAL(ac_compile); then
+    case `/usr/bin/file conftest.$ac_objext` in
+      *ELF-32*)
+	HPUX_IA64_MODE="32"
+	;;
+      *ELF-64*)
+	HPUX_IA64_MODE="64"
+	;;
+    esac
+  fi
+  rm -rf conftest*
+  ;;
+*-*-irix6*)
+  # Find out which ABI we are using.
+  echo '[#]line __oline__ "configure"' > conftest.$ac_ext
+  if AC_TRY_EVAL(ac_compile); then
+    if test "$lt_cv_prog_gnu_ld" = yes; then
+      case `/usr/bin/file conftest.$ac_objext` in
+	*32-bit*)
+	  LD="${LD-ld} -melf32bsmip"
+	  ;;
+	*N32*)
+	  LD="${LD-ld} -melf32bmipn32"
+	  ;;
+	*64-bit*)
+	  LD="${LD-ld} -melf64bmip"
+	;;
+      esac
+    else
+      case `/usr/bin/file conftest.$ac_objext` in
+	*32-bit*)
+	  LD="${LD-ld} -32"
+	  ;;
+	*N32*)
+	  LD="${LD-ld} -n32"
+	  ;;
+	*64-bit*)
+	  LD="${LD-ld} -64"
+	  ;;
+      esac
+    fi
+  fi
+  rm -rf conftest*
+  ;;
+
+x86_64-*kfreebsd*-gnu|x86_64-*linux*|ppc*-*linux*|powerpc*-*linux*| \
+s390*-*linux*|s390*-*tpf*|sparc*-*linux*)
+  # Find out which ABI we are using.
+  echo 'int i;' > conftest.$ac_ext
+  if AC_TRY_EVAL(ac_compile); then
+    case `/usr/bin/file conftest.o` in
+      *32-bit*)
+	case $host in
+	  x86_64-*kfreebsd*-gnu)
+	    LD="${LD-ld} -m elf_i386_fbsd"
+	    ;;
+	  x86_64-*linux*)
+	    LD="${LD-ld} -m elf_i386"
+	    ;;
+	  ppc64-*linux*|powerpc64-*linux*)
+	    LD="${LD-ld} -m elf32ppclinux"
+	    ;;
+	  s390x-*linux*)
+	    LD="${LD-ld} -m elf_s390"
+	    ;;
+	  sparc64-*linux*)
+	    LD="${LD-ld} -m elf32_sparc"
+	    ;;
+	esac
+	;;
+      *64-bit*)
+	case $host in
+	  x86_64-*kfreebsd*-gnu)
+	    LD="${LD-ld} -m elf_x86_64_fbsd"
+	    ;;
+	  x86_64-*linux*)
+	    LD="${LD-ld} -m elf_x86_64"
+	    ;;
+	  ppc*-*linux*|powerpc*-*linux*)
+	    LD="${LD-ld} -m elf64ppc"
+	    ;;
+	  s390*-*linux*|s390*-*tpf*)
+	    LD="${LD-ld} -m elf64_s390"
+	    ;;
+	  sparc*-*linux*)
+	    LD="${LD-ld} -m elf64_sparc"
+	    ;;
+	esac
+	;;
+    esac
+  fi
+  rm -rf conftest*
+  ;;
+
+*-*-sco3.2v5*)
+  # On SCO OpenServer 5, we need -belf to get full-featured binaries.
+  SAVE_CFLAGS="$CFLAGS"
+  CFLAGS="$CFLAGS -belf"
+  AC_CACHE_CHECK([whether the C compiler needs -belf], lt_cv_cc_needs_belf,
+    [AC_LANG_PUSH(C)
+     AC_LINK_IFELSE([AC_LANG_PROGRAM([[]],[[]])],[lt_cv_cc_needs_belf=yes],[lt_cv_cc_needs_belf=no])
+     AC_LANG_POP])
+  if test x"$lt_cv_cc_needs_belf" != x"yes"; then
+    # this is probably gcc 2.8.0, egcs 1.0 or newer; no need for -belf
+    CFLAGS="$SAVE_CFLAGS"
+  fi
+  ;;
+sparc*-*solaris*)
+  # Find out which ABI we are using.
+  echo 'int i;' > conftest.$ac_ext
+  if AC_TRY_EVAL(ac_compile); then
+    case `/usr/bin/file conftest.o` in
+    *64-bit*)
+      case $lt_cv_prog_gnu_ld in
+      yes*) LD="${LD-ld} -m elf64_sparc" ;;
+      *)
+	if ${LD-ld} -64 -r -o conftest2.o conftest.o >/dev/null 2>&1; then
+	  LD="${LD-ld} -64"
+	fi
+	;;
+      esac
+      ;;
+    esac
+  fi
+  rm -rf conftest*
+  ;;
+esac
+
+need_locks="$enable_libtool_lock"
+])# _LT_ENABLE_LOCK
+
+
+# _LT_CMD_OLD_ARCHIVE
+# -------------------
+m4_defun([_LT_CMD_OLD_ARCHIVE],
+[AC_CHECK_TOOL(AR, ar, false)
+test -z "$AR" && AR=ar
+test -z "$AR_FLAGS" && AR_FLAGS=cru
+_LT_DECL([], [AR], [1], [The archiver])
+_LT_DECL([], [AR_FLAGS], [1])
+
+AC_CHECK_TOOL(STRIP, strip, :)
+test -z "$STRIP" && STRIP=:
+_LT_DECL([], [STRIP], [1], [A symbol stripping program])
+
+AC_CHECK_TOOL(RANLIB, ranlib, :)
+test -z "$RANLIB" && RANLIB=:
+_LT_DECL([], [RANLIB], [1],
+    [Commands used to install an old-style archive])
+
+# Determine commands to create old-style static archives.
+old_archive_cmds='$AR $AR_FLAGS $oldlib$oldobjs'
+old_postinstall_cmds='chmod 644 $oldlib'
+old_postuninstall_cmds=
+
+if test -n "$RANLIB"; then
+  case $host_os in
+  openbsd*)
+    old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB -t \$oldlib"
+    ;;
+  *)
+    old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB \$oldlib"
+    ;;
+  esac
+  old_archive_cmds="$old_archive_cmds~\$RANLIB \$oldlib"
+fi
+_LT_DECL([], [old_postinstall_cmds], [2])
+_LT_DECL([], [old_postuninstall_cmds], [2])
+_LT_TAGDECL([], [old_archive_cmds], [2],
+    [Commands used to build an old-style archive])
+])# _LT_CMD_OLD_ARCHIVE
+
+
+# _LT_COMPILER_OPTION(MESSAGE, VARIABLE-NAME, FLAGS,
+#		[OUTPUT-FILE], [ACTION-SUCCESS], [ACTION-FAILURE])
+# ----------------------------------------------------------------
+# Check whether the given compiler option works
+AC_DEFUN([_LT_COMPILER_OPTION],
+[m4_require([_LT_FILEUTILS_DEFAULTS])dnl
+m4_require([_LT_DECL_SED])dnl
+AC_CACHE_CHECK([$1], [$2],
+  [$2=no
+   m4_if([$4], , [ac_outfile=conftest.$ac_objext], [ac_outfile=$4])
+   echo "$lt_simple_compile_test_code" > conftest.$ac_ext
+   lt_compiler_flag="$3"
+   # Insert the option either (1) after the last *FLAGS variable, or
+   # (2) before a word containing "conftest.", or (3) at the end.
+   # Note that $ac_compile itself does not contain backslashes and begins
+   # with a dollar sign (not a hyphen), so the echo should work correctly.
+   # The option is referenced via a variable to avoid confusing sed.
+   lt_compile=`echo "$ac_compile" | $SED \
+   -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
+   -e 's: [[^ ]]*conftest\.: $lt_compiler_flag&:; t' \
+   -e 's:$: $lt_compiler_flag:'`
+   (eval echo "\"\$as_me:__oline__: $lt_compile\"" >&AS_MESSAGE_LOG_FD)
+   (eval "$lt_compile" 2>conftest.err)
+   ac_status=$?
+   cat conftest.err >&AS_MESSAGE_LOG_FD
+   echo "$as_me:__oline__: \$? = $ac_status" >&AS_MESSAGE_LOG_FD
+   if (exit $ac_status) && test -s "$ac_outfile"; then
+     # The compiler can only warn and ignore the option if not recognized
+     # So say no if there are warnings other than the usual output.
+     $ECHO "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' >conftest.exp
+     $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2
+     if test ! -s conftest.er2 || diff conftest.exp conftest.er2 >/dev/null; then
+       $2=yes
+     fi
+   fi
+   $RM conftest*
+])
+
+if test x"[$]$2" = xyes; then
+    m4_if([$5], , :, [$5])
+else
+    m4_if([$6], , :, [$6])
+fi
+])# _LT_COMPILER_OPTION
+
+# Old name:
+AU_ALIAS([AC_LIBTOOL_COMPILER_OPTION], [_LT_COMPILER_OPTION])
+dnl aclocal-1.4 backwards compatibility:
+dnl AC_DEFUN([AC_LIBTOOL_COMPILER_OPTION], [])
+
+
+# _LT_LINKER_OPTION(MESSAGE, VARIABLE-NAME, FLAGS,
+#                  [ACTION-SUCCESS], [ACTION-FAILURE])
+# ----------------------------------------------------
+# Check whether the given linker option works
+AC_DEFUN([_LT_LINKER_OPTION],
+[m4_require([_LT_FILEUTILS_DEFAULTS])dnl
+m4_require([_LT_DECL_SED])dnl
+AC_CACHE_CHECK([$1], [$2],
+  [$2=no
+   save_LDFLAGS="$LDFLAGS"
+   LDFLAGS="$LDFLAGS $3"
+   echo "$lt_simple_link_test_code" > conftest.$ac_ext
+   if (eval $ac_link 2>conftest.err) && test -s conftest$ac_exeext; then
+     # The linker can only warn and ignore the option if not recognized
+     # So say no if there are warnings
+     if test -s conftest.err; then
+       # Append any errors to the config.log.
+       cat conftest.err 1>&AS_MESSAGE_LOG_FD
+       $ECHO "X$_lt_linker_boilerplate" | $Xsed -e '/^$/d' > conftest.exp
+       $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2
+       if diff conftest.exp conftest.er2 >/dev/null; then
+         $2=yes
+       fi
+     else
+       $2=yes
+     fi
+   fi
+   $RM -r conftest*
+   LDFLAGS="$save_LDFLAGS"
+])
+
+if test x"[$]$2" = xyes; then
+    m4_if([$4], , :, [$4])
+else
+    m4_if([$5], , :, [$5])
+fi
+])# _LT_LINKER_OPTION
+
+# Old name:
+AU_ALIAS([AC_LIBTOOL_LINKER_OPTION], [_LT_LINKER_OPTION])
+dnl aclocal-1.4 backwards compatibility:
+dnl AC_DEFUN([AC_LIBTOOL_LINKER_OPTION], [])
+
+
+# LT_CMD_MAX_LEN
+#---------------
+AC_DEFUN([LT_CMD_MAX_LEN],
+[AC_REQUIRE([AC_CANONICAL_HOST])dnl
+# find the maximum length of command line arguments
+AC_MSG_CHECKING([the maximum length of command line arguments])
+AC_CACHE_VAL([lt_cv_sys_max_cmd_len], [dnl
+  i=0
+  teststring="ABCD"
+
+  case $build_os in
+  msdosdjgpp*)
+    # On DJGPP, this test can blow up pretty badly due to problems in libc
+    # (any single argument exceeding 2000 bytes causes a buffer overrun
+    # during glob expansion).  Even if it were fixed, the result of this
+    # check would be larger than it should be.
+    lt_cv_sys_max_cmd_len=12288;    # 12K is about right
+    ;;
+
+  gnu*)
+    # Under GNU Hurd, this test is not required because there is
+    # no limit to the length of command line arguments.
+    # Libtool will interpret -1 as no limit whatsoever
+    lt_cv_sys_max_cmd_len=-1;
+    ;;
+
+  cygwin* | mingw* | cegcc*)
+    # On Win9x/ME, this test blows up -- it succeeds, but takes
+    # about 5 minutes as the teststring grows exponentially.
+    # Worse, since 9x/ME are not pre-emptively multitasking,
+    # you end up with a "frozen" computer, even though with patience
+    # the test eventually succeeds (with a max line length of 256k).
+    # Instead, let's just punt: use the minimum linelength reported by
+    # all of the supported platforms: 8192 (on NT/2K/XP).
+    lt_cv_sys_max_cmd_len=8192;
+    ;;
+
+  amigaos*)
+    # On AmigaOS with pdksh, this test takes hours, literally.
+    # So we just punt and use a minimum line length of 8192.
+    lt_cv_sys_max_cmd_len=8192;
+    ;;
+
+  netbsd* | freebsd* | openbsd* | darwin* | dragonfly*)
+    # This has been around since 386BSD, at least.  Likely further.
+    if test -x /sbin/sysctl; then
+      lt_cv_sys_max_cmd_len=`/sbin/sysctl -n kern.argmax`
+    elif test -x /usr/sbin/sysctl; then
+      lt_cv_sys_max_cmd_len=`/usr/sbin/sysctl -n kern.argmax`
+    else
+      lt_cv_sys_max_cmd_len=65536	# usable default for all BSDs
+    fi
+    # And add a safety zone
+    lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 4`
+    lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \* 3`
+    ;;
+
+  interix*)
+    # We know the value 262144 and hardcode it with a safety zone (like BSD)
+    lt_cv_sys_max_cmd_len=196608
+    ;;
+
+  osf*)
+    # Dr. Hans Ekkehard Plesser reports seeing a kernel panic running configure
+    # due to this test when exec_disable_arg_limit is 1 on Tru64. It is not
+    # nice to cause kernel panics so lets avoid the loop below.
+    # First set a reasonable default.
+    lt_cv_sys_max_cmd_len=16384
+    #
+    if test -x /sbin/sysconfig; then
+      case `/sbin/sysconfig -q proc exec_disable_arg_limit` in
+        *1*) lt_cv_sys_max_cmd_len=-1 ;;
+      esac
+    fi
+    ;;
+  sco3.2v5*)
+    lt_cv_sys_max_cmd_len=102400
+    ;;
+  sysv5* | sco5v6* | sysv4.2uw2*)
+    kargmax=`grep ARG_MAX /etc/conf/cf.d/stune 2>/dev/null`
+    if test -n "$kargmax"; then
+      lt_cv_sys_max_cmd_len=`echo $kargmax | sed 's/.*[[	 ]]//'`
+    else
+      lt_cv_sys_max_cmd_len=32768
+    fi
+    ;;
+  *)
+    lt_cv_sys_max_cmd_len=`(getconf ARG_MAX) 2> /dev/null`
+    if test -n "$lt_cv_sys_max_cmd_len"; then
+      lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 4`
+      lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \* 3`
+    else
+      # Make teststring a little bigger before we do anything with it.
+      # a 1K string should be a reasonable start.
+      for i in 1 2 3 4 5 6 7 8 ; do
+        teststring=$teststring$teststring
+      done
+      SHELL=${SHELL-${CONFIG_SHELL-/bin/sh}}
+      # If test is not a shell built-in, we'll probably end up computing a
+      # maximum length that is only half of the actual maximum length, but
+      # we can't tell.
+      while { test "X"`$SHELL [$]0 --fallback-echo "X$teststring$teststring" 2>/dev/null` \
+	         = "XX$teststring$teststring"; } >/dev/null 2>&1 &&
+	      test $i != 17 # 1/2 MB should be enough
+      do
+        i=`expr $i + 1`
+        teststring=$teststring$teststring
+      done
+      # Only check the string length outside the loop.
+      lt_cv_sys_max_cmd_len=`expr "X$teststring" : ".*" 2>&1`
+      teststring=
+      # Add a significant safety factor because C++ compilers can tack on
+      # massive amounts of additional arguments before passing them to the
+      # linker.  It appears as though 1/2 is a usable value.
+      lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 2`
+    fi
+    ;;
+  esac
+])
+if test -n $lt_cv_sys_max_cmd_len ; then
+  AC_MSG_RESULT($lt_cv_sys_max_cmd_len)
+else
+  AC_MSG_RESULT(none)
+fi
+max_cmd_len=$lt_cv_sys_max_cmd_len
+_LT_DECL([], [max_cmd_len], [0],
+    [What is the maximum length of a command?])
+])# LT_CMD_MAX_LEN
+
+# Old name:
+AU_ALIAS([AC_LIBTOOL_SYS_MAX_CMD_LEN], [LT_CMD_MAX_LEN])
+dnl aclocal-1.4 backwards compatibility:
+dnl AC_DEFUN([AC_LIBTOOL_SYS_MAX_CMD_LEN], [])
+
+
+# _LT_HEADER_DLFCN
+# ----------------
+m4_defun([_LT_HEADER_DLFCN],
+[AC_CHECK_HEADERS([dlfcn.h], [], [], [AC_INCLUDES_DEFAULT])dnl
+])# _LT_HEADER_DLFCN
+
+
+# _LT_TRY_DLOPEN_SELF (ACTION-IF-TRUE, ACTION-IF-TRUE-W-USCORE,
+#                      ACTION-IF-FALSE, ACTION-IF-CROSS-COMPILING)
+# ----------------------------------------------------------------
+m4_defun([_LT_TRY_DLOPEN_SELF],
+[m4_require([_LT_HEADER_DLFCN])dnl
+if test "$cross_compiling" = yes; then :
+  [$4]
+else
+  lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
+  lt_status=$lt_dlunknown
+  cat > conftest.$ac_ext <<_LT_EOF
+[#line __oline__ "configure"
+#include "confdefs.h"
+
+#if HAVE_DLFCN_H
+#include <dlfcn.h>
+#endif
+
+#include <stdio.h>
+
+#ifdef RTLD_GLOBAL
+#  define LT_DLGLOBAL		RTLD_GLOBAL
+#else
+#  ifdef DL_GLOBAL
+#    define LT_DLGLOBAL		DL_GLOBAL
+#  else
+#    define LT_DLGLOBAL		0
+#  endif
+#endif
+
+/* We may have to define LT_DLLAZY_OR_NOW in the command line if we
+   find out it does not work in some platform. */
+#ifndef LT_DLLAZY_OR_NOW
+#  ifdef RTLD_LAZY
+#    define LT_DLLAZY_OR_NOW		RTLD_LAZY
+#  else
+#    ifdef DL_LAZY
+#      define LT_DLLAZY_OR_NOW		DL_LAZY
+#    else
+#      ifdef RTLD_NOW
+#        define LT_DLLAZY_OR_NOW	RTLD_NOW
+#      else
+#        ifdef DL_NOW
+#          define LT_DLLAZY_OR_NOW	DL_NOW
+#        else
+#          define LT_DLLAZY_OR_NOW	0
+#        endif
+#      endif
+#    endif
+#  endif
+#endif
+
+void fnord() { int i=42;}
+int main ()
+{
+  void *self = dlopen (0, LT_DLGLOBAL|LT_DLLAZY_OR_NOW);
+  int status = $lt_dlunknown;
+
+  if (self)
+    {
+      if (dlsym (self,"fnord"))       status = $lt_dlno_uscore;
+      else if (dlsym( self,"_fnord")) status = $lt_dlneed_uscore;
+      /* dlclose (self); */
+    }
+  else
+    puts (dlerror ());
+
+  return status;
+}]
+_LT_EOF
+  if AC_TRY_EVAL(ac_link) && test -s conftest${ac_exeext} 2>/dev/null; then
+    (./conftest; exit; ) >&AS_MESSAGE_LOG_FD 2>/dev/null
+    lt_status=$?
+    case x$lt_status in
+      x$lt_dlno_uscore) $1 ;;
+      x$lt_dlneed_uscore) $2 ;;
+      x$lt_dlunknown|x*) $3 ;;
+    esac
+  else :
+    # compilation failed
+    $3
+  fi
+fi
+rm -fr conftest*
+])# _LT_TRY_DLOPEN_SELF
+
+
+# LT_SYS_DLOPEN_SELF
+# ------------------
+AC_DEFUN([LT_SYS_DLOPEN_SELF],
+[m4_require([_LT_HEADER_DLFCN])dnl
+if test "x$enable_dlopen" != xyes; then
+  enable_dlopen=unknown
+  enable_dlopen_self=unknown
+  enable_dlopen_self_static=unknown
+else
+  lt_cv_dlopen=no
+  lt_cv_dlopen_libs=
+
+  case $host_os in
+  beos*)
+    lt_cv_dlopen="load_add_on"
+    lt_cv_dlopen_libs=
+    lt_cv_dlopen_self=yes
+    ;;
+
+  mingw* | pw32* | cegcc*)
+    lt_cv_dlopen="LoadLibrary"
+    lt_cv_dlopen_libs=
+    ;;
+
+  cygwin*)
+    lt_cv_dlopen="dlopen"
+    lt_cv_dlopen_libs=
+    ;;
+
+  darwin*)
+  # if libdl is installed we need to link against it
+    AC_CHECK_LIB([dl], [dlopen],
+		[lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-ldl"],[
+    lt_cv_dlopen="dyld"
+    lt_cv_dlopen_libs=
+    lt_cv_dlopen_self=yes
+    ])
+    ;;
+
+  *)
+    AC_CHECK_FUNC([shl_load],
+	  [lt_cv_dlopen="shl_load"],
+      [AC_CHECK_LIB([dld], [shl_load],
+	    [lt_cv_dlopen="shl_load" lt_cv_dlopen_libs="-ldld"],
+	[AC_CHECK_FUNC([dlopen],
+	      [lt_cv_dlopen="dlopen"],
+	  [AC_CHECK_LIB([dl], [dlopen],
+		[lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-ldl"],
+	    [AC_CHECK_LIB([svld], [dlopen],
+		  [lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-lsvld"],
+	      [AC_CHECK_LIB([dld], [dld_link],
+		    [lt_cv_dlopen="dld_link" lt_cv_dlopen_libs="-ldld"])
+	      ])
+	    ])
+	  ])
+	])
+      ])
+    ;;
+  esac
+
+  if test "x$lt_cv_dlopen" != xno; then
+    enable_dlopen=yes
+  else
+    enable_dlopen=no
+  fi
+
+  case $lt_cv_dlopen in
+  dlopen)
+    save_CPPFLAGS="$CPPFLAGS"
+    test "x$ac_cv_header_dlfcn_h" = xyes && CPPFLAGS="$CPPFLAGS -DHAVE_DLFCN_H"
+
+    save_LDFLAGS="$LDFLAGS"
+    wl=$lt_prog_compiler_wl eval LDFLAGS=\"\$LDFLAGS $export_dynamic_flag_spec\"
+
+    save_LIBS="$LIBS"
+    LIBS="$lt_cv_dlopen_libs $LIBS"
+
+    AC_CACHE_CHECK([whether a program can dlopen itself],
+	  lt_cv_dlopen_self, [dnl
+	  _LT_TRY_DLOPEN_SELF(
+	    lt_cv_dlopen_self=yes, lt_cv_dlopen_self=yes,
+	    lt_cv_dlopen_self=no, lt_cv_dlopen_self=cross)
+    ])
+
+    if test "x$lt_cv_dlopen_self" = xyes; then
+      wl=$lt_prog_compiler_wl eval LDFLAGS=\"\$LDFLAGS $lt_prog_compiler_static\"
+      AC_CACHE_CHECK([whether a statically linked program can dlopen itself],
+	  lt_cv_dlopen_self_static, [dnl
+	  _LT_TRY_DLOPEN_SELF(
+	    lt_cv_dlopen_self_static=yes, lt_cv_dlopen_self_static=yes,
+	    lt_cv_dlopen_self_static=no,  lt_cv_dlopen_self_static=cross)
+      ])
+    fi
+
+    CPPFLAGS="$save_CPPFLAGS"
+    LDFLAGS="$save_LDFLAGS"
+    LIBS="$save_LIBS"
+    ;;
+  esac
+
+  case $lt_cv_dlopen_self in
+  yes|no) enable_dlopen_self=$lt_cv_dlopen_self ;;
+  *) enable_dlopen_self=unknown ;;
+  esac
+
+  case $lt_cv_dlopen_self_static in
+  yes|no) enable_dlopen_self_static=$lt_cv_dlopen_self_static ;;
+  *) enable_dlopen_self_static=unknown ;;
+  esac
+fi
+_LT_DECL([dlopen_support], [enable_dlopen], [0],
+	 [Whether dlopen is supported])
+_LT_DECL([dlopen_self], [enable_dlopen_self], [0],
+	 [Whether dlopen of programs is supported])
+_LT_DECL([dlopen_self_static], [enable_dlopen_self_static], [0],
+	 [Whether dlopen of statically linked programs is supported])
+])# LT_SYS_DLOPEN_SELF
+
+# Old name:
+AU_ALIAS([AC_LIBTOOL_DLOPEN_SELF], [LT_SYS_DLOPEN_SELF])
+dnl aclocal-1.4 backwards compatibility:
+dnl AC_DEFUN([AC_LIBTOOL_DLOPEN_SELF], [])
+
+
+# _LT_COMPILER_C_O([TAGNAME])
+# ---------------------------
+# Check to see if options -c and -o are simultaneously supported by compiler.
+# This macro does not hard code the compiler like AC_PROG_CC_C_O.
+m4_defun([_LT_COMPILER_C_O],
+[m4_require([_LT_DECL_SED])dnl
+m4_require([_LT_FILEUTILS_DEFAULTS])dnl
+m4_require([_LT_TAG_COMPILER])dnl
+AC_CACHE_CHECK([if $compiler supports -c -o file.$ac_objext],
+  [_LT_TAGVAR(lt_cv_prog_compiler_c_o, $1)],
+  [_LT_TAGVAR(lt_cv_prog_compiler_c_o, $1)=no
+   $RM -r conftest 2>/dev/null
+   mkdir conftest
+   cd conftest
+   mkdir out
+   echo "$lt_simple_compile_test_code" > conftest.$ac_ext
+
+   lt_compiler_flag="-o out/conftest2.$ac_objext"
+   # Insert the option either (1) after the last *FLAGS variable, or
+   # (2) before a word containing "conftest.", or (3) at the end.
+   # Note that $ac_compile itself does not contain backslashes and begins
+   # with a dollar sign (not a hyphen), so the echo should work correctly.
+   lt_compile=`echo "$ac_compile" | $SED \
+   -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
+   -e 's: [[^ ]]*conftest\.: $lt_compiler_flag&:; t' \
+   -e 's:$: $lt_compiler_flag:'`
+   (eval echo "\"\$as_me:__oline__: $lt_compile\"" >&AS_MESSAGE_LOG_FD)
+   (eval "$lt_compile" 2>out/conftest.err)
+   ac_status=$?
+   cat out/conftest.err >&AS_MESSAGE_LOG_FD
+   echo "$as_me:__oline__: \$? = $ac_status" >&AS_MESSAGE_LOG_FD
+   if (exit $ac_status) && test -s out/conftest2.$ac_objext
+   then
+     # The compiler can only warn and ignore the option if not recognized
+     # So say no if there are warnings
+     $ECHO "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' > out/conftest.exp
+     $SED '/^$/d; /^ *+/d' out/conftest.err >out/conftest.er2
+     if test ! -s out/conftest.er2 || diff out/conftest.exp out/conftest.er2 >/dev/null; then
+       _LT_TAGVAR(lt_cv_prog_compiler_c_o, $1)=yes
+     fi
+   fi
+   chmod u+w . 2>&AS_MESSAGE_LOG_FD
+   $RM conftest*
+   # SGI C++ compiler will create directory out/ii_files/ for
+   # template instantiation
+   test -d out/ii_files && $RM out/ii_files/* && rmdir out/ii_files
+   $RM out/* && rmdir out
+   cd ..
+   $RM -r conftest
+   $RM conftest*
+])
+_LT_TAGDECL([compiler_c_o], [lt_cv_prog_compiler_c_o], [1],
+	[Does compiler simultaneously support -c and -o options?])
+])# _LT_COMPILER_C_O
+
+
+# _LT_COMPILER_FILE_LOCKS([TAGNAME])
+# ----------------------------------
+# Check to see if we can do hard links to lock some files if needed
+m4_defun([_LT_COMPILER_FILE_LOCKS],
+[m4_require([_LT_ENABLE_LOCK])dnl
+m4_require([_LT_FILEUTILS_DEFAULTS])dnl
+_LT_COMPILER_C_O([$1])
+
+hard_links="nottested"
+if test "$_LT_TAGVAR(lt_cv_prog_compiler_c_o, $1)" = no && test "$need_locks" != no; then
+  # do not overwrite the value of need_locks provided by the user
+  AC_MSG_CHECKING([if we can lock with hard links])
+  hard_links=yes
+  $RM conftest*
+  ln conftest.a conftest.b 2>/dev/null && hard_links=no
+  touch conftest.a
+  ln conftest.a conftest.b 2>&5 || hard_links=no
+  ln conftest.a conftest.b 2>/dev/null && hard_links=no
+  AC_MSG_RESULT([$hard_links])
+  if test "$hard_links" = no; then
+    AC_MSG_WARN([`$CC' does not support `-c -o', so `make -j' may be unsafe])
+    need_locks=warn
+  fi
+else
+  need_locks=no
+fi
+_LT_DECL([], [need_locks], [1], [Must we lock files when doing compilation?])
+])# _LT_COMPILER_FILE_LOCKS
+
+
+# _LT_CHECK_OBJDIR
+# ----------------
+m4_defun([_LT_CHECK_OBJDIR],
+[AC_CACHE_CHECK([for objdir], [lt_cv_objdir],
+[rm -f .libs 2>/dev/null
+mkdir .libs 2>/dev/null
+if test -d .libs; then
+  lt_cv_objdir=.libs
+else
+  # MS-DOS does not allow filenames that begin with a dot.
+  lt_cv_objdir=_libs
+fi
+rmdir .libs 2>/dev/null])
+objdir=$lt_cv_objdir
+_LT_DECL([], [objdir], [0],
+         [The name of the directory that contains temporary libtool files])dnl
+m4_pattern_allow([LT_OBJDIR])dnl
+AC_DEFINE_UNQUOTED(LT_OBJDIR, "$lt_cv_objdir/",
+  [Define to the sub-directory in which libtool stores uninstalled libraries.])
+])# _LT_CHECK_OBJDIR
+
+
+# _LT_LINKER_HARDCODE_LIBPATH([TAGNAME])
+# --------------------------------------
+# Check hardcoding attributes.
+m4_defun([_LT_LINKER_HARDCODE_LIBPATH],
+[AC_MSG_CHECKING([how to hardcode library paths into programs])
+_LT_TAGVAR(hardcode_action, $1)=
+if test -n "$_LT_TAGVAR(hardcode_libdir_flag_spec, $1)" ||
+   test -n "$_LT_TAGVAR(runpath_var, $1)" ||
+   test "X$_LT_TAGVAR(hardcode_automatic, $1)" = "Xyes" ; then
+
+  # We can hardcode non-existent directories.
+  if test "$_LT_TAGVAR(hardcode_direct, $1)" != no &&
+     # If the only mechanism to avoid hardcoding is shlibpath_var, we
+     # have to relink, otherwise we might link with an installed library
+     # when we should be linking with a yet-to-be-installed one
+     ## test "$_LT_TAGVAR(hardcode_shlibpath_var, $1)" != no &&
+     test "$_LT_TAGVAR(hardcode_minus_L, $1)" != no; then
+    # Linking always hardcodes the temporary library directory.
+    _LT_TAGVAR(hardcode_action, $1)=relink
+  else
+    # We can link without hardcoding, and we can hardcode nonexisting dirs.
+    _LT_TAGVAR(hardcode_action, $1)=immediate
+  fi
+else
+  # We cannot hardcode anything, or else we can only hardcode existing
+  # directories.
+  _LT_TAGVAR(hardcode_action, $1)=unsupported
+fi
+AC_MSG_RESULT([$_LT_TAGVAR(hardcode_action, $1)])
+
+if test "$_LT_TAGVAR(hardcode_action, $1)" = relink ||
+   test "$_LT_TAGVAR(inherit_rpath, $1)" = yes; then
+  # Fast installation is not supported
+  enable_fast_install=no
+elif test "$shlibpath_overrides_runpath" = yes ||
+     test "$enable_shared" = no; then
+  # Fast installation is not necessary
+  enable_fast_install=needless
+fi
+_LT_TAGDECL([], [hardcode_action], [0],
+    [How to hardcode a shared library path into an executable])
+])# _LT_LINKER_HARDCODE_LIBPATH
+
+
+# _LT_CMD_STRIPLIB
+# ----------------
+m4_defun([_LT_CMD_STRIPLIB],
+[m4_require([_LT_DECL_EGREP])
+striplib=
+old_striplib=
+AC_MSG_CHECKING([whether stripping libraries is possible])
+if test -n "$STRIP" && $STRIP -V 2>&1 | $GREP "GNU strip" >/dev/null; then
+  test -z "$old_striplib" && old_striplib="$STRIP --strip-debug"
+  test -z "$striplib" && striplib="$STRIP --strip-unneeded"
+  AC_MSG_RESULT([yes])
+else
+# FIXME - insert some real tests, host_os isn't really good enough
+  case $host_os in
+  darwin*)
+    if test -n "$STRIP" ; then
+      striplib="$STRIP -x"
+      old_striplib="$STRIP -S"
+      AC_MSG_RESULT([yes])
+    else
+      AC_MSG_RESULT([no])
+    fi
+    ;;
+  *)
+    AC_MSG_RESULT([no])
+    ;;
+  esac
+fi
+_LT_DECL([], [old_striplib], [1], [Commands to strip libraries])
+_LT_DECL([], [striplib], [1])
+])# _LT_CMD_STRIPLIB
+
+
+# _LT_SYS_DYNAMIC_LINKER([TAG])
+# -----------------------------
+# PORTME Fill in your ld.so characteristics
+m4_defun([_LT_SYS_DYNAMIC_LINKER],
+[AC_REQUIRE([AC_CANONICAL_HOST])dnl
+m4_require([_LT_DECL_EGREP])dnl
+m4_require([_LT_FILEUTILS_DEFAULTS])dnl
+m4_require([_LT_DECL_OBJDUMP])dnl
+m4_require([_LT_DECL_SED])dnl
+AC_MSG_CHECKING([dynamic linker characteristics])
+m4_if([$1],
+	[], [
+if test "$GCC" = yes; then
+  case $host_os in
+    darwin*) lt_awk_arg="/^libraries:/,/LR/" ;;
+    *) lt_awk_arg="/^libraries:/" ;;
+  esac
+  lt_search_path_spec=`$CC -print-search-dirs | awk $lt_awk_arg | $SED -e "s/^libraries://" -e "s,=/,/,g"`
+  if $ECHO "$lt_search_path_spec" | $GREP ';' >/dev/null ; then
+    # if the path contains ";" then we assume it to be the separator
+    # otherwise default to the standard path separator (i.e. ":") - it is
+    # assumed that no part of a normal pathname contains ";" but that should
+    # okay in the real world where ";" in dirpaths is itself problematic.
+    lt_search_path_spec=`$ECHO "$lt_search_path_spec" | $SED -e 's/;/ /g'`
+  else
+    lt_search_path_spec=`$ECHO "$lt_search_path_spec" | $SED  -e "s/$PATH_SEPARATOR/ /g"`
+  fi
+  # Ok, now we have the path, separated by spaces, we can step through it
+  # and add multilib dir if necessary.
+  lt_tmp_lt_search_path_spec=
+  lt_multi_os_dir=`$CC $CPPFLAGS $CFLAGS $LDFLAGS -print-multi-os-directory 2>/dev/null`
+  for lt_sys_path in $lt_search_path_spec; do
+    if test -d "$lt_sys_path/$lt_multi_os_dir"; then
+      lt_tmp_lt_search_path_spec="$lt_tmp_lt_search_path_spec $lt_sys_path/$lt_multi_os_dir"
+    else
+      test -d "$lt_sys_path" && \
+	lt_tmp_lt_search_path_spec="$lt_tmp_lt_search_path_spec $lt_sys_path"
+    fi
+  done
+  lt_search_path_spec=`$ECHO $lt_tmp_lt_search_path_spec | awk '
+BEGIN {RS=" "; FS="/|\n";} {
+  lt_foo="";
+  lt_count=0;
+  for (lt_i = NF; lt_i > 0; lt_i--) {
+    if ($lt_i != "" && $lt_i != ".") {
+      if ($lt_i == "..") {
+        lt_count++;
+      } else {
+        if (lt_count == 0) {
+          lt_foo="/" $lt_i lt_foo;
+        } else {
+          lt_count--;
+        }
+      }
+    }
+  }
+  if (lt_foo != "") { lt_freq[[lt_foo]]++; }
+  if (lt_freq[[lt_foo]] == 1) { print lt_foo; }
+}'`
+  sys_lib_search_path_spec=`$ECHO $lt_search_path_spec`
+else
+  sys_lib_search_path_spec="/lib /usr/lib /usr/local/lib"
+fi])
+library_names_spec=
+libname_spec='lib$name'
+soname_spec=
+shrext_cmds=".so"
+postinstall_cmds=
+postuninstall_cmds=
+finish_cmds=
+finish_eval=
+shlibpath_var=
+shlibpath_overrides_runpath=unknown
+version_type=none
+dynamic_linker="$host_os ld.so"
+sys_lib_dlsearch_path_spec="/lib /usr/lib"
+need_lib_prefix=unknown
+hardcode_into_libs=no
+
+# when you set need_version to no, make sure it does not cause -set_version
+# flags to be left without arguments
+need_version=unknown
+
+case $host_os in
+aix3*)
+  version_type=linux
+  library_names_spec='${libname}${release}${shared_ext}$versuffix $libname.a'
+  shlibpath_var=LIBPATH
+
+  # AIX 3 has no versioning support, so we append a major version to the name.
+  soname_spec='${libname}${release}${shared_ext}$major'
+  ;;
+
+aix[[4-9]]*)
+  version_type=linux
+  need_lib_prefix=no
+  need_version=no
+  hardcode_into_libs=yes
+  if test "$host_cpu" = ia64; then
+    # AIX 5 supports IA64
+    library_names_spec='${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext}$versuffix $libname${shared_ext}'
+    shlibpath_var=LD_LIBRARY_PATH
+  else
+    # With GCC up to 2.95.x, collect2 would create an import file
+    # for dependence libraries.  The import file would start with
+    # the line `#! .'.  This would cause the generated library to
+    # depend on `.', always an invalid library.  This was fixed in
+    # development snapshots of GCC prior to 3.0.
+    case $host_os in
+      aix4 | aix4.[[01]] | aix4.[[01]].*)
+      if { echo '#if __GNUC__ > 2 || (__GNUC__ == 2 && __GNUC_MINOR__ >= 97)'
+	   echo ' yes '
+	   echo '#endif'; } | ${CC} -E - | $GREP yes > /dev/null; then
+	:
+      else
+	can_build_shared=no
+      fi
+      ;;
+    esac
+    # AIX (on Power*) has no versioning support, so currently we can not hardcode correct
+    # soname into executable. Probably we can add versioning support to
+    # collect2, so additional links can be useful in future.
+    if test "$aix_use_runtimelinking" = yes; then
+      # If using run time linking (on AIX 4.2 or later) use lib<name>.so
+      # instead of lib<name>.a to let people know that these are not
+      # typical AIX shared libraries.
+      library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+    else
+      # We preserve .a as extension for shared libraries through AIX4.2
+      # and later when we are not doing run time linking.
+      library_names_spec='${libname}${release}.a $libname.a'
+      soname_spec='${libname}${release}${shared_ext}$major'
+    fi
+    shlibpath_var=LIBPATH
+  fi
+  ;;
+
+amigaos*)
+  case $host_cpu in
+  powerpc)
+    # Since July 2007 AmigaOS4 officially supports .so libraries.
+    # When compiling the executable, add -use-dynld -Lsobjs: to the compileline.
+    library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+    ;;
+  m68k)
+    library_names_spec='$libname.ixlibrary $libname.a'
+    # Create ${libname}_ixlibrary.a entries in /sys/libs.
+    finish_eval='for lib in `ls $libdir/*.ixlibrary 2>/dev/null`; do libname=`$ECHO "X$lib" | $Xsed -e '\''s%^.*/\([[^/]]*\)\.ixlibrary$%\1%'\''`; test $RM /sys/libs/${libname}_ixlibrary.a; $show "cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a"; cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a || exit 1; done'
+    ;;
+  esac
+  ;;
+
+beos*)
+  library_names_spec='${libname}${shared_ext}'
+  dynamic_linker="$host_os ld.so"
+  shlibpath_var=LIBRARY_PATH
+  ;;
+
+bsdi[[45]]*)
+  version_type=linux
+  need_version=no
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  finish_cmds='PATH="\$PATH:/sbin" ldconfig $libdir'
+  shlibpath_var=LD_LIBRARY_PATH
+  sys_lib_search_path_spec="/shlib /usr/lib /usr/X11/lib /usr/contrib/lib /lib /usr/local/lib"
+  sys_lib_dlsearch_path_spec="/shlib /usr/lib /usr/local/lib"
+  # the default ld.so.conf also contains /usr/contrib/lib and
+  # /usr/X11R6/lib (/usr/X11 is a link to /usr/X11R6), but let us allow
+  # libtool to hard-code these into programs
+  ;;
+
+cygwin* | mingw* | pw32* | cegcc*)
+  version_type=windows
+  shrext_cmds=".dll"
+  need_version=no
+  need_lib_prefix=no
+
+  case $GCC,$host_os in
+  yes,cygwin* | yes,mingw* | yes,pw32* | yes,cegcc*)
+    library_names_spec='$libname.dll.a'
+    # DLL is installed to $(libdir)/../bin by postinstall_cmds
+    postinstall_cmds='base_file=`basename \${file}`~
+      dlpath=`$SHELL 2>&1 -c '\''. $dir/'\''\${base_file}'\''i; echo \$dlname'\''`~
+      dldir=$destdir/`dirname \$dlpath`~
+      test -d \$dldir || mkdir -p \$dldir~
+      $install_prog $dir/$dlname \$dldir/$dlname~
+      chmod a+x \$dldir/$dlname~
+      if test -n '\''$stripme'\'' && test -n '\''$striplib'\''; then
+        eval '\''$striplib \$dldir/$dlname'\'' || exit \$?;
+      fi'
+    postuninstall_cmds='dldll=`$SHELL 2>&1 -c '\''. $file; echo \$dlname'\''`~
+      dlpath=$dir/\$dldll~
+       $RM \$dlpath'
+    shlibpath_overrides_runpath=yes
+
+    case $host_os in
+    cygwin*)
+      # Cygwin DLLs use 'cyg' prefix rather than 'lib'
+      soname_spec='`echo ${libname} | sed -e 's/^lib/cyg/'``echo ${release} | $SED -e 's/[[.]]/-/g'`${versuffix}${shared_ext}'
+      sys_lib_search_path_spec="/usr/lib /lib/w32api /lib /usr/local/lib"
+      ;;
+    mingw* | cegcc*)
+      # MinGW DLLs use traditional 'lib' prefix
+      soname_spec='${libname}`echo ${release} | $SED -e 's/[[.]]/-/g'`${versuffix}${shared_ext}'
+      sys_lib_search_path_spec=`$CC -print-search-dirs | $GREP "^libraries:" | $SED -e "s/^libraries://" -e "s,=/,/,g"`
+      if $ECHO "$sys_lib_search_path_spec" | [$GREP ';[c-zC-Z]:/' >/dev/null]; then
+        # It is most probably a Windows format PATH printed by
+        # mingw gcc, but we are running on Cygwin. Gcc prints its search
+        # path with ; separators, and with drive letters. We can handle the
+        # drive letters (cygwin fileutils understands them), so leave them,
+        # especially as we might pass files found there to a mingw objdump,
+        # which wouldn't understand a cygwinified path. Ahh.
+        sys_lib_search_path_spec=`$ECHO "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'`
+      else
+        sys_lib_search_path_spec=`$ECHO "$sys_lib_search_path_spec" | $SED  -e "s/$PATH_SEPARATOR/ /g"`
+      fi
+      ;;
+    pw32*)
+      # pw32 DLLs use 'pw' prefix rather than 'lib'
+      library_names_spec='`echo ${libname} | sed -e 's/^lib/pw/'``echo ${release} | $SED -e 's/[[.]]/-/g'`${versuffix}${shared_ext}'
+      ;;
+    esac
+    ;;
+
+  *)
+    library_names_spec='${libname}`echo ${release} | $SED -e 's/[[.]]/-/g'`${versuffix}${shared_ext} $libname.lib'
+    ;;
+  esac
+  dynamic_linker='Win32 ld.exe'
+  # FIXME: first we should search . and the directory the executable is in
+  shlibpath_var=PATH
+  ;;
+
+darwin* | rhapsody*)
+  dynamic_linker="$host_os dyld"
+  version_type=darwin
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='${libname}${release}${major}$shared_ext ${libname}$shared_ext'
+  soname_spec='${libname}${release}${major}$shared_ext'
+  shlibpath_overrides_runpath=yes
+  shlibpath_var=DYLD_LIBRARY_PATH
+  shrext_cmds='`test .$module = .yes && echo .so || echo .dylib`'
+m4_if([$1], [],[
+  sys_lib_search_path_spec="$sys_lib_search_path_spec /usr/local/lib"])
+  sys_lib_dlsearch_path_spec='/usr/local/lib /lib /usr/lib'
+  ;;
+
+dgux*)
+  version_type=linux
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname$shared_ext'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  shlibpath_var=LD_LIBRARY_PATH
+  ;;
+
+freebsd1*)
+  dynamic_linker=no
+  ;;
+
+freebsd* | dragonfly*)
+  # DragonFly does not have aout.  When/if they implement a new
+  # versioning mechanism, adjust this.
+  if test -x /usr/bin/objformat; then
+    objformat=`/usr/bin/objformat`
+  else
+    case $host_os in
+    freebsd[[123]]*) objformat=aout ;;
+    *) objformat=elf ;;
+    esac
+  fi
+  version_type=freebsd-$objformat
+  case $version_type in
+    freebsd-elf*)
+      library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext} $libname${shared_ext}'
+      need_version=no
+      need_lib_prefix=no
+      ;;
+    freebsd-*)
+      library_names_spec='${libname}${release}${shared_ext}$versuffix $libname${shared_ext}$versuffix'
+      need_version=yes
+      ;;
+  esac
+  shlibpath_var=LD_LIBRARY_PATH
+  case $host_os in
+  freebsd2*)
+    shlibpath_overrides_runpath=yes
+    ;;
+  freebsd3.[[01]]* | freebsdelf3.[[01]]*)
+    shlibpath_overrides_runpath=yes
+    hardcode_into_libs=yes
+    ;;
+  freebsd3.[[2-9]]* | freebsdelf3.[[2-9]]* | \
+  freebsd4.[[0-5]] | freebsdelf4.[[0-5]] | freebsd4.1.1 | freebsdelf4.1.1)
+    shlibpath_overrides_runpath=no
+    hardcode_into_libs=yes
+    ;;
+  *) # from 4.6 on, and DragonFly
+    shlibpath_overrides_runpath=yes
+    hardcode_into_libs=yes
+    ;;
+  esac
+  ;;
+
+gnu*)
+  version_type=linux
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}${major} ${libname}${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  shlibpath_var=LD_LIBRARY_PATH
+  hardcode_into_libs=yes
+  ;;
+
+hpux9* | hpux10* | hpux11*)
+  # Give a soname corresponding to the major version so that dld.sl refuses to
+  # link against other versions.
+  version_type=sunos
+  need_lib_prefix=no
+  need_version=no
+  case $host_cpu in
+  ia64*)
+    shrext_cmds='.so'
+    hardcode_into_libs=yes
+    dynamic_linker="$host_os dld.so"
+    shlibpath_var=LD_LIBRARY_PATH
+    shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
+    library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+    soname_spec='${libname}${release}${shared_ext}$major'
+    if test "X$HPUX_IA64_MODE" = X32; then
+      sys_lib_search_path_spec="/usr/lib/hpux32 /usr/local/lib/hpux32 /usr/local/lib"
+    else
+      sys_lib_search_path_spec="/usr/lib/hpux64 /usr/local/lib/hpux64"
+    fi
+    sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
+    ;;
+  hppa*64*)
+    shrext_cmds='.sl'
+    hardcode_into_libs=yes
+    dynamic_linker="$host_os dld.sl"
+    shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH
+    shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
+    library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+    soname_spec='${libname}${release}${shared_ext}$major'
+    sys_lib_search_path_spec="/usr/lib/pa20_64 /usr/ccs/lib/pa20_64"
+    sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
+    ;;
+  *)
+    shrext_cmds='.sl'
+    dynamic_linker="$host_os dld.sl"
+    shlibpath_var=SHLIB_PATH
+    shlibpath_overrides_runpath=no # +s is required to enable SHLIB_PATH
+    library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+    soname_spec='${libname}${release}${shared_ext}$major'
+    ;;
+  esac
+  # HP-UX runs *really* slowly unless shared libraries are mode 555.
+  postinstall_cmds='chmod 555 $lib'
+  ;;
+
+interix[[3-9]]*)
+  version_type=linux
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  dynamic_linker='Interix 3.x ld.so.1 (PE, like ELF)'
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=no
+  hardcode_into_libs=yes
+  ;;
+
+irix5* | irix6* | nonstopux*)
+  case $host_os in
+    nonstopux*) version_type=nonstopux ;;
+    *)
+	if test "$lt_cv_prog_gnu_ld" = yes; then
+		version_type=linux
+	else
+		version_type=irix
+	fi ;;
+  esac
+  need_lib_prefix=no
+  need_version=no
+  soname_spec='${libname}${release}${shared_ext}$major'
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext} $libname${shared_ext}'
+  case $host_os in
+  irix5* | nonstopux*)
+    libsuff= shlibsuff=
+    ;;
+  *)
+    case $LD in # libtool.m4 will add one of these switches to LD
+    *-32|*"-32 "|*-melf32bsmip|*"-melf32bsmip ")
+      libsuff= shlibsuff= libmagic=32-bit;;
+    *-n32|*"-n32 "|*-melf32bmipn32|*"-melf32bmipn32 ")
+      libsuff=32 shlibsuff=N32 libmagic=N32;;
+    *-64|*"-64 "|*-melf64bmip|*"-melf64bmip ")
+      libsuff=64 shlibsuff=64 libmagic=64-bit;;
+    *) libsuff= shlibsuff= libmagic=never-match;;
+    esac
+    ;;
+  esac
+  shlibpath_var=LD_LIBRARY${shlibsuff}_PATH
+  shlibpath_overrides_runpath=no
+  sys_lib_search_path_spec="/usr/lib${libsuff} /lib${libsuff} /usr/local/lib${libsuff}"
+  sys_lib_dlsearch_path_spec="/usr/lib${libsuff} /lib${libsuff}"
+  hardcode_into_libs=yes
+  ;;
+
+# No shared lib support for Linux oldld, aout, or coff.
+linux*oldld* | linux*aout* | linux*coff*)
+  dynamic_linker=no
+  ;;
+
+# This must be Linux ELF.
+linux* | k*bsd*-gnu)
+  version_type=linux
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  finish_cmds='PATH="\$PATH:/sbin" ldconfig -n $libdir'
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=no
+  # Some binutils ld are patched to set DT_RUNPATH
+  save_LDFLAGS=$LDFLAGS
+  save_libdir=$libdir
+  eval "libdir=/foo; wl=\"$_LT_TAGVAR(lt_prog_compiler_wl, $1)\"; \
+       LDFLAGS=\"\$LDFLAGS $_LT_TAGVAR(hardcode_libdir_flag_spec, $1)\""
+  AC_LINK_IFELSE([AC_LANG_PROGRAM([],[])],
+    [AS_IF([ ($OBJDUMP -p conftest$ac_exeext) 2>/dev/null | grep "RUNPATH.*$libdir" >/dev/null],
+       [shlibpath_overrides_runpath=yes])])
+  LDFLAGS=$save_LDFLAGS
+  libdir=$save_libdir
+
+  # This implies no fast_install, which is unacceptable.
+  # Some rework will be needed to allow for fast_install
+  # before this can be enabled.
+  hardcode_into_libs=yes
+
+  # Append ld.so.conf contents to the search path
+  if test -f /etc/ld.so.conf; then
+    lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \[$]2)); skip = 1; } { if (!skip) print \[$]0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[	 ]*hwcap[	 ]/d;s/[:,	]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;/^$/d' | tr '\n' ' '`
+    sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
+  fi
+
+  # We used to test for /lib/ld.so.1 and disable shared libraries on
+  # powerpc, because MkLinux only supported shared libraries with the
+  # GNU dynamic linker.  Since this was broken with cross compilers,
+  # most powerpc-linux boxes support dynamic linking these days and
+  # people can always --disable-shared, the test was removed, and we
+  # assume the GNU/Linux dynamic linker is in use.
+  dynamic_linker='GNU/Linux ld.so'
+  ;;
+
+netbsdelf*-gnu)
+  version_type=linux
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=no
+  hardcode_into_libs=yes
+  dynamic_linker='NetBSD ld.elf_so'
+  ;;
+
+netbsd*)
+  version_type=sunos
+  need_lib_prefix=no
+  need_version=no
+  if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then
+    library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
+    finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
+    dynamic_linker='NetBSD (a.out) ld.so'
+  else
+    library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
+    soname_spec='${libname}${release}${shared_ext}$major'
+    dynamic_linker='NetBSD ld.elf_so'
+  fi
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=yes
+  hardcode_into_libs=yes
+  ;;
+
+newsos6)
+  version_type=linux
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=yes
+  ;;
+
+*nto* | *qnx*)
+  version_type=qnx
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=no
+  hardcode_into_libs=yes
+  dynamic_linker='ldqnx.so'
+  ;;
+
+openbsd*)
+  version_type=sunos
+  sys_lib_dlsearch_path_spec="/usr/lib"
+  need_lib_prefix=no
+  # Some older versions of OpenBSD (3.3 at least) *do* need versioned libs.
+  case $host_os in
+    openbsd3.3 | openbsd3.3.*)	need_version=yes ;;
+    *)				need_version=no  ;;
+  esac
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
+  finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
+  shlibpath_var=LD_LIBRARY_PATH
+  if test -z "`echo __ELF__ | $CC -E - | $GREP __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
+    case $host_os in
+      openbsd2.[[89]] | openbsd2.[[89]].*)
+	shlibpath_overrides_runpath=no
+	;;
+      *)
+	shlibpath_overrides_runpath=yes
+	;;
+      esac
+  else
+    shlibpath_overrides_runpath=yes
+  fi
+  ;;
+
+os2*)
+  libname_spec='$name'
+  shrext_cmds=".dll"
+  need_lib_prefix=no
+  library_names_spec='$libname${shared_ext} $libname.a'
+  dynamic_linker='OS/2 ld.exe'
+  shlibpath_var=LIBPATH
+  ;;
+
+osf3* | osf4* | osf5*)
+  version_type=osf
+  need_lib_prefix=no
+  need_version=no
+  soname_spec='${libname}${release}${shared_ext}$major'
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+  shlibpath_var=LD_LIBRARY_PATH
+  sys_lib_search_path_spec="/usr/shlib /usr/ccs/lib /usr/lib/cmplrs/cc /usr/lib /usr/local/lib /var/shlib"
+  sys_lib_dlsearch_path_spec="$sys_lib_search_path_spec"
+  ;;
+
+rdos*)
+  dynamic_linker=no
+  ;;
+
+solaris*)
+  version_type=linux
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=yes
+  hardcode_into_libs=yes
+  # ldd complains unless libraries are executable
+  postinstall_cmds='chmod +x $lib'
+  ;;
+
+sunos4*)
+  version_type=sunos
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
+  finish_cmds='PATH="\$PATH:/usr/etc" ldconfig $libdir'
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=yes
+  if test "$with_gnu_ld" = yes; then
+    need_lib_prefix=no
+  fi
+  need_version=yes
+  ;;
+
+sysv4 | sysv4.3*)
+  version_type=linux
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  shlibpath_var=LD_LIBRARY_PATH
+  case $host_vendor in
+    sni)
+      shlibpath_overrides_runpath=no
+      need_lib_prefix=no
+      runpath_var=LD_RUN_PATH
+      ;;
+    siemens)
+      need_lib_prefix=no
+      ;;
+    motorola)
+      need_lib_prefix=no
+      need_version=no
+      shlibpath_overrides_runpath=no
+      sys_lib_search_path_spec='/lib /usr/lib /usr/ccs/lib'
+      ;;
+  esac
+  ;;
+
+sysv4*MP*)
+  if test -d /usr/nec ;then
+    version_type=linux
+    library_names_spec='$libname${shared_ext}.$versuffix $libname${shared_ext}.$major $libname${shared_ext}'
+    soname_spec='$libname${shared_ext}.$major'
+    shlibpath_var=LD_LIBRARY_PATH
+  fi
+  ;;
+
+sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX* | sysv4*uw2*)
+  version_type=freebsd-elf
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext} $libname${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=yes
+  hardcode_into_libs=yes
+  if test "$with_gnu_ld" = yes; then
+    sys_lib_search_path_spec='/usr/local/lib /usr/gnu/lib /usr/ccs/lib /usr/lib /lib'
+  else
+    sys_lib_search_path_spec='/usr/ccs/lib /usr/lib'
+    case $host_os in
+      sco3.2v5*)
+        sys_lib_search_path_spec="$sys_lib_search_path_spec /lib"
+	;;
+    esac
+  fi
+  sys_lib_dlsearch_path_spec='/usr/lib'
+  ;;
+
+tpf*)
+  # TPF is a cross-target only.  Preferred cross-host = GNU/Linux.
+  version_type=linux
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=no
+  hardcode_into_libs=yes
+  ;;
+
+uts4*)
+  version_type=linux
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  shlibpath_var=LD_LIBRARY_PATH
+  ;;
+
+*)
+  dynamic_linker=no
+  ;;
+esac
+AC_MSG_RESULT([$dynamic_linker])
+test "$dynamic_linker" = no && can_build_shared=no
+
+variables_saved_for_relink="PATH $shlibpath_var $runpath_var"
+if test "$GCC" = yes; then
+  variables_saved_for_relink="$variables_saved_for_relink GCC_EXEC_PREFIX COMPILER_PATH LIBRARY_PATH"
+fi
+
+if test "${lt_cv_sys_lib_search_path_spec+set}" = set; then
+  sys_lib_search_path_spec="$lt_cv_sys_lib_search_path_spec"
+fi
+if test "${lt_cv_sys_lib_dlsearch_path_spec+set}" = set; then
+  sys_lib_dlsearch_path_spec="$lt_cv_sys_lib_dlsearch_path_spec"
+fi
+
+_LT_DECL([], [variables_saved_for_relink], [1],
+    [Variables whose values should be saved in libtool wrapper scripts and
+    restored at link time])
+_LT_DECL([], [need_lib_prefix], [0],
+    [Do we need the "lib" prefix for modules?])
+_LT_DECL([], [need_version], [0], [Do we need a version for libraries?])
+_LT_DECL([], [version_type], [0], [Library versioning type])
+_LT_DECL([], [runpath_var], [0],  [Shared library runtime path variable])
+_LT_DECL([], [shlibpath_var], [0],[Shared library path variable])
+_LT_DECL([], [shlibpath_overrides_runpath], [0],
+    [Is shlibpath searched before the hard-coded library search path?])
+_LT_DECL([], [libname_spec], [1], [Format of library name prefix])
+_LT_DECL([], [library_names_spec], [1],
+    [[List of archive names.  First name is the real one, the rest are links.
+    The last name is the one that the linker finds with -lNAME]])
+_LT_DECL([], [soname_spec], [1],
+    [[The coded name of the library, if different from the real name]])
+_LT_DECL([], [postinstall_cmds], [2],
+    [Command to use after installation of a shared archive])
+_LT_DECL([], [postuninstall_cmds], [2],
+    [Command to use after uninstallation of a shared archive])
+_LT_DECL([], [finish_cmds], [2],
+    [Commands used to finish a libtool library installation in a directory])
+_LT_DECL([], [finish_eval], [1],
+    [[As "finish_cmds", except a single script fragment to be evaled but
+    not shown]])
+_LT_DECL([], [hardcode_into_libs], [0],
+    [Whether we should hardcode library paths into libraries])
+_LT_DECL([], [sys_lib_search_path_spec], [2],
+    [Compile-time system search path for libraries])
+_LT_DECL([], [sys_lib_dlsearch_path_spec], [2],
+    [Run-time system search path for libraries])
+])# _LT_SYS_DYNAMIC_LINKER
+
+
+# _LT_PATH_TOOL_PREFIX(TOOL)
+# --------------------------
+# find a file program which can recognize shared library
+AC_DEFUN([_LT_PATH_TOOL_PREFIX],
+[m4_require([_LT_DECL_EGREP])dnl
+AC_MSG_CHECKING([for $1])
+AC_CACHE_VAL(lt_cv_path_MAGIC_CMD,
+[case $MAGIC_CMD in
+[[\\/*] |  ?:[\\/]*])
+  lt_cv_path_MAGIC_CMD="$MAGIC_CMD" # Let the user override the test with a path.
+  ;;
+*)
+  lt_save_MAGIC_CMD="$MAGIC_CMD"
+  lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR
+dnl $ac_dummy forces splitting on constant user-supplied paths.
+dnl POSIX.2 word splitting is done only on the output of word expansions,
+dnl not every word.  This closes a longstanding sh security hole.
+  ac_dummy="m4_if([$2], , $PATH, [$2])"
+  for ac_dir in $ac_dummy; do
+    IFS="$lt_save_ifs"
+    test -z "$ac_dir" && ac_dir=.
+    if test -f $ac_dir/$1; then
+      lt_cv_path_MAGIC_CMD="$ac_dir/$1"
+      if test -n "$file_magic_test_file"; then
+	case $deplibs_check_method in
+	"file_magic "*)
+	  file_magic_regex=`expr "$deplibs_check_method" : "file_magic \(.*\)"`
+	  MAGIC_CMD="$lt_cv_path_MAGIC_CMD"
+	  if eval $file_magic_cmd \$file_magic_test_file 2> /dev/null |
+	    $EGREP "$file_magic_regex" > /dev/null; then
+	    :
+	  else
+	    cat <<_LT_EOF 1>&2
+
+*** Warning: the command libtool uses to detect shared libraries,
+*** $file_magic_cmd, produces output that libtool cannot recognize.
+*** The result is that libtool may fail to recognize shared libraries
+*** as such.  This will affect the creation of libtool libraries that
+*** depend on shared libraries, but programs linked with such libtool
+*** libraries will work regardless of this problem.  Nevertheless, you
+*** may want to report the problem to your system manager and/or to
+*** bug-libtool@gnu.org
+
+_LT_EOF
+	  fi ;;
+	esac
+      fi
+      break
+    fi
+  done
+  IFS="$lt_save_ifs"
+  MAGIC_CMD="$lt_save_MAGIC_CMD"
+  ;;
+esac])
+MAGIC_CMD="$lt_cv_path_MAGIC_CMD"
+if test -n "$MAGIC_CMD"; then
+  AC_MSG_RESULT($MAGIC_CMD)
+else
+  AC_MSG_RESULT(no)
+fi
+_LT_DECL([], [MAGIC_CMD], [0],
+	 [Used to examine libraries when file_magic_cmd begins with "file"])dnl
+])# _LT_PATH_TOOL_PREFIX
+
+# Old name:
+AU_ALIAS([AC_PATH_TOOL_PREFIX], [_LT_PATH_TOOL_PREFIX])
+dnl aclocal-1.4 backwards compatibility:
+dnl AC_DEFUN([AC_PATH_TOOL_PREFIX], [])
+
+
+# _LT_PATH_MAGIC
+# --------------
+# find a file program which can recognize a shared library
+m4_defun([_LT_PATH_MAGIC],
+[_LT_PATH_TOOL_PREFIX(${ac_tool_prefix}file, /usr/bin$PATH_SEPARATOR$PATH)
+if test -z "$lt_cv_path_MAGIC_CMD"; then
+  if test -n "$ac_tool_prefix"; then
+    _LT_PATH_TOOL_PREFIX(file, /usr/bin$PATH_SEPARATOR$PATH)
+  else
+    MAGIC_CMD=:
+  fi
+fi
+])# _LT_PATH_MAGIC
+
+
+# LT_PATH_LD
+# ----------
+# find the pathname to the GNU or non-GNU linker
+AC_DEFUN([LT_PATH_LD],
+[AC_REQUIRE([AC_PROG_CC])dnl
+AC_REQUIRE([AC_CANONICAL_HOST])dnl
+AC_REQUIRE([AC_CANONICAL_BUILD])dnl
+m4_require([_LT_DECL_SED])dnl
+m4_require([_LT_DECL_EGREP])dnl
+
+AC_ARG_WITH([gnu-ld],
+    [AS_HELP_STRING([--with-gnu-ld],
+	[assume the C compiler uses GNU ld @<:@default=no@:>@])],
+    [test "$withval" = no || with_gnu_ld=yes],
+    [with_gnu_ld=no])dnl
+
+ac_prog=ld
+if test "$GCC" = yes; then
+  # Check if gcc -print-prog-name=ld gives a path.
+  AC_MSG_CHECKING([for ld used by $CC])
+  case $host in
+  *-*-mingw*)
+    # gcc leaves a trailing carriage return which upsets mingw
+    ac_prog=`($CC -print-prog-name=ld) 2>&5 | tr -d '\015'` ;;
+  *)
+    ac_prog=`($CC -print-prog-name=ld) 2>&5` ;;
+  esac
+  case $ac_prog in
+    # Accept absolute paths.
+    [[\\/]]* | ?:[[\\/]]*)
+      re_direlt='/[[^/]][[^/]]*/\.\./'
+      # Canonicalize the pathname of ld
+      ac_prog=`$ECHO "$ac_prog"| $SED 's%\\\\%/%g'`
+      while $ECHO "$ac_prog" | $GREP "$re_direlt" > /dev/null 2>&1; do
+	ac_prog=`$ECHO $ac_prog| $SED "s%$re_direlt%/%"`
+      done
+      test -z "$LD" && LD="$ac_prog"
+      ;;
+  "")
+    # If it fails, then pretend we aren't using GCC.
+    ac_prog=ld
+    ;;
+  *)
+    # If it is relative, then search for the first ld in PATH.
+    with_gnu_ld=unknown
+    ;;
+  esac
+elif test "$with_gnu_ld" = yes; then
+  AC_MSG_CHECKING([for GNU ld])
+else
+  AC_MSG_CHECKING([for non-GNU ld])
+fi
+AC_CACHE_VAL(lt_cv_path_LD,
+[if test -z "$LD"; then
+  lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR
+  for ac_dir in $PATH; do
+    IFS="$lt_save_ifs"
+    test -z "$ac_dir" && ac_dir=.
+    if test -f "$ac_dir/$ac_prog" || test -f "$ac_dir/$ac_prog$ac_exeext"; then
+      lt_cv_path_LD="$ac_dir/$ac_prog"
+      # Check to see if the program is GNU ld.  I'd rather use --version,
+      # but apparently some variants of GNU ld only accept -v.
+      # Break only if it was the GNU/non-GNU ld that we prefer.
+      case `"$lt_cv_path_LD" -v 2>&1 </dev/null` in
+      *GNU* | *'with BFD'*)
+	test "$with_gnu_ld" != no && break
+	;;
+      *)
+	test "$with_gnu_ld" != yes && break
+	;;
+      esac
+    fi
+  done
+  IFS="$lt_save_ifs"
+else
+  lt_cv_path_LD="$LD" # Let the user override the test with a path.
+fi])
+LD="$lt_cv_path_LD"
+if test -n "$LD"; then
+  AC_MSG_RESULT($LD)
+else
+  AC_MSG_RESULT(no)
+fi
+test -z "$LD" && AC_MSG_ERROR([no acceptable ld found in \$PATH])
+_LT_PATH_LD_GNU
+AC_SUBST([LD])
+
+_LT_TAGDECL([], [LD], [1], [The linker used to build libraries])
+])# LT_PATH_LD
+
+# Old names:
+AU_ALIAS([AM_PROG_LD], [LT_PATH_LD])
+AU_ALIAS([AC_PROG_LD], [LT_PATH_LD])
+dnl aclocal-1.4 backwards compatibility:
+dnl AC_DEFUN([AM_PROG_LD], [])
+dnl AC_DEFUN([AC_PROG_LD], [])
+
+
+# _LT_PATH_LD_GNU
+#- --------------
+m4_defun([_LT_PATH_LD_GNU],
+[AC_CACHE_CHECK([if the linker ($LD) is GNU ld], lt_cv_prog_gnu_ld,
+[# I'd rather use --version here, but apparently some GNU lds only accept -v.
+case `$LD -v 2>&1 </dev/null` in
+*GNU* | *'with BFD'*)
+  lt_cv_prog_gnu_ld=yes
+  ;;
+*)
+  lt_cv_prog_gnu_ld=no
+  ;;
+esac])
+with_gnu_ld=$lt_cv_prog_gnu_ld
+])# _LT_PATH_LD_GNU
+
+
+# _LT_CMD_RELOAD
+# --------------
+# find reload flag for linker
+#   -- PORTME Some linkers may need a different reload flag.
+m4_defun([_LT_CMD_RELOAD],
+[AC_CACHE_CHECK([for $LD option to reload object files],
+  lt_cv_ld_reload_flag,
+  [lt_cv_ld_reload_flag='-r'])
+reload_flag=$lt_cv_ld_reload_flag
+case $reload_flag in
+"" | " "*) ;;
+*) reload_flag=" $reload_flag" ;;
+esac
+reload_cmds='$LD$reload_flag -o $output$reload_objs'
+case $host_os in
+  darwin*)
+    if test "$GCC" = yes; then
+      reload_cmds='$LTCC $LTCFLAGS -nostdlib ${wl}-r -o $output$reload_objs'
+    else
+      reload_cmds='$LD$reload_flag -o $output$reload_objs'
+    fi
+    ;;
+esac
+_LT_DECL([], [reload_flag], [1], [How to create reloadable object files])dnl
+_LT_DECL([], [reload_cmds], [2])dnl
+])# _LT_CMD_RELOAD
+
+
+# _LT_CHECK_MAGIC_METHOD
+# ----------------------
+# how to check for library dependencies
+#  -- PORTME fill in with the dynamic library characteristics
+m4_defun([_LT_CHECK_MAGIC_METHOD],
+[m4_require([_LT_DECL_EGREP])
+m4_require([_LT_DECL_OBJDUMP])
+AC_CACHE_CHECK([how to recognize dependent libraries],
+lt_cv_deplibs_check_method,
+[lt_cv_file_magic_cmd='$MAGIC_CMD'
+lt_cv_file_magic_test_file=
+lt_cv_deplibs_check_method='unknown'
+# Need to set the preceding variable on all platforms that support
+# interlibrary dependencies.
+# 'none' -- dependencies not supported.
+# `unknown' -- same as none, but documents that we really don't know.
+# 'pass_all' -- all dependencies passed with no checks.
+# 'test_compile' -- check by making test program.
+# 'file_magic [[regex]]' -- check by looking for files in library path
+# which responds to the $file_magic_cmd with a given extended regex.
+# If you have `file' or equivalent on your system and you're not sure
+# whether `pass_all' will *always* work, you probably want this one.
+
+case $host_os in
+aix[[4-9]]*)
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+
+beos*)
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+
+bsdi[[45]]*)
+  lt_cv_deplibs_check_method='file_magic ELF [[0-9]][[0-9]]*-bit [[ML]]SB (shared object|dynamic lib)'
+  lt_cv_file_magic_cmd='/usr/bin/file -L'
+  lt_cv_file_magic_test_file=/shlib/libc.so
+  ;;
+
+cygwin*)
+  # func_win32_libid is a shell function defined in ltmain.sh
+  lt_cv_deplibs_check_method='file_magic ^x86 archive import|^x86 DLL'
+  lt_cv_file_magic_cmd='func_win32_libid'
+  ;;
+
+mingw* | pw32*)
+  # Base MSYS/MinGW do not provide the 'file' command needed by
+  # func_win32_libid shell function, so use a weaker test based on 'objdump',
+  # unless we find 'file', for example because we are cross-compiling.
+  if ( file / ) >/dev/null 2>&1; then
+    lt_cv_deplibs_check_method='file_magic ^x86 archive import|^x86 DLL'
+    lt_cv_file_magic_cmd='func_win32_libid'
+  else
+    lt_cv_deplibs_check_method='file_magic file format pei*-i386(.*architecture: i386)?'
+    lt_cv_file_magic_cmd='$OBJDUMP -f'
+  fi
+  ;;
+
+cegcc)
+  # use the weaker test based on 'objdump'. See mingw*.
+  lt_cv_deplibs_check_method='file_magic file format pe-arm-.*little(.*architecture: arm)?'
+  lt_cv_file_magic_cmd='$OBJDUMP -f'
+  ;;
+
+darwin* | rhapsody*)
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+
+freebsd* | dragonfly*)
+  if echo __ELF__ | $CC -E - | $GREP __ELF__ > /dev/null; then
+    case $host_cpu in
+    i*86 )
+      # Not sure whether the presence of OpenBSD here was a mistake.
+      # Let's accept both of them until this is cleared up.
+      lt_cv_deplibs_check_method='file_magic (FreeBSD|OpenBSD|DragonFly)/i[[3-9]]86 (compact )?demand paged shared library'
+      lt_cv_file_magic_cmd=/usr/bin/file
+      lt_cv_file_magic_test_file=`echo /usr/lib/libc.so.*`
+      ;;
+    esac
+  else
+    lt_cv_deplibs_check_method=pass_all
+  fi
+  ;;
+
+gnu*)
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+
+hpux10.20* | hpux11*)
+  lt_cv_file_magic_cmd=/usr/bin/file
+  case $host_cpu in
+  ia64*)
+    lt_cv_deplibs_check_method='file_magic (s[[0-9]][[0-9]][[0-9]]|ELF-[[0-9]][[0-9]]) shared object file - IA64'
+    lt_cv_file_magic_test_file=/usr/lib/hpux32/libc.so
+    ;;
+  hppa*64*)
+    [lt_cv_deplibs_check_method='file_magic (s[0-9][0-9][0-9]|ELF-[0-9][0-9]) shared object file - PA-RISC [0-9].[0-9]']
+    lt_cv_file_magic_test_file=/usr/lib/pa20_64/libc.sl
+    ;;
+  *)
+    lt_cv_deplibs_check_method='file_magic (s[[0-9]][[0-9]][[0-9]]|PA-RISC[[0-9]].[[0-9]]) shared library'
+    lt_cv_file_magic_test_file=/usr/lib/libc.sl
+    ;;
+  esac
+  ;;
+
+interix[[3-9]]*)
+  # PIC code is broken on Interix 3.x, that's why |\.a not |_pic\.a here
+  lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so|\.a)$'
+  ;;
+
+irix5* | irix6* | nonstopux*)
+  case $LD in
+  *-32|*"-32 ") libmagic=32-bit;;
+  *-n32|*"-n32 ") libmagic=N32;;
+  *-64|*"-64 ") libmagic=64-bit;;
+  *) libmagic=never-match;;
+  esac
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+
+# This must be Linux ELF.
+linux* | k*bsd*-gnu)
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+
+netbsd* | netbsdelf*-gnu)
+  if echo __ELF__ | $CC -E - | $GREP __ELF__ > /dev/null; then
+    lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so\.[[0-9]]+\.[[0-9]]+|_pic\.a)$'
+  else
+    lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so|_pic\.a)$'
+  fi
+  ;;
+
+newos6*)
+  lt_cv_deplibs_check_method='file_magic ELF [[0-9]][[0-9]]*-bit [[ML]]SB (executable|dynamic lib)'
+  lt_cv_file_magic_cmd=/usr/bin/file
+  lt_cv_file_magic_test_file=/usr/lib/libnls.so
+  ;;
+
+*nto* | *qnx*)
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+
+openbsd*)
+  if test -z "`echo __ELF__ | $CC -E - | $GREP __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
+    lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so\.[[0-9]]+\.[[0-9]]+|\.so|_pic\.a)$'
+  else
+    lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so\.[[0-9]]+\.[[0-9]]+|_pic\.a)$'
+  fi
+  ;;
+
+osf3* | osf4* | osf5*)
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+
+rdos*)
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+
+solaris*)
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+
+sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX* | sysv4*uw2*)
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+
+sysv4 | sysv4.3*)
+  case $host_vendor in
+  motorola)
+    lt_cv_deplibs_check_method='file_magic ELF [[0-9]][[0-9]]*-bit [[ML]]SB (shared object|dynamic lib) M[[0-9]][[0-9]]* Version [[0-9]]'
+    lt_cv_file_magic_test_file=`echo /usr/lib/libc.so*`
+    ;;
+  ncr)
+    lt_cv_deplibs_check_method=pass_all
+    ;;
+  sequent)
+    lt_cv_file_magic_cmd='/bin/file'
+    lt_cv_deplibs_check_method='file_magic ELF [[0-9]][[0-9]]*-bit [[LM]]SB (shared object|dynamic lib )'
+    ;;
+  sni)
+    lt_cv_file_magic_cmd='/bin/file'
+    lt_cv_deplibs_check_method="file_magic ELF [[0-9]][[0-9]]*-bit [[LM]]SB dynamic lib"
+    lt_cv_file_magic_test_file=/lib/libc.so
+    ;;
+  siemens)
+    lt_cv_deplibs_check_method=pass_all
+    ;;
+  pc)
+    lt_cv_deplibs_check_method=pass_all
+    ;;
+  esac
+  ;;
+
+tpf*)
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+esac
+])
+file_magic_cmd=$lt_cv_file_magic_cmd
+deplibs_check_method=$lt_cv_deplibs_check_method
+test -z "$deplibs_check_method" && deplibs_check_method=unknown
+
+_LT_DECL([], [deplibs_check_method], [1],
+    [Method to check whether dependent libraries are shared objects])
+_LT_DECL([], [file_magic_cmd], [1],
+    [Command to use when deplibs_check_method == "file_magic"])
+])# _LT_CHECK_MAGIC_METHOD
+
+
+# LT_PATH_NM
+# ----------
+# find the pathname to a BSD- or MS-compatible name lister
+AC_DEFUN([LT_PATH_NM],
+[AC_REQUIRE([AC_PROG_CC])dnl
+AC_CACHE_CHECK([for BSD- or MS-compatible name lister (nm)], lt_cv_path_NM,
+[if test -n "$NM"; then
+  # Let the user override the test.
+  lt_cv_path_NM="$NM"
+else
+  lt_nm_to_check="${ac_tool_prefix}nm"
+  if test -n "$ac_tool_prefix" && test "$build" = "$host"; then
+    lt_nm_to_check="$lt_nm_to_check nm"
+  fi
+  for lt_tmp_nm in $lt_nm_to_check; do
+    lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR
+    for ac_dir in $PATH /usr/ccs/bin/elf /usr/ccs/bin /usr/ucb /bin; do
+      IFS="$lt_save_ifs"
+      test -z "$ac_dir" && ac_dir=.
+      tmp_nm="$ac_dir/$lt_tmp_nm"
+      if test -f "$tmp_nm" || test -f "$tmp_nm$ac_exeext" ; then
+	# Check to see if the nm accepts a BSD-compat flag.
+	# Adding the `sed 1q' prevents false positives on HP-UX, which says:
+	#   nm: unknown option "B" ignored
+	# Tru64's nm complains that /dev/null is an invalid object file
+	case `"$tmp_nm" -B /dev/null 2>&1 | sed '1q'` in
+	*/dev/null* | *'Invalid file or object type'*)
+	  lt_cv_path_NM="$tmp_nm -B"
+	  break
+	  ;;
+	*)
+	  case `"$tmp_nm" -p /dev/null 2>&1 | sed '1q'` in
+	  */dev/null*)
+	    lt_cv_path_NM="$tmp_nm -p"
+	    break
+	    ;;
+	  *)
+	    lt_cv_path_NM=${lt_cv_path_NM="$tmp_nm"} # keep the first match, but
+	    continue # so that we can try to find one that supports BSD flags
+	    ;;
+	  esac
+	  ;;
+	esac
+      fi
+    done
+    IFS="$lt_save_ifs"
+  done
+  : ${lt_cv_path_NM=no}
+fi])
+if test "$lt_cv_path_NM" != "no"; then
+  NM="$lt_cv_path_NM"
+else
+  # Didn't find any BSD compatible name lister, look for dumpbin.
+  AC_CHECK_TOOLS(DUMPBIN, ["dumpbin -symbols" "link -dump -symbols"], :)
+  AC_SUBST([DUMPBIN])
+  if test "$DUMPBIN" != ":"; then
+    NM="$DUMPBIN"
+  fi
+fi
+test -z "$NM" && NM=nm
+AC_SUBST([NM])
+_LT_DECL([], [NM], [1], [A BSD- or MS-compatible name lister])dnl
+
+AC_CACHE_CHECK([the name lister ($NM) interface], [lt_cv_nm_interface],
+  [lt_cv_nm_interface="BSD nm"
+  echo "int some_variable = 0;" > conftest.$ac_ext
+  (eval echo "\"\$as_me:__oline__: $ac_compile\"" >&AS_MESSAGE_LOG_FD)
+  (eval "$ac_compile" 2>conftest.err)
+  cat conftest.err >&AS_MESSAGE_LOG_FD
+  (eval echo "\"\$as_me:__oline__: $NM \\\"conftest.$ac_objext\\\"\"" >&AS_MESSAGE_LOG_FD)
+  (eval "$NM \"conftest.$ac_objext\"" 2>conftest.err > conftest.out)
+  cat conftest.err >&AS_MESSAGE_LOG_FD
+  (eval echo "\"\$as_me:__oline__: output\"" >&AS_MESSAGE_LOG_FD)
+  cat conftest.out >&AS_MESSAGE_LOG_FD
+  if $GREP 'External.*some_variable' conftest.out > /dev/null; then
+    lt_cv_nm_interface="MS dumpbin"
+  fi
+  rm -f conftest*])
+])# LT_PATH_NM
+
+# Old names:
+AU_ALIAS([AM_PROG_NM], [LT_PATH_NM])
+AU_ALIAS([AC_PROG_NM], [LT_PATH_NM])
+dnl aclocal-1.4 backwards compatibility:
+dnl AC_DEFUN([AM_PROG_NM], [])
+dnl AC_DEFUN([AC_PROG_NM], [])
+
+
+# LT_LIB_M
+# --------
+# check for math library
+AC_DEFUN([LT_LIB_M],
+[AC_REQUIRE([AC_CANONICAL_HOST])dnl
+LIBM=
+case $host in
+*-*-beos* | *-*-cygwin* | *-*-pw32* | *-*-darwin*)
+  # These system don't have libm, or don't need it
+  ;;
+*-ncr-sysv4.3*)
+  AC_CHECK_LIB(mw, _mwvalidcheckl, LIBM="-lmw")
+  AC_CHECK_LIB(m, cos, LIBM="$LIBM -lm")
+  ;;
+*)
+  AC_CHECK_LIB(m, cos, LIBM="-lm")
+  ;;
+esac
+AC_SUBST([LIBM])
+])# LT_LIB_M
+
+# Old name:
+AU_ALIAS([AC_CHECK_LIBM], [LT_LIB_M])
+dnl aclocal-1.4 backwards compatibility:
+dnl AC_DEFUN([AC_CHECK_LIBM], [])
+
+
+# _LT_COMPILER_NO_RTTI([TAGNAME])
+# -------------------------------
+m4_defun([_LT_COMPILER_NO_RTTI],
+[m4_require([_LT_TAG_COMPILER])dnl
+
+_LT_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)=
+
+if test "$GCC" = yes; then
+  _LT_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)=' -fno-builtin'
+
+  _LT_COMPILER_OPTION([if $compiler supports -fno-rtti -fno-exceptions],
+    lt_cv_prog_compiler_rtti_exceptions,
+    [-fno-rtti -fno-exceptions], [],
+    [_LT_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)="$_LT_TAGVAR(lt_prog_compiler_no_builtin_flag, $1) -fno-rtti -fno-exceptions"])
+fi
+_LT_TAGDECL([no_builtin_flag], [lt_prog_compiler_no_builtin_flag], [1],
+	[Compiler flag to turn off builtin functions])
+])# _LT_COMPILER_NO_RTTI
+
+
+# _LT_CMD_GLOBAL_SYMBOLS
+# ----------------------
+m4_defun([_LT_CMD_GLOBAL_SYMBOLS],
+[AC_REQUIRE([AC_CANONICAL_HOST])dnl
+AC_REQUIRE([AC_PROG_CC])dnl
+AC_REQUIRE([LT_PATH_NM])dnl
+AC_REQUIRE([LT_PATH_LD])dnl
+m4_require([_LT_DECL_SED])dnl
+m4_require([_LT_DECL_EGREP])dnl
+m4_require([_LT_TAG_COMPILER])dnl
+
+# Check for command to grab the raw symbol name followed by C symbol from nm.
+AC_MSG_CHECKING([command to parse $NM output from $compiler object])
+AC_CACHE_VAL([lt_cv_sys_global_symbol_pipe],
+[
+# These are sane defaults that work on at least a few old systems.
+# [They come from Ultrix.  What could be older than Ultrix?!! ;)]
+
+# Character class describing NM global symbol codes.
+symcode='[[BCDEGRST]]'
+
+# Regexp to match symbols that can be accessed directly from C.
+sympat='\([[_A-Za-z]][[_A-Za-z0-9]]*\)'
+
+# Define system-specific variables.
+case $host_os in
+aix*)
+  symcode='[[BCDT]]'
+  ;;
+cygwin* | mingw* | pw32* | cegcc*)
+  symcode='[[ABCDGISTW]]'
+  ;;
+hpux*)
+  if test "$host_cpu" = ia64; then
+    symcode='[[ABCDEGRST]]'
+  fi
+  ;;
+irix* | nonstopux*)
+  symcode='[[BCDEGRST]]'
+  ;;
+osf*)
+  symcode='[[BCDEGQRST]]'
+  ;;
+solaris*)
+  symcode='[[BDRT]]'
+  ;;
+sco3.2v5*)
+  symcode='[[DT]]'
+  ;;
+sysv4.2uw2*)
+  symcode='[[DT]]'
+  ;;
+sysv5* | sco5v6* | unixware* | OpenUNIX*)
+  symcode='[[ABDT]]'
+  ;;
+sysv4)
+  symcode='[[DFNSTU]]'
+  ;;
+esac
+
+# If we're using GNU nm, then use its standard symbol codes.
+case `$NM -V 2>&1` in
+*GNU* | *'with BFD'*)
+  symcode='[[ABCDGIRSTW]]' ;;
+esac
+
+# Transform an extracted symbol line into a proper C declaration.
+# Some systems (esp. on ia64) link data and code symbols differently,
+# so use this general approach.
+lt_cv_sys_global_symbol_to_cdecl="sed -n -e 's/^T .* \(.*\)$/extern int \1();/p' -e 's/^$symcode* .* \(.*\)$/extern char \1;/p'"
+
+# Transform an extracted symbol line into symbol name and symbol address
+lt_cv_sys_global_symbol_to_c_name_address="sed -n -e 's/^: \([[^ ]]*\) $/  {\\\"\1\\\", (void *) 0},/p' -e 's/^$symcode* \([[^ ]]*\) \([[^ ]]*\)$/  {\"\2\", (void *) \&\2},/p'"
+lt_cv_sys_global_symbol_to_c_name_address_lib_prefix="sed -n -e 's/^: \([[^ ]]*\) $/  {\\\"\1\\\", (void *) 0},/p' -e 's/^$symcode* \([[^ ]]*\) \(lib[[^ ]]*\)$/  {\"\2\", (void *) \&\2},/p' -e 's/^$symcode* \([[^ ]]*\) \([[^ ]]*\)$/  {\"lib\2\", (void *) \&\2},/p'"
+
+# Handle CRLF in mingw tool chain
+opt_cr=
+case $build_os in
+mingw*)
+  opt_cr=`$ECHO 'x\{0,1\}' | tr x '\015'` # option cr in regexp
+  ;;
+esac
+
+# Try without a prefix underscore, then with it.
+for ac_symprfx in "" "_"; do
+
+  # Transform symcode, sympat, and symprfx into a raw symbol and a C symbol.
+  symxfrm="\\1 $ac_symprfx\\2 \\2"
+
+  # Write the raw and C identifiers.
+  if test "$lt_cv_nm_interface" = "MS dumpbin"; then
+    # Fake it for dumpbin and say T for any non-static function
+    # and D for any global variable.
+    # Also find C++ and __fastcall symbols from MSVC++,
+    # which start with @ or ?.
+    lt_cv_sys_global_symbol_pipe="$AWK ['"\
+"     {last_section=section; section=\$ 3};"\
+"     /Section length .*#relocs.*(pick any)/{hide[last_section]=1};"\
+"     \$ 0!~/External *\|/{next};"\
+"     / 0+ UNDEF /{next}; / UNDEF \([^|]\)*()/{next};"\
+"     {if(hide[section]) next};"\
+"     {f=0}; \$ 0~/\(\).*\|/{f=1}; {printf f ? \"T \" : \"D \"};"\
+"     {split(\$ 0, a, /\||\r/); split(a[2], s)};"\
+"     s[1]~/^[@?]/{print s[1], s[1]; next};"\
+"     s[1]~prfx {split(s[1],t,\"@\"); print t[1], substr(t[1],length(prfx))}"\
+"     ' prfx=^$ac_symprfx]"
+  else
+    lt_cv_sys_global_symbol_pipe="sed -n -e 's/^.*[[	 ]]\($symcode$symcode*\)[[	 ]][[	 ]]*$ac_symprfx$sympat$opt_cr$/$symxfrm/p'"
+  fi
+
+  # Check to see that the pipe works correctly.
+  pipe_works=no
+
+  rm -f conftest*
+  cat > conftest.$ac_ext <<_LT_EOF
+#ifdef __cplusplus
+extern "C" {
+#endif
+char nm_test_var;
+void nm_test_func(void);
+void nm_test_func(void){}
+#ifdef __cplusplus
+}
+#endif
+int main(){nm_test_var='a';nm_test_func();return(0);}
+_LT_EOF
+
+  if AC_TRY_EVAL(ac_compile); then
+    # Now try to grab the symbols.
+    nlist=conftest.nm
+    if AC_TRY_EVAL(NM conftest.$ac_objext \| $lt_cv_sys_global_symbol_pipe \> $nlist) && test -s "$nlist"; then
+      # Try sorting and uniquifying the output.
+      if sort "$nlist" | uniq > "$nlist"T; then
+	mv -f "$nlist"T "$nlist"
+      else
+	rm -f "$nlist"T
+      fi
+
+      # Make sure that we snagged all the symbols we need.
+      if $GREP ' nm_test_var$' "$nlist" >/dev/null; then
+	if $GREP ' nm_test_func$' "$nlist" >/dev/null; then
+	  cat <<_LT_EOF > conftest.$ac_ext
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+_LT_EOF
+	  # Now generate the symbol file.
+	  eval "$lt_cv_sys_global_symbol_to_cdecl"' < "$nlist" | $GREP -v main >> conftest.$ac_ext'
+
+	  cat <<_LT_EOF >> conftest.$ac_ext
+
+/* The mapping between symbol names and symbols.  */
+const struct {
+  const char *name;
+  void       *address;
+}
+lt__PROGRAM__LTX_preloaded_symbols[[]] =
+{
+  { "@PROGRAM@", (void *) 0 },
+_LT_EOF
+	  $SED "s/^$symcode$symcode* \(.*\) \(.*\)$/  {\"\2\", (void *) \&\2},/" < "$nlist" | $GREP -v main >> conftest.$ac_ext
+	  cat <<\_LT_EOF >> conftest.$ac_ext
+  {0, (void *) 0}
+};
+
+/* This works around a problem in FreeBSD linker */
+#ifdef FREEBSD_WORKAROUND
+static const void *lt_preloaded_setup() {
+  return lt__PROGRAM__LTX_preloaded_symbols;
+}
+#endif
+
+#ifdef __cplusplus
+}
+#endif
+_LT_EOF
+	  # Now try linking the two files.
+	  mv conftest.$ac_objext conftstm.$ac_objext
+	  lt_save_LIBS="$LIBS"
+	  lt_save_CFLAGS="$CFLAGS"
+	  LIBS="conftstm.$ac_objext"
+	  CFLAGS="$CFLAGS$_LT_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)"
+	  if AC_TRY_EVAL(ac_link) && test -s conftest${ac_exeext}; then
+	    pipe_works=yes
+	  fi
+	  LIBS="$lt_save_LIBS"
+	  CFLAGS="$lt_save_CFLAGS"
+	else
+	  echo "cannot find nm_test_func in $nlist" >&AS_MESSAGE_LOG_FD
+	fi
+      else
+	echo "cannot find nm_test_var in $nlist" >&AS_MESSAGE_LOG_FD
+      fi
+    else
+      echo "cannot run $lt_cv_sys_global_symbol_pipe" >&AS_MESSAGE_LOG_FD
+    fi
+  else
+    echo "$progname: failed program was:" >&AS_MESSAGE_LOG_FD
+    cat conftest.$ac_ext >&5
+  fi
+  rm -rf conftest* conftst*
+
+  # Do not use the global_symbol_pipe unless it works.
+  if test "$pipe_works" = yes; then
+    break
+  else
+    lt_cv_sys_global_symbol_pipe=
+  fi
+done
+])
+if test -z "$lt_cv_sys_global_symbol_pipe"; then
+  lt_cv_sys_global_symbol_to_cdecl=
+fi
+if test -z "$lt_cv_sys_global_symbol_pipe$lt_cv_sys_global_symbol_to_cdecl"; then
+  AC_MSG_RESULT(failed)
+else
+  AC_MSG_RESULT(ok)
+fi
+
+_LT_DECL([global_symbol_pipe], [lt_cv_sys_global_symbol_pipe], [1],
+    [Take the output of nm and produce a listing of raw symbols and C names])
+_LT_DECL([global_symbol_to_cdecl], [lt_cv_sys_global_symbol_to_cdecl], [1],
+    [Transform the output of nm in a proper C declaration])
+_LT_DECL([global_symbol_to_c_name_address],
+    [lt_cv_sys_global_symbol_to_c_name_address], [1],
+    [Transform the output of nm in a C name address pair])
+_LT_DECL([global_symbol_to_c_name_address_lib_prefix],
+    [lt_cv_sys_global_symbol_to_c_name_address_lib_prefix], [1],
+    [Transform the output of nm in a C name address pair when lib prefix is needed])
+]) # _LT_CMD_GLOBAL_SYMBOLS
+
+
+# _LT_COMPILER_PIC([TAGNAME])
+# ---------------------------
+m4_defun([_LT_COMPILER_PIC],
+[m4_require([_LT_TAG_COMPILER])dnl
+_LT_TAGVAR(lt_prog_compiler_wl, $1)=
+_LT_TAGVAR(lt_prog_compiler_pic, $1)=
+_LT_TAGVAR(lt_prog_compiler_static, $1)=
+
+AC_MSG_CHECKING([for $compiler option to produce PIC])
+m4_if([$1], [CXX], [
+  # C++ specific cases for pic, static, wl, etc.
+  if test "$GXX" = yes; then
+    _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+    _LT_TAGVAR(lt_prog_compiler_static, $1)='-static'
+
+    case $host_os in
+    aix*)
+      # All AIX code is PIC.
+      if test "$host_cpu" = ia64; then
+	# AIX 5 now supports IA64 processor
+	_LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+      fi
+      ;;
+
+    amigaos*)
+      case $host_cpu in
+      powerpc)
+            # see comment about AmigaOS4 .so support
+            _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
+        ;;
+      m68k)
+            # FIXME: we need at least 68020 code to build shared libraries, but
+            # adding the `-m68020' flag to GCC prevents building anything better,
+            # like `-m68040'.
+            _LT_TAGVAR(lt_prog_compiler_pic, $1)='-m68020 -resident32 -malways-restore-a4'
+        ;;
+      esac
+      ;;
+
+    beos* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*)
+      # PIC is the default for these OSes.
+      ;;
+    mingw* | cygwin* | os2* | pw32* | cegcc*)
+      # This hack is so that the source file can tell whether it is being
+      # built for inclusion in a dll (and should export symbols for example).
+      # Although the cygwin gcc ignores -fPIC, still need this for old-style
+      # (--disable-auto-import) libraries
+      m4_if([$1], [GCJ], [],
+	[_LT_TAGVAR(lt_prog_compiler_pic, $1)='-DDLL_EXPORT'])
+      ;;
+    darwin* | rhapsody*)
+      # PIC is the default on this platform
+      # Common symbols not allowed in MH_DYLIB files
+      _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fno-common'
+      ;;
+    *djgpp*)
+      # DJGPP does not support shared libraries at all
+      _LT_TAGVAR(lt_prog_compiler_pic, $1)=
+      ;;
+    interix[[3-9]]*)
+      # Interix 3.x gcc -fpic/-fPIC options generate broken code.
+      # Instead, we relocate shared libraries at runtime.
+      ;;
+    sysv4*MP*)
+      if test -d /usr/nec; then
+	_LT_TAGVAR(lt_prog_compiler_pic, $1)=-Kconform_pic
+      fi
+      ;;
+    hpux*)
+      # PIC is the default for 64-bit PA HP-UX, but not for 32-bit
+      # PA HP-UX.  On IA64 HP-UX, PIC is the default but the pic flag
+      # sets the default TLS model and affects inlining.
+      case $host_cpu in
+      hppa*64*)
+	;;
+      *)
+	_LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
+	;;
+      esac
+      ;;
+    *qnx* | *nto*)
+      # QNX uses GNU C++, but need to define -shared option too, otherwise
+      # it will coredump.
+      _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC -shared'
+      ;;
+    *)
+      _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
+      ;;
+    esac
+  else
+    case $host_os in
+      aix[[4-9]]*)
+	# All AIX code is PIC.
+	if test "$host_cpu" = ia64; then
+	  # AIX 5 now supports IA64 processor
+	  _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+	else
+	  _LT_TAGVAR(lt_prog_compiler_static, $1)='-bnso -bI:/lib/syscalls.exp'
+	fi
+	;;
+      chorus*)
+	case $cc_basename in
+	cxch68*)
+	  # Green Hills C++ Compiler
+	  # _LT_TAGVAR(lt_prog_compiler_static, $1)="--no_auto_instantiation -u __main -u __premain -u _abort -r $COOL_DIR/lib/libOrb.a $MVME_DIR/lib/CC/libC.a $MVME_DIR/lib/classix/libcx.s.a"
+	  ;;
+	esac
+	;;
+      dgux*)
+	case $cc_basename in
+	  ec++*)
+	    _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+	    ;;
+	  ghcx*)
+	    # Green Hills C++ Compiler
+	    _LT_TAGVAR(lt_prog_compiler_pic, $1)='-pic'
+	    ;;
+	  *)
+	    ;;
+	esac
+	;;
+      freebsd* | dragonfly*)
+	# FreeBSD uses GNU C++
+	;;
+      hpux9* | hpux10* | hpux11*)
+	case $cc_basename in
+	  CC*)
+	    _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+	    _LT_TAGVAR(lt_prog_compiler_static, $1)='${wl}-a ${wl}archive'
+	    if test "$host_cpu" != ia64; then
+	      _LT_TAGVAR(lt_prog_compiler_pic, $1)='+Z'
+	    fi
+	    ;;
+	  aCC*)
+	    _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+	    _LT_TAGVAR(lt_prog_compiler_static, $1)='${wl}-a ${wl}archive'
+	    case $host_cpu in
+	    hppa*64*|ia64*)
+	      # +Z the default
+	      ;;
+	    *)
+	      _LT_TAGVAR(lt_prog_compiler_pic, $1)='+Z'
+	      ;;
+	    esac
+	    ;;
+	  *)
+	    ;;
+	esac
+	;;
+      interix*)
+	# This is c89, which is MS Visual C++ (no shared libs)
+	# Anyone wants to do a port?
+	;;
+      irix5* | irix6* | nonstopux*)
+	case $cc_basename in
+	  CC*)
+	    _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+	    _LT_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
+	    # CC pic flag -KPIC is the default.
+	    ;;
+	  *)
+	    ;;
+	esac
+	;;
+      linux* | k*bsd*-gnu)
+	case $cc_basename in
+	  KCC*)
+	    # KAI C++ Compiler
+	    _LT_TAGVAR(lt_prog_compiler_wl, $1)='--backend -Wl,'
+	    _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
+	    ;;
+	  ecpc* )
+	    # old Intel C++ for x86_64 which still supported -KPIC.
+	    _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+	    _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+	    _LT_TAGVAR(lt_prog_compiler_static, $1)='-static'
+	    ;;
+	  icpc* )
+	    # Intel C++, used to be incompatible with GCC.
+	    # ICC 10 doesn't accept -KPIC any more.
+	    _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+	    _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
+	    _LT_TAGVAR(lt_prog_compiler_static, $1)='-static'
+	    ;;
+	  pgCC* | pgcpp*)
+	    # Portland Group C++ compiler
+	    _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+	    _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fpic'
+	    _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+	    ;;
+	  cxx*)
+	    # Compaq C++
+	    # Make sure the PIC flag is empty.  It appears that all Alpha
+	    # Linux and Compaq Tru64 Unix objects are PIC.
+	    _LT_TAGVAR(lt_prog_compiler_pic, $1)=
+	    _LT_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
+	    ;;
+	  xlc* | xlC*)
+	    # IBM XL 8.0 on PPC
+	    _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+	    _LT_TAGVAR(lt_prog_compiler_pic, $1)='-qpic'
+	    _LT_TAGVAR(lt_prog_compiler_static, $1)='-qstaticlink'
+	    ;;
+	  *)
+	    case `$CC -V 2>&1 | sed 5q` in
+	    *Sun\ C*)
+	      # Sun C++ 5.9
+	      _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+	      _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+	      _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Qoption ld '
+	      ;;
+	    esac
+	    ;;
+	esac
+	;;
+      lynxos*)
+	;;
+      m88k*)
+	;;
+      mvs*)
+	case $cc_basename in
+	  cxx*)
+	    _LT_TAGVAR(lt_prog_compiler_pic, $1)='-W c,exportall'
+	    ;;
+	  *)
+	    ;;
+	esac
+	;;
+      netbsd* | netbsdelf*-gnu)
+	;;
+      *qnx* | *nto*)
+        # QNX uses GNU C++, but need to define -shared option too, otherwise
+        # it will coredump.
+        _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC -shared'
+        ;;
+      osf3* | osf4* | osf5*)
+	case $cc_basename in
+	  KCC*)
+	    _LT_TAGVAR(lt_prog_compiler_wl, $1)='--backend -Wl,'
+	    ;;
+	  RCC*)
+	    # Rational C++ 2.4.1
+	    _LT_TAGVAR(lt_prog_compiler_pic, $1)='-pic'
+	    ;;
+	  cxx*)
+	    # Digital/Compaq C++
+	    _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+	    # Make sure the PIC flag is empty.  It appears that all Alpha
+	    # Linux and Compaq Tru64 Unix objects are PIC.
+	    _LT_TAGVAR(lt_prog_compiler_pic, $1)=
+	    _LT_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
+	    ;;
+	  *)
+	    ;;
+	esac
+	;;
+      psos*)
+	;;
+      solaris*)
+	case $cc_basename in
+	  CC*)
+	    # Sun C++ 4.2, 5.x and Centerline C++
+	    _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+	    _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+	    _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Qoption ld '
+	    ;;
+	  gcx*)
+	    # Green Hills C++ Compiler
+	    _LT_TAGVAR(lt_prog_compiler_pic, $1)='-PIC'
+	    ;;
+	  *)
+	    ;;
+	esac
+	;;
+      sunos4*)
+	case $cc_basename in
+	  CC*)
+	    # Sun C++ 4.x
+	    _LT_TAGVAR(lt_prog_compiler_pic, $1)='-pic'
+	    _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+	    ;;
+	  lcc*)
+	    # Lucid
+	    _LT_TAGVAR(lt_prog_compiler_pic, $1)='-pic'
+	    ;;
+	  *)
+	    ;;
+	esac
+	;;
+      sysv5* | unixware* | sco3.2v5* | sco5v6* | OpenUNIX*)
+	case $cc_basename in
+	  CC*)
+	    _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+	    _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+	    _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+	    ;;
+	esac
+	;;
+      tandem*)
+	case $cc_basename in
+	  NCC*)
+	    # NonStop-UX NCC 3.20
+	    _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+	    ;;
+	  *)
+	    ;;
+	esac
+	;;
+      vxworks*)
+	;;
+      *)
+	_LT_TAGVAR(lt_prog_compiler_can_build_shared, $1)=no
+	;;
+    esac
+  fi
+],
+[
+  if test "$GCC" = yes; then
+    _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+    _LT_TAGVAR(lt_prog_compiler_static, $1)='-static'
+
+    case $host_os in
+      aix*)
+      # All AIX code is PIC.
+      if test "$host_cpu" = ia64; then
+	# AIX 5 now supports IA64 processor
+	_LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+      fi
+      ;;
+
+    amigaos*)
+      case $host_cpu in
+      powerpc)
+            # see comment about AmigaOS4 .so support
+            _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
+        ;;
+      m68k)
+            # FIXME: we need at least 68020 code to build shared libraries, but
+            # adding the `-m68020' flag to GCC prevents building anything better,
+            # like `-m68040'.
+            _LT_TAGVAR(lt_prog_compiler_pic, $1)='-m68020 -resident32 -malways-restore-a4'
+        ;;
+      esac
+      ;;
+
+    beos* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*)
+      # PIC is the default for these OSes.
+      ;;
+
+    mingw* | cygwin* | pw32* | os2* | cegcc*)
+      # This hack is so that the source file can tell whether it is being
+      # built for inclusion in a dll (and should export symbols for example).
+      # Although the cygwin gcc ignores -fPIC, still need this for old-style
+      # (--disable-auto-import) libraries
+      m4_if([$1], [GCJ], [],
+	[_LT_TAGVAR(lt_prog_compiler_pic, $1)='-DDLL_EXPORT'])
+      ;;
+
+    darwin* | rhapsody*)
+      # PIC is the default on this platform
+      # Common symbols not allowed in MH_DYLIB files
+      _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fno-common'
+      ;;
+
+    hpux*)
+      # PIC is the default for 64-bit PA HP-UX, but not for 32-bit
+      # PA HP-UX.  On IA64 HP-UX, PIC is the default but the pic flag
+      # sets the default TLS model and affects inlining.
+      case $host_cpu in
+      hppa*64*)
+	# +Z the default
+	;;
+      *)
+	_LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
+	;;
+      esac
+      ;;
+
+    interix[[3-9]]*)
+      # Interix 3.x gcc -fpic/-fPIC options generate broken code.
+      # Instead, we relocate shared libraries at runtime.
+      ;;
+
+    msdosdjgpp*)
+      # Just because we use GCC doesn't mean we suddenly get shared libraries
+      # on systems that don't support them.
+      _LT_TAGVAR(lt_prog_compiler_can_build_shared, $1)=no
+      enable_shared=no
+      ;;
+
+    *nto* | *qnx*)
+      # QNX uses GNU C++, but need to define -shared option too, otherwise
+      # it will coredump.
+      _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC -shared'
+      ;;
+
+    sysv4*MP*)
+      if test -d /usr/nec; then
+	_LT_TAGVAR(lt_prog_compiler_pic, $1)=-Kconform_pic
+      fi
+      ;;
+
+    *)
+      _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
+      ;;
+    esac
+  else
+    # PORTME Check for flag to pass linker flags through the system compiler.
+    case $host_os in
+    aix*)
+      _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+      if test "$host_cpu" = ia64; then
+	# AIX 5 now supports IA64 processor
+	_LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+      else
+	_LT_TAGVAR(lt_prog_compiler_static, $1)='-bnso -bI:/lib/syscalls.exp'
+      fi
+      ;;
+
+    mingw* | cygwin* | pw32* | os2* | cegcc*)
+      # This hack is so that the source file can tell whether it is being
+      # built for inclusion in a dll (and should export symbols for example).
+      m4_if([$1], [GCJ], [],
+	[_LT_TAGVAR(lt_prog_compiler_pic, $1)='-DDLL_EXPORT'])
+      ;;
+
+    hpux9* | hpux10* | hpux11*)
+      _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+      # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but
+      # not for PA HP-UX.
+      case $host_cpu in
+      hppa*64*|ia64*)
+	# +Z the default
+	;;
+      *)
+	_LT_TAGVAR(lt_prog_compiler_pic, $1)='+Z'
+	;;
+      esac
+      # Is there a better lt_prog_compiler_static that works with the bundled CC?
+      _LT_TAGVAR(lt_prog_compiler_static, $1)='${wl}-a ${wl}archive'
+      ;;
+
+    irix5* | irix6* | nonstopux*)
+      _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+      # PIC (with -KPIC) is the default.
+      _LT_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
+      ;;
+
+    linux* | k*bsd*-gnu)
+      case $cc_basename in
+      # old Intel for x86_64 which still supported -KPIC.
+      ecc*)
+	_LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+	_LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+	_LT_TAGVAR(lt_prog_compiler_static, $1)='-static'
+        ;;
+      # icc used to be incompatible with GCC.
+      # ICC 10 doesn't accept -KPIC any more.
+      icc* | ifort*)
+	_LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+	_LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
+	_LT_TAGVAR(lt_prog_compiler_static, $1)='-static'
+        ;;
+      # Lahey Fortran 8.1.
+      lf95*)
+	_LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+	_LT_TAGVAR(lt_prog_compiler_pic, $1)='--shared'
+	_LT_TAGVAR(lt_prog_compiler_static, $1)='--static'
+	;;
+      pgcc* | pgf77* | pgf90* | pgf95*)
+        # Portland Group compilers (*not* the Pentium gcc compiler,
+	# which looks to be a dead project)
+	_LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+	_LT_TAGVAR(lt_prog_compiler_pic, $1)='-fpic'
+	_LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+        ;;
+      ccc*)
+        _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+        # All Alpha code is PIC.
+        _LT_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
+        ;;
+      xl*)
+	# IBM XL C 8.0/Fortran 10.1 on PPC
+	_LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+	_LT_TAGVAR(lt_prog_compiler_pic, $1)='-qpic'
+	_LT_TAGVAR(lt_prog_compiler_static, $1)='-qstaticlink'
+	;;
+      *)
+	case `$CC -V 2>&1 | sed 5q` in
+	*Sun\ C*)
+	  # Sun C 5.9
+	  _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+	  _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+	  _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+	  ;;
+	*Sun\ F*)
+	  # Sun Fortran 8.3 passes all unrecognized flags to the linker
+	  _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+	  _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+	  _LT_TAGVAR(lt_prog_compiler_wl, $1)=''
+	  ;;
+	esac
+	;;
+      esac
+      ;;
+
+    newsos6)
+      _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+      _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+      ;;
+
+    *nto* | *qnx*)
+      # QNX uses GNU C++, but need to define -shared option too, otherwise
+      # it will coredump.
+      _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC -shared'
+      ;;
+
+    osf3* | osf4* | osf5*)
+      _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+      # All OSF/1 code is PIC.
+      _LT_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
+      ;;
+
+    rdos*)
+      _LT_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
+      ;;
+
+    solaris*)
+      _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+      _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+      case $cc_basename in
+      f77* | f90* | f95*)
+	_LT_TAGVAR(lt_prog_compiler_wl, $1)='-Qoption ld ';;
+      *)
+	_LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,';;
+      esac
+      ;;
+
+    sunos4*)
+      _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Qoption ld '
+      _LT_TAGVAR(lt_prog_compiler_pic, $1)='-PIC'
+      _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+      ;;
+
+    sysv4 | sysv4.2uw2* | sysv4.3*)
+      _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+      _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+      _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+      ;;
+
+    sysv4*MP*)
+      if test -d /usr/nec ;then
+	_LT_TAGVAR(lt_prog_compiler_pic, $1)='-Kconform_pic'
+	_LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+      fi
+      ;;
+
+    sysv5* | unixware* | sco3.2v5* | sco5v6* | OpenUNIX*)
+      _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+      _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+      _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+      ;;
+
+    unicos*)
+      _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+      _LT_TAGVAR(lt_prog_compiler_can_build_shared, $1)=no
+      ;;
+
+    uts4*)
+      _LT_TAGVAR(lt_prog_compiler_pic, $1)='-pic'
+      _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+      ;;
+
+    *)
+      _LT_TAGVAR(lt_prog_compiler_can_build_shared, $1)=no
+      ;;
+    esac
+  fi
+])
+case $host_os in
+  # For platforms which do not support PIC, -DPIC is meaningless:
+  *djgpp*)
+    _LT_TAGVAR(lt_prog_compiler_pic, $1)=
+    ;;
+  *)
+    _LT_TAGVAR(lt_prog_compiler_pic, $1)="$_LT_TAGVAR(lt_prog_compiler_pic, $1)@&t@m4_if([$1],[],[ -DPIC],[m4_if([$1],[CXX],[ -DPIC],[])])"
+    ;;
+esac
+AC_MSG_RESULT([$_LT_TAGVAR(lt_prog_compiler_pic, $1)])
+_LT_TAGDECL([wl], [lt_prog_compiler_wl], [1],
+	[How to pass a linker flag through the compiler])
+
+#
+# Check to make sure the PIC flag actually works.
+#
+if test -n "$_LT_TAGVAR(lt_prog_compiler_pic, $1)"; then
+  _LT_COMPILER_OPTION([if $compiler PIC flag $_LT_TAGVAR(lt_prog_compiler_pic, $1) works],
+    [_LT_TAGVAR(lt_cv_prog_compiler_pic_works, $1)],
+    [$_LT_TAGVAR(lt_prog_compiler_pic, $1)@&t@m4_if([$1],[],[ -DPIC],[m4_if([$1],[CXX],[ -DPIC],[])])], [],
+    [case $_LT_TAGVAR(lt_prog_compiler_pic, $1) in
+     "" | " "*) ;;
+     *) _LT_TAGVAR(lt_prog_compiler_pic, $1)=" $_LT_TAGVAR(lt_prog_compiler_pic, $1)" ;;
+     esac],
+    [_LT_TAGVAR(lt_prog_compiler_pic, $1)=
+     _LT_TAGVAR(lt_prog_compiler_can_build_shared, $1)=no])
+fi
+_LT_TAGDECL([pic_flag], [lt_prog_compiler_pic], [1],
+	[Additional compiler flags for building library objects])
+
+#
+# Check to make sure the static flag actually works.
+#
+wl=$_LT_TAGVAR(lt_prog_compiler_wl, $1) eval lt_tmp_static_flag=\"$_LT_TAGVAR(lt_prog_compiler_static, $1)\"
+_LT_LINKER_OPTION([if $compiler static flag $lt_tmp_static_flag works],
+  _LT_TAGVAR(lt_cv_prog_compiler_static_works, $1),
+  $lt_tmp_static_flag,
+  [],
+  [_LT_TAGVAR(lt_prog_compiler_static, $1)=])
+_LT_TAGDECL([link_static_flag], [lt_prog_compiler_static], [1],
+	[Compiler flag to prevent dynamic linking])
+])# _LT_COMPILER_PIC
+
+
+# _LT_LINKER_SHLIBS([TAGNAME])
+# ----------------------------
+# See if the linker supports building shared libraries.
+m4_defun([_LT_LINKER_SHLIBS],
+[AC_REQUIRE([LT_PATH_LD])dnl
+AC_REQUIRE([LT_PATH_NM])dnl
+m4_require([_LT_FILEUTILS_DEFAULTS])dnl
+m4_require([_LT_DECL_EGREP])dnl
+m4_require([_LT_DECL_SED])dnl
+m4_require([_LT_CMD_GLOBAL_SYMBOLS])dnl
+m4_require([_LT_TAG_COMPILER])dnl
+AC_MSG_CHECKING([whether the $compiler linker ($LD) supports shared libraries])
+m4_if([$1], [CXX], [
+  _LT_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols'
+  case $host_os in
+  aix[[4-9]]*)
+    # If we're using GNU nm, then we don't want the "-C" option.
+    # -C means demangle to AIX nm, but means don't demangle with GNU nm
+    if $NM -V 2>&1 | $GREP 'GNU' > /dev/null; then
+      _LT_TAGVAR(export_symbols_cmds, $1)='$NM -Bpg $libobjs $convenience | awk '\''{ if (((\$ 2 == "T") || (\$ 2 == "D") || (\$ 2 == "B")) && ([substr](\$ 3,1,1) != ".")) { print \$ 3 } }'\'' | sort -u > $export_symbols'
+    else
+      _LT_TAGVAR(export_symbols_cmds, $1)='$NM -BCpg $libobjs $convenience | awk '\''{ if (((\$ 2 == "T") || (\$ 2 == "D") || (\$ 2 == "B")) && ([substr](\$ 3,1,1) != ".")) { print \$ 3 } }'\'' | sort -u > $export_symbols'
+    fi
+    ;;
+  pw32*)
+    _LT_TAGVAR(export_symbols_cmds, $1)="$ltdll_cmds"
+  ;;
+  cygwin* | mingw* | cegcc*)
+    _LT_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[[BCDGRS]][[ ]]/s/.*[[ ]]\([[^ ]]*\)/\1 DATA/;/^.*[[ ]]__nm__/s/^.*[[ ]]__nm__\([[^ ]]*\)[[ ]][[^ ]]*/\1 DATA/;/^I[[ ]]/d;/^[[AITW]][[ ]]/s/.* //'\'' | sort | uniq > $export_symbols'
+  ;;
+  linux* | k*bsd*-gnu)
+    _LT_TAGVAR(link_all_deplibs, $1)=no
+  ;;
+  *)
+    _LT_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols'
+  ;;
+  esac
+  _LT_TAGVAR(exclude_expsyms, $1)=['_GLOBAL_OFFSET_TABLE_|_GLOBAL__F[ID]_.*']
+], [
+  runpath_var=
+  _LT_TAGVAR(allow_undefined_flag, $1)=
+  _LT_TAGVAR(always_export_symbols, $1)=no
+  _LT_TAGVAR(archive_cmds, $1)=
+  _LT_TAGVAR(archive_expsym_cmds, $1)=
+  _LT_TAGVAR(compiler_needs_object, $1)=no
+  _LT_TAGVAR(enable_shared_with_static_runtimes, $1)=no
+  _LT_TAGVAR(export_dynamic_flag_spec, $1)=
+  _LT_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols'
+  _LT_TAGVAR(hardcode_automatic, $1)=no
+  _LT_TAGVAR(hardcode_direct, $1)=no
+  _LT_TAGVAR(hardcode_direct_absolute, $1)=no
+  _LT_TAGVAR(hardcode_libdir_flag_spec, $1)=
+  _LT_TAGVAR(hardcode_libdir_flag_spec_ld, $1)=
+  _LT_TAGVAR(hardcode_libdir_separator, $1)=
+  _LT_TAGVAR(hardcode_minus_L, $1)=no
+  _LT_TAGVAR(hardcode_shlibpath_var, $1)=unsupported
+  _LT_TAGVAR(inherit_rpath, $1)=no
+  _LT_TAGVAR(link_all_deplibs, $1)=unknown
+  _LT_TAGVAR(module_cmds, $1)=
+  _LT_TAGVAR(module_expsym_cmds, $1)=
+  _LT_TAGVAR(old_archive_from_new_cmds, $1)=
+  _LT_TAGVAR(old_archive_from_expsyms_cmds, $1)=
+  _LT_TAGVAR(thread_safe_flag_spec, $1)=
+  _LT_TAGVAR(whole_archive_flag_spec, $1)=
+  # include_expsyms should be a list of space-separated symbols to be *always*
+  # included in the symbol list
+  _LT_TAGVAR(include_expsyms, $1)=
+  # exclude_expsyms can be an extended regexp of symbols to exclude
+  # it will be wrapped by ` (' and `)$', so one must not match beginning or
+  # end of line.  Example: `a|bc|.*d.*' will exclude the symbols `a' and `bc',
+  # as well as any symbol that contains `d'.
+  _LT_TAGVAR(exclude_expsyms, $1)=['_GLOBAL_OFFSET_TABLE_|_GLOBAL__F[ID]_.*']
+  # Although _GLOBAL_OFFSET_TABLE_ is a valid symbol C name, most a.out
+  # platforms (ab)use it in PIC code, but their linkers get confused if
+  # the symbol is explicitly referenced.  Since portable code cannot
+  # rely on this symbol name, it's probably fine to never include it in
+  # preloaded symbol tables.
+  # Exclude shared library initialization/finalization symbols.
+dnl Note also adjust exclude_expsyms for C++ above.
+  extract_expsyms_cmds=
+
+  case $host_os in
+  cygwin* | mingw* | pw32* | cegcc*)
+    # FIXME: the MSVC++ port hasn't been tested in a loooong time
+    # When not using gcc, we currently assume that we are using
+    # Microsoft Visual C++.
+    if test "$GCC" != yes; then
+      with_gnu_ld=no
+    fi
+    ;;
+  interix*)
+    # we just hope/assume this is gcc and not c89 (= MSVC++)
+    with_gnu_ld=yes
+    ;;
+  openbsd*)
+    with_gnu_ld=no
+    ;;
+  linux* | k*bsd*-gnu)
+    _LT_TAGVAR(link_all_deplibs, $1)=no
+    ;;
+  esac
+
+  _LT_TAGVAR(ld_shlibs, $1)=yes
+  if test "$with_gnu_ld" = yes; then
+    # If archive_cmds runs LD, not CC, wlarc should be empty
+    wlarc='${wl}'
+
+    # Set some defaults for GNU ld with shared library support. These
+    # are reset later if shared libraries are not supported. Putting them
+    # here allows them to be overridden if necessary.
+    runpath_var=LD_RUN_PATH
+    _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
+    _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic'
+    # ancient GNU ld didn't support --whole-archive et. al.
+    if $LD --help 2>&1 | $GREP 'no-whole-archive' > /dev/null; then
+      _LT_TAGVAR(whole_archive_flag_spec, $1)="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive'
+    else
+      _LT_TAGVAR(whole_archive_flag_spec, $1)=
+    fi
+    supports_anon_versioning=no
+    case `$LD -v 2>&1` in
+      *\ [[01]].* | *\ 2.[[0-9]].* | *\ 2.10.*) ;; # catch versions < 2.11
+      *\ 2.11.93.0.2\ *) supports_anon_versioning=yes ;; # RH7.3 ...
+      *\ 2.11.92.0.12\ *) supports_anon_versioning=yes ;; # Mandrake 8.2 ...
+      *\ 2.11.*) ;; # other 2.11 versions
+      *) supports_anon_versioning=yes ;;
+    esac
+
+    # See if GNU ld supports shared libraries.
+    case $host_os in
+    aix[[3-9]]*)
+      # On AIX/PPC, the GNU linker is very broken
+      if test "$host_cpu" != ia64; then
+	_LT_TAGVAR(ld_shlibs, $1)=no
+	cat <<_LT_EOF 1>&2
+
+*** Warning: the GNU linker, at least up to release 2.9.1, is reported
+*** to be unable to reliably create shared libraries on AIX.
+*** Therefore, libtool is disabling shared libraries support.  If you
+*** really care for shared libraries, you may want to modify your PATH
+*** so that a non-GNU linker is found, and then restart.
+
+_LT_EOF
+      fi
+      ;;
+
+    amigaos*)
+      case $host_cpu in
+      powerpc)
+            # see comment about AmigaOS4 .so support
+            _LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+            _LT_TAGVAR(archive_expsym_cmds, $1)=''
+        ;;
+      m68k)
+            _LT_TAGVAR(archive_cmds, $1)='$RM $output_objdir/a2ixlibrary.data~$ECHO "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$ECHO "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$ECHO "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$ECHO "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)'
+            _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
+            _LT_TAGVAR(hardcode_minus_L, $1)=yes
+        ;;
+      esac
+      ;;
+
+    beos*)
+      if $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then
+	_LT_TAGVAR(allow_undefined_flag, $1)=unsupported
+	# Joseph Beckenbach <jrb3@best.com> says some releases of gcc
+	# support --undefined.  This deserves some investigation.  FIXME
+	_LT_TAGVAR(archive_cmds, $1)='$CC -nostart $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+      else
+	_LT_TAGVAR(ld_shlibs, $1)=no
+      fi
+      ;;
+
+    cygwin* | mingw* | pw32* | cegcc*)
+      # _LT_TAGVAR(hardcode_libdir_flag_spec, $1) is actually meaningless,
+      # as there is no search path for DLLs.
+      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
+      _LT_TAGVAR(allow_undefined_flag, $1)=unsupported
+      _LT_TAGVAR(always_export_symbols, $1)=no
+      _LT_TAGVAR(enable_shared_with_static_runtimes, $1)=yes
+      _LT_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[[BCDGRS]][[ ]]/s/.*[[ ]]\([[^ ]]*\)/\1 DATA/'\'' | $SED -e '\''/^[[AITW]][[ ]]/s/.*[[ ]]//'\'' | sort | uniq > $export_symbols'
+
+      if $LD --help 2>&1 | $GREP 'auto-import' > /dev/null; then
+        _LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
+	# If the export-symbols file already is a .def file (1st line
+	# is EXPORTS), use it as is; otherwise, prepend...
+	_LT_TAGVAR(archive_expsym_cmds, $1)='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then
+	  cp $export_symbols $output_objdir/$soname.def;
+	else
+	  echo EXPORTS > $output_objdir/$soname.def;
+	  cat $export_symbols >> $output_objdir/$soname.def;
+	fi~
+	$CC -shared $output_objdir/$soname.def $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
+      else
+	_LT_TAGVAR(ld_shlibs, $1)=no
+      fi
+      ;;
+
+    interix[[3-9]]*)
+      _LT_TAGVAR(hardcode_direct, $1)=no
+      _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
+      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
+      _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
+      # Hack: On Interix 3.x, we cannot compile PIC because of a broken gcc.
+      # Instead, shared libraries are loaded at an image base (0x10000000 by
+      # default) and relocated if they conflict, which is a slow very memory
+      # consuming and fragmenting process.  To avoid this, we pick a random,
+      # 256 KiB-aligned image base between 0x50000000 and 0x6FFC0000 at link
+      # time.  Moving up from 0x10000000 also allows more sbrk(2) space.
+      _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
+      _LT_TAGVAR(archive_expsym_cmds, $1)='sed "s,^,_," $export_symbols >$output_objdir/$soname.expsym~$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--retain-symbols-file,$output_objdir/$soname.expsym ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
+      ;;
+
+    gnu* | linux* | tpf* | k*bsd*-gnu)
+      tmp_diet=no
+      if test "$host_os" = linux-dietlibc; then
+	case $cc_basename in
+	  diet\ *) tmp_diet=yes;;	# linux-dietlibc with static linking (!diet-dyn)
+	esac
+      fi
+      if $LD --help 2>&1 | $EGREP ': supported targets:.* elf' > /dev/null \
+	 && test "$tmp_diet" = no
+      then
+	tmp_addflag=
+	tmp_sharedflag='-shared'
+	case $cc_basename,$host_cpu in
+        pgcc*)				# Portland Group C compiler
+	  _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $ECHO \"$new_convenience\"` ${wl}--no-whole-archive'
+	  tmp_addflag=' $pic_flag'
+	  ;;
+	pgf77* | pgf90* | pgf95*)	# Portland Group f77 and f90 compilers
+	  _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $ECHO \"$new_convenience\"` ${wl}--no-whole-archive'
+	  tmp_addflag=' $pic_flag -Mnomain' ;;
+	ecc*,ia64* | icc*,ia64*)	# Intel C compiler on ia64
+	  tmp_addflag=' -i_dynamic' ;;
+	efc*,ia64* | ifort*,ia64*)	# Intel Fortran compiler on ia64
+	  tmp_addflag=' -i_dynamic -nofor_main' ;;
+	ifc* | ifort*)			# Intel Fortran compiler
+	  tmp_addflag=' -nofor_main' ;;
+	lf95*)				# Lahey Fortran 8.1
+	  _LT_TAGVAR(whole_archive_flag_spec, $1)=
+	  tmp_sharedflag='--shared' ;;
+	xl[[cC]]*)			# IBM XL C 8.0 on PPC (deal with xlf below)
+	  tmp_sharedflag='-qmkshrobj'
+	  tmp_addflag= ;;
+	esac
+	case `$CC -V 2>&1 | sed 5q` in
+	*Sun\ C*)			# Sun C 5.9
+	  _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`new_convenience=; for conv in $convenience\"\"; do test -z \"$conv\" || new_convenience=\"$new_convenience,$conv\"; done; $ECHO \"$new_convenience\"` ${wl}--no-whole-archive'
+	  _LT_TAGVAR(compiler_needs_object, $1)=yes
+	  tmp_sharedflag='-G' ;;
+	*Sun\ F*)			# Sun Fortran 8.3
+	  tmp_sharedflag='-G' ;;
+	esac
+	_LT_TAGVAR(archive_cmds, $1)='$CC '"$tmp_sharedflag""$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+
+        if test "x$supports_anon_versioning" = xyes; then
+          _LT_TAGVAR(archive_expsym_cmds, $1)='echo "{ global:" > $output_objdir/$libname.ver~
+	    cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~
+	    echo "local: *; };" >> $output_objdir/$libname.ver~
+	    $CC '"$tmp_sharedflag""$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-version-script ${wl}$output_objdir/$libname.ver -o $lib'
+        fi
+
+	case $cc_basename in
+	xlf*)
+	  # IBM XL Fortran 10.1 on PPC cannot create shared libs itself
+	  _LT_TAGVAR(whole_archive_flag_spec, $1)='--whole-archive$convenience --no-whole-archive'
+	  _LT_TAGVAR(hardcode_libdir_flag_spec, $1)=
+	  _LT_TAGVAR(hardcode_libdir_flag_spec_ld, $1)='-rpath $libdir'
+	  _LT_TAGVAR(archive_cmds, $1)='$LD -shared $libobjs $deplibs $compiler_flags -soname $soname -o $lib'
+	  if test "x$supports_anon_versioning" = xyes; then
+	    _LT_TAGVAR(archive_expsym_cmds, $1)='echo "{ global:" > $output_objdir/$libname.ver~
+	      cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~
+	      echo "local: *; };" >> $output_objdir/$libname.ver~
+	      $LD -shared $libobjs $deplibs $compiler_flags -soname $soname -version-script $output_objdir/$libname.ver -o $lib'
+	  fi
+	  ;;
+	esac
+      else
+        _LT_TAGVAR(ld_shlibs, $1)=no
+      fi
+      ;;
+
+    netbsd* | netbsdelf*-gnu)
+      if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then
+	_LT_TAGVAR(archive_cmds, $1)='$LD -Bshareable $libobjs $deplibs $linker_flags -o $lib'
+	wlarc=
+      else
+	_LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+	_LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+      fi
+      ;;
+
+    solaris*)
+      if $LD -v 2>&1 | $GREP 'BFD 2\.8' > /dev/null; then
+	_LT_TAGVAR(ld_shlibs, $1)=no
+	cat <<_LT_EOF 1>&2
+
+*** Warning: The releases 2.8.* of the GNU linker cannot reliably
+*** create shared libraries on Solaris systems.  Therefore, libtool
+*** is disabling shared libraries support.  We urge you to upgrade GNU
+*** binutils to release 2.9.1 or newer.  Another option is to modify
+*** your PATH or compiler configuration so that the native linker is
+*** used, and then restart.
+
+_LT_EOF
+      elif $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then
+	_LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+	_LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+      else
+	_LT_TAGVAR(ld_shlibs, $1)=no
+      fi
+      ;;
+
+    sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX*)
+      case `$LD -v 2>&1` in
+        *\ [[01]].* | *\ 2.[[0-9]].* | *\ 2.1[[0-5]].*)
+	_LT_TAGVAR(ld_shlibs, $1)=no
+	cat <<_LT_EOF 1>&2
+
+*** Warning: Releases of the GNU linker prior to 2.16.91.0.3 can not
+*** reliably create shared libraries on SCO systems.  Therefore, libtool
+*** is disabling shared libraries support.  We urge you to upgrade GNU
+*** binutils to release 2.16.91.0.3 or newer.  Another option is to modify
+*** your PATH or compiler configuration so that the native linker is
+*** used, and then restart.
+
+_LT_EOF
+	;;
+	*)
+	  # For security reasons, it is highly recommended that you always
+	  # use absolute paths for naming shared libraries, and exclude the
+	  # DT_RUNPATH tag from executables and libraries.  But doing so
+	  # requires that you compile everything twice, which is a pain.
+	  if $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then
+	    _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
+	    _LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+	    _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+	  else
+	    _LT_TAGVAR(ld_shlibs, $1)=no
+	  fi
+	;;
+      esac
+      ;;
+
+    sunos4*)
+      _LT_TAGVAR(archive_cmds, $1)='$LD -assert pure-text -Bshareable -o $lib $libobjs $deplibs $linker_flags'
+      wlarc=
+      _LT_TAGVAR(hardcode_direct, $1)=yes
+      _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
+      ;;
+
+    *)
+      if $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then
+	_LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+	_LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+      else
+	_LT_TAGVAR(ld_shlibs, $1)=no
+      fi
+      ;;
+    esac
+
+    if test "$_LT_TAGVAR(ld_shlibs, $1)" = no; then
+      runpath_var=
+      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)=
+      _LT_TAGVAR(export_dynamic_flag_spec, $1)=
+      _LT_TAGVAR(whole_archive_flag_spec, $1)=
+    fi
+  else
+    # PORTME fill in a description of your system's linker (not GNU ld)
+    case $host_os in
+    aix3*)
+      _LT_TAGVAR(allow_undefined_flag, $1)=unsupported
+      _LT_TAGVAR(always_export_symbols, $1)=yes
+      _LT_TAGVAR(archive_expsym_cmds, $1)='$LD -o $output_objdir/$soname $libobjs $deplibs $linker_flags -bE:$export_symbols -T512 -H512 -bM:SRE~$AR $AR_FLAGS $lib $output_objdir/$soname'
+      # Note: this linker hardcodes the directories in LIBPATH if there
+      # are no directories specified by -L.
+      _LT_TAGVAR(hardcode_minus_L, $1)=yes
+      if test "$GCC" = yes && test -z "$lt_prog_compiler_static"; then
+	# Neither direct hardcoding nor static linking is supported with a
+	# broken collect2.
+	_LT_TAGVAR(hardcode_direct, $1)=unsupported
+      fi
+      ;;
+
+    aix[[4-9]]*)
+      if test "$host_cpu" = ia64; then
+	# On IA64, the linker does run time linking by default, so we don't
+	# have to do anything special.
+	aix_use_runtimelinking=no
+	exp_sym_flag='-Bexport'
+	no_entry_flag=""
+      else
+	# If we're using GNU nm, then we don't want the "-C" option.
+	# -C means demangle to AIX nm, but means don't demangle with GNU nm
+	if $NM -V 2>&1 | $GREP 'GNU' > /dev/null; then
+	  _LT_TAGVAR(export_symbols_cmds, $1)='$NM -Bpg $libobjs $convenience | awk '\''{ if (((\$ 2 == "T") || (\$ 2 == "D") || (\$ 2 == "B")) && ([substr](\$ 3,1,1) != ".")) { print \$ 3 } }'\'' | sort -u > $export_symbols'
+	else
+	  _LT_TAGVAR(export_symbols_cmds, $1)='$NM -BCpg $libobjs $convenience | awk '\''{ if (((\$ 2 == "T") || (\$ 2 == "D") || (\$ 2 == "B")) && ([substr](\$ 3,1,1) != ".")) { print \$ 3 } }'\'' | sort -u > $export_symbols'
+	fi
+	aix_use_runtimelinking=no
+
+	# Test if we are trying to use run time linking or normal
+	# AIX style linking. If -brtl is somewhere in LDFLAGS, we
+	# need to do runtime linking.
+	case $host_os in aix4.[[23]]|aix4.[[23]].*|aix[[5-9]]*)
+	  for ld_flag in $LDFLAGS; do
+	  if (test $ld_flag = "-brtl" || test $ld_flag = "-Wl,-brtl"); then
+	    aix_use_runtimelinking=yes
+	    break
+	  fi
+	  done
+	  ;;
+	esac
+
+	exp_sym_flag='-bexport'
+	no_entry_flag='-bnoentry'
+      fi
+
+      # When large executables or shared objects are built, AIX ld can
+      # have problems creating the table of contents.  If linking a library
+      # or program results in "error TOC overflow" add -mminimal-toc to
+      # CXXFLAGS/CFLAGS for g++/gcc.  In the cases where that is not
+      # enough to fix the problem, add -Wl,-bbigtoc to LDFLAGS.
+
+      _LT_TAGVAR(archive_cmds, $1)=''
+      _LT_TAGVAR(hardcode_direct, $1)=yes
+      _LT_TAGVAR(hardcode_direct_absolute, $1)=yes
+      _LT_TAGVAR(hardcode_libdir_separator, $1)=':'
+      _LT_TAGVAR(link_all_deplibs, $1)=yes
+      _LT_TAGVAR(file_list_spec, $1)='${wl}-f,'
+
+      if test "$GCC" = yes; then
+	case $host_os in aix4.[[012]]|aix4.[[012]].*)
+	# We only want to do this on AIX 4.2 and lower, the check
+	# below for broken collect2 doesn't work under 4.3+
+	  collect2name=`${CC} -print-prog-name=collect2`
+	  if test -f "$collect2name" &&
+	   strings "$collect2name" | $GREP resolve_lib_name >/dev/null
+	  then
+	  # We have reworked collect2
+	  :
+	  else
+	  # We have old collect2
+	  _LT_TAGVAR(hardcode_direct, $1)=unsupported
+	  # It fails to find uninstalled libraries when the uninstalled
+	  # path is not listed in the libpath.  Setting hardcode_minus_L
+	  # to unsupported forces relinking
+	  _LT_TAGVAR(hardcode_minus_L, $1)=yes
+	  _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
+	  _LT_TAGVAR(hardcode_libdir_separator, $1)=
+	  fi
+	  ;;
+	esac
+	shared_flag='-shared'
+	if test "$aix_use_runtimelinking" = yes; then
+	  shared_flag="$shared_flag "'${wl}-G'
+	fi
+	_LT_TAGVAR(link_all_deplibs, $1)=no
+      else
+	# not using gcc
+	if test "$host_cpu" = ia64; then
+	# VisualAge C++, Version 5.5 for AIX 5L for IA-64, Beta 3 Release
+	# chokes on -Wl,-G. The following line is correct:
+	  shared_flag='-G'
+	else
+	  if test "$aix_use_runtimelinking" = yes; then
+	    shared_flag='${wl}-G'
+	  else
+	    shared_flag='${wl}-bM:SRE'
+	  fi
+	fi
+      fi
+
+      _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-bexpall'
+      # It seems that -bexpall does not export symbols beginning with
+      # underscore (_), so it is better to generate a list of symbols to export.
+      _LT_TAGVAR(always_export_symbols, $1)=yes
+      if test "$aix_use_runtimelinking" = yes; then
+	# Warning - without using the other runtime loading flags (-brtl),
+	# -berok will link without error, but may produce a broken library.
+	_LT_TAGVAR(allow_undefined_flag, $1)='-berok'
+        # Determine the default libpath from the value encoded in an
+        # empty executable.
+        _LT_SYS_MODULE_PATH_AIX
+        _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-blibpath:$libdir:'"$aix_libpath"
+        _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then $ECHO "X${wl}${allow_undefined_flag}" | $Xsed; else :; fi` '"\${wl}$exp_sym_flag:\$export_symbols $shared_flag"
+      else
+	if test "$host_cpu" = ia64; then
+	  _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-R $libdir:/usr/lib:/lib'
+	  _LT_TAGVAR(allow_undefined_flag, $1)="-z nodefs"
+	  _LT_TAGVAR(archive_expsym_cmds, $1)="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags ${wl}${allow_undefined_flag} '"\${wl}$exp_sym_flag:\$export_symbols"
+	else
+	 # Determine the default libpath from the value encoded in an
+	 # empty executable.
+	 _LT_SYS_MODULE_PATH_AIX
+	 _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-blibpath:$libdir:'"$aix_libpath"
+	  # Warning - without using the other run time loading flags,
+	  # -berok will link without error, but may produce a broken library.
+	  _LT_TAGVAR(no_undefined_flag, $1)=' ${wl}-bernotok'
+	  _LT_TAGVAR(allow_undefined_flag, $1)=' ${wl}-berok'
+	  # Exported symbols can be pulled into shared objects from archives
+	  _LT_TAGVAR(whole_archive_flag_spec, $1)='$convenience'
+	  _LT_TAGVAR(archive_cmds_need_lc, $1)=yes
+	  # This is similar to how AIX traditionally builds its shared libraries.
+	  _LT_TAGVAR(archive_expsym_cmds, $1)="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs ${wl}-bnoentry $compiler_flags ${wl}-bE:$export_symbols${allow_undefined_flag}~$AR $AR_FLAGS $output_objdir/$libname$release.a $output_objdir/$soname'
+	fi
+      fi
+      ;;
+
+    amigaos*)
+      case $host_cpu in
+      powerpc)
+            # see comment about AmigaOS4 .so support
+            _LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+            _LT_TAGVAR(archive_expsym_cmds, $1)=''
+        ;;
+      m68k)
+            _LT_TAGVAR(archive_cmds, $1)='$RM $output_objdir/a2ixlibrary.data~$ECHO "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$ECHO "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$ECHO "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$ECHO "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)'
+            _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
+            _LT_TAGVAR(hardcode_minus_L, $1)=yes
+        ;;
+      esac
+      ;;
+
+    bsdi[[45]]*)
+      _LT_TAGVAR(export_dynamic_flag_spec, $1)=-rdynamic
+      ;;
+
+    cygwin* | mingw* | pw32* | cegcc*)
+      # When not using gcc, we currently assume that we are using
+      # Microsoft Visual C++.
+      # hardcode_libdir_flag_spec is actually meaningless, as there is
+      # no search path for DLLs.
+      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)=' '
+      _LT_TAGVAR(allow_undefined_flag, $1)=unsupported
+      # Tell ltmain to make .lib files, not .a files.
+      libext=lib
+      # Tell ltmain to make .dll files, not .so files.
+      shrext_cmds=".dll"
+      # FIXME: Setting linknames here is a bad hack.
+      _LT_TAGVAR(archive_cmds, $1)='$CC -o $lib $libobjs $compiler_flags `$ECHO "X$deplibs" | $Xsed -e '\''s/ -lc$//'\''` -link -dll~linknames='
+      # The linker will automatically build a .lib file if we build a DLL.
+      _LT_TAGVAR(old_archive_from_new_cmds, $1)='true'
+      # FIXME: Should let the user specify the lib program.
+      _LT_TAGVAR(old_archive_cmds, $1)='lib -OUT:$oldlib$oldobjs$old_deplibs'
+      _LT_TAGVAR(fix_srcfile_path, $1)='`cygpath -w "$srcfile"`'
+      _LT_TAGVAR(enable_shared_with_static_runtimes, $1)=yes
+      ;;
+
+    darwin* | rhapsody*)
+      _LT_DARWIN_LINKER_FEATURES($1)
+      ;;
+
+    dgux*)
+      _LT_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
+      _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
+      ;;
+
+    freebsd1*)
+      _LT_TAGVAR(ld_shlibs, $1)=no
+      ;;
+
+    # FreeBSD 2.2.[012] allows us to include c++rt0.o to get C++ constructor
+    # support.  Future versions do this automatically, but an explicit c++rt0.o
+    # does not break anything, and helps significantly (at the cost of a little
+    # extra space).
+    freebsd2.2*)
+      _LT_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags /usr/lib/c++rt0.o'
+      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
+      _LT_TAGVAR(hardcode_direct, $1)=yes
+      _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
+      ;;
+
+    # Unfortunately, older versions of FreeBSD 2 do not have this feature.
+    freebsd2*)
+      _LT_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'
+      _LT_TAGVAR(hardcode_direct, $1)=yes
+      _LT_TAGVAR(hardcode_minus_L, $1)=yes
+      _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
+      ;;
+
+    # FreeBSD 3 and greater uses gcc -shared to do shared libraries.
+    freebsd* | dragonfly*)
+      _LT_TAGVAR(archive_cmds, $1)='$CC -shared -o $lib $libobjs $deplibs $compiler_flags'
+      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
+      _LT_TAGVAR(hardcode_direct, $1)=yes
+      _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
+      ;;
+
+    hpux9*)
+      if test "$GCC" = yes; then
+	_LT_TAGVAR(archive_cmds, $1)='$RM $output_objdir/$soname~$CC -shared -fPIC ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $libobjs $deplibs $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
+      else
+	_LT_TAGVAR(archive_cmds, $1)='$RM $output_objdir/$soname~$LD -b +b $install_libdir -o $output_objdir/$soname $libobjs $deplibs $linker_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
+      fi
+      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir'
+      _LT_TAGVAR(hardcode_libdir_separator, $1)=:
+      _LT_TAGVAR(hardcode_direct, $1)=yes
+
+      # hardcode_minus_L: Not really in the search PATH,
+      # but as the default location of the library.
+      _LT_TAGVAR(hardcode_minus_L, $1)=yes
+      _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
+      ;;
+
+    hpux10*)
+      if test "$GCC" = yes -a "$with_gnu_ld" = no; then
+	_LT_TAGVAR(archive_cmds, $1)='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
+      else
+	_LT_TAGVAR(archive_cmds, $1)='$LD -b +h $soname +b $install_libdir -o $lib $libobjs $deplibs $linker_flags'
+      fi
+      if test "$with_gnu_ld" = no; then
+	_LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir'
+	_LT_TAGVAR(hardcode_libdir_flag_spec_ld, $1)='+b $libdir'
+	_LT_TAGVAR(hardcode_libdir_separator, $1)=:
+	_LT_TAGVAR(hardcode_direct, $1)=yes
+	_LT_TAGVAR(hardcode_direct_absolute, $1)=yes
+	_LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
+	# hardcode_minus_L: Not really in the search PATH,
+	# but as the default location of the library.
+	_LT_TAGVAR(hardcode_minus_L, $1)=yes
+      fi
+      ;;
+
+    hpux11*)
+      if test "$GCC" = yes -a "$with_gnu_ld" = no; then
+	case $host_cpu in
+	hppa*64*)
+	  _LT_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}+h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
+	  ;;
+	ia64*)
+	  _LT_TAGVAR(archive_cmds, $1)='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags'
+	  ;;
+	*)
+	  _LT_TAGVAR(archive_cmds, $1)='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
+	  ;;
+	esac
+      else
+	case $host_cpu in
+	hppa*64*)
+	  _LT_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
+	  ;;
+	ia64*)
+	  _LT_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags'
+	  ;;
+	*)
+	  _LT_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
+	  ;;
+	esac
+      fi
+      if test "$with_gnu_ld" = no; then
+	_LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir'
+	_LT_TAGVAR(hardcode_libdir_separator, $1)=:
+
+	case $host_cpu in
+	hppa*64*|ia64*)
+	  _LT_TAGVAR(hardcode_direct, $1)=no
+	  _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
+	  ;;
+	*)
+	  _LT_TAGVAR(hardcode_direct, $1)=yes
+	  _LT_TAGVAR(hardcode_direct_absolute, $1)=yes
+	  _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
+
+	  # hardcode_minus_L: Not really in the search PATH,
+	  # but as the default location of the library.
+	  _LT_TAGVAR(hardcode_minus_L, $1)=yes
+	  ;;
+	esac
+      fi
+      ;;
+
+    irix5* | irix6* | nonstopux*)
+      if test "$GCC" = yes; then
+	_LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && $ECHO "X${wl}-set_version ${wl}$verstring" | $Xsed` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+	# Try to use the -exported_symbol ld option, if it does not
+	# work, assume that -exports_file does not work either and
+	# implicitly export all symbols.
+        save_LDFLAGS="$LDFLAGS"
+        LDFLAGS="$LDFLAGS -shared ${wl}-exported_symbol ${wl}foo ${wl}-update_registry ${wl}/dev/null"
+        AC_LINK_IFELSE(int foo(void) {},
+          _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && $ECHO "X${wl}-set_version ${wl}$verstring" | $Xsed` ${wl}-update_registry ${wl}${output_objdir}/so_locations ${wl}-exports_file ${wl}$export_symbols -o $lib'
+        )
+        LDFLAGS="$save_LDFLAGS"
+      else
+	_LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && $ECHO "X-set_version $verstring" | $Xsed` -update_registry ${output_objdir}/so_locations -o $lib'
+	_LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && $ECHO "X-set_version $verstring" | $Xsed` -update_registry ${output_objdir}/so_locations -exports_file $export_symbols -o $lib'
+      fi
+      _LT_TAGVAR(archive_cmds_need_lc, $1)='no'
+      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
+      _LT_TAGVAR(hardcode_libdir_separator, $1)=:
+      _LT_TAGVAR(inherit_rpath, $1)=yes
+      _LT_TAGVAR(link_all_deplibs, $1)=yes
+      ;;
+
+    netbsd* | netbsdelf*-gnu)
+      if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then
+	_LT_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'  # a.out
+      else
+	_LT_TAGVAR(archive_cmds, $1)='$LD -shared -o $lib $libobjs $deplibs $linker_flags'      # ELF
+      fi
+      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
+      _LT_TAGVAR(hardcode_direct, $1)=yes
+      _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
+      ;;
+
+    newsos6)
+      _LT_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+      _LT_TAGVAR(hardcode_direct, $1)=yes
+      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
+      _LT_TAGVAR(hardcode_libdir_separator, $1)=:
+      _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
+      ;;
+
+    *nto* | *qnx*)
+      ;;
+
+    openbsd*)
+      if test -f /usr/libexec/ld.so; then
+	_LT_TAGVAR(hardcode_direct, $1)=yes
+	_LT_TAGVAR(hardcode_shlibpath_var, $1)=no
+	_LT_TAGVAR(hardcode_direct_absolute, $1)=yes
+	if test -z "`echo __ELF__ | $CC -E - | $GREP __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
+	  _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
+	  _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-retain-symbols-file,$export_symbols'
+	  _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
+	  _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
+	else
+	  case $host_os in
+	   openbsd[[01]].* | openbsd2.[[0-7]] | openbsd2.[[0-7]].*)
+	     _LT_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'
+	     _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
+	     ;;
+	   *)
+	     _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
+	     _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
+	     ;;
+	  esac
+	fi
+      else
+	_LT_TAGVAR(ld_shlibs, $1)=no
+      fi
+      ;;
+
+    os2*)
+      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
+      _LT_TAGVAR(hardcode_minus_L, $1)=yes
+      _LT_TAGVAR(allow_undefined_flag, $1)=unsupported
+      _LT_TAGVAR(archive_cmds, $1)='$ECHO "LIBRARY $libname INITINSTANCE" > $output_objdir/$libname.def~$ECHO "DESCRIPTION \"$libname\"" >> $output_objdir/$libname.def~$ECHO DATA >> $output_objdir/$libname.def~$ECHO " SINGLE NONSHARED" >> $output_objdir/$libname.def~$ECHO EXPORTS >> $output_objdir/$libname.def~emxexp $libobjs >> $output_objdir/$libname.def~$CC -Zdll -Zcrtdll -o $lib $libobjs $deplibs $compiler_flags $output_objdir/$libname.def'
+      _LT_TAGVAR(old_archive_from_new_cmds, $1)='emximp -o $output_objdir/$libname.a $output_objdir/$libname.def'
+      ;;
+
+    osf3*)
+      if test "$GCC" = yes; then
+	_LT_TAGVAR(allow_undefined_flag, $1)=' ${wl}-expect_unresolved ${wl}\*'
+	_LT_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && $ECHO "X${wl}-set_version ${wl}$verstring" | $Xsed` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+      else
+	_LT_TAGVAR(allow_undefined_flag, $1)=' -expect_unresolved \*'
+	_LT_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && $ECHO "X-set_version $verstring" | $Xsed` -update_registry ${output_objdir}/so_locations -o $lib'
+      fi
+      _LT_TAGVAR(archive_cmds_need_lc, $1)='no'
+      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
+      _LT_TAGVAR(hardcode_libdir_separator, $1)=:
+      ;;
+
+    osf4* | osf5*)	# as osf3* with the addition of -msym flag
+      if test "$GCC" = yes; then
+	_LT_TAGVAR(allow_undefined_flag, $1)=' ${wl}-expect_unresolved ${wl}\*'
+	_LT_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-msym ${wl}-soname ${wl}$soname `test -n "$verstring" && $ECHO "X${wl}-set_version ${wl}$verstring" | $Xsed` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+	_LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
+      else
+	_LT_TAGVAR(allow_undefined_flag, $1)=' -expect_unresolved \*'
+	_LT_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags -msym -soname $soname `test -n "$verstring" && $ECHO "X-set_version $verstring" | $Xsed` -update_registry ${output_objdir}/so_locations -o $lib'
+	_LT_TAGVAR(archive_expsym_cmds, $1)='for i in `cat $export_symbols`; do printf "%s %s\\n" -exported_symbol "\$i" >> $lib.exp; done; printf "%s\\n" "-hidden">> $lib.exp~
+	$CC -shared${allow_undefined_flag} ${wl}-input ${wl}$lib.exp $compiler_flags $libobjs $deplibs -soname $soname `test -n "$verstring" && $ECHO "X-set_version $verstring" | $Xsed` -update_registry ${output_objdir}/so_locations -o $lib~$RM $lib.exp'
+
+	# Both c and cxx compiler support -rpath directly
+	_LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-rpath $libdir'
+      fi
+      _LT_TAGVAR(archive_cmds_need_lc, $1)='no'
+      _LT_TAGVAR(hardcode_libdir_separator, $1)=:
+      ;;
+
+    solaris*)
+      _LT_TAGVAR(no_undefined_flag, $1)=' -z defs'
+      if test "$GCC" = yes; then
+	wlarc='${wl}'
+	_LT_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}-z ${wl}text ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
+	_LT_TAGVAR(archive_expsym_cmds, $1)='echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~echo "local: *; };" >> $lib.exp~
+	  $CC -shared ${wl}-z ${wl}text ${wl}-M ${wl}$lib.exp ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags~$RM $lib.exp'
+      else
+	case `$CC -V 2>&1` in
+	*"Compilers 5.0"*)
+	  wlarc=''
+	  _LT_TAGVAR(archive_cmds, $1)='$LD -G${allow_undefined_flag} -h $soname -o $lib $libobjs $deplibs $linker_flags'
+	  _LT_TAGVAR(archive_expsym_cmds, $1)='echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~echo "local: *; };" >> $lib.exp~
+	  $LD -G${allow_undefined_flag} -M $lib.exp -h $soname -o $lib $libobjs $deplibs $linker_flags~$RM $lib.exp'
+	  ;;
+	*)
+	  wlarc='${wl}'
+	  _LT_TAGVAR(archive_cmds, $1)='$CC -G${allow_undefined_flag} -h $soname -o $lib $libobjs $deplibs $compiler_flags'
+	  _LT_TAGVAR(archive_expsym_cmds, $1)='echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~echo "local: *; };" >> $lib.exp~
+	  $CC -G${allow_undefined_flag} -M $lib.exp -h $soname -o $lib $libobjs $deplibs $compiler_flags~$RM $lib.exp'
+	  ;;
+	esac
+      fi
+      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
+      _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
+      case $host_os in
+      solaris2.[[0-5]] | solaris2.[[0-5]].*) ;;
+      *)
+	# The compiler driver will combine and reorder linker options,
+	# but understands `-z linker_flag'.  GCC discards it without `$wl',
+	# but is careful enough not to reorder.
+	# Supported since Solaris 2.6 (maybe 2.5.1?)
+	if test "$GCC" = yes; then
+	  _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}-z ${wl}allextract$convenience ${wl}-z ${wl}defaultextract'
+	else
+	  _LT_TAGVAR(whole_archive_flag_spec, $1)='-z allextract$convenience -z defaultextract'
+	fi
+	;;
+      esac
+      _LT_TAGVAR(link_all_deplibs, $1)=yes
+      ;;
+
+    sunos4*)
+      if test "x$host_vendor" = xsequent; then
+	# Use $CC to link under sequent, because it throws in some extra .o
+	# files that make .init and .fini sections work.
+	_LT_TAGVAR(archive_cmds, $1)='$CC -G ${wl}-h $soname -o $lib $libobjs $deplibs $compiler_flags'
+      else
+	_LT_TAGVAR(archive_cmds, $1)='$LD -assert pure-text -Bstatic -o $lib $libobjs $deplibs $linker_flags'
+      fi
+      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
+      _LT_TAGVAR(hardcode_direct, $1)=yes
+      _LT_TAGVAR(hardcode_minus_L, $1)=yes
+      _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
+      ;;
+
+    sysv4)
+      case $host_vendor in
+	sni)
+	  _LT_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+	  _LT_TAGVAR(hardcode_direct, $1)=yes # is this really true???
+	;;
+	siemens)
+	  ## LD is ld it makes a PLAMLIB
+	  ## CC just makes a GrossModule.
+	  _LT_TAGVAR(archive_cmds, $1)='$LD -G -o $lib $libobjs $deplibs $linker_flags'
+	  _LT_TAGVAR(reload_cmds, $1)='$CC -r -o $output$reload_objs'
+	  _LT_TAGVAR(hardcode_direct, $1)=no
+        ;;
+	motorola)
+	  _LT_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+	  _LT_TAGVAR(hardcode_direct, $1)=no #Motorola manual says yes, but my tests say they lie
+	;;
+      esac
+      runpath_var='LD_RUN_PATH'
+      _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
+      ;;
+
+    sysv4.3*)
+      _LT_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+      _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
+      _LT_TAGVAR(export_dynamic_flag_spec, $1)='-Bexport'
+      ;;
+
+    sysv4*MP*)
+      if test -d /usr/nec; then
+	_LT_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+	_LT_TAGVAR(hardcode_shlibpath_var, $1)=no
+	runpath_var=LD_RUN_PATH
+	hardcode_runpath_var=yes
+	_LT_TAGVAR(ld_shlibs, $1)=yes
+      fi
+      ;;
+
+    sysv4*uw2* | sysv5OpenUNIX* | sysv5UnixWare7.[[01]].[[10]]* | unixware7* | sco3.2v5.0.[[024]]*)
+      _LT_TAGVAR(no_undefined_flag, $1)='${wl}-z,text'
+      _LT_TAGVAR(archive_cmds_need_lc, $1)=no
+      _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
+      runpath_var='LD_RUN_PATH'
+
+      if test "$GCC" = yes; then
+	_LT_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+	_LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+      else
+	_LT_TAGVAR(archive_cmds, $1)='$CC -G ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+	_LT_TAGVAR(archive_expsym_cmds, $1)='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+      fi
+      ;;
+
+    sysv5* | sco3.2v5* | sco5v6*)
+      # Note: We can NOT use -z defs as we might desire, because we do not
+      # link with -lc, and that would cause any symbols used from libc to
+      # always be unresolved, which means just about no library would
+      # ever link correctly.  If we're not using GNU ld we use -z text
+      # though, which does catch some bad symbols but isn't as heavy-handed
+      # as -z defs.
+      _LT_TAGVAR(no_undefined_flag, $1)='${wl}-z,text'
+      _LT_TAGVAR(allow_undefined_flag, $1)='${wl}-z,nodefs'
+      _LT_TAGVAR(archive_cmds_need_lc, $1)=no
+      _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
+      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-R,$libdir'
+      _LT_TAGVAR(hardcode_libdir_separator, $1)=':'
+      _LT_TAGVAR(link_all_deplibs, $1)=yes
+      _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-Bexport'
+      runpath_var='LD_RUN_PATH'
+
+      if test "$GCC" = yes; then
+	_LT_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+	_LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+      else
+	_LT_TAGVAR(archive_cmds, $1)='$CC -G ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+	_LT_TAGVAR(archive_expsym_cmds, $1)='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+      fi
+      ;;
+
+    uts4*)
+      _LT_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
+      _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
+      ;;
+
+    *)
+      _LT_TAGVAR(ld_shlibs, $1)=no
+      ;;
+    esac
+
+    if test x$host_vendor = xsni; then
+      case $host in
+      sysv4 | sysv4.2uw2* | sysv4.3* | sysv5*)
+	_LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-Blargedynsym'
+	;;
+      esac
+    fi
+  fi
+])
+AC_MSG_RESULT([$_LT_TAGVAR(ld_shlibs, $1)])
+test "$_LT_TAGVAR(ld_shlibs, $1)" = no && can_build_shared=no
+
+_LT_TAGVAR(with_gnu_ld, $1)=$with_gnu_ld
+
+_LT_DECL([], [libext], [0], [Old archive suffix (normally "a")])dnl
+_LT_DECL([], [shrext_cmds], [1], [Shared library suffix (normally ".so")])dnl
+_LT_DECL([], [extract_expsyms_cmds], [2],
+    [The commands to extract the exported symbol list from a shared archive])
+
+#
+# Do we need to explicitly link libc?
+#
+case "x$_LT_TAGVAR(archive_cmds_need_lc, $1)" in
+x|xyes)
+  # Assume -lc should be added
+  _LT_TAGVAR(archive_cmds_need_lc, $1)=yes
+
+  if test "$enable_shared" = yes && test "$GCC" = yes; then
+    case $_LT_TAGVAR(archive_cmds, $1) in
+    *'~'*)
+      # FIXME: we may have to deal with multi-command sequences.
+      ;;
+    '$CC '*)
+      # Test whether the compiler implicitly links with -lc since on some
+      # systems, -lgcc has to come before -lc. If gcc already passes -lc
+      # to ld, don't add -lc before -lgcc.
+      AC_MSG_CHECKING([whether -lc should be explicitly linked in])
+      $RM conftest*
+      echo "$lt_simple_compile_test_code" > conftest.$ac_ext
+
+      if AC_TRY_EVAL(ac_compile) 2>conftest.err; then
+        soname=conftest
+        lib=conftest
+        libobjs=conftest.$ac_objext
+        deplibs=
+        wl=$_LT_TAGVAR(lt_prog_compiler_wl, $1)
+	pic_flag=$_LT_TAGVAR(lt_prog_compiler_pic, $1)
+        compiler_flags=-v
+        linker_flags=-v
+        verstring=
+        output_objdir=.
+        libname=conftest
+        lt_save_allow_undefined_flag=$_LT_TAGVAR(allow_undefined_flag, $1)
+        _LT_TAGVAR(allow_undefined_flag, $1)=
+        if AC_TRY_EVAL(_LT_TAGVAR(archive_cmds, $1) 2\>\&1 \| $GREP \" -lc \" \>/dev/null 2\>\&1)
+        then
+	  _LT_TAGVAR(archive_cmds_need_lc, $1)=no
+        else
+	  _LT_TAGVAR(archive_cmds_need_lc, $1)=yes
+        fi
+        _LT_TAGVAR(allow_undefined_flag, $1)=$lt_save_allow_undefined_flag
+      else
+        cat conftest.err 1>&5
+      fi
+      $RM conftest*
+      AC_MSG_RESULT([$_LT_TAGVAR(archive_cmds_need_lc, $1)])
+      ;;
+    esac
+  fi
+  ;;
+esac
+
+_LT_TAGDECL([build_libtool_need_lc], [archive_cmds_need_lc], [0],
+    [Whether or not to add -lc for building shared libraries])
+_LT_TAGDECL([allow_libtool_libs_with_static_runtimes],
+    [enable_shared_with_static_runtimes], [0],
+    [Whether or not to disallow shared libs when runtime libs are static])
+_LT_TAGDECL([], [export_dynamic_flag_spec], [1],
+    [Compiler flag to allow reflexive dlopens])
+_LT_TAGDECL([], [whole_archive_flag_spec], [1],
+    [Compiler flag to generate shared objects directly from archives])
+_LT_TAGDECL([], [compiler_needs_object], [1],
+    [Whether the compiler copes with passing no objects directly])
+_LT_TAGDECL([], [old_archive_from_new_cmds], [2],
+    [Create an old-style archive from a shared archive])
+_LT_TAGDECL([], [old_archive_from_expsyms_cmds], [2],
+    [Create a temporary old-style archive to link instead of a shared archive])
+_LT_TAGDECL([], [archive_cmds], [2], [Commands used to build a shared archive])
+_LT_TAGDECL([], [archive_expsym_cmds], [2])
+_LT_TAGDECL([], [module_cmds], [2],
+    [Commands used to build a loadable module if different from building
+    a shared archive.])
+_LT_TAGDECL([], [module_expsym_cmds], [2])
+_LT_TAGDECL([], [with_gnu_ld], [1],
+    [Whether we are building with GNU ld or not])
+_LT_TAGDECL([], [allow_undefined_flag], [1],
+    [Flag that allows shared libraries with undefined symbols to be built])
+_LT_TAGDECL([], [no_undefined_flag], [1],
+    [Flag that enforces no undefined symbols])
+_LT_TAGDECL([], [hardcode_libdir_flag_spec], [1],
+    [Flag to hardcode $libdir into a binary during linking.
+    This must work even if $libdir does not exist])
+_LT_TAGDECL([], [hardcode_libdir_flag_spec_ld], [1],
+    [[If ld is used when linking, flag to hardcode $libdir into a binary
+    during linking.  This must work even if $libdir does not exist]])
+_LT_TAGDECL([], [hardcode_libdir_separator], [1],
+    [Whether we need a single "-rpath" flag with a separated argument])
+_LT_TAGDECL([], [hardcode_direct], [0],
+    [Set to "yes" if using DIR/libNAME${shared_ext} during linking hardcodes
+    DIR into the resulting binary])
+_LT_TAGDECL([], [hardcode_direct_absolute], [0],
+    [Set to "yes" if using DIR/libNAME${shared_ext} during linking hardcodes
+    DIR into the resulting binary and the resulting library dependency is
+    "absolute", i.e impossible to change by setting ${shlibpath_var} if the
+    library is relocated])
+_LT_TAGDECL([], [hardcode_minus_L], [0],
+    [Set to "yes" if using the -LDIR flag during linking hardcodes DIR
+    into the resulting binary])
+_LT_TAGDECL([], [hardcode_shlibpath_var], [0],
+    [Set to "yes" if using SHLIBPATH_VAR=DIR during linking hardcodes DIR
+    into the resulting binary])
+_LT_TAGDECL([], [hardcode_automatic], [0],
+    [Set to "yes" if building a shared library automatically hardcodes DIR
+    into the library and all subsequent libraries and executables linked
+    against it])
+_LT_TAGDECL([], [inherit_rpath], [0],
+    [Set to yes if linker adds runtime paths of dependent libraries
+    to runtime path list])
+_LT_TAGDECL([], [link_all_deplibs], [0],
+    [Whether libtool must link a program against all its dependency libraries])
+_LT_TAGDECL([], [fix_srcfile_path], [1],
+    [Fix the shell variable $srcfile for the compiler])
+_LT_TAGDECL([], [always_export_symbols], [0],
+    [Set to "yes" if exported symbols are required])
+_LT_TAGDECL([], [export_symbols_cmds], [2],
+    [The commands to list exported symbols])
+_LT_TAGDECL([], [exclude_expsyms], [1],
+    [Symbols that should not be listed in the preloaded symbols])
+_LT_TAGDECL([], [include_expsyms], [1],
+    [Symbols that must always be exported])
+_LT_TAGDECL([], [prelink_cmds], [2],
+    [Commands necessary for linking programs (against libraries) with templates])
+_LT_TAGDECL([], [file_list_spec], [1],
+    [Specify filename containing input files])
+dnl FIXME: Not yet implemented
+dnl _LT_TAGDECL([], [thread_safe_flag_spec], [1],
+dnl    [Compiler flag to generate thread safe objects])
+])# _LT_LINKER_SHLIBS
+
+
+# _LT_LANG_C_CONFIG([TAG])
+# ------------------------
+# Ensure that the configuration variables for a C compiler are suitably
+# defined.  These variables are subsequently used by _LT_CONFIG to write
+# the compiler configuration to `libtool'.
+m4_defun([_LT_LANG_C_CONFIG],
+[m4_require([_LT_DECL_EGREP])dnl
+lt_save_CC="$CC"
+AC_LANG_PUSH(C)
+
+# Source file extension for C test sources.
+ac_ext=c
+
+# Object file extension for compiled C test sources.
+objext=o
+_LT_TAGVAR(objext, $1)=$objext
+
+# Code to be used in simple compile tests
+lt_simple_compile_test_code="int some_variable = 0;"
+
+# Code to be used in simple link tests
+lt_simple_link_test_code='int main(){return(0);}'
+
+_LT_TAG_COMPILER
+# Save the default compiler, since it gets overwritten when the other
+# tags are being tested, and _LT_TAGVAR(compiler, []) is a NOP.
+compiler_DEFAULT=$CC
+
+# save warnings/boilerplate of simple test code
+_LT_COMPILER_BOILERPLATE
+_LT_LINKER_BOILERPLATE
+
+## CAVEAT EMPTOR:
+## There is no encapsulation within the following macros, do not change
+## the running order or otherwise move them around unless you know exactly
+## what you are doing...
+if test -n "$compiler"; then
+  _LT_COMPILER_NO_RTTI($1)
+  _LT_COMPILER_PIC($1)
+  _LT_COMPILER_C_O($1)
+  _LT_COMPILER_FILE_LOCKS($1)
+  _LT_LINKER_SHLIBS($1)
+  _LT_SYS_DYNAMIC_LINKER($1)
+  _LT_LINKER_HARDCODE_LIBPATH($1)
+  LT_SYS_DLOPEN_SELF
+  _LT_CMD_STRIPLIB
+
+  # Report which library types will actually be built
+  AC_MSG_CHECKING([if libtool supports shared libraries])
+  AC_MSG_RESULT([$can_build_shared])
+
+  AC_MSG_CHECKING([whether to build shared libraries])
+  test "$can_build_shared" = "no" && enable_shared=no
+
+  # On AIX, shared libraries and static libraries use the same namespace, and
+  # are all built from PIC.
+  case $host_os in
+  aix3*)
+    test "$enable_shared" = yes && enable_static=no
+    if test -n "$RANLIB"; then
+      archive_cmds="$archive_cmds~\$RANLIB \$lib"
+      postinstall_cmds='$RANLIB $lib'
+    fi
+    ;;
+
+  aix[[4-9]]*)
+    if test "$host_cpu" != ia64 && test "$aix_use_runtimelinking" = no ; then
+      test "$enable_shared" = yes && enable_static=no
+    fi
+    ;;
+  esac
+  AC_MSG_RESULT([$enable_shared])
+
+  AC_MSG_CHECKING([whether to build static libraries])
+  # Make sure either enable_shared or enable_static is yes.
+  test "$enable_shared" = yes || enable_static=yes
+  AC_MSG_RESULT([$enable_static])
+
+  _LT_CONFIG($1)
+fi
+AC_LANG_POP
+CC="$lt_save_CC"
+])# _LT_LANG_C_CONFIG
+
+
+# _LT_PROG_CXX
+# ------------
+# Since AC_PROG_CXX is broken, in that it returns g++ if there is no c++
+# compiler, we have our own version here.
+m4_defun([_LT_PROG_CXX],
+[
+pushdef([AC_MSG_ERROR], [_lt_caught_CXX_error=yes])
+AC_PROG_CXX
+if test -n "$CXX" && ( test "X$CXX" != "Xno" &&
+    ( (test "X$CXX" = "Xg++" && `g++ -v >/dev/null 2>&1` ) ||
+    (test "X$CXX" != "Xg++"))) ; then
+  AC_PROG_CXXCPP
+else
+  _lt_caught_CXX_error=yes
+fi
+popdef([AC_MSG_ERROR])
+])# _LT_PROG_CXX
+
+dnl aclocal-1.4 backwards compatibility:
+dnl AC_DEFUN([_LT_PROG_CXX], [])
+
+
+# _LT_LANG_CXX_CONFIG([TAG])
+# --------------------------
+# Ensure that the configuration variables for a C++ compiler are suitably
+# defined.  These variables are subsequently used by _LT_CONFIG to write
+# the compiler configuration to `libtool'.
+m4_defun([_LT_LANG_CXX_CONFIG],
+[AC_REQUIRE([_LT_PROG_CXX])dnl
+m4_require([_LT_FILEUTILS_DEFAULTS])dnl
+m4_require([_LT_DECL_EGREP])dnl
+
+AC_LANG_PUSH(C++)
+_LT_TAGVAR(archive_cmds_need_lc, $1)=no
+_LT_TAGVAR(allow_undefined_flag, $1)=
+_LT_TAGVAR(always_export_symbols, $1)=no
+_LT_TAGVAR(archive_expsym_cmds, $1)=
+_LT_TAGVAR(compiler_needs_object, $1)=no
+_LT_TAGVAR(export_dynamic_flag_spec, $1)=
+_LT_TAGVAR(hardcode_direct, $1)=no
+_LT_TAGVAR(hardcode_direct_absolute, $1)=no
+_LT_TAGVAR(hardcode_libdir_flag_spec, $1)=
+_LT_TAGVAR(hardcode_libdir_flag_spec_ld, $1)=
+_LT_TAGVAR(hardcode_libdir_separator, $1)=
+_LT_TAGVAR(hardcode_minus_L, $1)=no
+_LT_TAGVAR(hardcode_shlibpath_var, $1)=unsupported
+_LT_TAGVAR(hardcode_automatic, $1)=no
+_LT_TAGVAR(inherit_rpath, $1)=no
+_LT_TAGVAR(module_cmds, $1)=
+_LT_TAGVAR(module_expsym_cmds, $1)=
+_LT_TAGVAR(link_all_deplibs, $1)=unknown
+_LT_TAGVAR(old_archive_cmds, $1)=$old_archive_cmds
+_LT_TAGVAR(no_undefined_flag, $1)=
+_LT_TAGVAR(whole_archive_flag_spec, $1)=
+_LT_TAGVAR(enable_shared_with_static_runtimes, $1)=no
+
+# Source file extension for C++ test sources.
+ac_ext=cpp
+
+# Object file extension for compiled C++ test sources.
+objext=o
+_LT_TAGVAR(objext, $1)=$objext
+
+# No sense in running all these tests if we already determined that
+# the CXX compiler isn't working.  Some variables (like enable_shared)
+# are currently assumed to apply to all compilers on this platform,
+# and will be corrupted by setting them based on a non-working compiler.
+if test "$_lt_caught_CXX_error" != yes; then
+  # Code to be used in simple compile tests
+  lt_simple_compile_test_code="int some_variable = 0;"
+
+  # Code to be used in simple link tests
+  lt_simple_link_test_code='int main(int, char *[[]]) { return(0); }'
+
+  # ltmain only uses $CC for tagged configurations so make sure $CC is set.
+  _LT_TAG_COMPILER
+
+  # save warnings/boilerplate of simple test code
+  _LT_COMPILER_BOILERPLATE
+  _LT_LINKER_BOILERPLATE
+
+  # Allow CC to be a program name with arguments.
+  lt_save_CC=$CC
+  lt_save_LD=$LD
+  lt_save_GCC=$GCC
+  GCC=$GXX
+  lt_save_with_gnu_ld=$with_gnu_ld
+  lt_save_path_LD=$lt_cv_path_LD
+  if test -n "${lt_cv_prog_gnu_ldcxx+set}"; then
+    lt_cv_prog_gnu_ld=$lt_cv_prog_gnu_ldcxx
+  else
+    $as_unset lt_cv_prog_gnu_ld
+  fi
+  if test -n "${lt_cv_path_LDCXX+set}"; then
+    lt_cv_path_LD=$lt_cv_path_LDCXX
+  else
+    $as_unset lt_cv_path_LD
+  fi
+  test -z "${LDCXX+set}" || LD=$LDCXX
+  CC=${CXX-"c++"}
+  compiler=$CC
+  _LT_TAGVAR(compiler, $1)=$CC
+  _LT_CC_BASENAME([$compiler])
+
+  if test -n "$compiler"; then
+    # We don't want -fno-exception when compiling C++ code, so set the
+    # no_builtin_flag separately
+    if test "$GXX" = yes; then
+      _LT_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)=' -fno-builtin'
+    else
+      _LT_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)=
+    fi
+
+    if test "$GXX" = yes; then
+      # Set up default GNU C++ configuration
+
+      LT_PATH_LD
+
+      # Check if GNU C++ uses GNU ld as the underlying linker, since the
+      # archiving commands below assume that GNU ld is being used.
+      if test "$with_gnu_ld" = yes; then
+        _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib'
+        _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+
+        _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
+        _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic'
+
+        # If archive_cmds runs LD, not CC, wlarc should be empty
+        # XXX I think wlarc can be eliminated in ltcf-cxx, but I need to
+        #     investigate it a little bit more. (MM)
+        wlarc='${wl}'
+
+        # ancient GNU ld didn't support --whole-archive et. al.
+        if eval "`$CC -print-prog-name=ld` --help 2>&1" |
+	  $GREP 'no-whole-archive' > /dev/null; then
+          _LT_TAGVAR(whole_archive_flag_spec, $1)="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive'
+        else
+          _LT_TAGVAR(whole_archive_flag_spec, $1)=
+        fi
+      else
+        with_gnu_ld=no
+        wlarc=
+
+        # A generic and very simple default shared library creation
+        # command for GNU C++ for the case where it uses the native
+        # linker, instead of GNU ld.  If possible, this setting should
+        # overridden to take advantage of the native linker features on
+        # the platform it is being used on.
+        _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $lib'
+      fi
+
+      # Commands to make compiler produce verbose output that lists
+      # what "hidden" libraries, object files and flags are used when
+      # linking a shared library.
+      output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP "\-L"'
+
+    else
+      GXX=no
+      with_gnu_ld=no
+      wlarc=
+    fi
+
+    # PORTME: fill in a description of your system's C++ link characteristics
+    AC_MSG_CHECKING([whether the $compiler linker ($LD) supports shared libraries])
+    _LT_TAGVAR(ld_shlibs, $1)=yes
+    case $host_os in
+      aix3*)
+        # FIXME: insert proper C++ library support
+        _LT_TAGVAR(ld_shlibs, $1)=no
+        ;;
+      aix[[4-9]]*)
+        if test "$host_cpu" = ia64; then
+          # On IA64, the linker does run time linking by default, so we don't
+          # have to do anything special.
+          aix_use_runtimelinking=no
+          exp_sym_flag='-Bexport'
+          no_entry_flag=""
+        else
+          aix_use_runtimelinking=no
+
+          # Test if we are trying to use run time linking or normal
+          # AIX style linking. If -brtl is somewhere in LDFLAGS, we
+          # need to do runtime linking.
+          case $host_os in aix4.[[23]]|aix4.[[23]].*|aix[[5-9]]*)
+	    for ld_flag in $LDFLAGS; do
+	      case $ld_flag in
+	      *-brtl*)
+	        aix_use_runtimelinking=yes
+	        break
+	        ;;
+	      esac
+	    done
+	    ;;
+          esac
+
+          exp_sym_flag='-bexport'
+          no_entry_flag='-bnoentry'
+        fi
+
+        # When large executables or shared objects are built, AIX ld can
+        # have problems creating the table of contents.  If linking a library
+        # or program results in "error TOC overflow" add -mminimal-toc to
+        # CXXFLAGS/CFLAGS for g++/gcc.  In the cases where that is not
+        # enough to fix the problem, add -Wl,-bbigtoc to LDFLAGS.
+
+        _LT_TAGVAR(archive_cmds, $1)=''
+        _LT_TAGVAR(hardcode_direct, $1)=yes
+        _LT_TAGVAR(hardcode_direct_absolute, $1)=yes
+        _LT_TAGVAR(hardcode_libdir_separator, $1)=':'
+        _LT_TAGVAR(link_all_deplibs, $1)=yes
+        _LT_TAGVAR(file_list_spec, $1)='${wl}-f,'
+
+        if test "$GXX" = yes; then
+          case $host_os in aix4.[[012]]|aix4.[[012]].*)
+          # We only want to do this on AIX 4.2 and lower, the check
+          # below for broken collect2 doesn't work under 4.3+
+	  collect2name=`${CC} -print-prog-name=collect2`
+	  if test -f "$collect2name" &&
+	     strings "$collect2name" | $GREP resolve_lib_name >/dev/null
+	  then
+	    # We have reworked collect2
+	    :
+	  else
+	    # We have old collect2
+	    _LT_TAGVAR(hardcode_direct, $1)=unsupported
+	    # It fails to find uninstalled libraries when the uninstalled
+	    # path is not listed in the libpath.  Setting hardcode_minus_L
+	    # to unsupported forces relinking
+	    _LT_TAGVAR(hardcode_minus_L, $1)=yes
+	    _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
+	    _LT_TAGVAR(hardcode_libdir_separator, $1)=
+	  fi
+          esac
+          shared_flag='-shared'
+	  if test "$aix_use_runtimelinking" = yes; then
+	    shared_flag="$shared_flag "'${wl}-G'
+	  fi
+        else
+          # not using gcc
+          if test "$host_cpu" = ia64; then
+	  # VisualAge C++, Version 5.5 for AIX 5L for IA-64, Beta 3 Release
+	  # chokes on -Wl,-G. The following line is correct:
+	  shared_flag='-G'
+          else
+	    if test "$aix_use_runtimelinking" = yes; then
+	      shared_flag='${wl}-G'
+	    else
+	      shared_flag='${wl}-bM:SRE'
+	    fi
+          fi
+        fi
+
+        _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-bexpall'
+        # It seems that -bexpall does not export symbols beginning with
+        # underscore (_), so it is better to generate a list of symbols to
+	# export.
+        _LT_TAGVAR(always_export_symbols, $1)=yes
+        if test "$aix_use_runtimelinking" = yes; then
+          # Warning - without using the other runtime loading flags (-brtl),
+          # -berok will link without error, but may produce a broken library.
+          _LT_TAGVAR(allow_undefined_flag, $1)='-berok'
+          # Determine the default libpath from the value encoded in an empty
+          # executable.
+          _LT_SYS_MODULE_PATH_AIX
+          _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-blibpath:$libdir:'"$aix_libpath"
+
+          _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then $ECHO "X${wl}${allow_undefined_flag}" | $Xsed; else :; fi` '"\${wl}$exp_sym_flag:\$export_symbols $shared_flag"
+        else
+          if test "$host_cpu" = ia64; then
+	    _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-R $libdir:/usr/lib:/lib'
+	    _LT_TAGVAR(allow_undefined_flag, $1)="-z nodefs"
+	    _LT_TAGVAR(archive_expsym_cmds, $1)="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags ${wl}${allow_undefined_flag} '"\${wl}$exp_sym_flag:\$export_symbols"
+          else
+	    # Determine the default libpath from the value encoded in an
+	    # empty executable.
+	    _LT_SYS_MODULE_PATH_AIX
+	    _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-blibpath:$libdir:'"$aix_libpath"
+	    # Warning - without using the other run time loading flags,
+	    # -berok will link without error, but may produce a broken library.
+	    _LT_TAGVAR(no_undefined_flag, $1)=' ${wl}-bernotok'
+	    _LT_TAGVAR(allow_undefined_flag, $1)=' ${wl}-berok'
+	    # Exported symbols can be pulled into shared objects from archives
+	    _LT_TAGVAR(whole_archive_flag_spec, $1)='$convenience'
+	    _LT_TAGVAR(archive_cmds_need_lc, $1)=yes
+	    # This is similar to how AIX traditionally builds its shared
+	    # libraries.
+	    _LT_TAGVAR(archive_expsym_cmds, $1)="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs ${wl}-bnoentry $compiler_flags ${wl}-bE:$export_symbols${allow_undefined_flag}~$AR $AR_FLAGS $output_objdir/$libname$release.a $output_objdir/$soname'
+          fi
+        fi
+        ;;
+
+      beos*)
+	if $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then
+	  _LT_TAGVAR(allow_undefined_flag, $1)=unsupported
+	  # Joseph Beckenbach <jrb3@best.com> says some releases of gcc
+	  # support --undefined.  This deserves some investigation.  FIXME
+	  _LT_TAGVAR(archive_cmds, $1)='$CC -nostart $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+	else
+	  _LT_TAGVAR(ld_shlibs, $1)=no
+	fi
+	;;
+
+      chorus*)
+        case $cc_basename in
+          *)
+	  # FIXME: insert proper C++ library support
+	  _LT_TAGVAR(ld_shlibs, $1)=no
+	  ;;
+        esac
+        ;;
+
+      cygwin* | mingw* | pw32* | cegcc*)
+        # _LT_TAGVAR(hardcode_libdir_flag_spec, $1) is actually meaningless,
+        # as there is no search path for DLLs.
+        _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
+        _LT_TAGVAR(allow_undefined_flag, $1)=unsupported
+        _LT_TAGVAR(always_export_symbols, $1)=no
+        _LT_TAGVAR(enable_shared_with_static_runtimes, $1)=yes
+
+        if $LD --help 2>&1 | $GREP 'auto-import' > /dev/null; then
+          _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
+          # If the export-symbols file already is a .def file (1st line
+          # is EXPORTS), use it as is; otherwise, prepend...
+          _LT_TAGVAR(archive_expsym_cmds, $1)='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then
+	    cp $export_symbols $output_objdir/$soname.def;
+          else
+	    echo EXPORTS > $output_objdir/$soname.def;
+	    cat $export_symbols >> $output_objdir/$soname.def;
+          fi~
+          $CC -shared -nostdlib $output_objdir/$soname.def $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
+        else
+          _LT_TAGVAR(ld_shlibs, $1)=no
+        fi
+        ;;
+      darwin* | rhapsody*)
+        _LT_DARWIN_LINKER_FEATURES($1)
+	;;
+
+      dgux*)
+        case $cc_basename in
+          ec++*)
+	    # FIXME: insert proper C++ library support
+	    _LT_TAGVAR(ld_shlibs, $1)=no
+	    ;;
+          ghcx*)
+	    # Green Hills C++ Compiler
+	    # FIXME: insert proper C++ library support
+	    _LT_TAGVAR(ld_shlibs, $1)=no
+	    ;;
+          *)
+	    # FIXME: insert proper C++ library support
+	    _LT_TAGVAR(ld_shlibs, $1)=no
+	    ;;
+        esac
+        ;;
+
+      freebsd[[12]]*)
+        # C++ shared libraries reported to be fairly broken before
+	# switch to ELF
+        _LT_TAGVAR(ld_shlibs, $1)=no
+        ;;
+
+      freebsd-elf*)
+        _LT_TAGVAR(archive_cmds_need_lc, $1)=no
+        ;;
+
+      freebsd* | dragonfly*)
+        # FreeBSD 3 and later use GNU C++ and GNU ld with standard ELF
+        # conventions
+        _LT_TAGVAR(ld_shlibs, $1)=yes
+        ;;
+
+      gnu*)
+        ;;
+
+      hpux9*)
+        _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir'
+        _LT_TAGVAR(hardcode_libdir_separator, $1)=:
+        _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
+        _LT_TAGVAR(hardcode_direct, $1)=yes
+        _LT_TAGVAR(hardcode_minus_L, $1)=yes # Not in the search PATH,
+				             # but as the default
+				             # location of the library.
+
+        case $cc_basename in
+          CC*)
+            # FIXME: insert proper C++ library support
+            _LT_TAGVAR(ld_shlibs, $1)=no
+            ;;
+          aCC*)
+            _LT_TAGVAR(archive_cmds, $1)='$RM $output_objdir/$soname~$CC -b ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
+            # Commands to make compiler produce verbose output that lists
+            # what "hidden" libraries, object files and flags are used when
+            # linking a shared library.
+            #
+            # There doesn't appear to be a way to prevent this compiler from
+            # explicitly linking system object files so we need to strip them
+            # from the output so that they don't get included in the library
+            # dependencies.
+            output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | $EGREP "\-L"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; $ECHO "X$list" | $Xsed'
+            ;;
+          *)
+            if test "$GXX" = yes; then
+              _LT_TAGVAR(archive_cmds, $1)='$RM $output_objdir/$soname~$CC -shared -nostdlib -fPIC ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
+            else
+              # FIXME: insert proper C++ library support
+              _LT_TAGVAR(ld_shlibs, $1)=no
+            fi
+            ;;
+        esac
+        ;;
+
+      hpux10*|hpux11*)
+        if test $with_gnu_ld = no; then
+	  _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir'
+	  _LT_TAGVAR(hardcode_libdir_separator, $1)=:
+
+          case $host_cpu in
+            hppa*64*|ia64*)
+              ;;
+            *)
+	      _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
+              ;;
+          esac
+        fi
+        case $host_cpu in
+          hppa*64*|ia64*)
+            _LT_TAGVAR(hardcode_direct, $1)=no
+            _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
+            ;;
+          *)
+            _LT_TAGVAR(hardcode_direct, $1)=yes
+            _LT_TAGVAR(hardcode_direct_absolute, $1)=yes
+            _LT_TAGVAR(hardcode_minus_L, $1)=yes # Not in the search PATH,
+					         # but as the default
+					         # location of the library.
+            ;;
+        esac
+
+        case $cc_basename in
+          CC*)
+	    # FIXME: insert proper C++ library support
+	    _LT_TAGVAR(ld_shlibs, $1)=no
+	    ;;
+          aCC*)
+	    case $host_cpu in
+	      hppa*64*)
+	        _LT_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
+	        ;;
+	      ia64*)
+	        _LT_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
+	        ;;
+	      *)
+	        _LT_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
+	        ;;
+	    esac
+	    # Commands to make compiler produce verbose output that lists
+	    # what "hidden" libraries, object files and flags are used when
+	    # linking a shared library.
+	    #
+	    # There doesn't appear to be a way to prevent this compiler from
+	    # explicitly linking system object files so we need to strip them
+	    # from the output so that they don't get included in the library
+	    # dependencies.
+	    output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | $GREP "\-L"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; $ECHO "X$list" | $Xsed'
+	    ;;
+          *)
+	    if test "$GXX" = yes; then
+	      if test $with_gnu_ld = no; then
+	        case $host_cpu in
+	          hppa*64*)
+	            _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib -fPIC ${wl}+h ${wl}$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
+	            ;;
+	          ia64*)
+	            _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib -fPIC ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
+	            ;;
+	          *)
+	            _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
+	            ;;
+	        esac
+	      fi
+	    else
+	      # FIXME: insert proper C++ library support
+	      _LT_TAGVAR(ld_shlibs, $1)=no
+	    fi
+	    ;;
+        esac
+        ;;
+
+      interix[[3-9]]*)
+	_LT_TAGVAR(hardcode_direct, $1)=no
+	_LT_TAGVAR(hardcode_shlibpath_var, $1)=no
+	_LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
+	_LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
+	# Hack: On Interix 3.x, we cannot compile PIC because of a broken gcc.
+	# Instead, shared libraries are loaded at an image base (0x10000000 by
+	# default) and relocated if they conflict, which is a slow very memory
+	# consuming and fragmenting process.  To avoid this, we pick a random,
+	# 256 KiB-aligned image base between 0x50000000 and 0x6FFC0000 at link
+	# time.  Moving up from 0x10000000 also allows more sbrk(2) space.
+	_LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
+	_LT_TAGVAR(archive_expsym_cmds, $1)='sed "s,^,_," $export_symbols >$output_objdir/$soname.expsym~$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--retain-symbols-file,$output_objdir/$soname.expsym ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
+	;;
+      irix5* | irix6*)
+        case $cc_basename in
+          CC*)
+	    # SGI C++
+	    _LT_TAGVAR(archive_cmds, $1)='$CC -shared -all -multigot $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -soname $soname `test -n "$verstring" && $ECHO "X-set_version $verstring" | $Xsed` -update_registry ${output_objdir}/so_locations -o $lib'
+
+	    # Archives containing C++ object files must be created using
+	    # "CC -ar", where "CC" is the IRIX C++ compiler.  This is
+	    # necessary to make sure instantiated templates are included
+	    # in the archive.
+	    _LT_TAGVAR(old_archive_cmds, $1)='$CC -ar -WR,-u -o $oldlib $oldobjs'
+	    ;;
+          *)
+	    if test "$GXX" = yes; then
+	      if test "$with_gnu_ld" = no; then
+	        _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && $ECHO "X${wl}-set_version ${wl}$verstring" | $Xsed` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+	      else
+	        _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && $ECHO "X${wl}-set_version ${wl}$verstring" | $Xsed` -o $lib'
+	      fi
+	    fi
+	    _LT_TAGVAR(link_all_deplibs, $1)=yes
+	    ;;
+        esac
+        _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
+        _LT_TAGVAR(hardcode_libdir_separator, $1)=:
+        _LT_TAGVAR(inherit_rpath, $1)=yes
+        ;;
+
+      linux* | k*bsd*-gnu)
+        case $cc_basename in
+          KCC*)
+	    # Kuck and Associates, Inc. (KAI) C++ Compiler
+
+	    # KCC will only create a shared library if the output file
+	    # ends with ".so" (or ".sl" for HP-UX), so rename the library
+	    # to its proper name (with version) after linking.
+	    _LT_TAGVAR(archive_cmds, $1)='tempext=`echo $shared_ext | $SED -e '\''s/\([[^()0-9A-Za-z{}]]\)/\\\\\1/g'\''`; templib=`echo $lib | $SED -e "s/\${tempext}\..*/.so/"`; $CC $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags --soname $soname -o \$templib; mv \$templib $lib'
+	    _LT_TAGVAR(archive_expsym_cmds, $1)='tempext=`echo $shared_ext | $SED -e '\''s/\([[^()0-9A-Za-z{}]]\)/\\\\\1/g'\''`; templib=`echo $lib | $SED -e "s/\${tempext}\..*/.so/"`; $CC $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags --soname $soname -o \$templib ${wl}-retain-symbols-file,$export_symbols; mv \$templib $lib'
+	    # Commands to make compiler produce verbose output that lists
+	    # what "hidden" libraries, object files and flags are used when
+	    # linking a shared library.
+	    #
+	    # There doesn't appear to be a way to prevent this compiler from
+	    # explicitly linking system object files so we need to strip them
+	    # from the output so that they don't get included in the library
+	    # dependencies.
+	    output_verbose_link_cmd='templist=`$CC $CFLAGS -v conftest.$objext -o libconftest$shared_ext 2>&1 | $GREP "ld"`; rm -f libconftest$shared_ext; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; $ECHO "X$list" | $Xsed'
+
+	    _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
+	    _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic'
+
+	    # Archives containing C++ object files must be created using
+	    # "CC -Bstatic", where "CC" is the KAI C++ compiler.
+	    _LT_TAGVAR(old_archive_cmds, $1)='$CC -Bstatic -o $oldlib $oldobjs'
+	    ;;
+	  icpc* | ecpc* )
+	    # Intel C++
+	    with_gnu_ld=yes
+	    # version 8.0 and above of icpc choke on multiply defined symbols
+	    # if we add $predep_objects and $postdep_objects, however 7.1 and
+	    # earlier do not add the objects themselves.
+	    case `$CC -V 2>&1` in
+	      *"Version 7."*)
+	        _LT_TAGVAR(archive_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib'
+		_LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+		;;
+	      *)  # Version 8.0 or newer
+	        tmp_idyn=
+	        case $host_cpu in
+		  ia64*) tmp_idyn=' -i_dynamic';;
+		esac
+	        _LT_TAGVAR(archive_cmds, $1)='$CC -shared'"$tmp_idyn"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+		_LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared'"$tmp_idyn"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+		;;
+	    esac
+	    _LT_TAGVAR(archive_cmds_need_lc, $1)=no
+	    _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
+	    _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic'
+	    _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive$convenience ${wl}--no-whole-archive'
+	    ;;
+          pgCC* | pgcpp*)
+            # Portland Group C++ compiler
+	    case `$CC -V` in
+	    *pgCC\ [[1-5]]* | *pgcpp\ [[1-5]]*)
+	      _LT_TAGVAR(prelink_cmds, $1)='tpldir=Template.dir~
+		rm -rf $tpldir~
+		$CC --prelink_objects --instantiation_dir $tpldir $objs $libobjs $compile_deplibs~
+		compile_command="$compile_command `find $tpldir -name \*.o | $NL2SP`"'
+	      _LT_TAGVAR(old_archive_cmds, $1)='tpldir=Template.dir~
+		rm -rf $tpldir~
+		$CC --prelink_objects --instantiation_dir $tpldir $oldobjs$old_deplibs~
+		$AR $AR_FLAGS $oldlib$oldobjs$old_deplibs `find $tpldir -name \*.o | $NL2SP`~
+		$RANLIB $oldlib'
+	      _LT_TAGVAR(archive_cmds, $1)='tpldir=Template.dir~
+		rm -rf $tpldir~
+		$CC --prelink_objects --instantiation_dir $tpldir $predep_objects $libobjs $deplibs $convenience $postdep_objects~
+		$CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
+	      _LT_TAGVAR(archive_expsym_cmds, $1)='tpldir=Template.dir~
+		rm -rf $tpldir~
+		$CC --prelink_objects --instantiation_dir $tpldir $predep_objects $libobjs $deplibs $convenience $postdep_objects~
+		$CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname ${wl}-retain-symbols-file ${wl}$export_symbols -o $lib'
+	      ;;
+	    *) # Version 6 will use weak symbols
+	      _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
+	      _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname ${wl}-retain-symbols-file ${wl}$export_symbols -o $lib'
+	      ;;
+	    esac
+
+	    _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}--rpath ${wl}$libdir'
+	    _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic'
+	    _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $ECHO \"$new_convenience\"` ${wl}--no-whole-archive'
+            ;;
+	  cxx*)
+	    # Compaq C++
+	    _LT_TAGVAR(archive_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib'
+	    _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname  -o $lib ${wl}-retain-symbols-file $wl$export_symbols'
+
+	    runpath_var=LD_RUN_PATH
+	    _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-rpath $libdir'
+	    _LT_TAGVAR(hardcode_libdir_separator, $1)=:
+
+	    # Commands to make compiler produce verbose output that lists
+	    # what "hidden" libraries, object files and flags are used when
+	    # linking a shared library.
+	    #
+	    # There doesn't appear to be a way to prevent this compiler from
+	    # explicitly linking system object files so we need to strip them
+	    # from the output so that they don't get included in the library
+	    # dependencies.
+	    output_verbose_link_cmd='templist=`$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP "ld"`; templist=`$ECHO "X$templist" | $Xsed -e "s/\(^.*ld.*\)\( .*ld .*$\)/\1/"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; $ECHO "X$list" | $Xsed'
+	    ;;
+	  xl*)
+	    # IBM XL 8.0 on PPC, with GNU ld
+	    _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
+	    _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic'
+	    _LT_TAGVAR(archive_cmds, $1)='$CC -qmkshrobj $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+	    if test "x$supports_anon_versioning" = xyes; then
+	      _LT_TAGVAR(archive_expsym_cmds, $1)='echo "{ global:" > $output_objdir/$libname.ver~
+		cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~
+		echo "local: *; };" >> $output_objdir/$libname.ver~
+		$CC -qmkshrobj $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-version-script ${wl}$output_objdir/$libname.ver -o $lib'
+	    fi
+	    ;;
+	  *)
+	    case `$CC -V 2>&1 | sed 5q` in
+	    *Sun\ C*)
+	      # Sun C++ 5.9
+	      _LT_TAGVAR(no_undefined_flag, $1)=' -zdefs'
+	      _LT_TAGVAR(archive_cmds, $1)='$CC -G${allow_undefined_flag} -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
+	      _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -G${allow_undefined_flag} -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-retain-symbols-file ${wl}$export_symbols'
+	      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
+	      _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`new_convenience=; for conv in $convenience\"\"; do test -z \"$conv\" || new_convenience=\"$new_convenience,$conv\"; done; $ECHO \"$new_convenience\"` ${wl}--no-whole-archive'
+	      _LT_TAGVAR(compiler_needs_object, $1)=yes
+
+	      # Not sure whether something based on
+	      # $CC $CFLAGS -v conftest.$objext -o libconftest$shared_ext 2>&1
+	      # would be better.
+	      output_verbose_link_cmd='echo'
+
+	      # Archives containing C++ object files must be created using
+	      # "CC -xar", where "CC" is the Sun C++ compiler.  This is
+	      # necessary to make sure instantiated templates are included
+	      # in the archive.
+	      _LT_TAGVAR(old_archive_cmds, $1)='$CC -xar -o $oldlib $oldobjs'
+	      ;;
+	    esac
+	    ;;
+	esac
+	;;
+
+      lynxos*)
+        # FIXME: insert proper C++ library support
+	_LT_TAGVAR(ld_shlibs, $1)=no
+	;;
+
+      m88k*)
+        # FIXME: insert proper C++ library support
+        _LT_TAGVAR(ld_shlibs, $1)=no
+	;;
+
+      mvs*)
+        case $cc_basename in
+          cxx*)
+	    # FIXME: insert proper C++ library support
+	    _LT_TAGVAR(ld_shlibs, $1)=no
+	    ;;
+	  *)
+	    # FIXME: insert proper C++ library support
+	    _LT_TAGVAR(ld_shlibs, $1)=no
+	    ;;
+	esac
+	;;
+
+      netbsd*)
+        if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then
+	  _LT_TAGVAR(archive_cmds, $1)='$LD -Bshareable  -o $lib $predep_objects $libobjs $deplibs $postdep_objects $linker_flags'
+	  wlarc=
+	  _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
+	  _LT_TAGVAR(hardcode_direct, $1)=yes
+	  _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
+	fi
+	# Workaround some broken pre-1.5 toolchains
+	output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP conftest.$objext | $SED -e "s:-lgcc -lc -lgcc::"'
+	;;
+
+      *nto* | *qnx*)
+        _LT_TAGVAR(ld_shlibs, $1)=yes
+	;;
+
+      openbsd2*)
+        # C++ shared libraries are fairly broken
+	_LT_TAGVAR(ld_shlibs, $1)=no
+	;;
+
+      openbsd*)
+	if test -f /usr/libexec/ld.so; then
+	  _LT_TAGVAR(hardcode_direct, $1)=yes
+	  _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
+	  _LT_TAGVAR(hardcode_direct_absolute, $1)=yes
+	  _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $lib'
+	  _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
+	  if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
+	    _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-retain-symbols-file,$export_symbols -o $lib'
+	    _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
+	    _LT_TAGVAR(whole_archive_flag_spec, $1)="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive'
+	  fi
+	  output_verbose_link_cmd=echo
+	else
+	  _LT_TAGVAR(ld_shlibs, $1)=no
+	fi
+	;;
+
+      osf3* | osf4* | osf5*)
+        case $cc_basename in
+          KCC*)
+	    # Kuck and Associates, Inc. (KAI) C++ Compiler
+
+	    # KCC will only create a shared library if the output file
+	    # ends with ".so" (or ".sl" for HP-UX), so rename the library
+	    # to its proper name (with version) after linking.
+	    _LT_TAGVAR(archive_cmds, $1)='tempext=`echo $shared_ext | $SED -e '\''s/\([[^()0-9A-Za-z{}]]\)/\\\\\1/g'\''`; templib=`echo "$lib" | $SED -e "s/\${tempext}\..*/.so/"`; $CC $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags --soname $soname -o \$templib; mv \$templib $lib'
+
+	    _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
+	    _LT_TAGVAR(hardcode_libdir_separator, $1)=:
+
+	    # Archives containing C++ object files must be created using
+	    # the KAI C++ compiler.
+	    case $host in
+	      osf3*) _LT_TAGVAR(old_archive_cmds, $1)='$CC -Bstatic -o $oldlib $oldobjs' ;;
+	      *) _LT_TAGVAR(old_archive_cmds, $1)='$CC -o $oldlib $oldobjs' ;;
+	    esac
+	    ;;
+          RCC*)
+	    # Rational C++ 2.4.1
+	    # FIXME: insert proper C++ library support
+	    _LT_TAGVAR(ld_shlibs, $1)=no
+	    ;;
+          cxx*)
+	    case $host in
+	      osf3*)
+	        _LT_TAGVAR(allow_undefined_flag, $1)=' ${wl}-expect_unresolved ${wl}\*'
+	        _LT_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $soname `test -n "$verstring" && $ECHO "X${wl}-set_version $verstring" | $Xsed` -update_registry ${output_objdir}/so_locations -o $lib'
+	        _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
+		;;
+	      *)
+	        _LT_TAGVAR(allow_undefined_flag, $1)=' -expect_unresolved \*'
+	        _LT_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -msym -soname $soname `test -n "$verstring" && $ECHO "X-set_version $verstring" | $Xsed` -update_registry ${output_objdir}/so_locations -o $lib'
+	        _LT_TAGVAR(archive_expsym_cmds, $1)='for i in `cat $export_symbols`; do printf "%s %s\\n" -exported_symbol "\$i" >> $lib.exp; done~
+	          echo "-hidden">> $lib.exp~
+	          $CC -shared$allow_undefined_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -msym -soname $soname ${wl}-input ${wl}$lib.exp  `test -n "$verstring" && $ECHO "X-set_version $verstring" | $Xsed` -update_registry ${output_objdir}/so_locations -o $lib~
+	          $RM $lib.exp'
+	        _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-rpath $libdir'
+		;;
+	    esac
+
+	    _LT_TAGVAR(hardcode_libdir_separator, $1)=:
+
+	    # Commands to make compiler produce verbose output that lists
+	    # what "hidden" libraries, object files and flags are used when
+	    # linking a shared library.
+	    #
+	    # There doesn't appear to be a way to prevent this compiler from
+	    # explicitly linking system object files so we need to strip them
+	    # from the output so that they don't get included in the library
+	    # dependencies.
+	    output_verbose_link_cmd='templist=`$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP "ld" | $GREP -v "ld:"`; templist=`$ECHO "X$templist" | $Xsed -e "s/\(^.*ld.*\)\( .*ld.*$\)/\1/"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; $ECHO "X$list" | $Xsed'
+	    ;;
+	  *)
+	    if test "$GXX" = yes && test "$with_gnu_ld" = no; then
+	      _LT_TAGVAR(allow_undefined_flag, $1)=' ${wl}-expect_unresolved ${wl}\*'
+	      case $host in
+	        osf3*)
+	          _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib ${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && $ECHO "X${wl}-set_version ${wl}$verstring" | $Xsed` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+		  ;;
+	        *)
+	          _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib ${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-msym ${wl}-soname ${wl}$soname `test -n "$verstring" && $ECHO "${wl}-set_version ${wl}$verstring" | $Xsed` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+		  ;;
+	      esac
+
+	      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
+	      _LT_TAGVAR(hardcode_libdir_separator, $1)=:
+
+	      # Commands to make compiler produce verbose output that lists
+	      # what "hidden" libraries, object files and flags are used when
+	      # linking a shared library.
+	      output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP "\-L"'
+
+	    else
+	      # FIXME: insert proper C++ library support
+	      _LT_TAGVAR(ld_shlibs, $1)=no
+	    fi
+	    ;;
+        esac
+        ;;
+
+      psos*)
+        # FIXME: insert proper C++ library support
+        _LT_TAGVAR(ld_shlibs, $1)=no
+        ;;
+
+      sunos4*)
+        case $cc_basename in
+          CC*)
+	    # Sun C++ 4.x
+	    # FIXME: insert proper C++ library support
+	    _LT_TAGVAR(ld_shlibs, $1)=no
+	    ;;
+          lcc*)
+	    # Lucid
+	    # FIXME: insert proper C++ library support
+	    _LT_TAGVAR(ld_shlibs, $1)=no
+	    ;;
+          *)
+	    # FIXME: insert proper C++ library support
+	    _LT_TAGVAR(ld_shlibs, $1)=no
+	    ;;
+        esac
+        ;;
+
+      solaris*)
+        case $cc_basename in
+          CC*)
+	    # Sun C++ 4.2, 5.x and Centerline C++
+            _LT_TAGVAR(archive_cmds_need_lc,$1)=yes
+	    _LT_TAGVAR(no_undefined_flag, $1)=' -zdefs'
+	    _LT_TAGVAR(archive_cmds, $1)='$CC -G${allow_undefined_flag}  -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
+	    _LT_TAGVAR(archive_expsym_cmds, $1)='echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~echo "local: *; };" >> $lib.exp~
+	      $CC -G${allow_undefined_flag} ${wl}-M ${wl}$lib.exp -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~$RM $lib.exp'
+
+	    _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
+	    _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
+	    case $host_os in
+	      solaris2.[[0-5]] | solaris2.[[0-5]].*) ;;
+	      *)
+		# The compiler driver will combine and reorder linker options,
+		# but understands `-z linker_flag'.
+	        # Supported since Solaris 2.6 (maybe 2.5.1?)
+		_LT_TAGVAR(whole_archive_flag_spec, $1)='-z allextract$convenience -z defaultextract'
+	        ;;
+	    esac
+	    _LT_TAGVAR(link_all_deplibs, $1)=yes
+
+	    output_verbose_link_cmd='echo'
+
+	    # Archives containing C++ object files must be created using
+	    # "CC -xar", where "CC" is the Sun C++ compiler.  This is
+	    # necessary to make sure instantiated templates are included
+	    # in the archive.
+	    _LT_TAGVAR(old_archive_cmds, $1)='$CC -xar -o $oldlib $oldobjs'
+	    ;;
+          gcx*)
+	    # Green Hills C++ Compiler
+	    _LT_TAGVAR(archive_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-h $wl$soname -o $lib'
+
+	    # The C++ compiler must be used to create the archive.
+	    _LT_TAGVAR(old_archive_cmds, $1)='$CC $LDFLAGS -archive -o $oldlib $oldobjs'
+	    ;;
+          *)
+	    # GNU C++ compiler with Solaris linker
+	    if test "$GXX" = yes && test "$with_gnu_ld" = no; then
+	      _LT_TAGVAR(no_undefined_flag, $1)=' ${wl}-z ${wl}defs'
+	      if $CC --version | $GREP -v '^2\.7' > /dev/null; then
+	        _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $LDFLAGS $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-h $wl$soname -o $lib'
+	        _LT_TAGVAR(archive_expsym_cmds, $1)='echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~echo "local: *; };" >> $lib.exp~
+		  $CC -shared -nostdlib ${wl}-M $wl$lib.exp -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~$RM $lib.exp'
+
+	        # Commands to make compiler produce verbose output that lists
+	        # what "hidden" libraries, object files and flags are used when
+	        # linking a shared library.
+	        output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP "\-L"'
+	      else
+	        # g++ 2.7 appears to require `-G' NOT `-shared' on this
+	        # platform.
+	        _LT_TAGVAR(archive_cmds, $1)='$CC -G -nostdlib $LDFLAGS $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-h $wl$soname -o $lib'
+	        _LT_TAGVAR(archive_expsym_cmds, $1)='echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~echo "local: *; };" >> $lib.exp~
+		  $CC -G -nostdlib ${wl}-M $wl$lib.exp -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~$RM $lib.exp'
+
+	        # Commands to make compiler produce verbose output that lists
+	        # what "hidden" libraries, object files and flags are used when
+	        # linking a shared library.
+	        output_verbose_link_cmd='$CC -G $CFLAGS -v conftest.$objext 2>&1 | $GREP "\-L"'
+	      fi
+
+	      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-R $wl$libdir'
+	      case $host_os in
+		solaris2.[[0-5]] | solaris2.[[0-5]].*) ;;
+		*)
+		  _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}-z ${wl}allextract$convenience ${wl}-z ${wl}defaultextract'
+		  ;;
+	      esac
+	    fi
+	    ;;
+        esac
+        ;;
+
+    sysv4*uw2* | sysv5OpenUNIX* | sysv5UnixWare7.[[01]].[[10]]* | unixware7* | sco3.2v5.0.[[024]]*)
+      _LT_TAGVAR(no_undefined_flag, $1)='${wl}-z,text'
+      _LT_TAGVAR(archive_cmds_need_lc, $1)=no
+      _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
+      runpath_var='LD_RUN_PATH'
+
+      case $cc_basename in
+        CC*)
+	  _LT_TAGVAR(archive_cmds, $1)='$CC -G ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+	  _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+	  ;;
+	*)
+	  _LT_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+	  _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+	  ;;
+      esac
+      ;;
+
+      sysv5* | sco3.2v5* | sco5v6*)
+	# Note: We can NOT use -z defs as we might desire, because we do not
+	# link with -lc, and that would cause any symbols used from libc to
+	# always be unresolved, which means just about no library would
+	# ever link correctly.  If we're not using GNU ld we use -z text
+	# though, which does catch some bad symbols but isn't as heavy-handed
+	# as -z defs.
+	_LT_TAGVAR(no_undefined_flag, $1)='${wl}-z,text'
+	_LT_TAGVAR(allow_undefined_flag, $1)='${wl}-z,nodefs'
+	_LT_TAGVAR(archive_cmds_need_lc, $1)=no
+	_LT_TAGVAR(hardcode_shlibpath_var, $1)=no
+	_LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-R,$libdir'
+	_LT_TAGVAR(hardcode_libdir_separator, $1)=':'
+	_LT_TAGVAR(link_all_deplibs, $1)=yes
+	_LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-Bexport'
+	runpath_var='LD_RUN_PATH'
+
+	case $cc_basename in
+          CC*)
+	    _LT_TAGVAR(archive_cmds, $1)='$CC -G ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+	    _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+	    ;;
+	  *)
+	    _LT_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+	    _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+	    ;;
+	esac
+      ;;
+
+      tandem*)
+        case $cc_basename in
+          NCC*)
+	    # NonStop-UX NCC 3.20
+	    # FIXME: insert proper C++ library support
+	    _LT_TAGVAR(ld_shlibs, $1)=no
+	    ;;
+          *)
+	    # FIXME: insert proper C++ library support
+	    _LT_TAGVAR(ld_shlibs, $1)=no
+	    ;;
+        esac
+        ;;
+
+      vxworks*)
+        # FIXME: insert proper C++ library support
+        _LT_TAGVAR(ld_shlibs, $1)=no
+        ;;
+
+      *)
+        # FIXME: insert proper C++ library support
+        _LT_TAGVAR(ld_shlibs, $1)=no
+        ;;
+    esac
+
+    AC_MSG_RESULT([$_LT_TAGVAR(ld_shlibs, $1)])
+    test "$_LT_TAGVAR(ld_shlibs, $1)" = no && can_build_shared=no
+
+    _LT_TAGVAR(GCC, $1)="$GXX"
+    _LT_TAGVAR(LD, $1)="$LD"
+
+    ## CAVEAT EMPTOR:
+    ## There is no encapsulation within the following macros, do not change
+    ## the running order or otherwise move them around unless you know exactly
+    ## what you are doing...
+    _LT_SYS_HIDDEN_LIBDEPS($1)
+    _LT_COMPILER_PIC($1)
+    _LT_COMPILER_C_O($1)
+    _LT_COMPILER_FILE_LOCKS($1)
+    _LT_LINKER_SHLIBS($1)
+    _LT_SYS_DYNAMIC_LINKER($1)
+    _LT_LINKER_HARDCODE_LIBPATH($1)
+
+    _LT_CONFIG($1)
+  fi # test -n "$compiler"
+
+  CC=$lt_save_CC
+  LDCXX=$LD
+  LD=$lt_save_LD
+  GCC=$lt_save_GCC
+  with_gnu_ld=$lt_save_with_gnu_ld
+  lt_cv_path_LDCXX=$lt_cv_path_LD
+  lt_cv_path_LD=$lt_save_path_LD
+  lt_cv_prog_gnu_ldcxx=$lt_cv_prog_gnu_ld
+  lt_cv_prog_gnu_ld=$lt_save_with_gnu_ld
+fi # test "$_lt_caught_CXX_error" != yes
+
+AC_LANG_POP
+])# _LT_LANG_CXX_CONFIG
+
+
+# _LT_SYS_HIDDEN_LIBDEPS([TAGNAME])
+# ---------------------------------
+# Figure out "hidden" library dependencies from verbose
+# compiler output when linking a shared library.
+# Parse the compiler output and extract the necessary
+# objects, libraries and library flags.
+m4_defun([_LT_SYS_HIDDEN_LIBDEPS],
+[m4_require([_LT_FILEUTILS_DEFAULTS])dnl
+# Dependencies to place before and after the object being linked:
+_LT_TAGVAR(predep_objects, $1)=
+_LT_TAGVAR(postdep_objects, $1)=
+_LT_TAGVAR(predeps, $1)=
+_LT_TAGVAR(postdeps, $1)=
+_LT_TAGVAR(compiler_lib_search_path, $1)=
+
+dnl we can't use the lt_simple_compile_test_code here,
+dnl because it contains code intended for an executable,
+dnl not a library.  It's possible we should let each
+dnl tag define a new lt_????_link_test_code variable,
+dnl but it's only used here...
+m4_if([$1], [], [cat > conftest.$ac_ext <<_LT_EOF
+int a;
+void foo (void) { a = 0; }
+_LT_EOF
+], [$1], [CXX], [cat > conftest.$ac_ext <<_LT_EOF
+class Foo
+{
+public:
+  Foo (void) { a = 0; }
+private:
+  int a;
+};
+_LT_EOF
+], [$1], [F77], [cat > conftest.$ac_ext <<_LT_EOF
+      subroutine foo
+      implicit none
+      integer*4 a
+      a=0
+      return
+      end
+_LT_EOF
+], [$1], [FC], [cat > conftest.$ac_ext <<_LT_EOF
+      subroutine foo
+      implicit none
+      integer a
+      a=0
+      return
+      end
+_LT_EOF
+], [$1], [GCJ], [cat > conftest.$ac_ext <<_LT_EOF
+public class foo {
+  private int a;
+  public void bar (void) {
+    a = 0;
+  }
+};
+_LT_EOF
+])
+dnl Parse the compiler output and extract the necessary
+dnl objects, libraries and library flags.
+if AC_TRY_EVAL(ac_compile); then
+  # Parse the compiler output and extract the necessary
+  # objects, libraries and library flags.
+
+  # Sentinel used to keep track of whether or not we are before
+  # the conftest object file.
+  pre_test_object_deps_done=no
+
+  for p in `eval "$output_verbose_link_cmd"`; do
+    case $p in
+
+    -L* | -R* | -l*)
+       # Some compilers place space between "-{L,R}" and the path.
+       # Remove the space.
+       if test $p = "-L" ||
+          test $p = "-R"; then
+	 prev=$p
+	 continue
+       else
+	 prev=
+       fi
+
+       if test "$pre_test_object_deps_done" = no; then
+	 case $p in
+	 -L* | -R*)
+	   # Internal compiler library paths should come after those
+	   # provided the user.  The postdeps already come after the
+	   # user supplied libs so there is no need to process them.
+	   if test -z "$_LT_TAGVAR(compiler_lib_search_path, $1)"; then
+	     _LT_TAGVAR(compiler_lib_search_path, $1)="${prev}${p}"
+	   else
+	     _LT_TAGVAR(compiler_lib_search_path, $1)="${_LT_TAGVAR(compiler_lib_search_path, $1)} ${prev}${p}"
+	   fi
+	   ;;
+	 # The "-l" case would never come before the object being
+	 # linked, so don't bother handling this case.
+	 esac
+       else
+	 if test -z "$_LT_TAGVAR(postdeps, $1)"; then
+	   _LT_TAGVAR(postdeps, $1)="${prev}${p}"
+	 else
+	   _LT_TAGVAR(postdeps, $1)="${_LT_TAGVAR(postdeps, $1)} ${prev}${p}"
+	 fi
+       fi
+       ;;
+
+    *.$objext)
+       # This assumes that the test object file only shows up
+       # once in the compiler output.
+       if test "$p" = "conftest.$objext"; then
+	 pre_test_object_deps_done=yes
+	 continue
+       fi
+
+       if test "$pre_test_object_deps_done" = no; then
+	 if test -z "$_LT_TAGVAR(predep_objects, $1)"; then
+	   _LT_TAGVAR(predep_objects, $1)="$p"
+	 else
+	   _LT_TAGVAR(predep_objects, $1)="$_LT_TAGVAR(predep_objects, $1) $p"
+	 fi
+       else
+	 if test -z "$_LT_TAGVAR(postdep_objects, $1)"; then
+	   _LT_TAGVAR(postdep_objects, $1)="$p"
+	 else
+	   _LT_TAGVAR(postdep_objects, $1)="$_LT_TAGVAR(postdep_objects, $1) $p"
+	 fi
+       fi
+       ;;
+
+    *) ;; # Ignore the rest.
+
+    esac
+  done
+
+  # Clean up.
+  rm -f a.out a.exe
+else
+  echo "libtool.m4: error: problem compiling $1 test program"
+fi
+
+$RM -f confest.$objext
+
+# PORTME: override above test on systems where it is broken
+m4_if([$1], [CXX],
+[case $host_os in
+interix[[3-9]]*)
+  # Interix 3.5 installs completely hosed .la files for C++, so rather than
+  # hack all around it, let's just trust "g++" to DTRT.
+  _LT_TAGVAR(predep_objects,$1)=
+  _LT_TAGVAR(postdep_objects,$1)=
+  _LT_TAGVAR(postdeps,$1)=
+  ;;
+
+linux*)
+  case `$CC -V 2>&1 | sed 5q` in
+  *Sun\ C*)
+    # Sun C++ 5.9
+
+    # The more standards-conforming stlport4 library is
+    # incompatible with the Cstd library. Avoid specifying
+    # it if it's in CXXFLAGS. Ignore libCrun as
+    # -library=stlport4 depends on it.
+    case " $CXX $CXXFLAGS " in
+    *" -library=stlport4 "*)
+      solaris_use_stlport4=yes
+      ;;
+    esac
+
+    if test "$solaris_use_stlport4" != yes; then
+      _LT_TAGVAR(postdeps,$1)='-library=Cstd -library=Crun'
+    fi
+    ;;
+  esac
+  ;;
+
+solaris*)
+  case $cc_basename in
+  CC*)
+    # The more standards-conforming stlport4 library is
+    # incompatible with the Cstd library. Avoid specifying
+    # it if it's in CXXFLAGS. Ignore libCrun as
+    # -library=stlport4 depends on it.
+    case " $CXX $CXXFLAGS " in
+    *" -library=stlport4 "*)
+      solaris_use_stlport4=yes
+      ;;
+    esac
+
+    # Adding this requires a known-good setup of shared libraries for
+    # Sun compiler versions before 5.6, else PIC objects from an old
+    # archive will be linked into the output, leading to subtle bugs.
+    if test "$solaris_use_stlport4" != yes; then
+      _LT_TAGVAR(postdeps,$1)='-library=Cstd -library=Crun'
+    fi
+    ;;
+  esac
+  ;;
+esac
+])
+
+case " $_LT_TAGVAR(postdeps, $1) " in
+*" -lc "*) _LT_TAGVAR(archive_cmds_need_lc, $1)=no ;;
+esac
+ _LT_TAGVAR(compiler_lib_search_dirs, $1)=
+if test -n "${_LT_TAGVAR(compiler_lib_search_path, $1)}"; then
+ _LT_TAGVAR(compiler_lib_search_dirs, $1)=`echo " ${_LT_TAGVAR(compiler_lib_search_path, $1)}" | ${SED} -e 's! -L! !g' -e 's!^ !!'`
+fi
+_LT_TAGDECL([], [compiler_lib_search_dirs], [1],
+    [The directories searched by this compiler when creating a shared library])
+_LT_TAGDECL([], [predep_objects], [1],
+    [Dependencies to place before and after the objects being linked to
+    create a shared library])
+_LT_TAGDECL([], [postdep_objects], [1])
+_LT_TAGDECL([], [predeps], [1])
+_LT_TAGDECL([], [postdeps], [1])
+_LT_TAGDECL([], [compiler_lib_search_path], [1],
+    [The library search path used internally by the compiler when linking
+    a shared library])
+])# _LT_SYS_HIDDEN_LIBDEPS
+
+
+# _LT_PROG_F77
+# ------------
+# Since AC_PROG_F77 is broken, in that it returns the empty string
+# if there is no fortran compiler, we have our own version here.
+m4_defun([_LT_PROG_F77],
+[
+pushdef([AC_MSG_ERROR], [_lt_disable_F77=yes])
+AC_PROG_F77
+if test -z "$F77" || test "X$F77" = "Xno"; then
+  _lt_disable_F77=yes
+fi
+popdef([AC_MSG_ERROR])
+])# _LT_PROG_F77
+
+dnl aclocal-1.4 backwards compatibility:
+dnl AC_DEFUN([_LT_PROG_F77], [])
+
+
+# _LT_LANG_F77_CONFIG([TAG])
+# --------------------------
+# Ensure that the configuration variables for a Fortran 77 compiler are
+# suitably defined.  These variables are subsequently used by _LT_CONFIG
+# to write the compiler configuration to `libtool'.
+m4_defun([_LT_LANG_F77_CONFIG],
+[AC_REQUIRE([_LT_PROG_F77])dnl
+AC_LANG_PUSH(Fortran 77)
+
+_LT_TAGVAR(archive_cmds_need_lc, $1)=no
+_LT_TAGVAR(allow_undefined_flag, $1)=
+_LT_TAGVAR(always_export_symbols, $1)=no
+_LT_TAGVAR(archive_expsym_cmds, $1)=
+_LT_TAGVAR(export_dynamic_flag_spec, $1)=
+_LT_TAGVAR(hardcode_direct, $1)=no
+_LT_TAGVAR(hardcode_direct_absolute, $1)=no
+_LT_TAGVAR(hardcode_libdir_flag_spec, $1)=
+_LT_TAGVAR(hardcode_libdir_flag_spec_ld, $1)=
+_LT_TAGVAR(hardcode_libdir_separator, $1)=
+_LT_TAGVAR(hardcode_minus_L, $1)=no
+_LT_TAGVAR(hardcode_automatic, $1)=no
+_LT_TAGVAR(inherit_rpath, $1)=no
+_LT_TAGVAR(module_cmds, $1)=
+_LT_TAGVAR(module_expsym_cmds, $1)=
+_LT_TAGVAR(link_all_deplibs, $1)=unknown
+_LT_TAGVAR(old_archive_cmds, $1)=$old_archive_cmds
+_LT_TAGVAR(no_undefined_flag, $1)=
+_LT_TAGVAR(whole_archive_flag_spec, $1)=
+_LT_TAGVAR(enable_shared_with_static_runtimes, $1)=no
+
+# Source file extension for f77 test sources.
+ac_ext=f
+
+# Object file extension for compiled f77 test sources.
+objext=o
+_LT_TAGVAR(objext, $1)=$objext
+
+# No sense in running all these tests if we already determined that
+# the F77 compiler isn't working.  Some variables (like enable_shared)
+# are currently assumed to apply to all compilers on this platform,
+# and will be corrupted by setting them based on a non-working compiler.
+if test "$_lt_disable_F77" != yes; then
+  # Code to be used in simple compile tests
+  lt_simple_compile_test_code="\
+      subroutine t
+      return
+      end
+"
+
+  # Code to be used in simple link tests
+  lt_simple_link_test_code="\
+      program t
+      end
+"
+
+  # ltmain only uses $CC for tagged configurations so make sure $CC is set.
+  _LT_TAG_COMPILER
+
+  # save warnings/boilerplate of simple test code
+  _LT_COMPILER_BOILERPLATE
+  _LT_LINKER_BOILERPLATE
+
+  # Allow CC to be a program name with arguments.
+  lt_save_CC="$CC"
+  lt_save_GCC=$GCC
+  CC=${F77-"f77"}
+  compiler=$CC
+  _LT_TAGVAR(compiler, $1)=$CC
+  _LT_CC_BASENAME([$compiler])
+  GCC=$G77
+  if test -n "$compiler"; then
+    AC_MSG_CHECKING([if libtool supports shared libraries])
+    AC_MSG_RESULT([$can_build_shared])
+
+    AC_MSG_CHECKING([whether to build shared libraries])
+    test "$can_build_shared" = "no" && enable_shared=no
+
+    # On AIX, shared libraries and static libraries use the same namespace, and
+    # are all built from PIC.
+    case $host_os in
+      aix3*)
+        test "$enable_shared" = yes && enable_static=no
+        if test -n "$RANLIB"; then
+          archive_cmds="$archive_cmds~\$RANLIB \$lib"
+          postinstall_cmds='$RANLIB $lib'
+        fi
+        ;;
+      aix[[4-9]]*)
+	if test "$host_cpu" != ia64 && test "$aix_use_runtimelinking" = no ; then
+	  test "$enable_shared" = yes && enable_static=no
+	fi
+        ;;
+    esac
+    AC_MSG_RESULT([$enable_shared])
+
+    AC_MSG_CHECKING([whether to build static libraries])
+    # Make sure either enable_shared or enable_static is yes.
+    test "$enable_shared" = yes || enable_static=yes
+    AC_MSG_RESULT([$enable_static])
+
+    _LT_TAGVAR(GCC, $1)="$G77"
+    _LT_TAGVAR(LD, $1)="$LD"
+
+    ## CAVEAT EMPTOR:
+    ## There is no encapsulation within the following macros, do not change
+    ## the running order or otherwise move them around unless you know exactly
+    ## what you are doing...
+    _LT_COMPILER_PIC($1)
+    _LT_COMPILER_C_O($1)
+    _LT_COMPILER_FILE_LOCKS($1)
+    _LT_LINKER_SHLIBS($1)
+    _LT_SYS_DYNAMIC_LINKER($1)
+    _LT_LINKER_HARDCODE_LIBPATH($1)
+
+    _LT_CONFIG($1)
+  fi # test -n "$compiler"
+
+  GCC=$lt_save_GCC
+  CC="$lt_save_CC"
+fi # test "$_lt_disable_F77" != yes
+
+AC_LANG_POP
+])# _LT_LANG_F77_CONFIG
+
+
+# _LT_PROG_FC
+# -----------
+# Since AC_PROG_FC is broken, in that it returns the empty string
+# if there is no fortran compiler, we have our own version here.
+m4_defun([_LT_PROG_FC],
+[
+pushdef([AC_MSG_ERROR], [_lt_disable_FC=yes])
+AC_PROG_FC
+if test -z "$FC" || test "X$FC" = "Xno"; then
+  _lt_disable_FC=yes
+fi
+popdef([AC_MSG_ERROR])
+])# _LT_PROG_FC
+
+dnl aclocal-1.4 backwards compatibility:
+dnl AC_DEFUN([_LT_PROG_FC], [])
+
+
+# _LT_LANG_FC_CONFIG([TAG])
+# -------------------------
+# Ensure that the configuration variables for a Fortran compiler are
+# suitably defined.  These variables are subsequently used by _LT_CONFIG
+# to write the compiler configuration to `libtool'.
+m4_defun([_LT_LANG_FC_CONFIG],
+[AC_REQUIRE([_LT_PROG_FC])dnl
+AC_LANG_PUSH(Fortran)
+
+_LT_TAGVAR(archive_cmds_need_lc, $1)=no
+_LT_TAGVAR(allow_undefined_flag, $1)=
+_LT_TAGVAR(always_export_symbols, $1)=no
+_LT_TAGVAR(archive_expsym_cmds, $1)=
+_LT_TAGVAR(export_dynamic_flag_spec, $1)=
+_LT_TAGVAR(hardcode_direct, $1)=no
+_LT_TAGVAR(hardcode_direct_absolute, $1)=no
+_LT_TAGVAR(hardcode_libdir_flag_spec, $1)=
+_LT_TAGVAR(hardcode_libdir_flag_spec_ld, $1)=
+_LT_TAGVAR(hardcode_libdir_separator, $1)=
+_LT_TAGVAR(hardcode_minus_L, $1)=no
+_LT_TAGVAR(hardcode_automatic, $1)=no
+_LT_TAGVAR(inherit_rpath, $1)=no
+_LT_TAGVAR(module_cmds, $1)=
+_LT_TAGVAR(module_expsym_cmds, $1)=
+_LT_TAGVAR(link_all_deplibs, $1)=unknown
+_LT_TAGVAR(old_archive_cmds, $1)=$old_archive_cmds
+_LT_TAGVAR(no_undefined_flag, $1)=
+_LT_TAGVAR(whole_archive_flag_spec, $1)=
+_LT_TAGVAR(enable_shared_with_static_runtimes, $1)=no
+
+# Source file extension for fc test sources.
+ac_ext=${ac_fc_srcext-f}
+
+# Object file extension for compiled fc test sources.
+objext=o
+_LT_TAGVAR(objext, $1)=$objext
+
+# No sense in running all these tests if we already determined that
+# the FC compiler isn't working.  Some variables (like enable_shared)
+# are currently assumed to apply to all compilers on this platform,
+# and will be corrupted by setting them based on a non-working compiler.
+if test "$_lt_disable_FC" != yes; then
+  # Code to be used in simple compile tests
+  lt_simple_compile_test_code="\
+      subroutine t
+      return
+      end
+"
+
+  # Code to be used in simple link tests
+  lt_simple_link_test_code="\
+      program t
+      end
+"
+
+  # ltmain only uses $CC for tagged configurations so make sure $CC is set.
+  _LT_TAG_COMPILER
+
+  # save warnings/boilerplate of simple test code
+  _LT_COMPILER_BOILERPLATE
+  _LT_LINKER_BOILERPLATE
+
+  # Allow CC to be a program name with arguments.
+  lt_save_CC="$CC"
+  lt_save_GCC=$GCC
+  CC=${FC-"f95"}
+  compiler=$CC
+  GCC=$ac_cv_fc_compiler_gnu
+
+  _LT_TAGVAR(compiler, $1)=$CC
+  _LT_CC_BASENAME([$compiler])
+
+  if test -n "$compiler"; then
+    AC_MSG_CHECKING([if libtool supports shared libraries])
+    AC_MSG_RESULT([$can_build_shared])
+
+    AC_MSG_CHECKING([whether to build shared libraries])
+    test "$can_build_shared" = "no" && enable_shared=no
+
+    # On AIX, shared libraries and static libraries use the same namespace, and
+    # are all built from PIC.
+    case $host_os in
+      aix3*)
+        test "$enable_shared" = yes && enable_static=no
+        if test -n "$RANLIB"; then
+          archive_cmds="$archive_cmds~\$RANLIB \$lib"
+          postinstall_cmds='$RANLIB $lib'
+        fi
+        ;;
+      aix[[4-9]]*)
+	if test "$host_cpu" != ia64 && test "$aix_use_runtimelinking" = no ; then
+	  test "$enable_shared" = yes && enable_static=no
+	fi
+        ;;
+    esac
+    AC_MSG_RESULT([$enable_shared])
+
+    AC_MSG_CHECKING([whether to build static libraries])
+    # Make sure either enable_shared or enable_static is yes.
+    test "$enable_shared" = yes || enable_static=yes
+    AC_MSG_RESULT([$enable_static])
+
+    _LT_TAGVAR(GCC, $1)="$ac_cv_fc_compiler_gnu"
+    _LT_TAGVAR(LD, $1)="$LD"
+
+    ## CAVEAT EMPTOR:
+    ## There is no encapsulation within the following macros, do not change
+    ## the running order or otherwise move them around unless you know exactly
+    ## what you are doing...
+    _LT_SYS_HIDDEN_LIBDEPS($1)
+    _LT_COMPILER_PIC($1)
+    _LT_COMPILER_C_O($1)
+    _LT_COMPILER_FILE_LOCKS($1)
+    _LT_LINKER_SHLIBS($1)
+    _LT_SYS_DYNAMIC_LINKER($1)
+    _LT_LINKER_HARDCODE_LIBPATH($1)
+
+    _LT_CONFIG($1)
+  fi # test -n "$compiler"
+
+  GCC=$lt_save_GCC
+  CC="$lt_save_CC"
+fi # test "$_lt_disable_FC" != yes
+
+AC_LANG_POP
+])# _LT_LANG_FC_CONFIG
+
+
+# _LT_LANG_GCJ_CONFIG([TAG])
+# --------------------------
+# Ensure that the configuration variables for the GNU Java Compiler compiler
+# are suitably defined.  These variables are subsequently used by _LT_CONFIG
+# to write the compiler configuration to `libtool'.
+m4_defun([_LT_LANG_GCJ_CONFIG],
+[AC_REQUIRE([LT_PROG_GCJ])dnl
+AC_LANG_SAVE
+
+# Source file extension for Java test sources.
+ac_ext=java
+
+# Object file extension for compiled Java test sources.
+objext=o
+_LT_TAGVAR(objext, $1)=$objext
+
+# Code to be used in simple compile tests
+lt_simple_compile_test_code="class foo {}"
+
+# Code to be used in simple link tests
+lt_simple_link_test_code='public class conftest { public static void main(String[[]] argv) {}; }'
+
+# ltmain only uses $CC for tagged configurations so make sure $CC is set.
+_LT_TAG_COMPILER
+
+# save warnings/boilerplate of simple test code
+_LT_COMPILER_BOILERPLATE
+_LT_LINKER_BOILERPLATE
+
+# Allow CC to be a program name with arguments.
+lt_save_CC="$CC"
+lt_save_GCC=$GCC
+GCC=yes
+CC=${GCJ-"gcj"}
+compiler=$CC
+_LT_TAGVAR(compiler, $1)=$CC
+_LT_TAGVAR(LD, $1)="$LD"
+_LT_CC_BASENAME([$compiler])
+
+# GCJ did not exist at the time GCC didn't implicitly link libc in.
+_LT_TAGVAR(archive_cmds_need_lc, $1)=no
+
+_LT_TAGVAR(old_archive_cmds, $1)=$old_archive_cmds
+
+## CAVEAT EMPTOR:
+## There is no encapsulation within the following macros, do not change
+## the running order or otherwise move them around unless you know exactly
+## what you are doing...
+if test -n "$compiler"; then
+  _LT_COMPILER_NO_RTTI($1)
+  _LT_COMPILER_PIC($1)
+  _LT_COMPILER_C_O($1)
+  _LT_COMPILER_FILE_LOCKS($1)
+  _LT_LINKER_SHLIBS($1)
+  _LT_LINKER_HARDCODE_LIBPATH($1)
+
+  _LT_CONFIG($1)
+fi
+
+AC_LANG_RESTORE
+
+GCC=$lt_save_GCC
+CC="$lt_save_CC"
+])# _LT_LANG_GCJ_CONFIG
+
+
+# _LT_LANG_RC_CONFIG([TAG])
+# -------------------------
+# Ensure that the configuration variables for the Windows resource compiler
+# are suitably defined.  These variables are subsequently used by _LT_CONFIG
+# to write the compiler configuration to `libtool'.
+m4_defun([_LT_LANG_RC_CONFIG],
+[AC_REQUIRE([LT_PROG_RC])dnl
+AC_LANG_SAVE
+
+# Source file extension for RC test sources.
+ac_ext=rc
+
+# Object file extension for compiled RC test sources.
+objext=o
+_LT_TAGVAR(objext, $1)=$objext
+
+# Code to be used in simple compile tests
+lt_simple_compile_test_code='sample MENU { MENUITEM "&Soup", 100, CHECKED }'
+
+# Code to be used in simple link tests
+lt_simple_link_test_code="$lt_simple_compile_test_code"
+
+# ltmain only uses $CC for tagged configurations so make sure $CC is set.
+_LT_TAG_COMPILER
+
+# save warnings/boilerplate of simple test code
+_LT_COMPILER_BOILERPLATE
+_LT_LINKER_BOILERPLATE
+
+# Allow CC to be a program name with arguments.
+lt_save_CC="$CC"
+lt_save_GCC=$GCC
+GCC=
+CC=${RC-"windres"}
+compiler=$CC
+_LT_TAGVAR(compiler, $1)=$CC
+_LT_CC_BASENAME([$compiler])
+_LT_TAGVAR(lt_cv_prog_compiler_c_o, $1)=yes
+
+if test -n "$compiler"; then
+  :
+  _LT_CONFIG($1)
+fi
+
+GCC=$lt_save_GCC
+AC_LANG_RESTORE
+CC="$lt_save_CC"
+])# _LT_LANG_RC_CONFIG
+
+
+# LT_PROG_GCJ
+# -----------
+AC_DEFUN([LT_PROG_GCJ],
+[m4_ifdef([AC_PROG_GCJ], [AC_PROG_GCJ],
+  [m4_ifdef([A][M_PROG_GCJ], [A][M_PROG_GCJ],
+    [AC_CHECK_TOOL(GCJ, gcj,)
+      test "x${GCJFLAGS+set}" = xset || GCJFLAGS="-g -O2"
+      AC_SUBST(GCJFLAGS)])])[]dnl
+])
+
+# Old name:
+AU_ALIAS([LT_AC_PROG_GCJ], [LT_PROG_GCJ])
+dnl aclocal-1.4 backwards compatibility:
+dnl AC_DEFUN([LT_AC_PROG_GCJ], [])
+
+
+# LT_PROG_RC
+# ----------
+AC_DEFUN([LT_PROG_RC],
+[AC_CHECK_TOOL(RC, windres,)
+])
+
+# Old name:
+AU_ALIAS([LT_AC_PROG_RC], [LT_PROG_RC])
+dnl aclocal-1.4 backwards compatibility:
+dnl AC_DEFUN([LT_AC_PROG_RC], [])
+
+
+# _LT_DECL_EGREP
+# --------------
+# If we don't have a new enough Autoconf to choose the best grep
+# available, choose the one first in the user's PATH.
+m4_defun([_LT_DECL_EGREP],
+[AC_REQUIRE([AC_PROG_EGREP])dnl
+AC_REQUIRE([AC_PROG_FGREP])dnl
+test -z "$GREP" && GREP=grep
+_LT_DECL([], [GREP], [1], [A grep program that handles long lines])
+_LT_DECL([], [EGREP], [1], [An ERE matcher])
+_LT_DECL([], [FGREP], [1], [A literal string matcher])
+dnl Non-bleeding-edge autoconf doesn't subst GREP, so do it here too
+AC_SUBST([GREP])
+])
+
+
+# _LT_DECL_OBJDUMP
+# --------------
+# If we don't have a new enough Autoconf to choose the best objdump
+# available, choose the one first in the user's PATH.
+m4_defun([_LT_DECL_OBJDUMP],
+[AC_CHECK_TOOL(OBJDUMP, objdump, false)
+test -z "$OBJDUMP" && OBJDUMP=objdump
+_LT_DECL([], [OBJDUMP], [1], [An object symbol dumper])
+AC_SUBST([OBJDUMP])
+])
+
+
+# _LT_DECL_SED
+# ------------
+# Check for a fully-functional sed program, that truncates
+# as few characters as possible.  Prefer GNU sed if found.
+m4_defun([_LT_DECL_SED],
+[AC_PROG_SED
+test -z "$SED" && SED=sed
+Xsed="$SED -e 1s/^X//"
+_LT_DECL([], [SED], [1], [A sed program that does not truncate output])
+_LT_DECL([], [Xsed], ["\$SED -e 1s/^X//"],
+    [Sed that helps us avoid accidentally triggering echo(1) options like -n])
+])# _LT_DECL_SED
+
+m4_ifndef([AC_PROG_SED], [
+############################################################
+# NOTE: This macro has been submitted for inclusion into   #
+#  GNU Autoconf as AC_PROG_SED.  When it is available in   #
+#  a released version of Autoconf we should remove this    #
+#  macro and use it instead.                               #
+############################################################
+
+m4_defun([AC_PROG_SED],
+[AC_MSG_CHECKING([for a sed that does not truncate output])
+AC_CACHE_VAL(lt_cv_path_SED,
+[# Loop through the user's path and test for sed and gsed.
+# Then use that list of sed's as ones to test for truncation.
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+  for lt_ac_prog in sed gsed; do
+    for ac_exec_ext in '' $ac_executable_extensions; do
+      if $as_executable_p "$as_dir/$lt_ac_prog$ac_exec_ext"; then
+        lt_ac_sed_list="$lt_ac_sed_list $as_dir/$lt_ac_prog$ac_exec_ext"
+      fi
+    done
+  done
+done
+IFS=$as_save_IFS
+lt_ac_max=0
+lt_ac_count=0
+# Add /usr/xpg4/bin/sed as it is typically found on Solaris
+# along with /bin/sed that truncates output.
+for lt_ac_sed in $lt_ac_sed_list /usr/xpg4/bin/sed; do
+  test ! -f $lt_ac_sed && continue
+  cat /dev/null > conftest.in
+  lt_ac_count=0
+  echo $ECHO_N "0123456789$ECHO_C" >conftest.in
+  # Check for GNU sed and select it if it is found.
+  if "$lt_ac_sed" --version 2>&1 < /dev/null | grep 'GNU' > /dev/null; then
+    lt_cv_path_SED=$lt_ac_sed
+    break
+  fi
+  while true; do
+    cat conftest.in conftest.in >conftest.tmp
+    mv conftest.tmp conftest.in
+    cp conftest.in conftest.nl
+    echo >>conftest.nl
+    $lt_ac_sed -e 's/a$//' < conftest.nl >conftest.out || break
+    cmp -s conftest.out conftest.nl || break
+    # 10000 chars as input seems more than enough
+    test $lt_ac_count -gt 10 && break
+    lt_ac_count=`expr $lt_ac_count + 1`
+    if test $lt_ac_count -gt $lt_ac_max; then
+      lt_ac_max=$lt_ac_count
+      lt_cv_path_SED=$lt_ac_sed
+    fi
+  done
+done
+])
+SED=$lt_cv_path_SED
+AC_SUBST([SED])
+AC_MSG_RESULT([$SED])
+])#AC_PROG_SED
+])#m4_ifndef
+
+# Old name:
+AU_ALIAS([LT_AC_PROG_SED], [AC_PROG_SED])
+dnl aclocal-1.4 backwards compatibility:
+dnl AC_DEFUN([LT_AC_PROG_SED], [])
+
+
+# _LT_CHECK_SHELL_FEATURES
+# ------------------------
+# Find out whether the shell is Bourne or XSI compatible,
+# or has some other useful features.
+m4_defun([_LT_CHECK_SHELL_FEATURES],
+[AC_MSG_CHECKING([whether the shell understands some XSI constructs])
+# Try some XSI features
+xsi_shell=no
+( _lt_dummy="a/b/c"
+  test "${_lt_dummy##*/},${_lt_dummy%/*},"${_lt_dummy%"$_lt_dummy"}, \
+      = c,a/b,, \
+    && eval 'test $(( 1 + 1 )) -eq 2 \
+    && test "${#_lt_dummy}" -eq 5' ) >/dev/null 2>&1 \
+  && xsi_shell=yes
+AC_MSG_RESULT([$xsi_shell])
+_LT_CONFIG_LIBTOOL_INIT([xsi_shell='$xsi_shell'])
+
+AC_MSG_CHECKING([whether the shell understands "+="])
+lt_shell_append=no
+( foo=bar; set foo baz; eval "$[1]+=\$[2]" && test "$foo" = barbaz ) \
+    >/dev/null 2>&1 \
+  && lt_shell_append=yes
+AC_MSG_RESULT([$lt_shell_append])
+_LT_CONFIG_LIBTOOL_INIT([lt_shell_append='$lt_shell_append'])
+
+if ( (MAIL=60; unset MAIL) || exit) >/dev/null 2>&1; then
+  lt_unset=unset
+else
+  lt_unset=false
+fi
+_LT_DECL([], [lt_unset], [0], [whether the shell understands "unset"])dnl
+
+# test EBCDIC or ASCII
+case `echo X|tr X '\101'` in
+ A) # ASCII based system
+    # \n is not interpreted correctly by Solaris 8 /usr/ucb/tr
+  lt_SP2NL='tr \040 \012'
+  lt_NL2SP='tr \015\012 \040\040'
+  ;;
+ *) # EBCDIC based system
+  lt_SP2NL='tr \100 \n'
+  lt_NL2SP='tr \r\n \100\100'
+  ;;
+esac
+_LT_DECL([SP2NL], [lt_SP2NL], [1], [turn spaces into newlines])dnl
+_LT_DECL([NL2SP], [lt_NL2SP], [1], [turn newlines into spaces])dnl
+])# _LT_CHECK_SHELL_FEATURES
+
+
+# _LT_PROG_XSI_SHELLFNS
+# ---------------------
+# Bourne and XSI compatible variants of some useful shell functions.
+m4_defun([_LT_PROG_XSI_SHELLFNS],
+[case $xsi_shell in
+  yes)
+    cat << \_LT_EOF >> "$cfgfile"
+
+# func_dirname file append nondir_replacement
+# Compute the dirname of FILE.  If nonempty, add APPEND to the result,
+# otherwise set result to NONDIR_REPLACEMENT.
+func_dirname ()
+{
+  case ${1} in
+    */*) func_dirname_result="${1%/*}${2}" ;;
+    *  ) func_dirname_result="${3}" ;;
+  esac
+}
+
+# func_basename file
+func_basename ()
+{
+  func_basename_result="${1##*/}"
+}
+
+# func_dirname_and_basename file append nondir_replacement
+# perform func_basename and func_dirname in a single function
+# call:
+#   dirname:  Compute the dirname of FILE.  If nonempty,
+#             add APPEND to the result, otherwise set result
+#             to NONDIR_REPLACEMENT.
+#             value returned in "$func_dirname_result"
+#   basename: Compute filename of FILE.
+#             value retuned in "$func_basename_result"
+# Implementation must be kept synchronized with func_dirname
+# and func_basename. For efficiency, we do not delegate to
+# those functions but instead duplicate the functionality here.
+func_dirname_and_basename ()
+{
+  case ${1} in
+    */*) func_dirname_result="${1%/*}${2}" ;;
+    *  ) func_dirname_result="${3}" ;;
+  esac
+  func_basename_result="${1##*/}"
+}
+
+# func_stripname prefix suffix name
+# strip PREFIX and SUFFIX off of NAME.
+# PREFIX and SUFFIX must not contain globbing or regex special
+# characters, hashes, percent signs, but SUFFIX may contain a leading
+# dot (in which case that matches only a dot).
+func_stripname ()
+{
+  # pdksh 5.2.14 does not do ${X%$Y} correctly if both X and Y are
+  # positional parameters, so assign one to ordinary parameter first.
+  func_stripname_result=${3}
+  func_stripname_result=${func_stripname_result#"${1}"}
+  func_stripname_result=${func_stripname_result%"${2}"}
+}
+
+# func_opt_split
+func_opt_split ()
+{
+  func_opt_split_opt=${1%%=*}
+  func_opt_split_arg=${1#*=}
+}
+
+# func_lo2o object
+func_lo2o ()
+{
+  case ${1} in
+    *.lo) func_lo2o_result=${1%.lo}.${objext} ;;
+    *)    func_lo2o_result=${1} ;;
+  esac
+}
+
+# func_xform libobj-or-source
+func_xform ()
+{
+  func_xform_result=${1%.*}.lo
+}
+
+# func_arith arithmetic-term...
+func_arith ()
+{
+  func_arith_result=$(( $[*] ))
+}
+
+# func_len string
+# STRING may not start with a hyphen.
+func_len ()
+{
+  func_len_result=${#1}
+}
+
+_LT_EOF
+    ;;
+  *) # Bourne compatible functions.
+    cat << \_LT_EOF >> "$cfgfile"
+
+# func_dirname file append nondir_replacement
+# Compute the dirname of FILE.  If nonempty, add APPEND to the result,
+# otherwise set result to NONDIR_REPLACEMENT.
+func_dirname ()
+{
+  # Extract subdirectory from the argument.
+  func_dirname_result=`$ECHO "X${1}" | $Xsed -e "$dirname"`
+  if test "X$func_dirname_result" = "X${1}"; then
+    func_dirname_result="${3}"
+  else
+    func_dirname_result="$func_dirname_result${2}"
+  fi
+}
+
+# func_basename file
+func_basename ()
+{
+  func_basename_result=`$ECHO "X${1}" | $Xsed -e "$basename"`
+}
+
+dnl func_dirname_and_basename
+dnl A portable version of this function is already defined in general.m4sh
+dnl so there is no need for it here.
+
+# func_stripname prefix suffix name
+# strip PREFIX and SUFFIX off of NAME.
+# PREFIX and SUFFIX must not contain globbing or regex special
+# characters, hashes, percent signs, but SUFFIX may contain a leading
+# dot (in which case that matches only a dot).
+# func_strip_suffix prefix name
+func_stripname ()
+{
+  case ${2} in
+    .*) func_stripname_result=`$ECHO "X${3}" \
+           | $Xsed -e "s%^${1}%%" -e "s%\\\\${2}\$%%"`;;
+    *)  func_stripname_result=`$ECHO "X${3}" \
+           | $Xsed -e "s%^${1}%%" -e "s%${2}\$%%"`;;
+  esac
+}
+
+# sed scripts:
+my_sed_long_opt='1s/^\(-[[^=]]*\)=.*/\1/;q'
+my_sed_long_arg='1s/^-[[^=]]*=//'
+
+# func_opt_split
+func_opt_split ()
+{
+  func_opt_split_opt=`$ECHO "X${1}" | $Xsed -e "$my_sed_long_opt"`
+  func_opt_split_arg=`$ECHO "X${1}" | $Xsed -e "$my_sed_long_arg"`
+}
+
+# func_lo2o object
+func_lo2o ()
+{
+  func_lo2o_result=`$ECHO "X${1}" | $Xsed -e "$lo2o"`
+}
+
+# func_xform libobj-or-source
+func_xform ()
+{
+  func_xform_result=`$ECHO "X${1}" | $Xsed -e 's/\.[[^.]]*$/.lo/'`
+}
+
+# func_arith arithmetic-term...
+func_arith ()
+{
+  func_arith_result=`expr "$[@]"`
+}
+
+# func_len string
+# STRING may not start with a hyphen.
+func_len ()
+{
+  func_len_result=`expr "$[1]" : ".*" 2>/dev/null || echo $max_cmd_len`
+}
+
+_LT_EOF
+esac
+
+case $lt_shell_append in
+  yes)
+    cat << \_LT_EOF >> "$cfgfile"
+
+# func_append var value
+# Append VALUE to the end of shell variable VAR.
+func_append ()
+{
+  eval "$[1]+=\$[2]"
+}
+_LT_EOF
+    ;;
+  *)
+    cat << \_LT_EOF >> "$cfgfile"
+
+# func_append var value
+# Append VALUE to the end of shell variable VAR.
+func_append ()
+{
+  eval "$[1]=\$$[1]\$[2]"
+}
+
+_LT_EOF
+    ;;
+  esac
+])
diff --git a/m4/config/ltoptions.m4 b/m4/config/ltoptions.m4
new file mode 100644
index 000000000..34151a3ba
--- /dev/null
+++ b/m4/config/ltoptions.m4
@@ -0,0 +1,368 @@
+# Helper functions for option handling.                    -*- Autoconf -*-
+#
+#   Copyright (C) 2004, 2005, 2007, 2008 Free Software Foundation, Inc.
+#   Written by Gary V. Vaughan, 2004
+#
+# This file is free software; the Free Software Foundation gives
+# unlimited permission to copy and/or distribute it, with or without
+# modifications, as long as this notice is preserved.
+
+# serial 6 ltoptions.m4
+
+# This is to help aclocal find these macros, as it can't see m4_define.
+AC_DEFUN([LTOPTIONS_VERSION], [m4_if([1])])
+
+
+# _LT_MANGLE_OPTION(MACRO-NAME, OPTION-NAME)
+# ------------------------------------------
+m4_define([_LT_MANGLE_OPTION],
+[[_LT_OPTION_]m4_bpatsubst($1__$2, [[^a-zA-Z0-9_]], [_])])
+
+
+# _LT_SET_OPTION(MACRO-NAME, OPTION-NAME)
+# ---------------------------------------
+# Set option OPTION-NAME for macro MACRO-NAME, and if there is a
+# matching handler defined, dispatch to it.  Other OPTION-NAMEs are
+# saved as a flag.
+m4_define([_LT_SET_OPTION],
+[m4_define(_LT_MANGLE_OPTION([$1], [$2]))dnl
+m4_ifdef(_LT_MANGLE_DEFUN([$1], [$2]),
+        _LT_MANGLE_DEFUN([$1], [$2]),
+    [m4_warning([Unknown $1 option `$2'])])[]dnl
+])
+
+
+# _LT_IF_OPTION(MACRO-NAME, OPTION-NAME, IF-SET, [IF-NOT-SET])
+# ------------------------------------------------------------
+# Execute IF-SET if OPTION is set, IF-NOT-SET otherwise.
+m4_define([_LT_IF_OPTION],
+[m4_ifdef(_LT_MANGLE_OPTION([$1], [$2]), [$3], [$4])])
+
+
+# _LT_UNLESS_OPTIONS(MACRO-NAME, OPTION-LIST, IF-NOT-SET)
+# -------------------------------------------------------
+# Execute IF-NOT-SET unless all options in OPTION-LIST for MACRO-NAME
+# are set.
+m4_define([_LT_UNLESS_OPTIONS],
+[m4_foreach([_LT_Option], m4_split(m4_normalize([$2])),
+	    [m4_ifdef(_LT_MANGLE_OPTION([$1], _LT_Option),
+		      [m4_define([$0_found])])])[]dnl
+m4_ifdef([$0_found], [m4_undefine([$0_found])], [$3
+])[]dnl
+])
+
+
+# _LT_SET_OPTIONS(MACRO-NAME, OPTION-LIST)
+# ----------------------------------------
+# OPTION-LIST is a space-separated list of Libtool options associated
+# with MACRO-NAME.  If any OPTION has a matching handler declared with
+# LT_OPTION_DEFINE, dispatch to that macro; otherwise complain about
+# the unknown option and exit.
+m4_defun([_LT_SET_OPTIONS],
+[# Set options
+m4_foreach([_LT_Option], m4_split(m4_normalize([$2])),
+    [_LT_SET_OPTION([$1], _LT_Option)])
+
+m4_if([$1],[LT_INIT],[
+  dnl
+  dnl Simply set some default values (i.e off) if boolean options were not
+  dnl specified:
+  _LT_UNLESS_OPTIONS([LT_INIT], [dlopen], [enable_dlopen=no
+  ])
+  _LT_UNLESS_OPTIONS([LT_INIT], [win32-dll], [enable_win32_dll=no
+  ])
+  dnl
+  dnl If no reference was made to various pairs of opposing options, then
+  dnl we run the default mode handler for the pair.  For example, if neither
+  dnl `shared' nor `disable-shared' was passed, we enable building of shared
+  dnl archives by default:
+  _LT_UNLESS_OPTIONS([LT_INIT], [shared disable-shared], [_LT_ENABLE_SHARED])
+  _LT_UNLESS_OPTIONS([LT_INIT], [static disable-static], [_LT_ENABLE_STATIC])
+  _LT_UNLESS_OPTIONS([LT_INIT], [pic-only no-pic], [_LT_WITH_PIC])
+  _LT_UNLESS_OPTIONS([LT_INIT], [fast-install disable-fast-install],
+  		   [_LT_ENABLE_FAST_INSTALL])
+  ])
+])# _LT_SET_OPTIONS
+
+
+## --------------------------------- ##
+## Macros to handle LT_INIT options. ##
+## --------------------------------- ##
+
+# _LT_MANGLE_DEFUN(MACRO-NAME, OPTION-NAME)
+# -----------------------------------------
+m4_define([_LT_MANGLE_DEFUN],
+[[_LT_OPTION_DEFUN_]m4_bpatsubst(m4_toupper([$1__$2]), [[^A-Z0-9_]], [_])])
+
+
+# LT_OPTION_DEFINE(MACRO-NAME, OPTION-NAME, CODE)
+# -----------------------------------------------
+m4_define([LT_OPTION_DEFINE],
+[m4_define(_LT_MANGLE_DEFUN([$1], [$2]), [$3])[]dnl
+])# LT_OPTION_DEFINE
+
+
+# dlopen
+# ------
+LT_OPTION_DEFINE([LT_INIT], [dlopen], [enable_dlopen=yes
+])
+
+AU_DEFUN([AC_LIBTOOL_DLOPEN],
+[_LT_SET_OPTION([LT_INIT], [dlopen])
+AC_DIAGNOSE([obsolete],
+[$0: Remove this warning and the call to _LT_SET_OPTION when you
+put the `dlopen' option into LT_INIT's first parameter.])
+])
+
+dnl aclocal-1.4 backwards compatibility:
+dnl AC_DEFUN([AC_LIBTOOL_DLOPEN], [])
+
+
+# win32-dll
+# ---------
+# Declare package support for building win32 dll's.
+LT_OPTION_DEFINE([LT_INIT], [win32-dll],
+[enable_win32_dll=yes
+
+case $host in
+*-*-cygwin* | *-*-mingw* | *-*-pw32* | *-cegcc*)
+  AC_CHECK_TOOL(AS, as, false)
+  AC_CHECK_TOOL(DLLTOOL, dlltool, false)
+  AC_CHECK_TOOL(OBJDUMP, objdump, false)
+  ;;
+esac
+
+test -z "$AS" && AS=as
+_LT_DECL([], [AS],      [0], [Assembler program])dnl
+
+test -z "$DLLTOOL" && DLLTOOL=dlltool
+_LT_DECL([], [DLLTOOL], [0], [DLL creation program])dnl
+
+test -z "$OBJDUMP" && OBJDUMP=objdump
+_LT_DECL([], [OBJDUMP], [0], [Object dumper program])dnl
+])# win32-dll
+
+AU_DEFUN([AC_LIBTOOL_WIN32_DLL],
+[AC_REQUIRE([AC_CANONICAL_HOST])dnl
+_LT_SET_OPTION([LT_INIT], [win32-dll])
+AC_DIAGNOSE([obsolete],
+[$0: Remove this warning and the call to _LT_SET_OPTION when you
+put the `win32-dll' option into LT_INIT's first parameter.])
+])
+
+dnl aclocal-1.4 backwards compatibility:
+dnl AC_DEFUN([AC_LIBTOOL_WIN32_DLL], [])
+
+
+# _LT_ENABLE_SHARED([DEFAULT])
+# ----------------------------
+# implement the --enable-shared flag, and supports the `shared' and
+# `disable-shared' LT_INIT options.
+# DEFAULT is either `yes' or `no'.  If omitted, it defaults to `yes'.
+m4_define([_LT_ENABLE_SHARED],
+[m4_define([_LT_ENABLE_SHARED_DEFAULT], [m4_if($1, no, no, yes)])dnl
+AC_ARG_ENABLE([shared],
+    [AS_HELP_STRING([--enable-shared@<:@=PKGS@:>@],
+	[build shared libraries @<:@default=]_LT_ENABLE_SHARED_DEFAULT[@:>@])],
+    [p=${PACKAGE-default}
+    case $enableval in
+    yes) enable_shared=yes ;;
+    no) enable_shared=no ;;
+    *)
+      enable_shared=no
+      # Look at the argument we got.  We use all the common list separators.
+      lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR,"
+      for pkg in $enableval; do
+	IFS="$lt_save_ifs"
+	if test "X$pkg" = "X$p"; then
+	  enable_shared=yes
+	fi
+      done
+      IFS="$lt_save_ifs"
+      ;;
+    esac],
+    [enable_shared=]_LT_ENABLE_SHARED_DEFAULT)
+
+    _LT_DECL([build_libtool_libs], [enable_shared], [0],
+	[Whether or not to build shared libraries])
+])# _LT_ENABLE_SHARED
+
+LT_OPTION_DEFINE([LT_INIT], [shared], [_LT_ENABLE_SHARED([yes])])
+LT_OPTION_DEFINE([LT_INIT], [disable-shared], [_LT_ENABLE_SHARED([no])])
+
+# Old names:
+AC_DEFUN([AC_ENABLE_SHARED],
+[_LT_SET_OPTION([LT_INIT], m4_if([$1], [no], [disable-])[shared])
+])
+
+AC_DEFUN([AC_DISABLE_SHARED],
+[_LT_SET_OPTION([LT_INIT], [disable-shared])
+])
+
+AU_DEFUN([AM_ENABLE_SHARED], [AC_ENABLE_SHARED($@)])
+AU_DEFUN([AM_DISABLE_SHARED], [AC_DISABLE_SHARED($@)])
+
+dnl aclocal-1.4 backwards compatibility:
+dnl AC_DEFUN([AM_ENABLE_SHARED], [])
+dnl AC_DEFUN([AM_DISABLE_SHARED], [])
+
+
+
+# _LT_ENABLE_STATIC([DEFAULT])
+# ----------------------------
+# implement the --enable-static flag, and support the `static' and
+# `disable-static' LT_INIT options.
+# DEFAULT is either `yes' or `no'.  If omitted, it defaults to `yes'.
+m4_define([_LT_ENABLE_STATIC],
+[m4_define([_LT_ENABLE_STATIC_DEFAULT], [m4_if($1, no, no, yes)])dnl
+AC_ARG_ENABLE([static],
+    [AS_HELP_STRING([--enable-static@<:@=PKGS@:>@],
+	[build static libraries @<:@default=]_LT_ENABLE_STATIC_DEFAULT[@:>@])],
+    [p=${PACKAGE-default}
+    case $enableval in
+    yes) enable_static=yes ;;
+    no) enable_static=no ;;
+    *)
+     enable_static=no
+      # Look at the argument we got.  We use all the common list separators.
+      lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR,"
+      for pkg in $enableval; do
+	IFS="$lt_save_ifs"
+	if test "X$pkg" = "X$p"; then
+	  enable_static=yes
+	fi
+      done
+      IFS="$lt_save_ifs"
+      ;;
+    esac],
+    [enable_static=]_LT_ENABLE_STATIC_DEFAULT)
+
+    _LT_DECL([build_old_libs], [enable_static], [0],
+	[Whether or not to build static libraries])
+])# _LT_ENABLE_STATIC
+
+LT_OPTION_DEFINE([LT_INIT], [static], [_LT_ENABLE_STATIC([yes])])
+LT_OPTION_DEFINE([LT_INIT], [disable-static], [_LT_ENABLE_STATIC([no])])
+
+# Old names:
+AC_DEFUN([AC_ENABLE_STATIC],
+[_LT_SET_OPTION([LT_INIT], m4_if([$1], [no], [disable-])[static])
+])
+
+AC_DEFUN([AC_DISABLE_STATIC],
+[_LT_SET_OPTION([LT_INIT], [disable-static])
+])
+
+AU_DEFUN([AM_ENABLE_STATIC], [AC_ENABLE_STATIC($@)])
+AU_DEFUN([AM_DISABLE_STATIC], [AC_DISABLE_STATIC($@)])
+
+dnl aclocal-1.4 backwards compatibility:
+dnl AC_DEFUN([AM_ENABLE_STATIC], [])
+dnl AC_DEFUN([AM_DISABLE_STATIC], [])
+
+
+
+# _LT_ENABLE_FAST_INSTALL([DEFAULT])
+# ----------------------------------
+# implement the --enable-fast-install flag, and support the `fast-install'
+# and `disable-fast-install' LT_INIT options.
+# DEFAULT is either `yes' or `no'.  If omitted, it defaults to `yes'.
+m4_define([_LT_ENABLE_FAST_INSTALL],
+[m4_define([_LT_ENABLE_FAST_INSTALL_DEFAULT], [m4_if($1, no, no, yes)])dnl
+AC_ARG_ENABLE([fast-install],
+    [AS_HELP_STRING([--enable-fast-install@<:@=PKGS@:>@],
+    [optimize for fast installation @<:@default=]_LT_ENABLE_FAST_INSTALL_DEFAULT[@:>@])],
+    [p=${PACKAGE-default}
+    case $enableval in
+    yes) enable_fast_install=yes ;;
+    no) enable_fast_install=no ;;
+    *)
+      enable_fast_install=no
+      # Look at the argument we got.  We use all the common list separators.
+      lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR,"
+      for pkg in $enableval; do
+	IFS="$lt_save_ifs"
+	if test "X$pkg" = "X$p"; then
+	  enable_fast_install=yes
+	fi
+      done
+      IFS="$lt_save_ifs"
+      ;;
+    esac],
+    [enable_fast_install=]_LT_ENABLE_FAST_INSTALL_DEFAULT)
+
+_LT_DECL([fast_install], [enable_fast_install], [0],
+	 [Whether or not to optimize for fast installation])dnl
+])# _LT_ENABLE_FAST_INSTALL
+
+LT_OPTION_DEFINE([LT_INIT], [fast-install], [_LT_ENABLE_FAST_INSTALL([yes])])
+LT_OPTION_DEFINE([LT_INIT], [disable-fast-install], [_LT_ENABLE_FAST_INSTALL([no])])
+
+# Old names:
+AU_DEFUN([AC_ENABLE_FAST_INSTALL],
+[_LT_SET_OPTION([LT_INIT], m4_if([$1], [no], [disable-])[fast-install])
+AC_DIAGNOSE([obsolete],
+[$0: Remove this warning and the call to _LT_SET_OPTION when you put
+the `fast-install' option into LT_INIT's first parameter.])
+])
+
+AU_DEFUN([AC_DISABLE_FAST_INSTALL],
+[_LT_SET_OPTION([LT_INIT], [disable-fast-install])
+AC_DIAGNOSE([obsolete],
+[$0: Remove this warning and the call to _LT_SET_OPTION when you put
+the `disable-fast-install' option into LT_INIT's first parameter.])
+])
+
+dnl aclocal-1.4 backwards compatibility:
+dnl AC_DEFUN([AC_ENABLE_FAST_INSTALL], [])
+dnl AC_DEFUN([AM_DISABLE_FAST_INSTALL], [])
+
+
+# _LT_WITH_PIC([MODE])
+# --------------------
+# implement the --with-pic flag, and support the `pic-only' and `no-pic'
+# LT_INIT options.
+# MODE is either `yes' or `no'.  If omitted, it defaults to `both'.
+m4_define([_LT_WITH_PIC],
+[AC_ARG_WITH([pic],
+    [AS_HELP_STRING([--with-pic],
+	[try to use only PIC/non-PIC objects @<:@default=use both@:>@])],
+    [pic_mode="$withval"],
+    [pic_mode=default])
+
+test -z "$pic_mode" && pic_mode=m4_default([$1], [default])
+
+_LT_DECL([], [pic_mode], [0], [What type of objects to build])dnl
+])# _LT_WITH_PIC
+
+LT_OPTION_DEFINE([LT_INIT], [pic-only], [_LT_WITH_PIC([yes])])
+LT_OPTION_DEFINE([LT_INIT], [no-pic], [_LT_WITH_PIC([no])])
+
+# Old name:
+AU_DEFUN([AC_LIBTOOL_PICMODE],
+[_LT_SET_OPTION([LT_INIT], [pic-only])
+AC_DIAGNOSE([obsolete],
+[$0: Remove this warning and the call to _LT_SET_OPTION when you
+put the `pic-only' option into LT_INIT's first parameter.])
+])
+
+dnl aclocal-1.4 backwards compatibility:
+dnl AC_DEFUN([AC_LIBTOOL_PICMODE], [])
+
+## ----------------- ##
+## LTDL_INIT Options ##
+## ----------------- ##
+
+m4_define([_LTDL_MODE], [])
+LT_OPTION_DEFINE([LTDL_INIT], [nonrecursive],
+		 [m4_define([_LTDL_MODE], [nonrecursive])])
+LT_OPTION_DEFINE([LTDL_INIT], [recursive],
+		 [m4_define([_LTDL_MODE], [recursive])])
+LT_OPTION_DEFINE([LTDL_INIT], [subproject],
+		 [m4_define([_LTDL_MODE], [subproject])])
+
+m4_define([_LTDL_TYPE], [])
+LT_OPTION_DEFINE([LTDL_INIT], [installable],
+		 [m4_define([_LTDL_TYPE], [installable])])
+LT_OPTION_DEFINE([LTDL_INIT], [convenience],
+		 [m4_define([_LTDL_TYPE], [convenience])])
diff --git a/m4/config/ltsugar.m4 b/m4/config/ltsugar.m4
new file mode 100644
index 000000000..9000a057d
--- /dev/null
+++ b/m4/config/ltsugar.m4
@@ -0,0 +1,123 @@
+# ltsugar.m4 -- libtool m4 base layer.                         -*-Autoconf-*-
+#
+# Copyright (C) 2004, 2005, 2007, 2008 Free Software Foundation, Inc.
+# Written by Gary V. Vaughan, 2004
+#
+# This file is free software; the Free Software Foundation gives
+# unlimited permission to copy and/or distribute it, with or without
+# modifications, as long as this notice is preserved.
+
+# serial 6 ltsugar.m4
+
+# This is to help aclocal find these macros, as it can't see m4_define.
+AC_DEFUN([LTSUGAR_VERSION], [m4_if([0.1])])
+
+
+# lt_join(SEP, ARG1, [ARG2...])
+# -----------------------------
+# Produce ARG1SEPARG2...SEPARGn, omitting [] arguments and their
+# associated separator.
+# Needed until we can rely on m4_join from Autoconf 2.62, since all earlier
+# versions in m4sugar had bugs.
+m4_define([lt_join],
+[m4_if([$#], [1], [],
+       [$#], [2], [[$2]],
+       [m4_if([$2], [], [], [[$2]_])$0([$1], m4_shift(m4_shift($@)))])])
+m4_define([_lt_join],
+[m4_if([$#$2], [2], [],
+       [m4_if([$2], [], [], [[$1$2]])$0([$1], m4_shift(m4_shift($@)))])])
+
+
+# lt_car(LIST)
+# lt_cdr(LIST)
+# ------------
+# Manipulate m4 lists.
+# These macros are necessary as long as will still need to support
+# Autoconf-2.59 which quotes differently.
+m4_define([lt_car], [[$1]])
+m4_define([lt_cdr],
+[m4_if([$#], 0, [m4_fatal([$0: cannot be called without arguments])],
+       [$#], 1, [],
+       [m4_dquote(m4_shift($@))])])
+m4_define([lt_unquote], $1)
+
+
+# lt_append(MACRO-NAME, STRING, [SEPARATOR])
+# ------------------------------------------
+# Redefine MACRO-NAME to hold its former content plus `SEPARATOR'`STRING'.
+# Note that neither SEPARATOR nor STRING are expanded; they are appended
+# to MACRO-NAME as is (leaving the expansion for when MACRO-NAME is invoked).
+# No SEPARATOR is output if MACRO-NAME was previously undefined (different
+# than defined and empty).
+#
+# This macro is needed until we can rely on Autoconf 2.62, since earlier
+# versions of m4sugar mistakenly expanded SEPARATOR but not STRING.
+m4_define([lt_append],
+[m4_define([$1],
+	   m4_ifdef([$1], [m4_defn([$1])[$3]])[$2])])
+
+
+
+# lt_combine(SEP, PREFIX-LIST, INFIX, SUFFIX1, [SUFFIX2...])
+# ----------------------------------------------------------
+# Produce a SEP delimited list of all paired combinations of elements of
+# PREFIX-LIST with SUFFIX1 through SUFFIXn.  Each element of the list
+# has the form PREFIXmINFIXSUFFIXn.
+# Needed until we can rely on m4_combine added in Autoconf 2.62.
+m4_define([lt_combine],
+[m4_if(m4_eval([$# > 3]), [1],
+       [m4_pushdef([_Lt_sep], [m4_define([_Lt_sep], m4_defn([lt_car]))])]]dnl
+[[m4_foreach([_Lt_prefix], [$2],
+	     [m4_foreach([_Lt_suffix],
+		]m4_dquote(m4_dquote(m4_shift(m4_shift(m4_shift($@)))))[,
+	[_Lt_sep([$1])[]m4_defn([_Lt_prefix])[$3]m4_defn([_Lt_suffix])])])])])
+
+
+# lt_if_append_uniq(MACRO-NAME, VARNAME, [SEPARATOR], [UNIQ], [NOT-UNIQ])
+# -----------------------------------------------------------------------
+# Iff MACRO-NAME does not yet contain VARNAME, then append it (delimited
+# by SEPARATOR if supplied) and expand UNIQ, else NOT-UNIQ.
+m4_define([lt_if_append_uniq],
+[m4_ifdef([$1],
+	  [m4_if(m4_index([$3]m4_defn([$1])[$3], [$3$2$3]), [-1],
+		 [lt_append([$1], [$2], [$3])$4],
+		 [$5])],
+	  [lt_append([$1], [$2], [$3])$4])])
+
+
+# lt_dict_add(DICT, KEY, VALUE)
+# -----------------------------
+m4_define([lt_dict_add],
+[m4_define([$1($2)], [$3])])
+
+
+# lt_dict_add_subkey(DICT, KEY, SUBKEY, VALUE)
+# --------------------------------------------
+m4_define([lt_dict_add_subkey],
+[m4_define([$1($2:$3)], [$4])])
+
+
+# lt_dict_fetch(DICT, KEY, [SUBKEY])
+# ----------------------------------
+m4_define([lt_dict_fetch],
+[m4_ifval([$3],
+	m4_ifdef([$1($2:$3)], [m4_defn([$1($2:$3)])]),
+    m4_ifdef([$1($2)], [m4_defn([$1($2)])]))])
+
+
+# lt_if_dict_fetch(DICT, KEY, [SUBKEY], VALUE, IF-TRUE, [IF-FALSE])
+# -----------------------------------------------------------------
+m4_define([lt_if_dict_fetch],
+[m4_if(lt_dict_fetch([$1], [$2], [$3]), [$4],
+	[$5],
+    [$6])])
+
+
+# lt_dict_filter(DICT, [SUBKEY], VALUE, [SEPARATOR], KEY, [...])
+# --------------------------------------------------------------
+m4_define([lt_dict_filter],
+[m4_if([$5], [], [],
+  [lt_join(m4_quote(m4_default([$4], [[, ]])),
+           lt_unquote(m4_split(m4_normalize(m4_foreach(_Lt_key, lt_car([m4_shiftn(4, $@)]),
+		      [lt_if_dict_fetch([$1], _Lt_key, [$2], [$3], [_Lt_key ])])))))])[]dnl
+])
diff --git a/m4/config/ltversion.m4 b/m4/config/ltversion.m4
new file mode 100644
index 000000000..b8e154fe6
--- /dev/null
+++ b/m4/config/ltversion.m4
@@ -0,0 +1,23 @@
+# ltversion.m4 -- version numbers			-*- Autoconf -*-
+#
+#   Copyright (C) 2004 Free Software Foundation, Inc.
+#   Written by Scott James Remnant, 2004
+#
+# This file is free software; the Free Software Foundation gives
+# unlimited permission to copy and/or distribute it, with or without
+# modifications, as long as this notice is preserved.
+
+# Generated from ltversion.in.
+
+# serial 3012 ltversion.m4
+# This file is part of GNU Libtool
+
+m4_define([LT_PACKAGE_VERSION], [2.2.6])
+m4_define([LT_PACKAGE_REVISION], [1.3012])
+
+AC_DEFUN([LTVERSION_VERSION],
+[macro_version='2.2.6'
+macro_revision='1.3012'
+_LT_DECL(, macro_version, 0, [Which release of libtool.m4 was used?])
+_LT_DECL(, macro_revision, 0)
+])
diff --git a/m4/config/lt~obsolete.m4 b/m4/config/lt~obsolete.m4
new file mode 100644
index 000000000..637bb2066
--- /dev/null
+++ b/m4/config/lt~obsolete.m4
@@ -0,0 +1,92 @@
+# lt~obsolete.m4 -- aclocal satisfying obsolete definitions.    -*-Autoconf-*-
+#
+#   Copyright (C) 2004, 2005, 2007 Free Software Foundation, Inc.
+#   Written by Scott James Remnant, 2004.
+#
+# This file is free software; the Free Software Foundation gives
+# unlimited permission to copy and/or distribute it, with or without
+# modifications, as long as this notice is preserved.
+
+# serial 4 lt~obsolete.m4
+
+# These exist entirely to fool aclocal when bootstrapping libtool.
+#
+# In the past libtool.m4 has provided macros via AC_DEFUN (or AU_DEFUN)
+# which have later been changed to m4_define as they aren't part of the
+# exported API, or moved to Autoconf or Automake where they belong.
+#
+# The trouble is, aclocal is a bit thick.  It'll see the old AC_DEFUN
+# in /usr/share/aclocal/libtool.m4 and remember it, then when it sees us
+# using a macro with the same name in our local m4/libtool.m4 it'll
+# pull the old libtool.m4 in (it doesn't see our shiny new m4_define
+# and doesn't know about Autoconf macros at all.)
+#
+# So we provide this file, which has a silly filename so it's always
+# included after everything else.  This provides aclocal with the
+# AC_DEFUNs it wants, but when m4 processes it, it doesn't do anything
+# because those macros already exist, or will be overwritten later.
+# We use AC_DEFUN over AU_DEFUN for compatibility with aclocal-1.6. 
+#
+# Anytime we withdraw an AC_DEFUN or AU_DEFUN, remember to add it here.
+# Yes, that means every name once taken will need to remain here until
+# we give up compatibility with versions before 1.7, at which point
+# we need to keep only those names which we still refer to.
+
+# This is to help aclocal find these macros, as it can't see m4_define.
+AC_DEFUN([LTOBSOLETE_VERSION], [m4_if([1])])
+
+m4_ifndef([AC_LIBTOOL_LINKER_OPTION],	[AC_DEFUN([AC_LIBTOOL_LINKER_OPTION])])
+m4_ifndef([AC_PROG_EGREP],		[AC_DEFUN([AC_PROG_EGREP])])
+m4_ifndef([_LT_AC_PROG_ECHO_BACKSLASH],	[AC_DEFUN([_LT_AC_PROG_ECHO_BACKSLASH])])
+m4_ifndef([_LT_AC_SHELL_INIT],		[AC_DEFUN([_LT_AC_SHELL_INIT])])
+m4_ifndef([_LT_AC_SYS_LIBPATH_AIX],	[AC_DEFUN([_LT_AC_SYS_LIBPATH_AIX])])
+m4_ifndef([_LT_PROG_LTMAIN],		[AC_DEFUN([_LT_PROG_LTMAIN])])
+m4_ifndef([_LT_AC_TAGVAR],		[AC_DEFUN([_LT_AC_TAGVAR])])
+m4_ifndef([AC_LTDL_ENABLE_INSTALL],	[AC_DEFUN([AC_LTDL_ENABLE_INSTALL])])
+m4_ifndef([AC_LTDL_PREOPEN],		[AC_DEFUN([AC_LTDL_PREOPEN])])
+m4_ifndef([_LT_AC_SYS_COMPILER],	[AC_DEFUN([_LT_AC_SYS_COMPILER])])
+m4_ifndef([_LT_AC_LOCK],		[AC_DEFUN([_LT_AC_LOCK])])
+m4_ifndef([AC_LIBTOOL_SYS_OLD_ARCHIVE],	[AC_DEFUN([AC_LIBTOOL_SYS_OLD_ARCHIVE])])
+m4_ifndef([_LT_AC_TRY_DLOPEN_SELF],	[AC_DEFUN([_LT_AC_TRY_DLOPEN_SELF])])
+m4_ifndef([AC_LIBTOOL_PROG_CC_C_O],	[AC_DEFUN([AC_LIBTOOL_PROG_CC_C_O])])
+m4_ifndef([AC_LIBTOOL_SYS_HARD_LINK_LOCKS], [AC_DEFUN([AC_LIBTOOL_SYS_HARD_LINK_LOCKS])])
+m4_ifndef([AC_LIBTOOL_OBJDIR],		[AC_DEFUN([AC_LIBTOOL_OBJDIR])])
+m4_ifndef([AC_LTDL_OBJDIR],		[AC_DEFUN([AC_LTDL_OBJDIR])])
+m4_ifndef([AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH], [AC_DEFUN([AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH])])
+m4_ifndef([AC_LIBTOOL_SYS_LIB_STRIP],	[AC_DEFUN([AC_LIBTOOL_SYS_LIB_STRIP])])
+m4_ifndef([AC_PATH_MAGIC],		[AC_DEFUN([AC_PATH_MAGIC])])
+m4_ifndef([AC_PROG_LD_GNU],		[AC_DEFUN([AC_PROG_LD_GNU])])
+m4_ifndef([AC_PROG_LD_RELOAD_FLAG],	[AC_DEFUN([AC_PROG_LD_RELOAD_FLAG])])
+m4_ifndef([AC_DEPLIBS_CHECK_METHOD],	[AC_DEFUN([AC_DEPLIBS_CHECK_METHOD])])
+m4_ifndef([AC_LIBTOOL_PROG_COMPILER_NO_RTTI], [AC_DEFUN([AC_LIBTOOL_PROG_COMPILER_NO_RTTI])])
+m4_ifndef([AC_LIBTOOL_SYS_GLOBAL_SYMBOL_PIPE], [AC_DEFUN([AC_LIBTOOL_SYS_GLOBAL_SYMBOL_PIPE])])
+m4_ifndef([AC_LIBTOOL_PROG_COMPILER_PIC], [AC_DEFUN([AC_LIBTOOL_PROG_COMPILER_PIC])])
+m4_ifndef([AC_LIBTOOL_PROG_LD_SHLIBS],	[AC_DEFUN([AC_LIBTOOL_PROG_LD_SHLIBS])])
+m4_ifndef([AC_LIBTOOL_POSTDEP_PREDEP],	[AC_DEFUN([AC_LIBTOOL_POSTDEP_PREDEP])])
+m4_ifndef([LT_AC_PROG_EGREP],		[AC_DEFUN([LT_AC_PROG_EGREP])])
+m4_ifndef([LT_AC_PROG_SED],		[AC_DEFUN([LT_AC_PROG_SED])])
+m4_ifndef([_LT_CC_BASENAME],		[AC_DEFUN([_LT_CC_BASENAME])])
+m4_ifndef([_LT_COMPILER_BOILERPLATE],	[AC_DEFUN([_LT_COMPILER_BOILERPLATE])])
+m4_ifndef([_LT_LINKER_BOILERPLATE],	[AC_DEFUN([_LT_LINKER_BOILERPLATE])])
+m4_ifndef([_AC_PROG_LIBTOOL],		[AC_DEFUN([_AC_PROG_LIBTOOL])])
+m4_ifndef([AC_LIBTOOL_SETUP],		[AC_DEFUN([AC_LIBTOOL_SETUP])])
+m4_ifndef([_LT_AC_CHECK_DLFCN],		[AC_DEFUN([_LT_AC_CHECK_DLFCN])])
+m4_ifndef([AC_LIBTOOL_SYS_DYNAMIC_LINKER],	[AC_DEFUN([AC_LIBTOOL_SYS_DYNAMIC_LINKER])])
+m4_ifndef([_LT_AC_TAGCONFIG],		[AC_DEFUN([_LT_AC_TAGCONFIG])])
+m4_ifndef([AC_DISABLE_FAST_INSTALL],	[AC_DEFUN([AC_DISABLE_FAST_INSTALL])])
+m4_ifndef([_LT_AC_LANG_CXX],		[AC_DEFUN([_LT_AC_LANG_CXX])])
+m4_ifndef([_LT_AC_LANG_F77],		[AC_DEFUN([_LT_AC_LANG_F77])])
+m4_ifndef([_LT_AC_LANG_GCJ],		[AC_DEFUN([_LT_AC_LANG_GCJ])])
+m4_ifndef([AC_LIBTOOL_RC],		[AC_DEFUN([AC_LIBTOOL_RC])])
+m4_ifndef([AC_LIBTOOL_LANG_C_CONFIG],	[AC_DEFUN([AC_LIBTOOL_LANG_C_CONFIG])])
+m4_ifndef([_LT_AC_LANG_C_CONFIG],	[AC_DEFUN([_LT_AC_LANG_C_CONFIG])])
+m4_ifndef([AC_LIBTOOL_LANG_CXX_CONFIG],	[AC_DEFUN([AC_LIBTOOL_LANG_CXX_CONFIG])])
+m4_ifndef([_LT_AC_LANG_CXX_CONFIG],	[AC_DEFUN([_LT_AC_LANG_CXX_CONFIG])])
+m4_ifndef([AC_LIBTOOL_LANG_F77_CONFIG],	[AC_DEFUN([AC_LIBTOOL_LANG_F77_CONFIG])])
+m4_ifndef([_LT_AC_LANG_F77_CONFIG],	[AC_DEFUN([_LT_AC_LANG_F77_CONFIG])])
+m4_ifndef([AC_LIBTOOL_LANG_GCJ_CONFIG],	[AC_DEFUN([AC_LIBTOOL_LANG_GCJ_CONFIG])])
+m4_ifndef([_LT_AC_LANG_GCJ_CONFIG],	[AC_DEFUN([_LT_AC_LANG_GCJ_CONFIG])])
+m4_ifndef([AC_LIBTOOL_LANG_RC_CONFIG],	[AC_DEFUN([AC_LIBTOOL_LANG_RC_CONFIG])])
+m4_ifndef([_LT_AC_LANG_RC_CONFIG],	[AC_DEFUN([_LT_AC_LANG_RC_CONFIG])])
+m4_ifndef([AC_LIBTOOL_CONFIG],		[AC_DEFUN([AC_LIBTOOL_CONFIG])])
+m4_ifndef([_LT_AC_FILE_LTDLL_C],	[AC_DEFUN([_LT_AC_FILE_LTDLL_C])])
diff --git a/m4/macros/enable-disable.m4 b/m4/macros/enable-disable.m4
new file mode 100644
index 000000000..6d7959e4e
--- /dev/null
+++ b/m4/macros/enable-disable.m4
@@ -0,0 +1,32 @@
+
+# ARG_ENABL_SET(option, help)
+# ---------------------------
+# Create a --enable-$1 option with helptext, set a variable $1 to true/false
+AC_DEFUN([ARG_ENABL_SET],
+	[AC_ARG_ENABLE(
+		[$1],
+		AS_HELP_STRING([--enable-$1], [$2]),
+		[if test x$enableval = xyes; then
+			patsubst([$1], [-], [_])=true
+		 else
+			patsubst([$1], [-], [_])=false
+		fi],
+		patsubst([$1], [-], [_])=false
+	)]
+)
+
+# ARG_DISBL_SET(option, help)
+# ---------------------------
+# Create a --disable-$1 option with helptext, set a variable $1 to true/false
+AC_DEFUN([ARG_DISBL_SET],
+	[AC_ARG_ENABLE(
+		[$1],
+		AS_HELP_STRING([--disable-$1], [$2]),
+		[if test x$enableval = xyes; then
+			patsubst([$1], [-], [_])=true
+		 else
+			patsubst([$1], [-], [_])=false
+		fi],
+		patsubst([$1], [-], [_])=true
+	)]
+)
diff --git a/m4/macros/with.m4 b/m4/macros/with.m4
new file mode 100644
index 000000000..908333b47
--- /dev/null
+++ b/m4/macros/with.m4
@@ -0,0 +1,24 @@
+
+# ARG_WITH_SUBST(option, default, help)
+# -----------------------------------
+# Create a --with-$1 option with helptext, AC_SUBST($1) to $withval/default
+AC_DEFUN([ARG_WITH_SUBST],
+	[AC_ARG_WITH(
+		[$1],
+		AS_HELP_STRING([--with-$1=arg], [$3 (default: $2).]),
+		[AC_SUBST(patsubst([$1], [-], [_]), ["$withval"])],
+		[AC_SUBST(patsubst([$1], [-], [_]), ["$2"])]
+	)]
+)
+
+# ARG_WITH_SET(option, default, help)
+# -----------------------------------
+# Create a --with-$1 option with helptext, set a variable $1 to $withval/default
+AC_DEFUN([ARG_WITH_SET],
+	[AC_ARG_WITH(
+		[$1],
+		AS_HELP_STRING([--with-$1=arg], [$3 (default: $2).]),
+		patsubst([$1], [-], [_])="$withval",
+		patsubst([$1], [-], [_])=$2
+	)]
+)
diff --git a/missing b/missing
index 1c8ff7049..28055d2ae 100755
--- a/missing
+++ b/missing
@@ -1,10 +1,10 @@
 #! /bin/sh
 # Common stub for a few missing GNU programs while installing.
 
-scriptversion=2006-05-10.23
+scriptversion=2009-04-28.21; # UTC
 
-# Copyright (C) 1996, 1997, 1999, 2000, 2002, 2003, 2004, 2005, 2006
-#   Free Software Foundation, Inc.
+# Copyright (C) 1996, 1997, 1999, 2000, 2002, 2003, 2004, 2005, 2006,
+# 2008, 2009 Free Software Foundation, Inc.
 # Originally by Fran,cois Pinard <pinard@iro.umontreal.ca>, 1996.
 
 # This program is free software; you can redistribute it and/or modify
@@ -18,9 +18,7 @@ scriptversion=2006-05-10.23
 # GNU General Public License for more details.
 
 # You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
-# 02110-1301, USA.
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 # As a special exception to the GNU General Public License, if you
 # distribute this file as part of a program that contains a
@@ -89,6 +87,9 @@ Supported PROGRAM values:
   tar          try tar, gnutar, gtar, then tar without non-portable flags
   yacc         create \`y.tab.[ch]', if possible, from existing .[ch]
 
+Version suffixes to PROGRAM as well as the prefixes \`gnu-', \`gnu', and
+\`g' are ignored when checking the name.
+
 Send bug reports to <bug-automake@gnu.org>."
     exit $?
     ;;
@@ -106,15 +107,22 @@ Send bug reports to <bug-automake@gnu.org>."
 
 esac
 
+# normalize program name to check for.
+program=`echo "$1" | sed '
+  s/^gnu-//; t
+  s/^gnu//; t
+  s/^g//; t'`
+
 # Now exit if we have it, but it failed.  Also exit now if we
 # don't have it and --version was passed (most likely to detect
-# the program).
+# the program).  This is about non-GNU programs, so use $1 not
+# $program.
 case $1 in
-  lex|yacc)
+  lex*|yacc*)
     # Not GNU programs, they don't have --version.
     ;;
 
-  tar)
+  tar*)
     if test -n "$run"; then
        echo 1>&2 "ERROR: \`tar' requires --run"
        exit 1
@@ -138,7 +146,7 @@ esac
 
 # If it does not exist, or fails to run (possibly an outdated version),
 # try to emulate it.
-case $1 in
+case $program in
   aclocal*)
     echo 1>&2 "\
 WARNING: \`$1' is $msg.  You should only need it if
@@ -148,7 +156,7 @@ WARNING: \`$1' is $msg.  You should only need it if
     touch aclocal.m4
     ;;
 
-  autoconf)
+  autoconf*)
     echo 1>&2 "\
 WARNING: \`$1' is $msg.  You should only need it if
          you modified \`${configure_ac}'.  You might want to install the
@@ -157,7 +165,7 @@ WARNING: \`$1' is $msg.  You should only need it if
     touch configure
     ;;
 
-  autoheader)
+  autoheader*)
     echo 1>&2 "\
 WARNING: \`$1' is $msg.  You should only need it if
          you modified \`acconfig.h' or \`${configure_ac}'.  You might want
@@ -187,7 +195,7 @@ WARNING: \`$1' is $msg.  You should only need it if
 	   while read f; do touch "$f"; done
     ;;
 
-  autom4te)
+  autom4te*)
     echo 1>&2 "\
 WARNING: \`$1' is needed, but is $msg.
          You might have modified some files without having the
@@ -210,7 +218,7 @@ WARNING: \`$1' is needed, but is $msg.
     fi
     ;;
 
-  bison|yacc)
+  bison*|yacc*)
     echo 1>&2 "\
 WARNING: \`$1' $msg.  You should only need it if
          you modified a \`.y' file.  You may need the \`Bison' package
@@ -240,7 +248,7 @@ WARNING: \`$1' $msg.  You should only need it if
     fi
     ;;
 
-  lex|flex)
+  lex*|flex*)
     echo 1>&2 "\
 WARNING: \`$1' is $msg.  You should only need it if
          you modified a \`.l' file.  You may need the \`Flex' package
@@ -263,7 +271,7 @@ WARNING: \`$1' is $msg.  You should only need it if
     fi
     ;;
 
-  help2man)
+  help2man*)
     echo 1>&2 "\
 WARNING: \`$1' is $msg.  You should only need it if
 	 you modified a dependency of a manual page.  You may need the
@@ -277,11 +285,11 @@ WARNING: \`$1' is $msg.  You should only need it if
     else
 	test -z "$file" || exec >$file
 	echo ".ab help2man is required to generate this page"
-	exit 1
+	exit $?
     fi
     ;;
 
-  makeinfo)
+  makeinfo*)
     echo 1>&2 "\
 WARNING: \`$1' is $msg.  You should only need it if
          you modified a \`.texi' or \`.texinfo' file, or any other file
@@ -310,7 +318,7 @@ WARNING: \`$1' is $msg.  You should only need it if
     touch $file
     ;;
 
-  tar)
+  tar*)
     shift
 
     # We have already tried tar in the generic part.
@@ -363,5 +371,6 @@ exit 0
 # eval: (add-hook 'write-file-hooks 'time-stamp)
 # time-stamp-start: "scriptversion="
 # time-stamp-format: "%:y-%02m-%02d.%02H"
-# time-stamp-end: "$"
+# time-stamp-time-zone: "UTC"
+# time-stamp-end: "; # UTC"
 # End:
diff --git a/scripts/Makefile.am b/scripts/Makefile.am
index f8d62b3bc..24e3cd164 100644
--- a/scripts/Makefile.am
+++ b/scripts/Makefile.am
@@ -1,7 +1,6 @@
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
 AM_CFLAGS = \
--DIPSEC_PLUGINDIR=\"${plugindir}\" \
--DSTRONGSWAN_CONF=\"${strongswan_conf}\"
+-DPLUGINS="\"${libstrongswan_plugins}\""
 
 noinst_PROGRAMS = bin2array bin2sql id2sql key2keyid keyid2sql \
 	thread_analysis dh_speed pubkey_speed
diff --git a/scripts/Makefile.in b/scripts/Makefile.in
index 63f0242fe..7d1af0803 100644
--- a/scripts/Makefile.in
+++ b/scripts/Makefile.in
@@ -1,8 +1,9 @@
-# Makefile.in generated by automake 1.10.2 from Makefile.am.
+# Makefile.in generated by automake 1.11 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,8 +17,9 @@
 
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
@@ -38,11 +40,19 @@ noinst_PROGRAMS = bin2array$(EXEEXT) bin2sql$(EXEEXT) id2sql$(EXEEXT) \
 subdir = scripts
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
 CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
 PROGRAMS = $(noinst_PROGRAMS)
 am_bin2array_OBJECTS = bin2array.$(OBJEXT)
 bin2array_OBJECTS = $(am_bin2array_OBJECTS)
@@ -76,6 +86,7 @@ thread_analysis_LDADD = $(LDADD)
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
+am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
@@ -128,25 +139,22 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
-IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
-LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
-LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
-LINUX_HEADERS = @LINUX_HEADERS@
 LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
 NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
@@ -158,11 +166,14 @@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
 PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
+RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
@@ -191,9 +202,9 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
-confdir = @confdir@
 datadir = @datadir@
 datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
@@ -216,7 +227,7 @@ ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
 libstrongswan_plugins = @libstrongswan_plugins@
-linuxdir = @linuxdir@
+linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
@@ -224,6 +235,7 @@ mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
@@ -232,10 +244,12 @@ pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+random_device = @random_device@
 resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
-simreader = @simreader@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
@@ -243,12 +257,12 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
 AM_CFLAGS = \
--DIPSEC_PLUGINDIR=\"${plugindir}\" \
--DSTRONGSWAN_CONF=\"${strongswan_conf}\"
+-DPLUGINS="\"${libstrongswan_plugins}\""
 
 bin2array_SOURCES = bin2array.c
 bin2sql_SOURCES = bin2sql.c
@@ -276,9 +290,9 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  scripts/Makefile'; \
-	cd $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu  scripts/Makefile
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu scripts/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu scripts/Makefile
 .PRECIOUS: Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
@@ -296,13 +310,16 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
 
 clean-noinstPROGRAMS:
-	@list='$(noinst_PROGRAMS)'; for p in $$list; do \
-	  f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
-	  echo " rm -f $$p $$f"; \
-	  rm -f $$p $$f ; \
-	done
+	@list='$(noinst_PROGRAMS)'; test -n "$$list" || exit 0; \
+	echo " rm -f" $$list; \
+	rm -f $$list || exit $$?; \
+	test -n "$(EXEEXT)" || exit 0; \
+	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
+	echo " rm -f" $$list; \
+	rm -f $$list
 bin2array$(EXEEXT): $(bin2array_OBJECTS) $(bin2array_DEPENDENCIES) 
 	@rm -f bin2array$(EXEEXT)
 	$(LINK) $(bin2array_OBJECTS) $(bin2array_LDADD) $(LIBS)
@@ -345,21 +362,21 @@ distclean-compile:
 
 .c.o:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c $<
 
 .c.obj:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
 @am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
@@ -382,7 +399,7 @@ tags: TAGS
 
 TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
+	set x; \
 	here=`pwd`; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
@@ -390,29 +407,34 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
 	  test -n "$$unique" || unique=$$empty_fix; \
-	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	    $$tags $$unique; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
 	fi
 ctags: CTAGS
 CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	test -z "$(CTAGS_ARGS)$$unique" \
 	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$tags $$unique
+	     $$unique
 
 GTAGS:
 	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && cd $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) $$here
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
 
 distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
@@ -433,13 +455,17 @@ distdir: $(DISTFILES)
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
 	  if test -d $$d/$$file; then \
 	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
 	    fi; \
-	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
 	  else \
-	    test -f $(distdir)/$$file \
-	    || cp -p $$d/$$file $(distdir)/$$file \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
 	    || exit 1; \
 	  fi; \
 	done
@@ -467,6 +493,7 @@ clean-generic:
 
 distclean-generic:
 	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -488,6 +515,8 @@ dvi-am:
 
 html: html-am
 
+html-am:
+
 info: info-am
 
 info-am:
@@ -496,18 +525,28 @@ install-data-am:
 
 install-dvi: install-dvi-am
 
+install-dvi-am:
+
 install-exec-am:
 
 install-html: install-html-am
 
+install-html-am:
+
 install-info: install-info-am
 
+install-info-am:
+
 install-man:
 
 install-pdf: install-pdf-am
 
+install-pdf-am:
+
 install-ps: install-ps-am
 
+install-ps-am:
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -545,6 +584,7 @@ uninstall-am:
 	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
 	pdf pdf-am ps ps-am tags uninstall uninstall-am
 
+
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/scripts/bin2array.c b/scripts/bin2array.c
index 4778b446a..5e0ad7c74 100644
--- a/scripts/bin2array.c
+++ b/scripts/bin2array.c
@@ -27,7 +27,7 @@ int main(int argc, char *argv[])
 		{
 			break;
 		}
-	}	
+	}
 	printf("};\n");
 	return 0;
 }
diff --git a/scripts/bin2sql.c b/scripts/bin2sql.c
index 4f83dd3f2..8bc72f842 100644
--- a/scripts/bin2sql.c
+++ b/scripts/bin2sql.c
@@ -18,7 +18,7 @@ int main(int argc, char *argv[])
 			break;
 		}
 		printf("%02x", (unsigned int)byte);
-	}	
+	}
 	printf("'\n");
 	return 0;
 }
diff --git a/scripts/dh_speed.c b/scripts/dh_speed.c
index 76dafe752..b85bf1ad8 100644
--- a/scripts/dh_speed.c
+++ b/scripts/dh_speed.c
@@ -38,7 +38,7 @@ static void start_timing(struct timespec *start)
 static double end_timing(struct timespec *start)
 {
 	struct timespec end;
-	
+
 	clock_gettime(CLOCK_THREAD_CPUTIME_ID, &end);
 	return (end.tv_nsec - start->tv_nsec) / 1000000000.0 +
 			(end.tv_sec - start->tv_sec) * 1.0;
@@ -50,7 +50,7 @@ static void run_test(diffie_hellman_group_t group, int rounds)
 	chunk_t chunk;
 	struct timespec timing;
 	int round;
-	
+
 	r = lib->crypto->create_dh(lib->crypto, group);
 	if (!r)
 	{
@@ -58,24 +58,24 @@ static void run_test(diffie_hellman_group_t group, int rounds)
 				diffie_hellman_group_names, group);
 		return;
 	}
-	
+
 	printf("%N:\t",
 			diffie_hellman_group_names, group);
-	
+
 	start_timing(&timing);
 	for (round = 0; round < rounds; round++)
 	{
 		l[round] = lib->crypto->create_dh(lib->crypto, group);
 	}
 	printf("A = g^a/s: %8.1f", rounds / end_timing(&timing));
-	
+
 	for (round = 0; round < rounds; round++)
 	{
 		l[round]->get_my_public_value(l[round], &chunk);
 		r->set_other_public_value(r, chunk);
 		chunk_free(&chunk);
 	}
-	
+
 	r->get_my_public_value(r, &chunk);
 	start_timing(&timing);
 	for (round = 0; round < rounds; round++)
@@ -84,7 +84,7 @@ static void run_test(diffie_hellman_group_t group, int rounds)
 	}
 	printf(" | S = B^a/s: %8.1f\n", rounds / end_timing(&timing));
 	chunk_free(&chunk);
-	
+
 	for (round = 0; round < rounds; round++)
 	{
 		l[round]->destroy(l[round]);
@@ -95,22 +95,22 @@ static void run_test(diffie_hellman_group_t group, int rounds)
 int main(int argc, char *argv[])
 {
 	int rounds, i, j;
-	
+
 	if (argc < 4)
 	{
 		usage();
 	}
-	
-	library_init(STRONGSWAN_CONF);
-	lib->plugins->load(lib->plugins, IPSEC_PLUGINDIR, argv[1]);
+
+	library_init(NULL);
+	lib->plugins->load(lib->plugins, NULL, argv[1]);
 	atexit(library_deinit);
-	
+
 	rounds = atoi(argv[2]);
-	
+
 	for (i = 3; i < argc; i++)
 	{
 		bool found = FALSE;
-		
+
 		for (j = 0; j < countof(groups); j++)
 		{
 			if (streq(groups[j].name, argv[i]))
diff --git a/scripts/id2sql.c b/scripts/id2sql.c
index 5b0bd1d7d..5bc94f5b6 100644
--- a/scripts/id2sql.c
+++ b/scripts/id2sql.c
@@ -10,7 +10,7 @@ int main(int argc, char *argv[])
 	identification_t *id;
 	chunk_t enc;
 	int i;
-	
+
 	if (argc < 2)
 	{
 		return -1;
@@ -29,7 +29,7 @@ int main(int argc, char *argv[])
 	for (i = 0; i < enc.len; i++)
 	{
 		printf("%02x", (unsigned int)enc.ptr[i]);
-	}	
+	}
 	printf("'\n");
 	return 0;
 }
diff --git a/scripts/key2keyid.c b/scripts/key2keyid.c
index 201670e43..cd6ebc1ed 100644
--- a/scripts/key2keyid.c
+++ b/scripts/key2keyid.c
@@ -15,9 +15,9 @@ int main(int argc, char *argv[])
 	chunk_t chunk;
 	char buf[8096];
 	int read;
-	
+
 	library_init(NULL);
-	lib->plugins->load(lib->plugins, IPSEC_PLUGINDIR, "gmp pubkey sha1");
+	lib->plugins->load(lib->plugins, NULL, PLUGINS);
 	atexit(library_deinit);
 
 	read = fread(buf, 1, sizeof(buf), stdin);
@@ -26,32 +26,40 @@ int main(int argc, char *argv[])
 		fprintf(stderr, "reading key failed.\n");
 		return -1;
 	}
-	
+
 	chunk = chunk_create(buf, read);
-	
+
 	private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
-								 BUILD_BLOB_ASN1_DER, chunk_clone(chunk),
+								 BUILD_BLOB_PEM, chunk_clone(chunk),
 								 BUILD_END);
 	if (private)
 	{
 		printf("parsed %d bits %N private key.\n",
 			   private->get_keysize(private)*8,
 			   key_type_names, private->get_type(private));
-		printf("%N is:\t %D\n", id_type_names, ID_PUBKEY_INFO_SHA1,
-			   private->get_id(private, ID_PUBKEY_INFO_SHA1));
-		printf("%N is:\t %D\n", id_type_names, ID_PUBKEY_SHA1,
-			   private->get_id(private, ID_PUBKEY_SHA1));
+		if (private->get_fingerprint(private, KEY_ID_PUBKEY_INFO_SHA1, &chunk))
+		{
+			printf("subjectPublicKeyInfo keyid: %#B\n", &chunk);
+		}
+		if (private->get_fingerprint(private, KEY_ID_PUBKEY_SHA1, &chunk))
+		{
+			printf("subjectPublicKey keyid:     %#B\n", &chunk);
+		}
+		if (private->get_fingerprint(private, KEY_ID_PGPV3, &chunk))
+		{
+			printf("PGP verison 3 keyid:        %#B\n", &chunk);
+		}
 		private->destroy(private);
 		return 0;
 	}
-	
+
 	public = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ANY,
-								BUILD_BLOB_ASN1_DER, chunk_clone(chunk),
+								BUILD_BLOB_PEM, chunk_clone(chunk),
 								BUILD_END);
 	if (!public)
 	{
 		public = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
-									BUILD_BLOB_ASN1_DER, chunk_clone(chunk),
+									BUILD_BLOB_PEM, chunk_clone(chunk),
 									BUILD_END);
 	}
 	if (public)
@@ -59,14 +67,22 @@ int main(int argc, char *argv[])
 		printf("parsed %d bits %N public key.\n",
 			   public->get_keysize(public)*8,
 			   key_type_names, public->get_type(public));
-		printf("%N is:\t %D\n", id_type_names, ID_PUBKEY_INFO_SHA1,
-			   public->get_id(public, ID_PUBKEY_INFO_SHA1));
-		printf("%N is:\t %D\n", id_type_names, ID_PUBKEY_SHA1,
-			   public->get_id(public, ID_PUBKEY_SHA1));
+		if (public->get_fingerprint(public, KEY_ID_PUBKEY_INFO_SHA1, &chunk))
+		{
+			printf("subjectPublicKeyInfo keyid: %#B\n", &chunk);
+		}
+		if (public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1, &chunk))
+		{
+			printf("subjectPublicKey keyid:     %#B\n", &chunk);
+		}
+		if (public->get_fingerprint(public, KEY_ID_PGPV3, &chunk))
+		{
+			printf("PGP verison 3 keyid:        %#B\n", &chunk);
+		}
 		public->destroy(public);
 		return 0;
 	}
-	
+
 	fprintf(stderr, "unable to parse input key.\n");
 	return -1;
 }
diff --git a/scripts/keyid2sql.c b/scripts/keyid2sql.c
index 588bd7ac0..2d17c273d 100644
--- a/scripts/keyid2sql.c
+++ b/scripts/keyid2sql.c
@@ -2,11 +2,9 @@
 #include <stdio.h>
 #include <library.h>
 #include <debug.h>
-#include <utils/identification.h>
 #include <credentials/keys/private_key.h>
 #include <credentials/keys/public_key.h>
 
-
 /**
  * print the keyids of a private or public key in sql format
  */
@@ -14,13 +12,12 @@ int main(int argc, char *argv[])
 {
 	public_key_t *public;
 	private_key_t *private;
-	identification_t *keyid;
 	chunk_t chunk;
 	char buf[8096];
 	int read, n;
-	
+
 	library_init(NULL);
-	lib->plugins->load(lib->plugins, IPSEC_PLUGINDIR, "gmp pubkey sha1");
+	lib->plugins->load(lib->plugins, NULL, PLUGINS);
 	atexit(library_deinit);
 
 	read = fread(buf, 1, sizeof(buf), stdin);
@@ -29,51 +26,51 @@ int main(int argc, char *argv[])
 		fprintf(stderr, "reading key failed.\n");
 		return -1;
 	}
-	
+
 	chunk = chunk_create(buf, read);
-	
+
 	private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
-								 BUILD_BLOB_ASN1_DER, chunk_clone(chunk),
+								 BUILD_BLOB_PEM, chunk_clone(chunk),
 								 BUILD_END);
 	if (private)
 	{
-		keyid = private->get_id(private, ID_PUBKEY_INFO_SHA1);
-		chunk = keyid->get_encoding(keyid);
-
-		printf("%d, X'", ID_PUBKEY_INFO_SHA1);
-		for (n = 0; n < chunk.len; n++)
+		if (private->get_fingerprint(private, KEY_ID_PUBKEY_SHA1, &chunk))
 		{
-			printf("%.2x", chunk.ptr[n]);
+			printf("%d, X'", ID_KEY_ID);
+			for (n = 0; n < chunk.len; n++)
+			{
+				printf("%.2x", chunk.ptr[n]);
+			}
+			printf("'\n");
 		}
-		printf("'\n");
 		private->destroy(private);
 		return 0;
 	}
-	
+
 	public = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ANY,
-								BUILD_BLOB_ASN1_DER, chunk_clone(chunk),
+								BUILD_BLOB_PEM, chunk_clone(chunk),
 								BUILD_END);
 	if (!public)
 	{
 		public = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
-									BUILD_BLOB_ASN1_DER, chunk_clone(chunk),
+									BUILD_BLOB_PEM, chunk_clone(chunk),
 									BUILD_END);
 	}
 	if (public)
 	{
-		keyid = public->get_id(public, ID_PUBKEY_INFO_SHA1);
-		chunk = keyid->get_encoding(keyid);
-
-		printf("%d, X'", ID_PUBKEY_INFO_SHA1);
-		for (n = 0; n < chunk.len; n++)
+		if (public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1, &chunk))
 		{
-			printf("%.2x", chunk.ptr[n]);
+			printf("%d, X'", ID_KEY_ID);
+			for (n = 0; n < chunk.len; n++)
+			{
+				printf("%.2x", chunk.ptr[n]);
+			}
+			printf("'\n");
 		}
-		printf("'\n");
 		public->destroy(public);
 		return 0;
 	}
-	
+
 	fprintf(stderr, "unable to parse input key.\n");
 	return -1;
 }
diff --git a/scripts/pubkey_speed.c b/scripts/pubkey_speed.c
index 86a4e105b..255f650f5 100644
--- a/scripts/pubkey_speed.c
+++ b/scripts/pubkey_speed.c
@@ -4,7 +4,6 @@
 #include <library.h>
 #include <debug.h>
 #include <credentials/keys/private_key.h>
-#include <asn1/pem.h>
 
 void start_timing(struct timespec *start)
 {
@@ -14,7 +13,7 @@ void start_timing(struct timespec *start)
 double end_timing(struct timespec *start)
 {
 	struct timespec end;
-	
+
 	clock_gettime(CLOCK_THREAD_CPUTIME_ID, &end);
 	return (end.tv_nsec - start->tv_nsec) / 1000000000.0 +
 			(end.tv_sec - start->tv_sec) * 1.0;
@@ -26,8 +25,6 @@ static void usage()
 	exit(1);
 }
 
-static char data_buf[] = {0x01,0x02,0x03,0x04,0x05,0x06,0x07};
-
 int main(int argc, char *argv[])
 {
 	private_key_t *private;
@@ -37,15 +34,15 @@ int main(int argc, char *argv[])
 	char buf[8096], *pos = buf;
 	key_type_t type = KEY_ANY;
 	signature_scheme_t scheme = SIGN_UNKNOWN;
-	chunk_t keydata, *sigs, data = chunk_from_buf(data_buf);
-	
+	chunk_t keydata, *sigs, data;
+
 	if (argc < 4)
 	{
 		usage();
 	}
-	
+
 	rounds = atoi(argv[3]);
-	
+
 	if (streq(argv[2], "rsa"))
 	{
 		type = KEY_RSA;
@@ -59,25 +56,20 @@ int main(int argc, char *argv[])
 	{
 		usage();
 	}
-	
-	library_init(STRONGSWAN_CONF);
-	lib->plugins->load(lib->plugins, IPSEC_PLUGINDIR, argv[1]);
+
+	library_init(NULL);
+	lib->plugins->load(lib->plugins, NULL, argv[1]);
 	atexit(library_deinit);
-	
+
 	keydata = chunk_create(buf, 0);
 	while ((read = fread(pos, 1, sizeof(buf) - (pos - buf), stdin)))
 	{
 		pos += read;
 		keydata.len += read;
 	}
-	if (pem_to_bin(&keydata, chunk_empty, NULL) != SUCCESS)
-	{
-		printf("converting PEM private key failed.\n");
-		exit(1);
-	}
-	
+
 	private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type,
-								 BUILD_BLOB_ASN1_DER, keydata, BUILD_END);
+								 BUILD_BLOB_PEM, keydata, BUILD_END);
 	if (!private)
 	{
 		printf("parsing private key failed.\n");
@@ -88,7 +80,7 @@ int main(int argc, char *argv[])
 		switch (private->get_keysize(private))
 		{
 			case 32:
-				scheme = SIGN_ECDSA_256; 
+				scheme = SIGN_ECDSA_256;
 				break;
 			case 48:
 				scheme = SIGN_ECDSA_384;
@@ -102,12 +94,13 @@ int main(int argc, char *argv[])
 				exit(1);
 		}
 	}
-	
+
 	printf("%4d bit %N: ", private->get_keysize(private)*8,
 		key_type_names, type);
-	
+
 	sigs = malloc(sizeof(chunk_t) * rounds);
-	
+
+	data = chunk_from_chars(0x01,0x02,0x03,0x04,0x05,0x06,0x07);
 	start_timing(&timing);
 	for (round = 0; round < rounds; round++)
 	{
@@ -118,7 +111,7 @@ int main(int argc, char *argv[])
 		}
 	};
 	printf("sign()/s: %8.1f   ", rounds / end_timing(&timing));
-	
+
 	public = private->get_public_key(private);
 	if (!public)
 	{
@@ -137,7 +130,7 @@ int main(int argc, char *argv[])
 	printf("verify()/s: %8.1f\n", rounds / end_timing(&timing));
 	public->destroy(public);
 	private->destroy(private);
-	
+
 	for (round = 0; round < rounds; round++)
 	{
 		free(sigs[round].ptr);
diff --git a/scripts/thread_analysis.c b/scripts/thread_analysis.c
index 53cd04359..7670ce1f8 100644
--- a/scripts/thread_analysis.c
+++ b/scripts/thread_analysis.c
@@ -1,5 +1,5 @@
 /* Analyzes the concurrent use of charon's threads
- * 
+ *
  * Copyright (C) 2008 Andreas Steffen
  * Hochschule fuer Technik Rapperswil
  *
@@ -52,7 +52,7 @@ static int readline(FILE *fd, char *line)
 			*line = '\0';
 			return 1;
 		}
-		line++;		
+		line++;
 	}
 	*line = '\0';
 	return 0;
@@ -69,14 +69,14 @@ static void printline(state_t *state, char *timestamp)
 	for (th = 1; th <= THREADS; th++)
 	{
 		states[state[th]]++;
-		printf("<td class=\"%s\"></td>", state_names[state[th]]);	
+		printf("<td class=\"%s\"></td>", state_names[state[th]]);
 	}
 	total = states[STATE_INIT] + states[STATE_AUTH] + states[STATE_BUSY] + states[STATE_RETRY];
 	printf("<td class=\"init\">%d</td><td class=\"auth\">%d</td><td class=\"busy\">%d</td>",
 			states[STATE_INIT], states[STATE_AUTH], total);
 	for (th = 10; th <= (THREADS + 2); th += 5)
 	{
-		printf("<td class=\"%s\"></td>", (th <= total + 2)? "busy":"idle");	
+		printf("<td class=\"%s\"></td>", (th <= total + 2)? "busy":"idle");
 	}
 	printf("\n");
 	printf("    </tr>\n");
@@ -91,13 +91,13 @@ int main(int argc, char *argv[])
 	FILE *fd;
 
 	state_t state[THREADS + 1];
-	
+
 	/* threads 1..5 and 9 are always busy */
 	for (th = 1; th <= THREADS; th++)
 	{
 		state[th] = (th <= 7 && th != 3)? STATE_BUSY : STATE_IDLE;
 	}
-  
+
 	/* open the log file */
 	fd = fopen(LOGFILE, "r");
 	if (!fd)
@@ -135,16 +135,16 @@ int main(int argc, char *argv[])
 	printf("      <td class=\"log\">Timestamp</td>");
 	for (th = 1 ; th <= THREADS; th++)
 	{
-		printf("<td>%02d</td>", th);	
+		printf("<td>%02d</td>", th);
 	}
 	printf("<td class=\"init\">I</td><td class=\"auth\">A</td><td class=\"busy\">B</td>");
 	for (th = 10; th <= (THREADS + 2); th += 5)
 	{
-		printf("<td class=\"busy\">%d</td>", (th == 100)? 99:th);	
+		printf("<td class=\"busy\">%d</td>", (th == 100)? 99:th);
 	}
 	printf("\n");
 	printf("    </tr>\n");
-	
+
 	while (readline(fd, line))
 	{
 		char *p_section, *p_charon, *p_thread, *p_log;
@@ -170,7 +170,7 @@ int main(int argc, char *argv[])
 		{
 			continue;
 		}
-		
+
 		/* determine thread */
 		p_thread = p_charon + 8;
 		th = atol(p_thread);
@@ -268,6 +268,6 @@ int main(int argc, char *argv[])
 	printf("</body>\n");
 	printf("</html>\n");
 
-	fclose(fd);	
+	fclose(fd);
 	return 0;
 }
diff --git a/src/Makefile.am b/src/Makefile.am
index ebdaa6a63..ae3ec8a20 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -4,6 +4,10 @@ if USE_LIBSTRONGSWAN
   SUBDIRS += libstrongswan
 endif
 
+if USE_SIMAKA
+  SUBDIRS += libsimaka
+endif
+
 if USE_FILE_CONFIG
   SUBDIRS += libfreeswan starter ipsec _copyright
 endif
@@ -25,7 +29,7 @@ if USE_UPDOWN
 endif
 
 if USE_TOOLS
-  SUBDIRS += openac scepclient
+  SUBDIRS += openac scepclient pki
 endif
 
 if USE_DUMM
@@ -50,6 +54,6 @@ endif
 
 EXTRA_DIST = strongswan.conf
 
-install-exec-local :	
+install-exec-local :
 		test -e "$(DESTDIR)${sysconfdir}" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)"
 		test -e "$(DESTDIR)$(sysconfdir)/strongswan.conf" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -m 640 $(srcdir)/strongswan.conf $(DESTDIR)$(sysconfdir)/strongswan.conf || true
diff --git a/src/Makefile.in b/src/Makefile.in
index 18da06f7b..2e305f50a 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -1,8 +1,9 @@
-# Makefile.in generated by automake 1.10.2 from Makefile.am.
+# Makefile.in generated by automake 1.11 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -15,8 +16,9 @@
 @SET_MAKE@
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
@@ -32,25 +34,34 @@ POST_UNINSTALL = :
 build_triplet = @build@
 host_triplet = @host@
 @USE_LIBSTRONGSWAN_TRUE@am__append_1 = libstrongswan
-@USE_FILE_CONFIG_TRUE@am__append_2 = libfreeswan starter ipsec _copyright
-@USE_PLUTO_TRUE@am__append_3 = pluto whack
-@USE_CHARON_TRUE@am__append_4 = charon
-@USE_STROKE_TRUE@am__append_5 = stroke
-@USE_UPDOWN_TRUE@am__append_6 = _updown _updown_espmark
-@USE_TOOLS_TRUE@am__append_7 = openac scepclient
-@USE_DUMM_TRUE@am__append_8 = dumm
-@USE_FAST_TRUE@am__append_9 = libfast
-@USE_MANAGER_TRUE@am__append_10 = manager
-@USE_MEDSRV_TRUE@am__append_11 = medsrv
-@USE_INTEGRITY_TEST_TRUE@am__append_12 = checksum
+@USE_SIMAKA_TRUE@am__append_2 = libsimaka
+@USE_FILE_CONFIG_TRUE@am__append_3 = libfreeswan starter ipsec _copyright
+@USE_PLUTO_TRUE@am__append_4 = pluto whack
+@USE_CHARON_TRUE@am__append_5 = charon
+@USE_STROKE_TRUE@am__append_6 = stroke
+@USE_UPDOWN_TRUE@am__append_7 = _updown _updown_espmark
+@USE_TOOLS_TRUE@am__append_8 = openac scepclient pki
+@USE_DUMM_TRUE@am__append_9 = dumm
+@USE_FAST_TRUE@am__append_10 = libfast
+@USE_MANAGER_TRUE@am__append_11 = manager
+@USE_MEDSRV_TRUE@am__append_12 = medsrv
+@USE_INTEGRITY_TEST_TRUE@am__append_13 = checksum
 subdir = src
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
 CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
 SOURCES =
 DIST_SOURCES =
 RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \
@@ -62,12 +73,41 @@ RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \
 	ps-recursive uninstall-recursive
 RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive	\
   distclean-recursive maintainer-clean-recursive
+AM_RECURSIVE_TARGETS = $(RECURSIVE_TARGETS:-recursive=) \
+	$(RECURSIVE_CLEAN_TARGETS:-recursive=) tags TAGS ctags CTAGS \
+	distdir
 ETAGS = etags
 CTAGS = ctags
-DIST_SUBDIRS = . include libstrongswan libfreeswan starter ipsec \
-	_copyright pluto whack charon stroke _updown _updown_espmark \
-	openac scepclient dumm libfast manager medsrv checksum
+DIST_SUBDIRS = . include libstrongswan libsimaka libfreeswan starter \
+	ipsec _copyright pluto whack charon stroke _updown \
+	_updown_espmark openac scepclient pki dumm libfast manager \
+	medsrv checksum
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+am__relativize = \
+  dir0=`pwd`; \
+  sed_first='s,^\([^/]*\)/.*$$,\1,'; \
+  sed_rest='s,^[^/]*/*,,'; \
+  sed_last='s,^.*/\([^/]*\)$$,\1,'; \
+  sed_butlast='s,/*[^/]*$$,,'; \
+  while test -n "$$dir1"; do \
+    first=`echo "$$dir1" | sed -e "$$sed_first"`; \
+    if test "$$first" != "."; then \
+      if test "$$first" = ".."; then \
+        dir2=`echo "$$dir0" | sed -e "$$sed_last"`/"$$dir2"; \
+        dir0=`echo "$$dir0" | sed -e "$$sed_butlast"`; \
+      else \
+        first2=`echo "$$dir2" | sed -e "$$sed_first"`; \
+        if test "$$first2" = "$$first"; then \
+          dir2=`echo "$$dir2" | sed -e "$$sed_rest"`; \
+        else \
+          dir2="../$$dir2"; \
+        fi; \
+        dir0="$$dir0"/"$$first"; \
+      fi; \
+    fi; \
+    dir1=`echo "$$dir1" | sed -e "$$sed_rest"`; \
+  done; \
+  reldir="$$dir2"
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
@@ -101,25 +141,22 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
-IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
-LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
-LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
-LINUX_HEADERS = @LINUX_HEADERS@
 LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
 NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
@@ -131,11 +168,14 @@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
 PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
+RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
@@ -164,9 +204,9 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
-confdir = @confdir@
 datadir = @datadir@
 datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
@@ -189,7 +229,7 @@ ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
 libstrongswan_plugins = @libstrongswan_plugins@
-linuxdir = @linuxdir@
+linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
@@ -197,6 +237,7 @@ mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
@@ -205,10 +246,12 @@ pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+random_device = @random_device@
 resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
-simreader = @simreader@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
@@ -216,12 +259,14 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 SUBDIRS = . include $(am__append_1) $(am__append_2) $(am__append_3) \
 	$(am__append_4) $(am__append_5) $(am__append_6) \
 	$(am__append_7) $(am__append_8) $(am__append_9) \
-	$(am__append_10) $(am__append_11) $(am__append_12)
+	$(am__append_10) $(am__append_11) $(am__append_12) \
+	$(am__append_13)
 EXTRA_DIST = strongswan.conf
 all: all-recursive
 
@@ -235,9 +280,9 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/Makefile'; \
-	cd $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu  src/Makefile
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/Makefile
 .PRECIOUS: Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
@@ -255,6 +300,7 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -286,7 +332,7 @@ $(RECURSIVE_TARGETS):
 	  else \
 	    local_target="$$target"; \
 	  fi; \
-	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
+	  ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
 	  || eval $$failcom; \
 	done; \
 	if test "$$dot_seen" = "no"; then \
@@ -320,16 +366,16 @@ $(RECURSIVE_CLEAN_TARGETS):
 	  else \
 	    local_target="$$target"; \
 	  fi; \
-	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
+	  ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
 	  || eval $$failcom; \
 	done && test -z "$$fail"
 tags-recursive:
 	list='$(SUBDIRS)'; for subdir in $$list; do \
-	  test "$$subdir" = . || (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) tags); \
+	  test "$$subdir" = . || ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) tags); \
 	done
 ctags-recursive:
 	list='$(SUBDIRS)'; for subdir in $$list; do \
-	  test "$$subdir" = . || (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) ctags); \
+	  test "$$subdir" = . || ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) ctags); \
 	done
 
 ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
@@ -344,7 +390,7 @@ tags: TAGS
 
 TAGS: tags-recursive $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
+	set x; \
 	here=`pwd`; \
 	if ($(ETAGS) --etags-include --version) >/dev/null 2>&1; then \
 	  include_option=--etags-include; \
@@ -356,7 +402,7 @@ TAGS: tags-recursive $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	list='$(SUBDIRS)'; for subdir in $$list; do \
 	  if test "$$subdir" = .; then :; else \
 	    test ! -f $$subdir/TAGS || \
-	      tags="$$tags $$include_option=$$here/$$subdir/TAGS"; \
+	      set "$$@" "$$include_option=$$here/$$subdir/TAGS"; \
 	  fi; \
 	done; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
@@ -365,29 +411,34 @@ TAGS: tags-recursive $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
 	  test -n "$$unique" || unique=$$empty_fix; \
-	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	    $$tags $$unique; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
 	fi
 ctags: CTAGS
 CTAGS: ctags-recursive $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	test -z "$(CTAGS_ARGS)$$unique" \
 	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$tags $$unique
+	     $$unique
 
 GTAGS:
 	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && cd $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) $$here
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
 
 distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
@@ -408,29 +459,44 @@ distdir: $(DISTFILES)
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
 	  if test -d $$d/$$file; then \
 	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
 	    fi; \
-	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
 	  else \
-	    test -f $(distdir)/$$file \
-	    || cp -p $$d/$$file $(distdir)/$$file \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
 	    || exit 1; \
 	  fi; \
 	done
-	list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
+	@list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
 	  if test "$$subdir" = .; then :; else \
 	    test -d "$(distdir)/$$subdir" \
 	    || $(MKDIR_P) "$(distdir)/$$subdir" \
 	    || exit 1; \
-	    distdir=`$(am__cd) $(distdir) && pwd`; \
-	    top_distdir=`$(am__cd) $(top_distdir) && pwd`; \
-	    (cd $$subdir && \
+	  fi; \
+	done
+	@list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
+	  if test "$$subdir" = .; then :; else \
+	    dir1=$$subdir; dir2="$(distdir)/$$subdir"; \
+	    $(am__relativize); \
+	    new_distdir=$$reldir; \
+	    dir1=$$subdir; dir2="$(top_distdir)"; \
+	    $(am__relativize); \
+	    new_top_distdir=$$reldir; \
+	    echo " (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) top_distdir="$$new_top_distdir" distdir="$$new_distdir" \\"; \
+	    echo "     am__remove_distdir=: am__skip_length_check=: am__skip_mode_fix=: distdir)"; \
+	    ($(am__cd) $$subdir && \
 	      $(MAKE) $(AM_MAKEFLAGS) \
-	        top_distdir="$$top_distdir" \
-	        distdir="$$distdir/$$subdir" \
+	        top_distdir="$$new_top_distdir" \
+	        distdir="$$new_distdir" \
 		am__remove_distdir=: \
 		am__skip_length_check=: \
+		am__skip_mode_fix=: \
 	        distdir) \
 	      || exit 1; \
 	  fi; \
@@ -460,6 +526,7 @@ clean-generic:
 
 distclean-generic:
 	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -478,6 +545,8 @@ dvi-am:
 
 html: html-recursive
 
+html-am:
+
 info: info-recursive
 
 info-am:
@@ -486,18 +555,28 @@ install-data-am:
 
 install-dvi: install-dvi-recursive
 
+install-dvi-am:
+
 install-exec-am: install-exec-local
 
 install-html: install-html-recursive
 
+install-html-am:
+
 install-info: install-info-recursive
 
+install-info-am:
+
 install-man:
 
 install-pdf: install-pdf-recursive
 
+install-pdf-am:
+
 install-ps: install-ps-recursive
 
+install-ps-am:
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-recursive
@@ -518,8 +597,8 @@ ps-am:
 
 uninstall-am:
 
-.MAKE: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) install-am \
-	install-strip
+.MAKE: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) ctags-recursive \
+	install-am install-strip tags-recursive
 
 .PHONY: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) CTAGS GTAGS \
 	all all-am check check-am clean clean-generic clean-libtool \
@@ -536,9 +615,10 @@ uninstall-am:
 	ps ps-am tags tags-recursive uninstall uninstall-am
 
 
-install-exec-local :	
+install-exec-local :
 		test -e "$(DESTDIR)${sysconfdir}" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)"
 		test -e "$(DESTDIR)$(sysconfdir)/strongswan.conf" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -m 640 $(srcdir)/strongswan.conf $(DESTDIR)$(sysconfdir)/strongswan.conf || true
+
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/src/_copyright/Makefile.in b/src/_copyright/Makefile.in
index fabc84a29..fe529a151 100644
--- a/src/_copyright/Makefile.in
+++ b/src/_copyright/Makefile.in
@@ -1,8 +1,9 @@
-# Makefile.in generated by automake 1.10.2 from Makefile.am.
+# Makefile.in generated by automake 1.11 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,8 +17,9 @@
 
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
@@ -37,13 +39,20 @@ subdir = src/_copyright
 DIST_COMMON = $(dist_man8_MANS) $(srcdir)/Makefile.am \
 	$(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
 CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
 am__installdirs = "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man8dir)"
-ipsecPROGRAMS_INSTALL = $(INSTALL_PROGRAM)
 PROGRAMS = $(ipsec_PROGRAMS)
 am__copyright_OBJECTS = _copyright.$(OBJEXT)
 _copyright_OBJECTS = $(am__copyright_OBJECTS)
@@ -53,6 +62,7 @@ _copyright_DEPENDENCIES =  \
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
+am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
@@ -64,6 +74,27 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(_copyright_SOURCES)
 DIST_SOURCES = $(_copyright_SOURCES)
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 man8dir = $(mandir)/man8
 NROFF = nroff
 MANS = $(dist_man8_MANS)
@@ -103,25 +134,22 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
-IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
-LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
-LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
-LINUX_HEADERS = @LINUX_HEADERS@
 LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
 NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
@@ -133,11 +161,14 @@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
 PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
+RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
@@ -166,9 +197,9 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
-confdir = @confdir@
 datadir = @datadir@
 datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
@@ -191,7 +222,7 @@ ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
 libstrongswan_plugins = @libstrongswan_plugins@
-linuxdir = @linuxdir@
+linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
@@ -199,6 +230,7 @@ mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
@@ -207,10 +239,12 @@ pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+random_device = @random_device@
 resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
-simreader = @simreader@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
@@ -218,6 +252,7 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 _copyright_SOURCES = _copyright.c
@@ -240,9 +275,9 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/_copyright/Makefile'; \
-	cd $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu  src/_copyright/Makefile
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/_copyright/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/_copyright/Makefile
 .PRECIOUS: Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
@@ -260,34 +295,50 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
 install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
 	@$(NORMAL_INSTALL)
 	test -z "$(ipsecdir)" || $(MKDIR_P) "$(DESTDIR)$(ipsecdir)"
-	@list='$(ipsec_PROGRAMS)'; for p in $$list; do \
-	  p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
-	  if test -f $$p \
-	     || test -f $$p1 \
-	  ; then \
-	    f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \
-	   echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(ipsecPROGRAMS_INSTALL) '$$p' '$(DESTDIR)$(ipsecdir)/$$f'"; \
-	   $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(ipsecPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(ipsecdir)/$$f" || exit 1; \
-	  else :; fi; \
-	done
+	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
+	for p in $$list; do echo "$$p $$p"; done | \
+	sed 's/$(EXEEXT)$$//' | \
+	while read p p1; do if test -f $$p || test -f $$p1; \
+	  then echo "$$p"; echo "$$p"; else :; fi; \
+	done | \
+	sed -e 'p;s,.*/,,;n;h' -e 's|.*|.|' \
+	    -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \
+	sed 'N;N;N;s,\n, ,g' | \
+	$(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \
+	  { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \
+	    if ($$2 == $$4) files[d] = files[d] " " $$1; \
+	    else { print "f", $$3 "/" $$4, $$1; } } \
+	  END { for (d in files) print "f", d, files[d] }' | \
+	while read type dir files; do \
+	    if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \
+	    test -z "$$files" || { \
+	    echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(ipsecdir)$$dir'"; \
+	    $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(ipsecdir)$$dir" || exit $$?; \
+	    } \
+	; done
 
 uninstall-ipsecPROGRAMS:
 	@$(NORMAL_UNINSTALL)
-	@list='$(ipsec_PROGRAMS)'; for p in $$list; do \
-	  f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \
-	  echo " rm -f '$(DESTDIR)$(ipsecdir)/$$f'"; \
-	  rm -f "$(DESTDIR)$(ipsecdir)/$$f"; \
-	done
+	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
+	files=`for p in $$list; do echo "$$p"; done | \
+	  sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \
+	      -e 's/$$/$(EXEEXT)/' `; \
+	test -n "$$list" || exit 0; \
+	echo " ( cd '$(DESTDIR)$(ipsecdir)' && rm -f" $$files ")"; \
+	cd "$(DESTDIR)$(ipsecdir)" && rm -f $$files
 
 clean-ipsecPROGRAMS:
-	@list='$(ipsec_PROGRAMS)'; for p in $$list; do \
-	  f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
-	  echo " rm -f $$p $$f"; \
-	  rm -f $$p $$f ; \
-	done
+	@list='$(ipsec_PROGRAMS)'; test -n "$$list" || exit 0; \
+	echo " rm -f" $$list; \
+	rm -f $$list || exit $$?; \
+	test -n "$(EXEEXT)" || exit 0; \
+	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
+	echo " rm -f" $$list; \
+	rm -f $$list
 _copyright$(EXEEXT): $(_copyright_OBJECTS) $(_copyright_DEPENDENCIES) 
 	@rm -f _copyright$(EXEEXT)
 	$(LINK) $(_copyright_OBJECTS) $(_copyright_LDADD) $(LIBS)
@@ -302,21 +353,21 @@ distclean-compile:
 
 .c.o:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c $<
 
 .c.obj:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
 @am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
@@ -326,51 +377,40 @@ mostlyclean-libtool:
 
 clean-libtool:
 	-rm -rf .libs _libs
-install-man8: $(man8_MANS) $(man_MANS)
+install-man8: $(dist_man8_MANS)
 	@$(NORMAL_INSTALL)
 	test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)"
-	@list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \
-	l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
-	for i in $$l2; do \
-	  case "$$i" in \
-	    *.8*) list="$$list $$i" ;; \
-	  esac; \
+	@list='$(dist_man8_MANS)'; test -n "$(man8dir)" || exit 0; \
+	{ for i in $$list; do echo "$$i"; done; \
+	} | while read p; do \
+	  if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
+	  echo "$$d$$p"; echo "$$p"; \
+	done | \
+	sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \
+	      -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \
+	sed 'N;N;s,\n, ,g' | { \
+	list=; while read file base inst; do \
+	  if test "$$base" = "$$inst"; then list="$$list $$file"; else \
+	    echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \
+	    $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst" || exit $$?; \
+	  fi; \
 	done; \
-	for i in $$list; do \
-	  if test -f $$i; then file=$$i; \
-	  else file=$(srcdir)/$$i; fi; \
-	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
-	  case "$$ext" in \
-	    8*) ;; \
-	    *) ext='8' ;; \
-	  esac; \
-	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
-	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
-	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
-	  echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \
-	  $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst"; \
-	done
+	for i in $$list; do echo "$$i"; done | $(am__base_list) | \
+	while read files; do \
+	  test -z "$$files" || { \
+	    echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man8dir)'"; \
+	    $(INSTALL_DATA) $$files "$(DESTDIR)$(man8dir)" || exit $$?; }; \
+	done; }
+
 uninstall-man8:
 	@$(NORMAL_UNINSTALL)
-	@list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \
-	l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
-	for i in $$l2; do \
-	  case "$$i" in \
-	    *.8*) list="$$list $$i" ;; \
-	  esac; \
-	done; \
-	for i in $$list; do \
-	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
-	  case "$$ext" in \
-	    8*) ;; \
-	    *) ext='8' ;; \
-	  esac; \
-	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
-	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
-	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
-	  echo " rm -f '$(DESTDIR)$(man8dir)/$$inst'"; \
-	  rm -f "$(DESTDIR)$(man8dir)/$$inst"; \
-	done
+	@list='$(dist_man8_MANS)'; test -n "$(man8dir)" || exit 0; \
+	files=`{ for i in $$list; do echo "$$i"; done; \
+	} | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \
+	      -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
+	test -z "$$files" || { \
+	  echo " ( cd '$(DESTDIR)$(man8dir)' && rm -f" $$files ")"; \
+	  cd "$(DESTDIR)$(man8dir)" && rm -f $$files; }
 
 ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
@@ -384,7 +424,7 @@ tags: TAGS
 
 TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
+	set x; \
 	here=`pwd`; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
@@ -392,34 +432,52 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
 	  test -n "$$unique" || unique=$$empty_fix; \
-	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	    $$tags $$unique; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
 	fi
 ctags: CTAGS
 CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	test -z "$(CTAGS_ARGS)$$unique" \
 	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$tags $$unique
+	     $$unique
 
 GTAGS:
 	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && cd $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) $$here
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
 
 distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
 
 distdir: $(DISTFILES)
+	@list='$(MANS)'; if test -n "$$list"; then \
+	  list=`for p in $$list; do \
+	    if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
+	    if test -f "$$d$$p"; then echo "$$d$$p"; else :; fi; done`; \
+	  if test -n "$$list" && \
+	    grep 'ab help2man is required to generate this page' $$list >/dev/null; then \
+	    echo "error: found man pages containing the \`missing help2man' replacement text:" >&2; \
+	    grep -l 'ab help2man is required to generate this page' $$list | sed 's/^/         /' >&2; \
+	    echo "       to fix them, install help2man, remove and regenerate the man pages;" >&2; \
+	    echo "       typically \`make maintainer-clean' will remove them" >&2; \
+	    exit 1; \
+	  else :; fi; \
+	else :; fi
 	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
 	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
 	list='$(DISTFILES)'; \
@@ -435,13 +493,17 @@ distdir: $(DISTFILES)
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
 	  if test -d $$d/$$file; then \
 	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
 	    fi; \
-	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
 	  else \
-	    test -f $(distdir)/$$file \
-	    || cp -p $$d/$$file $(distdir)/$$file \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
 	    || exit 1; \
 	  fi; \
 	done
@@ -472,6 +534,7 @@ clean-generic:
 
 distclean-generic:
 	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -493,6 +556,8 @@ dvi-am:
 
 html: html-am
 
+html-am:
+
 info: info-am
 
 info-am:
@@ -501,18 +566,28 @@ install-data-am: install-ipsecPROGRAMS install-man
 
 install-dvi: install-dvi-am
 
+install-dvi-am:
+
 install-exec-am:
 
 install-html: install-html-am
 
+install-html-am:
+
 install-info: install-info-am
 
+install-info-am:
+
 install-man: install-man8
 
 install-pdf: install-pdf-am
 
+install-pdf-am:
+
 install-ps: install-ps-am
 
+install-ps-am:
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -554,6 +629,7 @@ uninstall-man: uninstall-man8
 	tags uninstall uninstall-am uninstall-ipsecPROGRAMS \
 	uninstall-man uninstall-man8
 
+
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/src/_copyright/_copyright.c b/src/_copyright/_copyright.c
index 5abefd4f1..9f0ad9785 100644
--- a/src/_copyright/_copyright.c
+++ b/src/_copyright/_copyright.c
@@ -2,12 +2,12 @@
  * copyright reporter
  * (just avoids having the info in more than one place in the source)
  * Copyright (C) 2001  Henry Spencer.
- * 
+ *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
  * Free Software Foundation; either version 2 of the License, or (at your
  * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- * 
+ *
  * This program is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
diff --git a/src/_updown/Makefile.am b/src/_updown/Makefile.am
index 5fc04ab88..116322e1e 100644
--- a/src/_updown/Makefile.am
+++ b/src/_updown/Makefile.am
@@ -5,8 +5,8 @@ EXTRA_DIST = _updown.in
 
 _updown : _updown.in
 	sed \
-	-e "s:@IPSEC_SBINDIR@:$(sbindir):" \
-	-e "s:\@IPSEC_ROUTING_TABLE\@:$(IPSEC_ROUTING_TABLE):" \
-	-e "s:\@IPSEC_ROUTING_TABLE_PRIO\@:$(IPSEC_ROUTING_TABLE_PRIO):" \
+	-e "s:\@sbindir\@:$(sbindir):" \
+	-e "s:\@routing_table\@:$(routing_table):" \
+	-e "s:\@routing_table_prio\@:$(routing_table_prio):" \
 	$(srcdir)/$@.in > $@
 	chmod +x $@
diff --git a/src/_updown/Makefile.in b/src/_updown/Makefile.in
index 60755da69..e99238ed8 100644
--- a/src/_updown/Makefile.in
+++ b/src/_updown/Makefile.in
@@ -1,8 +1,9 @@
-# Makefile.in generated by automake 1.10.2 from Makefile.am.
+# Makefile.in generated by automake 1.11 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,8 +17,9 @@
 
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
@@ -36,13 +38,41 @@ subdir = src/_updown
 DIST_COMMON = $(dist_man8_MANS) $(srcdir)/Makefile.am \
 	$(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
 CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__installdirs = "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man8dir)"
-ipsecSCRIPT_INSTALL = $(INSTALL_SCRIPT)
 SCRIPTS = $(ipsec_SCRIPTS)
 SOURCES =
 DIST_SOURCES =
@@ -83,25 +113,22 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
-IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
-LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
-LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
-LINUX_HEADERS = @LINUX_HEADERS@
 LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
 NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
@@ -113,11 +140,14 @@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
 PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
+RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
@@ -146,9 +176,9 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
-confdir = @confdir@
 datadir = @datadir@
 datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
@@ -171,7 +201,7 @@ ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
 libstrongswan_plugins = @libstrongswan_plugins@
-linuxdir = @linuxdir@
+linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
@@ -179,6 +209,7 @@ mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
@@ -187,10 +218,12 @@ pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+random_device = @random_device@
 resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
-simreader = @simreader@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
@@ -198,6 +231,7 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 ipsec_SCRIPTS = _updown
@@ -216,9 +250,9 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/_updown/Makefile'; \
-	cd $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu  src/_updown/Makefile
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/_updown/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/_updown/Makefile
 .PRECIOUS: Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
@@ -236,76 +270,81 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
 install-ipsecSCRIPTS: $(ipsec_SCRIPTS)
 	@$(NORMAL_INSTALL)
 	test -z "$(ipsecdir)" || $(MKDIR_P) "$(DESTDIR)$(ipsecdir)"
-	@list='$(ipsec_SCRIPTS)'; for p in $$list; do \
+	@list='$(ipsec_SCRIPTS)'; test -n "$(ipsecdir)" || list=; \
+	for p in $$list; do \
 	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
-	  if test -f $$d$$p; then \
-	    f=`echo "$$p" | sed 's|^.*/||;$(transform)'`; \
-	    echo " $(ipsecSCRIPT_INSTALL) '$$d$$p' '$(DESTDIR)$(ipsecdir)/$$f'"; \
-	    $(ipsecSCRIPT_INSTALL) "$$d$$p" "$(DESTDIR)$(ipsecdir)/$$f"; \
-	  else :; fi; \
-	done
+	  if test -f "$$d$$p"; then echo "$$d$$p"; echo "$$p"; else :; fi; \
+	done | \
+	sed -e 'p;s,.*/,,;n' \
+	    -e 'h;s|.*|.|' \
+	    -e 'p;x;s,.*/,,;$(transform)' | sed 'N;N;N;s,\n, ,g' | \
+	$(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1; } \
+	  { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \
+	    if ($$2 == $$4) { files[d] = files[d] " " $$1; \
+	      if (++n[d] == $(am__install_max)) { \
+		print "f", d, files[d]; n[d] = 0; files[d] = "" } } \
+	    else { print "f", d "/" $$4, $$1 } } \
+	  END { for (d in files) print "f", d, files[d] }' | \
+	while read type dir files; do \
+	     if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \
+	     test -z "$$files" || { \
+	       echo " $(INSTALL_SCRIPT) $$files '$(DESTDIR)$(ipsecdir)$$dir'"; \
+	       $(INSTALL_SCRIPT) $$files "$(DESTDIR)$(ipsecdir)$$dir" || exit $$?; \
+	     } \
+	; done
 
 uninstall-ipsecSCRIPTS:
 	@$(NORMAL_UNINSTALL)
-	@list='$(ipsec_SCRIPTS)'; for p in $$list; do \
-	  f=`echo "$$p" | sed 's|^.*/||;$(transform)'`; \
-	  echo " rm -f '$(DESTDIR)$(ipsecdir)/$$f'"; \
-	  rm -f "$(DESTDIR)$(ipsecdir)/$$f"; \
-	done
+	@list='$(ipsec_SCRIPTS)'; test -n "$(ipsecdir)" || exit 0; \
+	files=`for p in $$list; do echo "$$p"; done | \
+	       sed -e 's,.*/,,;$(transform)'`; \
+	test -n "$$list" || exit 0; \
+	echo " ( cd '$(DESTDIR)$(ipsecdir)' && rm -f" $$files ")"; \
+	cd "$(DESTDIR)$(ipsecdir)" && rm -f $$files
 
 mostlyclean-libtool:
 	-rm -f *.lo
 
 clean-libtool:
 	-rm -rf .libs _libs
-install-man8: $(man8_MANS) $(man_MANS)
+install-man8: $(dist_man8_MANS)
 	@$(NORMAL_INSTALL)
 	test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)"
-	@list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \
-	l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
-	for i in $$l2; do \
-	  case "$$i" in \
-	    *.8*) list="$$list $$i" ;; \
-	  esac; \
+	@list='$(dist_man8_MANS)'; test -n "$(man8dir)" || exit 0; \
+	{ for i in $$list; do echo "$$i"; done; \
+	} | while read p; do \
+	  if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
+	  echo "$$d$$p"; echo "$$p"; \
+	done | \
+	sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \
+	      -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \
+	sed 'N;N;s,\n, ,g' | { \
+	list=; while read file base inst; do \
+	  if test "$$base" = "$$inst"; then list="$$list $$file"; else \
+	    echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \
+	    $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst" || exit $$?; \
+	  fi; \
 	done; \
-	for i in $$list; do \
-	  if test -f $$i; then file=$$i; \
-	  else file=$(srcdir)/$$i; fi; \
-	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
-	  case "$$ext" in \
-	    8*) ;; \
-	    *) ext='8' ;; \
-	  esac; \
-	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
-	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
-	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
-	  echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \
-	  $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst"; \
-	done
+	for i in $$list; do echo "$$i"; done | $(am__base_list) | \
+	while read files; do \
+	  test -z "$$files" || { \
+	    echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man8dir)'"; \
+	    $(INSTALL_DATA) $$files "$(DESTDIR)$(man8dir)" || exit $$?; }; \
+	done; }
+
 uninstall-man8:
 	@$(NORMAL_UNINSTALL)
-	@list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \
-	l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
-	for i in $$l2; do \
-	  case "$$i" in \
-	    *.8*) list="$$list $$i" ;; \
-	  esac; \
-	done; \
-	for i in $$list; do \
-	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
-	  case "$$ext" in \
-	    8*) ;; \
-	    *) ext='8' ;; \
-	  esac; \
-	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
-	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
-	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
-	  echo " rm -f '$(DESTDIR)$(man8dir)/$$inst'"; \
-	  rm -f "$(DESTDIR)$(man8dir)/$$inst"; \
-	done
+	@list='$(dist_man8_MANS)'; test -n "$(man8dir)" || exit 0; \
+	files=`{ for i in $$list; do echo "$$i"; done; \
+	} | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \
+	      -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
+	test -z "$$files" || { \
+	  echo " ( cd '$(DESTDIR)$(man8dir)' && rm -f" $$files ")"; \
+	  cd "$(DESTDIR)$(man8dir)" && rm -f $$files; }
 tags: TAGS
 TAGS:
 
@@ -314,6 +353,19 @@ CTAGS:
 
 
 distdir: $(DISTFILES)
+	@list='$(MANS)'; if test -n "$$list"; then \
+	  list=`for p in $$list; do \
+	    if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
+	    if test -f "$$d$$p"; then echo "$$d$$p"; else :; fi; done`; \
+	  if test -n "$$list" && \
+	    grep 'ab help2man is required to generate this page' $$list >/dev/null; then \
+	    echo "error: found man pages containing the \`missing help2man' replacement text:" >&2; \
+	    grep -l 'ab help2man is required to generate this page' $$list | sed 's/^/         /' >&2; \
+	    echo "       to fix them, install help2man, remove and regenerate the man pages;" >&2; \
+	    echo "       typically \`make maintainer-clean' will remove them" >&2; \
+	    exit 1; \
+	  else :; fi; \
+	else :; fi
 	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
 	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
 	list='$(DISTFILES)'; \
@@ -329,13 +381,17 @@ distdir: $(DISTFILES)
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
 	  if test -d $$d/$$file; then \
 	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
 	    fi; \
-	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
 	  else \
-	    test -f $(distdir)/$$file \
-	    || cp -p $$d/$$file $(distdir)/$$file \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
 	    || exit 1; \
 	  fi; \
 	done
@@ -367,6 +423,7 @@ clean-generic:
 
 distclean-generic:
 	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -385,6 +442,8 @@ dvi-am:
 
 html: html-am
 
+html-am:
+
 info: info-am
 
 info-am:
@@ -393,18 +452,28 @@ install-data-am: install-ipsecSCRIPTS install-man
 
 install-dvi: install-dvi-am
 
+install-dvi-am:
+
 install-exec-am:
 
 install-html: install-html-am
 
+install-html-am:
+
 install-info: install-info-am
 
+install-info-am:
+
 install-man: install-man8
 
 install-pdf: install-pdf-am
 
+install-pdf-am:
+
 install-ps: install-ps-am
 
+install-ps-am:
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -445,11 +514,12 @@ uninstall-man: uninstall-man8
 
 _updown : _updown.in
 	sed \
-	-e "s:@IPSEC_SBINDIR@:$(sbindir):" \
-	-e "s:\@IPSEC_ROUTING_TABLE\@:$(IPSEC_ROUTING_TABLE):" \
-	-e "s:\@IPSEC_ROUTING_TABLE_PRIO\@:$(IPSEC_ROUTING_TABLE_PRIO):" \
+	-e "s:\@sbindir\@:$(sbindir):" \
+	-e "s:\@routing_table\@:$(routing_table):" \
+	-e "s:\@routing_table_prio\@:$(routing_table_prio):" \
 	$(srcdir)/$@.in > $@
 	chmod +x $@
+
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/src/_updown/_updown.in b/src/_updown/_updown.in
index 838842d06..2cc311665 100644
--- a/src/_updown/_updown.in
+++ b/src/_updown/_updown.in
@@ -5,12 +5,12 @@
 # Copyright (C) 2003-2004 Tuomo Soini
 # Copyright (C) 2002-2004 Michael Richardson
 # Copyright (C) 2005-2007 Andreas Steffen <andreas.steffen@strongswan.org>
-# 
+#
 # This program is free software; you can redistribute it and/or modify it
 # under the terms of the GNU General Public License as published by the
 # Free Software Foundation; either version 2 of the License, or (at your
 # option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
-# 
+#
 # This program is distributed in the hope that it will be useful, but
 # WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 # or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
@@ -117,7 +117,7 @@
 #
 
 # define a minimum PATH environment in case it is not set
-PATH="/sbin:/bin:/usr/sbin:/usr/bin:@IPSEC_SBINDIR@"
+PATH="/sbin:/bin:/usr/sbin:/usr/bin:@sbindir@"
 export PATH
 
 # uncomment to log VPN connections
@@ -139,10 +139,10 @@ FAC_PRIO=local0.notice
 # must be enabled
 #
 # special routing table for sourceip routes
-SOURCEIP_ROUTING_TABLE=@IPSEC_ROUTING_TABLE@
+SOURCEIP_ROUTING_TABLE=@routing_table@
 #
 # priority of the sourceip routing table
-SOURCEIP_ROUTING_TABLE_PRIO=@IPSEC_ROUTING_TABLE_PRIO@
+SOURCEIP_ROUTING_TABLE_PRIO=@routing_table_prio@
 
 # check interface version
 case "$PLUTO_VERSION" in
@@ -231,7 +231,7 @@ doroute() {
 	    parms2="via $PLUTO_NEXT_HOP"
 	else
 	    parms2="via $PLUTO_PEER"
-	fi	
+	fi
 	parms2="$parms2 dev $PLUTO_INTERFACE"
 
 	parms3=
@@ -251,7 +251,7 @@ doroute() {
 	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
 	"0.0.0.0/0.0.0.0")
 		# opportunistic encryption work around
-		# need to provide route that eclipses default, without 
+		# need to provide route that eclipses default, without
 		# replacing it.
 		it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
 			ip route $1 128.0.0.0/1 $parms2 $parms3"
@@ -271,8 +271,8 @@ doroute() {
 	fi
 	return $st
 }
- 
-# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY 
+
+# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
 if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
 then
 	KLIPS=1
@@ -314,7 +314,7 @@ prepare-host:*|prepare-client:*)
 	# delete possibly-existing route (preliminary to adding a route)
 	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
 	"0.0.0.0/0.0.0.0")
-		# need to provide route that eclipses default, without 
+		# need to provide route that eclipses default, without
 		# replacing it.
 		parms1="0.0.0.0/1"
 		parms2="128.0.0.0/1"
@@ -333,7 +333,7 @@ prepare-host:*|prepare-client:*)
 		oops="silent error, exit status $status"
 	fi
 	case "$oops" in
-	*'RTNETLINK answers: No such process'*)	
+	*'RTNETLINK answers: No such process'*)
 		# This is what route (currently -- not documented!) gives
 		# for "could not find such a route".
 		oops=
@@ -392,7 +392,7 @@ up-host:iptables)
 	    logger -t $TAG -p $FAC_PRIO \
 	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
 	  fi
-	fi	
+	fi
 	;;
 down-host:iptables)
 	# connection to me, with (left/right)firewall=yes, going down
@@ -551,7 +551,7 @@ up-host-v6:iptables)
 	    logger -t $TAG -p $FAC_PRIO \
 	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
 	  fi
-	fi	
+	fi
 	;;
 down-host-v6:iptables)
 	# connection to me, with (left/right)firewall=yes, going down
diff --git a/src/_updown_espmark/Makefile.in b/src/_updown_espmark/Makefile.in
index 55d3c6b4d..ed88b67a6 100644
--- a/src/_updown_espmark/Makefile.in
+++ b/src/_updown_espmark/Makefile.in
@@ -1,8 +1,9 @@
-# Makefile.in generated by automake 1.10.2 from Makefile.am.
+# Makefile.in generated by automake 1.11 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,8 +17,9 @@
 
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
@@ -36,13 +38,41 @@ subdir = src/_updown_espmark
 DIST_COMMON = $(dist_ipsec_SCRIPTS) $(dist_man8_MANS) \
 	$(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
 CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__installdirs = "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man8dir)"
-dist_ipsecSCRIPT_INSTALL = $(INSTALL_SCRIPT)
 SCRIPTS = $(dist_ipsec_SCRIPTS)
 SOURCES =
 DIST_SOURCES =
@@ -83,25 +113,22 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
-IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
-LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
-LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
-LINUX_HEADERS = @LINUX_HEADERS@
 LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
 NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
@@ -113,11 +140,14 @@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
 PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
+RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
@@ -146,9 +176,9 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
-confdir = @confdir@
 datadir = @datadir@
 datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
@@ -171,7 +201,7 @@ ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
 libstrongswan_plugins = @libstrongswan_plugins@
-linuxdir = @linuxdir@
+linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
@@ -179,6 +209,7 @@ mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
@@ -187,10 +218,12 @@ pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+random_device = @random_device@
 resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
-simreader = @simreader@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
@@ -198,6 +231,7 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 dist_ipsec_SCRIPTS = _updown_espmark
@@ -214,9 +248,9 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/_updown_espmark/Makefile'; \
-	cd $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu  src/_updown_espmark/Makefile
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/_updown_espmark/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/_updown_espmark/Makefile
 .PRECIOUS: Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
@@ -234,76 +268,81 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
 install-dist_ipsecSCRIPTS: $(dist_ipsec_SCRIPTS)
 	@$(NORMAL_INSTALL)
 	test -z "$(ipsecdir)" || $(MKDIR_P) "$(DESTDIR)$(ipsecdir)"
-	@list='$(dist_ipsec_SCRIPTS)'; for p in $$list; do \
+	@list='$(dist_ipsec_SCRIPTS)'; test -n "$(ipsecdir)" || list=; \
+	for p in $$list; do \
 	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
-	  if test -f $$d$$p; then \
-	    f=`echo "$$p" | sed 's|^.*/||;$(transform)'`; \
-	    echo " $(dist_ipsecSCRIPT_INSTALL) '$$d$$p' '$(DESTDIR)$(ipsecdir)/$$f'"; \
-	    $(dist_ipsecSCRIPT_INSTALL) "$$d$$p" "$(DESTDIR)$(ipsecdir)/$$f"; \
-	  else :; fi; \
-	done
+	  if test -f "$$d$$p"; then echo "$$d$$p"; echo "$$p"; else :; fi; \
+	done | \
+	sed -e 'p;s,.*/,,;n' \
+	    -e 'h;s|.*|.|' \
+	    -e 'p;x;s,.*/,,;$(transform)' | sed 'N;N;N;s,\n, ,g' | \
+	$(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1; } \
+	  { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \
+	    if ($$2 == $$4) { files[d] = files[d] " " $$1; \
+	      if (++n[d] == $(am__install_max)) { \
+		print "f", d, files[d]; n[d] = 0; files[d] = "" } } \
+	    else { print "f", d "/" $$4, $$1 } } \
+	  END { for (d in files) print "f", d, files[d] }' | \
+	while read type dir files; do \
+	     if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \
+	     test -z "$$files" || { \
+	       echo " $(INSTALL_SCRIPT) $$files '$(DESTDIR)$(ipsecdir)$$dir'"; \
+	       $(INSTALL_SCRIPT) $$files "$(DESTDIR)$(ipsecdir)$$dir" || exit $$?; \
+	     } \
+	; done
 
 uninstall-dist_ipsecSCRIPTS:
 	@$(NORMAL_UNINSTALL)
-	@list='$(dist_ipsec_SCRIPTS)'; for p in $$list; do \
-	  f=`echo "$$p" | sed 's|^.*/||;$(transform)'`; \
-	  echo " rm -f '$(DESTDIR)$(ipsecdir)/$$f'"; \
-	  rm -f "$(DESTDIR)$(ipsecdir)/$$f"; \
-	done
+	@list='$(dist_ipsec_SCRIPTS)'; test -n "$(ipsecdir)" || exit 0; \
+	files=`for p in $$list; do echo "$$p"; done | \
+	       sed -e 's,.*/,,;$(transform)'`; \
+	test -n "$$list" || exit 0; \
+	echo " ( cd '$(DESTDIR)$(ipsecdir)' && rm -f" $$files ")"; \
+	cd "$(DESTDIR)$(ipsecdir)" && rm -f $$files
 
 mostlyclean-libtool:
 	-rm -f *.lo
 
 clean-libtool:
 	-rm -rf .libs _libs
-install-man8: $(man8_MANS) $(man_MANS)
+install-man8: $(dist_man8_MANS)
 	@$(NORMAL_INSTALL)
 	test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)"
-	@list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \
-	l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
-	for i in $$l2; do \
-	  case "$$i" in \
-	    *.8*) list="$$list $$i" ;; \
-	  esac; \
+	@list='$(dist_man8_MANS)'; test -n "$(man8dir)" || exit 0; \
+	{ for i in $$list; do echo "$$i"; done; \
+	} | while read p; do \
+	  if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
+	  echo "$$d$$p"; echo "$$p"; \
+	done | \
+	sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \
+	      -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \
+	sed 'N;N;s,\n, ,g' | { \
+	list=; while read file base inst; do \
+	  if test "$$base" = "$$inst"; then list="$$list $$file"; else \
+	    echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \
+	    $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst" || exit $$?; \
+	  fi; \
 	done; \
-	for i in $$list; do \
-	  if test -f $$i; then file=$$i; \
-	  else file=$(srcdir)/$$i; fi; \
-	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
-	  case "$$ext" in \
-	    8*) ;; \
-	    *) ext='8' ;; \
-	  esac; \
-	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
-	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
-	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
-	  echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \
-	  $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst"; \
-	done
+	for i in $$list; do echo "$$i"; done | $(am__base_list) | \
+	while read files; do \
+	  test -z "$$files" || { \
+	    echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man8dir)'"; \
+	    $(INSTALL_DATA) $$files "$(DESTDIR)$(man8dir)" || exit $$?; }; \
+	done; }
+
 uninstall-man8:
 	@$(NORMAL_UNINSTALL)
-	@list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \
-	l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
-	for i in $$l2; do \
-	  case "$$i" in \
-	    *.8*) list="$$list $$i" ;; \
-	  esac; \
-	done; \
-	for i in $$list; do \
-	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
-	  case "$$ext" in \
-	    8*) ;; \
-	    *) ext='8' ;; \
-	  esac; \
-	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
-	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
-	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
-	  echo " rm -f '$(DESTDIR)$(man8dir)/$$inst'"; \
-	  rm -f "$(DESTDIR)$(man8dir)/$$inst"; \
-	done
+	@list='$(dist_man8_MANS)'; test -n "$(man8dir)" || exit 0; \
+	files=`{ for i in $$list; do echo "$$i"; done; \
+	} | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \
+	      -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
+	test -z "$$files" || { \
+	  echo " ( cd '$(DESTDIR)$(man8dir)' && rm -f" $$files ")"; \
+	  cd "$(DESTDIR)$(man8dir)" && rm -f $$files; }
 tags: TAGS
 TAGS:
 
@@ -312,6 +351,19 @@ CTAGS:
 
 
 distdir: $(DISTFILES)
+	@list='$(MANS)'; if test -n "$$list"; then \
+	  list=`for p in $$list; do \
+	    if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
+	    if test -f "$$d$$p"; then echo "$$d$$p"; else :; fi; done`; \
+	  if test -n "$$list" && \
+	    grep 'ab help2man is required to generate this page' $$list >/dev/null; then \
+	    echo "error: found man pages containing the \`missing help2man' replacement text:" >&2; \
+	    grep -l 'ab help2man is required to generate this page' $$list | sed 's/^/         /' >&2; \
+	    echo "       to fix them, install help2man, remove and regenerate the man pages;" >&2; \
+	    echo "       typically \`make maintainer-clean' will remove them" >&2; \
+	    exit 1; \
+	  else :; fi; \
+	else :; fi
 	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
 	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
 	list='$(DISTFILES)'; \
@@ -327,13 +379,17 @@ distdir: $(DISTFILES)
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
 	  if test -d $$d/$$file; then \
 	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
 	    fi; \
-	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
 	  else \
-	    test -f $(distdir)/$$file \
-	    || cp -p $$d/$$file $(distdir)/$$file \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
 	    || exit 1; \
 	  fi; \
 	done
@@ -364,6 +420,7 @@ clean-generic:
 
 distclean-generic:
 	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -382,6 +439,8 @@ dvi-am:
 
 html: html-am
 
+html-am:
+
 info: info-am
 
 info-am:
@@ -390,18 +449,28 @@ install-data-am: install-dist_ipsecSCRIPTS install-man
 
 install-dvi: install-dvi-am
 
+install-dvi-am:
+
 install-exec-am:
 
 install-html: install-html-am
 
+install-html-am:
+
 install-info: install-info-am
 
+install-info-am:
+
 install-man: install-man8
 
 install-pdf: install-pdf-am
 
+install-pdf-am:
+
 install-ps: install-ps-am
 
+install-ps-am:
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -439,6 +508,7 @@ uninstall-man: uninstall-man8
 	ps ps-am uninstall uninstall-am uninstall-dist_ipsecSCRIPTS \
 	uninstall-man uninstall-man8
 
+
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/src/charon/Makefile.am b/src/charon/Makefile.am
index dd51555c0..e20d45cf8 100644
--- a/src/charon/Makefile.am
+++ b/src/charon/Makefile.am
@@ -11,10 +11,6 @@ config/ike_cfg.c config/ike_cfg.h \
 config/peer_cfg.c config/peer_cfg.h \
 config/proposal.c config/proposal.h \
 config/auth_cfg.c config/auth_cfg.h \
-config/traffic_selector.c config/traffic_selector.h \
-config/attributes/attribute_provider.h \
-config/attributes/attribute_handler.h \
-config/attributes/attribute_manager.c config/attributes/attribute_manager.h \
 control/controller.c control/controller.h \
 daemon.c daemon.h \
 encoding/generator.c encoding/generator.h \
@@ -64,6 +60,7 @@ processing/jobs/send_dpd_job.c processing/jobs/send_dpd_job.h \
 processing/jobs/send_keepalive_job.c processing/jobs/send_keepalive_job.h \
 processing/jobs/roam_job.c processing/jobs/roam_job.h \
 processing/jobs/update_sa_job.c processing/jobs/update_sa_job.h \
+processing/jobs/inactivity_job.c processing/jobs/inactivity_job.h \
 processing/scheduler.c processing/scheduler.h \
 processing/processor.c processing/processor.h  \
 sa/authenticators/authenticator.c sa/authenticators/authenticator.h \
@@ -95,6 +92,7 @@ sa/tasks/ike_mobike.c sa/tasks/ike_mobike.h \
 sa/tasks/ike_rekey.c sa/tasks/ike_rekey.h \
 sa/tasks/ike_reauth.c sa/tasks/ike_reauth.h \
 sa/tasks/ike_auth_lifetime.c sa/tasks/ike_auth_lifetime.h \
+sa/tasks/ike_vendor.c sa/tasks/ike_vendor.h \
 sa/tasks/task.c sa/tasks/task.h \
 credentials/credential_manager.c credentials/credential_manager.h \
 credentials/sets/auth_cfg_wrapper.c credentials/sets/auth_cfg_wrapper.h \
@@ -102,13 +100,11 @@ credentials/sets/ocsp_response_wrapper.c credentials/sets/ocsp_response_wrapper.
 credentials/sets/cert_cache.c credentials/sets/cert_cache.h \
 credentials/credential_set.h
 
-INCLUDES = -I${linuxdir} -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
+INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
 AM_CFLAGS = -rdynamic \
   -DIPSEC_DIR=\"${ipsecdir}\" \
-  -DIPSEC_PIDDIR=\"${piddir}\" \
-  -DIPSEC_PLUGINDIR=\"${plugindir}\" \
-  -DSTRONGSWAN_CONF=\"${strongswan_conf}\"
-charon_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -lpthread -lm $(DLLIB) $(SOCKLIB)
+  -DIPSEC_PIDDIR=\"${piddir}\"
+charon_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -lm $(PTHREADLIB) $(DLLIB) $(SOCKLIB)
 
 # compile options
 #################
@@ -137,10 +133,10 @@ endif
 # build optional plugins
 ########################
 
-SUBDIRS = . 
+SUBDIRS = .
 PLUGINS = ${libstrongswan_plugins}
 
-if USE_LOAD_TESTS
+if USE_LOAD_TESTER
   SUBDIRS += plugins/load_tester
   PLUGINS += load-tester
 endif
@@ -192,42 +188,57 @@ endif
 
 if USE_EAP_IDENTITY
   SUBDIRS += plugins/eap_identity
-  PLUGINS += eapidentity
+  PLUGINS += eap-identity
 endif
 
 if USE_EAP_SIM
   SUBDIRS += plugins/eap_sim
-  PLUGINS += eapsim
+  PLUGINS += eap-sim
 endif
 
 if USE_EAP_SIM_FILE
   SUBDIRS += plugins/eap_sim_file
-  PLUGINS += eapsim-file
+  PLUGINS += eap-sim-file
+endif
+
+if USE_EAP_SIMAKA_PSEUDONYM
+  SUBDIRS += plugins/eap_simaka_pseudonym
+  PLUGINS += eap-simaka-pseudonym
+endif
+
+if USE_EAP_SIMAKA_REAUTH
+  SUBDIRS += plugins/eap_simaka_reauth
+  PLUGINS += eap-simaka-reauth
 endif
 
 if USE_EAP_MD5
   SUBDIRS += plugins/eap_md5
-  PLUGINS += eapmd5
+  PLUGINS += eap-md5
 endif
 
 if USE_EAP_GTC
   SUBDIRS += plugins/eap_gtc
-  PLUGINS += eapgtc
+  PLUGINS += eap-gtc
 endif
 
 if USE_EAP_AKA
   SUBDIRS += plugins/eap_aka
-  PLUGINS += eapaka
+  PLUGINS += eap-aka
+endif
+
+if USE_EAP_AKA_3GPP2
+  SUBDIRS += plugins/eap_aka_3gpp2
+  PLUGINS += eap-aka-3gpp2
 endif
 
 if USE_EAP_MSCHAPV2
   SUBDIRS += plugins/eap_mschapv2
-  PLUGINS += eapmschapv2
+  PLUGINS += eap-mschapv2
 endif
 
 if USE_EAP_RADIUS
   SUBDIRS += plugins/eap_radius
-  PLUGINS += eapradius
+  PLUGINS += eap-radius
 endif
 
 if USE_MEDSRV
@@ -245,9 +256,9 @@ if USE_NM
   PLUGINS += nm
 endif
 
-if USE_RESOLV_CONF
-  SUBDIRS += plugins/resolv_conf
-  PLUGINS += resolv-conf
+if USE_RESOLVE
+  SUBDIRS += plugins/resolve
+  PLUGINS += resolve
 endif
 
 if USE_UCI
diff --git a/src/charon/Makefile.in b/src/charon/Makefile.in
index 59c0228f8..d7339b226 100644
--- a/src/charon/Makefile.in
+++ b/src/charon/Makefile.in
@@ -1,8 +1,9 @@
-# Makefile.in generated by automake 1.10.2 from Makefile.am.
+# Makefile.in generated by automake 1.11 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,8 +17,9 @@
 
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
@@ -48,8 +50,8 @@ ipsec_PROGRAMS = charon$(EXEEXT)
 @USE_ME_TRUE@    sa/tasks/ike_me.c sa/tasks/ike_me.h
 
 @USE_CAPABILITIES_TRUE@am__append_4 = -lcap
-@USE_LOAD_TESTS_TRUE@am__append_5 = plugins/load_tester
-@USE_LOAD_TESTS_TRUE@am__append_6 = load-tester
+@USE_LOAD_TESTER_TRUE@am__append_5 = plugins/load_tester
+@USE_LOAD_TESTER_TRUE@am__append_6 = load-tester
 @USE_KERNEL_PFKEY_TRUE@am__append_7 = plugins/kernel_pfkey
 @USE_KERNEL_PFKEY_TRUE@am__append_8 = kernel-pfkey
 @USE_KERNEL_PFROUTE_TRUE@am__append_9 = plugins/kernel_pfroute
@@ -69,43 +71,56 @@ ipsec_PROGRAMS = charon$(EXEEXT)
 @USE_ATTR_TRUE@am__append_23 = plugins/attr
 @USE_ATTR_TRUE@am__append_24 = attr
 @USE_EAP_IDENTITY_TRUE@am__append_25 = plugins/eap_identity
-@USE_EAP_IDENTITY_TRUE@am__append_26 = eapidentity
+@USE_EAP_IDENTITY_TRUE@am__append_26 = eap-identity
 @USE_EAP_SIM_TRUE@am__append_27 = plugins/eap_sim
-@USE_EAP_SIM_TRUE@am__append_28 = eapsim
+@USE_EAP_SIM_TRUE@am__append_28 = eap-sim
 @USE_EAP_SIM_FILE_TRUE@am__append_29 = plugins/eap_sim_file
-@USE_EAP_SIM_FILE_TRUE@am__append_30 = eapsim-file
-@USE_EAP_MD5_TRUE@am__append_31 = plugins/eap_md5
-@USE_EAP_MD5_TRUE@am__append_32 = eapmd5
-@USE_EAP_GTC_TRUE@am__append_33 = plugins/eap_gtc
-@USE_EAP_GTC_TRUE@am__append_34 = eapgtc
-@USE_EAP_AKA_TRUE@am__append_35 = plugins/eap_aka
-@USE_EAP_AKA_TRUE@am__append_36 = eapaka
-@USE_EAP_MSCHAPV2_TRUE@am__append_37 = plugins/eap_mschapv2
-@USE_EAP_MSCHAPV2_TRUE@am__append_38 = eapmschapv2
-@USE_EAP_RADIUS_TRUE@am__append_39 = plugins/eap_radius
-@USE_EAP_RADIUS_TRUE@am__append_40 = eapradius
-@USE_MEDSRV_TRUE@am__append_41 = plugins/medsrv
-@USE_MEDSRV_TRUE@am__append_42 = medsrv
-@USE_MEDCLI_TRUE@am__append_43 = plugins/medcli
-@USE_MEDCLI_TRUE@am__append_44 = medcli
-@USE_NM_TRUE@am__append_45 = plugins/nm
-@USE_NM_TRUE@am__append_46 = nm
-@USE_RESOLV_CONF_TRUE@am__append_47 = plugins/resolv_conf
-@USE_RESOLV_CONF_TRUE@am__append_48 = resolv-conf
-@USE_UCI_TRUE@am__append_49 = plugins/uci
-@USE_UCI_TRUE@am__append_50 = uci
-@USE_UNIT_TESTS_TRUE@am__append_51 = plugins/unit_tester
-@USE_UNIT_TESTS_TRUE@am__append_52 = unit-tester
+@USE_EAP_SIM_FILE_TRUE@am__append_30 = eap-sim-file
+@USE_EAP_SIMAKA_PSEUDONYM_TRUE@am__append_31 = plugins/eap_simaka_pseudonym
+@USE_EAP_SIMAKA_PSEUDONYM_TRUE@am__append_32 = eap-simaka-pseudonym
+@USE_EAP_SIMAKA_REAUTH_TRUE@am__append_33 = plugins/eap_simaka_reauth
+@USE_EAP_SIMAKA_REAUTH_TRUE@am__append_34 = eap-simaka-reauth
+@USE_EAP_MD5_TRUE@am__append_35 = plugins/eap_md5
+@USE_EAP_MD5_TRUE@am__append_36 = eap-md5
+@USE_EAP_GTC_TRUE@am__append_37 = plugins/eap_gtc
+@USE_EAP_GTC_TRUE@am__append_38 = eap-gtc
+@USE_EAP_AKA_TRUE@am__append_39 = plugins/eap_aka
+@USE_EAP_AKA_TRUE@am__append_40 = eap-aka
+@USE_EAP_AKA_3GPP2_TRUE@am__append_41 = plugins/eap_aka_3gpp2
+@USE_EAP_AKA_3GPP2_TRUE@am__append_42 = eap-aka-3gpp2
+@USE_EAP_MSCHAPV2_TRUE@am__append_43 = plugins/eap_mschapv2
+@USE_EAP_MSCHAPV2_TRUE@am__append_44 = eap-mschapv2
+@USE_EAP_RADIUS_TRUE@am__append_45 = plugins/eap_radius
+@USE_EAP_RADIUS_TRUE@am__append_46 = eap-radius
+@USE_MEDSRV_TRUE@am__append_47 = plugins/medsrv
+@USE_MEDSRV_TRUE@am__append_48 = medsrv
+@USE_MEDCLI_TRUE@am__append_49 = plugins/medcli
+@USE_MEDCLI_TRUE@am__append_50 = medcli
+@USE_NM_TRUE@am__append_51 = plugins/nm
+@USE_NM_TRUE@am__append_52 = nm
+@USE_RESOLVE_TRUE@am__append_53 = plugins/resolve
+@USE_RESOLVE_TRUE@am__append_54 = resolve
+@USE_UCI_TRUE@am__append_55 = plugins/uci
+@USE_UCI_TRUE@am__append_56 = uci
+@USE_UNIT_TESTS_TRUE@am__append_57 = plugins/unit_tester
+@USE_UNIT_TESTS_TRUE@am__append_58 = unit-tester
 subdir = src/charon
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
 CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
 am__installdirs = "$(DESTDIR)$(ipsecdir)"
-ipsecPROGRAMS_INSTALL = $(INSTALL_PROGRAM)
 PROGRAMS = $(ipsec_PROGRAMS)
 am__charon_SOURCES_DIST = bus/bus.c bus/bus.h bus/listeners/listener.h \
 	bus/listeners/file_logger.c bus/listeners/file_logger.h \
@@ -114,12 +129,7 @@ am__charon_SOURCES_DIST = bus/bus.c bus/bus.h bus/listeners/listener.h \
 	config/backend.h config/child_cfg.c config/child_cfg.h \
 	config/ike_cfg.c config/ike_cfg.h config/peer_cfg.c \
 	config/peer_cfg.h config/proposal.c config/proposal.h \
-	config/auth_cfg.c config/auth_cfg.h config/traffic_selector.c \
-	config/traffic_selector.h \
-	config/attributes/attribute_provider.h \
-	config/attributes/attribute_handler.h \
-	config/attributes/attribute_manager.c \
-	config/attributes/attribute_manager.h control/controller.c \
+	config/auth_cfg.c config/auth_cfg.h control/controller.c \
 	control/controller.h daemon.c daemon.h encoding/generator.c \
 	encoding/generator.h encoding/message.c encoding/message.h \
 	encoding/parser.c encoding/parser.h \
@@ -186,7 +196,9 @@ am__charon_SOURCES_DIST = bus/bus.c bus/bus.h bus/listeners/listener.h \
 	processing/jobs/send_keepalive_job.h \
 	processing/jobs/roam_job.c processing/jobs/roam_job.h \
 	processing/jobs/update_sa_job.c \
-	processing/jobs/update_sa_job.h processing/scheduler.c \
+	processing/jobs/update_sa_job.h \
+	processing/jobs/inactivity_job.c \
+	processing/jobs/inactivity_job.h processing/scheduler.c \
 	processing/scheduler.h processing/processor.c \
 	processing/processor.h sa/authenticators/authenticator.c \
 	sa/authenticators/authenticator.h \
@@ -218,7 +230,8 @@ am__charon_SOURCES_DIST = bus/bus.c bus/bus.h bus/listeners/listener.h \
 	sa/tasks/ike_mobike.h sa/tasks/ike_rekey.c \
 	sa/tasks/ike_rekey.h sa/tasks/ike_reauth.c \
 	sa/tasks/ike_reauth.h sa/tasks/ike_auth_lifetime.c \
-	sa/tasks/ike_auth_lifetime.h sa/tasks/task.c sa/tasks/task.h \
+	sa/tasks/ike_auth_lifetime.h sa/tasks/ike_vendor.c \
+	sa/tasks/ike_vendor.h sa/tasks/task.c sa/tasks/task.h \
 	credentials/credential_manager.c \
 	credentials/credential_manager.h \
 	credentials/sets/auth_cfg_wrapper.c \
@@ -244,15 +257,14 @@ am__charon_SOURCES_DIST = bus/bus.c bus/bus.h bus/listeners/listener.h \
 am_charon_OBJECTS = bus.$(OBJEXT) file_logger.$(OBJEXT) \
 	sys_logger.$(OBJEXT) backend_manager.$(OBJEXT) \
 	child_cfg.$(OBJEXT) ike_cfg.$(OBJEXT) peer_cfg.$(OBJEXT) \
-	proposal.$(OBJEXT) auth_cfg.$(OBJEXT) \
-	traffic_selector.$(OBJEXT) attribute_manager.$(OBJEXT) \
-	controller.$(OBJEXT) daemon.$(OBJEXT) generator.$(OBJEXT) \
-	message.$(OBJEXT) parser.$(OBJEXT) auth_payload.$(OBJEXT) \
-	cert_payload.$(OBJEXT) certreq_payload.$(OBJEXT) \
-	configuration_attribute.$(OBJEXT) cp_payload.$(OBJEXT) \
-	delete_payload.$(OBJEXT) eap_payload.$(OBJEXT) \
-	encodings.$(OBJEXT) encryption_payload.$(OBJEXT) \
-	id_payload.$(OBJEXT) ike_header.$(OBJEXT) ke_payload.$(OBJEXT) \
+	proposal.$(OBJEXT) auth_cfg.$(OBJEXT) controller.$(OBJEXT) \
+	daemon.$(OBJEXT) generator.$(OBJEXT) message.$(OBJEXT) \
+	parser.$(OBJEXT) auth_payload.$(OBJEXT) cert_payload.$(OBJEXT) \
+	certreq_payload.$(OBJEXT) configuration_attribute.$(OBJEXT) \
+	cp_payload.$(OBJEXT) delete_payload.$(OBJEXT) \
+	eap_payload.$(OBJEXT) encodings.$(OBJEXT) \
+	encryption_payload.$(OBJEXT) id_payload.$(OBJEXT) \
+	ike_header.$(OBJEXT) ke_payload.$(OBJEXT) \
 	nonce_payload.$(OBJEXT) notify_payload.$(OBJEXT) \
 	payload.$(OBJEXT) proposal_substructure.$(OBJEXT) \
 	sa_payload.$(OBJEXT) traffic_selector_substructure.$(OBJEXT) \
@@ -266,20 +278,21 @@ am_charon_OBJECTS = bus.$(OBJEXT) file_logger.$(OBJEXT) \
 	rekey_child_sa_job.$(OBJEXT) rekey_ike_sa_job.$(OBJEXT) \
 	retransmit_job.$(OBJEXT) send_dpd_job.$(OBJEXT) \
 	send_keepalive_job.$(OBJEXT) roam_job.$(OBJEXT) \
-	update_sa_job.$(OBJEXT) scheduler.$(OBJEXT) \
-	processor.$(OBJEXT) authenticator.$(OBJEXT) \
-	eap_authenticator.$(OBJEXT) eap_method.$(OBJEXT) \
-	eap_manager.$(OBJEXT) sim_manager.$(OBJEXT) \
-	psk_authenticator.$(OBJEXT) pubkey_authenticator.$(OBJEXT) \
-	child_sa.$(OBJEXT) ike_sa.$(OBJEXT) ike_sa_id.$(OBJEXT) \
-	ike_sa_manager.$(OBJEXT) task_manager.$(OBJEXT) \
-	keymat.$(OBJEXT) trap_manager.$(OBJEXT) child_create.$(OBJEXT) \
-	child_delete.$(OBJEXT) child_rekey.$(OBJEXT) \
-	ike_auth.$(OBJEXT) ike_cert_pre.$(OBJEXT) \
-	ike_cert_post.$(OBJEXT) ike_config.$(OBJEXT) \
-	ike_delete.$(OBJEXT) ike_dpd.$(OBJEXT) ike_init.$(OBJEXT) \
-	ike_natd.$(OBJEXT) ike_mobike.$(OBJEXT) ike_rekey.$(OBJEXT) \
-	ike_reauth.$(OBJEXT) ike_auth_lifetime.$(OBJEXT) \
+	update_sa_job.$(OBJEXT) inactivity_job.$(OBJEXT) \
+	scheduler.$(OBJEXT) processor.$(OBJEXT) \
+	authenticator.$(OBJEXT) eap_authenticator.$(OBJEXT) \
+	eap_method.$(OBJEXT) eap_manager.$(OBJEXT) \
+	sim_manager.$(OBJEXT) psk_authenticator.$(OBJEXT) \
+	pubkey_authenticator.$(OBJEXT) child_sa.$(OBJEXT) \
+	ike_sa.$(OBJEXT) ike_sa_id.$(OBJEXT) ike_sa_manager.$(OBJEXT) \
+	task_manager.$(OBJEXT) keymat.$(OBJEXT) trap_manager.$(OBJEXT) \
+	child_create.$(OBJEXT) child_delete.$(OBJEXT) \
+	child_rekey.$(OBJEXT) ike_auth.$(OBJEXT) \
+	ike_cert_pre.$(OBJEXT) ike_cert_post.$(OBJEXT) \
+	ike_config.$(OBJEXT) ike_delete.$(OBJEXT) ike_dpd.$(OBJEXT) \
+	ike_init.$(OBJEXT) ike_natd.$(OBJEXT) ike_mobike.$(OBJEXT) \
+	ike_rekey.$(OBJEXT) ike_reauth.$(OBJEXT) \
+	ike_auth_lifetime.$(OBJEXT) ike_vendor.$(OBJEXT) \
 	task.$(OBJEXT) credential_manager.$(OBJEXT) \
 	auth_cfg_wrapper.$(OBJEXT) ocsp_response_wrapper.$(OBJEXT) \
 	cert_cache.$(OBJEXT) $(am__objects_1) $(am__objects_2) \
@@ -289,10 +302,11 @@ am__DEPENDENCIES_1 =
 charon_DEPENDENCIES =  \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
 	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
-	$(am__DEPENDENCIES_1)
+	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1)
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
+am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
@@ -313,17 +327,47 @@ RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \
 	ps-recursive uninstall-recursive
 RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive	\
   distclean-recursive maintainer-clean-recursive
+AM_RECURSIVE_TARGETS = $(RECURSIVE_TARGETS:-recursive=) \
+	$(RECURSIVE_CLEAN_TARGETS:-recursive=) tags TAGS ctags CTAGS \
+	distdir
 ETAGS = etags
 CTAGS = ctags
 DIST_SUBDIRS = . plugins/load_tester plugins/kernel_pfkey \
 	plugins/kernel_pfroute plugins/kernel_klips \
 	plugins/kernel_netlink plugins/stroke plugins/smp plugins/sql \
 	plugins/updown plugins/attr plugins/eap_identity \
-	plugins/eap_sim plugins/eap_sim_file plugins/eap_md5 \
-	plugins/eap_gtc plugins/eap_aka plugins/eap_mschapv2 \
-	plugins/eap_radius plugins/medsrv plugins/medcli plugins/nm \
-	plugins/resolv_conf plugins/uci plugins/unit_tester
+	plugins/eap_sim plugins/eap_sim_file \
+	plugins/eap_simaka_pseudonym plugins/eap_simaka_reauth \
+	plugins/eap_md5 plugins/eap_gtc plugins/eap_aka \
+	plugins/eap_aka_3gpp2 plugins/eap_mschapv2 plugins/eap_radius \
+	plugins/medsrv plugins/medcli plugins/nm plugins/resolve \
+	plugins/uci plugins/unit_tester
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+am__relativize = \
+  dir0=`pwd`; \
+  sed_first='s,^\([^/]*\)/.*$$,\1,'; \
+  sed_rest='s,^[^/]*/*,,'; \
+  sed_last='s,^.*/\([^/]*\)$$,\1,'; \
+  sed_butlast='s,/*[^/]*$$,,'; \
+  while test -n "$$dir1"; do \
+    first=`echo "$$dir1" | sed -e "$$sed_first"`; \
+    if test "$$first" != "."; then \
+      if test "$$first" = ".."; then \
+        dir2=`echo "$$dir0" | sed -e "$$sed_last"`/"$$dir2"; \
+        dir0=`echo "$$dir0" | sed -e "$$sed_butlast"`; \
+      else \
+        first2=`echo "$$dir2" | sed -e "$$sed_first"`; \
+        if test "$$first2" = "$$first"; then \
+          dir2=`echo "$$dir2" | sed -e "$$sed_rest"`; \
+        else \
+          dir2="../$$dir2"; \
+        fi; \
+        dir0="$$dir0"/"$$first"; \
+      fi; \
+    fi; \
+    dir1=`echo "$$dir1" | sed -e "$$sed_rest"`; \
+  done; \
+  reldir="$$dir2"
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
@@ -357,25 +401,22 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
-IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
-LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
-LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
-LINUX_HEADERS = @LINUX_HEADERS@
 LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
 NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
@@ -387,11 +428,14 @@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
 PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
+RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
@@ -420,9 +464,9 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
-confdir = @confdir@
 datadir = @datadir@
 datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
@@ -445,7 +489,7 @@ ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
 libstrongswan_plugins = @libstrongswan_plugins@
-linuxdir = @linuxdir@
+linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
@@ -453,6 +497,7 @@ mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
@@ -461,10 +506,12 @@ pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+random_device = @random_device@
 resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
-simreader = @simreader@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
@@ -472,6 +519,7 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 charon_SOURCES = bus/bus.c bus/bus.h bus/listeners/listener.h \
@@ -481,12 +529,7 @@ charon_SOURCES = bus/bus.c bus/bus.h bus/listeners/listener.h \
 	config/backend.h config/child_cfg.c config/child_cfg.h \
 	config/ike_cfg.c config/ike_cfg.h config/peer_cfg.c \
 	config/peer_cfg.h config/proposal.c config/proposal.h \
-	config/auth_cfg.c config/auth_cfg.h config/traffic_selector.c \
-	config/traffic_selector.h \
-	config/attributes/attribute_provider.h \
-	config/attributes/attribute_handler.h \
-	config/attributes/attribute_manager.c \
-	config/attributes/attribute_manager.h control/controller.c \
+	config/auth_cfg.c config/auth_cfg.h control/controller.c \
 	control/controller.h daemon.c daemon.h encoding/generator.c \
 	encoding/generator.h encoding/message.c encoding/message.h \
 	encoding/parser.c encoding/parser.h \
@@ -553,7 +596,9 @@ charon_SOURCES = bus/bus.c bus/bus.h bus/listeners/listener.h \
 	processing/jobs/send_keepalive_job.h \
 	processing/jobs/roam_job.c processing/jobs/roam_job.h \
 	processing/jobs/update_sa_job.c \
-	processing/jobs/update_sa_job.h processing/scheduler.c \
+	processing/jobs/update_sa_job.h \
+	processing/jobs/inactivity_job.c \
+	processing/jobs/inactivity_job.h processing/scheduler.c \
 	processing/scheduler.h processing/processor.c \
 	processing/processor.h sa/authenticators/authenticator.c \
 	sa/authenticators/authenticator.h \
@@ -585,7 +630,8 @@ charon_SOURCES = bus/bus.c bus/bus.h bus/listeners/listener.h \
 	sa/tasks/ike_mobike.h sa/tasks/ike_rekey.c \
 	sa/tasks/ike_rekey.h sa/tasks/ike_reauth.c \
 	sa/tasks/ike_reauth.h sa/tasks/ike_auth_lifetime.c \
-	sa/tasks/ike_auth_lifetime.h sa/tasks/task.c sa/tasks/task.h \
+	sa/tasks/ike_auth_lifetime.h sa/tasks/ike_vendor.c \
+	sa/tasks/ike_vendor.h sa/tasks/task.c sa/tasks/task.h \
 	credentials/credential_manager.c \
 	credentials/credential_manager.h \
 	credentials/sets/auth_cfg_wrapper.c \
@@ -595,14 +641,11 @@ charon_SOURCES = bus/bus.c bus/bus.h bus/listeners/listener.h \
 	credentials/sets/cert_cache.c credentials/sets/cert_cache.h \
 	credentials/credential_set.h $(am__append_1) $(am__append_2) \
 	$(am__append_3)
-INCLUDES = -I${linuxdir} -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
+INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
 AM_CFLAGS = -rdynamic -DIPSEC_DIR=\"${ipsecdir}\" \
-	-DIPSEC_PIDDIR=\"${piddir}\" \
-	-DIPSEC_PLUGINDIR=\"${plugindir}\" \
-	-DSTRONGSWAN_CONF=\"${strongswan_conf}\" \
-	-DPLUGINS=\""${PLUGINS}\""
-charon_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la \
-	-lpthread -lm $(DLLIB) $(SOCKLIB) $(am__append_4)
+	-DIPSEC_PIDDIR=\"${piddir}\" -DPLUGINS=\""${PLUGINS}\""
+charon_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -lm \
+	$(PTHREADLIB) $(DLLIB) $(SOCKLIB) $(am__append_4)
 
 # build optional plugins
 ########################
@@ -613,7 +656,8 @@ SUBDIRS = . $(am__append_5) $(am__append_7) $(am__append_9) \
 	$(am__append_29) $(am__append_31) $(am__append_33) \
 	$(am__append_35) $(am__append_37) $(am__append_39) \
 	$(am__append_41) $(am__append_43) $(am__append_45) \
-	$(am__append_47) $(am__append_49) $(am__append_51)
+	$(am__append_47) $(am__append_49) $(am__append_51) \
+	$(am__append_53) $(am__append_55) $(am__append_57)
 PLUGINS = ${libstrongswan_plugins} $(am__append_6) $(am__append_8) \
 	$(am__append_10) $(am__append_12) $(am__append_14) \
 	$(am__append_16) $(am__append_18) $(am__append_20) \
@@ -622,7 +666,8 @@ PLUGINS = ${libstrongswan_plugins} $(am__append_6) $(am__append_8) \
 	$(am__append_34) $(am__append_36) $(am__append_38) \
 	$(am__append_40) $(am__append_42) $(am__append_44) \
 	$(am__append_46) $(am__append_48) $(am__append_50) \
-	$(am__append_52)
+	$(am__append_52) $(am__append_54) $(am__append_56) \
+	$(am__append_58)
 all: all-recursive
 
 .SUFFIXES:
@@ -636,9 +681,9 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/charon/Makefile'; \
-	cd $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu  src/charon/Makefile
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/charon/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/charon/Makefile
 .PRECIOUS: Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
@@ -656,34 +701,50 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
 install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
 	@$(NORMAL_INSTALL)
 	test -z "$(ipsecdir)" || $(MKDIR_P) "$(DESTDIR)$(ipsecdir)"
-	@list='$(ipsec_PROGRAMS)'; for p in $$list; do \
-	  p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
-	  if test -f $$p \
-	     || test -f $$p1 \
-	  ; then \
-	    f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \
-	   echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(ipsecPROGRAMS_INSTALL) '$$p' '$(DESTDIR)$(ipsecdir)/$$f'"; \
-	   $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(ipsecPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(ipsecdir)/$$f" || exit 1; \
-	  else :; fi; \
-	done
+	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
+	for p in $$list; do echo "$$p $$p"; done | \
+	sed 's/$(EXEEXT)$$//' | \
+	while read p p1; do if test -f $$p || test -f $$p1; \
+	  then echo "$$p"; echo "$$p"; else :; fi; \
+	done | \
+	sed -e 'p;s,.*/,,;n;h' -e 's|.*|.|' \
+	    -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \
+	sed 'N;N;N;s,\n, ,g' | \
+	$(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \
+	  { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \
+	    if ($$2 == $$4) files[d] = files[d] " " $$1; \
+	    else { print "f", $$3 "/" $$4, $$1; } } \
+	  END { for (d in files) print "f", d, files[d] }' | \
+	while read type dir files; do \
+	    if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \
+	    test -z "$$files" || { \
+	    echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(ipsecdir)$$dir'"; \
+	    $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(ipsecdir)$$dir" || exit $$?; \
+	    } \
+	; done
 
 uninstall-ipsecPROGRAMS:
 	@$(NORMAL_UNINSTALL)
-	@list='$(ipsec_PROGRAMS)'; for p in $$list; do \
-	  f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \
-	  echo " rm -f '$(DESTDIR)$(ipsecdir)/$$f'"; \
-	  rm -f "$(DESTDIR)$(ipsecdir)/$$f"; \
-	done
+	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
+	files=`for p in $$list; do echo "$$p"; done | \
+	  sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \
+	      -e 's/$$/$(EXEEXT)/' `; \
+	test -n "$$list" || exit 0; \
+	echo " ( cd '$(DESTDIR)$(ipsecdir)' && rm -f" $$files ")"; \
+	cd "$(DESTDIR)$(ipsecdir)" && rm -f $$files
 
 clean-ipsecPROGRAMS:
-	@list='$(ipsec_PROGRAMS)'; for p in $$list; do \
-	  f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
-	  echo " rm -f $$p $$f"; \
-	  rm -f $$p $$f ; \
-	done
+	@list='$(ipsec_PROGRAMS)'; test -n "$$list" || exit 0; \
+	echo " rm -f" $$list; \
+	rm -f $$list || exit $$?; \
+	test -n "$(EXEEXT)" || exit 0; \
+	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
+	echo " rm -f" $$list; \
+	rm -f $$list
 charon$(EXEEXT): $(charon_OBJECTS) $(charon_DEPENDENCIES) 
 	@rm -f charon$(EXEEXT)
 	$(LINK) $(charon_OBJECTS) $(charon_LDADD) $(LIBS)
@@ -695,7 +756,6 @@ distclean-compile:
 	-rm -f *.tab.c
 
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/acquire_job.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/attribute_manager.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/auth_cfg.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/auth_cfg_wrapper.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/auth_payload.Po@am__quote@
@@ -748,6 +808,8 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_sa.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_sa_id.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_sa_manager.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_vendor.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/inactivity_job.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/initiate_mediation_job.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ke_payload.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_interface.Po@am__quote@
@@ -786,7 +848,6 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sys_logger.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/task.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/task_manager.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/traffic_selector.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/traffic_selector_substructure.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/transform_attribute.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/transform_substructure.Po@am__quote@
@@ -798,1421 +859,1421 @@ distclean-compile:
 
 .c.o:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c $<
 
 .c.obj:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
 @am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
 
 bus.o: bus/bus.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT bus.o -MD -MP -MF $(DEPDIR)/bus.Tpo -c -o bus.o `test -f 'bus/bus.c' || echo '$(srcdir)/'`bus/bus.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/bus.Tpo $(DEPDIR)/bus.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/bus.Tpo $(DEPDIR)/bus.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='bus/bus.c' object='bus.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o bus.o `test -f 'bus/bus.c' || echo '$(srcdir)/'`bus/bus.c
 
 bus.obj: bus/bus.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT bus.obj -MD -MP -MF $(DEPDIR)/bus.Tpo -c -o bus.obj `if test -f 'bus/bus.c'; then $(CYGPATH_W) 'bus/bus.c'; else $(CYGPATH_W) '$(srcdir)/bus/bus.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/bus.Tpo $(DEPDIR)/bus.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/bus.Tpo $(DEPDIR)/bus.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='bus/bus.c' object='bus.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o bus.obj `if test -f 'bus/bus.c'; then $(CYGPATH_W) 'bus/bus.c'; else $(CYGPATH_W) '$(srcdir)/bus/bus.c'; fi`
 
 file_logger.o: bus/listeners/file_logger.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT file_logger.o -MD -MP -MF $(DEPDIR)/file_logger.Tpo -c -o file_logger.o `test -f 'bus/listeners/file_logger.c' || echo '$(srcdir)/'`bus/listeners/file_logger.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/file_logger.Tpo $(DEPDIR)/file_logger.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/file_logger.Tpo $(DEPDIR)/file_logger.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='bus/listeners/file_logger.c' object='file_logger.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o file_logger.o `test -f 'bus/listeners/file_logger.c' || echo '$(srcdir)/'`bus/listeners/file_logger.c
 
 file_logger.obj: bus/listeners/file_logger.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT file_logger.obj -MD -MP -MF $(DEPDIR)/file_logger.Tpo -c -o file_logger.obj `if test -f 'bus/listeners/file_logger.c'; then $(CYGPATH_W) 'bus/listeners/file_logger.c'; else $(CYGPATH_W) '$(srcdir)/bus/listeners/file_logger.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/file_logger.Tpo $(DEPDIR)/file_logger.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/file_logger.Tpo $(DEPDIR)/file_logger.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='bus/listeners/file_logger.c' object='file_logger.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o file_logger.obj `if test -f 'bus/listeners/file_logger.c'; then $(CYGPATH_W) 'bus/listeners/file_logger.c'; else $(CYGPATH_W) '$(srcdir)/bus/listeners/file_logger.c'; fi`
 
 sys_logger.o: bus/listeners/sys_logger.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sys_logger.o -MD -MP -MF $(DEPDIR)/sys_logger.Tpo -c -o sys_logger.o `test -f 'bus/listeners/sys_logger.c' || echo '$(srcdir)/'`bus/listeners/sys_logger.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/sys_logger.Tpo $(DEPDIR)/sys_logger.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/sys_logger.Tpo $(DEPDIR)/sys_logger.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='bus/listeners/sys_logger.c' object='sys_logger.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sys_logger.o `test -f 'bus/listeners/sys_logger.c' || echo '$(srcdir)/'`bus/listeners/sys_logger.c
 
 sys_logger.obj: bus/listeners/sys_logger.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sys_logger.obj -MD -MP -MF $(DEPDIR)/sys_logger.Tpo -c -o sys_logger.obj `if test -f 'bus/listeners/sys_logger.c'; then $(CYGPATH_W) 'bus/listeners/sys_logger.c'; else $(CYGPATH_W) '$(srcdir)/bus/listeners/sys_logger.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/sys_logger.Tpo $(DEPDIR)/sys_logger.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/sys_logger.Tpo $(DEPDIR)/sys_logger.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='bus/listeners/sys_logger.c' object='sys_logger.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sys_logger.obj `if test -f 'bus/listeners/sys_logger.c'; then $(CYGPATH_W) 'bus/listeners/sys_logger.c'; else $(CYGPATH_W) '$(srcdir)/bus/listeners/sys_logger.c'; fi`
 
 backend_manager.o: config/backend_manager.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT backend_manager.o -MD -MP -MF $(DEPDIR)/backend_manager.Tpo -c -o backend_manager.o `test -f 'config/backend_manager.c' || echo '$(srcdir)/'`config/backend_manager.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/backend_manager.Tpo $(DEPDIR)/backend_manager.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/backend_manager.Tpo $(DEPDIR)/backend_manager.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='config/backend_manager.c' object='backend_manager.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o backend_manager.o `test -f 'config/backend_manager.c' || echo '$(srcdir)/'`config/backend_manager.c
 
 backend_manager.obj: config/backend_manager.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT backend_manager.obj -MD -MP -MF $(DEPDIR)/backend_manager.Tpo -c -o backend_manager.obj `if test -f 'config/backend_manager.c'; then $(CYGPATH_W) 'config/backend_manager.c'; else $(CYGPATH_W) '$(srcdir)/config/backend_manager.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/backend_manager.Tpo $(DEPDIR)/backend_manager.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/backend_manager.Tpo $(DEPDIR)/backend_manager.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='config/backend_manager.c' object='backend_manager.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o backend_manager.obj `if test -f 'config/backend_manager.c'; then $(CYGPATH_W) 'config/backend_manager.c'; else $(CYGPATH_W) '$(srcdir)/config/backend_manager.c'; fi`
 
 child_cfg.o: config/child_cfg.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT child_cfg.o -MD -MP -MF $(DEPDIR)/child_cfg.Tpo -c -o child_cfg.o `test -f 'config/child_cfg.c' || echo '$(srcdir)/'`config/child_cfg.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/child_cfg.Tpo $(DEPDIR)/child_cfg.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/child_cfg.Tpo $(DEPDIR)/child_cfg.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='config/child_cfg.c' object='child_cfg.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o child_cfg.o `test -f 'config/child_cfg.c' || echo '$(srcdir)/'`config/child_cfg.c
 
 child_cfg.obj: config/child_cfg.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT child_cfg.obj -MD -MP -MF $(DEPDIR)/child_cfg.Tpo -c -o child_cfg.obj `if test -f 'config/child_cfg.c'; then $(CYGPATH_W) 'config/child_cfg.c'; else $(CYGPATH_W) '$(srcdir)/config/child_cfg.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/child_cfg.Tpo $(DEPDIR)/child_cfg.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/child_cfg.Tpo $(DEPDIR)/child_cfg.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='config/child_cfg.c' object='child_cfg.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o child_cfg.obj `if test -f 'config/child_cfg.c'; then $(CYGPATH_W) 'config/child_cfg.c'; else $(CYGPATH_W) '$(srcdir)/config/child_cfg.c'; fi`
 
 ike_cfg.o: config/ike_cfg.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_cfg.o -MD -MP -MF $(DEPDIR)/ike_cfg.Tpo -c -o ike_cfg.o `test -f 'config/ike_cfg.c' || echo '$(srcdir)/'`config/ike_cfg.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/ike_cfg.Tpo $(DEPDIR)/ike_cfg.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_cfg.Tpo $(DEPDIR)/ike_cfg.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='config/ike_cfg.c' object='ike_cfg.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_cfg.o `test -f 'config/ike_cfg.c' || echo '$(srcdir)/'`config/ike_cfg.c
 
 ike_cfg.obj: config/ike_cfg.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_cfg.obj -MD -MP -MF $(DEPDIR)/ike_cfg.Tpo -c -o ike_cfg.obj `if test -f 'config/ike_cfg.c'; then $(CYGPATH_W) 'config/ike_cfg.c'; else $(CYGPATH_W) '$(srcdir)/config/ike_cfg.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/ike_cfg.Tpo $(DEPDIR)/ike_cfg.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_cfg.Tpo $(DEPDIR)/ike_cfg.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='config/ike_cfg.c' object='ike_cfg.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_cfg.obj `if test -f 'config/ike_cfg.c'; then $(CYGPATH_W) 'config/ike_cfg.c'; else $(CYGPATH_W) '$(srcdir)/config/ike_cfg.c'; fi`
 
 peer_cfg.o: config/peer_cfg.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT peer_cfg.o -MD -MP -MF $(DEPDIR)/peer_cfg.Tpo -c -o peer_cfg.o `test -f 'config/peer_cfg.c' || echo '$(srcdir)/'`config/peer_cfg.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/peer_cfg.Tpo $(DEPDIR)/peer_cfg.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/peer_cfg.Tpo $(DEPDIR)/peer_cfg.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='config/peer_cfg.c' object='peer_cfg.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o peer_cfg.o `test -f 'config/peer_cfg.c' || echo '$(srcdir)/'`config/peer_cfg.c
 
 peer_cfg.obj: config/peer_cfg.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT peer_cfg.obj -MD -MP -MF $(DEPDIR)/peer_cfg.Tpo -c -o peer_cfg.obj `if test -f 'config/peer_cfg.c'; then $(CYGPATH_W) 'config/peer_cfg.c'; else $(CYGPATH_W) '$(srcdir)/config/peer_cfg.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/peer_cfg.Tpo $(DEPDIR)/peer_cfg.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/peer_cfg.Tpo $(DEPDIR)/peer_cfg.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='config/peer_cfg.c' object='peer_cfg.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o peer_cfg.obj `if test -f 'config/peer_cfg.c'; then $(CYGPATH_W) 'config/peer_cfg.c'; else $(CYGPATH_W) '$(srcdir)/config/peer_cfg.c'; fi`
 
 proposal.o: config/proposal.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT proposal.o -MD -MP -MF $(DEPDIR)/proposal.Tpo -c -o proposal.o `test -f 'config/proposal.c' || echo '$(srcdir)/'`config/proposal.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/proposal.Tpo $(DEPDIR)/proposal.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/proposal.Tpo $(DEPDIR)/proposal.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='config/proposal.c' object='proposal.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o proposal.o `test -f 'config/proposal.c' || echo '$(srcdir)/'`config/proposal.c
 
 proposal.obj: config/proposal.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT proposal.obj -MD -MP -MF $(DEPDIR)/proposal.Tpo -c -o proposal.obj `if test -f 'config/proposal.c'; then $(CYGPATH_W) 'config/proposal.c'; else $(CYGPATH_W) '$(srcdir)/config/proposal.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/proposal.Tpo $(DEPDIR)/proposal.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/proposal.Tpo $(DEPDIR)/proposal.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='config/proposal.c' object='proposal.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o proposal.obj `if test -f 'config/proposal.c'; then $(CYGPATH_W) 'config/proposal.c'; else $(CYGPATH_W) '$(srcdir)/config/proposal.c'; fi`
 
 auth_cfg.o: config/auth_cfg.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT auth_cfg.o -MD -MP -MF $(DEPDIR)/auth_cfg.Tpo -c -o auth_cfg.o `test -f 'config/auth_cfg.c' || echo '$(srcdir)/'`config/auth_cfg.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/auth_cfg.Tpo $(DEPDIR)/auth_cfg.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/auth_cfg.Tpo $(DEPDIR)/auth_cfg.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='config/auth_cfg.c' object='auth_cfg.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o auth_cfg.o `test -f 'config/auth_cfg.c' || echo '$(srcdir)/'`config/auth_cfg.c
 
 auth_cfg.obj: config/auth_cfg.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT auth_cfg.obj -MD -MP -MF $(DEPDIR)/auth_cfg.Tpo -c -o auth_cfg.obj `if test -f 'config/auth_cfg.c'; then $(CYGPATH_W) 'config/auth_cfg.c'; else $(CYGPATH_W) '$(srcdir)/config/auth_cfg.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/auth_cfg.Tpo $(DEPDIR)/auth_cfg.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/auth_cfg.Tpo $(DEPDIR)/auth_cfg.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='config/auth_cfg.c' object='auth_cfg.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o auth_cfg.obj `if test -f 'config/auth_cfg.c'; then $(CYGPATH_W) 'config/auth_cfg.c'; else $(CYGPATH_W) '$(srcdir)/config/auth_cfg.c'; fi`
 
-traffic_selector.o: config/traffic_selector.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT traffic_selector.o -MD -MP -MF $(DEPDIR)/traffic_selector.Tpo -c -o traffic_selector.o `test -f 'config/traffic_selector.c' || echo '$(srcdir)/'`config/traffic_selector.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/traffic_selector.Tpo $(DEPDIR)/traffic_selector.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='config/traffic_selector.c' object='traffic_selector.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o traffic_selector.o `test -f 'config/traffic_selector.c' || echo '$(srcdir)/'`config/traffic_selector.c
-
-traffic_selector.obj: config/traffic_selector.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT traffic_selector.obj -MD -MP -MF $(DEPDIR)/traffic_selector.Tpo -c -o traffic_selector.obj `if test -f 'config/traffic_selector.c'; then $(CYGPATH_W) 'config/traffic_selector.c'; else $(CYGPATH_W) '$(srcdir)/config/traffic_selector.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/traffic_selector.Tpo $(DEPDIR)/traffic_selector.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='config/traffic_selector.c' object='traffic_selector.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o traffic_selector.obj `if test -f 'config/traffic_selector.c'; then $(CYGPATH_W) 'config/traffic_selector.c'; else $(CYGPATH_W) '$(srcdir)/config/traffic_selector.c'; fi`
-
-attribute_manager.o: config/attributes/attribute_manager.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT attribute_manager.o -MD -MP -MF $(DEPDIR)/attribute_manager.Tpo -c -o attribute_manager.o `test -f 'config/attributes/attribute_manager.c' || echo '$(srcdir)/'`config/attributes/attribute_manager.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/attribute_manager.Tpo $(DEPDIR)/attribute_manager.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='config/attributes/attribute_manager.c' object='attribute_manager.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o attribute_manager.o `test -f 'config/attributes/attribute_manager.c' || echo '$(srcdir)/'`config/attributes/attribute_manager.c
-
-attribute_manager.obj: config/attributes/attribute_manager.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT attribute_manager.obj -MD -MP -MF $(DEPDIR)/attribute_manager.Tpo -c -o attribute_manager.obj `if test -f 'config/attributes/attribute_manager.c'; then $(CYGPATH_W) 'config/attributes/attribute_manager.c'; else $(CYGPATH_W) '$(srcdir)/config/attributes/attribute_manager.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/attribute_manager.Tpo $(DEPDIR)/attribute_manager.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='config/attributes/attribute_manager.c' object='attribute_manager.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o attribute_manager.obj `if test -f 'config/attributes/attribute_manager.c'; then $(CYGPATH_W) 'config/attributes/attribute_manager.c'; else $(CYGPATH_W) '$(srcdir)/config/attributes/attribute_manager.c'; fi`
-
 controller.o: control/controller.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT controller.o -MD -MP -MF $(DEPDIR)/controller.Tpo -c -o controller.o `test -f 'control/controller.c' || echo '$(srcdir)/'`control/controller.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/controller.Tpo $(DEPDIR)/controller.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/controller.Tpo $(DEPDIR)/controller.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='control/controller.c' object='controller.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o controller.o `test -f 'control/controller.c' || echo '$(srcdir)/'`control/controller.c
 
 controller.obj: control/controller.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT controller.obj -MD -MP -MF $(DEPDIR)/controller.Tpo -c -o controller.obj `if test -f 'control/controller.c'; then $(CYGPATH_W) 'control/controller.c'; else $(CYGPATH_W) '$(srcdir)/control/controller.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/controller.Tpo $(DEPDIR)/controller.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/controller.Tpo $(DEPDIR)/controller.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='control/controller.c' object='controller.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o controller.obj `if test -f 'control/controller.c'; then $(CYGPATH_W) 'control/controller.c'; else $(CYGPATH_W) '$(srcdir)/control/controller.c'; fi`
 
 generator.o: encoding/generator.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT generator.o -MD -MP -MF $(DEPDIR)/generator.Tpo -c -o generator.o `test -f 'encoding/generator.c' || echo '$(srcdir)/'`encoding/generator.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/generator.Tpo $(DEPDIR)/generator.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/generator.Tpo $(DEPDIR)/generator.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/generator.c' object='generator.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o generator.o `test -f 'encoding/generator.c' || echo '$(srcdir)/'`encoding/generator.c
 
 generator.obj: encoding/generator.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT generator.obj -MD -MP -MF $(DEPDIR)/generator.Tpo -c -o generator.obj `if test -f 'encoding/generator.c'; then $(CYGPATH_W) 'encoding/generator.c'; else $(CYGPATH_W) '$(srcdir)/encoding/generator.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/generator.Tpo $(DEPDIR)/generator.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/generator.Tpo $(DEPDIR)/generator.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/generator.c' object='generator.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o generator.obj `if test -f 'encoding/generator.c'; then $(CYGPATH_W) 'encoding/generator.c'; else $(CYGPATH_W) '$(srcdir)/encoding/generator.c'; fi`
 
 message.o: encoding/message.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT message.o -MD -MP -MF $(DEPDIR)/message.Tpo -c -o message.o `test -f 'encoding/message.c' || echo '$(srcdir)/'`encoding/message.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/message.Tpo $(DEPDIR)/message.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/message.Tpo $(DEPDIR)/message.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/message.c' object='message.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o message.o `test -f 'encoding/message.c' || echo '$(srcdir)/'`encoding/message.c
 
 message.obj: encoding/message.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT message.obj -MD -MP -MF $(DEPDIR)/message.Tpo -c -o message.obj `if test -f 'encoding/message.c'; then $(CYGPATH_W) 'encoding/message.c'; else $(CYGPATH_W) '$(srcdir)/encoding/message.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/message.Tpo $(DEPDIR)/message.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/message.Tpo $(DEPDIR)/message.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/message.c' object='message.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o message.obj `if test -f 'encoding/message.c'; then $(CYGPATH_W) 'encoding/message.c'; else $(CYGPATH_W) '$(srcdir)/encoding/message.c'; fi`
 
 parser.o: encoding/parser.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT parser.o -MD -MP -MF $(DEPDIR)/parser.Tpo -c -o parser.o `test -f 'encoding/parser.c' || echo '$(srcdir)/'`encoding/parser.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/parser.Tpo $(DEPDIR)/parser.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/parser.Tpo $(DEPDIR)/parser.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/parser.c' object='parser.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o parser.o `test -f 'encoding/parser.c' || echo '$(srcdir)/'`encoding/parser.c
 
 parser.obj: encoding/parser.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT parser.obj -MD -MP -MF $(DEPDIR)/parser.Tpo -c -o parser.obj `if test -f 'encoding/parser.c'; then $(CYGPATH_W) 'encoding/parser.c'; else $(CYGPATH_W) '$(srcdir)/encoding/parser.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/parser.Tpo $(DEPDIR)/parser.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/parser.Tpo $(DEPDIR)/parser.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/parser.c' object='parser.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o parser.obj `if test -f 'encoding/parser.c'; then $(CYGPATH_W) 'encoding/parser.c'; else $(CYGPATH_W) '$(srcdir)/encoding/parser.c'; fi`
 
 auth_payload.o: encoding/payloads/auth_payload.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT auth_payload.o -MD -MP -MF $(DEPDIR)/auth_payload.Tpo -c -o auth_payload.o `test -f 'encoding/payloads/auth_payload.c' || echo '$(srcdir)/'`encoding/payloads/auth_payload.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/auth_payload.Tpo $(DEPDIR)/auth_payload.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/auth_payload.Tpo $(DEPDIR)/auth_payload.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/auth_payload.c' object='auth_payload.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o auth_payload.o `test -f 'encoding/payloads/auth_payload.c' || echo '$(srcdir)/'`encoding/payloads/auth_payload.c
 
 auth_payload.obj: encoding/payloads/auth_payload.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT auth_payload.obj -MD -MP -MF $(DEPDIR)/auth_payload.Tpo -c -o auth_payload.obj `if test -f 'encoding/payloads/auth_payload.c'; then $(CYGPATH_W) 'encoding/payloads/auth_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/auth_payload.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/auth_payload.Tpo $(DEPDIR)/auth_payload.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/auth_payload.Tpo $(DEPDIR)/auth_payload.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/auth_payload.c' object='auth_payload.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o auth_payload.obj `if test -f 'encoding/payloads/auth_payload.c'; then $(CYGPATH_W) 'encoding/payloads/auth_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/auth_payload.c'; fi`
 
 cert_payload.o: encoding/payloads/cert_payload.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cert_payload.o -MD -MP -MF $(DEPDIR)/cert_payload.Tpo -c -o cert_payload.o `test -f 'encoding/payloads/cert_payload.c' || echo '$(srcdir)/'`encoding/payloads/cert_payload.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/cert_payload.Tpo $(DEPDIR)/cert_payload.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/cert_payload.Tpo $(DEPDIR)/cert_payload.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/cert_payload.c' object='cert_payload.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cert_payload.o `test -f 'encoding/payloads/cert_payload.c' || echo '$(srcdir)/'`encoding/payloads/cert_payload.c
 
 cert_payload.obj: encoding/payloads/cert_payload.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cert_payload.obj -MD -MP -MF $(DEPDIR)/cert_payload.Tpo -c -o cert_payload.obj `if test -f 'encoding/payloads/cert_payload.c'; then $(CYGPATH_W) 'encoding/payloads/cert_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/cert_payload.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/cert_payload.Tpo $(DEPDIR)/cert_payload.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/cert_payload.Tpo $(DEPDIR)/cert_payload.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/cert_payload.c' object='cert_payload.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cert_payload.obj `if test -f 'encoding/payloads/cert_payload.c'; then $(CYGPATH_W) 'encoding/payloads/cert_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/cert_payload.c'; fi`
 
 certreq_payload.o: encoding/payloads/certreq_payload.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT certreq_payload.o -MD -MP -MF $(DEPDIR)/certreq_payload.Tpo -c -o certreq_payload.o `test -f 'encoding/payloads/certreq_payload.c' || echo '$(srcdir)/'`encoding/payloads/certreq_payload.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/certreq_payload.Tpo $(DEPDIR)/certreq_payload.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/certreq_payload.Tpo $(DEPDIR)/certreq_payload.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/certreq_payload.c' object='certreq_payload.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o certreq_payload.o `test -f 'encoding/payloads/certreq_payload.c' || echo '$(srcdir)/'`encoding/payloads/certreq_payload.c
 
 certreq_payload.obj: encoding/payloads/certreq_payload.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT certreq_payload.obj -MD -MP -MF $(DEPDIR)/certreq_payload.Tpo -c -o certreq_payload.obj `if test -f 'encoding/payloads/certreq_payload.c'; then $(CYGPATH_W) 'encoding/payloads/certreq_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/certreq_payload.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/certreq_payload.Tpo $(DEPDIR)/certreq_payload.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/certreq_payload.Tpo $(DEPDIR)/certreq_payload.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/certreq_payload.c' object='certreq_payload.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o certreq_payload.obj `if test -f 'encoding/payloads/certreq_payload.c'; then $(CYGPATH_W) 'encoding/payloads/certreq_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/certreq_payload.c'; fi`
 
 configuration_attribute.o: encoding/payloads/configuration_attribute.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT configuration_attribute.o -MD -MP -MF $(DEPDIR)/configuration_attribute.Tpo -c -o configuration_attribute.o `test -f 'encoding/payloads/configuration_attribute.c' || echo '$(srcdir)/'`encoding/payloads/configuration_attribute.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/configuration_attribute.Tpo $(DEPDIR)/configuration_attribute.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/configuration_attribute.Tpo $(DEPDIR)/configuration_attribute.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/configuration_attribute.c' object='configuration_attribute.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o configuration_attribute.o `test -f 'encoding/payloads/configuration_attribute.c' || echo '$(srcdir)/'`encoding/payloads/configuration_attribute.c
 
 configuration_attribute.obj: encoding/payloads/configuration_attribute.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT configuration_attribute.obj -MD -MP -MF $(DEPDIR)/configuration_attribute.Tpo -c -o configuration_attribute.obj `if test -f 'encoding/payloads/configuration_attribute.c'; then $(CYGPATH_W) 'encoding/payloads/configuration_attribute.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/configuration_attribute.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/configuration_attribute.Tpo $(DEPDIR)/configuration_attribute.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/configuration_attribute.Tpo $(DEPDIR)/configuration_attribute.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/configuration_attribute.c' object='configuration_attribute.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o configuration_attribute.obj `if test -f 'encoding/payloads/configuration_attribute.c'; then $(CYGPATH_W) 'encoding/payloads/configuration_attribute.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/configuration_attribute.c'; fi`
 
 cp_payload.o: encoding/payloads/cp_payload.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cp_payload.o -MD -MP -MF $(DEPDIR)/cp_payload.Tpo -c -o cp_payload.o `test -f 'encoding/payloads/cp_payload.c' || echo '$(srcdir)/'`encoding/payloads/cp_payload.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/cp_payload.Tpo $(DEPDIR)/cp_payload.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/cp_payload.Tpo $(DEPDIR)/cp_payload.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/cp_payload.c' object='cp_payload.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cp_payload.o `test -f 'encoding/payloads/cp_payload.c' || echo '$(srcdir)/'`encoding/payloads/cp_payload.c
 
 cp_payload.obj: encoding/payloads/cp_payload.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cp_payload.obj -MD -MP -MF $(DEPDIR)/cp_payload.Tpo -c -o cp_payload.obj `if test -f 'encoding/payloads/cp_payload.c'; then $(CYGPATH_W) 'encoding/payloads/cp_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/cp_payload.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/cp_payload.Tpo $(DEPDIR)/cp_payload.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/cp_payload.Tpo $(DEPDIR)/cp_payload.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/cp_payload.c' object='cp_payload.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cp_payload.obj `if test -f 'encoding/payloads/cp_payload.c'; then $(CYGPATH_W) 'encoding/payloads/cp_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/cp_payload.c'; fi`
 
 delete_payload.o: encoding/payloads/delete_payload.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT delete_payload.o -MD -MP -MF $(DEPDIR)/delete_payload.Tpo -c -o delete_payload.o `test -f 'encoding/payloads/delete_payload.c' || echo '$(srcdir)/'`encoding/payloads/delete_payload.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/delete_payload.Tpo $(DEPDIR)/delete_payload.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/delete_payload.Tpo $(DEPDIR)/delete_payload.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/delete_payload.c' object='delete_payload.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o delete_payload.o `test -f 'encoding/payloads/delete_payload.c' || echo '$(srcdir)/'`encoding/payloads/delete_payload.c
 
 delete_payload.obj: encoding/payloads/delete_payload.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT delete_payload.obj -MD -MP -MF $(DEPDIR)/delete_payload.Tpo -c -o delete_payload.obj `if test -f 'encoding/payloads/delete_payload.c'; then $(CYGPATH_W) 'encoding/payloads/delete_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/delete_payload.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/delete_payload.Tpo $(DEPDIR)/delete_payload.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/delete_payload.Tpo $(DEPDIR)/delete_payload.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/delete_payload.c' object='delete_payload.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o delete_payload.obj `if test -f 'encoding/payloads/delete_payload.c'; then $(CYGPATH_W) 'encoding/payloads/delete_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/delete_payload.c'; fi`
 
 eap_payload.o: encoding/payloads/eap_payload.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT eap_payload.o -MD -MP -MF $(DEPDIR)/eap_payload.Tpo -c -o eap_payload.o `test -f 'encoding/payloads/eap_payload.c' || echo '$(srcdir)/'`encoding/payloads/eap_payload.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/eap_payload.Tpo $(DEPDIR)/eap_payload.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/eap_payload.Tpo $(DEPDIR)/eap_payload.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/eap_payload.c' object='eap_payload.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o eap_payload.o `test -f 'encoding/payloads/eap_payload.c' || echo '$(srcdir)/'`encoding/payloads/eap_payload.c
 
 eap_payload.obj: encoding/payloads/eap_payload.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT eap_payload.obj -MD -MP -MF $(DEPDIR)/eap_payload.Tpo -c -o eap_payload.obj `if test -f 'encoding/payloads/eap_payload.c'; then $(CYGPATH_W) 'encoding/payloads/eap_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/eap_payload.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/eap_payload.Tpo $(DEPDIR)/eap_payload.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/eap_payload.Tpo $(DEPDIR)/eap_payload.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/eap_payload.c' object='eap_payload.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o eap_payload.obj `if test -f 'encoding/payloads/eap_payload.c'; then $(CYGPATH_W) 'encoding/payloads/eap_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/eap_payload.c'; fi`
 
 encodings.o: encoding/payloads/encodings.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT encodings.o -MD -MP -MF $(DEPDIR)/encodings.Tpo -c -o encodings.o `test -f 'encoding/payloads/encodings.c' || echo '$(srcdir)/'`encoding/payloads/encodings.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/encodings.Tpo $(DEPDIR)/encodings.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/encodings.Tpo $(DEPDIR)/encodings.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/encodings.c' object='encodings.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o encodings.o `test -f 'encoding/payloads/encodings.c' || echo '$(srcdir)/'`encoding/payloads/encodings.c
 
 encodings.obj: encoding/payloads/encodings.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT encodings.obj -MD -MP -MF $(DEPDIR)/encodings.Tpo -c -o encodings.obj `if test -f 'encoding/payloads/encodings.c'; then $(CYGPATH_W) 'encoding/payloads/encodings.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/encodings.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/encodings.Tpo $(DEPDIR)/encodings.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/encodings.Tpo $(DEPDIR)/encodings.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/encodings.c' object='encodings.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o encodings.obj `if test -f 'encoding/payloads/encodings.c'; then $(CYGPATH_W) 'encoding/payloads/encodings.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/encodings.c'; fi`
 
 encryption_payload.o: encoding/payloads/encryption_payload.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT encryption_payload.o -MD -MP -MF $(DEPDIR)/encryption_payload.Tpo -c -o encryption_payload.o `test -f 'encoding/payloads/encryption_payload.c' || echo '$(srcdir)/'`encoding/payloads/encryption_payload.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/encryption_payload.Tpo $(DEPDIR)/encryption_payload.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/encryption_payload.Tpo $(DEPDIR)/encryption_payload.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/encryption_payload.c' object='encryption_payload.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o encryption_payload.o `test -f 'encoding/payloads/encryption_payload.c' || echo '$(srcdir)/'`encoding/payloads/encryption_payload.c
 
 encryption_payload.obj: encoding/payloads/encryption_payload.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT encryption_payload.obj -MD -MP -MF $(DEPDIR)/encryption_payload.Tpo -c -o encryption_payload.obj `if test -f 'encoding/payloads/encryption_payload.c'; then $(CYGPATH_W) 'encoding/payloads/encryption_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/encryption_payload.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/encryption_payload.Tpo $(DEPDIR)/encryption_payload.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/encryption_payload.Tpo $(DEPDIR)/encryption_payload.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/encryption_payload.c' object='encryption_payload.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o encryption_payload.obj `if test -f 'encoding/payloads/encryption_payload.c'; then $(CYGPATH_W) 'encoding/payloads/encryption_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/encryption_payload.c'; fi`
 
 id_payload.o: encoding/payloads/id_payload.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT id_payload.o -MD -MP -MF $(DEPDIR)/id_payload.Tpo -c -o id_payload.o `test -f 'encoding/payloads/id_payload.c' || echo '$(srcdir)/'`encoding/payloads/id_payload.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/id_payload.Tpo $(DEPDIR)/id_payload.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/id_payload.Tpo $(DEPDIR)/id_payload.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/id_payload.c' object='id_payload.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o id_payload.o `test -f 'encoding/payloads/id_payload.c' || echo '$(srcdir)/'`encoding/payloads/id_payload.c
 
 id_payload.obj: encoding/payloads/id_payload.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT id_payload.obj -MD -MP -MF $(DEPDIR)/id_payload.Tpo -c -o id_payload.obj `if test -f 'encoding/payloads/id_payload.c'; then $(CYGPATH_W) 'encoding/payloads/id_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/id_payload.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/id_payload.Tpo $(DEPDIR)/id_payload.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/id_payload.Tpo $(DEPDIR)/id_payload.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/id_payload.c' object='id_payload.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o id_payload.obj `if test -f 'encoding/payloads/id_payload.c'; then $(CYGPATH_W) 'encoding/payloads/id_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/id_payload.c'; fi`
 
 ike_header.o: encoding/payloads/ike_header.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_header.o -MD -MP -MF $(DEPDIR)/ike_header.Tpo -c -o ike_header.o `test -f 'encoding/payloads/ike_header.c' || echo '$(srcdir)/'`encoding/payloads/ike_header.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/ike_header.Tpo $(DEPDIR)/ike_header.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_header.Tpo $(DEPDIR)/ike_header.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/ike_header.c' object='ike_header.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_header.o `test -f 'encoding/payloads/ike_header.c' || echo '$(srcdir)/'`encoding/payloads/ike_header.c
 
 ike_header.obj: encoding/payloads/ike_header.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_header.obj -MD -MP -MF $(DEPDIR)/ike_header.Tpo -c -o ike_header.obj `if test -f 'encoding/payloads/ike_header.c'; then $(CYGPATH_W) 'encoding/payloads/ike_header.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/ike_header.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/ike_header.Tpo $(DEPDIR)/ike_header.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_header.Tpo $(DEPDIR)/ike_header.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/ike_header.c' object='ike_header.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_header.obj `if test -f 'encoding/payloads/ike_header.c'; then $(CYGPATH_W) 'encoding/payloads/ike_header.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/ike_header.c'; fi`
 
 ke_payload.o: encoding/payloads/ke_payload.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ke_payload.o -MD -MP -MF $(DEPDIR)/ke_payload.Tpo -c -o ke_payload.o `test -f 'encoding/payloads/ke_payload.c' || echo '$(srcdir)/'`encoding/payloads/ke_payload.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/ke_payload.Tpo $(DEPDIR)/ke_payload.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ke_payload.Tpo $(DEPDIR)/ke_payload.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/ke_payload.c' object='ke_payload.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ke_payload.o `test -f 'encoding/payloads/ke_payload.c' || echo '$(srcdir)/'`encoding/payloads/ke_payload.c
 
 ke_payload.obj: encoding/payloads/ke_payload.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ke_payload.obj -MD -MP -MF $(DEPDIR)/ke_payload.Tpo -c -o ke_payload.obj `if test -f 'encoding/payloads/ke_payload.c'; then $(CYGPATH_W) 'encoding/payloads/ke_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/ke_payload.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/ke_payload.Tpo $(DEPDIR)/ke_payload.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ke_payload.Tpo $(DEPDIR)/ke_payload.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/ke_payload.c' object='ke_payload.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ke_payload.obj `if test -f 'encoding/payloads/ke_payload.c'; then $(CYGPATH_W) 'encoding/payloads/ke_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/ke_payload.c'; fi`
 
 nonce_payload.o: encoding/payloads/nonce_payload.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT nonce_payload.o -MD -MP -MF $(DEPDIR)/nonce_payload.Tpo -c -o nonce_payload.o `test -f 'encoding/payloads/nonce_payload.c' || echo '$(srcdir)/'`encoding/payloads/nonce_payload.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/nonce_payload.Tpo $(DEPDIR)/nonce_payload.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/nonce_payload.Tpo $(DEPDIR)/nonce_payload.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/nonce_payload.c' object='nonce_payload.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o nonce_payload.o `test -f 'encoding/payloads/nonce_payload.c' || echo '$(srcdir)/'`encoding/payloads/nonce_payload.c
 
 nonce_payload.obj: encoding/payloads/nonce_payload.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT nonce_payload.obj -MD -MP -MF $(DEPDIR)/nonce_payload.Tpo -c -o nonce_payload.obj `if test -f 'encoding/payloads/nonce_payload.c'; then $(CYGPATH_W) 'encoding/payloads/nonce_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/nonce_payload.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/nonce_payload.Tpo $(DEPDIR)/nonce_payload.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/nonce_payload.Tpo $(DEPDIR)/nonce_payload.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/nonce_payload.c' object='nonce_payload.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o nonce_payload.obj `if test -f 'encoding/payloads/nonce_payload.c'; then $(CYGPATH_W) 'encoding/payloads/nonce_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/nonce_payload.c'; fi`
 
 notify_payload.o: encoding/payloads/notify_payload.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT notify_payload.o -MD -MP -MF $(DEPDIR)/notify_payload.Tpo -c -o notify_payload.o `test -f 'encoding/payloads/notify_payload.c' || echo '$(srcdir)/'`encoding/payloads/notify_payload.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/notify_payload.Tpo $(DEPDIR)/notify_payload.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/notify_payload.Tpo $(DEPDIR)/notify_payload.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/notify_payload.c' object='notify_payload.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o notify_payload.o `test -f 'encoding/payloads/notify_payload.c' || echo '$(srcdir)/'`encoding/payloads/notify_payload.c
 
 notify_payload.obj: encoding/payloads/notify_payload.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT notify_payload.obj -MD -MP -MF $(DEPDIR)/notify_payload.Tpo -c -o notify_payload.obj `if test -f 'encoding/payloads/notify_payload.c'; then $(CYGPATH_W) 'encoding/payloads/notify_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/notify_payload.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/notify_payload.Tpo $(DEPDIR)/notify_payload.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/notify_payload.Tpo $(DEPDIR)/notify_payload.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/notify_payload.c' object='notify_payload.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o notify_payload.obj `if test -f 'encoding/payloads/notify_payload.c'; then $(CYGPATH_W) 'encoding/payloads/notify_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/notify_payload.c'; fi`
 
 payload.o: encoding/payloads/payload.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT payload.o -MD -MP -MF $(DEPDIR)/payload.Tpo -c -o payload.o `test -f 'encoding/payloads/payload.c' || echo '$(srcdir)/'`encoding/payloads/payload.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/payload.Tpo $(DEPDIR)/payload.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/payload.Tpo $(DEPDIR)/payload.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/payload.c' object='payload.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o payload.o `test -f 'encoding/payloads/payload.c' || echo '$(srcdir)/'`encoding/payloads/payload.c
 
 payload.obj: encoding/payloads/payload.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT payload.obj -MD -MP -MF $(DEPDIR)/payload.Tpo -c -o payload.obj `if test -f 'encoding/payloads/payload.c'; then $(CYGPATH_W) 'encoding/payloads/payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/payload.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/payload.Tpo $(DEPDIR)/payload.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/payload.Tpo $(DEPDIR)/payload.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/payload.c' object='payload.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o payload.obj `if test -f 'encoding/payloads/payload.c'; then $(CYGPATH_W) 'encoding/payloads/payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/payload.c'; fi`
 
 proposal_substructure.o: encoding/payloads/proposal_substructure.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT proposal_substructure.o -MD -MP -MF $(DEPDIR)/proposal_substructure.Tpo -c -o proposal_substructure.o `test -f 'encoding/payloads/proposal_substructure.c' || echo '$(srcdir)/'`encoding/payloads/proposal_substructure.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/proposal_substructure.Tpo $(DEPDIR)/proposal_substructure.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/proposal_substructure.Tpo $(DEPDIR)/proposal_substructure.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/proposal_substructure.c' object='proposal_substructure.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o proposal_substructure.o `test -f 'encoding/payloads/proposal_substructure.c' || echo '$(srcdir)/'`encoding/payloads/proposal_substructure.c
 
 proposal_substructure.obj: encoding/payloads/proposal_substructure.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT proposal_substructure.obj -MD -MP -MF $(DEPDIR)/proposal_substructure.Tpo -c -o proposal_substructure.obj `if test -f 'encoding/payloads/proposal_substructure.c'; then $(CYGPATH_W) 'encoding/payloads/proposal_substructure.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/proposal_substructure.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/proposal_substructure.Tpo $(DEPDIR)/proposal_substructure.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/proposal_substructure.Tpo $(DEPDIR)/proposal_substructure.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/proposal_substructure.c' object='proposal_substructure.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o proposal_substructure.obj `if test -f 'encoding/payloads/proposal_substructure.c'; then $(CYGPATH_W) 'encoding/payloads/proposal_substructure.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/proposal_substructure.c'; fi`
 
 sa_payload.o: encoding/payloads/sa_payload.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sa_payload.o -MD -MP -MF $(DEPDIR)/sa_payload.Tpo -c -o sa_payload.o `test -f 'encoding/payloads/sa_payload.c' || echo '$(srcdir)/'`encoding/payloads/sa_payload.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/sa_payload.Tpo $(DEPDIR)/sa_payload.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/sa_payload.Tpo $(DEPDIR)/sa_payload.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/sa_payload.c' object='sa_payload.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sa_payload.o `test -f 'encoding/payloads/sa_payload.c' || echo '$(srcdir)/'`encoding/payloads/sa_payload.c
 
 sa_payload.obj: encoding/payloads/sa_payload.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sa_payload.obj -MD -MP -MF $(DEPDIR)/sa_payload.Tpo -c -o sa_payload.obj `if test -f 'encoding/payloads/sa_payload.c'; then $(CYGPATH_W) 'encoding/payloads/sa_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/sa_payload.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/sa_payload.Tpo $(DEPDIR)/sa_payload.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/sa_payload.Tpo $(DEPDIR)/sa_payload.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/sa_payload.c' object='sa_payload.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sa_payload.obj `if test -f 'encoding/payloads/sa_payload.c'; then $(CYGPATH_W) 'encoding/payloads/sa_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/sa_payload.c'; fi`
 
 traffic_selector_substructure.o: encoding/payloads/traffic_selector_substructure.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT traffic_selector_substructure.o -MD -MP -MF $(DEPDIR)/traffic_selector_substructure.Tpo -c -o traffic_selector_substructure.o `test -f 'encoding/payloads/traffic_selector_substructure.c' || echo '$(srcdir)/'`encoding/payloads/traffic_selector_substructure.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/traffic_selector_substructure.Tpo $(DEPDIR)/traffic_selector_substructure.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/traffic_selector_substructure.Tpo $(DEPDIR)/traffic_selector_substructure.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/traffic_selector_substructure.c' object='traffic_selector_substructure.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o traffic_selector_substructure.o `test -f 'encoding/payloads/traffic_selector_substructure.c' || echo '$(srcdir)/'`encoding/payloads/traffic_selector_substructure.c
 
 traffic_selector_substructure.obj: encoding/payloads/traffic_selector_substructure.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT traffic_selector_substructure.obj -MD -MP -MF $(DEPDIR)/traffic_selector_substructure.Tpo -c -o traffic_selector_substructure.obj `if test -f 'encoding/payloads/traffic_selector_substructure.c'; then $(CYGPATH_W) 'encoding/payloads/traffic_selector_substructure.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/traffic_selector_substructure.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/traffic_selector_substructure.Tpo $(DEPDIR)/traffic_selector_substructure.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/traffic_selector_substructure.Tpo $(DEPDIR)/traffic_selector_substructure.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/traffic_selector_substructure.c' object='traffic_selector_substructure.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o traffic_selector_substructure.obj `if test -f 'encoding/payloads/traffic_selector_substructure.c'; then $(CYGPATH_W) 'encoding/payloads/traffic_selector_substructure.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/traffic_selector_substructure.c'; fi`
 
 transform_attribute.o: encoding/payloads/transform_attribute.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT transform_attribute.o -MD -MP -MF $(DEPDIR)/transform_attribute.Tpo -c -o transform_attribute.o `test -f 'encoding/payloads/transform_attribute.c' || echo '$(srcdir)/'`encoding/payloads/transform_attribute.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/transform_attribute.Tpo $(DEPDIR)/transform_attribute.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/transform_attribute.Tpo $(DEPDIR)/transform_attribute.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/transform_attribute.c' object='transform_attribute.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o transform_attribute.o `test -f 'encoding/payloads/transform_attribute.c' || echo '$(srcdir)/'`encoding/payloads/transform_attribute.c
 
 transform_attribute.obj: encoding/payloads/transform_attribute.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT transform_attribute.obj -MD -MP -MF $(DEPDIR)/transform_attribute.Tpo -c -o transform_attribute.obj `if test -f 'encoding/payloads/transform_attribute.c'; then $(CYGPATH_W) 'encoding/payloads/transform_attribute.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/transform_attribute.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/transform_attribute.Tpo $(DEPDIR)/transform_attribute.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/transform_attribute.Tpo $(DEPDIR)/transform_attribute.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/transform_attribute.c' object='transform_attribute.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o transform_attribute.obj `if test -f 'encoding/payloads/transform_attribute.c'; then $(CYGPATH_W) 'encoding/payloads/transform_attribute.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/transform_attribute.c'; fi`
 
 transform_substructure.o: encoding/payloads/transform_substructure.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT transform_substructure.o -MD -MP -MF $(DEPDIR)/transform_substructure.Tpo -c -o transform_substructure.o `test -f 'encoding/payloads/transform_substructure.c' || echo '$(srcdir)/'`encoding/payloads/transform_substructure.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/transform_substructure.Tpo $(DEPDIR)/transform_substructure.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/transform_substructure.Tpo $(DEPDIR)/transform_substructure.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/transform_substructure.c' object='transform_substructure.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o transform_substructure.o `test -f 'encoding/payloads/transform_substructure.c' || echo '$(srcdir)/'`encoding/payloads/transform_substructure.c
 
 transform_substructure.obj: encoding/payloads/transform_substructure.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT transform_substructure.obj -MD -MP -MF $(DEPDIR)/transform_substructure.Tpo -c -o transform_substructure.obj `if test -f 'encoding/payloads/transform_substructure.c'; then $(CYGPATH_W) 'encoding/payloads/transform_substructure.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/transform_substructure.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/transform_substructure.Tpo $(DEPDIR)/transform_substructure.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/transform_substructure.Tpo $(DEPDIR)/transform_substructure.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/transform_substructure.c' object='transform_substructure.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o transform_substructure.obj `if test -f 'encoding/payloads/transform_substructure.c'; then $(CYGPATH_W) 'encoding/payloads/transform_substructure.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/transform_substructure.c'; fi`
 
 ts_payload.o: encoding/payloads/ts_payload.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ts_payload.o -MD -MP -MF $(DEPDIR)/ts_payload.Tpo -c -o ts_payload.o `test -f 'encoding/payloads/ts_payload.c' || echo '$(srcdir)/'`encoding/payloads/ts_payload.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/ts_payload.Tpo $(DEPDIR)/ts_payload.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ts_payload.Tpo $(DEPDIR)/ts_payload.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/ts_payload.c' object='ts_payload.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ts_payload.o `test -f 'encoding/payloads/ts_payload.c' || echo '$(srcdir)/'`encoding/payloads/ts_payload.c
 
 ts_payload.obj: encoding/payloads/ts_payload.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ts_payload.obj -MD -MP -MF $(DEPDIR)/ts_payload.Tpo -c -o ts_payload.obj `if test -f 'encoding/payloads/ts_payload.c'; then $(CYGPATH_W) 'encoding/payloads/ts_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/ts_payload.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/ts_payload.Tpo $(DEPDIR)/ts_payload.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ts_payload.Tpo $(DEPDIR)/ts_payload.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/ts_payload.c' object='ts_payload.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ts_payload.obj `if test -f 'encoding/payloads/ts_payload.c'; then $(CYGPATH_W) 'encoding/payloads/ts_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/ts_payload.c'; fi`
 
 unknown_payload.o: encoding/payloads/unknown_payload.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT unknown_payload.o -MD -MP -MF $(DEPDIR)/unknown_payload.Tpo -c -o unknown_payload.o `test -f 'encoding/payloads/unknown_payload.c' || echo '$(srcdir)/'`encoding/payloads/unknown_payload.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/unknown_payload.Tpo $(DEPDIR)/unknown_payload.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/unknown_payload.Tpo $(DEPDIR)/unknown_payload.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/unknown_payload.c' object='unknown_payload.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o unknown_payload.o `test -f 'encoding/payloads/unknown_payload.c' || echo '$(srcdir)/'`encoding/payloads/unknown_payload.c
 
 unknown_payload.obj: encoding/payloads/unknown_payload.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT unknown_payload.obj -MD -MP -MF $(DEPDIR)/unknown_payload.Tpo -c -o unknown_payload.obj `if test -f 'encoding/payloads/unknown_payload.c'; then $(CYGPATH_W) 'encoding/payloads/unknown_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/unknown_payload.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/unknown_payload.Tpo $(DEPDIR)/unknown_payload.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/unknown_payload.Tpo $(DEPDIR)/unknown_payload.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/unknown_payload.c' object='unknown_payload.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o unknown_payload.obj `if test -f 'encoding/payloads/unknown_payload.c'; then $(CYGPATH_W) 'encoding/payloads/unknown_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/unknown_payload.c'; fi`
 
 vendor_id_payload.o: encoding/payloads/vendor_id_payload.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT vendor_id_payload.o -MD -MP -MF $(DEPDIR)/vendor_id_payload.Tpo -c -o vendor_id_payload.o `test -f 'encoding/payloads/vendor_id_payload.c' || echo '$(srcdir)/'`encoding/payloads/vendor_id_payload.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/vendor_id_payload.Tpo $(DEPDIR)/vendor_id_payload.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/vendor_id_payload.Tpo $(DEPDIR)/vendor_id_payload.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/vendor_id_payload.c' object='vendor_id_payload.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o vendor_id_payload.o `test -f 'encoding/payloads/vendor_id_payload.c' || echo '$(srcdir)/'`encoding/payloads/vendor_id_payload.c
 
 vendor_id_payload.obj: encoding/payloads/vendor_id_payload.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT vendor_id_payload.obj -MD -MP -MF $(DEPDIR)/vendor_id_payload.Tpo -c -o vendor_id_payload.obj `if test -f 'encoding/payloads/vendor_id_payload.c'; then $(CYGPATH_W) 'encoding/payloads/vendor_id_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/vendor_id_payload.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/vendor_id_payload.Tpo $(DEPDIR)/vendor_id_payload.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/vendor_id_payload.Tpo $(DEPDIR)/vendor_id_payload.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/vendor_id_payload.c' object='vendor_id_payload.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o vendor_id_payload.obj `if test -f 'encoding/payloads/vendor_id_payload.c'; then $(CYGPATH_W) 'encoding/payloads/vendor_id_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/vendor_id_payload.c'; fi`
 
 kernel_interface.o: kernel/kernel_interface.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT kernel_interface.o -MD -MP -MF $(DEPDIR)/kernel_interface.Tpo -c -o kernel_interface.o `test -f 'kernel/kernel_interface.c' || echo '$(srcdir)/'`kernel/kernel_interface.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/kernel_interface.Tpo $(DEPDIR)/kernel_interface.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/kernel_interface.Tpo $(DEPDIR)/kernel_interface.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='kernel/kernel_interface.c' object='kernel_interface.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o kernel_interface.o `test -f 'kernel/kernel_interface.c' || echo '$(srcdir)/'`kernel/kernel_interface.c
 
 kernel_interface.obj: kernel/kernel_interface.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT kernel_interface.obj -MD -MP -MF $(DEPDIR)/kernel_interface.Tpo -c -o kernel_interface.obj `if test -f 'kernel/kernel_interface.c'; then $(CYGPATH_W) 'kernel/kernel_interface.c'; else $(CYGPATH_W) '$(srcdir)/kernel/kernel_interface.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/kernel_interface.Tpo $(DEPDIR)/kernel_interface.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/kernel_interface.Tpo $(DEPDIR)/kernel_interface.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='kernel/kernel_interface.c' object='kernel_interface.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o kernel_interface.obj `if test -f 'kernel/kernel_interface.c'; then $(CYGPATH_W) 'kernel/kernel_interface.c'; else $(CYGPATH_W) '$(srcdir)/kernel/kernel_interface.c'; fi`
 
 kernel_ipsec.o: kernel/kernel_ipsec.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT kernel_ipsec.o -MD -MP -MF $(DEPDIR)/kernel_ipsec.Tpo -c -o kernel_ipsec.o `test -f 'kernel/kernel_ipsec.c' || echo '$(srcdir)/'`kernel/kernel_ipsec.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/kernel_ipsec.Tpo $(DEPDIR)/kernel_ipsec.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/kernel_ipsec.Tpo $(DEPDIR)/kernel_ipsec.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='kernel/kernel_ipsec.c' object='kernel_ipsec.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o kernel_ipsec.o `test -f 'kernel/kernel_ipsec.c' || echo '$(srcdir)/'`kernel/kernel_ipsec.c
 
 kernel_ipsec.obj: kernel/kernel_ipsec.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT kernel_ipsec.obj -MD -MP -MF $(DEPDIR)/kernel_ipsec.Tpo -c -o kernel_ipsec.obj `if test -f 'kernel/kernel_ipsec.c'; then $(CYGPATH_W) 'kernel/kernel_ipsec.c'; else $(CYGPATH_W) '$(srcdir)/kernel/kernel_ipsec.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/kernel_ipsec.Tpo $(DEPDIR)/kernel_ipsec.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/kernel_ipsec.Tpo $(DEPDIR)/kernel_ipsec.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='kernel/kernel_ipsec.c' object='kernel_ipsec.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o kernel_ipsec.obj `if test -f 'kernel/kernel_ipsec.c'; then $(CYGPATH_W) 'kernel/kernel_ipsec.c'; else $(CYGPATH_W) '$(srcdir)/kernel/kernel_ipsec.c'; fi`
 
 packet.o: network/packet.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT packet.o -MD -MP -MF $(DEPDIR)/packet.Tpo -c -o packet.o `test -f 'network/packet.c' || echo '$(srcdir)/'`network/packet.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/packet.Tpo $(DEPDIR)/packet.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/packet.Tpo $(DEPDIR)/packet.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='network/packet.c' object='packet.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o packet.o `test -f 'network/packet.c' || echo '$(srcdir)/'`network/packet.c
 
 packet.obj: network/packet.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT packet.obj -MD -MP -MF $(DEPDIR)/packet.Tpo -c -o packet.obj `if test -f 'network/packet.c'; then $(CYGPATH_W) 'network/packet.c'; else $(CYGPATH_W) '$(srcdir)/network/packet.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/packet.Tpo $(DEPDIR)/packet.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/packet.Tpo $(DEPDIR)/packet.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='network/packet.c' object='packet.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o packet.obj `if test -f 'network/packet.c'; then $(CYGPATH_W) 'network/packet.c'; else $(CYGPATH_W) '$(srcdir)/network/packet.c'; fi`
 
 receiver.o: network/receiver.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT receiver.o -MD -MP -MF $(DEPDIR)/receiver.Tpo -c -o receiver.o `test -f 'network/receiver.c' || echo '$(srcdir)/'`network/receiver.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/receiver.Tpo $(DEPDIR)/receiver.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/receiver.Tpo $(DEPDIR)/receiver.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='network/receiver.c' object='receiver.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o receiver.o `test -f 'network/receiver.c' || echo '$(srcdir)/'`network/receiver.c
 
 receiver.obj: network/receiver.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT receiver.obj -MD -MP -MF $(DEPDIR)/receiver.Tpo -c -o receiver.obj `if test -f 'network/receiver.c'; then $(CYGPATH_W) 'network/receiver.c'; else $(CYGPATH_W) '$(srcdir)/network/receiver.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/receiver.Tpo $(DEPDIR)/receiver.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/receiver.Tpo $(DEPDIR)/receiver.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='network/receiver.c' object='receiver.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o receiver.obj `if test -f 'network/receiver.c'; then $(CYGPATH_W) 'network/receiver.c'; else $(CYGPATH_W) '$(srcdir)/network/receiver.c'; fi`
 
 sender.o: network/sender.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sender.o -MD -MP -MF $(DEPDIR)/sender.Tpo -c -o sender.o `test -f 'network/sender.c' || echo '$(srcdir)/'`network/sender.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/sender.Tpo $(DEPDIR)/sender.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/sender.Tpo $(DEPDIR)/sender.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='network/sender.c' object='sender.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sender.o `test -f 'network/sender.c' || echo '$(srcdir)/'`network/sender.c
 
 sender.obj: network/sender.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sender.obj -MD -MP -MF $(DEPDIR)/sender.Tpo -c -o sender.obj `if test -f 'network/sender.c'; then $(CYGPATH_W) 'network/sender.c'; else $(CYGPATH_W) '$(srcdir)/network/sender.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/sender.Tpo $(DEPDIR)/sender.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/sender.Tpo $(DEPDIR)/sender.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='network/sender.c' object='sender.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sender.obj `if test -f 'network/sender.c'; then $(CYGPATH_W) 'network/sender.c'; else $(CYGPATH_W) '$(srcdir)/network/sender.c'; fi`
 
 acquire_job.o: processing/jobs/acquire_job.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT acquire_job.o -MD -MP -MF $(DEPDIR)/acquire_job.Tpo -c -o acquire_job.o `test -f 'processing/jobs/acquire_job.c' || echo '$(srcdir)/'`processing/jobs/acquire_job.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/acquire_job.Tpo $(DEPDIR)/acquire_job.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/acquire_job.Tpo $(DEPDIR)/acquire_job.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/acquire_job.c' object='acquire_job.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o acquire_job.o `test -f 'processing/jobs/acquire_job.c' || echo '$(srcdir)/'`processing/jobs/acquire_job.c
 
 acquire_job.obj: processing/jobs/acquire_job.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT acquire_job.obj -MD -MP -MF $(DEPDIR)/acquire_job.Tpo -c -o acquire_job.obj `if test -f 'processing/jobs/acquire_job.c'; then $(CYGPATH_W) 'processing/jobs/acquire_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/acquire_job.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/acquire_job.Tpo $(DEPDIR)/acquire_job.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/acquire_job.Tpo $(DEPDIR)/acquire_job.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/acquire_job.c' object='acquire_job.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o acquire_job.obj `if test -f 'processing/jobs/acquire_job.c'; then $(CYGPATH_W) 'processing/jobs/acquire_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/acquire_job.c'; fi`
 
 callback_job.o: processing/jobs/callback_job.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT callback_job.o -MD -MP -MF $(DEPDIR)/callback_job.Tpo -c -o callback_job.o `test -f 'processing/jobs/callback_job.c' || echo '$(srcdir)/'`processing/jobs/callback_job.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/callback_job.Tpo $(DEPDIR)/callback_job.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/callback_job.Tpo $(DEPDIR)/callback_job.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/callback_job.c' object='callback_job.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o callback_job.o `test -f 'processing/jobs/callback_job.c' || echo '$(srcdir)/'`processing/jobs/callback_job.c
 
 callback_job.obj: processing/jobs/callback_job.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT callback_job.obj -MD -MP -MF $(DEPDIR)/callback_job.Tpo -c -o callback_job.obj `if test -f 'processing/jobs/callback_job.c'; then $(CYGPATH_W) 'processing/jobs/callback_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/callback_job.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/callback_job.Tpo $(DEPDIR)/callback_job.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/callback_job.Tpo $(DEPDIR)/callback_job.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/callback_job.c' object='callback_job.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o callback_job.obj `if test -f 'processing/jobs/callback_job.c'; then $(CYGPATH_W) 'processing/jobs/callback_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/callback_job.c'; fi`
 
 delete_child_sa_job.o: processing/jobs/delete_child_sa_job.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT delete_child_sa_job.o -MD -MP -MF $(DEPDIR)/delete_child_sa_job.Tpo -c -o delete_child_sa_job.o `test -f 'processing/jobs/delete_child_sa_job.c' || echo '$(srcdir)/'`processing/jobs/delete_child_sa_job.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/delete_child_sa_job.Tpo $(DEPDIR)/delete_child_sa_job.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/delete_child_sa_job.Tpo $(DEPDIR)/delete_child_sa_job.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/delete_child_sa_job.c' object='delete_child_sa_job.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o delete_child_sa_job.o `test -f 'processing/jobs/delete_child_sa_job.c' || echo '$(srcdir)/'`processing/jobs/delete_child_sa_job.c
 
 delete_child_sa_job.obj: processing/jobs/delete_child_sa_job.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT delete_child_sa_job.obj -MD -MP -MF $(DEPDIR)/delete_child_sa_job.Tpo -c -o delete_child_sa_job.obj `if test -f 'processing/jobs/delete_child_sa_job.c'; then $(CYGPATH_W) 'processing/jobs/delete_child_sa_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/delete_child_sa_job.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/delete_child_sa_job.Tpo $(DEPDIR)/delete_child_sa_job.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/delete_child_sa_job.Tpo $(DEPDIR)/delete_child_sa_job.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/delete_child_sa_job.c' object='delete_child_sa_job.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o delete_child_sa_job.obj `if test -f 'processing/jobs/delete_child_sa_job.c'; then $(CYGPATH_W) 'processing/jobs/delete_child_sa_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/delete_child_sa_job.c'; fi`
 
 delete_ike_sa_job.o: processing/jobs/delete_ike_sa_job.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT delete_ike_sa_job.o -MD -MP -MF $(DEPDIR)/delete_ike_sa_job.Tpo -c -o delete_ike_sa_job.o `test -f 'processing/jobs/delete_ike_sa_job.c' || echo '$(srcdir)/'`processing/jobs/delete_ike_sa_job.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/delete_ike_sa_job.Tpo $(DEPDIR)/delete_ike_sa_job.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/delete_ike_sa_job.Tpo $(DEPDIR)/delete_ike_sa_job.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/delete_ike_sa_job.c' object='delete_ike_sa_job.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o delete_ike_sa_job.o `test -f 'processing/jobs/delete_ike_sa_job.c' || echo '$(srcdir)/'`processing/jobs/delete_ike_sa_job.c
 
 delete_ike_sa_job.obj: processing/jobs/delete_ike_sa_job.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT delete_ike_sa_job.obj -MD -MP -MF $(DEPDIR)/delete_ike_sa_job.Tpo -c -o delete_ike_sa_job.obj `if test -f 'processing/jobs/delete_ike_sa_job.c'; then $(CYGPATH_W) 'processing/jobs/delete_ike_sa_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/delete_ike_sa_job.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/delete_ike_sa_job.Tpo $(DEPDIR)/delete_ike_sa_job.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/delete_ike_sa_job.Tpo $(DEPDIR)/delete_ike_sa_job.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/delete_ike_sa_job.c' object='delete_ike_sa_job.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o delete_ike_sa_job.obj `if test -f 'processing/jobs/delete_ike_sa_job.c'; then $(CYGPATH_W) 'processing/jobs/delete_ike_sa_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/delete_ike_sa_job.c'; fi`
 
 migrate_job.o: processing/jobs/migrate_job.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT migrate_job.o -MD -MP -MF $(DEPDIR)/migrate_job.Tpo -c -o migrate_job.o `test -f 'processing/jobs/migrate_job.c' || echo '$(srcdir)/'`processing/jobs/migrate_job.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/migrate_job.Tpo $(DEPDIR)/migrate_job.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/migrate_job.Tpo $(DEPDIR)/migrate_job.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/migrate_job.c' object='migrate_job.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o migrate_job.o `test -f 'processing/jobs/migrate_job.c' || echo '$(srcdir)/'`processing/jobs/migrate_job.c
 
 migrate_job.obj: processing/jobs/migrate_job.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT migrate_job.obj -MD -MP -MF $(DEPDIR)/migrate_job.Tpo -c -o migrate_job.obj `if test -f 'processing/jobs/migrate_job.c'; then $(CYGPATH_W) 'processing/jobs/migrate_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/migrate_job.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/migrate_job.Tpo $(DEPDIR)/migrate_job.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/migrate_job.Tpo $(DEPDIR)/migrate_job.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/migrate_job.c' object='migrate_job.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o migrate_job.obj `if test -f 'processing/jobs/migrate_job.c'; then $(CYGPATH_W) 'processing/jobs/migrate_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/migrate_job.c'; fi`
 
 process_message_job.o: processing/jobs/process_message_job.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT process_message_job.o -MD -MP -MF $(DEPDIR)/process_message_job.Tpo -c -o process_message_job.o `test -f 'processing/jobs/process_message_job.c' || echo '$(srcdir)/'`processing/jobs/process_message_job.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/process_message_job.Tpo $(DEPDIR)/process_message_job.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/process_message_job.Tpo $(DEPDIR)/process_message_job.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/process_message_job.c' object='process_message_job.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o process_message_job.o `test -f 'processing/jobs/process_message_job.c' || echo '$(srcdir)/'`processing/jobs/process_message_job.c
 
 process_message_job.obj: processing/jobs/process_message_job.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT process_message_job.obj -MD -MP -MF $(DEPDIR)/process_message_job.Tpo -c -o process_message_job.obj `if test -f 'processing/jobs/process_message_job.c'; then $(CYGPATH_W) 'processing/jobs/process_message_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/process_message_job.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/process_message_job.Tpo $(DEPDIR)/process_message_job.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/process_message_job.Tpo $(DEPDIR)/process_message_job.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/process_message_job.c' object='process_message_job.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o process_message_job.obj `if test -f 'processing/jobs/process_message_job.c'; then $(CYGPATH_W) 'processing/jobs/process_message_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/process_message_job.c'; fi`
 
 rekey_child_sa_job.o: processing/jobs/rekey_child_sa_job.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rekey_child_sa_job.o -MD -MP -MF $(DEPDIR)/rekey_child_sa_job.Tpo -c -o rekey_child_sa_job.o `test -f 'processing/jobs/rekey_child_sa_job.c' || echo '$(srcdir)/'`processing/jobs/rekey_child_sa_job.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/rekey_child_sa_job.Tpo $(DEPDIR)/rekey_child_sa_job.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/rekey_child_sa_job.Tpo $(DEPDIR)/rekey_child_sa_job.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/rekey_child_sa_job.c' object='rekey_child_sa_job.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rekey_child_sa_job.o `test -f 'processing/jobs/rekey_child_sa_job.c' || echo '$(srcdir)/'`processing/jobs/rekey_child_sa_job.c
 
 rekey_child_sa_job.obj: processing/jobs/rekey_child_sa_job.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rekey_child_sa_job.obj -MD -MP -MF $(DEPDIR)/rekey_child_sa_job.Tpo -c -o rekey_child_sa_job.obj `if test -f 'processing/jobs/rekey_child_sa_job.c'; then $(CYGPATH_W) 'processing/jobs/rekey_child_sa_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/rekey_child_sa_job.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/rekey_child_sa_job.Tpo $(DEPDIR)/rekey_child_sa_job.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/rekey_child_sa_job.Tpo $(DEPDIR)/rekey_child_sa_job.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/rekey_child_sa_job.c' object='rekey_child_sa_job.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rekey_child_sa_job.obj `if test -f 'processing/jobs/rekey_child_sa_job.c'; then $(CYGPATH_W) 'processing/jobs/rekey_child_sa_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/rekey_child_sa_job.c'; fi`
 
 rekey_ike_sa_job.o: processing/jobs/rekey_ike_sa_job.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rekey_ike_sa_job.o -MD -MP -MF $(DEPDIR)/rekey_ike_sa_job.Tpo -c -o rekey_ike_sa_job.o `test -f 'processing/jobs/rekey_ike_sa_job.c' || echo '$(srcdir)/'`processing/jobs/rekey_ike_sa_job.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/rekey_ike_sa_job.Tpo $(DEPDIR)/rekey_ike_sa_job.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/rekey_ike_sa_job.Tpo $(DEPDIR)/rekey_ike_sa_job.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/rekey_ike_sa_job.c' object='rekey_ike_sa_job.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rekey_ike_sa_job.o `test -f 'processing/jobs/rekey_ike_sa_job.c' || echo '$(srcdir)/'`processing/jobs/rekey_ike_sa_job.c
 
 rekey_ike_sa_job.obj: processing/jobs/rekey_ike_sa_job.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rekey_ike_sa_job.obj -MD -MP -MF $(DEPDIR)/rekey_ike_sa_job.Tpo -c -o rekey_ike_sa_job.obj `if test -f 'processing/jobs/rekey_ike_sa_job.c'; then $(CYGPATH_W) 'processing/jobs/rekey_ike_sa_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/rekey_ike_sa_job.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/rekey_ike_sa_job.Tpo $(DEPDIR)/rekey_ike_sa_job.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/rekey_ike_sa_job.Tpo $(DEPDIR)/rekey_ike_sa_job.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/rekey_ike_sa_job.c' object='rekey_ike_sa_job.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rekey_ike_sa_job.obj `if test -f 'processing/jobs/rekey_ike_sa_job.c'; then $(CYGPATH_W) 'processing/jobs/rekey_ike_sa_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/rekey_ike_sa_job.c'; fi`
 
 retransmit_job.o: processing/jobs/retransmit_job.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT retransmit_job.o -MD -MP -MF $(DEPDIR)/retransmit_job.Tpo -c -o retransmit_job.o `test -f 'processing/jobs/retransmit_job.c' || echo '$(srcdir)/'`processing/jobs/retransmit_job.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/retransmit_job.Tpo $(DEPDIR)/retransmit_job.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/retransmit_job.Tpo $(DEPDIR)/retransmit_job.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/retransmit_job.c' object='retransmit_job.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o retransmit_job.o `test -f 'processing/jobs/retransmit_job.c' || echo '$(srcdir)/'`processing/jobs/retransmit_job.c
 
 retransmit_job.obj: processing/jobs/retransmit_job.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT retransmit_job.obj -MD -MP -MF $(DEPDIR)/retransmit_job.Tpo -c -o retransmit_job.obj `if test -f 'processing/jobs/retransmit_job.c'; then $(CYGPATH_W) 'processing/jobs/retransmit_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/retransmit_job.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/retransmit_job.Tpo $(DEPDIR)/retransmit_job.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/retransmit_job.Tpo $(DEPDIR)/retransmit_job.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/retransmit_job.c' object='retransmit_job.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o retransmit_job.obj `if test -f 'processing/jobs/retransmit_job.c'; then $(CYGPATH_W) 'processing/jobs/retransmit_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/retransmit_job.c'; fi`
 
 send_dpd_job.o: processing/jobs/send_dpd_job.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT send_dpd_job.o -MD -MP -MF $(DEPDIR)/send_dpd_job.Tpo -c -o send_dpd_job.o `test -f 'processing/jobs/send_dpd_job.c' || echo '$(srcdir)/'`processing/jobs/send_dpd_job.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/send_dpd_job.Tpo $(DEPDIR)/send_dpd_job.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/send_dpd_job.Tpo $(DEPDIR)/send_dpd_job.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/send_dpd_job.c' object='send_dpd_job.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o send_dpd_job.o `test -f 'processing/jobs/send_dpd_job.c' || echo '$(srcdir)/'`processing/jobs/send_dpd_job.c
 
 send_dpd_job.obj: processing/jobs/send_dpd_job.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT send_dpd_job.obj -MD -MP -MF $(DEPDIR)/send_dpd_job.Tpo -c -o send_dpd_job.obj `if test -f 'processing/jobs/send_dpd_job.c'; then $(CYGPATH_W) 'processing/jobs/send_dpd_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/send_dpd_job.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/send_dpd_job.Tpo $(DEPDIR)/send_dpd_job.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/send_dpd_job.Tpo $(DEPDIR)/send_dpd_job.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/send_dpd_job.c' object='send_dpd_job.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o send_dpd_job.obj `if test -f 'processing/jobs/send_dpd_job.c'; then $(CYGPATH_W) 'processing/jobs/send_dpd_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/send_dpd_job.c'; fi`
 
 send_keepalive_job.o: processing/jobs/send_keepalive_job.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT send_keepalive_job.o -MD -MP -MF $(DEPDIR)/send_keepalive_job.Tpo -c -o send_keepalive_job.o `test -f 'processing/jobs/send_keepalive_job.c' || echo '$(srcdir)/'`processing/jobs/send_keepalive_job.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/send_keepalive_job.Tpo $(DEPDIR)/send_keepalive_job.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/send_keepalive_job.Tpo $(DEPDIR)/send_keepalive_job.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/send_keepalive_job.c' object='send_keepalive_job.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o send_keepalive_job.o `test -f 'processing/jobs/send_keepalive_job.c' || echo '$(srcdir)/'`processing/jobs/send_keepalive_job.c
 
 send_keepalive_job.obj: processing/jobs/send_keepalive_job.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT send_keepalive_job.obj -MD -MP -MF $(DEPDIR)/send_keepalive_job.Tpo -c -o send_keepalive_job.obj `if test -f 'processing/jobs/send_keepalive_job.c'; then $(CYGPATH_W) 'processing/jobs/send_keepalive_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/send_keepalive_job.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/send_keepalive_job.Tpo $(DEPDIR)/send_keepalive_job.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/send_keepalive_job.Tpo $(DEPDIR)/send_keepalive_job.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/send_keepalive_job.c' object='send_keepalive_job.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o send_keepalive_job.obj `if test -f 'processing/jobs/send_keepalive_job.c'; then $(CYGPATH_W) 'processing/jobs/send_keepalive_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/send_keepalive_job.c'; fi`
 
 roam_job.o: processing/jobs/roam_job.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT roam_job.o -MD -MP -MF $(DEPDIR)/roam_job.Tpo -c -o roam_job.o `test -f 'processing/jobs/roam_job.c' || echo '$(srcdir)/'`processing/jobs/roam_job.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/roam_job.Tpo $(DEPDIR)/roam_job.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/roam_job.Tpo $(DEPDIR)/roam_job.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/roam_job.c' object='roam_job.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o roam_job.o `test -f 'processing/jobs/roam_job.c' || echo '$(srcdir)/'`processing/jobs/roam_job.c
 
 roam_job.obj: processing/jobs/roam_job.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT roam_job.obj -MD -MP -MF $(DEPDIR)/roam_job.Tpo -c -o roam_job.obj `if test -f 'processing/jobs/roam_job.c'; then $(CYGPATH_W) 'processing/jobs/roam_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/roam_job.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/roam_job.Tpo $(DEPDIR)/roam_job.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/roam_job.Tpo $(DEPDIR)/roam_job.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/roam_job.c' object='roam_job.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o roam_job.obj `if test -f 'processing/jobs/roam_job.c'; then $(CYGPATH_W) 'processing/jobs/roam_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/roam_job.c'; fi`
 
 update_sa_job.o: processing/jobs/update_sa_job.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT update_sa_job.o -MD -MP -MF $(DEPDIR)/update_sa_job.Tpo -c -o update_sa_job.o `test -f 'processing/jobs/update_sa_job.c' || echo '$(srcdir)/'`processing/jobs/update_sa_job.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/update_sa_job.Tpo $(DEPDIR)/update_sa_job.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/update_sa_job.Tpo $(DEPDIR)/update_sa_job.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/update_sa_job.c' object='update_sa_job.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o update_sa_job.o `test -f 'processing/jobs/update_sa_job.c' || echo '$(srcdir)/'`processing/jobs/update_sa_job.c
 
 update_sa_job.obj: processing/jobs/update_sa_job.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT update_sa_job.obj -MD -MP -MF $(DEPDIR)/update_sa_job.Tpo -c -o update_sa_job.obj `if test -f 'processing/jobs/update_sa_job.c'; then $(CYGPATH_W) 'processing/jobs/update_sa_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/update_sa_job.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/update_sa_job.Tpo $(DEPDIR)/update_sa_job.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/update_sa_job.Tpo $(DEPDIR)/update_sa_job.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/update_sa_job.c' object='update_sa_job.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o update_sa_job.obj `if test -f 'processing/jobs/update_sa_job.c'; then $(CYGPATH_W) 'processing/jobs/update_sa_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/update_sa_job.c'; fi`
 
+inactivity_job.o: processing/jobs/inactivity_job.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT inactivity_job.o -MD -MP -MF $(DEPDIR)/inactivity_job.Tpo -c -o inactivity_job.o `test -f 'processing/jobs/inactivity_job.c' || echo '$(srcdir)/'`processing/jobs/inactivity_job.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/inactivity_job.Tpo $(DEPDIR)/inactivity_job.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/inactivity_job.c' object='inactivity_job.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o inactivity_job.o `test -f 'processing/jobs/inactivity_job.c' || echo '$(srcdir)/'`processing/jobs/inactivity_job.c
+
+inactivity_job.obj: processing/jobs/inactivity_job.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT inactivity_job.obj -MD -MP -MF $(DEPDIR)/inactivity_job.Tpo -c -o inactivity_job.obj `if test -f 'processing/jobs/inactivity_job.c'; then $(CYGPATH_W) 'processing/jobs/inactivity_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/inactivity_job.c'; fi`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/inactivity_job.Tpo $(DEPDIR)/inactivity_job.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/inactivity_job.c' object='inactivity_job.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o inactivity_job.obj `if test -f 'processing/jobs/inactivity_job.c'; then $(CYGPATH_W) 'processing/jobs/inactivity_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/inactivity_job.c'; fi`
+
 scheduler.o: processing/scheduler.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT scheduler.o -MD -MP -MF $(DEPDIR)/scheduler.Tpo -c -o scheduler.o `test -f 'processing/scheduler.c' || echo '$(srcdir)/'`processing/scheduler.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/scheduler.Tpo $(DEPDIR)/scheduler.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/scheduler.Tpo $(DEPDIR)/scheduler.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/scheduler.c' object='scheduler.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o scheduler.o `test -f 'processing/scheduler.c' || echo '$(srcdir)/'`processing/scheduler.c
 
 scheduler.obj: processing/scheduler.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT scheduler.obj -MD -MP -MF $(DEPDIR)/scheduler.Tpo -c -o scheduler.obj `if test -f 'processing/scheduler.c'; then $(CYGPATH_W) 'processing/scheduler.c'; else $(CYGPATH_W) '$(srcdir)/processing/scheduler.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/scheduler.Tpo $(DEPDIR)/scheduler.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/scheduler.Tpo $(DEPDIR)/scheduler.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/scheduler.c' object='scheduler.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o scheduler.obj `if test -f 'processing/scheduler.c'; then $(CYGPATH_W) 'processing/scheduler.c'; else $(CYGPATH_W) '$(srcdir)/processing/scheduler.c'; fi`
 
 processor.o: processing/processor.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT processor.o -MD -MP -MF $(DEPDIR)/processor.Tpo -c -o processor.o `test -f 'processing/processor.c' || echo '$(srcdir)/'`processing/processor.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/processor.Tpo $(DEPDIR)/processor.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/processor.Tpo $(DEPDIR)/processor.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/processor.c' object='processor.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o processor.o `test -f 'processing/processor.c' || echo '$(srcdir)/'`processing/processor.c
 
 processor.obj: processing/processor.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT processor.obj -MD -MP -MF $(DEPDIR)/processor.Tpo -c -o processor.obj `if test -f 'processing/processor.c'; then $(CYGPATH_W) 'processing/processor.c'; else $(CYGPATH_W) '$(srcdir)/processing/processor.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/processor.Tpo $(DEPDIR)/processor.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/processor.Tpo $(DEPDIR)/processor.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/processor.c' object='processor.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o processor.obj `if test -f 'processing/processor.c'; then $(CYGPATH_W) 'processing/processor.c'; else $(CYGPATH_W) '$(srcdir)/processing/processor.c'; fi`
 
 authenticator.o: sa/authenticators/authenticator.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT authenticator.o -MD -MP -MF $(DEPDIR)/authenticator.Tpo -c -o authenticator.o `test -f 'sa/authenticators/authenticator.c' || echo '$(srcdir)/'`sa/authenticators/authenticator.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/authenticator.Tpo $(DEPDIR)/authenticator.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/authenticator.Tpo $(DEPDIR)/authenticator.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/authenticators/authenticator.c' object='authenticator.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o authenticator.o `test -f 'sa/authenticators/authenticator.c' || echo '$(srcdir)/'`sa/authenticators/authenticator.c
 
 authenticator.obj: sa/authenticators/authenticator.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT authenticator.obj -MD -MP -MF $(DEPDIR)/authenticator.Tpo -c -o authenticator.obj `if test -f 'sa/authenticators/authenticator.c'; then $(CYGPATH_W) 'sa/authenticators/authenticator.c'; else $(CYGPATH_W) '$(srcdir)/sa/authenticators/authenticator.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/authenticator.Tpo $(DEPDIR)/authenticator.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/authenticator.Tpo $(DEPDIR)/authenticator.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/authenticators/authenticator.c' object='authenticator.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o authenticator.obj `if test -f 'sa/authenticators/authenticator.c'; then $(CYGPATH_W) 'sa/authenticators/authenticator.c'; else $(CYGPATH_W) '$(srcdir)/sa/authenticators/authenticator.c'; fi`
 
 eap_authenticator.o: sa/authenticators/eap_authenticator.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT eap_authenticator.o -MD -MP -MF $(DEPDIR)/eap_authenticator.Tpo -c -o eap_authenticator.o `test -f 'sa/authenticators/eap_authenticator.c' || echo '$(srcdir)/'`sa/authenticators/eap_authenticator.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/eap_authenticator.Tpo $(DEPDIR)/eap_authenticator.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/eap_authenticator.Tpo $(DEPDIR)/eap_authenticator.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/authenticators/eap_authenticator.c' object='eap_authenticator.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o eap_authenticator.o `test -f 'sa/authenticators/eap_authenticator.c' || echo '$(srcdir)/'`sa/authenticators/eap_authenticator.c
 
 eap_authenticator.obj: sa/authenticators/eap_authenticator.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT eap_authenticator.obj -MD -MP -MF $(DEPDIR)/eap_authenticator.Tpo -c -o eap_authenticator.obj `if test -f 'sa/authenticators/eap_authenticator.c'; then $(CYGPATH_W) 'sa/authenticators/eap_authenticator.c'; else $(CYGPATH_W) '$(srcdir)/sa/authenticators/eap_authenticator.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/eap_authenticator.Tpo $(DEPDIR)/eap_authenticator.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/eap_authenticator.Tpo $(DEPDIR)/eap_authenticator.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/authenticators/eap_authenticator.c' object='eap_authenticator.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o eap_authenticator.obj `if test -f 'sa/authenticators/eap_authenticator.c'; then $(CYGPATH_W) 'sa/authenticators/eap_authenticator.c'; else $(CYGPATH_W) '$(srcdir)/sa/authenticators/eap_authenticator.c'; fi`
 
 eap_method.o: sa/authenticators/eap/eap_method.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT eap_method.o -MD -MP -MF $(DEPDIR)/eap_method.Tpo -c -o eap_method.o `test -f 'sa/authenticators/eap/eap_method.c' || echo '$(srcdir)/'`sa/authenticators/eap/eap_method.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/eap_method.Tpo $(DEPDIR)/eap_method.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/eap_method.Tpo $(DEPDIR)/eap_method.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/authenticators/eap/eap_method.c' object='eap_method.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o eap_method.o `test -f 'sa/authenticators/eap/eap_method.c' || echo '$(srcdir)/'`sa/authenticators/eap/eap_method.c
 
 eap_method.obj: sa/authenticators/eap/eap_method.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT eap_method.obj -MD -MP -MF $(DEPDIR)/eap_method.Tpo -c -o eap_method.obj `if test -f 'sa/authenticators/eap/eap_method.c'; then $(CYGPATH_W) 'sa/authenticators/eap/eap_method.c'; else $(CYGPATH_W) '$(srcdir)/sa/authenticators/eap/eap_method.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/eap_method.Tpo $(DEPDIR)/eap_method.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/eap_method.Tpo $(DEPDIR)/eap_method.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/authenticators/eap/eap_method.c' object='eap_method.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o eap_method.obj `if test -f 'sa/authenticators/eap/eap_method.c'; then $(CYGPATH_W) 'sa/authenticators/eap/eap_method.c'; else $(CYGPATH_W) '$(srcdir)/sa/authenticators/eap/eap_method.c'; fi`
 
 eap_manager.o: sa/authenticators/eap/eap_manager.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT eap_manager.o -MD -MP -MF $(DEPDIR)/eap_manager.Tpo -c -o eap_manager.o `test -f 'sa/authenticators/eap/eap_manager.c' || echo '$(srcdir)/'`sa/authenticators/eap/eap_manager.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/eap_manager.Tpo $(DEPDIR)/eap_manager.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/eap_manager.Tpo $(DEPDIR)/eap_manager.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/authenticators/eap/eap_manager.c' object='eap_manager.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o eap_manager.o `test -f 'sa/authenticators/eap/eap_manager.c' || echo '$(srcdir)/'`sa/authenticators/eap/eap_manager.c
 
 eap_manager.obj: sa/authenticators/eap/eap_manager.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT eap_manager.obj -MD -MP -MF $(DEPDIR)/eap_manager.Tpo -c -o eap_manager.obj `if test -f 'sa/authenticators/eap/eap_manager.c'; then $(CYGPATH_W) 'sa/authenticators/eap/eap_manager.c'; else $(CYGPATH_W) '$(srcdir)/sa/authenticators/eap/eap_manager.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/eap_manager.Tpo $(DEPDIR)/eap_manager.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/eap_manager.Tpo $(DEPDIR)/eap_manager.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/authenticators/eap/eap_manager.c' object='eap_manager.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o eap_manager.obj `if test -f 'sa/authenticators/eap/eap_manager.c'; then $(CYGPATH_W) 'sa/authenticators/eap/eap_manager.c'; else $(CYGPATH_W) '$(srcdir)/sa/authenticators/eap/eap_manager.c'; fi`
 
 sim_manager.o: sa/authenticators/eap/sim_manager.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sim_manager.o -MD -MP -MF $(DEPDIR)/sim_manager.Tpo -c -o sim_manager.o `test -f 'sa/authenticators/eap/sim_manager.c' || echo '$(srcdir)/'`sa/authenticators/eap/sim_manager.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/sim_manager.Tpo $(DEPDIR)/sim_manager.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/sim_manager.Tpo $(DEPDIR)/sim_manager.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/authenticators/eap/sim_manager.c' object='sim_manager.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sim_manager.o `test -f 'sa/authenticators/eap/sim_manager.c' || echo '$(srcdir)/'`sa/authenticators/eap/sim_manager.c
 
 sim_manager.obj: sa/authenticators/eap/sim_manager.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sim_manager.obj -MD -MP -MF $(DEPDIR)/sim_manager.Tpo -c -o sim_manager.obj `if test -f 'sa/authenticators/eap/sim_manager.c'; then $(CYGPATH_W) 'sa/authenticators/eap/sim_manager.c'; else $(CYGPATH_W) '$(srcdir)/sa/authenticators/eap/sim_manager.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/sim_manager.Tpo $(DEPDIR)/sim_manager.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/sim_manager.Tpo $(DEPDIR)/sim_manager.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/authenticators/eap/sim_manager.c' object='sim_manager.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sim_manager.obj `if test -f 'sa/authenticators/eap/sim_manager.c'; then $(CYGPATH_W) 'sa/authenticators/eap/sim_manager.c'; else $(CYGPATH_W) '$(srcdir)/sa/authenticators/eap/sim_manager.c'; fi`
 
 psk_authenticator.o: sa/authenticators/psk_authenticator.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT psk_authenticator.o -MD -MP -MF $(DEPDIR)/psk_authenticator.Tpo -c -o psk_authenticator.o `test -f 'sa/authenticators/psk_authenticator.c' || echo '$(srcdir)/'`sa/authenticators/psk_authenticator.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/psk_authenticator.Tpo $(DEPDIR)/psk_authenticator.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/psk_authenticator.Tpo $(DEPDIR)/psk_authenticator.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/authenticators/psk_authenticator.c' object='psk_authenticator.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o psk_authenticator.o `test -f 'sa/authenticators/psk_authenticator.c' || echo '$(srcdir)/'`sa/authenticators/psk_authenticator.c
 
 psk_authenticator.obj: sa/authenticators/psk_authenticator.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT psk_authenticator.obj -MD -MP -MF $(DEPDIR)/psk_authenticator.Tpo -c -o psk_authenticator.obj `if test -f 'sa/authenticators/psk_authenticator.c'; then $(CYGPATH_W) 'sa/authenticators/psk_authenticator.c'; else $(CYGPATH_W) '$(srcdir)/sa/authenticators/psk_authenticator.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/psk_authenticator.Tpo $(DEPDIR)/psk_authenticator.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/psk_authenticator.Tpo $(DEPDIR)/psk_authenticator.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/authenticators/psk_authenticator.c' object='psk_authenticator.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o psk_authenticator.obj `if test -f 'sa/authenticators/psk_authenticator.c'; then $(CYGPATH_W) 'sa/authenticators/psk_authenticator.c'; else $(CYGPATH_W) '$(srcdir)/sa/authenticators/psk_authenticator.c'; fi`
 
 pubkey_authenticator.o: sa/authenticators/pubkey_authenticator.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pubkey_authenticator.o -MD -MP -MF $(DEPDIR)/pubkey_authenticator.Tpo -c -o pubkey_authenticator.o `test -f 'sa/authenticators/pubkey_authenticator.c' || echo '$(srcdir)/'`sa/authenticators/pubkey_authenticator.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/pubkey_authenticator.Tpo $(DEPDIR)/pubkey_authenticator.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/pubkey_authenticator.Tpo $(DEPDIR)/pubkey_authenticator.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/authenticators/pubkey_authenticator.c' object='pubkey_authenticator.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pubkey_authenticator.o `test -f 'sa/authenticators/pubkey_authenticator.c' || echo '$(srcdir)/'`sa/authenticators/pubkey_authenticator.c
 
 pubkey_authenticator.obj: sa/authenticators/pubkey_authenticator.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pubkey_authenticator.obj -MD -MP -MF $(DEPDIR)/pubkey_authenticator.Tpo -c -o pubkey_authenticator.obj `if test -f 'sa/authenticators/pubkey_authenticator.c'; then $(CYGPATH_W) 'sa/authenticators/pubkey_authenticator.c'; else $(CYGPATH_W) '$(srcdir)/sa/authenticators/pubkey_authenticator.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/pubkey_authenticator.Tpo $(DEPDIR)/pubkey_authenticator.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/pubkey_authenticator.Tpo $(DEPDIR)/pubkey_authenticator.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/authenticators/pubkey_authenticator.c' object='pubkey_authenticator.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pubkey_authenticator.obj `if test -f 'sa/authenticators/pubkey_authenticator.c'; then $(CYGPATH_W) 'sa/authenticators/pubkey_authenticator.c'; else $(CYGPATH_W) '$(srcdir)/sa/authenticators/pubkey_authenticator.c'; fi`
 
 child_sa.o: sa/child_sa.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT child_sa.o -MD -MP -MF $(DEPDIR)/child_sa.Tpo -c -o child_sa.o `test -f 'sa/child_sa.c' || echo '$(srcdir)/'`sa/child_sa.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/child_sa.Tpo $(DEPDIR)/child_sa.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/child_sa.Tpo $(DEPDIR)/child_sa.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/child_sa.c' object='child_sa.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o child_sa.o `test -f 'sa/child_sa.c' || echo '$(srcdir)/'`sa/child_sa.c
 
 child_sa.obj: sa/child_sa.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT child_sa.obj -MD -MP -MF $(DEPDIR)/child_sa.Tpo -c -o child_sa.obj `if test -f 'sa/child_sa.c'; then $(CYGPATH_W) 'sa/child_sa.c'; else $(CYGPATH_W) '$(srcdir)/sa/child_sa.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/child_sa.Tpo $(DEPDIR)/child_sa.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/child_sa.Tpo $(DEPDIR)/child_sa.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/child_sa.c' object='child_sa.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o child_sa.obj `if test -f 'sa/child_sa.c'; then $(CYGPATH_W) 'sa/child_sa.c'; else $(CYGPATH_W) '$(srcdir)/sa/child_sa.c'; fi`
 
 ike_sa.o: sa/ike_sa.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_sa.o -MD -MP -MF $(DEPDIR)/ike_sa.Tpo -c -o ike_sa.o `test -f 'sa/ike_sa.c' || echo '$(srcdir)/'`sa/ike_sa.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/ike_sa.Tpo $(DEPDIR)/ike_sa.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_sa.Tpo $(DEPDIR)/ike_sa.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/ike_sa.c' object='ike_sa.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_sa.o `test -f 'sa/ike_sa.c' || echo '$(srcdir)/'`sa/ike_sa.c
 
 ike_sa.obj: sa/ike_sa.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_sa.obj -MD -MP -MF $(DEPDIR)/ike_sa.Tpo -c -o ike_sa.obj `if test -f 'sa/ike_sa.c'; then $(CYGPATH_W) 'sa/ike_sa.c'; else $(CYGPATH_W) '$(srcdir)/sa/ike_sa.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/ike_sa.Tpo $(DEPDIR)/ike_sa.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_sa.Tpo $(DEPDIR)/ike_sa.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/ike_sa.c' object='ike_sa.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_sa.obj `if test -f 'sa/ike_sa.c'; then $(CYGPATH_W) 'sa/ike_sa.c'; else $(CYGPATH_W) '$(srcdir)/sa/ike_sa.c'; fi`
 
 ike_sa_id.o: sa/ike_sa_id.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_sa_id.o -MD -MP -MF $(DEPDIR)/ike_sa_id.Tpo -c -o ike_sa_id.o `test -f 'sa/ike_sa_id.c' || echo '$(srcdir)/'`sa/ike_sa_id.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/ike_sa_id.Tpo $(DEPDIR)/ike_sa_id.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_sa_id.Tpo $(DEPDIR)/ike_sa_id.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/ike_sa_id.c' object='ike_sa_id.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_sa_id.o `test -f 'sa/ike_sa_id.c' || echo '$(srcdir)/'`sa/ike_sa_id.c
 
 ike_sa_id.obj: sa/ike_sa_id.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_sa_id.obj -MD -MP -MF $(DEPDIR)/ike_sa_id.Tpo -c -o ike_sa_id.obj `if test -f 'sa/ike_sa_id.c'; then $(CYGPATH_W) 'sa/ike_sa_id.c'; else $(CYGPATH_W) '$(srcdir)/sa/ike_sa_id.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/ike_sa_id.Tpo $(DEPDIR)/ike_sa_id.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_sa_id.Tpo $(DEPDIR)/ike_sa_id.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/ike_sa_id.c' object='ike_sa_id.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_sa_id.obj `if test -f 'sa/ike_sa_id.c'; then $(CYGPATH_W) 'sa/ike_sa_id.c'; else $(CYGPATH_W) '$(srcdir)/sa/ike_sa_id.c'; fi`
 
 ike_sa_manager.o: sa/ike_sa_manager.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_sa_manager.o -MD -MP -MF $(DEPDIR)/ike_sa_manager.Tpo -c -o ike_sa_manager.o `test -f 'sa/ike_sa_manager.c' || echo '$(srcdir)/'`sa/ike_sa_manager.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/ike_sa_manager.Tpo $(DEPDIR)/ike_sa_manager.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_sa_manager.Tpo $(DEPDIR)/ike_sa_manager.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/ike_sa_manager.c' object='ike_sa_manager.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_sa_manager.o `test -f 'sa/ike_sa_manager.c' || echo '$(srcdir)/'`sa/ike_sa_manager.c
 
 ike_sa_manager.obj: sa/ike_sa_manager.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_sa_manager.obj -MD -MP -MF $(DEPDIR)/ike_sa_manager.Tpo -c -o ike_sa_manager.obj `if test -f 'sa/ike_sa_manager.c'; then $(CYGPATH_W) 'sa/ike_sa_manager.c'; else $(CYGPATH_W) '$(srcdir)/sa/ike_sa_manager.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/ike_sa_manager.Tpo $(DEPDIR)/ike_sa_manager.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_sa_manager.Tpo $(DEPDIR)/ike_sa_manager.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/ike_sa_manager.c' object='ike_sa_manager.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_sa_manager.obj `if test -f 'sa/ike_sa_manager.c'; then $(CYGPATH_W) 'sa/ike_sa_manager.c'; else $(CYGPATH_W) '$(srcdir)/sa/ike_sa_manager.c'; fi`
 
 task_manager.o: sa/task_manager.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT task_manager.o -MD -MP -MF $(DEPDIR)/task_manager.Tpo -c -o task_manager.o `test -f 'sa/task_manager.c' || echo '$(srcdir)/'`sa/task_manager.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/task_manager.Tpo $(DEPDIR)/task_manager.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/task_manager.Tpo $(DEPDIR)/task_manager.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/task_manager.c' object='task_manager.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o task_manager.o `test -f 'sa/task_manager.c' || echo '$(srcdir)/'`sa/task_manager.c
 
 task_manager.obj: sa/task_manager.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT task_manager.obj -MD -MP -MF $(DEPDIR)/task_manager.Tpo -c -o task_manager.obj `if test -f 'sa/task_manager.c'; then $(CYGPATH_W) 'sa/task_manager.c'; else $(CYGPATH_W) '$(srcdir)/sa/task_manager.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/task_manager.Tpo $(DEPDIR)/task_manager.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/task_manager.Tpo $(DEPDIR)/task_manager.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/task_manager.c' object='task_manager.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o task_manager.obj `if test -f 'sa/task_manager.c'; then $(CYGPATH_W) 'sa/task_manager.c'; else $(CYGPATH_W) '$(srcdir)/sa/task_manager.c'; fi`
 
 keymat.o: sa/keymat.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT keymat.o -MD -MP -MF $(DEPDIR)/keymat.Tpo -c -o keymat.o `test -f 'sa/keymat.c' || echo '$(srcdir)/'`sa/keymat.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/keymat.Tpo $(DEPDIR)/keymat.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/keymat.Tpo $(DEPDIR)/keymat.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/keymat.c' object='keymat.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o keymat.o `test -f 'sa/keymat.c' || echo '$(srcdir)/'`sa/keymat.c
 
 keymat.obj: sa/keymat.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT keymat.obj -MD -MP -MF $(DEPDIR)/keymat.Tpo -c -o keymat.obj `if test -f 'sa/keymat.c'; then $(CYGPATH_W) 'sa/keymat.c'; else $(CYGPATH_W) '$(srcdir)/sa/keymat.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/keymat.Tpo $(DEPDIR)/keymat.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/keymat.Tpo $(DEPDIR)/keymat.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/keymat.c' object='keymat.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o keymat.obj `if test -f 'sa/keymat.c'; then $(CYGPATH_W) 'sa/keymat.c'; else $(CYGPATH_W) '$(srcdir)/sa/keymat.c'; fi`
 
 trap_manager.o: sa/trap_manager.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT trap_manager.o -MD -MP -MF $(DEPDIR)/trap_manager.Tpo -c -o trap_manager.o `test -f 'sa/trap_manager.c' || echo '$(srcdir)/'`sa/trap_manager.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/trap_manager.Tpo $(DEPDIR)/trap_manager.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/trap_manager.Tpo $(DEPDIR)/trap_manager.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/trap_manager.c' object='trap_manager.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o trap_manager.o `test -f 'sa/trap_manager.c' || echo '$(srcdir)/'`sa/trap_manager.c
 
 trap_manager.obj: sa/trap_manager.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT trap_manager.obj -MD -MP -MF $(DEPDIR)/trap_manager.Tpo -c -o trap_manager.obj `if test -f 'sa/trap_manager.c'; then $(CYGPATH_W) 'sa/trap_manager.c'; else $(CYGPATH_W) '$(srcdir)/sa/trap_manager.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/trap_manager.Tpo $(DEPDIR)/trap_manager.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/trap_manager.Tpo $(DEPDIR)/trap_manager.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/trap_manager.c' object='trap_manager.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o trap_manager.obj `if test -f 'sa/trap_manager.c'; then $(CYGPATH_W) 'sa/trap_manager.c'; else $(CYGPATH_W) '$(srcdir)/sa/trap_manager.c'; fi`
 
 child_create.o: sa/tasks/child_create.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT child_create.o -MD -MP -MF $(DEPDIR)/child_create.Tpo -c -o child_create.o `test -f 'sa/tasks/child_create.c' || echo '$(srcdir)/'`sa/tasks/child_create.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/child_create.Tpo $(DEPDIR)/child_create.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/child_create.Tpo $(DEPDIR)/child_create.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/child_create.c' object='child_create.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o child_create.o `test -f 'sa/tasks/child_create.c' || echo '$(srcdir)/'`sa/tasks/child_create.c
 
 child_create.obj: sa/tasks/child_create.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT child_create.obj -MD -MP -MF $(DEPDIR)/child_create.Tpo -c -o child_create.obj `if test -f 'sa/tasks/child_create.c'; then $(CYGPATH_W) 'sa/tasks/child_create.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/child_create.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/child_create.Tpo $(DEPDIR)/child_create.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/child_create.Tpo $(DEPDIR)/child_create.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/child_create.c' object='child_create.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o child_create.obj `if test -f 'sa/tasks/child_create.c'; then $(CYGPATH_W) 'sa/tasks/child_create.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/child_create.c'; fi`
 
 child_delete.o: sa/tasks/child_delete.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT child_delete.o -MD -MP -MF $(DEPDIR)/child_delete.Tpo -c -o child_delete.o `test -f 'sa/tasks/child_delete.c' || echo '$(srcdir)/'`sa/tasks/child_delete.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/child_delete.Tpo $(DEPDIR)/child_delete.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/child_delete.Tpo $(DEPDIR)/child_delete.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/child_delete.c' object='child_delete.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o child_delete.o `test -f 'sa/tasks/child_delete.c' || echo '$(srcdir)/'`sa/tasks/child_delete.c
 
 child_delete.obj: sa/tasks/child_delete.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT child_delete.obj -MD -MP -MF $(DEPDIR)/child_delete.Tpo -c -o child_delete.obj `if test -f 'sa/tasks/child_delete.c'; then $(CYGPATH_W) 'sa/tasks/child_delete.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/child_delete.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/child_delete.Tpo $(DEPDIR)/child_delete.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/child_delete.Tpo $(DEPDIR)/child_delete.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/child_delete.c' object='child_delete.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o child_delete.obj `if test -f 'sa/tasks/child_delete.c'; then $(CYGPATH_W) 'sa/tasks/child_delete.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/child_delete.c'; fi`
 
 child_rekey.o: sa/tasks/child_rekey.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT child_rekey.o -MD -MP -MF $(DEPDIR)/child_rekey.Tpo -c -o child_rekey.o `test -f 'sa/tasks/child_rekey.c' || echo '$(srcdir)/'`sa/tasks/child_rekey.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/child_rekey.Tpo $(DEPDIR)/child_rekey.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/child_rekey.Tpo $(DEPDIR)/child_rekey.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/child_rekey.c' object='child_rekey.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o child_rekey.o `test -f 'sa/tasks/child_rekey.c' || echo '$(srcdir)/'`sa/tasks/child_rekey.c
 
 child_rekey.obj: sa/tasks/child_rekey.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT child_rekey.obj -MD -MP -MF $(DEPDIR)/child_rekey.Tpo -c -o child_rekey.obj `if test -f 'sa/tasks/child_rekey.c'; then $(CYGPATH_W) 'sa/tasks/child_rekey.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/child_rekey.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/child_rekey.Tpo $(DEPDIR)/child_rekey.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/child_rekey.Tpo $(DEPDIR)/child_rekey.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/child_rekey.c' object='child_rekey.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o child_rekey.obj `if test -f 'sa/tasks/child_rekey.c'; then $(CYGPATH_W) 'sa/tasks/child_rekey.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/child_rekey.c'; fi`
 
 ike_auth.o: sa/tasks/ike_auth.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_auth.o -MD -MP -MF $(DEPDIR)/ike_auth.Tpo -c -o ike_auth.o `test -f 'sa/tasks/ike_auth.c' || echo '$(srcdir)/'`sa/tasks/ike_auth.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/ike_auth.Tpo $(DEPDIR)/ike_auth.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_auth.Tpo $(DEPDIR)/ike_auth.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/ike_auth.c' object='ike_auth.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_auth.o `test -f 'sa/tasks/ike_auth.c' || echo '$(srcdir)/'`sa/tasks/ike_auth.c
 
 ike_auth.obj: sa/tasks/ike_auth.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_auth.obj -MD -MP -MF $(DEPDIR)/ike_auth.Tpo -c -o ike_auth.obj `if test -f 'sa/tasks/ike_auth.c'; then $(CYGPATH_W) 'sa/tasks/ike_auth.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_auth.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/ike_auth.Tpo $(DEPDIR)/ike_auth.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_auth.Tpo $(DEPDIR)/ike_auth.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/ike_auth.c' object='ike_auth.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_auth.obj `if test -f 'sa/tasks/ike_auth.c'; then $(CYGPATH_W) 'sa/tasks/ike_auth.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_auth.c'; fi`
 
 ike_cert_pre.o: sa/tasks/ike_cert_pre.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_cert_pre.o -MD -MP -MF $(DEPDIR)/ike_cert_pre.Tpo -c -o ike_cert_pre.o `test -f 'sa/tasks/ike_cert_pre.c' || echo '$(srcdir)/'`sa/tasks/ike_cert_pre.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/ike_cert_pre.Tpo $(DEPDIR)/ike_cert_pre.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_cert_pre.Tpo $(DEPDIR)/ike_cert_pre.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/ike_cert_pre.c' object='ike_cert_pre.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_cert_pre.o `test -f 'sa/tasks/ike_cert_pre.c' || echo '$(srcdir)/'`sa/tasks/ike_cert_pre.c
 
 ike_cert_pre.obj: sa/tasks/ike_cert_pre.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_cert_pre.obj -MD -MP -MF $(DEPDIR)/ike_cert_pre.Tpo -c -o ike_cert_pre.obj `if test -f 'sa/tasks/ike_cert_pre.c'; then $(CYGPATH_W) 'sa/tasks/ike_cert_pre.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_cert_pre.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/ike_cert_pre.Tpo $(DEPDIR)/ike_cert_pre.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_cert_pre.Tpo $(DEPDIR)/ike_cert_pre.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/ike_cert_pre.c' object='ike_cert_pre.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_cert_pre.obj `if test -f 'sa/tasks/ike_cert_pre.c'; then $(CYGPATH_W) 'sa/tasks/ike_cert_pre.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_cert_pre.c'; fi`
 
 ike_cert_post.o: sa/tasks/ike_cert_post.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_cert_post.o -MD -MP -MF $(DEPDIR)/ike_cert_post.Tpo -c -o ike_cert_post.o `test -f 'sa/tasks/ike_cert_post.c' || echo '$(srcdir)/'`sa/tasks/ike_cert_post.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/ike_cert_post.Tpo $(DEPDIR)/ike_cert_post.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_cert_post.Tpo $(DEPDIR)/ike_cert_post.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/ike_cert_post.c' object='ike_cert_post.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_cert_post.o `test -f 'sa/tasks/ike_cert_post.c' || echo '$(srcdir)/'`sa/tasks/ike_cert_post.c
 
 ike_cert_post.obj: sa/tasks/ike_cert_post.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_cert_post.obj -MD -MP -MF $(DEPDIR)/ike_cert_post.Tpo -c -o ike_cert_post.obj `if test -f 'sa/tasks/ike_cert_post.c'; then $(CYGPATH_W) 'sa/tasks/ike_cert_post.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_cert_post.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/ike_cert_post.Tpo $(DEPDIR)/ike_cert_post.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_cert_post.Tpo $(DEPDIR)/ike_cert_post.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/ike_cert_post.c' object='ike_cert_post.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_cert_post.obj `if test -f 'sa/tasks/ike_cert_post.c'; then $(CYGPATH_W) 'sa/tasks/ike_cert_post.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_cert_post.c'; fi`
 
 ike_config.o: sa/tasks/ike_config.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_config.o -MD -MP -MF $(DEPDIR)/ike_config.Tpo -c -o ike_config.o `test -f 'sa/tasks/ike_config.c' || echo '$(srcdir)/'`sa/tasks/ike_config.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/ike_config.Tpo $(DEPDIR)/ike_config.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_config.Tpo $(DEPDIR)/ike_config.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/ike_config.c' object='ike_config.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_config.o `test -f 'sa/tasks/ike_config.c' || echo '$(srcdir)/'`sa/tasks/ike_config.c
 
 ike_config.obj: sa/tasks/ike_config.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_config.obj -MD -MP -MF $(DEPDIR)/ike_config.Tpo -c -o ike_config.obj `if test -f 'sa/tasks/ike_config.c'; then $(CYGPATH_W) 'sa/tasks/ike_config.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_config.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/ike_config.Tpo $(DEPDIR)/ike_config.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_config.Tpo $(DEPDIR)/ike_config.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/ike_config.c' object='ike_config.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_config.obj `if test -f 'sa/tasks/ike_config.c'; then $(CYGPATH_W) 'sa/tasks/ike_config.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_config.c'; fi`
 
 ike_delete.o: sa/tasks/ike_delete.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_delete.o -MD -MP -MF $(DEPDIR)/ike_delete.Tpo -c -o ike_delete.o `test -f 'sa/tasks/ike_delete.c' || echo '$(srcdir)/'`sa/tasks/ike_delete.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/ike_delete.Tpo $(DEPDIR)/ike_delete.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_delete.Tpo $(DEPDIR)/ike_delete.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/ike_delete.c' object='ike_delete.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_delete.o `test -f 'sa/tasks/ike_delete.c' || echo '$(srcdir)/'`sa/tasks/ike_delete.c
 
 ike_delete.obj: sa/tasks/ike_delete.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_delete.obj -MD -MP -MF $(DEPDIR)/ike_delete.Tpo -c -o ike_delete.obj `if test -f 'sa/tasks/ike_delete.c'; then $(CYGPATH_W) 'sa/tasks/ike_delete.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_delete.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/ike_delete.Tpo $(DEPDIR)/ike_delete.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_delete.Tpo $(DEPDIR)/ike_delete.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/ike_delete.c' object='ike_delete.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_delete.obj `if test -f 'sa/tasks/ike_delete.c'; then $(CYGPATH_W) 'sa/tasks/ike_delete.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_delete.c'; fi`
 
 ike_dpd.o: sa/tasks/ike_dpd.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_dpd.o -MD -MP -MF $(DEPDIR)/ike_dpd.Tpo -c -o ike_dpd.o `test -f 'sa/tasks/ike_dpd.c' || echo '$(srcdir)/'`sa/tasks/ike_dpd.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/ike_dpd.Tpo $(DEPDIR)/ike_dpd.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_dpd.Tpo $(DEPDIR)/ike_dpd.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/ike_dpd.c' object='ike_dpd.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_dpd.o `test -f 'sa/tasks/ike_dpd.c' || echo '$(srcdir)/'`sa/tasks/ike_dpd.c
 
 ike_dpd.obj: sa/tasks/ike_dpd.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_dpd.obj -MD -MP -MF $(DEPDIR)/ike_dpd.Tpo -c -o ike_dpd.obj `if test -f 'sa/tasks/ike_dpd.c'; then $(CYGPATH_W) 'sa/tasks/ike_dpd.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_dpd.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/ike_dpd.Tpo $(DEPDIR)/ike_dpd.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_dpd.Tpo $(DEPDIR)/ike_dpd.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/ike_dpd.c' object='ike_dpd.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_dpd.obj `if test -f 'sa/tasks/ike_dpd.c'; then $(CYGPATH_W) 'sa/tasks/ike_dpd.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_dpd.c'; fi`
 
 ike_init.o: sa/tasks/ike_init.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_init.o -MD -MP -MF $(DEPDIR)/ike_init.Tpo -c -o ike_init.o `test -f 'sa/tasks/ike_init.c' || echo '$(srcdir)/'`sa/tasks/ike_init.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/ike_init.Tpo $(DEPDIR)/ike_init.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_init.Tpo $(DEPDIR)/ike_init.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/ike_init.c' object='ike_init.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_init.o `test -f 'sa/tasks/ike_init.c' || echo '$(srcdir)/'`sa/tasks/ike_init.c
 
 ike_init.obj: sa/tasks/ike_init.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_init.obj -MD -MP -MF $(DEPDIR)/ike_init.Tpo -c -o ike_init.obj `if test -f 'sa/tasks/ike_init.c'; then $(CYGPATH_W) 'sa/tasks/ike_init.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_init.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/ike_init.Tpo $(DEPDIR)/ike_init.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_init.Tpo $(DEPDIR)/ike_init.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/ike_init.c' object='ike_init.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_init.obj `if test -f 'sa/tasks/ike_init.c'; then $(CYGPATH_W) 'sa/tasks/ike_init.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_init.c'; fi`
 
 ike_natd.o: sa/tasks/ike_natd.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_natd.o -MD -MP -MF $(DEPDIR)/ike_natd.Tpo -c -o ike_natd.o `test -f 'sa/tasks/ike_natd.c' || echo '$(srcdir)/'`sa/tasks/ike_natd.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/ike_natd.Tpo $(DEPDIR)/ike_natd.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_natd.Tpo $(DEPDIR)/ike_natd.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/ike_natd.c' object='ike_natd.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_natd.o `test -f 'sa/tasks/ike_natd.c' || echo '$(srcdir)/'`sa/tasks/ike_natd.c
 
 ike_natd.obj: sa/tasks/ike_natd.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_natd.obj -MD -MP -MF $(DEPDIR)/ike_natd.Tpo -c -o ike_natd.obj `if test -f 'sa/tasks/ike_natd.c'; then $(CYGPATH_W) 'sa/tasks/ike_natd.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_natd.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/ike_natd.Tpo $(DEPDIR)/ike_natd.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_natd.Tpo $(DEPDIR)/ike_natd.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/ike_natd.c' object='ike_natd.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_natd.obj `if test -f 'sa/tasks/ike_natd.c'; then $(CYGPATH_W) 'sa/tasks/ike_natd.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_natd.c'; fi`
 
 ike_mobike.o: sa/tasks/ike_mobike.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_mobike.o -MD -MP -MF $(DEPDIR)/ike_mobike.Tpo -c -o ike_mobike.o `test -f 'sa/tasks/ike_mobike.c' || echo '$(srcdir)/'`sa/tasks/ike_mobike.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/ike_mobike.Tpo $(DEPDIR)/ike_mobike.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_mobike.Tpo $(DEPDIR)/ike_mobike.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/ike_mobike.c' object='ike_mobike.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_mobike.o `test -f 'sa/tasks/ike_mobike.c' || echo '$(srcdir)/'`sa/tasks/ike_mobike.c
 
 ike_mobike.obj: sa/tasks/ike_mobike.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_mobike.obj -MD -MP -MF $(DEPDIR)/ike_mobike.Tpo -c -o ike_mobike.obj `if test -f 'sa/tasks/ike_mobike.c'; then $(CYGPATH_W) 'sa/tasks/ike_mobike.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_mobike.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/ike_mobike.Tpo $(DEPDIR)/ike_mobike.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_mobike.Tpo $(DEPDIR)/ike_mobike.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/ike_mobike.c' object='ike_mobike.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_mobike.obj `if test -f 'sa/tasks/ike_mobike.c'; then $(CYGPATH_W) 'sa/tasks/ike_mobike.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_mobike.c'; fi`
 
 ike_rekey.o: sa/tasks/ike_rekey.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_rekey.o -MD -MP -MF $(DEPDIR)/ike_rekey.Tpo -c -o ike_rekey.o `test -f 'sa/tasks/ike_rekey.c' || echo '$(srcdir)/'`sa/tasks/ike_rekey.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/ike_rekey.Tpo $(DEPDIR)/ike_rekey.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_rekey.Tpo $(DEPDIR)/ike_rekey.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/ike_rekey.c' object='ike_rekey.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_rekey.o `test -f 'sa/tasks/ike_rekey.c' || echo '$(srcdir)/'`sa/tasks/ike_rekey.c
 
 ike_rekey.obj: sa/tasks/ike_rekey.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_rekey.obj -MD -MP -MF $(DEPDIR)/ike_rekey.Tpo -c -o ike_rekey.obj `if test -f 'sa/tasks/ike_rekey.c'; then $(CYGPATH_W) 'sa/tasks/ike_rekey.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_rekey.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/ike_rekey.Tpo $(DEPDIR)/ike_rekey.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_rekey.Tpo $(DEPDIR)/ike_rekey.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/ike_rekey.c' object='ike_rekey.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_rekey.obj `if test -f 'sa/tasks/ike_rekey.c'; then $(CYGPATH_W) 'sa/tasks/ike_rekey.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_rekey.c'; fi`
 
 ike_reauth.o: sa/tasks/ike_reauth.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_reauth.o -MD -MP -MF $(DEPDIR)/ike_reauth.Tpo -c -o ike_reauth.o `test -f 'sa/tasks/ike_reauth.c' || echo '$(srcdir)/'`sa/tasks/ike_reauth.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/ike_reauth.Tpo $(DEPDIR)/ike_reauth.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_reauth.Tpo $(DEPDIR)/ike_reauth.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/ike_reauth.c' object='ike_reauth.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_reauth.o `test -f 'sa/tasks/ike_reauth.c' || echo '$(srcdir)/'`sa/tasks/ike_reauth.c
 
 ike_reauth.obj: sa/tasks/ike_reauth.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_reauth.obj -MD -MP -MF $(DEPDIR)/ike_reauth.Tpo -c -o ike_reauth.obj `if test -f 'sa/tasks/ike_reauth.c'; then $(CYGPATH_W) 'sa/tasks/ike_reauth.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_reauth.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/ike_reauth.Tpo $(DEPDIR)/ike_reauth.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_reauth.Tpo $(DEPDIR)/ike_reauth.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/ike_reauth.c' object='ike_reauth.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_reauth.obj `if test -f 'sa/tasks/ike_reauth.c'; then $(CYGPATH_W) 'sa/tasks/ike_reauth.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_reauth.c'; fi`
 
 ike_auth_lifetime.o: sa/tasks/ike_auth_lifetime.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_auth_lifetime.o -MD -MP -MF $(DEPDIR)/ike_auth_lifetime.Tpo -c -o ike_auth_lifetime.o `test -f 'sa/tasks/ike_auth_lifetime.c' || echo '$(srcdir)/'`sa/tasks/ike_auth_lifetime.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/ike_auth_lifetime.Tpo $(DEPDIR)/ike_auth_lifetime.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_auth_lifetime.Tpo $(DEPDIR)/ike_auth_lifetime.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/ike_auth_lifetime.c' object='ike_auth_lifetime.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_auth_lifetime.o `test -f 'sa/tasks/ike_auth_lifetime.c' || echo '$(srcdir)/'`sa/tasks/ike_auth_lifetime.c
 
 ike_auth_lifetime.obj: sa/tasks/ike_auth_lifetime.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_auth_lifetime.obj -MD -MP -MF $(DEPDIR)/ike_auth_lifetime.Tpo -c -o ike_auth_lifetime.obj `if test -f 'sa/tasks/ike_auth_lifetime.c'; then $(CYGPATH_W) 'sa/tasks/ike_auth_lifetime.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_auth_lifetime.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/ike_auth_lifetime.Tpo $(DEPDIR)/ike_auth_lifetime.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_auth_lifetime.Tpo $(DEPDIR)/ike_auth_lifetime.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/ike_auth_lifetime.c' object='ike_auth_lifetime.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_auth_lifetime.obj `if test -f 'sa/tasks/ike_auth_lifetime.c'; then $(CYGPATH_W) 'sa/tasks/ike_auth_lifetime.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_auth_lifetime.c'; fi`
 
+ike_vendor.o: sa/tasks/ike_vendor.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_vendor.o -MD -MP -MF $(DEPDIR)/ike_vendor.Tpo -c -o ike_vendor.o `test -f 'sa/tasks/ike_vendor.c' || echo '$(srcdir)/'`sa/tasks/ike_vendor.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_vendor.Tpo $(DEPDIR)/ike_vendor.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/ike_vendor.c' object='ike_vendor.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_vendor.o `test -f 'sa/tasks/ike_vendor.c' || echo '$(srcdir)/'`sa/tasks/ike_vendor.c
+
+ike_vendor.obj: sa/tasks/ike_vendor.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_vendor.obj -MD -MP -MF $(DEPDIR)/ike_vendor.Tpo -c -o ike_vendor.obj `if test -f 'sa/tasks/ike_vendor.c'; then $(CYGPATH_W) 'sa/tasks/ike_vendor.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_vendor.c'; fi`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_vendor.Tpo $(DEPDIR)/ike_vendor.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/ike_vendor.c' object='ike_vendor.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_vendor.obj `if test -f 'sa/tasks/ike_vendor.c'; then $(CYGPATH_W) 'sa/tasks/ike_vendor.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_vendor.c'; fi`
+
 task.o: sa/tasks/task.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT task.o -MD -MP -MF $(DEPDIR)/task.Tpo -c -o task.o `test -f 'sa/tasks/task.c' || echo '$(srcdir)/'`sa/tasks/task.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/task.Tpo $(DEPDIR)/task.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/task.Tpo $(DEPDIR)/task.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/task.c' object='task.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o task.o `test -f 'sa/tasks/task.c' || echo '$(srcdir)/'`sa/tasks/task.c
 
 task.obj: sa/tasks/task.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT task.obj -MD -MP -MF $(DEPDIR)/task.Tpo -c -o task.obj `if test -f 'sa/tasks/task.c'; then $(CYGPATH_W) 'sa/tasks/task.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/task.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/task.Tpo $(DEPDIR)/task.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/task.Tpo $(DEPDIR)/task.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/task.c' object='task.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o task.obj `if test -f 'sa/tasks/task.c'; then $(CYGPATH_W) 'sa/tasks/task.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/task.c'; fi`
 
 credential_manager.o: credentials/credential_manager.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT credential_manager.o -MD -MP -MF $(DEPDIR)/credential_manager.Tpo -c -o credential_manager.o `test -f 'credentials/credential_manager.c' || echo '$(srcdir)/'`credentials/credential_manager.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/credential_manager.Tpo $(DEPDIR)/credential_manager.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/credential_manager.Tpo $(DEPDIR)/credential_manager.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='credentials/credential_manager.c' object='credential_manager.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o credential_manager.o `test -f 'credentials/credential_manager.c' || echo '$(srcdir)/'`credentials/credential_manager.c
 
 credential_manager.obj: credentials/credential_manager.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT credential_manager.obj -MD -MP -MF $(DEPDIR)/credential_manager.Tpo -c -o credential_manager.obj `if test -f 'credentials/credential_manager.c'; then $(CYGPATH_W) 'credentials/credential_manager.c'; else $(CYGPATH_W) '$(srcdir)/credentials/credential_manager.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/credential_manager.Tpo $(DEPDIR)/credential_manager.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/credential_manager.Tpo $(DEPDIR)/credential_manager.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='credentials/credential_manager.c' object='credential_manager.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o credential_manager.obj `if test -f 'credentials/credential_manager.c'; then $(CYGPATH_W) 'credentials/credential_manager.c'; else $(CYGPATH_W) '$(srcdir)/credentials/credential_manager.c'; fi`
 
 auth_cfg_wrapper.o: credentials/sets/auth_cfg_wrapper.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT auth_cfg_wrapper.o -MD -MP -MF $(DEPDIR)/auth_cfg_wrapper.Tpo -c -o auth_cfg_wrapper.o `test -f 'credentials/sets/auth_cfg_wrapper.c' || echo '$(srcdir)/'`credentials/sets/auth_cfg_wrapper.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/auth_cfg_wrapper.Tpo $(DEPDIR)/auth_cfg_wrapper.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/auth_cfg_wrapper.Tpo $(DEPDIR)/auth_cfg_wrapper.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='credentials/sets/auth_cfg_wrapper.c' object='auth_cfg_wrapper.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o auth_cfg_wrapper.o `test -f 'credentials/sets/auth_cfg_wrapper.c' || echo '$(srcdir)/'`credentials/sets/auth_cfg_wrapper.c
 
 auth_cfg_wrapper.obj: credentials/sets/auth_cfg_wrapper.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT auth_cfg_wrapper.obj -MD -MP -MF $(DEPDIR)/auth_cfg_wrapper.Tpo -c -o auth_cfg_wrapper.obj `if test -f 'credentials/sets/auth_cfg_wrapper.c'; then $(CYGPATH_W) 'credentials/sets/auth_cfg_wrapper.c'; else $(CYGPATH_W) '$(srcdir)/credentials/sets/auth_cfg_wrapper.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/auth_cfg_wrapper.Tpo $(DEPDIR)/auth_cfg_wrapper.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/auth_cfg_wrapper.Tpo $(DEPDIR)/auth_cfg_wrapper.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='credentials/sets/auth_cfg_wrapper.c' object='auth_cfg_wrapper.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o auth_cfg_wrapper.obj `if test -f 'credentials/sets/auth_cfg_wrapper.c'; then $(CYGPATH_W) 'credentials/sets/auth_cfg_wrapper.c'; else $(CYGPATH_W) '$(srcdir)/credentials/sets/auth_cfg_wrapper.c'; fi`
 
 ocsp_response_wrapper.o: credentials/sets/ocsp_response_wrapper.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ocsp_response_wrapper.o -MD -MP -MF $(DEPDIR)/ocsp_response_wrapper.Tpo -c -o ocsp_response_wrapper.o `test -f 'credentials/sets/ocsp_response_wrapper.c' || echo '$(srcdir)/'`credentials/sets/ocsp_response_wrapper.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/ocsp_response_wrapper.Tpo $(DEPDIR)/ocsp_response_wrapper.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ocsp_response_wrapper.Tpo $(DEPDIR)/ocsp_response_wrapper.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='credentials/sets/ocsp_response_wrapper.c' object='ocsp_response_wrapper.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ocsp_response_wrapper.o `test -f 'credentials/sets/ocsp_response_wrapper.c' || echo '$(srcdir)/'`credentials/sets/ocsp_response_wrapper.c
 
 ocsp_response_wrapper.obj: credentials/sets/ocsp_response_wrapper.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ocsp_response_wrapper.obj -MD -MP -MF $(DEPDIR)/ocsp_response_wrapper.Tpo -c -o ocsp_response_wrapper.obj `if test -f 'credentials/sets/ocsp_response_wrapper.c'; then $(CYGPATH_W) 'credentials/sets/ocsp_response_wrapper.c'; else $(CYGPATH_W) '$(srcdir)/credentials/sets/ocsp_response_wrapper.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/ocsp_response_wrapper.Tpo $(DEPDIR)/ocsp_response_wrapper.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ocsp_response_wrapper.Tpo $(DEPDIR)/ocsp_response_wrapper.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='credentials/sets/ocsp_response_wrapper.c' object='ocsp_response_wrapper.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ocsp_response_wrapper.obj `if test -f 'credentials/sets/ocsp_response_wrapper.c'; then $(CYGPATH_W) 'credentials/sets/ocsp_response_wrapper.c'; else $(CYGPATH_W) '$(srcdir)/credentials/sets/ocsp_response_wrapper.c'; fi`
 
 cert_cache.o: credentials/sets/cert_cache.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cert_cache.o -MD -MP -MF $(DEPDIR)/cert_cache.Tpo -c -o cert_cache.o `test -f 'credentials/sets/cert_cache.c' || echo '$(srcdir)/'`credentials/sets/cert_cache.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/cert_cache.Tpo $(DEPDIR)/cert_cache.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/cert_cache.Tpo $(DEPDIR)/cert_cache.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='credentials/sets/cert_cache.c' object='cert_cache.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cert_cache.o `test -f 'credentials/sets/cert_cache.c' || echo '$(srcdir)/'`credentials/sets/cert_cache.c
 
 cert_cache.obj: credentials/sets/cert_cache.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cert_cache.obj -MD -MP -MF $(DEPDIR)/cert_cache.Tpo -c -o cert_cache.obj `if test -f 'credentials/sets/cert_cache.c'; then $(CYGPATH_W) 'credentials/sets/cert_cache.c'; else $(CYGPATH_W) '$(srcdir)/credentials/sets/cert_cache.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/cert_cache.Tpo $(DEPDIR)/cert_cache.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/cert_cache.Tpo $(DEPDIR)/cert_cache.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='credentials/sets/cert_cache.c' object='cert_cache.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cert_cache.obj `if test -f 'credentials/sets/cert_cache.c'; then $(CYGPATH_W) 'credentials/sets/cert_cache.c'; else $(CYGPATH_W) '$(srcdir)/credentials/sets/cert_cache.c'; fi`
 
 socket-raw.o: network/socket-raw.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT socket-raw.o -MD -MP -MF $(DEPDIR)/socket-raw.Tpo -c -o socket-raw.o `test -f 'network/socket-raw.c' || echo '$(srcdir)/'`network/socket-raw.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/socket-raw.Tpo $(DEPDIR)/socket-raw.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/socket-raw.Tpo $(DEPDIR)/socket-raw.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='network/socket-raw.c' object='socket-raw.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o socket-raw.o `test -f 'network/socket-raw.c' || echo '$(srcdir)/'`network/socket-raw.c
 
 socket-raw.obj: network/socket-raw.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT socket-raw.obj -MD -MP -MF $(DEPDIR)/socket-raw.Tpo -c -o socket-raw.obj `if test -f 'network/socket-raw.c'; then $(CYGPATH_W) 'network/socket-raw.c'; else $(CYGPATH_W) '$(srcdir)/network/socket-raw.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/socket-raw.Tpo $(DEPDIR)/socket-raw.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/socket-raw.Tpo $(DEPDIR)/socket-raw.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='network/socket-raw.c' object='socket-raw.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o socket-raw.obj `if test -f 'network/socket-raw.c'; then $(CYGPATH_W) 'network/socket-raw.c'; else $(CYGPATH_W) '$(srcdir)/network/socket-raw.c'; fi`
 
 socket.o: network/socket.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT socket.o -MD -MP -MF $(DEPDIR)/socket.Tpo -c -o socket.o `test -f 'network/socket.c' || echo '$(srcdir)/'`network/socket.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/socket.Tpo $(DEPDIR)/socket.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/socket.Tpo $(DEPDIR)/socket.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='network/socket.c' object='socket.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o socket.o `test -f 'network/socket.c' || echo '$(srcdir)/'`network/socket.c
 
 socket.obj: network/socket.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT socket.obj -MD -MP -MF $(DEPDIR)/socket.Tpo -c -o socket.obj `if test -f 'network/socket.c'; then $(CYGPATH_W) 'network/socket.c'; else $(CYGPATH_W) '$(srcdir)/network/socket.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/socket.Tpo $(DEPDIR)/socket.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/socket.Tpo $(DEPDIR)/socket.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='network/socket.c' object='socket.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o socket.obj `if test -f 'network/socket.c'; then $(CYGPATH_W) 'network/socket.c'; else $(CYGPATH_W) '$(srcdir)/network/socket.c'; fi`
 
 endpoint_notify.o: encoding/payloads/endpoint_notify.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT endpoint_notify.o -MD -MP -MF $(DEPDIR)/endpoint_notify.Tpo -c -o endpoint_notify.o `test -f 'encoding/payloads/endpoint_notify.c' || echo '$(srcdir)/'`encoding/payloads/endpoint_notify.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/endpoint_notify.Tpo $(DEPDIR)/endpoint_notify.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/endpoint_notify.Tpo $(DEPDIR)/endpoint_notify.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/endpoint_notify.c' object='endpoint_notify.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o endpoint_notify.o `test -f 'encoding/payloads/endpoint_notify.c' || echo '$(srcdir)/'`encoding/payloads/endpoint_notify.c
 
 endpoint_notify.obj: encoding/payloads/endpoint_notify.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT endpoint_notify.obj -MD -MP -MF $(DEPDIR)/endpoint_notify.Tpo -c -o endpoint_notify.obj `if test -f 'encoding/payloads/endpoint_notify.c'; then $(CYGPATH_W) 'encoding/payloads/endpoint_notify.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/endpoint_notify.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/endpoint_notify.Tpo $(DEPDIR)/endpoint_notify.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/endpoint_notify.Tpo $(DEPDIR)/endpoint_notify.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/endpoint_notify.c' object='endpoint_notify.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o endpoint_notify.obj `if test -f 'encoding/payloads/endpoint_notify.c'; then $(CYGPATH_W) 'encoding/payloads/endpoint_notify.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/endpoint_notify.c'; fi`
 
 initiate_mediation_job.o: processing/jobs/initiate_mediation_job.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT initiate_mediation_job.o -MD -MP -MF $(DEPDIR)/initiate_mediation_job.Tpo -c -o initiate_mediation_job.o `test -f 'processing/jobs/initiate_mediation_job.c' || echo '$(srcdir)/'`processing/jobs/initiate_mediation_job.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/initiate_mediation_job.Tpo $(DEPDIR)/initiate_mediation_job.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/initiate_mediation_job.Tpo $(DEPDIR)/initiate_mediation_job.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/initiate_mediation_job.c' object='initiate_mediation_job.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o initiate_mediation_job.o `test -f 'processing/jobs/initiate_mediation_job.c' || echo '$(srcdir)/'`processing/jobs/initiate_mediation_job.c
 
 initiate_mediation_job.obj: processing/jobs/initiate_mediation_job.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT initiate_mediation_job.obj -MD -MP -MF $(DEPDIR)/initiate_mediation_job.Tpo -c -o initiate_mediation_job.obj `if test -f 'processing/jobs/initiate_mediation_job.c'; then $(CYGPATH_W) 'processing/jobs/initiate_mediation_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/initiate_mediation_job.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/initiate_mediation_job.Tpo $(DEPDIR)/initiate_mediation_job.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/initiate_mediation_job.Tpo $(DEPDIR)/initiate_mediation_job.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/initiate_mediation_job.c' object='initiate_mediation_job.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o initiate_mediation_job.obj `if test -f 'processing/jobs/initiate_mediation_job.c'; then $(CYGPATH_W) 'processing/jobs/initiate_mediation_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/initiate_mediation_job.c'; fi`
 
 mediation_job.o: processing/jobs/mediation_job.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT mediation_job.o -MD -MP -MF $(DEPDIR)/mediation_job.Tpo -c -o mediation_job.o `test -f 'processing/jobs/mediation_job.c' || echo '$(srcdir)/'`processing/jobs/mediation_job.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/mediation_job.Tpo $(DEPDIR)/mediation_job.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/mediation_job.Tpo $(DEPDIR)/mediation_job.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/mediation_job.c' object='mediation_job.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o mediation_job.o `test -f 'processing/jobs/mediation_job.c' || echo '$(srcdir)/'`processing/jobs/mediation_job.c
 
 mediation_job.obj: processing/jobs/mediation_job.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT mediation_job.obj -MD -MP -MF $(DEPDIR)/mediation_job.Tpo -c -o mediation_job.obj `if test -f 'processing/jobs/mediation_job.c'; then $(CYGPATH_W) 'processing/jobs/mediation_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/mediation_job.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/mediation_job.Tpo $(DEPDIR)/mediation_job.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/mediation_job.Tpo $(DEPDIR)/mediation_job.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/mediation_job.c' object='mediation_job.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o mediation_job.obj `if test -f 'processing/jobs/mediation_job.c'; then $(CYGPATH_W) 'processing/jobs/mediation_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/mediation_job.c'; fi`
 
 connect_manager.o: sa/connect_manager.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT connect_manager.o -MD -MP -MF $(DEPDIR)/connect_manager.Tpo -c -o connect_manager.o `test -f 'sa/connect_manager.c' || echo '$(srcdir)/'`sa/connect_manager.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/connect_manager.Tpo $(DEPDIR)/connect_manager.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/connect_manager.Tpo $(DEPDIR)/connect_manager.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/connect_manager.c' object='connect_manager.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o connect_manager.o `test -f 'sa/connect_manager.c' || echo '$(srcdir)/'`sa/connect_manager.c
 
 connect_manager.obj: sa/connect_manager.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT connect_manager.obj -MD -MP -MF $(DEPDIR)/connect_manager.Tpo -c -o connect_manager.obj `if test -f 'sa/connect_manager.c'; then $(CYGPATH_W) 'sa/connect_manager.c'; else $(CYGPATH_W) '$(srcdir)/sa/connect_manager.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/connect_manager.Tpo $(DEPDIR)/connect_manager.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/connect_manager.Tpo $(DEPDIR)/connect_manager.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/connect_manager.c' object='connect_manager.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o connect_manager.obj `if test -f 'sa/connect_manager.c'; then $(CYGPATH_W) 'sa/connect_manager.c'; else $(CYGPATH_W) '$(srcdir)/sa/connect_manager.c'; fi`
 
 mediation_manager.o: sa/mediation_manager.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT mediation_manager.o -MD -MP -MF $(DEPDIR)/mediation_manager.Tpo -c -o mediation_manager.o `test -f 'sa/mediation_manager.c' || echo '$(srcdir)/'`sa/mediation_manager.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/mediation_manager.Tpo $(DEPDIR)/mediation_manager.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/mediation_manager.Tpo $(DEPDIR)/mediation_manager.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/mediation_manager.c' object='mediation_manager.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o mediation_manager.o `test -f 'sa/mediation_manager.c' || echo '$(srcdir)/'`sa/mediation_manager.c
 
 mediation_manager.obj: sa/mediation_manager.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT mediation_manager.obj -MD -MP -MF $(DEPDIR)/mediation_manager.Tpo -c -o mediation_manager.obj `if test -f 'sa/mediation_manager.c'; then $(CYGPATH_W) 'sa/mediation_manager.c'; else $(CYGPATH_W) '$(srcdir)/sa/mediation_manager.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/mediation_manager.Tpo $(DEPDIR)/mediation_manager.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/mediation_manager.Tpo $(DEPDIR)/mediation_manager.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/mediation_manager.c' object='mediation_manager.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o mediation_manager.obj `if test -f 'sa/mediation_manager.c'; then $(CYGPATH_W) 'sa/mediation_manager.c'; else $(CYGPATH_W) '$(srcdir)/sa/mediation_manager.c'; fi`
 
 ike_me.o: sa/tasks/ike_me.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_me.o -MD -MP -MF $(DEPDIR)/ike_me.Tpo -c -o ike_me.o `test -f 'sa/tasks/ike_me.c' || echo '$(srcdir)/'`sa/tasks/ike_me.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/ike_me.Tpo $(DEPDIR)/ike_me.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_me.Tpo $(DEPDIR)/ike_me.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/ike_me.c' object='ike_me.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_me.o `test -f 'sa/tasks/ike_me.c' || echo '$(srcdir)/'`sa/tasks/ike_me.c
 
 ike_me.obj: sa/tasks/ike_me.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_me.obj -MD -MP -MF $(DEPDIR)/ike_me.Tpo -c -o ike_me.obj `if test -f 'sa/tasks/ike_me.c'; then $(CYGPATH_W) 'sa/tasks/ike_me.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_me.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/ike_me.Tpo $(DEPDIR)/ike_me.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_me.Tpo $(DEPDIR)/ike_me.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/ike_me.c' object='ike_me.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_me.obj `if test -f 'sa/tasks/ike_me.c'; then $(CYGPATH_W) 'sa/tasks/ike_me.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_me.c'; fi`
@@ -2247,7 +2308,7 @@ $(RECURSIVE_TARGETS):
 	  else \
 	    local_target="$$target"; \
 	  fi; \
-	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
+	  ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
 	  || eval $$failcom; \
 	done; \
 	if test "$$dot_seen" = "no"; then \
@@ -2281,16 +2342,16 @@ $(RECURSIVE_CLEAN_TARGETS):
 	  else \
 	    local_target="$$target"; \
 	  fi; \
-	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
+	  ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
 	  || eval $$failcom; \
 	done && test -z "$$fail"
 tags-recursive:
 	list='$(SUBDIRS)'; for subdir in $$list; do \
-	  test "$$subdir" = . || (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) tags); \
+	  test "$$subdir" = . || ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) tags); \
 	done
 ctags-recursive:
 	list='$(SUBDIRS)'; for subdir in $$list; do \
-	  test "$$subdir" = . || (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) ctags); \
+	  test "$$subdir" = . || ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) ctags); \
 	done
 
 ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
@@ -2305,7 +2366,7 @@ tags: TAGS
 
 TAGS: tags-recursive $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
+	set x; \
 	here=`pwd`; \
 	if ($(ETAGS) --etags-include --version) >/dev/null 2>&1; then \
 	  include_option=--etags-include; \
@@ -2317,7 +2378,7 @@ TAGS: tags-recursive $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	list='$(SUBDIRS)'; for subdir in $$list; do \
 	  if test "$$subdir" = .; then :; else \
 	    test ! -f $$subdir/TAGS || \
-	      tags="$$tags $$include_option=$$here/$$subdir/TAGS"; \
+	      set "$$@" "$$include_option=$$here/$$subdir/TAGS"; \
 	  fi; \
 	done; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
@@ -2326,29 +2387,34 @@ TAGS: tags-recursive $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
 	  test -n "$$unique" || unique=$$empty_fix; \
-	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	    $$tags $$unique; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
 	fi
 ctags: CTAGS
 CTAGS: ctags-recursive $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	test -z "$(CTAGS_ARGS)$$unique" \
 	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$tags $$unique
+	     $$unique
 
 GTAGS:
 	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && cd $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) $$here
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
 
 distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
@@ -2369,29 +2435,44 @@ distdir: $(DISTFILES)
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
 	  if test -d $$d/$$file; then \
 	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
 	    fi; \
-	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
 	  else \
-	    test -f $(distdir)/$$file \
-	    || cp -p $$d/$$file $(distdir)/$$file \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
 	    || exit 1; \
 	  fi; \
 	done
-	list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
+	@list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
 	  if test "$$subdir" = .; then :; else \
 	    test -d "$(distdir)/$$subdir" \
 	    || $(MKDIR_P) "$(distdir)/$$subdir" \
 	    || exit 1; \
-	    distdir=`$(am__cd) $(distdir) && pwd`; \
-	    top_distdir=`$(am__cd) $(top_distdir) && pwd`; \
-	    (cd $$subdir && \
+	  fi; \
+	done
+	@list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
+	  if test "$$subdir" = .; then :; else \
+	    dir1=$$subdir; dir2="$(distdir)/$$subdir"; \
+	    $(am__relativize); \
+	    new_distdir=$$reldir; \
+	    dir1=$$subdir; dir2="$(top_distdir)"; \
+	    $(am__relativize); \
+	    new_top_distdir=$$reldir; \
+	    echo " (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) top_distdir="$$new_top_distdir" distdir="$$new_distdir" \\"; \
+	    echo "     am__remove_distdir=: am__skip_length_check=: am__skip_mode_fix=: distdir)"; \
+	    ($(am__cd) $$subdir && \
 	      $(MAKE) $(AM_MAKEFLAGS) \
-	        top_distdir="$$top_distdir" \
-	        distdir="$$distdir/$$subdir" \
+	        top_distdir="$$new_top_distdir" \
+	        distdir="$$new_distdir" \
 		am__remove_distdir=: \
 		am__skip_length_check=: \
+		am__skip_mode_fix=: \
 	        distdir) \
 	      || exit 1; \
 	  fi; \
@@ -2424,6 +2505,7 @@ clean-generic:
 
 distclean-generic:
 	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -2445,6 +2527,8 @@ dvi-am:
 
 html: html-recursive
 
+html-am:
+
 info: info-recursive
 
 info-am:
@@ -2453,18 +2537,28 @@ install-data-am: install-ipsecPROGRAMS
 
 install-dvi: install-dvi-recursive
 
+install-dvi-am:
+
 install-exec-am:
 
 install-html: install-html-recursive
 
+install-html-am:
+
 install-info: install-info-recursive
 
+install-info-am:
+
 install-man:
 
 install-pdf: install-pdf-recursive
 
+install-pdf-am:
+
 install-ps: install-ps-recursive
 
+install-ps-am:
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-recursive
@@ -2487,8 +2581,8 @@ ps-am:
 
 uninstall-am: uninstall-ipsecPROGRAMS
 
-.MAKE: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) install-am \
-	install-strip
+.MAKE: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) ctags-recursive \
+	install-am install-strip tags-recursive
 
 .PHONY: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) CTAGS GTAGS \
 	all all-am check check-am clean clean-generic \
@@ -2506,6 +2600,7 @@ uninstall-am: uninstall-ipsecPROGRAMS
 	pdf pdf-am ps ps-am tags tags-recursive uninstall uninstall-am \
 	uninstall-ipsecPROGRAMS
 
+
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/src/charon/bus/bus.c b/src/charon/bus/bus.c
index 2671f848e..524a77682 100644
--- a/src/charon/bus/bus.c
+++ b/src/charon/bus/bus.c
@@ -15,11 +15,13 @@
 
 #include "bus.h"
 
-#include <pthread.h>
 #include <stdint.h>
 
 #include <daemon.h>
-#include <utils/mutex.h>
+#include <threading/thread.h>
+#include <threading/thread_value.h>
+#include <threading/condvar.h>
+#include <threading/mutex.h>
 
 ENUM(debug_names, DBG_DMN, DBG_LIB,
 	"DMN",
@@ -57,26 +59,21 @@ struct private_bus_t {
 	 * Public part of a bus_t object.
 	 */
 	bus_t public;
-	
+
 	/**
 	 * List of registered listeners as entry_t's
 	 */
 	linked_list_t *listeners;
-	
+
 	/**
 	 * mutex to synchronize active listeners, recursively
 	 */
 	mutex_t *mutex;
-	
-	/**
-	 * Thread local storage for a unique, simple thread ID
-	 */
-	pthread_key_t thread_id;
-	
+
 	/**
 	 * Thread local storage the threads IKE_SA
 	 */
-	pthread_key_t thread_sa;
+	thread_value_t *thread_sa;
 };
 
 typedef struct entry_t entry_t;
@@ -90,17 +87,17 @@ struct entry_t {
 	 * registered listener interface
 	 */
 	listener_t *listener;
-	
+
 	/**
 	 * is this a active listen() call with a blocking thread
 	 */
 	bool blocker;
-	
+
 	/**
 	 * are we currently calling this listener
 	 */
 	int calling;
-	
+
 	/**
 	 * condvar where active listeners wait
 	 */
@@ -113,12 +110,12 @@ struct entry_t {
 static entry_t *entry_create(listener_t *listener, bool blocker)
 {
 	entry_t *this = malloc_thing(entry_t);
-	
+
 	this->listener = listener;
 	this->blocker = blocker;
 	this->calling = 0;
 	this->condvar = condvar_create(CONDVAR_TYPE_DEFAULT);
-	
+
 	return this;
 }
 
@@ -131,28 +128,6 @@ static void entry_destroy(entry_t *entry)
 	free(entry);
 }
 
-/**
- * Get a unique thread number for a calling thread. Since
- * pthread_self returns large and ugly numbers, use this function
- * for logging; these numbers are incremental starting at 1
- */
-static u_int get_thread_number(private_bus_t *this)
-{
-	static uintptr_t current_num = 0;
-	uintptr_t stored_num;
-	
-	stored_num = (uintptr_t)pthread_getspecific(this->thread_id);
-	if (stored_num == 0)
-	{	/* first call of current thread */
-		pthread_setspecific(this->thread_id, (void*)++current_num);
-		return current_num;
-	}
-	else
-	{
-		return stored_num;
-	}
-}
-
 /**
  * Implementation of bus_t.add_listener.
  */
@@ -189,7 +164,7 @@ static void remove_listener(private_bus_t *this, listener_t *listener)
 typedef struct cleanup_data_t cleanup_data_t;
 
 /**
- * data to remove a listener using pthread_cleanup handler
+ * data to remove a listener using thread_cleanup_t handler
  */
 struct cleanup_data_t {
 	/** bus instance */
@@ -199,7 +174,7 @@ struct cleanup_data_t {
 };
 
 /**
- * pthread_cleanup handler to remove a listener
+ * thread_cleanup_t handler to remove a listener
  */
 static void listener_cleanup(cleanup_data_t *data)
 {
@@ -212,26 +187,26 @@ static void listener_cleanup(cleanup_data_t *data)
  */
 static void listen_(private_bus_t *this, listener_t *listener, job_t *job)
 {
-	int old;
+	bool old;
 	cleanup_data_t data;
-	
+
 	data.this = this;
 	data.entry = entry_create(listener, TRUE);
 
 	this->mutex->lock(this->mutex);
 	this->listeners->insert_last(this->listeners, data.entry);
 	charon->processor->queue_job(charon->processor, job);
-	pthread_cleanup_push((void*)this->mutex->unlock, this->mutex);
-	pthread_cleanup_push((void*)listener_cleanup, &data);
-	pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &old);
+	thread_cleanup_push((thread_cleanup_t)this->mutex->unlock, this->mutex);
+	thread_cleanup_push((thread_cleanup_t)listener_cleanup, &data);
+	old = thread_cancelability(TRUE);
 	while (data.entry->blocker)
 	{
 		data.entry->condvar->wait(data.entry->condvar, this->mutex);
 	}
-	pthread_setcancelstate(old, NULL);
-	pthread_cleanup_pop(FALSE);
+	thread_cancelability(old);
+	thread_cleanup_pop(FALSE);
 	/* unlock mutex */
-	pthread_cleanup_pop(TRUE);
+	thread_cleanup_pop(TRUE);
 	entry_destroy(data.entry);
 }
 
@@ -240,7 +215,15 @@ static void listen_(private_bus_t *this, listener_t *listener, job_t *job)
  */
 static void set_sa(private_bus_t *this, ike_sa_t *ike_sa)
 {
-	pthread_setspecific(this->thread_sa, ike_sa);
+	this->thread_sa->set(this->thread_sa, ike_sa);
+}
+
+/**
+ * Implementation of bus_t.get_sa
+ */
+static ike_sa_t* get_sa(private_bus_t *this)
+{
+	return this->thread_sa->get(this->thread_sa);
 }
 
 /**
@@ -302,20 +285,20 @@ static void vlog(private_bus_t *this, debug_t group, level_t level,
 				 char* format, va_list args)
 {
 	log_data_t data;
-	
-	data.ike_sa = pthread_getspecific(this->thread_sa);
-	data.thread = get_thread_number(this);
+
+	data.ike_sa = this->thread_sa->get(this->thread_sa);
+	data.thread = thread_current_id();
 	data.group = group;
 	data.level = level;
 	data.format = format;
 	va_copy(data.args, args);
-	
+
 	this->mutex->lock(this->mutex);
 	/* We use the remove() method to invoke all listeners. This is cheap and
 	 * does not require an allocation for this performance critical function. */
 	this->listeners->remove(this->listeners, &data, (void*)log_cb);
 	this->mutex->unlock(this->mutex);
-	
+
 	va_end(data.args);
 }
 
@@ -326,7 +309,7 @@ static void log_(private_bus_t *this, debug_t group, level_t level,
 				 char* format, ...)
 {
 	va_list args;
-	
+
 	va_start(args, format);
 	vlog(this, group, level, format, args);
 	va_end(args);
@@ -360,9 +343,9 @@ static void alert(private_bus_t *this, alert_t alert, ...)
 	entry_t *entry;
 	va_list args;
 	bool keep;
-	
-	ike_sa = pthread_getspecific(this->thread_sa);
-	
+
+	ike_sa = this->thread_sa->get(this->thread_sa);
+
 	this->mutex->lock(this->mutex);
 	enumerator = this->listeners->create_enumerator(this->listeners);
 	while (enumerator->enumerate(enumerator, &entry))
@@ -394,7 +377,7 @@ static void ike_state_change(private_bus_t *this, ike_sa_t *ike_sa,
 	enumerator_t *enumerator;
 	entry_t *entry;
 	bool keep;
-	
+
 	this->mutex->lock(this->mutex);
 	enumerator = this->listeners->create_enumerator(this->listeners);
 	while (enumerator->enumerate(enumerator, &entry))
@@ -425,9 +408,9 @@ static void child_state_change(private_bus_t *this, child_sa_t *child_sa,
 	ike_sa_t *ike_sa;
 	entry_t *entry;
 	bool keep;
-	
-	ike_sa = pthread_getspecific(this->thread_sa);
-	
+
+	ike_sa = this->thread_sa->get(this->thread_sa);
+
 	this->mutex->lock(this->mutex);
 	enumerator = this->listeners->create_enumerator(this->listeners);
 	while (enumerator->enumerate(enumerator, &entry))
@@ -458,9 +441,9 @@ static void message(private_bus_t *this, message_t *message, bool incoming)
 	ike_sa_t *ike_sa;
 	entry_t *entry;
 	bool keep;
-	
-	ike_sa = pthread_getspecific(this->thread_sa);
-	
+
+	ike_sa = this->thread_sa->get(this->thread_sa);
+
 	this->mutex->lock(this->mutex);
 	enumerator = this->listeners->create_enumerator(this->listeners);
 	while (enumerator->enumerate(enumerator, &entry))
@@ -492,7 +475,7 @@ static void ike_keys(private_bus_t *this, ike_sa_t *ike_sa,
 	enumerator_t *enumerator;
 	entry_t *entry;
 	bool keep;
-	
+
 	this->mutex->lock(this->mutex);
 	enumerator = this->listeners->create_enumerator(this->listeners);
 	while (enumerator->enumerate(enumerator, &entry))
@@ -524,9 +507,9 @@ static void child_keys(private_bus_t *this, child_sa_t *child_sa,
 	ike_sa_t *ike_sa;
 	entry_t *entry;
 	bool keep;
-	
-	ike_sa = pthread_getspecific(this->thread_sa);
-	
+
+	ike_sa = this->thread_sa->get(this->thread_sa);
+
 	this->mutex->lock(this->mutex);
 	enumerator = this->listeners->create_enumerator(this->listeners);
 	while (enumerator->enumerate(enumerator, &entry))
@@ -557,9 +540,9 @@ static void child_updown(private_bus_t *this, child_sa_t *child_sa, bool up)
 	ike_sa_t *ike_sa;
 	entry_t *entry;
 	bool keep;
-	
-	ike_sa = pthread_getspecific(this->thread_sa);
-	
+
+	ike_sa = this->thread_sa->get(this->thread_sa);
+
 	this->mutex->lock(this->mutex);
 	enumerator = this->listeners->create_enumerator(this->listeners);
 	while (enumerator->enumerate(enumerator, &entry))
@@ -590,9 +573,9 @@ static void child_rekey(private_bus_t *this, child_sa_t *old, child_sa_t *new)
 	ike_sa_t *ike_sa;
 	entry_t *entry;
 	bool keep;
-	
-	ike_sa = pthread_getspecific(this->thread_sa);
-	
+
+	ike_sa = this->thread_sa->get(this->thread_sa);
+
 	this->mutex->lock(this->mutex);
 	enumerator = this->listeners->create_enumerator(this->listeners);
 	while (enumerator->enumerate(enumerator, &entry))
@@ -621,7 +604,7 @@ static void ike_updown(private_bus_t *this, ike_sa_t *ike_sa, bool up)
 	enumerator_t *enumerator;
 	entry_t *entry;
 	bool keep;
-	
+
 	this->mutex->lock(this->mutex);
 	enumerator = this->listeners->create_enumerator(this->listeners);
 	while (enumerator->enumerate(enumerator, &entry))
@@ -640,13 +623,13 @@ static void ike_updown(private_bus_t *this, ike_sa_t *ike_sa, bool up)
 	}
 	enumerator->destroy(enumerator);
 	this->mutex->unlock(this->mutex);
-	
+
 	/* a down event for IKE_SA implicitly downs all CHILD_SAs */
 	if (!up)
 	{
 		iterator_t *iterator;
 		child_sa_t *child_sa;
-		
+
 		iterator = ike_sa->create_child_sa_iterator(ike_sa);
 		while (iterator->iterate(iterator, (void**)&child_sa))
 		{
@@ -664,7 +647,7 @@ static void ike_rekey(private_bus_t *this, ike_sa_t *old, ike_sa_t *new)
 	enumerator_t *enumerator;
 	entry_t *entry;
 	bool keep;
-	
+
 	this->mutex->lock(this->mutex);
 	enumerator = this->listeners->create_enumerator(this->listeners);
 	while (enumerator->enumerate(enumerator, &entry))
@@ -688,15 +671,15 @@ static void ike_rekey(private_bus_t *this, ike_sa_t *old, ike_sa_t *new)
 /**
  * Implementation of bus_t.authorize
  */
-static bool authorize(private_bus_t *this, linked_list_t *auth, bool final)
+static bool authorize(private_bus_t *this, bool final)
 {
 	enumerator_t *enumerator;
 	ike_sa_t *ike_sa;
 	entry_t *entry;
 	bool keep, success = TRUE;
-	
-	ike_sa = pthread_getspecific(this->thread_sa);
-	
+
+	ike_sa = this->thread_sa->get(this->thread_sa);
+
 	this->mutex->lock(this->mutex);
 	enumerator = this->listeners->create_enumerator(this->listeners);
 	while (enumerator->enumerate(enumerator, &entry))
@@ -707,7 +690,7 @@ static bool authorize(private_bus_t *this, linked_list_t *auth, bool final)
 		}
 		entry->calling++;
 		keep = entry->listener->authorize(entry->listener, ike_sa,
-										  auth, final, &success);
+										  final, &success);
 		entry->calling--;
 		if (!keep)
 		{
@@ -728,6 +711,7 @@ static bool authorize(private_bus_t *this, linked_list_t *auth, bool final)
  */
 static void destroy(private_bus_t *this)
 {
+	this->thread_sa->destroy(this->thread_sa);
 	this->mutex->destroy(this->mutex);
 	this->listeners->destroy_function(this->listeners, (void*)entry_destroy);
 	free(this);
@@ -739,11 +723,12 @@ static void destroy(private_bus_t *this)
 bus_t *bus_create()
 {
 	private_bus_t *this = malloc_thing(private_bus_t);
-	
+
 	this->public.add_listener = (void(*)(bus_t*,listener_t*))add_listener;
 	this->public.remove_listener = (void(*)(bus_t*,listener_t*))remove_listener;
 	this->public.listen = (void(*)(bus_t*, listener_t *listener, job_t *job))listen_;
 	this->public.set_sa = (void(*)(bus_t*,ike_sa_t*))set_sa;
+	this->public.get_sa = (ike_sa_t*(*)(bus_t*))get_sa;
 	this->public.log = (void(*)(bus_t*,debug_t,level_t,char*,...))log_;
 	this->public.vlog = (void(*)(bus_t*,debug_t,level_t,char*,va_list))vlog;
 	this->public.alert = (void(*)(bus_t*, alert_t alert, ...))alert;
@@ -756,14 +741,13 @@ bus_t *bus_create()
 	this->public.ike_rekey = (void(*)(bus_t*, ike_sa_t *old, ike_sa_t *new))ike_rekey;
 	this->public.child_updown = (void(*)(bus_t*, child_sa_t *child_sa, bool up))child_updown;
 	this->public.child_rekey = (void(*)(bus_t*, child_sa_t *old, child_sa_t *new))child_rekey;
-	this->public.authorize = (bool(*)(bus_t*, linked_list_t *auth, bool final))authorize;
+	this->public.authorize = (bool(*)(bus_t*, bool final))authorize;
 	this->public.destroy = (void(*)(bus_t*)) destroy;
-	
+
 	this->listeners = linked_list_create();
 	this->mutex = mutex_create(MUTEX_TYPE_RECURSIVE);
-	pthread_key_create(&this->thread_id, NULL);
-	pthread_key_create(&this->thread_sa, NULL);
-	
+	this->thread_sa = thread_value_create(NULL);
+
 	return &this->public;
 }
 
diff --git a/src/charon/bus/bus.h b/src/charon/bus/bus.h
index 9c90db6f9..af59a14a1 100644
--- a/src/charon/bus/bus.h
+++ b/src/charon/bus/bus.h
@@ -133,6 +133,8 @@ enum level_t {
 enum alert_t {
 	/* a RADIUS server did not respond, no additional arguments */
 	ALERT_RADIUS_NOT_RESPONDING,
+	/* a shutdown signal has been received, argument is a int with the signal */
+	ALERT_SHUTDOWN_SIGNAL,
 };
 
 /**
@@ -142,7 +144,7 @@ enum alert_t {
  * may wait actively to events using the blocking listen() call.
  */
 struct bus_t {
-	
+
 	/**
 	 * Register a listener to the bus.
 	 *
@@ -153,14 +155,14 @@ struct bus_t {
 	 * @param listener	listener to register.
 	 */
 	void (*add_listener) (bus_t *this, listener_t *listener);
-	
+
 	/**
 	 * Unregister a listener from the bus.
 	 *
 	 * @param listener	listener to unregister.
 	 */
 	void (*remove_listener) (bus_t *this, listener_t *listener);
-	
+
 	/**
 	 * Register a listener and block the calling thread.
 	 *
@@ -174,20 +176,30 @@ struct bus_t {
 	 * @param job		job to execute asynchronously when registered, or NULL
 	 */
 	void (*listen)(bus_t *this, listener_t *listener, job_t *job);
-	
+
 	/**
 	 * Set the IKE_SA the calling thread is using.
 	 *
 	 * To associate an received log message to an IKE_SA without passing it as
 	 * parameter each time, the thread registers the currenlty used IKE_SA
-	 * during check-out. Before check-in, the thread unregisters the IKE_SA. 
+	 * during check-out. Before check-in, the thread unregisters the IKE_SA.
 	 * This IKE_SA is stored per-thread, so each thread has its own IKE_SA
 	 * registered.
-	 * 
+	 *
 	 * @param ike_sa	ike_sa to register, or NULL to unregister
 	 */
 	void (*set_sa) (bus_t *this, ike_sa_t *ike_sa);
-	
+
+	/**
+	 * Get the IKE_SA the calling thread is currently using.
+	 *
+	 * If a thread currently does not know what IKE_SA it is processing,
+	 * it can call get_sa() to look up the SA set during checkout via set_sa().
+	 *
+	 * @return			registered ike_sa, NULL if none registered
+	 */
+	ike_sa_t* (*get_sa)(bus_t *this);
+
 	/**
 	 * Send a log message to the bus.
 	 *
@@ -202,7 +214,7 @@ struct bus_t {
 	 * @param ...		printf() style argument list
 	 */
 	void (*log)(bus_t *this, debug_t group, level_t level, char* format, ...);
-	
+
 	/**
 	 * Send a log message to the bus using va_list arguments.
 	 *
@@ -215,7 +227,7 @@ struct bus_t {
 	 */
 	void (*vlog)(bus_t *this, debug_t group, level_t level,
 				 char* format, va_list args);
-	
+
 	/**
 	 * Raise an alert over the bus.
 	 *
@@ -223,7 +235,7 @@ struct bus_t {
 	 * @param ...		alert specific attributes
 	 */
 	void (*alert)(bus_t *this, alert_t alert, ...);
-	
+
 	/**
 	 * Send a IKE_SA state change event to the bus.
 	 *
@@ -247,16 +259,15 @@ struct bus_t {
 	 * @param incoming	TRUE for incoming messages, FALSE for outgoing
 	 */
 	void (*message)(bus_t *this, message_t *message, bool incoming);
-	
+
 	/**
 	 * IKE_SA authorization hook.
 	 *
-	 * @param auth		list of auth_cfg_t, containing peers authentication info
 	 * @param final		TRUE if this is the final invocation
 	 * @return			TRUE to establish IKE_SA, FALSE to send AUTH_FAILED
 	 */
-	bool (*authorize)(bus_t *this, linked_list_t *auth, bool final);
-	
+	bool (*authorize)(bus_t *this, bool final);
+
 	/**
 	 * IKE_SA keymat hook.
 	 *
@@ -278,7 +289,7 @@ struct bus_t {
 	 */
 	void (*child_keys)(bus_t *this, child_sa_t *child_sa, diffie_hellman_t *dh,
 					   chunk_t nonce_i, chunk_t nonce_r);
-	
+
 	/**
 	 * IKE_SA up/down hook.
 	 *
@@ -286,7 +297,7 @@ struct bus_t {
 	 * @param up		TRUE for an up event, FALSE for a down event
 	 */
 	void (*ike_updown)(bus_t *this, ike_sa_t *ike_sa, bool up);
-	
+
 	/**
 	 * IKE_SA rekeying hook.
 	 *
@@ -294,7 +305,7 @@ struct bus_t {
 	 * @param new		new IKE_SA replacing old
 	 */
 	void (*ike_rekey)(bus_t *this, ike_sa_t *old, ike_sa_t *new);
-	
+
 	/**
 	 * CHILD_SA up/down hook.
 	 *
@@ -302,7 +313,7 @@ struct bus_t {
 	 * @param up		TRUE for an up event, FALSE for a down event
 	 */
 	void (*child_updown)(bus_t *this, child_sa_t *child_sa, bool up);
-	
+
 	/**
 	 * CHILD_SA rekeying hook.
 	 *
@@ -310,7 +321,7 @@ struct bus_t {
 	 * @param new		new CHILD_SA replacing old
 	 */
 	void (*child_rekey)(bus_t *this, child_sa_t *old, child_sa_t *new);
-	
+
 	/**
 	 * Destroy the event bus.
 	 */
diff --git a/src/charon/bus/listeners/file_logger.c b/src/charon/bus/listeners/file_logger.c
index c3213f5f8..12587deaf 100644
--- a/src/charon/bus/listeners/file_logger.c
+++ b/src/charon/bus/listeners/file_logger.c
@@ -25,17 +25,17 @@ typedef struct private_file_logger_t private_file_logger_t;
  * Private data of a file_logger_t object
  */
 struct private_file_logger_t {
-	
+
 	/**
 	 * Public data.
 	 */
 	file_logger_t public;
-	
+
 	/**
 	 * output file
 	 */
 	FILE *out;
-	
+
 	/**
 	 * Maximum level to log, for each group
 	 */
@@ -52,10 +52,10 @@ static bool log_(private_file_logger_t *this, debug_t group, level_t level,
 	{
 		char buffer[8192];
 		char *current = buffer, *next;
-		
+
 		/* write in memory buffer first */
 		vsnprintf(buffer, sizeof(buffer), format, args);
-		
+
 		/* prepend a prefix in front of every line */
 		while (current)
 		{
@@ -109,17 +109,17 @@ static void destroy(private_file_logger_t *this)
 file_logger_t *file_logger_create(FILE *out)
 {
 	private_file_logger_t *this = malloc_thing(private_file_logger_t);
-	
+
 	/* public functions */
 	memset(&this->public.listener, 0, sizeof(listener_t));
 	this->public.listener.log = (bool(*)(listener_t*,debug_t,level_t,int,ike_sa_t*,char*,va_list))log_;
 	this->public.set_level = (void(*)(file_logger_t*,debug_t,level_t))set_level;
 	this->public.destroy = (void(*)(file_logger_t*))destroy;
-	
+
 	/* private variables */
 	this->out = out;
 	set_level(this, DBG_ANY, LEVEL_SILENT);
-	
+
 	return &this->public;
 }
 
diff --git a/src/charon/bus/listeners/file_logger.h b/src/charon/bus/listeners/file_logger.h
index a69374f23..bd443fdb8 100644
--- a/src/charon/bus/listeners/file_logger.h
+++ b/src/charon/bus/listeners/file_logger.h
@@ -29,12 +29,12 @@ typedef struct file_logger_t file_logger_t;
  * Logger to files which implements listener_t.
  */
 struct file_logger_t {
-	
+
 	/**
 	 * Implements the listener_t interface.
 	 */
 	listener_t listener;
-	
+
 	/**
 	 * Set the loglevel for a debug group.
 	 *
@@ -42,7 +42,7 @@ struct file_logger_t {
 	 * @param level		max level to log (0..4)
 	 */
 	void (*set_level) (file_logger_t *this, debug_t group, level_t level);
-	
+
 	/**
 	 * Destroys a file_logger_t object.
 	 */
diff --git a/src/charon/bus/listeners/listener.h b/src/charon/bus/listeners/listener.h
index 578f08ebe..67e36beeb 100644
--- a/src/charon/bus/listeners/listener.h
+++ b/src/charon/bus/listeners/listener.h
@@ -29,7 +29,7 @@ typedef struct listener_t listener_t;
  * Listener interface, listens to events if registered to the bus.
  */
 struct listener_t {
-	
+
 	/**
 	 * Log a debugging message.
 	 *
@@ -48,7 +48,7 @@ struct listener_t {
 	 */
 	bool (*log)(listener_t *this, debug_t group, level_t level, int thread,
 				ike_sa_t *ike_sa, char* format, va_list args);
-	
+
 	/**
 	 * Hook called if a critical alert is risen.
 	 *
@@ -59,7 +59,7 @@ struct listener_t {
 	 */
 	bool (*alert)(listener_t *this, ike_sa_t *ike_sa,
 				  alert_t alert, va_list args);
-	
+
 	/**
 	 * Handle state changes in an IKE_SA.
 	 *
@@ -69,7 +69,7 @@ struct listener_t {
 	 */
 	bool (*ike_state_change)(listener_t *this, ike_sa_t *ike_sa,
 							 ike_sa_state_t state);
-	
+
 	/**
 	 * Handle state changes in a CHILD_SA.
 	 *
@@ -80,7 +80,7 @@ struct listener_t {
 	 */
 	bool (*child_state_change)(listener_t *this, ike_sa_t *ike_sa,
 							   child_sa_t *child_sa, child_sa_state_t state);
-	
+
 	/**
 	 * Hook called for received/sent messages of an IKE_SA.
 	 *
@@ -91,7 +91,7 @@ struct listener_t {
 	 */
 	bool (*message)(listener_t *this, ike_sa_t *ike_sa, message_t *message,
 					bool incoming);
-	
+
 	/**
 	 * Hook called with IKE_SA key material.
 	 *
@@ -104,7 +104,7 @@ struct listener_t {
 	 */
 	bool (*ike_keys)(listener_t *this, ike_sa_t *ike_sa, diffie_hellman_t *dh,
 					 chunk_t nonce_i, chunk_t nonce_r, ike_sa_t *rekey);
-	
+
 	/**
 	 * Hook called with CHILD_SA key material.
 	 *
@@ -117,7 +117,7 @@ struct listener_t {
 	 */
 	bool (*child_keys)(listener_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa,
 					   diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r);
-	
+
 	/**
 	 * Hook called if an IKE_SA gets up or down.
 	 *
@@ -126,7 +126,7 @@ struct listener_t {
 	 * @return			TRUE to stay registered, FALSE to unregister
 	 */
 	bool (*ike_updown)(listener_t *this, ike_sa_t *ike_sa, bool up);
-	
+
 	/**
 	 * Hook called when an IKE_SA gets rekeyed.
 	 *
@@ -135,7 +135,7 @@ struct listener_t {
 	 * @return			TRUE to stay registered, FALSE to unregister
 	 */
 	bool (*ike_rekey)(listener_t *this, ike_sa_t *old, ike_sa_t *new);
-	
+
 	/**
 	 * Hook called when a CHILD_SA gets up or down.
 	 *
@@ -146,7 +146,7 @@ struct listener_t {
 	 */
 	bool (*child_updown)(listener_t *this, ike_sa_t *ike_sa,
 						 child_sa_t *child_sa, bool up);
-	
+
 	/**
 	 * Hook called when an CHILD_SA gets rekeyed.
 	 *
@@ -157,7 +157,7 @@ struct listener_t {
 	 */
 	bool (*child_rekey)(listener_t *this, ike_sa_t *ike_sa,
 						child_sa_t *old, child_sa_t *new);
-	
+
 	/**
 	 * Hook called to invoke additional authorization rules.
 	 *
@@ -167,13 +167,12 @@ struct listener_t {
 	 * it is invoked again, but with final = TRUE.
 	 *
 	 * @param ike_sa	IKE_SA to authorize
-	 * @param auth		list of auth_cfg_t, done in peers authentication rounds
 	 * @param final		TRUE if this is the final hook invocation
 	 * @param success	set to TRUE to complete IKE_SA, FALSE abort
 	 * @return			TRUE to stay registered, FALSE to unregister
 	 */
-	bool (*authorize)(listener_t *this, ike_sa_t *ike_sa, linked_list_t *auth,
+	bool (*authorize)(listener_t *this, ike_sa_t *ike_sa,
 					  bool final, bool *success);
 };
 
-#endif /* LISTENER_ @}*/
+#endif /** LISTENER_H_ @}*/
diff --git a/src/charon/bus/listeners/sys_logger.c b/src/charon/bus/listeners/sys_logger.c
index 0b579ce92..11421ad05 100644
--- a/src/charon/bus/listeners/sys_logger.c
+++ b/src/charon/bus/listeners/sys_logger.c
@@ -25,17 +25,17 @@ typedef struct private_sys_logger_t private_sys_logger_t;
  * Private data of a sys_logger_t object
  */
 struct private_sys_logger_t {
-	
+
 	/**
 	 * Public data.
 	 */
 	sys_logger_t public;
-	
+
 	/**
 	 * syslog facility to use
 	 */
 	int facility;
-	
+
 	/**
 	 * Maximum level to log, for each group
 	 */
@@ -52,10 +52,10 @@ static bool log_(private_sys_logger_t *this, debug_t group, level_t level,
 	{
 		char buffer[8192];
 		char *current = buffer, *next;
-		
+
 		/* write in memory buffer first */
 		vsnprintf(buffer, sizeof(buffer), format, args);
-		
+
 		/* do a syslog with every line */
 		while (current)
 		{
@@ -106,16 +106,16 @@ static void destroy(private_sys_logger_t *this)
 sys_logger_t *sys_logger_create(int facility)
 {
 	private_sys_logger_t *this = malloc_thing(private_sys_logger_t);
-	
+
 	/* public functions */
 	memset(&this->public.listener, 0, sizeof(listener_t));
 	this->public.listener.log = (bool(*)(listener_t*,debug_t,level_t,int,ike_sa_t*,char*,va_list))log_;
 	this->public.set_level = (void(*)(sys_logger_t*,debug_t,level_t))set_level;
 	this->public.destroy = (void(*)(sys_logger_t*))destroy;
-	
+
 	/* private variables */
 	this->facility = facility;
 	set_level(this, DBG_ANY, LEVEL_SILENT);
-	
+
 	return &this->public;
 }
diff --git a/src/charon/bus/listeners/sys_logger.h b/src/charon/bus/listeners/sys_logger.h
index 3ed0f02fa..730890d68 100644
--- a/src/charon/bus/listeners/sys_logger.h
+++ b/src/charon/bus/listeners/sys_logger.h
@@ -31,12 +31,12 @@ typedef struct sys_logger_t sys_logger_t;
  * Logger for syslog which implements listener_t.
  */
 struct sys_logger_t {
-	
+
 	/**
 	 * Implements the listener_t interface.
 	 */
 	listener_t listener;
-	
+
 	/**
 	 * Set the loglevel for a debug group.
 	 *
@@ -44,7 +44,7 @@ struct sys_logger_t {
 	 * @param level		max level to log (0..4)
 	 */
 	void (*set_level) (sys_logger_t *this, debug_t group, level_t level);
-	
+
 	/**
 	 * Destroys a sys_logger_t object.
 	 */
diff --git a/src/charon/config/attributes/attribute_handler.h b/src/charon/config/attributes/attribute_handler.h
deleted file mode 100644
index de1c4414d..000000000
--- a/src/charon/config/attributes/attribute_handler.h
+++ /dev/null
@@ -1,58 +0,0 @@
-/*
- * Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup attribute_handler attribute_handler
- * @{ @ingroup attributes
- */
-
-#ifndef ATTRIBUTE_HANDLER_H_
-#define ATTRIBUTE_HANDLER_H_
-
-#include <sa/ike_sa.h>
-#include <encoding/payloads/configuration_attribute.h>
-
-typedef struct attribute_handler_t attribute_handler_t;
-
-/**
- * Interface to handle configuration payload attributes.
- */
-struct attribute_handler_t {
-	
-	/**
-	 * Handle a configuration attribute.
-	 *
-	 * After receiving a configuration attriubte, it is passed to each
-	 * attribute handler until it is handled.
-	 *
-	 * @param type		type of configuration attribute to handle
-	 * @param data		associated attribute data
-	 * @return			TRUE if attribute handled
-	 */
-	bool (*handle)(attribute_handler_t *this, ike_sa_t *ike_sa,
-				   configuration_attribute_type_t type, chunk_t data);
-	
-	/**
-	 * Release an attribute handled during handle().
-	 *
-	 * A handler that handle()d an attribute gets a call to release() when the
-	 * IKE_SA gets closed. Depending on the implementation, this is required
-	 * to remove the attribute.
-	 */
-	void (*release)(attribute_handler_t *this, ike_sa_t *ike_sa,
-					configuration_attribute_type_t type, chunk_t data);
-};
-
-#endif /* ATTRIBUTE_HANDLER_ @}*/
diff --git a/src/charon/config/attributes/attribute_manager.c b/src/charon/config/attributes/attribute_manager.c
deleted file mode 100644
index bf45fdb42..000000000
--- a/src/charon/config/attributes/attribute_manager.c
+++ /dev/null
@@ -1,267 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "attribute_manager.h"
-
-#include <daemon.h>
-#include <utils/linked_list.h>
-#include <utils/mutex.h>
-
-typedef struct private_attribute_manager_t private_attribute_manager_t;
-
-/**
- * private data of attribute_manager
- */
-struct private_attribute_manager_t {
-
-	/**
-	 * public functions
-	 */
-	attribute_manager_t public;
-	
-	/**
-	 * list of registered providers
-	 */
-	linked_list_t *providers;
-	
-	/**
-	 * list of registered handlers
-	 */
-	linked_list_t *handlers;
-	
-	/**
-	 * rwlock provider list
-	 */
-	rwlock_t *lock;
-};
-
-/**
- * Implementation of attribute_manager_t.acquire_address.
- */
-static host_t* acquire_address(private_attribute_manager_t *this,
-							   char *pool, identification_t *id,
-							   host_t *requested)
-{
-	enumerator_t *enumerator;
-	attribute_provider_t *current;
-	host_t *host = NULL;
-	
-	this->lock->read_lock(this->lock);
-	enumerator = this->providers->create_enumerator(this->providers);
-	while (enumerator->enumerate(enumerator, &current))
-	{
-		host = current->acquire_address(current, pool, id, requested);
-		if (host)
-		{
-			break;
-		}
-	}
-	enumerator->destroy(enumerator);
-	this->lock->unlock(this->lock);
-	
-	if (!host)
-	{
-		DBG1(DBG_CFG, "acquiring address from pool '%s' failed", pool);
-	}
-	return host;
-}
-
-/**
- * Implementation of attribute_manager_t.release_address.
- */
-static void release_address(private_attribute_manager_t *this,
-							char *pool, host_t *address, identification_t *id)
-{
-	enumerator_t *enumerator;
-	attribute_provider_t *current;
-	bool found = FALSE;
-	
-	this->lock->read_lock(this->lock);
-	enumerator = this->providers->create_enumerator(this->providers);
-	while (enumerator->enumerate(enumerator, &current))
-	{
-		if (current->release_address(current, pool, address, id))
-		{
-			found = TRUE;
-			break;
-		}
-	}
-	enumerator->destroy(enumerator);
-	this->lock->unlock(this->lock);
-	
-	if (!found)
-	{
-		DBG1(DBG_CFG, "releasing address to pool '%s' failed", pool);
-	}
-}
-
-/**
- * inner enumerator constructor for attributes
- */
-static enumerator_t *attrib_enum_create(attribute_provider_t *provider,
-										identification_t *id)
-{
-	return provider->create_attribute_enumerator(provider, id);
-}
-
-/**
- * Implementation of attribute_manager_t.create_attribute_enumerator
- */
-static enumerator_t* create_attribute_enumerator(
-						private_attribute_manager_t *this, identification_t *id)
-{
-	this->lock->read_lock(this->lock);
-	return enumerator_create_cleaner(
-				enumerator_create_nested(
-					this->providers->create_enumerator(this->providers),
-					(void*)attrib_enum_create, id, NULL),
-				(void*)this->lock->unlock, this->lock);
-}
-
-/**
- * Implementation of attribute_manager_t.add_provider.
- */
-static void add_provider(private_attribute_manager_t *this,
-						 attribute_provider_t *provider)
-{
-	this->lock->write_lock(this->lock);
-	this->providers->insert_last(this->providers, provider);
-	this->lock->unlock(this->lock);
-}
-
-/**
- * Implementation of attribute_manager_t.remove_provider.
- */
-static void remove_provider(private_attribute_manager_t *this,
-							attribute_provider_t *provider)
-{
-	this->lock->write_lock(this->lock);
-	this->providers->remove(this->providers, provider, NULL);
-	this->lock->unlock(this->lock);
-}
-
-/**
- * Implementation of attribute_manager_t.handle
- */
-static attribute_handler_t* handle(private_attribute_manager_t *this,
-						ike_sa_t *ike_sa, configuration_attribute_type_t type,
-						chunk_t data)
-{
-	enumerator_t *enumerator;
-	attribute_handler_t *current, *handled = NULL;
-	
-	this->lock->read_lock(this->lock);
-	enumerator = this->handlers->create_enumerator(this->handlers);
-	while (enumerator->enumerate(enumerator, &current))
-	{
-		if (current->handle(current, ike_sa, type, data))
-		{
-			handled = current;
-			break;
-		}
-	}
-	enumerator->destroy(enumerator);
-	this->lock->unlock(this->lock);
-	
-	if (!handled)
-	{
-		DBG1(DBG_CFG, "handling %N attribute failed",
-			 configuration_attribute_type_names, type);
-	}
-	return handled;
-}
-
-/**
- * Implementation of attribute_manager_t.release
- */
-static void release(private_attribute_manager_t *this,
-						attribute_handler_t *handler, ike_sa_t *ike_sa,
-						configuration_attribute_type_t type, chunk_t data)
-{
-	enumerator_t *enumerator;
-	attribute_handler_t *current;
-	
-	this->lock->read_lock(this->lock);
-	enumerator = this->handlers->create_enumerator(this->handlers);
-	while (enumerator->enumerate(enumerator, &current))
-	{
-		if (current == handler)
-		{
-			current->release(current, ike_sa, type, data);
-			break;
-		}
-	}
-	enumerator->destroy(enumerator);
-	this->lock->unlock(this->lock);
-}
-
-/**
- * Implementation of attribute_manager_t.add_handler
- */
-static void add_handler(private_attribute_manager_t *this,
-						attribute_handler_t *handler)
-{
-	this->lock->write_lock(this->lock);
-	this->handlers->insert_last(this->handlers, handler);
-	this->lock->unlock(this->lock);
-}
-
-/**
- * Implementation of attribute_manager_t.remove_handler
- */
-static void remove_handler(private_attribute_manager_t *this,
-						attribute_handler_t *handler)
-{
-	this->lock->write_lock(this->lock);
-	this->handlers->remove(this->handlers, handler, NULL);
-	this->lock->unlock(this->lock);
-}
-
-/**
- * Implementation of attribute_manager_t.destroy
- */
-static void destroy(private_attribute_manager_t *this)
-{
-	this->providers->destroy(this->providers);
-	this->handlers->destroy(this->handlers);
-	this->lock->destroy(this->lock);
-	free(this);
-}
-
-/*
- * see header file
- */
-attribute_manager_t *attribute_manager_create()
-{
-	private_attribute_manager_t *this = malloc_thing(private_attribute_manager_t);
-	
-	this->public.acquire_address = (host_t*(*)(attribute_manager_t*, char*, identification_t*,host_t*))acquire_address;
-	this->public.release_address = (void(*)(attribute_manager_t*, char *, host_t*, identification_t*))release_address;
-	this->public.create_attribute_enumerator = (enumerator_t*(*)(attribute_manager_t*, identification_t *id))create_attribute_enumerator;
-	this->public.add_provider = (void(*)(attribute_manager_t*, attribute_provider_t *provider))add_provider;
-	this->public.remove_provider = (void(*)(attribute_manager_t*, attribute_provider_t *provider))remove_provider;
-	this->public.handle = (attribute_handler_t*(*)(attribute_manager_t*, ike_sa_t *ike_sa, configuration_attribute_type_t type, chunk_t data))handle;
-	this->public.release = (void(*)(attribute_manager_t*, attribute_handler_t *handler, ike_sa_t *ike_sa, configuration_attribute_type_t type, chunk_t data))release;
-	this->public.add_handler = (void(*)(attribute_manager_t*, attribute_handler_t *handler))add_handler;
-	this->public.remove_handler = (void(*)(attribute_manager_t*, attribute_handler_t *handler))remove_handler;
-	this->public.destroy = (void(*)(attribute_manager_t*))destroy;
-	
-	this->providers = linked_list_create();
-	this->handlers = linked_list_create();
-	this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
-	
-	return &this->public;
-}
-
diff --git a/src/charon/config/attributes/attribute_manager.h b/src/charon/config/attributes/attribute_manager.h
deleted file mode 100644
index ceea06581..000000000
--- a/src/charon/config/attributes/attribute_manager.h
+++ /dev/null
@@ -1,135 +0,0 @@
-/*
- * Copyright (C) 2008-2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup attribute_manager attribute_manager
- * @{ @ingroup attributes
- */
-
-#ifndef ATTRIBUTE_MANAGER_H_
-#define ATTRIBUTE_MANAGER_H_
-
-#include <config/attributes/attribute_provider.h>
-#include <config/attributes/attribute_handler.h>
-
-typedef struct attribute_manager_t attribute_manager_t;
-
-/**
- * The attribute manager hands out attributes or handles them.
- *
- * The attribute manager manages both, attribute providers and attribute
- * handlers. Attribute providers are responsible to hand out attributes if
- * a connecting peer requests them. Handlers handle such attributes if they
- * are received on the requesting peer.
- */
-struct attribute_manager_t {
-	
-	/**
-	 * Acquire a virtual IP address to assign to a peer.
-	 *
-	 * @param pool			pool name to acquire address from
-	 * @param id			peer identity to get address forua
-	 * @param requested		IP in configuration request
-	 * @return				allocated address, NULL to serve none
-	 */
-	host_t* (*acquire_address)(attribute_manager_t *this,
-							   char *pool, identification_t *id,
-							   host_t *requested);
-	
-	/**
-	 * Release a previously acquired address.
-	 *
-	 * @param pool			pool name from which the address was acquired
-	 * @param address		address to release
-	 * @param id			peer identity to get address for
-	 */
-	void (*release_address)(attribute_manager_t *this,
-							char *pool, host_t *address, identification_t *id);
-	
-	/**
-	 * Create an enumerator over attributes to hand out to a peer.
-	 *
-	 * @param id			peer identity to hand out attributes to
-	 * @return				enumerator (configuration_attribute_type_t, chunk_t)
-	 */
-	enumerator_t* (*create_attribute_enumerator)(attribute_manager_t *this,
-												 identification_t *id);
-	
-	/**
-	 * Register an attribute provider to the manager.
-	 *
-	 * @param provider		attribute provider to register
-	 */
-	void (*add_provider)(attribute_manager_t *this,
-						 attribute_provider_t *provider);
-	/**
-	 * Unregister an attribute provider from the manager.
-	 *
-	 * @param provider		attribute provider to unregister
-	 */
-	void (*remove_provider)(attribute_manager_t *this,
-							attribute_provider_t *provider);
-	
-	/**
-	 * Handle a configuration attribute by passing them to the handlers.
-	 *
-	 * @param ike_sa		IKE_SA where attribute was received
-	 * @param type			type of configuration attribute
-	 * @param data			associated attribute data
-	 * @return				handler which handled this attribute, NULL if none
-	 */
-	attribute_handler_t* (*handle)(attribute_manager_t *this, ike_sa_t *ike_sa,
-							configuration_attribute_type_t type, chunk_t data);
-	
-	/**
-	 * Release an attribute previously handle()d by a handler.
-	 *
-	 * @param handler		handler returned by handle() for this attribute
-	 * @param ike_sa		IKE_SA owning the attribute
-	 * @param type			type of attribute to release
-	 * @param data			associated attribute data
-	 */
-	void (*release)(attribute_manager_t *this, attribute_handler_t *handler,
-						ike_sa_t *ike_sa, configuration_attribute_type_t type,
-						chunk_t data);
-	
-	/**
-	 * Register an attribute handler to the manager.
-	 *
-	 * @param handler		attribute handler to register
-	 */
-	void (*add_handler)(attribute_manager_t *this,
-						attribute_handler_t *handler);
-	
-	/**
-	 * Unregister an attribute handler from the manager.
-	 *
-	 * @param handler		attribute handler to unregister
-	 */
-	void (*remove_handler)(attribute_manager_t *this,
-						   attribute_handler_t *handler);
-	
-	/**
-	 * Destroy a attribute_manager instance.
-	 */
-	void (*destroy)(attribute_manager_t *this);
-};
-
-/**
- * Create a attribute_manager instance.
- */
-attribute_manager_t *attribute_manager_create();
-
-#endif /** ATTRIBUTE_MANAGER_H_ @}*/
diff --git a/src/charon/config/attributes/attribute_provider.h b/src/charon/config/attributes/attribute_provider.h
deleted file mode 100644
index 0f1057af4..000000000
--- a/src/charon/config/attributes/attribute_provider.h
+++ /dev/null
@@ -1,67 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup attribute_provider attribute_provider
- * @{ @ingroup attributes
- */
-
-#ifndef ATTRIBUTE_PROVIDER_H_
-#define ATTRIBUTE_PROVIDER_H_
-
-#include <library.h>
-#include <utils/host.h>
-#include <utils/identification.h>
-
-typedef struct attribute_provider_t attribute_provider_t;
-
-/**
- * Interface to provide attributes to peers through attribute manager.
- */
-struct attribute_provider_t {
-
-	/**
-	 * Acquire a virtual IP address to assign to a peer.
-	 *
-	 * @param pool			name of the pool to acquire address from
-	 * @param id			peer ID
-	 * @param requested		IP in configuration request
-	 * @return				allocated address, NULL to serve none
-	 */
-	host_t* (*acquire_address)(attribute_provider_t *this,
-							   char *pool, identification_t *id, 
-							   host_t *requested);
-	/**
-	 * Release a previously acquired address.
-	 *
-	 * @param pool			name of the pool this address was acquired from
-	 * @param address		address to release
-	 * @param id			peer ID
-	 * @return				TRUE if the address has been released by the provider
-	 */
-	bool (*release_address)(attribute_provider_t *this,
-							char *pool, host_t *address, identification_t *id);
-	
-	/**
-	 * Create an enumerator over attributes to hand out to a peer.
-	 *
-	 * @param id			peer ID
-	 * @return				enumerator (configuration_attribute_type_t, chunk_t)
-	 */
-	enumerator_t* (*create_attribute_enumerator)(attribute_provider_t *this,
-												 identification_t *id);
-};
-
-#endif /** ATTRIBUTE_PROVIDER_H_ @}*/
diff --git a/src/charon/config/auth_cfg.c b/src/charon/config/auth_cfg.c
index e4501bc93..94362c756 100644
--- a/src/charon/config/auth_cfg.c
+++ b/src/charon/config/auth_cfg.c
@@ -45,12 +45,12 @@ typedef struct private_auth_cfg_t private_auth_cfg_t;
  * private data of item_set
  */
 struct private_auth_cfg_t {
-	
+
 	/**
 	 * public functions
 	 */
 	auth_cfg_t public;
-	
+
 	/**
 	 * list of entry_t
 	 */
@@ -84,7 +84,7 @@ typedef struct {
 static bool enumerate(entry_enumerator_t *this, auth_rule_t *type, void **value)
 {
 	entry_t *entry;
-	
+
 	if (this->inner->enumerate(this->inner, &entry))
 	{
 		this->current = entry;
@@ -110,7 +110,7 @@ static void entry_enumerator_destroy(entry_enumerator_t *this)
 static enumerator_t* create_enumerator(private_auth_cfg_t *this)
 {
 	entry_enumerator_t *enumerator;
-	
+
 	enumerator = malloc_thing(entry_enumerator_t);
 	enumerator->inner = this->entries->create_enumerator(this->entries);
 	enumerator->public.enumerate = (void*)enumerate;
@@ -168,9 +168,9 @@ static void replace(auth_cfg_t *this, entry_enumerator_t *enumerator,
 	if (enumerator->current)
 	{
 		va_list args;
-		
+
 		va_start(args, type);
-		
+
 		destroy_entry_value(enumerator->current);
 		enumerator->current->type = type;
 		switch (type)
@@ -210,7 +210,7 @@ static void* get(private_auth_cfg_t *this, auth_rule_t type)
 	void *current_value, *best_value = NULL;
 	auth_rule_t current_type;
 	bool found = FALSE;
-	
+
 	enumerator = create_enumerator(this);
 	while (enumerator->enumerate(enumerator, &current_type, &current_value))
 	{
@@ -270,7 +270,7 @@ static void add(private_auth_cfg_t *this, auth_rule_t type, ...)
 {
 	entry_t *entry = malloc_thing(entry_t);
 	va_list args;
-	
+
 	va_start(args, type);
 	entry->type = type;
 	switch (type)
@@ -311,7 +311,7 @@ static bool complies(private_auth_cfg_t *this, auth_cfg_t *constraints,
 	bool success = TRUE;
 	auth_rule_t t1, t2;
 	void *value;
-	
+
 	e1 = constraints->create_enumerator(constraints);
 	while (e1->enumerate(e1, &t1, &value))
 	{
@@ -321,9 +321,9 @@ static bool complies(private_auth_cfg_t *this, auth_cfg_t *constraints,
 			case AUTH_RULE_IM_CERT:
 			{
 				certificate_t *c1, *c2;
-				
+
 				c1 = (certificate_t*)value;
-				
+
 				success = FALSE;
 				e2 = create_enumerator(this);
 				while (e2->enumerate(e2, &t2, &c2))
@@ -345,7 +345,7 @@ static bool complies(private_auth_cfg_t *this, auth_cfg_t *constraints,
 			case AUTH_RULE_SUBJECT_CERT:
 			{
 				certificate_t *c1, *c2;
-				
+
 				c1 = (certificate_t*)value;
 				c2 = get(this, AUTH_RULE_SUBJECT_CERT);
 				if (!c2 || !c1->equals(c1, c2))
@@ -364,7 +364,7 @@ static bool complies(private_auth_cfg_t *this, auth_cfg_t *constraints,
 			case AUTH_RULE_OCSP_VALIDATION:
 			{
 				cert_validation_t validated, required;
-				
+
 				required = (uintptr_t)value;
 				validated = (uintptr_t)get(this, t1);
 				switch (required)
@@ -401,7 +401,7 @@ static bool complies(private_auth_cfg_t *this, auth_cfg_t *constraints,
 			case AUTH_RULE_EAP_IDENTITY:
 			{
 				identification_t *id1, *id2;
-				
+
 				id1 = (identification_t*)value;
 				id2 = get(this, t1);
 				if (!id2 || !id2->matches(id2, id1))
@@ -499,7 +499,7 @@ static void merge(private_auth_cfg_t *this, private_auth_cfg_t *other, bool copy
 		enumerator_t *enumerator;
 		auth_rule_t type;
 		void *value;
-		
+
 		enumerator = create_enumerator(other);
 		while (enumerator->enumerate(enumerator, &type, &value))
 		{
@@ -512,7 +512,7 @@ static void merge(private_auth_cfg_t *this, private_auth_cfg_t *other, bool copy
 				case AUTH_HELPER_SUBJECT_CERT:
 				{
 					certificate_t *cert = (certificate_t*)value;
-					
+
 					add(this, type, cert->get_ref(cert));
 					break;
 				}
@@ -530,7 +530,7 @@ static void merge(private_auth_cfg_t *this, private_auth_cfg_t *other, bool copy
 				case AUTH_RULE_AC_GROUP:
 				{
 					identification_t *id = (identification_t*)value;
-					
+
 					add(this, type, id->clone(id));
 					break;
 				}
@@ -547,7 +547,7 @@ static void merge(private_auth_cfg_t *this, private_auth_cfg_t *other, bool copy
 	else
 	{
 		entry_t *entry;
-		
+
 		while (other->entries->remove_first(other->entries,
 											(void**)&entry) == SUCCESS)
 		{
@@ -564,7 +564,7 @@ static bool equals(private_auth_cfg_t *this, private_auth_cfg_t *other)
 	enumerator_t *e1, *e2;
 	entry_t *i1, *i2;
 	bool equal = TRUE, found;
-	
+
 	if (this->entries->get_count(this->entries) !=
 		other->entries->get_count(other->entries))
 	{
@@ -601,10 +601,10 @@ static bool equals(private_auth_cfg_t *this, private_auth_cfg_t *other)
 					case AUTH_HELPER_SUBJECT_CERT:
 					{
 						certificate_t *c1, *c2;
-						
+
 						c1 = (certificate_t*)i1->value;
 						c2 = (certificate_t*)i2->value;
-						
+
 						if (c1->equals(c1, c2))
 						{
 							found = TRUE;
@@ -617,10 +617,10 @@ static bool equals(private_auth_cfg_t *this, private_auth_cfg_t *other)
 					case AUTH_RULE_AC_GROUP:
 					{
 						identification_t *id1, *id2;
-						
+
 						id1 = (identification_t*)i1->value;
 						id2 = (identification_t*)i2->value;
-						
+
 						if (id1->equals(id1, id2))
 						{
 							found = TRUE;
@@ -660,7 +660,7 @@ static void purge(private_auth_cfg_t *this, bool keep_ca)
 {
 	entry_t *entry;
 	linked_list_t *cas;
-	
+
 	cas = linked_list_create();
 	while (this->entries->remove_last(this->entries, (void**)&entry) == SUCCESS)
 	{
@@ -689,7 +689,7 @@ static auth_cfg_t* clone_(private_auth_cfg_t *this)
 	enumerator_t *enumerator;
 	auth_cfg_t *clone;
 	entry_t *entry;
-	
+
 	clone = auth_cfg_create();
 	enumerator = this->entries->create_enumerator(this->entries);
 	while (enumerator->enumerate(enumerator, &entry))
@@ -749,7 +749,7 @@ static void destroy(private_auth_cfg_t *this)
 auth_cfg_t *auth_cfg_create()
 {
 	private_auth_cfg_t *this = malloc_thing(private_auth_cfg_t);
-	
+
 	this->public.add = (void(*)(auth_cfg_t*, auth_rule_t type, ...))add;
 	this->public.get = (void*(*)(auth_cfg_t*, auth_rule_t type))get;
 	this->public.create_enumerator = (enumerator_t*(*)(auth_cfg_t*))create_enumerator;
@@ -760,9 +760,9 @@ auth_cfg_t *auth_cfg_create()
 	this->public.equals = (bool(*)(auth_cfg_t*, auth_cfg_t *other))equals;
 	this->public.clone = (auth_cfg_t*(*)(auth_cfg_t*))clone_;
 	this->public.destroy = (void(*)(auth_cfg_t*))destroy;
-	
+
 	this->entries = linked_list_create();
-	
+
 	return &this->public;
 }
 
diff --git a/src/charon/config/auth_cfg.h b/src/charon/config/auth_cfg.h
index c6bc1959b..5e6215a4a 100644
--- a/src/charon/config/auth_cfg.h
+++ b/src/charon/config/auth_cfg.h
@@ -41,7 +41,7 @@ typedef enum auth_rule_t auth_rule_t;
  * to transport credentials during the authentication process.
  */
 enum auth_rule_t {
-	
+
 	/** identity to use for IKEv2 authentication exchange, identification_t* */
 	AUTH_RULE_IDENTITY,
 	/** authentication class, auth_class_t */
@@ -64,7 +64,7 @@ enum auth_rule_t {
 	AUTH_RULE_OCSP_VALIDATION,
 	/** subject is in attribute certificate group, identification_t* */
 	AUTH_RULE_AC_GROUP,
-	
+
 	/** intermediate certificate, certificate_t* */
 	AUTH_HELPER_IM_CERT,
 	/** subject certificate, certificate_t* */
@@ -86,7 +86,7 @@ extern enum_name_t *auth_rule_names;
  * RFC4739 defines multiple authentication rounds. This class defines such
  * a round from a configuration perspective, either for the local or the remote
  * peer. Local config are called "rulesets", as they define how we authenticate.
- * Remote peer configs are called "constraits", they define what is needed to 
+ * Remote peer configs are called "constraits", they define what is needed to
  * complete the authentication round successfully.
  *
  * @verbatim
@@ -122,7 +122,7 @@ struct auth_cfg_t {
 	 * @param ...		associated value to rule
 	 */
 	void (*add)(auth_cfg_t *this, auth_rule_t rule, ...);
-	
+
 	/**
 	 * Get an rule value.
 	 *
@@ -130,14 +130,14 @@ struct auth_cfg_t {
 	 * @return			bool if item has been found
 	 */
 	void* (*get)(auth_cfg_t *this, auth_rule_t rule);
-	
+
 	/**
 	 * Create an enumerator over added rules.
 	 *
 	 * @return			enumerator over (auth_rule_t, union{void*,uintpr_t})
 	 */
 	enumerator_t* (*create_enumerator)(auth_cfg_t *this);
-	
+
 	/**
 	 * Replace an rule at enumerator position.
 	 *
@@ -147,7 +147,7 @@ struct auth_cfg_t {
 	 */
 	void (*replace)(auth_cfg_t *this, enumerator_t *pos,
 					auth_rule_t rule, ...);
-	
+
 	/**
 	 * Check if a used config fulfills a set of configured constraints.
 	 *
@@ -156,7 +156,7 @@ struct auth_cfg_t {
 	 * @return				TRUE if this complies with constraints
 	 */
 	bool (*complies)(auth_cfg_t *this, auth_cfg_t *constraints, bool log_error);
-	
+
 	/**
 	 * Merge items from other into this.
 	 *
@@ -164,14 +164,14 @@ struct auth_cfg_t {
 	 * @param copy		TRUE to copy items, FALSE to move them
 	 */
 	void (*merge)(auth_cfg_t *this, auth_cfg_t *other, bool copy);
-	
+
 	/**
 	 * Purge all rules in a config.
 	 *
 	 * @param keep_ca	wheter to keep AUTH_RULE_CA_CERT entries
 	 */
 	void (*purge)(auth_cfg_t *this, bool keep_ca);
-	
+
 	/**
 	 * Check two configs for equality.
 	 *
@@ -179,14 +179,14 @@ struct auth_cfg_t {
 	 * @return			TRUE if auth infos identical
 	 */
 	bool (*equals)(auth_cfg_t *this, auth_cfg_t *other);
-	
+
 	/**
 	 * Clone a authentication config, including all rules.
 	 *
 	 * @return			cloned configuration
 	 */
 	auth_cfg_t* (*clone)(auth_cfg_t *this);
-	
+
 	/**
 	 * Destroy a config with all associated rules/values.
 	 */
diff --git a/src/charon/config/backend_manager.c b/src/charon/config/backend_manager.c
index cfd611858..90ef58563 100644
--- a/src/charon/config/backend_manager.c
+++ b/src/charon/config/backend_manager.c
@@ -16,11 +16,10 @@
 #include "backend_manager.h"
 
 #include <sys/types.h>
-#include <pthread.h>
 
 #include <daemon.h>
 #include <utils/linked_list.h>
-#include <utils/mutex.h>
+#include <threading/rwlock.h>
 
 
 typedef struct private_backend_manager_t private_backend_manager_t;
@@ -34,12 +33,12 @@ struct private_backend_manager_t {
 	 * Public part of backend_manager_t object.
 	 */
 	backend_manager_t public;
-	
+
 	/**
 	 * list of registered backends
 	 */
 	linked_list_t *backends;
-	
+
 	/**
 	 * rwlock for backends
 	 */
@@ -52,7 +51,7 @@ struct private_backend_manager_t {
 typedef enum ike_cfg_match_t {
 	MATCH_NONE  = 0x00,
 	MATCH_ANY   = 0x01,
-	MATCH_ME    = 0x04,
+	MATCH_ME	= 0x04,
 	MATCH_OTHER = 0x08,
 } ike_cfg_match_t;
 
@@ -80,7 +79,7 @@ static ike_cfg_match_t get_ike_match(ike_cfg_t *cand, host_t *me, host_t *other)
 {
 	host_t *me_cand, *other_cand;
 	ike_cfg_match_t match = MATCH_NONE;
-	
+
 	if (me)
 	{
 		me_cand = host_create_from_dns(cand->get_my_addr(cand),
@@ -103,7 +102,7 @@ static ike_cfg_match_t get_ike_match(ike_cfg_t *cand, host_t *me, host_t *other)
 	{
 		match += MATCH_ANY;
 	}
-	
+
 	if (other)
 	{
 		other_cand = host_create_from_dns(cand->get_other_addr(cand),
@@ -132,21 +131,21 @@ static ike_cfg_match_t get_ike_match(ike_cfg_t *cand, host_t *me, host_t *other)
 /**
  * implements backend_manager_t.get_ike_cfg.
  */
-static ike_cfg_t *get_ike_cfg(private_backend_manager_t *this, 
+static ike_cfg_t *get_ike_cfg(private_backend_manager_t *this,
 							  host_t *me, host_t *other)
 {
 	ike_cfg_t *current, *found = NULL;
 	enumerator_t *enumerator;
 	ike_cfg_match_t match, best = MATCH_ANY;
 	ike_data_t *data;
-	
+
 	data = malloc_thing(ike_data_t);
 	data->this = this;
 	data->me = me;
 	data->other = other;
-	
+
 	DBG2(DBG_CFG, "looking for an ike config for %H...%H", me, other);
-	
+
 	this->lock->read_lock(this->lock);
 	enumerator = enumerator_create_nested(
 						this->backends->create_enumerator(this->backends),
@@ -154,11 +153,11 @@ static ike_cfg_t *get_ike_cfg(private_backend_manager_t *this,
 	while (enumerator->enumerate(enumerator, (void**)&current))
 	{
 		match = get_ike_match(current, me, other);
-		
+
 		if (match)
 		{
-			DBG2(DBG_CFG, "  candidate: %s...%s, prio %d", 
-				 current->get_my_addr(current), 
+			DBG2(DBG_CFG, "  candidate: %s...%s, prio %d",
+				 current->get_my_addr(current),
 				 current->get_other_addr(current), match);
 			if (match > best)
 			{
@@ -173,7 +172,7 @@ static ike_cfg_t *get_ike_cfg(private_backend_manager_t *this,
 	this->lock->unlock(this->lock);
 	if (found)
 	{
-		DBG2(DBG_CFG, "found matching ike config: %s...%s with prio %d", 
+		DBG2(DBG_CFG, "found matching ike config: %s...%s with prio %d",
 			 found->get_my_addr(found), found->get_other_addr(found), best);
 	}
 	return found;
@@ -189,12 +188,12 @@ static id_match_t get_peer_match(identification_t *id,
 	auth_cfg_t *auth;
 	identification_t *candidate;
 	id_match_t match = ID_MATCH_NONE;
-	
+
 	if (!id)
 	{
 		return ID_MATCH_ANY;
 	}
-	
+
 	/* compare first auth config only */
 	enumerator = cfg->create_auth_cfg_enumerator(cfg, local);
 	if (enumerator->enumerate(enumerator, &auth))
@@ -269,7 +268,7 @@ static bool peer_enum_filter(linked_list_t *configs,
 static void peer_enum_filter_destroy(linked_list_t *configs)
 {
 	match_entry_t *entry;
-	
+
 	while (configs->remove_last(configs, (void**)&entry) == SUCCESS)
 	{
 		entry->cfg->destroy(entry->cfg);
@@ -285,7 +284,7 @@ static void insert_sorted(match_entry_t *entry, linked_list_t *list,
 						  linked_list_t *helper)
 {
 	match_entry_t *current;
-	
+
 	while (list->remove_first(list, (void**)&current) == SUCCESS)
 	{
 		helper->insert_last(helper, current);
@@ -311,7 +310,7 @@ static void insert_sorted(match_entry_t *entry, linked_list_t *list,
 
 /**
  * Implements backend_manager_t.create_peer_cfg_enumerator.
- */			
+ */
 static enumerator_t *create_peer_cfg_enumerator(private_backend_manager_t *this,
 							host_t *me, host_t *other, identification_t *my_id,
 							identification_t *other_id)
@@ -320,26 +319,26 @@ static enumerator_t *create_peer_cfg_enumerator(private_backend_manager_t *this,
 	peer_data_t *data;
 	peer_cfg_t *cfg;
 	linked_list_t *configs, *helper;
-	
+
 	data = malloc_thing(peer_data_t);
 	data->lock = this->lock;
 	data->me = my_id;
 	data->other = other_id;
-	
+
 	/* create a sorted list with all matches */
 	this->lock->read_lock(this->lock);
 	enumerator = enumerator_create_nested(
 					this->backends->create_enumerator(this->backends),
 					(void*)peer_enum_create, data, (void*)peer_enum_destroy);
-	
+
 	if (!me && !other && !my_id && !other_id)
 	{	/* shortcut if we are doing a "listall" */
 		return enumerator;
 	}
-	
+
 	DBG1(DBG_CFG, "looking for peer configs matching %H[%Y]...%H[%Y]",
 		 me, my_id, other, other_id);
-	
+
 	configs = linked_list_create();
 	/* only once allocated helper list for sorting */
 	helper = linked_list_create();
@@ -348,16 +347,16 @@ static enumerator_t *create_peer_cfg_enumerator(private_backend_manager_t *this,
 		id_match_t match_peer_me, match_peer_other;
 		ike_cfg_match_t match_ike;
 		match_entry_t *entry;
-		
+
 		match_peer_me = get_peer_match(my_id, cfg, TRUE);
 		match_peer_other = get_peer_match(other_id, cfg, FALSE);
 		match_ike = get_ike_match(cfg->get_ike_cfg(cfg), me, other);
-		
+
 		if (match_peer_me && match_peer_other && match_ike)
 		{
 			DBG2(DBG_CFG, "  candidate \"%s\", match: %d/%d/%d (me/other/ike)",
 				 cfg->get_name(cfg), match_peer_me, match_peer_other, match_ike);
-			
+
 			entry = malloc_thing(match_entry_t);
 			entry->match_peer = match_peer_me + match_peer_other;
 			entry->match_ike = match_ike;
@@ -367,7 +366,7 @@ static enumerator_t *create_peer_cfg_enumerator(private_backend_manager_t *this,
 	}
 	enumerator->destroy(enumerator);
 	helper->destroy(helper);
-	
+
 	return enumerator_create_filter(configs->create_enumerator(configs),
 									(void*)peer_enum_filter, configs,
 									(void*)peer_enum_filter_destroy);
@@ -375,13 +374,13 @@ static enumerator_t *create_peer_cfg_enumerator(private_backend_manager_t *this,
 
 /**
  * implements backend_manager_t.get_peer_cfg_by_name.
- */			
+ */
 static peer_cfg_t *get_peer_cfg_by_name(private_backend_manager_t *this, char *name)
 {
 	backend_t *backend;
 	peer_cfg_t *config = NULL;
 	enumerator_t *enumerator;
-	
+
 	this->lock->read_lock(this->lock);
 	enumerator = this->backends->create_enumerator(this->backends);
 	while (config == NULL && enumerator->enumerate(enumerator, (void**)&backend))
@@ -429,17 +428,17 @@ static void destroy(private_backend_manager_t *this)
 backend_manager_t *backend_manager_create()
 {
 	private_backend_manager_t *this = malloc_thing(private_backend_manager_t);
-	
+
 	this->public.get_ike_cfg = (ike_cfg_t* (*)(backend_manager_t*, host_t*, host_t*))get_ike_cfg;
 	this->public.get_peer_cfg_by_name = (peer_cfg_t* (*)(backend_manager_t*,char*))get_peer_cfg_by_name;
 	this->public.create_peer_cfg_enumerator = (enumerator_t* (*)(backend_manager_t*,host_t*,host_t*,identification_t*,identification_t*))create_peer_cfg_enumerator;
 	this->public.add_backend = (void(*)(backend_manager_t*, backend_t *backend))add_backend;
 	this->public.remove_backend = (void(*)(backend_manager_t*, backend_t *backend))remove_backend;
 	this->public.destroy = (void (*)(backend_manager_t*))destroy;
-	
+
 	this->backends = linked_list_create();
 	this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
-	
+
 	return &this->public;
 }
 
diff --git a/src/charon/config/backend_manager.h b/src/charon/config/backend_manager.h
index 0b7d7d0f8..5b394f791 100644
--- a/src/charon/config/backend_manager.h
+++ b/src/charon/config/backend_manager.h
@@ -46,11 +46,11 @@ typedef struct backend_manager_t backend_manager_t;
    |         |----->|           |     +--------------+         |
    |         |      |           |                              |
    +---------+      +-----------+                              |
-   
+
    @endverbatim
  */
 struct backend_manager_t {
-	
+
 	/**
 	 * Get an ike_config identified by two hosts.
 	 *
@@ -58,9 +58,9 @@ struct backend_manager_t {
 	 * @param other_host		address of remote host
 	 * @return					matching ike_config, or NULL if none found
 	 */
-	ike_cfg_t* (*get_ike_cfg)(backend_manager_t *this, 
+	ike_cfg_t* (*get_ike_cfg)(backend_manager_t *this,
 							  host_t *my_host, host_t *other_host);
-	
+
 	/**
 	 * Get a peer_config identified by it's name.
 	 *
@@ -68,7 +68,7 @@ struct backend_manager_t {
 	 * @return					matching peer_config, or NULL if none found
 	 */
 	peer_cfg_t* (*get_peer_cfg_by_name)(backend_manager_t *this, char *name);
-	
+
 	/**
 	 * Create an enumerator over all matching peer configs.
 	 *
@@ -90,14 +90,14 @@ struct backend_manager_t {
 	 * @param backend			backend to register
 	 */
 	void (*add_backend)(backend_manager_t *this, backend_t *backend);
-	
+
 	/**
 	 * Unregister a backend.
 	 *
 	 * @param backend			backend to unregister
 	 */
 	void (*remove_backend)(backend_manager_t *this, backend_t *backend);
-	
+
 	/**
 	 * Destroys a backend_manager_t object.
 	 */
diff --git a/src/charon/config/child_cfg.c b/src/charon/config/child_cfg.c
index 990ee3fd6..8410b3fe5 100644
--- a/src/charon/config/child_cfg.c
+++ b/src/charon/config/child_cfg.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2008-2009 Tobias Brunner
  * Copyright (C) 2005-2007 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
@@ -25,7 +25,7 @@ ENUM(action_names, ACTION_NONE, ACTION_RESTART,
 	"restart",
 );
 
-ENUM_BEGIN(ipcomp_transform_names, IPCOMP_NONE, IPCOMP_NONE, 
+ENUM_BEGIN(ipcomp_transform_names, IPCOMP_NONE, IPCOMP_NONE,
 	"IPCOMP_NONE");
 ENUM_NEXT(ipcomp_transform_names, IPCOMP_OUI, IPCOMP_LZJH, IPCOMP_NONE,
 	"IPCOMP_OUI",
@@ -45,78 +45,72 @@ struct private_child_cfg_t {
 	 * Public part
 	 */
 	child_cfg_t public;
-	
+
 	/**
 	 * Number of references hold by others to this child_cfg
 	 */
 	refcount_t refcount;
-	
+
 	/**
 	 * Name of the child_cfg, used to query it
 	 */
 	char *name;
-	
+
 	/**
 	 * list for all proposals
 	 */
 	linked_list_t *proposals;
-	
+
 	/**
 	 * list for traffic selectors for my site
 	 */
 	linked_list_t *my_ts;
-	
+
 	/**
 	 * list for traffic selectors for others site
 	 */
 	linked_list_t *other_ts;
-	
+
 	/**
 	 * updown script
 	 */
 	char *updown;
-	
+
 	/**
 	 * allow host access
 	 */
 	bool hostaccess;
-	
+
 	/**
 	 * Mode to propose for a initiated CHILD: tunnel/transport
 	 */
 	ipsec_mode_t mode;
-	
+
 	/**
 	 * action to take on DPD
 	 */
 	action_t dpd_action;
-	
+
 	/**
 	 * action to take on CHILD_SA close
 	 */
 	action_t close_action;
-	
-	/**
-	 * Time before an SA gets invalid
-	 */
-	u_int32_t lifetime;
-	
-	/**
-	 * Time before an SA gets rekeyed
-	 */
-	u_int32_t rekeytime;
-	
+
 	/**
-	 * Time, which specifies the range of a random value
-	 * substracted from rekeytime.
+	 * CHILD_SA lifetime config
 	 */
-	u_int32_t jitter;
-	
+	lifetime_cfg_t lifetime;
+
 	/**
 	 * enable IPComp
 	 */
 	bool use_ipcomp;
 
+	/**
+	 * Inactivity timeout
+	 */
+	u_int32_t inactivity;
+
 	/**
 	 * set up IPsec transport SA in MIPv6 proxy mode
 	 */
@@ -152,7 +146,7 @@ static linked_list_t* get_proposals(private_child_cfg_t *this, bool strip_dh)
 	enumerator_t *enumerator;
 	proposal_t *current;
 	linked_list_t *proposals = linked_list_create();
-	
+
 	enumerator = this->proposals->create_enumerator(this->proposals);
 	while (enumerator->enumerate(enumerator, &current))
 	{
@@ -164,7 +158,7 @@ static linked_list_t* get_proposals(private_child_cfg_t *this, bool strip_dh)
 		proposals->insert_last(proposals, current);
 	}
 	enumerator->destroy(enumerator);
-	
+
 	return proposals;
 }
 
@@ -172,14 +166,15 @@ static linked_list_t* get_proposals(private_child_cfg_t *this, bool strip_dh)
  * Implementation of child_cfg_t.select_proposal.
  */
 static proposal_t* select_proposal(private_child_cfg_t*this,
-								   linked_list_t *proposals, bool strip_dh)
+								   linked_list_t *proposals, bool strip_dh,
+								   bool private)
 {
 	enumerator_t *stored_enum, *supplied_enum;
 	proposal_t *stored, *supplied, *selected = NULL;
-	
+
 	stored_enum = this->proposals->create_enumerator(this->proposals);
 	supplied_enum = proposals->create_enumerator(proposals);
-	
+
 	/* compare all stored proposals with all supplied. Stored ones are preferred. */
 	while (stored_enum->enumerate(stored_enum, &stored))
 	{
@@ -190,7 +185,7 @@ static proposal_t* select_proposal(private_child_cfg_t*this,
 			{
 				stored->strip_dh(stored);
 			}
-			selected = stored->select(stored, supplied);
+			selected = stored->select(stored, supplied, private);
 			if (selected)
 			{
 				DBG2(DBG_CFG, "received proposals: %#P", proposals);
@@ -205,7 +200,7 @@ static proposal_t* select_proposal(private_child_cfg_t*this,
 			break;
 		}
 		supplied_enum->destroy(supplied_enum);
-		supplied_enum = proposals->create_enumerator(proposals);	
+		supplied_enum = proposals->create_enumerator(proposals);
 	}
 	stored_enum->destroy(stored_enum);
 	supplied_enum->destroy(supplied_enum);
@@ -243,7 +238,7 @@ static linked_list_t* get_traffic_selectors(private_child_cfg_t *this, bool loca
 	enumerator_t *e1, *e2;
 	traffic_selector_t *ts1, *ts2, *selected;
 	linked_list_t *result = linked_list_create();
-	
+
 	if (local)
 	{
 		e1 = this->my_ts->create_enumerator(this->my_ts);
@@ -252,11 +247,11 @@ static linked_list_t* get_traffic_selectors(private_child_cfg_t *this, bool loca
 	{
 		e1 = this->other_ts->create_enumerator(this->other_ts);
 	}
-	
+
 	/* no list supplied, just fetch the stored traffic selectors */
 	if (supplied == NULL)
 	{
-		DBG2(DBG_CFG, "proposing traffic selectors for %s:", 
+		DBG2(DBG_CFG, "proposing traffic selectors for %s:",
 			 local ? "us" : "other");
 		while (e1->enumerate(e1, &ts1))
 		{
@@ -273,7 +268,7 @@ static linked_list_t* get_traffic_selectors(private_child_cfg_t *this, bool loca
 	}
 	else
 	{
-		DBG2(DBG_CFG, "selecting traffic selectors for %s:", 
+		DBG2(DBG_CFG, "selecting traffic selectors for %s:",
 			 local ? "us" : "other");
 		e2 = supplied->create_enumerator(supplied);
 		/* iterate over all stored selectors */
@@ -285,7 +280,7 @@ static linked_list_t* get_traffic_selectors(private_child_cfg_t *this, bool loca
 			{
 				ts1->set_address(ts1, host);
 			}
-			
+
 			/* iterate over all supplied traffic selectors */
 			while (e2->enumerate(e2, &ts2))
 			{
@@ -309,7 +304,7 @@ static linked_list_t* get_traffic_selectors(private_child_cfg_t *this, bool loca
 		e1->destroy(e1);
 		e2->destroy(e2);
 	}
-	
+
 	/* remove any redundant traffic selectors in the list */
 	e1 = result->create_enumerator(result);
 	e2 = result->create_enumerator(result);
@@ -340,7 +335,7 @@ static linked_list_t* get_traffic_selectors(private_child_cfg_t *this, bool loca
 	}
 	e1->destroy(e1);
 	e2->destroy(e2);
-	
+
 	return result;
 }
 
@@ -361,19 +356,32 @@ static bool get_hostaccess(private_child_cfg_t *this)
 }
 
 /**
- * Implementation of child_cfg_t.get_lifetime.
+ * Applies jitter to the rekey value. Returns the new rekey value.
+ * Note: The distribution of random values is not perfect, but it
+ * should get the job done.
  */
-static u_int32_t get_lifetime(private_child_cfg_t *this, bool rekey)
+static u_int64_t apply_jitter(u_int64_t rekey, u_int64_t jitter)
 {
-	if (rekey)
+	if (jitter == 0)
 	{
-		if (this->jitter == 0)
-		{
-			return this->rekeytime;
-		}
-		return this->rekeytime - (random() % this->jitter);
+		return rekey;
 	}
-	return this->lifetime;
+	jitter = (jitter == UINT64_MAX) ? jitter : jitter + 1;
+	return rekey - jitter * (random() / (RAND_MAX + 1.0));
+}
+#define APPLY_JITTER(l) l.rekey = apply_jitter(l.rekey, l.jitter)
+
+/**
+ * Implementation of child_cfg_t.get_lifetime.
+ */
+static lifetime_cfg_t *get_lifetime(private_child_cfg_t *this)
+{
+	lifetime_cfg_t *lft = malloc_thing(lifetime_cfg_t);
+	memcpy(lft, &this->lifetime, sizeof(lifetime_cfg_t));
+	APPLY_JITTER(lft->time);
+	APPLY_JITTER(lft->bytes);
+	APPLY_JITTER(lft->packets);
+	return lft;
 }
 
 /**
@@ -408,7 +416,7 @@ static diffie_hellman_group_t get_dh_group(private_child_cfg_t *this)
 	enumerator_t *enumerator;
 	proposal_t *proposal;
 	u_int16_t dh_group = MODP_NONE;
-	
+
 	enumerator = this->proposals->create_enumerator(this->proposals);
 	while (enumerator->enumerate(enumerator, &proposal))
 	{
@@ -429,6 +437,14 @@ static bool use_ipcomp(private_child_cfg_t *this)
 	return this->use_ipcomp;
 }
 
+/**
+ * Implementation of child_cfg_t.get_inactivity.
+ */
+static u_int32_t get_inactivity(private_child_cfg_t *this)
+{
+	return this->inactivity;
+}
+
 /**
  * Implementation of child_cfg_t.set_mipv6_options.
  */
@@ -486,10 +502,11 @@ static void destroy(private_child_cfg_t *this)
 /*
  * Described in header-file
  */
-child_cfg_t *child_cfg_create(char *name, u_int32_t lifetime,
-							  u_int32_t rekeytime, u_int32_t jitter,
-							  char *updown, bool hostaccess, ipsec_mode_t mode,
-							  action_t dpd_action, action_t close_action, bool ipcomp)
+child_cfg_t *child_cfg_create(char *name, lifetime_cfg_t *lifetime,
+							  char *updown, bool hostaccess,
+							  ipsec_mode_t mode, action_t dpd_action,
+							  action_t close_action, bool ipcomp,
+							  u_int32_t inactivity)
 {
 	private_child_cfg_t *this = malloc_thing(private_child_cfg_t);
 
@@ -498,37 +515,37 @@ child_cfg_t *child_cfg_create(char *name, u_int32_t lifetime,
 	this->public.get_traffic_selectors = (linked_list_t*(*)(child_cfg_t*,bool,linked_list_t*,host_t*))get_traffic_selectors;
 	this->public.add_proposal = (void (*) (child_cfg_t*,proposal_t*))add_proposal;
 	this->public.get_proposals = (linked_list_t* (*) (child_cfg_t*,bool))get_proposals;
-	this->public.select_proposal = (proposal_t* (*) (child_cfg_t*,linked_list_t*,bool))select_proposal;
+	this->public.select_proposal = (proposal_t* (*) (child_cfg_t*,linked_list_t*,bool,bool))select_proposal;
 	this->public.get_updown = (char* (*) (child_cfg_t*))get_updown;
 	this->public.get_hostaccess = (bool (*) (child_cfg_t*))get_hostaccess;
 	this->public.get_mode = (ipsec_mode_t (*) (child_cfg_t *))get_mode;
 	this->public.get_dpd_action = (action_t (*) (child_cfg_t *))get_dpd_action;
 	this->public.get_close_action = (action_t (*) (child_cfg_t *))get_close_action;
-	this->public.get_lifetime = (u_int32_t (*) (child_cfg_t *,bool))get_lifetime;
+	this->public.get_lifetime = (lifetime_cfg_t* (*) (child_cfg_t *))get_lifetime;
 	this->public.get_dh_group = (diffie_hellman_group_t(*)(child_cfg_t*)) get_dh_group;
 	this->public.set_mipv6_options = (void (*) (child_cfg_t*,bool,bool))set_mipv6_options;
 	this->public.use_ipcomp = (bool (*) (child_cfg_t *))use_ipcomp;
+	this->public.get_inactivity = (u_int32_t (*) (child_cfg_t *))get_inactivity;
 	this->public.use_proxy_mode = (bool (*) (child_cfg_t *))use_proxy_mode;
 	this->public.install_policy = (bool (*) (child_cfg_t *))install_policy;
 	this->public.get_ref = (child_cfg_t* (*) (child_cfg_t*))get_ref;
 	this->public.destroy = (void (*) (child_cfg_t*))destroy;
-	
+
 	this->name = strdup(name);
-	this->lifetime = lifetime;
-	this->rekeytime = rekeytime;
-	this->jitter = jitter;
 	this->updown = updown ? strdup(updown) : NULL;
 	this->hostaccess = hostaccess;
 	this->mode = mode;
 	this->dpd_action = dpd_action;
 	this->close_action = close_action;
-	this->use_ipcomp = ipcomp; 
+	this->use_ipcomp = ipcomp;
+	this->inactivity = inactivity;
 	this->proxy_mode = FALSE;
-	this->install_policy = TRUE; 
+	this->install_policy = TRUE;
 	this->refcount = 1;
 	this->proposals = linked_list_create();
 	this->my_ts = linked_list_create();
 	this->other_ts = linked_list_create();
+	memcpy(&this->lifetime, lifetime, sizeof(lifetime_cfg_t));
 
 	return &this->public;
 }
diff --git a/src/charon/config/child_cfg.h b/src/charon/config/child_cfg.h
index 33c75701c..c6186ea36 100644
--- a/src/charon/config/child_cfg.h
+++ b/src/charon/config/child_cfg.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2008-2009 Tobias Brunner
  * Copyright (C) 2005-2007 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
@@ -25,11 +25,12 @@
 
 typedef enum action_t action_t;
 typedef enum ipcomp_transform_t ipcomp_transform_t;
+typedef struct lifetime_cfg_t lifetime_cfg_t;
 typedef struct child_cfg_t child_cfg_t;
 
 #include <library.h>
+#include <selectors/traffic_selector.h>
 #include <config/proposal.h>
-#include <config/traffic_selector.h>
 #include <kernel/kernel_ipsec.h>
 
 /**
@@ -65,74 +66,91 @@ enum ipcomp_transform_t {
  */
 extern enum_name_t *ipcomp_transform_names;
 
+/**
+ * A lifetime_cfg_t defines the lifetime limits of a CHILD_SA.
+ *
+ * Set any of these values to 0 to ignore.
+ */
+struct lifetime_cfg_t {
+	struct {
+		/** Limit before the CHILD_SA gets invalid. */
+		u_int64_t	life;
+		/** Limit before the CHILD_SA gets rekeyed. */
+		u_int64_t	rekey;
+		/** The range of a random value subtracted from rekey. */
+		u_int64_t	jitter;
+	} time, bytes, packets;
+};
+
 /**
  * A child_cfg_t defines the config template for a CHILD_SA.
  *
  * After creation, proposals and traffic selectors may be added to the config.
  * A child_cfg object is referenced multiple times, and is not thread save.
  * Reading from the object is save, adding things is not allowed while other
- * threads may access the object. 
+ * threads may access the object.
  * A reference counter handles the number of references hold to this config.
  *
  * @see peer_cfg_t to get an overview over the configurations.
  */
 struct child_cfg_t {
-	
+
 	/**
 	 * Get the name of the child_cfg.
-	 * 
+	 *
 	 * @return				child_cfg's name
 	 */
 	char *(*get_name) (child_cfg_t *this);
-	
+
 	/**
-	 * Add a proposal to the list. 
-	 * 
+	 * Add a proposal to the list.
+	 *
 	 * The proposals are stored by priority, first added
 	 * is the most prefered.
 	 * After add, proposal is owned by child_cfg.
-	 * 
+	 *
 	 * @param proposal		proposal to add
 	 */
 	void (*add_proposal) (child_cfg_t *this, proposal_t *proposal);
-	
+
 	/**
 	 * Get the list of proposals for the CHILD_SA.
 	 *
 	 * Resulting list and all of its proposals must be freed after use.
-	 * 
+	 *
 	 * @param strip_dh		TRUE strip out diffie hellman groups
 	 * @return				list of proposals
 	 */
 	linked_list_t* (*get_proposals)(child_cfg_t *this, bool strip_dh);
-	
+
 	/**
 	 * Select a proposal from a supplied list.
 	 *
 	 * Returned propsal is newly created and must be destroyed after usage.
-	 * 
+	 *
 	 * @param proposals		list from from wich proposals are selected
 	 * @param strip_dh		TRUE strip out diffie hellman groups
+	 * @param private		accept algorithms from a private range
 	 * @return				selected proposal, or NULL if nothing matches
 	 */
 	proposal_t* (*select_proposal)(child_cfg_t*this, linked_list_t *proposals,
-								   bool strip_dh);
-	
+								   bool strip_dh, bool private);
+
 	/**
 	 * Add a traffic selector to the config.
-	 * 
+	 *
 	 * Use the "local" parameter to add it for the local or the remote side.
 	 * After add, traffic selector is owned by child_cfg.
-	 * 
+	 *
 	 * @param local			TRUE for local side, FALSE for remote
 	 * @param ts			traffic_selector to add
 	 */
 	void (*add_traffic_selector)(child_cfg_t *this, bool local,
 								 traffic_selector_t *ts);
-	
+
 	/**
 	 * Get a list of traffic selectors to use for the CHILD_SA.
-	 * 
+	 *
 	 * The config contains two set of traffic selectors, one for the local
 	 * side, one for the remote side.
 	 * If a list with traffic selectors is supplied, these are used to narrow
@@ -141,7 +159,7 @@ struct child_cfg_t {
 	 * to a specific address (host-to-host or virtual-IP setups). Use
 	 * the "host" parameter to narrow such traffic selectors to that address.
 	 * Resulted list and its traffic selectors must be destroyed after use.
-	 * 
+	 *
 	 * @param local			TRUE for TS on local side, FALSE for remote
 	 * @param supplied		list with TS to select from, or NULL
 	 * @param host			address to use for narrowing "dynamic" TS', or NULL
@@ -152,74 +170,77 @@ struct child_cfg_t {
 											host_t *host);
 	/**
 	 * Get the updown script to run for the CHILD_SA.
-	 * 
+	 *
 	 * @return				path to updown script
 	 */
 	char* (*get_updown)(child_cfg_t *this);
-	
+
 	/**
 	 * Should we allow access to the local host (gateway)?
-	 * 
+	 *
 	 * @return				value of hostaccess flag
 	 */
 	bool (*get_hostaccess) (child_cfg_t *this);
 
 	/**
-	 * Get the lifetime of a CHILD_SA.
+	 * Get the lifetime configuration of a CHILD_SA.
+	 *
+	 * The rekey limits automatically contain a jitter to avoid simultaneous
+	 * rekeying. These values will change with each call to this function.
 	 *
-	 * If "rekey" is set to TRUE, a lifetime is returned before the first
-	 * rekeying should be started. If it is FALSE, the actual lifetime is
-	 * returned when the CHILD_SA must be deleted.
-	 * The rekey time automatically contains a jitter to avoid simlutaneous
-	 * rekeying.
-	 * 
-	 * @param rekey			TRUE to get rekey time
-	 * @return				lifetime in seconds
+	 * @return				lifetime_cfg_t (has to be freed)
 	 */
-	u_int32_t (*get_lifetime) (child_cfg_t *this, bool rekey);
-	
+	lifetime_cfg_t* (*get_lifetime) (child_cfg_t *this);
+
 	/**
 	 * Get the mode to use for the CHILD_SA.
 	 *
 	 * The mode is either tunnel, transport or BEET. The peer must agree
 	 * on the method, fallback is tunnel mode.
-	 * 
+	 *
 	 * @return				ipsec mode
 	 */
 	ipsec_mode_t (*get_mode) (child_cfg_t *this);
-	
+
 	/**
 	 * Action to take on DPD.
 	 *
 	 * @return				DPD action
-	 */	
+	 */
 	action_t (*get_dpd_action) (child_cfg_t *this);
-	
+
 	/**
 	 * Action to take if CHILD_SA gets closed.
 	 *
 	 * @return				close action
-	 */	
+	 */
 	action_t (*get_close_action) (child_cfg_t *this);
-	
+
 	/**
 	 * Get the DH group to use for CHILD_SA setup.
-	 * 
+	 *
 	 * @return				dh group to use
 	 */
 	diffie_hellman_group_t (*get_dh_group)(child_cfg_t *this);
-	
+
 	/**
 	 * Check whether IPComp should be used, if the other peer supports it.
-	 * 
+	 *
 	 * @return				TRUE, if IPComp should be used
 	 * 						FALSE, otherwise
 	 */
 	bool (*use_ipcomp)(child_cfg_t *this);
 
+	/**
+	 * Get the inactivity timeout value.
+	 *
+	 * @return				inactivity timeout in s
+	 */
+	u_int32_t (*get_inactivity)(child_cfg_t *this);
+
 	/**
 	 * Sets two options needed for Mobile IPv6 interoperability
-	 * 
+	 *
 	 * @param proxy_mode	use IPsec transport proxy mode (default FALSE)
 	 * @param install_policy install IPsec kernel policies (default TRUE)
 	 */
@@ -228,27 +249,27 @@ struct child_cfg_t {
 
 	/**
 	 * Check whether IPsec transport SA should be set up in proxy mode
-	 * 
+	 *
 	 * @return				TRUE, if proxy mode should be used
 	 * 						FALSE, otherwise
 	 */
 	bool (*use_proxy_mode)(child_cfg_t *this);
-	
+
 	/**
 	 * Check whether IPsec policies should be installed in the kernel
-	 * 
+	 *
 	 * @return				TRUE, if IPsec kernel policies should be installed
 	 * 						FALSE, otherwise
 	 */
 	bool (*install_policy)(child_cfg_t *this);
-	
+
 	/**
 	 * Increase the reference count.
 	 *
 	 * @return				reference to this
 	 */
 	child_cfg_t* (*get_ref) (child_cfg_t *this);
-	
+
 	/**
 	 * Destroys the child_cfg object.
 	 *
@@ -260,29 +281,30 @@ struct child_cfg_t {
 
 /**
  * Create a configuration template for CHILD_SA setup.
- * 
+ *
  * The "name" string gets cloned.
- * Lifetimes are in seconds. To prevent to peers to start rekeying at the
- * same time, a jitter may be specified. Rekeying of an SA starts at
- * (rekeytime - random(0, jitter)). You should specify
- * lifetime > rekeytime > jitter.
+ *
+ * The lifetime_cfg_t object gets cloned.
+ * To prevent two peers to start rekeying at the same time, a jitter may be
+ * specified. Rekeying of an SA starts at (x.rekey - random(0, x.jitter)).
+ *
  * After a call to create, a reference is obtained (refcount = 1).
- * 
+ *
  * @param name				name of the child_cfg
- * @param lifetime			lifetime after CHILD_SA expires and gets deleted
- * @param rekeytime			time when rekeying should be initiated
- * @param jitter			range of randomization time to remove from rekeytime
+ * @param lifetime			lifetime_cfg_t for this child_cfg
  * @param updown			updown script to execute on up/down event
  * @param hostaccess		TRUE to allow access to the local host
  * @param mode				mode to propose for CHILD_SA, transport, tunnel or BEET
  * @param dpd_action		DPD action
  * @param close_action		close action
  * @param ipcomp			use IPComp, if peer supports it
+ * @param inactivity		inactivity timeout in s before closing a CHILD_SA
  * @return 					child_cfg_t object
  */
-child_cfg_t *child_cfg_create(char *name, u_int32_t lifetime,
-							  u_int32_t rekeytime, u_int32_t jitter,
-							  char *updown, bool hostaccess, ipsec_mode_t mode,
-							  action_t dpd_action, action_t close_action, bool ipcomp);
+child_cfg_t *child_cfg_create(char *name, lifetime_cfg_t *lifetime,
+							  char *updown, bool hostaccess,
+							  ipsec_mode_t mode, action_t dpd_action,
+							  action_t close_action, bool ipcomp,
+							  u_int32_t inactivity);
 
 #endif /** CHILD_CFG_H_ @}*/
diff --git a/src/charon/config/ike_cfg.c b/src/charon/config/ike_cfg.c
index e80ab577e..2e748f511 100644
--- a/src/charon/config/ike_cfg.c
+++ b/src/charon/config/ike_cfg.c
@@ -32,7 +32,7 @@ struct private_ike_cfg_t {
 	 * Public part
 	 */
 	ike_cfg_t public;
-	
+
 	/**
 	 * Number of references hold by others to this ike_cfg
 	 */
@@ -45,19 +45,19 @@ struct private_ike_cfg_t {
 
 	/**
 	 * Address of remote host
-	 */	
+	 */
 	char *other;
-	
+
 	/**
 	 * should we send a certificate request?
 	 */
 	bool certreq;
-	
+
 	/**
 	 * enforce UDP encapsulation
 	 */
 	bool force_encap;
-	
+
 	/**
 	 * List of proposals to use
 	 */
@@ -71,7 +71,7 @@ static bool send_certreq(private_ike_cfg_t *this)
 {
 	return this->certreq;
 }
-	
+
 /**
  * Implementation of ike_cfg_t.force_encap.
  */
@@ -112,7 +112,7 @@ static linked_list_t* get_proposals(private_ike_cfg_t *this)
 	iterator_t *iterator;
 	proposal_t *current;
 	linked_list_t *proposals = linked_list_create();
-	
+
 	iterator = this->proposals->create_iterator(this->proposals, TRUE);
 	while (iterator->iterate(iterator, (void**)&current))
 	{
@@ -120,31 +120,31 @@ static linked_list_t* get_proposals(private_ike_cfg_t *this)
 		proposals->insert_last(proposals, (void*)current);
 	}
 	iterator->destroy(iterator);
-	
+
 	return proposals;
 }
-	
+
 /**
  * Implementation of ike_cfg_t.select_proposal.
  */
 static proposal_t *select_proposal(private_ike_cfg_t *this,
-								   linked_list_t *proposals)
+								   linked_list_t *proposals, bool private)
 {
 	iterator_t *stored_iter, *supplied_iter;
 	proposal_t *stored, *supplied, *selected;
-	
+
 	stored_iter = this->proposals->create_iterator(this->proposals, TRUE);
 	supplied_iter = proposals->create_iterator(proposals, TRUE);
-	
-	
+
+
 	/* compare all stored proposals with all supplied. Stored ones are preferred.*/
 	while (stored_iter->iterate(stored_iter, (void**)&stored))
 	{
 		supplied_iter->reset(supplied_iter);
-		
+
 		while (supplied_iter->iterate(supplied_iter, (void**)&supplied))
 		{
-			selected = stored->select(stored, supplied);
+			selected = stored->select(stored, supplied, private);
 			if (selected)
 			{
 				/* they match, return */
@@ -162,7 +162,7 @@ static proposal_t *select_proposal(private_ike_cfg_t *this,
 	supplied_iter->destroy(supplied_iter);
 	DBG1(DBG_CFG, "received proposals: %#P", proposals);
 	DBG1(DBG_CFG, "configured proposals: %#P", this->proposals);
-	
+
 	return NULL;
 }
 
@@ -174,7 +174,7 @@ static diffie_hellman_group_t get_dh_group(private_ike_cfg_t *this)
 	enumerator_t *enumerator;
 	proposal_t *proposal;
 	u_int16_t dh_group = MODP_NONE;
-	
+
 	enumerator = this->proposals->create_enumerator(this->proposals);
 	while (enumerator->enumerate(enumerator, &proposal))
 	{
@@ -195,7 +195,7 @@ static bool equals(private_ike_cfg_t *this, private_ike_cfg_t *other)
 	enumerator_t *e1, *e2;
 	proposal_t *p1, *p2;
 	bool eq = TRUE;
-	
+
 	if (this == other)
 	{
 		return TRUE;
@@ -260,7 +260,7 @@ ike_cfg_t *ike_cfg_create(bool certreq, bool force_encap,
 						  char *me, char *other)
 {
 	private_ike_cfg_t *this = malloc_thing(private_ike_cfg_t);
-	
+
 	/* public functions */
 	this->public.send_certreq = (bool(*)(ike_cfg_t*))send_certreq;
 	this->public.force_encap = (bool (*) (ike_cfg_t *))force_encap_meth;
@@ -268,12 +268,12 @@ ike_cfg_t *ike_cfg_create(bool certreq, bool force_encap,
 	this->public.get_other_addr = (char*(*)(ike_cfg_t*))get_other_addr;
 	this->public.add_proposal = (void(*)(ike_cfg_t*, proposal_t*)) add_proposal;
 	this->public.get_proposals = (linked_list_t*(*)(ike_cfg_t*))get_proposals;
-	this->public.select_proposal = (proposal_t*(*)(ike_cfg_t*,linked_list_t*))select_proposal;
+	this->public.select_proposal = (proposal_t*(*)(ike_cfg_t*,linked_list_t*,bool))select_proposal;
 	this->public.get_dh_group = (diffie_hellman_group_t(*)(ike_cfg_t*)) get_dh_group;
 	this->public.equals = (bool(*)(ike_cfg_t*,ike_cfg_t*)) equals;
 	this->public.get_ref = (ike_cfg_t*(*)(ike_cfg_t*))get_ref;
 	this->public.destroy = (void(*)(ike_cfg_t*))destroy;
-	
+
 	/* private variables */
 	this->refcount = 1;
 	this->certreq = certreq;
@@ -281,6 +281,6 @@ ike_cfg_t *ike_cfg_create(bool certreq, bool force_encap,
 	this->me = strdup(me);
 	this->other = strdup(other);
 	this->proposals = linked_list_create();
-	
+
 	return &this->public;
 }
diff --git a/src/charon/config/ike_cfg.h b/src/charon/config/ike_cfg.h
index 064906423..eaac321b9 100644
--- a/src/charon/config/ike_cfg.h
+++ b/src/charon/config/ike_cfg.h
@@ -37,71 +37,73 @@ typedef struct ike_cfg_t ike_cfg_t;
  * @see peer_cfg_t to get an overview over the configurations.
  */
 struct ike_cfg_t {
-	
+
 	/**
 	 * Get own address.
-	 * 
+	 *
 	 * @return		string of address/DNS name
 	 */
 	char* (*get_my_addr) (ike_cfg_t *this);
 
 	/**
 	 * Get peers address.
-	 * 
+	 *
 	 * @return		string of address/DNS name
 	 */
 	char* (*get_other_addr) (ike_cfg_t *this);
-	
+
 	/**
 	 * Adds a proposal to the list.
-	 * 
+	 *
 	 * The first added proposal has the highest priority, the last
 	 * added the lowest.
-	 * 
+	 *
 	 * @param proposal	proposal to add
 	 */
 	void (*add_proposal) (ike_cfg_t *this, proposal_t *proposal);
-	
+
 	/**
 	 * Returns a list of all supported proposals.
-	 * 
+	 *
 	 * Returned list and its proposals must be destroyed after use.
-	 * 
+	 *
 	 * @return 			list containing all the proposals
 	 */
 	linked_list_t* (*get_proposals) (ike_cfg_t *this);
-	
+
 	/**
 	 * Select a proposed from suggested proposals.
-	 * 
+	 *
 	 * Returned proposal must be destroyed after use.
-	 * 
+	 *
 	 * @param proposals	list of proposals to select from
+	 * @param private	accept algorithms from a private range
 	 * @return			selected proposal, or NULL if none matches.
 	 */
-	proposal_t *(*select_proposal) (ike_cfg_t *this, linked_list_t *proposals);
-	
+	proposal_t *(*select_proposal) (ike_cfg_t *this, linked_list_t *proposals,
+									bool private);
+
 	/**
 	 * Should we send a certificate request in IKE_SA_INIT?
 	 *
 	 * @return			certificate request sending policy
 	 */
 	bool (*send_certreq) (ike_cfg_t *this);
-	
+
 	/**
 	 * Enforce UDP encapsulation by faking NATD notifies?
-	 * 
+	 *
 	 * @return			TRUE to enfoce UDP encapsulation
 	 */
 	bool (*force_encap) (ike_cfg_t *this);
-	
+
 	/**
 	 * Get the DH group to use for IKE_SA setup.
-	 * 
+	 *
 	 * @return			dh group to use for initialization
 	 */
 	diffie_hellman_group_t (*get_dh_group)(ike_cfg_t *this);
-	
+
 	/**
 	 * Check if two IKE configs are equal.
 	 *
@@ -109,17 +111,17 @@ struct ike_cfg_t {
 	 * @return			TRUE if other equal to this
 	 */
 	bool (*equals)(ike_cfg_t *this, ike_cfg_t *other);
-	
+
 	/**
 	 * Increase reference count.
 	 *
 	 * @return			reference to this
 	 */
 	ike_cfg_t* (*get_ref) (ike_cfg_t *this);
-	
+
 	/**
 	 * Destroys a ike_cfg_t object.
-	 * 
+	 *
 	 * Decrements the internal reference counter and
 	 * destroys the ike_cfg when it reaches zero.
 	 */
@@ -137,7 +139,7 @@ struct ike_cfg_t {
  * @param other			address/DNS name of remote peer
  * @return 				ike_cfg_t object.
  */
-ike_cfg_t *ike_cfg_create(bool certreq, bool force_encap, 
+ike_cfg_t *ike_cfg_create(bool certreq, bool force_encap,
 						  char *me, char *other);
 
 #endif /** IKE_CFG_H_ @}*/
diff --git a/src/charon/config/peer_cfg.c b/src/charon/config/peer_cfg.c
index f096f269e..9df14c9ae 100644
--- a/src/charon/config/peer_cfg.c
+++ b/src/charon/config/peer_cfg.c
@@ -21,7 +21,7 @@
 
 #include <daemon.h>
 
-#include <utils/mutex.h>
+#include <threading/mutex.h>
 #include <utils/linked_list.h>
 #include <utils/identification.h>
 
@@ -48,113 +48,113 @@ struct private_peer_cfg_t {
 	 * Public part
 	 */
 	peer_cfg_t public;
-	
+
 	/**
 	 * Number of references hold by others to this peer_cfg
 	 */
 	refcount_t refcount;
-	
+
 	/**
 	 * Name of the peer_cfg, used to query it
 	 */
 	char *name;
-	
+
 	/**
 	 * IKE version to use for initiation
 	 */
 	u_int ike_version;
-	
+
 	/**
 	 * IKE config associated to this peer config
 	 */
 	ike_cfg_t *ike_cfg;
-	
+
 	/**
 	 * list of child configs associated to this peer config
 	 */
 	linked_list_t *child_cfgs;
-	
+
 	/**
 	 * mutex to lock access to list of child_cfgs
 	 */
 	mutex_t *mutex;
-	
+
 	/**
 	 * should we send a certificate
 	 */
 	cert_policy_t cert_policy;
-	
+
 	/**
 	 * uniqueness of an IKE_SA
 	 */
 	unique_policy_t unique;
-	
+
 	/**
 	 * number of tries after giving up if peer does not respond
 	 */
 	u_int32_t keyingtries;
-	
+
 	/**
 	 * enable support for MOBIKE
 	 */
 	bool use_mobike;
-	
+
 	/**
 	 * Time before starting rekeying
 	 */
 	u_int32_t rekey_time;
-	
+
 	/**
 	 * Time before starting reauthentication
 	 */
 	u_int32_t reauth_time;
-	
+
 	/**
 	 * Time, which specifies the range of a random value substracted from above.
 	 */
 	u_int32_t jitter_time;
-	
+
 	/**
 	 * Delay before deleting a rekeying/reauthenticating SA
 	 */
 	u_int32_t over_time;
-	
+
 	/**
 	 * DPD check intervall
 	 */
 	u_int32_t dpd;
-	
+
 	/**
 	 * virtual IP to use locally
 	 */
 	host_t *virtual_ip;
-	
+
 	/**
 	 * pool to acquire configuration attributes from
 	 */
 	char *pool;
-	
+
 	/**
 	 * local authentication configs (rulesets)
 	 */
 	linked_list_t *local_auth;
-	
+
 	/**
 	 * remote authentication configs (constraints)
 	 */
 	linked_list_t *remote_auth;
-	
-#ifdef ME	
+
+#ifdef ME
 	/**
 	 * Is this a mediation connection?
 	 */
 	bool mediation;
-	
+
 	/**
 	 * Name of the mediation connection to mediate through
 	 */
 	peer_cfg_t *mediated_by;
-	
+
 	/**
 	 * ID of our peer at the mediation server (= leftid of the peer's conn with
 	 * the mediation server)
@@ -239,12 +239,12 @@ static bool child_cfg_enumerate(child_cfg_enumerator_t *this, child_cfg_t **chd)
 static enumerator_t* create_child_cfg_enumerator(private_peer_cfg_t *this)
 {
 	child_cfg_enumerator_t *enumerator = malloc_thing(child_cfg_enumerator_t);
-	
+
 	enumerator->public.enumerate = (void*)child_cfg_enumerate;
 	enumerator->public.destroy = (void*)child_cfg_enumerator_destroy;
 	enumerator->mutex = this->mutex;
 	enumerator->wrapped = this->child_cfgs->create_enumerator(this->child_cfgs);
-	
+
 	this->mutex->lock(this->mutex);
 	return &enumerator->public;
 }
@@ -259,13 +259,13 @@ static int get_ts_match(child_cfg_t *cfg, bool local,
 	enumerator_t *sup_enum, *cfg_enum;
 	traffic_selector_t *sup_ts, *cfg_ts;
 	int match = 0, round;
-	
+
 	/* fetch configured TS list, narrowing dynamic TS */
 	cfg_list = cfg->get_traffic_selectors(cfg, local, NULL, host);
-	
+
 	/* use a round counter to rate leading TS with higher priority */
 	round = sup_list->get_count(sup_list);
-	
+
 	sup_enum = sup_list->create_enumerator(sup_list);
 	while (sup_enum->enumerate(sup_enum, &sup_ts))
 	{
@@ -286,9 +286,9 @@ static int get_ts_match(child_cfg_t *cfg, bool local,
 		round--;
 	}
 	sup_enum->destroy(sup_enum);
-	
+
 	cfg_list->destroy_offset(cfg_list, offsetof(traffic_selector_t, destroy));
-	
+
 	return match;
 }
 
@@ -303,16 +303,16 @@ static child_cfg_t* select_child_cfg(private_peer_cfg_t *this,
 	child_cfg_t *current, *found = NULL;
 	enumerator_t *enumerator;
 	int best = 0;
-	
+
 	DBG2(DBG_CFG, "looking for a child config for %#R=== %#R", my_ts, other_ts);
 	enumerator = create_child_cfg_enumerator(this);
 	while (enumerator->enumerate(enumerator, &current))
 	{
 		int my_prio, other_prio;
-		
+
 		my_prio = get_ts_match(current, TRUE, my_ts, my_host);
 		other_prio = get_ts_match(current, FALSE, other_ts, other_host);
-		
+
 		if (my_prio && other_prio)
 		{
 			DBG2(DBG_CFG, "  candidate \"%s\" with prio %d+%d",
@@ -421,7 +421,7 @@ static host_t* get_virtual_ip(private_peer_cfg_t *this)
 {
 	return this->virtual_ip;
 }
-	
+
 /**
  * Implementation of peer_cfg_t.get_pool.
  */
@@ -493,7 +493,7 @@ static bool auth_cfg_equal(private_peer_cfg_t *this, private_peer_cfg_t *other)
 	enumerator_t *e1, *e2;
 	auth_cfg_t *cfg1, *cfg2;
 	bool equal = TRUE;
-	
+
 	if (this->local_auth->get_count(this->local_auth) !=
 		other->local_auth->get_count(other->local_auth))
 	{
@@ -504,7 +504,7 @@ static bool auth_cfg_equal(private_peer_cfg_t *this, private_peer_cfg_t *other)
 	{
 		return FALSE;
 	}
-	
+
 	e1 = this->local_auth->create_enumerator(this->local_auth);
 	e2 = other->local_auth->create_enumerator(other->local_auth);
 	while (e1->enumerate(e1, &cfg1) && e2->enumerate(e2, &cfg2))
@@ -517,12 +517,12 @@ static bool auth_cfg_equal(private_peer_cfg_t *this, private_peer_cfg_t *other)
 	}
 	e1->destroy(e1);
 	e2->destroy(e2);
-	
+
 	if (!equal)
 	{
 		return FALSE;
 	}
-	
+
 	e1 = this->remote_auth->create_enumerator(this->remote_auth);
 	e2 = other->remote_auth->create_enumerator(other->remote_auth);
 	while (e1->enumerate(e1, &cfg1) && e2->enumerate(e2, &cfg2))
@@ -535,7 +535,7 @@ static bool auth_cfg_equal(private_peer_cfg_t *this, private_peer_cfg_t *other)
 	}
 	e1->destroy(e1);
 	e2->destroy(e2);
-	
+
 	return equal;
 }
 
@@ -552,7 +552,7 @@ static bool equals(private_peer_cfg_t *this, private_peer_cfg_t *other)
 	{
 		return FALSE;
 	}
-	
+
 	return (
 		this->ike_version == other->ike_version &&
 		this->cert_policy == other->cert_policy &&
@@ -567,7 +567,7 @@ static bool equals(private_peer_cfg_t *this, private_peer_cfg_t *other)
 		(this->virtual_ip == other->virtual_ip ||
 		 (this->virtual_ip && other->virtual_ip &&
 		  this->virtual_ip->equals(this->virtual_ip, other->virtual_ip))) &&
-		(this->pool == other->pool || 
+		(this->pool == other->pool ||
 		 (this->pool && other->pool && streq(this->pool, other->pool))) &&
 		auth_cfg_equal(this, other)
 #ifdef ME
@@ -630,8 +630,8 @@ peer_cfg_t *peer_cfg_create(char *name, u_int ike_version, ike_cfg_t *ike_cfg,
 	private_peer_cfg_t *this = malloc_thing(private_peer_cfg_t);
 
 	/* public functions */
-	this->public.get_name = (char* (*) (peer_cfg_t *))get_name;	
-	this->public.get_ike_version = (u_int(*) (peer_cfg_t *))get_ike_version;	
+	this->public.get_name = (char* (*) (peer_cfg_t *))get_name;
+	this->public.get_ike_version = (u_int(*) (peer_cfg_t *))get_ike_version;
 	this->public.get_ike_cfg = (ike_cfg_t* (*) (peer_cfg_t *))get_ike_cfg;
 	this->public.add_child_cfg = (void (*) (peer_cfg_t *, child_cfg_t*))add_child_cfg;
 	this->public.remove_child_cfg = (void(*)(peer_cfg_t*, enumerator_t*))remove_child_cfg;
@@ -657,7 +657,7 @@ peer_cfg_t *peer_cfg_create(char *name, u_int ike_version, ike_cfg_t *ike_cfg,
 	this->public.get_mediated_by = (peer_cfg_t* (*) (peer_cfg_t *))get_mediated_by;
 	this->public.get_peer_id = (identification_t* (*) (peer_cfg_t *))get_peer_id;
 #endif /* ME */
-	
+
 	/* apply init values */
 	this->name = strdup(name);
 	this->ike_version = ike_version;
diff --git a/src/charon/config/peer_cfg.h b/src/charon/config/peer_cfg.h
index 3c095eff0..6855276f8 100644
--- a/src/charon/config/peer_cfg.h
+++ b/src/charon/config/peer_cfg.h
@@ -30,7 +30,7 @@ typedef struct peer_cfg_t peer_cfg_t;
 #include <library.h>
 #include <utils/identification.h>
 #include <utils/enumerator.h>
-#include <config/traffic_selector.h>
+#include <selectors/traffic_selector.h>
 #include <config/proposal.h>
 #include <config/ike_cfg.h>
 #include <config/child_cfg.h>
@@ -43,17 +43,17 @@ typedef struct peer_cfg_t peer_cfg_t;
  * requests when using this definition for the other peer. If
  * it is CERT_NEVER_SEND, a certreq is omitted, otherwise its
  * included.
- * 
+ *
  * @warning These definitions must be the same as in pluto/starter,
  * as they are sent over the stroke socket.
  */
 enum cert_policy_t {
 	/** always send certificates, even when not requested */
-	CERT_ALWAYS_SEND   = 0,
+	CERT_ALWAYS_SEND =		0,
 	/** send certificate upon cert request */
-	CERT_SEND_IF_ASKED = 1,
+	CERT_SEND_IF_ASKED =	1,
 	/** never send a certificate, even when requested */
-	CERT_NEVER_SEND    = 2,
+	CERT_NEVER_SEND =		2,
 };
 
 /**
@@ -108,60 +108,60 @@ extern enum_name_t *unique_policy_names;
  * Each peer_cfg has two lists of authentication config attached. Local
  * authentication configs define how to authenticate ourself against the remote
  * peer. Each config is enforced using the multiple authentication extension
- * (RFC4739). 
+ * (RFC4739).
  * The remote authentication configs are handled as constraints. The peer has
  * to fullfill each of these rules (using multiple authentication, in any order)
  * to gain access to the configuration.
  */
 struct peer_cfg_t {
-	
+
 	/**
 	 * Get the name of the peer_cfg.
-	 * 
+	 *
 	 * Returned object is not getting cloned.
-	 * 
+	 *
 	 * @return				peer_cfg's name
 	 */
 	char* (*get_name) (peer_cfg_t *this);
-	
+
 	/**
 	 * Get the IKE version to use for initiating.
 	 *
 	 * @return 				IKE major version
 	 */
 	u_int (*get_ike_version)(peer_cfg_t *this);
-	
+
 	/**
 	 * Get the IKE config to use for initiaton.
-	 * 
+	 *
 	 * @return				the IKE config to use
 	 */
 	ike_cfg_t* (*get_ike_cfg) (peer_cfg_t *this);
-	
+
 	/**
 	 * Attach a CHILD config.
-	 * 
+	 *
 	 * @param child_cfg		CHILD config to add
 	 */
 	void (*add_child_cfg) (peer_cfg_t *this, child_cfg_t *child_cfg);
-	
+
 	/**
 	 * Detach a CHILD config, pointed to by an enumerator.
 	 *
 	 * @param enumerator	enumerator indicating element position
 	 */
 	void (*remove_child_cfg)(peer_cfg_t *this, enumerator_t *enumerator);
-	
+
 	/**
 	 * Create an enumerator for all attached CHILD configs.
-	 * 
+	 *
 	 * @return				an enumerator over all CHILD configs.
 	 */
 	enumerator_t* (*create_child_cfg_enumerator) (peer_cfg_t *this);
-	
+
 	/**
 	 * Select a CHILD config from traffic selectors.
-	 * 
+	 *
 	 * @param my_ts			TS for local side
 	 * @param other_ts		TS for remote side
 	 * @param my_host		host to narrow down dynamic TS for local side
@@ -171,7 +171,7 @@ struct peer_cfg_t {
 	child_cfg_t* (*select_child_cfg) (peer_cfg_t *this, linked_list_t *my_ts,
 									  linked_list_t *other_ts, host_t *my_host,
 									  host_t *other_host);
-	
+
 	/**
 	 * Add an authentication config to the peer configuration.
 	 *
@@ -179,7 +179,7 @@ struct peer_cfg_t {
 	 * @param local			TRUE for local rules, FALSE for remote constraints
 	 */
 	void (*add_auth_cfg)(peer_cfg_t *this, auth_cfg_t *cfg, bool local);
-	
+
 	/**
 	 * Create an enumerator over registered authentication configs.
 	 *
@@ -201,49 +201,49 @@ struct peer_cfg_t {
 	 * @return			unique policy
 	 */
 	unique_policy_t (*get_unique_policy) (peer_cfg_t *this);
-	
+
 	/**
 	 * Get the max number of retries after timeout.
 	 *
 	 * @return			max number retries
 	 */
 	u_int32_t (*get_keyingtries) (peer_cfg_t *this);
-	
+
 	/**
 	 * Get a time to start rekeying (is randomized with jitter).
 	 *
 	 * @return			time in s when to start rekeying, 0 disables rekeying
 	 */
 	u_int32_t (*get_rekey_time)(peer_cfg_t *this);
-	
+
 	/**
 	 * Get a time to start reauthentication (is randomized with jitter).
 	 *
 	 * @return			time in s when to start reauthentication, 0 disables it
 	 */
 	u_int32_t (*get_reauth_time)(peer_cfg_t *this);
-	
+
 	/**
 	 * Get the timeout of a rekeying/reauthenticating SA.
 	 *
 	 * @return			timeout in s
 	 */
 	u_int32_t (*get_over_time)(peer_cfg_t *this);
-	
+
 	/**
 	 * Use MOBIKE (RFC4555) if peer supports it?
-	 * 
+	 *
 	 * @return			TRUE to enable MOBIKE support
 	 */
 	bool (*use_mobike) (peer_cfg_t *this);
-	
+
 	/**
 	 * Get the DPD check interval.
-	 * 
+	 *
 	 * @return			dpd_delay in seconds
 	 */
 	u_int32_t (*get_dpd) (peer_cfg_t *this);
-	
+
 	/**
 	 * Get a virtual IP for the local peer.
 	 *
@@ -255,37 +255,37 @@ struct peer_cfg_t {
 	 * @return				virtual IP, %any or NULL
 	 */
 	host_t* (*get_virtual_ip) (peer_cfg_t *this);
-	
+
 	/**
 	 * Get the name of the pool to acquire configuration attributes from.
 	 *
 	 * @return				pool name, NULL if none defined
 	 */
 	char* (*get_pool)(peer_cfg_t *this);
-	
+
 #ifdef ME
 	/**
 	 * Is this a mediation connection?
-	 * 
+	 *
 	 * @return				TRUE, if this is a mediation connection
 	 */
 	bool (*is_mediation) (peer_cfg_t *this);
-	
+
 	/**
 	 * Get peer_cfg of the connection this one is mediated through.
-	 * 
+	 *
 	 * @return				the peer_cfg of the mediation connection
 	 */
 	peer_cfg_t* (*get_mediated_by) (peer_cfg_t *this);
-	
+
 	/**
 	 * Get the id of the other peer at the mediation server.
-	 * 
+	 *
 	 * This is the leftid of the peer's connection with the mediation server.
-	 * 
+	 *
 	 * If it is not configured, it is assumed to be the same as the right id
-	 * of this connection. 
-	 * 
+	 * of this connection.
+	 *
 	 * @return				the id of the other peer
 	 */
 	identification_t* (*get_peer_id) (peer_cfg_t *this);
@@ -300,14 +300,14 @@ struct peer_cfg_t {
 	 * @return				TRUE if peer_cfg and ike_cfg are equal
 	 */
 	bool (*equals)(peer_cfg_t *this, peer_cfg_t *other);
-	
+
 	/**
 	 * Increase reference count.
 	 *
 	 * @return				reference to this
 	 */
 	peer_cfg_t* (*get_ref) (peer_cfg_t *this);
-	
+
 	/**
 	 * Destroys the peer_cfg object.
 	 *
@@ -319,14 +319,14 @@ struct peer_cfg_t {
 
 /**
  * Create a configuration object for IKE_AUTH and later.
- * 
+ *
  * name-string gets cloned, ID's not.
  * Virtual IPs are used if they are != NULL. A %any host means the virtual
  * IP should be obtained from the other peer.
  * Lifetimes are in seconds. To prevent to peers to start rekeying at the
  * same time, a jitter may be specified. Rekeying of an SA starts at
- * (rekeylifetime - random(0, jitter)). 
- * 
+ * (rekeylifetime - random(0, jitter)).
+ *
  * @param name				name of the peer_cfg
  * @param ike_version		which IKE version we sould use for this peer
  * @param ike_cfg			IKE config to use when acting as initiator
diff --git a/src/charon/config/proposal.c b/src/charon/config/proposal.c
index cf7e19605..6b3500b6e 100644
--- a/src/charon/config/proposal.c
+++ b/src/charon/config/proposal.c
@@ -52,52 +52,52 @@ struct private_proposal_t {
 	 * Public part
 	 */
 	proposal_t public;
-	
+
 	/**
 	 * protocol (ESP or AH)
 	 */
 	protocol_id_t protocol;
-	
+
 	/**
 	 * priority ordered list of encryption algorithms
 	 */
 	linked_list_t *encryption_algos;
-	
+
 	/**
 	 * priority ordered list of integrity algorithms
 	 */
 	linked_list_t *integrity_algos;
-	
+
 	/**
 	 * priority ordered list of pseudo random functions
 	 */
 	linked_list_t *prf_algos;
-	
+
 	/**
 	 * priority ordered list of dh groups
 	 */
 	linked_list_t *dh_groups;
-	
+
 	/**
 	 * priority ordered list of extended sequence number flags
 	 */
 	linked_list_t *esns;
-	
-	/** 
+
+	/**
 	 * senders SPI
 	 */
 	u_int64_t spi;
 };
 
 /**
- * Struct used to store different kinds of algorithms. 
+ * Struct used to store different kinds of algorithms.
  */
 struct algorithm_t {
 	/**
 	 * Value from an encryption_algorithm_t/integrity_algorithm_t/...
 	 */
 	u_int16_t algorithm;
-	
+
 	/**
 	 * the associated key size in bits, or zero if not needed
 	 */
@@ -110,7 +110,7 @@ struct algorithm_t {
 static void add_algo(linked_list_t *list, u_int16_t algo, u_int16_t key_size)
 {
 	algorithm_t *algo_key;
-	
+
 	algo_key = malloc_thing(algorithm_t);
 	algo_key->algorithm = algo;
 	algo_key->key_size = key_size;
@@ -200,7 +200,7 @@ static bool get_algorithm(private_proposal_t *this, transform_type_t type,
 {
 	enumerator_t *enumerator;
 	bool found = FALSE;
-	
+
 	enumerator = create_enumerator(this, type);
 	if (enumerator->enumerate(enumerator, alg, key_size))
 	{
@@ -216,12 +216,12 @@ static bool get_algorithm(private_proposal_t *this, transform_type_t type,
 static bool has_dh_group(private_proposal_t *this, diffie_hellman_group_t group)
 {
 	bool result = FALSE;
-	
+
 	if (this->dh_groups->get_count(this->dh_groups))
 	{
 		algorithm_t *current;
 		enumerator_t *enumerator;
-		
+
 		enumerator = this->dh_groups->create_enumerator(this->dh_groups);
 		while (enumerator->enumerate(enumerator, (void**)&current))
 		{
@@ -246,7 +246,7 @@ static bool has_dh_group(private_proposal_t *this, diffie_hellman_group_t group)
 static void strip_dh(private_proposal_t *this)
 {
 	algorithm_t *alg;
-	
+
 	while (this->dh_groups->remove_last(this->dh_groups, (void**)&alg) == SUCCESS)
 	{
 		free(alg);
@@ -277,19 +277,19 @@ static bool is_authenticated_encryption(u_int16_t alg)
 /**
  * Find a matching alg/keysize in two linked lists
  */
-static bool select_algo(linked_list_t *first, linked_list_t *second, bool *add,
-						u_int16_t *alg, size_t *key_size)
+static bool select_algo(linked_list_t *first, linked_list_t *second, bool priv,
+						bool *add, u_int16_t *alg, size_t *key_size)
 {
 	enumerator_t *e1, *e2;
 	algorithm_t *alg1, *alg2;
-	
+
 	/* if in both are zero algorithms specified, we HAVE a match */
 	if (first->get_count(first) == 0 && second->get_count(second) == 0)
 	{
 		*add = FALSE;
 		return TRUE;
 	}
-	
+
 	e1 = first->create_enumerator(first);
 	e2 = second->create_enumerator(second);
 	/* compare algs, order of algs in "first" is preferred */
@@ -302,6 +302,13 @@ static bool select_algo(linked_list_t *first, linked_list_t *second, bool *add,
 			if (alg1->algorithm == alg2->algorithm &&
 				alg1->key_size == alg2->key_size)
 			{
+				if (!priv && alg1->algorithm >= 1024)
+				{
+					/* accept private use algorithms only if requested */
+					DBG1(DBG_CFG, "an algorithm from private space would match, "
+						 "but peer implementation is unknown, skipped");
+					continue;
+				}
 				/* ok, we have an algorithm */
 				*alg = alg1->algorithm;
 				*key_size = alg1->key_size;
@@ -321,26 +328,27 @@ static bool select_algo(linked_list_t *first, linked_list_t *second, bool *add,
 /**
  * Implements proposal_t.select.
  */
-static proposal_t *select_proposal(private_proposal_t *this, private_proposal_t *other)
+static proposal_t *select_proposal(private_proposal_t *this,
+								private_proposal_t *other, bool private)
 {
 	proposal_t *selected;
 	u_int16_t algo;
 	size_t key_size;
 	bool add;
-	
+
 	DBG2(DBG_CFG, "selecting proposal:");
-	
+
 	/* check protocol */
 	if (this->protocol != other->protocol)
 	{
 		DBG2(DBG_CFG, "  protocol mismatch, skipping");
 		return NULL;
 	}
-	
+
 	selected = proposal_create(this->protocol);
-	
+
 	/* select encryption algorithm */
-	if (select_algo(this->encryption_algos, other->encryption_algos,
+	if (select_algo(this->encryption_algos, other->encryption_algos, private,
 					&add, &algo, &key_size))
 	{
 		if (add)
@@ -359,7 +367,7 @@ static proposal_t *select_proposal(private_proposal_t *this, private_proposal_t
 	/* select integrity algorithm */
 	if (!is_authenticated_encryption(algo))
 	{
-		if (select_algo(this->integrity_algos, other->integrity_algos,	
+		if (select_algo(this->integrity_algos, other->integrity_algos, private,
 						&add, &algo, &key_size))
 		{
 			if (add)
@@ -377,7 +385,7 @@ static proposal_t *select_proposal(private_proposal_t *this, private_proposal_t
 		}
 	}
 	/* select prf algorithm */
-	if (select_algo(this->prf_algos, other->prf_algos,
+	if (select_algo(this->prf_algos, other->prf_algos, private,
 					&add, &algo, &key_size))
 	{
 		if (add)
@@ -394,7 +402,8 @@ static proposal_t *select_proposal(private_proposal_t *this, private_proposal_t
 		return NULL;
 	}
 	/* select a DH-group */
-	if (select_algo(this->dh_groups, other->dh_groups, &add, &algo, &key_size))
+	if (select_algo(this->dh_groups, other->dh_groups, private,
+					&add, &algo, &key_size))
 	{
 		if (add)
 		{
@@ -408,8 +417,8 @@ static proposal_t *select_proposal(private_proposal_t *this, private_proposal_t
 			 transform_type_names, DIFFIE_HELLMAN_GROUP);
 		return NULL;
 	}
-	/* select if we use ESNs */
-	if (select_algo(this->esns, other->esns, &add, &algo, &key_size))
+	/* select if we use ESNs (has no private use space) */
+	if (select_algo(this->esns, other->esns, TRUE, &add, &algo, &key_size))
 	{
 		if (add)
 		{
@@ -424,10 +433,10 @@ static proposal_t *select_proposal(private_proposal_t *this, private_proposal_t
 		return NULL;
 	}
 	DBG2(DBG_CFG, "  proposal matches");
-	
+
 	/* apply SPI from "other" */
 	selected->set_spi(selected, other->spi);
-	
+
 	/* everything matched, return new proposal */
 	return selected;
 }
@@ -463,7 +472,7 @@ static void clone_algo_list(linked_list_t *list, linked_list_t *clone_list)
 {
 	algorithm_t *algo, *clone_algo;
 	enumerator_t *enumerator;
-	
+
 	enumerator = list->create_enumerator(list);
 	while (enumerator->enumerate(enumerator, &algo))
 	{
@@ -482,12 +491,12 @@ static bool algo_list_equals(linked_list_t *l1, linked_list_t *l2)
 	enumerator_t *e1, *e2;
 	algorithm_t *alg1, *alg2;
 	bool equals = TRUE;
-	
+
 	if (l1->get_count(l1) != l2->get_count(l2))
 	{
 		return FALSE;
 	}
-	
+
 	e1 = l1->create_enumerator(l1);
 	e2 = l2->create_enumerator(l2);
 	while (e1->enumerate(e1, &alg1) && e2->enumerate(e2, &alg2))
@@ -531,15 +540,15 @@ static bool equals(private_proposal_t *this, private_proposal_t *other)
 static proposal_t *clone_(private_proposal_t *this)
 {
 	private_proposal_t *clone = (private_proposal_t*)proposal_create(this->protocol);
-	
+
 	clone_algo_list(this->encryption_algos, clone->encryption_algos);
 	clone_algo_list(this->integrity_algos, clone->integrity_algos);
 	clone_algo_list(this->prf_algos, clone->prf_algos);
 	clone_algo_list(this->dh_groups, clone->dh_groups);
 	clone_algo_list(this->esns, clone->esns);
-	
+
 	clone->spi = this->spi;
-	
+
 	return &clone->public;
 }
 
@@ -551,7 +560,7 @@ static void check_proposal(private_proposal_t *this)
 	enumerator_t *e;
 	algorithm_t *alg;
 	bool all_aead = TRUE;
-	
+
 	e = this->encryption_algos->create_enumerator(this->encryption_algos);
 	while (e->enumerate(e, &alg))
 	{
@@ -562,7 +571,7 @@ static void check_proposal(private_proposal_t *this)
 		}
 	}
 	e->destroy(e);
-	
+
 	if (all_aead)
 	{
 		/* if all encryption algorithms in the proposal are authenticated encryption
@@ -613,7 +622,7 @@ static status_t add_string_algo(private_proposal_t *this, chunk_t alg)
 			case AUTH_AES_XCBC_96:
 				prf = PRF_AES128_XCBC;
 				break;
-			default: 
+			default:
 				prf = PRF_UNDEFINED;
 		}
 		if (prf != PRF_UNDEFINED)
@@ -633,7 +642,7 @@ static int print_alg(private_proposal_t *this, char **dst, size_t *len,
 	enumerator_t *enumerator;
 	size_t written = 0;
 	u_int16_t alg, size;
-	
+
 	enumerator = create_enumerator(this, kind);
 	while (enumerator->enumerate(enumerator, &alg, &size))
 	{
@@ -666,12 +675,12 @@ int proposal_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
 	enumerator_t *enumerator;
 	size_t written = 0;
 	bool first = TRUE;
-	
+
 	if (this == NULL)
 	{
 		return print_in_hook(dst, len, "(null)");
 	}
-	
+
 	if (spec->hash)
 	{
 		enumerator = list->create_enumerator(list);
@@ -690,7 +699,7 @@ int proposal_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
 		enumerator->destroy(enumerator);
 		return written;
 	}
-	
+
 	written = print_in_hook(dst, len, "%N:", protocol_id_names, this->protocol);
 	written += print_alg(this, &dst, &len, ENCRYPTION_ALGORITHM,
 						 encryption_algorithm_names, &first);
@@ -724,29 +733,29 @@ static void destroy(private_proposal_t *this)
 proposal_t *proposal_create(protocol_id_t protocol)
 {
 	private_proposal_t *this = malloc_thing(private_proposal_t);
-	
+
 	this->public.add_algorithm = (void (*)(proposal_t*,transform_type_t,u_int16_t,u_int16_t))add_algorithm;
 	this->public.create_enumerator = (enumerator_t* (*)(proposal_t*,transform_type_t))create_enumerator;
 	this->public.get_algorithm = (bool (*)(proposal_t*,transform_type_t,u_int16_t*,u_int16_t*))get_algorithm;
 	this->public.has_dh_group = (bool (*)(proposal_t*,diffie_hellman_group_t))has_dh_group;
 	this->public.strip_dh = (void(*)(proposal_t*))strip_dh;
-	this->public.select = (proposal_t* (*)(proposal_t*,proposal_t*))select_proposal;
+	this->public.select = (proposal_t* (*)(proposal_t*,proposal_t*,bool))select_proposal;
 	this->public.get_protocol = (protocol_id_t(*)(proposal_t*))get_protocol;
 	this->public.set_spi = (void(*)(proposal_t*,u_int64_t))set_spi;
 	this->public.get_spi = (u_int64_t(*)(proposal_t*))get_spi;
 	this->public.equals = (bool(*)(proposal_t*, proposal_t *other))equals;
 	this->public.clone = (proposal_t*(*)(proposal_t*))clone_;
 	this->public.destroy = (void(*)(proposal_t*))destroy;
-	
+
 	this->spi = 0;
 	this->protocol = protocol;
-	
+
 	this->encryption_algos = linked_list_create();
 	this->integrity_algos = linked_list_create();
 	this->prf_algos = linked_list_create();
 	this->dh_groups = linked_list_create();
 	this->esns = linked_list_create();
-	
+
 	return &this->public;
 }
 
@@ -760,7 +769,7 @@ static void proposal_add_supported_ike(private_proposal_t *this)
 	integrity_algorithm_t integrity;
 	pseudo_random_function_t prf;
 	diffie_hellman_group_t group;
-	
+
 	enumerator = lib->crypto->create_crypter_enumerator(lib->crypto);
 	while (enumerator->enumerate(enumerator, &encryption))
 	{
@@ -787,10 +796,10 @@ static void proposal_add_supported_ike(private_proposal_t *this)
 				break;
 			default:
 				break;
-		}	
+		}
 	}
 	enumerator->destroy(enumerator);
-	
+
 	enumerator = lib->crypto->create_signer_enumerator(lib->crypto);
 	while (enumerator->enumerate(enumerator, &integrity))
 	{
@@ -806,10 +815,10 @@ static void proposal_add_supported_ike(private_proposal_t *this)
 				break;
 			default:
 				break;
-		}	
+		}
 	}
 	enumerator->destroy(enumerator);
-	
+
 	enumerator = lib->crypto->create_prf_enumerator(lib->crypto);
 	while (enumerator->enumerate(enumerator, &prf))
 	{
@@ -828,7 +837,7 @@ static void proposal_add_supported_ike(private_proposal_t *this)
 		}
 	}
 	enumerator->destroy(enumerator);
-	
+
 	enumerator = lib->crypto->create_dh_enumerator(lib->crypto);
 	while (enumerator->enumerate(enumerator, &group))
 	{
@@ -865,7 +874,7 @@ static void proposal_add_supported_ike(private_proposal_t *this)
 proposal_t *proposal_create_default(protocol_id_t protocol)
 {
 	private_proposal_t *this = (private_proposal_t*)proposal_create(protocol);
-	
+
 	switch (protocol)
 	{
 		case PROTO_IKE:
@@ -903,14 +912,14 @@ proposal_t *proposal_create_from_string(protocol_id_t protocol, const char *algs
 	chunk_t string = {(void*)algs, strlen(algs)};
 	chunk_t alg;
 	status_t status = SUCCESS;
-	
+
 	eat_whitespace(&string);
 	if (string.len < 1)
 	{
 		destroy(this);
 		return NULL;
 	}
-	
+
 	/* get all tokens, separated by '-' */
 	while (extract_token(&alg, '-', &string))
 	{
@@ -925,9 +934,9 @@ proposal_t *proposal_create_from_string(protocol_id_t protocol, const char *algs
 		destroy(this);
 		return NULL;
 	}
-	
+
 	check_proposal(this);
-	
+
 	if (protocol == PROTO_AH || protocol == PROTO_ESP)
 	{
 		add_algorithm(this, EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS, 0);
diff --git a/src/charon/config/proposal.h b/src/charon/config/proposal.h
index bc7a8c5e7..30f63b80d 100644
--- a/src/charon/config/proposal.h
+++ b/src/charon/config/proposal.h
@@ -33,7 +33,7 @@ typedef struct proposal_t proposal_t;
 #include <crypto/crypters/crypter.h>
 #include <crypto/signers/signer.h>
 #include <crypto/diffie_hellman.h>
-#include <config/traffic_selector.h>
+#include <selectors/traffic_selector.h>
 
 /**
  * Protocol ID of a proposal.
@@ -65,17 +65,17 @@ extern enum_name_t *extended_sequence_numbers_names;
 
 /**
  * Stores a set of algorithms used for an SA.
- * 
- * A proposal stores algorithms for a specific 
+ *
+ * A proposal stores algorithms for a specific
  * protocol. It can store algorithms for one protocol.
  * Proposals with multiple protocols are not supported,
  * as it's not specified in RFC4301 anymore.
  */
 struct proposal_t {
-	
+
 	/**
 	 * Add an algorithm to the proposal.
-	 * 
+	 *
 	 * The algorithms are stored by priority, first added
 	 * is the most preferred.
 	 * Key size is only needed for encryption algorithms
@@ -84,27 +84,27 @@ struct proposal_t {
 	 * The alg parameter accepts encryption_algorithm_t,
 	 * integrity_algorithm_t, dh_group_number_t and
 	 * extended_sequence_numbers_t.
-	 * 
+	 *
 	 * @param type			kind of algorithm
 	 * @param alg			identifier for algorithm
 	 * @param key_size		key size to use
 	 */
 	void (*add_algorithm) (proposal_t *this, transform_type_t type,
 						   u_int16_t alg, u_int16_t key_size);
-	
+
 	/**
 	 * Get an enumerator over algorithms for a specifc algo type.
-	 * 
+	 *
 	 * @param type			kind of algorithm
 	 * @return				enumerator over u_int16_t alg, u_int16_t key_size
 	 */
 	enumerator_t *(*create_enumerator) (proposal_t *this, transform_type_t type);
-	
+
 	/**
 	 * Get the algorithm for a type to use.
-	 * 
+	 *
 	 * If there are multiple algorithms, only the first is returned.
-	 * 
+	 *
 	 * @param type			kind of algorithm
 	 * @param alg			pointer which receives algorithm
 	 * @param key_size		pointer which receives the key size
@@ -112,53 +112,54 @@ struct proposal_t {
 	 */
 	bool (*get_algorithm) (proposal_t *this, transform_type_t type,
 						   u_int16_t *alg, u_int16_t *key_size);
-	
+
 	/**
 	 * Check if the proposal has a specific DH group.
-	 * 
+	 *
 	 * @param group			group to check for
 	 * @return				TRUE if algorithm included
 	 */
 	bool (*has_dh_group) (proposal_t *this, diffie_hellman_group_t group);
-	
+
 	/**
 	 * Strip DH groups from proposal to use it without PFS.
 	 */
-	void (*strip_dh)(proposal_t *this);	
+	void (*strip_dh)(proposal_t *this);
 
 	/**
 	 * Compare two proposal, and select a matching subset.
-	 * 
+	 *
 	 * If the proposals are for the same protocols (AH/ESP), they are
 	 * compared. If they have at least one algorithm of each type
 	 * in common, a resulting proposal of this kind is created.
-	 * 
+	 *
 	 * @param other			proposal to compair agains
+	 * @param private		accepts algorithms allocated in a private range
 	 * @return				selected proposal, NULL if proposals don't match
 	 */
-	proposal_t *(*select) (proposal_t *this, proposal_t *other);
-	
+	proposal_t *(*select) (proposal_t *this, proposal_t *other, bool private);
+
 	/**
 	 * Get the protocol ID of the proposal.
 	 *
 	 * @return				protocol of the proposal
 	 */
 	protocol_id_t (*get_protocol) (proposal_t *this);
-	
+
 	/**
 	 * Get the SPI of the proposal.
-	 * 
+	 *
 	 * @return				spi for proto
 	 */
 	u_int64_t (*get_spi) (proposal_t *this);
-	
+
 	/**
 	 * Set the SPI of the proposal.
-	 * 
+	 *
 	 * @param spi			spi to set for proto
 	 */
 	void (*set_spi) (proposal_t *this, u_int64_t spi);
-	
+
 	/**
 	 * Check for the eqality of two proposals.
 	 *
@@ -166,14 +167,14 @@ struct proposal_t {
 	 * @return				TRUE if other equal to this
 	 */
 	bool (*equals)(proposal_t *this, proposal_t *other);
-	
+
 	/**
 	 * Clone a proposal.
-	 * 
+	 *
 	 * @return				clone of proposal
 	 */
 	proposal_t *(*clone) (proposal_t *this);
-	
+
 	/**
 	 * Destroys the proposal object.
 	 */
@@ -201,7 +202,7 @@ proposal_t *proposal_create_default(protocol_id_t protocol);
  *
  * The string is in the same form as a in the ipsec.conf file.
  * E.g.:	aes128-sha2_256-modp2048
- *          3des-md5
+ *		  3des-md5
  * An additional '!' at the end of the string forces this proposal,
  * without it the peer may choose another algorithm we support.
  *
@@ -214,10 +215,10 @@ proposal_t *proposal_create_from_string(protocol_id_t protocol, const char *algs
 /**
  * printf hook function for proposal_t.
  *
- * Arguments are: 
- *    proposal_t *proposal
+ * Arguments are:
+ *	proposal_t *proposal
  * With the #-specifier, arguments are:
- *    linked_list_t *list containing proposal_t*
+ *	linked_list_t *list containing proposal_t*
  */
 int proposal_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
 						 const void *const *args);
diff --git a/src/charon/config/traffic_selector.c b/src/charon/config/traffic_selector.c
deleted file mode 100644
index a8ea10008..000000000
--- a/src/charon/config/traffic_selector.c
+++ /dev/null
@@ -1,856 +0,0 @@
-/*
- * Copyright (C) 2007-2009 Tobias Brunner
- * Copyright (C) 2005-2007 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <arpa/inet.h>
-#include <string.h>
-#include <netdb.h>
-#include <stdio.h>
-
-#include "traffic_selector.h"
-
-#include <daemon.h>
-#include <utils/linked_list.h>
-#include <utils/identification.h>
-
-ENUM(ts_type_name, TS_IPV4_ADDR_RANGE, TS_IPV6_ADDR_RANGE,
-	"TS_IPV4_ADDR_RANGE",
-	"TS_IPV6_ADDR_RANGE",
-);
-
-typedef struct private_traffic_selector_t private_traffic_selector_t;
-
-/**
- * Private data of an traffic_selector_t object
- */
-struct private_traffic_selector_t {
-
-	/**
-	 * Public part
-	 */
-	traffic_selector_t public;
-	
-	/**
-	 * Type of address
-	 */
-	ts_type_t type;
-	
-	/**
-	 * IP protocol (UDP, TCP, ICMP, ...)
-	 */
-	u_int8_t protocol;
-	
-	/**
-	 * narrow this traffic selector to hosts external ip
-	 * if set, from and to have no meaning until set_address() is called
-	 */
-	bool dynamic;
-	
-	/** 
-	 * begin of address range, network order
-	 */
-	union {
-		/** dummy char for common address manipulation */
-		char from[0];
-		/** IPv4 address */
-		u_int32_t from4[1];
-		/** IPv6 address */
-		u_int32_t from6[4];
-	};
-	
-	/**
-	 * end of address range, network order
-	 */
-	union {
-		/** dummy char for common address manipulation */
-		char to[0];
-		/** IPv4 address */
-		u_int32_t to4[1];
-		/** IPv6 address */
-		u_int32_t to6[4];
-	};
-	
-	/**
-	 * begin of port range 
-	 */
-	u_int16_t from_port;
-	
-	/**
-	 * end of port range 
-	 */
-	u_int16_t to_port;
-};
-
-/**
- * calculate to "to"-address for the "from" address and a subnet size
- */
-static void calc_range(private_traffic_selector_t *this, u_int8_t netbits)
-{
-	int byte;
-	size_t size = (this->type == TS_IPV4_ADDR_RANGE) ? 4 : 16;
-	
-	/* go through the from address, starting at the tail. While we
-	 * have not processed the bits belonging to the host, set them to 1 on
-	 * the to address. If we reach the bits for the net, copy them from "from". */
-	for (byte = size - 1; byte >=0; byte--)
-	{
-		u_char mask = 0x00;
-		int shift;
-		
-		shift = (byte+1) * 8 - netbits;
-		if (shift > 0)
-		{
-			mask = 1 << shift;
-			if (mask != 0xFF)
-			{
-				mask--;
-			}
-		}
-		this->to[byte] = this->from[byte] | mask;
-	}
-}
-
-/**
- * calculate to subnet size from "to"- and "from"-address
- */
-static u_int8_t calc_netbits(private_traffic_selector_t *this)
-{
-	int byte, bit;
-	size_t size = (this->type == TS_IPV4_ADDR_RANGE) ? 4 : 16;
-	
-	/* go trough all bits of the addresses, beginning in the front.
-	 * as long as they are equal, the subnet gets larger
-	 */
-	for (byte = 0; byte < size; byte++)
-	{
-		for (bit = 7; bit >= 0; bit--)
-		{
-			if ((1<<bit & this->from[byte]) != (1<<bit & this->to[byte]))
-			{
-				return ((7 - bit) + (byte * 8));
-			}
-		}
-	}
-	/* single host, netmask is 32/128 */
-	return (size * 8);
-}
-
-/**
- * internal generic constructor
- */
-static private_traffic_selector_t *traffic_selector_create(u_int8_t protocol, ts_type_t type, u_int16_t from_port, u_int16_t to_port);
-
-/**
- * Described in header.
- */
-int traffic_selector_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
-								 const void *const *args)
-{
-	private_traffic_selector_t *this = *((private_traffic_selector_t**)(args[0]));
-	linked_list_t *list = *((linked_list_t**)(args[0]));
-	iterator_t *iterator;
-	char addr_str[INET6_ADDRSTRLEN] = "";
-	char *serv_proto = NULL;
-	u_int8_t mask;
-	bool has_proto;
-	bool has_ports;
-	size_t written = 0;
-	u_int32_t from[4], to[4];
-	
-	if (this == NULL)
-	{
-		return print_in_hook(dst, len, "(null)");
-	}
-	
-	if (spec->hash)
-	{
-		iterator = list->create_iterator(list, TRUE);
-		while (iterator->iterate(iterator, (void**)&this))
-		{
-			/* call recursivly */
-			written += print_in_hook(dst, len, "%R ", this);
-		}
-		iterator->destroy(iterator);
-		return written;
-	}
-	
-	memset(from, 0, sizeof(from));
-	memset(to, 0xFF, sizeof(to));
-	if (this->dynamic &&
-		memeq(this->from, from, this->type == TS_IPV4_ADDR_RANGE ? 4 : 16) && 
-		memeq(this->to, to, this->type == TS_IPV4_ADDR_RANGE ? 4 : 16))
-	{
-		written += print_in_hook(dst, len, "dynamic");
-	}
-	else
-	{
-		if (this->type == TS_IPV4_ADDR_RANGE)
-		{
-			inet_ntop(AF_INET, &this->from4, addr_str, sizeof(addr_str));
-		}
-		else
-		{
-			inet_ntop(AF_INET6, &this->from6, addr_str, sizeof(addr_str));
-		}
-		mask = calc_netbits(this);
-		written += print_in_hook(dst, len, "%s/%d", addr_str, mask);
-	}
-	
-	/* check if we have protocol and/or port selectors */
-	has_proto = this->protocol != 0;
-	has_ports = !(this->from_port == 0 && this->to_port == 0xFFFF);
-
-	if (!has_proto && !has_ports)
-	{
-		return written;
-	}
-
-	written += print_in_hook(dst, len, "[");
-
-	/* build protocol string */
-	if (has_proto)
-	{
-		struct protoent *proto = getprotobynumber(this->protocol);
-
-		if (proto)
-		{
-			written += print_in_hook(dst, len, "%s", proto->p_name);
-			serv_proto = proto->p_name;
-		}
-		else
-		{
-			written += print_in_hook(dst, len, "%d", this->protocol);
-		}
-	}
-	
-	if (has_proto && has_ports)
-	{
-		written += print_in_hook(dst, len, "/");
-	}
-
-	/* build port string */
-	if (has_ports)
-	{
-		if (this->from_port == this->to_port)
-		{
-			struct servent *serv = getservbyport(htons(this->from_port), serv_proto);
-
-			if (serv)
-			{
-				written += print_in_hook(dst, len, "%s", serv->s_name);
-			}
-			else
-			{
-				written += print_in_hook(dst, len, "%d", this->from_port);
-			}
-		}
-		else
-		{
-			written += print_in_hook(dst, len, "%d-%d", this->from_port, this->to_port);
-		}
-	}
-	
-	written += print_in_hook(dst, len, "]");
-
-	return written;
-}
-
-/**
- * implements traffic_selector_t.get_subset
- */
-static traffic_selector_t *get_subset(private_traffic_selector_t *this, private_traffic_selector_t *other)
-{
-	if (this->type == other->type && (this->protocol == other->protocol ||
-								this->protocol == 0 || other->protocol == 0))
-	{
-		u_int16_t from_port, to_port;
-		u_char *from, *to;
-		u_int8_t protocol;
-		size_t size;
-		private_traffic_selector_t *new_ts;
-		
-		/* calculate the maximum port range allowed for both */
-		from_port = max(this->from_port, other->from_port);
-		to_port = min(this->to_port, other->to_port);
-		if (from_port > to_port)
-		{
-			return NULL;
-		}
-		/* select protocol, which is not zero */
-		protocol = max(this->protocol, other->protocol);
-		
-		switch (this->type)
-		{
-			case TS_IPV4_ADDR_RANGE:
-				size = sizeof(this->from4);
-				break;
-			case TS_IPV6_ADDR_RANGE:
-				size = sizeof(this->from6);
-				break;
-			default:
-				return NULL;
-		}
-		
-		/* get higher from-address */
-		if (memcmp(this->from, other->from, size) > 0)
-		{
-			from = this->from;
-		}
-		else
-		{
-			from = other->from;
-		}
-		/* get lower to-address */
-		if (memcmp(this->to, other->to, size) > 0)
-		{
-			to = other->to;
-		}
-		else
-		{
-			to = this->to;
-		}
-		/* if "from" > "to", we don't have a match */
-		if (memcmp(from, to, size) > 0)
-		{
-			return NULL;
-		}
-		
-		/* we have a match in protocol, port, and address: return it... */
-		new_ts = traffic_selector_create(protocol, this->type, from_port, to_port);
-		new_ts->type = this->type;
-		new_ts->dynamic = this->dynamic || other->dynamic;
-		memcpy(new_ts->from, from, size);
-		memcpy(new_ts->to, to, size);
-		
-		return &new_ts->public;
-	}
-	return NULL;
-}
-
-/**
- * implements traffic_selector_t.equals
- */
-static bool equals(private_traffic_selector_t *this, private_traffic_selector_t *other)
-{
-	if (this->type != other->type)
-	{
-		return FALSE;
-	}
-	if (!(this->from_port == other->from_port &&
-		  this->to_port == other->to_port &&
-		  this->protocol == other->protocol))
-	{
-		return FALSE;
-	}
-	switch (this->type)
-	{
-		case TS_IPV4_ADDR_RANGE:
-			if (memeq(this->from4, other->from4, sizeof(this->from4)))
-			{
-				return TRUE;
-			}
-			break;
-		case TS_IPV6_ADDR_RANGE:
-			if (memeq(this->from6, other->from6, sizeof(this->from6)))
-			{
-				return TRUE;
-			}
-			break;
-		default:
-			break;
-	}
-	return FALSE;
-}
-
-/**
- * Implements traffic_selector_t.get_from_address.
- */
-static chunk_t get_from_address(private_traffic_selector_t *this)
-{
-	switch (this->type)
-	{
-		case TS_IPV4_ADDR_RANGE:
-			return chunk_create(this->from, sizeof(this->from4));
-		case TS_IPV6_ADDR_RANGE:
-			return chunk_create(this->from, sizeof(this->from6));
-		default:
-			return chunk_empty;
-	}
-}
-	
-/**
- * Implements traffic_selector_t.get_to_address.
- */
-static chunk_t get_to_address(private_traffic_selector_t *this)
-{
-	switch (this->type)
-	{
-		case TS_IPV4_ADDR_RANGE:
-			return chunk_create(this->to, sizeof(this->to4));
-		case TS_IPV6_ADDR_RANGE:
-			return chunk_create(this->to, sizeof(this->to6));
-		default:
-			return chunk_empty;
-	}
-}
-	
-/**
- * Implements traffic_selector_t.get_from_port.
- */
-static u_int16_t get_from_port(private_traffic_selector_t *this)
-{
-	return this->from_port;
-}
-	
-/**
- * Implements traffic_selector_t.get_to_port.
- */
-static u_int16_t get_to_port(private_traffic_selector_t *this)
-{
-	return this->to_port;
-}
-
-/**
- * Implements traffic_selector_t.get_type.
- */
-static ts_type_t get_type(private_traffic_selector_t *this)
-{
-	return this->type;
-}
-
-/**
- * Implements traffic_selector_t.get_protocol.
- */
-static u_int8_t get_protocol(private_traffic_selector_t *this)
-{
-	return this->protocol;
-}
-
-/**
- * Implements traffic_selector_t.is_host.
- */
-static bool is_host(private_traffic_selector_t *this, host_t *host)
-{
-	if (host)
-	{
-		chunk_t addr;
-		int family = host->get_family(host);
-		
-		if ((family == AF_INET && this->type == TS_IPV4_ADDR_RANGE) ||
-			(family == AF_INET6 && this->type == TS_IPV6_ADDR_RANGE))
-		{
-			addr = host->get_address(host);
-			if (memeq(addr.ptr, this->from, addr.len) &&
-				memeq(addr.ptr, this->to, addr.len))
-			{
-				return TRUE;
-			}
-		}
-	}
-	else
-	{
-		size_t length = (this->type == TS_IPV4_ADDR_RANGE) ? 4 : 16;
-		
-		if (this->dynamic)
-		{
-			return TRUE;
-		}
-		
-		if (memeq(this->from, this->to, length))
-		{
-			return TRUE;
-		}
-	}
-	return FALSE;
-}
-
-/**
- * Implementation of traffic_selector_t.is_dynamic
- */
-static bool is_dynamic(private_traffic_selector_t *this)
-{
-	return this->dynamic;
-}
-
-/**
- * Implements traffic_selector_t.set_address.
- */
-static void set_address(private_traffic_selector_t *this, host_t *host)
-{
-	if (this->dynamic)
-	{
-		this->type = host->get_family(host) == AF_INET ?
-				TS_IPV4_ADDR_RANGE : TS_IPV6_ADDR_RANGE;
-		
-		if (host->is_anyaddr(host))
-		{
-			memset(this->from6, 0x00, sizeof(this->from6));
-			memset(this->to6, 0xFF, sizeof(this->to6));
-		}
-		else
-		{
-			chunk_t from = host->get_address(host);
-			memcpy(this->from, from.ptr, from.len);
-			memcpy(this->to, from.ptr, from.len);
-		}
-	}
-}
-
-/**
- * Implements traffic_selector_t.is_contained_in.
- */
-static bool is_contained_in(private_traffic_selector_t *this,
-							private_traffic_selector_t *other)
-{
-	private_traffic_selector_t *subset;
-	bool contained_in = FALSE;
-	
-	subset = (private_traffic_selector_t*)get_subset(this, other);
-	
-	if (subset)
-	{
-		if (equals(subset, this))
-		{
-			contained_in = TRUE;
-		}
-		free(subset);
-	}
-	return contained_in;	
-}
-
-/**
- * Implements traffic_selector_t.includes.
- */
-static bool includes(private_traffic_selector_t *this, host_t *host)
-{
-	chunk_t addr;
-	int family = host->get_family(host);
-
-	if ((family == AF_INET && this->type == TS_IPV4_ADDR_RANGE) ||
-		(family == AF_INET6 && this->type == TS_IPV6_ADDR_RANGE))
-	{
-		addr = host->get_address(host);
-		
-		return memcmp(this->from, addr.ptr, addr.len) <= 0 &&
-				memcmp(this->to, addr.ptr, addr.len) >= 0;
-	}
-
-	return FALSE;	
-}
-
-/**
- * Implements traffic_selector_t.to_subnet.
- */
-static void to_subnet(private_traffic_selector_t *this, host_t **net, u_int8_t *mask)
-{
-	/* there is no way to do this cleanly, as the address range may
-	 * be anything else but a subnet. We use from_addr as subnet 
-	 * and try to calculate a usable subnet mask.
-	 */
-	int family, byte;
-	u_int16_t port = 0;
-	chunk_t net_chunk;
-	
-	*mask = calc_netbits(this);
-	
-	switch (this->type)
-	{
-		case TS_IPV4_ADDR_RANGE:
-		{
-			family = AF_INET;
-			net_chunk.len = sizeof(this->from4);
-			break;
-		}
-		case TS_IPV6_ADDR_RANGE:
-		{
-			family = AF_INET6;
-			net_chunk.len = sizeof(this->from6);
-			break;
-		}
-		default:
-		{
-			/* unreachable */
-			return;
-		}
-	}
-	
-	net_chunk.ptr = malloc(net_chunk.len);
-	memcpy(net_chunk.ptr, this->from, net_chunk.len);
-	
-	for (byte = net_chunk.len - 1; byte >= (*mask / 8); --byte)
-	{
-		int shift = (byte + 1) * 8 - *mask;
-		net_chunk.ptr[byte] = net_chunk.ptr[byte] & (0xFF << shift);
-	}
-	
-	if (this->to_port == this->from_port)
-	{
-		port = this->to_port;
-	}
-	
-	*net = host_create_from_chunk(family, net_chunk, port);	
-	chunk_free(&net_chunk);
-}
-
-/**
- * Implements traffic_selector_t.clone.
- */
-static traffic_selector_t *clone_(private_traffic_selector_t *this)
-{
-	private_traffic_selector_t *clone;
-	
-	clone = traffic_selector_create(this->protocol, this->type, 
-									this->from_port, this->to_port);
-	
-	clone->dynamic = this->dynamic;
-	switch (clone->type)
-	{
-		case TS_IPV4_ADDR_RANGE:
-		{
-			memcpy(clone->from4, this->from4, sizeof(this->from4));
-			memcpy(clone->to4, this->to4, sizeof(this->to4));
-			return &clone->public;
-		}
-		case TS_IPV6_ADDR_RANGE:
-		{
-			memcpy(clone->from6, this->from6, sizeof(this->from6));
-			memcpy(clone->to6, this->to6, sizeof(this->to6));
-			return &clone->public;
-		}
-		default:
-		{
-			/* unreachable */
-			return &clone->public;
-		}
-	}
-}
-
-/**
- * Implements traffic_selector_t.destroy.
- */
-static void destroy(private_traffic_selector_t *this)
-{
-	free(this);
-}
-
-/*
- * see header
- */
-traffic_selector_t *traffic_selector_create_from_bytes(u_int8_t protocol,
-												ts_type_t type, 
-												chunk_t from, u_int16_t from_port, 
-												chunk_t to, u_int16_t to_port)
-{
-	private_traffic_selector_t *this = traffic_selector_create(protocol, type,
-															from_port, to_port);
-	
-	switch (type)
-	{
-		case TS_IPV4_ADDR_RANGE:
-		{
-			if (from.len != 4 || to.len != 4)
-			{
-				free(this);
-				return NULL;
-			}
-			memcpy(this->from4, from.ptr, from.len);
-			memcpy(this->to4, to.ptr, to.len);
-			break;
-		}
-		case TS_IPV6_ADDR_RANGE:
-		{
-			if (from.len != 16 || to.len != 16)
-			{
-				free(this);
-				return NULL;
-			}
-			memcpy(this->from6, from.ptr, from.len);
-			memcpy(this->to6, to.ptr, to.len);
-			break;
-		}
-		default:
-		{
-			free(this);
-			return NULL;	
-		}
-	}
-	return (&this->public);
-}
-
-/*
- * see header
- */
-traffic_selector_t *traffic_selector_create_from_subnet(host_t *net, 
-							u_int8_t netbits, u_int8_t protocol, u_int16_t port)
-{
-	private_traffic_selector_t *this = traffic_selector_create(protocol, 0, 0, 65535);
-
-	switch (net->get_family(net))
-	{
-		case AF_INET:
-		{
-			chunk_t from;
-			
-			this->type = TS_IPV4_ADDR_RANGE;
-			from = net->get_address(net);
-			memcpy(this->from4, from.ptr, from.len);
-			if (this->from4[0] == 0)
-			{
-				/* use /0 for 0.0.0.0 */
-				this->to4[0] = ~0;
-			}
-			else
-			{
-				calc_range(this, netbits);
-			}
-			break;
-		}
-		case AF_INET6:
-		{
-			chunk_t from;
-			
-			this->type = TS_IPV6_ADDR_RANGE;
-			from = net->get_address(net);
-			memcpy(this->from6, from.ptr, from.len);
-			if (this->from6[0] == 0 && this->from6[1] == 0 &&
-				this->from6[2] == 0 && this->from6[3] == 0)
-			{
-				/* use /0 for ::0 */
-				this->to6[0] = ~0;
-				this->to6[1] = ~0;
-				this->to6[2] = ~0;
-				this->to6[3] = ~0;
-			}
-			else
-			{
-				calc_range(this, netbits);
-			}
-			break;
-		}
-		default:
-		{
-			net->destroy(net);
-			free(this);
-			return NULL;
-		}
-	}
-	if (port)
-	{
-		this->from_port = port;
-		this->to_port = port;
-	}
-	net->destroy(net);
-	return (&this->public);
-}
-
-/*
- * see header
- */
-traffic_selector_t *traffic_selector_create_from_string(
-										u_int8_t protocol, ts_type_t type,
-										char *from_addr, u_int16_t from_port,
-										char *to_addr, u_int16_t to_port)
-{
-	private_traffic_selector_t *this = traffic_selector_create(protocol, type,
-															from_port, to_port);
-
-	this->type = type;
-	switch (type)
-	{
-		case TS_IPV4_ADDR_RANGE:
-		{
-			if (inet_pton(AF_INET, from_addr, (struct in_addr*)this->from4) < 0)
-			{
-				free(this);
-				return NULL;
-			}
-			if (inet_pton(AF_INET, to_addr, (struct in_addr*)this->to4) < 0)
-			{
-				free(this);
-				return NULL;
-			}
-			break;	
-		}
-		case TS_IPV6_ADDR_RANGE:
-		{
-			if (inet_pton(AF_INET6, from_addr, (struct in6_addr*)this->from6) < 0)
-			{
-				free(this);
-				return NULL;
-			}
-			if (inet_pton(AF_INET6, to_addr, (struct in6_addr*)this->to6) < 0)
-			{
-				free(this);
-				return NULL;
-			}
-			break;
-		}
-	}
-	return (&this->public);
-}
-
-/*
- * see header
- */
-traffic_selector_t *traffic_selector_create_dynamic(u_int8_t protocol, 
-									u_int16_t from_port, u_int16_t to_port)
-{
-	private_traffic_selector_t *this = traffic_selector_create(
-							protocol, TS_IPV4_ADDR_RANGE, from_port, to_port);
-	
-	memset(this->from6, 0, sizeof(this->from6));
-	memset(this->to6, 0xFF, sizeof(this->to6));
-	
-	this->dynamic = TRUE;
-	
-	return &this->public;
-}
-
-/*
- * see declaration
- */
-static private_traffic_selector_t *traffic_selector_create(u_int8_t protocol,
-						ts_type_t type, u_int16_t from_port, u_int16_t to_port)
-{
-	private_traffic_selector_t *this = malloc_thing(private_traffic_selector_t);
-
-	/* public functions */
-	this->public.get_subset = (traffic_selector_t*(*)(traffic_selector_t*,traffic_selector_t*))get_subset;
-	this->public.equals = (bool(*)(traffic_selector_t*,traffic_selector_t*))equals;
-	this->public.get_from_address = (chunk_t(*)(traffic_selector_t*))get_from_address;
-	this->public.get_to_address = (chunk_t(*)(traffic_selector_t*))get_to_address;
-	this->public.get_from_port = (u_int16_t(*)(traffic_selector_t*))get_from_port;
-	this->public.get_to_port = (u_int16_t(*)(traffic_selector_t*))get_to_port;	
-	this->public.get_type = (ts_type_t(*)(traffic_selector_t*))get_type;
-	this->public.get_protocol = (u_int8_t(*)(traffic_selector_t*))get_protocol;
-	this->public.is_host = (bool(*)(traffic_selector_t*,host_t*))is_host;
-	this->public.is_dynamic = (bool(*)(traffic_selector_t*))is_dynamic;
-	this->public.is_contained_in = (bool(*)(traffic_selector_t*,traffic_selector_t*))is_contained_in;
-	this->public.includes = (bool(*)(traffic_selector_t*,host_t*))includes;
-	this->public.set_address = (void(*)(traffic_selector_t*,host_t*))set_address;
-	this->public.to_subnet = (void(*)(traffic_selector_t*,host_t**,u_int8_t*))to_subnet;
-	this->public.clone = (traffic_selector_t*(*)(traffic_selector_t*))clone_;
-	this->public.destroy = (void(*)(traffic_selector_t*))destroy;
-	
-	this->from_port = from_port;
-	this->to_port = to_port;
-	this->protocol = protocol;
-	this->type = type;
-	this->dynamic = FALSE;
-	
-	return this;
-}
-
diff --git a/src/charon/config/traffic_selector.h b/src/charon/config/traffic_selector.h
deleted file mode 100644
index a57da43a8..000000000
--- a/src/charon/config/traffic_selector.h
+++ /dev/null
@@ -1,304 +0,0 @@
-/*
- * Copyright (C) 2007 Tobias Brunner
- * Copyright (C) 2005-2006 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup traffic_selector traffic_selector
- * @{ @ingroup config
- */
-
-#ifndef TRAFFIC_SELECTOR_H_
-#define TRAFFIC_SELECTOR_H_
-
-typedef enum ts_type_t ts_type_t;
-typedef struct traffic_selector_t traffic_selector_t;
-
-#include <library.h>
-#include <utils/host.h>
-
-/**
- * Traffic selector types.
- */
-enum ts_type_t {
-	
-	/**
-	 * A range of IPv4 addresses, represented by two four (4) octet
-     * values.  The first value is the beginning IPv4 address
-     * (inclusive) and the second value is the ending IPv4 address
-     * (inclusive). All addresses falling between the two specified
-     * addresses are considered to be within the list.
-     */
-	TS_IPV4_ADDR_RANGE = 7,
-	
-	/**
-	 * A range of IPv6 addresses, represented by two sixteen (16)
-     * octet values.  The first value is the beginning IPv6 address
-     * (inclusive) and the second value is the ending IPv6 address
-     * (inclusive). All addresses falling between the two specified
-     *  addresses are considered to be within the list.
-	 */
-	TS_IPV6_ADDR_RANGE = 8
-};
-
-/**
- * enum names for ts_type_t
- */
-extern enum_name_t *ts_type_name;
-
-/**
- * Object representing a traffic selector entry.
- *
- * A traffic selector defines an range of addresses
- * and a range of ports. IPv6 is not fully supported yet.
- */
-struct traffic_selector_t {
-	
-	/**
-	 * Compare two traffic selectors, and create a new one
-	 * which is the largest subset of both (subnet & port).
-	 *
-	 * Resulting traffic_selector is newly created and must be destroyed.
-	 *
-	 * @param other		traffic selector to compare
-	 * @return
-	 * 					- created subset of them
-	 * 					- or NULL if no match between this and other
-	 */
-	traffic_selector_t *(*get_subset)  (traffic_selector_t *this, 
-										traffic_selector_t *other);
-	
-	/**
-	 * Clone a traffic selector.
-	 *
-	 * @return			clone of it
-	 */
-	traffic_selector_t *(*clone) (traffic_selector_t *this);
-	
-	/**
-	 * Get starting address of this ts as a chunk.
-	 *
-	 * Chunk is in network order and points to internal data.
-	 *
-	 * @return			chunk containing the address
-	 */
-	chunk_t (*get_from_address) (traffic_selector_t *this);
-	
-	/**
-	 * Get ending address of this ts as a chunk.
-	 *
-	 * Chunk is in network order and points to internal data.
-	 *
-	 * @return			chunk containing the address
-	 */
-	chunk_t (*get_to_address) (traffic_selector_t *this);
-	
-	/**
-	 * Get starting port of this ts.
-	 * 
-	 * Port is in host order, since the parser converts it.
-	 * Size depends on protocol.
-	 *  
-	 * @return			port
-	 */
-	u_int16_t (*get_from_port) (traffic_selector_t *this);
-	
-	/**
-	 * Get ending port of this ts.
-	 *
-	 * Port is in host order, since the parser converts it.
-	 * Size depends on protocol.
-	 *
-	 * @return			port
-	 */
-	u_int16_t (*get_to_port) (traffic_selector_t *this);
-	
-	/**
-	 * Get the type of the traffic selector.
-	 *
-	 * @return			ts_type_t specifying the type
-	 */
-	ts_type_t (*get_type) (traffic_selector_t *this);
-	
-	/**
-	 * Get the protocol id of this ts.
-	 *
-	 * @return			protocol id
-	 */
-	u_int8_t (*get_protocol) (traffic_selector_t *this);
-	
-	/**
-	 * Check if the traffic selector is for a single host.
-	 *
-	 * Traffic selector may describe the end of *-to-host tunnel. In this
-	 * case, the address range is a single address equal to the hosts
-	 * peer address.
-	 * If host is NULL, the traffic selector is checked if it is a single host,
-	 * but not a specific one.
-	 *
-	 * @param host		host_t specifying the address range
-	 */
-	bool (*is_host) (traffic_selector_t *this, host_t* host);
-	
-	/**
-	 * Check if a traffic selector has been created by create_dynamic().
-	 *
-	 * @return			TRUE if TS is dynamic
-	 */
-	bool (*is_dynamic)(traffic_selector_t *this);
-	
-	/**
-	 * Update the address of a traffic selector.
-	 *
-	 * Update the address range of a traffic selector, if it is
-	 * constructed with the traffic_selector_create_dynamic().
-	 *
-	 * @param host		host_t specifying the address
-	 */
-	void (*set_address) (traffic_selector_t *this, host_t* host);
-	
-	/**
-	 * Compare two traffic selectors for equality.
-	 * 
-	 * @param other		ts to compare with this
-	 * @return 			TRUE if equal, FALSE otherwise
-	 */
-	bool (*equals) (traffic_selector_t *this, traffic_selector_t *other);
-	
-	/**
-	 * Check if a traffic selector is contained completly in another.
-	 *
-	 * contains() allows to check if multiple traffic selectors are redundant.
-	 *
-	 * @param other		ts that contains this
-	 * @return			TRUE if other contains this completly, FALSE otherwise
-	 */
-	bool (*is_contained_in) (traffic_selector_t *this, traffic_selector_t *other);
-
-	/**
-	 * Check if a specific host is included in the address range of 
-	 * this traffic selector.
-	 *
-	 * @param host		the host to check
-	 */
-	bool (*includes) (traffic_selector_t *this, host_t *host);
-	
-	/**
-	 * Convert a traffic selector address range to a subnet
-	 * and its net mask.
-	 * If from and to ports of this traffic selector are equal,
-	 * the port of the returned host_t is set to that port.
-	 * 
-	 * @param net		converted subnet (has to be freed)
-	 * @param mask		converted net mask
-	 */
-	void (*to_subnet) (traffic_selector_t *this, host_t **net, u_int8_t *mask);
-	
-	/**
-	 * Destroys the ts object
-	 */
-	void (*destroy) (traffic_selector_t *this);
-};
-
-/**
- * Create a new traffic selector using human readable params.
- * 
- * @param protocol 		protocol for this ts, such as TCP or UDP
- * @param type			type of following addresses, such as TS_IPV4_ADDR_RANGE
- * @param from_addr		start of address range as string
- * @param from_port		port number in host order
- * @param to_addr		end of address range as string
- * @param to_port		port number in host order
- * @return
- * 						- traffic_selector_t object
- * 						- NULL if invalid address strings/protocol
- */
-traffic_selector_t *traffic_selector_create_from_string(
-									u_int8_t protocol, ts_type_t type,
-									char *from_addr, u_int16_t from_port,
-									char *to_addr, u_int16_t to_port);
-
-/**
- * Create a new traffic selector using data read from the net.
- * 
- * There exists a mix of network and host order in the params.
- * But the parser gives us this data in this format, so we
- * don't have to convert twice.
- * 
- * @param protocol 		protocol for this ts, such as TCP or UDP
- * @param type			type of following addresses, such as TS_IPV4_ADDR_RANGE
- * @param from_address	start of address range, network order
- * @param from_port		port number, host order
- * @param to_address	end of address range, network order
- * @param to_port		port number, host order
- * @return				traffic_selector_t object
- */
-traffic_selector_t *traffic_selector_create_from_bytes(
-								u_int8_t protocol, ts_type_t type,
-								chunk_t from_address, u_int16_t from_port,
-								chunk_t to_address, u_int16_t to_port);
-
-/**
- * Create a new traffic selector defining a whole subnet.
- * 
- * In most cases, definition of a traffic selector for full subnets
- * is sufficient. This constructor creates a traffic selector for
- * all protocols, all ports and the address range specified by the
- * subnet.
- * Additionally, a protocol and a port may be specified. Port ranges
- * are not supported via this constructor.
- * 
- * @param net			subnet to use
- * @param netbits		size of the subnet, as used in e.g. 192.168.0.0/24 notation
- * @param protocol 		protocol for this ts, such as TCP or UDP
- * @param port			port number, host order
- * @return
- * 						- traffic_selector_t object
- * 						- NULL if address family of net not supported
- */
-traffic_selector_t *traffic_selector_create_from_subnet(
-									host_t *net, u_int8_t netbits, 
-									u_int8_t protocol, u_int16_t port);
-
-/**
- * Create a traffic selector for host-to-host cases.
- * 
- * For host2host or virtual IP setups, the traffic selectors gets
- * created at runtime using the external/virtual IP. Using this constructor,
- * a call to set_address() sets this traffic selector to the supplied host.
- * 
- * 
- * @param protocol		upper layer protocl to allow
- * @param from_port		start of allowed port range
- * @param to_port		end of range
- * @return
- * 						- traffic_selector_t object
- * 						- NULL if type not supported
- */
-traffic_selector_t *traffic_selector_create_dynamic(u_int8_t protocol,
-									u_int16_t from_port, u_int16_t to_port);
-
-/**
- * printf hook function for traffic_selector_t.
- *
- * Arguments are: 
- *    traffic_selector_t *ts
- * With the #-specifier, arguments are:
- *    linked_list_t *list containing traffic_selector_t*
- */
-int traffic_selector_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
-								 const void *const *args);
-
-#endif /** TRAFFIC_SELECTOR_H_ @}*/
diff --git a/src/charon/control/controller.c b/src/charon/control/controller.c
index 021cb4fdd..94c64028c 100644
--- a/src/charon/control/controller.c
+++ b/src/charon/control/controller.c
@@ -47,42 +47,42 @@ struct interface_listener_t {
 	 * public bus listener interface
 	 */
 	listener_t public;
-	
+
 	/**
 	 * status of the operation, return to method callers
 	 */
 	status_t status;
-	
+
 	/**
 	 *  interface callback (listener gets redirected to here)
 	 */
 	controller_cb_t callback;
-	
+
 	/**
 	 * user parameter to pass to callback
 	 */
 	void *param;
-	
+
 	/**
 	 * child configuration, used for initiate
 	 */
 	child_cfg_t *child_cfg;
-	
+
 	/**
 	 * peer configuration, used for initiate
 	 */
 	peer_cfg_t *peer_cfg;
-	
+
 	/**
 	 * IKE_SA to handle
 	 */
 	ike_sa_t *ike_sa;
-	
+
 	/**
 	 * CHILD_SA to handle
 	 */
 	child_sa_t *child_sa;
-	
+
 	/**
 	 * unique ID, used for various methods
 	 */
@@ -92,17 +92,17 @@ struct interface_listener_t {
 
 typedef struct interface_job_t interface_job_t;
 
-/** 
+/**
  * job for asynchronous listen operations
  */
 struct interface_job_t {
-	/** 
-	 * job interface 
+	/**
+	 * job interface
 	 */
 	job_t public;
-	
-	/** 
-	 * associated listener 
+
+	/**
+	 * associated listener
 	 */
 	interface_listener_t listener;
 };
@@ -138,7 +138,7 @@ static bool listener_ike_state(interface_listener_t *this, ike_sa_t *ike_sa,
 			case IKE_ESTABLISHED:
 			{	/* mediation connections are complete without CHILD_SA */
 				peer_cfg_t *peer_cfg = ike_sa->get_peer_cfg(ike_sa);
-				
+
 				if (peer_cfg->is_mediation(peer_cfg))
 				{
 					this->status = SUCCESS;
@@ -219,17 +219,17 @@ static status_t initiate_execute(interface_job_t *job)
 	ike_sa_t *ike_sa;
 	interface_listener_t *listener = &job->listener;
 	peer_cfg_t *peer_cfg = listener->peer_cfg;
-	
+
 	ike_sa = charon->ike_sa_manager->checkout_by_config(charon->ike_sa_manager,
 														peer_cfg);
 	listener->ike_sa = ike_sa;
-	
+
 	if (ike_sa->get_peer_cfg(ike_sa) == NULL)
 	{
 		ike_sa->set_peer_cfg(ike_sa, peer_cfg);
 	}
 	peer_cfg->destroy(peer_cfg);
-	
+
 	if (ike_sa->initiate(ike_sa, listener->child_cfg, 0, NULL, NULL) == SUCCESS)
 	{
 		charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
@@ -279,9 +279,9 @@ static status_t terminate_ike_execute(interface_job_t *job)
 {
 	interface_listener_t *listener = &job->listener;
 	ike_sa_t *ike_sa = listener->ike_sa;
-	
+
 	charon->bus->set_sa(charon->bus, ike_sa);
-	
+
 	if (ike_sa->delete(ike_sa) != DESTROY_ME)
 	{
 		charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
@@ -295,7 +295,7 @@ static status_t terminate_ike_execute(interface_job_t *job)
 /**
  * Implementation of controller_t.terminate_ike.
  */
-static status_t terminate_ike(controller_t *this, u_int32_t unique_id, 
+static status_t terminate_ike(controller_t *this, u_int32_t unique_id,
 							  controller_cb_t callback, void *param)
 {
 	ike_sa_t *ike_sa;
@@ -316,7 +316,7 @@ static status_t terminate_ike(controller_t *this, u_int32_t unique_id,
 			.destroy = (void*)recheckin,
 		},
 	};
-	
+
 	ike_sa = charon->ike_sa_manager->checkout_by_id(charon->ike_sa_manager,
 													unique_id, FALSE);
 	if (ike_sa == NULL)
@@ -325,7 +325,7 @@ static status_t terminate_ike(controller_t *this, u_int32_t unique_id,
 		return NOT_FOUND;
 	}
 	job.listener.ike_sa = ike_sa;
-	
+
 	if (callback == NULL)
 	{
 		return terminate_ike_execute(&job);
@@ -342,7 +342,7 @@ static status_t terminate_child_execute(interface_job_t *job)
 	interface_listener_t *listener = &job->listener;
 	ike_sa_t *ike_sa = listener->ike_sa;
 	child_sa_t *child_sa = listener->child_sa;
-	
+
 	charon->bus->set_sa(charon->bus, ike_sa);
 	if (ike_sa->delete_child_sa(ike_sa, child_sa->get_protocol(child_sa),
 								child_sa->get_spi(child_sa, TRUE)) != DESTROY_ME)
@@ -357,7 +357,7 @@ static status_t terminate_child_execute(interface_job_t *job)
 /**
  * Implementation of controller_t.terminate_child.
  */
-static status_t terminate_child(controller_t *this, u_int32_t reqid, 
+static status_t terminate_child(controller_t *this, u_int32_t reqid,
 								controller_cb_t callback, void *param)
 {
 	ike_sa_t *ike_sa;
@@ -380,9 +380,9 @@ static status_t terminate_child(controller_t *this, u_int32_t reqid,
 			.destroy = (void*)recheckin,
 		},
 	};
-	
+
 	ike_sa = charon->ike_sa_manager->checkout_by_id(charon->ike_sa_manager,
-													reqid, TRUE);							
+													reqid, TRUE);
 	if (ike_sa == NULL)
 	{
 		DBG1(DBG_IKE, "unable to terminate, CHILD_SA with ID %d not found",
@@ -390,7 +390,7 @@ static status_t terminate_child(controller_t *this, u_int32_t reqid,
 		return NOT_FOUND;
 	}
 	job.listener.ike_sa = ike_sa;
-	
+
 	iterator = ike_sa->create_child_sa_iterator(ike_sa);
 	while (iterator->iterate(iterator, (void**)&child_sa))
 	{
@@ -402,7 +402,7 @@ static status_t terminate_child(controller_t *this, u_int32_t reqid,
 		child_sa = NULL;
 	}
 	iterator->destroy(iterator);
-	
+
 	if (child_sa == NULL)
 	{
 		DBG1(DBG_IKE, "unable to terminate, established "
@@ -443,13 +443,13 @@ static void destroy(private_controller_t *this)
 controller_t *controller_create(void)
 {
 	private_controller_t *this = malloc_thing(private_controller_t);
-	
+
 	this->public.create_ike_sa_enumerator = (enumerator_t*(*)(controller_t*))create_ike_sa_enumerator;
 	this->public.initiate = (status_t(*)(controller_t*,peer_cfg_t*,child_cfg_t*,controller_cb_t,void*))initiate;
 	this->public.terminate_ike = (status_t(*)(controller_t*,u_int32_t,controller_cb_t, void*))terminate_ike;
 	this->public.terminate_child = (status_t(*)(controller_t*,u_int32_t,controller_cb_t, void *param))terminate_child;
 	this->public.destroy = (void (*)(controller_t*))destroy;
-	
+
 	return &this->public;
 }
 
diff --git a/src/charon/control/controller.h b/src/charon/control/controller.h
index 3c928d2ea..31b69c78c 100644
--- a/src/charon/control/controller.h
+++ b/src/charon/control/controller.h
@@ -95,7 +95,7 @@ struct controller_t {
 	 * Terminate an IKE_SA and all of its CHILD_SAs.
 	 *
 	 * The terminate() function is synchronous and thus blocks until the
-	 * IKE_SA is properly deleted, or the delete timed out. 
+	 * IKE_SA is properly deleted, or the delete timed out.
 	 * The terminate() function contains a thread cancellation point.
 	 *
 	 * @param unique_id		unique id of the IKE_SA to terminate.
@@ -106,9 +106,9 @@ struct controller_t {
 	 *						- NOT_FOUND, if no such CHILD_SA found
 	 *						- NEED_MORE, if callback returned FALSE
 	 */
-	status_t (*terminate_ike)(controller_t *this, u_int32_t unique_id, 
+	status_t (*terminate_ike)(controller_t *this, u_int32_t unique_id,
 							  controller_cb_t callback, void *param);
-	
+
 	/**
 	 * Terminate a CHILD_SA.
 	 *
@@ -120,9 +120,9 @@ struct controller_t {
 	 *						- NOT_FOUND, if no such CHILD_SA found
 	 *						- NEED_MORE, if callback returned FALSE
 	 */
-	status_t (*terminate_child)(controller_t *this, u_int32_t reqid, 
+	status_t (*terminate_child)(controller_t *this, u_int32_t reqid,
 								controller_cb_t callback, void *param);
-	
+
 	/**
 	 * Destroy a controller_t instance.
 	 */
@@ -132,7 +132,7 @@ struct controller_t {
 
 /**
  * Creates a controller instance.
- * 
+ *
  * @return 			controller_t object
  */
 controller_t *controller_create(void);
diff --git a/src/charon/credentials/credential_manager.c b/src/charon/credentials/credential_manager.c
index 0967cbc81..adea0b4be 100644
--- a/src/charon/credentials/credential_manager.c
+++ b/src/charon/credentials/credential_manager.c
@@ -13,12 +13,12 @@
  * for more details.
  */
 
-#include <pthread.h>
-
 #include "credential_manager.h"
 
 #include <daemon.h>
-#include <utils/mutex.h>
+#include <threading/thread_value.h>
+#include <threading/mutex.h>
+#include <threading/rwlock.h>
 #include <utils/linked_list.h>
 #include <credentials/sets/cert_cache.h>
 #include <credentials/sets/auth_cfg_wrapper.h>
@@ -28,8 +28,6 @@
 #include <credentials/certificates/ocsp_request.h>
 #include <credentials/certificates/ocsp_response.h>
 
-#define MAX_CA_LEVELS 6
-
 typedef struct private_credential_manager_t private_credential_manager_t;
 
 /**
@@ -41,31 +39,36 @@ struct private_credential_manager_t {
 	 * public functions
 	 */
 	credential_manager_t public;
-	
+
 	/**
 	 * list of credential sets
 	 */
 	linked_list_t *sets;
-	
+
 	/**
 	 * thread local set of credentials, linked_list_t with credential_set_t's
 	 */
-	pthread_key_t local_sets;
-	
+	thread_value_t *local_sets;
+
 	/**
 	 * trust relationship and certificate cache
 	 */
 	cert_cache_t *cache;
-	
+
 	/**
 	 * certificates queued for persistent caching
 	 */
 	linked_list_t *cache_queue;
-	
+
 	/**
 	 * read-write lock to sets list
 	 */
 	rwlock_t *lock;
+
+	/**
+	 * mutex for cache queue
+	 */
+	mutex_t *queue_mutex;
 };
 
 /** data to pass to create_private_enumerator */
@@ -149,12 +152,12 @@ static enumerator_t *create_sets_enumerator(private_credential_manager_t *this)
 {
 	linked_list_t *local;
 	sets_enumerator_t *enumerator = malloc_thing(sets_enumerator_t);
-	
+
 	enumerator->public.enumerate = (void*)sets_enumerator_enumerate;
 	enumerator->public.destroy = (void*)sets_enumerator_destroy;
 	enumerator->global = this->sets->create_enumerator(this->sets);
 	enumerator->local = NULL;
-	local = pthread_getspecific(this->local_sets);
+	local = this->local_sets->get(this->local_sets);
 	if (local)
 	{
 		enumerator->local = local->create_enumerator(local);
@@ -176,7 +179,7 @@ static void destroy_cert_data(cert_data_t *data)
  */
 static enumerator_t *create_cert(credential_set_t *set, cert_data_t *data)
 {
-	return set->create_cert_enumerator(set, data->cert, data->key, 
+	return set->create_cert_enumerator(set, data->cert, data->key,
 									   data->id, data->trusted);
 }
 
@@ -193,7 +196,7 @@ static enumerator_t *create_cert_enumerator(private_credential_manager_t *this,
 	data->key = key;
 	data->id = id;
 	data->trusted = trusted;
-	
+
 	this->lock->read_lock(this->lock);
 	return enumerator_create_nested(create_sets_enumerator(this),
 									(void*)create_cert, data,
@@ -209,7 +212,7 @@ static certificate_t *get_cert(private_credential_manager_t *this,
 {
 	certificate_t *current, *found = NULL;
 	enumerator_t *enumerator;
-	
+
 	enumerator = create_cert_enumerator(this, cert, key, id, trusted);
 	if (enumerator->enumerate(enumerator, &current))
 	{
@@ -247,7 +250,7 @@ static enumerator_t * create_cdp_enumerator(private_credential_manager_t *this,
 	data->this = this;
 	data->type = type;
 	data->id = id;
-	
+
 	this->lock->read_lock(this->lock);
 	return enumerator_create_nested(create_sets_enumerator(this),
 									(void*)create_cdp, data,
@@ -276,10 +279,10 @@ static enumerator_t *create_private(credential_set_t *set, private_data_t *data)
  */
 static enumerator_t* create_private_enumerator(
 									private_credential_manager_t *this,
-								    key_type_t key, identification_t *keyid)
+									key_type_t key, identification_t *keyid)
 {
 	private_data_t *data;
-	
+
 	data = malloc_thing(private_data_t);
 	data->this = this;
 	data->type = key;
@@ -292,13 +295,13 @@ static enumerator_t* create_private_enumerator(
 
 /**
  * Implementation of credential_manager_t.get_private_by_keyid.
- */   
+ */
 static private_key_t *get_private_by_keyid(private_credential_manager_t *this,
-										   key_type_t key, identification_t *keyid)
+										key_type_t key, identification_t *keyid)
 {
 	private_key_t *found = NULL;
 	enumerator_t *enumerator;
-	
+
 	enumerator = create_private_enumerator(this, key, keyid);
 	if (enumerator->enumerate(enumerator, &found))
 	{
@@ -328,7 +331,7 @@ static enumerator_t *create_shared(credential_set_t *set, shared_data_t *data)
 /**
  * Implementation of credential_manager_t.create_shared_enumerator.
  */
-static enumerator_t *create_shared_enumerator(private_credential_manager_t *this, 
+static enumerator_t *create_shared_enumerator(private_credential_manager_t *this,
 						shared_key_type_t type,
 						identification_t *me, identification_t *other)
 {
@@ -337,16 +340,16 @@ static enumerator_t *create_shared_enumerator(private_credential_manager_t *this
 	data->type = type;
 	data->me = me;
 	data->other = other;
-	
+
 	this->lock->read_lock(this->lock);
 	return enumerator_create_nested(create_sets_enumerator(this),
-									(void*)create_shared, data, 
+									(void*)create_shared, data,
 									(void*)destroy_shared_data);
 }
 
 /**
  * Implementation of credential_manager_t.get_shared.
- */   
+ */
 static shared_key_t *get_shared(private_credential_manager_t *this,
 								shared_key_type_t type,	identification_t *me,
 								identification_t *other)
@@ -355,7 +358,7 @@ static shared_key_t *get_shared(private_credential_manager_t *this,
 	id_match_t *best_me = ID_MATCH_NONE, *best_other = ID_MATCH_NONE;
 	id_match_t *match_me, *match_other;
 	enumerator_t *enumerator;
-	
+
 	enumerator = create_shared_enumerator(this, type, me, other);
 	while (enumerator->enumerate(enumerator, &current, &match_me, &match_other))
 	{
@@ -380,11 +383,11 @@ static void add_local_set(private_credential_manager_t *this,
 {
 	linked_list_t *sets;
 
-	sets = pthread_getspecific(this->local_sets);
+	sets = this->local_sets->get(this->local_sets);
 	if (!sets)
 	{	/* first invocation */
 		sets = linked_list_create();
-		pthread_setspecific(this->local_sets, sets);
+		this->local_sets->set(this->local_sets, sets);
 	}
 	sets->insert_last(sets, set);
 }
@@ -396,8 +399,8 @@ static void remove_local_set(private_credential_manager_t *this,
 							 credential_set_t *set)
 {
 	linked_list_t *sets;
-	
-	sets = pthread_getspecific(this->local_sets);
+
+	sets = this->local_sets->get(this->local_sets);
 	sets->remove(sets, set, NULL);
 }
 
@@ -408,7 +411,7 @@ static void cache_cert(private_credential_manager_t *this, certificate_t *cert)
 {
 	credential_set_t *set;
 	enumerator_t *enumerator;
-	
+
 	if (this->lock->try_write_lock(this->lock))
 	{
 		enumerator = this->sets->create_enumerator(this->sets);
@@ -417,13 +420,14 @@ static void cache_cert(private_credential_manager_t *this, certificate_t *cert)
 			set->cache_cert(set, cert);
 		}
 		enumerator->destroy(enumerator);
+		this->lock->unlock(this->lock);
 	}
 	else
 	{	/* we can't cache now as other threads are active, queue for later */
-		this->lock->read_lock(this->lock);
+		this->queue_mutex->lock(this->queue_mutex);
 		this->cache_queue->insert_last(this->cache_queue, cert->get_ref(cert));
+		this->queue_mutex->unlock(this->queue_mutex);
 	}
-	this->lock->unlock(this->lock);
 }
 
 /**
@@ -434,7 +438,8 @@ static void cache_queue(private_credential_manager_t *this)
 	credential_set_t *set;
 	certificate_t *cert;
 	enumerator_t *enumerator;
-	
+
+	this->queue_mutex->lock(this->queue_mutex);
 	if (this->cache_queue->get_count(this->cache_queue) > 0 &&
 		this->lock->try_write_lock(this->lock))
 	{
@@ -451,10 +456,11 @@ static void cache_queue(private_credential_manager_t *this)
 		}
 		this->lock->unlock(this->lock);
 	}
+	this->queue_mutex->unlock(this->queue_mutex);
 }
 
 /**
- * forward declaration 
+ * forward declaration
  */
 static enumerator_t *create_trusted_enumerator(private_credential_manager_t *this,
 					key_type_t type, identification_t *id, bool crl, bool ocsp);
@@ -467,7 +473,7 @@ static certificate_t *fetch_ocsp(private_credential_manager_t *this, char *url,
 {
 	certificate_t *request, *response;
 	chunk_t send, receive;
-	
+
 	/* TODO: requestor name, signature */
 	request = lib->creds->create(lib->creds,
 						CRED_CERTIFICATE, CERT_X509_OCSP_REQUEST,
@@ -478,12 +484,12 @@ static certificate_t *fetch_ocsp(private_credential_manager_t *this, char *url,
 		DBG1(DBG_CFG, "generating ocsp request failed");
 		return NULL;
 	}
-	
+
 	send = request->get_encoding(request);
 	request->destroy(request);
 
 	DBG1(DBG_CFG, "  requesting ocsp status from '%s' ...", url);
-	if (lib->fetcher->fetch(lib->fetcher, url, &receive, 
+	if (lib->fetcher->fetch(lib->fetcher, url, &receive,
 							FETCH_REQUEST_DATA, send,
 							FETCH_REQUEST_TYPE, "application/ocsp-request",
 							FETCH_END) != SUCCESS)
@@ -493,7 +499,7 @@ static certificate_t *fetch_ocsp(private_credential_manager_t *this, char *url,
 		return NULL;
 	}
 	chunk_free(&send);
-	
+
 	response = lib->creds->create(lib->creds,
 								  CRED_CERTIFICATE, CERT_X509_OCSP_RESPONSE,
 								  BUILD_BLOB_ASN1_DER, receive, BUILD_END);
@@ -507,9 +513,9 @@ static certificate_t *fetch_ocsp(private_credential_manager_t *this, char *url,
 }
 
 /**
- * check the signature of an OCSP response 
+ * check the signature of an OCSP response
  */
-static bool verify_ocsp(private_credential_manager_t *this, 
+static bool verify_ocsp(private_credential_manager_t *this,
 						ocsp_response_t *response)
 {
 	certificate_t *issuer, *subject;
@@ -520,7 +526,7 @@ static bool verify_ocsp(private_credential_manager_t *this,
 
 	wrapper = ocsp_response_wrapper_create((ocsp_response_t*)response);
 	add_local_set(this, &wrapper->set);
-	
+
 	subject = &response->certificate;
 	responder = subject->get_issuer(subject);
 	enumerator = create_trusted_enumerator(this, KEY_ANY, responder, FALSE, FALSE);
@@ -529,13 +535,13 @@ static bool verify_ocsp(private_credential_manager_t *this,
 		if (this->cache->issued_by(this->cache, subject, issuer))
 		{
 			DBG1(DBG_CFG, "  ocsp response correctly signed by \"%Y\"",
-						     issuer->get_subject(issuer));
+							 issuer->get_subject(issuer));
 			verified = TRUE;
 			break;
 		}
 	}
 	enumerator->destroy(enumerator);
-	
+
 	remove_local_set(this, &wrapper->set);
 	wrapper->destroy(wrapper);
 	return verified;
@@ -553,7 +559,7 @@ static certificate_t *get_better_ocsp(private_credential_manager_t *this,
 	time_t revocation, this_update, next_update, valid_until;
 	crl_reason_t reason;
 	bool revoked = FALSE;
-	
+
 	response = (ocsp_response_t*)cand;
 
 	/* check ocsp signature */
@@ -570,7 +576,7 @@ static certificate_t *get_better_ocsp(private_credential_manager_t *this,
 		case VALIDATION_REVOKED:
 			/* subject has been revoked by a valid OCSP response */
 			DBG1(DBG_CFG, "certificate was revoked on %T, reason: %N",
-				 		  &revocation, TRUE, crl_reason_names, reason);
+						  &revocation, TRUE, crl_reason_names, reason);
 			revoked = TRUE;
 			break;
 		case VALIDATION_GOOD:
@@ -622,14 +628,15 @@ static certificate_t *get_better_ocsp(private_credential_manager_t *this,
  * validate a x509 certificate using OCSP
  */
 static cert_validation_t check_ocsp(private_credential_manager_t *this,
-								    x509_t *subject, x509_t *issuer, 
-								    auth_cfg_t *auth)
+									x509_t *subject, x509_t *issuer,
+									auth_cfg_t *auth)
 {
 	enumerator_t *enumerator;
 	cert_validation_t valid = VALIDATION_SKIPPED;
 	certificate_t *best = NULL, *current;
 	identification_t *keyid = NULL;
 	public_key_t *public;
+	chunk_t chunk;
 	char *uri = NULL;
 
 	/** lookup cache for valid OCSP responses */
@@ -651,9 +658,9 @@ static cert_validation_t check_ocsp(private_credential_manager_t *this,
 	/* derive the authorityKeyIdentifier from the issuer's public key */
 	current = &issuer->interface;
 	public = current->get_public_key(current);
-	if (public)
+	if (public && public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1, &chunk))
 	{
-		keyid = public->get_id(public, ID_PUBKEY_SHA1);
+		keyid = identification_create_from_encoding(ID_KEY_ID, chunk);
 	}
 	/** fetch from configured OCSP responder URLs */
 	if (keyid && valid != VALIDATION_GOOD && valid != VALIDATION_REVOKED)
@@ -676,6 +683,7 @@ static cert_validation_t check_ocsp(private_credential_manager_t *this,
 		enumerator->destroy(enumerator);
 	}
 	DESTROY_IF(public);
+	DESTROY_IF(keyid);
 
 	/* fallback to URL fetching from subject certificate's URIs */
 	if (valid != VALIDATION_GOOD && valid != VALIDATION_REVOKED)
@@ -721,7 +729,7 @@ static certificate_t* fetch_crl(private_credential_manager_t *this, char *url)
 {
 	certificate_t *crl;
 	chunk_t chunk;
-	
+
 	DBG1(DBG_CFG, "  fetching crl from '%s' ...", url);
 	if (lib->fetcher->fetch(lib->fetcher, url, &chunk, FETCH_END) != SUCCESS)
 	{
@@ -747,7 +755,7 @@ static bool verify_crl(private_credential_manager_t *this, certificate_t *crl)
 	certificate_t *issuer;
 	enumerator_t *enumerator;
 	bool verified = FALSE;
-	
+
 	enumerator = create_trusted_enumerator(this, KEY_ANY, crl->get_issuer(crl),
 										   FALSE, FALSE);
 	while (enumerator->enumerate(enumerator, &issuer, NULL))
@@ -761,7 +769,7 @@ static bool verify_crl(private_credential_manager_t *this, certificate_t *crl)
 		}
 	}
 	enumerator->destroy(enumerator);
-	
+
 	return verified;
 }
 
@@ -786,7 +794,7 @@ static certificate_t *get_better_crl(private_credential_manager_t *this,
 		cand->destroy(cand);
 		return best;
 	}
-	
+
 	crl = (crl_t*)cand;
 	enumerator = crl->create_enumerator(crl);
 	while (enumerator->enumerate(enumerator, &serial, &revocation, &reason))
@@ -835,7 +843,7 @@ static certificate_t *get_better_crl(private_credential_manager_t *this,
  * validate a x509 certificate using CRL
  */
 static cert_validation_t check_crl(private_credential_manager_t *this,
-								   x509_t *subject, x509_t *issuer, 
+								   x509_t *subject, x509_t *issuer,
 								   auth_cfg_t *auth)
 {
 	cert_validation_t valid = VALIDATION_SKIPPED;
@@ -844,20 +852,18 @@ static cert_validation_t check_crl(private_credential_manager_t *this,
 	certificate_t *current;
 	public_key_t *public;
 	enumerator_t *enumerator;
+	chunk_t chunk;
 	char *uri = NULL;
-	
+
 	/* derive the authorityKeyIdentifier from the issuer's public key */
 	current = &issuer->interface;
 	public = current->get_public_key(current);
-	if (public)
-	{
-		keyid = public->get_id(public, ID_PUBKEY_SHA1);
-	}
-	
-	/* find a cached crl by authorityKeyIdentifier */
-	if (keyid)
+	if (public && public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1, &chunk))
 	{
-		enumerator = create_cert_enumerator(this, CERT_X509_CRL, KEY_ANY, 
+		keyid = identification_create_from_encoding(ID_KEY_ID, chunk);
+
+		/* find a cached crl by authorityKeyIdentifier */
+		enumerator = create_cert_enumerator(this, CERT_X509_CRL, KEY_ANY,
 											keyid, FALSE);
 		while (enumerator->enumerate(enumerator, &current))
 		{
@@ -871,27 +877,28 @@ static cert_validation_t check_crl(private_credential_manager_t *this,
 			}
 		}
 		enumerator->destroy(enumerator);
-	}
 
-	/* fallback to fetching crls from credential sets cdps */
-	if (keyid && valid != VALIDATION_GOOD && valid != VALIDATION_REVOKED)
-	{
-		enumerator = create_cdp_enumerator(this, CERT_X509_CRL, keyid);
-
-		while (enumerator->enumerate(enumerator, &uri))
+		/* fallback to fetching crls from credential sets cdps */
+		if (valid != VALIDATION_GOOD && valid != VALIDATION_REVOKED)
 		{
-			current = fetch_crl(this, uri);
-			if (current)
+			enumerator = create_cdp_enumerator(this, CERT_X509_CRL, keyid);
+
+			while (enumerator->enumerate(enumerator, &uri))
 			{
-				best = get_better_crl(this, current, best, subject, issuer,
-									  &valid, TRUE);
-				if (best && valid != VALIDATION_STALE)
+				current = fetch_crl(this, uri);
+				if (current)
 				{
-					break;
+					best = get_better_crl(this, current, best, subject, issuer,
+										  &valid, TRUE);
+					if (best && valid != VALIDATION_STALE)
+					{
+						break;
+					}
 				}
 			}
+			enumerator->destroy(enumerator);
 		}
-		enumerator->destroy(enumerator);
+		keyid->destroy(keyid);
 	}
 	DESTROY_IF(public);
 
@@ -915,7 +922,7 @@ static cert_validation_t check_crl(private_credential_manager_t *this,
 		}
 		enumerator->destroy(enumerator);
 	}
-	
+
 	/* an uri was found, but no result. switch validation state to failed */
 	if (valid == VALIDATION_SKIPPED && uri)
 	{
@@ -938,6 +945,60 @@ static cert_validation_t check_crl(private_credential_manager_t *this,
 	return valid;
 }
 
+/**
+ * check a certificate for optional IP address block constraints
+ */
+static bool check_ip_addr_block_constraints(x509_t *subject, x509_t *issuer)
+{
+	bool subject_constraint = subject->get_flags(subject) & X509_IP_ADDR_BLOCKS;
+	bool issuer_constraint = issuer->get_flags(issuer) & X509_IP_ADDR_BLOCKS;
+	bool contained = TRUE;
+
+	enumerator_t *subject_enumerator, *issuer_enumerator;
+	traffic_selector_t *subject_ts, *issuer_ts;
+
+	if (!subject_constraint && !issuer_constraint)
+	{
+		return TRUE;		
+	}
+	if (!subject_constraint)
+	{
+		DBG1(DBG_CFG, "subject certficate lacks ipAddrBlocks extension");
+		return FALSE;
+	}
+	if (!issuer_constraint)
+	{
+		DBG1(DBG_CFG, "issuer certficate lacks ipAddrBlocks extension");
+		return FALSE;		
+	}
+	subject_enumerator = subject->create_ipAddrBlock_enumerator(subject);
+	while (subject_enumerator->enumerate(subject_enumerator, &subject_ts))
+	{
+		contained = FALSE;
+
+		issuer_enumerator = issuer->create_ipAddrBlock_enumerator(issuer);
+		while (issuer_enumerator->enumerate(issuer_enumerator, &issuer_ts))
+		{
+			if (subject_ts->is_contained_in(subject_ts, issuer_ts))
+			{
+				DBG2(DBG_CFG, "  subject address block %R is contained in "
+							  "issuer address block %R", subject_ts, issuer_ts);
+				contained = TRUE;
+				break;
+			}
+		}
+		issuer_enumerator->destroy(issuer_enumerator);
+		if (!contained)
+		{
+			DBG1(DBG_CFG, "subject address block %R is not contained in any "
+						  "issuer address block", subject_ts);
+			break;
+		}
+	}
+	subject_enumerator->destroy(subject_enumerator);
+	return contained;	
+}
+
 /**
  * check a certificate for its lifetime
  */
@@ -946,22 +1007,26 @@ static bool check_certificate(private_credential_manager_t *this,
 							  bool crl, bool ocsp, auth_cfg_t *auth)
 {
 	time_t not_before, not_after;
-	
+
 	if (!subject->get_validity(subject, NULL, &not_before, &not_after))
 	{
 		DBG1(DBG_CFG, "subject certificate invalid (valid from %T to %T)",
-			 &not_before, TRUE, &not_after, TRUE);
+			 &not_before, FALSE, &not_after, FALSE);
 		return FALSE;
 	}
 	if (!issuer->get_validity(issuer, NULL, &not_before, &not_after))
 	{
 		DBG1(DBG_CFG, "issuer certificate invalid (valid from %T to %T)",
-			 &not_before, TRUE, &not_after, TRUE);
+			 &not_before, FALSE, &not_after, FALSE);
 		return FALSE;
 	}
 	if (issuer->get_type(issuer) == CERT_X509 &&
 		subject->get_type(subject) == CERT_X509)
 	{
+		if (!check_ip_addr_block_constraints((x509_t*)subject, (x509_t*)issuer))
+		{
+			return FALSE;
+		}
 		if (ocsp || crl)
 		{
 			DBG1(DBG_CFG, "checking certificate status of \"%Y\"",
@@ -1019,7 +1084,7 @@ static certificate_t *get_pretrusted_cert(private_credential_manager_t *this,
 {
 	certificate_t *subject;
 	public_key_t *public;
-	
+
 	subject = get_cert(this, CERT_ANY, type, id, TRUE);
 	if (!subject)
 	{
@@ -1043,8 +1108,8 @@ static certificate_t *get_issuer_cert(private_credential_manager_t *this,
 {
 	enumerator_t *enumerator;
 	certificate_t *issuer = NULL, *candidate;
-	
-	enumerator = create_cert_enumerator(this, subject->get_type(subject), KEY_ANY, 
+
+	enumerator = create_cert_enumerator(this, subject->get_type(subject), KEY_ANY,
 										subject->get_issuer(subject), trusted);
 	while (enumerator->enumerate(enumerator, &candidate))
 	{
@@ -1066,12 +1131,14 @@ static bool verify_trust_chain(private_credential_manager_t *this,
 							   bool trusted, bool crl, bool ocsp)
 {
 	certificate_t *current, *issuer;
+	x509_t *x509;
 	auth_cfg_t *auth;
-	u_int level = 0;
-	
+	int pathlen, pathlen_constraint;
+
 	auth = auth_cfg_create();
 	current = subject->get_ref(subject);
-	while (level++ < MAX_CA_LEVELS)
+
+	for (pathlen = 0; pathlen <= X509_MAX_PATH_LEN; pathlen++)
 	{
 		issuer = get_issuer_cert(this, current, TRUE);
 		if (issuer)
@@ -1081,7 +1148,7 @@ static bool verify_trust_chain(private_credential_manager_t *this,
 			{
 				auth->add(auth, AUTH_RULE_CA_CERT, issuer->get_ref(issuer));
 				DBG1(DBG_CFG, "  using trusted ca certificate \"%Y\"",
-					 issuer->get_subject(issuer));
+							  issuer->get_subject(issuer));
 				trusted = TRUE;
 			}
 			else
@@ -1109,7 +1176,7 @@ static bool verify_trust_chain(private_credential_manager_t *this,
 			}
 			else
 			{
-				DBG1(DBG_CFG, "no issuer certificate found for \"%Y\"", 
+				DBG1(DBG_CFG, "no issuer certificate found for \"%Y\"",
 					 current->get_subject(current));
 				break;
 			}
@@ -1121,17 +1188,32 @@ static bool verify_trust_chain(private_credential_manager_t *this,
 			issuer->destroy(issuer);
 			break;
 		}
+
+		/* check path length constraint */
+		x509 = (x509_t*)issuer;
+		pathlen_constraint = x509->get_pathLenConstraint(x509);
+		if (pathlen_constraint != X509_NO_PATH_LEN_CONSTRAINT &&
+			pathlen > pathlen_constraint)
+		{
+			DBG1(DBG_CFG, "path length of %d violates constraint of %d",
+				 pathlen, pathlen_constraint);
+			trusted = FALSE;
+			issuer->destroy(issuer);
+			break;
+		}
 		current->destroy(current);
 		current = issuer;
 		if (trusted)
 		{
+			DBG1(DBG_CFG, "  reached self-signed root ca with a path length of %d",
+						  pathlen);
 			break;
 		}
 	}
 	current->destroy(current);
-	if (level > MAX_CA_LEVELS)
+	if (pathlen > X509_MAX_PATH_LEN)
 	{
-		DBG1(DBG_CFG, "maximum ca path length of %d levels reached", level);
+		DBG1(DBG_CFG, "maximum path length of %d exceeded", X509_MAX_PATH_LEN);
 	}
 	if (trusted)
 	{
@@ -1172,10 +1254,10 @@ static bool trusted_enumerate(trusted_enumerator_t *this,
 							  certificate_t **cert, auth_cfg_t **auth)
 {
 	certificate_t *current;
-	
+
 	DESTROY_IF(this->auth);
 	this->auth = auth_cfg_create();
-	
+
 	if (!this->candidates)
 	{
 		/* first invocation, build enumerator for next one */
@@ -1186,7 +1268,7 @@ static bool trusted_enumerate(trusted_enumerator_t *this,
 		if (this->pretrusted)
 		{
 			/* if we find a trusted self signed certificate, we just accept it.
-			 * However, in order to fulfill authorization rules, we try to build 
+			 * However, in order to fulfill authorization rules, we try to build
 			 * the trust chain if it is not self signed */
 			if (this->this->cache->issued_by(this->this->cache,
 								   this->pretrusted, this->pretrusted) ||
@@ -1214,7 +1296,7 @@ static bool trusted_enumerate(trusted_enumerator_t *this,
 		{	/* skip pretrusted certificate we already served */
 			continue;
 		}
-	
+
 		DBG1(DBG_CFG, "  using certificate \"%Y\"",
 			 current->get_subject(current));
 		if (verify_trust_chain(this->this, current, this->auth, FALSE,
@@ -1249,10 +1331,10 @@ static enumerator_t *create_trusted_enumerator(private_credential_manager_t *thi
 					key_type_t type, identification_t *id, bool crl, bool ocsp)
 {
 	trusted_enumerator_t *enumerator = malloc_thing(trusted_enumerator_t);
-	
+
 	enumerator->public.enumerate = (void*)trusted_enumerate;
 	enumerator->public.destroy = (void*)trusted_destroy;
-	
+
 	enumerator->candidates = NULL;
 	enumerator->this = this;
 	enumerator->type = type;
@@ -1261,7 +1343,7 @@ static enumerator_t *create_trusted_enumerator(private_credential_manager_t *thi
 	enumerator->ocsp = ocsp;
 	enumerator->pretrusted = NULL;
 	enumerator->auth = NULL;
-	
+
 	return &enumerator->public;
 }
 
@@ -1288,7 +1370,7 @@ static bool public_enumerate(public_enumerator_t *this,
 							 public_key_t **key, auth_cfg_t **auth)
 {
 	certificate_t *cert;
-	
+
 	while (this->inner->enumerate(this->inner, &cert, auth))
 	{
 		DESTROY_IF(this->current);
@@ -1315,7 +1397,7 @@ static void public_destroy(public_enumerator_t *this)
 		this->wrapper->destroy(this->wrapper);
 	}
 	this->this->lock->unlock(this->this->lock);
-	
+
 	/* check for delayed certificate cache queue */
 	cache_queue(this->this);
 	free(this);
@@ -1328,7 +1410,7 @@ static enumerator_t* create_public_enumerator(private_credential_manager_t *this
 						key_type_t type, identification_t *id, auth_cfg_t *auth)
 {
 	public_enumerator_t *enumerator = malloc_thing(public_enumerator_t);
-	
+
 	enumerator->public.enumerate = (void*)public_enumerate;
 	enumerator->public.destroy = (void*)public_destroy;
 	enumerator->inner = create_trusted_enumerator(this, type, id, TRUE, TRUE);
@@ -1373,13 +1455,13 @@ static bool auth_contains_cacert(auth_cfg_t *auth, certificate_t *cert)
  */
 static auth_cfg_t *build_trustchain(private_credential_manager_t *this,
 									 certificate_t *subject, auth_cfg_t *auth)
-{	
+{
 	certificate_t *issuer, *current;
 	auth_cfg_t *trustchain;
-	u_int level = 0;
-	
+	int pathlen = 0;
+
 	trustchain = auth_cfg_create();
-	
+
 	current = auth->get(auth, AUTH_RULE_CA_CERT);
 	if (!current)
 	{
@@ -1405,13 +1487,14 @@ static auth_cfg_t *build_trustchain(private_credential_manager_t *this,
 			trustchain->add(trustchain, AUTH_RULE_IM_CERT, current);
 		}
 		issuer = get_issuer_cert(this, current, FALSE);
-		if (!issuer || issuer->equals(issuer, current) || level > MAX_CA_LEVELS)
+		if (!issuer || issuer->equals(issuer, current) ||
+			pathlen > X509_MAX_PATH_LEN)
 		{
 			DESTROY_IF(issuer);
 			break;
 		}
 		current = issuer;
-		level++;
+		pathlen++;
 	}
 	trustchain->destroy(trustchain);
 	return NULL;
@@ -1424,16 +1507,18 @@ static private_key_t *get_private_by_cert(private_credential_manager_t *this,
 										  certificate_t *cert, key_type_t type)
 {
 	private_key_t *private = NULL;
-	identification_t* keyid;
+	identification_t *keyid;
+	chunk_t chunk;
 	public_key_t *public;
 
 	public = cert->get_public_key(cert);
 	if (public)
 	{
-		keyid = public->get_id(public, ID_PUBKEY_INFO_SHA1);
-		if (keyid)
+		if (public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1, &chunk))
 		{
+			keyid = identification_create_from_encoding(ID_KEY_ID, chunk);
 			private = get_private_by_keyid(this, type, keyid);
+			keyid->destroy(keyid);
 		}
 		public->destroy(public);
 	}
@@ -1451,18 +1536,14 @@ static private_key_t *get_private(private_credential_manager_t *this,
 	certificate_t *cert;
 	private_key_t *private = NULL;
 	auth_cfg_t *trustchain;
-	
+
 	/* check if this is a lookup by key ID, and do it if so */
-	if (id)
+	if (id && id->get_type(id) == ID_KEY_ID)
 	{
-		switch (id->get_type(id))
+		private = get_private_by_keyid(this, type, id);
+		if (private)
 		{
-			case ID_PUBKEY_SHA1:
-			case ID_PUBKEY_INFO_SHA1:
-			case ID_KEY_ID:
-				return get_private_by_keyid(this, type, id);
-			default:
-				break;
+			return private;
 		}
 	}
 
@@ -1482,7 +1563,7 @@ static private_key_t *get_private(private_credential_manager_t *this,
 			return private;
 		}
 	}
-			
+
 	/* try to build a trust chain for each certificate found */
 	enumerator = create_cert_enumerator(this, CERT_ANY, type, id, FALSE);
 	while (enumerator->enumerate(enumerator, &cert))
@@ -1560,9 +1641,10 @@ static void destroy(private_credential_manager_t *this)
 	this->cache_queue->destroy(this->cache_queue);
 	this->sets->remove(this->sets, this->cache, NULL);
 	this->sets->destroy(this->sets);
-	pthread_key_delete(this->local_sets);
+	this->local_sets->destroy(this->local_sets);
 	this->cache->destroy(this->cache);
 	this->lock->destroy(this->lock);
+	this->queue_mutex->destroy(this->queue_mutex);
 	free(this);
 }
 
@@ -1572,7 +1654,7 @@ static void destroy(private_credential_manager_t *this)
 credential_manager_t *credential_manager_create()
 {
 	private_credential_manager_t *this = malloc_thing(private_credential_manager_t);
-	
+
 	this->public.create_cert_enumerator = (enumerator_t *(*)(credential_manager_t *this,certificate_type_t cert, key_type_t key,identification_t *id,bool))create_cert_enumerator;
 	this->public.create_shared_enumerator = (enumerator_t *(*)(credential_manager_t *this, shared_key_type_t type,identification_t *me, identification_t *other))create_shared_enumerator;
 	this->public.create_cdp_enumerator = (enumerator_t *(*)(credential_manager_t*, certificate_type_t type, identification_t *id))create_cdp_enumerator;
@@ -1585,14 +1667,15 @@ credential_manager_t *credential_manager_create()
 	this->public.add_set = (void(*)(credential_manager_t*, credential_set_t *set))add_set;
 	this->public.remove_set = (void(*)(credential_manager_t*, credential_set_t *set))remove_set;
 	this->public.destroy = (void(*)(credential_manager_t*))destroy;
-	
+
 	this->sets = linked_list_create();
-	pthread_key_create(&this->local_sets, (void*)this->sets->destroy);
+	this->local_sets = thread_value_create((thread_cleanup_t)this->sets->destroy);
 	this->cache = cert_cache_create();
 	this->cache_queue = linked_list_create();
 	this->sets->insert_first(this->sets, this->cache);
 	this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
-	
+	this->queue_mutex = mutex_create(MUTEX_TYPE_DEFAULT);
+
 	return &this->public;
 }
 
diff --git a/src/charon/credentials/credential_manager.h b/src/charon/credentials/credential_manager.h
index 0af54c0b1..0448da992 100644
--- a/src/charon/credentials/credential_manager.h
+++ b/src/charon/credentials/credential_manager.h
@@ -36,11 +36,11 @@ typedef struct credential_manager_t credential_manager_t;
  *
  * The credential manager is the entry point of the credential framework. It
  * uses so called "sets" to access credentials in a modular fashion, these
- * are implemented through the credential_set_t interface. 
+ * are implemented through the credential_set_t interface.
  * The manager additionally does trust chain verification and trust status
  * chaching. A set may call the managers methods if it needs credentials itself,
  * the manager uses recursive locking.
- * 
+ *
  * @verbatim
 
   +-------+        +----------------+
@@ -58,14 +58,14 @@ typedef struct credential_manager_t credential_manager_t;
   |   o   |                    may be recursive
   |   r   |
   +-------+
-    
-   @endverbatim                                       
+
+   @endverbatim
  *
  * The credential manager uses rwlocks for performance reasons, credential
  * sets must be fully thread save.
  */
 struct credential_manager_t {
-	
+
 	/**
 	 * Create an enumerator over all certificates.
 	 *
@@ -90,7 +90,7 @@ struct credential_manager_t {
 	 * @param second	second subject between key is shared
 	 * @return			enumerator over shared keys
 	 */
-	enumerator_t *(*create_shared_enumerator)(credential_manager_t *this, 
+	enumerator_t *(*create_shared_enumerator)(credential_manager_t *this,
 								shared_key_type_t type,
 								identification_t *first, identification_t *second);
 	/**
@@ -121,14 +121,14 @@ struct credential_manager_t {
 	 * @param me		own identity
 	 * @param other		peers identity
 	 * @return			shared_key_t, NULL if none found
-	 */			   
+	 */
 	shared_key_t *(*get_shared)(credential_manager_t *this, shared_key_type_t type,
 								identification_t *me, identification_t *other);
 	/**
 	 * Get a private key to create a signature.
 	 *
 	 * The get_private() method gets a secret private key identified by either
-	 * the keyid itself or an id the key belongs to. 
+	 * the keyid itself or an id the key belongs to.
 	 * The auth parameter contains additional information, such as receipients
 	 * trusted CA certs. Auth gets filled with subject and CA certificates
 	 * needed to validate a created signature.
@@ -140,12 +140,12 @@ struct credential_manager_t {
 	 */
 	private_key_t* (*get_private)(credential_manager_t *this, key_type_t type,
 								  identification_t *id, auth_cfg_t *auth);
-	
+
 	/**
 	 * Create an enumerator over trusted public keys.
 	 *
 	 * This method gets a an enumerator over trusted public keys to verify a
-	 * signature created by id. The auth parameter contains additional 
+	 * signature created by id. The auth parameter contains additional
 	 * authentication infos, e.g. peer and intermediate certificates.
 	 * The resulting enumerator enumerates over public_key_t *, auth_cfg_t *,
 	 * where the auth config helper contains rules for constraint checks.
@@ -157,14 +157,14 @@ struct credential_manager_t {
 	 */
 	enumerator_t* (*create_public_enumerator)(credential_manager_t *this,
 					key_type_t type, identification_t *id, auth_cfg_t *auth);
-	
+
 	/**
 	 * Cache a certificate by invoking cache_cert() on all registerd sets.
 	 *
 	 * @param cert		certificate to cache
 	 */
 	void (*cache_cert)(credential_manager_t *this, certificate_t *cert);
-	
+
 	/**
 	 * Flush the certificate cache.
 	 *
@@ -174,25 +174,25 @@ struct credential_manager_t {
 	 * @param type		type of certificate to flush, or CERT_ANY
 	 */
 	void (*flush_cache)(credential_manager_t *this, certificate_type_t type);
-		
+
 	/**
 	 * Register a credential set to the manager.
 	 *
 	 * @param set		set to register
 	 */
 	void (*add_set)(credential_manager_t *this, credential_set_t *set);
-	
+
 	/**
 	 * Unregister a credential set from the manager.
 	 *
 	 * @param set		set to unregister
 	 */
 	void (*remove_set)(credential_manager_t *this, credential_set_t *set);
-	
+
 	/**
-     * Destroy a credential_manager instance.
-     */
-    void (*destroy)(credential_manager_t *this);
+	 * Destroy a credential_manager instance.
+	 */
+	void (*destroy)(credential_manager_t *this);
 };
 
 /**
diff --git a/src/charon/credentials/credential_set.h b/src/charon/credentials/credential_set.h
index e9ad99bfd..274eb3feb 100644
--- a/src/charon/credentials/credential_set.h
+++ b/src/charon/credentials/credential_set.h
@@ -43,12 +43,12 @@ typedef struct credential_set_t credential_set_t;
  * enumerator is alive, so it is save to use a write lock there.
  */
 struct credential_set_t {
-	
+
 	/**
 	 * Create an enumerator over private keys (private_key_t).
 	 *
 	 * The id is either a key identifier of the requested key, or an identity
-	 * of the key owner. 
+	 * of the key owner.
 	 *
 	 * @param type		type of requested private key
 	 * @param id		key identifier/owner
@@ -80,10 +80,10 @@ struct credential_set_t {
 	 * @param other		other identity who owns that secret
 	 * @return			enumerator as described above
 	 */
-	enumerator_t *(*create_shared_enumerator)(credential_set_t *this, 
+	enumerator_t *(*create_shared_enumerator)(credential_set_t *this,
 						shared_key_type_t type,
 						identification_t *me, identification_t *other);
-	
+
 	/**
 	 * Create an enumerator over certificate distribution points.
 	 *
@@ -93,7 +93,7 @@ struct credential_set_t {
 	 */
 	enumerator_t *(*create_cdp_enumerator)(credential_set_t *this,
 						certificate_type_t type, identification_t *id);
-	
+
 	/**
 	 * Cache a certificate in the credential set.
 	 *
@@ -102,7 +102,7 @@ struct credential_set_t {
 	 *
 	 * @param cert		certificate to cache
 	 */
-	void (*cache_cert)(credential_set_t *this, certificate_t *cert);	
+	void (*cache_cert)(credential_set_t *this, certificate_t *cert);
 };
 
 #endif /** CREDENTIAL_SET_H_ @}*/
diff --git a/src/charon/credentials/sets/auth_cfg_wrapper.c b/src/charon/credentials/sets/auth_cfg_wrapper.c
index b2cf5d960..82e33d283 100644
--- a/src/charon/credentials/sets/auth_cfg_wrapper.c
+++ b/src/charon/credentials/sets/auth_cfg_wrapper.c
@@ -29,7 +29,7 @@ struct private_auth_cfg_wrapper_t {
 	 * public functions
 	 */
 	auth_cfg_wrapper_t public;
-	
+
 	/**
 	 * wrapped auth info
 	 */
@@ -67,10 +67,10 @@ static bool fetch_cert(wrapper_enumerator_t *enumerator,
 		/* fetching the certificate previously failed */
 		return FALSE;
 	}
-	
+
 	chunk_t data;
 	certificate_t *cert;
-	
+
 	DBG1(DBG_CFG, "  fetching certificate from '%s' ...", url);
 	if (lib->fetcher->fetch(lib->fetcher, url, &data, FETCH_END) != SUCCESS)
 	{
@@ -80,11 +80,11 @@ static bool fetch_cert(wrapper_enumerator_t *enumerator,
 								  *rule, NULL);
 		return FALSE;
 	}
-	
+
 	cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
 							  BUILD_BLOB_ASN1_DER, data, BUILD_END);
 	free(data.ptr);
-	
+
 	if (!cert)
 	{
 		DBG1(DBG_CFG, "  parsing fetched certificate failed");
@@ -93,10 +93,10 @@ static bool fetch_cert(wrapper_enumerator_t *enumerator,
 								  *rule, NULL);
 		return FALSE;
 	}
-	
+
 	DBG1(DBG_CFG, "  fetched certificate \"%Y\"", cert->get_subject(cert));
 	charon->credentials->cache_cert(charon->credentials, cert);
-	
+
 	if (*rule == AUTH_HELPER_IM_HASH_URL)
 	{
 		*rule = AUTH_HELPER_IM_CERT;
@@ -174,11 +174,11 @@ static void wrapper_enumerator_destroy(wrapper_enumerator_t *this)
  * implementation of auth_cfg_wrapper_t.set.create_cert_enumerator
  */
 static enumerator_t *create_enumerator(private_auth_cfg_wrapper_t *this,
-									   certificate_type_t cert, key_type_t key, 
+									   certificate_type_t cert, key_type_t key,
 									   identification_t *id, bool trusted)
 {
 	wrapper_enumerator_t *enumerator;
-	
+
 	if (trusted)
 	{
 		return NULL;
@@ -208,16 +208,16 @@ static void destroy(private_auth_cfg_wrapper_t *this)
 auth_cfg_wrapper_t *auth_cfg_wrapper_create(auth_cfg_t *auth)
 {
 	private_auth_cfg_wrapper_t *this = malloc_thing(private_auth_cfg_wrapper_t);
-	
+
 	this->public.set.create_private_enumerator = (void*)return_null;
 	this->public.set.create_cert_enumerator = (void*)create_enumerator;
 	this->public.set.create_shared_enumerator = (void*)return_null;
 	this->public.set.create_cdp_enumerator = (void*)return_null;
 	this->public.set.cache_cert = (void*)nop;
 	this->public.destroy = (void(*)(auth_cfg_wrapper_t*))destroy;
-	
+
 	this->auth = auth;
-	
+
 	return &this->public;
 }
 
diff --git a/src/charon/credentials/sets/auth_cfg_wrapper.h b/src/charon/credentials/sets/auth_cfg_wrapper.h
index dd5e0fff6..7653fcdbf 100644
--- a/src/charon/credentials/sets/auth_cfg_wrapper.h
+++ b/src/charon/credentials/sets/auth_cfg_wrapper.h
@@ -35,11 +35,11 @@ struct auth_cfg_wrapper_t {
 	 * implements credential_set_t
 	 */
 	credential_set_t set;
-		
+
 	/**
-     * Destroy a auth_cfg_wrapper instance.
-     */
-    void (*destroy)(auth_cfg_wrapper_t *this);
+	 * Destroy a auth_cfg_wrapper instance.
+	 */
+	void (*destroy)(auth_cfg_wrapper_t *this);
 };
 
 /**
diff --git a/src/charon/credentials/sets/cert_cache.c b/src/charon/credentials/sets/cert_cache.c
index dee0463e6..176accce2 100644
--- a/src/charon/credentials/sets/cert_cache.c
+++ b/src/charon/credentials/sets/cert_cache.c
@@ -19,7 +19,7 @@
 #include <sched.h>
 
 #include <daemon.h>
-#include <utils/mutex.h>
+#include <threading/rwlock.h>
 #include <utils/linked_list.h>
 
 /** cache size, a power of 2 for fast modulo */
@@ -35,22 +35,22 @@ typedef struct relation_t relation_t;
  * A trusted relation between subject and issuer
  */
 struct relation_t {
-	
+
 	/**
 	 * subject of this relation
 	 */
 	certificate_t *subject;
-	
+
 	/**
 	 * issuer of this relation
 	 */
 	certificate_t *issuer;
-	
+
 	/**
 	 * Cache hits
 	 */
 	u_int hits;
-	
+
 	/**
 	 * Lock for this relation
 	 */
@@ -61,12 +61,12 @@ struct relation_t {
  * private data of cert_cache
  */
 struct private_cert_cache_t {
-	
+
 	/**
 	 * public functions
 	 */
 	cert_cache_t public;
-	
+
 	/**
 	 * array of trusted subject-issuer relations
 	 */
@@ -82,12 +82,12 @@ static void cache(private_cert_cache_t *this,
 	relation_t *rel;
 	int i, offset, try;
 	u_int total_hits = 0;
-	
+
 	/* check for a unused relation slot first */
 	for (i = 0; i < CACHE_SIZE; i++)
 	{
 		rel = &this->relations[i];
-		
+
 		if (!rel->subject && rel->lock->try_write_lock(rel->lock))
 		{
 			/* double-check having lock */
@@ -109,7 +109,7 @@ static void cache(private_cert_cache_t *this,
 		for (i = 0; i < CACHE_SIZE; i++)
 		{
 			rel = &this->relations[(i + offset) % CACHE_SIZE];
-			
+
 			if (rel->hits > total_hits / CACHE_SIZE)
 			{	/* skip often used slots */
 				continue;
@@ -140,11 +140,11 @@ static bool issued_by(private_cert_cache_t *this,
 {
 	relation_t *found = NULL, *current;
 	int i;
-	
+
 	for (i = 0; i < CACHE_SIZE; i++)
 	{
 		current = &this->relations[i];
-		
+
 		current->lock->read_lock(current->lock);
 		if (current->subject)
 		{
@@ -203,14 +203,14 @@ static bool cert_enumerate(cert_enumerator_t *this, certificate_t **out)
 {
 	public_key_t *public;
 	relation_t *rel;
-	
+
 	if (this->locked >= 0)
 	{
 		rel = &this->relations[this->locked];
 		rel->lock->unlock(rel->lock);
 		this->locked = -1;
 	}
-	
+
 	while (++this->index < CACHE_SIZE)
 	{
 		rel = &this->relations[this->index];
@@ -219,7 +219,7 @@ static bool cert_enumerate(cert_enumerator_t *this, certificate_t **out)
 		if (rel->subject)
 		{
 			/* CRL lookup is done using issuer/authkeyidentifier */
-			if (this->key == KEY_ANY && this->id && 
+			if (this->key == KEY_ANY && this->id &&
 				(this->cert == CERT_ANY || this->cert == CERT_X509_CRL) &&
 				rel->subject->get_type(rel->subject) == CERT_X509_CRL &&
 				rel->subject->has_issuer(rel->subject, this->id))
@@ -261,7 +261,7 @@ static bool cert_enumerate(cert_enumerator_t *this, certificate_t **out)
 static void cert_enumerator_destroy(cert_enumerator_t *this)
 {
 	relation_t *rel;
-	
+
 	if (this->locked >= 0)
 	{
 		rel = &this->relations[this->locked];
@@ -274,11 +274,11 @@ static void cert_enumerator_destroy(cert_enumerator_t *this)
  * implementation of credential_set_t.create_cert_enumerator
  */
 static enumerator_t *create_enumerator(private_cert_cache_t *this,
-									   certificate_type_t cert, key_type_t key, 
+									   certificate_type_t cert, key_type_t key,
 									   identification_t *id, bool trusted)
 {
 	cert_enumerator_t *enumerator;
-	
+
 	if (trusted)
 	{
 		return NULL;
@@ -292,7 +292,7 @@ static enumerator_t *create_enumerator(private_cert_cache_t *this,
 	enumerator->relations = this->relations;
 	enumerator->index = -1;
 	enumerator->locked = -1;
-	
+
 	return &enumerator->public;
 }
 
@@ -303,7 +303,7 @@ static void flush(private_cert_cache_t *this, certificate_type_t type)
 {
 	relation_t *rel;
 	int i;
-	
+
 	for (i = 0; i < CACHE_SIZE; i++)
 	{
 		rel = &this->relations[i];
@@ -346,7 +346,7 @@ static void destroy(private_cert_cache_t *this)
 {
 	relation_t *rel;
 	int i;
-	
+
 	for (i = 0; i < CACHE_SIZE; i++)
 	{
 		rel = &this->relations[i];
@@ -367,7 +367,7 @@ cert_cache_t *cert_cache_create()
 {
 	private_cert_cache_t *this;
 	int i;
-	
+
 	this = malloc_thing(private_cert_cache_t);
 	this->public.set.create_private_enumerator = (void*)return_null;
 	this->public.set.create_cert_enumerator = (void*)create_enumerator;
@@ -377,7 +377,7 @@ cert_cache_t *cert_cache_create()
 	this->public.issued_by = (bool(*)(cert_cache_t*, certificate_t *subject, certificate_t *issuer))issued_by;
 	this->public.flush = (void(*)(cert_cache_t*, certificate_type_t type))flush;
 	this->public.destroy = (void(*)(cert_cache_t*))destroy;
-	
+
 	for (i = 0; i < CACHE_SIZE; i++)
 	{
 		this->relations[i].subject = NULL;
diff --git a/src/charon/credentials/sets/cert_cache.h b/src/charon/credentials/sets/cert_cache.h
index a2cae367c..d2721866e 100644
--- a/src/charon/credentials/sets/cert_cache.h
+++ b/src/charon/credentials/sets/cert_cache.h
@@ -39,7 +39,7 @@ struct cert_cache_t {
 	 * Implements credential_set_t.
 	 */
 	credential_set_t set;
-	
+
 	/**
 	 * Caching wrapper around certificate_t.issued_by.
 	 *
@@ -49,14 +49,14 @@ struct cert_cache_t {
 	 */
 	bool (*issued_by)(cert_cache_t *this,
 					  certificate_t *subject, certificate_t *issuer);
-	
+
 	/**
 	 * Flush the certificate cache.
 	 *
 	 * @param type			type of certificate to flush, or CERT_ANY
 	 */
 	void (*flush)(cert_cache_t *this, certificate_type_t type);
-		
+
 	/**
 	 * Destroy a cert_cache instance.
 	 */
diff --git a/src/charon/credentials/sets/ocsp_response_wrapper.c b/src/charon/credentials/sets/ocsp_response_wrapper.c
index e9faec472..82079209a 100644
--- a/src/charon/credentials/sets/ocsp_response_wrapper.c
+++ b/src/charon/credentials/sets/ocsp_response_wrapper.c
@@ -26,7 +26,7 @@ struct private_ocsp_response_wrapper_t {
 	 * public functions
 	 */
 	ocsp_response_wrapper_t public;
-	
+
 	/**
 	 * wrapped OCSP response
 	 */
@@ -98,16 +98,16 @@ static void enumerator_destroy(wrapper_enumerator_t *this)
  * implementation of ocsp_response_wrapper_t.set.create_cert_enumerator
  */
 static enumerator_t *create_enumerator(private_ocsp_response_wrapper_t *this,
-									   certificate_type_t cert, key_type_t key, 
+									   certificate_type_t cert, key_type_t key,
 									   identification_t *id, bool trusted)
 {
 	wrapper_enumerator_t *enumerator;
-	
+
 	if (trusted)
 	{
 		return NULL;
 	}
-	
+
 	enumerator = malloc_thing(wrapper_enumerator_t);
 	enumerator->cert = cert;
 	enumerator->key = key;
@@ -132,16 +132,16 @@ static void destroy(private_ocsp_response_wrapper_t *this)
 ocsp_response_wrapper_t *ocsp_response_wrapper_create(ocsp_response_t *response)
 {
 	private_ocsp_response_wrapper_t *this = malloc_thing(private_ocsp_response_wrapper_t);
-	
+
 	this->public.set.create_private_enumerator = (void*)return_null;
 	this->public.set.create_cert_enumerator = (void*)create_enumerator;
 	this->public.set.create_shared_enumerator = (void*)return_null;
 	this->public.set.create_cdp_enumerator = (void*)return_null;
 	this->public.set.cache_cert = (void*)nop;
 	this->public.destroy = (void(*)(ocsp_response_wrapper_t*))destroy;
-	
+
 	this->response = response;
-	
+
 	return &this->public;
 }
 
diff --git a/src/charon/credentials/sets/ocsp_response_wrapper.h b/src/charon/credentials/sets/ocsp_response_wrapper.h
index 8f141f7a1..dc4b451df 100644
--- a/src/charon/credentials/sets/ocsp_response_wrapper.h
+++ b/src/charon/credentials/sets/ocsp_response_wrapper.h
@@ -35,11 +35,11 @@ struct ocsp_response_wrapper_t {
 	 * implements credential_set_t
 	 */
 	credential_set_t set;
-		
+
 	/**
-     * Destroy a ocsp_response_wrapper instance.
-     */
-    void (*destroy)(ocsp_response_wrapper_t *this);
+	 * Destroy a ocsp_response_wrapper instance.
+	 */
+	void (*destroy)(ocsp_response_wrapper_t *this);
 };
 
 /**
diff --git a/src/charon/daemon.c b/src/charon/daemon.c
index 0689c448e..e71225fd1 100644
--- a/src/charon/daemon.c
+++ b/src/charon/daemon.c
@@ -1,4 +1,4 @@
-/* 
+/*
  * Copyright (C) 2006-2009 Tobias Brunner
  * Copyright (C) 2005-2009 Martin Willi
  * Copyright (C) 2006 Daniel Roethlisberger
@@ -41,7 +41,8 @@
 
 #include <library.h>
 #include <utils/backtrace.h>
-#include <config/traffic_selector.h>
+#include <threading/thread.h>
+#include <selectors/traffic_selector.h>
 #include <config/proposal.h>
 
 #ifndef LOG_AUTHPRIV /* not defined on OpenSolaris */
@@ -58,12 +59,17 @@ struct private_daemon_t {
 	 * Public members of daemon_t.
 	 */
 	daemon_t public;
-	
+
 	/**
 	 * Signal set used for signal handling.
 	 */
 	sigset_t signal_set;
 
+	/**
+	 * Reference to main thread.
+	 */
+	thread_t *main_thread;
+
 #ifdef CAPABILITIES
 	/**
 	 * capabilities to keep
@@ -88,7 +94,7 @@ extern void (*dbg) (int level, char *fmt, ...);
 static void dbg_bus(int level, char *fmt, ...)
 {
 	va_list args;
-	
+
 	va_start(args, fmt);
 	charon->bus->vlog(charon->bus, DBG_LIB, level, fmt, args);
 	va_end(args);
@@ -100,7 +106,7 @@ static void dbg_bus(int level, char *fmt, ...)
 static void dbg_stderr(int level, char *fmt, ...)
 {
 	va_list args;
-	
+
 	if (level <= 1)
 	{
 		va_start(args, fmt);
@@ -117,18 +123,19 @@ static void dbg_stderr(int level, char *fmt, ...)
 static void run(private_daemon_t *this)
 {
 	sigset_t set;
-	
+
 	/* handle SIGINT, SIGHUP ans SIGTERM in this handler */
 	sigemptyset(&set);
-	sigaddset(&set, SIGINT); 
-	sigaddset(&set, SIGHUP); 
+	sigaddset(&set, SIGINT);
+	sigaddset(&set, SIGHUP);
 	sigaddset(&set, SIGTERM);
-	
+	sigprocmask(SIG_BLOCK, &set, NULL);
+
 	while (TRUE)
 	{
 		int sig;
 		int error;
-		
+
 		error = sigwait(&set, &sig);
 		if (error)
 		{
@@ -145,11 +152,13 @@ static void run(private_daemon_t *this)
 			case SIGINT:
 			{
 				DBG1(DBG_DMN, "signal of type SIGINT received. Shutting down");
+				charon->bus->alert(charon->bus, ALERT_SHUTDOWN_SIGNAL, sig);
 				return;
 			}
 			case SIGTERM:
 			{
 				DBG1(DBG_DMN, "signal of type SIGTERM received. Shutting down");
+				charon->bus->alert(charon->bus, ALERT_SHUTDOWN_SIGNAL, sig);
 				return;
 			}
 			default:
@@ -193,14 +202,13 @@ static void destroy(private_daemon_t *this)
 	DESTROY_IF(this->public.mediation_manager);
 #endif /* ME */
 	DESTROY_IF(this->public.backends);
-	DESTROY_IF(this->public.attributes);
 	DESTROY_IF(this->public.credentials);
 	DESTROY_IF(this->public.sender);
 	DESTROY_IF(this->public.receiver);
 	DESTROY_IF(this->public.socket);
 	/* wait until all threads are gone */
 	DESTROY_IF(this->public.processor);
-	
+
 	/* rehook library logging, shutdown logging */
 	dbg = dbg_stderr;
 	DESTROY_IF(this->public.bus);
@@ -225,7 +233,7 @@ static void kill_daemon(private_daemon_t *this, char *reason)
 	{
 		fprintf(stderr, "killing daemon: %s\n", reason);
 	}
-	if (this->public.main_thread_id == pthread_self())
+	if (this->main_thread == thread_current())
 	{
 		/* initialization failed, terminate daemon */
 		unlink(PID_FILE);
@@ -234,9 +242,9 @@ static void kill_daemon(private_daemon_t *this, char *reason)
 	else
 	{
 		DBG1(DBG_DMN, "sending SIGTERM to ourself");
-		pthread_kill(this->public.main_thread_id, SIGTERM);
+		this->main_thread->kill(this->main_thread, SIGTERM);
 		/* thread must die, since he produced a ciritcal failure and can't continue */
-		pthread_exit(NULL);
+		thread_exit(NULL);
 	}
 }
 
@@ -246,18 +254,18 @@ static void kill_daemon(private_daemon_t *this, char *reason)
 static void drop_capabilities(private_daemon_t *this)
 {
 #ifdef HAVE_PRCTL
-	prctl(PR_SET_KEEPCAPS, 1);
+	prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0);
 #endif
 
 	if (setgid(charon->gid) != 0)
 	{
-		kill_daemon(this, "change to unprivileged group failed");	
+		kill_daemon(this, "change to unprivileged group failed");
 	}
 	if (setuid(charon->uid) != 0)
 	{
-		kill_daemon(this, "change to unprivileged user failed");	
+		kill_daemon(this, "change to unprivileged user failed");
 	}
-	
+
 #ifdef CAPABILITIES
 	if (cap_set_proc(this->caps) != 0)
 	{
@@ -279,7 +287,7 @@ static void keep_cap(private_daemon_t *this, u_int cap)
 }
 
 /**
- * lookup UID and GID 
+ * lookup UID and GID
  */
 static void lookup_uid_gid(private_daemon_t *this)
 {
@@ -287,7 +295,7 @@ static void lookup_uid_gid(private_daemon_t *this)
 	{
 		char buf[1024];
 		struct passwd passwd, *pwp;
-	
+
 		if (getpwnam_r(IPSEC_USER, &passwd, buf, sizeof(buf), &pwp) != 0 ||
 			pwp == NULL)
 		{
@@ -300,7 +308,7 @@ static void lookup_uid_gid(private_daemon_t *this)
 	{
 		char buf[1024];
 		struct group group, *grp;
-	
+
 		if (getgrnam_r(IPSEC_GROUP, &group, buf, sizeof(buf), &grp) != 0 ||
 			grp == NULL)
 		{
@@ -319,7 +327,7 @@ static void print_plugins()
 	char buf[512], *plugin;
 	int len = 0;
 	enumerator_t *enumerator;
-	
+
 	buf[0] = '\0';
 	enumerator = lib->plugins->create_plugin_enumerator(lib->plugins);
 	while (len < sizeof(buf) && enumerator->enumerate(enumerator, &plugin))
@@ -345,7 +353,7 @@ static void initialize_loggers(private_daemon_t *this, bool use_stderr,
 	level_t  def;
 	bool append;
 	FILE *file;
-	
+
 	/* setup sysloggers */
 	enumerator = lib->settings->create_section_enumerator(lib->settings,
 														  "charon.syslog");
@@ -378,7 +386,7 @@ static void initialize_loggers(private_daemon_t *this, bool use_stderr,
 		this->public.bus->add_listener(this->public.bus, &sys_logger->listener);
 	}
 	enumerator->destroy(enumerator);
-	
+
 	/* and file loggers */
 	enumerator = lib->settings->create_section_enumerator(lib->settings,
 														  "charon.filelog");
@@ -418,10 +426,10 @@ static void initialize_loggers(private_daemon_t *this, bool use_stderr,
 		this->public.file_loggers->insert_last(this->public.file_loggers,
 											   file_logger);
 		this->public.bus->add_listener(this->public.bus, &file_logger->listener);
-	
+
 	}
 	enumerator->destroy(enumerator);
-	
+
 	/* set up legacy style default loggers provided via command-line */
 	if (!loggers_defined)
 	{
@@ -443,7 +451,7 @@ static void initialize_loggers(private_daemon_t *this, bool use_stderr,
 				file_logger->set_level(file_logger, group, levels[group]);
 			}
 		}
-		
+
 		/* set up default auth sys_logger */
 		sys_logger = sys_logger_create(LOG_AUTHPRIV);
 		this->public.bus->add_listener(this->public.bus, &sys_logger->listener);
@@ -460,14 +468,14 @@ static bool initialize(private_daemon_t *this, bool syslog, level_t levels[])
 {
 	/* for uncritical pseudo random numbers */
 	srandom(time(NULL) + getpid());
-	
+
 	/* setup bus and it's listeners first to enable log output */
 	this->public.bus = bus_create();
 	/* set up hook to log dbg message in library via charons message bus */
 	dbg = dbg_bus;
-	
+
 	initialize_loggers(this, !syslog, levels);
-	
+
 	DBG1(DBG_DMN, "Starting IKEv2 charon daemon (strongSwan "VERSION")");
 
 	if (lib->integrity)
@@ -485,15 +493,17 @@ static bool initialize(private_daemon_t *this, bool syslog, level_t levels[])
 	this->public.eap = eap_manager_create();
 	this->public.sim = sim_manager_create();
 	this->public.backends = backend_manager_create();
-	this->public.attributes = attribute_manager_create();
 	this->public.kernel_interface = kernel_interface_create();
 	this->public.socket = socket_create();
 	this->public.traps = trap_manager_create();
-	
+
 	/* load plugins, further infrastructure may need it */
-	lib->plugins->load(lib->plugins, IPSEC_PLUGINDIR, 
-		lib->settings->get_str(lib->settings, "charon.load", PLUGINS));
-	
+	if (!lib->plugins->load(lib->plugins, NULL,
+			lib->settings->get_str(lib->settings, "charon.load", PLUGINS)))
+	{
+		return FALSE;
+	}
+
 	print_plugins();
 
 	this->public.ike_sa_manager = ike_sa_manager_create();
@@ -507,7 +517,7 @@ static bool initialize(private_daemon_t *this, bool syslog, level_t levels[])
 	{
 		return FALSE;
 	}
-	
+
 #ifdef ME
 	this->public.connect_manager = connect_manager_create();
 	if (this->public.connect_manager == NULL)
@@ -516,7 +526,7 @@ static bool initialize(private_daemon_t *this, bool syslog, level_t levels[])
 	}
 	this->public.mediation_manager = mediation_manager_create();
 #endif /* ME */
-	
+
 	return TRUE;
 }
 
@@ -526,35 +536,34 @@ static bool initialize(private_daemon_t *this, bool syslog, level_t levels[])
 static void segv_handler(int signal)
 {
 	backtrace_t *backtrace;
-	
-	DBG1(DBG_DMN, "thread %u received %d", pthread_self(), signal);
+
+	DBG1(DBG_DMN, "thread %u received %d", thread_current_id(), signal);
 	backtrace = backtrace_create(2);
 	backtrace->log(backtrace, stderr);
 	backtrace->destroy(backtrace);
-	
+
 	DBG1(DBG_DMN, "killing ourself, received critical signal");
-	raise(SIGKILL);
+	abort();
 }
 
 /**
  * Create the daemon.
  */
 private_daemon_t *daemon_create(void)
-{	
+{
 	struct sigaction action;
 	private_daemon_t *this = malloc_thing(private_daemon_t);
-		
+
 	/* assign methods */
 	this->public.kill = (void (*) (daemon_t*,char*))kill_daemon;
 	this->public.keep_cap = (void(*)(daemon_t*, u_int cap))keep_cap;
-	
+
 	/* NULL members for clean destruction */
 	this->public.socket = NULL;
 	this->public.ike_sa_manager = NULL;
 	this->public.traps = NULL;
 	this->public.credentials = NULL;
 	this->public.backends = NULL;
-	this->public.attributes = NULL;
 	this->public.sender= NULL;
 	this->public.receiver = NULL;
 	this->public.scheduler = NULL;
@@ -572,8 +581,8 @@ private_daemon_t *daemon_create(void)
 #endif /* ME */
 	this->public.uid = 0;
 	this->public.gid = 0;
-	
-	this->public.main_thread_id = pthread_self();
+
+	this->main_thread = thread_current();
 #ifdef CAPABILITIES
 	this->caps = cap_init();
 	keep_cap(this, CAP_NET_ADMIN);
@@ -582,9 +591,8 @@ private_daemon_t *daemon_create(void)
 		keep_cap(this, CAP_SYS_NICE);
 	}
 #endif /* CAPABILITIES */
-	
+
 	/* add handler for SEGV and ILL,
-	 * add handler for USR1 (cancellation).
 	 * INT, TERM and HUP are handled by sigwait() in run() */
 	action.sa_handler = segv_handler;
 	action.sa_flags = 0;
@@ -597,20 +605,20 @@ private_daemon_t *daemon_create(void)
 	sigaction(SIGBUS, &action, NULL);
 	action.sa_handler = SIG_IGN;
 	sigaction(SIGPIPE, &action, NULL);
-	
-	pthread_sigmask(SIG_SETMASK, &action.sa_mask, 0);
-	
+
+	pthread_sigmask(SIG_SETMASK, &action.sa_mask, NULL);
+
 	return this;
 }
 
 /**
- * Check/create PID file, return TRUE if already running 
+ * Check/create PID file, return TRUE if already running
  */
 static bool check_pidfile()
 {
 	struct stat stb;
 	FILE *file;
-	
+
 	if (stat(PID_FILE, &stb) == 0)
 	{
 		file = fopen(PID_FILE, "r");
@@ -618,7 +626,7 @@ static bool check_pidfile()
 		{
 			char buf[64];
 			pid_t pid = 0;
-			
+
 			memset(buf, 0, sizeof(buf));
 			if (fread(buf, 1, sizeof(buf), file))
 			{
@@ -633,7 +641,7 @@ static bool check_pidfile()
 		DBG1(DBG_DMN, "removing pidfile '"PID_FILE"', process not running");
 		unlink(PID_FILE);
 	}
-	
+
 	/* create new pidfile */
 	file = fopen(PID_FILE, "w");
 	if (file)
@@ -676,17 +684,17 @@ int main(int argc, char *argv[])
 	private_daemon_t *private_charon;
 	level_t levels[DBG_MAX];
 	int group;
-	
+
 	/* logging for library during initialization, as we have no bus yet */
 	dbg = dbg_stderr;
-	
+
 	/* initialize library */
-	if (!library_init(STRONGSWAN_CONF))
+	if (!library_init(NULL))
 	{
 		library_deinit();
 		exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
 	}
-	
+
 	if (lib->integrity &&
 		!lib->integrity->check_file(lib->integrity, "charon", argv[0]))
 	{
@@ -694,7 +702,7 @@ int main(int argc, char *argv[])
 		library_deinit();
 		exit(SS_RC_DAEMON_INTEGRITY);
 	}
-	
+
 	lib->printf_hook->add_handler(lib->printf_hook, 'R',
 								  traffic_selector_printf_hook,
 								  PRINTF_HOOK_ARGTYPE_POINTER,
@@ -705,15 +713,15 @@ int main(int argc, char *argv[])
 								  PRINTF_HOOK_ARGTYPE_END);
 	private_charon = daemon_create();
 	charon = (daemon_t*)private_charon;
-	
+
 	lookup_uid_gid(private_charon);
-	
+
 	/* use CTRL loglevel for default */
 	for (group = 0; group < DBG_MAX; group++)
 	{
 		levels[group] = LEVEL_CTRL;
 	}
-	
+
 	/* handle arguments */
 	for (;;)
 	{
@@ -734,12 +742,12 @@ int main(int argc, char *argv[])
 			{ "debug-lib", required_argument, &group, DBG_LIB },
 			{ 0,0,0,0 }
 		};
-		
+
 		int c = getopt_long(argc, argv, "", long_opts, NULL);
 		switch (c)
 		{
 			case EOF:
-	    		break;
+				break;
 			case 'h':
 				usage(NULL);
 				break;
@@ -759,39 +767,41 @@ int main(int argc, char *argv[])
 		}
 		break;
 	}
-	
+
 	/* initialize daemon */
 	if (!initialize(private_charon, use_syslog, levels))
 	{
 		DBG1(DBG_DMN, "initialization failed - aborting charon");
 		destroy(private_charon);
+		library_deinit();
 		exit(SS_RC_INITIALIZATION_FAILED);
 	}
-	
+
 	if (check_pidfile())
 	{
 		DBG1(DBG_DMN, "charon already running (\""PID_FILE"\" exists)");
 		destroy(private_charon);
+		library_deinit();
 		exit(-1);
 	}
-	
+
 	/* drop the capabilities we won't need */
 	drop_capabilities(private_charon);
-	
+
 	/* start the engine, go multithreaded */
 	charon->processor->set_threads(charon->processor,
 						lib->settings->get_int(lib->settings, "charon.threads",
 											   DEFAULT_THREADS));
-	
+
 	/* run daemon */
 	run(private_charon);
-	
+
 	/* normal termination, cleanup and exit */
 	destroy(private_charon);
 	unlink(PID_FILE);
-	
+
 	library_deinit();
-	
+
 	return 0;
 }
 
diff --git a/src/charon/daemon.h b/src/charon/daemon.h
index 023bae447..cb5946d5d 100644
--- a/src/charon/daemon.h
+++ b/src/charon/daemon.h
@@ -21,7 +21,7 @@
  *
  * @defgroup bus bus
  * @ingroup charon
- * 
+ *
  * @defgroup listeners listeners
  * @ingroup bus
  *
@@ -84,13 +84,13 @@
  * from the processor. Work is delegated to the processor by queueing jobs
  * to it.
    @verbatim
-   
+
       +---------------------------------+       +----------------------------+
       |           controller            |       |          config            |
-      +---------------------------------+       +----------------------------+  
-               |      |      |                           ^     ^    ^           
-               V      V      V                           |     |    |           
-                                                                                
+      +---------------------------------+       +----------------------------+
+               |      |      |                           ^     ^    ^
+               V      V      V                           |     |    |
+
        +----------+  +-----------+   +------+            +----------+    +----+
        | receiver |  |           |   |      |  +------+  | CHILD_SA |    | K  |
        +---+------+  | Scheduler |   | IKE- |  | IKE- |--+----------+    | e  |
@@ -100,43 +100,43 @@
     +------+---+     +-----------+   | ager |  +------+  +----------+    | l  |
            |         |           |   |      |  | IKE- |--| CHILD_SA |    | -  |
        +---+------+  | Processor |---|      |--| SA   |  +----------+    | I  |
-       |  sender  |  |           |   |      |  +------+                  | f  |    
+       |  sender  |  |           |   |      |  +------+                  | f  |
        +----------+  +-----------+   +------+                            +----+
-                                                                                
-               |      |      |                        |      |      |           
-               V      V      V                        V      V      V           
-      +---------------------------------+       +----------------------------+  
-      |               Bus               |       |         credentials        |  
-      +---------------------------------+       +----------------------------+                                                              
+
+               |      |      |                        |      |      |
+               V      V      V                        V      V      V
+      +---------------------------------+       +----------------------------+
+      |               Bus               |       |         credentials        |
+      +---------------------------------+       +----------------------------+
 
    @endverbatim
- * The scheduler is responsible to execute timed events. Jobs may be queued to 
- * the scheduler to get executed at a defined time (e.g. rekeying). The 
+ * The scheduler is responsible to execute timed events. Jobs may be queued to
+ * the scheduler to get executed at a defined time (e.g. rekeying). The
  * scheduler does not execute the jobs itself, it queues them to the processor.
- * 
- * The IKE_SA manager managers all IKE_SA. It further handles the 
+ *
+ * The IKE_SA manager managers all IKE_SA. It further handles the
  * synchronization:
- * Each IKE_SA must be checked out strictly and checked in again after use. The 
- * manager guarantees that only one thread may check out a single IKE_SA. This 
+ * Each IKE_SA must be checked out strictly and checked in again after use. The
+ * manager guarantees that only one thread may check out a single IKE_SA. This
  * allows us to write the (complex) IKE_SAs routines non-threadsave.
- * The IKE_SA contain the state and the logic of each IKE_SA and handle the 
+ * The IKE_SA contain the state and the logic of each IKE_SA and handle the
  * messages.
- * 
+ *
  * The CHILD_SA contains state about a IPsec security association and manages
- * them. An IKE_SA may have multiple CHILD_SAs. Communication to the kernel 
+ * them. An IKE_SA may have multiple CHILD_SAs. Communication to the kernel
  * takes place here through the kernel interface.
- * 
+ *
  * The kernel interface installs IPsec security associations, policies, routes
- * and virtual addresses. It further provides methods to enumerate interfaces 
+ * and virtual addresses. It further provides methods to enumerate interfaces
  * and may notify the daemon about state changes at lower layers.
- * 
- * The bus receives signals from the different threads and relais them to interested 
- * listeners. Debugging signals, but also important state changes or error 
- * messages are sent over the bus. 
- * It's listeners are not only for logging, but also to track the state of an
+ *
+ * The bus receives signals from the different threads and relays them to
+ * interested listeners. Debugging signals, but also important state changes or
+ * error messages are sent over the bus.
+ * Its listeners are not only for logging, but also to track the state of an
  * IKE_SA.
  *
- * The controller, credential_manager, bus and backend_manager (config) are 
+ * The controller, credential_manager, bus and backend_manager (config) are
  * places where a plugin ca register itself to privide information or observe
  * and control the daemon.
  */
@@ -159,7 +159,6 @@ typedef struct daemon_t daemon_t;
 #include <sa/ike_sa_manager.h>
 #include <sa/trap_manager.h>
 #include <config/backend_manager.h>
-#include <config/attributes/attribute_manager.h>
 #include <credentials/credential_manager.h>
 #include <sa/authenticators/eap/eap_manager.h>
 #include <sa/authenticators/eap/sim_manager.h>
@@ -199,104 +198,99 @@ typedef struct daemon_t daemon_t;
  * Main class of daemon, contains some globals.
  */
 struct daemon_t {
-	
+
 	/**
 	 * A socket_t instance.
 	 */
 	socket_t *socket;
-	
+
 	/**
 	 * A ike_sa_manager_t instance.
 	 */
 	ike_sa_manager_t *ike_sa_manager;
-	
+
 	/**
 	 * Manager for triggering policies, called traps
 	 */
 	trap_manager_t *traps;
-	
+
 	/**
 	 * Manager for the different configuration backends.
 	 */
 	backend_manager_t *backends;
-	
-	/**
-	 * Manager for IKEv2 cfg payload attributes
-	 */
-	attribute_manager_t *attributes;
-	
+
 	/**
 	 * Manager for the credential backends
 	 */
 	credential_manager_t *credentials;
-	
+
 	/**
 	 * The Sender-Thread.
- 	 */
+	 */
 	sender_t *sender;
-	
+
 	/**
 	 * The Receiver-Thread.
 	 */
 	receiver_t *receiver;
-	
+
 	/**
 	 * The Scheduler-Thread.
 	 */
 	scheduler_t *scheduler;
-	
+
 	/**
 	 * Job processing using a thread pool.
 	 */
 	processor_t *processor;
-	
+
 	/**
 	 * The signaling bus.
 	 */
 	bus_t *bus;
-	
+
 	/**
 	 * A list of installed file_logger_t's
 	 */
 	linked_list_t *file_loggers;
-	
+
 	/**
 	 * A list of installed sys_logger_t's
 	 */
 	linked_list_t *sys_loggers;
-	
+
 	/**
 	 * Kernel Interface to communicate with kernel
 	 */
 	kernel_interface_t *kernel_interface;
-	
+
 	/**
 	 * Controller to control the daemon
 	 */
 	controller_t *controller;
-	
+
 	/**
 	 * EAP manager to maintain registered EAP methods
 	 */
 	eap_manager_t *eap;
-	
+
 	/**
-	 * SIM manager to maintain SIM cards/providers
+	 * SIM manager to maintain (U)SIM cards/providers
 	 */
 	sim_manager_t *sim;
-	
+
 #ifdef ME
 	/**
 	 * Connect manager
 	 */
 	connect_manager_t *connect_manager;
-	
+
 	/**
 	 * Mediation manager
 	 */
 	mediation_manager_t *mediation_manager;
 #endif /* ME */
-	
+
 	/**
 	 * User ID the daemon will user after initialization
 	 */
@@ -306,12 +300,7 @@ struct daemon_t {
 	 * Group ID the daemon will use after initialization
 	 */
 	gid_t gid;
-	
-	/** 
-	 * The thread_id of main-thread.
-	 */
-	pthread_t main_thread_id;
-	
+
 	/**
 	 * Do not drop a given capability after initialization.
 	 *
@@ -320,10 +309,10 @@ struct daemon_t {
 	 * drop these.
 	 */
 	void (*keep_cap)(daemon_t *this, u_int cap);
-	
+
 	/**
 	 * Shut down the daemon.
-	 * 
+	 *
 	 * @param reason		describtion why it will be killed
 	 */
 	void (*kill) (daemon_t *this, char *reason);
diff --git a/src/charon/encoding/generator.c b/src/charon/encoding/generator.c
index 406cfc688..6485da492 100644
--- a/src/charon/encoding/generator.c
+++ b/src/charon/encoding/generator.c
@@ -53,55 +53,55 @@ struct private_generator_t {
 	 * Public part of a generator_t object.
 	 */
 	 generator_t public;
-	
+
 	/**
 	 * Buffer used to generate the data into.
 	 */
 	u_int8_t *buffer;
-	
+
 	/**
 	 * Current write position in buffer (one byte aligned).
 	 */
 	u_int8_t *out_position;
-	
+
 	/**
 	 * Position of last byte in buffer.
 	 */
 	u_int8_t *roof_position;
-	
+
 	/**
 	 * Current bit writing to in current byte (between 0 and 7).
 	 */
 	u_int8_t current_bit;
-	
+
 	/**
 	 * Associated data struct to read informations from.
 	 */
 	void *data_struct;
-	
+
 	/*
 	 * Last payload length position offset in the buffer.
 	 */
 	u_int32_t last_payload_length_position_offset;
-	
+
 	/**
 	 * Offset of the header length field in the buffer.
 	 */
 	u_int32_t header_length_position_offset;
-	
+
 	/**
 	 * Last SPI size.
 	 */
 	u_int8_t last_spi_size;
-	
+
 	/**
 	 * Attribute format of the last generated transform attribute.
 	 *
-	 * Used to check if a variable value field is used or not for 
+	 * Used to check if a variable value field is used or not for
 	 * the transform attribute value.
 	 */
 	bool attribute_format;
-	
+
 	/**
 	 * Depending on the value of attribute_format this field is used
 	 * to hold the length of the transform attribute in bytes.
@@ -149,14 +149,14 @@ static void make_space_available(private_generator_t *this, int bits)
 	while ((get_space(this) * 8 - this->current_bit) < bits)
 	{
 		int old_buffer_size, new_buffer_size, out_position_offset;
-		
+
 		old_buffer_size = get_size(this);
 		new_buffer_size = old_buffer_size + GENERATOR_DATA_BUFFER_INCREASE_VALUE;
 		out_position_offset = this->out_position - this->buffer;
-		
-		DBG2(DBG_ENC, "increasing gen buffer from %d to %d byte", 
+
+		DBG2(DBG_ENC, "increasing gen buffer from %d to %d byte",
 			 old_buffer_size, new_buffer_size);
-		
+
 		this->buffer = realloc(this->buffer,new_buffer_size);
 		this->out_position = (this->buffer + out_position_offset);
 		this->roof_position = (this->buffer + new_buffer_size);
@@ -171,9 +171,9 @@ static void write_bytes_to_buffer(private_generator_t *this, void *bytes,
 {
 	int i;
 	u_int8_t *read_position = (u_int8_t *)bytes;
-	
+
 	make_space_available(this, number_of_bytes * 8);
-	
+
 	for (i = 0; i < number_of_bytes; i++)
 	{
 		*(this->out_position) = *(read_position);
@@ -192,14 +192,14 @@ static void write_bytes_to_buffer_at_offset(private_generator_t *this,
 	u_int8_t *read_position = (u_int8_t *)bytes;
 	u_int8_t *write_position;
 	u_int32_t free_space_after_offset = get_size(this) - offset;
-	
-	/* check first if enough space for new data is available */	
+
+	/* check first if enough space for new data is available */
 	if (number_of_bytes > free_space_after_offset)
 	{
-		make_space_available(this, 
+		make_space_available(this,
 							 (number_of_bytes - free_space_after_offset) * 8);
 	}
-	
+
 	write_position = this->buffer + offset;
 	for (i = 0; i < number_of_bytes; i++)
 	{
@@ -216,7 +216,7 @@ static void generate_u_int_type(private_generator_t *this,
 								encoding_type_t int_type,u_int32_t offset)
 {
 	int number_of_bits = 0;
-	
+
 	/* find out number of bits of each U_INT type to check for enough space */
 	switch (int_type)
 	{
@@ -251,14 +251,14 @@ static void generate_u_int_type(private_generator_t *this,
 			 encoding_type_names, int_type);
 		return;
 	}
-	
+
 	make_space_available(this, number_of_bits);
 	switch (int_type)
 	{
 		case U_INT_4:
 		{
 			u_int8_t high, low;
-			
+
 			if (this->current_bit == 0)
 			{
 				/* high of current byte in buffer has to be set to the new value*/
@@ -303,7 +303,7 @@ static void generate_u_int_type(private_generator_t *this,
 		{
 			u_int8_t attribute_format_flag;
 			u_int16_t val;
-			
+
 			/* attribute type must not change first bit of current byte */
 			if (this->current_bit != 1)
 			{
@@ -325,7 +325,7 @@ static void generate_u_int_type(private_generator_t *this,
 			write_bytes_to_buffer(this, &val, sizeof(u_int16_t));
 			this->current_bit = 0;
 			break;
-			
+
 		}
 		case U_INT_16:
 		case CONFIGURATION_ATTRIBUTE_LENGTH:
@@ -372,11 +372,11 @@ static void generate_reserved_field(private_generator_t *this, int bits)
 		return ;
 	}
 	make_space_available(this, bits);
-	
+
 	if (bits == 1)
 	{
 		u_int8_t reserved_bit = ~(1 << (7 - this->current_bit));
-		
+
 		*(this->out_position) = *(this->out_position) & reserved_bit;
 		if (this->current_bit == 0)
 		{
@@ -410,11 +410,11 @@ static void generate_flag(private_generator_t *this, u_int32_t offset)
 {
 	u_int8_t flag_value;
 	u_int8_t flag;
-	
+
 	flag_value = (*((bool *) (this->data_struct + offset))) ? 1 : 0;
 	/* get flag position */
 	flag = (flag_value << (7 - this->current_bit));
-	
+
 	/* make sure one bit is available in buffer */
 	make_space_available(this, 1);
 	if (this->current_bit == 0)
@@ -422,10 +422,10 @@ static void generate_flag(private_generator_t *this, u_int32_t offset)
 		/* memory must be zero */
 		*(this->out_position) = 0x00;
 	}
-	
+
 	*(this->out_position) = *(this->out_position) | flag;
 	DBG3(DBG_ENC, "   => %d", *this->out_position);
-	
+
 	this->current_bit++;
 	if (this->current_bit >= 8)
 	{
@@ -440,16 +440,16 @@ static void generate_flag(private_generator_t *this, u_int32_t offset)
 static void generate_from_chunk(private_generator_t *this, u_int32_t offset)
 {
 	chunk_t *value;
-	
+
 	if (this->current_bit != 0)
 	{
 		DBG1(DBG_ENC, "can not generate a chunk at Bitpos %d", this->current_bit);
 		return ;
 	}
-	
+
 	value = (chunk_t *)(this->data_struct + offset);
 	DBG3(DBG_ENC, "   => %B", value);
-	
+
 	write_bytes_to_buffer(this, value->ptr, value->len);
 }
 
@@ -460,7 +460,7 @@ static void write_to_chunk(private_generator_t *this,chunk_t *data)
 {
 	int data_length = get_length(this);
 	u_int32_t header_length_field = data_length;
-	
+
 	/* write length into header length field */
 	if (this->header_length_position_offset > 0)
 	{
@@ -468,14 +468,14 @@ static void write_to_chunk(private_generator_t *this,chunk_t *data)
 		write_bytes_to_buffer_at_offset(this, &val, sizeof(u_int32_t),
 										this->header_length_position_offset);
 	}
-	
+
 	if (this->current_bit > 0)
 	{
 		data_length++;
 	}
 	*data = chunk_alloc(data_length);
 	memcpy(data->ptr, this->buffer, data_length);
-	
+
 	DBG3(DBG_ENC, "generated data of this generator %B", data);
 }
 
@@ -488,20 +488,20 @@ static void generate_payload (private_generator_t *this,payload_t *payload)
 	size_t rule_count;
 	encoding_rule_t *rules;
 	payload_type_t payload_type;
-	
+
 	this->data_struct = payload;
 	payload_type = payload->get_type(payload);
 	/* spi size has to get reseted */
 	this->last_spi_size = 0;
-	
+
 	offset_start = this->out_position - this->buffer;
-	
+
 	DBG2(DBG_ENC, "generating payload of type %N",
 		 payload_type_names, payload_type);
-	
+
 	/* each payload has its own encoding rules */
 	payload->get_encoding_rules(payload, &rules, &rule_count);
-	
+
 	for (i = 0; i < rule_count;i++)
 	{
 		DBG2(DBG_ENC, "  generating rule %d %N",
@@ -529,7 +529,7 @@ static void generate_payload (private_generator_t *this,payload_t *payload)
 			{
 				generate_reserved_field(this, 8);
 				break;
-			} 
+			}
 			case FLAG:
 			{
 				generate_flag(this, rules[i].offset);
@@ -578,7 +578,7 @@ static void generate_payload (private_generator_t *this,payload_t *payload)
 				u_int16_t length_of_payload;
 				u_int16_t header_length = 0;
 				u_int16_t length_in_network_order;
-				
+
 				switch(rules[i].type)
 				{
 					case KEY_EXCHANGE_DATA:
@@ -619,13 +619,13 @@ static void generate_payload (private_generator_t *this,payload_t *payload)
 						break;
 				}
 				generate_from_chunk(this, rules[i].offset);
-				
+
 				payload_length_position_offset =
 									this->last_payload_length_position_offset;
-				
-				length_of_payload = header_length + 
+
+				length_of_payload = header_length +
 						((chunk_t *)(this->data_struct + rules[i].offset))->len;
-				
+
 				length_in_network_order = htons(length_of_payload);
 				write_bytes_to_buffer_at_offset(this, &length_in_network_order,
 							sizeof(u_int16_t), payload_length_position_offset);
@@ -633,7 +633,7 @@ static void generate_payload (private_generator_t *this,payload_t *payload)
 			}
 			case PROPOSALS:
 			{
-				u_int32_t payload_length_position_offset = 
+				u_int32_t payload_length_position_offset =
 									this->last_payload_length_position_offset;
 				/* Length of SA_PAYLOAD is calculated */
 				u_int16_t length_of_sa_payload = SA_PAYLOAD_HEADER_LENGTH;
@@ -642,13 +642,13 @@ static void generate_payload (private_generator_t *this,payload_t *payload)
 										(this->data_struct + rules[i].offset));
 				iterator_t *iterator;
 				payload_t *current_proposal;
-				
+
 				iterator = proposals->create_iterator(proposals,TRUE);
 				while (iterator->iterate(iterator, (void**)&current_proposal))
 				{
 					u_int32_t before_generate_position_offset;
 					u_int32_t after_generate_position_offset;
-					
+
 					before_generate_position_offset = get_offset(this);
 					generate_payload(this, current_proposal);
 					after_generate_position_offset = get_offset(this);
@@ -656,7 +656,7 @@ static void generate_payload (private_generator_t *this,payload_t *payload)
 											 before_generate_position_offset);
 				}
 				iterator->destroy(iterator);
-				
+
 				int16_val = htons(length_of_sa_payload);
 				write_bytes_to_buffer_at_offset(this, &int16_val,
 							sizeof(u_int16_t),payload_length_position_offset);
@@ -664,36 +664,36 @@ static void generate_payload (private_generator_t *this,payload_t *payload)
 			}
 			case TRANSFORMS:
 			{
-				u_int32_t payload_length_position_offset = 
+				u_int32_t payload_length_position_offset =
 									this->last_payload_length_position_offset;
-				u_int16_t length_of_proposal = 
+				u_int16_t length_of_proposal =
 					PROPOSAL_SUBSTRUCTURE_HEADER_LENGTH + this->last_spi_size;
 				u_int16_t int16_val;
 				linked_list_t *transforms = *((linked_list_t **)
 										(this->data_struct + rules[i].offset));
 				iterator_t *iterator;
 				payload_t *current_transform;
-				
+
 				iterator = transforms->create_iterator(transforms,TRUE);
 				while (iterator->iterate(iterator, (void**)&current_transform))
 				{
 					u_int32_t before_generate_position_offset;
 					u_int32_t after_generate_position_offset;
-					
+
 					before_generate_position_offset = get_offset(this);
 					generate_payload(this, current_transform);
 					after_generate_position_offset = get_offset(this);
-					
+
 					length_of_proposal += (after_generate_position_offset -
 										   before_generate_position_offset);
 				}
 				iterator->destroy(iterator);
-				
+
 				int16_val = htons(length_of_proposal);
 				write_bytes_to_buffer_at_offset(this, &int16_val,
 							sizeof(u_int16_t), payload_length_position_offset);
 				break;
-			}	
+			}
 			case TRANSFORM_ATTRIBUTES:
 			{
 				u_int32_t transform_length_position_offset =
@@ -705,32 +705,32 @@ static void generate_payload (private_generator_t *this,payload_t *payload)
 									(this->data_struct + rules[i].offset));
 				iterator_t *iterator;
 				payload_t *current_attribute;
-				
+
 				iterator = transform_attributes->create_iterator(
 													transform_attributes, TRUE);
 				while (iterator->iterate(iterator, (void**)&current_attribute))
 				{
 					u_int32_t before_generate_position_offset;
 					u_int32_t after_generate_position_offset;
-					
+
 					before_generate_position_offset = get_offset(this);
 					generate_payload(this, current_attribute);
 					after_generate_position_offset = get_offset(this);
-					
+
 					length_of_transform += (after_generate_position_offset -
 											before_generate_position_offset);
 				}
-				
+
 				iterator->destroy(iterator);
-				
+
 				int16_val = htons(length_of_transform);
-				write_bytes_to_buffer_at_offset(this, &int16_val, 
+				write_bytes_to_buffer_at_offset(this, &int16_val,
 							sizeof(u_int16_t),transform_length_position_offset);
 				break;
 			}
 			case CONFIGURATION_ATTRIBUTES:
 			{
-				u_int32_t configurations_length_position_offset = 
+				u_int32_t configurations_length_position_offset =
 									this->last_payload_length_position_offset;
 				u_int16_t length_of_configurations = CP_PAYLOAD_HEADER_LENGTH;
 				u_int16_t int16_val;
@@ -738,29 +738,29 @@ static void generate_payload (private_generator_t *this,payload_t *payload)
 										(this->data_struct + rules[i].offset));
 				iterator_t *iterator;
 				payload_t *current_attribute;
-				
+
 				iterator = configuration_attributes->create_iterator(
 												configuration_attributes,TRUE);
 				while (iterator->iterate(iterator, (void**)&current_attribute))
 				{
 					u_int32_t before_generate_position_offset;
 					u_int32_t after_generate_position_offset;
-					
+
 					before_generate_position_offset = get_offset(this);
 					generate_payload(this, current_attribute);
 					after_generate_position_offset = get_offset(this);
-					
+
 					length_of_configurations += after_generate_position_offset -
 											before_generate_position_offset;
 				}
-				
+
 				iterator->destroy(iterator);
-				
+
 				int16_val = htons(length_of_configurations);
-				write_bytes_to_buffer_at_offset(this, &int16_val, 
+				write_bytes_to_buffer_at_offset(this, &int16_val,
 					 sizeof(u_int16_t),configurations_length_position_offset);
 				break;
-			}	
+			}
 			case ATTRIBUTE_FORMAT:
 			{
 				generate_flag(this, rules[i].offset);
@@ -768,7 +768,7 @@ static void generate_payload (private_generator_t *this,payload_t *payload)
 				this->attribute_format =
 							*((bool *)(this->data_struct + rules[i].offset));
 				break;
-			}	
+			}
 
 			case ATTRIBUTE_LENGTH_OR_VALUE:
 			{
@@ -797,7 +797,7 @@ static void generate_payload (private_generator_t *this,payload_t *payload)
 			}
 			case TRAFFIC_SELECTORS:
 			{
-				u_int32_t payload_length_position_offset = 
+				u_int32_t payload_length_position_offset =
 									this->last_payload_length_position_offset;
 				u_int16_t length_of_ts_payload = TS_PAYLOAD_HEADER_LENGTH;
 				u_int16_t int16_val;
@@ -805,29 +805,29 @@ static void generate_payload (private_generator_t *this,payload_t *payload)
 										(this->data_struct + rules[i].offset));
 				iterator_t *iterator;
 				payload_t *current_tss;
-				
+
 				iterator = traffic_selectors->create_iterator(
 													traffic_selectors,TRUE);
 				while (iterator->iterate(iterator, (void **)&current_tss))
 				{
 					u_int32_t before_generate_position_offset;
 					u_int32_t after_generate_position_offset;
-					
+
 					before_generate_position_offset = get_offset(this);
 					generate_payload(this, current_tss);
 					after_generate_position_offset = get_offset(this);
-					
+
 					length_of_ts_payload += (after_generate_position_offset -
 											 before_generate_position_offset);
 				}
 				iterator->destroy(iterator);
-				
+
 				int16_val = htons(length_of_ts_payload);
 				write_bytes_to_buffer_at_offset(this, &int16_val,
 							sizeof(u_int16_t),payload_length_position_offset);
 				break;
-			}	
-			
+			}
+
 			case ENCRYPTED_DATA:
 			{
 				generate_from_chunk(this, rules[i].offset);
@@ -869,10 +869,10 @@ generator_t *generator_create()
 	this->public.generate_payload = (void(*)(generator_t*, payload_t *))generate_payload;
 	this->public.destroy = (void(*)(generator_t*)) destroy;
 	this->public.write_to_chunk = (void (*) (generator_t *,chunk_t *))write_to_chunk;
-	
+
 	/* allocate memory for buffer */
 	this->buffer = malloc(GENERATOR_DATA_BUFFER_SIZE);
-	
+
 	/* initiate private variables */
 	this->out_position = this->buffer;
 	this->roof_position = this->buffer + GENERATOR_DATA_BUFFER_SIZE;
@@ -880,7 +880,9 @@ generator_t *generator_create()
 	this->current_bit = 0;
 	this->last_payload_length_position_offset = 0;
 	this->header_length_position_offset = 0;
-	
+	this->attribute_format = FALSE;
+	this->attribute_length = 0;
+
 	return &(this->public);
 }
 
diff --git a/src/charon/encoding/generator.h b/src/charon/encoding/generator.h
index f6fb8981c..2221c84af 100644
--- a/src/charon/encoding/generator.h
+++ b/src/charon/encoding/generator.h
@@ -44,7 +44,7 @@ typedef struct generator_t generator_t;
  * A generator_t class used to generate IKEv2 payloads.
  *
  * After creation, multiple payloads can be generated with the generate_payload
- * method. The generated bytes are appended. After all payloads are added, 
+ * method. The generated bytes are appended. After all payloads are added,
  * the write_to_chunk method writes out all generated data since
  * the creation of the generator. After that, the generator must be destroyed.
  * The generater uses a set of encoding rules, which it can get from
@@ -52,7 +52,7 @@ typedef struct generator_t generator_t;
  * the payload and all substructures automatically.
  */
 struct generator_t {
-	
+
 	/**
 	 * Generates a specific payload from given payload object.
 	 *
@@ -61,14 +61,14 @@ struct generator_t {
 	 * @param payload 		interface payload_t implementing object
 	 */
 	void (*generate_payload) (generator_t *this,payload_t *payload);
-	
+
 	/**
 	 * Writes all generated data of the generator to a chunk.
 	 *
 	 * @param data 		chunk to write the data to
 	 */
 	void (*write_to_chunk) (generator_t *this,chunk_t *data);
-	
+
 	/**
 	 * Destroys a generator_t object.
 	 */
@@ -77,7 +77,7 @@ struct generator_t {
 
 /**
  * Constructor to create a generator.
- * 
+ *
  * @return generator_t object.
  */
 generator_t *generator_create(void);
diff --git a/src/charon/encoding/message.c b/src/charon/encoding/message.c
index 7c6fdb499..397a3c609 100644
--- a/src/charon/encoding/message.c
+++ b/src/charon/encoding/message.c
@@ -47,7 +47,7 @@ typedef struct payload_rule_t payload_rule_t;
 
 /**
  * A payload rule defines the rules for a payload
- * in a specific message rule. It defines if and how 
+ * in a specific message rule. It defines if and how
  * many times a payload must/can occur in a message
  * and if it must be encrypted.
  */
@@ -56,7 +56,7 @@ struct payload_rule_t {
 	 * Payload type.
 	 */
 	 payload_type_t payload_type;
-	 
+
 	 /**
 	  * Minimal occurence of this payload.
 	  */
@@ -66,15 +66,15 @@ struct payload_rule_t {
 	  * Max occurence of this payload.
 	  */
 	 size_t max_occurence;
-	 
+
 	 /**
 	  * TRUE if payload must be encrypted
 	  */
 	 bool encrypted;
-	 
+
 	 /**
 	  * If this payload occurs, the message rule is
-	  * fullfilled in any case. This applies e.g. to 
+	  * fullfilled in any case. This applies e.g. to
 	  * notify_payloads.
 	  */
 	 bool sufficient;
@@ -88,11 +88,11 @@ typedef struct payload_order_t payload_order_t;
 struct payload_order_t {
 
 	/**
-	 * payload type 
+	 * payload type
 	 */
 	payload_type_t type;
-	
-	/** 
+
+	/**
 	 * notify type, if payload == NOTIFY
 	 */
 	notify_type_t notify;
@@ -111,7 +111,7 @@ struct message_rule_t {
 	 * Type of message.
 	 */
 	exchange_type_t exchange_type;
-	
+
 	/**
 	 * Is message a request or response.
 	 */
@@ -121,22 +121,22 @@ struct message_rule_t {
 	 * Message contains encrypted content.
 	 */
 	bool encrypted_content;
-	
+
 	/**
 	 * Number of payload rules which will follow
 	 */
 	int payload_rule_count;
-	 
+
 	/**
 	 * Pointer to first payload rule
 	 */
 	payload_rule_t *payload_rules;
-	
+
 	/**
 	 * Number of payload order rules
 	 */
 	int payload_order_count;
-	
+
 	/**
 	 * payload ordering rules
 	 */
@@ -161,9 +161,9 @@ static payload_rule_t ike_sa_init_i_payload_rules[] = {
 static payload_order_t ike_sa_init_i_payload_order[] = {
 /*	payload type					notify type */
 	{NOTIFY,						COOKIE},
-	{SECURITY_ASSOCIATION, 			0},
-	{KEY_EXCHANGE, 					0},
-	{NONCE, 						0},
+	{SECURITY_ASSOCIATION,			0},
+	{KEY_EXCHANGE,					0},
+	{NONCE,							0},
 	{NOTIFY,						NAT_DETECTION_SOURCE_IP},
 	{NOTIFY,						NAT_DETECTION_DESTINATION_IP},
 	{NOTIFY,						0},
@@ -187,9 +187,9 @@ static payload_rule_t ike_sa_init_r_payload_rules[] = {
  */
 static payload_order_t ike_sa_init_r_payload_order[] = {
 /*	payload type					notify type */
-	{SECURITY_ASSOCIATION, 			0},
-	{KEY_EXCHANGE, 					0},
-	{NONCE, 						0},
+	{SECURITY_ASSOCIATION,			0},
+	{KEY_EXCHANGE,					0},
+	{NONCE,							0},
 	{NOTIFY,						NAT_DETECTION_SOURCE_IP},
 	{NOTIFY,						NAT_DETECTION_DESTINATION_IP},
 	{NOTIFY,						HTTP_CERT_LOOKUP_SUPPORTED},
@@ -241,7 +241,7 @@ static payload_order_t ike_auth_i_payload_order[] = {
 	{NOTIFY,						USE_TRANSPORT_MODE},
 	{NOTIFY,						ESP_TFC_PADDING_NOT_SUPPORTED},
 	{NOTIFY,						NON_FIRST_FRAGMENTS_ALSO},
-	{SECURITY_ASSOCIATION, 			0},
+	{SECURITY_ASSOCIATION,			0},
 	{TRAFFIC_SELECTOR_INITIATOR,	0},
 	{TRAFFIC_SELECTOR_RESPONDER,	0},
 	{NOTIFY,						MOBIKE_SUPPORTED},
@@ -283,7 +283,7 @@ static payload_order_t ike_auth_r_payload_order[] = {
 	{NOTIFY,						USE_TRANSPORT_MODE},
 	{NOTIFY,						ESP_TFC_PADDING_NOT_SUPPORTED},
 	{NOTIFY,						NON_FIRST_FRAGMENTS_ALSO},
-	{SECURITY_ASSOCIATION, 			0},
+	{SECURITY_ASSOCIATION,			0},
 	{TRAFFIC_SELECTOR_INITIATOR,	0},
 	{TRAFFIC_SELECTOR_RESPONDER,	0},
 	{NOTIFY,						AUTH_LIFETIME},
@@ -370,9 +370,9 @@ static payload_order_t create_child_sa_i_payload_order[] = {
 	{NOTIFY,						USE_TRANSPORT_MODE},
 	{NOTIFY,						ESP_TFC_PADDING_NOT_SUPPORTED},
 	{NOTIFY,						NON_FIRST_FRAGMENTS_ALSO},
-	{SECURITY_ASSOCIATION, 			0},
+	{SECURITY_ASSOCIATION,			0},
 	{NONCE,							0},
-	{KEY_EXCHANGE, 					0},
+	{KEY_EXCHANGE,					0},
 	{TRAFFIC_SELECTOR_INITIATOR,	0},
 	{TRAFFIC_SELECTOR_RESPONDER,	0},
 	{NOTIFY,						0},
@@ -402,9 +402,9 @@ static payload_order_t create_child_sa_r_payload_order[] = {
 	{NOTIFY,						USE_TRANSPORT_MODE},
 	{NOTIFY,						ESP_TFC_PADDING_NOT_SUPPORTED},
 	{NOTIFY,						NON_FIRST_FRAGMENTS_ALSO},
-	{SECURITY_ASSOCIATION, 			0},
+	{SECURITY_ASSOCIATION,			0},
 	{NONCE,							0},
-	{KEY_EXCHANGE, 					0},
+	{KEY_EXCHANGE,					0},
 	{TRAFFIC_SELECTOR_INITIATOR,	0},
 	{TRAFFIC_SELECTOR_RESPONDER,	0},
 	{NOTIFY,						ADDITIONAL_TS_POSSIBLE},
@@ -516,7 +516,7 @@ static message_rule_t message_rules[] = {
 		(sizeof(me_connect_r_payload_order)/sizeof(payload_order_t)),
 		me_connect_r_payload_order,
 	},
-#endif /* ME */	
+#endif /* ME */
 };
 
 
@@ -536,12 +536,12 @@ struct private_message_t {
 	 * Minor version of message.
 	 */
 	u_int8_t major_version;
-	
+
 	/**
 	 * Major version of message.
 	 */
 	u_int8_t minor_version;
-	
+
 	/**
 	 * First Payload in message.
 	 */
@@ -556,32 +556,32 @@ struct private_message_t {
 	 * TRUE if message is a request, FALSE if a reply.
 	 */
 	bool is_request;
-	
+
 	/**
 	 * Message ID of this message.
 	 */
 	u_int32_t message_id;
-	
+
 	/**
 	 * ID of assigned IKE_SA.
 	 */
 	ike_sa_id_t *ike_sa_id;
-	
+
 	/**
 	 * Assigned UDP packet, stores incoming packet or last generated one.
 	 */
 	packet_t *packet;
-	 
+
 	/**
 	 * Linked List where payload data are stored in.
 	 */
 	linked_list_t *payloads;
-	
+
 	 /**
 	  * Assigned parser to parse Header and Body of this message.
 	  */
 	parser_t *parser;
-	
+
 	/**
 	 * The message rule for this message instance
 	 */
@@ -594,7 +594,7 @@ struct private_message_t {
 static  status_t set_message_rule(private_message_t *this)
 {
 	int i;
-		
+
 	for (i = 0; i < (sizeof(message_rules) / sizeof(message_rule_t)); i++)
 	{
 		if ((this->exchange_type == message_rules[i].exchange_type) &&
@@ -612,10 +612,11 @@ static  status_t set_message_rule(private_message_t *this)
 /**
  * Implementation of private_message_t.get_payload_rule.
  */
-static status_t get_payload_rule(private_message_t *this, payload_type_t payload_type, payload_rule_t **payload_rule)
+static status_t get_payload_rule(private_message_t *this,
+					payload_type_t payload_type, payload_rule_t **payload_rule)
 {
 	int i;
-	
+
 	for (i = 0; i < this->message_rule->payload_rule_count;i++)
 	{
 		if (this->message_rule->payload_rules[i].payload_type == payload_type)
@@ -624,7 +625,7 @@ static status_t get_payload_rule(private_message_t *this, payload_type_t payload
 			return SUCCESS;
 		}
 	}
-	
+
 	*payload_rule = NULL;
 	return NOT_FOUND;
 }
@@ -632,7 +633,7 @@ static status_t get_payload_rule(private_message_t *this, payload_type_t payload
 /**
  * Implementation of message_t.set_ike_sa_id.
  */
-static void set_ike_sa_id (private_message_t *this,ike_sa_id_t *ike_sa_id)
+static void set_ike_sa_id(private_message_t *this,ike_sa_id_t *ike_sa_id)
 {
 	DESTROY_IF(this->ike_sa_id);
 	this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
@@ -641,7 +642,7 @@ static void set_ike_sa_id (private_message_t *this,ike_sa_id_t *ike_sa_id)
 /**
  * Implementation of message_t.get_ike_sa_id.
  */
-static ike_sa_id_t* get_ike_sa_id (private_message_t *this)
+static ike_sa_id_t* get_ike_sa_id(private_message_t *this)
 {
 	return this->ike_sa_id;
 }
@@ -649,7 +650,7 @@ static ike_sa_id_t* get_ike_sa_id (private_message_t *this)
 /**
  * Implementation of message_t.set_message_id.
  */
-static void set_message_id (private_message_t *this,u_int32_t message_id)
+static void set_message_id(private_message_t *this,u_int32_t message_id)
 {
 	this->message_id = message_id;
 }
@@ -657,7 +658,7 @@ static void set_message_id (private_message_t *this,u_int32_t message_id)
 /**
  * Implementation of message_t.get_message_id.
  */
-static u_int32_t get_message_id (private_message_t *this)
+static u_int32_t get_message_id(private_message_t *this)
 {
 	return this->message_id;
 }
@@ -665,7 +666,7 @@ static u_int32_t get_message_id (private_message_t *this)
 /**
  * Implementation of message_t.get_initiator_spi.
  */
-static u_int64_t get_initiator_spi (private_message_t *this)
+static u_int64_t get_initiator_spi(private_message_t *this)
 {
 	return (this->ike_sa_id->get_initiator_spi(this->ike_sa_id));
 }
@@ -673,7 +674,7 @@ static u_int64_t get_initiator_spi (private_message_t *this)
 /**
  * Implementation of message_t.get_responder_spi.
  */
-static u_int64_t get_responder_spi (private_message_t *this)
+static u_int64_t get_responder_spi(private_message_t *this)
 {
 	return (this->ike_sa_id->get_responder_spi(this->ike_sa_id));
 }
@@ -681,16 +682,15 @@ static u_int64_t get_responder_spi (private_message_t *this)
 /**
  * Implementation of message_t.set_major_version.
  */
-static void set_major_version (private_message_t *this,u_int8_t major_version)
+static void set_major_version(private_message_t *this,u_int8_t major_version)
 {
 	this->major_version = major_version;
 }
 
-
 /**
  * Implementation of message_t.set_major_version.
  */
-static u_int8_t get_major_version (private_message_t *this)
+static u_int8_t get_major_version(private_message_t *this)
 {
 	return this->major_version;
 }
@@ -698,7 +698,7 @@ static u_int8_t get_major_version (private_message_t *this)
 /**
  * Implementation of message_t.set_minor_version.
  */
-static void set_minor_version (private_message_t *this,u_int8_t minor_version)
+static void set_minor_version(private_message_t *this,u_int8_t minor_version)
 {
 	this->minor_version = minor_version;
 }
@@ -706,7 +706,7 @@ static void set_minor_version (private_message_t *this,u_int8_t minor_version)
 /**
  * Implementation of message_t.get_minor_version.
  */
-static u_int8_t get_minor_version (private_message_t *this)
+static u_int8_t get_minor_version(private_message_t *this)
 {
 	return this->minor_version;
 }
@@ -714,7 +714,8 @@ static u_int8_t get_minor_version (private_message_t *this)
 /**
  * Implementation of message_t.set_exchange_type.
  */
-static void set_exchange_type (private_message_t *this,exchange_type_t exchange_type)
+static void set_exchange_type(private_message_t *this,
+							  exchange_type_t exchange_type)
 {
 	this->exchange_type = exchange_type;
 }
@@ -722,7 +723,7 @@ static void set_exchange_type (private_message_t *this,exchange_type_t exchange_
 /**
  * Implementation of message_t.get_exchange_type.
  */
-static exchange_type_t get_exchange_type (private_message_t *this)
+static exchange_type_t get_exchange_type(private_message_t *this)
 {
 	return this->exchange_type;
 }
@@ -730,7 +731,7 @@ static exchange_type_t get_exchange_type (private_message_t *this)
 /**
  * Implementation of message_t.get_first_payload_type.
  */
-static payload_type_t get_first_payload_type (private_message_t *this)
+static payload_type_t get_first_payload_type(private_message_t *this)
 {
 	return this->first_payload;
 }
@@ -738,7 +739,7 @@ static payload_type_t get_first_payload_type (private_message_t *this)
 /**
  * Implementation of message_t.set_request.
  */
-static void set_request (private_message_t *this,bool request)
+static void set_request(private_message_t *this, bool request)
 {
 	this->is_request = request;
 }
@@ -746,7 +747,7 @@ static void set_request (private_message_t *this,bool request)
 /**
  * Implementation of message_t.get_request.
  */
-static exchange_type_t get_request (private_message_t *this)
+static exchange_type_t get_request(private_message_t *this)
 {
 	return this->is_request;
 }
@@ -757,7 +758,7 @@ static exchange_type_t get_request (private_message_t *this)
 static bool is_encoded(private_message_t *this)
 {
 	chunk_t data = this->packet->get_data(this->packet);
-	
+
 	if (data.ptr == NULL)
 	{
 		return FALSE;
@@ -791,15 +792,15 @@ static void add_payload(private_message_t *this, payload_t *payload)
 /**
  * Implementation of message_t.add_notify.
  */
-static void add_notify(private_message_t *this, bool flush, notify_type_t type, 
+static void add_notify(private_message_t *this, bool flush, notify_type_t type,
 					   chunk_t data)
 {
 	notify_payload_t *notify;
 	payload_t *payload;
-	
+
 	if (flush)
 	{
-		while (this->payloads->remove_last(this->payloads, 
+		while (this->payloads->remove_last(this->payloads,
 												(void**)&payload) == SUCCESS)
 		{
 			payload->destroy(payload);
@@ -858,7 +859,7 @@ static payload_t *get_payload(private_message_t *this, payload_type_t type)
 {
 	payload_t *current, *found = NULL;
 	enumerator_t *enumerator;
-	
+
 	enumerator = create_payload_enumerator(this);
 	while (enumerator->enumerate(enumerator, &current))
 	{
@@ -880,7 +881,7 @@ static notify_payload_t* get_notify(private_message_t *this, notify_type_t type)
 	enumerator_t *enumerator;
 	notify_payload_t *notify = NULL;
 	payload_t *payload;
-	
+
 	enumerator = create_payload_enumerator(this);
 	while (enumerator->enumerate(enumerator, &payload))
 	{
@@ -907,12 +908,12 @@ static char* get_string(private_message_t *this, char *buf, int len)
 	payload_t *payload;
 	int written;
 	char *pos = buf;
-	
+
 	memset(buf, 0, len);
 	len--;
-	
+
 	written = snprintf(pos, len, "%N %s %d [",
-					   exchange_type_names, this->exchange_type, 
+					   exchange_type_names, this->exchange_type,
 					   this->is_request ? "request" : "response",
 					   this->message_id);
 	if (written >= len || written < 0)
@@ -921,12 +922,12 @@ static char* get_string(private_message_t *this, char *buf, int len)
 	}
 	pos += written;
 	len -= written;
-	
+
 	enumerator = create_payload_enumerator(this);
 	while (enumerator->enumerate(enumerator, &payload))
 	{
 		written = snprintf(pos, len, " %N", payload_type_short_names,
-				  		   payload->get_type(payload));
+						   payload->get_type(payload));
 		if (written >= len || written < 0)
 		{
 			return buf;
@@ -937,7 +938,36 @@ static char* get_string(private_message_t *this, char *buf, int len)
 		{
 			notify_payload_t *notify = (notify_payload_t*)payload;
 			written = snprintf(pos, len, "(%N)", notify_type_short_names,
-					  		   notify->get_notify_type(notify));
+							   notify->get_notify_type(notify));
+			if (written >= len || written < 0)
+			{
+				return buf;
+			}
+			pos += written;
+			len -= written;
+		}
+		if (payload->get_type(payload) == EXTENSIBLE_AUTHENTICATION)
+		{
+			eap_payload_t *eap = (eap_payload_t*)payload;
+			u_int32_t vendor;
+			eap_type_t type;
+			char method[64] = "";
+
+			type = eap->get_type(eap, &vendor);
+			if (type)
+			{
+				if (vendor)
+				{
+					snprintf(method, sizeof(method), "/%d-%d", type, vendor);
+				}
+				else
+				{
+					snprintf(method, sizeof(method), "/%N",
+							 eap_type_short_names, type);
+				}
+			}
+			written = snprintf(pos, len, "/%N%s", eap_code_short_names,
+							   eap->get_code(eap), method);
 			if (written >= len || written < 0)
 			{
 				return buf;
@@ -947,7 +977,7 @@ static char* get_string(private_message_t *this, char *buf, int len)
 		}
 	}
 	enumerator->destroy(enumerator);
-	
+
 	/* remove last space */
 	snprintf(pos, len, " ]");
 	return buf;
@@ -961,7 +991,7 @@ static void order_payloads(private_message_t *this)
 	linked_list_t *list;
 	payload_t *payload;
 	int i;
-	
+
 	/* move to temp list */
 	list = linked_list_create();
 	while (this->payloads->remove_last(this->payloads,
@@ -975,7 +1005,7 @@ static void order_payloads(private_message_t *this)
 		enumerator_t *enumerator;
 		notify_payload_t *notify;
 		payload_order_t order = this->message_rule->payload_order[i];
-		
+
 		/* ... find all payload ... */
 		enumerator = list->create_enumerator(list);
 		while (enumerator->enumerate(enumerator, &payload))
@@ -984,7 +1014,7 @@ static void order_payloads(private_message_t *this)
 			if (payload->get_type(payload) == order.type)
 			{
 				notify = (notify_payload_t*)payload;
-			
+
 				/**... and check notify for type. */
 				if (order.type != NOTIFY || order.notify == 0 ||
 					order.notify == notify->get_notify_type(notify))
@@ -992,17 +1022,21 @@ static void order_payloads(private_message_t *this)
 					list->remove_at(list, enumerator);
 					add_payload(this, payload);
 				}
-			} 
+			}
 		}
 		enumerator->destroy(enumerator);
 	}
 	/* append all payloads without a rule to the end */
 	while (list->remove_last(list, (void**)&payload) == SUCCESS)
 	{
-		DBG1(DBG_ENC, "payload %N has no ordering rule in %N %s",
-			 payload_type_names, payload->get_type(payload),
-			 exchange_type_names, this->message_rule->exchange_type,
-			 this->message_rule->is_request ? "request" : "response");
+		/* do not complain about payloads in private use space */
+		if (payload->get_type(payload) < 128)
+		{
+			DBG1(DBG_ENC, "payload %N has no ordering rule in %N %s",
+				 payload_type_names, payload->get_type(payload),
+				 exchange_type_names, this->message_rule->exchange_type,
+				 this->message_rule->is_request ? "request" : "response");
+		}
 		add_payload(this, payload);
 	}
 	list->destroy(list);
@@ -1014,80 +1048,73 @@ static void order_payloads(private_message_t *this)
 static status_t encrypt_payloads(private_message_t *this,
 								 crypter_t *crypter, signer_t* signer)
 {
-	encryption_payload_t *encryption_payload = NULL;
+	encryption_payload_t *encryption;
+	linked_list_t *payloads;
+	payload_t *current;
 	status_t status;
-	linked_list_t *all_payloads;
-	
+
 	if (!this->message_rule->encrypted_content)
 	{
 		DBG2(DBG_ENC, "message doesn't have to be encrypted");
 		/* message contains no content to encrypt */
 		return SUCCESS;
 	}
-	
+
 	if (!crypter || !signer)
 	{
 		DBG2(DBG_ENC, "no crypter or signer specified, do not encrypt message");
 		/* message contains no content to encrypt */
 		return SUCCESS;
 	}
-	
+
 	DBG2(DBG_ENC, "copy all payloads to a temporary list");
-	all_payloads = linked_list_create();
-	
+	payloads = linked_list_create();
+
 	/* first copy all payloads in a temporary list */
 	while (this->payloads->get_count(this->payloads) > 0)
 	{
-		void *current_payload;
-		this->payloads->remove_first(this->payloads,&current_payload);
-		all_payloads->insert_last(all_payloads,current_payload);
+		this->payloads->remove_first(this->payloads, (void**)&current);
+		payloads->insert_last(payloads, current);
 	}
-	
-	encryption_payload = encryption_payload_create();
+
+	encryption = encryption_payload_create();
 
 	DBG2(DBG_ENC, "check each payloads if they have to get encrypted");
-	while (all_payloads->get_count(all_payloads) > 0)
+	while (payloads->get_count(payloads) > 0)
 	{
-		payload_rule_t *payload_rule;
-		payload_t *current_payload;
-		bool to_encrypt = FALSE;
-		
-		all_payloads->remove_first(all_payloads,(void **)&current_payload);
-		
-		status = get_payload_rule(this,
-					current_payload->get_type(current_payload),&payload_rule);
-		/* for payload types which are not found in supported payload list, 
-		 * it is presumed that they don't have to be encrypted */
-		if ((status == SUCCESS) && (payload_rule->encrypted))
+		payload_rule_t *rule;
+		payload_type_t type;
+		bool to_encrypt = TRUE;
+
+		payloads->remove_first(payloads, (void**)&current);
+
+		type = current->get_type(current);
+		if (get_payload_rule(this, type, &rule) == SUCCESS)
 		{
-			DBG2(DBG_ENC, "payload %N gets encrypted",
-				 payload_type_names, current_payload->get_type(current_payload));
-			to_encrypt = TRUE;
+			to_encrypt = rule->encrypted;
 		}
-		
 		if (to_encrypt)
 		{
 			DBG2(DBG_ENC, "insert payload %N to encryption payload",
-				 payload_type_names, current_payload->get_type(current_payload));
-			encryption_payload->add_payload(encryption_payload,current_payload);
+				 payload_type_names, current->get_type(current));
+			encryption->add_payload(encryption, current);
 		}
 		else
 		{
 			DBG2(DBG_ENC, "insert payload %N unencrypted",
-				 payload_type_names ,current_payload->get_type(current_payload));
-			add_payload(this, (payload_t*)encryption_payload);
+				 payload_type_names, current->get_type(current));
+			add_payload(this, (payload_t*)current);
 		}
 	}
 
-	status = SUCCESS;
 	DBG2(DBG_ENC, "encrypting encryption payload");
-	encryption_payload->set_transforms(encryption_payload, crypter,signer);
-	status = encryption_payload->encrypt(encryption_payload);
+	encryption->set_transforms(encryption, crypter, signer);
+	status = encryption->encrypt(encryption);
 	DBG2(DBG_ENC, "add encrypted payload to payload list");
-	add_payload(this, (payload_t*)encryption_payload);
-	
-	all_payloads->destroy(all_payloads);
-	
+	add_payload(this, (payload_t*)encryption);
+
+	payloads->destroy(payloads);
+
 	return status;
 }
 
@@ -1104,28 +1131,28 @@ static status_t generate(private_message_t *this, crypter_t *crypter,
 	status_t status;
 	chunk_t packet_data;
 	char str[256];
-	
+
 	if (is_encoded(this))
 	{
 		/* already generated, return a new packet clone */
 		*packet = this->packet->clone(this->packet);
 		return SUCCESS;
 	}
-	
+
 	if (this->exchange_type == EXCHANGE_TYPE_UNDEFINED)
 	{
 		DBG1(DBG_ENC, "exchange type is not defined");
 		return INVALID_STATE;
 	}
-	
+
 	if (this->packet->get_source(this->packet) == NULL ||
-		this->packet->get_destination(this->packet) == NULL) 
+		this->packet->get_destination(this->packet) == NULL)
 	{
 		DBG1(DBG_ENC, "%s not defined",
 			 !this->packet->get_source(this->packet) ? "source" : "destination");
 		return INVALID_STATE;
 	}
-	
+
 	/* set the rules for this messge */
 	status = set_message_rule(this);
 	if (status != SUCCESS)
@@ -1133,11 +1160,11 @@ static status_t generate(private_message_t *this, crypter_t *crypter,
 		DBG1(DBG_ENC, "no message rules specified for this message type");
 		return NOT_SUPPORTED;
 	}
-	
+
 	order_payloads(this);
-	
+
 	DBG1(DBG_ENC, "generating %s", get_string(this, str, sizeof(str)));
-	
+
 	/* going to encrypt all content which have to be encrypted */
 	status = encrypt_payloads(this, crypter, signer);
 	if (status != SUCCESS)
@@ -1145,21 +1172,24 @@ static status_t generate(private_message_t *this, crypter_t *crypter,
 		DBG1(DBG_ENC, "payload encryption failed");
 		return status;
 	}
-	
+
 	/* build ike header */
 	ike_header = ike_header_create();
-	
+
 	ike_header->set_exchange_type(ike_header, this->exchange_type);
 	ike_header->set_message_id(ike_header, this->message_id);
 	ike_header->set_response_flag(ike_header, !this->is_request);
-	ike_header->set_initiator_flag(ike_header, this->ike_sa_id->is_initiator(this->ike_sa_id));
-	ike_header->set_initiator_spi(ike_header, this->ike_sa_id->get_initiator_spi(this->ike_sa_id));
-	ike_header->set_responder_spi(ike_header, this->ike_sa_id->get_responder_spi(this->ike_sa_id));
-	
+	ike_header->set_initiator_flag(ike_header,
+						this->ike_sa_id->is_initiator(this->ike_sa_id));
+	ike_header->set_initiator_spi(ike_header,
+						this->ike_sa_id->get_initiator_spi(this->ike_sa_id));
+	ike_header->set_responder_spi(ike_header,
+						this->ike_sa_id->get_responder_spi(this->ike_sa_id));
+
 	generator = generator_create();
-	
+
 	payload = (payload_t*)ike_header;
-	
+
 	/* generate every payload expect last one, this is done later*/
 	enumerator = create_payload_enumerator(this);
 	while (enumerator->enumerate(enumerator, &next_payload))
@@ -1169,18 +1199,18 @@ static status_t generate(private_message_t *this, crypter_t *crypter,
 		payload = next_payload;
 	}
 	enumerator->destroy(enumerator);
-	
+
 	/* last payload has no next payload*/
 	payload->set_next_type(payload, NO_PAYLOAD);
 
 	generator->generate_payload(generator, payload);
 
 	ike_header->destroy(ike_header);
-		
+
 	/* build packet */
 	generator->write_to_chunk(generator, &packet_data);
 	generator->destroy(generator);
-	
+
 	/* if last payload is of type encrypted, integrity checksum if necessary */
 	if (payload->get_type(payload) == ENCRYPTED)
 	{
@@ -1192,12 +1222,12 @@ static status_t generate(private_message_t *this, crypter_t *crypter,
 			return status;
 		}
 	}
-	
+
 	this->packet->set_data(this->packet, packet_data);
-	
+
 	/* clone packet for caller */
 	*packet = this->packet->clone(this->packet);
-	
+
 	DBG2(DBG_ENC, "message generated successfully");
 	return SUCCESS;
 }
@@ -1205,7 +1235,7 @@ static status_t generate(private_message_t *this, crypter_t *crypter,
 /**
  * Implementation of message_t.get_packet.
  */
-static packet_t *get_packet (private_message_t *this)
+static packet_t *get_packet(private_message_t *this)
 {
 	if (this->packet == NULL)
 	{
@@ -1217,7 +1247,7 @@ static packet_t *get_packet (private_message_t *this)
 /**
  * Implementation of message_t.get_packet_data.
  */
-static chunk_t get_packet_data (private_message_t *this)
+static chunk_t get_packet_data(private_message_t *this)
 {
 	if (this->packet == NULL)
 	{
@@ -1233,48 +1263,51 @@ static status_t parse_header(private_message_t *this)
 {
 	ike_header_t *ike_header;
 	status_t status;
-	
+
 	DBG2(DBG_ENC, "parsing header of message");
-	
+
 	this->parser->reset_context(this->parser);
-	status = this->parser->parse_payload(this->parser,HEADER,(payload_t **) &ike_header);
+	status = this->parser->parse_payload(this->parser, HEADER,
+										 (payload_t**)&ike_header);
 	if (status != SUCCESS)
 	{
 		DBG1(DBG_ENC, "header could not be parsed");
 		return status;
-		
+
 	}
-	
+
 	/* verify payload */
-	status = ike_header->payload_interface.verify(&(ike_header->payload_interface));
+	status = ike_header->payload_interface.verify(
+										&ike_header->payload_interface);
 	if (status != SUCCESS)
 	{
 		DBG1(DBG_ENC, "header verification failed");
 		ike_header->destroy(ike_header);
 		return status;
 	}
-	
+
 	if (this->ike_sa_id != NULL)
 	{
 		this->ike_sa_id->destroy(this->ike_sa_id);
 	}
-	
+
 	this->ike_sa_id = ike_sa_id_create(ike_header->get_initiator_spi(ike_header),
-									   ike_header->get_responder_spi(ike_header),
-									   ike_header->get_initiator_flag(ike_header));
+									ike_header->get_responder_spi(ike_header),
+									ike_header->get_initiator_flag(ike_header));
 
 	this->exchange_type = ike_header->get_exchange_type(ike_header);
 	this->message_id = ike_header->get_message_id(ike_header);
 	this->is_request = (!(ike_header->get_response_flag(ike_header)));
 	this->major_version = ike_header->get_maj_version(ike_header);
 	this->minor_version = ike_header->get_min_version(ike_header);
-	this->first_payload = ike_header->payload_interface.get_next_type(&(ike_header->payload_interface));
-	
+	this->first_payload = ike_header->payload_interface.get_next_type(
+												&ike_header->payload_interface);
+
 	DBG2(DBG_ENC, "parsed a %N %s", exchange_type_names, this->exchange_type,
 		 this->is_request ? "request" : "response");
-	
+
 	ike_header->destroy(ike_header);
-	
+
 	/* get the rules for this messge */
 	status = set_message_rule(this);
 	if (status != SUCCESS)
@@ -1283,14 +1316,15 @@ static status_t parse_header(private_message_t *this)
 			 exchange_type_names, this->exchange_type,
 			 this->is_request ? "request" : "response");
 	}
-	
+
 	return status;
 }
 
 /**
  * Implementation of private_message_t.decrypt_and_verify_payloads.
  */
-static status_t decrypt_payloads(private_message_t *this,crypter_t *crypter, signer_t* signer)
+static status_t decrypt_payloads(private_message_t *this, crypter_t *crypter,
+								 signer_t* signer)
 {
 	bool current_payload_was_encrypted = FALSE;
 	payload_t *previous_payload = NULL;
@@ -1306,20 +1340,20 @@ static status_t decrypt_payloads(private_message_t *this,crypter_t *crypter, sig
 	{
 		payload_rule_t *payload_rule;
 		payload_type_t current_payload_type;
-		
+
 		/* needed to check */
 		current_payload_type = current_payload->get_type(current_payload);
-		
+
 		DBG2(DBG_ENC, "process payload of type %N",
 			 payload_type_names, current_payload_type);
-		
+
 		if (current_payload_type == ENCRYPTED)
 		{
 			encryption_payload_t *encryption_payload;
 			payload_t *current_encrypted_payload;
-			
+
 			encryption_payload = (encryption_payload_t*)current_payload;
-			
+
 			DBG2(DBG_ENC, "found an encryption payload");
 
 			if (payload_number != this->payloads->get_count(this->payloads))
@@ -1330,7 +1364,8 @@ static status_t decrypt_payloads(private_message_t *this,crypter_t *crypter, sig
 				return VERIFY_ERROR;
 			}
 			/* decrypt */
-			encryption_payload->set_transforms(encryption_payload, crypter, signer);
+			encryption_payload->set_transforms(encryption_payload,
+											   crypter, signer);
 			DBG2(DBG_ENC, "verify signature of encryption payload");
 			status = encryption_payload->verify_signature(encryption_payload,
 										this->packet->get_data(this->packet));
@@ -1348,10 +1383,10 @@ static status_t decrypt_payloads(private_message_t *this,crypter_t *crypter, sig
 				iterator->destroy(iterator);
 				return PARSE_ERROR;
 			}
-			
+
 			/* needed later to find out if a payload was encrypted */
 			current_payload_was_encrypted = TRUE;
-			
+
 			/* check if there are payloads contained in the encryption payload */
 			if (encryption_payload->get_payload_count(encryption_payload) == 0)
 			{
@@ -1363,39 +1398,52 @@ static status_t decrypt_payloads(private_message_t *this,crypter_t *crypter, sig
 			}
 			else
 			{
-				/* encryption_payload is replaced with first payload contained in encryption_payload */
-				encryption_payload->remove_first_payload(encryption_payload, &current_encrypted_payload);
-				iterator->replace(iterator,NULL,(void *) current_encrypted_payload);
-				current_payload_type = current_encrypted_payload->get_type(current_encrypted_payload);
+				/* encryption_payload is replaced with first payload contained
+				 * in encryption_payload */
+				encryption_payload->remove_first_payload(encryption_payload,
+													&current_encrypted_payload);
+				iterator->replace(iterator, NULL,
+								  (void *)current_encrypted_payload);
+				current_payload_type = current_encrypted_payload->get_type(
+													current_encrypted_payload);
 			}
-			
+
 			/* is the current paylad the first in the message? */
 			if (previous_payload == NULL)
 			{
-				/* yes, set the first payload type of the message to the current type */
+				/* yes, set the first payload type of the message to the
+				 * current type */
 				this->first_payload = current_payload_type;
 			}
 			else
 			{
-				/* no, set the next_type of the previous payload to the current type */
-				previous_payload->set_next_type(previous_payload, current_payload_type);
+				/* no, set the next_type of the previous payload to the
+				 * current type */
+				previous_payload->set_next_type(previous_payload,
+												current_payload_type);
 			}
-			
+
 			/* all encrypted payloads are added to the payload list */
 			while (encryption_payload->get_payload_count(encryption_payload) > 0)
 			{
-				encryption_payload->remove_first_payload(encryption_payload, &current_encrypted_payload);
-				DBG2(DBG_ENC, "insert unencrypted payload of type %N at end of list",
-					 payload_type_names, current_encrypted_payload->get_type(current_encrypted_payload));
-				this->payloads->insert_last(this->payloads,current_encrypted_payload);
+				encryption_payload->remove_first_payload(encryption_payload,
+													&current_encrypted_payload);
+				DBG2(DBG_ENC, "insert unencrypted payload of type "
+					 "%N at end of list", payload_type_names,
+					 current_encrypted_payload->get_type(
+											current_encrypted_payload));
+				this->payloads->insert_last(this->payloads,
+											current_encrypted_payload);
 			}
-			
+
 			/* encryption payload is processed, payloads are moved. Destroy it. */
-			encryption_payload->destroy(encryption_payload);	
+			encryption_payload->destroy(encryption_payload);
 		}
 
-		/* we allow unknown payloads of any type and don't bother if it was encrypted. Not our problem. */
-		if (current_payload_type != UNKNOWN_PAYLOAD && current_payload_type != NO_PAYLOAD)
+		/* we allow unknown payloads of any type and don't bother if it was
+		 * encrypted. Not our problem. */
+		if (current_payload_type != UNKNOWN_PAYLOAD &&
+			current_payload_type != NO_PAYLOAD)
 		{
 			/* get the ruleset for found payload */
 			status = get_payload_rule(this, current_payload_type, &payload_rule);
@@ -1407,11 +1455,13 @@ static status_t decrypt_payloads(private_message_t *this,crypter_t *crypter, sig
 				iterator->destroy(iterator);
 				return VERIFY_ERROR;
 			}
-			
-			/* check if the payload was encrypted, and if it should been have encrypted */
+
+			/* check if the payload was encrypted, and if it should been have
+			 * encrypted */
 			if (payload_rule->encrypted != current_payload_was_encrypted)
 			{
-				/* payload was not encrypted, but should have been. or vice-versa */
+				/* payload was not encrypted, but should have been.
+				 * or vice-versa */
 				DBG1(DBG_ENC, "payload type %N should be %s!",
 					 payload_type_names, current_payload_type,
 					 (payload_rule->encrypted) ? "encrypted" : "not encrypted");
@@ -1437,24 +1487,24 @@ static status_t verify(private_message_t *this)
 	enumerator_t *enumerator;
 	payload_t *current_payload;
 	size_t total_found_payloads = 0;
-	
+
 	DBG2(DBG_ENC, "verifying message structure");
-	
+
 	/* check for payloads with wrong count*/
 	for (i = 0; i < this->message_rule->payload_rule_count; i++)
 	{
 		size_t found_payloads = 0;
 		payload_rule_t *rule;
-		
+
 		rule = &this->message_rule->payload_rules[i];
 		enumerator = create_payload_enumerator(this);
-		
+
 		/* check all payloads for specific rule */
 		while (enumerator->enumerate(enumerator, &current_payload))
 		{
 			payload_type_t current_payload_type;
 			unknown_payload_t *unknown_payload;
-			
+
 			current_payload_type = current_payload->get_type(current_payload);
 			if (current_payload_type == UNKNOWN_PAYLOAD)
 			{
@@ -1465,7 +1515,7 @@ static status_t verify(private_message_t *this)
 					DBG1(DBG_ENC, "%N is not supported, but its critical!",
 						 payload_type_names, current_payload_type);
 					enumerator->destroy(enumerator);
-					return NOT_SUPPORTED;	
+					return NOT_SUPPORTED;
 				}
 			}
 			else if (current_payload_type == rule->payload_type)
@@ -1474,8 +1524,8 @@ static status_t verify(private_message_t *this)
 				total_found_payloads++;
 				DBG2(DBG_ENC, "found payload of type %N", payload_type_names,
 					 rule->payload_type);
-				
-				/* as soon as ohe payload occures more then specified, 
+
+				/* as soon as ohe payload occures more then specified,
 				 * the verification fails */
 				if (found_payloads >
 					rule->max_occurence)
@@ -1489,7 +1539,7 @@ static status_t verify(private_message_t *this)
 				}
 			}
 		}
-		
+
 		if (found_payloads < rule->min_occurence)
 		{
 			DBG1(DBG_ENC, "payload of type %N not occured %d times (%d)",
@@ -1502,7 +1552,7 @@ static status_t verify(private_message_t *this)
 			this->payloads->get_count(this->payloads) == total_found_payloads)
 		{
 			enumerator->destroy(enumerator);
-			return SUCCESS;	
+			return SUCCESS;
 		}
 		enumerator->destroy(enumerator);
 	}
@@ -1512,14 +1562,15 @@ static status_t verify(private_message_t *this)
 /**
  * Implementation of message_t.parse_body.
  */
-static status_t parse_body(private_message_t *this, crypter_t *crypter, signer_t *signer)
+static status_t parse_body(private_message_t *this, crypter_t *crypter,
+						   signer_t *signer)
 {
 	status_t status = SUCCESS;
 	payload_type_t current_payload_type;
 	char str[256];
-		
-	current_payload_type = this->first_payload;	
-		
+
+	current_payload_type = this->first_payload;
+
 	DBG2(DBG_ENC, "parsing body of message, first payload is %N",
 		 payload_type_names, current_payload_type);
 
@@ -1527,13 +1578,13 @@ static status_t parse_body(private_message_t *this, crypter_t *crypter, signer_t
 	while ((current_payload_type != NO_PAYLOAD))
 	{
 		payload_t *current_payload;
-		
-		DBG2(DBG_ENC, "starting parsing a %N payload", 
+
+		DBG2(DBG_ENC, "starting parsing a %N payload",
 			 payload_type_names, current_payload_type);
-		
+
 		/* parse current payload */
-		status = this->parser->parse_payload(this->parser,current_payload_type,(payload_t **) &current_payload);
-		
+		status = this->parser->parse_payload(this->parser, current_payload_type,
+											 (payload_t**)&current_payload);
 		if (status != SUCCESS)
 		{
 			DBG1(DBG_ENC, "payload type %N could not be parsed",
@@ -1543,7 +1594,7 @@ static status_t parse_body(private_message_t *this, crypter_t *crypter, signer_t
 
 		DBG2(DBG_ENC, "verifying payload of type %N",
 			 payload_type_names, current_payload_type);
-		
+
 		/* verify it, stop parsig if its invalid */
 		status = current_payload->verify(current_payload);
 		if (status != SUCCESS)
@@ -1553,19 +1604,20 @@ static status_t parse_body(private_message_t *this, crypter_t *crypter, signer_t
 			current_payload->destroy(current_payload);
 			return VERIFY_ERROR;
 		}
-		
+
 		DBG2(DBG_ENC, "%N payload verified. Adding to payload list",
 			 payload_type_names, current_payload_type);
 		this->payloads->insert_last(this->payloads,current_payload);
-		
-		/* an encryption payload is the last one, so STOP here. decryption is done later */
+
+		/* an encryption payload is the last one, so STOP here. decryption is
+		 * done later */
 		if (current_payload_type == ENCRYPTED)
 		{
 			DBG2(DBG_ENC, "%N payload found. Stop parsing",
 				 payload_type_names, current_payload_type);
 			break;
 		}
-		
+
 		/* get next payload type */
 		current_payload_type = current_payload->get_next_type(current_payload);
 	}
@@ -1579,15 +1631,15 @@ static status_t parse_body(private_message_t *this, crypter_t *crypter, signer_t
 			return status;
 		}
 	}
-	
+
 	status = verify(this);
 	if (status != SUCCESS)
 	{
 		return status;
 	}
-	
+
 	DBG1(DBG_ENC, "parsed %s", get_string(this, str, sizeof(str)));
-	
+
 	return SUCCESS;
 }
 
@@ -1641,26 +1693,26 @@ message_t *message_create_from_packet(packet_t *packet)
 	this->public.get_packet = (packet_t * (*) (message_t*)) get_packet;
 	this->public.get_packet_data = (chunk_t (*) (message_t *this)) get_packet_data;
 	this->public.destroy = (void(*)(message_t*))destroy;
-		
+
 	/* private values */
 	this->exchange_type = EXCHANGE_TYPE_UNDEFINED;
 	this->is_request = TRUE;
 	this->ike_sa_id = NULL;
 	this->first_payload = NO_PAYLOAD;
 	this->message_id = 0;
-	
+
 	/* private values */
 	if (packet == NULL)
 	{
-		packet = packet_create();	
+		packet = packet_create();
 	}
 	this->message_rule = NULL;
 	this->packet = packet;
 	this->payloads = linked_list_create();
-	
+
 	/* parser is created from data of packet */
 	this->parser = parser_create(this->packet->get_data(this->packet));
-	
+
 	return (&this->public);
 }
 
diff --git a/src/charon/encoding/message.h b/src/charon/encoding/message.h
index 1db3ea0cc..2c7718f49 100644
--- a/src/charon/encoding/message.h
+++ b/src/charon/encoding/message.h
@@ -58,7 +58,7 @@ struct message_t {
 	 * @return				major version of the message
 	 */
 	u_int8_t (*get_major_version) (message_t *this);
-	
+
 	/**
 	 * Sets the IKE minor version of the message.
 	 *
@@ -86,7 +86,7 @@ struct message_t {
 	 * @return				message_id type of the message
 	 */
 	u_int32_t (*get_message_id) (message_t *this);
-	
+
 	/**
 	 * Gets the initiator SPI of the message.
 	 *
@@ -103,7 +103,7 @@ struct message_t {
 
 	/**
 	 * Sets the IKE_SA ID of the message.
-	 * 
+	 *
 	 * ike_sa_id gets cloned.
 	 *
 	 * @param ike_sa_id		ike_sa_id to set
@@ -132,10 +132,10 @@ struct message_t {
 	 * @return				exchange type of the message
 	 */
 	exchange_type_t (*get_exchange_type) (message_t *this);
-	
+
 	/**
 	 * Gets the payload type of the first payload.
-	 * 
+	 *
 	 * @return				payload type of the first payload
 	 */
 	payload_type_t (*get_first_payload_type) (message_t *this);
@@ -156,20 +156,20 @@ struct message_t {
 
 	/**
 	 * Append a payload to the message.
-	 * 
+	 *
 	 * If the payload must be encrypted is not specified here. Encryption
 	 * of payloads is evaluated via internal rules for the messages and
 	 * is done before generation. The order of payloads may change, since
-	 * all payloads to encrypt are added to the encryption payload, which is 
+	 * all payloads to encrypt are added to the encryption payload, which is
 	 * always the last one.
 	 *
 	 * @param payload 		payload to append
-	 */	
+	 */
 	void (*add_payload) (message_t *this, payload_t *payload);
 
 	/**
 	 * Build a notify payload and add it to the message.
-	 * 
+	 *
 	 * This is a helper method to create notify messages or add
 	 * notify payload to messages. The flush parameter specifies if existing
 	 * payloads should get removed before appending the notify.
@@ -177,13 +177,13 @@ struct message_t {
 	 * @param flush			TRUE to remove existing payloads
 	 * @param type			type of the notify
 	 * @param data			a chunk of data to add to the notify, gets cloned
-	 */	
-	void (*add_notify) (message_t *this, bool flush, notify_type_t type, 
+	 */
+	void (*add_notify) (message_t *this, bool flush, notify_type_t type,
 						chunk_t data);
 
 	/**
 	 * Parses header of message.
-	 * 
+	 *
 	 * Begins parisng of a message created via message_create_from_packet().
 	 * The parsing context is stored, so a subsequent call to parse_body()
 	 * will continue the parsing process.
@@ -194,17 +194,17 @@ struct message_t {
 	 * 					- FAILED if consistence check of header failed
 	 */
 	status_t (*parse_header) (message_t *this);
-	
+
 	/**
 	 * Parses body of message.
-	 * 
-	 * The body gets not only parsed, but rather it gets verified. 
-	 * All payloads are verified if they are allowed to exist in the message 
-	 * of this type and if their own structure is ok. 
-	 * If there are encrypted payloads, they get decrypted via the supplied 
+	 *
+	 * The body gets not only parsed, but rather it gets verified.
+	 * All payloads are verified if they are allowed to exist in the message
+	 * of this type and if their own structure is ok.
+	 * If there are encrypted payloads, they get decrypted via the supplied
 	 * crypter. Also the message integrity gets verified with the supplied
 	 * signer.
-	 * Crypter/signer can be omitted (by passing NULL) when no encryption 
+	 * Crypter/signer can be omitted (by passing NULL) when no encryption
 	 * payload is expected.
 	 *
 	 * @param crypter	crypter to decrypt encryption payloads
@@ -222,13 +222,13 @@ struct message_t {
 
 	/**
 	 * Generates the UDP packet of specific message.
-	 * 
+	 *
 	 * Payloads which must be encrypted are generated first and added to
-	 * an encryption payload. This encryption payload will get encrypted via 
+	 * an encryption payload. This encryption payload will get encrypted via
 	 * the supplied crypter. Then all other payloads and the header get generated.
-	 * After that, the checksum is added to the encryption payload over the full 
+	 * After that, the checksum is added to the encryption payload over the full
 	 * message.
-	 * Crypter/signer can be omitted (by passing NULL) when no encryption 
+	 * Crypter/signer can be omitted (by passing NULL) when no encryption
 	 * payload is expected.
 	 * Generation is only done once, multiple calls will just return a packet copy.
 	 *
@@ -240,66 +240,66 @@ struct message_t {
 	 * 					- INVALID_STATE if exchange type is currently not set
 	 * 					- NOT_FOUND if no rules found for message generation
 	 * 					- INVALID_STATE if crypter/signer not supplied but needed.
-	 */	
+	 */
 	status_t (*generate) (message_t *this, crypter_t *crypter, signer_t *signer, packet_t **packet);
 
 	/**
-	 * Gets the source host informations. 
-	 * 
-	 * @warning Returned host_t object is not getting cloned, 
+	 * Gets the source host informations.
+	 *
+	 * @warning Returned host_t object is not getting cloned,
 	 * do not destroy nor modify.
 	 *
 	 * @return			host_t object representing source host
-	 */	
+	 */
 	host_t * (*get_source) (message_t *this);
-	
+
 	/**
-	 * Sets the source host informations. 
-	 * 
+	 * Sets the source host informations.
+	 *
 	 * @warning host_t object is not getting cloned and gets destroyed by
 	 * 			message_t.destroy or next call of message_t.set_source.
 	 *
 	 * @param host		host_t object representing source host
-	 */	
+	 */
 	void (*set_source) (message_t *this, host_t *host);
 
 	/**
-	 * Gets the destination host informations. 
-	 * 
-	 * @warning Returned host_t object is not getting cloned, 
+	 * Gets the destination host informations.
+	 *
+	 * @warning Returned host_t object is not getting cloned,
 	 * do not destroy nor modify.
 	 *
 	 * @return			host_t object representing destination host
-	 */	
+	 */
 	host_t * (*get_destination) (message_t *this);
 
 	/**
-	 * Sets the destination host informations. 
-	 * 
+	 * Sets the destination host informations.
+	 *
 	 * @warning host_t object is not getting cloned and gets destroyed by
 	 * 			message_t.destroy or next call of message_t.set_destination.
 	 *
 	 * @param host		host_t object representing destination host
-	 */	
+	 */
 	void (*set_destination) (message_t *this, host_t *host);
-	
+
 	/**
 	 * Create an enumerator over all payloads.
 	 *
 	 * @return			enumerator over payload_t
-	 */	
+	 */
 	enumerator_t * (*create_payload_enumerator) (message_t *this);
-	
+
 	/**
 	 * Find a payload of a specific type.
-	 * 
-	 * Returns the first occurance. 
+	 *
+	 * Returns the first occurance.
 	 *
 	 * @param type		type of the payload to find
 	 * @return			payload, or NULL if no such payload found
-	 */	
+	 */
 	payload_t* (*get_payload) (message_t *this, payload_type_t type);
-	
+
 	/**
 	 * Get the first notify payload of a specific type.
 	 *
@@ -307,21 +307,21 @@ struct message_t {
 	 * @return			notify payload, NULL if no such notify found
 	 */
 	notify_payload_t* (*get_notify)(message_t *this, notify_type_t type);
-	
+
 	/**
 	 * Returns a clone of the internal stored packet_t object.
 	 *
 	 * @return			packet_t object as clone of internal one
-	 */	
+	 */
 	packet_t * (*get_packet) (message_t *this);
-	
+
 	/**
 	 * Returns a clone of the internal stored packet_t data.
 	 *
 	 * @return			clone of the internal stored packet_t data.
-	 */	
+	 */
 	chunk_t (*get_packet_data) (message_t *this);
-	
+
 	/**
 	 * Destroys a message and all including objects.
 	 */
@@ -330,16 +330,16 @@ struct message_t {
 
 /**
  * Creates an message_t object from a incoming UDP Packet.
- * 
- * @warning the given packet_t object is not copied and gets 
+ *
+ * @warning the given packet_t object is not copied and gets
  *			destroyed in message_t's destroy call.
- * 
+ *
  * - exchange_type is set to NOT_SET
  * - original_initiator is set to TRUE
  * - is_request is set to TRUE
  * Call message_t.parse_header afterwards.
- * 
- * @param packet		packet_t object which is assigned to message	
+ *
+ * @param packet		packet_t object which is assigned to message
  * @return 				message_t object
  */
 message_t * message_create_from_packet(packet_t *packet);
@@ -351,7 +351,7 @@ message_t * message_create_from_packet(packet_t *packet);
  * - exchange_type is set to NOT_SET
  * - original_initiator is set to TRUE
  * - is_request is set to TRUE
- * 
+ *
  * @return message_t object
  */
 message_t * message_create(void);
diff --git a/src/charon/encoding/parser.c b/src/charon/encoding/parser.c
index ac2b78c28..9aa34b1bc 100644
--- a/src/charon/encoding/parser.c
+++ b/src/charon/encoding/parser.c
@@ -50,7 +50,7 @@ typedef struct private_parser_t private_parser_t;
 
 /**
  * Private data stored in a context.
- * 
+ *
  * Contains pointers and counters to store current state.
  */
 struct private_parser_t {
@@ -58,27 +58,27 @@ struct private_parser_t {
 	 * Public members, see parser_t.
 	 */
 	parser_t public;
-	
+
 	/**
 	 * Current bit for reading in input data.
 	 */
 	u_int8_t bit_pos;
-	
+
 	/**
 	 * Current byte for reading in input data.
 	 */
 	u_int8_t *byte_pos;
-	
+
 	/**
 	 * Input data to parse.
 	 */
 	u_int8_t *input;
-	
+
 	/**
 	 * Roof of input, used for length-checking.
 	 */
 	u_int8_t *input_roof;
-	
+
 	/**
 	 * Set of encoding rules for this parsing session.
 	 */
@@ -277,11 +277,11 @@ static bool parse_bit(private_parser_t *this, int rule_number,
 		return short_input(this, rule_number);
 	}
 	if (output_pos)
-	{	
+	{
 		u_int8_t mask;
 		mask = 0x01 << (7 - this->bit_pos);
 		*output_pos = *this->byte_pos & mask;
-		
+
 		if (*output_pos)
 		{	/* set to a "clean", comparable true */
 			*output_pos = TRUE;
@@ -303,7 +303,7 @@ static bool parse_list(private_parser_t *this, int rule_number,
 			linked_list_t **output_pos, payload_type_t payload_type, int length)
 {
 	linked_list_t *list = *output_pos;
-	
+
 	if (length < 0)
 	{
 		return short_input(this, rule_number);
@@ -316,10 +316,10 @@ static bool parse_list(private_parser_t *this, int rule_number,
 	{
 		u_int8_t *pos_before = this->byte_pos;
 		payload_t *payload;
-		
+
 		DBG2(DBG_ENC, "  %d bytes left, parsing recursively %N",
 			 length, payload_type_names, payload_type);
-		
+
 		if (parse_payload(this, payload_type, &payload) != SUCCESS)
 		{
 			DBG1(DBG_ENC, "  parsing of a %N substructure failed",
@@ -377,25 +377,25 @@ static status_t parse_payload(private_parser_t *this,
 	bool attribute_format = FALSE;
 	int rule_number;
 	encoding_rule_t *rule;
-	
+
 	/* create instance of the payload to parse */
 	pld = payload_create(payload_type);
-	
+
 	DBG2(DBG_ENC, "parsing %N payload, %d bytes left",
 		 payload_type_names, payload_type, this->input_roof - this->byte_pos);
-	
+
 	DBG3(DBG_ENC, "parsing payload from %b",
 		 this->byte_pos, this->input_roof - this->byte_pos);
-	
+
 	if (pld->get_type(pld) == UNKNOWN_PAYLOAD)
 	{
 		DBG1(DBG_ENC, "  payload type %d is unknown, handling as %N",
 			 payload_type, payload_type_names, UNKNOWN_PAYLOAD);
 	}
-	
+
 	/* base pointer for output, avoids casting in every rule */
 	output = pld;
-	
+
 	/* parse the payload with its own rulse */
 	pld->get_encoding_rules(pld, &this->rules, &rule_count);
 	for (rule_number = 0; rule_number < rule_count; rule_number++)
@@ -765,7 +765,7 @@ static status_t parse_payload(private_parser_t *this,
 			case ADDRESS:
 			{
 				int address_length = (ts_type == TS_IPV4_ADDR_RANGE) ? 4 : 16;
-				
+
 				if (!parse_chunk(this, rule_number, output + rule->offset,
 								 address_length))
 				{
@@ -808,7 +808,7 @@ static status_t parse_payload(private_parser_t *this,
 		/* process next rulue */
 		rule++;
 	}
-	
+
 	*payload = pld;
 	DBG2(DBG_ENC, "parsing %N payload finished",
 		 payload_type_names, payload_type);
@@ -846,17 +846,17 @@ static void destroy(private_parser_t *this)
 parser_t *parser_create(chunk_t data)
 {
 	private_parser_t *this = malloc_thing(private_parser_t);
-	
+
 	this->public.parse_payload = (status_t(*)(parser_t*,payload_type_t,payload_t**))parse_payload;
 	this->public.reset_context = (void(*)(parser_t*)) reset_context;
 	this->public.get_remaining_byte_count = (int (*) (parser_t *))get_remaining_byte_count;
 	this->public.destroy = (void(*)(parser_t*)) destroy;
-	
+
 	this->input = data.ptr;
 	this->byte_pos = data.ptr;
 	this->bit_pos = 0;
 	this->input_roof = data.ptr + data.len;
-	
+
 	return &this->public;
 }
 
diff --git a/src/charon/encoding/parser.h b/src/charon/encoding/parser.h
index 230492438..27c5f03fe 100644
--- a/src/charon/encoding/parser.h
+++ b/src/charon/encoding/parser.h
@@ -36,32 +36,32 @@ typedef struct parser_t parser_t;
  * The parser remains the state until destroyed.
  */
 struct parser_t {
-	
+
 	/**
 	 * Parses the next payload.
-	 * 
+	 *
 	 * @warning Caller is responsible for freeing allocated payload.
-	 * 
+	 *
 	 * Rules for parsing are described in the payload definition.
 	 *
 	 * @param payload_type	payload type to parse
 	 * @param payload		pointer where parsed payload was allocated
-	 * @return 			
+	 * @return
 	 * 						- SUCCESSFUL if succeeded,
 	 * 						- PARSE_ERROR if corrupted/invalid data found
 	 */
 	status_t (*parse_payload) (parser_t *this, payload_type_t payload_type, payload_t **payload);
-	
+
 	/**
 	 * Gets the remaining byte count which is not currently parsed.
 	 */
 	int (*get_remaining_byte_count) (parser_t *this);
-	
+
 	/**
 	 * Resets the current parser context.
 	 */
 	void (*reset_context) (parser_t *this);
-	
+
 	/**
 	 * Destroys a parser_t object.
 	 */
@@ -70,7 +70,7 @@ struct parser_t {
 
 /**
  * Constructor to create a parser_t object.
- * 
+ *
  * @param data		chunk of data to parse with this parser_t object
  * @return 			parser_t object
  */
diff --git a/src/charon/encoding/payloads/auth_payload.c b/src/charon/encoding/payloads/auth_payload.c
index 53406f564..d31208abb 100644
--- a/src/charon/encoding/payloads/auth_payload.c
+++ b/src/charon/encoding/payloads/auth_payload.c
@@ -23,15 +23,15 @@ typedef struct private_auth_payload_t private_auth_payload_t;
 
 /**
  * Private data of an auth_payload_t object.
- * 
+ *
  */
 struct private_auth_payload_t {
-	
+
 	/**
 	 * Public auth_payload_t interface.
 	 */
 	auth_payload_t public;
-	
+
 	/**
 	 * Next payload type.
 	 */
@@ -41,17 +41,17 @@ struct private_auth_payload_t {
 	 * Critical flag.
 	 */
 	bool critical;
-	
+
 	/**
 	 * Length of this payload.
 	 */
 	u_int16_t payload_length;
-	
+
 	/**
 	 * Method of the AUTH Data.
 	 */
 	u_int8_t auth_method;
-	
+
 	/**
 	 * The contained auth data value.
 	 */
@@ -60,16 +60,16 @@ struct private_auth_payload_t {
 
 /**
  * Encoding rules to parse or generate a AUTH payload
- * 
- * The defined offsets are the positions in a object of type 
+ *
+ * The defined offsets are the positions in a object of type
  * private_auth_payload_t.
  */
 encoding_rule_t auth_payload_encodings[] = {
- 	/* 1 Byte next payload type, stored in the field next_payload */
+	/* 1 Byte next payload type, stored in the field next_payload */
 	{ U_INT_8,			offsetof(private_auth_payload_t, next_payload) 	},
 	/* the critical bit */
 	{ FLAG,				offsetof(private_auth_payload_t, critical) 		},
- 	/* 7 Bit reserved bits, nowhere stored */
+	/* 7 Bit reserved bits, nowhere stored */
 	{ RESERVED_BIT,		0 												},
 	{ RESERVED_BIT,		0 												},
 	{ RESERVED_BIT,		0 												},
@@ -79,7 +79,7 @@ encoding_rule_t auth_payload_encodings[] = {
 	{ RESERVED_BIT,		0 												},
 	/* Length of the whole payload*/
 	{ PAYLOAD_LENGTH,	offsetof(private_auth_payload_t, payload_length)},
- 	/* 1 Byte AUTH type*/
+	/* 1 Byte AUTH type*/
 	{ U_INT_8,			offsetof(private_auth_payload_t, auth_method)	},
 	/* 3 reserved bytes */
 	{ RESERVED_BYTE,	0 												},
@@ -221,8 +221,8 @@ static void destroy(private_auth_payload_t *this)
 	{
 		chunk_free(&(this->auth_data));
 	}
-	
-	free(this);	
+
+	free(this);
 }
 
 /*
@@ -240,7 +240,7 @@ auth_payload_t *auth_payload_create()
 	this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
 	this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_payload_type;
 	this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
-	
+
 	/* public functions */
 	this->public.destroy = (void (*) (auth_payload_t *)) destroy;
 	this->public.set_auth_method = (void (*) (auth_payload_t *,auth_method_t)) set_auth_method;
@@ -248,7 +248,7 @@ auth_payload_t *auth_payload_create()
 	this->public.set_data = (void (*) (auth_payload_t *,chunk_t)) set_data;
 	this->public.get_data_clone = (chunk_t (*) (auth_payload_t *)) get_data_clone;
 	this->public.get_data = (chunk_t (*) (auth_payload_t *)) get_data;
-	
+
 	/* private variables */
 	this->critical = FALSE;
 	this->next_payload = NO_PAYLOAD;
diff --git a/src/charon/encoding/payloads/auth_payload.h b/src/charon/encoding/payloads/auth_payload.h
index 4287f14d9..37ee149db 100644
--- a/src/charon/encoding/payloads/auth_payload.h
+++ b/src/charon/encoding/payloads/auth_payload.h
@@ -39,7 +39,7 @@ typedef struct auth_payload_t auth_payload_t;
  * The AUTH payload format is described in RFC section 3.8.
  */
 struct auth_payload_t {
-	
+
 	/**
 	 * The payload_t interface.
 	 */
@@ -51,41 +51,41 @@ struct auth_payload_t {
 	 * @param method		auth_method_t to use
 	 */
 	void (*set_auth_method) (auth_payload_t *this, auth_method_t method);
-	
+
 	/**
 	 * Get the AUTH method.
 	 *
 	 * @return				auth_method_t used
 	 */
 	auth_method_t (*get_auth_method) (auth_payload_t *this);
-	
+
 	/**
 	 * Set the AUTH data.
-	 * 
+	 *
 	 * Data gets cloned.
 	 *
 	 * @param data			AUTH data as chunk_t
 	 */
 	void (*set_data) (auth_payload_t *this, chunk_t data);
-	
+
 	/**
 	 * Get the AUTH data.
-	 * 
+	 *
 	 * Returned data are a copy of the internal one.
 	 *
 	 * @return				AUTH data as chunk_t
 	 */
 	chunk_t (*get_data_clone) (auth_payload_t *this);
-	
+
 	/**
 	 * Get the AUTH data.
-	 * 
+	 *
 	 * Returned data are NOT copied
 	 *
 	 * @return				AUTH data as chunk_t
 	 */
 	chunk_t (*get_data) (auth_payload_t *this);
-	
+
 	/**
 	 * Destroys an auth_payload_t object.
 	 */
@@ -94,7 +94,7 @@ struct auth_payload_t {
 
 /**
  * Creates an empty auth_payload_t object.
- * 
+ *
  * @return auth_payload_t object
  */
 auth_payload_t *auth_payload_create(void);
diff --git a/src/charon/encoding/payloads/cert_payload.c b/src/charon/encoding/payloads/cert_payload.c
index 54a8c1392..6dd3141f0 100644
--- a/src/charon/encoding/payloads/cert_payload.c
+++ b/src/charon/encoding/payloads/cert_payload.c
@@ -43,14 +43,14 @@ typedef struct private_cert_payload_t private_cert_payload_t;
 
 /**
  * Private data of an cert_payload_t object.
- * 
+ *
  */
 struct private_cert_payload_t {
 	/**
 	 * Public cert_payload_t interface.
 	 */
 	cert_payload_t public;
-	
+
 	/**
 	 * Next payload type.
 	 */
@@ -60,22 +60,22 @@ struct private_cert_payload_t {
 	 * Critical flag.
 	 */
 	bool critical;
-	
+
 	/**
 	 * Length of this payload.
 	 */
 	u_int16_t payload_length;
-	
+
 	/**
 	 * Encoding of the CERT Data.
 	 */
 	u_int8_t encoding;
-	
+
 	/**
 	 * The contained cert data value.
 	 */
 	chunk_t data;
-	
+
 	/**
 	 * TRUE if the "Hash and URL" data is invalid
 	 */
@@ -84,17 +84,17 @@ struct private_cert_payload_t {
 
 /**
  * Encoding rules to parse or generate a CERT payload
- * 
- * The defined offsets are the positions in a object of type 
+ *
+ * The defined offsets are the positions in a object of type
  * private_cert_payload_t.
- * 
+ *
  */
 encoding_rule_t cert_payload_encodings[] = {
- 	/* 1 Byte next payload type, stored in the field next_payload */
+	/* 1 Byte next payload type, stored in the field next_payload */
 	{ U_INT_8,			offsetof(private_cert_payload_t, next_payload) 	},
 	/* the critical bit */
 	{ FLAG,				offsetof(private_cert_payload_t, critical) 		},
- 	/* 7 Bit reserved bits, nowhere stored */
+	/* 7 Bit reserved bits, nowhere stored */
 	{ RESERVED_BIT,	0 													},
 	{ RESERVED_BIT,	0 													},
 	{ RESERVED_BIT,	0 													},
@@ -104,7 +104,7 @@ encoding_rule_t cert_payload_encodings[] = {
 	{ RESERVED_BIT,	0 													},
 	/* Length of the whole payload*/
 	{ PAYLOAD_LENGTH,	offsetof(private_cert_payload_t, payload_length)},
- 	/* 1 Byte CERT type*/
+	/* 1 Byte CERT type*/
 	{ U_INT_8,			offsetof(private_cert_payload_t, encoding)		},
 	/* some cert data bytes, length is defined in PAYLOAD_LENGTH */
 	{ CERT_DATA,		offsetof(private_cert_payload_t, data) 			}
@@ -139,7 +139,7 @@ static status_t verify(private_cert_payload_t *this)
 			this->invalid_hash_and_url = TRUE;
 			return SUCCESS;
 		}
-		
+
 		int i = 20; /* skipping the hash */
 		for (; i < this->data.len; ++i)
 		{
@@ -156,7 +156,7 @@ static status_t verify(private_cert_payload_t *this)
 				return SUCCESS;
 			}
 		}
-		
+
 		/* URL is not null terminated, correct that */
 		chunk_t data = chunk_alloc(this->data.len + 1);
 		memcpy(data.ptr, this->data.ptr, this->data.len);
@@ -268,7 +268,7 @@ static char *get_url(private_cert_payload_t *this)
 static void destroy(private_cert_payload_t *this)
 {
 	chunk_free(&this->data);
-	free(this);	
+	free(this);
 }
 
 /*
@@ -285,13 +285,13 @@ cert_payload_t *cert_payload_create()
 	this->public.payload_interface.set_next_type = (void (*) (payload_t*,payload_type_t))set_next_type;
 	this->public.payload_interface.get_type = (payload_type_t (*) (payload_t*))get_payload_type;
 	this->public.payload_interface.destroy = (void (*) (payload_t*))destroy;
-	
+
 	this->public.destroy = (void (*) (cert_payload_t*))destroy;
 	this->public.get_cert = (certificate_t* (*) (cert_payload_t*))get_cert;
 	this->public.get_cert_encoding = (cert_encoding_t (*) (cert_payload_t*))get_cert_encoding;
 	this->public.get_hash = (chunk_t (*) (cert_payload_t*))get_hash;
 	this->public.get_url = (char* (*) (cert_payload_t*))get_url;
-	
+
 	this->critical = FALSE;
 	this->next_payload = NO_PAYLOAD;
 	this->payload_length = CERT_PAYLOAD_HEADER_LENGTH;
@@ -331,14 +331,9 @@ cert_payload_t *cert_payload_create_from_cert(certificate_t *cert)
 cert_payload_t *cert_payload_create_from_hash_and_url(chunk_t hash, char *url)
 {
 	private_cert_payload_t *this = (private_cert_payload_t*)cert_payload_create();
-	chunk_t url_chunk;
-	
+
 	this->encoding = ENC_X509_HASH_AND_URL;
-	
-	url_chunk.ptr = url;
-	url_chunk.len = strlen(url) + 1;
-	
-	this->data = chunk_cat("cc", hash, url_chunk);
+	this->data = chunk_cat("cc", hash, chunk_create(url, strlen(url)));
 	this->payload_length = CERT_PAYLOAD_HEADER_LENGTH + this->data.len;
 	return &this->public;
 }
diff --git a/src/charon/encoding/payloads/cert_payload.h b/src/charon/encoding/payloads/cert_payload.h
index fba404ee2..aa1c7bf5a 100644
--- a/src/charon/encoding/payloads/cert_payload.h
+++ b/src/charon/encoding/payloads/cert_payload.h
@@ -65,45 +65,45 @@ extern enum_name_t *cert_encoding_names;
  * The CERT payload format is described in RFC section 3.6.
  */
 struct cert_payload_t {
-	
+
 	/**
 	 * The payload_t interface.
 	 */
 	payload_t payload_interface;
-	
+
 	/**
 	 * Get the playoads encoded certifcate.
 	 *
 	 * @return				certifcate copy
 	 */
 	certificate_t *(*get_cert)(cert_payload_t *this);
-	
+
 	/**
 	 * Get the encoding of the certificate.
-	 * 
+	 *
 	 * @return				encoding
 	 */
 	cert_encoding_t (*get_cert_encoding)(cert_payload_t *this);
-	
+
 	/**
 	 * Get the hash if this is a hash and URL encoded certificate.
-	 * 
+	 *
 	 * This function returns internal data, do not free.
-	 * 
+	 *
 	 * @return				hash
 	 */
 	chunk_t (*get_hash)(cert_payload_t *this);
-	
+
 	/**
 	 * Get the URL if this is a hash and URL encoded certificate.
-	 * 
+	 *
 	 * This function returns internal data, do not free.
-	 * 
+	 *
 	 * @return				url
 	 */
 	char *(*get_url)(cert_payload_t *this);
-	
-	
+
+
 	/**
 	 * Destroys the cert_payload object.
 	 */
@@ -112,14 +112,14 @@ struct cert_payload_t {
 
 /**
  * Creates an empty certificate payload.
- * 
+ *
  * @return					cert_payload_t object
  */
 cert_payload_t *cert_payload_create(void);
 
 /**
  * Creates a certificate payload with an embedded certificate.
- * 
+ *
  * @param cert				certificate to embed
  * @return					cert_payload_t object
  */
@@ -127,7 +127,7 @@ cert_payload_t *cert_payload_create_from_cert(certificate_t *cert);
 
 /**
  * Creates a certificate payload with hash and URL encoding of a certificate.
- * 
+ *
  * @param hash				hash of the DER encoded certificate (get's cloned)
  * @param url				the URL to locate the certificate (get's cloned)
  * @return					cert_payload_t object
diff --git a/src/charon/encoding/payloads/certreq_payload.c b/src/charon/encoding/payloads/certreq_payload.c
index 50adedb28..9ff0bdde0 100644
--- a/src/charon/encoding/payloads/certreq_payload.c
+++ b/src/charon/encoding/payloads/certreq_payload.c
@@ -27,14 +27,14 @@ typedef struct private_certreq_payload_t private_certreq_payload_t;
 
 /**
  * Private data of an certreq_payload_t object.
- * 
+ *
  */
 struct private_certreq_payload_t {
 	/**
 	 * Public certreq_payload_t interface.
 	 */
 	certreq_payload_t public;
-	
+
 	/**
 	 * Next payload type.
 	 */
@@ -44,17 +44,17 @@ struct private_certreq_payload_t {
 	 * Critical flag.
 	 */
 	bool critical;
-	
+
 	/**
 	 * Length of this payload.
 	 */
 	u_int16_t payload_length;
-	
+
 	/**
 	 * Encoding of the CERT Data.
 	 */
 	u_int8_t encoding;
-	
+
 	/**
 	 * The contained certreq data value.
 	 */
@@ -63,10 +63,10 @@ struct private_certreq_payload_t {
 
 /**
  * Encoding rules to parse or generate a CERTREQ payload
- * 
- * The defined offsets are the positions in a object of type 
+ *
+ * The defined offsets are the positions in a object of type
  * private_certreq_payload_t.
- * 
+ *
  */
 encoding_rule_t certreq_payload_encodings[] = {
 	/* 1 Byte next payload type, stored in the field next_payload */
@@ -160,7 +160,7 @@ static size_t get_length(private_certreq_payload_t *this)
 {
 	return this->payload_length;
 }
-	
+
 /**
  * Implementation of certreq_payload_t.add_keyid.
  */
@@ -240,7 +240,7 @@ static certificate_type_t get_cert_type(private_certreq_payload_t *this)
 static void destroy(private_certreq_payload_t *this)
 {
 	chunk_free(&this->data);
-	free(this);	
+	free(this);
 }
 
 /*
@@ -258,13 +258,13 @@ certreq_payload_t *certreq_payload_create()
 	this->public.payload_interface.set_next_type = (void (*) (payload_t*,payload_type_t))set_next_type;
 	this->public.payload_interface.get_type = (payload_type_t (*) (payload_t*))get_payload_type;
 	this->public.payload_interface.destroy = (void (*) (payload_t*))destroy;
-	
+
 	/* public functions */
 	this->public.destroy = (void (*) (certreq_payload_t*)) destroy;
 	this->public.create_keyid_enumerator = (enumerator_t*(*)(certreq_payload_t*))create_keyid_enumerator;
 		this->public.get_cert_type = (certificate_type_t(*)(certreq_payload_t*))get_cert_type;
 	this->public.add_keyid = (void(*)(certreq_payload_t*, chunk_t keyid))add_keyid;
-	
+
 	/* private variables */
 	this->critical = FALSE;
 	this->next_payload = NO_PAYLOAD;
@@ -281,7 +281,7 @@ certreq_payload_t *certreq_payload_create()
 certreq_payload_t *certreq_payload_create_type(certificate_type_t type)
 {
 	private_certreq_payload_t *this = (private_certreq_payload_t*)certreq_payload_create();
-	
+
 	switch (type)
 	{
 		case CERT_X509:
diff --git a/src/charon/encoding/payloads/certreq_payload.h b/src/charon/encoding/payloads/certreq_payload.h
index ff9814f8a..914063628 100644
--- a/src/charon/encoding/payloads/certreq_payload.h
+++ b/src/charon/encoding/payloads/certreq_payload.h
@@ -50,14 +50,14 @@ struct certreq_payload_t {
 	 * @return			enumerator over chunk_t's.
 	 */
 	enumerator_t* (*create_keyid_enumerator)(certreq_payload_t *this);
-	
+
 	/**
 	 * Get the type of contained certificate keyids.
 	 *
 	 * @return			certificate keyid type
 	 */
 	certificate_type_t (*get_cert_type)(certreq_payload_t *this);
-	
+
 	/**
 	 * Add a certificates keyid to the payload.
 	 *
@@ -65,7 +65,7 @@ struct certreq_payload_t {
 	 * @return
 	 */
 	void (*add_keyid)(certreq_payload_t *this, chunk_t keyid);
-	
+
 	/**
 	 * Destroys an certreq_payload_t object.
 	 */
@@ -74,14 +74,14 @@ struct certreq_payload_t {
 
 /**
  * Creates an empty certreq_payload_t object.
- * 
+ *
  * @return 				certreq payload
  */
 certreq_payload_t *certreq_payload_create(void);
 
 /**
  * Creates an empty certreq_payload_t for a kind of certificates.
- * 
+ *
  * @param type			type of the added keyids
  * @return 				certreq payload
  */
diff --git a/src/charon/encoding/payloads/configuration_attribute.c b/src/charon/encoding/payloads/configuration_attribute.c
index 674feeddd..9094fd44d 100644
--- a/src/charon/encoding/payloads/configuration_attribute.c
+++ b/src/charon/encoding/payloads/configuration_attribute.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005-2009 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
  *
@@ -27,67 +27,45 @@ typedef struct private_configuration_attribute_t private_configuration_attribute
 
 /**
  * Private data of an configuration_attribute_t object.
- * 
+ *
  */
 struct private_configuration_attribute_t {
 	/**
 	 * Public configuration_attribute_t interface.
 	 */
 	configuration_attribute_t public;
-	
+
 	/**
 	 * Type of the attribute.
 	 */
-	u_int16_t attribute_type;
-	
+	u_int16_t type;
+
 	/**
 	 * Length of the attribute.
 	 */
-	u_int16_t attribute_length;
+	u_int16_t length;
 
 	/**
 	 * Attribute value as chunk.
 	 */
-	chunk_t attribute_value;
+	chunk_t value;
 };
 
-ENUM_BEGIN(configuration_attribute_type_names, INTERNAL_IP4_ADDRESS, INTERNAL_IP6_ADDRESS,
-	"INTERNAL_IP4_ADDRESS",
-	"INTERNAL_IP4_NETMASK",
-	"INTERNAL_IP4_DNS",
-	"INTERNAL_IP4_NBNS",
-	"INTERNAL_ADDRESS_EXPIRY",
-	"INTERNAL_IP4_DHCP",
-	"APPLICATION_VERSION",
-	"INTERNAL_IP6_ADDRESS");
-ENUM_NEXT(configuration_attribute_type_names, INTERNAL_IP6_DNS, INTERNAL_IP6_SUBNET, INTERNAL_IP6_ADDRESS,
-	"INTERNAL_IP6_DNS",
-	"INTERNAL_IP6_NBNS",
-	"INTERNAL_IP6_DHCP",
-	"INTERNAL_IP4_SUBNET",
-	"SUPPORTED_ATTRIBUTES",
-	"INTERNAL_IP6_SUBNET");
-ENUM_NEXT(configuration_attribute_type_names, INTERNAL_IP4_SERVER, INTERNAL_IP6_SERVER, INTERNAL_IP6_SUBNET,
-	"INTERNAL_IP4_SERVER",
-	"INTERNAL_IP6_SERVER");
-ENUM_END(configuration_attribute_type_names, INTERNAL_IP6_SERVER);
-
 /**
  * Encoding rules to parse or generate a configuration attribute.
- * 
- * The defined offsets are the positions in a object of type 
+ *
+ * The defined offsets are the positions in a object of type
  * private_configuration_attribute_t.
- * 
  */
 encoding_rule_t configuration_attribute_encodings[] = {
 
-	{ RESERVED_BIT,	0																					},
+	{ RESERVED_BIT,						0													},
 	/* type of the attribute as 15 bit unsigned integer */
-	{ ATTRIBUTE_TYPE,			offsetof(private_configuration_attribute_t, attribute_type)				},	
+	{ ATTRIBUTE_TYPE,					offsetof(private_configuration_attribute_t, type)	},
 	/* Length of attribute value */
-	{ CONFIGURATION_ATTRIBUTE_LENGTH,		offsetof(private_configuration_attribute_t, attribute_length)},
+	{ CONFIGURATION_ATTRIBUTE_LENGTH,	offsetof(private_configuration_attribute_t, length)	},
 	/* Value of attribute if attribute format flag is zero */
-	{ CONFIGURATION_ATTRIBUTE_VALUE,		offsetof(private_configuration_attribute_t, attribute_value)}
+	{ CONFIGURATION_ATTRIBUTE_VALUE,	offsetof(private_configuration_attribute_t, value)	}
 };
 
 /*
@@ -109,66 +87,65 @@ static status_t verify(private_configuration_attribute_t *this)
 {
 	bool failed = FALSE;
 
-	if (this->attribute_length != this->attribute_value.len)
+	if (this->length != this->value.len)
 	{
 		DBG1(DBG_ENC, "invalid attribute length");
 		return FAILED;
 	}
 
-	switch (this->attribute_type)
+	switch (this->type)
 	{
-         case INTERNAL_IP4_ADDRESS:
-         case INTERNAL_IP4_NETMASK:
+		 case INTERNAL_IP4_ADDRESS:
+		 case INTERNAL_IP4_NETMASK:
 		 case INTERNAL_IP4_DNS:
 		 case INTERNAL_IP4_NBNS:
 		 case INTERNAL_ADDRESS_EXPIRY:
 		 case INTERNAL_IP4_DHCP:
-		 	if (this->attribute_length != 0 && this->attribute_length != 4)
-		 	{
+			if (this->length != 0 && this->length != 4)
+			{
 				failed = TRUE;
-		 	}
+			}
 			break;
 		 case INTERNAL_IP4_SUBNET:
-		 	if (this->attribute_length != 0 && this->attribute_length != 8)
-		 	{
+			if (this->length != 0 && this->length != 8)
+			{
 				failed = TRUE;
-		 	}
+			}
 			break;
 		 case INTERNAL_IP6_ADDRESS:
 		 case INTERNAL_IP6_SUBNET:
-		 	if (this->attribute_length != 0 && this->attribute_length != 17)
-		 	{
+			if (this->length != 0 && this->length != 17)
+			{
 				failed = TRUE;
-		 	}
+			}
 			break;
 		 case INTERNAL_IP6_DNS:
 		 case INTERNAL_IP6_NBNS:
 		 case INTERNAL_IP6_DHCP:
-		 	if (this->attribute_length != 0 && this->attribute_length != 16)
-		 	{
+			if (this->length != 0 && this->length != 16)
+			{
 				failed = TRUE;
-		 	}
+			}
 			break;
 		 case SUPPORTED_ATTRIBUTES:
-		 	if (this->attribute_length % 2)
-		 	{
+			if (this->length % 2)
+			{
 				failed = TRUE;
-		 	}
+			}
 			break;
 		 case APPLICATION_VERSION:
-		 	/* any length acceptable */
-		 	break;
+			/* any length acceptable */
+			break;
 		 default:
-			DBG1(DBG_ENC, "unknown attribute type %N", 
-				 configuration_attribute_type_names, this->attribute_type);
-		 	break;
+			DBG1(DBG_ENC, "unknown attribute type %N",
+				 configuration_attribute_type_names, this->type);
+			break;
 	}
-	
+
 	if (failed)
 	{
 		DBG1(DBG_ENC, "invalid attribute length %d for %N",
-			 this->attribute_length, configuration_attribute_type_names,
-			 this->attribute_type);
+			 this->length, configuration_attribute_type_names, this->type);
 		return FAILED;
 	}
 	return SUCCESS;
@@ -177,7 +154,8 @@ static status_t verify(private_configuration_attribute_t *this)
 /**
  * Implementation of payload_t.get_encoding_rules.
  */
-static void get_encoding_rules(private_configuration_attribute_t *this, encoding_rule_t **rules, size_t *rule_count)
+static void get_encoding_rules(private_configuration_attribute_t *this,
+							   encoding_rule_t **rules, size_t *rule_count)
 {
 	*rules = configuration_attribute_encodings;
 	*rule_count = sizeof(configuration_attribute_encodings) / sizeof(encoding_rule_t);
@@ -196,13 +174,14 @@ static payload_type_t get_type(private_configuration_attribute_t *this)
  */
 static payload_type_t get_next_type(private_configuration_attribute_t *this)
 {
-	return (NO_PAYLOAD);
+	return NO_PAYLOAD;
 }
 
 /**
  * Implementation of payload_t.set_next_type.
  */
-static void set_next_type(private_configuration_attribute_t *this,payload_type_t type)
+static void set_next_type(private_configuration_attribute_t *this,
+						  payload_type_t type)
 {
 }
 
@@ -211,99 +190,75 @@ static void set_next_type(private_configuration_attribute_t *this,payload_type_t
  */
 static size_t get_length(private_configuration_attribute_t *this)
 {
-	return (this->attribute_value.len + CONFIGURATION_ATTRIBUTE_HEADER_LENGTH);
+	return this->value.len + CONFIGURATION_ATTRIBUTE_HEADER_LENGTH;
 }
 
 /**
- * Implementation of configuration_attribute_t.set_value.
+ * Implementation of configuration_attribute_t.get_type.
  */
-static void set_value(private_configuration_attribute_t *this, chunk_t value)
+static configuration_attribute_type_t get_configuration_attribute_type(
+									private_configuration_attribute_t *this)
 {
-	if (this->attribute_value.ptr != NULL)
-	{
-		/* free existing value */
-		chunk_free(&(this->attribute_value));		
-	}
-	
-	this->attribute_value.ptr = clalloc(value.ptr,value.len);
-	this->attribute_value.len = value.len;
-	
-	this->attribute_length = this->attribute_value.len;
+	return this->type;
 }
 
 /**
  * Implementation of configuration_attribute_t.get_value.
  */
-static chunk_t get_value (private_configuration_attribute_t *this)
+static chunk_t get_value(private_configuration_attribute_t *this)
 {
-	return this->attribute_value;
+	return this->value;
 }
 
 /**
- * Implementation of configuration_attribute_t.set_type.
+ * Implementation of configuration_attribute_t.destroy and payload_t.destroy.
  */
-static void set_attribute_type (private_configuration_attribute_t *this, u_int16_t type)
+static void destroy(private_configuration_attribute_t *this)
 {
-	this->attribute_type = type & 0x7FFF;
+	free(this->value.ptr);
+	free(this);
 }
 
-/**
- * Implementation of configuration_attribute_t.get_type.
+/*
+ * Described in header.
  */
-static u_int16_t get_attribute_type (private_configuration_attribute_t *this)
+configuration_attribute_t *configuration_attribute_create()
 {
-	return this->attribute_type;
-}
+	private_configuration_attribute_t *this;
 
-/**
- * Implementation of configuration_attribute_t.get_length.
- */
-static u_int16_t get_attribute_length (private_configuration_attribute_t *this)
-{
-	return this->attribute_length;
-}
+	this = malloc_thing(private_configuration_attribute_t);
+	this->public.payload_interface.verify = (status_t(*)(payload_t *))verify;
+	this->public.payload_interface.get_encoding_rules = (void(*)(payload_t *, encoding_rule_t **, size_t *) )get_encoding_rules;
+	this->public.payload_interface.get_length = (size_t(*)(payload_t *))get_length;
+	this->public.payload_interface.get_next_type = (payload_type_t(*)(payload_t *))get_next_type;
+	this->public.payload_interface.set_next_type = (void(*)(payload_t *,payload_type_t))set_next_type;
+	this->public.payload_interface.get_type = (payload_type_t(*)(payload_t *))get_type;
+	this->public.payload_interface.destroy = (void(*)(payload_t*))destroy;
 
+	this->public.get_value = (chunk_t(*)(configuration_attribute_t *))get_value;
+	this->public.get_type = (configuration_attribute_type_t(*)(configuration_attribute_t *))get_configuration_attribute_type;
+	this->public.destroy = (void (*)(configuration_attribute_t*))destroy;
 
-/**
- * Implementation of configuration_attribute_t.destroy and payload_t.destroy.
- */
-static void destroy(private_configuration_attribute_t *this)
-{
-	if (this->attribute_value.ptr != NULL)
-	{
-		free(this->attribute_value.ptr);
-	}	
-	free(this);
+	this->type = 0;
+	this->value = chunk_empty;
+	this->length = 0;
+
+	return &this->public;
 }
 
 /*
  * Described in header.
  */
-configuration_attribute_t *configuration_attribute_create()
+configuration_attribute_t *configuration_attribute_create_value(
+							configuration_attribute_type_t type, chunk_t value)
 {
-	private_configuration_attribute_t *this = malloc_thing(private_configuration_attribute_t);
-
-	/* payload interface */
-	this->public.payload_interface.verify = (status_t (*) (payload_t *))verify;
-	this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules;
-	this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length;
-	this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type;
-	this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
-	this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_type;
-	this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
-	
-	/* public functions */
-	this->public.set_value = (void (*) (configuration_attribute_t *,chunk_t)) set_value;
-	this->public.get_value = (chunk_t (*) (configuration_attribute_t *)) get_value;
-	this->public.set_type = (void (*) (configuration_attribute_t *,u_int16_t type)) set_attribute_type;
-	this->public.get_type = (u_int16_t (*) (configuration_attribute_t *)) get_attribute_type;
-	this->public.get_length = (u_int16_t (*) (configuration_attribute_t *)) get_attribute_length;
-	this->public.destroy = (void (*) (configuration_attribute_t *)) destroy;
-	
-	/* set default values of the fields */
-	this->attribute_type = 0;
-	this->attribute_value = chunk_empty;
-	this->attribute_length = 0;
-
-	return (&(this->public));
+	private_configuration_attribute_t *this;
+
+	this = (private_configuration_attribute_t*)configuration_attribute_create();
+	this->type = ((u_int16_t)type) & 0x7FFF;
+	this->value = chunk_clone(value);
+	this->length = value.len;
+
+	return &this->public;
 }
+
diff --git a/src/charon/encoding/payloads/configuration_attribute.h b/src/charon/encoding/payloads/configuration_attribute.h
index 404130114..6e4b018bb 100644
--- a/src/charon/encoding/payloads/configuration_attribute.h
+++ b/src/charon/encoding/payloads/configuration_attribute.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005-2009 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
  *
@@ -22,96 +22,43 @@
 #ifndef CONFIGURATION_ATTRIBUTE_H_
 #define CONFIGURATION_ATTRIBUTE_H_
 
-typedef enum configuration_attribute_type_t configuration_attribute_type_t;
 typedef struct configuration_attribute_t configuration_attribute_t;
 
 #include <library.h>
+#include <attributes/attributes.h>
 #include <encoding/payloads/payload.h>
 
-
 /**
  * Configuration attribute header length in bytes.
  */
 #define CONFIGURATION_ATTRIBUTE_HEADER_LENGTH 4
 
-/**
- * Type of the attribute, as in IKEv2 RFC 3.15.1.
- */
-enum configuration_attribute_type_t {
-	INTERNAL_IP4_ADDRESS = 1,
-	INTERNAL_IP4_NETMASK = 2,
-	INTERNAL_IP4_DNS = 3,
-	INTERNAL_IP4_NBNS = 4,
-	INTERNAL_ADDRESS_EXPIRY = 5,
-	INTERNAL_IP4_DHCP = 6,
-	APPLICATION_VERSION = 7,
-	INTERNAL_IP6_ADDRESS = 8,
-	INTERNAL_IP6_DNS = 10,
-	INTERNAL_IP6_NBNS = 11,
-	INTERNAL_IP6_DHCP = 12,
-	INTERNAL_IP4_SUBNET = 13,
-	SUPPORTED_ATTRIBUTES = 14,
-	INTERNAL_IP6_SUBNET = 15,
-	/* proprietary Microsoft attributes */
-	INTERNAL_IP4_SERVER = 23456,
-	INTERNAL_IP6_SERVER = 23457
-};
-
-/** 
- * enum names for configuration_attribute_type_t.
- */
-extern enum_name_t *configuration_attribute_type_names;
-
 /**
  * Class representing an IKEv2-CONFIGURATION Attribute.
- * 
+ *
  * The CONFIGURATION ATTRIBUTE format is described in RFC section 3.15.1.
  */
 struct configuration_attribute_t {
+
 	/**
-	 * The payload_t interface.
+	 * Implements payload_t interface.
 	 */
 	payload_t payload_interface;
 
 	/**
-	 * Returns the currently set value of the attribute.
-	 * 	
-	 * @warning Returned data are not copied.
-	 * 
-	 * @return 		chunk_t pointing to the value
-	 */
-	chunk_t (*get_value) (configuration_attribute_t *this);
-	
-	/**
-	 * Sets the value of the attribute.
-	 * 	
-	 * Value is getting copied.
-	 * 
-	 * @param value chunk_t pointing to the value to set
+	 * Get the type of the attribute.
+	 *
+	 * @return 		type of the configuration attribute
 	 */
-	void (*set_value) (configuration_attribute_t *this, chunk_t value);
+	configuration_attribute_type_t (*get_type)(configuration_attribute_t *this);
 
 	/**
-	 * Sets the type of the attribute.
-	 * 	
-	 * @param type	type to set (most significant bit is set to zero)
+	 * Returns the value of the attribute.
+	 *
+	 * @return 		chunk_t pointing to the internal value
 	 */
-	void (*set_type) (configuration_attribute_t *this, u_int16_t type);
-	
-	/**
-	 * get the type of the attribute.
-	 * 	
-	 * @return 		type of the value
-	 */
-	u_int16_t (*get_type) (configuration_attribute_t *this);
-	
-	/**
-	 * get the length of an attribute.
-	 * 	
-	 * @return 		type of the value
-	 */
-	u_int16_t (*get_length) (configuration_attribute_t *this);
-	
+	chunk_t (*get_value) (configuration_attribute_t *this);
+
 	/**
 	 * Destroys an configuration_attribute_t object.
 	 */
@@ -119,10 +66,20 @@ struct configuration_attribute_t {
 };
 
 /**
- * Creates an empty configuration_attribute_t object.
- * 
- * @return			created configuration_attribute_t object
+ * Creates an empty configuration attribute.
+ *
+ * @return		created configuration attribute
+ */
+configuration_attribute_t *configuration_attribute_create();
+
+/**
+ * Creates a configuration attribute with type and value.
+ *
+ * @param type	type of configuration attribute
+ * @param value	value, gets cloned
+ * @return		created configuration attribute
  */
-configuration_attribute_t *configuration_attribute_create(void);
+configuration_attribute_t *configuration_attribute_create_value(
+							configuration_attribute_type_t type, chunk_t value);
 
 #endif /** CONFIGURATION_ATTRIBUTE_H_ @}*/
diff --git a/src/charon/encoding/payloads/cp_payload.c b/src/charon/encoding/payloads/cp_payload.c
index b5f1b35c7..f0a26eee2 100644
--- a/src/charon/encoding/payloads/cp_payload.c
+++ b/src/charon/encoding/payloads/cp_payload.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005-2009 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
  *
@@ -32,14 +32,14 @@ typedef struct private_cp_payload_t private_cp_payload_t;
 
 /**
  * Private data of an cp_payload_t object.
- * 
+ *
  */
 struct private_cp_payload_t {
 	/**
 	 * Public cp_payload_t interface.
 	 */
 	cp_payload_t public;
-	
+
 	/**
 	 * Next payload type.
 	 */
@@ -49,51 +49,51 @@ struct private_cp_payload_t {
 	 * Critical flag.
 	 */
 	bool critical;
-	
+
 	/**
 	 * Length of this payload.
 	 */
 	u_int16_t payload_length;
-	
+
 	/**
-	 * Configuration Attributes in this payload are stored in a linked_list_t.
+	 * List of attributes, as configuration_attribute_t
 	 */
-	linked_list_t * attributes;
-	
+	linked_list_t *attributes;
+
 	/**
 	 * Config Type.
 	 */
-	u_int8_t config_type;
+	u_int8_t type;
 };
 
 /**
  * Encoding rules to parse or generate a IKEv2-CP Payload
- * 
- * The defined offsets are the positions in a object of type 
+ *
+ * The defined offsets are the positions in a object of type
  * private_cp_payload_t.
- * 
+ *
  */
 encoding_rule_t cp_payload_encodings[] = {
- 	/* 1 Byte next payload type, stored in the field next_payload */
+	/* 1 Byte next payload type, stored in the field next_payload */
 	{ U_INT_8,		offsetof(private_cp_payload_t, next_payload) 			},
 	/* the critical bit */
-	{ FLAG,			offsetof(private_cp_payload_t, critical) 				},	
- 	/* 7 Bit reserved bits, nowhere stored */
-	{ RESERVED_BIT,	0 														}, 
-	{ RESERVED_BIT,	0 														}, 
-	{ RESERVED_BIT,	0 														}, 
-	{ RESERVED_BIT,	0 														}, 
-	{ RESERVED_BIT,	0 														}, 
-	{ RESERVED_BIT,	0 														}, 
-	{ RESERVED_BIT,	0 														}, 
+	{ FLAG,			offsetof(private_cp_payload_t, critical) 				},
+	/* 7 Bit reserved bits, nowhere stored */
+	{ RESERVED_BIT,	0 														},
+	{ RESERVED_BIT,	0 														},
+	{ RESERVED_BIT,	0 														},
+	{ RESERVED_BIT,	0 														},
+	{ RESERVED_BIT,	0 														},
+	{ RESERVED_BIT,	0 														},
+	{ RESERVED_BIT,	0 														},
 	/* Length of the whole CP payload*/
-	{ PAYLOAD_LENGTH,		offsetof(private_cp_payload_t, payload_length) 	},	
-	/* Proposals are stored in a proposal substructure, 
+	{ PAYLOAD_LENGTH,		offsetof(private_cp_payload_t, payload_length) 	},
+	/* Proposals are stored in a proposal substructure,
 	   offset points to a linked_list_t pointer */
-	{ U_INT_8,		offsetof(private_cp_payload_t, config_type)				},
-	{ RESERVED_BYTE,0 														}, 
-	{ RESERVED_BYTE,0														}, 
-	{ RESERVED_BYTE,0														}, 	
+	{ U_INT_8,				offsetof(private_cp_payload_t, type)			},
+	{ RESERVED_BYTE,0 														},
+	{ RESERVED_BYTE,0														},
+	{ RESERVED_BYTE,0														},
 	{ CONFIGURATION_ATTRIBUTES,	offsetof(private_cp_payload_t, attributes)	}
 };
 
@@ -117,26 +117,27 @@ encoding_rule_t cp_payload_encodings[] = {
 static status_t verify(private_cp_payload_t *this)
 {
 	status_t status = SUCCESS;
-	iterator_t *iterator;
-	configuration_attribute_t *attribute;
-	
-	iterator = this->attributes->create_iterator(this->attributes,TRUE);
-	while(iterator->iterate(iterator, (void**)&attribute))
+	enumerator_t *enumerator;
+	payload_t *attribute;
+
+	enumerator = this->attributes->create_enumerator(this->attributes);
+	while (enumerator->enumerate(enumerator, &attribute))
 	{
-		status = attribute->payload_interface.verify(&attribute->payload_interface);
+		status = attribute->verify(attribute);
 		if (status != SUCCESS)
 		{
 			break;
 		}
 	}
-	iterator->destroy(iterator);
+	enumerator->destroy(enumerator);
 	return status;
 }
 
 /**
  * Implementation of payload_t.get_encoding_rules.
  */
-static void get_encoding_rules(private_cp_payload_t *this, encoding_rule_t **rules, size_t *rule_count)
+static void get_encoding_rules(private_cp_payload_t *this,
+							   encoding_rule_t **rules, size_t *rule_count)
 {
 	*rules = cp_payload_encodings;
 	*rule_count = sizeof(cp_payload_encodings) / sizeof(encoding_rule_t);
@@ -155,7 +156,7 @@ static payload_type_t get_type(private_cp_payload_t *this)
  */
 static payload_type_t get_next_type(private_cp_payload_t *this)
 {
-	return (this->next_payload);
+	return this->next_payload;
 }
 
 /**
@@ -171,18 +172,17 @@ static void set_next_type(private_cp_payload_t *this,payload_type_t type)
  */
 static void compute_length(private_cp_payload_t *this)
 {
-	iterator_t *iterator;
-	payload_t *current_attribute;
-	size_t length = CP_PAYLOAD_HEADER_LENGTH;
-	
-	iterator = this->attributes->create_iterator(this->attributes,TRUE);
-	while (iterator->iterate(iterator, (void**)&current_attribute))
+	enumerator_t *enumerator;
+	payload_t *attribute;
+
+	this->payload_length = CP_PAYLOAD_HEADER_LENGTH;
+
+	enumerator = this->attributes->create_enumerator(this->attributes);
+	while (enumerator->enumerate(enumerator, &attribute))
 	{
-		length += current_attribute->get_length(current_attribute);
+		this->payload_length += attribute->get_length(attribute);
 	}
-	iterator->destroy(iterator);
-	
-	this->payload_length = length;
+	enumerator->destroy(enumerator);
 }
 
 /**
@@ -190,41 +190,33 @@ static void compute_length(private_cp_payload_t *this)
  */
 static size_t get_length(private_cp_payload_t *this)
 {
-	compute_length(this);
 	return this->payload_length;
 }
 
 /**
- * Implementation of cp_payload_t.create_configuration_attribute_iterator.
+ * Implementation of cp_payload_t.create_attribute_enumerator.
  */
-static iterator_t *create_attribute_iterator (private_cp_payload_t *this)
+static enumerator_t *create_attribute_enumerator(private_cp_payload_t *this)
 {
-	return this->attributes->create_iterator(this->attributes, TRUE);
+	return this->attributes->create_enumerator(this->attributes);
 }
 
 /**
- * Implementation of cp_payload_t.add_proposal_substructure.
+ * Implementation of cp_payload_t.add_attribute.
  */
-static void add_configuration_attribute (private_cp_payload_t *this,configuration_attribute_t *attribute)
+static void add_attribute(private_cp_payload_t *this,
+						  configuration_attribute_t *attribute)
 {
-	this->attributes->insert_last(this->attributes,(void *) attribute);
+	this->attributes->insert_last(this->attributes, attribute);
 	compute_length(this);
 }
 
 /**
- * Implementation of cp_payload_t.set_config_type.
+ * Implementation of cp_payload_t.get_type.
  */
-static void set_config_type (private_cp_payload_t *this,config_type_t config_type)
+static config_type_t get_config_type(private_cp_payload_t *this)
 {
-	this->config_type = config_type;
-}
-
-/**
- * Implementation of cp_payload_t.get_config_type.
- */
-static config_type_t get_config_type (private_cp_payload_t *this)
-{
-	return this->config_type;
+	return this->type;
 }
 
 /**
@@ -233,7 +225,7 @@ static config_type_t get_config_type (private_cp_payload_t *this)
 static void destroy(private_cp_payload_t *this)
 {
 	this->attributes->destroy_offset(this->attributes,
-									 offsetof(configuration_attribute_t, destroy));
+								offsetof(configuration_attribute_t, destroy));
 	free(this);
 }
 
@@ -243,8 +235,7 @@ static void destroy(private_cp_payload_t *this)
 cp_payload_t *cp_payload_create()
 {
 	private_cp_payload_t *this = malloc_thing(private_cp_payload_t);
-	
-	/* public interface */
+
 	this->public.payload_interface.verify = (status_t (*) (payload_t *))verify;
 	this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules;
 	this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length;
@@ -252,19 +243,31 @@ cp_payload_t *cp_payload_create()
 	this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
 	this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_type;
 	this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
-	
-	/* public functions */
-	this->public.create_attribute_iterator = (iterator_t* (*) (cp_payload_t *)) create_attribute_iterator;
-	this->public.add_configuration_attribute = (void (*) (cp_payload_t *,configuration_attribute_t *)) add_configuration_attribute;
-	this->public.set_config_type = (void (*) (cp_payload_t *, config_type_t)) set_config_type;
-	this->public.get_config_type = (config_type_t (*) (cp_payload_t *)) get_config_type;
-	this->public.destroy = (void (*) (cp_payload_t *)) destroy;
-	
+
+	this->public.create_attribute_enumerator = (enumerator_t*(*)(cp_payload_t *))create_attribute_enumerator;
+	this->public.add_attribute = (void (*) (cp_payload_t *,configuration_attribute_t*))add_attribute;
+	this->public.get_type = (config_type_t (*) (cp_payload_t *))get_config_type;
+	this->public.destroy = (void (*)(cp_payload_t *))destroy;
+
 	/* set default values of the fields */
 	this->critical = FALSE;
 	this->next_payload = NO_PAYLOAD;
 	this->payload_length = CP_PAYLOAD_HEADER_LENGTH;
-
 	this->attributes = linked_list_create();
-	return (&(this->public));
+	this->type = CFG_REQUEST;
+
+	return &this->public;
 }
+
+/*
+ * Described in header.
+ */
+cp_payload_t *cp_payload_create_type(config_type_t type)
+{
+	private_cp_payload_t *this = (private_cp_payload_t*)cp_payload_create();
+
+	this->type = type;
+
+	return &this->public;
+}
+
diff --git a/src/charon/encoding/payloads/cp_payload.h b/src/charon/encoding/payloads/cp_payload.h
index 6ffcca708..c0760885a 100644
--- a/src/charon/encoding/payloads/cp_payload.h
+++ b/src/charon/encoding/payloads/cp_payload.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005-2009 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
  *
@@ -28,7 +28,7 @@ typedef struct cp_payload_t cp_payload_t;
 #include <library.h>
 #include <encoding/payloads/payload.h>
 #include <encoding/payloads/configuration_attribute.h>
-#include <utils/linked_list.h>
+#include <utils/enumerator.h>
 
 /**
  * CP_PAYLOAD length in bytes without any proposal substructure.
@@ -52,49 +52,38 @@ extern enum_name_t *config_type_names;
 
 /**
  * Class representing an IKEv2-CP Payload.
- * 
+ *
  * The CP Payload format is described in RFC section 3.15.
  */
 struct cp_payload_t {
+
 	/**
 	 * The payload_t interface.
 	 */
 	payload_t payload_interface;
-	
+
 	/**
 	 * Creates an iterator of stored configuration_attribute_t objects.
-	 * 
-	 * When deleting an attribute using this iterator, the length of this
-	 * configuration_attribute_t has to be refreshed by calling get_length()!
 	 *
-	 * @return				created iterator_t object
+	 * @return			enumerator over configration_attribute_T
 	 */
-	iterator_t *(*create_attribute_iterator) (cp_payload_t *this);
-	
-	/**
-	 * Adds a configuration_attribute_t object to this object.
-	 * 
-	 * The added configuration_attribute_t object is getting destroyed in
-	 * destroy function of cp_payload_t.
-	 *
-	 * @param attribute		configuration_attribute_t object to add
-	 */
-	void (*add_configuration_attribute) (cp_payload_t *this, configuration_attribute_t *attribute);
-	
+	enumerator_t *(*create_attribute_enumerator) (cp_payload_t *this);
+
 	/**
-	 * Set the config type.
+	 * Adds a configuration attribute to the configuration payload.
 	 *
-	 * @param config_type	config_type_t to set
+	 * @param attribute	attribute to add
 	 */
-	void (*set_config_type) (cp_payload_t *this,config_type_t config_type);
-	
+	void (*add_attribute)(cp_payload_t *this,
+						  configuration_attribute_t *attribute);
+
 	/**
-	 * Get the config type.
+	 * Get the configuration payload type.
 	 *
-	 * @return				config_type_t
+	 * @return			type of configuration payload
 	 */
-	config_type_t (*get_config_type) (cp_payload_t *this);
-	
+	config_type_t (*get_type) (cp_payload_t *this);
+
 	/**
 	 * Destroys an cp_payload_t object.
 	 */
@@ -102,10 +91,18 @@ struct cp_payload_t {
 };
 
 /**
- * Creates an empty cp_payload_t object
- * 
- * @return cp_payload_t object
+ * Creates an empty configuration payload
+ *
+ * @return		empty configuration payload
+ */
+cp_payload_t *cp_payload_create();
+
+/**
+ * Creates an cp_payload_t with type and value
+ *
+ * @param type	type of configuration payload to create
+ * @return		created configuration payload
  */
-cp_payload_t *cp_payload_create(void);
+cp_payload_t *cp_payload_create_type(config_type_t config_type);
 
 #endif /** CP_PAYLOAD_H_ @}*/
diff --git a/src/charon/encoding/payloads/delete_payload.c b/src/charon/encoding/payloads/delete_payload.c
index c2be1e8b5..97b4743b2 100644
--- a/src/charon/encoding/payloads/delete_payload.c
+++ b/src/charon/encoding/payloads/delete_payload.c
@@ -23,14 +23,14 @@ typedef struct private_delete_payload_t private_delete_payload_t;
 
 /**
  * Private data of an delete_payload_t object.
- * 
+ *
  */
 struct private_delete_payload_t {
 	/**
 	 * Public delete_payload_t interface.
 	 */
 	delete_payload_t public;
-	
+
 	/**
 	 * Next payload type.
 	 */
@@ -40,12 +40,12 @@ struct private_delete_payload_t {
 	 * Critical flag.
 	 */
 	bool critical;
-	
+
 	/**
 	 * Length of this payload.
 	 */
 	u_int16_t payload_length;
-	
+
 	/**
 	 * Protocol ID.
 	 */
@@ -55,36 +55,36 @@ struct private_delete_payload_t {
 	 * SPI Size.
 	 */
 	u_int8_t spi_size;
-	
+
 	/**
 	 * Number of SPI's.
 	 */
 	u_int16_t spi_count;
-	
+
 	/**
 	 * The contained SPI's.
 	 */
 	chunk_t spis;
-	
+
 	/**
-	 * List containing u_int32_t spis 
+	 * List containing u_int32_t spis
 	 */
 	linked_list_t *spi_list;
 };
 
 /**
  * Encoding rules to parse or generate a DELETE payload
- * 
- * The defined offsets are the positions in a object of type 
+ *
+ * The defined offsets are the positions in a object of type
  * private_delete_payload_t.
- * 
+ *
  */
 encoding_rule_t delete_payload_encodings[] = {
- 	/* 1 Byte next payload type, stored in the field next_payload */
+	/* 1 Byte next payload type, stored in the field next_payload */
 	{ U_INT_8,			offsetof(private_delete_payload_t, next_payload) 	},
 	/* the critical bit */
 	{ FLAG,				offsetof(private_delete_payload_t, critical) 		},
- 	/* 7 Bit reserved bits, nowhere stored */
+	/* 7 Bit reserved bits, nowhere stored */
 	{ RESERVED_BIT,	0 														},
 	{ RESERVED_BIT,	0 														},
 	{ RESERVED_BIT,	0 														},
@@ -223,7 +223,7 @@ static void add_spi(private_delete_payload_t *this, u_int32_t spi)
 static iterator_t* create_spi_iterator(private_delete_payload_t *this)
 {
 	int i;
-	
+
 	if (this->spi_list == NULL)
 	{
 		this->spi_list = linked_list_create();
@@ -253,7 +253,7 @@ static void destroy(private_delete_payload_t *this)
 	{
 		this->spi_list->destroy(this->spi_list);
 	}
-	free(this);	
+	free(this);
 }
 
 /*
@@ -271,13 +271,13 @@ delete_payload_t *delete_payload_create(protocol_id_t protocol_id)
 	this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
 	this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_payload_type;
 	this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
-	
+
 	/* public functions */
 	this->public.destroy = (void (*) (delete_payload_t *)) destroy;
 	this->public.get_protocol_id = (protocol_id_t (*) (delete_payload_t *)) get_protocol_id;
 	this->public.add_spi = (void (*) (delete_payload_t *,u_int32_t))add_spi;
 	this->public.create_spi_iterator = (iterator_t* (*) (delete_payload_t *)) create_spi_iterator;
-	
+
 	/* private variables */
 	this->critical = FALSE;
 	this->next_payload = NO_PAYLOAD;
diff --git a/src/charon/encoding/payloads/delete_payload.h b/src/charon/encoding/payloads/delete_payload.h
index 58840741a..3b62c1af1 100644
--- a/src/charon/encoding/payloads/delete_payload.h
+++ b/src/charon/encoding/payloads/delete_payload.h
@@ -43,21 +43,21 @@ struct delete_payload_t {
 	 * The payload_t interface.
 	 */
 	payload_t payload_interface;
-	
+
 	/**
 	 * Get the protocol ID.
 	 *
 	 * @return				protocol ID
 	 */
 	protocol_id_t (*get_protocol_id) (delete_payload_t *this);
-	
+
 	/**
 	 * Add an SPI to the list of deleted SAs.
 	 *
 	 * @param spi			spi to add
 	 */
 	void (*add_spi) (delete_payload_t *this, u_int32_t spi);
-	
+
 	/**
 	 * Get an iterator over the SPIs.
 	 *
@@ -66,7 +66,7 @@ struct delete_payload_t {
 	 * @return				iterator over SPIs
 	 */
 	iterator_t *(*create_spi_iterator) (delete_payload_t *this);
-	
+
 	/**
 	 * Destroys an delete_payload_t object.
 	 */
@@ -75,7 +75,7 @@ struct delete_payload_t {
 
 /**
  * Creates an empty delete_payload_t object.
- * 
+ *
  * @param protocol_id	protocol, such as AH|ESP
  * @return 				delete_payload_t object
  */
diff --git a/src/charon/encoding/payloads/eap_payload.c b/src/charon/encoding/payloads/eap_payload.c
index 1199bac45..21f34a642 100644
--- a/src/charon/encoding/payloads/eap_payload.c
+++ b/src/charon/encoding/payloads/eap_payload.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005-2010 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
  *
@@ -24,14 +24,14 @@ typedef struct private_eap_payload_t private_eap_payload_t;
 
 /**
  * Private data of an eap_payload_t object.
- * 
+ *
  */
 struct private_eap_payload_t {
 	/**
 	 * Public eap_payload_t interface.
 	 */
 	eap_payload_t public;
-	
+
 	/**
 	 * Next payload type.
 	 */
@@ -41,12 +41,12 @@ struct private_eap_payload_t {
 	 * Critical flag.
 	 */
 	bool critical;
-	
+
 	/**
 	 * Length of this payload.
 	 */
 	u_int16_t payload_length;
-	
+
 	/**
 	 * EAP message data, if available
 	 */
@@ -55,17 +55,17 @@ struct private_eap_payload_t {
 
 /**
  * Encoding rules to parse or generate a EAP payload.
- * 
- * The defined offsets are the positions in a object of type 
+ *
+ * The defined offsets are the positions in a object of type
  * private_eap_payload_t.
- * 
+ *
  */
-encoding_rule_t eap_payload_encodings[] = {
- 	/* 1 Byte next payload type, stored in the field next_payload */
+static encoding_rule_t eap_payload_encodings[] = {
+	/* 1 Byte next payload type, stored in the field next_payload */
 	{ U_INT_8,			offsetof(private_eap_payload_t, next_payload) 	},
 	/* the critical bit */
 	{ FLAG,				offsetof(private_eap_payload_t, critical) 		},
- 	/* 7 Bit reserved bits, nowhere stored */
+	/* 7 Bit reserved bits, nowhere stored */
 	{ RESERVED_BIT,	0 													},
 	{ RESERVED_BIT,	0 													},
 	{ RESERVED_BIT,	0 													},
@@ -91,27 +91,25 @@ encoding_rule_t eap_payload_encodings[] = {
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
 */
 
-/**
- * Implementation of payload_t.verify.
- */
-static status_t verify(private_eap_payload_t *this)
+METHOD(payload_t, verify, status_t,
+	private_eap_payload_t *this)
 {
 	u_int16_t length;
 	u_int8_t code;
-	
+
 	if (this->data.len < 4)
 	{
 		DBG1(DBG_ENC, "EAP payloads EAP message too short (%d)", this->data.len);
 		return FAILED;
 	}
-	code = *this->data.ptr;
-	length = htons(*(u_int16_t*)(this->data.ptr + 2));
+	length = untoh16(this->data.ptr + 2);
 	if (this->data.len != length)
 	{
-		DBG1(DBG_ENC, "EAP payload length (%d) does not match contained message length (%d)",
-			 this->data.len, length);
+		DBG1(DBG_ENC, "EAP payload length (%d) does not match contained "
+			 "message length (%d)", this->data.len, length);
 		return FAILED;
 	}
+	code = this->data.ptr[0];
 	switch (code)
 	{
 		case EAP_REQUEST:
@@ -140,119 +138,97 @@ static status_t verify(private_eap_payload_t *this)
 	return SUCCESS;
 }
 
-/**
- * Implementation of eap_payload_t.get_encoding_rules.
- */
-static void get_encoding_rules(private_eap_payload_t *this, encoding_rule_t **rules, size_t *rule_count)
+METHOD(payload_t, get_encoding_rules, void,
+	private_eap_payload_t *this, encoding_rule_t **rules, size_t *rule_count)
 {
 	*rules = eap_payload_encodings;
 	*rule_count = sizeof(eap_payload_encodings) / sizeof(encoding_rule_t);
 }
 
-/**
- * Implementation of payload_t.get_type.
- */
-static payload_type_t get_payload_type(private_eap_payload_t *this)
+METHOD(payload_t, get_payload_type, payload_type_t,
+	private_eap_payload_t *this)
 {
 	return EXTENSIBLE_AUTHENTICATION;
 }
 
-/**
- * Implementation of payload_t.get_next_type.
- */
-static payload_type_t get_next_type(private_eap_payload_t *this)
+METHOD(payload_t, get_next_type, payload_type_t,
+	private_eap_payload_t *this)
 {
 	return (this->next_payload);
 }
 
-/**
- * Implementation of payload_t.set_next_type.
- */
-static void set_next_type(private_eap_payload_t *this,payload_type_t type)
+METHOD(payload_t, set_next_type, void,
+	private_eap_payload_t *this, payload_type_t type)
 {
 	this->next_payload = type;
 }
 
-/**
- * Implementation of payload_t.get_length.
- */
-static size_t get_length(private_eap_payload_t *this)
+METHOD(payload_t, get_length, size_t,
+	private_eap_payload_t *this)
 {
 	return this->payload_length;
 }
 
-/**
- * Implementation of eap_payload_t.get_data.
- */
-static chunk_t get_data(private_eap_payload_t *this)
+METHOD(eap_payload_t, get_data, chunk_t,
+	private_eap_payload_t *this)
 {
 	return this->data;
 }
 
-/**
- * Implementation of eap_payload_t.set_data.
- */
-static void set_data(private_eap_payload_t *this, chunk_t data)
+METHOD(eap_payload_t, set_data, void,
+	private_eap_payload_t *this, chunk_t data)
 {
-	chunk_free(&this->data);
+	free(this->data.ptr);
 	this->data = chunk_clone(data);
 	this->payload_length = this->data.len + 4;
 }
 
-/**
- * Implementation of eap_payload_t.get_code.
- */
-static eap_code_t get_code(private_eap_payload_t *this)
+METHOD(eap_payload_t, get_code, eap_code_t,
+	private_eap_payload_t *this)
 {
 	if (this->data.len > 0)
 	{
-		return *this->data.ptr;
+		return this->data.ptr[0];
 	}
 	/* should not happen, as it is verified */
 	return 0;
 }
 
-/**
- * Implementation of eap_payload_t.get_identifier.
- */
-static u_int8_t get_identifier(private_eap_payload_t *this)
+METHOD(eap_payload_t, get_identifier, u_int8_t,
+	private_eap_payload_t *this)
 {
 	if (this->data.len > 1)
 	{
-		return *(this->data.ptr + 1);
+		return this->data.ptr[1];
 	}
 	/* should not happen, as it is verified */
 	return 0;
 }
 
-/**
- * Implementation of eap_payload_t.get_type.
- */
-static eap_type_t get_type(private_eap_payload_t *this, u_int32_t *vendor)
+METHOD(eap_payload_t, get_type, eap_type_t,
+	private_eap_payload_t *this, u_int32_t *vendor)
 {
 	eap_type_t type;
 
 	*vendor = 0;
 	if (this->data.len > 4)
 	{
-		type = *(this->data.ptr + 4);
+		type = this->data.ptr[4];
 		if (type != EAP_EXPANDED)
 		{
 			return type;
 		}
 		if (this->data.len >= 12)
 		{
-			*vendor = ntohl(*(u_int32_t*)(this->data.ptr + 4)) & 0x00FFFFFF;
-			return ntohl(*(u_int32_t*)(this->data.ptr + 8));
+			*vendor = untoh32(this->data.ptr + 4) & 0x00FFFFFF;
+			return untoh32(this->data.ptr + 8);
 		}
 	}
 	return 0;
 }
 
-/**
- * Implementation of payload_t.destroy and eap_payload_t.destroy.
- */
-static void destroy(private_eap_payload_t *this)
+METHOD2(payload_t, eap_payload_t, destroy, void,
+	private_eap_payload_t *this)
 {
 	chunk_free(&this->data);
 	free(this);
@@ -263,32 +239,30 @@ static void destroy(private_eap_payload_t *this)
  */
 eap_payload_t *eap_payload_create()
 {
-	private_eap_payload_t *this = malloc_thing(private_eap_payload_t);
-	
-	/* interface functions */
-	this->public.payload_interface.verify = (status_t (*) (payload_t *))verify;
-	this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules;
-	this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length;
-	this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type;
-	this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
-	this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_payload_type;
-	this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
-	
-	/* public functions */
-	this->public.destroy = (void (*) (eap_payload_t *)) destroy;
-	this->public.get_data = (chunk_t (*) (eap_payload_t*))get_data;
-	this->public.set_data = (void (*) (eap_payload_t *,chunk_t))set_data;
-	this->public.get_code = (eap_code_t (*) (eap_payload_t*))get_code;
-	this->public.get_identifier = (u_int8_t (*) (eap_payload_t*))get_identifier;
-	this->public.get_type = (eap_type_t (*) (eap_payload_t*,u_int32_t*))get_type;
-	
-	/* private variables */
-	this->critical = FALSE;
-	this->next_payload = NO_PAYLOAD;
-	this->payload_length = EAP_PAYLOAD_HEADER_LENGTH;
-	this->data = chunk_empty;
-	
-	return &(this->public);
+	private_eap_payload_t *this;
+
+	INIT(this,
+		.public = {
+			.payload_interface = {
+				.verify = _verify,
+				.get_encoding_rules = _get_encoding_rules,
+				.get_length = _get_length,
+				.get_next_type = _get_next_type,
+				.set_next_type = _set_next_type,
+				.get_type = _get_payload_type,
+				.destroy = _destroy,
+			},
+			.get_data = _get_data,
+			.set_data = _set_data,
+			.get_code = _get_code,
+			.get_identifier = _get_identifier,
+			.get_type = _get_type,
+			.destroy = _destroy,
+		},
+		.next_payload = NO_PAYLOAD,
+		.payload_length = EAP_PAYLOAD_HEADER_LENGTH,
+	);
+	return &this->public;
 }
 
 /*
@@ -297,7 +271,7 @@ eap_payload_t *eap_payload_create()
 eap_payload_t *eap_payload_create_data(chunk_t data)
 {
 	eap_payload_t *this = eap_payload_create();
-	
+
 	this->set_data(this, data);
 	return this;
 }
@@ -307,15 +281,11 @@ eap_payload_t *eap_payload_create_data(chunk_t data)
  */
 eap_payload_t *eap_payload_create_code(eap_code_t code, u_int8_t identifier)
 {
-	eap_payload_t *this = eap_payload_create();
-	chunk_t data = chunk_alloca(4);
-	
-	*(data.ptr + 0) = code;
-	*(data.ptr + 1) = identifier;
-	*(u_int16_t*)(data.ptr + 2) = htons(data.len);
-	
-	this->set_data(this, data);
-	return this;
+	chunk_t data;
+
+	data = chunk_from_chars(code, identifier, 0, 0);
+	htoun16(data.ptr + 2, data.len);
+	return eap_payload_create_data(data);
 }
 
 /*
@@ -323,15 +293,10 @@ eap_payload_t *eap_payload_create_code(eap_code_t code, u_int8_t identifier)
  */
 eap_payload_t *eap_payload_create_nak(u_int8_t identifier)
 {
-	eap_payload_t *this = eap_payload_create();
-	chunk_t data = chunk_alloca(5);
-	
-	*(data.ptr + 0) = EAP_RESPONSE;
-	*(data.ptr + 1) = identifier;
-	*(u_int16_t*)(data.ptr + 2) = htons(data.len);
-	*(data.ptr + 4) = EAP_NAK;
-	
-	this->set_data(this, data);
-	return this;
+	chunk_t data;
+
+	data = chunk_from_chars(EAP_RESPONSE, identifier, 0, 0, EAP_NAK);
+	htoun16(data.ptr + 2, data.len);
+	return eap_payload_create_data(data);
 }
 
diff --git a/src/charon/encoding/payloads/eap_payload.h b/src/charon/encoding/payloads/eap_payload.h
index a4d8a38c6..0bde4b15e 100644
--- a/src/charon/encoding/payloads/eap_payload.h
+++ b/src/charon/encoding/payloads/eap_payload.h
@@ -39,12 +39,12 @@ typedef struct eap_payload_t eap_payload_t;
  * The EAP payload format is described in RFC section 3.16.
  */
 struct eap_payload_t {
-	
+
 	/**
 	 * The payload_t interface.
 	 */
 	payload_t payload_interface;
-	
+
 	/**
 	 * Set the contained EAP data.
 	 *
@@ -54,7 +54,7 @@ struct eap_payload_t {
 	 * @param message	EAP data
 	 */
 	void (*set_data) (eap_payload_t *this, chunk_t data);
-	
+
 	/**
 	 * Get the contained EAP data.
 	 *
@@ -63,21 +63,21 @@ struct eap_payload_t {
 	 * @return			EAP data (pointer to internal data)
 	 */
 	chunk_t (*get_data) (eap_payload_t *this);
-	
+
 	/**
 	 * Get the EAP code.
 	 *
 	 * @return			EAP message as chunk_t
 	 */
 	eap_code_t (*get_code) (eap_payload_t *this);
-	
+
 	/**
 	 * Get the EAP identifier.
 	 *
 	 * @return			unique identifier
 	 */
 	u_int8_t (*get_identifier) (eap_payload_t *this);
-	
+
 	/**
 	 * Get the EAP method type.
 	 *
@@ -85,7 +85,7 @@ struct eap_payload_t {
 	 * @return			EAP method type, vendor specific if vendor != 0
 	 */
 	eap_type_t (*get_type) (eap_payload_t *this, u_int32_t *vendor);
-	
+
 	/**
 	 * Destroys an eap_payload_t object.
 	 */
@@ -109,7 +109,7 @@ eap_payload_t *eap_payload_create_data(chunk_t data);
 /**
  * Creates an eap_payload_t object with a code.
  *
- * Could should be either EAP_SUCCESS/EAP_FAILURE, use 
+ * Could should be either EAP_SUCCESS/EAP_FAILURE, use
  * constructor above otherwise.
  *
  * @param code			EAP status code
diff --git a/src/charon/encoding/payloads/encodings.h b/src/charon/encoding/payloads/encodings.h
index 03554f0af..52af4a984 100644
--- a/src/charon/encoding/payloads/encodings.h
+++ b/src/charon/encoding/payloads/encodings.h
@@ -28,266 +28,266 @@ typedef struct encoding_rule_t encoding_rule_t;
 #include <library.h>
 
 /**
- * All different kinds of encoding types. 
+ * All different kinds of encoding types.
  *
- * Each field of an IKEv2-Message (in header or payload) 
+ * Each field of an IKEv2-Message (in header or payload)
  * which has to be parsed or generated differently has its own
  * type defined here.
  *
- * Header is parsed like a payload and gets its one payload_id 
- * from PRIVATE USE space. Also the substructures 
- * of specific payload types get their own payload_id 
+ * Header is parsed like a payload and gets its one payload_id
+ * from PRIVATE USE space. Also the substructures
+ * of specific payload types get their own payload_id
  * from PRIVATE_USE space. See IKEv2-Draft for more informations.
  */
 enum encoding_type_t {
-	
+
 	/**
 	 * Representing a 4 Bit unsigned int value.
-	 * 
-	 * 
+	 *
+	 *
 	 * When generating it must be changed from host to network order.
 	 * The value is read from the associated data struct.
 	 * The current write position is moved 4 bit forward afterwards.
-	 * 
+	 *
 	 * When parsing it must be changed from network to host order.
 	 * The value is written to the associated data struct.
 	 * The current read pointer is moved 4 bit forward afterwards.
 	 */
 	U_INT_4,
-	
+
 	/**
 	 * Representing a 8 Bit unsigned int value.
-	 * 
-	 * 
+	 *
+	 *
 	 * When generating it must be changed from host to network order.
 	 * The value is read from the associated data struct.
 	 * The current write position is moved 8 bit forward afterwards.
-	 *  
+	 *
 	 * When parsing it must be changed from network to host order.
 	 * The value is written to the associated data struct.
 	 * The current read pointer is moved 8 bit forward afterwards.
 	 */
 	U_INT_8,
-	
+
 	/**
 	 * Representing a 16 Bit unsigned int value.
-	 * 
-	 * 
+	 *
+	 *
 	 * When generating it must be changed from host to network order.
 	 * The value is read from the associated data struct.
- 	 * The current write position is moved 16 bit forward afterwards.
-	 * 
+	 * The current write position is moved 16 bit forward afterwards.
+	 *
 	 * When parsing it must be changed from network to host order.
 	 * The value is written to the associated data struct.
 	 * The current read pointer is moved 16 bit forward afterwards.
 	 */
 	U_INT_16,
-	
+
 	/**
 	 * Representing a 32 Bit unsigned int value.
-	 * 
+	 *
 	 * When generating it must be changed from host to network order.
 	 * The value is read from the associated data struct.
 	 * The current write position is moved 32 bit forward afterwards.
-	 * 
+	 *
 	 * When parsing it must be changed from network to host order.
 	 * The value is written to the associated data struct.
 	 * The current read pointer is moved 32 bit forward afterwards.
 	 */
 	U_INT_32,
-	
+
 	/**
 	 * represents a RESERVED_BIT used in FLAG-Bytes.
-	 * 
-	 * When generating, the next bit is set to zero and the current write 
+	 *
+	 * When generating, the next bit is set to zero and the current write
 	 * position is moved one bit forward.
 	 * No value is read from the associated data struct.
 	 * The current write position is moved 1 bit forward afterwards.
-	 * 
+	 *
 	 * When parsing, the current read pointer is moved one bit forward.
 	 * No value is written to the associated data struct.
 	 * The current read pointer is moved 1 bit forward afterwards.
 	 */
 	RESERVED_BIT,
-	
+
 	/**
 	 * represents a RESERVED_BYTE.
-	 * 
-	 * When generating, the next byte is set to zero and the current write 
+	 *
+	 * When generating, the next byte is set to zero and the current write
 	 * position is moved one byte forward.
 	 * No value is read from the associated data struct.
 	 * The current write position is moved 1 byte forward afterwards.
-	 * 
+	 *
 	 * When parsing, the current read pointer is moved one byte forward.
 	 * No value is written to the associated data struct.
 	 * The current read pointer is moved 1 byte forward afterwards.
 	 */
 	RESERVED_BYTE,
-	
+
 	/**
 	 * Representing a 1 Bit flag.
-	 * 
-	 * When generation, the next bit is set to 1 if the associated value 
-	 * in the data struct is TRUE, 0 otherwise. The current write position 
+	 *
+	 * When generation, the next bit is set to 1 if the associated value
+	 * in the data struct is TRUE, 0 otherwise. The current write position
 	 * is moved 1 bit forward afterwards.
 	 *
-	 * When parsing, the next bit is read and stored in the associated data 
-	 * struct. 0 means FALSE, 1 means TRUE, The current read pointer 
+	 * When parsing, the next bit is read and stored in the associated data
+	 * struct. 0 means FALSE, 1 means TRUE, The current read pointer
 	 * is moved 1 bit forward afterwards
 	 */
 	FLAG,
-	
+
 	/**
 	 * Representating a length field of a payload.
-	 * 
- 	 * When generating it must be changed from host to network order.
+	 *
+	 * When generating it must be changed from host to network order.
 	 * The value is read from the associated data struct.
 	 * The current write position is moved 16 bit forward afterwards.
-	 * 
+	 *
 	 * When parsing it must be changed from network to host order.
 	 * The value is written to the associated data struct.
 	 * The current read pointer is moved 16 bit forward afterwards.
 	 */
 	PAYLOAD_LENGTH,
-	
+
 	/**
 	 * Representating a length field of a header.
-	 * 
- 	 * When generating it must be changed from host to network order.
+	 *
+	 * When generating it must be changed from host to network order.
 	 * The value is read from the associated data struct.
 	 * The current write position is moved 32 bit forward afterwards.
-	 * 
+	 *
 	 * When parsing it must be changed from network to host order.
 	 * The value is written to the associated data struct.
 	 * The current read pointer is moved 32 bit forward afterwards.
 	 */
 	HEADER_LENGTH,
-	
+
 	/**
 	 * Representating a spi size field.
-	 * 
- 	 * When generating it must be changed from host to network order.
+	 *
+	 * When generating it must be changed from host to network order.
 	 * The value is read from the associated data struct.
 	 * The current write position is moved 8 bit forward afterwards.
-	 * 
+	 *
 	 * When parsing it must be changed from network to host order.
 	 * The value is written to the associated data struct.
 	 * The current read pointer is moved 8 bit forward afterwards.
 	 */
 	SPI_SIZE,
-	
+
 	/**
 	 * Representating a spi field.
-	 * 
- 	 * When generating the content of the chunkt pointing to 
- 	 * is written.
-	 * 
+	 *
+	 * When generating the content of the chunkt pointing to
+	 * is written.
+	 *
 	 * When parsing SPI_SIZE bytes are read and written into the chunk pointing to.
 	 */
 	SPI,
-	
+
 	/**
 	 * Representating a Key Exchange Data field.
-	 * 
- 	 * When generating the content of the chunkt pointing to 
- 	 * is written.
-	 * 
+	 *
+	 * When generating the content of the chunkt pointing to
+	 * is written.
+	 *
 	 * When parsing (Payload Length - 8) bytes are read and written into the chunk pointing to.
 	 */
 	KEY_EXCHANGE_DATA,
-	
+
 	/**
 	 * Representating a Notification field.
-	 * 
- 	 * When generating the content of the chunkt pointing to 
- 	 * is written.
-	 * 
+	 *
+	 * When generating the content of the chunkt pointing to
+	 * is written.
+	 *
 	 * When parsing (Payload Length - spi size - 8) bytes are read and written into the chunk pointing to.
 	 */
 	NOTIFICATION_DATA,
-	
+
 	/**
 	 * Representating one or more proposal substructures.
-	 * 
+	 *
 	 * The offset points to a linked_list_t pointer.
-	 * 
-	 * When generating the proposal_substructure_t objects are stored 
+	 *
+	 * When generating the proposal_substructure_t objects are stored
 	 * in the pointed linked_list.
-	 * 
-	 * When parsing the parsed proposal_substructure_t objects have 
+	 *
+	 * When parsing the parsed proposal_substructure_t objects have
 	 * to be stored in the pointed linked_list.
-	 */	
+	 */
 	PROPOSALS,
-	
+
 	/**
 	 * Representating one or more transform substructures.
-	 * 
+	 *
 	 * The offset points to a linked_list_t pointer.
-	 * 
-	 * When generating the transform_substructure_t objects are stored 
+	 *
+	 * When generating the transform_substructure_t objects are stored
 	 * in the pointed linked_list.
-	 * 
-	 * When parsing the parsed transform_substructure_t objects have 
+	 *
+	 * When parsing the parsed transform_substructure_t objects have
 	 * to be stored in the pointed linked_list.
-	 */	
+	 */
 	TRANSFORMS,
-	
+
 	/**
 	 * Representating one or more Attributes of a transform substructure.
-	 * 
+	 *
 	 * The offset points to a linked_list_t pointer.
-	 * 
-	 * When generating the transform_attribute_t objects are stored 
+	 *
+	 * When generating the transform_attribute_t objects are stored
 	 * in the pointed linked_list.
-	 * 
-	 * When parsing the parsed transform_attribute_t objects have 
+	 *
+	 * When parsing the parsed transform_attribute_t objects have
 	 * to be stored in the pointed linked_list.
-	 */	
+	 */
 	TRANSFORM_ATTRIBUTES,
 
 	/**
 	 * Representating one or more Attributes of a configuration payload.
-	 * 
+	 *
 	 * The offset points to a linked_list_t pointer.
-	 * 
-	 * When generating the configuration_attribute_t objects are stored 
+	 *
+	 * When generating the configuration_attribute_t objects are stored
 	 * in the pointed linked_list.
-	 * 
-	 * When parsing the parsed configuration_attribute_t objects have 
+	 *
+	 * When parsing the parsed configuration_attribute_t objects have
 	 * to be stored in the pointed linked_list.
-	 */		
+	 */
 	CONFIGURATION_ATTRIBUTES,
-	
+
 	/**
-	 * 
- 	 * When generating the content of the chunkt pointing to 
- 	 * is written.
-	 * 
+	 *
+	 * When generating the content of the chunkt pointing to
+	 * is written.
+	 *
 	 * When parsing (Payload Length - 4) bytes are read and written into the chunk pointing to.
 	 */
 	CONFIGURATION_ATTRIBUTE_VALUE,
-	
+
 	/**
 	 * Representing a 1 Bit flag specifying the format of a transform attribute.
-	 * 
-	 * When generation, the next bit is set to 1 if the associated value 
-	 * in the data struct is TRUE, 0 otherwise. The current write position 
+	 *
+	 * When generation, the next bit is set to 1 if the associated value
+	 * in the data struct is TRUE, 0 otherwise. The current write position
 	 * is moved 1 bit forward afterwards.
 	 *
-	 * When parsing, the next bit is read and stored in the associated data 
-	 * struct. 0 means FALSE, 1 means TRUE, The current read pointer 
+	 * When parsing, the next bit is read and stored in the associated data
+	 * struct. 0 means FALSE, 1 means TRUE, The current read pointer
 	 * is moved 1 bit forward afterwards.
 	 */
 	ATTRIBUTE_FORMAT,
 	/**
-	 * Representing a 15 Bit unsigned int value used as attribute type 
+	 * Representing a 15 Bit unsigned int value used as attribute type
 	 * in an attribute transform.
-	 * 
-	 * 
+	 *
+	 *
 	 * When generating it must be changed from host to network order.
 	 * The value is read from the associated data struct.
- 	 * The current write position is moved 15 bit forward afterwards.
-	 * 
+	 * The current write position is moved 15 bit forward afterwards.
+	 *
 	 * When parsing it must be changed from network to host order.
 	 * The value is written to the associated data struct.
 	 * The current read pointer is moved 15 bit forward afterwards.
@@ -298,11 +298,11 @@ enum encoding_type_t {
 	 * Depending on the field of type ATTRIBUTE_FORMAT
 	 * this field contains the length or the value of an transform attribute.
 	 * Its stored in a 16 unsigned integer field.
-	 * 
+	 *
 	 * When generating it must be changed from host to network order.
 	 * The value is read from the associated data struct.
- 	 * The current write position is moved 16 bit forward afterwards.
-	 * 
+	 * The current write position is moved 16 bit forward afterwards.
+	 *
 	 * When parsing it must be changed from network to host order.
 	 * The value is written to the associated data struct.
 	 * The current read pointer is moved 16 bit forward afterwards.
@@ -312,11 +312,11 @@ enum encoding_type_t {
 	/**
 	 * This field contains the length or the value of an configuration attribute.
 	 * Its stored in a 16 unsigned integer field.
-	 * 
+	 *
 	 * When generating it must be changed from host to network order.
 	 * The value is read from the associated data struct.
- 	 * The current write position is moved 16 bit forward afterwards.
-	 * 
+	 * The current write position is moved 16 bit forward afterwards.
+	 *
 	 * When parsing it must be changed from network to host order.
 	 * The value is written to the associated data struct.
 	 * The current read pointer is moved 16 bit forward afterwards.
@@ -325,155 +325,155 @@ enum encoding_type_t {
 
 	/**
 	 * Depending on the field of type ATTRIBUTE_FORMAT
-	 * this field is available or missing and so parsed/generated 
+	 * this field is available or missing and so parsed/generated
 	 * or not parsed/not generated.
-	 * 
- 	 * When generating the content of the chunkt pointing to 
- 	 * is written.
-	 * 
+	 *
+	 * When generating the content of the chunkt pointing to
+	 * is written.
+	 *
 	 * When parsing SPI_SIZE bytes are read and written into the chunk pointing to.
 	 */
 	ATTRIBUTE_VALUE,
-	
+
 	/**
 	 * Representating one or more Traffic selectors of a TS payload.
-	 * 
+	 *
 	 * The offset points to a linked_list_t pointer.
-	 * 
-	 * When generating the traffic_selector_substructure_t objects are stored 
+	 *
+	 * When generating the traffic_selector_substructure_t objects are stored
 	 * in the pointed linked_list.
-	 * 
-	 * When parsing the parsed traffic_selector_substructure_t objects have 
+	 *
+	 * When parsing the parsed traffic_selector_substructure_t objects have
 	 * to be stored in the pointed linked_list.
-	 */	
+	 */
 	TRAFFIC_SELECTORS,
-	
+
 	/**
 	 * Representating a Traffic selector type field.
-	 * 
+	 *
 	 * When generating it must be changed from host to network order.
 	 * The value is read from the associated data struct.
- 	 * The current write position is moved 16 bit forward afterwards.
-	 * 
+	 * The current write position is moved 16 bit forward afterwards.
+	 *
 	 * When parsing it must be changed from network to host order.
 	 * The value is written to the associated data struct.
 	 * The current read pointer is moved 16 bit forward afterwards.
 	 */
 	TS_TYPE,
-	
+
 	/**
 	 * Representating an address field in a traffic selector.
-	 * 
+	 *
 	 * Depending on the last field of type TS_TYPE
 	 * this field is either 4 or 16 byte long.
-	 * 
- 	 * When generating the content of the chunkt pointing to 
- 	 * is written.
-	 * 
+	 *
+	 * When generating the content of the chunkt pointing to
+	 * is written.
+	 *
 	 * When parsing 4 or 16 bytes are read and written into the chunk pointing to.
 	 */
 	ADDRESS,
 
 	/**
 	 * Representating a Nonce Data field.
-	 * 
- 	 * When generating the content of the chunkt pointing to 
- 	 * is written.
-	 * 
+	 *
+	 * When generating the content of the chunkt pointing to
+	 * is written.
+	 *
 	 * When parsing (Payload Length - 4) bytes are read and written into the chunk pointing to.
 	 */
 	NONCE_DATA,
-	
+
 	/**
 	 * Representating a ID Data field.
-	 * 
- 	 * When generating the content of the chunkt pointing to 
- 	 * is written.
-	 * 
+	 *
+	 * When generating the content of the chunkt pointing to
+	 * is written.
+	 *
 	 * When parsing (Payload Length - 8) bytes are read and written into the chunk pointing to.
 	 */
 	ID_DATA,
-	
+
 	/**
 	 * Representating a AUTH Data field.
-	 * 
- 	 * When generating the content of the chunkt pointing to 
- 	 * is written.
-	 * 
+	 *
+	 * When generating the content of the chunkt pointing to
+	 * is written.
+	 *
 	 * When parsing (Payload Length - 8) bytes are read and written into the chunk pointing to.
 	 */
 	AUTH_DATA,
-	
+
 	/**
 	 * Representating a CERT Data field.
-	 * 
- 	 * When generating the content of the chunkt pointing to 
- 	 * is written.
-	 * 
+	 *
+	 * When generating the content of the chunkt pointing to
+	 * is written.
+	 *
 	 * When parsing (Payload Length - 5) bytes are read and written into the chunk pointing to.
 	 */
 	CERT_DATA,
 
 	/**
 	 * Representating a CERTREQ Data field.
-	 * 
- 	 * When generating the content of the chunkt pointing to 
- 	 * is written.
-	 * 
+	 *
+	 * When generating the content of the chunkt pointing to
+	 * is written.
+	 *
 	 * When parsing (Payload Length - 5) bytes are read and written into the chunk pointing to.
 	 */
 	CERTREQ_DATA,
-	
+
 	/**
 	 * Representating an EAP message field.
-	 * 
- 	 * When generating the content of the chunkt pointing to 
- 	 * is written.
-	 * 
+	 *
+	 * When generating the content of the chunkt pointing to
+	 * is written.
+	 *
 	 * When parsing (Payload Length - 4) bytes are read and written into the chunk pointing to.
 	 */
 	EAP_DATA,
-	
+
 	/**
 	 * Representating the SPIS field in a DELETE payload.
-	 * 
- 	 * When generating the content of the chunkt pointing to 
- 	 * is written.
-	 * 
+	 *
+	 * When generating the content of the chunkt pointing to
+	 * is written.
+	 *
 	 * When parsing (Payload Length - 8) bytes are read and written into the chunk pointing to.
 	 */
 	SPIS,
-	
+
 	/**
 	 * Representating the VID DATA field in a VENDOR ID payload.
-	 * 
- 	 * When generating the content of the chunkt pointing to 
- 	 * is written.
-	 * 
+	 *
+	 * When generating the content of the chunkt pointing to
+	 * is written.
+	 *
 	 * When parsing (Payload Length - 4) bytes are read and written into the chunk pointing to.
 	 */
 	VID_DATA,
-	
+
 	/**
 	 * Representating the DATA of an unknown payload.
-	 * 
- 	 * When generating the content of the chunkt pointing to 
- 	 * is written.
-	 * 
+	 *
+	 * When generating the content of the chunkt pointing to
+	 * is written.
+	 *
 	 * When parsing (Payload Length - 4) bytes are read and written into the chunk pointing to.
 	 */
 	UNKNOWN_DATA,
-	
+
 	/**
 	 * Representating an IKE_SPI field in an IKEv2 Header.
-	 * 
- 	 * When generating the value of the u_int64_t pointing to 
- 	 * is written (host and networ order is not changed).
-	 * 
+	 *
+	 * When generating the value of the u_int64_t pointing to
+	 * is written (host and networ order is not changed).
+	 *
 	 * When parsing 8 bytes are read and written into the u_int64_t pointing to.
 	 */
 	IKE_SPI,
-	
+
 	/**
 	 * Representing the encrypted data body of a encryption payload.
 	 */
@@ -488,25 +488,25 @@ extern enum_name_t *encoding_type_names;
 /**
  * Rule how to en-/decode a payload field.
  *
- * An encoding rule is a mapping of a specific encoding type to 
+ * An encoding rule is a mapping of a specific encoding type to
  * a location in the data struct where the current field is stored to
  * or read from.
  * This rules are used by parser and generator.
  */
 struct encoding_rule_t {
-	
+
 	/**
 	 * Encoding type.
 	 */
 	encoding_type_t type;
-	
+
 	/**
 	 * Offset in the data struct.
-	 * 
-	 * When parsing, data are written to this offset of the 
+	 *
+	 * When parsing, data are written to this offset of the
 	 * data struct.
-	 * 
-	 * When generating, data are read from this offset in the 
+	 *
+	 * When generating, data are read from this offset in the
 	 * data struct.
 	 */
 	u_int32_t offset;
diff --git a/src/charon/encoding/payloads/encryption_payload.c b/src/charon/encoding/payloads/encryption_payload.c
index 55a37bb25..389ab09d7 100644
--- a/src/charon/encoding/payloads/encryption_payload.c
+++ b/src/charon/encoding/payloads/encryption_payload.c
@@ -32,19 +32,19 @@ typedef struct private_encryption_payload_t private_encryption_payload_t;
 
 /**
  * Private data of an encryption_payload_t' Object.
- * 
+ *
  */
 struct private_encryption_payload_t {
-	
+
 	/**
 	 * Public encryption_payload_t interface.
 	 */
 	encryption_payload_t public;
-	
+
 	/**
-	 * There is no next payload for an encryption payload, 
+	 * There is no next payload for an encryption payload,
 	 * since encryption payload MUST be the last one.
-	 * next_payload means here the first payload of the 
+	 * next_payload means here the first payload of the
 	 * contained, encrypted payload.
 	 */
 	u_int8_t next_payload;
@@ -53,33 +53,33 @@ struct private_encryption_payload_t {
 	 * Critical flag.
 	 */
 	bool critical;
-	
+
 	/**
 	 * Length of this payload
 	 */
 	u_int16_t payload_length;
-	
+
 	/**
 	 * Chunk containing the iv, data, padding,
 	 * and (an eventually not calculated) signature.
 	 */
 	chunk_t encrypted;
-	
+
 	/**
 	 * Chunk containing the data in decrypted (unpadded) form.
 	 */
 	chunk_t decrypted;
-	
+
 	/**
 	 * Signer set by set_signer.
 	 */
 	signer_t *signer;
-	
+
 	/**
 	 * Crypter, supplied by encrypt/decrypt
 	 */
 	crypter_t *crypter;
-	
+
 	/**
 	 * Contained payloads of this encrpytion_payload.
 	 */
@@ -88,10 +88,10 @@ struct private_encryption_payload_t {
 
 /**
  * Encoding rules to parse or generate a IKEv2-Encryption Payload.
- * 
- * The defined offsets are the positions in a object of type 
+ *
+ * The defined offsets are the positions in a object of type
  * private_encryption_payload_t.
- * 
+ *
  */
 encoding_rule_t encryption_payload_encodings[] = {
 	/* 1 Byte next payload type, stored in the field next_payload */
@@ -170,7 +170,7 @@ static payload_type_t get_next_type(private_encryption_payload_t *this)
  */
 static void set_next_type(private_encryption_payload_t *this, payload_type_t type)
 {
-	/* set next type is not allowed, since this payload MUST be the last one 
+	/* set next type is not allowed, since this payload MUST be the last one
 	 * and so nothing is done in here*/
 }
 
@@ -190,7 +190,7 @@ static void compute_length(private_encryption_payload_t *this)
 		length += current_payload->get_length(current_payload);
 	}
 	iterator->destroy(iterator);
-	
+
 	if (this->crypter && this->signer)
 	{
 		/* append one byte for padding length */
@@ -268,13 +268,13 @@ static void generate(private_encryption_payload_t *this)
 	payload_t *current_payload, *next_payload;
 	generator_t *generator;
 	iterator_t *iterator;
-	
+
 	/* recalculate length before generating */
 	compute_length(this);
-	
+
 	/* create iterator */
 	iterator = this->payloads->create_iterator(this->payloads, TRUE);
-	
+
 	/* get first payload */
 	if (iterator->iterate(iterator, (void**)&current_payload))
 	{
@@ -289,9 +289,9 @@ static void generate(private_encryption_payload_t *this)
 		iterator->destroy(iterator);
 		return;
 	}
-	
+
 	generator = generator_create();
-	
+
 	/* build all payload, except last */
 	while(iterator->iterate(iterator, (void**)&next_payload))
 	{
@@ -300,14 +300,14 @@ static void generate(private_encryption_payload_t *this)
 		current_payload = next_payload;
 	}
 	iterator->destroy(iterator);
-	
+
 	/* build last payload */
 	current_payload->set_next_type(current_payload, NO_PAYLOAD);
 	generator->generate_payload(generator, current_payload);
-	
+
 	/* free already generated data */
 	free(this->decrypted.ptr);
-	
+
 	generator->write_to_chunk(generator, &(this->decrypted));
 	generator->destroy(generator);
 	DBG2(DBG_ENC, "successfully generated content in encryption payload");
@@ -321,13 +321,13 @@ static status_t encrypt(private_encryption_payload_t *this)
 	chunk_t iv, padding, to_crypt, result;
 	rng_t *rng;
 	size_t block_size;
-	
+
 	if (this->signer == NULL || this->crypter == NULL)
 	{
 		DBG1(DBG_ENC, "could not encrypt, signer/crypter not set");
 		return INVALID_STATE;
 	}
-	
+
 	/* for random data in iv and padding */
 	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
 	if (!rng)
@@ -337,15 +337,15 @@ static status_t encrypt(private_encryption_payload_t *this)
 	}
 	/* build payload chunk */
 	generate(this);
-	
+
 	DBG2(DBG_ENC, "encrypting payloads");
 	DBG3(DBG_ENC, "data to encrypt %B", &this->decrypted);
-	
+
 	/* build padding */
 	block_size = this->crypter->get_block_size(this->crypter);
 	padding.len = block_size - ((this->decrypted.len + 1) %  block_size);
 	rng->allocate_bytes(rng, padding.len, &padding);
-	
+
 	/* concatenate payload data, padding, padding len */
 	to_crypt.len = this->decrypted.len + padding.len + 1;
 	to_crypt.ptr = malloc(to_crypt.len);
@@ -353,36 +353,36 @@ static status_t encrypt(private_encryption_payload_t *this)
 	memcpy(to_crypt.ptr, this->decrypted.ptr, this->decrypted.len);
 	memcpy(to_crypt.ptr + this->decrypted.len, padding.ptr, padding.len);
 	*(to_crypt.ptr + to_crypt.len - 1) = padding.len;
-		
+
 	/* build iv */
 	iv.len = block_size;
 	rng->allocate_bytes(rng, iv.len, &iv);
 	rng->destroy(rng);
-	
+
 	DBG3(DBG_ENC, "data before encryption with padding %B", &to_crypt);
-	
+
 	/* encrypt to_crypt chunk */
 	free(this->encrypted.ptr);
 	this->crypter->encrypt(this->crypter, to_crypt, iv, &result);
 	free(padding.ptr);
 	free(to_crypt.ptr);
-	
+
 	DBG3(DBG_ENC, "data after encryption %B", &result);
-	
+
 	/* build encrypted result with iv and signature */
 	this->encrypted.len = iv.len + result.len + this->signer->get_block_size(this->signer);
 	free(this->encrypted.ptr);
 	this->encrypted.ptr = malloc(this->encrypted.len);
-	
+
 	/* fill in result, signature is left out */
 	memcpy(this->encrypted.ptr, iv.ptr, iv.len);
 	memcpy(this->encrypted.ptr + iv.len, result.ptr, result.len);
-	
+
 	free(result.ptr);
 	free(iv.ptr);
 	DBG3(DBG_ENC, "data after encryption with IV and (invalid) signature %B",
 		 &this->encrypted);
-	
+
 	return SUCCESS;
 }
 
@@ -394,16 +394,16 @@ static status_t parse(private_encryption_payload_t *this)
 	parser_t *parser;
 	status_t status;
 	payload_type_t current_payload_type;
-	
+
 	/* build a parser on the decrypted data */
 	parser = parser_create(this->decrypted);
-	
+
 	current_payload_type = this->next_payload;
 	/* parse all payloads */
 	while (current_payload_type != NO_PAYLOAD)
 	{
-		payload_t *current_payload;	
-		
+		payload_t *current_payload;
+
 		status = parser->parse_payload(parser, current_payload_type, (payload_t**)&current_payload);
 		if (status != SUCCESS)
 		{
@@ -423,7 +423,7 @@ static status_t parse(private_encryption_payload_t *this)
 
 		/* get next payload type */
 		current_payload_type = current_payload->get_next_type(current_payload);
-		
+
 		this->payloads->insert_last(this->payloads,current_payload);
 	}
 	parser->destroy(parser);
@@ -438,50 +438,50 @@ static status_t decrypt(private_encryption_payload_t *this)
 {
 	chunk_t iv, concatenated;
 	u_int8_t padding_length;
-	
+
 	DBG2(DBG_ENC, "decrypting encryption payload");
 	DBG3(DBG_ENC, "data before decryption with IV and (invalid) signature %B",
 		 &this->encrypted);
-	
+
 	if (this->signer == NULL || this->crypter == NULL)
 	{
 		DBG1(DBG_ENC, "could not decrypt, no crypter/signer set");
 		return INVALID_STATE;
 	}
-	
+
 	/* get IV */
 	iv.len = this->crypter->get_block_size(this->crypter);
-	
+
 	iv.ptr = this->encrypted.ptr;
-	
+
 	/* point concatenated to data + padding + padding_length*/
 	concatenated.ptr = this->encrypted.ptr + iv.len;
 	concatenated.len = this->encrypted.len - iv.len -
 								this->signer->get_block_size(this->signer);
-		
+
 	/* concatenated must be a multiple of block_size of crypter */
 	if (concatenated.len < iv.len || concatenated.len % iv.len)
 	{
 		DBG1(DBG_ENC, "could not decrypt, invalid input");
 		return FAILED;
 	}
-	
+
 	/* free previus data, if any */
 	free(this->decrypted.ptr);
-	
+
 	DBG3(DBG_ENC, "data before decryption %B", &concatenated);
-	
+
 	this->crypter->decrypt(this->crypter, concatenated, iv, &this->decrypted);
 
 	DBG3(DBG_ENC, "data after decryption with padding %B", &this->decrypted);
-	
+
 	/* get padding length, sits just bevore signature */
 	padding_length = *(this->decrypted.ptr + this->decrypted.len - 1);
-	/* add one byte to the padding length, since the padding_length field is 
+	/* add one byte to the padding length, since the padding_length field is
 	 * not included */
 	padding_length++;
 	this->decrypted.len -= padding_length;
-	
+
 	/* check size again */
 	if (padding_length > concatenated.len || this->decrypted.len < 0)
 	{
@@ -489,7 +489,7 @@ static status_t decrypt(private_encryption_payload_t *this)
 		/* decryption failed :-/ */
 		return FAILED;
 	}
-	
+
 	/* free padding */
 	this->decrypted.ptr = realloc(this->decrypted.ptr, this->decrypted.len);
 	DBG3(DBG_ENC, "data after decryption without padding %B", &this->decrypted);
@@ -513,13 +513,13 @@ static status_t build_signature(private_encryption_payload_t *this, chunk_t data
 {
 	chunk_t data_without_sig = data;
 	chunk_t sig;
-	
+
 	if (this->signer == NULL)
 	{
 		DBG1(DBG_ENC, "unable to build signature, no signer set");
 		return INVALID_STATE;
 	}
-	
+
 	sig.len = this->signer->get_block_size(this->signer);
 	data_without_sig.len -= sig.len;
 	sig.ptr = data.ptr + data_without_sig.len;
@@ -535,7 +535,7 @@ static status_t verify_signature(private_encryption_payload_t *this, chunk_t dat
 {
 	chunk_t sig, data_without_sig;
 	bool valid;
-	
+
 	if (this->signer == NULL)
 	{
 		DBG1(DBG_ENC, "unable to verify signature, no signer set");
@@ -549,18 +549,18 @@ static status_t verify_signature(private_encryption_payload_t *this, chunk_t dat
 		return FAILED;
 	}
 	sig.ptr = data.ptr + data.len - sig.len;
-	
+
 	/* verify it */
 	data_without_sig.len = data.len - sig.len;
 	data_without_sig.ptr = data.ptr;
 	valid = this->signer->verify_signature(this->signer, data_without_sig, sig);
-	
+
 	if (!valid)
 	{
 		DBG1(DBG_ENC, "signature verification failed");
 		return FAILED;
 	}
-	
+
 	DBG2(DBG_ENC, "signature verification successful");
 	return SUCCESS;
 }
@@ -582,7 +582,7 @@ static void destroy(private_encryption_payload_t *this)
 encryption_payload_t *encryption_payload_create()
 {
 	private_encryption_payload_t *this = malloc_thing(private_encryption_payload_t);
-	
+
 	/* payload_t interface functions */
 	this->public.payload_interface.verify = (status_t (*) (payload_t *))verify;
 	this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules;
@@ -591,20 +591,20 @@ encryption_payload_t *encryption_payload_create()
 	this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
 	this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_type;
 	this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
-	
+
 	/* public functions */
 	this->public.create_payload_iterator = (iterator_t * (*) (encryption_payload_t *,bool)) create_payload_iterator;
 	this->public.add_payload = (void (*) (encryption_payload_t *,payload_t *)) add_payload;
 	this->public.remove_first_payload = (status_t (*)(encryption_payload_t*, payload_t **)) remove_first_payload;
 	this->public.get_payload_count = (size_t (*)(encryption_payload_t*)) get_payload_count;
-	
+
 	this->public.encrypt = (status_t (*) (encryption_payload_t *)) encrypt;
 	this->public.decrypt = (status_t (*) (encryption_payload_t *)) decrypt;
 	this->public.set_transforms = (void (*) (encryption_payload_t*,crypter_t*,signer_t*)) set_transforms;
 	this->public.build_signature = (status_t (*) (encryption_payload_t*, chunk_t)) build_signature;
 	this->public.verify_signature = (status_t (*) (encryption_payload_t*, chunk_t)) verify_signature;
 	this->public.destroy = (void (*) (encryption_payload_t *)) destroy;
-	
+
 	/* set default values of the fields */
 	this->critical = FALSE;
 	this->next_payload = NO_PAYLOAD;
@@ -614,6 +614,6 @@ encryption_payload_t *encryption_payload_create()
 	this->signer = NULL;
 	this->crypter = NULL;
 	this->payloads = linked_list_create();
-	
+
 	return (&(this->public));
 }
diff --git a/src/charon/encoding/payloads/encryption_payload.h b/src/charon/encoding/payloads/encryption_payload.h
index 3b94587ec..ac5326b87 100644
--- a/src/charon/encoding/payloads/encryption_payload.h
+++ b/src/charon/encoding/payloads/encryption_payload.h
@@ -39,7 +39,7 @@ typedef struct encryption_payload_t encryption_payload_t;
 /**
  * The encryption payload as described in RFC section 3.14.
  *
- * Before any crypt/decrypt/sign/verify operation can occur, 
+ * Before any crypt/decrypt/sign/verify operation can occur,
  * the transforms must be set. After that, a parsed encryption payload
  * can be decrypted, which also will parse the contained payloads.
  * Encryption is done the same way, added payloads will get generated
@@ -54,24 +54,24 @@ struct encryption_payload_t {
 	 * Implements payload_t interface.
 	 */
 	payload_t payload_interface;
-	
+
 	/**
 	 * Creates an iterator for all contained payloads.
-	 * 
+	 *
 	 * iterator_t object has to get destroyed by the caller.
 	 *
 	 * @param forward 		iterator direction (TRUE: front to end)
 	 * return				created iterator_t object
 	 */
 	 iterator_t *(*create_payload_iterator) (encryption_payload_t *this, bool forward);
-	
+
 	/**
 	 * Adds a payload to this encryption payload.
 	 *
 	 * @param payload		payload_t object to add
 	 */
 	void (*add_payload) (encryption_payload_t *this, payload_t *payload);
-	
+
 	/**
 	 * Reove the last payload in the contained payload list.
 	 *
@@ -81,20 +81,20 @@ struct encryption_payload_t {
 	 * 						- NOT_FOUND if list empty
 	 */
 	status_t (*remove_first_payload) (encryption_payload_t *this, payload_t **payload);
-	
+
 	/**
 	 * Get the number of payloads.
 	 *
 	 * @return				number of contained payloads
 	 */
 	size_t (*get_payload_count) (encryption_payload_t *this);
-	
+
 	/**
 	 * Set transforms to use.
-	 * 
+	 *
 	 * To decryption, encryption, signature building and verifying,
 	 * the payload needs a crypter and a signer object.
-	 * 
+	 *
 	 * @warning Do NOT call this function again after encryption, since
 	 * the signer must be the same while encrypting and signature building!
 	 *
@@ -102,10 +102,10 @@ struct encryption_payload_t {
 	 * @param signer		signer_t to use for data signing/verifying
 	 */
 	void (*set_transforms) (encryption_payload_t *this, crypter_t *crypter, signer_t *signer);
-	
+
 	/**
 	 * Generate and encrypt contained payloads.
-	 * 
+	 *
 	 * This function generates the content for added payloads
 	 * and encrypts them. Signature is not built, since we need
 	 * additional data (the full message).
@@ -113,11 +113,11 @@ struct encryption_payload_t {
 	 * @return				SUCCESS, or INVALID_STATE if transforms not set
 	 */
 	status_t (*encrypt) (encryption_payload_t *this);
-	
+
 	/**
 	 * Decrypt and parse contained payloads.
-	 * 
-	 * This function decrypts the contained data. After, 
+	 *
+	 * This function decrypts the contained data. After,
 	 * the payloads are parsed internally and are accessible
 	 * via the iterator.
 	 *
@@ -127,29 +127,29 @@ struct encryption_payload_t {
 	 * 						- FAILED if data is invalid
 	 */
 	status_t (*decrypt) (encryption_payload_t *this);
-	
+
 	/**
 	 * Build the signature.
-	 * 
+	 *
 	 * The signature is built over the FULL message, so the header
 	 * and every payload (inclusive this one) must already be generated.
 	 * The generated message is supplied via the data paramater.
-	 * 
+	 *
 	 * @param data			chunk contains the already generated message
 	 * @return
 	 * 						- SUCCESS, or
 	 * 						- INVALID_STATE if transforms not set
 	 */
 	status_t (*build_signature) (encryption_payload_t *this, chunk_t data);
-		
+
 	/**
 	 * Verify the signature.
-	 * 
+	 *
 	 * Since the signature is built over the full message, we need
 	 * this data to do the verification. The message data
 	 * is supplied via the data argument.
-	 * 
-	 * @param data			chunk contains the message 
+	 *
+	 * @param data			chunk contains the message
 	 * @return
 	 * 						- SUCCESS, or
 	 * 						- FAILED if signature invalid, or
@@ -165,7 +165,7 @@ struct encryption_payload_t {
 
 /**
  * Creates an empty encryption_payload_t object.
- * 
+ *
  * @return encryption_payload_t object
  */
 encryption_payload_t *encryption_payload_create(void);
diff --git a/src/charon/encoding/payloads/endpoint_notify.c b/src/charon/encoding/payloads/endpoint_notify.c
index c30d29942..faec1ea71 100644
--- a/src/charon/encoding/payloads/endpoint_notify.c
+++ b/src/charon/encoding/payloads/endpoint_notify.c
@@ -23,34 +23,33 @@ typedef struct private_endpoint_notify_t private_endpoint_notify_t;
 
 /**
  * Private data of an notify_payload_t object.
- * 
  */
 struct private_endpoint_notify_t {
 	/**
 	 * Public endpoint_notify_t interface.
 	 */
 	endpoint_notify_t public;
-	
+
 	/**
 	 * Priority
 	 */
 	u_int32_t priority;
-	
+
 	/**
 	 * Family
 	 */
 	me_endpoint_family_t family;
-		
+
 	/**
 	 * Endpoint type
 	 */
 	me_endpoint_type_t type;
-	
+
 	/**
 	 * Endpoint
 	 */
 	host_t *endpoint;
-	
+
 	/**
 	 * Base (used for server reflexive endpoints)
 	 */
@@ -65,7 +64,7 @@ struct private_endpoint_notify_t {
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       !     Family    !      Type     !              Port             !
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-      !                       IP Address (variable)                   
+      !                       IP Address (variable)                   !
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 */
 
@@ -122,9 +121,9 @@ static status_t parse_notification_data(private_endpoint_notify_t *this, chunk_t
 	chunk_t addr;
 	u_int8_t *cur = data.ptr;
 	u_int8_t *top = data.ptr + data.len;
-	
+
 	DBG3(DBG_IKE, "me_endpoint_data %B", &data);
-	
+
 	if (parse_uint32(&cur, top, &this->priority) != SUCCESS)
 	{
 		DBG1(DBG_IKE, "failed to parse ME_ENDPOINT: invalid priority");
@@ -136,20 +135,19 @@ static status_t parse_notification_data(private_endpoint_notify_t *this, chunk_t
 		DBG1(DBG_IKE, "failed to parse ME_ENDPOINT: invalid family");
 		return FAILED;
 	}
-	
 	this->family = (me_endpoint_family_t)family;
-	
-	if (parse_uint8(&cur, top, &type) != SUCCESS || type >= MAX_TYPE)
+
+	if (parse_uint8(&cur, top, &type) != SUCCESS ||
+		type == NO_TYPE || type >= MAX_TYPE)
 	{
 		DBG1(DBG_IKE, "failed to parse ME_ENDPOINT: invalid type");
 		return FAILED;
 	}
-	
 	this->type = (me_endpoint_type_t)type;
-	
+
 	addr_family = AF_INET;
 	addr.len = 4;
-	
+
 	switch(this->family)
 	{
 		case IPv6:
@@ -160,24 +158,23 @@ static status_t parse_notification_data(private_endpoint_notify_t *this, chunk_t
 			if (parse_uint16(&cur, top, &port) != SUCCESS)
 			{
 				DBG1(DBG_IKE, "failed to parse ME_ENDPOINT: invalid port");
-				return FAILED;	
+				return FAILED;
 			}
-			
+
 			if (cur + addr.len > top)
 			{
 				DBG1(DBG_IKE, "failed to parse ME_ENDPOINT: invalid IP address");
 				return FAILED;
 			}
-			
+
 			addr.ptr = cur;
-			
 			this->endpoint = host_create_from_chunk(addr_family, addr, port);
 			break;
 		case NO_FAMILY:
 		default:
 			this->endpoint = NULL;
 			break;
-	}	
+	}
 	return SUCCESS;
 }
 
@@ -192,14 +189,14 @@ static chunk_t build_notification_data(private_endpoint_notify_t *this)
 	u_int32_t prio;
 	u_int16_t port;
 	u_int8_t family, type;
-	
+
 	prio = htonl(this->priority);
 	prio_chunk = chunk_from_thing(prio);
 	family = this->family;
 	family_chunk = chunk_from_thing(family);
 	type = this->type;
 	type_chunk = chunk_from_thing(type);
-	
+
 	if (this->endpoint)
 	{
 		port = htons(this->endpoint->get_port(this->endpoint));
@@ -208,15 +205,14 @@ static chunk_t build_notification_data(private_endpoint_notify_t *this)
 	else
 	{
 		port = 0;
-		addr_chunk = chunk_empty; 
+		addr_chunk = chunk_empty;
 	}
 	port_chunk = chunk_from_thing(port);
-	
+
 	/* data = prio | family | type | port | addr */
 	data = chunk_cat("ccccc", prio_chunk, family_chunk, type_chunk,
-			port_chunk, addr_chunk);
+					 port_chunk, addr_chunk);
 	DBG3(DBG_IKE, "me_endpoint_data %B", &data);
-	
 	return data;
 }
 
@@ -226,14 +222,14 @@ static chunk_t build_notification_data(private_endpoint_notify_t *this)
 static notify_payload_t *build_notify(private_endpoint_notify_t *this)
 {
 	chunk_t data;
-	notify_payload_t *notify;	
-	
+	notify_payload_t *notify;
+
 	notify = notify_payload_create();
 	notify->set_notify_type(notify, ME_ENDPOINT);
 	data = build_notification_data(this);
 	notify->set_notification_data(notify, data);
 	chunk_free(&data);
-	
+
 	return notify;
 }
 
@@ -291,7 +287,7 @@ static host_t *get_base(private_endpoint_notify_t *this)
 static endpoint_notify_t *_clone(private_endpoint_notify_t *this)
 {
 	private_endpoint_notify_t *clone = (private_endpoint_notify_t*)endpoint_notify_create();
-	
+
 	clone->priority = this->priority;
 	clone->type = this->type;
 	clone->family = this->family;
@@ -299,12 +295,12 @@ static endpoint_notify_t *_clone(private_endpoint_notify_t *this)
 	{
 		clone->endpoint = this->endpoint->clone(this->endpoint);
 	}
-	
+
 	if (this->base)
 	{
 		clone->base = this->base->clone(this->base);
 	}
-	
+
 	return &clone->public;
 }
 
@@ -336,14 +332,14 @@ endpoint_notify_t *endpoint_notify_create()
 	this->public.build_notify = (notify_payload_t *(*) (endpoint_notify_t *)) build_notify;
 	this->public.clone = (endpoint_notify_t *(*) (endpoint_notify_t *)) _clone;
 	this->public.destroy = (void (*) (endpoint_notify_t *)) destroy;
-	
+
 	/* set default values of the fields */
 	this->priority = 0;
 	this->family = NO_FAMILY;
 	this->type = NO_TYPE;
 	this->endpoint = NULL;
 	this->base = NULL;
-	
+
 	return &this->public;
 }
 
@@ -353,34 +349,34 @@ endpoint_notify_t *endpoint_notify_create()
 endpoint_notify_t *endpoint_notify_create_from_host(me_endpoint_type_t type, host_t *host, host_t *base)
 {
 	private_endpoint_notify_t *this = (private_endpoint_notify_t*)endpoint_notify_create();
-	
+
 	this->type = type;
-	
+
 	switch(type)
 	{
 		case HOST:
-			this->priority = pow(2, 16) * ME_PRIO_HOST; 
+			this->priority = pow(2, 16) * ME_PRIO_HOST;
 			break;
 		case PEER_REFLEXIVE:
-			this->priority = pow(2, 16) * ME_PRIO_PEER; 
+			this->priority = pow(2, 16) * ME_PRIO_PEER;
 			break;
 		case SERVER_REFLEXIVE:
-			this->priority = pow(2, 16) * ME_PRIO_SERVER; 
+			this->priority = pow(2, 16) * ME_PRIO_SERVER;
 			break;
 		case RELAYED:
 		default:
-			this->priority = pow(2, 16) * ME_PRIO_RELAY; 
+			this->priority = pow(2, 16) * ME_PRIO_RELAY;
 			break;
 	}
-	
+
 	/* FIXME: if there is more than one ip address we should vary this priority */
 	this->priority += 65535;
-	
+
 	if (!host)
 	{
 		return &this->public;
 	}
-	
+
 	switch(host->get_family(host))
 	{
 		case AF_INET:
@@ -394,14 +390,14 @@ endpoint_notify_t *endpoint_notify_create_from_host(me_endpoint_type_t type, hos
 			 * (family is set to NO_FAMILY) */
 			return &this->public;
 	}
-	
+
 	this->endpoint = host->clone(host);
-	
+
 	if (base)
 	{
 		this->base = base->clone(base);
 	}
-	
+
 	return &this->public;
 }
 
@@ -414,7 +410,7 @@ endpoint_notify_t *endpoint_notify_create_from_payload(notify_payload_t *notify)
 	{
 		return NULL;
 	}
-	
+
 	private_endpoint_notify_t *this = (private_endpoint_notify_t*)endpoint_notify_create();
 	chunk_t data = notify->get_notification_data(notify);
 	if (parse_notification_data(this, data) != SUCCESS)
diff --git a/src/charon/encoding/payloads/endpoint_notify.h b/src/charon/encoding/payloads/endpoint_notify.h
index 66aabc683..120eef49a 100644
--- a/src/charon/encoding/payloads/endpoint_notify.h
+++ b/src/charon/encoding/payloads/endpoint_notify.h
@@ -36,34 +36,34 @@ typedef struct endpoint_notify_t endpoint_notify_t;
  * ME endpoint families.
  */
 enum me_endpoint_family_t {
-	
+
 	NO_FAMILY = 0,
-	
+
 	IPv4 = 1,
-	
+
 	IPv6 = 2,
-	
+
 	MAX_FAMILY = 3
-	
+
 };
 
 /**
  * ME endpoint types.
  */
 enum me_endpoint_type_t {
-	
+
 	NO_TYPE = 0,
-	
+
 	HOST = 1,
-	
+
 	PEER_REFLEXIVE = 2,
-	
+
 	SERVER_REFLEXIVE = 3,
-	
+
 	RELAYED = 4,
-	
+
 	MAX_TYPE = 5
-	
+
 };
 
 /**
@@ -79,52 +79,52 @@ extern enum_name_t *me_endpoint_type_names;
 struct endpoint_notify_t {
 	/**
 	 * Returns the priority of this endpoint.
-	 * 
+	 *
 	 * @return			priority
 	 */
 	u_int32_t (*get_priority) (endpoint_notify_t *this);
-	
+
 	/**
 	 * Sets the priority of this endpoint.
-	 * 
+	 *
 	 * @param priority	priority
 	 */
 	void (*set_priority) (endpoint_notify_t *this, u_int32_t priority);
-	
+
 	/**
 	 * Returns the endpoint type of this endpoint.
-	 * 
+	 *
 	 * @return			endpoint type
 	 */
 	me_endpoint_type_t (*get_type) (endpoint_notify_t *this);
-	
+
 	/**
 	 * Returns the endpoint family of this endpoint.
-	 * 
+	 *
 	 * @return			endpoint family
 	 */
 	me_endpoint_family_t (*get_family) (endpoint_notify_t *this);
-	
+
 	/**
 	 * Returns the host of this endpoint.
-	 * 
+	 *
 	 * @return			host
 	 */
 	host_t *(*get_host) (endpoint_notify_t *this);
-	
+
 	/**
 	 * Returns the base of this endpoint.
-	 * 
+	 *
 	 * If this is not a SERVER_REFLEXIVE endpoint, the returned host is the same
 	 * as the one returned by get_host.
-	 * 
+	 *
 	 * @return			host
 	 */
 	host_t *(*get_base) (endpoint_notify_t *this);
-	
+
 	/**
-	 * Generates a notification payload from this endpoint. 
-	 * 	
+	 * Generates a notification payload from this endpoint.
+	 *
 	 * @return 			built notify_payload_t
 	 */
 	notify_payload_t *(*build_notify) (endpoint_notify_t *this);
@@ -135,7 +135,7 @@ struct endpoint_notify_t {
 	 * @return			cloned object
 	 */
 	endpoint_notify_t *(*clone) (endpoint_notify_t *this);
-	
+
 	/**
 	 * Destroys an endpoint_notify_t object.
 	 */
@@ -144,7 +144,7 @@ struct endpoint_notify_t {
 
 /**
  * Creates an empty endpoint_notify_t object.
- * 
+ *
  * @return			created endpoint_notify_t object
  */
 endpoint_notify_t *endpoint_notify_create(void);
@@ -152,7 +152,7 @@ endpoint_notify_t *endpoint_notify_create(void);
 
 /**
  * Creates an endpoint_notify_t object from a host.
- * 
+ *
  * @param type		the endpoint type
  * @param host		host to base the notify on (gets cloned)
  * @param base		base of the endpoint, applies only to reflexive endpoints (gets cloned)
@@ -163,7 +163,7 @@ endpoint_notify_t *endpoint_notify_create_from_host(me_endpoint_type_t type,
 
 /**
  * Creates an endpoint_notify_t object from a notify payload.
- * 
+ *
  * @param notify	the notify payload
  * @return			- created endpoint_notify_t object
  * 					- NULL if invalid payload
diff --git a/src/charon/encoding/payloads/id_payload.c b/src/charon/encoding/payloads/id_payload.c
index 4a527cb24..4158c3e07 100644
--- a/src/charon/encoding/payloads/id_payload.c
+++ b/src/charon/encoding/payloads/id_payload.c
@@ -27,19 +27,19 @@ typedef struct private_id_payload_t private_id_payload_t;
 
 /**
  * Private data of an id_payload_t object.
- * 
+ *
  */
 struct private_id_payload_t {
 	/**
 	 * Public id_payload_t interface.
 	 */
 	id_payload_t public;
-	
+
 	/**
 	 * one of ID_INITIATOR, ID_RESPONDER
 	 */
 	payload_type_t payload_type;
-	
+
 	/**
 	 * Next payload type.
 	 */
@@ -49,17 +49,17 @@ struct private_id_payload_t {
 	 * Critical flag.
 	 */
 	bool critical;
-	
+
 	/**
 	 * Length of this payload.
 	 */
 	u_int16_t payload_length;
-	
+
 	/**
 	 * Type of the ID Data.
 	 */
 	u_int8_t id_type;
-	
+
 	/**
 	 * The contained id data value.
 	 */
@@ -68,17 +68,17 @@ struct private_id_payload_t {
 
 /**
  * Encoding rules to parse or generate a ID payload
- * 
- * The defined offsets are the positions in a object of type 
+ *
+ * The defined offsets are the positions in a object of type
  * private_id_payload_t.
- * 
+ *
  */
 encoding_rule_t id_payload_encodings[] = {
- 	/* 1 Byte next payload type, stored in the field next_payload */
+	/* 1 Byte next payload type, stored in the field next_payload */
 	{ U_INT_8,			offsetof(private_id_payload_t, next_payload) 	},
 	/* the critical bit */
 	{ FLAG,				offsetof(private_id_payload_t, critical) 		},
- 	/* 7 Bit reserved bits, nowhere stored */
+	/* 7 Bit reserved bits, nowhere stored */
 	{ RESERVED_BIT,	0 													},
 	{ RESERVED_BIT,	0 													},
 	{ RESERVED_BIT,	0 													},
@@ -88,8 +88,8 @@ encoding_rule_t id_payload_encodings[] = {
 	{ RESERVED_BIT,	0 													},
 	/* Length of the whole payload*/
 	{ PAYLOAD_LENGTH,	offsetof(private_id_payload_t, payload_length) 	},
- 	/* 1 Byte ID type*/
-	{ U_INT_8,			offsetof(private_id_payload_t, id_type)		 	},
+	/* 1 Byte ID type*/
+	{ U_INT_8,			offsetof(private_id_payload_t, id_type)			},
 	/* 3 reserved bytes */
 	{ RESERVED_BYTE,	0 												},
 	{ RESERVED_BYTE,	0 												},
@@ -126,7 +126,7 @@ static status_t verify(private_id_payload_t *this)
 		DBG1(DBG_ENC, "received ID with reserved type %d", this->id_type);
 		return FAILED;
 	}
-		
+
 	return SUCCESS;
 }
 
@@ -242,7 +242,7 @@ static void destroy(private_id_payload_t *this)
 	{
 		chunk_free(&(this->id_data));
 	}
-	free(this);	
+	free(this);
 }
 
 /*
@@ -260,7 +260,7 @@ id_payload_t *id_payload_create(payload_type_t payload_type)
 	this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
 	this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_payload_type;
 	this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
-	
+
 	/* public functions */
 	this->public.destroy = (void (*) (id_payload_t *)) destroy;
 	this->public.set_id_type = (void (*) (id_payload_t *,id_type_t)) set_id_type;
@@ -268,7 +268,7 @@ id_payload_t *id_payload_create(payload_type_t payload_type)
 	this->public.set_data = (void (*) (id_payload_t *,chunk_t)) set_data;
 	this->public.get_data = (chunk_t (*) (id_payload_t *)) get_data;
 	this->public.get_data_clone = (chunk_t (*) (id_payload_t *)) get_data_clone;
-	
+
 	this->public.get_identification = (identification_t * (*) (id_payload_t *this)) get_identification;
 
 	/* private variables */
diff --git a/src/charon/encoding/payloads/id_payload.h b/src/charon/encoding/payloads/id_payload.h
index 555b1324b..5502dc961 100644
--- a/src/charon/encoding/payloads/id_payload.h
+++ b/src/charon/encoding/payloads/id_payload.h
@@ -51,35 +51,35 @@ struct id_payload_t {
 	 * @param type			Type of ID
 	 */
 	void (*set_id_type) (id_payload_t *this, id_type_t type);
-	
+
 	/**
 	 * Get the ID type.
 	 *
-	 * @return				type of the ID 
+	 * @return				type of the ID
 	 */
 	id_type_t (*get_id_type) (id_payload_t *this);
-	
+
 	/**
 	 * Set the ID data.
-	 * 
+	 *
 	 * Data are getting cloned.
 	 *
 	 * @param data			ID data as chunk_t
 	 */
 	void (*set_data) (id_payload_t *this, chunk_t data);
-	
+
 	/**
 	 * Get the ID data.
-	 * 
+	 *
 	 * Returned data are a copy of the internal one
 	 *
 	 * @return				ID data as chunk_t
 	 */
 	chunk_t (*get_data_clone) (id_payload_t *this);
-	
+
 	/**
 	 * Get the ID data.
-	 * 
+	 *
 	 * Returned data are NOT copied.
 	 *
 	 * @return				ID data as chunk_t
@@ -88,13 +88,13 @@ struct id_payload_t {
 
 	/**
 	 * Creates an identification object of this id payload.
-	 * 
+	 *
 	 * Returned object has to get destroyed by the caller.
 	 *
-	 * @return				identification_t object 
+	 * @return				identification_t object
 	 */
 	identification_t *(*get_identification) (id_payload_t *this);
-	
+
 	/**
 	 * Destroys an id_payload_t object.
 	 */
@@ -103,7 +103,7 @@ struct id_payload_t {
 
 /**
  * Creates an empty id_payload_t object.
- * 
+ *
  * @param payload_type	one of ID_INITIATOR, ID_RESPONDER
  * @return				id_payload_t object
  */
@@ -111,7 +111,7 @@ id_payload_t *id_payload_create(payload_type_t payload_type);
 
 /**
  * Creates an id_payload_t from an existing identification_t object.
- * 
+ *
  * @param payload_type		one of ID_INITIATOR, ID_RESPONDER
  * @param identification	identification_t object
  * @return					id_payload_t object
diff --git a/src/charon/encoding/payloads/ike_header.c b/src/charon/encoding/payloads/ike_header.c
index d27bfb82c..735f01304 100644
--- a/src/charon/encoding/payloads/ike_header.c
+++ b/src/charon/encoding/payloads/ike_header.c
@@ -27,14 +27,13 @@ typedef struct private_ike_header_t private_ike_header_t;
 
 /**
  * Private data of an ike_header_t object.
- * 
  */
 struct private_ike_header_t {
 	/**
 	 * Public interface.
 	 */
 	ike_header_t public;
-	
+
 	/**
 	 * SPI of the initiator.
 	 */
@@ -56,19 +55,18 @@ struct private_ike_header_t {
 
 	/**
 	 * IKE minor version.
-	 */	
+	 */
 	u_int8_t  min_version;
 
 	/**
 	 * Exchange type .
-	 */	
+	 */
 	u_int8_t  exchange_type;
-	
+
 	/**
 	 * Flags of the Message.
-	 * 
 	 */
-	struct { 
+	struct {
 		/**
 		 * Sender is initiator of the associated IKE_SA_INIT-Exchange.
 		 */
@@ -89,11 +87,11 @@ struct private_ike_header_t {
 	 * Associated Message-ID.
 	 */
 	u_int32_t message_id;
-	
+
 	/**
 	 * Length of the whole IKEv2-Message (header and all payloads).
 	 */
-	u_int32_t length;	
+	u_int32_t length;
 };
 
 ENUM_BEGIN(exchange_type_names, EXCHANGE_TYPE_UNDEFINED, EXCHANGE_TYPE_UNDEFINED,
@@ -113,38 +111,37 @@ ENUM_END(exchange_type_names, INFORMATIONAL);
 
 /**
  * Encoding rules to parse or generate a IKEv2-Header.
- * 
- * The defined offsets are the positions in a object of type 
+ *
+ * The defined offsets are the positions in a object of type
  * ike_header_t.
- * 
  */
 encoding_rule_t ike_header_encodings[] = {
- 	/* 8 Byte SPI, stored in the field initiator_spi */
+	/* 8 Byte SPI, stored in the field initiator_spi */
 	{ IKE_SPI,		offsetof(private_ike_header_t, initiator_spi)	},
- 	/* 8 Byte SPI, stored in the field responder_spi */
+	/* 8 Byte SPI, stored in the field responder_spi */
 	{ IKE_SPI,		offsetof(private_ike_header_t, responder_spi) 	},
- 	/* 1 Byte next payload type, stored in the field next_payload */
+	/* 1 Byte next payload type, stored in the field next_payload */
 	{ U_INT_8,		offsetof(private_ike_header_t, next_payload) 	},
- 	/* 4 Bit major version, stored in the field maj_version */
+	/* 4 Bit major version, stored in the field maj_version */
 	{ U_INT_4,		offsetof(private_ike_header_t, maj_version) 	},
- 	/* 4 Bit minor version, stored in the field min_version */
+	/* 4 Bit minor version, stored in the field min_version */
 	{ U_INT_4,		offsetof(private_ike_header_t, min_version) 	},
 	/* 8 Bit for the exchange type */
 	{ U_INT_8,		offsetof(private_ike_header_t, exchange_type) 	},
- 	/* 2 Bit reserved bits, nowhere stored */
-	{ RESERVED_BIT,	0 										}, 
-	{ RESERVED_BIT,	0 										}, 
- 	/* 3 Bit flags, stored in the fields response, version and initiator */
-	{ FLAG,			offsetof(private_ike_header_t, flags.response) 	},	
+	/* 2 Bit reserved bits, nowhere stored */
+	{ RESERVED_BIT,	0 										},
+	{ RESERVED_BIT,	0 										},
+	/* 3 Bit flags, stored in the fields response, version and initiator */
+	{ FLAG,			offsetof(private_ike_header_t, flags.response) 	},
 	{ FLAG,			offsetof(private_ike_header_t, flags.version) 	},
 	{ FLAG,			offsetof(private_ike_header_t, flags.initiator) },
- 	/* 3 Bit reserved bits, nowhere stored */
+	/* 3 Bit reserved bits, nowhere stored */
 	{ RESERVED_BIT,	0 										},
 	{ RESERVED_BIT,	0 										},
 	{ RESERVED_BIT,	0 										},
- 	/* 4 Byte message id, stored in the field message_id */
+	/* 4 Byte message id, stored in the field message_id */
 	{ U_INT_32,		offsetof(private_ike_header_t, message_id) 		},
- 	/* 4 Byte length fied, stored in the field length */
+	/* 4 Byte length fied, stored in the field length */
 	{ HEADER_LENGTH,	offsetof(private_ike_header_t, length) 			}
 };
 
@@ -194,9 +191,9 @@ static status_t verify(private_ike_header_t *this)
 		/* initiator spi not set */
 		return FAILED;
 	}
-	
+
 	/* verification of version is not done in here */
-	
+
 	return SUCCESS;
 }
 
@@ -212,7 +209,7 @@ static void set_next_type(payload_t *this,payload_type_t type)
  */
 static u_int64_t get_initiator_spi(private_ike_header_t *this)
 {
-	return this->initiator_spi;	
+	return this->initiator_spi;
 }
 
 /**
@@ -228,7 +225,7 @@ static void set_initiator_spi(private_ike_header_t *this, u_int64_t initiator_sp
  */
 static u_int64_t get_responder_spi(private_ike_header_t *this)
 {
-	return this->responder_spi;	
+	return this->responder_spi;
 }
 
 /**
@@ -244,7 +241,7 @@ static void set_responder_spi(private_ike_header_t *this, u_int64_t responder_sp
  */
 static u_int8_t get_maj_version(private_ike_header_t *this)
 {
-	return this->maj_version;	
+	return this->maj_version;
 }
 
 /**
@@ -252,7 +249,7 @@ static u_int8_t get_maj_version(private_ike_header_t *this)
  */
 static u_int8_t get_min_version(private_ike_header_t *this)
 {
-	return this->min_version;	
+	return this->min_version;
 }
 
 /**
@@ -260,7 +257,7 @@ static u_int8_t get_min_version(private_ike_header_t *this)
  */
 static bool get_response_flag(private_ike_header_t *this)
 {
-	return this->flags.response;	
+	return this->flags.response;
 }
 
 /**
@@ -268,7 +265,7 @@ static bool get_response_flag(private_ike_header_t *this)
  */
 static void set_response_flag(private_ike_header_t *this, bool response)
 {
-	this->flags.response = response;	
+	this->flags.response = response;
 }
 
 /**
@@ -276,7 +273,7 @@ static void set_response_flag(private_ike_header_t *this, bool response)
  */
 static bool get_version_flag(private_ike_header_t *this)
 {
-	return this->flags.version;	
+	return this->flags.version;
 }
 
 /**
@@ -284,7 +281,7 @@ static bool get_version_flag(private_ike_header_t *this)
  */
 static bool get_initiator_flag(private_ike_header_t *this)
 {
-	return this->flags.initiator;	
+	return this->flags.initiator;
 }
 
 /**
@@ -292,7 +289,7 @@ static bool get_initiator_flag(private_ike_header_t *this)
  */
 static void set_initiator_flag(private_ike_header_t *this, bool initiator)
 {
-	this->flags.initiator = initiator;	
+	this->flags.initiator = initiator;
 }
 
 /**
@@ -300,7 +297,7 @@ static void set_initiator_flag(private_ike_header_t *this, bool initiator)
  */
 static u_int8_t get_exchange_type(private_ike_header_t *this)
 {
-	return this->exchange_type;	
+	return this->exchange_type;
 }
 
 /**
@@ -308,7 +305,7 @@ static u_int8_t get_exchange_type(private_ike_header_t *this)
  */
 static void set_exchange_type(private_ike_header_t *this, u_int8_t exchange_type)
 {
-	this->exchange_type = exchange_type;	
+	this->exchange_type = exchange_type;
 }
 
 /**
@@ -317,7 +314,7 @@ static void set_exchange_type(private_ike_header_t *this, u_int8_t exchange_type
  */
 static u_int32_t get_message_id(private_ike_header_t *this)
 {
-	return this->message_id;	
+	return this->message_id;
 }
 
 /**
@@ -375,7 +372,7 @@ static size_t get_length(payload_t *this)
 ike_header_t *ike_header_create()
 {
 	private_ike_header_t *this = malloc_thing(private_ike_header_t);
-	
+
 	this->public.payload_interface.verify = (status_t (*) (payload_t *))verify;
 	this->public.payload_interface.get_encoding_rules = get_encoding_rules;
 	this->public.payload_interface.get_length = get_length;
@@ -384,7 +381,7 @@ ike_header_t *ike_header_create()
 	this->public.payload_interface.get_type = get_type;
 	this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
 	this->public.destroy = destroy;
-	
+
 	this->public.get_initiator_spi = (u_int64_t (*) (ike_header_t*))get_initiator_spi;
 	this->public.set_initiator_spi = (void (*) (ike_header_t*,u_int64_t))set_initiator_spi;
 	this->public.get_responder_spi = (u_int64_t (*) (ike_header_t*))get_responder_spi;
@@ -400,7 +397,7 @@ ike_header_t *ike_header_create()
 	this->public.set_exchange_type = (void (*) (ike_header_t*,u_int8_t))set_exchange_type;
 	this->public.get_message_id = (u_int32_t (*) (ike_header_t*))get_message_id;
 	this->public.set_message_id = (void (*) (ike_header_t*,u_int32_t))set_message_id;
-	
+
 	/* set default values of the fields */
 	this->initiator_spi = 0;
 	this->responder_spi = 0;
@@ -413,6 +410,6 @@ ike_header_t *ike_header_create()
 	this->flags.response = FALSE;
 	this->message_id = 0;
 	this->length = IKE_HEADER_LENGTH;
-	
+
 	return (ike_header_t*)this;
 }
diff --git a/src/charon/encoding/payloads/ike_header.h b/src/charon/encoding/payloads/ike_header.h
index 8de316d19..e63e8bf06 100644
--- a/src/charon/encoding/payloads/ike_header.h
+++ b/src/charon/encoding/payloads/ike_header.h
@@ -60,7 +60,7 @@ enum exchange_type_t{
 	 * EXCHANGE_TYPE_UNDEFINED. In private space, since not a official message type.
 	 */
 	EXCHANGE_TYPE_UNDEFINED = 255,
-	
+
 	/**
 	 * IKE_SA_INIT.
 	 */
@@ -94,11 +94,11 @@ enum exchange_type_t{
 extern enum_name_t *exchange_type_names;
 
 /**
- * An object of this type represents an IKEv2 header and is used to 
+ * An object of this type represents an IKEv2 header and is used to
  * generate and parse IKEv2 headers.
- * 
- * The header format of an IKEv2-Message is compatible to the 
- * ISAKMP-Header format to allow implementations supporting 
+ *
+ * The header format of an IKEv2-Message is compatible to the
+ * ISAKMP-Header format to allow implementations supporting
  * both versions of the IKE-protocol.
  */
 struct ike_header_t {
@@ -106,61 +106,60 @@ struct ike_header_t {
 	 * The payload_t interface.
 	 */
 	payload_t payload_interface;
-	
+
 	/**
 	 * Get the initiator spi.
 	 *
 	 * @return 				initiator_spi
 	 */
 	u_int64_t (*get_initiator_spi) (ike_header_t *this);
-	
+
 	/**
 	 * Set the initiator spi.
 	 *
 	 * @param initiator_spi	initiator_spi
 	 */
 	void (*set_initiator_spi) (ike_header_t *this, u_int64_t initiator_spi);
-	
+
 	/**
 	 * Get the responder spi.
 	 *
 	 * @return 				responder_spi
 	 */
 	u_int64_t (*get_responder_spi) (ike_header_t *this);
-	
+
 	/**
 	 * Set the responder spi.
 	 *
 	 * @param responder_spi	responder_spi
 	 */
 	void (*set_responder_spi) (ike_header_t *this, u_int64_t responder_spi);
-	
+
 	/**
 	 * Get the major version.
 	 *
 	 * @return 				major version
 	 */
 	u_int8_t (*get_maj_version) (ike_header_t *this);
-	
+
 	/**
 	 * Get the minor version.
 	 *
 	 * @return 				minor version
 	 */
 	u_int8_t (*get_min_version) (ike_header_t *this);
-	
+
 	/**
 	 * Get the response flag.
 	 *
 	 * @return 				response flag
 	 */
 	bool (*get_response_flag) (ike_header_t *this);
-	
+
 	/**
 	 * Set the response flag-
 	 *
 	 * @param response		response flag
-	 * 
 	 */
 	void (*set_response_flag) (ike_header_t *this, bool response);
 	/**
@@ -169,14 +168,14 @@ struct ike_header_t {
 	 * @return 				version flag
 	 */
 	bool (*get_version_flag) (ike_header_t *this);
-	
+
 	/**
 	 * Get the initiator flag.
 	 *
 	 * @return 				initiator flag
 	 */
 	bool (*get_initiator_flag) (ike_header_t *this);
-	
+
 	/**
 	 * Set the initiator flag.
 	 *
@@ -190,28 +189,28 @@ struct ike_header_t {
 	 * @return 				exchange type
 	 */
 	u_int8_t (*get_exchange_type) (ike_header_t *this);
-	
+
 	/**
 	 * Set the  exchange type.
 	 *
 	 * @param exchange_type	exchange type
 	 */
 	void (*set_exchange_type) (ike_header_t *this, u_int8_t exchange_type);
-	
+
 	/**
 	 * Get the message id.
 	 *
 	 * @return 				message id
 	 */
 	u_int32_t (*get_message_id) (ike_header_t *this);
-	
+
 	/**
 	 * Set the message id.
 	 *
 	 * @param initiator_spi	message id
 	 */
 	void (*set_message_id) (ike_header_t *this, u_int32_t message_id);
-	
+
 	/**
 	 * Destroys a ike_header_t object.
 	 */
@@ -220,7 +219,7 @@ struct ike_header_t {
 
 /**
  * Create an ike_header_t object
- * 
+ *
  * @return ike_header_t object
  */
 ike_header_t *ike_header_create(void);
diff --git a/src/charon/encoding/payloads/ke_payload.c b/src/charon/encoding/payloads/ke_payload.c
index aa3e075ca..1bc79f084 100644
--- a/src/charon/encoding/payloads/ke_payload.c
+++ b/src/charon/encoding/payloads/ke_payload.c
@@ -25,14 +25,14 @@ typedef struct private_ke_payload_t private_ke_payload_t;
 
 /**
  * Private data of an ke_payload_t object.
- * 
+ *
  */
 struct private_ke_payload_t {
 	/**
 	 * Public ke_payload_t interface.
 	 */
 	ke_payload_t public;
-	
+
 	/**
 	 * Next payload type.
 	 */
@@ -42,17 +42,17 @@ struct private_ke_payload_t {
 	 * Critical flag.
 	 */
 	bool critical;
-		
+
 	/**
 	 * Length of this payload.
 	 */
 	u_int16_t payload_length;
-	
+
 	/**
 	 * DH Group Number.
 	 */
 	u_int16_t dh_group_number;
-	
+
 	/**
 	 * Key Exchange Data of this KE payload.
 	 */
@@ -61,30 +61,30 @@ struct private_ke_payload_t {
 
 /**
  * Encoding rules to parse or generate a IKEv2-KE Payload.
- * 
- * The defined offsets are the positions in a object of type 
+ *
+ * The defined offsets are the positions in a object of type
  * private_ke_payload_t.
- * 
+ *
  */
 encoding_rule_t ke_payload_encodings[] = {
- 	/* 1 Byte next payload type, stored in the field next_payload */
+	/* 1 Byte next payload type, stored in the field next_payload */
 	{ U_INT_8,			offsetof(private_ke_payload_t, next_payload) 		},
 	/* the critical bit */
-	{ FLAG,				offsetof(private_ke_payload_t, critical) 			},	
- 	/* 7 Bit reserved bits, nowhere stored */
-	{ RESERVED_BIT,	0 														}, 
-	{ RESERVED_BIT,	0 														}, 
-	{ RESERVED_BIT,	0 														}, 
-	{ RESERVED_BIT,	0 														}, 
-	{ RESERVED_BIT,	0 														}, 
-	{ RESERVED_BIT,	0 														}, 
-	{ RESERVED_BIT,	0 														}, 
+	{ FLAG,				offsetof(private_ke_payload_t, critical) 			},
+	/* 7 Bit reserved bits, nowhere stored */
+	{ RESERVED_BIT,	0 														},
+	{ RESERVED_BIT,	0 														},
+	{ RESERVED_BIT,	0 														},
+	{ RESERVED_BIT,	0 														},
+	{ RESERVED_BIT,	0 														},
+	{ RESERVED_BIT,	0 														},
+	{ RESERVED_BIT,	0 														},
 	/* Length of the whole payload*/
-	{ PAYLOAD_LENGTH,	offsetof(private_ke_payload_t, payload_length) 		},	
+	{ PAYLOAD_LENGTH,	offsetof(private_ke_payload_t, payload_length) 		},
 	/* DH Group number as 16 bit field*/
 	{ U_INT_16,			offsetof(private_ke_payload_t, dh_group_number) 	},
-	{ RESERVED_BYTE,	0 													}, 
-	{ RESERVED_BYTE,	0 													}, 
+	{ RESERVED_BYTE,	0 													},
+	{ RESERVED_BYTE,	0 													},
 	/* Key Exchange Data is from variable size */
 	{ KEY_EXCHANGE_DATA,	offsetof(private_ke_payload_t, key_exchange_data)}
 };
@@ -166,7 +166,7 @@ static void compute_length(private_ke_payload_t *this)
 	if (this->key_exchange_data.ptr != NULL)
 	{
 		length += this->key_exchange_data.len;
-	}	
+	}
 	this->payload_length = length;
 }
 
@@ -199,9 +199,9 @@ static void set_key_exchange_data(private_ke_payload_t *this, chunk_t key_exchan
 		free(this->key_exchange_data.ptr);
 		this->key_exchange_data.ptr = NULL;
 		this->key_exchange_data.len = 0;
-		
+
 	}
-	
+
 	this->key_exchange_data = chunk_clone(key_exchange_data);
 	compute_length(this);
 }
@@ -244,7 +244,7 @@ ke_payload_t *ke_payload_create()
 	this->public.get_dh_group_number = (diffie_hellman_group_t (*) (ke_payload_t *)) get_dh_group_number;
 	this->public.set_dh_group_number =(void (*) (ke_payload_t *,diffie_hellman_group_t)) set_dh_group_number;
 	this->public.destroy = (void (*) (ke_payload_t *)) destroy;
-	
+
 	/* set default values of the fields */
 	this->critical = FALSE;
 	this->next_payload = NO_PAYLOAD;
@@ -261,10 +261,10 @@ ke_payload_t *ke_payload_create()
 ke_payload_t *ke_payload_create_from_diffie_hellman(diffie_hellman_t *dh)
 {
 	private_ke_payload_t *this = (private_ke_payload_t*)ke_payload_create();
-	
+
 	dh->get_my_public_value(dh, &this->key_exchange_data);
 	this->dh_group_number = dh->get_dh_group(dh);
 	compute_length(this);
-	
+
 	return &this->public;
 }
diff --git a/src/charon/encoding/payloads/ke_payload.h b/src/charon/encoding/payloads/ke_payload.h
index 7e182d970..3ca05009e 100644
--- a/src/charon/encoding/payloads/ke_payload.h
+++ b/src/charon/encoding/payloads/ke_payload.h
@@ -45,38 +45,38 @@ struct ke_payload_t {
 	 * The payload_t interface.
 	 */
 	payload_t payload_interface;
-	
+
 	/**
 	 * Returns the currently set key exchange data of this KE payload.
-	 * 	
+	 *
 	 * @warning Returned data are not copied.
-	 * 
+	 *
 	 * @return 		chunk_t pointing to the value
 	 */
 	chunk_t (*get_key_exchange_data) (ke_payload_t *this);
-	
+
 	/**
 	 * Sets the key exchange data of this KE payload.
-	 * 	
+	 *
 	 * Value is getting copied.
-	 * 
+	 *
 	 * @param key_exchange_data chunk_t pointing to the value to set
 	 */
 	void (*set_key_exchange_data) (ke_payload_t *this, chunk_t key_exchange_data);
 
 	/**
 	 * Gets the Diffie-Hellman Group Number of this KE payload.
-	 * 	
+	 *
 	 * @return 					DH Group Number of this payload
 	 */
 	diffie_hellman_group_t (*get_dh_group_number) (ke_payload_t *this);
 
 	/**
 	 * Sets the Diffie-Hellman Group Number of this KE payload.
-	 * 	
+	 *
 	 * @param dh_group_number	DH Group to set
 	 */
-	void (*set_dh_group_number) (ke_payload_t *this, 
+	void (*set_dh_group_number) (ke_payload_t *this,
 								 diffie_hellman_group_t dh_group_number);
 
 	/**
@@ -87,14 +87,14 @@ struct ke_payload_t {
 
 /**
  * Creates an empty ke_payload_t object
- * 
+ *
  * @return ke_payload_t object
  */
 ke_payload_t *ke_payload_create(void);
 
 /**
  * Creates a ke_payload_t from a diffie_hellman_t
- * 
+ *
  * @param diffie_hellman	diffie hellman object containing group and key
  * @return 					ke_payload_t object
  */
diff --git a/src/charon/encoding/payloads/nonce_payload.c b/src/charon/encoding/payloads/nonce_payload.c
index f9e075380..4ad5ce9dd 100644
--- a/src/charon/encoding/payloads/nonce_payload.c
+++ b/src/charon/encoding/payloads/nonce_payload.c
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  */
- 
+
 /* offsetof macro */
 #include <stddef.h>
 
@@ -26,14 +26,14 @@ typedef struct private_nonce_payload_t private_nonce_payload_t;
 
 /**
  * Private data of an nonce_payload_t object.
- * 
+ *
  */
 struct private_nonce_payload_t {
 	/**
 	 * Public nonce_payload_t interface.
 	 */
 	nonce_payload_t public;
-	
+
 	/**
 	 * Next payload type.
 	 */
@@ -43,12 +43,12 @@ struct private_nonce_payload_t {
 	 * Critical flag.
 	 */
 	bool critical;
-	
+
 	/**
 	 * Length of this payload.
 	 */
 	u_int16_t payload_length;
-	
+
 	/**
 	 * The contained nonce value.
 	 */
@@ -57,26 +57,26 @@ struct private_nonce_payload_t {
 
 /**
  * Encoding rules to parse or generate a nonce payload
- * 
- * The defined offsets are the positions in a object of type 
+ *
+ * The defined offsets are the positions in a object of type
  * private_nonce_payload_t.
- * 
+ *
  */
 encoding_rule_t nonce_payload_encodings[] = {
- 	/* 1 Byte next payload type, stored in the field next_payload */
+	/* 1 Byte next payload type, stored in the field next_payload */
 	{ U_INT_8,			offsetof(private_nonce_payload_t, next_payload) 	},
 	/* the critical bit */
-	{ FLAG,				offsetof(private_nonce_payload_t, critical) 		},	
- 	/* 7 Bit reserved bits, nowhere stored */
-	{ RESERVED_BIT,	0 														}, 
-	{ RESERVED_BIT,	0 														}, 
-	{ RESERVED_BIT,	0 														}, 
-	{ RESERVED_BIT,	0 														}, 
-	{ RESERVED_BIT,	0 														}, 
-	{ RESERVED_BIT,	0 														}, 
-	{ RESERVED_BIT,	0 														}, 
+	{ FLAG,				offsetof(private_nonce_payload_t, critical) 		},
+	/* 7 Bit reserved bits, nowhere stored */
+	{ RESERVED_BIT,	0 														},
+	{ RESERVED_BIT,	0 														},
+	{ RESERVED_BIT,	0 														},
+	{ RESERVED_BIT,	0 														},
+	{ RESERVED_BIT,	0 														},
+	{ RESERVED_BIT,	0 														},
+	{ RESERVED_BIT,	0 														},
 	/* Length of the whole nonce payload*/
-	{ PAYLOAD_LENGTH,	offsetof(private_nonce_payload_t, payload_length) 	},	
+	{ PAYLOAD_LENGTH,	offsetof(private_nonce_payload_t, payload_length) 	},
 	/* some nonce bytes, lenth is defined in PAYLOAD_LENGTH */
 	{ NONCE_DATA,			offsetof(private_nonce_payload_t, nonce) 		}
 };
@@ -102,7 +102,7 @@ static status_t verify(private_nonce_payload_t *this)
 		/* nonce length is wrong */
 		return FAILED;
 	}
-	
+
 	return SUCCESS;
 }
 
@@ -187,8 +187,8 @@ static void destroy(private_nonce_payload_t *this)
 	{
 		free(this->nonce.ptr);
 	}
-	
-	free(this);	
+
+	free(this);
 }
 
 /*
@@ -206,12 +206,12 @@ nonce_payload_t *nonce_payload_create()
 	this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
 	this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_type;
 	this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
-	
+
 	/* public functions */
 	this->public.destroy = (void (*) (nonce_payload_t *)) destroy;
 	this->public.set_nonce = (void (*) (nonce_payload_t *,chunk_t)) set_nonce;
 	this->public.get_nonce = (chunk_t (*) (nonce_payload_t *)) get_nonce;
-	
+
 	/* private variables */
 	this->critical = FALSE;
 	this->next_payload = NO_PAYLOAD;
diff --git a/src/charon/encoding/payloads/nonce_payload.h b/src/charon/encoding/payloads/nonce_payload.h
index 4adaba481..e9212202e 100644
--- a/src/charon/encoding/payloads/nonce_payload.h
+++ b/src/charon/encoding/payloads/nonce_payload.h
@@ -39,7 +39,7 @@ typedef struct nonce_payload_t nonce_payload_t;
 
 /**
  * Object representing an IKEv2 Nonce payload.
- * 
+ *
  * The Nonce payload format is described in RFC section 3.3.
  */
 struct nonce_payload_t {
@@ -51,17 +51,17 @@ struct nonce_payload_t {
 	/**
 	 * Set the nonce value.
 	 *
-	 * @param nonce	  		chunk containing the nonce, will be cloned
+	 * @param nonce			chunk containing the nonce, will be cloned
 	 */
 	void (*set_nonce) (nonce_payload_t *this, chunk_t nonce);
-	
+
 	/**
 	 * Get the nonce value.
 	 *
 	 * @return				a chunk containing the cloned nonce
 	 */
 	chunk_t (*get_nonce) (nonce_payload_t *this);
-	
+
 	/**
 	 * Destroys an nonce_payload_t object.
 	 */
@@ -70,7 +70,7 @@ struct nonce_payload_t {
 
 /**
  * Creates an empty nonce_payload_t object
- * 
+ *
  * @return nonce_payload_t object
  */
 nonce_payload_t *nonce_payload_create(void);
diff --git a/src/charon/encoding/payloads/notify_payload.c b/src/charon/encoding/payloads/notify_payload.c
index d2a995ace..469698ef5 100644
--- a/src/charon/encoding/payloads/notify_payload.c
+++ b/src/charon/encoding/payloads/notify_payload.c
@@ -41,7 +41,7 @@ ENUM_NEXT(notify_type_names, INVALID_KE_PAYLOAD, INVALID_KE_PAYLOAD, NO_PROPOSAL
 	"INVALID_KE_PAYLOAD");
 ENUM_NEXT(notify_type_names, AUTHENTICATION_FAILED, AUTHENTICATION_FAILED, INVALID_KE_PAYLOAD,
 	"AUTHENTICATION_FAILED");
-ENUM_NEXT(notify_type_names, SINGLE_PAIR_REQUIRED, UNEXPECTED_NAT_DETECTED, AUTHENTICATION_FAILED,
+ENUM_NEXT(notify_type_names, SINGLE_PAIR_REQUIRED, USE_ASSIGNED_HoA, AUTHENTICATION_FAILED,
 	"SINGLE_PAIR_REQUIRED",
 	"NO_ADDITIONAL_SAS",
 	"INTERNAL_ADDRESS_FAILURE",
@@ -49,10 +49,11 @@ ENUM_NEXT(notify_type_names, SINGLE_PAIR_REQUIRED, UNEXPECTED_NAT_DETECTED, AUTH
 	"TS_UNACCEPTABLE",
 	"INVALID_SELECTORS",
 	"UNACCEPTABLE_ADDRESSES",
-	"UNEXPECTED_NAT_DETECTED");
-ENUM_NEXT(notify_type_names, ME_CONNECT_FAILED, ME_CONNECT_FAILED, UNEXPECTED_NAT_DETECTED,
+	"UNEXPECTED_NAT_DETECTED",
+	"USE_ASSIGNED_HoA");
+ENUM_NEXT(notify_type_names, ME_CONNECT_FAILED, ME_CONNECT_FAILED, USE_ASSIGNED_HoA,
 	"ME_CONNECT_FAILED");
-ENUM_NEXT(notify_type_names, INITIAL_CONTACT, ANOTHER_AUTH_FOLLOWS, ME_CONNECT_FAILED,
+ENUM_NEXT(notify_type_names, INITIAL_CONTACT, LINK_ID, ME_CONNECT_FAILED,
 	"INITIAL_CONTACT",
 	"SET_WINDOW_SIZE",
 	"ADDITIONAL_TS_POSSIBLE",
@@ -74,8 +75,17 @@ ENUM_NEXT(notify_type_names, INITIAL_CONTACT, ANOTHER_AUTH_FOLLOWS, ME_CONNECT_F
 	"NO_NATS_ALLOWED",
 	"AUTH_LIFETIME",
 	"MULTIPLE_AUTH_SUPPORTED",
-	"ANOTHER_AUTH_FOLLOWS");
-ENUM_NEXT(notify_type_names, EAP_ONLY_AUTHENTICATION, EAP_ONLY_AUTHENTICATION, ANOTHER_AUTH_FOLLOWS,
+	"ANOTHER_AUTH_FOLLOWS",
+	"REDIRECT_SUPPORTED",
+	"REDIRECT",
+	"REDIRECTED_FROM",
+	"TICKET_LT_OPAQUE",
+	"TICKET_REQUEST",
+	"TICKET_ACK",
+	"TICKET_NACK",
+	"TICKET_OPAQUE",
+	"LINK_ID");
+ENUM_NEXT(notify_type_names, EAP_ONLY_AUTHENTICATION, EAP_ONLY_AUTHENTICATION, LINK_ID,
 	"EAP_ONLY_AUTHENTICATION");
 ENUM_NEXT(notify_type_names, USE_BEET_MODE, USE_BEET_MODE, EAP_ONLY_AUTHENTICATION,
 	"USE_BEET_MODE");
@@ -107,7 +117,7 @@ ENUM_NEXT(notify_type_short_names, INVALID_KE_PAYLOAD, INVALID_KE_PAYLOAD, NO_PR
 	"INVAL_KE");
 ENUM_NEXT(notify_type_short_names, AUTHENTICATION_FAILED, AUTHENTICATION_FAILED, INVALID_KE_PAYLOAD,
 	"AUTH_FAILED");
-ENUM_NEXT(notify_type_short_names, SINGLE_PAIR_REQUIRED, UNEXPECTED_NAT_DETECTED, AUTHENTICATION_FAILED,
+ENUM_NEXT(notify_type_short_names, SINGLE_PAIR_REQUIRED, USE_ASSIGNED_HoA, AUTHENTICATION_FAILED,
 	"SINGLE_PAIR",
 	"NO_ADD_SAS",
 	"INT_ADDR_FAIL",
@@ -115,10 +125,11 @@ ENUM_NEXT(notify_type_short_names, SINGLE_PAIR_REQUIRED, UNEXPECTED_NAT_DETECTED
 	"TS_UNACCEPT",
 	"INVAL_SEL",
 	"UNACCEPT_ADDR",
-	"UNEXPECT_NAT");
-ENUM_NEXT(notify_type_short_names, ME_CONNECT_FAILED, ME_CONNECT_FAILED, UNEXPECTED_NAT_DETECTED,
+	"UNEXPECT_NAT",
+	"ASSIGNED_HoA");
+ENUM_NEXT(notify_type_short_names, ME_CONNECT_FAILED, ME_CONNECT_FAILED, USE_ASSIGNED_HoA,
 	"ME_CONN_FAIL");
-ENUM_NEXT(notify_type_short_names, INITIAL_CONTACT, ANOTHER_AUTH_FOLLOWS, ME_CONNECT_FAILED,
+ENUM_NEXT(notify_type_short_names, INITIAL_CONTACT, LINK_ID, ME_CONNECT_FAILED,
 	"INIT_CONTACT",
 	"SET_WINSIZE",
 	"ADD_TS_POSS",
@@ -140,8 +151,17 @@ ENUM_NEXT(notify_type_short_names, INITIAL_CONTACT, ANOTHER_AUTH_FOLLOWS, ME_CON
 	"NO_NATS",
 	"AUTH_LFT",
 	"MULT_AUTH",
-	"AUTH_FOLLOWS");
-ENUM_NEXT(notify_type_short_names, EAP_ONLY_AUTHENTICATION, EAP_ONLY_AUTHENTICATION, ANOTHER_AUTH_FOLLOWS,
+	"AUTH_FOLLOWS",
+	"REDIR_SUP",
+	"REDIR",
+	"REDIR_FROM",
+	"TKT_LT_OPAK",
+	"TKT_REQ",
+	"TKT_ACK",
+	"TKT_NACK",
+	"TKT_OPAK",
+	"LINK_ID");
+ENUM_NEXT(notify_type_short_names, EAP_ONLY_AUTHENTICATION, EAP_ONLY_AUTHENTICATION, LINK_ID,
 	"EAP_ONLY");
 ENUM_NEXT(notify_type_short_names, USE_BEET_MODE, USE_BEET_MODE, EAP_ONLY_AUTHENTICATION,
 	"BEET_MODE");
@@ -160,14 +180,14 @@ typedef struct private_notify_payload_t private_notify_payload_t;
 
 /**
  * Private data of an notify_payload_t object.
- * 
+ *
  */
 struct private_notify_payload_t {
 	/**
 	 * Public notify_payload_t interface.
 	 */
 	notify_payload_t public;
-	
+
 	/**
 	 * Next payload type.
 	 */
@@ -177,27 +197,27 @@ struct private_notify_payload_t {
 	 * Critical flag.
 	 */
 	bool critical;
-		
+
 	/**
 	 * Length of this payload.
 	 */
 	u_int16_t payload_length;
-		
+
 	/**
 	 * Protocol id.
 	 */
 	u_int8_t protocol_id;
-	
+
 	/**
 	 * Spi size.
 	 */
 	u_int8_t spi_size;
-	
+
 	/**
 	 * Notify message type.
 	 */
 	u_int16_t notify_type;
-	
+
 	/**
 	 * Security parameter index (spi).
 	 */
@@ -211,26 +231,26 @@ struct private_notify_payload_t {
 
 /**
  * Encoding rules to parse or generate a IKEv2-Notify Payload.
- * 
- * The defined offsets are the positions in a object of type 
+ *
+ * The defined offsets are the positions in a object of type
  * private_notify_payload_t.
- * 
+ *
  */
 encoding_rule_t notify_payload_encodings[] = {
- 	/* 1 Byte next payload type, stored in the field next_payload */
+	/* 1 Byte next payload type, stored in the field next_payload */
 	{ U_INT_8,			offsetof(private_notify_payload_t, next_payload) 		},
 	/* the critical bit */
-	{ FLAG,				offsetof(private_notify_payload_t, critical) 			},	
- 	/* 7 Bit reserved bits, nowhere stored */
-	{ RESERVED_BIT,	0 														}, 
-	{ RESERVED_BIT,	0 														}, 
-	{ RESERVED_BIT,	0 														}, 
-	{ RESERVED_BIT,	0 														}, 
-	{ RESERVED_BIT,	0 														}, 
-	{ RESERVED_BIT,	0 														}, 
-	{ RESERVED_BIT,	0 														}, 
+	{ FLAG,				offsetof(private_notify_payload_t, critical) 			},
+	/* 7 Bit reserved bits, nowhere stored */
+	{ RESERVED_BIT,	0 														},
+	{ RESERVED_BIT,	0 														},
+	{ RESERVED_BIT,	0 														},
+	{ RESERVED_BIT,	0 														},
+	{ RESERVED_BIT,	0 														},
+	{ RESERVED_BIT,	0 														},
+	{ RESERVED_BIT,	0 														},
 	/* Length of the whole payload*/
-	{ PAYLOAD_LENGTH,	offsetof(private_notify_payload_t, payload_length) 		},	
+	{ PAYLOAD_LENGTH,	offsetof(private_notify_payload_t, payload_length) 		},
 	/* Protocol ID as 8 bit field*/
 	{ U_INT_8,			offsetof(private_notify_payload_t, protocol_id) 			},
 	/* SPI Size as 8 bit field*/
@@ -238,7 +258,7 @@ encoding_rule_t notify_payload_encodings[] = {
 	/* Notify message type as 16 bit field*/
 	{ U_INT_16,			offsetof(private_notify_payload_t, notify_type)	},
 	/* SPI as variable length field*/
-	{ SPI,				offsetof(private_notify_payload_t, spi)		 			},
+	{ SPI,				offsetof(private_notify_payload_t, spi)					},
 	/* Key Exchange Data is from variable size */
 	{ NOTIFICATION_DATA,	offsetof(private_notify_payload_t, notification_data) 	}
 };
@@ -279,7 +299,7 @@ static status_t verify(private_notify_payload_t *this)
 			DBG1(DBG_ENC, "Unknown protocol (%d)", this->protocol_id);
 			return FAILED;
 	}
-	
+
 	switch (this->notify_type)
 	{
 		case INVALID_KE_PAYLOAD:
@@ -567,7 +587,7 @@ notify_payload_t *notify_payload_create()
 	this->public.get_notification_data = (chunk_t (*) (notify_payload_t *)) get_notification_data;
 	this->public.set_notification_data = (void (*) (notify_payload_t *,chunk_t)) set_notification_data;
 	this->public.destroy = (void (*) (notify_payload_t *)) destroy;
-	
+
 	/* set default values of the fields */
 	this->critical = FALSE;
 	this->next_payload = NO_PAYLOAD;
@@ -579,7 +599,7 @@ notify_payload_t *notify_payload_create()
 	this->spi_size = 0;
 	this->notification_data.ptr = NULL;
 	this->notification_data.len = 0;
-	
+
 	return &this->public;
 }
 
@@ -592,6 +612,6 @@ notify_payload_t *notify_payload_create_from_protocol_and_type(protocol_id_t pro
 
 	notify->set_notify_type(notify,notify_type);
 	notify->set_protocol_id(notify,protocol_id);
-	
+
 	return notify;
 }
diff --git a/src/charon/encoding/payloads/notify_payload.h b/src/charon/encoding/payloads/notify_payload.h
index a5f501dca..0e1bc23b8 100644
--- a/src/charon/encoding/payloads/notify_payload.h
+++ b/src/charon/encoding/payloads/notify_payload.h
@@ -59,11 +59,15 @@ enum notify_type_t {
 	FAILED_CP_REQUIRED = 37,
 	TS_UNACCEPTABLE = 38,
 	INVALID_SELECTORS = 39,
+	/* mobile extension, RFC 4555 */
 	UNACCEPTABLE_ADDRESSES = 40,
 	UNEXPECTED_NAT_DETECTED = 41,
+	/* mobile IPv6 bootstrapping, RFC 5026 */
+	USE_ASSIGNED_HoA = 42,
+
 	/* IKE-ME, private use */
 	ME_CONNECT_FAILED = 8192,
-	
+
 	/* notify status messages */
 	INITIAL_CONTACT = 16384,
 	SET_WINDOW_SIZE = 16385,
@@ -87,9 +91,21 @@ enum notify_type_t {
 	NO_NATS_ALLOWED = 16402,
 	/* repeated authentication extension, RFC4478 */
 	AUTH_LIFETIME = 16403,
-    /* multiple authentication exchanges, RFC 4739 */
+	/* multiple authentication exchanges, RFC 4739 */
 	MULTIPLE_AUTH_SUPPORTED = 16404,
 	ANOTHER_AUTH_FOLLOWS = 16405,
+	/* redirect mechanism, RFC 5685 */
+	REDIRECT_SUPPORTED = 16406,
+	REDIRECT = 16407,
+	REDIRECTED_FROM = 16408,
+	/* draft-ietf-ipsecme-ikev2-resumption, assigned by IANA */
+	TICKET_LT_OPAQUE = 16409,
+	TICKET_REQUEST = 16410,
+	TICKET_ACK = 16411,
+	TICKET_NACK = 16412,
+	TICKET_OPAQUE = 16413,
+	LINK_ID = 16414,
+
 	/* draft-eronen-ipsec-ikev2-eap-auth, not assigned by IANA yet */
 	EAP_ONLY_AUTHENTICATION = 40960,
 	/* BEET mode, not even a draft yet. private use */
@@ -116,7 +132,7 @@ extern enum_name_t *notify_type_short_names;
 
 /**
  * Class representing an IKEv2-Notify Payload.
- * 
+ *
  * The Notify Payload format is described in Draft section 3.10.
  */
 struct notify_payload_t {
@@ -124,67 +140,67 @@ struct notify_payload_t {
 	 * The payload_t interface.
 	 */
 	payload_t payload_interface;
-	
+
 	/**
 	 * Gets the protocol id of this payload.
-	 * 	
+	 *
 	 * @return 			protocol id of this payload
 	 */
 	u_int8_t (*get_protocol_id) (notify_payload_t *this);
 
 	/**
 	 * Sets the protocol id of this payload.
-	 * 	
+	 *
 	 * @param protocol_id	protocol id to set
 	 */
 	void (*set_protocol_id) (notify_payload_t *this, u_int8_t protocol_id);
 
 	/**
 	 * Gets the notify message type of this payload.
-	 * 	
+	 *
 	 * @return 			notify message type of this payload
 	 */
 	notify_type_t (*get_notify_type) (notify_payload_t *this);
 
 	/**
 	 * Sets notify message type of this payload.
-	 * 	
+	 *
 	 * @param type		notify message type to set
 	 */
 	void (*set_notify_type) (notify_payload_t *this, notify_type_t type);
 
 	/**
 	 * Returns the currently set spi of this payload.
-	 * 
+	 *
 	 * This is only valid for notifys with protocol AH|ESP
 	 *
 	 * @return 		SPI value
 	 */
 	u_int32_t (*get_spi) (notify_payload_t *this);
-	
+
 	/**
 	 * Sets the spi of this payload.
-	 * 
+	 *
 	 * This is only valid for notifys with protocol AH|ESP
-	 * 
+	 *
 	 * @param spi	SPI value
 	 */
 	void (*set_spi) (notify_payload_t *this, u_int32_t spi);
 
 	/**
 	 * Returns the currently set notification data of payload.
-	 * 	
+	 *
 	 * Returned data are not copied.
-	 * 
+	 *
 	 * @return 		chunk_t pointing to the value
 	 */
 	chunk_t (*get_notification_data) (notify_payload_t *this);
-	
+
 	/**
 	 * Sets the notification data of this payload.
-	 * 	
+	 *
 	 * @warning Value is getting copied.
-	 * 
+	 *
 	 * @param notification_data 	chunk_t pointing to the value to set
 	 */
 	void (*set_notification_data) (notify_payload_t *this,
@@ -198,14 +214,14 @@ struct notify_payload_t {
 
 /**
  * Creates an empty notify_payload_t object
- * 
+ *
  * @return			created notify_payload_t object
  */
 notify_payload_t *notify_payload_create(void);
 
 /**
  * Creates an notify_payload_t object of specific type for specific protocol id.
- * 
+ *
  * @param protocol_id			protocol id (IKE, AH or ESP)
  * @param type					notify type (see notify_type_t)
  * @return						notify_payload_t object
diff --git a/src/charon/encoding/payloads/payload.h b/src/charon/encoding/payloads/payload.h
index 78f5b7b97..2e783cb30 100644
--- a/src/charon/encoding/payloads/payload.h
+++ b/src/charon/encoding/payloads/payload.h
@@ -33,7 +33,7 @@ typedef struct payload_t payload_t;
 /**
  * Payload-Types of a IKEv2-Message.
  *
- * Header and substructures are also defined as 
+ * Header and substructures are also defined as
  * payload types with values from PRIVATE USE space.
  */
 enum payload_type_t{
@@ -42,7 +42,7 @@ enum payload_type_t{
 	 * End of payload list in next_payload
 	 */
 	NO_PAYLOAD = 0,
-	
+
 	/**
 	 * The security association (SA) payload containing proposals.
 	 */
@@ -122,67 +122,67 @@ enum payload_type_t{
 	 * Extensible authentication payload (EAP).
 	 */
 	EXTENSIBLE_AUTHENTICATION = 48,
-	
+
 #ifdef ME
 	/**
 	 * Identification payload for peers has a value from
-	 * the PRIVATE USE space. 
+	 * the PRIVATE USE space.
 	 */
 	ID_PEER = 128,
 #endif /* ME */
-	
+
 	/**
 	 * Header has a value of PRIVATE USE space.
-	 * 
-	 * This payload type is not sent over wire and just 
+	 *
+	 * This payload type is not sent over wire and just
 	 * used internally to handle IKEv2-Header like a payload.
 	 */
 	HEADER = 140,
-	
+
 	/**
 	 * PROPOSAL_SUBSTRUCTURE has a value of PRIVATE USE space.
-	 * 
-	 * This payload type is not sent over wire and just 
+	 *
+	 * This payload type is not sent over wire and just
 	 * used internally to handle a proposal substructure like a payload.
 	 */
 	PROPOSAL_SUBSTRUCTURE = 141,
 
 	/**
 	 * TRANSFORM_SUBSTRUCTURE has a value of PRIVATE USE space.
-	 * 
-	 * This payload type is not sent over wire and just 
+	 *
+	 * This payload type is not sent over wire and just
 	 * used internally to handle a transform substructure like a payload.
 	 */
 	TRANSFORM_SUBSTRUCTURE = 142,
-	
+
 	/**
 	 * TRANSFORM_ATTRIBUTE has a value of PRIVATE USE space.
-	 * 
-	 * This payload type is not sent over wire and just 
+	 *
+	 * This payload type is not sent over wire and just
 	 * used internally to handle a transform attribute like a payload.
 	 */
 	TRANSFORM_ATTRIBUTE = 143,
 
 	/**
 	 * TRAFFIC_SELECTOR_SUBSTRUCTURE has a value of PRIVATE USE space.
-	 * 
-	 * This payload type is not sent over wire and just 
+	 *
+	 * This payload type is not sent over wire and just
 	 * used internally to handle a transform selector like a payload.
-	 */	
+	 */
 	TRAFFIC_SELECTOR_SUBSTRUCTURE = 144,
-	
+
 	/**
 	 * CONFIGURATION_ATTRIBUTE has a value of PRIVATE USE space.
-	 * 
-	 * This payload type is not sent over wire and just 
+	 *
+	 * This payload type is not sent over wire and just
 	 * used internally to handle a transform attribute like a payload.
 	 */
 	CONFIGURATION_ATTRIBUTE = 145,
-	
+
 	/**
 	 * A unknown payload has a value of PRIVATE USE space.
-	 * 
-	 * This payload type is not sent over wire and just 
+	 *
+	 * This payload type is not sent over wire and just
 	 * used internally to handle a unknown payload.
 	 */
 	UNKNOWN_PAYLOAD = 146,
@@ -201,13 +201,13 @@ extern enum_name_t *payload_type_short_names;
 
 /**
  * Generic interface for all payload types (incl.header and substructures).
- * 
+ *
  * To handle all kinds of payloads on a generic way, this interface must
  * be implemented by every payload. This allows parser_t/generator_t a simple
  * handling of all payloads.
  */
 struct payload_t {
-	
+
 	/**
 	 * Get encoding rules for this payload.
 	 *
@@ -229,7 +229,7 @@ struct payload_t {
 	 * @return 				type of next payload
 	 */
 	payload_type_t (*get_next_type) (payload_t *this);
-	
+
 	/**
 	 * Set type of next payload.
 	 *
@@ -243,14 +243,14 @@ struct payload_t {
 	 * @return 				length of this payload
 	 */
 	size_t (*get_length) (payload_t *this);
-	
+
 	/**
 	 * Verifies payload structure and makes consistence check.
 	 *
 	 * @return 				SUCCESS,  FAILED if consistence not given
 	 */
 	status_t (*verify) (payload_t *this);
-	
+
 	/**
 	 * Destroys a payload and all included substructures.
 	 */
@@ -259,11 +259,11 @@ struct payload_t {
 
 /**
  * Create an empty payload.
- * 
+ *
  * Useful for the parser, who wants a generic constructor for all payloads.
- * It supports all payload_t methods. If a payload type is not known, 
+ * It supports all payload_t methods. If a payload type is not known,
  * an unknwon_paylod is created with the chunk of data in it.
- * 
+ *
  * @param type		type of the payload to create
  * @return			payload_t object
  */
diff --git a/src/charon/encoding/payloads/proposal_substructure.c b/src/charon/encoding/payloads/proposal_substructure.c
index a8166023c..c93f73a68 100644
--- a/src/charon/encoding/payloads/proposal_substructure.c
+++ b/src/charon/encoding/payloads/proposal_substructure.c
@@ -35,14 +35,14 @@ typedef struct private_proposal_substructure_t private_proposal_substructure_t;
 
 /**
  * Private data of an proposal_substructure_t object.
- * 
+ *
  */
 struct private_proposal_substructure_t {
 	/**
 	 * Public proposal_substructure_t interface.
 	 */
 	proposal_substructure_t public;
-	
+
 	/**
 	 * Next payload type.
 	 */
@@ -52,12 +52,12 @@ struct private_proposal_substructure_t {
 	 * Length of this payload.
 	 */
 	u_int16_t proposal_length;
-	
+
 	/**
 	 * Proposal number.
 	 */
 	u_int8_t proposal_number;
-	
+
 	/**
 	 * Protocol ID.
 	 */
@@ -66,32 +66,32 @@ struct private_proposal_substructure_t {
 	/**
 	 * SPI size of the following SPI.
 	 */
- 	u_int8_t  spi_size;
+	u_int8_t  spi_size;
 
 	/**
 	 * Number of transforms.
 	 */
- 	u_int8_t  transforms_count;
- 	
- 	/**
- 	 * SPI is stored as chunk.
- 	 */
- 	chunk_t spi;
- 	
- 	/**
- 	 * Transforms are stored in a linked_list_t.
- 	 */
+	u_int8_t  transforms_count;
+
+	/**
+	 * SPI is stored as chunk.
+	 */
+	chunk_t spi;
+
+	/**
+	 * Transforms are stored in a linked_list_t.
+	 */
 	linked_list_t * transforms;
 };
 
 /**
  * Encoding rules to parse or generate a Proposal substructure.
  *
- * The defined offsets are the positions in a object of type 
+ * The defined offsets are the positions in a object of type
  * private_proposal_substructure_t.
  */
 encoding_rule_t proposal_substructure_encodings[] = {
- 	/* 1 Byte next payload type, stored in the field next_payload */
+	/* 1 Byte next payload type, stored in the field next_payload */
 	{ U_INT_8,			offsetof(private_proposal_substructure_t, next_payload) 		},
 	/* Reserved Byte is skipped */
 	{ RESERVED_BYTE,		0															},
@@ -107,7 +107,7 @@ encoding_rule_t proposal_substructure_encodings[] = {
 	{ U_INT_8,				offsetof(private_proposal_substructure_t, transforms_count)	},
 	/* SPI is a chunk of variable size*/
 	{ SPI,					offsetof(private_proposal_substructure_t, spi)				},
-	/* Transforms are stored in a transform substructure, 
+	/* Transforms are stored in a transform substructure,
 	   offset points to a linked_list_t pointer */
 	{ TRANSFORMS,			offsetof(private_proposal_substructure_t, transforms) 		}
 };
@@ -136,7 +136,7 @@ static status_t verify(private_proposal_substructure_t *this)
 	status_t status = SUCCESS;
 	iterator_t *iterator;
 	payload_t *current_transform;
-	
+
 	if ((this->next_payload != NO_PAYLOAD) && (this->next_payload != 2))
 	{
 		/* must be 0 or 2 */
@@ -178,7 +178,7 @@ static status_t verify(private_proposal_substructure_t *this)
 		DBG1(DBG_ENC, "invalid protocol");
 		return FAILED;
 	}
-	
+
 	iterator = this->transforms->create_iterator(this->transforms,TRUE);
 	while(iterator->iterate(iterator, (void**)&current_transform))
 	{
@@ -190,8 +190,8 @@ static status_t verify(private_proposal_substructure_t *this)
 		}
 	}
 	iterator->destroy(iterator);
-	
-	/* proposal number is checked in SA payload */	
+
+	/* proposal number is checked in SA payload */
 	return status;
 }
 
@@ -236,7 +236,7 @@ static void compute_length(private_proposal_substructure_t *this)
 	payload_t *current_transform;
 	size_t transforms_count = 0;
 	size_t length = PROPOSAL_SUBSTRUCTURE_HEADER_LENGTH;
-	
+
 	iterator = this->transforms->create_iterator(this->transforms,TRUE);
 	while (iterator->iterate(iterator, (void**)&current_transform))
 	{
@@ -244,7 +244,7 @@ static void compute_length(private_proposal_substructure_t *this)
 		transforms_count++;
 	}
 	iterator->destroy(iterator);
-	
+
 	length += this->spi.len;
 	this->transforms_count = transforms_count;
 	this->proposal_length = length;
@@ -282,7 +282,7 @@ static void add_transform_substructure (private_proposal_substructure_t *this,tr
 
 	}
 	transform->set_is_last_transform(transform,TRUE);
-	
+
 	this->transforms->insert_last(this->transforms,(void *) transform);
 	compute_length(this);
 }
@@ -340,7 +340,7 @@ static void set_spi(private_proposal_substructure_t *this, chunk_t spi)
 		this->spi.len = 0;
 		compute_length(this);
 	}
-	
+
 	this->spi.ptr = clalloc(spi.ptr,spi.len);
 	this->spi.len = spi.len;
 	this->spi_size = spi.len;
@@ -355,7 +355,7 @@ static chunk_t get_spi(private_proposal_substructure_t *this)
 	chunk_t spi;
 	spi.ptr = this->spi.ptr;
 	spi.len = this->spi.len;
-	
+
 	return spi;
 }
 
@@ -384,24 +384,24 @@ proposal_t* get_proposal(private_proposal_substructure_t *this)
 	transform_substructure_t *transform;
 	proposal_t *proposal;
 	u_int64_t spi;
-	
+
 	proposal = proposal_create(this->protocol_id);
-	
+
 	iterator = this->transforms->create_iterator(this->transforms, TRUE);
 	while (iterator->iterate(iterator, (void**)&transform))
 	{
 		transform_type_t transform_type;
 		u_int16_t transform_id;
 		u_int16_t key_length = 0;
-		
+
 		transform_type = transform->get_transform_type(transform);
 		transform_id = transform->get_transform_id(transform);
 		transform->get_key_length(transform, &key_length);
-		
+
 		proposal->add_algorithm(proposal, transform_type, transform_id, key_length);
 	}
 	iterator->destroy(iterator);
-	
+
 	switch (this->spi.len)
 	{
 		case 4:
@@ -414,7 +414,7 @@ proposal_t* get_proposal(private_proposal_substructure_t *this)
 			spi = 0;
 	}
 	proposal->set_spi(proposal, spi);
-	
+
 	return proposal;
 }
 
@@ -426,7 +426,7 @@ static private_proposal_substructure_t* clone_(private_proposal_substructure_t *
 	private_proposal_substructure_t *clone;
 	iterator_t *transforms;
 	transform_substructure_t *current_transform;
-	
+
 	clone = (private_proposal_substructure_t *) proposal_substructure_create();
 	clone->next_payload = this->next_payload;
 	clone->proposal_number = this->proposal_number;
@@ -444,8 +444,8 @@ static private_proposal_substructure_t* clone_(private_proposal_substructure_t *
 		current_transform = current_transform->clone(current_transform);
 		clone->public.add_transform_substructure(&clone->public, current_transform);
 	}
-	transforms->destroy(transforms);	
-	
+	transforms->destroy(transforms);
+
 	return clone;
 }
 
@@ -468,16 +468,16 @@ proposal_substructure_t *proposal_substructure_create()
 {
 	private_proposal_substructure_t *this = malloc_thing(private_proposal_substructure_t);
 
-	/* interface functions */	
+	/* interface functions */
 	this->public.payload_interface.verify = (status_t (*) (payload_t *))verify;
 	this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules;
 	this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length;
 	this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type;
-	this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;	
+	this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
 	this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_type;
 	this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
-	
-	
+
+
 	/* public functions */
 	this->public.create_transform_substructure_iterator = (iterator_t* (*) (proposal_substructure_t *,bool)) create_transform_substructure_iterator;
 	this->public.add_transform_substructure = (void (*) (proposal_substructure_t *,transform_substructure_t *)) add_transform_substructure;
@@ -490,10 +490,10 @@ proposal_substructure_t *proposal_substructure_create()
 	this->public.set_spi = (void (*) (proposal_substructure_t *,chunk_t))set_spi;
 	this->public.get_spi = (chunk_t (*) (proposal_substructure_t *)) get_spi;
 	this->public.get_transform_count = (size_t (*) (proposal_substructure_t *)) get_transform_count;
-	this->public.get_spi_size = (size_t (*) (proposal_substructure_t *)) get_spi_size;	
+	this->public.get_spi_size = (size_t (*) (proposal_substructure_t *)) get_spi_size;
 	this->public.clone = (proposal_substructure_t * (*) (proposal_substructure_t *)) clone_;
 	this->public.destroy = (void (*) (proposal_substructure_t *)) destroy;
-	
+
 	/* set default values of the fields */
 	this->next_payload = NO_PAYLOAD;
 	this->proposal_length = 0;
@@ -503,9 +503,9 @@ proposal_substructure_t *proposal_substructure_create()
 	this->spi_size = 0;
 	this->spi.ptr = NULL;
 	this->spi.len = 0;
-	
+
 	this->transforms = linked_list_create();
-	
+
 	return (&(this->public));
 }
 
@@ -518,9 +518,9 @@ proposal_substructure_t *proposal_substructure_create_from_proposal(proposal_t *
 	private_proposal_substructure_t *this;
 	u_int16_t alg, key_size;
 	enumerator_t *enumerator;
-	
+
 	this = (private_proposal_substructure_t*)proposal_substructure_create();
-	
+
 	/* encryption algorithm is only availble in ESP */
 	enumerator = proposal->create_enumerator(proposal, ENCRYPTION_ALGORITHM);
 	while (enumerator->enumerate(enumerator, &alg, &key_size))
@@ -530,7 +530,7 @@ proposal_substructure_t *proposal_substructure_create_from_proposal(proposal_t *
 		add_transform_substructure(this, transform);
 	}
 	enumerator->destroy(enumerator);
-	
+
 	/* integrity algorithms */
 	enumerator = proposal->create_enumerator(proposal, INTEGRITY_ALGORITHM);
 	while (enumerator->enumerate(enumerator, &alg, &key_size))
@@ -540,7 +540,7 @@ proposal_substructure_t *proposal_substructure_create_from_proposal(proposal_t *
 		add_transform_substructure(this, transform);
 	}
 	enumerator->destroy(enumerator);
-	
+
 	/* prf algorithms */
 	enumerator = proposal->create_enumerator(proposal, PSEUDO_RANDOM_FUNCTION);
 	while (enumerator->enumerate(enumerator, &alg, &key_size))
@@ -550,17 +550,17 @@ proposal_substructure_t *proposal_substructure_create_from_proposal(proposal_t *
 		add_transform_substructure(this, transform);
 	}
 	enumerator->destroy(enumerator);
-	
+
 	/* dh groups */
 	enumerator = proposal->create_enumerator(proposal, DIFFIE_HELLMAN_GROUP);
 	while (enumerator->enumerate(enumerator, &alg, NULL))
 	{
-		transform = transform_substructure_create_type(DIFFIE_HELLMAN_GROUP, 
+		transform = transform_substructure_create_type(DIFFIE_HELLMAN_GROUP,
 													   alg, 0);
 		add_transform_substructure(this, transform);
 	}
 	enumerator->destroy(enumerator);
-	
+
 	/* extended sequence numbers */
 	enumerator = proposal->create_enumerator(proposal, EXTENDED_SEQUENCE_NUMBERS);
 	while (enumerator->enumerate(enumerator, &alg, NULL))
@@ -570,7 +570,7 @@ proposal_substructure_t *proposal_substructure_create_from_proposal(proposal_t *
 		add_transform_substructure(this, transform);
 	}
 	enumerator->destroy(enumerator);
-	
+
 	/* add SPI, if necessary */
 	switch (proposal->get_protocol(proposal))
 	{
@@ -593,6 +593,6 @@ proposal_substructure_t *proposal_substructure_create_from_proposal(proposal_t *
 	}
 	this->proposal_number = 0;
 	this->protocol_id = proposal->get_protocol(proposal);
-	
+
 	return &this->public;
 }
diff --git a/src/charon/encoding/payloads/proposal_substructure.h b/src/charon/encoding/payloads/proposal_substructure.h
index 8ccb917d6..4934802af 100644
--- a/src/charon/encoding/payloads/proposal_substructure.h
+++ b/src/charon/encoding/payloads/proposal_substructure.h
@@ -38,7 +38,7 @@ typedef struct proposal_substructure_t proposal_substructure_t;
 
 /**
  * Class representing an IKEv2-PROPOSAL SUBSTRUCTURE.
- * 
+ *
  * The PROPOSAL SUBSTRUCTURE format is described in RFC section 3.3.1.
  */
 struct proposal_substructure_t {
@@ -55,7 +55,7 @@ struct proposal_substructure_t {
 	 */
 	iterator_t *(*create_transform_substructure_iterator) (
 								proposal_substructure_t *this, bool forward);
-	
+
 	/**
 	 * Adds a transform_substructure_t object to this object.
 	 *
@@ -63,7 +63,7 @@ struct proposal_substructure_t {
 	 */
 	void (*add_transform_substructure) (proposal_substructure_t *this,
 										transform_substructure_t *transform);
-	
+
 	/**
 	 * Sets the proposal number of current proposal.
 	 *
@@ -71,24 +71,24 @@ struct proposal_substructure_t {
 	 */
 	void (*set_proposal_number) (proposal_substructure_t *this,
 								 u_int8_t proposal_number);
-	
+
 	/**
 	 * get proposal number of current proposal.
-	 * 
+	 *
 	 * @return 			proposal number of current proposal substructure.
 	 */
 	u_int8_t (*get_proposal_number) (proposal_substructure_t *this);
 
 	/**
 	 * get the number of transforms in current proposal.
-	 * 
+	 *
 	 * @return 			transform count in current proposal
 	 */
 	size_t (*get_transform_count) (proposal_substructure_t *this);
 
 	/**
 	 * get size of the set spi in bytes.
-	 * 
+	 *
 	 * @return 			size of the spi in bytes
 	 */
 	size_t (*get_spi_size) (proposal_substructure_t *this);
@@ -100,43 +100,43 @@ struct proposal_substructure_t {
 	 */
 	void (*set_protocol_id) (proposal_substructure_t *this,
 							 u_int8_t protocol_id);
-	
+
 	/**
 	 * get protocol id of current proposal.
-	 * 
+	 *
 	 * @return 			protocol id of current proposal substructure.
 	 */
 	u_int8_t (*get_protocol_id) (proposal_substructure_t *this);
-	
+
 	/**
 	 * Sets the next_payload field of this substructure
-	 * 
+	 *
 	 * If this is the last proposal, next payload field is set to 0,
 	 * otherwise to 2
 	 *
 	 * @param is_last	When TRUE, next payload field is set to 0, otherwise to 2
 	 */
 	void (*set_is_last_proposal) (proposal_substructure_t *this, bool is_last);
-	
+
 	/**
 	 * Returns the currently set SPI of this proposal.
 	 *
 	 * @return 			chunk_t pointing to the value
 	 */
 	chunk_t (*get_spi) (proposal_substructure_t *this);
-	
+
 	/**
 	 * Sets the SPI of the current proposal.
-	 * 	
+	 *
 	 * @warning SPI is getting copied
-	 * 
+	 *
 	 * @param spi		chunk_t pointing to the value to set
 	 */
 	void (*set_spi) (proposal_substructure_t *this, chunk_t spi);
-	
+
 	/**
 	 * Get a proposal_t from the propsal_substructure_t.
-	 * 
+	 *
 	 * @return			proposal_t
 	 */
 	proposal_t * (*get_proposal) (proposal_substructure_t *this);
@@ -156,7 +156,7 @@ struct proposal_substructure_t {
 
 /**
  * Creates an empty proposal_substructure_t object
- * 
+ *
  * @return proposal_substructure_t object
  */
 proposal_substructure_t *proposal_substructure_create(void);
diff --git a/src/charon/encoding/payloads/sa_payload.c b/src/charon/encoding/payloads/sa_payload.c
index 3ca2f08c8..187a8fee0 100644
--- a/src/charon/encoding/payloads/sa_payload.c
+++ b/src/charon/encoding/payloads/sa_payload.c
@@ -27,14 +27,14 @@ typedef struct private_sa_payload_t private_sa_payload_t;
 
 /**
  * Private data of an sa_payload_t object.
- * 
+ *
  */
 struct private_sa_payload_t {
 	/**
 	 * Public sa_payload_t interface.
 	 */
 	sa_payload_t public;
-	
+
 	/**
 	 * Next payload type.
 	 */
@@ -44,12 +44,12 @@ struct private_sa_payload_t {
 	 * Critical flag.
 	 */
 	bool critical;
-	
+
 	/**
 	 * Length of this payload.
 	 */
 	u_int16_t payload_length;
-	
+
 	/**
 	 * Proposals in this payload are stored in a linked_list_t.
 	 */
@@ -58,27 +58,27 @@ struct private_sa_payload_t {
 
 /**
  * Encoding rules to parse or generate a IKEv2-SA Payload
- * 
- * The defined offsets are the positions in a object of type 
+ *
+ * The defined offsets are the positions in a object of type
  * private_sa_payload_t.
- * 
+ *
  */
 encoding_rule_t sa_payload_encodings[] = {
- 	/* 1 Byte next payload type, stored in the field next_payload */
+	/* 1 Byte next payload type, stored in the field next_payload */
 	{ U_INT_8,		offsetof(private_sa_payload_t, next_payload) 			},
 	/* the critical bit */
-	{ FLAG,			offsetof(private_sa_payload_t, critical) 				},	
- 	/* 7 Bit reserved bits, nowhere stored */
-	{ RESERVED_BIT,	0 														}, 
-	{ RESERVED_BIT,	0 														}, 
-	{ RESERVED_BIT,	0 														}, 
-	{ RESERVED_BIT,	0 														}, 
-	{ RESERVED_BIT,	0 														}, 
-	{ RESERVED_BIT,	0 														}, 
-	{ RESERVED_BIT,	0 														}, 
+	{ FLAG,			offsetof(private_sa_payload_t, critical) 				},
+	/* 7 Bit reserved bits, nowhere stored */
+	{ RESERVED_BIT,	0 														},
+	{ RESERVED_BIT,	0 														},
+	{ RESERVED_BIT,	0 														},
+	{ RESERVED_BIT,	0 														},
+	{ RESERVED_BIT,	0 														},
+	{ RESERVED_BIT,	0 														},
+	{ RESERVED_BIT,	0 														},
 	/* Length of the whole SA payload*/
-	{ PAYLOAD_LENGTH,		offsetof(private_sa_payload_t, payload_length) 	},	
-	/* Proposals are stored in a proposal substructure, 
+	{ PAYLOAD_LENGTH,		offsetof(private_sa_payload_t, payload_length) 	},
+	/* Proposals are stored in a proposal substructure,
 	   offset points to a linked_list_t pointer */
 	{ PROPOSALS,		offsetof(private_sa_payload_t, proposals) 				}
 };
@@ -108,12 +108,12 @@ static status_t verify(private_sa_payload_t *this)
 
 	/* check proposal numbering */
 	iterator = this->proposals->create_iterator(this->proposals,TRUE);
-	
+
 	while(iterator->iterate(iterator, (void**)&current_proposal))
 	{
 		current_number = current_proposal->get_proposal_number(current_proposal);
 		if (current_number < expected_number)
-		{			
+		{
 			if (current_number != (expected_number + 1))
 			{
 				DBG1(DBG_ENC, "proposal number is %d, expected %d or %d",
@@ -129,7 +129,7 @@ static status_t verify(private_sa_payload_t *this)
 			status = FAILED;
 			break;
 		}
-		
+
 		status = current_proposal->payload_interface.verify(&(current_proposal->payload_interface));
 		if (status != SUCCESS)
 		{
@@ -139,7 +139,7 @@ static status_t verify(private_sa_payload_t *this)
 		first = FALSE;
 		expected_number = current_number;
 	}
-	
+
 	iterator->destroy(iterator);
 	return status;
 }
@@ -197,14 +197,14 @@ static void compute_length (private_sa_payload_t *this)
 	iterator_t *iterator;
 	payload_t *current_proposal;
 	size_t length = SA_PAYLOAD_HEADER_LENGTH;
-	
+
 	iterator = this->proposals->create_iterator(this->proposals,TRUE);
 	while (iterator->iterate(iterator, (void **)&current_proposal))
 	{
 		length += current_proposal->get_length(current_proposal);
 	}
 	iterator->destroy(iterator);
-	
+
 	this->payload_length = length;
 }
 
@@ -232,7 +232,7 @@ static void add_proposal_substructure(private_sa_payload_t *this,proposal_substr
 {
 	status_t status;
 	u_int proposal_count = this->proposals->get_count(this->proposals);
-	
+
 	if (proposal_count > 0)
 	{
 		proposal_substructure_t *last_proposal;
@@ -252,7 +252,7 @@ static void add_proposal_substructure(private_sa_payload_t *this,proposal_substr
 static void add_proposal(private_sa_payload_t *this, proposal_t *proposal)
 {
 	proposal_substructure_t *substructure;
-	
+
 	substructure = proposal_substructure_create_from_proposal(proposal);
 	add_proposal_substructure(this, substructure);
 }
@@ -267,10 +267,10 @@ static linked_list_t *get_proposals(private_sa_payload_t *this)
 	iterator_t *iterator;
 	proposal_substructure_t *proposal_struct;
 	linked_list_t *proposal_list;
-	
+
 	/* this list will hold our proposals */
 	proposal_list = linked_list_create();
-	
+
 	/* we do not support proposals split up to two proposal substructures, as
 	 * AH+ESP bundles are not supported in RFC4301 anymore.
 	 * To handle such structures safely, we just skip proposals with multiple
@@ -280,7 +280,7 @@ static linked_list_t *get_proposals(private_sa_payload_t *this)
 	while (iterator->iterate(iterator, (void **)&proposal_struct))
 	{
 		proposal_t *proposal;
-		
+
 		/* check if a proposal has a single protocol */
 		if (proposal_struct->get_proposal_number(proposal_struct) == struct_number)
 		{
@@ -310,7 +310,7 @@ static linked_list_t *get_proposals(private_sa_payload_t *this)
 sa_payload_t *sa_payload_create()
 {
 	private_sa_payload_t *this = malloc_thing(private_sa_payload_t);
-	
+
 	/* public interface */
 	this->public.payload_interface.verify = (status_t (*) (payload_t *))verify;
 	this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules;
@@ -319,14 +319,14 @@ sa_payload_t *sa_payload_create()
 	this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
 	this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_type;
 	this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
-	
+
 	/* public functions */
 	this->public.create_proposal_substructure_iterator = (iterator_t* (*) (sa_payload_t *,bool)) create_proposal_substructure_iterator;
 	this->public.add_proposal_substructure = (void (*) (sa_payload_t *,proposal_substructure_t *)) add_proposal_substructure;
 	this->public.add_proposal = (void (*) (sa_payload_t*,proposal_t*))add_proposal;
 	this->public.get_proposals = (linked_list_t* (*) (sa_payload_t *)) get_proposals;
 	this->public.destroy = (void (*) (sa_payload_t *)) destroy;
-	
+
 	/* set default values of the fields */
 	this->critical = FALSE;
 	this->next_payload = NO_PAYLOAD;
@@ -343,7 +343,7 @@ sa_payload_t *sa_payload_create_from_proposal_list(linked_list_t *proposals)
 	iterator_t *iterator;
 	proposal_t *proposal;
 	sa_payload_t *sa_payload = sa_payload_create();
-	
+
 	/* add every payload from the list */
 	iterator = proposals->create_iterator(proposals, TRUE);
 	while (iterator->iterate(iterator, (void**)&proposal))
@@ -351,7 +351,7 @@ sa_payload_t *sa_payload_create_from_proposal_list(linked_list_t *proposals)
 		add_proposal((private_sa_payload_t*)sa_payload, proposal);
 	}
 	iterator->destroy(iterator);
-	
+
 	return sa_payload;
 }
 
@@ -361,8 +361,8 @@ sa_payload_t *sa_payload_create_from_proposal_list(linked_list_t *proposals)
 sa_payload_t *sa_payload_create_from_proposal(proposal_t *proposal)
 {
 	sa_payload_t *sa_payload = sa_payload_create();
-	
+
 	add_proposal((private_sa_payload_t*)sa_payload, proposal);
-	
+
 	return sa_payload;
 }
diff --git a/src/charon/encoding/payloads/sa_payload.h b/src/charon/encoding/payloads/sa_payload.h
index 58ae72544..25f5a2407 100644
--- a/src/charon/encoding/payloads/sa_payload.h
+++ b/src/charon/encoding/payloads/sa_payload.h
@@ -44,12 +44,12 @@ struct sa_payload_t {
 	 * The payload_t interface.
 	 */
 	payload_t payload_interface;
-	
+
 	/**
 	 * Creates an iterator of stored proposal_substructure_t objects.
-	 * 
-	 * When deleting an proposal using this iterator, 
-	 * the length of this transform substructure has to be refreshed 
+	 *
+	 * When deleting an proposal using this iterator,
+	 * the length of this transform substructure has to be refreshed
 	 * by calling get_length()!
 	 *
 	 * @param forward 		iterator direction (TRUE: front to end)
@@ -57,7 +57,7 @@ struct sa_payload_t {
 	 */
 	iterator_t *(*create_proposal_substructure_iterator) (sa_payload_t *this,
 														  bool forward);
-	
+
 	/**
 	 * Adds a proposal_substructure_t object to this object.
 	 *
@@ -68,18 +68,18 @@ struct sa_payload_t {
 
 	/**
 	 * Gets the proposals in this payload as a list.
-	 * 
+	 *
 	 * @return					a list containing proposal_t s
 	 */
 	linked_list_t *(*get_proposals) (sa_payload_t *this);
-	
+
 	/**
 	 * Add a child proposal (AH/ESP) to the payload.
-	 * 
+	 *
 	 * @param proposal			child proposal to add to the payload
 	 */
 	void (*add_proposal) (sa_payload_t *this, proposal_t *proposal);
-	
+
 	/**
 	 * Destroys an sa_payload_t object.
 	 */
@@ -88,14 +88,14 @@ struct sa_payload_t {
 
 /**
  * Creates an empty sa_payload_t object
- * 
+ *
  * @return					created sa_payload_t object
  */
 sa_payload_t *sa_payload_create(void);
 
 /**
  * Creates a sa_payload_t object from a list of proposals.
- * 
+ *
  * @param proposals			list of proposals to build the payload from
  * @return					sa_payload_t object
  */
@@ -103,10 +103,10 @@ sa_payload_t *sa_payload_create_from_proposal_list(linked_list_t *proposals);
 
 /**
  * Creates a sa_payload_t object from a single proposal.
- * 
+ *
  * This is only for convenience. Use sa_payload_create_from_proposal_list
  * if you want to add more than one proposal.
- * 
+ *
  * @param proposal			proposal from which the payload should be built.
  * @return					sa_payload_t object
  */
diff --git a/src/charon/encoding/payloads/traffic_selector_substructure.c b/src/charon/encoding/payloads/traffic_selector_substructure.c
index 7dcdce6aa..f24857591 100644
--- a/src/charon/encoding/payloads/traffic_selector_substructure.c
+++ b/src/charon/encoding/payloads/traffic_selector_substructure.c
@@ -24,19 +24,19 @@ typedef struct private_traffic_selector_substructure_t private_traffic_selector_
 
 /**
  * Private data of an traffic_selector_substructure_t object.
- * 
+ *
  */
 struct private_traffic_selector_substructure_t {
 	/**
 	 * Public traffic_selector_substructure_t interface.
 	 */
 	traffic_selector_substructure_t public;
-	
+
 	/**
 	 * Type of traffic selector.
 	 */
 	u_int8_t ts_type;
-	
+
 	/**
 	 * IP Protocol ID.
 	 */
@@ -46,7 +46,7 @@ struct private_traffic_selector_substructure_t {
 	 * Length of this payload.
 	 */
 	u_int16_t payload_length;
-	
+
 	/**
 	 * Start port number.
 	 */
@@ -56,7 +56,7 @@ struct private_traffic_selector_substructure_t {
 	 * End port number.
 	 */
 	u_int16_t end_port;
-	
+
 	/**
 	 * Starting address.
 	 */
@@ -70,21 +70,21 @@ struct private_traffic_selector_substructure_t {
 
 /**
  * Encoding rules to parse or generate a TS payload
- * 
- * The defined offsets are the positions in a object of type 
+ *
+ * The defined offsets are the positions in a object of type
  * private_traffic_selector_substructure_t.
- * 
+ *
  */
 encoding_rule_t traffic_selector_substructure_encodings[] = {
- 	/* 1 Byte next ts type*/
+	/* 1 Byte next ts type*/
 	{ TS_TYPE,			offsetof(private_traffic_selector_substructure_t, ts_type) 			},
- 	/* 1 Byte IP protocol id*/
+	/* 1 Byte IP protocol id*/
 	{ U_INT_8,			offsetof(private_traffic_selector_substructure_t, ip_protocol_id) 	},
-	/* Length of the whole payload*/	
+	/* Length of the whole payload*/
 	{ PAYLOAD_LENGTH,	offsetof(private_traffic_selector_substructure_t, payload_length)		},
- 	/* 2 Byte start port*/
+	/* 2 Byte start port*/
 	{ U_INT_16,		offsetof(private_traffic_selector_substructure_t, start_port)			},
- 	/* 2 Byte end port*/
+	/* 2 Byte end port*/
 	{ U_INT_16,		offsetof(private_traffic_selector_substructure_t, end_port)			},
 	/* starting address is either 4 or 16 byte */
 	{ ADDRESS,			offsetof(private_traffic_selector_substructure_t, starting_address)	},
@@ -124,7 +124,7 @@ static status_t verify(private_traffic_selector_substructure_t *this)
 	{
 		case TS_IPV4_ADDR_RANGE:
 		{
-			if ((this->starting_address.len != 4) || 
+			if ((this->starting_address.len != 4) ||
 				(this->ending_address.len != 4))
 			{
 				/* ipv4 address must be 4 bytes long */
@@ -148,7 +148,7 @@ static status_t verify(private_traffic_selector_substructure_t *this)
 			return FAILED;
 		}
 	}
-	
+
 	return SUCCESS;
 }
 
@@ -182,7 +182,7 @@ static payload_type_t get_next_type(private_traffic_selector_substructure_t *thi
  */
 static void set_next_type(private_traffic_selector_substructure_t *this,payload_type_t type)
 {
-	
+
 }
 
 /**
@@ -199,8 +199,8 @@ static size_t get_length(private_traffic_selector_substructure_t *this)
 static traffic_selector_t *get_traffic_selector(private_traffic_selector_substructure_t *this)
 {
 	traffic_selector_t *ts;
-	ts = traffic_selector_create_from_bytes(this->ip_protocol_id, this->ts_type, 
-											this->starting_address, this->start_port, 
+	ts = traffic_selector_create_from_bytes(this->ip_protocol_id, this->ts_type,
+											this->starting_address, this->start_port,
 											this->ending_address, this->end_port);
 	return ts;
 }
@@ -221,7 +221,7 @@ static void destroy(private_traffic_selector_substructure_t *this)
 {
 	free(this->starting_address.ptr);
 	free(this->ending_address.ptr);
-	free(this);	
+	free(this);
 }
 
 /*
@@ -239,11 +239,11 @@ traffic_selector_substructure_t *traffic_selector_substructure_create()
 	this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
 	this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_payload_type;
 	this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
-	
+
 	/* public functions */
 	this->public.get_traffic_selector = (traffic_selector_t* (*)(traffic_selector_substructure_t*))get_traffic_selector;
 	this->public.destroy = (void (*) (traffic_selector_substructure_t *)) destroy;
-	
+
 	/* private variables */
 	this->payload_length = TRAFFIC_SELECTOR_HEADER_LENGTH;
 	this->start_port = 0;
@@ -269,8 +269,8 @@ traffic_selector_substructure_t *traffic_selector_substructure_create_from_traff
 	this->end_port = traffic_selector->get_to_port(traffic_selector);
 	this->starting_address = chunk_clone(traffic_selector->get_from_address(traffic_selector));
 	this->ending_address = chunk_clone(traffic_selector->get_to_address(traffic_selector));
-	
+
 	compute_length(this);
-	
+
 	return &(this->public);
 }
diff --git a/src/charon/encoding/payloads/traffic_selector_substructure.h b/src/charon/encoding/payloads/traffic_selector_substructure.h
index ee3e204a0..0109fd7f5 100644
--- a/src/charon/encoding/payloads/traffic_selector_substructure.h
+++ b/src/charon/encoding/payloads/traffic_selector_substructure.h
@@ -25,9 +25,9 @@
 typedef struct traffic_selector_substructure_t traffic_selector_substructure_t;
 
 #include <library.h>
-#include <encoding/payloads/payload.h>
 #include <utils/host.h>
-#include <config/traffic_selector.h>
+#include <selectors/traffic_selector.h>
+#include <encoding/payloads/payload.h>
 
 /**
  * Length of a TRAFFIC SELECTOR SUBSTRUCTURE without start and end address.
@@ -36,7 +36,7 @@ typedef struct traffic_selector_substructure_t traffic_selector_substructure_t;
 
 /**
  * Class representing an IKEv2 TRAFFIC SELECTOR.
- * 
+ *
  * The TRAFFIC SELECTOR format is described in RFC section 3.13.1.
  */
 struct traffic_selector_substructure_t {
@@ -44,49 +44,49 @@ struct traffic_selector_substructure_t {
 	 * The payload_t interface.
 	 */
 	payload_t payload_interface;
-	
+
 	/**
 	 * Get the type of Traffic selector.
 	 *
 	 * @return			type of traffic selector
-	 *  
+	 *
 	 */
 	ts_type_t (*get_ts_type) (traffic_selector_substructure_t *this);
-	
+
 	/**
 	 * Set the type of Traffic selector.
 	 *
-	 * @param ts_type	type of traffic selector	
+	 * @param ts_type	type of traffic selector
 	 */
 	void (*set_ts_type) (traffic_selector_substructure_t *this,
 						 ts_type_t ts_type);
-	
+
 	/**
 	 * Get the IP protocol ID of Traffic selector.
 	 *
 	 * @return			type of traffic selector
-	 *  
+	 *
 	 */
 	u_int8_t (*get_protocol_id) (traffic_selector_substructure_t *this);
-	
+
 	/**
 	 * Set the IP protocol ID of Traffic selector
 	 *
-	 * @param protocol_id	protocol ID of traffic selector	
+	 * @param protocol_id	protocol ID of traffic selector
 	 */
 	void (*set_protocol_id) (traffic_selector_substructure_t *this,
 							  u_int8_t protocol_id);
-	
+
 	/**
 	 * Get the start port and address as host_t object.
 	 *
 	 * Returned host_t object has to get destroyed by the caller.
-	 * 
+	 *
 	 * @return			start host as host_t object
-	 *  
+	 *
 	 */
 	host_t *(*get_start_host) (traffic_selector_substructure_t *this);
-	
+
 	/**
 	 * Set the start port and address as host_t object.
 	 *
@@ -94,17 +94,17 @@ struct traffic_selector_substructure_t {
 	 */
 	void (*set_start_host) (traffic_selector_substructure_t *this,
 							host_t *start_host);
-	
+
 	/**
 	 * Get the end port and address as host_t object.
 	 *
 	 * Returned host_t object has to get destroyed by the caller.
-	 * 
+	 *
 	 * @return			end host as host_t object
-	 *  
+	 *
 	 */
 	host_t *(*get_end_host) (traffic_selector_substructure_t *this);
-	
+
 	/**
 	 * Set the end port and address as host_t object.
 	 *
@@ -112,17 +112,17 @@ struct traffic_selector_substructure_t {
 	 */
 	void (*set_end_host) (traffic_selector_substructure_t *this,
 						  host_t *end_host);
-	
+
 	/**
 	 * Get a traffic_selector_t from this substructure.
 	 *
 	 * @warning traffic_selector_t must be destroyed after usage.
-	 * 
+	 *
 	 * @return			contained traffic_selector_t
 	 */
 	traffic_selector_t *(*get_traffic_selector) (
 										traffic_selector_substructure_t *this);
-	
+
 	/**
 	 * Destroys an traffic_selector_substructure_t object.
 	 */
@@ -133,7 +133,7 @@ struct traffic_selector_substructure_t {
  * Creates an empty traffic_selector_substructure_t object.
  *
  * TS type is set to default TS_IPV4_ADDR_RANGE!
- *  
+ *
  * @return 					traffic_selector_substructure_t object
  */
 traffic_selector_substructure_t *traffic_selector_substructure_create(void);
@@ -141,7 +141,7 @@ traffic_selector_substructure_t *traffic_selector_substructure_create(void);
 /**
  * Creates an initialized traffif selector substructure using
  * the values from a traffic_selector_t.
- * 
+ *
  * @param traffic_selector	traffic_selector_t to use for initialization
  * @return					traffic_selector_substructure_t object
  */
diff --git a/src/charon/encoding/payloads/transform_attribute.c b/src/charon/encoding/payloads/transform_attribute.c
index 507d04a34..8bf2ddef4 100644
--- a/src/charon/encoding/payloads/transform_attribute.c
+++ b/src/charon/encoding/payloads/transform_attribute.c
@@ -26,32 +26,32 @@ typedef struct private_transform_attribute_t private_transform_attribute_t;
 
 /**
  * Private data of an transform_attribute_t object.
- * 
+ *
  */
 struct private_transform_attribute_t {
 	/**
 	 * Public transform_attribute_t interface.
 	 */
 	transform_attribute_t public;
-	
+
 	/**
 	 * Attribute Format Flag.
-	 * 
+	 *
 	 * - TRUE means value is stored in attribute_length_or_value
 	 * - FALSE means value is stored in attribute_value
 	 */
 	bool attribute_format;
-	
+
 	/**
 	 * Type of the attribute.
 	 */
 	u_int16_t attribute_type;
-	
+
 	/**
 	 * Attribute Length if attribute_format is 0, attribute Value otherwise.
 	 */
 	u_int16_t attribute_length_or_value;
-	
+
 	/**
 	 * Attribute value as chunk if attribute_format is 0 (FALSE).
 	 */
@@ -67,16 +67,16 @@ ENUM_END(transform_attribute_type_name, KEY_LENGTH);
 
 /**
  * Encoding rules to parse or generate a Transform attribute.
- * 
- * The defined offsets are the positions in a object of type 
+ *
+ * The defined offsets are the positions in a object of type
  * private_transform_attribute_t.
- * 
+ *
  */
 encoding_rule_t transform_attribute_encodings[] = {
 	/* Flag defining the format of this payload */
 	{ ATTRIBUTE_FORMAT,			offsetof(private_transform_attribute_t, attribute_format) 			},
 	/* type of the attribute as 15 bit unsigned integer */
-	{ ATTRIBUTE_TYPE,			offsetof(private_transform_attribute_t, attribute_type)				},	
+	{ ATTRIBUTE_TYPE,			offsetof(private_transform_attribute_t, attribute_type)				},
 	/* Length or value, depending on the attribute format flag */
 	{ ATTRIBUTE_LENGTH_OR_VALUE,	offsetof(private_transform_attribute_t, attribute_length_or_value)	},
 	/* Value of attribute if attribute format flag is zero */
@@ -104,7 +104,7 @@ static status_t verify(private_transform_attribute_t *this)
 	{
 		return FAILED;
 	}
-	
+
 	return SUCCESS;
 }
 
@@ -164,16 +164,16 @@ static void set_value_chunk(private_transform_attribute_t *this, chunk_t value)
 		free(this->attribute_value.ptr);
 		this->attribute_value.ptr = NULL;
 		this->attribute_value.len = 0;
-		
+
 	}
-	
+
 	if (value.len > 2)
 	{
 		this->attribute_value.ptr = clalloc(value.ptr,value.len);
 		this->attribute_value.len = value.len;
 		this->attribute_length_or_value = value.len;
 		/* attribute has not a fixed length */
-		this->attribute_format = FALSE;		
+		this->attribute_format = FALSE;
 	}
 	else
 	{
@@ -192,7 +192,7 @@ static void set_value(private_transform_attribute_t *this, u_int16_t value)
 		free(this->attribute_value.ptr);
 		this->attribute_value.ptr = NULL;
 		this->attribute_value.len = 0;
-		
+
 	}
 	this->attribute_length_or_value = value;
 }
@@ -207,14 +207,14 @@ static chunk_t get_value_chunk (private_transform_attribute_t *this)
 	if (this->attribute_format == FALSE)
 	{
 		value.ptr = this->attribute_value.ptr;
-		value.len = this->attribute_value.len;		
+		value.len = this->attribute_value.len;
 	}
 	else
 	{
 		value.ptr = (void *) &(this->attribute_length_or_value);
 		value.len = 2;
 	}
-	
+
 	return value;
 }
 
@@ -249,19 +249,19 @@ static u_int16_t get_attribute_type (private_transform_attribute_t *this)
 static transform_attribute_t * _clone(private_transform_attribute_t *this)
 {
 	private_transform_attribute_t *new_clone;
-	
+
 	new_clone = (private_transform_attribute_t *) transform_attribute_create();
-	
+
 	new_clone->attribute_format = this->attribute_format;
 	new_clone->attribute_type = this->attribute_type;
 	new_clone->attribute_length_or_value = this->attribute_length_or_value;
-	
+
 	if (!new_clone->attribute_format)
 	{
-		new_clone->attribute_value.ptr = clalloc(this->attribute_value.ptr,this->attribute_value.len);		
+		new_clone->attribute_value.ptr = clalloc(this->attribute_value.ptr,this->attribute_value.len);
 		new_clone->attribute_value.len = this->attribute_value.len;
 	}
-	
+
 	return (transform_attribute_t *) new_clone;
 }
 
@@ -273,7 +273,7 @@ static void destroy(private_transform_attribute_t *this)
 	if (this->attribute_value.ptr != NULL)
 	{
 		free(this->attribute_value.ptr);
-	}	
+	}
 	free(this);
 }
 
@@ -292,7 +292,7 @@ transform_attribute_t *transform_attribute_create()
 	this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
 	this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_type;
 	this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
-	
+
 	/* public functions */
 	this->public.set_value_chunk = (void (*) (transform_attribute_t *,chunk_t)) set_value_chunk;
 	this->public.set_value = (void (*) (transform_attribute_t *,u_int16_t)) set_value;
@@ -302,7 +302,7 @@ transform_attribute_t *transform_attribute_create()
 	this->public.get_attribute_type = (u_int16_t (*) (transform_attribute_t *)) get_attribute_type;
 	this->public.clone = (transform_attribute_t * (*) (transform_attribute_t *)) _clone;
 	this->public.destroy = (void (*) (transform_attribute_t *)) destroy;
-	
+
 	/* set default values of the fields */
 	this->attribute_format = TRUE;
 	this->attribute_type = 0;
diff --git a/src/charon/encoding/payloads/transform_attribute.h b/src/charon/encoding/payloads/transform_attribute.h
index f7d71a9df..a5fe0154b 100644
--- a/src/charon/encoding/payloads/transform_attribute.h
+++ b/src/charon/encoding/payloads/transform_attribute.h
@@ -37,14 +37,14 @@ enum transform_attribute_type_t {
 	KEY_LENGTH = 14
 };
 
-/** 
+/**
  * enum name for transform_attribute_type_t.
  */
 extern enum_name_t *transform_attribute_type_names;
 
 /**
  * Class representing an IKEv2- TRANSFORM Attribute.
- * 
+ *
  * The TRANSFORM ATTRIBUTE format is described in RFC section 3.3.5.
  */
 struct transform_attribute_t {
@@ -55,52 +55,52 @@ struct transform_attribute_t {
 
 	/**
 	 * Returns the currently set value of the attribute.
-	 * 	
+	 *
 	 * Returned data are not copied.
-	 * 
+	 *
 	 * @return 		chunk_t pointing to the value
 	 */
 	chunk_t (*get_value_chunk) (transform_attribute_t *this);
-	
+
 	/**
 	 * Returns the currently set value of the attribute.
-	 * 	
+	 *
 	 * Returned data are not copied.
-	 * 
+	 *
 	 * @return 		value
 	 */
 	u_int16_t (*get_value) (transform_attribute_t *this);
-	
+
 	/**
 	 * Sets the value of the attribute.
-	 * 	
+	 *
 	 * Value is getting copied.
-	 * 
+	 *
 	 * @param value chunk_t pointing to the value to set
 	 */
 	void (*set_value_chunk) (transform_attribute_t *this, chunk_t value);
 
 	/**
 	 * Sets the value of the attribute.
-	 * 
+	 *
 	 * @param value value to set
 	 */
 	void (*set_value) (transform_attribute_t *this, u_int16_t value);
 
 	/**
 	 * Sets the type of the attribute.
-	 * 	
+	 *
 	 * @param type	type to set (most significant bit is set to zero)
 	 */
 	void (*set_attribute_type) (transform_attribute_t *this, u_int16_t type);
-	
+
 	/**
 	 * get the type of the attribute.
-	 * 	
+	 *
 	 * @return 		type of the value
 	 */
 	u_int16_t (*get_attribute_type) (transform_attribute_t *this);
-	
+
 	/**
 	 * Clones an transform_attribute_t object.
 	 *
@@ -116,14 +116,14 @@ struct transform_attribute_t {
 
 /**
  * Creates an empty transform_attribute_t object.
- * 
+ *
  * @return				transform_attribute_t object
  */
 transform_attribute_t *transform_attribute_create(void);
 
 /**
  * Creates an transform_attribute_t of type KEY_LENGTH.
- * 
+ *
  * @param key_length	key length in bytes
  * @return				transform_attribute_t object
  */
diff --git a/src/charon/encoding/payloads/transform_substructure.c b/src/charon/encoding/payloads/transform_substructure.c
index 497bd53b2..c94f6c1a2 100644
--- a/src/charon/encoding/payloads/transform_substructure.c
+++ b/src/charon/encoding/payloads/transform_substructure.c
@@ -29,37 +29,37 @@ typedef struct private_transform_substructure_t private_transform_substructure_t
 
 /**
  * Private data of an transform_substructure_t object.
- * 
+ *
  */
 struct private_transform_substructure_t {
 	/**
 	 * Public transform_substructure_t interface.
 	 */
 	transform_substructure_t public;
-	
+
 	/**
 	 * Next payload type.
 	 */
 	u_int8_t  next_payload;
 
-	
+
 	/**
 	 * Length of this payload.
 	 */
 	u_int16_t transform_length;
-	
-	
+
+
 	/**
 	 * Type of the transform.
 	 */
 	u_int8_t transform_type;
-	
+
 	/**
 	 * Transform ID.
 	 */
 	u_int16_t transform_id;
-	
- 	/**
+
+	/**
 	 * Transforms Attributes are stored in a linked_list_t.
 	 */
 	linked_list_t *attributes;
@@ -68,25 +68,25 @@ struct private_transform_substructure_t {
 
 /**
  * Encoding rules to parse or generate a Transform substructure.
- * 
- * The defined offsets are the positions in a object of type 
+ *
+ * The defined offsets are the positions in a object of type
  * private_transform_substructure_t.
- * 
+ *
  */
 encoding_rule_t transform_substructure_encodings[] = {
- 	/* 1 Byte next payload type, stored in the field next_payload */
+	/* 1 Byte next payload type, stored in the field next_payload */
 	{ U_INT_8,			offsetof(private_transform_substructure_t, next_payload) 		},
 	/* Reserved Byte is skipped */
-	{ RESERVED_BYTE,		0																},	
+	{ RESERVED_BYTE,		0																},
 	/* Length of the whole transform substructure*/
-	{ PAYLOAD_LENGTH,		offsetof(private_transform_substructure_t, transform_length)	},	
+	{ PAYLOAD_LENGTH,		offsetof(private_transform_substructure_t, transform_length)	},
 	/* transform type is a number of 8 bit */
-	{ U_INT_8,				offsetof(private_transform_substructure_t, transform_type) 	},	
+	{ U_INT_8,				offsetof(private_transform_substructure_t, transform_type) 	},
 	/* Reserved Byte is skipped */
-	{ RESERVED_BYTE,		0																},	
+	{ RESERVED_BYTE,		0																},
 	/* tranform ID is a number of 8 bit */
-	{ U_INT_16,				offsetof(private_transform_substructure_t, transform_id)		},	
-	/* Attributes are stored in a transform attribute, 
+	{ U_INT_16,				offsetof(private_transform_substructure_t, transform_id)		},
+	/* Attributes are stored in a transform attribute,
 	   offset points to a linked_list_t pointer */
 	{ TRANSFORM_ATTRIBUTES,	offsetof(private_transform_substructure_t, attributes) 		}
 };
@@ -114,7 +114,7 @@ static status_t verify(private_transform_substructure_t *this)
 	status_t status = SUCCESS;
 	iterator_t *iterator;
 	payload_t *current_attributes;
-	
+
 	if ((this->next_payload != NO_PAYLOAD) && (this->next_payload != 3))
 	{
 		/* must be 0 or 3 */
@@ -139,7 +139,7 @@ static status_t verify(private_transform_substructure_t *this)
 		}
 	}
 	iterator = this->attributes->create_iterator(this->attributes,TRUE);
-	
+
 	while(iterator->iterate(iterator, (void**)&current_attributes))
 	{
 		status = current_attributes->verify(current_attributes);
@@ -149,8 +149,8 @@ static status_t verify(private_transform_substructure_t *this)
 		}
 	}
 	iterator->destroy(iterator);
-	
-	/* proposal number is checked in SA payload */	
+
+	/* proposal number is checked in SA payload */
 	return status;
 }
 
@@ -187,14 +187,14 @@ static void compute_length (private_transform_substructure_t *this)
 	iterator_t *iterator;
 	payload_t *current_attribute;
 	size_t length = TRANSFORM_SUBSTRUCTURE_HEADER_LENGTH;
-	
+
 	iterator = this->attributes->create_iterator(this->attributes,TRUE);
 	while (iterator->iterate(iterator, (void**)&current_attribute))
 	{
 		length += current_attribute->get_length(current_attribute);
 	}
 	iterator->destroy(iterator);
-	
+
 	this->transform_length = length;
 }
 
@@ -254,7 +254,7 @@ static void set_transform_type (private_transform_substructure_t *this,u_int8_t
 {
 	this->transform_type = type;
 }
-	
+
 /**
  * Implementation of transform_substructure_t.get_transform_type.
  */
@@ -270,7 +270,7 @@ static void set_transform_id (private_transform_substructure_t *this,u_int16_t i
 {
 	this->transform_id = id;
 }
-	
+
 /**
  * Implementation of transform_substructure_t.get_transform_id.
  */
@@ -287,20 +287,20 @@ static transform_substructure_t *clone_(private_transform_substructure_t *this)
 	private_transform_substructure_t *clone;
 	iterator_t *attributes;
 	transform_attribute_t *current_attribute;
-	
+
 	clone = (private_transform_substructure_t *) transform_substructure_create();
 	clone->next_payload = this->next_payload;
 	clone->transform_type = this->transform_type;
 	clone->transform_id = this->transform_id;
-	
+
 	attributes = this->attributes->create_iterator(this->attributes, FALSE);
 	while (attributes->iterate(attributes, (void**)&current_attribute))
 	{
 		current_attribute = current_attribute->clone(current_attribute);
 		clone->public.add_transform_attribute(&clone->public, current_attribute);
 	}
-	attributes->destroy(attributes);	
-	
+	attributes->destroy(attributes);
+
 	return &clone->public;
 }
 
@@ -312,14 +312,14 @@ static status_t get_key_length(private_transform_substructure_t *this, u_int16_t
 {
 	iterator_t *attributes;
 	transform_attribute_t *current_attribute;
-	
+
 	attributes = this->attributes->create_iterator(this->attributes, TRUE);
 	while (attributes->iterate(attributes, (void**)&current_attribute))
 	{
 		if (current_attribute->get_attribute_type(current_attribute) == KEY_LENGTH)
 		{
 			*key_length = current_attribute->get_value(current_attribute);
-			attributes->destroy(attributes);	
+			attributes->destroy(attributes);
 			return SUCCESS;
 		}
 	}
@@ -350,10 +350,10 @@ transform_substructure_t *transform_substructure_create()
 	this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules;
 	this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length;
 	this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type;
-	this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;	
+	this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
 	this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_type;
 	this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
-	
+
 	/* public functions */
 	this->public.create_transform_attribute_iterator = (iterator_t * (*) (transform_substructure_t *,bool)) create_transform_attribute_iterator;
 	this->public.add_transform_attribute = (void (*) (transform_substructure_t *,transform_attribute_t *)) add_transform_attribute;
@@ -366,14 +366,14 @@ transform_substructure_t *transform_substructure_create()
 	this->public.get_key_length = (status_t (*) (transform_substructure_t *,u_int16_t *)) get_key_length;
 	this->public.clone = (transform_substructure_t* (*) (transform_substructure_t *)) clone_;
 	this->public.destroy = (void (*) (transform_substructure_t *)) destroy;
-	
+
 	/* set default values of the fields */
 	this->next_payload = NO_PAYLOAD;
 	this->transform_length = TRANSFORM_SUBSTRUCTURE_HEADER_LENGTH;
 	this->transform_id = 0;
 	this->transform_type = 0;
 	this->attributes = linked_list_create();
-	
+
 	return (&(this->public));
 }
 
@@ -385,17 +385,17 @@ transform_substructure_t *transform_substructure_create_type(
 								u_int16_t transform_id, u_int16_t key_length)
 {
 	transform_substructure_t *transform = transform_substructure_create();
-	
+
 	transform->set_transform_type(transform,transform_type);
 	transform->set_transform_id(transform,transform_id);
-	
+
 	if (key_length)
 	{
 		transform_attribute_t *attribute;
-		
+
 		attribute = transform_attribute_create_key_length(key_length);
 		transform->add_transform_attribute(transform, attribute);
-	
+
 	}
 	return transform;
 }
diff --git a/src/charon/encoding/payloads/transform_substructure.h b/src/charon/encoding/payloads/transform_substructure.h
index b02a94a6c..5d31f8c0a 100644
--- a/src/charon/encoding/payloads/transform_substructure.h
+++ b/src/charon/encoding/payloads/transform_substructure.h
@@ -48,7 +48,7 @@ typedef struct transform_substructure_t transform_substructure_t;
 
 /**
  * Class representing an IKEv2- TRANSFORM SUBSTRUCTURE.
- * 
+ *
  * The TRANSFORM SUBSTRUCTURE format is described in RFC section 3.3.2.
  */
 struct transform_substructure_t {
@@ -56,12 +56,12 @@ struct transform_substructure_t {
 	 * The payload_t interface.
 	 */
 	payload_t payload_interface;
-	
+
 	/**
 	 * Creates an iterator of stored transform_attribute_t objects.
-	 * 
-	 * When deleting an transform attribute using this iterator, 
-	 * the length of this transform substructure has to be refreshed 
+	 *
+	 * When deleting an transform attribute using this iterator,
+	 * the length of this transform substructure has to be refreshed
 	 * by calling get_length().
 	 *
 	 * @param forward 		iterator direction (TRUE: front to end)
@@ -69,7 +69,7 @@ struct transform_substructure_t {
 	 */
 	iterator_t * (*create_transform_attribute_iterator) (
 								transform_substructure_t *this, bool forward);
-	
+
 	/**
 	 * Adds a transform_attribute_t object to this object.
 	 *
@@ -77,59 +77,59 @@ struct transform_substructure_t {
 	 */
 	void (*add_transform_attribute) (transform_substructure_t *this,
 									 transform_attribute_t *attribute);
-	
+
 	/**
 	 * Sets the next_payload field of this substructure
-	 * 
+	 *
 	 * If this is the last transform, next payload field is set to 0,
 	 * otherwise to 3
 	 *
 	 * @param is_last	When TRUE, next payload field is set to 0, otherwise to 3
 	 */
 	void (*set_is_last_transform) (transform_substructure_t *this, bool is_last);
-	
+
 	/**
 	 * Checks if this is the last transform.
-	 * 
+	 *
 	 * @return 			TRUE if this is the last Transform, FALSE otherwise
 	 */
 	bool (*get_is_last_transform) (transform_substructure_t *this);
-	
+
 	/**
 	 * Sets transform type of the current transform substructure.
 	 *
 	 * @param type		type value to set
 	 */
 	void (*set_transform_type) (transform_substructure_t *this, u_int8_t type);
-	
+
 	/**
 	 * get transform type of the current transform.
-	 * 
+	 *
 	 * @return 			Transform type of current transform substructure.
 	 */
 	u_int8_t (*get_transform_type) (transform_substructure_t *this);
-	
+
 	/**
 	 * Sets transform id of the current transform substructure.
 	 *
 	 * @param id		transform id to set
 	 */
 	void (*set_transform_id) (transform_substructure_t *this, u_int16_t id);
-	
+
 	/**
 	 * get transform id of the current transform.
-	 * 
+	 *
 	 * @return 			Transform id of current transform substructure.
 	 */
 	u_int16_t (*get_transform_id) (transform_substructure_t *this);
-	
+
 	/**
 	 * get transform id of the current transform.
-	 * 
-	 * @param key_length	The key length is written to this location	
-	 * @return 			
+	 *
+	 * @param key_length	The key length is written to this location
+	 * @return
 	 * 						- SUCCESS if a key length attribute is contained
-	 * 						- FAILED if no key length attribute is part of this 
+	 * 						- FAILED if no key length attribute is part of this
 	 * 						  transform or key length uses more then 16 bit!
 	 */
 	status_t (*get_key_length) (transform_substructure_t *this,
@@ -150,18 +150,18 @@ struct transform_substructure_t {
 
 /**
  * Creates an empty transform_substructure_t object.
- * 
+ *
  * @return			created transform_substructure_t object
  */
 transform_substructure_t *transform_substructure_create(void);
 
 /**
  * Creates an empty transform_substructure_t object.
- * 
+ *
  * The key length is used for the transport types ENCRYPTION_ALGORITHM,
- * PSEUDO_RANDOM_FUNCTION, INTEGRITY_ALGORITHM. For all 
+ * PSEUDO_RANDOM_FUNCTION, INTEGRITY_ALGORITHM. For all
  * other transport types the key_length parameter is not used
- * 
+ *
  * @param transform_type	type of transform to create
  * @param transform_id		transform id specifying the specific algorithm of a transform type
  * @param key_length		Key length for key lenght attribute
diff --git a/src/charon/encoding/payloads/ts_payload.c b/src/charon/encoding/payloads/ts_payload.c
index 92ddc380f..6bf3e4293 100644
--- a/src/charon/encoding/payloads/ts_payload.c
+++ b/src/charon/encoding/payloads/ts_payload.c
@@ -25,19 +25,19 @@ typedef struct private_ts_payload_t private_ts_payload_t;
 
 /**
  * Private data of an ts_payload_t object.
- * 
+ *
  */
 struct private_ts_payload_t {
 	/**
 	 * Public ts_payload_t interface.
 	 */
 	ts_payload_t public;
-	
+
 	/**
 	 * TRUE if this TS payload is of type TSi, FALSE for TSr.
 	 */
 	bool is_initiator;
-	
+
 	/**
 	 * Next payload type.
 	 */
@@ -47,17 +47,17 @@ struct private_ts_payload_t {
 	 * Critical flag.
 	 */
 	bool critical;
-	
+
 	/**
 	 * Length of this payload.
 	 */
 	u_int16_t payload_length;
-	
+
 	/**
 	 * Number of traffic selectors
 	 */
 	u_int8_t number_of_traffic_selectors;
-	
+
 	/**
 	 * Contains the traffic selectors of type traffic_selector_substructure_t.
 	 */
@@ -66,17 +66,17 @@ struct private_ts_payload_t {
 
 /**
  * Encoding rules to parse or generate a TS payload
- * 
- * The defined offsets are the positions in a object of type 
+ *
+ * The defined offsets are the positions in a object of type
  * private_ts_payload_t.
- * 
+ *
  */
 encoding_rule_t ts_payload_encodings[] = {
- 	/* 1 Byte next payload type, stored in the field next_payload */
+	/* 1 Byte next payload type, stored in the field next_payload */
 	{ U_INT_8,			offsetof(private_ts_payload_t, next_payload) 				},
 	/* the critical bit */
 	{ FLAG,				offsetof(private_ts_payload_t, critical) 					},
- 	/* 7 Bit reserved bits, nowhere stored */
+	/* 7 Bit reserved bits, nowhere stored */
 	{ RESERVED_BIT,	0 																},
 	{ RESERVED_BIT,	0 																},
 	{ RESERVED_BIT,	0 																},
@@ -84,9 +84,9 @@ encoding_rule_t ts_payload_encodings[] = {
 	{ RESERVED_BIT,	0 																},
 	{ RESERVED_BIT,	0 																},
 	{ RESERVED_BIT,	0 																},
-	/* Length of the whole payload*/	
+	/* Length of the whole payload*/
 	{ PAYLOAD_LENGTH,	offsetof(private_ts_payload_t, payload_length)},
- 	/* 1 Byte TS type*/
+	/* 1 Byte TS type*/
 	{ U_INT_8,			offsetof(private_ts_payload_t, number_of_traffic_selectors)	},
 	/* 3 reserved bytes */
 	{ RESERVED_BYTE,	0 															},
@@ -118,13 +118,13 @@ static status_t verify(private_ts_payload_t *this)
 	iterator_t *iterator;
 	payload_t *current_traffic_selector;
 	status_t status = SUCCESS;
-	
+
 	if (this->number_of_traffic_selectors != (this->traffic_selectors->get_count(this->traffic_selectors)))
 	{
 		/* must be the same */
 		return FAILED;
 	}
-	
+
 	iterator = this->traffic_selectors->create_iterator(this->traffic_selectors,TRUE);
 	while(iterator->iterate(iterator, (void**)&current_traffic_selector))
 	{
@@ -135,7 +135,7 @@ static status_t verify(private_ts_payload_t *this)
 		}
 	}
 	iterator->destroy(iterator);
-	
+
 	return status;
 }
 
@@ -188,7 +188,7 @@ static void compute_length (private_ts_payload_t *this)
 	size_t ts_count = 0;
 	size_t length = TS_PAYLOAD_HEADER_LENGTH;
 	payload_t *current_traffic_selector;
-	
+
 	iterator = this->traffic_selectors->create_iterator(this->traffic_selectors,TRUE);
 	while (iterator->iterate(iterator, (void**)&current_traffic_selector))
 	{
@@ -196,9 +196,9 @@ static void compute_length (private_ts_payload_t *this)
 		ts_count++;
 	}
 	iterator->destroy(iterator);
-	
+
 	this->number_of_traffic_selectors= ts_count;
-	this->payload_length = length;	
+	this->payload_length = length;
 }
 
 /**
@@ -252,7 +252,7 @@ static linked_list_t *get_traffic_selectors(private_ts_payload_t *this)
 	iterator_t *iterator;
 	traffic_selector_substructure_t *ts_substructure;
 	linked_list_t *ts_list = linked_list_create();
-	
+
 	iterator = this->traffic_selectors->create_iterator(this->traffic_selectors, TRUE);
 	while (iterator->iterate(iterator, (void**)&ts_substructure))
 	{
@@ -260,7 +260,7 @@ static linked_list_t *get_traffic_selectors(private_ts_payload_t *this)
 		ts_list->insert_last(ts_list, (void*)ts);
 	}
 	iterator->destroy(iterator);
-	
+
 	return ts_list;
 }
 
@@ -289,7 +289,7 @@ ts_payload_t *ts_payload_create(bool is_initiator)
 	this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
 	this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_payload_type;
 	this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
-	
+
 	/* public functions */
 	this->public.destroy = (void (*) (ts_payload_t *)) destroy;
 	this->public.get_initiator = (bool (*) (ts_payload_t *)) get_initiator;
@@ -297,14 +297,14 @@ ts_payload_t *ts_payload_create(bool is_initiator)
 	this->public.add_traffic_selector_substructure = (void (*) (ts_payload_t *,traffic_selector_substructure_t *)) add_traffic_selector_substructure;
 	this->public.create_traffic_selector_substructure_iterator = (iterator_t* (*) (ts_payload_t *,bool)) create_traffic_selector_substructure_iterator;
 	this->public.get_traffic_selectors = (linked_list_t *(*) (ts_payload_t *)) get_traffic_selectors;
-	
+
 	/* private variables */
 	this->critical = FALSE;
 	this->next_payload = NO_PAYLOAD;
 	this->payload_length =TS_PAYLOAD_HEADER_LENGTH;
 	this->is_initiator = is_initiator;
 	this->number_of_traffic_selectors = 0;
-	this->traffic_selectors = linked_list_create();  
+	this->traffic_selectors = linked_list_create();
 
 	return &(this->public);
 }
@@ -318,9 +318,9 @@ ts_payload_t *ts_payload_create_from_traffic_selectors(bool is_initiator, linked
 	traffic_selector_t *ts;
 	traffic_selector_substructure_t *ts_substructure;
 	private_ts_payload_t *this;
-	
+
 	this = (private_ts_payload_t*)ts_payload_create(is_initiator);
-	
+
 	iterator = traffic_selectors->create_iterator(traffic_selectors, TRUE);
 	while (iterator->iterate(iterator, (void**)&ts))
 	{
@@ -328,7 +328,7 @@ ts_payload_t *ts_payload_create_from_traffic_selectors(bool is_initiator, linked
 		this->public.add_traffic_selector_substructure(&(this->public), ts_substructure);
 	}
 	iterator->destroy(iterator);
-	
+
 	return &(this->public);
 }
 
diff --git a/src/charon/encoding/payloads/ts_payload.h b/src/charon/encoding/payloads/ts_payload.h
index 3c8a6d595..d322ff1a8 100644
--- a/src/charon/encoding/payloads/ts_payload.h
+++ b/src/charon/encoding/payloads/ts_payload.h
@@ -27,7 +27,7 @@ typedef struct ts_payload_t ts_payload_t;
 
 #include <library.h>
 #include <utils/linked_list.h>
-#include <config/traffic_selector.h>
+#include <selectors/traffic_selector.h>
 #include <encoding/payloads/payload.h>
 #include <encoding/payloads/traffic_selector_substructure.h>
 
@@ -47,7 +47,7 @@ struct ts_payload_t {
 	 * The payload_t interface.
 	 */
 	payload_t payload_interface;
-	
+
 	/**
 	 * Get the type of TSpayload (TSi or TSr).
 	 *
@@ -56,16 +56,16 @@ struct ts_payload_t {
 	 * 						- FALSE if this payload is of type TSr
 	 */
 	bool (*get_initiator) (ts_payload_t *this);
-	
+
 	/**
 	 * Set the type of TS payload (TSi or TSr).
 	 *
-	 * @param is_initiator	
+	 * @param is_initiator
 	 * 						- TRUE if this payload is of type TSi
 	 * 						- FALSE if this payload is of type TSr
 	 */
 	void (*set_initiator) (ts_payload_t *this,bool is_initiator);
-	
+
 	/**
 	 * Adds a traffic_selector_substructure_t object to this object.
 	 *
@@ -73,12 +73,12 @@ struct ts_payload_t {
 	 */
 	void (*add_traffic_selector_substructure) (ts_payload_t *this,
 							traffic_selector_substructure_t *traffic_selector);
-	
+
 	/**
 	 * Creates an iterator of stored traffic_selector_substructure_t objects.
-	 * 
-	 * When removing an traffic_selector_substructure_t object 
-	 * using this iterator, the length of this payload 
+	 *
+	 * When removing an traffic_selector_substructure_t object
+	 * using this iterator, the length of this payload
 	 * has to get refreshed by calling payload_t.get_length!
 	 *
 	 * @param forward 		iterator direction (TRUE: front to end)
@@ -86,10 +86,10 @@ struct ts_payload_t {
 	 */
 	iterator_t *(*create_traffic_selector_substructure_iterator) (
 											ts_payload_t *this, bool forward);
-	
+
 	/**
 	 * Get a list of nested traffic selectors as traffic_selector_t.
-	 * 
+	 *
 	 * Resulting list and its traffic selectors must be destroyed after usage
 	 *
 	 * @return				list of traffic selectors
@@ -104,8 +104,8 @@ struct ts_payload_t {
 
 /**
  * Creates an empty ts_payload_t object.
- * 
- * @param is_initiator	
+ *
+ * @param is_initiator
  * 						- TRUE if this payload is of type TSi
  * 						- FALSE if this payload is of type TSr
  * @return				ts_payload_t object
@@ -114,14 +114,14 @@ ts_payload_t *ts_payload_create(bool is_initiator);
 
 /**
  * Creates ts_payload with a list of traffic_selector_t
- * 
- * @param is_initiator	
+ *
+ * @param is_initiator
  * 							- TRUE if this payload is of type TSi
  * 							- FALSE if this payload is of type TSr
  * @param traffic_selectors	list of traffic selectors to include
  * @return					ts_payload_t object
  */
-ts_payload_t *ts_payload_create_from_traffic_selectors(bool is_initiator, 
+ts_payload_t *ts_payload_create_from_traffic_selectors(bool is_initiator,
 											linked_list_t *traffic_selectors);
 
 #endif /** TS_PAYLOAD_H_ @}*/
diff --git a/src/charon/encoding/payloads/unknown_payload.c b/src/charon/encoding/payloads/unknown_payload.c
index 309663233..dd5547dc3 100644
--- a/src/charon/encoding/payloads/unknown_payload.c
+++ b/src/charon/encoding/payloads/unknown_payload.c
@@ -26,12 +26,12 @@ typedef struct private_unknown_payload_t private_unknown_payload_t;
  * Private data of an unknown_payload_t object.
  */
 struct private_unknown_payload_t {
-	
+
 	/**
 	 * Public unknown_payload_t interface.
 	 */
 	unknown_payload_t public;
-	
+
 	/**
 	 * Next payload type.
 	 */
@@ -41,12 +41,12 @@ struct private_unknown_payload_t {
 	 * Critical flag.
 	 */
 	bool critical;
-	
+
 	/**
 	 * Length of this payload.
 	 */
 	u_int16_t payload_length;
-	
+
 	/**
 	 * The contained data.
 	 */
@@ -55,17 +55,17 @@ struct private_unknown_payload_t {
 
 /**
  * Encoding rules to parse an payload which is not further specified.
- * 
- * The defined offsets are the positions in a object of type 
+ *
+ * The defined offsets are the positions in a object of type
  * private_unknown_payload_t.
- * 
+ *
  */
 encoding_rule_t unknown_payload_encodings[] = {
- 	/* 1 Byte next payload type, stored in the field next_payload */
+	/* 1 Byte next payload type, stored in the field next_payload */
 	{ U_INT_8,			offsetof(private_unknown_payload_t, next_payload)},
 	/* the critical bit */
 	{ FLAG,				offsetof(private_unknown_payload_t, critical) 	},
- 	/* 7 Bit reserved bits, nowhere stored */
+	/* 7 Bit reserved bits, nowhere stored */
 	{ RESERVED_BIT,	0 													},
 	{ RESERVED_BIT,	0 													},
 	{ RESERVED_BIT,	0 													},
@@ -146,7 +146,7 @@ static size_t get_length(private_unknown_payload_t *this)
  */
 static bool is_critical(private_unknown_payload_t *this)
 {
-	return this->critical;	
+	return this->critical;
 }
 
 /**
@@ -166,8 +166,8 @@ static void destroy(private_unknown_payload_t *this)
 	{
 		chunk_free(&(this->data));
 	}
-	
-	free(this);	
+
+	free(this);
 }
 
 /*
@@ -185,12 +185,12 @@ unknown_payload_t *unknown_payload_create()
 	this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
 	this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_payload_type;
 	this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
-	
+
 	/* public functions */
 	this->public.destroy = (void (*) (unknown_payload_t *)) destroy;
 	this->public.is_critical = (bool (*) (unknown_payload_t *)) is_critical;
 	this->public.get_data = (chunk_t (*) (unknown_payload_t *)) get_data;
-	
+
 	/* private variables */
 	this->critical = FALSE;
 	this->next_payload = NO_PAYLOAD;
diff --git a/src/charon/encoding/payloads/unknown_payload.h b/src/charon/encoding/payloads/unknown_payload.h
index 44b6e1a71..c761ed2b6 100644
--- a/src/charon/encoding/payloads/unknown_payload.h
+++ b/src/charon/encoding/payloads/unknown_payload.h
@@ -40,29 +40,29 @@ typedef struct unknown_payload_t unknown_payload_t;
  * a check for the critical bit in the header.
  */
 struct unknown_payload_t {
-	
+
 	/**
 	 * The payload_t interface.
 	 */
 	payload_t payload_interface;
-	
+
 	/**
-	 * Get the raw data of this payload, without 
+	 * Get the raw data of this payload, without
 	 * the generic payload header.
-	 * 
+	 *
 	 * Returned data are NOT copied and must not be freed.
 	 *
 	 * @return				data as chunk_t
 	 */
 	chunk_t (*get_data) (unknown_payload_t *this);
-	
+
 	/**
 	 * Get the critical flag.
 	 *
 	 * @return				TRUE if payload is critical, FALSE if not
 	 */
 	bool (*is_critical) (unknown_payload_t *this);
-	
+
 	/**
 	 * Destroys an unknown_payload_t object.
 	 */
@@ -71,7 +71,7 @@ struct unknown_payload_t {
 
 /**
  * Creates an empty unknown_payload_t object.
- * 
+ *
  * @return unknown_payload_t object
  */
 unknown_payload_t *unknown_payload_create(void);
diff --git a/src/charon/encoding/payloads/vendor_id_payload.c b/src/charon/encoding/payloads/vendor_id_payload.c
index 52d9e12a5..bf33d2418 100644
--- a/src/charon/encoding/payloads/vendor_id_payload.c
+++ b/src/charon/encoding/payloads/vendor_id_payload.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005-2009 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
  *
@@ -18,19 +18,18 @@
 
 #include "vendor_id_payload.h"
 
-
 typedef struct private_vendor_id_payload_t private_vendor_id_payload_t;
 
 /**
  * Private data of an vendor_id_payload_t object.
- * 
  */
 struct private_vendor_id_payload_t {
+
 	/**
 	 * Public vendor_id_payload_t interface.
 	 */
 	vendor_id_payload_t public;
-	
+
 	/**
 	 * Next payload type.
 	 */
@@ -40,31 +39,30 @@ struct private_vendor_id_payload_t {
 	 * Critical flag.
 	 */
 	bool critical;
-	
+
 	/**
 	 * Length of this payload.
 	 */
 	u_int16_t payload_length;
-	
+
 	/**
-	 * The contained vendor_id data value.
+	 * The contained data.
 	 */
-	chunk_t vendor_id_data;
+	chunk_t data;
 };
 
 /**
  * Encoding rules to parse or generate a VENDOR ID payload
- * 
- * The defined offsets are the positions in a object of type 
+ *
+ * The defined offsets are the positions in a object of type
  * private_vendor_id_payload_t.
- * 
  */
 encoding_rule_t vendor_id_payload_encodings[] = {
- 	/* 1 Byte next payload type, stored in the field next_payload */
+	/* 1 Byte next payload type, stored in the field next_payload */
 	{ U_INT_8,			offsetof(private_vendor_id_payload_t, next_payload) },
 	/* the critical bit */
 	{ FLAG,				offsetof(private_vendor_id_payload_t, critical)		},
- 	/* 7 Bit reserved bits, nowhere stored */
+	/* 7 Bit reserved bits, nowhere stored */
 	{ RESERVED_BIT,	0 														},
 	{ RESERVED_BIT,	0 														},
 	{ RESERVED_BIT,	0 														},
@@ -75,7 +73,7 @@ encoding_rule_t vendor_id_payload_encodings[] = {
 	/* Length of the whole payload*/
 	{ PAYLOAD_LENGTH,	offsetof(private_vendor_id_payload_t, payload_length)},
 	/* some vendor_id data bytes, length is defined in PAYLOAD_LENGTH */
-	{ VID_DATA,			offsetof(private_vendor_id_payload_t, vendor_id_data) }
+	{ VID_DATA,			offsetof(private_vendor_id_payload_t, data) }
 };
 
 /*
@@ -101,7 +99,8 @@ static status_t verify(private_vendor_id_payload_t *this)
 /**
  * Implementation of vendor_id_payload_t.get_encoding_rules.
  */
-static void get_encoding_rules(private_vendor_id_payload_t *this, encoding_rule_t **rules, size_t *rule_count)
+static void get_encoding_rules(private_vendor_id_payload_t *this,
+							   encoding_rule_t **rules, size_t *rule_count)
 {
 	*rules = vendor_id_payload_encodings;
 	*rule_count = sizeof(vendor_id_payload_encodings) / sizeof(encoding_rule_t);
@@ -120,7 +119,7 @@ static payload_type_t get_payload_type(private_vendor_id_payload_t *this)
  */
 static payload_type_t get_next_type(private_vendor_id_payload_t *this)
 {
-	return (this->next_payload);
+	return this->next_payload;
 }
 
 /**
@@ -139,41 +138,12 @@ static size_t get_length(private_vendor_id_payload_t *this)
 	return this->payload_length;
 }
 
-/**
- * Implementation of vendor_id_payload_t.set_data.
- */
-static void set_data (private_vendor_id_payload_t *this, chunk_t data)
-{
-	if (this->vendor_id_data.ptr != NULL)
-	{
-		chunk_free(&(this->vendor_id_data));
-	}
-	this->vendor_id_data.ptr = clalloc(data.ptr,data.len);
-	this->vendor_id_data.len = data.len;
-	this->payload_length = VENDOR_ID_PAYLOAD_HEADER_LENGTH + this->vendor_id_data.len;
-}
-
 /**
  * Implementation of vendor_id_payload_t.get_data.
  */
-static chunk_t get_data (private_vendor_id_payload_t *this)
-{
-	return (this->vendor_id_data);
-}
-
-/**
- * Implementation of vendor_id_payload_t.get_data_clone.
- */
-static chunk_t get_data_clone (private_vendor_id_payload_t *this)
+static chunk_t get_data(private_vendor_id_payload_t *this)
 {
-	chunk_t cloned_data;
-	if (this->vendor_id_data.ptr == NULL)
-	{
-		return (this->vendor_id_data);
-	}
-	cloned_data.ptr = clalloc(this->vendor_id_data.ptr,this->vendor_id_data.len);
-	cloned_data.len = this->vendor_id_data.len;
-	return cloned_data;
+	return this->data;
 }
 
 /**
@@ -181,11 +151,8 @@ static chunk_t get_data_clone (private_vendor_id_payload_t *this)
  */
 static void destroy(private_vendor_id_payload_t *this)
 {
-	if (this->vendor_id_data.ptr != NULL)
-	{
-		chunk_free(&(this->vendor_id_data));
-	}
-	free(this);	
+	free(this->data.ptr);
+	free(this);
 }
 
 /*
@@ -195,7 +162,6 @@ vendor_id_payload_t *vendor_id_payload_create()
 {
 	private_vendor_id_payload_t *this = malloc_thing(private_vendor_id_payload_t);
 
-	/* interface functions */
 	this->public.payload_interface.verify = (status_t (*) (payload_t *))verify;
 	this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules;
 	this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length;
@@ -203,18 +169,27 @@ vendor_id_payload_t *vendor_id_payload_create()
 	this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
 	this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_payload_type;
 	this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
-	
-	/* public functions */
-	this->public.destroy = (void (*) (vendor_id_payload_t *)) destroy;
-	this->public.set_data = (void (*) (vendor_id_payload_t *,chunk_t)) set_data;
-	this->public.get_data_clone = (chunk_t (*) (vendor_id_payload_t *)) get_data_clone;
 	this->public.get_data = (chunk_t (*) (vendor_id_payload_t *)) get_data;
-	
-	/* private variables */
+
 	this->critical = FALSE;
 	this->next_payload = NO_PAYLOAD;
 	this->payload_length = VENDOR_ID_PAYLOAD_HEADER_LENGTH;
-	this->vendor_id_data = chunk_empty;
+	this->data = chunk_empty;
 
-	return (&(this->public));
+	return &this->public;
 }
+
+/*
+ * Described in header
+ */
+vendor_id_payload_t *vendor_id_payload_create_data(chunk_t data)
+{
+	private_vendor_id_payload_t *this;
+
+	this = (private_vendor_id_payload_t*)vendor_id_payload_create();
+	this->payload_length += data.len;
+	this->data = data;
+
+	return &this->public;
+}
+
diff --git a/src/charon/encoding/payloads/vendor_id_payload.h b/src/charon/encoding/payloads/vendor_id_payload.h
index 9ee9ea1d4..241535cac 100644
--- a/src/charon/encoding/payloads/vendor_id_payload.h
+++ b/src/charon/encoding/payloads/vendor_id_payload.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005-2009 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
  *
@@ -32,56 +32,39 @@ typedef struct vendor_id_payload_t vendor_id_payload_t;
  */
 #define VENDOR_ID_PAYLOAD_HEADER_LENGTH 4
 
-
 /**
  * Class representing an IKEv2 VENDOR ID payload.
  *
  * The VENDOR ID payload format is described in RFC section 3.12.
  */
 struct vendor_id_payload_t {
+
 	/**
 	 * The payload_t interface.
 	 */
 	payload_t payload_interface;
 
-	/**
-	 * Set the VID data.
-	 * 
-	 * Data are getting cloned.
-	 *
-	 * @param data			VID data as chunk_t
-	 */
-	void (*set_data) (vendor_id_payload_t *this, chunk_t data);
-	
-	/**
-	 * Get the VID data.
-	 * 
-	 * Returned data are a copy of the internal one.
-	 *
-	 * @return				VID data as chunk_t
-	 */
-	chunk_t (*get_data_clone) (vendor_id_payload_t *this);
-	
 	/**
 	 * Get the VID data.
-	 * 
-	 * Returned data are NOT copied.
 	 *
-	 * @return				VID data as chunk_t
-	 */
-	chunk_t (*get_data) (vendor_id_payload_t *this);
-	
-	/**
-	 * Destroys an vendor_id_payload_t object.
+	 * @return		VID data, pointing to an internal chunk_t
 	 */
-	void (*destroy) (vendor_id_payload_t *this);
+	chunk_t (*get_data)(vendor_id_payload_t *this);
 };
 
 /**
- * Creates an empty vendor_id_payload_t object.
- * 
- * @return vendor_id_payload_t object
+ * Creates an empty Vendor ID payload.
+ *
+ * @return			vendor ID payload
+ */
+vendor_id_payload_t *vendor_id_payload_create();
+
+/**
+ * Creates a vendor ID payload using a chunk of data
+ *
+ * @param data		data to use in vendor ID payload, gets owned by payload
+ * @return			vendor ID payload
  */
-vendor_id_payload_t *vendor_id_payload_create(void);
+vendor_id_payload_t *vendor_id_payload_create_data(chunk_t data);
 
 #endif /** VENDOR_ID_PAYLOAD_H_ @}*/
diff --git a/src/charon/kernel/kernel_interface.c b/src/charon/kernel/kernel_interface.c
index 53ae1d200..99bf94e9b 100644
--- a/src/charon/kernel/kernel_interface.c
+++ b/src/charon/kernel/kernel_interface.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2008-2009 Tobias Brunner
  * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -15,8 +15,6 @@
 
 #include "kernel_interface.h"
 
-#include <pthread.h>
-
 #include <daemon.h>
 
 typedef struct private_kernel_interface_t private_kernel_interface_t;
@@ -30,12 +28,12 @@ struct private_kernel_interface_t {
 	 * Public part of kernel_interface_t object.
 	 */
 	kernel_interface_t public;
-	
+
 	/**
 	 * ipsec interface
 	 */
 	kernel_ipsec_t *ipsec;
-	
+
 	/**
 	 * network interface
 	 */
@@ -45,7 +43,7 @@ struct private_kernel_interface_t {
 /**
  * Implementation of kernel_interface_t.get_spi
  */
-static status_t get_spi(private_kernel_interface_t *this, host_t *src, host_t *dst, 
+static status_t get_spi(private_kernel_interface_t *this, host_t *src, host_t *dst,
 				 protocol_id_t protocol, u_int32_t reqid, u_int32_t *spi)
 {
 	if (!this->ipsec)
@@ -58,7 +56,7 @@ static status_t get_spi(private_kernel_interface_t *this, host_t *src, host_t *d
 /**
  * Implementation of kernel_interface_t.get_cpi
  */
-static status_t get_cpi(private_kernel_interface_t *this, host_t *src, host_t *dst, 
+static status_t get_cpi(private_kernel_interface_t *this, host_t *src, host_t *dst,
 					u_int32_t reqid, u_int16_t *cpi)
 {
 	if (!this->ipsec)
@@ -73,26 +71,27 @@ static status_t get_cpi(private_kernel_interface_t *this, host_t *src, host_t *d
  */
 static status_t add_sa(private_kernel_interface_t *this, host_t *src, host_t *dst,
 				u_int32_t spi, protocol_id_t protocol, u_int32_t reqid,
-				u_int64_t expire_soft, u_int64_t expire_hard,
+				lifetime_cfg_t *lifetime,
 				u_int16_t enc_alg, chunk_t enc_key,
 				u_int16_t int_alg, chunk_t int_key,
 				ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi, bool encap,
-				bool inbound)
+				bool inbound, traffic_selector_t *src_ts,
+				traffic_selector_t *dst_ts)
 {
 	if (!this->ipsec)
 	{
 		return NOT_SUPPORTED;
 	}
 	return this->ipsec->add_sa(this->ipsec, src, dst, spi, protocol, reqid,
-			expire_soft, expire_hard, enc_alg, enc_key, int_alg, int_key,
-			mode, ipcomp, cpi, encap, inbound);
+			lifetime, enc_alg, enc_key, int_alg, int_key, mode, ipcomp, cpi,
+			encap, inbound, src_ts, dst_ts);
 }
 
 /**
  * Implementation of kernel_interface_t.update_sa
  */
 static status_t update_sa(private_kernel_interface_t *this, u_int32_t spi,
-				   protocol_id_t protocol, u_int16_t cpi, host_t *src, host_t *dst, 
+				   protocol_id_t protocol, u_int16_t cpi, host_t *src, host_t *dst,
 				   host_t *new_src, host_t *new_dst, bool encap, bool new_encap)
 {
 	if (!this->ipsec)
@@ -289,13 +288,13 @@ static status_t get_address_by_ts(private_kernel_interface_t *this,
 	host_t *host;
 	int family;
 	bool found = FALSE;
-	
+
 	DBG2(DBG_KNL, "getting a local address in traffic selector %R", ts);
-	
+
 	/* if we have a family which includes localhost, we do not
 	 * search for an IP, we use the default */
 	family = ts->get_type(ts) == TS_IPV4_ADDR_RANGE ? AF_INET : AF_INET6;
-	
+
 	if (family == AF_INET)
 	{
 		host = host_create_from_string("127.0.0.1", 0);
@@ -304,7 +303,7 @@ static status_t get_address_by_ts(private_kernel_interface_t *this,
 	{
 		host = host_create_from_string("::1", 0);
 	}
-	
+
 	if (ts->includes(ts, host))
 	{
 		*ip = host_create_any(family);
@@ -313,7 +312,7 @@ static status_t get_address_by_ts(private_kernel_interface_t *this,
 		return SUCCESS;
 	}
 	host->destroy(host);
-	
+
 	addrs = create_address_enumerator(this, TRUE, TRUE);
 	while (addrs->enumerate(addrs, (void**)&host))
 	{
@@ -325,13 +324,13 @@ static status_t get_address_by_ts(private_kernel_interface_t *this,
 		}
 	}
 	addrs->destroy(addrs);
-	
+
 	if (!found)
 	{
 		DBG1(DBG_KNL, "no local address found in traffic selector %R", ts);
 		return FAILED;
 	}
-	
+
 	DBG2(DBG_KNL, "using host %H", *ip);
 	return SUCCESS;
 }
@@ -395,17 +394,17 @@ static void destroy(private_kernel_interface_t *this)
 kernel_interface_t *kernel_interface_create()
 {
 	private_kernel_interface_t *this = malloc_thing(private_kernel_interface_t);
-	
+
 	this->public.get_spi = (status_t(*)(kernel_interface_t*,host_t*,host_t*,protocol_id_t,u_int32_t,u_int32_t*))get_spi;
 	this->public.get_cpi = (status_t(*)(kernel_interface_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
-	this->public.add_sa  = (status_t(*)(kernel_interface_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa;
+	this->public.add_sa  = (status_t(*)(kernel_interface_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,lifetime_cfg_t*,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool,traffic_selector_t*,traffic_selector_t*))add_sa;
 	this->public.update_sa = (status_t(*)(kernel_interface_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa;
 	this->public.query_sa = (status_t(*)(kernel_interface_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int64_t*))query_sa;
 	this->public.del_sa = (status_t(*)(kernel_interface_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
 	this->public.add_policy = (status_t(*)(kernel_interface_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t,protocol_id_t,u_int32_t,ipsec_mode_t,u_int16_t,u_int16_t,bool))add_policy;
 	this->public.query_policy = (status_t(*)(kernel_interface_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
 	this->public.del_policy = (status_t(*)(kernel_interface_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,bool))del_policy;
-	
+
 	this->public.get_source_addr = (host_t*(*)(kernel_interface_t*, host_t *dest, host_t *src))get_source_addr;
 	this->public.get_nexthop = (host_t*(*)(kernel_interface_t*, host_t *dest))get_nexthop;
 	this->public.get_interface = (char*(*)(kernel_interface_t*,host_t*))get_interface;
@@ -414,18 +413,18 @@ kernel_interface_t *kernel_interface_create()
 	this->public.del_ip = (status_t(*)(kernel_interface_t*,host_t*)) del_ip;
 	this->public.add_route = (status_t(*)(kernel_interface_t*,chunk_t,u_int8_t,host_t*,host_t*,char*)) add_route;
 	this->public.del_route = (status_t(*)(kernel_interface_t*,chunk_t,u_int8_t,host_t*,host_t*,char*)) del_route;
-	
+
 	this->public.get_address_by_ts = (status_t(*)(kernel_interface_t*,traffic_selector_t*,host_t**))get_address_by_ts;
-	
+
 	this->public.add_ipsec_interface = (void(*)(kernel_interface_t*, kernel_ipsec_constructor_t))add_ipsec_interface;
 	this->public.remove_ipsec_interface = (void(*)(kernel_interface_t*, kernel_ipsec_constructor_t))remove_ipsec_interface;
 	this->public.add_net_interface = (void(*)(kernel_interface_t*, kernel_net_constructor_t))add_net_interface;
 	this->public.remove_net_interface = (void(*)(kernel_interface_t*, kernel_net_constructor_t))remove_net_interface;
-	
+
 	this->public.destroy = (void (*)(kernel_interface_t*))destroy;
-	
+
 	this->ipsec = NULL;
 	this->net = NULL;
-	
+
 	return &this->public;
 }
diff --git a/src/charon/kernel/kernel_interface.h b/src/charon/kernel/kernel_interface.h
index c4a273a34..c39246e72 100644
--- a/src/charon/kernel/kernel_interface.h
+++ b/src/charon/kernel/kernel_interface.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006-2008 Tobias Brunner
+ * Copyright (C) 2006-2009 Tobias Brunner
  * Copyright (C) 2006 Daniel Roethlisberger
  * Copyright (C) 2005-2006 Martin Willi
  * Copyright (C) 2005 Jan Hutter
@@ -45,7 +45,7 @@ typedef kernel_net_t* (*kernel_net_constructor_t)(void);
 
 /**
  * Manager and wrapper for different kernel interfaces.
- * 
+ *
  * The kernel interface handles the communication with the kernel
  * for SA and policy management and interface and IP address management.
  */
@@ -61,39 +61,36 @@ struct kernel_interface_t {
 	 * @param spi		allocated spi
 	 * @return				SUCCESS if operation completed
 	 */
-	status_t (*get_spi)(kernel_interface_t *this, host_t *src, host_t *dst, 
+	status_t (*get_spi)(kernel_interface_t *this, host_t *src, host_t *dst,
 						protocol_id_t protocol, u_int32_t reqid, u_int32_t *spi);
-	
+
 	/**
 	 * Get a Compression Parameter Index (CPI) from the kernel.
-	 * 
+	 *
 	 * @param src		source address of SA
 	 * @param dst		destination address of SA
 	 * @param reqid		unique ID for the corresponding SA
 	 * @param cpi		allocated cpi
 	 * @return				SUCCESS if operation completed
 	 */
-	status_t (*get_cpi)(kernel_interface_t *this, host_t *src, host_t *dst, 
+	status_t (*get_cpi)(kernel_interface_t *this, host_t *src, host_t *dst,
 						u_int32_t reqid, u_int16_t *cpi);
-	
+
 	/**
 	 * Add an SA to the SAD.
-	 * 
+	 *
 	 * add_sa() may update an already allocated
 	 * SPI (via get_spi). In this case, the replace
 	 * flag must be set.
 	 * This function does install a single SA for a
-	 * single protocol in one direction. The kernel-interface
-	 * gets the keys itself from the PRF, as we don't know
-	 * his algorithms and key sizes.
-	 * 
+	 * single protocol in one direction.
+	 *
 	 * @param src			source address for this SA
 	 * @param dst			destination address for this SA
 	 * @param spi			SPI allocated by us or remote peer
 	 * @param protocol		protocol for this SA (ESP/AH)
 	 * @param reqid			unique ID for this SA
-	 * @param expire_soft	lifetime in seconds before rekeying
-	 * @param expire_hard	lifetime in seconds before delete
+	 * @param lifetime		lifetime_cfg_t for this SA
 	 * @param enc_alg		Algorithm to use for encryption (ESP only)
 	 * @param enc_key		key to use for encryption
 	 * @param int_alg		Algorithm to use for integrity protection
@@ -103,17 +100,20 @@ struct kernel_interface_t {
 	 * @param cpi			CPI for IPComp
 	 * @param encap			enable UDP encapsulation for NAT traversal
 	 * @param inbound		TRUE if this is an inbound SA
+	 * @param src_ts		traffic selector with BEET source address
+	 * @param dst_ts		traffic selector with BEET destination address
 	 * @return				SUCCESS if operation completed
 	 */
 	status_t (*add_sa) (kernel_interface_t *this,
 						host_t *src, host_t *dst, u_int32_t spi,
 						protocol_id_t protocol, u_int32_t reqid,
-						u_int64_t expire_soft, u_int64_t expire_hard,
-					    u_int16_t enc_alg, chunk_t enc_key,
-					    u_int16_t int_alg, chunk_t int_key,
+						lifetime_cfg_t *lifetime,
+						u_int16_t enc_alg, chunk_t enc_key,
+						u_int16_t int_alg, chunk_t int_key,
 						ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
-						bool encap, bool inbound);
-	
+						bool encap, bool inbound,
+						traffic_selector_t *src_ts, traffic_selector_t *dst_ts);
+
 	/**
 	 * Update the hosts on an installed SA.
 	 *
@@ -132,17 +132,17 @@ struct kernel_interface_t {
 	 * @param encap			current use of UDP encapsulation
 	 * @param new_encap		new use of UDP encapsulation
 	 * @return				SUCCESS if operation completed, NOT_SUPPORTED if
-	 *                      the kernel interface can't update the SA
+	 *					  the kernel interface can't update the SA
 	 */
 	status_t (*update_sa)(kernel_interface_t *this,
 						  u_int32_t spi, protocol_id_t protocol, u_int16_t cpi,
-						  host_t *src, host_t *dst, 
+						  host_t *src, host_t *dst,
 						  host_t *new_src, host_t *new_dst,
 						  bool encap, bool new_encap);
-	
+
 	/**
 	 * Query the number of bytes processed by an SA from the SAD.
-	 * 
+	 *
 	 * @param src			source address for this SA
 	 * @param dst			destination address for this SA
 	 * @param spi			SPI allocated by us or remote peer
@@ -152,10 +152,10 @@ struct kernel_interface_t {
 	 */
 	status_t (*query_sa) (kernel_interface_t *this, host_t *src, host_t *dst,
 						  u_int32_t spi, protocol_id_t protocol, u_int64_t *bytes);
-	
+
 	/**
 	 * Delete a previously installed SA from the SAD.
-	 * 
+	 *
 	 * @param src			source address for this SA
 	 * @param dst			destination address for this SA
 	 * @param spi			SPI allocated by us or remote peer
@@ -165,13 +165,13 @@ struct kernel_interface_t {
 	 */
 	status_t (*del_sa) (kernel_interface_t *this, host_t *src, host_t *dst,
 						u_int32_t spi, protocol_id_t protocol, u_int16_t cpi);
-	
+
 	/**
 	 * Add a policy to the SPD.
-	 * 
+	 *
 	 * A policy is always associated to an SA. Traffic which matches a
 	 * policy is handled by the SA with the same reqid.
-	 * 
+	 *
 	 * @param src			source address of SA
 	 * @param dst			dest address of SA
 	 * @param src_ts		traffic selector to match traffic source
@@ -194,13 +194,13 @@ struct kernel_interface_t {
 							protocol_id_t protocol, u_int32_t reqid,
 							ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
 							bool routed);
-	
+
 	/**
 	 * Query the use time of a policy.
 	 *
 	 * The use time of a policy is the time the policy was used
 	 * for the last time.
-	 * 
+	 *
 	 * @param src_ts		traffic selector to match traffic source
 	 * @param dst_ts		traffic selector to match traffic dest
 	 * @param direction		direction of traffic, POLICY_IN, POLICY_OUT, POLICY_FWD
@@ -208,10 +208,10 @@ struct kernel_interface_t {
 	 * @return				SUCCESS if operation completed
 	 */
 	status_t (*query_policy) (kernel_interface_t *this,
-							  traffic_selector_t *src_ts, 
+							  traffic_selector_t *src_ts,
 							  traffic_selector_t *dst_ts,
 							  policy_dir_t direction, u_int32_t *use_time);
-	
+
 	/**
 	 * Remove a policy from the SPD.
 	 *
@@ -227,11 +227,11 @@ struct kernel_interface_t {
 	 * @return				SUCCESS if operation completed
 	 */
 	status_t (*del_policy) (kernel_interface_t *this,
-							traffic_selector_t *src_ts, 
+							traffic_selector_t *src_ts,
 							traffic_selector_t *dst_ts,
 							policy_dir_t direction,
 							bool unrouted);
-	
+
 	/**
 	 * Get our outgoing source address for a destination.
 	 *
@@ -246,7 +246,7 @@ struct kernel_interface_t {
 	 */
 	host_t* (*get_source_addr)(kernel_interface_t *this,
 							   host_t *dest, host_t *src);
-	
+
 	/**
 	 * Get the next hop for a destination.
 	 *
@@ -257,7 +257,7 @@ struct kernel_interface_t {
 	 * @return				next hop address, NULL if unreachable
 	 */
 	host_t* (*get_nexthop)(kernel_interface_t *this, host_t *dest);
-	
+
 	/**
 	 * Get the interface name of a local address.
 	 *
@@ -265,21 +265,21 @@ struct kernel_interface_t {
 	 * @return 				allocated interface name, or NULL if not found
 	 */
 	char* (*get_interface) (kernel_interface_t *this, host_t *host);
-	
+
 	/**
 	 * Creates an enumerator over all local addresses.
-	 * 
+	 *
 	 * This function blocks an internal cached address list until the
 	 * enumerator gets destroyed.
 	 * The hosts are read-only, do not modify of free.
-	 * 
+	 *
 	 * @param include_down_ifaces	TRUE to enumerate addresses from down interfaces
 	 * @param include_virtual_ips	TRUE to enumerate virtual ip addresses
 	 * @return						enumerator over host_t's
 	 */
 	enumerator_t *(*create_address_enumerator) (kernel_interface_t *this,
 						bool include_down_ifaces, bool include_virtual_ips);
-	
+
 	/**
 	 * Add a virtual IP to an interface.
 	 *
@@ -294,7 +294,7 @@ struct kernel_interface_t {
 	 */
 	status_t (*add_ip) (kernel_interface_t *this, host_t *virtual_ip,
 						host_t *iface_ip);
-	
+
 	/**
 	 * Remove a virtual IP from an interface.
 	 *
@@ -304,10 +304,10 @@ struct kernel_interface_t {
 	 * @return				SUCCESS if operation completed
 	 */
 	status_t (*del_ip) (kernel_interface_t *this, host_t *virtual_ip);
-	
+
 	/**
 	 * Add a route.
-	 * 
+	 *
 	 * @param dst_net		destination net
 	 * @param prefixlen		destination net prefix length
 	 * @param gateway		gateway for this route
@@ -318,10 +318,10 @@ struct kernel_interface_t {
 	 */
 	status_t (*add_route) (kernel_interface_t *this, chunk_t dst_net, u_int8_t prefixlen,
 								host_t *gateway, host_t *src_ip, char *if_name);
-	
+
 	/**
 	 * Delete a route.
-	 * 
+	 *
 	 * @param dst_net		destination net
 	 * @param prefixlen		destination net prefix length
 	 * @param gateway		gateway for this route
@@ -331,50 +331,50 @@ struct kernel_interface_t {
 	 */
 	status_t (*del_route) (kernel_interface_t *this, chunk_t dst_net, u_int8_t prefixlen,
 								host_t *gateway, host_t *src_ip, char *if_name);
-	
+
 	/**
 	 * manager methods
 	 */
-	
+
 	/**
 	 * Tries to find an ip address of a local interface that is included in the
 	 * supplied traffic selector.
-	 * 
+	 *
 	 * @param ts			traffic selector
 	 * @param ip			returned ip (has to be destroyed)
 	 * @return				SUCCESS if address found
 	 */
 	status_t (*get_address_by_ts) (kernel_interface_t *this,
 										traffic_selector_t *ts, host_t **ip);
-	
+
 	/**
 	 * Register an ipsec kernel interface constructor on the manager.
 	 *
 	 * @param create			constructor to register
 	 */
 	void (*add_ipsec_interface)(kernel_interface_t *this, kernel_ipsec_constructor_t create);
-	
+
 	/**
 	 * Unregister an ipsec kernel interface constructor.
 	 *
 	 * @param create			constructor to unregister
 	 */
 	void (*remove_ipsec_interface)(kernel_interface_t *this, kernel_ipsec_constructor_t create);
-	
+
 	/**
 	 * Register a network kernel interface constructor on the manager.
 	 *
 	 * @param create			constructor to register
 	 */
 	void (*add_net_interface)(kernel_interface_t *this, kernel_net_constructor_t create);
-	
+
 	/**
 	 * Unregister a network kernel interface constructor.
 	 *
 	 * @param create			constructor to unregister
 	 */
 	void (*remove_net_interface)(kernel_interface_t *this, kernel_net_constructor_t create);
-	
+
 	/**
 	 * Destroys a kernel_interface_manager_t object.
 	 */
diff --git a/src/charon/kernel/kernel_ipsec.c b/src/charon/kernel/kernel_ipsec.c
index 45eef4907..5b0335b16 100644
--- a/src/charon/kernel/kernel_ipsec.c
+++ b/src/charon/kernel/kernel_ipsec.c
@@ -18,8 +18,6 @@
 ENUM(ipsec_mode_names, MODE_TRANSPORT, MODE_BEET,
 	"TRANSPORT",
 	"TUNNEL",
-	"2",
-	"3",
 	"BEET",
 );
 
diff --git a/src/charon/kernel/kernel_ipsec.h b/src/charon/kernel/kernel_ipsec.h
index d6438c197..73ad29b0e 100644
--- a/src/charon/kernel/kernel_ipsec.h
+++ b/src/charon/kernel/kernel_ipsec.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006-2008 Tobias Brunner
+ * Copyright (C) 2006-2009 Tobias Brunner
  * Copyright (C) 2006 Daniel Roethlisberger
  * Copyright (C) 2005-2006 Martin Willi
  * Copyright (C) 2005 Jan Hutter
@@ -30,7 +30,8 @@ typedef struct kernel_ipsec_t kernel_ipsec_t;
 
 #include <utils/host.h>
 #include <crypto/prf_plus.h>
-#include <encoding/payloads/proposal_substructure.h>
+#include <config/proposal.h>
+#include <config/child_cfg.h>
 
 /**
  * Mode of a CHILD_SA.
@@ -70,9 +71,9 @@ extern enum_name_t *policy_dir_names;
 
 /**
  * Interface to the ipsec subsystem of the kernel.
- * 
+ *
  * The kernel ipsec interface handles the communication with the kernel
- * for SA and policy management. It allows setup of these, and provides 
+ * for SA and policy management. It allows setup of these, and provides
  * further the handling of kernel events.
  * Policy information are cached in the interface. This is necessary to do
  * reference counting. The Linux kernel does not allow the same policy
@@ -80,7 +81,7 @@ extern enum_name_t *policy_dir_names;
  * when rekeying. Thats why we do reference counting of policies.
  */
 struct kernel_ipsec_t {
-	
+
 	/**
 	 * Get a SPI from the kernel.
 	 *
@@ -91,39 +92,36 @@ struct kernel_ipsec_t {
 	 * @param spi		allocated spi
 	 * @return				SUCCESS if operation completed
 	 */
-	status_t (*get_spi)(kernel_ipsec_t *this, host_t *src, host_t *dst, 
+	status_t (*get_spi)(kernel_ipsec_t *this, host_t *src, host_t *dst,
 						protocol_id_t protocol, u_int32_t reqid, u_int32_t *spi);
-	
+
 	/**
 	 * Get a Compression Parameter Index (CPI) from the kernel.
-	 * 
+	 *
 	 * @param src		source address of SA
 	 * @param dst		destination address of SA
 	 * @param reqid		unique ID for the corresponding SA
 	 * @param cpi		allocated cpi
 	 * @return				SUCCESS if operation completed
 	 */
-	status_t (*get_cpi)(kernel_ipsec_t *this, host_t *src, host_t *dst, 
+	status_t (*get_cpi)(kernel_ipsec_t *this, host_t *src, host_t *dst,
 						u_int32_t reqid, u_int16_t *cpi);
-	
+
 	/**
 	 * Add an SA to the SAD.
-	 * 
+	 *
 	 * add_sa() may update an already allocated
 	 * SPI (via get_spi). In this case, the replace
 	 * flag must be set.
 	 * This function does install a single SA for a
-	 * single protocol in one direction. The kernel-interface
-	 * gets the keys itself from the PRF, as we don't know
-	 * his algorithms and key sizes.
-	 * 
+	 * single protocol in one direction.
+	 *
 	 * @param src			source address for this SA
 	 * @param dst			destination address for this SA
 	 * @param spi			SPI allocated by us or remote peer
 	 * @param protocol		protocol for this SA (ESP/AH)
 	 * @param reqid			unique ID for this SA
-	 * @param expire_soft	lifetime in seconds before rekeying
-	 * @param expire_hard	lifetime in seconds before delete
+	 * @param lifetime		lifetime_cfg_t for this SA
 	 * @param enc_alg		Algorithm to use for encryption (ESP only)
 	 * @param enc_key		key to use for encryption
 	 * @param int_alg		Algorithm to use for integrity protection
@@ -133,17 +131,20 @@ struct kernel_ipsec_t {
 	 * @param cpi			CPI for IPComp
 	 * @param encap			enable UDP encapsulation for NAT traversal
 	 * @param inbound		TRUE if this is an inbound SA
+	 * @param src_ts		traffic selector with BEET source address
+	 * @param dst_ts		traffic selector with BEET destination address
 	 * @return				SUCCESS if operation completed
 	 */
 	status_t (*add_sa) (kernel_ipsec_t *this,
 						host_t *src, host_t *dst, u_int32_t spi,
 						protocol_id_t protocol, u_int32_t reqid,
-						u_int64_t expire_soft, u_int64_t expire_hard,
-					    u_int16_t enc_alg, chunk_t enc_key,
-					    u_int16_t int_alg, chunk_t int_key,
+						lifetime_cfg_t *lifetime,
+						u_int16_t enc_alg, chunk_t enc_key,
+						u_int16_t int_alg, chunk_t int_key,
 						ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
-						bool encap, bool inbound);
-	
+						bool encap, bool inbound,
+						traffic_selector_t *src_ts, traffic_selector_t *dst_ts);
+
 	/**
 	 * Update the hosts on an installed SA.
 	 *
@@ -162,17 +163,17 @@ struct kernel_ipsec_t {
 	 * @param encap			current use of UDP encapsulation
 	 * @param new_encap		new use of UDP encapsulation
 	 * @return				SUCCESS if operation completed, NOT_SUPPORTED if
-	 *                      the kernel interface can't update the SA
+	 *					  the kernel interface can't update the SA
 	 */
 	status_t (*update_sa)(kernel_ipsec_t *this,
 						  u_int32_t spi, protocol_id_t protocol, u_int16_t cpi,
-						  host_t *src, host_t *dst, 
+						  host_t *src, host_t *dst,
 						  host_t *new_src, host_t *new_dst,
 						  bool encap, bool new_encap);
-	
+
 	/**
 	 * Query the number of bytes processed by an SA from the SAD.
-	 * 
+	 *
 	 * @param src			source address for this SA
 	 * @param dst			destination address for this SA
 	 * @param spi			SPI allocated by us or remote peer
@@ -182,10 +183,10 @@ struct kernel_ipsec_t {
 	 */
 	status_t (*query_sa) (kernel_ipsec_t *this, host_t *src, host_t *dst,
 						  u_int32_t spi, protocol_id_t protocol, u_int64_t *bytes);
-	
+
 	/**
 	 * Delete a previusly installed SA from the SAD.
-	 * 
+	 *
 	 * @param src			source address for this SA
 	 * @param dst			destination address for this SA
 	 * @param spi			SPI allocated by us or remote peer
@@ -195,13 +196,13 @@ struct kernel_ipsec_t {
 	 */
 	status_t (*del_sa) (kernel_ipsec_t *this, host_t *src, host_t *dst,
 						u_int32_t spi, protocol_id_t protocol, u_int16_t cpi);
-	
+
 	/**
 	 * Add a policy to the SPD.
-	 * 
+	 *
 	 * A policy is always associated to an SA. Traffic which matches a
 	 * policy is handled by the SA with the same reqid.
-	 * 
+	 *
 	 * @param src			source address of SA
 	 * @param dst			dest address of SA
 	 * @param src_ts		traffic selector to match traffic source
@@ -224,24 +225,25 @@ struct kernel_ipsec_t {
 							protocol_id_t protocol, u_int32_t reqid,
 							ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
 							bool routed);
-	
+
 	/**
 	 * Query the use time of a policy.
 	 *
-	 * The use time of a policy is the time the policy was used
-	 * for the last time.
-	 * 
+	 * The use time of a policy is the time the policy was used for the last
+	 * time. It is not the system time, but a monotonic timestamp as returned
+	 * by time_monotonic.
+	 *
 	 * @param src_ts		traffic selector to match traffic source
 	 * @param dst_ts		traffic selector to match traffic dest
 	 * @param direction		direction of traffic, POLICY_IN, POLICY_OUT, POLICY_FWD
-	 * @param[out] use_time	the time of this SA's last use
+	 * @param[out] use_time	the monotonic timestamp of this SA's last use
 	 * @return				SUCCESS if operation completed
 	 */
 	status_t (*query_policy) (kernel_ipsec_t *this,
-							  traffic_selector_t *src_ts, 
+							  traffic_selector_t *src_ts,
 							  traffic_selector_t *dst_ts,
 							  policy_dir_t direction, u_int32_t *use_time);
-	
+
 	/**
 	 * Remove a policy from the SPD.
 	 *
@@ -257,11 +259,11 @@ struct kernel_ipsec_t {
 	 * @return				SUCCESS if operation completed
 	 */
 	status_t (*del_policy) (kernel_ipsec_t *this,
-							traffic_selector_t *src_ts, 
+							traffic_selector_t *src_ts,
 							traffic_selector_t *dst_ts,
 							policy_dir_t direction,
 							bool unrouted);
-	
+
 	/**
 	 * Destroy the implementation.
 	 */
diff --git a/src/charon/kernel/kernel_net.h b/src/charon/kernel/kernel_net.h
index 02242f3a8..efb221f88 100644
--- a/src/charon/kernel/kernel_net.h
+++ b/src/charon/kernel/kernel_net.h
@@ -29,7 +29,7 @@ typedef struct kernel_net_t kernel_net_t;
 
 /**
  * Interface to the network subsystem of the kernel.
- * 
+ *
  * The kernel network interface handles the communication with the kernel
  * for interface and IP address management.
  */
@@ -48,7 +48,7 @@ struct kernel_net_t {
 	 * @return				outgoing source address, NULL if unreachable
 	 */
 	host_t* (*get_source_addr)(kernel_net_t *this, host_t *dest, host_t *src);
-	
+
 	/**
 	 * Get the next hop for a destination.
 	 *
@@ -59,7 +59,7 @@ struct kernel_net_t {
 	 * @return				next hop address, NULL if unreachable
 	 */
 	host_t* (*get_nexthop)(kernel_net_t *this, host_t *dest);
-	
+
 	/**
 	 * Get the interface name of a local address.
 	 *
@@ -67,21 +67,21 @@ struct kernel_net_t {
 	 * @return 				allocated interface name, or NULL if not found
 	 */
 	char* (*get_interface) (kernel_net_t *this, host_t *host);
-	
+
 	/**
 	 * Creates an enumerator over all local addresses.
-	 * 
+	 *
 	 * This function blocks an internal cached address list until the
 	 * enumerator gets destroyed.
 	 * The hosts are read-only, do not modify of free.
-	 * 
+	 *
 	 * @param include_down_ifaces	TRUE to enumerate addresses from down interfaces
 	 * @param include_virtual_ips	TRUE to enumerate virtual ip addresses
 	 * @return						enumerator over host_t's
 	 */
 	enumerator_t *(*create_address_enumerator) (kernel_net_t *this,
 						bool include_down_ifaces, bool include_virtual_ips);
-	
+
 	/**
 	 * Add a virtual IP to an interface.
 	 *
@@ -96,7 +96,7 @@ struct kernel_net_t {
 	 */
 	status_t (*add_ip) (kernel_net_t *this, host_t *virtual_ip,
 						host_t *iface_ip);
-	
+
 	/**
 	 * Remove a virtual IP from an interface.
 	 *
@@ -106,10 +106,10 @@ struct kernel_net_t {
 	 * @return				SUCCESS if operation completed
 	 */
 	status_t (*del_ip) (kernel_net_t *this, host_t *virtual_ip);
-	
+
 	/**
 	 * Add a route.
-	 * 
+	 *
 	 * @param dst_net		destination net
 	 * @param prefixlen		destination net prefix length
 	 * @param gateway		gateway for this route
@@ -120,10 +120,10 @@ struct kernel_net_t {
 	 */
 	status_t (*add_route) (kernel_net_t *this, chunk_t dst_net, u_int8_t prefixlen,
 								host_t *gateway, host_t *src_ip, char *if_name);
-	
+
 	/**
 	 * Delete a route.
-	 * 
+	 *
 	 * @param dst_net		destination net
 	 * @param prefixlen		destination net prefix length
 	 * @param gateway		gateway for this route
@@ -133,7 +133,7 @@ struct kernel_net_t {
 	 */
 	status_t (*del_route) (kernel_net_t *this, chunk_t dst_net, u_int8_t prefixlen,
 								host_t *gateway, host_t *src_ip, char *if_name);
-	
+
 	/**
 	 * Destroy the implementation.
 	 */
diff --git a/src/charon/network/packet.c b/src/charon/network/packet.c
index fd3a274bd..19a62603d 100644
--- a/src/charon/network/packet.c
+++ b/src/charon/network/packet.c
@@ -27,17 +27,17 @@ struct private_packet_t {
 	 * Public part of a packet_t object.
 	 */
 	packet_t public;
-	
+
 	/**
 	 * source address
 	 */
 	host_t *source;
-		
+
 	/**
 	 * destination address
 	 */
 	host_t *destination;
-	 
+
 	 /**
 	  * message data
 	  */
@@ -77,7 +77,7 @@ static host_t *get_destination(private_packet_t *this)
 {
 	return this->destination;
 }
-	
+
 /**
  * Implements packet_t.get_data
  */
@@ -103,7 +103,7 @@ static void destroy(private_packet_t *this)
 	if (this->source != NULL)
 	{
 		this->source->destroy(this->source);
-	}	
+	}
 	if (this->destination != NULL)
 	{
 		this->destination->destroy(this->destination);
@@ -118,7 +118,7 @@ static void destroy(private_packet_t *this)
 static packet_t *clone_(private_packet_t *this)
 {
 	private_packet_t *other = (private_packet_t*)packet_create();
-	
+
 	if (this->destination != NULL)
 	{
 		other->destination = this->destination->clone(this->destination);
@@ -150,10 +150,10 @@ packet_t *packet_create(void)
 	this->public.get_destination = (host_t*(*) (packet_t *)) get_destination;
 	this->public.clone = (packet_t*(*) (packet_t *))clone_;
 	this->public.destroy = (void(*) (packet_t *)) destroy;
-	
+
 	this->destination = NULL;
 	this->source = NULL;
 	this->data = chunk_empty;
-	
+
 	return &(this->public);
 }
diff --git a/src/charon/network/packet.h b/src/charon/network/packet.h
index aacb203e9..18d82c6fc 100644
--- a/src/charon/network/packet.h
+++ b/src/charon/network/packet.h
@@ -34,71 +34,71 @@ struct packet_t {
 
 	/**
 	 * Set the source address.
-	 * 
+	 *
 	 * Set host_t is now owned by packet_t, it will destroy
 	 * it if necessary.
-	 * 
+	 *
 	 * @param source	address to set as source
 	 */
 	void (*set_source) (packet_t *packet, host_t *source);
-	
+
 	/**
 	 * Set the destination address.
-	 * 
+	 *
 	 * Set host_t is now owned by packet_t, it will destroy
 	 * it if necessary.
-	 * 
+	 *
 	 * @param source	address to set as destination
 	 */
 	void (*set_destination) (packet_t *packet, host_t *destination);
-	
+
 	/**
 	 * Get the source address.
-	 * 
+	 *
 	 * Set host_t is still owned by packet_t, clone it
 	 * if needed.
-	 * 
+	 *
 	 * @return			source address
 	 */
 	host_t *(*get_source) (packet_t *packet);
-	
+
 	/**
 	 * Get the destination address.
-	 * 
+	 *
 	 * Set host_t is still owned by packet_t, clone it
 	 * if needed.
-	 * 
+	 *
 	 * @return			destination address
 	 */
 	host_t *(*get_destination) (packet_t *packet);
-	
+
 	/**
 	 * Get the data from the packet.
-	 * 
-	 * The data pointed by the chunk is still owned 
+	 *
+	 * The data pointed by the chunk is still owned
 	 * by the packet. Clone it if needed.
-	 * 
+	 *
 	 * @return			chunk containing the data
 	 */
 	chunk_t (*get_data) (packet_t *packet);
-	
+
 	/**
 	 * Set the data in the packet.
-	 * 
-	 * Supplied chunk data is now owned by the 
+	 *
+	 * Supplied chunk data is now owned by the
 	 * packet. It will free it.
-	 * 
+	 *
 	 * @param data		chunk with data to set
 	 */
 	void (*set_data) (packet_t *packet, chunk_t data);
-	
+
 	/**
 	 * Clones a packet_t object.
-	 *  
+	 *
 	 * @param clone		clone of the packet
 	 */
 	packet_t* (*clone) (packet_t *packet);
-	
+
 	/**
 	 * Destroy the packet, freeing contained data.
 	 */
@@ -107,7 +107,7 @@ struct packet_t {
 
 /**
  * create an empty packet
- *  
+ *
  * @return packet_t object
  */
 packet_t *packet_create(void);
diff --git a/src/charon/network/receiver.c b/src/charon/network/receiver.c
index ab4d6d592..6cd99439b 100644
--- a/src/charon/network/receiver.c
+++ b/src/charon/network/receiver.c
@@ -17,7 +17,6 @@
 
 #include <stdlib.h>
 #include <unistd.h>
-#include <pthread.h>
 
 #include "receiver.h"
 
@@ -50,57 +49,52 @@ struct private_receiver_t {
 	 * Public part of a receiver_t object.
 	 */
 	receiver_t public;
-	 
+
 	/**
 	 * Threads job receiving packets
 	 */
 	callback_job_t *job;
-	
-	/**
-	 * Assigned thread.
-	 */
-	pthread_t assigned_thread;
-	 
+
 	/**
 	 * current secret to use for cookie calculation
 	 */
 	char secret[SECRET_LENGTH];
-	
+
 	/**
 	 * previous secret used to verify older cookies
 	 */
 	char secret_old[SECRET_LENGTH];
-	
+
 	/**
 	 * how many times we have used "secret" so far
 	 */
 	u_int32_t secret_used;
-	
+
 	/**
 	 * time we did the cookie switch
 	 */
 	u_int32_t secret_switch;
-	
+
 	/**
 	 * time offset to use, hides our system time
 	 */
 	u_int32_t secret_offset;
-	
+
 	/**
 	 * the RNG to use for secret generation
 	 */
 	rng_t *rng;
-	
+
 	/**
 	 * hasher to use for cookie calculation
 	 */
 	hasher_t *hasher;
-	
+
 	/**
 	 * require cookies after this many half open IKE_SAs
 	 */
 	u_int32_t cookie_threshold;
-	
+
 	/**
 	 * how many half open IKE_SAs per peer before blocking
 	 */
@@ -119,7 +113,7 @@ static void send_notify(message_t *request, notify_type_t type, chunk_t data)
 		host_t *src, *dst;
 		packet_t *packet;
 		ike_sa_id_t *ike_sa_id;
-		
+
 		response = message_create();
 		dst = request->get_source(request);
 		src = request->get_destination(request);
@@ -149,7 +143,7 @@ static chunk_t cookie_build(private_receiver_t *this, message_t *message,
 	u_int64_t spi = message->get_initiator_spi(message);
 	host_t *ip = message->get_source(message);
 	chunk_t input, hash;
-	
+
 	/* COOKIE = t | sha1( IPi | SPIi | t | secret ) */
 	input = chunk_cata("cccc", ip->get_address(ip), chunk_from_thing(spi),
 					  chunk_from_thing(t), secret);
@@ -167,18 +161,18 @@ static bool cookie_verify(private_receiver_t *this, message_t *message,
 	u_int32_t t, now;
 	chunk_t reference;
 	chunk_t secret;
-	
-	now = time(NULL);
+
+	now = time_monotonic(NULL);
 	t = *(u_int32_t*)cookie.ptr;
-	
+
 	if (cookie.len != sizeof(u_int32_t) +
-			this->hasher->get_hash_size(this->hasher) || 
+			this->hasher->get_hash_size(this->hasher) ||
 		t < now - this->secret_offset - COOKIE_LIFETIME)
 	{
 		DBG2(DBG_NET, "received cookie lifetime expired, rejecting");
-		return FALSE;	
+		return FALSE;
 	}
-	
+
 	/* check if cookie is derived from old_secret */
 	if (t + this->secret_offset > this->secret_switch)
 	{
@@ -188,7 +182,7 @@ static bool cookie_verify(private_receiver_t *this, message_t *message,
 	{
 		secret = chunk_from_thing(this->secret_old);
 	}
-	
+
 	/* compare own calculation against received */
 	reference = cookie_build(this, message, t, secret);
 	if (chunk_equals(reference, cookie))
@@ -206,20 +200,20 @@ static bool cookie_verify(private_receiver_t *this, message_t *message,
 static bool cookie_required(private_receiver_t *this, message_t *message)
 {
 	bool failed = FALSE;
-		
+
 	if (charon->ike_sa_manager->get_half_open_count(charon->ike_sa_manager,
 												NULL) >= this->cookie_threshold)
 	{
 		/* check for a cookie. We don't use our parser here and do it
-		 * quick and dirty for performance reasons. 
-		 * we assume the cookie is the first payload (which is a MUST), and 
+		 * quick and dirty for performance reasons.
+		 * we assume the cookie is the first payload (which is a MUST), and
 		 * the cookie's SPI length is zero. */
 		packet_t *packet = message->get_packet(message);
 		chunk_t data = packet->get_data(packet);
-		if (data.len < 
+		if (data.len <
 			 IKE_HEADER_LENGTH + NOTIFY_PAYLOAD_HEADER_LENGTH +
 			 sizeof(u_int32_t) + this->hasher->get_hash_size(this->hasher) ||
-			*(data.ptr + 16) != NOTIFY || 
+			*(data.ptr + 16) != NOTIFY ||
 			*(u_int16_t*)(data.ptr + IKE_HEADER_LENGTH + 6) != htons(COOKIE))
 		{
 			/* no cookie found */
@@ -261,14 +255,14 @@ static job_requeue_t receive_packets(private_receiver_t *this)
 	packet_t *packet;
 	message_t *message;
 	job_t *job;
-	
+
 	/* read in a packet */
 	if (charon->socket->receive(charon->socket, &packet) != SUCCESS)
 	{
 		DBG2(DBG_NET, "receiving from socket failed!");
 		return JOB_REQUEUE_FAIR;
 	}
-	
+
 	/* parse message header */
 	message = message_create_from_packet(packet);
 	if (message->parse_header(message) != SUCCESS)
@@ -278,28 +272,28 @@ static job_requeue_t receive_packets(private_receiver_t *this)
 		message->destroy(message);
 		return JOB_REQUEUE_DIRECT;
 	}
-	
+
 	/* check IKE major version */
 	if (message->get_major_version(message) != IKE_MAJOR_VERSION)
 	{
 		DBG1(DBG_NET, "received unsupported IKE version %d.%d from %H, "
-			 "sending INVALID_MAJOR_VERSION", message->get_major_version(message), 
+			 "sending INVALID_MAJOR_VERSION", message->get_major_version(message),
 			 message->get_minor_version(message), packet->get_source(packet));
 		send_notify(message, INVALID_MAJOR_VERSION, chunk_empty);
 		message->destroy(message);
 		return JOB_REQUEUE_DIRECT;
 	}
-	
+
 	if (message->get_request(message) &&
 		message->get_exchange_type(message) == IKE_SA_INIT)
 	{
 		/* check for cookies */
 		if (this->cookie_threshold && cookie_required(this, message))
 		{
-			u_int32_t now = time(NULL);
+			u_int32_t now = time_monotonic(NULL);
 			chunk_t cookie = cookie_build(this, message, now - this->secret_offset,
-										  chunk_from_thing(this->secret));	
-			
+										  chunk_from_thing(this->secret));
+
 			DBG2(DBG_NET, "received packet from: %#H to %#H",
 				 message->get_source(message),
 				 message->get_destination(message));
@@ -312,7 +306,7 @@ static job_requeue_t receive_packets(private_receiver_t *this)
 				/* create new cookie */
 				DBG1(DBG_NET, "generating new cookie secret after %d uses",
 					 this->secret_used);
-				memcpy(this->secret_old, this->secret, SECRET_LENGTH);	
+				memcpy(this->secret_old, this->secret, SECRET_LENGTH);
 				this->rng->get_bytes(this->rng,	SECRET_LENGTH, this->secret);
 				this->secret_switch = now;
 				this->secret_used = 0;
@@ -320,7 +314,7 @@ static job_requeue_t receive_packets(private_receiver_t *this)
 			message->destroy(message);
 			return JOB_REQUEUE_DIRECT;
 		}
-		
+
 		/* check if peer has not too many IKE_SAs half open */
 		if (this->block_threshold && peer_to_aggressive(this, message))
 		{
@@ -352,10 +346,10 @@ static void destroy(private_receiver_t *this)
 receiver_t *receiver_create()
 {
 	private_receiver_t *this = malloc_thing(private_receiver_t);
-	u_int32_t now = time(NULL);
-	
+	u_int32_t now = time_monotonic(NULL);
+
 	this->public.destroy = (void(*)(receiver_t*)) destroy;
-	
+
 	this->hasher = lib->crypto->create_hasher(lib->crypto, HASH_PREFERRED);
 	if (this->hasher == NULL)
 	{
@@ -385,11 +379,11 @@ receiver_t *receiver_create()
 		this->cookie_threshold = 0;
 		this->block_threshold = 0;
 	}
-	
+
 	this->job = callback_job_create((callback_job_cb_t)receive_packets,
 									this, NULL, NULL);
 	charon->processor->queue_job(charon->processor, (job_t*)this->job);
-	
+
 	return &this->public;
 }
 
diff --git a/src/charon/network/receiver.h b/src/charon/network/receiver.h
index 87797634e..690d8dbab 100644
--- a/src/charon/network/receiver.h
+++ b/src/charon/network/receiver.h
@@ -29,7 +29,7 @@ typedef struct receiver_t receiver_t;
 
 /**
  * Receives packets from the socket and adds them to the job queue.
- * 
+ *
  * The receiver starts a thread, wich reads on the blocking socket. A received
  * packet is preparsed and a process_message_job is queued in the job queue.
  *
@@ -41,16 +41,16 @@ typedef struct receiver_t receiver_t;
  * find out wich key was used for cookie creation. Further, we can set a
  * lifetime for the cookie, which allows us to reuse the secret for a longer
  * time.
- *         COOKIE = time | sha1( IPi | SPIi | time | secret )
+ *		 COOKIE = time | sha1( IPi | SPIi | time | secret )
  *
  * The secret is changed after a certain amount of cookies sent. The old
  * secret is stored to allow a clean migration between secret changes.
- * 
+ *
  * Further, the number of half-initiated IKE_SAs is limited per peer. This
  * mades it impossible for a peer to flood the server with its real IP address.
  */
 struct receiver_t {
-	
+
 	/**
 	 * Destroys a receiver_t object.
 	 */
@@ -59,10 +59,10 @@ struct receiver_t {
 
 /**
  * Create a receiver_t object.
- * 
+ *
  * The receiver thread will start working, get data
  * from the socket and add those packets to the job queue.
- * 
+ *
  * @return	receiver_t object, NULL if initialization fails
  */
 receiver_t * receiver_create(void);
diff --git a/src/charon/network/sender.c b/src/charon/network/sender.c
index 19f589115..3be5861dd 100644
--- a/src/charon/network/sender.c
+++ b/src/charon/network/sender.c
@@ -15,14 +15,15 @@
  */
 
 #include <stdlib.h>
-#include <pthread.h>
 
 #include "sender.h"
 
 #include <daemon.h>
 #include <network/socket.h>
 #include <processing/jobs/callback_job.h>
-#include <utils/mutex.h>
+#include <threading/thread.h>
+#include <threading/condvar.h>
+#include <threading/mutex.h>
 
 
 typedef struct private_sender_t private_sender_t;
@@ -40,7 +41,7 @@ struct private_sender_t {
 	 * Sender threads job.
 	 */
 	callback_job_t *job;
-	 
+
 	/**
 	 * The packets are stored in a linked list
 	 */
@@ -55,7 +56,7 @@ struct private_sender_t {
 	 * condvar to signal for packets added to list
 	 */
 	condvar_t *got;
-	
+
 	/**
 	 * condvar to signal for packets sent
 	 */
@@ -68,11 +69,11 @@ struct private_sender_t {
 static void send_(private_sender_t *this, packet_t *packet)
 {
 	host_t *src, *dst;
-	
+
 	src = packet->get_source(packet);
 	dst = packet->get_destination(packet);
 	DBG1(DBG_NET, "sending packet: from %#H to %#H", src, dst);
-	
+
 	this->mutex->lock(this->mutex);
 	this->list->insert_last(this->list, packet);
 	this->got->signal(this->got);
@@ -85,24 +86,24 @@ static void send_(private_sender_t *this, packet_t *packet)
 static job_requeue_t send_packets(private_sender_t * this)
 {
 	packet_t *packet;
-	int oldstate;
-	
+	bool oldstate;
+
 	this->mutex->lock(this->mutex);
 	while (this->list->get_count(this->list) == 0)
 	{
 		/* add cleanup handler, wait for packet, remove cleanup handler */
-		pthread_cleanup_push((void(*)(void*))this->mutex->unlock, this->mutex);
-		pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
-		
+		thread_cleanup_push((thread_cleanup_t)this->mutex->unlock, this->mutex);
+		oldstate = thread_cancelability(TRUE);
+
 		this->got->wait(this->got, this->mutex);
-		
-		pthread_setcancelstate(oldstate, NULL);
-		pthread_cleanup_pop(0);
+
+		thread_cancelability(oldstate);
+		thread_cleanup_pop(FALSE);
 	}
 	this->list->remove_first(this->list, (void**)&packet);
 	this->sent->signal(this->sent);
 	this->mutex->unlock(this->mutex);
-	
+
 	charon->socket->send(charon->socket, packet);
 	packet->destroy(packet);
 	return JOB_REQUEUE_DIRECT;
@@ -134,19 +135,19 @@ static void destroy(private_sender_t *this)
 sender_t * sender_create()
 {
 	private_sender_t *this = malloc_thing(private_sender_t);
-	
+
 	this->public.send = (void(*)(sender_t*,packet_t*))send_;
 	this->public.destroy = (void(*)(sender_t*)) destroy;
-	
+
 	this->list = linked_list_create();
 	this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
 	this->got = condvar_create(CONDVAR_TYPE_DEFAULT);
 	this->sent = condvar_create(CONDVAR_TYPE_DEFAULT);
-	
+
 	this->job = callback_job_create((callback_job_cb_t)send_packets,
 									this, NULL, NULL);
 	charon->processor->queue_job(charon->processor, (job_t*)this->job);
-	
+
 	return &this->public;
 }
 
diff --git a/src/charon/network/sender.h b/src/charon/network/sender.h
index 55f67af70..f77fadab2 100644
--- a/src/charon/network/sender.h
+++ b/src/charon/network/sender.h
@@ -31,7 +31,7 @@ typedef struct sender_t sender_t;
  * Thread responsible for sending packets over the socket.
  */
 struct sender_t {
-	
+
 	/**
 	 * Send a packet over the network.
 	 *
@@ -39,10 +39,10 @@ struct sender_t {
 	 * Whenever the sender thread thinks it's good to send the packet,
 	 * it'll do so.
 	 *
- 	 * @param packet	packet to send
+	 * @param packet	packet to send
 	 */
 	void (*send) (sender_t *this, packet_t *packet);
-	
+
 	/**
 	 * Destroys a sender object.
 	 */
@@ -51,10 +51,10 @@ struct sender_t {
 
 /**
  * Create the sender thread.
- * 
+ *
  * The thread will start to work, getting packets
  * from its queue and sends them out.
- * 
+ *
  * @return		created sender object
  */
 sender_t * sender_create(void);
diff --git a/src/charon/network/socket-raw.c b/src/charon/network/socket-raw.c
index 148be486c..6cc0463b2 100644
--- a/src/charon/network/socket-raw.c
+++ b/src/charon/network/socket-raw.c
@@ -18,7 +18,6 @@
 /* for struct in6_pktinfo */
 #define _GNU_SOURCE
 
-#include <pthread.h>
 #include <sys/types.h>
 #include <sys/socket.h>
 #include <string.h>
@@ -38,6 +37,7 @@
 #include "socket.h"
 
 #include <daemon.h>
+#include <threading/thread.h>
 
 /* constants for packet handling */
 #define IP_LEN sizeof(struct iphdr)
@@ -85,12 +85,12 @@ struct private_socket_t{
 	  * port used for nat-t
 	  */
 	 int natt_port;
-	 
+
 	 /**
 	  * raw receiver socket for IPv4
 	  */
 	 int recv4;
-	 
+
 	 /**
 	  * raw receiver socket for IPv6
 	  */
@@ -127,12 +127,12 @@ static status_t receiver(private_socket_t *this, packet_t **packet)
 	packet_t *pkt;
 	struct udphdr *udp;
 	host_t *source = NULL, *dest = NULL;
-	int bytes_read = 0;
-	int data_offset, oldstate;
+	int bytes_read = 0, data_offset;
+	bool oldstate;
 	fd_set rfds;
 
 	FD_ZERO(&rfds);
-	
+
 	if (this->recv4)
 	{
 		FD_SET(this->recv4, &rfds);
@@ -141,24 +141,24 @@ static status_t receiver(private_socket_t *this, packet_t **packet)
 	{
 		FD_SET(this->recv6, &rfds);
 	}
-	
+
 	DBG2(DBG_NET, "waiting for data on raw sockets");
-	
-	pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
+
+	oldstate = thread_cancelability(TRUE);
 	if (select(max(this->recv4, this->recv6) + 1, &rfds, NULL, NULL, NULL) <= 0)
 	{
-		pthread_setcancelstate(oldstate, NULL);
+		thread_cancelability(oldstate);
 		return FAILED;
 	}
-	pthread_setcancelstate(oldstate, NULL);
-	
+	thread_cancelability(oldstate);
+
 	if (this->recv4 && FD_ISSET(this->recv4, &rfds))
 	{
 		/* IPv4 raw sockets return the IP header. We read src/dest
 		 * information directly from the raw header */
 		struct iphdr *ip;
 		struct sockaddr_in src, dst;
-		
+
 		bytes_read = recv(this->recv4, buffer, MAX_PACKET, 0);
 		if (bytes_read < 0)
 		{
@@ -166,7 +166,7 @@ static status_t receiver(private_socket_t *this, packet_t **packet)
 			return FAILED;
 		}
 		DBG3(DBG_NET, "received IPv4 packet %b", buffer, bytes_read);
-		
+
 		/* read source/dest from raw IP/UDP header */
 		if (bytes_read < IP_LEN + UDP_LEN + MARKER_LEN)
 		{
@@ -184,13 +184,13 @@ static status_t receiver(private_socket_t *this, packet_t **packet)
 		dst.sin_port = udp->dest;
 		source = host_create_from_sockaddr((sockaddr_t*)&src);
 		dest = host_create_from_sockaddr((sockaddr_t*)&dst);
-		
+
 		pkt = packet_create();
 		pkt->set_source(pkt, source);
 		pkt->set_destination(pkt, dest);
 		DBG2(DBG_NET, "received packet: from %#H to %#H", source, dest);
 		data_offset = IP_LEN + UDP_LEN;
-		/* remove non esp marker */	
+		/* remove non esp marker */
 		if (dest->get_port(dest) == IKEV2_NATT_PORT)
 		{
 			data_offset += MARKER_LEN;
@@ -210,7 +210,7 @@ static status_t receiver(private_socket_t *this, packet_t **packet)
 		struct sockaddr_in6 src, dst;
 		struct iovec iov;
 		char ancillary[64];
-		
+
 		msg.msg_name = &src;
 		msg.msg_namelen = sizeof(src);
 		iov.iov_base = buffer;
@@ -220,7 +220,7 @@ static status_t receiver(private_socket_t *this, packet_t **packet)
 		msg.msg_control = ancillary;
 		msg.msg_controllen = sizeof(ancillary);
 		msg.msg_flags = 0;
-		
+
 		bytes_read = recvmsg(this->recv6, &msg, 0);
 		if (bytes_read < 0)
 		{
@@ -228,14 +228,14 @@ static status_t receiver(private_socket_t *this, packet_t **packet)
 			return FAILED;
 		}
 		DBG3(DBG_NET, "received IPv6 packet %b", buffer, bytes_read);
-		
+
 		if (bytes_read < IP_LEN + UDP_LEN + MARKER_LEN)
 		{
 			DBG3(DBG_NET, "received IPv6 packet too short (%d bytes)",
 				 bytes_read);
 			return FAILED;
 		}
-		
+
 		/* read ancillary data to get destination address */
 		for (cmsgptr = CMSG_FIRSTHDR(&msg); cmsgptr != NULL;
 			 cmsgptr = CMSG_NXTHDR(&msg, cmsgptr))
@@ -244,13 +244,13 @@ static status_t receiver(private_socket_t *this, packet_t **packet)
 			{
 				DBG1(DBG_NET, "error reading IPv6 ancillary data");
 				return FAILED;
-			}	
+			}
 			if (cmsgptr->cmsg_level == SOL_IPV6 &&
 				cmsgptr->cmsg_type == IPV6_2292PKTINFO)
 			{
 				struct in6_pktinfo *pktinfo;
 				pktinfo = (struct in6_pktinfo*)CMSG_DATA(cmsgptr);
-				
+
 				memset(&dst, 0, sizeof(dst));
 				memcpy(&dst.sin6_addr, &pktinfo->ipi6_addr, sizeof(dst.sin6_addr));
 				dst.sin6_family = AF_INET6;
@@ -266,15 +266,15 @@ static status_t receiver(private_socket_t *this, packet_t **packet)
 			DBG1(DBG_NET, "error reading IPv6 packet header");
 			return FAILED;
 		}
-		
+
 		source = host_create_from_sockaddr((sockaddr_t*)&src);
-		
+
 		pkt = packet_create();
 		pkt->set_source(pkt, source);
 		pkt->set_destination(pkt, dest);
 		DBG2(DBG_NET, "received packet: from %#H to %#H", source, dest);
 		data_offset = UDP_LEN;
-		/* remove non esp marker */	
+		/* remove non esp marker */
 		if (dest->get_port(dest) == IKEV2_NATT_PORT)
 		{
 			data_offset += MARKER_LEN;
@@ -290,7 +290,7 @@ static status_t receiver(private_socket_t *this, packet_t **packet)
 		/* oops, shouldn't happen */
 		return FAILED;
 	}
-	
+
 	/* return packet */
 	*packet = pkt;
 	return SUCCESS;
@@ -308,13 +308,13 @@ status_t sender(private_socket_t *this, packet_t *packet)
 	struct msghdr msg;
 	struct cmsghdr *cmsg;
 	struct iovec iov;
-	
+
 	src = packet->get_source(packet);
 	dst = packet->get_destination(packet);
 	data = packet->get_data(packet);
 
 	DBG2(DBG_NET, "sending packet: from %#H to %#H", src, dst);
-	
+
 	/* send data */
 	sport = src->get_port(src);
 	family = dst->get_family(dst);
@@ -362,7 +362,7 @@ status_t sender(private_socket_t *this, packet_t *packet)
 		DBG1(DBG_NET, "unable to locate a send socket for port %d", sport);
 		return FAILED;
 	}
-	
+
 	memset(&msg, 0, sizeof(struct msghdr));
 	msg.msg_name = dst->get_sockaddr(dst);;
 	msg.msg_namelen = *dst->get_sockaddr_len(dst);
@@ -371,7 +371,7 @@ status_t sender(private_socket_t *this, packet_t *packet)
 	msg.msg_iov = &iov;
 	msg.msg_iovlen = 1;
 	msg.msg_flags = 0;
-	
+
 	if (!src->is_anyaddr(src))
 	{
 		if (family == AF_INET)
@@ -379,7 +379,7 @@ status_t sender(private_socket_t *this, packet_t *packet)
 			char buf[CMSG_SPACE(sizeof(struct in_pktinfo))];
 			struct in_pktinfo *pktinfo;
 			struct sockaddr_in *sin;
-			
+
 			msg.msg_control = buf;
 			msg.msg_controllen = sizeof(buf);
 			cmsg = CMSG_FIRSTHDR(&msg);
@@ -396,7 +396,7 @@ status_t sender(private_socket_t *this, packet_t *packet)
 			char buf[CMSG_SPACE(sizeof(struct in6_pktinfo))];
 			struct in6_pktinfo *pktinfo;
 			struct sockaddr_in6 *sin;
-			
+
 			msg.msg_control = buf;
 			msg.msg_controllen = sizeof(buf);
 			cmsg = CMSG_FIRSTHDR(&msg);
@@ -409,7 +409,7 @@ status_t sender(private_socket_t *this, packet_t *packet)
 			memcpy(&pktinfo->ipi6_addr, &sin->sin6_addr, sizeof(struct in6_addr));
 		}
 	}
-	
+
 	bytes_sent = sendmsg(skt, &msg, 0);
 
 	if (bytes_sent != data.len)
@@ -430,7 +430,7 @@ static int open_send_socket(private_socket_t *this, int family, u_int16_t port)
 	struct sockaddr_storage addr;
 	u_int sol;
 	int skt;
-	
+
 	memset(&addr, 0, sizeof(addr));
 	/* precalculate constants depending on address family */
 	switch (family)
@@ -456,14 +456,14 @@ static int open_send_socket(private_socket_t *this, int family, u_int16_t port)
 		default:
 			return 0;
 	}
-	
+
 	skt = socket(family, SOCK_DGRAM, IPPROTO_UDP);
 	if (skt < 0)
 	{
 		DBG1(DBG_NET, "could not open send socket: %s", strerror(errno));
 		return 0;
 	}
-	
+
 	if (setsockopt(skt, SOL_SOCKET, SO_REUSEADDR, (void*)&on, sizeof(on)) < 0)
 	{
 		DBG1(DBG_NET, "unable to set SO_REUSEADDR on send socket: %s",
@@ -471,7 +471,7 @@ static int open_send_socket(private_socket_t *this, int family, u_int16_t port)
 		close(skt);
 		return 0;
 	}
-	
+
 	/* bind the send socket */
 	if (bind(skt, (struct sockaddr *)&addr, sizeof(addr)) < 0)
 	{
@@ -480,7 +480,7 @@ static int open_send_socket(private_socket_t *this, int family, u_int16_t port)
 		close(skt);
 		return 0;
 	}
-	
+
 	if (family == AF_INET)
 	{
 		/* enable UDP decapsulation globally, only for one socket needed */
@@ -490,7 +490,7 @@ static int open_send_socket(private_socket_t *this, int family, u_int16_t port)
 				 strerror(errno));
 		}
 	}
-	
+
 	return skt;
 }
 
@@ -502,7 +502,7 @@ static int open_recv_socket(private_socket_t *this, int family)
 	int skt;
 	int on = TRUE;
 	u_int proto_offset, ip_len, sol, udp_header, ike_header;
-	
+
 	/* precalculate constants depending on address family */
 	switch (family)
 	{
@@ -521,7 +521,7 @@ static int open_recv_socket(private_socket_t *this, int family)
 	}
 	udp_header = ip_len;
 	ike_header = ip_len + UDP_LEN;
-	
+
 	/* This filter code filters out all non-IKEv2 traffic on
 	 * a SOCK_RAW IP_PROTP_UDP socket. Handling of other
 	 * IKE versions is done in pluto.
@@ -560,7 +560,7 @@ static int open_recv_socket(private_socket_t *this, int family)
 		sizeof(ikev2_filter_code) / sizeof(struct sock_filter),
 		ikev2_filter_code
 	};
-	
+
 	/* set up a raw socket */
 	skt = socket(family, SOCK_RAW, IPPROTO_UDP);
 	if (skt < 0)
@@ -568,7 +568,7 @@ static int open_recv_socket(private_socket_t *this, int family)
 		DBG1(DBG_NET, "unable to create raw socket: %s", strerror(errno));
 		return 0;
 	}
-	
+
 	if (setsockopt(skt, SOL_SOCKET, SO_ATTACH_FILTER,
 				   &ikev2_filter, sizeof(ikev2_filter)) < 0)
 	{
@@ -577,7 +577,7 @@ static int open_recv_socket(private_socket_t *this, int family)
 		close(skt);
 		return 0;
 	}
-	
+
 	if (family == AF_INET6 &&
 		/* we use IPV6_2292PKTINFO, as IPV6_PKTINFO is defined as
 		 * 2 or 50 depending on kernel header version */
@@ -588,7 +588,7 @@ static int open_recv_socket(private_socket_t *this, int family)
 		close(skt);
 		return 0;
 	}
-	
+
 	return skt;
 }
 
@@ -621,7 +621,7 @@ static bool enumerate(socket_enumerator_t *this, int *fd, int *family, int *port
 		{ offsetof(private_socket_t, send4_natt), AF_INET, IKEV2_NATT_PORT },
 		{ offsetof(private_socket_t, send6_natt), AF_INET6, IKEV2_NATT_PORT }
 	};
-	
+
 	while(++this->index < countof(sockets))
 	{
 		int sock = *(int*)((char*)this->socket + sockets[this->index].fd_offset);
@@ -643,7 +643,7 @@ static bool enumerate(socket_enumerator_t *this, int *fd, int *family, int *port
 static enumerator_t *create_enumerator(private_socket_t *this)
 {
 	socket_enumerator_t *enumerator;
-	
+
 	enumerator = malloc_thing(socket_enumerator_t);
 	enumerator->index = -1;
 	enumerator->socket = this;
@@ -690,20 +690,20 @@ static void destroy(private_socket_t *this)
 socket_t *socket_create()
 {
 	private_socket_t *this = malloc_thing(private_socket_t);
-	
+
 	/* public functions */
 	this->public.send = (status_t(*)(socket_t*, packet_t*))sender;
 	this->public.receive = (status_t(*)(socket_t*, packet_t**))receiver;
 	this->public.create_enumerator = (enumerator_t*(*)(socket_t*))create_enumerator;
 	this->public.destroy = (void(*)(socket_t*)) destroy;
-	
+
 	this->recv4 = 0;
 	this->recv6 = 0;
 	this->send4 = 0;
 	this->send6 = 0;
 	this->send4_natt = 0;
 	this->send6_natt = 0;
-	
+
 	this->recv4 = open_recv_socket(this, AF_INET);
 	if (this->recv4 == 0)
 	{
@@ -726,7 +726,7 @@ socket_t *socket_create()
 			}
 		}
 	}
-	
+
 	this->recv6 = open_recv_socket(this, AF_INET6);
 	if (this->recv6 == 0)
 	{
@@ -749,13 +749,13 @@ socket_t *socket_create()
 			}
 		}
 	}
-	
+
 	if (!(this->send4 || this->send6) || !(this->recv4 || this->recv6))
 	{
 		DBG1(DBG_NET, "could not create any sockets");
 		destroy(this);
 		charon->kill(charon, "socket initialization failed");
 	}
-	
+
 	return (socket_t*)this;
 }
diff --git a/src/charon/network/socket.c b/src/charon/network/socket.c
index 97c88be79..81f860b15 100644
--- a/src/charon/network/socket.c
+++ b/src/charon/network/socket.c
@@ -23,7 +23,6 @@
 #define __EXTENSIONS__
 #endif
 
-#include <pthread.h>
 #include <sys/types.h>
 #include <sys/socket.h>
 #include <string.h>
@@ -35,7 +34,6 @@
 #include <netinet/in_systm.h>
 #include <netinet/in.h>
 #include <netinet/ip.h>
-#include <netinet/ip6.h>
 #include <netinet/udp.h>
 #include <net/if.h>
 #ifdef __APPLE__
@@ -45,6 +43,7 @@
 #include "socket.h"
 
 #include <daemon.h>
+#include <threading/thread.h>
 
 /* length of non-esp marker */
 #define MARKER_LEN sizeof(u_int32_t)
@@ -72,9 +71,16 @@
 /* IPV6_RECVPKTINFO is defined in RFC 3542 which obsoletes RFC 2292 that
  * previously defined IPV6_PKTINFO */
 #ifndef IPV6_RECVPKTINFO
-#define IPV6_RECVPKTINFO IPV6_PKTINFO;
+#define IPV6_RECVPKTINFO IPV6_PKTINFO
 #endif
 
+#ifndef IN6ADDR_ANY_INIT
+#define IN6ADDR_ANY_INIT {{{0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}}}
+#endif
+
+#ifndef HAVE_IN6ADDR_ANY
+static const struct in6_addr in6addr_any = IN6ADDR_ANY_INIT;
+#endif
 
 typedef struct private_socket_t private_socket_t;
 
@@ -86,22 +92,22 @@ struct private_socket_t {
 	 * public functions
 	 */
 	socket_t public;
-	
+
 	/**
 	 * IPv4 socket (500)
 	 */
 	int ipv4;
-	 
+
 	/**
 	 * IPv4 socket for NATT (4500)
 	 */
 	int ipv4_natt;
-	
+
 	/**
 	 * IPv6 socket (500)
 	 */
 	int ipv6;
-	
+
 	/**
 	 * IPv6 socket for NATT (4500)
 	 */
@@ -117,14 +123,15 @@ static status_t receiver(private_socket_t *this, packet_t **packet)
 	chunk_t data;
 	packet_t *pkt;
 	host_t *source = NULL, *dest = NULL;
-	int bytes_read = 0;
-	int data_offset, oldstate;
+	int bytes_read = 0, data_offset;
+	bool oldstate;
+
 	fd_set rfds;
 	int max_fd = 0, selected = 0;
 	u_int16_t port = 0;
-	
+
 	FD_ZERO(&rfds);
-	
+
 	if (this->ipv4)
 	{
 		FD_SET(this->ipv4, &rfds);
@@ -142,16 +149,16 @@ static status_t receiver(private_socket_t *this, packet_t **packet)
 		FD_SET(this->ipv6_natt, &rfds);
 	}
 	max_fd = max(max(this->ipv4, this->ipv4_natt), max(this->ipv6, this->ipv6_natt));
-	
+
 	DBG2(DBG_NET, "waiting for data on sockets");
-	pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
+	oldstate = thread_cancelability(TRUE);
 	if (select(max_fd + 1, &rfds, NULL, NULL, NULL) <= 0)
 	{
-		pthread_setcancelstate(oldstate, NULL);
+		thread_cancelability(oldstate);
 		return FAILED;
 	}
-	pthread_setcancelstate(oldstate, NULL);
-	
+	thread_cancelability(oldstate);
+
 	if (FD_ISSET(this->ipv4, &rfds))
 	{
 		port = IKEV2_UDP_PORT;
@@ -182,7 +189,7 @@ static status_t receiver(private_socket_t *this, packet_t **packet)
 			struct sockaddr_in in4;
 			struct sockaddr_in6 in6;
 		} src;
-		
+
 		msg.msg_name = &src;
 		msg.msg_namelen = sizeof(src);
 		iov.iov_base = buffer;
@@ -199,14 +206,14 @@ static status_t receiver(private_socket_t *this, packet_t **packet)
 			return FAILED;
 		}
 		DBG3(DBG_NET, "received packet %b", buffer, bytes_read);
-		
+
 		if (bytes_read < MARKER_LEN)
 		{
 			DBG3(DBG_NET, "received packet too short (%d bytes)",
 				 bytes_read);
 			return FAILED;
 		}
-		
+
 		/* read ancillary data to get destination address */
 		for (cmsgptr = CMSG_FIRSTHDR(&msg); cmsgptr != NULL;
 			 cmsgptr = CMSG_NXTHDR(&msg, cmsgptr))
@@ -216,20 +223,22 @@ static status_t receiver(private_socket_t *this, packet_t **packet)
 				DBG1(DBG_NET, "error reading ancillary data");
 				return FAILED;
 			}
-			
+
+#ifdef HAVE_IN6_PKTINFO
 			if (cmsgptr->cmsg_level == SOL_IPV6 &&
 				cmsgptr->cmsg_type == IPV6_PKTINFO)
 			{
 				struct in6_pktinfo *pktinfo;
 				pktinfo = (struct in6_pktinfo*)CMSG_DATA(cmsgptr);
 				struct sockaddr_in6 dst;
-				
+
 				memset(&dst, 0, sizeof(dst));
 				memcpy(&dst.sin6_addr, &pktinfo->ipi6_addr, sizeof(dst.sin6_addr));
 				dst.sin6_family = AF_INET6;
 				dst.sin6_port = htons(port);
 				dest = host_create_from_sockaddr((sockaddr_t*)&dst);
 			}
+#endif /* HAVE_IN6_PKTINFO */
 			if (cmsgptr->cmsg_level == SOL_IP &&
 #ifdef IP_PKTINFO
 				cmsgptr->cmsg_type == IP_PKTINFO
@@ -252,7 +261,7 @@ static status_t receiver(private_socket_t *this, packet_t **packet)
 #endif
 				memset(&dst, 0, sizeof(dst));
 				memcpy(&dst.sin_addr, addr, sizeof(dst.sin_addr));
-				
+
 				dst.sin_family = AF_INET;
 				dst.sin_port = htons(port);
 				dest = host_create_from_sockaddr((sockaddr_t*)&dst);
@@ -268,13 +277,13 @@ static status_t receiver(private_socket_t *this, packet_t **packet)
 			return FAILED;
 		}
 		source = host_create_from_sockaddr((sockaddr_t*)&src);
-		
+
 		pkt = packet_create();
 		pkt->set_source(pkt, source);
 		pkt->set_destination(pkt, dest);
 		DBG2(DBG_NET, "received packet: from %#H to %#H", source, dest);
 		data_offset = 0;
-		/* remove non esp marker */	
+		/* remove non esp marker */
 		if (dest->get_port(dest) == IKEV2_NATT_PORT)
 		{
 			data_offset += MARKER_LEN;
@@ -307,13 +316,13 @@ status_t sender(private_socket_t *this, packet_t *packet)
 	struct msghdr msg;
 	struct cmsghdr *cmsg;
 	struct iovec iov;
-	
+
 	src = packet->get_source(packet);
 	dst = packet->get_destination(packet);
 	data = packet->get_data(packet);
 
 	DBG2(DBG_NET, "sending packet: from %#H to %#H", src, dst);
-	
+
 	/* send data */
 	sport = src->get_port(src);
 	family = dst->get_family(dst);
@@ -361,7 +370,7 @@ status_t sender(private_socket_t *this, packet_t *packet)
 		DBG1(DBG_NET, "unable to locate a send socket for port %d", sport);
 		return FAILED;
 	}
-	
+
 	memset(&msg, 0, sizeof(struct msghdr));
 	msg.msg_name = dst->get_sockaddr(dst);;
 	msg.msg_namelen = *dst->get_sockaddr_len(dst);
@@ -370,7 +379,7 @@ status_t sender(private_socket_t *this, packet_t *packet)
 	msg.msg_iov = &iov;
 	msg.msg_iovlen = 1;
 	msg.msg_flags = 0;
-	
+
 	if (!src->is_anyaddr(src))
 	{
 		if (family == AF_INET)
@@ -403,12 +412,13 @@ status_t sender(private_socket_t *this, packet_t *packet)
 			memcpy(addr, &sin->sin_addr, sizeof(struct in_addr));
 #endif /* IP_PKTINFO || IP_SENDSRCADDR */
 		}
+#ifdef HAVE_IN6_PKTINFO
 		else
 		{
 			char buf[CMSG_SPACE(sizeof(struct in6_pktinfo))];
 			struct in6_pktinfo *pktinfo;
 			struct sockaddr_in6 *sin;
-			
+
 			msg.msg_control = buf;
 			msg.msg_controllen = sizeof(buf);
 			cmsg = CMSG_FIRSTHDR(&msg);
@@ -420,8 +430,9 @@ status_t sender(private_socket_t *this, packet_t *packet)
 			sin = (struct sockaddr_in6*)src->get_sockaddr(src);
 			memcpy(&pktinfo->ipi6_addr, &sin->sin6_addr, sizeof(struct in6_addr));
 		}
+#endif /* HAVE_IN6_PKTINFO */
 	}
-	
+
 	bytes_sent = sendmsg(skt, &msg, 0);
 
 	if (bytes_sent != data.len)
@@ -442,7 +453,7 @@ static int open_socket(private_socket_t *this, int family, u_int16_t port)
 	socklen_t addrlen;
 	u_int sol, pktinfo = 0;
 	int skt;
-	
+
 	memset(&addr, 0, sizeof(addr));
 	/* precalculate constants depending on address family */
 	switch (family)
@@ -476,7 +487,7 @@ static int open_socket(private_socket_t *this, int family, u_int16_t port)
 		default:
 			return 0;
 	}
-	
+
 	skt = socket(family, SOCK_DGRAM, IPPROTO_UDP);
 	if (skt < 0)
 	{
@@ -489,7 +500,7 @@ static int open_socket(private_socket_t *this, int family, u_int16_t port)
 		close(skt);
 		return 0;
 	}
-	
+
 	/* bind the socket */
 	if (bind(skt, (struct sockaddr *)&addr, addrlen) < 0)
 	{
@@ -497,7 +508,7 @@ static int open_socket(private_socket_t *this, int family, u_int16_t port)
 		close(skt);
 		return 0;
 	}
-	
+
 	/* get additional packet info on receive */
 	if (pktinfo > 0)
 	{
@@ -550,7 +561,7 @@ static bool enumerate(socket_enumerator_t *this, int *fd, int *family, int *port
 		{ offsetof(private_socket_t, ipv4_natt), AF_INET, IKEV2_NATT_PORT },
 		{ offsetof(private_socket_t, ipv6_natt), AF_INET6, IKEV2_NATT_PORT }
 	};
-	
+
 	while(++this->index < countof(sockets))
 	{
 		int sock = *(int*)((char*)this->socket + sockets[this->index].fd_offset);
@@ -572,7 +583,7 @@ static bool enumerate(socket_enumerator_t *this, int *fd, int *family, int *port
 static enumerator_t *create_enumerator(private_socket_t *this)
 {
 	socket_enumerator_t *enumerator;
-	
+
 	enumerator = malloc_thing(socket_enumerator_t);
 	enumerator->index = -1;
 	enumerator->socket = this;
@@ -617,7 +628,7 @@ socket_t *socket_create()
 	this->public.receive = (status_t(*)(socket_t*, packet_t**))receiver;
 	this->public.create_enumerator = (enumerator_t*(*)(socket_t*))create_enumerator;
 	this->public.destroy = (void(*)(socket_t*)) destroy;
-	
+
 	this->ipv4 = 0;
 	this->ipv6 = 0;
 	this->ipv4_natt = 0;
@@ -634,7 +645,7 @@ socket_t *socket_create()
 		}
 	}
 #endif
-	
+
 	this->ipv4 = open_socket(this, AF_INET, IKEV2_UDP_PORT);
 	if (this->ipv4 == 0)
 	{
@@ -648,7 +659,7 @@ socket_t *socket_create()
 			DBG1(DBG_NET, "could not open IPv4 NAT-T socket");
 		}
 	}
-	
+
 	this->ipv6 = open_socket(this, AF_INET6, IKEV2_UDP_PORT);
 	if (this->ipv6 == 0)
 	{
@@ -662,13 +673,13 @@ socket_t *socket_create()
 			DBG1(DBG_NET, "could not open IPv6 NAT-T socket");
 		}
 	}
-	
+
 	if (!this->ipv4 && !this->ipv6)
 	{
 		DBG1(DBG_NET, "could not create any sockets");
 		destroy(this);
 		charon->kill(charon, "socket initialization failed");
-	}	
+	}
 	return (socket_t*)this;
 }
 
diff --git a/src/charon/network/socket.h b/src/charon/network/socket.h
index 81f2ec5fe..83bb9d4c9 100644
--- a/src/charon/network/socket.h
+++ b/src/charon/network/socket.h
@@ -44,48 +44,48 @@ typedef struct socket_t socket_t;
  * All available sockets are bound and the receive function
  * reads from them. There are actually two implementations:
  * The first uses raw sockets to allow binding of other daemons (pluto) to
- * UDP/500. An installed "Linux socket filter" filters out all non-IKEv2 
- * traffic and handles just IKEv2 messages. An other daemon (pluto) must 
- * handle all traffic separately, e.g. ignore IKEv2 traffic, since charon 
+ * UDP/500. An installed "Linux socket filter" filters out all non-IKEv2
+ * traffic and handles just IKEv2 messages. An other daemon (pluto) must
+ * handle all traffic separately, e.g. ignore IKEv2 traffic, since charon
  * handles that.
  * The other implementation uses normal sockets and is built if
  * --disable-pluto is given to the configure script.
  */
 struct socket_t {
-	
+
 	/**
 	 * Receive a packet.
-	 * 
+	 *
 	 * Reads a packet from the socket and sets source/dest
 	 * appropriately.
-	 * 
+	 *
 	 * @param packet		pinter gets address from allocated packet_t
-	 * @return 				
+	 * @return
 	 * 						- SUCCESS when packet successfully received
 	 * 						- FAILED when unable to receive
 	 */
 	status_t (*receive) (socket_t *this, packet_t **packet);
-	
+
 	/**
 	 * Send a packet.
-	 * 
+	 *
 	 * Sends a packet to the net using source and destination addresses of
 	 * the packet.
-	 * 
+	 *
 	 * @param packet		packet_t to send
-	 * @return 				
+	 * @return
 	 * 						- SUCCESS when packet successfully sent
 	 * 						- FAILED when unable to send
 	 */
 	status_t (*send) (socket_t *this, packet_t *packet);
-	
+
 	/**
 	 * Enumerate all underlying socket file descriptors.
-	 * 
+	 *
 	 * @return				enumerator over (int fd, int family, int port)
 	 */
 	enumerator_t *(*create_enumerator) (socket_t *this);
-	
+
 	/**
 	 * Destroy socket.
 	 */
diff --git a/src/charon/plugins/attr/Makefile.in b/src/charon/plugins/attr/Makefile.in
index 5c94771e1..689bb3244 100644
--- a/src/charon/plugins/attr/Makefile.in
+++ b/src/charon/plugins/attr/Makefile.in
@@ -1,8 +1,9 @@
-# Makefile.in generated by automake 1.10.2 from Makefile.am.
+# Makefile.in generated by automake 1.11 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,8 +17,9 @@
 
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
@@ -35,19 +37,41 @@ host_triplet = @host@
 subdir = src/charon/plugins/attr
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
 CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
 am__vpath_adj = case $$p in \
     $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
     *) f=$$p;; \
   esac;
-am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__installdirs = "$(DESTDIR)$(plugindir)"
-pluginLTLIBRARIES_INSTALL = $(INSTALL)
 LTLIBRARIES = $(plugin_LTLIBRARIES)
 libstrongswan_attr_la_LIBADD =
 am_libstrongswan_attr_la_OBJECTS = attr_plugin.lo attr_provider.lo
@@ -58,6 +82,7 @@ libstrongswan_attr_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
+am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
@@ -105,25 +130,22 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
-IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
-LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
-LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
-LINUX_HEADERS = @LINUX_HEADERS@
 LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
 NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
@@ -135,11 +157,14 @@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
 PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
+RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
@@ -168,9 +193,9 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
-confdir = @confdir@
 datadir = @datadir@
 datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
@@ -193,7 +218,7 @@ ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
 libstrongswan_plugins = @libstrongswan_plugins@
-linuxdir = @linuxdir@
+linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
@@ -201,6 +226,7 @@ mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
@@ -209,10 +235,12 @@ pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+random_device = @random_device@
 resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
-simreader = @simreader@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
@@ -220,6 +248,7 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
@@ -242,9 +271,9 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/charon/plugins/attr/Makefile'; \
-	cd $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu  src/charon/plugins/attr/Makefile
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/charon/plugins/attr/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/charon/plugins/attr/Makefile
 .PRECIOUS: Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
@@ -262,23 +291,28 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
 	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
 	  if test -f $$p; then \
-	    f=$(am__strip_dir) \
-	    echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(plugindir)/$$f'"; \
-	    $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(plugindir)/$$f"; \
+	    list2="$$list2 $$p"; \
 	  else :; fi; \
-	done
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
 
 uninstall-pluginLTLIBRARIES:
 	@$(NORMAL_UNINSTALL)
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
-	  p=$(am__strip_dir) \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$p'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$p"; \
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
 	done
 
 clean-pluginLTLIBRARIES:
@@ -303,21 +337,21 @@ distclean-compile:
 
 .c.o:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c $<
 
 .c.obj:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
 @am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
@@ -340,7 +374,7 @@ tags: TAGS
 
 TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
+	set x; \
 	here=`pwd`; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
@@ -348,29 +382,34 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
 	  test -n "$$unique" || unique=$$empty_fix; \
-	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	    $$tags $$unique; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
 	fi
 ctags: CTAGS
 CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	test -z "$(CTAGS_ARGS)$$unique" \
 	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$tags $$unique
+	     $$unique
 
 GTAGS:
 	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && cd $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) $$here
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
 
 distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
@@ -391,13 +430,17 @@ distdir: $(DISTFILES)
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
 	  if test -d $$d/$$file; then \
 	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
 	    fi; \
-	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
 	  else \
-	    test -f $(distdir)/$$file \
-	    || cp -p $$d/$$file $(distdir)/$$file \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
 	    || exit 1; \
 	  fi; \
 	done
@@ -428,6 +471,7 @@ clean-generic:
 
 distclean-generic:
 	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -449,6 +493,8 @@ dvi-am:
 
 html: html-am
 
+html-am:
+
 info: info-am
 
 info-am:
@@ -457,18 +503,28 @@ install-data-am: install-pluginLTLIBRARIES
 
 install-dvi: install-dvi-am
 
+install-dvi-am:
+
 install-exec-am:
 
 install-html: install-html-am
 
+install-html-am:
+
 install-info: install-info-am
 
+install-info-am:
+
 install-man:
 
 install-pdf: install-pdf-am
 
+install-pdf-am:
+
 install-ps: install-ps-am
 
+install-ps-am:
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -507,6 +563,7 @@ uninstall-am: uninstall-pluginLTLIBRARIES
 	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
 	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
 
+
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/src/charon/plugins/attr/attr_plugin.c b/src/charon/plugins/attr/attr_plugin.c
index 9d5532310..6dfb10271 100644
--- a/src/charon/plugins/attr/attr_plugin.c
+++ b/src/charon/plugins/attr/attr_plugin.c
@@ -24,12 +24,12 @@ typedef struct private_attr_plugin_t private_attr_plugin_t;
  * private data of attr plugin
  */
 struct private_attr_plugin_t {
-	
+
 	/**
 	 * implements plugin interface
 	 */
 	attr_plugin_t public;
-	
+
 	/**
 	 * CFG attributes provider
 	 */
@@ -41,7 +41,7 @@ struct private_attr_plugin_t {
  */
 static void destroy(private_attr_plugin_t *this)
 {
-	charon->attributes->remove_provider(charon->attributes, &this->provider->provider);
+	lib->attributes->remove_provider(lib->attributes, &this->provider->provider);
 	this->provider->destroy(this->provider);
 	free(this);
 }
@@ -52,12 +52,12 @@ static void destroy(private_attr_plugin_t *this)
 plugin_t *plugin_create()
 {
 	private_attr_plugin_t *this = malloc_thing(private_attr_plugin_t);
-	
+
 	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-	
+
 	this->provider = attr_provider_create();
-	charon->attributes->add_provider(charon->attributes, &this->provider->provider);
-	
+	lib->attributes->add_provider(lib->attributes, &this->provider->provider);
+
 	return &this->public.plugin;
 }
 
diff --git a/src/charon/plugins/attr/attr_plugin.h b/src/charon/plugins/attr/attr_plugin.h
index 9cbbd8bf5..9f31b60e1 100644
--- a/src/charon/plugins/attr/attr_plugin.h
+++ b/src/charon/plugins/attr/attr_plugin.h
@@ -32,7 +32,7 @@ typedef struct attr_plugin_t attr_plugin_t;
  * Plugin providing configuration attribute through strongswan.conf.
  */
 struct attr_plugin_t {
-	
+
 	/**
 	 * implements plugin interface
 	 */
diff --git a/src/charon/plugins/attr/attr_provider.c b/src/charon/plugins/attr/attr_provider.c
index 02fa11327..548896f56 100644
--- a/src/charon/plugins/attr/attr_provider.c
+++ b/src/charon/plugins/attr/attr_provider.c
@@ -28,12 +28,12 @@ typedef struct attribute_entry_t attribute_entry_t;
  * private data of attr_provider
  */
 struct private_attr_provider_t {
-	
+
 	/**
 	 * public functions
 	 */
 	attr_provider_t public;
-	
+
 	/**
 	 * List of attributes, attribute_entry_t
 	 */
@@ -61,12 +61,16 @@ static bool attr_enum_filter(void *null, attribute_entry_t **in,
 /**
  * Implementation of attribute_provider_t.create_attribute_enumerator
  */
-static enumerator_t* create_attribute_enumerator(
-					private_attr_provider_t *this, identification_t *id)
+static enumerator_t* create_attribute_enumerator(private_attr_provider_t *this,
+											identification_t *id, host_t *vip)
 {
-	return enumerator_create_filter(
+	if (vip)
+	{
+		return enumerator_create_filter(
 						this->attributes->create_enumerator(this->attributes),
 						(void*)attr_enum_filter, NULL, NULL);
+	}
+	return enumerator_create_empty();
 }
 
 /**
@@ -75,7 +79,7 @@ static enumerator_t* create_attribute_enumerator(
 static void destroy(private_attr_provider_t *this)
 {
 	attribute_entry_t *entry;
-	
+
 	while (this->attributes->remove_last(this->attributes,
 										 (void**)&entry) == SUCCESS)
 	{
@@ -89,13 +93,13 @@ static void destroy(private_attr_provider_t *this)
 /**
  * Add an attribute entry to the list
  */
-static void add_entry(private_attr_provider_t *this, char *key, int nr,
-					  configuration_attribute_type_t type)
+static void add_legacy_entry(private_attr_provider_t *this, char *key, int nr,
+							 configuration_attribute_type_t type)
 {
 	attribute_entry_t *entry;
 	host_t *host;
 	char *str;
-	
+
 	str = lib->settings->get_str(lib->settings, "charon.%s%d", NULL, key, nr);
 	if (str)
 	{
@@ -103,7 +107,7 @@ static void add_entry(private_attr_provider_t *this, char *key, int nr,
 		if (host)
 		{
 			entry = malloc_thing(attribute_entry_t);
-			
+
 			if (host->get_family(host) == AF_INET6)
 			{
 				switch (type)
@@ -126,6 +130,82 @@ static void add_entry(private_attr_provider_t *this, char *key, int nr,
 	}
 }
 
+/**
+ * Key to attribute type mappings, for v4 and v6 attributes
+ */
+static struct {
+	char *name;
+	configuration_attribute_type_t v4;
+	configuration_attribute_type_t v6;
+} keys[] = {
+	{"address",		INTERNAL_IP4_ADDRESS,	INTERNAL_IP6_ADDRESS},
+	{"dns",			INTERNAL_IP4_DNS,		INTERNAL_IP6_DNS},
+	{"nbns",		INTERNAL_IP4_NBNS,		INTERNAL_IP6_NBNS},
+	{"dhcp",		INTERNAL_IP4_DHCP,		INTERNAL_IP6_DHCP},
+	{"netmask",		INTERNAL_IP4_NETMASK,	INTERNAL_IP6_NETMASK},
+	{"server",		INTERNAL_IP4_SERVER,	INTERNAL_IP6_SERVER},
+};
+
+/**
+ * Load (numerical) entries from the plugins.attr namespace
+ */
+static void load_entries(private_attr_provider_t *this)
+{
+	enumerator_t *enumerator, *tokens;
+	char *key, *value, *token;
+
+	enumerator = lib->settings->create_key_value_enumerator(lib->settings,
+														"charon.plugins.attr");
+	while (enumerator->enumerate(enumerator, &key, &value))
+	{
+		configuration_attribute_type_t type;
+		attribute_entry_t *entry;
+		host_t *host;
+		int i;
+
+		type = atoi(key);
+		tokens = enumerator_create_token(value, ",", " ");
+		while (tokens->enumerate(tokens, &token))
+		{
+			host = host_create_from_string(token, 0);
+			if (!host)
+			{
+				DBG1(DBG_CFG, "invalid host in key %s: %s", key, token);
+				continue;
+			}
+			if (!type)
+			{
+				for (i = 0; i < countof(keys); i++)
+				{
+					if (streq(key, keys[i].name))
+					{
+						if (host->get_family(host) == AF_INET)
+						{
+							type = keys[i].v4;
+						}
+						else
+						{
+							type = keys[i].v6;
+						}
+					}
+				}
+				if (!type)
+				{
+					DBG1(DBG_CFG, "mapping attribute type %s failed", key);
+					break;
+				}
+			}
+			entry = malloc_thing(attribute_entry_t);
+			entry->type = type;
+			entry->value = chunk_clone(host->get_address(host));
+			host->destroy(host);
+			this->attributes->insert_last(this->attributes, entry);
+		}
+		tokens->destroy(tokens);
+	}
+	enumerator->destroy(enumerator);
+}
+
 /*
  * see header file
  */
@@ -133,22 +213,24 @@ attr_provider_t *attr_provider_create(database_t *db)
 {
 	private_attr_provider_t *this;
 	int i;
-	
+
 	this = malloc_thing(private_attr_provider_t);
-	
+
 	this->public.provider.acquire_address = (host_t*(*)(attribute_provider_t *this, char*, identification_t *, host_t *))return_null;
 	this->public.provider.release_address = (bool(*)(attribute_provider_t *this, char*,host_t *, identification_t*))return_false;
-	this->public.provider.create_attribute_enumerator = (enumerator_t*(*)(attribute_provider_t*, identification_t *id))create_attribute_enumerator;
+	this->public.provider.create_attribute_enumerator = (enumerator_t*(*)(attribute_provider_t*, identification_t *id, host_t *vip))create_attribute_enumerator;
 	this->public.destroy = (void(*)(attr_provider_t*))destroy;
-	
+
 	this->attributes = linked_list_create();
-	
+
 	for (i = 1; i <= SERVER_MAX; i++)
 	{
-		add_entry(this, "dns", i, INTERNAL_IP4_DNS);
-		add_entry(this, "nbns", i, INTERNAL_IP4_NBNS);
+		add_legacy_entry(this, "dns", i, INTERNAL_IP4_DNS);
+		add_legacy_entry(this, "nbns", i, INTERNAL_IP4_NBNS);
 	}
-	
+
+	load_entries(this);
+
 	return &this->public;
 }
 
diff --git a/src/charon/plugins/attr/attr_provider.h b/src/charon/plugins/attr/attr_provider.h
index 03cbadb4e..a41466718 100644
--- a/src/charon/plugins/attr/attr_provider.h
+++ b/src/charon/plugins/attr/attr_provider.h
@@ -21,7 +21,7 @@
 #ifndef ATTR_PROVIDER_H_
 #define ATTR_PROVIDER_H_
 
-#include <config/attributes/attribute_provider.h>
+#include <attributes/attribute_provider.h>
 
 typedef struct attr_provider_t attr_provider_t;
 
@@ -29,12 +29,12 @@ typedef struct attr_provider_t attr_provider_t;
  * Provide configuration attributes through static strongswan.conf definition.
  */
 struct attr_provider_t {
-	
+
 	/**
 	 * Implements attribute provider interface
 	 */
 	attribute_provider_t provider;
-	
+
 	/**
 	 * Destroy a attr_provider instance.
 	 */
diff --git a/src/charon/plugins/eap_aka/Makefile.am b/src/charon/plugins/eap_aka/Makefile.am
index 1a3ea1857..e007f5f00 100644
--- a/src/charon/plugins/eap_aka/Makefile.am
+++ b/src/charon/plugins/eap_aka/Makefile.am
@@ -1,11 +1,14 @@
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon \
+  -I$(top_srcdir)/src/libsimaka
 
 AM_CFLAGS = -rdynamic
 
-plugin_LTLIBRARIES = libstrongswan-eapaka.la
+plugin_LTLIBRARIES = libstrongswan-eap-aka.la
 
-libstrongswan_eapaka_la_SOURCES = eap_aka_plugin.h eap_aka_plugin.c eap_aka.h eap_aka.c
-libstrongswan_eapaka_la_LDFLAGS = -module -avoid-version
-libstrongswan_eapaka_la_LIBADD = -lgmp
+libstrongswan_eap_aka_la_SOURCES = eap_aka_plugin.h eap_aka_plugin.c \
+  eap_aka_peer.h eap_aka_peer.c \
+  eap_aka_server.h eap_aka_server.c
+libstrongswan_eap_aka_la_LIBADD = $(top_builddir)/src/libsimaka/libsimaka.la
+libstrongswan_eap_aka_la_LDFLAGS = -module -avoid-version
 
diff --git a/src/charon/plugins/eap_aka/Makefile.in b/src/charon/plugins/eap_aka/Makefile.in
index 2d2405379..d241e1ad0 100644
--- a/src/charon/plugins/eap_aka/Makefile.in
+++ b/src/charon/plugins/eap_aka/Makefile.in
@@ -1,8 +1,9 @@
-# Makefile.in generated by automake 1.10.2 from Makefile.am.
+# Makefile.in generated by automake 1.11 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,8 +17,9 @@
 
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
@@ -35,30 +37,55 @@ host_triplet = @host@
 subdir = src/charon/plugins/eap_aka
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
 CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
 am__vpath_adj = case $$p in \
     $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
     *) f=$$p;; \
   esac;
-am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__installdirs = "$(DESTDIR)$(plugindir)"
-pluginLTLIBRARIES_INSTALL = $(INSTALL)
 LTLIBRARIES = $(plugin_LTLIBRARIES)
-libstrongswan_eapaka_la_DEPENDENCIES =
-am_libstrongswan_eapaka_la_OBJECTS = eap_aka_plugin.lo eap_aka.lo
-libstrongswan_eapaka_la_OBJECTS =  \
-	$(am_libstrongswan_eapaka_la_OBJECTS)
-libstrongswan_eapaka_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+libstrongswan_eap_aka_la_DEPENDENCIES =  \
+	$(top_builddir)/src/libsimaka/libsimaka.la
+am_libstrongswan_eap_aka_la_OBJECTS = eap_aka_plugin.lo \
+	eap_aka_peer.lo eap_aka_server.lo
+libstrongswan_eap_aka_la_OBJECTS =  \
+	$(am_libstrongswan_eap_aka_la_OBJECTS)
+libstrongswan_eap_aka_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
 	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_eapaka_la_LDFLAGS) $(LDFLAGS) -o $@
+	$(libstrongswan_eap_aka_la_LDFLAGS) $(LDFLAGS) -o $@
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
+am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
@@ -68,8 +95,8 @@ CCLD = $(CC)
 LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
 	$(LDFLAGS) -o $@
-SOURCES = $(libstrongswan_eapaka_la_SOURCES)
-DIST_SOURCES = $(libstrongswan_eapaka_la_SOURCES)
+SOURCES = $(libstrongswan_eap_aka_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_eap_aka_la_SOURCES)
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -106,25 +133,22 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
-IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
-LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
-LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
-LINUX_HEADERS = @LINUX_HEADERS@
 LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
 NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
@@ -136,11 +160,14 @@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
 PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
+RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
@@ -169,9 +196,9 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
-confdir = @confdir@
 datadir = @datadir@
 datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
@@ -194,7 +221,7 @@ ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
 libstrongswan_plugins = @libstrongswan_plugins@
-linuxdir = @linuxdir@
+linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
@@ -202,6 +229,7 @@ mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
@@ -210,10 +238,12 @@ pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+random_device = @random_device@
 resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
-simreader = @simreader@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
@@ -221,14 +251,20 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon \
+  -I$(top_srcdir)/src/libsimaka
+
 AM_CFLAGS = -rdynamic
-plugin_LTLIBRARIES = libstrongswan-eapaka.la
-libstrongswan_eapaka_la_SOURCES = eap_aka_plugin.h eap_aka_plugin.c eap_aka.h eap_aka.c
-libstrongswan_eapaka_la_LDFLAGS = -module -avoid-version
-libstrongswan_eapaka_la_LIBADD = -lgmp
+plugin_LTLIBRARIES = libstrongswan-eap-aka.la
+libstrongswan_eap_aka_la_SOURCES = eap_aka_plugin.h eap_aka_plugin.c \
+  eap_aka_peer.h eap_aka_peer.c \
+  eap_aka_server.h eap_aka_server.c
+
+libstrongswan_eap_aka_la_LIBADD = $(top_builddir)/src/libsimaka/libsimaka.la
+libstrongswan_eap_aka_la_LDFLAGS = -module -avoid-version
 all: all-am
 
 .SUFFIXES:
@@ -242,9 +278,9 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/charon/plugins/eap_aka/Makefile'; \
-	cd $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu  src/charon/plugins/eap_aka/Makefile
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/charon/plugins/eap_aka/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/charon/plugins/eap_aka/Makefile
 .PRECIOUS: Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
@@ -262,23 +298,28 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
 	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
 	  if test -f $$p; then \
-	    f=$(am__strip_dir) \
-	    echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(plugindir)/$$f'"; \
-	    $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(plugindir)/$$f"; \
+	    list2="$$list2 $$p"; \
 	  else :; fi; \
-	done
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
 
 uninstall-pluginLTLIBRARIES:
 	@$(NORMAL_UNINSTALL)
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
-	  p=$(am__strip_dir) \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$p'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$p"; \
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
 	done
 
 clean-pluginLTLIBRARIES:
@@ -289,8 +330,8 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-eapaka.la: $(libstrongswan_eapaka_la_OBJECTS) $(libstrongswan_eapaka_la_DEPENDENCIES) 
-	$(libstrongswan_eapaka_la_LINK) -rpath $(plugindir) $(libstrongswan_eapaka_la_OBJECTS) $(libstrongswan_eapaka_la_LIBADD) $(LIBS)
+libstrongswan-eap-aka.la: $(libstrongswan_eap_aka_la_OBJECTS) $(libstrongswan_eap_aka_la_DEPENDENCIES) 
+	$(libstrongswan_eap_aka_la_LINK) -rpath $(plugindir) $(libstrongswan_eap_aka_la_OBJECTS) $(libstrongswan_eap_aka_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -298,26 +339,27 @@ mostlyclean-compile:
 distclean-compile:
 	-rm -f *.tab.c
 
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_aka.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_aka_peer.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_aka_plugin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_aka_server.Plo@am__quote@
 
 .c.o:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c $<
 
 .c.obj:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
 @am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
@@ -340,7 +382,7 @@ tags: TAGS
 
 TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
+	set x; \
 	here=`pwd`; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
@@ -348,29 +390,34 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
 	  test -n "$$unique" || unique=$$empty_fix; \
-	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	    $$tags $$unique; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
 	fi
 ctags: CTAGS
 CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	test -z "$(CTAGS_ARGS)$$unique" \
 	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$tags $$unique
+	     $$unique
 
 GTAGS:
 	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && cd $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) $$here
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
 
 distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
@@ -391,13 +438,17 @@ distdir: $(DISTFILES)
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
 	  if test -d $$d/$$file; then \
 	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
 	    fi; \
-	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
 	  else \
-	    test -f $(distdir)/$$file \
-	    || cp -p $$d/$$file $(distdir)/$$file \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
 	    || exit 1; \
 	  fi; \
 	done
@@ -428,6 +479,7 @@ clean-generic:
 
 distclean-generic:
 	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -449,6 +501,8 @@ dvi-am:
 
 html: html-am
 
+html-am:
+
 info: info-am
 
 info-am:
@@ -457,18 +511,28 @@ install-data-am: install-pluginLTLIBRARIES
 
 install-dvi: install-dvi-am
 
+install-dvi-am:
+
 install-exec-am:
 
 install-html: install-html-am
 
+install-html-am:
+
 install-info: install-info-am
 
+install-info-am:
+
 install-man:
 
 install-pdf: install-pdf-am
 
+install-pdf-am:
+
 install-ps: install-ps-am
 
+install-ps-am:
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -507,6 +571,7 @@ uninstall-am: uninstall-pluginLTLIBRARIES
 	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
 	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
 
+
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/src/charon/plugins/eap_aka/eap_aka.c b/src/charon/plugins/eap_aka/eap_aka.c
deleted file mode 100644
index 82ee6c3f0..000000000
--- a/src/charon/plugins/eap_aka/eap_aka.c
+++ /dev/null
@@ -1,1553 +0,0 @@
-/*
- * Copyright (C) 2006 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-
-/* The EAP-AKA method uses it's own simple parser for processing EAP-AKA
- * payloads, as the IKEv2 parser is not suitable for that job. There are
- * two simple methods for parsing payloads, read_header() and read_attribute().
- * Every EAP-AKA payload consists of a header and a list of attributes. Those
- * functions mentioned read the data and return the type of the found
- * attribute/EAP-AKA-type. For generating a EAP-AKA message, we have a
- * build_aka_payload(), which builds the whole message from a variable
- * argument list containing its attributes.
- * The processing of messages is split up in various functions:
- * - peer_process() - General processing multiplexer for the peer
- *   - peer_process_challenge() - Specific AKA-Challenge processor
- *   - peer_process_notification() - Processing of AKA-Notification
- * - server_process() - General processing multiplexer for the server
- *   - peer_process_challenge() - Processing of a received Challenge response
- *   - peer_process_synchronize() - Process a sequence number synchronization
- * - server_initiate() - Initiation method for the server, calls
- *   - server_initiate_challenge() - Initiation of AKA-Challenge
- */
-
-#include <limits.h>
-#include <string.h>
-#include <unistd.h>
-#include <sys/time.h>
-#include <time.h>
-#include <gmp.h>
-
-#include "eap_aka.h"
-
-#include <daemon.h>
-#include <library.h>
-#include <crypto/hashers/hasher.h>
-
-/* Use test vectors specified in S.S0055
-#define TEST_VECTORS */
-
-#define RAND_LENGTH		16
-#define RES_LENGTH		16
-#define SQN_LENGTH		 6
-#define K_LENGTH		16
-#define MAC_LENGTH 		 8
-#define CK_LENGTH		16
-#define IK_LENGTH		16
-#define AK_LENGTH		 6
-#define AMF_LENGTH		 2
-#define FMK_LENGTH		 4
-#define AUTN_LENGTH 	(SQN_LENGTH + AMF_LENGTH + MAC_LENGTH)
-#define AUTS_LENGTH 	(SQN_LENGTH + MAC_LENGTH)
-#define PAYLOAD_LENGTH	64
-#define MK_LENGTH		20
-#define MSK_LENGTH		64
-#define EMSK_LENGTH		64
-#define KAUTH_LENGTH	16
-#define KENCR_LENGTH	16
-#define AT_MAC_LENGTH	16
-
-#define F1			  0x42
-#define F1STAR		  0x43
-#define F2			  0x44
-#define F3			  0x45
-#define F4			  0x46
-#define F5			  0x47
-#define F5STAR		  0x48
-
-typedef enum aka_subtype_t aka_subtype_t;
-typedef enum aka_attribute_t aka_attribute_t;
-
-/**
- * Subtypes of AKA messages
- */
-enum aka_subtype_t {
-	AKA_CHALLENGE = 1,
-	AKA_AUTHENTICATION_REJECT = 2,
-	AKA_SYNCHRONIZATION_FAILURE = 4,
-	AKA_IDENTITY = 5,
-	AKA_NOTIFICATION = 12,
-	AKA_REAUTHENTICATION = 13,
-	AKA_CLIENT_ERROR = 14,
-};
-
-/**
- * Attribute types in AKA messages
- */
-enum aka_attribute_t {
-	/** defines the end of attribute list */
-	AT_END = -1,
-	AT_RAND = 1,
-	AT_AUTN = 2,
-	AT_RES = 3,
-	AT_AUTS = 4,
-	AT_PADDING = 6,
-	AT_NONCE_MT = 7,
-	AT_PERMANENT_ID_REQ = 10,
-	AT_MAC = 11,
-	AT_NOTIFICATION = 12,
-	AT_ANY_ID_REQ = 13,
-	AT_IDENTITY = 14,
-	AT_VERSION_LIST = 15,
-	AT_SELECTED_VERSION = 16,
-	AT_FULLAUTH_ID_REQ = 17,
-	AT_COUNTER = 19,
-	AT_COUNTER_TOO_SMALL = 20,
-	AT_NONCE_S = 21,
-	AT_CLIENT_ERROR_CODE = 22,
-	AT_IV = 129,
-	AT_ENCR_DATA = 130,
-	AT_NEXT_PSEUDONYM = 132,
-	AT_NEXT_REAUTH_ID = 133,
-	AT_CHECKCODE = 134,
-	AT_RESULT_IND = 135,
-};
-
-ENUM_BEGIN(aka_subtype_names, AKA_CHALLENGE, AKA_IDENTITY,
-	"AKA_CHALLENGE",
-	"AKA_AUTHENTICATION_REJECT",
-	"AKA_3",
-	"AKA_SYNCHRONIZATION_FAILURE",
-	"AKA_IDENTITY");
-ENUM_NEXT(aka_subtype_names, AKA_NOTIFICATION, AKA_CLIENT_ERROR, AKA_IDENTITY,
-	"AKA_NOTIFICATION",
-	"AKA_REAUTHENTICATION",
-	"AKA_CLIENT_ERROR");
-ENUM_END(aka_subtype_names, AKA_CLIENT_ERROR);
-
-
-ENUM_BEGIN(aka_attribute_names, AT_END, AT_CLIENT_ERROR_CODE,
-	"AT_END",
-	"AT_0",
-	"AT_RAND",
-	"AT_AUTN",
-	"AT_RES",
-	"AT_AUTS",
-	"AT_5",
-	"AT_PADDING",
-	"AT_NONCE_MT",
-	"AT_8",
-	"AT_9",
-	"AT_PERMANENT_ID_REQ",
-	"AT_MAC",
-	"AT_NOTIFICATION",
-	"AT_ANY_ID_REQ",
-	"AT_IDENTITY",
-	"AT_VERSION_LIST",
-	"AT_SELECTED_VERSION",
-	"AT_FULLAUTH_ID_REQ",
-	"AT_18",
-	"AT_COUNTER",
-	"AT_COUNTER_TOO_SMALL",
-	"AT_NONCE_S",
-	"AT_CLIENT_ERROR_CODE");
-ENUM_NEXT(aka_attribute_names, AT_IV, AT_RESULT_IND, AT_CLIENT_ERROR_CODE,
-	"AT_IV",
-	"AT_ENCR_DATA",
-	"AT_131",
-	"AT_NEXT_PSEUDONYM",
-	"AT_NEXT_REAUTH_ID",
-	"AT_CHECKCODE",
-	"AT_RESULT_IND");
-ENUM_END(aka_attribute_names, AT_RESULT_IND);
-
-
-typedef struct private_eap_aka_t private_eap_aka_t;
-
-/**
- * Private data of an eap_aka_t object.
- */
-struct private_eap_aka_t {
-	
-	/**
-	 * Public authenticator_t interface.
-	 */
-	eap_aka_t public;
-	
-	/**
-	 * ID of the server
-	 */
-	identification_t *server;
-	
-	/**
-	 * ID of the peer
-	 */
-	identification_t *peer;
-	
-	/**
-	 * SHA11 hasher
-	 */
-	hasher_t *sha1;
-	
-	/**
-	 * MAC function used in EAP-AKA
-	 */
-	signer_t *signer;
-	
-	/**
-	 * pseudo random function used in EAP-aka
-	 */
-	prf_t *prf;
-	
-	/**
-	 * Special keyed SHA1 hasher used in EAP-AKA, implemented as PRF
-	 */
-	prf_t *keyed_prf;
-	
-	/**
-	 * Key for EAP MAC
-	 */
-	chunk_t k_auth;
-	
-	/**
-	 * Key for EAP encryption
-	 */
-	chunk_t k_encr;
-	
-	/**
-	 * MSK
-	 */
-	chunk_t msk;
-	
-	/**
-	 * Extendend MSK
-	 */
-	chunk_t emsk;
-	
-	/**
-	 * Expected result from client XRES
-	 */
-	chunk_t xres;
-	
-	/**
-	 * Shared secret K from ipsec.conf (padded)
-	 */
-	chunk_t k;
-	
-	/**
-	 * random value RAND generated by server
-	 */
-	 chunk_t rand;
-};
-
-/** Family key, as proposed in S.S0055 */
-static u_int8_t fmk_buf[] = {0x41, 0x48, 0x41, 0x47};
-static chunk_t fmk = chunk_from_buf(fmk_buf);
-
-/** Authentication management field */
-static u_int8_t amf_buf[] = {0x00, 0x01};
-static chunk_t amf = chunk_from_buf(amf_buf);
-
-/** AT_CLIENT_ERROR_CODE AKA attribute */
-static u_int8_t client_error_code_buf[] = {0, 0};
-static chunk_t client_error_code = chunk_from_buf(client_error_code_buf);
-
-/** previously used sqn by peer, next one must be greater */
-static u_int8_t peer_sqn_buf[6];
-static chunk_t peer_sqn = chunk_from_buf(peer_sqn_buf);
-
-/** set SQN to the current time */
-static void update_sqn(u_int8_t *sqn, time_t offset)
-{
-	timeval_t time;
-	gettimeofday(&time, NULL);
-	/* set sqb_sqn to an integer containing seconds followed by most
-	 * significant useconds */
-	time.tv_sec = htonl(time.tv_sec + offset);
-	/* usec's are never larger than 0x000f423f, so we shift the 12 first bits */
-	time.tv_usec <<= 12;
-	time.tv_usec = htonl(time.tv_usec);
-	memcpy(sqn, &time.tv_sec, 4);
-	memcpy(sqn + 4, &time.tv_usec, 2);
-}
-
-/** initialize peers SQN to the current system time at startup */
-static void __attribute__ ((constructor))init_sqn(void)
-{
-	update_sqn(peer_sqn_buf, 0);
-}
-
-/**
- * Binary represnation of the polynom T^160 + T^5 + T^3 + T^2 + 1
- */
-static u_int8_t g[] = {
-	0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-	0x00, 0x00, 0x00, 0x00, 0x2d
-};
-
-/**
- * Predefined random bits from the RAND Corporation book
- */
-static u_int8_t a[] = {
-	0x9d, 0xe9, 0xc9, 0xc8, 0xef, 0xd5, 0x78, 0x11,
-	0x48, 0x23, 0x14, 0x01, 0x90, 0x1f, 0x2d, 0x49,
-	0x3f, 0x4c, 0x63, 0x65
-};
-
-/**
- * Predefined random bits from the RAND Corporation book
- */
-static u_int8_t b[] = {
-	0x75, 0xef, 0xd1, 0x5c, 0x4b, 0x8f, 0x8f, 0x51,
-	0x4e, 0xf3, 0xbc, 0xc3, 0x79, 0x4a, 0x76, 0x5e,
-	0x7e, 0xec, 0x45, 0xe0
-};
-
-/**
- * Multiplicate two mpz_t with bits interpreted as polynoms.
- */
-static void mpz_mul_poly(mpz_t r, mpz_t a, mpz_t b)
-{
-	mpz_t bm, rm;
-	int current = 0, shifted = 0, shift;
-	
-	mpz_init_set(bm, b);
-	mpz_init_set_ui(rm, 0);
-	/* scan through a, for each found bit: */
-	while ((current = mpz_scan1(a, current)) != ULONG_MAX)
-	{
-		/* XOR shifted b into r */
-		shift = current - shifted;
-		mpz_mul_2exp(bm, bm, shift);
-		shifted += shift;
-		mpz_xor(rm, rm, bm);
-		current++;
-	}
-	
-	mpz_swap(r, rm);
-	mpz_clear(rm);
-	mpz_clear(bm);
-}
-
-/**
- * Calculate the sum of a + b interpreted as polynoms.
- */
-static void mpz_add_poly(mpz_t res, mpz_t a, mpz_t b)
-{
-	/* addition of polynominals is just the XOR */
-	mpz_xor(res, a, b);
-}
-
-/**
- * Calculate the remainder of a/b interpreted as polynoms.
- */
-static void mpz_mod_poly(mpz_t r, mpz_t a, mpz_t b)
-{
-	/* Example:
-	 * a = 10001010
-	 * b = 00000101
-	 */
-	int a_bit, b_bit, diff;
-	mpz_t bm, am;
-	
-	mpz_init_set(am, a);
-	mpz_init(bm);
-	
-	a_bit = mpz_sizeinbase(a, 2);
-	b_bit = mpz_sizeinbase(b, 2);
-	
-	/* don't do anything if b > a */
-	if (a_bit >= b_bit)
-	{
-		/* shift b left to align up most signaficant "1" to a:
-		 * a = 10001010
-		 * b = 10100000
-		 */
-		mpz_mul_2exp(bm, b, a_bit - b_bit);
-		do
-		{
-			/* XOR b into a, this kills the most significant "1":
-			 * a = 00101010
-			 */
-			mpz_xor(am, am, bm);
-			/* find the next most significant "1" in a, and align up b:
-			 * a = 00101010
-			 * b = 00101000
-			 */
-			diff = a_bit - mpz_sizeinbase(am, 2);
-			mpz_div_2exp(bm, bm, diff);
-			a_bit -= diff;
-		}
-		while (b_bit <= mpz_sizeinbase(bm, 2));
-		/* While b is not shifted to its original value */
-	}
-	/* after another iteration:
-	 * a = 00000010
-	 * which is the polynomial modulo
-	 */
-	
-	mpz_swap(r, am);
-	mpz_clear(am);
-	mpz_clear(bm);
-}
-
-/**
- * Step 4 of the various fx() functions:
- * Polynomial whiten calculations
- */
-static void step4(private_eap_aka_t *this, u_int8_t x[])
-{
-	mpz_t xm, am, bm, gm;
-	
-	mpz_init(xm);
-	mpz_init(am);
-	mpz_init(bm);
-	mpz_init(gm);
-	
-	mpz_import(xm, HASH_SIZE_SHA1, 1, 1, 1, 0, x);
-	mpz_import(am, sizeof(a), 1, 1, 1, 0, a);
-	mpz_import(bm, sizeof(b), 1, 1, 1, 0, b);
-	mpz_import(gm, sizeof(g), 1, 1, 1, 0, g);
-
-	mpz_mul_poly(xm, am, xm);
-	mpz_add_poly(xm, bm, xm);
-	mpz_mod_poly(xm, xm, gm);
-	
-	mpz_export(x, NULL, 1, HASH_SIZE_SHA1, 1, 0, xm);
-	
-	mpz_clear(xm);
-	mpz_clear(am);
-	mpz_clear(bm);
-	mpz_clear(gm);
-}
-
-/**
- * Step 3 of the various fx() functions:
- * XOR the key into the SHA1 IV
- */
-static void step3(private_eap_aka_t *this,
-				  chunk_t k, chunk_t payload, u_int8_t h[])
-{
-	u_int8_t buf[64];
-	
-	if (payload.len < sizeof(buf))
-	{
-		/* pad c with zeros */
-		memset(buf, 0, sizeof(buf));
-		memcpy(buf, payload.ptr, payload.len);
-		payload.ptr = buf;
-		payload.len = sizeof(buf);
-	}
-	else
-	{
-		/* not more than 512 bits can be G()-ed */
-		payload.len = sizeof(buf);
-	}
-	
-	/* use the keyed hasher to build the hash */
-	this->keyed_prf->set_key(this->keyed_prf, k);
-	this->keyed_prf->get_bytes(this->keyed_prf, payload, h);
-}
-
-/**
- * Calculation function for f2(), f3(), f4()
- */
-static void fx(private_eap_aka_t *this,
-			   u_int8_t f, chunk_t k, chunk_t rand, u_int8_t out[])
-{
-	chunk_t payload = chunk_alloca(PAYLOAD_LENGTH);
-	u_int8_t h[HASH_SIZE_SHA1];
-	u_int8_t i;
-	
-	for (i = 0; i < 2; i++)
-	{
-		memset(payload.ptr, 0x5c, payload.len);
-		payload.ptr[11] ^= f;
-		memxor(payload.ptr + 12, fmk.ptr, fmk.len);
-		memxor(payload.ptr + 24, rand.ptr, rand.len);
-		
-		payload.ptr[3]  ^= i;
-		payload.ptr[19] ^= i;
-		payload.ptr[35] ^= i;
-		payload.ptr[51] ^= i;
-		
-		step3(this, k, payload, h);
-		step4(this, h);
-		memcpy(out + i * 8, h, 8);
-	}
-}
-
-/**
- * Calculation function of f1() and f1star()
- */
-static void f1x(private_eap_aka_t *this,
-				u_int8_t f, chunk_t k, chunk_t rand, chunk_t sqn,
-				chunk_t amf, u_int8_t mac[])
-{
-	/* generate MAC = f1(FMK, SQN, RAND, AMF)
-	 * K is loaded into hashers IV; FMK, RAND, SQN, AMF are XORed in a 512-bit
-	 * payload which gets hashed
-	 */
-	chunk_t payload = chunk_alloca(PAYLOAD_LENGTH);
-	u_int8_t h[HASH_SIZE_SHA1];
-	
-	memset(payload.ptr, 0x5c, PAYLOAD_LENGTH);
-	payload.ptr[11] ^= f;
-	memxor(payload.ptr + 12, fmk.ptr, fmk.len);
-	memxor(payload.ptr + 16, rand.ptr, rand.len);
-	memxor(payload.ptr + 34, sqn.ptr, sqn.len);
-	memxor(payload.ptr + 42, amf.ptr, amf.len);
-	
-	step3(this, k, payload, h);
-	step4(this, h);
-	memcpy(mac, h, MAC_LENGTH);
-}
-
-/**
- * Calculation function of f5() and f5star()
- */
-static void f5x(private_eap_aka_t *this, 
-				u_int8_t f, chunk_t k, chunk_t rand, u_int8_t ak[])
-{
-	chunk_t payload = chunk_alloca(PAYLOAD_LENGTH);
-	u_int8_t h[HASH_SIZE_SHA1];
-	
-	memset(payload.ptr, 0x5c, payload.len);
-	payload.ptr[11] ^= f;
-	memxor(payload.ptr + 12, fmk.ptr, fmk.len);
-	memxor(payload.ptr + 16, rand.ptr, rand.len);
-	
-	step3(this, k, payload, h);
-	step4(this, h);
-	memcpy(ak, h, AK_LENGTH);
-}
-
-/**
- * Calculate the MAC from a RAND, SQN, AMF value using K
- */
-static void f1(private_eap_aka_t *this, chunk_t k, chunk_t rand, chunk_t sqn,
-			   chunk_t amf, u_int8_t mac[])
-{
-	f1x(this, F1, k, rand, sqn, amf, mac);
-	DBG3(DBG_IKE, "MAC %b", mac, MAC_LENGTH);
-}
-
-/**
- * Calculate the MACS from a RAND, SQN, AMF value using K
- */
-static void f1star(private_eap_aka_t *this, chunk_t k, chunk_t rand,
-				   chunk_t sqn, chunk_t amf, u_int8_t macs[])
-{
-	f1x(this, F1STAR, k, rand, sqn, amf, macs);
-	DBG3(DBG_IKE, "MACS %b", macs, MAC_LENGTH);
-}
-
-/**
- * Calculate RES from RAND using K
- */
-static void f2(private_eap_aka_t *this, chunk_t k, chunk_t rand, u_int8_t res[])
-{
-	fx(this, F2, k, rand, res);
-	DBG3(DBG_IKE, "RES %b", res, RES_LENGTH);
-}
-
-/**
- * Calculate CK from RAND using K
- */
-static void f3(private_eap_aka_t *this, chunk_t k, chunk_t rand, u_int8_t ck[])
-{
-	fx(this, F3, k, rand, ck);
-	DBG3(DBG_IKE, "CK %b", ck, CK_LENGTH);
-}
-
-/**
- * Calculate IK from RAND using K
- */
-static void f4(private_eap_aka_t *this, chunk_t k, chunk_t rand, u_int8_t ik[])
-{
-	fx(this, F4, k, rand, ik);
-	DBG3(DBG_IKE, "IK %b", ik, IK_LENGTH);
-}
-
-/**
- * Calculate AK from a RAND using K
- */
-static void f5(private_eap_aka_t *this, chunk_t k, chunk_t rand, u_int8_t ak[])
-{
-	f5x(this, F5, k, rand, ak);
-	DBG3(DBG_IKE, "AK %b", ak, AK_LENGTH);
-}
-
-/**
- * Calculate AKS from a RAND using K
- */
-static void f5star(private_eap_aka_t *this, chunk_t k, chunk_t rand, u_int8_t aks[])
-{
-	f5x(this, F5STAR, k, rand, aks);
-	DBG3(DBG_IKE, "AKS %b", aks, AK_LENGTH);
-}
-
-/**
- * derive the keys needed for EAP_AKA
- */
-static bool derive_keys(private_eap_aka_t *this, identification_t *id)
-{
-	chunk_t ck, ik, mk, identity, tmp;
-	
-	ck = chunk_alloca(CK_LENGTH);
-	ik = chunk_alloca(IK_LENGTH);
-	mk = chunk_alloca(MK_LENGTH);
-	identity = id->get_encoding(id);
-	
-	/* MK = SHA1( Identity | IK | CK ) */
-	f3(this, this->k, this->rand, ck.ptr);
-	f4(this, this->k, this->rand, ik.ptr);
-	DBG3(DBG_IKE, "Identity %B", &identity);
-	tmp = chunk_cata("ccc", identity, ik, ck);
-	DBG3(DBG_IKE, "Identity|IK|CK %B", &tmp);
-	this->sha1->get_hash(this->sha1, tmp, mk.ptr);
-	
-	/* K_encr | K_auth | MSK | EMSK = prf(0) | prf(0)
-	 * FIPS PRF has 320 bit block size, we need 160 byte for keys
-	 *  => run prf four times */
-	this->prf->set_key(this->prf, mk);
-	tmp = chunk_alloca(this->prf->get_block_size(this->prf) * 4);
-	this->prf->get_bytes(this->prf, chunk_empty, tmp.ptr);
-	this->prf->get_bytes(this->prf, chunk_empty, tmp.ptr + tmp.len / 4 * 1);
-	this->prf->get_bytes(this->prf, chunk_empty, tmp.ptr + tmp.len / 4 * 2);
-	this->prf->get_bytes(this->prf, chunk_empty, tmp.ptr + tmp.len / 4 * 3);
-	chunk_free(&this->k_encr);
-	chunk_free(&this->k_auth);
-	chunk_free(&this->msk);
-	chunk_free(&this->emsk);
-	chunk_split(tmp, "aaaa", 16, &this->k_encr, 16, &this->k_auth,
-				64, &this->msk, 64, &this->emsk);
-	DBG3(DBG_IKE, "MK %B", &mk);
-	DBG3(DBG_IKE, "PRF res %B", &tmp);
-	DBG3(DBG_IKE, "K_encr %B", &this->k_encr);
-	DBG3(DBG_IKE, "K_auth %B", &this->k_auth);
-	DBG3(DBG_IKE, "MSK %B", &this->msk);
-	DBG3(DBG_IKE, "EMSK %B", &this->emsk);
-	return TRUE;
-}
-
-/*
- * Get a shared key from ipsec.secrets.
- * We use the standard keys as used in preshared key authentication. As
- * these keys have an undefined length, we:
- * - strip them if they are longer
- * - fill them up with '\0' if they are shorter
- */
-static status_t load_key(identification_t *me, identification_t *other, chunk_t *k)
-{
-	shared_key_t *shared;
-	chunk_t key;
-
-	shared = charon->credentials->get_shared(charon->credentials, SHARED_EAP,
-											 me, other);
-	if (shared == NULL)
-	{
-		return NOT_FOUND;
-	}
-	key = shared->get_key(shared);
-	chunk_free(k);
-	*k = chunk_alloc(K_LENGTH);
-	memset(k->ptr, '\0', k->len);
-	memcpy(k->ptr, key.ptr, min(key.len, k->len));
-	shared->destroy(shared);
-	return SUCCESS;
-}
-
-/**
- * skip EAP_AKA header in message and returns its AKA subtype
- */
-static aka_subtype_t read_header(chunk_t *message)
-{
-	aka_subtype_t type;
-
-	if (message->len < 8)
-	{
-		*message = chunk_empty;
-		return 0;
-	}
-	type = *(message->ptr + 5);
-	*message = chunk_skip(*message, 8);
-	return type;
-}
-
-/**
- * read the next attribute from the chunk data
- */
-static aka_attribute_t read_attribute(chunk_t *data, chunk_t *attr_data)
-{
-	aka_attribute_t attribute;
-	size_t length;
-	
-	DBG3(DBG_IKE, "reading attribute from %B", data);
-	
-	if (data->len < 2)
-	{
-		return AT_END;
-	}
-	/* read attribute and length */
-	attribute = *data->ptr++;
-	length = *data->ptr++ * 4 - 2;
-	data->len -= 2;
-	DBG3(DBG_IKE, "found attribute %N with length %d",
-		 aka_attribute_names, attribute, length);
-	if (length > data->len)
-	{
-		return AT_END;
-	}
-	/* apply attribute value to attr_data */
-	attr_data->len = length;
-	attr_data->ptr = data->ptr;
-	/* update data to point to next attribute */
-	*data = chunk_skip(*data, length);
-	return attribute;
-}
-
-/**
- * Build an AKA payload from different attributes.
- * The variable argument takes an aka_attribute_t
- * followed by its data in a chunk.
- */
-static eap_payload_t *build_aka_payload(private_eap_aka_t *this, eap_code_t code,
-										u_int8_t identifier, aka_subtype_t type, ...)
-{
-	chunk_t message = chunk_alloca(512); /* is enought for all current messages */
-	chunk_t pos = message;
-	eap_payload_t *payload;
-	va_list args;
-	aka_attribute_t attr;
-	u_int8_t *mac_pos = NULL;
-	
-	/* write EAP header, skip length bytes */
-	*pos.ptr++ = code;
-	*pos.ptr++ = identifier;
-	pos.ptr += 2;
-	pos.len -= 4;
-	/* write AKA header with type and subtype, null reserved bytes */
-	*pos.ptr++ = EAP_AKA;
-	*pos.ptr++ = type;
-	*pos.ptr++ = 0;
-	*pos.ptr++ = 0;
-	pos.len -= 4;
-	
-	va_start(args, type);
-	while ((attr = va_arg(args, aka_attribute_t)) != AT_END)
-	{
-		chunk_t data = va_arg(args, chunk_t);
-		
-		DBG3(DBG_IKE, "building %N %B", aka_attribute_names, attr, &data);
-		
-		/* write attribute header */
-		*pos.ptr++ = attr;
-		pos.len--;
-		
-		switch (attr)
-		{
-			case AT_RES:
-			{
-				/* attribute length in 4byte words */
-				*pos.ptr = data.len/4 + 1;
-				pos = chunk_skip(pos, 1);
-				/* RES length in bits */
-				*(u_int16_t*)pos.ptr = htons(data.len * 8);
-				pos = chunk_skip(pos, sizeof(u_int16_t));
-				memcpy(pos.ptr, data.ptr, data.len);
-				pos = chunk_skip(pos, data.len);
-				break;
-			}
-			case AT_AUTN:
-			case AT_RAND:
-			{
-				*pos.ptr++ = data.len/4 + 1; pos.len--;
-				*pos.ptr++ = 0; pos.len--;
-				*pos.ptr++ = 0; pos.len--;
-				memcpy(pos.ptr, data.ptr, data.len);
-				pos = chunk_skip(pos, data.len);
-				break;
-			}
-			case AT_MAC:
-			{
-				*pos.ptr++ = 5; pos.len--;
-				*pos.ptr++ = 0; pos.len--;
-				*pos.ptr++ = 0; pos.len--;
-				mac_pos = pos.ptr;
-				/* MAC is calculated over message including zeroed AT_MAC attribute */
-				memset(mac_pos, 0, AT_MAC_LENGTH);
-				pos.ptr += AT_MAC_LENGTH;
-				pos.len -= AT_MAC_LENGTH;
-				break;
-			}
-			default:
-			{
-				/* length is data length in 4-bytes + 1 for header */
-				*pos.ptr = data.len/4 + 1;
-				pos = chunk_skip(pos, 1);
-				memcpy(pos.ptr, data.ptr, data.len);
-				pos = chunk_skip(pos, data.len);
-			}
-		}
-	}
-	va_end(args);
-	
-	/* calculate message length, write into header */
-	message.len = pos.ptr - message.ptr;
-	*(u_int16_t*)(message.ptr + 2) = htons(message.len);
-	
-	/* create MAC if AT_MAC attribte was included */
-	if (mac_pos)
-	{
-		this->signer->set_key(this->signer, this->k_auth);
-		DBG3(DBG_IKE, "AT_MAC signature of %B", &message);
-		DBG3(DBG_IKE, "using key %B", &this->k_auth);
-		this->signer->get_signature(this->signer, message, mac_pos);
-		DBG3(DBG_IKE, "is %b", mac_pos, AT_MAC_LENGTH);
-	}
-	
-	/* payload constructor takes data with some bytes skipped */
-	payload = eap_payload_create_data(message);
-	
-	DBG3(DBG_IKE, "created EAP message %B", &message);
-	return payload;
-}
-
-/**
- * generate a new non-zero identifier
- */
-static u_char get_identifier()
-{
-	u_char id;
-	
-	do {
-		id = random();
-	} while (!id);
-	return id;
-}
-
-/**
- * Initiate a AKA-Challenge using SQN
- */
-static status_t server_initiate_challenge(private_eap_aka_t *this, chunk_t sqn,
-										  eap_payload_t **out)
-{
-	rng_t *rng;
-	chunk_t mac, ak, autn;
-	
-	mac = chunk_alloca(MAC_LENGTH);
-	ak = chunk_alloca(AK_LENGTH);
-	chunk_free(&this->rand);
-	chunk_free(&this->xres);
-	
-	/* generate RAND:
-	 * we use a registered RNG, not f0() proposed in S.S0055
-	 */
-	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
-	if (!rng)
-	{
-		DBG1(DBG_IKE, "generating RAND for EAP-AKA authentication failed");
-		return FAILED;
-	}
-	rng->allocate_bytes(rng, RAND_LENGTH, &this->rand);
-	rng->destroy(rng);
-	
-#	ifdef TEST_VECTORS
-	/* Test vector for RAND */
-	u_int8_t test_rand[] = {
-		0x4b,0x05,0x2b,0x20,0xe2,0xa0,0x6c,0x8f,
-		0xf7,0x00,0xda,0x51,0x2b,0x4e,0x11,0x1e,
-	};
-	memcpy(this->rand.ptr, test_rand, this->rand.len); 
-#	endif /* TEST_VECTORS */
-	
-	/* Get the shared key K: */
-	if (load_key(this->server, this->peer, &this->k) != SUCCESS)
-	{
-		DBG1(DBG_IKE, "no shared key found for IDs '%Y' - '%Y' to authenticate "
-				"with EAP-AKA", this->server, this->peer);
-		return FAILED;
-	}
-	
-#	ifdef TEST_VECTORS
-	/* Test vector for K */
-	u_int8_t test_k[] = {
-		0xad,0x1b,0x5a,0x15,0x9b,0xe8,0x6b,0x2c,
-		0xa6,0x6c,0x7a,0xe4,0x0b,0xba,0x9b,0x9d,
-	};
-	memcpy(this->k.ptr, test_k, this->k.len);
-#	endif /* TEST_VECTORS */
-	
-	/* generate MAC */
-	f1(this, this->k, this->rand, sqn, amf, mac.ptr);
-	
-	/* generate AK */
-	f5(this, this->k, this->rand, ak.ptr);
-	
-	/* precalculate XRES as expected from client */
-	this->xres = chunk_alloc(RES_LENGTH);
-	f2(this, this->k, this->rand, this->xres.ptr);
-	
-	/* calculate AUTN = (SQN xor AK) || AMF || MAC */
-	autn = chunk_cata("ccc", sqn, amf, mac);
-	memxor(autn.ptr, ak.ptr, ak.len);
-	DBG3(DBG_IKE, "AUTN %B", &autn);
-	
-	
-	/* derive K_encr, K_auth, MSK, EMSK  */
-	derive_keys(this, this->peer);
-	
-	/* build payload */
-	*out = build_aka_payload(this, EAP_REQUEST, get_identifier(), AKA_CHALLENGE,
-							 AT_RAND, this->rand, AT_AUTN, autn, AT_MAC,
-							 chunk_empty, AT_END);
-	return NEED_MORE;
-}
-
-/**
- * Implementation of eap_method_t.initiate for an EAP_AKA server
- */
-static status_t server_initiate(private_eap_aka_t *this, eap_payload_t **out)
-{
-	chunk_t sqn = chunk_alloca(SQN_LENGTH);
-	
-	/* we use an offset of 3 minutes to tolerate clock inaccuracy
-	 * without the need to synchronize sequence numbers */
-	update_sqn(sqn.ptr, 180);
-	
-#	ifdef TEST_VECTORS
-	/* Test vector for SQN */
-	u_int8_t test_sqn[] = {0x00,0x00,0x00,0x00,0x00,0x01};
-	memcpy(sqn.ptr, test_sqn, sqn.len); 
-#	endif /* TEST_VECTORS */
-	
-	return server_initiate_challenge(this, sqn, out);
-}
-
-static status_t server_process_synchronize(private_eap_aka_t *this,
-										   eap_payload_t *in, eap_payload_t **out)
-{
-	chunk_t attr, auts = chunk_empty, pos, message, macs, xmacs, sqn, aks, amf;
-	u_int i;
-	
-	message = in->get_data(in);
-	pos = message;
-	read_header(&pos);
-	
-	/* iterate over attributes */
-	while (TRUE)
-	{
-		aka_attribute_t attribute = read_attribute(&pos, &attr);
-		switch (attribute)
-		{
-			case AT_END:
-				break;
-			case AT_AUTS:
-				auts = attr;
-				continue;
-			default:
-				if (attribute >= 0 && attribute <= 127)
-				{
-					DBG1(DBG_IKE, "found non skippable attribute %N",
-						 aka_attribute_names, attribute);
-					return FAILED;
-				}
-				DBG1(DBG_IKE, "ignoring skippable attribute %N",
-					 aka_attribute_names, attribute);
-				continue;
-		}
-		break;
-	}
-	
-	if (auts.len != AUTS_LENGTH)
-	{
-		DBG1(DBG_IKE, "synchronization request didn't contain useable AUTS");
-		return FAILED;
-	}
-	
-	chunk_split(auts, "mm", SQN_LENGTH, &sqn, MAC_LENGTH, &macs);
-	aks = chunk_alloca(AK_LENGTH);
-	f5star(this, this->k, this->rand, aks.ptr);
-	/* decrypt serial number by XORing AKS */
-	memxor(sqn.ptr, aks.ptr, aks.len);
-	
-	/* verify MACS */
-	xmacs = chunk_alloca(MAC_LENGTH);
-	amf = chunk_alloca(AMF_LENGTH);
-	/* an AMF of zero is used for MACS calculation */
-	memset(amf.ptr, 0, amf.len);
-	f1star(this, this->k, this->rand, sqn, amf, xmacs.ptr);
-	if (!chunk_equals(macs, xmacs))
-	{
-		DBG1(DBG_IKE, "received MACS does not match XMACS");
-		DBG3(DBG_IKE, "MACS %B XMACS %B", &macs, &xmacs);
-		return FAILED;
-	}
-	
-	/* retry the challenge with the received SQN + 1*/
-	for (i = SQN_LENGTH - 1; i >= 0; i--)
-	{
-		if (++sqn.ptr[i] != 0)
-		{
-			break;
-		}
-	}
-	return server_initiate_challenge(this, sqn, out);
-}
-
-/**
- * process an AKA_Challenge response
- */
-static status_t server_process_challenge(private_eap_aka_t *this, eap_payload_t *in)
-{
-	chunk_t attr, res = chunk_empty, at_mac = chunk_empty, pos, message;
-	
-	message = in->get_data(in);
-	pos = message;
-	read_header(&pos);
-	
-	/* iterate over attributes */
-	while (TRUE)
-	{
-		aka_attribute_t attribute = read_attribute(&pos, &attr);
-		switch (attribute)
-		{
-			case AT_END:
-				break;
-			case AT_RES:
-				res = attr;
-				if (attr.len == 2 + RES_LENGTH &&
-					*(u_int16_t*)attr.ptr == htons(RES_LENGTH * 8))
-				{
-					res = chunk_skip(attr, 2);
-				}
-				continue;
-
-			case AT_MAC:
-				attr = chunk_skip(attr, 2);
-				at_mac = chunk_clonea(attr);
-				/* zero MAC in message for MAC verification */
-				memset(attr.ptr, 0, attr.len);
-				continue;
-			default:
-				if (attribute >= 0 && attribute <= 127)
-				{
-					DBG1(DBG_IKE, "found non skippable attribute %N",
-						 aka_attribute_names, attribute);
-					return FAILED;
-				}
-				DBG1(DBG_IKE, "ignoring skippable attribute %N",
-					 aka_attribute_names, attribute);
-				continue;
-		}
-		break;
-	}
-	
-	/* verify EAP message MAC AT_MAC */
-	{
-		this->signer->set_key(this->signer, this->k_auth);
-		DBG3(DBG_IKE, "verifying AT_MAC signature of %B", &message);
-		DBG3(DBG_IKE, "using key %B", &this->k_auth);
-		if (!this->signer->verify_signature(this->signer, message, at_mac))
-		{
-			DBG1(DBG_IKE, "MAC in AT_MAC attribute verification failed");
-			return FAILED;
-		}
-	}
-	
-	/* compare received RES against stored precalculated XRES */
-	if (!chunk_equals(res, this->xres))
-	{
-		DBG1(DBG_IKE, "received RES does not match XRES");
-		DBG3(DBG_IKE, "RES %Bb XRES %B", &res, &this->xres);
-		return FAILED;
-	}
-	return SUCCESS;
-}
-
-/**
- * Implementation of eap_method_t.process for EAP_AKA servers
- */
-static status_t server_process(private_eap_aka_t *this,
-							   eap_payload_t *in, eap_payload_t **out)
-{
-	chunk_t message;
-	aka_subtype_t type;
-	
-	message = in->get_data(in);
-	type = read_header(&message);
-	
-	DBG3(DBG_IKE, "received EAP message %B",  &message);
-	
-	switch (type)
-	{
-		case AKA_CHALLENGE:
-		{
-			return server_process_challenge(this, in);
-		}
-		case AKA_AUTHENTICATION_REJECT:
-		case AKA_CLIENT_ERROR:
-		{
-			DBG1(DBG_IKE, "received %N, authentication failed",
-				 aka_subtype_names, type);
-			return FAILED;
-		}
-		case AKA_SYNCHRONIZATION_FAILURE:
-		{
-			DBG1(DBG_IKE, "received %N, retrying with received SQN",
-				 aka_subtype_names, type);
-			return server_process_synchronize(this, in, out);
-		}
-		default:
-			DBG1(DBG_IKE, "received unknown AKA subtype %N, authentication failed",
-				 aka_subtype_names, type);
-			return FAILED;
-	}
-}
-
-/**
- * Process an incoming AKA-Challenge client side
- */
-static status_t peer_process_challenge(private_eap_aka_t *this,
-									   eap_payload_t *in, eap_payload_t **out)
-{
-	chunk_t attr = chunk_empty;
-	chunk_t autn = chunk_empty, at_mac = chunk_empty;
-	chunk_t ak, sqn, sqn_ak, mac, xmac, res, amf, message, pos;
-	u_int8_t identifier;
-	
-	ak = chunk_alloca(AK_LENGTH);
-	xmac = chunk_alloca(MAC_LENGTH);
-	res = chunk_alloca(RES_LENGTH);
-	chunk_free(&this->rand);
-	
-	message = in->get_data(in);
-	pos = message;
-	read_header(&pos);
-	identifier = in->get_identifier(in);
-	
-	DBG3(DBG_IKE, "reading attributes from %B", &pos);
-	
-	/* iterate over attributes */
-	while (TRUE)
-	{
-		aka_attribute_t attribute = read_attribute(&pos, &attr);
-		switch (attribute)
-		{
-			case AT_END:
-				break;
-			case AT_RAND:
-				this->rand = chunk_clone(chunk_skip(attr, 2));
-				continue;
-			case AT_AUTN:
-				autn = chunk_skip(attr, 2);
-				continue;
-			case AT_MAC:
-				attr = chunk_skip(attr, 2);
-				at_mac = chunk_clonea(attr);
-				/* set MAC in message to zero for own MAC verification */
-				memset(attr.ptr, 0, attr.len);
-				continue;
-			default:
-				if (attribute >= 0 && attribute <= 127)
-				{
-					/* non skippable attribute, abort */
-					*out = build_aka_payload(this, EAP_RESPONSE, identifier, AKA_CLIENT_ERROR,
-								AT_CLIENT_ERROR_CODE, client_error_code, AT_END);
-					DBG1(DBG_IKE, "found non skippable attribute %N, sending %N %d",
-						 aka_attribute_names, attribute,
-						 aka_attribute_names, AT_CLIENT_ERROR_CODE, 0);
-					return NEED_MORE;
-				}
-				DBG1(DBG_IKE, "ignoring skippable attribute %N",
-					 aka_attribute_names, attribute);
-				continue;
-		}
-		break;
-	}
-	
-	if (this->rand.len != RAND_LENGTH || autn.len != AUTN_LENGTH)
-	{
-		/* required attributes wrong/not found, abort */
-		*out = build_aka_payload(this, EAP_RESPONSE, identifier, AKA_CLIENT_ERROR,
-					AT_CLIENT_ERROR_CODE, client_error_code, AT_END);
-		DBG1(DBG_IKE, "could not find valid RAND/AUTN attribute, sending %N %d",
-			 aka_attribute_names, AT_CLIENT_ERROR_CODE, 0);
-		return NEED_MORE;
-	}
-	
-	DBG3(DBG_IKE, "using autn %B", &autn);
-	/* split up AUTN = SQN xor AK | AMF | MAC */
-	chunk_split(autn, "mmm", SQN_LENGTH, &sqn_ak, AMF_LENGTH, &amf, MAC_LENGTH, &mac);
-	
-	/* Get the shared key K: */
-	chunk_free(&this->k);
-	if (load_key(this->peer, this->server, &this->k) != SUCCESS)
-	{
-	 	*out = build_aka_payload(this, EAP_RESPONSE, identifier,
-	 							 AKA_AUTHENTICATION_REJECT, AT_END);
-		DBG3(DBG_IKE, "no shared key found for IDs '%Y' - '%Y' to authenticate "
-			 "with EAP-AKA, sending %N", this->peer, this->server,
-			 aka_subtype_names, AKA_AUTHENTICATION_REJECT);
-		return NEED_MORE;
-	}
-	DBG3(DBG_IKE, "using K %B", &this->k);
-#	ifdef TEST_VECTORS
-	/* Test vector for K */
-	u_int8_t test_k[] = {
-		0xad,0x1b,0x5a,0x15,0x9b,0xe8,0x6b,0x2c,
-		0xa6,0x6c,0x7a,0xe4,0x0b,0xba,0x9b,0x9d,
-	};
-	memcpy(this->k.ptr, test_k, this->k.len);
-#	endif /* TEST_VECTORS */
-	
-	/* calculate anonymity key AK */
-	f5(this, this->k, this->rand, ak.ptr);
-	DBG3(DBG_IKE, "using rand %B", &this->rand);
-	DBG3(DBG_IKE, "using ak %B", &ak);
-	/* XOR AK into SQN to decrypt it */
-	
-	sqn = chunk_clonea(sqn_ak);
-	
-	DBG3(DBG_IKE, "using ak xor sqn %B", &sqn_ak);
-	memxor(sqn.ptr, ak.ptr, sqn.len);
-	DBG3(DBG_IKE, "using sqn %B", &sqn);
-	
-	/* calculate expected MAC and compare against received one */
-	f1(this, this->k, this->rand, sqn, amf, xmac.ptr);
-	if (!chunk_equals(mac, xmac))
-	{
-	 	*out = build_aka_payload(this, EAP_RESPONSE, identifier,
-	 							 AKA_AUTHENTICATION_REJECT, AT_END);
-		DBG1(DBG_IKE, "received MAC does not match XMAC, sending %N",
-			 aka_subtype_names, AKA_AUTHENTICATION_REJECT);
-		DBG3(DBG_IKE, "MAC %B\nXMAC %B", &mac, &xmac);
-		return NEED_MORE;
-	}
-
-#if SEQ_CHECK
-	if (memcmp(peer_sqn.ptr, sqn.ptr, sqn.len) >= 0)
-	{
-		/* sequence number invalid. send AUTS */
-		chunk_t auts, macs, aks, amf;
-		
-		macs = chunk_alloca(MAC_LENGTH);
-		aks = chunk_alloca(AK_LENGTH);
-		amf = chunk_alloca(AMF_LENGTH);
-		
-		/* AMF is set to zero in AKA_SYNCHRONIZATION_FAILURE */
-		memset(amf.ptr, 0, amf.len);		
-		/* AKS = f5*(RAND) */
-		f5star(this, this->k, this->rand, aks.ptr);
-		/* MACS = f1*(RAND) */
-		f1star(this, this->k, this->rand, peer_sqn, amf, macs.ptr);
-		/* AUTS = SQN xor AKS | MACS */
-		memxor(aks.ptr, peer_sqn.ptr, aks.len);
-		auts = chunk_cata("cc", aks, macs);
-		
-	 	*out = build_aka_payload(this, EAP_RESPONSE, identifier,
-	 							 AKA_SYNCHRONIZATION_FAILURE,
-	 							 AT_AUTS, auts, AT_END);
-		DBG1(DBG_IKE, "received SQN invalid, sending %N",
-			 aka_subtype_names, AKA_SYNCHRONIZATION_FAILURE);
-		DBG3(DBG_IKE, "received SQN %B\ncurrent SQN %B", &sqn, &peer_sqn);
-		return NEED_MORE;
-	}
-#endif /* SEQ_CHECK */
-
-	/* derive K_encr, K_auth, MSK, EMSK  */
-	derive_keys(this, this->peer);
-	
-	/* verify EAP message MAC AT_MAC */
-	DBG3(DBG_IKE, "verifying AT_MAC signature of %B", &message);
-	DBG3(DBG_IKE, "using key %B", &this->k_auth);
-	this->signer->set_key(this->signer, this->k_auth);
-	if (!this->signer->verify_signature(this->signer, message, at_mac))
-	{
-		*out = build_aka_payload(this, EAP_RESPONSE, identifier, AKA_CLIENT_ERROR,
-						AT_CLIENT_ERROR_CODE, client_error_code, AT_END);
-		DBG1(DBG_IKE, "MAC in AT_MAC attribute verification "
-			 "failed, sending %N %d", aka_attribute_names,
-			 AT_CLIENT_ERROR_CODE, 0);
-		return NEED_MORE;
-	}
-	
-	/* update stored SQN to the received one */
-	memcpy(peer_sqn.ptr, sqn.ptr, sqn.len);
-	
-	/* calculate RES */
-	f2(this, this->k, this->rand, res.ptr);
-	
-	/* build response */
-	*out = build_aka_payload(this, EAP_RESPONSE, identifier, AKA_CHALLENGE,
-							 AT_RES, res, AT_MAC, chunk_empty, AT_END);
-	return NEED_MORE;
-}
-
-/**
- * Process an incoming AKA-Notification as client
- */
-static status_t peer_process_notification(private_eap_aka_t *this,
-										  eap_payload_t *in, eap_payload_t **out)
-{
-	chunk_t message, pos, attr;
-	u_int8_t identifier;
-	
-	message = in->get_data(in);
-	pos = message;
-	read_header(&pos);
-	identifier = in->get_identifier(in);
-	
-	DBG3(DBG_IKE, "reading attributes from %B", &pos);
-	
-	/* iterate over attributes */
-	while (TRUE)
-	{
-		aka_attribute_t attribute = read_attribute(&pos, &attr);
-		switch (attribute)
-		{
-			case AT_END:
-				break;
-			case AT_NOTIFICATION:
-			{
-				u_int16_t code;
-			
-				if (attr.len != 2)
-				{
-					DBG1(DBG_IKE, "received invalid AKA notification, ignored");
-					continue;
-				}
-				code = ntohs(*(u_int16_t*)attr.ptr);
-				switch (code)
-				{
-					case 0: 
-						DBG1(DBG_IKE, "received AKA notification 'general "
-							 "failure after authentication' (%d)", code);
-						return FAILED;
-					case 16384:
-						DBG1(DBG_IKE, "received AKA notification 'general "
-							 "failure' (%d)", code);
-						return FAILED;
-   					case 32768:
-						DBG1(DBG_IKE, "received AKA notification 'successfully "
-							 "authenticated' (%d)", code);
-						continue;
-   					case 1026:
-						DBG1(DBG_IKE, "received AKA notification 'access "
-							 "temporarily denied' (%d)", code);
-						return FAILED;
-   					case 1031:
-						DBG1(DBG_IKE, "received AKA notification 'not "
-							 "subscribed to service' (%d)", code);
-						return FAILED;
-					default:
-						DBG1(DBG_IKE, "received AKA notification code %d, "
-							 "ignored", code);
-					continue;
-				}
-			}
-			default:
-				if (attribute >= 0 && attribute <= 127)
-				{
-					DBG1(DBG_IKE, "ignoring non-skippable attribute %N in %N",
-					 	aka_attribute_names, attribute, aka_subtype_names,
-					 	AKA_NOTIFICATION);
-				}
-				else
-				{
-					DBG1(DBG_IKE, "ignoring skippable attribute %N",
-						 aka_attribute_names, attribute);
-				}
-				continue;
-		}
-		break;
-	}
-	return NEED_MORE;
-}
-
-/**
- * Implementation of eap_method_t.process for an EAP_AKA peer
- */
-static status_t peer_process(private_eap_aka_t *this,
-							 eap_payload_t *in, eap_payload_t **out)
-{
-	aka_subtype_t type;
-	chunk_t message;
-	u_int8_t identifier;
-	
-	message = in->get_data(in);
-	type = read_header(&message);
-	identifier = in->get_identifier(in);
-	
-	DBG3(DBG_IKE, "received EAP message %B",  &message);
-	
-	switch (type)
-	{
-		case AKA_CHALLENGE:
-		{
-			return peer_process_challenge(this, in, out);
-		}
-		case AKA_NOTIFICATION:
-		{
-			return peer_process_notification(this, in, out);
-		}
-		default:
-		{
-			*out = build_aka_payload(this, EAP_RESPONSE, identifier, AKA_CLIENT_ERROR,
-						AT_CLIENT_ERROR_CODE, client_error_code, AT_END);
-			DBG1(DBG_IKE, "received unsupported %N request, sending %N %d",
-				 aka_subtype_names, type,
-				 aka_attribute_names, AT_CLIENT_ERROR_CODE, 0);
-			return NEED_MORE;
-		}
-	}
-}
-
-/**
- * Implementation of eap_method_t.initiate for an EAP AKA peer
- */
-static status_t peer_initiate(private_eap_aka_t *this, eap_payload_t **out)
-{
-	/* peer never initiates */
-	return FAILED;
-}
-
-/**
- * Implementation of eap_method_t.get_type.
- */
-static eap_type_t get_type(private_eap_aka_t *this, u_int32_t *vendor)
-{
-	*vendor = 0;
-	return EAP_AKA;
-}
-
-/**
- * Implementation of eap_method_t.get_msk.
- */
-static status_t get_msk(private_eap_aka_t *this, chunk_t *msk)
-{
-	if (this->msk.ptr)
-	{
-		*msk = this->msk;
-		return SUCCESS;
-	}
-	return FAILED;
-}
-
-/**
- * Implementation of eap_method_t.is_mutual.
- */
-static bool is_mutual(private_eap_aka_t *this)
-{
-	return TRUE;
-}
-
-/**
- * Implementation of eap_method_t.destroy.
- */
-static void destroy(private_eap_aka_t *this)
-{
-	this->server->destroy(this->server);
-	this->peer->destroy(this->peer);
-	DESTROY_IF(this->sha1);
-	DESTROY_IF(this->signer);
-	DESTROY_IF(this->prf);
-	DESTROY_IF(this->keyed_prf);
-	chunk_free(&this->k_encr);
-	chunk_free(&this->k_auth);
-	chunk_free(&this->msk);
-	chunk_free(&this->emsk);
-	chunk_free(&this->xres);
-	chunk_free(&this->k);
-	chunk_free(&this->rand);
-	free(this);
-}
-
-/**
- * generic constructor used by client & server
- */
-static private_eap_aka_t *eap_aka_create_generic(identification_t *server,
-												 identification_t *peer)
-{
-	private_eap_aka_t *this = malloc_thing(private_eap_aka_t);
-	
-	this->public.eap_method_interface.initiate = NULL;
-	this->public.eap_method_interface.process = NULL;
-	this->public.eap_method_interface.get_type = (eap_type_t(*)(eap_method_t*,u_int32_t*))get_type;
-	this->public.eap_method_interface.is_mutual = (bool(*)(eap_method_t*))is_mutual;
-	this->public.eap_method_interface.get_msk = (status_t(*)(eap_method_t*,chunk_t*))get_msk;
-	this->public.eap_method_interface.destroy = (void(*)(eap_method_t*))destroy;
-	
-	/* private data */
-	this->server = server->clone(server);
-	this->peer = peer->clone(peer);
-	this->k_encr = chunk_empty;
-	this->k_auth = chunk_empty;
-	this->msk = chunk_empty;
-	this->emsk = chunk_empty;
-	this->xres = chunk_empty;
-	this->k = chunk_empty;
-	this->rand = chunk_empty;
-	
-	this->sha1 = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
-	this->signer = lib->crypto->create_signer(lib->crypto, AUTH_HMAC_SHA1_128);
-	this->prf = lib->crypto->create_prf(lib->crypto, PRF_FIPS_SHA1_160);
-	this->keyed_prf = lib->crypto->create_prf(lib->crypto, PRF_KEYED_SHA1);
-
-	if (!this->sha1 || !this->signer || !this->prf || !this->keyed_prf)
-	{
-		DBG1(DBG_IKE, "unable to initiate EAP-AKA, FIPS-PRF/SHA1 not supported");
-		DESTROY_IF(this->sha1);
-		DESTROY_IF(this->signer);
-		DESTROY_IF(this->prf);
-		DESTROY_IF(this->keyed_prf);
-		destroy(this);
-		return NULL;
-	}
-	return this;
-}
-
-/*
- * Described in header.
- */
-eap_aka_t *eap_aka_create_server(identification_t *server, identification_t *peer)
-{
-	private_eap_aka_t *this = eap_aka_create_generic(server, peer);
-	
-	if (this)
-	{
-		this->public.eap_method_interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))server_initiate;
-		this->public.eap_method_interface.process = (status_t(*)(eap_method_t*,eap_payload_t*,eap_payload_t**))server_process;
-	}
-	return (eap_aka_t*)this;
-}
-
-/*
- * Described in header.
- */
-eap_aka_t *eap_aka_create_peer(identification_t *server, identification_t *peer)
-{
-	private_eap_aka_t *this = eap_aka_create_generic(server, peer);
-	
-	if (this)
-	{
-		this->public.eap_method_interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))peer_initiate;
-		this->public.eap_method_interface.process = (status_t(*)(eap_method_t*,eap_payload_t*,eap_payload_t**))peer_process;
-	}
-	return (eap_aka_t*)this;			
-}
-
diff --git a/src/charon/plugins/eap_aka/eap_aka.h b/src/charon/plugins/eap_aka/eap_aka.h
deleted file mode 100644
index 7686802cf..000000000
--- a/src/charon/plugins/eap_aka/eap_aka.h
+++ /dev/null
@@ -1,81 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup eap_aka_i eap_aka
- * @{ @ingroup eap_aka
- */
-
-#ifndef EAP_AKA_H_
-#define EAP_AKA_H_
-
-typedef struct eap_aka_t eap_aka_t;
-
-#include <sa/authenticators/eap/eap_method.h>
-
-/**  check SEQ values as client for validity, disabled by default */
-#ifndef SEQ_CHECK
-# define SEQ_CHECK 0
-#endif
-
-/**
- * Implementation of the eap_method_t interface using EAP-AKA.
- *
- * EAP-AKA uses 3rd generation mobile phone standard authentication
- * mechanism for authentication. It is a mutual authentication
- * mechanism which establishs a shared key and therefore supports EAP_ONLY
- * authentication. This implementation follows the standard of the
- * 3GPP2 (S.S0055) and not the one of 3GGP.
- * The shared key used for authentication is from ipsec.secrets. The
- * peers ID is used to query it.
- * The AKA mechanism uses sequence numbers to detect replay attacks. The
- * peer stores the sequence number normally in a USIM and accepts
- * incremental sequence numbers (incremental for lifetime of the USIM). To
- * prevent a complex sequence number management, this implementation uses
- * a sequence number derived from time. It is initialized to the startup
- * time of the daemon. As long as the (UTC) time of the system is not
- * turned back while the daemon is not running, this method is secure.
- * To enable time based SEQs, define SEQ_CHECK as 1. Default is to accept
- * any SEQ numbers. This allows an attacker to do replay attacks. But since
- * the server has proven his identity via IKE, such an attack is only
- * possible between server and AAA (if any).
- */
-struct eap_aka_t {
-
-	/**
-	 * Implemented eap_method_t interface.
-	 */
-	eap_method_t eap_method_interface;
-};
-
-/**
- * Creates the server implementation of the EAP method EAP-AKA.
- *
- * @param server	ID of the EAP server
- * @param peer		ID of the EAP client
- * @return			eap_aka_t object
- */
-eap_aka_t *eap_aka_create_server(identification_t *server, identification_t *peer);
-
-/**
- * Creates the peer implementation of the EAP method EAP-AKA.
- *
- * @param server	ID of the EAP server
- * @param peer		ID of the EAP client
- * @return			eap_aka_t object
- */
-eap_aka_t *eap_aka_create_peer(identification_t *server, identification_t *peer);
-
-#endif /** EAP_AKA_H_ @}*/
diff --git a/src/charon/plugins/eap_aka/eap_aka_peer.c b/src/charon/plugins/eap_aka/eap_aka_peer.c
new file mode 100644
index 000000000..26546809d
--- /dev/null
+++ b/src/charon/plugins/eap_aka/eap_aka_peer.c
@@ -0,0 +1,583 @@
+/*
+ * Copyright (C) 2006-2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_aka_peer.h"
+
+#include <library.h>
+#include <daemon.h>
+
+#include <simaka_message.h>
+#include <simaka_crypto.h>
+
+typedef struct private_eap_aka_peer_t private_eap_aka_peer_t;
+
+/**
+ * Private data of an eap_aka_peer_t object.
+ */
+struct private_eap_aka_peer_t {
+
+	/**
+	 * Public authenticator_t interface.
+	 */
+	eap_aka_peer_t public;
+
+	/**
+	 * EAP-AKA crypto helper
+	 */
+	simaka_crypto_t *crypto;
+
+	/**
+	 * permanent ID of peer
+	 */
+	identification_t *permanent;
+
+	/**
+	 * Pseudonym identity the peer uses
+	 */
+	identification_t *pseudonym;
+
+	/**
+	 * Reauthentication identity the peer uses
+	 */
+	identification_t *reauth;
+
+	/**
+	 * MSK
+	 */
+	chunk_t msk;
+
+	/**
+	 * Master key, if reauthentication is used
+	 */
+	char mk[HASH_SIZE_SHA1];
+
+	/**
+	 * Counter value if reauthentication is used
+	 */
+	u_int16_t counter;
+};
+
+/**
+ * Create a AKA_CLIENT_ERROR: "Unable to process"
+ */
+static eap_payload_t* create_client_error(private_eap_aka_peer_t *this,
+										  u_int8_t identifier)
+{
+	simaka_message_t *message;
+	eap_payload_t *out;
+	u_int16_t encoded;
+
+	DBG1(DBG_IKE, "sending client error '%N'",
+		 simaka_client_error_names, AKA_UNABLE_TO_PROCESS);
+
+	message = simaka_message_create(FALSE, identifier, EAP_AKA,
+									AKA_CLIENT_ERROR, this->crypto);
+	encoded = htons(AKA_UNABLE_TO_PROCESS);
+	message->add_attribute(message, AT_CLIENT_ERROR_CODE,
+						   chunk_create((char*)&encoded, sizeof(encoded)));
+	out = message->generate(message, chunk_empty);
+	message->destroy(message);
+	return out;
+}
+
+/**
+ * process an EAP-AKA/Request/Identity message
+ */
+static status_t process_identity(private_eap_aka_peer_t *this,
+								 simaka_message_t *in, eap_payload_t **out)
+{
+	simaka_message_t *message;
+	enumerator_t *enumerator;
+	simaka_attribute_t type;
+	chunk_t data, id = chunk_empty;
+	simaka_attribute_t id_req = 0;
+
+	/* reset previously uses reauthentication/pseudonym data */
+	this->crypto->clear_keys(this->crypto);
+	DESTROY_IF(this->pseudonym);
+	this->pseudonym = NULL;
+	DESTROY_IF(this->reauth);
+	this->reauth = NULL;
+
+	enumerator = in->create_attribute_enumerator(in);
+	while (enumerator->enumerate(enumerator, &type, &data))
+	{
+		switch (type)
+		{
+			case AT_ANY_ID_REQ:
+			case AT_FULLAUTH_ID_REQ:
+			case AT_PERMANENT_ID_REQ:
+				id_req = type;
+				break;
+			default:
+				if (!simaka_attribute_skippable(type))
+				{
+					*out = create_client_error(this, in->get_identifier(in));
+					enumerator->destroy(enumerator);
+					return NEED_MORE;
+				}
+				break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	switch (id_req)
+	{
+		case AT_ANY_ID_REQ:
+			this->reauth = charon->sim->card_get_reauth(charon->sim,
+									this->permanent, this->mk, &this->counter);
+			if (this->reauth)
+			{
+				id = this->reauth->get_encoding(this->reauth);
+				break;
+			}
+			/* FALL */
+		case AT_FULLAUTH_ID_REQ:
+			this->pseudonym = charon->sim->card_get_pseudonym(charon->sim,
+															  this->permanent);
+			if (this->pseudonym)
+			{
+				id = this->pseudonym->get_encoding(this->pseudonym);
+				break;
+			}
+			/* FALL */
+		case AT_PERMANENT_ID_REQ:
+			id = this->permanent->get_encoding(this->permanent);
+			break;
+		default:
+			break;
+	}
+	message = simaka_message_create(FALSE, in->get_identifier(in), EAP_AKA,
+									AKA_IDENTITY, this->crypto);
+	if (id.len)
+	{
+		message->add_attribute(message, AT_IDENTITY, id);
+	}
+	*out = message->generate(message, chunk_empty);
+	message->destroy(message);
+
+	return NEED_MORE;
+}
+
+/**
+ * Process an EAP-AKA/Request/Challenge message
+ */
+static status_t process_challenge(private_eap_aka_peer_t *this,
+								  simaka_message_t *in, eap_payload_t **out)
+{
+	simaka_message_t *message;
+	enumerator_t *enumerator;
+	simaka_attribute_t type;
+	chunk_t data, rand = chunk_empty, autn = chunk_empty, mk;
+	u_char res[AKA_RES_MAX], ck[AKA_CK_LEN], ik[AKA_IK_LEN], auts[AKA_AUTS_LEN];
+	int res_len;
+	identification_t *id;
+	status_t status;
+
+	enumerator = in->create_attribute_enumerator(in);
+	while (enumerator->enumerate(enumerator, &type, &data))
+	{
+		switch (type)
+		{
+			case AT_RAND:
+				rand = data;
+				break;
+			case AT_AUTN:
+				autn = data;
+				break;
+			default:
+				if (!simaka_attribute_skippable(type))
+				{
+					*out = create_client_error(this, in->get_identifier(in));
+					enumerator->destroy(enumerator);
+					return NEED_MORE;
+				}
+				break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	if (!rand.len || !autn.len)
+	{
+		DBG1(DBG_IKE, "received invalid EAP-AKA challenge message");
+		*out = create_client_error(this, in->get_identifier(in));
+		return NEED_MORE;
+	}
+
+	status = charon->sim->card_get_quintuplet(charon->sim, this->permanent,
+									rand.ptr, autn.ptr, ck, ik, res, &res_len);
+	if (status == INVALID_STATE &&
+		charon->sim->card_resync(charon->sim, this->permanent, rand.ptr, auts))
+	{
+		DBG1(DBG_IKE, "received SQN invalid, sending %N",
+			 simaka_subtype_names, AKA_SYNCHRONIZATION_FAILURE);
+		message = simaka_message_create(FALSE, in->get_identifier(in), EAP_AKA,
+									AKA_SYNCHRONIZATION_FAILURE, this->crypto);
+		message->add_attribute(message, AT_AUTS,
+							   chunk_create(auts, AKA_AUTS_LEN));
+		*out = message->generate(message, chunk_empty);
+		message->destroy(message);
+		return NEED_MORE;
+	}
+	if (status != SUCCESS)
+	{
+		DBG1(DBG_IKE, "no USIM found with quintuplets for '%Y', sending %N",
+			 this->permanent, simaka_subtype_names, AKA_AUTHENTICATION_REJECT);
+		message = simaka_message_create(FALSE, in->get_identifier(in), EAP_AKA,
+										AKA_AUTHENTICATION_REJECT, this->crypto);
+		*out = message->generate(message, chunk_empty);
+		message->destroy(message);
+		return NEED_MORE;
+	}
+
+	id = this->permanent;
+	if (this->pseudonym)
+	{
+		id = this->pseudonym;
+	}
+	data = chunk_cata("cc", chunk_create(ik, AKA_IK_LEN),
+					  chunk_create(ck, AKA_CK_LEN));
+	free(this->msk.ptr);
+	this->msk = this->crypto->derive_keys_full(this->crypto, id, data, &mk);
+	memcpy(this->mk, mk.ptr, mk.len);
+	free(mk.ptr);
+
+	/* Verify AT_MAC attribute and parse() again after key derivation,
+	 * reading encrypted attributes */
+	if (!in->verify(in, chunk_empty) || !in->parse(in))
+	{
+		*out = create_client_error(this, in->get_identifier(in));
+		return NEED_MORE;
+	}
+
+	enumerator = in->create_attribute_enumerator(in);
+	while (enumerator->enumerate(enumerator, &type, &data))
+	{
+		switch (type)
+		{
+			case AT_NEXT_REAUTH_ID:
+				this->counter = 0;
+				id = identification_create_from_data(data);
+				charon->sim->card_set_reauth(charon->sim, this->permanent, id,
+											 this->mk, this->counter);
+				id->destroy(id);
+				break;
+			case AT_NEXT_PSEUDONYM:
+				id = identification_create_from_data(data);
+				charon->sim->card_set_pseudonym(charon->sim, this->permanent, id);
+				id->destroy(id);
+				break;
+			default:
+				break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	message = simaka_message_create(FALSE, in->get_identifier(in), EAP_AKA,
+									AKA_CHALLENGE, this->crypto);
+	message->add_attribute(message, AT_RES, chunk_create(res, res_len));
+	*out = message->generate(message, chunk_empty);
+	message->destroy(message);
+	return NEED_MORE;
+}
+
+/**
+ * Check if a received counter value is acceptable
+ */
+static bool counter_too_small(private_eap_aka_peer_t *this, chunk_t chunk)
+{
+	u_int16_t counter;
+
+	memcpy(&counter, chunk.ptr, sizeof(counter));
+	counter = htons(counter);
+	return counter < this->counter;
+}
+
+/**
+ * process an EAP-AKA/Request/Reauthentication message
+ */
+static status_t process_reauthentication(private_eap_aka_peer_t *this,
+									simaka_message_t *in, eap_payload_t **out)
+{
+	simaka_message_t *message;
+	enumerator_t *enumerator;
+	simaka_attribute_t type;
+	chunk_t data, counter = chunk_empty, nonce = chunk_empty, id = chunk_empty;
+
+	if (!this->reauth)
+	{
+		DBG1(DBG_IKE, "received %N, but not expected",
+			 simaka_subtype_names, AKA_REAUTHENTICATION);
+		*out = create_client_error(this, in->get_identifier(in));
+		return NEED_MORE;
+	}
+
+	this->crypto->derive_keys_reauth(this->crypto,
+									 chunk_create(this->mk, HASH_SIZE_SHA1));
+
+	/* verify MAC and parse again with decryption key */
+	if (!in->verify(in, chunk_empty) || !in->parse(in))
+	{
+		*out = create_client_error(this, in->get_identifier(in));
+		return NEED_MORE;
+	}
+
+	enumerator = in->create_attribute_enumerator(in);
+	while (enumerator->enumerate(enumerator, &type, &data))
+	{
+		switch (type)
+		{
+			case AT_COUNTER:
+				counter = data;
+				break;
+			case AT_NONCE_S:
+				nonce = data;
+				break;
+			case AT_NEXT_REAUTH_ID:
+				id = data;
+				break;
+			default:
+				if (!simaka_attribute_skippable(type))
+				{
+					*out = create_client_error(this, in->get_identifier(in));
+					enumerator->destroy(enumerator);
+					return NEED_MORE;
+				}
+				break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	if (!nonce.len || !counter.len)
+	{
+		DBG1(DBG_IKE, "EAP-AKA/Request/Reauthentication message incomplete");
+		*out = create_client_error(this, in->get_identifier(in));
+		return NEED_MORE;
+	}
+
+	message = simaka_message_create(FALSE, in->get_identifier(in), EAP_AKA,
+									AKA_REAUTHENTICATION, this->crypto);
+	if (counter_too_small(this, counter))
+	{
+		DBG1(DBG_IKE, "reauthentication counter too small");
+		message->add_attribute(message, AT_COUNTER_TOO_SMALL, chunk_empty);
+	}
+	else
+	{
+		free(this->msk.ptr);
+		this->msk = this->crypto->derive_keys_reauth_msk(this->crypto,
+										this->reauth, counter, nonce,
+										chunk_create(this->mk, HASH_SIZE_SHA1));
+		if (id.len)
+		{
+			identification_t *reauth;
+
+			reauth = identification_create_from_data(data);
+			charon->sim->card_set_reauth(charon->sim, this->permanent, reauth,
+							 this->mk, this->counter);
+			reauth->destroy(reauth);
+		}
+	}
+	message->add_attribute(message, AT_COUNTER, counter);
+	*out = message->generate(message, nonce);
+	message->destroy(message);
+	return NEED_MORE;
+}
+
+/**
+ * Process an EAP-AKA/Request/Notification message
+ */
+static status_t process_notification(private_eap_aka_peer_t *this,
+									 simaka_message_t *in, eap_payload_t **out)
+{
+	simaka_message_t *message;
+	enumerator_t *enumerator;
+	simaka_attribute_t type;
+	chunk_t data;
+	bool success = TRUE;
+
+	enumerator = in->create_attribute_enumerator(in);
+	while (enumerator->enumerate(enumerator, &type, &data))
+	{
+		if (type == AT_NOTIFICATION)
+		{
+			u_int16_t code;
+
+			memcpy(&code, data.ptr, sizeof(code));
+			code = ntohs(code);
+
+			/* test success bit */
+			if (!(data.ptr[0] & 0x80))
+			{
+				success = FALSE;
+				DBG1(DBG_IKE, "received EAP-AKA notification error '%N'",
+					 simaka_notification_names, code);
+			}
+			else
+			{
+				DBG1(DBG_IKE, "received EAP-AKA notification '%N'",
+					 simaka_notification_names, code);
+			}
+		}
+		else if (!simaka_attribute_skippable(type))
+		{
+			success = FALSE;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	if (success)
+	{	/* empty notification reply */
+		message = simaka_message_create(FALSE, in->get_identifier(in), EAP_AKA,
+										AKA_NOTIFICATION, this->crypto);
+		*out = message->generate(message, chunk_empty);
+		message->destroy(message);
+	}
+	else
+	{
+		*out = create_client_error(this, in->get_identifier(in));
+	}
+	return NEED_MORE;
+}
+
+
+/**
+ * Implementation of eap_method_t.process
+ */
+static status_t process(private_eap_aka_peer_t *this,
+						eap_payload_t *in, eap_payload_t **out)
+{
+	simaka_message_t *message;
+	status_t status;
+
+	message = simaka_message_create_from_payload(in, this->crypto);
+	if (!message)
+	{
+		*out = create_client_error(this, in->get_identifier(in));
+		return NEED_MORE;
+	}
+	if (!message->parse(message))
+	{
+		message->destroy(message);
+		*out = create_client_error(this, in->get_identifier(in));
+		return NEED_MORE;
+	}
+	switch (message->get_subtype(message))
+	{
+		case AKA_IDENTITY:
+			status = process_identity(this, message, out);
+			break;
+		case AKA_CHALLENGE:
+			status = process_challenge(this, message, out);
+			break;
+		case AKA_REAUTHENTICATION:
+			status = process_reauthentication(this, message, out);
+			break;
+		case AKA_NOTIFICATION:
+			status = process_notification(this, message, out);
+			break;
+		default:
+			DBG1(DBG_IKE, "unable to process EAP-AKA subtype %N",
+				 simaka_subtype_names, message->get_subtype(message));
+			*out = create_client_error(this, in->get_identifier(in));
+			status = NEED_MORE;
+			break;
+	}
+	message->destroy(message);
+	return status;
+}
+
+/**
+ * Implementation of eap_method_t.initiate
+ */
+static status_t initiate(private_eap_aka_peer_t *this, eap_payload_t **out)
+{
+	/* peer never initiates */
+	return FAILED;
+}
+
+/**
+ * Implementation of eap_method_t.get_type.
+ */
+static eap_type_t get_type(private_eap_aka_peer_t *this, u_int32_t *vendor)
+{
+	*vendor = 0;
+	return EAP_AKA;
+}
+
+/**
+ * Implementation of eap_method_t.get_msk.
+ */
+static status_t get_msk(private_eap_aka_peer_t *this, chunk_t *msk)
+{
+	if (this->msk.ptr)
+	{
+		*msk = this->msk;
+		return SUCCESS;
+	}
+	return FAILED;
+}
+
+/**
+ * Implementation of eap_method_t.is_mutual.
+ */
+static bool is_mutual(private_eap_aka_peer_t *this)
+{
+	return TRUE;
+}
+
+/**
+ * Implementation of eap_method_t.destroy.
+ */
+static void destroy(private_eap_aka_peer_t *this)
+{
+	this->crypto->destroy(this->crypto);
+	this->permanent->destroy(this->permanent);
+	DESTROY_IF(this->pseudonym);
+	DESTROY_IF(this->reauth);
+	free(this->msk.ptr);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+eap_aka_peer_t *eap_aka_peer_create(identification_t *server,
+									identification_t *peer)
+{
+	private_eap_aka_peer_t *this = malloc_thing(private_eap_aka_peer_t);
+
+	this->public.interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate;
+	this->public.interface.process = (status_t(*)(eap_method_t*,eap_payload_t*,eap_payload_t**))process;
+	this->public.interface.get_type = (eap_type_t(*)(eap_method_t*,u_int32_t*))get_type;
+	this->public.interface.is_mutual = (bool(*)(eap_method_t*))is_mutual;
+	this->public.interface.get_msk = (status_t(*)(eap_method_t*,chunk_t*))get_msk;
+	this->public.interface.destroy = (void(*)(eap_method_t*))destroy;
+
+	this->crypto = simaka_crypto_create();
+	if (!this->crypto)
+	{
+		free(this);
+		return NULL;
+	}
+	this->permanent = peer->clone(peer);
+	this->pseudonym = NULL;
+	this->reauth = NULL;
+	this->msk = chunk_empty;
+
+	return &this->public;
+}
+
diff --git a/src/charon/plugins/eap_aka/eap_aka_peer.h b/src/charon/plugins/eap_aka/eap_aka_peer.h
new file mode 100644
index 000000000..65a210406
--- /dev/null
+++ b/src/charon/plugins/eap_aka/eap_aka_peer.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2008-2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_aka_peer eap_aka_peer
+ * @{ @ingroup eap_aka
+ */
+
+#ifndef EAP_AKA_PEER_H_
+#define EAP_AKA_PEER_H_
+
+typedef struct eap_aka_peer_t eap_aka_peer_t;
+
+#include <sa/authenticators/eap/eap_method.h>
+
+/**
+ * Implementation of the eap_method_t interface using EAP-AKA as a client.
+ */
+struct eap_aka_peer_t {
+
+	/**
+	 * Implemented eap_method_t interface.
+	 */
+	eap_method_t interface;
+};
+
+/**
+ * Creates the peer implementation of the EAP method EAP-AKA.
+ *
+ * @param server	ID of the EAP server
+ * @param peer		ID of the EAP client
+ * @return			eap_aka_peer_t object
+ */
+eap_aka_peer_t *eap_aka_peer_create(identification_t *server,
+									identification_t *peer);
+
+#endif /** EAP_AKA_PEER_H_ @}*/
diff --git a/src/charon/plugins/eap_aka/eap_aka_plugin.c b/src/charon/plugins/eap_aka/eap_aka_plugin.c
index e4a5326fe..c44a08966 100644
--- a/src/charon/plugins/eap_aka/eap_aka_plugin.c
+++ b/src/charon/plugins/eap_aka/eap_aka_plugin.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008 Martin Willi
+ * Copyright (C) 2008-2009 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -15,7 +15,8 @@
 
 #include "eap_aka_plugin.h"
 
-#include "eap_aka.h"
+#include "eap_aka_peer.h"
+#include "eap_aka_server.h"
 
 #include <daemon.h>
 
@@ -25,9 +26,9 @@
 static void destroy(eap_aka_plugin_t *this)
 {
 	charon->eap->remove_method(charon->eap,
-							   (eap_constructor_t)eap_aka_create_server);
+							   (eap_constructor_t)eap_aka_server_create);
 	charon->eap->remove_method(charon->eap,
-							   (eap_constructor_t)eap_aka_create_peer);
+							   (eap_constructor_t)eap_aka_peer_create);
 	free(this);
 }
 
@@ -37,14 +38,14 @@ static void destroy(eap_aka_plugin_t *this)
 plugin_t *plugin_create()
 {
 	eap_aka_plugin_t *this = malloc_thing(eap_aka_plugin_t);
-	
+
 	this->plugin.destroy = (void(*)(plugin_t*))destroy;
-	
+
 	charon->eap->add_method(charon->eap, EAP_AKA, 0, EAP_SERVER,
-							(eap_constructor_t)eap_aka_create_server);
+							(eap_constructor_t)eap_aka_server_create);
 	charon->eap->add_method(charon->eap, EAP_AKA, 0, EAP_PEER,
-							(eap_constructor_t)eap_aka_create_peer);
-	
+							(eap_constructor_t)eap_aka_peer_create);
+
 	return &this->plugin;
 }
 
diff --git a/src/charon/plugins/eap_aka/eap_aka_plugin.h b/src/charon/plugins/eap_aka/eap_aka_plugin.h
index 2c086ca80..938e5ecbd 100644
--- a/src/charon/plugins/eap_aka/eap_aka_plugin.h
+++ b/src/charon/plugins/eap_aka/eap_aka_plugin.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008 Martin Willi
+ * Copyright (C) 2008-2009 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -29,7 +29,10 @@
 typedef struct eap_aka_plugin_t eap_aka_plugin_t;
 
 /**
- * EAP-AKA plugin
+ * EAP-AKA plugin.
+ *
+ * EAP-AKA uses 3rd generation mobile phone standard authentication
+ * mechanism for authentication, as defined RFC4187.
  */
 struct eap_aka_plugin_t {
 
diff --git a/src/charon/plugins/eap_aka/eap_aka_server.c b/src/charon/plugins/eap_aka/eap_aka_server.c
new file mode 100644
index 000000000..9baff3e23
--- /dev/null
+++ b/src/charon/plugins/eap_aka/eap_aka_server.c
@@ -0,0 +1,700 @@
+/*
+ * Copyright (C) 2006-2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_aka_server.h"
+
+#include <daemon.h>
+#include <library.h>
+
+#include <simaka_message.h>
+#include <simaka_crypto.h>
+
+/** length of the AT_NONCE_S value */
+#define NONCE_LEN 16
+
+typedef struct private_eap_aka_server_t private_eap_aka_server_t;
+
+/**
+ * Private data of an eap_aka_server_t object.
+ */
+struct private_eap_aka_server_t {
+
+	/**
+	 * Public authenticator_t interface.
+	 */
+	eap_aka_server_t public;
+
+	/**
+	 * EAP-AKA crypto helper
+	 */
+	simaka_crypto_t *crypto;
+
+	/**
+	 * permanent ID of the peer
+	 */
+	identification_t *permanent;
+
+	/**
+	 * pseudonym ID of peer
+	 */
+	identification_t *pseudonym;
+
+	/**
+	 * reauthentication ID of peer
+	 */
+	identification_t *reauth;
+
+	/**
+	 * EAP identifier value
+	 */
+	u_int8_t identifier;
+
+	/**
+	 * Expected Result XRES
+	 */
+	chunk_t xres;
+
+	/**
+	 * Random value RAND
+	 */
+	chunk_t rand;
+
+	/**
+	 * MSK
+	 */
+	chunk_t msk;
+
+	/**
+	 * Nonce value used in AT_NONCE_S
+	 */
+	chunk_t nonce;
+
+	/**
+	 * Counter value negotiated, network order
+	 */
+	chunk_t counter;
+
+	/**
+	 * Do we request fast reauthentication?
+	 */
+	bool use_reauth;
+
+	/**
+	 * Do we request pseudonym identities?
+	 */
+	bool use_pseudonym;
+
+	/**
+	 * Do we request permanent identities?
+	 */
+	bool use_permanent;
+
+	/**
+	 * EAP-AKA message we have initiated
+	 */
+	simaka_subtype_t pending;
+
+	/**
+	 * Did the client send a synchronize request?
+	 */
+	bool synchronized;
+};
+
+/**
+ * Create EAP-AKA/Request/Identity message
+ */
+static status_t identity(private_eap_aka_server_t *this, eap_payload_t **out)
+{
+	simaka_message_t *message;
+
+	message = simaka_message_create(TRUE, this->identifier++, EAP_AKA,
+									AKA_IDENTITY, this->crypto);
+	if (this->use_reauth)
+	{
+		message->add_attribute(message, AT_ANY_ID_REQ, chunk_empty);
+	}
+	else if (this->use_pseudonym)
+	{
+		message->add_attribute(message, AT_FULLAUTH_ID_REQ, chunk_empty);
+	}
+	else if (this->use_permanent)
+	{
+		message->add_attribute(message, AT_PERMANENT_ID_REQ, chunk_empty);
+	}
+	*out = message->generate(message, chunk_empty);
+	message->destroy(message);
+
+	this->pending = AKA_IDENTITY;
+	return NEED_MORE;
+}
+
+/**
+ * Create EAP-AKA/Request/Challenge message
+ */
+static status_t challenge(private_eap_aka_server_t *this, eap_payload_t **out)
+{
+	simaka_message_t *message;
+	char rand[AKA_RAND_LEN], xres[AKA_RES_MAX];
+	char ck[AKA_CK_LEN], ik[AKA_IK_LEN], autn[AKA_AUTN_LEN];
+	int xres_len;
+	chunk_t data, mk;
+	identification_t *id;
+
+	if (!charon->sim->provider_get_quintuplet(charon->sim, this->permanent,
+										rand, xres, &xres_len, ck, ik, autn))
+	{
+		if (this->use_pseudonym)
+		{
+			/* probably received a pseudonym/reauth id we couldn't map */
+			DBG1(DBG_IKE, "failed to map pseudonym/reauth identity '%Y', "
+				 "fallback to permanent identity request", this->permanent);
+			this->use_pseudonym = FALSE;
+			DESTROY_IF(this->pseudonym);
+			this->pseudonym = NULL;
+			return identity(this, out);
+		}
+		return FAILED;
+	}
+	id = this->permanent;
+	if (this->pseudonym)
+	{
+		id = this->pseudonym;
+	}
+	data = chunk_cata("cc", chunk_create(ik, AKA_IK_LEN),
+					  chunk_create(ck, AKA_CK_LEN));
+	free(this->msk.ptr);
+	this->msk = this->crypto->derive_keys_full(this->crypto, id, data, &mk);
+	this->rand = chunk_clone(chunk_create(rand, AKA_RAND_LEN));
+	this->xres = chunk_clone(chunk_create(xres, xres_len));
+
+	message = simaka_message_create(TRUE, this->identifier++, EAP_AKA,
+									AKA_CHALLENGE, this->crypto);
+	message->add_attribute(message, AT_RAND, this->rand);
+	message->add_attribute(message, AT_AUTN, chunk_create(autn, AKA_AUTN_LEN));
+	id = charon->sim->provider_gen_reauth(charon->sim, this->permanent, mk.ptr);
+	if (id)
+	{
+		message->add_attribute(message, AT_NEXT_REAUTH_ID,
+							   id->get_encoding(id));
+		id->destroy(id);
+	}
+	else
+	{
+		id = charon->sim->provider_gen_pseudonym(charon->sim, this->permanent);
+		if (id)
+		{
+			message->add_attribute(message, AT_NEXT_PSEUDONYM,
+								   id->get_encoding(id));
+			id->destroy(id);
+		}
+	}
+	*out = message->generate(message, chunk_empty);
+	message->destroy(message);
+
+	free(mk.ptr);
+	this->pending = AKA_CHALLENGE;
+	return NEED_MORE;
+}
+
+/**
+ * Initiate  EAP-AKA/Request/Re-authentication message
+ */
+static status_t reauthenticate(private_eap_aka_server_t *this,
+							   char mk[HASH_SIZE_SHA1], u_int16_t counter,
+							   eap_payload_t **out)
+{
+	simaka_message_t *message;
+	identification_t *next;
+	chunk_t mkc;
+	rng_t *rng;
+
+	DBG1(DBG_IKE, "initiating EAP-AKA reauthentication");
+
+	rng = this->crypto->get_rng(this->crypto);
+	rng->allocate_bytes(rng, NONCE_LEN, &this->nonce);
+
+	mkc = chunk_create(mk, HASH_SIZE_SHA1);
+	counter = htons(counter);
+	this->counter = chunk_clone(chunk_create((char*)&counter, sizeof(counter)));
+
+	this->crypto->derive_keys_reauth(this->crypto, mkc);
+	this->msk = this->crypto->derive_keys_reauth_msk(this->crypto,
+								this->reauth, this->counter, this->nonce, mkc);
+
+	message = simaka_message_create(TRUE, this->identifier++, EAP_AKA,
+									AKA_REAUTHENTICATION, this->crypto);
+	message->add_attribute(message, AT_COUNTER, this->counter);
+	message->add_attribute(message, AT_NONCE_S, this->nonce);
+	next = charon->sim->provider_gen_reauth(charon->sim, this->permanent, mk);
+	if (next)
+	{
+		message->add_attribute(message, AT_NEXT_REAUTH_ID,
+							   next->get_encoding(next));
+		next->destroy(next);
+	}
+	*out = message->generate(message, chunk_empty);
+	message->destroy(message);
+
+	this->pending = SIM_REAUTHENTICATION;
+	return NEED_MORE;
+}
+
+/**
+ * Implementation of eap_method_t.initiate
+ */
+static status_t initiate(private_eap_aka_server_t *this, eap_payload_t **out)
+{
+	if (this->use_permanent || this->use_pseudonym || this->use_reauth)
+	{
+		return identity(this, out);
+	}
+	return challenge(this, out);
+}
+
+/**
+ * Process EAP-AKA/Response/Identity message
+ */
+static status_t process_identity(private_eap_aka_server_t *this,
+								 simaka_message_t *in, eap_payload_t **out)
+{
+	identification_t *permanent, *id;
+	enumerator_t *enumerator;
+	simaka_attribute_t type;
+	chunk_t data, identity = chunk_empty;
+
+	if (this->pending != AKA_IDENTITY)
+	{
+		DBG1(DBG_IKE, "received %N, but not expected",
+			 simaka_subtype_names, AKA_IDENTITY);
+		return FAILED;
+	}
+
+	enumerator = in->create_attribute_enumerator(in);
+	while (enumerator->enumerate(enumerator, &type, &data))
+	{
+		switch (type)
+		{
+			case AT_IDENTITY:
+				identity = data;
+				break;
+			default:
+				if (!simaka_attribute_skippable(type))
+				{
+					enumerator->destroy(enumerator);
+					return FAILED;
+				}
+				break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	if (!identity.len)
+	{
+		DBG1(DBG_IKE, "received incomplete Identity response");
+		return FAILED;
+	}
+
+	id = identification_create_from_data(identity);
+	if (this->use_reauth)
+	{
+		char mk[HASH_SIZE_SHA1];
+		u_int16_t counter;
+
+		permanent = charon->sim->provider_is_reauth(charon->sim, id,
+													mk, &counter);
+		if (permanent)
+		{
+			this->permanent->destroy(this->permanent);
+			this->permanent = permanent;
+			this->reauth = id;
+			return reauthenticate(this, mk, counter, out);
+		}
+		/* unable to map, maybe a pseudonym? */
+		DBG1(DBG_IKE, "'%Y' is not a reauth identity", id);
+		this->use_reauth = FALSE;
+	}
+	if (this->use_pseudonym)
+	{
+		permanent = charon->sim->provider_is_pseudonym(charon->sim, id);
+		if (permanent)
+		{
+			this->permanent->destroy(this->permanent);
+			this->permanent = permanent;
+			this->pseudonym = id->clone(id);
+			/* we already have a new permanent identity now */
+			this->use_permanent = FALSE;
+		}
+		else
+		{
+			DBG1(DBG_IKE, "'%Y' is not a pseudonym", id);
+		}
+	}
+	if (!this->pseudonym && this->use_permanent)
+	{
+		/* got a permanent identity or a pseudonym reauth id wou couldn't map,
+		 * try to get quintuplets */
+		DBG1(DBG_IKE, "received identity '%Y'", id);
+		this->permanent->destroy(this->permanent);
+		this->permanent = id->clone(id);
+	}
+	id->destroy(id);
+
+	return challenge(this, out);
+}
+
+/**
+ * Process EAP-AKA/Response/Challenge message
+ */
+static status_t process_challenge(private_eap_aka_server_t *this,
+								  simaka_message_t *in)
+{
+	enumerator_t *enumerator;
+	simaka_attribute_t type;
+	chunk_t data, res = chunk_empty;
+
+	if (this->pending != AKA_CHALLENGE)
+	{
+		DBG1(DBG_IKE, "received %N, but not expected",
+			 simaka_subtype_names, AKA_CHALLENGE);
+		return FAILED;
+	}
+	/* verify MAC of EAP message, AT_MAC */
+	if (!in->verify(in, chunk_empty))
+	{
+		return FAILED;
+	}
+	enumerator = in->create_attribute_enumerator(in);
+	while (enumerator->enumerate(enumerator, &type, &data))
+	{
+		switch (type)
+		{
+			case AT_RES:
+				res = data;
+				break;
+			default:
+				if (!simaka_attribute_skippable(type))
+				{
+					enumerator->destroy(enumerator);
+					return FAILED;
+				}
+				break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	/* compare received RES against stored XRES */
+	if (!chunk_equals(res, this->xres))
+	{
+		DBG1(DBG_IKE, "received RES does not match XRES");
+		return FAILED;
+	}
+	return SUCCESS;
+}
+
+/**
+ * process an EAP-AKA/Response/Reauthentication message
+ */
+static status_t process_reauthentication(private_eap_aka_server_t *this,
+									simaka_message_t *in, eap_payload_t **out)
+{
+	enumerator_t *enumerator;
+	simaka_attribute_t type;
+	chunk_t data, counter = chunk_empty;
+	bool too_small = FALSE;
+
+	if (this->pending != AKA_REAUTHENTICATION)
+	{
+		DBG1(DBG_IKE, "received %N, but not expected",
+			 simaka_subtype_names, AKA_REAUTHENTICATION);
+		return FAILED;
+	}
+	/* verify AT_MAC attribute, signature is over "EAP packet | NONCE_S"  */
+	if (!in->verify(in, this->nonce))
+	{
+		return FAILED;
+	}
+
+	enumerator = in->create_attribute_enumerator(in);
+	while (enumerator->enumerate(enumerator, &type, &data))
+	{
+		switch (type)
+		{
+			case AT_COUNTER:
+				counter = data;
+				break;
+			case AT_COUNTER_TOO_SMALL:
+				too_small = TRUE;
+				break;
+			default:
+				if (!simaka_attribute_skippable(type))
+				{
+					enumerator->destroy(enumerator);
+					return FAILED;
+				}
+				break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	if (too_small)
+	{
+		DBG1(DBG_IKE, "received %N, initiating full authentication",
+			 simaka_attribute_names, AT_COUNTER_TOO_SMALL);
+		this->use_reauth = FALSE;
+		this->crypto->clear_keys(this->crypto);
+		return challenge(this, out);
+	}
+	if (!chunk_equals(counter, this->counter))
+	{
+		DBG1(DBG_IKE, "received counter does not match");
+		return FAILED;
+	}
+	return SUCCESS;
+}
+
+/**
+ * Process EAP-AKA/Response/SynchronizationFailure message
+ */
+static status_t process_synchronize(private_eap_aka_server_t *this,
+									simaka_message_t *in, eap_payload_t **out)
+{
+	enumerator_t *enumerator;
+	simaka_attribute_t type;
+	chunk_t data, auts = chunk_empty;
+
+	if (this->synchronized)
+	{
+		DBG1(DBG_IKE, "received %N, but peer did already resynchronize",
+			 simaka_subtype_names, AKA_SYNCHRONIZATION_FAILURE);
+		return FAILED;
+	}
+
+	DBG1(DBG_IKE, "received synchronization request, retrying...");
+
+	enumerator = in->create_attribute_enumerator(in);
+	while (enumerator->enumerate(enumerator, &type, &data))
+	{
+		switch (type)
+		{
+			case AT_AUTS:
+				auts = data;
+				break;
+			default:
+				if (!simaka_attribute_skippable(type))
+				{
+					enumerator->destroy(enumerator);
+					return FAILED;
+				}
+				break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	if (!auts.len)
+	{
+		DBG1(DBG_IKE, "synchronization request didn't contain usable AUTS");
+		return FAILED;
+	}
+
+	if (!charon->sim->provider_resync(charon->sim, this->permanent,
+									  this->rand.ptr, auts.ptr))
+	{
+		DBG1(DBG_IKE, "no AKA provider found supporting "
+			 "resynchronization for '%Y'", this->permanent);
+		return FAILED;
+	}
+	this->synchronized = TRUE;
+	return challenge(this, out);
+}
+
+/**
+ * Process EAP-AKA/Response/ClientErrorCode message
+ */
+static status_t process_client_error(private_eap_aka_server_t *this,
+									 simaka_message_t *in)
+{
+	enumerator_t *enumerator;
+	simaka_attribute_t type;
+	chunk_t data;
+
+	enumerator = in->create_attribute_enumerator(in);
+	while (enumerator->enumerate(enumerator, &type, &data))
+	{
+		if (type == AT_CLIENT_ERROR_CODE)
+		{
+			u_int16_t code;
+
+			memcpy(&code, data.ptr, sizeof(code));
+			DBG1(DBG_IKE, "received EAP-AKA client error '%N'",
+				 simaka_client_error_names, ntohs(code));
+		}
+		else if (!simaka_attribute_skippable(type))
+		{
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return FAILED;
+}
+
+/**
+ * Process EAP-AKA/Response/AuthenticationReject message
+ */
+static status_t process_authentication_reject(private_eap_aka_server_t *this,
+											  simaka_message_t *in)
+{
+	DBG1(DBG_IKE, "received %N, authentication failed",
+		 simaka_subtype_names, in->get_subtype(in));
+	return FAILED;
+}
+
+/**
+ * Implementation of eap_method_t.process
+ */
+static status_t process(private_eap_aka_server_t *this,
+						eap_payload_t *in, eap_payload_t **out)
+{
+	simaka_message_t *message;
+	status_t status;
+
+	message = simaka_message_create_from_payload(in, this->crypto);
+	if (!message)
+	{
+		return FAILED;
+	}
+	if (!message->parse(message))
+	{
+		message->destroy(message);
+		return FAILED;
+	}
+	switch (message->get_subtype(message))
+	{
+		case AKA_IDENTITY:
+			status = process_identity(this, message, out);
+			break;
+		case AKA_CHALLENGE:
+			status = process_challenge(this, message);
+			break;
+		case AKA_REAUTHENTICATION:
+			status = process_reauthentication(this, message, out);
+			break;
+		case AKA_SYNCHRONIZATION_FAILURE:
+			status = process_synchronize(this, message, out);
+			break;
+		case AKA_CLIENT_ERROR:
+			status = process_client_error(this, message);
+			break;
+		case AKA_AUTHENTICATION_REJECT:
+			status = process_authentication_reject(this, message);
+			break;
+		default:
+			DBG1(DBG_IKE, "unable to process EAP-AKA subtype %N",
+				 simaka_subtype_names, message->get_subtype(message));
+			status = FAILED;
+			break;
+	}
+	message->destroy(message);
+	return status;
+}
+
+/**
+ * Implementation of eap_method_t.get_type.
+ */
+static eap_type_t get_type(private_eap_aka_server_t *this, u_int32_t *vendor)
+{
+	*vendor = 0;
+	return EAP_AKA;
+}
+
+/**
+ * Implementation of eap_method_t.get_msk.
+ */
+static status_t get_msk(private_eap_aka_server_t *this, chunk_t *msk)
+{
+	if (this->msk.ptr)
+	{
+		*msk = this->msk;
+		return SUCCESS;
+	}
+	return FAILED;
+}
+
+/**
+ * Implementation of eap_method_t.is_mutual.
+ */
+static bool is_mutual(private_eap_aka_server_t *this)
+{
+	return TRUE;
+}
+
+/**
+ * Implementation of eap_method_t.destroy.
+ */
+static void destroy(private_eap_aka_server_t *this)
+{
+	this->crypto->destroy(this->crypto);
+	this->permanent->destroy(this->permanent);
+	DESTROY_IF(this->pseudonym);
+	DESTROY_IF(this->reauth);
+	free(this->xres.ptr);
+	free(this->rand.ptr);
+	free(this->nonce.ptr);
+	free(this->msk.ptr);
+	free(this->counter.ptr);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+eap_aka_server_t *eap_aka_server_create(identification_t *server,
+										identification_t *peer)
+{
+	private_eap_aka_server_t *this = malloc_thing(private_eap_aka_server_t);
+
+	this->public.interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate;
+	this->public.interface.process = (status_t(*)(eap_method_t*,eap_payload_t*,eap_payload_t**))process;
+	this->public.interface.get_type = (eap_type_t(*)(eap_method_t*,u_int32_t*))get_type;
+	this->public.interface.is_mutual = (bool(*)(eap_method_t*))is_mutual;
+	this->public.interface.get_msk = (status_t(*)(eap_method_t*,chunk_t*))get_msk;
+	this->public.interface.destroy = (void(*)(eap_method_t*))destroy;
+
+	this->crypto = simaka_crypto_create();
+	if (!this->crypto)
+	{
+		free(this);
+		return NULL;
+	}
+	this->permanent = peer->clone(peer);
+	this->pseudonym = NULL;
+	this->reauth = NULL;
+	this->xres = chunk_empty;
+	this->rand = chunk_empty;
+	this->nonce = chunk_empty;
+	this->msk = chunk_empty;
+	this->counter = chunk_empty;
+	this->pending = 0;
+	this->synchronized = FALSE;
+	this->use_reauth = this->use_pseudonym = this->use_permanent =
+		lib->settings->get_bool(lib->settings,
+								"charon.plugins.eap-aka.request_identity", TRUE);
+	/* generate a non-zero identifier */
+	do {
+		this->identifier = random();
+	} while (!this->identifier);
+
+	return &this->public;
+}
+
diff --git a/src/charon/plugins/eap_aka/eap_aka_server.h b/src/charon/plugins/eap_aka/eap_aka_server.h
new file mode 100644
index 000000000..d48fc4c34
--- /dev/null
+++ b/src/charon/plugins/eap_aka/eap_aka_server.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2008-2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_aka_server eap_aka_server
+ * @{ @ingroup eap_aka
+ */
+
+#ifndef EAP_AKA_SERVER_H_
+#define EAP_AKA_SERVER_H_
+
+typedef struct eap_aka_server_t eap_aka_server_t;
+
+#include <sa/authenticators/eap/eap_method.h>
+
+/**
+ * Implementation of the eap_method_t interface using EAP-AKA as server.
+ */
+struct eap_aka_server_t {
+
+	/**
+	 * Implemented eap_method_t interface.
+	 */
+	eap_method_t interface;
+};
+
+/**
+ * Creates the server implementation of the EAP method EAP-AKA.
+ *
+ * @param server	ID of the EAP server
+ * @param peer		ID of the EAP client
+ * @return			eap_aka_server_t object
+ */
+eap_aka_server_t *eap_aka_server_create(identification_t *server,
+										identification_t *peer);
+
+#endif /** EAP_AKA_SERVER_H_ @}*/
diff --git a/src/charon/plugins/eap_aka_3gpp2/Makefile.am b/src/charon/plugins/eap_aka_3gpp2/Makefile.am
new file mode 100644
index 000000000..1a4a3765b
--- /dev/null
+++ b/src/charon/plugins/eap_aka_3gpp2/Makefile.am
@@ -0,0 +1,15 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
+
+AM_CFLAGS = -rdynamic
+
+plugin_LTLIBRARIES = libstrongswan-eap-aka-3gpp2.la
+
+libstrongswan_eap_aka_3gpp2_la_SOURCES = \
+  eap_aka_3gpp2_plugin.h eap_aka_3gpp2_plugin.c \
+  eap_aka_3gpp2_card.h eap_aka_3gpp2_card.c \
+  eap_aka_3gpp2_provider.h eap_aka_3gpp2_provider.c \
+  eap_aka_3gpp2_functions.h eap_aka_3gpp2_functions.c
+libstrongswan_eap_aka_3gpp2_la_LDFLAGS = -module -avoid-version
+libstrongswan_eap_aka_3gpp2_la_LIBADD = -lgmp
+
diff --git a/src/charon/plugins/eap_aka_3gpp2/Makefile.in b/src/charon/plugins/eap_aka_3gpp2/Makefile.in
new file mode 100644
index 000000000..b80f97f95
--- /dev/null
+++ b/src/charon/plugins/eap_aka_3gpp2/Makefile.in
@@ -0,0 +1,579 @@
+# Makefile.in generated by automake 1.11 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/charon/plugins/eap_aka_3gpp2
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(plugin_LTLIBRARIES)
+libstrongswan_eap_aka_3gpp2_la_DEPENDENCIES =
+am_libstrongswan_eap_aka_3gpp2_la_OBJECTS = eap_aka_3gpp2_plugin.lo \
+	eap_aka_3gpp2_card.lo eap_aka_3gpp2_provider.lo \
+	eap_aka_3gpp2_functions.lo
+libstrongswan_eap_aka_3gpp2_la_OBJECTS =  \
+	$(am_libstrongswan_eap_aka_3gpp2_la_OBJECTS)
+libstrongswan_eap_aka_3gpp2_la_LINK = $(LIBTOOL) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_eap_aka_3gpp2_la_LDFLAGS) $(LDFLAGS) -o $@
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_eap_aka_3gpp2_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_eap_aka_3gpp2_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libstrongswan_plugins = @libstrongswan_plugins@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
+AM_CFLAGS = -rdynamic
+plugin_LTLIBRARIES = libstrongswan-eap-aka-3gpp2.la
+libstrongswan_eap_aka_3gpp2_la_SOURCES = \
+  eap_aka_3gpp2_plugin.h eap_aka_3gpp2_plugin.c \
+  eap_aka_3gpp2_card.h eap_aka_3gpp2_card.c \
+  eap_aka_3gpp2_provider.h eap_aka_3gpp2_provider.c \
+  eap_aka_3gpp2_functions.h eap_aka_3gpp2_functions.c
+
+libstrongswan_eap_aka_3gpp2_la_LDFLAGS = -module -avoid-version
+libstrongswan_eap_aka_3gpp2_la_LIBADD = -lgmp
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/charon/plugins/eap_aka_3gpp2/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/charon/plugins/eap_aka_3gpp2/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-eap-aka-3gpp2.la: $(libstrongswan_eap_aka_3gpp2_la_OBJECTS) $(libstrongswan_eap_aka_3gpp2_la_DEPENDENCIES) 
+	$(libstrongswan_eap_aka_3gpp2_la_LINK) -rpath $(plugindir) $(libstrongswan_eap_aka_3gpp2_la_OBJECTS) $(libstrongswan_eap_aka_3gpp2_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_aka_3gpp2_card.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_aka_3gpp2_functions.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_aka_3gpp2_plugin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_aka_3gpp2_provider.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
+	mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
+	distclean-compile distclean-generic distclean-libtool \
+	distclean-tags distdir dvi dvi-am html html-am info info-am \
+	install install-am install-data install-data-am install-dvi \
+	install-dvi-am install-exec install-exec-am install-html \
+	install-html-am install-info install-info-am install-man \
+	install-pdf install-pdf-am install-pluginLTLIBRARIES \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/charon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_card.c b/src/charon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_card.c
new file mode 100644
index 000000000..5c0fe38ad
--- /dev/null
+++ b/src/charon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_card.c
@@ -0,0 +1,178 @@
+/*
+ * Copyright (C) 2008-2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_aka_3gpp2_card.h"
+
+#include <daemon.h>
+
+typedef struct private_eap_aka_3gpp2_card_t private_eap_aka_3gpp2_card_t;
+
+/**
+ * Private data of an eap_aka_3gpp2_card_t object.
+ */
+struct private_eap_aka_3gpp2_card_t {
+
+	/**
+	 * Public eap_aka_3gpp2_card_t interface.
+	 */
+	eap_aka_3gpp2_card_t public;
+
+	/**
+	 * AKA functions
+	 */
+	eap_aka_3gpp2_functions_t *f;
+
+	/**
+	 * do sequence number checking?
+	 */
+	bool seq_check;
+
+	/**
+	 * SQN stored in this pseudo-USIM
+	 */
+	char sqn[AKA_SQN_LEN];
+};
+
+/**
+ * Functions from eap_aka_3gpp2_provider.c
+ */
+bool eap_aka_3gpp2_get_k(identification_t *id, char k[AKA_K_LEN]);
+void eap_aka_3gpp2_get_sqn(char sqn[AKA_SQN_LEN], int offset);
+
+/**
+ * Implementation of sim_card_t.get_quintuplet
+ */
+static status_t get_quintuplet(private_eap_aka_3gpp2_card_t *this,
+							   identification_t *id, char rand[AKA_RAND_LEN],
+							   char autn[AKA_AUTN_LEN], char ck[AKA_CK_LEN],
+							   char ik[AKA_IK_LEN], char res[AKA_RES_MAX],
+							   int *res_len)
+{
+	char *amf, *mac;
+	char k[AKA_K_LEN], ak[AKA_AK_LEN], sqn[AKA_SQN_LEN], xmac[AKA_MAC_LEN];
+
+	if (!eap_aka_3gpp2_get_k(id, k))
+	{
+		DBG1(DBG_IKE, "no EAP key found for %Y to authenticate with AKA", id);
+		return FAILED;
+	}
+
+	/* AUTN = SQN xor AK | AMF | MAC */
+	DBG3(DBG_IKE, "received autn %b", autn, AKA_AUTN_LEN);
+	DBG3(DBG_IKE, "using K %b", k, AKA_K_LEN);
+	DBG3(DBG_IKE, "using rand %b", rand, AKA_RAND_LEN);
+	memcpy(sqn, autn, AKA_SQN_LEN);
+	amf = autn + AKA_SQN_LEN;
+	mac = autn + AKA_SQN_LEN + AKA_AMF_LEN;
+
+	/* XOR anonymity key AK into SQN to decrypt it */
+	this->f->f5(this->f, k, rand, ak);
+	DBG3(DBG_IKE, "using ak %b", ak, AKA_AK_LEN);
+	memxor(sqn, ak, AKA_SQN_LEN);
+	DBG3(DBG_IKE, "using sqn %b", sqn, AKA_SQN_LEN);
+
+	/* calculate expected MAC and compare against received one */
+	this->f->f1(this->f, k, rand, sqn, amf, xmac);
+	if (!memeq(mac, xmac, AKA_MAC_LEN))
+	{
+		DBG1(DBG_IKE, "received MAC does not match XMAC");
+		DBG3(DBG_IKE, "MAC %b\nXMAC %b", mac, AKA_MAC_LEN, xmac, AKA_MAC_LEN);
+		return FAILED;
+	}
+
+	if (this->seq_check && memcmp(this->sqn, sqn, AKA_SQN_LEN) >= 0)
+	{
+		DBG3(DBG_IKE, "received SQN %b\ncurrent SQN %b",
+			 sqn, AKA_SQN_LEN, this->sqn, AKA_SQN_LEN);
+		return INVALID_STATE;
+	}
+
+	/* update stored SQN to the received one */
+	memcpy(this->sqn, sqn, AKA_SQN_LEN);
+
+	/* CK/IK */
+	this->f->f3(this->f, k, rand, ck);
+	this->f->f4(this->f, k, rand, ik);
+	/* calculate RES */
+	this->f->f2(this->f, k, rand, res);
+	*res_len = AKA_RES_MAX;
+
+	return SUCCESS;
+}
+
+/**
+ * Implementation of sim_card_t.resync
+ */
+static bool resync(private_eap_aka_3gpp2_card_t *this, identification_t *id,
+				   char rand[AKA_RAND_LEN], char auts[AKA_AUTS_LEN])
+{
+	char amf[AKA_AMF_LEN], k[AKA_K_LEN], aks[AKA_AK_LEN], macs[AKA_MAC_LEN];
+
+	if (!eap_aka_3gpp2_get_k(id, k))
+	{
+		DBG1(DBG_IKE, "no EAP key found for %Y to resync AKA", id);
+		return FALSE;
+	}
+
+	/* AMF is set to zero in resync */
+	memset(amf, 0, AKA_AMF_LEN);
+	this->f->f5star(this->f, k, rand, aks);
+	this->f->f1star(this->f, k, rand, this->sqn, amf, macs);
+	/* AUTS = SQN xor AKS | MACS */
+	memcpy(auts, this->sqn, AKA_SQN_LEN);
+	memxor(auts, aks, AKA_AK_LEN);
+	memcpy(auts + AKA_AK_LEN, macs, AKA_MAC_LEN);
+
+	return TRUE;
+}
+
+/**
+ * Implementation of eap_aka_3gpp2_card_t.destroy.
+ */
+static void destroy(private_eap_aka_3gpp2_card_t *this)
+{
+	free(this);
+}
+
+/**
+ * See header
+ */
+eap_aka_3gpp2_card_t *eap_aka_3gpp2_card_create(eap_aka_3gpp2_functions_t *f)
+{
+	private_eap_aka_3gpp2_card_t *this = malloc_thing(private_eap_aka_3gpp2_card_t);
+
+	this->public.card.get_triplet = (bool(*)(sim_card_t*, identification_t *id, char rand[SIM_RAND_LEN], char sres[SIM_SRES_LEN], char kc[SIM_KC_LEN]))return_false;
+	this->public.card.get_quintuplet = (status_t(*)(sim_card_t*, identification_t *id, char rand[AKA_RAND_LEN], char autn[AKA_AUTN_LEN], char ck[AKA_CK_LEN], char ik[AKA_IK_LEN], char res[AKA_RES_MAX], int *res_len))get_quintuplet;
+	this->public.card.resync = (bool(*)(sim_card_t*, identification_t *id, char rand[AKA_RAND_LEN], char auts[AKA_AUTS_LEN]))resync;
+	this->public.card.get_pseudonym = (identification_t*(*)(sim_card_t*, identification_t *id))return_null;
+	this->public.card.set_pseudonym = (void(*)(sim_card_t*, identification_t *id, identification_t *pseudonym))nop;
+	this->public.card.get_reauth = (identification_t*(*)(sim_card_t*, identification_t *id, char mk[HASH_SIZE_SHA1], u_int16_t *counter))return_null;
+	this->public.card.set_reauth = (void(*)(sim_card_t*, identification_t *id, identification_t* next, char mk[HASH_SIZE_SHA1], u_int16_t counter))nop;
+	this->public.destroy = (void(*)(eap_aka_3gpp2_card_t*))destroy;
+
+	this->f = f;
+	this->seq_check = lib->settings->get_bool(lib->settings,
+									"charon.plugins.eap-aka-3gpp2.seq_check",
+#ifdef SEQ_CHECK /* handle legacy compile time configuration as default */
+									TRUE);
+#else /* !SEQ_CHECK */
+									FALSE);
+#endif /* SEQ_CHECK */
+
+	eap_aka_3gpp2_get_sqn(this->sqn, 0);
+
+	return &this->public;
+}
+
diff --git a/src/charon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_card.h b/src/charon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_card.h
new file mode 100644
index 000000000..b95bc52af
--- /dev/null
+++ b/src/charon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_card.h
@@ -0,0 +1,53 @@
+/*
+ * Copyright (C) 2008-2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_aka_3gpp2_card eap_aka_3gpp2_card
+ * @{ @ingroup eap_aka_3gpp2
+ */
+
+#ifndef EAP_AKA_3GPP2_CARD_H_
+#define EAP_AKA_3GPP2_CARD_H_
+
+#include "eap_aka_3gpp2_functions.h"
+
+#include <sa/authenticators/eap/sim_manager.h>
+
+typedef struct eap_aka_3gpp2_card_t eap_aka_3gpp2_card_t;
+
+/**
+ * SIM card implementation using a set of AKA functions.
+ */
+struct eap_aka_3gpp2_card_t {
+
+	/**
+	 * Implements sim_card_t interface
+	 */
+	sim_card_t card;
+
+	/**
+	 * Destroy a eap_aka_3gpp2_card_t.
+	 */
+	void (*destroy)(eap_aka_3gpp2_card_t *this);
+};
+
+/**
+ * Create a eap_aka_3gpp2_card instance.
+ *
+ * @param f		AKA functions
+ */
+eap_aka_3gpp2_card_t *eap_aka_3gpp2_card_create(eap_aka_3gpp2_functions_t *f);
+
+#endif /** EAP_AKA_3GPP2_CARD_H_ @}*/
diff --git a/src/charon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_functions.c b/src/charon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_functions.c
new file mode 100644
index 000000000..1d3d246d1
--- /dev/null
+++ b/src/charon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_functions.c
@@ -0,0 +1,394 @@
+/*
+ * Copyright (C) 2008-2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_aka_3gpp2_functions.h"
+
+#include <gmp.h>
+#include <limits.h>
+
+#include <daemon.h>
+
+typedef struct private_eap_aka_3gpp2_functions_t private_eap_aka_3gpp2_functions_t;
+
+/**
+ * Private data of an eap_aka_3gpp2_functions_t object.
+ */
+struct private_eap_aka_3gpp2_functions_t {
+
+	/**
+	 * Public eap_aka_3gpp2_functions_t interface.
+	 */
+	eap_aka_3gpp2_functions_t public;
+
+	/**
+	 * Used keyed SHA1 function, as PRF
+	 */
+	prf_t *prf;
+};
+
+#define AKA_PAYLOAD_LEN 64
+
+#define F1			  0x42
+#define F1STAR		  0x43
+#define F2			  0x44
+#define F3			  0x45
+#define F4			  0x46
+#define F5			  0x47
+#define F5STAR		  0x48
+
+/** Family key, as proposed in S.S0055 */
+static chunk_t fmk = chunk_from_chars(0x41, 0x48, 0x41, 0x47);
+
+/**
+ * Binary represnation of the polynom T^160 + T^5 + T^3 + T^2 + 1
+ */
+static u_int8_t g[] = {
+	0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x2d
+};
+
+/**
+ * Predefined random bits from the RAND Corporation book
+ */
+static u_int8_t a[] = {
+	0x9d, 0xe9, 0xc9, 0xc8, 0xef, 0xd5, 0x78, 0x11,
+	0x48, 0x23, 0x14, 0x01, 0x90, 0x1f, 0x2d, 0x49,
+	0x3f, 0x4c, 0x63, 0x65
+};
+
+/**
+ * Predefined random bits from the RAND Corporation book
+ */
+static u_int8_t b[] = {
+	0x75, 0xef, 0xd1, 0x5c, 0x4b, 0x8f, 0x8f, 0x51,
+	0x4e, 0xf3, 0xbc, 0xc3, 0x79, 0x4a, 0x76, 0x5e,
+	0x7e, 0xec, 0x45, 0xe0
+};
+
+/**
+ * Multiplicate two mpz_t with bits interpreted as polynoms.
+ */
+static void mpz_mul_poly(mpz_t r, mpz_t a, mpz_t b)
+{
+	mpz_t bm, rm;
+	int current = 0, shifted = 0, shift;
+
+	mpz_init_set(bm, b);
+	mpz_init_set_ui(rm, 0);
+	/* scan through a, for each found bit: */
+	while ((current = mpz_scan1(a, current)) != ULONG_MAX)
+	{
+		/* XOR shifted b into r */
+		shift = current - shifted;
+		mpz_mul_2exp(bm, bm, shift);
+		shifted += shift;
+		mpz_xor(rm, rm, bm);
+		current++;
+	}
+
+	mpz_swap(r, rm);
+	mpz_clear(rm);
+	mpz_clear(bm);
+}
+
+/**
+ * Calculate the sum of a + b interpreted as polynoms.
+ */
+static void mpz_add_poly(mpz_t res, mpz_t a, mpz_t b)
+{
+	/* addition of polynominals is just the XOR */
+	mpz_xor(res, a, b);
+}
+
+/**
+ * Calculate the remainder of a/b interpreted as polynoms.
+ */
+static void mpz_mod_poly(mpz_t r, mpz_t a, mpz_t b)
+{
+	/* Example:
+	 * a = 10001010
+	 * b = 00000101
+	 */
+	int a_bit, b_bit, diff;
+	mpz_t bm, am;
+
+	mpz_init_set(am, a);
+	mpz_init(bm);
+
+	a_bit = mpz_sizeinbase(a, 2);
+	b_bit = mpz_sizeinbase(b, 2);
+
+	/* don't do anything if b > a */
+	if (a_bit >= b_bit)
+	{
+		/* shift b left to align up most signaficant "1" to a:
+		 * a = 10001010
+		 * b = 10100000
+		 */
+		mpz_mul_2exp(bm, b, a_bit - b_bit);
+		do
+		{
+			/* XOR b into a, this kills the most significant "1":
+			 * a = 00101010
+			 */
+			mpz_xor(am, am, bm);
+			/* find the next most significant "1" in a, and align up b:
+			 * a = 00101010
+			 * b = 00101000
+			 */
+			diff = a_bit - mpz_sizeinbase(am, 2);
+			mpz_div_2exp(bm, bm, diff);
+			a_bit -= diff;
+		}
+		while (b_bit <= mpz_sizeinbase(bm, 2));
+		/* While b is not shifted to its original value */
+	}
+	/* after another iteration:
+	 * a = 00000010
+	 * which is the polynomial modulo
+	 */
+
+	mpz_swap(r, am);
+	mpz_clear(am);
+	mpz_clear(bm);
+}
+
+/**
+ * Step 3 of the various fx() functions:
+ * XOR the key into the SHA1 IV
+ */
+static void step3(prf_t *prf, u_char k[AKA_K_LEN],
+				  u_char payload[AKA_PAYLOAD_LEN], u_int8_t h[HASH_SIZE_SHA1])
+{
+	/* use the keyed hasher to build the hash */
+	prf->set_key(prf, chunk_create(k, AKA_K_LEN));
+	prf->get_bytes(prf, chunk_create(payload, AKA_PAYLOAD_LEN), h);
+}
+
+/**
+ * Step 4 of the various fx() functions:
+ * Polynomial whiten calculations
+ */
+static void step4(u_char x[HASH_SIZE_SHA1])
+{
+	mpz_t xm, am, bm, gm;
+
+	mpz_init(xm);
+	mpz_init(am);
+	mpz_init(bm);
+	mpz_init(gm);
+
+	mpz_import(xm, HASH_SIZE_SHA1, 1, 1, 1, 0, x);
+	mpz_import(am, sizeof(a), 1, 1, 1, 0, a);
+	mpz_import(bm, sizeof(b), 1, 1, 1, 0, b);
+	mpz_import(gm, sizeof(g), 1, 1, 1, 0, g);
+
+	mpz_mul_poly(xm, am, xm);
+	mpz_add_poly(xm, bm, xm);
+	mpz_mod_poly(xm, xm, gm);
+
+	mpz_export(x, NULL, 1, HASH_SIZE_SHA1, 1, 0, xm);
+
+	mpz_clear(xm);
+	mpz_clear(am);
+	mpz_clear(bm);
+	mpz_clear(gm);
+}
+
+/**
+ * Calculation function for f2(), f3(), f4()
+ */
+static void fx(prf_t *prf, u_char f, u_char k[AKA_K_LEN],
+			   u_char rand[AKA_RAND_LEN], u_char out[AKA_MAC_LEN])
+{
+	u_char payload[AKA_PAYLOAD_LEN];
+	u_char h[HASH_SIZE_SHA1];
+	u_char i;
+
+	for (i = 0; i < 2; i++)
+	{
+		memset(payload, 0x5c, AKA_PAYLOAD_LEN);
+		payload[11] ^= f;
+		memxor(payload + 12, fmk.ptr, fmk.len);
+		memxor(payload + 24, rand, AKA_RAND_LEN);
+
+		payload[3]  ^= i;
+		payload[19] ^= i;
+		payload[35] ^= i;
+		payload[51] ^= i;
+
+		step3(prf, k, payload, h);
+		step4(h);
+		memcpy(out + i * 8, h, 8);
+	}
+}
+
+/**
+ * Calculation function of f1() and f1star()
+ */
+static void f1x(prf_t *prf, u_int8_t f, u_char k[AKA_K_LEN],
+				u_char rand[AKA_RAND_LEN], u_char sqn[AKA_SQN_LEN],
+				u_char amf[AKA_AMF_LEN], u_char mac[AKA_MAC_LEN])
+{
+	/* generate MAC = f1(FMK, SQN, RAND, AMF)
+	 * K is loaded into hashers IV; FMK, RAND, SQN, AMF are XORed in a 512-bit
+	 * payload which gets hashed
+	 */
+	u_char payload[AKA_PAYLOAD_LEN];
+	u_char h[HASH_SIZE_SHA1];
+
+	memset(payload, 0x5c, AKA_PAYLOAD_LEN);
+	payload[11] ^= f;
+	memxor(payload + 12, fmk.ptr, fmk.len);
+	memxor(payload + 16, rand, AKA_RAND_LEN);
+	memxor(payload + 34, sqn, AKA_SQN_LEN);
+	memxor(payload + 42, amf, AKA_AMF_LEN);
+
+	step3(prf, k, payload, h);
+	step4(h);
+	memcpy(mac, h, AKA_MAC_LEN);
+}
+
+/**
+ * Calculation function of f5() and f5star()
+ */
+static void f5x(prf_t *prf, u_char f, u_char k[AKA_K_LEN],
+				u_char rand[AKA_RAND_LEN], u_char ak[AKA_AK_LEN])
+{
+	u_char payload[AKA_PAYLOAD_LEN];
+	u_char h[HASH_SIZE_SHA1];
+
+	memset(payload, 0x5c, AKA_PAYLOAD_LEN);
+	payload[11] ^= f;
+	memxor(payload + 12, fmk.ptr, fmk.len);
+	memxor(payload + 16, rand, AKA_RAND_LEN);
+
+	step3(prf, k, payload, h);
+	step4(h);
+	memcpy(ak, h, AKA_AK_LEN);
+}
+
+/**
+ * Calculate MAC from RAND, SQN, AMF using K
+ */
+static void f1(private_eap_aka_3gpp2_functions_t *this, u_char k[AKA_K_LEN],
+			   u_char rand[AKA_RAND_LEN], u_char sqn[AKA_SQN_LEN],
+			   u_char amf[AKA_AMF_LEN], u_char mac[AKA_MAC_LEN])
+{
+	f1x(this->prf, F1, k, rand, sqn, amf, mac);
+	DBG3(DBG_IKE, "MAC %b", mac, AKA_MAC_LEN);
+}
+
+/**
+ * Calculate MACS from RAND, SQN, AMF using K
+ */
+static void f1star(private_eap_aka_3gpp2_functions_t *this, u_char k[AKA_K_LEN],
+				   u_char rand[AKA_RAND_LEN], u_char sqn[AKA_SQN_LEN],
+				   u_char amf[AKA_AMF_LEN], u_char macs[AKA_MAC_LEN])
+{
+	f1x(this->prf, F1STAR, k, rand, sqn, amf, macs);
+	DBG3(DBG_IKE, "MACS %b", macs, AKA_MAC_LEN);
+}
+
+/**
+ * Calculate RES from RAND using K
+ */
+static void f2(private_eap_aka_3gpp2_functions_t *this, u_char k[AKA_K_LEN],
+			   u_char rand[AKA_RAND_LEN], u_char res[AKA_RES_MAX])
+{
+	fx(this->prf, F2, k, rand, res);
+	DBG3(DBG_IKE, "RES %b", res, AKA_RES_MAX);
+}
+
+/**
+ * Calculate CK from RAND using K
+ */
+static void f3(private_eap_aka_3gpp2_functions_t *this, u_char k[AKA_K_LEN],
+			   u_char rand[AKA_RAND_LEN], u_char ck[AKA_CK_LEN])
+{
+	fx(this->prf, F3, k, rand, ck);
+	DBG3(DBG_IKE, "CK %b", ck, AKA_CK_LEN);
+}
+
+/**
+ * Calculate IK from RAND using K
+ */
+static void f4(private_eap_aka_3gpp2_functions_t *this, u_char k[AKA_K_LEN],
+			   u_char rand[AKA_RAND_LEN], u_char ik[AKA_IK_LEN])
+{
+	fx(this->prf, F4, k, rand, ik);
+	DBG3(DBG_IKE, "IK %b", ik, AKA_IK_LEN);
+}
+
+/**
+ * Calculate AK from a RAND using K
+ */
+static void f5(private_eap_aka_3gpp2_functions_t *this, u_char k[AKA_K_LEN],
+			   u_char rand[AKA_RAND_LEN], u_char ak[AKA_AK_LEN])
+{
+	f5x(this->prf, F5, k, rand, ak);
+	DBG3(DBG_IKE, "AK %b", ak, AKA_AK_LEN);
+}
+
+/**
+ * Calculate AKS from a RAND using K
+ */
+static void f5star(private_eap_aka_3gpp2_functions_t *this, u_char k[AKA_K_LEN],
+			   u_char rand[AKA_RAND_LEN], u_char aks[AKA_AK_LEN])
+{
+	f5x(this->prf, F5STAR, k, rand, aks);
+	DBG3(DBG_IKE, "AKS %b", aks, AKA_AK_LEN);
+}
+
+
+/**
+ * Implementation of eap_aka_3gpp2_functions_t.destroy.
+ */
+static void destroy(private_eap_aka_3gpp2_functions_t *this)
+{
+	this->prf->destroy(this->prf);
+	free(this);
+}
+
+/**
+ * See header
+ */
+eap_aka_3gpp2_functions_t *eap_aka_3gpp2_functions_create()
+{
+	private_eap_aka_3gpp2_functions_t *this;
+
+	this = malloc_thing(private_eap_aka_3gpp2_functions_t);
+
+	this->public.f1 = (void(*)(eap_aka_3gpp2_functions_t *this, u_char k[AKA_K_LEN], u_char rand[AKA_RAND_LEN], u_char sqn[AKA_SQN_LEN], u_char amf[AKA_AMF_LEN], u_char mac[AKA_MAC_LEN]))f1;
+	this->public.f1star = (void(*)(eap_aka_3gpp2_functions_t *this, u_char k[AKA_K_LEN], u_char rand[AKA_RAND_LEN], u_char sqn[AKA_SQN_LEN], u_char amf[AKA_AMF_LEN], u_char macs[AKA_MAC_LEN]))f1star;
+	this->public.f2 = (void(*)(eap_aka_3gpp2_functions_t *this, u_char k[AKA_K_LEN], u_char rand[AKA_RAND_LEN], u_char res[AKA_RES_MAX]))f2;
+	this->public.f3 = (void(*)(eap_aka_3gpp2_functions_t *this, u_char k[AKA_K_LEN], u_char rand[AKA_RAND_LEN], u_char ck[AKA_CK_LEN]))f3;
+	this->public.f4 = (void(*)(eap_aka_3gpp2_functions_t *this, u_char k[AKA_K_LEN], u_char rand[AKA_RAND_LEN], u_char ik[AKA_IK_LEN]))f4;
+	this->public.f5 = (void(*)(eap_aka_3gpp2_functions_t *this, u_char k[AKA_K_LEN], u_char rand[AKA_RAND_LEN], u_char ak[AKA_AK_LEN]))f5;
+	this->public.f5star = (void(*)(eap_aka_3gpp2_functions_t *this, u_char k[AKA_K_LEN], u_char rand[AKA_RAND_LEN], u_char aks[AKA_AK_LEN]))f5star;
+	this->public.destroy = (void(*)(eap_aka_3gpp2_functions_t*))destroy;
+
+	this->prf = lib->crypto->create_prf(lib->crypto, PRF_KEYED_SHA1);
+	if (!this->prf)
+	{
+		DBG1(DBG_CFG, "%N not supported, unable to use 3GPP2 algorithm",
+			 pseudo_random_function_names, PRF_KEYED_SHA1);
+		free(this);
+		return NULL;
+	}
+	return &this->public;
+}
+
diff --git a/src/charon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_functions.h b/src/charon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_functions.h
new file mode 100644
index 000000000..95c6da6a9
--- /dev/null
+++ b/src/charon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_functions.h
@@ -0,0 +1,125 @@
+/*
+ * Copyright (C) 2008-2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_aka_3gpp2_functions eap_aka_3gpp2_functions
+ * @{ @ingroup eap_aka_3gpp2
+ */
+
+#ifndef EAP_AKA_3GPP2_FUNCTIONS_H_
+#define EAP_AKA_3GPP2_FUNCTIONS_H_
+
+#include <sa/authenticators/eap/sim_manager.h>
+
+#define AKA_SQN_LEN		 6
+#define AKA_K_LEN		16
+#define AKA_MAC_LEN 	 8
+#define AKA_AK_LEN		 6
+#define AKA_AMF_LEN		 2
+#define AKA_FMK_LEN		 4
+
+typedef struct eap_aka_3gpp2_functions_t eap_aka_3gpp2_functions_t;
+
+/**
+ * f1-f5(), f1*() and f5*() functions from the 3GPP2 (S.S0055) standard.
+ */
+struct eap_aka_3gpp2_functions_t {
+
+	/**
+	 * Calculate MAC from RAND, SQN, AMF using K.
+	 *
+	 * @param k		secret key K
+	 * @param rand	random value rand
+	 * @param sqn	sequence number
+	 * @param amf	authentication management field
+	 * @param mac	buffer receiving mac MAC
+	 */
+	void (*f1)(eap_aka_3gpp2_functions_t *this, u_char k[AKA_K_LEN],
+				u_char rand[AKA_RAND_LEN], u_char sqn[AKA_SQN_LEN],
+				u_char amf[AKA_AMF_LEN], u_char mac[AKA_MAC_LEN]);
+
+	/**
+	 * Calculate MACS from RAND, SQN, AMF using K
+	 *
+	 * @param k		secret key K
+	 * @param rand	random value RAND
+	 * @param sqn	sequence number
+	 * @param amf	authentication management field
+	 * @param macs	buffer receiving resynchronization mac MACS
+	 */
+	void (*f1star)(eap_aka_3gpp2_functions_t *this, u_char k[AKA_K_LEN],
+				u_char rand[AKA_RAND_LEN], u_char sqn[AKA_SQN_LEN],
+				u_char amf[AKA_AMF_LEN], u_char macs[AKA_MAC_LEN]);
+
+	/**
+	 * Calculate RES from RAND using K
+	 *
+	 * @param k		secret key K
+	 * @param rand	random value RAND
+	 * @param res	buffer receiving result RES, uses full 128 bit
+	 */
+	void (*f2)(eap_aka_3gpp2_functions_t *this, u_char k[AKA_K_LEN],
+				u_char rand[AKA_RAND_LEN], u_char res[AKA_RES_MAX]);
+	/**
+	 * Calculate CK from RAND using K
+	 *
+	 * @param k		secret key K
+	 * @param rand	random value RAND
+	 * @param macs	buffer receiving encryption key CK
+	 */
+	void (*f3)(eap_aka_3gpp2_functions_t *this, u_char k[AKA_K_LEN],
+				u_char rand[AKA_RAND_LEN], u_char ck[AKA_CK_LEN]);
+	/**
+	 * Calculate IK from RAND using K
+	 *
+	 * @param k		secret key K
+	 * @param rand	random value RAND
+	 * @param macs	buffer receiving integrity key IK
+	 */
+	void (*f4)(eap_aka_3gpp2_functions_t *this, u_char k[AKA_K_LEN],
+				u_char rand[AKA_RAND_LEN], u_char ik[AKA_IK_LEN]);
+	/**
+	 * Calculate AK from a RAND using K
+	 *
+	 * @param k		secret key K
+	 * @param rand	random value RAND
+	 * @param macs	buffer receiving anonymity key AK
+	 */
+	void (*f5)(eap_aka_3gpp2_functions_t *this, u_char k[AKA_K_LEN],
+				u_char rand[AKA_RAND_LEN], u_char ak[AKA_AK_LEN]);
+	/**
+	 * Calculate AKS from a RAND using K
+	 *
+	 * @param k		secret key K
+	 * @param rand	random value RAND
+	 * @param macs	buffer receiving resynchronization anonymity key AKS
+	 */
+	void (*f5star)(eap_aka_3gpp2_functions_t *this, u_char k[AKA_K_LEN],
+				u_char rand[AKA_RAND_LEN], u_char aks[AKA_AK_LEN]);
+
+	/**
+	 * Destroy a eap_aka_3gpp2_functions_t.
+	 */
+	void (*destroy)(eap_aka_3gpp2_functions_t *this);
+};
+
+/**
+ * Create a eap_aka_3gpp2_functions instance.
+ *
+ * @return			function set, NULL on error
+ */
+eap_aka_3gpp2_functions_t *eap_aka_3gpp2_functions_create();
+
+#endif /** EAP_AKA_3GPP2_FUNCTIONS_H_ @}*/
diff --git a/src/charon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_plugin.c b/src/charon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_plugin.c
new file mode 100644
index 000000000..5286e0986
--- /dev/null
+++ b/src/charon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_plugin.c
@@ -0,0 +1,87 @@
+/*
+ * Copyright (C) 2008-2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_aka_3gpp2_plugin.h"
+#include "eap_aka_3gpp2_card.h"
+#include "eap_aka_3gpp2_provider.h"
+#include "eap_aka_3gpp2_functions.h"
+
+#include <daemon.h>
+
+typedef struct private_eap_aka_3gpp2_t private_eap_aka_3gpp2_t;
+
+/**
+ * Private data of an eap_aka_3gpp2_t object.
+ */
+struct private_eap_aka_3gpp2_t {
+
+	/**
+	 * Public eap_aka_3gpp2_plugin_t interface.
+	 */
+	eap_aka_3gpp2_plugin_t public;
+
+	/**
+	 * SIM card
+	 */
+	eap_aka_3gpp2_card_t *card;
+
+	/**
+	 * SIM provider
+	 */
+	eap_aka_3gpp2_provider_t *provider;
+
+	/**
+	 * AKA functions
+	 */
+	eap_aka_3gpp2_functions_t *functions;
+};
+
+/**
+ * Implementation of eap_aka_3gpp2_t.destroy.
+ */
+static void destroy(private_eap_aka_3gpp2_t *this)
+{
+	charon->sim->remove_card(charon->sim, &this->card->card);
+	charon->sim->remove_provider(charon->sim, &this->provider->provider);
+	this->card->destroy(this->card);
+	this->provider->destroy(this->provider);
+	this->functions->destroy(this->functions);
+	free(this);
+}
+
+/**
+ * See header
+ */
+plugin_t *plugin_create()
+{
+	private_eap_aka_3gpp2_t *this = malloc_thing(private_eap_aka_3gpp2_t);
+
+	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+
+	this->functions = eap_aka_3gpp2_functions_create();
+	if (!this->functions)
+	{
+		free(this);
+		return NULL;
+	}
+	this->card = eap_aka_3gpp2_card_create(this->functions);
+	this->provider = eap_aka_3gpp2_provider_create(this->functions);
+
+	charon->sim->add_card(charon->sim, &this->card->card);
+	charon->sim->add_provider(charon->sim, &this->provider->provider);
+
+	return &this->public.plugin;
+}
+
diff --git a/src/charon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_plugin.h b/src/charon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_plugin.h
new file mode 100644
index 000000000..ed5c4cf3e
--- /dev/null
+++ b/src/charon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_plugin.h
@@ -0,0 +1,62 @@
+/*
+ * Copyright (C) 2008-2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_aka_3gpp2 eap_aka_3gpp2
+ * @ingroup cplugins
+ *
+ * @defgroup eap_aka_3gpp2_plugin eap_aka_3gpp2_plugin
+ * @{ @ingroup eap_aka_3gpp2
+ */
+
+#ifndef EAP_AKA_3GPP2_PLUGIN_H_
+#define EAP_AKA_3GPP2_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct eap_aka_3gpp2_plugin_t eap_aka_3gpp2_plugin_t;
+
+/**
+ * Plugin to provide a SIM card/provider using the 3GPP2 (S.S0055) standard.
+ *
+ * This plugin implements the standard of the 3GPP2 (S.S0055) and not the one
+ * of 3GGP, completely in software using the libgmp library..
+ * The shared key used for authentication is from ipsec.secrets. The
+ * peers ID is used to query it.
+ * The AKA mechanism uses sequence numbers to detect replay attacks. The
+ * peer stores the sequence number normally in a USIM and accepts
+ * incremental sequence numbers (incremental for lifetime of the USIM). To
+ * prevent a complex sequence number management, this implementation uses
+ * a sequence number derived from time. It is initialized to the startup
+ * time of the daemon.
+ * To enable time based SEQs, define SEQ_CHECK as 1. Default is to accept
+ * any SEQ numbers. This allows an attacker to do replay attacks. But since
+ * the server has proven his identity via IKE, such an attack is only
+ * possible between server and AAA (if any).
+ */
+struct eap_aka_3gpp2_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+/**
+ * Create a eap_aka_3gpp2_plugin instance.
+ */
+plugin_t *plugin_create();
+
+#endif /** EAP_AKA_3GPP2_PLUGIN_H_ @}*/
diff --git a/src/charon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_provider.c b/src/charon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_provider.c
new file mode 100644
index 000000000..9817fff8f
--- /dev/null
+++ b/src/charon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_provider.c
@@ -0,0 +1,204 @@
+/*
+ * Copyright (C) 2008-2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_aka_3gpp2_provider.h"
+
+#include <daemon.h>
+#include <credentials/keys/shared_key.h>
+
+typedef struct private_eap_aka_3gpp2_provider_t private_eap_aka_3gpp2_provider_t;
+
+/**
+ * Private data of an eap_aka_3gpp2_provider_t object.
+ */
+struct private_eap_aka_3gpp2_provider_t {
+
+	/**
+	 * Public eap_aka_3gpp2_provider_t interface.
+	 */
+	eap_aka_3gpp2_provider_t public;
+
+	/**
+	 * AKA functions
+	 */
+	eap_aka_3gpp2_functions_t *f;
+
+	/**
+	 * time based SQN, we use the same for all peers
+	 */
+	char sqn[AKA_SQN_LEN];
+};
+
+/** Authentication management field */
+static char amf[AKA_AMF_LEN] = {0x00, 0x01};
+
+/**
+ * Get a shared key K from the credential database
+ */
+bool eap_aka_3gpp2_get_k(identification_t *id, char k[AKA_K_LEN])
+{
+	shared_key_t *shared;
+	chunk_t key;
+
+	shared = charon->credentials->get_shared(charon->credentials,
+											 SHARED_EAP, id, NULL);
+	if (shared == NULL)
+	{
+		return FALSE;
+	}
+	key = shared->get_key(shared);
+	memset(k, '\0', AKA_K_LEN);
+	memcpy(k, key.ptr, min(key.len, AKA_K_LEN));
+	shared->destroy(shared);
+	return TRUE;
+}
+
+/**
+ * get SQN using current time
+ */
+void eap_aka_3gpp2_get_sqn(char sqn[AKA_SQN_LEN], int offset)
+{
+	timeval_t time;
+
+	gettimeofday(&time, NULL);
+	/* set sqn to an integer containing 4 bytes seconds + 2 bytes usecs */
+	time.tv_sec = htonl(time.tv_sec + offset);
+	/* usec's are never larger than 0x000f423f, so we shift the 12 first bits */
+	time.tv_usec = htonl(time.tv_usec << 12);
+	memcpy(sqn, (char*)&time.tv_sec + sizeof(time_t) - 4, 4);
+	memcpy(sqn + 4, &time.tv_usec, 2);
+}
+
+/**
+ * Implementation of usim_provider_t.get_quintuplet
+ */
+static bool get_quintuplet(private_eap_aka_3gpp2_provider_t *this,
+						   identification_t *id, char rand[AKA_RAND_LEN],
+						   char xres[AKA_RES_MAX], int *xres_len,
+						   char ck[AKA_CK_LEN], char ik[AKA_IK_LEN],
+						   char autn[AKA_AUTN_LEN])
+{
+	rng_t *rng;
+	char mac[AKA_MAC_LEN], ak[AKA_AK_LEN], k[AKA_K_LEN];
+
+	/* generate RAND: we use a registered RNG, not f0() proposed in S.S0055 */
+	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
+	if (!rng)
+	{
+		DBG1(DBG_IKE, "generating RAND for AKA failed");
+		return FALSE;
+	}
+	rng->get_bytes(rng, AKA_RAND_LEN, rand);
+	rng->destroy(rng);
+
+	if (!eap_aka_3gpp2_get_k(id, k))
+	{
+		DBG1(DBG_IKE, "no EAP key found for %Y to authenticate with AKA", id);
+		return FALSE;
+	}
+
+	DBG3(DBG_IKE, "generated rand %b", rand, AKA_RAND_LEN);
+	DBG3(DBG_IKE, "using K %b", k, AKA_K_LEN);
+
+	/* MAC */
+	this->f->f1(this->f, k, rand, this->sqn, amf, mac);
+	/* AK */
+	this->f->f5(this->f, k, rand, ak);
+	/* XRES as expected from client */
+	this->f->f2(this->f, k, rand, xres);
+	*xres_len = AKA_RES_MAX;
+	/* AUTN = (SQN xor AK) || AMF || MAC */
+	memcpy(autn, this->sqn, AKA_SQN_LEN);
+	memxor(autn, ak, AKA_AK_LEN);
+	memcpy(autn + AKA_SQN_LEN, amf, AKA_AMF_LEN);
+	memcpy(autn + AKA_SQN_LEN + AKA_AMF_LEN, mac, AKA_MAC_LEN);
+	DBG3(DBG_IKE, "AUTN %b", autn, AKA_AUTN_LEN);
+	/* CK/IK */
+	this->f->f3(this->f, k, rand, ck);
+	this->f->f4(this->f, k, rand, ik);
+
+	return TRUE;
+}
+
+/**
+ * Implementation of usim_provider_t.resync
+ */
+static bool resync(private_eap_aka_3gpp2_provider_t *this,
+				   identification_t *id, char rand[AKA_RAND_LEN],
+				   char auts[AKA_AUTS_LEN])
+{
+	char *sqn, *macs;
+	char aks[AKA_AK_LEN], k[AKA_K_LEN], amf[AKA_AMF_LEN], xmacs[AKA_MAC_LEN];
+
+	if (!eap_aka_3gpp2_get_k(id, k))
+	{
+		DBG1(DBG_IKE, "no EAP key found for %Y to authenticate with AKA", id);
+		return FALSE;
+	}
+
+	/* AUTHS = (AK xor SQN) | MAC */
+	sqn = auts;
+	macs = auts + AKA_SQN_LEN;
+	this->f->f5star(this->f, k, rand, aks);
+	memxor(sqn, aks, AKA_AK_LEN);
+
+	/* verify XMACS, AMF of zero is used in resynchronization */
+	memset(amf, 0, AKA_AMF_LEN);
+	this->f->f1star(this->f, k, rand, sqn, amf, xmacs);
+	if (!memeq(macs, xmacs, AKA_MAC_LEN))
+	{
+		DBG1(DBG_IKE, "received MACS does not match XMACS");
+		DBG3(DBG_IKE, "MACS %b XMACS %b",
+			 macs, AKA_MAC_LEN, xmacs, AKA_MAC_LEN);
+		return FALSE;
+	}
+	/* update stored SQN to received SQN + 1 */
+	memcpy(this->sqn, sqn, AKA_SQN_LEN);
+	chunk_increment(chunk_create(this->sqn, AKA_SQN_LEN));
+	return TRUE;
+}
+
+/**
+ * Implementation of eap_aka_3gpp2_provider_t.destroy.
+ */
+static void destroy(private_eap_aka_3gpp2_provider_t *this)
+{
+	free(this);
+}
+
+/**
+ * See header
+ */
+eap_aka_3gpp2_provider_t *eap_aka_3gpp2_provider_create(
+												eap_aka_3gpp2_functions_t *f)
+{
+	private_eap_aka_3gpp2_provider_t *this = malloc_thing(private_eap_aka_3gpp2_provider_t);
+
+	this->public.provider.get_triplet = (bool(*)(sim_provider_t*, identification_t *id, char rand[SIM_RAND_LEN], char sres[SIM_SRES_LEN], char kc[SIM_KC_LEN]))return_false;
+	this->public.provider.get_quintuplet = (bool(*)(sim_provider_t*, identification_t *id, char rand[AKA_RAND_LEN], char xres[AKA_RES_MAX], int *xres_len, char ck[AKA_CK_LEN], char ik[AKA_IK_LEN], char autn[AKA_AUTN_LEN]))get_quintuplet;
+	this->public.provider.resync = (bool(*)(sim_provider_t*, identification_t *id, char rand[AKA_RAND_LEN], char auts[AKA_AUTS_LEN]))resync;
+	this->public.provider.is_pseudonym = (identification_t*(*)(sim_provider_t*, identification_t *id))return_null;
+	this->public.provider.gen_pseudonym = (identification_t*(*)(sim_provider_t*, identification_t *id))return_null;
+	this->public.provider.is_reauth = (identification_t*(*)(sim_provider_t*, identification_t *id, char [HASH_SIZE_SHA1], u_int16_t *counter))return_null;
+	this->public.provider.gen_reauth = (identification_t*(*)(sim_provider_t*, identification_t *id, char mk[HASH_SIZE_SHA1]))return_null;
+	this->public.destroy = (void(*)(eap_aka_3gpp2_provider_t*))destroy;
+
+	this->f = f;
+	/* use an offset to accept clock skew between client/server without resync */
+	eap_aka_3gpp2_get_sqn(this->sqn, 180);
+
+	return &this->public;
+}
+
diff --git a/src/charon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_provider.h b/src/charon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_provider.h
new file mode 100644
index 000000000..22ac0a96e
--- /dev/null
+++ b/src/charon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_provider.h
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) 2008-2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_aka_3gpp2_provider eap_aka_3gpp2_provider
+ * @{ @ingroup eap_aka_3gpp2
+ */
+
+#ifndef EAP_AKA_3GPP2_PROVIDER_H_
+#define EAP_AKA_3GPP2_PROVIDER_H_
+
+#include "eap_aka_3gpp2_functions.h"
+
+#include <sa/authenticators/eap/sim_manager.h>
+
+typedef struct eap_aka_3gpp2_provider_t eap_aka_3gpp2_provider_t;
+
+/**
+ * SIM provider implementation using a set of AKA functions.
+ */
+struct eap_aka_3gpp2_provider_t {
+
+	/**
+	 * Implements sim_provider_t interface.
+	 */
+	sim_provider_t provider;
+
+	/**
+	 * Destroy a eap_aka_3gpp2_provider_t.
+	 */
+	void (*destroy)(eap_aka_3gpp2_provider_t *this);
+};
+
+/**
+ * Create a eap_aka_3gpp2_provider instance.
+ */
+eap_aka_3gpp2_provider_t *eap_aka_3gpp2_provider_create(
+												eap_aka_3gpp2_functions_t *f);
+
+#endif /** EAP_AKA_3GPP2_PROVIDER_H_ @}*/
diff --git a/src/charon/plugins/eap_gtc/Makefile.am b/src/charon/plugins/eap_gtc/Makefile.am
index 547a8dfc5..0d938cacd 100644
--- a/src/charon/plugins/eap_gtc/Makefile.am
+++ b/src/charon/plugins/eap_gtc/Makefile.am
@@ -3,8 +3,8 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
 
 AM_CFLAGS = -rdynamic
 
-plugin_LTLIBRARIES = libstrongswan-eapgtc.la
+plugin_LTLIBRARIES = libstrongswan-eap-gtc.la
 
-libstrongswan_eapgtc_la_SOURCES = eap_gtc_plugin.h eap_gtc_plugin.c eap_gtc.h eap_gtc.c
-libstrongswan_eapgtc_la_LDFLAGS = -module -avoid-version -lpam
+libstrongswan_eap_gtc_la_SOURCES = eap_gtc_plugin.h eap_gtc_plugin.c eap_gtc.h eap_gtc.c
+libstrongswan_eap_gtc_la_LDFLAGS = -module -avoid-version -lpam
 
diff --git a/src/charon/plugins/eap_gtc/Makefile.in b/src/charon/plugins/eap_gtc/Makefile.in
index 46d438a97..f3662e1cd 100644
--- a/src/charon/plugins/eap_gtc/Makefile.in
+++ b/src/charon/plugins/eap_gtc/Makefile.in
@@ -1,8 +1,9 @@
-# Makefile.in generated by automake 1.10.2 from Makefile.am.
+# Makefile.in generated by automake 1.11 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,8 +17,9 @@
 
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
@@ -35,30 +37,53 @@ host_triplet = @host@
 subdir = src/charon/plugins/eap_gtc
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
 CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
 am__vpath_adj = case $$p in \
     $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
     *) f=$$p;; \
   esac;
-am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__installdirs = "$(DESTDIR)$(plugindir)"
-pluginLTLIBRARIES_INSTALL = $(INSTALL)
 LTLIBRARIES = $(plugin_LTLIBRARIES)
-libstrongswan_eapgtc_la_LIBADD =
-am_libstrongswan_eapgtc_la_OBJECTS = eap_gtc_plugin.lo eap_gtc.lo
-libstrongswan_eapgtc_la_OBJECTS =  \
-	$(am_libstrongswan_eapgtc_la_OBJECTS)
-libstrongswan_eapgtc_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+libstrongswan_eap_gtc_la_LIBADD =
+am_libstrongswan_eap_gtc_la_OBJECTS = eap_gtc_plugin.lo eap_gtc.lo
+libstrongswan_eap_gtc_la_OBJECTS =  \
+	$(am_libstrongswan_eap_gtc_la_OBJECTS)
+libstrongswan_eap_gtc_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
 	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_eapgtc_la_LDFLAGS) $(LDFLAGS) -o $@
+	$(libstrongswan_eap_gtc_la_LDFLAGS) $(LDFLAGS) -o $@
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
+am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
@@ -68,8 +93,8 @@ CCLD = $(CC)
 LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
 	$(LDFLAGS) -o $@
-SOURCES = $(libstrongswan_eapgtc_la_SOURCES)
-DIST_SOURCES = $(libstrongswan_eapgtc_la_SOURCES)
+SOURCES = $(libstrongswan_eap_gtc_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_eap_gtc_la_SOURCES)
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -106,25 +131,22 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
-IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
-LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
-LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
-LINUX_HEADERS = @LINUX_HEADERS@
 LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
 NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
@@ -136,11 +158,14 @@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
 PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
+RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
@@ -169,9 +194,9 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
-confdir = @confdir@
 datadir = @datadir@
 datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
@@ -194,7 +219,7 @@ ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
 libstrongswan_plugins = @libstrongswan_plugins@
-linuxdir = @linuxdir@
+linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
@@ -202,6 +227,7 @@ mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
@@ -210,10 +236,12 @@ pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+random_device = @random_device@
 resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
-simreader = @simreader@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
@@ -221,13 +249,14 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
 AM_CFLAGS = -rdynamic
-plugin_LTLIBRARIES = libstrongswan-eapgtc.la
-libstrongswan_eapgtc_la_SOURCES = eap_gtc_plugin.h eap_gtc_plugin.c eap_gtc.h eap_gtc.c
-libstrongswan_eapgtc_la_LDFLAGS = -module -avoid-version -lpam
+plugin_LTLIBRARIES = libstrongswan-eap-gtc.la
+libstrongswan_eap_gtc_la_SOURCES = eap_gtc_plugin.h eap_gtc_plugin.c eap_gtc.h eap_gtc.c
+libstrongswan_eap_gtc_la_LDFLAGS = -module -avoid-version -lpam
 all: all-am
 
 .SUFFIXES:
@@ -241,9 +270,9 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/charon/plugins/eap_gtc/Makefile'; \
-	cd $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu  src/charon/plugins/eap_gtc/Makefile
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/charon/plugins/eap_gtc/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/charon/plugins/eap_gtc/Makefile
 .PRECIOUS: Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
@@ -261,23 +290,28 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
 	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
 	  if test -f $$p; then \
-	    f=$(am__strip_dir) \
-	    echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(plugindir)/$$f'"; \
-	    $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(plugindir)/$$f"; \
+	    list2="$$list2 $$p"; \
 	  else :; fi; \
-	done
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
 
 uninstall-pluginLTLIBRARIES:
 	@$(NORMAL_UNINSTALL)
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
-	  p=$(am__strip_dir) \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$p'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$p"; \
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
 	done
 
 clean-pluginLTLIBRARIES:
@@ -288,8 +322,8 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-eapgtc.la: $(libstrongswan_eapgtc_la_OBJECTS) $(libstrongswan_eapgtc_la_DEPENDENCIES) 
-	$(libstrongswan_eapgtc_la_LINK) -rpath $(plugindir) $(libstrongswan_eapgtc_la_OBJECTS) $(libstrongswan_eapgtc_la_LIBADD) $(LIBS)
+libstrongswan-eap-gtc.la: $(libstrongswan_eap_gtc_la_OBJECTS) $(libstrongswan_eap_gtc_la_DEPENDENCIES) 
+	$(libstrongswan_eap_gtc_la_LINK) -rpath $(plugindir) $(libstrongswan_eap_gtc_la_OBJECTS) $(libstrongswan_eap_gtc_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -302,21 +336,21 @@ distclean-compile:
 
 .c.o:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c $<
 
 .c.obj:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
 @am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
@@ -339,7 +373,7 @@ tags: TAGS
 
 TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
+	set x; \
 	here=`pwd`; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
@@ -347,29 +381,34 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
 	  test -n "$$unique" || unique=$$empty_fix; \
-	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	    $$tags $$unique; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
 	fi
 ctags: CTAGS
 CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	test -z "$(CTAGS_ARGS)$$unique" \
 	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$tags $$unique
+	     $$unique
 
 GTAGS:
 	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && cd $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) $$here
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
 
 distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
@@ -390,13 +429,17 @@ distdir: $(DISTFILES)
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
 	  if test -d $$d/$$file; then \
 	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
 	    fi; \
-	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
 	  else \
-	    test -f $(distdir)/$$file \
-	    || cp -p $$d/$$file $(distdir)/$$file \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
 	    || exit 1; \
 	  fi; \
 	done
@@ -427,6 +470,7 @@ clean-generic:
 
 distclean-generic:
 	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -448,6 +492,8 @@ dvi-am:
 
 html: html-am
 
+html-am:
+
 info: info-am
 
 info-am:
@@ -456,18 +502,28 @@ install-data-am: install-pluginLTLIBRARIES
 
 install-dvi: install-dvi-am
 
+install-dvi-am:
+
 install-exec-am:
 
 install-html: install-html-am
 
+install-html-am:
+
 install-info: install-info-am
 
+install-info-am:
+
 install-man:
 
 install-pdf: install-pdf-am
 
+install-pdf-am:
+
 install-ps: install-ps-am
 
+install-ps-am:
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -506,6 +562,7 @@ uninstall-am: uninstall-pluginLTLIBRARIES
 	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
 	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
 
+
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/src/charon/plugins/eap_gtc/eap_gtc.c b/src/charon/plugins/eap_gtc/eap_gtc.c
index cb4ab2e59..c7f55fa70 100644
--- a/src/charon/plugins/eap_gtc/eap_gtc.c
+++ b/src/charon/plugins/eap_gtc/eap_gtc.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  */
- 
+
 #include "eap_gtc.h"
 
 #include <daemon.h>
@@ -30,22 +30,22 @@ typedef struct private_eap_gtc_t private_eap_gtc_t;
  * Private data of an eap_gtc_t object.
  */
 struct private_eap_gtc_t {
-	
+
 	/**
 	 * Public authenticator_t interface.
 	 */
 	eap_gtc_t public;
-	
+
 	/**
 	 * ID of the server
 	 */
 	identification_t *server;
-	
+
 	/**
 	 * ID of the peer
 	 */
 	identification_t *peer;
-	
+
 	/**
 	 * EAP message identififier
 	 */
@@ -83,10 +83,10 @@ static status_t initiate_peer(private_eap_gtc_t *this, eap_payload_t **out)
  * PAM conv callback function
  */
 static int auth_conv(int num_msg, const struct pam_message **msg,
-                	 struct pam_response **resp, char *password)
+					 struct pam_response **resp, char *password)
 {
 	struct pam_response *response;
-	
+
 	if (num_msg != 1)
 	{
 		return PAM_CONV_ERR;
@@ -103,13 +103,13 @@ static int auth_conv(int num_msg, const struct pam_message **msg,
  */
 static bool authenticate(char *service, char *user, char *password)
 {
-    pam_handle_t *pamh = NULL;
+	pam_handle_t *pamh = NULL;
 	static struct pam_conv conv;
-    int ret;
-	
+	int ret;
+
 	conv.conv = (void*)auth_conv;
 	conv.appdata_ptr = password;
-	
+
 	ret = pam_start(service, user, &conv, &pamh);
 	if (ret != PAM_SUCCESS)
 	{
@@ -143,7 +143,7 @@ static status_t initiate_server(private_eap_gtc_t *this, eap_payload_t **out)
 {
 	eap_gtc_header_t *req;
 	size_t len;
-	
+
 	len = strlen(GTC_REQUEST_MSG);
 	req = alloca(sizeof(eap_gtc_header_t) + len);
 	req->length = htons(sizeof(eap_gtc_header_t) + len);
@@ -151,7 +151,7 @@ static status_t initiate_server(private_eap_gtc_t *this, eap_payload_t **out)
 	req->identifier = this->identifier;
 	req->type = EAP_GTC;
 	memcpy(req->data, GTC_REQUEST_MSG, len);
-	
+
 	*out = eap_payload_create_data(chunk_create((void*)req,
 								   sizeof(eap_gtc_header_t) + len));
 	return NEED_MORE;
@@ -178,7 +178,7 @@ static status_t process_peer(private_eap_gtc_t *this,
 	}
 	key = shared->get_key(shared);
 	len = key.len;
-	
+
 	/* TODO: According to the draft we should "SASLprep" password, RFC4013. */
 
 	res = alloca(sizeof(eap_gtc_header_t) + len);
@@ -187,9 +187,9 @@ static status_t process_peer(private_eap_gtc_t *this,
 	res->identifier = in->get_identifier(in);
 	res->type = EAP_GTC;
 	memcpy(res->data, key.ptr, len);
-	
+
 	shared->destroy(shared);
-	
+
 	*out = eap_payload_create_data(chunk_create((void*)res,
 								   sizeof(eap_gtc_header_t) + len));
 	return NEED_MORE;
@@ -203,14 +203,14 @@ static status_t process_server(private_eap_gtc_t *this,
 {
 	chunk_t data, encoding;
 	char *user, *password, *service, *pos;
-	
+
 	data = chunk_skip(in->get_data(in), 5);
 	if (this->identifier != in->get_identifier(in) || !data.len)
 	{
 		DBG1(DBG_IKE, "received invalid EAP-GTC message");
 		return FAILED;
 	}
-	
+
 	encoding = this->peer->get_encoding(this->peer);
 	/* if a RFC822_ADDR id is provided, we use the username part only */
 	pos = memchr(encoding.ptr, '@', encoding.len);
@@ -221,14 +221,14 @@ static status_t process_server(private_eap_gtc_t *this,
 	user = alloca(encoding.len + 1);
 	memcpy(user, encoding.ptr, encoding.len);
 	user[encoding.len] = '\0';
-	
+
 	password = alloca(data.len + 1);
 	memcpy(password, data.ptr, data.len);
 	password[data.len] = '\0';
-	
+
 	service = lib->settings->get_str(lib->settings,
-						"charon.plugins.eap_gtc.pam_service", GTC_PAM_SERVICE);
-	
+						"charon.plugins.eap-gtc.pam_service", GTC_PAM_SERVICE);
+
 	if (!authenticate(service, user, password))
 	{
 		return FAILED;
@@ -278,19 +278,19 @@ static private_eap_gtc_t *eap_gtc_create_generic(identification_t *server,
 												 identification_t *peer)
 {
 	private_eap_gtc_t *this = malloc_thing(private_eap_gtc_t);
-	
+
 	this->public.eap_method_interface.initiate = NULL;
 	this->public.eap_method_interface.process = NULL;
 	this->public.eap_method_interface.get_type = (eap_type_t(*)(eap_method_t*,u_int32_t*))get_type;
 	this->public.eap_method_interface.is_mutual = (bool(*)(eap_method_t*))is_mutual;
 	this->public.eap_method_interface.get_msk = (status_t(*)(eap_method_t*,chunk_t*))get_msk;
 	this->public.eap_method_interface.destroy = (void(*)(eap_method_t*))destroy;
-	
+
 	/* private data */
 	this->peer = peer->clone(peer);
 	this->server = server->clone(server);
 	this->identifier = 0;
-	
+
 	return this;
 }
 
@@ -300,7 +300,7 @@ static private_eap_gtc_t *eap_gtc_create_generic(identification_t *server,
 eap_gtc_t *eap_gtc_create_server(identification_t *server, identification_t *peer)
 {
 	private_eap_gtc_t *this = eap_gtc_create_generic(server, peer);
-	
+
 	this->public.eap_method_interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate_server;
 	this->public.eap_method_interface.process = (status_t(*)(eap_method_t*,eap_payload_t*,eap_payload_t**))process_server;
 
@@ -318,7 +318,7 @@ eap_gtc_t *eap_gtc_create_server(identification_t *server, identification_t *pee
 eap_gtc_t *eap_gtc_create_peer(identification_t *server, identification_t *peer)
 {
 	private_eap_gtc_t *this = eap_gtc_create_generic(server, peer);
-	
+
 	this->public.eap_method_interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate_peer;
 	this->public.eap_method_interface.process = (status_t(*)(eap_method_t*,eap_payload_t*,eap_payload_t**))process_peer;
 
diff --git a/src/charon/plugins/eap_gtc/eap_gtc_plugin.c b/src/charon/plugins/eap_gtc/eap_gtc_plugin.c
index fda6c744a..8550c254c 100644
--- a/src/charon/plugins/eap_gtc/eap_gtc_plugin.c
+++ b/src/charon/plugins/eap_gtc/eap_gtc_plugin.c
@@ -40,17 +40,17 @@ static void destroy(eap_gtc_plugin_t *this)
 plugin_t *plugin_create()
 {
 	eap_gtc_plugin_t *this = malloc_thing(eap_gtc_plugin_t);
-	
+
 	this->plugin.destroy = (void(*)(plugin_t*))destroy;
-	
+
 	/* required for PAM authentication */
 	charon->keep_cap(charon, CAP_AUDIT_WRITE);
-	
+
 	charon->eap->add_method(charon->eap, EAP_GTC, 0, EAP_SERVER,
 							(eap_constructor_t)eap_gtc_create_server);
 	charon->eap->add_method(charon->eap, EAP_GTC, 0, EAP_PEER,
 							(eap_constructor_t)eap_gtc_create_peer);
-	
+
 	return &this->plugin;
 }
 
diff --git a/src/charon/plugins/eap_identity/Makefile.am b/src/charon/plugins/eap_identity/Makefile.am
index 79ddee3e8..992eb43f7 100644
--- a/src/charon/plugins/eap_identity/Makefile.am
+++ b/src/charon/plugins/eap_identity/Makefile.am
@@ -3,8 +3,8 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
 
 AM_CFLAGS = -rdynamic
 
-plugin_LTLIBRARIES = libstrongswan-eapidentity.la
-libstrongswan_eapidentity_la_SOURCES = \
+plugin_LTLIBRARIES = libstrongswan-eap-identity.la
+libstrongswan_eap_identity_la_SOURCES = \
   eap_identity_plugin.h eap_identity_plugin.c eap_identity.h eap_identity.c
-libstrongswan_eapidentity_la_LDFLAGS = -module -avoid-version
+libstrongswan_eap_identity_la_LDFLAGS = -module -avoid-version
 
diff --git a/src/charon/plugins/eap_identity/Makefile.in b/src/charon/plugins/eap_identity/Makefile.in
index 0adb9ce10..80709246f 100644
--- a/src/charon/plugins/eap_identity/Makefile.in
+++ b/src/charon/plugins/eap_identity/Makefile.in
@@ -1,8 +1,9 @@
-# Makefile.in generated by automake 1.10.2 from Makefile.am.
+# Makefile.in generated by automake 1.11 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,8 +17,9 @@
 
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
@@ -35,32 +37,55 @@ host_triplet = @host@
 subdir = src/charon/plugins/eap_identity
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
 CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
 am__vpath_adj = case $$p in \
     $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
     *) f=$$p;; \
   esac;
-am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__installdirs = "$(DESTDIR)$(plugindir)"
-pluginLTLIBRARIES_INSTALL = $(INSTALL)
 LTLIBRARIES = $(plugin_LTLIBRARIES)
-libstrongswan_eapidentity_la_LIBADD =
-am_libstrongswan_eapidentity_la_OBJECTS = eap_identity_plugin.lo \
+libstrongswan_eap_identity_la_LIBADD =
+am_libstrongswan_eap_identity_la_OBJECTS = eap_identity_plugin.lo \
 	eap_identity.lo
-libstrongswan_eapidentity_la_OBJECTS =  \
-	$(am_libstrongswan_eapidentity_la_OBJECTS)
-libstrongswan_eapidentity_la_LINK = $(LIBTOOL) --tag=CC \
+libstrongswan_eap_identity_la_OBJECTS =  \
+	$(am_libstrongswan_eap_identity_la_OBJECTS)
+libstrongswan_eap_identity_la_LINK = $(LIBTOOL) --tag=CC \
 	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
-	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_eapidentity_la_LDFLAGS) \
-	$(LDFLAGS) -o $@
+	$(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_eap_identity_la_LDFLAGS) $(LDFLAGS) -o $@
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
+am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
@@ -70,8 +95,8 @@ CCLD = $(CC)
 LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
 	$(LDFLAGS) -o $@
-SOURCES = $(libstrongswan_eapidentity_la_SOURCES)
-DIST_SOURCES = $(libstrongswan_eapidentity_la_SOURCES)
+SOURCES = $(libstrongswan_eap_identity_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_eap_identity_la_SOURCES)
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -108,25 +133,22 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
-IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
-LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
-LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
-LINUX_HEADERS = @LINUX_HEADERS@
 LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
 NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
@@ -138,11 +160,14 @@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
 PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
+RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
@@ -171,9 +196,9 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
-confdir = @confdir@
 datadir = @datadir@
 datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
@@ -196,7 +221,7 @@ ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
 libstrongswan_plugins = @libstrongswan_plugins@
-linuxdir = @linuxdir@
+linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
@@ -204,6 +229,7 @@ mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
@@ -212,10 +238,12 @@ pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+random_device = @random_device@
 resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
-simreader = @simreader@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
@@ -223,15 +251,16 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
 AM_CFLAGS = -rdynamic
-plugin_LTLIBRARIES = libstrongswan-eapidentity.la
-libstrongswan_eapidentity_la_SOURCES = \
+plugin_LTLIBRARIES = libstrongswan-eap-identity.la
+libstrongswan_eap_identity_la_SOURCES = \
   eap_identity_plugin.h eap_identity_plugin.c eap_identity.h eap_identity.c
 
-libstrongswan_eapidentity_la_LDFLAGS = -module -avoid-version
+libstrongswan_eap_identity_la_LDFLAGS = -module -avoid-version
 all: all-am
 
 .SUFFIXES:
@@ -245,9 +274,9 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/charon/plugins/eap_identity/Makefile'; \
-	cd $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu  src/charon/plugins/eap_identity/Makefile
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/charon/plugins/eap_identity/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/charon/plugins/eap_identity/Makefile
 .PRECIOUS: Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
@@ -265,23 +294,28 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
 	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
 	  if test -f $$p; then \
-	    f=$(am__strip_dir) \
-	    echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(plugindir)/$$f'"; \
-	    $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(plugindir)/$$f"; \
+	    list2="$$list2 $$p"; \
 	  else :; fi; \
-	done
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
 
 uninstall-pluginLTLIBRARIES:
 	@$(NORMAL_UNINSTALL)
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
-	  p=$(am__strip_dir) \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$p'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$p"; \
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
 	done
 
 clean-pluginLTLIBRARIES:
@@ -292,8 +326,8 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-eapidentity.la: $(libstrongswan_eapidentity_la_OBJECTS) $(libstrongswan_eapidentity_la_DEPENDENCIES) 
-	$(libstrongswan_eapidentity_la_LINK) -rpath $(plugindir) $(libstrongswan_eapidentity_la_OBJECTS) $(libstrongswan_eapidentity_la_LIBADD) $(LIBS)
+libstrongswan-eap-identity.la: $(libstrongswan_eap_identity_la_OBJECTS) $(libstrongswan_eap_identity_la_DEPENDENCIES) 
+	$(libstrongswan_eap_identity_la_LINK) -rpath $(plugindir) $(libstrongswan_eap_identity_la_OBJECTS) $(libstrongswan_eap_identity_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -306,21 +340,21 @@ distclean-compile:
 
 .c.o:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c $<
 
 .c.obj:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
 @am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
@@ -343,7 +377,7 @@ tags: TAGS
 
 TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
+	set x; \
 	here=`pwd`; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
@@ -351,29 +385,34 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
 	  test -n "$$unique" || unique=$$empty_fix; \
-	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	    $$tags $$unique; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
 	fi
 ctags: CTAGS
 CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	test -z "$(CTAGS_ARGS)$$unique" \
 	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$tags $$unique
+	     $$unique
 
 GTAGS:
 	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && cd $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) $$here
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
 
 distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
@@ -394,13 +433,17 @@ distdir: $(DISTFILES)
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
 	  if test -d $$d/$$file; then \
 	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
 	    fi; \
-	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
 	  else \
-	    test -f $(distdir)/$$file \
-	    || cp -p $$d/$$file $(distdir)/$$file \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
 	    || exit 1; \
 	  fi; \
 	done
@@ -431,6 +474,7 @@ clean-generic:
 
 distclean-generic:
 	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -452,6 +496,8 @@ dvi-am:
 
 html: html-am
 
+html-am:
+
 info: info-am
 
 info-am:
@@ -460,18 +506,28 @@ install-data-am: install-pluginLTLIBRARIES
 
 install-dvi: install-dvi-am
 
+install-dvi-am:
+
 install-exec-am:
 
 install-html: install-html-am
 
+install-html-am:
+
 install-info: install-info-am
 
+install-info-am:
+
 install-man:
 
 install-pdf: install-pdf-am
 
+install-pdf-am:
+
 install-ps: install-ps-am
 
+install-ps-am:
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -510,6 +566,7 @@ uninstall-am: uninstall-pluginLTLIBRARIES
 	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
 	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
 
+
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/src/charon/plugins/eap_identity/eap_identity.c b/src/charon/plugins/eap_identity/eap_identity.c
index e43c50c50..ab082a955 100644
--- a/src/charon/plugins/eap_identity/eap_identity.c
+++ b/src/charon/plugins/eap_identity/eap_identity.c
@@ -24,17 +24,17 @@ typedef struct private_eap_identity_t private_eap_identity_t;
  * Private data of an eap_identity_t object.
  */
 struct private_eap_identity_t {
-	
+
 	/**
 	 * Public authenticator_t interface.
 	 */
 	eap_identity_t public;
-	
+
 	/**
 	 * ID of the peer
 	 */
 	identification_t *peer;
-	
+
 	/**
 	 * received identity chunk
 	 */
@@ -68,17 +68,17 @@ static status_t process_peer(private_eap_identity_t *this,
 	chunk_t id;
 	eap_identity_header_t *hdr;
 	size_t len;
-	
+
 	id = this->peer->get_encoding(this->peer);
 	len = sizeof(eap_identity_header_t) + id.len;
-	
+
 	hdr = alloca(len);
 	hdr->code = EAP_RESPONSE;
 	hdr->identifier = in->get_identifier(in);
 	hdr->length = htons(len);
 	hdr->type = EAP_IDENTITY;
 	memcpy(hdr->data, id.ptr, id.len);
-	
+
 	*out = eap_payload_create_data(chunk_create((u_char*)hdr, len));
 	return SUCCESS;
 }
@@ -99,7 +99,7 @@ static status_t process_server(private_eap_identity_t *this,
 							   eap_payload_t *in, eap_payload_t **out)
 {
 	chunk_t data;
-	
+
 	data = chunk_skip(in->get_data(in), 5);
 	if (data.len)
 	{
@@ -114,12 +114,12 @@ static status_t process_server(private_eap_identity_t *this,
 static status_t initiate_server(private_eap_identity_t *this, eap_payload_t **out)
 {
 	eap_identity_header_t hdr;
-	
+
 	hdr.code = EAP_REQUEST;
 	hdr.identifier = 0;
 	hdr.length = htons(sizeof(eap_identity_header_t));
 	hdr.type = EAP_IDENTITY;
-	
+
 	*out = eap_payload_create_data(chunk_create((u_char*)&hdr,
 												sizeof(eap_identity_header_t)));
 	return NEED_MORE;
@@ -172,17 +172,17 @@ static private_eap_identity_t *eap_identity_create(identification_t *server,
 												   identification_t *peer)
 {
 	private_eap_identity_t *this = malloc_thing(private_eap_identity_t);
-	
+
 	this->public.eap_method_interface.initiate = NULL;
 	this->public.eap_method_interface.process = NULL;
 	this->public.eap_method_interface.get_type = (eap_type_t(*)(eap_method_t*,u_int32_t*))get_type;
 	this->public.eap_method_interface.is_mutual = (bool(*)(eap_method_t*))is_mutual;
 	this->public.eap_method_interface.get_msk = (status_t(*)(eap_method_t*,chunk_t*))get_msk;
 	this->public.eap_method_interface.destroy = (void(*)(eap_method_t*))destroy;
-	
+
 	this->peer = peer->clone(peer);
 	this->identity = chunk_empty;
-	
+
 	return this;
 }
 
@@ -193,11 +193,11 @@ eap_identity_t *eap_identity_create_peer(identification_t *server,
 										 identification_t *peer)
 {
 	private_eap_identity_t *this = eap_identity_create(server, peer);
-	
+
 	/* public functions */
 	this->public.eap_method_interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate_peer;
 	this->public.eap_method_interface.process = (status_t(*)(eap_method_t*,eap_payload_t*,eap_payload_t**))process_peer;
-	
+
 	return &this->public;
 }
 
@@ -208,11 +208,11 @@ eap_identity_t *eap_identity_create_server(identification_t *server,
 										   identification_t *peer)
 {
 	private_eap_identity_t *this = eap_identity_create(server, peer);
-	
+
 	/* public functions */
 	this->public.eap_method_interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate_server;
 	this->public.eap_method_interface.process = (status_t(*)(eap_method_t*,eap_payload_t*,eap_payload_t**))process_server;
-	
+
 	return &this->public;
 }
 
diff --git a/src/charon/plugins/eap_identity/eap_identity_plugin.c b/src/charon/plugins/eap_identity/eap_identity_plugin.c
index 809254ccb..a623e1951 100644
--- a/src/charon/plugins/eap_identity/eap_identity_plugin.c
+++ b/src/charon/plugins/eap_identity/eap_identity_plugin.c
@@ -37,14 +37,14 @@ static void destroy(eap_identity_plugin_t *this)
 plugin_t *plugin_create()
 {
 	eap_identity_plugin_t *this = malloc_thing(eap_identity_plugin_t);
-	
+
 	this->plugin.destroy = (void(*)(plugin_t*))destroy;
-	
+
 	charon->eap->add_method(charon->eap, EAP_IDENTITY, 0, EAP_SERVER,
 							(eap_constructor_t)eap_identity_create_server);
 	charon->eap->add_method(charon->eap, EAP_IDENTITY, 0, EAP_PEER,
 							(eap_constructor_t)eap_identity_create_peer);
-	
+
 	return &this->plugin;
 }
 
diff --git a/src/charon/plugins/eap_md5/Makefile.am b/src/charon/plugins/eap_md5/Makefile.am
index 8bad64368..f49928cd2 100644
--- a/src/charon/plugins/eap_md5/Makefile.am
+++ b/src/charon/plugins/eap_md5/Makefile.am
@@ -3,8 +3,8 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
 
 AM_CFLAGS = -rdynamic
 
-plugin_LTLIBRARIES = libstrongswan-eapmd5.la
+plugin_LTLIBRARIES = libstrongswan-eap-md5.la
 
-libstrongswan_eapmd5_la_SOURCES = eap_md5_plugin.h eap_md5_plugin.c eap_md5.h eap_md5.c
-libstrongswan_eapmd5_la_LDFLAGS = -module -avoid-version
+libstrongswan_eap_md5_la_SOURCES = eap_md5_plugin.h eap_md5_plugin.c eap_md5.h eap_md5.c
+libstrongswan_eap_md5_la_LDFLAGS = -module -avoid-version
 
diff --git a/src/charon/plugins/eap_md5/Makefile.in b/src/charon/plugins/eap_md5/Makefile.in
index c11837b91..21ac7fa92 100644
--- a/src/charon/plugins/eap_md5/Makefile.in
+++ b/src/charon/plugins/eap_md5/Makefile.in
@@ -1,8 +1,9 @@
-# Makefile.in generated by automake 1.10.2 from Makefile.am.
+# Makefile.in generated by automake 1.11 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,8 +17,9 @@
 
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
@@ -35,30 +37,53 @@ host_triplet = @host@
 subdir = src/charon/plugins/eap_md5
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
 CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
 am__vpath_adj = case $$p in \
     $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
     *) f=$$p;; \
   esac;
-am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__installdirs = "$(DESTDIR)$(plugindir)"
-pluginLTLIBRARIES_INSTALL = $(INSTALL)
 LTLIBRARIES = $(plugin_LTLIBRARIES)
-libstrongswan_eapmd5_la_LIBADD =
-am_libstrongswan_eapmd5_la_OBJECTS = eap_md5_plugin.lo eap_md5.lo
-libstrongswan_eapmd5_la_OBJECTS =  \
-	$(am_libstrongswan_eapmd5_la_OBJECTS)
-libstrongswan_eapmd5_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+libstrongswan_eap_md5_la_LIBADD =
+am_libstrongswan_eap_md5_la_OBJECTS = eap_md5_plugin.lo eap_md5.lo
+libstrongswan_eap_md5_la_OBJECTS =  \
+	$(am_libstrongswan_eap_md5_la_OBJECTS)
+libstrongswan_eap_md5_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
 	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_eapmd5_la_LDFLAGS) $(LDFLAGS) -o $@
+	$(libstrongswan_eap_md5_la_LDFLAGS) $(LDFLAGS) -o $@
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
+am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
@@ -68,8 +93,8 @@ CCLD = $(CC)
 LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
 	$(LDFLAGS) -o $@
-SOURCES = $(libstrongswan_eapmd5_la_SOURCES)
-DIST_SOURCES = $(libstrongswan_eapmd5_la_SOURCES)
+SOURCES = $(libstrongswan_eap_md5_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_eap_md5_la_SOURCES)
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -106,25 +131,22 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
-IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
-LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
-LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
-LINUX_HEADERS = @LINUX_HEADERS@
 LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
 NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
@@ -136,11 +158,14 @@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
 PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
+RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
@@ -169,9 +194,9 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
-confdir = @confdir@
 datadir = @datadir@
 datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
@@ -194,7 +219,7 @@ ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
 libstrongswan_plugins = @libstrongswan_plugins@
-linuxdir = @linuxdir@
+linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
@@ -202,6 +227,7 @@ mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
@@ -210,10 +236,12 @@ pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+random_device = @random_device@
 resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
-simreader = @simreader@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
@@ -221,13 +249,14 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
 AM_CFLAGS = -rdynamic
-plugin_LTLIBRARIES = libstrongswan-eapmd5.la
-libstrongswan_eapmd5_la_SOURCES = eap_md5_plugin.h eap_md5_plugin.c eap_md5.h eap_md5.c
-libstrongswan_eapmd5_la_LDFLAGS = -module -avoid-version
+plugin_LTLIBRARIES = libstrongswan-eap-md5.la
+libstrongswan_eap_md5_la_SOURCES = eap_md5_plugin.h eap_md5_plugin.c eap_md5.h eap_md5.c
+libstrongswan_eap_md5_la_LDFLAGS = -module -avoid-version
 all: all-am
 
 .SUFFIXES:
@@ -241,9 +270,9 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/charon/plugins/eap_md5/Makefile'; \
-	cd $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu  src/charon/plugins/eap_md5/Makefile
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/charon/plugins/eap_md5/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/charon/plugins/eap_md5/Makefile
 .PRECIOUS: Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
@@ -261,23 +290,28 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
 	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
 	  if test -f $$p; then \
-	    f=$(am__strip_dir) \
-	    echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(plugindir)/$$f'"; \
-	    $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(plugindir)/$$f"; \
+	    list2="$$list2 $$p"; \
 	  else :; fi; \
-	done
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
 
 uninstall-pluginLTLIBRARIES:
 	@$(NORMAL_UNINSTALL)
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
-	  p=$(am__strip_dir) \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$p'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$p"; \
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
 	done
 
 clean-pluginLTLIBRARIES:
@@ -288,8 +322,8 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-eapmd5.la: $(libstrongswan_eapmd5_la_OBJECTS) $(libstrongswan_eapmd5_la_DEPENDENCIES) 
-	$(libstrongswan_eapmd5_la_LINK) -rpath $(plugindir) $(libstrongswan_eapmd5_la_OBJECTS) $(libstrongswan_eapmd5_la_LIBADD) $(LIBS)
+libstrongswan-eap-md5.la: $(libstrongswan_eap_md5_la_OBJECTS) $(libstrongswan_eap_md5_la_DEPENDENCIES) 
+	$(libstrongswan_eap_md5_la_LINK) -rpath $(plugindir) $(libstrongswan_eap_md5_la_OBJECTS) $(libstrongswan_eap_md5_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -302,21 +336,21 @@ distclean-compile:
 
 .c.o:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c $<
 
 .c.obj:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
 @am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
@@ -339,7 +373,7 @@ tags: TAGS
 
 TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
+	set x; \
 	here=`pwd`; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
@@ -347,29 +381,34 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
 	  test -n "$$unique" || unique=$$empty_fix; \
-	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	    $$tags $$unique; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
 	fi
 ctags: CTAGS
 CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	test -z "$(CTAGS_ARGS)$$unique" \
 	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$tags $$unique
+	     $$unique
 
 GTAGS:
 	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && cd $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) $$here
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
 
 distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
@@ -390,13 +429,17 @@ distdir: $(DISTFILES)
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
 	  if test -d $$d/$$file; then \
 	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
 	    fi; \
-	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
 	  else \
-	    test -f $(distdir)/$$file \
-	    || cp -p $$d/$$file $(distdir)/$$file \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
 	    || exit 1; \
 	  fi; \
 	done
@@ -427,6 +470,7 @@ clean-generic:
 
 distclean-generic:
 	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -448,6 +492,8 @@ dvi-am:
 
 html: html-am
 
+html-am:
+
 info: info-am
 
 info-am:
@@ -456,18 +502,28 @@ install-data-am: install-pluginLTLIBRARIES
 
 install-dvi: install-dvi-am
 
+install-dvi-am:
+
 install-exec-am:
 
 install-html: install-html-am
 
+install-html-am:
+
 install-info: install-info-am
 
+install-info-am:
+
 install-man:
 
 install-pdf: install-pdf-am
 
+install-pdf-am:
+
 install-ps: install-ps-am
 
+install-ps-am:
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -506,6 +562,7 @@ uninstall-am: uninstall-pluginLTLIBRARIES
 	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
 	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
 
+
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/src/charon/plugins/eap_md5/eap_md5.c b/src/charon/plugins/eap_md5/eap_md5.c
index 36d726947..0eda8f755 100644
--- a/src/charon/plugins/eap_md5/eap_md5.c
+++ b/src/charon/plugins/eap_md5/eap_md5.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  */
- 
+
 #include "eap_md5.h"
 
 #include <daemon.h>
@@ -25,27 +25,27 @@ typedef struct private_eap_md5_t private_eap_md5_t;
  * Private data of an eap_md5_t object.
  */
 struct private_eap_md5_t {
-	
+
 	/**
 	 * Public authenticator_t interface.
 	 */
 	eap_md5_t public;
-	
+
 	/**
 	 * ID of the server
 	 */
 	identification_t *server;
-	
+
 	/**
 	 * ID of the peer
 	 */
 	identification_t *peer;
-	
+
 	/**
 	 * challenge sent by the server
 	 */
 	chunk_t challenge;
-	
+
 	/**
 	 * EAP message identififier
 	 */
@@ -78,21 +78,21 @@ struct eap_md5_header_t {
 /**
  * Hash the challenge string, create response
  */
-static status_t hash_challenge(private_eap_md5_t *this, chunk_t *response)
-{	
+static status_t hash_challenge(private_eap_md5_t *this, chunk_t *response,
+							   identification_t *me, identification_t *other)
+{
 	shared_key_t *shared;
 	chunk_t concat;
 	hasher_t *hasher;
 
 	shared = charon->credentials->get_shared(charon->credentials, SHARED_EAP,
-											 this->server, this->peer);
+											 me, other);
 	if (shared == NULL)
 	{
-		DBG1(DBG_IKE, "no EAP key found for hosts '%Y' - '%Y'",
-			 this->server, this->peer);
+		DBG1(DBG_IKE, "no EAP key found for hosts '%Y' - '%Y'", me, other);
 		return NOT_FOUND;
 	}
-	concat = chunk_cata("ccc", chunk_from_thing(this->identifier),	
+	concat = chunk_cata("ccc", chunk_from_thing(this->identifier),
 						shared->get_key(shared), this->challenge);
 	shared->destroy(shared);
 	hasher = lib->crypto->create_hasher(lib->crypto, HASH_MD5);
@@ -122,7 +122,7 @@ static status_t initiate_server(private_eap_md5_t *this, eap_payload_t **out)
 {
 	rng_t *rng;
 	eap_md5_header_t *req;
-	
+
 	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
 	if (!rng)
 	{
@@ -130,7 +130,7 @@ static status_t initiate_server(private_eap_md5_t *this, eap_payload_t **out)
 	}
 	rng->allocate_bytes(rng, CHALLENGE_LEN, &this->challenge);
 	rng->destroy(rng);
-	
+
 	req = alloca(PAYLOAD_LEN);
 	req->length = htons(PAYLOAD_LEN);
 	req->code = EAP_REQUEST;
@@ -138,7 +138,7 @@ static status_t initiate_server(private_eap_md5_t *this, eap_payload_t **out)
 	req->type = EAP_MD5;
 	req->value_size = this->challenge.len;
 	memcpy(req->value, this->challenge.ptr, this->challenge.len);
-	
+
 	*out = eap_payload_create_data(chunk_create((void*)req, PAYLOAD_LEN));
 	return NEED_MORE;
 }
@@ -152,7 +152,7 @@ static status_t process_peer(private_eap_md5_t *this,
 	chunk_t response;
 	chunk_t data;
 	eap_md5_header_t *req;
-	
+
 	this->identifier = in->get_identifier(in);
 	data = in->get_data(in);
 	this->challenge = chunk_clone(chunk_skip(data, 6));
@@ -161,7 +161,7 @@ static status_t process_peer(private_eap_md5_t *this,
 		DBG1(DBG_IKE, "received invalid EAP-MD5 message");
 		return FAILED;
 	}
-	if (hash_challenge(this, &response) != SUCCESS)
+	if (hash_challenge(this, &response, this->peer, this->server) != SUCCESS)
 	{
 		return FAILED;
 	}
@@ -173,7 +173,7 @@ static status_t process_peer(private_eap_md5_t *this,
 	req->value_size = response.len;
 	memcpy(req->value, response.ptr, response.len);
 	chunk_free(&response);
-	
+
 	*out = eap_payload_create_data(chunk_create((void*)req, PAYLOAD_LEN));
 	return NEED_MORE;
 }
@@ -186,19 +186,19 @@ static status_t process_server(private_eap_md5_t *this,
 {
 	chunk_t response, expected;
 	chunk_t data;
-	
+
 	if (this->identifier != in->get_identifier(in))
 	{
 		DBG1(DBG_IKE, "received invalid EAP-MD5 message");
 		return FAILED;
 	}
-	if (hash_challenge(this, &expected) != SUCCESS)
+	if (hash_challenge(this, &expected, this->server, this->peer) != SUCCESS)
 	{
 		return FAILED;
 	}
 	data = in->get_data(in);
 	response = chunk_skip(data, 6);
-	
+
 	if (response.len < expected.len ||
 		!memeq(response.ptr, expected.ptr, expected.len))
 	{
@@ -253,20 +253,20 @@ static private_eap_md5_t *eap_md5_create_generic(identification_t *server,
 												 identification_t *peer)
 {
 	private_eap_md5_t *this = malloc_thing(private_eap_md5_t);
-	
+
 	this->public.eap_method_interface.initiate = NULL;
 	this->public.eap_method_interface.process = NULL;
 	this->public.eap_method_interface.get_type = (eap_type_t(*)(eap_method_t*,u_int32_t*))get_type;
 	this->public.eap_method_interface.is_mutual = (bool(*)(eap_method_t*))is_mutual;
 	this->public.eap_method_interface.get_msk = (status_t(*)(eap_method_t*,chunk_t*))get_msk;
 	this->public.eap_method_interface.destroy = (void(*)(eap_method_t*))destroy;
-	
+
 	/* private data */
 	this->peer = peer->clone(peer);
 	this->server = server->clone(server);
 	this->challenge = chunk_empty;
 	this->identifier = 0;
-	
+
 	return this;
 }
 
@@ -276,7 +276,7 @@ static private_eap_md5_t *eap_md5_create_generic(identification_t *server,
 eap_md5_t *eap_md5_create_server(identification_t *server, identification_t *peer)
 {
 	private_eap_md5_t *this = eap_md5_create_generic(server, peer);
-	
+
 	this->public.eap_method_interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate_server;
 	this->public.eap_method_interface.process = (status_t(*)(eap_method_t*,eap_payload_t*,eap_payload_t**))process_server;
 
@@ -294,7 +294,7 @@ eap_md5_t *eap_md5_create_server(identification_t *server, identification_t *pee
 eap_md5_t *eap_md5_create_peer(identification_t *server, identification_t *peer)
 {
 	private_eap_md5_t *this = eap_md5_create_generic(server, peer);
-	
+
 	this->public.eap_method_interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate_peer;
 	this->public.eap_method_interface.process = (status_t(*)(eap_method_t*,eap_payload_t*,eap_payload_t**))process_peer;
 
diff --git a/src/charon/plugins/eap_md5/eap_md5_plugin.c b/src/charon/plugins/eap_md5/eap_md5_plugin.c
index e30152fc5..629255ebf 100644
--- a/src/charon/plugins/eap_md5/eap_md5_plugin.c
+++ b/src/charon/plugins/eap_md5/eap_md5_plugin.c
@@ -37,14 +37,14 @@ static void destroy(eap_md5_plugin_t *this)
 plugin_t *plugin_create()
 {
 	eap_md5_plugin_t *this = malloc_thing(eap_md5_plugin_t);
-	
+
 	this->plugin.destroy = (void(*)(plugin_t*))destroy;
-	
+
 	charon->eap->add_method(charon->eap, EAP_MD5, 0, EAP_SERVER,
 							(eap_constructor_t)eap_md5_create_server);
 	charon->eap->add_method(charon->eap, EAP_MD5, 0, EAP_PEER,
 							(eap_constructor_t)eap_md5_create_peer);
-	
+
 	return &this->plugin;
 }
 
diff --git a/src/charon/plugins/eap_mschapv2/Makefile.am b/src/charon/plugins/eap_mschapv2/Makefile.am
index 179da70fc..4758ad5f3 100644
--- a/src/charon/plugins/eap_mschapv2/Makefile.am
+++ b/src/charon/plugins/eap_mschapv2/Makefile.am
@@ -3,10 +3,10 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
 
 AM_CFLAGS = -rdynamic
 
-plugin_LTLIBRARIES = libstrongswan-eapmschapv2.la
+plugin_LTLIBRARIES = libstrongswan-eap-mschapv2.la
 
-libstrongswan_eapmschapv2_la_SOURCES = \
+libstrongswan_eap_mschapv2_la_SOURCES = \
 	eap_mschapv2_plugin.h eap_mschapv2_plugin.c \
 	eap_mschapv2.h eap_mschapv2.c
-libstrongswan_eapmschapv2_la_LDFLAGS = -module -avoid-version
+libstrongswan_eap_mschapv2_la_LDFLAGS = -module -avoid-version
 
diff --git a/src/charon/plugins/eap_mschapv2/Makefile.in b/src/charon/plugins/eap_mschapv2/Makefile.in
index d6dd74b88..001818481 100644
--- a/src/charon/plugins/eap_mschapv2/Makefile.in
+++ b/src/charon/plugins/eap_mschapv2/Makefile.in
@@ -1,8 +1,9 @@
-# Makefile.in generated by automake 1.10.2 from Makefile.am.
+# Makefile.in generated by automake 1.11 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,8 +17,9 @@
 
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
@@ -35,32 +37,55 @@ host_triplet = @host@
 subdir = src/charon/plugins/eap_mschapv2
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
 CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
 am__vpath_adj = case $$p in \
     $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
     *) f=$$p;; \
   esac;
-am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__installdirs = "$(DESTDIR)$(plugindir)"
-pluginLTLIBRARIES_INSTALL = $(INSTALL)
 LTLIBRARIES = $(plugin_LTLIBRARIES)
-libstrongswan_eapmschapv2_la_LIBADD =
-am_libstrongswan_eapmschapv2_la_OBJECTS = eap_mschapv2_plugin.lo \
+libstrongswan_eap_mschapv2_la_LIBADD =
+am_libstrongswan_eap_mschapv2_la_OBJECTS = eap_mschapv2_plugin.lo \
 	eap_mschapv2.lo
-libstrongswan_eapmschapv2_la_OBJECTS =  \
-	$(am_libstrongswan_eapmschapv2_la_OBJECTS)
-libstrongswan_eapmschapv2_la_LINK = $(LIBTOOL) --tag=CC \
+libstrongswan_eap_mschapv2_la_OBJECTS =  \
+	$(am_libstrongswan_eap_mschapv2_la_OBJECTS)
+libstrongswan_eap_mschapv2_la_LINK = $(LIBTOOL) --tag=CC \
 	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
-	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_eapmschapv2_la_LDFLAGS) \
-	$(LDFLAGS) -o $@
+	$(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_eap_mschapv2_la_LDFLAGS) $(LDFLAGS) -o $@
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
+am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
@@ -70,8 +95,8 @@ CCLD = $(CC)
 LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
 	$(LDFLAGS) -o $@
-SOURCES = $(libstrongswan_eapmschapv2_la_SOURCES)
-DIST_SOURCES = $(libstrongswan_eapmschapv2_la_SOURCES)
+SOURCES = $(libstrongswan_eap_mschapv2_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_eap_mschapv2_la_SOURCES)
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -108,25 +133,22 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
-IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
-LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
-LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
-LINUX_HEADERS = @LINUX_HEADERS@
 LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
 NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
@@ -138,11 +160,14 @@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
 PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
+RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
@@ -171,9 +196,9 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
-confdir = @confdir@
 datadir = @datadir@
 datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
@@ -196,7 +221,7 @@ ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
 libstrongswan_plugins = @libstrongswan_plugins@
-linuxdir = @linuxdir@
+linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
@@ -204,6 +229,7 @@ mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
@@ -212,10 +238,12 @@ pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+random_device = @random_device@
 resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
-simreader = @simreader@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
@@ -223,16 +251,17 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
 AM_CFLAGS = -rdynamic
-plugin_LTLIBRARIES = libstrongswan-eapmschapv2.la
-libstrongswan_eapmschapv2_la_SOURCES = \
+plugin_LTLIBRARIES = libstrongswan-eap-mschapv2.la
+libstrongswan_eap_mschapv2_la_SOURCES = \
 	eap_mschapv2_plugin.h eap_mschapv2_plugin.c \
 	eap_mschapv2.h eap_mschapv2.c
 
-libstrongswan_eapmschapv2_la_LDFLAGS = -module -avoid-version
+libstrongswan_eap_mschapv2_la_LDFLAGS = -module -avoid-version
 all: all-am
 
 .SUFFIXES:
@@ -246,9 +275,9 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/charon/plugins/eap_mschapv2/Makefile'; \
-	cd $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu  src/charon/plugins/eap_mschapv2/Makefile
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/charon/plugins/eap_mschapv2/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/charon/plugins/eap_mschapv2/Makefile
 .PRECIOUS: Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
@@ -266,23 +295,28 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
 	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
 	  if test -f $$p; then \
-	    f=$(am__strip_dir) \
-	    echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(plugindir)/$$f'"; \
-	    $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(plugindir)/$$f"; \
+	    list2="$$list2 $$p"; \
 	  else :; fi; \
-	done
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
 
 uninstall-pluginLTLIBRARIES:
 	@$(NORMAL_UNINSTALL)
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
-	  p=$(am__strip_dir) \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$p'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$p"; \
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
 	done
 
 clean-pluginLTLIBRARIES:
@@ -293,8 +327,8 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-eapmschapv2.la: $(libstrongswan_eapmschapv2_la_OBJECTS) $(libstrongswan_eapmschapv2_la_DEPENDENCIES) 
-	$(libstrongswan_eapmschapv2_la_LINK) -rpath $(plugindir) $(libstrongswan_eapmschapv2_la_OBJECTS) $(libstrongswan_eapmschapv2_la_LIBADD) $(LIBS)
+libstrongswan-eap-mschapv2.la: $(libstrongswan_eap_mschapv2_la_OBJECTS) $(libstrongswan_eap_mschapv2_la_DEPENDENCIES) 
+	$(libstrongswan_eap_mschapv2_la_LINK) -rpath $(plugindir) $(libstrongswan_eap_mschapv2_la_OBJECTS) $(libstrongswan_eap_mschapv2_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -307,21 +341,21 @@ distclean-compile:
 
 .c.o:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c $<
 
 .c.obj:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
 @am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
@@ -344,7 +378,7 @@ tags: TAGS
 
 TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
+	set x; \
 	here=`pwd`; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
@@ -352,29 +386,34 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
 	  test -n "$$unique" || unique=$$empty_fix; \
-	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	    $$tags $$unique; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
 	fi
 ctags: CTAGS
 CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	test -z "$(CTAGS_ARGS)$$unique" \
 	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$tags $$unique
+	     $$unique
 
 GTAGS:
 	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && cd $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) $$here
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
 
 distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
@@ -395,13 +434,17 @@ distdir: $(DISTFILES)
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
 	  if test -d $$d/$$file; then \
 	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
 	    fi; \
-	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
 	  else \
-	    test -f $(distdir)/$$file \
-	    || cp -p $$d/$$file $(distdir)/$$file \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
 	    || exit 1; \
 	  fi; \
 	done
@@ -432,6 +475,7 @@ clean-generic:
 
 distclean-generic:
 	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -453,6 +497,8 @@ dvi-am:
 
 html: html-am
 
+html-am:
+
 info: info-am
 
 info-am:
@@ -461,18 +507,28 @@ install-data-am: install-pluginLTLIBRARIES
 
 install-dvi: install-dvi-am
 
+install-dvi-am:
+
 install-exec-am:
 
 install-html: install-html-am
 
+install-html-am:
+
 install-info: install-info-am
 
+install-info-am:
+
 install-man:
 
 install-pdf: install-pdf-am
 
+install-pdf-am:
+
 install-ps: install-ps-am
 
+install-ps-am:
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -511,6 +567,7 @@ uninstall-am: uninstall-pluginLTLIBRARIES
 	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
 	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
 
+
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/src/charon/plugins/eap_mschapv2/eap_mschapv2.c b/src/charon/plugins/eap_mschapv2/eap_mschapv2.c
index 0e3fac780..f0222840d 100644
--- a/src/charon/plugins/eap_mschapv2/eap_mschapv2.c
+++ b/src/charon/plugins/eap_mschapv2/eap_mschapv2.c
@@ -35,47 +35,47 @@ struct private_eap_mschapv2_t
 	 * Public authenticator_t interface.
 	 */
 	eap_mschapv2_t public;
-	
+
 	/**
 	 * ID of the server
 	 */
 	identification_t *server;
-	
+
 	/**
 	 * ID of the peer
 	 */
 	identification_t *peer;
-	
+
 	/**
 	 * challenge sent by the server
 	 */
 	chunk_t challenge;
-	
+
 	/**
 	 * generated NT-Response
 	 */
 	chunk_t nt_response;
-	
+
 	/**
 	 * generated Authenticator Response
 	 */
 	chunk_t auth_response;
-	
+
 	/**
 	 * generated MSK
 	 */
 	chunk_t msk;
-	
+
 	/**
 	 * EAP message identifier
 	 */
 	u_int8_t identifier;
-	
+
 	/**
 	 * MS-CHAPv2-ID (session ID, increases with each retry)
 	 */
 	u_int8_t mschapv2id;
-	
+
 	/**
 	 * Number of retries
 	 */
@@ -248,7 +248,7 @@ static chunk_t ExpandDESKey(chunk_t key)
 	int i;
 	u_char carry = 0;
 	chunk_t expanded;
-	
+
 	/* expand the 7 octets to 8 octets */
 	expanded = chunk_alloc(8);
 	for (i = 0; i < 7; i++)
@@ -257,7 +257,7 @@ static chunk_t ExpandDESKey(chunk_t key)
 		carry = key.ptr[i] & ~bitmask[i];
 	}
 	expanded.ptr[7] = carry << 1;
-	
+
 	/* add parity bits to each octet */
 	for (i = 0; i < 8; i++)
 	{
@@ -269,7 +269,7 @@ static chunk_t ExpandDESKey(chunk_t key)
 }
 
 /**
- * Calculate the NT password hash (i.e. hash the (unicode) password with MD4) 
+ * Calculate the NT password hash (i.e. hash the (unicode) password with MD4)
  */
 static status_t NtPasswordHash(chunk_t password, chunk_t *password_hash)
 {
@@ -277,7 +277,7 @@ static status_t NtPasswordHash(chunk_t password, chunk_t *password_hash)
 	hasher = lib->crypto->create_hasher(lib->crypto, HASH_MD4);
 	if (hasher == NULL)
 	{
-		DBG1(DBG_IKE, "EAP-MS-CHAPv2 failed, MD4 not supported");
+		DBG1(DBG_IKE, "EAP-MS-CHAPv2 failed, no MD4 hasher available");
 		return FAILED;
 	}
 	hasher->allocate_hash(hasher, password, password_hash);
@@ -287,7 +287,7 @@ static status_t NtPasswordHash(chunk_t password, chunk_t *password_hash)
 
 /**
  * Calculate the challenge hash (i.e. hash [peer_challenge | server_challenge |
- * username (without domain part)] with SHA1) 
+ * username (without domain part)] with SHA1)
  */
 static status_t ChallengeHash(chunk_t peer_challenge, chunk_t server_challenge,
 							  chunk_t username, chunk_t *challenge_hash)
@@ -331,7 +331,7 @@ static status_t ChallengeResponse(chunk_t challenge_hash, chunk_t password_hash,
 	memset(z_password_hash.ptr, 0, z_password_hash.len);
 	memcpy(z_password_hash.ptr, password_hash.ptr, password_hash.len);
 	chunk_split(z_password_hash, "mmm", 7, &keys[0], 7, &keys[1], 7, &keys[2]);
-	
+
 	*response = chunk_alloc(24);
 	for (i = 0; i < 3; i++)
 	{
@@ -353,35 +353,32 @@ static status_t ChallengeResponse(chunk_t challenge_hash, chunk_t password_hash,
 static status_t AuthenticatorResponse(chunk_t password_hash_hash,
 		chunk_t challenge_hash, chunk_t nt_response, chunk_t *response)
 {
-	static u_int8_t magic1_data[] =
-				{ 0x4D, 0x61, 0x67, 0x69, 0x63, 0x20, 0x73, 0x65, 0x72, 0x76,
-				  0x65, 0x72, 0x20, 0x74, 0x6F, 0x20, 0x63, 0x6C, 0x69, 0x65,
-				  0x6E, 0x74, 0x20, 0x73, 0x69, 0x67, 0x6E, 0x69, 0x6E, 0x67,
-				  0x20, 0x63, 0x6F, 0x6E, 0x73, 0x74, 0x61, 0x6E, 0x74 };
-	static u_int8_t magic2_data[] =
-				{ 0x50, 0x61, 0x64, 0x20, 0x74, 0x6F, 0x20, 0x6D, 0x61, 0x6B,
-				  0x65, 0x20, 0x69, 0x74, 0x20, 0x64, 0x6F, 0x20, 0x6D, 0x6F,
-				  0x72, 0x65, 0x20, 0x74, 0x68, 0x61, 0x6E, 0x20, 0x6F, 0x6E,
-				  0x65, 0x20, 0x69, 0x74, 0x65, 0x72, 0x61, 0x74, 0x69, 0x6F,
-				  0x6E };
-	static const chunk_t magic1 = chunk_from_buf(magic1_data);
-	static const chunk_t magic2 = chunk_from_buf(magic2_data);
-	
+	chunk_t magic1 = chunk_from_chars(
+		0x4D, 0x61, 0x67, 0x69, 0x63, 0x20, 0x73, 0x65, 0x72, 0x76,
+		0x65, 0x72, 0x20, 0x74, 0x6F, 0x20, 0x63, 0x6C, 0x69, 0x65,
+		0x6E, 0x74, 0x20, 0x73, 0x69, 0x67, 0x6E, 0x69, 0x6E, 0x67,
+		0x20, 0x63, 0x6F, 0x6E, 0x73, 0x74, 0x61, 0x6E, 0x74);
+	chunk_t magic2 = chunk_from_chars(
+		0x50, 0x61, 0x64, 0x20, 0x74, 0x6F, 0x20, 0x6D, 0x61, 0x6B,
+		0x65, 0x20, 0x69, 0x74, 0x20, 0x64, 0x6F, 0x20, 0x6D, 0x6F,
+		0x72, 0x65, 0x20, 0x74, 0x68, 0x61, 0x6E, 0x20, 0x6F, 0x6E,
+		0x65, 0x20, 0x69, 0x74, 0x65, 0x72, 0x61, 0x74, 0x69, 0x6F,
+		0x6E);
 	chunk_t digest = chunk_empty, concat;
 	hasher_t *hasher;
-	
+
 	hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
 	if (hasher == NULL)
 	{
 		DBG1(DBG_IKE, "EAP-MS-CHAPv2 failed, SHA1 not supported");
 		return FAILED;
 	}
-	
+
 	concat = chunk_cata("ccc", password_hash_hash, nt_response, magic1);
 	hasher->allocate_hash(hasher, concat, &digest);
 	concat = chunk_cata("ccc", digest, challenge_hash, magic2);
 	hasher->allocate_hash(hasher, concat, response);
-	
+
 	hasher->destroy(hasher);
 	chunk_free(&digest);
 	return SUCCESS;
@@ -393,71 +390,67 @@ static status_t AuthenticatorResponse(chunk_t password_hash_hash,
 static status_t GenerateMSK(chunk_t password_hash_hash,
 							chunk_t nt_response, chunk_t *msk)
 {
-	static u_int8_t magic1_data[] =
-		{ 0x54, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20, 0x74,
-		  0x68, 0x65, 0x20, 0x4d, 0x50, 0x50, 0x45, 0x20, 0x4d,
-		  0x61, 0x73, 0x74, 0x65, 0x72, 0x20, 0x4b, 0x65, 0x79 };
-	static u_int8_t magic2_data[] =
-		{ 0x4f, 0x6e, 0x20, 0x74, 0x68, 0x65, 0x20, 0x63, 0x6c, 0x69,
-		  0x65, 0x6e, 0x74, 0x20, 0x73, 0x69, 0x64, 0x65, 0x2c, 0x20,
-		  0x74, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20, 0x74, 0x68,
-		  0x65, 0x20, 0x73, 0x65, 0x6e, 0x64, 0x20, 0x6b, 0x65, 0x79,
-		  0x3b, 0x20, 0x6f, 0x6e, 0x20, 0x74, 0x68, 0x65, 0x20, 0x73,
-		  0x65, 0x72, 0x76, 0x65, 0x72, 0x20, 0x73, 0x69, 0x64, 0x65,
-		  0x2c, 0x20, 0x69, 0x74, 0x20, 0x69, 0x73, 0x20, 0x74, 0x68,
-		  0x65, 0x20, 0x72, 0x65, 0x63, 0x65, 0x69, 0x76, 0x65, 0x20,
-		  0x6b, 0x65, 0x79, 0x2e };
-	static u_int8_t magic3_data[] =
-		{ 0x4f, 0x6e, 0x20, 0x74, 0x68, 0x65, 0x20, 0x63, 0x6c, 0x69,
-		  0x65, 0x6e, 0x74, 0x20, 0x73, 0x69, 0x64, 0x65, 0x2c, 0x20,
-		  0x74, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20, 0x74, 0x68,
-		  0x65, 0x20, 0x72, 0x65, 0x63, 0x65, 0x69, 0x76, 0x65, 0x20,
-		  0x6b, 0x65, 0x79, 0x3b, 0x20, 0x6f, 0x6e, 0x20, 0x74, 0x68,
-		  0x65, 0x20, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x20, 0x73,
-		  0x69, 0x64, 0x65, 0x2c, 0x20, 0x69, 0x74, 0x20, 0x69, 0x73,
-		  0x20, 0x74, 0x68, 0x65, 0x20, 0x73, 0x65, 0x6e, 0x64, 0x20,
-		  0x6b, 0x65, 0x79, 0x2e };
-	static u_int8_t shapad1_data[] =
-		{ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-		  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-		  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-		  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
-	static u_int8_t shapad2_data[] =
-		{ 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2,
-		  0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2,
-		  0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2,
-		  0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2 };
-	static const chunk_t magic1 = chunk_from_buf(magic1_data);
-	static const chunk_t magic2 = chunk_from_buf(magic2_data);
-	static const chunk_t magic3 = chunk_from_buf(magic3_data);
-	static const chunk_t shapad1 = chunk_from_buf(shapad1_data);
-	static const chunk_t shapad2 = chunk_from_buf(shapad2_data);
-	static const chunk_t keypad = { shapad1_data, 16 };
-	
+	chunk_t magic1 = chunk_from_chars(
+		0x54, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20, 0x74,
+		0x68, 0x65, 0x20, 0x4d, 0x50, 0x50, 0x45, 0x20, 0x4d,
+		0x61, 0x73, 0x74, 0x65, 0x72, 0x20, 0x4b, 0x65, 0x79);
+	chunk_t magic2 = chunk_from_chars(
+		0x4f, 0x6e, 0x20, 0x74, 0x68, 0x65, 0x20, 0x63, 0x6c, 0x69,
+		0x65, 0x6e, 0x74, 0x20, 0x73, 0x69, 0x64, 0x65, 0x2c, 0x20,
+		0x74, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20, 0x74, 0x68,
+		0x65, 0x20, 0x73, 0x65, 0x6e, 0x64, 0x20, 0x6b, 0x65, 0x79,
+		0x3b, 0x20, 0x6f, 0x6e, 0x20, 0x74, 0x68, 0x65, 0x20, 0x73,
+		0x65, 0x72, 0x76, 0x65, 0x72, 0x20, 0x73, 0x69, 0x64, 0x65,
+		0x2c, 0x20, 0x69, 0x74, 0x20, 0x69, 0x73, 0x20, 0x74, 0x68,
+		0x65, 0x20, 0x72, 0x65, 0x63, 0x65, 0x69, 0x76, 0x65, 0x20,
+		0x6b, 0x65, 0x79, 0x2e);
+	chunk_t magic3 = chunk_from_chars(
+		0x4f, 0x6e, 0x20, 0x74, 0x68, 0x65, 0x20, 0x63, 0x6c, 0x69,
+		0x65, 0x6e, 0x74, 0x20, 0x73, 0x69, 0x64, 0x65, 0x2c, 0x20,
+		0x74, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20, 0x74, 0x68,
+		0x65, 0x20, 0x72, 0x65, 0x63, 0x65, 0x69, 0x76, 0x65, 0x20,
+		0x6b, 0x65, 0x79, 0x3b, 0x20, 0x6f, 0x6e, 0x20, 0x74, 0x68,
+		0x65, 0x20, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x20, 0x73,
+		0x69, 0x64, 0x65, 0x2c, 0x20, 0x69, 0x74, 0x20, 0x69, 0x73,
+		0x20, 0x74, 0x68, 0x65, 0x20, 0x73, 0x65, 0x6e, 0x64, 0x20,
+		0x6b, 0x65, 0x79, 0x2e);
+	chunk_t shapad1 = chunk_from_chars(
+		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00);
+	chunk_t shapad2 = chunk_from_chars(
+		0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2,
+		0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2,
+		0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2,
+		0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2);
+	chunk_t keypad = chunk_from_chars(
+		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+		0x00, 0x00, 0x00, 0x00, 0x00, 0x00);
 	chunk_t concat, master_key, master_receive_key, master_send_key;
 	hasher_t *hasher;
-	
+
 	hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
 	if (hasher == NULL)
 	{
 		DBG1(DBG_IKE, "EAP-MS-CHAPv2 failed, SHA1 not supported");
 		return FAILED;
 	}
-	
+
 	concat = chunk_cata("ccc", password_hash_hash, nt_response, magic1);
 	hasher->allocate_hash(hasher, concat, &master_key);
 	master_key.len = 16;
-	
+
 	concat = chunk_cata("cccc", master_key, shapad1, magic2, shapad2);
 	hasher->allocate_hash(hasher, concat, &master_receive_key);
 	master_receive_key.len = 16;
-	
+
 	concat = chunk_cata("cccc", master_key, shapad1, magic3, shapad2);
 	hasher->allocate_hash(hasher, concat, &master_send_key);
 	master_send_key.len = 16;
-	
+
 	*msk = chunk_cat("cccc", master_receive_key, master_send_key, keypad, keypad);
-	
+
 	hasher->destroy(hasher);
 	chunk_free(&master_key);
 	chunk_free(&master_receive_key);
@@ -472,7 +465,7 @@ static status_t GenerateStuff(private_eap_mschapv2_t *this,
 	status_t status = FAILED;
 	chunk_t password_hash = chunk_empty, password_hash_hash = chunk_empty,
 			challenge_hash = chunk_empty;
-	
+
 	if (NtPasswordHash(password, &password_hash) != SUCCESS)
 	{
 		goto error;
@@ -486,7 +479,7 @@ static status_t GenerateStuff(private_eap_mschapv2_t *this,
 	{
 		goto error;
 	}
-	
+
 	if (ChallengeResponse(challenge_hash, password_hash,
 						  &this->nt_response) != SUCCESS)
 	{
@@ -501,9 +494,9 @@ static status_t GenerateStuff(private_eap_mschapv2_t *this,
 	{
 		goto error;
 	}
-	
+
 	status = SUCCESS;
-	
+
 error:
 	chunk_free(&password_hash);
 	chunk_free(&password_hash_hash);
@@ -532,7 +525,7 @@ static chunk_t ascii_to_unicode(chunk_t ascii)
 static char* sanitize(char *str)
 {
 	char *pos = str;
-	
+
 	while (pos && *pos)
 	{
 		if (!isprint(*pos))
@@ -592,7 +585,7 @@ static status_t initiate_server(private_eap_mschapv2_t *this, eap_payload_t **ou
 	eap_mschapv2_challenge_t *cha;
 	const char *name = MSCHAPV2_HOST_NAME;
 	u_int16_t len = CHALLENGE_PAYLOAD_LEN + sizeof(MSCHAPV2_HOST_NAME) - 1;
-	
+
 	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
 	if (!rng)
 	{
@@ -601,7 +594,7 @@ static status_t initiate_server(private_eap_mschapv2_t *this, eap_payload_t **ou
 	}
 	rng->allocate_bytes(rng, CHALLENGE_LEN, &this->challenge);
 	rng->destroy(rng);
-	
+
 	eap = alloca(len);
 	eap->code = EAP_REQUEST;
 	eap->identifier = this->identifier;
@@ -610,12 +603,12 @@ static status_t initiate_server(private_eap_mschapv2_t *this, eap_payload_t **ou
 	eap->opcode = MSCHAPV2_CHALLENGE;
 	eap->ms_chapv2_id = this->mschapv2id;
 	set_ms_length(eap, len);
-	
+
 	cha = (eap_mschapv2_challenge_t*)eap->data;
 	cha->value_size = CHALLENGE_LEN;
 	memcpy(cha->challenge, this->challenge.ptr, this->challenge.len);
 	memcpy(cha->name, name, sizeof(MSCHAPV2_HOST_NAME) - 1);
-	
+
 	*out = eap_payload_create_data(chunk_create((void*) eap, len));
 	return NEED_MORE;
 }
@@ -634,29 +627,29 @@ static status_t process_peer_challenge(private_eap_mschapv2_t *this,
 	shared_key_t *shared;
 	chunk_t data, peer_challenge, username, password;
 	u_int16_t len = RESPONSE_PAYLOAD_LEN;
-	
+
 	data = in->get_data(in);
 	eap = (eap_mschapv2_header_t*)data.ptr;
-	
+
 	/* the name MUST be at least one octet long */
 	if (data.len < CHALLENGE_PAYLOAD_LEN + 1)
 	{
 		DBG1(DBG_IKE, "received invalid EAP-MS-CHAPv2 message: too short");
 		return FAILED;
 	}
-	
+
 	cha = (eap_mschapv2_challenge_t*)eap->data;
-			
+
 	if (cha->value_size != CHALLENGE_LEN)
 	{
 		DBG1(DBG_IKE, "received invalid EAP-MS-CHAPv2 message: "
 			 "invalid challenge size");
 		return FAILED;
 	}
-			
+
 	this->mschapv2id = eap->ms_chapv2_id;
 	this->challenge = chunk_clone(chunk_create(cha->challenge, CHALLENGE_LEN));
-			
+
 	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
 	if (!rng)
 	{
@@ -666,7 +659,7 @@ static status_t process_peer_challenge(private_eap_mschapv2_t *this,
 	peer_challenge = chunk_alloca(CHALLENGE_LEN);
 	rng->get_bytes(rng, CHALLENGE_LEN, peer_challenge.ptr);
 	rng->destroy(rng);
-			
+
 	shared = charon->credentials->get_shared(charon->credentials,
 										SHARED_EAP, this->peer, this->server);
 	if (shared == NULL)
@@ -675,13 +668,13 @@ static status_t process_peer_challenge(private_eap_mschapv2_t *this,
 			 this->server, this->peer);
 		return NOT_FOUND;
 	}
-	
+
 	password = ascii_to_unicode(shared->get_key(shared));
 	shared->destroy(shared);
-	
+
 	username = extract_username(this->peer);
 	len += username.len;
-			
+
 	if (GenerateStuff(this, this->challenge, peer_challenge, username, password) != SUCCESS)
 	{
 		DBG1(DBG_IKE, "EAP-MS-CHAPv2 generating NT-Response failed");
@@ -689,7 +682,7 @@ static status_t process_peer_challenge(private_eap_mschapv2_t *this,
 		return FAILED;
 	}
 	chunk_clear(&password);
-			
+
 	eap = alloca(len);
 	eap->code = EAP_RESPONSE;
 	eap->identifier = this->identifier;
@@ -698,16 +691,16 @@ static status_t process_peer_challenge(private_eap_mschapv2_t *this,
 	eap->opcode = MSCHAPV2_RESPONSE;
 	eap->ms_chapv2_id = this->mschapv2id;
 	set_ms_length(eap, len);
-	
+
 	res = (eap_mschapv2_response_t*)eap->data;
 	res->value_size = RESPONSE_LEN;
 	memset(&res->response, 0, RESPONSE_LEN);
 	memcpy(res->response.peer_challenge, peer_challenge.ptr, peer_challenge.len);
 	memcpy(res->response.nt_response, this->nt_response.ptr, this->nt_response.len);
-	
+
 	username = this->peer->get_encoding(this->peer);
 	memcpy(res->name, username.ptr, username.len);
-	
+
 	*out = eap_payload_create_data(chunk_create((void*) eap, len));
 	return NEED_MORE;
 }
@@ -725,21 +718,21 @@ static status_t process_peer_success(private_eap_mschapv2_t *this,
 	char *message, *token, *msg = NULL;
 	int message_len;
 	u_int16_t len = SHORT_HEADER_LEN;
-	
+
 	data = in->get_data(in);
 	eap = (eap_mschapv2_header_t*)data.ptr;
-	
+
 	if (data.len < AUTH_RESPONSE_LEN)
 	{
 		DBG1(DBG_IKE, "received invalid EAP-MS-CHAPv2 message: too short");
 		return FAILED;
 	}
-	
+
 	message_len = data.len - HEADER_LEN;
 	message = malloc(message_len + 1);
 	memcpy(message, eap->data, message_len);
 	message[message_len] = '\0';
-	
+
 	/* S=<auth_string> M=<msg> */
 	enumerator = enumerator_create_token(message, " ", " ");
 	while (enumerator->enumerate(enumerator, &token))
@@ -764,32 +757,32 @@ static status_t process_peer_success(private_eap_mschapv2_t *this,
 		}
 	}
 	enumerator->destroy(enumerator);
-			
-	if (auth_string.ptr == NULL)	
+
+	if (auth_string.ptr == NULL)
 	{
 		DBG1(DBG_IKE, "received invalid EAP-MS-CHAPv2 message: "
 			 "auth string missing");
 		goto error;
 	}
-	
+
 	if (!chunk_equals(this->auth_response, auth_string))
 	{
 		DBG1(DBG_IKE, "EAP-MS-CHAPv2 verification failed");
 		goto error;
 	}
-	
+
 	DBG1(DBG_IKE, "EAP-MS-CHAPv2 succeeded: '%s'", sanitize(msg));
-	
+
 	eap = alloca(len);
 	eap->code = EAP_RESPONSE;
 	eap->identifier = this->identifier;
 	eap->length = htons(len);
 	eap->type = EAP_MSCHAPV2;
 	eap->opcode = MSCHAPV2_SUCCESS;
-	
+
 	*out = eap_payload_create_data(chunk_create((void*) eap, len));
 	status = NEED_MORE;
-	
+
 error:
 	chunk_free(&auth_string);
 	free(message);
@@ -807,21 +800,21 @@ static status_t process_peer_failure(private_eap_mschapv2_t *this,
 	char *message, *token, *msg = NULL;
 	int message_len, error, retryable;
 	chunk_t challenge = chunk_empty;
-	
+
 	data = in->get_data(in);
 	eap = (eap_mschapv2_header_t*)data.ptr;
-	
+
 	if (data.len < 3) /* we want at least an error code: E=e */
 	{
 		DBG1(DBG_IKE, "received invalid EAP-MS-CHAPv2 message: too short");
 		return FAILED;
 	}
-	
+
 	message_len = data.len - HEADER_LEN;
 	message = malloc(message_len + 1);
 	memcpy(message, eap->data, message_len);
 	message[message_len] = '\0';
-			
+
 	/* E=eeeeeeeeee R=r C=cccccccccccccccccccccccccccccccc V=vvvvvvvvvv M=<msg> */
 	enumerator = enumerator_create_token(message, " ", " ");
 	while (enumerator->enumerate(enumerator, &token))
@@ -862,28 +855,28 @@ static status_t process_peer_failure(private_eap_mschapv2_t *this,
 		}
 	}
 	enumerator->destroy(enumerator);
-			
+
 	DBG1(DBG_IKE, "EAP-MS-CHAPv2 failed with error %N: '%s'",
 		 mschapv2_error_names, error, sanitize(msg));
-			
+
 	/**
 	 * at this point, if the error is retryable, we MAY retry the authentication
 	 * or MAY send a Change Password packet.
-	 * 
+	 *
 	 * if the error is not retryable (or if we do neither of the above), we
 	 * SHOULD send a Failure Response packet.
 	 * windows clients don't do that, and since windows server 2008 r2 behaves
 	 * pretty odd if we do send a Failure Response, we just don't send one
 	 * either. windows 7 actually sends a delete notify (which, according to the
-	 * logs, results in an error on windows server 2008 r2). 
-	 * 
+	 * logs, results in an error on windows server 2008 r2).
+	 *
 	 * btw, windows server 2008 r2 does not send non-retryable errors for e.g.
 	 * a disabled account but returns the windows error code in a notify payload
 	 * of type 12345.
 	 */
-	
+
 	status = FAILED;
-	
+
 error:
 	chunk_free(&challenge);
 	free(message);
@@ -899,7 +892,7 @@ static status_t process_peer(private_eap_mschapv2_t *this, eap_payload_t *in,
 {
 	chunk_t data;
 	eap_mschapv2_header_t *eap;
-	
+
 	this->identifier = in->get_identifier(in);
 	data = in->get_data(in);
 	if (data.len < SHORT_HEADER_LEN)
@@ -907,9 +900,9 @@ static status_t process_peer(private_eap_mschapv2_t *this, eap_payload_t *in,
 		DBG1(DBG_IKE, "received invalid EAP-MS-CHAPv2 message");
 		return FAILED;
 	}
-	
+
 	eap = (eap_mschapv2_header_t*)data.ptr;
-		
+
 	switch (eap->opcode)
 	{
 		case MSCHAPV2_CHALLENGE:
@@ -945,7 +938,7 @@ static status_t process_server_retry(private_eap_mschapv2_t *this,
 	chunk_t hex;
 	char msg[FAILURE_MESSAGE_LEN];
 	u_int16_t len = HEADER_LEN + FAILURE_MESSAGE_LEN - 1; /* no null byte */
-	
+
 	if (++this->retries > MAX_RETRIES)
 	{
 		/* we MAY send a Failure Request with R=0, but windows 7 does not
@@ -957,9 +950,9 @@ static status_t process_server_retry(private_eap_mschapv2_t *this,
 			 "maximum number of retries reached");
 		return FAILED;
 	}
-	
+
 	DBG1(DBG_IKE, "EAP-MS-CHAPv2 verification failed, retry (%d)", this->retries);
-	
+
 	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
 	if (!rng)
 	{
@@ -968,11 +961,11 @@ static status_t process_server_retry(private_eap_mschapv2_t *this,
 	}
 	rng->get_bytes(rng, CHALLENGE_LEN, this->challenge.ptr);
 	rng->destroy(rng);
-	
+
 	chunk_free(&this->nt_response);
 	chunk_free(&this->auth_response);
 	chunk_free(&this->msk);
-	
+
 	eap = alloca(len);
 	eap->code = EAP_REQUEST;
 	eap->identifier = ++this->identifier;
@@ -981,16 +974,16 @@ static status_t process_server_retry(private_eap_mschapv2_t *this,
 	eap->opcode = MSCHAPV2_FAILURE;
 	eap->ms_chapv2_id = this->mschapv2id++; /* increase for each retry */
 	set_ms_length(eap, len);
-	
+
 	hex = chunk_to_hex(this->challenge, NULL, TRUE);
 	snprintf(msg, FAILURE_MESSAGE_LEN, "%s%s", FAILURE_MESSAGE, hex.ptr);
 	chunk_free(&hex);
 	memcpy(eap->data, msg, FAILURE_MESSAGE_LEN - 1); /* no null byte */
 	*out = eap_payload_create_data(chunk_create((void*) eap, len));
-	
+
 	/* delay the response for some time to make brute-force attacks harder */
 	sleep(RETRY_DELAY);
-	
+
 	return NEED_MORE;
 }
 
@@ -1007,25 +1000,25 @@ static status_t process_server_response(private_eap_mschapv2_t *this,
 	shared_key_t *shared;
 	int name_len;
 	char buf[256];
-	
+
 	data = in->get_data(in);
 	eap = (eap_mschapv2_header_t*)data.ptr;
-	
+
 	if (data.len < RESPONSE_PAYLOAD_LEN)
 	{
 		DBG1(DBG_IKE, "received invalid EAP-MS-CHAPv2 message: too short");
 		return FAILED;
 	}
-	
+
 	res = (eap_mschapv2_response_t*)eap->data;
 	peer_challenge = chunk_create(res->response.peer_challenge, CHALLENGE_LEN);
-	
+
 	name_len = min(data.len - RESPONSE_PAYLOAD_LEN, 255);
 	snprintf(buf, sizeof(buf), "%.*s", name_len, res->name);
 	userid = identification_create_from_string(buf);
 	DBG2(DBG_IKE, "EAP-MS-CHAPv2 username: '%Y'", userid);
 	username = extract_username(userid);
-	
+
 	shared = charon->credentials->get_shared(charon->credentials,
 											 SHARED_EAP, this->server, userid);
 	if (shared == NULL)
@@ -1035,33 +1028,33 @@ static status_t process_server_response(private_eap_mschapv2_t *this,
 		/* FIXME: windows 7 always sends the username that is first entered in
 		 * the username box, even, if the user changes it during retries (probably
 		 * to keep consistent with the EAP-Identity).
-	 	 * thus, we could actually fail here, because retries do not make much
-	 	 * sense. on the other hand, an attacker could guess usernames, if the
-	 	 * error messages were different. */
+		 * thus, we could actually fail here, because retries do not make much
+		 * sense. on the other hand, an attacker could guess usernames, if the
+		 * error messages were different. */
 		userid->destroy(userid);
 		return process_server_retry(this, out);
 	}
-	
+
 	password = ascii_to_unicode(shared->get_key(shared));
 	shared->destroy(shared);
-	
+
 	if (GenerateStuff(this, this->challenge, peer_challenge,
 					  username, password) != SUCCESS)
 	{
-		DBG1(DBG_IKE, "EAP-MS-CHAPv2 verification failed");	
+		DBG1(DBG_IKE, "EAP-MS-CHAPv2 verification failed");
 		userid->destroy(userid);
 		chunk_clear(&password);
 		return FAILED;
 	}
 	userid->destroy(userid);
 	chunk_clear(&password);
-	
+
 	if (memeq(res->response.nt_response, this->nt_response.ptr, this->nt_response.len))
 	{
 		chunk_t hex;
 		char msg[AUTH_RESPONSE_LEN + sizeof(SUCCESS_MESSAGE)];
 		u_int16_t len = HEADER_LEN + AUTH_RESPONSE_LEN + sizeof(SUCCESS_MESSAGE);
-		
+
 		eap = alloca(len);
 		eap->code = EAP_REQUEST;
 		eap->identifier = ++this->identifier;
@@ -1070,7 +1063,7 @@ static status_t process_server_response(private_eap_mschapv2_t *this,
 		eap->opcode = MSCHAPV2_SUCCESS;
 		eap->ms_chapv2_id = this->mschapv2id;
 		set_ms_length(eap, len);
-		
+
 		hex = chunk_to_hex(this->auth_response, NULL, TRUE);
 		snprintf(msg, AUTH_RESPONSE_LEN + sizeof(SUCCESS_MESSAGE),
 					  "S=%s%s", hex.ptr, SUCCESS_MESSAGE);
@@ -1091,23 +1084,23 @@ static status_t process_server(private_eap_mschapv2_t *this, eap_payload_t *in,
 {
 	eap_mschapv2_header_t *eap;
 	chunk_t data;
-	
+
 	if (this->identifier != in->get_identifier(in))
 	{
 		DBG1(DBG_IKE, "received invalid EAP-MS-CHAPv2 message: "
 			 "unexpected identifier");
 		return FAILED;
 	}
-	
+
 	data = in->get_data(in);
 	if (data.len < SHORT_HEADER_LEN)
 	{
 		DBG1(DBG_IKE, "received invalid EAP-MS-CHAPv2 message: too short");
 		return FAILED;
 	}
-	
+
 	eap = (eap_mschapv2_header_t*)data.ptr;
-	
+
 	switch (eap->opcode)
 	{
 		case MSCHAPV2_RESPONSE:
@@ -1159,7 +1152,7 @@ static status_t get_msk(private_eap_mschapv2_t *this, chunk_t *msk)
  */
 static bool is_mutual(private_eap_mschapv2_t *this)
 {
-	return TRUE;
+	return FALSE;
 }
 
 /**
@@ -1182,14 +1175,14 @@ static void destroy(private_eap_mschapv2_t *this)
 static private_eap_mschapv2_t *eap_mschapv2_create_generic(identification_t *server, identification_t *peer)
 {
 	private_eap_mschapv2_t *this = malloc_thing(private_eap_mschapv2_t);
-	
+
 	this->public.eap_method_interface.initiate = NULL;
 	this->public.eap_method_interface.process = NULL;
 	this->public.eap_method_interface.get_type = (eap_type_t(*)(eap_method_t*,u_int32_t*))get_type;
 	this->public.eap_method_interface.is_mutual = (bool(*)(eap_method_t*))is_mutual;
 	this->public.eap_method_interface.get_msk = (status_t(*)(eap_method_t*,chunk_t*))get_msk;
 	this->public.eap_method_interface.destroy = (void(*)(eap_method_t*))destroy;
-	
+
 	/* private data */
 	this->peer = peer->clone(peer);
 	this->server = server->clone(server);
@@ -1200,7 +1193,7 @@ static private_eap_mschapv2_t *eap_mschapv2_create_generic(identification_t *ser
 	this->identifier = 0;
 	this->mschapv2id = 0;
 	this->retries = 0;
-	
+
 	return this;
 }
 
@@ -1210,7 +1203,7 @@ static private_eap_mschapv2_t *eap_mschapv2_create_generic(identification_t *ser
 eap_mschapv2_t *eap_mschapv2_create_server(identification_t *server, identification_t *peer)
 {
 	private_eap_mschapv2_t *this = eap_mschapv2_create_generic(server, peer);
-	
+
 	this->public.eap_method_interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate_server;
 	this->public.eap_method_interface.process = (status_t(*)(eap_method_t*,eap_payload_t*, eap_payload_t**))process_server;
 
@@ -1219,9 +1212,9 @@ eap_mschapv2_t *eap_mschapv2_create_server(identification_t *server, identificat
 	{
 		this->identifier = random();
 	} while (!this->identifier);
-	
+
 	this->mschapv2id = this->identifier;
-	
+
 	return &this->public;
 }
 
@@ -1231,10 +1224,10 @@ eap_mschapv2_t *eap_mschapv2_create_server(identification_t *server, identificat
 eap_mschapv2_t *eap_mschapv2_create_peer(identification_t *server, identification_t *peer)
 {
 	private_eap_mschapv2_t *this = eap_mschapv2_create_generic(server, peer);
-	
+
 	this->public.eap_method_interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate_peer;
 	this->public.eap_method_interface.process = (status_t(*)(eap_method_t*,eap_payload_t*, eap_payload_t**))process_peer;
-	
+
 	return &this->public;
 }
 
diff --git a/src/charon/plugins/eap_mschapv2/eap_mschapv2_plugin.c b/src/charon/plugins/eap_mschapv2/eap_mschapv2_plugin.c
index d0995c477..404cecb20 100644
--- a/src/charon/plugins/eap_mschapv2/eap_mschapv2_plugin.c
+++ b/src/charon/plugins/eap_mschapv2/eap_mschapv2_plugin.c
@@ -37,14 +37,14 @@ static void destroy(eap_mschapv2_plugin_t *this)
 plugin_t *plugin_create()
 {
 	eap_mschapv2_plugin_t *this = malloc_thing(eap_mschapv2_plugin_t);
-	
+
 	this->plugin.destroy = (void(*)(plugin_t*))destroy;
-	
+
 	charon->eap->add_method(charon->eap, EAP_MSCHAPV2, 0, EAP_SERVER,
 							(eap_constructor_t)eap_mschapv2_create_server);
 	charon->eap->add_method(charon->eap, EAP_MSCHAPV2, 0, EAP_PEER,
 							(eap_constructor_t)eap_mschapv2_create_peer);
-	
+
 	return &this->plugin;
 }
 
diff --git a/src/charon/plugins/eap_radius/Makefile.am b/src/charon/plugins/eap_radius/Makefile.am
index df5c94656..e476fbed6 100644
--- a/src/charon/plugins/eap_radius/Makefile.am
+++ b/src/charon/plugins/eap_radius/Makefile.am
@@ -3,12 +3,12 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
 
 AM_CFLAGS = -rdynamic
 
-plugin_LTLIBRARIES = libstrongswan-eapradius.la
+plugin_LTLIBRARIES = libstrongswan-eap-radius.la
 
-libstrongswan_eapradius_la_SOURCES = \
+libstrongswan_eap_radius_la_SOURCES = \
   eap_radius_plugin.h eap_radius_plugin.c \
   eap_radius.h eap_radius.c \
   radius_client.h radius_client.c \
   radius_message.h radius_message.c
-libstrongswan_eapradius_la_LDFLAGS = -module -avoid-version
+libstrongswan_eap_radius_la_LDFLAGS = -module -avoid-version
 
diff --git a/src/charon/plugins/eap_radius/Makefile.in b/src/charon/plugins/eap_radius/Makefile.in
index c30111fad..eb135e750 100644
--- a/src/charon/plugins/eap_radius/Makefile.in
+++ b/src/charon/plugins/eap_radius/Makefile.in
@@ -1,8 +1,9 @@
-# Makefile.in generated by automake 1.10.2 from Makefile.am.
+# Makefile.in generated by automake 1.11 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,8 +17,9 @@
 
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
@@ -35,32 +37,55 @@ host_triplet = @host@
 subdir = src/charon/plugins/eap_radius
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
 CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
 am__vpath_adj = case $$p in \
     $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
     *) f=$$p;; \
   esac;
-am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__installdirs = "$(DESTDIR)$(plugindir)"
-pluginLTLIBRARIES_INSTALL = $(INSTALL)
 LTLIBRARIES = $(plugin_LTLIBRARIES)
-libstrongswan_eapradius_la_LIBADD =
-am_libstrongswan_eapradius_la_OBJECTS = eap_radius_plugin.lo \
+libstrongswan_eap_radius_la_LIBADD =
+am_libstrongswan_eap_radius_la_OBJECTS = eap_radius_plugin.lo \
 	eap_radius.lo radius_client.lo radius_message.lo
-libstrongswan_eapradius_la_OBJECTS =  \
-	$(am_libstrongswan_eapradius_la_OBJECTS)
-libstrongswan_eapradius_la_LINK = $(LIBTOOL) --tag=CC \
+libstrongswan_eap_radius_la_OBJECTS =  \
+	$(am_libstrongswan_eap_radius_la_OBJECTS)
+libstrongswan_eap_radius_la_LINK = $(LIBTOOL) --tag=CC \
 	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
-	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_eapradius_la_LDFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_eap_radius_la_LDFLAGS) \
 	$(LDFLAGS) -o $@
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
+am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
@@ -70,8 +95,8 @@ CCLD = $(CC)
 LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
 	$(LDFLAGS) -o $@
-SOURCES = $(libstrongswan_eapradius_la_SOURCES)
-DIST_SOURCES = $(libstrongswan_eapradius_la_SOURCES)
+SOURCES = $(libstrongswan_eap_radius_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_eap_radius_la_SOURCES)
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -108,25 +133,22 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
-IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
-LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
-LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
-LINUX_HEADERS = @LINUX_HEADERS@
 LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
 NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
@@ -138,11 +160,14 @@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
 PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
+RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
@@ -171,9 +196,9 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
-confdir = @confdir@
 datadir = @datadir@
 datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
@@ -196,7 +221,7 @@ ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
 libstrongswan_plugins = @libstrongswan_plugins@
-linuxdir = @linuxdir@
+linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
@@ -204,6 +229,7 @@ mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
@@ -212,10 +238,12 @@ pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+random_device = @random_device@
 resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
-simreader = @simreader@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
@@ -223,18 +251,19 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
 AM_CFLAGS = -rdynamic
-plugin_LTLIBRARIES = libstrongswan-eapradius.la
-libstrongswan_eapradius_la_SOURCES = \
+plugin_LTLIBRARIES = libstrongswan-eap-radius.la
+libstrongswan_eap_radius_la_SOURCES = \
   eap_radius_plugin.h eap_radius_plugin.c \
   eap_radius.h eap_radius.c \
   radius_client.h radius_client.c \
   radius_message.h radius_message.c
 
-libstrongswan_eapradius_la_LDFLAGS = -module -avoid-version
+libstrongswan_eap_radius_la_LDFLAGS = -module -avoid-version
 all: all-am
 
 .SUFFIXES:
@@ -248,9 +277,9 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/charon/plugins/eap_radius/Makefile'; \
-	cd $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu  src/charon/plugins/eap_radius/Makefile
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/charon/plugins/eap_radius/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/charon/plugins/eap_radius/Makefile
 .PRECIOUS: Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
@@ -268,23 +297,28 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
 	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
 	  if test -f $$p; then \
-	    f=$(am__strip_dir) \
-	    echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(plugindir)/$$f'"; \
-	    $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(plugindir)/$$f"; \
+	    list2="$$list2 $$p"; \
 	  else :; fi; \
-	done
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
 
 uninstall-pluginLTLIBRARIES:
 	@$(NORMAL_UNINSTALL)
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
-	  p=$(am__strip_dir) \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$p'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$p"; \
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
 	done
 
 clean-pluginLTLIBRARIES:
@@ -295,8 +329,8 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-eapradius.la: $(libstrongswan_eapradius_la_OBJECTS) $(libstrongswan_eapradius_la_DEPENDENCIES) 
-	$(libstrongswan_eapradius_la_LINK) -rpath $(plugindir) $(libstrongswan_eapradius_la_OBJECTS) $(libstrongswan_eapradius_la_LIBADD) $(LIBS)
+libstrongswan-eap-radius.la: $(libstrongswan_eap_radius_la_OBJECTS) $(libstrongswan_eap_radius_la_DEPENDENCIES) 
+	$(libstrongswan_eap_radius_la_LINK) -rpath $(plugindir) $(libstrongswan_eap_radius_la_OBJECTS) $(libstrongswan_eap_radius_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -311,21 +345,21 @@ distclean-compile:
 
 .c.o:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c $<
 
 .c.obj:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
 @am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
@@ -348,7 +382,7 @@ tags: TAGS
 
 TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
+	set x; \
 	here=`pwd`; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
@@ -356,29 +390,34 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
 	  test -n "$$unique" || unique=$$empty_fix; \
-	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	    $$tags $$unique; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
 	fi
 ctags: CTAGS
 CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	test -z "$(CTAGS_ARGS)$$unique" \
 	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$tags $$unique
+	     $$unique
 
 GTAGS:
 	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && cd $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) $$here
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
 
 distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
@@ -399,13 +438,17 @@ distdir: $(DISTFILES)
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
 	  if test -d $$d/$$file; then \
 	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
 	    fi; \
-	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
 	  else \
-	    test -f $(distdir)/$$file \
-	    || cp -p $$d/$$file $(distdir)/$$file \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
 	    || exit 1; \
 	  fi; \
 	done
@@ -436,6 +479,7 @@ clean-generic:
 
 distclean-generic:
 	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -457,6 +501,8 @@ dvi-am:
 
 html: html-am
 
+html-am:
+
 info: info-am
 
 info-am:
@@ -465,18 +511,28 @@ install-data-am: install-pluginLTLIBRARIES
 
 install-dvi: install-dvi-am
 
+install-dvi-am:
+
 install-exec-am:
 
 install-html: install-html-am
 
+install-html-am:
+
 install-info: install-info-am
 
+install-info-am:
+
 install-man:
 
 install-pdf: install-pdf-am
 
+install-pdf-am:
+
 install-ps: install-ps-am
 
+install-ps-am:
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -515,6 +571,7 @@ uninstall-am: uninstall-pluginLTLIBRARIES
 	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
 	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
 
+
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/src/charon/plugins/eap_radius/eap_radius.c b/src/charon/plugins/eap_radius/eap_radius.c
index deb3b648b..f041fda54 100644
--- a/src/charon/plugins/eap_radius/eap_radius.c
+++ b/src/charon/plugins/eap_radius/eap_radius.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  */
- 
+
 #include "eap_radius.h"
 
 #include "radius_message.h"
@@ -26,47 +26,47 @@ typedef struct private_eap_radius_t private_eap_radius_t;
  * Private data of an eap_radius_t object.
  */
 struct private_eap_radius_t {
-	
+
 	/**
 	 * Public authenticator_t interface.
 	 */
 	eap_radius_t public;
-	
+
 	/**
 	 * ID of the server
 	 */
 	identification_t *server;
-	
+
 	/**
 	 * ID of the peer
 	 */
 	identification_t *peer;
-	
+
 	/**
 	 * EAP method type we are proxying
 	 */
 	eap_type_t type;
-	
+
 	/**
 	 * EAP vendor, if any
 	 */
 	u_int32_t vendor;
-	
+
 	/**
 	 * EAP MSK, if method established one
 	 */
 	chunk_t msk;
-	
+
 	/**
 	 * RADIUS client instance
 	 */
 	radius_client_t *client;
-	
+
 	/**
 	 * TRUE to use EAP-Start, FALSE to send EAP-Identity Response directly
 	 */
 	bool eap_start;
-	
+
 	/**
 	 * Prefix to prepend to EAP identity
 	 */
@@ -93,11 +93,11 @@ static void add_eap_identity(private_eap_radius_t *this,
 	} __attribute__((__packed__)) *hdr;
 	chunk_t id, prefix;
 	size_t len;
-	
+
 	id = this->peer->get_encoding(this->peer);
 	prefix = chunk_create(this->id_prefix, strlen(this->id_prefix));
 	len = sizeof(*hdr) + prefix.len + id.len;
-	
+
 	hdr = alloca(len);
 	hdr->code = EAP_RESPONSE;
 	hdr->identifier = 0;
@@ -105,7 +105,7 @@ static void add_eap_identity(private_eap_radius_t *this,
 	hdr->type = EAP_IDENTITY;
 	memcpy(hdr->data, prefix.ptr, prefix.len);
 	memcpy(hdr->data + prefix.len, id.ptr, id.len);
-	
+
 	request->add(request, RAT_EAP_MESSAGE, chunk_create((u_char*)hdr, len));
 }
 
@@ -117,22 +117,26 @@ static bool radius2ike(private_eap_radius_t *this,
 {
 	enumerator_t *enumerator;
 	eap_payload_t *payload;
-	chunk_t data;
+	chunk_t data, message = chunk_empty;
 	int type;
-	
+
 	enumerator = msg->create_enumerator(msg);
 	while (enumerator->enumerate(enumerator, &type, &data))
 	{
-		if (type == RAT_EAP_MESSAGE)
+		if (type == RAT_EAP_MESSAGE && data.len)
 		{
-			*out = payload = eap_payload_create_data(data);
-			/* apply EAP method selected by RADIUS server */
-			this->type = payload->get_type(payload, &this->vendor);
-			enumerator->destroy(enumerator);
-			return TRUE;
+			message = chunk_cat("mc", message, data);
 		}
 	}
 	enumerator->destroy(enumerator);
+	if (message.len)
+	{
+		*out = payload = eap_payload_create_data(message);
+		free(message.ptr);
+		/* apply EAP method selected by RADIUS server */
+		this->type = payload->get_type(payload, &this->vendor);
+		return TRUE;
+	}
 	return FALSE;
 }
 
@@ -144,12 +148,12 @@ static status_t initiate(private_eap_radius_t *this, eap_payload_t **out)
 	radius_message_t *request, *response;
 	status_t status = FAILED;
 	chunk_t username;
-	
+
 	request = radius_message_create_request();
 	username = chunk_create(this->id_prefix, strlen(this->id_prefix));
 	username = chunk_cata("cc", username, this->peer->get_encoding(this->peer));
 	request->add(request, RAT_USER_NAME, username);
-	
+
 	if (this->eap_start)
 	{
 		request->add(request, RAT_EAP_MESSAGE, chunk_empty);
@@ -158,7 +162,7 @@ static status_t initiate(private_eap_radius_t *this, eap_payload_t **out)
 	{
 		add_eap_identity(this, request);
 	}
-	
+
 	response = this->client->request(this->client, request);
 	if (response)
 	{
@@ -180,11 +184,19 @@ static status_t process(private_eap_radius_t *this,
 {
 	radius_message_t *request, *response;
 	status_t status = FAILED;
-	
+	chunk_t data;
+
 	request = radius_message_create_request();
 	request->add(request, RAT_USER_NAME, this->peer->get_encoding(this->peer));
-	request->add(request, RAT_EAP_MESSAGE, in->get_data(in));
-	
+	data = in->get_data(in);
+	/* fragment data suitable for RADIUS (not more than 253 bytes) */
+	while (data.len > 253)
+	{
+		request->add(request, RAT_EAP_MESSAGE, chunk_create(data.ptr, 253));
+		data = chunk_skip(data, 253);
+	}
+	request->add(request, RAT_EAP_MESSAGE, data);
+
 	response = this->client->request(this->client, request);
 	if (response)
 	{
@@ -271,14 +283,14 @@ static void destroy(private_eap_radius_t *this)
 eap_radius_t *eap_radius_create(identification_t *server, identification_t *peer)
 {
 	private_eap_radius_t *this = malloc_thing(private_eap_radius_t);
-	
+
 	this->public.eap_method_interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate;
 	this->public.eap_method_interface.process = (status_t(*)(eap_method_t*,eap_payload_t*,eap_payload_t**))process;
 	this->public.eap_method_interface.get_type = (eap_type_t(*)(eap_method_t*,u_int32_t*))get_type;
 	this->public.eap_method_interface.is_mutual = (bool(*)(eap_method_t*))is_mutual;
 	this->public.eap_method_interface.get_msk = (status_t(*)(eap_method_t*,chunk_t*))get_msk;
 	this->public.eap_method_interface.destroy = (void(*)(eap_method_t*))destroy;
-	
+
 	this->client = radius_client_create();
 	if (!this->client)
 	{
@@ -291,10 +303,10 @@ eap_radius_t *eap_radius_create(identification_t *server, identification_t *peer
 	this->type = EAP_RADIUS;
 	this->vendor = 0;
 	this->msk = chunk_empty;
-	this->eap_start = lib->settings->get_bool(lib->settings, 
-								"charon.plugins.eap_radius.eap_start", FALSE);
+	this->eap_start = lib->settings->get_bool(lib->settings,
+								"charon.plugins.eap-radius.eap_start", FALSE);
 	this->id_prefix = lib->settings->get_str(lib->settings,
-								"charon.plugins.eap_radius.id_prefix", "");
+								"charon.plugins.eap-radius.id_prefix", "");
 	return &this->public;
 }
 
diff --git a/src/charon/plugins/eap_radius/eap_radius_plugin.c b/src/charon/plugins/eap_radius/eap_radius_plugin.c
index 7c6a3c9ff..51e6a69c8 100644
--- a/src/charon/plugins/eap_radius/eap_radius_plugin.c
+++ b/src/charon/plugins/eap_radius/eap_radius_plugin.c
@@ -36,19 +36,19 @@ static void destroy(eap_radius_plugin_t *this)
 plugin_t *plugin_create()
 {
 	eap_radius_plugin_t *this;
-	
+
 	if (!radius_client_init())
 	{
 		DBG1(DBG_CFG, "RADIUS plugin initialization failed");
 		return NULL;
 	}
-	
+
 	this = malloc_thing(eap_radius_plugin_t);
 	this->plugin.destroy = (void(*)(plugin_t*))destroy;
-	
+
 	charon->eap->add_method(charon->eap, EAP_RADIUS, 0,
 							EAP_SERVER, (eap_constructor_t)eap_radius_create);
-	
+
 	return &this->plugin;
 }
 
diff --git a/src/charon/plugins/eap_radius/radius_client.c b/src/charon/plugins/eap_radius/radius_client.c
index de1bafc6d..1d1f21742 100644
--- a/src/charon/plugins/eap_radius/radius_client.c
+++ b/src/charon/plugins/eap_radius/radius_client.c
@@ -21,7 +21,8 @@
 #include <daemon.h>
 #include <utils/host.h>
 #include <utils/linked_list.h>
-#include <utils/mutex.h>
+#include <threading/condvar.h>
+#include <threading/mutex.h>
 
 /**
  * Default RADIUS server port, when not configured
@@ -63,12 +64,12 @@ struct entry_t {
  * Private data of an radius_client_t object.
  */
 struct private_radius_client_t {
-	
+
 	/**
 	 * Public radius_client_t interface.
 	 */
 	radius_client_t public;
-	
+
 	/**
 	 * RADIUS servers State attribute
 	 */
@@ -106,7 +107,7 @@ static chunk_t nas_identifier;
 void radius_client_cleanup()
 {
 	entry_t *entry;
-	
+
 	mutex->destroy(mutex);
 	condvar->destroy(condvar);
 	while (sockets->remove_last(sockets, (void**)&entry) == SUCCESS)
@@ -130,13 +131,13 @@ bool radius_client_init()
 	entry_t *entry;
 	host_t *host;
 	char *server;
-	
+
 	nas_identifier.ptr = lib->settings->get_str(lib->settings,
-					"charon.plugins.eap_radius.nas_identifier", "strongSwan");
+					"charon.plugins.eap-radius.nas_identifier", "strongSwan");
 	nas_identifier.len = strlen(nas_identifier.ptr);
-	
+
 	secret.ptr = lib->settings->get_str(lib->settings,
-					"charon.plugins.eap_radius.secret", NULL);
+					"charon.plugins.eap-radius.secret", NULL);
 	if (!secret.ptr)
 	{
 		DBG1(DBG_CFG, "no RADUIS secret defined");
@@ -144,22 +145,22 @@ bool radius_client_init()
 	}
 	secret.len = strlen(secret.ptr);
 	server = lib->settings->get_str(lib->settings,
-					"charon.plugins.eap_radius.server", NULL);
+					"charon.plugins.eap-radius.server", NULL);
 	if (!server)
 	{
 		DBG1(DBG_CFG, "no RADUIS server defined");
 		return FALSE;
 	}
 	port = lib->settings->get_int(lib->settings,
-					"charon.plugins.eap_radius.port", RADIUS_PORT);
+					"charon.plugins.eap-radius.port", RADIUS_PORT);
 	host = host_create_from_dns(server, 0, port);
 	if (!host)
 	{
 		return FALSE;
 	}
 	count = lib->settings->get_int(lib->settings,
-					"charon.plugins.eap_radius.sockets", 1);
-	
+					"charon.plugins.eap-radius.sockets", 1);
+
 	sockets = linked_list_create();
 	mutex = mutex_create(MUTEX_TYPE_DEFAULT);
 	condvar = condvar_create(CONDVAR_TYPE_DEFAULT);
@@ -214,7 +215,7 @@ bool radius_client_init()
 static entry_t* get_socket()
 {
 	entry_t *entry;
-	
+
 	mutex->lock(mutex);
 	while (sockets->remove_first(sockets, (void**)&entry) != SUCCESS)
 	{
@@ -243,7 +244,7 @@ static void save_state(private_radius_client_t *this, radius_message_t *msg)
 	enumerator_t *enumerator;
 	int type;
 	chunk_t data;
-	
+
 	enumerator = msg->create_enumerator(msg);
 	while (enumerator->enumerate(enumerator, &type, &data))
 	{
@@ -270,9 +271,9 @@ static radius_message_t* request(private_radius_client_t *this,
 	entry_t *socket;
 	chunk_t data;
 	int i;
-	
+
 	socket = get_socket();
-	
+
 	/* set Message Identifier */
 	req->set_identifier(req, socket->identifier++);
 	/* we add the "Virtual" NAS-Port-Type, as we SHOULD include one */
@@ -286,7 +287,7 @@ static radius_message_t* request(private_radius_client_t *this,
 	}
 	/* sign the request */
 	req->sign(req, socket->rng, socket->signer);
-	
+
 	data = req->get_encoding(req);
 	/* timeout after 2, 3, 4, 5 seconds */
 	for (i = 2; i <= 5; i++)
@@ -294,10 +295,10 @@ static radius_message_t* request(private_radius_client_t *this,
 		radius_message_t *response;
 		bool retransmit = FALSE;
 		struct timeval tv;
-		char buf[1024];
+		char buf[4096];
 		fd_set fds;
 		int res;
-		
+
 		if (send(socket->fd, data.ptr, data.len, 0) != data.len)
 		{
 			DBG1(DBG_CFG, "sending RADIUS message failed: %s", strerror(errno));
@@ -306,7 +307,7 @@ static radius_message_t* request(private_radius_client_t *this,
 		}
 		tv.tv_sec = i;
 		tv.tv_usec = 0;
-		
+
 		while (TRUE)
 		{
 			FD_ZERO(&fds);
@@ -334,7 +335,7 @@ static radius_message_t* request(private_radius_client_t *this,
 			}
 			response = radius_message_parse_response(chunk_create(buf, res));
 			if (response)
-			{	
+			{
 				if (response->verify(response, req->get_authenticator(req),
 							secret, socket->hasher, socket->signer))
 				{
@@ -366,7 +367,7 @@ static chunk_t decrypt_mppe_key(private_radius_client_t *this, u_int16_t salt,
 	chunk_t A, R, P, seed;
 	u_char *c, *p;
 	hasher_t *hasher;
-	
+
 	/**
 	 * From RFC2548 (encryption):
 	 * b(1) = MD5(S + R + A)    c(1) = p(1) xor b(1)   C = c(1)
@@ -374,42 +375,42 @@ static chunk_t decrypt_mppe_key(private_radius_client_t *this, u_int16_t salt,
 	 *      . . .
 	 * b(i) = MD5(S + c(i-1))   c(i) = p(i) xor b(i)   C = C + c(i)
 	 */
-	
+
 	if (C.len % HASH_SIZE_MD5 || C.len < HASH_SIZE_MD5)
 	{
 		return chunk_empty;
 	}
-	
+
 	hasher = lib->crypto->create_hasher(lib->crypto, HASH_MD5);
 	if (!hasher)
 	{
 		return chunk_empty;
 	}
-	
+
 	A = chunk_create((u_char*)&salt, sizeof(salt));
 	R = chunk_create(request->get_authenticator(request), HASH_SIZE_MD5);
 	P = chunk_alloca(C.len);
 	p = P.ptr;
 	c = C.ptr;
-	
+
 	seed = chunk_cata("cc", R, A);
-	
+
 	while (c < C.ptr + C.len)
 	{
 		/* b(i) = MD5(S + c(i-1)) */
 		hasher->get_hash(hasher, secret, NULL);
 		hasher->get_hash(hasher, seed, p);
-		
+
 		/* p(i) = b(i) xor c(1) */
 		memxor(p, c, HASH_SIZE_MD5);
-		
+
 		/* prepare next round */
 		seed = chunk_create(c, HASH_SIZE_MD5);
 		c += HASH_SIZE_MD5;
 		p += HASH_SIZE_MD5;
 	}
 	hasher->destroy(hasher);
-	
+
 	/* remove truncation, first byte is key length */
 	if (*P.ptr >= P.len)
 	{	/* decryption failed? */
@@ -434,7 +435,7 @@ static chunk_t decrypt_msk(private_radius_client_t *this,
 	enumerator_t *enumerator;
 	chunk_t data, send = chunk_empty, recv = chunk_empty;
 	int type;
-	
+
 	enumerator = response->create_enumerator(response);
 	while (enumerator->enumerate(enumerator, &type, &data))
 	{
@@ -482,13 +483,13 @@ static void destroy(private_radius_client_t *this)
 radius_client_t *radius_client_create()
 {
 	private_radius_client_t *this = malloc_thing(private_radius_client_t);
-	
+
 	this->public.request = (radius_message_t*(*)(radius_client_t*, radius_message_t *msg))request;
 	this->public.decrypt_msk = (chunk_t(*)(radius_client_t*, radius_message_t *, radius_message_t *))decrypt_msk;
 	this->public.destroy = (void(*)(radius_client_t*))destroy;
-	
+
 	this->state = chunk_empty;
-	
+
 	return &this->public;
 }
 
diff --git a/src/charon/plugins/eap_radius/radius_client.h b/src/charon/plugins/eap_radius/radius_client.h
index 889861a16..77ba94807 100644
--- a/src/charon/plugins/eap_radius/radius_client.h
+++ b/src/charon/plugins/eap_radius/radius_client.h
@@ -33,11 +33,11 @@ typedef struct radius_client_t radius_client_t;
  * a socket during request() and releases it afterwards.
  */
 struct radius_client_t {
-	
+
 	/**
 	 * Send a RADIUS request and wait for the response.
 	 *
-	 * The client fills in RADIUS Message identifier, NAS-Identifier, 
+	 * The client fills in RADIUS Message identifier, NAS-Identifier,
 	 * NAS-Port-Type, builds a Request-Authenticator and calculates the
 	 * Message-Authenticator attribute.
 	 * The received response gets verified using the Response-Identifier
@@ -47,7 +47,7 @@ struct radius_client_t {
 	 * @return				response, NULL if timed out/verification failed
 	 */
 	radius_message_t* (*request)(radius_client_t *this, radius_message_t *msg);
-	
+
 	/**
 	 * Decrypt the MSK encoded in a messages MS-MPPE-Send/Recv-Key.
 	 *
@@ -57,7 +57,7 @@ struct radius_client_t {
 	 */
 	chunk_t (*decrypt_msk)(radius_client_t *this, radius_message_t *response,
 						   radius_message_t *request);
-	
+
 	/**
 	 * Destroy the client, release the socket.
 	 */
diff --git a/src/charon/plugins/eap_radius/radius_message.c b/src/charon/plugins/eap_radius/radius_message.c
index 59a639f31..11a1d8dfc 100644
--- a/src/charon/plugins/eap_radius/radius_message.c
+++ b/src/charon/plugins/eap_radius/radius_message.c
@@ -54,12 +54,12 @@ struct rattr_t {
  * Private data of an radius_message_t object.
  */
 struct private_radius_message_t {
-	
+
 	/**
 	 * Public radius_message_t interface.
 	 */
 	radius_message_t public;
-	
+
 	/**
 	 * message data, allocated
 	 */
@@ -247,12 +247,12 @@ static bool attribute_enumerate(attribute_enumerator_t *this,
 static enumerator_t* create_enumerator(private_radius_message_t *this)
 {
 	attribute_enumerator_t *e;
-	
+
 	if (ntohs(this->msg->length) < sizeof(rmsg_t) + sizeof(rattr_t))
 	{
 		return enumerator_create_empty();
 	}
-	
+
 	e = malloc_thing(attribute_enumerator_t);
 	e->public.enumerate = (void*)attribute_enumerate;
 	e->public.destroy = (void*)free;
@@ -268,7 +268,8 @@ static void add(private_radius_message_t *this, radius_attribute_type_t type,
 				chunk_t data)
 {
 	rattr_t *attribute;
-	
+
+	data.len = min(data.len, 253);
 	this->msg = realloc(this->msg,
 						ntohs(this->msg->length) + sizeof(rattr_t) + data.len);
 	attribute = ((void*)this->msg) + ntohs(this->msg->length);
@@ -284,10 +285,10 @@ static void add(private_radius_message_t *this, radius_attribute_type_t type,
 static void sign(private_radius_message_t *this, rng_t *rng, signer_t *signer)
 {
 	char buf[HASH_SIZE_MD5];
-	
+
 	/* build Request-Authenticator */
 	rng->get_bytes(rng, HASH_SIZE_MD5, this->msg->authenticator);
-	
+
 	/* build Message-Authenticator attribute, using 16 null bytes */
 	memset(buf, 0, sizeof(buf));
 	add(this, RAT_MESSAGE_AUTHENTICATOR, chunk_create(buf, sizeof(buf)));
@@ -307,12 +308,12 @@ static bool verify(private_radius_message_t *this, u_int8_t *req_auth,
 	int type;
 	chunk_t data, msg;
 	bool has_eap = FALSE, has_auth = FALSE;
-	
+
 	/* replace Response by Request Authenticator for verification */
 	memcpy(res_auth, this->msg->authenticator, HASH_SIZE_MD5);
 	memcpy(this->msg->authenticator, req_auth, HASH_SIZE_MD5);
 	msg = chunk_create((u_char*)this->msg, ntohs(this->msg->length));
-	
+
 	/* verify Response-Authenticator */
 	hasher->get_hash(hasher, msg, NULL);
 	hasher->get_hash(hasher, secret, buf);
@@ -321,7 +322,7 @@ static bool verify(private_radius_message_t *this, u_int8_t *req_auth,
 		DBG1(DBG_CFG, "RADIUS Response-Authenticator verification failed");
 		return FALSE;
 	}
-	
+
 	/* verify Message-Authenticator attribute */
 	enumerator = create_enumerator(this);
 	while (enumerator->enumerate(enumerator, &type, &data))
@@ -359,7 +360,7 @@ static bool verify(private_radius_message_t *this, u_int8_t *req_auth,
 	enumerator->destroy(enumerator);
 	/* restore Response-Authenticator */
 	memcpy(this->msg->authenticator, res_auth, HASH_SIZE_MD5);
-	
+
 	if (has_eap && !has_auth)
 	{	/* Message-Authenticator is required if we have an EAP-Message */
 		DBG1(DBG_CFG, "RADIUS Message-Authenticator attribute missing");
@@ -424,7 +425,7 @@ static void destroy(private_radius_message_t *this)
 static private_radius_message_t *radius_message_create()
 {
 	private_radius_message_t *this = malloc_thing(private_radius_message_t);
-	
+
 	this->public.create_enumerator = (enumerator_t*(*)(radius_message_t*))create_enumerator;
 	this->public.add = (void(*)(radius_message_t*, radius_attribute_type_t,chunk_t))add;
 	this->public.get_code = (radius_message_code_t(*)(radius_message_t*))get_code;
@@ -435,7 +436,7 @@ static private_radius_message_t *radius_message_create()
 	this->public.sign = (void(*)(radius_message_t*, rng_t *rng, signer_t *signer))sign;
 	this->public.verify = (bool(*)(radius_message_t*, u_int8_t *req_auth, chunk_t secret, hasher_t *hasher, signer_t *signer))verify;
 	this->public.destroy = (void(*)(radius_message_t*))destroy;
-	
+
 	return this;
 }
 
@@ -445,12 +446,12 @@ static private_radius_message_t *radius_message_create()
 radius_message_t *radius_message_create_request()
 {
 	private_radius_message_t *this = radius_message_create();
-	
+
 	this->msg = malloc_thing(rmsg_t);
 	this->msg->code = RMC_ACCESS_REQUEST;
 	this->msg->identifier = 0;
 	this->msg->length = htons(sizeof(rmsg_t));
-	
+
 	return &this->public;
 }
 
@@ -460,7 +461,7 @@ radius_message_t *radius_message_create_request()
 radius_message_t *radius_message_parse_response(chunk_t data)
 {
 	private_radius_message_t *this = radius_message_create();
-	
+
 	this->msg = malloc(data.len);
 	memcpy(this->msg, data.ptr, data.len);
 	if (data.len < sizeof(rmsg_t) ||
diff --git a/src/charon/plugins/eap_radius/radius_message.h b/src/charon/plugins/eap_radius/radius_message.h
index d4eec8590..266839d3b 100644
--- a/src/charon/plugins/eap_radius/radius_message.h
+++ b/src/charon/plugins/eap_radius/radius_message.h
@@ -181,14 +181,14 @@ extern enum_name_t *radius_attribute_type_names;
  * A RADIUS message, contains attributes.
  */
 struct radius_message_t {
-	
+
 	/**
 	 * Create an enumerator over contained RADIUS attributes.
 	 *
 	 * @return				enumerator over (int type, chunk_t data)
 	 */
 	enumerator_t* (*create_enumerator)(radius_message_t *this);
-	
+
 	/**
 	 * Add a RADIUS attribute to the message.
 	 *
@@ -197,42 +197,42 @@ struct radius_message_t {
 	 */
 	void (*add)(radius_message_t *this, radius_attribute_type_t type,
 				chunk_t data);
-	
+
 	/**
 	 * Get the message type (code).
 	 *
 	 * @return				message code
 	 */
 	radius_message_code_t (*get_code)(radius_message_t *this);
-	
+
 	/**
 	 * Get the message identifier.
 	 *
 	 * @return				message identifier
 	 */
 	u_int8_t (*get_identifier)(radius_message_t *this);
-	
+
 	/**
 	 * Set the message identifier.
 	 *
 	 * @param identifier	message identifier
 	 */
 	void (*set_identifier)(radius_message_t *this, u_int8_t identifier);
-	
+
 	/**
 	 * Get the 16 byte authenticator.
 	 *
 	 * @return				pointer to the Authenticator field
 	 */
 	u_int8_t* (*get_authenticator)(radius_message_t *this);
-	
+
 	/**
 	 * Get the RADIUS message in its encoded form.
 	 *
 	 * @return				chunk pointing to internal RADIUS message.
 	 */
 	chunk_t (*get_encoding)(radius_message_t *this);
-	
+
 	/**
 	 * Calculate and add the Message-Authenticator attribute to the message.
 	 *
@@ -240,7 +240,7 @@ struct radius_message_t {
 	 * @param signer		HMAC-MD5 signer with secret set
 	 */
 	void (*sign)(radius_message_t *this, rng_t *rng, signer_t *signer);
-	
+
 	/**
 	 * Verify the integrity of a received RADIUS response.
 	 *
@@ -251,7 +251,7 @@ struct radius_message_t {
 	 */
 	bool (*verify)(radius_message_t *this, u_int8_t *req_auth, chunk_t secret,
 				   hasher_t *hasher, signer_t *signer);
-	
+
 	/**
 	 * Destroy the message.
 	 */
diff --git a/src/charon/plugins/eap_sim/Makefile.am b/src/charon/plugins/eap_sim/Makefile.am
index e503bddab..74b9bb4e8 100644
--- a/src/charon/plugins/eap_sim/Makefile.am
+++ b/src/charon/plugins/eap_sim/Makefile.am
@@ -1,11 +1,14 @@
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon \
+  -I$(top_srcdir)/src/libsimaka
 
-AM_CFLAGS = -rdynamic -DIPSEC_CONFDIR=\"${confdir}\" -DSIM_READER_LIB=\"${simreader}\"
+AM_CFLAGS = -rdynamic
 
-plugin_LTLIBRARIES = libstrongswan-eapsim.la
+plugin_LTLIBRARIES = libstrongswan-eap-sim.la
 
-libstrongswan_eapsim_la_SOURCES = eap_sim.h eap_sim.c \
-  eap_sim_plugin.h eap_sim_plugin.c
-libstrongswan_eapsim_la_LDFLAGS = -module -avoid-version
+libstrongswan_eap_sim_la_SOURCES = eap_sim_plugin.h eap_sim_plugin.c \
+  eap_sim_peer.h eap_sim_peer.c \
+  eap_sim_server.h eap_sim_server.c
+libstrongswan_eap_sim_la_LIBADD = $(top_builddir)/src/libsimaka/libsimaka.la
+libstrongswan_eap_sim_la_LDFLAGS = -module -avoid-version
 
diff --git a/src/charon/plugins/eap_sim/Makefile.in b/src/charon/plugins/eap_sim/Makefile.in
index 8f6daacad..d9b568a42 100644
--- a/src/charon/plugins/eap_sim/Makefile.in
+++ b/src/charon/plugins/eap_sim/Makefile.in
@@ -1,8 +1,9 @@
-# Makefile.in generated by automake 1.10.2 from Makefile.am.
+# Makefile.in generated by automake 1.11 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,8 +17,9 @@
 
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
@@ -35,30 +37,55 @@ host_triplet = @host@
 subdir = src/charon/plugins/eap_sim
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
 CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
 am__vpath_adj = case $$p in \
     $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
     *) f=$$p;; \
   esac;
-am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__installdirs = "$(DESTDIR)$(plugindir)"
-pluginLTLIBRARIES_INSTALL = $(INSTALL)
 LTLIBRARIES = $(plugin_LTLIBRARIES)
-libstrongswan_eapsim_la_LIBADD =
-am_libstrongswan_eapsim_la_OBJECTS = eap_sim.lo eap_sim_plugin.lo
-libstrongswan_eapsim_la_OBJECTS =  \
-	$(am_libstrongswan_eapsim_la_OBJECTS)
-libstrongswan_eapsim_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+libstrongswan_eap_sim_la_DEPENDENCIES =  \
+	$(top_builddir)/src/libsimaka/libsimaka.la
+am_libstrongswan_eap_sim_la_OBJECTS = eap_sim_plugin.lo \
+	eap_sim_peer.lo eap_sim_server.lo
+libstrongswan_eap_sim_la_OBJECTS =  \
+	$(am_libstrongswan_eap_sim_la_OBJECTS)
+libstrongswan_eap_sim_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
 	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_eapsim_la_LDFLAGS) $(LDFLAGS) -o $@
+	$(libstrongswan_eap_sim_la_LDFLAGS) $(LDFLAGS) -o $@
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
+am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
@@ -68,8 +95,8 @@ CCLD = $(CC)
 LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
 	$(LDFLAGS) -o $@
-SOURCES = $(libstrongswan_eapsim_la_SOURCES)
-DIST_SOURCES = $(libstrongswan_eapsim_la_SOURCES)
+SOURCES = $(libstrongswan_eap_sim_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_eap_sim_la_SOURCES)
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -106,25 +133,22 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
-IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
-LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
-LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
-LINUX_HEADERS = @LINUX_HEADERS@
 LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
 NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
@@ -136,11 +160,14 @@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
 PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
+RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
@@ -169,9 +196,9 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
-confdir = @confdir@
 datadir = @datadir@
 datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
@@ -194,7 +221,7 @@ ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
 libstrongswan_plugins = @libstrongswan_plugins@
-linuxdir = @linuxdir@
+linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
@@ -202,6 +229,7 @@ mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
@@ -210,10 +238,12 @@ pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+random_device = @random_device@
 resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
-simreader = @simreader@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
@@ -221,15 +251,20 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
-AM_CFLAGS = -rdynamic -DIPSEC_CONFDIR=\"${confdir}\" -DSIM_READER_LIB=\"${simreader}\"
-plugin_LTLIBRARIES = libstrongswan-eapsim.la
-libstrongswan_eapsim_la_SOURCES = eap_sim.h eap_sim.c \
-  eap_sim_plugin.h eap_sim_plugin.c
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon \
+  -I$(top_srcdir)/src/libsimaka
+
+AM_CFLAGS = -rdynamic
+plugin_LTLIBRARIES = libstrongswan-eap-sim.la
+libstrongswan_eap_sim_la_SOURCES = eap_sim_plugin.h eap_sim_plugin.c \
+  eap_sim_peer.h eap_sim_peer.c \
+  eap_sim_server.h eap_sim_server.c
 
-libstrongswan_eapsim_la_LDFLAGS = -module -avoid-version
+libstrongswan_eap_sim_la_LIBADD = $(top_builddir)/src/libsimaka/libsimaka.la
+libstrongswan_eap_sim_la_LDFLAGS = -module -avoid-version
 all: all-am
 
 .SUFFIXES:
@@ -243,9 +278,9 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/charon/plugins/eap_sim/Makefile'; \
-	cd $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu  src/charon/plugins/eap_sim/Makefile
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/charon/plugins/eap_sim/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/charon/plugins/eap_sim/Makefile
 .PRECIOUS: Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
@@ -263,23 +298,28 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
 	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
 	  if test -f $$p; then \
-	    f=$(am__strip_dir) \
-	    echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(plugindir)/$$f'"; \
-	    $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(plugindir)/$$f"; \
+	    list2="$$list2 $$p"; \
 	  else :; fi; \
-	done
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
 
 uninstall-pluginLTLIBRARIES:
 	@$(NORMAL_UNINSTALL)
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
-	  p=$(am__strip_dir) \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$p'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$p"; \
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
 	done
 
 clean-pluginLTLIBRARIES:
@@ -290,8 +330,8 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-eapsim.la: $(libstrongswan_eapsim_la_OBJECTS) $(libstrongswan_eapsim_la_DEPENDENCIES) 
-	$(libstrongswan_eapsim_la_LINK) -rpath $(plugindir) $(libstrongswan_eapsim_la_OBJECTS) $(libstrongswan_eapsim_la_LIBADD) $(LIBS)
+libstrongswan-eap-sim.la: $(libstrongswan_eap_sim_la_OBJECTS) $(libstrongswan_eap_sim_la_DEPENDENCIES) 
+	$(libstrongswan_eap_sim_la_LINK) -rpath $(plugindir) $(libstrongswan_eap_sim_la_OBJECTS) $(libstrongswan_eap_sim_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -299,26 +339,27 @@ mostlyclean-compile:
 distclean-compile:
 	-rm -f *.tab.c
 
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_sim.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_sim_peer.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_sim_plugin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_sim_server.Plo@am__quote@
 
 .c.o:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c $<
 
 .c.obj:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
 @am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
@@ -341,7 +382,7 @@ tags: TAGS
 
 TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
+	set x; \
 	here=`pwd`; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
@@ -349,29 +390,34 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
 	  test -n "$$unique" || unique=$$empty_fix; \
-	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	    $$tags $$unique; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
 	fi
 ctags: CTAGS
 CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	test -z "$(CTAGS_ARGS)$$unique" \
 	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$tags $$unique
+	     $$unique
 
 GTAGS:
 	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && cd $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) $$here
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
 
 distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
@@ -392,13 +438,17 @@ distdir: $(DISTFILES)
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
 	  if test -d $$d/$$file; then \
 	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
 	    fi; \
-	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
 	  else \
-	    test -f $(distdir)/$$file \
-	    || cp -p $$d/$$file $(distdir)/$$file \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
 	    || exit 1; \
 	  fi; \
 	done
@@ -429,6 +479,7 @@ clean-generic:
 
 distclean-generic:
 	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -450,6 +501,8 @@ dvi-am:
 
 html: html-am
 
+html-am:
+
 info: info-am
 
 info-am:
@@ -458,18 +511,28 @@ install-data-am: install-pluginLTLIBRARIES
 
 install-dvi: install-dvi-am
 
+install-dvi-am:
+
 install-exec-am:
 
 install-html: install-html-am
 
+install-html-am:
+
 install-info: install-info-am
 
+install-info-am:
+
 install-man:
 
 install-pdf: install-pdf-am
 
+install-pdf-am:
+
 install-ps: install-ps-am
 
+install-ps-am:
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -508,6 +571,7 @@ uninstall-am: uninstall-pluginLTLIBRARIES
 	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
 	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
 
+
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/src/charon/plugins/eap_sim/eap_sim.c b/src/charon/plugins/eap_sim/eap_sim.c
deleted file mode 100644
index 2dd6e534b..000000000
--- a/src/charon/plugins/eap_sim/eap_sim.c
+++ /dev/null
@@ -1,1149 +0,0 @@
-/*
- * Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "eap_sim.h"
-
-#include <dlfcn.h>
-
-#include <daemon.h>
-#include <library.h>
-
-#define MAX_TRIES 3
-
-/* number of triplets for one authentication */
-#define TRIPLET_COUNT 3
-
-typedef enum sim_subtype_t sim_subtype_t;
-
-/**
- * Subtypes of SIM messages
- */
-enum sim_subtype_t {
-	SIM_START = 10,
-	SIM_CHALLENGE = 11,
-	SIM_NOTIFICATION = 12,
-	SIM_CLIENT_ERROR = 14,
-};
-
-ENUM(sim_subtype_names, SIM_START, SIM_CLIENT_ERROR,
-	"SIM_START",
-	"SIM_CHALLENGE",
-	"SIM_NOTIFICATION",
-	"SIM_13",
-	"SIM_CLIENT_ERROR",
-);
-
-typedef enum sim_attribute_t sim_attribute_t;
-
-/**
- * Attributes in SIM messages
- */
-enum sim_attribute_t {
-	/** defines the end of attribute list */
-	AT_END = -1,
-	AT_RAND = 1,
-	AT_AUTN = 2,
-	AT_RES = 3,
-	AT_AUTS = 4,
-	AT_PADDING = 6,
-	AT_NONCE_MT = 7,
-	AT_PERMANENT_ID_REQ = 10,
-	AT_MAC = 11,
-	AT_NOTIFICATION = 12,
-	AT_ANY_ID_REQ = 13,
-	AT_IDENTITY = 14,
-	AT_VERSION_LIST = 15,
-	AT_SELECTED_VERSION = 16,
-	AT_FULLAUTH_ID_REQ = 17,
-	AT_COUNTER = 19,
-	AT_COUNTER_TOO_SMALL = 20,
-	AT_NONCE_S = 21,
-	AT_CLIENT_ERROR_CODE = 22,
-	AT_IV = 129,
-	AT_ENCR_DATA = 130,
-	AT_NEXT_PSEUDONYM = 132,
-	AT_NEXT_REAUTH_ID = 133,
-	AT_CHECKCODE = 134,
-	AT_RESULT_IND = 135,
-};
-
-ENUM_BEGIN(sim_attribute_names, AT_END, AT_CLIENT_ERROR_CODE,
-	"AT_END",
-	"AT_0",
-	"AT_RAND",
-	"AT_AUTN",
-	"AT_RES",
-	"AT_AUTS",
-	"AT_5",
-	"AT_PADDING",
-	"AT_NONCE_MT",
-	"AT_8",
-	"AT_9",
-	"AT_PERMANENT_ID_REQ",
-	"AT_MAC",
-	"AT_NOTIFICATION",
-	"AT_ANY_ID_REQ",
-	"AT_IDENTITY",
-	"AT_VERSION_LIST",
-	"AT_SELECTED_VERSION",
-	"AT_FULLAUTH_ID_REQ",
-	"AT_18",
-	"AT_COUNTER",
-	"AT_COUNTER_TOO_SMALL",
-	"AT_NONCE_S",
-	"AT_CLIENT_ERROR_CODE");
-ENUM_NEXT(sim_attribute_names, AT_IV, AT_RESULT_IND, AT_CLIENT_ERROR_CODE,
-	"AT_IV",
-	"AT_ENCR_DATA",
-	"AT_131",
-	"AT_NEXT_PSEUDONYM",
-	"AT_NEXT_REAUTH_ID",
-	"AT_CHECKCODE",
-	"AT_RESULT_IND");
-ENUM_END(sim_attribute_names, AT_RESULT_IND);
-
-
-typedef struct private_eap_sim_t private_eap_sim_t;
-
-/**
- * Private data of an eap_sim_t object.
- */
-struct private_eap_sim_t {
-	
-	/**
-	 * Public authenticator_t interface.
-	 */
-	eap_sim_t public;
-	
-	/**
-	 * ID of ourself
-	 */
-	identification_t *peer;
-	
-	/**
-	 * hashing function
-	 */
-	hasher_t *hasher;
-	
-	/**
-	 * prf
-	 */
-	prf_t *prf;
-	
-	/**
-	 * MAC function
-	 */
-	signer_t *signer;
-	
-	/**
-	 * how many times we try to authenticate
-	 */
-	int tries;
-	
-	/**
-	 * unique EAP identifier
-	 */
-	u_int8_t identifier;
-	
-	/**
-	 * EAP message type this role sends
-	 */
-	u_int8_t type;
-	
-	/**
-	 * version this implementation uses
-	 */
-	chunk_t version;
-	
-	/**
-	 * version list received from server
-	 */
-	chunk_t version_list;
-	
-	/**
-	 * Nonce value used in AT_NONCE_MT
-	 */
-	chunk_t nonce;
-	
-	/**
-	 * concatenated SRES values
-	 */
-	chunk_t sreses;
-	
-	/**
-	 * k_encr key derived from MK
-	 */
-	chunk_t k_encr;
-	
-	/**
-	 * k_auth key derived from MK, used for AT_MAC verification
-	 */
-	chunk_t k_auth;
-	
-	/**
-	 * MSK, used for EAP-SIM based IKEv2 authentication
-	 */
-	chunk_t msk;
-	
-	/**
-	 * EMSK, extended MSK for further uses
-	 */
-	chunk_t emsk;
-};
-
-/** length of the AT_NONCE_MT nonce value */
-#define NONCE_LEN 16
-/** length of the AT_MAC value */
-#define MAC_LEN 16
-/** length of the AT_RAND value */
-#define RAND_LEN 16
-/** length of Kc */
-#define KC_LEN 8
-/** length of SRES */
-#define SRES_LEN 4
-/** length of the k_encr key */
-#define KENCR_LEN 16
-/** length of the k_auth key */
-#define KAUTH_LEN 16
-/** length of the MSK */
-#define MSK_LEN 64
-/** length of the EMSK */
-#define EMSK_LEN 64
-
-static char version[] = {0x00,0x01};
-/* client error codes used in AT_CLIENT_ERROR_CODE */
-char client_error_general_buf[] = {0x00, 0x01};
-char client_error_unsupported_buf[] = {0x00, 0x02};
-char client_error_insufficient_buf[] = {0x00, 0x03};
-char client_error_notfresh_buf[] = {0x00, 0x04};
-chunk_t client_error_general = chunk_from_buf(client_error_general_buf);
-chunk_t client_error_unsupported = chunk_from_buf(client_error_unsupported_buf);
-chunk_t client_error_insufficient = chunk_from_buf(client_error_insufficient_buf);
-chunk_t client_error_notfresh = chunk_from_buf(client_error_notfresh_buf);
-
-/**
- * Read EAP and EAP-SIM header, return SIM type
- */
-static sim_subtype_t read_header(chunk_t *message)
-{
-	sim_subtype_t type;
-
-	if (message->len < 8)
-	{
-		*message = chunk_empty;
-		return 0;
-	}
-	type = *(message->ptr + 5);
-	*message = chunk_skip(*message, 8);
-	return type;
-}
-
-/**
- * read the next attribute from the chunk data
- */
-static sim_attribute_t read_attribute(chunk_t *message, chunk_t *data)
-{
-	sim_attribute_t attribute;
-	size_t length;
-	
-	DBG3(DBG_IKE, "reading attribute from %B", message);
-	
-	if (message->len < 2)
-	{
-		return AT_END;
-	}
-	attribute = *message->ptr++;
-	length = *message->ptr++ * 4 - 2;
-	message->len -= 2;
-	DBG3(DBG_IKE, "found attribute %N with length %d",
-		 sim_attribute_names, attribute, length);
-
-	if (length > message->len)
-	{
-		return AT_END;
-	}
-	data->len = length;
-	data->ptr = message->ptr;
-	*message = chunk_skip(*message, length);
-	return attribute;
-}
-
-/**
- * Build an EAP-SIM payload using a variable length attribute list.
- * The variable argument takes a sim_attribute_t followed by its data in a chunk.
- */
-static eap_payload_t *build_payload(private_eap_sim_t *this, u_int8_t identifier,
-									sim_subtype_t type, ...)
-{
-	chunk_t message = chunk_alloca(512);
-	chunk_t pos = message;
-	eap_payload_t *payload;
-	va_list args;
-	sim_attribute_t attr;
-	u_int8_t *mac_pos = NULL;
-	chunk_t mac_data = chunk_empty;
-	
-	/* write EAP header, skip length bytes */
-	*pos.ptr++ = this->type;
-	*pos.ptr++ = identifier;
-	pos.ptr += 2;
-	pos.len -= 4;
-	/* write SIM header with type and subtype, zero reserved bytes */
-	*pos.ptr++ = EAP_SIM;
-	*pos.ptr++ = type;
-	*pos.ptr++ = 0;
-	*pos.ptr++ = 0;
-	pos.len -= 4;
-	
-	va_start(args, type);
-	while ((attr = va_arg(args, sim_attribute_t)) != AT_END)
-	{
-		chunk_t data = va_arg(args, chunk_t);
-		
-		DBG3(DBG_IKE, "building %N %B", sim_attribute_names, attr, &data);
-		
-		/* write attribute header */
-		*pos.ptr++ = attr;
-		pos.len--;
-		
-		switch (attr)
-		{
-			case AT_CLIENT_ERROR_CODE:
-			case AT_SELECTED_VERSION:
-			{
-				*pos.ptr = data.len/4 + 1;
-				pos = chunk_skip(pos, 1);
-				memcpy(pos.ptr, data.ptr, data.len);
-				pos = chunk_skip(pos, data.len);
-				break;
-			}
-			case AT_IDENTITY:
-			case AT_VERSION_LIST:
-			{
-				u_int16_t act_len = data.len;
-				/* align up to four byte */
-				if (data.len % 4)
-				{
-					chunk_t tmp = chunk_alloca((data.len/4)*4 + 4);
-					memset(tmp.ptr, 0, tmp.len);
-					memcpy(tmp.ptr, data.ptr, data.len);
-					data = tmp;
-				}
-				*pos.ptr = data.len/4 + 1;
-				pos = chunk_skip(pos, 1);
-				/* actual length in bytes */
-				*(u_int16_t*)pos.ptr = htons(act_len);
-				pos = chunk_skip(pos, sizeof(u_int16_t));
-				memcpy(pos.ptr, data.ptr, data.len);
-				pos = chunk_skip(pos, data.len);
-				break;
-			}
-			case AT_NONCE_MT:
-			{
-				*pos.ptr = data.len/4 + 1;
-				pos = chunk_skip(pos, 1);
-				memset(pos.ptr, 0, 2);
-				pos = chunk_skip(pos, 2);
-				memcpy(pos.ptr, data.ptr, data.len);
-				pos = chunk_skip(pos, data.len);
-				break;
-			}
-			case AT_MAC:
-			{
-				*pos.ptr++ = 5; pos.len--;
-				*pos.ptr++ = 0; pos.len--;
-				*pos.ptr++ = 0; pos.len--;
-				mac_pos = pos.ptr;
-				memset(mac_pos, 0, MAC_LEN);
-				pos = chunk_skip(pos, MAC_LEN);
-				mac_data = data;
-				break;
-			}
-			case AT_RAND:
-			{
-				*pos.ptr++ = data.len/4 + 1; pos.len--;
-				*pos.ptr++ = 0; pos.len--;
-				*pos.ptr++ = 0; pos.len--;
-				memcpy(pos.ptr, data.ptr, data.len);
-				pos = chunk_skip(pos, data.len);
-				break;
-			}
-			default:
-				DBG1(DBG_IKE, "no rule to build EAP_SIM attribute %N, skipped",
-					 sim_attribute_names, attr);
-				break;
-		}
-	}
-	va_end(args);
-	
-	/* calculate message length, write into header */
-	message.len = pos.ptr - message.ptr;
-	*(u_int16_t*)(message.ptr + 2) = htons(message.len);
-	
-	/* create MAC if AT_MAC attribte was included. Append supplied va_arg
-	 * chunk mac_data to "to-sign" chunk */
-	if (mac_pos)
-	{
-		this->signer->set_key(this->signer, this->k_auth);
-		mac_data = chunk_cata("cc", message, mac_data);
-		this->signer->get_signature(this->signer, mac_data, mac_pos);
-		DBG3(DBG_IKE, "AT_MAC signature of %B\n is %b",
-			 &mac_data, mac_pos, MAC_LEN);
-	}
-	
-	payload = eap_payload_create_data(message);
-	
-	DBG3(DBG_IKE, "created EAP message %B", &message);
-	return payload;
-}
-
-/**
- * process an EAP-SIM/Request/Start message
- */
-static status_t peer_process_start(private_eap_sim_t *this, eap_payload_t *in,
-								   eap_payload_t **out)
-{
-	chunk_t message, data;
-	sim_attribute_t attribute, include_id = AT_END;
-	u_int8_t identifier;
-
-	identifier = in->get_identifier(in);
-	message = in->get_data(in);
-	read_header(&message);
-
-	while ((attribute = read_attribute(&message, &data)) != AT_END)
-	{
-		switch (attribute)
-		{
-			case AT_VERSION_LIST:
-			{
-				/* check if server supports our implementation */
-				bool found = FALSE;
-				if (data.len > 2)
-				{
-					/* read actual length first */
-					data.len = min(data.len, ntohs(*(u_int16_t*)data.ptr) + 2);
-					data = chunk_skip(data, 2);
-					chunk_free(&this->version_list);
-					this->version_list = chunk_clone(data);
-					while (data.len >= this->version.len)
-					{
-						if (memeq(data.ptr, this->version.ptr, this->version.len))
-						{
-							found = TRUE;
-							break;
-						}
-						data = chunk_skip(data, this->version.len);
-					}
-				}
-				if (!found)
-				{
-					DBG1(DBG_IKE, "server does not support EAP_SIM "
-						 "version number %#B", &this->version);
-					*out = build_payload(this, identifier, SIM_CLIENT_ERROR,
-							AT_CLIENT_ERROR_CODE, client_error_unsupported,
-							AT_END);
-					return NEED_MORE;
-				}
-				break;
-			}
-			case AT_PERMANENT_ID_REQ:
-			case AT_FULLAUTH_ID_REQ:
-			case AT_ANY_ID_REQ:
-				/* only include AT_IDENTITY if requested */
-				include_id = AT_IDENTITY;
-				break;
-			case AT_NOTIFICATION:
-			{
-				u_int16_t code = 0;
-				if (data.len == 2)
-				{
-					code = ntohs(*(u_int16_t*)data.ptr);
-				}
-				if (code <= 32767) /* no success bit */
-				{
-					DBG1(DBG_IKE, "received %N error %d",
-				 		 sim_attribute_names, attribute, code);
-					*out = build_payload(this,
-									in->get_identifier(in), SIM_CLIENT_ERROR,
-						 			AT_CLIENT_ERROR_CODE, client_error_general,
-									AT_END);
-					return NEED_MORE;
-				}
-				else
-				{
-					DBG1(DBG_IKE, "received %N code %d",
-				 		 sim_attribute_names, attribute, code);
-				}
-				break;
-			}
-			default:
-				DBG1(DBG_IKE, "ignoring EAP_SIM attribute %N",
-					 sim_attribute_names, attribute);
-				break;
-		}
-	}
-	
-	/* build payload. If "include_id" is AT_END, AT_IDENTITY is ommited */
-	*out = build_payload(this, identifier, SIM_START,
-						 AT_SELECTED_VERSION, this->version,
-						 AT_NONCE_MT, this->nonce,
-						 include_id, this->peer->get_encoding(this->peer),
-						 AT_END);
-	return NEED_MORE;
-}
-
-/**
- * derive EAP keys from kc
- */
-static void derive_keys(private_eap_sim_t *this, chunk_t kcs)
-{
-	chunk_t tmp, mk;
-	int i;
-
-	/* build MK = SHA1(Identity|n*Kc|NONCE_MT|Version List|Selected Version) */
-	tmp = chunk_cata("ccccc", this->peer->get_encoding(this->peer), kcs,
-					 this->nonce, this->version_list, this->version);
-	mk = chunk_alloca(this->hasher->get_hash_size(this->hasher));
-	this->hasher->get_hash(this->hasher, tmp, mk.ptr);
-	DBG3(DBG_IKE, "MK = SHA1(%B\n) = %B", &tmp, &mk);
-	
-	/* K_encr | K_auth | MSK | EMSK = prf() | prf() | prf() | prf()
-	 * FIPS PRF has 320 bit block size, we need 160 byte for keys
-	 *  => run prf four times */
-	this->prf->set_key(this->prf, mk);
-	tmp = chunk_alloca(this->prf->get_block_size(this->prf) * 4);
-	for (i = 0; i < 4; i++)
-	{
-		this->prf->get_bytes(this->prf, chunk_empty, tmp.ptr + tmp.len / 4 * i);
-	}
-	chunk_free(&this->k_encr);
-	chunk_free(&this->k_auth);
-	chunk_free(&this->msk);
-	chunk_free(&this->emsk);
-	chunk_split(tmp, "aaaa", KENCR_LEN, &this->k_encr, KAUTH_LEN, &this->k_auth,
-				MSK_LEN, &this->msk, EMSK_LEN, &this->emsk);
-	DBG3(DBG_IKE, "K_encr %B\nK_auth %B\nMSK %B\nEMSK %B",
-		 &this->k_encr, &this->k_auth, &this->msk, &this->emsk);
-}
-
-/**
- * Read a triplet from the SIM card
- */
-static bool get_card_triplet(private_eap_sim_t *this,
-							 char *rand, char *sres, char *kc)
-{
-	enumerator_t *enumerator;
-	sim_card_t *card = NULL, *current;
-	id_match_t match, best = ID_MATCH_NONE;
-	bool success = FALSE;
-	
-	/* find the best matching SIM */
-	enumerator = charon->sim->create_card_enumerator(charon->sim);
-	while (enumerator->enumerate(enumerator, &current))
-	{
-		match = this->peer->matches(this->peer, current->get_imsi(current));
-		if (match > best)
-		{
-			card = current;
-			best = match;
-			break;
-		}
-	}
-	if (card)
-	{
-		success = card->get_triplet(card, rand, sres, kc);
-	}
-	enumerator->destroy(enumerator);
-	if (!card)
-	{
-		DBG1(DBG_IKE, "no SIM card found matching '%Y'", this->peer);
-	}
-	return success;
-}
-
-/**
- * process an EAP-SIM/Request/Challenge message
- */
-static status_t peer_process_challenge(private_eap_sim_t *this,
-									   eap_payload_t *in, eap_payload_t **out)
-{
-	chunk_t message, data, tmp, kcs, kc, sreses, sres;
-	sim_attribute_t attribute;
-	u_int8_t identifier;
-	chunk_t mac = chunk_empty, rands = chunk_empty;
-	
-	if (this->tries-- <= 0)
-	{
-		/* give up without notification. This hack is required as some buggy
-		 * server implementations won't respect our client-error. */
-		return FAILED;
-	}
-
-	identifier = in->get_identifier(in);
-	message = in->get_data(in);
-	read_header(&message);
-
-	while ((attribute = read_attribute(&message, &data)) != AT_END)
-	{
-		switch (attribute)
-		{
-			case AT_RAND:
-			{
-				rands = chunk_skip(data, 2);
-				break;
-			}
-			case AT_MAC:
-			{
-				/* backup MAC, zero it inline for later verification */
-				data = chunk_skip(data, 2);
-				mac = chunk_clonea(data);
-				memset(data.ptr, 0, data.len);
-				break;
-			}
-			case AT_NOTIFICATION:
-			{
-				u_int16_t code = 0;
-				if (data.len == 2)
-				{
-					code = ntohs(*(u_int16_t*)data.ptr);
-				}
-				if (code <= 32767) /* no success bit */
-				{
-					DBG1(DBG_IKE, "received %N error %d",
-				 		 sim_attribute_names, attribute, code);
-					*out = build_payload(this,
-									in->get_identifier(in), SIM_CLIENT_ERROR,
-						 			AT_CLIENT_ERROR_CODE, client_error_general,
-									AT_END);
-					return NEED_MORE;
-				}
-				else
-				{
-					DBG1(DBG_IKE, "received %N code %d",
-				 		 sim_attribute_names, attribute, code);
-				}
-				break;
-			}
-			default:
-				DBG1(DBG_IKE, "ignoring EAP_SIM attribute %N",
-					 sim_attribute_names, attribute);
-				break;
-		}
-	}
-	
-	/* excepting two or three RAND, each 16 bytes. We require two valid
-	 * and different RANDs */
-	if ((rands.len != 2 * RAND_LEN && rands.len != 3 * RAND_LEN) ||
-		memeq(rands.ptr, rands.ptr + RAND_LEN, RAND_LEN))
-	{
-		DBG1(DBG_IKE, "no valid AT_RAND received");
-		*out = build_payload(this, identifier, SIM_CLIENT_ERROR,
-							 AT_CLIENT_ERROR_CODE, client_error_insufficient,
-							 AT_END);
-		return NEED_MORE;
-	}
-	if (mac.len != MAC_LEN)
-	{
-		DBG1(DBG_IKE, "no valid AT_MAC received");
-		*out = build_payload(this, identifier, SIM_CLIENT_ERROR,
-							 AT_CLIENT_ERROR_CODE, client_error_general,
-							 AT_END);
-		return NEED_MORE;
-	}
-	
-	/* get two or three KCs/SRESes from SIM using RANDs */
-	kcs = kc = chunk_alloca(rands.len / 2);
-	sreses = sres = chunk_alloca(rands.len / 4);
-	while (rands.len >= RAND_LEN)
-	{		
-		if (!get_card_triplet(this, rands.ptr, sres.ptr, kc.ptr))
-		{
-			DBG1(DBG_IKE, "unable to get EAP-SIM triplet");
-			*out = build_payload(this, identifier, SIM_CLIENT_ERROR,
-								 AT_CLIENT_ERROR_CODE, client_error_general,
-								 AT_END);
-			return NEED_MORE;
-		}
-		DBG3(DBG_IKE, "got triplet for RAND %b\n  Kc %b\n  SRES %b",
-			 rands.ptr, RAND_LEN, sres.ptr, SRES_LEN, kc.ptr, KC_LEN);
-		kc = chunk_skip(kc, KC_LEN);
-		sres = chunk_skip(sres, SRES_LEN);
-		rands = chunk_skip(rands, RAND_LEN);
-	}
-	
-	derive_keys(this, kcs);
-	
-	/* verify AT_MAC attribute, signature is over "EAP packet | NONCE_MT"  */
-	this->signer->set_key(this->signer, this->k_auth);
-	tmp = chunk_cata("cc", in->get_data(in), this->nonce);
-	if (!this->signer->verify_signature(this->signer, tmp, mac))
-	{
-		DBG1(DBG_IKE, "AT_MAC verification failed");
-		*out = build_payload(this, identifier, SIM_CLIENT_ERROR,
-							 AT_CLIENT_ERROR_CODE, client_error_general,
-							 AT_END);
-		return NEED_MORE;
-	}
-	
-	/* build response, AT_MAC is built over "EAP packet | n*SRES" */
-	*out = build_payload(this, identifier, SIM_CHALLENGE,
-						 AT_MAC, sreses,
-						 AT_END);
-	return NEED_MORE;
-}
-
-/**
- * process an EAP-SIM/Response/Challenge message
- */
-static status_t server_process_challenge(private_eap_sim_t *this,
-									     eap_payload_t *in, eap_payload_t **out)
-{
-	chunk_t message, data;
-	sim_attribute_t attribute;
-	chunk_t mac = chunk_empty, tmp;
-	
-	message = in->get_data(in);
-	read_header(&message);
-
-	while ((attribute = read_attribute(&message, &data)) != AT_END)
-	{
-		switch (attribute)
-		{
-			case AT_MAC:
-				/* MAC has two reserved bytes */
-				if (data.len == MAC_LEN + 2)
-				{	/* clone and zero MAC for verification */
-					mac = chunk_clonea(chunk_skip(data, 2));
-					memset(data.ptr, 0, data.len);
-				}
-				break;
-			default:
-				DBG1(DBG_IKE, "ignoring EAP_SIM attribute %N",
-					 sim_attribute_names, attribute);
-				break;
-		}
-	}
-	if (!mac.ptr)
-	{
-		DBG1(DBG_IKE, "no valid AT_MAC attribute received");
-		return FAILED;
-	}
-	/* verify AT_MAC attribute, signature is over "EAP packet | n*SRES"  */
-	this->signer->set_key(this->signer, this->k_auth);
-	tmp = chunk_cata("cc", in->get_data(in), this->sreses);
-	if (!this->signer->verify_signature(this->signer, tmp, mac))
-	{
-		DBG1(DBG_IKE, "AT_MAC verification failed");
-		return FAILED;
-	}
-	return SUCCESS;
-}
-
-/**
- * Fetch a triplet from a provider
- */
-static bool get_provider_triplet(private_eap_sim_t *this,
-								 char *rand, char *sres, char *kc)
-{
-	enumerator_t *enumerator;
-	sim_provider_t *provider;
-	int tried = 0;
-	
-	enumerator = charon->sim->create_provider_enumerator(charon->sim);
-	while (enumerator->enumerate(enumerator, &provider))
-	{
-		if (provider->get_triplet(provider, this->peer, rand, sres, kc))
-		{
-			enumerator->destroy(enumerator);
-			return TRUE;
-		}
-		tried++;
-	}
-	enumerator->destroy(enumerator);
-	DBG1(DBG_IKE, "tried %d SIM providers, but none had a triplet for '%Y'",
-		 tried, this->peer);
-	return FALSE;
-}
-
-/**
- * process an EAP-SIM/Response/Start message
- */
-static status_t server_process_start(private_eap_sim_t *this,
-									 eap_payload_t *in, eap_payload_t **out)
-{
-	chunk_t message, data;
-	sim_attribute_t attribute;
-	bool supported = FALSE;
-	chunk_t rands, rand, kcs, kc, sreses, sres;
-	int i;
-		
-	message = in->get_data(in);
-	read_header(&message);
-
-	while ((attribute = read_attribute(&message, &data)) != AT_END)
-	{
-		switch (attribute)
-		{
-			case AT_NONCE_MT:
-				if (data.len == NONCE_LEN + 2)
-				{
-					this->nonce = chunk_clone(chunk_skip(data, 2));
-				}
-				break;
-			case AT_SELECTED_VERSION:
-				if (chunk_equals(data, this->version))
-				{
-					supported = TRUE;
-				}
-				break;
-			default:
-				DBG1(DBG_IKE, "ignoring EAP_SIM attribute %N",
-					 sim_attribute_names, attribute);
-				break;
-		}
-	}
-	if (!supported || !this->nonce.ptr)
-	{
-		DBG1(DBG_IKE, "received incomplete EAP-SIM/Response/Start");
-		return FAILED;
-	}
-	
-	/* read triplets from provider */
-	rand = rands = chunk_alloca(RAND_LEN * TRIPLET_COUNT);
-	kc = kcs = chunk_alloca(KC_LEN * TRIPLET_COUNT);
-	sres = sreses = chunk_alloca(SRES_LEN * TRIPLET_COUNT);
-	rands.len = 0;
-	kcs.len = 0;
-	sreses.len = 0;
-	for (i = 0; i < TRIPLET_COUNT; i++)
-	{
-		if (!get_provider_triplet(this, rand.ptr, sres.ptr, kc.ptr))
-		{
-			DBG1(DBG_IKE, "getting EAP-SIM triplet %d failed", i);
-			return FAILED;
-		}
-		rands.len += RAND_LEN;
-		sreses.len += SRES_LEN;
-		kcs.len += KC_LEN;
-		rand = chunk_skip(rand, RAND_LEN);
-		sres = chunk_skip(sres, SRES_LEN);
-		kc = chunk_skip(kc, KC_LEN);
-	}
-	derive_keys(this, kcs);
-	
-	/* build MAC over "EAP packet | NONCE_MT" */
-	*out = build_payload(this, this->identifier++, SIM_CHALLENGE, AT_RAND,
-						 rands, AT_MAC, this->nonce, AT_END);
-	this->sreses = chunk_clone(sreses);
-	return NEED_MORE;
-}
-
-/**
- * process an EAP-SIM/Request/Notification message
- */
-static status_t peer_process_notification(private_eap_sim_t *this,
-										  eap_payload_t *in, eap_payload_t **out)
-{
-	chunk_t message, data;
-	sim_attribute_t attribute;
-	
-	message = in->get_data(in);
-	read_header(&message);
-
-	while ((attribute = read_attribute(&message, &data)) != AT_END)
-	{
-		switch (attribute)
-		{
-			case AT_NOTIFICATION:
-			{
-				u_int16_t code = 0;
-				if (data.len == 2)
-				{
-					code = ntohs(*(u_int16_t*)data.ptr);
-				}
-				if (code <= 32767) /* no success bit */
-				{
-					DBG1(DBG_IKE, "received %N error %d",
-				 		 sim_attribute_names, attribute, code);
-					*out = build_payload(this,
-									in->get_identifier(in), SIM_CLIENT_ERROR,
-						 			AT_CLIENT_ERROR_CODE, client_error_general,
-									AT_END);
-					return NEED_MORE;
-				}
-				else
-				{
-					DBG1(DBG_IKE, "received %N code %d",
-				 		 sim_attribute_names, attribute, code);
-				}
-				break;
-			}
-			default:
-				DBG1(DBG_IKE, "ignoring EAP_SIM attribute %N",
-					 sim_attribute_names, attribute);
-				break;
-		}
-	}
-	/* reply with empty notification */
-	*out = build_payload(this, in->get_identifier(in), SIM_NOTIFICATION, AT_END);
-	return NEED_MORE;
-}
-
-/**
- * Process a client error
- */
-static status_t server_process_client_error(private_eap_sim_t *this,
-											eap_payload_t *in, eap_payload_t **out)
-{
-	chunk_t message, data;
-	sim_attribute_t attribute;
-	
-	message = in->get_data(in);
-	read_header(&message);
-
-	while ((attribute = read_attribute(&message, &data)) != AT_END)
-	{
-		if (attribute == AT_CLIENT_ERROR_CODE)
-		{
-			u_int16_t code = 0;
-			if (data.len == 2)
-			{
-				code = ntohs(*(u_int16_t*)data.ptr);
-			}
-			DBG1(DBG_IKE, "received %N error %d",
-		 		 sim_attribute_names, attribute, code);
-		}
-		else
-		{
-			DBG1(DBG_IKE, "ignoring EAP_SIM attribute %N",
-				 sim_attribute_names, attribute);
-		}
-	}
-	return FAILED;
-}
-
-/**
- * Implementation of eap_method_t.process for the peer
- */
-static status_t peer_process(private_eap_sim_t *this,
-							 eap_payload_t *in, eap_payload_t **out)
-{
-	sim_subtype_t type;
-	chunk_t message;
-	
-	message = in->get_data(in);
-	type = read_header(&message);
-	
-	switch (type)
-	{
-		case SIM_START:
-			return peer_process_start(this, in, out);
-		case SIM_CHALLENGE:
-			return peer_process_challenge(this, in, out);
-		case SIM_NOTIFICATION:
-			return peer_process_notification(this, in, out);
-		default:
-			DBG1(DBG_IKE, "unable to process EAP_SIM subtype %N",
-				 sim_subtype_names, type);
-			*out = build_payload(this, in->get_identifier(in), SIM_CLIENT_ERROR,
-					AT_CLIENT_ERROR_CODE, client_error_general, AT_END);
-			return NEED_MORE;
-	}
-}
-
-/**
- * Implementation of eap_method_t.process for the server
- */
-static status_t server_process(private_eap_sim_t *this,
-							   eap_payload_t *in, eap_payload_t **out)
-{
-	sim_subtype_t type;
-	chunk_t message;
-	
-	message = in->get_data(in);
-	type = read_header(&message);
-	
-	switch (type)
-	{
-		case SIM_START:
-			return server_process_start(this, in, out);
-		case SIM_CHALLENGE:
-			return server_process_challenge(this, in, out);
-		case SIM_CLIENT_ERROR:
-			return server_process_client_error(this, in, out);
-		default:
-			DBG1(DBG_IKE, "unable to process EAP_SIM subtype %N",
-				 sim_subtype_names, type);
-			return FAILED;
-	}
-}
-
-/**
- * Implementation of eap_method_t.initiate for the peer
- */
-static status_t peer_initiate(private_eap_sim_t *this, eap_payload_t **out)
-{
-	/* peer never initiates */
-	return FAILED;
-}
-
-/**
- * Implementation of eap_method_t.initiate for the server
- */
-static status_t server_initiate(private_eap_sim_t *this, eap_payload_t **out)
-{
-	/* version_list to derive MK, no padding */
-	this->version_list = chunk_clone(this->version);
-	/* build_payloads adds padding itself */
-	*out = build_payload(this, this->identifier++, SIM_START,
-						 AT_VERSION_LIST, this->version, AT_END);
-	return NEED_MORE;
-}
-
-/**
- * Implementation of eap_method_t.get_type.
- */
-static eap_type_t get_type(private_eap_sim_t *this, u_int32_t *vendor)
-{
-	*vendor = 0;
-	return EAP_SIM;
-}
-
-/**
- * Implementation of eap_method_t.get_msk.
- */
-static status_t get_msk(private_eap_sim_t *this, chunk_t *msk)
-{
-	if (this->msk.ptr)
-	{
-		*msk = this->msk;
-		return SUCCESS;
-	}
-	return FAILED;
-}
-
-/**
- * Implementation of eap_method_t.is_mutual.
- */
-static bool is_mutual(private_eap_sim_t *this)
-{
-	return TRUE;
-}
-
-/**
- * Implementation of eap_method_t.destroy.
- */
-static void destroy(private_eap_sim_t *this)
-{
-	this->peer->destroy(this->peer);
-	DESTROY_IF(this->hasher);
-	DESTROY_IF(this->prf);
-	DESTROY_IF(this->signer);
-	chunk_free(&this->nonce);
-	chunk_free(&this->sreses);
-	chunk_free(&this->version_list);
-	chunk_free(&this->k_auth);
-	chunk_free(&this->k_encr);
-	chunk_free(&this->msk);
-	chunk_free(&this->emsk);
-	free(this);
-}
-
-/**
- * Generic constructor for both roles
- */
-eap_sim_t *eap_sim_create_generic(eap_role_t role, identification_t *server,
-								  identification_t *peer)
-{
-	private_eap_sim_t *this = malloc_thing(private_eap_sim_t);
-	rng_t *rng;
-	
-	this->nonce = chunk_empty;
-	this->sreses = chunk_empty;
-	this->peer = peer->clone(peer);
-	this->tries = MAX_TRIES;
-	this->version.ptr = version;
-	this->version.len = sizeof(version);
-	this->version_list = chunk_empty;
-	this->k_auth = chunk_empty;
-	this->k_encr = chunk_empty;
-	this->msk = chunk_empty;
-	this->emsk = chunk_empty;
-	/* generate a non-zero identifier */
-	do {
-		this->identifier = random();
-	} while (!this->identifier);
-	
-	switch (role)
-	{
-		case EAP_SERVER:
-			this->public.eap_method_interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))server_initiate;
-			this->public.eap_method_interface.process = (status_t(*)(eap_method_t*,eap_payload_t*,eap_payload_t**))server_process;
-			this->type = EAP_REQUEST;
-			break;
-		case EAP_PEER:
-			this->public.eap_method_interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))peer_initiate;
-			this->public.eap_method_interface.process = (status_t(*)(eap_method_t*,eap_payload_t*,eap_payload_t**))peer_process;
-			this->type = EAP_RESPONSE;
-			rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
-			if (!rng)
-			{
-				DBG1(DBG_IKE, "unable to generate NONCE for EAP_SIM");
-				free(this);
-				return NULL;
-			}
-			rng->allocate_bytes(rng, NONCE_LEN, &this->nonce);
-			rng->destroy(rng);
- 			break;
-		default:
-			free(this);
-			return NULL;
-	}
-	this->public.eap_method_interface.get_type = (eap_type_t(*)(eap_method_t*,u_int32_t*))get_type;
-	this->public.eap_method_interface.is_mutual = (bool(*)(eap_method_t*))is_mutual;
-	this->public.eap_method_interface.get_msk = (status_t(*)(eap_method_t*,chunk_t*))get_msk;
-	this->public.eap_method_interface.destroy = (void(*)(eap_method_t*))destroy;
-	
-	this->hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
-	this->prf = lib->crypto->create_prf(lib->crypto, PRF_FIPS_SHA1_160);
-	this->signer = lib->crypto->create_signer(lib->crypto, AUTH_HMAC_SHA1_128);
-	if (!this->hasher || !this->prf || !this->signer)
-	{
-		DBG1(DBG_IKE, "initiating EAP-SIM failed, FIPS-PRF/SHA1 not supported");
-		destroy(this);
-		return NULL;
-	}
-	return &this->public;
-}
-
-/*
- * Described in header.
- */
-eap_sim_t *eap_sim_create_server(identification_t *server,
-								 identification_t *peer)
-{
-	return eap_sim_create_generic(EAP_SERVER, server, peer);
-}
-
-/*
- * Described in header.
- */
-eap_sim_t *eap_sim_create_peer(identification_t *server,
-							   identification_t *peer)
-{
-	return eap_sim_create_generic(EAP_PEER, server, peer);
-}
-								 
diff --git a/src/charon/plugins/eap_sim/eap_sim.h b/src/charon/plugins/eap_sim/eap_sim.h
deleted file mode 100644
index af1aa2aa5..000000000
--- a/src/charon/plugins/eap_sim/eap_sim.h
+++ /dev/null
@@ -1,61 +0,0 @@
-/*
- * Copyright (C) 2007-2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup eap_sim_i eap_sim
- * @{ @ingroup eap_sim
- */
-
-#ifndef EAP_SIM_H_
-#define EAP_SIM_H_
-
-typedef struct eap_sim_t eap_sim_t;
-
-#include <sa/authenticators/eap/eap_method.h>
-
-/**
- * Implementation of the eap_method_t interface using EAP-SIM.
- *
- * This EAP-SIM client implementation handles the protocol level of EAP-SIM
- * only, it does not provide triplet calculation/fetching. Other plugins may
- * provide these services using the sim_manager_t of charon.
- */
-struct eap_sim_t {
-
-	/**
-	 * Implemented eap_method_t interface.
-	 */
-	eap_method_t eap_method_interface;
-};
-
-/**
- * Creates the EAP method EAP-SIM acting as server.
- *
- * @param server	ID of the EAP server
- * @param peer		ID of the EAP client
- * @return			eap_sim_t object
- */
-eap_sim_t *eap_sim_create_server(identification_t *server, identification_t *peer);
-
-/**
- * Creates the EAP method EAP-SIM acting as peer.
- *
- * @param server	ID of the EAP server
- * @param peer		ID of the EAP client
- * @return			eap_sim_t object
- */
-eap_sim_t *eap_sim_create_peer(identification_t *server, identification_t *peer);
-
-#endif /** EAP_SIM_H_ @}*/
diff --git a/src/charon/plugins/eap_sim/eap_sim_peer.c b/src/charon/plugins/eap_sim/eap_sim_peer.c
new file mode 100644
index 000000000..961cfd30d
--- /dev/null
+++ b/src/charon/plugins/eap_sim/eap_sim_peer.c
@@ -0,0 +1,654 @@
+/*
+ * Copyright (C) 2007-2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_sim_peer.h"
+
+#include <daemon.h>
+
+#include <simaka_message.h>
+
+/* number of tries we do authenticate */
+#define MAX_TRIES 3
+
+/* number of triplets for one authentication */
+#define TRIPLET_COUNT 3
+
+/** length of the AT_NONCE_MT nonce value */
+#define NONCE_LEN 16
+
+typedef struct private_eap_sim_peer_t private_eap_sim_peer_t;
+
+/**
+ * Private data of an eap_sim_peer_t object.
+ */
+struct private_eap_sim_peer_t {
+
+	/**
+	 * Public authenticator_t interface.
+	 */
+	eap_sim_peer_t public;
+
+	/**
+	 * permanent ID of peer
+	 */
+	identification_t *permanent;
+
+	/**
+	 * Pseudonym identity the peer uses
+	 */
+	identification_t *pseudonym;
+
+	/**
+	 * Reauthentication identity the peer uses
+	 */
+	identification_t *reauth;
+
+	/**
+	 * EAP-SIM crypto helper
+	 */
+	simaka_crypto_t *crypto;
+
+	/**
+	 * how many times we try to authenticate
+	 */
+	int tries;
+
+	/**
+	 * version list received from server
+	 */
+	chunk_t version_list;
+
+	/**
+	 * Nonce value used in AT_NONCE_MT/AT_NONCE_S
+	 */
+	chunk_t nonce;
+
+	/**
+	 * MSK, used for EAP-SIM based IKEv2 authentication
+	 */
+	chunk_t msk;
+
+	/**
+	 * Master key, if reauthentication is used
+	 */
+	char mk[HASH_SIZE_SHA1];
+
+	/**
+	 * Counter value if reauthentication is used
+	 */
+	u_int16_t counter;
+};
+
+/* version of SIM protocol we speak */
+static chunk_t version = chunk_from_chars(0x00,0x01);
+
+/**
+ * Create a SIM_CLIENT_ERROR
+ */
+static eap_payload_t* create_client_error(private_eap_sim_peer_t *this,
+							u_int8_t identifier, simaka_client_error_t code)
+{
+	simaka_message_t *message;
+	eap_payload_t *out;
+	u_int16_t encoded;
+
+	DBG1(DBG_IKE, "sending client error '%N'", simaka_client_error_names, code);
+
+	message = simaka_message_create(FALSE, identifier, EAP_SIM,
+									SIM_CLIENT_ERROR, this->crypto);
+	encoded = htons(code);
+	message->add_attribute(message, AT_CLIENT_ERROR_CODE,
+						   chunk_create((char*)&encoded, sizeof(encoded)));
+	out = message->generate(message, chunk_empty);
+	message->destroy(message);
+	return out;
+}
+
+/**
+ * process an EAP-SIM/Request/Start message
+ */
+static status_t process_start(private_eap_sim_peer_t *this,
+							  simaka_message_t *in, eap_payload_t **out)
+{
+	simaka_message_t *message;
+	enumerator_t *enumerator;
+	simaka_attribute_t type;
+	chunk_t data, id = chunk_empty;
+	rng_t *rng;
+	bool supported = FALSE;
+	simaka_attribute_t id_req = 0;
+
+	/* reset previously uses reauthentication/pseudonym data */
+	this->crypto->clear_keys(this->crypto);
+	DESTROY_IF(this->pseudonym);
+	this->pseudonym = NULL;
+	DESTROY_IF(this->reauth);
+	this->reauth = NULL;
+
+	enumerator = in->create_attribute_enumerator(in);
+	while (enumerator->enumerate(enumerator, &type, &data))
+	{
+		switch (type)
+		{
+			case AT_VERSION_LIST:
+			{
+				free(this->version_list.ptr);
+				this->version_list = chunk_clone(data);
+				while (data.len >= version.len)
+				{
+					if (memeq(data.ptr, version.ptr, version.len))
+					{
+						supported = TRUE;
+						break;
+					}
+				}
+				break;
+			}
+			case AT_ANY_ID_REQ:
+			case AT_FULLAUTH_ID_REQ:
+			case AT_PERMANENT_ID_REQ:
+				id_req = type;
+				break;
+			default:
+				if (!simaka_attribute_skippable(type))
+				{
+					*out = create_client_error(this, in->get_identifier(in),
+											   SIM_UNABLE_TO_PROCESS);
+					enumerator->destroy(enumerator);
+					return NEED_MORE;
+				}
+				break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	if (!supported)
+	{
+		DBG1(DBG_IKE, "server does not support EAP-SIM version number 1");
+		*out = create_client_error(this, in->get_identifier(in),
+								   SIM_UNSUPPORTED_VERSION);
+		return NEED_MORE;
+	}
+
+	switch (id_req)
+	{
+		case AT_ANY_ID_REQ:
+			this->reauth = charon->sim->card_get_reauth(charon->sim,
+									this->permanent, this->mk, &this->counter);
+			if (this->reauth)
+			{
+				id = this->reauth->get_encoding(this->reauth);
+				break;
+			}
+			/* FALL */
+		case AT_FULLAUTH_ID_REQ:
+			this->pseudonym = charon->sim->card_get_pseudonym(charon->sim,
+															  this->permanent);
+			if (this->pseudonym)
+			{
+				id = this->pseudonym->get_encoding(this->pseudonym);
+				break;
+			}
+			/* FALL */
+		case AT_PERMANENT_ID_REQ:
+			id = this->permanent->get_encoding(this->permanent);
+			break;
+		default:
+			break;
+	}
+
+	/* generate AT_NONCE_MT value */
+	rng = this->crypto->get_rng(this->crypto);
+	free(this->nonce.ptr);
+	rng->allocate_bytes(rng, NONCE_LEN, &this->nonce);
+
+	message = simaka_message_create(FALSE, in->get_identifier(in), EAP_SIM,
+									SIM_START, this->crypto);
+	if (!this->reauth)
+	{
+		message->add_attribute(message, AT_SELECTED_VERSION, version);
+		message->add_attribute(message, AT_NONCE_MT, this->nonce);
+	}
+	if (id.len)
+	{
+		message->add_attribute(message, AT_IDENTITY, id);
+	}
+	*out = message->generate(message, chunk_empty);
+	message->destroy(message);
+
+	return NEED_MORE;
+}
+
+/**
+ * process an EAP-SIM/Request/Challenge message
+ */
+static status_t process_challenge(private_eap_sim_peer_t *this,
+								  simaka_message_t *in, eap_payload_t **out)
+{
+	simaka_message_t *message;
+	enumerator_t *enumerator;
+	simaka_attribute_t type;
+	chunk_t data, rands = chunk_empty, kcs, kc, sreses, sres, mk;
+	identification_t *id;
+
+	if (this->tries-- <= 0)
+	{
+		/* give up without notification. This hack is required as some buggy
+		 * server implementations won't respect our client-error. */
+		return FAILED;
+	}
+
+	enumerator = in->create_attribute_enumerator(in);
+	while (enumerator->enumerate(enumerator, &type, &data))
+	{
+		switch (type)
+		{
+			case AT_RAND:
+				rands = data;
+				break;
+			default:
+				if (!simaka_attribute_skippable(type))
+				{
+					*out = create_client_error(this, in->get_identifier(in),
+											   SIM_UNABLE_TO_PROCESS);
+					enumerator->destroy(enumerator);
+					return NEED_MORE;
+				}
+				break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	/* excepting two or three RAND, each 16 bytes. We require two valid
+	 * and different RANDs */
+	if ((rands.len != 2 * SIM_RAND_LEN && rands.len != 3 * SIM_RAND_LEN) ||
+		memeq(rands.ptr, rands.ptr + SIM_RAND_LEN, SIM_RAND_LEN))
+	{
+		DBG1(DBG_IKE, "no valid AT_RAND received");
+		*out = create_client_error(this, in->get_identifier(in),
+								   SIM_INSUFFICIENT_CHALLENGES);
+		return NEED_MORE;
+	}
+	/* get two or three KCs/SRESes from SIM using RANDs */
+	kcs = kc = chunk_alloca(rands.len / 2);
+	sreses = sres = chunk_alloca(rands.len / 4);
+	while (rands.len >= SIM_RAND_LEN)
+	{
+		if (!charon->sim->card_get_triplet(charon->sim, this->permanent,
+										   rands.ptr, sres.ptr, kc.ptr))
+		{
+			DBG1(DBG_IKE, "unable to get EAP-SIM triplet");
+			*out = create_client_error(this, in->get_identifier(in),
+									   SIM_UNABLE_TO_PROCESS);
+			return NEED_MORE;
+		}
+		DBG3(DBG_IKE, "got triplet for RAND %b\n  Kc %b\n  SRES %b",
+			 rands.ptr, SIM_RAND_LEN, sres.ptr, SIM_SRES_LEN, kc.ptr, SIM_KC_LEN);
+		kc = chunk_skip(kc, SIM_KC_LEN);
+		sres = chunk_skip(sres, SIM_SRES_LEN);
+		rands = chunk_skip(rands, SIM_RAND_LEN);
+	}
+
+	id = this->permanent;
+	if (this->pseudonym)
+	{
+		id = this->pseudonym;
+	}
+	data = chunk_cata("cccc", kcs, this->nonce, this->version_list, version);
+	free(this->msk.ptr);
+	this->msk = this->crypto->derive_keys_full(this->crypto, id, data, &mk);
+	memcpy(this->mk, mk.ptr, mk.len);
+	free(mk.ptr);
+
+	/* Verify AT_MAC attribute, signature is over "EAP packet | NONCE_MT", and
+	 * parse() again after key derivation, reading encrypted attributes */
+	if (!in->verify(in, this->nonce) || !in->parse(in))
+	{
+		*out = create_client_error(this, in->get_identifier(in),
+								   SIM_UNABLE_TO_PROCESS);
+		return NEED_MORE;
+	}
+
+	enumerator = in->create_attribute_enumerator(in);
+	while (enumerator->enumerate(enumerator, &type, &data))
+	{
+		switch (type)
+		{
+			case AT_NEXT_REAUTH_ID:
+				this->counter = 0;
+				id = identification_create_from_data(data);
+				charon->sim->card_set_reauth(charon->sim, this->permanent, id,
+											 this->mk, this->counter);
+				id->destroy(id);
+				break;
+			case AT_NEXT_PSEUDONYM:
+				id = identification_create_from_data(data);
+				charon->sim->card_set_pseudonym(charon->sim, this->permanent, id);
+				id->destroy(id);
+				break;
+			default:
+				break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	/* build response with AT_MAC, built over "EAP packet | n*SRES" */
+	message = simaka_message_create(FALSE, in->get_identifier(in), EAP_SIM,
+									SIM_CHALLENGE, this->crypto);
+	*out = message->generate(message, sreses);
+	message->destroy(message);
+	return NEED_MORE;
+}
+
+/**
+ * Check if a received counter value is acceptable
+ */
+static bool counter_too_small(private_eap_sim_peer_t *this, chunk_t chunk)
+{
+	u_int16_t counter;
+
+	memcpy(&counter, chunk.ptr, sizeof(counter));
+	counter = htons(counter);
+	return counter < this->counter;
+}
+
+/**
+ * process an EAP-SIM/Request/Re-Authentication message
+ */
+static status_t process_reauthentication(private_eap_sim_peer_t *this,
+									simaka_message_t *in, eap_payload_t **out)
+{
+	simaka_message_t *message;
+	enumerator_t *enumerator;
+	simaka_attribute_t type;
+	chunk_t data, counter = chunk_empty, nonce = chunk_empty, id = chunk_empty;
+
+	if (!this->reauth)
+	{
+		DBG1(DBG_IKE, "received %N, but not expected",
+			 simaka_subtype_names, SIM_REAUTHENTICATION);
+		*out = create_client_error(this, in->get_identifier(in),
+								   SIM_UNABLE_TO_PROCESS);
+		return NEED_MORE;
+	}
+
+	this->crypto->derive_keys_reauth(this->crypto,
+									 chunk_create(this->mk, HASH_SIZE_SHA1));
+
+	/* verify MAC and parse again with decryption key */
+	if (!in->verify(in, chunk_empty) || !in->parse(in))
+	{
+		*out = create_client_error(this, in->get_identifier(in),
+								   SIM_UNABLE_TO_PROCESS);
+		return NEED_MORE;
+	}
+
+	enumerator = in->create_attribute_enumerator(in);
+	while (enumerator->enumerate(enumerator, &type, &data))
+	{
+		switch (type)
+		{
+			case AT_COUNTER:
+				counter = data;
+				break;
+			case AT_NONCE_S:
+				nonce = data;
+				break;
+			case AT_NEXT_REAUTH_ID:
+				id = data;
+				break;
+			default:
+				if (!simaka_attribute_skippable(type))
+				{
+					*out = create_client_error(this, in->get_identifier(in),
+											   SIM_UNABLE_TO_PROCESS);
+					enumerator->destroy(enumerator);
+					return NEED_MORE;
+				}
+				break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	if (!nonce.len || !counter.len)
+	{
+		DBG1(DBG_IKE, "EAP-SIM/Request/Re-Authentication message incomplete");
+		*out = create_client_error(this, in->get_identifier(in),
+								   SIM_UNABLE_TO_PROCESS);
+		return NEED_MORE;
+	}
+
+	message = simaka_message_create(FALSE, in->get_identifier(in), EAP_SIM,
+									SIM_REAUTHENTICATION, this->crypto);
+	if (counter_too_small(this, counter))
+	{
+		DBG1(DBG_IKE, "reauthentication counter too small");
+		message->add_attribute(message, AT_COUNTER_TOO_SMALL, chunk_empty);
+	}
+	else
+	{
+		free(this->msk.ptr);
+		this->msk = this->crypto->derive_keys_reauth_msk(this->crypto,
+										this->reauth, counter, nonce,
+										chunk_create(this->mk, HASH_SIZE_SHA1));
+		if (id.len)
+		{
+			identification_t *reauth;
+
+			reauth = identification_create_from_data(data);
+			charon->sim->card_set_reauth(charon->sim, this->permanent, reauth,
+							 this->mk, this->counter);
+			reauth->destroy(reauth);
+		}
+	}
+	message->add_attribute(message, AT_COUNTER, counter);
+	*out = message->generate(message, nonce);
+	message->destroy(message);
+	return NEED_MORE;
+}
+
+/**
+ * process an EAP-SIM/Request/Notification message
+ */
+static status_t process_notification(private_eap_sim_peer_t *this,
+									 simaka_message_t *in, eap_payload_t **out)
+{
+	simaka_message_t *message;
+	enumerator_t *enumerator;
+	simaka_attribute_t type;
+	chunk_t data;
+	bool success = TRUE;
+
+	enumerator = in->create_attribute_enumerator(in);
+	while (enumerator->enumerate(enumerator, &type, &data))
+	{
+		if (type == AT_NOTIFICATION)
+		{
+			u_int16_t code;
+
+			memcpy(&code, data.ptr, sizeof(code));
+			code = ntohs(code);
+
+			/* test success bit */
+			if (!(data.ptr[0] & 0x80))
+			{
+				success = FALSE;
+				DBG1(DBG_IKE, "received EAP-SIM notification error '%N'",
+					 simaka_notification_names, code);
+			}
+			else
+			{
+				DBG1(DBG_IKE, "received EAP-SIM notification '%N'",
+					 simaka_notification_names, code);
+			}
+		}
+		else if (!simaka_attribute_skippable(type))
+		{
+			success = FALSE;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	if (success)
+	{	/* empty notification reply */
+		message = simaka_message_create(FALSE, in->get_identifier(in), EAP_SIM,
+										SIM_NOTIFICATION, this->crypto);
+		*out = message->generate(message, chunk_empty);
+		message->destroy(message);
+	}
+	else
+	{
+		*out = create_client_error(this, in->get_identifier(in),
+								   SIM_UNABLE_TO_PROCESS);
+	}
+	return NEED_MORE;
+}
+
+/**
+ * Implementation of eap_method_t.process
+ */
+static status_t process(private_eap_sim_peer_t *this,
+						eap_payload_t *in, eap_payload_t **out)
+{
+	simaka_message_t *message;
+	status_t status;
+
+	message = simaka_message_create_from_payload(in, this->crypto);
+	if (!message)
+	{
+		*out = create_client_error(this, in->get_identifier(in),
+								   SIM_UNABLE_TO_PROCESS);
+		return NEED_MORE;
+	}
+	if (!message->parse(message))
+	{
+		message->destroy(message);
+		*out = create_client_error(this, in->get_identifier(in),
+								   SIM_UNABLE_TO_PROCESS);
+		return NEED_MORE;
+	}
+	switch (message->get_subtype(message))
+	{
+		case SIM_START:
+			status = process_start(this, message, out);
+			break;
+		case SIM_CHALLENGE:
+			status = process_challenge(this, message, out);
+			break;
+		case SIM_REAUTHENTICATION:
+			status = process_reauthentication(this, message, out);
+			break;
+		case SIM_NOTIFICATION:
+			status = process_notification(this, message, out);
+			break;
+		default:
+			DBG1(DBG_IKE, "unable to process EAP-SIM subtype %N",
+				 simaka_subtype_names, message->get_subtype(message));
+			*out = create_client_error(this, in->get_identifier(in),
+									   SIM_UNABLE_TO_PROCESS);
+			status = NEED_MORE;
+			break;
+	}
+	message->destroy(message);
+	return status;
+}
+
+/**
+ * Implementation of eap_method_t.initiate
+ */
+static status_t initiate(private_eap_sim_peer_t *this, eap_payload_t **out)
+{
+	/* peer never initiates */
+	return FAILED;
+}
+
+/**
+ * Implementation of eap_method_t.get_type.
+ */
+static eap_type_t get_type(private_eap_sim_peer_t *this, u_int32_t *vendor)
+{
+	*vendor = 0;
+	return EAP_SIM;
+}
+
+/**
+ * Implementation of eap_method_t.get_msk.
+ */
+static status_t get_msk(private_eap_sim_peer_t *this, chunk_t *msk)
+{
+	if (this->msk.ptr)
+	{
+		*msk = this->msk;
+		return SUCCESS;
+	}
+	return FAILED;
+}
+
+/**
+ * Implementation of eap_method_t.is_mutual.
+ */
+static bool is_mutual(private_eap_sim_peer_t *this)
+{
+	return TRUE;
+}
+
+/**
+ * Implementation of eap_method_t.destroy.
+ */
+static void destroy(private_eap_sim_peer_t *this)
+{
+	this->permanent->destroy(this->permanent);
+	DESTROY_IF(this->pseudonym);
+	DESTROY_IF(this->reauth);
+	this->crypto->destroy(this->crypto);
+	free(this->version_list.ptr);
+	free(this->nonce.ptr);
+	free(this->msk.ptr);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+eap_sim_peer_t *eap_sim_peer_create(identification_t *server,
+									identification_t *peer)
+{
+	private_eap_sim_peer_t *this = malloc_thing(private_eap_sim_peer_t);
+
+	this->public.interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate;
+	this->public.interface.process = (status_t(*)(eap_method_t*,eap_payload_t*,eap_payload_t**))process;
+	this->public.interface.get_type = (eap_type_t(*)(eap_method_t*,u_int32_t*))get_type;
+	this->public.interface.is_mutual = (bool(*)(eap_method_t*))is_mutual;
+	this->public.interface.get_msk = (status_t(*)(eap_method_t*,chunk_t*))get_msk;
+	this->public.interface.destroy = (void(*)(eap_method_t*))destroy;
+
+	this->crypto = simaka_crypto_create();
+	if (!this->crypto)
+	{
+		free(this);
+		return NULL;
+	}
+	this->permanent = peer->clone(peer);
+	this->pseudonym = NULL;
+	this->reauth = NULL;
+	this->tries = MAX_TRIES;
+	this->version_list = chunk_empty;
+	this->nonce = chunk_empty;
+	this->msk = chunk_empty;
+
+	return &this->public;
+}
+
diff --git a/src/charon/plugins/eap_sim/eap_sim_peer.h b/src/charon/plugins/eap_sim/eap_sim_peer.h
new file mode 100644
index 000000000..89f81301e
--- /dev/null
+++ b/src/charon/plugins/eap_sim/eap_sim_peer.h
@@ -0,0 +1,57 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_sim_peer eap_sim_peer
+ * @{ @ingroup eap_sim
+ */
+
+#ifndef EAP_SIM_PEER_H_
+#define EAP_SIM_PEER_H_
+
+#include <sa/authenticators/eap/eap_method.h>
+
+typedef struct eap_sim_peer_t eap_sim_peer_t;
+
+/**
+ * EAP-SIM peer implementation.
+ *
+ * This EAP-SIM module uses sim_card_t implementations for triplet calculation,
+ * found via the eap_sim_manager_t.
+ */
+struct eap_sim_peer_t {
+
+	/**
+	 * Implemented eap_method_t interface.
+	 */
+	eap_method_t interface;
+
+	/**
+	 * Destroy a eap_sim_peer_t.
+	 */
+	void (*destroy)(eap_sim_peer_t *this);
+};
+
+/**
+ * Creates the EAP method EAP-SIM acting as peer.
+ *
+ * @param server	ID of the EAP server
+ * @param peer		ID of the EAP peer
+ * @return			eap_sim_t object
+ */
+eap_sim_peer_t *eap_sim_peer_create(identification_t *server,
+									identification_t *peer);
+
+#endif /** EAP_SIM_PEER_H_ @}*/
diff --git a/src/charon/plugins/eap_sim/eap_sim_plugin.c b/src/charon/plugins/eap_sim/eap_sim_plugin.c
index cf18007c0..1d2b9cf4f 100644
--- a/src/charon/plugins/eap_sim/eap_sim_plugin.c
+++ b/src/charon/plugins/eap_sim/eap_sim_plugin.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008 Martin Willi
+ * Copyright (C) 2008-2009 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -15,7 +15,8 @@
 
 #include "eap_sim_plugin.h"
 
-#include "eap_sim.h"
+#include "eap_sim_server.h"
+#include "eap_sim_peer.h"
 
 #include <daemon.h>
 
@@ -25,9 +26,9 @@
 static void destroy(eap_sim_plugin_t *this)
 {
 	charon->eap->remove_method(charon->eap,
-							   (eap_constructor_t)eap_sim_create_server);
+							   (eap_constructor_t)eap_sim_server_create);
 	charon->eap->remove_method(charon->eap,
-							   (eap_constructor_t)eap_sim_create_peer);
+							   (eap_constructor_t)eap_sim_peer_create);
 	free(this);
 }
 
@@ -37,14 +38,14 @@ static void destroy(eap_sim_plugin_t *this)
 plugin_t *plugin_create()
 {
 	eap_sim_plugin_t *this = malloc_thing(eap_sim_plugin_t);
-	
+
 	this->plugin.destroy = (void(*)(plugin_t*))destroy;
-	
+
 	charon->eap->add_method(charon->eap, EAP_SIM, 0, EAP_SERVER,
-							(eap_constructor_t)eap_sim_create_server);
+							(eap_constructor_t)eap_sim_server_create);
 	charon->eap->add_method(charon->eap, EAP_SIM, 0, EAP_PEER,
-							(eap_constructor_t)eap_sim_create_peer);
-	
+							(eap_constructor_t)eap_sim_peer_create);
+
 	return &this->plugin;
 }
 
diff --git a/src/charon/plugins/eap_sim/eap_sim_server.c b/src/charon/plugins/eap_sim/eap_sim_server.c
new file mode 100644
index 000000000..f6d5df09b
--- /dev/null
+++ b/src/charon/plugins/eap_sim/eap_sim_server.c
@@ -0,0 +1,611 @@
+/*
+ * Copyright (C) 2007-2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_sim_server.h"
+
+#include <daemon.h>
+
+#include <simaka_message.h>
+#include <simaka_crypto.h>
+
+/* number of triplets for one authentication */
+#define TRIPLET_COUNT 3
+
+/** length of the AT_NONCE_S value */
+#define NONCE_LEN 16
+
+typedef struct private_eap_sim_server_t private_eap_sim_server_t;
+
+/**
+ * Private data of an eap_sim_server_t object.
+ */
+struct private_eap_sim_server_t {
+
+	/**
+	 * Public authenticator_t interface.
+	 */
+	eap_sim_server_t public;
+
+	/**
+	 * permanent ID of peer
+	 */
+	identification_t *permanent;
+
+	/**
+	 * pseudonym ID of peer
+	 */
+	identification_t *pseudonym;
+
+	/**
+	 * reauthentication ID of peer
+	 */
+	identification_t *reauth;
+
+	/**
+	 * EAP-SIM/AKA crypto helper
+	 */
+	simaka_crypto_t *crypto;
+
+	/**
+	 * unique EAP identifier
+	 */
+	u_int8_t identifier;
+
+	/**
+	 * concatenated SRES values
+	 */
+	chunk_t sreses;
+
+	/**
+	 * Nonce value used in AT_NONCE_S
+	 */
+	chunk_t nonce;
+
+	/**
+	 * Counter value negotiated, network order
+	 */
+	chunk_t counter;
+
+	/**
+	 * MSK, used for EAP-SIM based IKEv2 authentication
+	 */
+	chunk_t msk;
+
+	/**
+	 * Do we request fast reauthentication?
+	 */
+	bool use_reauth;
+
+	/**
+	 * Do we request pseudonym identities?
+	 */
+	bool use_pseudonym;
+
+	/**
+	 * Do we request permanent identities?
+	 */
+	bool use_permanent;
+
+	/**
+	 * EAP-SIM message we have initiated
+	 */
+	simaka_subtype_t pending;
+};
+
+/* version of SIM protocol we speak */
+static chunk_t version = chunk_from_chars(0x00,0x01);
+
+/**
+ * Implementation of eap_method_t.initiate
+ */
+static status_t initiate(private_eap_sim_server_t *this, eap_payload_t **out)
+{
+	simaka_message_t *message;
+
+	message = simaka_message_create(TRUE, this->identifier++, EAP_SIM,
+									SIM_START, this->crypto);
+	message->add_attribute(message, AT_VERSION_LIST, version);
+	if (this->use_reauth)
+	{
+		message->add_attribute(message, AT_ANY_ID_REQ, chunk_empty);
+	}
+	else if (this->use_pseudonym)
+	{
+		message->add_attribute(message, AT_FULLAUTH_ID_REQ, chunk_empty);
+	}
+	else if (this->use_permanent)
+	{
+		message->add_attribute(message, AT_PERMANENT_ID_REQ, chunk_empty);
+	}
+	*out = message->generate(message, chunk_empty);
+	message->destroy(message);
+
+	this->pending = SIM_START;
+	return NEED_MORE;
+}
+
+/**
+ * Initiate  EAP-SIM/Request/Re-authentication message
+ */
+static status_t reauthenticate(private_eap_sim_server_t *this,
+							   char mk[HASH_SIZE_SHA1], u_int16_t counter,
+							   eap_payload_t **out)
+{
+	simaka_message_t *message;
+	identification_t *next;
+	chunk_t mkc;
+	rng_t *rng;
+
+	DBG1(DBG_IKE, "initiating EAP-SIM reauthentication");
+
+	rng = this->crypto->get_rng(this->crypto);
+	rng->allocate_bytes(rng, NONCE_LEN, &this->nonce);
+
+	mkc = chunk_create(mk, HASH_SIZE_SHA1);
+	counter = htons(counter);
+	this->counter = chunk_clone(chunk_create((char*)&counter, sizeof(counter)));
+
+	this->crypto->derive_keys_reauth(this->crypto, mkc);
+	this->msk = this->crypto->derive_keys_reauth_msk(this->crypto,
+								this->reauth, this->counter, this->nonce, mkc);
+
+	message = simaka_message_create(TRUE, this->identifier++, EAP_SIM,
+									SIM_REAUTHENTICATION, this->crypto);
+	message->add_attribute(message, AT_COUNTER, this->counter);
+	message->add_attribute(message, AT_NONCE_S, this->nonce);
+	next = charon->sim->provider_gen_reauth(charon->sim, this->permanent, mk);
+	if (next)
+	{
+		message->add_attribute(message, AT_NEXT_REAUTH_ID,
+							   next->get_encoding(next));
+		next->destroy(next);
+	}
+	*out = message->generate(message, chunk_empty);
+	message->destroy(message);
+
+	this->pending = SIM_REAUTHENTICATION;
+	return NEED_MORE;
+}
+
+/**
+ * process an EAP-SIM/Response/Reauthentication message
+ */
+static status_t process_reauthentication(private_eap_sim_server_t *this,
+									simaka_message_t *in, eap_payload_t **out)
+{
+	enumerator_t *enumerator;
+	simaka_attribute_t type;
+	chunk_t data, counter = chunk_empty;
+	bool too_small = FALSE;
+
+	if (this->pending != SIM_REAUTHENTICATION)
+	{
+		DBG1(DBG_IKE, "received %N, but not expected",
+			 simaka_subtype_names, SIM_REAUTHENTICATION);
+		return FAILED;
+	}
+	/* verify AT_MAC attribute, signature is over "EAP packet | NONCE_S"  */
+	if (!in->verify(in, this->nonce))
+	{
+		return FAILED;
+	}
+
+	enumerator = in->create_attribute_enumerator(in);
+	while (enumerator->enumerate(enumerator, &type, &data))
+	{
+		switch (type)
+		{
+			case AT_COUNTER:
+				counter = data;
+				break;
+			case AT_COUNTER_TOO_SMALL:
+				too_small = TRUE;
+				break;
+			default:
+				if (!simaka_attribute_skippable(type))
+				{
+					enumerator->destroy(enumerator);
+					return FAILED;
+				}
+				break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	if (too_small)
+	{
+		DBG1(DBG_IKE, "received %N, initiating full authentication",
+			 simaka_attribute_names, AT_COUNTER_TOO_SMALL);
+		this->use_reauth = FALSE;
+		this->crypto->clear_keys(this->crypto);
+		return initiate(this, out);
+	}
+	if (!chunk_equals(counter, this->counter))
+	{
+		DBG1(DBG_IKE, "received counter does not match");
+		return FAILED;
+	}
+	return SUCCESS;
+}
+
+/**
+ * process an EAP-SIM/Response/Start message
+ */
+static status_t process_start(private_eap_sim_server_t *this,
+							  simaka_message_t *in, eap_payload_t **out)
+{
+	simaka_message_t *message;
+	enumerator_t *enumerator;
+	simaka_attribute_t type;
+	chunk_t data, identity = chunk_empty, nonce = chunk_empty, mk;
+	chunk_t rands, rand, kcs, kc, sreses, sres;
+	bool supported = FALSE;
+	identification_t *id;
+	int i;
+
+	if (this->pending != SIM_START)
+	{
+		DBG1(DBG_IKE, "received %N, but not expected",
+			 simaka_subtype_names, SIM_START);
+		return FAILED;
+	}
+
+	enumerator = in->create_attribute_enumerator(in);
+	while (enumerator->enumerate(enumerator, &type, &data))
+	{
+		switch (type)
+		{
+			case AT_NONCE_MT:
+				nonce = data;
+				break;
+			case AT_SELECTED_VERSION:
+				if (chunk_equals(data, version))
+				{
+					supported = TRUE;
+				}
+				break;
+			case AT_IDENTITY:
+				identity = data;
+				break;
+			default:
+				if (!simaka_attribute_skippable(type))
+				{
+					enumerator->destroy(enumerator);
+					return FAILED;
+				}
+				break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	if (identity.len)
+	{
+		identification_t *permanent;
+
+		id = identification_create_from_data(identity);
+		if (this->use_reauth && !nonce.len)
+		{
+			char mk[HASH_SIZE_SHA1];
+			u_int16_t counter;
+
+			permanent = charon->sim->provider_is_reauth(charon->sim, id,
+														mk, &counter);
+			if (permanent)
+			{
+				this->permanent->destroy(this->permanent);
+				this->permanent = permanent;
+				this->reauth = id;
+				return reauthenticate(this, mk, counter, out);
+			}
+			DBG1(DBG_IKE, "received unknown reauthentication identity '%Y', "
+				 "initiating full authentication", id);
+			this->use_reauth = FALSE;
+			id->destroy(id);
+			return initiate(this, out);
+		}
+		if (this->use_pseudonym)
+		{
+			permanent = charon->sim->provider_is_pseudonym(charon->sim, id);
+			if (permanent)
+			{
+				this->permanent->destroy(this->permanent);
+				this->permanent = permanent;
+				this->pseudonym = id->clone(id);
+				/* we already have a new permanent identity now */
+				this->use_permanent = FALSE;
+			}
+		}
+		if (!this->pseudonym && this->use_permanent)
+		{
+			DBG1(DBG_IKE, "received %spermanent identity '%Y'",
+				 this->use_pseudonym ? "pseudonym or " : "", id);
+			this->permanent->destroy(this->permanent);
+			this->permanent = id->clone(id);
+		}
+		id->destroy(id);
+	}
+
+	if (!supported || !nonce.len)
+	{
+		DBG1(DBG_IKE, "received incomplete EAP-SIM/Response/Start");
+		return FAILED;
+	}
+
+	/* read triplets from provider */
+	rand = rands = chunk_alloca(SIM_RAND_LEN * TRIPLET_COUNT);
+	kc = kcs = chunk_alloca(SIM_KC_LEN * TRIPLET_COUNT);
+	sres = sreses = chunk_alloca(SIM_SRES_LEN * TRIPLET_COUNT);
+	rands.len = kcs.len = sreses.len = 0;
+	for (i = 0; i < TRIPLET_COUNT; i++)
+	{
+		if (!charon->sim->provider_get_triplet(charon->sim, this->permanent,
+											   rand.ptr, sres.ptr, kc.ptr))
+		{
+			if (this->use_pseudonym)
+			{
+				/* probably received a pseudonym we couldn't map */
+				DBG1(DBG_IKE, "failed to map pseudonym identity '%Y', "
+					 "fallback to permanent identity request", this->permanent);
+				this->use_pseudonym = FALSE;
+				DESTROY_IF(this->pseudonym);
+				this->pseudonym = NULL;
+				return initiate(this, out);
+			}
+			return FAILED;
+		}
+		rands.len += SIM_RAND_LEN;
+		sreses.len += SIM_SRES_LEN;
+		kcs.len += SIM_KC_LEN;
+		rand = chunk_skip(rand, SIM_RAND_LEN);
+		sres = chunk_skip(sres, SIM_SRES_LEN);
+		kc = chunk_skip(kc, SIM_KC_LEN);
+	}
+	free(this->sreses.ptr);
+	this->sreses = chunk_clone(sreses);
+
+	data = chunk_cata("cccc", kcs, nonce, version, version);
+	free(this->msk.ptr);
+	id = this->permanent;
+	if (this->pseudonym)
+	{
+		id = this->pseudonym;
+	}
+	this->msk = this->crypto->derive_keys_full(this->crypto, id, data, &mk);
+
+	/* build response with AT_MAC, built over "EAP packet | NONCE_MT" */
+	message = simaka_message_create(TRUE, this->identifier++, EAP_SIM,
+									SIM_CHALLENGE, this->crypto);
+	message->add_attribute(message, AT_RAND, rands);
+	id = charon->sim->provider_gen_reauth(charon->sim, this->permanent, mk.ptr);
+	if (id)
+	{
+		message->add_attribute(message, AT_NEXT_REAUTH_ID,
+							   id->get_encoding(id));
+		id->destroy(id);
+	}
+	else
+	{
+		id = charon->sim->provider_gen_pseudonym(charon->sim, this->permanent);
+		if (id)
+		{
+			message->add_attribute(message, AT_NEXT_PSEUDONYM,
+								   id->get_encoding(id));
+			id->destroy(id);
+		}
+	}
+	*out = message->generate(message, nonce);
+	message->destroy(message);
+
+	free(mk.ptr);
+	this->pending = SIM_CHALLENGE;
+	return NEED_MORE;
+}
+
+/**
+ * process an EAP-SIM/Response/Challenge message
+ */
+static status_t process_challenge(private_eap_sim_server_t *this,
+								  simaka_message_t *in, eap_payload_t **out)
+{
+	enumerator_t *enumerator;
+	simaka_attribute_t type;
+	chunk_t data;
+
+	if (this->pending != SIM_CHALLENGE)
+	{
+		DBG1(DBG_IKE, "received %N, but not expected",
+			 simaka_subtype_names, SIM_CHALLENGE);
+		return FAILED;
+	}
+	/* verify AT_MAC attribute, signature is over "EAP packet | n*SRES"  */
+	if (!in->verify(in, this->sreses))
+	{
+		return FAILED;
+	}
+
+	enumerator = in->create_attribute_enumerator(in);
+	while (enumerator->enumerate(enumerator, &type, &data))
+	{
+		if (!simaka_attribute_skippable(type))
+		{
+			enumerator->destroy(enumerator);
+			return FAILED;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	return SUCCESS;
+}
+
+/**
+ * EAP-SIM/Response/ClientErrorCode message
+ */
+static status_t process_client_error(private_eap_sim_server_t *this,
+									 simaka_message_t *in)
+{
+	enumerator_t *enumerator;
+	simaka_attribute_t type;
+	chunk_t data;
+
+	enumerator = in->create_attribute_enumerator(in);
+	while (enumerator->enumerate(enumerator, &type, &data))
+	{
+		if (type == AT_CLIENT_ERROR_CODE)
+		{
+			u_int16_t code;
+
+			memcpy(&code, data.ptr, sizeof(code));
+			DBG1(DBG_IKE, "received EAP-SIM client error '%N'",
+				 simaka_client_error_names, ntohs(code));
+		}
+		else if (!simaka_attribute_skippable(type))
+		{
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return FAILED;
+}
+
+/**
+ * Implementation of eap_method_t.process
+ */
+static status_t process(private_eap_sim_server_t *this,
+						eap_payload_t *in, eap_payload_t **out)
+{
+	simaka_message_t *message;
+	status_t status;
+
+	message = simaka_message_create_from_payload(in, this->crypto);
+	if (!message)
+	{
+		return FAILED;
+	}
+	if (!message->parse(message))
+	{
+		message->destroy(message);
+		return FAILED;
+	}
+	switch (message->get_subtype(message))
+	{
+		case SIM_START:
+			status = process_start(this, message, out);
+			break;
+		case SIM_CHALLENGE:
+			status = process_challenge(this, message, out);
+			break;
+		case SIM_REAUTHENTICATION:
+			status = process_reauthentication(this, message, out);
+			break;
+		case SIM_CLIENT_ERROR:
+			status = process_client_error(this, message);
+			break;
+		default:
+			DBG1(DBG_IKE, "unable to process EAP-SIM subtype %N",
+				 simaka_subtype_names, message->get_subtype(message));
+			status = FAILED;
+			break;
+	}
+	message->destroy(message);
+	return status;
+}
+
+/**
+ * Implementation of eap_method_t.get_type.
+ */
+static eap_type_t get_type(private_eap_sim_server_t *this, u_int32_t *vendor)
+{
+	*vendor = 0;
+	return EAP_SIM;
+}
+
+/**
+ * Implementation of eap_method_t.get_msk.
+ */
+static status_t get_msk(private_eap_sim_server_t *this, chunk_t *msk)
+{
+	if (this->msk.ptr)
+	{
+		*msk = this->msk;
+		return SUCCESS;
+	}
+	return FAILED;
+}
+
+/**
+ * Implementation of eap_method_t.is_mutual.
+ */
+static bool is_mutual(private_eap_sim_server_t *this)
+{
+	return TRUE;
+}
+
+/**
+ * Implementation of eap_method_t.destroy.
+ */
+static void destroy(private_eap_sim_server_t *this)
+{
+	this->crypto->destroy(this->crypto);
+	this->permanent->destroy(this->permanent);
+	DESTROY_IF(this->pseudonym);
+	DESTROY_IF(this->reauth);
+	free(this->sreses.ptr);
+	free(this->nonce.ptr);
+	free(this->msk.ptr);
+	free(this->counter.ptr);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+eap_sim_server_t *eap_sim_server_create(identification_t *server,
+										identification_t *peer)
+{
+	private_eap_sim_server_t *this = malloc_thing(private_eap_sim_server_t);
+
+	this->public.interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate;
+	this->public.interface.process = (status_t(*)(eap_method_t*,eap_payload_t*,eap_payload_t**))process;
+	this->public.interface.get_type = (eap_type_t(*)(eap_method_t*,u_int32_t*))get_type;
+	this->public.interface.is_mutual = (bool(*)(eap_method_t*))is_mutual;
+	this->public.interface.get_msk = (status_t(*)(eap_method_t*,chunk_t*))get_msk;
+	this->public.interface.destroy = (void(*)(eap_method_t*))destroy;
+
+	this->crypto = simaka_crypto_create();
+	if (!this->crypto)
+	{
+		free(this);
+		return NULL;
+	}
+	this->permanent = peer->clone(peer);
+	this->pseudonym = NULL;
+	this->reauth = NULL;
+	this->sreses = chunk_empty;
+	this->nonce = chunk_empty;
+	this->msk = chunk_empty;
+	this->counter = chunk_empty;
+	this->pending = 0;
+	this->use_reauth = this->use_pseudonym = this->use_permanent =
+		lib->settings->get_bool(lib->settings,
+								"charon.plugins.eap-sim.request_identity", TRUE);
+
+	/* generate a non-zero identifier */
+	do {
+		this->identifier = random();
+	} while (!this->identifier);
+
+	return &this->public;
+}
+
diff --git a/src/charon/plugins/eap_sim/eap_sim_server.h b/src/charon/plugins/eap_sim/eap_sim_server.h
new file mode 100644
index 000000000..978e1e1e9
--- /dev/null
+++ b/src/charon/plugins/eap_sim/eap_sim_server.h
@@ -0,0 +1,57 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_sim_server eap_sim_server
+ * @{ @ingroup eap_sim
+ */
+
+#ifndef EAP_SIM_SERVER_H_
+#define EAP_SIM_SERVER_H_
+
+#include <sa/authenticators/eap/eap_method.h>
+
+typedef struct eap_sim_server_t eap_sim_server_t;
+
+/**
+ * EAP-SIM server implementation.
+ *
+ * This EAP-SIM module uses sim_provider_t implementations for triplet
+ * calculation, found via the eap_sim_manager_t.
+ */
+struct eap_sim_server_t {
+
+	/**
+	 * Implemented eap_method_t interface.
+	 */
+	eap_method_t interface;
+
+	/**
+	 * Destroy a eap_sim_server_t.
+	 */
+	void (*destroy)(eap_sim_server_t *this);
+};
+
+/**
+ * Creates the EAP method EAP-SIM acting as server.
+ *
+ * @param server	ID of the EAP server
+ * @param peer		ID of the EAP peer
+ * @return			eap_sim_t object
+ */
+eap_sim_server_t *eap_sim_server_create(identification_t *server,
+										identification_t *peer);
+
+#endif /** EAP_SIM_SERVER_H_ @}*/
diff --git a/src/charon/plugins/eap_sim_file/Makefile.am b/src/charon/plugins/eap_sim_file/Makefile.am
index 1cd1dd9e2..350d4244f 100644
--- a/src/charon/plugins/eap_sim_file/Makefile.am
+++ b/src/charon/plugins/eap_sim_file/Makefile.am
@@ -1,14 +1,14 @@
 
 INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
 
-AM_CFLAGS = -rdynamic -DIPSEC_CONFDIR=\"${confdir}\"
+AM_CFLAGS = -rdynamic -DIPSEC_CONFDIR=\"${sysconfdir}\"
 
-plugin_LTLIBRARIES = libstrongswan-eapsim-file.la
+plugin_LTLIBRARIES = libstrongswan-eap-sim-file.la
 
-libstrongswan_eapsim_file_la_SOURCES = \
+libstrongswan_eap_sim_file_la_SOURCES = \
   eap_sim_file_plugin.h eap_sim_file_plugin.c \
   eap_sim_file_card.h eap_sim_file_card.c \
   eap_sim_file_provider.h eap_sim_file_provider.c \
   eap_sim_file_triplets.h eap_sim_file_triplets.c
-libstrongswan_eapsim_file_la_LDFLAGS = -module -avoid-version
+libstrongswan_eap_sim_file_la_LDFLAGS = -module -avoid-version
 
diff --git a/src/charon/plugins/eap_sim_file/Makefile.in b/src/charon/plugins/eap_sim_file/Makefile.in
index b19cc839f..232c2a133 100644
--- a/src/charon/plugins/eap_sim_file/Makefile.in
+++ b/src/charon/plugins/eap_sim_file/Makefile.in
@@ -1,8 +1,9 @@
-# Makefile.in generated by automake 1.10.2 from Makefile.am.
+# Makefile.in generated by automake 1.11 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,8 +17,9 @@
 
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
@@ -35,33 +37,56 @@ host_triplet = @host@
 subdir = src/charon/plugins/eap_sim_file
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
 CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
 am__vpath_adj = case $$p in \
     $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
     *) f=$$p;; \
   esac;
-am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__installdirs = "$(DESTDIR)$(plugindir)"
-pluginLTLIBRARIES_INSTALL = $(INSTALL)
 LTLIBRARIES = $(plugin_LTLIBRARIES)
-libstrongswan_eapsim_file_la_LIBADD =
-am_libstrongswan_eapsim_file_la_OBJECTS = eap_sim_file_plugin.lo \
+libstrongswan_eap_sim_file_la_LIBADD =
+am_libstrongswan_eap_sim_file_la_OBJECTS = eap_sim_file_plugin.lo \
 	eap_sim_file_card.lo eap_sim_file_provider.lo \
 	eap_sim_file_triplets.lo
-libstrongswan_eapsim_file_la_OBJECTS =  \
-	$(am_libstrongswan_eapsim_file_la_OBJECTS)
-libstrongswan_eapsim_file_la_LINK = $(LIBTOOL) --tag=CC \
+libstrongswan_eap_sim_file_la_OBJECTS =  \
+	$(am_libstrongswan_eap_sim_file_la_OBJECTS)
+libstrongswan_eap_sim_file_la_LINK = $(LIBTOOL) --tag=CC \
 	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
-	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_eapsim_file_la_LDFLAGS) \
-	$(LDFLAGS) -o $@
+	$(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_eap_sim_file_la_LDFLAGS) $(LDFLAGS) -o $@
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
+am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
@@ -71,8 +96,8 @@ CCLD = $(CC)
 LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
 	$(LDFLAGS) -o $@
-SOURCES = $(libstrongswan_eapsim_file_la_SOURCES)
-DIST_SOURCES = $(libstrongswan_eapsim_file_la_SOURCES)
+SOURCES = $(libstrongswan_eap_sim_file_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_eap_sim_file_la_SOURCES)
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -109,25 +134,22 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
-IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
-LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
-LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
-LINUX_HEADERS = @LINUX_HEADERS@
 LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
 NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
@@ -139,11 +161,14 @@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
 PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
+RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
@@ -172,9 +197,9 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
-confdir = @confdir@
 datadir = @datadir@
 datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
@@ -197,7 +222,7 @@ ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
 libstrongswan_plugins = @libstrongswan_plugins@
-linuxdir = @linuxdir@
+linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
@@ -205,6 +230,7 @@ mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
@@ -213,10 +239,12 @@ pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+random_device = @random_device@
 resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
-simreader = @simreader@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
@@ -224,18 +252,19 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
-AM_CFLAGS = -rdynamic -DIPSEC_CONFDIR=\"${confdir}\"
-plugin_LTLIBRARIES = libstrongswan-eapsim-file.la
-libstrongswan_eapsim_file_la_SOURCES = \
+AM_CFLAGS = -rdynamic -DIPSEC_CONFDIR=\"${sysconfdir}\"
+plugin_LTLIBRARIES = libstrongswan-eap-sim-file.la
+libstrongswan_eap_sim_file_la_SOURCES = \
   eap_sim_file_plugin.h eap_sim_file_plugin.c \
   eap_sim_file_card.h eap_sim_file_card.c \
   eap_sim_file_provider.h eap_sim_file_provider.c \
   eap_sim_file_triplets.h eap_sim_file_triplets.c
 
-libstrongswan_eapsim_file_la_LDFLAGS = -module -avoid-version
+libstrongswan_eap_sim_file_la_LDFLAGS = -module -avoid-version
 all: all-am
 
 .SUFFIXES:
@@ -249,9 +278,9 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/charon/plugins/eap_sim_file/Makefile'; \
-	cd $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu  src/charon/plugins/eap_sim_file/Makefile
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/charon/plugins/eap_sim_file/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/charon/plugins/eap_sim_file/Makefile
 .PRECIOUS: Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
@@ -269,23 +298,28 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
 	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
 	  if test -f $$p; then \
-	    f=$(am__strip_dir) \
-	    echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(plugindir)/$$f'"; \
-	    $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(plugindir)/$$f"; \
+	    list2="$$list2 $$p"; \
 	  else :; fi; \
-	done
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
 
 uninstall-pluginLTLIBRARIES:
 	@$(NORMAL_UNINSTALL)
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
-	  p=$(am__strip_dir) \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$p'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$p"; \
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
 	done
 
 clean-pluginLTLIBRARIES:
@@ -296,8 +330,8 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-eapsim-file.la: $(libstrongswan_eapsim_file_la_OBJECTS) $(libstrongswan_eapsim_file_la_DEPENDENCIES) 
-	$(libstrongswan_eapsim_file_la_LINK) -rpath $(plugindir) $(libstrongswan_eapsim_file_la_OBJECTS) $(libstrongswan_eapsim_file_la_LIBADD) $(LIBS)
+libstrongswan-eap-sim-file.la: $(libstrongswan_eap_sim_file_la_OBJECTS) $(libstrongswan_eap_sim_file_la_DEPENDENCIES) 
+	$(libstrongswan_eap_sim_file_la_LINK) -rpath $(plugindir) $(libstrongswan_eap_sim_file_la_OBJECTS) $(libstrongswan_eap_sim_file_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -312,21 +346,21 @@ distclean-compile:
 
 .c.o:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c $<
 
 .c.obj:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
 @am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
@@ -349,7 +383,7 @@ tags: TAGS
 
 TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
+	set x; \
 	here=`pwd`; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
@@ -357,29 +391,34 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
 	  test -n "$$unique" || unique=$$empty_fix; \
-	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	    $$tags $$unique; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
 	fi
 ctags: CTAGS
 CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	test -z "$(CTAGS_ARGS)$$unique" \
 	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$tags $$unique
+	     $$unique
 
 GTAGS:
 	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && cd $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) $$here
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
 
 distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
@@ -400,13 +439,17 @@ distdir: $(DISTFILES)
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
 	  if test -d $$d/$$file; then \
 	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
 	    fi; \
-	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
 	  else \
-	    test -f $(distdir)/$$file \
-	    || cp -p $$d/$$file $(distdir)/$$file \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
 	    || exit 1; \
 	  fi; \
 	done
@@ -437,6 +480,7 @@ clean-generic:
 
 distclean-generic:
 	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -458,6 +502,8 @@ dvi-am:
 
 html: html-am
 
+html-am:
+
 info: info-am
 
 info-am:
@@ -466,18 +512,28 @@ install-data-am: install-pluginLTLIBRARIES
 
 install-dvi: install-dvi-am
 
+install-dvi-am:
+
 install-exec-am:
 
 install-html: install-html-am
 
+install-html-am:
+
 install-info: install-info-am
 
+install-info-am:
+
 install-man:
 
 install-pdf: install-pdf-am
 
+install-pdf-am:
+
 install-ps: install-ps-am
 
+install-ps-am:
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -516,6 +572,7 @@ uninstall-am: uninstall-pluginLTLIBRARIES
 	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
 	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
 
+
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/src/charon/plugins/eap_sim_file/eap_sim_file_card.c b/src/charon/plugins/eap_sim_file/eap_sim_file_card.c
index 7d441ffb2..d132a38f6 100644
--- a/src/charon/plugins/eap_sim_file/eap_sim_file_card.c
+++ b/src/charon/plugins/eap_sim_file/eap_sim_file_card.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008 Martin Willi
+ * Copyright (C) 2008-2009 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -15,54 +15,53 @@
 
 #include "eap_sim_file_card.h"
 
+#include <daemon.h>
+
 typedef struct private_eap_sim_file_card_t private_eap_sim_file_card_t;
 
 /**
  * Private data of an eap_sim_file_card_t object.
  */
 struct private_eap_sim_file_card_t {
-	
+
 	/**
 	 * Public eap_sim_file_card_t interface.
 	 */
 	eap_sim_file_card_t public;
-	
+
 	/**
-	 * IMSI, is ID_ANY for file implementation
+	 * source of triplets
 	 */
-	identification_t *imsi;
-	
-	/**
- 	 * source of triplets
- 	 */
 	eap_sim_file_triplets_t *triplets;
 };
 
-#include <daemon.h>
-
 /**
  * Implementation of sim_card_t.get_triplet
  */
 static bool get_triplet(private_eap_sim_file_card_t *this,
-						char *rand, char *sres, char *kc)
+						identification_t *id, char *rand, char *sres, char *kc)
 {
 	enumerator_t *enumerator;
-	identification_t *id;
+	identification_t *cand;
 	char *c_rand, *c_sres, *c_kc;
-	
-	DBG2(DBG_CFG, "looking for rand: %b", rand, RAND_LEN);
-	
+
+	DBG2(DBG_CFG, "looking for triplet: %Y rand %b", id, rand, SIM_RAND_LEN);
+
 	enumerator = this->triplets->create_enumerator(this->triplets);
-	while (enumerator->enumerate(enumerator, &id, &c_rand, &c_sres, &c_kc))
+	while (enumerator->enumerate(enumerator, &cand, &c_rand, &c_sres, &c_kc))
 	{
-		DBG2(DBG_CFG, "found triplet: rand %b\nsres %b\n kc %b",
-			 c_rand, RAND_LEN, c_sres, SRES_LEN, c_kc, KC_LEN);
-		if (memeq(c_rand, rand, RAND_LEN))
+		DBG2(DBG_CFG, "got a triplet: %Y rand %b\nsres %b\n kc %b", cand,
+			 c_rand, SIM_RAND_LEN, c_sres, SIM_SRES_LEN, c_kc, SIM_KC_LEN);
+		if (id->matches(id, cand))
 		{
-			memcpy(sres, c_sres, SRES_LEN);
-			memcpy(kc, c_kc, KC_LEN);
-			enumerator->destroy(enumerator);
-			return TRUE;
+			if (memeq(c_rand, rand, SIM_RAND_LEN))
+			{
+				DBG2(DBG_CFG, "  => triplet matches");
+				memcpy(sres, c_sres, SIM_SRES_LEN);
+				memcpy(kc, c_kc, SIM_KC_LEN);
+				enumerator->destroy(enumerator);
+				return TRUE;
+			}
 		}
 	}
 	enumerator->destroy(enumerator);
@@ -70,11 +69,11 @@ static bool get_triplet(private_eap_sim_file_card_t *this,
 }
 
 /**
- * Implementation of sim_card_t.get_imsi
+ * Implementation of sim_card_t.get_quintuplet
  */
-static identification_t* get_imsi(private_eap_sim_file_card_t *this)
+static status_t get_quintuplet()
 {
-	return this->imsi;
+	return NOT_SUPPORTED;
 }
 
 /**
@@ -82,7 +81,6 @@ static identification_t* get_imsi(private_eap_sim_file_card_t *this)
  */
 static void destroy(private_eap_sim_file_card_t *this)
 {
-	this->imsi->destroy(this->imsi);
 	free(this);
 }
 
@@ -92,15 +90,18 @@ static void destroy(private_eap_sim_file_card_t *this)
 eap_sim_file_card_t *eap_sim_file_card_create(eap_sim_file_triplets_t *triplets)
 {
 	private_eap_sim_file_card_t *this = malloc_thing(private_eap_sim_file_card_t);
-	
-	this->public.card.get_triplet = (bool(*)(sim_card_t*, char *rand, char *sres, char *kc))get_triplet;
-	this->public.card.get_imsi = (identification_t*(*)(sim_card_t*))get_imsi;
+
+	this->public.card.get_triplet = (bool(*)(sim_card_t*, identification_t *id, char rand[SIM_RAND_LEN], char sres[SIM_SRES_LEN], char kc[SIM_KC_LEN]))get_triplet;
+	this->public.card.get_quintuplet = (status_t(*)(sim_card_t*, identification_t *id, char rand[AKA_RAND_LEN], char autn[AKA_AUTN_LEN], char ck[AKA_CK_LEN], char ik[AKA_IK_LEN], char res[AKA_RES_MAX], int *res_len))get_quintuplet;
+	this->public.card.resync = (bool(*)(sim_card_t*, identification_t *id, char rand[AKA_RAND_LEN], char auts[AKA_AUTS_LEN]))return_false;
+	this->public.card.get_pseudonym = (identification_t*(*)(sim_card_t*, identification_t *perm))return_null;
+	this->public.card.set_pseudonym = (void(*)(sim_card_t*, identification_t *id, identification_t *pseudonym))nop;
+	this->public.card.get_reauth = (identification_t*(*)(sim_card_t*, identification_t *id, char mk[HASH_SIZE_SHA1], u_int16_t *counter))return_null;
+	this->public.card.set_reauth = (void(*)(sim_card_t*, identification_t *id, identification_t* next, char mk[HASH_SIZE_SHA1], u_int16_t counter))nop;
 	this->public.destroy = (void(*)(eap_sim_file_card_t*))destroy;
-	
-	/* this SIM card implementation does not have an ID, serve ID_ANY */
-	this->imsi = identification_create_from_encoding(ID_ANY, chunk_empty);
+
 	this->triplets = triplets;
-	
+
 	return &this->public;
 }
 
diff --git a/src/charon/plugins/eap_sim_file/eap_sim_file_card.h b/src/charon/plugins/eap_sim_file/eap_sim_file_card.h
index e7160a33b..1a5470968 100644
--- a/src/charon/plugins/eap_sim_file/eap_sim_file_card.h
+++ b/src/charon/plugins/eap_sim_file/eap_sim_file_card.h
@@ -36,7 +36,7 @@ struct eap_sim_file_card_t {
 	 * Implements sim_card_t interface
 	 */
 	sim_card_t card;
-	
+
 	/**
 	 * Destroy a eap_sim_file_card_t.
 	 */
@@ -50,4 +50,4 @@ struct eap_sim_file_card_t {
  */
 eap_sim_file_card_t *eap_sim_file_card_create(eap_sim_file_triplets_t *triplets);
 
-#endif /** EAP_SIM_FILE_CARD_ @}*/
+#endif /** EAP_SIM_FILE_CARD_H_ @}*/
diff --git a/src/charon/plugins/eap_sim_file/eap_sim_file_plugin.c b/src/charon/plugins/eap_sim_file/eap_sim_file_plugin.c
index eb6fb4c9c..22ad31703 100644
--- a/src/charon/plugins/eap_sim_file/eap_sim_file_plugin.c
+++ b/src/charon/plugins/eap_sim_file/eap_sim_file_plugin.c
@@ -28,22 +28,22 @@ typedef struct private_eap_sim_file_t private_eap_sim_file_t;
  * Private data of an eap_sim_file_t object.
  */
 struct private_eap_sim_file_t {
-	
+
 	/**
 	 * Public eap_sim_file_plugin_t interface.
 	 */
 	eap_sim_file_plugin_t public;
-	
+
 	/**
 	 * SIM card
 	 */
 	eap_sim_file_card_t *card;
-	
+
 	/**
 	 * SIM provider
 	 */
 	eap_sim_file_provider_t *provider;
-	
+
 	/**
 	 * Triplet source
 	 */
@@ -69,16 +69,22 @@ static void destroy(private_eap_sim_file_t *this)
 plugin_t *plugin_create()
 {
 	private_eap_sim_file_t *this = malloc_thing(private_eap_sim_file_t);
-	
+
 	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-	
+
 	this->triplets = eap_sim_file_triplets_create(TRIPLET_FILE);
-	this->card = eap_sim_file_card_create(this->triplets);
 	this->provider = eap_sim_file_provider_create(this->triplets);
-	
+	if (!this->provider)
+	{
+		this->triplets->destroy(this->triplets);
+		free(this);
+		return NULL;
+	}
+	this->card = eap_sim_file_card_create(this->triplets);
+
 	charon->sim->add_card(charon->sim, &this->card->card);
 	charon->sim->add_provider(charon->sim, &this->provider->provider);
-	
+
 	return &this->public.plugin;
 }
 
diff --git a/src/charon/plugins/eap_sim_file/eap_sim_file_provider.c b/src/charon/plugins/eap_sim_file/eap_sim_file_provider.c
index 89866ade6..9bee31fc3 100644
--- a/src/charon/plugins/eap_sim_file/eap_sim_file_provider.c
+++ b/src/charon/plugins/eap_sim_file/eap_sim_file_provider.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008 Martin Willi
+ * Copyright (C) 2008-2009 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -15,21 +15,23 @@
 
 #include "eap_sim_file_provider.h"
 
+#include <daemon.h>
+
 typedef struct private_eap_sim_file_provider_t private_eap_sim_file_provider_t;
 
 /**
  * Private data of an eap_sim_file_provider_t object.
  */
 struct private_eap_sim_file_provider_t {
-	
+
 	/**
 	 * Public eap_sim_file_provider_t interface.
 	 */
 	eap_sim_file_provider_t public;
-	
+
 	/**
- 	 * source of triplets
- 	 */
+	 * source of triplets
+	 */
 	eap_sim_file_triplets_t *triplets;
 };
 
@@ -37,21 +39,20 @@ struct private_eap_sim_file_provider_t {
  * Implementation of sim_provider_t.get_triplet
  */
 static bool get_triplet(private_eap_sim_file_provider_t *this,
-						identification_t *imsi,
-						char *rand, char *sres, char *kc)
+						identification_t *id, char *rand, char *sres, char *kc)
 {
 	enumerator_t *enumerator;
-	identification_t *id;
+	identification_t *cand;
 	char *c_rand, *c_sres, *c_kc;
-	
+
 	enumerator = this->triplets->create_enumerator(this->triplets);
-	while (enumerator->enumerate(enumerator, &id, &c_rand, &c_sres, &c_kc))
+	while (enumerator->enumerate(enumerator, &cand, &c_rand, &c_sres, &c_kc))
 	{
-		if (imsi->matches(imsi, id))
+		if (id->matches(id, cand))
 		{
-			memcpy(rand, c_rand, RAND_LEN);
-			memcpy(sres, c_sres, SRES_LEN);
-			memcpy(kc, c_kc, KC_LEN);
+			memcpy(rand, c_rand, SIM_RAND_LEN);
+			memcpy(sres, c_sres, SIM_SRES_LEN);
+			memcpy(kc, c_kc, SIM_KC_LEN);
 			enumerator->destroy(enumerator);
 			return TRUE;
 		}
@@ -75,12 +76,18 @@ eap_sim_file_provider_t *eap_sim_file_provider_create(
 											eap_sim_file_triplets_t *triplets)
 {
 	private_eap_sim_file_provider_t *this = malloc_thing(private_eap_sim_file_provider_t);
-	
-	this->public.provider.get_triplet = (bool(*)(sim_provider_t*, identification_t *imsi, char rand[16], char sres[4], char kc[8]))get_triplet;
+
+	this->public.provider.get_triplet = (bool(*)(sim_provider_t*, identification_t *id, char rand[SIM_RAND_LEN], char sres[SIM_SRES_LEN], char kc[SIM_KC_LEN]))get_triplet;
+	this->public.provider.get_quintuplet = (bool(*)(sim_provider_t*, identification_t *id, char rand[AKA_RAND_LEN], char xres[AKA_RES_MAX], int *xres_len, char ck[AKA_CK_LEN], char ik[AKA_IK_LEN], char autn[AKA_AUTN_LEN]))return_false;
+	this->public.provider.resync = (bool(*)(sim_provider_t*, identification_t *id, char rand[AKA_RAND_LEN], char auts[AKA_AUTS_LEN]))return_false;
+	this->public.provider.is_pseudonym = (identification_t*(*)(sim_provider_t*, identification_t *id))return_null;
+	this->public.provider.gen_pseudonym = (identification_t*(*)(sim_provider_t*, identification_t *id))return_null;
+	this->public.provider.is_reauth = (identification_t*(*)(sim_provider_t*, identification_t *id, char [HASH_SIZE_SHA1], u_int16_t *counter))return_null;
+	this->public.provider.gen_reauth = (identification_t*(*)(sim_provider_t*, identification_t *id, char mk[HASH_SIZE_SHA1]))return_null;
 	this->public.destroy = (void(*)(eap_sim_file_provider_t*))destroy;
-	
+
 	this->triplets = triplets;
-	
+
 	return &this->public;
 }
 
diff --git a/src/charon/plugins/eap_sim_file/eap_sim_file_provider.h b/src/charon/plugins/eap_sim_file/eap_sim_file_provider.h
index ec3bfb469..10fda282a 100644
--- a/src/charon/plugins/eap_sim_file/eap_sim_file_provider.h
+++ b/src/charon/plugins/eap_sim_file/eap_sim_file_provider.h
@@ -23,8 +23,6 @@
 
 #include "eap_sim_file_triplets.h"
 
-#include <sa/authenticators/eap/sim_manager.h>
-
 typedef struct eap_sim_file_provider_t eap_sim_file_provider_t;
 
 /**
@@ -36,7 +34,7 @@ struct eap_sim_file_provider_t {
 	 * Implements sim_provider_t interface.
 	 */
 	sim_provider_t provider;
-	
+
 	/**
 	 * Destroy a eap_sim_file_provider_t.
 	 */
@@ -49,4 +47,4 @@ struct eap_sim_file_provider_t {
 eap_sim_file_provider_t *eap_sim_file_provider_create(
 											eap_sim_file_triplets_t *triplets);
 
-#endif /** EAP_SIM_FILE_PROVIDER_ @}*/
+#endif /** EAP_SIM_FILE_PROVIDER_H_ @}*/
diff --git a/src/charon/plugins/eap_sim_file/eap_sim_file_triplets.c b/src/charon/plugins/eap_sim_file/eap_sim_file_triplets.c
index e27ed6860..6b7d99fb7 100644
--- a/src/charon/plugins/eap_sim_file/eap_sim_file_triplets.c
+++ b/src/charon/plugins/eap_sim_file/eap_sim_file_triplets.c
@@ -20,7 +20,7 @@
 
 #include <daemon.h>
 #include <utils/linked_list.h>
-#include <utils/mutex.h>
+#include <threading/mutex.h>
 
 typedef struct private_eap_sim_file_triplets_t private_eap_sim_file_triplets_t;
 
@@ -28,17 +28,17 @@ typedef struct private_eap_sim_file_triplets_t private_eap_sim_file_triplets_t;
  * Private data of an eap_sim_file_triplets_t object.
  */
 struct private_eap_sim_file_triplets_t {
-	
+
 	/**
 	 * Public eap_sim_file_triplets_t interface.
 	 */
 	eap_sim_file_triplets_t public;
-	
+
 	/**
 	 * List of triplets, as triplet_t
 	 */
 	linked_list_t *triplets;
-	
+
 	/**
 	 * mutex to lock triplets list
 	 */
@@ -50,9 +50,9 @@ struct private_eap_sim_file_triplets_t {
  */
 typedef struct  {
 	identification_t *imsi;
-	char rand[RAND_LEN];
-	char sres[SRES_LEN];
-	char kc[KC_LEN];
+	char rand[SIM_RAND_LEN];
+	char sres[SIM_SRES_LEN];
+	char kc[SIM_KC_LEN];
 } triplet_t;
 
 /**
@@ -60,7 +60,7 @@ typedef struct  {
  */
 static void triplet_destroy(triplet_t *this)
 {
-	this->imsi->destroy(this->imsi);
+	DESTROY_IF(this->imsi);
 	free(this);
 }
 
@@ -103,7 +103,7 @@ static bool enumerator_enumerate(triplet_enumerator_t *e, identification_t **ims
 								 char **rand, char **sres, char **kc)
 {
 	triplet_t *triplet;
-	
+
 	if (e->inner->enumerate(e->inner, &triplet))
 	{
 		e->current = triplet;
@@ -123,14 +123,14 @@ static bool enumerator_enumerate(triplet_enumerator_t *e, identification_t **ims
 static enumerator_t* create_enumerator(private_eap_sim_file_triplets_t *this)
 {
 	triplet_enumerator_t *enumerator = malloc_thing(triplet_enumerator_t);
-	
+
 	this->mutex->lock(this->mutex);
 	enumerator->public.enumerate = (void*)enumerator_enumerate;
 	enumerator->public.destroy = (void*)enumerator_destroy;
 	enumerator->inner = this->triplets->create_enumerator(this->triplets);
 	enumerator->current = NULL;
 	enumerator->this = this;
-	
+
 	return &enumerator->public;
 }
 
@@ -140,7 +140,7 @@ static enumerator_t* create_enumerator(private_eap_sim_file_triplets_t *this)
 static void parse_token(char *to, char *from, size_t len)
 {
 	chunk_t chunk;
-	
+
 	chunk = chunk_create(from, min(strlen(from), len * 2));
 	chunk = chunk_from_hex(chunk, NULL);
 	memset(to, 0, len);
@@ -156,22 +156,22 @@ static void read_triplets(private_eap_sim_file_triplets_t *this, char *path)
 	char line[512];
 	FILE *file;
 	int i, nr = 0;
-	
+
 	file = fopen(path, "r");
 	if (file == NULL)
 	{
-		DBG1(DBG_CFG, "opening triplet file %s failed: %s", 
+		DBG1(DBG_CFG, "opening triplet file %s failed: %s",
 			 path, strerror(errno));
 		return;
 	}
-	
+
 	/* read line by line */
 	while (fgets(line, sizeof(line), file))
 	{
 		triplet_t *triplet;
 		enumerator_t *enumerator;
 		char *token;
-		
+
 		nr++;
 		/* skip comments, empty lines */
 		switch (line[0])
@@ -186,7 +186,7 @@ static void read_triplets(private_eap_sim_file_triplets_t *this, char *path)
 		}
 		triplet = malloc_thing(triplet_t);
 		memset(triplet, 0, sizeof(triplet_t));
-		
+
 		i = 0;
 		enumerator = enumerator_create_token(line, ",", " \n\r#");
 		while (enumerator->enumerate(enumerator, &token))
@@ -197,13 +197,13 @@ static void read_triplets(private_eap_sim_file_triplets_t *this, char *path)
 					triplet->imsi = identification_create_from_string(token);
 					continue;
 				case 1: /* rand */
-					parse_token(triplet->rand, token, RAND_LEN);
+					parse_token(triplet->rand, token, SIM_RAND_LEN);
 					continue;
 				case 2: /* sres */
-					parse_token(triplet->sres, token, SRES_LEN);
+					parse_token(triplet->sres, token, SIM_SRES_LEN);
 					continue;
 				case 3: /* kc */
-					parse_token(triplet->kc, token, KC_LEN);
+					parse_token(triplet->kc, token, SIM_KC_LEN);
 					continue;
 				default:
 					break;;
@@ -217,15 +217,15 @@ static void read_triplets(private_eap_sim_file_triplets_t *this, char *path)
 			triplet_destroy(triplet);
 			continue;
 		}
-		
+
 		DBG2(DBG_CFG, "triplet: imsi %Y\nrand %b\nsres %b\nkc %b",
-			 triplet->imsi, triplet->rand, RAND_LEN,
-			 triplet->sres, SRES_LEN, triplet->kc, KC_LEN);
-			 
+			 triplet->imsi, triplet->rand, SIM_RAND_LEN,
+			 triplet->sres, SIM_SRES_LEN, triplet->kc, SIM_KC_LEN);
+
 		this->triplets->insert_last(this->triplets, triplet);
 	}
 	fclose(file);
-	
+
 	DBG1(DBG_CFG, "read %d triplets from %s",
 		 this->triplets->get_count(this->triplets), path);
 }
@@ -246,15 +246,15 @@ static void destroy(private_eap_sim_file_triplets_t *this)
 eap_sim_file_triplets_t *eap_sim_file_triplets_create(char *file)
 {
 	private_eap_sim_file_triplets_t *this = malloc_thing(private_eap_sim_file_triplets_t);
-	
+
 	this->public.create_enumerator = (enumerator_t*(*)(eap_sim_file_triplets_t*))create_enumerator;
 	this->public.destroy = (void(*)(eap_sim_file_triplets_t*))destroy;
-	
+
 	this->triplets = linked_list_create();
 	this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
-	
+
 	read_triplets(this, file);
-	
+
 	return &this->public;
 }
 
diff --git a/src/charon/plugins/eap_sim_file/eap_sim_file_triplets.h b/src/charon/plugins/eap_sim_file/eap_sim_file_triplets.h
index d4ff2a781..8f8130810 100644
--- a/src/charon/plugins/eap_sim_file/eap_sim_file_triplets.h
+++ b/src/charon/plugins/eap_sim_file/eap_sim_file_triplets.h
@@ -21,23 +21,7 @@
 #ifndef EAP_SIM_FILE_TRIPLETS_H_
 #define EAP_SIM_FILE_TRIPLETS_H_
 
-#include <utils/enumerator.h>
-#include <utils/identification.h>
-
-/**
- * size of RAND value
- */
-#define RAND_LEN 16
-
-/**
- * size of SRES value
- */
-#define SRES_LEN 4
-
-/**
- * size of KC value
- */
-#define KC_LEN 8
+#include <sa/authenticators/eap/sim_manager.h>
 
 typedef struct eap_sim_file_triplets_t eap_sim_file_triplets_t;
 
@@ -69,4 +53,4 @@ struct eap_sim_file_triplets_t {
  */
 eap_sim_file_triplets_t *eap_sim_file_triplets_create(char *file);
 
-#endif /** EAP_SIM_FILE_TRIPLETS_ @}*/
+#endif /** EAP_SIM_FILE_TRIPLETS_H_ @}*/
diff --git a/src/charon/plugins/eap_simaka_pseudonym/Makefile.am b/src/charon/plugins/eap_simaka_pseudonym/Makefile.am
new file mode 100644
index 000000000..fe87d6d62
--- /dev/null
+++ b/src/charon/plugins/eap_simaka_pseudonym/Makefile.am
@@ -0,0 +1,13 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
+
+AM_CFLAGS = -rdynamic
+
+plugin_LTLIBRARIES = libstrongswan-eap-simaka-pseudonym.la
+
+libstrongswan_eap_simaka_pseudonym_la_SOURCES = \
+  eap_simaka_pseudonym_plugin.h eap_simaka_pseudonym_plugin.c \
+  eap_simaka_pseudonym_card.h eap_simaka_pseudonym_card.c \
+  eap_simaka_pseudonym_provider.h eap_simaka_pseudonym_provider.c
+libstrongswan_eap_simaka_pseudonym_la_LDFLAGS = -module -avoid-version
+
diff --git a/src/charon/plugins/eap_simaka_pseudonym/Makefile.in b/src/charon/plugins/eap_simaka_pseudonym/Makefile.in
new file mode 100644
index 000000000..392331fb1
--- /dev/null
+++ b/src/charon/plugins/eap_simaka_pseudonym/Makefile.in
@@ -0,0 +1,577 @@
+# Makefile.in generated by automake 1.11 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/charon/plugins/eap_simaka_pseudonym
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(plugin_LTLIBRARIES)
+libstrongswan_eap_simaka_pseudonym_la_LIBADD =
+am_libstrongswan_eap_simaka_pseudonym_la_OBJECTS =  \
+	eap_simaka_pseudonym_plugin.lo eap_simaka_pseudonym_card.lo \
+	eap_simaka_pseudonym_provider.lo
+libstrongswan_eap_simaka_pseudonym_la_OBJECTS =  \
+	$(am_libstrongswan_eap_simaka_pseudonym_la_OBJECTS)
+libstrongswan_eap_simaka_pseudonym_la_LINK = $(LIBTOOL) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_eap_simaka_pseudonym_la_LDFLAGS) $(LDFLAGS) -o \
+	$@
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_eap_simaka_pseudonym_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_eap_simaka_pseudonym_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libstrongswan_plugins = @libstrongswan_plugins@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
+AM_CFLAGS = -rdynamic
+plugin_LTLIBRARIES = libstrongswan-eap-simaka-pseudonym.la
+libstrongswan_eap_simaka_pseudonym_la_SOURCES = \
+  eap_simaka_pseudonym_plugin.h eap_simaka_pseudonym_plugin.c \
+  eap_simaka_pseudonym_card.h eap_simaka_pseudonym_card.c \
+  eap_simaka_pseudonym_provider.h eap_simaka_pseudonym_provider.c
+
+libstrongswan_eap_simaka_pseudonym_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/charon/plugins/eap_simaka_pseudonym/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/charon/plugins/eap_simaka_pseudonym/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-eap-simaka-pseudonym.la: $(libstrongswan_eap_simaka_pseudonym_la_OBJECTS) $(libstrongswan_eap_simaka_pseudonym_la_DEPENDENCIES) 
+	$(libstrongswan_eap_simaka_pseudonym_la_LINK) -rpath $(plugindir) $(libstrongswan_eap_simaka_pseudonym_la_OBJECTS) $(libstrongswan_eap_simaka_pseudonym_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_simaka_pseudonym_card.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_simaka_pseudonym_plugin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_simaka_pseudonym_provider.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
+	mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
+	distclean-compile distclean-generic distclean-libtool \
+	distclean-tags distdir dvi dvi-am html html-am info info-am \
+	install install-am install-data install-data-am install-dvi \
+	install-dvi-am install-exec install-exec-am install-html \
+	install-html-am install-info install-info-am install-man \
+	install-pdf install-pdf-am install-pluginLTLIBRARIES \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/charon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_card.c b/src/charon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_card.c
new file mode 100644
index 000000000..9b0f1bc71
--- /dev/null
+++ b/src/charon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_card.c
@@ -0,0 +1,154 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_simaka_pseudonym_card.h"
+
+#include <daemon.h>
+#include <utils/hashtable.h>
+
+typedef struct private_eap_simaka_pseudonym_card_t private_eap_simaka_pseudonym_card_t;
+
+/**
+ * Private data of an eap_simaka_pseudonym_card_t object.
+ */
+struct private_eap_simaka_pseudonym_card_t {
+
+	/**
+	 * Public eap_simaka_pseudonym_card_t interface.
+	 */
+	eap_simaka_pseudonym_card_t public;
+
+	/**
+	 * Permanent -> pseudonym mappings
+	 */
+	hashtable_t *pseudonym;
+
+	/**
+	 * Reverse pseudonym -> permanent mappings
+	 */
+	hashtable_t *permanent;
+};
+
+/**
+ * hashtable hash function
+ */
+static u_int hash(identification_t *key)
+{
+	return chunk_hash(key->get_encoding(key));
+}
+
+/**
+ * hashtable equals function
+ */
+static bool equals(identification_t *key1, identification_t *key2)
+{
+	return key1->equals(key1, key2);
+}
+
+/**
+ * Implementation of sim_card_t.get_pseudonym
+ */
+static identification_t *get_pseudonym(private_eap_simaka_pseudonym_card_t *this,
+									   identification_t *id)
+{
+	identification_t *pseudonym;
+
+	pseudonym = this->pseudonym->get(this->pseudonym, id);
+	if (pseudonym)
+	{
+		return pseudonym->clone(pseudonym);
+	}
+	return NULL;
+}
+
+/**
+ * Implementation of sim_card_t.set_pseudonym
+ */
+static void set_pseudonym(private_eap_simaka_pseudonym_card_t *this,
+						  identification_t *id, identification_t *pseudonym)
+{
+	identification_t *permanent;
+
+	/* create new entries */
+	id = id->clone(id);
+	pseudonym = pseudonym->clone(pseudonym);
+	permanent = this->permanent->put(this->permanent, pseudonym, id);
+	pseudonym = this->pseudonym->put(this->pseudonym, id, pseudonym);
+
+	/* delete old entries */
+	DESTROY_IF(permanent);
+	DESTROY_IF(pseudonym);
+}
+
+/**
+ * Implementation of sim_card_t.get_quintuplet
+ */
+static status_t get_quintuplet()
+{
+	return NOT_SUPPORTED;
+}
+
+/**
+ * Implementation of eap_simaka_pseudonym_card_t.destroy.
+ */
+static void destroy(private_eap_simaka_pseudonym_card_t *this)
+{
+	enumerator_t *enumerator;
+	identification_t *id;
+	void *key;
+
+	enumerator = this->pseudonym->create_enumerator(this->pseudonym);
+	while (enumerator->enumerate(enumerator, &key, &id))
+	{
+		id->destroy(id);
+	}
+	enumerator->destroy(enumerator);
+
+	enumerator = this->permanent->create_enumerator(this->permanent);
+	while (enumerator->enumerate(enumerator, &key, &id))
+	{
+		id->destroy(id);
+	}
+	enumerator->destroy(enumerator);
+
+	this->pseudonym->destroy(this->pseudonym);
+	this->permanent->destroy(this->permanent);
+	free(this);
+}
+
+/**
+ * See header
+ */
+eap_simaka_pseudonym_card_t *eap_simaka_pseudonym_card_create()
+{
+	private_eap_simaka_pseudonym_card_t *this;
+
+	this = malloc_thing(private_eap_simaka_pseudonym_card_t);
+
+	this->public.card.get_triplet = (bool(*)(sim_card_t*, identification_t *id, char rand[SIM_RAND_LEN], char sres[SIM_SRES_LEN], char kc[SIM_KC_LEN]))return_false;
+	this->public.card.get_quintuplet = (status_t(*)(sim_card_t*, identification_t *id, char rand[AKA_RAND_LEN], char autn[AKA_AUTN_LEN], char ck[AKA_CK_LEN], char ik[AKA_IK_LEN], char res[AKA_RES_MAX], int *res_len))get_quintuplet;
+	this->public.card.resync = (bool(*)(sim_card_t*, identification_t *id, char rand[AKA_RAND_LEN], char auts[AKA_AUTS_LEN]))return_false;
+	this->public.card.get_pseudonym = (identification_t*(*)(sim_card_t*, identification_t *perm))get_pseudonym;
+	this->public.card.set_pseudonym = (void(*)(sim_card_t*, identification_t *id, identification_t *pseudonym))set_pseudonym;
+	this->public.card.get_reauth = (identification_t*(*)(sim_card_t*, identification_t *id, char mk[HASH_SIZE_SHA1], u_int16_t *counter))return_null;
+	this->public.card.set_reauth = (void(*)(sim_card_t*, identification_t *id, identification_t* next, char mk[HASH_SIZE_SHA1], u_int16_t counter))nop;
+	this->public.destroy = (void(*)(eap_simaka_pseudonym_card_t*))destroy;
+
+	this->pseudonym = hashtable_create((void*)hash, (void*)equals, 0);
+	this->permanent = hashtable_create((void*)hash, (void*)equals, 0);
+
+	return &this->public;
+}
+
diff --git a/src/charon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_card.h b/src/charon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_card.h
new file mode 100644
index 000000000..1b5940fdc
--- /dev/null
+++ b/src/charon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_card.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_simaka_pseudonym_card eap_simaka_pseudonym_card
+ * @{ @ingroup eap_simaka_pseudonym
+ */
+
+#ifndef EAP_SIMAKA_PSEUDONYM_CARD_H_
+#define EAP_SIMAKA_PSEUDONYM_CARD_H_
+
+#include <sa/authenticators/eap/sim_manager.h>
+
+typedef struct eap_simaka_pseudonym_card_t eap_simaka_pseudonym_card_t;
+
+/**
+ * SIM card implementing volatile in-memory pseudonym storage.
+ */
+struct eap_simaka_pseudonym_card_t {
+
+	/**
+	 * Implements sim_card_t interface
+	 */
+	sim_card_t card;
+
+	/**
+	 * Destroy a eap_simaka_pseudonym_card_t.
+	 */
+	void (*destroy)(eap_simaka_pseudonym_card_t *this);
+};
+
+/**
+ * Create a eap_simaka_pseudonym_card instance.
+ */
+eap_simaka_pseudonym_card_t *eap_simaka_pseudonym_card_create();
+
+#endif /** EAP_SIMAKA_PSEUDONYM_CARD_H_ @}*/
diff --git a/src/charon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_plugin.c b/src/charon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_plugin.c
new file mode 100644
index 000000000..e4e179a7d
--- /dev/null
+++ b/src/charon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_plugin.c
@@ -0,0 +1,81 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_simaka_pseudonym_plugin.h"
+#include "eap_simaka_pseudonym_card.h"
+#include "eap_simaka_pseudonym_provider.h"
+
+#include <daemon.h>
+
+typedef struct private_eap_simaka_pseudonym_t private_eap_simaka_pseudonym_t;
+
+/**
+ * Private data of an eap_simaka_pseudonym_t object.
+ */
+struct private_eap_simaka_pseudonym_t {
+
+	/**
+	 * Public eap_simaka_pseudonym_plugin_t interface.
+	 */
+	eap_simaka_pseudonym_plugin_t public;
+
+	/**
+	 * SIM card
+	 */
+	eap_simaka_pseudonym_card_t *card;
+
+	/**
+	 * SIM provider
+	 */
+	eap_simaka_pseudonym_provider_t *provider;
+};
+
+/**
+ * Implementation of eap_simaka_pseudonym_t.destroy.
+ */
+static void destroy(private_eap_simaka_pseudonym_t *this)
+{
+	charon->sim->remove_card(charon->sim, &this->card->card);
+	charon->sim->remove_provider(charon->sim, &this->provider->provider);
+	this->card->destroy(this->card);
+	this->provider->destroy(this->provider);
+	free(this);
+}
+
+/**
+ * See header
+ */
+plugin_t *plugin_create()
+{
+	private_eap_simaka_pseudonym_t *this;
+
+	this = malloc_thing(private_eap_simaka_pseudonym_t);
+
+	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+
+	this->provider = eap_simaka_pseudonym_provider_create();
+	if (!this->provider)
+	{
+		free(this);
+		return NULL;
+	}
+	this->card = eap_simaka_pseudonym_card_create();
+
+	charon->sim->add_card(charon->sim, &this->card->card);
+	charon->sim->add_provider(charon->sim, &this->provider->provider);
+
+	return &this->public.plugin;
+}
+
diff --git a/src/charon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_plugin.h b/src/charon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_plugin.h
new file mode 100644
index 000000000..032604eb1
--- /dev/null
+++ b/src/charon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_plugin.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_simaka_pseudonym eap_simaka_pseudonym
+ * @ingroup cplugins
+ *
+ * @defgroup eap_simaka_pseudonym_plugin eap_simaka_pseudonym_plugin
+ * @{ @ingroup eap_simaka_pseudonym
+ */
+
+#ifndef EAP_SIMAKA_PSEUDONYM_PLUGIN_H_
+#define EAP_SIMAKA_PSEUDONYM_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct eap_simaka_pseudonym_plugin_t eap_simaka_pseudonym_plugin_t;
+
+/**
+ * Plugin to provide in-memory storage of EAP-SIM/AKA pseudonyms.
+ */
+struct eap_simaka_pseudonym_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+/**
+ * Create a eap_simaka_pseudonym_plugin instance.
+ */
+plugin_t *plugin_create();
+
+#endif /** EAP_SIMAKA_PSEUDONYM_PLUGIN_H_ @}*/
diff --git a/src/charon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_provider.c b/src/charon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_provider.c
new file mode 100644
index 000000000..0613b8807
--- /dev/null
+++ b/src/charon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_provider.c
@@ -0,0 +1,182 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_simaka_pseudonym_provider.h"
+
+#include <utils/hashtable.h>
+
+typedef struct private_eap_simaka_pseudonym_provider_t private_eap_simaka_pseudonym_provider_t;
+
+/**
+ * Private data of an eap_simaka_pseudonym_provider_t object.
+ */
+struct private_eap_simaka_pseudonym_provider_t {
+
+	/**
+	 * Public eap_simaka_pseudonym_provider_t interface.
+	 */
+	eap_simaka_pseudonym_provider_t public;
+
+	/**
+	 * Permanent -> pseudonym mappings
+	 */
+	hashtable_t *pseudonym;
+
+	/**
+	 * Reverse pseudonym -> permanent mappings
+	 */
+	hashtable_t *permanent;
+
+	/**
+	 * RNG for pseudonyms/reauth identities
+	 */
+	rng_t *rng;
+};
+
+/**
+ * hashtable hash function
+ */
+static u_int hash(identification_t *key)
+{
+	return chunk_hash(key->get_encoding(key));
+}
+
+/**
+ * hashtable equals function
+ */
+static bool equals(identification_t *key1, identification_t *key2)
+{
+	return key1->equals(key1, key2);
+}
+
+/**
+ * Implementation of sim_provider_t.is_pseudonym
+ */
+static identification_t* is_pseudonym(
+			private_eap_simaka_pseudonym_provider_t *this, identification_t *id)
+{
+	identification_t *permanent;
+
+	permanent = this->permanent->get(this->permanent, id);
+	if (permanent)
+	{
+		return permanent->clone(permanent);
+	}
+	return NULL;
+}
+
+/**
+ * Generate a random identity
+ */
+static identification_t *gen_identity(
+								private_eap_simaka_pseudonym_provider_t *this)
+{
+	char buf[8], hex[sizeof(buf) * 2 + 1];
+
+	this->rng->get_bytes(this->rng, sizeof(buf), buf);
+	chunk_to_hex(chunk_create(buf, sizeof(buf)), hex, FALSE);
+
+	return identification_create_from_string(hex);
+}
+
+/**
+ * Implementation of sim_provider_t.get_pseudonym
+ */
+static identification_t* gen_pseudonym(
+			private_eap_simaka_pseudonym_provider_t *this, identification_t *id)
+{
+	identification_t *pseudonym, *permanent;
+
+	/* remove old entry */
+	pseudonym = this->pseudonym->remove(this->pseudonym, id);
+	if (pseudonym)
+	{
+		permanent = this->permanent->remove(this->permanent, pseudonym);
+		if (permanent)
+		{
+			permanent->destroy(permanent);
+		}
+		pseudonym->destroy(pseudonym);
+	}
+
+	pseudonym = gen_identity(this);
+
+	/* create new entries */
+	id = id->clone(id);
+	this->pseudonym->put(this->pseudonym, id, pseudonym);
+	this->permanent->put(this->permanent, pseudonym, id);
+
+	return pseudonym->clone(pseudonym);
+}
+
+/**
+ * Implementation of eap_simaka_pseudonym_provider_t.destroy.
+ */
+static void destroy(private_eap_simaka_pseudonym_provider_t *this)
+{
+	enumerator_t *enumerator;
+	identification_t *id;
+	void *key;
+
+	enumerator = this->pseudonym->create_enumerator(this->pseudonym);
+	while (enumerator->enumerate(enumerator, &key, &id))
+	{
+		id->destroy(id);
+	}
+	enumerator->destroy(enumerator);
+
+	enumerator = this->permanent->create_enumerator(this->permanent);
+	while (enumerator->enumerate(enumerator, &key, &id))
+	{
+		id->destroy(id);
+	}
+	enumerator->destroy(enumerator);
+
+	this->pseudonym->destroy(this->pseudonym);
+	this->permanent->destroy(this->permanent);
+	this->rng->destroy(this->rng);
+	free(this);
+}
+
+/**
+ * See header
+ */
+eap_simaka_pseudonym_provider_t *eap_simaka_pseudonym_provider_create()
+{
+	private_eap_simaka_pseudonym_provider_t *this;
+
+	this = malloc_thing(private_eap_simaka_pseudonym_provider_t);
+
+	this->public.provider.get_triplet = (bool(*)(sim_provider_t*, identification_t *id, char rand[SIM_RAND_LEN], char sres[SIM_SRES_LEN], char kc[SIM_KC_LEN]))return_false;
+	this->public.provider.get_quintuplet = (bool(*)(sim_provider_t*, identification_t *id, char rand[AKA_RAND_LEN], char xres[AKA_RES_MAX], int *xres_len, char ck[AKA_CK_LEN], char ik[AKA_IK_LEN], char autn[AKA_AUTN_LEN]))return_false;
+	this->public.provider.resync = (bool(*)(sim_provider_t*, identification_t *id, char rand[AKA_RAND_LEN], char auts[AKA_AUTS_LEN]))return_false;
+	this->public.provider.is_pseudonym = (identification_t*(*)(sim_provider_t*, identification_t *id))is_pseudonym;
+	this->public.provider.gen_pseudonym = (identification_t*(*)(sim_provider_t*, identification_t *id))gen_pseudonym;
+	this->public.provider.is_reauth = (identification_t*(*)(sim_provider_t*, identification_t *id, char [HASH_SIZE_SHA1], u_int16_t *counter))return_null;
+	this->public.provider.gen_reauth = (identification_t*(*)(sim_provider_t*, identification_t *id, char mk[HASH_SIZE_SHA1]))return_null;
+	this->public.destroy = (void(*)(eap_simaka_pseudonym_provider_t*))destroy;
+
+	this->rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
+	if (!this->rng)
+	{
+		free(this);
+		return NULL;
+	}
+	this->pseudonym = hashtable_create((void*)hash, (void*)equals, 0);
+	this->permanent = hashtable_create((void*)hash, (void*)equals, 0);
+
+	return &this->public;
+}
+
diff --git a/src/charon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_provider.h b/src/charon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_provider.h
new file mode 100644
index 000000000..5d8e6d221
--- /dev/null
+++ b/src/charon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_provider.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_simaka_pseudonym_provider eap_simaka_pseudonym_provider
+ * @{ @ingroup eap_simaka_pseudonym
+ */
+
+#ifndef EAP_SIMAKA_PSEDUONYM_PROVIDER_H_
+#define EAP_SIMAKA_PSEDUONYM_PROVIDER_H_
+
+#include <sa/authenticators/eap/sim_manager.h>
+
+typedef struct eap_simaka_pseudonym_provider_t eap_simaka_pseudonym_provider_t;
+
+/**
+ * SIM provider implementing volatile in-memory pseudonym storage.
+ */
+struct eap_simaka_pseudonym_provider_t {
+
+	/**
+	 * Implements sim_provider_t interface.
+	 */
+	sim_provider_t provider;
+
+	/**
+	 * Destroy a eap_simaka_pseudonym_provider_t.
+	 */
+	void (*destroy)(eap_simaka_pseudonym_provider_t *this);
+};
+
+/**
+ * Create a eap_simaka_pseudonym_provider instance.
+ */
+eap_simaka_pseudonym_provider_t *eap_simaka_pseudonym_provider_create();
+
+#endif /** EAP_SIMAKA_PSEDUONYM_PROVIDER_H_ @}*/
diff --git a/src/charon/plugins/eap_simaka_reauth/Makefile.am b/src/charon/plugins/eap_simaka_reauth/Makefile.am
new file mode 100644
index 000000000..0ba727136
--- /dev/null
+++ b/src/charon/plugins/eap_simaka_reauth/Makefile.am
@@ -0,0 +1,13 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
+
+AM_CFLAGS = -rdynamic
+
+plugin_LTLIBRARIES = libstrongswan-eap-simaka-reauth.la
+
+libstrongswan_eap_simaka_reauth_la_SOURCES = \
+  eap_simaka_reauth_plugin.h eap_simaka_reauth_plugin.c \
+  eap_simaka_reauth_card.h eap_simaka_reauth_card.c \
+  eap_simaka_reauth_provider.h eap_simaka_reauth_provider.c
+libstrongswan_eap_simaka_reauth_la_LDFLAGS = -module -avoid-version
+
diff --git a/src/charon/plugins/eap_simaka_reauth/Makefile.in b/src/charon/plugins/eap_simaka_reauth/Makefile.in
new file mode 100644
index 000000000..d709acb70
--- /dev/null
+++ b/src/charon/plugins/eap_simaka_reauth/Makefile.in
@@ -0,0 +1,576 @@
+# Makefile.in generated by automake 1.11 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/charon/plugins/eap_simaka_reauth
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(plugin_LTLIBRARIES)
+libstrongswan_eap_simaka_reauth_la_LIBADD =
+am_libstrongswan_eap_simaka_reauth_la_OBJECTS =  \
+	eap_simaka_reauth_plugin.lo eap_simaka_reauth_card.lo \
+	eap_simaka_reauth_provider.lo
+libstrongswan_eap_simaka_reauth_la_OBJECTS =  \
+	$(am_libstrongswan_eap_simaka_reauth_la_OBJECTS)
+libstrongswan_eap_simaka_reauth_la_LINK = $(LIBTOOL) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_eap_simaka_reauth_la_LDFLAGS) $(LDFLAGS) -o $@
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_eap_simaka_reauth_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_eap_simaka_reauth_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libstrongswan_plugins = @libstrongswan_plugins@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
+AM_CFLAGS = -rdynamic
+plugin_LTLIBRARIES = libstrongswan-eap-simaka-reauth.la
+libstrongswan_eap_simaka_reauth_la_SOURCES = \
+  eap_simaka_reauth_plugin.h eap_simaka_reauth_plugin.c \
+  eap_simaka_reauth_card.h eap_simaka_reauth_card.c \
+  eap_simaka_reauth_provider.h eap_simaka_reauth_provider.c
+
+libstrongswan_eap_simaka_reauth_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/charon/plugins/eap_simaka_reauth/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/charon/plugins/eap_simaka_reauth/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-eap-simaka-reauth.la: $(libstrongswan_eap_simaka_reauth_la_OBJECTS) $(libstrongswan_eap_simaka_reauth_la_DEPENDENCIES) 
+	$(libstrongswan_eap_simaka_reauth_la_LINK) -rpath $(plugindir) $(libstrongswan_eap_simaka_reauth_la_OBJECTS) $(libstrongswan_eap_simaka_reauth_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_simaka_reauth_card.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_simaka_reauth_plugin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_simaka_reauth_provider.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
+	mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
+	distclean-compile distclean-generic distclean-libtool \
+	distclean-tags distdir dvi dvi-am html html-am info info-am \
+	install install-am install-data install-data-am install-dvi \
+	install-dvi-am install-exec install-exec-am install-html \
+	install-html-am install-info install-info-am install-man \
+	install-pdf install-pdf-am install-pluginLTLIBRARIES \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/charon/plugins/eap_simaka_reauth/eap_simaka_reauth_card.c b/src/charon/plugins/eap_simaka_reauth/eap_simaka_reauth_card.c
new file mode 100644
index 000000000..14d0416d9
--- /dev/null
+++ b/src/charon/plugins/eap_simaka_reauth/eap_simaka_reauth_card.c
@@ -0,0 +1,170 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_simaka_reauth_card.h"
+
+#include <daemon.h>
+#include <utils/hashtable.h>
+
+typedef struct private_eap_simaka_reauth_card_t private_eap_simaka_reauth_card_t;
+
+/**
+ * Private data of an eap_simaka_reauth_card_t object.
+ */
+struct private_eap_simaka_reauth_card_t {
+
+	/**
+	 * Public eap_simaka_reauth_card_t interface.
+	 */
+	eap_simaka_reauth_card_t public;
+
+	/**
+	 * Permanent -> reauth_data_t mappings
+	 */
+	hashtable_t *reauth;
+};
+
+/**
+ * Data associated to a reauthentication identity
+ */
+typedef struct {
+	/** currently used reauthentication identity */
+	identification_t *id;
+	/** associated permanent identity */
+	identification_t *permanent;
+	/** counter value */
+	u_int16_t counter;
+	/** master key */
+	char mk[HASH_SIZE_SHA1];
+} reauth_data_t;
+
+/**
+ * hashtable hash function
+ */
+static u_int hash(identification_t *key)
+{
+	return chunk_hash(key->get_encoding(key));
+}
+
+/**
+ * hashtable equals function
+ */
+static bool equals(identification_t *key1, identification_t *key2)
+{
+	return key1->equals(key1, key2);
+}
+
+/**
+ * Implementation of sim_card_t.get_reauth
+ */
+static identification_t *get_reauth(private_eap_simaka_reauth_card_t *this,
+								identification_t *id, char mk[HASH_SIZE_SHA1],
+								u_int16_t *counter)
+{
+	reauth_data_t *data;
+	identification_t *reauth;
+
+	/* look up reauthentication data */
+	data = this->reauth->remove(this->reauth, id);
+	if (!data)
+	{
+		return NULL;
+	}
+	*counter = ++data->counter;
+	memcpy(mk, data->mk, HASH_SIZE_SHA1);
+	reauth = data->id;
+	data->permanent->destroy(data->permanent);
+	free(data);
+	return reauth;
+}
+
+/**
+ * Implementation of sim_card_t.set_reauth
+ */
+static void set_reauth(private_eap_simaka_reauth_card_t *this,
+					   identification_t *id, identification_t* next,
+					   char mk[HASH_SIZE_SHA1], u_int16_t counter)
+{
+	reauth_data_t *data;
+
+	data = this->reauth->get(this->reauth, id);
+	if (data)
+	{
+		data->id->destroy(data->id);
+	}
+	else
+	{
+		data = malloc_thing(reauth_data_t);
+		data->permanent = id->clone(id);
+		this->reauth->put(this->reauth, data->permanent, data);
+	}
+	data->counter = counter;
+	data->id = next->clone(next);
+	memcpy(data->mk, mk, HASH_SIZE_SHA1);
+}
+
+/**
+ * Implementation of sim_card_t.get_quintuplet
+ */
+static status_t get_quintuplet()
+{
+	return NOT_SUPPORTED;
+}
+
+/**
+ * Implementation of eap_simaka_reauth_card_t.destroy.
+ */
+static void destroy(private_eap_simaka_reauth_card_t *this)
+{
+	enumerator_t *enumerator;
+	reauth_data_t *data;
+	void *key;
+
+	enumerator = this->reauth->create_enumerator(this->reauth);
+	while (enumerator->enumerate(enumerator, &key, &data))
+	{
+		data->id->destroy(data->id);
+		data->permanent->destroy(data->permanent);
+		free(data);
+	}
+	enumerator->destroy(enumerator);
+
+	this->reauth->destroy(this->reauth);
+	free(this);
+}
+
+/**
+ * See header
+ */
+eap_simaka_reauth_card_t *eap_simaka_reauth_card_create()
+{
+	private_eap_simaka_reauth_card_t *this;
+
+	this = malloc_thing(private_eap_simaka_reauth_card_t);
+
+	this->public.card.get_triplet = (bool(*)(sim_card_t*, identification_t *id, char rand[SIM_RAND_LEN], char sres[SIM_SRES_LEN], char kc[SIM_KC_LEN]))return_null;
+	this->public.card.get_quintuplet = (status_t(*)(sim_card_t*, identification_t *id, char rand[AKA_RAND_LEN], char autn[AKA_AUTN_LEN], char ck[AKA_CK_LEN], char ik[AKA_IK_LEN], char res[AKA_RES_MAX], int *res_len))get_quintuplet;
+	this->public.card.resync = (bool(*)(sim_card_t*, identification_t *id, char rand[AKA_RAND_LEN], char auts[AKA_AUTS_LEN]))return_false;
+	this->public.card.get_pseudonym = (identification_t*(*)(sim_card_t*, identification_t *perm))return_null;
+	this->public.card.set_pseudonym = (void(*)(sim_card_t*, identification_t *id, identification_t *pseudonym))nop;
+	this->public.card.get_reauth = (identification_t*(*)(sim_card_t*, identification_t *id, char mk[HASH_SIZE_SHA1], u_int16_t *counter))get_reauth;
+	this->public.card.set_reauth = (void(*)(sim_card_t*, identification_t *id, identification_t* next, char mk[HASH_SIZE_SHA1], u_int16_t counter))set_reauth;
+	this->public.destroy = (void(*)(eap_simaka_reauth_card_t*))destroy;
+
+	this->reauth = hashtable_create((void*)hash, (void*)equals, 0);
+
+	return &this->public;
+}
+
diff --git a/src/charon/plugins/eap_simaka_reauth/eap_simaka_reauth_card.h b/src/charon/plugins/eap_simaka_reauth/eap_simaka_reauth_card.h
new file mode 100644
index 000000000..f24dc8a15
--- /dev/null
+++ b/src/charon/plugins/eap_simaka_reauth/eap_simaka_reauth_card.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_simaka_reauth_card eap_simaka_reauth_card
+ * @{ @ingroup eap_simaka_reauth
+ */
+
+#ifndef EAP_SIMAKA_REAUTH_CARD_H_
+#define EAP_SIMAKA_REAUTH_CARD_H_
+
+#include <sa/authenticators/eap/sim_manager.h>
+
+typedef struct eap_simaka_reauth_card_t eap_simaka_reauth_card_t;
+
+/**
+ * SIM card implementing volatile in-memory reauthentication data storage.
+ */
+struct eap_simaka_reauth_card_t {
+
+	/**
+	 * Implements sim_card_t interface
+	 */
+	sim_card_t card;
+
+	/**
+	 * Destroy a eap_simaka_reauth_card_t.
+	 */
+	void (*destroy)(eap_simaka_reauth_card_t *this);
+};
+
+/**
+ * Create a eap_simaka_reauth_card instance.
+ */
+eap_simaka_reauth_card_t *eap_simaka_reauth_card_create();
+
+#endif /** EAP_SIMAKA_REAUTH_CARD_H_ @}*/
diff --git a/src/charon/plugins/eap_simaka_reauth/eap_simaka_reauth_plugin.c b/src/charon/plugins/eap_simaka_reauth/eap_simaka_reauth_plugin.c
new file mode 100644
index 000000000..b2e853e21
--- /dev/null
+++ b/src/charon/plugins/eap_simaka_reauth/eap_simaka_reauth_plugin.c
@@ -0,0 +1,79 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_simaka_reauth_plugin.h"
+#include "eap_simaka_reauth_card.h"
+#include "eap_simaka_reauth_provider.h"
+
+#include <daemon.h>
+
+typedef struct private_eap_simaka_reauth_t private_eap_simaka_reauth_t;
+
+/**
+ * Private data of an eap_simaka_reauth_t object.
+ */
+struct private_eap_simaka_reauth_t {
+
+	/**
+	 * Public eap_simaka_reauth_plugin_t interface.
+	 */
+	eap_simaka_reauth_plugin_t public;
+
+	/**
+	 * SIM card
+	 */
+	eap_simaka_reauth_card_t *card;
+
+	/**
+	 * SIM provider
+	 */
+	eap_simaka_reauth_provider_t *provider;
+};
+
+/**
+ * Implementation of eap_simaka_reauth_t.destroy.
+ */
+static void destroy(private_eap_simaka_reauth_t *this)
+{
+	charon->sim->remove_card(charon->sim, &this->card->card);
+	charon->sim->remove_provider(charon->sim, &this->provider->provider);
+	this->card->destroy(this->card);
+	this->provider->destroy(this->provider);
+	free(this);
+}
+
+/**
+ * See header
+ */
+plugin_t *plugin_create()
+{
+	private_eap_simaka_reauth_t *this = malloc_thing(private_eap_simaka_reauth_t);
+
+	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+
+	this->provider = eap_simaka_reauth_provider_create();
+	if (!this->provider)
+	{
+		free(this);
+		return NULL;
+	}
+	this->card = eap_simaka_reauth_card_create();
+
+	charon->sim->add_card(charon->sim, &this->card->card);
+	charon->sim->add_provider(charon->sim, &this->provider->provider);
+
+	return &this->public.plugin;
+}
+
diff --git a/src/charon/plugins/eap_simaka_reauth/eap_simaka_reauth_plugin.h b/src/charon/plugins/eap_simaka_reauth/eap_simaka_reauth_plugin.h
new file mode 100644
index 000000000..e86832c0e
--- /dev/null
+++ b/src/charon/plugins/eap_simaka_reauth/eap_simaka_reauth_plugin.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_simaka_reauth eap_simaka_reauth
+ * @ingroup cplugins
+ *
+ * @defgroup eap_simaka_reauth_plugin eap_simaka_reauth_plugin
+ * @{ @ingroup eap_simaka_reauth
+ */
+
+#ifndef EAP_SIMAKA_REAUTH_PLUGIN_H_
+#define EAP_SIMAKA_REAUTH_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct eap_simaka_reauth_plugin_t eap_simaka_reauth_plugin_t;
+
+/**
+ * Plugin to provide in-memory EAP-SIM/AKA reauthentication data storage.
+ */
+struct eap_simaka_reauth_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+/**
+ * Create a eap_simaka_reauth_plugin instance.
+ */
+plugin_t *plugin_create();
+
+#endif /** EAP_SIMAKA_REAUTH_PLUGIN_H_ @}*/
diff --git a/src/charon/plugins/eap_simaka_reauth/eap_simaka_reauth_provider.c b/src/charon/plugins/eap_simaka_reauth/eap_simaka_reauth_provider.c
new file mode 100644
index 000000000..f962b2d84
--- /dev/null
+++ b/src/charon/plugins/eap_simaka_reauth/eap_simaka_reauth_provider.c
@@ -0,0 +1,209 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_simaka_reauth_provider.h"
+
+#include <daemon.h>
+#include <utils/hashtable.h>
+
+typedef struct private_eap_simaka_reauth_provider_t private_eap_simaka_reauth_provider_t;
+
+/**
+ * Private data of an eap_simaka_reauth_provider_t object.
+ */
+struct private_eap_simaka_reauth_provider_t {
+
+	/**
+	 * Public eap_simaka_reauth_provider_t interface.
+	 */
+	eap_simaka_reauth_provider_t public;
+
+	/**
+	 * Permanent -> reauth_data_t mappings
+	 */
+	hashtable_t *reauth;
+
+	/**
+	 * Reverse reauth -> permanent mappings
+	 */
+	hashtable_t *permanent;
+
+	/**
+	 * RNG for pseudonyms/reauth identities
+	 */
+	rng_t *rng;
+};
+
+/**
+ * Data associated to a reauthentication identity
+ */
+typedef struct {
+	/** currently used reauthentication identity */
+	identification_t *id;
+	/** counter value */
+	u_int16_t counter;
+	/** master key */
+	char mk[HASH_SIZE_SHA1];
+} reauth_data_t;
+
+/**
+ * hashtable hash function
+ */
+static u_int hash(identification_t *key)
+{
+	return chunk_hash(key->get_encoding(key));
+}
+
+/**
+ * hashtable equals function
+ */
+static bool equals(identification_t *key1, identification_t *key2)
+{
+	return key1->equals(key1, key2);
+}
+
+/**
+ * Generate a random identity
+ */
+static identification_t *gen_identity(private_eap_simaka_reauth_provider_t *this)
+{
+	char buf[8], hex[sizeof(buf) * 2 + 1];
+
+	this->rng->get_bytes(this->rng, sizeof(buf), buf);
+	chunk_to_hex(chunk_create(buf, sizeof(buf)), hex, FALSE);
+
+	return identification_create_from_string(hex);
+}
+
+/**
+ * Implementation of sim_provider_t.is_reauth
+ */
+static identification_t *is_reauth(private_eap_simaka_reauth_provider_t *this,
+								identification_t *id, char mk[HASH_SIZE_SHA1],
+								u_int16_t *counter)
+{
+	identification_t *permanent;
+	reauth_data_t *data;
+
+	/* look up permanent identity */
+	permanent = this->permanent->get(this->permanent, id);
+	if (!permanent)
+	{
+		return NULL;
+	}
+	/* look up reauthentication data */
+	data = this->reauth->get(this->reauth, permanent);
+	if (!data)
+	{
+		return NULL;
+	}
+	*counter = ++data->counter;
+	memcpy(mk, data->mk, HASH_SIZE_SHA1);
+	return permanent->clone(permanent);
+}
+
+/**
+ * Implementation of sim_provider_t.gen_reauth
+ */
+static identification_t *gen_reauth(private_eap_simaka_reauth_provider_t *this,
+								identification_t *id, char mk[HASH_SIZE_SHA1])
+{
+	reauth_data_t *data;
+	identification_t *permanent;
+
+	data = this->reauth->get(this->reauth, id);
+	if (data)
+	{	/* update existing entry */
+		permanent = this->permanent->remove(this->permanent, data->id);
+		if (permanent)
+		{
+			data->id->destroy(data->id);
+			data->id = gen_identity(this);
+			this->permanent->put(this->permanent, data->id, permanent);
+		}
+	}
+	else
+	{	/* generate new entry */
+		data = malloc_thing(reauth_data_t);
+		data->counter = 0;
+		data->id = gen_identity(this);
+		id = id->clone(id);
+		this->reauth->put(this->reauth, id, data);
+		this->permanent->put(this->permanent, data->id, id);
+	}
+	memcpy(data->mk, mk, HASH_SIZE_SHA1);
+
+	return data->id->clone(data->id);
+}
+
+/**
+ * Implementation of eap_simaka_reauth_provider_t.destroy.
+ */
+static void destroy(private_eap_simaka_reauth_provider_t *this)
+{
+	enumerator_t *enumerator;
+	identification_t *id;
+	reauth_data_t *data;
+	void *key;
+
+	enumerator = this->permanent->create_enumerator(this->permanent);
+	while (enumerator->enumerate(enumerator, &key, &id))
+	{
+		id->destroy(id);
+	}
+	enumerator->destroy(enumerator);
+
+	enumerator = this->reauth->create_enumerator(this->reauth);
+	while (enumerator->enumerate(enumerator, &key, &data))
+	{
+		data->id->destroy(data->id);
+		free(data);
+	}
+	enumerator->destroy(enumerator);
+
+	this->permanent->destroy(this->permanent);
+	this->reauth->destroy(this->reauth);
+	this->rng->destroy(this->rng);
+	free(this);
+}
+
+/**
+ * See header
+ */
+eap_simaka_reauth_provider_t *eap_simaka_reauth_provider_create()
+{
+	private_eap_simaka_reauth_provider_t *this = malloc_thing(private_eap_simaka_reauth_provider_t);
+
+	this->public.provider.get_triplet = (bool(*)(sim_provider_t*, identification_t *id, char rand[SIM_RAND_LEN], char sres[SIM_SRES_LEN], char kc[SIM_KC_LEN]))return_false;
+	this->public.provider.get_quintuplet = (bool(*)(sim_provider_t*, identification_t *id, char rand[AKA_RAND_LEN], char xres[AKA_RES_MAX], int *xres_len, char ck[AKA_CK_LEN], char ik[AKA_IK_LEN], char autn[AKA_AUTN_LEN]))return_false;
+	this->public.provider.resync = (bool(*)(sim_provider_t*, identification_t *id, char rand[AKA_RAND_LEN], char auts[AKA_AUTS_LEN]))return_false;
+	this->public.provider.is_pseudonym = (identification_t*(*)(sim_provider_t*, identification_t *id))return_null;
+	this->public.provider.gen_pseudonym = (identification_t*(*)(sim_provider_t*, identification_t *id))return_null;
+	this->public.provider.is_reauth = (identification_t*(*)(sim_provider_t*, identification_t *id, char [HASH_SIZE_SHA1], u_int16_t *counter))is_reauth;
+	this->public.provider.gen_reauth = (identification_t*(*)(sim_provider_t*, identification_t *id, char mk[HASH_SIZE_SHA1]))gen_reauth;
+	this->public.destroy = (void(*)(eap_simaka_reauth_provider_t*))destroy;
+
+	this->rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
+	if (!this->rng)
+	{
+		free(this);
+		return NULL;
+	}
+	this->permanent = hashtable_create((void*)hash, (void*)equals, 0);
+	this->reauth = hashtable_create((void*)hash, (void*)equals, 0);
+
+	return &this->public;
+}
+
diff --git a/src/charon/plugins/eap_simaka_reauth/eap_simaka_reauth_provider.h b/src/charon/plugins/eap_simaka_reauth/eap_simaka_reauth_provider.h
new file mode 100644
index 000000000..7ae151a27
--- /dev/null
+++ b/src/charon/plugins/eap_simaka_reauth/eap_simaka_reauth_provider.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_simaka_reauth_provider eap_simaka_reauth_provider
+ * @{ @ingroup eap_simaka_reauth
+ */
+
+#ifndef EAP_SIMAKA_REAUTH_PROVIDER_H_
+#define EAP_SIMAKA_REAUTH_PROVIDER_H_
+
+#include <sa/authenticators/eap/sim_manager.h>
+
+typedef struct eap_simaka_reauth_provider_t eap_simaka_reauth_provider_t;
+
+/**
+ * SIM provider implementing volatile in-memory reauthentication data storage.
+ */
+struct eap_simaka_reauth_provider_t {
+
+	/**
+	 * Implements sim_provider_t interface.
+	 */
+	sim_provider_t provider;
+
+	/**
+	 * Destroy a eap_simaka_reauth_provider_t.
+	 */
+	void (*destroy)(eap_simaka_reauth_provider_t *this);
+};
+
+/**
+ * Create a eap_simaka_reauth_provider instance.
+ */
+eap_simaka_reauth_provider_t *eap_simaka_reauth_provider_create();
+
+#endif /** EAP_SIMAKA_REAUTH_PROVIDER_H_ @}*/
diff --git a/src/charon/plugins/kernel_klips/Makefile.am b/src/charon/plugins/kernel_klips/Makefile.am
index 0c0987cca..a7ae06df1 100644
--- a/src/charon/plugins/kernel_klips/Makefile.am
+++ b/src/charon/plugins/kernel_klips/Makefile.am
@@ -1,5 +1,5 @@
 
-INCLUDES = -I${linuxdir} -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
+INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
 
 AM_CFLAGS = -rdynamic
 
diff --git a/src/charon/plugins/kernel_klips/Makefile.in b/src/charon/plugins/kernel_klips/Makefile.in
index 4b1c27352..bf194ae16 100644
--- a/src/charon/plugins/kernel_klips/Makefile.in
+++ b/src/charon/plugins/kernel_klips/Makefile.in
@@ -1,8 +1,9 @@
-# Makefile.in generated by automake 1.10.2 from Makefile.am.
+# Makefile.in generated by automake 1.11 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,8 +17,9 @@
 
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
@@ -35,19 +37,41 @@ host_triplet = @host@
 subdir = src/charon/plugins/kernel_klips
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
 CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
 am__vpath_adj = case $$p in \
     $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
     *) f=$$p;; \
   esac;
-am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__installdirs = "$(DESTDIR)$(plugindir)"
-pluginLTLIBRARIES_INSTALL = $(INSTALL)
 LTLIBRARIES = $(plugin_LTLIBRARIES)
 libstrongswan_kernel_klips_la_LIBADD =
 am_libstrongswan_kernel_klips_la_OBJECTS = kernel_klips_plugin.lo \
@@ -61,6 +85,7 @@ libstrongswan_kernel_klips_la_LINK = $(LIBTOOL) --tag=CC \
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
+am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
@@ -108,25 +133,22 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
-IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
-LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
-LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
-LINUX_HEADERS = @LINUX_HEADERS@
 LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
 NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
@@ -138,11 +160,14 @@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
 PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
+RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
@@ -171,9 +196,9 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
-confdir = @confdir@
 datadir = @datadir@
 datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
@@ -196,7 +221,7 @@ ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
 libstrongswan_plugins = @libstrongswan_plugins@
-linuxdir = @linuxdir@
+linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
@@ -204,6 +229,7 @@ mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
@@ -212,10 +238,12 @@ pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+random_device = @random_device@
 resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
-simreader = @simreader@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
@@ -223,9 +251,10 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I${linuxdir} -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
+INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
 AM_CFLAGS = -rdynamic
 plugin_LTLIBRARIES = libstrongswan-kernel-klips.la
 libstrongswan_kernel_klips_la_SOURCES = kernel_klips_plugin.h kernel_klips_plugin.c \
@@ -245,9 +274,9 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/charon/plugins/kernel_klips/Makefile'; \
-	cd $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu  src/charon/plugins/kernel_klips/Makefile
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/charon/plugins/kernel_klips/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/charon/plugins/kernel_klips/Makefile
 .PRECIOUS: Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
@@ -265,23 +294,28 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
 	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
 	  if test -f $$p; then \
-	    f=$(am__strip_dir) \
-	    echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(plugindir)/$$f'"; \
-	    $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(plugindir)/$$f"; \
+	    list2="$$list2 $$p"; \
 	  else :; fi; \
-	done
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
 
 uninstall-pluginLTLIBRARIES:
 	@$(NORMAL_UNINSTALL)
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
-	  p=$(am__strip_dir) \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$p'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$p"; \
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
 	done
 
 clean-pluginLTLIBRARIES:
@@ -306,21 +340,21 @@ distclean-compile:
 
 .c.o:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c $<
 
 .c.obj:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
 @am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
@@ -343,7 +377,7 @@ tags: TAGS
 
 TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
+	set x; \
 	here=`pwd`; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
@@ -351,29 +385,34 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
 	  test -n "$$unique" || unique=$$empty_fix; \
-	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	    $$tags $$unique; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
 	fi
 ctags: CTAGS
 CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	test -z "$(CTAGS_ARGS)$$unique" \
 	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$tags $$unique
+	     $$unique
 
 GTAGS:
 	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && cd $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) $$here
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
 
 distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
@@ -394,13 +433,17 @@ distdir: $(DISTFILES)
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
 	  if test -d $$d/$$file; then \
 	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
 	    fi; \
-	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
 	  else \
-	    test -f $(distdir)/$$file \
-	    || cp -p $$d/$$file $(distdir)/$$file \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
 	    || exit 1; \
 	  fi; \
 	done
@@ -431,6 +474,7 @@ clean-generic:
 
 distclean-generic:
 	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -452,6 +496,8 @@ dvi-am:
 
 html: html-am
 
+html-am:
+
 info: info-am
 
 info-am:
@@ -460,18 +506,28 @@ install-data-am: install-pluginLTLIBRARIES
 
 install-dvi: install-dvi-am
 
+install-dvi-am:
+
 install-exec-am:
 
 install-html: install-html-am
 
+install-html-am:
+
 install-info: install-info-am
 
+install-info-am:
+
 install-man:
 
 install-pdf: install-pdf-am
 
+install-pdf-am:
+
 install-ps: install-ps-am
 
+install-ps-am:
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -510,6 +566,7 @@ uninstall-am: uninstall-pluginLTLIBRARIES
 	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
 	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
 
+
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/src/charon/plugins/kernel_klips/kernel_klips_ipsec.c b/src/charon/plugins/kernel_klips/kernel_klips_ipsec.c
index 9a903d027..fea1b83a1 100644
--- a/src/charon/plugins/kernel_klips/kernel_klips_ipsec.c
+++ b/src/charon/plugins/kernel_klips/kernel_klips_ipsec.c
@@ -21,7 +21,6 @@
 #include <linux/udp.h>
 #include <net/if.h>
 #include <unistd.h>
-#include <pthread.h>
 #include <stdio.h>
 #include <string.h>
 #include <time.h>
@@ -30,7 +29,8 @@
 #include "kernel_klips_ipsec.h"
 
 #include <daemon.h>
-#include <utils/mutex.h>
+#include <threading/thread.h>
+#include <threading/mutex.h>
 #include <processing/jobs/callback_job.h>
 #include <processing/jobs/acquire_job.h>
 #include <processing/jobs/rekey_child_sa_job.h>
@@ -78,7 +78,7 @@
 /** the prefix of the name of KLIPS ipsec devices */
 #define IPSEC_DEV_PREFIX "ipsec"
 /** this is the default number of ipsec devices */
-#define DEFAULT_IPSEC_DEV_COUNT 4 
+#define DEFAULT_IPSEC_DEV_COUNT 4
 /** TRUE if the given name matches an ipsec device */
 #define IS_IPSEC_DEV(name) (strneq((name), IPSEC_DEV_PREFIX, sizeof(IPSEC_DEV_PREFIX) - 1))
 
@@ -88,7 +88,7 @@ struct ipsectunnelconf
 	__u32	cf_cmd;
 	union
 	{
-		char 	cfu_name[12];
+		char	cfu_name[12];
 	} cf_u;
 #define cf_name cf_u.cfu_name
 };
@@ -108,62 +108,62 @@ struct private_kernel_klips_ipsec_t
 	 * Public part of the kernel_klips_t object.
 	 */
 	kernel_klips_ipsec_t public;
-	
+
 	/**
 	 * mutex to lock access to various lists
 	 */
 	mutex_t *mutex;
-	
+
 	/**
 	 * List of installed policies (policy_entry_t)
 	 */
 	linked_list_t *policies;
-	
+
 	/**
 	 * List of allocated SPIs without installed SA (sa_entry_t)
 	 */
 	linked_list_t *allocated_spis;
-	
+
 	/**
 	 * List of installed SAs (sa_entry_t)
 	 */
 	linked_list_t *installed_sas;
-	
+
 	/**
 	 * whether to install routes along policies
 	 */
 	bool install_routes;
-	
+
 	/**
 	 * List of ipsec devices (ipsec_dev_t)
 	 */
 	linked_list_t *ipsec_devices;
-	
+
 	/**
 	 * job receiving PF_KEY events
 	 */
 	callback_job_t *job;
-	
+
 	/**
 	 * mutex to lock access to the PF_KEY socket
 	 */
 	mutex_t *mutex_pfkey;
-	
+
 	/**
 	 * PF_KEY socket to communicate with the kernel
 	 */
 	int socket;
-	
+
 	/**
 	 * PF_KEY socket to receive acquire and expire events
 	 */
 	int socket_events;
-	
+
 	/**
 	 * sequence number for messages sent to the kernel
 	 */
 	int seq;
-	
+
 };
 
 
@@ -175,10 +175,10 @@ typedef struct ipsec_dev_t ipsec_dev_t;
 struct ipsec_dev_t {
 	/** name of the virtual ipsec interface */
 	char name[IFNAMSIZ];
-	
+
 	/** name of the physical interface */
 	char phys_name[IFNAMSIZ];
-	
+
 	/** by how many CHILD_SA's this ipsec device is used */
 	u_int refcount;
 };
@@ -229,14 +229,14 @@ static status_t attach_ipsec_dev(char* name, char *phys_name)
 	struct ipsectunnelconf *itc = (struct ipsectunnelconf*)&req.ifr_data;
 	short phys_flags;
 	int mtu;
-	
+
 	DBG2(DBG_KNL, "attaching virtual interface %s to %s", name, phys_name);
-	
+
 	if ((sock = socket(AF_INET, SOCK_DGRAM, 0)) <= 0)
 	{
 		return FAILED;
 	}
-	
+
 	strncpy(req.ifr_name, phys_name, IFNAMSIZ);
 	if (ioctl(sock, SIOCGIFFLAGS, &req) < 0)
 	{
@@ -251,18 +251,18 @@ static status_t attach_ipsec_dev(char* name, char *phys_name)
 		close(sock);
 		return FAILED;
 	}
-	
+
 	if (req.ifr_flags & IFF_UP)
 	{
 		/* if it's already up, it is already attached, detach it first */
 		ioctl(sock, IPSEC_DEL_DEV, &req);
 	}
-	
+
 	/* attach it */
 	strncpy(req.ifr_name, name, IFNAMSIZ);
 	strncpy(itc->cf_name, phys_name, sizeof(itc->cf_name));
 	ioctl(sock, IPSEC_SET_DEV, &req);
-	
+
 	/* copy address from physical to virtual */
 	strncpy(req.ifr_name, phys_name, IFNAMSIZ);
 	if (ioctl(sock, SIOCGIFADDR, &req) == 0)
@@ -270,7 +270,7 @@ static status_t attach_ipsec_dev(char* name, char *phys_name)
 		strncpy(req.ifr_name, name, IFNAMSIZ);
 		ioctl(sock, SIOCSIFADDR, &req);
 	}
-	
+
 	/* copy net mask from physical to virtual */
 	strncpy(req.ifr_name, phys_name, IFNAMSIZ);
 	if (ioctl(sock, SIOCGIFNETMASK, &req) == 0)
@@ -278,7 +278,7 @@ static status_t attach_ipsec_dev(char* name, char *phys_name)
 		strncpy(req.ifr_name, name, IFNAMSIZ);
 		ioctl(sock, SIOCSIFNETMASK, &req);
 	}
-	
+
 	/* copy other flags and addresses */
 	strncpy(req.ifr_name, name, IFNAMSIZ);
 	if (ioctl(sock, SIOCGIFFLAGS, &req) == 0)
@@ -288,7 +288,7 @@ static status_t attach_ipsec_dev(char* name, char *phys_name)
 			req.ifr_flags |= IFF_POINTOPOINT;
 			req.ifr_flags &= ~IFF_BROADCAST;
 			ioctl(sock, SIOCSIFFLAGS, &req);
-			
+
 			strncpy(req.ifr_name, phys_name, IFNAMSIZ);
 			if (ioctl(sock, SIOCGIFDSTADDR, &req) == 0)
 			{
@@ -301,7 +301,7 @@ static status_t attach_ipsec_dev(char* name, char *phys_name)
 			req.ifr_flags &= ~IFF_POINTOPOINT;
 			req.ifr_flags |= IFF_BROADCAST;
 			ioctl(sock, SIOCSIFFLAGS, &req);
-			
+
 			strncpy(req.ifr_name, phys_name, IFNAMSIZ);
 			if (ioctl(sock, SIOCGIFBRDADDR, &req)==0)
 			{
@@ -318,13 +318,13 @@ static status_t attach_ipsec_dev(char* name, char *phys_name)
 	}
 
 	mtu = lib->settings->get_int(lib->settings,
-						"charon.plugins.kernel_klips.ipsec_dev_mtu", 0);
+						"charon.plugins.kernel-klips.ipsec_dev_mtu", 0);
 	if (mtu <= 0)
 	{
 		/* guess MTU as physical MTU - ESP overhead [- NAT-T overhead]
 		 * ESP overhead      : 73 bytes
 		 * NAT-T overhead    :  8 bytes ==> 81 bytes
-		 * 
+		 *
 		 * assuming tunnel mode with AES encryption and integrity
 		 * outer IP header  : 20 bytes
 		 * (NAT-T UDP header:  8 bytes)
@@ -338,19 +338,19 @@ static status_t attach_ipsec_dev(char* name, char *phys_name)
 		ioctl(sock, SIOCGIFMTU, &req);
 		mtu = req.ifr_mtu - 81;
 	}
-	
+
 	/* set MTU */
 	strncpy(req.ifr_name, name, IFNAMSIZ);
 	req.ifr_mtu = mtu;
 	ioctl(sock, SIOCSIFMTU, &req);
-	
+
 	/* bring ipsec device UP */
 	if (ioctl(sock, SIOCGIFFLAGS, &req) == 0)
 	{
 		req.ifr_flags |= IFF_UP;
 		ioctl(sock, SIOCSIFFLAGS, &req);
 	}
-	
+
 	close(sock);
 	return SUCCESS;
 }
@@ -362,37 +362,37 @@ static status_t detach_ipsec_dev(char* name, char *phys_name)
 {
 	int sock;
 	struct ifreq req;
-	
+
 	DBG2(DBG_KNL, "detaching virtual interface %s from %s", name,
 			strlen(phys_name) ? phys_name : "any physical interface");
-	
+
 	if ((sock = socket(AF_INET, SOCK_DGRAM, 0)) <= 0)
 	{
 		return FAILED;
 	}
-	
+
 	strncpy(req.ifr_name, name, IFNAMSIZ);
 	if (ioctl(sock, SIOCGIFFLAGS, &req) < 0)
 	{
 		close(sock);
 		return FAILED;
 	}
-	
+
 	/* shutting interface down */
 	if (req.ifr_flags & IFF_UP)
 	{
 		req.ifr_flags &= ~IFF_UP;
 		ioctl(sock, SIOCSIFFLAGS, &req);
 	}
-	
+
 	/* unset address */
 	memset(&req.ifr_addr, 0, sizeof(req.ifr_addr));
 	req.ifr_addr.sa_family = AF_INET;
 	ioctl(sock, SIOCSIFADDR, &req);
-	
+
 	/* detach interface */
 	ioctl(sock, IPSEC_DEL_DEV, &req);
-	
+
 	close(sock);
 	return SUCCESS;
 }
@@ -415,10 +415,10 @@ typedef struct route_entry_t route_entry_t;
 struct route_entry_t {
 	/** Name of the interface the route is bound to */
 	char *if_name;
-	
+
 	/** Source ip of the route */
 	host_t *src_ip;
-	
+
 	/** Gateway for this route */
 	host_t *gateway;
 
@@ -447,13 +447,13 @@ typedef struct policy_entry_t policy_entry_t;
  * installed kernel policy.
  */
 struct policy_entry_t {
-	
+
 	/** reqid of this policy, if setup as trap */
 	u_int32_t reqid;
-	
+
 	/** direction of this policy: in, out, forward */
 	u_int8_t direction;
-	
+
 	/** parameters of installed policy */
 	struct {
 		/** subnet and port */
@@ -463,13 +463,13 @@ struct policy_entry_t {
 		/** protocol */
 		u_int8_t proto;
 	} src, dst;
-	
+
 	/** associated route installed for this policy */
 	route_entry_t *route;
-	
+
 	/** by how many CHILD_SA's this policy is actively used */
 	u_int activecount;
-	
+
 	/** by how many CHILD_SA's this policy is trapped */
 	u_int trapcount;
 };
@@ -499,22 +499,22 @@ static bool is_host_in_net(host_t *host, host_t *net, u_int8_t mask)
 	static const u_char bitmask[] = { 0x00, 0x80, 0xc0, 0xe0, 0xf0, 0xf8, 0xfc, 0xfe };
 	chunk_t host_chunk, net_chunk;
 	int bytes = mask / 8, bits = mask % 8;
-	
+
 	host_chunk = host->get_address(host);
 	net_chunk = net->get_address(net);
-	
+
 	if (host_chunk.len != net_chunk.len)
 	{
 		return FALSE;
 	}
-	
+
 	if (memeq(host_chunk.ptr, net_chunk.ptr, bytes))
 	{
 		return (bits == 0) ||
-			   (host_chunk.ptr[bytes] & bitmask[bits]) == 
+			   (host_chunk.ptr[bytes] & bitmask[bits]) ==
 				   (net_chunk.ptr[bytes] & bitmask[bits]);
 	}
-	
+
 	return FALSE;
 }
 
@@ -530,15 +530,15 @@ static policy_entry_t *create_policy_entry(traffic_selector_t *src_ts,
 	policy->route = NULL;
 	policy->activecount = 0;
 	policy->trapcount = 0;
-	
+
 	src_ts->to_subnet(src_ts, &policy->src.net, &policy->src.mask);
 	dst_ts->to_subnet(dst_ts, &policy->dst.net, &policy->dst.mask);
-	
+
 	/* src or dest proto may be "any" (0), use more restrictive one */
 	policy->src.proto = max(src_ts->get_protocol(src_ts), dst_ts->get_protocol(dst_ts));
-	policy->src.proto = policy->src.proto ? policy->src.proto : 0; 
+	policy->src.proto = policy->src.proto ? policy->src.proto : 0;
 	policy->dst.proto = policy->src.proto;
-	
+
 	return policy;
 }
 
@@ -585,25 +585,25 @@ typedef struct sa_entry_t sa_entry_t;
  * - installed inbound SAs with enabled UDP encapsulation
  */
 struct sa_entry_t {
-	
+
 	/** protocol of this SA */
 	protocol_id_t protocol;
-	
+
 	/** reqid of this SA */
 	u_int32_t reqid;
-	
+
 	/** SPI of this SA */
 	u_int32_t spi;
-	
+
 	/** src address of this SA */
 	host_t *src;
-	
+
 	/** dst address of this SA */
 	host_t *dst;
-	
+
 	/** TRUE if this SA uses UDP encapsulation */
 	bool encap;
-	
+
 	/** TRUE if this SA is inbound */
 	bool inbound;
 };
@@ -672,8 +672,8 @@ struct pfkey_msg_t
 	 * PF_KEY message base
 	 */
 	struct sadb_msg *msg;
-	
-	
+
+
 	/**
 	 * PF_KEY message extensions
 	 */
@@ -761,7 +761,7 @@ struct kernel_algorithm_t {
 	 * Identifier specified in IKEv2
 	 */
 	int ikev2;
-	
+
 	/**
 	 * Identifier as defined in pfkeyv2.h
 	 */
@@ -774,32 +774,32 @@ struct kernel_algorithm_t {
  * Algorithms for encryption
  */
 static kernel_algorithm_t encryption_algs[] = {
-/*	{ENCR_DES_IV64, 			0							}, */
-	{ENCR_DES, 					SADB_EALG_DESCBC			},
-	{ENCR_3DES, 				SADB_EALG_3DESCBC			},
-/*	{ENCR_RC5, 					0							}, */
-/*	{ENCR_IDEA, 				0							}, */
-/*	{ENCR_CAST, 				0							}, */
-	{ENCR_BLOWFISH, 			SADB_EALG_BFCBC				},
-/*	{ENCR_3IDEA, 				0							}, */
-/*	{ENCR_DES_IV32, 			0							}, */
-	{ENCR_NULL, 				SADB_EALG_NULL				},
-	{ENCR_AES_CBC,	 			SADB_EALG_AESCBC			},
-/*	{ENCR_AES_CTR, 				0							}, */
+/*	{ENCR_DES_IV64,				0							}, */
+	{ENCR_DES,					SADB_EALG_DESCBC			},
+	{ENCR_3DES,					SADB_EALG_3DESCBC			},
+/*	{ENCR_RC5,					0							}, */
+/*	{ENCR_IDEA,					0							}, */
+/*	{ENCR_CAST,					0							}, */
+	{ENCR_BLOWFISH,				SADB_EALG_BFCBC				},
+/*	{ENCR_3IDEA,				0							}, */
+/*	{ENCR_DES_IV32,				0							}, */
+	{ENCR_NULL,					SADB_EALG_NULL				},
+	{ENCR_AES_CBC,				SADB_EALG_AESCBC			},
+/*	{ENCR_AES_CTR,				0							}, */
 /*	{ENCR_AES_CCM_ICV8,			0							}, */
 /*	{ENCR_AES_CCM_ICV12,		0							}, */
 /*	{ENCR_AES_CCM_ICV16,		0							}, */
 /*	{ENCR_AES_GCM_ICV8,			0							}, */
 /*	{ENCR_AES_GCM_ICV12,		0							}, */
 /*	{ENCR_AES_GCM_ICV16,		0							}, */
-	{END_OF_LIST, 				0							},
+	{END_OF_LIST,				0							},
 };
 
 /**
  * Algorithms for integrity protection
  */
 static kernel_algorithm_t integrity_algs[] = {
-	{AUTH_HMAC_MD5_96, 			SADB_AALG_MD5HMAC			},
+	{AUTH_HMAC_MD5_96,			SADB_AALG_MD5HMAC			},
 	{AUTH_HMAC_SHA1_96,			SADB_AALG_SHA1HMAC			},
 	{AUTH_HMAC_SHA2_256_128,	SADB_AALG_SHA256_HMAC		},
 	{AUTH_HMAC_SHA2_384_192,	SADB_AALG_SHA384_HMAC		},
@@ -807,7 +807,7 @@ static kernel_algorithm_t integrity_algs[] = {
 /*	{AUTH_DES_MAC,				0,							}, */
 /*	{AUTH_KPDK_MD5,				0,							}, */
 /*	{AUTH_AES_XCBC_96,			0,							}, */
-	{END_OF_LIST, 				0,							},
+	{END_OF_LIST,				0,							},
 };
 
 #if 0
@@ -815,11 +815,11 @@ static kernel_algorithm_t integrity_algs[] = {
  * Algorithms for IPComp, unused yet
  */
 static kernel_algorithm_t compression_algs[] = {
-/*	{IPCOMP_OUI, 				0							}, */
+/*	{IPCOMP_OUI,				0							}, */
 	{IPCOMP_DEFLATE,			SADB_X_CALG_DEFLATE			},
 	{IPCOMP_LZS,				SADB_X_CALG_LZS				},
 /*	{IPCOMP_LZJH,				0							}, */
-	{END_OF_LIST, 				0							},
+	{END_OF_LIST,				0							},
 };
 #endif
 
@@ -846,8 +846,8 @@ static void host2ext(host_t *host, struct sadb_address *ext)
 {
 	sockaddr_t *host_addr = host->get_sockaddr(host);
 	socklen_t *len = host->get_sockaddr_len(host);
- 	memcpy((char*)(ext + 1), host_addr, *len);
- 	ext->sadb_address_len = PFKEY_LEN(sizeof(*ext) + *len);
+	memcpy((char*)(ext + 1), host_addr, *len);
+	ext->sadb_address_len = PFKEY_LEN(sizeof(*ext) + *len);
 }
 
 /**
@@ -872,7 +872,7 @@ static void add_anyaddr_ext(struct sadb_msg *msg, int family, u_int8_t type)
 	addr->sadb_address_exttype = type;
 	sockaddr_t *saddr = (sockaddr_t*)(addr + 1);
 	saddr->sa_family = family;
- 	addr->sadb_address_len = PFKEY_LEN(sizeof(*addr) + len);
+	addr->sadb_address_len = PFKEY_LEN(sizeof(*addr) + len);
 	PFKEY_EXT_ADD(msg, addr);
 }
 
@@ -884,7 +884,7 @@ static void add_encap_ext(struct sadb_msg *msg, host_t *src, host_t *dst,
 {
 	struct sadb_x_nat_t_type* nat_type;
 	struct sadb_x_nat_t_port* nat_port;
-	
+
 	if (!ports_only)
 	{
 		nat_type = (struct sadb_x_nat_t_type*)PFKEY_EXT_ADD_NEXT(msg);
@@ -893,13 +893,13 @@ static void add_encap_ext(struct sadb_msg *msg, host_t *src, host_t *dst,
 		nat_type->sadb_x_nat_t_type_type = UDP_ENCAP_ESPINUDP;
 		PFKEY_EXT_ADD(msg, nat_type);
 	}
-	
+
 	nat_port = (struct sadb_x_nat_t_port*)PFKEY_EXT_ADD_NEXT(msg);
 	nat_port->sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_SPORT;
 	nat_port->sadb_x_nat_t_port_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_port));
 	nat_port->sadb_x_nat_t_port_port = src->get_port(src);
 	PFKEY_EXT_ADD(msg, nat_port);
-	
+
 	nat_port = (struct sadb_x_nat_t_port*)PFKEY_EXT_ADD_NEXT(msg);
 	nat_port->sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_DPORT;
 	nat_port->sadb_x_nat_t_port_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_port));
@@ -917,19 +917,19 @@ static void build_addflow(struct sadb_msg *msg, u_int8_t satype, u_int32_t spi,
 	struct sadb_sa *sa;
 	struct sadb_protocol *proto;
 	host_t *host;
-	
+
 	msg->sadb_msg_version = PF_KEY_V2;
 	msg->sadb_msg_type = SADB_X_ADDFLOW;
 	msg->sadb_msg_satype = satype;
 	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
-	
+
 	sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
 	sa->sadb_sa_exttype = SADB_EXT_SA;
 	sa->sadb_sa_spi = spi;
 	sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
 	sa->sadb_sa_flags = replace ? SADB_X_SAFLAGS_REPLACEFLOW : 0;
 	PFKEY_EXT_ADD(msg, sa);
-	
+
 	if (!src)
 	{
 		add_anyaddr_ext(msg, src_net->get_family(src_net), SADB_EXT_ADDRESS_SRC);
@@ -938,7 +938,7 @@ static void build_addflow(struct sadb_msg *msg, u_int8_t satype, u_int32_t spi,
 	{
 		add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC);
 	}
-	
+
 	if (!dst)
 	{
 		add_anyaddr_ext(msg, dst_net->get_family(dst_net), SADB_EXT_ADDRESS_DST);
@@ -947,18 +947,18 @@ static void build_addflow(struct sadb_msg *msg, u_int8_t satype, u_int32_t spi,
 	{
 		add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST);
 	}
-	
+
 	add_addr_ext(msg, src_net, SADB_X_EXT_ADDRESS_SRC_FLOW);
 	add_addr_ext(msg, dst_net, SADB_X_EXT_ADDRESS_DST_FLOW);
-	
+
 	host = mask2host(src_net->get_family(src_net), src_mask);
 	add_addr_ext(msg, host, SADB_X_EXT_ADDRESS_SRC_MASK);
 	host->destroy(host);
-	
+
 	host = mask2host(dst_net->get_family(dst_net), dst_mask);
 	add_addr_ext(msg, host, SADB_X_EXT_ADDRESS_DST_MASK);
 	host->destroy(host);
-	
+
 	proto = (struct sadb_protocol*)PFKEY_EXT_ADD_NEXT(msg);
 	proto->sadb_protocol_exttype = SADB_X_EXT_PROTOCOL;
 	proto->sadb_protocol_len = PFKEY_LEN(sizeof(struct sadb_protocol));
@@ -975,25 +975,25 @@ static void build_delflow(struct sadb_msg *msg, u_int8_t satype,
 {
 	struct sadb_protocol *proto;
 	host_t *host;
-	
+
 	msg->sadb_msg_version = PF_KEY_V2;
 	msg->sadb_msg_type = SADB_X_DELFLOW;
 	msg->sadb_msg_satype = satype;
 	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
-	
+
 	add_addr_ext(msg, src_net, SADB_X_EXT_ADDRESS_SRC_FLOW);
 	add_addr_ext(msg, dst_net, SADB_X_EXT_ADDRESS_DST_FLOW);
-	
+
 	host = mask2host(src_net->get_family(src_net),
 					 src_mask);
 	add_addr_ext(msg, host, SADB_X_EXT_ADDRESS_SRC_MASK);
 	host->destroy(host);
-	
+
 	host = mask2host(dst_net->get_family(dst_net),
 					 dst_mask);
 	add_addr_ext(msg, host, SADB_X_EXT_ADDRESS_DST_MASK);
 	host->destroy(host);
-	
+
 	proto = (struct sadb_protocol*)PFKEY_EXT_ADD_NEXT(msg);
 	proto->sadb_protocol_exttype = SADB_X_EXT_PROTOCOL;
 	proto->sadb_protocol_len = PFKEY_LEN(sizeof(struct sadb_protocol));
@@ -1008,15 +1008,15 @@ static status_t parse_pfkey_message(struct sadb_msg *msg, pfkey_msg_t *out)
 {
 	struct sadb_ext* ext;
 	size_t len;
-	
+
 	memset(out, 0, sizeof(pfkey_msg_t));
 	out->msg = msg;
-	
+
 	len = msg->sadb_msg_len;
 	len -= PFKEY_LEN(sizeof(struct sadb_msg));
-	
+
 	ext = (struct sadb_ext*)(((char*)msg) + sizeof(struct sadb_msg));
-	
+
 	while (len >= PFKEY_LEN(sizeof(struct sadb_ext)))
 	{
 		if (ext->sadb_ext_len < PFKEY_LEN(sizeof(struct sadb_ext)) ||
@@ -1025,19 +1025,19 @@ static status_t parse_pfkey_message(struct sadb_msg *msg, pfkey_msg_t *out)
 			DBG1(DBG_KNL, "length of PF_KEY extension (%d) is invalid", ext->sadb_ext_type);
 			break;
 		}
-		
+
 		if ((ext->sadb_ext_type > SADB_EXT_MAX) || (!ext->sadb_ext_type))
 		{
 			DBG1(DBG_KNL, "type of PF_KEY extension (%d) is invalid", ext->sadb_ext_type);
 			break;
 		}
-		
+
 		if (out->ext[ext->sadb_ext_type])
 		{
-			DBG1(DBG_KNL, "duplicate PF_KEY extension of type (%d)", ext->sadb_ext_type);			
+			DBG1(DBG_KNL, "duplicate PF_KEY extension of type (%d)", ext->sadb_ext_type);
 			break;
 		}
-		
+
 		out->ext[ext->sadb_ext_type] = ext;
 		ext = PFKEY_EXT_NEXT_LEN(ext, len);
 	}
@@ -1047,7 +1047,7 @@ static status_t parse_pfkey_message(struct sadb_msg *msg, pfkey_msg_t *out)
 		DBG1(DBG_KNL, "PF_KEY message length is invalid");
 		return FAILED;
 	}
-	
+
 	return SUCCESS;
 }
 
@@ -1060,7 +1060,7 @@ static status_t pfkey_send_socket(private_kernel_klips_ipsec_t *this, int socket
 	unsigned char buf[PFKEY_BUFFER_SIZE];
 	struct sadb_msg *msg;
 	int in_len, len;
-	
+
 	this->mutex_pfkey->lock(this->mutex_pfkey);
 
 	in->sadb_msg_seq = ++this->seq;
@@ -1093,13 +1093,13 @@ static status_t pfkey_send_socket(private_kernel_klips_ipsec_t *this, int socket
 		}
 		break;
 	}
-	
+
 	while (TRUE)
-	{	
+	{
 		msg = (struct sadb_msg*)buf;
-		
+
 		len = recv(socket, buf, sizeof(buf), 0);
-		
+
 		if (len < 0)
 		{
 			if (errno == EINTR)
@@ -1149,13 +1149,13 @@ static status_t pfkey_send_socket(private_kernel_klips_ipsec_t *this, int socket
 		}
 		break;
 	}
-	
+
 	*out_len = len;
 	*out = (struct sadb_msg*)malloc(len);
 	memcpy(*out, buf, len);
-		
+
 	this->mutex_pfkey->unlock(this->mutex_pfkey);
-	
+
 	return SUCCESS;
 }
 
@@ -1175,7 +1175,7 @@ static status_t pfkey_send_ack(private_kernel_klips_ipsec_t *this, struct sadb_m
 {
 	struct sadb_msg *out;
 	size_t len;
-	
+
 	if (pfkey_send(this, in, &out, &len) != SUCCESS)
 	{
 		return FAILED;
@@ -1200,12 +1200,12 @@ static status_t add_eroute(private_kernel_klips_ipsec_t *this, u_int8_t satype,
 {
 	unsigned char request[PFKEY_BUFFER_SIZE];
 	struct sadb_msg *msg = (struct sadb_msg*)request;
-	
+
 	memset(&request, 0, sizeof(request));
-	
+
 	build_addflow(msg, satype, spi, src, dst, src_net, src_mask,
 			dst_net, dst_mask, protocol, replace);
-	
+
 	return pfkey_send_ack(this, msg);
 }
 
@@ -1218,11 +1218,11 @@ static status_t del_eroute(private_kernel_klips_ipsec_t *this, u_int8_t satype,
 {
 	unsigned char request[PFKEY_BUFFER_SIZE];
 	struct sadb_msg *msg = (struct sadb_msg*)request;
-	
+
 	memset(&request, 0, sizeof(request));
-	
+
 	build_delflow(msg, satype, src_net, src_mask, dst_net, dst_mask, protocol);
-	
+
 	return pfkey_send_ack(this, msg);
 }
 
@@ -1237,7 +1237,7 @@ static void process_acquire(private_kernel_klips_ipsec_t *this, struct sadb_msg*
 	u_int8_t proto;
 	policy_entry_t *policy;
 	job_t *job;
-	
+
 	switch (msg->sadb_msg_satype)
 	{
 		case SADB_SATYPE_UNSPEC:
@@ -1248,13 +1248,13 @@ static void process_acquire(private_kernel_klips_ipsec_t *this, struct sadb_msg*
 			/* acquire for AH/ESP only */
 			return;
 	}
-	
+
 	if (parse_pfkey_message(msg, &response) != SUCCESS)
 	{
 		DBG1(DBG_KNL, "parsing SADB_ACQUIRE from kernel failed");
 		return;
 	}
-	
+
 	/* KLIPS provides us only with the source and destination address,
 	 * and the transport protocol of the packet that triggered the policy.
 	 * we use this information to find a matching policy in our cache.
@@ -1269,7 +1269,7 @@ static void process_acquire(private_kernel_klips_ipsec_t *this, struct sadb_msg*
 		DBG1(DBG_KNL, "received an SADB_ACQUIRE with invalid hosts");
 		return;
 	}
-	
+
 	DBG2(DBG_KNL, "received an SADB_ACQUIRE for %H == %H : %d", src, dst, proto);
 	this->mutex->lock(this->mutex);
 	if (this->policies->find_first(this->policies,
@@ -1286,17 +1286,17 @@ static void process_acquire(private_kernel_klips_ipsec_t *this, struct sadb_msg*
 		DBG1(DBG_KNL, "received an SADB_ACQUIRE, but policy is not routed anymore");
 		return;
 	}
-	
+
 	/* add a broad %hold eroute that replaces the %trap eroute */
 	add_eroute(this, SADB_X_SATYPE_INT, htonl(SPI_HOLD), NULL, NULL,
 			policy->src.net, policy->src.mask, policy->dst.net, policy->dst.mask,
 			policy->src.proto, TRUE);
-	
+
 	/* remove the narrow %hold eroute installed by KLIPS */
 	del_eroute(this, SADB_X_SATYPE_INT, src, 32, dst, 32, proto);
-	
+
 	this->mutex->unlock(this->mutex);
-	
+
 	DBG2(DBG_KNL, "received an SADB_ACQUIRE");
 	DBG1(DBG_KNL, "creating acquire job for CHILD_SA with reqid {%d}", reqid);
 	job = (job_t*)acquire_job_create(reqid, NULL, NULL);
@@ -1312,23 +1312,23 @@ static void process_mapping(private_kernel_klips_ipsec_t *this, struct sadb_msg*
 	u_int32_t spi, reqid;
 	host_t *old_src, *new_src;
 	job_t *job;
-	
+
 	DBG2(DBG_KNL, "received an SADB_X_NAT_T_NEW_MAPPING");
-	
+
 	if (parse_pfkey_message(msg, &response) != SUCCESS)
 	{
 		DBG1(DBG_KNL, "parsing SADB_X_NAT_T_NEW_MAPPING from kernel failed");
 		return;
 	}
-	
+
 	spi = response.sa->sadb_sa_spi;
-	
+
 	if (proto_satype2ike(msg->sadb_msg_satype) == PROTO_ESP)
 	{
 		sa_entry_t *sa;
 		sockaddr_t *addr = (sockaddr_t*)(response.src + 1);
 		old_src = host_create_from_sockaddr(addr);
-		
+
 		this->mutex->lock(this->mutex);
 		if (!old_src || this->installed_sas->find_first(this->installed_sas,
 				(linked_list_match_t)sa_entry_match_encapbysrc,
@@ -1340,7 +1340,7 @@ static void process_mapping(private_kernel_klips_ipsec_t *this, struct sadb_msg*
 		}
 		reqid = sa->reqid;
 		this->mutex->unlock(this->mutex);
-		
+
 		addr = (sockaddr_t*)(response.dst + 1);
 		switch (addr->sa_family)
 		{
@@ -1352,7 +1352,7 @@ static void process_mapping(private_kernel_klips_ipsec_t *this, struct sadb_msg*
 			case AF_INET6:
 			{
 				struct sockaddr_in6 *sin6 = (struct sockaddr_in6*)addr;
-				sin6->sin6_port = htons(response.x_natt_dport->sadb_x_nat_t_port_port);				
+				sin6->sin6_port = htons(response.x_natt_dport->sadb_x_nat_t_port_port);
 			}
 			default:
 				break;
@@ -1375,12 +1375,13 @@ static job_requeue_t receive_events(private_kernel_klips_ipsec_t *this)
 {
 	unsigned char buf[PFKEY_BUFFER_SIZE];
 	struct sadb_msg *msg = (struct sadb_msg*)buf;
-	int len, oldstate;
-	
-	pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
+	int len;
+	bool oldstate;
+
+	oldstate = thread_cancelability(TRUE);
 	len = recv(this->socket_events, buf, sizeof(buf), 0);
-	pthread_setcancelstate(oldstate, NULL);
-	
+	thread_cancelability(oldstate);
+
 	if (len < 0)
 	{
 		switch (errno)
@@ -1397,7 +1398,7 @@ static job_requeue_t receive_events(private_kernel_klips_ipsec_t *this)
 				return JOB_REQUEUE_FAIR;
 		}
 	}
-	
+
 	if (len < sizeof(struct sadb_msg) ||
 		msg->sadb_msg_len < PFKEY_LEN(sizeof(struct sadb_msg)))
 	{
@@ -1413,7 +1414,7 @@ static job_requeue_t receive_events(private_kernel_klips_ipsec_t *this)
 		DBG1(DBG_KNL, "buffer was too small to receive the complete PF_KEY message");
 		return JOB_REQUEUE_DIRECT;
 	}
-	
+
 	switch (msg->sadb_msg_type)
 	{
 		case SADB_ACQUIRE:
@@ -1433,7 +1434,7 @@ static job_requeue_t receive_events(private_kernel_klips_ipsec_t *this)
 		default:
 			break;
 	}
-	
+
 	return JOB_REQUEUE_DIRECT;
 }
 
@@ -1473,11 +1474,11 @@ static job_requeue_t sa_expires(sa_expire_t *expire)
 	sa_entry_t *cached_sa;
 	linked_list_t *list;
 	job_t *job;
-	
+
 	/* for an expired SPI we first check whether the CHILD_SA got installed
 	 * in the meantime, for expired SAs we check whether they are still installed */
 	list = expire->type == EXPIRE_TYPE_SPI ? this->allocated_spis : this->installed_sas;
-	
+
 	this->mutex->lock(this->mutex);
 	if (list->find_first(list, (linked_list_match_t)sa_entry_match_byid,
 			(void**)&cached_sa, &protocol, &spi, &reqid) != SUCCESS)
@@ -1494,10 +1495,10 @@ static job_requeue_t sa_expires(sa_expire_t *expire)
 		sa_entry_destroy(cached_sa);
 	}
 	this->mutex->unlock(this->mutex);
-	
+
 	DBG2(DBG_KNL, "%N CHILD_SA with SPI %.8x and reqid {%d} expired",
 			protocol_id_names, protocol, ntohl(spi), reqid);
-	
+
 	DBG1(DBG_KNL, "creating %s job for %N CHILD_SA with SPI %.8x and reqid {%d}",
 		 hard ? "delete" : "rekey",  protocol_id_names,
 		 protocol, ntohl(spi), reqid);
@@ -1514,7 +1515,7 @@ static job_requeue_t sa_expires(sa_expire_t *expire)
 }
 
 /**
- * Schedule an expire job for an SA. Time is in seconds. 
+ * Schedule an expire job for an SA. Time is in seconds.
  */
 static void schedule_expire(private_kernel_klips_ipsec_t *this,
 							protocol_id_t protocol, u_int32_t spi,
@@ -1534,8 +1535,8 @@ static void schedule_expire(private_kernel_klips_ipsec_t *this,
 /**
  * Implementation of kernel_interface_t.get_spi.
  */
-static status_t get_spi(private_kernel_klips_ipsec_t *this, 
-						host_t *src, host_t *dst, 
+static status_t get_spi(private_kernel_klips_ipsec_t *this,
+						host_t *src, host_t *dst,
 						protocol_id_t protocol, u_int32_t reqid,
 						u_int32_t *spi)
 {
@@ -1545,7 +1546,7 @@ static status_t get_spi(private_kernel_klips_ipsec_t *this,
 	 */
 	rng_t *rng;
 	u_int32_t spi_gen;
-	
+
 	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
 	if (!rng)
 	{
@@ -1554,29 +1555,29 @@ static status_t get_spi(private_kernel_klips_ipsec_t *this,
 	}
 	rng->get_bytes(rng, sizeof(spi_gen), (void*)&spi_gen);
 	rng->destroy(rng);
-	
+
 	/* charon's SPIs lie within the range from 0xc0000000 to 0xcFFFFFFF */
 	spi_gen = 0xc0000000 | (spi_gen & 0x0FFFFFFF);
-	
+
 	DBG2(DBG_KNL, "allocated SPI %.8x for %N SA between %#H..%#H",
 			spi_gen, protocol_id_names, protocol, src, dst);
-	
+
 	*spi = htonl(spi_gen);
-	
+
 	this->mutex->lock(this->mutex);
 	this->allocated_spis->insert_last(this->allocated_spis,
 			create_sa_entry(protocol, *spi, reqid, NULL, NULL, FALSE, TRUE));
 	this->mutex->unlock(this->mutex);
 	schedule_expire(this, protocol, *spi, reqid, EXPIRE_TYPE_SPI, SPI_TIMEOUT);
-	
+
 	return SUCCESS;
 }
 
 /**
  * Implementation of kernel_interface_t.get_cpi.
  */
-static status_t get_cpi(private_kernel_klips_ipsec_t *this, 
-						host_t *src, host_t *dst, 
+static status_t get_cpi(private_kernel_klips_ipsec_t *this,
+						host_t *src, host_t *dst,
 						u_int32_t reqid, u_int16_t *cpi)
 {
 	return FAILED;
@@ -1592,27 +1593,27 @@ static status_t add_ipip_sa(private_kernel_klips_ipsec_t *this,
 	struct sadb_msg *msg, *out;
 	struct sadb_sa *sa;
 	size_t len;
-	
+
 	memset(&request, 0, sizeof(request));
-	
+
 	DBG2(DBG_KNL, "adding pseudo IPIP SA with SPI %.8x and reqid {%d}", ntohl(spi), reqid);
-	
+
 	msg = (struct sadb_msg*)request;
 	msg->sadb_msg_version = PF_KEY_V2;
 	msg->sadb_msg_type = SADB_ADD;
 	msg->sadb_msg_satype = SADB_X_SATYPE_IPIP;
 	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
-	
+
 	sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
 	sa->sadb_sa_exttype = SADB_EXT_SA;
 	sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
 	sa->sadb_sa_spi = spi;
 	sa->sadb_sa_state = SADB_SASTATE_MATURE;
 	PFKEY_EXT_ADD(msg, sa);
-	
+
 	add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC);
 	add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST);
-	
+
 	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
 	{
 		DBG1(DBG_KNL, "unable to add pseudo IPIP SA with SPI %.8x", ntohl(spi));
@@ -1625,7 +1626,7 @@ static status_t add_ipip_sa(private_kernel_klips_ipsec_t *this,
 		free(out);
 		return FAILED;
 	}
-	
+
 	free(out);
 	return SUCCESS;
 }
@@ -1642,41 +1643,41 @@ static status_t group_ipip_sa(private_kernel_klips_ipsec_t *this,
 	struct sadb_sa *sa;
 	struct sadb_x_satype *satype;
 	size_t len;
-	
+
 	memset(&request, 0, sizeof(request));
-	
+
 	DBG2(DBG_KNL, "grouping SAs with SPI %.8x and reqid {%d}", ntohl(spi), reqid);
-	
+
 	msg = (struct sadb_msg*)request;
 	msg->sadb_msg_version = PF_KEY_V2;
 	msg->sadb_msg_type = SADB_X_GRPSA;
 	msg->sadb_msg_satype = SADB_X_SATYPE_IPIP;
 	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
-	
+
 	sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
 	sa->sadb_sa_exttype = SADB_EXT_SA;
 	sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
 	sa->sadb_sa_spi = spi;
 	sa->sadb_sa_state = SADB_SASTATE_MATURE;
 	PFKEY_EXT_ADD(msg, sa);
-	
+
 	add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST);
-	
+
 	satype = (struct sadb_x_satype*)PFKEY_EXT_ADD_NEXT(msg);
 	satype->sadb_x_satype_exttype = SADB_X_EXT_SATYPE2;
 	satype->sadb_x_satype_len = PFKEY_LEN(sizeof(struct sadb_x_satype));
 	satype->sadb_x_satype_satype = proto_ike2satype(protocol);
 	PFKEY_EXT_ADD(msg, satype);
-	
+
 	sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
 	sa->sadb_sa_exttype = SADB_X_EXT_SA2;
 	sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
 	sa->sadb_sa_spi = spi;
 	sa->sadb_sa_state = SADB_SASTATE_MATURE;
 	PFKEY_EXT_ADD(msg, sa);
-	
+
 	add_addr_ext(msg, dst, SADB_X_EXT_ADDRESS_DST2);
-	
+
 	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
 	{
 		DBG1(DBG_KNL, "unable to group SAs with SPI %.8x", ntohl(spi));
@@ -1689,7 +1690,7 @@ static status_t group_ipip_sa(private_kernel_klips_ipsec_t *this,
 		free(out);
 		return FAILED;
 	}
-	
+
 	free(out);
 	return SUCCESS;
 }
@@ -1700,18 +1701,19 @@ static status_t group_ipip_sa(private_kernel_klips_ipsec_t *this,
 static status_t add_sa(private_kernel_klips_ipsec_t *this,
 					   host_t *src, host_t *dst, u_int32_t spi,
 					   protocol_id_t protocol, u_int32_t reqid,
-					   u_int64_t expire_soft, u_int64_t expire_hard,
+					   lifetime_cfg_t *lifetime,
 					   u_int16_t enc_alg, chunk_t enc_key,
 					   u_int16_t int_alg, chunk_t int_key,
 					   ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
-					   bool encap, bool inbound)
+					   bool encap, bool inbound, traffic_selector_t *src_ts,
+					   traffic_selector_t *dst_ts)
 {
 	unsigned char request[PFKEY_BUFFER_SIZE];
 	struct sadb_msg *msg, *out;
 	struct sadb_sa *sa;
 	struct sadb_key *key;
 	size_t len;
-	
+
 	if (inbound)
 	{
 		/* for inbound SAs we allocated an SPI via get_spi, so we first check
@@ -1733,17 +1735,17 @@ static status_t add_sa(private_kernel_klips_ipsec_t *this,
 		}
 		this->mutex->unlock(this->mutex);
 	}
-	
+
 	memset(&request, 0, sizeof(request));
-	
+
 	DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%d}", ntohl(spi), reqid);
-	
+
 	msg = (struct sadb_msg*)request;
 	msg->sadb_msg_version = PF_KEY_V2;
 	msg->sadb_msg_type = SADB_ADD;
 	msg->sadb_msg_satype = proto_ike2satype(protocol);
 	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
-	
+
 	sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
 	sa->sadb_sa_exttype = SADB_EXT_SA;
 	sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
@@ -1753,10 +1755,10 @@ static status_t add_sa(private_kernel_klips_ipsec_t *this,
 	sa->sadb_sa_auth = lookup_algorithm(integrity_algs, int_alg);
 	sa->sadb_sa_encrypt = lookup_algorithm(encryption_algs, enc_alg);
 	PFKEY_EXT_ADD(msg, sa);
-	
+
 	add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC);
 	add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST);
-	
+
 	if (enc_alg != ENCR_UNDEFINED)
 	{
 		if (!sa->sadb_sa_encrypt)
@@ -1767,16 +1769,16 @@ static status_t add_sa(private_kernel_klips_ipsec_t *this,
 		}
 		DBG2(DBG_KNL, "  using encryption algorithm %N with key size %d",
 			 encryption_algorithm_names, enc_alg, enc_key.len * 8);
-		
+
 		key = (struct sadb_key*)PFKEY_EXT_ADD_NEXT(msg);
 		key->sadb_key_exttype = SADB_EXT_KEY_ENCRYPT;
 		key->sadb_key_bits = enc_key.len * 8;
 		key->sadb_key_len = PFKEY_LEN(sizeof(struct sadb_key) + enc_key.len);
 		memcpy(key + 1, enc_key.ptr, enc_key.len);
-		
+
 		PFKEY_EXT_ADD(msg, key);
 	}
-	
+
 	if (int_alg != AUTH_UNDEFINED)
 	{
 		if (!sa->sadb_sa_auth)
@@ -1787,26 +1789,26 @@ static status_t add_sa(private_kernel_klips_ipsec_t *this,
 		}
 		DBG2(DBG_KNL, "  using integrity algorithm %N with key size %d",
 			 integrity_algorithm_names, int_alg, int_key.len * 8);
-		
+
 		key = (struct sadb_key*)PFKEY_EXT_ADD_NEXT(msg);
 		key->sadb_key_exttype = SADB_EXT_KEY_AUTH;
 		key->sadb_key_bits = int_key.len * 8;
 		key->sadb_key_len = PFKEY_LEN(sizeof(struct sadb_key) + int_key.len);
 		memcpy(key + 1, int_key.ptr, int_key.len);
-		
+
 		PFKEY_EXT_ADD(msg, key);
 	}
-	
+
 	if (ipcomp != IPCOMP_NONE)
 	{
 		/*TODO*/
 	}
-	
+
 	if (encap)
 	{
 		add_encap_ext(msg, src, dst, FALSE);
 	}
-	
+
 	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
 	{
 		DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x", ntohl(spi));
@@ -1820,7 +1822,7 @@ static status_t add_sa(private_kernel_klips_ipsec_t *this,
 		return FAILED;
 	}
 	free(out);
-	
+
 	/* for tunnel mode SAs we have to install an additional IPIP SA and
 	 * group the two SAs together */
 	if (mode == MODE_TUNNEL)
@@ -1832,7 +1834,7 @@ static status_t add_sa(private_kernel_klips_ipsec_t *this,
 			return FAILED;
 		}
 	}
-	
+
 	this->mutex->lock(this->mutex);
 	/* we cache this SA for two reasons:
 	 * - in case an SADB_X_NAT_T_MAPPING_NEW event occurs (we need to find the reqid then)
@@ -1840,20 +1842,20 @@ static status_t add_sa(private_kernel_klips_ipsec_t *this,
 	this->installed_sas->insert_last(this->installed_sas,
 				create_sa_entry(protocol, spi, reqid, src, dst, encap, inbound));
 	this->mutex->unlock(this->mutex);
-	
+
 	/* Although KLIPS supports SADB_EXT_LIFETIME_SOFT/HARD, we handle the lifetime
 	 * of SAs manually in the plugin. Refer to the comments in receive_events()
 	 * for details. */
-	if (expire_soft)
+	if (lifetime->time.rekey)
 	{
-		schedule_expire(this, protocol, spi, reqid, EXPIRE_TYPE_SOFT, expire_soft);
+		schedule_expire(this, protocol, spi, reqid, EXPIRE_TYPE_SOFT, lifetime->time.rekey);
 	}
-	
-	if (expire_hard)
+
+	if (lifetime->time.life)
 	{
-		schedule_expire(this, protocol, spi, reqid, EXPIRE_TYPE_HARD, expire_hard);
+		schedule_expire(this, protocol, spi, reqid, EXPIRE_TYPE_HARD, lifetime->time.life);
 	}
-		
+
 	return SUCCESS;
 }
 
@@ -1870,7 +1872,7 @@ static status_t update_sa(private_kernel_klips_ipsec_t *this,
 	struct sadb_msg *msg, *out;
 	struct sadb_sa *sa;
 	size_t len;
-	
+
 	/* we can't update the SA if any of the ip addresses have changed.
 	 * that's because we can't use SADB_UPDATE and by deleting and readding the
 	 * SA the sequence numbers would get lost */
@@ -1881,7 +1883,7 @@ static status_t update_sa(private_kernel_klips_ipsec_t *this,
 				" are not supported", ntohl(spi));
 		return NOT_SUPPORTED;
 	}
-	
+
 	/* because KLIPS does not allow us to change the NAT-T type in an SADB_UPDATE,
 	 * we can't update the SA if the encap flag has changed since installing it */
 	if (encap != new_encap)
@@ -1890,18 +1892,18 @@ static status_t update_sa(private_kernel_klips_ipsec_t *this,
 				" encapsulation is not supported", ntohl(spi));
 		return NOT_SUPPORTED;
 	}
-	
+
 	DBG2(DBG_KNL, "updating SAD entry with SPI %.8x from %#H..%#H to %#H..%#H",
 		 ntohl(spi), src, dst, new_src, new_dst);
-	
+
 	memset(&request, 0, sizeof(request));
-	
+
 	msg = (struct sadb_msg*)request;
 	msg->sadb_msg_version = PF_KEY_V2;
 	msg->sadb_msg_type = SADB_UPDATE;
 	msg->sadb_msg_satype = proto_ike2satype(protocol);
 	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
-	
+
 	sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
 	sa->sadb_sa_exttype = SADB_EXT_SA;
 	sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
@@ -1910,12 +1912,12 @@ static status_t update_sa(private_kernel_klips_ipsec_t *this,
 	sa->sadb_sa_auth = SADB_AALG_SHA1HMAC; /* ignored */
 	sa->sadb_sa_state = SADB_SASTATE_MATURE;
 	PFKEY_EXT_ADD(msg, sa);
-	
+
 	add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC);
 	add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST);
-			
+
 	add_encap_ext(msg, new_src, new_dst, TRUE);
-	
+
 	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
 	{
 		DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi));
@@ -1929,7 +1931,7 @@ static status_t update_sa(private_kernel_klips_ipsec_t *this,
 		return FAILED;
 	}
 	free(out);
-	
+
 	return SUCCESS;
 }
 
@@ -1955,13 +1957,13 @@ static status_t del_sa(private_kernel_klips_ipsec_t *this, host_t *src,
 	struct sadb_sa *sa;
 	sa_entry_t *cached_sa;
 	size_t len;
-	
+
 	memset(&request, 0, sizeof(request));
-	
+
 	/* all grouped SAs are automatically deleted by KLIPS as soon as
 	 * one of them is deleted, therefore we delete only the main one */
 	DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x", ntohl(spi));
-	
+
 	this->mutex->lock(this->mutex);
 	/* this should not fail, but we don't care if it does, let the kernel decide
 	 * whether this SA exists or not */
@@ -1973,24 +1975,24 @@ static status_t del_sa(private_kernel_klips_ipsec_t *this, host_t *src,
 		sa_entry_destroy(cached_sa);
 	}
 	this->mutex->unlock(this->mutex);
-	
+
 	msg = (struct sadb_msg*)request;
 	msg->sadb_msg_version = PF_KEY_V2;
 	msg->sadb_msg_type = SADB_DELETE;
 	msg->sadb_msg_satype = proto_ike2satype(protocol);
 	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
-	
+
 	sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
 	sa->sadb_sa_exttype = SADB_EXT_SA;
 	sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
 	sa->sadb_sa_spi = spi;
 	PFKEY_EXT_ADD(msg, sa);
-	
+
 	/* the kernel wants an SADB_EXT_ADDRESS_SRC to be present even though
 	 * it is not used for anything. */
 	add_anyaddr_ext(msg, dst->get_family(dst), SADB_EXT_ADDRESS_SRC);
 	add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST);
-	
+
 	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
 	{
 		DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x", ntohl(spi));
@@ -2003,7 +2005,7 @@ static status_t del_sa(private_kernel_klips_ipsec_t *this, host_t *src,
 		free(out);
 		return FAILED;
 	}
-	
+
 	DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x", ntohl(spi));
 	free(out);
 	return SUCCESS;
@@ -2012,7 +2014,7 @@ static status_t del_sa(private_kernel_klips_ipsec_t *this, host_t *src,
 /**
  * Implementation of kernel_interface_t.add_policy.
  */
-static status_t add_policy(private_kernel_klips_ipsec_t *this, 
+static status_t add_policy(private_kernel_klips_ipsec_t *this,
 						   host_t *src, host_t *dst,
 						   traffic_selector_t *src_ts,
 						   traffic_selector_t *dst_ts,
@@ -2025,21 +2027,21 @@ static status_t add_policy(private_kernel_klips_ipsec_t *this,
 	struct sadb_msg *msg, *out;
 	policy_entry_t *policy, *found = NULL;
 	u_int8_t satype;
-	size_t len;	
-	
+	size_t len;
+
 	if (direction == POLICY_FWD)
 	{
 		/* no forward policies for KLIPS */
 		return SUCCESS;
 	}
-	
+
 	/* tunnel mode policies direct the packets into the pseudo IPIP SA */
 	satype = (mode == MODE_TUNNEL) ? SADB_X_SATYPE_IPIP :
 									 proto_ike2satype(protocol);
-	
+
 	/* create a policy */
 	policy = create_policy_entry(src_ts, dst_ts, direction);
-	
+
 	/* find a matching policy */
 	this->mutex->lock(this->mutex);
 	if (this->policies->find_first(this->policies,
@@ -2057,21 +2059,21 @@ static status_t add_policy(private_kernel_klips_ipsec_t *this,
 		/* apply the new one, if we have no such policy */
 		this->policies->insert_last(this->policies, policy);
 	}
-		
+
 	if (routed)
 	{
 		/* we install this as a %trap eroute in the kernel, later to be
 		 * triggered by packets matching the policy (-> ACQUIRE). */
 		spi = htonl(SPI_TRAP);
 		satype = SADB_X_SATYPE_INT;
-		
+
 		/* the reqid is always set to the latest child SA that trapped this
 		 * policy. we will need this reqid upon receiving an acquire. */
 		policy->reqid = reqid;
-		
+
 		/* increase the trap counter */
 		policy->trapcount++;
-		
+
 		if (policy->activecount)
 		{
 			/* we do not replace the current policy in the kernel while a
@@ -2085,21 +2087,21 @@ static status_t add_policy(private_kernel_klips_ipsec_t *this,
 		/* increase the reference counter */
 		policy->activecount++;
 	}
-	
+
 	DBG2(DBG_KNL, "adding policy %R === %R %N", src_ts, dst_ts,
 				   policy_dir_names, direction);
-	
+
 	memset(&request, 0, sizeof(request));
-	
+
 	msg = (struct sadb_msg*)request;
-	
+
 	/* FIXME: SADB_X_SAFLAGS_INFLOW may be required, if we add an inbound policy for an IPIP SA */
 	build_addflow(msg, satype, spi, routed ? NULL : src, routed ? NULL : dst,
 			policy->src.net, policy->src.mask, policy->dst.net, policy->dst.mask,
 			policy->src.proto, found != NULL);
-	
+
 	this->mutex->unlock(this->mutex);
-	
+
 	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
 	{
 		DBG1(DBG_KNL, "unable to add policy %R === %R %N", src_ts, dst_ts,
@@ -2115,9 +2117,9 @@ static status_t add_policy(private_kernel_klips_ipsec_t *this,
 		return FAILED;
 	}
 	free(out);
-	
+
 	this->mutex->lock(this->mutex);
-	
+
 	/* we try to find the policy again and install the route if needed */
 	if (this->policies->find_last(this->policies, NULL, (void**)&policy) != SUCCESS)
 	{
@@ -2126,7 +2128,7 @@ static status_t add_policy(private_kernel_klips_ipsec_t *this,
 				src_ts, dst_ts, policy_dir_names, direction);
 		return SUCCESS;
 	}
-	
+
 	/* KLIPS requires a special route that directs traffic that matches this
 	 * policy to one of the virtual ipsec interfaces. The virtual interface
 	 * has to be attached to the physical one the traffic runs over.
@@ -2144,19 +2146,19 @@ static status_t add_policy(private_kernel_klips_ipsec_t *this,
 		ipsec_dev_t *dev;
 		route_entry_t *route = malloc_thing(route_entry_t);
 		route->src_ip = NULL;
-		
+
 		if (mode != MODE_TRANSPORT && src->get_family(src) != AF_INET6 &&
 			this->install_routes)
 		{
 			charon->kernel_interface->get_address_by_ts(charon->kernel_interface,
 						src_ts, &route->src_ip);
 		}
-		
+
 		if (!route->src_ip)
 		{
 			route->src_ip = host_create_any(src->get_family(src));
 		}
-		
+
 		/* find the virtual interface */
 		iface = charon->kernel_interface->get_interface(charon->kernel_interface,
 														src);
@@ -2203,13 +2205,13 @@ static status_t add_policy(private_kernel_klips_ipsec_t *this,
 		}
 		free(iface);
 		route->if_name = strdup(dev->name);
-		
+
 		/* get the nexthop to dst */
 		route->gateway = charon->kernel_interface->get_nexthop(
 										charon->kernel_interface, dst);
 		route->dst_net = chunk_clone(policy->dst.net->get_address(policy->dst.net));
 		route->prefixlen = policy->dst.mask;
-		
+
 		switch (charon->kernel_interface->add_route(charon->kernel_interface,
 				route->dst_net, route->prefixlen, route->gateway,
 				route->src_ip, route->if_name))
@@ -2227,10 +2229,10 @@ static status_t add_policy(private_kernel_klips_ipsec_t *this,
 				policy->route = route;
 				break;
 		}
-	}	
-	
-	this->mutex->unlock(this->mutex);	
-	
+	}
+
+	this->mutex->unlock(this->mutex);
+
 	return SUCCESS;
 }
 
@@ -2238,7 +2240,7 @@ static status_t add_policy(private_kernel_klips_ipsec_t *this,
  * Implementation of kernel_interface_t.query_policy.
  */
 static status_t query_policy(private_kernel_klips_ipsec_t *this,
-							 traffic_selector_t *src_ts, 
+							 traffic_selector_t *src_ts,
 							 traffic_selector_t *dst_ts,
 							 policy_dir_t direction, u_int32_t *use_time)
 {
@@ -2250,19 +2252,19 @@ static status_t query_policy(private_kernel_klips_ipsec_t *this,
 	char *said = NULL, *pos;
 	policy_entry_t *policy, *found = NULL;
 	status_t status = FAILED;
-	
+
 	if (direction == POLICY_FWD)
 	{
 		/* we do not install forward policies */
 		return FAILED;
 	}
-	
+
 	DBG2(DBG_KNL, "querying policy %R === %R %N", src_ts, dst_ts,
 				   policy_dir_names, direction);
-	
+
 	/* create a policy */
 	policy = create_policy_entry(src_ts, dst_ts, direction);
-	
+
 	/* find a matching policy */
 	this->mutex->lock(this->mutex);
 	if (this->policies->find_first(this->policies,
@@ -2276,7 +2278,7 @@ static status_t query_policy(private_kernel_klips_ipsec_t *this,
 	}
 	policy_entry_destroy(policy);
 	policy = found;
-	
+
 	/* src and dst selectors in KLIPS are of the form NET_ADDR/NETBITS:PROTO */
 	snprintf(src, sizeof(src), "%H/%d:%d", policy->src.net, policy->src.mask,
 			policy->src.proto);
@@ -2284,9 +2286,9 @@ static status_t query_policy(private_kernel_klips_ipsec_t *this,
 	snprintf(dst, sizeof(dst), "%H/%d:%d", policy->dst.net, policy->dst.mask,
 			policy->dst.proto);
 	dst[sizeof(dst) - 1] = '\0';
-	
+
 	this->mutex->unlock(this->mutex);
-	
+
 	/* we try to find the matching eroute first */
 	file = fopen(path_eroute, "r");
 	if (file == NULL)
@@ -2295,7 +2297,7 @@ static status_t query_policy(private_kernel_klips_ipsec_t *this,
 				dst_ts, policy_dir_names, direction, strerror(errno), errno);
 		return FAILED;
 	}
-	
+
 	/* read line by line where each line looks like:
 	 * packets  src  ->  dst  =>  said */
 	while (fgets(line, sizeof(line), file))
@@ -2303,7 +2305,7 @@ static status_t query_policy(private_kernel_klips_ipsec_t *this,
 		enumerator_t *enumerator;
 		char *token;
 		int i = 0;
-		
+
 		enumerator = enumerator_create_token(line, " \t", " \t\n");
 		while (enumerator->enumerate(enumerator, &token))
 		{
@@ -2334,7 +2336,7 @@ static status_t query_policy(private_kernel_klips_ipsec_t *this,
 			break;
 		}
 		enumerator->destroy(enumerator);
-		
+
 		if (i == 5)
 		{
 			/* eroute matched */
@@ -2342,19 +2344,19 @@ static status_t query_policy(private_kernel_klips_ipsec_t *this,
 		}
 	}
 	fclose(file);
-	
+
 	if (said == NULL)
 	{
 		DBG1(DBG_KNL, "unable to query policy %R === %R %N: found no matching"
 				" eroute", src_ts, dst_ts, policy_dir_names, direction);
 		return FAILED;
 	}
-	
+
 	/* compared with the one in the spi entry the SA ID from the eroute entry
 	 * has an additional ":PROTO" appended, which we need to cut off */
 	pos = strrchr(said, ':');
 	*pos = '\0';
-	
+
 	/* now we try to find the matching spi entry */
 	file = fopen(path_spi, "r");
 	if (file == NULL)
@@ -2363,7 +2365,7 @@ static status_t query_policy(private_kernel_klips_ipsec_t *this,
 				dst_ts, policy_dir_names, direction, strerror(errno), errno);
 		return FAILED;
 	}
-	
+
 	while (fgets(line, sizeof(line), file))
 	{
 		if (strneq(line, said, strlen(said)))
@@ -2381,15 +2383,15 @@ static status_t query_policy(private_kernel_klips_ipsec_t *this,
 				/* idle time not valid */
 				break;
 			}
-			
-			*use_time = time(NULL) - idle_time;
+
+			*use_time = time_monotonic(NULL) - idle_time;
 			status = SUCCESS;
 			break;
 		}
 	}
 	fclose(file);
 	free(said);
-	
+
 	return status;
 }
 
@@ -2397,7 +2399,7 @@ static status_t query_policy(private_kernel_klips_ipsec_t *this,
  * Implementation of kernel_interface_t.del_policy.
  */
 static status_t del_policy(private_kernel_klips_ipsec_t *this,
-						   traffic_selector_t *src_ts, 
+						   traffic_selector_t *src_ts,
 						   traffic_selector_t *dst_ts,
 						   policy_dir_t direction, bool unrouted)
 {
@@ -2406,19 +2408,19 @@ static status_t del_policy(private_kernel_klips_ipsec_t *this,
 	policy_entry_t *policy, *found = NULL;
 	route_entry_t *route;
 	size_t len;
-	
+
 	if (direction == POLICY_FWD)
 	{
 		/* no forward policies for KLIPS */
 		return SUCCESS;
 	}
-	
+
 	DBG2(DBG_KNL, "deleting policy %R === %R %N", src_ts, dst_ts,
 				   policy_dir_names, direction);
-	
+
 	/* create a policy */
 	policy = create_policy_entry(src_ts, dst_ts, direction);
-	
+
 	/* find a matching policy */
 	this->mutex->lock(this->mutex);
 	if (this->policies->find_first(this->policies,
@@ -2431,10 +2433,10 @@ static status_t del_policy(private_kernel_klips_ipsec_t *this,
 		return NOT_FOUND;
 	}
 	policy_entry_destroy(policy);
-	
+
 	/* decrease appropriate counter */
 	unrouted ? found->trapcount-- : found->activecount--;
-	
+
 	if (found->trapcount == 0)
 	{
 		/* if this policy is finally unrouted, we reset the reqid because it
@@ -2442,7 +2444,7 @@ static status_t del_policy(private_kernel_klips_ipsec_t *this,
 		 * this policy. */
 		found->reqid = 0;
 	}
-	
+
 	if (found->activecount > 0)
 	{
 		/* is still used by SAs, keep in kernel */
@@ -2462,22 +2464,22 @@ static status_t del_policy(private_kernel_klips_ipsec_t *this,
 		this->mutex->unlock(this->mutex);
 		return pfkey_send_ack(this, msg);
 	}
-	
+
 	/* remove if last reference */
 	this->policies->remove(this->policies, found, NULL);
 	policy = found;
-	
+
 	this->mutex->unlock(this->mutex);
-		
+
 	memset(&request, 0, sizeof(request));
-	
+
 	build_delflow(msg, 0, policy->src.net, policy->src.mask, policy->dst.net,
 			policy->dst.mask, policy->src.proto);
-	
+
 	route = policy->route;
 	policy->route = NULL;
 	policy_entry_destroy(policy);
-	
+
 	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
 	{
 		DBG1(DBG_KNL, "unable to delete policy %R === %R %N", src_ts, dst_ts,
@@ -2493,11 +2495,11 @@ static status_t del_policy(private_kernel_klips_ipsec_t *this,
 		return FAILED;
 	}
 	free(out);
-	
+
 	if (route)
 	{
 		ipsec_dev_t *dev;
-		
+
 		if (charon->kernel_interface->del_route(charon->kernel_interface,
 				route->dst_net, route->prefixlen, route->gateway,
 				route->src_ip, route->if_name) != SUCCESS)
@@ -2506,11 +2508,11 @@ static status_t del_policy(private_kernel_klips_ipsec_t *this,
 						  " policy %R === %R %N", src_ts, dst_ts,
 						   policy_dir_names, direction);
 		}
-		
+
 		/* we have to detach the ipsec interface from the physical one over which
 		 * this SA ran (if it is not used by any other) */
 		this->mutex->lock(this->mutex);
-		
+
 		if (find_ipsec_dev(this, route->if_name, &dev) == SUCCESS)
 		{
 			/* fine, we found a matching device object, let's check if we have
@@ -2525,12 +2527,12 @@ static status_t del_policy(private_kernel_klips_ipsec_t *this,
 				dev->phys_name[0] = '\0';
 			}
 		}
-		
+
 		this->mutex->unlock(this->mutex);
-		
+
 		route_entry_destroy(route);
 	}
-	
+
 	return SUCCESS;
 }
 
@@ -2540,9 +2542,9 @@ static status_t del_policy(private_kernel_klips_ipsec_t *this,
 static void init_ipsec_devices(private_kernel_klips_ipsec_t *this)
 {
 	int i, count = lib->settings->get_int(lib->settings,
-						"charon.plugins.kernel_klips.ipsec_dev_count",
+						"charon.plugins.kernel-klips.ipsec_dev_count",
 						DEFAULT_IPSEC_DEV_COUNT);
-	
+
 	for (i = 0; i < count; ++i)
 	{
 		ipsec_dev_t *dev = malloc_thing(ipsec_dev_t);
@@ -2551,7 +2553,7 @@ static void init_ipsec_devices(private_kernel_klips_ipsec_t *this)
 		dev->phys_name[0] = '\0';
 		dev->refcount = 0;
 		this->ipsec_devices->insert_last(this->ipsec_devices, dev);
-		
+
 		/* detach any previously attached ipsec device */
 		detach_ipsec_dev(dev->name, dev->phys_name);
 	}
@@ -2565,15 +2567,15 @@ static status_t register_pfkey_socket(private_kernel_klips_ipsec_t *this, u_int8
 	unsigned char request[PFKEY_BUFFER_SIZE];
 	struct sadb_msg *msg, *out;
 	size_t len;
-	
+
 	memset(&request, 0, sizeof(request));
-	
+
 	msg = (struct sadb_msg*)request;
 	msg->sadb_msg_version = PF_KEY_V2;
 	msg->sadb_msg_type = SADB_REGISTER;
 	msg->sadb_msg_satype = satype;
 	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
-	
+
 	if (pfkey_send_socket(this, this->socket_events, msg, &out, &len) != SUCCESS)
 	{
 		DBG1(DBG_KNL, "unable to register PF_KEY socket");
@@ -2613,18 +2615,18 @@ static void destroy(private_kernel_klips_ipsec_t *this)
 kernel_klips_ipsec_t *kernel_klips_ipsec_create()
 {
 	private_kernel_klips_ipsec_t *this = malloc_thing(private_kernel_klips_ipsec_t);
-	
+
 	/* public functions */
 	this->public.interface.get_spi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,protocol_id_t,u_int32_t,u_int32_t*))get_spi;
 	this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
-	this->public.interface.add_sa  = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa;
+	this->public.interface.add_sa  = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,lifetime_cfg_t*,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool,traffic_selector_t*,traffic_selector_t*))add_sa;
 	this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa;
 	this->public.interface.query_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int64_t*))query_sa;
 	this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
 	this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t,protocol_id_t,u_int32_t,ipsec_mode_t,u_int16_t,u_int16_t,bool))add_policy;
 	this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
 	this->public.interface.del_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,bool))del_policy;
-	
+
 	this->public.interface.destroy = (void(*)(kernel_ipsec_t*)) destroy;
 
 	/* private members */
@@ -2636,34 +2638,34 @@ kernel_klips_ipsec_t *kernel_klips_ipsec_create()
 	this->mutex_pfkey = mutex_create(MUTEX_TYPE_DEFAULT);
 	this->install_routes = lib->settings->get_bool(lib->settings, "charon.install_routes", TRUE);
 	this->seq = 0;
-	
+
 	/* initialize ipsec devices */
 	init_ipsec_devices(this);
-	
+
 	/* create a PF_KEY socket to communicate with the kernel */
 	this->socket = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
 	if (this->socket <= 0)
 	{
 		charon->kill(charon, "unable to create PF_KEY socket");
 	}
-	
+
 	/* create a PF_KEY socket for ACQUIRE & EXPIRE */
 	this->socket_events = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
 	if (this->socket_events <= 0)
 	{
 		charon->kill(charon, "unable to create PF_KEY event socket");
 	}
-	
+
 	/* register the event socket */
 	if (register_pfkey_socket(this, SADB_SATYPE_ESP) != SUCCESS ||
 		register_pfkey_socket(this, SADB_SATYPE_AH) != SUCCESS)
 	{
 		charon->kill(charon, "unable to register PF_KEY event socket");
 	}
-	
+
 	this->job = callback_job_create((callback_job_cb_t)receive_events,
 									this, NULL, NULL);
 	charon->processor->queue_job(charon->processor, (job_t*)this->job);
-	
+
 	return &this->public;
 }
diff --git a/src/charon/plugins/kernel_klips/kernel_klips_plugin.c b/src/charon/plugins/kernel_klips/kernel_klips_plugin.c
index d153ea8af..b0117c10c 100644
--- a/src/charon/plugins/kernel_klips/kernel_klips_plugin.c
+++ b/src/charon/plugins/kernel_klips/kernel_klips_plugin.c
@@ -47,10 +47,10 @@ static void destroy(private_kernel_klips_plugin_t *this)
 plugin_t *plugin_create()
 {
 	private_kernel_klips_plugin_t *this = malloc_thing(private_kernel_klips_plugin_t);
-	
+
 	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-	
+
 	charon->kernel_interface->add_ipsec_interface(charon->kernel_interface, (kernel_ipsec_constructor_t)kernel_klips_ipsec_create);
-	
+
 	return &this->public.plugin;
 }
diff --git a/src/charon/plugins/kernel_klips/pfkeyv2.h b/src/charon/plugins/kernel_klips/pfkeyv2.h
index 78d3dfa91..20d1c298d 100644
--- a/src/charon/plugins/kernel_klips/pfkeyv2.h
+++ b/src/charon/plugins/kernel_klips/pfkeyv2.h
@@ -169,7 +169,7 @@ struct sadb_x_satype {
   uint8_t sadb_x_satype_satype;
   uint8_t sadb_x_satype_reserved[3];
 };
-  
+
 struct sadb_x_debug {
   uint16_t sadb_x_debug_len;
   uint16_t sadb_x_debug_exttype;
@@ -200,7 +200,7 @@ struct sadb_x_nat_t_port {
   uint16_t sadb_x_nat_t_port_port;
   uint16_t sadb_x_nat_t_port_reserved;
 };
-  
+
 /*
  * A protocol structure for passing through the transport level
  * protocol.  It contains more fields than are actually used/needed
diff --git a/src/charon/plugins/kernel_netlink/Makefile.am b/src/charon/plugins/kernel_netlink/Makefile.am
index 6351280d6..31d9c6d5c 100644
--- a/src/charon/plugins/kernel_netlink/Makefile.am
+++ b/src/charon/plugins/kernel_netlink/Makefile.am
@@ -1,7 +1,9 @@
 
-INCLUDES = -I${linuxdir} -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
+INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = -rdynamic \
+-DROUTING_TABLE=${routing_table} \
+-DROUTING_TABLE_PRIO=${routing_table_prio}
 
 plugin_LTLIBRARIES = libstrongswan-kernel-netlink.la
 
diff --git a/src/charon/plugins/kernel_netlink/Makefile.in b/src/charon/plugins/kernel_netlink/Makefile.in
index 46d2a1c65..09be50587 100644
--- a/src/charon/plugins/kernel_netlink/Makefile.in
+++ b/src/charon/plugins/kernel_netlink/Makefile.in
@@ -1,8 +1,9 @@
-# Makefile.in generated by automake 1.10.2 from Makefile.am.
+# Makefile.in generated by automake 1.11 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,8 +17,9 @@
 
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
@@ -35,19 +37,41 @@ host_triplet = @host@
 subdir = src/charon/plugins/kernel_netlink
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
 CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
 am__vpath_adj = case $$p in \
     $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
     *) f=$$p;; \
   esac;
-am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__installdirs = "$(DESTDIR)$(plugindir)"
-pluginLTLIBRARIES_INSTALL = $(INSTALL)
 LTLIBRARIES = $(plugin_LTLIBRARIES)
 libstrongswan_kernel_netlink_la_LIBADD =
 am_libstrongswan_kernel_netlink_la_OBJECTS = kernel_netlink_plugin.lo \
@@ -62,6 +86,7 @@ libstrongswan_kernel_netlink_la_LINK = $(LIBTOOL) --tag=CC \
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
+am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
@@ -109,25 +134,22 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
-IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
-LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
-LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
-LINUX_HEADERS = @LINUX_HEADERS@
 LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
 NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
@@ -139,11 +161,14 @@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
 PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
+RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
@@ -172,9 +197,9 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
-confdir = @confdir@
 datadir = @datadir@
 datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
@@ -197,7 +222,7 @@ ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
 libstrongswan_plugins = @libstrongswan_plugins@
-linuxdir = @linuxdir@
+linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
@@ -205,6 +230,7 @@ mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
@@ -213,10 +239,12 @@ pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+random_device = @random_device@
 resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
-simreader = @simreader@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
@@ -224,10 +252,14 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I${linuxdir} -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
-AM_CFLAGS = -rdynamic
+INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
+AM_CFLAGS = -rdynamic \
+-DROUTING_TABLE=${routing_table} \
+-DROUTING_TABLE_PRIO=${routing_table_prio}
+
 plugin_LTLIBRARIES = libstrongswan-kernel-netlink.la
 libstrongswan_kernel_netlink_la_SOURCES = kernel_netlink_plugin.h kernel_netlink_plugin.c \
 	kernel_netlink_ipsec.h kernel_netlink_ipsec.c kernel_netlink_net.h kernel_netlink_net.c \
@@ -247,9 +279,9 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/charon/plugins/kernel_netlink/Makefile'; \
-	cd $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu  src/charon/plugins/kernel_netlink/Makefile
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/charon/plugins/kernel_netlink/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/charon/plugins/kernel_netlink/Makefile
 .PRECIOUS: Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
@@ -267,23 +299,28 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
 	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
 	  if test -f $$p; then \
-	    f=$(am__strip_dir) \
-	    echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(plugindir)/$$f'"; \
-	    $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(plugindir)/$$f"; \
+	    list2="$$list2 $$p"; \
 	  else :; fi; \
-	done
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
 
 uninstall-pluginLTLIBRARIES:
 	@$(NORMAL_UNINSTALL)
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
-	  p=$(am__strip_dir) \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$p'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$p"; \
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
 	done
 
 clean-pluginLTLIBRARIES:
@@ -310,21 +347,21 @@ distclean-compile:
 
 .c.o:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c $<
 
 .c.obj:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
 @am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
@@ -347,7 +384,7 @@ tags: TAGS
 
 TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
+	set x; \
 	here=`pwd`; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
@@ -355,29 +392,34 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
 	  test -n "$$unique" || unique=$$empty_fix; \
-	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	    $$tags $$unique; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
 	fi
 ctags: CTAGS
 CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	test -z "$(CTAGS_ARGS)$$unique" \
 	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$tags $$unique
+	     $$unique
 
 GTAGS:
 	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && cd $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) $$here
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
 
 distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
@@ -398,13 +440,17 @@ distdir: $(DISTFILES)
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
 	  if test -d $$d/$$file; then \
 	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
 	    fi; \
-	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
 	  else \
-	    test -f $(distdir)/$$file \
-	    || cp -p $$d/$$file $(distdir)/$$file \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
 	    || exit 1; \
 	  fi; \
 	done
@@ -435,6 +481,7 @@ clean-generic:
 
 distclean-generic:
 	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -456,6 +503,8 @@ dvi-am:
 
 html: html-am
 
+html-am:
+
 info: info-am
 
 info-am:
@@ -464,18 +513,28 @@ install-data-am: install-pluginLTLIBRARIES
 
 install-dvi: install-dvi-am
 
+install-dvi-am:
+
 install-exec-am:
 
 install-html: install-html-am
 
+install-html-am:
+
 install-info: install-info-am
 
+install-info-am:
+
 install-man:
 
 install-pdf: install-pdf-am
 
+install-pdf-am:
+
 install-ps: install-ps-am
 
+install-ps-am:
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -514,6 +573,7 @@ uninstall-am: uninstall-pluginLTLIBRARIES
 	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
 	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
 
+
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c
index 2051316f6..850876b9d 100644
--- a/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -1,6 +1,6 @@
 /*
- * Copyright (C) 2006-2008 Tobias Brunner
- * Copyright (C) 2005-2008 Martin Willi
+ * Copyright (C) 2006-2009 Tobias Brunner
+ * Copyright (C) 2005-2009 Martin Willi
  * Copyright (C) 2008 Andreas Steffen
  * Copyright (C) 2006-2007 Fabian Hartmann, Noah Heusser
  * Copyright (C) 2006 Daniel Roethlisberger
@@ -20,23 +20,24 @@
 
 #include <sys/types.h>
 #include <sys/socket.h>
-#include <sys/time.h>
 #include <stdint.h>
 #include <linux/ipsec.h>
 #include <linux/netlink.h>
 #include <linux/rtnetlink.h>
 #include <linux/xfrm.h>
 #include <linux/udp.h>
-#include <pthread.h>
 #include <unistd.h>
+#include <time.h>
 #include <errno.h>
 #include <string.h>
+#include <fcntl.h>
 
 #include "kernel_netlink_ipsec.h"
 #include "kernel_netlink_shared.h"
 
 #include <daemon.h>
-#include <utils/mutex.h>
+#include <threading/thread.h>
+#include <threading/mutex.h>
 #include <utils/hashtable.h>
 #include <processing/jobs/callback_job.h>
 #include <processing/jobs/acquire_job.h>
@@ -51,27 +52,32 @@
 #endif
 
 /** from linux/in.h */
-#ifndef IP_IPSEC_POLICY
-#define IP_IPSEC_POLICY 16
+#ifndef IP_XFRM_POLICY
+#define IP_XFRM_POLICY 17
 #endif
 
 /* missing on uclibc */
-#ifndef IPV6_IPSEC_POLICY
-#define IPV6_IPSEC_POLICY 34
-#endif /*IPV6_IPSEC_POLICY*/
+#ifndef IPV6_XFRM_POLICY
+#define IPV6_XFRM_POLICY 34
+#endif /*IPV6_XFRM_POLICY*/
 
 /** default priority of installed policies */
 #define PRIO_LOW 3000
 #define PRIO_HIGH 2000
 
+/**
+ * map the limit for bytes and packets to XFRM_INF per default
+ */
+#define XFRM_LIMIT(x) ((x) == 0 ? XFRM_INF : (x))
+
 /**
  * Create ORable bitfield of XFRM NL groups
  */
 #define XFRMNLGRP(x) (1<<(XFRMNLGRP_##x-1))
 
 /**
- * returns a pointer to the first rtattr following the nlmsghdr *nlh and the 
- * 'usual' netlink data x like 'struct xfrm_usersa_info' 
+ * returns a pointer to the first rtattr following the nlmsghdr *nlh and the
+ * 'usual' netlink data x like 'struct xfrm_usersa_info'
  */
 #define XFRM_RTA(nlh, x) ((struct rtattr*)(NLMSG_DATA(nlh) + NLMSG_ALIGN(sizeof(x))))
 /**
@@ -80,8 +86,8 @@
  */
 #define XFRM_RTA_NEXT(rta) ((struct rtattr*)(((char*)(rta)) + RTA_ALIGN((rta)->rta_len)))
 /**
- * returns the total size of attached rta data 
- * (after 'usual' netlink data x like 'struct xfrm_usersa_info') 
+ * returns the total size of attached rta data
+ * (after 'usual' netlink data x like 'struct xfrm_usersa_info')
  */
 #define XFRM_PAYLOAD(nlh, x) NLMSG_PAYLOAD(nlh, sizeof(x))
 
@@ -95,7 +101,7 @@ struct kernel_algorithm_t {
 	 * Identifier specified in IKEv2
 	 */
 	int ikev2;
-		
+
 	/**
 	 * Name of the algorithm in linux crypto API
 	 */
@@ -157,18 +163,18 @@ ENUM(xfrm_attr_type_names, XFRMA_UNSPEC, XFRMA_KMADDRESS,
  * Algorithms for encryption
  */
 static kernel_algorithm_t encryption_algs[] = {
-/*	{ENCR_DES_IV64, 			"***"				}, */
-	{ENCR_DES, 					"des" 				},
-	{ENCR_3DES, 				"des3_ede"			},
-/*	{ENCR_RC5, 					"***" 				}, */
-/*	{ENCR_IDEA, 				"***"				}, */
-	{ENCR_CAST, 				"cast128"			},
-	{ENCR_BLOWFISH, 			"blowfish"			},
-/*	{ENCR_3IDEA, 				"***"				}, */
-/*	{ENCR_DES_IV32, 			"***"				}, */
-	{ENCR_NULL, 				"cipher_null"		},
-	{ENCR_AES_CBC,	 			"aes"				},
-	{ENCR_AES_CTR, 				"rfc3686(ctr(aes))"	},
+/*	{ENCR_DES_IV64,				"***"				}, */
+	{ENCR_DES,					"des"				},
+	{ENCR_3DES,					"des3_ede"			},
+/*	{ENCR_RC5,					"***"				}, */
+/*	{ENCR_IDEA,					"***"				}, */
+	{ENCR_CAST,					"cast128"			},
+	{ENCR_BLOWFISH,				"blowfish"			},
+/*	{ENCR_3IDEA,				"***"				}, */
+/*	{ENCR_DES_IV32,				"***"				}, */
+	{ENCR_NULL,					"cipher_null"		},
+	{ENCR_AES_CBC,				"aes"				},
+	{ENCR_AES_CTR,				"rfc3686(ctr(aes))"	},
 	{ENCR_AES_CCM_ICV8,			"rfc4309(ccm(aes))"	},
 	{ENCR_AES_CCM_ICV12,		"rfc4309(ccm(aes))"	},
 	{ENCR_AES_CCM_ICV16,		"rfc4309(ccm(aes))"	},
@@ -181,33 +187,34 @@ static kernel_algorithm_t encryption_algs[] = {
 /*	{ENCR_CAMELLIA_CCM_ICV8,	"***"				}, */
 /*	{ENCR_CAMELLIA_CCM_ICV12,	"***"				}, */
 /*	{ENCR_CAMELLIA_CCM_ICV16,	"***"				}, */
-	{END_OF_LIST, 				NULL				}
+	{END_OF_LIST,				NULL				}
 };
 
 /**
  * Algorithms for integrity protection
  */
 static kernel_algorithm_t integrity_algs[] = {
-	{AUTH_HMAC_MD5_96, 			"md5"				},
+	{AUTH_HMAC_MD5_96,			"md5"				},
 	{AUTH_HMAC_SHA1_96,			"sha1"				},
-	{AUTH_HMAC_SHA2_256_128,	"sha256"			},
-	{AUTH_HMAC_SHA2_384_192,	"sha384"			},
-	{AUTH_HMAC_SHA2_512_256,	"sha512"			},
+	{AUTH_HMAC_SHA2_256_96,		"sha256"			},
+	{AUTH_HMAC_SHA2_256_128,	"hmac(sha256)"		},
+	{AUTH_HMAC_SHA2_384_192,	"hmac(sha384)"		},
+	{AUTH_HMAC_SHA2_512_256,	"hmac(sha512)"		},
 /*	{AUTH_DES_MAC,				"***"				}, */
 /*	{AUTH_KPDK_MD5,				"***"				}, */
 	{AUTH_AES_XCBC_96,			"xcbc(aes)"			},
-	{END_OF_LIST, 				NULL				}
+	{END_OF_LIST,				NULL				}
 };
 
 /**
  * Algorithms for IPComp
  */
 static kernel_algorithm_t compression_algs[] = {
-/*	{IPCOMP_OUI, 				"***"				}, */
+/*	{IPCOMP_OUI,				"***"				}, */
 	{IPCOMP_DEFLATE,			"deflate"			},
 	{IPCOMP_LZS,				"lzs"				},
 	{IPCOMP_LZJH,				"lzjh"				},
-	{END_OF_LIST, 				NULL				}
+	{END_OF_LIST,				NULL				}
 };
 
 /**
@@ -234,10 +241,10 @@ typedef struct route_entry_t route_entry_t;
 struct route_entry_t {
 	/** Name of the interface the route is bound to */
 	char *if_name;
-	
+
 	/** Source ip of the route */
 	host_t *src_ip;
-	
+
 	/** gateway for this route */
 	host_t *gateway;
 
@@ -255,7 +262,7 @@ static void route_entry_destroy(route_entry_t *this)
 {
 	free(this->if_name);
 	this->src_ip->destroy(this->src_ip);
-	this->gateway->destroy(this->gateway);
+	DESTROY_IF(this->gateway);
 	chunk_free(&this->dst_net);
 	free(this);
 }
@@ -266,16 +273,16 @@ typedef struct policy_entry_t policy_entry_t;
  * installed kernel policy.
  */
 struct policy_entry_t {
-	
+
 	/** direction of this policy: in, out, forward */
 	u_int8_t direction;
-	
+
 	/** parameters of installed policy */
 	struct xfrm_selector sel;
-	
+
 	/** associated route installed for this policy */
 	route_entry_t *route;
-	
+
 	/** by how many CHILD_SA's this policy is used */
 	u_int refcount;
 };
@@ -308,32 +315,32 @@ struct private_kernel_netlink_ipsec_t {
 	 * Public part of the kernel_netlink_t object.
 	 */
 	kernel_netlink_ipsec_t public;
-	
+
 	/**
 	 * mutex to lock access to various lists
 	 */
 	mutex_t *mutex;
-	
+
 	/**
 	 * Hash table of installed policies (policy_entry_t)
 	 */
 	hashtable_t *policies;
-		 
+
 	/**
 	 * job receiving netlink events
 	 */
 	callback_job_t *job;
-	
+
 	/**
 	 * Netlink xfrm socket (IPsec)
 	 */
 	netlink_socket_t *socket_xfrm;
-	
+
 	/**
 	 * netlink xfrm socket to receive acquire and expire events
 	 */
 	int socket_xfrm_events;
-	
+
 	/**
 	 * whether to install routes along policies
 	 */
@@ -396,7 +403,7 @@ static u_int8_t mode2kernel(ipsec_mode_t mode)
 static void host2xfrm(host_t *host, xfrm_address_t *xfrm)
 {
 	chunk_t chunk = host->get_address(host);
-	memcpy(xfrm, chunk.ptr, min(chunk.len, sizeof(xfrm_address_t)));	
+	memcpy(xfrm, chunk.ptr, min(chunk.len, sizeof(xfrm_address_t)));
 }
 
 /**
@@ -405,7 +412,7 @@ static void host2xfrm(host_t *host, xfrm_address_t *xfrm)
 static host_t* xfrm2host(int family, xfrm_address_t *xfrm, u_int16_t port)
 {
 	chunk_t chunk;
-	
+
 	switch (family)
 	{
 		case AF_INET:
@@ -423,12 +430,12 @@ static host_t* xfrm2host(int family, xfrm_address_t *xfrm, u_int16_t port)
 /**
  * convert a traffic selector address range to subnet and its mask.
  */
-static void ts2subnet(traffic_selector_t* ts, 
+static void ts2subnet(traffic_selector_t* ts,
 					  xfrm_address_t *net, u_int8_t *mask)
 {
 	host_t *net_host;
 	chunk_t net_chunk;
-	
+
 	ts->to_subnet(ts, &net_host, mask);
 	net_chunk = net_host->get_address(net_host);
 	memcpy(net, net_chunk.ptr, net_chunk.len);
@@ -438,7 +445,7 @@ static void ts2subnet(traffic_selector_t* ts,
 /**
  * convert a traffic selector port range to port/portmask
  */
-static void ts2ports(traffic_selector_t* ts, 
+static void ts2ports(traffic_selector_t* ts,
 					 u_int16_t *port, u_int16_t *mask)
 {
 	/* linux does not seem to accept complex portmasks. Only
@@ -446,10 +453,10 @@ static void ts2ports(traffic_selector_t* ts,
 	 * a port range, or to a specific, if we have one port only.
 	 */
 	u_int16_t from, to;
-	
+
 	from = ts->get_from_port(ts);
 	to = ts->get_to_port(ts);
-	
+
 	if (from == to)
 	{
 		*port = htons(from);
@@ -465,7 +472,7 @@ static void ts2ports(traffic_selector_t* ts,
 /**
  * convert a pair of traffic_selectors to a xfrm_selector
  */
-static struct xfrm_selector ts2selector(traffic_selector_t *src, 
+static struct xfrm_selector ts2selector(traffic_selector_t *src,
 										traffic_selector_t *dst)
 {
 	struct xfrm_selector sel;
@@ -480,12 +487,12 @@ static struct xfrm_selector ts2selector(traffic_selector_t *src,
 	ts2ports(src, &sel.sport, &sel.sport_mask);
 	sel.ifindex = 0;
 	sel.user = 0;
-	
+
 	return sel;
 }
 
 /**
- * convert a xfrm_selector to a src|dst traffic_selector 
+ * convert a xfrm_selector to a src|dst traffic_selector
  */
 static traffic_selector_t* selector2ts(struct xfrm_selector *sel, bool src)
 {
@@ -493,7 +500,7 @@ static traffic_selector_t* selector2ts(struct xfrm_selector *sel, bool src)
 	u_int8_t prefixlen;
 	u_int16_t port = 0;
 	host_t *host = NULL;
-	
+
 	if (src)
 	{
 		addr = (u_char*)&sel->saddr;
@@ -512,9 +519,9 @@ static traffic_selector_t* selector2ts(struct xfrm_selector *sel, bool src)
 			port = htons(sel->dport);
 		}
 	}
-	
+
 	/* The Linux 2.6 kernel does not set the selector's family field,
-	 * so as a kludge we additionally test the prefix length. 
+	 * so as a kludge we additionally test the prefix length.
 	 */
 	if (sel->family == AF_INET || sel->prefixlen_s == 32)
 	{
@@ -524,7 +531,7 @@ static traffic_selector_t* selector2ts(struct xfrm_selector *sel, bool src)
 	{
 		host = host_create_from_chunk(AF_INET6, chunk_create(addr, 16), 0);
 	}
-	
+
 	if (host)
 	{
 		return traffic_selector_create_from_subnet(host, prefixlen,
@@ -545,7 +552,7 @@ static void process_acquire(private_kernel_netlink_ipsec_t *this, struct nlmsghd
 	struct rtattr *rta;
 	size_t rtasize;
 	job_t *job;
-	
+
 	acquire = (struct xfrm_user_acquire*)NLMSG_DATA(hdr);
 	rta = XFRM_RTA(hdr, struct xfrm_user_acquire);
 	rtasize = XFRM_PAYLOAD(hdr, struct xfrm_user_acquire);
@@ -593,21 +600,21 @@ static void process_expire(private_kernel_netlink_ipsec_t *this, struct nlmsghdr
 	protocol_id_t protocol;
 	u_int32_t spi, reqid;
 	struct xfrm_user_expire *expire;
-	
+
 	expire = (struct xfrm_user_expire*)NLMSG_DATA(hdr);
 	protocol = proto_kernel2ike(expire->state.id.proto);
 	spi = expire->state.id.spi;
 	reqid = expire->state.reqid;
-	
+
 	DBG2(DBG_KNL, "received a XFRM_MSG_EXPIRE");
-	
+
 	if (protocol != PROTO_ESP && protocol != PROTO_AH)
 	{
 		DBG2(DBG_KNL, "ignoring XFRM_MSG_EXPIRE for SA with SPI %.8x and reqid {%u} "
 					  "which is not a CHILD_SA", ntohl(spi), reqid);
 		return;
 	}
-	
+
 	DBG1(DBG_KNL, "creating %s job for %N CHILD_SA with SPI %.8x and reqid {%d}",
 		 expire->hard ? "delete" : "rekey",  protocol_id_names,
 		 protocol, ntohl(spi), reqid);
@@ -643,7 +650,7 @@ static void process_migrate(private_kernel_netlink_ipsec_t *this, struct nlmsghd
 	rtasize = XFRM_PAYLOAD(hdr, struct xfrm_userpolicy_id);
 
 	DBG2(DBG_KNL, "received a XFRM_MSG_MIGRATE");
-	
+
 	src_ts = selector2ts(&policy_id->sel, TRUE);
 	dst_ts = selector2ts(&policy_id->sel, FALSE);
 	dir = (policy_dir_t)policy_id->dir;
@@ -712,13 +719,13 @@ static void process_mapping(private_kernel_netlink_ipsec_t *this,
 	u_int32_t spi, reqid;
 	struct xfrm_user_mapping *mapping;
 	host_t *host;
-	
+
 	mapping = (struct xfrm_user_mapping*)NLMSG_DATA(hdr);
 	spi = mapping->id.spi;
 	reqid = mapping->reqid;
-	
+
 	DBG2(DBG_KNL, "received a XFRM_MSG_MAPPING");
-	
+
 	if (proto_kernel2ike(mapping->id.proto) == PROTO_ESP)
 	{
 		host = xfrm2host(mapping->id.family, &mapping->new_saddr,
@@ -742,13 +749,14 @@ static job_requeue_t receive_events(private_kernel_netlink_ipsec_t *this)
 	struct nlmsghdr *hdr = (struct nlmsghdr*)response;
 	struct sockaddr_nl addr;
 	socklen_t addr_len = sizeof(addr);
-	int len, oldstate;
+	int len;
+	bool oldstate;
 
-	pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
+	oldstate = thread_cancelability(TRUE);
 	len = recvfrom(this->socket_xfrm_events, response, sizeof(response), 0,
 				   (struct sockaddr*)&addr, &addr_len);
-	pthread_setcancelstate(oldstate, NULL);
-	
+	thread_cancelability(oldstate);
+
 	if (len < 0)
 	{
 		switch (errno)
@@ -765,12 +773,12 @@ static job_requeue_t receive_events(private_kernel_netlink_ipsec_t *this)
 				return JOB_REQUEUE_FAIR;
 		}
 	}
-	
+
 	if (addr.nl_pid != 0)
 	{	/* not from kernel. not interested, try another one */
 		return JOB_REQUEUE_DIRECT;
 	}
-	
+
 	while (NLMSG_OK(hdr, len))
 	{
 		switch (hdr->nlmsg_type)
@@ -788,6 +796,7 @@ static job_requeue_t receive_events(private_kernel_netlink_ipsec_t *this)
 				process_mapping(this, hdr);
 				break;
 			default:
+				DBG1(DBG_KNL, "received unknown event from xfrm event socket: %d", hdr->nlmsg_type);
 				break;
 		}
 		hdr = NLMSG_NEXT(hdr, len);
@@ -807,9 +816,9 @@ static status_t get_spi_internal(private_kernel_netlink_ipsec_t *this,
 	struct xfrm_userspi_info *userspi;
 	u_int32_t received_spi = 0;
 	size_t len;
-	
+
 	memset(&request, 0, sizeof(request));
-	
+
 	hdr = (struct nlmsghdr*)request;
 	hdr->nlmsg_flags = NLM_F_REQUEST;
 	hdr->nlmsg_type = XFRM_MSG_ALLOCSPI;
@@ -824,7 +833,7 @@ static status_t get_spi_internal(private_kernel_netlink_ipsec_t *this,
 	userspi->info.family = src->get_family(src);
 	userspi->min = min;
 	userspi->max = max;
-	
+
 	if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
 	{
 		hdr = out;
@@ -841,7 +850,7 @@ static status_t get_spi_internal(private_kernel_netlink_ipsec_t *this,
 				case NLMSG_ERROR:
 				{
 					struct nlmsgerr *err = NLMSG_DATA(hdr);
-					
+
 					DBG1(DBG_KNL, "allocating SPI failed: %s (%d)",
 						 strerror(-err->error), -err->error);
 					break;
@@ -856,12 +865,12 @@ static status_t get_spi_internal(private_kernel_netlink_ipsec_t *this,
 		}
 		free(out);
 	}
-	
+
 	if (received_spi == 0)
 	{
 		return FAILED;
 	}
-	
+
 	*spi = received_spi;
 	return SUCCESS;
 }
@@ -869,47 +878,47 @@ static status_t get_spi_internal(private_kernel_netlink_ipsec_t *this,
 /**
  * Implementation of kernel_interface_t.get_spi.
  */
-static status_t get_spi(private_kernel_netlink_ipsec_t *this, 
-						host_t *src, host_t *dst, 
+static status_t get_spi(private_kernel_netlink_ipsec_t *this,
+						host_t *src, host_t *dst,
 						protocol_id_t protocol, u_int32_t reqid,
 						u_int32_t *spi)
 {
 	DBG2(DBG_KNL, "getting SPI for reqid {%u}", reqid);
-	
+
 	if (get_spi_internal(this, src, dst, proto_ike2kernel(protocol),
 			0xc0000000, 0xcFFFFFFF, reqid, spi) != SUCCESS)
 	{
 		DBG1(DBG_KNL, "unable to get SPI for reqid {%u}", reqid);
 		return FAILED;
 	}
-	
+
 	DBG2(DBG_KNL, "got SPI %.8x for reqid {%u}", ntohl(*spi), reqid);
-	
+
 	return SUCCESS;
 }
 
 /**
  * Implementation of kernel_interface_t.get_cpi.
  */
-static status_t get_cpi(private_kernel_netlink_ipsec_t *this, 
-						host_t *src, host_t *dst, 
+static status_t get_cpi(private_kernel_netlink_ipsec_t *this,
+						host_t *src, host_t *dst,
 						u_int32_t reqid, u_int16_t *cpi)
 {
 	u_int32_t received_spi = 0;
 
 	DBG2(DBG_KNL, "getting CPI for reqid {%u}", reqid);
-	
+
 	if (get_spi_internal(this, src, dst,
 			IPPROTO_COMP, 0x100, 0xEFFF, reqid, &received_spi) != SUCCESS)
 	{
 		DBG1(DBG_KNL, "unable to get CPI for reqid {%u}", reqid);
 		return FAILED;
 	}
-	
+
 	*cpi = htons((u_int16_t)ntohl(received_spi));
-	
+
 	DBG2(DBG_KNL, "got CPI %.4x for reqid {%u}", ntohs(*cpi), reqid);
-	
+
 	return SUCCESS;
 }
 
@@ -919,38 +928,42 @@ static status_t get_cpi(private_kernel_netlink_ipsec_t *this,
 static status_t add_sa(private_kernel_netlink_ipsec_t *this,
 					   host_t *src, host_t *dst, u_int32_t spi,
 					   protocol_id_t protocol, u_int32_t reqid,
-					   u_int64_t expire_soft, u_int64_t expire_hard,
+					   lifetime_cfg_t *lifetime,
 					   u_int16_t enc_alg, chunk_t enc_key,
 					   u_int16_t int_alg, chunk_t int_key,
 					   ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
-					   bool encap, bool inbound)
+					   bool encap, bool inbound,
+					   traffic_selector_t* src_ts, traffic_selector_t* dst_ts)
 {
 	netlink_buf_t request;
 	char *alg_name;
 	struct nlmsghdr *hdr;
 	struct xfrm_usersa_info *sa;
-	u_int16_t icv_size = 64;	
-	
+	u_int16_t icv_size = 64;
+
 	/* if IPComp is used, we install an additional IPComp SA. if the cpi is 0
 	 * we are in the recursive call below */
 	if (ipcomp != IPCOMP_NONE && cpi != 0)
 	{
-		add_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, reqid, 0, 0,
- 			   ENCR_UNDEFINED, chunk_empty, AUTH_UNDEFINED, chunk_empty,
- 			   mode, ipcomp, 0, FALSE, inbound);
+		lifetime_cfg_t lft = {{0,0,0},{0,0,0},{0,0,0}};
+		add_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, reqid, &lft,
+			   ENCR_UNDEFINED, chunk_empty, AUTH_UNDEFINED, chunk_empty,
+			   mode, ipcomp, 0, FALSE, inbound, NULL, NULL);
 		ipcomp = IPCOMP_NONE;
+		/* use transport mode ESP SA, IPComp uses tunnel mode */
+		mode = MODE_TRANSPORT;
 	}
-	
+
 	memset(&request, 0, sizeof(request));
-	
+
 	DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%u}",
 		 ntohl(spi), reqid);
-	
+
 	hdr = (struct nlmsghdr*)request;
 	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
 	hdr->nlmsg_type = inbound ? XFRM_MSG_UPDSA : XFRM_MSG_NEWSA;
 	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
-	
+
 	sa = (struct xfrm_usersa_info*)NLMSG_DATA(hdr);
 	host2xfrm(src, &sa->saddr);
 	host2xfrm(dst, &sa->id.daddr);
@@ -958,25 +971,35 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this,
 	sa->id.proto = proto_ike2kernel(protocol);
 	sa->family = src->get_family(src);
 	sa->mode = mode2kernel(mode);
-	if (mode == MODE_TUNNEL)
+	switch (mode)
 	{
-		sa->flags |= XFRM_STATE_AF_UNSPEC;
+		case MODE_TUNNEL:
+			sa->flags |= XFRM_STATE_AF_UNSPEC;
+			break;
+		case MODE_BEET:
+			if(src_ts && dst_ts)
+			{
+				sa->sel = ts2selector(src_ts, dst_ts);
+			}
+			break;
+		default:
+			break;
 	}
+
 	sa->replay_window = (protocol == IPPROTO_COMP) ? 0 : 32;
 	sa->reqid = reqid;
-	/* we currently do not expire SAs by volume/packet count */
-	sa->lft.soft_byte_limit = XFRM_INF;
-	sa->lft.hard_byte_limit = XFRM_INF;
-	sa->lft.soft_packet_limit = XFRM_INF;
-	sa->lft.hard_packet_limit = XFRM_INF;
+	sa->lft.soft_byte_limit = XFRM_LIMIT(lifetime->bytes.rekey);
+	sa->lft.hard_byte_limit = XFRM_LIMIT(lifetime->bytes.life);
+	sa->lft.soft_packet_limit = XFRM_LIMIT(lifetime->packets.rekey);
+	sa->lft.hard_packet_limit = XFRM_LIMIT(lifetime->packets.life);
 	/* we use lifetimes since added, not since used */
-	sa->lft.soft_add_expires_seconds = expire_soft;
-	sa->lft.hard_add_expires_seconds = expire_hard;
+	sa->lft.soft_add_expires_seconds = lifetime->time.rekey;
+	sa->lft.hard_add_expires_seconds = lifetime->time.life;
 	sa->lft.soft_use_expires_seconds = 0;
 	sa->lft.hard_use_expires_seconds = 0;
-	
+
 	struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_usersa_info);
-	
+
 	switch (enc_alg)
 	{
 		case ENCR_UNDEFINED:
@@ -1007,7 +1030,7 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this,
 			}
 			DBG2(DBG_KNL, "  using encryption algorithm %N with key size %d",
 				 encryption_algorithm_names, enc_alg, enc_key.len * 8);
-			
+
 			rthdr->rta_type = XFRMA_ALG_AEAD;
 			rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo_aead) + enc_key.len);
 			hdr->nlmsg_len += rthdr->rta_len;
@@ -1015,13 +1038,13 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this,
 			{
 				return FAILED;
 			}
-			
+
 			algo = (struct xfrm_algo_aead*)RTA_DATA(rthdr);
 			algo->alg_key_len = enc_key.len * 8;
 			algo->alg_icv_len = icv_size;
 			strcpy(algo->alg_name, alg_name);
 			memcpy(algo->alg_key, enc_key.ptr, enc_key.len);
-			
+
 			rthdr = XFRM_RTA_NEXT(rthdr);
 			break;
 		}
@@ -1038,7 +1061,7 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this,
 			}
 			DBG2(DBG_KNL, "  using encryption algorithm %N with key size %d",
 				 encryption_algorithm_names, enc_alg, enc_key.len * 8);
-			
+
 			rthdr->rta_type = XFRMA_ALG_CRYPT;
 			rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + enc_key.len);
 			hdr->nlmsg_len += rthdr->rta_len;
@@ -1046,71 +1069,97 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this,
 			{
 				return FAILED;
 			}
-			
+
 			algo = (struct xfrm_algo*)RTA_DATA(rthdr);
 			algo->alg_key_len = enc_key.len * 8;
 			strcpy(algo->alg_name, alg_name);
 			memcpy(algo->alg_key, enc_key.ptr, enc_key.len);
-			
+
 			rthdr = XFRM_RTA_NEXT(rthdr);
 		}
 	}
-		
+
 	if (int_alg  != AUTH_UNDEFINED)
 	{
-		rthdr->rta_type = XFRMA_ALG_AUTH;
 		alg_name = lookup_algorithm(integrity_algs, int_alg);
 		if (alg_name == NULL)
 		{
-			DBG1(DBG_KNL, "algorithm %N not supported by kernel!", 
+			DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
 				 integrity_algorithm_names, int_alg);
 			return FAILED;
 		}
 		DBG2(DBG_KNL, "  using integrity algorithm %N with key size %d",
 			 integrity_algorithm_names, int_alg, int_key.len * 8);
-		
-		rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + int_key.len);
-		hdr->nlmsg_len += rthdr->rta_len;
-		if (hdr->nlmsg_len > sizeof(request))
+
+		if (int_alg == AUTH_HMAC_SHA2_256_128)
 		{
-			return FAILED;
+			struct xfrm_algo_auth* algo;
+
+			/* the kernel uses SHA256 with 96 bit truncation by default,
+			 * use specified truncation size supported by newer kernels */
+			rthdr->rta_type = XFRMA_ALG_AUTH_TRUNC;
+			rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo_auth) + int_key.len);
+
+			hdr->nlmsg_len += rthdr->rta_len;
+			if (hdr->nlmsg_len > sizeof(request))
+			{
+				return FAILED;
+			}
+
+			algo = (struct xfrm_algo_auth*)RTA_DATA(rthdr);
+			algo->alg_key_len = int_key.len * 8;
+			algo->alg_trunc_len = 128;
+			strcpy(algo->alg_name, alg_name);
+			memcpy(algo->alg_key, int_key.ptr, int_key.len);
+		}
+		else
+		{
+			struct xfrm_algo* algo;
+
+			rthdr->rta_type = XFRMA_ALG_AUTH;
+			rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + int_key.len);
+
+			hdr->nlmsg_len += rthdr->rta_len;
+			if (hdr->nlmsg_len > sizeof(request))
+			{
+				return FAILED;
+			}
+
+			algo = (struct xfrm_algo*)RTA_DATA(rthdr);
+			algo->alg_key_len = int_key.len * 8;
+			strcpy(algo->alg_name, alg_name);
+			memcpy(algo->alg_key, int_key.ptr, int_key.len);
 		}
-		
-		struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
-		algo->alg_key_len = int_key.len * 8;
-		strcpy(algo->alg_name, alg_name);
-		memcpy(algo->alg_key, int_key.ptr, int_key.len);
-		
 		rthdr = XFRM_RTA_NEXT(rthdr);
 	}
-	
+
 	if (ipcomp != IPCOMP_NONE)
 	{
 		rthdr->rta_type = XFRMA_ALG_COMP;
 		alg_name = lookup_algorithm(compression_algs, ipcomp);
 		if (alg_name == NULL)
 		{
-			DBG1(DBG_KNL, "algorithm %N not supported by kernel!", 
+			DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
 				 ipcomp_transform_names, ipcomp);
 			return FAILED;
 		}
 		DBG2(DBG_KNL, "  using compression algorithm %N",
 			 ipcomp_transform_names, ipcomp);
-		
+
 		rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo));
 		hdr->nlmsg_len += rthdr->rta_len;
 		if (hdr->nlmsg_len > sizeof(request))
 		{
 			return FAILED;
 		}
-		
+
 		struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
 		algo->alg_key_len = 0;
 		strcpy(algo->alg_name, alg_name);
-		
+
 		rthdr = XFRM_RTA_NEXT(rthdr);
 	}
-	
+
 	if (encap)
 	{
 		rthdr->rta_type = XFRMA_ENCAP;
@@ -1127,13 +1176,13 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this,
 		tmpl->encap_sport = htons(src->get_port(src));
 		tmpl->encap_dport = htons(dst->get_port(dst));
 		memset(&tmpl->encap_oa, 0, sizeof (xfrm_address_t));
-		/* encap_oa could probably be derived from the 
-		 * traffic selectors [rfc4306, p39]. In the netlink kernel implementation 
-		 * pluto does the same as we do here but it uses encap_oa in the 
-		 * pfkey implementation. BUT as /usr/src/linux/net/key/af_key.c indicates 
+		/* encap_oa could probably be derived from the
+		 * traffic selectors [rfc4306, p39]. In the netlink kernel implementation
+		 * pluto does the same as we do here but it uses encap_oa in the
+		 * pfkey implementation. BUT as /usr/src/linux/net/key/af_key.c indicates
 		 * the kernel ignores it anyway
 		 *   -> does that mean that NAT-T encap doesn't work in transport mode?
-		 * No. The reason the kernel ignores NAT-OA is that it recomputes 
+		 * No. The reason the kernel ignores NAT-OA is that it recomputes
 		 * (or, rather, just ignores) the checksum. If packets pass
 		 * the IPsec checks it marks them "checksum ok" so OA isn't needed. */
 		rthdr = XFRM_RTA_NEXT(rthdr);
@@ -1160,24 +1209,24 @@ static status_t get_replay_state(private_kernel_netlink_ipsec_t *this,
 	size_t len;
 	struct rtattr *rta;
 	size_t rtasize;
-	
+
 	memset(&request, 0, sizeof(request));
-	
+
 	DBG2(DBG_KNL, "querying replay state from SAD entry with SPI %.8x", ntohl(spi));
 
 	hdr = (struct nlmsghdr*)request;
 	hdr->nlmsg_flags = NLM_F_REQUEST;
 	hdr->nlmsg_type = XFRM_MSG_GETAE;
 	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_aevent_id));
-	
+
 	aevent_id = (struct xfrm_aevent_id*)NLMSG_DATA(hdr);
 	aevent_id->flags = XFRM_AE_RVAL;
-	
+
 	host2xfrm(dst, &aevent_id->sa_id.daddr);
 	aevent_id->sa_id.spi = spi;
 	aevent_id->sa_id.proto = proto_ike2kernel(protocol);
 	aevent_id->sa_id.family = dst->get_family(dst);
-	
+
 	if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
 	{
 		hdr = out;
@@ -1206,7 +1255,7 @@ static status_t get_replay_state(private_kernel_netlink_ipsec_t *this,
 			break;
 		}
 	}
-	
+
 	if (out_aevent == NULL)
 	{
 		DBG1(DBG_KNL, "unable to query replay state from SAD entry with SPI %.8x",
@@ -1214,7 +1263,7 @@ static status_t get_replay_state(private_kernel_netlink_ipsec_t *this,
 		free(out);
 		return FAILED;
 	}
-	
+
 	rta = XFRM_RTA(out, struct xfrm_aevent_id);
 	rtasize = XFRM_PAYLOAD(out, struct xfrm_aevent_id);
 	while(RTA_OK(rta, rtasize))
@@ -1228,7 +1277,7 @@ static status_t get_replay_state(private_kernel_netlink_ipsec_t *this,
 		}
 		rta = RTA_NEXT(rta, rtasize);
 	}
-	
+
 	DBG1(DBG_KNL, "unable to query replay state from SAD entry with SPI %.8x",
 				  ntohl(spi));
 	free(out);
@@ -1247,7 +1296,7 @@ static status_t query_sa(private_kernel_netlink_ipsec_t *this, host_t *src,
 	struct xfrm_usersa_id *sa_id;
 	struct xfrm_usersa_info *sa = NULL;
 	size_t len;
-	
+
 	memset(&request, 0, sizeof(request));
 
 	DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi));
@@ -1262,7 +1311,7 @@ static status_t query_sa(private_kernel_netlink_ipsec_t *this, host_t *src,
 	sa_id->spi = spi;
 	sa_id->proto = proto_ike2kernel(protocol);
 	sa_id->family = dst->get_family(dst);
-	
+
 	if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
 	{
 		hdr = out;
@@ -1291,7 +1340,7 @@ static status_t query_sa(private_kernel_netlink_ipsec_t *this, host_t *src,
 			break;
 		}
 	}
-	
+
 	if (sa == NULL)
 	{
 		DBG2(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi));
@@ -1299,7 +1348,7 @@ static status_t query_sa(private_kernel_netlink_ipsec_t *this, host_t *src,
 		return FAILED;
 	}
 	*bytes = sa->curlft.bytes;
-	
+
 	free(out);
 	return SUCCESS;
 }
@@ -1313,28 +1362,28 @@ static status_t del_sa(private_kernel_netlink_ipsec_t *this, host_t *src,
 	netlink_buf_t request;
 	struct nlmsghdr *hdr;
 	struct xfrm_usersa_id *sa_id;
-	
+
 	/* if IPComp was used, we first delete the additional IPComp SA */
 	if (cpi)
 	{
 		del_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, 0);
 	}
-	
+
 	memset(&request, 0, sizeof(request));
-	
+
 	DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x", ntohl(spi));
-	
+
 	hdr = (struct nlmsghdr*)request;
 	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
 	hdr->nlmsg_type = XFRM_MSG_DELSA;
 	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
-	
+
 	sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
 	host2xfrm(dst, &sa_id->daddr);
 	sa_id->spi = spi;
 	sa_id->proto = proto_ike2kernel(protocol);
 	sa_id->family = dst->get_family(dst);
-	
+
 	if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
 	{
 		DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x", ntohl(spi));
@@ -1364,30 +1413,30 @@ static status_t update_sa(private_kernel_netlink_ipsec_t *this,
 	struct xfrm_encap_tmpl* tmpl = NULL;
 	bool got_replay_state = FALSE;
 	struct xfrm_replay_state replay;
-	
+
 	/* if IPComp is used, we first update the IPComp SA */
 	if (cpi)
 	{
 		update_sa(this, htonl(ntohs(cpi)), IPPROTO_COMP, 0,
 				  src, dst, new_src, new_dst, FALSE, FALSE);
 	}
-	
+
 	memset(&request, 0, sizeof(request));
-	
+
 	DBG2(DBG_KNL, "querying SAD entry with SPI %.8x for update", ntohl(spi));
-	
+
 	/* query the existing SA first */
 	hdr = (struct nlmsghdr*)request;
 	hdr->nlmsg_flags = NLM_F_REQUEST;
 	hdr->nlmsg_type = XFRM_MSG_GETSA;
 	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
-	
+
 	sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
 	host2xfrm(dst, &sa_id->daddr);
 	sa_id->spi = spi;
 	sa_id->proto = proto_ike2kernel(protocol);
 	sa_id->family = dst->get_family(dst);
-	
+
 	if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
 	{
 		hdr = out;
@@ -1422,13 +1471,13 @@ static status_t update_sa(private_kernel_netlink_ipsec_t *this,
 		free(out);
 		return FAILED;
 	}
-	
+
 	/* try to get the replay state */
 	if (get_replay_state(this, spi, protocol, dst, &replay) == SUCCESS)
 	{
 		got_replay_state = TRUE;
 	}
-	
+
 	/* delete the old SA (without affecting the IPComp SA) */
 	if (del_sa(this, src, dst, spi, protocol, 0) != SUCCESS)
 	{
@@ -1436,18 +1485,18 @@ static status_t update_sa(private_kernel_netlink_ipsec_t *this,
 		free(out);
 		return FAILED;
 	}
-	
+
 	DBG2(DBG_KNL, "updating SAD entry with SPI %.8x from %#H..%#H to %#H..%#H",
 		 ntohl(spi), src, dst, new_src, new_dst);
 	/* copy over the SA from out to request */
 	hdr = (struct nlmsghdr*)request;
 	memcpy(hdr, out, min(out->nlmsg_len, sizeof(request)));
-	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;	
+	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
 	hdr->nlmsg_type = XFRM_MSG_NEWSA;
 	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
 	sa = NLMSG_DATA(hdr);
 	sa->family = new_dst->get_family(new_dst);
-	
+
 	if (!src->ip_equals(src, new_src))
 	{
 		host2xfrm(new_src, &sa->saddr);
@@ -1456,7 +1505,7 @@ static status_t update_sa(private_kernel_netlink_ipsec_t *this,
 	{
 		host2xfrm(new_dst, &sa->id.daddr);
 	}
-	
+
 	rta = XFRM_RTA(out, struct xfrm_usersa_info);
 	rtasize = XFRM_PAYLOAD(out, struct xfrm_usersa_info);
 	pos = (u_char*)XFRM_RTA(hdr, struct xfrm_usersa_info);
@@ -1470,47 +1519,47 @@ static status_t update_sa(private_kernel_netlink_ipsec_t *this,
 				tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rta);
 				tmpl->encap_sport = ntohs(new_src->get_port(new_src));
 				tmpl->encap_dport = ntohs(new_dst->get_port(new_dst));
-			}	
+			}
 			memcpy(pos, rta, rta->rta_len);
 			pos += RTA_ALIGN(rta->rta_len);
 			hdr->nlmsg_len += RTA_ALIGN(rta->rta_len);
 		}
 		rta = RTA_NEXT(rta, rtasize);
 	}
-	
+
 	rta = (struct rtattr*)pos;
 	if (tmpl == NULL && new_encap)
 	{	/* add tmpl if we are enabling it */
 		rta->rta_type = XFRMA_ENCAP;
 		rta->rta_len = RTA_LENGTH(sizeof(struct xfrm_encap_tmpl));
-		
+
 		hdr->nlmsg_len += rta->rta_len;
 		if (hdr->nlmsg_len > sizeof(request))
 		{
 			return FAILED;
 		}
-		
+
 		tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rta);
 		tmpl->encap_type = UDP_ENCAP_ESPINUDP;
 		tmpl->encap_sport = ntohs(new_src->get_port(new_src));
 		tmpl->encap_dport = ntohs(new_dst->get_port(new_dst));
 		memset(&tmpl->encap_oa, 0, sizeof (xfrm_address_t));
-		
+
 		rta = XFRM_RTA_NEXT(rta);
 	}
-	
+
 	if (got_replay_state)
 	{	/* copy the replay data if available */
 		rta->rta_type = XFRMA_REPLAY_VAL;
 		rta->rta_len = RTA_LENGTH(sizeof(struct xfrm_replay_state));
-		
+
 		hdr->nlmsg_len += rta->rta_len;
 		if (hdr->nlmsg_len > sizeof(request))
 		{
 			return FAILED;
 		}
 		memcpy(RTA_DATA(rta), &replay, sizeof(replay));
-		
+
 		rta = XFRM_RTA_NEXT(rta);
 	}
 
@@ -1521,14 +1570,14 @@ static status_t update_sa(private_kernel_netlink_ipsec_t *this,
 		return FAILED;
 	}
 	free(out);
-	
+
 	return SUCCESS;
 }
 
 /**
  * Implementation of kernel_interface_t.add_policy.
  */
-static status_t add_policy(private_kernel_netlink_ipsec_t *this, 
+static status_t add_policy(private_kernel_netlink_ipsec_t *this,
 						   host_t *src, host_t *dst,
 						   traffic_selector_t *src_ts,
 						   traffic_selector_t *dst_ts,
@@ -1542,13 +1591,13 @@ static status_t add_policy(private_kernel_netlink_ipsec_t *this,
 	netlink_buf_t request;
 	struct xfrm_userpolicy_info *policy_info;
 	struct nlmsghdr *hdr;
-	
+
 	/* create a policy */
 	policy = malloc_thing(policy_entry_t);
 	memset(policy, 0, sizeof(policy_entry_t));
 	policy->sel = ts2selector(src_ts, dst_ts);
 	policy->direction = direction;
-	
+
 	/* find the policy, which matches EXACTLY */
 	this->mutex->lock(this->mutex);
 	current = this->policies->get(this->policies, policy);
@@ -1568,10 +1617,10 @@ static status_t add_policy(private_kernel_netlink_ipsec_t *this,
 		this->policies->put(this->policies, policy, policy);
 		policy->refcount = 1;
 	}
-	
+
 	DBG2(DBG_KNL, "adding policy %R === %R %N", src_ts, dst_ts,
 				   policy_dir_names, direction);
-	
+
 	memset(&request, 0, sizeof(request));
 	hdr = (struct nlmsghdr*)request;
 	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
@@ -1589,7 +1638,7 @@ static status_t add_policy(private_kernel_netlink_ipsec_t *this,
 	policy_info->action = XFRM_POLICY_ALLOW;
 	policy_info->share = XFRM_SHARE_ANY;
 	this->mutex->unlock(this->mutex);
-	
+
 	/* policies don't expire */
 	policy_info->lft.soft_byte_limit = XFRM_INF;
 	policy_info->lft.soft_packet_limit = XFRM_INF;
@@ -1599,19 +1648,19 @@ static status_t add_policy(private_kernel_netlink_ipsec_t *this,
 	policy_info->lft.hard_add_expires_seconds = 0;
 	policy_info->lft.soft_use_expires_seconds = 0;
 	policy_info->lft.hard_use_expires_seconds = 0;
-	
+
 	struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_userpolicy_info);
 	rthdr->rta_type = XFRMA_TMPL;
 	rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_user_tmpl));
-	
+
 	hdr->nlmsg_len += rthdr->rta_len;
 	if (hdr->nlmsg_len > sizeof(request))
 	{
 		return FAILED;
 	}
-	
+
 	struct xfrm_user_tmpl *tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rthdr);
-	
+
 	if (ipcomp != IPCOMP_NONE)
 	{
 		tmpl->reqid = reqid;
@@ -1620,10 +1669,10 @@ static status_t add_policy(private_kernel_netlink_ipsec_t *this,
 		tmpl->mode = mode2kernel(mode);
 		tmpl->optional = direction != POLICY_OUT;
 		tmpl->family = src->get_family(src);
-		
+
 		host2xfrm(src, &tmpl->saddr);
 		host2xfrm(dst, &tmpl->id.daddr);
-		
+
 		/* add an additional xfrm_user_tmpl */
 		rthdr->rta_len += RTA_LENGTH(sizeof(struct xfrm_user_tmpl));
 		hdr->nlmsg_len += RTA_LENGTH(sizeof(struct xfrm_user_tmpl));
@@ -1631,53 +1680,58 @@ static status_t add_policy(private_kernel_netlink_ipsec_t *this,
 		{
 			return FAILED;
 		}
-		
+
 		tmpl++;
+
+		/* use transport mode for ESP if we have a tunnel mode IPcomp SA */
+		mode = MODE_TRANSPORT;
+	}
+	else
+	{
+		/* when using IPcomp, only the IPcomp SA uses tmp src/dst addresses */
+		host2xfrm(src, &tmpl->saddr);
+		host2xfrm(dst, &tmpl->id.daddr);
 	}
-	
+
 	tmpl->reqid = reqid;
 	tmpl->id.proto = proto_ike2kernel(protocol);
 	tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
 	tmpl->mode = mode2kernel(mode);
 	tmpl->family = src->get_family(src);
-	
-	host2xfrm(src, &tmpl->saddr);
-	host2xfrm(dst, &tmpl->id.daddr);
-	
+
 	if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
 	{
 		DBG1(DBG_KNL, "unable to add policy %R === %R %N", src_ts, dst_ts,
 					   policy_dir_names, direction);
 		return FAILED;
 	}
-	
+
 	/* install a route, if:
 	 * - we are NOT updating a policy
 	 * - this is a forward policy (to just get one for each child)
-	 * - we are in tunnel mode
-	 * - we are not using IPv6 (does not work correctly yet!)
+	 * - we are in tunnel/BEET mode
 	 * - routing is not disabled via strongswan.conf
 	 */
 	if (policy->route == NULL && direction == POLICY_FWD &&
-		mode != MODE_TRANSPORT && src->get_family(src) != AF_INET6 &&
-		this->install_routes)
+		mode != MODE_TRANSPORT && this->install_routes)
 	{
 		route_entry_t *route = malloc_thing(route_entry_t);
-		
+
 		if (charon->kernel_interface->get_address_by_ts(charon->kernel_interface,
 				dst_ts, &route->src_ip) == SUCCESS)
 		{
 			/* get the nexthop to src (src as we are in POLICY_FWD).*/
 			route->gateway = charon->kernel_interface->get_nexthop(
-									charon->kernel_interface, src);
+												charon->kernel_interface, src);
+			/* install route via outgoing interface */
 			route->if_name = charon->kernel_interface->get_interface(
-									charon->kernel_interface, dst);
+												charon->kernel_interface, dst);
 			route->dst_net = chunk_alloc(policy->sel.family == AF_INET ? 4 : 16);
 			memcpy(route->dst_net.ptr, &policy->sel.saddr, route->dst_net.len);
 			route->prefixlen = policy->sel.prefixlen_s;
-			
+
 			if (route->if_name)
-			{			
+			{
 				switch (charon->kernel_interface->add_route(
 									charon->kernel_interface, route->dst_net,
 									route->prefixlen, route->gateway,
@@ -1714,7 +1768,7 @@ static status_t add_policy(private_kernel_netlink_ipsec_t *this,
  * Implementation of kernel_interface_t.query_policy.
  */
 static status_t query_policy(private_kernel_netlink_ipsec_t *this,
-							 traffic_selector_t *src_ts, 
+							 traffic_selector_t *src_ts,
 							 traffic_selector_t *dst_ts,
 							 policy_dir_t direction, u_int32_t *use_time)
 {
@@ -1723,9 +1777,9 @@ static status_t query_policy(private_kernel_netlink_ipsec_t *this,
 	struct xfrm_userpolicy_id *policy_id;
 	struct xfrm_userpolicy_info *policy = NULL;
 	size_t len;
-	
+
 	memset(&request, 0, sizeof(request));
-	
+
 	DBG2(DBG_KNL, "querying policy %R === %R %N", src_ts, dst_ts,
 				   policy_dir_names, direction);
 
@@ -1737,7 +1791,7 @@ static status_t query_policy(private_kernel_netlink_ipsec_t *this,
 	policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
 	policy_id->sel = ts2selector(src_ts, dst_ts);
 	policy_id->dir = direction;
-	
+
 	if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
 	{
 		hdr = out;
@@ -1766,7 +1820,7 @@ static status_t query_policy(private_kernel_netlink_ipsec_t *this,
 			break;
 		}
 	}
-	
+
 	if (policy == NULL)
 	{
 		DBG2(DBG_KNL, "unable to query policy %R === %R %N", src_ts, dst_ts,
@@ -1774,8 +1828,17 @@ static status_t query_policy(private_kernel_netlink_ipsec_t *this,
 		free(out);
 		return FAILED;
 	}
-	*use_time = (time_t)policy->curlft.use_time;
-	
+
+	if (policy->curlft.use_time)
+	{
+		/* we need the monotonic time, but the kernel returns system time. */
+		*use_time = time_monotonic(NULL) - (time(NULL) - policy->curlft.use_time);
+	}
+	else
+	{
+		*use_time = 0;
+	}
+
 	free(out);
 	return SUCCESS;
 }
@@ -1784,7 +1847,7 @@ static status_t query_policy(private_kernel_netlink_ipsec_t *this,
  * Implementation of kernel_interface_t.del_policy.
  */
 static status_t del_policy(private_kernel_netlink_ipsec_t *this,
-						   traffic_selector_t *src_ts, 
+						   traffic_selector_t *src_ts,
 						   traffic_selector_t *dst_ts,
 						   policy_dir_t direction, bool unrouted)
 {
@@ -1793,15 +1856,15 @@ static status_t del_policy(private_kernel_netlink_ipsec_t *this,
 	netlink_buf_t request;
 	struct nlmsghdr *hdr;
 	struct xfrm_userpolicy_id *policy_id;
-	
+
 	DBG2(DBG_KNL, "deleting policy %R === %R %N", src_ts, dst_ts,
 				   policy_dir_names, direction);
-	
+
 	/* create a policy */
 	memset(&policy, 0, sizeof(policy_entry_t));
 	policy.sel = ts2selector(src_ts, dst_ts);
 	policy.direction = direction;
-	
+
 	/* find the policy */
 	this->mutex->lock(this->mutex);
 	current = this->policies->get(this->policies, &policy);
@@ -1825,9 +1888,9 @@ static status_t del_policy(private_kernel_netlink_ipsec_t *this,
 					   dst_ts, policy_dir_names, direction);
 		return NOT_FOUND;
 	}
-	
+
 	memset(&request, 0, sizeof(request));
-	
+
 	hdr = (struct nlmsghdr*)request;
 	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
 	hdr->nlmsg_type = XFRM_MSG_DELPOLICY;
@@ -1836,10 +1899,10 @@ static status_t del_policy(private_kernel_netlink_ipsec_t *this,
 	policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
 	policy_id->sel = to_delete->sel;
 	policy_id->dir = direction;
-	
+
 	route = to_delete->route;
 	free(to_delete);
-	
+
 	if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
 	{
 		DBG1(DBG_KNL, "unable to delete policy %R === %R %N", src_ts, dst_ts,
@@ -1856,7 +1919,7 @@ static status_t del_policy(private_kernel_netlink_ipsec_t *this,
 			DBG1(DBG_KNL, "error uninstalling route installed with "
 						  "policy %R === %R %N", src_ts, dst_ts,
 						   policy_dir_names, direction);
-		}		
+		}
 		route_entry_destroy(route);
 	}
 	return SUCCESS;
@@ -1869,7 +1932,7 @@ static void destroy(private_kernel_netlink_ipsec_t *this)
 {
 	enumerator_t *enumerator;
 	policy_entry_t *policy;
-	
+
 	this->job->cancel(this->job);
 	close(this->socket_xfrm_events);
 	this->socket_xfrm->destroy(this->socket_xfrm);
@@ -1892,43 +1955,32 @@ static bool add_bypass_policies()
 	int fd, family, port;
 	enumerator_t *sockets;
 	bool status = TRUE;
-	
-	/* we open an AF_KEY socket to autoload the af_key module. Otherwise
-	 * setsockopt(IPSEC_POLICY) won't work. */
-	fd = socket(AF_KEY, SOCK_RAW, PF_KEY_V2);
-	if (fd == 0)
-	{
-		DBG1(DBG_KNL, "could not open AF_KEY socket");
-		return FALSE;
-	}
-	close(fd);
-	
+
 	sockets = charon->socket->create_enumerator(charon->socket);
 	while (sockets->enumerate(sockets, &fd, &family, &port))
 	{
-		struct sadb_x_policy policy;
+		struct xfrm_userpolicy_info policy;
 		u_int sol, ipsec_policy;
-		
+
 		switch (family)
 		{
 			case AF_INET:
 				sol = SOL_IP;
-				ipsec_policy = IP_IPSEC_POLICY;
+				ipsec_policy = IP_XFRM_POLICY;
 				break;
 			case AF_INET6:
 				sol = SOL_IPV6;
-				ipsec_policy = IPV6_IPSEC_POLICY;
+				ipsec_policy = IPV6_XFRM_POLICY;
 				break;
 			default:
 				continue;
 		}
-		
+
 		memset(&policy, 0, sizeof(policy));
-		policy.sadb_x_policy_len = sizeof(policy) / sizeof(u_int64_t);
-		policy.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
-		policy.sadb_x_policy_type = IPSEC_POLICY_BYPASS;
-	
-		policy.sadb_x_policy_dir = IPSEC_DIR_OUTBOUND;
+		policy.action = XFRM_POLICY_ALLOW;
+		policy.sel.family = family;
+
+		policy.dir = XFRM_POLICY_OUT;
 		if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
 		{
 			DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
@@ -1936,10 +1988,10 @@ static bool add_bypass_policies()
 			status = FALSE;
 			break;
 		}
-		policy.sadb_x_policy_dir = IPSEC_DIR_INBOUND;
+		policy.dir = XFRM_POLICY_IN;
 		if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
 		{
-			DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s", 
+			DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
 				 strerror(errno));
 			status = FALSE;
 			break;
@@ -1956,11 +2008,12 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create()
 {
 	private_kernel_netlink_ipsec_t *this = malloc_thing(private_kernel_netlink_ipsec_t);
 	struct sockaddr_nl addr;
-	
+	int fd;
+
 	/* public functions */
 	this->public.interface.get_spi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,protocol_id_t,u_int32_t,u_int32_t*))get_spi;
 	this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
-	this->public.interface.add_sa  = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa;
+	this->public.interface.add_sa  = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,lifetime_cfg_t*,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool,traffic_selector_t*,traffic_selector_t*))add_sa;
 	this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa;
 	this->public.interface.query_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int64_t*))query_sa;
 	this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
@@ -1975,18 +2028,20 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create()
 	this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
 	this->install_routes = lib->settings->get_bool(lib->settings,
 					"charon.install_routes", TRUE);
-	
-	/* add bypass policies on the sockets used by charon */
-	if (!add_bypass_policies())
+
+	/* disable lifetimes for allocated SPIs in kernel */
+	fd = open("/proc/sys/net/core/xfrm_acq_expires", O_WRONLY);
+	if (fd)
 	{
-		charon->kill(charon, "unable to add bypass policies on sockets");
+		ignore_result(write(fd, "165", 3));
+		close(fd);
 	}
-	
+
 	this->socket_xfrm = netlink_socket_create(NETLINK_XFRM);
-	
+
 	memset(&addr, 0, sizeof(addr));
 	addr.nl_family = AF_NETLINK;
-	
+
 	/* create and bind XFRM socket for ACQUIRE, EXPIRE, MIGRATE & MAPPING */
 	this->socket_xfrm_events = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);
 	if (this->socket_xfrm_events <= 0)
@@ -1999,10 +2054,16 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create()
 	{
 		charon->kill(charon, "unable to bind XFRM event socket");
 	}
-	
+
+	/* add bypass policies on the sockets used by charon */
+	if (!add_bypass_policies())
+	{
+		charon->kill(charon, "unable to add bypass policies on sockets");
+	}
+
 	this->job = callback_job_create((callback_job_cb_t)receive_events,
 									this, NULL, NULL);
 	charon->processor->queue_job(charon->processor, (job_t*)this->job);
-	
+
 	return &this->public;
 }
diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_net.c b/src/charon/plugins/kernel_netlink/kernel_netlink_net.c
index e5c0b5da7..4a9fdf69a 100644
--- a/src/charon/plugins/kernel_netlink/kernel_netlink_net.c
+++ b/src/charon/plugins/kernel_netlink/kernel_netlink_net.c
@@ -17,8 +17,6 @@
 #include <sys/socket.h>
 #include <linux/netlink.h>
 #include <linux/rtnetlink.h>
-#include <sys/time.h>
-#include <pthread.h>
 #include <unistd.h>
 #include <errno.h>
 #include <net/if.h>
@@ -27,7 +25,9 @@
 #include "kernel_netlink_shared.h"
 
 #include <daemon.h>
-#include <utils/mutex.h>
+#include <threading/thread.h>
+#include <threading/condvar.h>
+#include <threading/mutex.h>
 #include <utils/linked_list.h>
 #include <processing/jobs/callback_job.h>
 #include <processing/jobs/roam_job.h>
@@ -35,30 +35,22 @@
 /** delay before firing roam jobs (ms) */
 #define ROAM_DELAY 100
 
-/** routing table for routes installed by us */
-#ifndef IPSEC_ROUTING_TABLE
-#define IPSEC_ROUTING_TABLE 100
-#endif
-#ifndef IPSEC_ROUTING_TABLE_PRIO
-#define IPSEC_ROUTING_TABLE_PRIO 100
-#endif
-
 typedef struct addr_entry_t addr_entry_t;
 
 /**
  * IP address in an inface_entry_t
  */
 struct addr_entry_t {
-	
+
 	/** The ip address */
 	host_t *ip;
-	
+
 	/** virtual IP managed by us */
 	bool virtual;
-	
+
 	/** scope of the address */
 	u_char scope;
-	
+
 	/** Number of times this IP is used, if virtual */
 	u_int refcount;
 };
@@ -78,16 +70,16 @@ typedef struct iface_entry_t iface_entry_t;
  * A network interface on this system, containing addr_entry_t's
  */
 struct iface_entry_t {
-	
+
 	/** interface index */
 	int ifindex;
-	
+
 	/** name of the interface */
 	char ifname[IFNAMSIZ];
-	
+
 	/** interface flags, as in netdevice(7) SIOCGIFFLAGS */
 	u_int flags;
-	
+
 	/** list of addresses as host_t */
 	linked_list_t *addrs;
 };
@@ -111,57 +103,57 @@ struct private_kernel_netlink_net_t {
 	 * Public part of the kernel_netlink_net_t object.
 	 */
 	kernel_netlink_net_t public;
-	
+
 	/**
 	 * mutex to lock access to various lists
 	 */
 	mutex_t *mutex;
-	
+
 	/**
 	 * condition variable to signal virtual IP add/removal
 	 */
 	condvar_t *condvar;
-	
+
 	/**
 	 * Cached list of interfaces and its addresses (iface_entry_t)
 	 */
 	linked_list_t *ifaces;
-	 
+
 	/**
 	 * job receiving netlink events
 	 */
 	callback_job_t *job;
-	
+
 	/**
 	 * netlink rt socket (routing)
 	 */
 	netlink_socket_t *socket;
-	
+
 	/**
 	 * Netlink rt socket to receive address change events
 	 */
 	int socket_events;
-	
+
 	/**
 	 * time of the last roam_job
 	 */
-	struct timeval last_roam;
-	
+	timeval_t last_roam;
+
 	/**
 	 * routing table to install routes
 	 */
 	int routing_table;
-	
+
 	/**
 	 * priority of used routing table
 	 */
 	int routing_table_prio;
-	
+
 	/**
 	 * whether to react to RTM_NEWROUTE or RTM_DELROUTE events
 	 */
 	bool process_route;
-	
+
 	/**
 	 * whether to actually install virtual IPs
 	 */
@@ -177,7 +169,7 @@ static int get_vip_refcount(private_kernel_netlink_net_t *this, host_t* ip)
 	iface_entry_t *iface;
 	addr_entry_t *addr;
 	int refcount = 0;
-	
+
 	ifaces = this->ifaces->create_iterator(this->ifaces, TRUE);
 	while (ifaces->iterate(ifaces, (void**)&iface))
 	{
@@ -198,7 +190,7 @@ static int get_vip_refcount(private_kernel_netlink_net_t *this, host_t* ip)
 		}
 	}
 	ifaces->destroy(ifaces);
-	
+
 	return refcount;
 }
 
@@ -208,22 +200,20 @@ static int get_vip_refcount(private_kernel_netlink_net_t *this, host_t* ip)
  */
 static void fire_roam_job(private_kernel_netlink_net_t *this, bool address)
 {
-	struct timeval now;
-	
-	if (gettimeofday(&now, NULL) == 0)
+	timeval_t now;
+
+	time_monotonic(&now);
+	if (timercmp(&now, &this->last_roam, >))
 	{
-		if (timercmp(&now, &this->last_roam, >))
+		now.tv_usec += ROAM_DELAY * 1000;
+		while (now.tv_usec > 1000000)
 		{
-			now.tv_usec += ROAM_DELAY * 1000;
-			while (now.tv_usec > 1000000)
-			{
-				now.tv_sec++;
-				now.tv_usec -= 1000000;
-			}
-			this->last_roam = now;
-			charon->scheduler->schedule_job_ms(charon->scheduler,
-					(job_t*)roam_job_create(address), ROAM_DELAY);
+			now.tv_sec++;
+			now.tv_usec -= 1000000;
 		}
+		this->last_roam = now;
+		charon->scheduler->schedule_job_ms(charon->scheduler,
+				(job_t*)roam_job_create(address), ROAM_DELAY);
 	}
 }
 
@@ -240,7 +230,7 @@ static void process_link(private_kernel_netlink_net_t *this,
 	iface_entry_t *current, *entry = NULL;
 	char *name = NULL;
 	bool update = FALSE;
-	
+
 	while(RTA_OK(rta, rtasize))
 	{
 		switch (rta->rta_type)
@@ -255,7 +245,7 @@ static void process_link(private_kernel_netlink_net_t *this,
 	{
 		name = "(unknown)";
 	}
-	
+
 	this->mutex->lock(this->mutex);
 	switch (hdr->nlmsg_type)
 	{
@@ -308,7 +298,7 @@ static void process_link(private_kernel_netlink_net_t *this,
 			{
 				if (current->ifindex == msg->ifi_index)
 				{
-					/* we do not remove it, as an address may be added to a 
+					/* we do not remove it, as an address may be added to a
 					 * "down" interface and we wan't to know that. */
 					current->flags = msg->ifi_flags;
 					break;
@@ -319,7 +309,7 @@ static void process_link(private_kernel_netlink_net_t *this,
 		}
 	}
 	this->mutex->unlock(this->mutex);
-	
+
 	/* send an update to all IKE_SAs */
 	if (update && event)
 	{
@@ -342,7 +332,7 @@ static void process_addr(private_kernel_netlink_net_t *this,
 	addr_entry_t *addr;
 	chunk_t local = chunk_empty, address = chunk_empty;
 	bool update = FALSE, found = FALSE, changed = FALSE;
-	
+
 	while(RTA_OK(rta, rtasize))
 	{
 		switch (rta->rta_type)
@@ -358,7 +348,7 @@ static void process_addr(private_kernel_netlink_net_t *this,
 		}
 		rta = RTA_NEXT(rta, rtasize);
 	}
-	
+
 	/* For PPP interfaces, we need the IFA_LOCAL address,
 	 * IFA_ADDRESS is the peers address. But IFA_LOCAL is
 	 * not included in all cases (IPv6?), so fallback to IFA_ADDRESS. */
@@ -370,12 +360,12 @@ static void process_addr(private_kernel_netlink_net_t *this,
 	{
 		host = host_create_from_chunk(msg->ifa_family, address, 0);
 	}
-	
+
 	if (host == NULL)
 	{	/* bad family? */
 		return;
 	}
-	
+
 	this->mutex->lock(this->mutex);
 	ifaces = this->ifaces->create_enumerator(this->ifaces);
 	while (ifaces->enumerate(ifaces, &iface))
@@ -406,7 +396,7 @@ static void process_addr(private_kernel_netlink_net_t *this,
 				}
 			}
 			addrs->destroy(addrs);
-		
+
 			if (hdr->nlmsg_type == RTM_NEWADDR)
 			{
 				if (!found)
@@ -418,7 +408,7 @@ static void process_addr(private_kernel_netlink_net_t *this,
 					addr->virtual = FALSE;
 					addr->refcount = 1;
 					addr->scope = msg->ifa_scope;
-					
+
 					iface->addrs->insert_last(iface->addrs, addr);
 					if (event)
 					{
@@ -436,7 +426,7 @@ static void process_addr(private_kernel_netlink_net_t *this,
 	ifaces->destroy(ifaces);
 	this->mutex->unlock(this->mutex);
 	host->destroy(host);
-	
+
 	/* send an update to all IKE_SAs */
 	if (update && event && changed)
 	{
@@ -453,13 +443,13 @@ static void process_route(private_kernel_netlink_net_t *this, struct nlmsghdr *h
 	struct rtattr *rta = RTM_RTA(msg);
 	size_t rtasize = RTM_PAYLOAD(hdr);
 	host_t *host = NULL;
-	
+
 	/* ignore routes added by us */
 	if (msg->rtm_table && msg->rtm_table == this->routing_table)
 	{
 		return;
 	}
-	
+
 	while (RTA_OK(rta, rtasize))
 	{
 		switch (rta->rta_type)
@@ -492,13 +482,14 @@ static job_requeue_t receive_events(private_kernel_netlink_net_t *this)
 	struct nlmsghdr *hdr = (struct nlmsghdr*)response;
 	struct sockaddr_nl addr;
 	socklen_t addr_len = sizeof(addr);
-	int len, oldstate;
+	int len;
+	bool oldstate;
 
-	pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);	
+	oldstate = thread_cancelability(TRUE);
 	len = recvfrom(this->socket_events, response, sizeof(response), 0,
 				   (struct sockaddr*)&addr, &addr_len);
-	pthread_setcancelstate(oldstate, NULL);
-	
+	thread_cancelability(oldstate);
+
 	if (len < 0)
 	{
 		switch (errno)
@@ -515,12 +506,12 @@ static job_requeue_t receive_events(private_kernel_netlink_net_t *this)
 				return JOB_REQUEUE_FAIR;
 		}
 	}
-	
+
 	if (addr.nl_pid != 0)
 	{	/* not from kernel. not interested, try another one */
 		return JOB_REQUEUE_DIRECT;
 	}
-	
+
 	while (NLMSG_OK(hdr, len))
 	{
 		/* looks good so far, dispatch netlink message */
@@ -556,7 +547,7 @@ typedef struct {
 	private_kernel_netlink_net_t* this;
 	/** whether to enumerate down interfaces */
 	bool include_down_ifaces;
-	/** whether to enumerate virtual ip addresses */ 
+	/** whether to enumerate virtual ip addresses */
 	bool include_virtual_ips;
 } address_enumerator_t;
 
@@ -618,7 +609,7 @@ static enumerator_t *create_address_enumerator(private_kernel_netlink_net_t *thi
 	data->this = this;
 	data->include_down_ifaces = include_down_ifaces;
 	data->include_virtual_ips = include_virtual_ips;
-	
+
 	this->mutex->lock(this->mutex);
 	return enumerator_create_nested(
 				enumerator_create_filter(this->ifaces->create_enumerator(this->ifaces),
@@ -635,9 +626,9 @@ static char *get_interface_name(private_kernel_netlink_net_t *this, host_t* ip)
 	iface_entry_t *iface;
 	addr_entry_t *addr;
 	char *name = NULL;
-	
+
 	DBG2(DBG_KNL, "getting interface name for %H", ip);
-	
+
 	this->mutex->lock(this->mutex);
 	ifaces = this->ifaces->create_enumerator(this->ifaces);
 	while (ifaces->enumerate(ifaces, &iface))
@@ -659,7 +650,7 @@ static char *get_interface_name(private_kernel_netlink_net_t *this, host_t* ip)
 	}
 	ifaces->destroy(ifaces);
 	this->mutex->unlock(this->mutex);
-	
+
 	if (name)
 	{
 		DBG2(DBG_KNL, "%H is on interface %s", ip, name);
@@ -679,9 +670,9 @@ static int get_interface_index(private_kernel_netlink_net_t *this, char* name)
 	enumerator_t *ifaces;
 	iface_entry_t *iface;
 	int ifindex = 0;
-	
+
 	DBG2(DBG_KNL, "getting iface index for %s", name);
-	
+
 	this->mutex->lock(this->mutex);
 	ifaces = this->ifaces->create_enumerator(this->ifaces);
 	while (ifaces->enumerate(ifaces, &iface))
@@ -711,7 +702,7 @@ static bool is_interface_up(private_kernel_netlink_net_t *this, int index)
 	iface_entry_t *iface;
 	/* default to TRUE for interface we do not monitor (e.g. lo) */
 	bool up = TRUE;
-	
+
 	ifaces = this->ifaces->create_enumerator(this->ifaces);
 	while (ifaces->enumerate(ifaces, &iface))
 	{
@@ -733,11 +724,14 @@ static bool addr_in_subnet(chunk_t addr, chunk_t net, int net_len)
 	static const u_char mask[] = { 0x00, 0x80, 0xc0, 0xe0, 0xf0, 0xf8, 0xfc, 0xfe };
 	int byte = 0;
 
+	if (net_len == 0)
+	{	/* any address matches a /0 network */
+		return TRUE;
+	}
 	if (addr.len != net.len || net_len > 8 * net.len )
 	{
 		return FALSE;
 	}
-
 	/* scan through all bytes in network order */
 	while (net_len > 0)
 	{
@@ -771,35 +765,42 @@ static host_t *get_route(private_kernel_netlink_net_t *this, host_t *dest,
 	size_t len;
 	int best = -1;
 	host_t *src = NULL, *gtw = NULL;
-	
+
 	DBG2(DBG_KNL, "getting address to reach %H", dest);
-	
+
 	memset(&request, 0, sizeof(request));
 
 	hdr = (struct nlmsghdr*)request;
-	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_DUMP | NLM_F_ROOT;
+	hdr->nlmsg_flags = NLM_F_REQUEST;
+	if (dest->get_family(dest) == AF_INET)
+	{
+		/* We dump all addresses for IPv4, as we want to ignore IPsec specific
+		 * routes installed by us. But the kernel does not return source
+		 * addresses in a IPv6 dump, so fall back to get() for v6 routes. */
+		hdr->nlmsg_flags |= NLM_F_ROOT | NLM_F_DUMP;
+	}
 	hdr->nlmsg_type = RTM_GETROUTE;
 	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg));
 
 	msg = (struct rtmsg*)NLMSG_DATA(hdr);
 	msg->rtm_family = dest->get_family(dest);
-	
-	chunk = dest->get_address(dest);
-	netlink_add_attribute(hdr, RTA_DST, chunk, sizeof(request));
 	if (candidate)
 	{
 		chunk = candidate->get_address(candidate);
 		netlink_add_attribute(hdr, RTA_PREFSRC, chunk, sizeof(request));
 	}
-	
+	chunk = dest->get_address(dest);
+	netlink_add_attribute(hdr, RTA_DST, chunk, sizeof(request));
+
 	if (this->socket->send(this->socket, hdr, &out, &len) != SUCCESS)
 	{
 		DBG1(DBG_KNL, "getting address to %H failed", dest);
 		return NULL;
 	}
 	this->mutex->lock(this->mutex);
-	current = out;
-	while (NLMSG_OK(current, len))
+
+	for (current = out; NLMSG_OK(current, len);
+		 current = NLMSG_NEXT(current, len))
 	{
 		switch (current->nlmsg_type)
 		{
@@ -811,10 +812,8 @@ static host_t *get_route(private_kernel_netlink_net_t *this, host_t *dest,
 				size_t rtasize;
 				chunk_t rta_gtw, rta_src, rta_dst;
 				u_int32_t rta_oif = 0;
-				enumerator_t *ifaces, *addrs;
-				iface_entry_t *iface;
-				addr_entry_t *addr;
-				
+				host_t *new_src, *new_gtw;
+
 				rta_gtw = rta_src = rta_dst = chunk_empty;
 				msg = (struct rtmsg*)(NLMSG_DATA(current));
 				rta = RTM_RTA(msg);
@@ -841,81 +840,74 @@ static host_t *get_route(private_kernel_netlink_net_t *this, host_t *dest,
 					}
 					rta = RTA_NEXT(rta, rtasize);
 				}
-				if (rta_oif && !is_interface_up(this, rta_oif))
-				{	/* interface is down */
-					goto next;
+				if (msg->rtm_dst_len <= best)
+				{	/* not better than a previous one */
+					continue;
 				}
 				if (this->routing_table != 0 &&
 					msg->rtm_table == this->routing_table)
 				{	/* route is from our own ipsec routing table */
-					goto next;
+					continue;
 				}
-				if (msg->rtm_dst_len <= best)
-				{	/* not better than a previous one */
-					goto next;
+				if (rta_oif && !is_interface_up(this, rta_oif))
+				{	/* interface is down */
+					continue;
 				}
-				if (msg->rtm_dst_len != 0 &&
-					(!rta_dst.ptr ||
-					 !addr_in_subnet(chunk, rta_dst, msg->rtm_dst_len)))
-				{	/* is not the default route and not contained in our dst */
-					goto next;
+				if (!addr_in_subnet(chunk, rta_dst, msg->rtm_dst_len))
+				{	/* route destination does not contain dest */
+					continue;
 				}
-				
-				best = msg->rtm_dst_len;
+
 				if (nexthop)
 				{
+					/* nexthop lookup, return gateway if any */
 					DESTROY_IF(gtw);
 					gtw = host_create_from_chunk(msg->rtm_family, rta_gtw, 0);
-					goto next;
+					best = msg->rtm_dst_len;
+					continue;
 				}
 				if (rta_src.ptr)
 				{
-					DESTROY_IF(src);
-					src = host_create_from_chunk(msg->rtm_family, rta_src, 0);
-					if (get_vip_refcount(this, src))
-					{	/* skip source address if it is installed by us */
-						DESTROY_IF(src);
-						src = NULL;
-					}
-					goto next;
-				}
-				/* no source addr, get one from the interfaces */
-				ifaces = this->ifaces->create_enumerator(this->ifaces);
-				while (ifaces->enumerate(ifaces, &iface))
-				{
-					if (iface->ifindex == rta_oif && 
-						iface->flags & IFF_UP)
+					/* got a source address */
+					new_src = host_create_from_chunk(msg->rtm_family, rta_src, 0);
+					if (new_src)
 					{
-						addrs = iface->addrs->create_enumerator(iface->addrs);
-						while (addrs->enumerate(addrs, &addr))
+						if (get_vip_refcount(this, new_src))
+						{	/* skip source address if it is installed by us */
+							new_src->destroy(new_src);
+						}
+						else
 						{
-							chunk_t ip = addr->ip->get_address(addr->ip);
-							if ((msg->rtm_dst_len == 0 && 
-								 addr->ip->get_family(addr->ip) ==
-								 	dest->get_family(dest)) ||
-								addr_in_subnet(ip, rta_dst, msg->rtm_dst_len))
-							{
-								DESTROY_IF(src);
-								src = addr->ip->clone(addr->ip);
-								break;
-							}
+							DESTROY_IF(src);
+							src = new_src;
+							best = msg->rtm_dst_len;
 						}
-						addrs->destroy(addrs);
 					}
+					continue;
 				}
-				ifaces->destroy(ifaces);
-				goto next;
+				if (rta_gtw.ptr)
+				{	/* no source, but a gateway. Lookup source to reach gtw. */
+					new_gtw = host_create_from_chunk(msg->rtm_family, rta_gtw, 0);
+					new_src = get_route(this, new_gtw, FALSE, candidate);
+					new_gtw->destroy(new_gtw);
+					if (new_src)
+					{
+						DESTROY_IF(src);
+						src = new_src;
+						best = msg->rtm_dst_len;
+					}
+					continue;
+				}
+				continue;
 			}
 			default:
-			next:
-				current = NLMSG_NEXT(current, len);
 				continue;
 		}
 		break;
 	}
 	free(out);
 	this->mutex->unlock(this->mutex);
-	
+
 	if (nexthop)
 	{
 		if (gtw)
@@ -955,23 +947,23 @@ static status_t manage_ipaddr(private_kernel_netlink_net_t *this, int nlmsg_type
 	struct nlmsghdr *hdr;
 	struct ifaddrmsg *msg;
 	chunk_t chunk;
-	
+
 	memset(&request, 0, sizeof(request));
-	
+
 	chunk = ip->get_address(ip);
-    
-    hdr = (struct nlmsghdr*)request;
+
+	hdr = (struct nlmsghdr*)request;
 	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags;
-	hdr->nlmsg_type = nlmsg_type; 
+	hdr->nlmsg_type = nlmsg_type;
 	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct ifaddrmsg));
-	
+
 	msg = (struct ifaddrmsg*)NLMSG_DATA(hdr);
-    msg->ifa_family = ip->get_family(ip);
-    msg->ifa_flags = 0;
-    msg->ifa_prefixlen = 8 * chunk.len;
-    msg->ifa_scope = RT_SCOPE_UNIVERSE;
-    msg->ifa_index = if_index;
-	
+	msg->ifa_family = ip->get_family(ip);
+	msg->ifa_flags = 0;
+	msg->ifa_prefixlen = 8 * chunk.len;
+	msg->ifa_scope = RT_SCOPE_UNIVERSE;
+	msg->ifa_index = if_index;
+
 	netlink_add_attribute(hdr, IFA_LOCAL, chunk, sizeof(request));
 
 	return this->socket->send_ack(this->socket, hdr);
@@ -980,27 +972,27 @@ static status_t manage_ipaddr(private_kernel_netlink_net_t *this, int nlmsg_type
 /**
  * Implementation of kernel_net_t.add_ip.
  */
-static status_t add_ip(private_kernel_netlink_net_t *this, 
+static status_t add_ip(private_kernel_netlink_net_t *this,
 						host_t *virtual_ip, host_t *iface_ip)
 {
 	iface_entry_t *iface;
 	addr_entry_t *addr;
 	enumerator_t *addrs, *ifaces;
 	int ifindex;
-	
+
 	if (!this->install_virtual_ip)
 	{	/* disabled by config */
 		return SUCCESS;
 	}
-	
+
 	DBG2(DBG_KNL, "adding virtual IP %H", virtual_ip);
-	
+
 	this->mutex->lock(this->mutex);
 	ifaces = this->ifaces->create_enumerator(this->ifaces);
 	while (ifaces->enumerate(ifaces, &iface))
 	{
 		bool iface_found = FALSE;
-	
+
 		addrs = iface->addrs->create_enumerator(iface->addrs);
 		while (addrs->enumerate(addrs, &addr))
 		{
@@ -1020,7 +1012,7 @@ static status_t add_ip(private_kernel_netlink_net_t *this,
 			}
 		}
 		addrs->destroy(addrs);
-		
+
 		if (iface_found)
 		{
 			ifindex = iface->ifindex;
@@ -1030,7 +1022,7 @@ static status_t add_ip(private_kernel_netlink_net_t *this,
 			addr->virtual = TRUE;
 			addr->scope = RT_SCOPE_UNIVERSE;
 			iface->addrs->insert_last(iface->addrs, addr);
-			
+
 			if (manage_ipaddr(this, RTM_NEWADDR, NLM_F_CREATE | NLM_F_EXCL,
 							  ifindex, virtual_ip) == SUCCESS)
 			{
@@ -1050,7 +1042,7 @@ static status_t add_ip(private_kernel_netlink_net_t *this,
 	}
 	ifaces->destroy(ifaces);
 	this->mutex->unlock(this->mutex);
-	
+
 	DBG1(DBG_KNL, "interface address %H not found, unable to install"
 		 "virtual IP %H", iface_ip, virtual_ip);
 	return FAILED;
@@ -1066,14 +1058,14 @@ static status_t del_ip(private_kernel_netlink_net_t *this, host_t *virtual_ip)
 	enumerator_t *addrs, *ifaces;
 	status_t status;
 	int ifindex;
-	
+
 	if (!this->install_virtual_ip)
 	{	/* disabled by config */
 		return SUCCESS;
 	}
-	
+
 	DBG2(DBG_KNL, "deleting virtual IP %H", virtual_ip);
-	
+
 	this->mutex->lock(this->mutex);
 	ifaces = this->ifaces->create_enumerator(this->ifaces);
 	while (ifaces->enumerate(ifaces, &iface))
@@ -1087,7 +1079,7 @@ static status_t del_ip(private_kernel_netlink_net_t *this, host_t *virtual_ip)
 				if (addr->refcount == 1)
 				{
 					status = manage_ipaddr(this, RTM_DELADDR, 0,
-									  	   ifindex, virtual_ip);
+										   ifindex, virtual_ip);
 					if (status == SUCCESS)
 					{	/* wait until the address is really gone */
 						while (get_vip_refcount(this, virtual_ip) > 0)
@@ -1116,7 +1108,7 @@ static status_t del_ip(private_kernel_netlink_net_t *this, host_t *virtual_ip)
 	}
 	ifaces->destroy(ifaces);
 	this->mutex->unlock(this->mutex);
-	
+
 	DBG2(DBG_KNL, "virtual IP %H not cached, unable to delete", virtual_ip);
 	return FAILED;
 }
@@ -1143,11 +1135,11 @@ static status_t manage_srcroute(private_kernel_netlink_net_t *this, int nlmsg_ty
 		chunk_t half_net;
 		u_int8_t half_prefixlen;
 		status_t status;
-		
+
 		half_net = chunk_alloca(dst_net.len);
 		memset(half_net.ptr, 0, half_net.len);
 		half_prefixlen = 1;
-		
+
 		status = manage_srcroute(this, nlmsg_type, flags, half_net, half_prefixlen,
 					gateway, src_ip, if_name);
 		half_net.ptr[0] |= 0x80;
@@ -1155,7 +1147,7 @@ static status_t manage_srcroute(private_kernel_netlink_net_t *this, int nlmsg_ty
 					gateway, src_ip, if_name);
 		return status;
 	}
-	
+
 	memset(&request, 0, sizeof(request));
 
 	hdr = (struct nlmsghdr*)request;
@@ -1170,12 +1162,15 @@ static status_t manage_srcroute(private_kernel_netlink_net_t *this, int nlmsg_ty
 	msg->rtm_protocol = RTPROT_STATIC;
 	msg->rtm_type = RTN_UNICAST;
 	msg->rtm_scope = RT_SCOPE_UNIVERSE;
-	
+
 	netlink_add_attribute(hdr, RTA_DST, dst_net, sizeof(request));
 	chunk = src_ip->get_address(src_ip);
 	netlink_add_attribute(hdr, RTA_PREFSRC, chunk, sizeof(request));
-	chunk = gateway->get_address(gateway);
-	netlink_add_attribute(hdr, RTA_GATEWAY, chunk, sizeof(request));
+	if (gateway && gateway->get_family(gateway) == src_ip->get_family(src_ip))
+	{
+		chunk = gateway->get_address(gateway);
+		netlink_add_attribute(hdr, RTA_GATEWAY, chunk, sizeof(request));
+	}
 	ifindex = get_interface_index(this, if_name);
 	chunk.ptr = (char*)&ifindex;
 	chunk.len = sizeof(ifindex);
@@ -1193,7 +1188,7 @@ static status_t add_route(private_kernel_netlink_net_t *this, chunk_t dst_net,
 	return manage_srcroute(this, RTM_NEWROUTE, NLM_F_CREATE | NLM_F_EXCL,
 				dst_net, prefixlen, gateway, src_ip, if_name);
 }
-	
+
 /**
  * Implementation of kernel_net_t.del_route.
  */
@@ -1216,9 +1211,9 @@ static status_t init_address_list(private_kernel_netlink_net_t *this)
 	enumerator_t *ifaces, *addrs;
 	iface_entry_t *iface;
 	addr_entry_t *addr;
-	
+
 	DBG1(DBG_KNL, "listening on interfaces:");
-	
+
 	memset(&request, 0, sizeof(request));
 
 	in = (struct nlmsghdr*)&request;
@@ -1226,7 +1221,7 @@ static status_t init_address_list(private_kernel_netlink_net_t *this)
 	in->nlmsg_flags = NLM_F_REQUEST | NLM_F_MATCH | NLM_F_ROOT;
 	msg = (struct rtgenmsg*)NLMSG_DATA(in);
 	msg->rtgen_family = AF_UNSPEC;
-	
+
 	/* get all links */
 	in->nlmsg_type = RTM_GETLINK;
 	if (this->socket->send(this->socket, in, &out, &len) != SUCCESS)
@@ -1250,7 +1245,7 @@ static status_t init_address_list(private_kernel_netlink_net_t *this)
 		break;
 	}
 	free(out);
-	
+
 	/* get all interface addresses */
 	in->nlmsg_type = RTM_GETADDR;
 	if (this->socket->send(this->socket, in, &out, &len) != SUCCESS)
@@ -1274,7 +1269,7 @@ static status_t init_address_list(private_kernel_netlink_net_t *this)
 		break;
 	}
 	free(out);
-	
+
 	this->mutex->lock(this->mutex);
 	ifaces = this->ifaces->create_enumerator(this->ifaces);
 	while (ifaces->enumerate(ifaces, &iface))
@@ -1299,17 +1294,17 @@ static status_t init_address_list(private_kernel_netlink_net_t *this)
  * create or delete a rule to use our routing table
  */
 static status_t manage_rule(private_kernel_netlink_net_t *this, int nlmsg_type,
-							u_int32_t table, u_int32_t prio)
+							int family, u_int32_t table, u_int32_t prio)
 {
 	netlink_buf_t request;
 	struct nlmsghdr *hdr;
 	struct rtmsg *msg;
 	chunk_t chunk;
 
-	memset(&request, 0, sizeof(request));    
+	memset(&request, 0, sizeof(request));
 	hdr = (struct nlmsghdr*)request;
 	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
-	hdr->nlmsg_type = nlmsg_type; 
+	hdr->nlmsg_type = nlmsg_type;
 	if (nlmsg_type == RTM_NEWRULE)
 	{
 		hdr->nlmsg_flags |= NLM_F_CREATE | NLM_F_EXCL;
@@ -1318,7 +1313,7 @@ static status_t manage_rule(private_kernel_netlink_net_t *this, int nlmsg_type,
 
 	msg = (struct rtmsg*)NLMSG_DATA(hdr);
 	msg->rtm_table = table;
-	msg->rtm_family = AF_INET;
+	msg->rtm_family = family;
 	msg->rtm_protocol = RTPROT_BOOT;
 	msg->rtm_scope = RT_SCOPE_UNIVERSE;
 	msg->rtm_type = RTN_UNICAST;
@@ -1336,7 +1331,9 @@ static void destroy(private_kernel_netlink_net_t *this)
 {
 	if (this->routing_table)
 	{
-		manage_rule(this, RTM_DELRULE, this->routing_table,
+		manage_rule(this, RTM_DELRULE, AF_INET, this->routing_table,
+					this->routing_table_prio);
+		manage_rule(this, RTM_DELRULE, AF_INET6, this->routing_table,
 					this->routing_table_prio);
 	}
 
@@ -1356,7 +1353,7 @@ kernel_netlink_net_t *kernel_netlink_net_create()
 {
 	private_kernel_netlink_net_t *this = malloc_thing(private_kernel_netlink_net_t);
 	struct sockaddr_nl addr;
-	
+
 	/* public functions */
 	this->public.interface.get_interface = (char*(*)(kernel_net_t*,host_t*))get_interface_name;
 	this->public.interface.create_address_enumerator = (enumerator_t*(*)(kernel_net_t*,bool,bool))create_address_enumerator;
@@ -1370,53 +1367,58 @@ kernel_netlink_net_t *kernel_netlink_net_create()
 
 	/* private members */
 	this->ifaces = linked_list_create();
-	this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
+	this->mutex = mutex_create(MUTEX_TYPE_RECURSIVE);
 	this->condvar = condvar_create(CONDVAR_TYPE_DEFAULT);
 	timerclear(&this->last_roam);
 	this->routing_table = lib->settings->get_int(lib->settings,
-					"charon.routing_table", IPSEC_ROUTING_TABLE);
+					"charon.routing_table", ROUTING_TABLE);
 	this->routing_table_prio = lib->settings->get_int(lib->settings,
-					"charon.routing_table_prio", IPSEC_ROUTING_TABLE_PRIO);
+					"charon.routing_table_prio", ROUTING_TABLE_PRIO);
 	this->process_route = lib->settings->get_bool(lib->settings,
 					"charon.process_route", TRUE);
 	this->install_virtual_ip = lib->settings->get_bool(lib->settings,
 					"charon.install_virtual_ip", TRUE);
-	
+
 	this->socket = netlink_socket_create(NETLINK_ROUTE);
-	
+
 	memset(&addr, 0, sizeof(addr));
 	addr.nl_family = AF_NETLINK;
-	
+
 	/* create and bind RT socket for events (address/interface/route changes) */
 	this->socket_events = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
 	if (this->socket_events <= 0)
 	{
 		charon->kill(charon, "unable to create RT event socket");
 	}
-	addr.nl_groups = RTMGRP_IPV4_IFADDR | RTMGRP_IPV6_IFADDR | 
+	addr.nl_groups = RTMGRP_IPV4_IFADDR | RTMGRP_IPV6_IFADDR |
 					 RTMGRP_IPV4_ROUTE | RTMGRP_IPV4_ROUTE | RTMGRP_LINK;
 	if (bind(this->socket_events, (struct sockaddr*)&addr, sizeof(addr)))
 	{
 		charon->kill(charon, "unable to bind RT event socket");
 	}
-	
+
 	this->job = callback_job_create((callback_job_cb_t)receive_events,
 									this, NULL, NULL);
 	charon->processor->queue_job(charon->processor, (job_t*)this->job);
-	
+
 	if (init_address_list(this) != SUCCESS)
 	{
 		charon->kill(charon, "unable to get interface list");
 	}
-	
+
 	if (this->routing_table)
 	{
-		if (manage_rule(this, RTM_NEWRULE, this->routing_table,
+		if (manage_rule(this, RTM_NEWRULE, AF_INET, this->routing_table,
 						this->routing_table_prio) != SUCCESS)
 		{
-			DBG1(DBG_KNL, "unable to create routing table rule");
+			DBG1(DBG_KNL, "unable to create IPv4 routing table rule");
+		}
+		if (manage_rule(this, RTM_NEWRULE, AF_INET6, this->routing_table,
+						this->routing_table_prio) != SUCCESS)
+		{
+			DBG1(DBG_KNL, "unable to create IPv6 routing table rule");
 		}
 	}
-	
+
 	return &this->public;
 }
diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_plugin.c b/src/charon/plugins/kernel_netlink/kernel_netlink_plugin.c
index 77005e871..cdf20f14a 100644
--- a/src/charon/plugins/kernel_netlink/kernel_netlink_plugin.c
+++ b/src/charon/plugins/kernel_netlink/kernel_netlink_plugin.c
@@ -49,11 +49,11 @@ static void destroy(private_kernel_netlink_plugin_t *this)
 plugin_t *plugin_create()
 {
 	private_kernel_netlink_plugin_t *this = malloc_thing(private_kernel_netlink_plugin_t);
-	
+
 	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-	
+
 	charon->kernel_interface->add_ipsec_interface(charon->kernel_interface, (kernel_ipsec_constructor_t)kernel_netlink_ipsec_create);
 	charon->kernel_interface->add_net_interface(charon->kernel_interface, (kernel_net_constructor_t)kernel_netlink_net_create);
-	
+
 	return &this->public.plugin;
 }
diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_shared.c b/src/charon/plugins/kernel_netlink/kernel_netlink_shared.c
index ec1187083..b96186a3a 100644
--- a/src/charon/plugins/kernel_netlink/kernel_netlink_shared.c
+++ b/src/charon/plugins/kernel_netlink/kernel_netlink_shared.c
@@ -22,7 +22,7 @@
 #include "kernel_netlink_shared.h"
 
 #include <daemon.h>
-#include <utils/mutex.h>
+#include <threading/mutex.h>
 
 typedef struct private_netlink_socket_t private_netlink_socket_t;
 
@@ -34,7 +34,7 @@ struct private_netlink_socket_t {
 	 * public part of the netlink_socket_t object.
 	 */
 	netlink_socket_t public;
-	
+
 	/**
 	 * mutex to lock access to netlink socket
 	 */
@@ -46,12 +46,12 @@ struct private_netlink_socket_t {
 	int seq;
 
 	/**
-	 * netlink socket protocol 
+	 * netlink socket protocol
 	 */
 	int protocol;
 
 	/**
-	 * netlink socket 
+	 * netlink socket
 	 */
 	int socket;
 };
@@ -71,12 +71,12 @@ static status_t netlink_send(private_netlink_socket_t *this, struct nlmsghdr *in
 	struct sockaddr_nl addr;
 	chunk_t result = chunk_empty, tmp;
 	struct nlmsghdr *msg, peek;
-	
+
 	this->mutex->lock(this->mutex);
-	
+
 	in->nlmsg_seq = ++this->seq;
 	in->nlmsg_pid = getpid();
-	
+
 	memset(&addr, 0, sizeof(addr));
 	addr.nl_family = AF_NETLINK;
 	addr.nl_pid = 0;
@@ -91,11 +91,11 @@ static status_t netlink_send(private_netlink_socket_t *this, struct nlmsghdr *in
 
 	while (TRUE)
 	{
-		len = sendto(this->socket, in, in->nlmsg_len, 0, 
+		len = sendto(this->socket, in, in->nlmsg_len, 0,
 					 (struct sockaddr*)&addr, sizeof(addr));
-		
+
 		if (len != in->nlmsg_len)
-		{	
+		{
 			if (errno == EINTR)
 			{
 				/* interrupted, try again */
@@ -107,23 +107,23 @@ static status_t netlink_send(private_netlink_socket_t *this, struct nlmsghdr *in
 		}
 		break;
 	}
-	
+
 	while (TRUE)
-	{	
+	{
 		char buf[4096];
 		tmp.len = sizeof(buf);
 		tmp.ptr = buf;
 		msg = (struct nlmsghdr*)tmp.ptr;
-		
+
 		memset(&addr, 0, sizeof(addr));
 		addr.nl_family = AF_NETLINK;
 		addr.nl_pid = getpid();
 		addr.nl_groups = 0;
 		addr_len = sizeof(addr);
-		
+
 		len = recvfrom(this->socket, tmp.ptr, tmp.len, 0,
 					   (struct sockaddr*)&addr, &addr_len);
-		
+
 		if (len < 0)
 		{
 			if (errno == EINTR)
@@ -155,17 +155,17 @@ static status_t netlink_send(private_netlink_socket_t *this, struct nlmsghdr *in
 			free(result.ptr);
 			return FAILED;
 		}
-		
+
 		tmp.len = len;
 		result.ptr = realloc(result.ptr, result.len + tmp.len);
 		memcpy(result.ptr + result.len, tmp.ptr, tmp.len);
 		result.len += tmp.len;
-		
+
 		/* NLM_F_MULTI flag does not seem to be set correctly, we use sequence
 		 * numbers to detect multi header messages */
 		len = recvfrom(this->socket, &peek, sizeof(peek), MSG_PEEK | MSG_DONTWAIT,
 					   (struct sockaddr*)&addr, &addr_len);
-		
+
 		if (len == sizeof(peek) && peek.nlmsg_seq == this->seq)
 		{
 			/* seems to be multipart */
@@ -173,12 +173,12 @@ static status_t netlink_send(private_netlink_socket_t *this, struct nlmsghdr *in
 		}
 		break;
 	}
-	
+
 	*out_len = result.len;
 	*out = (struct nlmsghdr*)result.ptr;
-	
+
 	this->mutex->unlock(this->mutex);
-	
+
 	return SUCCESS;
 }
 
@@ -202,7 +202,7 @@ static status_t netlink_send_ack(private_netlink_socket_t *this, struct nlmsghdr
 			case NLMSG_ERROR:
 			{
 				struct nlmsgerr* err = (struct nlmsgerr*)NLMSG_DATA(hdr);
-				
+
 				if (err->error)
 				{
 					if (-err->error == EEXIST)
@@ -247,7 +247,7 @@ static void destroy(private_netlink_socket_t *this)
 netlink_socket_t *netlink_socket_create(int protocol) {
 	private_netlink_socket_t *this = malloc_thing(private_netlink_socket_t);
 	struct sockaddr_nl addr;
-	
+
 	/* public functions */
 	this->public.send = (status_t(*)(netlink_socket_t*,struct nlmsghdr*, struct nlmsghdr**, size_t*))netlink_send;
 	this->public.send_ack = (status_t(*)(netlink_socket_t*,struct nlmsghdr*))netlink_send_ack;
@@ -256,23 +256,23 @@ netlink_socket_t *netlink_socket_create(int protocol) {
 	/* private members */
 	this->seq = 200;
 	this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
-	
+
 	memset(&addr, 0, sizeof(addr));
 	addr.nl_family = AF_NETLINK;
-	
+
 	this->protocol = protocol;
 	this->socket = socket(AF_NETLINK, SOCK_RAW, protocol);
 	if (this->socket <= 0)
 	{
 		charon->kill(charon, "unable to create netlink socket");
 	}
-	
+
 	addr.nl_groups = 0;
 	if (bind(this->socket, (struct sockaddr*)&addr, sizeof(addr)))
 	{
 		charon->kill(charon, "unable to bind netlink socket");
 	}
-	
+
 	return &this->public;
 }
 
@@ -283,13 +283,13 @@ void netlink_add_attribute(struct nlmsghdr *hdr, int rta_type, chunk_t data,
 						  size_t buflen)
 {
 	struct rtattr *rta;
-	
+
 	if (NLMSG_ALIGN(hdr->nlmsg_len) + RTA_ALIGN(data.len) > buflen)
 	{
 		DBG1(DBG_KNL, "unable to add attribute, buffer too small");
 		return;
 	}
-	
+
 	rta = (struct rtattr*)(((char*)hdr) + NLMSG_ALIGN(hdr->nlmsg_len));
 	rta->rta_type = rta_type;
 	rta->rta_len = RTA_LENGTH(data.len);
diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_shared.h b/src/charon/plugins/kernel_netlink/kernel_netlink_shared.h
index 5a70e4d9b..dfd27a21a 100644
--- a/src/charon/plugins/kernel_netlink/kernel_netlink_shared.h
+++ b/src/charon/plugins/kernel_netlink/kernel_netlink_shared.h
@@ -37,20 +37,20 @@ struct netlink_socket_t {
 
 	/**
 	 * Send a netlink message and wait for a reply.
-	 * 
+	 *
 	 * @param	in		netlink message to send
 	 * @param	out 	received netlink message
 	 * @param	out_len	length of the received message
 	 */
 	status_t (*send)(netlink_socket_t *this, struct nlmsghdr *in, struct nlmsghdr **out, size_t *out_len);
-	
+
 	/**
 	 * Send a netlink message and wait for its acknowledge.
-	 * 
+	 *
 	 * @param	in		netlink message to send
 	 */
 	status_t (*send_ack)(netlink_socket_t *this, struct nlmsghdr *in);
-	
+
 	/**
 	 * Destroy the socket.
 	 */
@@ -59,14 +59,14 @@ struct netlink_socket_t {
 
 /**
  * Create a netlink_socket_t object.
- * 
+ *
  * @param	protocol	protocol type (e.g. NETLINK_XFRM or NETLINK_ROUTE)
  */
 netlink_socket_t *netlink_socket_create(int protocol);
 
 /**
  * Creates an rtattr and adds it to the given netlink message.
- * 
+ *
  * @param	hdr			netlink message
  * @param	rta_type	type of the rtattr
  * @param	data		data to add to the rtattr
diff --git a/src/charon/plugins/kernel_pfkey/Makefile.am b/src/charon/plugins/kernel_pfkey/Makefile.am
index e03a0ca02..a72c6a999 100644
--- a/src/charon/plugins/kernel_pfkey/Makefile.am
+++ b/src/charon/plugins/kernel_pfkey/Makefile.am
@@ -1,5 +1,5 @@
 
-INCLUDES = -I${linuxdir} -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
+INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
 
 AM_CFLAGS = -rdynamic
 
diff --git a/src/charon/plugins/kernel_pfkey/Makefile.in b/src/charon/plugins/kernel_pfkey/Makefile.in
index e01510127..8a0961a7d 100644
--- a/src/charon/plugins/kernel_pfkey/Makefile.in
+++ b/src/charon/plugins/kernel_pfkey/Makefile.in
@@ -1,8 +1,9 @@
-# Makefile.in generated by automake 1.10.2 from Makefile.am.
+# Makefile.in generated by automake 1.11 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,8 +17,9 @@
 
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
@@ -35,19 +37,41 @@ host_triplet = @host@
 subdir = src/charon/plugins/kernel_pfkey
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
 CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
 am__vpath_adj = case $$p in \
     $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
     *) f=$$p;; \
   esac;
-am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__installdirs = "$(DESTDIR)$(plugindir)"
-pluginLTLIBRARIES_INSTALL = $(INSTALL)
 LTLIBRARIES = $(plugin_LTLIBRARIES)
 libstrongswan_kernel_pfkey_la_LIBADD =
 am_libstrongswan_kernel_pfkey_la_OBJECTS = kernel_pfkey_plugin.lo \
@@ -61,6 +85,7 @@ libstrongswan_kernel_pfkey_la_LINK = $(LIBTOOL) --tag=CC \
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
+am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
@@ -108,25 +133,22 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
-IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
-LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
-LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
-LINUX_HEADERS = @LINUX_HEADERS@
 LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
 NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
@@ -138,11 +160,14 @@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
 PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
+RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
@@ -171,9 +196,9 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
-confdir = @confdir@
 datadir = @datadir@
 datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
@@ -196,7 +221,7 @@ ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
 libstrongswan_plugins = @libstrongswan_plugins@
-linuxdir = @linuxdir@
+linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
@@ -204,6 +229,7 @@ mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
@@ -212,10 +238,12 @@ pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+random_device = @random_device@
 resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
-simreader = @simreader@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
@@ -223,9 +251,10 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I${linuxdir} -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
+INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
 AM_CFLAGS = -rdynamic
 plugin_LTLIBRARIES = libstrongswan-kernel-pfkey.la
 libstrongswan_kernel_pfkey_la_SOURCES = kernel_pfkey_plugin.h kernel_pfkey_plugin.c \
@@ -245,9 +274,9 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/charon/plugins/kernel_pfkey/Makefile'; \
-	cd $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu  src/charon/plugins/kernel_pfkey/Makefile
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/charon/plugins/kernel_pfkey/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/charon/plugins/kernel_pfkey/Makefile
 .PRECIOUS: Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
@@ -265,23 +294,28 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
 	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
 	  if test -f $$p; then \
-	    f=$(am__strip_dir) \
-	    echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(plugindir)/$$f'"; \
-	    $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(plugindir)/$$f"; \
+	    list2="$$list2 $$p"; \
 	  else :; fi; \
-	done
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
 
 uninstall-pluginLTLIBRARIES:
 	@$(NORMAL_UNINSTALL)
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
-	  p=$(am__strip_dir) \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$p'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$p"; \
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
 	done
 
 clean-pluginLTLIBRARIES:
@@ -306,21 +340,21 @@ distclean-compile:
 
 .c.o:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c $<
 
 .c.obj:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
 @am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
@@ -343,7 +377,7 @@ tags: TAGS
 
 TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
+	set x; \
 	here=`pwd`; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
@@ -351,29 +385,34 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
 	  test -n "$$unique" || unique=$$empty_fix; \
-	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	    $$tags $$unique; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
 	fi
 ctags: CTAGS
 CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	test -z "$(CTAGS_ARGS)$$unique" \
 	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$tags $$unique
+	     $$unique
 
 GTAGS:
 	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && cd $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) $$here
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
 
 distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
@@ -394,13 +433,17 @@ distdir: $(DISTFILES)
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
 	  if test -d $$d/$$file; then \
 	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
 	    fi; \
-	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
 	  else \
-	    test -f $(distdir)/$$file \
-	    || cp -p $$d/$$file $(distdir)/$$file \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
 	    || exit 1; \
 	  fi; \
 	done
@@ -431,6 +474,7 @@ clean-generic:
 
 distclean-generic:
 	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -452,6 +496,8 @@ dvi-am:
 
 html: html-am
 
+html-am:
+
 info: info-am
 
 info-am:
@@ -460,18 +506,28 @@ install-data-am: install-pluginLTLIBRARIES
 
 install-dvi: install-dvi-am
 
+install-dvi-am:
+
 install-exec-am:
 
 install-html: install-html-am
 
+install-html-am:
+
 install-info: install-info-am
 
+install-info-am:
+
 install-man:
 
 install-pdf: install-pdf-am
 
+install-pdf-am:
+
 install-ps: install-ps-am
 
+install-ps-am:
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -510,6 +566,7 @@ uninstall-am: uninstall-pluginLTLIBRARIES
 	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
 	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
 
+
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
index 1f83e8f39..9c50746ac 100644
--- a/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
+++ b/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
@@ -49,14 +49,15 @@
 #endif /*HAVE_NATT*/
 
 #include <unistd.h>
-#include <pthread.h>
+#include <time.h>
 #include <errno.h>
 
 #include "kernel_pfkey_ipsec.h"
 
 #include <daemon.h>
 #include <utils/host.h>
-#include <utils/mutex.h>
+#include <threading/thread.h>
+#include <threading/mutex.h>
 #include <processing/jobs/callback_job.h>
 #include <processing/jobs/acquire_job.h>
 #include <processing/jobs/migrate_job.h>
@@ -151,42 +152,42 @@ struct private_kernel_pfkey_ipsec_t
 	 * Public part of the kernel_pfkey_t object.
 	 */
 	kernel_pfkey_ipsec_t public;
-	
+
 	/**
 	 * mutex to lock access to various lists
 	 */
 	mutex_t *mutex;
-	
+
 	/**
 	 * List of installed policies (policy_entry_t)
 	 */
 	linked_list_t *policies;
-	
+
 	/**
 	 * whether to install routes along policies
 	 */
 	bool install_routes;
-	
+
 	/**
 	 * job receiving PF_KEY events
 	 */
 	callback_job_t *job;
-	
+
 	/**
 	 * mutex to lock access to the PF_KEY socket
 	 */
 	mutex_t *mutex_pfkey;
-	
+
 	/**
 	 * PF_KEY socket to communicate with the kernel
 	 */
 	int socket;
-	
+
 	/**
 	 * PF_KEY socket to receive acquire and expire events
 	 */
 	int socket_events;
-	
+
 	/**
 	 * sequence number for messages sent to the kernel
 	 */
@@ -201,10 +202,10 @@ typedef struct route_entry_t route_entry_t;
 struct route_entry_t {
 	/** Name of the interface the route is bound to */
 	char *if_name;
-	
+
 	/** Source ip of the route */
 	host_t *src_ip;
-	
+
 	/** gateway for this route */
 	host_t *gateway;
 
@@ -233,16 +234,16 @@ typedef struct policy_entry_t policy_entry_t;
  * installed kernel policy.
  */
 struct policy_entry_t {
-	
+
 	/** reqid of this policy */
 	u_int32_t reqid;
-	
+
 	/** index assigned by the kernel */
 	u_int32_t index;
-	
+
 	/** direction of this policy: in, out, forward */
 	u_int8_t direction;
-	
+
 	/** parameters of installed policy */
 	struct {
 		/** subnet and port */
@@ -252,10 +253,10 @@ struct policy_entry_t {
 		/** protocol */
 		u_int8_t proto;
 	} src, dst;
-	
+
 	/** associated route installed for this policy */
 	route_entry_t *route;
-	
+
 	/** by how many CHILD_SA's this policy is used */
 	u_int refcount;
 };
@@ -272,15 +273,15 @@ static policy_entry_t *create_policy_entry(traffic_selector_t *src_ts,
 	policy->direction = dir;
 	policy->route = NULL;
 	policy->refcount = 0;
-	
+
 	src_ts->to_subnet(src_ts, &policy->src.net, &policy->src.mask);
 	dst_ts->to_subnet(dst_ts, &policy->dst.net, &policy->dst.mask);
-	
+
 	/* src or dest proto may be "any" (0), use more restrictive one */
 	policy->src.proto = max(src_ts->get_protocol(src_ts), dst_ts->get_protocol(dst_ts));
 	policy->src.proto = policy->src.proto ? policy->src.proto : IPSEC_PROTO_ANY;
 	policy->dst.proto = policy->src.proto;
-	
+
 	return policy;
 }
 
@@ -328,7 +329,7 @@ struct pfkey_msg_t
 	 * PF_KEY message base
 	 */
 	struct sadb_msg *msg;
-	
+
 	/**
 	 * PF_KEY message extensions
 	 */
@@ -518,7 +519,7 @@ struct kernel_algorithm_t {
 	 * Identifier specified in IKEv2
 	 */
 	int ikev2;
-	
+
 	/**
 	 * Identifier as defined in pfkeyv2.h
 	 */
@@ -652,19 +653,19 @@ static void add_encap_ext(struct sadb_msg *msg, host_t *src, host_t *dst)
 {
 	struct sadb_x_nat_t_type* nat_type;
 	struct sadb_x_nat_t_port* nat_port;
-	
+
 	nat_type = (struct sadb_x_nat_t_type*)PFKEY_EXT_ADD_NEXT(msg);
 	nat_type->sadb_x_nat_t_type_exttype = SADB_X_EXT_NAT_T_TYPE;
 	nat_type->sadb_x_nat_t_type_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_type));
 	nat_type->sadb_x_nat_t_type_type = UDP_ENCAP_ESPINUDP;
 	PFKEY_EXT_ADD(msg, nat_type);
-	
+
 	nat_port = (struct sadb_x_nat_t_port*)PFKEY_EXT_ADD_NEXT(msg);
 	nat_port->sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_SPORT;
 	nat_port->sadb_x_nat_t_port_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_port));
 	nat_port->sadb_x_nat_t_port_port = htons(src->get_port(src));
 	PFKEY_EXT_ADD(msg, nat_port);
-	
+
 	nat_port = (struct sadb_x_nat_t_port*)PFKEY_EXT_ADD_NEXT(msg);
 	nat_port->sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_DPORT;
 	nat_port->sadb_x_nat_t_port_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_port));
@@ -682,8 +683,8 @@ static traffic_selector_t* sadb_address2ts(struct sadb_address *address)
 	host_t *host;
 
 	/* The Linux 2.6 kernel does not set the protocol and port information
-     * in the src and dst sadb_address extensions of the SADB_ACQUIRE message.
-     */
+	 * in the src and dst sadb_address extensions of the SADB_ACQUIRE message.
+	 */
 	host = host_create_from_sockaddr((sockaddr_t*)&address[1])	;
 	ts = traffic_selector_create_from_subnet(host, address->sadb_address_prefixlen,
 				address->sadb_address_proto, host->get_port(host));
@@ -697,15 +698,15 @@ static status_t parse_pfkey_message(struct sadb_msg *msg, pfkey_msg_t *out)
 {
 	struct sadb_ext* ext;
 	size_t len;
-	
+
 	memset(out, 0, sizeof(pfkey_msg_t));
 	out->msg = msg;
-	
+
 	len = msg->sadb_msg_len;
 	len -= PFKEY_LEN(sizeof(struct sadb_msg));
-	
+
 	ext = (struct sadb_ext*)(((char*)msg) + sizeof(struct sadb_msg));
-	
+
 	while (len >= PFKEY_LEN(sizeof(struct sadb_ext)))
 	{
 		DBG3(DBG_KNL, "  %N", sadb_ext_type_names, ext->sadb_ext_type);
@@ -716,20 +717,20 @@ static status_t parse_pfkey_message(struct sadb_msg *msg, pfkey_msg_t *out)
 						   sadb_ext_type_names, ext->sadb_ext_type);
 			break;
 		}
-		
+
 		if ((ext->sadb_ext_type > SADB_EXT_MAX) || (!ext->sadb_ext_type))
 		{
 			DBG1(DBG_KNL, "type of PF_KEY extension (%d) is invalid", ext->sadb_ext_type);
 			break;
 		}
-		
+
 		if (out->ext[ext->sadb_ext_type])
 		{
 			DBG1(DBG_KNL, "duplicate %N extension",
 						   sadb_ext_type_names, ext->sadb_ext_type);
 			break;
 		}
-		
+
 		out->ext[ext->sadb_ext_type] = ext;
 		ext = PFKEY_EXT_NEXT_LEN(ext, len);
 	}
@@ -739,7 +740,7 @@ static status_t parse_pfkey_message(struct sadb_msg *msg, pfkey_msg_t *out)
 		DBG1(DBG_KNL, "PF_KEY message length is invalid");
 		return FAILED;
 	}
-	
+
 	return SUCCESS;
 }
 
@@ -752,7 +753,7 @@ static status_t pfkey_send_socket(private_kernel_pfkey_ipsec_t *this, int socket
 	unsigned char buf[PFKEY_BUFFER_SIZE];
 	struct sadb_msg *msg;
 	int in_len, len;
-	
+
 	this->mutex_pfkey->lock(this->mutex_pfkey);
 
 	/* FIXME: our usage of sequence numbers is probably wrong. check RFC 2367,
@@ -779,13 +780,13 @@ static status_t pfkey_send_socket(private_kernel_pfkey_ipsec_t *this, int socket
 		}
 		break;
 	}
-	
+
 	while (TRUE)
 	{
 		msg = (struct sadb_msg*)buf;
-		
+
 		len = recv(socket, buf, sizeof(buf), 0);
-		
+
 		if (len < 0)
 		{
 			if (errno == EINTR)
@@ -844,13 +845,13 @@ static status_t pfkey_send_socket(private_kernel_pfkey_ipsec_t *this, int socket
 		}
 		break;
 	}
-	
+
 	*out_len = len;
 	*out = (struct sadb_msg*)malloc(len);
 	memcpy(*out, buf, len);
-	
+
 	this->mutex_pfkey->unlock(this->mutex_pfkey);
-	
+
 	return SUCCESS;
 }
 
@@ -873,7 +874,7 @@ static void process_acquire(private_kernel_pfkey_ipsec_t *this, struct sadb_msg*
 	traffic_selector_t *src_ts, *dst_ts;
 	policy_entry_t *policy;
 	job_t *job;
-	
+
 	switch (msg->sadb_msg_satype)
 	{
 		case SADB_SATYPE_UNSPEC:
@@ -885,13 +886,13 @@ static void process_acquire(private_kernel_pfkey_ipsec_t *this, struct sadb_msg*
 			return;
 	}
 	DBG2(DBG_KNL, "received an SADB_ACQUIRE");
-	
+
 	if (parse_pfkey_message(msg, &response) != SUCCESS)
 	{
 		DBG1(DBG_KNL, "parsing SADB_ACQUIRE from kernel failed");
 		return;
 	}
-	
+
 	index = response.x_policy->sadb_x_policy_id;
 	this->mutex->lock(this->mutex);
 	if (this->policies->find_first(this->policies,
@@ -907,7 +908,7 @@ static void process_acquire(private_kernel_pfkey_ipsec_t *this, struct sadb_msg*
 	src_ts = sadb_address2ts(response.src);
 	dst_ts = sadb_address2ts(response.dst);
 	this->mutex->unlock(this->mutex);
-	
+
 	DBG1(DBG_KNL, "creating acquire job for policy %R === %R with reqid {%u}",
 				   src_ts, dst_ts, reqid);
 	job = (job_t*)acquire_job_create(reqid, src_ts, dst_ts);
@@ -924,27 +925,27 @@ static void process_expire(private_kernel_pfkey_ipsec_t *this, struct sadb_msg*
 	u_int32_t spi, reqid;
 	bool hard;
 	job_t *job;
-	
+
 	DBG2(DBG_KNL, "received an SADB_EXPIRE");
-	
+
 	if (parse_pfkey_message(msg, &response) != SUCCESS)
 	{
 		DBG1(DBG_KNL, "parsing SADB_EXPIRE from kernel failed");
 		return;
 	}
-	
+
 	protocol = proto_satype2ike(msg->sadb_msg_satype);
 	spi = response.sa->sadb_sa_spi;
 	reqid = response.x_sa2->sadb_x_sa2_reqid;
 	hard = response.lft_hard != NULL;
-	
+
 	if (protocol != PROTO_ESP && protocol != PROTO_AH)
 	{
 		DBG2(DBG_KNL, "ignoring SADB_EXPIRE for SA with SPI %.8x and reqid {%u} "
 					  "which is not a CHILD_SA", ntohl(spi), reqid);
 		return;
 	}
-	
+
 	DBG1(DBG_KNL, "creating %s job for %N CHILD_SA with SPI %.8x and reqid {%u}",
 		 hard ? "delete" : "rekey",  protocol_id_names,
 		 protocol, ntohl(spi), reqid);
@@ -984,7 +985,7 @@ static void process_migrate(private_kernel_pfkey_ipsec_t *this, struct sadb_msg*
 	dir = kernel2dir(response.x_policy->sadb_x_policy_dir);
 	DBG2(DBG_KNL, "  policy %R === %R %N, id %u", src_ts, dst_ts,
 					 policy_dir_names, dir);
-	
+
 	/* SADB_X_EXT_KMADDRESS is not present in unpatched kernels < 2.6.28 */
 	if (response.x_kmaddress)
 	{
@@ -999,7 +1000,7 @@ static void process_migrate(private_kernel_pfkey_ipsec_t *this, struct sadb_msg*
 		remote = host_create_from_sockaddr(remote_addr);
 		DBG2(DBG_KNL, "  kmaddress: %H...%H", local, remote);
 	}
-	
+
 	if (src_ts && dst_ts && local && remote)
 	{
 		DBG1(DBG_KNL, "creating migrate job for policy %R === %R %N with reqid {%u}",
@@ -1028,24 +1029,24 @@ static void process_mapping(private_kernel_pfkey_ipsec_t *this, struct sadb_msg*
 	u_int32_t spi, reqid;
 	host_t *host;
 	job_t *job;
-	
+
 	DBG2(DBG_KNL, "received an SADB_X_NAT_T_NEW_MAPPING");
-	
+
 	if (parse_pfkey_message(msg, &response) != SUCCESS)
 	{
 		DBG1(DBG_KNL, "parsing SADB_X_NAT_T_NEW_MAPPING from kernel failed");
 		return;
 	}
-	
+
 	if (!response.x_sa2)
 	{
 		DBG1(DBG_KNL, "received SADB_X_NAT_T_NEW_MAPPING is missing required information");
 		return;
 	}
-	
+
 	spi = response.sa->sadb_sa_spi;
 	reqid = response.x_sa2->sadb_x_sa2_reqid;
-	
+
 	if (proto_satype2ike(msg->sadb_msg_satype) == PROTO_ESP)
 	{
 		sockaddr_t *sa = (sockaddr_t*)(response.dst + 1);
@@ -1083,12 +1084,13 @@ static job_requeue_t receive_events(private_kernel_pfkey_ipsec_t *this)
 {
 	unsigned char buf[PFKEY_BUFFER_SIZE];
 	struct sadb_msg *msg = (struct sadb_msg*)buf;
-	int len, oldstate;
-	
-	pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
+	int len;
+	bool oldstate;
+
+	oldstate = thread_cancelability(TRUE);
 	len = recvfrom(this->socket_events, buf, sizeof(buf), 0, NULL, 0);
-	pthread_setcancelstate(oldstate, NULL);
-	
+	thread_cancelability(oldstate);
+
 	if (len < 0)
 	{
 		switch (errno)
@@ -1105,7 +1107,7 @@ static job_requeue_t receive_events(private_kernel_pfkey_ipsec_t *this)
 				return JOB_REQUEUE_FAIR;
 		}
 	}
-	
+
 	if (len < sizeof(struct sadb_msg) ||
 		msg->sadb_msg_len < PFKEY_LEN(sizeof(struct sadb_msg)))
 	{
@@ -1121,7 +1123,7 @@ static job_requeue_t receive_events(private_kernel_pfkey_ipsec_t *this)
 		DBG1(DBG_KNL, "buffer was too small to receive the complete PF_KEY message");
 		return JOB_REQUEUE_DIRECT;
 	}
-	
+
 	switch (msg->sadb_msg_type)
 	{
 		case SADB_ACQUIRE:
@@ -1143,7 +1145,7 @@ static job_requeue_t receive_events(private_kernel_pfkey_ipsec_t *this)
 		default:
 			break;
 	}
-	
+
 	return JOB_REQUEUE_DIRECT;
 }
 
@@ -1162,31 +1164,31 @@ static status_t get_spi(private_kernel_pfkey_ipsec_t *this,
 	pfkey_msg_t response;
 	u_int32_t received_spi = 0;
 	size_t len;
-	
+
 	memset(&request, 0, sizeof(request));
-	
+
 	msg = (struct sadb_msg*)request;
 	msg->sadb_msg_version = PF_KEY_V2;
 	msg->sadb_msg_type = SADB_GETSPI;
 	msg->sadb_msg_satype = proto_ike2satype(protocol);
 	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
-	
+
 	sa2 = (struct sadb_x_sa2*)PFKEY_EXT_ADD_NEXT(msg);
 	sa2->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
 	sa2->sadb_x_sa2_len = PFKEY_LEN(sizeof(struct sadb_spirange));
 	sa2->sadb_x_sa2_reqid = reqid;
 	PFKEY_EXT_ADD(msg, sa2);
-	
+
 	add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0);
 	add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
-	
+
 	range = (struct sadb_spirange*)PFKEY_EXT_ADD_NEXT(msg);
 	range->sadb_spirange_exttype = SADB_EXT_SPIRANGE;
 	range->sadb_spirange_len = PFKEY_LEN(sizeof(struct sadb_spirange));
 	range->sadb_spirange_min = 0xc0000000;
 	range->sadb_spirange_max = 0xcFFFFFFF;
 	PFKEY_EXT_ADD(msg, range);
-	
+
 	if (pfkey_send(this, msg, &out, &len) == SUCCESS)
 	{
 		if (out->sadb_msg_errno)
@@ -1200,12 +1202,12 @@ static status_t get_spi(private_kernel_pfkey_ipsec_t *this,
 		}
 		free(out);
 	}
-	
+
 	if (received_spi == 0)
 	{
 		return FAILED;
 	}
-	
+
 	*spi = received_spi;
 	return SUCCESS;
 }
@@ -1226,11 +1228,12 @@ static status_t get_cpi(private_kernel_pfkey_ipsec_t *this,
 static status_t add_sa(private_kernel_pfkey_ipsec_t *this,
 					   host_t *src, host_t *dst, u_int32_t spi,
 					   protocol_id_t protocol, u_int32_t reqid,
-					   u_int64_t expire_soft, u_int64_t expire_hard,
+					   lifetime_cfg_t *lifetime,
 					   u_int16_t enc_alg, chunk_t enc_key,
 					   u_int16_t int_alg, chunk_t int_key,
 					   ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
-					   bool encap, bool inbound)
+					   bool encap, bool inbound, traffic_selector_t *src_ts,
+					   traffic_selector_t *dst_ts)
 {
 	unsigned char request[PFKEY_BUFFER_SIZE];
 	struct sadb_msg *msg, *out;
@@ -1239,11 +1242,11 @@ static status_t add_sa(private_kernel_pfkey_ipsec_t *this,
 	struct sadb_lifetime *lft;
 	struct sadb_key *key;
 	size_t len;
-	
+
 	memset(&request, 0, sizeof(request));
-	
+
 	DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%u}", ntohl(spi), reqid);
-	
+
 	msg = (struct sadb_msg*)request;
 	msg->sadb_msg_version = PF_KEY_V2;
 	msg->sadb_msg_type = inbound ? SADB_UPDATE : SADB_ADD;
@@ -1273,29 +1276,35 @@ static status_t add_sa(private_kernel_pfkey_ipsec_t *this,
 	sa->sadb_sa_auth = lookup_algorithm(integrity_algs, int_alg);
 	sa->sadb_sa_encrypt = lookup_algorithm(encryption_algs, enc_alg);
 	PFKEY_EXT_ADD(msg, sa);
-	
+
 	sa2 = (struct sadb_x_sa2*)PFKEY_EXT_ADD_NEXT(msg);
 	sa2->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
 	sa2->sadb_x_sa2_len = PFKEY_LEN(sizeof(struct sadb_spirange));
 	sa2->sadb_x_sa2_mode = mode2kernel(mode);
 	sa2->sadb_x_sa2_reqid = reqid;
 	PFKEY_EXT_ADD(msg, sa2);
-	
+
 	add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0);
 	add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
-	
+
 	lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
 	lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT;
 	lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
-	lft->sadb_lifetime_addtime = expire_soft;
+	lft->sadb_lifetime_allocations = lifetime->packets.rekey;
+	lft->sadb_lifetime_bytes = lifetime->bytes.rekey;
+	lft->sadb_lifetime_addtime = lifetime->time.rekey;
+	lft->sadb_lifetime_usetime = 0; /* we only use addtime */
 	PFKEY_EXT_ADD(msg, lft);
-	
+
 	lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
 	lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
 	lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
-	lft->sadb_lifetime_addtime = expire_hard;
+	lft->sadb_lifetime_allocations = lifetime->packets.life;
+	lft->sadb_lifetime_bytes = lifetime->bytes.life;
+	lft->sadb_lifetime_addtime = lifetime->time.life;
+	lft->sadb_lifetime_usetime = 0; /* we only use addtime */
 	PFKEY_EXT_ADD(msg, lft);
-	
+
 	if (enc_alg != ENCR_UNDEFINED)
 	{
 		if (!sa->sadb_sa_encrypt)
@@ -1306,16 +1315,16 @@ static status_t add_sa(private_kernel_pfkey_ipsec_t *this,
 		}
 		DBG2(DBG_KNL, "  using encryption algorithm %N with key size %d",
 			 encryption_algorithm_names, enc_alg, enc_key.len * 8);
-		
+
 		key = (struct sadb_key*)PFKEY_EXT_ADD_NEXT(msg);
 		key->sadb_key_exttype = SADB_EXT_KEY_ENCRYPT;
 		key->sadb_key_bits = enc_key.len * 8;
 		key->sadb_key_len = PFKEY_LEN(sizeof(struct sadb_key) + enc_key.len);
 		memcpy(key + 1, enc_key.ptr, enc_key.len);
-		
+
 		PFKEY_EXT_ADD(msg, key);
 	}
-	
+
 	if (int_alg != AUTH_UNDEFINED)
 	{
 		if (!sa->sadb_sa_auth)
@@ -1326,16 +1335,16 @@ static status_t add_sa(private_kernel_pfkey_ipsec_t *this,
 		}
 		DBG2(DBG_KNL, "  using integrity algorithm %N with key size %d",
 			 integrity_algorithm_names, int_alg, int_key.len * 8);
-		
+
 		key = (struct sadb_key*)PFKEY_EXT_ADD_NEXT(msg);
 		key->sadb_key_exttype = SADB_EXT_KEY_AUTH;
 		key->sadb_key_bits = int_key.len * 8;
 		key->sadb_key_len = PFKEY_LEN(sizeof(struct sadb_key) + int_key.len);
 		memcpy(key + 1, int_key.ptr, int_key.len);
-		
+
 		PFKEY_EXT_ADD(msg, key);
 	}
-	
+
 	if (ipcomp != IPCOMP_NONE)
 	{
 		/*TODO*/
@@ -1347,7 +1356,7 @@ static status_t add_sa(private_kernel_pfkey_ipsec_t *this,
 		add_encap_ext(msg, src, dst);
 	}
 #endif /*HAVE_NATT*/
-	
+
 	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
 	{
 		DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x", ntohl(spi));
@@ -1360,7 +1369,7 @@ static status_t add_sa(private_kernel_pfkey_ipsec_t *this,
 		free(out);
 		return FAILED;
 	}
-	
+
 	free(out);
 	return SUCCESS;
 }
@@ -1379,7 +1388,7 @@ static status_t update_sa(private_kernel_pfkey_ipsec_t *this,
 	struct sadb_sa *sa;
 	pfkey_msg_t response;
 	size_t len;
-	
+
 	/* we can't update the SA if any of the ip addresses have changed.
 	 * that's because we can't use SADB_UPDATE and by deleting and readding the
 	 * SA the sequence numbers would get lost */
@@ -1390,28 +1399,28 @@ static status_t update_sa(private_kernel_pfkey_ipsec_t *this,
 				" are not supported", ntohl(spi));
 		return NOT_SUPPORTED;
 	}
-	
+
 	memset(&request, 0, sizeof(request));
-	
+
 	DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi));
-	
+
 	msg = (struct sadb_msg*)request;
 	msg->sadb_msg_version = PF_KEY_V2;
 	msg->sadb_msg_type = SADB_GET;
 	msg->sadb_msg_satype = proto_ike2satype(protocol);
 	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
-	
+
 	sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
 	sa->sadb_sa_exttype = SADB_EXT_SA;
 	sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
 	sa->sadb_sa_spi = spi;
 	PFKEY_EXT_ADD(msg, sa);
-	
+
 	/* the kernel wants a SADB_EXT_ADDRESS_SRC to be present even though
 	 * it is not used for anything. */
 	add_anyaddr_ext(msg, dst->get_family(dst), SADB_EXT_ADDRESS_SRC);
 	add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
-	
+
 	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
 	{
 		DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x",
@@ -1432,18 +1441,18 @@ static status_t update_sa(private_kernel_pfkey_ipsec_t *this,
 		free(out);
 		return FAILED;
 	}
-	
+
 	DBG2(DBG_KNL, "updating SAD entry with SPI %.8x from %#H..%#H to %#H..%#H",
 		 ntohl(spi), src, dst, new_src, new_dst);
-	
+
 	memset(&request, 0, sizeof(request));
-	
+
 	msg = (struct sadb_msg*)request;
 	msg->sadb_msg_version = PF_KEY_V2;
 	msg->sadb_msg_type = SADB_UPDATE;
 	msg->sadb_msg_satype = proto_ike2satype(protocol);
 	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
-	
+
 #ifdef __APPLE__
 	{
 		struct sadb_sa_2 *sa_2;
@@ -1460,32 +1469,32 @@ static status_t update_sa(private_kernel_pfkey_ipsec_t *this,
 	PFKEY_EXT_COPY(msg, response.sa);
 #endif
 	PFKEY_EXT_COPY(msg, response.x_sa2);
-	
+
 	PFKEY_EXT_COPY(msg, response.src);
 	PFKEY_EXT_COPY(msg, response.dst);
-	
+
 	PFKEY_EXT_COPY(msg, response.lft_soft);
 	PFKEY_EXT_COPY(msg, response.lft_hard);
-	
+
 	if (response.key_encr)
 	{
 		PFKEY_EXT_COPY(msg, response.key_encr);
 	}
-	
+
 	if (response.key_auth)
 	{
 		PFKEY_EXT_COPY(msg, response.key_auth);
 	}
-	
+
 #ifdef HAVE_NATT
 	if (new_encap)
 	{
 		add_encap_ext(msg, new_src, new_dst);
 	}
 #endif /*HAVE_NATT*/
-	
+
 	free(out);
-	
+
 	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
 	{
 		DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi));
@@ -1499,7 +1508,7 @@ static status_t update_sa(private_kernel_pfkey_ipsec_t *this,
 		return FAILED;
 	}
 	free(out);
-	
+
 	return SUCCESS;
 }
 
@@ -1515,29 +1524,29 @@ static status_t query_sa(private_kernel_pfkey_ipsec_t *this, host_t *src,
 	struct sadb_sa *sa;
 	pfkey_msg_t response;
 	size_t len;
-	
+
 	memset(&request, 0, sizeof(request));
-	
+
 	DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi));
-	
+
 	msg = (struct sadb_msg*)request;
 	msg->sadb_msg_version = PF_KEY_V2;
 	msg->sadb_msg_type = SADB_GET;
 	msg->sadb_msg_satype = proto_ike2satype(protocol);
 	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
-	
+
 	sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
 	sa->sadb_sa_exttype = SADB_EXT_SA;
 	sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
 	sa->sadb_sa_spi = spi;
 	PFKEY_EXT_ADD(msg, sa);
-	
+
 	/* the Linux Kernel doesn't care for the src address, but other systems do
 	 * (e.g. FreeBSD)
 	 */
 	add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0);
 	add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
-	
+
 	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
 	{
 		DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi));
@@ -1573,29 +1582,29 @@ static status_t del_sa(private_kernel_pfkey_ipsec_t *this, host_t *src,
 	struct sadb_msg *msg, *out;
 	struct sadb_sa *sa;
 	size_t len;
-	
+
 	memset(&request, 0, sizeof(request));
-	
+
 	DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x", ntohl(spi));
-	
+
 	msg = (struct sadb_msg*)request;
 	msg->sadb_msg_version = PF_KEY_V2;
 	msg->sadb_msg_type = SADB_DELETE;
 	msg->sadb_msg_satype = proto_ike2satype(protocol);
 	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
-	
+
 	sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
 	sa->sadb_sa_exttype = SADB_EXT_SA;
 	sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
 	sa->sadb_sa_spi = spi;
 	PFKEY_EXT_ADD(msg, sa);
-	
+
 	/* the Linux Kernel doesn't care for the src address, but other systems do
 	 * (e.g. FreeBSD)
 	 */
 	add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0);
 	add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
-	
+
 	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
 	{
 		DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x", ntohl(spi));
@@ -1608,7 +1617,7 @@ static status_t del_sa(private_kernel_pfkey_ipsec_t *this, host_t *src,
 		free(out);
 		return FAILED;
 	}
-	
+
 	DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x", ntohl(spi));
 	free(out);
 	return SUCCESS;
@@ -1633,16 +1642,16 @@ static status_t add_policy(private_kernel_pfkey_ipsec_t *this,
 	policy_entry_t *policy, *found = NULL;
 	pfkey_msg_t response;
 	size_t len;
-	
+
 	if (dir2kernel(direction) == IPSEC_DIR_INVALID)
 	{
 		/* FWD policies are not supported on all platforms */
 		return SUCCESS;
 	}
-	
+
 	/* create a policy */
 	policy = create_policy_entry(src_ts, dst_ts, direction, reqid);
-	
+
 	/* find a matching policy */
 	this->mutex->lock(this->mutex);
 	if (this->policies->find_first(this->policies,
@@ -1662,18 +1671,18 @@ static status_t add_policy(private_kernel_pfkey_ipsec_t *this,
 		this->policies->insert_last(this->policies, policy);
 		policy->refcount = 1;
 	}
-	
+
 	memset(&request, 0, sizeof(request));
-	
+
 	DBG2(DBG_KNL, "adding policy %R === %R %N", src_ts, dst_ts,
 				   policy_dir_names, direction);
-	
+
 	msg = (struct sadb_msg*)request;
 	msg->sadb_msg_version = PF_KEY_V2;
 	msg->sadb_msg_type = found ? SADB_X_SPDUPDATE : SADB_X_SPDADD;
 	msg->sadb_msg_satype = 0;
 	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
-	
+
 	pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
 	pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
 	pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
@@ -1687,7 +1696,7 @@ static status_t add_policy(private_kernel_pfkey_ipsec_t *this,
 	pol->sadb_x_policy_priority -= policy->src.proto != IPSEC_PROTO_ANY ? 2 : 0;
 	pol->sadb_x_policy_priority -= policy->src.net->get_port(policy->src.net) ? 1 : 0;
 #endif
-	
+
 	/* one or more sadb_x_ipsecrequest extensions are added to the sadb_x_policy extension */
 	req = (struct sadb_x_ipsecrequest*)(pol + 1);
 	req->sadb_x_ipsecrequest_proto = proto_ike2ip(protocol);
@@ -1707,15 +1716,15 @@ static status_t add_policy(private_kernel_pfkey_ipsec_t *this,
 		memcpy((u_int8_t*)(req + 1) + sl, sa, sl);
 		req->sadb_x_ipsecrequest_len += sl * 2;
 	}
-	
+
 	pol->sadb_x_policy_len += PFKEY_LEN(req->sadb_x_ipsecrequest_len);
 	PFKEY_EXT_ADD(msg, pol);
-	
+
 	add_addr_ext(msg, policy->src.net, SADB_EXT_ADDRESS_SRC, policy->src.proto,
 				 policy->src.mask);
 	add_addr_ext(msg, policy->dst.net, SADB_EXT_ADDRESS_DST, policy->dst.proto,
 				 policy->dst.mask);
-	
+
 #ifdef __FreeBSD__
 	{	/* on FreeBSD a lifetime has to be defined to be able to later query
 		 * the current use time. */
@@ -1727,9 +1736,9 @@ static status_t add_policy(private_kernel_pfkey_ipsec_t *this,
 		PFKEY_EXT_ADD(msg, lft);
 	}
 #endif
-	
+
 	this->mutex->unlock(this->mutex);
-	
+
 	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
 	{
 		DBG1(DBG_KNL, "unable to add policy %R === %R %N", src_ts, dst_ts,
@@ -1751,9 +1760,9 @@ static status_t add_policy(private_kernel_pfkey_ipsec_t *this,
 		free(out);
 		return FAILED;
 	}
-	
+
 	this->mutex->lock(this->mutex);
-	
+
 	/* we try to find the policy again and update the kernel index */
 	if (this->policies->find_last(this->policies, NULL, (void**)&policy) != SUCCESS)
 	{
@@ -1765,7 +1774,7 @@ static status_t add_policy(private_kernel_pfkey_ipsec_t *this,
 	}
 	policy->index = response.x_policy->sadb_x_policy_id;
 	free(out);
-	
+
 	/* install a route, if:
 	 * - we are NOT updating a policy
 	 * - this is a forward policy (to just get one for each child)
@@ -1778,7 +1787,7 @@ static status_t add_policy(private_kernel_pfkey_ipsec_t *this,
 		this->install_routes)
 	{
 		route_entry_t *route = malloc_thing(route_entry_t);
-		
+
 		if (charon->kernel_interface->get_address_by_ts(charon->kernel_interface,
 				dst_ts, &route->src_ip) == SUCCESS)
 		{
@@ -1789,7 +1798,7 @@ static status_t add_policy(private_kernel_pfkey_ipsec_t *this,
 									charon->kernel_interface, dst);
 			route->dst_net = chunk_clone(policy->src.net->get_address(policy->src.net));
 			route->prefixlen = policy->src.mask;
-			
+
 			switch (charon->kernel_interface->add_route(charon->kernel_interface,
 					route->dst_net, route->prefixlen, route->gateway,
 					route->src_ip, route->if_name))
@@ -1813,9 +1822,9 @@ static status_t add_policy(private_kernel_pfkey_ipsec_t *this,
 			free(route);
 		}
 	}
-	
+
 	this->mutex->unlock(this->mutex);
-	
+
 	return SUCCESS;
 }
 
@@ -1833,19 +1842,19 @@ static status_t query_policy(private_kernel_pfkey_ipsec_t *this,
 	policy_entry_t *policy, *found = NULL;
 	pfkey_msg_t response;
 	size_t len;
-	
+
 	if (dir2kernel(direction) == IPSEC_DIR_INVALID)
 	{
 		/* FWD policies are not supported on all platforms */
 		return NOT_FOUND;
 	}
-	
+
 	DBG2(DBG_KNL, "querying policy %R === %R %N", src_ts, dst_ts,
 				   policy_dir_names, direction);
 
 	/* create a policy */
 	policy = create_policy_entry(src_ts, dst_ts, direction, 0);
-	
+
 	/* find a matching policy */
 	this->mutex->lock(this->mutex);
 	if (this->policies->find_first(this->policies,
@@ -1859,15 +1868,15 @@ static status_t query_policy(private_kernel_pfkey_ipsec_t *this,
 	}
 	policy_entry_destroy(policy);
 	policy = found;
-	
+
 	memset(&request, 0, sizeof(request));
-	
+
 	msg = (struct sadb_msg*)request;
 	msg->sadb_msg_version = PF_KEY_V2;
 	msg->sadb_msg_type = SADB_X_SPDGET;
 	msg->sadb_msg_satype = 0;
 	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
-	
+
 	pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
 	pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
 	pol->sadb_x_policy_id = policy->index;
@@ -1875,14 +1884,14 @@ static status_t query_policy(private_kernel_pfkey_ipsec_t *this,
 	pol->sadb_x_policy_dir = dir2kernel(direction);
 	pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
 	PFKEY_EXT_ADD(msg, pol);
-	
+
 	add_addr_ext(msg, policy->src.net, SADB_EXT_ADDRESS_SRC, policy->src.proto,
 				 policy->src.mask);
 	add_addr_ext(msg, policy->dst.net, SADB_EXT_ADDRESS_DST, policy->dst.proto,
 				 policy->dst.mask);
-	
+
 	this->mutex->unlock(this->mutex);
-	
+
 	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
 	{
 		DBG1(DBG_KNL, "unable to query policy %R === %R %N", src_ts, dst_ts,
@@ -1911,11 +1920,18 @@ static status_t query_policy(private_kernel_pfkey_ipsec_t *this,
 		free(out);
 		return FAILED;
 	}
-	
-	*use_time = response.lft_current->sadb_lifetime_usetime;
-	
+	/* we need the monotonic time, but the kernel returns system time. */
+	if (response.lft_current->sadb_lifetime_usetime)
+	{
+		*use_time = time_monotonic(NULL) -
+					(time(NULL) - response.lft_current->sadb_lifetime_usetime);
+	}
+	else
+	{
+		*use_time = 0;
+	}
 	free(out);
-	
+
 	return SUCCESS;
 }
 
@@ -1933,19 +1949,19 @@ static status_t del_policy(private_kernel_pfkey_ipsec_t *this,
 	policy_entry_t *policy, *found = NULL;
 	route_entry_t *route;
 	size_t len;
-	
+
 	if (dir2kernel(direction) == IPSEC_DIR_INVALID)
 	{
 		/* FWD policies are not supported on all platforms */
 		return SUCCESS;
 	}
-	
+
 	DBG2(DBG_KNL, "deleting policy %R === %R %N", src_ts, dst_ts,
 				   policy_dir_names, direction);
-	
+
 	/* create a policy */
 	policy = create_policy_entry(src_ts, dst_ts, direction, 0);
-	
+
 	/* find a matching policy */
 	this->mutex->lock(this->mutex);
 	if (this->policies->find_first(this->policies,
@@ -1973,31 +1989,31 @@ static status_t del_policy(private_kernel_pfkey_ipsec_t *this,
 		return NOT_FOUND;
 	}
 	this->mutex->unlock(this->mutex);
-	
+
 	memset(&request, 0, sizeof(request));
-	
+
 	msg = (struct sadb_msg*)request;
 	msg->sadb_msg_version = PF_KEY_V2;
 	msg->sadb_msg_type = SADB_X_SPDDELETE;
 	msg->sadb_msg_satype = 0;
 	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
-	
+
 	pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
 	pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
 	pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
 	pol->sadb_x_policy_dir = dir2kernel(direction);
 	pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
 	PFKEY_EXT_ADD(msg, pol);
-	
+
 	add_addr_ext(msg, policy->src.net, SADB_EXT_ADDRESS_SRC, policy->src.proto,
 				 policy->src.mask);
 	add_addr_ext(msg, policy->dst.net, SADB_EXT_ADDRESS_DST, policy->dst.proto,
 				 policy->dst.mask);
-	
+
 	route = policy->route;
 	policy->route = NULL;
 	policy_entry_destroy(policy);
-	
+
 	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
 	{
 		DBG1(DBG_KNL, "unable to delete policy %R === %R %N", src_ts, dst_ts,
@@ -2013,7 +2029,7 @@ static status_t del_policy(private_kernel_pfkey_ipsec_t *this,
 		return FAILED;
 	}
 	free(out);
-	
+
 	if (route)
 	{
 		if (charon->kernel_interface->del_route(charon->kernel_interface,
@@ -2026,7 +2042,7 @@ static status_t del_policy(private_kernel_pfkey_ipsec_t *this,
 		}
 		route_entry_destroy(route);
 	}
-	
+
 	return SUCCESS;
 }
 
@@ -2038,15 +2054,15 @@ static status_t register_pfkey_socket(private_kernel_pfkey_ipsec_t *this, u_int8
 	unsigned char request[PFKEY_BUFFER_SIZE];
 	struct sadb_msg *msg, *out;
 	size_t len;
-	
+
 	memset(&request, 0, sizeof(request));
-	
+
 	msg = (struct sadb_msg*)request;
 	msg->sadb_msg_version = PF_KEY_V2;
 	msg->sadb_msg_type = SADB_REGISTER;
 	msg->sadb_msg_satype = satype;
 	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
-	
+
 	if (pfkey_send_socket(this, this->socket_events, msg, &out, &len) != SUCCESS)
 	{
 		DBG1(DBG_KNL, "unable to register PF_KEY socket");
@@ -2085,13 +2101,13 @@ static bool add_bypass_policies(private_kernel_pfkey_ipsec_t *this)
 	int fd, family, port;
 	enumerator_t *sockets;
 	bool status = TRUE;
-	
+
 	sockets = charon->socket->create_enumerator(charon->socket);
 	while (sockets->enumerate(sockets, &fd, &family, &port))
 	{
 		struct sadb_x_policy policy;
 		u_int sol, ipsec_policy;
-		
+
 		switch (family)
 		{
 			case AF_INET:
@@ -2109,12 +2125,12 @@ static bool add_bypass_policies(private_kernel_pfkey_ipsec_t *this)
 			default:
 				continue;
 		}
-		
+
 		memset(&policy, 0, sizeof(policy));
 		policy.sadb_x_policy_len = sizeof(policy) / sizeof(u_int64_t);
 		policy.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
 		policy.sadb_x_policy_type = IPSEC_POLICY_BYPASS;
-		
+
 		policy.sadb_x_policy_dir = IPSEC_DIR_OUTBOUND;
 		if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
 		{
@@ -2142,18 +2158,18 @@ static bool add_bypass_policies(private_kernel_pfkey_ipsec_t *this)
 kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create()
 {
 	private_kernel_pfkey_ipsec_t *this = malloc_thing(private_kernel_pfkey_ipsec_t);
-	
+
 	/* public functions */
 	this->public.interface.get_spi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,protocol_id_t,u_int32_t,u_int32_t*))get_spi;
 	this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
-	this->public.interface.add_sa  = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa;
+	this->public.interface.add_sa  = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,lifetime_cfg_t*,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool,traffic_selector_t*,traffic_selector_t*))add_sa;
 	this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa;
 	this->public.interface.query_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int64_t*))query_sa;
 	this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
 	this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t,protocol_id_t,u_int32_t,ipsec_mode_t,u_int16_t,u_int16_t,bool))add_policy;
 	this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
 	this->public.interface.del_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,bool))del_policy;
-	
+
 	this->public.interface.destroy = (void(*)(kernel_ipsec_t*)) destroy;
 
 	/* private members */
@@ -2163,37 +2179,37 @@ kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create()
 	this->install_routes = lib->settings->get_bool(lib->settings,
 												"charon.install_routes", TRUE);
 	this->seq = 0;
-	
+
 	/* create a PF_KEY socket to communicate with the kernel */
 	this->socket = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
 	if (this->socket <= 0)
 	{
 		charon->kill(charon, "unable to create PF_KEY socket");
 	}
-	
+
 	/* create a PF_KEY socket for ACQUIRE & EXPIRE */
 	this->socket_events = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
 	if (this->socket_events <= 0)
 	{
 		charon->kill(charon, "unable to create PF_KEY event socket");
 	}
-	
+
 	/* add bypass policies on the sockets used by charon */
 	if (!add_bypass_policies(this))
 	{
 		charon->kill(charon, "unable to add bypass policies on sockets");
 	}
-	
+
 	/* register the event socket */
 	if (register_pfkey_socket(this, SADB_SATYPE_ESP) != SUCCESS ||
 		register_pfkey_socket(this, SADB_SATYPE_AH) != SUCCESS)
 	{
 		charon->kill(charon, "unable to register PF_KEY event socket");
 	}
-	
+
 	this->job = callback_job_create((callback_job_cb_t)receive_events,
 									this, NULL, NULL);
 	charon->processor->queue_job(charon->processor, (job_t*)this->job);
-	
+
 	return &this->public;
 }
diff --git a/src/charon/plugins/kernel_pfkey/kernel_pfkey_plugin.c b/src/charon/plugins/kernel_pfkey/kernel_pfkey_plugin.c
index 09dc4780d..3380c328c 100644
--- a/src/charon/plugins/kernel_pfkey/kernel_pfkey_plugin.c
+++ b/src/charon/plugins/kernel_pfkey/kernel_pfkey_plugin.c
@@ -47,10 +47,10 @@ static void destroy(private_kernel_pfkey_plugin_t *this)
 plugin_t *plugin_create()
 {
 	private_kernel_pfkey_plugin_t *this = malloc_thing(private_kernel_pfkey_plugin_t);
-	
+
 	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-	
+
 	charon->kernel_interface->add_ipsec_interface(charon->kernel_interface, (kernel_ipsec_constructor_t)kernel_pfkey_ipsec_create);
-	
+
 	return &this->public.plugin;
 }
diff --git a/src/charon/plugins/kernel_pfroute/Makefile.am b/src/charon/plugins/kernel_pfroute/Makefile.am
index b6e6587a7..0065d9b0a 100644
--- a/src/charon/plugins/kernel_pfroute/Makefile.am
+++ b/src/charon/plugins/kernel_pfroute/Makefile.am
@@ -1,5 +1,5 @@
 
-INCLUDES = -I${linuxdir} -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
+INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
 
 AM_CFLAGS = -rdynamic
 
diff --git a/src/charon/plugins/kernel_pfroute/Makefile.in b/src/charon/plugins/kernel_pfroute/Makefile.in
index 05da8e271..da8c7585f 100644
--- a/src/charon/plugins/kernel_pfroute/Makefile.in
+++ b/src/charon/plugins/kernel_pfroute/Makefile.in
@@ -1,8 +1,9 @@
-# Makefile.in generated by automake 1.10.2 from Makefile.am.
+# Makefile.in generated by automake 1.11 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,8 +17,9 @@
 
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
@@ -35,19 +37,41 @@ host_triplet = @host@
 subdir = src/charon/plugins/kernel_pfroute
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
 CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
 am__vpath_adj = case $$p in \
     $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
     *) f=$$p;; \
   esac;
-am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__installdirs = "$(DESTDIR)$(plugindir)"
-pluginLTLIBRARIES_INSTALL = $(INSTALL)
 LTLIBRARIES = $(plugin_LTLIBRARIES)
 libstrongswan_kernel_pfroute_la_LIBADD =
 am_libstrongswan_kernel_pfroute_la_OBJECTS = kernel_pfroute_plugin.lo \
@@ -61,6 +85,7 @@ libstrongswan_kernel_pfroute_la_LINK = $(LIBTOOL) --tag=CC \
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
+am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
@@ -108,25 +133,22 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
-IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
-LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
-LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
-LINUX_HEADERS = @LINUX_HEADERS@
 LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
 NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
@@ -138,11 +160,14 @@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
 PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
+RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
@@ -171,9 +196,9 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
-confdir = @confdir@
 datadir = @datadir@
 datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
@@ -196,7 +221,7 @@ ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
 libstrongswan_plugins = @libstrongswan_plugins@
-linuxdir = @linuxdir@
+linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
@@ -204,6 +229,7 @@ mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
@@ -212,10 +238,12 @@ pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+random_device = @random_device@
 resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
-simreader = @simreader@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
@@ -223,9 +251,10 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I${linuxdir} -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
+INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
 AM_CFLAGS = -rdynamic
 plugin_LTLIBRARIES = libstrongswan-kernel-pfroute.la
 libstrongswan_kernel_pfroute_la_SOURCES = kernel_pfroute_plugin.h kernel_pfroute_plugin.c \
@@ -245,9 +274,9 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/charon/plugins/kernel_pfroute/Makefile'; \
-	cd $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu  src/charon/plugins/kernel_pfroute/Makefile
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/charon/plugins/kernel_pfroute/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/charon/plugins/kernel_pfroute/Makefile
 .PRECIOUS: Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
@@ -265,23 +294,28 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
 	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
 	  if test -f $$p; then \
-	    f=$(am__strip_dir) \
-	    echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(plugindir)/$$f'"; \
-	    $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(plugindir)/$$f"; \
+	    list2="$$list2 $$p"; \
 	  else :; fi; \
-	done
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
 
 uninstall-pluginLTLIBRARIES:
 	@$(NORMAL_UNINSTALL)
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
-	  p=$(am__strip_dir) \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$p'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$p"; \
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
 	done
 
 clean-pluginLTLIBRARIES:
@@ -306,21 +340,21 @@ distclean-compile:
 
 .c.o:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c $<
 
 .c.obj:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
 @am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
@@ -343,7 +377,7 @@ tags: TAGS
 
 TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
+	set x; \
 	here=`pwd`; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
@@ -351,29 +385,34 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
 	  test -n "$$unique" || unique=$$empty_fix; \
-	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	    $$tags $$unique; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
 	fi
 ctags: CTAGS
 CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	test -z "$(CTAGS_ARGS)$$unique" \
 	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$tags $$unique
+	     $$unique
 
 GTAGS:
 	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && cd $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) $$here
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
 
 distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
@@ -394,13 +433,17 @@ distdir: $(DISTFILES)
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
 	  if test -d $$d/$$file; then \
 	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
 	    fi; \
-	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
 	  else \
-	    test -f $(distdir)/$$file \
-	    || cp -p $$d/$$file $(distdir)/$$file \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
 	    || exit 1; \
 	  fi; \
 	done
@@ -431,6 +474,7 @@ clean-generic:
 
 distclean-generic:
 	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -452,6 +496,8 @@ dvi-am:
 
 html: html-am
 
+html-am:
+
 info: info-am
 
 info-am:
@@ -460,18 +506,28 @@ install-data-am: install-pluginLTLIBRARIES
 
 install-dvi: install-dvi-am
 
+install-dvi-am:
+
 install-exec-am:
 
 install-html: install-html-am
 
+install-html-am:
+
 install-info: install-info-am
 
+install-info-am:
+
 install-man:
 
 install-pdf: install-pdf-am
 
+install-pdf-am:
+
 install-ps: install-ps-am
 
+install-ps-am:
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -510,6 +566,7 @@ uninstall-am: uninstall-pluginLTLIBRARIES
 	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
 	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
 
+
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/src/charon/plugins/kernel_pfroute/kernel_pfroute_net.c b/src/charon/plugins/kernel_pfroute/kernel_pfroute_net.c
index d5a864b1c..9f1baf5b5 100644
--- a/src/charon/plugins/kernel_pfroute/kernel_pfroute_net.c
+++ b/src/charon/plugins/kernel_pfroute/kernel_pfroute_net.c
@@ -19,14 +19,14 @@
 #include <ifaddrs.h>
 #include <net/route.h>
 #include <unistd.h>
-#include <pthread.h>
 #include <errno.h>
 
 #include "kernel_pfroute_net.h"
 
 #include <daemon.h>
 #include <utils/host.h>
-#include <utils/mutex.h>
+#include <threading/thread.h>
+#include <threading/mutex.h>
 #include <utils/linked_list.h>
 #include <processing/jobs/callback_job.h>
 #include <processing/jobs/roam_job.h>
@@ -47,13 +47,13 @@ typedef struct addr_entry_t addr_entry_t;
  * IP address in an inface_entry_t
  */
 struct addr_entry_t {
-	
+
 	/** The ip address */
 	host_t *ip;
-	
+
 	/** virtual IP managed by us */
 	bool virtual;
-	
+
 	/** Number of times this IP is used, if virtual */
 	u_int refcount;
 };
@@ -73,16 +73,16 @@ typedef struct iface_entry_t iface_entry_t;
  * A network interface on this system, containing addr_entry_t's
  */
 struct iface_entry_t {
-	
+
 	/** interface index */
 	int ifindex;
-	
+
 	/** name of the interface */
 	char ifname[IFNAMSIZ];
-	
+
 	/** interface flags, as in netdevice(7) SIOCGIFFLAGS */
 	u_int flags;
-	
+
 	/** list of addresses as host_t */
 	linked_list_t *addrs;
 };
@@ -108,46 +108,46 @@ struct private_kernel_pfroute_net_t
 	 * Public part of the kernel_pfroute_t object.
 	 */
 	kernel_pfroute_net_t public;
-	
+
 	/**
 	 * mutex to lock access to various lists
 	 */
 	mutex_t *mutex;
-	
+
 	/**
 	 * Cached list of interfaces and their addresses (iface_entry_t)
 	 */
 	linked_list_t *ifaces;
-	
+
 	/**
 	 * job receiving PF_ROUTE events
 	 */
 	callback_job_t *job;
-	
+
 	/**
 	 * mutex to lock access to the PF_ROUTE socket
 	 */
 	mutex_t *mutex_pfroute;
-	
+
 	/**
 	 * PF_ROUTE socket to communicate with the kernel
 	 */
 	int socket;
-	
+
 	/**
 	 * PF_ROUTE socket to receive events
 	 */
 	int socket_events;
-	
+
 	/**
 	 * sequence number for messages sent to the kernel
 	 */
 	int seq;
-	
+
 	/**
 	 * time of last roam job
 	 */
-	struct timeval last_roam;
+	timeval_t last_roam;
 };
 
 /**
@@ -156,22 +156,20 @@ struct private_kernel_pfroute_net_t
  */
 static void fire_roam_job(private_kernel_pfroute_net_t *this, bool address)
 {
-	struct timeval now;
-	
-	if (gettimeofday(&now, NULL) == 0)
+	timeval_t now;
+
+	time_monotonic(&now);
+	if (timercmp(&now, &this->last_roam, >))
 	{
-		if (timercmp(&now, &this->last_roam, >))
+		now.tv_usec += ROAM_DELAY * 1000;
+		while (now.tv_usec > 1000000)
 		{
-			now.tv_usec += ROAM_DELAY * 1000;
-			while (now.tv_usec > 1000000)
-			{
-				now.tv_sec++;
-				now.tv_usec -= 1000000;
-			}
-			this->last_roam = now;
-			charon->scheduler->schedule_job_ms(charon->scheduler,
-				(job_t*)roam_job_create(address), ROAM_DELAY);
+			now.tv_sec++;
+			now.tv_usec -= 1000000;
 		}
+		this->last_roam = now;
+		charon->scheduler->schedule_job_ms(charon->scheduler,
+			(job_t*)roam_job_create(address), ROAM_DELAY);
 	}
 }
 
@@ -189,7 +187,7 @@ static void process_addr(private_kernel_pfroute_net_t *this,
 	addr_entry_t *addr;
 	bool found = FALSE, changed = FALSE, roam = FALSE;
 	int i;
-	
+
 	for (i = 1; i < (1 << RTAX_MAX); i <<= 1)
 	{
 		if (ifa->ifam_addrs & i)
@@ -202,12 +200,12 @@ static void process_addr(private_kernel_pfroute_net_t *this,
 			sockaddr = (sockaddr_t*)((char*)sockaddr + sockaddr->sa_len);
 		}
 	}
-	
+
 	if (!host)
 	{
 		return;
 	}
-	
+
 	this->mutex->lock(this->mutex);
 	ifaces = this->ifaces->create_enumerator(this->ifaces);
 	while (ifaces->enumerate(ifaces, &iface))
@@ -238,7 +236,7 @@ static void process_addr(private_kernel_pfroute_net_t *this,
 				}
 			}
 			addrs->destroy(addrs);
-			
+
 			if (!found && ifa->ifam_type == RTM_NEWADDR)
 			{
 				changed = TRUE;
@@ -249,7 +247,7 @@ static void process_addr(private_kernel_pfroute_net_t *this,
 				iface->addrs->insert_last(iface->addrs, addr);
 				DBG1(DBG_KNL, "%H appeared on %s", host, iface->ifname);
 			}
-			
+
 			if (changed && (iface->flags & IFF_UP))
 			{
 				roam = TRUE;
@@ -260,7 +258,7 @@ static void process_addr(private_kernel_pfroute_net_t *this,
 	ifaces->destroy(ifaces);
 	this->mutex->unlock(this->mutex);
 	host->destroy(host);
-	
+
 	if (roam)
 	{
 		fire_roam_job(this, TRUE);
@@ -277,12 +275,12 @@ static void process_link(private_kernel_pfroute_net_t *this,
 	enumerator_t *enumerator;
 	iface_entry_t *iface;
 	bool roam = FALSE;
-	
+
 	if (msg->ifm_flags & IFF_LOOPBACK)
 	{	/* ignore loopback interfaces */
 		return;
 	}
-	
+
 	this->mutex->lock(this->mutex);
 	enumerator = this->ifaces->create_enumerator(this->ifaces);
 	while (enumerator->enumerate(enumerator, &iface))
@@ -305,7 +303,7 @@ static void process_link(private_kernel_pfroute_net_t *this,
 	}
 	enumerator->destroy(enumerator);
 	this->mutex->unlock(this->mutex);
-	
+
 	if (roam)
 	{
 		fire_roam_job(this, TRUE);
@@ -328,12 +326,13 @@ static job_requeue_t receive_events(private_kernel_pfroute_net_t *this)
 {
 	unsigned char buf[PFROUTE_BUFFER_SIZE];
 	struct rt_msghdr *msg = (struct rt_msghdr*)buf;
-	int len, oldstate;
-	
-	pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
+	int len;
+	bool oldstate;
+
+	oldstate = thread_cancelability(TRUE);
 	len = recvfrom(this->socket_events, buf, sizeof(buf), 0, NULL, 0);
-	pthread_setcancelstate(oldstate, NULL);
-	
+	thread_cancelability(oldstate);
+
 	if (len < 0)
 	{
 		switch (errno)
@@ -350,14 +349,14 @@ static job_requeue_t receive_events(private_kernel_pfroute_net_t *this)
 				return JOB_REQUEUE_FAIR;
 		}
 	}
-	
+
 	if (len < sizeof(msg->rtm_msglen) || len < msg->rtm_msglen ||
 		msg->rtm_version != RTM_VERSION)
 	{
 		DBG2(DBG_KNL, "received corrupted PF_ROUTE message");
 		return JOB_REQUEUE_DIRECT;
 	}
-	
+
 	switch (msg->rtm_type)
 	{
 		case RTM_NEWADDR:
@@ -374,7 +373,7 @@ static job_requeue_t receive_events(private_kernel_pfroute_net_t *this)
 		default:
 			break;
 	}
-	
+
 	return JOB_REQUEUE_DIRECT;
 }
 
@@ -493,7 +492,7 @@ static char *get_interface_name(private_kernel_pfroute_net_t *this, host_t* ip)
 	}
 	ifaces->destroy(ifaces);
 	this->mutex->unlock(this->mutex);
-	
+
 	if (name)
 	{
 		DBG2(DBG_KNL, "%H is on interface %s", ip, name);
@@ -566,15 +565,15 @@ static status_t init_address_list(private_kernel_pfroute_net_t *this)
 	iface_entry_t *iface, *current;
 	addr_entry_t *addr;
 	enumerator_t *ifaces, *addrs;
-	
+
 	DBG1(DBG_KNL, "listening on interfaces:");
-	
+
 	if (getifaddrs(&ifap) < 0)
 	{
 		DBG1(DBG_KNL, "  failed to get interfaces!");
 		return FAILED;
 	}
-	
+
 	for (ifa = ifap; ifa != NULL; ifa = ifa->ifa_next)
 	{
 		if (ifa->ifa_addr == NULL)
@@ -591,7 +590,7 @@ static status_t init_address_list(private_kernel_pfroute_net_t *this)
 				{	/* ignore loopback interfaces */
 					continue;
 				}
-				
+
 				iface = NULL;
 				ifaces = this->ifaces->create_enumerator(this->ifaces);
 				while (ifaces->enumerate(ifaces, &current))
@@ -603,7 +602,7 @@ static status_t init_address_list(private_kernel_pfroute_net_t *this)
 					}
 				}
 				ifaces->destroy(ifaces);
-				
+
 				if (!iface)
 				{
 					iface = malloc_thing(iface_entry_t);
@@ -613,7 +612,7 @@ static status_t init_address_list(private_kernel_pfroute_net_t *this)
 					iface->addrs = linked_list_create();
 					this->ifaces->insert_last(this->ifaces, iface);
 				}
-				
+
 				if (ifa->ifa_addr->sa_family != AF_LINK)
 				{
 					addr = malloc_thing(addr_entry_t);
@@ -626,7 +625,7 @@ static status_t init_address_list(private_kernel_pfroute_net_t *this)
 		}
 	}
 	freeifaddrs(ifap);
-	
+
 	ifaces = this->ifaces->create_enumerator(this->ifaces);
 	while (ifaces->enumerate(ifaces, &iface))
 	{
@@ -642,7 +641,7 @@ static status_t init_address_list(private_kernel_pfroute_net_t *this)
 		}
 	}
 	ifaces->destroy(ifaces);
-	
+
 	return SUCCESS;
 }
 
@@ -666,7 +665,7 @@ static void destroy(private_kernel_pfroute_net_t *this)
 kernel_pfroute_net_t *kernel_pfroute_net_create()
 {
 	private_kernel_pfroute_net_t *this = malloc_thing(private_kernel_pfroute_net_t);
-	
+
 	/* public functions */
 	this->public.interface.get_interface = (char*(*)(kernel_net_t*,host_t*))get_interface_name;
 	this->public.interface.create_address_enumerator = (enumerator_t*(*)(kernel_net_t*,bool,bool))create_address_enumerator;
@@ -676,38 +675,38 @@ kernel_pfroute_net_t *kernel_pfroute_net_create()
 	this->public.interface.del_ip = (status_t(*)(kernel_net_t*,host_t*)) del_ip;
 	this->public.interface.add_route = (status_t(*)(kernel_net_t*,chunk_t,u_int8_t,host_t*,host_t*,char*)) add_route;
 	this->public.interface.del_route = (status_t(*)(kernel_net_t*,chunk_t,u_int8_t,host_t*,host_t*,char*)) del_route;
-	
+
 	this->public.interface.destroy = (void(*)(kernel_net_t*)) destroy;
-	
+
 	/* private members */
 	this->ifaces = linked_list_create();
 	this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
 	this->mutex_pfroute = mutex_create(MUTEX_TYPE_DEFAULT);
-	
+
 	this->seq = 0;
-	
+
 	/* create a PF_ROUTE socket to communicate with the kernel */
 	this->socket = socket(PF_ROUTE, SOCK_RAW, AF_UNSPEC);
 	if (this->socket <= 0)
 	{
 		charon->kill(charon, "unable to create PF_ROUTE socket");
 	}
-	
+
 	/* create a PF_ROUTE socket to receive events */
 	this->socket_events = socket(PF_ROUTE, SOCK_RAW, AF_UNSPEC);
 	if (this->socket_events <= 0)
 	{
 		charon->kill(charon, "unable to create PF_ROUTE event socket");
 	}
-	
+
 	this->job = callback_job_create((callback_job_cb_t)receive_events,
 									this, NULL, NULL);
 	charon->processor->queue_job(charon->processor, (job_t*)this->job);
-	
+
 	if (init_address_list(this) != SUCCESS)
 	{
 		charon->kill(charon, "unable to get interface list");
 	}
-	
+
 	return &this->public;
 }
diff --git a/src/charon/plugins/kernel_pfroute/kernel_pfroute_plugin.c b/src/charon/plugins/kernel_pfroute/kernel_pfroute_plugin.c
index 767049bb0..e73cbeafb 100644
--- a/src/charon/plugins/kernel_pfroute/kernel_pfroute_plugin.c
+++ b/src/charon/plugins/kernel_pfroute/kernel_pfroute_plugin.c
@@ -48,11 +48,11 @@ static void destroy(private_kernel_pfroute_plugin_t *this)
 plugin_t *plugin_create()
 {
 	private_kernel_pfroute_plugin_t *this = malloc_thing(private_kernel_pfroute_plugin_t);
-	
+
 	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-	
+
 	charon->kernel_interface->add_net_interface(charon->kernel_interface,
 						(kernel_net_constructor_t)kernel_pfroute_net_create);
-	
+
 	return &this->public.plugin;
 }
diff --git a/src/charon/plugins/load_tester/Makefile.in b/src/charon/plugins/load_tester/Makefile.in
index 3b494cea2..70c7d3c99 100644
--- a/src/charon/plugins/load_tester/Makefile.in
+++ b/src/charon/plugins/load_tester/Makefile.in
@@ -1,8 +1,9 @@
-# Makefile.in generated by automake 1.10.2 from Makefile.am.
+# Makefile.in generated by automake 1.11 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,8 +17,9 @@
 
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
@@ -35,19 +37,41 @@ host_triplet = @host@
 subdir = src/charon/plugins/load_tester
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
 CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
 am__vpath_adj = case $$p in \
     $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
     *) f=$$p;; \
   esac;
-am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__installdirs = "$(DESTDIR)$(plugindir)"
-pluginLTLIBRARIES_INSTALL = $(INSTALL)
 LTLIBRARIES = $(plugin_LTLIBRARIES)
 libstrongswan_load_tester_la_LIBADD =
 am_libstrongswan_load_tester_la_OBJECTS = load_tester_plugin.lo \
@@ -63,6 +87,7 @@ libstrongswan_load_tester_la_LINK = $(LIBTOOL) --tag=CC \
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
+am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
@@ -110,25 +135,22 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
-IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
-LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
-LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
-LINUX_HEADERS = @LINUX_HEADERS@
 LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
 NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
@@ -140,11 +162,14 @@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
 PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
+RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
@@ -173,9 +198,9 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
-confdir = @confdir@
 datadir = @datadir@
 datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
@@ -198,7 +223,7 @@ ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
 libstrongswan_plugins = @libstrongswan_plugins@
-linuxdir = @linuxdir@
+linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
@@ -206,6 +231,7 @@ mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
@@ -214,10 +240,12 @@ pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+random_device = @random_device@
 resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
-simreader = @simreader@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
@@ -225,6 +253,7 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
@@ -252,9 +281,9 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/charon/plugins/load_tester/Makefile'; \
-	cd $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu  src/charon/plugins/load_tester/Makefile
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/charon/plugins/load_tester/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/charon/plugins/load_tester/Makefile
 .PRECIOUS: Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
@@ -272,23 +301,28 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
 	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
 	  if test -f $$p; then \
-	    f=$(am__strip_dir) \
-	    echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(plugindir)/$$f'"; \
-	    $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(plugindir)/$$f"; \
+	    list2="$$list2 $$p"; \
 	  else :; fi; \
-	done
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
 
 uninstall-pluginLTLIBRARIES:
 	@$(NORMAL_UNINSTALL)
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
-	  p=$(am__strip_dir) \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$p'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$p"; \
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
 	done
 
 clean-pluginLTLIBRARIES:
@@ -317,21 +351,21 @@ distclean-compile:
 
 .c.o:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c $<
 
 .c.obj:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
 @am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
@@ -354,7 +388,7 @@ tags: TAGS
 
 TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
+	set x; \
 	here=`pwd`; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
@@ -362,29 +396,34 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
 	  test -n "$$unique" || unique=$$empty_fix; \
-	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	    $$tags $$unique; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
 	fi
 ctags: CTAGS
 CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	test -z "$(CTAGS_ARGS)$$unique" \
 	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$tags $$unique
+	     $$unique
 
 GTAGS:
 	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && cd $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) $$here
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
 
 distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
@@ -405,13 +444,17 @@ distdir: $(DISTFILES)
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
 	  if test -d $$d/$$file; then \
 	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
 	    fi; \
-	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
 	  else \
-	    test -f $(distdir)/$$file \
-	    || cp -p $$d/$$file $(distdir)/$$file \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
 	    || exit 1; \
 	  fi; \
 	done
@@ -442,6 +485,7 @@ clean-generic:
 
 distclean-generic:
 	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -463,6 +507,8 @@ dvi-am:
 
 html: html-am
 
+html-am:
+
 info: info-am
 
 info-am:
@@ -471,18 +517,28 @@ install-data-am: install-pluginLTLIBRARIES
 
 install-dvi: install-dvi-am
 
+install-dvi-am:
+
 install-exec-am:
 
 install-html: install-html-am
 
+install-html-am:
+
 install-info: install-info-am
 
+install-info-am:
+
 install-man:
 
 install-pdf: install-pdf-am
 
+install-pdf-am:
+
 install-ps: install-ps-am
 
+install-ps-am:
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -521,6 +577,7 @@ uninstall-am: uninstall-pluginLTLIBRARIES
 	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
 	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
 
+
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/src/charon/plugins/load_tester/load_tester_config.c b/src/charon/plugins/load_tester/load_tester_config.c
index 963f7cc01..82f408d45 100644
--- a/src/charon/plugins/load_tester/load_tester_config.c
+++ b/src/charon/plugins/load_tester/load_tester_config.c
@@ -28,52 +28,52 @@ struct private_load_tester_config_t {
 	 * Public part
 	 */
 	load_tester_config_t public;
-	
+
 	/**
 	 * peer config
 	 */
 	peer_cfg_t *peer_cfg;
-	
+
 	/**
 	 * virtual IP, if any
 	 */
 	host_t *vip;
-	
+
 	/**
 	 * Remote address
 	 */
 	char *remote;
-	
+
 	/**
 	 * IP address pool
 	 */
 	char *pool;
-	
+
 	/**
- 	 * IKE proposal
- 	 */
+	 * IKE proposal
+	 */
 	proposal_t *proposal;
-	
+
 	/**
 	 * Authentication method(s) to use/expect from initiator
 	 */
 	char *initiator_auth;
-	
+
 	/**
 	 * Authentication method(s) use/expected from responder
 	 */
 	char *responder_auth;
-	
+
 	/**
 	 * IKE_SA rekeying delay
 	 */
 	u_int ike_rekey;
-	
+
 	/**
 	 * CHILD_SA rekeying delay
 	 */
 	u_int child_rekey;
-	
+
 	/**
 	 * incremental numbering of generated configs
 	 */
@@ -93,13 +93,13 @@ static void generate_auth_cfg(private_load_tester_config_t *this, char *str,
 	eap_type_t type;
 	char buf[128];
 	int rnd = 0;
-	
+
 	enumerator = enumerator_create_token(str, "|", " ");
 	while (enumerator->enumerate(enumerator, &str))
 	{
 		auth = auth_cfg_create();
 		rnd++;
-		
+
 		if (streq(str, "psk"))
 		{	/* PSK authentication, use FQDNs */
 			class = AUTH_CLASS_PSK;
@@ -181,7 +181,14 @@ static peer_cfg_t* generate_config(private_load_tester_config_t *this, uint num)
 	peer_cfg_t *peer_cfg;
 	traffic_selector_t *ts;
 	proposal_t *proposal;
-	
+	lifetime_cfg_t lifetime = {
+		.time = {
+			.life = this->child_rekey * 2,
+			.rekey = this->child_rekey,
+			.jitter = 0
+		}
+	};
+
 	ike_cfg = ike_cfg_create(FALSE, FALSE, "0.0.0.0", this->remote);
 	ike_cfg->add_proposal(ike_cfg, this->proposal->clone(this->proposal));
 	peer_cfg = peer_cfg_create("load-test", 2, ike_cfg,
@@ -201,9 +208,9 @@ static peer_cfg_t* generate_config(private_load_tester_config_t *this, uint num)
 		generate_auth_cfg(this, this->responder_auth, peer_cfg, TRUE, num);
 		generate_auth_cfg(this, this->initiator_auth, peer_cfg, FALSE, num);
 	}
-	child_cfg = child_cfg_create("load-test", this->child_rekey * 2,
-								 this->child_rekey, 0, NULL, TRUE,
-								 MODE_TUNNEL, ACTION_NONE, ACTION_NONE, FALSE);
+
+	child_cfg = child_cfg_create("load-test", &lifetime, NULL, TRUE,
+								 MODE_TUNNEL, ACTION_NONE, ACTION_NONE, FALSE, 0);
 	proposal = proposal_create_from_string(PROTO_ESP, "aes128-sha1");
 	child_cfg->add_proposal(child_cfg, proposal);
 	ts = traffic_selector_create_dynamic(0, 0, 65535);
@@ -218,7 +225,7 @@ static peer_cfg_t* generate_config(private_load_tester_config_t *this, uint num)
  * Implementation of backend_t.create_peer_cfg_enumerator.
  */
 static enumerator_t* create_peer_cfg_enumerator(private_load_tester_config_t *this,
-												identification_t *me, 
+												identification_t *me,
 												identification_t *other)
 {
 	return enumerator_create_single(this->peer_cfg, NULL);
@@ -266,44 +273,44 @@ static void destroy(private_load_tester_config_t *this)
 load_tester_config_t *load_tester_config_create()
 {
 	private_load_tester_config_t *this = malloc_thing(private_load_tester_config_t);
-	
+
 	this->public.backend.create_peer_cfg_enumerator = (enumerator_t*(*)(backend_t*, identification_t *me, identification_t *other))create_peer_cfg_enumerator;
 	this->public.backend.create_ike_cfg_enumerator = (enumerator_t*(*)(backend_t*, host_t *me, host_t *other))create_ike_cfg_enumerator;
 	this->public.backend.get_peer_cfg_by_name = (peer_cfg_t* (*)(backend_t*,char*))get_peer_cfg_by_name;
 	this->public.destroy = (void(*)(load_tester_config_t*))destroy;
-	
+
 	this->vip = NULL;
 	if (lib->settings->get_bool(lib->settings,
-				"charon.plugins.load_tester.request_virtual_ip", FALSE))
+				"charon.plugins.load-tester.request_virtual_ip", FALSE))
 	{
 		this->vip = host_create_from_string("0.0.0.0", 0);
 	}
 	this->pool = lib->settings->get_str(lib->settings,
-				"charon.plugins.load_tester.pool", NULL);
-	this->remote = lib->settings->get_str(lib->settings, 
-				"charon.plugins.load_tester.remote", "127.0.0.1");
-				
+				"charon.plugins.load-tester.pool", NULL);
+	this->remote = lib->settings->get_str(lib->settings,
+				"charon.plugins.load-tester.remote", "127.0.0.1");
+
 	this->proposal = proposal_create_from_string(PROTO_IKE,
 			lib->settings->get_str(lib->settings,
-				"charon.plugins.load_tester.proposal", "aes128-sha1-modp768"));
+				"charon.plugins.load-tester.proposal", "aes128-sha1-modp768"));
 	if (!this->proposal)
 	{	/* fallback */
 		this->proposal = proposal_create_from_string(PROTO_IKE,
 													 "aes128-sha1-modp768");
 	}
 	this->ike_rekey = lib->settings->get_int(lib->settings,
-				"charon.plugins.load_tester.ike_rekey", 0);
+				"charon.plugins.load-tester.ike_rekey", 0);
 	this->child_rekey = lib->settings->get_int(lib->settings,
-				"charon.plugins.load_tester.child_rekey", 600);
-	
+				"charon.plugins.load-tester.child_rekey", 600);
+
 	this->initiator_auth = lib->settings->get_str(lib->settings,
-				"charon.plugins.load_tester.initiator_auth", "pubkey");
+				"charon.plugins.load-tester.initiator_auth", "pubkey");
 	this->responder_auth = lib->settings->get_str(lib->settings,
-				"charon.plugins.load_tester.responder_auth", "pubkey");
-	
+				"charon.plugins.load-tester.responder_auth", "pubkey");
+
 	this->num = 1;
 	this->peer_cfg = generate_config(this, 0);
-	
+
 	return &this->public;
 }
 
diff --git a/src/charon/plugins/load_tester/load_tester_config.h b/src/charon/plugins/load_tester/load_tester_config.h
index f09a3f832..c22387743 100644
--- a/src/charon/plugins/load_tester/load_tester_config.h
+++ b/src/charon/plugins/load_tester/load_tester_config.h
@@ -34,11 +34,11 @@ struct load_tester_config_t {
 	 * Implements backend_t interface
 	 */
 	backend_t backend;
-	
+
 	/**
 	 * Destroy the backend.
 	 */
-	void (*destroy)(load_tester_config_t *this);	
+	void (*destroy)(load_tester_config_t *this);
 };
 
 /**
diff --git a/src/charon/plugins/load_tester/load_tester_creds.c b/src/charon/plugins/load_tester/load_tester_creds.c
index fdb5fa370..890703c1a 100644
--- a/src/charon/plugins/load_tester/load_tester_creds.c
+++ b/src/charon/plugins/load_tester/load_tester_creds.c
@@ -32,31 +32,26 @@ struct private_load_tester_creds_t {
 	 * Public part
 	 */
 	load_tester_creds_t public;
-	
+
 	/**
 	 * Private key to create signatures
 	 */
 	private_key_t *private;
-	
+
 	/**
 	 * CA certificate, to issue/verify peer certificates
 	 */
 	certificate_t *ca;
-	
+
 	/**
 	 * serial number to issue certificates
 	 */
 	u_int32_t serial;
-	
+
 	/**
 	 * Preshared key
 	 */
 	shared_key_t *shared;
-	
-	/**
-	 * Identification for shared key
-	 */
-	identification_t *id;
 };
 
 /**
@@ -195,10 +190,7 @@ static enumerator_t* create_private_enumerator(private_load_tester_creds_t *this
 	}
 	if (id)
 	{
-		identification_t *keyid;
-		
-		keyid = this->private->get_id(this->private, id->get_type(id));
-		if (!keyid || !keyid->equals(keyid, id))
+		if (!this->private->has_fingerprint(this->private, id->get_encoding(id)))
 		{
 			return NULL;
 		}
@@ -217,8 +209,7 @@ static enumerator_t* create_cert_enumerator(private_load_tester_creds_t *this,
 	public_key_t *peer_key, *ca_key;
 	u_int32_t serial;
 	time_t now;
-	identification_t *keyid = NULL;
-	
+
 	if (this->ca == NULL)
 	{
 		return NULL;
@@ -231,18 +222,24 @@ static enumerator_t* create_cert_enumerator(private_load_tester_creds_t *this,
 	{
 		return NULL;
 	}
+	if (!id)
+	{
+		return enumerator_create_single(this->ca, NULL);
+	}
 	ca_key = this->ca->get_public_key(this->ca);
-	if (ca_key && id)
+	if (ca_key)
 	{
-		keyid = ca_key->get_id(ca_key, id->get_type(id));
+		if (ca_key->has_fingerprint(ca_key, id->get_encoding(id)))
+		{
+			ca_key->destroy(ca_key);
+			return enumerator_create_single(this->ca, NULL);
+		}
+		ca_key->destroy(ca_key);
 	}
-	if (!id || this->ca->has_subject(this->ca, id) ||
-		(keyid && id->equals(id, keyid)))
-	{	/* ca certificate */
-		DESTROY_IF(ca_key);
+	if (this->ca->has_subject(this->ca, id))
+	{
 		return enumerator_create_single(this->ca, NULL);
 	}
-	DESTROY_IF(ca_key);
 	if (!trusted)
 	{
 		/* peer certificate, generate on demand */
@@ -270,22 +267,10 @@ static enumerator_t* create_cert_enumerator(private_load_tester_creds_t *this,
 /**
  * Implements credential_set_t.create_shared_enumerator
  */
-static enumerator_t* create_shared_enumerator(private_load_tester_creds_t *this, 
+static enumerator_t* create_shared_enumerator(private_load_tester_creds_t *this,
 							shared_key_type_t type,	identification_t *me,
 							identification_t *other)
 {
-	if (type != SHARED_ANY && type != SHARED_IKE)
-	{
-		return NULL;
-	}
-	if (me && !me->matches(me, this->id))
-	{
-		return NULL;
-	}
-	if (other && !other->matches(other, this->id))
-	{
-		return NULL;
-	}
 	return enumerator_create_single(this->shared, NULL);
 }
 
@@ -297,7 +282,6 @@ static void destroy(private_load_tester_creds_t *this)
 	DESTROY_IF(this->private);
 	DESTROY_IF(this->ca);
 	this->shared->destroy(this->shared);
-	this->id->destroy(this->id);
 	free(this);
 }
 
@@ -311,19 +295,18 @@ load_tester_creds_t *load_tester_creds_create()
 	this->public.credential_set.create_cdp_enumerator  = (enumerator_t*(*) (credential_set_t *,certificate_type_t, identification_t *))return_null;
 	this->public.credential_set.cache_cert = (void (*)(credential_set_t *, certificate_t *))nop;
 	this->public.destroy = (void(*) (load_tester_creds_t*))destroy;
-	
+
 	this->private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
 				BUILD_BLOB_ASN1_DER, chunk_create(private, sizeof(private)),
 				BUILD_END);
-	
+
 	this->ca = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
 				BUILD_BLOB_ASN1_DER, chunk_create(cert, sizeof(cert)),
 				BUILD_X509_FLAG, X509_CA,
 				BUILD_END);
-	
-	this->shared = shared_key_create(SHARED_IKE, 
+
+	this->shared = shared_key_create(SHARED_IKE,
 									 chunk_clone(chunk_create(psk, sizeof(psk))));
-	this->id = identification_create_from_string("CN=*, OU=load-test, O=strongSwan");
 	this->serial = 0;
 	return &this->public;
 }
diff --git a/src/charon/plugins/load_tester/load_tester_creds.h b/src/charon/plugins/load_tester/load_tester_creds.h
index 60cf67795..fb3541164 100644
--- a/src/charon/plugins/load_tester/load_tester_creds.h
+++ b/src/charon/plugins/load_tester/load_tester_creds.h
@@ -34,11 +34,11 @@ struct load_tester_creds_t {
 	 * Implements credential set interface.
 	 */
 	credential_set_t credential_set;
-	
+
 	/**
 	 * Destroy the backend.
 	 */
-	void (*destroy)(load_tester_creds_t *this);	
+	void (*destroy)(load_tester_creds_t *this);
 };
 
 /**
diff --git a/src/charon/plugins/load_tester/load_tester_diffie_hellman.c b/src/charon/plugins/load_tester/load_tester_diffie_hellman.c
index 87d9ef42b..d5ec3599b 100644
--- a/src/charon/plugins/load_tester/load_tester_diffie_hellman.c
+++ b/src/charon/plugins/load_tester/load_tester_diffie_hellman.c
@@ -49,19 +49,19 @@ load_tester_diffie_hellman_t *load_tester_diffie_hellman_create(
 												diffie_hellman_group_t group)
 {
 	load_tester_diffie_hellman_t *this;
-	
+
 	if (group != MODP_NULL)
 	{
 		return NULL;
 	}
-	
+
 	this = malloc_thing(load_tester_diffie_hellman_t);
-	
+
 	this->dh.get_shared_secret = (status_t (*)(diffie_hellman_t *, chunk_t *))get_shared_secret;
 	this->dh.set_other_public_value = (void (*)(diffie_hellman_t *, chunk_t ))nop;
 	this->dh.get_my_public_value = (void (*)(diffie_hellman_t *, chunk_t *))get_my_public_value;
 	this->dh.get_dh_group = (diffie_hellman_group_t (*)(diffie_hellman_t *))get_dh_group;
 	this->dh.destroy = (void (*)(diffie_hellman_t *))free;
-	
+
 	return this;
 }
diff --git a/src/charon/plugins/load_tester/load_tester_diffie_hellman.h b/src/charon/plugins/load_tester/load_tester_diffie_hellman.h
index 045c4bb4a..672157fb8 100644
--- a/src/charon/plugins/load_tester/load_tester_diffie_hellman.h
+++ b/src/charon/plugins/load_tester/load_tester_diffie_hellman.h
@@ -29,7 +29,7 @@ typedef struct load_tester_diffie_hellman_t load_tester_diffie_hellman_t;
  * A NULL Diffie Hellman implementation to avoid calculation overhead in tests.
  */
 struct load_tester_diffie_hellman_t {
-	
+
 	/**
 	 * Implements diffie_hellman_t interface.
 	 */
@@ -38,11 +38,11 @@ struct load_tester_diffie_hellman_t {
 
 /**
  * Creates a new gmp_diffie_hellman_t object.
- * 
+ *
  * @param group			Diffie Hellman group, supports MODP_NULL only
  * @return				gmp_diffie_hellman_t object
  */
 load_tester_diffie_hellman_t *load_tester_diffie_hellman_create(
 												diffie_hellman_group_t group);
 
-#endif /** LOAD_TESTER_DIFFIE_HELLMAN_ @}*/
+#endif /** LOAD_TESTER_DIFFIE_HELLMAN_H_ @}*/
diff --git a/src/charon/plugins/load_tester/load_tester_ipsec.c b/src/charon/plugins/load_tester/load_tester_ipsec.c
index e463d2adc..1218443cc 100644
--- a/src/charon/plugins/load_tester/load_tester_ipsec.c
+++ b/src/charon/plugins/load_tester/load_tester_ipsec.c
@@ -27,7 +27,7 @@ struct private_load_tester_ipsec_t {
 	 * Public interface.
 	 */
 	load_tester_ipsec_t public;
-	
+
 	/**
 	 * faked SPI counter
 	 */
@@ -37,8 +37,8 @@ struct private_load_tester_ipsec_t {
 /**
  * Implementation of kernel_interface_t.get_spi.
  */
-static status_t get_spi(private_load_tester_ipsec_t *this, 
-						host_t *src, host_t *dst, 
+static status_t get_spi(private_load_tester_ipsec_t *this,
+						host_t *src, host_t *dst,
 						protocol_id_t protocol, u_int32_t reqid,
 						u_int32_t *spi)
 {
@@ -49,8 +49,8 @@ static status_t get_spi(private_load_tester_ipsec_t *this,
 /**
  * Implementation of kernel_interface_t.get_cpi.
  */
-static status_t get_cpi(private_load_tester_ipsec_t *this, 
-						host_t *src, host_t *dst, 
+static status_t get_cpi(private_load_tester_ipsec_t *this,
+						host_t *src, host_t *dst,
 						u_int32_t reqid, u_int16_t *cpi)
 {
 	return FAILED;
@@ -62,11 +62,12 @@ static status_t get_cpi(private_load_tester_ipsec_t *this,
 static status_t add_sa(private_load_tester_ipsec_t *this,
 					   host_t *src, host_t *dst, u_int32_t spi,
 					   protocol_id_t protocol, u_int32_t reqid,
-					   u_int64_t expire_soft, u_int64_t expire_hard,
+					   lifetime_cfg_t *lifetime,
 					   u_int16_t enc_alg, chunk_t enc_key,
 					   u_int16_t int_alg, chunk_t int_key,
 					   ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
-					   bool encap, bool inbound)
+					   bool encap, bool inbound, traffic_selector_t *src_ts,
+					   traffic_selector_t *dst_ts)
 {
 	return SUCCESS;
 }
@@ -122,11 +123,11 @@ static status_t add_policy(private_load_tester_ipsec_t *this,
  * Implementation of kernel_interface_t.query_policy.
  */
 static status_t query_policy(private_load_tester_ipsec_t *this,
-							 traffic_selector_t *src_ts, 
+							 traffic_selector_t *src_ts,
 							 traffic_selector_t *dst_ts,
 							 policy_dir_t direction, u_int32_t *use_time)
 {
-	*use_time = time(NULL);
+	*use_time = time_monotonic(NULL);
 	return SUCCESS;
 }
 
@@ -134,7 +135,7 @@ static status_t query_policy(private_load_tester_ipsec_t *this,
  * Implementation of kernel_interface_t.del_policy.
  */
 static status_t del_policy(private_load_tester_ipsec_t *this,
-						   traffic_selector_t *src_ts, 
+						   traffic_selector_t *src_ts,
 						   traffic_selector_t *dst_ts,
 						   policy_dir_t direction, bool unrouted)
 {
@@ -155,11 +156,11 @@ static void destroy(private_load_tester_ipsec_t *this)
 load_tester_ipsec_t *load_tester_ipsec_create()
 {
 	private_load_tester_ipsec_t *this = malloc_thing(private_load_tester_ipsec_t);
-	
+
 	/* public functions */
 	this->public.interface.get_spi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,protocol_id_t,u_int32_t,u_int32_t*))get_spi;
 	this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
-	this->public.interface.add_sa  = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa;
+	this->public.interface.add_sa  = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,lifetime_cfg_t*,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool,traffic_selector_t*,traffic_selector_t*))add_sa;
 	this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa;
 	this->public.interface.query_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int64_t*))query_sa;
 	this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
@@ -167,9 +168,9 @@ load_tester_ipsec_t *load_tester_ipsec_create()
 	this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
 	this->public.interface.del_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,bool))del_policy;
 	this->public.interface.destroy = (void(*)(kernel_ipsec_t*)) destroy;
-	
+
 	this->spi = 0;
-	
+
 	return &this->public;
 }
 
diff --git a/src/charon/plugins/load_tester/load_tester_listener.c b/src/charon/plugins/load_tester/load_tester_listener.c
index fe9a90aed..96b0cf1ec 100644
--- a/src/charon/plugins/load_tester/load_tester_listener.c
+++ b/src/charon/plugins/load_tester/load_tester_listener.c
@@ -30,7 +30,7 @@ struct private_load_tester_listener_t {
 	 * Public part
 	 */
 	load_tester_listener_t public;
-	
+
 	/**
 	 * Delete IKE_SA after it has been established
 	 */
@@ -40,7 +40,7 @@ struct private_load_tester_listener_t {
 	 * Number of established SAs
 	 */
 	u_int established;
-	
+
 	/**
 	 * Shutdown the daemon if we have established this SA count
 	 */
@@ -56,19 +56,19 @@ static bool ike_state_change(private_load_tester_listener_t *this,
 	if (state == IKE_ESTABLISHED)
 	{
 		ike_sa_id_t *id = ike_sa->get_id(ike_sa);
-	
+
 		if (this->delete_after_established)
 		{
 			charon->processor->queue_job(charon->processor,
 									(job_t*)delete_ike_sa_job_create(id, TRUE));
 		}
-		
+
 		if (id->is_initiator(id))
 		{
 			if (this->shutdown_on == ++this->established)
 			{
 				DBG1(DBG_CFG, "load-test complete, raising SIGTERM");
-				pthread_kill(charon->main_thread_id, SIGTERM);
+				kill(0, SIGTERM);
 			}
 		}
 	}
@@ -86,17 +86,17 @@ static void destroy(private_load_tester_listener_t *this)
 load_tester_listener_t *load_tester_listener_create(u_int shutdown_on)
 {
 	private_load_tester_listener_t *this = malloc_thing(private_load_tester_listener_t);
-	
+
 	memset(&this->public.listener, 0, sizeof(listener_t));
 	this->public.listener.ike_state_change = (void*)ike_state_change;
 	this->public.destroy = (void(*) (load_tester_listener_t*))destroy;
-	
+
 	this->delete_after_established = lib->settings->get_bool(lib->settings,
-				"charon.plugins.load_tester.delete_after_established", FALSE);
-	
+				"charon.plugins.load-tester.delete_after_established", FALSE);
+
 	this->shutdown_on = shutdown_on;
 	this->established = 0;
-	
+
 	return &this->public;
 }
 
diff --git a/src/charon/plugins/load_tester/load_tester_listener.h b/src/charon/plugins/load_tester/load_tester_listener.h
index 6842b3532..b9599294c 100644
--- a/src/charon/plugins/load_tester/load_tester_listener.h
+++ b/src/charon/plugins/load_tester/load_tester_listener.h
@@ -34,11 +34,11 @@ struct load_tester_listener_t {
 	 * Implements listener set interface.
 	 */
 	listener_t listener;
-	
+
 	/**
 	 * Destroy the backend.
 	 */
-	void (*destroy)(load_tester_listener_t *this);	
+	void (*destroy)(load_tester_listener_t *this);
 };
 
 /**
diff --git a/src/charon/plugins/load_tester/load_tester_plugin.c b/src/charon/plugins/load_tester/load_tester_plugin.c
index 93ed2e3c5..e25f97423 100644
--- a/src/charon/plugins/load_tester/load_tester_plugin.c
+++ b/src/charon/plugins/load_tester/load_tester_plugin.c
@@ -24,7 +24,8 @@
 
 #include <daemon.h>
 #include <processing/jobs/callback_job.h>
-#include <utils/mutex.h>
+#include <threading/condvar.h>
+#include <threading/mutex.h>
 
 typedef struct private_load_tester_plugin_t private_load_tester_plugin_t;
 
@@ -37,47 +38,47 @@ struct private_load_tester_plugin_t {
 	 * implements plugin interface
 	 */
 	load_tester_plugin_t public;
-	
+
 	/**
 	 * load_tester configuration backend
 	 */
 	load_tester_config_t *config;
-	
+
 	/**
 	 * load_tester credential set implementation
 	 */
 	load_tester_creds_t *creds;
-	
+
 	/**
 	 * event handler, listens on bus
 	 */
 	load_tester_listener_t *listener;
-	
+
 	/**
 	 * number of iterations per thread
 	 */
 	int iterations;
-	
+
 	/**
 	 * number desired initiator threads
 	 */
 	int initiators;
-	
+
 	/**
 	 * currenly running initiators
 	 */
 	int running;
-	
+
 	/**
 	 * delay between initiations, in ms
 	 */
 	int delay;
-	
+
 	/**
 	 * mutex to lock running field
 	 */
 	mutex_t *mutex;
-	
+
 	/**
 	 * condvar to wait for initiators
 	 */
@@ -90,7 +91,7 @@ struct private_load_tester_plugin_t {
 static job_requeue_t do_load_test(private_load_tester_plugin_t *this)
 {
 	int i, s = 0, ms = 0;
-	
+
 	this->mutex->lock(this->mutex);
 	if (!this->running)
 	{
@@ -102,13 +103,13 @@ static job_requeue_t do_load_test(private_load_tester_plugin_t *this)
 		s = this->delay / 1000;
 		ms = this->delay % 1000;
 	}
-	
+
 	for (i = 0; this->iterations == 0 || i < this->iterations; i++)
 	{
 		peer_cfg_t *peer_cfg;
 		child_cfg_t *child_cfg = NULL;
 		enumerator_t *enumerator;
-	
+
 		peer_cfg = charon->backends->get_peer_cfg_by_name(charon->backends,
 														  "load-test");
 		if (!peer_cfg)
@@ -122,7 +123,7 @@ static job_requeue_t do_load_test(private_load_tester_plugin_t *this)
 			break;
 		}
 		enumerator->destroy(enumerator);
-		
+
 		charon->controller->initiate(charon->controller,
 					peer_cfg, child_cfg->get_ref(child_cfg),
 					NULL, NULL);
@@ -176,32 +177,32 @@ plugin_t *plugin_create()
 {
 	private_load_tester_plugin_t *this;
 	u_int i, shutdown_on = 0;
-	
+
 	if (!lib->settings->get_bool(lib->settings,
-								 "charon.plugins.load_tester.enable", FALSE))
+								 "charon.plugins.load-tester.enable", FALSE))
 	{
 		DBG1(DBG_CFG, "disabling load-tester plugin, not configured");
 		return NULL;
 	}
-	
+
 	this = malloc_thing(private_load_tester_plugin_t);
 	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-	
-	lib->crypto->add_dh(lib->crypto, MODP_NULL, 
+
+	lib->crypto->add_dh(lib->crypto, MODP_NULL,
 						(dh_constructor_t)load_tester_diffie_hellman_create);
-	
+
 	this->delay = lib->settings->get_int(lib->settings,
-					"charon.plugins.load_tester.delay", 0);
+					"charon.plugins.load-tester.delay", 0);
 	this->iterations = lib->settings->get_int(lib->settings,
-					"charon.plugins.load_tester.iterations", 1);
+					"charon.plugins.load-tester.iterations", 1);
 	this->initiators = lib->settings->get_int(lib->settings,
-					"charon.plugins.load_tester.initiators", 0);
+					"charon.plugins.load-tester.initiators", 0);
 	if (lib->settings->get_bool(lib->settings,
-					"charon.plugins.load_tester.shutdown_when_complete", 0))
+					"charon.plugins.load-tester.shutdown_when_complete", 0))
 	{
 		shutdown_on = this->iterations * this->initiators;
 	}
-	
+
 	this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
 	this->condvar = condvar_create(CONDVAR_TYPE_DEFAULT);
 	this->config = load_tester_config_create();
@@ -210,17 +211,17 @@ plugin_t *plugin_create()
 	charon->backends->add_backend(charon->backends, &this->config->backend);
 	charon->credentials->add_set(charon->credentials, &this->creds->credential_set);
 	charon->bus->add_listener(charon->bus, &this->listener->listener);
-	
+
 	if (lib->settings->get_bool(lib->settings,
-					"charon.plugins.load_tester.fake_kernel", FALSE))
+					"charon.plugins.load-tester.fake_kernel", FALSE))
 	{
-		charon->kernel_interface->add_ipsec_interface(charon->kernel_interface, 
+		charon->kernel_interface->add_ipsec_interface(charon->kernel_interface,
 						(kernel_ipsec_constructor_t)load_tester_ipsec_create);
 	}
 	this->running = 0;
 	for (i = 0; i < this->initiators; i++)
 	{
-		charon->processor->queue_job(charon->processor, 
+		charon->processor->queue_job(charon->processor,
 					(job_t*)callback_job_create((callback_job_cb_t)do_load_test,
 												this, NULL, NULL));
 	}
diff --git a/src/charon/plugins/load_tester/load_tester_plugin.h b/src/charon/plugins/load_tester/load_tester_plugin.h
index 87e8914e0..e33f06ac7 100644
--- a/src/charon/plugins/load_tester/load_tester_plugin.h
+++ b/src/charon/plugins/load_tester/load_tester_plugin.h
@@ -31,7 +31,7 @@ typedef struct load_tester_plugin_t load_tester_plugin_t;
 /**
  * Load tester plugin to inspect system core under high load.
  *
- * This plugin 
+ * This plugin
  */
 struct load_tester_plugin_t {
 
diff --git a/src/charon/plugins/medcli/Makefile.in b/src/charon/plugins/medcli/Makefile.in
index 9a2b3f889..47eeecd5b 100644
--- a/src/charon/plugins/medcli/Makefile.in
+++ b/src/charon/plugins/medcli/Makefile.in
@@ -1,8 +1,9 @@
-# Makefile.in generated by automake 1.10.2 from Makefile.am.
+# Makefile.in generated by automake 1.11 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,8 +17,9 @@
 
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
@@ -35,19 +37,41 @@ host_triplet = @host@
 subdir = src/charon/plugins/medcli
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
 CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
 am__vpath_adj = case $$p in \
     $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
     *) f=$$p;; \
   esac;
-am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__installdirs = "$(DESTDIR)$(plugindir)"
-pluginLTLIBRARIES_INSTALL = $(INSTALL)
 LTLIBRARIES = $(plugin_LTLIBRARIES)
 libstrongswan_medcli_la_LIBADD =
 am_libstrongswan_medcli_la_OBJECTS = medcli_plugin.lo medcli_creds.lo \
@@ -60,6 +84,7 @@ libstrongswan_medcli_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
+am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
@@ -107,25 +132,22 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
-IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
-LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
-LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
-LINUX_HEADERS = @LINUX_HEADERS@
 LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
 NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
@@ -137,11 +159,14 @@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
 PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
+RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
@@ -170,9 +195,9 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
-confdir = @confdir@
 datadir = @datadir@
 datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
@@ -195,7 +220,7 @@ ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
 libstrongswan_plugins = @libstrongswan_plugins@
-linuxdir = @linuxdir@
+linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
@@ -203,6 +228,7 @@ mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
@@ -211,10 +237,12 @@ pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+random_device = @random_device@
 resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
-simreader = @simreader@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
@@ -222,6 +250,7 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
@@ -246,9 +275,9 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/charon/plugins/medcli/Makefile'; \
-	cd $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu  src/charon/plugins/medcli/Makefile
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/charon/plugins/medcli/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/charon/plugins/medcli/Makefile
 .PRECIOUS: Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
@@ -266,23 +295,28 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
 	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
 	  if test -f $$p; then \
-	    f=$(am__strip_dir) \
-	    echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(plugindir)/$$f'"; \
-	    $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(plugindir)/$$f"; \
+	    list2="$$list2 $$p"; \
 	  else :; fi; \
-	done
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
 
 uninstall-pluginLTLIBRARIES:
 	@$(NORMAL_UNINSTALL)
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
-	  p=$(am__strip_dir) \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$p'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$p"; \
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
 	done
 
 clean-pluginLTLIBRARIES:
@@ -309,21 +343,21 @@ distclean-compile:
 
 .c.o:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c $<
 
 .c.obj:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
 @am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
@@ -346,7 +380,7 @@ tags: TAGS
 
 TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
+	set x; \
 	here=`pwd`; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
@@ -354,29 +388,34 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
 	  test -n "$$unique" || unique=$$empty_fix; \
-	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	    $$tags $$unique; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
 	fi
 ctags: CTAGS
 CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	test -z "$(CTAGS_ARGS)$$unique" \
 	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$tags $$unique
+	     $$unique
 
 GTAGS:
 	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && cd $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) $$here
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
 
 distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
@@ -397,13 +436,17 @@ distdir: $(DISTFILES)
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
 	  if test -d $$d/$$file; then \
 	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
 	    fi; \
-	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
 	  else \
-	    test -f $(distdir)/$$file \
-	    || cp -p $$d/$$file $(distdir)/$$file \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
 	    || exit 1; \
 	  fi; \
 	done
@@ -434,6 +477,7 @@ clean-generic:
 
 distclean-generic:
 	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -455,6 +499,8 @@ dvi-am:
 
 html: html-am
 
+html-am:
+
 info: info-am
 
 info-am:
@@ -463,18 +509,28 @@ install-data-am: install-pluginLTLIBRARIES
 
 install-dvi: install-dvi-am
 
+install-dvi-am:
+
 install-exec-am:
 
 install-html: install-html-am
 
+install-html-am:
+
 install-info: install-info-am
 
+install-info-am:
+
 install-man:
 
 install-pdf: install-pdf-am
 
+install-pdf-am:
+
 install-ps: install-ps-am
 
+install-ps-am:
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -513,6 +569,7 @@ uninstall-am: uninstall-pluginLTLIBRARIES
 	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
 	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
 
+
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/src/charon/plugins/medcli/medcli_config.c b/src/charon/plugins/medcli/medcli_config.c
index 3b3332549..2e49ebbf7 100644
--- a/src/charon/plugins/medcli/medcli_config.c
+++ b/src/charon/plugins/medcli/medcli_config.c
@@ -32,22 +32,22 @@ struct private_medcli_config_t {
 	 * Public part
 	 */
 	medcli_config_t public;
-	
+
 	/**
 	 * database connection
 	 */
 	database_t *db;
-	
+
 	/**
 	 * rekey time
 	 */
 	int rekey;
-	
+
 	/**
 	 * dpd delay
 	 */
 	int dpd;
-	
+
 	/**
 	 * default ike config
 	 */
@@ -64,7 +64,7 @@ static traffic_selector_t *ts_from_string(char *str)
 		int netbits = 32;
 		host_t *net;
 		char *pos;
-		
+
 		str = strdupa(str);
 		pos = strchr(str, '/');
 		if (pos)
@@ -100,9 +100,16 @@ static peer_cfg_t *get_peer_cfg_by_name(private_medcli_config_t *this, char *nam
 	child_cfg_t *child_cfg;
 	chunk_t me, other;
 	char *address, *local_net, *remote_net;
-	
+	lifetime_cfg_t lifetime = {
+		.time = {
+			.life = this->rekey * 60 + this->rekey,
+			.rekey = this->rekey,
+			.jitter = this->rekey
+		}
+	};
+
 	/* query mediation server config:
-	 * - build ike_cfg/peer_cfg for mediation connection on-the-fly 
+	 * - build ike_cfg/peer_cfg for mediation connection on-the-fly
 	 */
 	e = this->db->query(this->db,
 			"SELECT Address, ClientConfig.KeyId, MediationServerConfig.KeyId "
@@ -117,14 +124,14 @@ static peer_cfg_t *get_peer_cfg_by_name(private_medcli_config_t *this, char *nam
 	ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
 	med_cfg = peer_cfg_create(
 		"mediation", 2, ike_cfg,
-		CERT_NEVER_SEND, UNIQUE_REPLACE, 
+		CERT_NEVER_SEND, UNIQUE_REPLACE,
 		1, this->rekey*60, 0,  			/* keytries, rekey, reauth */
 		this->rekey*5, this->rekey*3, 	/* jitter, overtime */
 		TRUE, this->dpd, 				/* mobike, dpddelay */
 		NULL, NULL, 					/* vip, pool */
 		TRUE, NULL, NULL); 				/* mediation, med by, peer id */
 	e->destroy(e);
-	
+
 	auth = auth_cfg_create();
 	auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
 	auth->add(auth, AUTH_RULE_IDENTITY,
@@ -135,7 +142,7 @@ static peer_cfg_t *get_peer_cfg_by_name(private_medcli_config_t *this, char *nam
 	auth->add(auth, AUTH_RULE_IDENTITY,
 			  identification_create_from_encoding(ID_KEY_ID, other));
 	med_cfg->add_auth_cfg(med_cfg, auth, FALSE);
-	
+
 	/* query mediated config:
 	 * - use any-any ike_cfg
 	 * - build peer_cfg on-the-fly using med_cfg
@@ -154,14 +161,14 @@ static peer_cfg_t *get_peer_cfg_by_name(private_medcli_config_t *this, char *nam
 	}
 	peer_cfg = peer_cfg_create(
 		name, 2, this->ike->get_ref(this->ike),
-		CERT_NEVER_SEND, UNIQUE_REPLACE, 
+		CERT_NEVER_SEND, UNIQUE_REPLACE,
 		1, this->rekey*60, 0,  			/* keytries, rekey, reauth */
 		this->rekey*5, this->rekey*3, 	/* jitter, overtime */
 		TRUE, this->dpd, 				/* mobike, dpddelay */
 		NULL, NULL, 					/* vip, pool */
-		FALSE, med_cfg,				 	/* mediation, med by */
+		FALSE, med_cfg,					/* mediation, med by */
 		identification_create_from_encoding(ID_KEY_ID, other));
-	
+
 	auth = auth_cfg_create();
 	auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
 	auth->add(auth, AUTH_RULE_IDENTITY,
@@ -172,10 +179,9 @@ static peer_cfg_t *get_peer_cfg_by_name(private_medcli_config_t *this, char *nam
 	auth->add(auth, AUTH_RULE_IDENTITY,
 			  identification_create_from_encoding(ID_KEY_ID, other));
 	peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);
-	
-	child_cfg = child_cfg_create(name, this->rekey*60 + this->rekey,
-							  this->rekey*60, this->rekey, NULL, TRUE,
-							  MODE_TUNNEL, ACTION_NONE, ACTION_NONE, FALSE);
+
+	child_cfg = child_cfg_create(name, &lifetime, NULL, TRUE,
+							  MODE_TUNNEL, ACTION_NONE, ACTION_NONE, FALSE, 0);
 	child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
 	child_cfg->add_traffic_selector(child_cfg, TRUE, ts_from_string(local_net));
 	child_cfg->add_traffic_selector(child_cfg, FALSE, ts_from_string(remote_net));
@@ -217,7 +223,14 @@ static bool peer_enumerator_enumerate(peer_enumerator_t *this, peer_cfg_t **cfg)
 	chunk_t me, other;
 	child_cfg_t *child_cfg;
 	auth_cfg_t *auth;
-	
+	lifetime_cfg_t lifetime = {
+		.time = {
+			.life = this->rekey * 60 + this->rekey,
+			.rekey = this->rekey,
+			.jitter = this->rekey
+		}
+	};
+
 	DESTROY_IF(this->current);
 	if (!this->inner->enumerate(this->inner, &name, &me, &other,
 								&local_net, &remote_net))
@@ -227,13 +240,13 @@ static bool peer_enumerator_enumerate(peer_enumerator_t *this, peer_cfg_t **cfg)
 	}
 	this->current = peer_cfg_create(
 				name, 2, this->ike->get_ref(this->ike),
-				CERT_NEVER_SEND, UNIQUE_REPLACE, 
+				CERT_NEVER_SEND, UNIQUE_REPLACE,
 				1, this->rekey*60, 0,  			/* keytries, rekey, reauth */
 				this->rekey*5, this->rekey*3, 	/* jitter, overtime */
 				TRUE, this->dpd, 				/* mobike, dpddelay */
 				NULL, NULL, 					/* vip, pool */
 				FALSE, NULL, NULL); 			/* mediation, med by, peer id */
-	
+
 	auth = auth_cfg_create();
 	auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
 	auth->add(auth, AUTH_RULE_IDENTITY,
@@ -244,11 +257,9 @@ static bool peer_enumerator_enumerate(peer_enumerator_t *this, peer_cfg_t **cfg)
 	auth->add(auth, AUTH_RULE_IDENTITY,
 			  identification_create_from_encoding(ID_KEY_ID, other));
 	this->current->add_auth_cfg(this->current, auth, FALSE);
-	
-	child_cfg = child_cfg_create(
-				name, this->rekey*60 + this->rekey,
-				this->rekey*60, this->rekey, NULL, TRUE,
-				MODE_TUNNEL, ACTION_NONE, ACTION_NONE, FALSE);
+
+	child_cfg = child_cfg_create(name, &lifetime, NULL, TRUE, MODE_TUNNEL,
+								 ACTION_NONE, ACTION_NONE, FALSE, 0);
 	child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
 	child_cfg->add_traffic_selector(child_cfg, TRUE, ts_from_string(local_net));
 	child_cfg->add_traffic_selector(child_cfg, FALSE, ts_from_string(remote_net));
@@ -275,7 +286,7 @@ static enumerator_t* create_peer_cfg_enumerator(private_medcli_config_t *this,
 												identification_t *other)
 {
 	peer_enumerator_t *e = malloc_thing(peer_enumerator_t);
-	
+
 	e->current = NULL;
 	e->ike = this->ike;
 	e->rekey = this->rekey;
@@ -289,12 +300,12 @@ static enumerator_t* create_peer_cfg_enumerator(private_medcli_config_t *this,
 			"Connection.LocalSubnet, Connection.RemoteSubnet "
 			"FROM ClientConfig JOIN Connection "
 			"WHERE Active AND "
-			"(? OR ClientConfig.KeyId = ?) AND (? OR Connection.KeyId = ?)", 
-			DB_INT, me == NULL || me->get_type(me) == ID_ANY, 
-			DB_BLOB, me && me->get_type(me) == ID_KEY_ID ? 
+			"(? OR ClientConfig.KeyId = ?) AND (? OR Connection.KeyId = ?)",
+			DB_INT, me == NULL || me->get_type(me) == ID_ANY,
+			DB_BLOB, me && me->get_type(me) == ID_KEY_ID ?
 				me->get_encoding(me) : chunk_empty,
-			DB_INT, other == NULL || other->get_type(other) == ID_ANY, 
-			DB_BLOB, other && other->get_type(other) == ID_KEY_ID ? 
+			DB_INT, other == NULL || other->get_type(other) == ID_ANY,
+			DB_BLOB, other && other->get_type(other) == ID_KEY_ID ?
 				other->get_encoding(other) : chunk_empty,
 			DB_TEXT, DB_BLOB, DB_BLOB, DB_TEXT, DB_TEXT);
 	if (!e->inner)
@@ -312,7 +323,7 @@ static job_requeue_t initiate_config(peer_cfg_t *peer_cfg)
 {
 	enumerator_t *enumerator;
 	child_cfg_t *child_cfg = NULL;;
-	
+
 	enumerator = peer_cfg->create_child_cfg_enumerator(peer_cfg);
 	enumerator->enumerate(enumerator, &child_cfg);
 	if (child_cfg)
@@ -337,7 +348,7 @@ static void schedule_autoinit(private_medcli_config_t *this)
 {
 	enumerator_t *e;
 	char *name;
-	
+
 	e = this->db->query(this->db, "SELECT Alias FROM Connection WHERE Active",
 						DB_TEXT);
 	if (e)
@@ -345,7 +356,7 @@ static void schedule_autoinit(private_medcli_config_t *this)
 		while (e->enumerate(e, &name))
 		{
 			peer_cfg_t *peer_cfg;
-			
+
 			peer_cfg = get_peer_cfg_by_name(this, name);
 			if (peer_cfg)
 			{
@@ -380,15 +391,15 @@ medcli_config_t *medcli_config_create(database_t *db)
 	this->public.backend.create_ike_cfg_enumerator = (enumerator_t*(*)(backend_t*, host_t *me, host_t *other))create_ike_cfg_enumerator;
 	this->public.backend.get_peer_cfg_by_name = (peer_cfg_t* (*)(backend_t*,char*))get_peer_cfg_by_name;
 	this->public.destroy = (void(*)(medcli_config_t*))destroy;
-	
+
 	this->db = db;
 	this->rekey = lib->settings->get_time(lib->settings, "medcli.rekey", 1200);
 	this->dpd = lib->settings->get_time(lib->settings, "medcli.dpd", 300);
 	this->ike = ike_cfg_create(FALSE, FALSE, "0.0.0.0", "0.0.0.0");
 	this->ike->add_proposal(this->ike, proposal_create_default(PROTO_IKE));
-	
+
 	schedule_autoinit(this);
-	
+
 	return &this->public;
 }
 
diff --git a/src/charon/plugins/medcli/medcli_config.h b/src/charon/plugins/medcli/medcli_config.h
index a37280bd0..36c20adf7 100644
--- a/src/charon/plugins/medcli/medcli_config.h
+++ b/src/charon/plugins/medcli/medcli_config.h
@@ -35,11 +35,11 @@ struct medcli_config_t {
 	 * Implements backend_t interface
 	 */
 	backend_t backend;
-	
+
 	/**
 	 * Destroy the backend.
 	 */
-	void (*destroy)(medcli_config_t *this);	
+	void (*destroy)(medcli_config_t *this);
 };
 
 /**
diff --git a/src/charon/plugins/medcli/medcli_creds.c b/src/charon/plugins/medcli/medcli_creds.c
index d3c66ae35..9729df3f5 100644
--- a/src/charon/plugins/medcli/medcli_creds.c
+++ b/src/charon/plugins/medcli/medcli_creds.c
@@ -30,7 +30,7 @@ struct private_medcli_creds_t {
 	 * Public part
 	 */
 	medcli_creds_t public;
-	
+
 	/**
 	 * underlying database handle
 	 */
@@ -90,21 +90,21 @@ static enumerator_t* create_private_enumerator(private_medcli_creds_t *this,
 										key_type_t type, identification_t *id)
 {
 	private_enumerator_t *e;
-	
+
 	if ((type != KEY_RSA && type != KEY_ANY) ||
 		id == NULL || id->get_type(id) != ID_KEY_ID)
 	{
 		DBG1(DBG_CFG, "%N - %Y", key_type_names, type, id);
 		return NULL;
 	}
-	
+
 	e = malloc_thing(private_enumerator_t);
 	e->current = NULL;
 	e->public.enumerate = (void*)private_enumerator_enumerate;
 	e->public.destroy = (void*)private_enumerator_destroy;
 	e->inner = this->db->query(this->db,
 						"SELECT PrivateKey FROM ClientConfig WHERE KeyId = ?",
-						DB_BLOB, id->get_encoding(id), 
+						DB_BLOB, id->get_encoding(id),
 						DB_BLOB);
 	if (!e->inner)
 	{
@@ -185,13 +185,13 @@ static enumerator_t* create_cert_enumerator(private_medcli_creds_t *this,
 										identification_t *id, bool trusted)
 {
 	cert_enumerator_t *e;
-	
+
 	if ((cert != CERT_TRUSTED_PUBKEY && cert != CERT_ANY) ||
 		id == NULL || id->get_type(id) != ID_KEY_ID)
 	{
 		return NULL;
 	}
-	
+
 	e = malloc_thing(cert_enumerator_t);
 	e->current = NULL;
 	e->type = key;
@@ -218,7 +218,7 @@ static enumerator_t* create_cert_enumerator(private_medcli_creds_t *this,
  */
 static void destroy(private_medcli_creds_t *this)
 {
-    free(this);
+	free(this);
 }
 
 /**
@@ -235,9 +235,9 @@ medcli_creds_t *medcli_creds_create(database_t *db)
 	this->public.set.cache_cert = (void*)nop;
 
 	this->public.destroy = (void (*)(medcli_creds_t*))destroy;
-	
+
 	this->db = db;
-	
+
 	return &this->public;
 }
 
diff --git a/src/charon/plugins/medcli/medcli_creds.h b/src/charon/plugins/medcli/medcli_creds.h
index 97bf1c226..4b5402653 100644
--- a/src/charon/plugins/medcli/medcli_creds.h
+++ b/src/charon/plugins/medcli/medcli_creds.h
@@ -35,11 +35,11 @@ struct medcli_creds_t {
 	 * Implements credential_set_t interface
 	 */
 	credential_set_t set;
-	
+
 	/**
 	 * Destroy the credentials databse.
 	 */
-	void (*destroy)(medcli_creds_t *this);	
+	void (*destroy)(medcli_creds_t *this);
 };
 
 /**
diff --git a/src/charon/plugins/medcli/medcli_listener.c b/src/charon/plugins/medcli/medcli_listener.c
index 4d058c0cd..142f02e6c 100644
--- a/src/charon/plugins/medcli/medcli_listener.c
+++ b/src/charon/plugins/medcli/medcli_listener.c
@@ -39,7 +39,7 @@ struct private_medcli_listener_t {
 	 * Public part
 	 */
 	medcli_listener_t public;
-	
+
 	/**
 	 * underlying database handle
 	 */
@@ -117,17 +117,17 @@ static void destroy(private_medcli_listener_t *this)
 medcli_listener_t *medcli_listener_create(database_t *db)
 {
 	private_medcli_listener_t *this = malloc_thing(private_medcli_listener_t);
-	
+
 	memset(&this->public.listener, 0, sizeof(listener_t));
-	
+
 	this->public.listener.ike_state_change = (void*)ike_state_change;
 	this->public.listener.child_state_change = (void*)child_state_change;
 	this->public.destroy = (void (*)(medcli_listener_t*))destroy;
-	
+
 	this->db = db;
 	db->execute(db, NULL, "UPDATE Connection SET Status = ?",
 				DB_UINT, STATE_DOWN);
-	
+
 	return &this->public;
 }
 
diff --git a/src/charon/plugins/medcli/medcli_listener.h b/src/charon/plugins/medcli/medcli_listener.h
index c6881f88a..4768beccd 100644
--- a/src/charon/plugins/medcli/medcli_listener.h
+++ b/src/charon/plugins/medcli/medcli_listener.h
@@ -35,11 +35,11 @@ struct medcli_listener_t {
 	 * Implements bus_listener_t interface
 	 */
 	listener_t listener;
-	
+
 	/**
 	 * Destroy the credentials databse.
 	 */
-	void (*destroy)(medcli_listener_t *this);	
+	void (*destroy)(medcli_listener_t *this);
 };
 
 /**
diff --git a/src/charon/plugins/medcli/medcli_plugin.c b/src/charon/plugins/medcli/medcli_plugin.c
index 908b144f0..148eded61 100644
--- a/src/charon/plugins/medcli/medcli_plugin.c
+++ b/src/charon/plugins/medcli/medcli_plugin.c
@@ -32,22 +32,22 @@ struct private_medcli_plugin_t {
 	 * implements plugin interface
 	 */
 	medcli_plugin_t public;
-	
+
 	/**
 	 * database connection instance
 	 */
 	database_t *db;
-	
+
 	/**
 	 * medcli credential set instance
 	 */
 	medcli_creds_t *creds;
-	
+
 	/**
 	 * medcli config database
 	 */
 	medcli_config_t *config;
-	
+
 	/**
 	 * Listener to update database connection state
 	 */
@@ -76,9 +76,9 @@ plugin_t *plugin_create()
 {
 	char *uri;
 	private_medcli_plugin_t *this = malloc_thing(private_medcli_plugin_t);
-	
+
 	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-	
+
 	uri = lib->settings->get_str(lib->settings,
 								 "medcli.database", NULL);
 	if (!uri)
@@ -87,7 +87,7 @@ plugin_t *plugin_create()
 		free(this);
 		return NULL;
 	}
-	
+
 	this->db = lib->db->create(lib->db, uri);
 	if (this->db == NULL)
 	{
@@ -95,15 +95,15 @@ plugin_t *plugin_create()
 		free(this);
 		return NULL;
 	}
-	
+
 	this->creds = medcli_creds_create(this->db);
 	this->config = medcli_config_create(this->db);
 	this->listener = medcli_listener_create(this->db);
-	
+
 	charon->credentials->add_set(charon->credentials, &this->creds->set);
 	charon->backends->add_backend(charon->backends, &this->config->backend);
 	charon->bus->add_listener(charon->bus, &this->listener->listener);
-	
+
 	return &this->public.plugin;
 }
 
diff --git a/src/charon/plugins/medsrv/Makefile.in b/src/charon/plugins/medsrv/Makefile.in
index ba599499b..c72887889 100644
--- a/src/charon/plugins/medsrv/Makefile.in
+++ b/src/charon/plugins/medsrv/Makefile.in
@@ -1,8 +1,9 @@
-# Makefile.in generated by automake 1.10.2 from Makefile.am.
+# Makefile.in generated by automake 1.11 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,8 +17,9 @@
 
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
@@ -35,19 +37,41 @@ host_triplet = @host@
 subdir = src/charon/plugins/medsrv
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
 CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
 am__vpath_adj = case $$p in \
     $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
     *) f=$$p;; \
   esac;
-am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__installdirs = "$(DESTDIR)$(plugindir)"
-pluginLTLIBRARIES_INSTALL = $(INSTALL)
 LTLIBRARIES = $(plugin_LTLIBRARIES)
 libstrongswan_medsrv_la_LIBADD =
 am_libstrongswan_medsrv_la_OBJECTS = medsrv_plugin.lo medsrv_creds.lo \
@@ -60,6 +84,7 @@ libstrongswan_medsrv_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
+am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
@@ -107,25 +132,22 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
-IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
-LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
-LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
-LINUX_HEADERS = @LINUX_HEADERS@
 LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
 NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
@@ -137,11 +159,14 @@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
 PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
+RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
@@ -170,9 +195,9 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
-confdir = @confdir@
 datadir = @datadir@
 datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
@@ -195,7 +220,7 @@ ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
 libstrongswan_plugins = @libstrongswan_plugins@
-linuxdir = @linuxdir@
+linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
@@ -203,6 +228,7 @@ mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
@@ -211,10 +237,12 @@ pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+random_device = @random_device@
 resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
-simreader = @simreader@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
@@ -222,6 +250,7 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
@@ -245,9 +274,9 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/charon/plugins/medsrv/Makefile'; \
-	cd $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu  src/charon/plugins/medsrv/Makefile
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/charon/plugins/medsrv/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/charon/plugins/medsrv/Makefile
 .PRECIOUS: Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
@@ -265,23 +294,28 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
 	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
 	  if test -f $$p; then \
-	    f=$(am__strip_dir) \
-	    echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(plugindir)/$$f'"; \
-	    $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(plugindir)/$$f"; \
+	    list2="$$list2 $$p"; \
 	  else :; fi; \
-	done
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
 
 uninstall-pluginLTLIBRARIES:
 	@$(NORMAL_UNINSTALL)
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
-	  p=$(am__strip_dir) \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$p'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$p"; \
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
 	done
 
 clean-pluginLTLIBRARIES:
@@ -307,21 +341,21 @@ distclean-compile:
 
 .c.o:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c $<
 
 .c.obj:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
 @am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
@@ -344,7 +378,7 @@ tags: TAGS
 
 TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
+	set x; \
 	here=`pwd`; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
@@ -352,29 +386,34 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
 	  test -n "$$unique" || unique=$$empty_fix; \
-	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	    $$tags $$unique; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
 	fi
 ctags: CTAGS
 CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	test -z "$(CTAGS_ARGS)$$unique" \
 	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$tags $$unique
+	     $$unique
 
 GTAGS:
 	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && cd $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) $$here
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
 
 distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
@@ -395,13 +434,17 @@ distdir: $(DISTFILES)
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
 	  if test -d $$d/$$file; then \
 	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
 	    fi; \
-	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
 	  else \
-	    test -f $(distdir)/$$file \
-	    || cp -p $$d/$$file $(distdir)/$$file \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
 	    || exit 1; \
 	  fi; \
 	done
@@ -432,6 +475,7 @@ clean-generic:
 
 distclean-generic:
 	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -453,6 +497,8 @@ dvi-am:
 
 html: html-am
 
+html-am:
+
 info: info-am
 
 info-am:
@@ -461,18 +507,28 @@ install-data-am: install-pluginLTLIBRARIES
 
 install-dvi: install-dvi-am
 
+install-dvi-am:
+
 install-exec-am:
 
 install-html: install-html-am
 
+install-html-am:
+
 install-info: install-info-am
 
+install-info-am:
+
 install-man:
 
 install-pdf: install-pdf-am
 
+install-pdf-am:
+
 install-ps: install-ps-am
 
+install-ps-am:
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -511,6 +567,7 @@ uninstall-am: uninstall-pluginLTLIBRARIES
 	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
 	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
 
+
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/src/charon/plugins/medsrv/medsrv_config.c b/src/charon/plugins/medsrv/medsrv_config.c
index 1ab7f3864..3df720967 100644
--- a/src/charon/plugins/medsrv/medsrv_config.c
+++ b/src/charon/plugins/medsrv/medsrv_config.c
@@ -30,22 +30,22 @@ struct private_medsrv_config_t {
 	 * Public part
 	 */
 	medsrv_config_t public;
-	
+
 	/**
 	 * database connection
 	 */
 	database_t *db;
-	
+
 	/**
 	 * rekey time
 	 */
 	int rekey;
-	
+
 	/**
 	 * dpd delay
 	 */
 	int dpd;
-	
+
 	/**
 	 * default ike config
 	 */
@@ -77,7 +77,7 @@ static enumerator_t* create_peer_cfg_enumerator(private_medsrv_config_t *this,
 												identification_t *other)
 {
 	enumerator_t *e;
-	
+
 	if (!me || !other || other->get_type(other) != ID_KEY_ID)
 	{
 		return NULL;
@@ -92,7 +92,7 @@ static enumerator_t* create_peer_cfg_enumerator(private_medsrv_config_t *this,
 		peer_cfg_t *peer_cfg;
 		auth_cfg_t *auth;
 		char *name;
-		
+
 		if (e->enumerate(e, &name))
 		{
 			peer_cfg = peer_cfg_create(
@@ -104,7 +104,7 @@ static enumerator_t* create_peer_cfg_enumerator(private_medsrv_config_t *this,
 				NULL, NULL, 					/* vip, pool */
 				TRUE, NULL, NULL); 				/* mediation, med by, peer id */
 			e->destroy(e);
-			
+
 			auth = auth_cfg_create();
 			auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
 			auth->add(auth, AUTH_RULE_IDENTITY, me->clone(me));
@@ -113,7 +113,7 @@ static enumerator_t* create_peer_cfg_enumerator(private_medsrv_config_t *this,
 			auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
 			auth->add(auth, AUTH_RULE_IDENTITY, other->clone(other));
 			peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);
-			
+
 			return enumerator_create_single(peer_cfg, (void*)peer_cfg->destroy);
 		}
 		e->destroy(e);
@@ -141,13 +141,13 @@ medsrv_config_t *medsrv_config_create(database_t *db)
 	this->public.backend.create_ike_cfg_enumerator = (enumerator_t*(*)(backend_t*, host_t *me, host_t *other))create_ike_cfg_enumerator;
 	this->public.backend.get_peer_cfg_by_name = (peer_cfg_t* (*)(backend_t*,char*))get_peer_cfg_by_name;
 	this->public.destroy = (void(*)(medsrv_config_t*))destroy;
-	
+
 	this->db = db;
 	this->rekey = lib->settings->get_time(lib->settings, "medsrv.rekey", 1200);
 	this->dpd = lib->settings->get_time(lib->settings, "medsrv.dpd", 300);
 	this->ike = ike_cfg_create(FALSE, FALSE, "0.0.0.0", "0.0.0.0");
 	this->ike->add_proposal(this->ike, proposal_create_default(PROTO_IKE));
-	
+
 	return &this->public;
 }
 
diff --git a/src/charon/plugins/medsrv/medsrv_config.h b/src/charon/plugins/medsrv/medsrv_config.h
index 2ed63bca7..fc8b0e972 100644
--- a/src/charon/plugins/medsrv/medsrv_config.h
+++ b/src/charon/plugins/medsrv/medsrv_config.h
@@ -35,11 +35,11 @@ struct medsrv_config_t {
 	 * Implements backend_t interface
 	 */
 	backend_t backend;
-	
+
 	/**
 	 * Destroy the backend.
 	 */
-	void (*destroy)(medsrv_config_t *this);	
+	void (*destroy)(medsrv_config_t *this);
 };
 
 /**
diff --git a/src/charon/plugins/medsrv/medsrv_creds.c b/src/charon/plugins/medsrv/medsrv_creds.c
index 7dac37f1f..8d1643908 100644
--- a/src/charon/plugins/medsrv/medsrv_creds.c
+++ b/src/charon/plugins/medsrv/medsrv_creds.c
@@ -30,7 +30,7 @@ struct private_medsrv_creds_t {
 	 * Public part
 	 */
 	medsrv_creds_t public;
-	
+
 	/**
 	 * underlying database handle
 	 */
@@ -109,13 +109,13 @@ static enumerator_t* create_cert_enumerator(private_medsrv_creds_t *this,
 										identification_t *id, bool trusted)
 {
 	cert_enumerator_t *e;
-	
+
 	if ((cert != CERT_TRUSTED_PUBKEY && cert != CERT_ANY) ||
 		id == NULL || id->get_type(id) != ID_KEY_ID)
 	{
 		return NULL;
 	}
-	
+
 	e = malloc_thing(cert_enumerator_t);
 	e->current = NULL;
 	e->type = key;
@@ -138,7 +138,7 @@ static enumerator_t* create_cert_enumerator(private_medsrv_creds_t *this,
  */
 static void destroy(private_medsrv_creds_t *this)
 {
-    free(this);
+	free(this);
 }
 
 /**
@@ -155,9 +155,9 @@ medsrv_creds_t *medsrv_creds_create(database_t *db)
 	this->public.set.cache_cert = (void*)nop;
 
 	this->public.destroy = (void (*)(medsrv_creds_t*))destroy;
-	
+
 	this->db = db;
-	
+
 	return &this->public;
 }
 
diff --git a/src/charon/plugins/medsrv/medsrv_creds.h b/src/charon/plugins/medsrv/medsrv_creds.h
index da23220c2..d08adf3bf 100644
--- a/src/charon/plugins/medsrv/medsrv_creds.h
+++ b/src/charon/plugins/medsrv/medsrv_creds.h
@@ -35,11 +35,11 @@ struct medsrv_creds_t {
 	 * Implements credential_set_t interface
 	 */
 	credential_set_t set;
-	
+
 	/**
 	 * Destroy the credentials databse.
 	 */
-	void (*destroy)(medsrv_creds_t *this);	
+	void (*destroy)(medsrv_creds_t *this);
 };
 
 /**
diff --git a/src/charon/plugins/medsrv/medsrv_plugin.c b/src/charon/plugins/medsrv/medsrv_plugin.c
index 4340d7991..7c533f10e 100644
--- a/src/charon/plugins/medsrv/medsrv_plugin.c
+++ b/src/charon/plugins/medsrv/medsrv_plugin.c
@@ -31,17 +31,17 @@ struct private_medsrv_plugin_t {
 	 * implements plugin interface
 	 */
 	medsrv_plugin_t public;
-	
+
 	/**
 	 * database connection instance
 	 */
 	database_t *db;
-	
+
 	/**
 	 * medsrv credential set instance
 	 */
 	medsrv_creds_t *creds;
-	
+
 	/**
 	 * medsrv config database
 	 */
@@ -68,9 +68,9 @@ plugin_t *plugin_create()
 {
 	char *uri;
 	private_medsrv_plugin_t *this = malloc_thing(private_medsrv_plugin_t);
-	
+
 	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-	
+
 	uri = lib->settings->get_str(lib->settings,
 								 "medsrv.database", NULL);
 	if (!uri)
@@ -79,7 +79,7 @@ plugin_t *plugin_create()
 		free(this);
 		return NULL;
 	}
-	
+
 	this->db = lib->db->create(lib->db, uri);
 	if (this->db == NULL)
 	{
@@ -87,13 +87,13 @@ plugin_t *plugin_create()
 		free(this);
 		return NULL;
 	}
-	
+
 	this->creds = medsrv_creds_create(this->db);
 	this->config = medsrv_config_create(this->db);
-	
+
 	charon->credentials->add_set(charon->credentials, &this->creds->set);
 	charon->backends->add_backend(charon->backends, &this->config->backend);
-	
+
 	return &this->public.plugin;
 }
 
diff --git a/src/charon/plugins/nm/Makefile.am b/src/charon/plugins/nm/Makefile.am
index b74a4e46f..56eae6e00 100644
--- a/src/charon/plugins/nm/Makefile.am
+++ b/src/charon/plugins/nm/Makefile.am
@@ -1,7 +1,8 @@
 
 INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon ${nm_CFLAGS}
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = -rdynamic \
+  -DNM_CA_DIR=\"${nm_ca_dir}\"
 
 plugin_LTLIBRARIES = libstrongswan-nm.la
 libstrongswan_nm_la_SOURCES = \
diff --git a/src/charon/plugins/nm/Makefile.in b/src/charon/plugins/nm/Makefile.in
index c7c428c2a..90a50cfae 100644
--- a/src/charon/plugins/nm/Makefile.in
+++ b/src/charon/plugins/nm/Makefile.in
@@ -1,8 +1,9 @@
-# Makefile.in generated by automake 1.10.2 from Makefile.am.
+# Makefile.in generated by automake 1.11 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,8 +17,9 @@
 
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
@@ -35,19 +37,41 @@ host_triplet = @host@
 subdir = src/charon/plugins/nm
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
 CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
 am__vpath_adj = case $$p in \
     $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
     *) f=$$p;; \
   esac;
-am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__installdirs = "$(DESTDIR)$(plugindir)"
-pluginLTLIBRARIES_INSTALL = $(INSTALL)
 LTLIBRARIES = $(plugin_LTLIBRARIES)
 am__DEPENDENCIES_1 =
 libstrongswan_nm_la_DEPENDENCIES = $(am__DEPENDENCIES_1)
@@ -60,6 +84,7 @@ libstrongswan_nm_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
+am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
@@ -107,25 +132,22 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
-IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
-LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
-LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
-LINUX_HEADERS = @LINUX_HEADERS@
 LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
 NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
@@ -137,11 +159,14 @@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
 PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
+RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
@@ -170,9 +195,9 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
-confdir = @confdir@
 datadir = @datadir@
 datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
@@ -195,7 +220,7 @@ ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
 libstrongswan_plugins = @libstrongswan_plugins@
-linuxdir = @linuxdir@
+linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
@@ -203,6 +228,7 @@ mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
@@ -211,10 +237,12 @@ pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+random_device = @random_device@
 resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
-simreader = @simreader@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
@@ -222,10 +250,13 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon ${nm_CFLAGS}
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = -rdynamic \
+  -DNM_CA_DIR=\"${nm_ca_dir}\"
+
 plugin_LTLIBRARIES = libstrongswan-nm.la
 libstrongswan_nm_la_SOURCES = \
   nm_plugin.h nm_plugin.c \
@@ -248,9 +279,9 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/charon/plugins/nm/Makefile'; \
-	cd $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu  src/charon/plugins/nm/Makefile
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/charon/plugins/nm/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/charon/plugins/nm/Makefile
 .PRECIOUS: Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
@@ -268,23 +299,28 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
 	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
 	  if test -f $$p; then \
-	    f=$(am__strip_dir) \
-	    echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(plugindir)/$$f'"; \
-	    $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(plugindir)/$$f"; \
+	    list2="$$list2 $$p"; \
 	  else :; fi; \
-	done
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
 
 uninstall-pluginLTLIBRARIES:
 	@$(NORMAL_UNINSTALL)
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
-	  p=$(am__strip_dir) \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$p'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$p"; \
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
 	done
 
 clean-pluginLTLIBRARIES:
@@ -311,21 +347,21 @@ distclean-compile:
 
 .c.o:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c $<
 
 .c.obj:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
 @am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
@@ -348,7 +384,7 @@ tags: TAGS
 
 TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
+	set x; \
 	here=`pwd`; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
@@ -356,29 +392,34 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
 	  test -n "$$unique" || unique=$$empty_fix; \
-	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	    $$tags $$unique; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
 	fi
 ctags: CTAGS
 CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	test -z "$(CTAGS_ARGS)$$unique" \
 	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$tags $$unique
+	     $$unique
 
 GTAGS:
 	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && cd $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) $$here
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
 
 distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
@@ -399,13 +440,17 @@ distdir: $(DISTFILES)
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
 	  if test -d $$d/$$file; then \
 	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
 	    fi; \
-	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
 	  else \
-	    test -f $(distdir)/$$file \
-	    || cp -p $$d/$$file $(distdir)/$$file \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
 	    || exit 1; \
 	  fi; \
 	done
@@ -436,6 +481,7 @@ clean-generic:
 
 distclean-generic:
 	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -457,6 +503,8 @@ dvi-am:
 
 html: html-am
 
+html-am:
+
 info: info-am
 
 info-am:
@@ -465,18 +513,28 @@ install-data-am: install-pluginLTLIBRARIES
 
 install-dvi: install-dvi-am
 
+install-dvi-am:
+
 install-exec-am:
 
 install-html: install-html-am
 
+install-html-am:
+
 install-info: install-info-am
 
+install-info-am:
+
 install-man:
 
 install-pdf: install-pdf-am
 
+install-pdf-am:
+
 install-ps: install-ps-am
 
+install-ps-am:
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -515,6 +573,7 @@ uninstall-am: uninstall-pluginLTLIBRARIES
 	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
 	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
 
+
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/src/charon/plugins/nm/nm_creds.c b/src/charon/plugins/nm/nm_creds.c
index 4ea2c36dd..193838e6b 100644
--- a/src/charon/plugins/nm/nm_creds.c
+++ b/src/charon/plugins/nm/nm_creds.c
@@ -15,8 +15,13 @@
 
 #include "nm_creds.h"
 
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <unistd.h>
+
 #include <daemon.h>
-#include <utils/mutex.h>
+#include <threading/rwlock.h>
+#include <credentials/certificates/x509.h>
 
 typedef struct private_nm_creds_t private_nm_creds_t;
 
@@ -29,32 +34,32 @@ struct private_nm_creds_t {
 	 * public functions
 	 */
 	nm_creds_t public;
-	
+
 	/**
-	 * gateway certificate
+	 * List of trusted certificates, certificate_t*
 	 */
-	certificate_t *cert;
-	
+	linked_list_t *certs;
+
 	/**
- 	 * User name
- 	 */
- 	identification_t *user;
-	
+	 * User name
+	 */
+	identification_t *user;
+
 	/**
 	 * User password
 	 */
 	char *pass;
-	
+
 	/**
 	 * users certificate
 	 */
 	certificate_t *usercert;
-	
+
 	/**
 	 * users private key
 	 */
 	private_key_t *key;
-	
+
 	/**
 	 * read/write lock
 	 */
@@ -68,13 +73,13 @@ static enumerator_t *create_usercert_enumerator(private_nm_creds_t *this,
 							certificate_type_t cert, key_type_t key)
 {
 	public_key_t *public;
-	
+
 	if (cert != CERT_ANY && cert != this->usercert->get_type(this->usercert))
 	{
 		return NULL;
 	}
 	if (key != KEY_ANY)
-	{	
+	{
 		public = this->usercert->get_public_key(this->usercert);
 		if (!public)
 		{
@@ -93,6 +98,80 @@ static enumerator_t *create_usercert_enumerator(private_nm_creds_t *this,
 								(void*)this->lock->unlock, this->lock);
 }
 
+/**
+ * CA certificate enumerator data
+ */
+typedef struct {
+	/** ref to credential credential store */
+	private_nm_creds_t *this;
+	/** type of key we are looking for */
+	key_type_t key;
+	/** CA certificate ID */
+	identification_t *id;
+} cert_data_t;
+
+/**
+ * Destroy CA certificate enumerator data
+ */
+static void cert_data_destroy(cert_data_t *data)
+{
+	data->this->lock->unlock(data->this->lock);
+	free(data);
+}
+
+/**
+ * Filter function for certificates enumerator
+ */
+static bool cert_filter(cert_data_t *data, certificate_t **in,
+						 certificate_t **out)
+{
+	certificate_t *cert = *in;
+	public_key_t *public;
+
+	public = cert->get_public_key(cert);
+	if (!public)
+	{
+		return FALSE;
+	}
+	if (data->key != KEY_ANY && public->get_type(public) != data->key)
+	{
+		public->destroy(public);
+		return FALSE;
+	}
+	if (data->id && data->id->get_type(data->id) == ID_KEY_ID &&
+		public->has_fingerprint(public, data->id->get_encoding(data->id)))
+	{
+		public->destroy(public);
+		*out = cert;
+		return TRUE;
+	}
+	public->destroy(public);
+	if (data->id && !cert->has_subject(cert, data->id))
+	{
+		return FALSE;
+	}
+	*out = cert;
+	return TRUE;
+}
+
+/**
+ * Create enumerator for trusted certificates
+ */
+static enumerator_t *create_trusted_cert_enumerator(private_nm_creds_t *this,
+										key_type_t key, identification_t *id)
+{
+	cert_data_t *data = malloc_thing(cert_data_t);
+
+	data->this = this;
+	data->id = id;
+	data->key = key;
+
+	this->lock->read_lock(this->lock);
+	return enumerator_create_filter(
+					this->certs->create_enumerator(this->certs),
+					(void*)cert_filter, data, (void*)cert_data_destroy);
+}
+
 /**
  * Implements credential_set_t.create_cert_enumerator
  */
@@ -105,38 +184,11 @@ static enumerator_t* create_cert_enumerator(private_nm_creds_t *this,
 	{
 		return create_usercert_enumerator(this, cert, key);
 	}
-
-	if (!this->cert)
-	{
-		return NULL;
-	}
-	if (cert != CERT_ANY && cert != this->cert->get_type(this->cert))
+	if (cert == CERT_X509 || cert == CERT_ANY)
 	{
-		return NULL;
+		return create_trusted_cert_enumerator(this, key, id);
 	}
-	if (id && !this->cert->has_subject(this->cert, id))
-	{
-		return NULL;
-	}
-	if (key != KEY_ANY)
-	{
-		public_key_t *public;
-	
-		public = this->cert->get_public_key(this->cert);
-		if (!public)
-		{
-			return NULL;
-		}
-		if (public->get_type(public) != key)
-		{
-			public->destroy(public);
-			return NULL;
-		}
-		public->destroy(public);
-	}
-	this->lock->read_lock(this->lock);
-	return enumerator_create_cleaner(enumerator_create_single(this->cert, NULL),
-									 (void*)this->lock->unlock, this->lock);
+	return NULL;
 }
 
 /**
@@ -155,10 +207,8 @@ static enumerator_t* create_private_enumerator(private_nm_creds_t *this,
 	}
 	if (id && id->get_type(id) != ID_ANY)
 	{
-		identification_t *keyid;
-		
-		keyid = this->key->get_id(this->key, id->get_type(id));
-		if (!keyid || !keyid->equals(keyid, id))
+		if (id->get_type(id) != ID_KEY_ID ||
+			!this->key->has_fingerprint(this->key, id->get_encoding(id)))
 		{
 			return NULL;
 		}
@@ -207,7 +257,7 @@ static void shared_destroy(shared_enumerator_t *this)
 /**
  * Implements credential_set_t.create_cert_enumerator
  */
-static enumerator_t* create_shared_enumerator(private_nm_creds_t *this, 
+static enumerator_t* create_shared_enumerator(private_nm_creds_t *this,
 							shared_key_type_t type,	identification_t *me,
 							identification_t *other)
 {
@@ -225,7 +275,7 @@ static enumerator_t* create_shared_enumerator(private_nm_creds_t *this,
 	{
 		return NULL;
 	}
-	
+
 	enumerator = malloc_thing(shared_enumerator_t);
 	enumerator->public.enumerate = (void*)shared_enumerate;
 	enumerator->public.destroy = (void*)shared_destroy;
@@ -239,16 +289,72 @@ static enumerator_t* create_shared_enumerator(private_nm_creds_t *this,
 }
 
 /**
- * Implementation of nm_creds_t.set_certificate
+ * Implementation of nm_creds_t.add_certificate
  */
-static void set_certificate(private_nm_creds_t *this, certificate_t *cert)
+static void add_certificate(private_nm_creds_t *this, certificate_t *cert)
 {
 	this->lock->write_lock(this->lock);
-	DESTROY_IF(this->cert);
-	this->cert = cert;
+	this->certs->insert_last(this->certs, cert);
 	this->lock->unlock(this->lock);
 }
 
+/**
+ * Load a certificate file
+ */
+static void load_ca_file(private_nm_creds_t *this, char *file)
+{
+	certificate_t *cert;
+
+	/* We add the CA constraint, as many CAs miss it */
+	cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+							  BUILD_FROM_FILE, file, BUILD_END);
+	if (!cert)
+	{
+		DBG1(DBG_CFG, "loading CA certificate '%s' failed", file);
+	}
+	else
+	{
+		DBG2(DBG_CFG, "loaded CA certificate '%Y'", cert->get_subject(cert));
+		x509_t *x509 = (x509_t*)cert;
+		if (!(x509->get_flags(x509) & X509_SELF_SIGNED))
+		{
+			DBG1(DBG_CFG, "%Y is not self signed", cert->get_subject(cert));
+		}
+		this->certs->insert_last(this->certs, cert);
+	}
+}
+
+/**
+ * Implementation of nm_creds_t.load_ca_dir
+ */
+static void load_ca_dir(private_nm_creds_t *this, char *dir)
+{
+	enumerator_t *enumerator;
+	char *rel, *abs;
+	struct stat st;
+
+	enumerator = enumerator_create_directory(dir);
+	if (enumerator)
+	{
+		while (enumerator->enumerate(enumerator, &rel, &abs, &st))
+		{
+			/* skip '.', '..' and hidden files */
+			if (rel[0] != '.')
+			{
+				if (S_ISDIR(st.st_mode))
+				{
+					load_ca_dir(this, abs);
+				}
+				else if (S_ISREG(st.st_mode))
+				{
+					load_ca_file(this, abs);
+				}
+			}
+		}
+		enumerator->destroy(enumerator);
+	}
+}
+
 /**
  * Implementation of nm_creds_t.set_password
  */
@@ -266,7 +372,7 @@ static void set_username_password(private_nm_creds_t *this, identification_t *id
 /**
  * Implementation of nm_creds_t.set_cert_and_key
  */
-static void set_cert_and_key(private_nm_creds_t *this, certificate_t *cert,	
+static void set_cert_and_key(private_nm_creds_t *this, certificate_t *cert,
 							 private_key_t *key)
 {
 	this->lock->write_lock(this->lock);
@@ -275,14 +381,19 @@ static void set_cert_and_key(private_nm_creds_t *this, certificate_t *cert,
 	this->key = key;
 	this->usercert = cert;
 	this->lock->unlock(this->lock);
-}	
+}
 
 /**
  * Implementation of nm_creds_t.clear
  */
 static void clear(private_nm_creds_t *this)
 {
-	DESTROY_IF(this->cert);
+	certificate_t *cert;
+
+	while (this->certs->remove_last(this->certs, (void**)&cert) == SUCCESS)
+	{
+		cert->destroy(cert);
+	}
 	DESTROY_IF(this->user);
 	free(this->pass);
 	DESTROY_IF(this->usercert);
@@ -290,7 +401,6 @@ static void clear(private_nm_creds_t *this)
 	this->key = NULL;
 	this->usercert = NULL;
 	this->pass = NULL;
-	this->cert = NULL;
 	this->user = NULL;
 }
 
@@ -300,6 +410,7 @@ static void clear(private_nm_creds_t *this)
 static void destroy(private_nm_creds_t *this)
 {
 	clear(this);
+	this->certs->destroy(this->certs);
 	this->lock->destroy(this->lock);
 	free(this);
 }
@@ -310,26 +421,27 @@ static void destroy(private_nm_creds_t *this)
 nm_creds_t *nm_creds_create()
 {
 	private_nm_creds_t *this = malloc_thing(private_nm_creds_t);
-	
+
 	this->public.set.create_private_enumerator = (void*)create_private_enumerator;
 	this->public.set.create_cert_enumerator = (void*)create_cert_enumerator;
 	this->public.set.create_shared_enumerator = (void*)create_shared_enumerator;
 	this->public.set.create_cdp_enumerator = (void*)return_null;
 	this->public.set.cache_cert = (void*)nop;
-	this->public.set_certificate = (void(*)(nm_creds_t*, certificate_t *cert))set_certificate;
+	this->public.add_certificate = (void(*)(nm_creds_t*, certificate_t *cert))add_certificate;
+	this->public.load_ca_dir = (void(*)(nm_creds_t*, char *dir))load_ca_dir;
 	this->public.set_username_password = (void(*)(nm_creds_t*, identification_t *id, char *password))set_username_password;
 	this->public.set_cert_and_key = (void(*)(nm_creds_t*, certificate_t *cert, private_key_t *key))set_cert_and_key;
 	this->public.clear = (void(*)(nm_creds_t*))clear;
 	this->public.destroy = (void(*)(nm_creds_t*))destroy;
-	
+
 	this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
-	
-	this->cert = NULL;
+
+	this->certs = linked_list_create();
 	this->user = NULL;
 	this->pass = NULL;
 	this->usercert = NULL;
 	this->key = NULL;
-	
+
 	return &this->public;
 }
 
diff --git a/src/charon/plugins/nm/nm_creds.h b/src/charon/plugins/nm/nm_creds.h
index 421442c81..b55cff31e 100644
--- a/src/charon/plugins/nm/nm_creds.h
+++ b/src/charon/plugins/nm/nm_creds.h
@@ -35,14 +35,21 @@ struct nm_creds_t {
 	 * Implements credential_set_t
 	 */
 	credential_set_t set;
-	
+
 	/**
-	 * Set the trusted gateway certificate to serve by this set.
+	 * Add a trusted gateway certificate to serve by this set.
 	 *
 	 * @param cert		certificate to serve
 	 */
-	void (*set_certificate)(nm_creds_t *this, certificate_t *cert);
-	
+	void (*add_certificate)(nm_creds_t *this, certificate_t *cert);
+
+	/**
+	 * Load CA certificates recursively from a directory.
+	 *
+	 * @param dir		directory to PEM encoded CA certificates
+	 */
+	void (*load_ca_dir)(nm_creds_t *this, char *dir);
+
 	/**
 	 * Set the username/password for authentication.
 	 *
diff --git a/src/charon/plugins/nm/nm_handler.c b/src/charon/plugins/nm/nm_handler.c
index 026c47af2..eacb54dda 100644
--- a/src/charon/plugins/nm/nm_handler.c
+++ b/src/charon/plugins/nm/nm_handler.c
@@ -23,17 +23,17 @@ typedef struct private_nm_handler_t private_nm_handler_t;
  * Private data of an nm_handler_t object.
  */
 struct private_nm_handler_t {
-	
+
 	/**
 	 * Public nm_handler_t interface.
 	 */
 	nm_handler_t public;
-	
+
 	/**
 	 * list of received DNS server attributes, pointer to 4 byte data
 	 */
 	linked_list_t *dns;
-	
+
 	/**
 	 * list of received NBNS server attributes, pointer to 4 byte data
 	 */
@@ -43,11 +43,11 @@ struct private_nm_handler_t {
 /**
  * Implementation of attribute_handler_t.handle
  */
-static bool handle(private_nm_handler_t *this, ike_sa_t *ike_sa,
+static bool handle(private_nm_handler_t *this, identification_t *server,
 				   configuration_attribute_type_t type, chunk_t data)
 {
 	linked_list_t *list;
-	
+
 	switch (type)
 	{
 		case INTERNAL_IP4_DNS:
@@ -67,6 +67,50 @@ static bool handle(private_nm_handler_t *this, ike_sa_t *ike_sa,
 	return TRUE;
 }
 
+/**
+ * Implementation of create_attribute_enumerator().enumerate() for WINS
+ */
+static bool enumerate_nbns(enumerator_t *this,
+						   configuration_attribute_type_t *type, chunk_t *data)
+{
+	*type = INTERNAL_IP4_NBNS;
+	*data = chunk_empty;
+	/* done */
+	this->enumerate = (void*)return_false;
+	return TRUE;
+}
+
+/**
+ * Implementation of create_attribute_enumerator().enumerate() for DNS
+ */
+static bool enumerate_dns(enumerator_t *this,
+						  configuration_attribute_type_t *type, chunk_t *data)
+{
+	*type = INTERNAL_IP4_DNS;
+	*data = chunk_empty;
+	/* enumerate WINS server as next attribute ... */
+	this->enumerate = (void*)enumerate_nbns;
+	return TRUE;
+}
+
+/**
+ * Implementation of attribute_handler_t.create_attribute_enumerator
+ */
+static enumerator_t* create_attribute_enumerator(private_nm_handler_t *this,
+										identification_t *server, host_t *vip)
+{
+	if (vip && vip->get_family(vip) == AF_INET)
+	{	/* no IPv6 attributes yet */
+		enumerator_t *enumerator = malloc_thing(enumerator_t);
+		/* enumerate DNS attribute first ... */
+		enumerator->enumerate = (void*)enumerate_dns;
+		enumerator->destroy = (void*)free;
+
+		return enumerator;
+	}
+	return enumerator_create_empty();
+}
+
 /**
  * convert plain byte ptrs to handy chunk during enumeration
  */
@@ -83,7 +127,7 @@ static enumerator_t* create_enumerator(private_nm_handler_t *this,
 									   configuration_attribute_type_t type)
 {
 	linked_list_t *list;
-	
+
 	switch (type)
 	{
 		case INTERNAL_IP4_DNS:
@@ -105,7 +149,7 @@ static enumerator_t* create_enumerator(private_nm_handler_t *this,
 static void reset(private_nm_handler_t *this)
 {
 	void *data;
-	
+
 	while (this->dns->remove_last(this->dns, (void**)&data) == SUCCESS)
 	{
 		free(data);
@@ -133,16 +177,17 @@ static void destroy(private_nm_handler_t *this)
 nm_handler_t *nm_handler_create()
 {
 	private_nm_handler_t *this = malloc_thing(private_nm_handler_t);
-	
-	this->public.handler.handle = (bool(*)(attribute_handler_t*, ike_sa_t*, configuration_attribute_type_t, chunk_t))handle;
-	this->public.handler.release = (void(*)(attribute_handler_t*, ike_sa_t*, configuration_attribute_type_t, chunk_t))nop;
+
+	this->public.handler.handle = (bool(*)(attribute_handler_t*, identification_t*, configuration_attribute_type_t, chunk_t))handle;
+	this->public.handler.release = (void(*)(attribute_handler_t*, identification_t*, configuration_attribute_type_t, chunk_t))nop;
+	this->public.handler.create_attribute_enumerator = (enumerator_t*(*)(attribute_handler_t*, identification_t *server, host_t *vip))create_attribute_enumerator;
 	this->public.create_enumerator = (enumerator_t*(*)(nm_handler_t*, configuration_attribute_type_t type))create_enumerator;
 	this->public.reset = (void(*)(nm_handler_t*))reset;
 	this->public.destroy = (void(*)(nm_handler_t*))destroy;
-	
+
 	this->dns = linked_list_create();
 	this->nbns = linked_list_create();
-	
+
 	return &this->public;
 }
 
diff --git a/src/charon/plugins/nm/nm_handler.h b/src/charon/plugins/nm/nm_handler.h
index d537bb8de..bb35ce767 100644
--- a/src/charon/plugins/nm/nm_handler.h
+++ b/src/charon/plugins/nm/nm_handler.h
@@ -21,7 +21,7 @@
 #ifndef NM_HANDLER_H_
 #define NM_HANDLER_H_
 
-#include <config/attributes/attribute_handler.h>
+#include <attributes/attribute_handler.h>
 
 typedef struct nm_handler_t nm_handler_t;
 
@@ -29,12 +29,12 @@ typedef struct nm_handler_t nm_handler_t;
  * Handles DNS/NBNS attributes to pass to NM.
  */
 struct nm_handler_t {
-	
+
 	/**
 	 * Implements attribute handler interface
 	 */
 	attribute_handler_t handler;
-	
+
 	/**
 	 * Create an enumerator over received attributes of a given kind.
 	 *
@@ -47,7 +47,7 @@ struct nm_handler_t {
 	 * Reset state, flush all received attributes.
 	 */
 	void (*reset)(nm_handler_t *this);
-	
+
 	/**
 	 * Destroy a nm_handler_t.
 	 */
@@ -59,4 +59,4 @@ struct nm_handler_t {
  */
 nm_handler_t *nm_handler_create();
 
-#endif /* NM_HANDLER_ @}*/
+#endif /** NM_HANDLER_H_ @}*/
diff --git a/src/charon/plugins/nm/nm_plugin.c b/src/charon/plugins/nm/nm_plugin.c
index 1fb46f814..daf2cc660 100644
--- a/src/charon/plugins/nm/nm_plugin.c
+++ b/src/charon/plugins/nm/nm_plugin.c
@@ -34,22 +34,22 @@ struct private_nm_plugin_t {
 	 * implements plugin interface
 	 */
 	nm_plugin_t public;
-	
+
 	/**
 	 * NetworkManager service (VPNPlugin)
 	 */
 	NMStrongswanPlugin *plugin;
-	
+
 	/**
 	 * Glib main loop for a thread, handles DBUS calls
 	 */
 	GMainLoop *loop;
-	
+
 	/**
 	 * credential set registered at the daemon
 	 */
 	nm_creds_t *creds;
-	
+
 	/**
 	 * attribute handler regeisterd at the daemon
 	 */
@@ -84,8 +84,8 @@ static void destroy(private_nm_plugin_t *this)
 		g_object_unref(this->plugin);
 	}
 	charon->credentials->remove_set(charon->credentials, &this->creds->set);
+	lib->attributes->remove_handler(lib->attributes, &this->handler->handler);
 	this->creds->destroy(this->creds);
-	charon->attributes->remove_handler(charon->attributes, &this->handler->handler);
 	this->handler->destroy(this->handler);
 	free(this);
 }
@@ -96,20 +96,20 @@ static void destroy(private_nm_plugin_t *this)
 plugin_t *plugin_create()
 {
 	private_nm_plugin_t *this = malloc_thing(private_nm_plugin_t);
-	
+
 	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-	
+
 	this->loop = NULL;
 	g_type_init ();
 	if (!g_thread_supported())
 	{
 		g_thread_init(NULL);
 	}
-	
+
 	this->creds = nm_creds_create();
 	this->handler = nm_handler_create();
+	lib->attributes->add_handler(lib->attributes, &this->handler->handler);
 	charon->credentials->add_set(charon->credentials, &this->creds->set);
-	charon->attributes->add_handler(charon->attributes, &this->handler->handler);
 	this->plugin = nm_strongswan_plugin_new(this->creds, this->handler);
 	if (!this->plugin)
 	{
@@ -117,13 +117,13 @@ plugin_t *plugin_create()
 		destroy(this);
 		return NULL;
 	}
-	
+
 	/* bypass file permissions to read from users ssh-agent */
 	charon->keep_cap(charon, CAP_DAC_OVERRIDE);
-	
-	charon->processor->queue_job(charon->processor, 
+
+	charon->processor->queue_job(charon->processor,
 		 (job_t*)callback_job_create((callback_job_cb_t)run, this, NULL, NULL));
-	
+
 	return &this->public.plugin;
 }
 
diff --git a/src/charon/plugins/nm/nm_service.c b/src/charon/plugins/nm/nm_service.c
index 88a3cc95e..b05383c2b 100644
--- a/src/charon/plugins/nm/nm_service.c
+++ b/src/charon/plugins/nm/nm_service.c
@@ -18,7 +18,6 @@
 #include "nm_service.h"
 
 #include <daemon.h>
-#include <asn1/pem.h>
 #include <utils/host.h>
 #include <utils/identification.h>
 #include <config/peer_cfg.h>
@@ -60,7 +59,7 @@ static GValue* handler_to_val(nm_handler_t *handler,
 	GArray *array;
 	enumerator_t *enumerator;
 	chunk_t chunk;
-	
+
 	enumerator = handler->create_enumerator(handler, type);
 	array = g_array_new (FALSE, TRUE, sizeof (guint32));
 	while (enumerator->enumerate(enumerator, &chunk))
@@ -71,7 +70,7 @@ static GValue* handler_to_val(nm_handler_t *handler,
 	val = g_slice_new0 (GValue);
 	g_value_init (val, DBUS_TYPE_G_UINT_ARRAY);
 	g_value_set_boxed (val, array);
-	
+
 	return val;
 }
 
@@ -85,37 +84,37 @@ static void signal_ipv4_config(NMVPNPlugin *plugin,
 	GHashTable *config;
 	host_t *me, *other;
 	nm_handler_t *handler;
-	
+
 	config = g_hash_table_new(g_str_hash, g_str_equal);
 	me = ike_sa->get_my_host(ike_sa);
 	other = ike_sa->get_other_host(ike_sa);
 	handler = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin)->handler;
-	
+
 	/* NM requires a tundev, but netkey does not use one. Passing an invalid
 	 * iface makes NM complain, but it accepts it without fiddling on eth0. */
 	val = g_slice_new0 (GValue);
 	g_value_init (val, G_TYPE_STRING);
 	g_value_set_string (val, "none");
 	g_hash_table_insert (config, NM_VPN_PLUGIN_IP4_CONFIG_TUNDEV, val);
-	
+
 	val = g_slice_new0(GValue);
 	g_value_init(val, G_TYPE_UINT);
 	g_value_set_uint(val, *(u_int32_t*)me->get_address(me).ptr);
 	g_hash_table_insert(config, NM_VPN_PLUGIN_IP4_CONFIG_ADDRESS, val);
-	
+
 	val = g_slice_new0(GValue);
 	g_value_init(val, G_TYPE_UINT);
 	g_value_set_uint(val, me->get_address(me).len * 8);
 	g_hash_table_insert(config, NM_VPN_PLUGIN_IP4_CONFIG_PREFIX, val);
-	
+
 	val = handler_to_val(handler, INTERNAL_IP4_DNS);
 	g_hash_table_insert(config, NM_VPN_PLUGIN_IP4_CONFIG_DNS, val);
-	
+
 	val = handler_to_val(handler, INTERNAL_IP4_NBNS);
 	g_hash_table_insert(config, NM_VPN_PLUGIN_IP4_CONFIG_NBNS, val);
-	
+
 	handler->reset(handler);
-	
+
 	nm_vpn_plugin_set_ip4_config(plugin, config);
 }
 
@@ -125,11 +124,11 @@ static void signal_ipv4_config(NMVPNPlugin *plugin,
 static void signal_failure(NMVPNPlugin *plugin, NMVPNPluginFailure failure)
 {
 	nm_handler_t *handler = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin)->handler;
-	
+
 	handler->reset(handler);
-	
+
 	/* TODO: NM does not handle this failure!? */
-	nm_vpn_plugin_failure(plugin, failure); 
+	nm_vpn_plugin_failure(plugin, failure);
 	nm_vpn_plugin_set_state(plugin, NM_VPN_SERVICE_STATE_STOPPED);
 }
 
@@ -140,7 +139,7 @@ static bool ike_state_change(listener_t *listener, ike_sa_t *ike_sa,
 							 ike_sa_state_t state)
 {
 	NMStrongswanPluginPrivate *private = (NMStrongswanPluginPrivate*)listener;
-	
+
 	if (private->ike_sa == ike_sa && state == IKE_DESTROYING)
 	{
 		signal_failure(private->plugin, NM_VPN_PLUGIN_FAILURE_LOGIN_FAILED);
@@ -156,7 +155,7 @@ static bool child_state_change(listener_t *listener, ike_sa_t *ike_sa,
 							   child_sa_t *child_sa, child_sa_state_t state)
 {
 	NMStrongswanPluginPrivate *private = (NMStrongswanPluginPrivate*)listener;
-	
+
 	if (private->ike_sa == ike_sa && state == CHILD_DESTROYING)
 	{
 		signal_failure(private->plugin, NM_VPN_PLUGIN_FAILURE_CONNECT_FAILED);
@@ -172,7 +171,7 @@ static bool child_updown(listener_t *listener, ike_sa_t *ike_sa,
 						 child_sa_t *child_sa, bool up)
 {
 	NMStrongswanPluginPrivate *private = (NMStrongswanPluginPrivate*)listener;
-	
+
 	if (private->ike_sa == ike_sa)
 	{
 		if (up)
@@ -196,7 +195,7 @@ static bool child_updown(listener_t *listener, ike_sa_t *ike_sa,
 static bool ike_rekey(listener_t *listener, ike_sa_t *old, ike_sa_t *new)
 {
 	NMStrongswanPluginPrivate *private = (NMStrongswanPluginPrivate*)listener;
-	
+
 	if (private->ike_sa == old)
 	{	/* follow a rekeyed IKE_SA */
 		private->ike_sa = new;
@@ -213,7 +212,7 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
 	NMStrongswanPluginPrivate *priv;
 	NMSettingConnection *conn;
 	NMSettingVPN *vpn;
-	identification_t *user = NULL, *gateway;
+	identification_t *user = NULL, *gateway = NULL;
 	const char *address, *str;
 	bool virtual, encap, ipcomp;
 	ike_cfg_t *ike_cfg;
@@ -226,7 +225,14 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
 	certificate_t *cert = NULL;
 	x509_t *x509;
 	bool agent = FALSE;
-	
+	lifetime_cfg_t lifetime = {
+		.time = {
+			.life = 10800 /* 3h */,
+			.rekey = 10200 /* 2h50min */,
+			.jitter = 300 /* 5min */
+		}
+	};
+
 	/**
 	 * Read parameters
 	 */
@@ -248,7 +254,7 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
 	if (!address || !*address)
 	{
 		g_set_error(err, NM_VPN_PLUGIN_ERROR, NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
-				    "Gateway address missing.");
+					"Gateway address missing.");
 		return FALSE;
 	}
 	str = nm_setting_vpn_get_data_item(vpn, "virtual");
@@ -274,42 +280,50 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
 			auth_class = AUTH_CLASS_PUBKEY;
 		}
 	}
-	
+
 	/**
 	 * Register credentials
 	 */
 	priv->creds->clear(priv->creds);
-	
+
 	/* gateway/CA cert */
 	str = nm_setting_vpn_get_data_item(vpn, "certificate");
 	if (str)
 	{
 		cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
 								  BUILD_FROM_FILE, str, BUILD_END);
-		priv->creds->set_certificate(priv->creds, cert);
+		if (!cert)
+		{
+			g_set_error(err, NM_VPN_PLUGIN_ERROR,
+						NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
+						"Loading gateway certificate failed.");
+			return FALSE;
+		}
+		priv->creds->add_certificate(priv->creds, cert);
+
+		x509 = (x509_t*)cert;
+		if (!(x509->get_flags(x509) & X509_CA))
+		{	/* For a gateway certificate, we use the cert subject as identity. */
+			gateway = cert->get_subject(cert);
+			gateway = gateway->clone(gateway);
+			DBG1(DBG_CFG, "using gateway certificate, identity '%Y'", gateway);
+		}
 	}
-	if (!cert)
+	else
 	{
-		g_set_error(err, NM_VPN_PLUGIN_ERROR, NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
-				    "Loading gateway certificate failed.");
-		return FALSE;
+		/* no certificate defined, fall back to system-wide CA certificates */
+		priv->creds->load_ca_dir(priv->creds, NM_CA_DIR);
 	}
-	x509 = (x509_t*)cert;
-	if (x509->get_flags(x509) & X509_CA)
-	{	/* If the user configured a CA certificate, we use the IP/DNS
+	if (!gateway)
+	{
+		/* If the user configured a CA certificate, we use the IP/DNS
 		 * of the gateway as its identity. This identity will be used for
 		 * certificate lookup and requires the configured IP/DNS to be
 		 * included in the gateway certificate. */
 		gateway = identification_create_from_string((char*)address);
 		DBG1(DBG_CFG, "using CA certificate, gateway identity '%Y'", gateway);
 	}
-	else
-	{	/* For a gateway certificate, we use the cert subject as identity. */
-		gateway = cert->get_subject(cert);
-		gateway = gateway->clone(gateway);
-		DBG1(DBG_CFG, "using gateway certificate, identity '%Y'", gateway);
-	}
-	
+
 	if (auth_class == AUTH_CLASS_EAP)
 	{
 		/* username/password authentication ... */
@@ -321,7 +335,7 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
 			priv->creds->set_username_password(priv->creds, user, (char*)str);
 		}
 	}
-	
+
 	if (auth_class == AUTH_CLASS_PUBKEY)
 	{
 		/* ... or certificate/private key authenitcation */
@@ -330,7 +344,7 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
 		{
 			public_key_t *public;
 			private_key_t *private = NULL;
-			
+
 			cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
 									  BUILD_FROM_FILE, str, BUILD_END);
 			if (!cert)
@@ -341,7 +355,7 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
 				gateway->destroy(gateway);
 				return FALSE;
 			}
-			/* try agent */  
+			/* try agent */
 			str = nm_setting_vpn_get_secret(vpn, "agent");
 			if (agent && str)
 			{
@@ -362,24 +376,20 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
 								"Connecting to SSH agent failed.");
 				}
 			}
-			/* ... or key file */  
+			/* ... or key file */
 			str = nm_setting_vpn_get_data_item(vpn, "userkey");
 			if (!agent && str)
 			{
-				chunk_t secret, chunk;
-				bool pgp = FALSE;
-				
+				chunk_t secret;
+
 				secret.ptr = (char*)nm_setting_vpn_get_secret(vpn, "password");
 				if (secret.ptr)
 				{
 					secret.len = strlen(secret.ptr);
 				}
-				if (pem_asn1_load_file((char*)str, &secret, &chunk, &pgp))
-				{
-					private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY,
-								KEY_RSA, BUILD_BLOB_ASN1_DER, chunk, BUILD_END);
-					free(chunk.ptr);
-				}
+				private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY,
+								KEY_RSA, BUILD_FROM_FILE, str,
+								BUILD_PASSPHRASE, secret, BUILD_END);
 				if (!private)
 				{
 					g_set_error(err, NM_VPN_PLUGIN_ERROR,
@@ -401,7 +411,7 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
 			}
 		}
 	}
-	
+
 	if (!user)
 	{
 		g_set_error(err, NM_VPN_PLUGIN_ERROR, NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
@@ -409,7 +419,7 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
 		gateway->destroy(gateway);
 		return FALSE;
 	}
-	
+
 	/**
 	 * Set up configurations
 	 */
@@ -430,12 +440,10 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
 	auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
 	auth->add(auth, AUTH_RULE_IDENTITY, gateway);
 	peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);
-	
-	child_cfg = child_cfg_create(priv->name,
-								 10800, 10200, /* lifetime 3h, rekey 2h50min */
-								 300, /* jitter 5min */
+
+	child_cfg = child_cfg_create(priv->name, &lifetime,
 								 NULL, TRUE, MODE_TUNNEL, /* updown, hostaccess */
-								 ACTION_NONE, ACTION_NONE, ipcomp);
+								 ACTION_NONE, ACTION_NONE, ipcomp, 0);
 	child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
 	ts = traffic_selector_create_dynamic(0, 0, 65535);
 	child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
@@ -444,7 +452,7 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
 											 "255.255.255.255", 65535);
 	child_cfg->add_traffic_selector(child_cfg, FALSE, ts);
 	peer_cfg->add_child_cfg(peer_cfg, child_cfg);
-	
+
 	/**
 	 * Prepare IKE_SA
 	 */
@@ -454,11 +462,8 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
 	{
 		ike_sa->set_peer_cfg(ike_sa, peer_cfg);
 	}
-	else
-	{
-		peer_cfg->destroy(peer_cfg);
-	}
-	
+	peer_cfg->destroy(peer_cfg);
+
 	/**
 	 * Register listener, enable  initiate-failure-detection hooks
 	 */
@@ -466,7 +471,7 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
 	priv->listener.ike_state_change = ike_state_change;
 	priv->listener.child_state_change = child_state_change;
 	charon->bus->add_listener(charon->bus, &priv->listener);
-	
+
 	/**
 	 * Initiate
 	 */
@@ -474,9 +479,9 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
 	{
 		charon->bus->remove_listener(charon->bus, &priv->listener);
 		charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, ike_sa);
-		
+
 		g_set_error(err, NM_VPN_PLUGIN_ERROR, NM_VPN_PLUGIN_ERROR_LAUNCH_FAILED,
-				    "Initiating failed.");
+					"Initiating failed.");
 		return FALSE;
 	}
 	charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
@@ -484,16 +489,14 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
 }
 
 /**
- * NeedSecrets called from NM via DBUS 
+ * NeedSecrets called from NM via DBUS
  */
 static gboolean need_secrets(NMVPNPlugin *plugin, NMConnection *connection,
 							 char **setting_name, GError **error)
 {
 	NMSettingVPN *settings;
 	const char *method, *path;
-	chunk_t secret = chunk_empty, key;
-	bool pgp = FALSE;
-	
+
 	settings = NM_SETTING_VPN(nm_connection_get_setting(connection,
 														NM_TYPE_SETTING_VPN));
 	method = nm_setting_vpn_get_data_item(settings, "method");
@@ -518,14 +521,21 @@ static gboolean need_secrets(NMVPNPlugin *plugin, NMConnection *connection,
 			path = nm_setting_vpn_get_data_item(settings, "userkey");
 			if (path)
 			{
+				private_key_t *key;
+				chunk_t secret;
+
 				secret.ptr = (char*)nm_setting_vpn_get_secret(settings, "password");
 				if (secret.ptr)
 				{
 					secret.len = strlen(secret.ptr);
 				}
-				if (pem_asn1_load_file((char*)path, &secret, &key, &pgp))
+				/* try to load/decrypt the private key */
+				key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY,
+								KEY_RSA, BUILD_FROM_FILE, path,
+								BUILD_PASSPHRASE, secret, BUILD_END);
+				if (key)
 				{
-					free(key.ptr);
+					key->destroy(key);
 					return FALSE;
 				}
 			}
@@ -536,7 +546,7 @@ static gboolean need_secrets(NMVPNPlugin *plugin, NMConnection *connection,
 }
 
 /**
- * Disconnect called from NM via DBUS 
+ * Disconnect called from NM via DBUS
  */
 static gboolean disconnect(NMVPNPlugin *plugin, GError **err)
 {
@@ -544,7 +554,7 @@ static gboolean disconnect(NMVPNPlugin *plugin, GError **err)
 	enumerator_t *enumerator;
 	ike_sa_t *ike_sa;
 	u_int id;
-	
+
 	/* our ike_sa pointer might be invalid, lookup sa */
 	enumerator = charon->controller->create_ike_sa_enumerator(charon->controller);
 	while (enumerator->enumerate(enumerator, &ike_sa))
@@ -559,7 +569,7 @@ static gboolean disconnect(NMVPNPlugin *plugin, GError **err)
 		}
 	}
 	enumerator->destroy(enumerator);
-	
+
 	g_set_error(err, NM_VPN_PLUGIN_ERROR, NM_VPN_PLUGIN_ERROR_GENERAL,
 				"Connection not found.");
 	return FALSE;
@@ -571,7 +581,7 @@ static gboolean disconnect(NMVPNPlugin *plugin, GError **err)
 static void nm_strongswan_plugin_init(NMStrongswanPlugin *plugin)
 {
 	NMStrongswanPluginPrivate *priv;
-	
+
 	priv = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin);
 	priv->plugin = NM_VPN_PLUGIN(plugin);
 	memset(&priv->listener.log, 0, sizeof(listener_t));
@@ -586,7 +596,7 @@ static void nm_strongswan_plugin_class_init(
 									NMStrongswanPluginClass *strongswan_class)
 {
 	NMVPNPluginClass *parent_class = NM_VPN_PLUGIN_CLASS(strongswan_class);
-	
+
 	g_type_class_add_private(G_OBJECT_CLASS(strongswan_class),
 							 sizeof(NMStrongswanPluginPrivate));
 	parent_class->connect = connect_;
@@ -607,7 +617,7 @@ NMStrongswanPlugin *nm_strongswan_plugin_new(nm_creds_t *creds,
 	if (plugin)
 	{
 		NMStrongswanPluginPrivate *priv;
-		
+
 		priv = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin);
 		priv->creds = creds;
 		priv->handler = handler;
diff --git a/src/charon/plugins/resolv_conf/Makefile.am b/src/charon/plugins/resolv_conf/Makefile.am
deleted file mode 100644
index be7f862f2..000000000
--- a/src/charon/plugins/resolv_conf/Makefile.am
+++ /dev/null
@@ -1,13 +0,0 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
-
-AM_CFLAGS = -rdynamic \
-  -DRESOLV_CONF=\"${resolv_conf}\"
-
-plugin_LTLIBRARIES = libstrongswan-resolv-conf.la
-libstrongswan_resolv_conf_la_SOURCES = \
-  resolv_conf_plugin.h resolv_conf_plugin.c \
-  resolv_conf_handler.h resolv_conf_handler.c 
-libstrongswan_resolv_conf_la_LDFLAGS = -module -avoid-version
-
-
diff --git a/src/charon/plugins/resolv_conf/Makefile.in b/src/charon/plugins/resolv_conf/Makefile.in
deleted file mode 100644
index 19c20467a..000000000
--- a/src/charon/plugins/resolv_conf/Makefile.in
+++ /dev/null
@@ -1,518 +0,0 @@
-# Makefile.in generated by automake 1.10.2 from Makefile.am.
-# @configure_input@
-
-# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
-# This Makefile.in is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
-# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
-# PARTICULAR PURPOSE.
-
-@SET_MAKE@
-
-VPATH = @srcdir@
-pkgdatadir = $(datadir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
-pkgincludedir = $(includedir)/@PACKAGE@
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-install_sh_DATA = $(install_sh) -c -m 644
-install_sh_PROGRAM = $(install_sh) -c
-install_sh_SCRIPT = $(install_sh) -c
-INSTALL_HEADER = $(INSTALL_DATA)
-transform = $(program_transform_name)
-NORMAL_INSTALL = :
-PRE_INSTALL = :
-POST_INSTALL = :
-NORMAL_UNINSTALL = :
-PRE_UNINSTALL = :
-POST_UNINSTALL = :
-build_triplet = @build@
-host_triplet = @host@
-subdir = src/charon/plugins/resolv_conf
-DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
-ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/configure.in
-am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
-	$(ACLOCAL_M4)
-mkinstalldirs = $(install_sh) -d
-CONFIG_CLEAN_FILES =
-am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
-am__vpath_adj = case $$p in \
-    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
-    *) f=$$p;; \
-  esac;
-am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
-am__installdirs = "$(DESTDIR)$(plugindir)"
-pluginLTLIBRARIES_INSTALL = $(INSTALL)
-LTLIBRARIES = $(plugin_LTLIBRARIES)
-libstrongswan_resolv_conf_la_LIBADD =
-am_libstrongswan_resolv_conf_la_OBJECTS = resolv_conf_plugin.lo \
-	resolv_conf_handler.lo
-libstrongswan_resolv_conf_la_OBJECTS =  \
-	$(am_libstrongswan_resolv_conf_la_OBJECTS)
-libstrongswan_resolv_conf_la_LINK = $(LIBTOOL) --tag=CC \
-	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
-	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_resolv_conf_la_LDFLAGS) \
-	$(LDFLAGS) -o $@
-DEFAULT_INCLUDES = -I.@am__isrc@
-depcomp = $(SHELL) $(top_srcdir)/depcomp
-am__depfiles_maybe = depfiles
-COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
-	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
-SOURCES = $(libstrongswan_resolv_conf_la_SOURCES)
-DIST_SOURCES = $(libstrongswan_resolv_conf_la_SOURCES)
-ETAGS = etags
-CTAGS = ctags
-DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
-ACLOCAL = @ACLOCAL@
-ALLOCA = @ALLOCA@
-AMTAR = @AMTAR@
-AR = @AR@
-AUTOCONF = @AUTOCONF@
-AUTOHEADER = @AUTOHEADER@
-AUTOMAKE = @AUTOMAKE@
-AWK = @AWK@
-BTLIB = @BTLIB@
-CC = @CC@
-CCDEPMODE = @CCDEPMODE@
-CFLAGS = @CFLAGS@
-CPP = @CPP@
-CPPFLAGS = @CPPFLAGS@
-CYGPATH_W = @CYGPATH_W@
-DEFS = @DEFS@
-DEPDIR = @DEPDIR@
-DLLIB = @DLLIB@
-DSYMUTIL = @DSYMUTIL@
-DUMPBIN = @DUMPBIN@
-ECHO_C = @ECHO_C@
-ECHO_N = @ECHO_N@
-ECHO_T = @ECHO_T@
-EGREP = @EGREP@
-EXEEXT = @EXEEXT@
-FGREP = @FGREP@
-GPERF = @GPERF@
-GREP = @GREP@
-INSTALL = @INSTALL@
-INSTALL_DATA = @INSTALL_DATA@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@
-INSTALL_SCRIPT = @INSTALL_SCRIPT@
-INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
-IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
-LD = @LD@
-LDFLAGS = @LDFLAGS@
-LEX = @LEX@
-LEXLIB = @LEXLIB@
-LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
-LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
-LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
-LIBOBJS = @LIBOBJS@
-LIBS = @LIBS@
-LIBTOOL = @LIBTOOL@
-LINUX_HEADERS = @LINUX_HEADERS@
-LIPO = @LIPO@
-LN_S = @LN_S@
-LTLIBOBJS = @LTLIBOBJS@
-MAKEINFO = @MAKEINFO@
-MKDIR_P = @MKDIR_P@
-NM = @NM@
-NMEDIT = @NMEDIT@
-OBJDUMP = @OBJDUMP@
-OBJEXT = @OBJEXT@
-OTOOL = @OTOOL@
-OTOOL64 = @OTOOL64@
-PACKAGE = @PACKAGE@
-PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
-PACKAGE_NAME = @PACKAGE_NAME@
-PACKAGE_STRING = @PACKAGE_STRING@
-PACKAGE_TARNAME = @PACKAGE_TARNAME@
-PACKAGE_VERSION = @PACKAGE_VERSION@
-PATH_SEPARATOR = @PATH_SEPARATOR@
-PERL = @PERL@
-PKG_CONFIG = @PKG_CONFIG@
-RANLIB = @RANLIB@
-RUBY = @RUBY@
-RUBYINCLUDE = @RUBYINCLUDE@
-SED = @SED@
-SET_MAKE = @SET_MAKE@
-SHELL = @SHELL@
-SOCKLIB = @SOCKLIB@
-STRIP = @STRIP@
-VERSION = @VERSION@
-YACC = @YACC@
-YFLAGS = @YFLAGS@
-abs_builddir = @abs_builddir@
-abs_srcdir = @abs_srcdir@
-abs_top_builddir = @abs_top_builddir@
-abs_top_srcdir = @abs_top_srcdir@
-ac_ct_CC = @ac_ct_CC@
-ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
-am__include = @am__include@
-am__leading_dot = @am__leading_dot@
-am__quote = @am__quote@
-am__tar = @am__tar@
-am__untar = @am__untar@
-bindir = @bindir@
-build = @build@
-build_alias = @build_alias@
-build_cpu = @build_cpu@
-build_os = @build_os@
-build_vendor = @build_vendor@
-builddir = @builddir@
-confdir = @confdir@
-datadir = @datadir@
-datarootdir = @datarootdir@
-docdir = @docdir@
-dvidir = @dvidir@
-exec_prefix = @exec_prefix@
-gtk_CFLAGS = @gtk_CFLAGS@
-gtk_LIBS = @gtk_LIBS@
-host = @host@
-host_alias = @host_alias@
-host_cpu = @host_cpu@
-host_os = @host_os@
-host_vendor = @host_vendor@
-htmldir = @htmldir@
-includedir = @includedir@
-infodir = @infodir@
-install_sh = @install_sh@
-ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
-ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
-ipsecuser = @ipsecuser@
-libdir = @libdir@
-libexecdir = @libexecdir@
-libstrongswan_plugins = @libstrongswan_plugins@
-linuxdir = @linuxdir@
-localedir = @localedir@
-localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
-mandir = @mandir@
-mkdir_p = @mkdir_p@
-nm_CFLAGS = @nm_CFLAGS@
-nm_LIBS = @nm_LIBS@
-oldincludedir = @oldincludedir@
-pdfdir = @pdfdir@
-piddir = @piddir@
-plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
-prefix = @prefix@
-program_transform_name = @program_transform_name@
-psdir = @psdir@
-resolv_conf = @resolv_conf@
-sbindir = @sbindir@
-sharedstatedir = @sharedstatedir@
-simreader = @simreader@
-srcdir = @srcdir@
-strongswan_conf = @strongswan_conf@
-sysconfdir = @sysconfdir@
-target_alias = @target_alias@
-top_build_prefix = @top_build_prefix@
-top_builddir = @top_builddir@
-top_srcdir = @top_srcdir@
-xml_CFLAGS = @xml_CFLAGS@
-xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
-AM_CFLAGS = -rdynamic \
-  -DRESOLV_CONF=\"${resolv_conf}\"
-
-plugin_LTLIBRARIES = libstrongswan-resolv-conf.la
-libstrongswan_resolv_conf_la_SOURCES = \
-  resolv_conf_plugin.h resolv_conf_plugin.c \
-  resolv_conf_handler.h resolv_conf_handler.c 
-
-libstrongswan_resolv_conf_la_LDFLAGS = -module -avoid-version
-all: all-am
-
-.SUFFIXES:
-.SUFFIXES: .c .lo .o .obj
-$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
-	@for dep in $?; do \
-	  case '$(am__configure_deps)' in \
-	    *$$dep*) \
-	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
-	        && { if test -f $@; then exit 0; else break; fi; }; \
-	      exit 1;; \
-	  esac; \
-	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/charon/plugins/resolv_conf/Makefile'; \
-	cd $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu  src/charon/plugins/resolv_conf/Makefile
-.PRECIOUS: Makefile
-Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
-	@case '$?' in \
-	  *config.status*) \
-	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
-	  *) \
-	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
-	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
-	esac;
-
-$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-
-$(top_srcdir)/configure:  $(am__configure_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
-	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
-	  if test -f $$p; then \
-	    f=$(am__strip_dir) \
-	    echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(plugindir)/$$f'"; \
-	    $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(plugindir)/$$f"; \
-	  else :; fi; \
-	done
-
-uninstall-pluginLTLIBRARIES:
-	@$(NORMAL_UNINSTALL)
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
-	  p=$(am__strip_dir) \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$p'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$p"; \
-	done
-
-clean-pluginLTLIBRARIES:
-	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
-	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
-	  test "$$dir" != "$$p" || dir=.; \
-	  echo "rm -f \"$${dir}/so_locations\""; \
-	  rm -f "$${dir}/so_locations"; \
-	done
-libstrongswan-resolv-conf.la: $(libstrongswan_resolv_conf_la_OBJECTS) $(libstrongswan_resolv_conf_la_DEPENDENCIES) 
-	$(libstrongswan_resolv_conf_la_LINK) -rpath $(plugindir) $(libstrongswan_resolv_conf_la_OBJECTS) $(libstrongswan_resolv_conf_la_LIBADD) $(LIBS)
-
-mostlyclean-compile:
-	-rm -f *.$(OBJEXT)
-
-distclean-compile:
-	-rm -f *.tab.c
-
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/resolv_conf_handler.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/resolv_conf_plugin.Plo@am__quote@
-
-.c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
-
-.c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
-
-.c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
-
-mostlyclean-libtool:
-	-rm -f *.lo
-
-clean-libtool:
-	-rm -rf .libs _libs
-
-ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
-	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	mkid -fID $$unique
-tags: TAGS
-
-TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	tags=; \
-	here=`pwd`; \
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
-	  test -n "$$unique" || unique=$$empty_fix; \
-	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	    $$tags $$unique; \
-	fi
-ctags: CTAGS
-CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	tags=; \
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$tags$$unique" \
-	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$tags $$unique
-
-GTAGS:
-	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && cd $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) $$here
-
-distclean-tags:
-	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
-
-distdir: $(DISTFILES)
-	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	list='$(DISTFILES)'; \
-	  dist_files=`for file in $$list; do echo $$file; done | \
-	  sed -e "s|^$$srcdirstrip/||;t" \
-	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
-	case $$dist_files in \
-	  */*) $(MKDIR_P) `echo "$$dist_files" | \
-			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
-			   sort -u` ;; \
-	esac; \
-	for file in $$dist_files; do \
-	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  if test -d $$d/$$file; then \
-	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
-	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
-	    fi; \
-	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
-	  else \
-	    test -f $(distdir)/$$file \
-	    || cp -p $$d/$$file $(distdir)/$$file \
-	    || exit 1; \
-	  fi; \
-	done
-check-am: all-am
-check: check-am
-all-am: Makefile $(LTLIBRARIES)
-installdirs:
-	for dir in "$(DESTDIR)$(plugindir)"; do \
-	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
-	done
-install: install-am
-install-exec: install-exec-am
-install-data: install-data-am
-uninstall: uninstall-am
-
-install-am: all-am
-	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
-
-installcheck: installcheck-am
-install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
-mostlyclean-generic:
-
-clean-generic:
-
-distclean-generic:
-	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-
-maintainer-clean-generic:
-	@echo "This command is intended for maintainers to use"
-	@echo "it deletes files that may require special tools to rebuild."
-clean: clean-am
-
-clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
-	mostlyclean-am
-
-distclean: distclean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-distclean-am: clean-am distclean-compile distclean-generic \
-	distclean-tags
-
-dvi: dvi-am
-
-dvi-am:
-
-html: html-am
-
-info: info-am
-
-info-am:
-
-install-data-am: install-pluginLTLIBRARIES
-
-install-dvi: install-dvi-am
-
-install-exec-am:
-
-install-html: install-html-am
-
-install-info: install-info-am
-
-install-man:
-
-install-pdf: install-pdf-am
-
-install-ps: install-ps-am
-
-installcheck-am:
-
-maintainer-clean: maintainer-clean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-maintainer-clean-am: distclean-am maintainer-clean-generic
-
-mostlyclean: mostlyclean-am
-
-mostlyclean-am: mostlyclean-compile mostlyclean-generic \
-	mostlyclean-libtool
-
-pdf: pdf-am
-
-pdf-am:
-
-ps: ps-am
-
-ps-am:
-
-uninstall-am: uninstall-pluginLTLIBRARIES
-
-.MAKE: install-am install-strip
-
-.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
-	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
-	distclean-compile distclean-generic distclean-libtool \
-	distclean-tags distdir dvi dvi-am html html-am info info-am \
-	install install-am install-data install-data-am install-dvi \
-	install-dvi-am install-exec install-exec-am install-html \
-	install-html-am install-info install-info-am install-man \
-	install-pdf install-pdf-am install-pluginLTLIBRARIES \
-	install-ps install-ps-am install-strip installcheck \
-	installcheck-am installdirs maintainer-clean \
-	maintainer-clean-generic mostlyclean mostlyclean-compile \
-	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
-
-# Tell versions [3.59,3.63) of GNU make to not export all variables.
-# Otherwise a system limit (for SysV at least) may be exceeded.
-.NOEXPORT:
diff --git a/src/charon/plugins/resolv_conf/resolv_conf_handler.c b/src/charon/plugins/resolv_conf/resolv_conf_handler.c
deleted file mode 100644
index 749cfbc5b..000000000
--- a/src/charon/plugins/resolv_conf/resolv_conf_handler.c
+++ /dev/null
@@ -1,192 +0,0 @@
-/*
- * Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "resolv_conf_handler.h"
-
-#include <unistd.h>
-
-#include <daemon.h>
-#include <utils/mutex.h>
-
-typedef struct private_resolv_conf_handler_t private_resolv_conf_handler_t;
-
-/**
- * Private data of an resolv_conf_handler_t object.
- */
-struct private_resolv_conf_handler_t {
-	
-	/**
-	 * Public resolv_conf_handler_t interface.
-	 */
-	resolv_conf_handler_t public;
-	
-	/**
-	 * resolv.conf file to use
-	 */
-	char *file;
-	
-	/**
-	 * Mutex to access file exclusively
-	 */
-	mutex_t *mutex;
-};
-
-/**
- * Implementation of attribute_handler_t.handle
- */
-static bool handle(private_resolv_conf_handler_t *this, ike_sa_t *ike_sa,
-				   configuration_attribute_type_t type, chunk_t data)
-{
-	FILE *in, *out;
-	char buf[1024];
-	host_t *addr;
-	int family;
-	size_t len;
-	bool handled = FALSE;
-	
-	switch (type)
-	{
-		case INTERNAL_IP4_DNS:
-			family = AF_INET;
-			break;
-		case INTERNAL_IP6_DNS:
-			family = AF_INET6;
-			break;
-		default:
-			return FALSE;
-	}
-	
-	this->mutex->lock(this->mutex);
-	
-	in = fopen(this->file, "r");
-	/* allows us to stream from in to out */
-	unlink(this->file);
-	out = fopen(this->file, "w");
-	if (out)
-	{
-		addr = host_create_from_chunk(family, data, 0);
-		fprintf(out, "nameserver %H   # by strongSwan, from %Y\n",
-				addr, ike_sa->get_other_id(ike_sa));
-		DBG1(DBG_IKE, "installing DNS server %H to %s", addr, this->file);
-		addr->destroy(addr);
-		handled = TRUE;
-		
-		/* copy rest of the file */
-		if (in)
-		{
-			while ((len = fread(buf, 1, sizeof(buf), in)))
-			{
-				ignore_result(fwrite(buf, 1, len, out));
-			}
-			fclose(in);
-		}
-		fclose(out);
-	}
-	
-	if (!handled)
-	{
-		DBG1(DBG_IKE, "adding DNS server failed", this->file);
-	}
-	this->mutex->unlock(this->mutex);
-	return handled;
-}
-
-/**
- * Implementation of attribute_handler_t.release
- */
-static void release(private_resolv_conf_handler_t *this, ike_sa_t *ike_sa,
-					configuration_attribute_type_t type, chunk_t data)
-{
-	FILE *in, *out;
-	char line[1024], matcher[512], *pos;
-	host_t *addr;
-	int family;
-	
-	switch (type)
-	{
-		case INTERNAL_IP4_DNS:
-			family = AF_INET;
-			break;
-		case INTERNAL_IP6_DNS:
-			family = AF_INET6;
-			break;
-		default:
-			return;
-	}
-	
-	this->mutex->lock(this->mutex);
-	
-	in = fopen(this->file, "r");
-	if (in)
-	{
-		/* allows us to stream from in to out */
-		unlink(this->file);
-		out = fopen(this->file, "w");
-		if (out)
-		{
-			addr = host_create_from_chunk(family, data, 0);
-			snprintf(matcher, sizeof(matcher),
-					 "nameserver %H   # by strongSwan, from %Y\n",
-					 addr, ike_sa->get_other_id(ike_sa));
-			
-			/* copy all, but matching line */
-			while ((pos = fgets(line, sizeof(line), in)))
-			{
-				if (strneq(line, matcher, strlen(matcher)))
-				{
-					DBG1(DBG_IKE, "removing DNS server %H from %s",
-						 addr, this->file);
-				}
-				else
-				{
-					fputs(line, out);
-				}
-			}
-			addr->destroy(addr);
-			fclose(out);
-		}
-		fclose(in);
-	}
-	
-	this->mutex->unlock(this->mutex);
-}
-
-/**
- * Implementation of resolv_conf_handler_t.destroy.
- */
-static void destroy(private_resolv_conf_handler_t *this)
-{
-	this->mutex->destroy(this->mutex);
-	free(this);
-}
-
-/**
- * See header
- */
-resolv_conf_handler_t *resolv_conf_handler_create()
-{
-	private_resolv_conf_handler_t *this = malloc_thing(private_resolv_conf_handler_t);
-	
-	this->public.handler.handle = (bool(*)(attribute_handler_t*, ike_sa_t*, configuration_attribute_type_t, chunk_t))handle;
-	this->public.handler.release = (void(*)(attribute_handler_t*, ike_sa_t*, configuration_attribute_type_t, chunk_t))release;
-	this->public.destroy = (void(*)(resolv_conf_handler_t*))destroy;
-	
-	this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
-	this->file = lib->settings->get_str(lib->settings,
-								"charon.plugins.resolv-conf.file", RESOLV_CONF);
-	
-	return &this->public;
-}
-
diff --git a/src/charon/plugins/resolv_conf/resolv_conf_handler.h b/src/charon/plugins/resolv_conf/resolv_conf_handler.h
deleted file mode 100644
index 2635bb802..000000000
--- a/src/charon/plugins/resolv_conf/resolv_conf_handler.h
+++ /dev/null
@@ -1,49 +0,0 @@
-/*
- * Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup resolv_conf_handler resolv_conf_handler
- * @{ @ingroup resolv_conf
- */
-
-#ifndef RESOLV_CONF_HANDLER_H_
-#define RESOLV_CONF_HANDLER_H_
-
-#include <config/attributes/attribute_handler.h>
-
-typedef struct resolv_conf_handler_t resolv_conf_handler_t;
-
-/**
- * Handle DNS configuration attributes by mangling a resolv.conf file.
- */
-struct resolv_conf_handler_t {
-	
-	/**
-	 * Implements the attribute_handler_t interface
-	 */
-	attribute_handler_t handler;
-	
-	/**
-	 * Destroy a resolv_conf_handler_t.
-	 */
-	void (*destroy)(resolv_conf_handler_t *this);
-};
-
-/**
- * Create a resolv_conf_handler instance.
- */
-resolv_conf_handler_t *resolv_conf_handler_create();
-
-#endif /* RESOLV_CONF_HANDLER_ @}*/
diff --git a/src/charon/plugins/resolv_conf/resolv_conf_plugin.c b/src/charon/plugins/resolv_conf/resolv_conf_plugin.c
deleted file mode 100644
index ff9d96eb3..000000000
--- a/src/charon/plugins/resolv_conf/resolv_conf_plugin.c
+++ /dev/null
@@ -1,64 +0,0 @@
-/*
- * Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "resolv_conf_plugin.h"
-#include "resolv_conf_handler.h"
-
-#include <daemon.h>
-
-typedef struct private_resolv_conf_plugin_t private_resolv_conf_plugin_t;
-
-/**
- * private data of resolv_conf plugin
- */
-struct private_resolv_conf_plugin_t {
-
-	/**
-	 * implements plugin interface
-	 */
-	resolv_conf_plugin_t public;
-	
-	/**
-	 * The registerd DNS attribute handler
-	 */
-	resolv_conf_handler_t *handler;
-};
-
-/**
- * Implementation of plugin_t.destroy
- */
-static void destroy(private_resolv_conf_plugin_t *this)
-{
-	charon->attributes->remove_handler(charon->attributes,
-									   &this->handler->handler);
-	this->handler->destroy(this->handler);
-	free(this);
-}
-
-/*
- * see header file
- */
-plugin_t *plugin_create()
-{
-	private_resolv_conf_plugin_t *this = malloc_thing(private_resolv_conf_plugin_t);
-	
-	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-	
-	this->handler = resolv_conf_handler_create();
-	charon->attributes->add_handler(charon->attributes, &this->handler->handler);
-	
-	return &this->public.plugin;
-}
-
diff --git a/src/charon/plugins/resolv_conf/resolv_conf_plugin.h b/src/charon/plugins/resolv_conf/resolv_conf_plugin.h
deleted file mode 100644
index f5943d9a3..000000000
--- a/src/charon/plugins/resolv_conf/resolv_conf_plugin.h
+++ /dev/null
@@ -1,47 +0,0 @@
-/*
- * Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup resolv_conf resolv_conf
- * @ingroup cplugins
- *
- * @defgroup resolv_conf_plugin resolv_conf_plugin
- * @{ @ingroup resolv_conf
- */
-
-#ifndef RESOLV_CONF_PLUGIN_H_
-#define RESOLV_CONF_PLUGIN_H_
-
-#include <plugins/plugin.h>
-
-typedef struct resolv_conf_plugin_t resolv_conf_plugin_t;
-
-/**
- * Plugin that writes received DNS servers in a resolv.conf file.
- */
-struct resolv_conf_plugin_t {
-	
-	/**
-	 * implements plugin interface
-	 */
-	plugin_t plugin;
-};
-
-/**
- * Create a resolv_conf_plugin instance.
- */
-plugin_t *plugin_create();
-
-#endif /** RESOLV_CONF_PLUGIN_H_ @}*/
diff --git a/src/charon/plugins/resolve/Makefile.am b/src/charon/plugins/resolve/Makefile.am
new file mode 100644
index 000000000..9d18b00b4
--- /dev/null
+++ b/src/charon/plugins/resolve/Makefile.am
@@ -0,0 +1,13 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
+
+AM_CFLAGS = -rdynamic \
+  -DRESOLV_CONF=\"${resolv_conf}\"
+
+plugin_LTLIBRARIES = libstrongswan-resolve.la
+libstrongswan_resolve_la_SOURCES = \
+  resolve_plugin.h resolve_plugin.c \
+  resolve_handler.h resolve_handler.c
+libstrongswan_resolve_la_LDFLAGS = -module -avoid-version
+
+
diff --git a/src/charon/plugins/resolve/Makefile.in b/src/charon/plugins/resolve/Makefile.in
new file mode 100644
index 000000000..478935752
--- /dev/null
+++ b/src/charon/plugins/resolve/Makefile.in
@@ -0,0 +1,574 @@
+# Makefile.in generated by automake 1.11 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/charon/plugins/resolve
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(plugin_LTLIBRARIES)
+libstrongswan_resolve_la_LIBADD =
+am_libstrongswan_resolve_la_OBJECTS = resolve_plugin.lo \
+	resolve_handler.lo
+libstrongswan_resolve_la_OBJECTS =  \
+	$(am_libstrongswan_resolve_la_OBJECTS)
+libstrongswan_resolve_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_resolve_la_LDFLAGS) $(LDFLAGS) -o $@
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_resolve_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_resolve_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libstrongswan_plugins = @libstrongswan_plugins@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
+AM_CFLAGS = -rdynamic \
+  -DRESOLV_CONF=\"${resolv_conf}\"
+
+plugin_LTLIBRARIES = libstrongswan-resolve.la
+libstrongswan_resolve_la_SOURCES = \
+  resolve_plugin.h resolve_plugin.c \
+  resolve_handler.h resolve_handler.c
+
+libstrongswan_resolve_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/charon/plugins/resolve/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/charon/plugins/resolve/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-resolve.la: $(libstrongswan_resolve_la_OBJECTS) $(libstrongswan_resolve_la_DEPENDENCIES) 
+	$(libstrongswan_resolve_la_LINK) -rpath $(plugindir) $(libstrongswan_resolve_la_OBJECTS) $(libstrongswan_resolve_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/resolve_handler.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/resolve_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
+	mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
+	distclean-compile distclean-generic distclean-libtool \
+	distclean-tags distdir dvi dvi-am html html-am info info-am \
+	install install-am install-data install-data-am install-dvi \
+	install-dvi-am install-exec install-exec-am install-html \
+	install-html-am install-info install-info-am install-man \
+	install-pdf install-pdf-am install-pluginLTLIBRARIES \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/charon/plugins/resolve/resolve_handler.c b/src/charon/plugins/resolve/resolve_handler.c
new file mode 100644
index 000000000..714c751a6
--- /dev/null
+++ b/src/charon/plugins/resolve/resolve_handler.c
@@ -0,0 +1,251 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "resolve_handler.h"
+
+#include <unistd.h>
+
+#include <daemon.h>
+#include <threading/mutex.h>
+
+typedef struct private_resolve_handler_t private_resolve_handler_t;
+
+/**
+ * Private data of an resolve_handler_t object.
+ */
+struct private_resolve_handler_t {
+
+	/**
+	 * Public resolve_handler_t interface.
+	 */
+	resolve_handler_t public;
+
+	/**
+	 * resolv.conf file to use
+	 */
+	char *file;
+
+	/**
+	 * Mutex to access file exclusively
+	 */
+	mutex_t *mutex;
+};
+
+/**
+ * Implementation of attribute_handler_t.handle
+ */
+static bool handle(private_resolve_handler_t *this, identification_t *server,
+				   configuration_attribute_type_t type, chunk_t data)
+{
+	FILE *in, *out;
+	char buf[1024];
+	host_t *addr;
+	size_t len;
+	bool handled = FALSE;
+
+	switch (type)
+	{
+		case INTERNAL_IP4_DNS:
+			addr = host_create_from_chunk(AF_INET, data, 0);
+			break;
+		case INTERNAL_IP6_DNS:
+			addr = host_create_from_chunk(AF_INET6, data, 0);
+			break;
+		default:
+			return FALSE;
+	}
+
+	if (!addr || addr->is_anyaddr(addr))
+	{
+		DESTROY_IF(addr);
+		return FALSE;
+	}
+	this->mutex->lock(this->mutex);
+
+	in = fopen(this->file, "r");
+	/* allows us to stream from in to out */
+	unlink(this->file);
+	out = fopen(this->file, "w");
+	if (out)
+	{
+		fprintf(out, "nameserver %H   # by strongSwan, from %Y\n", addr, server);
+		DBG1(DBG_IKE, "installing DNS server %H to %s", addr, this->file);
+		handled = TRUE;
+
+		/* copy rest of the file */
+		if (in)
+		{
+			while ((len = fread(buf, 1, sizeof(buf), in)))
+			{
+				ignore_result(fwrite(buf, 1, len, out));
+			}
+		}
+		fclose(out);
+	}
+	if (in)
+	{
+		fclose(in);
+	}
+	this->mutex->unlock(this->mutex);
+	addr->destroy(addr);
+
+	if (!handled)
+	{
+		DBG1(DBG_IKE, "adding DNS server failed", this->file);
+	}
+	return handled;
+}
+
+/**
+ * Implementation of attribute_handler_t.release
+ */
+static void release(private_resolve_handler_t *this, identification_t *server,
+					configuration_attribute_type_t type, chunk_t data)
+{
+	FILE *in, *out;
+	char line[1024], matcher[512], *pos;
+	host_t *addr;
+	int family;
+
+	switch (type)
+	{
+		case INTERNAL_IP4_DNS:
+			family = AF_INET;
+			break;
+		case INTERNAL_IP6_DNS:
+			family = AF_INET6;
+			break;
+		default:
+			return;
+	}
+
+	this->mutex->lock(this->mutex);
+
+	in = fopen(this->file, "r");
+	if (in)
+	{
+		/* allows us to stream from in to out */
+		unlink(this->file);
+		out = fopen(this->file, "w");
+		if (out)
+		{
+			addr = host_create_from_chunk(family, data, 0);
+			snprintf(matcher, sizeof(matcher),
+					 "nameserver %H   # by strongSwan, from %Y\n",
+					 addr, server);
+
+			/* copy all, but matching line */
+			while ((pos = fgets(line, sizeof(line), in)))
+			{
+				if (strneq(line, matcher, strlen(matcher)))
+				{
+					DBG1(DBG_IKE, "removing DNS server %H from %s",
+						 addr, this->file);
+				}
+				else
+				{
+					fputs(line, out);
+				}
+			}
+			addr->destroy(addr);
+			fclose(out);
+		}
+		fclose(in);
+	}
+
+	this->mutex->unlock(this->mutex);
+}
+
+/**
+ * Attribute enumerator implementation
+ */
+typedef struct {
+	/** implements enumerator_t interface */
+	enumerator_t public;
+	/** virtual IP we are requesting */
+	host_t *vip;
+} attribute_enumerator_t;
+
+/**
+ * Implementation of create_attribute_enumerator().enumerate()
+ */
+static bool attribute_enumerate(attribute_enumerator_t *this,
+						configuration_attribute_type_t *type, chunk_t *data)
+{
+	switch (this->vip->get_family(this->vip))
+	{
+		case AF_INET:
+			*type = INTERNAL_IP4_DNS;
+			break;
+		case AF_INET6:
+			*type = INTERNAL_IP6_DNS;
+			break;
+		default:
+			return FALSE;
+	}
+	*data = chunk_empty;
+	/* enumerate only once */
+	this->public.enumerate = (void*)return_false;
+	return TRUE;
+}
+
+/**
+ * Implementation of attribute_handler_t.create_attribute_enumerator
+ */
+static enumerator_t* create_attribute_enumerator(private_resolve_handler_t *this,
+										identification_t *server, host_t *vip)
+{
+	if (vip)
+	{
+		attribute_enumerator_t *enumerator;
+
+		enumerator = malloc_thing(attribute_enumerator_t);
+		enumerator->public.enumerate = (void*)attribute_enumerate;
+		enumerator->public.destroy = (void*)free;
+		enumerator->vip = vip;
+
+		return &enumerator->public;
+	}
+	return enumerator_create_empty();
+}
+
+/**
+ * Implementation of resolve_handler_t.destroy.
+ */
+static void destroy(private_resolve_handler_t *this)
+{
+	this->mutex->destroy(this->mutex);
+	free(this);
+}
+
+/**
+ * See header
+ */
+resolve_handler_t *resolve_handler_create()
+{
+	private_resolve_handler_t *this = malloc_thing(private_resolve_handler_t);
+
+	this->public.handler.handle = (bool(*)(attribute_handler_t*, identification_t*, configuration_attribute_type_t, chunk_t))handle;
+	this->public.handler.release = (void(*)(attribute_handler_t*, identification_t*, configuration_attribute_type_t, chunk_t))release;
+	this->public.handler.create_attribute_enumerator = (enumerator_t*(*)(attribute_handler_t*, identification_t *server, host_t *vip))create_attribute_enumerator;
+	this->public.destroy = (void(*)(resolve_handler_t*))destroy;
+
+	this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
+	this->file = lib->settings->get_str(lib->settings,
+								"charon.plugins.resolve.file", RESOLV_CONF);
+
+	return &this->public;
+}
+
diff --git a/src/charon/plugins/resolve/resolve_handler.h b/src/charon/plugins/resolve/resolve_handler.h
new file mode 100644
index 000000000..77bf9781c
--- /dev/null
+++ b/src/charon/plugins/resolve/resolve_handler.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup resolve_handler resolve_handler
+ * @{ @ingroup resolve
+ */
+
+#ifndef RESOLVE_HANDLER_H_
+#define RESOLVE_HANDLER_H_
+
+#include <attributes/attribute_handler.h>
+
+typedef struct resolve_handler_t resolve_handler_t;
+
+/**
+ * Handle DNS configuration attributes by mangling a resolv.conf file.
+ */
+struct resolve_handler_t {
+
+	/**
+	 * Implements the attribute_handler_t interface
+	 */
+	attribute_handler_t handler;
+
+	/**
+	 * Destroy a resolve_handler_t.
+	 */
+	void (*destroy)(resolve_handler_t *this);
+};
+
+/**
+ * Create a resolve_handler instance.
+ */
+resolve_handler_t *resolve_handler_create();
+
+#endif /** RESOLVE_HANDLER_H_ @}*/
diff --git a/src/charon/plugins/resolve/resolve_plugin.c b/src/charon/plugins/resolve/resolve_plugin.c
new file mode 100644
index 000000000..c564981ef
--- /dev/null
+++ b/src/charon/plugins/resolve/resolve_plugin.c
@@ -0,0 +1,62 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "resolve_plugin.h"
+#include "resolve_handler.h"
+
+#include <daemon.h>
+
+typedef struct private_resolve_plugin_t private_resolve_plugin_t;
+
+/**
+ * private data of resolve plugin
+ */
+struct private_resolve_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	resolve_plugin_t public;
+
+	/**
+	 * The registerd DNS attribute handler
+	 */
+	resolve_handler_t *handler;
+};
+
+/**
+ * Implementation of plugin_t.destroy
+ */
+static void destroy(private_resolve_plugin_t *this)
+{
+	lib->attributes->remove_handler(lib->attributes, &this->handler->handler);
+	this->handler->destroy(this->handler);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *plugin_create()
+{
+	private_resolve_plugin_t *this = malloc_thing(private_resolve_plugin_t);
+
+	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+	this->handler = resolve_handler_create();
+	lib->attributes->add_handler(lib->attributes, &this->handler->handler);
+
+	return &this->public.plugin;
+}
+
diff --git a/src/charon/plugins/resolve/resolve_plugin.h b/src/charon/plugins/resolve/resolve_plugin.h
new file mode 100644
index 000000000..d7e09f284
--- /dev/null
+++ b/src/charon/plugins/resolve/resolve_plugin.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup resolve resolve
+ * @ingroup cplugins
+ *
+ * @defgroup resolve_plugin resolve_plugin
+ * @{ @ingroup resolve
+ */
+
+#ifndef RESOLVE_PLUGIN_H_
+#define RESOLVE_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct resolve_plugin_t resolve_plugin_t;
+
+/**
+ * Plugin that writes received DNS servers in a resolv.conf file.
+ */
+struct resolve_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+/**
+ * Create a resolve_plugin instance.
+ */
+plugin_t *plugin_create();
+
+#endif /** RESOLVE_PLUGIN_H_ @}*/
diff --git a/src/charon/plugins/smp/Makefile.in b/src/charon/plugins/smp/Makefile.in
index d23d2d001..7512cd2f7 100644
--- a/src/charon/plugins/smp/Makefile.in
+++ b/src/charon/plugins/smp/Makefile.in
@@ -1,8 +1,9 @@
-# Makefile.in generated by automake 1.10.2 from Makefile.am.
+# Makefile.in generated by automake 1.11 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,8 +17,9 @@
 
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
@@ -35,19 +37,41 @@ host_triplet = @host@
 subdir = src/charon/plugins/smp
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
 CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
 am__vpath_adj = case $$p in \
     $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
     *) f=$$p;; \
   esac;
-am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__installdirs = "$(DESTDIR)$(plugindir)"
-pluginLTLIBRARIES_INSTALL = $(INSTALL)
 LTLIBRARIES = $(plugin_LTLIBRARIES)
 am__DEPENDENCIES_1 =
 libstrongswan_smp_la_DEPENDENCIES = $(am__DEPENDENCIES_1)
@@ -59,6 +83,7 @@ libstrongswan_smp_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
+am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
@@ -106,25 +131,22 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
-IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
-LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
-LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
-LINUX_HEADERS = @LINUX_HEADERS@
 LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
 NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
@@ -136,11 +158,14 @@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
 PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
+RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
@@ -169,9 +194,9 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
-confdir = @confdir@
 datadir = @datadir@
 datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
@@ -194,7 +219,7 @@ ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
 libstrongswan_plugins = @libstrongswan_plugins@
-linuxdir = @linuxdir@
+linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
@@ -202,6 +227,7 @@ mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
@@ -210,10 +236,12 @@ pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+random_device = @random_device@
 resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
-simreader = @simreader@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
@@ -221,6 +249,7 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon ${xml_CFLAGS}
@@ -242,9 +271,9 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/charon/plugins/smp/Makefile'; \
-	cd $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu  src/charon/plugins/smp/Makefile
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/charon/plugins/smp/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/charon/plugins/smp/Makefile
 .PRECIOUS: Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
@@ -262,23 +291,28 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
 	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
 	  if test -f $$p; then \
-	    f=$(am__strip_dir) \
-	    echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(plugindir)/$$f'"; \
-	    $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(plugindir)/$$f"; \
+	    list2="$$list2 $$p"; \
 	  else :; fi; \
-	done
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
 
 uninstall-pluginLTLIBRARIES:
 	@$(NORMAL_UNINSTALL)
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
-	  p=$(am__strip_dir) \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$p'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$p"; \
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
 	done
 
 clean-pluginLTLIBRARIES:
@@ -302,21 +336,21 @@ distclean-compile:
 
 .c.o:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c $<
 
 .c.obj:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
 @am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
@@ -339,7 +373,7 @@ tags: TAGS
 
 TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
+	set x; \
 	here=`pwd`; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
@@ -347,29 +381,34 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
 	  test -n "$$unique" || unique=$$empty_fix; \
-	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	    $$tags $$unique; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
 	fi
 ctags: CTAGS
 CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	test -z "$(CTAGS_ARGS)$$unique" \
 	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$tags $$unique
+	     $$unique
 
 GTAGS:
 	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && cd $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) $$here
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
 
 distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
@@ -390,13 +429,17 @@ distdir: $(DISTFILES)
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
 	  if test -d $$d/$$file; then \
 	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
 	    fi; \
-	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
 	  else \
-	    test -f $(distdir)/$$file \
-	    || cp -p $$d/$$file $(distdir)/$$file \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
 	    || exit 1; \
 	  fi; \
 	done
@@ -427,6 +470,7 @@ clean-generic:
 
 distclean-generic:
 	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -448,6 +492,8 @@ dvi-am:
 
 html: html-am
 
+html-am:
+
 info: info-am
 
 info-am:
@@ -456,18 +502,28 @@ install-data-am: install-pluginLTLIBRARIES
 
 install-dvi: install-dvi-am
 
+install-dvi-am:
+
 install-exec-am:
 
 install-html: install-html-am
 
+install-html-am:
+
 install-info: install-info-am
 
+install-info-am:
+
 install-man:
 
 install-pdf: install-pdf-am
 
+install-pdf-am:
+
 install-ps: install-ps-am
 
+install-ps-am:
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -506,6 +562,7 @@ uninstall-am: uninstall-pluginLTLIBRARIES
 	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
 	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
 
+
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/src/charon/plugins/smp/smp.c b/src/charon/plugins/smp/smp.c
index 562add06d..21e682a0a 100644
--- a/src/charon/plugins/smp/smp.c
+++ b/src/charon/plugins/smp/smp.c
@@ -23,13 +23,13 @@
 #include <sys/un.h>
 #include <unistd.h>
 #include <errno.h>
-#include <pthread.h>
 #include <signal.h>
 #include <libxml/xmlreader.h>
 #include <libxml/xmlwriter.h>
 
 #include <library.h>
 #include <daemon.h>
+#include <threading/thread.h>
 #include <processing/jobs/callback_job.h>
 
 
@@ -44,12 +44,12 @@ struct private_smp_t {
 	 * Public part of smp_t object.
 	 */
 	smp_t public;
-	
+
 	/**
 	 * XML unix socket fd
 	 */
 	int socket;
-	
+
 	/**
 	 * job accepting stroke messages
 	 */
@@ -146,7 +146,7 @@ static void write_networks(xmlTextWriterPtr writer, char *element,
 {
 	enumerator_t *enumerator;
 	traffic_selector_t *ts;
-	
+
 	xmlTextWriterStartElement(writer, element);
 	enumerator = list->create_enumerator(list);
 	while (enumerator->enumerate(enumerator, (void**)&ts))
@@ -167,26 +167,26 @@ static void write_networks(xmlTextWriterPtr writer, char *element,
 static void write_childend(xmlTextWriterPtr writer, child_sa_t *child, bool local)
 {
 	linked_list_t *list;
-	
-	xmlTextWriterWriteFormatElement(writer, "spi", "%lx", 
+
+	xmlTextWriterWriteFormatElement(writer, "spi", "%lx",
 									htonl(child->get_spi(child, local)));
 	list = child->get_traffic_selectors(child, local);
 	write_networks(writer, "networks", list);
 }
 
 /**
- * write a child_sa_t 
+ * write a child_sa_t
  */
 static void write_child(xmlTextWriterPtr writer, child_sa_t *child)
 {
 	child_cfg_t *config;
-	
+
 	config = child->get_config(child);
 
 	xmlTextWriterStartElement(writer, "childsa");
 	xmlTextWriterWriteFormatElement(writer, "reqid", "%d",
 									child->get_reqid(child));
-	xmlTextWriterWriteFormatElement(writer, "childconfig", "%s", 
+	xmlTextWriterWriteFormatElement(writer, "childconfig", "%s",
 									config->get_name(config));
 	xmlTextWriterStartElement(writer, "local");
 	write_childend(writer, child, TRUE);
@@ -207,7 +207,7 @@ static void request_query_ikesa(xmlTextReaderPtr reader, xmlTextWriterPtr writer
 
 	/* <ikesalist> */
 	xmlTextWriterStartElement(writer, "ikesalist");
-	
+
 	enumerator = charon->controller->create_ike_sa_enumerator(charon->controller);
 	while (enumerator->enumerate(enumerator, &ike_sa))
 	{
@@ -215,18 +215,18 @@ static void request_query_ikesa(xmlTextReaderPtr reader, xmlTextWriterPtr writer
 		host_t *local, *remote;
 		iterator_t *children;
 		child_sa_t *child_sa;
-		
+
 		id = ike_sa->get_id(ike_sa);
-		
+
 		xmlTextWriterStartElement(writer, "ikesa");
 		xmlTextWriterWriteFormatElement(writer, "id", "%d",
 							ike_sa->get_unique_id(ike_sa));
-		xmlTextWriterWriteFormatElement(writer, "status", "%N", 
+		xmlTextWriterWriteFormatElement(writer, "status", "%N",
 							ike_sa_state_lower_names, ike_sa->get_state(ike_sa));
 		xmlTextWriterWriteElement(writer, "role",
 							id->is_initiator(id) ? "initiator" : "responder");
 		xmlTextWriterWriteElement(writer, "peerconfig", ike_sa->get_name(ike_sa));
-		
+
 		/* <local> */
 		local = ike_sa->get_my_host(ike_sa);
 		xmlTextWriterStartElement(writer, "local");
@@ -243,7 +243,7 @@ static void request_query_ikesa(xmlTextReaderPtr reader, xmlTextWriterPtr writer
 		}
 		xmlTextWriterEndElement(writer);
 		/* </local> */
-		
+
 		/* <remote> */
 		remote = ike_sa->get_other_host(ike_sa);
 		xmlTextWriterStartElement(writer, "remote");
@@ -259,8 +259,8 @@ static void request_query_ikesa(xmlTextReaderPtr reader, xmlTextWriterPtr writer
 			write_bool(writer, "nat", ike_sa->has_condition(ike_sa, COND_NAT_THERE));
 		}
 		xmlTextWriterEndElement(writer);
-		/* </remote> */		
-		
+		/* </remote> */
+
 		/* <childsalist> */
 		xmlTextWriterStartElement(writer, "childsalist");
 		children = ike_sa->create_child_sa_iterator(ike_sa);
@@ -270,13 +270,13 @@ static void request_query_ikesa(xmlTextReaderPtr reader, xmlTextWriterPtr writer
 		}
 		children->destroy(children);
 		/* </childsalist> */
-		xmlTextWriterEndElement(writer);		
-		
+		xmlTextWriterEndElement(writer);
+
 		/* </ikesa> */
 		xmlTextWriterEndElement(writer);
 	}
 	enumerator->destroy(enumerator);
-	
+
 	/* </ikesalist> */
 	xmlTextWriterEndElement(writer);
 }
@@ -291,7 +291,7 @@ static void request_query_config(xmlTextReaderPtr reader, xmlTextWriterPtr write
 
 	/* <configlist> */
 	xmlTextWriterStartElement(writer, "configlist");
-	
+
 	enumerator = charon->backends->create_peer_cfg_enumerator(charon->backends,
 														NULL, NULL, NULL, NULL);
 	while (enumerator->enumerate(enumerator, &peer_cfg))
@@ -300,18 +300,18 @@ static void request_query_config(xmlTextReaderPtr reader, xmlTextWriterPtr write
 		child_cfg_t *child_cfg;
 		ike_cfg_t *ike_cfg;
 		linked_list_t *list;
-		
+
 		if (peer_cfg->get_ike_version(peer_cfg) != 2)
 		{	/* only IKEv2 connections yet */
 			continue;
 		}
-		
+
 		/* <peerconfig> */
 		xmlTextWriterStartElement(writer, "peerconfig");
 		xmlTextWriterWriteElement(writer, "name", peer_cfg->get_name(peer_cfg));
-		
+
 		/* TODO: write auth_cfgs */
-		
+
 		/* <ikeconfig> */
 		ike_cfg = peer_cfg->get_ike_cfg(peer_cfg);
 		xmlTextWriterStartElement(writer, "ikeconfig");
@@ -319,14 +319,14 @@ static void request_query_config(xmlTextReaderPtr reader, xmlTextWriterPtr write
 		xmlTextWriterWriteElement(writer, "remote", ike_cfg->get_other_addr(ike_cfg));
 		xmlTextWriterEndElement(writer);
 		/* </ikeconfig> */
-		
+
 		/* <childconfiglist> */
 		xmlTextWriterStartElement(writer, "childconfiglist");
 		children = peer_cfg->create_child_cfg_enumerator(peer_cfg);
 		while (children->enumerate(children, &child_cfg))
 		{
 			/* <childconfig> */
-			xmlTextWriterStartElement(writer, "childconfig");		
+			xmlTextWriterStartElement(writer, "childconfig");
 			xmlTextWriterWriteElement(writer, "name",
 									  child_cfg->get_name(child_cfg));
 			list = child_cfg->get_traffic_selectors(child_cfg, TRUE, NULL, NULL);
@@ -334,7 +334,7 @@ static void request_query_config(xmlTextReaderPtr reader, xmlTextWriterPtr write
 			list->destroy_offset(list, offsetof(traffic_selector_t, destroy));
 			list = child_cfg->get_traffic_selectors(child_cfg, FALSE, NULL, NULL);
 			write_networks(writer, "remote", list);
-			list->destroy_offset(list, offsetof(traffic_selector_t, destroy));		
+			list->destroy_offset(list, offsetof(traffic_selector_t, destroy));
 			xmlTextWriterEndElement(writer);
 			/* </childconfig> */
 		}
@@ -342,7 +342,7 @@ static void request_query_config(xmlTextReaderPtr reader, xmlTextWriterPtr write
 		/* </childconfiglist> */
 		xmlTextWriterEndElement(writer);
 		/* </peerconfig> */
-		xmlTextWriterEndElement(writer);	
+		xmlTextWriterEndElement(writer);
 	}
 	enumerator->destroy(enumerator);
 	/* </configlist> */
@@ -361,7 +361,7 @@ static bool xml_callback(xmlTextWriterPtr writer, debug_t group, level_t level,
 		xmlTextWriterStartElement(writer, "item");
 		xmlTextWriterWriteFormatAttribute(writer, "level", "%d", level);
 		xmlTextWriterWriteFormatAttribute(writer, "source", "%N", debug_names, group);
-		xmlTextWriterWriteFormatAttribute(writer, "thread", "%u", pthread_self());
+		xmlTextWriterWriteFormatAttribute(writer, "thread", "%u", thread_current_id());
 		xmlTextWriterWriteVFormatString(writer, format, args);
 		xmlTextWriterEndElement(writer);
 		/* </item> */
@@ -381,7 +381,7 @@ static void request_control_terminate(xmlTextReaderPtr reader,
 		const char *str;
 		u_int32_t id;
 		status_t status;
-	
+
 		str = xmlTextReaderConstValue(reader);
 		if (str == NULL)
 		{
@@ -393,7 +393,7 @@ static void request_control_terminate(xmlTextReaderPtr reader,
 		{
 			enumerator_t *enumerator;
 			ike_sa_t *ike_sa;
-		
+
 			enumerator = charon->controller->create_ike_sa_enumerator(charon->controller);
 			while (enumerator->enumerate(enumerator, &ike_sa))
 			{
@@ -411,21 +411,21 @@ static void request_control_terminate(xmlTextReaderPtr reader,
 			DBG1(DBG_CFG, "error parsing XML id string");
 			return;
 		}
-		
+
 		DBG1(DBG_CFG, "terminating %s_SA %d", ike ? "IKE" : "CHILD", id);
-		
+
 		/* <log> */
 		xmlTextWriterStartElement(writer, "log");
 		if (ike)
 		{
 			status = charon->controller->terminate_ike(
-					charon->controller,	id, 
+					charon->controller,	id,
 					(controller_cb_t)xml_callback, writer);
 		}
 		else
 		{
 			status = charon->controller->terminate_child(
-					charon->controller,	id, 
+					charon->controller,	id,
 					(controller_cb_t)xml_callback, writer);
 		}
 		/* </log> */
@@ -448,7 +448,7 @@ static void request_control_initiate(xmlTextReaderPtr reader,
 		peer_cfg_t *peer;
 		child_cfg_t *child = NULL;
 		enumerator_t *enumerator;
-			
+
 		str = xmlTextReaderConstValue(reader);
 		if (str == NULL)
 		{
@@ -456,7 +456,7 @@ static void request_control_initiate(xmlTextReaderPtr reader,
 			return;
 		}
 		DBG1(DBG_CFG, "initiating %s_SA %s", ike ? "IKE" : "CHILD", str);
-		
+
 		/* <log> */
 		xmlTextWriterStartElement(writer, "log");
 		peer = charon->backends->get_peer_cfg_by_name(charon->backends, (char*)str);
@@ -508,8 +508,8 @@ static void request_query(xmlTextReaderPtr reader, xmlTextWriterPtr writer)
 {
 	/* <query> */
 	xmlTextWriterStartElement(writer, "query");
-    while (xmlTextReaderRead(reader))
-    {
+	while (xmlTextReaderRead(reader))
+	{
 		if (xmlTextReaderNodeType(reader) == XML_READER_TYPE_ELEMENT)
 		{
 			if (streq(xmlTextReaderConstName(reader), "ikesalist"))
@@ -535,8 +535,8 @@ static void request_control(xmlTextReaderPtr reader, xmlTextWriterPtr writer)
 {
 	/* <control> */
 	xmlTextWriterStartElement(writer, "control");
-    while (xmlTextReaderRead(reader))
-    {
+	while (xmlTextReaderRead(reader))
+	{
 		if (xmlTextReaderNodeType(reader) == XML_READER_TYPE_ELEMENT)
 		{
 			if (streq(xmlTextReaderConstName(reader), "ikesaterminate"))
@@ -571,7 +571,7 @@ static void request_control(xmlTextReaderPtr reader, xmlTextWriterPtr writer)
 static void request(xmlTextReaderPtr reader, char *id, int fd)
 {
 	xmlTextWriterPtr writer;
-	
+
 	writer = xmlNewTextWriter(xmlOutputBufferCreateFd(fd, NULL));
 	if (writer == NULL)
 	{
@@ -622,17 +622,18 @@ static void closefdp(int *fd)
  */
 static job_requeue_t process(int *fdp)
 {
-	int oldstate, fd = *fdp;
+	int fd = *fdp;
+	bool oldstate;
 	char buffer[4096];
 	size_t len;
 	xmlTextReaderPtr reader;
 	char *id = NULL, *type = NULL;
-	
-	pthread_cleanup_push((void*)closefdp, (void*)&fd);
-	pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
+
+	thread_cleanup_push((thread_cleanup_t)closefdp, (void*)&fd);
+	oldstate = thread_cancelability(TRUE);
 	len = read(fd, buffer, sizeof(buffer));
-	pthread_setcancelstate(oldstate, NULL);
-	pthread_cleanup_pop(0);
+	thread_cancelability(oldstate);
+	thread_cleanup_pop(FALSE);
 	if (len <= 0)
 	{
 		close(fd);
@@ -640,17 +641,17 @@ static job_requeue_t process(int *fdp)
 		return JOB_REQUEUE_NONE;
 	}
 	DBG3(DBG_CFG, "got XML request: %b", buffer, len);
-	
+
 	reader = xmlReaderForMemory(buffer, len, NULL, NULL, 0);
 	if (reader == NULL)
 	{
 		DBG1(DBG_CFG, "opening SMP XML reader failed");
 		return JOB_REQUEUE_FAIR;;
 	}
-	
+
 	/* read message type and id */
-    while (xmlTextReaderRead(reader))
-    {
+	while (xmlTextReaderRead(reader))
+	{
 		if (xmlTextReaderNodeType(reader) == XML_READER_TYPE_ELEMENT &&
 			streq(xmlTextReaderConstName(reader), "message"))
 		{
@@ -658,20 +659,20 @@ static job_requeue_t process(int *fdp)
 			type = xmlTextReaderGetAttribute(reader, "type");
 			break;
 		}
-    }
-    
-    /* process message */
-    if (id && type)
+	}
+
+	/* process message */
+	if (id && type)
 	{
-	    if (streq(type, "request"))
-	    {
-	    	request(reader, id, fd);
-	    }
-	    else
-	    {
-	    	/* response(reader, id) */
-	    }
-    }
+		if (streq(type, "request"))
+		{
+			request(reader, id, fd);
+		}
+		else
+		{
+			/* response(reader, id) */
+		}
+	}
 	xmlFreeTextReader(reader);
 	return JOB_REQUEUE_FAIR;;
 }
@@ -682,26 +683,27 @@ static job_requeue_t process(int *fdp)
 static job_requeue_t dispatch(private_smp_t *this)
 {
 	struct sockaddr_un strokeaddr;
-	int oldstate, fd, *fdp, strokeaddrlen = sizeof(strokeaddr);
+	int fd, *fdp, strokeaddrlen = sizeof(strokeaddr);
 	callback_job_t *job;
-	
+	bool oldstate;
+
 	/* wait for connections, but allow thread to terminate */
-	pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
+	oldstate = thread_cancelability(TRUE);
 	fd = accept(this->socket, (struct sockaddr *)&strokeaddr, &strokeaddrlen);
-	pthread_setcancelstate(oldstate, NULL);
-	
+	thread_cancelability(oldstate);
+
 	if (fd < 0)
 	{
 		DBG1(DBG_CFG, "accepting SMP XML socket failed: %s", strerror(errno));
 		sleep(1);
 		return JOB_REQUEUE_FAIR;;
 	}
-	
+
 	fdp = malloc_thing(int);
 	*fdp = fd;
 	job = callback_job_create((callback_job_cb_t)process, fdp, free, this->job);
 	charon->processor->queue_job(charon->processor, (job_t*)job);
-	
+
 	return JOB_REQUEUE_DIRECT;
 }
 
@@ -725,7 +727,7 @@ plugin_t *plugin_create()
 	mode_t old;
 
 	this->public.plugin.destroy = (void (*)(plugin_t*))destroy;
-	
+
 	/* set up unix socket */
 	this->socket = socket(AF_UNIX, SOCK_STREAM, 0);
 	if (this->socket == -1)
@@ -734,7 +736,7 @@ plugin_t *plugin_create()
 		free(this);
 		return NULL;
 	}
-	
+
 	unlink(unix_addr.sun_path);
 	old = umask(~(S_IRWXU | S_IRWXG));
 	if (bind(this->socket, (struct sockaddr *)&unix_addr, sizeof(unix_addr)) < 0)
@@ -749,7 +751,7 @@ plugin_t *plugin_create()
 	{
 		DBG1(DBG_CFG, "changing XML socket permissions failed: %s", strerror(errno));
 	}
-	
+
 	if (listen(this->socket, 5) < 0)
 	{
 		DBG1(DBG_CFG, "could not listen on XML socket: %s", strerror(errno));
@@ -760,7 +762,7 @@ plugin_t *plugin_create()
 
 	this->job = callback_job_create((callback_job_cb_t)dispatch, this, NULL, NULL);
 	charon->processor->queue_job(charon->processor, (job_t*)this->job);
-	
+
 	return &this->public.plugin;
 }
 
diff --git a/src/charon/plugins/sql/Makefile.am b/src/charon/plugins/sql/Makefile.am
index bf4963f29..60135bf08 100644
--- a/src/charon/plugins/sql/Makefile.am
+++ b/src/charon/plugins/sql/Makefile.am
@@ -2,16 +2,11 @@
 INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
 
 AM_CFLAGS = -rdynamic \
-  -DSTRONGSWAN_CONF=\"${strongswan_conf}\" \
-  -DIPSEC_PLUGINDIR=\"${plugindir}\" \
   -DPLUGINS=\""${libstrongswan_plugins}\""
 
 plugin_LTLIBRARIES = libstrongswan-sql.la
-libstrongswan_sql_la_SOURCES = sql_plugin.h sql_plugin.c \
-  sql_config.h sql_config.c sql_cred.h sql_cred.c \
-  sql_attribute.h sql_attribute.c sql_logger.h sql_logger.c
+libstrongswan_sql_la_SOURCES = \
+  sql_plugin.h sql_plugin.c sql_config.h sql_config.c \
+  sql_cred.h sql_cred.c sql_logger.h sql_logger.c
 libstrongswan_sql_la_LDFLAGS = -module -avoid-version
 
-ipsec_PROGRAMS = pool
-pool_SOURCES = pool.c
-pool_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
diff --git a/src/charon/plugins/sql/Makefile.in b/src/charon/plugins/sql/Makefile.in
index f6fd8e4f7..ef9c33a1c 100644
--- a/src/charon/plugins/sql/Makefile.in
+++ b/src/charon/plugins/sql/Makefile.in
@@ -1,8 +1,9 @@
-# Makefile.in generated by automake 1.10.2 from Makefile.am.
+# Makefile.in generated by automake 1.11 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -14,11 +15,11 @@
 
 @SET_MAKE@
 
-
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
@@ -33,40 +34,56 @@ PRE_UNINSTALL = :
 POST_UNINSTALL = :
 build_triplet = @build@
 host_triplet = @host@
-ipsec_PROGRAMS = pool$(EXEEXT)
 subdir = src/charon/plugins/sql
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
 CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
 am__vpath_adj = case $$p in \
     $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
     *) f=$$p;; \
   esac;
-am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
-am__installdirs = "$(DESTDIR)$(plugindir)" "$(DESTDIR)$(ipsecdir)"
-pluginLTLIBRARIES_INSTALL = $(INSTALL)
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(plugin_LTLIBRARIES)
 libstrongswan_sql_la_LIBADD =
 am_libstrongswan_sql_la_OBJECTS = sql_plugin.lo sql_config.lo \
-	sql_cred.lo sql_attribute.lo sql_logger.lo
+	sql_cred.lo sql_logger.lo
 libstrongswan_sql_la_OBJECTS = $(am_libstrongswan_sql_la_OBJECTS)
 libstrongswan_sql_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
 	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
 	$(libstrongswan_sql_la_LDFLAGS) $(LDFLAGS) -o $@
-ipsecPROGRAMS_INSTALL = $(INSTALL_PROGRAM)
-PROGRAMS = $(ipsec_PROGRAMS)
-am_pool_OBJECTS = pool.$(OBJEXT)
-pool_OBJECTS = $(am_pool_OBJECTS)
-pool_DEPENDENCIES =  \
-	$(top_builddir)/src/libstrongswan/libstrongswan.la
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
+am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
@@ -76,8 +93,8 @@ CCLD = $(CC)
 LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
 	$(LDFLAGS) -o $@
-SOURCES = $(libstrongswan_sql_la_SOURCES) $(pool_SOURCES)
-DIST_SOURCES = $(libstrongswan_sql_la_SOURCES) $(pool_SOURCES)
+SOURCES = $(libstrongswan_sql_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_sql_la_SOURCES)
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -114,25 +131,22 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
-IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
-LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
-LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
-LINUX_HEADERS = @LINUX_HEADERS@
 LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
 NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
@@ -144,11 +158,14 @@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
 PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
+RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
@@ -177,9 +194,9 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
-confdir = @confdir@
 datadir = @datadir@
 datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
@@ -202,7 +219,7 @@ ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
 libstrongswan_plugins = @libstrongswan_plugins@
-linuxdir = @linuxdir@
+linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
@@ -210,6 +227,7 @@ mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
@@ -218,10 +236,12 @@ pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+random_device = @random_device@
 resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
-simreader = @simreader@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
@@ -229,22 +249,19 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
 AM_CFLAGS = -rdynamic \
-  -DSTRONGSWAN_CONF=\"${strongswan_conf}\" \
-  -DIPSEC_PLUGINDIR=\"${plugindir}\" \
   -DPLUGINS=\""${libstrongswan_plugins}\""
 
 plugin_LTLIBRARIES = libstrongswan-sql.la
-libstrongswan_sql_la_SOURCES = sql_plugin.h sql_plugin.c \
-  sql_config.h sql_config.c sql_cred.h sql_cred.c \
-  sql_attribute.h sql_attribute.c sql_logger.h sql_logger.c
+libstrongswan_sql_la_SOURCES = \
+  sql_plugin.h sql_plugin.c sql_config.h sql_config.c \
+  sql_cred.h sql_cred.c sql_logger.h sql_logger.c
 
 libstrongswan_sql_la_LDFLAGS = -module -avoid-version
-pool_SOURCES = pool.c
-pool_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 all: all-am
 
 .SUFFIXES:
@@ -258,9 +275,9 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/charon/plugins/sql/Makefile'; \
-	cd $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu  src/charon/plugins/sql/Makefile
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/charon/plugins/sql/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/charon/plugins/sql/Makefile
 .PRECIOUS: Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
@@ -278,23 +295,28 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
 	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
 	  if test -f $$p; then \
-	    f=$(am__strip_dir) \
-	    echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(plugindir)/$$f'"; \
-	    $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(plugindir)/$$f"; \
+	    list2="$$list2 $$p"; \
 	  else :; fi; \
-	done
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
 
 uninstall-pluginLTLIBRARIES:
 	@$(NORMAL_UNINSTALL)
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
-	  p=$(am__strip_dir) \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$p'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$p"; \
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
 	done
 
 clean-pluginLTLIBRARIES:
@@ -307,37 +329,6 @@ clean-pluginLTLIBRARIES:
 	done
 libstrongswan-sql.la: $(libstrongswan_sql_la_OBJECTS) $(libstrongswan_sql_la_DEPENDENCIES) 
 	$(libstrongswan_sql_la_LINK) -rpath $(plugindir) $(libstrongswan_sql_la_OBJECTS) $(libstrongswan_sql_la_LIBADD) $(LIBS)
-install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
-	@$(NORMAL_INSTALL)
-	test -z "$(ipsecdir)" || $(MKDIR_P) "$(DESTDIR)$(ipsecdir)"
-	@list='$(ipsec_PROGRAMS)'; for p in $$list; do \
-	  p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
-	  if test -f $$p \
-	     || test -f $$p1 \
-	  ; then \
-	    f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \
-	   echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(ipsecPROGRAMS_INSTALL) '$$p' '$(DESTDIR)$(ipsecdir)/$$f'"; \
-	   $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(ipsecPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(ipsecdir)/$$f" || exit 1; \
-	  else :; fi; \
-	done
-
-uninstall-ipsecPROGRAMS:
-	@$(NORMAL_UNINSTALL)
-	@list='$(ipsec_PROGRAMS)'; for p in $$list; do \
-	  f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \
-	  echo " rm -f '$(DESTDIR)$(ipsecdir)/$$f'"; \
-	  rm -f "$(DESTDIR)$(ipsecdir)/$$f"; \
-	done
-
-clean-ipsecPROGRAMS:
-	@list='$(ipsec_PROGRAMS)'; for p in $$list; do \
-	  f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
-	  echo " rm -f $$p $$f"; \
-	  rm -f $$p $$f ; \
-	done
-pool$(EXEEXT): $(pool_OBJECTS) $(pool_DEPENDENCIES) 
-	@rm -f pool$(EXEEXT)
-	$(LINK) $(pool_OBJECTS) $(pool_LDADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -345,8 +336,6 @@ mostlyclean-compile:
 distclean-compile:
 	-rm -f *.tab.c
 
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pool.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sql_attribute.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sql_config.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sql_cred.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sql_logger.Plo@am__quote@
@@ -354,21 +343,21 @@ distclean-compile:
 
 .c.o:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c $<
 
 .c.obj:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
 @am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
@@ -391,7 +380,7 @@ tags: TAGS
 
 TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
+	set x; \
 	here=`pwd`; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
@@ -399,29 +388,34 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
 	  test -n "$$unique" || unique=$$empty_fix; \
-	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	    $$tags $$unique; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
 	fi
 ctags: CTAGS
 CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	test -z "$(CTAGS_ARGS)$$unique" \
 	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$tags $$unique
+	     $$unique
 
 GTAGS:
 	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && cd $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) $$here
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
 
 distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
@@ -442,21 +436,25 @@ distdir: $(DISTFILES)
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
 	  if test -d $$d/$$file; then \
 	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
 	    fi; \
-	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
 	  else \
-	    test -f $(distdir)/$$file \
-	    || cp -p $$d/$$file $(distdir)/$$file \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
 	    || exit 1; \
 	  fi; \
 	done
 check-am: all-am
 check: check-am
-all-am: Makefile $(LTLIBRARIES) $(PROGRAMS)
+all-am: Makefile $(LTLIBRARIES)
 installdirs:
-	for dir in "$(DESTDIR)$(plugindir)" "$(DESTDIR)$(ipsecdir)"; do \
+	for dir in "$(DESTDIR)$(plugindir)"; do \
 	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
 	done
 install: install-am
@@ -479,14 +477,15 @@ clean-generic:
 
 distclean-generic:
 	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
 	@echo "it deletes files that may require special tools to rebuild."
 clean: clean-am
 
-clean-am: clean-generic clean-ipsecPROGRAMS clean-libtool \
-	clean-pluginLTLIBRARIES mostlyclean-am
+clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
+	mostlyclean-am
 
 distclean: distclean-am
 	-rm -rf ./$(DEPDIR)
@@ -500,26 +499,38 @@ dvi-am:
 
 html: html-am
 
+html-am:
+
 info: info-am
 
 info-am:
 
-install-data-am: install-ipsecPROGRAMS install-pluginLTLIBRARIES
+install-data-am: install-pluginLTLIBRARIES
 
 install-dvi: install-dvi-am
 
+install-dvi-am:
+
 install-exec-am:
 
 install-html: install-html-am
 
+install-html-am:
+
 install-info: install-info-am
 
+install-info-am:
+
 install-man:
 
 install-pdf: install-pdf-am
 
+install-pdf-am:
+
 install-ps: install-ps-am
 
+install-ps-am:
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -540,25 +551,24 @@ ps: ps-am
 
 ps-am:
 
-uninstall-am: uninstall-ipsecPROGRAMS uninstall-pluginLTLIBRARIES
+uninstall-am: uninstall-pluginLTLIBRARIES
 
 .MAKE: install-am install-strip
 
 .PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
-	clean-ipsecPROGRAMS clean-libtool clean-pluginLTLIBRARIES \
-	ctags distclean distclean-compile distclean-generic \
-	distclean-libtool distclean-tags distdir dvi dvi-am html \
-	html-am info info-am install install-am install-data \
-	install-data-am install-dvi install-dvi-am install-exec \
-	install-exec-am install-html install-html-am install-info \
-	install-info-am install-ipsecPROGRAMS install-man install-pdf \
-	install-pdf-am install-pluginLTLIBRARIES install-ps \
-	install-ps-am install-strip installcheck installcheck-am \
-	installdirs maintainer-clean maintainer-clean-generic \
-	mostlyclean mostlyclean-compile mostlyclean-generic \
-	mostlyclean-libtool pdf pdf-am ps ps-am tags uninstall \
-	uninstall-am uninstall-ipsecPROGRAMS \
-	uninstall-pluginLTLIBRARIES
+	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
+	distclean-compile distclean-generic distclean-libtool \
+	distclean-tags distdir dvi dvi-am html html-am info info-am \
+	install install-am install-data install-data-am install-dvi \
+	install-dvi-am install-exec install-exec-am install-html \
+	install-html-am install-info install-info-am install-man \
+	install-pdf install-pdf-am install-pluginLTLIBRARIES \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
+
 
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
diff --git a/src/charon/plugins/sql/pool.c b/src/charon/plugins/sql/pool.c
deleted file mode 100644
index ebcc9adc7..000000000
--- a/src/charon/plugins/sql/pool.c
+++ /dev/null
@@ -1,797 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#define _GNU_SOURCE
-#include <getopt.h>
-#include <unistd.h>
-#include <stdio.h>
-#include <time.h>
-
-#include <debug.h>
-#include <library.h>
-#include <utils/host.h>
-#include <utils/identification.h>
-
-/**
- * global database handle
- */
-database_t *db;
-
-/**
- * --start/--end addresses of various subcommands
- */
-host_t *start = NULL, *end = NULL;
-
-/**
- * calculate the size of a pool using start and end address chunk
- */
-static u_int get_pool_size(chunk_t start, chunk_t end)
-{
-	u_int *start_ptr, *end_ptr;
-
-	if (start.len < sizeof(u_int) || end.len < sizeof(u_int))
-	{
-		return 0;	
-	}
-	start_ptr = (u_int*)(start.ptr + start.len - sizeof(u_int));
-	end_ptr = (u_int*)(end.ptr + end.len - sizeof(u_int));
-	return ntohl(*end_ptr) -  ntohl(*start_ptr) + 1;
-}
-
-/**
- * print usage info
- */
-static void usage(void)
-{
-	printf("\
-Usage:\n\
-  ipsec pool --status|--add|--del|--resize|--purge [options]\n\
-  \n\
-  ipsec pool --status\n\
-    Show a list of installed pools with statistics.\n\
-  \n\
-  ipsec pool --add <name> --start <start> --end <end> [--timeout <timeout>]\n\
-    Add a new pool to the database.\n\
-      name:    Name of the pool, as used in ipsec.conf rightsourceip=%%name\n\
-      start:   Start address of the pool\n\
-      end:     End address of the pool\n\
-      timeout: Lease time in hours, 0 for static leases\n\
-  \n\
-  ipsec pool --del <name>\n\
-    Delete a pool from the database.\n\
-      name:   Name of the pool to delete\n\
-  \n\
-  ipsec pool --resize <name> --end <end>\n\
-    Grow or shrink an existing pool.\n\
-      name:   Name of the pool to resize\n\
-      end:    New end address for the pool\n\
-  \n\
-  ipsec pool --leases [--filter <filter>] [--utc]\n\
-    Show lease information using filters:\n\
-      filter: Filter string containing comma separated key=value filters,\n\
-              e.g. id=alice@strongswan.org,addr=1.1.1.1\n\
-                  pool:   name of the pool\n\
-                  id:     assigned identity of the lease\n\
-                  addr:   lease IP address\n\
-                  tstamp: UNIX timestamp when lease was valid, as integer\n\
-                  status: status of the lease: online|valid|expired\n\
-      utc:    Show times in UTC instead of local time\n\
-  \n\
-  ipsec pool --purge <name>\n\
-    Delete lease history of a pool:\n\
-      name:   Name of the pool to purge\n\
-  \n");
-	exit(0);
-}
-
-/**
- * ipsec pool --status - show pool overview
- */
-static void status(void)
-{
-	enumerator_t *pool, *lease;
-	bool found = FALSE;
-	
-	pool = db->query(db, "SELECT id, name, start, end, timeout FROM pools",
-					 DB_INT, DB_TEXT, DB_BLOB, DB_BLOB, DB_UINT);
-	if (pool)
-	{
-		char *name;
-		chunk_t start_chunk, end_chunk;
-		host_t *start, *end;
-		u_int id, timeout, online = 0, used = 0, size = 0;
-	
-		while (pool->enumerate(pool, &id, &name,
-							   &start_chunk, &end_chunk, &timeout))
-		{
-			if (!found)
-			{
-				printf("%8s %15s %15s %8s %6s %11s %11s\n", "name", "start",
-					   "end", "timeout", "size", "online", "usage");
-				found = TRUE;
-			}
-			
-			start = host_create_from_chunk(AF_UNSPEC, start_chunk, 0);
-			end = host_create_from_chunk(AF_UNSPEC, end_chunk, 0);
-			size = get_pool_size(start_chunk, end_chunk);
-			printf("%8s %15H %15H ", name, start, end);
-			if (timeout)
-			{
-				printf("%7dh ", timeout/3600);
-			}
-			else
-			{
-				printf("%8s ", "static");
-			}
-			printf("%6d ", size);
-			/* get number of online hosts */
-			lease = db->query(db, "SELECT COUNT(*) FROM addresses "
-							  "WHERE pool = ? AND released = 0",
-							  DB_UINT, id, DB_INT);
-			if (lease)
-			{
-				lease->enumerate(lease, &online);
-				lease->destroy(lease);
-			}
-			printf("%5d (%2d%%) ", online, online*100/size);
-			/* get number of online or valid lieases */
-			lease = db->query(db, "SELECT COUNT(*) FROM addresses "
-							  "WHERE addresses.pool = ? "
-							  "AND ((? AND acquired != 0) "
-							  "     OR released = 0 OR released > ?) ",
-							  DB_UINT, id, DB_UINT, !timeout,
-							  DB_UINT, time(NULL) - timeout, DB_UINT);
-			if (lease)
-			{
-				lease->enumerate(lease, &used);
-				lease->destroy(lease);
-			}
-			printf("%5d (%2d%%) ", used, used*100/size);
-			
-			printf("\n");
-			DESTROY_IF(start);
-			DESTROY_IF(end);
-		}
-		pool->destroy(pool);
-	}
-	if (!found)
-	{
-		printf("no pools found.\n");
-	}
-	exit(0);
-}
-
-/**
- * increment a chunk, as it would reprensent a network order integer
- */
-static void increment_chunk(chunk_t chunk)
-{
-	int i;
-	
-	for (i = chunk.len - 1; i >= 0; i--)
-	{
-		if (++chunk.ptr[i] != 0)
-		{
-			return;
-		}
-	}
-}
-
-/**
- * ipsec pool --add - add a new pool
- */
-static void add(char *name, host_t *start, host_t *end, int timeout)
-{
-	chunk_t start_addr, end_addr, cur_addr;
-	u_int id, count;
-	
-	start_addr = start->get_address(start);
-	end_addr = end->get_address(end);
-	cur_addr = chunk_clonea(start_addr);
-	count = get_pool_size(start_addr, end_addr);
-
-	if (start_addr.len != end_addr.len ||
-		memcmp(start_addr.ptr, end_addr.ptr, start_addr.len) > 0)
-	{
-		fprintf(stderr, "invalid start/end pair specified.\n");
-		exit(-1);
-	}
-	if (db->execute(db, &id,
-			"INSERT INTO pools (name, start, end, timeout) "
-			"VALUES (?, ?, ?, ?)",
-			DB_TEXT, name, DB_BLOB, start_addr,
-			DB_BLOB, end_addr, DB_INT, timeout*3600) != 1)
-	{
-		fprintf(stderr, "creating pool failed.\n");
-		exit(-1);
-	}
-	printf("allocating %d addresses... ", count);
-	fflush(stdout);
-	if (db->get_driver(db) == DB_SQLITE)
-	{	/* run population in a transaction for sqlite */
-		db->execute(db, NULL, "BEGIN TRANSACTION");
-	}
-	while (TRUE)
-	{
-		db->execute(db, NULL,
-			"INSERT INTO addresses (pool, address, identity, acquired, released) "
-			"VALUES (?, ?, ?, ?, ?)",
-			DB_UINT, id, DB_BLOB, cur_addr,	DB_UINT, 0, DB_UINT, 0, DB_UINT, 1);
-		if (chunk_equals(cur_addr, end_addr))
-		{
-			break;
-		}
-		increment_chunk(cur_addr);
-	}
-	if (db->get_driver(db) == DB_SQLITE)
-	{
-		db->execute(db, NULL, "END TRANSACTION");
-	}
-	printf("done.\n", count);
-	
-	exit(0);
-}
-
-/**
- * ipsec pool --del - delete a pool
- */
-static void del(char *name)
-{
-	enumerator_t *query;
-	u_int id;
-	bool found = FALSE;
-	
-	query = db->query(db, "SELECT id FROM pools WHERE name = ?",
-					  DB_TEXT, name, DB_UINT);
-	if (!query)
-	{
-		fprintf(stderr, "deleting pool failed.\n");
-		exit(-1);
-	}
-	while (query->enumerate(query, &id))
-	{
-		found = TRUE;
-		if (db->execute(db, NULL,
-				"DELETE FROM leases WHERE address IN ("
-				" SELECT id FROM addresses WHERE pool = ?)", DB_UINT, id) < 0 ||
-			db->execute(db, NULL,
-				"DELETE FROM addresses WHERE pool = ?", DB_UINT, id) < 0 ||
-			db->execute(db, NULL,
-				"DELETE FROM pools WHERE id = ?", DB_UINT, id) < 0)
-		{
-			fprintf(stderr, "deleting pool failed.\n");
-			query->destroy(query);
-			exit(-1);
-		}
-	}
-	query->destroy(query);
-	if (!found)
-	{
-		fprintf(stderr, "pool '%s' not found.\n", name);
-		exit(-1);
-	}
-	exit(0);
-}
-
-/**
- * ipsec pool --resize - resize a pool
- */
-static void resize(char *name, host_t *end)
-{
-	enumerator_t *query;
-	chunk_t old_addr, new_addr, cur_addr;
-	u_int id, count;
-	
-	new_addr = end->get_address(end);
-	
-	query = db->query(db, "SELECT id, end FROM pools WHERE name = ?",
-					  DB_TEXT, name, DB_UINT, DB_BLOB);
-	if (!query || !query->enumerate(query, &id, &old_addr))
-	{
-		DESTROY_IF(query);
-		fprintf(stderr, "resizing pool failed.\n");
-		exit(-1);
-	}
-	if (old_addr.len != new_addr.len ||
-		memcmp(new_addr.ptr, old_addr.ptr, old_addr.len) < 0)
-	{
-		fprintf(stderr, "shrinking of pools not supported.\n");
-		query->destroy(query);
-		exit(-1);
-	}
-	cur_addr = chunk_clonea(old_addr);
-	count = get_pool_size(old_addr, new_addr) - 1;
-	query->destroy(query);
-
-	if (db->execute(db, NULL,
-			"UPDATE pools SET end = ? WHERE name = ?",
-			DB_BLOB, new_addr, DB_TEXT, name) <= 0)
-	{
-		fprintf(stderr, "pool '%s' not found.\n", name);
-		exit(-1);
-	}
-	
-	printf("allocating %d new addresses... ", count);
-	fflush(stdout);
-	if (db->get_driver(db) == DB_SQLITE)
-	{	/* run population in a transaction for sqlite */
-		db->execute(db, NULL, "BEGIN TRANSACTION");
-	}
-	while (count-- > 0)
-	{
-		increment_chunk(cur_addr);
-		db->execute(db, NULL,
-			"INSERT INTO addresses (pool, address, identity, acquired, released) "
-			"VALUES (?, ?, ?, ?, ?)",
-			DB_UINT, id, DB_BLOB, cur_addr,	DB_UINT, 0, DB_UINT, 0, DB_UINT, 1);
-	}
-	if (db->get_driver(db) == DB_SQLITE)
-	{
-		db->execute(db, NULL, "END TRANSACTION");
-	}
-	printf("done.\n", count);
-	
-	exit(0);
-}
-
-/**
- * create the lease query using the filter string
- */
-static enumerator_t *create_lease_query(char *filter)
-{
-	enumerator_t *query;
-	identification_t *id = NULL;
-	host_t *addr = NULL;
-	u_int tstamp = 0;
-	bool online = FALSE, valid = FALSE, expired = FALSE;
-	char *value, *pos, *pool = NULL;
-	enum {
-		FIL_POOL = 0,
-		FIL_ID,
-		FIL_ADDR,
-		FIL_TSTAMP,
-		FIL_STATE,
-	};
-	char *const token[] = {
-		[FIL_POOL] = "pool",
-		[FIL_ID] = "id",
-		[FIL_ADDR] = "addr",
-		[FIL_TSTAMP] = "tstamp",
-		[FIL_STATE] = "status",
-		NULL
-	};
-	
-	/* if the filter string contains a distinguished name as a ID, we replace
-	 * ", " by "/ " in order to not confuse the getsubopt parser */
-	pos = filter;
-	while ((pos = strchr(pos, ',')))
-	{
-		if (pos[1] == ' ')
-		{
-			pos[0] = '/';
-		}
-		pos++;
-	}
-	
-	while (filter && *filter != '\0')
-	{
-		switch (getsubopt(&filter, token, &value))
-		{
-			case FIL_POOL:
-				if (value)
-				{
-					pool = value;
-				}
-				break;
-			case FIL_ID:
-				if (value)
-				{
-					id = identification_create_from_string(value);
-				}
-				break;
-			case FIL_ADDR:
-				if (value)
-				{
-					addr = host_create_from_string(value, 0);
-				}
-				if (!addr)
-				{
-					fprintf(stderr, "invalid 'addr' in filter string.\n");
-					exit(-1);
-				}
-				break;
-			case FIL_TSTAMP:
-				if (value)
-				{
-					tstamp = atoi(value);
-				}
-				if (tstamp == 0)
-				{
-					online = TRUE;
-				}
-				break;
-			case FIL_STATE:
-				if (value)
-				{
-					if (streq(value, "online"))
-					{
-						online = TRUE;
-					}
-					else if (streq(value, "valid"))
-					{
-						valid = TRUE;
-					}
-					else if (streq(value, "expired"))
-					{
-						expired = TRUE;
-					}
-					else
-					{
-						fprintf(stderr, "invalid 'state' in filter string.\n");
-						exit(-1);
-					}
-				}
-				break;
-			default:
-				fprintf(stderr, "invalid filter string.\n");
-				exit(-1);
-				break;
-		}
-	}
-	query = db->query(db,
-				"SELECT name, addresses.address, identities.type, "
-				"identities.data, leases.acquired, leases.released, timeout "
-				"FROM leases JOIN addresses ON leases.address = addresses.id "
-				"JOIN pools ON addresses.pool = pools.id "
-				"JOIN identities ON leases.identity = identities.id "
-				"WHERE (? OR name = ?) "
-				"AND (? OR (identities.type = ? AND identities.data = ?)) "
-				"AND (? OR addresses.address = ?) "
-				"AND (? OR (? >= leases.acquired AND (? <= leases.released))) "
-				"AND (? OR leases.released > ? - timeout) "
-				"AND (? OR leases.released < ? - timeout) "
-				"AND ? "
-				"UNION "
-				"SELECT name, address, identities.type, identities.data, "
-				"acquired, released, timeout FROM addresses "
-				"JOIN pools ON addresses.pool = pools.id "
-				"JOIN identities ON addresses.identity = identities.id "
-				"WHERE ? AND released = 0 "
-				"AND (? OR name = ?) "
-				"AND (? OR (identities.type = ? AND identities.data = ?)) "
-				"AND (? OR address = ?)",
-				DB_INT, pool == NULL, DB_TEXT, pool,
-				DB_INT, id == NULL,
-					DB_INT, id ? id->get_type(id) : 0,
-					DB_BLOB, id ? id->get_encoding(id) : chunk_empty,
-				DB_INT, addr == NULL,
-					DB_BLOB, addr ? addr->get_address(addr) : chunk_empty,
-				DB_INT, tstamp == 0, DB_UINT, tstamp, DB_UINT, tstamp,
-				DB_INT, !valid, DB_INT, time(NULL),
-				DB_INT, !expired, DB_INT, time(NULL),
-				DB_INT, !online,
-				/* union */
-				DB_INT, !(valid || expired),
-				DB_INT, pool == NULL, DB_TEXT, pool,
-				DB_INT, id == NULL,
-					DB_INT, id ? id->get_type(id) : 0,
-					DB_BLOB, id ? id->get_encoding(id) : chunk_empty,
-				DB_INT, addr == NULL,
-					DB_BLOB, addr ? addr->get_address(addr) : chunk_empty,
-				/* res */
-				DB_TEXT, DB_BLOB, DB_INT, DB_BLOB, DB_UINT, DB_UINT, DB_UINT);
-	/* id and addr leak but we can't destroy them until query is destroyed. */
-	return query;
-}
-
-/**
- * ipsec pool --leases - show lease information of a pool
- */
-static void leases(char *filter, bool utc)
-{
-	enumerator_t *query;
-	chunk_t address_chunk, identity_chunk;
-	int identity_type;
-	char *name;
-	u_int acquired, released, timeout;
-	host_t *address;
-	identification_t *identity;
-	bool found = FALSE;
-	
-	query = create_lease_query(filter);
-	if (!query)
-	{
-		fprintf(stderr, "querying leases failed.\n");
-		exit(-1);
-	}
-	while (query->enumerate(query, &name, &address_chunk, &identity_type,
-							&identity_chunk, &acquired, &released, &timeout))
-	{
-		if (!found)
-		{
-			int len = utc ? 25 : 21;
-
-			found = TRUE;
-			printf("%-8s %-15s %-7s  %-*s %-*s %s\n",
-				   "name", "address", "status", len, "start", len, "end", "identity");
-		}
-		address = host_create_from_chunk(AF_UNSPEC, address_chunk, 0);
-		identity = identification_create_from_encoding(identity_type, identity_chunk);
-		
-		printf("%-8s %-15H ", name, address);
-		if (released == 0)
-		{
-			printf("%-7s ", "online");
-		}
-		else if (timeout == 0)
-		{
-			printf("%-7s ", "static");
-		}
-		else if (released >= time(NULL) - timeout)
-		{
-			printf("%-7s ", "valid");
-		}
-		else
-		{
-			printf("%-7s ", "expired");
-		}
-		
-		printf(" %T  ", &acquired, utc);
-		if (released)
-		{
-			printf("%T  ", &released, utc);
-		}
-		else
-		{
-			printf("                      ");
-			if (utc)
-			{
-				printf("    ");
-			}
-		}
-		printf("%Y\n", identity);
-		DESTROY_IF(address);
-		identity->destroy(identity);
-	}
-	query->destroy(query);
-	if (!found)
-	{
-		fprintf(stderr, "no matching leases found.\n");
-		exit(-1);
-	}
-	exit(0);
-}
-
-/**
- * ipsec pool --purge - delete expired leases
- */
-static void purge(char *name)
-{
-	int purged = 0;
-	
-	purged = db->execute(db, NULL,
-				"DELETE FROM leases WHERE address IN ("
-				" SELECT id FROM addresses WHERE pool IN ("
-				"  SELECT id FROM pools WHERE name = ?))",
-				DB_TEXT, name);
-	if (purged < 0)
-	{
-		fprintf(stderr, "purging pool '%s' failed.\n", name);
-		exit(-1);
-	}
-	fprintf(stderr, "purged %d leases in pool '%s'.\n", purged, name);
-	exit(0);
-}
-
-/**
- * atexit handler to close db on shutdown
- */
-static void cleanup(void)
-{
-	db->destroy(db);
-	DESTROY_IF(start);
-	DESTROY_IF(end);
-}
-
-/**
- * Logging hook for library logs, using stderr output
- */
-static void dbg_stderr(int level, char *fmt, ...)
-{
-	va_list args;
-	
-	if (level <= 1)
-	{
-		va_start(args, fmt);
-		vfprintf(stderr, fmt, args);
-		fprintf(stderr, "\n");
-		va_end(args);
-	}
-}
-
-int main(int argc, char *argv[])
-{
-	char *uri, *name = "", *filter = "";
-	int timeout = 0;
-	bool utc = FALSE;
-	enum {
-		OP_USAGE,
-		OP_STATUS,
-		OP_ADD,
-		OP_DEL,
-		OP_RESIZE,
-		OP_LEASES,
-		OP_PURGE,
-	} operation = OP_USAGE;
-
-	dbg = dbg_stderr;
-	atexit(library_deinit);
-
-	/* initialize library */
-	if (!library_init(STRONGSWAN_CONF))
-	{
-		exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
-	}
-	if (lib->integrity &&
-		!lib->integrity->check_file(lib->integrity, "pool", argv[0]))
-	{
-		fprintf(stderr, "integrity check of pool failed\n");
-		exit(SS_RC_DAEMON_INTEGRITY);
-	}
-	lib->plugins->load(lib->plugins, IPSEC_PLUGINDIR,
-		lib->settings->get_str(lib->settings, "pool.load", PLUGINS));
-	
-	uri = lib->settings->get_str(lib->settings, "charon.plugins.sql.database", NULL);
-	if (!uri)
-	{
-		fprintf(stderr, "database URI charon.plugins.sql.database not set.\n");
-		exit(-1);
-	}
-	db = lib->db->create(lib->db, uri);
-	if (!db)
-	{
-		fprintf(stderr, "opening database failed.\n");
-		exit(-1);
-	}
-	atexit(cleanup);
-	
-	while (TRUE)
-	{
-		int c;
-		
-		struct option long_opts[] = {
-			{ "help", no_argument, NULL, 'h' },
-		
-			{ "utc", no_argument, NULL, 'u' },
-			{ "status", no_argument, NULL, 'w' },
-			{ "add", required_argument, NULL, 'a' },
-			{ "del", required_argument, NULL, 'd' },
-			{ "resize", required_argument, NULL, 'r' },
-			{ "leases", no_argument, NULL, 'l' },
-			{ "purge", required_argument, NULL, 'p' },
-			
-			{ "start", required_argument, NULL, 's' },
-			{ "end", required_argument, NULL, 'e' },
-			{ "timeout", required_argument, NULL, 't' },
-			{ "filter", required_argument, NULL, 'f' },
-			{ 0,0,0,0 }
-		};
-		
-		c = getopt_long(argc, argv, "", long_opts, NULL);
-		switch (c)
-		{
-			case EOF:
-	    		break;
-			case 'h':
-				break;
-			case 'w':
-				operation = OP_STATUS;
-				break;
-			case 'u':
-				utc = TRUE;
-				continue;
-			case 'a':
-				operation = OP_ADD;
-				name = optarg;
-				continue;
-			case 'd':
-				operation = OP_DEL;
-				name = optarg;
-				continue;
-			case 'r':
-				operation = OP_RESIZE;
-				name = optarg;
-				continue;
-			case 'l':
-				operation = OP_LEASES;
-				continue;
-			case 'p':
-				operation = OP_PURGE;
-				name = optarg;
-				continue;
-			case 's':
-				start = host_create_from_string(optarg, 0);
-				if (start == NULL)
-				{
-					fprintf(stderr, "invalid start address: '%s'.\n", optarg);
-					operation = OP_USAGE;
-					break;
-				}
-				continue;
-			case 'e':
-				end = host_create_from_string(optarg, 0);
-				if (end == NULL)
-				{
-					fprintf(stderr, "invalid end address: '%s'.\n", optarg);
-					operation = OP_USAGE;
-					break;
-				}
-				continue;
-			case 't':
-				timeout = atoi(optarg);
-				if (timeout == 0 && strcmp(optarg, "0") != 0)
-				{
-					fprintf(stderr, "invalid timeout '%s'.\n", optarg);
-					operation = OP_USAGE;
-					break;
-				}
-				continue;
-			case 'f':
-				filter = optarg;
-				continue;
-			default:
-				operation = OP_USAGE;
-				break;
-		}
-		break;
-	}
-	
-	switch (operation)
-	{
-		case OP_USAGE:
-			usage();
-			break;
-		case OP_STATUS:
-			status();
-			break;
-		case OP_ADD:
-			if (start == NULL || end == NULL)
-			{
-				fprintf(stderr, "missing arguments.\n");
-				usage();
-			}
-			add(name, start, end, timeout);
-			break;
-		case OP_DEL:
-			del(name);
-			break;
-		case OP_RESIZE:
-			if (end == NULL)
-			{
-				fprintf(stderr, "missing arguments.\n");
-				usage();
-			}
-			resize(name, end);
-			break;
-		case OP_LEASES:
-			leases(filter, utc);
-			break;
-		case OP_PURGE:
-			purge(name);
-			break;
-	}
-	exit(0);
-}
-
diff --git a/src/charon/plugins/sql/sql_attribute.c b/src/charon/plugins/sql/sql_attribute.c
deleted file mode 100644
index 77601e612..000000000
--- a/src/charon/plugins/sql/sql_attribute.c
+++ /dev/null
@@ -1,363 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "sql_attribute.h"
-
-#include <time.h>
-
-#include <daemon.h>
-
-typedef struct private_sql_attribute_t private_sql_attribute_t;
-
-/**
- * private data of sql_attribute
- */
-struct private_sql_attribute_t {
-
-	/**
-	 * public functions
-	 */
-	sql_attribute_t public;
-	
-	/**
-	 * database connection
-	 */
-	database_t *db;
-	
-	/**
-	 * wheter to record lease history in lease table
-	 */
-	bool history;
-};
-
-/**
- * lookup/insert an identity
- */
-static u_int get_identity(private_sql_attribute_t *this, identification_t *id)
-{
-	enumerator_t *e;
-	u_int row;
-	
-	/* look for peer identity in the identities table */
-	e = this->db->query(this->db,
-						"SELECT id FROM identities WHERE type = ? AND data = ?",
-						DB_INT, id->get_type(id), DB_BLOB, id->get_encoding(id),
-						DB_UINT);
-						
-	if (e && e->enumerate(e, &row))
-	{
-		e->destroy(e);
-		return row;
-	}
-	DESTROY_IF(e);
-	/* not found, insert new one */
-	if (this->db->execute(this->db, &row,
-				  "INSERT INTO identities (type, data) VALUES (?, ?)",
-				  DB_INT, id->get_type(id), DB_BLOB, id->get_encoding(id)) == 1)
-	{
-		return row;
-	}
-	return 0;
-}
-
-/**
- * Lookup pool by name
- */
-static u_int get_pool(private_sql_attribute_t *this, char *name, u_int *timeout)
-{
-	enumerator_t *e;
-	u_int pool;
-
-	e = this->db->query(this->db, "SELECT id, timeout FROM pools WHERE name = ?",
-						DB_TEXT, name, DB_UINT, DB_UINT);
-	if (e && e->enumerate(e, &pool, timeout))
-	{
-		e->destroy(e);
-		return pool;
-	}
-	DESTROY_IF(e);
-	return 0;
-}
-
-/**
- * Look up an existing lease
- */
-static host_t* check_lease(private_sql_attribute_t *this, char *name,
-						   u_int pool, u_int identity)
-{
-	while (TRUE)
-	{
-		u_int id;
-		chunk_t address;
-		enumerator_t *e;
-		time_t now = time(NULL);
-
-		e = this->db->query(this->db,
-				"SELECT id, address FROM addresses "
-				"WHERE pool = ? AND identity = ? AND released != 0 LIMIT 1",
-				DB_UINT, pool, DB_UINT, identity, DB_UINT, DB_BLOB);
-		if (!e || !e->enumerate(e, &id, &address))
-		{
-			DESTROY_IF(e);
-			break;	
-		}
-		address = chunk_clonea(address);
-		e->destroy(e);
-
-		if (this->db->execute(this->db, NULL,
-				"UPDATE addresses SET acquired = ?, released = 0 "
-				"WHERE id = ? AND identity = ? AND released != 0",
-				DB_UINT, now, DB_UINT, id, DB_UINT, identity) > 0)
-		{
-			host_t *host;
-
-			host = host_create_from_chunk(AF_UNSPEC, address, 0);
-			if (host)
-			{
-				DBG1(DBG_CFG, "acquired existing lease "
-					 "for address %H in pool '%s'", host, name);
-				return host;
-			}
-		}
-	}
-	return NULL;
-}
-
-/**
- * We check for unallocated addresses or expired leases. First we select an
- * address as a candidate, but double check later on if it is still available
- * during the update operation. This allows us to work without locking.
- */
-static host_t* get_lease(private_sql_attribute_t *this, char *name,
-						 u_int pool, u_int timeout, u_int identity)
-{
-	while (TRUE)
-	{
-		u_int id;
-		chunk_t address;
-		enumerator_t *e;
-		time_t now = time(NULL);
-		int hits;
-
-		if (timeout)
-		{
-			/* check for an expired lease */
-			e = this->db->query(this->db,
-				"SELECT id, address FROM addresses "
-				"WHERE pool = ? AND released != 0 AND released < ? LIMIT 1",
-				DB_UINT, pool, DB_UINT, now - timeout, DB_UINT, DB_BLOB);
-		}
-		else
-		{
-			/* with static leases, check for an unallocated address */
-			e = this->db->query(this->db,
-				"SELECT id, address FROM addresses "
-				"WHERE pool = ? AND identity = 0 LIMIT 1",
-				DB_UINT, pool, DB_UINT, DB_BLOB);
-
-		}
-
-		if (!e || !e->enumerate(e, &id, &address))
-		{
-			DESTROY_IF(e);
-			break;	
-		}
-		address = chunk_clonea(address);
-		e->destroy(e);
-			
-		if (timeout)
-		{
-			hits = this->db->execute(this->db, NULL,
-						"UPDATE addresses SET "
-						"acquired = ?, released = 0, identity = ? "
-						"WHERE id = ? AND released != 0 AND released < ?",
-						DB_UINT, now, DB_UINT, identity,
-						DB_UINT, id, DB_UINT, now - timeout);
-		}
-		else
-		{
-			hits = this->db->execute(this->db, NULL,
-						"UPDATE addresses SET "
-						"acquired = ?, released = 0, identity = ? "
-						"WHERE id = ? AND identity = 0",
-						DB_UINT, now, DB_UINT, identity, DB_UINT, id);
-		}
-		if (hits > 0)
-		{
-			host_t *host;
-
-			host = host_create_from_chunk(AF_UNSPEC, address, 0);
-			if (host)
-			{
-				DBG1(DBG_CFG, "acquired new lease "
-					 "for address %H in pool '%s'", host, name);
-				return host;
-			}
-		}
-	}
-	DBG1(DBG_CFG, "no available address found in pool '%s'", name);
-	return NULL;
-}
-
-/**
- * Implementation of attribute_provider_t.acquire_address
- */
-static host_t* acquire_address(private_sql_attribute_t *this,
-							   char *names, identification_t *id,
-							   host_t *requested)
-{
-	host_t *address = NULL;
-	u_int identity, pool, timeout;
-
-	identity = get_identity(this, id);
-	if (identity)
-	{
-		/* check for a single pool first (no concatenation and enumeration) */
-		if (strchr(names, ',') == NULL)
-		{
-			pool = get_pool(this, names, &timeout);
-			if (pool)
-			{
-				/* check for an existing lease */
-				address = check_lease(this, names, pool, identity);
-				if (address == NULL)
-				{
-					/* get an unallocated address or expired lease */
-					address = get_lease(this, names, pool, timeout, identity);
-				}
-			}
-		}
-		else
-		{
-			enumerator_t *enumerator;
-			char *name;
-
-			/* in a first step check for an existing lease over all pools */
-			enumerator = enumerator_create_token(names, ",", " ");
-			while (enumerator->enumerate(enumerator, &name))
-			{
-				pool = get_pool(this, name, &timeout);
-				if (pool)
-				{
-					address = check_lease(this, name, pool, identity);
-					if (address)
-					{
-						enumerator->destroy(enumerator);
-						return address;
-					}
-				}
-			}
-			enumerator->destroy(enumerator);
-
-			/* in a second step get an unallocated address or expired lease */
-			enumerator = enumerator_create_token(names, ",", " ");
-			while (enumerator->enumerate(enumerator, &name))
-			{
-				pool = get_pool(this, name, &timeout);
-				if (pool)
-				{
-					address = get_lease(this, name, pool, timeout, identity);
-					if (address)
-					{
-						break;
-					}
-				}
-			}
-			enumerator->destroy(enumerator);
-		}
-	}
-	return address;
-}
-
-/**
- * Implementation of attribute_provider_t.release_address
- */
-static bool release_address(private_sql_attribute_t *this,
-							char *name, host_t *address, identification_t *id)
-{
-	enumerator_t *enumerator;
-	bool found = FALSE;
-	time_t now = time(NULL);
-	
-	enumerator = enumerator_create_token(name, ",", " ");
-	while (enumerator->enumerate(enumerator, &name))
-	{
-		u_int pool, timeout;
-		
-		pool = get_pool(this, name, &timeout);
-		if (pool)
-		{
-			if (this->history)
-			{
-				this->db->execute(this->db, NULL,
-					"INSERT INTO leases (address, identity, acquired, released)"
-					" SELECT id, identity, acquired, ? FROM addresses "
-					" WHERE pool = ? AND address = ?",
-					DB_UINT, now, DB_UINT, pool,
-					DB_BLOB, address->get_address(address));
-			}
-			if (this->db->execute(this->db, NULL,
-					"UPDATE addresses SET released = ? WHERE "
-					"pool = ? AND address = ?", DB_UINT, time(NULL),
-					DB_UINT, pool, DB_BLOB, address->get_address(address)) > 0)
-			{
-				found = TRUE;
-				break;
-			}
-		}
-	}
-	enumerator->destroy(enumerator);
-	return found;
-}
-
-/**
- * Implementation of sql_attribute_t.destroy
- */
-static void destroy(private_sql_attribute_t *this)
-{
-	free(this);
-}
-
-/*
- * see header file
- */
-sql_attribute_t *sql_attribute_create(database_t *db)
-{
-	private_sql_attribute_t *this = malloc_thing(private_sql_attribute_t);
-	time_t now = time(NULL);
-	
-	this->public.provider.acquire_address = (host_t*(*)(attribute_provider_t *this, char*, identification_t *, host_t *))acquire_address;
-	this->public.provider.release_address = (bool(*)(attribute_provider_t *this, char*,host_t *, identification_t*))release_address;
-	this->public.provider.create_attribute_enumerator = (enumerator_t*(*)(attribute_provider_t*, identification_t *id))enumerator_create_empty;
-	this->public.destroy = (void(*)(sql_attribute_t*))destroy;
-	
-	this->db = db;
-	this->history = lib->settings->get_bool(lib->settings,
-									"charon.plugins.sql.lease_history", TRUE);
-	
-	/* close any "online" leases in the case we crashed */
-	if (this->history)
-	{
-		this->db->execute(this->db, NULL,
-					"INSERT INTO leases (address, identity, acquired, released)"
-					" SELECT id, identity, acquired, ? FROM addresses "
-					" WHERE released = 0", DB_UINT, now);
-	}
-	this->db->execute(this->db, NULL,
-					  "UPDATE addresses SET released = ? WHERE released = 0",
-					  DB_UINT, now);
-	return &this->public;
-}
-
diff --git a/src/charon/plugins/sql/sql_attribute.h b/src/charon/plugins/sql/sql_attribute.h
deleted file mode 100644
index 23700dea9..000000000
--- a/src/charon/plugins/sql/sql_attribute.h
+++ /dev/null
@@ -1,49 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup sql_attribute sql_attribute
- * @{ @ingroup sql
- */
-
-#ifndef SQL_ATTRIBUTE_H_
-#define SQL_ATTRIBUTE_H_
-
-#include <config/attributes/attribute_provider.h>
-
-typedef struct sql_attribute_t sql_attribute_t;
-
-/**
- * SQL database based IKEv2 cfg attribute provider.
- */
-struct sql_attribute_t {
-
-	/**
-	 * Implements attribute provider interface
-	 */
-	attribute_provider_t provider;
-	
-	/**
-     * Destroy a sql_attribute instance.
-     */
-    void (*destroy)(sql_attribute_t *this);
-};
-
-/**
- * Create a sql_attribute instance.
- */
-sql_attribute_t *sql_attribute_create(database_t *db);
-
-#endif /** SQL_ATTRIBUTE_H_ @}*/
diff --git a/src/charon/plugins/sql/sql_config.c b/src/charon/plugins/sql/sql_config.c
index e7dfe573b..afee0896c 100644
--- a/src/charon/plugins/sql/sql_config.c
+++ b/src/charon/plugins/sql/sql_config.c
@@ -30,7 +30,7 @@ struct private_sql_config_t {
 	 * Public part
 	 */
 	sql_config_t public;
-	
+
 	/**
 	 * database connection
 	 */
@@ -58,7 +58,7 @@ static traffic_selector_t *build_traffic_selector(private_sql_config_t *this,
 		TS_LOCAL_DYNAMIC = 2,
 		TS_REMOTE_DYNAMIC = 3,
 	} kind;
-	
+
 	while (e->enumerate(e, &kind, &type, &protocol,
 						&start_addr, &end_addr, &start_port, &end_port))
 	{
@@ -99,7 +99,7 @@ static void add_traffic_selectors(private_sql_config_t *this,
 	enumerator_t *e;
 	traffic_selector_t *ts;
 	bool local;
-	
+
 	e = this->db->query(this->db,
 			"SELECT kind, type, protocol, "
 			"start_addr, end_addr, start_port, end_port "
@@ -126,12 +126,15 @@ static child_cfg_t *build_child_cfg(private_sql_config_t *this, enumerator_t *e)
 	int id, lifetime, rekeytime, jitter, hostaccess, mode, dpd, close, ipcomp;
 	char *name, *updown;
 	child_cfg_t *child_cfg;
-	
-	if (e->enumerate(e, &id, &name, &lifetime, &rekeytime, &jitter, 
+
+	if (e->enumerate(e, &id, &name, &lifetime, &rekeytime, &jitter,
 						&updown, &hostaccess, &mode, &dpd, &close, &ipcomp))
 	{
-		child_cfg = child_cfg_create(name, lifetime, rekeytime, jitter,
-									 updown, hostaccess, mode, dpd, close, ipcomp);
+		lifetime_cfg_t lft = {
+			.time = { .life = lifetime, .rekey = rekeytime, .jitter = jitter }
+		};
+		child_cfg = child_cfg_create(name, &lft, updown, hostaccess, mode,
+									 dpd, close, ipcomp, 0);
 		/* TODO: read proposal from db */
 		child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
 		add_traffic_selectors(this, child_cfg, id);
@@ -147,7 +150,7 @@ static void add_child_cfgs(private_sql_config_t *this, peer_cfg_t *peer, int id)
 {
 	enumerator_t *e;
 	child_cfg_t *child_cfg;
-	
+
 	e = this->db->query(this->db,
 			"SELECT id, name, lifetime, rekeytime, jitter, "
 			"updown, hostaccess, mode, dpd_action, close_action, ipcomp "
@@ -174,11 +177,11 @@ static ike_cfg_t *build_ike_cfg(private_sql_config_t *this, enumerator_t *e,
 {
 	int certreq, force_encap;
 	char *local, *remote;
-	
+
 	while (e->enumerate(e, &certreq, &force_encap, &local, &remote))
 	{
 		ike_cfg_t *ike_cfg;
-		
+
 		ike_cfg = ike_cfg_create(certreq, force_encap, local, remote);
 		/* TODO: read proposal from db */
 		ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
@@ -194,7 +197,7 @@ static ike_cfg_t* get_ike_cfg_by_id(private_sql_config_t *this, int id)
 {
 	enumerator_t *e;
 	ike_cfg_t *ike_cfg = NULL;
-	
+
 	e = this->db->query(this->db,
 			"SELECT certreq, force_encap, local, remote "
 			"FROM ike_configs WHERE id = ?",
@@ -215,7 +218,7 @@ static peer_cfg_t *get_peer_cfg_by_id(private_sql_config_t *this, int id)
 {
 	enumerator_t *e;
 	peer_cfg_t *peer_cfg = NULL;
-	
+
 	e = this->db->query(this->db,
 			"SELECT c.id, name, ike_cfg, l.type, l.data, r.type, r.data, "
 			"cert_policy, uniqueid, auth_method, eap_type, eap_vendor, "
@@ -229,8 +232,8 @@ static peer_cfg_t *get_peer_cfg_by_id(private_sql_config_t *this, int id)
 			"WHERE id = ?",
 			DB_INT, id,
 			DB_INT, DB_TEXT, DB_INT, DB_INT, DB_BLOB, DB_INT, DB_BLOB,
-			DB_INT, DB_INT, DB_INT, DB_INT, DB_INT, 
-			DB_INT, DB_INT, DB_INT, DB_INT, DB_INT, DB_INT, 
+			DB_INT, DB_INT, DB_INT, DB_INT, DB_INT,
+			DB_INT, DB_INT, DB_INT, DB_INT, DB_INT, DB_INT,
 			DB_INT, DB_TEXT, DB_TEXT,
 			DB_INT, DB_INT, DB_INT, DB_BLOB);
 	if (e)
@@ -253,11 +256,11 @@ static peer_cfg_t *build_peer_cfg(private_sql_config_t *this, enumerator_t *e,
 		mediation, mediated_by, p_type;
 	chunk_t l_data, r_data, p_data;
 	char *name, *virtual, *pool;
-	
+
 	while (e->enumerate(e,
 			&id, &name, &ike_cfg, &l_type, &l_data, &r_type, &r_data,
 			&cert_policy, &uniqueid, &auth_method, &eap_type, &eap_vendor,
-			&keyingtries, &rekeytime, &reauthtime, &jitter, &overtime, &mobike, 
+			&keyingtries, &rekeytime, &reauthtime, &jitter, &overtime, &mobike,
 			&dpd_delay,	&virtual, &pool,
 			&mediation, &mediated_by, &p_type, &p_data))
 	{
@@ -266,7 +269,7 @@ static peer_cfg_t *build_peer_cfg(private_sql_config_t *this, enumerator_t *e,
 		ike_cfg_t *ike;
 		host_t *vip = NULL;
 		auth_cfg_t *auth;
-		
+
 		local_id = identification_create_from_encoding(l_type, l_data);
 		remote_id = identification_create_from_encoding(r_type, r_data);
 		if ((me && !me->matches(me, local_id)) ||
@@ -328,7 +331,7 @@ static peer_cfg_t *get_peer_cfg_by_name(private_sql_config_t *this, char *name)
 {
 	enumerator_t *e;
 	peer_cfg_t *peer_cfg = NULL;
-	
+
 	e = this->db->query(this->db,
 			"SELECT c.id, name, ike_cfg, l.type, l.data, r.type, r.data, "
 			"cert_policy, uniqueid, auth_method, eap_type, eap_vendor, "
@@ -401,14 +404,14 @@ static enumerator_t* create_ike_cfg_enumerator(private_sql_config_t *this,
 											   host_t *me, host_t *other)
 {
 	ike_enumerator_t *e = malloc_thing(ike_enumerator_t);
-	
+
 	e->this = this;
 	e->me = me;
 	e->other = other;
 	e->current = NULL;
 	e->public.enumerate = (void*)ike_enumerator_enumerate;
 	e->public.destroy = (void*)ike_enumerator_destroy;
-	
+
 	e->inner = this->db->query(this->db,
 			"SELECT certreq, force_encap, local, remote "
 			"FROM ike_configs",
@@ -470,7 +473,7 @@ static enumerator_t* create_peer_cfg_enumerator(private_sql_config_t *this,
 												identification_t *other)
 {
 	peer_enumerator_t *e = malloc_thing(peer_enumerator_t);
-	
+
 	e->this = this;
 	e->me = me;
 	e->other = other;
@@ -523,9 +526,9 @@ sql_config_t *sql_config_create(database_t *db)
 	this->public.backend.create_ike_cfg_enumerator = (enumerator_t*(*)(backend_t*, host_t *me, host_t *other))create_ike_cfg_enumerator;
 	this->public.backend.get_peer_cfg_by_name = (peer_cfg_t* (*)(backend_t*,char*))get_peer_cfg_by_name;
 	this->public.destroy = (void(*)(sql_config_t*))destroy;
-	
+
 	this->db = db;
-	
+
 	return &this->public;
 }
 
diff --git a/src/charon/plugins/sql/sql_config.h b/src/charon/plugins/sql/sql_config.h
index abc6ef382..700d00a97 100644
--- a/src/charon/plugins/sql/sql_config.h
+++ b/src/charon/plugins/sql/sql_config.h
@@ -35,11 +35,11 @@ struct sql_config_t {
 	 * Implements backend_t interface
 	 */
 	backend_t backend;
-	
+
 	/**
 	 * Destry the backend.
 	 */
-	void (*destroy)(sql_config_t *this);	
+	void (*destroy)(sql_config_t *this);
 };
 
 /**
diff --git a/src/charon/plugins/sql/sql_cred.c b/src/charon/plugins/sql/sql_cred.c
index f8b7a35c1..12f4ab045 100644
--- a/src/charon/plugins/sql/sql_cred.c
+++ b/src/charon/plugins/sql/sql_cred.c
@@ -30,7 +30,7 @@ struct private_sql_cred_t {
 	 * Public part
 	 */
 	sql_cred_t public;
-	
+
 	/**
 	 * database connection
 	 */
@@ -92,7 +92,7 @@ static enumerator_t* create_private_enumerator(private_sql_cred_t *this,
 											   identification_t *id)
 {
 	private_enumerator_t *e;
-	
+
 	e = malloc_thing(private_enumerator_t);
 	e->current = NULL;
 	e->public.enumerate = (void*)private_enumerator_enumerate;
@@ -178,7 +178,7 @@ static enumerator_t* create_cert_enumerator(private_sql_cred_t *this,
 										identification_t *id, bool trusted)
 {
 	cert_enumerator_t *e;
-	
+
 	e = malloc_thing(cert_enumerator_t);
 	e->current = NULL;
 	e->public.enumerate = (void*)cert_enumerator_enumerate;
@@ -275,11 +275,11 @@ static void shared_enumerator_destroy(shared_enumerator_t *this)
  * Implementation of credential_set_t.create_shared_enumerator.
  */
 static enumerator_t* create_shared_enumerator(private_sql_cred_t *this,
-								  shared_key_type_t type, 
+								  shared_key_type_t type,
 								  identification_t *me, identification_t *other)
 {
 	shared_enumerator_t *e;
-	
+
 	e = malloc_thing(shared_enumerator_t);
 	e->me = me;
 	e->other = other;
@@ -306,12 +306,12 @@ static enumerator_t* create_shared_enumerator(private_sql_cred_t *this,
 				DB_INT, me->get_type(me), DB_BLOB, me->get_encoding(me),
 				DB_INT, other->get_type(other), DB_BLOB, other->get_encoding(other),
 				DB_INT, type == SHARED_ANY, DB_INT, type,
-				DB_INT, DB_BLOB);				
+				DB_INT, DB_BLOB);
 	}
 	else
 	{
 		identification_t *id = me ? me : other;
-		
+
 		e->inner = this->db->query(this->db,
 				"SELECT s.type, s.data FROM shared_secrets AS s "
 				"JOIN shared_secret_identity AS si ON s.id = si.shared_secret "
@@ -350,16 +350,16 @@ static void destroy(private_sql_cred_t *this)
 sql_cred_t *sql_cred_create(database_t *db)
 {
 	private_sql_cred_t *this = malloc_thing(private_sql_cred_t);
-	
+
 	this->public.set.create_private_enumerator = (void*)create_private_enumerator;
 	this->public.set.create_cert_enumerator = (void*)create_cert_enumerator;
 	this->public.set.create_shared_enumerator = (void*)create_shared_enumerator;
 	this->public.set.create_cdp_enumerator = (void*)return_null;
 	this->public.set.cache_cert = (void*)cache_cert;
 	this->public.destroy = (void(*)(sql_cred_t*))destroy;
-	
+
 	this->db = db;
-	
+
 	return &this->public;
 }
 
diff --git a/src/charon/plugins/sql/sql_cred.h b/src/charon/plugins/sql/sql_cred.h
index 2a9a96df1..7f387398e 100644
--- a/src/charon/plugins/sql/sql_cred.h
+++ b/src/charon/plugins/sql/sql_cred.h
@@ -35,11 +35,11 @@ struct sql_cred_t {
 	 * Implements credential_set_t interface
 	 */
 	credential_set_t set;
-	
+
 	/**
 	 * Destry the backend.
 	 */
-	void (*destroy)(sql_cred_t *this);	
+	void (*destroy)(sql_cred_t *this);
 };
 
 /**
diff --git a/src/charon/plugins/sql/sql_logger.c b/src/charon/plugins/sql/sql_logger.c
index 20d42662b..d350c4c3d 100644
--- a/src/charon/plugins/sql/sql_logger.c
+++ b/src/charon/plugins/sql/sql_logger.c
@@ -30,17 +30,17 @@ struct private_sql_logger_t {
 	 * Public part
 	 */
 	sql_logger_t public;
-	
+
 	/**
 	 * database connection
 	 */
 	database_t *db;
-	
+
 	/**
 	 * logging level
 	 */
 	int level;
-	
+
 	/**
 	 * avoid recursive logging
 	 */
@@ -67,7 +67,7 @@ static bool log_(private_sql_logger_t *this, debug_t group, level_t level,
 		identification_t *local_id, *remote_id;
 		u_int64_t ispi, rspi;
 		ike_sa_id_t *id;
-	
+
 		id = ike_sa->get_id(ike_sa);
 		ispi = id->get_initiator_spi(id);
 		rspi = id->get_responder_spi(id);
@@ -86,9 +86,9 @@ static bool log_(private_sql_logger_t *this, debug_t group, level_t level,
 		remote_id = ike_sa->get_other_id(ike_sa);
 		local_host = ike_sa->get_my_host(ike_sa);
 		remote_host = ike_sa->get_other_host(ike_sa);
-		
+
 		vsnprintf(buffer, sizeof(buffer), format, args);
-		
+
 		this->db->execute(this->db, NULL, "REPLACE INTO ike_sas ("
 						  "local_spi, remote_spi, id, initiator, "
 						  "local_id_type, local_id_data, "
@@ -129,17 +129,17 @@ static void destroy(private_sql_logger_t *this)
 sql_logger_t *sql_logger_create(database_t *db)
 {
 	private_sql_logger_t *this = malloc_thing(private_sql_logger_t);
-	
+
 	memset(&this->public.listener, 0, sizeof(listener_t));
 	this->public.listener.log = (bool(*)(listener_t*,debug_t,level_t,int,ike_sa_t*,char*,va_list))log_;
 	this->public.destroy = (void(*)(sql_logger_t*))destroy;
-	
+
 	this->db = db;
 	this->recursive = FALSE;
-	
+
 	this->level = lib->settings->get_int(lib->settings,
 										 "charon.plugins.sql.loglevel", -1);
-	
+
 	return &this->public;
 }
 
diff --git a/src/charon/plugins/sql/sql_logger.h b/src/charon/plugins/sql/sql_logger.h
index 3636c2293..a933705da 100644
--- a/src/charon/plugins/sql/sql_logger.h
+++ b/src/charon/plugins/sql/sql_logger.h
@@ -35,11 +35,11 @@ struct sql_logger_t {
 	 * Implements bus_listener_t interface
 	 */
 	listener_t listener;
-	
+
 	/**
 	 * Destry the backend.
 	 */
-	void (*destroy)(sql_logger_t *this);	
+	void (*destroy)(sql_logger_t *this);
 };
 
 /**
diff --git a/src/charon/plugins/sql/sql_plugin.c b/src/charon/plugins/sql/sql_plugin.c
index e5a4afd1d..e2e410a8a 100644
--- a/src/charon/plugins/sql/sql_plugin.c
+++ b/src/charon/plugins/sql/sql_plugin.c
@@ -18,7 +18,6 @@
 #include <daemon.h>
 #include "sql_config.h"
 #include "sql_cred.h"
-#include "sql_attribute.h"
 #include "sql_logger.h"
 
 typedef struct private_sql_plugin_t private_sql_plugin_t;
@@ -32,27 +31,22 @@ struct private_sql_plugin_t {
 	 * implements plugin interface
 	 */
 	sql_plugin_t public;
-	
+
 	/**
 	 * database connection instance
 	 */
 	database_t *db;
-	
+
 	/**
 	 * configuration backend
 	 */
 	sql_config_t *config;
-	
+
 	/**
 	 * credential set
 	 */
 	sql_cred_t *cred;
-	
-	/**
-	 * CFG attributes
-	 */
-	sql_attribute_t *attribute;
-	
+
 	/**
 	 * bus listener/logger
 	 */
@@ -66,11 +60,9 @@ static void destroy(private_sql_plugin_t *this)
 {
 	charon->backends->remove_backend(charon->backends, &this->config->backend);
 	charon->credentials->remove_set(charon->credentials, &this->cred->set);
-	charon->attributes->remove_provider(charon->attributes, &this->attribute->provider);
 	charon->bus->remove_listener(charon->bus, &this->logger->listener);
 	this->config->destroy(this->config);
 	this->cred->destroy(this->cred);
-	this->attribute->destroy(this->attribute);
 	this->logger->destroy(this->logger);
 	this->db->destroy(this->db);
 	free(this);
@@ -83,18 +75,18 @@ plugin_t *plugin_create()
 {
 	char *uri;
 	private_sql_plugin_t *this;
-	
+
 	uri = lib->settings->get_str(lib->settings, "charon.plugins.sql.database", NULL);
 	if (!uri)
 	{
 		DBG1(DBG_CFG, "sql plugin: database URI not set");
 		return NULL;
 	}
-	
+
 	this = malloc_thing(private_sql_plugin_t);
-	
+
 	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-	
+
 	this->db = lib->db->create(lib->db, uri);
 	if (!this->db)
 	{
@@ -104,14 +96,12 @@ plugin_t *plugin_create()
 	}
 	this->config = sql_config_create(this->db);
 	this->cred = sql_cred_create(this->db);
-	this->attribute = sql_attribute_create(this->db);
 	this->logger = sql_logger_create(this->db);
-	
+
 	charon->backends->add_backend(charon->backends, &this->config->backend);
 	charon->credentials->add_set(charon->credentials, &this->cred->set);
-	charon->attributes->add_provider(charon->attributes, &this->attribute->provider);
 	charon->bus->add_listener(charon->bus, &this->logger->listener);
-	
+
 	return &this->public.plugin;
 }
 
diff --git a/src/charon/plugins/stroke/Makefile.am b/src/charon/plugins/stroke/Makefile.am
index 79a63f2c2..94d311609 100644
--- a/src/charon/plugins/stroke/Makefile.am
+++ b/src/charon/plugins/stroke/Makefile.am
@@ -3,7 +3,7 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon -I$(top_
 
 AM_CFLAGS = \
 -rdynamic \
--DIPSEC_CONFDIR=\"${confdir}\" \
+-DIPSEC_CONFDIR=\"${sysconfdir}\" \
 -DIPSEC_PIDDIR=\"${piddir}\"
 
 plugin_LTLIBRARIES = libstrongswan-stroke.la
diff --git a/src/charon/plugins/stroke/Makefile.in b/src/charon/plugins/stroke/Makefile.in
index 19822ebc8..6e6b3b813 100644
--- a/src/charon/plugins/stroke/Makefile.in
+++ b/src/charon/plugins/stroke/Makefile.in
@@ -1,8 +1,9 @@
-# Makefile.in generated by automake 1.10.2 from Makefile.am.
+# Makefile.in generated by automake 1.11 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,8 +17,9 @@
 
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
@@ -35,19 +37,41 @@ host_triplet = @host@
 subdir = src/charon/plugins/stroke
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
 CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
 am__vpath_adj = case $$p in \
     $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
     *) f=$$p;; \
   esac;
-am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__installdirs = "$(DESTDIR)$(plugindir)"
-pluginLTLIBRARIES_INSTALL = $(INSTALL)
 LTLIBRARIES = $(plugin_LTLIBRARIES)
 libstrongswan_stroke_la_LIBADD =
 am_libstrongswan_stroke_la_OBJECTS = stroke_plugin.lo stroke_socket.lo \
@@ -61,6 +85,7 @@ libstrongswan_stroke_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
+am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
@@ -108,25 +133,22 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
-IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
-LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
-LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
-LINUX_HEADERS = @LINUX_HEADERS@
 LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
 NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
@@ -138,11 +160,14 @@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
 PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
+RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
@@ -171,9 +196,9 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
-confdir = @confdir@
 datadir = @datadir@
 datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
@@ -196,7 +221,7 @@ ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
 libstrongswan_plugins = @libstrongswan_plugins@
-linuxdir = @linuxdir@
+linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
@@ -204,6 +229,7 @@ mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
@@ -212,10 +238,12 @@ pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+random_device = @random_device@
 resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
-simreader = @simreader@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
@@ -223,12 +251,13 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon -I$(top_srcdir)/src/stroke
 AM_CFLAGS = \
 -rdynamic \
--DIPSEC_CONFDIR=\"${confdir}\" \
+-DIPSEC_CONFDIR=\"${sysconfdir}\" \
 -DIPSEC_PIDDIR=\"${piddir}\"
 
 plugin_LTLIBRARIES = libstrongswan-stroke.la
@@ -256,9 +285,9 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/charon/plugins/stroke/Makefile'; \
-	cd $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu  src/charon/plugins/stroke/Makefile
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/charon/plugins/stroke/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/charon/plugins/stroke/Makefile
 .PRECIOUS: Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
@@ -276,23 +305,28 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
 	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
 	  if test -f $$p; then \
-	    f=$(am__strip_dir) \
-	    echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(plugindir)/$$f'"; \
-	    $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(plugindir)/$$f"; \
+	    list2="$$list2 $$p"; \
 	  else :; fi; \
-	done
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
 
 uninstall-pluginLTLIBRARIES:
 	@$(NORMAL_UNINSTALL)
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
-	  p=$(am__strip_dir) \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$p'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$p"; \
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
 	done
 
 clean-pluginLTLIBRARIES:
@@ -324,21 +358,21 @@ distclean-compile:
 
 .c.o:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c $<
 
 .c.obj:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
 @am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
@@ -361,7 +395,7 @@ tags: TAGS
 
 TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
+	set x; \
 	here=`pwd`; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
@@ -369,29 +403,34 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
 	  test -n "$$unique" || unique=$$empty_fix; \
-	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	    $$tags $$unique; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
 	fi
 ctags: CTAGS
 CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	test -z "$(CTAGS_ARGS)$$unique" \
 	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$tags $$unique
+	     $$unique
 
 GTAGS:
 	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && cd $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) $$here
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
 
 distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
@@ -412,13 +451,17 @@ distdir: $(DISTFILES)
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
 	  if test -d $$d/$$file; then \
 	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
 	    fi; \
-	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
 	  else \
-	    test -f $(distdir)/$$file \
-	    || cp -p $$d/$$file $(distdir)/$$file \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
 	    || exit 1; \
 	  fi; \
 	done
@@ -449,6 +492,7 @@ clean-generic:
 
 distclean-generic:
 	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -470,6 +514,8 @@ dvi-am:
 
 html: html-am
 
+html-am:
+
 info: info-am
 
 info-am:
@@ -478,18 +524,28 @@ install-data-am: install-pluginLTLIBRARIES
 
 install-dvi: install-dvi-am
 
+install-dvi-am:
+
 install-exec-am:
 
 install-html: install-html-am
 
+install-html-am:
+
 install-info: install-info-am
 
+install-info-am:
+
 install-man:
 
 install-pdf: install-pdf-am
 
+install-pdf-am:
+
 install-ps: install-ps-am
 
+install-ps-am:
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -528,6 +584,7 @@ uninstall-am: uninstall-pluginLTLIBRARIES
 	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
 	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
 
+
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/src/charon/plugins/stroke/stroke_attribute.c b/src/charon/plugins/stroke/stroke_attribute.c
index d3211fd67..7a5ce683e 100644
--- a/src/charon/plugins/stroke/stroke_attribute.c
+++ b/src/charon/plugins/stroke/stroke_attribute.c
@@ -18,7 +18,7 @@
 #include <daemon.h>
 #include <utils/linked_list.h>
 #include <utils/hashtable.h>
-#include <utils/mutex.h>
+#include <threading/mutex.h>
 
 #define POOL_LIMIT (sizeof(uintptr_t)*8)
 
@@ -33,12 +33,12 @@ struct private_stroke_attribute_t {
 	 * public functions
 	 */
 	stroke_attribute_t public;
-	
+
 	/**
 	 * list of pools, contains pool_t
 	 */
 	linked_list_t *pools;
-	
+
 	/**
 	 * mutex to lock access to pools
 	 */
@@ -85,7 +85,7 @@ static void pool_destroy(pool_t *this)
 {
 	enumerator_t *enumerator;
 	identification_t *id;
-	
+
 	enumerator = this->ids->create_enumerator(this->ids);
 	while (enumerator->enumerate(enumerator, &id, NULL))
 	{
@@ -107,7 +107,7 @@ static pool_t *find_pool(private_stroke_attribute_t *this, char *name)
 {
 	enumerator_t *enumerator;
 	pool_t *current, *found = NULL;
-	
+
 	enumerator = this->pools->create_enumerator(this->pools);
 	while (enumerator->enumerate(enumerator, &current))
 	{
@@ -129,13 +129,13 @@ host_t* offset2host(pool_t *pool, int offset)
 	chunk_t addr;
 	host_t *host;
 	u_int32_t *pos;
-	
+
 	offset--;
 	if (offset > pool->size)
 	{
 		return NULL;
 	}
-	
+
 	addr = chunk_clone(pool->base->get_address(pool->base));
 	if (pool->base->get_family(pool->base) == AF_INET6)
 	{
@@ -158,7 +158,7 @@ int host2offset(pool_t *pool, host_t *addr)
 {
 	chunk_t host, base;
 	u_int32_t hosti, basei;
-	
+
 	if (addr->get_family(addr) != pool->base->get_family(pool->base))
 	{
 		return -1;
@@ -195,7 +195,7 @@ static host_t* acquire_address(private_stroke_attribute_t *this,
 	uintptr_t offset = 0;
 	enumerator_t *enumerator;
 	identification_t *old_id;
-	
+
 	this->mutex->lock(this->mutex);
 	pool = find_pool(this, name);
 	while (pool)
@@ -206,7 +206,7 @@ static host_t* acquire_address(private_stroke_attribute_t *this,
 			this->mutex->unlock(this->mutex);
 			return requested->clone(requested);
 		}
-		
+
 		if (!requested->is_anyaddr(requested) &&
 			requested->get_family(requested) !=
 			pool->base->get_family(pool->base))
@@ -214,7 +214,7 @@ static host_t* acquire_address(private_stroke_attribute_t *this,
 			DBG1(DBG_CFG, "IP pool address family mismatch");
 			break;
 		}
-		
+
 		/* check for a valid offline lease, refresh */
 		offset = (uintptr_t)pool->offline->remove(pool->offline, id);
 		if (offset)
@@ -227,7 +227,7 @@ static host_t* acquire_address(private_stroke_attribute_t *this,
 				break;
 			}
 		}
-		
+
 		/* check for a valid online lease, reassign */
 		offset = (uintptr_t)pool->online->get(pool->online, id);
 		if (offset && offset == host2offset(pool, requested))
@@ -235,7 +235,7 @@ static host_t* acquire_address(private_stroke_attribute_t *this,
 			DBG1(DBG_CFG, "reassigning online lease to '%Y'", id);
 			break;
 		}
-		
+
 		if (pool->unused < pool->size)
 		{
 			/* assigning offset, starting by 1. Handling 0 in hashtable
@@ -270,7 +270,7 @@ static host_t* acquire_address(private_stroke_attribute_t *this,
 			}
 		}
 		enumerator->destroy(enumerator);
-		
+
 		DBG1(DBG_CFG, "pool '%s' is full, unable to assign address", name);
 		break;
 	}
@@ -291,7 +291,7 @@ static bool release_address(private_stroke_attribute_t *this,
 	pool_t *pool;
 	bool found = FALSE;
 	uintptr_t offset;
-	
+
 	this->mutex->lock(this->mutex);
 	pool = find_pool(this, name);
 	if (pool)
@@ -320,10 +320,10 @@ static bool release_address(private_stroke_attribute_t *this,
  */
 static void add_pool(private_stroke_attribute_t *this, stroke_msg_t *msg)
 {
-	if (msg->add_conn.other.sourceip_size)
+	if (msg->add_conn.other.sourceip_mask)
 	{
 		pool_t *pool;
-		
+
 		pool = malloc_thing(pool_t);
 		pool->base = NULL;
 		pool->size = 0;
@@ -335,17 +335,17 @@ static void add_pool(private_stroke_attribute_t *this, stroke_msg_t *msg)
 										(hashtable_equals_t)id_equals, 16);
 		pool->ids = hashtable_create((hashtable_hash_t)id_hash,
 										(hashtable_equals_t)id_equals, 16);
-		
+
 		/* if %config, add an empty pool, otherwise */
 		if (msg->add_conn.other.sourceip)
 		{
 			u_int32_t bits;
 			int family;
-		
-			DBG1(DBG_CFG, "adding virtual IP address pool '%s': %s/%d", 
-				 msg->add_conn.name, msg->add_conn.other.sourceip, 
-				 msg->add_conn.other.sourceip_size);
-		
+
+			DBG1(DBG_CFG, "adding virtual IP address pool '%s': %s/%d",
+				 msg->add_conn.name, msg->add_conn.other.sourceip,
+				 msg->add_conn.other.sourceip_mask);
+
 			pool->base = host_create_from_string(msg->add_conn.other.sourceip, 0);
 			if (!pool->base)
 			{
@@ -354,7 +354,7 @@ static void add_pool(private_stroke_attribute_t *this, stroke_msg_t *msg)
 				return;
 			}
 			family = pool->base->get_family(pool->base);
-			bits = (family == AF_INET ? 32 : 128) - msg->add_conn.other.sourceip_size;
+			bits = (family == AF_INET ? 32 : 128) - msg->add_conn.other.sourceip_mask;
 			if (bits > POOL_LIMIT)
 			{
 				bits = POOL_LIMIT;
@@ -363,7 +363,7 @@ static void add_pool(private_stroke_attribute_t *this, stroke_msg_t *msg)
 					 (family == AF_INET ? 32 : 128) - bits);
 			}
 			pool->size = 1 << (bits);
-			
+
 			if (pool->size > 2)
 			{	/* do not use first and last addresses of a block */
 				pool->unused++;
@@ -383,7 +383,7 @@ static void del_pool(private_stroke_attribute_t *this, stroke_msg_t *msg)
 {
 	enumerator_t *enumerator;
 	pool_t *pool;
-	
+
 	this->mutex->lock(this->mutex);
 	enumerator = this->pools->create_enumerator(this->pools);
 	while (enumerator->enumerate(enumerator, &pool))
@@ -407,7 +407,7 @@ static bool pool_filter(void *mutex, pool_t **poolp, char **name,
 						void *d3, u_int *offline)
 {
 	pool_t *pool = *poolp;
-	
+
 	*name = pool->name;
 	*size = pool->size;
 	*online = pool->online->get_count(pool->online);
@@ -450,10 +450,10 @@ static bool lease_enumerate(lease_enumerator_t *this, identification_t **id_out,
 {
 	identification_t *id;
 	uintptr_t offset;
-	
+
 	DESTROY_IF(this->current);
 	this->current = NULL;
-	
+
 	if (this->inner->enumerate(this->inner, &id, NULL))
 	{
 		offset = (uintptr_t)this->pool->online->get(this->pool->online, id);
@@ -494,7 +494,7 @@ static enumerator_t* create_lease_enumerator(private_stroke_attribute_t *this,
 											 char *pool)
 {
 	lease_enumerator_t *enumerator;
-	
+
 	this->mutex->lock(this->mutex);
 	enumerator = malloc_thing(lease_enumerator_t);
 	enumerator->pool = find_pool(this, pool);
@@ -528,19 +528,19 @@ static void destroy(private_stroke_attribute_t *this)
 stroke_attribute_t *stroke_attribute_create()
 {
 	private_stroke_attribute_t *this = malloc_thing(private_stroke_attribute_t);
-	
+
 	this->public.provider.acquire_address = (host_t*(*)(attribute_provider_t *this, char*, identification_t *,host_t *))acquire_address;
 	this->public.provider.release_address = (bool(*)(attribute_provider_t *this, char*,host_t *, identification_t*))release_address;
-	this->public.provider.create_attribute_enumerator = (enumerator_t*(*)(attribute_provider_t*, identification_t *id))enumerator_create_empty;
+	this->public.provider.create_attribute_enumerator = (enumerator_t*(*)(attribute_provider_t*, identification_t *id, host_t *vip))enumerator_create_empty;
 	this->public.add_pool = (void(*)(stroke_attribute_t*, stroke_msg_t *msg))add_pool;
 	this->public.del_pool = (void(*)(stroke_attribute_t*, stroke_msg_t *msg))del_pool;
 	this->public.create_pool_enumerator = (enumerator_t*(*)(stroke_attribute_t*))create_pool_enumerator;
 	this->public.create_lease_enumerator = (enumerator_t*(*)(stroke_attribute_t*, char *pool))create_lease_enumerator;
 	this->public.destroy = (void(*)(stroke_attribute_t*))destroy;
-	
+
 	this->pools = linked_list_create();
 	this->mutex = mutex_create(MUTEX_TYPE_RECURSIVE);
-	
+
 	return &this->public;
 }
 
diff --git a/src/charon/plugins/stroke/stroke_attribute.h b/src/charon/plugins/stroke/stroke_attribute.h
index fc273d1cb..cf6c950a6 100644
--- a/src/charon/plugins/stroke/stroke_attribute.h
+++ b/src/charon/plugins/stroke/stroke_attribute.h
@@ -22,7 +22,7 @@
 #define STROKE_ATTRIBUTE_H_
 
 #include <stroke_msg.h>
-#include <config/attributes/attribute_provider.h>
+#include <attributes/attribute_provider.h>
 
 typedef struct stroke_attribute_t stroke_attribute_t;
 
@@ -30,12 +30,12 @@ typedef struct stroke_attribute_t stroke_attribute_t;
  * Stroke IKEv2 cfg attribute provider
  */
 struct stroke_attribute_t {
-	
+
 	/**
 	 * Implements attribute provider interface
 	 */
 	attribute_provider_t provider;
-	
+
 	/**
 	 * Add a virtual IP address.
 	 *
@@ -43,24 +43,24 @@ struct stroke_attribute_t {
 	 * @param end		end of stroke message that contains virtual IP.
 	 */
 	void (*add_pool)(stroke_attribute_t *this, stroke_msg_t *msg);
-	
+
 	/**
 	 * Remove a virtual IP address.
 	 *
 	 * @param msg		stroke message
 	 */
 	void (*del_pool)(stroke_attribute_t *this, stroke_msg_t *msg);
-	
+
 	/**
 	 * Create an enumerator over installed pools.
 	 *
-	 * Enumerator enumerates over 
+	 * Enumerator enumerates over
 	 * char *pool, u_int size, u_int offline, u_int online.
 	 *
 	 * @return			enumerator
 	 */
 	enumerator_t* (*create_pool_enumerator)(stroke_attribute_t *this);
-	
+
 	/**
 	 * Create an enumerator over the leases of a pool.
 	 *
diff --git a/src/charon/plugins/stroke/stroke_ca.c b/src/charon/plugins/stroke/stroke_ca.c
index c354d8cb8..49146f18b 100644
--- a/src/charon/plugins/stroke/stroke_ca.c
+++ b/src/charon/plugins/stroke/stroke_ca.c
@@ -17,7 +17,7 @@
 #include "stroke_ca.h"
 #include "stroke_cred.h"
 
-#include <utils/mutex.h>
+#include <threading/rwlock.h>
 #include <utils/linked_list.h>
 #include <crypto/hashers/hasher.h>
 
@@ -34,17 +34,17 @@ struct private_stroke_ca_t {
 	 * public functions
 	 */
 	stroke_ca_t public;
-	
+
 	/**
 	 * read-write lock to lists
 	 */
 	rwlock_t *lock;
-	
+
 	/**
 	 * list of starters CA sections and its certificates (ca_section_t)
 	 */
 	linked_list_t *sections;
-	
+
 	/**
 	 * stroke credentials, stores our CA certificates
 	 */
@@ -62,27 +62,27 @@ struct ca_section_t {
 	 * name of the CA section
 	 */
 	char *name;
-	
+
 	/**
 	 * reference to cert in trusted_credential_t
 	 */
 	certificate_t *cert;
-	
+
 	/**
 	 * CRL URIs
 	 */
 	linked_list_t *crl;
-	
+
 	/**
 	 * OCSP URIs
 	 */
 	linked_list_t *ocsp;
-	
+
 	/**
 	 * Hashes of certificates issued by this CA
 	 */
 	linked_list_t *hashes;
-	
+
 	/**
 	 * Base URI used for certificates from this CA
 	 */
@@ -90,12 +90,12 @@ struct ca_section_t {
 };
 
 /**
- * create a new CA section 
+ * create a new CA section
  */
 static ca_section_t *ca_section_create(char *name, certificate_t *cert)
 {
 	ca_section_t *ca = malloc_thing(ca_section_t);
-	
+
 	ca->name = strdup(name);
 	ca->crl = linked_list_create();
 	ca->ocsp = linked_list_create();
@@ -142,10 +142,9 @@ static void cdp_data_destroy(cdp_data_t *data)
 static enumerator_t *create_inner_cdp(ca_section_t *section, cdp_data_t *data)
 {
 	public_key_t *public;
-	identification_t *keyid;
 	enumerator_t *enumerator = NULL;
 	linked_list_t *list;
-	
+
 	if (data->type == CERT_X509_OCSP_RESPONSE)
 	{
 		list = section->ocsp;
@@ -164,10 +163,9 @@ static enumerator_t *create_inner_cdp(ca_section_t *section, cdp_data_t *data)
 		}
 		else
 		{
-			keyid = public->get_id(public, data->id->get_type(data->id));
-			if (keyid && keyid->matches(keyid, data->id))
+			if (public->has_fingerprint(public, data->id->get_encoding(data->id)))
 			{
-				enumerator = list->create_enumerator(list);		
+				enumerator = list->create_enumerator(list);
 			}
 		}
 		public->destroy(public);
@@ -182,25 +180,25 @@ static enumerator_t *create_inner_cdp_hashandurl(ca_section_t *section, cdp_data
 {
 	enumerator_t *enumerator = NULL, *hash_enum;
 	identification_t *current;
-	
+
 	if (!data->id || !section->certuribase)
 	{
 		return NULL;
 	}
-	
+
 	hash_enum = section->hashes->create_enumerator(section->hashes);
 	while (hash_enum->enumerate(hash_enum, &current))
-	{	
+	{
 		if (current->matches(current, data->id))
 		{
 			char *url, *hash;
-			
+
 			url = malloc(strlen(section->certuribase) + 40 + 1);
 			strcpy(url, section->certuribase);
 			hash = chunk_to_hex(current->get_encoding(current), NULL, FALSE).ptr;
 			strncat(url, hash, 40);
 			free(hash);
-			
+
 			enumerator = enumerator_create_single(url, free);
 			break;
 		}
@@ -231,7 +229,7 @@ static enumerator_t *create_cdp_enumerator(private_stroke_ca_t *this,
 	data->this = this;
 	data->type = type;
 	data->id = id;
-	
+
 	this->lock->read_lock(this->lock);
 	return enumerator_create_nested(this->sections->create_enumerator(this->sections),
 			(type == CERT_X509) ? (void*)create_inner_cdp_hashandurl : (void*)create_inner_cdp,
@@ -244,12 +242,12 @@ static void add(private_stroke_ca_t *this, stroke_msg_t *msg)
 {
 	certificate_t *cert;
 	ca_section_t *ca;
-	
+
 	if (msg->add_ca.cacert == NULL)
 	{
 		DBG1(DBG_CFG, "missing cacert parameter");
 		return;
-	}	
+	}
 	cert = this->cred->load_ca(this->cred, msg->add_ca.cacert);
 	if (cert)
 	{
@@ -288,7 +286,7 @@ static void del(private_stroke_ca_t *this, stroke_msg_t *msg)
 {
 	enumerator_t *enumerator;
 	ca_section_t *ca = NULL;
-	
+
 	this->lock->write_lock(this->lock);
 	enumerator = this->sections->create_enumerator(this->sections);
 	while (enumerator->enumerate(enumerator, &ca))
@@ -344,14 +342,14 @@ static void check_for_hash_and_url(private_stroke_ca_t *this, certificate_t* cer
 {
 	ca_section_t *section;
 	enumerator_t *enumerator;
-	
+
 	hasher_t *hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
 	if (hasher == NULL)
 	{
 		DBG1(DBG_IKE, "unable to use hash-and-url: sha1 not supported");
 		return;
 	}
-	
+
 	this->lock->write_lock(this->lock);
 	enumerator = this->sections->create_enumerator(this->sections);
 	while (enumerator->enumerate(enumerator, (void**)&section))
@@ -361,7 +359,7 @@ static void check_for_hash_and_url(private_stroke_ca_t *this, certificate_t* cer
 			chunk_t hash, encoded = cert->get_encoding(cert);
 			hasher->allocate_hash(hasher, encoded, &hash);
 			section->hashes->insert_last(section->hashes,
-					identification_create_from_encoding(ID_CERT_DER_SHA1, hash));
+					identification_create_from_encoding(ID_KEY_ID, hash));
 			chunk_free(&hash);
 			chunk_free(&encoded);
 			break;
@@ -369,7 +367,7 @@ static void check_for_hash_and_url(private_stroke_ca_t *this, certificate_t* cer
 	}
 	enumerator->destroy(enumerator);
 	this->lock->unlock(this->lock);
-	
+
 	hasher->destroy(hasher);
 }
 
@@ -381,13 +379,14 @@ static void list(private_stroke_ca_t *this, stroke_msg_t *msg, FILE *out)
 	bool first = TRUE;
 	ca_section_t *section;
 	enumerator_t *enumerator;
-	
+
 	this->lock->read_lock(this->lock);
 	enumerator = this->sections->create_enumerator(this->sections);
 	while (enumerator->enumerate(enumerator, (void**)&section))
 	{
 		certificate_t *cert = section->cert;
 		public_key_t *public = cert->get_public_key(cert);
+		chunk_t chunk;
 
 		if (first)
 		{
@@ -401,10 +400,14 @@ static void list(private_stroke_ca_t *this, stroke_msg_t *msg, FILE *out)
 		/* list authkey and keyid */
 		if (public)
 		{
-			fprintf(out, "  authkey:      %Y\n",
-					public->get_id(public, ID_PUBKEY_SHA1));
-			fprintf(out, "  keyid:        %Y\n",
-					public->get_id(public, ID_PUBKEY_INFO_SHA1));
+			if (public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1, &chunk))
+			{
+				fprintf(out, "  authkey:      %#B\n", &chunk);
+			}
+			if (public->get_fingerprint(public, KEY_ID_PUBKEY_INFO_SHA1, &chunk))
+			{
+				fprintf(out, "  keyid:        %#B\n", &chunk);
+			}
 			public->destroy(public);
 		}
 		list_uris(section->crl, "  crluris:     ", out);
@@ -434,7 +437,7 @@ static void destroy(private_stroke_ca_t *this)
 stroke_ca_t *stroke_ca_create(stroke_cred_t *cred)
 {
 	private_stroke_ca_t *this = malloc_thing(private_stroke_ca_t);
-	
+
 	this->public.set.create_private_enumerator = (void*)return_null;
 	this->public.set.create_cert_enumerator = (void*)return_null;
 	this->public.set.create_shared_enumerator = (void*)return_null;
@@ -445,11 +448,11 @@ stroke_ca_t *stroke_ca_create(stroke_cred_t *cred)
 	this->public.list = (void(*)(stroke_ca_t*, stroke_msg_t *msg, FILE *out))list;
 	this->public.check_for_hash_and_url = (void(*)(stroke_ca_t*, certificate_t*))check_for_hash_and_url;
 	this->public.destroy = (void(*)(stroke_ca_t*))destroy;
-	
+
 	this->sections = linked_list_create();
 	this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
 	this->cred = cred;
-	
+
 	return &this->public;
 }
 
diff --git a/src/charon/plugins/stroke/stroke_ca.h b/src/charon/plugins/stroke/stroke_ca.h
index c882d7b4e..21af912ea 100644
--- a/src/charon/plugins/stroke/stroke_ca.h
+++ b/src/charon/plugins/stroke/stroke_ca.h
@@ -37,39 +37,39 @@ struct stroke_ca_t {
 	 * Implements credential_set_t
 	 */
 	credential_set_t set;
-	
+
 	/**
 	 * Add a CA to the set using a stroke_msg_t.
 	 *
 	 * @param msg		stroke message containing CA info
 	 */
 	void (*add)(stroke_ca_t *this, stroke_msg_t *msg);
-	
+
 	/**
 	 * Remove a CA from the set using a stroke_msg_t.
 	 *
 	 * @param msg		stroke message containing CA info
 	 */
 	void (*del)(stroke_ca_t *this, stroke_msg_t *msg);
-	
+
 	/**
 	 * List CA sections to stroke console.
 	 *
 	 * @param msg		stroke message
 	 */
 	void (*list)(stroke_ca_t *this, stroke_msg_t *msg, FILE *out);
-	
+
 	/**
 	 * Check if a certificate can be made available through hash and URL.
-	 * 
+	 *
 	 * @param cert		peer certificate
 	 */
 	void (*check_for_hash_and_url)(stroke_ca_t *this, certificate_t* cert);
-	
+
 	/**
-     * Destroy a stroke_ca instance.
-     */
-    void (*destroy)(stroke_ca_t *this);
+	 * Destroy a stroke_ca instance.
+	 */
+	void (*destroy)(stroke_ca_t *this);
 };
 
 /**
diff --git a/src/charon/plugins/stroke/stroke_config.c b/src/charon/plugins/stroke/stroke_config.c
index 0b6a4ac31..0752f3c93 100644
--- a/src/charon/plugins/stroke/stroke_config.c
+++ b/src/charon/plugins/stroke/stroke_config.c
@@ -16,7 +16,7 @@
 #include "stroke_config.h"
 
 #include <daemon.h>
-#include <utils/mutex.h>
+#include <threading/mutex.h>
 #include <utils/lexparser.h>
 
 typedef struct private_stroke_config_t private_stroke_config_t;
@@ -30,22 +30,22 @@ struct private_stroke_config_t {
 	 * public functions
 	 */
 	stroke_config_t public;
-	
+
 	/**
 	 * list of peer_cfg_t
 	 */
 	linked_list_t *list;
-	
+
 	/**
 	 * mutex to lock config list
 	 */
 	mutex_t *mutex;
-	
+
 	/**
 	 * ca sections
 	 */
 	stroke_ca_t *ca;
-	
+
 	/**
 	 * credentials
 	 */
@@ -93,7 +93,7 @@ static peer_cfg_t *get_peer_cfg_by_name(private_stroke_config_t *this, char *nam
 	enumerator_t *e1, *e2;
 	peer_cfg_t *current, *found = NULL;
 	child_cfg_t *child;
-	
+
 	this->mutex->lock(this->mutex);
 	e1 = this->list->create_enumerator(this->list);
 	while (e1->enumerate(e1, &current))
@@ -139,7 +139,7 @@ static void add_proposals(private_stroke_config_t *this, char *string,
 		char *strict;
 		proposal_t *proposal;
 		protocol_id_t proto = PROTO_ESP;
-		
+
 		if (ike_cfg)
 		{
 			proto = PROTO_IKE;
@@ -195,7 +195,7 @@ static ike_cfg_t *build_ike_cfg(private_stroke_config_t *this, stroke_msg_t *msg
 	ike_cfg_t *ike_cfg;
 	char *interface;
 	host_t *host;
-	
+
 	host = host_create_from_dns(msg->add_conn.other.address, 0, 0);
 	if (host)
 	{
@@ -227,7 +227,7 @@ static ike_cfg_t *build_ike_cfg(private_stroke_config_t *this, stroke_msg_t *msg
 				{
 					free(interface);
 				}
-				
+
 			}
 		}
 	}
@@ -236,7 +236,7 @@ static ike_cfg_t *build_ike_cfg(private_stroke_config_t *this, stroke_msg_t *msg
 							 msg->add_conn.me.address,
 							 msg->add_conn.other.address);
 	add_proposals(this, msg->add_conn.algorithms.ike, ike_cfg, NULL);
-	return ike_cfg;					 
+	return ike_cfg;
 }
 
 /**
@@ -275,7 +275,7 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
 	stroke_end_t *end, *other_end;
 	auth_cfg_t *cfg;
 	char eap_buf[32];
-	
+
 	/* select strings */
 	if (local)
 	{
@@ -317,7 +317,7 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
 			ca = other_end->ca2;
 		}
 	}
-	
+
 	if (!auth)
 	{
 		if (primary)
@@ -366,9 +366,9 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
 			return NULL;
 		}
 	}
-	
+
 	cfg = auth_cfg_create();
-	
+
 	/* add identity and peer certifcate */
 	identity = identification_create_from_string(id);
 	if (cert)
@@ -380,12 +380,12 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
 			{
 				this->ca->check_for_hash_and_url(this->ca, certificate);
 			}
-			cfg->add(cfg, AUTH_RULE_SUBJECT_CERT, certificate); 
+			cfg->add(cfg, AUTH_RULE_SUBJECT_CERT, certificate);
 			if (identity->get_type(identity) == ID_ANY ||
 				!certificate->has_subject(certificate, identity))
 			{
-				DBG1(DBG_CFG, "  peerid %Y not confirmed by certificate, "
-					 "defaulting to subject DN: %Y", identity,
+				DBG1(DBG_CFG, "  id '%Y' not confirmed by certificate, "
+					 "defaulting to '%Y'", identity,
 					 certificate->get_subject(certificate));
 				identity->destroy(identity);
 				identity = certificate->get_subject(certificate);
@@ -394,7 +394,7 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
 		}
 	}
 	cfg->add(cfg, AUTH_RULE_IDENTITY, identity);
-	
+
 	/* CA constraint */
 	if (ca)
 	{
@@ -412,13 +412,13 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
 				 "constraint", ca);
 		}
 	}
-	
+
 	/* AC groups */
 	if (end->groups)
 	{
 		enumerator_t *enumerator;
 		char *group;
-		
+
 		enumerator = enumerator_create_token(end->groups, ",", " ");
 		while (enumerator->enumerate(enumerator, &group))
 		{
@@ -428,7 +428,7 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
 		}
 		enumerator->destroy(enumerator);
 	}
-	
+
 	/* authentication metod (class, actually) */
 	if (streq(auth, "pubkey") ||
 		streq(auth, "rsasig") || streq(auth, "rsa") ||
@@ -446,9 +446,9 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
 		enumerator_t *enumerator;
 		char *str;
 		int i = 0, type = 0, vendor;
-		
+
 		cfg->add(cfg, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_EAP);
-		
+
 		/* parse EAP string, format: eap[-type[-vendor]] */
 		enumerator = enumerator_create_token(auth, "-", " ");
 		while (enumerator->enumerate(enumerator, &str))
@@ -488,7 +488,7 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
 			i++;
 		}
 		enumerator->destroy(enumerator);
-		
+
 		if (msg->add_conn.eap_identity)
 		{
 			if (streq(msg->add_conn.eap_identity, "%identity"))
@@ -529,37 +529,36 @@ static peer_cfg_t *build_peer_cfg(private_stroke_config_t *this,
 	u_int32_t rekey = 0, reauth = 0, over, jitter;
 	peer_cfg_t *peer_cfg;
 	auth_cfg_t *auth_cfg;
-	
+
 #ifdef ME
 	if (msg->add_conn.ikeme.mediation && msg->add_conn.ikeme.mediated_by)
 	{
-		DBG1(DBG_CFG, "a mediation connection cannot be a"
-				" mediated connection at the same time, aborting");
+		DBG1(DBG_CFG, "a mediation connection cannot be a mediated connection "
+			 "at the same time, aborting");
 		return NULL;
 	}
-	
+
 	if (msg->add_conn.ikeme.mediation)
 	{
 		/* force unique connections for mediation connections */
 		msg->add_conn.unique = 1;
 	}
-	
+
 	if (msg->add_conn.ikeme.mediated_by)
 	{
 		mediated_by = charon->backends->get_peer_cfg_by_name(charon->backends,
-												msg->add_conn.ikeme.mediated_by);
+											msg->add_conn.ikeme.mediated_by);
 		if (!mediated_by)
 		{
 			DBG1(DBG_CFG, "mediation connection '%s' not found, aborting",
 				 msg->add_conn.ikeme.mediated_by);
 			return NULL;
 		}
-		
 		if (!mediated_by->is_mediation(mediated_by))
 		{
-			DBG1(DBG_CFG, "connection '%s' as referred to by '%s' is"
-				 "no mediation connection, aborting", 
-				msg->add_conn.ikeme.mediated_by, msg->add_conn.name);
+			DBG1(DBG_CFG, "connection '%s' as referred to by '%s' is "
+				 "no mediation connection, aborting",
+				 msg->add_conn.ikeme.mediated_by, msg->add_conn.name);
 			mediated_by->destroy(mediated_by);
 			return NULL;
 		}
@@ -573,7 +572,7 @@ static peer_cfg_t *build_peer_cfg(private_stroke_config_t *this,
 		}
 	}
 #endif /* ME */
-	
+
 	jitter = msg->add_conn.rekey.margin * msg->add_conn.rekey.fuzz / 100;
 	over = msg->add_conn.rekey.margin;
 	if (msg->add_conn.rekey.reauth)
@@ -583,8 +582,8 @@ static peer_cfg_t *build_peer_cfg(private_stroke_config_t *this,
 	else
 	{
 		rekey = msg->add_conn.rekey.ike_lifetime - over;
-	}	
-	if (msg->add_conn.me.sourceip_size)
+	}
+	if (msg->add_conn.me.sourceip_mask)
 	{
 		if (msg->add_conn.me.sourceip)
 		{
@@ -633,19 +632,19 @@ static peer_cfg_t *build_peer_cfg(private_stroke_config_t *this,
 	{	/* dpdaction=none disables DPD */
 		msg->add_conn.dpd.delay = 0;
 	}
-	
+
 	/* other.sourceip is managed in stroke_attributes. If it is set, we define
 	 * the pool name as the connection name, which the attribute provider
 	 * uses to serve pool addresses. */
 	peer_cfg = peer_cfg_create(msg->add_conn.name,
 		msg->add_conn.ikev2 ? 2 : 1, ike_cfg,
-		msg->add_conn.me.sendcert, unique, 
+		msg->add_conn.me.sendcert, unique,
 		msg->add_conn.rekey.tries, rekey, reauth, jitter, over,
 		msg->add_conn.mobike, msg->add_conn.dpd.delay,
-		vip, msg->add_conn.other.sourceip_size ?
+		vip, msg->add_conn.other.sourceip_mask ?
 							msg->add_conn.name : msg->add_conn.other.sourceip,
 		msg->add_conn.ikeme.mediation, mediated_by, peer_id);
-	
+
 	/* build leftauth= */
 	auth_cfg = build_auth_cfg(this, msg, TRUE, TRUE);
 	if (auth_cfg)
@@ -685,7 +684,7 @@ static void add_ts(private_stroke_config_t *this,
 				   stroke_end_t *end, child_cfg_t *child_cfg, bool local)
 {
 	traffic_selector_t *ts;
-	
+
 	if (end->tohost)
 	{
 		ts = traffic_selector_create_dynamic(end->protocol,
@@ -695,7 +694,7 @@ static void add_ts(private_stroke_config_t *this,
 	else
 	{
 		host_t *net;
-		
+
 		if (!end->subnets)
 		{
 			net = host_create_from_string(end->address, IKEV2_UDP_PORT);
@@ -709,12 +708,12 @@ static void add_ts(private_stroke_config_t *this,
 		else
 		{
 			char *del, *start, *bits;
-			
+
 			start = end->subnets;
 			do
 			{
 				int intbits = 0;
-				
+
 				del = strchr(start, ',');
 				if (del)
 				{
@@ -726,7 +725,7 @@ static void add_ts(private_stroke_config_t *this,
 					*bits = '\0';
 					intbits = atoi(bits + 1);
 				}
-				
+
 				net = host_create_from_string(start, IKEV2_UDP_PORT);
 				if (net)
 				{
@@ -753,7 +752,24 @@ static child_cfg_t *build_child_cfg(private_stroke_config_t *this,
 {
 	child_cfg_t *child_cfg;
 	action_t dpd;
-	
+	lifetime_cfg_t lifetime = {
+		.time = {
+			.life = msg->add_conn.rekey.ipsec_lifetime,
+			.rekey = msg->add_conn.rekey.ipsec_lifetime - msg->add_conn.rekey.margin,
+			.jitter = msg->add_conn.rekey.margin * msg->add_conn.rekey.fuzz / 100
+		},
+		.bytes = {
+			.life = msg->add_conn.rekey.life_bytes,
+			.rekey = msg->add_conn.rekey.life_bytes - msg->add_conn.rekey.margin_bytes,
+			.jitter = msg->add_conn.rekey.margin_bytes * msg->add_conn.rekey.fuzz / 100
+		},
+		.packets = {
+			.life = msg->add_conn.rekey.life_packets,
+			.rekey = msg->add_conn.rekey.life_packets - msg->add_conn.rekey.margin_packets,
+			.jitter = msg->add_conn.rekey.margin_packets * msg->add_conn.rekey.fuzz / 100
+		}
+	};
+
 	switch (msg->add_conn.dpd.action)
 	{	/* map startes magic values to our action type */
 		case 2: /* =hold */
@@ -766,19 +782,19 @@ static child_cfg_t *build_child_cfg(private_stroke_config_t *this,
 			dpd = ACTION_NONE;
 			break;
 	}
+
 	child_cfg = child_cfg_create(
-				msg->add_conn.name, msg->add_conn.rekey.ipsec_lifetime,
-				msg->add_conn.rekey.ipsec_lifetime - msg->add_conn.rekey.margin,
-				msg->add_conn.rekey.margin * msg->add_conn.rekey.fuzz / 100, 
+				msg->add_conn.name, &lifetime,
 				msg->add_conn.me.updown, msg->add_conn.me.hostaccess,
-				msg->add_conn.mode, dpd, dpd, msg->add_conn.ipcomp);
+				msg->add_conn.mode, dpd, dpd, msg->add_conn.ipcomp,
+				msg->add_conn.inactivity);
 	child_cfg->set_mipv6_options(child_cfg, msg->add_conn.proxy_mode,
 											msg->add_conn.install_policy);
 	add_ts(this, &msg->add_conn.me, child_cfg, TRUE);
 	add_ts(this, &msg->add_conn.other, child_cfg, FALSE);
-	
+
 	add_proposals(this, msg->add_conn.algorithms.esp, NULL, child_cfg);
-	
+
 	return child_cfg;
 }
 
@@ -804,7 +820,7 @@ static void add(private_stroke_config_t *this, stroke_msg_t *msg)
 		ike_cfg->destroy(ike_cfg);
 		return;
 	}
-	
+
 	enumerator = create_peer_cfg_enumerator(this, NULL, NULL);
 	while (enumerator->enumerate(enumerator, &existing))
 	{
@@ -822,7 +838,7 @@ static void add(private_stroke_config_t *this, stroke_msg_t *msg)
 		}
 	}
 	enumerator->destroy(enumerator);
-	
+
 	child_cfg = build_child_cfg(this, msg);
 	if (!child_cfg)
 	{
@@ -830,7 +846,7 @@ static void add(private_stroke_config_t *this, stroke_msg_t *msg)
 		return;
 	}
 	peer_cfg->add_child_cfg(peer_cfg, child_cfg);
-	
+
 	if (use_existing)
 	{
 		peer_cfg->destroy(peer_cfg);
@@ -854,13 +870,13 @@ static void del(private_stroke_config_t *this, stroke_msg_t *msg)
 	peer_cfg_t *peer;
 	child_cfg_t *child;
 	bool deleted = FALSE;
-	
+
 	this->mutex->lock(this->mutex);
 	enumerator = this->list->create_enumerator(this->list);
 	while (enumerator->enumerate(enumerator, (void**)&peer))
 	{
 		bool keep = FALSE;
-		
+
 		/* remove any child with such a name */
 		children = peer->create_child_cfg_enumerator(peer);
 		while (children->enumerate(children, &child))
@@ -877,7 +893,7 @@ static void del(private_stroke_config_t *this, stroke_msg_t *msg)
 			}
 		}
 		children->destroy(children);
-		
+
 		/* if peer config matches, or has no children anymore, remove it */
 		if (!keep || streq(peer->get_name(peer), msg->del_conn.name))
 		{
@@ -888,7 +904,7 @@ static void del(private_stroke_config_t *this, stroke_msg_t *msg)
 	}
 	enumerator->destroy(enumerator);
 	this->mutex->unlock(this->mutex);
-	
+
 	if (deleted)
 	{
 		DBG1(DBG_CFG, "deleted connection '%s'", msg->del_conn.name);
@@ -915,19 +931,19 @@ static void destroy(private_stroke_config_t *this)
 stroke_config_t *stroke_config_create(stroke_ca_t *ca, stroke_cred_t *cred)
 {
 	private_stroke_config_t *this = malloc_thing(private_stroke_config_t);
-	
+
 	this->public.backend.create_peer_cfg_enumerator = (enumerator_t*(*)(backend_t*, identification_t *me, identification_t *other))create_peer_cfg_enumerator;
 	this->public.backend.create_ike_cfg_enumerator = (enumerator_t*(*)(backend_t*, host_t *me, host_t *other))create_ike_cfg_enumerator;
 	this->public.backend.get_peer_cfg_by_name = (peer_cfg_t* (*)(backend_t*,char*))get_peer_cfg_by_name;
 	this->public.add = (void(*)(stroke_config_t*, stroke_msg_t *msg))add;
 	this->public.del = (void(*)(stroke_config_t*, stroke_msg_t *msg))del;
 	this->public.destroy = (void(*)(stroke_config_t*))destroy;
-	
+
 	this->list = linked_list_create();
 	this->mutex = mutex_create(MUTEX_TYPE_RECURSIVE);
 	this->ca = ca;
 	this->cred = cred;
-	
+
 	return &this->public;
 }
 
diff --git a/src/charon/plugins/stroke/stroke_config.h b/src/charon/plugins/stroke/stroke_config.h
index 270795e4a..05e4665ca 100644
--- a/src/charon/plugins/stroke/stroke_config.h
+++ b/src/charon/plugins/stroke/stroke_config.h
@@ -37,25 +37,25 @@ struct stroke_config_t {
 	 * Implements the backend_t interface
 	 */
 	backend_t backend;
-	
+
 	/**
 	 * Add a configuration to the backend.
 	 *
 	 * @param msg		received stroke message containing config
 	 */
 	void (*add)(stroke_config_t *this, stroke_msg_t *msg);
-	
+
 	/**
 	 * Remove a configuration from the backend.
 	 *
 	 * @param msg		received stroke message containing config name
 	 */
 	void (*del)(stroke_config_t *this, stroke_msg_t *msg);
-	
+
 	/**
-     * Destroy a stroke_config instance.
-     */
-    void (*destroy)(stroke_config_t *this);
+	 * Destroy a stroke_config instance.
+	 */
+	void (*destroy)(stroke_config_t *this);
 };
 
 /**
diff --git a/src/charon/plugins/stroke/stroke_control.c b/src/charon/plugins/stroke/stroke_control.c
index c572117a2..a03aef697 100644
--- a/src/charon/plugins/stroke/stroke_control.c
+++ b/src/charon/plugins/stroke/stroke_control.c
@@ -43,7 +43,7 @@ struct stroke_log_info_t {
 	 * level to log up to
 	 */
 	level_t level;
-	
+
 	/**
 	 * where to write log
 	 */
@@ -75,7 +75,7 @@ static child_cfg_t* get_child_from_peer(peer_cfg_t *peer_cfg, char *name)
 {
 	child_cfg_t *current, *found = NULL;
 	enumerator_t *enumerator;
-	
+
 	enumerator = peer_cfg->create_child_cfg_enumerator(peer_cfg);
 	while (enumerator->enumerate(enumerator, &current))
 	{
@@ -98,7 +98,7 @@ static void initiate(private_stroke_control_t *this, stroke_msg_t *msg, FILE *ou
 	peer_cfg_t *peer_cfg;
 	child_cfg_t *child_cfg;
 	stroke_log_info_t info;
-	
+
 	peer_cfg = charon->backends->get_peer_cfg_by_name(charon->backends,
 													  msg->initiate.name);
 	if (peer_cfg == NULL)
@@ -113,7 +113,7 @@ static void initiate(private_stroke_control_t *this, stroke_msg_t *msg, FILE *ou
 		peer_cfg->destroy(peer_cfg);
 		return;
 	}
-	
+
 	child_cfg = get_child_from_peer(peer_cfg, msg->initiate.name);
 	if (child_cfg == NULL)
 	{
@@ -121,7 +121,7 @@ static void initiate(private_stroke_control_t *this, stroke_msg_t *msg, FILE *ou
 		peer_cfg->destroy(peer_cfg);
 		return;
 	}
-	
+
 	if (msg->output_verbosity < 0)
 	{
 		charon->controller->initiate(charon->controller, peer_cfg, child_cfg,
@@ -150,9 +150,9 @@ static void terminate(private_stroke_control_t *this, stroke_msg_t *msg, FILE *o
 	linked_list_t *ike_list, *child_list;
 	stroke_log_info_t info;
 	uintptr_t del;
-	
+
 	string = msg->terminate.name;
-	
+
 	len = strlen(string);
 	if (len < 1)
 	{
@@ -174,7 +174,7 @@ static void terminate(private_stroke_control_t *this, stroke_msg_t *msg, FILE *o
 			child = FALSE;
 			break;
 	}
-	
+
 	if (name)
 	{
 		/* is a single name */
@@ -202,10 +202,10 @@ static void terminate(private_stroke_control_t *this, stroke_msg_t *msg, FILE *o
 			}
 		}
 	}
-	
+
 	info.out = out;
 	info.level = msg->output_verbosity;
-	
+
 	if (id)
 	{
 		if (child)
@@ -220,7 +220,7 @@ static void terminate(private_stroke_control_t *this, stroke_msg_t *msg, FILE *o
 		}
 		return;
 	}
-	
+
 	ike_list = linked_list_create();
 	child_list = linked_list_create();
 	enumerator = charon->controller->create_ike_sa_enumerator(charon->controller);
@@ -228,7 +228,7 @@ static void terminate(private_stroke_control_t *this, stroke_msg_t *msg, FILE *o
 	{
 		child_sa_t *child_sa;
 		iterator_t *children;
-		
+
 		if (child)
 		{
 			children = ike_sa->create_child_sa_iterator(ike_sa);
@@ -261,7 +261,7 @@ static void terminate(private_stroke_control_t *this, stroke_msg_t *msg, FILE *o
 		}
 	}
 	enumerator->destroy(enumerator);
-	
+
 	enumerator = child_list->create_enumerator(child_list);
 	while (enumerator->enumerate(enumerator, &del))
 	{
@@ -269,7 +269,7 @@ static void terminate(private_stroke_control_t *this, stroke_msg_t *msg, FILE *o
 									(controller_cb_t)stroke_log, &info);
 	}
 	enumerator->destroy(enumerator);
-	
+
 	enumerator = ike_list->create_enumerator(ike_list);
 	while (enumerator->enumerate(enumerator, &del))
 	{
@@ -277,7 +277,7 @@ static void terminate(private_stroke_control_t *this, stroke_msg_t *msg, FILE *o
 									(controller_cb_t)stroke_log, &info);
 	}
 	enumerator->destroy(enumerator);
-	
+
 	if (child_list->get_count(child_list) == 0 &&
 		ike_list->get_count(ike_list) == 0)
 	{
@@ -298,7 +298,7 @@ static void terminate_srcip(private_stroke_control_t *this,
 	ike_sa_t *ike_sa;
 	host_t *start = NULL, *end = NULL, *vip;
 	chunk_t chunk_start, chunk_end = chunk_empty, chunk_vip;
-	
+
 	if (msg->terminate_srcip.start)
 	{
 		start = host_create_from_string(msg->terminate_srcip.start, 0);
@@ -320,7 +320,7 @@ static void terminate_srcip(private_stroke_control_t *this,
 		}
 		chunk_end = end->get_address(end);
 	}
-	
+
 	enumerator = charon->controller->create_ike_sa_enumerator(charon->controller);
 	while (enumerator->enumerate(enumerator, &ike_sa))
 	{
@@ -369,10 +369,10 @@ static void purge_ike(private_stroke_control_t *this, stroke_msg_t *msg, FILE *o
 	linked_list_t *list;
 	uintptr_t del;
 	stroke_log_info_t info;
-	
+
 	info.out = out;
 	info.level = msg->output_verbosity;
-	
+
 	list = linked_list_create();
 	enumerator = charon->controller->create_ike_sa_enumerator(charon->controller);
 	while (enumerator->enumerate(enumerator, &ike_sa))
@@ -386,7 +386,7 @@ static void purge_ike(private_stroke_control_t *this, stroke_msg_t *msg, FILE *o
 		iterator->destroy(iterator);
 	}
 	enumerator->destroy(enumerator);
-	
+
 	enumerator = list->create_enumerator(list);
 	while (enumerator->enumerate(enumerator, &del))
 	{
@@ -404,7 +404,7 @@ static void route(private_stroke_control_t *this, stroke_msg_t *msg, FILE *out)
 {
 	peer_cfg_t *peer_cfg;
 	child_cfg_t *child_cfg;
-	
+
 	peer_cfg = charon->backends->get_peer_cfg_by_name(charon->backends,
 													  msg->route.name);
 	if (peer_cfg == NULL)
@@ -417,7 +417,7 @@ static void route(private_stroke_control_t *this, stroke_msg_t *msg, FILE *out)
 		peer_cfg->destroy(peer_cfg);
 		return;
 	}
-	
+
 	child_cfg = get_child_from_peer(peer_cfg, msg->route.name);
 	if (child_cfg == NULL)
 	{
@@ -425,7 +425,7 @@ static void route(private_stroke_control_t *this, stroke_msg_t *msg, FILE *out)
 		peer_cfg->destroy(peer_cfg);
 		return;
 	}
-	
+
 	if (charon->traps->install(charon->traps, peer_cfg, child_cfg))
 	{
 		fprintf(out, "configuration '%s' routed\n", msg->route.name);
@@ -446,7 +446,7 @@ static void unroute(private_stroke_control_t *this, stroke_msg_t *msg, FILE *out
 	child_sa_t *child_sa;
 	enumerator_t *enumerator;
 	u_int32_t id;
-	
+
 	enumerator = charon->traps->create_enumerator(charon->traps);
 	while (enumerator->enumerate(enumerator, NULL, &child_sa))
 	{
@@ -477,7 +477,7 @@ static void destroy(private_stroke_control_t *this)
 stroke_control_t *stroke_control_create()
 {
 	private_stroke_control_t *this = malloc_thing(private_stroke_control_t);
-	
+
 	this->public.initiate = (void(*)(stroke_control_t*, stroke_msg_t *msg, FILE *out))initiate;
 	this->public.terminate = (void(*)(stroke_control_t*, stroke_msg_t *msg, FILE *out))terminate;
 	this->public.terminate_srcip = (void(*)(stroke_control_t*, stroke_msg_t *msg, FILE *out))terminate_srcip;
@@ -485,7 +485,7 @@ stroke_control_t *stroke_control_create()
 	this->public.route = (void(*)(stroke_control_t*, stroke_msg_t *msg, FILE *out))route;
 	this->public.unroute = (void(*)(stroke_control_t*, stroke_msg_t *msg, FILE *out))unroute;
 	this->public.destroy = (void(*)(stroke_control_t*))destroy;
-	
+
 	return &this->public;
 }
 
diff --git a/src/charon/plugins/stroke/stroke_control.h b/src/charon/plugins/stroke/stroke_control.h
index 5a61a90a4..9b49bdc31 100644
--- a/src/charon/plugins/stroke/stroke_control.h
+++ b/src/charon/plugins/stroke/stroke_control.h
@@ -38,42 +38,42 @@ struct stroke_control_t {
 	 * @param msg		stroke message
 	 */
 	void (*initiate)(stroke_control_t *this, stroke_msg_t *msg, FILE *out);
-	
+
 	/**
 	 * Terminate a connection.
 	 *
 	 * @param msg		stroke message
 	 */
 	void (*terminate)(stroke_control_t *this, stroke_msg_t *msg, FILE *out);
-	
+
 	/**
 	 * Terminate a connection by peers virtual IP.
 	 *
 	 * @param msg		stroke message
 	 */
 	void (*terminate_srcip)(stroke_control_t *this, stroke_msg_t *msg, FILE *out);
-	
+
 	/**
 	 * Delete IKE_SAs without a CHILD_SA.
 	 *
 	 * @param msg		stroke message
 	 */
 	void (*purge_ike)(stroke_control_t *this, stroke_msg_t *msg, FILE *out);
-	
+
 	/**
 	 * Route a connection.
 	 *
 	 * @param msg		stroke message
 	 */
 	void (*route)(stroke_control_t *this, stroke_msg_t *msg, FILE *out);
-	
+
 	/**
 	 * Unroute a connection.
 	 *
 	 * @param msg		stroke message
 	 */
 	void (*unroute)(stroke_control_t *this, stroke_msg_t *msg, FILE *out);
-	
+
 	/**
 	 * Destroy a stroke_control instance.
 	 */
diff --git a/src/charon/plugins/stroke/stroke_cred.c b/src/charon/plugins/stroke/stroke_cred.c
index 31bcfe9f4..bc0b2f6fc 100644
--- a/src/charon/plugins/stroke/stroke_cred.c
+++ b/src/charon/plugins/stroke/stroke_cred.c
@@ -27,8 +27,7 @@
 #include <credentials/certificates/ac.h>
 #include <utils/linked_list.h>
 #include <utils/lexparser.h>
-#include <utils/mutex.h>
-#include <asn1/pem.h>
+#include <threading/rwlock.h>
 #include <daemon.h>
 
 /* configuration directories and files */
@@ -56,7 +55,7 @@ struct private_stroke_cred_t {
 	 * public functions
 	 */
 	stroke_cred_t public;
-	
+
 	/**
 	 * list of trusted peer/signer/CA certificates (certificate_t)
 	 */
@@ -71,12 +70,12 @@ struct private_stroke_cred_t {
 	 * list of private keys (private_key_t)
 	 */
 	linked_list_t *private;
-	
+
 	/**
 	 * read-write lock to lists
 	 */
 	rwlock_t *lock;
-	
+
 	/**
 	 * cache CRLs to disk?
 	 */
@@ -89,6 +88,7 @@ struct private_stroke_cred_t {
 typedef struct {
 	private_stroke_cred_t *this;
 	identification_t *id;
+	certificate_type_t type;
 } id_data_t;
 
 /**
@@ -106,25 +106,17 @@ static void id_data_destroy(id_data_t *data)
 static bool private_filter(id_data_t *data,
 						   private_key_t **in, private_key_t **out)
 {
-	identification_t *candidate;
-	id_type_t type;
-	
+	private_key_t *key;
+
+	key = *in;
 	if (data->id == NULL)
 	{
-		*out = *in;
+		*out = key;
 		return TRUE;
 	}
-	type = data->id->get_type(data->id);
-	if (type == ID_KEY_ID)
-	{	/* handle ID_KEY_ID as a ID_PUBKEY_SHA1 */
-		type = ID_PUBKEY_SHA1;
-	}
-	candidate = (*in)->get_id(*in, type);
-	if (candidate &&
-		chunk_equals(candidate->get_encoding(candidate),
-					 data->id->get_encoding(data->id)))
+	if (key->has_fingerprint(key, data->id->get_encoding(data->id)))
 	{
-		*out = *in;
+		*out = key;
 		return TRUE;
 	}
 	return FALSE;
@@ -141,7 +133,7 @@ static enumerator_t* create_private_enumerator(private_stroke_cred_t *this,
 	data = malloc_thing(id_data_t);
 	data->this = this;
 	data->id = id;
-	
+
 	this->lock->read_lock(this->lock);
 	return enumerator_create_filter(this->private->create_enumerator(this->private),
 									(void*)private_filter, data,
@@ -154,26 +146,22 @@ static enumerator_t* create_private_enumerator(private_stroke_cred_t *this,
 static bool certs_filter(id_data_t *data, certificate_t **in, certificate_t **out)
 {
 	public_key_t *public;
-	identification_t *candidate;
 	certificate_t *cert = *in;
-	certificate_type_t type = cert->get_type(cert);
 
-	if (type == CERT_X509_CRL || type == CERT_X509_AC)
+	if (data->type != CERT_ANY && data->type != cert->get_type(cert))
 	{
 		return FALSE;
 	}
-
 	if (data->id == NULL || cert->has_subject(cert, data->id))
 	{
 		*out = *in;
 		return TRUE;
 	}
-	
-	public = (cert)->get_public_key(cert);
+
+	public = cert->get_public_key(cert);
 	if (public)
 	{
-		candidate = public->get_id(public, data->id->get_type(data->id));
-		if (candidate && data->id->equals(data->id, candidate))
+		if (public->has_fingerprint(public, data->id->get_encoding(data->id)))
 		{
 			public->destroy(public);
 			*out = *in;
@@ -184,46 +172,6 @@ static bool certs_filter(id_data_t *data, certificate_t **in, certificate_t **ou
 	return FALSE;
 }
 
-/**
- * filter function for crl enumerator
- */
-static bool crl_filter(id_data_t *data, certificate_t **in, certificate_t **out)
-{
-	certificate_t *cert = *in;
-	
-	if (cert->get_type(cert) != CERT_X509_CRL)
-	{
-		return FALSE;
-	}
-
-	if (data->id == NULL || cert->has_issuer(cert, data->id))
-	{
-		*out = *in;
-		return TRUE;
-	}
-	return FALSE;
-}
-
-/**
- * filter function for attribute certificate enumerator
- */
-static bool ac_filter(id_data_t *data, certificate_t **in, certificate_t **out)
-{
-	certificate_t *cert = *in;
-	
-	if (cert->get_type(cert) != CERT_X509_AC)
-	{
-		return FALSE;
-	}
-
-	if (data->id == NULL || cert->has_subject(cert, data->id))
-	{
-		*out = *in;
-		return TRUE;
-	}
-	return FALSE;
-}
-
 /**
  * Implements credential_set_t.create_cert_enumerator
  */
@@ -232,30 +180,16 @@ static enumerator_t* create_cert_enumerator(private_stroke_cred_t *this,
 							identification_t *id, bool trusted)
 {
 	id_data_t *data;
-	
-	if (cert == CERT_X509_CRL || cert == CERT_X509_AC)
+
+	if (trusted && (cert == CERT_X509_CRL || cert == CERT_X509_AC))
 	{
-		if (trusted)
-		{
-			return NULL;
-		}
-		data = malloc_thing(id_data_t);
-		data->this = this;
-		data->id = id;
-		
-		this->lock->read_lock(this->lock);
-		return enumerator_create_filter(this->certs->create_enumerator(this->certs),
-					(cert == CERT_X509_CRL)? (void*)crl_filter : (void*)ac_filter,
-					data, (void*)id_data_destroy);
-	}
-	if (cert != CERT_X509 && cert != CERT_ANY)
-	{	/* we only have X509 certificates. TODO: ACs? */
 		return NULL;
 	}
 	data = malloc_thing(id_data_t);
 	data->this = this;
 	data->id = id;
-	
+	data->type = cert;
+
 	this->lock->read_lock(this->lock);
 	return enumerator_create_filter(this->certs->create_enumerator(this->certs),
 									(void*)certs_filter, data,
@@ -286,7 +220,7 @@ static bool shared_filter(shared_data_t *data,
 						  void **unused1, id_match_t *me,
 						  void **unused2, id_match_t *other)
 {
-	id_match_t my_match, other_match;
+	id_match_t my_match = ID_MATCH_NONE, other_match = ID_MATCH_NONE;
 	stroke_shared_key_t *stroke = *in;
 	shared_key_t *shared = &stroke->shared;
 
@@ -294,10 +228,16 @@ static bool shared_filter(shared_data_t *data,
 	{
 		return FALSE;
 	}
-	
-	my_match = stroke->has_owner(stroke, data->me);
-	other_match = stroke->has_owner(stroke, data->other);
-	if (!my_match && !other_match)
+
+	if (data->me)
+	{
+		my_match = stroke->has_owner(stroke, data->me);
+	}
+	if (data->other)
+	{
+		other_match = stroke->has_owner(stroke, data->other);
+	}
+	if ((data->me || data->other) && (!my_match && !other_match))
 	{
 		return FALSE;
 	}
@@ -316,12 +256,12 @@ static bool shared_filter(shared_data_t *data,
 /**
  * Implements credential_set_t.create_shared_enumerator
  */
-static enumerator_t* create_shared_enumerator(private_stroke_cred_t *this, 
+static enumerator_t* create_shared_enumerator(private_stroke_cred_t *this,
 							shared_key_type_t type,	identification_t *me,
 							identification_t *other)
 {
 	shared_data_t *data = malloc_thing(shared_data_t);
-	
+
 	data->this = this;
 	data->me = me;
 	data->other = other;
@@ -339,7 +279,7 @@ static certificate_t* add_cert(private_stroke_cred_t *this, certificate_t *cert)
 {
 	certificate_t *current;
 	enumerator_t *enumerator;
-	bool new = TRUE;	
+	bool new = TRUE;
 
 	this->lock->read_lock(this->lock);
 	enumerator = this->certs->create_enumerator(this->certs);
@@ -363,7 +303,7 @@ static certificate_t* add_cert(private_stroke_cred_t *this, certificate_t *cert)
 	this->lock->unlock(this->lock);
 	return cert;
 }
-	
+
 /**
  * Implementation of stroke_cred_t.load_ca.
  */
@@ -371,7 +311,7 @@ static certificate_t* load_ca(private_stroke_cred_t *this, char *filename)
 {
 	certificate_t *cert;
 	char path[PATH_MAX];
-	
+
 	if (*filename == '/')
 	{
 		snprintf(path, sizeof(path), "%s", filename);
@@ -380,7 +320,7 @@ static certificate_t* load_ca(private_stroke_cred_t *this, char *filename)
 	{
 		snprintf(path, sizeof(path), "%s/%s", CA_CERTIFICATE_DIR, filename);
 	}
-	
+
 	cert = lib->creds->create(lib->creds,
 							  CRED_CERTIFICATE, CERT_X509,
 							  BUILD_FROM_FILE, path,
@@ -388,12 +328,12 @@ static certificate_t* load_ca(private_stroke_cred_t *this, char *filename)
 	if (cert)
 	{
 		x509_t *x509 = (x509_t*)cert;
-		
+
 		if (!(x509->get_flags(x509) & X509_CA))
 		{
+			DBG1(DBG_CFG, "  ca certificate \"%Y\" misses ca basic constraint, "
+				 "discarded", cert->get_subject(cert));
 			cert->destroy(cert);
-			DBG1(DBG_CFG, "  ca certificate must have ca basic constraint set, "
-				 "discarded");
 			return NULL;
 		}
 		return (certificate_t*)add_cert(this, cert);
@@ -408,7 +348,7 @@ static bool add_crl(private_stroke_cred_t *this, crl_t* crl)
 {
 	certificate_t *current, *cert = &crl->certificate;
 	enumerator_t *enumerator;
-	bool new = TRUE, found = FALSE;	
+	bool new = TRUE, found = FALSE;
 
 	this->lock->write_lock(this->lock);
 	enumerator = this->certs->create_enumerator(this->certs);
@@ -417,12 +357,11 @@ static bool add_crl(private_stroke_cred_t *this, crl_t* crl)
 		if (current->get_type(current) == CERT_X509_CRL)
 		{
 			crl_t *crl_c = (crl_t*)current;
-			identification_t *authkey = crl->get_authKeyIdentifier(crl);
-			identification_t *authkey_c = crl_c->get_authKeyIdentifier(crl_c);
+			chunk_t authkey = crl->get_authKeyIdentifier(crl);
+			chunk_t authkey_c = crl_c->get_authKeyIdentifier(crl_c);
 
 			/* if compare authorityKeyIdentifiers if available */
-			if (authkey != NULL && authkey_c != NULL &&
-				authkey->equals(authkey, authkey_c))
+			if (authkey.ptr && authkey_c.ptr && chunk_equals(authkey, authkey_c))
 			{
 				found = TRUE;
 			}
@@ -491,17 +430,19 @@ static certificate_t* load_peer(private_stroke_cred_t *this, char *filename)
 	{
 		snprintf(path, sizeof(path), "%s/%s", CERTIFICATE_DIR, filename);
 	}
-	
+
 	cert = lib->creds->create(lib->creds,
-							  CRED_CERTIFICATE, CERT_X509,
+							  CRED_CERTIFICATE, CERT_ANY,
 							  BUILD_FROM_FILE, path,
-							  BUILD_X509_FLAG, 0,
 							  BUILD_END);
 	if (cert)
 	{
 		cert = add_cert(this, cert);
+		DBG1(DBG_CFG, "  loaded certificate \"%Y\" from '%s'",
+					  cert->get_subject(cert), filename);
 		return cert->get_ref(cert);
 	}
+	DBG1(DBG_CFG, "  loading certificate from '%s' failed", filename);
 	return NULL;
 }
 
@@ -513,7 +454,7 @@ static void load_certdir(private_stroke_cred_t *this, char *path,
 {
 	struct stat st;
 	char *file;
-	
+
 	enumerator_t *enumerator = enumerator_create_directory(path);
 
 	if (!enumerator)
@@ -535,22 +476,33 @@ static void load_certdir(private_stroke_cred_t *this, char *path,
 		{
 			case CERT_X509:
 				if (flag & X509_CA)
-				{	/* for CA certificates, we strictly require CA
-					 * basicconstraints to be set */
+				{	/* for CA certificates, we strictly require
+					 * the CA basic constraint to be set */
 					cert = lib->creds->create(lib->creds,
 										CRED_CERTIFICATE, CERT_X509,
 										BUILD_FROM_FILE, file, BUILD_END);
 					if (cert)
 					{
 						x509_t *x509 = (x509_t*)cert;
-						
+
 						if (!(x509->get_flags(x509) & X509_CA))
 						{
-							DBG1(DBG_CFG, "  ca certificate must have ca "
-								 "basic constraint set, discarded");
+							DBG1(DBG_CFG, "  ca certificate \"%Y\" lacks "
+								 "ca basic constraint, discarded",
+								 cert->get_subject(cert));
 							cert->destroy(cert);
 							cert = NULL;
 						}
+						else
+						{
+							DBG1(DBG_CFG, "  loaded ca certificate \"%Y\" from '%s'",
+										  cert->get_subject(cert), file);
+						}
+					}
+					else
+					{
+						DBG1(DBG_CFG, "  loading ca certificate from '%s' "
+									  "failed", file);
 					}
 				}
 				else
@@ -559,6 +511,16 @@ static void load_certdir(private_stroke_cred_t *this, char *path,
 										CRED_CERTIFICATE, CERT_X509,
 										BUILD_FROM_FILE, file,
 										BUILD_X509_FLAG, flag, BUILD_END);
+					if (cert)
+					{
+						DBG1(DBG_CFG, "  loaded certificate \"%Y\" from '%s'",
+									  cert->get_subject(cert), file);
+					}
+					else
+					{
+						DBG1(DBG_CFG, "  loading certificate from '%s' "
+									  "failed", file);
+					}
 				}
 				if (cert)
 				{
@@ -573,6 +535,11 @@ static void load_certdir(private_stroke_cred_t *this, char *path,
 				if (cert)
 				{
 					add_crl(this, (crl_t*)cert);
+					DBG1(DBG_CFG, "  loaded crl from '%s'",  file);
+				}
+				else
+				{
+					DBG1(DBG_CFG, "  loading crl from '%s' failed", file);
 				}
 				break;
 			case CERT_X509_AC:
@@ -583,10 +550,17 @@ static void load_certdir(private_stroke_cred_t *this, char *path,
 				if (cert)
 				{
 					add_ac(this, (ac_t*)cert);
+					DBG1(DBG_CFG, "  loaded attribute certificate from '%s'",
+								  file);
+				}
+				else
+				{
+					DBG1(DBG_CFG, "  loading attribute certificate from '%s' "
+								  "failed", file);
 				}
 				break;
 			default:
-				break;	
+				break;
 		}
 	}
 	enumerator->destroy(enumerator);
@@ -601,20 +575,18 @@ static void cache_cert(private_stroke_cred_t *this, certificate_t *cert)
 	{
 		/* CRLs get written to /etc/ipsec.d/crls/<authkeyId>.crl */
 		crl_t *crl = (crl_t*)cert;
-	
+
 		cert->get_ref(cert);
 		if (add_crl(this, crl))
 		{
 			char buf[BUF_LEN];
 			chunk_t chunk, hex;
-			identification_t *id;
-			
-			id = crl->get_authKeyIdentifier(crl);
-			chunk = id->get_encoding(id);
+
+			chunk = crl->get_authKeyIdentifier(crl);
 			hex = chunk_to_hex(chunk, NULL, FALSE);
 			snprintf(buf, sizeof(buf), "%s/%s.crl", CRL_DIR, hex);
 			free(hex.ptr);
-			
+
 			chunk = cert->get_encoding(cert);
 			chunk_write(chunk, buf, "crl", 022, TRUE);
 			free(chunk.ptr);
@@ -669,7 +641,7 @@ static err_t extract_secret(chunk_t *secret, chunk_t *line)
 	}
 
 	if (quotes)
-	{	
+	{
 		/* treat as an ASCII string */
 		*secret = chunk_clone(raw_secret);
 		return NULL;
@@ -692,10 +664,55 @@ static err_t extract_secret(chunk_t *secret, chunk_t *line)
 	return NULL;
 }
 
+/**
+ * Data to pass to passphrase_cb
+ */
+typedef struct {
+	/** socket we use for prompting */
+	FILE *prompt;
+	/** private key file */
+	char *file;
+	/** buffer for passphrase */
+	char buf[256];
+} passphrase_cb_data_t;
+
+/**
+ * Passphrase callback to read from whack fd
+ */
+chunk_t passphrase_cb(passphrase_cb_data_t *data, int try)
+{
+	chunk_t secret = chunk_empty;;
+
+	if (try > 5)
+	{
+		fprintf(data->prompt, "invalid passphrase, too many trials\n");
+		return chunk_empty;
+	}
+	if (try == 1)
+	{
+		fprintf(data->prompt, "Private key '%s' is encrypted\n", data->file);
+	}
+	else
+	{
+		fprintf(data->prompt, "invalid passphrase\n");
+	}
+	fprintf(data->prompt, "Passphrase:\n");
+	if (fgets(data->buf, sizeof(data->buf), data->prompt))
+	{
+		secret = chunk_create(data->buf, strlen(data->buf));
+		if (secret.len)
+		{	/* trim appended \n */
+			secret.len--;
+		}
+	}
+	return secret;
+}
+
 /**
  * reload ipsec.secrets
  */
-static void load_secrets(private_stroke_cred_t *this, char *file, int level)
+static void load_secrets(private_stroke_cred_t *this, char *file, int level,
+						 FILE *prompt)
 {
 	size_t bytes;
 	int line_nr = 0;
@@ -709,7 +726,7 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level)
 	fd = fopen(file, "r");
 	if (fd == NULL)
 	{
-		DBG1(DBG_CFG, "opening secrets file '%s' failed");
+		DBG1(DBG_CFG, "opening secrets file '%s' failed", file);
 		return;
 	}
 
@@ -722,9 +739,10 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level)
 	fclose(fd);
 	src = chunk;
 
-	this->lock->write_lock(this->lock);
 	if (level == 0)
 	{
+		this->lock->write_lock(this->lock);
+
 		/* flush secrets on non-recursive invocation */
 		while (this->shared->remove_last(this->shared,
 										 (void**)&shared) == SUCCESS)
@@ -737,7 +755,7 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level)
 			private->destroy(private);
 		}
 	}
-	
+
 	while (fetchline(&src, &line))
 	{
 		chunk_t ids, token;
@@ -755,7 +773,7 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level)
 			glob_t buf;
 			char **expanded, *dir, pattern[PATH_MAX];
 			u_char *pos;
-			
+
 			if (level > MAX_SECRETS_RECURSION)
 			{
 				DBG1(DBG_CFG, "maximum level of %d includes reached, ignored",
@@ -782,7 +800,7 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level)
 			{	/* use directory of current file if relative */
 				dir = strdup(file);
 				dir = dirname(dir);
-				
+
 				if (line.len + 1 + strlen(dir) + 1 > sizeof(pattern))
 				{
 					DBG1(DBG_CFG, "include pattern too long, ignored");
@@ -802,13 +820,13 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level)
 			{
 				for (expanded = buf.gl_pathv; *expanded != NULL; expanded++)
 				{
-					load_secrets(this, *expanded, level + 1);
+					load_secrets(this, *expanded, level + 1, prompt);
 				}
 			}
 			globfree(&buf);
 			continue;
 		}
-		
+
 		if (line.len > 2 && strneq(": ", line.ptr, 2))
 		{
 			/* no ids, skip the ':' */
@@ -837,9 +855,7 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level)
 			char path[PATH_MAX];
 			chunk_t filename;
 			chunk_t secret = chunk_empty;
-			private_key_t *key;
-			bool pgp = FALSE;
-			chunk_t chunk = chunk_empty;
+			private_key_t *key = NULL;
 			key_type_t key_type = match("RSA", &token) ? KEY_RSA : KEY_ECDSA;
 
 			err_t ugh = extract_value(&filename, &line);
@@ -862,7 +878,7 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level)
 			else
 			{
 				/* relative path name */
-				snprintf(path, sizeof(path), "%s/%.*s", PRIVATE_KEY_DIR, 
+				snprintf(path, sizeof(path), "%s/%.*s", PRIVATE_KEY_DIR,
 						 filename.len, filename.ptr);
 			}
 
@@ -876,18 +892,36 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level)
 					goto error;
 				}
 			}
-
-			if (pem_asn1_load_file(path, &secret, &chunk, &pgp))
+			if (secret.len == 7 && strneq(secret.ptr, "%prompt", 7))
 			{
-				key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, key_type,
-										 BUILD_BLOB_ASN1_DER, chunk, BUILD_END);
-				free(chunk.ptr);
-				if (key)
+				if (prompt)
 				{
-					DBG1(DBG_CFG, "  loaded private key file '%s'", path);
-					this->private->insert_last(this->private, key);
+					passphrase_cb_data_t data;
+
+					data.prompt = prompt;
+					data.file = path;
+					key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY,
+											 key_type, BUILD_FROM_FILE, path,
+											 BUILD_PASSPHRASE_CALLBACK,
+											 passphrase_cb, &data, BUILD_END);
 				}
 			}
+			else
+			{
+				key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, key_type,
+										 BUILD_FROM_FILE, path,
+										 BUILD_PASSPHRASE, secret, BUILD_END);
+			}
+			if (key)
+			{
+				DBG1(DBG_CFG, "  loaded %N private key from '%s'",
+					 key_type_names, key->get_type(key), path);
+				this->private->insert_last(this->private, key);
+			}
+			else
+			{
+				DBG1(DBG_CFG, "  loading private key from '%s' failed", path);
+			}
 			chunk_clear(&secret);
 		}
 		else if (match("PIN", &token))
@@ -896,9 +930,9 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level)
 			char smartcard[32], keyid[22], pin[32];
 			private_key_t *key;
 			u_int slot;
-			
+
 			err_t ugh = extract_value(&sc, &line);
-			
+
 			if (ugh != NULL)
 			{
 				DBG1(DBG_CFG, "line %d: %s", line_nr, ugh);
@@ -911,7 +945,7 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level)
 			}
 			snprintf(smartcard, sizeof(smartcard), "%.*s", sc.len, sc.ptr);
 			smartcard[sizeof(smartcard) - 1] = '\0';
-			
+
 			/* parse slot and key id. only two formats are supported.
 			 * first try %smartcard<slot>:<keyid> */
 			if (sscanf(smartcard, "%%smartcard%u:%s", &slot, keyid) == 2)
@@ -929,7 +963,7 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level)
 						" supported or invalid", line_nr);
 				goto error;
 			}
-			
+
 			if (!eat_whitespace(&line))
 			{
 				DBG1(DBG_CFG, "line %d: expected PIN", line_nr);
@@ -943,12 +977,12 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level)
 			}
 			snprintf(pin, sizeof(pin), "%.*s", secret.len, secret.ptr);
 			pin[sizeof(pin) - 1] = '\0';
-			
+
 			/* we assume an RSA key */
 			key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
 									 BUILD_SMARTCARD_KEYID, smartcard,
 									 BUILD_SMARTCARD_PIN, pin, BUILD_END);
-			
+
 			if (key)
 			{
 				DBG1(DBG_CFG, "  loaded private key from %.*s", sc.len, sc.ptr);
@@ -975,7 +1009,7 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level)
 			DBG1(DBG_CFG, "  loaded %N secret for %s", shared_key_type_names, type,
 				 ids.len > 0 ? (char*)ids.ptr : "%any");
 			DBG4(DBG_CFG, "  secret: %#B", &secret);
-			
+
 			this->shared->insert_last(this->shared, shared_key);
 			while (ids.len > 0)
 			{
@@ -992,7 +1026,7 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level)
 				{
 					continue;
 				}
-				
+
 				/* NULL terminate the ID string */
 				*(id.ptr + id.len) = '\0';
 				peer_id = identification_create_from_string(id.ptr);
@@ -1001,7 +1035,7 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level)
 					peer_id->destroy(peer_id);
 					continue;
 				}
-				
+
 				shared_key->add_owner(shared_key, peer_id);
 				any = FALSE;
 			}
@@ -1019,7 +1053,10 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level)
 		}
 	}
 error:
-	this->lock->unlock(this->lock);
+	if (level == 0)
+	{
+		this->lock->unlock(this->lock);
+	}
 	chunk_clear(&chunk);
 }
 
@@ -1052,12 +1089,12 @@ static void load_certs(private_stroke_cred_t *this)
 /**
  * Implementation of stroke_cred_t.reread.
  */
-static void reread(private_stroke_cred_t *this, stroke_msg_t *msg)
+static void reread(private_stroke_cred_t *this, stroke_msg_t *msg, FILE *prompt)
 {
 	if (msg->reread.flags & REREAD_SECRETS)
 	{
 		DBG1(DBG_CFG, "rereading secrets");
-		load_secrets(this, SECRETS_FILE, 0);
+		load_secrets(this, SECRETS_FILE, 0, prompt);
 	}
 	if (msg->reread.flags & REREAD_CACERTS)
 	{
@@ -1110,28 +1147,28 @@ static void destroy(private_stroke_cred_t *this)
 stroke_cred_t *stroke_cred_create()
 {
 	private_stroke_cred_t *this = malloc_thing(private_stroke_cred_t);
-	
+
 	this->public.set.create_private_enumerator = (void*)create_private_enumerator;
 	this->public.set.create_cert_enumerator = (void*)create_cert_enumerator;
 	this->public.set.create_shared_enumerator = (void*)create_shared_enumerator;
 	this->public.set.create_cdp_enumerator = (void*)return_null;
 	this->public.set.cache_cert = (void*)cache_cert;
-	this->public.reread = (void(*)(stroke_cred_t*, stroke_msg_t *msg))reread;
+	this->public.reread = (void(*)(stroke_cred_t*, stroke_msg_t *msg, FILE*))reread;
 	this->public.load_ca = (certificate_t*(*)(stroke_cred_t*, char *filename))load_ca;
 	this->public.load_peer = (certificate_t*(*)(stroke_cred_t*, char *filename))load_peer;
 	this->public.cachecrl = (void(*)(stroke_cred_t*, bool enabled))cachecrl;
 	this->public.destroy = (void(*)(stroke_cred_t*))destroy;
-	
+
 	this->certs = linked_list_create();
 	this->shared = linked_list_create();
 	this->private = linked_list_create();
 	this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
 
 	load_certs(this);
-	load_secrets(this, SECRETS_FILE, 0);
-	
+	load_secrets(this, SECRETS_FILE, 0, NULL);
+
 	this->cachecrl = FALSE;
-	
+
 	return &this->public;
 }
 
diff --git a/src/charon/plugins/stroke/stroke_cred.h b/src/charon/plugins/stroke/stroke_cred.h
index 8bc042f13..ccee7d87c 100644
--- a/src/charon/plugins/stroke/stroke_cred.h
+++ b/src/charon/plugins/stroke/stroke_cred.h
@@ -21,6 +21,8 @@
 #ifndef STROKE_CRED_H_
 #define STROKE_CRED_H_
 
+#include <stdio.h>
+
 #include <stroke_msg.h>
 #include <credentials/credential_set.h>
 #include <credentials/certificates/certificate.h>
@@ -36,14 +38,15 @@ struct stroke_cred_t {
 	 * Implements credential_set_t
 	 */
 	credential_set_t set;
-	
+
 	/**
 	 * Reread secrets from config files.
 	 *
 	 * @param msg		stroke message
+	 * @param prompt	I/O channel to prompt for private key passhprase
 	 */
-	void (*reread)(stroke_cred_t *this, stroke_msg_t *msg);
-	
+	void (*reread)(stroke_cred_t *this, stroke_msg_t *msg, FILE *prompt);
+
 	/**
 	 * Load a CA certificate, and serve it through the credential_set.
 	 *
@@ -51,7 +54,7 @@ struct stroke_cred_t {
 	 * @return				reference to loaded certificate, or NULL
 	 */
 	certificate_t* (*load_ca)(stroke_cred_t *this, char *filename);
-	
+
 	/**
 	 * Load a peer certificate and serve it rhrough the credential_set.
 	 *
@@ -59,18 +62,18 @@ struct stroke_cred_t {
 	 * @return				reference to loaded certificate, or NULL
 	 */
 	certificate_t* (*load_peer)(stroke_cred_t *this, char *filename);
-	
+
 	/**
 	 * Enable/Disable CRL caching to disk.
 	 *
 	 * @param enabled		TRUE to enable, FALSE to disable
 	 */
 	void (*cachecrl)(stroke_cred_t *this, bool enabled);
-	
+
 	/**
-     * Destroy a stroke_cred instance.
-     */
-    void (*destroy)(stroke_cred_t *this);
+	 * Destroy a stroke_cred instance.
+	 */
+	void (*destroy)(stroke_cred_t *this);
 };
 
 /**
diff --git a/src/charon/plugins/stroke/stroke_list.c b/src/charon/plugins/stroke/stroke_list.c
index 6f421bd30..c2a98da33 100644
--- a/src/charon/plugins/stroke/stroke_list.c
+++ b/src/charon/plugins/stroke/stroke_list.c
@@ -22,6 +22,8 @@
 #include <credentials/certificates/x509.h>
 #include <credentials/certificates/ac.h>
 #include <credentials/certificates/crl.h>
+#include <credentials/certificates/pgp_certificate.h>
+#include <credentials/ietf_attributes/ietf_attributes.h>
 #include <config/peer_cfg.h>
 
 /* warning intervals for list functions */
@@ -40,12 +42,12 @@ struct private_stroke_list_t {
 	 * public functions
 	 */
 	stroke_list_t public;
-	
+
 	/**
 	 * timestamp of daemon start
 	 */
 	time_t uptime;
-	
+
 	/**
 	 * strokes attribute provider
 	 */
@@ -58,45 +60,45 @@ struct private_stroke_list_t {
 static void log_ike_sa(FILE *out, ike_sa_t *ike_sa, bool all)
 {
 	ike_sa_id_t *id = ike_sa->get_id(ike_sa);
-	time_t now = time(NULL);
-	
+	time_t now = time_monotonic(NULL);
+
 	fprintf(out, "%12s[%d]: %N",
 			ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa),
 			ike_sa_state_names, ike_sa->get_state(ike_sa));
-	
+
 	if (ike_sa->get_state(ike_sa) == IKE_ESTABLISHED)
 	{
 		time_t established;
-		
+
 		established = ike_sa->get_statistic(ike_sa, STAT_ESTABLISHED);
 		fprintf(out, " %V ago", &now, &established);
 	}
-	
+
 	fprintf(out, ", %H[%Y]...%H[%Y]\n",
 			ike_sa->get_my_host(ike_sa), ike_sa->get_my_id(ike_sa),
 			ike_sa->get_other_host(ike_sa), ike_sa->get_other_id(ike_sa));
-	
+
 	if (all)
 	{
 		proposal_t *ike_proposal;
-		
+
 		ike_proposal = ike_sa->get_proposal(ike_sa);
-		
+
 		fprintf(out, "%12s[%d]: IKE SPIs: %.16llx_i%s %.16llx_r%s",
 				ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa),
 				id->get_initiator_spi(id), id->is_initiator(id) ? "*" : "",
 				id->get_responder_spi(id), id->is_initiator(id) ? "" : "*");
-		
-		
+
+
 		if (ike_sa->get_state(ike_sa) == IKE_ESTABLISHED)
 		{
 			time_t rekey, reauth;
 			peer_cfg_t *peer_cfg;
-			
+
 			rekey = ike_sa->get_statistic(ike_sa, STAT_REKEY);
 			reauth = ike_sa->get_statistic(ike_sa, STAT_REAUTH);
 			peer_cfg = ike_sa->get_peer_cfg(ike_sa);
-			
+
 			if (rekey)
 			{
 				fprintf(out, ", rekeying in %V", &rekey, &now);
@@ -106,7 +108,7 @@ static void log_ike_sa(FILE *out, ike_sa_t *ike_sa, bool all)
 				bool first = TRUE;
 				enumerator_t *enumerator;
 				auth_cfg_t *auth;
-				
+
 				fprintf(out, ", ");
 				enumerator = peer_cfg->create_auth_cfg_enumerator(peer_cfg, TRUE);
 				while (enumerator->enumerate(enumerator, &auth))
@@ -128,11 +130,11 @@ static void log_ike_sa(FILE *out, ike_sa_t *ike_sa, bool all)
 			}
 		}
 		fprintf(out, "\n");
-		
+
 		if (ike_proposal)
 		{
 			char buf[BUF_LEN];
-			
+
 			snprintf(buf, BUF_LEN, "%P", ike_proposal);
 			fprintf(out, "%12s[%d]: IKE proposal: %s\n",
 					ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa),
@@ -146,17 +148,18 @@ static void log_ike_sa(FILE *out, ike_sa_t *ike_sa, bool all)
  */
 static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all)
 {
-	time_t use_in, use_out, rekey, now = time(NULL);
+	time_t use_in, use_out, rekey, now;
 	u_int64_t bytes_in, bytes_out;
 	proposal_t *proposal;
 	child_cfg_t *config = child_sa->get_config(child_sa);
-	
-	fprintf(out, "%12s{%d}:  %N, %N%s", 
+
+
+	fprintf(out, "%12s{%d}:  %N, %N%s",
 			child_sa->get_name(child_sa), child_sa->get_reqid(child_sa),
 			child_sa_state_names, child_sa->get_state(child_sa),
 			ipsec_mode_names, child_sa->get_mode(child_sa),
 			config->use_proxy_mode(config) ? "_PROXY" : "");
-	
+
 	if (child_sa->get_state(child_sa) == CHILD_INSTALLED)
 	{
 		fprintf(out, ", %N%s SPIs: %.8x_i %.8x_o",
@@ -164,30 +167,30 @@ static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all)
 				child_sa->has_encap(child_sa) ? " in UDP" : "",
 				ntohl(child_sa->get_spi(child_sa, TRUE)),
 				ntohl(child_sa->get_spi(child_sa, FALSE)));
-		
+
 		if (child_sa->get_ipcomp(child_sa) != IPCOMP_NONE)
 		{
 			fprintf(out, ", IPCOMP CPIs: %.4x_i %.4x_o",
 					ntohs(child_sa->get_cpi(child_sa, TRUE)),
 					ntohs(child_sa->get_cpi(child_sa, FALSE)));
 		}
-		
+
 		if (all)
 		{
-			fprintf(out, "\n%12s{%d}:  ", child_sa->get_name(child_sa), 
+			fprintf(out, "\n%12s{%d}:  ", child_sa->get_name(child_sa),
 					child_sa->get_reqid(child_sa));
-			
+
 			proposal = child_sa->get_proposal(child_sa);
 			if (proposal)
 			{
 				u_int16_t encr_alg = ENCR_UNDEFINED, int_alg = AUTH_UNDEFINED;
 				u_int16_t encr_size = 0, int_size = 0;
-				
+
 				proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM,
 										&encr_alg, &encr_size);
 				proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM,
 										&int_alg, &int_size);
-				
+
 				if (encr_alg != ENCR_UNDEFINED)
 				{
 					fprintf(out, "%N", encryption_algorithm_names, encr_alg);
@@ -206,6 +209,7 @@ static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all)
 				}
 			}
 
+			now = time_monotonic(NULL);
 			child_sa->get_usestats(child_sa, TRUE, &use_in, &bytes_in);
 			fprintf(out, ", %llu bytes_i", bytes_in);
 			if (use_in)
@@ -220,7 +224,7 @@ static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all)
 				fprintf(out, " (%ds ago)", now - use_out);
 			}
 			fprintf(out, ", rekeying ");
-			
+
 			rekey = child_sa->get_lifetime(child_sa, FALSE);
 			if (rekey)
 			{
@@ -237,10 +241,10 @@ static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all)
 			{
 				fprintf(out, "disabled");
 			}
-			
+
 		}
 	}
-	
+
 	fprintf(out, "\n%12s{%d}:   %#R=== %#R\n",
 			child_sa->get_name(child_sa), child_sa->get_reqid(child_sa),
 			child_sa->get_traffic_selectors(child_sa, TRUE),
@@ -260,9 +264,9 @@ static void log_auth_cfgs(FILE *out, peer_cfg_t *peer_cfg, bool local)
 	certificate_t *cert;
 	cert_validation_t valid;
 	char *name;
-	
+
 	name = peer_cfg->get_name(peer_cfg);
-	
+
 	enumerator = peer_cfg->create_auth_cfg_enumerator(peer_cfg, local);
 	while (enumerator->enumerate(enumerator, &auth))
 	{
@@ -327,7 +331,7 @@ static void log_auth_cfgs(FILE *out, peer_cfg_t *peer_cfg, bool local)
 			fprintf(out, "%12s:    ocsp:  status must be GOOD%s\n", name,
 					(valid == VALIDATION_SKIPPED) ? " or SKIPPED" : "");
 		}
-		
+
 		valid = (uintptr_t)auth->get(auth, AUTH_RULE_CRL_VALIDATION);
 		if (valid != VALIDATION_FAILED)
 		{
@@ -360,18 +364,21 @@ static void status(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out, bo
 	ike_sa_t *ike_sa;
 	bool first, found = FALSE;
 	char *name = msg->status.name;
-	
+
 	if (all)
 	{
 		peer_cfg_t *peer_cfg;
 		char *plugin, *pool;
 		host_t *host;
 		u_int32_t dpd;
-		time_t now = time(NULL);
+		time_t since, now;
 		u_int size, online, offline;
-		
+
+		now = time_monotonic(NULL);
+		since = time(NULL) - (now - this->uptime);
+
 		fprintf(out, "Status of IKEv2 charon daemon (strongSwan "VERSION"):\n");
-		fprintf(out, "  uptime: %V, since %T\n", &now, &this->uptime, &this->uptime, FALSE);
+		fprintf(out, "  uptime: %V, since %T\n", &now, &this->uptime, &since, FALSE);
 		fprintf(out, "  worker threads: %d idle of %d,",
 				charon->processor->get_idle_threads(charon->processor),
 				charon->processor->get_total_threads(charon->processor));
@@ -387,7 +394,7 @@ static void status(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out, bo
 		}
 		enumerator->destroy(enumerator);
 		fprintf(out, "\n");
-		
+
 		first = TRUE;
 		enumerator = this->attribute->create_pool_enumerator(this->attribute);
 		while (enumerator->enumerate(enumerator, &pool, &size, &online, &offline))
@@ -404,7 +411,7 @@ static void status(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out, bo
 			fprintf(out, "  %s: %u/%u/%u\n", pool, size, online, offline);
 		}
 		enumerator->destroy(enumerator);
-		
+
 		enumerator = charon->kernel_interface->create_address_enumerator(
 								charon->kernel_interface, FALSE, FALSE);
 		fprintf(out, "Listening IP addresses:\n");
@@ -413,7 +420,7 @@ static void status(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out, bo
 			fprintf(out, "  %H\n", host);
 		}
 		enumerator->destroy(enumerator);
-	
+
 		fprintf(out, "Connections:\n");
 		enumerator = charon->backends->create_peer_cfg_enumerator(
 									charon->backends, NULL, NULL, NULL, NULL);
@@ -424,33 +431,33 @@ static void status(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out, bo
 			{
 				continue;
 			}
-			
+
 			ike_cfg = peer_cfg->get_ike_cfg(peer_cfg);
 			fprintf(out, "%12s:  %s...%s", peer_cfg->get_name(peer_cfg),
 				ike_cfg->get_my_addr(ike_cfg), ike_cfg->get_other_addr(ike_cfg));
-			
+
 			dpd = peer_cfg->get_dpd(peer_cfg);
 			if (dpd)
 			{
 				fprintf(out, ", dpddelay=%us", dpd);
 			}
 			fprintf(out, "\n");
-			
+
 			log_auth_cfgs(out, peer_cfg, TRUE);
 			log_auth_cfgs(out, peer_cfg, FALSE);
-			
+
 			children = peer_cfg->create_child_cfg_enumerator(peer_cfg);
 			while (children->enumerate(children, &child_cfg))
 			{
 				linked_list_t *my_ts, *other_ts;
-				
+
 				my_ts = child_cfg->get_traffic_selectors(child_cfg, TRUE, NULL, NULL);
 				other_ts = child_cfg->get_traffic_selectors(child_cfg, FALSE, NULL, NULL);
 				fprintf(out, "%12s:   child:  %#R=== %#R", child_cfg->get_name(child_cfg),
 						my_ts, other_ts);
 				my_ts->destroy_offset(my_ts, offsetof(traffic_selector_t, destroy));
 				other_ts->destroy_offset(other_ts, offsetof(traffic_selector_t, destroy));
-				
+
 				if (dpd)
 				{
 					fprintf(out, ", dpdaction=%N", action_names,
@@ -463,7 +470,7 @@ static void status(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out, bo
 		enumerator->destroy(enumerator);
 	}
 
-	first = TRUE;	
+	first = TRUE;
 	enumerator = charon->traps->create_enumerator(charon->traps);
 	while (enumerator->enumerate(enumerator, NULL, &child_sa))
 	{
@@ -475,14 +482,14 @@ static void status(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out, bo
 		log_child_sa(out, child_sa, all);
 	}
 	enumerator->destroy(enumerator);
-	
+
 	fprintf(out, "Security Associations:\n");
 	enumerator = charon->controller->create_ike_sa_enumerator(charon->controller);
 	while (enumerator->enumerate(enumerator, &ike_sa))
 	{
 		bool ike_printed = FALSE;
 		iterator_t *children = ike_sa->create_child_sa_iterator(ike_sa);
-		
+
 		if (name == NULL || streq(name, ike_sa->get_name(ike_sa)))
 		{
 			log_ike_sa(out, ike_sa, all);
@@ -501,12 +508,12 @@ static void status(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out, bo
 					ike_printed = TRUE;
 				}
 				log_child_sa(out, child_sa, all);
-			}	
+			}
 		}
 		children->destroy(children);
 	}
 	enumerator->destroy(enumerator);
-	
+
 	if (!found)
 	{
 		if (name)
@@ -531,14 +538,14 @@ static linked_list_t* create_unique_cert_list(certificate_type_t type)
 									charon->credentials, type, KEY_ANY,
 									NULL, FALSE);
 	certificate_t *cert;
-	
+
 	while (enumerator->enumerate(enumerator, (void**)&cert))
 	{
 		iterator_t *iterator = list->create_iterator(list, TRUE);
 		identification_t *issuer = cert->get_issuer(cert);
 		bool previous_same, same = FALSE, last = TRUE;
 		certificate_t *list_cert;
-		
+
 		while (iterator->iterate(iterator, (void**)&list_cert))
 		{
 			/* exit if we have a duplicate? */
@@ -568,6 +575,41 @@ static linked_list_t* create_unique_cert_list(certificate_type_t type)
 	return list;
 }
 
+/**
+ * Print a single public key.
+ */
+static void list_public_key(public_key_t *public, FILE *out)
+{
+	private_key_t *private = NULL;
+	chunk_t keyid;
+	identification_t *id;
+	auth_cfg_t *auth;
+
+	if (public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1, &keyid))
+	{
+		id = identification_create_from_encoding(ID_KEY_ID, keyid);
+		auth = auth_cfg_create();
+		private = charon->credentials->get_private(charon->credentials,
+									public->get_type(public), id, auth);
+		auth->destroy(auth);
+		id->destroy(id);
+	}
+
+	fprintf(out, "  pubkey:    %N %d bits%s\n",
+			key_type_names, public->get_type(public),
+			public->get_keysize(public) * 8,
+			private ? ", has private key" : "");
+	if (public->get_fingerprint(public, KEY_ID_PUBKEY_INFO_SHA1, &keyid))
+	{
+		fprintf(out, "  keyid:     %#B\n", &keyid);
+	}
+	if (public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1, &keyid))
+	{
+		fprintf(out, "  subjkey:   %#B\n", &keyid);
+	}
+	DESTROY_IF(private);
+}
+
 /**
  * list all raw public keys
  */
@@ -584,9 +626,6 @@ static void stroke_list_pubkeys(linked_list_t *list, bool utc, FILE *out)
 
 		if (public)
 		{
-			private_key_t *private = NULL;
-			identification_t *id, *keyid;
-			
 			if (first)
 			{
 				fprintf(out, "\n");
@@ -595,20 +634,52 @@ static void stroke_list_pubkeys(linked_list_t *list, bool utc, FILE *out)
 			}
 			fprintf(out, "\n");
 
-			/* list public key information */
-			id    = public->get_id(public, ID_PUBKEY_SHA1);
-			keyid = public->get_id(public, ID_PUBKEY_INFO_SHA1);
-
-			private = charon->credentials->get_private(
-								charon->credentials, 
-								public->get_type(public), keyid, NULL);
-			fprintf(out, "  pubkey:    %N %d bits%s\n",
-					key_type_names, public->get_type(public),
-					public->get_keysize(public) * 8,
-					private ? ", has private key" : "");
-			fprintf(out, "  keyid:     %Y\n", keyid);
-			fprintf(out, "  subjkey:   %Y\n", id);
-			DESTROY_IF(private);
+			list_public_key(public, out);
+			public->destroy(public);
+		}
+	}
+	enumerator->destroy(enumerator);
+}
+
+/**
+ * list OpenPGP certificates
+ */
+static void stroke_list_pgp(linked_list_t *list,bool utc, FILE *out)
+{
+	bool first = TRUE;
+	time_t now = time(NULL);
+	enumerator_t *enumerator = list->create_enumerator(list);
+	certificate_t *cert;
+
+	while (enumerator->enumerate(enumerator, (void**)&cert))
+	{
+		time_t created, until;
+		public_key_t *public;
+		pgp_certificate_t *pgp_cert = (pgp_certificate_t*)cert;
+		chunk_t fingerprint = pgp_cert->get_fingerprint(pgp_cert);
+
+		if (first)
+		{
+
+			fprintf(out, "\n");
+				fprintf(out, "List of PGP End Entity Certificates:\n");
+				first = FALSE;
+		}
+		fprintf(out, "\n");
+		fprintf(out, "  userid:   '%Y'\n", cert->get_subject(cert));
+
+		fprintf(out, "  digest:    %#B\n", &fingerprint);
+
+		/* list validity */
+		cert->get_validity(cert, &now, &created, &until);
+		fprintf(out, "  created:   %T\n", &created, utc);
+		fprintf(out, "  until:     %T%s\n", &until, utc,
+			(until == TIME_32_BIT_SIGNED_MAX) ? " (expires never)":"");
+
+		public = cert->get_public_key(cert);
+		if (public)
+		{
+			list_public_key(public, out);
 			public->destroy(public);
 		}
 	}
@@ -618,29 +689,35 @@ static void stroke_list_pubkeys(linked_list_t *list, bool utc, FILE *out)
 /**
  * list all X.509 certificates matching the flags
  */
-static void stroke_list_certs(linked_list_t *list, char *label, 
+static void stroke_list_certs(linked_list_t *list, char *label,
 							  x509_flag_t flags, bool utc, FILE *out)
 {
 	bool first = TRUE;
 	time_t now = time(NULL);
-	enumerator_t *enumerator = list->create_enumerator(list);
+	enumerator_t *enumerator;
 	certificate_t *cert;
+	x509_flag_t flag_mask;
+
+	/* mask all auxiliary flags */
+	flag_mask = ~(X509_SERVER_AUTH | X509_CLIENT_AUTH |
+				  X509_SELF_SIGNED | X509_IP_ADDR_BLOCKS );
 
+	enumerator = list->create_enumerator(list);
 	while (enumerator->enumerate(enumerator, (void**)&cert))
 	{
 		x509_t *x509 = (x509_t*)cert;
-		x509_flag_t x509_flags = x509->get_flags(x509);
+		x509_flag_t x509_flags = x509->get_flags(x509) & flag_mask;
 
-		/* list only if flag is set, or flags == 0 (ignoring self-signed) */
-		if ((x509_flags & flags) || (flags == (x509_flags & ~X509_SELF_SIGNED)))
+		/* list only if flag is set or flag == 0 */
+		if ((x509_flags & flags) || (x509_flags == flags))
 		{
 			enumerator_t *enumerator;
 			identification_t *altName;
 			bool first_altName = TRUE;
-			chunk_t serial = x509->get_serial(x509);
-			identification_t *authkey = x509->get_authKeyIdentifier(x509);
+			int pathlen;
+			chunk_t serial, authkey;
 			time_t notBefore, notAfter;
-			public_key_t *public = cert->get_public_key(cert);
+			public_key_t *public;
 
 			if (first)
 			{
@@ -673,6 +750,7 @@ static void stroke_list_certs(linked_list_t *list, char *label,
 
 			fprintf(out, "  subject:  \"%Y\"\n", cert->get_subject(cert));
 			fprintf(out, "  issuer:   \"%Y\"\n", cert->get_issuer(cert));
+			serial = x509->get_serial(x509);
 			fprintf(out, "  serial:    %#B\n", &serial);
 
 			/* list validity */
@@ -700,33 +778,50 @@ static void stroke_list_certs(linked_list_t *list, char *label,
 				}
 				fprintf(out, " \n");
 			}
-	
-			/* list public key information */
+
+			public = cert->get_public_key(cert);
 			if (public)
 			{
-				private_key_t *private = NULL;
-				identification_t *id, *keyid;
-			
-				id    = public->get_id(public, ID_PUBKEY_SHA1);
-				keyid = public->get_id(public, ID_PUBKEY_INFO_SHA1);
-
-				private = charon->credentials->get_private(
-									charon->credentials, 
-									public->get_type(public), keyid, NULL);
-				fprintf(out, "  pubkey:    %N %d bits%s\n",
-						key_type_names, public->get_type(public),
-						public->get_keysize(public) * 8,
-						private ? ", has private key" : "");
-				fprintf(out, "  keyid:     %Y\n", keyid);
-				fprintf(out, "  subjkey:   %Y\n", id);
-				DESTROY_IF(private);
+				list_public_key(public, out);
 				public->destroy(public);
 			}
-	
+
 			/* list optional authorityKeyIdentifier */
-			if (authkey)
+			authkey = x509->get_authKeyIdentifier(x509);
+			if (authkey.ptr)
 			{
-				fprintf(out, "  authkey:   %Y\n", authkey);
+				fprintf(out, "  authkey:   %#B\n", &authkey);
+			}
+
+			/* list optional pathLenConstraint */
+			pathlen = x509->get_pathLenConstraint(x509);
+			if (pathlen != X509_NO_PATH_LEN_CONSTRAINT)
+			{
+				fprintf(out, "  pathlen:   %d\n", pathlen);
+			}
+
+			/* list optional ipAddrBlocks */
+			if (x509->get_flags(x509) & X509_IP_ADDR_BLOCKS)
+			{
+				traffic_selector_t *ipAddrBlock;
+				bool first_ipAddrBlock = TRUE;
+
+				fprintf(out, "  addresses: ");
+				enumerator = x509->create_ipAddrBlock_enumerator(x509);
+				while (enumerator->enumerate(enumerator, &ipAddrBlock))
+				{
+					if (first_ipAddrBlock)
+					{
+						first_ipAddrBlock = FALSE;
+					}
+					else
+					{
+						fprintf(out, ", ");
+					}
+					fprintf(out, "%R", ipAddrBlock);
+				}
+				enumerator->destroy(enumerator);
+				fprintf(out, "\n");
 			}
 		}
 	}
@@ -746,11 +841,9 @@ static void stroke_list_acerts(linked_list_t *list, bool utc, FILE *out)
 	while (enumerator->enumerate(enumerator, (void**)&cert))
 	{
 		ac_t *ac = (ac_t*)cert;
-		chunk_t serial  = ac->get_serial(ac);
-		chunk_t holderSerial = ac->get_holderSerial(ac);
-		identification_t *holderIssuer = ac->get_holderIssuer(ac);
-		identification_t *authkey = ac->get_authKeyIdentifier(ac);
-		identification_t *entityName = cert->get_subject(cert);
+		identification_t *id;
+		ietf_attributes_t *groups;
+		chunk_t chunk;
 
 		if (first)
 		{
@@ -760,20 +853,30 @@ static void stroke_list_acerts(linked_list_t *list, bool utc, FILE *out)
 		}
 		fprintf(out, "\n");
 
-		if (entityName)
+		id = cert->get_subject(cert);
+		if (id)
 		{
-			fprintf(out, "  holder:   \"%Y\"\n", entityName);
+			fprintf(out, "  holder:   \"%Y\"\n", id);
 		}
-		if (holderIssuer)
+		id = ac->get_holderIssuer(ac);
+		if (id)
 		{
-			fprintf(out, "  hissuer:  \"%Y\"\n", holderIssuer);
+			fprintf(out, "  hissuer:  \"%Y\"\n", id);
 		}
-		if (holderSerial.ptr)
+		chunk = ac->get_holderSerial(ac);
+		if (chunk.ptr)
 		{
-			fprintf(out, "  hserial:   %#B\n", &holderSerial);
+			fprintf(out, "  hserial:   %#B\n", &chunk);
+		}
+		groups = ac->get_groups(ac);
+		if (groups)
+		{
+			fprintf(out, "  groups:    %s\n", groups->get_string(groups));
+			groups->destroy(groups);
 		}
 		fprintf(out, "  issuer:   \"%Y\"\n", cert->get_issuer(cert));
-		fprintf(out, "  serial:    %#B\n", &serial);
+		chunk  = ac->get_serial(ac);
+		fprintf(out, "  serial:    %#B\n", &chunk);
 
 		/* list validity */
 		cert->get_validity(cert, &now, &thisUpdate, &nextUpdate);
@@ -794,9 +897,10 @@ static void stroke_list_acerts(linked_list_t *list, bool utc, FILE *out)
 		}
 
 		/* list optional authorityKeyIdentifier */
-		if (authkey)
+		chunk = ac->get_authKeyIdentifier(ac);
+		if (chunk.ptr)
 		{
-			fprintf(out, "  authkey:   %Y\n", authkey);
+			fprintf(out, "  authkey:   %#B\n", &chunk);
 		}
 	}
 	enumerator->destroy(enumerator);
@@ -811,12 +915,11 @@ static void stroke_list_crls(linked_list_t *list, bool utc, FILE *out)
 	time_t thisUpdate, nextUpdate, now = time(NULL);
 	enumerator_t *enumerator = list->create_enumerator(list);
 	certificate_t *cert;
-	
+
 	while (enumerator->enumerate(enumerator, (void**)&cert))
 	{
 		crl_t *crl = (crl_t*)cert;
-		chunk_t serial  = crl->get_serial(crl);
-		identification_t *authkey = crl->get_authKeyIdentifier(crl);
+		chunk_t chunk;
 
 		if (first)
 		{
@@ -829,9 +932,10 @@ static void stroke_list_crls(linked_list_t *list, bool utc, FILE *out)
 		fprintf(out, "  issuer:   \"%Y\"\n", cert->get_issuer(cert));
 
 		/* list optional crlNumber */
-		if (serial.ptr)
+		chunk = crl->get_serial(crl);
+		if (chunk.ptr)
 		{
-			fprintf(out, "  serial:    %#B\n", &serial);
+			fprintf(out, "  serial:    %#B\n", &chunk);
 		}
 
 		/* count the number of revoked certificates */
@@ -867,9 +971,10 @@ static void stroke_list_crls(linked_list_t *list, bool utc, FILE *out)
 		}
 
 		/* list optional authorityKeyIdentifier */
-		if (authkey)
+		chunk = crl->get_authKeyIdentifier(crl);
+		if (chunk.ptr)
 		{
-			fprintf(out, "  authkey:   %Y\n", authkey);
+			fprintf(out, "  authkey:   %#B\n", &chunk);
 		}
 	}
 	enumerator->destroy(enumerator);
@@ -883,7 +988,7 @@ static void stroke_list_ocsp(linked_list_t* list, bool utc, FILE *out)
 	bool first = TRUE;
 	enumerator_t *enumerator = list->create_enumerator(list);
 	certificate_t *cert;
-	
+
 	while (enumerator->enumerate(enumerator, (void**)&cert))
 	{
 		if (first)
@@ -910,7 +1015,7 @@ static void list_algs(FILE *out)
 	hash_algorithm_t hash;
 	pseudo_random_function_t prf;
 	diffie_hellman_group_t group;
-	
+
 	fprintf(out, "\n");
 	fprintf(out, "List of registered IKEv2 Algorithms:\n");
 	fprintf(out, "\n  encryption: ");
@@ -963,7 +1068,14 @@ static void list(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out)
 		linked_list_t *pubkey_list = create_unique_cert_list(CERT_TRUSTED_PUBKEY);
 
 		stroke_list_pubkeys(pubkey_list, msg->list.utc, out);
-		pubkey_list->destroy_offset(pubkey_list, offsetof(certificate_t, destroy)); 
+		pubkey_list->destroy_offset(pubkey_list, offsetof(certificate_t, destroy));
+	}
+	if (msg->list.flags & LIST_CERTS)
+	{
+		linked_list_t *pgp_list = create_unique_cert_list(CERT_GPG);
+
+		stroke_list_pgp(pgp_list, msg->list.utc, out);
+		pgp_list->destroy_offset(pgp_list, offsetof(certificate_t, destroy));
 	}
 	if (msg->list.flags & (LIST_CERTS | LIST_CACERTS | LIST_OCSPCERTS | LIST_AACERTS))
 	{
@@ -972,7 +1084,7 @@ static void list(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out)
 	if (msg->list.flags & LIST_CERTS)
 	{
 		stroke_list_certs(cert_list, "X.509 End Entity Certificates",
-						  0, msg->list.utc, out);
+						  X509_NONE, msg->list.utc, out);
 	}
 	if (msg->list.flags & LIST_CACERTS)
 	{
@@ -989,33 +1101,34 @@ static void list(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out)
 		stroke_list_certs(cert_list, "X.509 AA Certificates",
 						  X509_AA, msg->list.utc, out);
 	}
+	DESTROY_OFFSET_IF(cert_list, offsetof(certificate_t, destroy));
+
 	if (msg->list.flags & LIST_ACERTS)
 	{
 		linked_list_t *ac_list = create_unique_cert_list(CERT_X509_AC);
 
 		stroke_list_acerts(ac_list, msg->list.utc, out);
-		ac_list->destroy_offset(ac_list, offsetof(certificate_t, destroy)); 
+		ac_list->destroy_offset(ac_list, offsetof(certificate_t, destroy));
 	}
 	if (msg->list.flags & LIST_CRLS)
 	{
 		linked_list_t *crl_list = create_unique_cert_list(CERT_X509_CRL);
 
 		stroke_list_crls(crl_list, msg->list.utc, out);
-		crl_list->destroy_offset(crl_list, offsetof(certificate_t, destroy)); 
+		crl_list->destroy_offset(crl_list, offsetof(certificate_t, destroy));
 	}
 	if (msg->list.flags & LIST_OCSP)
 	{
 		linked_list_t *ocsp_list = create_unique_cert_list(CERT_X509_OCSP_RESPONSE);
 
 		stroke_list_ocsp(ocsp_list, msg->list.utc, out);
-		
-		ocsp_list->destroy_offset(ocsp_list, offsetof(certificate_t, destroy)); 
+
+		ocsp_list->destroy_offset(ocsp_list, offsetof(certificate_t, destroy));
 	}
 	if (msg->list.flags & LIST_ALGS)
 	{
 		list_algs(out);
 	}
-	DESTROY_OFFSET_IF(cert_list, offsetof(certificate_t, destroy));
 }
 
 /**
@@ -1029,7 +1142,7 @@ static void pool_leases(private_stroke_list_t *this, FILE *out, char *pool,
 	host_t *lease;
 	bool on;
 	int found = 0;
-	
+
 	fprintf(out, "Leases in pool '%s', usage: %lu/%lu, %lu online\n",
 			pool, online + offline, size, online);
 	enumerator = this->attribute->create_lease_enumerator(this->attribute, pool);
@@ -1059,12 +1172,12 @@ static void leases(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out)
 	host_t *address = NULL;
 	char *pool;
 	int found = 0;
-	
+
 	if (msg->leases.address)
 	{
 		address = host_create_from_string(msg->leases.address, 0);
 	}
-	
+
 	enumerator = this->attribute->create_pool_enumerator(this->attribute);
 	while (enumerator->enumerate(enumerator, &pool, &size, &online, &offline))
 	{
@@ -1103,15 +1216,15 @@ static void destroy(private_stroke_list_t *this)
 stroke_list_t *stroke_list_create(stroke_attribute_t *attribute)
 {
 	private_stroke_list_t *this = malloc_thing(private_stroke_list_t);
-	
+
 	this->public.list = (void(*)(stroke_list_t*, stroke_msg_t *msg, FILE *out))list;
 	this->public.status = (void(*)(stroke_list_t*, stroke_msg_t *msg, FILE *out,bool))status;
 	this->public.leases = (void(*)(stroke_list_t*, stroke_msg_t *msg, FILE *out))leases;
 	this->public.destroy = (void(*)(stroke_list_t*))destroy;
-	
-	this->uptime = time(NULL);
+
+	this->uptime = time_monotonic(NULL);
 	this->attribute = attribute;
-	
+
 	return &this->public;
 }
 
diff --git a/src/charon/plugins/stroke/stroke_list.h b/src/charon/plugins/stroke/stroke_list.h
index 2430abfbb..b5bedc6c2 100644
--- a/src/charon/plugins/stroke/stroke_list.h
+++ b/src/charon/plugins/stroke/stroke_list.h
@@ -40,7 +40,7 @@ struct stroke_list_t {
 	 * @param out		stroke console stream
 	 */
 	void (*list)(stroke_list_t *this, stroke_msg_t *msg, FILE *out);
-	
+
 	/**
 	 * Log status information to stroke console.
 	 *
@@ -49,7 +49,7 @@ struct stroke_list_t {
 	 * @param all		TRUE for "statusall"
 	 */
 	void (*status)(stroke_list_t *this, stroke_msg_t *msg, FILE *out, bool all);
-	
+
 	/**
 	 * Log pool leases to stroke console.
 	 *
@@ -57,7 +57,7 @@ struct stroke_list_t {
 	 * @param out		stroke console stream
 	 */
 	void (*leases)(stroke_list_t *this, stroke_msg_t *msg, FILE *out);
-	
+
 	/**
 	 * Destroy a stroke_list instance.
 	 */
diff --git a/src/charon/plugins/stroke/stroke_plugin.c b/src/charon/plugins/stroke/stroke_plugin.c
index 22c1125a1..61ae10953 100644
--- a/src/charon/plugins/stroke/stroke_plugin.c
+++ b/src/charon/plugins/stroke/stroke_plugin.c
@@ -29,7 +29,7 @@ struct private_stroke_plugin_t {
 	 * public functions
 	 */
 	stroke_plugin_t public;
-	
+
 	/**
 	 * stroke socket, receives strokes
 	 */
@@ -51,9 +51,9 @@ static void destroy(private_stroke_plugin_t *this)
 plugin_t *plugin_create()
 {
 	private_stroke_plugin_t *this = malloc_thing(private_stroke_plugin_t);
-	
+
 	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-	
+
 	this->socket = stroke_socket_create();
 	if (this->socket == NULL)
 	{
diff --git a/src/charon/plugins/stroke/stroke_plugin.h b/src/charon/plugins/stroke/stroke_plugin.h
index 6e9d556ad..3a1e81df6 100644
--- a/src/charon/plugins/stroke/stroke_plugin.h
+++ b/src/charon/plugins/stroke/stroke_plugin.h
@@ -20,7 +20,7 @@
  * @defgroup stroke_plugin stroke_plugin
  * @{ @ingroup stroke
  */
- 
+
 #ifndef STROKE_PLUGIN_H_
 #define STROKE_PLUGIN_H_
 
diff --git a/src/charon/plugins/stroke/stroke_shared_key.c b/src/charon/plugins/stroke/stroke_shared_key.c
index 8f53f509d..4f716e83a 100644
--- a/src/charon/plugins/stroke/stroke_shared_key.c
+++ b/src/charon/plugins/stroke/stroke_shared_key.c
@@ -28,7 +28,7 @@ struct private_stroke_shared_key_t {
 	 * implements shared_key_t
 	 */
 	stroke_shared_key_t public;
-	
+
 	/**
 	 * type of this key
 	 */
@@ -43,7 +43,7 @@ struct private_stroke_shared_key_t {
 	 * list of key owners, as identification_t
 	 */
 	linked_list_t *owners;
-	
+
 	/**
 	 * reference counter
 	 */
@@ -73,8 +73,8 @@ static private_stroke_shared_key_t* get_ref(private_stroke_shared_key_t *this)
 static chunk_t get_key(private_stroke_shared_key_t *this)
 {
 	return this->key;
-}	
-	
+}
+
 /**
  * Implementation of stroke_shared_key_t.has_owner.
  */
@@ -83,7 +83,7 @@ static id_match_t has_owner(private_stroke_shared_key_t *this, identification_t
 	enumerator_t *enumerator;
 	id_match_t match, best = ID_MATCH_NONE;
 	identification_t *current;
-	
+
 	enumerator = this->owners->create_enumerator(this->owners);
 	while (enumerator->enumerate(enumerator, &current))
 	{
@@ -135,6 +135,6 @@ stroke_shared_key_t *stroke_shared_key_create(shared_key_type_t type, chunk_t ke
 	this->type = type;
 	this->key = key;
 	this->ref = 1;
-	
+
 	return &this->public;
 }
diff --git a/src/charon/plugins/stroke/stroke_shared_key.h b/src/charon/plugins/stroke/stroke_shared_key.h
index 224062100..05ad55083 100644
--- a/src/charon/plugins/stroke/stroke_shared_key.h
+++ b/src/charon/plugins/stroke/stroke_shared_key.h
@@ -35,21 +35,21 @@ struct stroke_shared_key_t {
 	 * Implements the shared_key_t interface.
 	 */
 	shared_key_t shared;
-	
+
 	/**
 	 * Add an owner to the key.
 	 *
 	 * @param owner		owner to add
 	 */
 	void (*add_owner)(stroke_shared_key_t *this, identification_t *owner);
-	
+
 	/**
 	 * Check if a key has a specific owner.
 	 *
 	 * @param owner		owner to check
 	 * @return			best match found
 	 */
-	id_match_t (*has_owner)(stroke_shared_key_t *this, identification_t *owner);	
+	id_match_t (*has_owner)(stroke_shared_key_t *this, identification_t *owner);
 };
 
 /**
diff --git a/src/charon/plugins/stroke/stroke_socket.c b/src/charon/plugins/stroke/stroke_socket.c
index 9b6a8a3a7..820e097f1 100644
--- a/src/charon/plugins/stroke/stroke_socket.c
+++ b/src/charon/plugins/stroke/stroke_socket.c
@@ -23,11 +23,10 @@
 #include <sys/fcntl.h>
 #include <unistd.h>
 #include <errno.h>
-#include <pthread.h>
 
 #include <processing/jobs/callback_job.h>
 #include <daemon.h>
-#include <utils/mutex.h> /* for Mac OS X compatible accept */
+#include <threading/thread.h>
 
 #include "stroke_config.h"
 #include "stroke_control.h"
@@ -48,42 +47,42 @@ struct private_stroke_socket_t {
 	 * public functions
 	 */
 	stroke_socket_t public;
-		
+
 	/**
 	 * Unix socket to listen for strokes
 	 */
 	int socket;
-	
+
 	/**
 	 * job accepting stroke messages
 	 */
 	callback_job_t *job;
-	
+
 	/**
 	 * configuration backend
 	 */
 	stroke_config_t *config;
-	
+
 	/**
 	 * attribute provider
 	 */
 	stroke_attribute_t *attribute;
-	
+
 	/**
 	 * controller to control daemon
 	 */
 	stroke_control_t *control;
-	
+
 	/**
 	 * credential set
 	 */
 	stroke_cred_t *cred;
-	
+
 	/**
 	 * CA sections
 	 */
 	stroke_ca_t *ca;
-	
+
 	/**
 	 * Status information logging
 	 */
@@ -99,7 +98,7 @@ struct stroke_job_context_t {
 	 * file descriptor to read from
 	 */
 	int fd;
-	
+
 	/**
 	 * global stroke interface
 	 */
@@ -152,7 +151,7 @@ static void pop_end(stroke_msg_t *msg, const char* label, stroke_end_t *end)
 	pop_string(msg, &end->ca2);
 	pop_string(msg, &end->groups);
 	pop_string(msg, &end->updown);
-	
+
 	DBG2(DBG_CFG, "  %s=%s", label, end->address);
 	DBG2(DBG_CFG, "  %ssubnet=%s", label, end->subnets);
 	DBG2(DBG_CFG, "  %ssourceip=%s", label, end->sourceip);
@@ -202,7 +201,7 @@ static void stroke_del_conn(private_stroke_socket_t *this, stroke_msg_t *msg)
 {
 	pop_string(msg, &msg->del_conn.name);
 	DBG1(DBG_CFG, "received stroke: delete connection '%s'", msg->del_conn.name);
-	
+
 	this->config->del(this->config, msg);
 	this->attribute->del_pool(this->attribute, msg);
 }
@@ -214,7 +213,7 @@ static void stroke_initiate(private_stroke_socket_t *this, stroke_msg_t *msg, FI
 {
 	pop_string(msg, &msg->initiate.name);
 	DBG1(DBG_CFG, "received stroke: initiate '%s'", msg->initiate.name);
-	
+
 	this->control->initiate(this->control, msg, out);
 }
 
@@ -227,7 +226,7 @@ static void stroke_terminate(private_stroke_socket_t *this, stroke_msg_t *msg, F
 	DBG1(DBG_CFG, "received stroke: terminate '%s'", msg->terminate.name);
 
 	this->control->terminate(this->control, msg, out);
-}	
+}
 
 /**
  * terminate a connection by peers virtual IP
@@ -250,7 +249,7 @@ static void stroke_route(private_stroke_socket_t *this, stroke_msg_t *msg, FILE
 {
 	pop_string(msg, &msg->route.name);
 	DBG1(DBG_CFG, "received stroke: route '%s'", msg->route.name);
-	
+
 	this->control->route(this->control, msg, out);
 }
 
@@ -261,7 +260,7 @@ static void stroke_unroute(private_stroke_socket_t *this, stroke_msg_t *msg, FIL
 {
 	pop_string(msg, &msg->terminate.name);
 	DBG1(DBG_CFG, "received stroke: unroute '%s'", msg->route.name);
-	
+
 	this->control->unroute(this->control, msg, out);
 }
 
@@ -287,7 +286,7 @@ static void stroke_add_ca(private_stroke_socket_t *this,
 	DBG2(DBG_CFG, "  ocspuri=%s",     msg->add_ca.ocspuri);
 	DBG2(DBG_CFG, "  ocspuri2=%s",    msg->add_ca.ocspuri2);
 	DBG2(DBG_CFG, "  certuribase=%s", msg->add_ca.certuribase);
-	
+
 	this->ca->add(this->ca, msg);
 }
 
@@ -299,7 +298,7 @@ static void stroke_del_ca(private_stroke_socket_t *this,
 {
 	pop_string(msg, &msg->del_ca.name);
 	DBG1(DBG_CFG, "received stroke: delete ca '%s'", msg->del_ca.name);
-	
+
 	this->ca->del(this->ca, msg);
 }
 
@@ -311,7 +310,7 @@ static void stroke_status(private_stroke_socket_t *this,
 						  stroke_msg_t *msg, FILE *out, bool all)
 {
 	pop_string(msg, &(msg->status.name));
-	
+
 	this->list->status(this->list, msg, out, all);
 }
 
@@ -333,7 +332,7 @@ static void stroke_list(private_stroke_socket_t *this, stroke_msg_t *msg, FILE *
 static void stroke_reread(private_stroke_socket_t *this,
 						  stroke_msg_t *msg, FILE *out)
 {
-	this->cred->reread(this->cred, msg);
+	this->cred->reread(this->cred, msg, out);
 }
 
 /**
@@ -361,7 +360,7 @@ static void stroke_leases(private_stroke_socket_t *this,
 {
 	pop_string(msg, &msg->leases.pool);
 	pop_string(msg, &msg->leases.address);
-	
+
 	this->list->leases(this->list, msg, out);
 }
 
@@ -390,11 +389,11 @@ static void stroke_loglevel(private_stroke_socket_t *this,
 	sys_logger_t *sys_logger;
 	file_logger_t *file_logger;
 	debug_t group;
-	
+
 	pop_string(msg, &(msg->loglevel.type));
 	DBG1(DBG_CFG, "received stroke: loglevel %d for %s",
 		 msg->loglevel.level, msg->loglevel.type);
-	
+
 	group = get_group_from_name(msg->loglevel.type);
 	if (group < 0)
 	{
@@ -448,7 +447,7 @@ static job_requeue_t process(stroke_job_context_t *ctx)
 	FILE *out;
 	private_stroke_socket_t *this = ctx->this;
 	int strokefd = ctx->fd;
-	
+
 	/* peek the length */
 	bytes_read = recv(strokefd, &msg_length, sizeof(msg_length), MSG_PEEK);
 	if (bytes_read != sizeof(msg_length))
@@ -457,7 +456,7 @@ static job_requeue_t process(stroke_job_context_t *ctx)
 			 strerror(errno));
 		return JOB_REQUEUE_NONE;
 	}
-	
+
 	/* read message */
 	msg = alloca(msg_length);
 	bytes_read = recv(strokefd, msg, msg_length, 0);
@@ -466,16 +465,16 @@ static job_requeue_t process(stroke_job_context_t *ctx)
 		DBG1(DBG_CFG, "reading stroke message failed: %s", strerror(errno));
 		return JOB_REQUEUE_NONE;
 	}
-	
-	out = fdopen(strokefd, "w");
+
+	out = fdopen(strokefd, "w+");
 	if (out == NULL)
 	{
 		DBG1(DBG_CFG, "opening stroke output channel failed: %s", strerror(errno));
 		return JOB_REQUEUE_NONE;
 	}
-	
+
 	DBG3(DBG_CFG, "stroke message %b", (void*)msg, msg_length);
-	
+
 	switch (msg->type)
 	{
 		case STR_INITIATE:
@@ -547,27 +546,27 @@ static job_requeue_t receive(private_stroke_socket_t *this)
 	struct sockaddr_un strokeaddr;
 	int strokeaddrlen = sizeof(strokeaddr);
 	int strokefd;
-	int oldstate;
+	bool oldstate;
 	callback_job_t *job;
 	stroke_job_context_t *ctx;
-	
-	pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
+
+	oldstate = thread_cancelability(TRUE);
 	strokefd = accept(this->socket, (struct sockaddr *)&strokeaddr, &strokeaddrlen);
-	pthread_setcancelstate(oldstate, NULL);
-	
+	thread_cancelability(oldstate);
+
 	if (strokefd < 0)
 	{
 		DBG1(DBG_CFG, "accepting stroke connection failed: %s", strerror(errno));
 		return JOB_REQUEUE_FAIR;
 	}
-	
+
 	ctx = malloc_thing(stroke_job_context_t);
 	ctx->fd = strokefd;
 	ctx->this = this;
 	job = callback_job_create((callback_job_cb_t)process,
 							  ctx, (void*)stroke_job_context_destroy, this->job);
 	charon->processor->queue_job(charon->processor, (job_t*)job);
-	
+
 	return JOB_REQUEUE_FAIR;
 }
 
@@ -582,7 +581,7 @@ static bool open_socket(private_stroke_socket_t *this)
 
 	socket_addr.sun_family = AF_UNIX;
 	strcpy(socket_addr.sun_path, STROKE_SOCKET);
-	
+
 	/* set up unix socket */
 	this->socket = socket(AF_UNIX, SOCK_STREAM, 0);
 	if (this->socket == -1)
@@ -590,7 +589,7 @@ static bool open_socket(private_stroke_socket_t *this)
 		DBG1(DBG_CFG, "could not create stroke socket");
 		return FALSE;
 	}
-	
+
 	unlink(socket_addr.sun_path);
 	old = umask(~(S_IRWXU | S_IRWXG));
 	if (bind(this->socket, (struct sockaddr *)&socket_addr, sizeof(socket_addr)) < 0)
@@ -605,7 +604,7 @@ static bool open_socket(private_stroke_socket_t *this)
 		DBG1(DBG_CFG, "changing stroke socket permissions failed: %s",
 			 strerror(errno));
 	}
-	
+
 	if (listen(this->socket, 10) < 0)
 	{
 		DBG1(DBG_CFG, "could not listen on stroke socket: %s", strerror(errno));
@@ -625,7 +624,7 @@ static void destroy(private_stroke_socket_t *this)
 	charon->credentials->remove_set(charon->credentials, &this->ca->set);
 	charon->credentials->remove_set(charon->credentials, &this->cred->set);
 	charon->backends->remove_backend(charon->backends, &this->config->backend);
-	charon->attributes->remove_provider(charon->attributes, &this->attribute->provider);
+	lib->attributes->remove_provider(lib->attributes, &this->attribute->provider);
 	this->cred->destroy(this->cred);
 	this->ca->destroy(this->ca);
 	this->config->destroy(this->config);
@@ -641,31 +640,31 @@ static void destroy(private_stroke_socket_t *this)
 stroke_socket_t *stroke_socket_create()
 {
 	private_stroke_socket_t *this = malloc_thing(private_stroke_socket_t);
-	
+
 	this->public.destroy = (void(*)(stroke_socket_t*))destroy;
-	
+
 	if (!open_socket(this))
 	{
 		free(this);
 		return NULL;
 	}
-	
+
 	this->cred = stroke_cred_create();
 	this->attribute = stroke_attribute_create();
 	this->ca = stroke_ca_create(this->cred);
 	this->config = stroke_config_create(this->ca, this->cred);
 	this->control = stroke_control_create();
 	this->list = stroke_list_create(this->attribute);
-	
+
 	charon->credentials->add_set(charon->credentials, &this->ca->set);
 	charon->credentials->add_set(charon->credentials, &this->cred->set);
 	charon->backends->add_backend(charon->backends, &this->config->backend);
-	charon->attributes->add_provider(charon->attributes, &this->attribute->provider);
-	
+	lib->attributes->add_provider(lib->attributes, &this->attribute->provider);
+
 	this->job = callback_job_create((callback_job_cb_t)receive,
 									this, NULL, NULL);
 	charon->processor->queue_job(charon->processor, (job_t*)this->job);
-	
+
 	return &this->public;
 }
 
diff --git a/src/charon/plugins/stroke/stroke_socket.h b/src/charon/plugins/stroke/stroke_socket.h
index 6073f5133..2aac8be9b 100644
--- a/src/charon/plugins/stroke/stroke_socket.h
+++ b/src/charon/plugins/stroke/stroke_socket.h
@@ -27,11 +27,11 @@ typedef struct stroke_socket_t stroke_socket_t;
  * Stroke socket, opens UNIX communication socket, reads and dispatches.
  */
 struct stroke_socket_t {
-		
+
 	/**
-     * Destroy a stroke_socket instance.
-     */
-    void (*destroy)(stroke_socket_t *this);
+	 * Destroy a stroke_socket instance.
+	 */
+	void (*destroy)(stroke_socket_t *this);
 };
 
 /**
diff --git a/src/charon/plugins/uci/Makefile.in b/src/charon/plugins/uci/Makefile.in
index c4fb335d7..00436f509 100644
--- a/src/charon/plugins/uci/Makefile.in
+++ b/src/charon/plugins/uci/Makefile.in
@@ -1,8 +1,9 @@
-# Makefile.in generated by automake 1.10.2 from Makefile.am.
+# Makefile.in generated by automake 1.11 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,8 +17,9 @@
 
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
@@ -35,19 +37,41 @@ host_triplet = @host@
 subdir = src/charon/plugins/uci
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
 CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
 am__vpath_adj = case $$p in \
     $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
     *) f=$$p;; \
   esac;
-am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__installdirs = "$(DESTDIR)$(plugindir)"
-pluginLTLIBRARIES_INSTALL = $(INSTALL)
 LTLIBRARIES = $(plugin_LTLIBRARIES)
 libstrongswan_uci_la_DEPENDENCIES =
 am_libstrongswan_uci_la_OBJECTS = uci_plugin.lo uci_parser.lo \
@@ -59,6 +83,7 @@ libstrongswan_uci_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
+am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
@@ -106,25 +131,22 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
-IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
-LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
-LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
-LINUX_HEADERS = @LINUX_HEADERS@
 LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
 NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
@@ -136,11 +158,14 @@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
 PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
+RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
@@ -169,9 +194,9 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
-confdir = @confdir@
 datadir = @datadir@
 datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
@@ -194,7 +219,7 @@ ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
 libstrongswan_plugins = @libstrongswan_plugins@
-linuxdir = @linuxdir@
+linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
@@ -202,6 +227,7 @@ mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
@@ -210,10 +236,12 @@ pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+random_device = @random_device@
 resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
-simreader = @simreader@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
@@ -221,6 +249,7 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
@@ -246,9 +275,9 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/charon/plugins/uci/Makefile'; \
-	cd $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu  src/charon/plugins/uci/Makefile
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/charon/plugins/uci/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/charon/plugins/uci/Makefile
 .PRECIOUS: Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
@@ -266,23 +295,28 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
 	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
 	  if test -f $$p; then \
-	    f=$(am__strip_dir) \
-	    echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(plugindir)/$$f'"; \
-	    $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(plugindir)/$$f"; \
+	    list2="$$list2 $$p"; \
 	  else :; fi; \
-	done
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
 
 uninstall-pluginLTLIBRARIES:
 	@$(NORMAL_UNINSTALL)
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
-	  p=$(am__strip_dir) \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$p'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$p"; \
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
 	done
 
 clean-pluginLTLIBRARIES:
@@ -310,21 +344,21 @@ distclean-compile:
 
 .c.o:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c $<
 
 .c.obj:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
 @am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
@@ -347,7 +381,7 @@ tags: TAGS
 
 TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
+	set x; \
 	here=`pwd`; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
@@ -355,29 +389,34 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
 	  test -n "$$unique" || unique=$$empty_fix; \
-	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	    $$tags $$unique; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
 	fi
 ctags: CTAGS
 CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	test -z "$(CTAGS_ARGS)$$unique" \
 	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$tags $$unique
+	     $$unique
 
 GTAGS:
 	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && cd $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) $$here
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
 
 distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
@@ -398,13 +437,17 @@ distdir: $(DISTFILES)
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
 	  if test -d $$d/$$file; then \
 	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
 	    fi; \
-	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
 	  else \
-	    test -f $(distdir)/$$file \
-	    || cp -p $$d/$$file $(distdir)/$$file \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
 	    || exit 1; \
 	  fi; \
 	done
@@ -435,6 +478,7 @@ clean-generic:
 
 distclean-generic:
 	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -456,6 +500,8 @@ dvi-am:
 
 html: html-am
 
+html-am:
+
 info: info-am
 
 info-am:
@@ -464,18 +510,28 @@ install-data-am: install-pluginLTLIBRARIES
 
 install-dvi: install-dvi-am
 
+install-dvi-am:
+
 install-exec-am:
 
 install-html: install-html-am
 
+install-html-am:
+
 install-info: install-info-am
 
+install-info-am:
+
 install-man:
 
 install-pdf: install-pdf-am
 
+install-pdf-am:
+
 install-ps: install-ps-am
 
+install-ps-am:
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -514,6 +570,7 @@ uninstall-am: uninstall-pluginLTLIBRARIES
 	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
 	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
 
+
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/src/charon/plugins/uci/uci_config.c b/src/charon/plugins/uci/uci_config.c
index e697e8be6..a6ee970ad 100644
--- a/src/charon/plugins/uci/uci_config.c
+++ b/src/charon/plugins/uci/uci_config.c
@@ -34,7 +34,7 @@ struct private_uci_config_t {
 	 * Public part
 	 */
 	uci_config_t public;
-	
+
 	/**
 	 * UCI parser context
 	 */
@@ -59,7 +59,7 @@ typedef struct {
 static proposal_t *create_proposal(char *string, protocol_id_t proto)
 {
 	proposal_t *proposal = NULL;
-	
+
 	if (string)
 	{
 		proposal = proposal_create_from_string(proto, string);
@@ -68,12 +68,12 @@ static proposal_t *create_proposal(char *string, protocol_id_t proto)
 	{	/* UCI default is aes/sha1 only */
 		if (proto == PROTO_IKE)
 		{
-			proposal = proposal_create_from_string(proto, 
+			proposal = proposal_create_from_string(proto,
 								"aes128-aes192-aes256-sha1-modp1536-modp2048");
 		}
 		else
 		{
-			proposal = proposal_create_from_string(proto, 
+			proposal = proposal_create_from_string(proto,
 								"aes128-aes192-aes256-sha1");
 		}
 	}
@@ -90,7 +90,7 @@ static traffic_selector_t *create_ts(char *string)
 		int netbits = 32;
 		host_t *net;
 		char *pos;
-		
+
 		string = strdupa(string);
 		pos = strchr(string, '/');
 		if (pos)
@@ -120,7 +120,7 @@ static traffic_selector_t *create_ts(char *string)
 static u_int create_rekey(char *string)
 {
 	u_int rekey = 0;
-	
+
 	if (string)
 	{
 		rekey = atoi(string);
@@ -144,7 +144,14 @@ static bool peer_enumerator_enumerate(peer_enumerator_t *this, peer_cfg_t **cfg)
 	child_cfg_t *child_cfg;
 	ike_cfg_t *ike_cfg;
 	auth_cfg_t *auth;
-	
+	lifetime_cfg_t lifetime = {
+		.time = {
+			.life = create_rekey(esp_rekey) + 300,
+			.rekey = create_rekey(esp_rekey),
+			.jitter = 300
+		}
+	};
+
 	/* defaults */
 	name = "unnamed";
 	local_id = NULL;
@@ -157,7 +164,7 @@ static bool peer_enumerator_enumerate(peer_enumerator_t *this, peer_cfg_t **cfg)
 	esp_proposal = NULL;
 	ike_rekey = NULL;
 	esp_rekey = NULL;
-	
+
 	if (this->inner->enumerate(this->inner, &name, &local_id, &remote_id,
 			&local_addr, &remote_addr, &local_net, &remote_net,
 			&ike_proposal, &esp_proposal, &ike_rekey, &esp_rekey))
@@ -177,7 +184,7 @@ static bool peer_enumerator_enumerate(peer_enumerator_t *this, peer_cfg_t **cfg)
 		auth->add(auth, AUTH_RULE_IDENTITY,
 				  identification_create_from_string(local_id));
 		this->peer_cfg->add_auth_cfg(this->peer_cfg, auth, TRUE);
-		
+
 		auth = auth_cfg_create();
 		auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PSK);
 		if (remote_id)
@@ -186,9 +193,9 @@ static bool peer_enumerator_enumerate(peer_enumerator_t *this, peer_cfg_t **cfg)
 					  identification_create_from_string(remote_id));
 		}
 		this->peer_cfg->add_auth_cfg(this->peer_cfg, auth, FALSE);
-		child_cfg = child_cfg_create(name,
-					create_rekey(esp_rekey) + 300, create_rekey(ike_rekey), 300,
-					NULL, TRUE,	MODE_TUNNEL, ACTION_NONE, ACTION_NONE, FALSE);
+
+		child_cfg = child_cfg_create(name, &lifetime, NULL, TRUE, MODE_TUNNEL,
+									 ACTION_NONE, ACTION_NONE, FALSE, 0);
 		child_cfg->add_proposal(child_cfg, create_proposal(esp_proposal, PROTO_ESP));
 		child_cfg->add_traffic_selector(child_cfg, TRUE, create_ts(local_net));
 		child_cfg->add_traffic_selector(child_cfg, FALSE, create_ts(remote_net));
@@ -213,15 +220,15 @@ static void peer_enumerator_destroy(peer_enumerator_t *this)
  * Implementation of backend_t.create_peer_cfg_enumerator.
  */
 static enumerator_t* create_peer_cfg_enumerator(private_uci_config_t *this,
-												identification_t *me, 
+												identification_t *me,
 												identification_t *other)
 {
 	peer_enumerator_t *e = malloc_thing(peer_enumerator_t);
-	
+
 	e->public.enumerate = (void*)peer_enumerator_enumerate;
 	e->public.destroy = (void*)peer_enumerator_destroy;
 	e->peer_cfg = NULL;
-	e->inner = this->parser->create_section_enumerator(this->parser, 
+	e->inner = this->parser->create_section_enumerator(this->parser,
 					"local_id", "remote_id", "local_addr", "remote_addr",
 					"local_net", "remote_net", "ike_proposal", "esp_proposal",
 					"ike_rekey", "esp_rekey", NULL);
@@ -251,12 +258,12 @@ typedef struct {
 static bool ike_enumerator_enumerate(ike_enumerator_t *this, ike_cfg_t **cfg)
 {
 	char *local_addr, *remote_addr, *ike_proposal;
-	
+
 	/* defaults */
 	local_addr = "0.0.0.0";
 	remote_addr = "0.0.0.0";
 	ike_proposal = NULL;
-	
+
 	if (this->inner->enumerate(this->inner, NULL,
 							   &local_addr, &remote_addr, &ike_proposal))
 	{
@@ -288,11 +295,11 @@ static enumerator_t* create_ike_cfg_enumerator(private_uci_config_t *this,
 											   host_t *me, host_t *other)
 {
 	ike_enumerator_t *e = malloc_thing(ike_enumerator_t);
-	
+
 	e->public.enumerate = (void*)ike_enumerator_enumerate;
 	e->public.destroy = (void*)ike_enumerator_destroy;
 	e->ike_cfg = NULL;
-	e->inner = this->parser->create_section_enumerator(this->parser, 
+	e->inner = this->parser->create_section_enumerator(this->parser,
 							"local_addr", "remote_addr", "ike_proposal", NULL);
 	if (!e->inner)
 	{
@@ -309,7 +316,7 @@ static peer_cfg_t *get_peer_cfg_by_name(private_uci_config_t *this, char *name)
 {
 	enumerator_t *enumerator;
 	peer_cfg_t *current, *found = NULL;
-		
+
 	enumerator = create_peer_cfg_enumerator(this, NULL, NULL);
 	if (enumerator)
 	{
diff --git a/src/charon/plugins/uci/uci_config.h b/src/charon/plugins/uci/uci_config.h
index eac05b1df..130f15d85 100644
--- a/src/charon/plugins/uci/uci_config.h
+++ b/src/charon/plugins/uci/uci_config.h
@@ -37,11 +37,11 @@ struct uci_config_t {
 	 * Implements backend_t interface
 	 */
 	backend_t backend;
-	
+
 	/**
 	 * Destroy the backend.
 	 */
-	void (*destroy)(uci_config_t *this);	
+	void (*destroy)(uci_config_t *this);
 };
 
 /**
diff --git a/src/charon/plugins/uci/uci_control.c b/src/charon/plugins/uci/uci_control.c
index f74224fa7..3c4928be4 100644
--- a/src/charon/plugins/uci/uci_control.c
+++ b/src/charon/plugins/uci/uci_control.c
@@ -21,11 +21,11 @@
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <errno.h>
-#include <pthread.h>
 
 #include "uci_control.h"
 
 #include <daemon.h>
+#include <threading/thread.h>
 #include <processing/jobs/callback_job.h>
 
 #define FIFO_FILE "/var/run/charon.fifo"
@@ -37,14 +37,14 @@ typedef struct private_uci_control_t private_uci_control_t;
  * private data of uci_control_t
  */
 struct private_uci_control_t {
-	
+
 	/**
 	 * Public part
 	 */
 	uci_control_t public;
-	
+
 	/**
-	 * Job 
+	 * Job
 	 */
 	callback_job_t *job;
 };
@@ -56,7 +56,7 @@ static void write_fifo(private_uci_control_t *this, char *format, ...)
 {
 	va_list args;
 	FILE *out;
-	
+
 	out = fopen(FIFO_FILE, "w");
 	if (out)
 	{
@@ -83,7 +83,7 @@ static void status(private_uci_control_t *this, char *name)
 	peer_cfg_t *peer_cfg;
 	char buf[2048];
 	FILE *out = NULL;
-	
+
 	configs = charon->backends->create_peer_cfg_enumerator(charon->backends,
 														NULL, NULL, NULL, NULL);
 	while (configs->enumerate(configs, &peer_cfg))
@@ -109,7 +109,7 @@ static void status(private_uci_control_t *this, char *name)
 			}
 			fprintf(out, "%-8s %-20D %-16H ", ike_sa->get_name(ike_sa),
 				ike_sa->get_other_id(ike_sa), ike_sa->get_other_host(ike_sa));
-			
+
 			children = ike_sa->create_child_sa_iterator(ike_sa);
 			while (children->iterate(children, (void**)&child_sa))
 			{
@@ -141,7 +141,7 @@ static void initiate(private_uci_control_t *this, char *name)
 	peer_cfg_t *peer_cfg;
 	child_cfg_t *child_cfg;
 	enumerator_t *enumerator;
-	
+
 	peer_cfg = charon->backends->get_peer_cfg_by_name(charon->backends, name);
 	if (peer_cfg)
 	{
@@ -173,7 +173,7 @@ static void terminate(private_uci_control_t *this, char *name)
 	enumerator_t *enumerator;
 	ike_sa_t *ike_sa;
 	u_int id;
-	
+
 	enumerator = charon->controller->create_ike_sa_enumerator(charon->controller);
 	while (enumerator->enumerate(enumerator, &ike_sa))
 	{
@@ -197,7 +197,7 @@ static void terminate(private_uci_control_t *this, char *name)
 static void process(private_uci_control_t *this, char *message)
 {
 	enumerator_t* enumerator;
-	
+
 	enumerator = enumerator_create_token(message, " \n", "");
 	if (enumerator->enumerate(enumerator, &message))
 	{
@@ -217,7 +217,7 @@ static void process(private_uci_control_t *this, char *message)
 		{
 			initiate(this, message);
 		}
-		else if (streq(message, "down") && 
+		else if (streq(message, "down") &&
 				 enumerator->enumerate(enumerator, &message))
 		{
 			terminate(this, message);
@@ -237,13 +237,14 @@ static void process(private_uci_control_t *this, char *message)
 static job_requeue_t receive(private_uci_control_t *this)
 {
 	char message[128];
-	int oldstate, len;
+	int len;
+	bool oldstate;
 	FILE *in;
-	
+
 	memset(message, 0, sizeof(message));
-	pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
+	oldstate = thread_cancelability(TRUE);
 	in = fopen(FIFO_FILE, "r");
-	pthread_setcancelstate(oldstate, NULL);
+	thread_cancelability(oldstate);
 	if (in)
 	{
 		len = fread(message, 1, sizeof(message) - 1, in);
@@ -280,9 +281,9 @@ static void destroy(private_uci_control_t *this)
 uci_control_t *uci_control_create()
 {
 	private_uci_control_t *this = malloc_thing(private_uci_control_t);
-	
+
 	this->public.destroy = (void(*)(uci_control_t*))destroy;
-	
+
 	unlink(FIFO_FILE);
 	if (mkfifo(FIFO_FILE, S_IRUSR|S_IWUSR) != 0)
 	{
diff --git a/src/charon/plugins/uci/uci_control.h b/src/charon/plugins/uci/uci_control.h
index 527ed82e7..794220aa1 100644
--- a/src/charon/plugins/uci/uci_control.h
+++ b/src/charon/plugins/uci/uci_control.h
@@ -27,7 +27,7 @@ typedef struct uci_control_t uci_control_t;
  * UCI control interface, uses a simple FIFO file
  */
 struct uci_control_t {
-	
+
 	/**
 	 * Destroy the controller
 	 */
diff --git a/src/charon/plugins/uci/uci_creds.c b/src/charon/plugins/uci/uci_creds.c
index 05bc6e109..4d664feb2 100644
--- a/src/charon/plugins/uci/uci_creds.c
+++ b/src/charon/plugins/uci/uci_creds.c
@@ -31,7 +31,7 @@ struct private_uci_creds_t {
 	 * Public part
 	 */
 	uci_creds_t public;
-	
+
 	/**
 	 * UCI parser context
 	 */
@@ -66,7 +66,7 @@ static bool shared_enumerator_enumerate(shared_enumerator_t *this,
 		local_id = "%any";
 		remote_id = "%any";
 		psk = NULL;
-		
+
 		if (!this->inner->enumerate(this->inner, NULL,
 									&local_id, &remote_id, &psk))
 		{
@@ -122,23 +122,23 @@ static void shared_enumerator_destroy(shared_enumerator_t *this)
  */
 static enumerator_t* create_shared_enumerator(private_uci_creds_t *this,
 											  shared_key_type_t type,
-											  identification_t *me, 
+											  identification_t *me,
 											  identification_t *other)
 {
 	shared_enumerator_t *e;
-	
+
 	if (type != SHARED_IKE)
 	{
 		return NULL;
 	}
-	
+
 	e = malloc_thing(shared_enumerator_t);
 	e->current = NULL;
 	e->public.enumerate = (void*)shared_enumerator_enumerate;
 	e->public.destroy = (void*)shared_enumerator_destroy;
 	e->me = me;
 	e->other = other;
-	e->inner = this->parser->create_section_enumerator(this->parser, 
+	e->inner = this->parser->create_section_enumerator(this->parser,
 								"local_id", "remote_id", "psk", NULL);
 	if (!e->inner)
 	{
@@ -166,7 +166,7 @@ uci_creds_t *uci_creds_create(uci_parser_t *parser)
 	this->public.credential_set.create_cdp_enumerator  = (enumerator_t*(*) (credential_set_t *,certificate_type_t, identification_t *))return_null;
 	this->public.credential_set.cache_cert = (void (*)(credential_set_t *, certificate_t *))nop;
 	this->public.destroy = (void(*) (uci_creds_t*))destroy;
-	
+
 	this->parser = parser;
 
 	return &this->public;
diff --git a/src/charon/plugins/uci/uci_creds.h b/src/charon/plugins/uci/uci_creds.h
index de50984a9..a283ed9f5 100644
--- a/src/charon/plugins/uci/uci_creds.h
+++ b/src/charon/plugins/uci/uci_creds.h
@@ -37,11 +37,11 @@ struct uci_creds_t {
 	 * Implements credential set interface.
 	 */
 	credential_set_t credential_set;
-	
+
 	/**
 	 * Destroy the backend.
 	 */
-	void (*destroy)(uci_creds_t *this);	
+	void (*destroy)(uci_creds_t *this);
 };
 
 /**
diff --git a/src/charon/plugins/uci/uci_parser.c b/src/charon/plugins/uci/uci_parser.c
index f994e36f7..6de55d218 100644
--- a/src/charon/plugins/uci/uci_parser.c
+++ b/src/charon/plugins/uci/uci_parser.c
@@ -32,7 +32,7 @@ struct private_uci_parser_t {
 	 * Public part
 	 */
 	uci_parser_t public;
-	
+
 	/**
 	 * UCI package name this parser reads
 	 */
@@ -66,12 +66,12 @@ static bool section_enumerator_enumerate(section_enumerator_t *this, ...)
 	char **value;
 	va_list args;
 	int i;
-	
+
 	if (&this->current->list == this->list)
 	{
 		return FALSE;
 	}
-	
+
 	va_start(args, this);
 
 	value = va_arg(args, char**);
@@ -87,19 +87,19 @@ static bool section_enumerator_enumerate(section_enumerator_t *this, ...)
 			*value = uci_to_section(this->current)->type;
 		}
 	}
-	
+
 	/* followed by keyword parameters */
 	for (i = 0; this->keywords[i]; i++)
 	{
 		value = va_arg(args, char**);
 		if (value && uci_lookup(this->ctx, &element, this->package,
-					 	  this->current->name, this->keywords[i]) == UCI_OK)
+						  this->current->name, this->keywords[i]) == UCI_OK)
 		{
 			*value = uci_to_option(element)->value;
 		}
 	}
 	va_end(args);
-	
+
 	this->current = list_to_element(this->current->list.next);
 	return TRUE;
 }
@@ -121,7 +121,7 @@ static enumerator_t* create_section_enumerator(private_uci_parser_t *this, ...)
 	section_enumerator_t *e;
 	va_list args;
 	int i;
-	
+
 	/* allocate enumerator large enought to hold keyword pointers */
 	i = 1;
 	va_start(args, this);
@@ -133,16 +133,16 @@ static enumerator_t* create_section_enumerator(private_uci_parser_t *this, ...)
 	e = malloc(sizeof(section_enumerator_t) + sizeof(char*) * i);
 	i = 0;
 	va_start(args, this);
-	do 
+	do
 	{
 		e->keywords[i] = va_arg(args, char*);
 	}
 	while (e->keywords[i++]);
 	va_end(args);
-	
+
 	e->public.enumerate = (void*)section_enumerator_enumerate;
 	e->public.destroy = (void*)section_enumerator_destroy;
-	
+
 	/* load uci context */
 	e->ctx = uci_alloc_context();
 	if (uci_load(e->ctx, this->package, &e->package) != UCI_OK)
@@ -178,9 +178,9 @@ uci_parser_t *uci_parser_create(char *package)
 
 	this->public.create_section_enumerator = (enumerator_t*(*)(uci_parser_t*, ...))create_section_enumerator;
 	this->public.destroy = (void(*)(uci_parser_t*))destroy;
-	
+
 	this->package = strdup(package);
-	
+
 	return &this->public;
 }
 
diff --git a/src/charon/plugins/uci/uci_parser.h b/src/charon/plugins/uci/uci_parser.h
index ef3d7b0f5..7217e507a 100644
--- a/src/charon/plugins/uci/uci_parser.h
+++ b/src/charon/plugins/uci/uci_parser.h
@@ -41,11 +41,11 @@ struct uci_parser_t {
 	 * @return			enumerator over sections
 	 */
 	enumerator_t* (*create_section_enumerator)(uci_parser_t *this, ...);
-	
+
 	/**
 	 * Destroy the parser.
 	 */
-	void (*destroy)(uci_parser_t *this);	
+	void (*destroy)(uci_parser_t *this);
 };
 
 /**
diff --git a/src/charon/plugins/uci/uci_plugin.c b/src/charon/plugins/uci/uci_plugin.c
index 3ab4c92f8..2a79b9109 100644
--- a/src/charon/plugins/uci/uci_plugin.c
+++ b/src/charon/plugins/uci/uci_plugin.c
@@ -36,17 +36,17 @@ struct private_uci_plugin_t {
 	 * implements plugin interface
 	 */
 	uci_plugin_t public;
-	
+
 	/**
 	 * UCI configuration backend
 	 */
 	uci_config_t *config;
-	
+
 	/**
 	 * UCI credential set implementation
 	 */
 	uci_creds_t *creds;
-	
+
 	/**
 	 * UCI parser wrapper
 	 */
@@ -78,16 +78,16 @@ static void destroy(private_uci_plugin_t *this)
 plugin_t *plugin_create()
 {
 	private_uci_plugin_t *this = malloc_thing(private_uci_plugin_t);
-	
+
 	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-	
+
 	this->parser = uci_parser_create(UCI_PACKAGE);
 	this->config = uci_config_create(this->parser);
 	this->creds = uci_creds_create(this->parser);
 	this->control = uci_control_create();
 	charon->backends->add_backend(charon->backends, &this->config->backend);
 	charon->credentials->add_set(charon->credentials, &this->creds->credential_set);
-	
+
 	return &this->public.plugin;
 }
 
diff --git a/src/charon/plugins/unit_tester/Makefile.in b/src/charon/plugins/unit_tester/Makefile.in
index 0bf0cf301..9926c43e8 100644
--- a/src/charon/plugins/unit_tester/Makefile.in
+++ b/src/charon/plugins/unit_tester/Makefile.in
@@ -1,8 +1,9 @@
-# Makefile.in generated by automake 1.10.2 from Makefile.am.
+# Makefile.in generated by automake 1.11 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,8 +17,9 @@
 
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
@@ -35,19 +37,41 @@ host_triplet = @host@
 subdir = src/charon/plugins/unit_tester
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
 CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
 am__vpath_adj = case $$p in \
     $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
     *) f=$$p;; \
   esac;
-am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__installdirs = "$(DESTDIR)$(plugindir)"
-pluginLTLIBRARIES_INSTALL = $(INSTALL)
 LTLIBRARIES = $(plugin_LTLIBRARIES)
 libstrongswan_unit_tester_la_LIBADD =
 am_libstrongswan_unit_tester_la_OBJECTS = unit_tester.lo \
@@ -64,6 +88,7 @@ libstrongswan_unit_tester_la_LINK = $(LIBTOOL) --tag=CC \
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
+am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
@@ -111,25 +136,22 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
-IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
-LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
-LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
-LINUX_HEADERS = @LINUX_HEADERS@
 LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
 NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
@@ -141,11 +163,14 @@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
 PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
+RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
@@ -174,9 +199,9 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
-confdir = @confdir@
 datadir = @datadir@
 datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
@@ -199,7 +224,7 @@ ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
 libstrongswan_plugins = @libstrongswan_plugins@
-linuxdir = @linuxdir@
+linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
@@ -207,6 +232,7 @@ mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
@@ -215,10 +241,12 @@ pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+random_device = @random_device@
 resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
-simreader = @simreader@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
@@ -226,6 +254,7 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
@@ -260,9 +289,9 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/charon/plugins/unit_tester/Makefile'; \
-	cd $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu  src/charon/plugins/unit_tester/Makefile
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/charon/plugins/unit_tester/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/charon/plugins/unit_tester/Makefile
 .PRECIOUS: Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
@@ -280,23 +309,28 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
 	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
 	  if test -f $$p; then \
-	    f=$(am__strip_dir) \
-	    echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(plugindir)/$$f'"; \
-	    $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(plugindir)/$$f"; \
+	    list2="$$list2 $$p"; \
 	  else :; fi; \
-	done
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
 
 uninstall-pluginLTLIBRARIES:
 	@$(NORMAL_UNINSTALL)
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
-	  p=$(am__strip_dir) \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$p'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$p"; \
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
 	done
 
 clean-pluginLTLIBRARIES:
@@ -333,115 +367,115 @@ distclean-compile:
 
 .c.o:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c $<
 
 .c.obj:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
 @am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
 
 test_enumerator.lo: tests/test_enumerator.c
-@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_enumerator.lo -MD -MP -MF $(DEPDIR)/test_enumerator.Tpo -c -o test_enumerator.lo `test -f 'tests/test_enumerator.c' || echo '$(srcdir)/'`tests/test_enumerator.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/test_enumerator.Tpo $(DEPDIR)/test_enumerator.Plo
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_enumerator.lo -MD -MP -MF $(DEPDIR)/test_enumerator.Tpo -c -o test_enumerator.lo `test -f 'tests/test_enumerator.c' || echo '$(srcdir)/'`tests/test_enumerator.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/test_enumerator.Tpo $(DEPDIR)/test_enumerator.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tests/test_enumerator.c' object='test_enumerator.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_enumerator.lo `test -f 'tests/test_enumerator.c' || echo '$(srcdir)/'`tests/test_enumerator.c
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_enumerator.lo `test -f 'tests/test_enumerator.c' || echo '$(srcdir)/'`tests/test_enumerator.c
 
 test_auth_info.lo: tests/test_auth_info.c
-@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_auth_info.lo -MD -MP -MF $(DEPDIR)/test_auth_info.Tpo -c -o test_auth_info.lo `test -f 'tests/test_auth_info.c' || echo '$(srcdir)/'`tests/test_auth_info.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/test_auth_info.Tpo $(DEPDIR)/test_auth_info.Plo
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_auth_info.lo -MD -MP -MF $(DEPDIR)/test_auth_info.Tpo -c -o test_auth_info.lo `test -f 'tests/test_auth_info.c' || echo '$(srcdir)/'`tests/test_auth_info.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/test_auth_info.Tpo $(DEPDIR)/test_auth_info.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tests/test_auth_info.c' object='test_auth_info.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_auth_info.lo `test -f 'tests/test_auth_info.c' || echo '$(srcdir)/'`tests/test_auth_info.c
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_auth_info.lo `test -f 'tests/test_auth_info.c' || echo '$(srcdir)/'`tests/test_auth_info.c
 
 test_curl.lo: tests/test_curl.c
-@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_curl.lo -MD -MP -MF $(DEPDIR)/test_curl.Tpo -c -o test_curl.lo `test -f 'tests/test_curl.c' || echo '$(srcdir)/'`tests/test_curl.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/test_curl.Tpo $(DEPDIR)/test_curl.Plo
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_curl.lo -MD -MP -MF $(DEPDIR)/test_curl.Tpo -c -o test_curl.lo `test -f 'tests/test_curl.c' || echo '$(srcdir)/'`tests/test_curl.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/test_curl.Tpo $(DEPDIR)/test_curl.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tests/test_curl.c' object='test_curl.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_curl.lo `test -f 'tests/test_curl.c' || echo '$(srcdir)/'`tests/test_curl.c
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_curl.lo `test -f 'tests/test_curl.c' || echo '$(srcdir)/'`tests/test_curl.c
 
 test_mysql.lo: tests/test_mysql.c
-@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_mysql.lo -MD -MP -MF $(DEPDIR)/test_mysql.Tpo -c -o test_mysql.lo `test -f 'tests/test_mysql.c' || echo '$(srcdir)/'`tests/test_mysql.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/test_mysql.Tpo $(DEPDIR)/test_mysql.Plo
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_mysql.lo -MD -MP -MF $(DEPDIR)/test_mysql.Tpo -c -o test_mysql.lo `test -f 'tests/test_mysql.c' || echo '$(srcdir)/'`tests/test_mysql.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/test_mysql.Tpo $(DEPDIR)/test_mysql.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tests/test_mysql.c' object='test_mysql.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_mysql.lo `test -f 'tests/test_mysql.c' || echo '$(srcdir)/'`tests/test_mysql.c
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_mysql.lo `test -f 'tests/test_mysql.c' || echo '$(srcdir)/'`tests/test_mysql.c
 
 test_sqlite.lo: tests/test_sqlite.c
-@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_sqlite.lo -MD -MP -MF $(DEPDIR)/test_sqlite.Tpo -c -o test_sqlite.lo `test -f 'tests/test_sqlite.c' || echo '$(srcdir)/'`tests/test_sqlite.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/test_sqlite.Tpo $(DEPDIR)/test_sqlite.Plo
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_sqlite.lo -MD -MP -MF $(DEPDIR)/test_sqlite.Tpo -c -o test_sqlite.lo `test -f 'tests/test_sqlite.c' || echo '$(srcdir)/'`tests/test_sqlite.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/test_sqlite.Tpo $(DEPDIR)/test_sqlite.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tests/test_sqlite.c' object='test_sqlite.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_sqlite.lo `test -f 'tests/test_sqlite.c' || echo '$(srcdir)/'`tests/test_sqlite.c
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_sqlite.lo `test -f 'tests/test_sqlite.c' || echo '$(srcdir)/'`tests/test_sqlite.c
 
 test_mutex.lo: tests/test_mutex.c
-@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_mutex.lo -MD -MP -MF $(DEPDIR)/test_mutex.Tpo -c -o test_mutex.lo `test -f 'tests/test_mutex.c' || echo '$(srcdir)/'`tests/test_mutex.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/test_mutex.Tpo $(DEPDIR)/test_mutex.Plo
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_mutex.lo -MD -MP -MF $(DEPDIR)/test_mutex.Tpo -c -o test_mutex.lo `test -f 'tests/test_mutex.c' || echo '$(srcdir)/'`tests/test_mutex.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/test_mutex.Tpo $(DEPDIR)/test_mutex.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tests/test_mutex.c' object='test_mutex.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_mutex.lo `test -f 'tests/test_mutex.c' || echo '$(srcdir)/'`tests/test_mutex.c
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_mutex.lo `test -f 'tests/test_mutex.c' || echo '$(srcdir)/'`tests/test_mutex.c
 
 test_rsa_gen.lo: tests/test_rsa_gen.c
-@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_rsa_gen.lo -MD -MP -MF $(DEPDIR)/test_rsa_gen.Tpo -c -o test_rsa_gen.lo `test -f 'tests/test_rsa_gen.c' || echo '$(srcdir)/'`tests/test_rsa_gen.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/test_rsa_gen.Tpo $(DEPDIR)/test_rsa_gen.Plo
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_rsa_gen.lo -MD -MP -MF $(DEPDIR)/test_rsa_gen.Tpo -c -o test_rsa_gen.lo `test -f 'tests/test_rsa_gen.c' || echo '$(srcdir)/'`tests/test_rsa_gen.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/test_rsa_gen.Tpo $(DEPDIR)/test_rsa_gen.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tests/test_rsa_gen.c' object='test_rsa_gen.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_rsa_gen.lo `test -f 'tests/test_rsa_gen.c' || echo '$(srcdir)/'`tests/test_rsa_gen.c
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_rsa_gen.lo `test -f 'tests/test_rsa_gen.c' || echo '$(srcdir)/'`tests/test_rsa_gen.c
 
 test_cert.lo: tests/test_cert.c
-@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_cert.lo -MD -MP -MF $(DEPDIR)/test_cert.Tpo -c -o test_cert.lo `test -f 'tests/test_cert.c' || echo '$(srcdir)/'`tests/test_cert.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/test_cert.Tpo $(DEPDIR)/test_cert.Plo
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_cert.lo -MD -MP -MF $(DEPDIR)/test_cert.Tpo -c -o test_cert.lo `test -f 'tests/test_cert.c' || echo '$(srcdir)/'`tests/test_cert.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/test_cert.Tpo $(DEPDIR)/test_cert.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tests/test_cert.c' object='test_cert.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_cert.lo `test -f 'tests/test_cert.c' || echo '$(srcdir)/'`tests/test_cert.c
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_cert.lo `test -f 'tests/test_cert.c' || echo '$(srcdir)/'`tests/test_cert.c
 
 test_med_db.lo: tests/test_med_db.c
-@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_med_db.lo -MD -MP -MF $(DEPDIR)/test_med_db.Tpo -c -o test_med_db.lo `test -f 'tests/test_med_db.c' || echo '$(srcdir)/'`tests/test_med_db.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/test_med_db.Tpo $(DEPDIR)/test_med_db.Plo
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_med_db.lo -MD -MP -MF $(DEPDIR)/test_med_db.Tpo -c -o test_med_db.lo `test -f 'tests/test_med_db.c' || echo '$(srcdir)/'`tests/test_med_db.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/test_med_db.Tpo $(DEPDIR)/test_med_db.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tests/test_med_db.c' object='test_med_db.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_med_db.lo `test -f 'tests/test_med_db.c' || echo '$(srcdir)/'`tests/test_med_db.c
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_med_db.lo `test -f 'tests/test_med_db.c' || echo '$(srcdir)/'`tests/test_med_db.c
 
 test_chunk.lo: tests/test_chunk.c
-@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_chunk.lo -MD -MP -MF $(DEPDIR)/test_chunk.Tpo -c -o test_chunk.lo `test -f 'tests/test_chunk.c' || echo '$(srcdir)/'`tests/test_chunk.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/test_chunk.Tpo $(DEPDIR)/test_chunk.Plo
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_chunk.lo -MD -MP -MF $(DEPDIR)/test_chunk.Tpo -c -o test_chunk.lo `test -f 'tests/test_chunk.c' || echo '$(srcdir)/'`tests/test_chunk.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/test_chunk.Tpo $(DEPDIR)/test_chunk.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tests/test_chunk.c' object='test_chunk.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_chunk.lo `test -f 'tests/test_chunk.c' || echo '$(srcdir)/'`tests/test_chunk.c
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_chunk.lo `test -f 'tests/test_chunk.c' || echo '$(srcdir)/'`tests/test_chunk.c
 
 test_pool.lo: tests/test_pool.c
-@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_pool.lo -MD -MP -MF $(DEPDIR)/test_pool.Tpo -c -o test_pool.lo `test -f 'tests/test_pool.c' || echo '$(srcdir)/'`tests/test_pool.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/test_pool.Tpo $(DEPDIR)/test_pool.Plo
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_pool.lo -MD -MP -MF $(DEPDIR)/test_pool.Tpo -c -o test_pool.lo `test -f 'tests/test_pool.c' || echo '$(srcdir)/'`tests/test_pool.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/test_pool.Tpo $(DEPDIR)/test_pool.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tests/test_pool.c' object='test_pool.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_pool.lo `test -f 'tests/test_pool.c' || echo '$(srcdir)/'`tests/test_pool.c
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_pool.lo `test -f 'tests/test_pool.c' || echo '$(srcdir)/'`tests/test_pool.c
 
 test_agent.lo: tests/test_agent.c
-@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_agent.lo -MD -MP -MF $(DEPDIR)/test_agent.Tpo -c -o test_agent.lo `test -f 'tests/test_agent.c' || echo '$(srcdir)/'`tests/test_agent.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/test_agent.Tpo $(DEPDIR)/test_agent.Plo
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_agent.lo -MD -MP -MF $(DEPDIR)/test_agent.Tpo -c -o test_agent.lo `test -f 'tests/test_agent.c' || echo '$(srcdir)/'`tests/test_agent.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/test_agent.Tpo $(DEPDIR)/test_agent.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tests/test_agent.c' object='test_agent.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_agent.lo `test -f 'tests/test_agent.c' || echo '$(srcdir)/'`tests/test_agent.c
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_agent.lo `test -f 'tests/test_agent.c' || echo '$(srcdir)/'`tests/test_agent.c
 
 test_id.lo: tests/test_id.c
-@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_id.lo -MD -MP -MF $(DEPDIR)/test_id.Tpo -c -o test_id.lo `test -f 'tests/test_id.c' || echo '$(srcdir)/'`tests/test_id.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/test_id.Tpo $(DEPDIR)/test_id.Plo
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_id.lo -MD -MP -MF $(DEPDIR)/test_id.Tpo -c -o test_id.lo `test -f 'tests/test_id.c' || echo '$(srcdir)/'`tests/test_id.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/test_id.Tpo $(DEPDIR)/test_id.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tests/test_id.c' object='test_id.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_id.lo `test -f 'tests/test_id.c' || echo '$(srcdir)/'`tests/test_id.c
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_id.lo `test -f 'tests/test_id.c' || echo '$(srcdir)/'`tests/test_id.c
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -461,7 +495,7 @@ tags: TAGS
 
 TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
+	set x; \
 	here=`pwd`; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
@@ -469,29 +503,34 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
 	  test -n "$$unique" || unique=$$empty_fix; \
-	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	    $$tags $$unique; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
 	fi
 ctags: CTAGS
 CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	test -z "$(CTAGS_ARGS)$$unique" \
 	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$tags $$unique
+	     $$unique
 
 GTAGS:
 	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && cd $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) $$here
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
 
 distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
@@ -512,13 +551,17 @@ distdir: $(DISTFILES)
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
 	  if test -d $$d/$$file; then \
 	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
 	    fi; \
-	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
 	  else \
-	    test -f $(distdir)/$$file \
-	    || cp -p $$d/$$file $(distdir)/$$file \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
 	    || exit 1; \
 	  fi; \
 	done
@@ -549,6 +592,7 @@ clean-generic:
 
 distclean-generic:
 	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -570,6 +614,8 @@ dvi-am:
 
 html: html-am
 
+html-am:
+
 info: info-am
 
 info-am:
@@ -578,18 +624,28 @@ install-data-am: install-pluginLTLIBRARIES
 
 install-dvi: install-dvi-am
 
+install-dvi-am:
+
 install-exec-am:
 
 install-html: install-html-am
 
+install-html-am:
+
 install-info: install-info-am
 
+install-info-am:
+
 install-man:
 
 install-pdf: install-pdf-am
 
+install-pdf-am:
+
 install-ps: install-ps-am
 
+install-ps-am:
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -628,6 +684,7 @@ uninstall-am: uninstall-pluginLTLIBRARIES
 	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
 	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
 
+
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/src/charon/plugins/unit_tester/tests.h b/src/charon/plugins/unit_tester/tests.h
index b99940c1a..96313d390 100644
--- a/src/charon/plugins/unit_tester/tests.h
+++ b/src/charon/plugins/unit_tester/tests.h
@@ -14,7 +14,7 @@
  */
 
 /**
- * @defgroup tests tests 
+ * @defgroup tests tests
  * @{ @ingroup unit_tester
  */
 
diff --git a/src/charon/plugins/unit_tester/tests/test_agent.c b/src/charon/plugins/unit_tester/tests/test_agent.c
index fd76b9cf5..baab629be 100644
--- a/src/charon/plugins/unit_tester/tests/test_agent.c
+++ b/src/charon/plugins/unit_tester/tests/test_agent.c
@@ -21,18 +21,18 @@
  ******************************************************************************/
 bool test_agent()
 {
-	char *path, buf[] = {0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08};
-	chunk_t sig, data = chunk_from_buf(buf);
+	char *path;
+	chunk_t sig, data = chunk_from_chars(0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08);
 	private_key_t *private;
 	public_key_t *public;
-	
+
 	path = getenv("SSH_AUTH_SOCK");
 	if (!path)
 	{
 		DBG1(DBG_CFG, "ssh-agent not found.");
 		return FALSE;
 	}
-	
+
 	private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
 								 BUILD_AGENT_SOCKET, path, BUILD_END);
 	if (!private)
@@ -53,15 +53,15 @@ bool test_agent()
 		return FALSE;
 	}
 	free(sig.ptr);
-	buf[1] = 0x01; /* fake it */
+	data.ptr[1] = 0x01; /* fake it */
 	if (public->verify(public, SIGN_RSA_EMSA_PKCS1_SHA1, data, sig))
 	{
 		return FALSE;
 	}
-	
+
 	private->destroy(private);
 	public->destroy(public);
-	
+
 	return TRUE;
 }
 
diff --git a/src/charon/plugins/unit_tester/tests/test_auth_info.c b/src/charon/plugins/unit_tester/tests/test_auth_info.c
index 37bdd1087..d6abe7a05 100644
--- a/src/charon/plugins/unit_tester/tests/test_auth_info.c
+++ b/src/charon/plugins/unit_tester/tests/test_auth_info.c
@@ -18,9 +18,7 @@
 #include <config/auth_cfg.h>
 
 
-char buf[] = {0x01,0x02,0x03,0x04};
-chunk_t chunk = chunk_from_buf(buf);
-char certbuf[] = {
+static chunk_t certchunk = chunk_from_chars(
 	0x30,0x82,0x02,0xfa,0x30,0x82,0x01,0xe2,0xa0,0x03,0x02,0x01,0x02,0x02,0x10,0x5a,
 	0xf2,0x65,0xae,0x78,0xff,0x23,0xde,0xf7,0xa6,0xa3,0x94,0x8c,0x3f,0xa0,0xc1,0x30,
 	0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x05,0x05,0x00,0x30,0x39,
@@ -69,8 +67,7 @@ char certbuf[] = {
 	0xec,0xd2,0x31,0xc6,0x1e,0xb6,0xc0,0x57,0xd9,0xe1,0x14,0x06,0x9b,0xf8,0x51,0x69,
 	0x47,0xf0,0x9c,0xcd,0x69,0xef,0x8e,0x5f,0x62,0xda,0x10,0xf7,0x3c,0x6d,0x0f,0x33,
 	0xec,0x6f,0xfd,0x94,0x07,0x16,0x41,0x32,0x06,0xa4,0xe1,0x08,0x31,0x87,
-};
-chunk_t certchunk = chunk_from_buf(certbuf);
+);
 
 /*******************************************************************************
  * auth info test
@@ -83,7 +80,7 @@ bool test_auth_cfg()
 	int round = 0;
 	void *value;
 	auth_rule_t type;
-	
+
 	c1 = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
 							BUILD_BLOB_ASN1_DER, certchunk,
 							BUILD_END);
@@ -91,7 +88,7 @@ bool test_auth_cfg()
 	{
 		return FALSE;
 	}
-	
+
 	auth->add(auth, AUTH_RULE_SUBJECT_CERT, c1->get_ref(c1));
 	c2 = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
 	if (!c2)
@@ -102,7 +99,7 @@ bool test_auth_cfg()
 	{
 		return FALSE;
 	}
-	
+
 	enumerator = auth->create_enumerator(auth);
 	while (enumerator->enumerate(enumerator, &type, &value))
 	{
@@ -114,11 +111,11 @@ bool test_auth_cfg()
 		return FALSE;
 	}
 	enumerator->destroy(enumerator);
-	
+
 	auth2 = auth_cfg_create();
 	auth2->add(auth2, AUTH_RULE_CA_CERT, c1->get_ref(c1));
 	auth2->merge(auth2, auth, FALSE);
-	
+
 	round = 0;
 	enumerator = auth2->create_enumerator(auth2);
 	while (enumerator->enumerate(enumerator, &type, &value))
diff --git a/src/charon/plugins/unit_tester/tests/test_cert.c b/src/charon/plugins/unit_tester/tests/test_cert.c
index 95ab289df..3b00421f8 100644
--- a/src/charon/plugins/unit_tester/tests/test_cert.c
+++ b/src/charon/plugins/unit_tester/tests/test_cert.c
@@ -28,10 +28,10 @@ bool test_cert_x509()
 	identification_t *issuer, *subject;
 	u_int32_t serial = htonl(0);
 	chunk_t encoding;
-	
+
 	issuer = identification_create_from_string("CN=CA, OU=Test, O=strongSwan");
 	subject = identification_create_from_string("CN=Peer, OU=Test, O=strongSwan");
-	
+
 	ca_key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
 						BUILD_KEY_SIZE, 1024, BUILD_END);
 	peer_key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
@@ -50,7 +50,7 @@ bool test_cert_x509()
 	{
 		return FALSE;
 	}
-	
+
 	encoding = ca_cert->get_encoding(ca_cert);
 	parsed = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
 						BUILD_BLOB_ASN1_DER, encoding,
@@ -65,7 +65,7 @@ bool test_cert_x509()
 		return FALSE;
 	}
 	parsed->destroy(parsed);
-	
+
 	serial = htonl(ntohl(serial) + 1);
 	public = peer_key->get_public_key(peer_key);
 	peer_cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
@@ -80,7 +80,7 @@ bool test_cert_x509()
 	{
 		return FALSE;
 	}
-	
+
 	encoding = peer_cert->get_encoding(peer_cert);
 	parsed = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
 						BUILD_BLOB_ASN1_DER, encoding,
@@ -95,7 +95,7 @@ bool test_cert_x509()
 		return FALSE;
 	}
 	parsed->destroy(parsed);
-	
+
 	ca_cert->destroy(ca_cert);
 	ca_key->destroy(ca_key);
 	peer_cert->destroy(peer_cert);
diff --git a/src/charon/plugins/unit_tester/tests/test_chunk.c b/src/charon/plugins/unit_tester/tests/test_chunk.c
index 5356c1d96..2e0905b2c 100644
--- a/src/charon/plugins/unit_tester/tests/test_chunk.c
+++ b/src/charon/plugins/unit_tester/tests/test_chunk.c
@@ -31,12 +31,12 @@ bool test_chunk_base64()
 	 * BASE64("fooba") = "Zm9vYmE="
 	 * BASE64("foobar") = "Zm9vYmFy"
 	 */
-	
+
 	typedef struct {
 		char *in;
 		char *out;
 	} testdata_t;
-	
+
 	testdata_t test[] = {
 		{"", ""},
 		{"f", "Zg=="},
@@ -47,31 +47,31 @@ bool test_chunk_base64()
 		{"foobar", "Zm9vYmFy"},
 	};
 	int i;
-	
+
 	for (i = 0; i < countof(test); i++)
 	{
 		chunk_t out;
-		
+
 		out = chunk_to_base64(chunk_create(test[i].in, strlen(test[i].in)), NULL);
-		
+
 		if (!streq(out.ptr, test[i].out))
 		{
-			DBG1(DBG_CFG, "base64 conversion error - should %s, is %s", 
+			DBG1(DBG_CFG, "base64 conversion error - should %s, is %s",
 				test[i].out, out.ptr);
 			return FALSE;
 		}
 		free(out.ptr);
 	}
-	
+
 	for (i = 0; i < countof(test); i++)
 	{
 		chunk_t out;
-		
+
 		out = chunk_from_base64(chunk_create(test[i].out, strlen(test[i].out)), NULL);
-		
+
 		if (!strneq(out.ptr, test[i].in, out.len))
 		{
-			DBG1(DBG_CFG, "base64 conversion error - should %s, is %#B", 
+			DBG1(DBG_CFG, "base64 conversion error - should %s, is %#B",
 				test[i].in, &out);
 			return FALSE;
 		}
diff --git a/src/charon/plugins/unit_tester/tests/test_curl.c b/src/charon/plugins/unit_tester/tests/test_curl.c
index c011617a7..21656a94e 100644
--- a/src/charon/plugins/unit_tester/tests/test_curl.c
+++ b/src/charon/plugins/unit_tester/tests/test_curl.c
@@ -25,14 +25,14 @@
 bool test_curl_get()
 {
 	chunk_t chunk;
-	
+
 	if (lib->fetcher->fetch(lib->fetcher, "http://www.strongswan.org",
 							&chunk, FETCH_END) != SUCCESS)
 	{
 		return FALSE;
 	}
 	free(chunk.ptr);
-	
+
 	if (lib->fetcher->fetch(lib->fetcher, "http://www.google.com",
 							&chunk, FETCH_END) != SUCCESS)
 	{
diff --git a/src/charon/plugins/unit_tester/tests/test_enumerator.c b/src/charon/plugins/unit_tester/tests/test_enumerator.c
index 6898084fc..edbf0f5bb 100644
--- a/src/charon/plugins/unit_tester/tests/test_enumerator.c
+++ b/src/charon/plugins/unit_tester/tests/test_enumerator.c
@@ -23,7 +23,7 @@ bool test_list_remove()
 {
 	void *a = (void*)1, *b = (void*)2;
 	linked_list_t *list;
-	
+
 	list = linked_list_create();
 	list->insert_last(list, a);
 	if (list->remove(list, a, NULL) != 1)
@@ -67,15 +67,15 @@ bool test_enumerate()
 	void *a = (void*)4, *b = (void*)3, *c = (void*)2, *d = (void*)5, *e = (void*)1;
 	linked_list_t *list;
 	enumerator_t *enumerator;
-	
+
 	list = linked_list_create();
-	
+
 	list->insert_last(list, a);
 	list->insert_first(list, b);
 	list->insert_first(list, c);
 	list->insert_last(list, d);
 	list->insert_first(list, e);
-	
+
 	round = 1;
 	enumerator = list->create_enumerator(list);
 	while (enumerator->enumerate(enumerator, &x))
@@ -87,7 +87,7 @@ bool test_enumerate()
 		round++;
 	}
 	enumerator->destroy(enumerator);
-	
+
 	list->destroy(list);
 	return TRUE;
 }
@@ -122,7 +122,7 @@ bool test_enumerate_nested()
 	void *a = (void*)1, *b = (void*)2, *c = (void*)3, *d = (void*)4, *e = (void*)5;
 	linked_list_t *list, *l1, *l2, *l3;
 	enumerator_t *enumerator;
-	
+
 	bad_data = FALSE;
 	list = linked_list_create();
 	l1 = linked_list_create();
@@ -131,13 +131,13 @@ bool test_enumerate_nested()
 	list->insert_last(list, l1);
 	list->insert_last(list, l2);
 	list->insert_last(list, l3);
-	
+
 	l1->insert_last(l1, a);
 	l1->insert_last(l1, b);
 	l3->insert_last(l3, c);
 	l3->insert_last(l3, d);
 	l3->insert_last(l3, e);
-	
+
 	round = 1;
 	enumerator = enumerator_create_nested(list->create_enumerator(list),
 					(void*)create_inner, (void*)101, destroy_data);
@@ -150,7 +150,7 @@ bool test_enumerate_nested()
 		round++;
 	}
 	enumerator->destroy(enumerator);
-	
+
 	list->destroy(list);
 	l1->destroy(l1);
 	l2->destroy(l2);
@@ -185,16 +185,16 @@ bool test_enumerate_filtered()
 	void *a = (void*)1, *b = (void*)2, *c = (void*)3, *d = (void*)4, *e = (void*)5;
 	linked_list_t *list;
 	enumerator_t *enumerator;
-	
+
 	bad_data = FALSE;
 	list = linked_list_create();
-	
+
 	list->insert_last(list, a);
 	list->insert_last(list, b);
 	list->insert_last(list, c);
 	list->insert_last(list, d);
 	list->insert_last(list, e);
-	
+
 	round = 1;
 	enumerator = enumerator_create_filter(list->create_enumerator(list),
 									(void*)filter, (void*)101, destroy_data);
@@ -208,7 +208,7 @@ bool test_enumerate_filtered()
 		round++;
 	}
 	enumerator->destroy(enumerator);
-	
+
 	list->destroy(list);
 	return !bad_data;
 }
@@ -216,7 +216,7 @@ bool test_enumerate_filtered()
 /*******************************************************************************
  * token parser test
  ******************************************************************************/
- 
+
 bool test_enumerate_token()
 {
 	enumerator_t *enumerator;
@@ -240,7 +240,7 @@ bool test_enumerate_token()
 		{"a.b,c", ",.", ""},
 		{"  a   b  c  ", " ", " "},
 	};
-	
+
 	for (num = 0; num < countof(tests1); num++)
 	{
 		i = 0;
@@ -270,7 +270,7 @@ bool test_enumerate_token()
 		}
 		enumerator->destroy(enumerator);
 	}
-	
+
 	for (num = 0; num < countof(tests2); num++)
 	{
 		i = 0;
@@ -300,7 +300,7 @@ bool test_enumerate_token()
 		}
 		enumerator->destroy(enumerator);
 	}
-	
+
 	return TRUE;
 }
 
diff --git a/src/charon/plugins/unit_tester/tests/test_id.c b/src/charon/plugins/unit_tester/tests/test_id.c
index a1ef76be8..868a2ca8b 100644
--- a/src/charon/plugins/unit_tester/tests/test_id.c
+++ b/src/charon/plugins/unit_tester/tests/test_id.c
@@ -25,9 +25,9 @@ bool test_id_parts()
 	id_part_t part;
 	chunk_t data;
 	int i = 0;
-	
+
 	id = identification_create_from_string("C=CH, O=strongSwan, CN=tester");
-	
+
 	enumerator = id->create_part_enumerator(id);
 	while (enumerator->enumerate(enumerator, &part, &data))
 	{
@@ -75,7 +75,7 @@ static bool test_id_wildcards_has(char *string)
 {
 	identification_t *id;
 	bool contains;
-	
+
 	id = identification_create_from_string(string);
 	contains = id->contains_wildcards(id);
 	id->destroy(id);
@@ -115,7 +115,7 @@ static bool test_id_equals_one(identification_t *a, char *b_str)
 {
 	identification_t *b;
 	bool equals;
-	
+
 	b = identification_create_from_string(b_str);
 	equals = a->equals(a, b);
 	b->destroy(b);
@@ -127,10 +127,10 @@ bool test_id_equals()
 	identification_t *a;
 	chunk_t encoding, fuzzed;
 	int i;
-	
+
 	a = identification_create_from_string(
 							   "C=CH, E=martin@strongswan.org, CN=martin");
-	
+
 	if (!test_id_equals_one(a, "C=CH, E=martin@strongswan.org, CN=martin"))
 	{
 		return FALSE;
@@ -153,7 +153,7 @@ bool test_id_equals()
 	}
 	encoding = chunk_clone(a->get_encoding(a));
 	a->destroy(a);
-	
+
 	/* simple fuzzing, increment each byte of encoding */
 	for (i = 0; i < encoding.len; i++)
 	{
@@ -171,7 +171,7 @@ bool test_id_equals()
 		a->destroy(a);
 		free(fuzzed.ptr);
 	}
-	
+
 	/* and decrement each byte of encoding */
 	for (i = 0; i < encoding.len; i++)
 	{
@@ -201,7 +201,7 @@ static id_match_t test_id_matches_one(identification_t *a, char *b_str)
 {
 	identification_t *b;
 	id_match_t match;
-	
+
 	b = identification_create_from_string(b_str);
 	match = a->matches(a, b);
 	b->destroy(b);
@@ -211,10 +211,10 @@ static id_match_t test_id_matches_one(identification_t *a, char *b_str)
 bool test_id_matches()
 {
 	identification_t *a;
-	
+
 	a = identification_create_from_string(
 							   "C=CH, E=martin@strongswan.org, CN=martin");
-	
+
 	if (test_id_matches_one(a, "C=CH, E=martin@strongswan.org, CN=martin")
 															!= ID_MATCH_PERFECT)
 	{
diff --git a/src/charon/plugins/unit_tester/tests/test_med_db.c b/src/charon/plugins/unit_tester/tests/test_med_db.c
index 7b4603bd7..7fd78b0bc 100644
--- a/src/charon/plugins/unit_tester/tests/test_med_db.c
+++ b/src/charon/plugins/unit_tester/tests/test_med_db.c
@@ -25,25 +25,27 @@
 
 bool test_med_db()
 {
-	char keyid_buf[] = {
+	chunk_t found, keyid = chunk_from_chars(
 		0xed,0x90,0xe6,0x4f,0xec,0xa2,0x1f,0x4b,
 		0x68,0x97,0x99,0x24,0x22,0xe0,0xde,0x21,
 		0xb9,0xd6,0x26,0x29
-	};
-	chunk_t keyid = chunk_from_buf(keyid_buf);
-	identification_t *id, *found;
+	);
+	identification_t *id;
 	enumerator_t *enumerator;
 	public_key_t *public;
 	auth_cfg_t *auth;
 	bool good = FALSE;
-	
+
 	id = identification_create_from_encoding(ID_KEY_ID, keyid);
 	enumerator = charon->credentials->create_public_enumerator(
 									charon->credentials, KEY_ANY, id, NULL);
 	while (enumerator->enumerate(enumerator, &public, &auth))
 	{
-		found = public->get_id(public, ID_PUBKEY_SHA1);
-		good = chunk_equals(id->get_encoding(id), found->get_encoding(found));
+		good = public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1, &found);
+		if (good)
+		{
+			good = chunk_equals(id->get_encoding(id), found);
+		}
 	}
 	enumerator->destroy(enumerator);
 	id->destroy(id);
diff --git a/src/charon/plugins/unit_tester/tests/test_mutex.c b/src/charon/plugins/unit_tester/tests/test_mutex.c
index cb315276b..77085cb2f 100644
--- a/src/charon/plugins/unit_tester/tests/test_mutex.c
+++ b/src/charon/plugins/unit_tester/tests/test_mutex.c
@@ -14,7 +14,7 @@
  */
 
 #include <library.h>
-#include <utils/mutex.h>
+#include <threading/mutex.h>
 
 #include <unistd.h>
 #include <sched.h>
@@ -46,7 +46,7 @@ static void* run(void* null)
 		if (locked > 1)
 		{
 			failed = TRUE;
-		}	
+		}
 		locked--;
 		mutex->unlock(mutex);
 		mutex->unlock(mutex);
@@ -64,9 +64,9 @@ bool test_mutex()
 {
 	int i;
 	pthread_t threads[THREADS];
-	
+
 	mutex = mutex_create(MUTEX_TYPE_RECURSIVE);
-	
+
 	for (i = 0; i < 10; i++)
 	{
 		mutex->lock(mutex);
@@ -80,9 +80,9 @@ bool test_mutex()
 	{
 		mutex->unlock(mutex);
 	}
-	
+
 	pthread_barrier_init(&barrier, NULL, THREADS);
-	
+
 	for (i = 0; i < THREADS; i++)
 	{
 		pthread_create(&threads[i], NULL, run, NULL);
@@ -92,9 +92,9 @@ bool test_mutex()
 		pthread_join(threads[i], NULL);
 	}
 	pthread_barrier_destroy(&barrier);
-	
+
 	mutex->destroy(mutex);
-	
+
 	return !failed;
 }
 
diff --git a/src/charon/plugins/unit_tester/tests/test_mysql.c b/src/charon/plugins/unit_tester/tests/test_mysql.c
index ff3d38ad8..252441ef8 100644
--- a/src/charon/plugins/unit_tester/tests/test_mysql.c
+++ b/src/charon/plugins/unit_tester/tests/test_mysql.c
@@ -24,14 +24,13 @@ bool test_mysql()
 {
 	database_t *db;
 	char *txt = "I'm a superduper test";
-	char buf[] = {0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08};
-	chunk_t data = chunk_from_buf(buf);
+	chunk_t data = chunk_from_chars(0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08);
 	int row;
 	chunk_t qdata;
 	char *qtxt;
 	bool good = FALSE;
 	enumerator_t *enumerator;
-	
+
 	db = lib->db->create(lib->db, "mysql://testuser:testpass@localhost/test");
 	if (!db)
 	{
diff --git a/src/charon/plugins/unit_tester/tests/test_pool.c b/src/charon/plugins/unit_tester/tests/test_pool.c
index ba5330fd9..109c06fda 100644
--- a/src/charon/plugins/unit_tester/tests/test_pool.c
+++ b/src/charon/plugins/unit_tester/tests/test_pool.c
@@ -13,12 +13,10 @@
  * for more details.
  */
 
-#include <sys/time.h>
 #include <time.h>
 #include <pthread.h>
 
 #include <library.h>
-#include <daemon.h>
 
 #define ALLOCS 1000
 #define THREADS 20
@@ -28,33 +26,34 @@ static void* testing(void *thread)
 	int i;
 	host_t *addr[ALLOCS];
 	identification_t *id[ALLOCS];
-	
+
 	/* prepare identities */
 	for (i = 0; i < ALLOCS; i++)
 	{
 		char buf[256];
-		
+
 		snprintf(buf, sizeof(buf), "%d-%d@strongswan.org", (uintptr_t)thread, i);
 		id[i] = identification_create_from_string(buf);
 	}
-	
+
 	/* allocate addresses */
 	for (i = 0; i < ALLOCS; i++)
 	{
-		addr[i] = charon->attributes->acquire_address(charon->attributes, 
-													  "test", id[i], NULL);
+		addr[i] = lib->attributes->acquire_address(lib->attributes,
+												   "test", id[i], NULL);
 		if (!addr[i])
 		{
 			return (void*)FALSE;
 		}
 	}
-	
+
 	/* release addresses */
 	for (i = 0; i < ALLOCS; i++)
 	{
-		charon->attributes->release_address(charon->attributes, "test", addr[i], id[i]);
+		lib->attributes->release_address(lib->attributes,
+										 "test", addr[i], id[i]);
 	}
-	
+
 	/* cleanup */
 	for (i = 0; i < ALLOCS; i++)
 	{
@@ -73,7 +72,7 @@ bool test_pool()
 	uintptr_t i;
 	void *res;
 	pthread_t thread[THREADS];
-	
+
 	for (i = 0; i < THREADS; i++)
 	{
 		if (pthread_create(&thread[i], NULL, (void*)testing, (void*)i) < 0)
diff --git a/src/charon/plugins/unit_tester/tests/test_rsa_gen.c b/src/charon/plugins/unit_tester/tests/test_rsa_gen.c
index 1b7af63ee..59da15644 100644
--- a/src/charon/plugins/unit_tester/tests/test_rsa_gen.c
+++ b/src/charon/plugins/unit_tester/tests/test_rsa_gen.c
@@ -21,12 +21,12 @@
  ******************************************************************************/
 bool test_rsa_gen()
 {
-	char buf[] = {0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08};
-	chunk_t data = chunk_from_buf(buf), sig, crypt, plain;
+	chunk_t data = chunk_from_chars(0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08);
+	chunk_t sig, crypt, plain;
 	private_key_t *private;
 	public_key_t *public;
 	u_int key_size;
-	
+
 	for (key_size = 512; key_size <= 2048; key_size *= 2)
 	{
 		private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
@@ -83,37 +83,30 @@ bool test_rsa_gen()
 	return TRUE;
 }
 
-
-/*******************************************************************************
- * Load a subjectPubkeyInfo wrapped key (RSA in this case)
- ******************************************************************************/
-static char public_any[] = {
-  0x30,0x82,0x01,0x20,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,
-  0x01,0x05,0x00,0x03,0x82,0x01,0x0d,0x00,0x30,0x82,0x01,0x08,0x02,0x82,0x01,0x01,
-  0x00,0xc6,0x68,0x99,0x1d,0xc8,0x06,0xdb,0xcf,0x1c,0x66,0xbb,0x91,0xc3,0xd4,0x10,
-  0xb2,0x08,0xa9,0xc5,0x71,0x39,0x1c,0xbe,0x5b,0x1d,0xce,0xfd,0x1b,0xfa,0xec,0x04,
-  0x89,0x9f,0x79,0xc8,0x46,0x00,0xd2,0x71,0xfb,0x22,0x16,0x52,0x2f,0xda,0xbf,0x0f,
-  0xe7,0x16,0xb1,0xd7,0x6a,0xa5,0xa5,0xfc,0xee,0xff,0x84,0x4c,0x81,0x3f,0xab,0x84,
-  0x0e,0xed,0x4a,0x26,0x59,0xd0,0x9b,0xb5,0xe1,0xec,0x61,0xc4,0xd3,0x15,0x4c,0x29,
-  0x51,0xa0,0xde,0x33,0x07,0x58,0x6c,0x36,0x1b,0x18,0x61,0xd9,0x56,0x18,0x39,0x54,
-  0x8b,0xd2,0xea,0x4e,0x87,0x28,0x58,0xb9,0x88,0x3d,0x30,0xbc,0xfc,0x6d,0xad,0xab,
-  0x43,0x26,0x09,0x48,0x4e,0x6e,0x8a,0x8b,0x88,0xb3,0xf0,0x29,0x25,0x79,0xb6,0xb6,
-  0x71,0x3c,0x93,0x59,0xd2,0x36,0x94,0xd5,0xfc,0xf3,0x62,0x2b,0x69,0xa3,0x7a,0x47,
-  0x4e,0x53,0xa2,0x35,0x1b,0x26,0x89,0xaa,0x09,0xfd,0x56,0xd7,0x75,0x2a,0xd4,0x91,
-  0xc0,0xf2,0x78,0xd7,0x05,0xca,0x12,0x1d,0xd9,0xd4,0x81,0x23,0xb2,0x3c,0x38,0xd9,
-  0xb4,0xdc,0x21,0xe0,0xe5,0x2d,0xd4,0xbe,0x61,0x39,0x8a,0x46,0x90,0x46,0x73,0x31,
-  0xba,0x48,0xbb,0x51,0xbb,0x91,0xd5,0x62,0xad,0xd1,0x53,0x5b,0x85,0xc9,0x1d,0xa7,
-  0xf6,0xa0,0xe1,0x0e,0x6c,0x22,0x5d,0x29,0x9a,0xe7,0x0f,0xe8,0x0a,0x50,0xa7,0x19,
-  0x11,0xc2,0x8b,0xe0,0x8a,0xfd,0x2b,0x94,0x31,0x7a,0x78,0x9c,0x9b,0x75,0x63,0x49,
-  0xa9,0xe5,0x58,0xe6,0x3a,0x99,0xcb,0x2b,0xdd,0x0e,0xdc,0x7d,0x1b,0x98,0x80,0xc3,
-  0x9f,0x02,0x01,0x23,
-};
-
 bool test_rsa_load_any()
 {
-	chunk_t chunk = chunk_from_buf(public_any);
+	chunk_t chunk = chunk_from_chars(
+		0x30,0x82,0x01,0x20,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,
+		0x01,0x05,0x00,0x03,0x82,0x01,0x0d,0x00,0x30,0x82,0x01,0x08,0x02,0x82,0x01,0x01,
+		0x00,0xc6,0x68,0x99,0x1d,0xc8,0x06,0xdb,0xcf,0x1c,0x66,0xbb,0x91,0xc3,0xd4,0x10,
+		0xb2,0x08,0xa9,0xc5,0x71,0x39,0x1c,0xbe,0x5b,0x1d,0xce,0xfd,0x1b,0xfa,0xec,0x04,
+		0x89,0x9f,0x79,0xc8,0x46,0x00,0xd2,0x71,0xfb,0x22,0x16,0x52,0x2f,0xda,0xbf,0x0f,
+		0xe7,0x16,0xb1,0xd7,0x6a,0xa5,0xa5,0xfc,0xee,0xff,0x84,0x4c,0x81,0x3f,0xab,0x84,
+		0x0e,0xed,0x4a,0x26,0x59,0xd0,0x9b,0xb5,0xe1,0xec,0x61,0xc4,0xd3,0x15,0x4c,0x29,
+		0x51,0xa0,0xde,0x33,0x07,0x58,0x6c,0x36,0x1b,0x18,0x61,0xd9,0x56,0x18,0x39,0x54,
+		0x8b,0xd2,0xea,0x4e,0x87,0x28,0x58,0xb9,0x88,0x3d,0x30,0xbc,0xfc,0x6d,0xad,0xab,
+		0x43,0x26,0x09,0x48,0x4e,0x6e,0x8a,0x8b,0x88,0xb3,0xf0,0x29,0x25,0x79,0xb6,0xb6,
+		0x71,0x3c,0x93,0x59,0xd2,0x36,0x94,0xd5,0xfc,0xf3,0x62,0x2b,0x69,0xa3,0x7a,0x47,
+		0x4e,0x53,0xa2,0x35,0x1b,0x26,0x89,0xaa,0x09,0xfd,0x56,0xd7,0x75,0x2a,0xd4,0x91,
+		0xc0,0xf2,0x78,0xd7,0x05,0xca,0x12,0x1d,0xd9,0xd4,0x81,0x23,0xb2,0x3c,0x38,0xd9,
+		0xb4,0xdc,0x21,0xe0,0xe5,0x2d,0xd4,0xbe,0x61,0x39,0x8a,0x46,0x90,0x46,0x73,0x31,
+		0xba,0x48,0xbb,0x51,0xbb,0x91,0xd5,0x62,0xad,0xd1,0x53,0x5b,0x85,0xc9,0x1d,0xa7,
+		0xf6,0xa0,0xe1,0x0e,0x6c,0x22,0x5d,0x29,0x9a,0xe7,0x0f,0xe8,0x0a,0x50,0xa7,0x19,
+		0x11,0xc2,0x8b,0xe0,0x8a,0xfd,0x2b,0x94,0x31,0x7a,0x78,0x9c,0x9b,0x75,0x63,0x49,
+		0xa9,0xe5,0x58,0xe6,0x3a,0x99,0xcb,0x2b,0xdd,0x0e,0xdc,0x7d,0x1b,0x98,0x80,0xc3,
+		0x9f,0x02,0x01,0x23);
 	public_key_t *public;
-	
+
 	public = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ANY,
 								BUILD_BLOB_ASN1_DER, chunk,
 								BUILD_END);
diff --git a/src/charon/plugins/unit_tester/tests/test_sqlite.c b/src/charon/plugins/unit_tester/tests/test_sqlite.c
index d152fc594..dd8d1955e 100644
--- a/src/charon/plugins/unit_tester/tests/test_sqlite.c
+++ b/src/charon/plugins/unit_tester/tests/test_sqlite.c
@@ -29,14 +29,13 @@ bool test_sqlite()
 {
 	database_t *db;
 	char *txt = "I'm a superduper test";
-	char buf[] = {0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08};
-	chunk_t data = chunk_from_buf(buf);
+	chunk_t data = chunk_from_chars(0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08);
 	int row;
 	chunk_t qdata;
 	char *qtxt;
 	bool good = FALSE;
 	enumerator_t *enumerator;
-	
+
 	db = lib->db->create(lib->db, "sqlite://" DBFILE);
 	if (!db)
 	{
diff --git a/src/charon/plugins/unit_tester/unit_tester.c b/src/charon/plugins/unit_tester/unit_tester.c
index c9651e601..3c39688c6 100644
--- a/src/charon/plugins/unit_tester/unit_tester.c
+++ b/src/charon/plugins/unit_tester/unit_tester.c
@@ -33,17 +33,17 @@ struct private_unit_tester_t {
 };
 
 struct unit_test_t {
-	
+
 	/**
 	 * name of the test
 	 */
 	char *name;
-	
+
 	/**
 	 * test function
 	 */
 	bool (*test)(void);
-	
+
 	/**
 	 * run the test?
 	 */
@@ -62,10 +62,10 @@ static unit_test_t tests[] = {
 static void run_tests(private_unit_tester_t *this)
 {
 	int i, run = 0, failed = 0, success = 0, skipped = 0;
-	
+
 	DBG1(DBG_CFG, "running unit tests, %d tests registered",
 		 sizeof(tests)/sizeof(unit_test_t));
-	
+
 	for (i = 0; i < sizeof(tests)/sizeof(unit_test_t); i++)
 	{
 		if (tests[i].enabled)
@@ -106,11 +106,11 @@ static void destroy(private_unit_tester_t *this)
 plugin_t *plugin_create()
 {
 	private_unit_tester_t *this = malloc_thing(private_unit_tester_t);
-	
+
 	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-	
+
 	run_tests(this);
-	
+
 	return &this->public.plugin;
 }
 
diff --git a/src/charon/plugins/unit_tester/unit_tester.h b/src/charon/plugins/unit_tester/unit_tester.h
index 33b13313d..79d5bc021 100644
--- a/src/charon/plugins/unit_tester/unit_tester.h
+++ b/src/charon/plugins/unit_tester/unit_tester.h
@@ -28,7 +28,7 @@ typedef struct unit_tester_t unit_tester_t;
 /**
  * Unit testing plugin.
  *
- * The unit testing plugin runs tests on plugin initialization. Tests are 
+ * The unit testing plugin runs tests on plugin initialization. Tests are
  * defined in tests.h using the DEFINE_TEST macro. Implementation of the
  * tests is done in the tests folder. Each test has uses a function which
  * returns TRUE for success or FALSE for failure.
diff --git a/src/charon/plugins/updown/Makefile.am b/src/charon/plugins/updown/Makefile.am
index fe6e0bb52..6cad02a96 100644
--- a/src/charon/plugins/updown/Makefile.am
+++ b/src/charon/plugins/updown/Makefile.am
@@ -6,7 +6,7 @@ AM_CFLAGS = -rdynamic
 plugin_LTLIBRARIES = libstrongswan-updown.la
 libstrongswan_updown_la_SOURCES = \
   updown_plugin.h updown_plugin.c \
-  updown_listener.h updown_listener.c 
+  updown_listener.h updown_listener.c
 libstrongswan_updown_la_LDFLAGS = -module -avoid-version
 
 
diff --git a/src/charon/plugins/updown/Makefile.in b/src/charon/plugins/updown/Makefile.in
index b1b6fb497..78ba19d65 100644
--- a/src/charon/plugins/updown/Makefile.in
+++ b/src/charon/plugins/updown/Makefile.in
@@ -1,8 +1,9 @@
-# Makefile.in generated by automake 1.10.2 from Makefile.am.
+# Makefile.in generated by automake 1.11 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,8 +17,9 @@
 
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
@@ -35,19 +37,41 @@ host_triplet = @host@
 subdir = src/charon/plugins/updown
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
 CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
 am__vpath_adj = case $$p in \
     $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
     *) f=$$p;; \
   esac;
-am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__installdirs = "$(DESTDIR)$(plugindir)"
-pluginLTLIBRARIES_INSTALL = $(INSTALL)
 LTLIBRARIES = $(plugin_LTLIBRARIES)
 libstrongswan_updown_la_LIBADD =
 am_libstrongswan_updown_la_OBJECTS = updown_plugin.lo \
@@ -60,6 +84,7 @@ libstrongswan_updown_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
+am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
@@ -107,25 +132,22 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
-IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
-LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
-LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
-LINUX_HEADERS = @LINUX_HEADERS@
 LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
 NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
@@ -137,11 +159,14 @@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
 PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
+RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
@@ -170,9 +195,9 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
-confdir = @confdir@
 datadir = @datadir@
 datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
@@ -195,7 +220,7 @@ ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
 libstrongswan_plugins = @libstrongswan_plugins@
-linuxdir = @linuxdir@
+linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
@@ -203,6 +228,7 @@ mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
@@ -211,10 +237,12 @@ pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+random_device = @random_device@
 resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
-simreader = @simreader@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
@@ -222,6 +250,7 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
@@ -229,7 +258,7 @@ AM_CFLAGS = -rdynamic
 plugin_LTLIBRARIES = libstrongswan-updown.la
 libstrongswan_updown_la_SOURCES = \
   updown_plugin.h updown_plugin.c \
-  updown_listener.h updown_listener.c 
+  updown_listener.h updown_listener.c
 
 libstrongswan_updown_la_LDFLAGS = -module -avoid-version
 all: all-am
@@ -245,9 +274,9 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/charon/plugins/updown/Makefile'; \
-	cd $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu  src/charon/plugins/updown/Makefile
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/charon/plugins/updown/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/charon/plugins/updown/Makefile
 .PRECIOUS: Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
@@ -265,23 +294,28 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
 	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
 	  if test -f $$p; then \
-	    f=$(am__strip_dir) \
-	    echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(plugindir)/$$f'"; \
-	    $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(plugindir)/$$f"; \
+	    list2="$$list2 $$p"; \
 	  else :; fi; \
-	done
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
 
 uninstall-pluginLTLIBRARIES:
 	@$(NORMAL_UNINSTALL)
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
-	  p=$(am__strip_dir) \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$p'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$p"; \
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
 	done
 
 clean-pluginLTLIBRARIES:
@@ -306,21 +340,21 @@ distclean-compile:
 
 .c.o:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c $<
 
 .c.obj:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
 @am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
@@ -343,7 +377,7 @@ tags: TAGS
 
 TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
+	set x; \
 	here=`pwd`; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
@@ -351,29 +385,34 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
 	  test -n "$$unique" || unique=$$empty_fix; \
-	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	    $$tags $$unique; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
 	fi
 ctags: CTAGS
 CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	test -z "$(CTAGS_ARGS)$$unique" \
 	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$tags $$unique
+	     $$unique
 
 GTAGS:
 	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && cd $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) $$here
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
 
 distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
@@ -394,13 +433,17 @@ distdir: $(DISTFILES)
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
 	  if test -d $$d/$$file; then \
 	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
 	    fi; \
-	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
 	  else \
-	    test -f $(distdir)/$$file \
-	    || cp -p $$d/$$file $(distdir)/$$file \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
 	    || exit 1; \
 	  fi; \
 	done
@@ -431,6 +474,7 @@ clean-generic:
 
 distclean-generic:
 	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -452,6 +496,8 @@ dvi-am:
 
 html: html-am
 
+html-am:
+
 info: info-am
 
 info-am:
@@ -460,18 +506,28 @@ install-data-am: install-pluginLTLIBRARIES
 
 install-dvi: install-dvi-am
 
+install-dvi-am:
+
 install-exec-am:
 
 install-html: install-html-am
 
+install-html-am:
+
 install-info: install-info-am
 
+install-info-am:
+
 install-man:
 
 install-pdf: install-pdf-am
 
+install-pdf-am:
+
 install-ps: install-ps-am
 
+install-ps-am:
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -510,6 +566,7 @@ uninstall-am: uninstall-pluginLTLIBRARIES
 	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
 	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
 
+
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/src/charon/plugins/updown/updown_listener.c b/src/charon/plugins/updown/updown_listener.c
index a6be35690..5a6746f92 100644
--- a/src/charon/plugins/updown/updown_listener.c
+++ b/src/charon/plugins/updown/updown_listener.c
@@ -27,12 +27,12 @@ typedef struct private_updown_listener_t private_updown_listener_t;
  * Private data of an updown_listener_t object.
  */
 struct private_updown_listener_t {
-	
+
 	/**
 	 * Public updown_listener_t interface.
 	 */
 	updown_listener_t public;
-	
+
 	/**
 	 * List of cached interface names
 	 */
@@ -58,10 +58,10 @@ static void cache_iface(private_updown_listener_t *this, u_int32_t reqid,
 						char *iface)
 {
 	cache_entry_t *entry = malloc_thing(cache_entry_t);
-	
+
 	entry->reqid = reqid;
 	entry->iface = strdup(iface);
-	
+
 	this->iface_cache->insert_first(this->iface_cache, entry);
 }
 
@@ -73,7 +73,7 @@ static char* uncache_iface(private_updown_listener_t *this, u_int32_t reqid)
 	enumerator_t *enumerator;
 	cache_entry_t *entry;
 	char *iface = NULL;
-	
+
 	enumerator = this->iface_cache->create_enumerator(this->iface_cache);
 	while (enumerator->enumerate(enumerator, &entry))
 	{
@@ -89,35 +89,34 @@ static char* uncache_iface(private_updown_listener_t *this, u_int32_t reqid)
 	return iface;
 }
 
-/**
- * Run the up/down script
- */
-static void updown(private_updown_listener_t *this, ike_sa_t *ike_sa,
-				   child_sa_t *child_sa, bool up)
+METHOD(listener_t, child_updown, bool,
+	private_updown_listener_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa,
+	bool up)
 {
 	traffic_selector_t *my_ts, *other_ts;
 	enumerator_t *enumerator;
 	child_cfg_t *config;
 	host_t *vip, *me, *other;
 	char *script;
-	
+
 	config = child_sa->get_config(child_sa);
 	vip = ike_sa->get_virtual_ip(ike_sa, TRUE);
 	script = config->get_updown(config);
 	me = ike_sa->get_my_host(ike_sa);
 	other = ike_sa->get_other_host(ike_sa);
-	
+
 	if (script == NULL)
 	{
-		return;
+		return TRUE;
 	}
-	
+
 	enumerator = child_sa->create_policy_enumerator(child_sa);
 	while (enumerator->enumerate(enumerator, &my_ts, &other_ts))
 	{
 		char command[1024];
 		char *my_client, *other_client, *my_client_mask, *other_client_mask;
 		char *pos, *virtual_ip, *iface;
+		bool is_host, is_ipv6;
 		FILE *shell;
 
 		/* get subnet/bits from string */
@@ -160,7 +159,7 @@ static void updown(private_updown_listener_t *this, ike_sa_t *ike_sa,
 				virtual_ip = NULL;
 			}
 		}
-		
+
 		if (up)
 		{
 			iface = charon->kernel_interface->get_interface(
@@ -174,7 +173,12 @@ static void updown(private_updown_listener_t *this, ike_sa_t *ike_sa,
 		{
 			iface = uncache_iface(this, child_sa->get_reqid(child_sa));
 		}
-		
+
+		/* determine IPv4/IPv6 and client/host situation */
+		is_host = my_ts->is_host(my_ts, me);
+		is_ipv6 = is_host ? (me->get_family(me) == AF_INET6) :
+							(my_ts->get_type(my_ts) == TS_IPV6_ADDR_RANGE);
+
 		/* build the command with all env variables.
 		 * TODO: PLUTO_PEER_CA and PLUTO_NEXT_HOP are currently missing
 		 */
@@ -203,8 +207,8 @@ static void updown(private_updown_listener_t *this, ike_sa_t *ike_sa,
 				"%s"
 				"%s",
 				 up ? "up" : "down",
-				 my_ts->is_host(my_ts, me) ? "-host" : "-client",
-				 me->get_family(me) == AF_INET ? "" : "-v6",
+				 is_host ? "-host" : "-client",
+				 is_ipv6 ? "-v6" : "",
 				 config->get_name(config),
 				 iface ? iface : "unknown",
 				 child_sa->get_reqid(child_sa),
@@ -225,31 +229,27 @@ static void updown(private_updown_listener_t *this, ike_sa_t *ike_sa,
 		free(other_client);
 		free(virtual_ip);
 		free(iface);
-		
+
 		DBG3(DBG_CHD, "running updown script: %s", command);
 		shell = popen(command, "r");
 
 		if (shell == NULL)
 		{
 			DBG1(DBG_CHD, "could not execute updown script '%s'", script);
-			return;
+			return TRUE;
 		}
-		
+
 		while (TRUE)
 		{
 			char resp[128];
-			
+
 			if (fgets(resp, sizeof(resp), shell) == NULL)
 			{
 				if (ferror(shell))
 				{
 					DBG1(DBG_CHD, "error reading output from updown script");
-					return;
-				}
-				else
-				{
-					break;
 				}
+				break;
 			}
 			else
 			{
@@ -264,37 +264,11 @@ static void updown(private_updown_listener_t *this, ike_sa_t *ike_sa,
 		pclose(shell);
 	}
 	enumerator->destroy(enumerator);
-}
-
-/**
- * Listener implementation
- */
-static bool child_state_change(private_updown_listener_t *this, ike_sa_t *ike_sa,
-							   child_sa_t *child_sa, child_sa_state_t state)
-{
-	child_sa_state_t old;
-	
-	if (ike_sa)
-	{
-		old = child_sa->get_state(child_sa);
-		
-		if ((old == CHILD_INSTALLED && state != CHILD_REKEYING ) ||
-			(old == CHILD_DELETING && state == CHILD_DESTROYING))
-		{
-			updown(this, ike_sa, child_sa, FALSE);
-		}
-		else if (state == CHILD_INSTALLED)
-		{
-			updown(this, ike_sa, child_sa, TRUE);
-		}
-	}
 	return TRUE;
 }
 
-/**
- * Implementation of updown_listener_t.destroy.
- */
-static void destroy(private_updown_listener_t *this)
+METHOD(updown_listener_t, destroy, void,
+	private_updown_listener_t *this)
 {
 	this->iface_cache->destroy(this->iface_cache);
 	free(this);
@@ -305,14 +279,16 @@ static void destroy(private_updown_listener_t *this)
  */
 updown_listener_t *updown_listener_create()
 {
-	private_updown_listener_t *this = malloc_thing(private_updown_listener_t);
-	
-	memset(&this->public.listener, 0, sizeof(listener_t));
-	this->public.listener.child_state_change = (void*)child_state_change;
-	this->public.destroy = (void(*)(updown_listener_t*))destroy;
-	
-	this->iface_cache = linked_list_create();
-	
+	private_updown_listener_t *this;
+
+	INIT(this,
+		.public = {
+			.listener.child_updown = _child_updown,
+			.destroy = _destroy,
+		},
+		.iface_cache = linked_list_create(),
+	);
+
 	return &this->public;
 }
 
diff --git a/src/charon/plugins/updown/updown_listener.h b/src/charon/plugins/updown/updown_listener.h
index cc59f61c6..5b866c4e5 100644
--- a/src/charon/plugins/updown/updown_listener.h
+++ b/src/charon/plugins/updown/updown_listener.h
@@ -29,12 +29,12 @@ typedef struct updown_listener_t updown_listener_t;
  * Listener which invokes the scripts on CHILD_SA up/down.
  */
 struct updown_listener_t {
-	
+
 	/**
 	 * Implements listener_t.
 	 */
 	listener_t listener;
-	
+
 	/**
 	 * Destroy a updown_listener_t.
 	 */
@@ -46,4 +46,4 @@ struct updown_listener_t {
  */
 updown_listener_t *updown_listener_create();
 
-#endif /** UPDOWN_LISTENER_ @}*/
+#endif /** UPDOWN_LISTENER_H_ @}*/
diff --git a/src/charon/plugins/updown/updown_plugin.c b/src/charon/plugins/updown/updown_plugin.c
index 4f0483fac..6cb0efdcd 100644
--- a/src/charon/plugins/updown/updown_plugin.c
+++ b/src/charon/plugins/updown/updown_plugin.c
@@ -29,7 +29,7 @@ struct private_updown_plugin_t {
 	 * implements plugin interface
 	 */
 	updown_plugin_t public;
-	
+
 	/**
 	 * Listener interface, listens to CHILD_SA state changes
 	 */
@@ -52,12 +52,12 @@ static void destroy(private_updown_plugin_t *this)
 plugin_t *plugin_create()
 {
 	private_updown_plugin_t *this = malloc_thing(private_updown_plugin_t);
-	
+
 	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-	
+
 	this->listener = updown_listener_create();
 	charon->bus->add_listener(charon->bus, &this->listener->listener);
-	
+
 	return &this->public.plugin;
 }
 
diff --git a/src/charon/processing/jobs/acquire_job.c b/src/charon/processing/jobs/acquire_job.c
index 90b221b84..45ace9312 100644
--- a/src/charon/processing/jobs/acquire_job.c
+++ b/src/charon/processing/jobs/acquire_job.c
@@ -28,17 +28,17 @@ struct private_acquire_job_t {
 	 * Public acquire_job_t interface.
 	 */
 	acquire_job_t public;
-	
+
 	/**
 	 * reqid of the child to rekey
 	 */
 	u_int32_t reqid;
-	
+
 	/**
 	 * acquired source traffic selector
 	 */
 	traffic_selector_t *src_ts;
-	
+
 	/**
 	 * acquired destination traffic selector
 	 */
@@ -73,14 +73,14 @@ acquire_job_t *acquire_job_create(u_int32_t reqid,
 								  traffic_selector_t *dst_ts)
 {
 	private_acquire_job_t *this = malloc_thing(private_acquire_job_t);
-	
+
 	this->public.job_interface.execute = (void (*) (job_t *)) execute;
 	this->public.job_interface.destroy = (void (*)(job_t*)) destroy;
-	
+
 	this->reqid = reqid;
 	this->src_ts = src_ts;
 	this->dst_ts = dst_ts;
-	
+
 	return &this->public;
 }
 
diff --git a/src/charon/processing/jobs/acquire_job.h b/src/charon/processing/jobs/acquire_job.h
index a78e5274d..eff79a9b0 100644
--- a/src/charon/processing/jobs/acquire_job.h
+++ b/src/charon/processing/jobs/acquire_job.h
@@ -24,12 +24,12 @@
 typedef struct acquire_job_t acquire_job_t;
 
 #include <library.h>
-#include <config/traffic_selector.h>
+#include <selectors/traffic_selector.h>
 #include <processing/jobs/job.h>
 
 /**
  * Class representing an ACQUIRE Job.
- * 
+ *
  * This job initiates a CHILD SA on kernel request.
  */
 struct acquire_job_t {
diff --git a/src/charon/processing/jobs/callback_job.c b/src/charon/processing/jobs/callback_job.c
index f4beb5abd..7e35dcdcb 100644
--- a/src/charon/processing/jobs/callback_job.c
+++ b/src/charon/processing/jobs/callback_job.c
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2009 Tobias Brunner
  * Copyright (C) 2007 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -12,13 +13,15 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  */
- 
+
 #include "callback_job.h"
 
-#include <pthread.h>
+#include <semaphore.h>
 
 #include <daemon.h>
-#include <utils/mutex.h>
+#include <threading/thread.h>
+#include <threading/condvar.h>
+#include <threading/mutex.h>
 
 typedef struct private_callback_job_t private_callback_job_t;
 
@@ -30,7 +33,7 @@ struct private_callback_job_t {
 	 * Public callback_job_t interface.
 	 */
 	callback_job_t public;
-	
+
 	/**
 	 * Callback to call on execution
 	 */
@@ -40,70 +43,94 @@ struct private_callback_job_t {
 	 * parameter to supply to callback
 	 */
 	void *data;
-	
+
 	/**
 	 * cleanup function for data
 	 */
 	callback_job_cleanup_t cleanup;
-	
+
 	/**
-	 * thread ID of the job, if running
+	 * thread of the job, if running
 	 */
-	pthread_t thread;
-	
+	thread_t *thread;
+
 	/**
 	 * mutex to access jobs interna
 	 */
 	mutex_t *mutex;
-	
+
 	/**
 	 * list of asociated child jobs
 	 */
 	linked_list_t *children;
-	
+
 	/**
 	 * parent of this job, or NULL
 	 */
 	private_callback_job_t *parent;
-};
 
-/**
- * Implements job_t.destroy.
- */
-static void destroy(private_callback_job_t *this)
-{
-	if (this->cleanup)
-	{
-		this->cleanup(this->data);
-	}
-	this->children->destroy(this->children);
-	this->mutex->destroy(this->mutex);
-	free(this);
-}
+	/**
+	 * TRUE if the job got cancelled
+	 */
+	bool cancelled;
+
+	/**
+	 * condvar to synchronize the cancellation/destruction of the job
+	 */
+	condvar_t *destroyable;
+
+	/**
+	 * semaphore to synchronize the termination of the assigned thread.
+	 *
+	 * separately allocated during cancellation, so that we can wait on it
+	 * without risking that it gets freed too early during destruction.
+	 */
+	sem_t *terminated;
+};
 
 /**
  * unregister a child from its parent, if any.
+ * note: this->mutex has to be locked
  */
 static void unregister(private_callback_job_t *this)
 {
 	if (this->parent)
 	{
-		iterator_t *iterator;
-		private_callback_job_t *child;
-		
 		this->parent->mutex->lock(this->parent->mutex);
-		iterator = this->parent->children->create_iterator(this->parent->children, TRUE);
-		while (iterator->iterate(iterator, (void**)&child))
+		if (this->parent->cancelled && !this->cancelled)
 		{
-			if (child == this)
-			{
-				iterator->remove(iterator);
-				break;
-			}
+			/* if the parent has been cancelled but we have not yet, we do not
+			 * unregister until we got cancelled by the parent. */
+			this->parent->mutex->unlock(this->parent->mutex);
+			this->destroyable->wait(this->destroyable, this->mutex);
+			this->parent->mutex->lock(this->parent->mutex);
 		}
-		iterator->destroy(iterator);
+		this->parent->children->remove(this->parent->children, this, NULL);
 		this->parent->mutex->unlock(this->parent->mutex);
+		this->parent = NULL;
+	}
+}
+
+/**
+ * Implements job_t.destroy.
+ */
+static void destroy(private_callback_job_t *this)
+{
+	this->mutex->lock(this->mutex);
+	unregister(this);
+	if (this->cleanup)
+	{
+		this->cleanup(this->data);
 	}
+	if (this->terminated)
+	{
+		sem_post(this->terminated);
+	}
+	this->children->destroy(this->children);
+	this->destroyable->destroy(this->destroyable);
+	this->mutex->unlock(this->mutex);
+	this->mutex->destroy(this->mutex);
+	free(this);
 }
 
 /**
@@ -111,20 +138,42 @@ static void unregister(private_callback_job_t *this)
  */
 static void cancel(private_callback_job_t *this)
 {
-	pthread_t thread;
-	
+	callback_job_t *child;
+	sem_t *terminated = NULL;
+
 	this->mutex->lock(this->mutex);
-	thread = this->thread;
-	
-	/* terminate its children */
-	this->children->invoke_offset(this->children, offsetof(callback_job_t, cancel));
+	this->cancelled = TRUE;
+	/* terminate children */
+	while (this->children->get_first(this->children, (void**)&child) == SUCCESS)
+	{
+		this->mutex->unlock(this->mutex);
+		child->cancel(child);
+		this->mutex->lock(this->mutex);
+	}
+	if (this->thread)
+	{
+		/* terminate the thread, if there is currently one executing the job.
+		 * we wait for its termination using a semaphore */
+		this->thread->cancel(this->thread);
+		terminated = this->terminated = malloc_thing(sem_t);
+		sem_init(terminated, 0, 0);
+	}
+	else
+	{
+		/* if the job is currently queued, it gets terminated later.
+		 * we can't wait, because it might not get executed at all.
+		 * we also unregister the queued job manually from its parent (the
+		 * others get unregistered during destruction) */
+		unregister(this);
+	}
+	this->destroyable->signal(this->destroyable);
 	this->mutex->unlock(this->mutex);
-	
-	/* terminate thread */
-	if (thread)
+
+	if (terminated)
 	{
-		pthread_cancel(thread);
-		pthread_join(thread, NULL);
+		sem_wait(terminated);
+		sem_destroy(terminated);
+		free(terminated);
 	}
 }
 
@@ -135,20 +184,28 @@ static void execute(private_callback_job_t *this)
 {
 	bool cleanup = FALSE;
 
+	thread_cleanup_push((thread_cleanup_t)destroy, this);
+
 	this->mutex->lock(this->mutex);
-	this->thread = pthread_self();
+	this->thread = thread_current();
 	this->mutex->unlock(this->mutex);
-	
-	pthread_cleanup_push((void*)destroy, this);
+
 	while (TRUE)
 	{
+		this->mutex->lock(this->mutex);
+		if (this->cancelled)
+		{
+			this->mutex->unlock(this->mutex);
+			cleanup = TRUE;
+			break;
+		}
+		this->mutex->unlock(this->mutex);
 		switch (this->callback(this->data))
 		{
 			case JOB_REQUEUE_DIRECT:
 				continue;
 			case JOB_REQUEUE_FAIR:
 			{
-				this->thread = 0;
 				charon->processor->queue_job(charon->processor,
 											 &this->public.job_interface);
 				break;
@@ -156,15 +213,19 @@ static void execute(private_callback_job_t *this)
 			case JOB_REQUEUE_NONE:
 			default:
 			{
-				this->thread = 0;
 				cleanup = TRUE;
 				break;
 			}
 		}
 		break;
 	}
-	unregister(this);
-	pthread_cleanup_pop(cleanup);
+	this->mutex->lock(this->mutex);
+	this->thread = NULL;
+	this->mutex->unlock(this->mutex);
+	/* manually create a cancellation point to avoid that a cancelled thread
+	 * goes back into the thread pool */
+	thread_cancellation_point();
+	thread_cleanup_pop(cleanup);
 }
 
 /*
@@ -175,7 +236,7 @@ callback_job_t *callback_job_create(callback_job_cb_t cb, void *data,
 									callback_job_t *parent)
 {
 	private_callback_job_t *this = malloc_thing(private_callback_job_t);
-	
+
 	/* interface functions */
 	this->public.job_interface.execute = (void (*) (job_t *)) execute;
 	this->public.job_interface.destroy = (void (*) (job_t *)) destroy;
@@ -189,7 +250,10 @@ callback_job_t *callback_job_create(callback_job_cb_t cb, void *data,
 	this->thread = 0;
 	this->children = linked_list_create();
 	this->parent = (private_callback_job_t*)parent;
-	
+	this->cancelled = FALSE;
+	this->destroyable = condvar_create(CONDVAR_TYPE_DEFAULT);
+	this->terminated = NULL;
+
 	/* register us at parent */
 	if (parent)
 	{
@@ -197,7 +261,7 @@ callback_job_t *callback_job_create(callback_job_cb_t cb, void *data,
 		this->parent->children->insert_last(this->parent->children, this);
 		this->parent->mutex->unlock(this->parent->mutex);
 	}
-	
+
 	return &this->public;
 }
 
diff --git a/src/charon/processing/jobs/callback_job.h b/src/charon/processing/jobs/callback_job.h
index 2bb209cb7..62da1edd1 100644
--- a/src/charon/processing/jobs/callback_job.h
+++ b/src/charon/processing/jobs/callback_job.h
@@ -41,12 +41,12 @@ enum job_requeue_t {
 	 * Do not requeue job, destroy it
 	 */
 	JOB_REQUEUE_NONE,
-	
+
 	/**
 	 * Reque the job fairly, meaning it has to requeue as any other job
 	 */
 	JOB_REQUEUE_FAIR,
-	
+
 	/**
 	 * Reexecute the job directly, without the need of requeueing it
 	 */
@@ -88,10 +88,11 @@ struct callback_job_t {
 	 * The job_t interface.
 	 */
 	job_t job_interface;
-	
+
 	/**
-	 * Cancel the jobs thread and wait for its termination.
-	 */
+	 * Cancel the job's thread and wait for its termination. This only works
+	 * reliably for jobs that always use JOB_REQUEUE_FAIR or JOB_REQUEUE_DIRECT,
+	 * otherwise the job may already be destroyed when cancel is called. */
 	void (*cancel)(callback_job_t *this);
 };
 
@@ -103,7 +104,7 @@ struct callback_job_t {
  * If parent is not NULL, the specified job gets an association. Whenever
  * the parent gets cancelled (or runs out), all of its children are cancelled,
  * too.
- * 
+ *
  * @param cb				callback to call from the processor
  * @param data				user data to supply to callback
  * @param cleanup			destructor for data on destruction, or NULL
diff --git a/src/charon/processing/jobs/delete_child_sa_job.c b/src/charon/processing/jobs/delete_child_sa_job.c
index 206f07617..ca55721f2 100644
--- a/src/charon/processing/jobs/delete_child_sa_job.c
+++ b/src/charon/processing/jobs/delete_child_sa_job.c
@@ -29,17 +29,17 @@ struct private_delete_child_sa_job_t {
 	 * Public delete_child_sa_job_t interface.
 	 */
 	delete_child_sa_job_t public;
-	
+
 	/**
 	 * reqid of the CHILD_SA
 	 */
 	u_int32_t reqid;
-	
+
 	/**
 	 * protocol of the CHILD_SA (ESP/AH)
 	 */
 	protocol_id_t protocol;
-	
+
 	/**
 	 * inbound SPI of the CHILD_SA
 	 */
@@ -60,7 +60,7 @@ static void destroy(private_delete_child_sa_job_t *this)
 static void execute(private_delete_child_sa_job_t *this)
 {
 	ike_sa_t *ike_sa;
-	
+
 	ike_sa = charon->ike_sa_manager->checkout_by_id(charon->ike_sa_manager,
 													this->reqid, TRUE);
 	if (ike_sa == NULL)
@@ -71,7 +71,7 @@ static void execute(private_delete_child_sa_job_t *this)
 	else
 	{
 		ike_sa->delete_child_sa(ike_sa, this->protocol, this->spi);
-		
+
 		charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
 	}
 	destroy(this);
@@ -80,21 +80,21 @@ static void execute(private_delete_child_sa_job_t *this)
 /*
  * Described in header
  */
-delete_child_sa_job_t *delete_child_sa_job_create(u_int32_t reqid, 
-												  protocol_id_t protocol, 
+delete_child_sa_job_t *delete_child_sa_job_create(u_int32_t reqid,
+												  protocol_id_t protocol,
 												  u_int32_t spi)
 {
 	private_delete_child_sa_job_t *this = malloc_thing(private_delete_child_sa_job_t);
-	
+
 	/* interface functions */
 	this->public.job_interface.execute = (void (*) (job_t *)) execute;
 	this->public.job_interface.destroy = (void (*)(job_t*)) destroy;
-	
+
 	/* private variables */
 	this->reqid = reqid;
 	this->protocol = protocol;
 	this->spi = spi;
-	
+
 	return &this->public;
 }
 
diff --git a/src/charon/processing/jobs/delete_child_sa_job.h b/src/charon/processing/jobs/delete_child_sa_job.h
index 9bf6ee423..662a7b7c7 100644
--- a/src/charon/processing/jobs/delete_child_sa_job.h
+++ b/src/charon/processing/jobs/delete_child_sa_job.h
@@ -31,7 +31,7 @@ typedef struct delete_child_sa_job_t delete_child_sa_job_t;
 
 /**
  * Class representing an DELETE_CHILD_SA Job.
- * 
+ *
  * This job initiates the delete of a CHILD SA.
  */
 struct delete_child_sa_job_t {
@@ -52,8 +52,8 @@ struct delete_child_sa_job_t {
  * @param spi		security parameter index of the CHILD_SA
  * @return			delete_child_sa_job_t object
  */
-delete_child_sa_job_t *delete_child_sa_job_create(u_int32_t reqid, 
-												  protocol_id_t protocol, 
+delete_child_sa_job_t *delete_child_sa_job_create(u_int32_t reqid,
+												  protocol_id_t protocol,
 												  u_int32_t spi);
 
 #endif /** DELETE_CHILD_SA_JOB_H_ @}*/
diff --git a/src/charon/processing/jobs/delete_ike_sa_job.c b/src/charon/processing/jobs/delete_ike_sa_job.c
index 6d4639fad..dffd08ba3 100644
--- a/src/charon/processing/jobs/delete_ike_sa_job.c
+++ b/src/charon/processing/jobs/delete_ike_sa_job.c
@@ -28,12 +28,12 @@ struct private_delete_ike_sa_job_t {
 	 * public delete_ike_sa_job_t interface
 	 */
 	delete_ike_sa_job_t public;
-	
+
 	/**
 	 * ID of the ike_sa to delete
 	 */
 	ike_sa_id_t *ike_sa_id;
-	
+
 	/**
 	 * Should the IKE_SA be deleted if it is in ESTABLISHED state?
 	 */
@@ -56,7 +56,7 @@ static void destroy(private_delete_ike_sa_job_t *this)
 static void execute(private_delete_ike_sa_job_t *this)
 {
 	ike_sa_t *ike_sa;
-	
+
 	ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager,
 											  this->ike_sa_id);
 	if (ike_sa)
@@ -99,18 +99,18 @@ static void execute(private_delete_ike_sa_job_t *this)
 /*
  * Described in header
  */
-delete_ike_sa_job_t *delete_ike_sa_job_create(ike_sa_id_t *ike_sa_id, 
+delete_ike_sa_job_t *delete_ike_sa_job_create(ike_sa_id_t *ike_sa_id,
 											  bool delete_if_established)
 {
 	private_delete_ike_sa_job_t *this = malloc_thing(private_delete_ike_sa_job_t);
-	
+
 	/* interface functions */
 	this->public.job_interface.execute = (void (*) (job_t *)) execute;
 	this->public.job_interface.destroy = (void (*)(job_t *)) destroy;;
-	
+
 	/* private variables */
 	this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
 	this->delete_if_established = delete_if_established;
-	
+
 	return &(this->public);
 }
diff --git a/src/charon/processing/jobs/delete_ike_sa_job.h b/src/charon/processing/jobs/delete_ike_sa_job.h
index 8209977f9..f641deea3 100644
--- a/src/charon/processing/jobs/delete_ike_sa_job.h
+++ b/src/charon/processing/jobs/delete_ike_sa_job.h
@@ -18,7 +18,7 @@
  * @defgroup delete_child_sa_job delete_child_sa_job
  * @{ @ingroup jobs
  */
- 
+
 #ifndef DELETE_IKE_SA_JOB_H_
 #define DELETE_IKE_SA_JOB_H_
 
@@ -32,12 +32,12 @@ typedef struct delete_ike_sa_job_t delete_ike_sa_job_t;
 /**
  * Class representing an DELETE_IKE_SA Job.
  *
- * This job is responsible for deleting established or half open IKE_SAs. 
+ * This job is responsible for deleting established or half open IKE_SAs.
  * A half open IKE_SA is every IKE_SA which hasn't reache the SA_ESTABLISHED
  * state.
  */
 struct delete_ike_sa_job_t {
-	
+
 	/**
 	 * The job_t interface.
 	 */
@@ -46,7 +46,7 @@ struct delete_ike_sa_job_t {
 
 /**
  * Creates a job of type DELETE_IKE_SA.
- * 
+ *
  * @param ike_sa_id				id of the IKE_SA to delete
  * @param delete_if_established	should the IKE_SA be deleted if it is established?
  * @return						created delete_ike_sa_job_t object
diff --git a/src/charon/processing/jobs/inactivity_job.c b/src/charon/processing/jobs/inactivity_job.c
new file mode 100644
index 000000000..13fc5e3d0
--- /dev/null
+++ b/src/charon/processing/jobs/inactivity_job.c
@@ -0,0 +1,150 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "inactivity_job.h"
+
+#include <daemon.h>
+
+typedef struct private_inactivity_job_t private_inactivity_job_t;
+
+/**
+ * Private data of an inactivity_job_t object.
+ */
+struct private_inactivity_job_t {
+
+	/**
+	 * Public inactivity_job_t interface.
+	 */
+	inactivity_job_t public;
+
+	/**
+	 * Reqid of CHILD_SA to check
+	 */
+	u_int32_t reqid;
+
+	/**
+	 * Inactivity timeout
+	 */
+	u_int32_t timeout;
+
+	/**
+	 * Close IKE_SA if last remaining CHILD inactive?
+	 */
+	bool close_ike;
+};
+
+METHOD(job_t, destroy, void,
+	private_inactivity_job_t *this)
+{
+	free(this);
+}
+
+METHOD(job_t, execute, void,
+	private_inactivity_job_t *this)
+{
+	ike_sa_t *ike_sa;
+	bool rescheduled = FALSE;
+
+	ike_sa = charon->ike_sa_manager->checkout_by_id(charon->ike_sa_manager,
+													this->reqid, TRUE);
+	if (ike_sa)
+	{
+		iterator_t *iterator;
+		child_sa_t *child_sa;
+		u_int32_t delete = 0;
+		protocol_id_t proto = 0;
+		int children = 0;
+		status_t status = SUCCESS;
+
+		iterator = ike_sa->create_child_sa_iterator(ike_sa);
+		while (iterator->iterate(iterator, (void**)&child_sa))
+		{
+			if (child_sa->get_reqid(child_sa) == this->reqid)
+			{
+				time_t in, out, diff;
+
+				child_sa->get_usestats(child_sa, TRUE, &in, NULL);
+				child_sa->get_usestats(child_sa, FALSE, &out, NULL);
+
+				diff = time_monotonic(NULL) - max(in, out);
+
+				if (diff >= this->timeout)
+				{
+					delete = child_sa->get_spi(child_sa, TRUE);
+					proto = child_sa->get_protocol(child_sa);
+				}
+				else
+				{
+					charon->scheduler->schedule_job(charon->scheduler,
+							&this->public.job_interface, this->timeout - diff);
+					rescheduled = TRUE;
+				}
+			}
+			children++;
+		}
+		iterator->destroy(iterator);
+
+		if (delete)
+		{
+			if (children == 1 && this->close_ike)
+			{
+				DBG1(DBG_JOB, "deleting IKE_SA after %d seconds "
+					 "of CHILD_SA inactivity", this->timeout);
+				status = ike_sa->delete(ike_sa);
+			}
+			else
+			{
+				DBG1(DBG_JOB, "deleting CHILD_SA after %d seconds "
+					 "of inactivity", this->timeout);
+				status = ike_sa->delete_child_sa(ike_sa, proto, delete);
+			}
+		}
+		if (status == DESTROY_ME)
+		{
+			charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager,
+														ike_sa);
+		}
+		else
+		{
+			charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+		}
+	}
+	if (!rescheduled)
+	{
+		destroy(this);
+	}
+}
+
+/**
+ * See header
+ */
+inactivity_job_t *inactivity_job_create(u_int32_t reqid, u_int32_t timeout,
+										bool close_ike)
+{
+	private_inactivity_job_t *this;
+
+	INIT(this,
+		.public.job_interface = {
+			.execute = _execute,
+			.destroy = _destroy,
+		},
+		.reqid = reqid,
+		.timeout = timeout,
+		.close_ike = close_ike,
+	);
+
+	return &this->public;
+}
+
diff --git a/src/charon/processing/jobs/inactivity_job.h b/src/charon/processing/jobs/inactivity_job.h
new file mode 100644
index 000000000..9c9daced8
--- /dev/null
+++ b/src/charon/processing/jobs/inactivity_job.h
@@ -0,0 +1,53 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup inactivity_job inactivity_job
+ * @{ @ingroup jobs
+ */
+
+#ifndef INACTIVITY_JOB_H_
+#define INACTIVITY_JOB_H_
+
+#include <library.h>
+#include <processing/jobs/job.h>
+
+typedef struct inactivity_job_t inactivity_job_t;
+
+/**
+ * Job checking for inactivity of CHILD_SA to close them.
+ *
+ * The inactivity job reschedules itself to check CHILD_SAs prediodically.
+ */
+struct inactivity_job_t {
+
+	/**
+	 * Implements job_t.
+	 */
+	job_t job_interface;
+};
+
+/**
+ * Create a inactivity_job instance.
+ *
+ * @param reqid		reqid of CHILD_SA to check for inactivity
+ * @param timeout	inactivity timeout in s
+ * @param close_ike	close IKE_SA if the last remaining CHILD_SA is inactive?
+ * @return			inactivity checking job
+ */
+inactivity_job_t *inactivity_job_create(u_int32_t reqid, u_int32_t timeout,
+										bool close_ike);
+
+#endif /** INACTIVITY_JOB_H_ @}*/
diff --git a/src/charon/processing/jobs/initiate_mediation_job.c b/src/charon/processing/jobs/initiate_mediation_job.c
index 157d84341..ffe8755e2 100644
--- a/src/charon/processing/jobs/initiate_mediation_job.c
+++ b/src/charon/processing/jobs/initiate_mediation_job.c
@@ -29,12 +29,12 @@ struct private_initiate_mediation_job_t {
 	 * public initiate_mediation_job_t interface
 	 */
 	initiate_mediation_job_t public;
-	
+
 	/**
 	 * ID of the IKE_SA of the mediated connection.
 	 */
 	ike_sa_id_t *mediated_sa_id;
-	
+
 	/**
 	 * ID of the IKE_SA of the mediation connection.
 	 */
@@ -68,26 +68,27 @@ static bool initiate_callback(private_initiate_mediation_job_t *this,
 
 /**
  * Implementation of job_t.execute.
- */ 
+ */
 static void initiate(private_initiate_mediation_job_t *this)
 {
 	ike_sa_t *mediated_sa, *mediation_sa;
 	peer_cfg_t *mediated_cfg, *mediation_cfg;
 	enumerator_t *enumerator;
 	auth_cfg_t *auth_cfg;
-	
+
 	mediated_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager,
 												   this->mediated_sa_id);
 	if (mediated_sa)
 	{
+		DBG1(DBG_IKE, "initiating mediation connection");
 		mediated_cfg = mediated_sa->get_peer_cfg(mediated_sa);
-		mediated_cfg->get_ref(mediated_cfg); 
-		
+		mediated_cfg->get_ref(mediated_cfg);
+
 		charon->ike_sa_manager->checkin(charon->ike_sa_manager, mediated_sa);
-		
+
 		mediation_cfg = mediated_cfg->get_mediated_by(mediated_cfg);
 		mediation_cfg->get_ref(mediation_cfg);
-		
+
 		enumerator = mediation_cfg->create_auth_cfg_enumerator(mediation_cfg,
 															   TRUE);
 		if (!enumerator->enumerate(enumerator, &auth_cfg) ||
@@ -99,7 +100,8 @@ static void initiate(private_initiate_mediation_job_t *this)
 			destroy(this);
 			return;
 		}
-		
+		enumerator->destroy(enumerator);
+
 		if (charon->connect_manager->check_and_register(charon->connect_manager,
 				auth_cfg->get(auth_cfg, AUTH_RULE_IDENTITY),
 				mediated_cfg->get_peer_id(mediated_cfg),
@@ -107,7 +109,7 @@ static void initiate(private_initiate_mediation_job_t *this)
 		{
 			mediated_cfg->destroy(mediated_cfg);
 			mediation_cfg->destroy(mediation_cfg);
-			
+
 			mediated_sa = charon->ike_sa_manager->checkout(
 								charon->ike_sa_manager, this->mediated_sa_id);
 			if (mediated_sa)
@@ -121,7 +123,7 @@ static void initiate(private_initiate_mediation_job_t *this)
 			return;
 		}
 		/* we need an additional reference because initiate consumes one */
-		mediation_cfg->get_ref(mediation_cfg); 
+		mediation_cfg->get_ref(mediation_cfg);
 
 		if (charon->controller->initiate(charon->controller, mediation_cfg,
 					NULL, (controller_cb_t)initiate_callback, this) != SUCCESS)
@@ -142,8 +144,7 @@ static void initiate(private_initiate_mediation_job_t *this)
 		mediation_cfg->destroy(mediation_cfg);
 
 		mediation_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager,
-				this->mediation_sa_id);
-		
+														this->mediation_sa_id);
 		if (mediation_sa)
 		{
 			if (mediation_sa->initiate_mediation(mediation_sa,
@@ -163,10 +164,9 @@ static void initiate(private_initiate_mediation_job_t *this)
 				destroy(this);
 				return;
 			}
-			
-			charon->ike_sa_manager->checkin(charon->ike_sa_manager, mediation_sa);
+			charon->ike_sa_manager->checkin(charon->ike_sa_manager,
+											mediation_sa);
 		}
-		
 		mediated_cfg->destroy(mediated_cfg);
 	}
 	destroy(this);
@@ -174,44 +174,50 @@ static void initiate(private_initiate_mediation_job_t *this)
 
 /**
  * Implementation of job_t.execute.
- */ 
+ */
 static void reinitiate(private_initiate_mediation_job_t *this)
 {
 	ike_sa_t *mediated_sa, *mediation_sa;
 	peer_cfg_t *mediated_cfg;
-	
+
 	mediated_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager,
-											  this->mediated_sa_id);
+												   this->mediated_sa_id);
 	if (mediated_sa)
 	{
 		mediated_cfg = mediated_sa->get_peer_cfg(mediated_sa);
 		mediated_cfg->get_ref(mediated_cfg);
 		charon->ike_sa_manager->checkin(charon->ike_sa_manager, mediated_sa);
-		
+
 		mediation_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager,
-				this->mediation_sa_id);
+														this->mediation_sa_id);
 		if (mediation_sa)
 		{
-			if (mediation_sa->initiate_mediation(mediation_sa, mediated_cfg) != SUCCESS)
+			if (mediation_sa->initiate_mediation(mediation_sa,
+												 mediated_cfg) != SUCCESS)
 			{
 				DBG1(DBG_JOB, "initiating mediated connection '%s' failed",
-						mediated_cfg->get_name(mediated_cfg));
+					 mediated_cfg->get_name(mediated_cfg));
 				mediated_cfg->destroy(mediated_cfg);
-				charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, mediation_sa);
+				charon->ike_sa_manager->checkin_and_destroy(
+										charon->ike_sa_manager,
+										mediation_sa);
 				mediated_sa = charon->ike_sa_manager->checkout(
-								charon->ike_sa_manager, this->mediated_sa_id);
+										charon->ike_sa_manager,
+										this->mediated_sa_id);
 				if (mediated_sa)
 				{
 					DBG1(DBG_IKE, "establishing mediation connection failed");
 					charon->ike_sa_manager->checkin_and_destroy(
-										charon->ike_sa_manager, mediated_sa);
+										charon->ike_sa_manager,
+										mediated_sa);
 				}
 				destroy(this);
 				return;
 			}
-			charon->ike_sa_manager->checkin(charon->ike_sa_manager, mediation_sa);
+			charon->ike_sa_manager->checkin(charon->ike_sa_manager,
+											mediation_sa);
 		}
-		
+
 		mediated_cfg->destroy(mediated_cfg);
 	}
 	destroy(this);
@@ -223,10 +229,10 @@ static void reinitiate(private_initiate_mediation_job_t *this)
 static private_initiate_mediation_job_t *initiate_mediation_job_create_empty()
 {
 	private_initiate_mediation_job_t *this = malloc_thing(private_initiate_mediation_job_t);
-	
+
 	/* interface functions */
 	this->public.job_interface.destroy = (void (*) (job_t *)) destroy;
-	
+
 	/* private variables */
 	this->mediation_sa_id = NULL;
 	this->mediated_sa_id = NULL;
@@ -240,9 +246,9 @@ static private_initiate_mediation_job_t *initiate_mediation_job_create_empty()
 initiate_mediation_job_t *initiate_mediation_job_create(ike_sa_id_t *ike_sa_id)
 {
 	private_initiate_mediation_job_t *this = initiate_mediation_job_create_empty();
-	
+
 	this->public.job_interface.execute = (void (*) (job_t *)) initiate;
-	
+
 	this->mediated_sa_id = ike_sa_id->clone(ike_sa_id);
 
 	return &this->public;
@@ -255,11 +261,11 @@ initiate_mediation_job_t *reinitiate_mediation_job_create(ike_sa_id_t *mediation
 		ike_sa_id_t *mediated_sa_id)
 {
 	private_initiate_mediation_job_t *this = initiate_mediation_job_create_empty();
-	
+
 	this->public.job_interface.execute = (void (*) (job_t *)) reinitiate;
-	
+
 	this->mediation_sa_id = mediation_sa_id->clone(mediation_sa_id);
 	this->mediated_sa_id = mediated_sa_id->clone(mediated_sa_id);
-	
-	return &this->public; 
+
+	return &this->public;
 }
diff --git a/src/charon/processing/jobs/initiate_mediation_job.h b/src/charon/processing/jobs/initiate_mediation_job.h
index 084e1b9fd..fddb1dd7b 100644
--- a/src/charon/processing/jobs/initiate_mediation_job.h
+++ b/src/charon/processing/jobs/initiate_mediation_job.h
@@ -28,7 +28,7 @@ typedef struct initiate_mediation_job_t initiate_mediation_job_t;
 
 /**
  * Class representing a INITIATE_MEDIATION Job.
- * 
+ *
  * This job will initiate a mediation on behalf of a mediated connection.
  * If required the mediation connection is established.
  */
@@ -41,7 +41,7 @@ struct initiate_mediation_job_t {
 
 /**
  * Creates a job of type INITIATE_MEDIATION.
- * 
+ *
  * @param ike_sa_id		identification of the ike_sa as ike_sa_id_t object (gets cloned)
  * @return				job object
  */
@@ -50,12 +50,13 @@ initiate_mediation_job_t *initiate_mediation_job_create(ike_sa_id_t *ike_sa_id);
 /**
  * Creates a special job of type INITIATE_MEDIATION that reinitiates a
  * specific connection.
- * 
+ *
  * @param mediation_sa_id		identification of the mediation sa (gets cloned)
  * @param mediated_sa_id		identification of the mediated sa (gets cloned)
  * @return						job object
  */
-initiate_mediation_job_t *reinitiate_mediation_job_create(ike_sa_id_t *mediation_sa_id,
-		ike_sa_id_t *mediated_sa_id);
+initiate_mediation_job_t *reinitiate_mediation_job_create(
+												ike_sa_id_t *mediation_sa_id,
+												ike_sa_id_t *mediated_sa_id);
 
 #endif /** INITIATE_MEDIATION_JOB_H_ @}*/
diff --git a/src/charon/processing/jobs/job.h b/src/charon/processing/jobs/job.h
index acc88b124..0f1c16ebe 100644
--- a/src/charon/processing/jobs/job.h
+++ b/src/charon/processing/jobs/job.h
@@ -33,7 +33,7 @@ struct job_t {
 
 	/**
 	 * Execute a job.
-	 * 
+	 *
 	 * The processing facility executes a job using this method. Jobs are
 	 * one-shot, they destroy themself after execution, so don't use a job
 	 * once it has been executed.
diff --git a/src/charon/processing/jobs/mediation_job.c b/src/charon/processing/jobs/mediation_job.c
index cf522faff..b5b8af3b3 100644
--- a/src/charon/processing/jobs/mediation_job.c
+++ b/src/charon/processing/jobs/mediation_job.c
@@ -29,37 +29,37 @@ struct private_mediation_job_t {
 	 * public mediation_job_t interface
 	 */
 	mediation_job_t public;
-	
+
 	/**
 	 * ID of target peer.
 	 */
 	identification_t *target;
-	
+
 	/**
 	 * ID of the source peer.
 	 */
 	identification_t *source;
-	
+
 	/**
 	 * ME_CONNECTID
 	 */
 	chunk_t connect_id;
-	
+
 	/**
 	 * ME_CONNECTKEY
 	 */
 	chunk_t connect_key;
-	
+
 	/**
 	 * Submitted endpoints
 	 */
 	linked_list_t *endpoints;
-	
+
 	/**
 	 * Is this a callback job?
 	 */
 	bool callback;
-	
+
 	/**
 	 * Is this a response?
 	 */
@@ -81,13 +81,13 @@ static void destroy(private_mediation_job_t *this)
 
 /**
  * Implementation of job_t.execute.
- */ 
+ */
 static void execute(private_mediation_job_t *this)
 {
 	ike_sa_id_t *target_sa_id;
-	
+
 	target_sa_id = charon->mediation_manager->check(charon->mediation_manager, this->target);
-	
+
 	if (target_sa_id)
 	{
 		ike_sa_t *target_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager,
@@ -120,7 +120,7 @@ static void execute(private_mediation_job_t *this)
 					return;
 				}
 			}
-			
+
 			charon->ike_sa_manager->checkin(charon->ike_sa_manager, target_sa);
 		}
 		else
@@ -143,11 +143,11 @@ static void execute(private_mediation_job_t *this)
 static private_mediation_job_t *mediation_job_create_empty()
 {
 	private_mediation_job_t *this = malloc_thing(private_mediation_job_t);
-	
+
 	/* interface functions */
 	this->public.job_interface.execute = (void (*) (job_t *)) execute;
 	this->public.job_interface.destroy = (void (*) (job_t *)) destroy;
-	
+
 	/* private variables */
 	this->target = NULL;
 	this->source = NULL;
@@ -156,7 +156,7 @@ static private_mediation_job_t *mediation_job_create_empty()
 	this->connect_key = chunk_empty;
 	this->endpoints = NULL;
 	this->response = FALSE;
-	
+
 	return this;
 }
 
@@ -175,7 +175,7 @@ mediation_job_t *mediation_job_create(identification_t *peer_id,
 	this->connect_key = chunk_clone(connect_key);
 	this->endpoints = endpoints->clone_offset(endpoints, offsetof(endpoint_notify_t, clone));
 	this->response = response;
-	
+
 	return &this->public;
 }
 
@@ -186,10 +186,10 @@ mediation_job_t *mediation_callback_job_create(identification_t *requester,
 		identification_t *peer_id)
 {
 	private_mediation_job_t *this = mediation_job_create_empty();
-	
+
 	this->target = requester->clone(requester);
 	this->source = peer_id->clone(peer_id);
 	this->callback = TRUE;
-	
+
 	return &this->public;
 }
diff --git a/src/charon/processing/jobs/mediation_job.h b/src/charon/processing/jobs/mediation_job.h
index 583ea8230..0574c65eb 100644
--- a/src/charon/processing/jobs/mediation_job.h
+++ b/src/charon/processing/jobs/mediation_job.h
@@ -30,7 +30,7 @@ typedef struct mediation_job_t mediation_job_t;
 
 /**
  * Class representing a MEDIATION Job.
- * 
+ *
  * This job handles the mediation on the mediation server.
  */
 struct mediation_job_t {
@@ -42,9 +42,9 @@ struct mediation_job_t {
 
 /**
  * Creates a job of type MEDIATION.
- * 
+ *
  * Parameters get cloned.
- * 
+ *
  * @param peer_id		ID of the requested peer
  * @param requester		ID of the requesting peer
  * @param connect_id	content of ME_CONNECTID (could be NULL)
@@ -61,9 +61,9 @@ mediation_job_t *mediation_job_create(identification_t *peer_id,
 /**
  * Creates a special job of type MEDIATION that is used to send a callback
  * notification to a peer.
- * 
+ *
  * Parameters get cloned.
- * 
+ *
  * @param requester		ID of the waiting peer
  * @param peer_id		ID of the requested peer
  * @return				job object
diff --git a/src/charon/processing/jobs/migrate_job.c b/src/charon/processing/jobs/migrate_job.c
index a57d0478b..05f47340c 100644
--- a/src/charon/processing/jobs/migrate_job.c
+++ b/src/charon/processing/jobs/migrate_job.c
@@ -30,7 +30,7 @@ struct private_migrate_job_t {
 	 * Public migrate_job_t interface.
 	 */
 	migrate_job_t public;
-	
+
 	/**
 	 * reqid of the CHILD_SA if it already exists
 	 */
@@ -75,7 +75,7 @@ static void destroy(private_migrate_job_t *this)
 static void execute(private_migrate_job_t *this)
 {
 	ike_sa_t *ike_sa = NULL;
-	
+
 	if (this->reqid)
 	{
 		ike_sa = charon->ike_sa_manager->checkout_by_id(charon->ike_sa_manager,
@@ -110,7 +110,7 @@ static void execute(private_migrate_job_t *this)
 
 		if (child_sa->update(child_sa, this->local, this->remote,
 				ike_sa->get_virtual_ip(ike_sa, TRUE),
-			 	ike_sa->has_condition(ike_sa, COND_NAT_ANY)) == NOT_SUPPORTED)
+				ike_sa->has_condition(ike_sa, COND_NAT_ANY)) == NOT_SUPPORTED)
 		{
 			ike_sa->rekey_child_sa(ike_sa, child_sa->get_protocol(child_sa),
 								   child_sa->get_spi(child_sa, TRUE));
@@ -134,17 +134,17 @@ migrate_job_t *migrate_job_create(u_int32_t reqid,
 								  host_t *local, host_t *remote)
 {
 	private_migrate_job_t *this = malloc_thing(private_migrate_job_t);
-	
+
 	/* interface functions */
 	this->public.job_interface.execute = (void (*) (job_t *)) execute;
 	this->public.job_interface.destroy = (void (*)(job_t*)) destroy;
-	
+
 	/* private variables */
 	this->reqid = reqid;
 	this->src_ts = (dir == POLICY_OUT) ? src_ts : dst_ts;
 	this->dst_ts = (dir == POLICY_OUT) ? dst_ts : src_ts;
 	this->local = local;
 	this->remote = remote;
-	
+
 	return &this->public;
 }
diff --git a/src/charon/processing/jobs/migrate_job.h b/src/charon/processing/jobs/migrate_job.h
index 672a09b0a..de313d517 100644
--- a/src/charon/processing/jobs/migrate_job.h
+++ b/src/charon/processing/jobs/migrate_job.h
@@ -25,14 +25,14 @@ typedef struct migrate_job_t migrate_job_t;
 
 #include <library.h>
 #include <utils/host.h>
-#include <config/traffic_selector.h>
+#include <selectors/traffic_selector.h>
 #include <kernel/kernel_ipsec.h>
 #include <processing/jobs/job.h>
 
 /**
  * Class representing a MIGRATE Job.
- * 
- * This job sets a routed CHILD_SA for an existing IPsec policy. 
+ *
+ * This job sets a routed CHILD_SA for an existing IPsec policy.
  */
 struct migrate_job_t {
 	/**
@@ -49,15 +49,13 @@ struct migrate_job_t {
  * @param reqid		reqid of the CHILD_SA to acquire
  * @param src_ts	source traffic selector to be used in the policy
  * @param dst_ts	destination traffic selector to be used in the policy
- * @param dir       direction of the policy (in|out)
- * @param local     local host address to be used in the IKE_SA
- * @param remote    remote host address to be used in the IKE_SA
+ * @param dir		direction of the policy (in|out)
+ * @param local		local host address to be used in the IKE_SA
+ * @param remote	remote host address to be used in the IKE_SA
  * @return			migrate_job_t object
  */
 migrate_job_t *migrate_job_create(u_int32_t reqid,
-								  traffic_selector_t *src_ts,
-								  traffic_selector_t *dst_ts,
-								  policy_dir_t dir,
-								  host_t *local, host_t *remote);
+						traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
+						policy_dir_t dir, host_t *local, host_t *remote);
 
 #endif /** MIGRATE_JOB_H_ @}*/
diff --git a/src/charon/processing/jobs/process_message_job.c b/src/charon/processing/jobs/process_message_job.c
index 1f0b3e287..a47d48e38 100644
--- a/src/charon/processing/jobs/process_message_job.c
+++ b/src/charon/processing/jobs/process_message_job.c
@@ -28,7 +28,7 @@ struct private_process_message_job_t {
 	 * public process_message_job_t interface
 	 */
 	process_message_job_t public;
-	
+
 	/**
 	 * Message associated with this job
 	 */
@@ -50,9 +50,9 @@ static void destroy(private_process_message_job_t *this)
 static void execute(private_process_message_job_t *this)
 {
 	ike_sa_t *ike_sa;
-	
+
 #ifdef ME
-	/* if this is an unencrypted INFORMATIONAL exchange it is likely a 
+	/* if this is an unencrypted INFORMATIONAL exchange it is likely a
 	 * connectivity check. */
 	if (this->message->get_exchange_type(this->message) == INFORMATIONAL &&
 		this->message->get_first_payload_type(this->message) != ENCRYPTED)
@@ -67,7 +67,7 @@ static void execute(private_process_message_job_t *this)
 		return;
 	}
 #endif /* ME */
-	
+
 	ike_sa = charon->ike_sa_manager->checkout_by_message(charon->ike_sa_manager,
 														 this->message);
 	if (ike_sa)
@@ -98,9 +98,9 @@ process_message_job_t *process_message_job_create(message_t *message)
 	/* interface functions */
 	this->public.job_interface.execute = (void (*) (job_t *)) execute;
 	this->public.job_interface.destroy = (void(*)(job_t*))destroy;
-	
+
 	/* private variables */
 	this->message = message;
-	
+
 	return &(this->public);
 }
diff --git a/src/charon/processing/jobs/process_message_job.h b/src/charon/processing/jobs/process_message_job.h
index b01d388f9..5e3f44d1f 100644
--- a/src/charon/processing/jobs/process_message_job.h
+++ b/src/charon/processing/jobs/process_message_job.h
@@ -40,7 +40,7 @@ struct process_message_job_t {
 
 /**
  * Creates a job of type PROCESS_MESSAGE.
- * 
+ *
  * @param message		message to process
  * @return				created process_message_job_t object
  */
diff --git a/src/charon/processing/jobs/rekey_child_sa_job.c b/src/charon/processing/jobs/rekey_child_sa_job.c
index 17fcf641b..b797d181e 100644
--- a/src/charon/processing/jobs/rekey_child_sa_job.c
+++ b/src/charon/processing/jobs/rekey_child_sa_job.c
@@ -28,17 +28,17 @@ struct private_rekey_child_sa_job_t {
 	 * Public rekey_child_sa_job_t interface.
 	 */
 	rekey_child_sa_job_t public;
-	
+
 	/**
 	 * reqid of the child to rekey
 	 */
 	u_int32_t reqid;
-	
+
 	/**
 	 * protocol of the CHILD_SA (ESP/AH)
 	 */
 	protocol_id_t protocol;
-	
+
 	/**
 	 * inbound SPI of the CHILD_SA
 	 */
@@ -59,7 +59,7 @@ static void destroy(private_rekey_child_sa_job_t *this)
 static void execute(private_rekey_child_sa_job_t *this)
 {
 	ike_sa_t *ike_sa;
-	
+
 	ike_sa = charon->ike_sa_manager->checkout_by_id(charon->ike_sa_manager,
 													this->reqid, TRUE);
 	if (ike_sa == NULL)
@@ -69,7 +69,7 @@ static void execute(private_rekey_child_sa_job_t *this)
 	}
 	else
 	{
-		ike_sa->rekey_child_sa(ike_sa, this->protocol, this->spi);	
+		ike_sa->rekey_child_sa(ike_sa, this->protocol, this->spi);
 		charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
 	}
 	destroy(this);
@@ -78,20 +78,20 @@ static void execute(private_rekey_child_sa_job_t *this)
 /*
  * Described in header
  */
-rekey_child_sa_job_t *rekey_child_sa_job_create(u_int32_t reqid, 
-												protocol_id_t protocol, 
+rekey_child_sa_job_t *rekey_child_sa_job_create(u_int32_t reqid,
+												protocol_id_t protocol,
 												u_int32_t spi)
 {
 	private_rekey_child_sa_job_t *this = malloc_thing(private_rekey_child_sa_job_t);
-	
+
 	/* interface functions */
 	this->public.job_interface.execute = (void (*) (job_t *)) execute;
 	this->public.job_interface.destroy = (void (*)(job_t*)) destroy;
-		
+
 	/* private variables */
 	this->reqid = reqid;
 	this->protocol = protocol;
 	this->spi = spi;
-	
+
 	return &this->public;
 }
diff --git a/src/charon/processing/jobs/rekey_child_sa_job.h b/src/charon/processing/jobs/rekey_child_sa_job.h
index 2e2eef361..62887d6b9 100644
--- a/src/charon/processing/jobs/rekey_child_sa_job.h
+++ b/src/charon/processing/jobs/rekey_child_sa_job.h
@@ -51,7 +51,7 @@ struct rekey_child_sa_job_t {
  * @param spi		security parameter index of the CHILD_SA
  * @return			rekey_child_sa_job_t object
  */
-rekey_child_sa_job_t *rekey_child_sa_job_create(u_int32_t reqid, 
+rekey_child_sa_job_t *rekey_child_sa_job_create(u_int32_t reqid,
 												protocol_id_t protocol,
 												u_int32_t spi);
 #endif /** REKEY_CHILD_SA_JOB_H_ @}*/
diff --git a/src/charon/processing/jobs/rekey_ike_sa_job.c b/src/charon/processing/jobs/rekey_ike_sa_job.c
index 1ceb1e144..5ec0b1b88 100644
--- a/src/charon/processing/jobs/rekey_ike_sa_job.c
+++ b/src/charon/processing/jobs/rekey_ike_sa_job.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  */
- 
+
 #include "rekey_ike_sa_job.h"
 
 #include <daemon.h>
@@ -27,12 +27,12 @@ struct private_rekey_ike_sa_job_t {
 	 * Public rekey_ike_sa_job_t interface.
 	 */
 	rekey_ike_sa_job_t public;
-	
+
 	/**
 	 * ID of the IKE_SA to rekey
 	 */
 	ike_sa_id_t *ike_sa_id;
-	
+
 	/**
 	 * force reauthentication of the peer (full IKE_SA setup)
 	 */
@@ -55,7 +55,7 @@ static void execute(private_rekey_ike_sa_job_t *this)
 {
 	ike_sa_t *ike_sa;
 	status_t status = SUCCESS;
-	
+
 	ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager,
 											  this->ike_sa_id);
 	if (ike_sa == NULL)
@@ -72,7 +72,7 @@ static void execute(private_rekey_ike_sa_job_t *this)
 		{
 			status = ike_sa->rekey(ike_sa);
 		}
-		
+
 		if (status == DESTROY_ME)
 		{
 			charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, ike_sa);
@@ -91,14 +91,14 @@ static void execute(private_rekey_ike_sa_job_t *this)
 rekey_ike_sa_job_t *rekey_ike_sa_job_create(ike_sa_id_t *ike_sa_id, bool reauth)
 {
 	private_rekey_ike_sa_job_t *this = malloc_thing(private_rekey_ike_sa_job_t);
-	
+
 	/* interface functions */
 	this->public.job_interface.execute = (void (*) (job_t *)) execute;
 	this->public.job_interface.destroy = (void (*)(job_t*)) destroy;
-		
+
 	/* private variables */
 	this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
 	this->reauth = reauth;
-	
+
 	return &(this->public);
 }
diff --git a/src/charon/processing/jobs/rekey_ike_sa_job.h b/src/charon/processing/jobs/rekey_ike_sa_job.h
index 0d830e134..a5c1028aa 100644
--- a/src/charon/processing/jobs/rekey_ike_sa_job.h
+++ b/src/charon/processing/jobs/rekey_ike_sa_job.h
@@ -29,7 +29,7 @@ typedef struct rekey_ike_sa_job_t rekey_ike_sa_job_t;
 
 /**
  * Class representing an REKEY_IKE_SA Job.
- * 
+ *
  * This job initiates the rekeying of an IKE_SA.
  */
 struct rekey_ike_sa_job_t {
diff --git a/src/charon/processing/jobs/retransmit_job.c b/src/charon/processing/jobs/retransmit_job.c
index 122cad853..fc787f208 100644
--- a/src/charon/processing/jobs/retransmit_job.c
+++ b/src/charon/processing/jobs/retransmit_job.c
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  */
- 
+
 #include "retransmit_job.h"
 
 #include <daemon.h>
@@ -28,7 +28,7 @@ struct private_retransmit_job_t {
 	 * Public retransmit_job_t interface.
 	 */
 	retransmit_job_t public;
-	
+
 	/**
 	 * Message ID of the request to resend.
 	 */
@@ -55,7 +55,7 @@ static void destroy(private_retransmit_job_t *this)
 static void execute(private_retransmit_job_t *this)
 {
 	ike_sa_t *ike_sa;
-	
+
 	ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager,
 											  this->ike_sa_id);
 	if (ike_sa)
@@ -80,7 +80,7 @@ static void execute(private_retransmit_job_t *this)
 retransmit_job_t *retransmit_job_create(u_int32_t message_id,ike_sa_id_t *ike_sa_id)
 {
 	private_retransmit_job_t *this = malloc_thing(private_retransmit_job_t);
-	
+
 	/* interface functions */
 	this->public.job_interface.execute = (void (*) (job_t *)) execute;
 	this->public.job_interface.destroy = (void (*) (job_t *)) destroy;
@@ -88,6 +88,6 @@ retransmit_job_t *retransmit_job_create(u_int32_t message_id,ike_sa_id_t *ike_sa
 	/* private variables */
 	this->message_id = message_id;
 	this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
-	
+
 	return &this->public;
 }
diff --git a/src/charon/processing/jobs/retransmit_job.h b/src/charon/processing/jobs/retransmit_job.h
index 4c9bea1c8..c8c13479b 100644
--- a/src/charon/processing/jobs/retransmit_job.h
+++ b/src/charon/processing/jobs/retransmit_job.h
@@ -44,7 +44,7 @@ struct retransmit_job_t {
 
 /**
  * Creates a job of type retransmit.
- * 
+ *
  * @param message_id		message_id of the request to resend
  * @param ike_sa_id			identification of the ike_sa as ike_sa_id_t
  * @return					retransmit_job_t object
diff --git a/src/charon/processing/jobs/roam_job.c b/src/charon/processing/jobs/roam_job.c
index c01f83248..adc884a8a 100644
--- a/src/charon/processing/jobs/roam_job.c
+++ b/src/charon/processing/jobs/roam_job.c
@@ -31,7 +31,7 @@ struct private_roam_job_t {
 	 * public roam_job_t interface
 	 */
 	roam_job_t public;
-	
+
 	/**
 	 * has the address list changed, or the routing only?
 	 */
@@ -47,16 +47,16 @@ static void destroy(private_roam_job_t *this)
 }
 
 /**
- * Implementation of job_t.execute. 
- */ 
+ * Implementation of job_t.execute.
+ */
 static void execute(private_roam_job_t *this)
 {
 	ike_sa_t *ike_sa;
 	linked_list_t *list;
 	ike_sa_id_t *id;
 	enumerator_t *enumerator;
-	
-	/* enumerator over all IKE_SAs gives us no way to checkin_and_destroy 
+
+	/* enumerator over all IKE_SAs gives us no way to checkin_and_destroy
 	 * after a DESTROY_ME, so we check out each available IKE_SA by hand. */
 	list = linked_list_create();
 	enumerator = charon->ike_sa_manager->create_enumerator(charon->ike_sa_manager);
@@ -66,7 +66,7 @@ static void execute(private_roam_job_t *this)
 		list->insert_last(list, id->clone(id));
 	}
 	enumerator->destroy(enumerator);
-	
+
 	while (list->remove_last(list, (void**)&id) == SUCCESS)
 	{
 		ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager, id);
@@ -95,10 +95,10 @@ static void execute(private_roam_job_t *this)
 roam_job_t *roam_job_create(bool address)
 {
 	private_roam_job_t *this = malloc_thing(private_roam_job_t);
-	
+
 	this->public.job_interface.execute = (void (*) (job_t *)) execute;
 	this->public.job_interface.destroy = (void (*) (job_t *)) destroy;
-	
+
 	this->address = address;
 
 	return &this->public;
diff --git a/src/charon/processing/jobs/roam_job.h b/src/charon/processing/jobs/roam_job.h
index 7bb1227f5..55bdf2b28 100644
--- a/src/charon/processing/jobs/roam_job.h
+++ b/src/charon/processing/jobs/roam_job.h
@@ -29,7 +29,7 @@ typedef struct roam_job_t roam_job_t;
 
 /**
  * A job to inform IKE_SAs about changed local address setup.
- * 
+ *
  * If a local address appears or disappears, the kernel fires this job to
  * update all IKE_SAs.
  */
@@ -43,7 +43,7 @@ struct roam_job_t {
 
 /**
  * Creates a job to inform IKE_SAs about an updated address list.
- * 
+ *
  * @param address		TRUE if address list changed, FALSE if routing changed
  * @return				initiate_ike_sa_job_t object
  */
diff --git a/src/charon/processing/jobs/send_dpd_job.c b/src/charon/processing/jobs/send_dpd_job.c
index c6e81a56f..1c2da52b8 100644
--- a/src/charon/processing/jobs/send_dpd_job.c
+++ b/src/charon/processing/jobs/send_dpd_job.c
@@ -31,7 +31,7 @@ struct private_send_dpd_job_t {
 	 * public send_dpd_job_t interface
 	 */
 	send_dpd_job_t public;
-	
+
 	/**
 	 * ID of the IKE_SA which the message belongs to.
 	 */
@@ -48,12 +48,12 @@ static void destroy(private_send_dpd_job_t *this)
 }
 
 /**
- * Implementation of job_t.execute. 
- */ 
+ * Implementation of job_t.execute.
+ */
 static void execute(private_send_dpd_job_t *this)
 {
 	ike_sa_t *ike_sa;
-	
+
 	ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager,
 											  this->ike_sa_id);
 	if (ike_sa)
@@ -76,11 +76,11 @@ static void execute(private_send_dpd_job_t *this)
 send_dpd_job_t *send_dpd_job_create(ike_sa_id_t *ike_sa_id)
 {
 	private_send_dpd_job_t *this = malloc_thing(private_send_dpd_job_t);
-	
+
 	/* interface functions */
 	this->public.job_interface.execute = (void (*) (job_t *)) execute;
 	this->public.job_interface.destroy = (void (*) (job_t *)) destroy;
-	
+
 	/* private variables */
 	this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
 
diff --git a/src/charon/processing/jobs/send_dpd_job.h b/src/charon/processing/jobs/send_dpd_job.h
index 91556a9d1..8078a38bc 100644
--- a/src/charon/processing/jobs/send_dpd_job.h
+++ b/src/charon/processing/jobs/send_dpd_job.h
@@ -29,7 +29,7 @@ typedef struct send_dpd_job_t send_dpd_job_t;
 
 /**
  * Class representing a SEND_DPD Job.
- * 
+ *
  * Job to periodically send a Dead Peer Detection (DPD) request,
  * ie. an IKE request with no payloads other than the encrypted payload
  * required by the syntax.
@@ -43,7 +43,7 @@ struct send_dpd_job_t {
 
 /**
  * Creates a job of type SEND_DPD.
- * 
+ *
  * @param ike_sa_id		identification of the ike_sa as ike_sa_id_t object (gets cloned)
  * @return				initiate_ike_sa_job_t object
  */
diff --git a/src/charon/processing/jobs/send_keepalive_job.c b/src/charon/processing/jobs/send_keepalive_job.c
index 5d3cfb530..3d02cea2e 100644
--- a/src/charon/processing/jobs/send_keepalive_job.c
+++ b/src/charon/processing/jobs/send_keepalive_job.c
@@ -31,7 +31,7 @@ struct private_send_keepalive_job_t {
 	 * public send_keepalive_job_t interface
 	 */
 	send_keepalive_job_t public;
-	
+
 	/**
 	 * ID of the IKE_SA which the message belongs to.
 	 */
@@ -49,11 +49,11 @@ static void destroy(private_send_keepalive_job_t *this)
 
 /**
  * Implementation of job_t.execute.
- */ 
+ */
 static void execute(private_send_keepalive_job_t *this)
 {
 	ike_sa_t *ike_sa;
-	
+
 	ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager,
 											  this->ike_sa_id);
 	if (ike_sa)
@@ -70,11 +70,11 @@ static void execute(private_send_keepalive_job_t *this)
 send_keepalive_job_t *send_keepalive_job_create(ike_sa_id_t *ike_sa_id)
 {
 	private_send_keepalive_job_t *this = malloc_thing(private_send_keepalive_job_t);
-	
+
 	/* interface functions */
 	this->public.job_interface.execute = (void (*) (job_t *)) execute;
 	this->public.job_interface.destroy = (void (*) (job_t *)) destroy;
-	
+
 	/* private variables */
 	this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
 
diff --git a/src/charon/processing/jobs/send_keepalive_job.h b/src/charon/processing/jobs/send_keepalive_job.h
index f92e6217a..cda83cd7e 100644
--- a/src/charon/processing/jobs/send_keepalive_job.h
+++ b/src/charon/processing/jobs/send_keepalive_job.h
@@ -29,7 +29,7 @@ typedef struct send_keepalive_job_t send_keepalive_job_t;
 
 /**
  * Class representing a SEND_KEEPALIVE Job.
- * 
+ *
  * This job will send a NAT keepalive packet if the IKE SA is still alive,
  * and reinsert itself into the event queue.
  */
@@ -42,7 +42,7 @@ struct send_keepalive_job_t {
 
 /**
  * Creates a job of type SEND_KEEPALIVE.
- * 
+ *
  * @param ike_sa_id		identification of the ike_sa as ike_sa_id_t object (gets cloned)
  * @return				initiate_ike_sa_job_t object
  */
diff --git a/src/charon/processing/jobs/update_sa_job.c b/src/charon/processing/jobs/update_sa_job.c
index 5e6c83942..17dce2548 100644
--- a/src/charon/processing/jobs/update_sa_job.c
+++ b/src/charon/processing/jobs/update_sa_job.c
@@ -31,12 +31,12 @@ struct private_update_sa_job_t {
 	 * public update_sa_job_t interface
 	 */
 	update_sa_job_t public;
-	
+
 	/**
 	 * reqid of the CHILD_SA
 	 */
 	u_int32_t reqid;
-	
+
 	/**
 	 * New SA address and port
 	 */
@@ -53,12 +53,12 @@ static void destroy(private_update_sa_job_t *this)
 }
 
 /**
- * Implementation of job_t.execute. 
- */ 
+ * Implementation of job_t.execute.
+ */
 static void execute(private_update_sa_job_t *this)
 {
 	ike_sa_t *ike_sa;
-	
+
 	ike_sa = charon->ike_sa_manager->checkout_by_id(charon->ike_sa_manager,
 													this->reqid, TRUE);
 	if (ike_sa == NULL)
@@ -84,10 +84,10 @@ static void execute(private_update_sa_job_t *this)
 update_sa_job_t *update_sa_job_create(u_int32_t reqid, host_t *new)
 {
 	private_update_sa_job_t *this = malloc_thing(private_update_sa_job_t);
-	
+
 	this->public.job_interface.execute = (void (*) (job_t *)) execute;
 	this->public.job_interface.destroy = (void (*) (job_t *)) destroy;
-	
+
 	this->reqid = reqid;
 	this->new = new;
 
diff --git a/src/charon/processing/jobs/update_sa_job.h b/src/charon/processing/jobs/update_sa_job.h
index 93262d46f..11d1ac9b6 100644
--- a/src/charon/processing/jobs/update_sa_job.h
+++ b/src/charon/processing/jobs/update_sa_job.h
@@ -40,7 +40,7 @@ struct update_sa_job_t {
 
 /**
  * Creates a job to update IKE and CHILD_SA addresses.
- * 
+ *
  * @param reqid			reqid of the CHILD_SA
  * @param new			new address and port
  * @return				update_sa_job_t object
diff --git a/src/charon/processing/processor.c b/src/charon/processing/processor.c
index 4a3943323..d5774af26 100644
--- a/src/charon/processing/processor.c
+++ b/src/charon/processing/processor.c
@@ -13,16 +13,17 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  */
- 
+
 #include <stdlib.h>
-#include <pthread.h>
 #include <string.h>
 #include <errno.h>
 
 #include "processor.h"
 
 #include <daemon.h>
-#include <utils/mutex.h>
+#include <threading/thread.h>
+#include <threading/condvar.h>
+#include <threading/mutex.h>
 #include <utils/linked_list.h>
 
 
@@ -41,22 +42,28 @@ struct private_processor_t {
 	 * Number of running threads
 	 */
 	u_int total_threads;
-	
+
 	/**
 	 * Desired number of threads
 	 */
 	u_int desired_threads;
-	
+
 	/**
 	 * Number of threads waiting for work
 	 */
 	u_int idle_threads;
 
+	/**
+	 * All threads managed in the pool (including threads that have been
+	 * cancelled, this allows to join them during destruction)
+	 */
+	linked_list_t *threads;
+
 	/**
 	 * The jobs are stored in a linked list
 	 */
 	linked_list_t *list;
-	
+
 	/**
 	 * access to linked_list is locked through this mutex
 	 */
@@ -66,7 +73,7 @@ struct private_processor_t {
 	 * Condvar to wait for new jobs
 	 */
 	condvar_t *job_added;
-	
+
 	/**
 	 * Condvar to wait for terminated threads
 	 */
@@ -80,17 +87,23 @@ static void process_jobs(private_processor_t *this);
  */
 static void restart(private_processor_t *this)
 {
-	pthread_t thread;
-	
+	thread_t *thread;
+
+	DBG2(DBG_JOB, "terminated worker thread, ID: %u", thread_current_id());
+
 	/* respawn thread if required */
-	if (this->desired_threads == 0 ||
-		pthread_create(&thread, NULL, (void*)process_jobs, this) != 0)
+	this->mutex->lock(this->mutex);
+	if (this->desired_threads < this->total_threads ||
+		(thread = thread_create((thread_main_t)process_jobs, this)) == NULL)
 	{
-		this->mutex->lock(this->mutex);
 		this->total_threads--;
-		this->thread_terminated->broadcast(this->thread_terminated);
-		this->mutex->unlock(this->mutex);
+		this->thread_terminated->signal(this->thread_terminated);
 	}
+	else
+	{
+		this->threads->insert_last(this->threads, thread);
+	}
+	this->mutex->unlock(this->mutex);
 }
 
 /**
@@ -98,17 +111,16 @@ static void restart(private_processor_t *this)
  */
 static void process_jobs(private_processor_t *this)
 {
-	int oldstate;
-	
-	pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, &oldstate);
-	
-	DBG2(DBG_JOB, "started worker thread, thread_ID: %06u", (int)pthread_self());
-	
+	/* worker threads are not cancellable by default */
+	thread_cancelability(FALSE);
+
+	DBG2(DBG_JOB, "started worker thread, ID: %u", thread_current_id());
+
 	this->mutex->lock(this->mutex);
 	while (this->desired_threads >= this->total_threads)
 	{
 		job_t *job;
-		
+
 		if (this->list->get_count(this->list) == 0)
 		{
 			this->idle_threads++;
@@ -119,14 +131,13 @@ static void process_jobs(private_processor_t *this)
 		this->list->remove_first(this->list, (void**)&job);
 		this->mutex->unlock(this->mutex);
 		/* terminated threads are restarted, so we have a constant pool */
-		pthread_cleanup_push((void*)restart, this);
+		thread_cleanup_push((thread_cleanup_t)restart, this);
 		job->execute(job);
-		pthread_cleanup_pop(0);
+		thread_cleanup_pop(FALSE);
 		this->mutex->lock(this->mutex);
 	}
-	this->total_threads--;
-	this->thread_terminated->signal(this->thread_terminated);
 	this->mutex->unlock(this->mutex);
+	restart(this);
 }
 
 /**
@@ -136,7 +147,7 @@ static u_int get_total_threads(private_processor_t *this)
 {
 	u_int count;
 	this->mutex->lock(this->mutex);
-	count = this->total_threads; 
+	count = this->total_threads;
 	this->mutex->unlock(this->mutex);
 	return count;
 }
@@ -175,7 +186,7 @@ static void queue_job(private_processor_t *this, job_t *job)
 	this->job_added->signal(this->job_added);
 	this->mutex->unlock(this->mutex);
 }
-	
+
 /**
  * Implementation of processor_t.set_threads.
  */
@@ -185,14 +196,16 @@ static void set_threads(private_processor_t *this, u_int count)
 	if (count > this->total_threads)
 	{	/* increase thread count */
 		int i;
-		pthread_t current;
-		
+		thread_t *current;
+
 		this->desired_threads = count;
 		DBG1(DBG_JOB, "spawning %d worker threads", count - this->total_threads);
 		for (i = this->total_threads; i < count; i++)
 		{
-			if (pthread_create(&current, NULL, (void*)process_jobs, this) == 0)
+			current = thread_create((thread_main_t)process_jobs, this);
+			if (current)
 			{
+				this->threads->insert_last(this->threads, current);
 				this->total_threads++;
 			}
 		}
@@ -210,6 +223,7 @@ static void set_threads(private_processor_t *this, u_int count)
  */
 static void destroy(private_processor_t *this)
 {
+	thread_t *current;
 	set_threads(this, 0);
 	this->mutex->lock(this->mutex);
 	while (this->total_threads > 0)
@@ -217,11 +231,17 @@ static void destroy(private_processor_t *this)
 		this->job_added->broadcast(this->job_added);
 		this->thread_terminated->wait(this->thread_terminated, this->mutex);
 	}
+	while (this->threads->remove_first(this->threads,
+									   (void**)&current) == SUCCESS)
+	{
+		current->join(current);
+	}
 	this->mutex->unlock(this->mutex);
 	this->thread_terminated->destroy(this->thread_terminated);
 	this->job_added->destroy(this->job_added);
 	this->mutex->destroy(this->mutex);
 	this->list->destroy_offset(this->list, offsetof(job_t, destroy));
+	this->threads->destroy(this->threads);
 	free(this);
 }
 
@@ -231,22 +251,23 @@ static void destroy(private_processor_t *this)
 processor_t *processor_create(size_t pool_size)
 {
 	private_processor_t *this = malloc_thing(private_processor_t);
-	
+
 	this->public.get_total_threads = (u_int(*)(processor_t*))get_total_threads;
 	this->public.get_idle_threads = (u_int(*)(processor_t*))get_idle_threads;
 	this->public.get_job_load = (u_int(*)(processor_t*))get_job_load;
 	this->public.queue_job = (void(*)(processor_t*, job_t*))queue_job;
 	this->public.set_threads = (void(*)(processor_t*, u_int))set_threads;
 	this->public.destroy = (void(*)(processor_t*))destroy;
-	
+
 	this->list = linked_list_create();
+	this->threads = linked_list_create();
 	this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
 	this->job_added = condvar_create(CONDVAR_TYPE_DEFAULT);
 	this->thread_terminated = condvar_create(CONDVAR_TYPE_DEFAULT);
 	this->total_threads = 0;
 	this->desired_threads = 0;
 	this->idle_threads = 0;
-	
+
 	return &this->public;
 }
 
diff --git a/src/charon/processing/processor.h b/src/charon/processing/processor.h
index e56e69382..5bf8cf573 100644
--- a/src/charon/processing/processor.h
+++ b/src/charon/processing/processor.h
@@ -33,21 +33,21 @@ typedef struct processor_t processor_t;
  * The processor uses threads to process queued jobs.
  */
 struct processor_t {
-	
+
 	/**
 	 * Get the total number of threads used by the processor.
-	 *	
+	 *
 	 * @return				size of thread pool
 	 */
 	u_int (*get_total_threads) (processor_t *this);
-	
+
 	/**
 	 * Get the number of threads currently waiting.
-	 *	
+	 *
 	 * @return				number of idle threads
 	 */
 	u_int (*get_idle_threads) (processor_t *this);
-	
+
 	/**
 	 * Get the number of queued jobs.
 	 *
@@ -60,10 +60,10 @@ struct processor_t {
 	 *
 	 * This function is non blocking and adds a job_t to the queue.
 	 *
- 	 * @param job 			job to add to the queue
+	 * @param job 			job to add to the queue
 	 */
 	void (*queue_job) (processor_t *this, job_t *job);
-	
+
 	/**
 	 * Set the number of threads to use in the processor.
 	 *
@@ -75,7 +75,7 @@ struct processor_t {
 	 * @param count			number of threads to allocate
 	 */
 	void (*set_threads)(processor_t *this, u_int count);
-	
+
 	/**
 	 * Destroy a processor object.
 	 */
diff --git a/src/charon/processing/scheduler.c b/src/charon/processing/scheduler.c
index 1f59205af..345af502a 100644
--- a/src/charon/processing/scheduler.c
+++ b/src/charon/processing/scheduler.c
@@ -16,14 +16,15 @@
  */
 
 #include <stdlib.h>
-#include <pthread.h>
 
 #include "scheduler.h"
 
 #include <daemon.h>
 #include <processing/processor.h>
 #include <processing/jobs/callback_job.h>
-#include <utils/mutex.h>
+#include <threading/thread.h>
+#include <threading/condvar.h>
+#include <threading/mutex.h>
 
 /* the initial size of the heap */
 #define HEAP_SIZE_DEFAULT 64
@@ -38,7 +39,7 @@ struct event_t {
 	 * Time to fire the event.
 	 */
 	timeval_t time;
-	
+
 	/**
 	 * Every event has its assigned job.
 	 */
@@ -60,37 +61,37 @@ typedef struct private_scheduler_t private_scheduler_t;
  * Private data of a scheduler_t object.
  */
 struct private_scheduler_t {
-	
+
 	/**
 	 * Public part of a scheduler_t object.
 	 */
 	 scheduler_t public;
-	
+
 	/**
 	 * Job which queues scheduled jobs to the processor.
 	 */
 	callback_job_t *job;
-	
+
 	/**
 	 * The heap in which the events are stored.
 	 */
 	event_t **heap;
-	
+
 	/**
 	 * The size of the heap.
 	 */
 	u_int heap_size;
-	
+
 	/**
 	 * The number of scheduled events.
 	 */
 	u_int event_count;
-	
+
 	/**
 	 * Exclusive access to list
 	 */
 	mutex_t *mutex;
-	
+
 	/**
 	 * Condvar to wait for next job.
 	 */
@@ -140,12 +141,12 @@ static event_t *remove_event(private_scheduler_t *this)
 	{
 		return NULL;
 	}
-	
+
 	/* store the value to return */
 	event = this->heap[1];
 	/* move the bottom event to the top */
 	top = this->heap[1] = this->heap[this->event_count];
-		
+
 	if (--this->event_count > 1)
 	{
 		/* seep down the top event */
@@ -153,7 +154,7 @@ static event_t *remove_event(private_scheduler_t *this)
 		while ((position << 1) <= this->event_count)
 		{
 			u_int child = position << 1;
-			
+
 			if ((child + 1) <= this->event_count &&
 				timeval_cmp(&this->heap[child + 1]->time,
 							&this->heap[child]->time) < 0)
@@ -161,14 +162,14 @@ static event_t *remove_event(private_scheduler_t *this)
 				/* the "right" child is smaller */
 				child++;
 			}
-			
+
 			if (timeval_cmp(&top->time, &this->heap[child]->time) <= 0)
 			{
 				/* the top event fires before the smaller of the two children,
 				 * stop */
 				break;
 			}
-			
+
 			/* swap with the smaller child */
 			this->heap[position] = this->heap[child];
 			position = child;
@@ -185,13 +186,12 @@ static job_requeue_t schedule(private_scheduler_t * this)
 {
 	timeval_t now;
 	event_t *event;
-	int oldstate;
-	bool timed = FALSE;
-	
+	bool timed = FALSE, oldstate;
+
 	this->mutex->lock(this->mutex);
-	
-	gettimeofday(&now, NULL);
-	
+
+	time_monotonic(&now);
+
 	if ((event = peek_event(this)) != NULL)
 	{
 		if (timeval_cmp(&now, &event->time) >= 0)
@@ -215,9 +215,9 @@ static job_requeue_t schedule(private_scheduler_t * this)
 		}
 		timed = TRUE;
 	}
-	pthread_cleanup_push((void*)this->mutex->unlock, this->mutex);
-	pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
-	
+	thread_cleanup_push((thread_cleanup_t)this->mutex->unlock, this->mutex);
+	oldstate = thread_cancelability(TRUE);
+
 	if (timed)
 	{
 		this->condvar->timed_wait_abs(this->condvar, this->mutex, event->time);
@@ -227,8 +227,8 @@ static job_requeue_t schedule(private_scheduler_t * this)
 		DBG2(DBG_JOB, "no events, waiting");
 		this->condvar->wait(this->condvar, this->mutex);
 	}
-	pthread_setcancelstate(oldstate, NULL);
-	pthread_cleanup_pop(TRUE);
+	thread_cancelability(oldstate);
+	thread_cleanup_pop(TRUE);
 	return JOB_REQUEUE_DIRECT;
 }
 
@@ -251,13 +251,13 @@ static void schedule_job_tv(private_scheduler_t *this, job_t *job, timeval_t tv)
 {
 	event_t *event;
 	u_int position;
-	
+
 	event = malloc_thing(event_t);
 	event->job = job;
 	event->time = tv;
-	
+
 	this->mutex->lock(this->mutex);
-	
+
 	this->event_count++;
 	if (this->event_count > this->heap_size)
 	{
@@ -268,7 +268,7 @@ static void schedule_job_tv(private_scheduler_t *this, job_t *job, timeval_t tv)
 	}
 	/* "put" the event to the bottom */
 	position = this->event_count;
-	
+
 	/* then bubble it up */
 	while (position > 1 && timeval_cmp(&this->heap[position >> 1]->time,
 									   &event->time) > 0)
@@ -278,7 +278,7 @@ static void schedule_job_tv(private_scheduler_t *this, job_t *job, timeval_t tv)
 		position >>= 1;
 	}
 	this->heap[position] = event;
-	
+
 	this->condvar->signal(this->condvar);
 	this->mutex->unlock(this->mutex);
 }
@@ -289,10 +289,10 @@ static void schedule_job_tv(private_scheduler_t *this, job_t *job, timeval_t tv)
 static void schedule_job(private_scheduler_t *this, job_t *job, u_int32_t s)
 {
 	timeval_t tv;
-	
-	gettimeofday(&tv, NULL);
+
+	time_monotonic(&tv);
 	tv.tv_sec += s;
-	
+
 	schedule_job_tv(this, job, tv);
 }
 
@@ -302,13 +302,13 @@ static void schedule_job(private_scheduler_t *this, job_t *job, u_int32_t s)
 static void schedule_job_ms(private_scheduler_t *this, job_t *job, u_int32_t ms)
 {
 	timeval_t tv, add;
-	
-	gettimeofday(&tv, NULL);
+
+	time_monotonic(&tv);
 	add.tv_sec = ms / 1000;
 	add.tv_usec = (ms % 1000) * 1000;
-	
+
 	timeradd(&tv, &add, &tv);
-	
+
 	schedule_job_tv(this, job, tv);
 }
 
@@ -335,24 +335,24 @@ static void destroy(private_scheduler_t *this)
 scheduler_t * scheduler_create()
 {
 	private_scheduler_t *this = malloc_thing(private_scheduler_t);
-	
+
 	this->public.get_job_load = (u_int (*) (scheduler_t *this)) get_job_load;
 	this->public.schedule_job = (void (*) (scheduler_t *this, job_t *job, u_int32_t s)) schedule_job;
 	this->public.schedule_job_ms = (void (*) (scheduler_t *this, job_t *job, u_int32_t ms)) schedule_job_ms;
 	this->public.schedule_job_tv = (void (*) (scheduler_t *this, job_t *job, timeval_t tv)) schedule_job_tv;
 	this->public.destroy = (void(*)(scheduler_t*)) destroy;
-	
+
 	/* Note: the root of the heap is at index 1 */
 	this->event_count = 0;
 	this->heap_size = HEAP_SIZE_DEFAULT;
 	this->heap = (event_t**)calloc(this->heap_size + 1, sizeof(event_t*));
-	
+
 	this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
 	this->condvar = condvar_create(CONDVAR_TYPE_DEFAULT);
-	
+
 	this->job = callback_job_create((callback_job_cb_t)schedule, this, NULL, NULL);
 	charon->processor->queue_job(charon->processor, (job_t*)this->job);
-	
+
 	return &this->public;
 }
 
diff --git a/src/charon/processing/scheduler.h b/src/charon/processing/scheduler.h
index 502f70b33..5f5d2a563 100644
--- a/src/charon/processing/scheduler.h
+++ b/src/charon/processing/scheduler.h
@@ -25,8 +25,6 @@
 
 typedef struct scheduler_t scheduler_t;
 
-#include <sys/time.h>
-
 #include <library.h>
 #include <processing/jobs/job.h>
 
@@ -81,7 +79,7 @@ typedef struct scheduler_t scheduler_t;
  * children has a smaller key or it is again a leaf node.
  */
 struct scheduler_t {
-	
+
 	/**
 	 * Adds a event to the queue, using a relative time offset in s.
 	 *
@@ -89,7 +87,7 @@ struct scheduler_t {
 	 * @param time 			relative time to schedule job, in s
 	 */
 	void (*schedule_job) (scheduler_t *this, job_t *job, u_int32_t s);
-	
+
 	/**
 	 * Adds a event to the queue, using a relative time offset in ms.
 	 *
@@ -97,22 +95,25 @@ struct scheduler_t {
 	 * @param time 			relative time to schedule job, in ms
 	 */
 	void (*schedule_job_ms) (scheduler_t *this, job_t *job, u_int32_t ms);
-	
+
 	/**
 	 * Adds a event to the queue, using an absolut time.
 	 *
+	 * The passed timeval should be calculated based on the time_monotonic()
+	 * function.
+	 *
 	 * @param job 			job to schedule
 	 * @param time 			absolut time to schedule job
 	 */
 	void (*schedule_job_tv) (scheduler_t *this, job_t *job, timeval_t tv);
-	
+
 	/**
 	 * Returns number of jobs scheduled.
 	 *
 	 * @return 				number of scheduled jobs
 	 */
 	u_int (*get_job_load) (scheduler_t *this);
-	
+
 	/**
 	 * Destroys a scheduler object.
 	 */
diff --git a/src/charon/sa/authenticators/authenticator.c b/src/charon/sa/authenticators/authenticator.c
index ea8a16279..13586a23e 100644
--- a/src/charon/sa/authenticators/authenticator.c
+++ b/src/charon/sa/authenticators/authenticator.c
@@ -75,7 +75,7 @@ authenticator_t *authenticator_create_verifier(
 									chunk_t received_init, chunk_t sent_init)
 {
 	auth_payload_t *auth_payload;
-	
+
 	auth_payload = (auth_payload_t*)message->get_payload(message, AUTHENTICATION);
 	if (auth_payload == NULL)
 	{
diff --git a/src/charon/sa/authenticators/authenticator.h b/src/charon/sa/authenticators/authenticator.h
index c60881629..fff91ed34 100644
--- a/src/charon/sa/authenticators/authenticator.h
+++ b/src/charon/sa/authenticators/authenticator.h
@@ -36,34 +36,34 @@ typedef struct authenticator_t authenticator_t;
  */
 enum auth_method_t {
 	/**
-	 * Computed as specified in section 2.15 of RFC using 
+	 * Computed as specified in section 2.15 of RFC using
 	 * an RSA private key over a PKCS#1 padded hash.
 	 */
 	AUTH_RSA = 1,
-	
+
 	/**
-	 * Computed as specified in section 2.15 of RFC using the 
-	 * shared key associated with the identity in the ID payload 
+	 * Computed as specified in section 2.15 of RFC using the
+	 * shared key associated with the identity in the ID payload
 	 * and the negotiated prf function
 	 */
 	AUTH_PSK = 2,
-	
+
 	/**
-	 * Computed as specified in section 2.15 of RFC using a 
+	 * Computed as specified in section 2.15 of RFC using a
 	 * DSS private key over a SHA-1 hash.
 	 */
 	AUTH_DSS = 3,
-	
+
 	/**
 	 * ECDSA with SHA-256 on the P-256 curve as specified in RFC 4754
 	 */
 	AUTH_ECDSA_256 = 9,
-	
+
 	/**
 	 * ECDSA with SHA-384 on the P-384 curve as specified in RFC 4754
 	 */
 	AUTH_ECDSA_384 = 10,
-	
+
 	/**
 	 * ECDSA with SHA-512 on the P-521 curve as specified in RFC 4754
 	 */
@@ -115,7 +115,7 @@ struct authenticator_t {
 	 *						- NEED_MORE if another exchange required
 	 */
 	status_t (*process)(authenticator_t *this, message_t *message);
-	
+
 	/**
 	 * Attach authentication data to an outgoing message.
 	 *
@@ -126,7 +126,17 @@ struct authenticator_t {
 	 *						- NEED_MORE if another exchange required
 	 */
 	status_t (*build)(authenticator_t *this, message_t *message);
-	
+
+	/**
+	 * Check if the authenticator is capable of mutual authentication.
+	 *
+	 * Some authenticator authenticate both peers, e.g. EAP. To support
+	 * mutual authentication with only a single authenticator (EAP-only
+	 * authentication), it must be mutual. This method is invoked in ike_auth
+	 * to check if the given authenticator is capable of doing so.
+	 */
+	bool (*is_mutual)(authenticator_t *this);
+
 	/**
 	 * Destroy authenticator instance.
 	 */
@@ -151,7 +161,7 @@ authenticator_t *authenticator_create_builder(
 
 /**
  * Create an authenticator to verify signatures.
- * 
+ *
  * @param ike_sa			associated ike_sa
  * @param message			message containing authentication data
  * @param received_nonce	nonce received in IKE_SA_INIT
diff --git a/src/charon/sa/authenticators/eap/eap_manager.c b/src/charon/sa/authenticators/eap/eap_manager.c
index 24a4fd6ed..f795183f0 100644
--- a/src/charon/sa/authenticators/eap/eap_manager.c
+++ b/src/charon/sa/authenticators/eap/eap_manager.c
@@ -16,7 +16,7 @@
 #include "eap_manager.h"
 
 #include <utils/linked_list.h>
-#include <utils/mutex.h>
+#include <threading/rwlock.h>
 
 typedef struct private_eap_manager_t private_eap_manager_t;
 typedef struct eap_entry_t eap_entry_t;
@@ -25,22 +25,22 @@ typedef struct eap_entry_t eap_entry_t;
  * EAP constructor entry
  */
 struct eap_entry_t {
-	
+
 	/**
 	 * EAP method type, vendor specific if vendor is set
 	 */
 	eap_type_t type;
-	
+
 	/**
 	 * vendor ID, 0 for default EAP methods
 	 */
 	u_int32_t vendor;
-	
+
 	/**
 	 * Role of the method returned by the constructor, EAP_SERVER or EAP_PEER
 	 */
 	eap_role_t role;
-	
+
 	/**
 	 * constructor function to create instance
 	 */
@@ -56,12 +56,12 @@ struct private_eap_manager_t {
 	 * public functions
 	 */
 	eap_manager_t public;
-	
+
 	/**
 	 * list of eap_entry_t's
 	 */
 	linked_list_t *methods;
-	
+
 	/**
 	 * rwlock to lock methods
 	 */
@@ -76,7 +76,7 @@ static void add_method(private_eap_manager_t *this, eap_type_t type,
 					   eap_constructor_t constructor)
 {
 	eap_entry_t *entry = malloc_thing(eap_entry_t);
-	
+
 	entry->type = type;
 	entry->vendor = vendor;
 	entry->role = role;
@@ -94,7 +94,7 @@ static void remove_method(private_eap_manager_t *this, eap_constructor_t constru
 {
 	enumerator_t *enumerator;
 	eap_entry_t *entry;
-	
+
 	this->lock->write_lock(this->lock);
 	enumerator = this->methods->create_enumerator(this->methods);
 	while (enumerator->enumerate(enumerator, &entry))
@@ -120,7 +120,7 @@ static eap_method_t* create_instance(private_eap_manager_t *this,
 	enumerator_t *enumerator;
 	eap_entry_t *entry;
 	eap_method_t *method = NULL;
-	
+
 	this->lock->read_lock(this->lock);
 	enumerator = this->methods->create_enumerator(this->methods);
 	while (enumerator->enumerate(enumerator, &entry))
@@ -156,15 +156,15 @@ static void destroy(private_eap_manager_t *this)
 eap_manager_t *eap_manager_create()
 {
 	private_eap_manager_t *this = malloc_thing(private_eap_manager_t);
-	
+
 	this->public.add_method = (void(*)(eap_manager_t*, eap_type_t type, u_int32_t vendor, eap_role_t role, eap_constructor_t constructor))add_method;
 	this->public.remove_method = (void(*)(eap_manager_t*, eap_constructor_t constructor))remove_method;
 	this->public.create_instance = (eap_method_t*(*)(eap_manager_t*, eap_type_t type, u_int32_t vendor, eap_role_t role, identification_t*,identification_t*))create_instance;
 	this->public.destroy = (void(*)(eap_manager_t*))destroy;
-	
+
 	this->methods = linked_list_create();
 	this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
-	
+
 	return &this->public;
 }
 
diff --git a/src/charon/sa/authenticators/eap/eap_manager.h b/src/charon/sa/authenticators/eap/eap_manager.h
index 667c54a8e..0333fb6da 100644
--- a/src/charon/sa/authenticators/eap/eap_manager.h
+++ b/src/charon/sa/authenticators/eap/eap_manager.h
@@ -45,14 +45,14 @@ struct eap_manager_t {
 	 */
 	void (*add_method)(eap_manager_t *this, eap_type_t type, u_int32_t vendor,
 					   eap_role_t role, eap_constructor_t constructor);
-	
+
 	/**
 	 * Unregister a EAP method implementation using it's constructor.
 	 *
 	 * @param constructor	constructor function to remove, as added in add_method
 	 */
 	void (*remove_method)(eap_manager_t *this, eap_constructor_t constructor);
-	
+
 	/**
 	 * Create a new EAP method instance.
 	 *
@@ -67,11 +67,11 @@ struct eap_manager_t {
 									 u_int32_t vendor, eap_role_t role,
 									 identification_t *server,
 									 identification_t *peer);
-	
+
 	/**
-     * Destroy a eap_manager instance.
-     */
-    void (*destroy)(eap_manager_t *this);
+	 * Destroy a eap_manager instance.
+	 */
+	void (*destroy)(eap_manager_t *this);
 };
 
 /**
diff --git a/src/charon/sa/authenticators/eap/eap_method.c b/src/charon/sa/authenticators/eap/eap_method.c
index 1d1900301..91fa5305f 100644
--- a/src/charon/sa/authenticators/eap/eap_method.c
+++ b/src/charon/sa/authenticators/eap/eap_method.c
@@ -34,6 +34,25 @@ ENUM_NEXT(eap_type_names, EAP_RADIUS, EAP_EXPERIMENTAL, EAP_MSCHAPV2,
 	"EAP_EXPERIMENTAL");
 ENUM_END(eap_type_names, EAP_EXPERIMENTAL);
 
+ENUM_BEGIN(eap_type_short_names, EAP_IDENTITY, EAP_GTC,
+	"ID",
+	"NTF",
+	"NAK",
+	"MD5",
+	"OTP",
+	"GTC");
+ENUM_NEXT(eap_type_short_names, EAP_SIM, EAP_SIM, EAP_GTC,
+	"SIM");
+ENUM_NEXT(eap_type_short_names, EAP_AKA, EAP_AKA, EAP_SIM,
+	"AKA");
+ENUM_NEXT(eap_type_short_names, EAP_MSCHAPV2, EAP_MSCHAPV2, EAP_AKA,
+	"MSCHAPV2");
+ENUM_NEXT(eap_type_short_names, EAP_RADIUS, EAP_EXPERIMENTAL, EAP_MSCHAPV2,
+	"RAD",
+	"EXP",
+	"XP");
+ENUM_END(eap_type_short_names, EAP_EXPERIMENTAL);
+
 /*
  * See header
  */
@@ -53,7 +72,7 @@ eap_type_t eap_type_from_string(char *name)
 		{"mschapv2",	EAP_MSCHAPV2},
 		{"radius",		EAP_RADIUS},
 	};
-	
+
 	for (i = 0; i < countof(types); i++)
 	{
 		if (strcaseeq(name, types[i].name))
@@ -71,6 +90,13 @@ ENUM(eap_code_names, EAP_REQUEST, EAP_FAILURE,
 	"EAP_FAILURE",
 );
 
+ENUM(eap_code_short_names, EAP_REQUEST, EAP_FAILURE,
+	"REQ",
+	"RES",
+	"SUCC",
+	"FAIL",
+);
+
 ENUM(eap_role_names, EAP_SERVER, EAP_PEER,
 	"EAP_SERVER",
 	"EAP_PEER",
diff --git a/src/charon/sa/authenticators/eap/eap_method.h b/src/charon/sa/authenticators/eap/eap_method.h
index 578b89e96..4cab84535 100644
--- a/src/charon/sa/authenticators/eap/eap_method.h
+++ b/src/charon/sa/authenticators/eap/eap_method.h
@@ -66,6 +66,11 @@ enum eap_type_t {
  */
 extern enum_name_t *eap_type_names;
 
+/**
+ * short string enum names for eap_type_t.
+ */
+extern enum_name_t *eap_type_short_names;
+
 /**
  * Lookup the EAP method type from a string.
  *
@@ -89,6 +94,11 @@ enum eap_code_t {
  */
 extern enum_name_t *eap_code_names;
 
+/**
+ * short string enum names for eap_code_t.
+ */
+extern enum_name_t *eap_code_short_names;
+
 /**
  * Interface of an EAP method for server and client side.
  *
@@ -107,7 +117,7 @@ extern enum_name_t *eap_code_names;
  * EAP-Identity exchange always uses identifier 0.
  */
 struct eap_method_t {
-	
+
 	/**
 	 * Initiate the EAP exchange.
 	 *
@@ -121,7 +131,7 @@ struct eap_method_t {
 	 * 					- FAILED, if unable to create eap request payload
 	 */
 	status_t (*initiate) (eap_method_t *this, eap_payload_t **out);
-	
+
 	/**
 	 * Process a received EAP message.
 	 *
@@ -136,7 +146,7 @@ struct eap_method_t {
 	 */
 	status_t (*process) (eap_method_t *this, eap_payload_t *in,
 						 eap_payload_t **out);
-	
+
 	/**
 	 * Get the EAP type implemented in this method.
 	 *
@@ -144,17 +154,17 @@ struct eap_method_t {
 	 * @return			type of the EAP method
 	 */
 	eap_type_t (*get_type) (eap_method_t *this, u_int32_t *vendor);
-	
+
 	/**
 	 * Check if this EAP method authenticates the server.
 	 *
-	 * Some EAP methods provide mutual authentication and 
+	 * Some EAP methods provide mutual authentication and
 	 * allow authentication using only EAP, if the peer supports it.
 	 *
 	 * @return			TRUE if methods provides mutual authentication
 	 */
 	bool (*is_mutual) (eap_method_t *this);
-	
+
 	/**
 	 * Get the MSK established by this EAP method.
 	 *
@@ -167,7 +177,7 @@ struct eap_method_t {
 	 * 					- FAILED, if MSK not established (yet)
 	 */
 	status_t (*get_msk) (eap_method_t *this, chunk_t *msk);
-	
+
 	/**
 	 * Destroys a eap_method_t object.
 	 */
diff --git a/src/charon/sa/authenticators/eap/sim_manager.c b/src/charon/sa/authenticators/eap/sim_manager.c
index 51cd4fb3f..5060a3147 100644
--- a/src/charon/sa/authenticators/eap/sim_manager.c
+++ b/src/charon/sa/authenticators/eap/sim_manager.c
@@ -15,6 +15,7 @@
 
 #include "sim_manager.h"
 
+#include <daemon.h>
 #include <utils/linked_list.h>
 
 typedef struct private_sim_manager_t private_sim_manager_t;
@@ -23,21 +24,26 @@ typedef struct private_sim_manager_t private_sim_manager_t;
  * Private data of an sim_manager_t object.
  */
 struct private_sim_manager_t {
-	
+
 	/**
 	 * Public sim_manager_t interface.
 	 */
 	sim_manager_t public;
-	
+
 	/**
 	 * list of added cards
 	 */
 	linked_list_t *cards;
-	
+
 	/**
 	 * list of added provider
 	 */
-	linked_list_t *provider;
+	linked_list_t *providers;
+
+	/**
+	 * list of added hooks
+	 */
+	linked_list_t *hooks;
 };
 
 /**
@@ -57,37 +63,431 @@ static void remove_card(private_sim_manager_t *this, sim_card_t *card)
 }
 
 /**
- * Implementation of sim_manager_t.create_card_enumerator
+ * Implementation of sim_manager_t.card_get_triplet
+ */
+static bool card_get_triplet(private_sim_manager_t *this, identification_t *id,
+							 char rand[SIM_RAND_LEN], char sres[SIM_SRES_LEN],
+							 char kc[SIM_KC_LEN])
+{
+	enumerator_t *enumerator;
+	sim_card_t *card;
+	int tried = 0;
+
+	enumerator = this->cards->create_enumerator(this->cards);
+	while (enumerator->enumerate(enumerator, &card))
+	{
+		if (card->get_triplet(card, id, rand, sres, kc))
+		{
+			enumerator->destroy(enumerator);
+			return TRUE;
+		}
+		tried++;
+	}
+	enumerator->destroy(enumerator);
+	DBG1(DBG_IKE, "tried %d SIM cards, but none has triplets for '%Y'",
+		 tried, id);
+	return FALSE;
+}
+
+/**
+ * Implementation of sim_manager_t.card_get_quintuplet
+ */
+static status_t card_get_quintuplet(private_sim_manager_t *this,
+								identification_t *id, char rand[AKA_RAND_LEN],
+								char autn[AKA_AUTN_LEN], char ck[AKA_CK_LEN],
+								char ik[AKA_IK_LEN], char res[AKA_RES_MAX],
+								int *res_len)
+{
+	enumerator_t *enumerator;
+	sim_card_t *card;
+	status_t status = NOT_FOUND;
+	int tried = 0;
+
+	enumerator = this->cards->create_enumerator(this->cards);
+	while (enumerator->enumerate(enumerator, &card))
+	{
+		status = card->get_quintuplet(card, id, rand, autn, ck, ik, res, res_len);
+		switch (status)
+		{	/* try next on error, but not on INVALID_STATE */
+			case SUCCESS:
+			case INVALID_STATE:
+				enumerator->destroy(enumerator);
+				return status;
+			case NOT_SUPPORTED:
+			case FAILED:
+			default:
+				tried++;
+				continue;
+		}
+	}
+	enumerator->destroy(enumerator);
+	DBG1(DBG_IKE, "tried %d SIM cards, but none has quintuplets for '%Y'",
+		 tried, id);
+	return status;
+}
+
+/**
+ * Implementation of sim_manager_t.card_resync
+ */
+static bool card_resync(private_sim_manager_t *this, identification_t *id,
+						char rand[AKA_RAND_LEN], char auts[AKA_AUTS_LEN])
+{
+	enumerator_t *enumerator;
+	sim_card_t *card;
+
+	enumerator = this->cards->create_enumerator(this->cards);
+	while (enumerator->enumerate(enumerator, &card))
+	{
+		if (card->resync(card, id, rand, auts))
+		{
+			enumerator->destroy(enumerator);
+			return TRUE;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return FALSE;
+}
+
+/**
+ * Implementation of sim_manager_t.card_set_pseudonym
+ */
+static void card_set_pseudonym(private_sim_manager_t *this,
+							identification_t *id, identification_t *pseudonym)
+{
+	enumerator_t *enumerator;
+	sim_card_t *card;
+
+	DBG1(DBG_IKE, "storing pseudonym '%Y' for '%Y'", pseudonym, id);
+
+	enumerator = this->cards->create_enumerator(this->cards);
+	while (enumerator->enumerate(enumerator, &card))
+	{
+		card->set_pseudonym(card, id, pseudonym);
+	}
+	enumerator->destroy(enumerator);
+}
+
+/**
+ * Implementation of sim_manager_t.card_get_pseudonym
+ */
+static identification_t* card_get_pseudonym(private_sim_manager_t *this,
+											identification_t *id)
+{
+	enumerator_t *enumerator;
+	sim_card_t *card;
+	identification_t *pseudonym = NULL;
+
+	enumerator = this->cards->create_enumerator(this->cards);
+	while (enumerator->enumerate(enumerator, &card))
+	{
+		pseudonym = card->get_pseudonym(card, id);
+		if (pseudonym)
+		{
+			DBG1(DBG_IKE, "using stored pseudonym identity '%Y' "
+				 "instead of '%Y'", pseudonym, id);
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return pseudonym;
+}
+
+/**
+ * Implementation of sim_manager_t.card_set_reauth
  */
-static enumerator_t* create_card_enumerator(private_sim_manager_t *this)
+static void card_set_reauth(private_sim_manager_t *this, identification_t *id,
+							identification_t *next, char mk[HASH_SIZE_SHA1],
+							u_int16_t counter)
 {
-	return this->cards->create_enumerator(this->cards);
+	enumerator_t *enumerator;
+	sim_card_t *card;
+
+	DBG1(DBG_IKE, "storing next reauthentication identity '%Y' for '%Y'",
+		 next, id);
+
+	enumerator = this->cards->create_enumerator(this->cards);
+	while (enumerator->enumerate(enumerator, &card))
+	{
+		card->set_reauth(card, id, next, mk, counter);
+	}
+	enumerator->destroy(enumerator);
+}
+
+/**
+ * Implementation of sim_manager_t.card_get_reauth
+ */
+static identification_t* card_get_reauth(private_sim_manager_t *this,
+								identification_t *id, char mk[HASH_SIZE_SHA1],
+								u_int16_t *counter)
+{
+	enumerator_t *enumerator;
+	sim_card_t *card;
+	identification_t *reauth = NULL;
+
+	enumerator = this->cards->create_enumerator(this->cards);
+	while (enumerator->enumerate(enumerator, &card))
+	{
+		reauth = card->get_reauth(card, id, mk, counter);
+		if (reauth)
+		{
+			DBG1(DBG_IKE, "using stored reauthentication identity '%Y' "
+				 "instead of '%Y'", reauth, id);
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return reauth;
 }
 
 /**
  * Implementation of sim_manager_t.add_provider
  */
-static void add_provider(private_sim_manager_t *this,
-							  sim_provider_t *provider)
+static void add_provider(private_sim_manager_t *this, sim_provider_t *provider)
 {
-	this->provider->insert_last(this->provider, provider);
+	this->providers->insert_last(this->providers, provider);
 }
 
 /**
  * Implementation of sim_manager_t.remove_provider
  */
 static void remove_provider(private_sim_manager_t *this,
-								sim_provider_t *provider)
+							sim_provider_t *provider)
 {
-	this->provider->remove(this->provider, provider, NULL);
+	this->providers->remove(this->providers, provider, NULL);
 }
 
 /**
- * Implementation of sim_manager_t.create_provider_enumerator
+ * Implementation of sim_manager_t.provider_get_triplet
  */
-static enumerator_t* create_provider_enumerator(private_sim_manager_t *this)
+static bool provider_get_triplet(private_sim_manager_t *this,
+								 identification_t *id, char rand[SIM_RAND_LEN],
+								 char sres[SIM_SRES_LEN], char kc[SIM_KC_LEN])
 {
-	return this->provider->create_enumerator(this->provider);
+	enumerator_t *enumerator;
+	sim_provider_t *provider;
+	int tried = 0;
+
+	enumerator = this->providers->create_enumerator(this->providers);
+	while (enumerator->enumerate(enumerator, &provider))
+	{
+		if (provider->get_triplet(provider, id, rand, sres, kc))
+		{
+			enumerator->destroy(enumerator);
+			return TRUE;
+		}
+		tried++;
+	}
+	enumerator->destroy(enumerator);
+	DBG1(DBG_IKE, "tried %d SIM providers, but none had a triplet for '%Y'",
+		 tried, id);
+	return FALSE;
+}
+
+/**
+ * Implementation of sim_manager_t.provider_get_quintuplet
+ */
+static bool provider_get_quintuplet(private_sim_manager_t *this,
+								identification_t *id, char rand[AKA_RAND_LEN],
+								char xres[AKA_RES_MAX], int *xres_len,
+								char ck[AKA_CK_LEN], char ik[AKA_IK_LEN],
+								char autn[AKA_AUTN_LEN])
+{
+	enumerator_t *enumerator;
+	sim_provider_t *provider;
+	int tried = 0;
+
+	enumerator = this->providers->create_enumerator(this->providers);
+	while (enumerator->enumerate(enumerator, &provider))
+	{
+		if (provider->get_quintuplet(provider, id, rand, xres, xres_len,
+									 ck, ik, autn))
+		{
+			enumerator->destroy(enumerator);
+			return TRUE;
+		}
+	}
+	enumerator->destroy(enumerator);
+	DBG1(DBG_IKE, "tried %d SIM providers, but none had a quintuplet for '%Y'",
+		 tried, id);
+	return FALSE;
+}
+
+/**
+ * Implementation of sim_manager_t.provider_resync
+ */
+static bool provider_resync(private_sim_manager_t *this, identification_t *id,
+							char rand[AKA_RAND_LEN], char auts[AKA_AUTS_LEN])
+{
+	enumerator_t *enumerator;
+	sim_provider_t *provider;
+
+	enumerator = this->providers->create_enumerator(this->providers);
+	while (enumerator->enumerate(enumerator, &provider))
+	{
+		if (provider->resync(provider, id, rand, auts))
+		{
+			enumerator->destroy(enumerator);
+			return TRUE;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return FALSE;
+}
+
+/**
+ * Implementation of sim_manager_t.provider_is_pseudonym
+ */
+static identification_t* provider_is_pseudonym(private_sim_manager_t *this,
+											   identification_t *id)
+{
+	enumerator_t *enumerator;
+	sim_provider_t *provider;
+	identification_t *permanent = NULL;
+
+	enumerator = this->providers->create_enumerator(this->providers);
+	while (enumerator->enumerate(enumerator, &provider))
+	{
+		permanent = provider->is_pseudonym(provider, id);
+		if (permanent)
+		{
+			DBG1(DBG_IKE, "received pseudonym identity '%Y' "
+				 "mapping to '%Y'", id, permanent);
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return permanent;
+}
+
+/**
+ * Implementation of sim_manager_t.provider_gen_pseudonym
+ */
+static identification_t* provider_gen_pseudonym(private_sim_manager_t *this,
+												identification_t *id)
+{
+	enumerator_t *enumerator;
+	sim_provider_t *provider;
+	identification_t *pseudonym = NULL;
+
+	enumerator = this->providers->create_enumerator(this->providers);
+	while (enumerator->enumerate(enumerator, &provider))
+	{
+		pseudonym = provider->gen_pseudonym(provider, id);
+		if (pseudonym)
+		{
+			DBG1(DBG_IKE, "proposing new pseudonym '%Y'", pseudonym);
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return pseudonym;
+}
+
+/**
+ * Implementation of sim_manager_t.provider_is_reauth
+ */
+static identification_t* provider_is_reauth(private_sim_manager_t *this,
+								identification_t *id, char mk[HASH_SIZE_SHA1],
+								u_int16_t *counter)
+{
+	enumerator_t *enumerator;
+	sim_provider_t *provider;
+	identification_t *permanent = NULL;
+
+	enumerator = this->providers->create_enumerator(this->providers);
+	while (enumerator->enumerate(enumerator, &provider))
+	{
+		permanent = provider->is_reauth(provider, id, mk, counter);
+		if (permanent)
+		{
+			DBG1(DBG_IKE, "received reauthentication identity '%Y' "
+				 "mapping to '%Y'", id, permanent);
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return permanent;
+}
+
+/**
+ * Implementation of sim_manager_t.provider_gen_reauth
+ */
+static identification_t* provider_gen_reauth(private_sim_manager_t *this,
+								identification_t *id, char mk[HASH_SIZE_SHA1])
+{
+	enumerator_t *enumerator;
+	sim_provider_t *provider;
+	identification_t *reauth = NULL;
+
+	enumerator = this->providers->create_enumerator(this->providers);
+	while (enumerator->enumerate(enumerator, &provider))
+	{
+		reauth = provider->gen_reauth(provider, id, mk);
+		if (reauth)
+		{
+			DBG1(DBG_IKE, "proposing new reauthentication identity '%Y'", reauth);
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return reauth;
+}
+
+/**
+ * Implementation of sim_manager_t.add_hooks
+ */
+static void add_hooks(private_sim_manager_t *this, sim_hooks_t *hooks)
+{
+	this->hooks->insert_last(this->hooks, hooks);
+}
+
+/**
+ * Implementation of sim_manager_t.remove_hooks
+ */
+static void remove_hooks(private_sim_manager_t *this, sim_hooks_t *hooks)
+{
+	this->hooks->remove(this->hooks, hooks, NULL);
+}
+
+/**
+ * Implementation of sim_manager_t.attribute_hook
+ */
+static bool attribute_hook(private_sim_manager_t *this, eap_code_t code,
+						   eap_type_t type, u_int8_t subtype,
+						   u_int8_t attribute, chunk_t data)
+{
+	enumerator_t *enumerator;
+	sim_hooks_t *hooks;
+	bool filter = FALSE;
+
+	enumerator = this->hooks->create_enumerator(this->hooks);
+	while (enumerator->enumerate(enumerator, &hooks))
+	{
+		if (hooks->attribute(hooks, code, type, subtype, attribute, data))
+		{
+			filter = TRUE;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return filter;
+}
+
+/**
+ * Implementation of sim_manager_t.key_hook
+ */
+static void key_hook(private_sim_manager_t *this,
+					 chunk_t k_encr, chunk_t k_auth)
+{
+	enumerator_t *enumerator;
+	sim_hooks_t *hooks;
+
+	enumerator = this->hooks->create_enumerator(this->hooks);
+	while (enumerator->enumerate(enumerator, &hooks))
+	{
+		hooks->keys(hooks, k_encr, k_auth);
+	}
+	enumerator->destroy(enumerator);
 }
 
 /**
@@ -96,7 +496,8 @@ static enumerator_t* create_provider_enumerator(private_sim_manager_t *this)
 static void destroy(private_sim_manager_t *this)
 {
 	this->cards->destroy(this->cards);
-	this->provider->destroy(this->provider);
+	this->providers->destroy(this->providers);
+	this->hooks->destroy(this->hooks);
 	free(this);
 }
 
@@ -106,18 +507,35 @@ static void destroy(private_sim_manager_t *this)
 sim_manager_t *sim_manager_create()
 {
 	private_sim_manager_t *this = malloc_thing(private_sim_manager_t);
-	
+
 	this->public.add_card = (void(*)(sim_manager_t*, sim_card_t *card))add_card;
 	this->public.remove_card = (void(*)(sim_manager_t*, sim_card_t *card))remove_card;
-	this->public.create_card_enumerator = (enumerator_t*(*)(sim_manager_t*))create_card_enumerator;
+	this->public.card_get_triplet = (bool(*)(sim_manager_t*, identification_t *id, char rand[SIM_RAND_LEN], char sres[SIM_SRES_LEN], char kc[SIM_KC_LEN]))card_get_triplet;
+	this->public.card_get_quintuplet = (status_t(*)(sim_manager_t*, identification_t *id, char rand[AKA_RAND_LEN], char autn[AKA_AUTN_LEN], char ck[AKA_CK_LEN], char ik[AKA_IK_LEN], char res[AKA_RES_MAX], int *res_len))card_get_quintuplet;
+	this->public.card_resync = (bool(*)(sim_manager_t*, identification_t *id, char rand[AKA_RAND_LEN], char auts[AKA_AUTS_LEN]))card_resync;
+	this->public.card_set_pseudonym = (void(*)(sim_manager_t*, identification_t *id, identification_t *pseudonym))card_set_pseudonym;
+	this->public.card_get_pseudonym = (identification_t*(*)(sim_manager_t*, identification_t *id))card_get_pseudonym;
+	this->public.card_set_reauth = (void(*)(sim_manager_t*, identification_t *id, identification_t *next, char mk[HASH_SIZE_SHA1], u_int16_t counter))card_set_reauth;
+	this->public.card_get_reauth = (identification_t*(*)(sim_manager_t*, identification_t *id, char mk[HASH_SIZE_SHA1], u_int16_t *counter))card_get_reauth;
 	this->public.add_provider = (void(*)(sim_manager_t*, sim_provider_t *provider))add_provider;
 	this->public.remove_provider = (void(*)(sim_manager_t*, sim_provider_t *provider))remove_provider;
-	this->public.create_provider_enumerator = (enumerator_t*(*)(sim_manager_t*))create_provider_enumerator;
+	this->public.provider_get_triplet = (bool(*)(sim_manager_t*, identification_t *id, char rand[SIM_RAND_LEN], char sres[SIM_SRES_LEN], char kc[SIM_KC_LEN]))provider_get_triplet;
+	this->public.provider_get_quintuplet = (bool(*)(sim_manager_t*, identification_t *id, char rand[AKA_RAND_LEN], char xres[AKA_RES_MAX], int *xres_len, char ck[AKA_CK_LEN], char ik[AKA_IK_LEN], char autn[AKA_AUTN_LEN]))provider_get_quintuplet;
+	this->public.provider_resync = (bool(*)(sim_manager_t*, identification_t *id, char rand[AKA_RAND_LEN], char auts[AKA_AUTS_LEN]))provider_resync;
+	this->public.provider_is_pseudonym = (identification_t*(*)(sim_manager_t*, identification_t *id))provider_is_pseudonym;
+	this->public.provider_gen_pseudonym = (identification_t*(*)(sim_manager_t*, identification_t *id))provider_gen_pseudonym;
+	this->public.provider_is_reauth = (identification_t*(*)(sim_manager_t*, identification_t *id, char mk[HASH_SIZE_SHA1], u_int16_t *counter))provider_is_reauth;
+	this->public.provider_gen_reauth = (identification_t*(*)(sim_manager_t*, identification_t *id, char mk[HASH_SIZE_SHA1]))provider_gen_reauth;
+	this->public.add_hooks = (void(*)(sim_manager_t*, sim_hooks_t *hooks))add_hooks;
+	this->public.remove_hooks = (void(*)(sim_manager_t*, sim_hooks_t *hooks))remove_hooks;
+	this->public.attribute_hook = (bool(*)(sim_manager_t*, eap_code_t code, eap_type_t type, u_int8_t subtype, u_int8_t attribute, chunk_t data))attribute_hook;
+	this->public.key_hook = (void(*)(sim_manager_t*, chunk_t k_encr, chunk_t k_auth))key_hook;
 	this->public.destroy = (void(*)(sim_manager_t*))destroy;
-	
+
 	this->cards = linked_list_create();
-	this->provider = linked_list_create();
-	
+	this->providers = linked_list_create();
+	this->hooks = linked_list_create();
+
 	return &this->public;
 }
 
diff --git a/src/charon/sa/authenticators/eap/sim_manager.h b/src/charon/sa/authenticators/eap/sim_manager.h
index 3c6d66dfe..49d27cbaa 100644
--- a/src/charon/sa/authenticators/eap/sim_manager.h
+++ b/src/charon/sa/authenticators/eap/sim_manager.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008 Martin Willi
+ * Copyright (C) 2008-2009 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -21,105 +21,484 @@
 #ifndef SIM_MANAGER_H_
 #define SIM_MANAGER_H_
 
+#include <crypto/hashers/hasher.h>
 #include <utils/identification.h>
 #include <utils/enumerator.h>
+#include <sa/authenticators/eap/eap_method.h>
 
 typedef struct sim_manager_t sim_manager_t;
 typedef struct sim_card_t sim_card_t;
 typedef struct sim_provider_t sim_provider_t;
+typedef struct sim_hooks_t sim_hooks_t;
+
+#define SIM_RAND_LEN	16
+#define SIM_SRES_LEN	 4
+#define SIM_KC_LEN		 8
+
+#define AKA_RAND_LEN	16
+#define AKA_RES_MAX		16
+#define AKA_CK_LEN		16
+#define AKA_IK_LEN		16
+#define AKA_AUTN_LEN	16
+#define AKA_AUTS_LEN	14
 
 /**
- * Interface for a SIM card (used as EAP client).
+ * Interface for a (U)SIM card (used as EAP client).
+ *
+ * The SIM card completes triplets/quintuplets requested in a challenge
+ * received from the server.
+ * An implementation supporting only one of SIM/AKA authentication may
+ * implement the other methods with return_false()/return NOT_SUPPORTED/NULL.
  */
 struct sim_card_t {
 
 	/**
-	 * Get the identity of a SIM card.
+	 * Calculate SRES/KC from a RAND for SIM authentication.
+	 *
+	 * @param id		permanent identity to get a triplet for
+	 * @param rand		RAND input buffer, fixed size 16 bytes
+	 * @param sres		SRES output buffer, fixed size 4 byte
+	 * @param kc		KC output buffer, fixed size 8 bytes
+	 * @return			TRUE if SRES/KC calculated, FALSE on error/wrong identity
+	 */
+	bool (*get_triplet)(sim_card_t *this, identification_t *id,
+						char rand[SIM_RAND_LEN], char sres[SIM_SRES_LEN],
+						char kc[SIM_KC_LEN]);
+
+	/**
+	 * Calculate CK/IK/RES from RAND/AUTN for AKA authentication.
+	 *
+	 * If the received sequence number (in autn) is out of sync, INVALID_STATE
+	 * is returned.
+	 * The RES value is the only one with variable length. Pass a buffer
+	 * of at least AKA_RES_MAX, the actual number of bytes is written to the
+	 * res_len value. While the standard would allow any bit length between
+	 * 32 and 128 bits, we support only full bytes for now.
+	 *
+	 * @param id		permanent identity to request quintuplet for
+	 * @param rand		random value rand
+	 * @param autn		authentication token autn
+	 * @param ck		buffer receiving encryption key ck
+	 * @param ik		buffer receiving integrity key ik
+	 * @param res		buffer receiving authentication result res
+	 * @param res_len	nubmer of bytes written to res buffer
+	 * @return			SUCCESS, FAILED, or INVALID_STATE if out of sync
+	 */
+	status_t (*get_quintuplet)(sim_card_t *this, identification_t *id,
+							   char rand[AKA_RAND_LEN], char autn[AKA_AUTN_LEN],
+							   char ck[AKA_CK_LEN], char ik[AKA_IK_LEN],
+							   char res[AKA_RES_MAX], int *res_len);
+
+	/**
+	 * Calculate AUTS from RAND for AKA resynchronization.
+	 *
+	 * @param id		permanent identity to request quintuplet for
+	 * @param rand		random value rand
+	 * @param auts		resynchronization parameter auts
+	 * @return			TRUE if parameter generated successfully
+	 */
+	bool (*resync)(sim_card_t *this, identification_t *id,
+				   char rand[AKA_RAND_LEN], char auts[AKA_AUTS_LEN]);
+
+	/**
+	 * Set the pseudonym to use for next authentication.
+	 *
+	 * @param id		permanent identity of the peer
+	 * @param pseudonym	pseudonym identity received from the server
+	 */
+	void (*set_pseudonym)(sim_card_t *this, identification_t *id,
+						  identification_t *pseudonym);
+
+	/**
+	 * Get the pseudonym previously stored via set_pseudonym().
 	 *
-	 * The returned identity owned by the sim_card and not destroyed outside.
-	 * The SIM card may return ID_ANY if it does not support/use an IMSI.
+	 * @param id		permanent identity of the peer
+	 * @return			associated pseudonym identity, NULL if none stored
+	 */
+	identification_t* (*get_pseudonym)(sim_card_t *this, identification_t *id);
+
+	/**
+	 * Store parameters to use for the next fast reauthentication.
 	 *
-	 * @return		identity
+	 * @param id		permanent identity of the peer
+	 * @param next		next fast reauthentication identity to use
+	 * @param mk		master key MK to store for reauthentication
+	 * @param counter	counter value to store, host order
 	 */
-	identification_t* (*get_imsi)(sim_card_t *this);
-	
+	void (*set_reauth)(sim_card_t *this, identification_t *id,
+					   identification_t *next, char mk[HASH_SIZE_SHA1],
+					   u_int16_t counter);
+
 	/**
-	 * Calculate SRES/KC from a RAND.
+	 * Retrieve parameters for fast reauthentication stored via set_reauth().
 	 *
-	 * @param rand	RAND input buffer, fixed size 16 bytes
-	 * @param sres	SRES output buffer, fixed size 4 byte
-	 * @param kc	KC output buffer, fixed size 8 bytes
-	 * @return		TRUE if SRES/KC calculated, FALSE on error
+	 * @param id		permanent identity of the peer
+	 * @param mk		buffer receiving master key MK
+	 * @param counter	pointer receiving counter value, in host order
+	 * @return			fast reauthentication identity, NULL if not found
 	 */
-	bool (*get_triplet)(sim_card_t *this,
-						char rand[16], char sres[4], char kc[8]);
+	identification_t* (*get_reauth)(sim_card_t *this, identification_t *id,
+									char mk[HASH_SIZE_SHA1], u_int16_t *counter);
 };
 
 /**
- * Interface for a triplet provider (used as EAP server).
+ * Interface for a triplet/quintuplet provider (used as EAP server).
+ *
+ * A SIM provider hands out triplets for SIM authentication and quintuplets
+ * for AKA authentication. Multiple SIM provider instances can serve as
+ * authentication backend to authenticate clients using SIM/AKA.
+ * An implementation supporting only one of SIM/AKA authentication may
+ * implement the other methods with return_false().
  */
 struct sim_provider_t {
-	
+
 	/**
-	 * Get a single triplet to authenticate a EAP client.
+	 * Create a challenge for SIM authentication.
 	 *
-	 * @param imsi	client identity
-	 * @param rand	RAND output buffer, fixed size 16 bytes
-	 * @param sres	SRES output buffer, fixed size 4 byte
-	 * @param kc	KC output buffer, fixed size 8 bytes
-	 * @return		TRUE if triplet received, FALSE otherwise
+	 * @param id		permanent identity of peer to gen triplet for
+	 * @param rand		RAND output buffer, fixed size 16 bytes
+	 * @param sres		SRES output buffer, fixed size 4 byte
+	 * @param kc		KC output buffer, fixed size 8 bytes
+	 * @return			TRUE if triplet received, FALSE otherwise
 	 */
-	bool (*get_triplet)(sim_provider_t *this, identification_t *imsi,
-						char rand[16], char sres[4], char kc[8]);
+	bool (*get_triplet)(sim_provider_t *this, identification_t *id,
+						char rand[SIM_RAND_LEN], char sres[SIM_SRES_LEN],
+						char kc[SIM_KC_LEN]);
+
+	/**
+	 * Create a challenge for AKA authentication.
+	 *
+	 * The XRES value is the only one with variable length. Pass a buffer
+	 * of at least AKA_RES_MAX, the actual number of bytes is written to the
+	 * xres_len value. While the standard would allow any bit length between
+	 * 32 and 128 bits, we support only full bytes for now.
+	 *
+	 * @param id		permanent identity of peer to create challenge for
+	 * @param rand		buffer receiving random value rand
+	 * @param xres		buffer receiving expected authentication result xres
+	 * @param xres_len	nubmer of bytes written to xres buffer
+	 * @param ck		buffer receiving encryption key ck
+	 * @param ik		buffer receiving integrity key ik
+	 * @param autn		authentication token autn
+	 * @return			TRUE if quintuplet generated successfully
+	 */
+	bool (*get_quintuplet)(sim_provider_t *this, identification_t *id,
+						   char rand[AKA_RAND_LEN],
+						   char xres[AKA_RES_MAX], int *xres_len,
+						   char ck[AKA_CK_LEN], char ik[AKA_IK_LEN],
+						   char autn[AKA_AUTN_LEN]);
+
+	/**
+	 * Process AKA resynchroniusation request of a peer.
+	 *
+	 * @param id		permanent identity of peer requesting resynchronisation
+	 * @param rand		random value rand
+	 * @param auts		synchronization parameter auts
+	 * @return			TRUE if resynchronized successfully
+	 */
+	bool (*resync)(sim_provider_t *this, identification_t *id,
+				   char rand[AKA_RAND_LEN], char auts[AKA_AUTS_LEN]);
+
+	/**
+	 * Check if peer uses a pseudonym, get permanent identity.
+	 *
+	 * @param id		pseudonym identity candidate
+	 * @return			permanent identity, NULL if id not a pseudonym
+	 */
+	identification_t* (*is_pseudonym)(sim_provider_t *this,
+									  identification_t *id);
+
+	/**
+	 * Generate a pseudonym identitiy for a given peer identity.
+	 *
+	 * @param id		permanent identity to generate a pseudonym for
+	 * @return			generated pseudonym, NULL to not use a pseudonym identity
+	 */
+	identification_t* (*gen_pseudonym)(sim_provider_t *this,
+									   identification_t *id);
+
+	/**
+	 * Check if peer uses reauthentication, retrieve reauth parameters.
+	 *
+	 * @param id		reauthentication identity (candidate)
+	 * @param mk		buffer receiving master key MK
+	 * @param counter	pointer receiving current counter value, host order
+	 * @return			permanent identity, NULL if id not a reauth identity
+	 */
+	identification_t* (*is_reauth)(sim_provider_t *this, identification_t *id,
+								   char mk[HASH_SIZE_SHA1], u_int16_t *counter);
+
+	/**
+	 * Generate a fast reauthentication identity, associated to a master key.
+	 *
+	 * @param id		permanent peer identity
+	 * @param mk		master key to store along with generated identity
+	 * @return			fast reauthentication identity, NULL to not use reauth
+	 */
+	identification_t* (*gen_reauth)(sim_provider_t *this, identification_t *id,
+									char mk[HASH_SIZE_SHA1]);
 };
 
 /**
- * The EAP-SIM manager handles multiple SIM cards and providers.
+ * Additional hooks invoked during EAP-SIM/AKA message processing.
+ */
+struct sim_hooks_t {
+
+	/**
+	 * SIM/AKA attribute parsing hook.
+	 *
+	 * @param code		code of EAP message the attribute was parsed from
+	 * @param type		EAP method, SIM or AKA
+	 * @param subtye	method specific subtype
+	 * @param attribute	parsed SIM/AKA attribute type
+	 * @param data		attribute data
+	 * @return			TRUE to filter out attribute from further processing
+	 */
+	bool (*attribute)(sim_hooks_t *this, eap_code_t code, eap_type_t type,
+					  u_int8_t subtype, u_int8_t attribute, chunk_t data);
+
+	/**
+	 * SIM/AKA encryption/authentication key hooks.
+	 *
+	 * @param k_encr	derived SIM/AKA encryption key k_encr
+	 * @param k_auth	derived SIM/AKA authentication key k_auth
+	 */
+	void (*keys)(sim_hooks_t *this, chunk_t k_encr, chunk_t k_auth);
+};
+
+/**
+ * The SIM manager handles multiple (U)SIM cards/providers and hooks.
  */
 struct sim_manager_t {
-	
+
 	/**
 	 * Register a SIM card (client) at the manager.
 	 *
 	 * @param card		sim card to register
 	 */
 	void (*add_card)(sim_manager_t *this, sim_card_t *card);
-	
+
 	/**
 	 * Unregister a previously registered card from the manager.
 	 *
 	 * @param card		sim card to unregister
 	 */
 	void (*remove_card)(sim_manager_t *this, sim_card_t *card);
-	
+
+	/**
+	 * Calculate SIM triplets on one of the registered SIM cards.
+	 *
+	 * @param id		permanent identity to get a triplet for
+	 * @param rand		RAND input buffer, fixed size 16 bytes
+	 * @param sres		SRES output buffer, fixed size 4 byte
+	 * @param kc		KC output buffer, fixed size 8 bytes
+	 * @return			TRUE if calculated, FALSE if no matching card found
+	 */
+	bool (*card_get_triplet)(sim_manager_t *this, identification_t *id,
+							 char rand[SIM_RAND_LEN], char sres[SIM_SRES_LEN],
+							 char kc[SIM_KC_LEN]);
+
+	/**
+	 * Calculate AKA quitpulets on one of the registered SIM cards.
+	 *
+	 * @param id		permanent identity to request quintuplet for
+	 * @param rand		random value rand
+	 * @param autn		authentication token autn
+	 * @param ck		buffer receiving encryption key ck
+	 * @param ik		buffer receiving integrity key ik
+	 * @param res		buffer receiving authentication result res
+	 * @param res_len	nubmer of bytes written to res buffer
+	 * @return			SUCCESS, FAILED, or INVALID_STATE if out of sync
+	 */
+	status_t (*card_get_quintuplet)(sim_manager_t *this, identification_t *id,
+								char rand[AKA_RAND_LEN], char autn[AKA_AUTN_LEN],
+								char ck[AKA_CK_LEN], char ik[AKA_IK_LEN],
+								char res[AKA_RES_MAX], int *res_len);
+
+	/**
+	 * Calculate resynchronization data on one of the registered SIM cards.
+	 *
+	 * @param id		permanent identity to request quintuplet for
+	 * @param rand		random value rand
+	 * @param auts		resynchronization parameter auts
+	 * @return			TRUE if calculated, FALSE if no matcing card found
+	 */
+	bool (*card_resync)(sim_manager_t *this, identification_t *id,
+						char rand[AKA_RAND_LEN], char auts[AKA_AUTS_LEN]);
+
+	/**
+	 * Store a received pseudonym on one of the registered SIM cards.
+	 *
+	 * @param id		permanent identity of the peer
+	 * @param pseudonym	pseudonym identity received from the server
+	 */
+	void (*card_set_pseudonym)(sim_manager_t *this, identification_t *id,
+							   identification_t *pseudonym);
+
+	/**
+	 * Get a stored pseudonym from one of the registerd SIM cards.
+	 *
+	 * @param id		permanent identity of the peer
+	 * @return			associated pseudonym identity, NULL if none found
+	 */
+	identification_t* (*card_get_pseudonym)(sim_manager_t *this,
+											identification_t *id);
+
 	/**
-	 * Create an enumerator over all registered cards.
+	 * Store fast reauthentication parameters on one of the registered cards.
 	 *
-	 * @return			enumerator over sim_card_t's
+	 * @param id		permanent identity of the peer
+	 * @param next		next fast reauthentication identity to use
+	 * @param mk		master key MK to store for reauthentication
+	 * @param counter	counter value to store, host order
 	 */
-	enumerator_t* (*create_card_enumerator)(sim_manager_t *this);
-	
+	void (*card_set_reauth)(sim_manager_t *this, identification_t *id,
+							identification_t *next, char mk[HASH_SIZE_SHA1],
+							u_int16_t counter);
+
+	/**
+	 * Retrieve fast reauthentication parameters from one of the registerd cards.
+	 *
+	 * @param id		permanent identity of the peer
+	 * @param mk		buffer receiving master key MK
+	 * @param counter	pointer receiving counter value, in host order
+	 * @return			fast reauthentication identity, NULL if none found
+	 */
+	identification_t* (*card_get_reauth)(sim_manager_t *this,
+								identification_t *id, char mk[HASH_SIZE_SHA1],
+								u_int16_t *counter);
+
 	/**
 	 * Register a triplet provider (server) at the manager.
 	 *
 	 * @param card		sim card to register
 	 */
 	void (*add_provider)(sim_manager_t *this, sim_provider_t *provider);
-	
+
 	/**
 	 * Unregister a previously registered provider from the manager.
 	 *
 	 * @param card		sim card to unregister
 	 */
 	void (*remove_provider)(sim_manager_t *this, sim_provider_t *provider);
-	
+
+	/**
+	 * Get a SIM triplet from one of the registered providers.
+	 *
+	 * @param id		permanent identity of peer to gen triplet for
+	 * @param rand		RAND output buffer, fixed size 16 bytes
+	 * @param sres		SRES output buffer, fixed size 4 byte
+	 * @param kc		KC output buffer, fixed size 8 bytes
+	 * @return			TRUE if triplet received, FALSE if no match found
+	 */
+	bool (*provider_get_triplet)(sim_manager_t *this, identification_t *id,
+							char rand[SIM_RAND_LEN], char sres[SIM_SRES_LEN],
+							char kc[SIM_KC_LEN]);
+
+	/**
+	 * Get a AKA quintuplet from one of the registered providers.
+	 *
+	 * @param id		permanent identity of peer to create challenge for
+	 * @param rand		buffer receiving random value rand
+	 * @param xres		buffer receiving expected authentication result xres
+	 * @param ck		buffer receiving encryption key ck
+	 * @param ik		buffer receiving integrity key ik
+	 * @param autn		authentication token autn
+	 * @return			TRUE if quintuplet received, FALSE if no match found
+	 */
+	bool (*provider_get_quintuplet)(sim_manager_t *this, identification_t *id,
+							char rand[AKA_RAND_LEN],
+							char xres[AKA_RES_MAX], int *xres_len,
+							char ck[AKA_CK_LEN], char ik[AKA_IK_LEN],
+							char autn[AKA_AUTN_LEN]);
+
 	/**
-	 * Create an enumerator over all registered provider.
+	 * Pass AKA resynchronization data to one of the registered providers.
 	 *
-	 * @return			enumerator over sim_provider_t's
+	 * @param id		permanent identity of peer requesting resynchronisation
+	 * @param rand		random value rand
+	 * @param auts		synchronization parameter auts
+	 * @return			TRUE if resynchronized, FALSE if not handled
 	 */
-	enumerator_t* (*create_provider_enumerator)(sim_manager_t *this);
-	
+	bool (*provider_resync)(sim_manager_t *this, identification_t *id,
+							char rand[AKA_RAND_LEN], char auts[AKA_AUTS_LEN]);
+
+	/**
+	 * Check if a peer uses a pseudonym using one of the registered providers.
+	 *
+	 * @param id		pseudonym identity candidate
+	 * @return			permanent identity, NULL if id not a pseudonym
+	 */
+	identification_t* (*provider_is_pseudonym)(sim_manager_t *this,
+											   identification_t *id);
+
+	/**
+	 * Generate a new pseudonym using one of the registered providers.
+	 *
+	 * @param id		permanent identity to generate a pseudonym for
+	 * @return			generated pseudonym, NULL to not use a pseudonym identity
+	 */
+	identification_t* (*provider_gen_pseudonym)(sim_manager_t *this,
+												identification_t *id);
+
+	/**
+	 * Check if a peer uses a reauth id using one of the registered providers.
+	 *
+	 * @param id		reauthentication identity (candidate)
+	 * @param mk		buffer receiving master key MK
+	 * @param counter	pointer receiving current counter value, host order
+	 * @return			permanent identity, NULL if not a known reauth identity
+	 */
+	identification_t* (*provider_is_reauth)(sim_manager_t *this,
+								identification_t *id, char mk[HASH_SIZE_SHA1],
+								u_int16_t *counter);
+
+	/**
+	 * Generate a fast reauth id using one of the registered providers.
+	 *
+	 * @param id		permanent peer identity
+	 * @param mk		master key to store along with generated identity
+	 * @return			fast reauthentication identity, NULL to not use reauth
+	 */
+	identification_t* (*provider_gen_reauth)(sim_manager_t *this,
+								identification_t *id, char mk[HASH_SIZE_SHA1]);
+
+	/**
+	 * Register a set of hooks to the manager.
+	 *
+	 * @param hooks		hook interface implementation to register
+	 */
+	void (*add_hooks)(sim_manager_t *this, sim_hooks_t *hooks);
+
+	/**
+	 * Unregister a set of hooks from the manager.
+	 *
+	 * @param hooks		hook interface implementation to unregister
+	 */
+	void (*remove_hooks)(sim_manager_t *this, sim_hooks_t *hooks);
+
+	/**
+	 * Invoke SIM/AKA attribute hook.
+	 *
+	 * @param code		EAP message code (Request/response/success/failed)
+	 * @param type		EAP method type, EAP-SIM or AKA
+	 * @param subtype	method specific message subtype
+	 * @param attribute	SIM/AKA attribute type
+	 * @param data		attribute data
+	 * @return			TRUE to filter out attribute from further processing
+	 */
+	bool (*attribute_hook)(sim_manager_t *this, eap_code_t code,
+						   eap_type_t type, u_int8_t subtype,
+						   u_int8_t attribute, chunk_t data);
+
+	/**
+	 * Invoke SIM/AKA key hook.
+	 *
+	 * @param k_encr	SIM/AKA encryption key k_encr
+	 * @param k_auth	SIM/AKA authentication key k_auth
+	 */
+	void (*key_hook)(sim_manager_t *this, chunk_t k_encr, chunk_t k_auth);
+
 	/**
 	 * Destroy a manager instance.
 	 */
@@ -127,7 +506,7 @@ struct sim_manager_t {
 };
 
 /**
- * Create an SIM manager to handle multiple SIM cards/providers.
+ * Create an SIM manager to handle multiple (U)SIM cards/providers.
  *
  * @return			sim_t object
  */
diff --git a/src/charon/sa/authenticators/eap_authenticator.c b/src/charon/sa/authenticators/eap_authenticator.c
index 2abdf7a02..16911050a 100644
--- a/src/charon/sa/authenticators/eap_authenticator.c
+++ b/src/charon/sa/authenticators/eap_authenticator.c
@@ -26,62 +26,67 @@ typedef struct private_eap_authenticator_t private_eap_authenticator_t;
  * Private data of an eap_authenticator_t object.
  */
 struct private_eap_authenticator_t {
-	
+
 	/**
 	 * Public authenticator_t interface.
 	 */
 	eap_authenticator_t public;
-	
+
 	/**
 	 * Assigned IKE_SA
 	 */
 	ike_sa_t *ike_sa;
-	
+
 	/**
 	 * others nonce to include in AUTH calculation
 	 */
 	chunk_t received_nonce;
-	
+
 	/**
 	 * our nonce to include in AUTH calculation
 	 */
 	chunk_t sent_nonce;
-	
+
 	/**
 	 * others IKE_SA_INIT message data to include in AUTH calculation
 	 */
 	chunk_t received_init;
-	
+
 	/**
 	 * our IKE_SA_INIT message data to include in AUTH calculation
 	 */
 	chunk_t sent_init;
-	
+
 	/**
 	 * Current EAP method processing
 	 */
 	eap_method_t *method;
-	
+
 	/**
 	 * MSK used to build and verify auth payload
 	 */
 	chunk_t msk;
-	
+
 	/**
 	 * EAP authentication method completed successfully
 	 */
 	bool eap_complete;
-	
+
+	/**
+	 * Set if we require mutual EAP due EAP-only authentication
+	 */
+	bool require_mutual;
+
 	/**
 	 * authentication payload verified successfully
 	 */
 	bool auth_complete;
-	
+
 	/**
 	 * generated EAP payload
 	 */
 	eap_payload_t *eap_payload;
-	
+
 	/**
 	 * EAP identity of peer
 	 */
@@ -95,7 +100,7 @@ static eap_method_t *load_method(private_eap_authenticator_t *this,
 							eap_type_t type, u_int32_t vendor, eap_role_t role)
 {
 	identification_t *server, *peer;
-	
+
 	if (role == EAP_SERVER)
 	{
 		server = this->ike_sa->get_my_id(this->ike_sa);
@@ -125,9 +130,10 @@ static eap_payload_t* server_initiate_eap(private_eap_authenticator_t *this,
 	identification_t *id;
 	u_int32_t vendor;
 	eap_payload_t *out;
-	
+	char *action;
+
 	auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
-	
+
 	/* initiate EAP-Identity exchange if required */
 	if (!this->eap_identity && do_identity)
 	{
@@ -150,32 +156,61 @@ static eap_payload_t* server_initiate_eap(private_eap_authenticator_t *this,
 	/* invoke real EAP method */
 	type = (uintptr_t)auth->get(auth, AUTH_RULE_EAP_TYPE);
 	vendor = (uintptr_t)auth->get(auth, AUTH_RULE_EAP_VENDOR);
+	action = "loading";
 	this->method = load_method(this, type, vendor, EAP_SERVER);
-	if (this->method &&
-		this->method->initiate(this->method, &out) == NEED_MORE)
+	if (this->method)
 	{
-		if (vendor)
+		action = "initiating";
+		if (this->method->initiate(this->method, &out) == NEED_MORE)
 		{
-			DBG1(DBG_IKE, "initiating EAP vendor type %d-%d", type, vendor);
-			
-		}
-		else
-		{
-			DBG1(DBG_IKE, "initiating %N", eap_type_names, type);
+			if (vendor)
+			{
+				DBG1(DBG_IKE, "initiating EAP vendor type %d-%d method",
+							  type, vendor);
+			}
+			else
+			{
+				DBG1(DBG_IKE, "initiating %N method", eap_type_names, type);
+			}
+			return out;
 		}
-		return out;
 	}
 	if (vendor)
 	{
-		DBG1(DBG_IKE, "initiating EAP vendor type %d-%d failed", type, vendor);
+		DBG1(DBG_IKE, "%s EAP vendor type %d-%d method failed",
+					  action, type,	vendor);
 	}
 	else
 	{
-		DBG1(DBG_IKE, "initiating %N failed", eap_type_names, type);
+		DBG1(DBG_IKE, "%s %N method failed", action, eap_type_names, type);
 	}
 	return eap_payload_create_code(EAP_FAILURE, 0);
 }
 
+/**
+ * Replace the existing EAP-Identity in other auth config
+ */
+static void replace_eap_identity(private_eap_authenticator_t *this)
+{
+	enumerator_t *enumerator;
+	auth_rule_t rule;
+	auth_cfg_t *cfg;
+	void *ptr;
+
+	cfg = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
+	enumerator = cfg->create_enumerator(cfg);
+	while (enumerator->enumerate(enumerator, &rule, &ptr))
+	{
+		if (rule == AUTH_RULE_EAP_IDENTITY)
+		{
+			cfg->replace(cfg, enumerator, AUTH_RULE_EAP_IDENTITY,
+						 this->eap_identity->clone(this->eap_identity));
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+}
+
 /**
  * Handle EAP exchange as server
  */
@@ -186,14 +221,14 @@ static eap_payload_t* server_process_eap(private_eap_authenticator_t *this,
 	u_int32_t vendor, received_vendor;
 	eap_payload_t *out;
 	auth_cfg_t *cfg;
-	
+
 	if (in->get_code(in) != EAP_RESPONSE)
 	{
 		DBG1(DBG_IKE, "received %N, sending %N",
 			 eap_code_names, in->get_code(in), eap_code_names, EAP_FAILURE);
 		return eap_payload_create_code(EAP_FAILURE, in->get_identifier(in));
 	}
-	
+
 	type = this->method->get_type(this->method, &vendor);
 	received_type = in->get_type(in, &received_vendor);
 	if (type != received_type || vendor != received_vendor)
@@ -210,7 +245,7 @@ static eap_payload_t* server_process_eap(private_eap_authenticator_t *this,
 		}
 		return eap_payload_create_code(EAP_FAILURE, in->get_identifier(in));
 	}
-	
+
 	switch (this->method->process(this->method, in, &out))
 	{
 		case NEED_MORE:
@@ -219,14 +254,13 @@ static eap_payload_t* server_process_eap(private_eap_authenticator_t *this,
 			if (type == EAP_IDENTITY)
 			{
 				chunk_t data;
-				char buf[256];
-				
+
 				if (this->method->get_msk(this->method, &data) == SUCCESS)
 				{
-					snprintf(buf, sizeof(buf), "%.*s", data.len, data.ptr);
-					this->eap_identity = identification_create_from_string(buf);
+					this->eap_identity = identification_create_from_data(data);
 					DBG1(DBG_IKE, "received EAP identity '%Y'",
 						 this->eap_identity);
+					replace_eap_identity(this);
 				}
 				/* restart EAP exchange, but with real method */
 				this->method->destroy(this->method);
@@ -262,7 +296,7 @@ static eap_payload_t* server_process_eap(private_eap_authenticator_t *this,
 			if (vendor)
 			{
 				DBG1(DBG_IKE, "EAP vendor specific method %d-%d failed for "
-					 "peer %Y", type, vendor, 
+					 "peer %Y", type, vendor,
 					 this->ike_sa->get_other_id(this->ike_sa));
 			}
 			else
@@ -286,9 +320,9 @@ static eap_payload_t* client_process_eap(private_eap_authenticator_t *this,
 	auth_cfg_t *auth;
 	eap_payload_t *out;
 	identification_t *id;
-	
+
 	type = in->get_type(in, &vendor);
-	
+
 	if (!vendor && type == EAP_IDENTITY)
 	{
 		DESTROY_IF(this->eap_identity);
@@ -301,7 +335,7 @@ static eap_payload_t* client_process_eap(private_eap_authenticator_t *this,
 		DBG1(DBG_IKE, "server requested %N, sending '%Y'",
 			 eap_type_names, type, id);
 		this->eap_identity = id->clone(id);
-		
+
 		this->method = load_method(this, type, vendor, EAP_PEER);
 		if (this->method)
 		{
@@ -337,14 +371,14 @@ static eap_payload_t* client_process_eap(private_eap_authenticator_t *this,
 			return eap_payload_create_nak(in->get_identifier(in));
 		}
 	}
-	
+
 	type = this->method->get_type(this->method, &vendor);
-	
+
 	if (this->method->process(this->method, in, &out) == NEED_MORE)
 	{	/* client methods should never return SUCCESS */
 		return out;
 	}
-	
+
 	if (vendor)
 	{
 		DBG1(DBG_IKE, "vendor specific EAP method %d-%d failed", type, vendor);
@@ -367,7 +401,7 @@ static bool verify_auth(private_eap_authenticator_t *this, message_t *message,
 	identification_t *other_id;
 	auth_cfg_t *auth;
 	keymat_t *keymat;
-	
+
 	auth_payload = (auth_payload_t*)message->get_payload(message,
 														 AUTHENTICATION);
 	if (!auth_payload)
@@ -388,7 +422,7 @@ static bool verify_auth(private_eap_authenticator_t *this, message_t *message,
 		return FALSE;
 	}
 	chunk_free(&auth_data);
-	
+
 	DBG1(DBG_IKE, "authentication of '%Y' with %N successful",
 		 other_id, auth_class_names, AUTH_CLASS_EAP);
 	this->auth_complete = TRUE;
@@ -407,13 +441,13 @@ static void build_auth(private_eap_authenticator_t *this, message_t *message,
 	identification_t *my_id;
 	chunk_t auth_data;
 	keymat_t *keymat;
-	
+
 	my_id = this->ike_sa->get_my_id(this->ike_sa);
 	keymat = this->ike_sa->get_keymat(this->ike_sa);
-	
+
 	DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N",
 		 my_id, auth_class_names, AUTH_CLASS_EAP);
-	
+
 	auth_data = keymat->get_psk_sig(keymat, FALSE, init, nonce, this->msk, my_id);
 	auth_payload = auth_payload_create();
 	auth_payload->set_auth_method(auth_payload, AUTH_PSK);
@@ -429,7 +463,7 @@ static status_t process_server(private_eap_authenticator_t *this,
 							   message_t *message)
 {
 	eap_payload_t *eap_payload;
-	
+
 	if (this->eap_complete)
 	{
 		if (!verify_auth(this, message, this->sent_nonce, this->received_init))
@@ -438,7 +472,7 @@ static status_t process_server(private_eap_authenticator_t *this,
 		}
 		return NEED_MORE;
 	}
-	
+
 	if (!this->method)
 	{
 		this->eap_payload = server_initiate_eap(this, TRUE);
@@ -465,7 +499,7 @@ static status_t build_server(private_eap_authenticator_t *this,
 	if (this->eap_payload)
 	{
 		eap_code_t code;
-		
+
 		code = this->eap_payload->get_code(this->eap_payload);
 		message->add_payload(message, (payload_t*)this->eap_payload);
 		this->eap_payload = NULL;
@@ -490,16 +524,25 @@ static status_t process_client(private_eap_authenticator_t *this,
 							   message_t *message)
 {
 	eap_payload_t *eap_payload;
-	
+
 	if (this->eap_complete)
 	{
 		if (!verify_auth(this, message, this->sent_nonce, this->received_init))
 		{
 			return FAILED;
 		}
+		if (this->require_mutual && !this->method->is_mutual(this->method))
+		{	/* we require mutual authentication due to EAP-only */
+			u_int32_t vendor;
+
+			DBG1(DBG_IKE, "EAP-only authentication requires a mutual and "
+				 "MSK deriving EAP method, but %N is not",
+				 eap_type_names, this->method->get_type(this->method, &vendor));
+			return FAILED;
+		}
 		return SUCCESS;
 	}
-	
+
 	eap_payload = (eap_payload_t*)message->get_payload(message,
 													EXTENSIBLE_AUTHENTICATION);
 	if (eap_payload)
@@ -520,7 +563,7 @@ static status_t process_client(private_eap_authenticator_t *this,
 				eap_type_t type;
 				u_int32_t vendor;
 				auth_cfg_t *cfg;
-				
+
 				if (this->method->get_msk(this->method, &this->msk) == SUCCESS)
 				{
 					this->msk = chunk_clone(this->msk);
@@ -561,7 +604,7 @@ static status_t process_client(private_eap_authenticator_t *this,
 /**
  * Implementation of authenticator_t.build for a client
  */
-static status_t build_client(private_eap_authenticator_t *this,	
+static status_t build_client(private_eap_authenticator_t *this,
 							 message_t *message)
 {
 	if (this->eap_payload)
@@ -578,6 +621,16 @@ static status_t build_client(private_eap_authenticator_t *this,
 	return NEED_MORE;
 }
 
+/**
+ * Implementation of authenticator_t.is_mutual.
+ */
+static bool is_mutual(private_eap_authenticator_t *this)
+{
+	/* we don't know yet, but insist on it after EAP is complete */
+	this->require_mutual = TRUE;
+	return TRUE;
+}
+
 /**
  * Implementation of authenticator_t.destroy.
  */
@@ -598,11 +651,12 @@ eap_authenticator_t *eap_authenticator_create_builder(ike_sa_t *ike_sa,
 									chunk_t received_init, chunk_t sent_init)
 {
 	private_eap_authenticator_t *this = malloc_thing(private_eap_authenticator_t);
-	
+
 	this->public.authenticator.build = (status_t(*)(authenticator_t*, message_t *message))build_client;
 	this->public.authenticator.process = (status_t(*)(authenticator_t*, message_t *message))process_client;
+	this->public.authenticator.is_mutual = (bool(*)(authenticator_t*))is_mutual;
 	this->public.authenticator.destroy = (void(*)(authenticator_t*))destroy;
-	
+
 	this->ike_sa = ike_sa;
 	this->received_init = received_init;
 	this->received_nonce = received_nonce;
@@ -614,7 +668,8 @@ eap_authenticator_t *eap_authenticator_create_builder(ike_sa_t *ike_sa,
 	this->eap_complete = FALSE;
 	this->auth_complete = FALSE;
 	this->eap_identity = NULL;
-	
+	this->require_mutual = FALSE;
+
 	return &this->public;
 }
 
@@ -626,11 +681,12 @@ eap_authenticator_t *eap_authenticator_create_verifier(ike_sa_t *ike_sa,
 									chunk_t received_init, chunk_t sent_init)
 {
 	private_eap_authenticator_t *this = malloc_thing(private_eap_authenticator_t);
-	
+
 	this->public.authenticator.build = (status_t(*)(authenticator_t*, message_t *messageh))build_server;
 	this->public.authenticator.process = (status_t(*)(authenticator_t*, message_t *message))process_server;
+	this->public.authenticator.is_mutual = (bool(*)(authenticator_t*))is_mutual;
 	this->public.authenticator.destroy = (void(*)(authenticator_t*))destroy;
-	
+
 	this->ike_sa = ike_sa;
 	this->received_init = received_init;
 	this->received_nonce = received_nonce;
@@ -642,7 +698,8 @@ eap_authenticator_t *eap_authenticator_create_verifier(ike_sa_t *ike_sa,
 	this->eap_complete = FALSE;
 	this->auth_complete = FALSE;
 	this->eap_identity = NULL;
-	
+	this->require_mutual = FALSE;
+
 	return &this->public;
 }
 
diff --git a/src/charon/sa/authenticators/eap_authenticator.h b/src/charon/sa/authenticators/eap_authenticator.h
index b90a6f4df..41eb6a8c9 100644
--- a/src/charon/sa/authenticators/eap_authenticator.h
+++ b/src/charon/sa/authenticators/eap_authenticator.h
@@ -83,7 +83,7 @@ eap_authenticator_t *eap_authenticator_create_builder(ike_sa_t *ike_sa,
 
 /**
  * Create an authenticator to authenticate EAP clients.
- * 
+ *
  * @param ike_sa			associated ike_sa
  * @param received_nonce	nonce received in IKE_SA_INIT
  * @param sent_nonce		nonce sent in IKE_SA_INIT
diff --git a/src/charon/sa/authenticators/psk_authenticator.c b/src/charon/sa/authenticators/psk_authenticator.c
index 742b67789..67197d690 100644
--- a/src/charon/sa/authenticators/psk_authenticator.c
+++ b/src/charon/sa/authenticators/psk_authenticator.c
@@ -35,12 +35,12 @@ struct private_psk_authenticator_t {
 	 * Assigned IKE_SA
 	 */
 	ike_sa_t *ike_sa;
-	
+
 	/**
 	 * nonce to include in AUTH calculation
 	 */
 	chunk_t nonce;
-	
+
 	/**
 	 * IKE_SA_INIT message data to include in AUTH calculation
 	 */
@@ -57,7 +57,7 @@ static status_t build(private_psk_authenticator_t *this, message_t *message)
 	shared_key_t *key;
 	chunk_t auth_data;
 	keymat_t *keymat;
-	
+
 	keymat = this->ike_sa->get_keymat(this->ike_sa);
 	my_id = this->ike_sa->get_my_id(this->ike_sa);
 	other_id = this->ike_sa->get_other_id(this->ike_sa);
@@ -79,7 +79,7 @@ static status_t build(private_psk_authenticator_t *this, message_t *message)
 	auth_payload->set_data(auth_payload, auth_data);
 	chunk_free(&auth_data);
 	message->add_payload(message, (payload_t*)auth_payload);
-	
+
 	return SUCCESS;
 }
 
@@ -97,7 +97,7 @@ static status_t process(private_psk_authenticator_t *this, message_t *message)
 	bool authenticated = FALSE;
 	int keys_found = 0;
 	keymat_t *keymat;
-	
+
 	auth_payload = (auth_payload_t*)message->get_payload(message, AUTHENTICATION);
 	if (!auth_payload)
 	{
@@ -112,7 +112,7 @@ static status_t process(private_psk_authenticator_t *this, message_t *message)
 	while (!authenticated && enumerator->enumerate(enumerator, &key, NULL, NULL))
 	{
 		keys_found++;
-		
+
 		auth_data = keymat->get_psk_sig(keymat, TRUE, this->ike_sa_init,
 									this->nonce, key->get_key(key), other_id);
 		if (auth_data.len && chunk_equals(auth_data, recv_auth_data))
@@ -124,7 +124,7 @@ static status_t process(private_psk_authenticator_t *this, message_t *message)
 		chunk_free(&auth_data);
 	}
 	enumerator->destroy(enumerator);
-	
+
 	if (!authenticated)
 	{
 		if (keys_found == 0)
@@ -136,7 +136,7 @@ static status_t process(private_psk_authenticator_t *this, message_t *message)
 			 keys_found, keys_found == 1 ? "" : "s", my_id, other_id);
 		return FAILED;
 	}
-	
+
 	auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
 	auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PSK);
 	return SUCCESS;
@@ -166,15 +166,16 @@ psk_authenticator_t *psk_authenticator_create_builder(ike_sa_t *ike_sa,
 									chunk_t received_nonce, chunk_t sent_init)
 {
 	private_psk_authenticator_t *this = malloc_thing(private_psk_authenticator_t);
-	
+
 	this->public.authenticator.build = (status_t(*)(authenticator_t*, message_t *message))build;
 	this->public.authenticator.process = (status_t(*)(authenticator_t*, message_t *message))return_failed;
+	this->public.authenticator.is_mutual = (bool(*)(authenticator_t*))return_false;
 	this->public.authenticator.destroy = (void(*)(authenticator_t*))destroy;
-	
+
 	this->ike_sa = ike_sa;
 	this->ike_sa_init = sent_init;
 	this->nonce = received_nonce;
-	
+
 	return &this->public;
 }
 
@@ -185,15 +186,16 @@ psk_authenticator_t *psk_authenticator_create_verifier(ike_sa_t *ike_sa,
 									chunk_t sent_nonce, chunk_t received_init)
 {
 	private_psk_authenticator_t *this = malloc_thing(private_psk_authenticator_t);
-	
+
 	this->public.authenticator.build = (status_t(*)(authenticator_t*, message_t *messageh))return_failed;
 	this->public.authenticator.process = (status_t(*)(authenticator_t*, message_t *message))process;
+	this->public.authenticator.is_mutual = (bool(*)(authenticator_t*))return_false;
 	this->public.authenticator.destroy = (void(*)(authenticator_t*))destroy;
-	
+
 	this->ike_sa = ike_sa;
 	this->ike_sa_init = received_init;
 	this->nonce = sent_nonce;
-	
+
 	return &this->public;
 }
 
diff --git a/src/charon/sa/authenticators/psk_authenticator.h b/src/charon/sa/authenticators/psk_authenticator.h
index 5bb743d93..0fab11095 100644
--- a/src/charon/sa/authenticators/psk_authenticator.h
+++ b/src/charon/sa/authenticators/psk_authenticator.h
@@ -49,7 +49,7 @@ psk_authenticator_t *psk_authenticator_create_builder(ike_sa_t *ike_sa,
 
 /**
  * Create an authenticator to verify PSK signatures.
- * 
+ *
  * @param ike_sa			associated ike_sa
  * @param sent_nonce		nonce sent in IKE_SA_INIT
  * @param received_init		received IKE_SA_INIT message data
diff --git a/src/charon/sa/authenticators/pubkey_authenticator.c b/src/charon/sa/authenticators/pubkey_authenticator.c
index 44cabfb94..f1dca2702 100644
--- a/src/charon/sa/authenticators/pubkey_authenticator.c
+++ b/src/charon/sa/authenticators/pubkey_authenticator.c
@@ -26,22 +26,22 @@ typedef struct private_pubkey_authenticator_t private_pubkey_authenticator_t;
  * Private data of an pubkey_authenticator_t object.
  */
 struct private_pubkey_authenticator_t {
-	
+
 	/**
 	 * Public authenticator_t interface.
 	 */
 	pubkey_authenticator_t public;
-	
+
 	/**
 	 * Assigned IKE_SA
 	 */
 	ike_sa_t *ike_sa;
-	
+
 	/**
 	 * nonce to include in AUTH calculation
 	 */
 	chunk_t nonce;
-	
+
 	/**
 	 * IKE_SA_INIT message data to include in AUTH calculation
 	 */
@@ -72,11 +72,11 @@ static status_t build(private_pubkey_authenticator_t *this, message_t *message)
 		DBG1(DBG_IKE, "no private key found for '%Y'", id);
 		return NOT_FOUND;
 	}
-	
+
 	switch (private->get_type(private))
 	{
 		case KEY_RSA:
-			/* we currently use always SHA1 for signatures, 
+			/* we currently use always SHA1 for signatures,
 			 * TODO: support other hashes depending on configuration/auth */
 			scheme = SIGN_RSA_EMSA_PKCS1_SHA1;
 			auth_method = AUTH_RSA;
@@ -86,7 +86,7 @@ static status_t build(private_pubkey_authenticator_t *this, message_t *message)
 			switch (private->get_keysize(private))
 			{
 				case 32:
-					scheme = SIGN_ECDSA_256; 
+					scheme = SIGN_ECDSA_256;
 					auth_method = AUTH_ECDSA_256;
 					break;
 				case 48:
@@ -121,11 +121,11 @@ static status_t build(private_pubkey_authenticator_t *this, message_t *message)
 		status = SUCCESS;
 	}
 	DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N %s", id,
-		 auth_method_names, auth_method, 
+		 auth_method_names, auth_method,
 		 (status == SUCCESS)? "successful":"failed");
 	chunk_free(&octets);
 	private->destroy(private);
-	
+
 	return status;
 }
 
@@ -145,7 +145,7 @@ static status_t process(private_pubkey_authenticator_t *this, message_t *message
 	signature_scheme_t scheme;
 	status_t status = NOT_FOUND;
 	keymat_t *keymat;
-	
+
 	auth_payload = (auth_payload_t*)message->get_payload(message, AUTHENTICATION);
 	if (!auth_payload)
 	{
@@ -231,15 +231,16 @@ pubkey_authenticator_t *pubkey_authenticator_create_builder(ike_sa_t *ike_sa,
 									chunk_t received_nonce, chunk_t sent_init)
 {
 	private_pubkey_authenticator_t *this = malloc_thing(private_pubkey_authenticator_t);
-	
+
 	this->public.authenticator.build = (status_t(*)(authenticator_t*, message_t *message))build;
 	this->public.authenticator.process = (status_t(*)(authenticator_t*, message_t *message))return_failed;
+	this->public.authenticator.is_mutual = (bool(*)(authenticator_t*))return_false;
 	this->public.authenticator.destroy = (void(*)(authenticator_t*))destroy;
-	
+
 	this->ike_sa = ike_sa;
 	this->ike_sa_init = sent_init;
 	this->nonce = received_nonce;
-	
+
 	return &this->public;
 }
 
@@ -250,14 +251,15 @@ pubkey_authenticator_t *pubkey_authenticator_create_verifier(ike_sa_t *ike_sa,
 									chunk_t sent_nonce, chunk_t received_init)
 {
 	private_pubkey_authenticator_t *this = malloc_thing(private_pubkey_authenticator_t);
-	
+
 	this->public.authenticator.build = (status_t(*)(authenticator_t*, message_t *message))return_failed;
 	this->public.authenticator.process = (status_t(*)(authenticator_t*, message_t *message))process;
+	this->public.authenticator.is_mutual = (bool(*)(authenticator_t*))return_false;
 	this->public.authenticator.destroy = (void(*)(authenticator_t*))destroy;
-	
+
 	this->ike_sa = ike_sa;
 	this->ike_sa_init = received_init;
 	this->nonce = sent_nonce;
-	
+
 	return &this->public;
 }
diff --git a/src/charon/sa/authenticators/pubkey_authenticator.h b/src/charon/sa/authenticators/pubkey_authenticator.h
index e67f020ff..be369cb89 100644
--- a/src/charon/sa/authenticators/pubkey_authenticator.h
+++ b/src/charon/sa/authenticators/pubkey_authenticator.h
@@ -50,7 +50,7 @@ pubkey_authenticator_t *pubkey_authenticator_create_builder(ike_sa_t *ike_sa,
 
 /**
  * Create an authenticator to verify public key signatures.
- * 
+ *
  * @param ike_sa			associated ike_sa
  * @param sent_nonce		nonce sent in IKE_SA_INIT
  * @param received_init		received IKE_SA_INIT message data
diff --git a/src/charon/sa/child_sa.c b/src/charon/sa/child_sa.c
index 14d174ab5..3fdfb51ad 100644
--- a/src/charon/sa/child_sa.c
+++ b/src/charon/sa/child_sa.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006-2008 Tobias Brunner
+ * Copyright (C) 2006-2009 Tobias Brunner
  * Copyright (C) 2005-2008 Martin Willi
  * Copyright (C) 2006 Daniel Roethlisberger
  * Copyright (C) 2005 Jan Hutter
@@ -46,67 +46,67 @@ struct private_child_sa_t {
 	 * Public interface of child_sa_t.
 	 */
 	child_sa_t public;
-	
+
 	/**
 	 * address of us
 	 */
 	host_t *my_addr;
-	
+
 	/**
 	 * address of remote
 	 */
 	host_t *other_addr;
-	
+
 	/**
 	 * our actually used SPI, 0 if unused
 	 */
 	u_int32_t my_spi;
-	
+
 	/**
 	 * others used SPI, 0 if unused
 	 */
 	u_int32_t other_spi;
-	
+
 	/**
 	 * our Compression Parameter Index (CPI) used, 0 if unused
 	 */
 	u_int16_t my_cpi;
-	
+
 	/**
 	 * others Compression Parameter Index (CPI) used, 0 if unused
 	 */
 	u_int16_t other_cpi;
-	
+
 	/**
 	 * List for local traffic selectors
 	 */
 	linked_list_t *my_ts;
-	
+
 	/**
 	 * List for remote traffic selectors
 	 */
 	linked_list_t *other_ts;
-	
+
 	/**
 	 * Protocol used to protect this SA, ESP|AH
 	 */
 	protocol_id_t protocol;
-	
+
 	/**
 	 * reqid used for this child_sa
 	 */
 	u_int32_t reqid;
-	
+
 	/**
 	 * absolute time when rekeying is scheduled
 	 */
 	time_t rekey_time;
-	
+
 	/**
 	 * absolute time when the SA expires
 	 */
 	time_t expire_time;
-	
+
 	/**
 	 * state of the CHILD_SA
 	 */
@@ -116,22 +116,22 @@ struct private_child_sa_t {
 	 * Specifies if UDP encapsulation is enabled (NAT traversal)
 	 */
 	bool encap;
-	
+
 	/**
 	 * Specifies the IPComp transform used (IPCOMP_NONE if disabled)
 	 */
 	ipcomp_transform_t ipcomp;
-	
+
 	/**
 	 * mode this SA uses, tunnel/transport
 	 */
 	ipsec_mode_t mode;
-	
+
 	/**
- 	 * selected proposal
- 	 */
- 	proposal_t *proposal;
-	
+	 * selected proposal
+	 */
+	proposal_t *proposal;
+
 	/**
 	 * config used to create this child
 	 */
@@ -320,7 +320,7 @@ static bool policy_enumerate(policy_enumerator_t *this,
 				 traffic_selector_t **my_out, traffic_selector_t **other_out)
 {
 	traffic_selector_t *other_ts;
-	
+
 	while (this->ts || this->mine->enumerate(this->mine, &this->ts))
 	{
 		if (!this->other->enumerate(this->other, &other_ts))
@@ -363,14 +363,14 @@ static void policy_destroy(policy_enumerator_t *this)
 static enumerator_t* create_policy_enumerator(private_child_sa_t *this)
 {
 	policy_enumerator_t *e = malloc_thing(policy_enumerator_t);
-	
+
 	e->public.enumerate = (void*)policy_enumerate;
 	e->public.destroy = (void*)policy_destroy;
 	e->mine = this->my_ts->create_enumerator(this->my_ts);
 	e->other = this->other_ts->create_enumerator(this->other_ts);
 	e->list = this->other_ts;
 	e->ts = NULL;
-	
+
 	return &e->public;
 }
 
@@ -384,7 +384,7 @@ static status_t update_usebytes(private_child_sa_t *this, bool inbound)
 {
 	status_t status = FAILED;
 	u_int64_t bytes;
-	
+
 	if (inbound)
 	{
 		if (this->my_spi)
@@ -434,12 +434,12 @@ static void update_usetime(private_child_sa_t *this, bool inbound)
 	enumerator_t *enumerator;
 	traffic_selector_t *my_ts, *other_ts;
 	u_int32_t last_use = 0;
-	
+
 	enumerator = create_policy_enumerator(this);
 	while (enumerator->enumerate(enumerator, &my_ts, &other_ts))
 	{
 		u_int32_t in, out, fwd;
-		
+
 		if (inbound)
 		{
 			if (charon->kernel_interface->query_policy(charon->kernel_interface,
@@ -507,7 +507,7 @@ static void get_usestats(private_child_sa_t *this, bool inbound,
 /**
  * Implementation of child_sa_t.get_lifetime
  */
-static u_int32_t get_lifetime(private_child_sa_t *this, bool hard)
+static time_t get_lifetime(private_child_sa_t *this, bool hard)
 {
 	return hard ? this->expire_time : this->rekey_time;
 }
@@ -544,14 +544,17 @@ static u_int16_t alloc_cpi(private_child_sa_t *this)
  * Implementation of child_sa_t.install
  */
 static status_t install(private_child_sa_t *this, chunk_t encr, chunk_t integ,
-						u_int32_t spi, u_int16_t cpi, bool inbound)
+						u_int32_t spi, u_int16_t cpi, bool inbound,
+						linked_list_t *my_ts, linked_list_t *other_ts)
 {
 	u_int16_t enc_alg = ENCR_UNDEFINED, int_alg = AUTH_UNDEFINED, size;
-	u_int32_t soft, hard, now;
+	traffic_selector_t *src_ts = NULL, *dst_ts = NULL;
+	time_t now;
+	lifetime_cfg_t *lifetime;
 	host_t *src, *dst;
 	status_t status;
 	bool update = FALSE;
-	
+
 	/* now we have to decide which spi to use. Use self allocated, if "in",
 	 * or the one in the proposal, if not "in" (others). Additionally,
 	 * source and dest host switch depending on the role */
@@ -573,35 +576,59 @@ static status_t install(private_child_sa_t *this, chunk_t encr, chunk_t integ,
 		this->other_spi = spi;
 		this->other_cpi = cpi;
 	}
-	
+
 	DBG2(DBG_CHD, "adding %s %N SA", inbound ? "inbound" : "outbound",
 		 protocol_id_names, this->protocol);
-	
+
 	/* send SA down to the kernel */
 	DBG2(DBG_CHD, "  SPI 0x%.8x, src %H dst %H", ntohl(spi), src, dst);
-	
+
 	this->proposal->get_algorithm(this->proposal, ENCRYPTION_ALGORITHM,
 								  &enc_alg, &size);
 	this->proposal->get_algorithm(this->proposal, INTEGRITY_ALGORITHM,
 								  &int_alg, &size);
-	
-	soft = this->config->get_lifetime(this->config, TRUE);
-	hard = this->config->get_lifetime(this->config, FALSE);
-	
-	status = charon->kernel_interface->add_sa(charon->kernel_interface,
-				src, dst, spi, this->protocol, this->reqid,
-				inbound ? soft : 0, hard, enc_alg, encr, int_alg, integ,
-				this->mode, this->ipcomp, cpi, this->encap, update);
-	
-	now = time(NULL);
-	if (soft)
+
+	lifetime = this->config->get_lifetime(this->config);
+
+	now = time_monotonic(NULL);
+	if (lifetime->time.rekey)
 	{
-		this->rekey_time = now + soft;
+		this->rekey_time = now + lifetime->time.rekey;
 	}
-	if (hard)
+	if (lifetime->time.life)
+	{
+		this->expire_time = now + lifetime->time.life;
+	}
+
+	if (!lifetime->time.jitter && !inbound)
+	{	/* avoid triggering multiple rekey events */
+		lifetime->time.rekey = 0;
+	}
+
+	if (this->mode == MODE_BEET)
 	{
-		this->expire_time = now + hard;
+		/* BEET requires the bound address from the traffic selectors.
+		 * TODO: We add just the first traffic selector for now, as the
+		 * kernel accepts a single TS per SA only */
+		if (inbound)
+		{
+			my_ts->get_first(my_ts, (void**)&dst_ts);
+			other_ts->get_first(other_ts, (void**)&src_ts);
+		}
+		else
+		{
+			my_ts->get_first(my_ts, (void**)&src_ts);
+			other_ts->get_first(other_ts, (void**)&dst_ts);
+		}
 	}
+
+	status = charon->kernel_interface->add_sa(charon->kernel_interface,
+				src, dst, spi, this->protocol, this->reqid, lifetime,
+				enc_alg, encr, int_alg, integ, this->mode, this->ipcomp, cpi,
+				this->encap, update, src_ts, dst_ts);
+
+	free(lifetime);
+
 	return status;
 }
 
@@ -615,7 +642,7 @@ static status_t add_policies(private_child_sa_t *this,
 	traffic_selector_t *my_ts, *other_ts;
 	status_t status = SUCCESS;
 	bool routed = (this->state == CHILD_CREATED);
-	
+
 	/* apply traffic selectors */
 	enumerator = my_ts_list->create_enumerator(my_ts_list);
 	while (enumerator->enumerate(enumerator, &my_ts))
@@ -629,7 +656,7 @@ static status_t add_policies(private_child_sa_t *this,
 		this->other_ts->insert_last(this->other_ts, other_ts->clone(other_ts));
 	}
 	enumerator->destroy(enumerator);
-	
+
 	if (this->config->install_policy(this->config))
 	{
 		/* enumerate pairs of traffic selectors */
@@ -641,7 +668,7 @@ static status_t add_policies(private_child_sa_t *this,
 					this->my_addr, this->other_addr, my_ts, other_ts, POLICY_OUT,
 					this->other_spi, this->protocol, this->reqid, this->mode,
 					this->ipcomp, this->other_cpi, routed);
-			
+
 			status |= charon->kernel_interface->add_policy(charon->kernel_interface,
 					this->other_addr, this->my_addr, other_ts, my_ts, POLICY_IN,
 					this->my_spi, this->protocol, this->reqid, this->mode,
@@ -653,7 +680,7 @@ static status_t add_policies(private_child_sa_t *this,
 					this->my_spi, this->protocol, this->reqid, this->mode,
 					this->ipcomp, this->my_cpi, routed);
 			}
-			
+
 			if (status != SUCCESS)
 			{
 				break;
@@ -661,7 +688,7 @@ static status_t add_policies(private_child_sa_t *this,
 		}
 		enumerator->destroy(enumerator);
 	}
-	
+
 	if (status == SUCCESS && this->state == CHILD_CREATED)
 	{	/* switch to routed state if no SAD entry set up */
 		set_state(this, CHILD_ROUTED);
@@ -677,19 +704,19 @@ static status_t update(private_child_sa_t *this,  host_t *me, host_t *other,
 {
 	child_sa_state_t old;
 	bool transport_proxy_mode;
-	
+
 	/* anything changed at all? */
 	if (me->equals(me, this->my_addr) &&
 		other->equals(other, this->other_addr) && this->encap == encap)
 	{
 		return SUCCESS;
 	}
-	
+
 	old = this->state;
 	set_state(this, CHILD_UPDATING);
 	transport_proxy_mode = this->config->use_proxy_mode(this->config) &&
 						   this->mode == MODE_TRANSPORT;
-	
+
 	if (!transport_proxy_mode)
 	{
 		/* update our (initator) SA */
@@ -704,13 +731,13 @@ static status_t update(private_child_sa_t *this,  host_t *me, host_t *other,
 				return NOT_SUPPORTED;
 			}
 		}
-		
+
 		/* update his (responder) SA */
 		if (this->other_spi)
 		{
 			if (charon->kernel_interface->update_sa(charon->kernel_interface,
 							this->other_spi, this->protocol,
-					 		this->ipcomp != IPCOMP_NONE ? this->other_cpi : 0,
+							this->ipcomp != IPCOMP_NONE ? this->other_cpi : 0,
 							this->my_addr, this->other_addr, me, other,
 							this->encap, encap) == NOT_SUPPORTED)
 			{
@@ -718,7 +745,7 @@ static status_t update(private_child_sa_t *this,  host_t *me, host_t *other,
 			}
 		}
 	}
-	
+
 	if (this->config->install_policy(this->config))
 	{
 		/* update policies */
@@ -727,7 +754,7 @@ static status_t update(private_child_sa_t *this,  host_t *me, host_t *other,
 		{
 			enumerator_t *enumerator;
 			traffic_selector_t *my_ts, *other_ts;
-			
+
 			/* always use high priorities, as hosts getting updated are INSTALLED */
 			enumerator = create_policy_enumerator(this);
 			while (enumerator->enumerate(enumerator, &my_ts, &other_ts))
@@ -742,7 +769,7 @@ static status_t update(private_child_sa_t *this,  host_t *me, host_t *other,
 					charon->kernel_interface->del_policy(charon->kernel_interface,
 											other_ts, my_ts, POLICY_FWD, FALSE);
 				}
-				
+
 				/* check whether we have to update a "dynamic" traffic selector */
 				if (!me->ip_equals(me, this->my_addr) &&
 					my_ts->is_host(my_ts, this->my_addr))
@@ -754,7 +781,7 @@ static status_t update(private_child_sa_t *this,  host_t *me, host_t *other,
 				{
 					other_ts->set_address(other_ts, other);
 				}
-				
+
 				/* we reinstall the virtual IP to handle interface roaming
 				 * correctly */
 				if (vip)
@@ -762,7 +789,7 @@ static status_t update(private_child_sa_t *this,  host_t *me, host_t *other,
 					charon->kernel_interface->del_ip(charon->kernel_interface, vip);
 					charon->kernel_interface->add_ip(charon->kernel_interface, vip, me);
 				}
-				
+
 				/* reinstall updated policies */
 				charon->kernel_interface->add_policy(charon->kernel_interface,
 						me, other, my_ts, other_ts, POLICY_OUT, this->other_spi,
@@ -813,12 +840,18 @@ static void destroy(private_child_sa_t *this)
 	enumerator_t *enumerator;
 	traffic_selector_t *my_ts, *other_ts;
 	bool unrouted = (this->state == CHILD_ROUTED);
-	
+
 	set_state(this, CHILD_DESTROYING);
-	
+
 	/* delete SAs in the kernel, if they are set up */
 	if (this->my_spi)
 	{
+		/* if CHILD was not established, use PROTO_ESP used during alloc_spi().
+		 * TODO: For AH support, we have to store protocol specific SPI.s */
+		if (this->protocol == PROTO_NONE)
+		{
+			this->protocol = PROTO_ESP;
+		}
 		charon->kernel_interface->del_sa(charon->kernel_interface,
 					this->other_addr, this->my_addr, this->my_spi,
 					this->protocol, this->my_cpi);
@@ -829,7 +862,7 @@ static void destroy(private_child_sa_t *this)
 					this->my_addr, this->other_addr, this->other_spi,
 					this->protocol, this->other_cpi);
 	}
-	
+
 	if (this->config->install_policy(this->config))
 	{
 		/* delete all policies in the kernel */
@@ -848,7 +881,7 @@ static void destroy(private_child_sa_t *this)
 		}
 		enumerator->destroy(enumerator);
 	}
-	
+
 	this->my_ts->destroy_offset(this->my_ts, offsetof(traffic_selector_t, destroy));
 	this->other_ts->destroy_offset(this->other_ts, offsetof(traffic_selector_t, destroy));
 	this->my_addr->destroy(this->my_addr);
@@ -881,20 +914,20 @@ child_sa_t * child_sa_create(host_t *me, host_t* other,
 	this->public.set_mode = (void(*)(child_sa_t*, ipsec_mode_t mode))set_mode;
 	this->public.get_proposal = (proposal_t*(*)(child_sa_t*))get_proposal;
 	this->public.set_proposal = (void(*)(child_sa_t*, proposal_t *proposal))set_proposal;
-	this->public.get_lifetime = (u_int32_t(*)(child_sa_t*, bool))get_lifetime;
+	this->public.get_lifetime = (time_t(*)(child_sa_t*, bool))get_lifetime;
 	this->public.get_usestats = (void(*)(child_sa_t*,bool,time_t*,u_int64_t*))get_usestats;
 	this->public.has_encap = (bool(*)(child_sa_t*))has_encap;
 	this->public.get_ipcomp = (ipcomp_transform_t(*)(child_sa_t*))get_ipcomp;
 	this->public.set_ipcomp = (void(*)(child_sa_t*,ipcomp_transform_t))set_ipcomp;
 	this->public.alloc_spi = (u_int32_t(*)(child_sa_t*, protocol_id_t protocol))alloc_spi;
 	this->public.alloc_cpi = (u_int16_t(*)(child_sa_t*))alloc_cpi;
-	this->public.install = (status_t(*)(child_sa_t*, chunk_t encr, chunk_t integ, u_int32_t spi, u_int16_t cpi, bool inbound))install;
+	this->public.install = (status_t(*)(child_sa_t*, chunk_t encr, chunk_t integ, u_int32_t spi, u_int16_t cpi, bool inbound, linked_list_t *my_ts_list, linked_list_t *other_ts_list))install;
 	this->public.update = (status_t (*)(child_sa_t*,host_t*,host_t*,host_t*,bool))update;
 	this->public.add_policies = (status_t (*)(child_sa_t*, linked_list_t*,linked_list_t*))add_policies;
 	this->public.get_traffic_selectors = (linked_list_t*(*)(child_sa_t*,bool))get_traffic_selectors;
 	this->public.create_policy_enumerator = (enumerator_t*(*)(child_sa_t*))create_policy_enumerator;
 	this->public.destroy = (void(*)(child_sa_t*))destroy;
-	
+
 	/* private data */
 	this->my_addr = me->clone(me);
 	this->other_addr = other->clone(other);
@@ -920,10 +953,10 @@ child_sa_t * child_sa_create(host_t *me, host_t* other,
 	this->expire_time = 0;
 	this->config = config;
 	config->get_ref(config);
-	
+
 	/* MIPv6 proxy transport mode sets SA endpoints to TS hosts */
 	if (config->get_mode(config) == MODE_TRANSPORT &&
-	    config->use_proxy_mode(config))
+		config->use_proxy_mode(config))
 	{
 		ts_type_t type;
 		int family;
@@ -932,9 +965,9 @@ child_sa_t * child_sa_create(host_t *me, host_t* other,
 		enumerator_t *enumerator;
 		linked_list_t *my_ts_list, *other_ts_list;
 		traffic_selector_t *my_ts, *other_ts;
-		
+
 		this->mode = MODE_TRANSPORT;
-		
+
 		my_ts_list = config->get_traffic_selectors(config, TRUE, NULL, me);
 		enumerator = my_ts_list->create_enumerator(my_ts_list);
 		if (enumerator->enumerate(enumerator, &my_ts))
@@ -955,7 +988,7 @@ child_sa_t * child_sa_create(host_t *me, host_t* other,
 		}
 		enumerator->destroy(enumerator);
 		my_ts_list->destroy_offset(my_ts_list, offsetof(traffic_selector_t, destroy));
-		
+
 		other_ts_list = config->get_traffic_selectors(config, FALSE, NULL, other);
 		enumerator = other_ts_list->create_enumerator(other_ts_list);
 		if (enumerator->enumerate(enumerator, &other_ts))
@@ -977,6 +1010,6 @@ child_sa_t * child_sa_create(host_t *me, host_t* other,
 		enumerator->destroy(enumerator);
 		other_ts_list->destroy_offset(other_ts_list, offsetof(traffic_selector_t, destroy));
 	}
-	
+
 	return &this->public;
 }
diff --git a/src/charon/sa/child_sa.h b/src/charon/sa/child_sa.h
index 698da8bc7..d70bed664 100644
--- a/src/charon/sa/child_sa.h
+++ b/src/charon/sa/child_sa.h
@@ -36,42 +36,42 @@ typedef struct child_sa_t child_sa_t;
  * States of a CHILD_SA
  */
 enum child_sa_state_t {
-	
+
 	/**
 	 * Just created, uninstalled CHILD_SA
 	 */
 	CHILD_CREATED,
-	
+
 	/**
 	 * Installed SPD, but no SAD entries
 	 */
 	CHILD_ROUTED,
-	
+
 	/**
 	 * Installing an in-use CHILD_SA
 	 */
 	CHILD_INSTALLING,
-	
+
 	/**
 	 * Installed an in-use CHILD_SA
 	 */
 	CHILD_INSTALLED,
-	
+
 	/**
 	 * While updating hosts, in update_hosts()
 	 */
 	CHILD_UPDATING,
-	
+
 	/**
 	 * CHILD_SA which is rekeying
 	 */
 	CHILD_REKEYING,
-	
+
 	/**
 	 * CHILD_SA in progress of delete
 	 */
 	CHILD_DELETING,
-	
+
 	/**
 	 * CHILD_SA object gets destroyed
 	 */
@@ -102,14 +102,14 @@ extern enum_name_t *child_sa_state_names;
  * Once SAs are set up, policies can be added using add_policies.
  */
 struct child_sa_t {
-	
+
 	/**
 	 * Get the name of the config this CHILD_SA uses.
 	 *
 	 * @return			name
 	 */
 	char* (*get_name) (child_sa_t *this);
-	
+
 	/**
 	 * Get the reqid of the CHILD SA.
 	 *
@@ -119,28 +119,28 @@ struct child_sa_t {
 	 * @return 			reqid of the CHILD SA
 	 */
 	u_int32_t (*get_reqid)(child_sa_t *this);
-	
+
 	/**
 	 * Get the config used to set up this child sa.
 	 *
 	 * @return			child_cfg
 	 */
 	child_cfg_t* (*get_config) (child_sa_t *this);
-	
+
 	/**
 	 * Get the state of the CHILD_SA.
 	 *
 	 * @return 			CHILD_SA state
 	 */
 	child_sa_state_t (*get_state) (child_sa_t *this);
-	
+
 	/**
 	 * Set the state of the CHILD_SA.
 	 *
 	 * @param state		state to set on CHILD_SA
 	 */
 	void (*set_state) (child_sa_t *this, child_sa_state_t state);
-	
+
 	/**
 	 * Get the SPI of this CHILD_SA.
 	 *
@@ -152,7 +152,7 @@ struct child_sa_t {
 	 * @return 			SPI of the CHILD SA
 	 */
 	u_int32_t (*get_spi) (child_sa_t *this, bool inbound);
-	
+
 	/**
 	 * Get the CPI of this CHILD_SA.
 	 *
@@ -171,71 +171,71 @@ struct child_sa_t {
 	 * @return 			AH | ESP
 	 */
 	protocol_id_t (*get_protocol) (child_sa_t *this);
-	
+
 	/**
 	 * Set the negotiated protocol to use for this CHILD_SA.
 	 *
 	 * @param protocol	AH | ESP
 	 */
 	void (*set_protocol)(child_sa_t *this, protocol_id_t protocol);
-	
+
 	/**
 	 * Get the IPsec mode of this CHILD_SA.
 	 *
 	 * @return			TUNNEL | TRANSPORT | BEET
 	 */
 	ipsec_mode_t (*get_mode)(child_sa_t *this);
-	
+
 	/**
 	 * Set the negotiated IPsec mode to use.
 	 *
 	 * @param mode		TUNNEL | TRANPORT | BEET
 	 */
 	void (*set_mode)(child_sa_t *this, ipsec_mode_t mode);
-	
+
 	/**
 	 * Get the used IPComp algorithm.
 	 *
 	 * @return			IPComp compression algorithm.
 	 */
 	ipcomp_transform_t (*get_ipcomp)(child_sa_t *this);
-	
+
 	/**
 	 * Set the IPComp algorithm to use.
 	 *
 	 * @param ipcomp	the IPComp transform to use
 	 */
 	void (*set_ipcomp)(child_sa_t *this, ipcomp_transform_t ipcomp);
-	
+
 	/**
 	 * Get the selected proposal.
 	 *
 	 * @return			selected proposal
 	 */
 	proposal_t* (*get_proposal)(child_sa_t *this);
-	
+
 	/**
 	 * Set the negotiated proposal.
 	 *
 	 * @param proposal	selected proposal
 	 */
 	void (*set_proposal)(child_sa_t *this, proposal_t *proposal);
-	
+
 	/**
 	 * Check if this CHILD_SA uses UDP encapsulation.
 	 *
 	 * @return			TRUE if SA encapsulates ESP packets
 	 */
 	bool (*has_encap)(child_sa_t *this);
-	
+
 	/**
-	 * Get the lifetime of the CHILD_SA.
+	 * Get the absolute time when the CHILD_SA expires or gets rekeyed.
 	 *
 	 * @param hard		TRUE for hard lifetime, FALSE for soft (rekey) lifetime
-	 * @return			lifetime in seconds
+	 * @return			absolute time
 	 */
-	u_int32_t (*get_lifetime)(child_sa_t *this, bool hard);
-	
+	time_t (*get_lifetime)(child_sa_t *this, bool hard);
+
 	/**
 	 * Get last use time and the number of bytes processed.
 	 *
@@ -245,7 +245,7 @@ struct child_sa_t {
 	 */
 	void (*get_usestats)(child_sa_t *this, bool inbound, time_t *time,
 						 u_int64_t *bytes);
-	
+
 	/**
 	 * Get the traffic selectors list added for one side.
 	 *
@@ -253,14 +253,14 @@ struct child_sa_t {
 	 * @return			list of traffic selectors
 	 */
 	linked_list_t* (*get_traffic_selectors) (child_sa_t *this, bool local);
-	
+
 	/**
 	 * Create an enumerator over installed policies.
 	 *
 	 * @return			enumerator over pairs of traffic selectors.
 	 */
 	enumerator_t* (*create_policy_enumerator)(child_sa_t *this);
-	
+
 	/**
 	 * Allocate an SPI to include in a proposal.
 	 *
@@ -269,14 +269,14 @@ struct child_sa_t {
 	 * @return			SPI, 0 on failure
 	 */
 	u_int32_t (*alloc_spi)(child_sa_t *this, protocol_id_t protocol);
-	
+
 	/**
 	 * Allocate a CPI to use for IPComp.
 	 *
 	 * @return			CPI, 0 on failure
 	 */
 	u_int16_t (*alloc_cpi)(child_sa_t *this);
-	
+
 	/**
 	 * Install an IPsec SA for one direction.
 	 *
@@ -285,10 +285,13 @@ struct child_sa_t {
 	 * @param spi		SPI to use, allocated for inbound
 	 * @param cpi		CPI to use, allocated for outbound
 	 * @param inbound	TRUE to install an inbound SA, FALSE for outbound
+	 * @param my_ts		negotiated local traffic selector list
+	 * @param other_ts	negotiated remote traffic selector list
 	 * @return			SUCCESS or FAILED
 	 */
 	status_t (*install)(child_sa_t *this, chunk_t encr, chunk_t integ,
-						u_int32_t spi, u_int16_t cpi, bool inbound);
+						u_int32_t spi, u_int16_t cpi, bool inbound,
+						linked_list_t *my_ts, linked_list_t *other_ts);
 	/**
 	 * Install the policies using some traffic selectors.
 	 *
diff --git a/src/charon/sa/connect_manager.c b/src/charon/sa/connect_manager.c
index f26cf9405..b78ba070d 100644
--- a/src/charon/sa/connect_manager.c
+++ b/src/charon/sa/connect_manager.c
@@ -18,7 +18,7 @@
 #include <math.h>
 
 #include <daemon.h>
-#include <utils/mutex.h>
+#include <threading/mutex.h>
 #include <utils/linked_list.h>
 #include <crypto/hashers/hasher.h>
 
@@ -42,7 +42,6 @@
  * the first check has succeeded */
 #define ME_WAIT_TO_FINISH 1000 /* ms */
 
-
 typedef struct private_connect_manager_t private_connect_manager_t;
 
 /**
@@ -53,24 +52,25 @@ struct private_connect_manager_t {
 	 * Public interface of connect_manager_t.
 	 */
 	 connect_manager_t public;
-	
+
 	 /**
 	  * Lock for exclusivly accessing the manager.
 	  */
 	 mutex_t *mutex;
-	 
+
 	 /**
 	  * Hasher to generate signatures
 	  */
 	 hasher_t *hasher;
-	 
+
 	 /**
 	  * Linked list with initiated mediated connections
 	  */
 	 linked_list_t *initiated;
-	 
+
 	 /**
-	  * Linked list with checklists (hash table with connect ID as key would be better).
+	  * Linked list with checklists (hash table with connect ID as key would
+	  * be better).
 	  */
 	 linked_list_t *checklists;
 };
@@ -93,24 +93,24 @@ typedef struct endpoint_pair_t endpoint_pair_t;
 struct endpoint_pair_t {
 	/** pair id */
 	u_int32_t id;
-	
+
 	/** priority */
 	u_int64_t priority;
-	
+
 	/** local endpoint */
-    host_t *local;
-    
-    /** remote endpoint */
-    host_t *remote;
-    
-    /** state */
-    check_state_t state;
-    
-    /** number of retransmissions */
-    u_int32_t retransmitted;
-    
-    /** the generated packet */
-    packet_t *packet;
+	host_t *local;
+
+	/** remote endpoint */
+	host_t *remote;
+
+	/** state */
+	check_state_t state;
+
+	/** number of retransmissions */
+	u_int32_t retransmitted;
+
+	/** the generated packet */
+	packet_t *packet;
 };
 
 /**
@@ -119,8 +119,8 @@ struct endpoint_pair_t {
 static void endpoint_pair_destroy(endpoint_pair_t *this)
 {
 	DESTROY_IF(this->local);
-    DESTROY_IF(this->remote);
-    DESTROY_IF(this->packet);
+	DESTROY_IF(this->remote);
+	DESTROY_IF(this->packet);
 	free(this);
 }
 
@@ -131,22 +131,24 @@ static endpoint_pair_t *endpoint_pair_create(endpoint_notify_t *initiator,
 		endpoint_notify_t *responder, bool initiator_is_local)
 {
 	endpoint_pair_t *this = malloc_thing(endpoint_pair_t);
-	
+
 	this->id = 0;
-	
+
 	u_int32_t pi = initiator->get_priority(initiator);
 	u_int32_t pr = responder->get_priority(responder);
 	this->priority = pow(2, 32) * min(pi, pr) + 2 * max(pi, pr) + (pi > pr ? 1 : 0);
-	
-	this->local = initiator_is_local ? initiator->get_base(initiator) : responder->get_base(responder);
+
+	this->local = initiator_is_local ? initiator->get_base(initiator)
+									 : responder->get_base(responder);
 	this->local = this->local->clone(this->local);
-	this->remote = initiator_is_local ? responder->get_host(responder) : initiator->get_host(initiator);
+	this->remote = initiator_is_local ? responder->get_host(responder)
+									  : initiator->get_host(initiator);
 	this->remote = this->remote->clone(this->remote);
-	
+
 	this->state = CHECK_WAITING;
 	this->retransmitted = 0;
 	this->packet = NULL;
-    
+
 	return this;
 }
 
@@ -157,50 +159,50 @@ typedef struct check_list_t check_list_t;
  * An entry in the linked list.
  */
 struct check_list_t {
-	
+
 	struct {
 		/** initiator's id */
 		identification_t *id;
-		
+
 		/** initiator's key */
 		chunk_t key;
-		
+
 		/** initiator's endpoints */
 		linked_list_t *endpoints;
 	} initiator;
-	
+
 	struct {
 		/** responder's id */
 		identification_t *id;
-		
+
 		/** responder's key */
 		chunk_t key;
-		
+
 		/** responder's endpoints */
 		linked_list_t *endpoints;
 	} responder;
-	
+
 	/** connect id */
 	chunk_t connect_id;
-	
-    /** list of endpoint pairs */
-    linked_list_t *pairs;
-    
-    /** pairs queued for triggered checks */
-    linked_list_t *triggered;
-    
-    /** state */
-    check_state_t state;
-    
-    /** TRUE if this is the initiator */
+
+	/** list of endpoint pairs */
+	linked_list_t *pairs;
+
+	/** pairs queued for triggered checks */
+	linked_list_t *triggered;
+
+	/** state */
+	check_state_t state;
+
+	/** TRUE if this is the initiator */
 	bool is_initiator;
-	
+
 	/** TRUE if the initiator is finishing the checks */
 	bool is_finishing;
-	
+
 	/** the current sender job */
 	job_t *sender;
-	
+
 };
 
 /**
@@ -210,46 +212,51 @@ static void check_list_destroy(check_list_t *this)
 {
 	DESTROY_IF(this->initiator.id);
 	DESTROY_IF(this->responder.id);
-	
+
 	chunk_free(&this->connect_id);
 	chunk_free(&this->initiator.key);
 	chunk_free(&this->responder.key);
-	
-	DESTROY_OFFSET_IF(this->initiator.endpoints, offsetof(endpoint_notify_t, destroy));
-	DESTROY_OFFSET_IF(this->responder.endpoints, offsetof(endpoint_notify_t, destroy));
-	
+
+	DESTROY_OFFSET_IF(this->initiator.endpoints,
+					  offsetof(endpoint_notify_t, destroy));
+	DESTROY_OFFSET_IF(this->responder.endpoints,
+					  offsetof(endpoint_notify_t, destroy));
+
 	DESTROY_FUNCTION_IF(this->pairs, (void*)endpoint_pair_destroy);
-	/* this list contains some of the same elements as contained in this->pairs */
-	DESTROY_IF(this->triggered); 
-	
+	/* this list contains some of the elements contained in this->pairs */
+	DESTROY_IF(this->triggered);
+
 	free(this);
 }
 
 /**
  * Creates a new checklist
  */
-static check_list_t *check_list_create(identification_t *initiator, identification_t *responder,
-		chunk_t connect_id, chunk_t initiator_key, linked_list_t *initiator_endpoints,
-		bool is_initiator)
+static check_list_t *check_list_create(identification_t *initiator,
+									   identification_t *responder,
+									   chunk_t connect_id,
+									   chunk_t initiator_key,
+									   linked_list_t *initiator_endpoints,
+									   bool is_initiator)
 {
 	check_list_t *this = malloc_thing(check_list_t);
-	
+
 	this->connect_id = chunk_clone(connect_id);
-	
+
 	this->initiator.id = initiator->clone(initiator);
 	this->initiator.key = chunk_clone(initiator_key);
 	this->initiator.endpoints = initiator_endpoints->clone_offset(initiator_endpoints, offsetof(endpoint_notify_t, clone));
-	
+
 	this->responder.id = responder->clone(responder);
 	this->responder.key = chunk_empty;
-    this->responder.endpoints = NULL;
-    
-    this->pairs = linked_list_create();
-    this->triggered = linked_list_create();
-    this->state = CHECK_NONE;
-    this->is_initiator = is_initiator;
-    this->is_finishing = FALSE;
-    
+	this->responder.endpoints = NULL;
+
+	this->pairs = linked_list_create();
+	this->triggered = linked_list_create();
+	this->state = CHECK_NONE;
+	this->is_initiator = is_initiator;
+	this->is_finishing = FALSE;
+
 	return this;
 }
 
@@ -261,10 +268,10 @@ typedef struct initiated_t initiated_t;
 struct initiated_t {
 	/** my id */
 	identification_t *id;
-	
+
 	/** peer id */
 	identification_t *peer_id;
-	
+
 	/** list of mediated sas */
 	linked_list_t *mediated;
 };
@@ -276,21 +283,23 @@ static void initiated_destroy(initiated_t *this)
 {
 	DESTROY_IF(this->id);
 	DESTROY_IF(this->peer_id);
-	this->mediated->destroy_offset(this->mediated, offsetof(ike_sa_id_t, destroy));
+	this->mediated->destroy_offset(this->mediated,
+								   offsetof(ike_sa_id_t, destroy));
 	free(this);
 }
 
 /**
  * Creates a queued initiation
  */
-static initiated_t *initiated_create(identification_t *id, identification_t *peer_id)
+static initiated_t *initiated_create(identification_t *id,
+									 identification_t *peer_id)
 {
 	initiated_t *this = malloc_thing(initiated_t);
-	
+
 	this->id = id->clone(id);
 	this->peer_id = peer_id->clone(peer_id);
 	this->mediated = linked_list_create();
-    
+
 	return this;
 }
 
@@ -303,24 +312,24 @@ typedef struct check_t check_t;
 struct check_t {
 	/** message id */
 	u_int32_t mid;
-	
+
 	/** source of the connectivity check */
 	host_t *src;
-	
+
 	/** destination of the connectivity check */
 	host_t *dst;
-	
+
 	/** connect id */
 	chunk_t connect_id;
-	
+
 	/** endpoint */
 	endpoint_notify_t *endpoint;
-	
+
 	/** raw endpoint payload (to verify the signature) */
 	chunk_t endpoint_raw;
-	
-    /** connect auth */
-    chunk_t auth;
+
+	/** connect auth */
+	chunk_t auth;
 };
 
 /**
@@ -343,16 +352,16 @@ static void check_destroy(check_t *this)
 static check_t *check_create()
 {
 	check_t *this = malloc_thing(check_t);
-	
+
 	this->connect_id = chunk_empty;
 	this->auth = chunk_empty;
 	this->endpoint_raw = chunk_empty;
 	this->src = NULL;
 	this->dst = NULL;
 	this->endpoint = NULL;
-	
+
 	this->mid = 0;
-	
+
 	return this;
 }
 
@@ -364,10 +373,10 @@ typedef struct callback_data_t callback_data_t;
 struct callback_data_t {
 	/** connect manager */
 	private_connect_manager_t *connect_manager;
-	
+
 	/** connect id */
 	chunk_t connect_id;
-	
+
 	/** message (pair) id */
 	u_int32_t mid;
 };
@@ -385,9 +394,9 @@ static void callback_data_destroy(callback_data_t *this)
  * Creates a new callback data object
  */
 static callback_data_t *callback_data_create(private_connect_manager_t *connect_manager,
-		chunk_t connect_id)
+											 chunk_t connect_id)
 {
-	callback_data_t *this = malloc_thing(callback_data_t);	
+	callback_data_t *this = malloc_thing(callback_data_t);
 	this->connect_manager = connect_manager;
 	this->connect_id = chunk_clone(connect_id);
 	this->mid = 0;
@@ -398,7 +407,7 @@ static callback_data_t *callback_data_create(private_connect_manager_t *connect_
  * Creates a new retransmission data object
  */
 static callback_data_t *retransmit_data_create(private_connect_manager_t *connect_manager,
-		chunk_t connect_id, u_int32_t mid)
+											   chunk_t connect_id, u_int32_t mid)
 {
 	callback_data_t *this = callback_data_create(connect_manager, connect_id);
 	this->mid = mid;
@@ -413,7 +422,7 @@ typedef struct initiate_data_t initiate_data_t;
 struct initiate_data_t {
 	/** checklist */
 	check_list_t *checklist;
-	
+
 	/** waiting mediated connections */
 	initiated_t *initiated;
 };
@@ -431,10 +440,11 @@ static void initiate_data_destroy(initiate_data_t *this)
 /**
  * Creates a new initiate data object
  */
-static initiate_data_t *initiate_data_create(check_list_t *checklist, initiated_t *initiated)
+static initiate_data_t *initiate_data_create(check_list_t *checklist,
+											 initiated_t *initiated)
 {
 	initiate_data_t *this = malloc_thing(initiate_data_t);
-	
+
 	this->checklist = checklist;
 	this->initiated = initiated;
 
@@ -445,27 +455,30 @@ static initiate_data_t *initiate_data_create(check_list_t *checklist, initiated_
  * Find an initiated connection by the peers' ids
  */
 static bool match_initiated_by_ids(initiated_t *current, identification_t *id,
-		identification_t *peer_id)
+								   identification_t *peer_id)
 {
 	return id->equals(id, current->id) && peer_id->equals(peer_id, current->peer_id);
 }
 
 static status_t get_initiated_by_ids(private_connect_manager_t *this,
-		identification_t *id, identification_t *peer_id, initiated_t **initiated)
+									 identification_t *id,
+									 identification_t *peer_id,
+									 initiated_t **initiated)
 {
 	return this->initiated->find_first(this->initiated,
-				(linked_list_match_t)match_initiated_by_ids,
-				(void**)initiated, id, peer_id);
+								(linked_list_match_t)match_initiated_by_ids,
+								(void**)initiated, id, peer_id);
 }
 
 /**
  * Removes data about initiated connections
  */
-static void remove_initiated(private_connect_manager_t *this, initiated_t *initiated)
+static void remove_initiated(private_connect_manager_t *this,
+							 initiated_t *initiated)
 {
 	iterator_t *iterator;
 	initiated_t *current;
-	
+
 	iterator = this->initiated->create_iterator(this->initiated, TRUE);
 	while (iterator->iterate(iterator, (void**)&current))
 	{
@@ -487,21 +500,23 @@ static bool match_checklist_by_id(check_list_t *current, chunk_t *connect_id)
 }
 
 static status_t get_checklist_by_id(private_connect_manager_t *this,
-		chunk_t connect_id, check_list_t **check_list)
+									chunk_t connect_id,
+									check_list_t **check_list)
 {
 	return this->checklists->find_first(this->checklists,
-				(linked_list_match_t)match_checklist_by_id,
-				(void**)check_list, &connect_id);
+								(linked_list_match_t)match_checklist_by_id,
+								(void**)check_list, &connect_id);
 }
 
 /**
  * Removes a checklist
  */
-static void remove_checklist(private_connect_manager_t *this, check_list_t *checklist)
+static void remove_checklist(private_connect_manager_t *this,
+							 check_list_t *checklist)
 {
 	iterator_t *iterator;
 	check_list_t *current;
-	
+
 	iterator = this->checklists->create_iterator(this->checklists, TRUE);
 	while (iterator->iterate(iterator, (void**)&current))
 	{
@@ -522,22 +537,23 @@ static bool match_endpoint_by_host(endpoint_notify_t *current, host_t *host)
 	return host->equals(host, current->get_host(current));
 }
 
-static status_t endpoints_contain(linked_list_t *endpoints, host_t *host, endpoint_notify_t **endpoint)
+static status_t endpoints_contain(linked_list_t *endpoints, host_t *host,
+								  endpoint_notify_t **endpoint)
 {
 	return endpoints->find_first(endpoints,
-				(linked_list_match_t)match_endpoint_by_host,
-				(void**)endpoint, host);
+								 (linked_list_match_t)match_endpoint_by_host,
+								 (void**)endpoint, host);
 }
 
 /**
- * Inserts an endpoint pair into the list of pairs ordered by priority (high to low)
+ * Inserts an endpoint pair into a list of pairs ordered by priority (high to low)
  */
 static void insert_pair_by_priority(linked_list_t *pairs, endpoint_pair_t *pair)
 {
 	iterator_t *iterator;
 	endpoint_pair_t *current;
 	bool inserted = FALSE;
-	
+
 	iterator = pairs->create_iterator(pairs, TRUE);
 	while (iterator->iterate(iterator, (void**)&current))
 	{
@@ -549,7 +565,7 @@ static void insert_pair_by_priority(linked_list_t *pairs, endpoint_pair_t *pair)
 		}
 	}
 	iterator->destroy(iterator);
-	
+
 	if (!inserted)
 	{
 		pairs->insert_last(pairs, pair);
@@ -559,16 +575,17 @@ static void insert_pair_by_priority(linked_list_t *pairs, endpoint_pair_t *pair)
 /**
  * Searches a list of endpoint_pair_t for a pair with specific host_ts
  */
-static bool match_pair_by_hosts(endpoint_pair_t *current, host_t *local, host_t *remote)
+static bool match_pair_by_hosts(endpoint_pair_t *current, host_t *local,
+								host_t *remote)
 {
 	return local->equals(local, current->local) && remote->equals(remote, current->remote);
 }
 
-static status_t get_pair_by_hosts(linked_list_t *pairs, host_t *local, host_t *remote, endpoint_pair_t **pair)
+static status_t get_pair_by_hosts(linked_list_t *pairs, host_t *local,
+								  host_t *remote, endpoint_pair_t **pair)
 {
-	return pairs->find_first(pairs,
-				(linked_list_match_t)match_pair_by_hosts,
-				(void**)pair, local, remote);
+	return pairs->find_first(pairs, (linked_list_match_t)match_pair_by_hosts,
+							 (void**)pair, local, remote);
 }
 
 static bool match_pair_by_id(endpoint_pair_t *current, u_int32_t *id)
@@ -579,11 +596,12 @@ static bool match_pair_by_id(endpoint_pair_t *current, u_int32_t *id)
 /**
  * Searches for a pair with a specific id
  */
-static status_t get_pair_by_id(check_list_t *checklist, u_int32_t id, endpoint_pair_t **pair)
+static status_t get_pair_by_id(check_list_t *checklist, u_int32_t id,
+							   endpoint_pair_t **pair)
 {
 	return checklist->pairs->find_first(checklist->pairs,
-				(linked_list_match_t)match_pair_by_id,
-				(void**)pair, &id);
+										(linked_list_match_t)match_pair_by_id,
+										(void**)pair, &id);
 }
 
 static bool match_succeeded_pair(endpoint_pair_t *current)
@@ -592,13 +610,14 @@ static bool match_succeeded_pair(endpoint_pair_t *current)
 }
 
 /**
- * Returns the best pair of state CHECK_SUCCEEDED from a checklist. 
+ * Returns the best pair of state CHECK_SUCCEEDED from a checklist.
  */
-static status_t get_best_valid_pair(check_list_t *checklist, endpoint_pair_t **pair)
+static status_t get_best_valid_pair(check_list_t *checklist,
+									endpoint_pair_t **pair)
 {
 	return checklist->pairs->find_first(checklist->pairs,
-				(linked_list_match_t)match_succeeded_pair,
-				(void**)pair);
+									(linked_list_match_t)match_succeeded_pair,
+									(void**)pair);
 }
 
 static bool match_waiting_pair(endpoint_pair_t *current)
@@ -607,19 +626,20 @@ static bool match_waiting_pair(endpoint_pair_t *current)
 }
 
 /**
- * Returns and *removes* the first triggered pair in state CHECK_WAITING. 
+ * Returns and *removes* the first triggered pair in state CHECK_WAITING.
  */
-static status_t get_triggered_pair(check_list_t *checklist, endpoint_pair_t **pair)
+static status_t get_triggered_pair(check_list_t *checklist,
+								   endpoint_pair_t **pair)
 {
 	iterator_t *iterator;
 	endpoint_pair_t *current;
 	status_t status = NOT_FOUND;
-	
+
 	iterator = checklist->triggered->create_iterator(checklist->triggered, TRUE);
 	while (iterator->iterate(iterator, (void**)&current))
 	{
 		iterator->remove(iterator);
-		
+
 		if (current->state == CHECK_WAITING)
 		{
 			if (pair)
@@ -631,7 +651,7 @@ static status_t get_triggered_pair(check_list_t *checklist, endpoint_pair_t **pa
 		}
 	}
 	iterator->destroy(iterator);
-	
+
 	return status;
 }
 
@@ -642,13 +662,13 @@ static void print_checklist(check_list_t *checklist)
 {
 	iterator_t *iterator;
 	endpoint_pair_t *current;
-	
+
 	DBG1(DBG_IKE, "pairs on checklist %#B:", &checklist->connect_id);
 	iterator = checklist->pairs->create_iterator(checklist->pairs, TRUE);
 	while (iterator->iterate(iterator, (void**)&current))
 	{
 		DBG1(DBG_IKE, " * %#H - %#H (%d)", current->local, current->remote,
-				current->priority);
+			 current->priority);
 	}
 	iterator->destroy(iterator);
 }
@@ -662,29 +682,29 @@ static void prune_pairs(linked_list_t *pairs)
 	iterator_t *iterator, *search;
 	endpoint_pair_t *current, *other;
 	u_int32_t id = 0;
-	
+
 	iterator = pairs->create_iterator(pairs, TRUE);
 	search = pairs->create_iterator(pairs, TRUE);
 	while (iterator->iterate(iterator, (void**)&current))
 	{
 		current->id = ++id;
-		
+
 		while (search->iterate(search, (void**)&other))
 		{
 			if (current == other)
 			{
 				continue;
 			}
-			
+
 			if (current->local->equals(current->local, other->local) &&
-					current->remote->equals(current->remote, other->remote))
+				current->remote->equals(current->remote, other->remote))
 			{
 				/* since the list of pairs is sorted by priority in descending
 				 * order, and we iterate the list from the beginning, we are
 				 * sure that the priority of 'other' is lower than that of
 				 * 'current', remove it */
 				DBG1(DBG_IKE, "pruning endpoint pair %#H - %#H with priority %d",
-						other->local, other->remote, other->priority);
+					 other->local, other->remote, other->priority);
 				search->remove(search);
 				endpoint_pair_destroy(other);
 			}
@@ -703,25 +723,27 @@ static void build_pairs(check_list_t *checklist)
 	/* FIXME: limit endpoints and pairs */
 	iterator_t *iterator_i, *iterator_r;
 	endpoint_notify_t *initiator, *responder;
-	
-	iterator_i = checklist->initiator.endpoints->create_iterator(checklist->initiator.endpoints, TRUE);
+
+	iterator_i = checklist->initiator.endpoints->create_iterator(
+										checklist->initiator.endpoints, TRUE);
 	while (iterator_i->iterate(iterator_i, (void**)&initiator))
 	{
-		iterator_r = checklist->responder.endpoints->create_iterator(checklist->responder.endpoints, TRUE);
+		iterator_r = checklist->responder.endpoints->create_iterator(
+										checklist->responder.endpoints, TRUE);
 		while (iterator_r->iterate(iterator_r, (void**)&responder))
 		{
 			if (initiator->get_family(initiator) != responder->get_family(responder))
 			{
 				continue;
 			}
-			
-			insert_pair_by_priority(checklist->pairs,
-					endpoint_pair_create(initiator, responder, checklist->is_initiator));
+
+			insert_pair_by_priority(checklist->pairs, endpoint_pair_create(
+							initiator, responder, checklist->is_initiator));
 		}
 		iterator_r->destroy(iterator_r);
 	}
 	iterator_i->destroy(iterator_i);
-	
+
 	print_checklist(checklist);
 
 	prune_pairs(checklist->pairs);
@@ -741,22 +763,24 @@ static status_t process_payloads(message_t *message, check_t *check)
 		if (payload->get_type(payload) != NOTIFY)
 		{
 			DBG1(DBG_IKE, "ignoring payload of type '%N' while processing "
-					"connectivity check", payload_type_names, payload->get_type(payload));
+				 "connectivity check", payload_type_names,
+				 payload->get_type(payload));
 			continue;
 		}
-		
+
 		notify_payload_t *notify = (notify_payload_t*)payload;
-		
+
 		switch (notify->get_notify_type(notify))
 		{
 			case ME_ENDPOINT:
 			{
 				if (check->endpoint)
 				{
-					DBG1(DBG_IKE, "connectivity check contains multiple ME_ENDPOINT notifies");
+					DBG1(DBG_IKE, "connectivity check contains multiple "
+						 "ME_ENDPOINT notifies");
 					break;
 				}
-				
+
 				endpoint_notify_t *endpoint = endpoint_notify_create_from_payload(notify);
 				if (!endpoint)
 				{
@@ -772,7 +796,8 @@ static status_t process_payloads(message_t *message, check_t *check)
 			{
 				if (check->connect_id.ptr)
 				{
-					DBG1(DBG_IKE, "connectivity check contains multiple ME_CONNECTID notifies");
+					DBG1(DBG_IKE, "connectivity check contains multiple "
+						 "ME_CONNECTID notifies");
 					break;
 				}
 				check->connect_id = chunk_clone(notify->get_notification_data(notify));
@@ -783,7 +808,8 @@ static status_t process_payloads(message_t *message, check_t *check)
 			{
 				if (check->auth.ptr)
 				{
-					DBG1(DBG_IKE, "connectivity check contains multiple ME_CONNECTAUTH notifies");
+					DBG1(DBG_IKE, "connectivity check contains multiple "
+						 "ME_CONNECTAUTH notifies");
 					break;
 				}
 				check->auth = chunk_clone(notify->get_notification_data(notify));
@@ -795,38 +821,40 @@ static status_t process_payloads(message_t *message, check_t *check)
 		}
 	}
 	enumerator->destroy(enumerator);
-	
+
 	if (!check->connect_id.ptr || !check->endpoint || !check->auth.ptr)
 	{
-		DBG1(DBG_IKE, "at least one payload was missing from the connectivity check");
+		DBG1(DBG_IKE, "at least one required payload was missing from the "
+			 "connectivity check");
 		return FAILED;
 	}
-	
+
 	return SUCCESS;
 }
 
 /**
  * Builds the signature for a connectivity check
  */
-static chunk_t build_signature(private_connect_manager_t *this, 
+static chunk_t build_signature(private_connect_manager_t *this,
 		check_list_t *checklist, check_t *check, bool outbound)
 {
 	u_int32_t mid;
 	chunk_t mid_chunk, key_chunk, sig_chunk;
 	chunk_t sig_hash;
-	
+
 	mid = htonl(check->mid);
 	mid_chunk = chunk_from_thing(mid);
-	
+
 	key_chunk = (checklist->is_initiator && outbound) || (!checklist->is_initiator && !outbound)
 					? checklist->initiator.key : checklist->responder.key;
-	
+
 	/* signature = SHA1( MID | ME_CONNECTID | ME_ENDPOINT | ME_CONNECTKEY ) */
-	sig_chunk = chunk_cat("cccc", mid_chunk, check->connect_id, check->endpoint_raw, key_chunk);
+	sig_chunk = chunk_cat("cccc", mid_chunk, check->connect_id,
+						  check->endpoint_raw, key_chunk);
 	this->hasher->allocate_hash(this->hasher, sig_chunk, &sig_hash);
 	DBG3(DBG_IKE, "sig_chunk %#B", &sig_chunk);
 	DBG3(DBG_IKE, "sig_hash %#B", &sig_hash);
-	
+
 	chunk_free(&sig_chunk);
 	return sig_hash;
 }
@@ -837,7 +865,7 @@ static void finish_checks(private_connect_manager_t *this, check_list_t *checkli
 
 /**
  * After one of the initiator's pairs has succeeded we finish the checks without
- * waiting for all the timeouts  
+ * waiting for all the timeouts
  */
 static job_requeue_t initiator_finish(callback_data_t *data)
 {
@@ -848,23 +876,24 @@ static job_requeue_t initiator_finish(callback_data_t *data)
 	check_list_t *checklist;
 	if (get_checklist_by_id(this, data->connect_id, &checklist) != SUCCESS)
 	{
-		DBG1(DBG_IKE, "checklist with id '%#B' not found, can't finish connectivity checks",
-				&data->connect_id);
+		DBG1(DBG_IKE, "checklist with id '%#B' not found, can't finish "
+			 "connectivity checks", &data->connect_id);
 		this->mutex->unlock(this->mutex);
 		return JOB_REQUEUE_NONE;
 	}
-	
+
 	finish_checks(this, checklist);
-	
+
 	this->mutex->unlock(this->mutex);
-	
+
 	return JOB_REQUEUE_NONE;
 }
 
 /**
  * Updates the state of the whole checklist
  */
-static void update_checklist_state(private_connect_manager_t *this, check_list_t *checklist)
+static void update_checklist_state(private_connect_manager_t *this,
+								   check_list_t *checklist)
 {
 	iterator_t *iterator;
 	endpoint_pair_t *current;
@@ -891,21 +920,22 @@ static void update_checklist_state(private_connect_manager_t *this, check_list_t
 		}
 	}
 	iterator->destroy(iterator);
-	
+
 	if (checklist->is_initiator && succeeded && !checklist->is_finishing)
 	{
 		/* instead of waiting until all checks have finished (i.e. all
 		 * retransmissions have failed) the initiator finishes the checks
 		 * right after the first check has succeeded. to allow a probably
 		 * better pair to succeed, we still wait a certain time */
-		DBG2(DBG_IKE, "fast finishing checks for checklist '%#B'", &checklist->connect_id);
-		
+		DBG2(DBG_IKE, "fast finishing checks for checklist '%#B'",
+			 &checklist->connect_id);
+
 		callback_data_t *data = callback_data_create(this, checklist->connect_id);
 		job_t *job = (job_t*)callback_job_create((callback_job_cb_t)initiator_finish, data, (callback_job_cleanup_t)callback_data_destroy, NULL);
 		charon->scheduler->schedule_job_ms(charon->scheduler, job, ME_WAIT_TO_FINISH);
 		checklist->is_finishing = TRUE;
 	}
-	
+
 	if (in_progress)
 	{
 		checklist->state = CHECK_IN_PROGRESS;
@@ -926,48 +956,48 @@ static void update_checklist_state(private_connect_manager_t *this, check_list_t
 static job_requeue_t retransmit(callback_data_t *data)
 {
 	private_connect_manager_t *this = data->connect_manager;
-	
+
 	this->mutex->lock(this->mutex);
 
 	check_list_t *checklist;
 	if (get_checklist_by_id(this, data->connect_id, &checklist) != SUCCESS)
 	{
-		DBG1(DBG_IKE, "checklist with id '%#B' not found, can't retransmit connectivity check",
-				&data->connect_id);
+		DBG1(DBG_IKE, "checklist with id '%#B' not found, can't retransmit "
+			 "connectivity check", &data->connect_id);
 		this->mutex->unlock(this->mutex);
 		return JOB_REQUEUE_NONE;
 	}
-	
+
 	endpoint_pair_t *pair;
 	if (get_pair_by_id(checklist, data->mid, &pair) != SUCCESS)
 	{
-		DBG1(DBG_IKE, "pair with id '%d' not found, can't retransmit connectivity check",
-				data->mid);
+		DBG1(DBG_IKE, "pair with id '%d' not found, can't retransmit "
+			 "connectivity check", data->mid);
 		goto retransmit_end;
 	}
-	
+
 	if (pair->state != CHECK_IN_PROGRESS)
 	{
-		DBG2(DBG_IKE, "pair with id '%d' is in wrong state [%d], don't retransmit the connectivity check",
-				data->mid, pair->state);
+		DBG2(DBG_IKE, "pair with id '%d' is in wrong state [%d], don't "
+			 "retransmit the connectivity check", data->mid, pair->state);
 		goto retransmit_end;
 	}
-	
+
 	if (++pair->retransmitted > ME_MAX_RETRANS)
 	{
 		DBG2(DBG_IKE, "pair with id '%d' failed after %d retransmissions",
-				data->mid, ME_MAX_RETRANS);
+			 data->mid, ME_MAX_RETRANS);
 		pair->state = CHECK_FAILED;
 		goto retransmit_end;
 	}
-	
+
 	charon->sender->send(charon->sender, pair->packet->clone(pair->packet));
-	
+
 	queue_retransmission(this, checklist, pair);
 
 retransmit_end:
 	update_checklist_state(this, checklist);
-	
+
 	switch(checklist->state)
 	{
 		case CHECK_SUCCEEDED:
@@ -977,9 +1007,9 @@ retransmit_end:
 		default:
 			break;
 	}
-	
+
 	this->mutex->unlock(this->mutex);
-	
+
 	/* we reschedule it manually */
 	return JOB_REQUEUE_NONE;
 }
@@ -991,15 +1021,16 @@ static void queue_retransmission(private_connect_manager_t *this, check_list_t *
 {
 	callback_data_t *data = retransmit_data_create(this, checklist->connect_id, pair->id);
 	job_t *job = (job_t*)callback_job_create((callback_job_cb_t)retransmit, data, (callback_job_cleanup_t)callback_data_destroy, NULL);
-	
+
 	u_int32_t retransmission = pair->retransmitted + 1;
 	u_int32_t rto = ME_INTERVAL;
 	if (retransmission > ME_BOOST)
 	{
 		rto = (u_int32_t)(ME_INTERVAL * pow(ME_RETRANS_BASE, retransmission - ME_BOOST));
 	}
-	DBG2(DBG_IKE, "scheduling retransmission %d of pair '%d' in %dms", retransmission, pair->id, rto);
-	
+	DBG2(DBG_IKE, "scheduling retransmission %d of pair '%d' in %dms",
+		 retransmission, pair->id, rto);
+
 	charon->scheduler->schedule_job_ms(charon->scheduler, (job_t*)job, rto);
 }
 
@@ -1015,28 +1046,28 @@ static void send_check(private_connect_manager_t *this, check_list_t *checklist,
 	message->set_request(message, request);
 	message->set_destination(message, check->dst->clone(check->dst));
 	message->set_source(message, check->src->clone(check->src));
-	
+
 	ike_sa_id_t *ike_sa_id = ike_sa_id_create(0, 0, request);
 	message->set_ike_sa_id(message, ike_sa_id);
 	ike_sa_id->destroy(ike_sa_id);
 
 	message->add_notify(message, FALSE, ME_CONNECTID, check->connect_id);
 	DBG2(DBG_IKE, "send ME_CONNECTID %#B", &check->connect_id);
-	
+
 	notify_payload_t *endpoint = check->endpoint->build_notify(check->endpoint);
 	check->endpoint_raw = chunk_clone(endpoint->get_notification_data(endpoint));
 	message->add_payload(message, (payload_t*)endpoint);
 	DBG2(DBG_IKE, "send ME_ENDPOINT notify");
-	
+
 	check->auth = build_signature(this, checklist, check, TRUE);
 	message->add_notify(message, FALSE, ME_CONNECTAUTH, check->auth);
 	DBG2(DBG_IKE, "send ME_CONNECTAUTH %#B", &check->auth);
-	
+
 	packet_t *packet;
 	if (message->generate(message, NULL, NULL, &packet) == SUCCESS)
 	{
 		charon->sender->send(charon->sender, packet->clone(packet));
-		
+
 		if (request)
 		{
 			DESTROY_IF(pair->packet);
@@ -1055,18 +1086,18 @@ static void send_check(private_connect_manager_t *this, check_list_t *checklist,
 /**
  * Queues a triggered check
  */
-static void queue_triggered_check(private_connect_manager_t *this, 
+static void queue_triggered_check(private_connect_manager_t *this,
 		check_list_t *checklist, endpoint_pair_t *pair)
 {
 	DBG2(DBG_IKE, "queueing triggered check for pair '%d'", pair->id);
- 	pair->state = CHECK_WAITING;
- 	checklist->triggered->insert_last(checklist->triggered, pair);
- 	
- 	if (!checklist->sender)
- 	{
- 		/* if the sender is not running we restart it */
- 		schedule_checks(this, checklist, ME_INTERVAL);
- 	}
+	pair->state = CHECK_WAITING;
+	checklist->triggered->insert_last(checklist->triggered, pair);
+
+	if (!checklist->sender)
+	{
+		/* if the sender is not running we restart it */
+		schedule_checks(this, checklist, ME_INTERVAL);
+	}
 }
 
 /**
@@ -1077,26 +1108,27 @@ static job_requeue_t sender(callback_data_t *data)
 	private_connect_manager_t *this = data->connect_manager;
 
 	this->mutex->lock(this->mutex);
-	
+
 	check_list_t *checklist;
 	if (get_checklist_by_id(this, data->connect_id, &checklist) != SUCCESS)
 	{
-		DBG1(DBG_IKE, "checklist with id '%#B' not found, can't send connectivity check",
-				&data->connect_id);
+		DBG1(DBG_IKE, "checklist with id '%#B' not found, can't send "
+			 "connectivity check", &data->connect_id);
 		this->mutex->unlock(this->mutex);
 		return JOB_REQUEUE_NONE;
 	}
-	
+
 	/* reset the sender */
 	checklist->sender = NULL;
-	
+
 	endpoint_pair_t *pair;
 	if (get_triggered_pair(checklist, &pair) != SUCCESS)
 	{
 		DBG1(DBG_IKE, "no triggered check queued, sending an ordinary check");
-		
+
 		if (checklist->pairs->find_first(checklist->pairs,
-				(linked_list_match_t)match_waiting_pair, (void**)&pair) != SUCCESS)
+									(linked_list_match_t)match_waiting_pair,
+									(void**)&pair) != SUCCESS)
 		{
 			this->mutex->unlock(this->mutex);
 			DBG1(DBG_IKE, "no pairs in waiting state, aborting");
@@ -1113,19 +1145,20 @@ static job_requeue_t sender(callback_data_t *data)
 	check->src = pair->local->clone(pair->local);
 	check->dst = pair->remote->clone(pair->remote);
 	check->connect_id = chunk_clone(checklist->connect_id);
-	check->endpoint = endpoint_notify_create();
-	
+	check->endpoint = endpoint_notify_create_from_host(PEER_REFLEXIVE, NULL,
+													   NULL);
+
 	pair->state = CHECK_IN_PROGRESS;
-	
+
 	send_check(this, checklist, check, pair, TRUE);
-	
+
 	check_destroy(check);
-	
+
 	/* schedule this job again */
 	schedule_checks(this, checklist, ME_INTERVAL);
-	
+
 	this->mutex->unlock(this->mutex);
-	
+
 	/* we reschedule it manually */
 	return JOB_REQUEUE_NONE;
 }
@@ -1147,7 +1180,7 @@ static job_requeue_t initiate_mediated(initiate_data_t *data)
 {
 	check_list_t *checklist = data->checklist;
 	initiated_t *initiated = data->initiated;
-	
+
 	endpoint_pair_t *pair;
 	if (get_best_valid_pair(checklist, &pair) == SUCCESS)
 	{
@@ -1169,7 +1202,7 @@ static job_requeue_t initiate_mediated(initiate_data_t *data)
 	{
 		/* this should (can?) not happen */
 	}
-	
+
 	return JOB_REQUEUE_NONE;
 }
 
@@ -1186,7 +1219,7 @@ static void finish_checks(private_connect_manager_t *this, check_list_t *checkli
 		{
 			remove_checklist(this, checklist);
 			remove_initiated(this, initiated);
-			
+
 			initiate_data_t *data = initiate_data_create(checklist, initiated);
 			job_t *job = (job_t*)callback_job_create((callback_job_cb_t)initiate_mediated, data, (callback_job_cleanup_t)initiate_data_destroy, NULL);
 			charon->processor->queue_job(charon->processor, job);
@@ -1194,8 +1227,8 @@ static void finish_checks(private_connect_manager_t *this, check_list_t *checkli
 		}
 		else
 		{
-			DBG1(DBG_IKE, "there is no mediated connection waiting between '%Y' "
-					"and '%Y'", checklist->initiator.id, checklist->responder.id);
+			DBG1(DBG_IKE, "there is no mediated connection waiting between '%Y'"
+				 " and '%Y'", checklist->initiator.id, checklist->responder.id);
 		}
 	}
 }
@@ -1210,28 +1243,30 @@ static void process_response(private_connect_manager_t *this, check_t *check,
 	if (get_pair_by_id(checklist, check->mid, &pair) == SUCCESS)
 	{
 		if (pair->local->equals(pair->local, check->dst) &&
-				pair->remote->equals(pair->remote, check->src))
+			pair->remote->equals(pair->remote, check->src))
 		{
-			DBG1(DBG_IKE, "endpoint pair '%d' is valid: '%#H' - '%#H'", pair->id,
-					pair->local, pair->remote);
+			DBG1(DBG_IKE, "endpoint pair '%d' is valid: '%#H' - '%#H'",
+				 pair->id, pair->local, pair->remote);
 			pair->state = CHECK_SUCCEEDED;
 		}
-		
+
 		linked_list_t *local_endpoints = checklist->is_initiator ?
 			checklist->initiator.endpoints : checklist->responder.endpoints;
-		
+
 		endpoint_notify_t *local_endpoint;
 		if (endpoints_contain(local_endpoints,
-				check->endpoint->get_host(check->endpoint), &local_endpoint) != SUCCESS)
+							  check->endpoint->get_host(check->endpoint),
+							  &local_endpoint) != SUCCESS)
 		{
 			local_endpoint = endpoint_notify_create_from_host(PEER_REFLEXIVE,
 					check->endpoint->get_host(check->endpoint), pair->local);
-			local_endpoint->set_priority(local_endpoint, check->endpoint->get_priority(check->endpoint));
+			local_endpoint->set_priority(local_endpoint,
+								check->endpoint->get_priority(check->endpoint));
 			local_endpoints->insert_last(local_endpoints, local_endpoint);
 		}
-		
+
 		update_checklist_state(this, checklist);
-		
+
 		switch(checklist->state)
 		{
 			case CHECK_SUCCEEDED:
@@ -1249,31 +1284,35 @@ static void process_response(private_connect_manager_t *this, check_t *check,
 }
 
 static void process_request(private_connect_manager_t *this, check_t *check,
-		check_list_t *checklist)
+							check_list_t *checklist)
 {
 	linked_list_t *remote_endpoints = checklist->is_initiator ?
 				checklist->responder.endpoints : checklist->initiator.endpoints;
-		
+
 	endpoint_notify_t *peer_reflexive, *remote_endpoint;
-	peer_reflexive = endpoint_notify_create_from_host(PEER_REFLEXIVE, check->src, NULL);
-	peer_reflexive->set_priority(peer_reflexive, check->endpoint->get_priority(check->endpoint));
-		
+	peer_reflexive = endpoint_notify_create_from_host(PEER_REFLEXIVE,
+													  check->src, NULL);
+	peer_reflexive->set_priority(peer_reflexive,
+							check->endpoint->get_priority(check->endpoint));
+
 	if (endpoints_contain(remote_endpoints, check->src, &remote_endpoint) != SUCCESS)
 	{
 		remote_endpoint = peer_reflexive->clone(peer_reflexive);
 		remote_endpoints->insert_last(remote_endpoints, remote_endpoint);
 	}
-	
+
 	endpoint_pair_t *pair;
-	if (get_pair_by_hosts(checklist->pairs, check->dst, check->src, &pair) == SUCCESS)
+	if (get_pair_by_hosts(checklist->pairs, check->dst, check->src,
+						  &pair) == SUCCESS)
 	{
 		switch(pair->state)
 		{
 			case CHECK_IN_PROGRESS:
 				/* prevent retransmissions */
 				pair->retransmitted = ME_MAX_RETRANS;
-				/* FIXME: we should wait to the next rto to send the triggered check
-				 * fall-through */
+				/* FIXME: we should wait to the next rto to send the triggered
+				 * check */
+				/* fall-through */
 			case CHECK_WAITING:
 			case CHECK_FAILED:
 				queue_triggered_check(this, checklist, pair);
@@ -1286,31 +1325,30 @@ static void process_request(private_connect_manager_t *this, check_t *check,
 	else
 	{
 		endpoint_notify_t *local_endpoint = endpoint_notify_create_from_host(HOST, check->dst, NULL);
-		
+
 		endpoint_notify_t *initiator = checklist->is_initiator ? local_endpoint : remote_endpoint;
 		endpoint_notify_t *responder = checklist->is_initiator ? remote_endpoint : local_endpoint;
-		
+
 		pair = endpoint_pair_create(initiator, responder, checklist->is_initiator);
 		pair->id = checklist->pairs->get_count(checklist->pairs) + 1;
-		
+
 		insert_pair_by_priority(checklist->pairs, pair);
-		
+
 		queue_triggered_check(this, checklist, pair);
-		
+
 		local_endpoint->destroy(local_endpoint);
 	}
-	
-	
+
 	check_t *response = check_create();
-	
+
 	response->mid = check->mid;
 	response->src = check->dst->clone(check->dst);
 	response->dst = check->src->clone(check->src);
 	response->connect_id = chunk_clone(check->connect_id);
 	response->endpoint = peer_reflexive;
-	
+
 	send_check(this, checklist, response, pair, FALSE);
-	
+
 	check_destroy(response);
 }
 
@@ -1327,35 +1365,35 @@ static void process_check(private_connect_manager_t *this, message_t *message)
 			 message->get_message_id(message));
 		return;
 	}
-	
+
 	check_t *check = check_create();
 	check->mid = message->get_message_id(message);
 	check->src = message->get_source(message);
 	check->src = check->src->clone(check->src);
 	check->dst = message->get_destination(message);
 	check->dst = check->dst->clone(check->dst);
-	
+
 	if (process_payloads(message, check) != SUCCESS)
 	{
 		DBG1(DBG_IKE, "invalid connectivity check %s received",
-				message->get_request(message) ? "request" : "response");
+			 message->get_request(message) ? "request" : "response");
 		check_destroy(check);
 		return;
 	}
-	
+
 	this->mutex->lock(this->mutex);
-	
+
 	check_list_t *checklist;
 	if (get_checklist_by_id(this, check->connect_id, &checklist) != SUCCESS)
 	{
 		DBG1(DBG_IKE, "checklist with id '%#B' not found",
-				&check->connect_id);
+			 &check->connect_id);
 		check_destroy(check);
 		this->mutex->unlock(this->mutex);
 		return;
 	}
-	
-	chunk_t sig = build_signature(this, checklist, check, FALSE); 
+
+	chunk_t sig = build_signature(this, checklist, check, FALSE);
 	if (!chunk_equals(sig, check->auth))
 	{
 		DBG1(DBG_IKE, "connectivity check verification failed");
@@ -1365,7 +1403,7 @@ static void process_check(private_connect_manager_t *this, message_t *message)
 		return;
 	}
 	chunk_free(&sig);
-	
+
 	if (message->get_request(message))
 	{
 		process_request(this, check, checklist);
@@ -1374,9 +1412,9 @@ static void process_check(private_connect_manager_t *this, message_t *message)
 	{
 		process_response(this, check, checklist);
 	}
-	
+
 	this->mutex->unlock(this->mutex);
-	
+
 	check_destroy(check);
 }
 
@@ -1394,16 +1432,19 @@ static bool check_and_register(private_connect_manager_t *this,
 
 	if (get_initiated_by_ids(this, id, peer_id, &initiated) != SUCCESS)
 	{
-		DBG2(DBG_IKE, "registered waiting mediated connection with '%Y'", peer_id);
+		DBG2(DBG_IKE, "registered waiting mediated connection with '%Y'",
+			 peer_id);
 		initiated = initiated_create(id, peer_id);
 		this->initiated->insert_last(this->initiated, initiated);
 		already_there = FALSE;
 	}
-	
-	if (initiated->mediated->find_first(initiated->mediated, 
-			(linked_list_match_t)mediated_sa->equals, NULL, mediated_sa) != SUCCESS)
+
+	if (initiated->mediated->find_first(initiated->mediated,
+								(linked_list_match_t)mediated_sa->equals,
+								NULL, mediated_sa) != SUCCESS)
 	{
-		initiated->mediated->insert_last(initiated->mediated, mediated_sa->clone(mediated_sa));
+		initiated->mediated->insert_last(initiated->mediated,
+										 mediated_sa->clone(mediated_sa));
 	}
 
 	this->mutex->unlock(this->mutex);
@@ -1414,8 +1455,9 @@ static bool check_and_register(private_connect_manager_t *this,
 /**
  * Implementation of connect_manager_t.check_and_initiate.
  */
-static void check_and_initiate(private_connect_manager_t *this, ike_sa_id_t *mediation_sa,
-		identification_t *id, identification_t *peer_id)
+static void check_and_initiate(private_connect_manager_t *this,
+							   ike_sa_id_t *mediation_sa, identification_t *id,
+							   identification_t *peer_id)
 {
 	initiated_t *initiated;
 
@@ -1427,12 +1469,14 @@ static void check_and_initiate(private_connect_manager_t *this, ike_sa_id_t *med
 		this->mutex->unlock(this->mutex);
 		return;
 	}
-	
+
 	ike_sa_id_t *waiting_sa;
-	iterator_t *iterator = initiated->mediated->create_iterator(initiated->mediated, TRUE);
+	iterator_t *iterator = initiated->mediated->create_iterator(
+													initiated->mediated, TRUE);
 	while (iterator->iterate(iterator, (void**)&waiting_sa))
 	{
-		job_t *job = (job_t*)reinitiate_mediation_job_create(mediation_sa, waiting_sa);
+		job_t *job = (job_t*)reinitiate_mediation_job_create(mediation_sa,
+															 waiting_sa);
 		charon->processor->queue_job(charon->processor, job);
 	}
 	iterator->destroy(iterator);
@@ -1444,26 +1488,29 @@ static void check_and_initiate(private_connect_manager_t *this, ike_sa_id_t *med
  * Implementation of connect_manager_t.set_initiator_data.
  */
 static status_t set_initiator_data(private_connect_manager_t *this,
-		identification_t *initiator, identification_t *responder,
-		chunk_t connect_id, chunk_t key, linked_list_t *endpoints, bool is_initiator)
+								   identification_t *initiator,
+								   identification_t *responder,
+								   chunk_t connect_id, chunk_t key,
+								   linked_list_t *endpoints, bool is_initiator)
 {
 	check_list_t *checklist;
-	
-	this->mutex->lock(this->mutex);	
-	
+
+	this->mutex->lock(this->mutex);
+
 	if (get_checklist_by_id(this, connect_id, NULL) == SUCCESS)
 	{
 		DBG1(DBG_IKE, "checklist with id '%#B' already exists, aborting",
-				&connect_id);
+			 &connect_id);
 		this->mutex->unlock(this->mutex);
 		return FAILED;
 	}
-	
-	checklist = check_list_create(initiator, responder, connect_id, key, endpoints, is_initiator);
+
+	checklist = check_list_create(initiator, responder, connect_id, key,
+								  endpoints, is_initiator);
 	this->checklists->insert_last(this->checklists, checklist);
-	
+
 	this->mutex->unlock(this->mutex);
-	
+
 	return SUCCESS;
 }
 
@@ -1471,31 +1518,33 @@ static status_t set_initiator_data(private_connect_manager_t *this,
  * Implementation of connect_manager_t.set_responder_data.
  */
 static status_t set_responder_data(private_connect_manager_t *this,
-		chunk_t connect_id, chunk_t key, linked_list_t *endpoints)
+								   chunk_t connect_id, chunk_t key,
+								   linked_list_t *endpoints)
 {
 	check_list_t *checklist;
 
 	this->mutex->lock(this->mutex);
-	
+
 	if (get_checklist_by_id(this, connect_id, &checklist) != SUCCESS)
 	{
 		DBG1(DBG_IKE, "checklist with id '%#B' not found",
-				&connect_id);
+			 &connect_id);
 		this->mutex->unlock(this->mutex);
 		return NOT_FOUND;
 	}
-	
+
 	checklist->responder.key = chunk_clone(key);
-	checklist->responder.endpoints = endpoints->clone_offset(endpoints, offsetof(endpoint_notify_t, clone));
+	checklist->responder.endpoints = endpoints->clone_offset(endpoints,
+											offsetof(endpoint_notify_t, clone));
 	checklist->state = CHECK_WAITING;
-	
+
 	build_pairs(checklist);
-	
+
 	/* send the first check immediately */
 	schedule_checks(this, checklist, 0);
-	
+
 	this->mutex->unlock(this->mutex);
-	
+
 	return SUCCESS;
 }
 
@@ -1507,22 +1556,22 @@ static status_t stop_checks(private_connect_manager_t *this, chunk_t connect_id)
 	check_list_t *checklist;
 
 	this->mutex->lock(this->mutex);
-	
+
 	if (get_checklist_by_id(this, connect_id, &checklist) != SUCCESS)
 	{
 		DBG1(DBG_IKE, "checklist with id '%#B' not found",
-				&connect_id);
+			 &connect_id);
 		this->mutex->unlock(this->mutex);
 		return NOT_FOUND;
 	}
-	
+
 	DBG1(DBG_IKE, "removing checklist with id '%#B'", &connect_id);
-	
+
 	remove_checklist(this, checklist);
 	check_list_destroy(checklist);
-	
+
 	this->mutex->unlock(this->mutex);
-	
+
 	return SUCCESS;
 }
 
@@ -1532,12 +1581,12 @@ static status_t stop_checks(private_connect_manager_t *this, chunk_t connect_id)
 static void destroy(private_connect_manager_t *this)
 {
 	this->mutex->lock(this->mutex);
-	
+
 	this->hasher->destroy(this->hasher);
 	this->checklists->destroy_function(this->checklists, (void*)check_list_destroy);
 	this->initiated->destroy_function(this->initiated, (void*)initiated_destroy);
-	
-	this->mutex->unlock(this->mutex);	
+
+	this->mutex->unlock(this->mutex);
 	this->mutex->destroy(this->mutex);
 	free(this);
 }
@@ -1556,7 +1605,7 @@ connect_manager_t *connect_manager_create()
 	this->public.set_responder_data = (status_t(*)(connect_manager_t*,chunk_t,chunk_t,linked_list_t*))set_responder_data;
 	this->public.process_check = (void(*)(connect_manager_t*,message_t*))process_check;
 	this->public.stop_checks = (status_t(*)(connect_manager_t*,chunk_t))stop_checks;
-	
+
 	this->hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
 	if (this->hasher == NULL)
 	{
@@ -1564,11 +1613,11 @@ connect_manager_t *connect_manager_create()
 		free(this);
 		return NULL;
 	}
-	
+
 	this->checklists = linked_list_create();
 	this->initiated = linked_list_create();
-	
+
 	this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
-	
+
 	return (connect_manager_t*)this;
 }
diff --git a/src/charon/sa/connect_manager.h b/src/charon/sa/connect_manager.h
index b5abc853c..8fa8ff697 100644
--- a/src/charon/sa/connect_manager.h
+++ b/src/charon/sa/connect_manager.h
@@ -32,79 +32,84 @@ typedef struct connect_manager_t connect_manager_t;
  * connection with another peer.
  */
 struct connect_manager_t {
-	
+
 	/**
 	 * Checks if a there is already a mediated connection registered
 	 * between two peers.
-	 * 
-	 * @param id				my id
-	 * @param peer_id			the other peer's id
-	 * @param mediated_sa		the IKE_SA ID of the mediated connection
-	 * @returns 				
-	 * 							- TRUE, if there was already a mediated connection registered
-	 * 							- FALSE, otherwise
+	 *
+	 * @param id			my id
+	 * @param peer_id		the other peer's id
+	 * @param mediated_sa	the IKE_SA ID of the mediated connection
+	 * @returns
+	 *						- TRUE, if a mediated connection is registered
+	 *						- FALSE, otherwise
 	 */
-	bool (*check_and_register) (connect_manager_t *this,
-			identification_t *id, identification_t *peer_id, ike_sa_id_t *mediated_sa);
-	
+	bool (*check_and_register) (connect_manager_t *this, identification_t *id,
+								identification_t *peer_id,
+								ike_sa_id_t *mediated_sa);
+
 	/**
 	 * Checks if there are waiting connections with a specific peer.
 	 * If so, reinitiate them.
-	 * 
-	 * @param id				my id
-	 * @param peer_id			the other peer's id
+	 *
+	 * @param id			my id
+	 * @param peer_id		the other peer's id
 	 */
-	void (*check_and_initiate) (connect_manager_t *this, ike_sa_id_t *mediation_sa,
-			identification_t *id, identification_t *peer_id);
-	
+	void (*check_and_initiate) (connect_manager_t *this,
+								ike_sa_id_t *mediation_sa, identification_t *id,
+								identification_t *peer_id);
+
 	/**
 	 * Creates a checklist and sets the initiator's data.
-	 * 
-	 * @param initiator			ID of the initiator
-	 * @param responder			ID of the responder
-	 * @param connect_id		the connect ID provided by the initiator
-	 * @param key				the initiator's key
-	 * @param endpoints			the initiator's endpoints
-	 * @param is_initiator		TRUE, if the caller of this method is the initiator
-	 * 							FALSE, otherwise
-	 * @returns					SUCCESS
+	 *
+	 * @param initiator		ID of the initiator
+	 * @param responder		ID of the responder
+	 * @param connect_id	the connect ID provided by the initiator
+	 * @param key			the initiator's key
+	 * @param endpoints		the initiator's endpoints
+	 * @param is_initiator	TRUE, if the caller of this method is the initiator
+	 * @returns				SUCCESS
 	 */
 	status_t (*set_initiator_data) (connect_manager_t *this,
-		identification_t *initiator, identification_t *responder,
-		chunk_t connect_id, chunk_t key, linked_list_t *endpoints, bool is_initiator);
-	
+									identification_t *initiator,
+									identification_t *responder,
+									chunk_t connect_id, chunk_t key,
+									linked_list_t *endpoints,
+									bool is_initiator);
+
 	/**
 	 * Updates a checklist and sets the responder's data. The checklist's
 	 * state is advanced to WAITING which means that checks will be sent.
-	 * 
-	 * @param connect_id		the connect ID
-	 * @param chunk_t			the responder's key
-	 * @param endpoints			the responder's endpoints 
-	 * @returns 				
-	 * 							- NOT_FOUND, if the checklist has not been found
-	 * 							- SUCCESS, otherwise
+	 *
+	 * @param connect_id	the connect ID
+	 * @param chunk_t		the responder's key
+	 * @param endpoints		the responder's endpoints
+	 * @returns
+	 *						- NOT_FOUND, if the checklist has not been found
+	 *						- SUCCESS, otherwise
 	 */
 	status_t (*set_responder_data) (connect_manager_t *this,
-		chunk_t connect_id, chunk_t key, linked_list_t *endpoints);
-	
+									chunk_t connect_id, chunk_t key,
+									linked_list_t *endpoints);
+
 	/**
-	 * Stops checks for a checklist. Used after the responder received an IKE_SA_INIT
-	 * request which contains a ME_CONNECTID payload.
-	 * 
-	 * @param connect_id		the connect ID
+	 * Stops checks for a checklist. Called after the responder received an
+	 * IKE_SA_INIT request which contains a ME_CONNECTID payload.
+	 *
+	 * @param connect_id	the connect ID
 	 * @returns
-	 * 							- NOT_FOUND, if the checklist has not been found
-	 * 							- SUCCESS, otherwise
+	 *						- NOT_FOUND, if the checklist has not been found
+	 *						- SUCCESS, otherwise
 	 */
 	status_t (*stop_checks) (connect_manager_t *this, chunk_t connect_id);
-	
+
 	/**
 	 * Processes a connectivity check
-	 * 
-	 * @param message			the received message
+	 *
+	 * @param message		the received message
 	 */
 	void (*process_check) (connect_manager_t *this, message_t *message);
-	
+
 	/**
 	 * Destroys the manager with all data.
 	 */
@@ -113,8 +118,8 @@ struct connect_manager_t {
 
 /**
  * Create a manager.
- * 
- * @returns 	connect_manager_t object
+ *
+ * @returns	connect_manager_t object
  */
 connect_manager_t *connect_manager_create(void);
 
diff --git a/src/charon/sa/ike_sa.c b/src/charon/sa/ike_sa.c
index be973a2ce..975a0904a 100644
--- a/src/charon/sa/ike_sa.c
+++ b/src/charon/sa/ike_sa.c
@@ -16,7 +16,6 @@
  * for more details.
  */
 
-#include <sys/time.h>
 #include <string.h>
 #include <sys/stat.h>
 #include <errno.h>
@@ -41,6 +40,7 @@
 #include <sa/tasks/ike_reauth.h>
 #include <sa/tasks/ike_delete.h>
 #include <sa/tasks/ike_dpd.h>
+#include <sa/tasks/ike_vendor.h>
 #include <sa/tasks/child_create.h>
 #include <sa/tasks/child_delete.h>
 #include <sa/tasks/child_rekey.h>
@@ -72,169 +72,174 @@ typedef struct attribute_entry_t attribute_entry_t;
  * Private data of an ike_sa_t object.
  */
 struct private_ike_sa_t {
-	
+
 	/**
 	 * Public members
 	 */
 	ike_sa_t public;
-	
+
 	/**
 	 * Identifier for the current IKE_SA.
 	 */
 	ike_sa_id_t *ike_sa_id;
-	
+
 	/**
 	 * unique numerical ID for this IKE_SA.
 	 */
 	u_int32_t unique_id;
-	
+
 	/**
 	 * Current state of the IKE_SA
 	 */
 	ike_sa_state_t state;
-	
+
 	/**
 	 * IKE configuration used to set up this IKE_SA
 	 */
 	ike_cfg_t *ike_cfg;
-	
+
 	/**
 	 * Peer and authentication information to establish IKE_SA.
 	 */
 	peer_cfg_t *peer_cfg;
-	
+
 	/**
 	 * currently used authentication ruleset, local (as auth_cfg_t)
 	 */
 	auth_cfg_t *my_auth;
-	
+
+	/**
+	 * list of completed local authentication rounds
+	 */
+	linked_list_t *my_auths;
+
+	/**
+	 * list of completed remote authentication rounds
+	 */
+	linked_list_t *other_auths;
+
 	/**
 	 * currently used authentication constraints, remote (as auth_cfg_t)
 	 */
 	auth_cfg_t *other_auth;
-	
+
 	/**
 	 * Selected IKE proposal
 	 */
 	proposal_t *proposal;
-	
+
 	/**
 	 * Juggles tasks to process messages
 	 */
 	task_manager_t *task_manager;
-	
+
 	/**
 	 * Address of local host
 	 */
 	host_t *my_host;
-	
+
 	/**
 	 * Address of remote host
 	 */
 	host_t *other_host;
-	
+
 #ifdef ME
 	/**
 	 * Are we mediation server
 	 */
 	bool is_mediation_server;
-	
+
 	/**
 	 * Server reflexive host
 	 */
 	host_t *server_reflexive_host;
-	
+
 	/**
 	 * Connect ID
 	 */
 	chunk_t connect_id;
 #endif /* ME */
-		
+
 	/**
 	 * Identification used for us
 	 */
 	identification_t *my_id;
-	
+
 	/**
 	 * Identification used for other
 	 */
 	identification_t *other_id;
-	
-	/**
-	 * EAP Identity exchange in EAP-Identity method
-	 */
-	identification_t *eap_identity;;
-	
+
 	/**
 	 * set of extensions the peer supports
 	 */
 	ike_extension_t extensions;
-	
+
 	/**
 	 * set of condition flags currently enabled for this IKE_SA
 	 */
 	ike_condition_t conditions;
-	
+
 	/**
 	 * Linked List containing the child sa's of the current IKE_SA.
 	 */
 	linked_list_t *child_sas;
-	
+
 	/**
 	 * keymat of this IKE_SA
 	 */
 	keymat_t *keymat;
-	
+
 	/**
 	 * Virtual IP on local host, if any
 	 */
 	host_t *my_virtual_ip;
-	
+
 	/**
 	 * Virtual IP on remote host, if any
 	 */
 	host_t *other_virtual_ip;
-	
+
 	/**
 	 * List of configuration attributes (attribute_entry_t)
 	 */
 	linked_list_t *attributes;
-	
+
 	/**
 	 * list of peers additional addresses, transmitted via MOBIKE
 	 */
 	linked_list_t *additional_addresses;
-	
+
 	/**
 	 * previously value of received DESTINATION_IP hash
 	 */
 	chunk_t nat_detection_dest;
-	
+
 	/**
 	 * number pending UPDATE_SA_ADDRESS (MOBIKE)
 	 */
 	u_int32_t pending_updates;
-	
+
 	/**
 	 * NAT keep alive interval
 	 */
 	u_int32_t keepalive_interval;
-	
+
 	/**
 	 * Timestamps for this IKE_SA
 	 */
 	u_int32_t stats[STAT_MAX];
-	
+
 	/**
 	 * how many times we have retried so far (keyingtries)
 	 */
 	u_int32_t keyingtry;
-	
+
 	/**
 	 * local host address to be used for IKE, set via MIGRATE kernel message
 	 */
 	host_t *local_host;
-	
+
 	/**
 	 * remote host address to be used for IKE, set via MIGRATE kernel message
 	 */
@@ -261,7 +266,7 @@ static time_t get_use_time(private_ike_sa_t* this, bool inbound)
 	enumerator_t *enumerator;
 	child_sa_t *child_sa;
 	time_t use_time, current;
-	
+
 	if (inbound)
 	{
 		use_time = this->stats[STAT_INBOUND];
@@ -277,7 +282,7 @@ static time_t get_use_time(private_ike_sa_t* this, bool inbound)
 		use_time = max(use_time, current);
 	}
 	enumerator->destroy(enumerator);
-	
+
 	return use_time;
 }
 
@@ -363,7 +368,7 @@ static void set_peer_cfg(private_ike_sa_t *this, peer_cfg_t *peer_cfg)
 	DESTROY_IF(this->peer_cfg);
 	peer_cfg->get_ref(peer_cfg);
 	this->peer_cfg = peer_cfg;
-	
+
 	if (this->ike_cfg == NULL)
 	{
 		this->ike_cfg = peer_cfg->get_ike_cfg(peer_cfg);
@@ -383,6 +388,56 @@ static auth_cfg_t* get_auth_cfg(private_ike_sa_t *this, bool local)
 	return this->other_auth;
 }
 
+/**
+ * Implementation of ike_sa_t.add_auth_cfg
+ */
+static void add_auth_cfg(private_ike_sa_t *this, bool local, auth_cfg_t *cfg)
+{
+	if (local)
+	{
+		this->my_auths->insert_last(this->my_auths, cfg);
+	}
+	else
+	{
+		this->other_auths->insert_last(this->other_auths, cfg);
+	}
+}
+
+/**
+ * Implementation of ike_sa_t.create_auth_cfg_enumerator
+ */
+static enumerator_t* create_auth_cfg_enumerator(private_ike_sa_t *this,
+												bool local)
+{
+	if (local)
+	{
+		return this->my_auths->create_enumerator(this->my_auths);
+	}
+	return this->other_auths->create_enumerator(this->other_auths);
+}
+
+/**
+ * Flush the stored authentication round information
+ */
+static void flush_auth_cfgs(private_ike_sa_t *this)
+{
+	auth_cfg_t *cfg;
+
+	if (lib->settings->get_bool(lib->settings, "charon.flush_auth_cfg", TRUE))
+	{
+		while (this->my_auths->remove_last(this->my_auths,
+										   (void**)&cfg) == SUCCESS)
+		{
+			cfg->destroy(cfg);
+		}
+		while (this->other_auths->remove_last(this->other_auths,
+											  (void**)&cfg) == SUCCESS)
+		{
+			cfg->destroy(cfg);
+		}
+	}
+}
+
 /**
  * Implementation of ike_sa_t.get_proposal
  */
@@ -422,22 +477,22 @@ static void send_keepalive(private_ike_sa_t *this)
 {
 	send_keepalive_job_t *job;
 	time_t last_out, now, diff;
-	
+
 	if (!(this->conditions & COND_NAT_HERE) || this->keepalive_interval == 0)
 	{	/* disable keep alives if we are not NATed anymore */
 		return;
 	}
-	
+
 	last_out = get_use_time(this, FALSE);
-	now = time(NULL);
-	
+	now = time_monotonic(NULL);
+
 	diff = now - last_out;
-	
+
 	if (diff >= this->keepalive_interval)
 	{
 		packet_t *packet;
 		chunk_t data;
-		
+
 		packet = packet_create();
 		packet->set_source(packet, this->my_host->clone(this->my_host));
 		packet->set_destination(packet, this->other_host->clone(this->other_host));
@@ -552,15 +607,15 @@ static status_t send_dpd(private_ike_sa_t *this)
 {
 	job_t *job;
 	time_t diff, delay;
-	
+
 	delay = this->peer_cfg->get_dpd(this->peer_cfg);
-	
+
 	if (delay == 0)
 	{
 		/* DPD disabled */
 		return SUCCESS;
 	}
-	
+
 	if (this->task_manager->busy(this->task_manager))
 	{
 		/* an exchange is in the air, no need to start a DPD check */
@@ -571,14 +626,14 @@ static status_t send_dpd(private_ike_sa_t *this)
 		/* check if there was any inbound traffic */
 		time_t last_in, now;
 		last_in = get_use_time(this, TRUE);
-		now = time(NULL);
+		now = time_monotonic(NULL);
 		diff = now - last_in;
 		if (diff >= delay)
 		{
 			/* to long ago, initiate dead peer detection */
 			task_t *task;
 			ike_mobike_t *mobike;
-			
+
 			if (supports_extension(this, EXT_MOBIKE) &&
 				has_condition(this, COND_NAT_HERE))
 			{
@@ -593,7 +648,7 @@ static status_t send_dpd(private_ike_sa_t *this)
 			}
 			diff = 0;
 			DBG1(DBG_IKE, "sending DPD request");
-			
+
 			this->task_manager->queue_task(this->task_manager, task);
 			this->task_manager->initiate(this->task_manager);
 		}
@@ -621,7 +676,7 @@ static void set_state(private_ike_sa_t *this, ike_sa_state_t state)
 		 get_name(this), this->unique_id,
 		 ike_sa_state_names, this->state,
 		 ike_sa_state_names, state);
-	
+
 	switch (state)
 	{
 		case IKE_ESTABLISHED:
@@ -631,14 +686,14 @@ static void set_state(private_ike_sa_t *this, ike_sa_state_t state)
 			{
 				job_t *job;
 				u_int32_t t;
-			
+
 				/* calculate rekey, reauth and lifetime */
-				this->stats[STAT_ESTABLISHED] = time(NULL);
-				
+				this->stats[STAT_ESTABLISHED] = time_monotonic(NULL);
+
 				/* schedule rekeying if we have a time which is smaller than
 				 * an already scheduled rekeying */
 				t = this->peer_cfg->get_rekey_time(this->peer_cfg);
-				if (t && (this->stats[STAT_REKEY] == 0 || 
+				if (t && (this->stats[STAT_REKEY] == 0 ||
 					(this->stats[STAT_REKEY] > t + this->stats[STAT_ESTABLISHED])))
 				{
 					this->stats[STAT_REKEY] = t + this->stats[STAT_ESTABLISHED];
@@ -647,7 +702,7 @@ static void set_state(private_ike_sa_t *this, ike_sa_state_t state)
 					DBG1(DBG_IKE, "scheduling rekeying in %ds", t);
 				}
 				t = this->peer_cfg->get_reauth_time(this->peer_cfg);
-				if (t && (this->stats[STAT_REAUTH] == 0 || 
+				if (t && (this->stats[STAT_REAUTH] == 0 ||
 					(this->stats[STAT_REAUTH] > t + this->stats[STAT_ESTABLISHED])))
 				{
 					this->stats[STAT_REAUTH] = t + this->stats[STAT_ESTABLISHED];
@@ -677,7 +732,7 @@ static void set_state(private_ike_sa_t *this, ike_sa_state_t state)
 					charon->scheduler->schedule_job(charon->scheduler, job, t);
 					DBG1(DBG_IKE, "maximum IKE_SA lifetime %ds", t);
 				}
-				
+
 				/* start DPD checks */
 				send_dpd(this);
 			}
@@ -687,7 +742,7 @@ static void set_state(private_ike_sa_t *this, ike_sa_state_t state)
 		{
 			/* delete may fail if a packet gets lost, so set a timeout */
 			job_t *job = (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE);
-			charon->scheduler->schedule_job(charon->scheduler, job, 
+			charon->scheduler->schedule_job(charon->scheduler, job,
 											HALF_OPEN_IKE_SA_TIMEOUT);
 			break;
 		}
@@ -708,9 +763,9 @@ static void reset(private_ike_sa_t *this)
 	{
 		this->ike_sa_id->set_responder_spi(this->ike_sa_id, 0);
 	}
-	
+
 	set_state(this, IKE_CREATED);
-	
+
 	this->task_manager->reset(this->task_manager, 0, 0);
 }
 
@@ -777,7 +832,7 @@ static void add_additional_address(private_ike_sa_t *this, host_t *host)
 {
 	this->additional_addresses->insert_last(this->additional_addresses, host);
 }
-	
+
 /**
  * Implementation of ike_sa_t.create_additional_address_iterator.
  */
@@ -828,7 +883,7 @@ static u_int32_t get_pending_updates(private_ike_sa_t *this)
 static void update_hosts(private_ike_sa_t *this, host_t *me, host_t *other)
 {
 	bool update = FALSE;
-	
+
 	if (me == NULL)
 	{
 		me = this->my_host;
@@ -837,7 +892,7 @@ static void update_hosts(private_ike_sa_t *this, host_t *me, host_t *other)
 	{
 		other = this->other_host;
 	}
-	
+
 	/* apply hosts on first received message */
 	if (this->my_host->is_anyaddr(this->my_host) ||
 		this->other_host->is_anyaddr(this->other_host))
@@ -854,7 +909,7 @@ static void update_hosts(private_ike_sa_t *this, host_t *me, host_t *other)
 			set_my_host(this, me->clone(me));
 			update = TRUE;
 		}
-		
+
 		if (!other->equals(other, this->other_host))
 		{
 			/* update others adress if we are NOT NATed,
@@ -867,13 +922,13 @@ static void update_hosts(private_ike_sa_t *this, host_t *me, host_t *other)
 			}
 		}
 	}
-	
+
 	/* update all associated CHILD_SAs, if required */
 	if (update)
 	{
 		iterator_t *iterator;
 		child_sa_t *child_sa;
-	
+
 		iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
 		while (iterator->iterate(iterator, (void**)&child_sa))
 		{
@@ -896,7 +951,7 @@ static void update_hosts(private_ike_sa_t *this, host_t *me, host_t *other)
 static status_t generate_message(private_ike_sa_t *this, message_t *message,
 								 packet_t **packet)
 {
-	this->stats[STAT_OUTBOUND] = time(NULL);
+	this->stats[STAT_OUTBOUND] = time_monotonic(NULL);
 	message->set_ike_sa_id(message, this->ike_sa_id);
 	return message->generate(message,
 				this->keymat->get_crypter(this->keymat, FALSE),
@@ -911,7 +966,7 @@ static void send_notify_response(private_ike_sa_t *this, message_t *request,
 {
 	message_t *response;
 	packet_t *packet;
-	
+
 	response = message_create();
 	response->set_exchange_type(response, request->get_exchange_type(request));
 	response->set_request(response, FALSE);
@@ -989,7 +1044,7 @@ static chunk_t get_connect_id(private_ike_sa_t *this)
  * Implementation of ike_sa_t.respond
  */
 static status_t respond(private_ike_sa_t *this, identification_t *peer_id,
-		chunk_t connect_id)
+						chunk_t connect_id)
 {
 	ike_me_t *task = ike_me_create(&this->public, TRUE);
 	task->respond(task, peer_id, connect_id);
@@ -1012,7 +1067,8 @@ static status_t callback(private_ike_sa_t *this, identification_t *peer_id)
  * Implementation of ike_sa_t.relay
  */
 static status_t relay(private_ike_sa_t *this, identification_t *requester,
-			chunk_t connect_id, chunk_t connect_key, linked_list_t *endpoints, bool response)
+					  chunk_t connect_id, chunk_t connect_key,
+					  linked_list_t *endpoints, bool response)
 {
 	ike_me_t *task = ike_me_create(&this->public, TRUE);
 	task->relay(task, requester, connect_id, connect_key, endpoints, response);
@@ -1023,7 +1079,8 @@ static status_t relay(private_ike_sa_t *this, identification_t *requester,
 /**
  * Implementation of ike_sa_t.initiate_mediation
  */
-static status_t initiate_mediation(private_ike_sa_t *this, peer_cfg_t *mediated_cfg)
+static status_t initiate_mediation(private_ike_sa_t *this,
+								   peer_cfg_t *mediated_cfg)
 {
 	ike_me_t *task = ike_me_create(&this->public, TRUE);
 	task->connect(task, mediated_cfg->get_peer_id(mediated_cfg));
@@ -1034,14 +1091,13 @@ static status_t initiate_mediation(private_ike_sa_t *this, peer_cfg_t *mediated_
 /**
  * Implementation of ike_sa_t.initiate_mediated
  */
-static status_t initiate_mediated(private_ike_sa_t *this, host_t *me, host_t *other,
-		chunk_t connect_id)
+static status_t initiate_mediated(private_ike_sa_t *this, host_t *me,
+								  host_t *other, chunk_t connect_id)
 {
 	set_my_host(this, me->clone(me));
 	set_other_host(this, other->clone(other));
 	chunk_free(&this->connect_id);
 	this->connect_id = chunk_clone(connect_id);
-	
 	return this->task_manager->initiate(this->task_manager);
 }
 #endif /* ME */
@@ -1052,7 +1108,7 @@ static status_t initiate_mediated(private_ike_sa_t *this, host_t *me, host_t *ot
 static void resolve_hosts(private_ike_sa_t *this)
 {
 	host_t *host;
-	
+
 	if (this->remote_host)
 	{
 		host = this->remote_host->clone(this->remote_host);
@@ -1067,7 +1123,7 @@ static void resolve_hosts(private_ike_sa_t *this)
 	{
 		set_other_host(this, host);
 	}
-	
+
 	if (this->local_host)
 	{
 		host = this->local_host->clone(this->local_host);
@@ -1075,10 +1131,16 @@ static void resolve_hosts(private_ike_sa_t *this)
 	}
 	else
 	{
+		int family = 0;
+
+		/* use same address family as for other */
+		if (!this->other_host->is_anyaddr(this->other_host))
+		{
+			family = this->other_host->get_family(this->other_host);
+		}
 		host = host_create_from_dns(this->ike_cfg->get_my_addr(this->ike_cfg),
-									this->my_host->get_family(this->my_host),
-									IKEV2_UDP_PORT);
-	
+									family, IKEV2_UDP_PORT);
+
 		if (host && host->is_anyaddr(host) &&
 			!this->other_host->is_anyaddr(this->other_host))
 		{
@@ -1111,11 +1173,11 @@ static status_t initiate(private_ike_sa_t *this,
 						 traffic_selector_t *tsi, traffic_selector_t *tsr)
 {
 	task_t *task;
-	
+
 	if (this->state == IKE_CREATED)
 	{
 		resolve_hosts(this);
-		
+
 		if (this->other_host->is_anyaddr(this->other_host)
 #ifdef ME
 			&& !this->peer_cfg->get_mediated_by(this->peer_cfg)
@@ -1126,11 +1188,13 @@ static status_t initiate(private_ike_sa_t *this,
 			DBG1(DBG_IKE, "unable to initiate to %%any");
 			return DESTROY_ME;
 		}
-		
+
 		set_condition(this, COND_ORIGINAL_INITIATOR, TRUE);
-		
+
 		task = (task_t*)ike_init_create(&this->public, TRUE, NULL);
 		this->task_manager->queue_task(this->task_manager, task);
+		task = (task_t*)ike_vendor_create(&this->public, TRUE);
+		this->task_manager->queue_task(this->task_manager, task);
 		task = (task_t*)ike_natd_create(&this->public, TRUE);
 		this->task_manager->queue_task(this->task_manager, task);
 		task = (task_t*)ike_cert_pre_create(&this->public, TRUE);
@@ -1159,8 +1223,8 @@ static status_t initiate(private_ike_sa_t *this,
 	{
 		if (this->state == IKE_ESTABLISHED)
 		{
-			/* mediation connection is already established, retrigger state change
-			 * to notify bus listeners */
+			/* mediation connection is already established, retrigger state
+			 * change to notify bus listeners */
 			DBG1(DBG_IKE, "mediation connection is already up");
 			set_state(this, IKE_ESTABLISHED);
 		}
@@ -1190,7 +1254,7 @@ static status_t initiate(private_ike_sa_t *this,
 		}
 #endif /* ME */
 	}
-	
+
 	return this->task_manager->initiate(this->task_manager);
 }
 
@@ -1201,20 +1265,20 @@ static status_t process_message(private_ike_sa_t *this, message_t *message)
 {
 	status_t status;
 	bool is_request;
-	
+
 	if (this->state == IKE_PASSIVE)
 	{	/* do not handle messages in passive state */
 		return FAILED;
 	}
-	
+
 	is_request = message->get_request(message);
-	
+
 	status = message->parse_body(message,
 								 this->keymat->get_crypter(this->keymat, TRUE),
 								 this->keymat->get_signer(this->keymat, TRUE));
 	if (status != SUCCESS)
 	{
-		
+
 		if (is_request)
 		{
 			switch (status)
@@ -1258,20 +1322,19 @@ static status_t process_message(private_ike_sa_t *this, message_t *message)
 			 exchange_type_names, message->get_exchange_type(message),
 			 message->get_request(message) ? "request" : "response",
 			 message->get_message_id(message));
-		
+
 		if (this->state == IKE_CREATED)
 		{	/* invalid initiation attempt, close SA */
 			return DESTROY_ME;
 		}
-		return status;
 	}
 	else
 	{
 		host_t *me, *other;
-		
+
 		me = message->get_destination(message);
 		other = message->get_source(message);
-		
+
 		/* if this IKE_SA is virgin, we check for a config */
 		if (this->ike_cfg == NULL)
 		{
@@ -1291,7 +1354,7 @@ static status_t process_message(private_ike_sa_t *this, message_t *message)
 			charon->scheduler->schedule_job(charon->scheduler, job,
 											HALF_OPEN_IKE_SA_TIMEOUT);
 		}
-		this->stats[STAT_INBOUND] = time(NULL);
+		this->stats[STAT_INBOUND] = time_monotonic(NULL);
 		/* check if message is trustworthy, and update host information */
 		if (this->state == IKE_CREATED || this->state == IKE_CONNECTING ||
 			message->get_exchange_type(message) != IKE_SA_INIT)
@@ -1301,8 +1364,14 @@ static status_t process_message(private_ike_sa_t *this, message_t *message)
 				update_hosts(this, me, other);
 			}
 		}
-		return this->task_manager->process_message(this->task_manager, message);
+		status = this->task_manager->process_message(this->task_manager, message);
+		if (message->get_exchange_type(message) == IKE_AUTH &&
+			this->state == IKE_ESTABLISHED)
+		{	/* authentication completed */
+			flush_auth_cfgs(this);
+		}
 	}
+	return status;
 }
 
 /**
@@ -1347,23 +1416,6 @@ static void set_other_id(private_ike_sa_t *this, identification_t *other)
 	this->other_id = other;
 }
 
-/**
- * Implementation of ike_sa_t.get_eap_identity.
- */
-static identification_t* get_eap_identity(private_ike_sa_t *this)
-{
-	return this->eap_identity;
-}
-
-/**
- * Implementation of ike_sa_t.set_eap_identity.
- */
-static void set_eap_identity(private_ike_sa_t *this, identification_t *id)
-{
-	DESTROY_IF(this->eap_identity);
-	this->eap_identity = id;
-}
-
 /**
  * Implementation of ike_sa_t.add_child_sa.
  */
@@ -1380,7 +1432,7 @@ static child_sa_t* get_child_sa(private_ike_sa_t *this, protocol_id_t protocol,
 {
 	iterator_t *iterator;
 	child_sa_t *current, *found = NULL;
-	
+
 	iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
 	while (iterator->iterate(iterator, (void**)&current))
 	{
@@ -1409,7 +1461,7 @@ static status_t rekey_child_sa(private_ike_sa_t *this, protocol_id_t protocol,
 							   u_int32_t spi)
 {
 	child_rekey_t *child_rekey;
-	
+
 	child_rekey = child_rekey_create(&this->public, protocol, spi);
 	this->task_manager->queue_task(this->task_manager, &child_rekey->task);
 	return this->task_manager->initiate(this->task_manager);
@@ -1422,7 +1474,7 @@ static status_t delete_child_sa(private_ike_sa_t *this, protocol_id_t protocol,
 								u_int32_t spi)
 {
 	child_delete_t *child_delete;
-	
+
 	child_delete = child_delete_create(&this->public, protocol, spi);
 	this->task_manager->queue_task(this->task_manager, &child_delete->task);
 	return this->task_manager->initiate(this->task_manager);
@@ -1437,7 +1489,7 @@ static status_t destroy_child_sa(private_ike_sa_t *this, protocol_id_t protocol,
 	iterator_t *iterator;
 	child_sa_t *child_sa;
 	status_t status = NOT_FOUND;
-	
+
 	iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
 	while (iterator->iterate(iterator, (void**)&child_sa))
 	{
@@ -1487,9 +1539,9 @@ static status_t delete_(private_ike_sa_t *this)
 static status_t rekey(private_ike_sa_t *this)
 {
 	ike_rekey_t *ike_rekey;
-	
+
 	ike_rekey = ike_rekey_create(&this->public, TRUE);
-	
+
 	this->task_manager->queue_task(this->task_manager, &ike_rekey->task);
 	return this->task_manager->initiate(this->task_manager);
 }
@@ -1510,13 +1562,13 @@ static status_t reauth(private_ike_sa_t *this)
 		if (this->other_virtual_ip != NULL ||
 			has_condition(this, COND_EAP_AUTHENTICATED)
 #ifdef ME
-			/* if we are mediation server we too cannot reauth the IKE_SA */
+			/* as mediation server we too cannot reauth the IKE_SA */
 			|| this->is_mediation_server
 #endif /* ME */
 			)
 		{
-			time_t now = time(NULL);
-			
+			time_t now = time_monotonic(NULL);
+
 			DBG1(DBG_IKE, "IKE_SA will timeout in %V",
 				 &now, &this->stats[STAT_DELETE]);
 			return FAILED;
@@ -1543,10 +1595,10 @@ static status_t reestablish(private_ike_sa_t *this)
 	iterator_t *iterator;
 	child_sa_t *child_sa;
 	child_cfg_t *child_cfg;
-	bool required = FALSE;
+	bool restart = FALSE;
 	status_t status = FAILED;
-	
-	/* check if we have children to keep up at all*/
+
+	/* check if we have children to keep up at all */
 	iterator = create_child_sa_iterator(this);
 	while (iterator->iterate(iterator, (void**)&child_sa))
 	{
@@ -1562,25 +1614,28 @@ static status_t reestablish(private_ike_sa_t *this)
 		switch (action)
 		{
 			case ACTION_RESTART:
+				restart = TRUE;
+				break;
 			case ACTION_ROUTE:
-				required = TRUE;
+				charon->traps->install(charon->traps, this->peer_cfg, child_cfg);
+				break;
 			default:
 				break;
 		}
 	}
 	iterator->destroy(iterator);
 #ifdef ME
-	/* we initiate the new IKE_SA of the mediation connection without CHILD_SA */
+	/* mediation connections have no children, keep them up anyway */
 	if (this->peer_cfg->is_mediation(this->peer_cfg))
 	{
-		required = TRUE;
+		restart = TRUE;
 	}
 #endif /* ME */
-	if (!required)
+	if (!restart)
 	{
 		return FAILED;
 	}
-	
+
 	/* check if we are able to reestablish this IKE_SA */
 	if (!has_condition(this, COND_ORIGINAL_INITIATOR) &&
 		(this->other_virtual_ip != NULL ||
@@ -1593,7 +1648,7 @@ static status_t reestablish(private_ike_sa_t *this)
 		DBG1(DBG_IKE, "unable to reestablish IKE_SA due asymetric setup");
 		return FAILED;
 	}
-	
+
 	new = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager, TRUE);
 	new->set_peer_cfg(new, this->peer_cfg);
 	host = this->other_host;
@@ -1606,7 +1661,7 @@ static status_t reestablish(private_ike_sa_t *this)
 	{
 		new->set_virtual_ip(new, TRUE, host);
 	}
-	
+
 #ifdef ME
 	if (this->peer_cfg->is_mediation(this->peer_cfg))
 	{
@@ -1635,10 +1690,6 @@ static status_t reestablish(private_ike_sa_t *this)
 					child_cfg->get_ref(child_cfg);
 					status = new->initiate(new, child_cfg, 0, NULL, NULL);
 					break;
-				case ACTION_ROUTE:
-					charon->traps->install(charon->traps,
-										   this->peer_cfg, child_cfg);
-					break;
 				default:
 					continue;
 			}
@@ -1649,7 +1700,7 @@ static status_t reestablish(private_ike_sa_t *this)
 		}
 		iterator->destroy(iterator);
 	}
-	
+
 	if (status == DESTROY_ME)
 	{
 		charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, new);
@@ -1669,7 +1720,7 @@ static status_t reestablish(private_ike_sa_t *this)
  */
 static status_t retransmit(private_ike_sa_t *this, u_int32_t message_id)
 {
-	this->stats[STAT_OUTBOUND] = time(NULL);
+	this->stats[STAT_OUTBOUND] = time_monotonic(NULL);
 	if (this->task_manager->retransmit(this->task_manager, message_id) != SUCCESS)
 	{
 		/* send a proper signal to brief interested bus listeners */
@@ -1711,17 +1762,17 @@ static status_t retransmit(private_ike_sa_t *this, u_int32_t message_id)
 static void set_auth_lifetime(private_ike_sa_t *this, u_int32_t lifetime)
 {
 	u_int32_t reduction = this->peer_cfg->get_over_time(this->peer_cfg);
-	u_int32_t reauth_time = time(NULL) + lifetime - reduction;
+	u_int32_t reauth_time = time_monotonic(NULL) + lifetime - reduction;
 
 	if (lifetime < reduction)
 	{
 		DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, starting reauthentication",
 			 lifetime);
 		charon->processor->queue_job(charon->processor,
-		 			(job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE));
+					(job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE));
 	}
 	else if (this->stats[STAT_REAUTH] == 0 ||
-			 this->stats[STAT_REAUTH] > reauth_time) 
+			 this->stats[STAT_REAUTH] > reauth_time)
 	{
 		this->stats[STAT_REAUTH] = reauth_time;
 		DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, scheduling reauthentication"
@@ -1732,8 +1783,9 @@ static void set_auth_lifetime(private_ike_sa_t *this, u_int32_t lifetime)
 	}
 	else
 	{
-		DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, reauthentication already "
-			 "scheduled in %ds", lifetime, this->stats[STAT_REAUTH] - time(NULL));
+		DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, "
+			 "reauthentication already scheduled in %ds", lifetime,
+			 this->stats[STAT_REAUTH] - time_monotonic(NULL));
 	}
 }
 
@@ -1744,7 +1796,7 @@ static status_t roam(private_ike_sa_t *this, bool address)
 {
 	host_t *src;
 	ike_mobike_t *mobike;
-	
+
 	switch (this->state)
 	{
 		case IKE_CREATED:
@@ -1767,7 +1819,7 @@ static status_t roam(private_ike_sa_t *this, bool address)
 		}
 		return SUCCESS;
 	}
-	
+
 	/* keep existing path if possible */
 	src = charon->kernel_interface->get_source_addr(charon->kernel_interface,
 											this->other_host, this->my_host);
@@ -1782,14 +1834,14 @@ static status_t roam(private_ike_sa_t *this, bool address)
 			return SUCCESS;
 		}
 		src->destroy(src);
-		
+
 	}
 	else
 	{
 		/* check if we find a route at all */
 		enumerator_t *enumerator;
 		host_t *addr;
-		
+
 		src = charon->kernel_interface->get_source_addr(charon->kernel_interface,
 														this->other_host, NULL);
 		if (!src)
@@ -1818,7 +1870,7 @@ static status_t roam(private_ike_sa_t *this, bool address)
 		src->destroy(src);
 	}
 	set_condition(this, COND_STALE, FALSE);
-	
+
 	/* update addresses with mobike, if supported ... */
 	if (supports_extension(this, EXT_MOBIKE))
 	{
@@ -1837,22 +1889,16 @@ static status_t roam(private_ike_sa_t *this, bool address)
  * Implementation of ike_sa_t.add_configuration_attribute
  */
 static void add_configuration_attribute(private_ike_sa_t *this,
+							attribute_handler_t *handler,
 							configuration_attribute_type_t type, chunk_t data)
 {
-	attribute_entry_t *entry;
-	attribute_handler_t *handler;
-	
-	handler = charon->attributes->handle(charon->attributes,
-										 &this->public, type, data);
-	if (handler)
-	{
-		entry = malloc_thing(attribute_entry_t);
-		entry->handler = handler;
-		entry->type = type;
-		entry->data = chunk_clone(data);
-		
-		this->attributes->insert_last(this->attributes, entry);
-	}
+	attribute_entry_t *entry = malloc_thing(attribute_entry_t);
+
+	entry->handler = handler;
+	entry->type = type;
+	entry->data = chunk_clone(data);
+
+	this->attributes->insert_last(this->attributes, entry);
 }
 
 /**
@@ -1862,7 +1908,7 @@ static status_t inherit(private_ike_sa_t *this, private_ike_sa_t *other)
 {
 	child_sa_t *child_sa;
 	attribute_entry_t *entry;
-	
+
 	/* apply hosts and ids */
 	this->my_host->destroy(this->my_host);
 	this->other_host->destroy(this->other_host);
@@ -1872,7 +1918,7 @@ static status_t inherit(private_ike_sa_t *this, private_ike_sa_t *other)
 	this->other_host = other->other_host->clone(other->other_host);
 	this->my_id = other->my_id->clone(other->my_id);
 	this->other_id = other->other_id->clone(other->other_id);
-	
+
 	/* apply virtual assigned IPs... */
 	if (other->my_virtual_ip)
 	{
@@ -1884,9 +1930,9 @@ static status_t inherit(private_ike_sa_t *this, private_ike_sa_t *other)
 		this->other_virtual_ip = other->other_virtual_ip;
 		other->other_virtual_ip = NULL;
 	}
-	
+
 	/* ... and configuration attributes */
-	while (other->attributes->remove_last(other->attributes, 
+	while (other->attributes->remove_last(other->attributes,
 										  (void**)&entry) == SUCCESS)
 	{
 		this->attributes->insert_first(this->attributes, entry);
@@ -1898,7 +1944,7 @@ static status_t inherit(private_ike_sa_t *this, private_ike_sa_t *other)
 	{
 		send_keepalive(this);
 	}
-	
+
 #ifdef ME
 	if (other->is_mediation_server)
 	{
@@ -1913,28 +1959,28 @@ static status_t inherit(private_ike_sa_t *this, private_ike_sa_t *other)
 
 	/* adopt all children */
 	while (other->child_sas->remove_last(other->child_sas,
-		   								 (void**)&child_sa) == SUCCESS)
+										 (void**)&child_sa) == SUCCESS)
 	{
 		this->child_sas->insert_first(this->child_sas, (void*)child_sa);
 	}
-	
+
 	/* move pending tasks to the new IKE_SA */
 	this->task_manager->adopt_tasks(this->task_manager, other->task_manager);
-	
+
 	/* reauthentication timeout survives a rekeying */
 	if (other->stats[STAT_REAUTH])
 	{
-		time_t reauth, delete, now = time(NULL);
-	
+		time_t reauth, delete, now = time_monotonic(NULL);
+
 		this->stats[STAT_REAUTH] = other->stats[STAT_REAUTH];
 		reauth = this->stats[STAT_REAUTH] - now;
 		delete = reauth + this->peer_cfg->get_over_time(this->peer_cfg);
 		this->stats[STAT_DELETE] = this->stats[STAT_REAUTH] + delete;
 		DBG1(DBG_IKE, "rescheduling reauthentication in %ds after rekeying, "
 			 "lifetime reduced to %ds", reauth, delete);
-		charon->scheduler->schedule_job(charon->scheduler, 
+		charon->scheduler->schedule_job(charon->scheduler,
 				(job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE), reauth);
-		charon->scheduler->schedule_job(charon->scheduler, 
+		charon->scheduler->schedule_job(charon->scheduler,
 				(job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE), delete);
 	}
 	/* we have to initate here, there may be new tasks to handle */
@@ -1947,30 +1993,30 @@ static status_t inherit(private_ike_sa_t *this, private_ike_sa_t *other)
 static void destroy(private_ike_sa_t *this)
 {
 	attribute_entry_t *entry;
-	
+
 	charon->bus->set_sa(charon->bus, &this->public);
-	
+
 	set_state(this, IKE_DESTROYING);
-	
+
 	/* remove attributes first, as we pass the IKE_SA to the handler */
-	while (this->attributes->remove_last(this->attributes, 
+	while (this->attributes->remove_last(this->attributes,
 										 (void**)&entry) == SUCCESS)
 	{
-		charon->attributes->release(charon->attributes, entry->handler,
-									&this->public, entry->type, entry->data);
+		lib->attributes->release(lib->attributes, entry->handler,
+								 this->other_id, entry->type, entry->data);
 		free(entry->data.ptr);
 		free(entry);
 	}
 	this->attributes->destroy(this->attributes);
-	
+
 	this->child_sas->destroy_offset(this->child_sas, offsetof(child_sa_t, destroy));
-	
+
 	/* unset SA after here to avoid usage by the listeners */
 	charon->bus->set_sa(charon->bus, NULL);
-	
+
 	this->task_manager->destroy(this->task_manager);
 	this->keymat->destroy(this->keymat);
-	
+
 	if (this->my_virtual_ip)
 	{
 		charon->kernel_interface->del_ip(charon->kernel_interface,
@@ -1981,7 +2027,7 @@ static void destroy(private_ike_sa_t *this)
 	{
 		if (this->peer_cfg && this->peer_cfg->get_pool(this->peer_cfg))
 		{
-			charon->attributes->release_address(charon->attributes,
+			lib->attributes->release_address(lib->attributes,
 									this->peer_cfg->get_pool(this->peer_cfg),
 									this->other_virtual_ip, this->other_id);
 		}
@@ -1992,27 +2038,31 @@ static void destroy(private_ike_sa_t *this)
 #ifdef ME
 	if (this->is_mediation_server)
 	{
-		charon->mediation_manager->remove(charon->mediation_manager, this->ike_sa_id);
+		charon->mediation_manager->remove(charon->mediation_manager,
+										  this->ike_sa_id);
 	}
 	DESTROY_IF(this->server_reflexive_host);
 	chunk_free(&this->connect_id);
 #endif /* ME */
 	free(this->nat_detection_dest.ptr);
-	
+
 	DESTROY_IF(this->my_host);
 	DESTROY_IF(this->other_host);
 	DESTROY_IF(this->my_id);
 	DESTROY_IF(this->other_id);
 	DESTROY_IF(this->local_host);
 	DESTROY_IF(this->remote_host);
-	DESTROY_IF(this->eap_identity);
-	
+
 	DESTROY_IF(this->ike_cfg);
 	DESTROY_IF(this->peer_cfg);
 	DESTROY_IF(this->proposal);
 	this->my_auth->destroy(this->my_auth);
 	this->other_auth->destroy(this->other_auth);
-	
+	this->my_auths->destroy_offset(this->my_auths,
+								   offsetof(auth_cfg_t, destroy));
+	this->other_auths->destroy_offset(this->other_auths,
+									  offsetof(auth_cfg_t, destroy));
+
 	this->ike_sa_id->destroy(this->ike_sa_id);
 	free(this);
 }
@@ -2024,7 +2074,7 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
 {
 	private_ike_sa_t *this = malloc_thing(private_ike_sa_t);
 	static u_int32_t unique_id = 0;
-	
+
 	/* Public functions */
 	this->public.get_state = (ike_sa_state_t (*)(ike_sa_t*)) get_state;
 	this->public.set_state = (void (*)(ike_sa_t*,ike_sa_state_t)) set_state;
@@ -2037,6 +2087,8 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
 	this->public.get_peer_cfg = (peer_cfg_t* (*)(ike_sa_t*))get_peer_cfg;
 	this->public.set_peer_cfg = (void (*)(ike_sa_t*,peer_cfg_t*))set_peer_cfg;
 	this->public.get_auth_cfg = (auth_cfg_t*(*)(ike_sa_t*, bool local))get_auth_cfg;
+	this->public.create_auth_cfg_enumerator = (enumerator_t*(*)(ike_sa_t*, bool local))create_auth_cfg_enumerator;
+	this->public.add_auth_cfg = (void(*)(ike_sa_t*, bool local, auth_cfg_t *cfg))add_auth_cfg;
 	this->public.get_proposal = (proposal_t*(*)(ike_sa_t*))get_proposal;
 	this->public.set_proposal = (void(*)(ike_sa_t*, proposal_t *proposal))set_proposal;
 	this->public.get_id = (ike_sa_id_t* (*)(ike_sa_t*)) get_id;
@@ -2050,8 +2102,6 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
 	this->public.set_my_id = (void (*)(ike_sa_t*,identification_t*)) set_my_id;
 	this->public.get_other_id = (identification_t* (*)(ike_sa_t*)) get_other_id;
 	this->public.set_other_id = (void (*)(ike_sa_t*,identification_t*)) set_other_id;
-	this->public.get_eap_identity = (identification_t* (*)(ike_sa_t*)) get_eap_identity;
-	this->public.set_eap_identity = (void (*)(ike_sa_t*,identification_t*)) set_eap_identity;
 	this->public.enable_extension = (void(*)(ike_sa_t*, ike_extension_t extension))enable_extension;
 	this->public.supports_extension = (bool(*)(ike_sa_t*, ike_extension_t extension))supports_extension;
 	this->public.set_condition = (void (*)(ike_sa_t*, ike_condition_t,bool)) set_condition;
@@ -2084,7 +2134,7 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
 	this->public.get_unique_id = (u_int32_t (*)(ike_sa_t*))get_unique_id;
 	this->public.set_virtual_ip = (void (*)(ike_sa_t*,bool,host_t*))set_virtual_ip;
 	this->public.get_virtual_ip = (host_t* (*)(ike_sa_t*,bool))get_virtual_ip;
-	this->public.add_configuration_attribute = (void(*)(ike_sa_t*, configuration_attribute_type_t type, chunk_t data))add_configuration_attribute;
+	this->public.add_configuration_attribute = (void(*)(ike_sa_t*, attribute_handler_t *handler,configuration_attribute_type_t type, chunk_t data))add_configuration_attribute;
 	this->public.set_kmaddress = (void (*)(ike_sa_t*,host_t*,host_t*))set_kmaddress;
 #ifdef ME
 	this->public.act_as_mediation_server = (void (*)(ike_sa_t*)) act_as_mediation_server;
@@ -2097,7 +2147,7 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
 	this->public.callback = (status_t (*)(ike_sa_t*,identification_t*)) callback;
 	this->public.respond = (status_t (*)(ike_sa_t*,identification_t*,chunk_t)) respond;
 #endif /* ME */
-	
+
 	/* initialize private fields */
 	this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
 	this->child_sas = linked_list_create();
@@ -2106,7 +2156,6 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
 	this->other_host = host_create_any(AF_INET);
 	this->my_id = identification_create_from_encoding(ID_ANY, chunk_empty);
 	this->other_id = identification_create_from_encoding(ID_ANY, chunk_empty);
-	this->eap_identity = NULL;
 	this->extensions = 0;
 	this->conditions = 0;
 	this->keymat = keymat_create(ike_sa_id->is_initiator(ike_sa_id));
@@ -2114,11 +2163,13 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
 	this->keepalive_interval = lib->settings->get_time(lib->settings,
 									"charon.keep_alive", KEEPALIVE_INTERVAL);
 	memset(this->stats, 0, sizeof(this->stats));
-	this->stats[STAT_INBOUND] = this->stats[STAT_OUTBOUND] = time(NULL);
+	this->stats[STAT_INBOUND] = this->stats[STAT_OUTBOUND] = time_monotonic(NULL);
 	this->ike_cfg = NULL;
 	this->peer_cfg = NULL;
 	this->my_auth = auth_cfg_create();
 	this->other_auth = auth_cfg_create();
+	this->my_auths = linked_list_create();
+	this->other_auths = linked_list_create();
 	this->proposal = NULL;
 	this->task_manager = task_manager_create(&this->public);
 	this->unique_id = ++unique_id;
@@ -2136,6 +2187,6 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
 	this->server_reflexive_host = NULL;
 	this->connect_id = chunk_empty;
 #endif /* ME */
-	
+
 	return &this->public;
 }
diff --git a/src/charon/sa/ike_sa.h b/src/charon/sa/ike_sa.h
index 41d7a7976..4dce1937c 100644
--- a/src/charon/sa/ike_sa.h
+++ b/src/charon/sa/ike_sa.h
@@ -66,7 +66,7 @@ typedef struct ike_sa_t ike_sa_t;
  * Extensions (or optional features) the peer supports
  */
 enum ike_extension_t {
-	
+
 	/**
 	 * peer supports NAT traversal as specified in RFC4306
 	 */
@@ -76,58 +76,68 @@ enum ike_extension_t {
 	 * peer supports MOBIKE (RFC4555)
 	 */
 	EXT_MOBIKE = (1<<1),
-	
+
 	/**
 	 * peer supports HTTP cert lookups as specified in RFC4306
 	 */
 	EXT_HASH_AND_URL = (1<<2),
-	
+
 	/**
 	 * peer supports multiple authentication exchanges, RFC4739
 	 */
 	EXT_MULTIPLE_AUTH = (1<<3),
+
+	/**
+	 * peer uses strongSwan, accept private use extensions
+	 */
+	EXT_STRONGSWAN = (1<<4),
+
+	/**
+	 * peer supports EAP-only authentication, draft-eronen-ipsec-ikev2-eap-auth
+	 */
+	EXT_EAP_ONLY_AUTHENTICATION = (1<<5),
 };
 
 /**
  * Conditions of an IKE_SA, change during its lifetime
  */
 enum ike_condition_t {
-	
+
 	/**
 	 * Connection is natted (or faked) somewhere
 	 */
 	COND_NAT_ANY = (1<<0),
-	
+
 	/**
 	 * we are behind NAT
 	 */
 	COND_NAT_HERE = (1<<1),
-	
+
 	/**
 	 * other is behind NAT
 	 */
 	COND_NAT_THERE = (1<<2),
-	
+
 	/**
 	 * Faking NAT to enforce UDP encapsulation
 	 */
 	COND_NAT_FAKE = (1<<3),
-	
+
 	/**
 	 * peer has been authenticated using EAP at least once
 	 */
 	COND_EAP_AUTHENTICATED = (1<<4),
-	
+
 	/**
 	 * received a certificate request from the peer
 	 */
 	COND_CERTREQ_SEEN = (1<<5),
-	
+
 	/**
 	 * Local peer is the "original" IKE initiator. Unaffected from rekeying.
 	 */
 	COND_ORIGINAL_INITIATOR = (1<<6),
-	
+
 	/**
 	 * IKE_SA is stale, the peer is currently unreachable (MOBIKE)
 	 */
@@ -150,7 +160,7 @@ enum statistic_t {
 	STAT_INBOUND,
 	/** Timestamp of last outbound IKE packet */
 	STAT_OUTBOUND,
-	
+
 	STAT_MAX
 };
 
@@ -164,7 +174,7 @@ enum statistic_t {
                  ¦   SA_CREATED   ¦
                  +----------------+
                          ¦
-    on initiate()--->    ¦   <----- on IKE_SA_INIT received 
+    on initiate()--->    ¦   <----- on IKE_SA_INIT received
                          V
                  +----------------+
                  ¦ SA_CONNECTING  ¦
@@ -192,37 +202,37 @@ enum statistic_t {
    @endverbatim
  */
 enum ike_sa_state_t {
-	
+
 	/**
 	 * IKE_SA just got created, but is not initiating nor responding yet.
 	 */
 	IKE_CREATED,
-	
+
 	/**
 	 * IKE_SA gets initiated actively or passively
 	 */
 	IKE_CONNECTING,
-	
+
 	/**
 	 * IKE_SA is fully established
 	 */
 	IKE_ESTABLISHED,
-	
+
 	/**
 	 * IKE_SA is managed externally and does not process messages
 	 */
 	IKE_PASSIVE,
-	
+
 	/**
 	 * IKE_SA rekeying in progress
 	 */
 	IKE_REKEYING,
-	
+
 	/**
 	 * IKE_SA is in progress of deletion
 	 */
 	IKE_DELETING,
-	
+
 	/**
 	 * IKE_SA object gets destroyed
 	 */
@@ -246,41 +256,41 @@ struct ike_sa_t {
 
 	/**
 	 * Get the id of the SA.
-	 * 
+	 *
 	 * Returned ike_sa_id_t object is not getting cloned!
 	 *
 	 * @return 				ike_sa's ike_sa_id_t
 	 */
 	ike_sa_id_t* (*get_id) (ike_sa_t *this);
-	
+
 	/**
 	 * Get the numerical ID uniquely defining this IKE_SA.
 	 *
 	 * @return 				unique ID
 	 */
 	u_int32_t (*get_unique_id) (ike_sa_t *this);
-	
+
 	/**
 	 * Get the state of the IKE_SA.
 	 *
 	 * @return				state of the IKE_SA
 	 */
 	ike_sa_state_t (*get_state) (ike_sa_t *this);
-	
+
 	/**
 	 * Set the state of the IKE_SA.
 	 *
 	 * @param state			state to set for the IKE_SA
 	 */
 	void (*set_state) (ike_sa_t *this, ike_sa_state_t ike_sa);
-	
+
 	/**
 	 * Get the name of the connection this IKE_SA uses.
 	 *
 	 * @return				name
 	 */
 	char* (*get_name) (ike_sa_t *this);
-	
+
 	/**
 	 * Get statistic values from the IKE_SA.
 	 *
@@ -288,35 +298,35 @@ struct ike_sa_t {
 	 * @return				value as integer
 	 */
 	u_int32_t (*get_statistic)(ike_sa_t *this, statistic_t kind);
-	
+
 	/**
 	 * Get the own host address.
-	 * 
+	 *
 	 * @return				host address
 	 */
 	host_t* (*get_my_host) (ike_sa_t *this);
-	
+
 	/**
 	 * Set the own host address.
-	 * 
+	 *
 	 * @param me			host address
 	 */
 	void (*set_my_host) (ike_sa_t *this, host_t *me);
-	
+
 	/**
 	 * Get the other peers host address.
-	 * 
+	 *
 	 * @return				host address
 	 */
 	host_t* (*get_other_host) (ike_sa_t *this);
-	
+
 	/**
 	 * Set the others host address.
-	 * 
+	 *
 	 * @param other			host address
 	 */
 	void (*set_other_host) (ike_sa_t *this, host_t *other);
-	
+
 	/**
 	 * Update the IKE_SAs host.
 	 *
@@ -326,79 +336,63 @@ struct ike_sa_t {
 	 * @param other			new remote host address, or NULL
 	 */
 	void (*update_hosts)(ike_sa_t *this, host_t *me, host_t *other);
-	
+
 	/**
 	 * Get the own identification.
-	 * 
+	 *
 	 * @return				identification
 	 */
 	identification_t* (*get_my_id) (ike_sa_t *this);
-	
+
 	/**
 	 * Set the own identification.
-	 * 
+	 *
 	 * @param me			identification
 	 */
 	void (*set_my_id) (ike_sa_t *this, identification_t *me);
-	
+
 	/**
 	 * Get the other peer's identification.
-	 * 
+	 *
 	 * @return				identification
 	 */
 	identification_t* (*get_other_id) (ike_sa_t *this);
-	
+
 	/**
 	 * Set the other peer's identification.
-	 * 
+	 *
 	 * @param other			identification
 	 */
 	void (*set_other_id) (ike_sa_t *this, identification_t *other);
-	
-	/**
-	 * Get the peers EAP identity.
-	 *
-	 * The EAP identity is exchanged in a EAP-Identity exchange.
-	 * 
-	 * @return				identification, NULL if none set
-	 */
-	identification_t* (*get_eap_identity) (ike_sa_t *this);
-	
-	/**
-	 * Set the peer's EAP identity.
-	 * 
-	 * @param id			identification
-	 */
-	void (*set_eap_identity) (ike_sa_t *this, identification_t *id);
-	
+
 	/**
 	 * Get the config used to setup this IKE_SA.
-	 * 
+	 *
 	 * @return				ike_config
 	 */
 	ike_cfg_t* (*get_ike_cfg) (ike_sa_t *this);
-	
+
 	/**
 	 * Set the config to setup this IKE_SA.
-	 * 
+	 *
 	 * @param config		ike_config to use
 	 */
 	void (*set_ike_cfg) (ike_sa_t *this, ike_cfg_t* config);
 
 	/**
 	 * Get the peer config used by this IKE_SA.
-	 * 
+	 *
 	 * @return				peer_config
 	 */
 	peer_cfg_t* (*get_peer_cfg) (ike_sa_t *this);
-	
+
 	/**
 	 * Set the peer config to use with this IKE_SA.
-	 * 
+	 *
 	 * @param config		peer_config to use
 	 */
 	void (*set_peer_cfg) (ike_sa_t *this, peer_cfg_t *config);
-	
+
 	/**
 	 * Get the authentication config with rules of the current auth round.
 	 *
@@ -406,21 +400,37 @@ struct ike_sa_t {
 	 * @return				current cfg
 	 */
 	auth_cfg_t* (*get_auth_cfg)(ike_sa_t *this, bool local);
-	
+
+	/**
+	 * Insert a completed authentication round.
+	 *
+	 * @param local			TRUE for own rules, FALSE for others constraints
+	 * @param cfg			auth config to append
+	 */
+	void (*add_auth_cfg)(ike_sa_t *this, bool local, auth_cfg_t *cfg);
+
+	/**
+	 * Create an enumerator over added authentication rounds.
+	 *
+	 * @param local			TRUE for own rules, FALSE for others constraints
+	 * @return				enumerator over auth_cfg_t
+	 */
+	enumerator_t* (*create_auth_cfg_enumerator)(ike_sa_t *this, bool local);
+
 	/**
 	 * Get the selected proposal of this IKE_SA.
 	 *
 	 * @return				selected proposal
 	 */
 	proposal_t* (*get_proposal)(ike_sa_t *this);
-	
+
 	/**
 	 * Set the proposal selected for this IKE_SA.
 	 *
 	 * @param				selected proposal
 	 */
 	void (*set_proposal)(ike_sa_t *this, proposal_t *proposal);
-	
+
 	/**
 	 * Set the message id of the IKE_SA.
 	 *
@@ -431,7 +441,7 @@ struct ike_sa_t {
 	 * @param mid			message id to set
 	 */
 	void (*set_message_id)(ike_sa_t *this, bool initiate, u_int32_t mid);
-	
+
 	/**
 	 * Add an additional address for the peer.
 	 *
@@ -443,14 +453,14 @@ struct ike_sa_t {
 	 * @param host			host to add to list
 	 */
 	void (*add_additional_address)(ike_sa_t *this, host_t *host);
-	
+
 	/**
 	 * Create an iterator over all additional addresses of the peer.
 	 *
 	 * @return 				iterator over addresses
 	 */
 	iterator_t* (*create_additional_address_iterator)(ike_sa_t *this);
-	
+
 	/**
 	 * Check if mappings have changed on a NAT for our source address.
 	 *
@@ -458,7 +468,7 @@ struct ike_sa_t {
 	 * @return				TRUE if mappings have changed
 	 */
 	bool (*has_mapping_changed)(ike_sa_t *this, chunk_t hash);
-	
+
 	/**
 	 * Enable an extension the peer supports.
 	 *
@@ -468,7 +478,7 @@ struct ike_sa_t {
 	 * @param extension		extension to enable
 	 */
 	void (*enable_extension)(ike_sa_t *this, ike_extension_t extension);
-	
+
 	/**
 	 * Check if the peer supports an extension.
 	 *
@@ -476,7 +486,7 @@ struct ike_sa_t {
 	 * @return				TRUE if peer supports it, FALSE otherwise
 	 */
 	bool (*supports_extension)(ike_sa_t *this, ike_extension_t extension);
-	
+
 	/**
 	 * Enable/disable a condition flag for this IKE_SA.
 	 *
@@ -492,150 +502,152 @@ struct ike_sa_t {
 	 * @return				TRUE if condition flag set, FALSE otherwise
 	 */
 	bool (*has_condition) (ike_sa_t *this, ike_condition_t condition);
-	
+
 	/**
 	 * Get the number of queued MOBIKE address updates.
 	 *
 	 * @return				number of pending updates
 	 */
 	u_int32_t (*get_pending_updates)(ike_sa_t *this);
-	
+
 	/**
 	 * Set the number of queued MOBIKE address updates.
 	 *
 	 * @param updates		number of pending updates
 	 */
 	void (*set_pending_updates)(ike_sa_t *this, u_int32_t updates);
-	
+
 #ifdef ME
 	/**
 	 * Activate mediation server functionality for this IKE_SA.
 	 */
 	void (*act_as_mediation_server) (ike_sa_t *this);
-	
+
 	/**
 	 * Get the server reflexive host.
-	 * 
+	 *
 	 * @return				server reflexive host
 	 */
 	host_t* (*get_server_reflexive_host) (ike_sa_t *this);
-	
+
 	/**
 	 * Set the server reflexive host.
-	 * 
+	 *
 	 * @param host			server reflexive host
 	 */
 	void (*set_server_reflexive_host) (ike_sa_t *this, host_t *host);
-	
+
 	/**
 	 * Get the connect ID.
-	 * 
+	 *
 	 * @return				connect ID
 	 */
 	chunk_t (*get_connect_id) (ike_sa_t *this);
-	
+
 	/**
 	 * Initiate the mediation of a mediated connection (i.e. initiate a
-	 * ME_CONNECT exchange).
-	 * 
-	 * @param mediated_cfg		peer_cfg of the mediated connection
-	 * @return				
-	 * 							- SUCCESS if initialization started
-	 * 							- DESTROY_ME if initialization failed
+	 * ME_CONNECT exchange to a mediation server).
+	 *
+	 * @param mediated_cfg	peer_cfg of the mediated connection
+	 * @return
+	 * 						- SUCCESS if initialization started
+	 * 						- DESTROY_ME if initialization failed
 	 */
 	status_t (*initiate_mediation) (ike_sa_t *this, peer_cfg_t *mediated_cfg);
-	
+
 	/**
 	 * Initiate the mediated connection
-	 * 
-	 * @param me				local endpoint (gets cloned)
-	 * @param other				remote endpoint (gets cloned)
-	 * @param connect_id		connect ID (gets cloned)
-	 * @return				
-	 * 							- SUCCESS if initialization started
-	 * 							- DESTROY_ME if initialization failed
+	 *
+	 * @param me			local endpoint (gets cloned)
+	 * @param other			remote endpoint (gets cloned)
+	 * @param connect_id	connect ID (gets cloned)
+	 * @return
+	 * 						- SUCCESS if initialization started
+	 * 						- DESTROY_ME if initialization failed
 	 */
 	status_t (*initiate_mediated) (ike_sa_t *this, host_t *me, host_t *other,
-			chunk_t connect_id);
-	
+								   chunk_t connect_id);
+
 	/**
-	 * Relay data from one peer to another (i.e. initiate a
-	 * ME_CONNECT exchange).
+	 * Relay data from one peer to another (i.e. initiate a ME_CONNECT exchange
+	 * to a peer).
 	 *
 	 * Data is cloned.
-	 * 
-	 * @param requester			ID of the requesting peer
-	 * @param connect_id		data of the ME_CONNECTID payload
-	 * @param connect_key		data of the ME_CONNECTKEY payload
-	 * @param endpoints			endpoints
-	 * @param response			TRUE if this is a response
-	 * @return				
-	 * 							- SUCCESS if relay started
-	 * 							- DESTROY_ME if relay failed
-	 */
-	status_t (*relay) (ike_sa_t *this, identification_t *requester, chunk_t connect_id,
-			chunk_t connect_key, linked_list_t *endpoints, bool response);
-	
+	 *
+	 * @param requester		ID of the requesting peer
+	 * @param connect_id	data of the ME_CONNECTID payload
+	 * @param connect_key	data of the ME_CONNECTKEY payload
+	 * @param endpoints		endpoints
+	 * @param response		TRUE if this is a response
+	 * @return
+	 * 						- SUCCESS if relay started
+	 * 						- DESTROY_ME if relay failed
+	 */
+	status_t (*relay) (ike_sa_t *this, identification_t *requester,
+					   chunk_t connect_id, chunk_t connect_key,
+					   linked_list_t *endpoints, bool response);
+
 	/**
 	 * Send a callback to a peer.
-	 * 
+	 *
 	 * Data is cloned.
-	 * 
-	 * @param peer_id			ID of the other peer
+	 *
+	 * @param peer_id		ID of the other peer
 	 * @return
-	 * 							- SUCCESS if response started
-	 * 							- DESTROY_ME if response failed
+	 * 						- SUCCESS if response started
+	 * 						- DESTROY_ME if response failed
 	 */
 	status_t (*callback) (ike_sa_t *this, identification_t *peer_id);
-	
+
 	/**
 	 * Respond to a ME_CONNECT request.
-	 * 
+	 *
 	 * Data is cloned.
-	 * 
-	 * @param peer_id			ID of the other peer
-	 * @param connect_id		the connect ID supplied by the initiator
+	 *
+	 * @param peer_id		ID of the other peer
+	 * @param connect_id	the connect ID supplied by the initiator
 	 * @return
-	 * 							- SUCCESS if response started
-	 * 							- DESTROY_ME if response failed
+	 * 						- SUCCESS if response started
+	 * 						- DESTROY_ME if response failed
 	 */
-	status_t (*respond) (ike_sa_t *this, identification_t *peer_id, chunk_t connect_id);
+	status_t (*respond) (ike_sa_t *this, identification_t *peer_id,
+						 chunk_t connect_id);
 #endif /* ME */
-	
+
 	/**
 	 * Initiate a new connection.
 	 *
 	 * The configs are owned by the IKE_SA after the call. If the initiate
 	 * is triggered by a packet, traffic selectors of the packet can be added
 	 * to the CHILD_SA.
-	 * 
+	 *
 	 * @param child_cfg		child config to create CHILD from
 	 * @param reqid			reqid to use for CHILD_SA, 0 assigne uniquely
 	 * @param tsi			source of triggering packet
 	 * @param tsr			destination of triggering packet.
-	 * @return				
+	 * @return
 	 * 						- SUCCESS if initialization started
 	 * 						- DESTROY_ME if initialization failed
 	 */
 	status_t (*initiate) (ike_sa_t *this, child_cfg_t *child_cfg,
 						  u_int32_t reqid, traffic_selector_t *tsi,
 						  traffic_selector_t *tsr);
-	
+
 	/**
 	 * Initiates the deletion of an IKE_SA.
-	 * 
+	 *
 	 * Sends a delete message to the remote peer and waits for
 	 * its response. If the response comes in, or a timeout occurs,
 	 * the IKE SA gets deleted.
-	 * 
+	 *
 	 * @return
 	 * 						- SUCCESS if deletion is initialized
-	 * 						- DESTROY_ME, if the IKE_SA is not in 
+	 * 						- DESTROY_ME, if the IKE_SA is not in
 	 * 						  an established state and can not be
 	 * 						  deleted (but destroyed).
 	 */
 	status_t (*delete) (ike_sa_t *this);
-	
+
 	/**
 	 * Update IKE_SAs after network interfaces have changed.
 	 *
@@ -649,61 +661,61 @@ struct ike_sa_t {
 	 * @return				SUCCESS, FAILED, DESTROY_ME
 	 */
 	status_t (*roam)(ike_sa_t *this, bool address);
-	
+
 	/**
 	 * Processes a incoming IKEv2-Message.
 	 *
-	 * Message processing may fail. If a critical failure occurs, 
-	 * process_message() return DESTROY_ME. Then the caller must 
+	 * Message processing may fail. If a critical failure occurs,
+	 * process_message() return DESTROY_ME. Then the caller must
 	 * destroy the IKE_SA immediatly, as it is unusable.
-	 * 
+	 *
 	 * @param message 		message to process
-	 * @return 				
+	 * @return
 	 * 						- SUCCESS
 	 * 						- FAILED
 	 * 						- DESTROY_ME if this IKE_SA MUST be deleted
 	 */
 	status_t (*process_message) (ike_sa_t *this, message_t *message);
-	
+
 	/**
 	 * Generate a IKE message to send it to the peer.
-	 * 
+	 *
 	 * This method generates all payloads in the message and encrypts/signs
 	 * the packet.
-	 * 
+	 *
 	 * @param message 		message to generate
 	 * @param packet		generated output packet
-	 * @return 				
+	 * @return
 	 * 						- SUCCESS
 	 * 						- FAILED
 	 * 						- DESTROY_ME if this IKE_SA MUST be deleted
 	 */
 	status_t (*generate_message) (ike_sa_t *this, message_t *message,
 								  packet_t **packet);
-	
+
 	/**
 	 * Retransmits a request.
-	 * 
+	 *
 	 * @param message_id	ID of the request to retransmit
 	 * @return
 	 * 						- SUCCESS
 	 * 						- NOT_FOUND if request doesn't have to be retransmited
 	 */
 	status_t (*retransmit) (ike_sa_t *this, u_int32_t message_id);
-	
+
 	/**
 	 * Sends a DPD request to the peer.
 	 *
 	 * To check if a peer is still alive, periodic
 	 * empty INFORMATIONAL messages are sent if no
 	 * other traffic was received.
-	 * 
+	 *
 	 * @return
 	 * 						- SUCCESS
 	 * 						- DESTROY_ME, if peer did not respond
 	 */
 	status_t (*send_dpd) (ike_sa_t *this);
-	
+
 	/**
 	 * Sends a keep alive packet.
 	 *
@@ -713,39 +725,39 @@ struct ike_sa_t {
 	 * was sent.
 	 */
 	void (*send_keepalive) (ike_sa_t *this);
-	
+
 	/**
 	 * Get the keying material of this IKE_SA.
 	 *
 	 * @return				per IKE_SA keymat instance
 	 */
 	keymat_t* (*get_keymat)(ike_sa_t *this);
-	
+
 	/**
 	 * Associates a child SA to this IKE SA
-	 * 
+	 *
 	 * @param child_sa		child_sa to add
 	 */
 	void (*add_child_sa) (ike_sa_t *this, child_sa_t *child_sa);
-	
+
 	/**
 	 * Get a CHILD_SA identified by protocol and SPI.
-	 * 
+	 *
 	 * @param protocol		protocol of the SA
 	 * @param spi			SPI of the CHILD_SA
 	 * @param inbound		TRUE if SPI is inbound, FALSE if outbound
 	 * @return				child_sa, or NULL if none found
 	 */
-	child_sa_t* (*get_child_sa) (ike_sa_t *this, protocol_id_t protocol, 
+	child_sa_t* (*get_child_sa) (ike_sa_t *this, protocol_id_t protocol,
 								 u_int32_t spi, bool inbound);
-	
+
 	/**
 	 * Create an iterator over all CHILD_SAs.
-	 * 
+	 *
 	 * @return				iterator
 	 */
 	iterator_t* (*create_child_sa_iterator) (ike_sa_t *this);
-	
+
 	/**
 	 * Rekey the CHILD SA with the specified reqid.
 	 *
@@ -814,14 +826,14 @@ struct ike_sa_t {
 	 * @return				DESTROY_ME to destroy the IKE_SA
 	 */
 	status_t (*reestablish) (ike_sa_t *this);
-	
+
 	/**
 	 * Set the lifetime limit received from a AUTH_LIFETIME notify.
 	 *
 	 * @param lifetime		lifetime in seconds
 	 */
 	void (*set_auth_lifetime)(ike_sa_t *this, u_int32_t lifetime);
-	
+
 	/**
 	 * Set the virtual IP to use for this IKE_SA and its children.
 	 *
@@ -832,7 +844,7 @@ struct ike_sa_t {
 	 * @param ip			IP to set as virtual IP
 	 */
 	void (*set_virtual_ip) (ike_sa_t *this, bool local, host_t *ip);
-	
+
 	/**
 	 * Get the virtual IP configured.
 	 *
@@ -840,7 +852,7 @@ struct ike_sa_t {
 	 * @return				host_t *virtual IP
 	 */
 	host_t* (*get_virtual_ip) (ike_sa_t *this, bool local);
-	
+
 	/**
 	 * Register a configuration attribute to the IKE_SA.
 	 *
@@ -853,8 +865,9 @@ struct ike_sa_t {
 	 * @param data			associated attribute data
 	 */
 	void (*add_configuration_attribute)(ike_sa_t *this,
+							attribute_handler_t *handler,
 							configuration_attribute_type_t type, chunk_t data);
-	
+
 	/**
 	 * Set local and remote host addresses to be used for IKE.
 	 *
@@ -865,7 +878,7 @@ struct ike_sa_t {
 	 * @param remote		remote kmaddress
 	 */
 	void (*set_kmaddress) (ike_sa_t *this, host_t *local, host_t *remote);
-	
+
 	/**
 	 * Inherit all attributes of other to this after rekeying.
 	 *
@@ -877,12 +890,12 @@ struct ike_sa_t {
 	 * @return				DESTROY_ME if initiation of inherited task failed
 	 */
 	status_t (*inherit) (ike_sa_t *this, ike_sa_t *other);
-		
+
 	/**
 	 * Reset the IKE_SA, useable when initiating fails
 	 */
 	void (*reset) (ike_sa_t *this);
-	
+
 	/**
 	 * Destroys a ike_sa_t object.
 	 */
diff --git a/src/charon/sa/ike_sa_id.h b/src/charon/sa/ike_sa_id.h
index 377e64e8a..a833aa9d6 100644
--- a/src/charon/sa/ike_sa_id.h
+++ b/src/charon/sa/ike_sa_id.h
@@ -67,21 +67,21 @@ struct ike_sa_id_t {
 
 	/**
 	 * Check if two ike_sa_id_t objects are equal.
-	 * 
+	 *
 	 * Two ike_sa_id_t objects are equal if both SPI values and the role matches.
 	 *
- 	 * @param other 			ike_sa_id_t object to check if equal
- 	 * @return 					TRUE if given ike_sa_id_t are equal, FALSE otherwise
+	 * @param other 			ike_sa_id_t object to check if equal
+	 * @return 					TRUE if given ike_sa_id_t are equal, FALSE otherwise
 	 */
 	bool (*equals) (ike_sa_id_t *this, ike_sa_id_t *other);
 
 	/**
 	 * Replace all values of a given ike_sa_id_t object with values.
 	 * from another ike_sa_id_t object.
-	 * 
+	 *
 	 * After calling this function, both objects are equal.
 	 *
- 	 * @param other 			ike_sa_id_t object from which values will be taken
+	 * @param other 			ike_sa_id_t object from which values will be taken
 	 */
 	void (*replace_values) (ike_sa_id_t *this, ike_sa_id_t *other);
 
@@ -94,7 +94,7 @@ struct ike_sa_id_t {
 
 	/**
 	 * Switche the original initiator flag.
-	 * 
+	 *
 	 * @return 					TRUE if we are the original initator after switch, FALSE otherwise
 	 */
 	bool (*switch_initiator) (ike_sa_id_t *this);
diff --git a/src/charon/sa/ike_sa_manager.c b/src/charon/sa/ike_sa_manager.c
index ec1a7f741..3ef0f3bb0 100644
--- a/src/charon/sa/ike_sa_manager.c
+++ b/src/charon/sa/ike_sa_manager.c
@@ -22,7 +22,9 @@
 #include <daemon.h>
 #include <sa/ike_sa_id.h>
 #include <bus/bus.h>
-#include <utils/mutex.h>
+#include <threading/condvar.h>
+#include <threading/mutex.h>
+#include <threading/rwlock.h>
 #include <utils/linked_list.h>
 #include <crypto/hashers/hasher.h>
 
@@ -41,67 +43,67 @@ typedef struct entry_t entry_t;
  * An entry in the linked list, contains IKE_SA, locking and lookup data.
  */
 struct entry_t {
-	
+
 	/**
 	 * Number of threads waiting for this ike_sa_t object.
 	 */
 	int waiting_threads;
-	
+
 	/**
 	 * Condvar where threads can wait until ike_sa_t object is free for use again.
 	 */
 	condvar_t *condvar;
-	
+
 	/**
 	 * Is this ike_sa currently checked out?
 	 */
 	bool checked_out;
-	
+
 	/**
 	 * Does this SA drives out new threads?
 	 */
 	bool driveout_new_threads;
-	
+
 	/**
 	 * Does this SA drives out waiting threads?
 	 */
 	bool driveout_waiting_threads;
-	
+
 	/**
 	 * Identification of an IKE_SA (SPIs).
 	 */
 	ike_sa_id_t *ike_sa_id;
-	
+
 	/**
 	 * The contained ike_sa_t object.
 	 */
 	ike_sa_t *ike_sa;
-	
+
 	/**
 	 * hash of the IKE_SA_INIT message, used to detect retransmissions
 	 */
 	chunk_t init_hash;
-	
+
 	/**
 	 * remote host address, required for DoS detection
 	 */
 	host_t *other;
-	
+
 	/**
 	 * As responder: Is this SA half-open?
 	 */
 	bool half_open;
-		
+
 	/**
 	 * own identity, required for duplicate checking
 	 */
 	identification_t *my_id;
-	
+
 	/**
 	 * remote identity, required for duplicate checking
 	 */
 	identification_t *other_id;
-	
+
 	/**
 	 * message ID currently processing, if any
 	 */
@@ -131,10 +133,10 @@ static status_t entry_destroy(entry_t *this)
 static entry_t *entry_create()
 {
 	entry_t *this = malloc_thing(entry_t);
-	
+
 	this->waiting_threads = 0;
 	this->condvar = condvar_create(CONDVAR_TYPE_DEFAULT);
-	
+
 	/* we set checkout flag when we really give it out */
 	this->checked_out = FALSE;
 	this->driveout_new_threads = FALSE;
@@ -147,7 +149,7 @@ static entry_t *entry_create()
 	this->other_id = NULL;
 	this->ike_sa_id = NULL;
 	this->ike_sa = NULL;
-	
+
 	return this;
 }
 
@@ -171,7 +173,7 @@ static bool entry_match_by_id(entry_t *entry, ike_sa_id_t *id)
 	if (id->equals(id, entry->ike_sa_id))
 	{
 		return TRUE;
-	}	
+	}
 	if ((id->get_responder_spi(id) == 0 ||
 		 entry->ike_sa_id->get_responder_spi(entry->ike_sa_id) == 0) &&
 		id->is_initiator(id) == entry->ike_sa_id->is_initiator(entry->ike_sa_id) &&
@@ -208,7 +210,7 @@ typedef struct half_open_t half_open_t;
 struct half_open_t {
 	/** chunk of remote host address */
 	chunk_t other;
-	
+
 	/** the number of half-open IKE_SAs with that host */
 	u_int count;
 };
@@ -235,10 +237,10 @@ typedef struct connected_peers_t connected_peers_t;
 struct connected_peers_t {
 	/** own identity */
 	identification_t *my_id;
-	
+
 	/** remote identity */
 	identification_t *other_id;
-	
+
 	/** list of ike_sa_id_t objects of IKE_SAs between the two identities */
 	linked_list_t *sas;
 };
@@ -269,7 +271,7 @@ typedef struct segment_t segment_t;
 struct segment_t {
 	/** mutex to access a segment exclusively */
 	mutex_t *mutex;
-	
+
 	/** the number of entries in this segment */
 	u_int count;
 };
@@ -282,7 +284,7 @@ typedef struct shareable_segment_t shareable_segment_t;
 struct shareable_segment_t {
 	/** rwlock to access a segment non-/exclusively */
 	rwlock_t *lock;
-	
+
 	/** the number of entries in this segment - in case of the "half-open table"
 	 * it's the sum of all half_open_t.count in a segment. */
 	u_int count;
@@ -298,67 +300,67 @@ struct private_ike_sa_manager_t {
 	 * Public interface of ike_sa_manager_t.
 	 */
 	 ike_sa_manager_t public;
-	
+
 	 /**
 	  * Hash table with entries for the ike_sa_t objects.
 	  */
 	 linked_list_t **ike_sa_table;
-	 
+
 	 /**
 	  * The size of the hash table.
 	  */
 	 u_int table_size;
-	 
+
 	 /**
 	  * Mask to map the hashes to table rows.
 	  */
 	 u_int table_mask;
-	 
+
 	 /**
 	  * Segments of the hash table.
 	  */
 	 segment_t *segments;
-	 
+
 	 /**
 	  * The number of segments.
 	  */
 	 u_int segment_count;
-	 
+
 	 /**
 	  * Mask to map a table row to a segment.
 	  */
 	 u_int segment_mask;
-	 
+
 	 /**
 	  * Hash table with half_open_t objects.
 	  */
 	 linked_list_t **half_open_table;
-	 
+
 	 /**
 	  * Segments of the "half-open" hash table.
 	  */
 	 shareable_segment_t *half_open_segments;
-	 
+
 	 /**
 	  * Hash table with connected_peers_t objects.
 	  */
 	 linked_list_t **connected_peers_table;
-	 
+
 	 /**
 	  * Segments of the "connected peers" hash table.
 	  */
 	 shareable_segment_t *connected_peers_segments;
-	 
+
 	 /**
 	  * RNG to get random SPIs for our side
 	  */
 	 rng_t *rng;
-	 
+
 	 /**
 	  * SHA1 hasher for IKE_SA_INIT retransmit detection
 	  */
 	 hasher_t *hasher;
-	
+
 	/**
 	 * reuse existing IKE_SAs in checkout_by_config
 	 */
@@ -372,7 +374,7 @@ struct private_ike_sa_manager_t {
 static void lock_single_segment(private_ike_sa_manager_t *this, u_int index)
 {
 	mutex_t *lock = this->segments[index & this->segment_mask].mutex;
-	
+
 	lock->lock(lock);
 }
 
@@ -383,7 +385,7 @@ static void lock_single_segment(private_ike_sa_manager_t *this, u_int index)
 static void unlock_single_segment(private_ike_sa_manager_t *this, u_int index)
 {
 	mutex_t *lock = this->segments[index & this->segment_mask].mutex;
-	
+
 	lock->unlock(lock);
 }
 
@@ -393,7 +395,7 @@ static void unlock_single_segment(private_ike_sa_manager_t *this, u_int index)
 static void lock_all_segments(private_ike_sa_manager_t *this)
 {
 	u_int i;
-	
+
 	for (i = 0; i < this->segment_count; ++i)
 	{
 		this->segments[i].mutex->lock(this->segments[i].mutex);
@@ -406,7 +408,7 @@ static void lock_all_segments(private_ike_sa_manager_t *this)
 static void unlock_all_segments(private_ike_sa_manager_t *this)
 {
 	u_int i;
-	
+
 	for (i = 0; i < this->segment_count; ++i)
 	{
 		this->segments[i].mutex->unlock(this->segments[i].mutex);
@@ -424,27 +426,27 @@ struct private_enumerator_t {
 	 * implements enumerator interface
 	 */
 	enumerator_t enumerator;
-	
+
 	/**
 	 * associated ike_sa_manager_t
 	 */
 	private_ike_sa_manager_t *manager;
-	
+
 	/**
 	 * current segment index
 	 */
 	u_int segment;
-	
+
 	/**
 	 * currently enumerating entry
 	 */
 	entry_t *entry;
-	
+
 	/**
 	 * current table row index
 	 */
 	u_int row;
-	
+
 	/**
 	 * enumerator for the current table row
 	 */
@@ -468,7 +470,7 @@ static bool enumerate(private_enumerator_t *this, entry_t **entry, u_int *segmen
 			if (this->current)
 			{
 				entry_t *item;
-				
+
 				if (this->current->enumerate(this->current, &item))
 				{
 					*entry = this->entry = item;
@@ -482,7 +484,7 @@ static bool enumerate(private_enumerator_t *this, entry_t **entry, u_int *segmen
 			else
 			{
 				linked_list_t *list;
-				
+
 				lock_single_segment(this->manager, this->segment);
 				if ((list = this->manager->ike_sa_table[this->row]) != NULL &&
 					 list->get_count(list))
@@ -523,7 +525,7 @@ static void enumerator_destroy(private_enumerator_t *this)
 static enumerator_t* create_table_enumerator(private_ike_sa_manager_t *this)
 {
 	private_enumerator_t *enumerator = malloc_thing(private_enumerator_t);
-	
+
 	enumerator->enumerator.enumerate = (void*)enumerate;
 	enumerator->enumerator.destroy = (void*)enumerator_destroy;
 	enumerator->manager = this;
@@ -531,7 +533,7 @@ static enumerator_t* create_table_enumerator(private_ike_sa_manager_t *this)
 	enumerator->entry = NULL;
 	enumerator->row = 0;
 	enumerator->current = NULL;
-	
+
 	return &enumerator->enumerator;
 }
 
@@ -544,7 +546,7 @@ static u_int put_entry(private_ike_sa_manager_t *this, entry_t *entry)
 	linked_list_t *list;
 	u_int row = ike_sa_id_hash(entry->ike_sa_id) & this->table_mask;
 	u_int segment = row & this->segment_mask;
-	
+
 	lock_single_segment(this, segment);
 	if ((list = this->ike_sa_table[row]) == NULL)
 	{
@@ -564,7 +566,7 @@ static void remove_entry(private_ike_sa_manager_t *this, entry_t *entry)
 	linked_list_t *list;
 	u_int row = ike_sa_id_hash(entry->ike_sa_id) & this->table_mask;
 	u_int segment = row & this->segment_mask;
-	
+
 	if ((list = this->ike_sa_table[row]) != NULL)
 	{
 		entry_t *current;
@@ -609,7 +611,7 @@ static status_t get_entry_by_match_function(private_ike_sa_manager_t *this,
 	linked_list_t *list;
 	u_int row = ike_sa_id_hash(ike_sa_id) & this->table_mask;
 	u_int seg = row & this->segment_mask;
-	
+
 	lock_single_segment(this, seg);
 	if ((list = this->ike_sa_table[row]) != NULL)
 	{
@@ -632,7 +634,7 @@ static status_t get_entry_by_match_function(private_ike_sa_manager_t *this,
 static status_t get_entry_by_id(private_ike_sa_manager_t *this,
 						ike_sa_id_t *ike_sa_id, entry_t **entry, u_int *segment)
 {
-	return get_entry_by_match_function(this, ike_sa_id, entry, segment, 
+	return get_entry_by_match_function(this, ike_sa_id, entry, segment,
 				(linked_list_match_t)entry_match_by_id, ike_sa_id, NULL);
 }
 
@@ -670,7 +672,7 @@ static bool wait_for_entry(private_ike_sa_manager_t *this, entry_t *entry,
 		/* we are not allowed to get this */
 		return FALSE;
 	}
-	while (entry->checked_out && !entry->driveout_waiting_threads)	
+	while (entry->checked_out && !entry->driveout_waiting_threads)
 	{
 		/* so wait until we can get it for us.
 		 * we register us as waiting. */
@@ -698,7 +700,7 @@ static void put_half_open(private_ike_sa_manager_t *this, entry_t *entry)
 	chunk_t addr = entry->other->get_address(entry->other);
 	u_int row = chunk_hash(addr) & this->table_mask;
 	u_int segment = row & this->segment_mask;
-	
+
 	rwlock_t *lock = this->half_open_segments[segment].lock;
 	lock->write_lock(lock);
 	if ((list = this->half_open_table[row]) == NULL)
@@ -716,7 +718,7 @@ static void put_half_open(private_ike_sa_manager_t *this, entry_t *entry)
 			this->half_open_segments[segment].count++;
 		}
 	}
-	
+
 	if (!half_open)
 	{
 		half_open = malloc_thing(half_open_t);
@@ -737,7 +739,7 @@ static void remove_half_open(private_ike_sa_manager_t *this, entry_t *entry)
 	chunk_t addr = entry->other->get_address(entry->other);
 	u_int row = chunk_hash(addr) & this->table_mask;
 	u_int segment = row & this->segment_mask;
-	
+
 	rwlock_t *lock = this->half_open_segments[segment].lock;
 	lock->write_lock(lock);
 	if ((list = this->half_open_table[row]) != NULL)
@@ -773,7 +775,7 @@ static void put_connected_peers(private_ike_sa_manager_t *this, entry_t *entry)
 			other_id = entry->other_id->get_encoding(entry->other_id);
 	u_int row = chunk_hash_inc(other_id, chunk_hash(my_id)) & this->table_mask;
 	u_int segment = row & this->segment_mask;
-	
+
 	rwlock_t *lock = this->connected_peers_segments[segment].lock;
 	lock->write_lock(lock);
 	if ((list = this->connected_peers_table[row]) == NULL)
@@ -796,7 +798,7 @@ static void put_connected_peers(private_ike_sa_manager_t *this, entry_t *entry)
 			}
 		}
 	}
-	
+
 	if (!connected_peers)
 	{
 		connected_peers = malloc_thing(connected_peers_t);
@@ -821,7 +823,7 @@ static void remove_connected_peers(private_ike_sa_manager_t *this, entry_t *entr
 			other_id = entry->other_id->get_encoding(entry->other_id);
 	u_int row = chunk_hash_inc(other_id, chunk_hash(my_id)) & this->table_mask;
 	u_int segment = row & this->segment_mask;
-	
+
 	rwlock_t *lock = this->connected_peers_segments[segment].lock;
 	lock->write_lock(lock);
 	if ((list = this->connected_peers_table[row]) != NULL)
@@ -864,7 +866,7 @@ static void remove_connected_peers(private_ike_sa_manager_t *this, entry_t *entr
 static u_int64_t get_next_spi(private_ike_sa_manager_t *this)
 {
 	u_int64_t spi;
-	
+
 	this->rng->get_bytes(this->rng, sizeof(spi), (u_int8_t*)&spi);
 	return spi;
 }
@@ -877,9 +879,9 @@ static ike_sa_t* checkout(private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id
 	ike_sa_t *ike_sa = NULL;
 	entry_t *entry;
 	u_int segment;
-	
+
 	DBG2(DBG_MGR, "checkout IKE_SA");
-	
+
 	if (get_entry_by_id(this, ike_sa_id, &entry, &segment) == SUCCESS)
 	{
 		if (wait_for_entry(this, entry, segment))
@@ -903,7 +905,7 @@ static ike_sa_t *checkout_new(private_ike_sa_manager_t* this, bool initiator)
 	ike_sa_t *ike_sa;
 	entry_t *entry;
 	u_int segment;
-	
+
 	if (initiator)
 	{
 		ike_sa_id = ike_sa_id_create(get_next_spi(this), 0, TRUE);
@@ -913,15 +915,15 @@ static ike_sa_t *checkout_new(private_ike_sa_manager_t* this, bool initiator)
 		ike_sa_id = ike_sa_id_create(0, get_next_spi(this), FALSE);
 	}
 	ike_sa = ike_sa_create(ike_sa_id);
-	
+
 	DBG2(DBG_MGR, "created IKE_SA");
-	
+
 	if (!initiator)
 	{
 		ike_sa_id->destroy(ike_sa_id);
 		return ike_sa;
 	}
-	
+
 	entry = entry_create();
 	entry->ike_sa_id = ike_sa_id;
 	entry->ike_sa = ike_sa;
@@ -944,19 +946,19 @@ static ike_sa_t* checkout_by_message(private_ike_sa_manager_t* this,
 
 	id = id->clone(id);
 	id->switch_initiator(id);
-	
+
 	DBG2(DBG_MGR, "checkout IKE_SA by message");
-	
+
 	if (message->get_request(message) &&
 		message->get_exchange_type(message) == IKE_SA_INIT)
 	{
 		/* IKE_SA_INIT request. Check for an IKE_SA with such a message hash. */
 		chunk_t data, hash;
-			
+
 		data = message->get_packet_data(message);
 		this->hasher->allocate_hash(this->hasher, data, &hash);
 		chunk_free(&data);
-		
+
 		if (get_entry_by_hash(this, id, hash, &entry, &segment) == SUCCESS)
 		{
 			if (entry->message_id == 0)
@@ -976,7 +978,7 @@ static ike_sa_t* checkout_by_message(private_ike_sa_manager_t* this,
 			}
 			unlock_single_segment(this, segment);
 		}
-		
+
 		if (ike_sa == NULL)
 		{
 			if (id->get_responder_spi(id) == 0 &&
@@ -987,15 +989,15 @@ static ike_sa_t* checkout_by_message(private_ike_sa_manager_t* this,
 				entry = entry_create();
 				entry->ike_sa = ike_sa_create(id);
 				entry->ike_sa_id = id->clone(id);
-				
+
 				segment = put_entry(this, entry);
 				entry->checked_out = TRUE;
 				unlock_single_segment(this, segment);
-				
-				entry->message_id = message->get_message_id(message);				
+
+				entry->message_id = message->get_message_id(message);
 				entry->init_hash = hash;
 				ike_sa = entry->ike_sa;
-				
+
 				DBG2(DBG_MGR, "created IKE_SA");
 			}
 			else
@@ -1012,7 +1014,7 @@ static ike_sa_t* checkout_by_message(private_ike_sa_manager_t* this,
 		charon->bus->set_sa(charon->bus, ike_sa);
 		return ike_sa;
 	}
-	
+
 	if (get_entry_by_id(this, id, &entry, &segment) == SUCCESS)
 	{
 		/* only check out if we are not processing this request */
@@ -1053,14 +1055,14 @@ static ike_sa_t* checkout_by_config(private_ike_sa_manager_t *this,
 	peer_cfg_t *current_peer;
 	ike_cfg_t *current_ike;
 	u_int segment;
-	
+
 	if (!this->reuse_ikesa)
 	{	/* IKE_SA reuse disable by config */
-		ike_sa = checkout_new(this, TRUE);	
+		ike_sa = checkout_new(this, TRUE);
 		charon->bus->set_sa(charon->bus, ike_sa);
 		return ike_sa;
 	}
-	
+
 	enumerator = create_table_enumerator(this);
 	while (enumerator->enumerate(enumerator, &entry, &segment))
 	{
@@ -1072,7 +1074,7 @@ static ike_sa_t* checkout_by_config(private_ike_sa_manager_t *this,
 		{	/* skip IKE_SAs which are not usable */
 			continue;
 		}
-		
+
 		current_peer = entry->ike_sa->get_peer_cfg(entry->ike_sa);
 		if (current_peer && current_peer->equals(current_peer, peer_cfg))
 		{
@@ -1088,10 +1090,10 @@ static ike_sa_t* checkout_by_config(private_ike_sa_manager_t *this,
 		}
 	}
 	enumerator->destroy(enumerator);
-	
+
 	if (!ike_sa)
 	{	/* no IKE_SA using such a config, hand out a new */
-		ike_sa = checkout_new(this, TRUE);	
+		ike_sa = checkout_new(this, TRUE);
 	}
 	charon->bus->set_sa(charon->bus, ike_sa);
 	return ike_sa;
@@ -1109,7 +1111,7 @@ static ike_sa_t* checkout_by_id(private_ike_sa_manager_t *this, u_int32_t id,
 	ike_sa_t *ike_sa = NULL;
 	child_sa_t *child_sa;
 	u_int segment;
-	
+
 	enumerator = create_table_enumerator(this);
 	while (enumerator->enumerate(enumerator, &entry, &segment))
 	{
@@ -1125,7 +1127,7 @@ static ike_sa_t* checkout_by_id(private_ike_sa_manager_t *this, u_int32_t id,
 					{
 						ike_sa = entry->ike_sa;
 						break;
-					}		
+					}
 				}
 				children->destroy(children);
 			}
@@ -1145,7 +1147,7 @@ static ike_sa_t* checkout_by_id(private_ike_sa_manager_t *this, u_int32_t id,
 		}
 	}
 	enumerator->destroy(enumerator);
-	
+
 	charon->bus->set_sa(charon->bus, ike_sa);
 	return ike_sa;
 }
@@ -1162,7 +1164,7 @@ static ike_sa_t* checkout_by_name(private_ike_sa_manager_t *this, char *name,
 	ike_sa_t *ike_sa = NULL;
 	child_sa_t *child_sa;
 	u_int segment;
-	
+
 	enumerator = create_table_enumerator(this);
 	while (enumerator->enumerate(enumerator, &entry, &segment))
 	{
@@ -1178,7 +1180,7 @@ static ike_sa_t* checkout_by_name(private_ike_sa_manager_t *this, char *name,
 					{
 						ike_sa = entry->ike_sa;
 						break;
-					}		
+					}
 				}
 				children->destroy(children);
 			}
@@ -1198,13 +1200,13 @@ static ike_sa_t* checkout_by_name(private_ike_sa_manager_t *this, char *name,
 		}
 	}
 	enumerator->destroy(enumerator);
-	
+
 	charon->bus->set_sa(charon->bus, ike_sa);
 	return ike_sa;
 }
 
 /**
- * enumerator filter function 
+ * enumerator filter function
  */
 static bool enumerator_filter(private_ike_sa_manager_t *this,
 							  entry_t **in, ike_sa_t **out, u_int *segment)
@@ -1243,14 +1245,14 @@ static void checkin(private_ike_sa_manager_t *this, ike_sa_t *ike_sa)
 	host_t *other;
 	identification_t *my_id, *other_id;
 	u_int segment;
-	
+
 	ike_sa_id = ike_sa->get_id(ike_sa);
 	my_id = ike_sa->get_my_id(ike_sa);
 	other_id = ike_sa->get_other_id(ike_sa);
 	other = ike_sa->get_other_host(ike_sa);
-	
+
 	DBG2(DBG_MGR, "checkin IKE_SA");
-	
+
 	/* look for the entry */
 	if (get_entry_by_sa(this, ike_sa_id, ike_sa, &entry, &segment) == SUCCESS)
 	{
@@ -1293,7 +1295,7 @@ static void checkin(private_ike_sa_manager_t *this, ike_sa_t *ike_sa)
 		entry->ike_sa = ike_sa;
 		segment = put_entry(this, entry);
 	}
-	
+
 	/* apply identities for duplicate test (only as responder) */
 	if (!entry->ike_sa_id->is_initiator(entry->ike_sa_id) &&
 		ike_sa->get_state(ike_sa) == IKE_ESTABLISHED &&
@@ -1303,9 +1305,9 @@ static void checkin(private_ike_sa_manager_t *this, ike_sa_t *ike_sa)
 		entry->other_id = other_id->clone(other_id);
 		put_connected_peers(this, entry);
 	}
-	
+
 	unlock_single_segment(this, segment);
-	
+
 	charon->bus->set_sa(charon->bus, NULL);
 }
 
@@ -1322,11 +1324,11 @@ static void checkin_and_destroy(private_ike_sa_manager_t *this, ike_sa_t *ike_sa
 	entry_t *entry;
 	ike_sa_id_t *ike_sa_id;
 	u_int segment;
-	
+
 	ike_sa_id = ike_sa->get_id(ike_sa);
-	
+
 	DBG2(DBG_MGR, "checkin and destroy IKE_SA");
-	
+
 	if (get_entry_by_sa(this, ike_sa_id, ike_sa, &entry, &segment) == SUCCESS)
 	{
 		/* drive out waiting threads, as we are in hurry */
@@ -1343,7 +1345,7 @@ static void checkin_and_destroy(private_ike_sa_manager_t *this, ike_sa_t *ike_sa
 		}
 		remove_entry(this, entry);
 		unlock_single_segment(this, segment);
-		
+
 		if (entry->half_open)
 		{
 			remove_half_open(this, entry);
@@ -1353,9 +1355,9 @@ static void checkin_and_destroy(private_ike_sa_manager_t *this, ike_sa_t *ike_sa
 		{
 			remove_connected_peers(this, entry);
 		}
-		
+
 		entry_destroy(entry);
-		
+
 		DBG2(DBG_MGR, "check-in and destroy of IKE_SA successful");
 	}
 	else
@@ -1366,7 +1368,7 @@ static void checkin_and_destroy(private_ike_sa_manager_t *this, ike_sa_t *ike_sa
 	charon->bus->set_sa(charon->bus, NULL);
 }
 
-	
+
 /**
  * Implementation of ike_sa_manager_t.check_uniqueness.
  */
@@ -1381,27 +1383,27 @@ static bool check_uniqueness(private_ike_sa_manager_t *this, ike_sa_t *ike_sa)
 	identification_t *me, *other;
 	u_int row, segment;
 	rwlock_t *lock;
-	
+
 	peer_cfg = ike_sa->get_peer_cfg(ike_sa);
 	policy = peer_cfg->get_unique_policy(peer_cfg);
 	if (policy == UNIQUE_NO)
 	{
 		return FALSE;
 	}
-	
+
 	me = ike_sa->get_my_id(ike_sa);
 	other = ike_sa->get_other_id(ike_sa);
-	
+
 	row = chunk_hash_inc(other->get_encoding(other),
 						 chunk_hash(me->get_encoding(me))) & this->table_mask;
 	segment = row & this->segment_mask;
-	
+
 	lock = this->connected_peers_segments[segment & this->segment_mask].lock;
 	lock->read_lock(lock);
 	if ((list = this->connected_peers_table[row]) != NULL)
 	{
 		connected_peers_t *current;
-		
+
 		if (list->find_first(list, (linked_list_match_t)connected_peers_match,
 							 (void**)&current, me, other) == SUCCESS)
 		{
@@ -1411,18 +1413,18 @@ static bool check_uniqueness(private_ike_sa_manager_t *this, ike_sa_t *ike_sa)
 		}
 	}
 	lock->unlock(lock);
-	
+
 	if (!duplicate_ids)
 	{
 		return FALSE;
 	}
-	
+
 	enumerator = duplicate_ids->create_enumerator(duplicate_ids);
 	while (enumerator->enumerate(enumerator, &duplicate_id))
 	{
 		status_t status = SUCCESS;
 		ike_sa_t *duplicate;
-		
+
 		duplicate = checkout(this, duplicate_id);
 		if (!duplicate)
 		{
@@ -1485,13 +1487,13 @@ static int get_half_open_count(private_ike_sa_manager_t *this, host_t *ip)
 		chunk_t addr = ip->get_address(ip);
 		u_int row = chunk_hash(addr) & this->table_mask;
 		u_int segment = row & this->segment_mask;
-		
+
 		rwlock_t *lock = this->half_open_segments[segment & this->segment_mask].lock;
 		lock->read_lock(lock);
 		if ((list = this->half_open_table[row]) != NULL)
 		{
 			half_open_t *current;
-			
+
 			if (list->find_first(list, (linked_list_match_t)half_open_match,
 								 (void**)&current, &addr) == SUCCESS)
 			{
@@ -1503,7 +1505,7 @@ static int get_half_open_count(private_ike_sa_manager_t *this, host_t *ip)
 	else
 	{
 		u_int segment;
-		
+
 		for (segment = 0; segment < this->segment_count; ++segment)
 		{
 			rwlock_t *lock;
@@ -1513,7 +1515,7 @@ static int get_half_open_count(private_ike_sa_manager_t *this, host_t *ip)
 			lock->unlock(lock);
 		}
 	}
-	
+
 	return count;
 }
 
@@ -1526,7 +1528,7 @@ static void flush(private_ike_sa_manager_t *this)
 	enumerator_t *enumerator;
 	entry_t *entry;
 	u_int segment;
-	
+
 	lock_all_segments(this);
 	DBG2(DBG_MGR, "going to destroy IKE_SA manager and all managed IKE_SA's");
 	/* Step 1: drive out all waiting threads  */
@@ -1536,7 +1538,7 @@ static void flush(private_ike_sa_manager_t *this)
 	{
 		/* do not accept new threads, drive out waiting threads */
 		entry->driveout_new_threads = TRUE;
-		entry->driveout_waiting_threads = TRUE;	
+		entry->driveout_waiting_threads = TRUE;
 	}
 	enumerator->destroy(enumerator);
 	DBG2(DBG_MGR, "wait for all threads to leave IKE_SA's");
@@ -1573,7 +1575,7 @@ static void flush(private_ike_sa_manager_t *this)
 		entry->ike_sa->delete(entry->ike_sa);
 	}
 	enumerator->destroy(enumerator);
-	
+
 	DBG2(DBG_MGR, "destroy all entries");
 	/* Step 4: destroy all entries */
 	enumerator = create_table_enumerator(this);
@@ -1633,7 +1635,7 @@ static void destroy(private_ike_sa_manager_t *this)
 	free(this->segments);
 	free(this->half_open_segments);
 	free(this->connected_peers_segments);
-	
+
 	this->rng->destroy(this->rng);
 	this->hasher->destroy(this->hasher);
 	free(this);
@@ -1648,7 +1650,7 @@ static void destroy(private_ike_sa_manager_t *this)
 static u_int get_nearest_powerof2(u_int n)
 {
 	u_int i;
-	
+
 	--n;
 	for (i = 1; i < sizeof(u_int) * 8; i <<= 1)
 	{
@@ -1679,7 +1681,7 @@ ike_sa_manager_t *ike_sa_manager_create()
 	this->public.checkin = (void(*)(ike_sa_manager_t*,ike_sa_t*))checkin;
 	this->public.checkin_and_destroy = (void(*)(ike_sa_manager_t*,ike_sa_t*))checkin_and_destroy;
 	this->public.get_half_open_count = (int(*)(ike_sa_manager_t*,host_t*))get_half_open_count;
-	
+
 	/* initialize private variables */
 	this->hasher = lib->crypto->create_hasher(lib->crypto, HASH_PREFERRED);
 	if (this->hasher == NULL)
@@ -1700,21 +1702,21 @@ ike_sa_manager_t *ike_sa_manager_create()
 						"charon.ikesa_table_size", DEFAULT_HASHTABLE_SIZE));
 	this->table_size = max(1, min(this->table_size, MAX_HASHTABLE_SIZE));
 	this->table_mask = this->table_size - 1;
-	
+
 	this->segment_count = get_nearest_powerof2(lib->settings->get_int(lib->settings,
 						"charon.ikesa_table_segments", DEFAULT_SEGMENT_COUNT));
 	this->segment_count = max(1, min(this->segment_count, this->table_size));
 	this->segment_mask = this->segment_count - 1;
-	
+
 	this->ike_sa_table = calloc(this->table_size, sizeof(linked_list_t*));
-	
+
 	this->segments = (segment_t*)calloc(this->segment_count, sizeof(segment_t));
 	for (i = 0; i < this->segment_count; ++i)
 	{
 		this->segments[i].mutex = mutex_create(MUTEX_TYPE_RECURSIVE);
 		this->segments[i].count = 0;
 	}
-	
+
 	/* we use the same table parameters for the table to track half-open SAs */
 	this->half_open_table = calloc(this->table_size, sizeof(linked_list_t*));
 	this->half_open_segments = calloc(this->segment_count, sizeof(shareable_segment_t));
@@ -1723,7 +1725,7 @@ ike_sa_manager_t *ike_sa_manager_create()
 		this->half_open_segments[i].lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
 		this->half_open_segments[i].count = 0;
 	}
-	
+
 	/* also for the hash table used for duplicate tests */
 	this->connected_peers_table = calloc(this->table_size, sizeof(linked_list_t*));
 	this->connected_peers_segments = calloc(this->segment_count, sizeof(shareable_segment_t));
@@ -1732,7 +1734,7 @@ ike_sa_manager_t *ike_sa_manager_create()
 		this->connected_peers_segments[i].lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
 		this->connected_peers_segments[i].count = 0;
 	}
-	
+
 	this->reuse_ikesa = lib->settings->get_bool(lib->settings,
 												"charon.reuse_ikesa", TRUE);
 	return &this->public;
diff --git a/src/charon/sa/ike_sa_manager.h b/src/charon/sa/ike_sa_manager.h
index 6da768080..38f5454e1 100644
--- a/src/charon/sa/ike_sa_manager.h
+++ b/src/charon/sa/ike_sa_manager.h
@@ -38,20 +38,20 @@ typedef struct ike_sa_manager_t ike_sa_manager_t;
  * by the owning thread.
  */
 struct ike_sa_manager_t {
-	
+
 	/**
 	 * Checkout an existing IKE_SA.
-	 * 
+	 *
 	 * @param ike_sa_id			the SA identifier, will be updated
-	 * @returns 					
+	 * @returns
 	 * 							- checked out IKE_SA if found
 	 * 							- NULL, if specified IKE_SA is not found.
 	 */
 	ike_sa_t* (*checkout) (ike_sa_manager_t* this, ike_sa_id_t *sa_id);
-	
+
 	/**
 	 * Create and check out a new IKE_SA.
-	 * 
+	 *
 	 * @note If initiator equals FALSE, the returned IKE_SA is not registered
 	 * in the manager.
 	 *
@@ -59,30 +59,30 @@ struct ike_sa_manager_t {
 	 * @returns 				created and checked out IKE_SA
 	 */
 	ike_sa_t* (*checkout_new) (ike_sa_manager_t* this, bool initiator);
-	
+
 	/**
 	 * Checkout an IKE_SA by a message.
-	 * 
+	 *
 	 * In some situations, it is necessary that the manager knows the
 	 * message to use for the checkout. This has the following reasons:
-	 * 
+	 *
 	 * 1. If the targeted IKE_SA is already processing a message, we do not
 	 *    check it out if the message ID is the same.
-	 * 2. If it is an IKE_SA_INIT request, we have to check if it is a 
+	 * 2. If it is an IKE_SA_INIT request, we have to check if it is a
 	 *    retransmission. If so, we have to drop the message, we would
 	 *    create another unneeded IKE_SA for each retransmitted packet.
 	 *
 	 * A call to checkout_by_message() returns a (maybe new created) IKE_SA.
 	 * If processing the message does not make sense (for the reasons above),
 	 * NULL is returned.
-	 * 
+	 *
 	 * @param ike_sa_id			the SA identifier, will be updated
-	 * @returns 					
+	 * @returns
 	 * 							- checked out/created IKE_SA
 	 * 							- NULL to not process message further
 	 */
 	ike_sa_t* (*checkout_by_message) (ike_sa_manager_t* this, message_t *message);
-	
+
 	/**
 	 * Checkout an IKE_SA for initiation by a peer_config.
 	 *
@@ -97,27 +97,27 @@ struct ike_sa_manager_t {
 	 * @return					checked out/created IKE_SA
 	 */
 	ike_sa_t* (*checkout_by_config) (ike_sa_manager_t* this,
-								 	 peer_cfg_t *peer_cfg);
-	
+									 peer_cfg_t *peer_cfg);
+
 	/**
 	 * Check for duplicates of the given IKE_SA.
-	 * 
+	 *
 	 * Measures are taken according to the uniqueness policy of the IKE_SA.
 	 * The return value indicates whether duplicates have been found and if
 	 * further measures should be taken (e.g. cancelling an IKE_AUTH exchange).
 	 * check_uniqueness() must be called before the IKE_SA is complete,
 	 * deadlocks occur otherwise.
-	 * 
+	 *
 	 * @param ike_sa			ike_sa to check
 	 * @return					TRUE, if the given IKE_SA has duplicates and
 	 * 							should be deleted
 	 */
 	bool (*check_uniqueness)(ike_sa_manager_t *this, ike_sa_t *ike_sa);
-	
+
 	/**
 	 * Check out an IKE_SA a unique ID.
 	 *
-	 * Every IKE_SA and every CHILD_SA is uniquely identified by an ID. 
+	 * Every IKE_SA and every CHILD_SA is uniquely identified by an ID.
 	 * These checkout function uses, depending
 	 * on the child parameter, the unique ID of the IKE_SA or the reqid
 	 * of one of a IKE_SAs CHILD_SA.
@@ -130,7 +130,7 @@ struct ike_sa_manager_t {
 	 */
 	ike_sa_t* (*checkout_by_id) (ike_sa_manager_t* this, u_int32_t id,
 								 bool child);
-	
+
 	/**
 	 * Check out an IKE_SA by the policy/connection name.
 	 *
@@ -145,7 +145,7 @@ struct ike_sa_manager_t {
 	 */
 	ike_sa_t* (*checkout_by_name) (ike_sa_manager_t* this, char *name,
 								   bool child);
-	
+
 	/**
 	 * Create an enumerator over all stored IKE_SAs.
 	 *
@@ -155,7 +155,7 @@ struct ike_sa_manager_t {
 	 * @return					enumerator over all IKE_SAs.
 	 */
 	enumerator_t *(*create_enumerator) (ike_sa_manager_t* this);
-	
+
 	/**
 	 * Checkin the SA after usage.
 	 *
@@ -165,7 +165,7 @@ struct ike_sa_manager_t {
 	 * @param ike_sa			checked out SA
 	 */
 	void (*checkin) (ike_sa_manager_t* this, ike_sa_t *ike_sa);
-	
+
 	/**
 	 * Destroy a checked out SA.
 	 *
@@ -179,7 +179,7 @@ struct ike_sa_manager_t {
 	 * @param ike_sa			SA to delete
 	 */
 	void (*checkin_and_destroy) (ike_sa_manager_t* this, ike_sa_t *ike_sa);
-	
+
 	/**
 	 * Get the number of IKE_SAs which are in the connecting state.
 	 *
@@ -189,19 +189,19 @@ struct ike_sa_manager_t {
 	 * If a host is supplied, only the number of half open IKE_SAs initiated
 	 * from this IP are counted.
 	 * Only SAs for which we are the responder are counted.
-	 * 
+	 *
 	 * @param ip				NULL for all, IP for half open IKE_SAs with IP
 	 * @return					number of half open IKE_SAs
 	 */
 	int (*get_half_open_count) (ike_sa_manager_t *this, host_t *ip);
-	
+
 	/**
 	 * Delete all existing IKE_SAs and destroy them immediately.
-	 * 
+	 *
 	 * Threads will be driven out, so all SAs can be deleted cleanly.
 	 */
 	void (*flush)(ike_sa_manager_t *this);
-	
+
 	/**
 	 * Destroys the manager with all associated SAs.
 	 *
@@ -212,7 +212,7 @@ struct ike_sa_manager_t {
 
 /**
  * Create the IKE_SA manager.
- * 
+ *
  * @returns 	ike_sa_manager_t object, NULL if initialization fails
  */
 ike_sa_manager_t *ike_sa_manager_create(void);
diff --git a/src/charon/sa/keymat.c b/src/charon/sa/keymat.c
index 46fb79587..e49626354 100644
--- a/src/charon/sa/keymat.c
+++ b/src/charon/sa/keymat.c
@@ -24,52 +24,52 @@ typedef struct private_keymat_t private_keymat_t;
  * Private data of an keymat_t object.
  */
 struct private_keymat_t {
-	
+
 	/**
 	 * Public keymat_t interface.
 	 */
 	keymat_t public;
-	
+
 	/**
- 	 * IKE_SA Role, initiator or responder
- 	 */
- 	bool initiator;
-	
+	 * IKE_SA Role, initiator or responder
+	 */
+	bool initiator;
+
 	/**
 	 * inbound signer (verify)
 	 */
 	signer_t *signer_in;
-	
+
 	/**
 	 * outbound signer (sign)
 	 */
 	signer_t *signer_out;
-	
+
 	/**
 	 * inbound crypter (decrypt)
 	 */
 	crypter_t *crypter_in;
-	
+
 	/**
 	 * outbound crypter (encrypt)
 	 */
 	crypter_t *crypter_out;
-	
+
 	/**
 	 * General purpose PRF
 	 */
 	prf_t *prf;
-	
+
 	/**
 	 * Negotiated PRF algorithm
 	 */
 	pseudo_random_function_t prf_alg;
-	
+
 	/**
 	 * Key to derive key material from for CHILD_SAs, rekeying
 	 */
 	chunk_t skd;
-	
+
 	/**
 	 * Key to build outging authentication data (SKp)
 	 */
@@ -110,6 +110,7 @@ keylen_entry_t keylen_enc[] = {
 keylen_entry_t keylen_int[] = {
 	{AUTH_HMAC_MD5_96, 			128},
 	{AUTH_HMAC_SHA1_96,			160},
+	{AUTH_HMAC_SHA2_256_96,		256},
 	{AUTH_HMAC_SHA2_256_128,	256},
 	{AUTH_HMAC_SHA2_384_192,	384},
 	{AUTH_HMAC_SHA2_512_256,	512},
@@ -158,15 +159,15 @@ static bool derive_ike_keys(private_keymat_t *this, proposal_t *proposal,
 	prf_plus_t *prf_plus;
 	u_int16_t alg, key_size;
 	prf_t *rekey_prf = NULL;
-	
+
 	spi_i = chunk_alloca(sizeof(u_int64_t));
 	spi_r = chunk_alloca(sizeof(u_int64_t));
-	
+
 	if (dh->get_shared_secret(dh, &secret) != SUCCESS)
 	{
 		return FALSE;
 	}
-	
+
 	/* Create SAs general purpose PRF first, we may use it here */
 	if (!proposal->get_algorithm(proposal, PSEUDO_RANDOM_FUNCTION, &alg, NULL))
 	{
@@ -206,8 +207,8 @@ static bool derive_ike_keys(private_keymat_t *this, proposal_t *proposal,
 	*((u_int64_t*)spi_i.ptr) = id->get_initiator_spi(id);
 	*((u_int64_t*)spi_r.ptr) = id->get_responder_spi(id);
 	prf_plus_seed = chunk_cat("ccc", full_nonce, spi_i, spi_r);
-	
-	/* KEYMAT = prf+ (SKEYSEED, Ni | Nr | SPIi | SPIr) 
+
+	/* KEYMAT = prf+ (SKEYSEED, Ni | Nr | SPIi | SPIr)
 	 *
 	 * if we are rekeying, SKEYSEED is built on another way
 	 */
@@ -221,7 +222,7 @@ static bool derive_ike_keys(private_keymat_t *this, proposal_t *proposal,
 	}
 	else
 	{
-		/* SKEYSEED = prf(SK_d (old), [g^ir (new)] | Ni | Nr) 
+		/* SKEYSEED = prf(SK_d (old), [g^ir (new)] | Ni | Nr)
 		 * use OLD SAs PRF functions for both prf_plus and prf */
 		rekey_prf = lib->crypto->create_prf(lib->crypto, rekey_function);
 		if (!rekey_prf)
@@ -240,20 +241,20 @@ static bool derive_ike_keys(private_keymat_t *this, proposal_t *proposal,
 		prf_plus = prf_plus_create(rekey_prf, prf_plus_seed);
 	}
 	DBG4(DBG_IKE, "SKEYSEED %B", &skeyseed);
-	
+
 	chunk_clear(&skeyseed);
 	chunk_clear(&secret);
 	chunk_free(&full_nonce);
 	chunk_free(&fixed_nonce);
 	chunk_clear(&prf_plus_seed);
-	
+
 	/* KEYMAT = SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr */
-	
+
 	/* SK_d is used for generating CHILD_SA key mat => store for later use */
 	key_size = this->prf->get_key_size(this->prf);
 	prf_plus->allocate_bytes(prf_plus, key_size, &this->skd);
 	DBG4(DBG_IKE, "Sk_d secret %B", &this->skd);
-	
+
 	/* SK_ai/SK_ar used for integrity protection => signer_in/signer_out */
 	if (!proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM, &alg, NULL))
 	{
@@ -275,17 +276,17 @@ static bool derive_ike_keys(private_keymat_t *this, proposal_t *proposal,
 		return FALSE;
 	}
 	key_size = signer_i->get_key_size(signer_i);
-	
+
 	prf_plus->allocate_bytes(prf_plus, key_size, &key);
 	DBG4(DBG_IKE, "Sk_ai secret %B", &key);
 	signer_i->set_key(signer_i, key);
 	chunk_clear(&key);
-	
+
 	prf_plus->allocate_bytes(prf_plus, key_size, &key);
 	DBG4(DBG_IKE, "Sk_ar secret %B", &key);
 	signer_r->set_key(signer_r, key);
 	chunk_clear(&key);
-	
+
 	if (this->initiator)
 	{
 		this->signer_in = signer_r;
@@ -296,7 +297,7 @@ static bool derive_ike_keys(private_keymat_t *this, proposal_t *proposal,
 		this->signer_in = signer_i;
 		this->signer_out = signer_r;
 	}
-	
+
 	/* SK_ei/SK_er used for encryption => crypter_in/crypter_out */
 	if (!proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, &alg, &key_size))
 	{
@@ -318,17 +319,17 @@ static bool derive_ike_keys(private_keymat_t *this, proposal_t *proposal,
 		return FALSE;
 	}
 	key_size = crypter_i->get_key_size(crypter_i);
-	
+
 	prf_plus->allocate_bytes(prf_plus, key_size, &key);
 	DBG4(DBG_IKE, "Sk_ei secret %B", &key);
 	crypter_i->set_key(crypter_i, key);
 	chunk_clear(&key);
-	
+
 	prf_plus->allocate_bytes(prf_plus, key_size, &key);
 	DBG4(DBG_IKE, "Sk_er secret %B", &key);
 	crypter_r->set_key(crypter_r, key);
 	chunk_clear(&key);
-	
+
 	if (this->initiator)
 	{
 		this->crypter_in = crypter_r;
@@ -339,8 +340,8 @@ static bool derive_ike_keys(private_keymat_t *this, proposal_t *proposal,
 		this->crypter_in = crypter_i;
 		this->crypter_out = crypter_r;
 	}
-	
-	/* SK_pi/SK_pr used for authentication => stored for later */	
+
+	/* SK_pi/SK_pr used for authentication => stored for later */
 	key_size = this->prf->get_key_size(this->prf);
 	prf_plus->allocate_bytes(prf_plus, key_size, &key);
 	DBG4(DBG_IKE, "Sk_pi secret %B", &key);
@@ -362,11 +363,11 @@ static bool derive_ike_keys(private_keymat_t *this, proposal_t *proposal,
 	{
 		this->skp_build = key;
 	}
-	
+
 	/* all done, prf_plus not needed anymore */
 	prf_plus->destroy(prf_plus);
 	DESTROY_IF(rekey_prf);
-	
+
 	return TRUE;
 }
 
@@ -382,7 +383,7 @@ static bool derive_child_keys(private_keymat_t *this,
 	u_int16_t enc_alg, int_alg, enc_size = 0, int_size = 0;
 	chunk_t seed, secret = chunk_empty;
 	prf_plus_t *prf_plus;
-	
+
 	if (dh)
 	{
 		if (dh->get_shared_secret(dh, &secret) != SUCCESS)
@@ -393,13 +394,13 @@ static bool derive_child_keys(private_keymat_t *this,
 	}
 	seed = chunk_cata("mcc", secret, nonce_i, nonce_r);
 	DBG4(DBG_CHD, "seed %B", &seed);
-	
+
 	if (proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM,
 								&enc_alg, &enc_size))
 	{
-		DBG2(DBG_CHD, "  using %N for encryption", 
+		DBG2(DBG_CHD, "  using %N for encryption",
 			 encryption_algorithm_names, enc_alg);
-		
+
 		if (!enc_size)
 		{
 			enc_size = lookup_keylen(keylen_enc, enc_alg);
@@ -412,7 +413,7 @@ static bool derive_child_keys(private_keymat_t *this,
 		}
 		/* to bytes */
 		enc_size /= 8;
-		
+
 		/* CCM/GCM/CTR needs additional bytes */
 		switch (enc_alg)
 		{
@@ -434,13 +435,13 @@ static bool derive_child_keys(private_keymat_t *this,
 				break;
 		}
 	}
-	
+
 	if (proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM,
 								&int_alg, &int_size))
 	{
 		DBG2(DBG_CHD, "  using %N for integrity",
 			 integrity_algorithm_names, int_alg);
-		
+
 		if (!int_size)
 		{
 			int_size = lookup_keylen(keylen_int, int_alg);
@@ -454,17 +455,17 @@ static bool derive_child_keys(private_keymat_t *this,
 		/* to bytes */
 		int_size /= 8;
 	}
-	
+
 	this->prf->set_key(this->prf, this->skd);
 	prf_plus = prf_plus_create(this->prf, seed);
-	
+
 	prf_plus->allocate_bytes(prf_plus, enc_size, encr_i);
 	prf_plus->allocate_bytes(prf_plus, int_size, integ_i);
 	prf_plus->allocate_bytes(prf_plus, enc_size, encr_r);
 	prf_plus->allocate_bytes(prf_plus, int_size, integ_r);
-	
+
 	prf_plus->destroy(prf_plus);
-	
+
 	if (enc_size)
 	{
 		DBG4(DBG_CHD, "encryption initiator key %B", encr_i);
@@ -512,19 +513,19 @@ static chunk_t get_auth_octets(private_keymat_t *this, bool verify,
 {
 	chunk_t chunk, idx, octets;
 	chunk_t skp;
-	
+
 	skp = verify ? this->skp_verify : this->skp_build;
-	
+
 	chunk = chunk_alloca(4);
 	memset(chunk.ptr, 0, chunk.len);
 	chunk.ptr[0] = id->get_type(id);
 	idx = chunk_cata("cc", chunk, id->get_encoding(id));
-	
+
 	DBG3(DBG_IKE, "IDx' %B", &idx);
 	DBG3(DBG_IKE, "SK_p %B", &skp);
 	this->prf->set_key(this->prf, skp);
 	this->prf->allocate_bytes(this->prf, idx, &chunk);
-	
+
 	octets = chunk_cat("ccm", ike_sa_init, nonce, chunk);
 	DBG3(DBG_IKE, "octets = message + nonce + prf(Sk_px, IDx') %B", &octets);
 	return octets;
@@ -539,12 +540,12 @@ static chunk_t get_auth_octets(private_keymat_t *this, bool verify,
 /**
  * Implementation of keymat_t.get_psk_sig
  */
-static chunk_t get_psk_sig(private_keymat_t *this, bool verify, 
+static chunk_t get_psk_sig(private_keymat_t *this, bool verify,
 						   chunk_t ike_sa_init, chunk_t nonce, chunk_t secret,
 						   identification_t *id)
 {
 	chunk_t key_pad, key, sig, octets;
-	
+
 	if (!secret.len)
 	{	/* EAP uses SK_p if no MSK has been established */
 		secret = verify ? this->skp_verify : this->skp_build;
@@ -561,7 +562,7 @@ static chunk_t get_psk_sig(private_keymat_t *this, bool verify,
 	DBG3(DBG_IKE, "AUTH = prf(prf(secret, keypad), octets) %B", &sig);
 	chunk_free(&octets);
 	chunk_free(&key);
-	
+
 	return sig;
 }
 
@@ -587,7 +588,7 @@ static void destroy(private_keymat_t *this)
 keymat_t *keymat_create(bool initiator)
 {
 	private_keymat_t *this = malloc_thing(private_keymat_t);
-	
+
 	this->public.create_dh = (diffie_hellman_t*(*)(keymat_t*, diffie_hellman_group_t group))create_dh;
 	this->public.derive_ike_keys = (bool(*)(keymat_t*, proposal_t *proposal, diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r, ike_sa_id_t *id, pseudo_random_function_t,chunk_t))derive_ike_keys;
 	this->public.derive_child_keys = (bool(*)(keymat_t*, proposal_t *proposal, diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r, chunk_t *encr_i, chunk_t *integ_i, chunk_t *encr_r, chunk_t *integ_r))derive_child_keys;
@@ -597,9 +598,9 @@ keymat_t *keymat_create(bool initiator)
 	this->public.get_auth_octets = (chunk_t(*)(keymat_t *, bool verify, chunk_t ike_sa_init, chunk_t nonce, identification_t *id))get_auth_octets;
 	this->public.get_psk_sig = (chunk_t(*)(keymat_t*, bool verify, chunk_t ike_sa_init, chunk_t nonce, chunk_t secret, identification_t *id))get_psk_sig;
 	this->public.destroy = (void(*)(keymat_t*))destroy;
-	
+
 	this->initiator = initiator;
-	
+
 	this->signer_in = NULL;
 	this->signer_out = NULL;
 	this->crypter_in = NULL;
@@ -609,7 +610,7 @@ keymat_t *keymat_create(bool initiator)
 	this->skd = chunk_empty;
 	this->skp_verify = chunk_empty;
 	this->skp_build = chunk_empty;
-	
+
 	return &this->public;
 }
 
diff --git a/src/charon/sa/keymat.h b/src/charon/sa/keymat.h
index 43b9dd113..e51709e8d 100644
--- a/src/charon/sa/keymat.h
+++ b/src/charon/sa/keymat.h
@@ -35,7 +35,7 @@ typedef struct keymat_t keymat_t;
  * Derivation an management of sensitive keying material.
  */
 struct keymat_t {
-	
+
 	/**
 	 * Create a diffie hellman object for key agreement.
 	 *
@@ -47,7 +47,7 @@ struct keymat_t {
 	 * @return				DH object, NULL if group not supported
 	 */
 	diffie_hellman_t* (*create_dh)(keymat_t *this, diffie_hellman_group_t group);
-	
+
 	/**
 	 * Derive keys for the IKE_SA.
 	 *
@@ -86,7 +86,7 @@ struct keymat_t {
 	 * @param integ_r	chunk to write responders integrity key to
 	 * @return			TRUE on success
 	 */
-	bool (*derive_child_keys)(keymat_t *this, 
+	bool (*derive_child_keys)(keymat_t *this,
 							  proposal_t *proposal, diffie_hellman_t *dh,
 							  chunk_t nonce_i, chunk_t nonce_r,
 							  chunk_t *encr_i, chunk_t *integ_i,
@@ -98,7 +98,7 @@ struct keymat_t {
 	 * @return			PRF function to derive keymat
 	 */
 	pseudo_random_function_t (*get_skd)(keymat_t *this, chunk_t *skd);
-	
+
 	/**
 	 * Get a signer to sign/verify IKE messages.
 	 *
@@ -106,7 +106,7 @@ struct keymat_t {
 	 * @return			signer
 	 */
 	signer_t* (*get_signer)(keymat_t *this, bool in);
-	
+
 	/*
 	 * Get a crypter to en-/decrypt IKE messages.
 	 *
@@ -114,7 +114,7 @@ struct keymat_t {
 	 * @return			crypter
 	 */
 	crypter_t* (*get_crypter)(keymat_t *this, bool in);
-	
+
 	/**
 	 * Generate octets to use for authentication procedure (RFC4306 2.15).
 	 *
@@ -160,4 +160,4 @@ struct keymat_t {
  */
 keymat_t *keymat_create(bool initiator);
 
-#endif /** KEYMAT_ @}*/
+#endif /** KEYMAT_H_ @}*/
diff --git a/src/charon/sa/mediation_manager.c b/src/charon/sa/mediation_manager.c
index a69c00173..035f49053 100644
--- a/src/charon/sa/mediation_manager.c
+++ b/src/charon/sa/mediation_manager.c
@@ -16,11 +16,10 @@
 #include "mediation_manager.h"
 
 #include <daemon.h>
-#include <utils/mutex.h>
+#include <threading/mutex.h>
 #include <utils/linked_list.h>
 #include <processing/jobs/mediation_job.h>
 
-
 typedef struct peer_t peer_t;
 
 /**
@@ -28,13 +27,13 @@ typedef struct peer_t peer_t;
  */
 struct peer_t {
 	/** id of the peer */
-    identification_t *id;
+	identification_t *id;
 
 	/** sa id of the peer, NULL if offline */
-    ike_sa_id_t *ike_sa_id;   
-    
-    /** list of peer ids that reuested this peer */
-    linked_list_t *requested_by;
+	ike_sa_id_t *ike_sa_id;
+
+	/** list of peer ids that reuested this peer */
+	linked_list_t *requested_by;
 };
 
 /**
@@ -43,8 +42,9 @@ struct peer_t {
 static void peer_destroy(peer_t *this)
 {
 	DESTROY_IF(this->id);
-    DESTROY_IF(this->ike_sa_id);
-    this->requested_by->destroy_offset(this->requested_by, offsetof(identification_t, destroy));
+	DESTROY_IF(this->ike_sa_id);
+	this->requested_by->destroy_offset(this->requested_by,
+									   offsetof(identification_t, destroy));
 	free(this);
 }
 
@@ -54,16 +54,15 @@ static void peer_destroy(peer_t *this)
 static peer_t *peer_create(identification_t *id, ike_sa_id_t* ike_sa_id)
 {
 	peer_t *this = malloc_thing(peer_t);
-	
+
 	/* clone everything */
 	this->id = id->clone(id);
-    this->ike_sa_id = ike_sa_id ? ike_sa_id->clone(ike_sa_id) : NULL;
-    this->requested_by = linked_list_create();
-    
+	this->ike_sa_id = ike_sa_id ? ike_sa_id->clone(ike_sa_id) : NULL;
+	this->requested_by = linked_list_create();
+
 	return this;
 }
 
-
 typedef struct private_mediation_manager_t private_mediation_manager_t;
 
 /**
@@ -74,7 +73,7 @@ struct private_mediation_manager_t {
 	 * Public interface of mediation_manager_t.
 	 */
 	 mediation_manager_t public;
-	
+
 	 /**
 	  * Lock for exclusivly accessing the manager.
 	  */
@@ -93,7 +92,7 @@ static void register_peer(peer_t *peer, identification_t *peer_id)
 {
 	iterator_t *iterator;
 	identification_t *current;
-	
+
 	iterator = peer->requested_by->create_iterator(peer->requested_by, TRUE);
 	while (iterator->iterate(iterator, (void**)&current))
 	{
@@ -104,20 +103,21 @@ static void register_peer(peer_t *peer, identification_t *peer_id)
 		}
 	}
 	iterator->destroy(iterator);
-	
-	peer->requested_by->insert_last(peer->requested_by, peer_id->clone(peer_id));
+
+	peer->requested_by->insert_last(peer->requested_by,
+									peer_id->clone(peer_id));
 }
 
 /**
  * Get a peer_t object by a peer's id
  */
 static status_t get_peer_by_id(private_mediation_manager_t *this,
-		identification_t *id, peer_t **peer)
+							   identification_t *id, peer_t **peer)
 {
 	iterator_t *iterator;
 	peer_t *current;
 	status_t status = NOT_FOUND;
-	
+
 	iterator = this->peers->create_iterator(this->peers, TRUE);
 	while (iterator->iterate(iterator, (void**)&current))
 	{
@@ -141,7 +141,8 @@ static status_t get_peer_by_id(private_mediation_manager_t *this,
  * and then remove peers completely that are not online and have no registered
  * peers.
  */
-static void unregister_peer(private_mediation_manager_t *this, identification_t *peer_id)
+static void unregister_peer(private_mediation_manager_t *this,
+							identification_t *peer_id)
 {
 	iterator_t *iterator, *iterator_r;
 	peer_t *peer;
@@ -150,7 +151,8 @@ static void unregister_peer(private_mediation_manager_t *this, identification_t
 	iterator = this->peers->create_iterator(this->peers, TRUE);
 	while (iterator->iterate(iterator, (void**)&peer))
 	{
-		iterator_r = peer->requested_by->create_iterator(peer->requested_by, TRUE);
+		iterator_r = peer->requested_by->create_iterator(peer->requested_by,
+														 TRUE);
 		while (iterator_r->iterate(iterator_r, (void**)&registered))
 		{
 			if (peer_id->equals(peer_id, registered))
@@ -161,7 +163,7 @@ static void unregister_peer(private_mediation_manager_t *this, identification_t
 			}
 		}
 		iterator_r->destroy(iterator_r);
-		
+
 		if (!peer->ike_sa_id && !peer->requested_by->get_count(peer->requested_by))
 		{
 			iterator->remove(iterator);
@@ -181,16 +183,16 @@ static void remove_sa(private_mediation_manager_t *this, ike_sa_id_t *ike_sa_id)
 	peer_t *peer;
 
 	this->mutex->lock(this->mutex);
-	
+
 	iterator = this->peers->create_iterator(this->peers, TRUE);
 	while (iterator->iterate(iterator, (void**)&peer))
 	{
 		if (ike_sa_id->equals(ike_sa_id, peer->ike_sa_id))
 		{
 			iterator->remove(iterator);
-			
+
 			unregister_peer(this, peer->id);
-			
+
 			peer_destroy(peer);
 			break;
 		}
@@ -222,7 +224,7 @@ static void update_sa_id(private_mediation_manager_t *this, identification_t *pe
 		}
 	}
 	iterator->destroy(iterator);
-	
+
 	if (!found)
 	{
 		DBG2(DBG_IKE, "adding peer '%Y'", peer_id);
@@ -230,18 +232,19 @@ static void update_sa_id(private_mediation_manager_t *this, identification_t *pe
 		this->peers->insert_last(this->peers, peer);
 	}
 
-	DBG2(DBG_IKE, "changing registered IKE_SA ID of peer '%Y'", peer_id);			
+	DBG2(DBG_IKE, "changing registered IKE_SA ID of peer '%Y'", peer_id);
 	peer->ike_sa_id = ike_sa_id ? ike_sa_id->clone(ike_sa_id) : NULL;
-	
+
 	/* send callbacks to registered peers */
 	identification_t *requester;
-	while(peer->requested_by->remove_last(peer->requested_by, (void**)&requester) == SUCCESS)
+	while(peer->requested_by->remove_last(peer->requested_by,
+										  (void**)&requester) == SUCCESS)
 	{
 		job_t *job = (job_t*)mediation_callback_job_create(requester, peer_id);
 		charon->processor->queue_job(charon->processor, job);
 		requester->destroy(requester);
 	}
-	
+
 	this->mutex->unlock(this->mutex);
 }
 
@@ -286,11 +289,12 @@ static ike_sa_id_t *check_and_register(private_mediation_manager_t *this,
 		peer = peer_create(peer_id, NULL);
 		this->peers->insert_last(this->peers, peer);
 	}
-	
+
 	if (!peer->ike_sa_id)
 	{
 		/* the peer is not online */
-		DBG2(DBG_IKE, "requested peer '%Y' is offline, registering peer '%Y'", peer_id, requester);
+		DBG2(DBG_IKE, "requested peer '%Y' is offline, registering peer '%Y'",
+			 peer_id, requester);
 		register_peer(peer, requester);
 		this->mutex->unlock(this->mutex);
 		return NULL;
@@ -309,9 +313,9 @@ static ike_sa_id_t *check_and_register(private_mediation_manager_t *this,
 static void destroy(private_mediation_manager_t *this)
 {
 	this->mutex->lock(this->mutex);
-	
+
 	this->peers->destroy_function(this->peers, (void*)peer_destroy);
-	
+
 	this->mutex->unlock(this->mutex);
 	this->mutex->destroy(this->mutex);
 	free(this);
@@ -329,9 +333,9 @@ mediation_manager_t *mediation_manager_create()
 	this->public.update_sa_id = (void(*)(mediation_manager_t*,identification_t*,ike_sa_id_t*))update_sa_id;
 	this->public.check = (ike_sa_id_t*(*)(mediation_manager_t*,identification_t*))check;
 	this->public.check_and_register = (ike_sa_id_t*(*)(mediation_manager_t*,identification_t*,identification_t*))check_and_register;
-	
+
 	this->peers = linked_list_create();
 	this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
-	
+
 	return (mediation_manager_t*)this;
 }
diff --git a/src/charon/sa/mediation_manager.h b/src/charon/sa/mediation_manager.h
index 29e16d84f..31a16f69c 100644
--- a/src/charon/sa/mediation_manager.h
+++ b/src/charon/sa/mediation_manager.h
@@ -31,48 +31,49 @@ typedef struct mediation_manager_t mediation_manager_t;
  * peers and registered requests for offline peers on the mediation server.
  */
 struct mediation_manager_t {
-	
+
 	/**
 	 * Remove the IKE_SA of a peer.
-	 * 
+	 *
 	 * @param ike_sa_id			the IKE_SA ID of the peer's SA
 	 */
 	void (*remove) (mediation_manager_t* this, ike_sa_id_t *ike_sa_id);
-	
+
 	/**
 	 * Update the ike_sa_id that is assigned to a peer's ID. If the peer
-	 * is new, it gets a new record assigned. 
-	 * 
+	 * is new, it gets a new record assigned.
+	 *
 	 * @param peer_id			the peer's ID
 	 * @param ike_sa_id			the IKE_SA ID of the peer's SA
 	 */
 	void (*update_sa_id) (mediation_manager_t* this, identification_t *peer_id,
-			ike_sa_id_t *ike_sa_id);
-	
+						  ike_sa_id_t *ike_sa_id);
+
 	/**
 	 * Checks if a specific peer is online.
-	 * 
+	 *
 	 * @param peer_id			the peer's ID
-	 * @returns 					
-	 * 							- IKE_SA ID of the peer's SA.
-	 * 							- NULL, if the peer is not online.
+	 * @returns
+	 *							- IKE_SA ID of the peer's SA.
+	 *							- NULL, if the peer is not online.
 	 */
 	ike_sa_id_t* (*check) (mediation_manager_t* this,
-			identification_t *peer_id);
-	
+						   identification_t *peer_id);
+
 	/**
 	 * Checks if a specific peer is online and registers the requesting
 	 * peer if it is not.
-	 * 
+	 *
 	 * @param peer_id			the peer's ID
 	 * @param requester			the requesters ID
-	 * @returns 					
-	 * 							- IKE_SA ID of the peer's SA.
-	 * 							- NULL, if the peer is not online.
+	 * @returns
+	 *							- IKE_SA ID of the peer's SA.
+	 *							- NULL, if the peer is not online.
 	 */
 	ike_sa_id_t* (*check_and_register) (mediation_manager_t* this,
-			identification_t *peer_id, identification_t *requester);
-	
+										identification_t *peer_id,
+										identification_t *requester);
+
 	/**
 	 * Destroys the manager with all data.
 	 */
@@ -81,8 +82,8 @@ struct mediation_manager_t {
 
 /**
  * Create a manager.
- * 
- * @returns 	mediation_manager_t object
+ *
+ * @returns	mediation_manager_t object
  */
 mediation_manager_t *mediation_manager_create(void);
 
diff --git a/src/charon/sa/task_manager.c b/src/charon/sa/task_manager.c
index f33fcd6d4..1de0c06f0 100644
--- a/src/charon/sa/task_manager.c
+++ b/src/charon/sa/task_manager.c
@@ -30,6 +30,7 @@
 #include <sa/tasks/ike_delete.h>
 #include <sa/tasks/ike_config.h>
 #include <sa/tasks/ike_dpd.h>
+#include <sa/tasks/ike_vendor.h>
 #include <sa/tasks/child_create.h>
 #include <sa/tasks/child_rekey.h>
 #include <sa/tasks/child_delete.h>
@@ -46,12 +47,12 @@ typedef struct exchange_t exchange_t;
  * An exchange in the air, used do detect and handle retransmission
  */
 struct exchange_t {
-	
+
 	/**
 	 * Message ID used for this transaction
 	 */
 	u_int32_t mid;
-	
+
 	/**
 	 * generated packet for retransmission
 	 */
@@ -64,17 +65,17 @@ typedef struct private_task_manager_t private_task_manager_t;
  * private data of the task manager
  */
 struct private_task_manager_t {
-	
+
 	/**
 	 * public functions
 	 */
 	task_manager_t public;
-	
+
 	/**
 	 * associated IKE_SA we are serving
 	 */
 	ike_sa_t *ike_sa;
-	
+
 	/**
 	 * Exchange we are currently handling as responder
 	 */
@@ -83,14 +84,14 @@ struct private_task_manager_t {
 		 * Message ID of the exchange
 		 */
 		u_int32_t mid;
-		
+
 		/**
 		 * packet for retransmission
 		 */
 		packet_t *packet;
-		
+
 	} responding;
-	
+
 	/**
 	 * Exchange we are currently handling as initiator
 	 */
@@ -99,7 +100,7 @@ struct private_task_manager_t {
 		 * Message ID of the exchange
 		 */
 		u_int32_t mid;
-		
+
 		/**
 		 * how many times we have retransmitted so far
 		 */
@@ -109,33 +110,48 @@ struct private_task_manager_t {
 		 * packet for retransmission
 		 */
 		packet_t *packet;
-		
+
 		/**
 		 * type of the initated exchange
 		 */
 		exchange_type_t type;
-	
+
 	} initiating;
-	
+
 	/**
 	 * List of queued tasks not yet in action
 	 */
 	linked_list_t *queued_tasks;
-	
+
 	/**
 	 * List of active tasks, initiated by ourselve
 	 */
 	linked_list_t *active_tasks;
-	
+
 	/**
 	 * List of tasks initiated by peer
 	 */
 	linked_list_t *passive_tasks;
-	
+
 	/**
-	 * the task manager has been reset 
+	 * the task manager has been reset
 	 */
 	bool reset;
+
+	/**
+	 * Number of times we retransmit messages before giving up
+	 */
+	u_int retransmit_tries;
+
+	/**
+	 * Retransmission timeout
+	 */
+	double retransmit_timeout;
+
+	/**
+	 * Base to calculate retransmission timeout
+	 */
+	double retransmit_base;
 };
 
 /**
@@ -143,7 +159,7 @@ struct private_task_manager_t {
  */
 static void flush(private_task_manager_t *this)
 {
-	this->queued_tasks->destroy_offset(this->queued_tasks, 
+	this->queued_tasks->destroy_offset(this->queued_tasks,
 										offsetof(task_t, destroy));
 	this->passive_tasks->destroy_offset(this->passive_tasks,
 										offsetof(task_t, destroy));
@@ -162,7 +178,7 @@ static bool activate_task(private_task_manager_t *this, task_type_t type)
 	iterator_t *iterator;
 	task_t *task;
 	bool found = FALSE;
-	
+
 	iterator = this->queued_tasks->create_iterator(this->queued_tasks, TRUE);
 	while (iterator->iterate(iterator, (void**)&task))
 	{
@@ -192,7 +208,7 @@ static status_t retransmit(private_task_manager_t *this, u_int32_t message_id)
 		packet_t *packet;
 		task_t *task;
 		ike_mobike_t *mobike = NULL;
-		
+
 		/* check if we are retransmitting a MOBIKE routability check */
 		iterator = this->active_tasks->create_iterator(this->active_tasks, TRUE);
 		while (iterator->iterate(iterator, (void*)&task))
@@ -211,10 +227,10 @@ static status_t retransmit(private_task_manager_t *this, u_int32_t message_id)
 
 		if (mobike == NULL)
 		{
-			if (this->initiating.retransmitted <= RETRANSMIT_TRIES)
+			if (this->initiating.retransmitted <= this->retransmit_tries)
 			{
-				timeout = (u_int32_t)(RETRANSMIT_TIMEOUT *
-							pow(RETRANSMIT_BASE, this->initiating.retransmitted));
+				timeout = (u_int32_t)(this->retransmit_timeout * 1000.0 *
+					pow(this->retransmit_base, this->initiating.retransmitted));
 			}
 			else
 			{
@@ -226,13 +242,14 @@ static status_t retransmit(private_task_manager_t *this, u_int32_t message_id)
 				}
 				return DESTROY_ME;
 			}
-			
+
 			if (this->initiating.retransmitted)
 			{
 				DBG1(DBG_IKE, "retransmit %d of request with message ID %d",
 					 this->initiating.retransmitted, message_id);
 			}
 			packet = this->initiating.packet->clone(this->initiating.packet);
+			charon->sender->send(charon->sender, packet);
 		}
 		else
 		{	/* for routeability checks, we use a more aggressive behavior */
@@ -247,18 +264,15 @@ static status_t retransmit(private_task_manager_t *this, u_int32_t message_id)
 				charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
 				return DESTROY_ME;
 			}
-			
+
 			if (this->initiating.retransmitted)
 			{
 				DBG1(DBG_IKE, "path probing attempt %d",
 					 this->initiating.retransmitted);
 			}
-			packet = this->initiating.packet->clone(this->initiating.packet);
-			mobike->transmit(mobike, packet);
+			mobike->transmit(mobike, this->initiating.packet);
 		}
-		
-		charon->sender->send(charon->sender, packet);
-		
+
 		this->initiating.retransmitted++;
 		job = (job_t*)retransmit_job_create(this->initiating.mid,
 											this->ike_sa->get_id(this->ike_sa));
@@ -279,14 +293,14 @@ static status_t build_request(private_task_manager_t *this)
 	host_t *me, *other;
 	status_t status;
 	exchange_type_t exchange = 0;
-	
+
 	if (this->initiating.type != EXCHANGE_TYPE_UNDEFINED)
 	{
 		DBG2(DBG_IKE, "delaying task initiation, exchange in progress");
 		/* do not initiate if we already have a message in the air */
 		return SUCCESS;
 	}
-	
+
 	if (this->active_tasks->get_count(this->active_tasks) == 0)
 	{
 		DBG2(DBG_IKE, "activating new tasks");
@@ -297,6 +311,7 @@ static status_t build_request(private_task_manager_t *this)
 				{
 					this->initiating.mid = 0;
 					exchange = IKE_SA_INIT;
+					activate_task(this, IKE_VENDOR);
 					activate_task(this, IKE_NATD);
 					activate_task(this, IKE_CERT_PRE);
 #ifdef ME
@@ -402,17 +417,17 @@ static status_t build_request(private_task_manager_t *this)
 		}
 		iterator->destroy(iterator);
 	}
-	
+
 	if (exchange == 0)
 	{
 		DBG2(DBG_IKE, "nothing to initiate");
 		/* nothing to do yet... */
 		return SUCCESS;
 	}
-	
+
 	me = this->ike_sa->get_my_host(this->ike_sa);
 	other = this->ike_sa->get_other_host(this->ike_sa);
-	
+
 	message = message_create();
 	message->set_message_id(message, this->initiating.mid);
 	message->set_source(message, me->clone(me));
@@ -420,7 +435,7 @@ static status_t build_request(private_task_manager_t *this)
 	message->set_exchange_type(message, exchange);
 	this->initiating.type = exchange;
 	this->initiating.retransmitted = 0;
-	
+
 	iterator = this->active_tasks->create_iterator(this->active_tasks, TRUE);
 	while (iterator->iterate(iterator, (void*)&task))
 	{
@@ -450,10 +465,11 @@ static status_t build_request(private_task_manager_t *this)
 		}
 	}
 	iterator->destroy(iterator);
-	
+
 	/* update exchange type if a task changed it */
 	this->initiating.type = message->get_exchange_type(message);
-	
+
+	charon->bus->message(charon->bus, message, FALSE);
 	status = this->ike_sa->generate_message(this->ike_sa, message,
 											&this->initiating.packet);
 	if (status != SUCCESS)
@@ -465,10 +481,8 @@ static status_t build_request(private_task_manager_t *this)
 		charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
 		return DESTROY_ME;
 	}
-	
-	charon->bus->message(charon->bus, message, FALSE);
 	message->destroy(message);
-	
+
 	return retransmit(this, this->initiating.mid);
 }
 
@@ -480,7 +494,7 @@ static status_t process_response(private_task_manager_t *this,
 {
 	iterator_t *iterator;
 	task_t *task;
-	
+
 	if (message->get_exchange_type(message) != this->initiating.type)
 	{
 		DBG1(DBG_IKE, "received %N response, but expected %N",
@@ -489,7 +503,7 @@ static status_t process_response(private_task_manager_t *this,
 		charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
 		return DESTROY_ME;
 	}
-	
+
 	/* catch if we get resetted while processing */
 	this->reset = FALSE;
 	iterator = this->active_tasks->create_iterator(this->active_tasks, TRUE);
@@ -521,15 +535,15 @@ static status_t process_response(private_task_manager_t *this,
 			this->reset = FALSE;
 			iterator->destroy(iterator);
 			return build_request(this);
-		}	
+		}
 	}
 	iterator->destroy(iterator);
-	
+
 	this->initiating.mid++;
 	this->initiating.type = EXCHANGE_TYPE_UNDEFINED;
 	this->initiating.packet->destroy(this->initiating.packet);
 	this->initiating.packet = NULL;
-	
+
 	return build_request(this);
 }
 
@@ -541,9 +555,9 @@ static void handle_collisions(private_task_manager_t *this, task_t *task)
 	iterator_t *iterator;
 	task_t *active;
 	task_type_t type;
-	
+
 	type = task->get_type(task);
-	
+
 	/* do we have to check  */
 	if (type == IKE_REKEY || type == CHILD_REKEY ||
 		type == CHILD_DELETE || type == IKE_DELETE || type == IKE_REAUTH)
@@ -594,10 +608,10 @@ static status_t build_response(private_task_manager_t *this, message_t *request)
 	host_t *me, *other;
 	bool delete = FALSE;
 	status_t status;
-	
+
 	me = request->get_destination(request);
 	other = request->get_source(request);
-	
+
 	message = message_create();
 	message->set_exchange_type(message, request->get_exchange_type(request));
 	/* send response along the path the request came in */
@@ -605,7 +619,7 @@ static status_t build_response(private_task_manager_t *this, message_t *request)
 	message->set_destination(message, other->clone(other));
 	message->set_message_id(message, this->responding.mid);
 	message->set_request(message, FALSE);
-	
+
 	iterator = this->passive_tasks->create_iterator(this->passive_tasks, TRUE);
 	while (iterator->iterate(iterator, (void*)&task))
 	{
@@ -633,27 +647,27 @@ static status_t build_response(private_task_manager_t *this, message_t *request)
 		}
 	}
 	iterator->destroy(iterator);
-	
+
 	/* remove resonder SPI if IKE_SA_INIT failed */
 	if (delete && request->get_exchange_type(request) == IKE_SA_INIT)
 	{
 		ike_sa_id_t *id = this->ike_sa->get_id(this->ike_sa);
 		id->set_responder_spi(id, 0);
 	}
-	
+
 	/* message complete, send it */
 	DESTROY_IF(this->responding.packet);
 	this->responding.packet = NULL;
+	charon->bus->message(charon->bus, message, FALSE);
 	status = this->ike_sa->generate_message(this->ike_sa, message,
 											&this->responding.packet);
-	charon->bus->message(charon->bus, message, FALSE);
 	message->destroy(message);
 	if (status != SUCCESS)
 	{
 		charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
 		return DESTROY_ME;
 	}
-	
+
 	charon->sender->send(charon->sender,
 						 this->responding.packet->clone(this->responding.packet));
 	if (delete)
@@ -675,7 +689,7 @@ static status_t process_request(private_task_manager_t *this,
 	payload_t *payload;
 	notify_payload_t *notify;
 	delete_payload_t *delete;
-	
+
 	if (this->passive_tasks->get_count(this->passive_tasks) == 0)
 	{	/* create tasks depending on request type, if not already some queued */
 		switch (message->get_exchange_type(message))
@@ -684,11 +698,13 @@ static status_t process_request(private_task_manager_t *this,
 			{
 				task = (task_t*)ike_init_create(this->ike_sa, FALSE, NULL);
 				this->passive_tasks->insert_last(this->passive_tasks, task);
+				task = (task_t*)ike_vendor_create(this->ike_sa, FALSE);
+				this->passive_tasks->insert_last(this->passive_tasks, task);
 				task = (task_t*)ike_natd_create(this->ike_sa, FALSE);
 				this->passive_tasks->insert_last(this->passive_tasks, task);
 				task = (task_t*)ike_cert_pre_create(this->ike_sa, FALSE);
 				this->passive_tasks->insert_last(this->passive_tasks, task);
-#ifdef ME			
+#ifdef ME
 				task = (task_t*)ike_me_create(this->ike_sa, FALSE);
 				this->passive_tasks->insert_last(this->passive_tasks, task);
 #endif /* ME */
@@ -737,7 +753,7 @@ static status_t process_request(private_task_manager_t *this,
 					}
 				}
 				enumerator->destroy(enumerator);
-				
+
 				if (ts_found)
 				{
 					if (notify_found)
@@ -816,7 +832,7 @@ static status_t process_request(private_task_manager_t *this,
 					}
 				}
 				enumerator->destroy(enumerator);
-			
+
 				if (task == NULL)
 				{
 					task = (task_t*)ike_dpd_create(FALSE);
@@ -835,7 +851,7 @@ static status_t process_request(private_task_manager_t *this,
 				break;
 		}
 	}
-	
+
 	/* let the tasks process the message */
 	iterator = this->passive_tasks->create_iterator(this->passive_tasks, TRUE);
 	while (iterator->iterate(iterator, (void*)&task))
@@ -863,7 +879,7 @@ static status_t process_request(private_task_manager_t *this,
 		}
 	}
 	iterator->destroy(iterator);
-	
+
 	return build_response(this, message);
 }
 
@@ -873,7 +889,7 @@ static status_t process_request(private_task_manager_t *this,
 static status_t process_message(private_task_manager_t *this, message_t *msg)
 {
 	u_int32_t mid = msg->get_message_id(msg);
-	
+
 	if (msg->get_request(msg))
 	{
 		if (mid == this->responding.mid)
@@ -890,9 +906,9 @@ static status_t process_message(private_task_manager_t *this, message_t *msg)
 		{
 			packet_t *clone;
 			host_t *me, *other;
-			
+
 			DBG1(DBG_IKE, "received retransmit of request with ID %d, "
-			 	 "retransmitting response", mid);
+				 "retransmitting response", mid);
 			clone = this->responding.packet->clone(this->responding.packet);
 			me = msg->get_destination(msg);
 			other = msg->get_source(msg);
@@ -935,7 +951,7 @@ static void queue_task(private_task_manager_t *this, task_t *task)
 	{	/*  there is no need to queue more than one mobike task */
 		iterator_t *iterator;
 		task_t *current;
-		
+
 		iterator = this->queued_tasks->create_iterator(this->queued_tasks, TRUE);
 		while (iterator->iterate(iterator, (void**)&current))
 		{
@@ -958,7 +974,7 @@ static void queue_task(private_task_manager_t *this, task_t *task)
 static void adopt_tasks(private_task_manager_t *this, private_task_manager_t *other)
 {
 	task_t *task;
-	
+
 	/* move queued tasks from other to this */
 	while (other->queued_tasks->remove_last(other->queued_tasks,
 												(void**)&task) == SUCCESS)
@@ -984,7 +1000,7 @@ static void reset(private_task_manager_t *this,
 				  u_int32_t initiate, u_int32_t respond)
 {
 	task_t *task;
-	
+
 	/* reset message counters and retransmit packets */
 	DESTROY_IF(this->responding.packet);
 	DESTROY_IF(this->initiating.packet);
@@ -999,7 +1015,7 @@ static void reset(private_task_manager_t *this,
 		this->responding.mid = respond;
 	}
 	this->initiating.type = EXCHANGE_TYPE_UNDEFINED;
-	
+
 	/* reset active tasks */
 	while (this->active_tasks->remove_last(this->active_tasks,
 										   (void**)&task) == SUCCESS)
@@ -1007,7 +1023,7 @@ static void reset(private_task_manager_t *this,
 		task->migrate(task, this->ike_sa);
 		this->queued_tasks->insert_first(this->queued_tasks, task);
 	}
-	
+
 	this->reset = TRUE;
 }
 
@@ -1017,11 +1033,11 @@ static void reset(private_task_manager_t *this,
 static void destroy(private_task_manager_t *this)
 {
 	flush(this);
-	
+
 	this->active_tasks->destroy(this->active_tasks);
 	this->queued_tasks->destroy(this->queued_tasks);
 	this->passive_tasks->destroy(this->passive_tasks);
-	
+
 	DESTROY_IF(this->responding.packet);
 	DESTROY_IF(this->initiating.packet);
 	free(this);
@@ -1033,7 +1049,7 @@ static void destroy(private_task_manager_t *this)
 task_manager_t *task_manager_create(ike_sa_t *ike_sa)
 {
 	private_task_manager_t *this = malloc_thing(private_task_manager_t);
-	
+
 	this->public.process_message = (status_t(*)(task_manager_t*,message_t*))process_message;
 	this->public.queue_task = (void(*)(task_manager_t*,task_t*))queue_task;
 	this->public.initiate = (status_t(*)(task_manager_t*))build_request;
@@ -1042,7 +1058,7 @@ task_manager_t *task_manager_create(ike_sa_t *ike_sa)
 	this->public.adopt_tasks = (void(*)(task_manager_t*,task_manager_t*))adopt_tasks;
 	this->public.busy = (bool(*)(task_manager_t*))busy;
 	this->public.destroy = (void(*)(task_manager_t*))destroy;
-	
+
 	this->ike_sa = ike_sa;
 	this->responding.packet = NULL;
 	this->initiating.packet = NULL;
@@ -1053,6 +1069,14 @@ task_manager_t *task_manager_create(ike_sa_t *ike_sa)
 	this->active_tasks = linked_list_create();
 	this->passive_tasks = linked_list_create();
 	this->reset = FALSE;
-	
+
+	this->retransmit_tries = lib->settings->get_int(lib->settings,
+								"charon.retransmit_tries", RETRANSMIT_TRIES);
+	this->retransmit_timeout = lib->settings->get_double(lib->settings,
+								"charon.retransmit_timeout", RETRANSMIT_TIMEOUT);
+	this->retransmit_base = lib->settings->get_double(lib->settings,
+								"charon.retransmit_base", RETRANSMIT_BASE);
+
 	return &this->public;
 }
+
diff --git a/src/charon/sa/task_manager.h b/src/charon/sa/task_manager.h
index 9c3b2cc87..731ed4898 100644
--- a/src/charon/sa/task_manager.h
+++ b/src/charon/sa/task_manager.h
@@ -31,9 +31,9 @@ typedef struct task_manager_t task_manager_t;
 #include <sa/tasks/task.h>
 
 /**
- * First retransmit timeout in milliseconds.
+ * First retransmit timeout in seconds.
  */
-#define RETRANSMIT_TIMEOUT 4000
+#define RETRANSMIT_TIMEOUT 4.0
 
 /**
  * Base which is raised to the power of the retransmission try.
@@ -69,7 +69,7 @@ typedef struct task_manager_t task_manager_t;
  * For the initial IKE_SA setup, several tasks are queued: One for the
  * unauthenticated IKE_SA setup, one for authentication, one for CHILD_SA setup
  * and maybe one for virtual IP assignement.
- * The task manager is also responsible for retransmission. It uses a backoff 
+ * The task manager is also responsible for retransmission. It uses a backoff
  * algorithm. The timeout is calculated using
  * RETRANSMIT_TIMEOUT * (RETRANSMIT_BASE ** try).
  * When try reaches RETRANSMIT_TRIES, retransmission is given up.
@@ -84,7 +84,7 @@ typedef struct task_manager_t task_manager_t;
    4s * (1.8 ** 3) =   23s        47s
    4s * (1.8 ** 4) =   42s        89s
    4s * (1.8 ** 5) =   76s       165s
- 
+
    @endverbatim
  * The peer is considered dead after 2min 45s when no reply comes in.
  */
@@ -92,10 +92,10 @@ struct task_manager_t {
 
 	/**
 	 * Process an incoming message.
-	 * 
+	 *
 	 * @param message		message to add payloads to
 	 * @return
-	 * 						- DESTROY_ME if IKE_SA must be closed
+	 *						- DESTROY_ME if IKE_SA must be closed
 	 *						- SUCCESS otherwise
 	 */
 	status_t (*process_message) (task_manager_t *this, message_t *message);
@@ -118,24 +118,24 @@ struct task_manager_t {
 	 * A return value of INVALID_STATE means that the message was already
 	 * acknowledged and has not to be retransmitted. A return value of SUCCESS
 	 * means retransmission was required and the message has been resent.
-	 * 
+	 *
 	 * @param message_id	ID of the message to retransmit
 	 * @return
-	 * 						- INVALID_STATE if retransmission not required
+	 *						- INVALID_STATE if retransmission not required
 	 *						- SUCCESS if retransmission sent
 	 */
 	status_t (*retransmit) (task_manager_t *this, u_int32_t message_id);
-	
+
 	/**
 	 * Migrate all tasks from other to this.
 	 *
 	 * To rekey or reestablish an IKE_SA completely, all queued or active
 	 * tasks should get migrated to the new IKE_SA.
-	 * 
+	 *
 	 * @param other			manager which gives away its tasks
 	 */
 	void (*adopt_tasks) (task_manager_t *this, task_manager_t *other);
-	
+
 	/**
 	 * Reset message ID counters of the task manager.
 	 *
@@ -149,14 +149,14 @@ struct task_manager_t {
 	 * @param respond		message ID to respond to exchanges (expect)
 	 */
 	void (*reset) (task_manager_t *this, u_int32_t initiate, u_int32_t respond);
-	
+
 	/**
 	 * Check if we are currently waiting for a reply.
 	 *
 	 * @return				TRUE if we are waiting, FALSE otherwise
 	 */
 	bool (*busy) (task_manager_t *this);
-	
+
 	/**
 	 * Destroy the task_manager_t.
 	 */
diff --git a/src/charon/sa/tasks/child_create.c b/src/charon/sa/tasks/child_create.c
index 558938f2e..3f002f263 100644
--- a/src/charon/sa/tasks/child_create.c
+++ b/src/charon/sa/tasks/child_create.c
@@ -19,12 +19,14 @@
 
 #include <daemon.h>
 #include <crypto/diffie_hellman.h>
+#include <credentials/certificates/x509.h>
 #include <encoding/payloads/sa_payload.h>
 #include <encoding/payloads/ke_payload.h>
 #include <encoding/payloads/ts_payload.h>
 #include <encoding/payloads/nonce_payload.h>
 #include <encoding/payloads/notify_payload.h>
 #include <processing/jobs/delete_ike_sa_job.h>
+#include <processing/jobs/inactivity_job.h>
 
 
 typedef struct private_child_create_t private_child_create_t;
@@ -33,132 +35,132 @@ typedef struct private_child_create_t private_child_create_t;
  * Private members of a child_create_t task.
  */
 struct private_child_create_t {
-	
+
 	/**
 	 * Public methods and task_t interface.
 	 */
 	child_create_t public;
-	
+
 	/**
 	 * Assigned IKE_SA.
 	 */
 	ike_sa_t *ike_sa;
-	
+
 	/**
 	 * Are we the initiator?
 	 */
 	bool initiator;
-	
+
 	/**
 	 * nonce chosen by us
 	 */
 	chunk_t my_nonce;
-	
+
 	/**
 	 * nonce chosen by peer
 	 */
 	chunk_t other_nonce;
-	
+
 	/**
 	 * config to create the CHILD_SA from
 	 */
 	child_cfg_t *config;
-	
+
 	/**
 	 * list of proposal candidates
 	 */
 	linked_list_t *proposals;
-	
+
 	/**
 	 * selected proposal to use for CHILD_SA
 	 */
 	proposal_t *proposal;
-	
+
 	/**
 	 * traffic selectors for initiators side
 	 */
 	linked_list_t *tsi;
-	
+
 	/**
 	 * traffic selectors for responders side
 	 */
 	linked_list_t *tsr;
-	
+
 	/**
 	 * source of triggering packet
 	 */
 	traffic_selector_t *packet_tsi;
-	
+
 	/**
 	 * destination of triggering packet
 	 */
 	traffic_selector_t *packet_tsr;
-	
+
 	/**
 	 * optional diffie hellman exchange
 	 */
 	diffie_hellman_t *dh;
-	
+
 	/**
 	 * group used for DH exchange
 	 */
 	diffie_hellman_group_t dh_group;
-	
+
 	/**
 	 * IKE_SAs keymat
 	 */
 	keymat_t *keymat;
-	
+
 	/**
 	 * mode the new CHILD_SA uses (transport/tunnel/beet)
 	 */
 	ipsec_mode_t mode;
-	
+
 	/**
 	 * IPComp transform to use
 	 */
 	ipcomp_transform_t ipcomp;
-	
+
 	/**
 	 * IPComp transform proposed or accepted by the other peer
 	 */
 	ipcomp_transform_t ipcomp_received;
-	
+
 	/**
 	 * Own allocated SPI
 	 */
 	u_int32_t my_spi;
-	
+
 	/**
 	 * SPI received in proposal
 	 */
 	u_int32_t other_spi;
-	
+
 	/**
 	 * Own allocated Compression Parameter Index (CPI)
 	 */
 	u_int16_t my_cpi;
-	
+
 	/**
 	 * Other Compression Parameter Index (CPI), received via IPCOMP_SUPPORTED
 	 */
 	u_int16_t other_cpi;
-	
+
 	/**
 	 * reqid to use if we are rekeying
 	 */
 	u_int32_t reqid;
-	
+
 	/**
 	 * CHILD_SA which gets established
 	 */
 	child_sa_t *child_sa;
-	
+
 	/**
 	 * successfully established the CHILD?
 	 */
 	bool established;
-	
+
 	/**
 	 * whether the CHILD_SA rekeys an existing one
 	 */
@@ -171,7 +173,7 @@ struct private_child_create_t {
 static status_t get_nonce(message_t *message, chunk_t *nonce)
 {
 	nonce_payload_t *payload;
-	
+
 	payload = (nonce_payload_t*)message->get_payload(message, NONCE);
 	if (payload == NULL)
 	{
@@ -187,7 +189,7 @@ static status_t get_nonce(message_t *message, chunk_t *nonce)
 static status_t generate_nonce(chunk_t *nonce)
 {
 	rng_t *rng;
-	
+
 	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
 	if (!rng)
 	{
@@ -207,7 +209,7 @@ static bool ts_list_is_host(linked_list_t *list, host_t *host)
 	traffic_selector_t *ts;
 	bool is_host = TRUE;
 	iterator_t *iterator = list->create_iterator(list, TRUE);
-	
+
 	while (is_host && iterator->iterate(iterator, (void**)&ts))
 	{
 		is_host = is_host && ts->is_host(ts, host);
@@ -223,8 +225,8 @@ static bool allocate_spi(private_child_create_t *this)
 {
 	enumerator_t *enumerator;
 	proposal_t *proposal;
-	
-	/* TODO: allocate additional SPI for AH if we have such proposals */ 
+
+	/* TODO: allocate additional SPI for AH if we have such proposals */
 	this->my_spi = this->child_sa->alloc_spi(this->child_sa, PROTO_ESP);
 	if (this->my_spi)
 	{
@@ -246,6 +248,25 @@ static bool allocate_spi(private_child_create_t *this)
 	return FALSE;
 }
 
+/**
+ * Schedule inactivity timeout for CHILD_SA with reqid, if enabled
+ */
+static void schedule_inactivity_timeout(private_child_create_t *this)
+{
+	u_int32_t timeout;
+	bool close_ike;
+
+	timeout = this->config->get_inactivity(this->config);
+	if (timeout)
+	{
+		close_ike = lib->settings->get_bool(lib->settings,
+										"charon.inactivity_close_ike", FALSE);
+		charon->scheduler->schedule_job(charon->scheduler, (job_t*)
+				inactivity_job_create(this->child_sa->get_reqid(this->child_sa),
+									  timeout, close_ike), timeout);
+	}
+}
+
 /**
  * Install a CHILD_SA for usage, return value:
  * - FAILED: no acceptable proposal
@@ -260,7 +281,8 @@ static status_t select_and_install(private_child_create_t *this, bool no_dh)
 	chunk_t integ_i = chunk_empty, integ_r = chunk_empty;
 	linked_list_t *my_ts, *other_ts;
 	host_t *me, *other, *other_vip, *my_vip;
-	
+	bool private;
+
 	if (this->proposals == NULL)
 	{
 		DBG1(DBG_IKE, "SA payload missing in message");
@@ -271,32 +293,33 @@ static status_t select_and_install(private_child_create_t *this, bool no_dh)
 		DBG1(DBG_IKE, "TS payloads missing in message");
 		return NOT_FOUND;
 	}
-	
+
 	me = this->ike_sa->get_my_host(this->ike_sa);
 	other = this->ike_sa->get_other_host(this->ike_sa);
 	my_vip = this->ike_sa->get_virtual_ip(this->ike_sa, TRUE);
 	other_vip = this->ike_sa->get_virtual_ip(this->ike_sa, FALSE);
-	
-	this->proposal = this->config->select_proposal(this->config, this->proposals,
-												   no_dh);
+
+	private = this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN);
+	this->proposal = this->config->select_proposal(this->config,
+											this->proposals, no_dh, private);
 	if (this->proposal == NULL)
 	{
 		DBG1(DBG_IKE, "no acceptable proposal found");
 		return FAILED;
 	}
 	this->other_spi = this->proposal->get_spi(this->proposal);
-	
+
 	if (!this->initiator && !allocate_spi(this))
 	{	/* responder has no SPI allocated yet */
 		DBG1(DBG_IKE, "allocating SPI failed");
 		return FAILED;
 	}
 	this->child_sa->set_proposal(this->child_sa, this->proposal);
-	
+
 	if (!this->proposal->has_dh_group(this->proposal, this->dh_group))
 	{
 		u_int16_t group;
-		
+
 		if (this->proposal->get_algorithm(this->proposal, DIFFIE_HELLMAN_GROUP,
 										  &group, NULL))
 		{
@@ -312,7 +335,7 @@ static status_t select_and_install(private_child_create_t *this, bool no_dh)
 			return FAILED;
 		}
 	}
-	
+
 	if (my_vip == NULL)
 	{
 		my_vip = me;
@@ -321,7 +344,7 @@ static status_t select_and_install(private_child_create_t *this, bool no_dh)
 	{
 		other_vip = other;
 	}
-	
+
 	if (this->initiator)
 	{
 		nonce_i = this->my_nonce;
@@ -338,9 +361,9 @@ static status_t select_and_install(private_child_create_t *this, bool no_dh)
 	}
 	my_ts = this->config->get_traffic_selectors(this->config, TRUE, my_ts,
 												my_vip);
-	other_ts = this->config->get_traffic_selectors(this->config, FALSE, other_ts, 
+	other_ts = this->config->get_traffic_selectors(this->config, FALSE, other_ts,
 												   other_vip);
-	
+
 	if (my_ts->get_count(my_ts) == 0 || other_ts->get_count(other_ts) == 0)
 	{
 		my_ts->destroy_offset(my_ts, offsetof(traffic_selector_t, destroy));
@@ -348,7 +371,7 @@ static status_t select_and_install(private_child_create_t *this, bool no_dh)
 		DBG1(DBG_IKE, "no acceptable traffic selectors found");
 		return NOT_FOUND;
 	}
-	
+
 	this->tsr->destroy_offset(this->tsr, offsetof(traffic_selector_t, destroy));
 	this->tsi->destroy_offset(this->tsi, offsetof(traffic_selector_t, destroy));
 	if (this->initiator)
@@ -361,7 +384,7 @@ static status_t select_and_install(private_child_create_t *this, bool no_dh)
 		this->tsr = my_ts;
 		this->tsi = other_ts;
 	}
-	
+
 	if (!this->initiator)
 	{
 		/* check if requested mode is acceptable, downgrade if required */
@@ -394,13 +417,73 @@ static status_t select_and_install(private_child_create_t *this, bool no_dh)
 				break;
 		}
 	}
-	
+
+	/* check for any certificate-based IP address block constraints */
+	if (this->mode == MODE_BEET || this->mode == MODE_TUNNEL)
+	{
+		auth_cfg_t *auth;
+		enumerator_t *auth_enum;
+		certificate_t *cert = NULL;
+
+		auth_enum = this->ike_sa->create_auth_cfg_enumerator(this->ike_sa, FALSE);
+		while (auth_enum->enumerate(auth_enum, &auth))
+		{
+			cert = auth->get(auth, AUTH_HELPER_SUBJECT_CERT);
+			if (cert)
+			{
+				break;
+			}
+		}
+		auth_enum->destroy(auth_enum);
+
+		if (cert && cert->get_type(cert) == CERT_X509)
+		{
+			x509_t *x509 = (x509_t*)cert;
+
+			if (x509->get_flags(x509) & X509_IP_ADDR_BLOCKS)
+			{
+				enumerator_t *enumerator, *block_enum;
+				traffic_selector_t *ts, *block_ts;
+
+				DBG1(DBG_IKE, "checking certificate-based traffic selector "
+							  "constraints [RFC 3779]");
+				enumerator = other_ts->create_enumerator(other_ts);
+				while (enumerator->enumerate(enumerator, &ts))
+				{
+					bool contained = FALSE;
+
+					block_enum = x509->create_ipAddrBlock_enumerator(x509);
+					while (block_enum->enumerate(block_enum, &block_ts))
+					{
+						if (ts->is_contained_in(ts, block_ts))
+						{
+							DBG1(DBG_IKE, "  TS %R is contained in address block"
+										  " constraint %R", ts, block_ts);
+							contained = TRUE;
+							break;
+						}
+					}
+					block_enum->destroy(block_enum);
+
+					if (!contained)
+					{
+						DBG1(DBG_IKE, "  TS %R is not contained in any"
+									  " address block constraint", ts);
+						enumerator->destroy(enumerator);
+						return FAILED;
+					}
+				}
+				enumerator->destroy(enumerator);
+			}
+		}
+	}
+
 	this->child_sa->set_state(this->child_sa, CHILD_INSTALLING);
 	this->child_sa->set_ipcomp(this->child_sa, this->ipcomp);
 	this->child_sa->set_mode(this->child_sa, this->mode);
 	this->child_sa->set_protocol(this->child_sa,
 								 this->proposal->get_protocol(this->proposal));
-	
+
 	if (this->my_cpi == 0 || this->other_cpi == 0 || this->ipcomp == IPCOMP_NONE)
 	{
 		this->my_cpi = this->other_cpi = 0;
@@ -408,28 +491,28 @@ static status_t select_and_install(private_child_create_t *this, bool no_dh)
 	}
 	status_i = status_o = FAILED;
 	if (this->keymat->derive_child_keys(this->keymat, this->proposal,
-			this->dh, nonce_i, nonce_r,	&encr_i, &integ_i, &encr_r, &integ_r))
+			this->dh, nonce_i, nonce_r, &encr_i, &integ_i, &encr_r, &integ_r))
 	{
 		if (this->initiator)
 		{
 			status_i = this->child_sa->install(this->child_sa, encr_r, integ_r,
-										this->my_spi, this->my_cpi, TRUE);
+					this->my_spi, this->my_cpi, TRUE, my_ts, other_ts);
 			status_o = this->child_sa->install(this->child_sa, encr_i, integ_i,
-										this->other_spi, this->other_cpi, FALSE);
+					this->other_spi, this->other_cpi, FALSE, my_ts, other_ts);
 		}
 		else
 		{
 			status_i = this->child_sa->install(this->child_sa, encr_i, integ_i,
-										this->my_spi, this->my_cpi, TRUE);
+					this->my_spi, this->my_cpi, TRUE, my_ts, other_ts);
 			status_o = this->child_sa->install(this->child_sa, encr_r, integ_r,
-										this->other_spi, this->other_cpi, FALSE);
+					this->other_spi, this->other_cpi, FALSE, my_ts, other_ts);
 		}
 	}
 	chunk_clear(&integ_i);
 	chunk_clear(&integ_r);
 	chunk_clear(&encr_i);
 	chunk_clear(&encr_r);
-	
+
 	if (status_i != SUCCESS || status_o != SUCCESS)
 	{
 		DBG1(DBG_IKE, "unable to install %s%s%sIPsec SA (SAD) in kernel",
@@ -438,21 +521,26 @@ static status_t select_and_install(private_child_create_t *this, bool no_dh)
 			(status_o != SUCCESS) ? "outbound " : "");
 		return FAILED;
 	}
-	
+
 	status = this->child_sa->add_policies(this->child_sa, my_ts, other_ts);
 	if (status != SUCCESS)
-	{	
+	{
 		DBG1(DBG_IKE, "unable to install IPsec policies (SPD) in kernel");
 		return NOT_FOUND;
 	}
-	
+
 	charon->bus->child_keys(charon->bus, this->child_sa, this->dh,
 							nonce_i, nonce_r);
-	
+
 	/* add to IKE_SA, and remove from task */
 	this->child_sa->set_state(this->child_sa, CHILD_INSTALLED);
 	this->ike_sa->add_child_sa(this->ike_sa, this->child_sa);
 	this->established = TRUE;
+
+	if (!this->rekey)
+	{	/* a rekeyed SA uses the same reqid, no need for a new job */
+		schedule_inactivity_timeout(this);
+	}
 	return SUCCESS;
 }
 
@@ -476,7 +564,7 @@ static void build_payloads(private_child_create_t *this, message_t *message)
 		sa_payload = sa_payload_create_from_proposal(this->proposal);
 	}
 	message->add_payload(message, (payload_t*)sa_payload);
-	
+
 	/* add nonce payload if not in IKE_AUTH */
 	if (message->get_exchange_type(message) == CREATE_CHILD_SA)
 	{
@@ -484,14 +572,14 @@ static void build_payloads(private_child_create_t *this, message_t *message)
 		nonce_payload->set_nonce(nonce_payload, this->my_nonce);
 		message->add_payload(message, (payload_t*)nonce_payload);
 	}
-	
+
 	/* diffie hellman exchange, if PFS enabled */
 	if (this->dh)
 	{
 		ke_payload = ke_payload_create_from_diffie_hellman(this->dh);
 		message->add_payload(message, (payload_t*)ke_payload);
 	}
-	
+
 	/* add TSi/TSr payloads */
 	ts_payload = ts_payload_create_from_traffic_selectors(TRUE, this->tsi);
 	message->add_payload(message, (payload_t*)ts_payload);
@@ -524,12 +612,12 @@ static void add_ipcomp_notify(private_child_create_t *this,
 			 "IPComp disabled");
 		return;
 	}
-	
+
 	this->my_cpi = this->child_sa->alloc_cpi(this->child_sa);
 	if (this->my_cpi)
 	{
 		this->ipcomp = ipcomp;
-		message->add_notify(message, FALSE, IPCOMP_SUPPORTED, 
+		message->add_notify(message, FALSE, IPCOMP_SUPPORTED,
 							chunk_cata("cc", chunk_from_thing(this->my_cpi),
 									   chunk_from_thing(ipcomp)));
 	}
@@ -550,14 +638,22 @@ static void handle_notify(private_child_create_t *this, notify_payload_t *notify
 			this->mode = MODE_TRANSPORT;
 			break;
 		case USE_BEET_MODE:
-			this->mode = MODE_BEET;
+			if (this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN))
+			{	/* handle private use notify only if we know its meaning */
+				this->mode = MODE_BEET;
+			}
+			else
+			{
+				DBG1(DBG_IKE, "received a notify strongSwan uses for BEET "
+					 "mode, but peer implementation unknown, skipped");
+			}
 			break;
 		case IPCOMP_SUPPORTED:
 		{
 			ipcomp_transform_t ipcomp;
 			u_int16_t cpi;
 			chunk_t data;
-			
+
 			data = notify->get_notification_data(notify);
 			cpi = *(u_int16_t*)data.ptr;
 			ipcomp = (ipcomp_transform_t)(*(data.ptr + 2));
@@ -591,7 +687,7 @@ static void process_payloads(private_child_create_t *this, message_t *message)
 	sa_payload_t *sa_payload;
 	ke_payload_t *ke_payload;
 	ts_payload_t *ts_payload;
-	
+
 	/* defaults to TUNNEL mode */
 	this->mode = MODE_TUNNEL;
 
@@ -620,7 +716,7 @@ static void process_payloads(private_child_create_t *this, message_t *message)
 			case TRAFFIC_SELECTOR_INITIATOR:
 				ts_payload = (ts_payload_t*)payload;
 				this->tsi = ts_payload->get_traffic_selectors(ts_payload);
-				break;	
+				break;
 			case TRAFFIC_SELECTOR_RESPONDER:
 				ts_payload = (ts_payload_t*)payload;
 				this->tsr = ts_payload->get_traffic_selectors(ts_payload);
@@ -642,7 +738,7 @@ static status_t build_i(private_child_create_t *this, message_t *message)
 {
 	host_t *me, *other, *vip;
 	peer_cfg_t *peer_cfg;
-	
+
 	switch (message->get_exchange_type(message))
 	{
 		case IKE_SA_INIT:
@@ -668,7 +764,7 @@ static status_t build_i(private_child_create_t *this, message_t *message)
 		default:
 			break;
 	}
-	
+
 	if (this->reqid)
 	{
 		DBG0(DBG_IKE, "establishing CHILD_SA %s{%d}",
@@ -679,7 +775,7 @@ static status_t build_i(private_child_create_t *this, message_t *message)
 		DBG0(DBG_IKE, "establishing CHILD_SA %s",
 			 this->config->get_name(this->config));
 	}
-	
+
 	/* reuse virtual IP if we already have one */
 	me = this->ike_sa->get_virtual_ip(this->ike_sa, TRUE);
 	if (me == NULL)
@@ -691,7 +787,7 @@ static status_t build_i(private_child_create_t *this, message_t *message)
 	{
 		other = this->ike_sa->get_other_host(this->ike_sa);
 	}
-	
+
 	/* check if we want a virtual IP, but don't have one */
 	peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
 	vip = peer_cfg->get_virtual_ip(peer_cfg);
@@ -708,9 +804,9 @@ static status_t build_i(private_child_create_t *this, message_t *message)
 		this->tsi = this->config->get_traffic_selectors(this->config, TRUE,
 														NULL, me);
 	}
-	this->tsr = this->config->get_traffic_selectors(this->config, FALSE, 
+	this->tsr = this->config->get_traffic_selectors(this->config, FALSE,
 													NULL, other);
-	
+
 	if (this->packet_tsi)
 	{
 		this->tsi->insert_first(this->tsi,
@@ -724,37 +820,43 @@ static status_t build_i(private_child_create_t *this, message_t *message)
 	this->proposals = this->config->get_proposals(this->config,
 												  this->dh_group == MODP_NONE);
 	this->mode = this->config->get_mode(this->config);
-	
+	if (this->mode == MODE_TRANSPORT &&
+		this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY))
+	{
+		this->mode = MODE_TUNNEL;
+		DBG1(DBG_IKE, "not using transport mode, connection NATed");
+	}
+
 	this->child_sa = child_sa_create(this->ike_sa->get_my_host(this->ike_sa),
 			this->ike_sa->get_other_host(this->ike_sa), this->config, this->reqid,
 			this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY));
-	
+
 	if (!allocate_spi(this))
 	{
 		DBG1(DBG_IKE, "unable to allocate SPIs from kernel");
 		return FAILED;
 	}
-	
+
 	if (this->dh_group != MODP_NONE)
 	{
 		this->dh = this->keymat->create_dh(this->keymat, this->dh_group);
 	}
-	
+
 	if (this->config->use_ipcomp(this->config))
 	{
 		/* IPCOMP_DEFLATE is the only transform we support at the moment */
 		add_ipcomp_notify(this, message, IPCOMP_DEFLATE);
 	}
-	
+
 	build_payloads(this, message);
-	
+
 	this->tsi->destroy_offset(this->tsi, offsetof(traffic_selector_t, destroy));
 	this->tsr->destroy_offset(this->tsr, offsetof(traffic_selector_t, destroy));
 	this->proposals->destroy_offset(this->proposals, offsetof(proposal_t, destroy));
 	this->tsi = NULL;
 	this->tsr = NULL;
 	this->proposals = NULL;
-	
+
 	return NEED_MORE;
 }
 
@@ -779,9 +881,9 @@ static status_t process_r(private_child_create_t *this, message_t *message)
 		default:
 			break;
 	}
-	
+
 	process_payloads(this, message);
-	
+
 	return NEED_MORE;
 }
 
@@ -813,7 +915,7 @@ static status_t build_r(private_child_create_t *this, message_t *message)
 	payload_t *payload;
 	enumerator_t *enumerator;
 	bool no_dh = TRUE;
-	
+
 	switch (message->get_exchange_type(message))
 	{
 		case IKE_SA_INIT:
@@ -835,19 +937,19 @@ static status_t build_r(private_child_create_t *this, message_t *message)
 		default:
 			break;
 	}
-	
+
 	if (this->ike_sa->get_state(this->ike_sa) == IKE_REKEYING)
 	{
 		DBG1(DBG_IKE, "unable to create CHILD_SA while rekeying IKE_SA");
 		message->add_notify(message, TRUE, NO_ADDITIONAL_SAS, chunk_empty);
 		return SUCCESS;
 	}
-	
+
 	peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
 	if (peer_cfg && this->tsi && this->tsr)
 	{
 		host_t *me, *other;
-		
+
 		me = this->ike_sa->get_virtual_ip(this->ike_sa, TRUE);
 		if (me == NULL)
 		{
@@ -861,7 +963,7 @@ static status_t build_r(private_child_create_t *this, message_t *message)
 		this->config = peer_cfg->select_child_cfg(peer_cfg, this->tsr,
 												  this->tsi, me, other);
 	}
-	
+
 	if (this->config == NULL)
 	{
 		DBG1(DBG_IKE, "traffic selectors %#R=== %#R inacceptable",
@@ -870,7 +972,7 @@ static status_t build_r(private_child_create_t *this, message_t *message)
 		handle_child_sa_failure(this, message);
 		return SUCCESS;
 	}
-	
+
 	/* check if ike_config_t included non-critical error notifies */
 	enumerator = message->create_payload_enumerator(message);
 	while (enumerator->enumerate(enumerator, &payload))
@@ -878,7 +980,7 @@ static status_t build_r(private_child_create_t *this, message_t *message)
 		if (payload->get_type(payload) == NOTIFY)
 		{
 			notify_payload_t *notify = (notify_payload_t*)payload;
-			
+
 			switch (notify->get_notify_type(notify))
 			{
 				case INTERNAL_ADDRESS_FAILURE:
@@ -896,11 +998,11 @@ static status_t build_r(private_child_create_t *this, message_t *message)
 		}
 	}
 	enumerator->destroy(enumerator);
-	
+
 	this->child_sa = child_sa_create(this->ike_sa->get_my_host(this->ike_sa),
 			this->ike_sa->get_other_host(this->ike_sa), this->config, this->reqid,
 			this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY));
-	
+
 	if (this->ipcomp_received != IPCOMP_NONE)
 	{
 		if (this->config->use_ipcomp(this->config))
@@ -913,7 +1015,7 @@ static status_t build_r(private_child_create_t *this, message_t *message)
 				 notify_type_names, IPCOMP_SUPPORTED);
 		}
 	}
-	
+
 	switch (select_and_install(this, no_dh))
 	{
 		case SUCCESS:
@@ -936,9 +1038,9 @@ static status_t build_r(private_child_create_t *this, message_t *message)
 			handle_child_sa_failure(this, message);
 			return SUCCESS;
 	}
-	
+
 	build_payloads(this, message);
-	
+
 	DBG0(DBG_IKE, "CHILD_SA %s{%d} established "
 		 "with SPIs %.8x_i %.8x_o and TS %#R=== %#R",
 		 this->child_sa->get_name(this->child_sa),
@@ -947,7 +1049,7 @@ static status_t build_r(private_child_create_t *this, message_t *message)
 		 ntohl(this->child_sa->get_spi(this->child_sa, FALSE)),
 		 this->child_sa->get_traffic_selectors(this->child_sa, TRUE),
 		 this->child_sa->get_traffic_selectors(this->child_sa, FALSE));
-	
+
 	if (!this->rekey)
 	{	/* invoke the child_up() hook if we are not rekeying */
 		charon->bus->child_updown(charon->bus, this->child_sa, TRUE);
@@ -989,7 +1091,7 @@ static status_t process_i(private_child_create_t *this, message_t *message)
 		{
 			notify_payload_t *notify = (notify_payload_t*)payload;
 			notify_type_t type = notify->get_notify_type(notify);
-			
+
 			switch (type)
 			{
 				/* handle notify errors related to CHILD_SA only */
@@ -1011,15 +1113,18 @@ static status_t process_i(private_child_create_t *this, message_t *message)
 				case INVALID_KE_PAYLOAD:
 				{
 					chunk_t data;
-					diffie_hellman_group_t bad_group;
-					
-					bad_group = this->dh_group;
+					u_int16_t group = MODP_NONE;
+
 					data = notify->get_notification_data(notify);
-					this->dh_group = ntohs(*((u_int16_t*)data.ptr));
+					if (data.len == sizeof(group))
+					{
+						memcpy(&group, data.ptr, data.len);
+						group = ntohs(group);
+					}
 					DBG1(DBG_IKE, "peer didn't accept DH group %N, "
 						 "it requested %N", diffie_hellman_group_names,
-						 bad_group, diffie_hellman_group_names, this->dh_group);
-					
+						 this->dh_group, diffie_hellman_group_names, group);
+					this->dh_group = group;
 					this->public.task.migrate(&this->public.task, this->ike_sa);
 					enumerator->destroy(enumerator);
 					return NEED_MORE;
@@ -1030,9 +1135,9 @@ static status_t process_i(private_child_create_t *this, message_t *message)
 		}
 	}
 	enumerator->destroy(enumerator);
-	
+
 	process_payloads(this, message);
-	
+
 	if (this->ipcomp == IPCOMP_NONE && this->ipcomp_received != IPCOMP_NONE)
 	{
 		DBG1(DBG_IKE, "received an IPCOMP_SUPPORTED notify without requesting"
@@ -1053,7 +1158,7 @@ static status_t process_i(private_child_create_t *this, message_t *message)
 		handle_child_sa_failure(this, message);
 		return SUCCESS;
 	}
-	
+
 	if (select_and_install(this, no_dh) == SUCCESS)
 	{
 		DBG0(DBG_IKE, "CHILD_SA %s{%d} established "
@@ -1064,7 +1169,7 @@ static status_t process_i(private_child_create_t *this, message_t *message)
 			 ntohl(this->child_sa->get_spi(this->child_sa, FALSE)),
 			 this->child_sa->get_traffic_selectors(this->child_sa, TRUE),
 			 this->child_sa->get_traffic_selectors(this->child_sa, FALSE));
-		
+
 		if (!this->rekey)
 		{	/* invoke the child_up() hook if we are not rekeying */
 			charon->bus->child_updown(charon->bus, this->child_sa, TRUE);
@@ -1105,7 +1210,7 @@ static child_sa_t* get_child(private_child_create_t *this)
  * Implementation of child_create_t.get_lower_nonce
  */
 static chunk_t get_lower_nonce(private_child_create_t *this)
-{	
+{
 	if (memcmp(this->my_nonce.ptr, this->other_nonce.ptr,
 			   min(this->my_nonce.len, this->other_nonce.len)) < 0)
 	{
@@ -1139,7 +1244,7 @@ static void migrate(private_child_create_t *this, ike_sa_t *ike_sa)
 	{
 		this->proposals->destroy_offset(this->proposals, offsetof(proposal_t, destroy));
 	}
-	
+
 	this->ike_sa = ike_sa;
 	this->keymat = ike_sa->get_keymat(ike_sa);
 	this->proposal = NULL;
@@ -1183,7 +1288,7 @@ static void destroy(private_child_create_t *this)
 	{
 		this->proposals->destroy_offset(this->proposals, offsetof(proposal_t, destroy));
 	}
-	
+
 	DESTROY_IF(this->config);
 	free(this);
 }
@@ -1216,7 +1321,7 @@ child_create_t *child_create_create(ike_sa_t *ike_sa,
 		this->public.task.process = (status_t(*)(task_t*,message_t*))process_r;
 		this->initiator = FALSE;
 	}
-	
+
 	this->ike_sa = ike_sa;
 	this->config = config;
 	this->my_nonce = chunk_empty;
@@ -1241,6 +1346,6 @@ child_create_t *child_create_create(ike_sa_t *ike_sa,
 	this->reqid = 0;
 	this->established = FALSE;
 	this->rekey = rekey;
-	
+
 	return &this->public;
 }
diff --git a/src/charon/sa/tasks/child_create.h b/src/charon/sa/tasks/child_create.h
index 41f4fe2c8..5dedeb8b1 100644
--- a/src/charon/sa/tasks/child_create.h
+++ b/src/charon/sa/tasks/child_create.h
@@ -31,7 +31,7 @@ typedef struct child_create_t child_create_t;
 /**
  * Task of type CHILD_CREATE, established a new CHILD_SA.
  *
- * This task may be included in the IKE_AUTH message or in a separate 
+ * This task may be included in the IKE_AUTH message or in a separate
  * CREATE_CHILD_SA exchange.
  */
 struct child_create_t {
@@ -40,24 +40,24 @@ struct child_create_t {
 	 * Implements the task_t interface
 	 */
 	task_t task;
-	
+
 	/**
 	 * Use a specific reqid for the CHILD_SA.
 	 *
 	 * When this task is used for rekeying, the same reqid is used
-	 * for the new CHILD_SA. 
+	 * for the new CHILD_SA.
 	 *
 	 * @param reqid		reqid to use
 	 */
 	void (*use_reqid) (child_create_t *this, u_int32_t reqid);
-	
+
 	/**
 	 * Get the lower of the two nonces, used for rekey collisions.
 	 *
 	 * @return			lower nonce
 	 */
 	chunk_t (*get_lower_nonce) (child_create_t *this);
-	
+
 	/**
 	 * Get the CHILD_SA established/establishing by this task.
 	 *
diff --git a/src/charon/sa/tasks/child_delete.c b/src/charon/sa/tasks/child_delete.c
index 7abb07a84..d7c6b0541 100644
--- a/src/charon/sa/tasks/child_delete.c
+++ b/src/charon/sa/tasks/child_delete.c
@@ -25,42 +25,42 @@ typedef struct private_child_delete_t private_child_delete_t;
  * Private members of a child_delete_t task.
  */
 struct private_child_delete_t {
-	
+
 	/**
 	 * Public methods and task_t interface.
 	 */
 	child_delete_t public;
-	
+
 	/**
 	 * Assigned IKE_SA.
 	 */
 	ike_sa_t *ike_sa;
-	
+
 	/**
 	 * Are we the initiator?
 	 */
 	bool initiator;
-	
+
 	/**
 	 * Protocol of CHILD_SA to delete
 	 */
 	protocol_id_t protocol;
-	
+
 	/**
 	 * Inbound SPI of CHILD_SA to delete
 	 */
 	u_int32_t spi;
-	
+
 	/**
 	 * whether to enforce delete action policy
 	 */
 	bool check_delete_action;
-	
+
 	/**
 	 * is this delete exchange following a rekey?
 	 */
 	bool rekeyed;
-	
+
 	/**
 	 * CHILD_SAs which get deleted
 	 */
@@ -75,10 +75,10 @@ static void build_payloads(private_child_delete_t *this, message_t *message)
 	delete_payload_t *ah = NULL, *esp = NULL;
 	iterator_t *iterator;
 	child_sa_t *child_sa;
-	
+
 	iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
 	while (iterator->iterate(iterator, (void**)&child_sa))
-	{	
+	{
 		protocol_id_t protocol = child_sa->get_protocol(child_sa);
 		u_int32_t spi = child_sa->get_spi(child_sa, TRUE);
 
@@ -91,7 +91,7 @@ static void build_payloads(private_child_delete_t *this, message_t *message)
 					message->add_payload(message, (payload_t*)esp);
 				}
 				esp->add_spi(esp, spi);
-				DBG1(DBG_IKE, "sending DELETE for %N CHILD_SA with SPI %.8x", 
+				DBG1(DBG_IKE, "sending DELETE for %N CHILD_SA with SPI %.8x",
 							   protocol_id_names, protocol, ntohl(spi));
 				break;
 			case PROTO_AH:
@@ -101,7 +101,7 @@ static void build_payloads(private_child_delete_t *this, message_t *message)
 					message->add_payload(message, (payload_t*)ah);
 				}
 				ah->add_spi(ah, spi);
-				DBG1(DBG_IKE, "sending DELETE for %N CHILD_SA with SPI %.8x", 
+				DBG1(DBG_IKE, "sending DELETE for %N CHILD_SA with SPI %.8x",
 							   protocol_id_names, protocol, ntohl(spi));
 				break;
 			default:
@@ -124,7 +124,7 @@ static void process_payloads(private_child_delete_t *this, message_t *message)
 	u_int32_t *spi;
 	protocol_id_t protocol;
 	child_sa_t *child_sa;
-	
+
 	payloads = message->create_payload_enumerator(message);
 	while (payloads->enumerate(payloads, &payload))
 	{
@@ -147,9 +147,9 @@ static void process_payloads(private_child_delete_t *this, message_t *message)
 						 "but no such SA", protocol_id_names, protocol, ntohl(*spi));
 					continue;
 				}
-				DBG1(DBG_IKE, "received DELETE for %N CHILD_SA with SPI %.8x", 
+				DBG1(DBG_IKE, "received DELETE for %N CHILD_SA with SPI %.8x",
 						protocol_id_names, protocol, ntohl(*spi));
-				
+
 				switch (child_sa->get_state(child_sa))
 				{
 					case CHILD_REKEYING:
@@ -172,7 +172,7 @@ static void process_payloads(private_child_delete_t *this, message_t *message)
 					default:
 						break;
 				}
-				
+
 				this->child_sas->insert_last(this->child_sas, child_sa);
 			}
 			spis->destroy(spis);
@@ -192,7 +192,7 @@ static status_t destroy_and_reestablish(private_child_delete_t *this)
 	protocol_id_t protocol;
 	u_int32_t spi;
 	status_t status = SUCCESS;
-	
+
 	iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
 	while (iterator->iterate(iterator, (void**)&child_sa))
 	{
@@ -215,7 +215,7 @@ static status_t destroy_and_reestablish(private_child_delete_t *this)
 					status = this->ike_sa->initiate(this->ike_sa, child_cfg, 0,
 													NULL, NULL);
 					break;
-				case ACTION_ROUTE:	
+				case ACTION_ROUTE:
 					charon->traps->install(charon->traps,
 							this->ike_sa->get_peer_cfg(this->ike_sa), child_cfg);
 					break;
@@ -241,13 +241,13 @@ static void log_children(private_child_delete_t *this)
 	iterator_t *iterator;
 	child_sa_t *child_sa;
 	u_int64_t bytes_in, bytes_out;
-	
+
 	iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
 	while (iterator->iterate(iterator, (void**)&child_sa))
 	{
 		child_sa->get_usestats(child_sa, TRUE, NULL, &bytes_in);
 		child_sa->get_usestats(child_sa, FALSE, NULL, &bytes_out);
-		
+
 		DBG0(DBG_IKE, "closing CHILD_SA %s{%d} "
 			 "with SPIs %.8x_i (%llu bytes) %.8x_o (%llu bytes) and TS %#R=== %#R",
 			 child_sa->get_name(child_sa), child_sa->get_reqid(child_sa),
@@ -265,12 +265,19 @@ static void log_children(private_child_delete_t *this)
 static status_t build_i(private_child_delete_t *this, message_t *message)
 {
 	child_sa_t *child_sa;
-	
+
 	child_sa = this->ike_sa->get_child_sa(this->ike_sa, this->protocol,
 										  this->spi, TRUE);
 	if (!child_sa)
-	{	/* child does not exist anymore */
-		return SUCCESS;
+	{	/* check if it is an outbound sa */
+		child_sa = this->ike_sa->get_child_sa(this->ike_sa, this->protocol,
+											  this->spi, FALSE);
+		if (!child_sa)
+		{	/* child does not exist anymore */
+			return SUCCESS;
+		}
+		/* we work only with the inbound SPI */
+		this->spi = child_sa->get_spi(child_sa, TRUE);
 	}
 	this->child_sas->insert_last(this->child_sas, child_sa);
 	if (child_sa->get_state(child_sa) == CHILD_REKEYING)
@@ -290,7 +297,7 @@ static status_t process_i(private_child_delete_t *this, message_t *message)
 	/* flush the list before adding new SAs */
 	this->child_sas->destroy(this->child_sas);
 	this->child_sas = linked_list_create();
-	
+
 	process_payloads(this, message);
 	DBG1(DBG_IKE, "CHILD_SA closed");
 	return destroy_and_reestablish(this);
@@ -314,7 +321,7 @@ static status_t build_r(private_child_delete_t *this, message_t *message)
 	/* if we are rekeying, we send an empty informational */
 	if (this->ike_sa->get_state(this->ike_sa) != IKE_REKEYING)
 	{
-		build_payloads(this, message);	
+		build_payloads(this, message);
 	}
 	DBG1(DBG_IKE, "CHILD_SA closed");
 	return destroy_and_reestablish(this);
@@ -345,7 +352,7 @@ static void migrate(private_child_delete_t *this, ike_sa_t *ike_sa)
 {
 	this->check_delete_action = FALSE;
 	this->ike_sa = ike_sa;
-	
+
 	this->child_sas->destroy(this->child_sas);
 	this->child_sas = linked_list_create();
 }
@@ -371,14 +378,14 @@ child_delete_t *child_delete_create(ike_sa_t *ike_sa, protocol_id_t protocol,
 	this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
 	this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
 	this->public.task.destroy = (void(*)(task_t*))destroy;
-	
+
 	this->ike_sa = ike_sa;
 	this->check_delete_action = FALSE;
 	this->child_sas = linked_list_create();
 	this->protocol = protocol;
 	this->spi = spi;
 	this->rekeyed = FALSE;
-	
+
 	if (protocol != PROTO_NONE)
 	{
 		this->public.task.build = (status_t(*)(task_t*,message_t*))build_i;
diff --git a/src/charon/sa/tasks/child_delete.h b/src/charon/sa/tasks/child_delete.h
index 27d847035..365807c68 100644
--- a/src/charon/sa/tasks/child_delete.h
+++ b/src/charon/sa/tasks/child_delete.h
@@ -37,7 +37,7 @@ struct child_delete_t {
 	 * Implements the task_t interface
 	 */
 	task_t task;
-	
+
 	/**
 	 * Get the CHILD_SA to delete by this task.
 	 *
diff --git a/src/charon/sa/tasks/child_rekey.c b/src/charon/sa/tasks/child_rekey.c
index 601e054ea..b5e4e84b4 100644
--- a/src/charon/sa/tasks/child_rekey.c
+++ b/src/charon/sa/tasks/child_rekey.c
@@ -30,47 +30,47 @@ typedef struct private_child_rekey_t private_child_rekey_t;
  * Private members of a child_rekey_t task.
  */
 struct private_child_rekey_t {
-	
+
 	/**
 	 * Public methods and task_t interface.
 	 */
 	child_rekey_t public;
-	
+
 	/**
 	 * Assigned IKE_SA.
 	 */
 	ike_sa_t *ike_sa;
-	
+
 	/**
 	 * Are we the initiator?
 	 */
 	bool initiator;
-	
+
 	/**
 	 * Protocol of CHILD_SA to rekey
 	 */
 	protocol_id_t protocol;
-	
+
 	/**
 	 * Inbound SPI of CHILD_SA to rekey
 	 */
 	u_int32_t spi;
-	
+
 	/**
 	 * the CHILD_CREATE task which is reused to simplify rekeying
 	 */
 	child_create_t *child_create;
-	
+
 	/**
 	 * the CHILD_DELETE task to delete rekeyed CHILD_SA
 	 */
 	child_delete_t *child_delete;
-	
+
 	/**
 	 * CHILD_SA which gets rekeyed
 	 */
 	child_sa_t *child_sa;
-	
+
 	/**
 	 * colliding task, may be delete or rekey
 	 */
@@ -84,7 +84,7 @@ static status_t build_i_delete(private_child_rekey_t *this, message_t *message)
 {
 	/* update exchange type to INFORMATIONAL for the delete */
 	message->set_exchange_type(message, INFORMATIONAL);
-	
+
 	return this->child_delete->task.build(&this->child_delete->task, message);
 }
 
@@ -101,35 +101,22 @@ static status_t process_i_delete(private_child_rekey_t *this, message_t *message
  */
 static void find_child(private_child_rekey_t *this, message_t *message)
 {
-	enumerator_t *enumerator;
-	payload_t *payload;
-	
-	enumerator = message->create_payload_enumerator(message);
-	while (enumerator->enumerate(enumerator, &payload))
+	notify_payload_t *notify;
+	protocol_id_t protocol;
+	u_int32_t spi;
+
+	notify = message->get_notify(message, REKEY_SA);
+	if (notify)
 	{
-		notify_payload_t *notify;
-		u_int32_t spi;
-		protocol_id_t protocol;
-		
-		if (payload->get_type(payload) != NOTIFY)
-		{
-			continue;
-		}
-		
-		notify = (notify_payload_t*)payload;
 		protocol = notify->get_protocol_id(notify);
 		spi = notify->get_spi(notify);
-		
-		if (protocol != PROTO_ESP && protocol != PROTO_AH)
+
+		if (protocol == PROTO_ESP || protocol == PROTO_AH)
 		{
-			continue;
+			this->child_sa = this->ike_sa->get_child_sa(this->ike_sa, protocol,
+														spi, FALSE);
 		}
-		this->child_sa = this->ike_sa->get_child_sa(this->ike_sa, protocol,
-													spi, FALSE);
-		break;
-			
 	}
-	enumerator->destroy(enumerator);
 }
 
 /**
@@ -140,30 +127,42 @@ static status_t build_i(private_child_rekey_t *this, message_t *message)
 	notify_payload_t *notify;
 	u_int32_t reqid;
 	child_cfg_t *config;
-	
+
 	this->child_sa = this->ike_sa->get_child_sa(this->ike_sa, this->protocol,
 												this->spi, TRUE);
 	if (!this->child_sa)
-	{	/* CHILD_SA is gone, unable to rekey */
-		return SUCCESS;
+	{	/* check if it is an outbound CHILD_SA */
+		this->child_sa = this->ike_sa->get_child_sa(this->ike_sa, this->protocol,
+													this->spi, FALSE);
+		if (!this->child_sa)
+		{	/* CHILD_SA is gone, unable to rekey. As an empty CREATE_CHILD_SA
+			 * exchange is invalid, we fall back to an INFORMATIONAL exchange.*/
+			message->set_exchange_type(message, INFORMATIONAL);
+			return SUCCESS;
+		}
+		/* we work only with the inbound SPI */
+		this->spi = this->child_sa->get_spi(this->child_sa, TRUE);
 	}
 	config = this->child_sa->get_config(this->child_sa);
-	
+
 	/* we just need the rekey notify ... */
 	notify = notify_payload_create_from_protocol_and_type(this->protocol,
 														  REKEY_SA);
 	notify->set_spi(notify, this->spi);
 	message->add_payload(message, (payload_t*)notify);
-	
+
 	/* ... our CHILD_CREATE task does the hard work for us. */
+	if (!this->child_create)
+	{
+		this->child_create = child_create_create(this->ike_sa, config, TRUE,
+												 NULL, NULL);
+	}
 	reqid = this->child_sa->get_reqid(this->child_sa);
-	this->child_create = child_create_create(this->ike_sa, config, TRUE,
-											 NULL, NULL);
 	this->child_create->use_reqid(this->child_create, reqid);
 	this->child_create->task.build(&this->child_create->task, message);
-	
+
 	this->child_sa->set_state(this->child_sa, CHILD_REKEYING);
-	
+
 	return NEED_MORE;
 }
 
@@ -174,9 +173,9 @@ static status_t process_r(private_child_rekey_t *this, message_t *message)
 {
 	/* let the CHILD_CREATE task process the message */
 	this->child_create->task.process(&this->child_create->task, message);
-	
+
 	find_child(this, message);
-	
+
 	return NEED_MORE;
 }
 
@@ -194,21 +193,21 @@ static status_t build_r(private_child_rekey_t *this, message_t *message)
 		message->add_notify(message, TRUE, NO_PROPOSAL_CHOSEN, chunk_empty);
 		return SUCCESS;
 	}
-	
+
 	/* let the CHILD_CREATE task build the response */
 	reqid = this->child_sa->get_reqid(this->child_sa);
 	this->child_create->use_reqid(this->child_create, reqid);
 	this->child_create->task.build(&this->child_create->task, message);
-	
+
 	if (message->get_payload(message, SECURITY_ASSOCIATION) == NULL)
 	{
 		/* rekeying failed, reuse old child */
 		this->child_sa->set_state(this->child_sa, CHILD_INSTALLED);
 		return SUCCESS;
 	}
-	
+
 	this->child_sa->set_state(this->child_sa, CHILD_REKEYING);
-	
+
 	/* invoke rekey hook */
 	charon->bus->child_rekey(charon->bus, this->child_sa,
 							 this->child_create->get_child(this->child_create));
@@ -223,33 +222,20 @@ static status_t process_i(private_child_rekey_t *this, message_t *message)
 	protocol_id_t protocol;
 	u_int32_t spi;
 	child_sa_t *to_delete;
-	enumerator_t *enumerator;
-	payload_t *payload;
-	
-	/* handle NO_ADDITIONAL_SAS notify */
-	enumerator = message->create_payload_enumerator(message);
-	while (enumerator->enumerate(enumerator, &payload))
+
+	if (message->get_notify(message, NO_ADDITIONAL_SAS))
 	{
-		if (payload->get_type(payload) == NOTIFY)
-		{
-			notify_payload_t *notify = (notify_payload_t*)payload;
-			
-			if (notify->get_notify_type(notify) == NO_ADDITIONAL_SAS)
-			{
-				DBG1(DBG_IKE, "peer seems to not support CHILD_SA rekeying, "
-					 "starting reauthentication");
-				this->child_sa->set_state(this->child_sa, CHILD_INSTALLED);
-				charon->processor->queue_job(charon->processor,
-						(job_t*)rekey_ike_sa_job_create(
-									this->ike_sa->get_id(this->ike_sa), TRUE));
-				enumerator->destroy(enumerator);
-				return SUCCESS;
-			}
-		}
+		DBG1(DBG_IKE, "peer seems to not support CHILD_SA rekeying, "
+			 "starting reauthentication");
+		this->child_sa->set_state(this->child_sa, CHILD_INSTALLED);
+		charon->processor->queue_job(charon->processor,
+				(job_t*)rekey_ike_sa_job_create(
+							this->ike_sa->get_id(this->ike_sa), TRUE));
+		return SUCCESS;
 	}
-	enumerator->destroy(enumerator);
-	
-	if (this->child_create->task.process(&this->child_create->task, message) == NEED_MORE)
+
+	if (this->child_create->task.process(&this->child_create->task,
+										 message) == NEED_MORE)
 	{
 		/* bad DH group while rekeying, try again */
 		this->child_create->task.migrate(&this->child_create->task, this->ike_sa);
@@ -259,39 +245,39 @@ static status_t process_i(private_child_rekey_t *this, message_t *message)
 	{
 		/* establishing new child failed, reuse old. but not when we
 		 * recieved a delete in the meantime */
-		if (!(this->collision && 
+		if (!(this->collision &&
 			  this->collision->get_type(this->collision) == CHILD_DELETE))
 		{
 			job_t *job;
 			u_int32_t retry = RETRY_INTERVAL - (random() % RETRY_JITTER);
-			
+
 			job = (job_t*)rekey_child_sa_job_create(
 								this->child_sa->get_reqid(this->child_sa),
 								this->child_sa->get_protocol(this->child_sa),
 								this->child_sa->get_spi(this->child_sa, TRUE));
 			DBG1(DBG_IKE, "CHILD_SA rekeying failed, "
-				 				"trying again in %d seconds", retry);
+								"trying again in %d seconds", retry);
 			this->child_sa->set_state(this->child_sa, CHILD_INSTALLED);
 			charon->scheduler->schedule_job(charon->scheduler, job, retry);
 		}
 		return SUCCESS;
 	}
-	
+
 	to_delete = this->child_sa;
-	
+
 	/* check for rekey collisions */
 	if (this->collision &&
 		this->collision->get_type(this->collision) == CHILD_REKEY)
 	{
 		chunk_t this_nonce, other_nonce;
 		private_child_rekey_t *other = (private_child_rekey_t*)this->collision;
-		
+
 		this_nonce = this->child_create->get_lower_nonce(this->child_create);
 		other_nonce = other->child_create->get_lower_nonce(other->child_create);
-		
+
 		/* if we have the lower nonce, delete rekeyed SA. If not, delete
 		 * the redundant. */
-		if (memcmp(this_nonce.ptr, other_nonce.ptr, 
+		if (memcmp(this_nonce.ptr, other_nonce.ptr,
 				   min(this_nonce.len, other_nonce.len)) < 0)
 		{
 			DBG1(DBG_IKE, "CHILD_SA rekey collision won, deleting rekeyed child");
@@ -307,21 +293,21 @@ static status_t process_i(private_child_rekey_t *this, message_t *message)
 			}
 		}
 	}
-	
+
 	if (to_delete != this->child_create->get_child(this->child_create))
 	{	/* invoke rekey hook if rekeying successful */
 		charon->bus->child_rekey(charon->bus, this->child_sa,
 							this->child_create->get_child(this->child_create));
 	}
-	
+
 	spi = to_delete->get_spi(to_delete, TRUE);
 	protocol = to_delete->get_protocol(to_delete);
-	
+
 	/* rekeying done, delete the obsolete CHILD_SA using a subtask */
 	this->child_delete = child_delete_create(this->ike_sa, protocol, spi);
 	this->public.task.build = (status_t(*)(task_t*,message_t*))build_i_delete;
 	this->public.task.process = (status_t(*)(task_t*,message_t*))process_i_delete;
-	
+
 	return NEED_MORE;
 }
 
@@ -338,7 +324,7 @@ static task_type_t get_type(private_child_rekey_t *this)
  */
 static void collide(private_child_rekey_t *this, task_t *other)
 {
-	/* the task manager only detects exchange collision, but not if 
+	/* the task manager only detects exchange collision, but not if
 	 * the collision is for the same child. we check it here. */
 	if (other->get_type(other) == CHILD_REKEY)
 	{
@@ -346,6 +332,7 @@ static void collide(private_child_rekey_t *this, task_t *other)
 		if (rekey == NULL || rekey->child_sa != this->child_sa)
 		{
 			/* not the same child => no collision */
+			other->destroy(other);
 			return;
 		}
 	}
@@ -354,13 +341,15 @@ static void collide(private_child_rekey_t *this, task_t *other)
 		child_delete_t *del = (child_delete_t*)other;
 		if (del == NULL || del->get_child(del) != this->child_sa)
 		{
-			/* not the same child => no collision */ 
+			/* not the same child => no collision */
+			other->destroy(other);
 			return;
 		}
 	}
 	else
 	{
 		/* any other task is not critical for collisisions, ignore */
+		other->destroy(other);
 		return;
 	}
 	DESTROY_IF(this->collision);
@@ -371,7 +360,7 @@ static void collide(private_child_rekey_t *this, task_t *other)
  * Implementation of task_t.migrate
  */
 static void migrate(private_child_rekey_t *this, ike_sa_t *ike_sa)
-{	
+{
 	if (this->child_create)
 	{
 		this->child_create->task.migrate(&this->child_create->task, ike_sa);
@@ -381,7 +370,7 @@ static void migrate(private_child_rekey_t *this, ike_sa_t *ike_sa)
 		this->child_delete->task.migrate(&this->child_delete->task, ike_sa);
 	}
 	DESTROY_IF(this->collision);
-	
+
 	this->ike_sa = ike_sa;
 	this->collision = NULL;
 }
@@ -410,7 +399,7 @@ child_rekey_t *child_rekey_create(ike_sa_t *ike_sa, protocol_id_t protocol,
 								  u_int32_t spi)
 {
 	private_child_rekey_t *this = malloc_thing(private_child_rekey_t);
-	
+
 	this->public.collide = (void (*)(child_rekey_t*,task_t*))collide;
 	this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
 	this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
@@ -429,13 +418,13 @@ child_rekey_t *child_rekey_create(ike_sa_t *ike_sa, protocol_id_t protocol,
 		this->initiator = FALSE;
 		this->child_create = child_create_create(ike_sa, NULL, TRUE, NULL, NULL);
 	}
-	
+
 	this->ike_sa = ike_sa;
 	this->child_sa = NULL;
 	this->protocol = protocol;
 	this->spi = spi;
 	this->collision = NULL;
 	this->child_delete = NULL;
-	
+
 	return &this->public;
 }
diff --git a/src/charon/sa/tasks/child_rekey.h b/src/charon/sa/tasks/child_rekey.h
index 5aae2fb39..9b1aea5fa 100644
--- a/src/charon/sa/tasks/child_rekey.h
+++ b/src/charon/sa/tasks/child_rekey.h
@@ -37,7 +37,7 @@ struct child_rekey_t {
 	 * Implements the task_t interface
 	 */
 	task_t task;
-	
+
 	/**
 	 * Register a rekeying task which collides with this one
 	 *
@@ -56,7 +56,7 @@ struct child_rekey_t {
  * @param ike_sa		IKE_SA this task works for
  * @param protocol		protocol of CHILD_SA to rekey, PROTO_NONE as responder
  * @param spi			inbound SPI of CHILD_SA to rekey
- * @return			  	child_rekey task to handle by the task_manager
+ * @return				child_rekey task to handle by the task_manager
  */
 child_rekey_t *child_rekey_create(ike_sa_t *ike_sa, protocol_id_t protocol,
 								  u_int32_t spi);
diff --git a/src/charon/sa/tasks/ike_auth.c b/src/charon/sa/tasks/ike_auth.c
index d0b2a7e91..a07f96767 100644
--- a/src/charon/sa/tasks/ike_auth.c
+++ b/src/charon/sa/tasks/ike_auth.c
@@ -31,82 +31,72 @@ typedef struct private_ike_auth_t private_ike_auth_t;
  * Private members of a ike_auth_t task.
  */
 struct private_ike_auth_t {
-	
+
 	/**
 	 * Public methods and task_t interface.
 	 */
 	ike_auth_t public;
-	
+
 	/**
 	 * Assigned IKE_SA.
 	 */
 	ike_sa_t *ike_sa;
-	
+
 	/**
 	 * Are we the initiator?
 	 */
 	bool initiator;
-	
+
 	/**
 	 * Nonce chosen by us in ike_init
 	 */
 	chunk_t my_nonce;
-	
+
 	/**
 	 * Nonce chosen by peer in ike_init
 	 */
 	chunk_t other_nonce;
-	
+
 	/**
 	 * IKE_SA_INIT message sent by us
 	 */
 	packet_t *my_packet;
-	
+
 	/**
 	 * IKE_SA_INIT message sent by peer
 	 */
 	packet_t *other_packet;
-	
-	/**
-	 * completed authentication configs initiated by us (auth_cfg_t)
-	 */
-	linked_list_t *my_cfgs;
-	
-	/**
-	 * completed authentication configs initiated by other (auth_cfg_t)
-	 */
-	linked_list_t *other_cfgs;;
-	
+
 	/**
 	 * currently active authenticator, to authenticate us
 	 */
 	authenticator_t *my_auth;
-	
+
 	/**
 	 * currently active authenticator, to authenticate peer
 	 */
 	authenticator_t *other_auth;
-	
+
 	/**
 	 * peer_cfg candidates, ordered by priority
 	 */
 	linked_list_t *candidates;
-	
+
 	/**
 	 * selected peer config (might change when using multiple authentications)
 	 */
 	peer_cfg_t *peer_cfg;
-	
+
 	/**
 	 * have we planned an(other) authentication exchange?
 	 */
 	bool do_another_auth;
-	
+
 	/**
 	 * has the peer announced another authentication exchange?
 	 */
 	bool expect_another_auth;
-	
+
 	/**
 	 * should we send a AUTHENTICATION_FAILED notify?
 	 */
@@ -129,7 +119,7 @@ static status_t collect_my_init_data(private_ike_auth_t *this,
 									 message_t *message)
 {
 	nonce_payload_t *nonce;
-	
+
 	/* get the nonce that was generated in ike_init */
 	nonce = (nonce_payload_t*)message->get_payload(message, NONCE);
 	if (nonce == NULL)
@@ -137,14 +127,14 @@ static status_t collect_my_init_data(private_ike_auth_t *this,
 		return FAILED;
 	}
 	this->my_nonce = nonce->get_nonce(nonce);
-	
+
 	/* pre-generate the message, keep a copy */
 	if (this->ike_sa->generate_message(this->ike_sa, message,
 									   &this->my_packet) != SUCCESS)
 	{
 		return FAILED;
 	}
-	return NEED_MORE; 
+	return NEED_MORE;
 }
 
 /**
@@ -155,7 +145,7 @@ static status_t collect_other_init_data(private_ike_auth_t *this,
 {
 	/* we collect the needed information in the IKE_SA_INIT exchange */
 	nonce_payload_t *nonce;
-	
+
 	/* get the nonce that was generated in ike_init */
 	nonce = (nonce_payload_t*)message->get_payload(message, NONCE);
 	if (nonce == NULL)
@@ -163,10 +153,10 @@ static status_t collect_other_init_data(private_ike_auth_t *this,
 		return FAILED;
 	}
 	this->other_nonce = nonce->get_nonce(nonce);
-	
+
 	/* keep a copy of the received packet */
 	this->other_packet = message->get_packet(message);
-	return NEED_MORE; 
+	return NEED_MORE;
 }
 
 /**
@@ -176,21 +166,14 @@ static auth_cfg_t *get_auth_cfg(private_ike_auth_t *this, bool local)
 {
 	enumerator_t *e1, *e2;
 	auth_cfg_t *c1, *c2, *next = NULL;
-	
+
 	/* find an available config not already done */
 	e1 = this->peer_cfg->create_auth_cfg_enumerator(this->peer_cfg, local);
 	while (e1->enumerate(e1, &c1))
 	{
 		bool found = FALSE;
-		
-		if (local)
-		{
-			e2 = this->my_cfgs->create_enumerator(this->my_cfgs);
-		}
-		else
-		{
-			e2 = this->other_cfgs->create_enumerator(this->other_cfgs);
-		}
+
+		e2 = this->ike_sa->create_auth_cfg_enumerator(this->ike_sa, local);
 		while (e2->enumerate(e2, &c2))
 		{
 			if (c2->complies(c2, c1, FALSE))
@@ -218,13 +201,13 @@ static bool do_another_auth(private_ike_auth_t *this)
 	bool do_another = FALSE;
 	enumerator_t *done, *todo;
 	auth_cfg_t *done_cfg, *todo_cfg;
-	
+
 	if (!this->ike_sa->supports_extension(this->ike_sa, EXT_MULTIPLE_AUTH))
 	{
 		return FALSE;
 	}
-	
-	done = this->my_cfgs->create_enumerator(this->my_cfgs);
+
+	done = this->ike_sa->create_auth_cfg_enumerator(this->ike_sa, TRUE);
 	todo = this->peer_cfg->create_auth_cfg_enumerator(this->peer_cfg, TRUE);
 	while (todo->enumerate(todo, &todo_cfg))
 	{
@@ -252,12 +235,12 @@ static bool load_cfg_candidates(private_ike_auth_t *this)
 	peer_cfg_t *peer_cfg;
 	host_t *me, *other;
 	identification_t *my_id, *other_id;
-	
+
 	me = this->ike_sa->get_my_host(this->ike_sa);
 	other = this->ike_sa->get_other_host(this->ike_sa);
 	my_id = this->ike_sa->get_my_id(this->ike_sa);
 	other_id = this->ike_sa->get_other_id(this->ike_sa);
-	
+
 	enumerator = charon->backends->create_peer_cfg_enumerator(charon->backends,
 													me, other, my_id, other_id);
 	while (enumerator->enumerate(enumerator, &peer_cfg))
@@ -296,10 +279,10 @@ static bool update_cfg_candidates(private_ike_auth_t *this, bool strict)
 			bool complies = TRUE;
 			enumerator_t *e1, *e2, *tmp;
 			auth_cfg_t *c1, *c2;
-			
-			e1 = this->other_cfgs->create_enumerator(this->other_cfgs);
+
+			e1 = this->ike_sa->create_auth_cfg_enumerator(this->ike_sa, FALSE);
 			e2 = this->peer_cfg->create_auth_cfg_enumerator(this->peer_cfg, FALSE);
-			
+
 			if (strict)
 			{	/* swap lists in strict mode: all configured rounds must be
 				 * fulfilled. If !strict, we check only the rounds done so far. */
@@ -342,7 +325,7 @@ static bool update_cfg_candidates(private_ike_auth_t *this, bool strict)
 		}
 	}
 	while (this->peer_cfg);
-	
+
 	return this->peer_cfg != NULL;
 }
 
@@ -352,39 +335,45 @@ static bool update_cfg_candidates(private_ike_auth_t *this, bool strict)
 static status_t build_i(private_ike_auth_t *this, message_t *message)
 {
 	auth_cfg_t *cfg;
-	
+
 	if (message->get_exchange_type(message) == IKE_SA_INIT)
 	{
 		return collect_my_init_data(this, message);
 	}
-	
+
 	if (this->peer_cfg == NULL)
 	{
 		this->peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
 		this->peer_cfg->get_ref(this->peer_cfg);
 	}
-	
-	if (message->get_message_id(message) == 1 &&
-		this->ike_sa->supports_extension(this->ike_sa, EXT_MULTIPLE_AUTH))
-	{	/* in the first IKE_AUTH, indicate support for multiple authentication */
-		message->add_notify(message, FALSE, MULTIPLE_AUTH_SUPPORTED, chunk_empty);
+
+	if (message->get_message_id(message) == 1)
+	{	/* in the first IKE_AUTH ... */
+		if (this->ike_sa->supports_extension(this->ike_sa, EXT_MULTIPLE_AUTH))
+		{	/* indicate support for multiple authentication */
+			message->add_notify(message, FALSE, MULTIPLE_AUTH_SUPPORTED,
+								chunk_empty);
+		}
+		/* indicate support for EAP-only authentication */
+		message->add_notify(message, FALSE, EAP_ONLY_AUTHENTICATION,
+							chunk_empty);
 	}
-	
+
 	if (!this->do_another_auth && !this->my_auth)
 	{	/* we have done our rounds */
 		return NEED_MORE;
 	}
-	
+
 	/* check if an authenticator is in progress */
 	if (this->my_auth == NULL)
 	{
 		identification_t *id;
 		id_payload_t *id_payload;
-		
+
 		/* clean up authentication config from a previous round */
 		cfg = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
 		cfg->purge(cfg, TRUE);
-		
+
 		/* add (optional) IDr */
 		cfg = get_auth_cfg(this, FALSE);
 		if (cfg)
@@ -410,7 +399,7 @@ static status_t build_i(private_ike_auth_t *this, message_t *message)
 		this->ike_sa->set_my_id(this->ike_sa, id->clone(id));
 		id_payload = id_payload_create_from_identification(ID_INITIATOR, id);
 		message->add_payload(message, (payload_t*)id_payload);
-		
+
 		/* build authentication data */
 		this->my_auth = authenticator_create_builder(this->ike_sa, cfg,
 							this->other_nonce, this->my_nonce,
@@ -427,7 +416,7 @@ static status_t build_i(private_ike_auth_t *this, message_t *message)
 			/* authentication step complete, reset authenticator */
 			cfg = auth_cfg_create();
 			cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, TRUE), TRUE);
-			this->my_cfgs->insert_last(this->my_cfgs, cfg);
+			this->ike_sa->add_auth_cfg(this->ike_sa, TRUE, cfg);
 			this->my_auth->destroy(this->my_auth);
 			this->my_auth = NULL;
 			break;
@@ -436,7 +425,7 @@ static status_t build_i(private_ike_auth_t *this, message_t *message)
 		default:
 			return FAILED;
 	}
-	
+
 	/* check for additional authentication rounds */
 	if (do_another_auth(this))
 	{
@@ -460,12 +449,12 @@ static status_t process_r(private_ike_auth_t *this, message_t *message)
 	auth_cfg_t *cfg, *cand;
 	id_payload_t *id_payload;
 	identification_t *id;
-	
+
 	if (message->get_exchange_type(message) == IKE_SA_INIT)
 	{
 		return collect_other_init_data(this, message);
 	}
-	
+
 	if (this->my_auth == NULL && this->do_another_auth)
 	{
 		/* handle (optional) IDr payload, apply proposed identity */
@@ -480,16 +469,26 @@ static status_t process_r(private_ike_auth_t *this, message_t *message)
 		}
 		this->ike_sa->set_my_id(this->ike_sa, id);
 	}
-	
+
 	if (!this->expect_another_auth)
 	{
 		return NEED_MORE;
 	}
-	if (message->get_notify(message, MULTIPLE_AUTH_SUPPORTED))
-	{
-		this->ike_sa->enable_extension(this->ike_sa, EXT_MULTIPLE_AUTH);
+
+	if (message->get_message_id(message) == 1)
+	{	/* check for extensions in the first IKE_AUTH */
+		if (message->get_notify(message, MULTIPLE_AUTH_SUPPORTED))
+		{
+			this->ike_sa->enable_extension(this->ike_sa, EXT_MULTIPLE_AUTH);
+		}
+		if (this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN) &&
+			message->get_notify(message, EAP_ONLY_AUTHENTICATION))
+		{	/* EAP-only has no official notify, accept only from strongSwan */
+			this->ike_sa->enable_extension(this->ike_sa,
+										   EXT_EAP_ONLY_AUTHENTICATION);
+		}
 	}
-	
+
 	if (this->other_auth == NULL)
 	{
 		/* handle IDi payload */
@@ -503,7 +502,7 @@ static status_t process_r(private_ike_auth_t *this, message_t *message)
 		this->ike_sa->set_other_id(this->ike_sa, id);
 		cfg = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
 		cfg->add(cfg, AUTH_RULE_IDENTITY, id->clone(id));
-		
+
 		if (this->peer_cfg == NULL)
 		{
 			if (!load_cfg_candidates(this))
@@ -530,7 +529,7 @@ static status_t process_r(private_ike_auth_t *this, message_t *message)
 			}
 			cfg->merge(cfg, cand, TRUE);
 		}
-		
+
 		/* verify authentication data */
 		this->other_auth = authenticator_create_verifier(this->ike_sa,
 							message, this->other_nonce, this->my_nonce,
@@ -558,27 +557,26 @@ static status_t process_r(private_ike_auth_t *this, message_t *message)
 			this->authentication_failed = TRUE;
 			return NEED_MORE;
 	}
-	
+
 	/* store authentication information */
 	cfg = auth_cfg_create();
 	cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, FALSE), FALSE);
-	this->other_cfgs->insert_last(this->other_cfgs, cfg);
-	
+	this->ike_sa->add_auth_cfg(this->ike_sa, FALSE, cfg);
+
 	/* another auth round done, invoke authorize hook */
-	if (!charon->bus->authorize(charon->bus, this->other_cfgs, FALSE))
+	if (!charon->bus->authorize(charon->bus, FALSE))
 	{
-		DBG1(DBG_IKE, "round %d authorization hook forbids IKE_SA, cancelling",
-			 this->other_cfgs->get_count(this->other_cfgs));
+		DBG1(DBG_IKE, "authorization hook forbids IKE_SA, cancelling");
 		this->authentication_failed = TRUE;
 		return NEED_MORE;
 	}
-	
+
 	if (!update_cfg_candidates(this, FALSE))
 	{
 		this->authentication_failed = TRUE;
 		return NEED_MORE;
 	}
-	
+
 	if (message->get_notify(message, ANOTHER_AUTH_FOLLOWS) == NULL)
 	{
 		this->expect_another_auth = FALSE;
@@ -597,7 +595,7 @@ static status_t process_r(private_ike_auth_t *this, message_t *message)
 static status_t build_r(private_ike_auth_t *this, message_t *message)
 {
 	auth_cfg_t *cfg;
-	
+
 	if (message->get_exchange_type(message) == IKE_SA_INIT)
 	{
 		if (multiple_auth_enabled())
@@ -607,23 +605,23 @@ static status_t build_r(private_ike_auth_t *this, message_t *message)
 		}
 		return collect_my_init_data(this, message);
 	}
-	
+
 	if (this->authentication_failed || this->peer_cfg == NULL)
 	{
 		message->add_notify(message, TRUE, AUTHENTICATION_FAILED, chunk_empty);
 		return FAILED;
 	}
-	
+
 	if (this->my_auth == NULL && this->do_another_auth)
 	{
 		identification_t *id, *id_cfg;
 		id_payload_t *id_payload;
-		
+
 		/* add IDr */
 		cfg = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
 		cfg->purge(cfg, TRUE);
 		cfg->merge(cfg, get_auth_cfg(this, TRUE), TRUE);
-		
+
 		id_cfg = cfg->get(cfg, AUTH_RULE_IDENTITY);
 		id = this->ike_sa->get_my_id(this->ike_sa);
 		if (id->get_type(id) == ID_ANY)
@@ -648,22 +646,38 @@ static status_t build_r(private_ike_auth_t *this, message_t *message)
 				return FAILED;
 			}
 		}
-		
+
 		id_payload = id_payload_create_from_identification(ID_RESPONDER, id);
 		message->add_payload(message, (payload_t*)id_payload);
-		
-		/* build authentication data */
-		this->my_auth = authenticator_create_builder(this->ike_sa, cfg,
-							this->other_nonce, this->my_nonce,
-							this->other_packet->get_data(this->other_packet),
-							this->my_packet->get_data(this->my_packet));
-		if (!this->my_auth)
+
+		if ((uintptr_t)cfg->get(cfg, AUTH_RULE_AUTH_CLASS) == AUTH_CLASS_EAP)
+		{	/* EAP-only authentication */
+			if (!this->ike_sa->supports_extension(this->ike_sa,
+												  EXT_EAP_ONLY_AUTHENTICATION))
+			{
+				DBG1(DBG_IKE, "configured EAP-only authentication, but peer "
+					 "does not support it");
+				message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
+									chunk_empty);
+				return FAILED;
+			}
+		}
+		else
 		{
-			message->add_notify(message, TRUE, AUTHENTICATION_FAILED, chunk_empty);
-			return FAILED;
+			/* build authentication data */
+			this->my_auth = authenticator_create_builder(this->ike_sa, cfg,
+								this->other_nonce, this->my_nonce,
+								this->other_packet->get_data(this->other_packet),
+								this->my_packet->get_data(this->my_packet));
+			if (!this->my_auth)
+			{
+				message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
+									chunk_empty);
+				return FAILED;
+			}
 		}
 	}
-	
+
 	if (this->other_auth)
 	{
 		switch (this->other_auth->build(this->other_auth, message))
@@ -691,7 +705,7 @@ static status_t build_r(private_ike_auth_t *this, message_t *message)
 				cfg = auth_cfg_create();
 				cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, TRUE),
 						   TRUE);
-				this->my_cfgs->insert_last(this->my_cfgs, cfg);
+				this->ike_sa->add_auth_cfg(this->ike_sa, TRUE, cfg);
 				this->my_auth->destroy(this->my_auth);
 				this->my_auth = NULL;
 				break;
@@ -703,7 +717,7 @@ static status_t build_r(private_ike_auth_t *this, message_t *message)
 				return FAILED;
 		}
 	}
-	
+
 	/* check for additional authentication rounds */
 	if (do_another_auth(this))
 	{
@@ -723,21 +737,21 @@ static status_t build_r(private_ike_auth_t *this, message_t *message)
 								chunk_empty);
 			return FAILED;
 		}
-		if (!charon->bus->authorize(charon->bus, this->other_cfgs, TRUE))
+		if (!charon->bus->authorize(charon->bus, TRUE))
 		{
 			DBG1(DBG_IKE, "final authorization hook forbids IKE_SA, cancelling");
 			message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
 								chunk_empty);
 			return FAILED;
 		}
-		this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
 		DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
 			 this->ike_sa->get_name(this->ike_sa),
 			 this->ike_sa->get_unique_id(this->ike_sa),
 			 this->ike_sa->get_my_host(this->ike_sa),
-			 this->ike_sa->get_my_id(this->ike_sa), 
+			 this->ike_sa->get_my_id(this->ike_sa),
 			 this->ike_sa->get_other_host(this->ike_sa),
 			 this->ike_sa->get_other_id(this->ike_sa));
+		this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
 		charon->bus->ike_updown(charon->bus, this->ike_sa, TRUE);
 		return SUCCESS;
 	}
@@ -752,7 +766,8 @@ static status_t process_i(private_ike_auth_t *this, message_t *message)
 	enumerator_t *enumerator;
 	payload_t *payload;
 	auth_cfg_t *cfg;
-	
+	bool mutual_eap = FALSE;
+
 	if (message->get_exchange_type(message) == IKE_SA_INIT)
 	{
 		if (message->get_notify(message, MULTIPLE_AUTH_SUPPORTED) &&
@@ -762,7 +777,7 @@ static status_t process_i(private_ike_auth_t *this, message_t *message)
 		}
 		return collect_other_init_data(this, message);
 	}
-	
+
 	enumerator = message->create_payload_enumerator(message);
 	while (enumerator->enumerate(enumerator, &payload))
 	{
@@ -770,7 +785,7 @@ static status_t process_i(private_ike_auth_t *this, message_t *message)
 		{
 			notify_payload_t *notify = (notify_payload_t*)payload;
 			notify_type_t type = notify->get_notify_type(notify);
-			
+
 			switch (type)
 			{
 				case NO_PROPOSAL_CHOSEN:
@@ -801,7 +816,7 @@ static status_t process_i(private_ike_auth_t *this, message_t *message)
 						DBG1(DBG_IKE, "received %N notify error",
 							 notify_type_names, type);
 						enumerator->destroy(enumerator);
-						return FAILED;	
+						return FAILED;
 					}
 					DBG2(DBG_IKE, "received %N notify",
 						notify_type_names, type);
@@ -811,41 +826,14 @@ static status_t process_i(private_ike_auth_t *this, message_t *message)
 		}
 	}
 	enumerator->destroy(enumerator);
-	
-	if (this->my_auth)
-	{
-		switch (this->my_auth->process(this->my_auth, message))
-		{
-			case SUCCESS:
-				cfg = auth_cfg_create();
-				cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, TRUE),
-						   TRUE);
-				this->my_cfgs->insert_last(this->my_cfgs, cfg);
-				this->my_auth->destroy(this->my_auth);
-				this->my_auth = NULL;
-				this->do_another_auth = do_another_auth(this);
-				break;
-			case NEED_MORE:
-				break;
-			default:
-				return FAILED;
-		}
-	}
-	
+
 	if (this->expect_another_auth)
 	{
 		if (this->other_auth == NULL)
 		{
 			id_payload_t *id_payload;
 			identification_t *id;
-			
-			/* responder is not allowed to do EAP */
-			if (!message->get_payload(message, AUTHENTICATION))
-			{
-				DBG1(DBG_IKE, "AUTH payload missing");
-				return FAILED;
-			}
-			
+
 			/* handle IDr payload */
 			id_payload = (id_payload_t*)message->get_payload(message,
 															 ID_RESPONDER);
@@ -858,42 +846,81 @@ static status_t process_i(private_ike_auth_t *this, message_t *message)
 			this->ike_sa->set_other_id(this->ike_sa, id);
 			cfg = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
 			cfg->add(cfg, AUTH_RULE_IDENTITY, id->clone(id));
-			
-			/* verify authentication data */
-			this->other_auth = authenticator_create_verifier(this->ike_sa,
-							message, this->other_nonce, this->my_nonce,
-							this->other_packet->get_data(this->other_packet),
-							this->my_packet->get_data(this->my_packet));
-			if (!this->other_auth)
+
+			if (message->get_payload(message, AUTHENTICATION))
 			{
-				return FAILED;
+				/* verify authentication data */
+				this->other_auth = authenticator_create_verifier(this->ike_sa,
+								message, this->other_nonce, this->my_nonce,
+								this->other_packet->get_data(this->other_packet),
+								this->my_packet->get_data(this->my_packet));
+				if (!this->other_auth)
+				{
+					return FAILED;
+				}
+			}
+			else
+			{
+				/* responder omitted AUTH payload, indicating EAP-only */
+				mutual_eap = TRUE;
 			}
 		}
-		switch (this->other_auth->process(this->other_auth, message))
+		if (this->other_auth)
+		{
+			switch (this->other_auth->process(this->other_auth, message))
+			{
+				case SUCCESS:
+					break;
+				case NEED_MORE:
+					return NEED_MORE;
+				default:
+					return FAILED;
+			}
+			this->other_auth->destroy(this->other_auth);
+			this->other_auth = NULL;
+		}
+		/* store authentication information, reset authenticator */
+		cfg = auth_cfg_create();
+		cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, FALSE), FALSE);
+		this->ike_sa->add_auth_cfg(this->ike_sa, FALSE, cfg);
+
+		/* another auth round done, invoke authorize hook */
+		if (!charon->bus->authorize(charon->bus, FALSE))
+		{
+			DBG1(DBG_IKE, "authorization forbids IKE_SA, cancelling");
+			return FAILED;
+		}
+	}
+
+	if (this->my_auth)
+	{
+		switch (this->my_auth->process(this->my_auth, message))
 		{
 			case SUCCESS:
+				cfg = auth_cfg_create();
+				cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, TRUE),
+						   TRUE);
+				this->ike_sa->add_auth_cfg(this->ike_sa, TRUE, cfg);
+				this->my_auth->destroy(this->my_auth);
+				this->my_auth = NULL;
+				this->do_another_auth = do_another_auth(this);
 				break;
 			case NEED_MORE:
-				return NEED_MORE;
+				break;
 			default:
 				return FAILED;
 		}
-		/* store authentication information, reset authenticator */
-		cfg = auth_cfg_create();
-		cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, FALSE), FALSE);
-		this->other_cfgs->insert_last(this->other_cfgs, cfg);
-		this->other_auth->destroy(this->other_auth);
-		this->other_auth = NULL;
-		
-		/* another auth round done, invoke authorize hook */
-		if (!charon->bus->authorize(charon->bus, this->other_cfgs, FALSE))
+	}
+	if (mutual_eap)
+	{
+		if (!this->my_auth || !this->my_auth->is_mutual(this->my_auth))
 		{
-			DBG1(DBG_IKE, "round %d authorization forbids IKE_SA, cancelling",
-				 this->other_cfgs->get_count(this->other_cfgs));
+			DBG1(DBG_IKE, "do not allow non-mutual EAP-only authentication");
 			return FAILED;
 		}
+		DBG1(DBG_IKE, "allow mutual EAP-only authentication");
 	}
-	
+
 	if (message->get_notify(message, ANOTHER_AUTH_FOLLOWS) == NULL)
 	{
 		this->expect_another_auth = FALSE;
@@ -904,19 +931,19 @@ static status_t process_i(private_ike_auth_t *this, message_t *message)
 		{
 			return FAILED;
 		}
-		if (!charon->bus->authorize(charon->bus, this->other_cfgs, TRUE))
+		if (!charon->bus->authorize(charon->bus, TRUE))
 		{
 			DBG1(DBG_IKE, "final authorization hook forbids IKE_SA, cancelling");
 			return FAILED;
 		}
-		this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
 		DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
 			 this->ike_sa->get_name(this->ike_sa),
 			 this->ike_sa->get_unique_id(this->ike_sa),
 			 this->ike_sa->get_my_host(this->ike_sa),
-			 this->ike_sa->get_my_id(this->ike_sa), 
+			 this->ike_sa->get_my_id(this->ike_sa),
 			 this->ike_sa->get_other_host(this->ike_sa),
 			 this->ike_sa->get_other_id(this->ike_sa));
+		this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
 		charon->bus->ike_updown(charon->bus, this->ike_sa, TRUE);
 		return SUCCESS;
 	}
@@ -943,10 +970,8 @@ static void migrate(private_ike_auth_t *this, ike_sa_t *ike_sa)
 	DESTROY_IF(this->peer_cfg);
 	DESTROY_IF(this->my_auth);
 	DESTROY_IF(this->other_auth);
-	this->my_cfgs->destroy_offset(this->my_cfgs, offsetof(auth_cfg_t, destroy));
-	this->other_cfgs->destroy_offset(this->other_cfgs, offsetof(auth_cfg_t, destroy));
 	this->candidates->destroy_offset(this->candidates, offsetof(peer_cfg_t, destroy));
-	
+
 	this->my_packet = NULL;
 	this->other_packet = NULL;
 	this->ike_sa = ike_sa;
@@ -956,8 +981,6 @@ static void migrate(private_ike_auth_t *this, ike_sa_t *ike_sa)
 	this->do_another_auth = TRUE;
 	this->expect_another_auth = TRUE;
 	this->authentication_failed = FALSE;
-	this->my_cfgs = linked_list_create();
-	this->other_cfgs = linked_list_create();
 	this->candidates = linked_list_create();
 }
 
@@ -973,8 +996,6 @@ static void destroy(private_ike_auth_t *this)
 	DESTROY_IF(this->my_auth);
 	DESTROY_IF(this->other_auth);
 	DESTROY_IF(this->peer_cfg);
-	this->my_cfgs->destroy_offset(this->my_cfgs, offsetof(auth_cfg_t, destroy));
-	this->other_cfgs->destroy_offset(this->other_cfgs, offsetof(auth_cfg_t, destroy));
 	this->candidates->destroy_offset(this->candidates, offsetof(peer_cfg_t, destroy));
 	free(this);
 }
@@ -985,11 +1006,11 @@ static void destroy(private_ike_auth_t *this)
 ike_auth_t *ike_auth_create(ike_sa_t *ike_sa, bool initiator)
 {
 	private_ike_auth_t *this = malloc_thing(private_ike_auth_t);
-	
+
 	this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
 	this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
 	this->public.task.destroy = (void(*)(task_t*))destroy;
-	
+
 	if (initiator)
 	{
 		this->public.task.build = (status_t(*)(task_t*,message_t*))build_i;
@@ -1000,7 +1021,7 @@ ike_auth_t *ike_auth_create(ike_sa_t *ike_sa, bool initiator)
 		this->public.task.build = (status_t(*)(task_t*,message_t*))build_r;
 		this->public.task.process = (status_t(*)(task_t*,message_t*))process_r;
 	}
-	
+
 	this->ike_sa = ike_sa;
 	this->initiator = initiator;
 	this->my_nonce = chunk_empty;
@@ -1008,15 +1029,13 @@ ike_auth_t *ike_auth_create(ike_sa_t *ike_sa, bool initiator)
 	this->my_packet = NULL;
 	this->other_packet = NULL;
 	this->peer_cfg = NULL;
-	this->my_cfgs = linked_list_create();
-	this->other_cfgs = linked_list_create();
 	this->candidates = linked_list_create();
 	this->my_auth = NULL;
 	this->other_auth = NULL;
 	this->do_another_auth = TRUE;
 	this->expect_another_auth = TRUE;
 	this->authentication_failed = FALSE;
-	
+
 	return &this->public;
 }
 
diff --git a/src/charon/sa/tasks/ike_auth_lifetime.c b/src/charon/sa/tasks/ike_auth_lifetime.c
index a047e6b81..75ff35168 100644
--- a/src/charon/sa/tasks/ike_auth_lifetime.c
+++ b/src/charon/sa/tasks/ike_auth_lifetime.c
@@ -27,12 +27,12 @@ typedef struct private_ike_auth_lifetime_t private_ike_auth_lifetime_t;
  * Private members of a ike_auth_lifetime_t task.
  */
 struct private_ike_auth_lifetime_t {
-	
+
 	/**
 	 * Public methods and task_t interface.
 	 */
 	ike_auth_lifetime_t public;
-	
+
 	/**
 	 * Assigned IKE_SA.
 	 */
@@ -46,11 +46,11 @@ static void add_auth_lifetime(private_ike_auth_lifetime_t *this, message_t *mess
 {
 	chunk_t chunk;
 	u_int32_t lifetime;
-	
+
 	lifetime = this->ike_sa->get_statistic(this->ike_sa, STAT_REAUTH);
 	if (lifetime)
 	{
-		lifetime -= time(NULL);
+		lifetime -= time_monotonic(NULL);
 		chunk = chunk_from_thing(lifetime);
 		*(u_int32_t*)chunk.ptr = htonl(lifetime);
 		message->add_notify(message, FALSE, AUTH_LIFETIME, chunk);
@@ -62,31 +62,17 @@ static void add_auth_lifetime(private_ike_auth_lifetime_t *this, message_t *mess
  */
 static void process_payloads(private_ike_auth_lifetime_t *this, message_t *message)
 {
-	enumerator_t *enumerator;
-	payload_t *payload;
 	notify_payload_t *notify;
-	
-	enumerator = message->create_payload_enumerator(message);
-	while (enumerator->enumerate(enumerator, &payload))
+	chunk_t data;
+	u_int32_t lifetime;
+
+	notify = message->get_notify(message, AUTH_LIFETIME);
+	if (notify)
 	{
-		if (payload->get_type(payload) == NOTIFY)
-		{
-			notify = (notify_payload_t*)payload;
-			switch (notify->get_notify_type(notify))
-			{
-				case AUTH_LIFETIME:					
-				{
-					chunk_t data = notify->get_notification_data(notify);
-					u_int32_t lifetime = ntohl(*(u_int32_t*)data.ptr);
-					this->ike_sa->set_auth_lifetime(this->ike_sa, lifetime);
-					break;
-				}
-				default:
-					break;
-			}
-		}
+		data = notify->get_notification_data(notify);
+		lifetime = ntohl(*(u_int32_t*)data.ptr);
+		this->ike_sa->set_auth_lifetime(this->ike_sa, lifetime);
 	}
-	enumerator->destroy(enumerator);
 }
 
 /**
@@ -177,7 +163,7 @@ ike_auth_lifetime_t *ike_auth_lifetime_create(ike_sa_t *ike_sa, bool initiator)
 	this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
 	this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
 	this->public.task.destroy = (void(*)(task_t*))destroy;
-	
+
 	if (initiator)
 	{
 		this->public.task.build = (status_t(*)(task_t*,message_t*))build_i;
@@ -188,9 +174,9 @@ ike_auth_lifetime_t *ike_auth_lifetime_create(ike_sa_t *ike_sa, bool initiator)
 		this->public.task.build = (status_t(*)(task_t*,message_t*))build_r;
 		this->public.task.process = (status_t(*)(task_t*,message_t*))process_r;
 	}
-	
+
 	this->ike_sa = ike_sa;
-	
+
 	return &this->public;
 }
 
diff --git a/src/charon/sa/tasks/ike_auth_lifetime.h b/src/charon/sa/tasks/ike_auth_lifetime.h
index 812caaf43..3b129b9e3 100644
--- a/src/charon/sa/tasks/ike_auth_lifetime.h
+++ b/src/charon/sa/tasks/ike_auth_lifetime.h
@@ -30,7 +30,7 @@ typedef struct ike_auth_lifetime_t ike_auth_lifetime_t;
 /**
  * Task of type IKE_AUTH_LIFETIME, implements RFC4478.
  *
- * This task exchanges lifetimes for IKE_AUTH to force a client to 
+ * This task exchanges lifetimes for IKE_AUTH to force a client to
  * reauthenticate before the responders lifetime reaches the limit.
  */
 struct ike_auth_lifetime_t {
@@ -46,7 +46,7 @@ struct ike_auth_lifetime_t {
  *
  * @param ike_sa		IKE_SA this task works for
  * @param initiator		TRUE if taks is initiated by us
- * @return			  	ike_auth_lifetime task to handle by the task_manager
+ * @return				ike_auth_lifetime task to handle by the task_manager
  */
 ike_auth_lifetime_t *ike_auth_lifetime_create(ike_sa_t *ike_sa, bool initiator);
 
diff --git a/src/charon/sa/tasks/ike_cert_post.c b/src/charon/sa/tasks/ike_cert_post.c
index 70e87c2e7..c831df975 100644
--- a/src/charon/sa/tasks/ike_cert_post.c
+++ b/src/charon/sa/tasks/ike_cert_post.c
@@ -30,17 +30,17 @@ typedef struct private_ike_cert_post_t private_ike_cert_post_t;
  * Private members of a ike_cert_post_t task.
  */
 struct private_ike_cert_post_t {
-	
+
 	/**
 	 * Public methods and task_t interface.
 	 */
 	ike_cert_post_t public;
-	
+
 	/**
 	 * Assigned IKE_SA.
 	 */
 	ike_sa_t *ike_sa;
-	
+
 	/**
 	 * Are we the initiator?
 	 */
@@ -50,49 +50,47 @@ struct private_ike_cert_post_t {
 /**
  * Generates the cert payload, if possible with "Hash and URL"
  */
-static cert_payload_t *build_cert_payload(private_ike_cert_post_t *this, certificate_t *cert)
+static cert_payload_t *build_cert_payload(private_ike_cert_post_t *this,
+										 certificate_t *cert)
 {
+	hasher_t *hasher;
+	identification_t *id;
+	chunk_t hash, encoded ;
+	enumerator_t *enumerator;
+	char *url;
 	cert_payload_t *payload = NULL;
-	
-	if (this->ike_sa->supports_extension(this->ike_sa, EXT_HASH_AND_URL))
+
+	if (!this->ike_sa->supports_extension(this->ike_sa, EXT_HASH_AND_URL))
 	{
-		/* ok, our peer sent us a HTTP_CERT_LOOKUP_SUPPORTED Notify */
-		hasher_t *hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
-		if (hasher != NULL)
-		{	
-			chunk_t hash, encoded = cert->get_encoding(cert);
-			enumerator_t *enumerator;
-			char *url;
-			
-			hasher->allocate_hash(hasher, encoded, &hash);
-			identification_t *id = identification_create_from_encoding(ID_CERT_DER_SHA1, hash);
-			
-			enumerator = charon->credentials->create_cdp_enumerator(charon->credentials, CERT_X509, id);
-			if (enumerator->enumerate(enumerator, &url))
-			{
-				/* if we have an URL available we send that to our peer */
-				payload = cert_payload_create_from_hash_and_url(hash, url);
-			}
-			enumerator->destroy(enumerator);
-			
-			id->destroy(id);
-			chunk_free(&hash);
-			chunk_free(&encoded);
-			hasher->destroy(hasher);
-		}
-		else
-		{
-			DBG1(DBG_IKE, "unable to use hash-and-url: sha1 not supported");
-		}
+		return cert_payload_create_from_cert(cert);
+	}
+
+	hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
+	if (!hasher)
+	{
+		DBG1(DBG_IKE, "unable to use hash-and-url: sha1 not supported");
+		return cert_payload_create_from_cert(cert);
 	}
-	
-	if (!payload)
+
+	encoded = cert->get_encoding(cert);
+	hasher->allocate_hash(hasher, encoded, &hash);
+	chunk_free(&encoded);
+	hasher->destroy(hasher);
+	id = identification_create_from_encoding(ID_KEY_ID, hash);
+
+	enumerator = charon->credentials->create_cdp_enumerator(charon->credentials,
+															CERT_X509, id);
+	if (enumerator->enumerate(enumerator, &url))
+	{
+		payload = cert_payload_create_from_hash_and_url(hash, url);
+	}
+	else
 	{
-		/* our peer does not support "Hash and URL" or we do not have an URL
-		 * to send to our peer, just create a normal cert payload */
 		payload = cert_payload_create_from_cert(cert);
 	}
-	
+	enumerator->destroy(enumerator);
+	chunk_free(&hash);
+	id->destroy(id);
 	return payload;
 }
 
@@ -103,14 +101,14 @@ static void build_certs(private_ike_cert_post_t *this, message_t *message)
 {
 	peer_cfg_t *peer_cfg;
 	auth_payload_t *payload;
-	
+
 	payload = (auth_payload_t*)message->get_payload(message, AUTHENTICATION);
 	peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
 	if (!peer_cfg || !payload || payload->get_auth_method(payload) == AUTH_PSK)
 	{	/* no CERT payload for EAP/PSK */
 		return;
 	}
-	
+
 	switch (peer_cfg->get_cert_policy(peer_cfg))
 	{
 		case CERT_NEVER_SEND:
@@ -128,9 +126,9 @@ static void build_certs(private_ike_cert_post_t *this, message_t *message)
 			certificate_t *cert;
 			auth_rule_t type;
 			auth_cfg_t *auth;
-			
+
 			auth = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
-			
+
 			/* get subject cert first, then issuing certificates */
 			cert = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
 			if (!cert)
@@ -145,7 +143,7 @@ static void build_certs(private_ike_cert_post_t *this, message_t *message)
 			DBG1(DBG_IKE, "sending end entity cert \"%Y\"",
 				 cert->get_subject(cert));
 			message->add_payload(message, (payload_t*)payload);
-			
+
 			enumerator = auth->create_enumerator(auth);
 			while (enumerator->enumerate(enumerator, &type, &cert))
 			{
@@ -161,7 +159,7 @@ static void build_certs(private_ike_cert_post_t *this, message_t *message)
 				}
 			}
 			enumerator->destroy(enumerator);
-		}	
+		}
 	}
 }
 
@@ -171,7 +169,7 @@ static void build_certs(private_ike_cert_post_t *this, message_t *message)
 static status_t build_i(private_ike_cert_post_t *this, message_t *message)
 {
 	build_certs(this, message);
-	
+
 	return NEED_MORE;
 }
 
@@ -179,7 +177,7 @@ static status_t build_i(private_ike_cert_post_t *this, message_t *message)
  * Implementation of task_t.process for responder
  */
 static status_t process_r(private_ike_cert_post_t *this, message_t *message)
-{	
+{
 	return NEED_MORE;
 }
 
@@ -189,7 +187,7 @@ static status_t process_r(private_ike_cert_post_t *this, message_t *message)
 static status_t build_r(private_ike_cert_post_t *this, message_t *message)
 {
 	build_certs(this, message);
-	
+
 	if (this->ike_sa->get_state(this->ike_sa) != IKE_ESTABLISHED)
 	{	/* stay alive, we might have additional rounds with certs */
 		return NEED_MORE;
@@ -243,7 +241,7 @@ ike_cert_post_t *ike_cert_post_create(ike_sa_t *ike_sa, bool initiator)
 	this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
 	this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
 	this->public.task.destroy = (void(*)(task_t*))destroy;
-	
+
 	if (initiator)
 	{
 		this->public.task.build = (status_t(*)(task_t*,message_t*))build_i;
@@ -254,10 +252,10 @@ ike_cert_post_t *ike_cert_post_create(ike_sa_t *ike_sa, bool initiator)
 		this->public.task.build = (status_t(*)(task_t*,message_t*))build_r;
 		this->public.task.process = (status_t(*)(task_t*,message_t*))process_r;
 	}
-	
+
 	this->ike_sa = ike_sa;
 	this->initiator = initiator;
-	
+
 	return &this->public;
 }
 
diff --git a/src/charon/sa/tasks/ike_cert_post.h b/src/charon/sa/tasks/ike_cert_post.h
index fa555eac7..a21f45927 100644
--- a/src/charon/sa/tasks/ike_cert_post.h
+++ b/src/charon/sa/tasks/ike_cert_post.h
@@ -46,7 +46,7 @@ struct ike_cert_post_t {
  *
  * @param ike_sa		IKE_SA this task works for
  * @param initiator		TRUE if thask is the original initator
- * @return			  	ike_cert_post task to handle by the task_manager
+ * @return				ike_cert_post task to handle by the task_manager
  */
 ike_cert_post_t *ike_cert_post_create(ike_sa_t *ike_sa, bool initiator);
 
diff --git a/src/charon/sa/tasks/ike_cert_pre.c b/src/charon/sa/tasks/ike_cert_pre.c
index 1c72f289f..0805d0290 100644
--- a/src/charon/sa/tasks/ike_cert_pre.c
+++ b/src/charon/sa/tasks/ike_cert_pre.c
@@ -29,27 +29,27 @@ typedef struct private_ike_cert_pre_t private_ike_cert_pre_t;
  * Private members of a ike_cert_pre_t task.
  */
 struct private_ike_cert_pre_t {
-	
+
 	/**
 	 * Public methods and task_t interface.
 	 */
 	ike_cert_pre_t public;
-	
+
 	/**
 	 * Assigned IKE_SA.
 	 */
 	ike_sa_t *ike_sa;
-	
+
 	/**
 	 * Are we the initiator?
 	 */
 	bool initiator;
-	
+
 	/**
 	 * Do we accept HTTP certificate lookup requests
 	 */
 	bool do_http_lookup;
-	
+
 	/**
 	 * wheter this is the final authentication round
 	 */
@@ -57,29 +57,29 @@ struct private_ike_cert_pre_t {
 };
 
 /**
- * read certificate requests 
+ * read certificate requests
  */
 static void process_certreqs(private_ike_cert_pre_t *this, message_t *message)
 {
 	enumerator_t *enumerator;
 	payload_t *payload;
 	auth_cfg_t *auth;
-	
+
 	auth = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
-	
+
 	enumerator = message->create_payload_enumerator(message);
 	while (enumerator->enumerate(enumerator, &payload))
 	{
-		switch(payload->get_type(payload))
+		switch (payload->get_type(payload))
 		{
 			case CERTIFICATE_REQUEST:
 			{
 				certreq_payload_t *certreq = (certreq_payload_t*)payload;
 				enumerator_t *enumerator;
 				chunk_t keyid;
-				
+
 				this->ike_sa->set_condition(this->ike_sa, COND_CERTREQ_SEEN, TRUE);
-				
+
 				if (certreq->get_cert_type(certreq) != CERT_X509)
 				{
 					DBG1(DBG_IKE, "cert payload %N not supported - ignored",
@@ -91,10 +91,9 @@ static void process_certreqs(private_ike_cert_pre_t *this, message_t *message)
 				{
 					identification_t *id;
 					certificate_t *cert;
-					
-					id = identification_create_from_encoding(
-											ID_PUBKEY_INFO_SHA1, keyid);
-					cert = charon->credentials->get_cert(charon->credentials, 
+
+					id = identification_create_from_encoding(ID_KEY_ID, keyid);
+					cert = charon->credentials->get_cert(charon->credentials,
 											CERT_X509, KEY_ANY, id, TRUE);
 					if (cert)
 					{
@@ -115,7 +114,7 @@ static void process_certreqs(private_ike_cert_pre_t *this, message_t *message)
 			case NOTIFY:
 			{
 				notify_payload_t *notify = (notify_payload_t*)payload;
-				
+
 				/* we only handle one type of notify here */
 				if (notify->get_notify_type(notify) == HTTP_CERT_LOOKUP_SUPPORTED)
 				{
@@ -135,11 +134,11 @@ static void process_certreqs(private_ike_cert_pre_t *this, message_t *message)
  * tries to extract a certificate from the cert payload or the credential
  * manager (based on the hash of a "Hash and URL" encoded cert).
  * Note: the returned certificate (if any) has to be destroyed
- */ 
+ */
 static certificate_t *try_get_cert(cert_payload_t *cert_payload)
 {
 	certificate_t *cert = NULL;
-	
+
 	switch (cert_payload->get_cert_encoding(cert_payload))
 	{
 		case ENC_X509_SIGNATURE:
@@ -156,8 +155,8 @@ static certificate_t *try_get_cert(cert_payload_t *cert_payload)
 				/* invalid "Hash and URL" data (logged elsewhere) */
 				break;
 			}
-			id = identification_create_from_encoding(ID_CERT_DER_SHA1, hash);
-			cert = charon->credentials->get_cert(charon->credentials, 
+			id = identification_create_from_encoding(ID_KEY_ID, hash);
+			cert = charon->credentials->get_cert(charon->credentials,
 												 CERT_X509, KEY_ANY, id, FALSE);
 			id->destroy(id);
 			break;
@@ -179,9 +178,9 @@ static void process_certs(private_ike_cert_pre_t *this, message_t *message)
 	payload_t *payload;
 	auth_cfg_t *auth;
 	bool first = TRUE;
-	
+
 	auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
-	
+
 	enumerator = message->create_payload_enumerator(message);
 	while (enumerator->enumerate(enumerator, &payload))
 	{
@@ -191,10 +190,10 @@ static void process_certs(private_ike_cert_pre_t *this, message_t *message)
 			cert_encoding_t encoding;
 			certificate_t *cert;
 			char *url;
-			
+
 			cert_payload = (cert_payload_t*)payload;
 			encoding = cert_payload->get_cert_encoding(cert_payload);
-			
+
 			switch (encoding)
 			{
 				case ENC_X509_HASH_AND_URL:
@@ -284,9 +283,9 @@ static void add_certreq(certreq_payload_t **req, certificate_t *cert)
 		case CERT_X509:
 		{
 			public_key_t *public;
-			identification_t *keyid;
+			chunk_t keyid;
 			x509_t *x509 = (x509_t*)cert;
-			
+
 			if (!(x509->get_flags(x509) & X509_CA))
 			{	/* no CA cert, skip */
 				break;
@@ -300,11 +299,13 @@ static void add_certreq(certreq_payload_t **req, certificate_t *cert)
 			{
 				*req = certreq_payload_create_type(CERT_X509);
 			}
-			keyid = public->get_id(public, ID_PUBKEY_INFO_SHA1);
-			(*req)->add_keyid(*req, keyid->get_encoding(keyid));
+			if (public->get_fingerprint(public, KEY_ID_PUBKEY_INFO_SHA1, &keyid))
+			{
+				(*req)->add_keyid(*req, keyid);
+				DBG1(DBG_IKE, "sending cert request for \"%Y\"",
+					 cert->get_subject(cert));
+			}
 			public->destroy(public);
-			DBG1(DBG_IKE, "sending cert request for \"%Y\"",
-				 cert->get_subject(cert));
 			break;
 		}
 		default:
@@ -320,7 +321,7 @@ static void add_certreqs(certreq_payload_t **req, auth_cfg_t *auth)
 	enumerator_t *enumerator;
 	auth_rule_t type;
 	void *value;
-	
+
 	enumerator = auth->create_enumerator(auth);
 	while (enumerator->enumerate(enumerator, &type, &value))
 	{
@@ -347,13 +348,13 @@ static void build_certreqs(private_ike_cert_pre_t *this, message_t *message)
 	certificate_t *cert;
 	auth_cfg_t *auth;
 	certreq_payload_t *req = NULL;
-	
+
 	ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa);
 	if (!ike_cfg->send_certreq(ike_cfg))
 	{
 		return;
 	}
-	
+
 	/* check if we require a specific CA for that peer */
 	peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
 	if (peer_cfg)
@@ -365,7 +366,7 @@ static void build_certreqs(private_ike_cert_pre_t *this, message_t *message)
 		}
 		enumerator->destroy(enumerator);
 	}
-	
+
 	if (!req)
 	{
 		/* otherwise add all trusted CA certificates */
@@ -377,11 +378,11 @@ static void build_certreqs(private_ike_cert_pre_t *this, message_t *message)
 		}
 		enumerator->destroy(enumerator);
 	}
-	
+
 	if (req)
 	{
 		message->add_payload(message, (payload_t*)req);
-		
+
 		if (lib->settings->get_bool(lib->settings, "charon.hash_and_url", FALSE))
 		{
 			message->add_notify(message, FALSE, HTTP_CERT_LOOKUP_SUPPORTED,
@@ -396,29 +397,15 @@ static void build_certreqs(private_ike_cert_pre_t *this, message_t *message)
  */
 static bool final_auth(message_t *message)
 {
-	enumerator_t *enumerator;
-	payload_t *payload;
-	notify_payload_t *notify;
-	
 	/* we check for an AUTH payload without a ANOTHER_AUTH_FOLLOWS notify */
 	if (message->get_payload(message, AUTHENTICATION) == NULL)
 	{
 		return FALSE;
 	}
-	enumerator = message->create_payload_enumerator(message);
-	while (enumerator->enumerate(enumerator, &payload))
+	if (message->get_notify(message, ANOTHER_AUTH_FOLLOWS))
 	{
-		if (payload->get_type(payload) == NOTIFY)
-		{
-			notify = (notify_payload_t*)payload;
-			if (notify->get_notify_type(notify) == ANOTHER_AUTH_FOLLOWS)
-			{
-				enumerator->destroy(enumerator);
-				return FALSE;
-			}
-		}
+		return FALSE;
 	}
-	enumerator->destroy(enumerator);
 	return TRUE;
 }
 
@@ -426,7 +413,7 @@ static bool final_auth(message_t *message)
  * Implementation of task_t.process for initiator
  */
 static status_t build_i(private_ike_cert_pre_t *this, message_t *message)
-{	
+{
 	if (message->get_message_id(message) == 1)
 	{	/* initiator sends CERTREQs in first IKE_AUTH */
 		build_certreqs(this, message);
@@ -474,7 +461,7 @@ static status_t process_i(private_ike_cert_pre_t *this, message_t *message)
 		process_certreqs(this, message);
 	}
 	process_certs(this, message);
-	
+
 	if (final_auth(message))
 	{
 		return SUCCESS;
@@ -516,7 +503,7 @@ ike_cert_pre_t *ike_cert_pre_create(ike_sa_t *ike_sa, bool initiator)
 	this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
 	this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
 	this->public.task.destroy = (void(*)(task_t*))destroy;
-	
+
 	if (initiator)
 	{
 		this->public.task.build = (status_t(*)(task_t*,message_t*))build_i;
@@ -527,11 +514,11 @@ ike_cert_pre_t *ike_cert_pre_create(ike_sa_t *ike_sa, bool initiator)
 		this->public.task.build = (status_t(*)(task_t*,message_t*))build_r;
 		this->public.task.process = (status_t(*)(task_t*,message_t*))process_r;
 	}
-	
+
 	this->ike_sa = ike_sa;
 	this->initiator = initiator;
 	this->do_http_lookup = FALSE;
 	this->final = FALSE;
-	
+
 	return &this->public;
 }
diff --git a/src/charon/sa/tasks/ike_cert_pre.h b/src/charon/sa/tasks/ike_cert_pre.h
index d49005e68..1541b80e5 100644
--- a/src/charon/sa/tasks/ike_cert_pre.h
+++ b/src/charon/sa/tasks/ike_cert_pre.h
@@ -46,7 +46,7 @@ struct ike_cert_pre_t {
  *
  * @param ike_sa		IKE_SA this task works for
  * @param initiator		TRUE if thask is the original initator
- * @return			  	ike_cert_pre task to handle by the task_manager
+ * @return				ike_cert_pre task to handle by the task_manager
  */
 ike_cert_pre_t *ike_cert_pre_create(ike_sa_t *ike_sa, bool initiator);
 
diff --git a/src/charon/sa/tasks/ike_config.c b/src/charon/sa/tasks/ike_config.c
index 1f75521b6..f010439fe 100644
--- a/src/charon/sa/tasks/ike_config.c
+++ b/src/charon/sa/tasks/ike_config.c
@@ -19,50 +19,60 @@
 #include <daemon.h>
 #include <encoding/payloads/cp_payload.h>
 
-#define DNS_SERVER_MAX		2
-#define NBNS_SERVER_MAX		2
-
 typedef struct private_ike_config_t private_ike_config_t;
 
 /**
  * Private members of a ike_config_t task.
  */
 struct private_ike_config_t {
-	
+
 	/**
 	 * Public methods and task_t interface.
 	 */
 	ike_config_t public;
-	
+
 	/**
 	 * Assigned IKE_SA.
 	 */
 	ike_sa_t *ike_sa;
-	
+
 	/**
 	 * Are we the initiator?
 	 */
 	bool initiator;
-	
+
 	/**
 	 * virtual ip
 	 */
 	host_t *virtual_ip;
+
+	/**
+	 * list of attributes requested and its handler, entry_t
+	 */
+	linked_list_t *requested;
 };
 
 /**
- * build INTERNAL_IPV4/6_ADDRESS from virtual ip
+ * Entry for a requested attribute and the requesting handler
+ */
+typedef struct {
+	/** attribute requested */
+	configuration_attribute_type_t type;
+	/** handler requesting this attribute */
+	attribute_handler_t *handler;
+} entry_t;
+
+/**
+ * build INTERNAL_IPV4/6_ADDRESS attribute from virtual ip
  */
-static void build_vip(private_ike_config_t *this, host_t *vip, cp_payload_t *cp)
+static configuration_attribute_t *build_vip(host_t *vip)
 {
-	configuration_attribute_t *ca;
+	configuration_attribute_type_t type;
 	chunk_t chunk, prefix;
-	
-	ca = configuration_attribute_create();
-	
+
 	if (vip->get_family(vip) == AF_INET)
 	{
-		ca->set_type(ca, INTERNAL_IP4_ADDRESS);
+		type = INTERNAL_IP4_ADDRESS;
 		if (vip->is_anyaddr(vip))
 		{
 			chunk = chunk_empty;
@@ -74,7 +84,7 @@ static void build_vip(private_ike_config_t *this, host_t *vip, cp_payload_t *cp)
 	}
 	else
 	{
-		ca->set_type(ca, INTERNAL_IP6_ADDRESS);
+		type = INTERNAL_IP6_ADDRESS;
 		if (vip->is_anyaddr(vip))
 		{
 			chunk = chunk_empty;
@@ -87,8 +97,42 @@ static void build_vip(private_ike_config_t *this, host_t *vip, cp_payload_t *cp)
 			chunk = chunk_cata("cc", chunk, prefix);
 		}
 	}
-	ca->set_value(ca, chunk);
-	cp->add_configuration_attribute(cp, ca);
+	return configuration_attribute_create_value(type, chunk);
+}
+
+/**
+ * Handle a received attribute as initiator
+ */
+static void handle_attribute(private_ike_config_t *this,
+							 configuration_attribute_t *ca)
+{
+	attribute_handler_t *handler = NULL;
+	enumerator_t *enumerator;
+	entry_t *entry;
+
+	/* find the handler which requested this attribute */
+	enumerator = this->requested->create_enumerator(this->requested);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (entry->type == ca->get_type(ca))
+		{
+			handler = entry->handler;
+			this->requested->remove_at(this->requested, enumerator);
+			free(entry);
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	/* and pass it to the handle function */
+	handler = lib->attributes->handle(lib->attributes,
+							this->ike_sa->get_other_id(this->ike_sa), handler,
+							ca->get_type(ca), ca->get_value(ca));
+	if (handler)
+	{
+		this->ike_sa->add_configuration_attribute(this->ike_sa,
+				handler, ca->get_type(ca), ca->get_value(ca));
+	}
 }
 
 /**
@@ -100,7 +144,7 @@ static void process_attribute(private_ike_config_t *this,
 	host_t *ip;
 	chunk_t addr;
 	int family = AF_INET6;
-	
+
 	switch (ca->get_type(ca))
 	{
 		case INTERNAL_IP4_ADDRESS:
@@ -118,7 +162,7 @@ static void process_attribute(private_ike_config_t *this,
 				/* skip prefix byte in IPv6 payload*/
 				if (family == AF_INET6)
 				{
-					addr.len--; 
+					addr.len--;
 				}
 				ip = host_create_from_chunk(family, addr, 0);
 			}
@@ -130,15 +174,12 @@ static void process_attribute(private_ike_config_t *this,
 			break;
 		}
 		default:
+		{
 			if (this->initiator)
 			{
-				this->ike_sa->add_configuration_attribute(this->ike_sa,
-										ca->get_type(ca), ca->get_value(ca));
-			}
-			else
-			{
-				/* we do not handle attribute requests other than for VIPs */
+				handle_attribute(this, ca);
 			}
+		}
 	}
 }
 
@@ -147,10 +188,9 @@ static void process_attribute(private_ike_config_t *this,
  */
 static void process_payloads(private_ike_config_t *this, message_t *message)
 {
-	enumerator_t *enumerator;
-	iterator_t *attributes;
+	enumerator_t *enumerator, *attributes;
 	payload_t *payload;
-	
+
 	enumerator = message->create_payload_enumerator(message);
 	while (enumerator->enumerate(enumerator, &payload))
 	{
@@ -158,22 +198,25 @@ static void process_payloads(private_ike_config_t *this, message_t *message)
 		{
 			cp_payload_t *cp = (cp_payload_t*)payload;
 			configuration_attribute_t *ca;
-			switch (cp->get_config_type(cp))
+
+			switch (cp->get_type(cp))
 			{
 				case CFG_REQUEST:
 				case CFG_REPLY:
 				{
-					attributes = cp->create_attribute_iterator(cp);
-					while (attributes->iterate(attributes, (void**)&ca))
+					attributes = cp->create_attribute_enumerator(cp);
+					while (attributes->enumerate(attributes, &ca))
 					{
+						DBG2(DBG_IKE, "processing %N attribute",
+							 configuration_attribute_type_names, ca->get_type(ca));
 						process_attribute(this, ca);
 					}
 					attributes->destroy(attributes);
 					break;
 				}
 				default:
-					DBG1(DBG_IKE, "ignoring %N config payload", 
-						 config_type_names, cp->get_config_type(cp));
+					DBG1(DBG_IKE, "ignoring %N config payload",
+						 config_type_names, cp->get_type(cp));
 					break;
 			}
 		}
@@ -188,9 +231,14 @@ static status_t build_i(private_ike_config_t *this, message_t *message)
 {
 	if (message->get_message_id(message) == 1)
 	{	/* in first IKE_AUTH only */
+		cp_payload_t *cp = NULL;
+		enumerator_t *enumerator;
+		attribute_handler_t *handler;
 		peer_cfg_t *config;
+		configuration_attribute_type_t type;
+		chunk_t data;
 		host_t *vip;
-		
+
 		/* reuse virtual IP if we already have one */
 		vip = this->ike_sa->get_virtual_ip(this->ike_sa, TRUE);
 		if (!vip)
@@ -199,26 +247,39 @@ static status_t build_i(private_ike_config_t *this, message_t *message)
 			vip = config->get_virtual_ip(config);
 		}
 		if (vip)
+		{
+			cp = cp_payload_create_type(CFG_REQUEST);
+			cp->add_attribute(cp, build_vip(vip));
+		}
+
+		enumerator = lib->attributes->create_initiator_enumerator(lib->attributes,
+								this->ike_sa->get_other_id(this->ike_sa), vip);
+		while (enumerator->enumerate(enumerator, &handler, &type, &data))
 		{
 			configuration_attribute_t *ca;
-			cp_payload_t *cp;
-			
-			cp = cp_payload_create();
-			cp->set_config_type(cp, CFG_REQUEST);
-			
-			build_vip(this, vip, cp);
-			
-			/* we currently always add a DNS request if we request an IP */
-			ca = configuration_attribute_create();
-			if (vip->get_family(vip) == AF_INET)
-			{
-				ca->set_type(ca, INTERNAL_IP4_DNS);
-			}
-			else
+			entry_t *entry;
+
+			/* create configuration attribute */
+			DBG2(DBG_IKE, "building %N attribute",
+				 configuration_attribute_type_names, type);
+			ca = configuration_attribute_create_value(type, data);
+			if (!cp)
 			{
-				ca->set_type(ca, INTERNAL_IP6_DNS);
+				cp = cp_payload_create_type(CFG_REQUEST);
 			}
-			cp->add_configuration_attribute(cp, ca);
+			cp->add_attribute(cp, ca);
+
+			/* save handler along with requested type */
+			entry = malloc_thing(entry_t);
+			entry->type = type;
+			entry->handler = handler;
+
+			this->requested->insert_last(this->requested, entry);
+		}
+		enumerator->destroy(enumerator);
+
+		if (cp)
+		{
 			message->add_payload(message, (payload_t*)cp);
 		}
 	}
@@ -237,6 +298,38 @@ static status_t process_r(private_ike_config_t *this, message_t *message)
 	return NEED_MORE;
 }
 
+/**
+ * Find a peer (EAP) identity to query provider for attributes
+ */
+static identification_t *get_peer_identity(private_ike_config_t *this)
+{
+	identification_t *id = NULL, *current;
+	enumerator_t *enumerator;
+	auth_cfg_t *cfg;
+
+	enumerator = this->ike_sa->create_auth_cfg_enumerator(this->ike_sa, FALSE);
+	while (enumerator->enumerate(enumerator, &cfg))
+	{
+		/* prefer EAP-Identity of last round */
+		current = cfg->get(cfg, AUTH_RULE_EAP_IDENTITY);
+		if (!current || current->get_type(current) == ID_ANY)
+		{
+			current = cfg->get(cfg, AUTH_RULE_IDENTITY);
+		}
+		if (current && current->get_type(current) != ID_ANY)
+		{
+			id = current;
+			continue;
+		}
+	}
+	enumerator->destroy(enumerator);
+	if (!id)
+	{	/* fallback, should not happen */
+		id = this->ike_sa->get_other_id(this->ike_sa);
+	}
+	return id;
+}
+
 /**
  * Implementation of task_t.build for responder
  */
@@ -244,24 +337,24 @@ static status_t build_r(private_ike_config_t *this, message_t *message)
 {
 	if (this->ike_sa->get_state(this->ike_sa) == IKE_ESTABLISHED)
 	{	/* in last IKE_AUTH exchange */
-		peer_cfg_t *config = this->ike_sa->get_peer_cfg(this->ike_sa);
-		
+		enumerator_t *enumerator;
+		configuration_attribute_type_t type;
+		chunk_t value;
+		host_t *vip = NULL;
+		cp_payload_t *cp = NULL;
+		peer_cfg_t *config;
+		identification_t *id;
+
+		id = get_peer_identity(this);
+
+		config = this->ike_sa->get_peer_cfg(this->ike_sa);
 		if (config && this->virtual_ip)
 		{
-			enumerator_t *enumerator;
-			configuration_attribute_type_t type;
-			configuration_attribute_t *ca;
-			chunk_t value;
-			cp_payload_t *cp;
-			host_t *vip = NULL;
-			
 			DBG1(DBG_IKE, "peer requested virtual IP %H", this->virtual_ip);
 			if (config->get_pool(config))
 			{
-				vip = charon->attributes->acquire_address(charon->attributes, 
-									config->get_pool(config),
-									this->ike_sa->get_other_id(this->ike_sa),
-									this->virtual_ip);
+				vip = lib->attributes->acquire_address(lib->attributes,
+							config->get_pool(config), id, this->virtual_ip);
 			}
 			if (vip == NULL)
 			{
@@ -273,27 +366,32 @@ static status_t build_r(private_ike_config_t *this, message_t *message)
 			}
 			DBG1(DBG_IKE, "assigning virtual IP %H to peer", vip);
 			this->ike_sa->set_virtual_ip(this->ike_sa, FALSE, vip);
-			
-			cp = cp_payload_create();
-			cp->set_config_type(cp, CFG_REPLY);
-			
-			build_vip(this, vip, cp);
-			vip->destroy(vip);
-			
-			/* if we add an IP, we also look for other attributes */
-			enumerator = charon->attributes->create_attribute_enumerator(
-				charon->attributes, this->ike_sa->get_other_id(this->ike_sa));
-			while (enumerator->enumerate(enumerator, &type, &value))
+
+			cp = cp_payload_create_type(CFG_REPLY);
+			cp->add_attribute(cp, build_vip(vip));
+		}
+
+		/* query registered providers for additional attributes to include */
+		enumerator = lib->attributes->create_responder_enumerator(
+													lib->attributes, id, vip);
+		while (enumerator->enumerate(enumerator, &type, &value))
+		{
+			if (!cp)
 			{
-				ca = configuration_attribute_create();
-				ca->set_type(ca, type);
-				ca->set_value(ca, value);
-				cp->add_configuration_attribute(cp, ca);
+				cp = cp_payload_create_type(CFG_REPLY);
 			}
-			enumerator->destroy(enumerator);
-			
+			DBG2(DBG_IKE, "building %N attribute",
+				 configuration_attribute_type_names, type);
+			cp->add_attribute(cp,
+						configuration_attribute_create_value(type, value));
+		}
+		enumerator->destroy(enumerator);
+
+		if (cp)
+		{
 			message->add_payload(message, (payload_t*)cp);
 		}
+		DESTROY_IF(vip);
 		return SUCCESS;
 	}
 	return NEED_MORE;
@@ -306,9 +404,9 @@ static status_t process_i(private_ike_config_t *this, message_t *message)
 {
 	if (this->ike_sa->get_state(this->ike_sa) == IKE_ESTABLISHED)
 	{	/* in last IKE_AUTH exchange */
-		
+
 		process_payloads(this, message);
-		
+
 		if (this->virtual_ip)
 		{
 			this->ike_sa->set_virtual_ip(this->ike_sa, TRUE, this->virtual_ip);
@@ -332,9 +430,11 @@ static task_type_t get_type(private_ike_config_t *this)
 static void migrate(private_ike_config_t *this, ike_sa_t *ike_sa)
 {
 	DESTROY_IF(this->virtual_ip);
-	
+
 	this->ike_sa = ike_sa;
 	this->virtual_ip = NULL;
+	this->requested->destroy_function(this->requested, free);
+	this->requested = linked_list_create();
 }
 
 /**
@@ -343,6 +443,7 @@ static void migrate(private_ike_config_t *this, ike_sa_t *ike_sa)
 static void destroy(private_ike_config_t *this)
 {
 	DESTROY_IF(this->virtual_ip);
+	this->requested->destroy_function(this->requested, free);
 	free(this);
 }
 
@@ -352,15 +453,16 @@ static void destroy(private_ike_config_t *this)
 ike_config_t *ike_config_create(ike_sa_t *ike_sa, bool initiator)
 {
 	private_ike_config_t *this = malloc_thing(private_ike_config_t);
-	
+
 	this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
 	this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
 	this->public.task.destroy = (void(*)(task_t*))destroy;
-	
+
 	this->initiator = initiator;
 	this->ike_sa = ike_sa;
 	this->virtual_ip = NULL;
-	
+	this->requested = linked_list_create();
+
 	if (initiator)
 	{
 		this->public.task.build = (status_t(*)(task_t*,message_t*))build_i;
@@ -371,7 +473,7 @@ ike_config_t *ike_config_create(ike_sa_t *ike_sa, bool initiator)
 		this->public.task.build = (status_t(*)(task_t*,message_t*))build_r;
 		this->public.task.process = (status_t(*)(task_t*,message_t*))process_r;
 	}
-	
+
 	return &this->public;
 }
 
diff --git a/src/charon/sa/tasks/ike_config.h b/src/charon/sa/tasks/ike_config.h
index 32635e85e..8cef08697 100644
--- a/src/charon/sa/tasks/ike_config.h
+++ b/src/charon/sa/tasks/ike_config.h
@@ -44,7 +44,7 @@ struct ike_config_t {
  *
  * @param ike_sa		IKE_SA this task works for
  * @param initiator		TRUE for initiator
- * @return			  	ike_config task to handle by the task_manager
+ * @return				ike_config task to handle by the task_manager
  */
 ike_config_t *ike_config_create(ike_sa_t *ike_sa, bool initiator);
 
diff --git a/src/charon/sa/tasks/ike_delete.c b/src/charon/sa/tasks/ike_delete.c
index cde117934..130948836 100644
--- a/src/charon/sa/tasks/ike_delete.c
+++ b/src/charon/sa/tasks/ike_delete.c
@@ -25,27 +25,27 @@ typedef struct private_ike_delete_t private_ike_delete_t;
  * Private members of a ike_delete_t task.
  */
 struct private_ike_delete_t {
-	
+
 	/**
 	 * Public methods and task_t interface.
 	 */
 	ike_delete_t public;
-	
+
 	/**
 	 * Assigned IKE_SA.
 	 */
 	ike_sa_t *ike_sa;
-	
+
 	/**
 	 * Are we the initiator?
 	 */
 	bool initiator;
-	
+
 	/**
 	 * are we deleting a rekeyed SA?
 	 */
 	bool rekeyed;
-	
+
 	/**
 	 * are we responding to a delete, but have initated our own?
 	 */
@@ -69,7 +69,7 @@ static status_t build_i(private_ike_delete_t *this, message_t *message)
 
 	delete_payload = delete_payload_create(PROTO_IKE);
 	message->add_payload(message, (payload_t*)delete_payload);
-	
+
 	if (this->ike_sa->get_state(this->ike_sa) == IKE_REKEYING)
 	{
 		this->rekeyed = TRUE;
@@ -189,7 +189,7 @@ ike_delete_t *ike_delete_create(ike_sa_t *ike_sa, bool initiator)
 	this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
 	this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
 	this->public.task.destroy = (void(*)(task_t*))destroy;
-	
+
 	if (initiator)
 	{
 		this->public.task.build = (status_t(*)(task_t*,message_t*))build_i;
@@ -200,11 +200,11 @@ ike_delete_t *ike_delete_create(ike_sa_t *ike_sa, bool initiator)
 		this->public.task.build = (status_t(*)(task_t*,message_t*))build_r;
 		this->public.task.process = (status_t(*)(task_t*,message_t*))process_r;
 	}
-	
+
 	this->ike_sa = ike_sa;
 	this->initiator = initiator;
 	this->rekeyed = FALSE;
 	this->simultaneous = FALSE;
-	
+
 	return &this->public;
 }
diff --git a/src/charon/sa/tasks/ike_dpd.c b/src/charon/sa/tasks/ike_dpd.c
index 3aa714049..4c6ba7662 100644
--- a/src/charon/sa/tasks/ike_dpd.c
+++ b/src/charon/sa/tasks/ike_dpd.c
@@ -24,7 +24,7 @@ typedef struct private_ike_dpd_t private_ike_dpd_t;
  * Private members of a ike_dpd_t task.
  */
 struct private_ike_dpd_t {
-	
+
 	/**
 	 * Public methods and task_t interface.
 	 */
@@ -83,7 +83,7 @@ ike_dpd_t *ike_dpd_create(bool initiator)
 	this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
 	this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
 	this->public.task.destroy = (void(*)(task_t*))destroy;
-	
+
 	if (initiator)
 	{
 		this->public.task.build = (status_t(*)(task_t*,message_t*))return_need_more;
@@ -94,6 +94,6 @@ ike_dpd_t *ike_dpd_create(bool initiator)
 		this->public.task.build = (status_t(*)(task_t*,message_t*))return_success;
 		this->public.task.process = (status_t(*)(task_t*,message_t*))return_need_more;
 	}
-	
+
 	return &this->public;
 }
diff --git a/src/charon/sa/tasks/ike_init.c b/src/charon/sa/tasks/ike_init.c
index 2705f5886..5eb33b540 100644
--- a/src/charon/sa/tasks/ike_init.c
+++ b/src/charon/sa/tasks/ike_init.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2008-2009 Tobias Brunner
  * Copyright (C) 2005-2008 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
@@ -24,7 +24,6 @@
 #include <encoding/payloads/sa_payload.h>
 #include <encoding/payloads/ke_payload.h>
 #include <encoding/payloads/nonce_payload.h>
-#include <encoding/payloads/vendor_id_payload.h>
 
 /** maximum retries to do with cookies/other dh groups */
 #define MAX_RETRIES 5
@@ -35,67 +34,67 @@ typedef struct private_ike_init_t private_ike_init_t;
  * Private members of a ike_init_t task.
  */
 struct private_ike_init_t {
-	
+
 	/**
 	 * Public methods and task_t interface.
 	 */
 	ike_init_t public;
-	
+
 	/**
 	 * Assigned IKE_SA.
 	 */
 	ike_sa_t *ike_sa;
-	
+
 	/**
 	 * Are we the initiator?
 	 */
 	bool initiator;
-	
+
 	/**
 	 * IKE config to establish
 	 */
 	ike_cfg_t *config;
-	
+
 	/**
 	 * diffie hellman group to use
 	 */
 	diffie_hellman_group_t dh_group;
-	
+
 	/**
 	 * diffie hellman key exchange
 	 */
 	diffie_hellman_t *dh;
-	
+
 	/**
 	 * Keymat derivation (from IKE_SA)
 	 */
 	keymat_t *keymat;
-	
+
 	/**
 	 * nonce chosen by us
 	 */
 	chunk_t my_nonce;
-	
+
 	/**
 	 * nonce chosen by peer
 	 */
 	chunk_t other_nonce;
-	
+
 	/**
 	 * Negotiated proposal used for IKE_SA
 	 */
 	proposal_t *proposal;
-	
+
 	/**
 	 * Old IKE_SA which gets rekeyed
 	 */
 	ike_sa_t *old_sa;
-	
+
 	/**
 	 * cookie received from responder
 	 */
 	chunk_t cookie;
-	
+
 	/**
 	 * retries done so far after failure (cookie or bad dh group)
 	 */
@@ -114,16 +113,16 @@ static void build_payloads(private_ike_init_t *this, message_t *message)
 	ike_sa_id_t *id;
 	proposal_t *proposal;
 	iterator_t *iterator;
-	
+
 	id = this->ike_sa->get_id(this->ike_sa);
-	
+
 	this->config = this->ike_sa->get_ike_cfg(this->ike_sa);
 
 	if (this->initiator)
 	{
 		proposal_list = this->config->get_proposals(this->config);
 		if (this->old_sa)
-		{	
+		{
 			/* include SPI of new IKE_SA when we are rekeying */
 			iterator = proposal_list->create_iterator(proposal_list, TRUE);
 			while (iterator->iterate(iterator, (void**)&proposal))
@@ -132,7 +131,7 @@ static void build_payloads(private_ike_init_t *this, message_t *message)
 			}
 			iterator->destroy(iterator);
 		}
-		
+
 		sa_payload = sa_payload_create_from_proposal_list(proposal_list);
 		proposal_list->destroy_offset(proposal_list, offsetof(proposal_t, destroy));
 	}
@@ -146,11 +145,11 @@ static void build_payloads(private_ike_init_t *this, message_t *message)
 		sa_payload = sa_payload_create_from_proposal(this->proposal);
 	}
 	message->add_payload(message, (payload_t*)sa_payload);
-	
+
 	nonce_payload = nonce_payload_create();
 	nonce_payload->set_nonce(nonce_payload, this->my_nonce);
 	ke_payload = ke_payload_create_from_diffie_hellman(this->dh);
-	
+
 	if (this->old_sa)
 	{	/* payload order differs if we are rekeying */
 		message->add_payload(message, (payload_t*)nonce_payload);
@@ -170,7 +169,7 @@ static void process_payloads(private_ike_init_t *this, message_t *message)
 {
 	enumerator_t *enumerator;
 	payload_t *payload;
-	
+
 	enumerator = message->create_payload_enumerator(message);
 	while (enumerator->enumerate(enumerator, &payload))
 	{
@@ -180,18 +179,21 @@ static void process_payloads(private_ike_init_t *this, message_t *message)
 			{
 				sa_payload_t *sa_payload = (sa_payload_t*)payload;
 				linked_list_t *proposal_list;
-				
+				bool private;
+
 				proposal_list = sa_payload->get_proposals(sa_payload);
+				private = this->ike_sa->supports_extension(this->ike_sa,
+														   EXT_STRONGSWAN);
 				this->proposal = this->config->select_proposal(this->config,
-															   proposal_list);
-				proposal_list->destroy_offset(proposal_list, 
+														proposal_list, private);
+				proposal_list->destroy_offset(proposal_list,
 											  offsetof(proposal_t, destroy));
 				break;
 			}
 			case KEY_EXCHANGE:
 			{
 				ke_payload_t *ke_payload = (ke_payload_t*)payload;
-				
+
 				this->dh_group = ke_payload->get_dh_group_number(ke_payload);
 				if (!this->initiator)
 				{
@@ -212,13 +214,6 @@ static void process_payloads(private_ike_init_t *this, message_t *message)
 				this->other_nonce = nonce_payload->get_nonce(nonce_payload);
 				break;
 			}
-			case VENDOR_ID:
-			{
-				vendor_id_payload_t *vendor_id = (vendor_id_payload_t*)payload;
-				chunk_t vid = vendor_id->get_data(vendor_id);
-
-				DBG1(DBG_ENC, "received vendor id: %#B", &vid);					
-			}
 			default:
 				break;
 		}
@@ -232,20 +227,20 @@ static void process_payloads(private_ike_init_t *this, message_t *message)
 static status_t build_i(private_ike_init_t *this, message_t *message)
 {
 	rng_t *rng;
-	
+
 	this->config = this->ike_sa->get_ike_cfg(this->ike_sa);
 	DBG0(DBG_IKE, "initiating IKE_SA %s[%d] to %H",
 		 this->ike_sa->get_name(this->ike_sa),
 		 this->ike_sa->get_unique_id(this->ike_sa),
 		 this->ike_sa->get_other_host(this->ike_sa));
 	this->ike_sa->set_state(this->ike_sa, IKE_CONNECTING);
-	
-	if (this->retry++ >= MAX_RETRIES)
+
+	if (this->retry >= MAX_RETRIES)
 	{
 		DBG1(DBG_IKE, "giving up after %d retries", MAX_RETRIES);
 		return FAILED;
 	}
-	
+
 	/* if the DH group is set via use_dh_group(), we already have a DH object */
 	if (!this->dh)
 	{
@@ -258,7 +253,7 @@ static status_t build_i(private_ike_init_t *this, message_t *message)
 			return FAILED;
 		}
 	}
-	
+
 	/* generate nonce only when we are trying the first time */
 	if (this->my_nonce.ptr == NULL)
 	{
@@ -271,12 +266,12 @@ static status_t build_i(private_ike_init_t *this, message_t *message)
 		rng->allocate_bytes(rng, NONCE_SIZE, &this->my_nonce);
 		rng->destroy(rng);
 	}
-	
+
 	if (this->cookie.ptr)
 	{
 		message->add_notify(message, FALSE, COOKIE, this->cookie);
 	}
-	
+
 	build_payloads(this, message);
 
 #ifdef ME
@@ -288,7 +283,7 @@ static status_t build_i(private_ike_init_t *this, message_t *message)
 		}
 	}
 #endif /* ME */
-	
+
 	return NEED_MORE;
 }
 
@@ -296,9 +291,9 @@ static status_t build_i(private_ike_init_t *this, message_t *message)
  * Implementation of task_t.process for responder
  */
 static status_t process_r(private_ike_init_t *this, message_t *message)
-{	
+{
 	rng_t *rng;
-	
+
 	this->config = this->ike_sa->get_ike_cfg(this->ike_sa);
 	DBG0(DBG_IKE, "%H is initiating an IKE_SA", message->get_source(message));
 	this->ike_sa->set_state(this->ike_sa, IKE_CONNECTING);
@@ -311,59 +306,22 @@ static status_t process_r(private_ike_init_t *this, message_t *message)
 	}
 	rng->allocate_bytes(rng, NONCE_SIZE, &this->my_nonce);
 	rng->destroy(rng);
-	
+
 #ifdef ME
 	{
-		chunk_t connect_id = chunk_empty;
-		enumerator_t *enumerator;
-		payload_t *payload;
-		
-		/* check for a ME_CONNECTID notify */
-		enumerator = message->create_payload_enumerator(message);
-		while (enumerator->enumerate(enumerator, &payload))
-		{
-			if (payload->get_type(payload) == NOTIFY)
-			{
-				notify_payload_t *notify = (notify_payload_t*)payload;
-				notify_type_t type = notify->get_notify_type(notify);
-			
-				switch (type)
-				{
-					case ME_CONNECTID:
-					{
-						chunk_free(&connect_id);
-						connect_id = chunk_clone(notify->get_notification_data(notify));
-						DBG2(DBG_IKE, "received ME_CONNECTID %#B", &connect_id);
-						break;
-					}
-					default:
-					{
-						if (type < 16383)
-						{
-							DBG1(DBG_IKE, "received %N notify error",
-								notify_type_names, type);
-							break;	
-						}
-						DBG2(DBG_IKE, "received %N notify",
-							notify_type_names, type);
-						break;
-					}
-				}
-			}
-		}
-		enumerator->destroy(enumerator);
-		
-		if (connect_id.ptr)
+		notify_payload_t *notify = message->get_notify(message, ME_CONNECTID);
+		if (notify)
 		{
+			chunk_t connect_id = notify->get_notification_data(notify);
+			DBG2(DBG_IKE, "received ME_CONNECTID %#B", &connect_id);
 			charon->connect_manager->stop_checks(charon->connect_manager,
-				connect_id);
-			chunk_free(&connect_id);
+												 connect_id);
 		}
 	}
 #endif /* ME */
-	
+
 	process_payloads(this, message);
-	
+
 	return NEED_MORE;
 }
 
@@ -377,7 +335,7 @@ static bool derive_keys(private_ike_init_t *this,
 	pseudo_random_function_t prf_alg = PRF_UNDEFINED;
 	chunk_t skd = chunk_empty;
 	ike_sa_id_t *id;
-	
+
 	id = this->ike_sa->get_id(this->ike_sa);
 	if (this->old_sa)
 	{
@@ -417,12 +375,12 @@ static status_t build_r(private_ike_init_t *this, message_t *message)
 		return FAILED;
 	}
 	this->ike_sa->set_proposal(this->ike_sa, this->proposal);
-	
+
 	if (this->dh == NULL ||
 		!this->proposal->has_dh_group(this->proposal, this->dh_group))
 	{
 		u_int16_t group;
-		
+
 		if (this->proposal->get_algorithm(this->proposal, DIFFIE_HELLMAN_GROUP,
 										  &group, NULL))
 		{
@@ -440,7 +398,7 @@ static status_t build_r(private_ike_init_t *this, message_t *message)
 		}
 		return FAILED;
 	}
-	
+
 	if (!derive_keys(this, this->other_nonce, this->my_nonce))
 	{
 		DBG1(DBG_IKE, "key derivation failed");
@@ -458,7 +416,7 @@ static status_t process_i(private_ike_init_t *this, message_t *message)
 {
 	enumerator_t *enumerator;
 	payload_t *payload;
-	
+
 	/* check for erronous notifies */
 	enumerator = message->create_payload_enumerator(message);
 	while (enumerator->enumerate(enumerator, &payload))
@@ -467,27 +425,28 @@ static status_t process_i(private_ike_init_t *this, message_t *message)
 		{
 			notify_payload_t *notify = (notify_payload_t*)payload;
 			notify_type_t type = notify->get_notify_type(notify);
-			
+
 			switch (type)
 			{
 				case INVALID_KE_PAYLOAD:
 				{
 					chunk_t data;
 					diffie_hellman_group_t bad_group;
-					
+
 					bad_group = this->dh_group;
 					data = notify->get_notification_data(notify);
 					this->dh_group = ntohs(*((u_int16_t*)data.ptr));
 					DBG1(DBG_IKE, "peer didn't accept DH group %N, "
 						 "it requested %N", diffie_hellman_group_names,
 						 bad_group, diffie_hellman_group_names, this->dh_group);
-						 
+
 					if (this->old_sa == NULL)
 					{	/* reset the IKE_SA if we are not rekeying */
 						this->ike_sa->reset(this->ike_sa);
 					}
-					
+
 					enumerator->destroy(enumerator);
+					this->retry++;
 					return NEED_MORE;
 				}
 				case NAT_DETECTION_SOURCE_IP:
@@ -504,6 +463,7 @@ static status_t process_i(private_ike_init_t *this, message_t *message)
 					this->ike_sa->reset(this->ike_sa);
 					enumerator->destroy(enumerator);
 					DBG2(DBG_IKE, "received %N notify", notify_type_names, type);
+					this->retry++;
 					return NEED_MORE;
 				}
 				default:
@@ -513,7 +473,7 @@ static status_t process_i(private_ike_init_t *this, message_t *message)
 						DBG1(DBG_IKE, "received %N notify error",
 							 notify_type_names, type);
 						enumerator->destroy(enumerator);
-						return FAILED;	
+						return FAILED;
 					}
 					DBG2(DBG_IKE, "received %N notify",
 						notify_type_names, type);
@@ -523,7 +483,7 @@ static status_t process_i(private_ike_init_t *this, message_t *message)
 		}
 	}
 	enumerator->destroy(enumerator);
-	
+
 	process_payloads(this, message);
 
 	/* check if we have everything */
@@ -534,14 +494,14 @@ static status_t process_i(private_ike_init_t *this, message_t *message)
 		return FAILED;
 	}
 	this->ike_sa->set_proposal(this->ike_sa, this->proposal);
-	
+
 	if (this->dh == NULL ||
 		!this->proposal->has_dh_group(this->proposal, this->dh_group))
 	{
 		DBG1(DBG_IKE, "peer DH group selection invalid");
 		return FAILED;
 	}
-	
+
 	if (!derive_keys(this, this->my_nonce, this->other_nonce))
 	{
 		DBG1(DBG_IKE, "key derivation failed");
@@ -581,7 +541,7 @@ static void migrate(private_ike_init_t *this, ike_sa_t *ike_sa)
 {
 	DESTROY_IF(this->proposal);
 	chunk_free(&this->other_nonce);
-	
+
 	this->ike_sa = ike_sa;
 	this->proposal = NULL;
 	DESTROY_IF(this->dh);
@@ -622,7 +582,7 @@ ike_init_t *ike_init_create(ike_sa_t *ike_sa, bool initiator, ike_sa_t *old_sa)
 		this->public.task.build = (status_t(*)(task_t*,message_t*))build_r;
 		this->public.task.process = (status_t(*)(task_t*,message_t*))process_r;
 	}
-	
+
 	this->ike_sa = ike_sa;
 	this->initiator = initiator;
 	this->dh_group = MODP_NONE;
@@ -635,6 +595,6 @@ ike_init_t *ike_init_create(ike_sa_t *ike_sa, bool initiator, ike_sa_t *old_sa)
 	this->config = NULL;
 	this->old_sa = old_sa;
 	this->retry = 0;
-	
+
 	return &this->public;
 }
diff --git a/src/charon/sa/tasks/ike_init.h b/src/charon/sa/tasks/ike_init.h
index 8d3810ef2..7bd784cff 100644
--- a/src/charon/sa/tasks/ike_init.h
+++ b/src/charon/sa/tasks/ike_init.h
@@ -38,7 +38,7 @@ struct ike_init_t {
 	 * Implements the task_t interface
 	 */
 	task_t task;
-	
+
 	/**
 	 * Get the lower of the two nonces, used for rekey collisions.
 	 *
diff --git a/src/charon/sa/tasks/ike_me.c b/src/charon/sa/tasks/ike_me.c
index d359aa339..2d2847ae0 100644
--- a/src/charon/sa/tasks/ike_me.c
+++ b/src/charon/sa/tasks/ike_me.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  */
- 
+
 #include "ike_me.h"
 
 #include <string.h>
@@ -33,71 +33,71 @@ typedef struct private_ike_me_t private_ike_me_t;
  * Private members of a ike_me_t task.
  */
 struct private_ike_me_t {
-	
+
 	/**
 	 * Public methods and task_t interface.
 	 */
 	ike_me_t public;
-	
+
 	/**
 	 * Assigned IKE_SA.
 	 */
 	ike_sa_t *ike_sa;
-	
+
 	/**
 	 * Are we the initiator?
 	 */
 	bool initiator;
-	
+
 	/**
 	 * Is this a mediation connection?
 	 */
 	bool mediation;
-	
+
 	/**
 	 * Is this the response from another peer?
 	 */
 	bool response;
-	
+
 	/**
 	 * Gathered endpoints
 	 */
 	linked_list_t *local_endpoints;
-	
+
 	/**
 	 * Parsed endpoints
 	 */
 	linked_list_t *remote_endpoints;
-	
+
 	/**
 	 * Did the peer request a callback?
 	 */
 	bool callback;
-	
+
 	/**
 	 * Did the connect fail?
 	 */
 	bool failed;
-	
+
 	/**
 	 * Was there anything wrong with the payloads?
 	 */
 	bool invalid_syntax;
-	
+
 	/**
 	 * The requested peer
 	 */
-	identification_t *peer_id;	
+	identification_t *peer_id;
 	/**
 	 * Received ID used for connectivity checks
 	 */
 	chunk_t connect_id;
-	
+
 	/**
 	 * Received key used for connectivity checks
 	 */
 	chunk_t connect_key;
-	
+
 	/**
 	 * Peer config of the mediated connection
 	 */
@@ -112,7 +112,7 @@ static void add_endpoints_to_message(message_t *message, linked_list_t *endpoint
 {
 	iterator_t *iterator;
 	endpoint_notify_t *endpoint;
-	
+
 	iterator = endpoints->create_iterator(endpoints, TRUE);
 	while (iterator->iterate(iterator, (void**)&endpoint))
 	{
@@ -129,25 +129,25 @@ static void gather_and_add_endpoints(private_ike_me_t *this, message_t *message)
 	enumerator_t *enumerator;
 	host_t *addr, *host;
 	u_int16_t port;
-	
+
 	/* get the port that is used to communicate with the ms */
 	host = this->ike_sa->get_my_host(this->ike_sa);
 	port = host->get_port(host);
-	
+
 	enumerator = charon->kernel_interface->create_address_enumerator(
 										charon->kernel_interface, FALSE, FALSE);
 	while (enumerator->enumerate(enumerator, (void**)&addr))
 	{
 		host = addr->clone(addr);
 		host->set_port(host, port);
-		
+
 		this->local_endpoints->insert_last(this->local_endpoints,
 				endpoint_notify_create_from_host(HOST, host, NULL));
-		
+
 		host->destroy(host);
 	}
 	enumerator->destroy(enumerator);
-	
+
 	host = this->ike_sa->get_server_reflexive_host(this->ike_sa);
 	if (host)
 	{
@@ -155,7 +155,7 @@ static void gather_and_add_endpoints(private_ike_me_t *this, message_t *message)
 				endpoint_notify_create_from_host(SERVER_REFLEXIVE, host,
 						this->ike_sa->get_my_host(this->ike_sa)));
 	}
-	
+
 	add_endpoints_to_message(message, this->local_endpoints);
 }
 
@@ -166,7 +166,7 @@ static void process_payloads(private_ike_me_t *this, message_t *message)
 {
 	enumerator_t *enumerator;
 	payload_t *payload;
-	
+
 	enumerator = message->create_payload_enumerator(message);
 	while (enumerator->enumerate(enumerator, &payload))
 	{
@@ -174,9 +174,9 @@ static void process_payloads(private_ike_me_t *this, message_t *message)
 		{
 			continue;
 		}
-		
+
 		notify_payload_t *notify = (notify_payload_t*)payload;
-		
+
 		switch (notify->get_notify_type(notify))
 		{
 			case ME_CONNECT_FAILED:
@@ -193,16 +193,19 @@ static void process_payloads(private_ike_me_t *this, message_t *message)
 			}
 			case ME_ENDPOINT:
 			{
-				endpoint_notify_t *endpoint = endpoint_notify_create_from_payload(notify);
+				endpoint_notify_t *endpoint;
+				endpoint = endpoint_notify_create_from_payload(notify);
 				if (!endpoint)
 				{
 					DBG1(DBG_IKE, "received invalid ME_ENDPOINT notify");
 					break;
 				}
-				DBG1(DBG_IKE, "received %N ME_ENDPOINT %#H", me_endpoint_type_names,
-					endpoint->get_type(endpoint), endpoint->get_host(endpoint));
-				
-				this->remote_endpoints->insert_last(this->remote_endpoints, endpoint);
+				DBG1(DBG_IKE, "received %N ME_ENDPOINT %#H",
+					 me_endpoint_type_names, endpoint->get_type(endpoint),
+					 endpoint->get_host(endpoint));
+
+				this->remote_endpoints->insert_last(this->remote_endpoints,
+													endpoint);
 				break;
 			}
 			case ME_CALLBACK:
@@ -263,7 +266,9 @@ static status_t build_i(private_ike_me_t *this, message_t *message)
 		{
 			if (this->ike_sa->has_condition(this->ike_sa, COND_NAT_HERE))
 			{
-				endpoint_notify_t *endpoint = endpoint_notify_create_from_host(SERVER_REFLEXIVE, NULL, NULL);
+				endpoint_notify_t *endpoint;
+				endpoint = endpoint_notify_create_from_host(SERVER_REFLEXIVE,
+															NULL, NULL);
 				message->add_payload(message, (payload_t*)endpoint->build_notify(endpoint));
 				endpoint->destroy(endpoint);
 			}
@@ -271,42 +276,42 @@ static status_t build_i(private_ike_me_t *this, message_t *message)
 		}
 		case ME_CONNECT:
 		{
-			id_payload_t *id_payload;
 			rng_t *rng;
-			
-			id_payload = id_payload_create_from_identification(ID_PEER, this->peer_id);
+			id_payload_t *id_payload;
+			id_payload = id_payload_create_from_identification(ID_PEER,
+															   this->peer_id);
 			message->add_payload(message, (payload_t*)id_payload);
-			
+
 			rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
 			if (!rng)
 			{
-				DBG1(DBG_IKE, "unable to generate connect ID for ME_CONNECT");	
+				DBG1(DBG_IKE, "unable to generate connect ID for ME_CONNECT");
 				return FAILED;
 			}
 			if (!this->response)
 			{
-				/* only the initiator creates a connect ID. the responder returns
-				 * the connect ID that it received from the initiator */
+				/* only the initiator creates a connect ID. the responder
+				 * returns the connect ID that it received from the initiator */
 				rng->allocate_bytes(rng, ME_CONNECTID_LEN, &this->connect_id);
 			}
 			rng->allocate_bytes(rng, ME_CONNECTKEY_LEN, &this->connect_key);
 			rng->destroy(rng);
-			
+
 			message->add_notify(message, FALSE, ME_CONNECTID, this->connect_id);
 			message->add_notify(message, FALSE, ME_CONNECTKEY, this->connect_key);
-			
+
 			if (this->response)
 			{
 				message->add_notify(message, FALSE, ME_RESPONSE, chunk_empty);
 			}
 			else
 			{
-				/* FIXME: should we make that configurable? */
+				/* FIXME: should we make this configurable? */
 				message->add_notify(message, FALSE, ME_CALLBACK, chunk_empty);
 			}
-			
+
 			gather_and_add_endpoints(this, message);
-			
+
 			break;
 		}
 		default:
@@ -328,40 +333,44 @@ static status_t process_r(private_ike_me_t *this, message_t *message)
 			id_payload = (id_payload_t*)message->get_payload(message, ID_PEER);
 			if (!id_payload)
 			{
-				DBG1(DBG_IKE, "received ME_CONNECT without ID_PEER payload, aborting");
+				DBG1(DBG_IKE, "received ME_CONNECT without ID_PEER payload"
+					 ", aborting");
 				break;
 			}
 			this->peer_id = id_payload->get_identification(id_payload);
-			
+
 			process_payloads(this, message);
-			
+
 			if (this->callback)
 			{
 				DBG1(DBG_IKE, "received ME_CALLBACK for '%Y'", this->peer_id);
 				break;
-			}			
-			
+			}
+
 			if (!this->connect_id.ptr)
 			{
-				DBG1(DBG_IKE, "received ME_CONNECT without ME_CONNECTID notify, aborting");
+				DBG1(DBG_IKE, "received ME_CONNECT without ME_CONNECTID notify"
+					 ", aborting");
 				this->invalid_syntax = TRUE;
 				break;
 			}
-			
+
 			if (!this->connect_key.ptr)
 			{
-				DBG1(DBG_IKE, "received ME_CONNECT without ME_CONNECTKEY notify, aborting");
+				DBG1(DBG_IKE, "received ME_CONNECT without ME_CONNECTKEY "
+					 "notify, aborting");
 				this->invalid_syntax = TRUE;
 				break;
 			}
-			
+
 			if (!this->remote_endpoints->get_count(this->remote_endpoints))
 			{
-				DBG1(DBG_IKE, "received ME_CONNECT without any ME_ENDPOINT payloads, aborting");
+				DBG1(DBG_IKE, "received ME_CONNECT without any ME_ENDPOINT "
+					 "payloads, aborting");
 				this->invalid_syntax = TRUE;
 				break;
 			}
-			
+
 			DBG1(DBG_IKE, "received ME_CONNECT");
 			break;
 		}
@@ -385,33 +394,39 @@ static status_t build_r(private_ike_me_t *this, message_t *message)
 				message->add_notify(message, TRUE, INVALID_SYNTAX, chunk_empty);
 				break;
 			}
-			
+
 			if (this->callback)
 			{
-				charon->connect_manager->check_and_initiate(charon->connect_manager,
+				/* we got a callback from the mediation server, initiate the
+				 * queued mediated connecction */
+				charon->connect_manager->check_and_initiate(
+						charon->connect_manager,
 						this->ike_sa->get_id(this->ike_sa),
 						this->ike_sa->get_my_id(this->ike_sa), this->peer_id);
 				return SUCCESS;
 			}
-			
+
 			if (this->response)
 			{
 				/* FIXME: handle result of set_responder_data
 				 * as initiator, upon receiving a response from another peer,
 				 * update the checklist and start sending checks */
-				charon->connect_manager->set_responder_data(charon->connect_manager,
-						this->connect_id, this->connect_key, this->remote_endpoints);
+				charon->connect_manager->set_responder_data(
+						charon->connect_manager,
+						this->connect_id, this->connect_key,
+						this->remote_endpoints);
 			}
 			else
 			{
 				/* FIXME: handle result of set_initiator_data
 				 * as responder, create a checklist with the initiator's data */
-				charon->connect_manager->set_initiator_data(charon->connect_manager,
+				charon->connect_manager->set_initiator_data(
+						charon->connect_manager,
 						this->peer_id, this->ike_sa->get_my_id(this->ike_sa),
-						this->connect_id, this->connect_key, this->remote_endpoints,
-						FALSE);
+						this->connect_id, this->connect_key,
+						this->remote_endpoints, FALSE);
 				if (this->ike_sa->respond(this->ike_sa, this->peer_id,
-						this->connect_id) != SUCCESS)
+										  this->connect_id) != SUCCESS)
 				{
 					return FAILED;
 				}
@@ -434,13 +449,11 @@ static status_t process_i(private_ike_me_t *this, message_t *message)
 		case IKE_SA_INIT:
 		{
 			process_payloads(this, message);
-		
 			if (!this->mediation)
 			{
 				DBG1(DBG_IKE, "server did not return a ME_MEDIATION, aborting");
 				return FAILED;
 			}
-	
 			return NEED_MORE;
 		}
 		case IKE_AUTH:
@@ -449,24 +462,21 @@ static status_t process_i(private_ike_me_t *this, message_t *message)
 			/* FIXME: we should update the server reflexive endpoint somehow,
 			 * if mobike notices a change */
 			endpoint_notify_t *reflexive;
-			if (this->remote_endpoints->get_first(this->remote_endpoints, 
+			if (this->remote_endpoints->get_first(this->remote_endpoints,
 											(void**)&reflexive) == SUCCESS &&
 				reflexive->get_type(reflexive) == SERVER_REFLEXIVE)
-			{	/* FIXME: should we accept this endpoint even if we did not send 
+			{	/* FIXME: should we accept this endpoint even if we did not send
 				 * a request? */
 				host_t *endpoint = reflexive->get_host(reflexive);
-				
-				this->ike_sa->set_server_reflexive_host(this->ike_sa, endpoint->clone(endpoint));
+				endpoint = endpoint->clone(endpoint);
+				this->ike_sa->set_server_reflexive_host(this->ike_sa, endpoint);
 			}
-			/* FIXME: what if it failed? e.g. AUTH failure */
-			DBG1(DBG_IKE, "established mediation connection successfully");
-			
 			break;
 		}
 		case ME_CONNECT:
 		{
 			process_payloads(this, message);
-			
+
 			if (this->failed)
 			{
 				DBG1(DBG_IKE, "peer '%Y' is not online", this->peer_id);
@@ -476,21 +486,25 @@ static status_t process_i(private_ike_me_t *this, message_t *message)
 			{
 				if (this->response)
 				{
-					/* FIXME: handle result of set_responder_data.
-					 * as responder, we update the checklist and start sending checks */
-					charon->connect_manager->set_responder_data(charon->connect_manager,
-							this->connect_id, this->connect_key, this->local_endpoints);
+					/* FIXME: handle result of set_responder_data. */
+					/* as responder, we update the checklist and start sending
+					 * checks */
+					charon->connect_manager->set_responder_data(
+							charon->connect_manager, this->connect_id,
+							this->connect_key, this->local_endpoints);
 				}
 				else
 				{
-					/* FIXME: handle result of set_initiator_data
-					 * as initiator, we create a checklist and set the initiator's data */
-					charon->connect_manager->set_initiator_data(charon->connect_manager,
-						this->ike_sa->get_my_id(this->ike_sa), this->peer_id,
-						this->connect_id, this->connect_key, this->local_endpoints,
-						TRUE);
-					/* FIXME: also start a timer for the whole transaction (maybe
-					 * within the connect_manager?) */
+					/* FIXME: handle result of set_initiator_data */
+					/* as initiator, we create a checklist and set the
+					 * initiator's data */
+					charon->connect_manager->set_initiator_data(
+							charon->connect_manager,
+							this->ike_sa->get_my_id(this->ike_sa),
+							this->peer_id, this->connect_id, this->connect_key,
+							this->local_endpoints, TRUE);
+					/* FIXME: also start a timer for the whole transaction
+					 * (maybe within the connect_manager?) */
 				}
 			}
 			break;
@@ -510,9 +524,11 @@ static status_t build_i_ms(private_ike_me_t *this, message_t *message)
 	{
 		case ME_CONNECT:
 		{
-			id_payload_t *id_payload = id_payload_create_from_identification(ID_PEER, this->peer_id);
+			id_payload_t *id_payload;
+			id_payload = id_payload_create_from_identification(ID_PEER,
+															   this->peer_id);
 			message->add_payload(message, (payload_t*)id_payload);
-			
+
 			if (this->callback)
 			{
 				message->add_notify(message, FALSE, ME_CALLBACK, chunk_empty);
@@ -521,11 +537,13 @@ static status_t build_i_ms(private_ike_me_t *this, message_t *message)
 			{
 				if (this->response)
 				{
-					message->add_notify(message, FALSE, ME_RESPONSE, chunk_empty);
-				}	
-				message->add_notify(message, FALSE, ME_CONNECTID, this->connect_id);
-				message->add_notify(message, FALSE, ME_CONNECTKEY, this->connect_key);
-				
+					message->add_notify(message, FALSE, ME_RESPONSE,
+										chunk_empty);
+				}
+				message->add_notify(message, FALSE, ME_CONNECTID,
+									this->connect_id);
+				message->add_notify(message, FALSE, ME_CONNECTKEY,
+									this->connect_key);
 				add_endpoints_to_message(message, this->remote_endpoints);
 			}
 			break;
@@ -533,7 +551,6 @@ static status_t build_i_ms(private_ike_me_t *this, message_t *message)
 		default:
 			break;
 	}
-	
 	return NEED_MORE;
 }
 
@@ -546,15 +563,15 @@ static status_t process_r_ms(private_ike_me_t *this, message_t *message)
 	{
 		case IKE_SA_INIT:
 		{
-			/* FIXME: we should check for SA* and TS* payloads
-			 * if any are there send NO_ADDITIONAL_SAS back and delete this SA */
+			/* FIXME: we should check for SA* and TS* payloads. if there are
+			 * any, send NO_ADDITIONAL_SAS back and delete this SA */
 			process_payloads(this, message);
 			return this->mediation ? NEED_MORE : SUCCESS;
 		}
 		case IKE_AUTH:
 		{
-			/* FIXME: we should check whether the current peer_config is configured
-			 * as mediation connection */
+			/* FIXME: we should check whether the current peer_config is
+			 * configured as mediation connection */
 			process_payloads(this, message);
 			break;
 		}
@@ -570,32 +587,35 @@ static status_t process_r_ms(private_ike_me_t *this, message_t *message)
 			id_payload = (id_payload_t*)message->get_payload(message, ID_PEER);
 			if (!id_payload)
 			{
-				DBG1(DBG_IKE, "received ME_CONNECT without ID_PEER payload, aborting");
+				DBG1(DBG_IKE, "received ME_CONNECT without ID_PEER payload"
+					 ", aborting");
 				this->invalid_syntax = TRUE;
 				break;
 			}
-			
 			this->peer_id = id_payload->get_identification(id_payload);
-			
+
 			process_payloads(this, message);
-			
+
 			if (!this->connect_id.ptr)
 			{
-				DBG1(DBG_IKE, "received ME_CONNECT without ME_CONNECTID notify, aborting");
+				DBG1(DBG_IKE, "received ME_CONNECT without ME_CONNECTID notify"
+					 ", aborting");
 				this->invalid_syntax = TRUE;
 				break;
 			}
-			
+
 			if (!this->connect_key.ptr)
 			{
-				DBG1(DBG_IKE, "received ME_CONNECT without ME_CONNECTKEY notify, aborting");
+				DBG1(DBG_IKE, "received ME_CONNECT without ME_CONNECTKEY notify"
+					 ", aborting");
 				this->invalid_syntax = TRUE;
 				break;
 			}
-			
+
 			if (!this->remote_endpoints->get_count(this->remote_endpoints))
 			{
-				DBG1(DBG_IKE, "received ME_CONNECT without any ME_ENDPOINT payloads, aborting");
+				DBG1(DBG_IKE, "received ME_CONNECT without any ME_ENDPOINT "
+					 "payloads, aborting");
 				this->invalid_syntax = TRUE;
 				break;
 			}
@@ -604,7 +624,6 @@ static status_t process_r_ms(private_ike_me_t *this, message_t *message)
 		default:
 			break;
 	}
-	
 	return NEED_MORE;
 }
 
@@ -623,58 +642,54 @@ static status_t build_r_ms(private_ike_me_t *this, message_t *message)
 		case IKE_AUTH:
 		{
 			endpoint_notify_t *endpoint;
-			if (this->remote_endpoints->get_first(this->remote_endpoints, (void**)&endpoint) == SUCCESS &&
-					endpoint->get_type(endpoint) == SERVER_REFLEXIVE)
+			if (this->remote_endpoints->get_first(this->remote_endpoints,
+											(void**)&endpoint) == SUCCESS &&
+				endpoint->get_type(endpoint) == SERVER_REFLEXIVE)
 			{
 				host_t *host = this->ike_sa->get_other_host(this->ike_sa);
-				
-				DBG2(DBG_IKE, "received request for a server reflexive endpoint "
-						"sending: %#H", host);
-				
-				endpoint = endpoint_notify_create_from_host(SERVER_REFLEXIVE, host, NULL);								
+				DBG2(DBG_IKE, "received request for a server reflexive "
+					 "endpoint sending: %#H", host);
+				endpoint = endpoint_notify_create_from_host(SERVER_REFLEXIVE,
+															host, NULL);
 				message->add_payload(message, (payload_t*)endpoint->build_notify(endpoint));
 				endpoint->destroy(endpoint);
 			}
-			
-			/* FIXME: we actually must delete any existing IKE_SAs with the same remote id */
 			this->ike_sa->act_as_mediation_server(this->ike_sa);
-			
-			DBG1(DBG_IKE, "established mediation connection successfully");
-			
 			break;
 		}
 		case ME_CONNECT:
-		{	
+		{
 			if (this->invalid_syntax)
 			{
 				message->add_notify(message, TRUE, INVALID_SYNTAX, chunk_empty);
 				break;
 			}
-			
+
 			ike_sa_id_t *peer_sa;
 			if (this->callback)
 			{
-				peer_sa = charon->mediation_manager->check_and_register(charon->mediation_manager,
-						this->peer_id, this->ike_sa->get_other_id(this->ike_sa));
+				peer_sa = charon->mediation_manager->check_and_register(
+									charon->mediation_manager, this->peer_id,
+									this->ike_sa->get_other_id(this->ike_sa));
 			}
 			else
 			{
-				peer_sa = charon->mediation_manager->check(charon->mediation_manager,
-						this->peer_id);
+				peer_sa = charon->mediation_manager->check(
+									charon->mediation_manager, this->peer_id);
 			}
-			
+
 			if (!peer_sa)
 			{
 				/* the peer is not online */
-				message->add_notify(message, TRUE, ME_CONNECT_FAILED, chunk_empty);
+				message->add_notify(message, TRUE, ME_CONNECT_FAILED,
+									chunk_empty);
 				break;
 			}
-			
+
 			job_t *job = (job_t*)mediation_job_create(this->peer_id,
 					this->ike_sa->get_other_id(this->ike_sa), this->connect_id,
 					this->connect_key, this->remote_endpoints, this->response);
 			charon->processor->queue_job(charon->processor, job);
-			
 			break;
 		}
 		default:
@@ -706,8 +721,8 @@ static void me_connect(private_ike_me_t *this, identification_t *peer_id)
 /**
  * Implementation of ike_me.respond
  */
-static void me_respond(private_ike_me_t *this, identification_t *peer_id, 
-		chunk_t connect_id)
+static void me_respond(private_ike_me_t *this, identification_t *peer_id,
+					   chunk_t connect_id)
 {
 	this->peer_id = peer_id->clone(peer_id);
 	this->connect_id = chunk_clone(connect_id);
@@ -726,16 +741,19 @@ static void me_callback(private_ike_me_t *this, identification_t *peer_id)
 /**
  * Implementation of ike_me.relay
  */
-static void relay(private_ike_me_t *this, identification_t *requester, chunk_t connect_id,
-		chunk_t connect_key, linked_list_t *endpoints, bool response)
+static void relay(private_ike_me_t *this, identification_t *requester,
+				  chunk_t connect_id, chunk_t connect_key,
+				  linked_list_t *endpoints, bool response)
 {
 	this->peer_id = requester->clone(requester);
 	this->connect_id = chunk_clone(connect_id);
 	this->connect_key = chunk_clone(connect_key);
-	
-	this->remote_endpoints->destroy_offset(this->remote_endpoints, offsetof(endpoint_notify_t, destroy));
-	this->remote_endpoints = endpoints->clone_offset(endpoints, offsetof(endpoint_notify_t, clone));
-	
+
+	this->remote_endpoints->destroy_offset(this->remote_endpoints,
+										offsetof(endpoint_notify_t, destroy));
+	this->remote_endpoints = endpoints->clone_offset(endpoints,
+										offsetof(endpoint_notify_t, clone));
+
 	this->response = response;
 }
 
@@ -761,13 +779,15 @@ static void migrate(private_ike_me_t *this, ike_sa_t *ike_sa)
 static void destroy(private_ike_me_t *this)
 {
 	DESTROY_IF(this->peer_id);
-	
+
 	chunk_free(&this->connect_id);
 	chunk_free(&this->connect_key);
-	
-	this->local_endpoints->destroy_offset(this->local_endpoints, offsetof(endpoint_notify_t, destroy));
-	this->remote_endpoints->destroy_offset(this->remote_endpoints, offsetof(endpoint_notify_t, destroy));
-	
+
+	this->local_endpoints->destroy_offset(this->local_endpoints,
+										offsetof(endpoint_notify_t, destroy));
+	this->remote_endpoints->destroy_offset(this->remote_endpoints,
+										offsetof(endpoint_notify_t, destroy));
+
 	DESTROY_IF(this->mediated_cfg);
 	free(this);
 }
@@ -782,7 +802,7 @@ ike_me_t *ike_me_create(ike_sa_t *ike_sa, bool initiator)
 	this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
 	this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
 	this->public.task.destroy = (void(*)(task_t*))destroy;
-	
+
 	if (ike_sa->has_condition(ike_sa, COND_ORIGINAL_INITIATOR))
 	{
 		if (initiator)
@@ -810,15 +830,15 @@ ike_me_t *ike_me_create(ike_sa_t *ike_sa, bool initiator)
 			this->public.task.process = (status_t(*)(task_t*,message_t*))process_r_ms;
 		}
 	}
-	
+
 	this->public.connect = (void(*)(ike_me_t*,identification_t*))me_connect;
 	this->public.respond = (void(*)(ike_me_t*,identification_t*,chunk_t))me_respond;
 	this->public.callback = (void(*)(ike_me_t*,identification_t*))me_callback;
 	this->public.relay = (void(*)(ike_me_t*,identification_t*,chunk_t,chunk_t,linked_list_t*,bool))relay;
-	
+
 	this->ike_sa = ike_sa;
 	this->initiator = initiator;
-	
+
 	this->peer_id = NULL;
 	this->connect_id = chunk_empty;
 	this->connect_key = chunk_empty;
@@ -829,8 +849,8 @@ ike_me_t *ike_me_create(ike_sa_t *ike_sa, bool initiator)
 	this->callback = FALSE;
 	this->failed = FALSE;
 	this->invalid_syntax = FALSE;
-	
+
 	this->mediated_cfg = NULL;
-	
+
 	return &this->public;
 }
diff --git a/src/charon/sa/tasks/ike_me.h b/src/charon/sa/tasks/ike_me.h
index 4b35c313c..31285a426 100644
--- a/src/charon/sa/tasks/ike_me.h
+++ b/src/charon/sa/tasks/ike_me.h
@@ -34,18 +34,17 @@ typedef struct ike_me_t ike_me_t;
  * connection, allows to initiate mediated connections using ME_CONNECT
  * exchanges and to request reflexive addresses from the mediation server using
  * ME_ENDPOINT notifies.
- * 
+ *
  * @note This task has to be activated before the IKE_AUTH task, because that
  * task generates the IKE_SA_INIT message so that no more payloads can be added
  * to it afterwards.
  */
 struct ike_me_t {
-
 	/**
 	 * Implements the task_t interface
 	 */
 	task_t task;
-	
+
 	/**
 	 * Initiates a connection with another peer (i.e. sends a ME_CONNECT
 	 * to the mediation server)
@@ -53,45 +52,48 @@ struct ike_me_t {
 	 * @param peer_id			ID of the other peer (gets cloned)
 	 */
 	void (*connect)(ike_me_t *this, identification_t *peer_id);
-	
+
 	/**
 	 * Responds to a ME_CONNECT from another peer (i.e. sends a ME_CONNECT
 	 * to the mediation server)
-	 * 
-	 * @param peer_id			ID of the other peer (gets cloned)
-	 * @param connect_id		the connect ID as provided by the initiator (gets cloned)
+	 *
+	 * Data gets cloned.
+	 *
+	 * @param peer_id			ID of the other peer
+	 * @param connect_id		the connect ID as provided by the initiator
 	 */
-	void (*respond)(ike_me_t *this, identification_t *peer_id, chunk_t connect_id);
-	
+	void (*respond)(ike_me_t *this, identification_t *peer_id,
+					chunk_t connect_id);
+
 	/**
-	 * Sends a ME_CALLBACK to a peer that previously requested another peer.
-	 * 
+	 * Sends a ME_CALLBACK to a peer that previously requested some other peer.
+	 *
 	 * @param peer_id			ID of the other peer (gets cloned)
 	 */
 	void (*callback)(ike_me_t *this, identification_t *peer_id);
-	
+
 	/**
 	 * Relays data to another peer (i.e. sends a ME_CONNECT to the peer)
-	 * 
+	 *
 	 * Data gets cloned.
-	 * 
+	 *
 	 * @param requester			ID of the requesting peer
 	 * @param connect_id		content of the ME_CONNECTID notify
 	 * @param connect_key		content of the ME_CONNECTKEY notify
 	 * @param endpoints			endpoints
 	 * @param response			TRUE if this is a response
 	 */
-	void (*relay)(ike_me_t *this, identification_t *requester, chunk_t connect_id,
-			chunk_t connect_key, linked_list_t *endpoints, bool response);
-
+	void (*relay)(ike_me_t *this, identification_t *requester,
+				  chunk_t connect_id, chunk_t connect_key,
+				  linked_list_t *endpoints, bool response);
 };
 
 /**
  * Create a new ike_me task.
  *
  * @param ike_sa		IKE_SA this task works for
- * @param initiator		TRUE if taks is initiated by us
- * @return			  	ike_me task to handle by the task_manager
+ * @param initiator		TRUE if task is initiated by us
+ * @return				ike_me task to be handled by the task_manager
  */
 ike_me_t *ike_me_create(ike_sa_t *ike_sa, bool initiator);
 
diff --git a/src/charon/sa/tasks/ike_mobike.c b/src/charon/sa/tasks/ike_mobike.c
index 9a1afe744..d76ba8d2b 100644
--- a/src/charon/sa/tasks/ike_mobike.c
+++ b/src/charon/sa/tasks/ike_mobike.c
@@ -30,42 +30,42 @@ typedef struct private_ike_mobike_t private_ike_mobike_t;
  * Private members of a ike_mobike_t task.
  */
 struct private_ike_mobike_t {
-	
+
 	/**
 	 * Public methods and task_t interface.
 	 */
 	ike_mobike_t public;
-	
+
 	/**
 	 * Assigned IKE_SA.
 	 */
 	ike_sa_t *ike_sa;
-	
+
 	/**
 	 * Are we the initiator?
 	 */
 	bool initiator;
-	
+
 	/**
 	 * cookie2 value to verify new addresses
 	 */
 	chunk_t cookie2;
-	
+
 	/**
 	 * NAT discovery reusing the IKE_NATD task
 	 */
 	ike_natd_t *natd;
-	
+
 	/**
 	 * use task to update addresses
 	 */
 	bool update;
-	
+
 	/**
 	 * do routability check
 	 */
 	bool check;
-	
+
 	/**
 	 * include address list update
 	 */
@@ -79,7 +79,7 @@ static void flush_additional_addresses(private_ike_mobike_t *this)
 {
 	iterator_t *iterator;
 	host_t *host;
-	
+
 	iterator = this->ike_sa->create_additional_address_iterator(this->ike_sa);
 	while (iterator->iterate(iterator, (void**)&host))
 	{
@@ -98,7 +98,7 @@ static void process_payloads(private_ike_mobike_t *this, message_t *message)
 	enumerator_t *enumerator;
 	payload_t *payload;
 	bool first = TRUE;
-	
+
 	enumerator = message->create_payload_enumerator(message);
 	while (enumerator->enumerate(enumerator, &payload))
 	{
@@ -106,7 +106,7 @@ static void process_payloads(private_ike_mobike_t *this, message_t *message)
 		notify_payload_t *notify;
 		chunk_t data;
 		host_t *host;
-		
+
 		if (payload->get_type(payload) != NOTIFY)
 		{
 			continue;
@@ -117,9 +117,9 @@ static void process_payloads(private_ike_mobike_t *this, message_t *message)
 			case MOBIKE_SUPPORTED:
 			{
 				peer_cfg_t *peer_cfg;
-				
+
 				peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
-				if (!this->initiator && 
+				if (!this->initiator &&
 					peer_cfg && !peer_cfg->use_mobike(peer_cfg))
 				{
 					DBG1(DBG_IKE, "peer supports MOBIKE, but disabled in config");
@@ -191,7 +191,7 @@ static void build_address_list(private_ike_mobike_t *this, message_t *message)
 	host_t *host, *me;
 	notify_type_t type;
 	int added = 0;
-	
+
 	me = this->ike_sa->get_my_host(this->ike_sa);
 	enumerator = charon->kernel_interface->create_address_enumerator(
 										charon->kernel_interface, FALSE, FALSE);
@@ -227,7 +227,7 @@ static void build_address_list(private_ike_mobike_t *this, message_t *message)
 }
 
 /**
- * build a cookie and add it to the message 
+ * build a cookie and add it to the message
  */
 static void build_cookie(private_ike_mobike_t *this, message_t *message)
 {
@@ -250,12 +250,12 @@ static void update_children(private_ike_mobike_t *this)
 {
 	iterator_t *iterator;
 	child_sa_t *child_sa;
-	
+
 	iterator = this->ike_sa->create_child_sa_iterator(this->ike_sa);
 	while (iterator->iterate(iterator, (void**)&child_sa))
 	{
 		if (child_sa->update(child_sa,
-				this->ike_sa->get_my_host(this->ike_sa), 
+				this->ike_sa->get_my_host(this->ike_sa),
 				this->ike_sa->get_other_host(this->ike_sa),
 				this->ike_sa->get_virtual_ip(this->ike_sa, TRUE),
 				this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY)) == NOT_SUPPORTED)
@@ -276,7 +276,7 @@ static void transmit(private_ike_mobike_t *this, packet_t *packet)
 	host_t *me, *other, *me_old, *other_old;
 	iterator_t *iterator;
 	packet_t *copy;
-	
+
 	if (!this->check)
 	{
 		return;
@@ -284,16 +284,19 @@ static void transmit(private_ike_mobike_t *this, packet_t *packet)
 
 	me_old = this->ike_sa->get_my_host(this->ike_sa);
 	other_old = this->ike_sa->get_other_host(this->ike_sa);
-	
+
 	me = charon->kernel_interface->get_source_addr(
 									charon->kernel_interface, other_old, NULL);
 	if (me)
 	{
 		me->set_port(me, me->ip_equals(me, me_old) ?
 					 me_old->get_port(me_old) : IKEV2_NATT_PORT);
-		packet->set_source(packet, me);
+		DBG1(DBG_IKE, "checking original path %#H - %#H", me, other_old);
+		copy = packet->clone(packet);
+		copy->set_source(copy, me);
+		charon->sender->send(charon->sender, copy);
 	}
-	
+
 	iterator = this->ike_sa->create_additional_address_iterator(this->ike_sa);
 	while (iterator->iterate(iterator, (void**)&other))
 	{
@@ -320,9 +323,6 @@ static void transmit(private_ike_mobike_t *this, packet_t *packet)
 		}
 	}
 	iterator->destroy(iterator);
-	me = packet->get_source(packet);
-	other = packet->get_destination(packet);
-	DBG1(DBG_IKE, "checking path %#H - %#H", me, other);
 }
 
 /**
@@ -338,8 +338,8 @@ static status_t build_i(private_ike_mobike_t *this, message_t *message)
 	else if (message->get_exchange_type(message) == INFORMATIONAL)
 	{
 		host_t *old, *new;
-		
-		/* we check if the existing address is still valid */ 
+
+		/* we check if the existing address is still valid */
 		old = message->get_source(message);
 		new = charon->kernel_interface->get_source_addr(charon->kernel_interface,
 										message->get_destination(message), old);
@@ -388,13 +388,13 @@ static status_t process_r(private_ike_mobike_t *this, message_t *message)
 		if (this->update)
 		{
 			host_t *me, *other;
-			
+
 			me = message->get_destination(message);
 			other = message->get_source(message);
 			this->ike_sa->set_my_host(this->ike_sa, me->clone(me));
 			this->ike_sa->set_other_host(this->ike_sa, other->clone(other));
 		}
-		
+
 		if (this->natd)
 		{
 			this->natd->task.process(&this->natd->task, message);
@@ -461,7 +461,7 @@ static status_t process_i(private_ike_mobike_t *this, message_t *message)
 		if (this->cookie2.ptr)
 		{	/* check cookie if we included one */
 			chunk_t cookie2;
-			
+
 			cookie2 = this->cookie2;
 			this->cookie2 = chunk_empty;
 			process_payloads(this, message);
@@ -496,17 +496,17 @@ static status_t process_i(private_ike_mobike_t *this, message_t *message)
 		if (this->check)
 		{
 			host_t *me_new, *me_old, *other_new, *other_old;
-			
+
 			me_new = message->get_destination(message);
 			other_new = message->get_source(message);
 			me_old = this->ike_sa->get_my_host(this->ike_sa);
 			other_old = this->ike_sa->get_other_host(this->ike_sa);
-			
+
 			if (!me_new->equals(me_new, me_old))
 			{
 				this->update = TRUE;
 				this->ike_sa->set_my_host(this->ike_sa, me_new->clone(me_new));
-			}			
+			}
 			if (!other_new->equals(other_new, other_old))
 			{
 				this->update = TRUE;
@@ -538,7 +538,7 @@ static void roam(private_ike_mobike_t *this, bool address)
 {
 	this->check = TRUE;
 	this->address = address;
-	this->ike_sa->set_pending_updates(this->ike_sa, 
+	this->ike_sa->set_pending_updates(this->ike_sa,
 							this->ike_sa->get_pending_updates(this->ike_sa) + 1);
 }
 
@@ -552,7 +552,7 @@ static void dpd(private_ike_mobike_t *this)
 		this->natd = ike_natd_create(this->ike_sa, this->initiator);
 	}
 	this->address = FALSE;
-	this->ike_sa->set_pending_updates(this->ike_sa, 
+	this->ike_sa->set_pending_updates(this->ike_sa,
 							this->ike_sa->get_pending_updates(this->ike_sa) + 1);
 }
 
@@ -612,7 +612,7 @@ ike_mobike_t *ike_mobike_create(ike_sa_t *ike_sa, bool initiator)
 	this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
 	this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
 	this->public.task.destroy = (void(*)(task_t*))destroy;
-	
+
 	if (initiator)
 	{
 		this->public.task.build = (status_t(*)(task_t*,message_t*))build_i;
@@ -623,7 +623,7 @@ ike_mobike_t *ike_mobike_create(ike_sa_t *ike_sa, bool initiator)
 		this->public.task.build = (status_t(*)(task_t*,message_t*))build_r;
 		this->public.task.process = (status_t(*)(task_t*,message_t*))process_r;
 	}
-	
+
 	this->ike_sa = ike_sa;
 	this->initiator = initiator;
 	this->update = FALSE;
@@ -631,7 +631,7 @@ ike_mobike_t *ike_mobike_create(ike_sa_t *ike_sa, bool initiator)
 	this->address = TRUE;
 	this->cookie2 = chunk_empty;
 	this->natd = NULL;
-	
+
 	return &this->public;
 }
 
diff --git a/src/charon/sa/tasks/ike_mobike.h b/src/charon/sa/tasks/ike_mobike.h
index 919b5ddd3..05b2224d1 100644
--- a/src/charon/sa/tasks/ike_mobike.h
+++ b/src/charon/sa/tasks/ike_mobike.h
@@ -35,7 +35,7 @@ typedef struct ike_mobike_t ike_mobike_t;
  * and IPsec tunnel addresses.
  * This tasks handles the MOBIKE_SUPPORTED notify exchange to detect MOBIKE
  * support, allows the exchange of ADDITIONAL_*_ADDRESS to exchange additional
- * endpoints and handles the UPDATE_SA_ADDRESS notify to finally update 
+ * endpoints and handles the UPDATE_SA_ADDRESS notify to finally update
  * endpoints.
  */
 struct ike_mobike_t {
@@ -44,36 +44,36 @@ struct ike_mobike_t {
 	 * Implements the task_t interface
 	 */
 	task_t task;
-	
+
 	/**
 	 * Use the task to roam to other addresses.
 	 *
 	 * @param address		TRUE to include address list update
 	 */
 	void (*roam)(ike_mobike_t *this, bool address);
-	
+
 	/**
 	 * Use the task for a DPD check which detects changes in NAT mappings.
 	 */
 	void (*dpd)(ike_mobike_t *this);
-	
+
 	/**
 	 * Transmision hook, called by task manager.
 	 *
-	 * The task manager calls this hook whenever it transmits a packet. It 
+	 * The task manager calls this hook whenever it transmits a packet. It
 	 * allows the mobike task to send the packet on multiple paths to do path
 	 * probing.
 	 *
 	 * @param packet		the packet to transmit
 	 */
 	void (*transmit)(ike_mobike_t *this, packet_t *packet);
-	
+
 	/**
 	 * Check if this task is probing for routability.
 	 *
 	 * @return				TRUE if task is probing
 	 */
-	bool (*is_probing)(ike_mobike_t *this);	
+	bool (*is_probing)(ike_mobike_t *this);
 };
 
 /**
@@ -81,7 +81,7 @@ struct ike_mobike_t {
  *
  * @param ike_sa		IKE_SA this task works for
  * @param initiator		TRUE if taks is initiated by us
- * @return			  	ike_mobike task to handle by the task_manager
+ * @return				ike_mobike task to handle by the task_manager
  */
 ike_mobike_t *ike_mobike_create(ike_sa_t *ike_sa, bool initiator);
 
diff --git a/src/charon/sa/tasks/ike_natd.c b/src/charon/sa/tasks/ike_natd.c
index bb18e7bda..9121fe2ea 100644
--- a/src/charon/sa/tasks/ike_natd.c
+++ b/src/charon/sa/tasks/ike_natd.c
@@ -30,47 +30,47 @@ typedef struct private_ike_natd_t private_ike_natd_t;
  * Private members of a ike_natd_t task.
  */
 struct private_ike_natd_t {
-	
+
 	/**
 	 * Public methods and task_t interface.
 	 */
 	ike_natd_t public;
-	
+
 	/**
 	 * Assigned IKE_SA.
 	 */
 	ike_sa_t *ike_sa;
-	
+
 	/**
 	 * Are we the initiator?
 	 */
 	bool initiator;
-	
+
 	/**
 	 * Hasher used to build NAT detection hashes
 	 */
 	hasher_t *hasher;
-	
+
 	/**
 	 * Did we process any NAT detection notifys for a source address?
 	 */
 	bool src_seen;
-	
+
 	/**
 	 * Did we process any NAT detection notifys for a destination address?
 	 */
 	bool dst_seen;
-	
+
 	/**
 	 * Have we found a matching source address NAT hash?
 	 */
 	bool src_matched;
-	
+
 	/**
 	 * Have we found a matching destination address NAT hash?
 	 */
 	bool dst_matched;
-	
+
 	/**
 	 * whether NAT mappings for our NATed address has changed
 	 */
@@ -88,7 +88,7 @@ static chunk_t generate_natd_hash(private_ike_natd_t *this,
 	chunk_t natd_hash;
 	u_int64_t spi_i, spi_r;
 	u_int16_t port;
-	
+
 	/* prepare all required chunks */
 	spi_i = ike_sa_id->get_initiator_spi(ike_sa_id);
 	spi_r = ike_sa_id->get_responder_spi(ike_sa_id);
@@ -100,13 +100,13 @@ static chunk_t generate_natd_hash(private_ike_natd_t *this,
 	port_chunk.ptr = (void*)&port;
 	port_chunk.len = sizeof(port);
 	addr_chunk = host->get_address(host);
-		
+
 	/*  natd_hash = SHA1( spi_i | spi_r | address | port ) */
 	natd_chunk = chunk_cat("cccc", spi_i_chunk, spi_r_chunk, addr_chunk, port_chunk);
 	this->hasher->allocate_hash(this->hasher, natd_chunk, &natd_hash);
 	DBG3(DBG_IKE, "natd_chunk %B", &natd_chunk);
 	DBG3(DBG_IKE, "natd_hash %B", &natd_hash);
-	
+
 	chunk_free(&natd_chunk);
 	return natd_hash;
 }
@@ -118,7 +118,7 @@ static chunk_t generate_natd_hash_faked(private_ike_natd_t *this)
 {
 	rng_t *rng;
 	chunk_t chunk;
-	
+
 	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
 	if (!rng)
 	{
@@ -137,10 +137,10 @@ static notify_payload_t *build_natd_payload(private_ike_natd_t *this,
 											notify_type_t type, host_t *host)
 {
 	chunk_t hash;
-	notify_payload_t *notify;	
+	notify_payload_t *notify;
 	ike_sa_id_t *ike_sa_id;
 	ike_cfg_t *config;
-	
+
 	ike_sa_id = this->ike_sa->get_id(this->ike_sa);
 	config = this->ike_sa->get_ike_cfg(this->ike_sa);
 	if (config->force_encap(config) && type == NAT_DETECTION_SOURCE_IP)
@@ -155,7 +155,7 @@ static notify_payload_t *build_natd_payload(private_ike_natd_t *this,
 	notify->set_notify_type(notify, type);
 	notify->set_notification_data(notify, hash);
 	chunk_free(&hash);
-	
+
 	return notify;
 }
 
@@ -171,17 +171,17 @@ static void process_payloads(private_ike_natd_t *this, message_t *message)
 	ike_sa_id_t *ike_sa_id;
 	host_t *me, *other;
 	ike_cfg_t *config;
-	
+
 	/* Precompute NAT-D hashes for incoming NAT notify comparison */
 	ike_sa_id = message->get_ike_sa_id(message);
 	me = message->get_destination(message);
 	other = message->get_source(message);
 	dst_hash = generate_natd_hash(this, ike_sa_id, me);
 	src_hash = generate_natd_hash(this, ike_sa_id, other);
-	
+
 	DBG3(DBG_IKE, "precalculated src_hash %B", &src_hash);
 	DBG3(DBG_IKE, "precalculated dst_hash %B", &dst_hash);
-	
+
 	enumerator = message->create_payload_enumerator(message);
 	while (enumerator->enumerate(enumerator, &payload))
 	{
@@ -234,10 +234,10 @@ static void process_payloads(private_ike_natd_t *this, message_t *message)
 		}
 	}
 	enumerator->destroy(enumerator);
-	
+
 	chunk_free(&src_hash);
 	chunk_free(&dst_hash);
-	
+
 	if (this->src_seen && this->dst_seen)
 	{
 		this->ike_sa->enable_extension(this->ike_sa, EXT_NATT);
@@ -245,12 +245,12 @@ static void process_payloads(private_ike_natd_t *this, message_t *message)
 		this->ike_sa->set_condition(this->ike_sa, COND_NAT_HERE,
 									!this->dst_matched);
 		this->ike_sa->set_condition(this->ike_sa, COND_NAT_THERE,
-									!this->src_matched);	
+									!this->src_matched);
 		config = this->ike_sa->get_ike_cfg(this->ike_sa);
 		if (this->dst_matched && this->src_matched &&
 			config->force_encap(config))
 		{
-			this->ike_sa->set_condition(this->ike_sa, COND_NAT_FAKE, TRUE);	
+			this->ike_sa->set_condition(this->ike_sa, COND_NAT_FAKE, TRUE);
 		}
 	}
 }
@@ -261,7 +261,7 @@ static void process_payloads(private_ike_natd_t *this, message_t *message)
 static status_t process_i(private_ike_natd_t *this, message_t *message)
 {
 	process_payloads(this, message);
-	
+
 	if (message->get_exchange_type(message) == IKE_SA_INIT)
 	{
 		peer_cfg_t *peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
@@ -275,10 +275,10 @@ static status_t process_i(private_ike_natd_t *this, message_t *message)
 			return SUCCESS;
 		}
 #endif /* ME */
-		
+
 		if (this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY) ||
 #ifdef ME
-			/* if we are on a mediation connection we swith to port 4500 even
+			/* if we are on a mediation connection we switch to port 4500 even
 			 * if no NAT is detected. */
 			peer_cfg->is_mediation(peer_cfg) ||
 #endif /* ME */
@@ -288,7 +288,7 @@ static status_t process_i(private_ike_natd_t *this, message_t *message)
 			 this->ike_sa->supports_extension(this->ike_sa, EXT_NATT)))
 		{
 			host_t *me, *other;
-		
+
 			/* do not switch if we have a custom port from mobike/NAT */
 			me = this->ike_sa->get_my_host(this->ike_sa);
 			if (me->get_port(me) == IKEV2_UDP_PORT)
@@ -302,7 +302,7 @@ static status_t process_i(private_ike_natd_t *this, message_t *message)
 			}
 		}
 	}
-	
+
 	return SUCCESS;
 }
 
@@ -314,18 +314,18 @@ static status_t build_i(private_ike_natd_t *this, message_t *message)
 	notify_payload_t *notify;
 	enumerator_t *enumerator;
 	host_t *host;
-	
+
 	if (this->hasher == NULL)
 	{
 		DBG1(DBG_IKE, "unable to build NATD payloads, SHA1 not supported");
 		return NEED_MORE;
 	}
-	
+
 	/* destination is always set */
 	host = message->get_destination(message);
 	notify = build_natd_payload(this, NAT_DETECTION_DESTINATION_IP, host);
 	message->add_payload(message, (payload_t*)notify);
-	
+
 	/* source may be any, we have 3 possibilities to get our source address:
 	 * 1. It is defined in the config => use the one of the IKE_SA
 	 * 2. We do a routing lookup in the kernel interface
@@ -374,7 +374,7 @@ static status_t build_r(private_ike_natd_t *this, message_t *message)
 {
 	notify_payload_t *notify;
 	host_t *me, *other;
-	
+
 	/* only add notifies on successfull responses. */
 	if (message->get_exchange_type(message) == IKE_SA_INIT &&
 		message->get_payload(message, SECURITY_ASSOCIATION) == NULL)
@@ -389,12 +389,12 @@ static status_t build_r(private_ike_natd_t *this, message_t *message)
 			DBG1(DBG_IKE, "unable to build NATD payloads, SHA1 not supported");
 			return SUCCESS;
 		}
-	
+
 		/* initiator seems to support NAT detection, add response */
 		me = message->get_source(message);
 		notify = build_natd_payload(this, NAT_DETECTION_SOURCE_IP, me);
 		message->add_payload(message, (payload_t*)notify);
-		
+
 		other = message->get_destination(message);
 		notify = build_natd_payload(this, NAT_DETECTION_DESTINATION_IP, other);
 		message->add_payload(message, (payload_t*)notify);
@@ -406,9 +406,9 @@ static status_t build_r(private_ike_natd_t *this, message_t *message)
  * Implementation of task_t.process for responder
  */
 static status_t process_r(private_ike_natd_t *this, message_t *message)
-{	
+{
 	process_payloads(this, message);
-	
+
 	return NEED_MORE;
 }
 
@@ -460,7 +460,7 @@ ike_natd_t *ike_natd_create(ike_sa_t *ike_sa, bool initiator)
 	this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
 	this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
 	this->public.task.destroy = (void(*)(task_t*))destroy;
-	
+
 	if (initiator)
 	{
 		this->public.task.build = (status_t(*)(task_t*,message_t*))build_i;
@@ -471,9 +471,9 @@ ike_natd_t *ike_natd_create(ike_sa_t *ike_sa, bool initiator)
 		this->public.task.build = (status_t(*)(task_t*,message_t*))build_r;
 		this->public.task.process = (status_t(*)(task_t*,message_t*))process_r;
 	}
-	
+
 	this->public.has_mapping_changed = (bool(*)(ike_natd_t*))has_mapping_changed;
-	
+
 	this->ike_sa = ike_sa;
 	this->initiator = initiator;
 	this->hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
@@ -482,6 +482,6 @@ ike_natd_t *ike_natd_create(ike_sa_t *ike_sa, bool initiator)
 	this->src_matched = FALSE;
 	this->dst_matched = FALSE;
 	this->mapping_changed = FALSE;
-	
+
 	return &this->public;
 }
diff --git a/src/charon/sa/tasks/ike_natd.h b/src/charon/sa/tasks/ike_natd.h
index 698394842..97b652ead 100644
--- a/src/charon/sa/tasks/ike_natd.h
+++ b/src/charon/sa/tasks/ike_natd.h
@@ -36,7 +36,7 @@ struct ike_natd_t {
 	 * Implements the task_t interface
 	 */
 	task_t task;
-	
+
 	/**
 	 * Check if the NAT mapping has changed for our address.
 	 *
diff --git a/src/charon/sa/tasks/ike_reauth.c b/src/charon/sa/tasks/ike_reauth.c
index 80f1b7b8c..ac89c358b 100644
--- a/src/charon/sa/tasks/ike_reauth.c
+++ b/src/charon/sa/tasks/ike_reauth.c
@@ -25,17 +25,17 @@ typedef struct private_ike_reauth_t private_ike_reauth_t;
  * Private members of a ike_reauth_t task.
  */
 struct private_ike_reauth_t {
-	
+
 	/**
 	 * Public methods and task_t interface.
 	 */
 	ike_reauth_t public;
-	
+
 	/**
 	 * Assigned IKE_SA.
 	 */
 	ike_sa_t *ike_sa;
-	
+
 	/**
 	 * reused ike_delete task
 	 */
@@ -60,17 +60,17 @@ static status_t process_i(private_ike_reauth_t *this, message_t *message)
 	iterator_t *iterator;
 	child_sa_t *child_sa;
 	peer_cfg_t *peer_cfg;
-	
+
 	/* process delete response first */
 	this->ike_delete->task.process(&this->ike_delete->task, message);
 
 	peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
-	
+
 	/* reauthenticate only if we have children */
 	iterator = this->ike_sa->create_child_sa_iterator(this->ike_sa);
 	if (iterator->get_count(iterator) == 0
 #ifdef ME
-		/* we allow a peer to reauth a mediation connection (without CHILD_SA) */
+		/* we allow peers to reauth mediation connections (without children) */
 		&& !peer_cfg->is_mediation(peer_cfg)
 #endif /* ME */
 		)
@@ -79,9 +79,9 @@ static status_t process_i(private_ike_reauth_t *this, message_t *message)
 		iterator->destroy(iterator);
 		return FAILED;
 	}
-	
+
 	new = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager, TRUE);
-	
+
 	new->set_peer_cfg(new, peer_cfg);
 	host = this->ike_sa->get_other_host(this->ike_sa);
 	new->set_other_host(new, host->clone(host));
@@ -93,7 +93,7 @@ static status_t process_i(private_ike_reauth_t *this, message_t *message)
 	{
 		new->set_virtual_ip(new, TRUE, host);
 	}
-	
+
 #ifdef ME
 	/* we initiate the new IKE_SA of the mediation connection without CHILD_SA */
 	if (peer_cfg->is_mediation(peer_cfg))
@@ -109,7 +109,7 @@ static status_t process_i(private_ike_reauth_t *this, message_t *message)
 		}
 	}
 #endif /* ME */
-	
+
 	while (iterator->iterate(iterator, (void**)&child_sa))
 	{
 		switch (child_sa->get_state(child_sa))
@@ -144,7 +144,7 @@ static status_t process_i(private_ike_reauth_t *this, message_t *message)
 	charon->ike_sa_manager->checkin(charon->ike_sa_manager, new);
 	/* set threads active IKE_SA after checkin */
 	charon->bus->set_sa(charon->bus, this->ike_sa);
-	
+
 	/* we always return failed to delete the obsolete IKE_SA */
 	return FAILED;
 }
@@ -187,10 +187,10 @@ ike_reauth_t *ike_reauth_create(ike_sa_t *ike_sa)
 	this->public.task.destroy = (void(*)(task_t*))destroy;
 	this->public.task.build = (status_t(*)(task_t*,message_t*))build_i;
 	this->public.task.process = (status_t(*)(task_t*,message_t*))process_i;
-	
+
 	this->ike_sa = ike_sa;
 	this->ike_delete = ike_delete_create(ike_sa, TRUE);
-	
+
 	return &this->public;
 }
 
diff --git a/src/charon/sa/tasks/ike_rekey.c b/src/charon/sa/tasks/ike_rekey.c
index 3a049b566..a2275e796 100644
--- a/src/charon/sa/tasks/ike_rekey.c
+++ b/src/charon/sa/tasks/ike_rekey.c
@@ -30,37 +30,37 @@ typedef struct private_ike_rekey_t private_ike_rekey_t;
  * Private members of a ike_rekey_t task.
  */
 struct private_ike_rekey_t {
-	
+
 	/**
 	 * Public methods and task_t interface.
 	 */
 	ike_rekey_t public;
-	
+
 	/**
 	 * Assigned IKE_SA.
 	 */
 	ike_sa_t *ike_sa;
-	
+
 	/**
 	 * New IKE_SA which replaces the current one
 	 */
 	ike_sa_t *new_sa;
-	
+
 	/**
 	 * Are we the initiator?
 	 */
 	bool initiator;
-	
+
 	/**
 	 * the IKE_INIT task which is reused to simplify rekeying
 	 */
 	ike_init_t *ike_init;
-	
+
 	/**
 	 * IKE_DELETE task to delete the old IKE_SA after rekeying was successful
 	 */
 	ike_delete_t *ike_delete;
-	
+
 	/**
 	 * colliding task detected by the task manager
 	 */
@@ -74,7 +74,7 @@ static status_t build_i_delete(private_ike_rekey_t *this, message_t *message)
 {
 	/* update exchange type to INFORMATIONAL for the delete */
 	message->set_exchange_type(message, INFORMATIONAL);
-	
+
 	return this->ike_delete->task.build(&this->ike_delete->task, message);
 }
 
@@ -93,13 +93,13 @@ static status_t build_i(private_ike_rekey_t *this, message_t *message)
 {
 	peer_cfg_t *peer_cfg;
 	host_t *other_host;
-	
+
 	/* create new SA only on first try */
 	if (this->new_sa == NULL)
 	{
 		this->new_sa = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager,
 															TRUE);
-		
+
 		peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
 		other_host = this->ike_sa->get_other_host(this->ike_sa);
 		this->new_sa->set_peer_cfg(this->new_sa, peer_cfg);
@@ -120,7 +120,7 @@ static status_t process_r(private_ike_rekey_t *this, message_t *message)
 	peer_cfg_t *peer_cfg;
 	iterator_t *iterator;
 	child_sa_t *child_sa;
-	
+
 	if (this->ike_sa->get_state(this->ike_sa) == IKE_DELETING)
 	{
 		DBG1(DBG_IKE, "peer initiated rekeying, but we are deleting");
@@ -144,15 +144,15 @@ static status_t process_r(private_ike_rekey_t *this, message_t *message)
 		}
 	}
 	iterator->destroy(iterator);
-	
+
 	this->new_sa = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager,
 														FALSE);
-	
+
 	peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
 	this->new_sa->set_peer_cfg(this->new_sa, peer_cfg);
 	this->ike_init = ike_init_create(this->new_sa, FALSE, this->ike_sa);
 	this->ike_init->task.process(&this->ike_init->task, message);
-	
+
 	return NEED_MORE;
 }
 
@@ -167,12 +167,12 @@ static status_t build_r(private_ike_rekey_t *this, message_t *message)
 		message->add_notify(message, TRUE, NO_PROPOSAL_CHOSEN, chunk_empty);
 		return SUCCESS;
 	}
-	
+
 	if (this->ike_init->task.build(&this->ike_init->task, message) == FAILED)
 	{
 		return SUCCESS;
 	}
-	
+
 	this->ike_sa->set_state(this->ike_sa, IKE_REKEYING);
 	this->new_sa->set_state(this->new_sa, IKE_ESTABLISHED);
 	DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
@@ -182,7 +182,7 @@ static status_t build_r(private_ike_rekey_t *this, message_t *message)
 		 this->ike_sa->get_my_id(this->ike_sa),
 		 this->ike_sa->get_other_host(this->ike_sa),
 		 this->ike_sa->get_other_id(this->ike_sa));
-	
+
 	return SUCCESS;
 }
 
@@ -191,32 +191,17 @@ static status_t build_r(private_ike_rekey_t *this, message_t *message)
  */
 static status_t process_i(private_ike_rekey_t *this, message_t *message)
 {
-	enumerator_t *enumerator;
-	payload_t *payload;
-	
-	/* handle NO_ADDITIONAL_SAS notify */
-	enumerator = message->create_payload_enumerator(message);
-	while (enumerator->enumerate(enumerator, &payload))
+	if (message->get_notify(message, NO_ADDITIONAL_SAS))
 	{
-		if (payload->get_type(payload) == NOTIFY)
-		{
-			notify_payload_t *notify = (notify_payload_t*)payload;
-			
-			if (notify->get_notify_type(notify) == NO_ADDITIONAL_SAS)
-			{
-				DBG1(DBG_IKE, "peer seems to not support IKE rekeying, "
-					 "starting reauthentication");
-				this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
-				charon->processor->queue_job(charon->processor,
-						(job_t*)rekey_ike_sa_job_create(
-									this->ike_sa->get_id(this->ike_sa), TRUE));
-				enumerator->destroy(enumerator);
-				return SUCCESS;
-			}
-		}
+		DBG1(DBG_IKE, "peer seems to not support IKE rekeying, "
+			 "starting reauthentication");
+		this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
+		charon->processor->queue_job(charon->processor,
+				(job_t*)rekey_ike_sa_job_create(
+							this->ike_sa->get_id(this->ike_sa), TRUE));
+		return SUCCESS;
 	}
-	enumerator->destroy(enumerator);
-	
+
 	switch (this->ike_init->task.process(&this->ike_init->task, message))
 	{
 		case FAILED:
@@ -230,7 +215,7 @@ static status_t process_i(private_ike_rekey_t *this, message_t *message)
 				job = (job_t*)rekey_ike_sa_job_create(
 										this->ike_sa->get_id(this->ike_sa), FALSE);
 				DBG1(DBG_IKE, "IKE_SA rekeying failed, "
-					 					"trying again in %d seconds", retry);
+										"trying again in %d seconds", retry);
 				this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
 				charon->scheduler->schedule_job(charon->scheduler, job, retry);
 			}
@@ -242,7 +227,7 @@ static status_t process_i(private_ike_rekey_t *this, message_t *message)
 		default:
 			break;
 	}
-	
+
 	this->new_sa->set_state(this->new_sa, IKE_ESTABLISHED);
 	DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
 		 this->new_sa->get_name(this->new_sa),
@@ -251,7 +236,7 @@ static status_t process_i(private_ike_rekey_t *this, message_t *message)
 		 this->ike_sa->get_my_id(this->ike_sa),
 		 this->ike_sa->get_other_host(this->ike_sa),
 		 this->ike_sa->get_other_id(this->ike_sa));
-	
+
 	/* check for collisions */
 	if (this->collision &&
 		this->collision->get_type(this->collision) == IKE_REKEY)
@@ -259,13 +244,13 @@ static status_t process_i(private_ike_rekey_t *this, message_t *message)
 		chunk_t this_nonce, other_nonce;
 		host_t *host;
 		private_ike_rekey_t *other = (private_ike_rekey_t*)this->collision;
-		
+
 		this_nonce = this->ike_init->get_lower_nonce(this->ike_init);
 		other_nonce = other->ike_init->get_lower_nonce(other->ike_init);
-		
+
 		/* if we have the lower nonce, delete rekeyed SA. If not, delete
 		 * the redundant. */
-		if (memcmp(this_nonce.ptr, other_nonce.ptr, 
+		if (memcmp(this_nonce.ptr, other_nonce.ptr,
 				   min(this_nonce.len, other_nonce.len)) < 0)
 		{
 			/* peer should delete this SA. Add a timeout just in case. */
@@ -305,12 +290,12 @@ static status_t process_i(private_ike_rekey_t *this, message_t *message)
 		/* set threads active IKE_SA after checkin */
 		charon->bus->set_sa(charon->bus, this->ike_sa);
 	}
-	
+
 	/* rekeying successful, delete the IKE_SA using a subtask */
 	this->ike_delete = ike_delete_create(this->ike_sa, TRUE);
 	this->public.task.build = (status_t(*)(task_t*,message_t*))build_i_delete;
 	this->public.task.process = (status_t(*)(task_t*,message_t*))process_i_delete;
-	
+
 	return NEED_MORE;
 }
 
@@ -349,7 +334,7 @@ static void migrate(private_ike_rekey_t *this, ike_sa_t *ike_sa)
 		charon->bus->set_sa(charon->bus, this->ike_sa);
 	}
 	DESTROY_IF(this->collision);
-	
+
 	this->collision = NULL;
 	this->ike_sa = ike_sa;
 	this->new_sa = NULL;
@@ -412,13 +397,13 @@ ike_rekey_t *ike_rekey_create(ike_sa_t *ike_sa, bool initiator)
 		this->public.task.build = (status_t(*)(task_t*,message_t*))build_r;
 		this->public.task.process = (status_t(*)(task_t*,message_t*))process_r;
 	}
-	
+
 	this->ike_sa = ike_sa;
 	this->new_sa = NULL;
 	this->ike_init = NULL;
 	this->ike_delete = NULL;
 	this->initiator = initiator;
 	this->collision = NULL;
-	
+
 	return &this->public;
 }
diff --git a/src/charon/sa/tasks/ike_rekey.h b/src/charon/sa/tasks/ike_rekey.h
index 6748279ab..1c9550768 100644
--- a/src/charon/sa/tasks/ike_rekey.h
+++ b/src/charon/sa/tasks/ike_rekey.h
@@ -36,7 +36,7 @@ struct ike_rekey_t {
 	 * Implements the task_t interface
 	 */
 	task_t task;
-	
+
 	/**
 	 * Register a rekeying task which collides with this one.
 	 *
@@ -54,7 +54,7 @@ struct ike_rekey_t {
  *
  * @param ike_sa		IKE_SA this task works for
  * @param initiator		TRUE for initiator, FALSE for responder
- * @return			  	IKE_REKEY task to handle by the task_manager
+ * @return				IKE_REKEY task to handle by the task_manager
  */
 ike_rekey_t *ike_rekey_create(ike_sa_t *ike_sa, bool initiator);
 
diff --git a/src/charon/sa/tasks/ike_vendor.c b/src/charon/sa/tasks/ike_vendor.c
new file mode 100644
index 000000000..7c435b6d1
--- /dev/null
+++ b/src/charon/sa/tasks/ike_vendor.c
@@ -0,0 +1,139 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ike_vendor.h"
+
+#include <daemon.h>
+#include <encoding/payloads/vendor_id_payload.h>
+
+typedef struct private_ike_vendor_t private_ike_vendor_t;
+
+/**
+ * Private data of an ike_vendor_t object.
+ */
+struct private_ike_vendor_t {
+
+	/**
+	 * Public ike_vendor_t interface.
+	 */
+	ike_vendor_t public;
+
+	/**
+	 * Associated IKE_SA
+	 */
+	ike_sa_t *ike_sa;
+
+	/**
+	 * Are we the inititator of this task
+	 */
+	bool initiator;
+};
+
+/**
+ * strongSwan specific vendor ID without version, MD5("strongSwan")
+ */
+static chunk_t strongswan_vid = chunk_from_chars(
+	0x88,0x2f,0xe5,0x6d,0x6f,0xd2,0x0d,0xbc,
+	0x22,0x51,0x61,0x3b,0x2e,0xbe,0x5b,0xeb
+);
+
+METHOD(task_t, build, status_t,
+	private_ike_vendor_t *this, message_t *message)
+{
+	if (lib->settings->get_bool(lib->settings,
+								"charon.send_vendor_id", FALSE))
+	{
+		vendor_id_payload_t *vid;
+
+		vid = vendor_id_payload_create_data(chunk_clone(strongswan_vid));
+		message->add_payload(message, &vid->payload_interface);
+	}
+
+	return this->initiator ? NEED_MORE : SUCCESS;
+}
+
+METHOD(task_t, process, status_t,
+	private_ike_vendor_t *this, message_t *message)
+{
+	enumerator_t *enumerator;
+	payload_t *payload;
+
+	enumerator = message->create_payload_enumerator(message);
+	while (enumerator->enumerate(enumerator, &payload))
+	{
+		if (payload->get_type(payload) == VENDOR_ID)
+		{
+			vendor_id_payload_t *vid;
+			chunk_t data;
+
+			vid = (vendor_id_payload_t*)payload;
+			data = vid->get_data(vid);
+
+			if (chunk_equals(data, strongswan_vid))
+			{
+				DBG1(DBG_IKE, "received strongSwan vendor id");
+				this->ike_sa->enable_extension(this->ike_sa, EXT_STRONGSWAN);
+			}
+			else
+			{
+				DBG1(DBG_ENC, "received unknown vendor id: %#B", &data);
+			}
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	return this->initiator ? SUCCESS : NEED_MORE;
+}
+
+METHOD(task_t, migrate, void,
+	private_ike_vendor_t *this, ike_sa_t *ike_sa)
+{
+	this->ike_sa = ike_sa;
+}
+
+METHOD(task_t, get_type, task_type_t,
+	private_ike_vendor_t *this)
+{
+	return IKE_VENDOR;
+}
+
+METHOD(task_t, destroy, void,
+	private_ike_vendor_t *this)
+{
+	free(this);
+}
+
+/**
+ * See header
+ */
+ike_vendor_t *ike_vendor_create(ike_sa_t *ike_sa, bool initiator)
+{
+	private_ike_vendor_t *this;
+
+	INIT(this,
+		.public.task = {
+			.build = _build,
+			.process = _process,
+			.migrate = _migrate,
+			.get_type = _get_type,
+			.destroy = _destroy,
+		},
+		.initiator = initiator,
+		.ike_sa = ike_sa,
+	);
+
+	return &this->public;
+}
+
diff --git a/src/charon/sa/tasks/ike_vendor.h b/src/charon/sa/tasks/ike_vendor.h
new file mode 100644
index 000000000..dcdd37424
--- /dev/null
+++ b/src/charon/sa/tasks/ike_vendor.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ike_vendor ike_vendor
+ * @{ @ingroup tasks
+ */
+
+#ifndef IKE_VENDOR_H_
+#define IKE_VENDOR_H_
+
+typedef struct ike_vendor_t ike_vendor_t;
+
+#include <library.h>
+#include <sa/ike_sa.h>
+#include <sa/tasks/task.h>
+
+/**
+ * Vendor ID processing task.
+ */
+struct ike_vendor_t {
+
+	/**
+	 * Implements task interface.
+	 */
+	task_t task;
+};
+
+/**
+ * Create a ike_vendor instance.
+ *
+ * @param ike_sa		IKE_SA this task works for
+ * @param initiator		TRUE if thask is the original initator
+ */
+ike_vendor_t *ike_vendor_create(ike_sa_t *ike_sa, bool initiator);
+
+#endif /** IKE_VENDOR_H_ @}*/
diff --git a/src/charon/sa/tasks/task.c b/src/charon/sa/tasks/task.c
index 9e35b62a5..0d7383141 100644
--- a/src/charon/sa/tasks/task.c
+++ b/src/charon/sa/tasks/task.c
@@ -30,6 +30,7 @@ ENUM(task_type_names, IKE_INIT, CHILD_REKEY,
 	"IKE_REAUTH",
 	"IKE_DELETE",
 	"IKE_DPD",
+	"IKE_VENDOR",
 	"IKE_ME",
 	"CHILD_CREATE",
 	"CHILD_DELETE",
@@ -49,6 +50,7 @@ ENUM(task_type_names, IKE_INIT, CHILD_REKEY,
 	"IKE_REAUTH",
 	"IKE_DELETE",
 	"IKE_DPD",
+	"IKE_VENDOR",
 	"CHILD_CREATE",
 	"CHILD_DELETE",
 	"CHILD_REKEY",
diff --git a/src/charon/sa/tasks/task.h b/src/charon/sa/tasks/task.h
index 3d2014599..4468f2ebe 100644
--- a/src/charon/sa/tasks/task.h
+++ b/src/charon/sa/tasks/task.h
@@ -57,6 +57,8 @@ enum task_type_t {
 	IKE_DELETE,
 	/** liveness check */
 	IKE_DPD,
+	/** Vendor ID processing */
+	IKE_VENDOR,
 #ifdef ME
 	/** handle ME stuff */
 	IKE_ME,
@@ -79,7 +81,7 @@ extern enum_name_t *task_type_names;
  *
  * A task is an elemantary operation. It may be handled by a single or by
  * multiple exchanges. An exchange may even complete multiple tasks.
- * A task has a build() and an process() operation. The build() operation 
+ * A task has a build() and an process() operation. The build() operation
  * creates payloads and adds it to the message. The process() operation
  * inspects a message and handles its payloads. An initiator of an exchange
  * first calls build() to build the request, and processes the response message
@@ -97,7 +99,7 @@ struct task_t {
 
 	/**
 	 * Build a request or response message for this task.
-	 * 
+	 *
 	 * @param message		message to add payloads to
 	 * @return
 	 *						- FAILED if a critical error occured
@@ -109,7 +111,7 @@ struct task_t {
 
 	/**
 	 * Process a request or response message for this task.
-	 * 
+	 *
 	 * @param message		message to read payloads from
 	 * @return
 	 * 						- FAILED if a critical error occured
@@ -123,7 +125,7 @@ struct task_t {
 	 * Get the type of the task implementation.
 	 */
 	task_type_t (*get_type) (task_t *this);
-	
+
 	/**
 	 * Migrate a task to a new IKE_SA.
 	 *
@@ -138,7 +140,7 @@ struct task_t {
 	 * @param ike_sa		new IKE_SA this task works for
 	 */
 	void (*migrate) (task_t *this, ike_sa_t *ike_sa);
-	
+
 	/**
 	 * Destroys a task_t object.
 	 */
diff --git a/src/charon/sa/trap_manager.c b/src/charon/sa/trap_manager.c
index 570335eb4..ed758995a 100644
--- a/src/charon/sa/trap_manager.c
+++ b/src/charon/sa/trap_manager.c
@@ -16,7 +16,7 @@
 #include "trap_manager.h"
 
 #include <daemon.h>
-#include <utils/mutex.h>
+#include <threading/rwlock.h>
 #include <utils/linked_list.h>
 
 
@@ -27,12 +27,12 @@ typedef struct trap_listener_t trap_listener_t;
  * listener to track acquires
  */
 struct trap_listener_t {
-	
+
 	/**
 	 * Implements listener interface
 	 */
 	listener_t listener;
-	
+
 	/**
 	 * points to trap_manager
 	 */
@@ -43,22 +43,22 @@ struct trap_listener_t {
  * Private data of an trap_manager_t object.
  */
 struct private_trap_manager_t {
-	
+
 	/**
 	 * Public trap_manager_t interface.
 	 */
 	trap_manager_t public;
-	
+
 	/**
 	 * Installed traps, as entry_t
 	 */
 	linked_list_t *traps;
-	
+
 	/**
 	 * read write lock for traps list
 	 */
 	rwlock_t *lock;
-	
+
 	/**
 	 * listener to track acquiring IKE_SAs
 	 */
@@ -102,7 +102,7 @@ static u_int32_t install(private_trap_manager_t *this, peer_cfg_t *peer,
 	bool found = FALSE;
 	status_t status;
 	u_int32_t reqid;
-	
+
 	/* check if not already done */
 	this->lock->read_lock(this->lock);
 	enumerator = this->traps->create_enumerator(this->traps);
@@ -123,10 +123,10 @@ static u_int32_t install(private_trap_manager_t *this, peer_cfg_t *peer,
 			 child->get_name(child));
 		return 0;
 	}
-	
+
 	/* try to resolve addresses */
 	ike_cfg = peer->get_ike_cfg(peer);
-	other = host_create_from_dns(ike_cfg->get_other_addr(ike_cfg), 
+	other = host_create_from_dns(ike_cfg->get_other_addr(ike_cfg),
 								 0, IKEV2_UDP_PORT);
 	if (!other)
 	{
@@ -148,14 +148,14 @@ static u_int32_t install(private_trap_manager_t *this, peer_cfg_t *peer,
 		}
 		me->set_port(me, IKEV2_UDP_PORT);
 	}
-	
+
 	/* create and route CHILD_SA */
 	child_sa = child_sa_create(me, other, child, 0, FALSE);
 	my_ts = child->get_traffic_selectors(child, TRUE, NULL, me);
 	other_ts = child->get_traffic_selectors(child, FALSE, NULL, other);
 	me->destroy(me);
 	other->destroy(other);
-	
+
 	/* while we don't know the finally negotiated protocol (ESP|AH), we
 	 * could iterate all proposals for a best guest (TODO). But as we
 	 * support ESP only for now, we set here. */
@@ -170,17 +170,17 @@ static u_int32_t install(private_trap_manager_t *this, peer_cfg_t *peer,
 		DBG1(DBG_CFG, "installing trap failed");
 		return 0;
 	}
-	
+
 	reqid = child_sa->get_reqid(child_sa);
 	entry = malloc_thing(entry_t);
 	entry->child_sa = child_sa;
 	entry->peer_cfg = peer->get_ref(peer);
 	entry->pending = NULL;
-	
+
 	this->lock->write_lock(this->lock);
 	this->traps->insert_last(this->traps, entry);
 	this->lock->unlock(this->lock);
-	
+
 	return reqid;
 }
 
@@ -191,7 +191,7 @@ static bool uninstall(private_trap_manager_t *this, u_int32_t reqid)
 {
 	enumerator_t *enumerator;
 	entry_t *entry, *found = NULL;
-	
+
 	this->lock->write_lock(this->lock);
 	enumerator = this->traps->create_enumerator(this->traps);
 	while (enumerator->enumerate(enumerator, &entry))
@@ -205,13 +205,13 @@ static bool uninstall(private_trap_manager_t *this, u_int32_t reqid)
 	}
 	enumerator->destroy(enumerator);
 	this->lock->unlock(this->lock);
-	
+
 	if (!found)
 	{
 		DBG1(DBG_CFG, "trap %d not found to uninstall", reqid);
 		return FALSE;
 	}
-	
+
 	destroy_entry(found);
 	return TRUE;
 }
@@ -255,7 +255,7 @@ static void acquire(private_trap_manager_t *this, u_int32_t reqid,
 	peer_cfg_t *peer;
 	child_cfg_t *child;
 	ike_sa_t *ike_sa;
-	
+
 	this->lock->read_lock(this->lock);
 	enumerator = this->traps->create_enumerator(this->traps);
 	while (enumerator->enumerate(enumerator, &entry))
@@ -267,7 +267,7 @@ static void acquire(private_trap_manager_t *this, u_int32_t reqid,
 		}
 	}
 	enumerator->destroy(enumerator);
-	
+
 	if (!found)
 	{
 		DBG1(DBG_CFG, "trap not found, unable to acquire reqid %d",reqid);
@@ -303,37 +303,64 @@ static void acquire(private_trap_manager_t *this, u_int32_t reqid,
 }
 
 /**
- * Implementation of listener_t.ike_state_change
+ * Complete the acquire, if successful or failed
  */
-static bool ike_state_change(trap_listener_t *listener, ike_sa_t *ike_sa,
-							 ike_sa_state_t state)
+static void complete(private_trap_manager_t *this, ike_sa_t *ike_sa,
+					 child_sa_t *child_sa)
 {
-	private_trap_manager_t *this;
 	enumerator_t *enumerator;
 	entry_t *entry;
-	
-	switch (state)
-	{
-		case IKE_ESTABLISHED:
-		case IKE_DESTROYING:
-			break;
-		default:
-			return TRUE;
-	}
-	
-	this = listener->traps;
+
 	this->lock->read_lock(this->lock);
 	enumerator = this->traps->create_enumerator(this->traps);
 	while (enumerator->enumerate(enumerator, &entry))
 	{
-		if (entry->pending == ike_sa)
+		if (entry->pending != ike_sa)
+		{
+			continue;
+		}
+		if (child_sa && child_sa->get_reqid(child_sa) !=
+									entry->child_sa->get_reqid(entry->child_sa))
 		{
-			entry->pending = NULL;
+			continue;
 		}
+		entry->pending = NULL;
 	}
 	enumerator->destroy(enumerator);
 	this->lock->unlock(this->lock);
-	return TRUE;
+}
+
+/**
+ * Implementation of listener_t.ike_state_change
+ */
+static bool ike_state_change(trap_listener_t *listener, ike_sa_t *ike_sa,
+							 ike_sa_state_t state)
+{
+	switch (state)
+	{
+		case IKE_DESTROYING:
+			complete(listener->traps, ike_sa, NULL);
+			return TRUE;
+		default:
+			return TRUE;
+	}
+}
+
+/**
+ * Implementation of listener_t.child_state_change
+ */
+static bool child_state_change(trap_listener_t *listener, ike_sa_t *ike_sa,
+							   child_sa_t *child_sa, child_sa_state_t state)
+{
+	switch (state)
+	{
+		case CHILD_INSTALLED:
+		case CHILD_DESTROYING:
+			complete(listener->traps, ike_sa, child_sa);
+			return TRUE;
+		default:
+			return TRUE;
+	}
 }
 
 /**
@@ -354,22 +381,23 @@ static void destroy(private_trap_manager_t *this)
 trap_manager_t *trap_manager_create()
 {
 	private_trap_manager_t *this = malloc_thing(private_trap_manager_t);
-	
+
 	this->public.install = (u_int(*)(trap_manager_t*, peer_cfg_t *peer, child_cfg_t *child))install;
 	this->public.uninstall = (bool(*)(trap_manager_t*, u_int32_t id))uninstall;
 	this->public.create_enumerator = (enumerator_t*(*)(trap_manager_t*))create_enumerator;
 	this->public.acquire = (void(*)(trap_manager_t*, u_int32_t reqid, traffic_selector_t *src, traffic_selector_t *dst))acquire;
 	this->public.destroy = (void(*)(trap_manager_t*))destroy;
-	
+
 	this->traps = linked_list_create();
 	this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
-	
+
 	/* register listener for IKE state changes */
 	this->listener.traps = this;
 	memset(&this->listener.listener, 0, sizeof(listener_t));
 	this->listener.listener.ike_state_change = (void*)ike_state_change;
+	this->listener.listener.child_state_change = (void*)child_state_change;
 	charon->bus->add_listener(charon->bus, &this->listener.listener);
-	
+
 	return &this->public;
 }
 
diff --git a/src/charon/sa/trap_manager.h b/src/charon/sa/trap_manager.h
index cb6907cdc..37b42e2b0 100644
--- a/src/charon/sa/trap_manager.h
+++ b/src/charon/sa/trap_manager.h
@@ -31,7 +31,7 @@ typedef struct trap_manager_t trap_manager_t;
  * Manage policies to create SAs from traffic.
  */
 struct trap_manager_t {
-	
+
 	/**
 	 * Install a policy as a trap.
 	 *
@@ -41,7 +41,7 @@ struct trap_manager_t {
 	 */
 	u_int32_t (*install)(trap_manager_t *this, peer_cfg_t *peer,
 						 child_cfg_t *child);
-	
+
 	/**
 	 * Uninstall a trap policy.
 	 *
@@ -49,14 +49,14 @@ struct trap_manager_t {
 	 * @return			TRUE if uninstalled successfully
 	 */
 	bool (*uninstall)(trap_manager_t *this, u_int32_t reqid);
-	
+
 	/**
 	 * Create an enumerator over all installed traps.
 	 *
 	 * @return			enumerator over (peer_cfg_t, child_sa_t)
 	 */
 	enumerator_t* (*create_enumerator)(trap_manager_t *this);
-	
+
 	/**
 	 * Acquire an SA triggered by an installed trap.
 	 *
@@ -66,7 +66,7 @@ struct trap_manager_t {
 	 */
 	void (*acquire)(trap_manager_t *this, u_int32_t reqid,
 					traffic_selector_t *src, traffic_selector_t *dst);
-	
+
 	/**
 	 * Destroy a trap_manager_t.
 	 */
@@ -78,4 +78,4 @@ struct trap_manager_t {
  */
 trap_manager_t *trap_manager_create();
 
-#endif /* TRAP_MANAGER_ @}*/
+#endif /** TRAP_MANAGER_H_ @}*/
diff --git a/src/checksum/Makefile.am b/src/checksum/Makefile.am
index bd42c231f..d0413e64e 100644
--- a/src/checksum/Makefile.am
+++ b/src/checksum/Makefile.am
@@ -25,11 +25,12 @@ endif
 
 if USE_TOOLS
   libs += $(top_builddir)/src/openac/.libs/openac
+  libs += $(top_builddir)/src/pki/.libs/pki
   libs += $(top_builddir)/src/scepclient/.libs/scepclient
 endif
 
-if USE_SQL
-  libs += $(top_builddir)/src/charon/plugins/sql/.libs/pool
+if USE_ATTR_SQL
+  libs += $(top_builddir)/src/libstrongswan/plugins/attr_sql/.libs/pool
 endif
 
 checksum.c : checksum_builder $(libs)
diff --git a/src/checksum/Makefile.in b/src/checksum/Makefile.in
index 4d38df2dd..6769c2601 100644
--- a/src/checksum/Makefile.in
+++ b/src/checksum/Makefile.in
@@ -1,8 +1,9 @@
-# Makefile.in generated by automake 1.10.2 from Makefile.am.
+# Makefile.in generated by automake 1.11 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -17,8 +18,9 @@
 
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
@@ -38,24 +40,47 @@ noinst_PROGRAMS = checksum_builder$(EXEEXT)
 @USE_PLUTO_TRUE@am__append_2 = $(top_builddir)/src/pluto/.libs/pluto
 @USE_TOOLS_TRUE@am__append_3 =  \
 @USE_TOOLS_TRUE@	$(top_builddir)/src/openac/.libs/openac \
+@USE_TOOLS_TRUE@	$(top_builddir)/src/pki/.libs/pki \
 @USE_TOOLS_TRUE@	$(top_builddir)/src/scepclient/.libs/scepclient
-@USE_SQL_TRUE@am__append_4 = $(top_builddir)/src/charon/plugins/sql/.libs/pool
+@USE_ATTR_SQL_TRUE@am__append_4 = $(top_builddir)/src/libstrongswan/plugins/attr_sql/.libs/pool
 subdir = src/checksum
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
 CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
 am__vpath_adj = case $$p in \
     $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
     *) f=$$p;; \
   esac;
-am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__installdirs = "$(DESTDIR)$(ipsecdir)"
-ipsecLTLIBRARIES_INSTALL = $(INSTALL)
 LTLIBRARIES = $(ipsec_LTLIBRARIES)
 libchecksum_la_LIBADD =
 nodist_libchecksum_la_OBJECTS = checksum.lo
@@ -71,6 +96,7 @@ checksum_builder_DEPENDENCIES =  \
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
+am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
@@ -118,25 +144,22 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
-IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
-LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
-LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
-LINUX_HEADERS = @LINUX_HEADERS@
 LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
 NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
@@ -148,11 +171,14 @@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
 PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
+RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
@@ -181,9 +207,9 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
-confdir = @confdir@
 datadir = @datadir@
 datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
@@ -206,7 +232,7 @@ ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
 libstrongswan_plugins = @libstrongswan_plugins@
-linuxdir = @linuxdir@
+linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
@@ -214,6 +240,7 @@ mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
@@ -222,10 +249,12 @@ pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+random_device = @random_device@
 resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
-simreader = @simreader@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
@@ -233,6 +262,7 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 ipsec_LTLIBRARIES = libchecksum.la
@@ -262,9 +292,9 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/checksum/Makefile'; \
-	cd $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu  src/checksum/Makefile
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/checksum/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/checksum/Makefile
 .PRECIOUS: Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
@@ -282,23 +312,28 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
 install-ipsecLTLIBRARIES: $(ipsec_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
 	test -z "$(ipsecdir)" || $(MKDIR_P) "$(DESTDIR)$(ipsecdir)"
-	@list='$(ipsec_LTLIBRARIES)'; for p in $$list; do \
+	@list='$(ipsec_LTLIBRARIES)'; test -n "$(ipsecdir)" || list=; \
+	list2=; for p in $$list; do \
 	  if test -f $$p; then \
-	    f=$(am__strip_dir) \
-	    echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(ipsecLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(ipsecdir)/$$f'"; \
-	    $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(ipsecLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(ipsecdir)/$$f"; \
+	    list2="$$list2 $$p"; \
 	  else :; fi; \
-	done
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(ipsecdir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(ipsecdir)"; \
+	}
 
 uninstall-ipsecLTLIBRARIES:
 	@$(NORMAL_UNINSTALL)
-	@list='$(ipsec_LTLIBRARIES)'; for p in $$list; do \
-	  p=$(am__strip_dir) \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(ipsecdir)/$$p'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(ipsecdir)/$$p"; \
+	@list='$(ipsec_LTLIBRARIES)'; test -n "$(ipsecdir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(ipsecdir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(ipsecdir)/$$f"; \
 	done
 
 clean-ipsecLTLIBRARIES:
@@ -313,11 +348,13 @@ libchecksum.la: $(libchecksum_la_OBJECTS) $(libchecksum_la_DEPENDENCIES)
 	$(libchecksum_la_LINK) -rpath $(ipsecdir) $(libchecksum_la_OBJECTS) $(libchecksum_la_LIBADD) $(LIBS)
 
 clean-noinstPROGRAMS:
-	@list='$(noinst_PROGRAMS)'; for p in $$list; do \
-	  f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
-	  echo " rm -f $$p $$f"; \
-	  rm -f $$p $$f ; \
-	done
+	@list='$(noinst_PROGRAMS)'; test -n "$$list" || exit 0; \
+	echo " rm -f" $$list; \
+	rm -f $$list || exit $$?; \
+	test -n "$(EXEEXT)" || exit 0; \
+	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
+	echo " rm -f" $$list; \
+	rm -f $$list
 checksum_builder$(EXEEXT): $(checksum_builder_OBJECTS) $(checksum_builder_DEPENDENCIES) 
 	@rm -f checksum_builder$(EXEEXT)
 	$(LINK) $(checksum_builder_OBJECTS) $(checksum_builder_LDADD) $(LIBS)
@@ -333,21 +370,21 @@ distclean-compile:
 
 .c.o:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c $<
 
 .c.obj:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
 @am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
@@ -370,7 +407,7 @@ tags: TAGS
 
 TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
+	set x; \
 	here=`pwd`; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
@@ -378,29 +415,34 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
 	  test -n "$$unique" || unique=$$empty_fix; \
-	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	    $$tags $$unique; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
 	fi
 ctags: CTAGS
 CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	test -z "$(CTAGS_ARGS)$$unique" \
 	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$tags $$unique
+	     $$unique
 
 GTAGS:
 	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && cd $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) $$here
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
 
 distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
@@ -421,13 +463,17 @@ distdir: $(DISTFILES)
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
 	  if test -d $$d/$$file; then \
 	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
 	    fi; \
-	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
 	  else \
-	    test -f $(distdir)/$$file \
-	    || cp -p $$d/$$file $(distdir)/$$file \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
 	    || exit 1; \
 	  fi; \
 	done
@@ -461,6 +507,7 @@ clean-generic:
 
 distclean-generic:
 	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -483,6 +530,8 @@ dvi-am:
 
 html: html-am
 
+html-am:
+
 info: info-am
 
 info-am:
@@ -491,18 +540,28 @@ install-data-am: install-ipsecLTLIBRARIES
 
 install-dvi: install-dvi-am
 
+install-dvi-am:
+
 install-exec-am:
 
 install-html: install-html-am
 
+install-html-am:
+
 install-info: install-info-am
 
+install-info-am:
+
 install-man:
 
 install-pdf: install-pdf-am
 
+install-pdf-am:
+
 install-ps: install-ps-am
 
+install-ps-am:
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -525,7 +584,7 @@ ps-am:
 
 uninstall-am: uninstall-ipsecLTLIBRARIES
 
-.MAKE: install-am install-strip
+.MAKE: all check install install-am install-strip
 
 .PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
 	clean-ipsecLTLIBRARIES clean-libtool clean-noinstPROGRAMS \
@@ -545,6 +604,7 @@ uninstall-am: uninstall-ipsecLTLIBRARIES
 
 checksum.c : checksum_builder $(libs)
 		./checksum_builder $(libs) > checksum.c
+
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/src/checksum/checksum_builder.c b/src/checksum/checksum_builder.c
index a713eb526..54f4539ff 100644
--- a/src/checksum/checksum_builder.c
+++ b/src/checksum/checksum_builder.c
@@ -28,14 +28,14 @@ int main(int argc, char* argv[])
 {
 	int i;
 	integrity_checker_t *integrity;
-	
+
 	/* avoid confusing leak reports in build process */
 	setenv("LEAK_DETECTIVE_DISABLE", "1", 0);
 	library_init(NULL);
 	atexit(library_deinit);
-	
+
 	integrity = integrity_checker_create(NULL);
-	
+
 	printf("/**\n");
 	printf(" * checksums of files and loaded code segments.\n");
 	printf(" * created by %s\n", argv[0]);
@@ -55,7 +55,7 @@ int main(int argc, char* argv[])
 		size_t ssize = 0;
 
 		path = argv[i];
-		
+
 		if ((name = strstr(path, "libstrongswan-")))
 		{
 			name = strdup(name + strlen("libstrongswan-"));
@@ -89,12 +89,16 @@ int main(int argc, char* argv[])
 		{
 			name = strdup("scepclient\",");
 		}
+		else if (strstr(path, "pki"))
+		{
+			name = strdup("pki\",");
+		}
 		else
 		{
 			fprintf(stderr, "don't know how to handle '%s', ignored", path);
 			continue;
 		}
-		
+
 		fsum = integrity->build_file(integrity, path, &fsize);
 		ssum = 0;
 		if (sname)
@@ -120,7 +124,7 @@ int main(int argc, char* argv[])
 		}
 		printf("\t{\"%-20s%7u, 0x%08x, %6u, 0x%08x},\n",
 			   name, fsize, fsum, ssize, ssum);
-		fprintf(stderr, "\"%-20s%7u / 0x%08x       %6u / 0x%08x\n", 
+		fprintf(stderr, "\"%-20s%7u / 0x%08x       %6u / 0x%08x\n",
 				name, fsize, fsum, ssize, ssum);
 		free(name);
 	}
@@ -129,7 +133,7 @@ int main(int argc, char* argv[])
 	printf("int checksum_count = countof(checksums);\n");
 	printf("\n");
 	integrity->destroy(integrity);
-	
+
 	exit(0);
 }
 
diff --git a/src/dumm/Makefile.in b/src/dumm/Makefile.in
index 817e31104..8bc08e2c1 100644
--- a/src/dumm/Makefile.in
+++ b/src/dumm/Makefile.in
@@ -1,8 +1,9 @@
-# Makefile.in generated by automake 1.10.2 from Makefile.am.
+# Makefile.in generated by automake 1.11 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -17,8 +18,9 @@
 
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
@@ -37,26 +39,47 @@ ipsec_PROGRAMS = dumm$(EXEEXT) irdumm$(EXEEXT)
 subdir = src/dumm
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
 CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
 am__vpath_adj = case $$p in \
     $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
     *) f=$$p;; \
   esac;
-am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__installdirs = "$(DESTDIR)$(libdir)" "$(DESTDIR)$(ipsecdir)"
-libLTLIBRARIES_INSTALL = $(INSTALL)
 LTLIBRARIES = $(lib_LTLIBRARIES)
 libdumm_la_DEPENDENCIES =  \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la
 am_libdumm_la_OBJECTS = dumm.lo guest.lo iface.lo bridge.lo \
 	mconsole.lo cowfs.lo
 libdumm_la_OBJECTS = $(am_libdumm_la_OBJECTS)
-ipsecPROGRAMS_INSTALL = $(INSTALL_PROGRAM)
 PROGRAMS = $(ipsec_PROGRAMS)
 am_dumm_OBJECTS = main.$(OBJEXT)
 dumm_OBJECTS = $(am_dumm_OBJECTS)
@@ -68,6 +91,7 @@ irdumm_DEPENDENCIES = libdumm.la
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
+am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
@@ -115,25 +139,22 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
-IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
-LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
-LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
-LINUX_HEADERS = @LINUX_HEADERS@
 LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
 NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
@@ -145,11 +166,14 @@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
 PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
+RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
@@ -178,9 +202,9 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
-confdir = @confdir@
 datadir = @datadir@
 datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
@@ -203,7 +227,7 @@ ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
 libstrongswan_plugins = @libstrongswan_plugins@
-linuxdir = @linuxdir@
+linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
@@ -211,6 +235,7 @@ mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
@@ -219,10 +244,12 @@ pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+random_device = @random_device@
 resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
-simreader = @simreader@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
@@ -230,6 +257,7 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 EXTRA_DIST = ext/dumm.c ext/README \
@@ -263,9 +291,9 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/dumm/Makefile'; \
-	cd $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu  src/dumm/Makefile
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/dumm/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/dumm/Makefile
 .PRECIOUS: Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
@@ -283,23 +311,28 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
 install-libLTLIBRARIES: $(lib_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
 	test -z "$(libdir)" || $(MKDIR_P) "$(DESTDIR)$(libdir)"
-	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
+	@list='$(lib_LTLIBRARIES)'; test -n "$(libdir)" || list=; \
+	list2=; for p in $$list; do \
 	  if test -f $$p; then \
-	    f=$(am__strip_dir) \
-	    echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(libdir)/$$f'"; \
-	    $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(libdir)/$$f"; \
+	    list2="$$list2 $$p"; \
 	  else :; fi; \
-	done
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(libdir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(libdir)"; \
+	}
 
 uninstall-libLTLIBRARIES:
 	@$(NORMAL_UNINSTALL)
-	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
-	  p=$(am__strip_dir) \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(libdir)/$$p'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(libdir)/$$p"; \
+	@list='$(lib_LTLIBRARIES)'; test -n "$(libdir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(libdir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(libdir)/$$f"; \
 	done
 
 clean-libLTLIBRARIES:
@@ -315,31 +348,46 @@ libdumm.la: $(libdumm_la_OBJECTS) $(libdumm_la_DEPENDENCIES)
 install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
 	@$(NORMAL_INSTALL)
 	test -z "$(ipsecdir)" || $(MKDIR_P) "$(DESTDIR)$(ipsecdir)"
-	@list='$(ipsec_PROGRAMS)'; for p in $$list; do \
-	  p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
-	  if test -f $$p \
-	     || test -f $$p1 \
-	  ; then \
-	    f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \
-	   echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(ipsecPROGRAMS_INSTALL) '$$p' '$(DESTDIR)$(ipsecdir)/$$f'"; \
-	   $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(ipsecPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(ipsecdir)/$$f" || exit 1; \
-	  else :; fi; \
-	done
+	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
+	for p in $$list; do echo "$$p $$p"; done | \
+	sed 's/$(EXEEXT)$$//' | \
+	while read p p1; do if test -f $$p || test -f $$p1; \
+	  then echo "$$p"; echo "$$p"; else :; fi; \
+	done | \
+	sed -e 'p;s,.*/,,;n;h' -e 's|.*|.|' \
+	    -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \
+	sed 'N;N;N;s,\n, ,g' | \
+	$(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \
+	  { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \
+	    if ($$2 == $$4) files[d] = files[d] " " $$1; \
+	    else { print "f", $$3 "/" $$4, $$1; } } \
+	  END { for (d in files) print "f", d, files[d] }' | \
+	while read type dir files; do \
+	    if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \
+	    test -z "$$files" || { \
+	    echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(ipsecdir)$$dir'"; \
+	    $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(ipsecdir)$$dir" || exit $$?; \
+	    } \
+	; done
 
 uninstall-ipsecPROGRAMS:
 	@$(NORMAL_UNINSTALL)
-	@list='$(ipsec_PROGRAMS)'; for p in $$list; do \
-	  f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \
-	  echo " rm -f '$(DESTDIR)$(ipsecdir)/$$f'"; \
-	  rm -f "$(DESTDIR)$(ipsecdir)/$$f"; \
-	done
+	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
+	files=`for p in $$list; do echo "$$p"; done | \
+	  sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \
+	      -e 's/$$/$(EXEEXT)/' `; \
+	test -n "$$list" || exit 0; \
+	echo " ( cd '$(DESTDIR)$(ipsecdir)' && rm -f" $$files ")"; \
+	cd "$(DESTDIR)$(ipsecdir)" && rm -f $$files
 
 clean-ipsecPROGRAMS:
-	@list='$(ipsec_PROGRAMS)'; for p in $$list; do \
-	  f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
-	  echo " rm -f $$p $$f"; \
-	  rm -f $$p $$f ; \
-	done
+	@list='$(ipsec_PROGRAMS)'; test -n "$$list" || exit 0; \
+	echo " rm -f" $$list; \
+	rm -f $$list || exit $$?; \
+	test -n "$(EXEEXT)" || exit 0; \
+	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
+	echo " rm -f" $$list; \
+	rm -f $$list
 dumm$(EXEEXT): $(dumm_OBJECTS) $(dumm_DEPENDENCIES) 
 	@rm -f dumm$(EXEEXT)
 	$(LINK) $(dumm_OBJECTS) $(dumm_LDADD) $(LIBS)
@@ -364,21 +412,21 @@ distclean-compile:
 
 .c.o:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c $<
 
 .c.obj:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
 @am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
@@ -401,7 +449,7 @@ tags: TAGS
 
 TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
+	set x; \
 	here=`pwd`; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
@@ -409,29 +457,34 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
 	  test -n "$$unique" || unique=$$empty_fix; \
-	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	    $$tags $$unique; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
 	fi
 ctags: CTAGS
 CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	test -z "$(CTAGS_ARGS)$$unique" \
 	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$tags $$unique
+	     $$unique
 
 GTAGS:
 	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && cd $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) $$here
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
 
 distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
@@ -452,13 +505,17 @@ distdir: $(DISTFILES)
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
 	  if test -d $$d/$$file; then \
 	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
 	    fi; \
-	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
 	  else \
-	    test -f $(distdir)/$$file \
-	    || cp -p $$d/$$file $(distdir)/$$file \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
 	    || exit 1; \
 	  fi; \
 	done
@@ -489,6 +546,7 @@ clean-generic:
 
 distclean-generic:
 	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -510,6 +568,8 @@ dvi-am:
 
 html: html-am
 
+html-am:
+
 info: info-am
 
 info-am:
@@ -518,18 +578,28 @@ install-data-am: install-data-local install-ipsecPROGRAMS
 
 install-dvi: install-dvi-am
 
+install-dvi-am:
+
 install-exec-am: install-libLTLIBRARIES
 
 install-html: install-html-am
 
+install-html-am:
+
 install-info: install-info-am
 
+install-info-am:
+
 install-man:
 
 install-pdf: install-pdf-am
 
+install-pdf-am:
+
 install-ps: install-ps-am
 
+install-ps-am:
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -583,6 +653,7 @@ ext:	libdumm.la
 	(cd ext && $(RUBY) extconf.rb && $(MAKE))
 
 .PHONY: ext
+
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/src/dumm/bridge.c b/src/dumm/bridge.c
index 209e54fc1..592fecefd 100644
--- a/src/dumm/bridge.c
+++ b/src/dumm/bridge.c
@@ -36,7 +36,7 @@ struct private_bridge_t {
  * defined in iface.c
  */
 bool iface_control(char *name, bool up);
-	
+
 /**
  * Implementation of bridge_t.get_name.
  */
@@ -149,7 +149,7 @@ static void destroy(private_bridge_t *this)
 bridge_t *bridge_create(char *name)
 {
 	private_bridge_t *this;
-	
+
 	if (instances == 0)
 	{
 		if (br_init() != 0)
@@ -158,7 +158,7 @@ bridge_t *bridge_create(char *name)
 			return NULL;
 		}
 	}
-	
+
 	this = malloc_thing(private_bridge_t);
 	this->public.get_name = (char*(*)(bridge_t*))get_name;
 	this->public.create_iface_enumerator = (enumerator_t*(*)(bridge_t*))create_iface_enumerator;
diff --git a/src/dumm/bridge.h b/src/dumm/bridge.h
index 37b22a03e..c557de994 100644
--- a/src/dumm/bridge.h
+++ b/src/dumm/bridge.h
@@ -27,14 +27,14 @@ typedef struct bridge_t bridge_t;
  * Interface in a guest, connected to a tap device on the host.
  */
 struct bridge_t {
-	
+
 	/**
 	 * Get the name of the bridge.
 	 *
 	 * @return			name of the bridge
 	 */
 	char* (*get_name)(bridge_t *this);
-	
+
 	/**
 	 * Add an interface to a bridge.
 	 *
@@ -42,7 +42,7 @@ struct bridge_t {
 	 * @return			TRUE if interface added
 	 */
 	bool (*connect_iface)(bridge_t *this, iface_t *iface);
-	
+
 	/**
 	 * Remove an interface from a bridge.
 	 *
@@ -50,14 +50,14 @@ struct bridge_t {
 	 * @return			TRUE if interface removed
 	 */
 	bool (*disconnect_iface)(bridge_t *this, iface_t *iface);
-	
+
 	/**
 	 * Create an enumerator over all interfaces.
 	 *
 	 * @return 			enumerator over iface_t's
 	 */
-	enumerator_t* (*create_iface_enumerator)(bridge_t *this);	
-	
+	enumerator_t* (*create_iface_enumerator)(bridge_t *this);
+
 	/**
 	 * Destroy a bridge
 	 */
diff --git a/src/dumm/cowfs.c b/src/dumm/cowfs.c
index 69f008976..f7b6b0cf3 100644
--- a/src/dumm/cowfs.c
+++ b/src/dumm/cowfs.c
@@ -29,12 +29,12 @@
 #include <dirent.h>
 #include <errno.h>
 #include <sys/time.h>
-#include <pthread.h>
 
 #include "cowfs.h"
 
 #include <library.h>
 #include <debug.h>
+#include <threading/thread.h>
 
 /** define _XOPEN_SOURCE 500 fails when using libstrongswan, define popen */
 extern ssize_t pread(int fd, void *buf, size_t count, off_t offset);
@@ -64,7 +64,7 @@ struct private_cowfs_t {
 	/** optional COW overlay */
 	int over_fd;
 	/** thread processing FUSE */
-	pthread_t thread;
+	thread_t *thread;
 };
 
 /**
@@ -96,7 +96,7 @@ static void rel(const char **path)
 static int get_rd(const char *path)
 {
 	private_cowfs_t *this = get_this();
-	
+
 	if (this->over_fd > 0 && faccessat(this->over_fd, path, F_OK, 0) == 0)
 	{
 		return this->over_fd;
@@ -130,7 +130,7 @@ static bool clone_path(int rd, int wr, const char *path)
 	struct stat st;
 	full = strdupa(path);
 	pos = full;
-	
+
 	while ((pos = strchr(pos, '/')))
 	{
 		*pos = '\0';
@@ -162,10 +162,10 @@ static int copy(const char *path)
 	int rd, wr;
 	int from, to;
 	struct stat st;
-	
+
 	rd = get_rd(path);
 	wr = get_wr(path);
-	
+
 	if (rd == wr)
 	{
 		/* already writeable */
@@ -223,7 +223,7 @@ static int copy(const char *path)
 static int cowfs_getattr(const char *path, struct stat *stbuf)
 {
 	rel(&path);
-	
+
 	if (fstatat(get_rd(path), path, stbuf, AT_SYMLINK_NOFOLLOW) < 0)
 	{
 		return -errno;
@@ -237,7 +237,7 @@ static int cowfs_getattr(const char *path, struct stat *stbuf)
 static int cowfs_access(const char *path, int mask)
 {
 	rel(&path);
-	
+
 	if (faccessat(get_rd(path), path, mask, 0) < 0)
 	{
 		return -errno;
@@ -251,9 +251,9 @@ static int cowfs_access(const char *path, int mask)
 static int cowfs_readlink(const char *path, char *buf, size_t size)
 {
 	int res;
-	
+
 	rel(&path);
-	
+
 	res = readlinkat(get_rd(path), path, buf, size - 1);
 	if (res < 0)
 	{
@@ -269,16 +269,16 @@ static int cowfs_readlink(const char *path, char *buf, size_t size)
 static DIR* get_dir(char *dir, const char *subdir)
 {
 	char *full;
-	
+
 	if (dir == NULL)
 	{
 		return NULL;
 	}
-	
+
 	full = alloca(strlen(dir) + strlen(subdir) + 1);
 	strcpy(full, dir);
 	strcat(full, subdir);
-	
+
 	return opendir(full);
 }
 
@@ -290,7 +290,7 @@ static bool contains_dir(DIR *d, char *dirname)
 	if (d)
 	{
 		struct dirent *ent;
-		
+
 		rewinddir(d);
 		while ((ent = readdir(d)))
 		{
@@ -313,13 +313,13 @@ static int cowfs_readdir(const char *path, void *buf, fuse_fill_dir_t filler,
 	DIR *d1, *d2, *d3;
 	struct stat st;
 	struct dirent *ent;
-	
+
 	memset(&st, 0, sizeof(st));
-	
+
 	d1 = get_dir(this->master, path);
 	d2 = get_dir(this->host, path);
 	d3 = get_dir(this->over, path);
-	
+
 	if (d1)
 	{
 		while ((ent = readdir(d1)))
@@ -369,13 +369,13 @@ static int cowfs_mknod(const char *path, mode_t mode, dev_t rdev)
 {
 	int fd;
 	rel(&path);
-	
+
 	fd = get_wr(path);
 	if (!clone_path(get_rd(path), fd, path))
 	{
 		return -errno;
 	}
-	
+
 	if (mknodat(fd, path, mode, rdev) < 0)
 	{
 		return -errno;
@@ -390,7 +390,7 @@ static int cowfs_mkdir(const char *path, mode_t mode)
 {
 	int fd;
 	rel(&path);
-	
+
 	fd = get_wr(path);
 	if (!clone_path(get_rd(path), fd, path))
 	{
@@ -409,7 +409,7 @@ static int cowfs_mkdir(const char *path, mode_t mode)
 static int cowfs_unlink(const char *path)
 {
 	rel(&path);
-	
+
 	/* TODO: whiteout master */
 	if (unlinkat(get_wr(path), path, 0) < 0)
 	{
@@ -424,7 +424,7 @@ static int cowfs_unlink(const char *path)
 static int cowfs_rmdir(const char *path)
 {
 	rel(&path);
-	
+
 	/* TODO: whiteout master */
 	if (unlinkat(get_wr(path), path, AT_REMOVEDIR) < 0)
 	{
@@ -440,10 +440,10 @@ static int cowfs_symlink(const char *from, const char *to)
 {
 	int fd;
 	const char *fromrel = from;
-	
+
 	rel(&to);
 	rel(&fromrel);
-	
+
 	fd = get_wr(to);
 	if (!clone_path(get_rd(fromrel), fd, fromrel))
 	{
@@ -462,10 +462,10 @@ static int cowfs_symlink(const char *from, const char *to)
 static int cowfs_rename(const char *from, const char *to)
 {
 	int fd;
-	
+
 	rel(&from);
 	rel(&to);
-	
+
 	fd = copy(from);
 	if (fd < 0)
 	{
@@ -484,13 +484,13 @@ static int cowfs_rename(const char *from, const char *to)
 static int cowfs_link(const char *from, const char *to)
 {
 	int rd, wr;
-	
+
 	rel(&from);
 	rel(&to);
-	
+
 	rd = get_rd(from);
 	wr = get_wr(to);
-	
+
 	if (!clone_path(rd, wr, to))
 	{
 		DBG1("cloning path '%s' failed", to);
@@ -511,7 +511,7 @@ static int cowfs_chmod(const char *path, mode_t mode)
 {
 	int fd;
 	struct stat st;
-	
+
 	rel(&path);
 	fd = get_rd(path);
 	if (fstatat(fd, path, &st, 0) < 0)
@@ -541,7 +541,7 @@ static int cowfs_chown(const char *path, uid_t uid, gid_t gid)
 {
 	int fd;
 	struct stat st;
-	
+
 	rel(&path);
 	fd = get_rd(path);
 	if (fstatat(fd, path, &st, 0) < 0)
@@ -571,7 +571,7 @@ static int cowfs_truncate(const char *path, off_t size)
 {
 	int fd;
 	struct stat st;
-	
+
 	rel(&path);
 	fd = get_rd(path);
 	if (fstatat(fd, path, &st, 0) < 0)
@@ -608,19 +608,19 @@ static int cowfs_utimens(const char *path, const struct timespec ts[2])
 {
 	struct timeval tv[2];
 	int fd;
-	
+
 	rel(&path);
 	fd = copy(path);
 	if (fd < 0)
 	{
 		return -errno;
 	}
-	
+
 	tv[0].tv_sec = ts[0].tv_sec;
 	tv[0].tv_usec = ts[0].tv_nsec / 1000;
 	tv[1].tv_sec = ts[1].tv_sec;
 	tv[1].tv_usec = ts[1].tv_nsec / 1000;
-	
+
 	if (futimesat(fd, path, tv) < 0)
 	{
 		return -errno;
@@ -634,10 +634,10 @@ static int cowfs_utimens(const char *path, const struct timespec ts[2])
 static int cowfs_open(const char *path, struct fuse_file_info *fi)
 {
 	int fd;
-	
+
 	rel(&path);
 	fd = get_rd(path);
-	
+
 	fd = openat(fd, path, fi->flags);
 	if (fd < 0)
 	{
@@ -654,17 +654,17 @@ static int cowfs_read(const char *path, char *buf, size_t size, off_t offset,
 					  struct fuse_file_info *fi)
 {
 	int file, fd, res;
-	
+
 	rel(&path);
-	
+
 	fd = get_rd(path);
-	
+
 	file = openat(fd, path, O_RDONLY);
 	if (file < 0)
 	{
 		return -errno;
 	}
-	
+
 	res = pread(file, buf, size, offset);
 	if (res < 0)
 	{
@@ -681,9 +681,9 @@ static int cowfs_write(const char *path, const char *buf, size_t size,
 					   off_t offset, struct fuse_file_info *fi)
 {
 	int file, fd, res;
-	
+
 	rel(&path);
-	
+
 	fd = copy(path);
 	if (fd < 0)
 	{
@@ -709,25 +709,25 @@ static int cowfs_write(const char *path, const char *buf, size_t size,
 static int cowfs_statfs(const char *path, struct statvfs *stbuf)
 {
 	int fd;
-	
+
 	fd = get_rd(path);
 	if (fstatvfs(fd, stbuf) < 0)
 	{
 		return -errno;
 	}
-	
+
 	return 0;
 }
 
-/** 
+/**
  * FUSE init method
  */
 static void *cowfs_init(struct fuse_conn_info *conn)
 {
 	struct fuse_context *ctx;
-	
+
 	ctx = fuse_get_context();
-	
+
 	return ctx->private_data;
 }
 
@@ -792,7 +792,7 @@ static void destroy(private_cowfs_t *this)
 {
 	fuse_exit(this->fuse);
 	fuse_unmount(this->mount, this->chan);
-	pthread_join(this->thread, NULL);
+	this->thread->join(this->thread);
 	fuse_destroy(this->fuse);
 	free(this->mount);
 	free(this->master);
@@ -814,10 +814,10 @@ cowfs_t *cowfs_create(char *master, char *host, char *mount)
 {
 	struct fuse_args args = {0, NULL, 0};
 	private_cowfs_t *this = malloc_thing(private_cowfs_t);
-	
+
 	this->public.set_overlay = (bool(*)(cowfs_t*, char *path))set_overlay;
 	this->public.destroy = (void(*)(cowfs_t*))destroy;
-	
+
 	this->master_fd = open(master, O_RDONLY | O_DIRECTORY);
 	if (this->master_fd < 0)
 	{
@@ -834,7 +834,7 @@ cowfs_t *cowfs_create(char *master, char *host, char *mount)
 		return NULL;
 	}
 	this->over_fd = -1;
-	
+
 	this->chan = fuse_mount(mount, &args);
 	if (this->chan == NULL)
 	{
@@ -844,7 +844,7 @@ cowfs_t *cowfs_create(char *master, char *host, char *mount)
 		free(this);
 		return NULL;
 	}
-	
+
 	this->fuse = fuse_new(this->chan, &args, &cowfs_operations,
 						  sizeof(cowfs_operations), this);
 	if (this->fuse == NULL)
@@ -856,13 +856,14 @@ cowfs_t *cowfs_create(char *master, char *host, char *mount)
 		free(this);
 		return NULL;
 	}
-	
+
 	this->mount = strdup(mount);
 	this->master = strdup(master);
 	this->host = strdup(host);
 	this->over = NULL;
-	
-	if (pthread_create(&this->thread, NULL, (void*)fuse_loop, this->fuse) != 0)
+
+	this->thread = thread_create((thread_main_t)fuse_loop, this->fuse);
+	if (!this->thread)
 	{
 		DBG1("creating thread to handle FUSE failed");
 		fuse_unmount(mount, this->chan);
@@ -874,7 +875,7 @@ cowfs_t *cowfs_create(char *master, char *host, char *mount)
 		free(this);
 		return NULL;
 	}
-	
+
 	return &this->public;
 }
 
diff --git a/src/dumm/cowfs.h b/src/dumm/cowfs.h
index bb589f158..d430597a8 100644
--- a/src/dumm/cowfs.h
+++ b/src/dumm/cowfs.h
@@ -25,7 +25,7 @@ typedef struct cowfs_t cowfs_t;
  *
  */
 struct cowfs_t {
-	
+
 	/**
 	 * Set an additional copy on write overlay.
 	 *
@@ -33,7 +33,7 @@ struct cowfs_t {
 	 * @return 			FALSE if failed
 	 */
 	bool (*set_overlay)(cowfs_t *this, char *path);
-	
+
 	/**
 	 * Stop, umount and destroy a cowfs FUSE filesystem.
 	 */
diff --git a/src/dumm/dumm.c b/src/dumm/dumm.c
index 2cb1235e1..0e8ab43f3 100644
--- a/src/dumm/dumm.c
+++ b/src/dumm/dumm.c
@@ -52,11 +52,11 @@ struct private_dumm_t {
 /**
  * Implementation of dumm_t.create_guest.
  */
-static guest_t* create_guest(private_dumm_t *this, char *name, char *kernel, 
+static guest_t* create_guest(private_dumm_t *this, char *name, char *kernel,
 							 char *master, char *args)
 {
 	guest_t *guest;
-	
+
 	guest = guest_create(this->guest_dir, name, kernel, master, args);
 	if (guest)
 	{
@@ -82,7 +82,7 @@ static void delete_guest(private_dumm_t *this, guest_t *guest)
 	{
 		char buf[512];
 		int len;
-		
+
 		len = snprintf(buf, sizeof(buf), "rm -Rf %s/%s",
 					   this->guest_dir, guest->get_name(guest));
 		guest->destroy(guest);
@@ -99,7 +99,7 @@ static void delete_guest(private_dumm_t *this, guest_t *guest)
 static bridge_t* create_bridge(private_dumm_t *this, char *name)
 {
 	bridge_t *bridge;
-	
+
 	bridge = bridge_create(name);
 	if (bridge)
 	{
@@ -128,16 +128,16 @@ static void delete_bridge(private_dumm_t *this, bridge_t *bridge)
 }
 
 /**
- * disable the currently enabled template 
+ * disable the currently enabled template
  */
 static void clear_template(private_dumm_t *this)
 {
 	enumerator_t *enumerator;
 	guest_t *guest;
-	
+
 	free(this->template);
 	this->template = NULL;
-	
+
 	enumerator = this->guests->create_enumerator(this->guests);
 	while (enumerator->enumerate(enumerator, (void**)&guest))
 	{
@@ -153,9 +153,9 @@ static bool load_template(private_dumm_t *this, char *dir)
 {
 	enumerator_t *enumerator;
 	guest_t *guest;
-	
+
 	clear_template(this);
-	
+
 	if (dir == NULL)
 	{
 		return TRUE;
@@ -165,7 +165,7 @@ static bool load_template(private_dumm_t *this, char *dir)
 		DBG1("template directory string '%s' is too long", dir);
 		return FALSE;
 	}
-	
+
 	if (asprintf(&this->template, "%s/%s", TEMPLATE_DIR, dir) < 0)
 	{
 		this->template = NULL;
@@ -210,7 +210,7 @@ static bool template_enumerate(template_enumerator_t *this, char **template)
 {
 	struct stat st;
 	char *rel;
-	
+
 	while (this->inner->enumerate(this->inner, &rel, NULL, &st))
 	{
 		if (S_ISDIR(st.st_mode) && *rel != '.')
@@ -237,12 +237,12 @@ static void template_enumerator_destroy(template_enumerator_t *this)
 static enumerator_t* create_template_enumerator(private_dumm_t *this)
 {
 	template_enumerator_t *enumerator;
-	
+
 	enumerator = malloc_thing(template_enumerator_t);
 	enumerator->public.enumerate = (void*)template_enumerate;
 	enumerator->public.destroy = (void*)template_enumerator_destroy;
 	enumerator->inner = enumerator_create_directory(TEMPLATE_DIR);
-	
+
 	return &enumerator->public;
 }
 
@@ -253,16 +253,16 @@ static void destroy(private_dumm_t *this)
 {
 	enumerator_t *enumerator;
 	guest_t *guest;
-	
+
 	this->bridges->destroy_offset(this->bridges, offsetof(bridge_t, destroy));
-	
+
 	enumerator = this->guests->create_enumerator(this->guests);
 	while (enumerator->enumerate(enumerator, (void**)&guest))
 	{
 		guest->stop(guest, NULL);
 	}
 	enumerator->destroy(enumerator);
-	
+
 	while (this->guests->remove_last(this->guests, (void**)&guest) == SUCCESS)
 	{
 		guest->destroy(guest);
@@ -282,13 +282,13 @@ static void load_guests(private_dumm_t *this)
 	DIR *dir;
 	struct dirent *ent;
 	guest_t *guest;
-	
+
 	dir = opendir(this->guest_dir);
 	if (dir == NULL)
 	{
 		return;
 	}
-	
+
 	while ((ent = readdir(dir)))
 	{
 		if (*ent->d_name == '.')
@@ -315,7 +315,7 @@ dumm_t *dumm_create(char *dir)
 {
 	char cwd[PATH_MAX];
 	private_dumm_t *this = malloc_thing(private_dumm_t);
-	
+
 	this->public.create_guest = (guest_t*(*)(dumm_t*,char*,char*,char*,char*))create_guest;
 	this->public.create_guest_enumerator = (enumerator_t*(*)(dumm_t*))create_guest_enumerator;
 	this->public.delete_guest = (void(*)(dumm_t*,guest_t*))delete_guest;
@@ -325,7 +325,7 @@ dumm_t *dumm_create(char *dir)
 	this->public.load_template = (bool(*)(dumm_t*, char *name))load_template;
 	this->public.create_template_enumerator = (enumerator_t*(*)(dumm_t*))create_template_enumerator;
 	this->public.destroy = (void(*)(dumm_t*))destroy;
-	
+
 	if (dir && *dir == '/')
 	{
 		this->dir = strdup(dir);
@@ -356,7 +356,7 @@ dumm_t *dumm_create(char *dir)
 	}
 	this->guests = linked_list_create();
 	this->bridges = linked_list_create();
-	
+
 	if (this->dir == NULL || this->guest_dir == NULL ||
 		(mkdir(this->guest_dir, PERME) < 0 && errno != EEXIST))
 	{
@@ -364,7 +364,7 @@ dumm_t *dumm_create(char *dir)
 		destroy(this);
 		return NULL;
 	}
-	
+
 	load_guests(this);
 	return &this->public;
 }
diff --git a/src/dumm/dumm.h b/src/dumm/dumm.h
index 5f2e0542a..54c3fbc03 100644
--- a/src/dumm/dumm.h
+++ b/src/dumm/dumm.h
@@ -43,23 +43,23 @@ struct dumm_t {
 	 * @param args		additional args to pass to kernel
 	 * @return			guest if started, NULL if failed
 	 */
-	guest_t* (*create_guest) (dumm_t *this, char *name, char *kernel, 
+	guest_t* (*create_guest) (dumm_t *this, char *name, char *kernel,
 							  char *master, char *args);
-	
+
 	/**
 	 * Create an enumerator over all guests.
 	 *
 	 * @return			enumerator over guest_t's
 	 */
 	enumerator_t* (*create_guest_enumerator) (dumm_t *this);
-	
+
 	/**
 	 * Delete a guest from disk.
 	 *
 	 * @param guest		guest to destroy
 	 */
 	void (*delete_guest) (dumm_t *this, guest_t *guest);
-	
+
 	/**
 	 * Create a new bridge.
 	 *
@@ -67,21 +67,21 @@ struct dumm_t {
 	 * @return			created bridge
 	 */
 	bridge_t* (*create_bridge)(dumm_t *this, char *name);
-	
+
 	/**
 	 * Create an enumerator over all bridges.
 	 *
 	 * @return			enumerator over bridge_t's
 	 */
 	enumerator_t* (*create_bridge_enumerator)(dumm_t *this);
-	
+
 	/**
 	 * Delete a bridge.
 	 *
 	 * @param bridge	bridge to destroy
 	 */
 	void (*delete_bridge) (dumm_t *this, bridge_t *bridge);
-	
+
 	/**
 	 * Loads a template, create a new one if it does not exist.
 	 *
@@ -89,14 +89,14 @@ struct dumm_t {
 	 * @return			FALSE if load/create failed
 	 */
 	bool (*load_template)(dumm_t *this, char *dir);
-	
+
 	/**
 	 * Create an enumerator over all available templates.
 	 *
 	 * @return			enumerator over char*
 	 */
 	enumerator_t* (*create_template_enumerator)(dumm_t *this);
-	
+
 	/**
 	 * stop all guests and destroy the modeler
 	 */
diff --git a/src/dumm/ext/dumm.c b/src/dumm/ext/dumm.c
index f7caf252d..230e8ae68 100644
--- a/src/dumm/ext/dumm.c
+++ b/src/dumm/ext/dumm.c
@@ -29,6 +29,7 @@
 #undef PACKAGE_VERSION
 #undef PACKAGE_STRING
 #undef PACKAGE_BUGREPORT
+#undef PACKAGE_URL
 #include <ruby.h>
 
 static dumm_t *dumm;
@@ -45,7 +46,7 @@ static VALUE rbc_template;
 static pid_t invoke(void *null, guest_t *guest, char *args[], int argc)
 {
 	pid_t pid;
-	
+
 	pid = fork();
 	switch (pid)
 	{
@@ -71,7 +72,7 @@ static void sigchld_handler(int signal, siginfo_t *info, void* ptr)
 {
 	enumerator_t *enumerator;
 	guest_t *guest;
-	
+
 	enumerator = dumm->create_guest_enumerator(dumm);
 	while (enumerator->enumerate(enumerator, &guest))
 	{
@@ -91,7 +92,7 @@ static VALUE guest_find(VALUE class, VALUE key)
 {
 	enumerator_t *enumerator;
 	guest_t *guest, *found = NULL;
-	
+
 	if (TYPE(key) == T_SYMBOL)
 	{
 		key = rb_convert_type(key, T_STRING, "String", "to_s");
@@ -128,7 +129,7 @@ static VALUE guest_each(int argc, VALUE *argv, VALUE class)
 	linked_list_t *list;
 	enumerator_t *enumerator;
 	guest_t *guest;
-	
+
 	if (!rb_block_given_p())
 	{
 		rb_raise(rb_eArgError, "must be called with a block");
@@ -152,7 +153,7 @@ static VALUE guest_new(VALUE class, VALUE name, VALUE kernel,
 					   VALUE master, VALUE args)
 {
 	guest_t *guest;
-	
+
 	guest = dumm->create_guest(dumm, StringValuePtr(name), StringValuePtr(kernel),
 							   StringValuePtr(master), StringValuePtr(args));
 	if (!guest)
@@ -165,7 +166,7 @@ static VALUE guest_new(VALUE class, VALUE name, VALUE kernel,
 static VALUE guest_to_s(VALUE self)
 {
 	guest_t *guest;
-	
+
 	Data_Get_Struct(self, guest_t, guest);
 	return rb_str_new2(guest->get_name(guest));
 }
@@ -173,9 +174,9 @@ static VALUE guest_to_s(VALUE self)
 static VALUE guest_start(VALUE self)
 {
 	guest_t *guest;
-	
+
 	Data_Get_Struct(self, guest_t, guest);
-	
+
 	if (!guest->start(guest, invoke, NULL, NULL))
 	{
 		rb_raise(rb_eRuntimeError, "starting guest failed");
@@ -186,7 +187,7 @@ static VALUE guest_start(VALUE self)
 static VALUE guest_stop(VALUE self)
 {
 	guest_t *guest;
-	
+
 	Data_Get_Struct(self, guest_t, guest);
 	guest->stop(guest, NULL);
 	return self;
@@ -195,7 +196,7 @@ static VALUE guest_stop(VALUE self)
 static VALUE guest_running(VALUE self)
 {
 	guest_t *guest;
-	
+
 	Data_Get_Struct(self, guest_t, guest);
 	return guest->get_pid(guest) ? Qtrue : Qfalse;
 }
@@ -210,7 +211,7 @@ static VALUE guest_exec(VALUE self, VALUE cmd)
 	guest_t *guest;
 	bool block;
 	int ret;
-	
+
 	block = rb_block_given_p();
 	Data_Get_Struct(self, guest_t, guest);
 	if ((ret = guest->exec_str(guest, block ? (void*)exec_cb : NULL, TRUE, NULL,
@@ -226,7 +227,7 @@ static VALUE guest_mconsole(VALUE self, VALUE cmd)
 	guest_t *guest;
 	bool block;
 	int ret;
-	
+
 	block = rb_block_given_p();
 	Data_Get_Struct(self, guest_t, guest);
 	if ((ret = guest->exec_str(guest, block ? (void*)exec_cb : NULL, TRUE, NULL,
@@ -241,7 +242,7 @@ static VALUE guest_add_iface(VALUE self, VALUE name)
 {
 	guest_t *guest;
 	iface_t *iface;
-	
+
 	Data_Get_Struct(self, guest_t, guest);
 	iface = guest->create_iface(guest, StringValuePtr(name));
 	if (!iface)
@@ -256,7 +257,7 @@ static VALUE guest_find_iface(VALUE self, VALUE key)
 	enumerator_t *enumerator;
 	iface_t *iface, *found = NULL;
 	guest_t *guest;
-	
+
 	if (TYPE(key) == T_SYMBOL)
 	{
 		key = rb_convert_type(key, T_STRING, "String", "to_s");
@@ -295,7 +296,7 @@ static VALUE guest_each_iface(int argc, VALUE *argv, VALUE self)
 	linked_list_t *list;
 	guest_t *guest;
 	iface_t *iface;
-	
+
 	if (!rb_block_given_p())
 	{
 		rb_raise(rb_eArgError, "must be called with a block");
@@ -319,7 +320,7 @@ static VALUE guest_each_iface(int argc, VALUE *argv, VALUE self)
 static VALUE guest_delete(VALUE self)
 {
 	guest_t *guest;
-	
+
 	Data_Get_Struct(self, guest_t, guest);
 	if (guest->get_pid(guest))
 	{
@@ -334,13 +335,13 @@ static void guest_init()
 	rbc_guest = rb_define_class_under(rbm_dumm , "Guest", rb_cObject);
 	rb_include_module(rb_class_of(rbc_guest), rb_mEnumerable);
 	rb_include_module(rbc_guest, rb_mEnumerable);
-	
+
 	rb_define_singleton_method(rbc_guest, "[]", guest_get, 1);
 	rb_define_singleton_method(rbc_guest, "each", guest_each, -1);
 	rb_define_singleton_method(rbc_guest, "new", guest_new, 4);
 	rb_define_singleton_method(rbc_guest, "include?", guest_find, 1);
 	rb_define_singleton_method(rbc_guest, "guest?", guest_find, 1);
-	
+
 	rb_define_method(rbc_guest, "to_s", guest_to_s, 0);
 	rb_define_method(rbc_guest, "start", guest_start, 0);
 	rb_define_method(rbc_guest, "stop", guest_stop, 0);
@@ -362,7 +363,7 @@ static VALUE bridge_find(VALUE class, VALUE key)
 {
 	enumerator_t *enumerator;
 	bridge_t *bridge, *found = NULL;
-	
+
 	if (TYPE(key) == T_SYMBOL)
 	{
 		key = rb_convert_type(key, T_STRING, "String", "to_s");
@@ -399,7 +400,7 @@ static VALUE bridge_each(int argc, VALUE *argv, VALUE class)
 	enumerator_t *enumerator;
 	linked_list_t *list;
 	bridge_t *bridge;
-	
+
 	if (!rb_block_given_p())
 	{
 		rb_raise(rb_eArgError, "must be called with a block");
@@ -423,7 +424,7 @@ static VALUE bridge_new(VALUE class, VALUE name)
 
 {
 	bridge_t *bridge;
-	
+
 	bridge = dumm->create_bridge(dumm, StringValuePtr(name));
 	if (!bridge)
 	{
@@ -435,7 +436,7 @@ static VALUE bridge_new(VALUE class, VALUE name)
 static VALUE bridge_to_s(VALUE self)
 {
 	bridge_t *bridge;
-	
+
 	Data_Get_Struct(self, bridge_t, bridge);
 	return rb_str_new2(bridge->get_name(bridge));
 }
@@ -446,7 +447,7 @@ static VALUE bridge_each_iface(int argc, VALUE *argv, VALUE self)
 	linked_list_t *list;
 	bridge_t *bridge;
 	iface_t *iface;
-	
+
 	if (!rb_block_given_p())
 	{
 		rb_raise(rb_eArgError, "must be called with a block");
@@ -470,7 +471,7 @@ static VALUE bridge_each_iface(int argc, VALUE *argv, VALUE self)
 static VALUE bridge_delete(VALUE self)
 {
 	bridge_t *bridge;
-	
+
 	Data_Get_Struct(self, bridge_t, bridge);
 	dumm->delete_bridge(dumm, bridge);
 	return Qnil;
@@ -481,13 +482,13 @@ static void bridge_init()
 	rbc_bridge = rb_define_class_under(rbm_dumm , "Bridge", rb_cObject);
 	rb_include_module(rb_class_of(rbc_bridge), rb_mEnumerable);
 	rb_include_module(rbc_bridge, rb_mEnumerable);
-	
+
 	rb_define_singleton_method(rbc_bridge, "[]", bridge_get, 1);
 	rb_define_singleton_method(rbc_bridge, "each", bridge_each, -1);
 	rb_define_singleton_method(rbc_bridge, "new", bridge_new, 1);
 	rb_define_singleton_method(rbc_bridge, "include?", bridge_find, 1);
 	rb_define_singleton_method(rbc_bridge, "bridge?", bridge_find, 1);
-	
+
 	rb_define_method(rbc_bridge, "to_s", bridge_to_s, 0);
 	rb_define_method(rbc_bridge, "each", bridge_each_iface, -1);
 	rb_define_method(rbc_bridge, "delete", bridge_delete, 0);
@@ -499,7 +500,7 @@ static void bridge_init()
 static VALUE iface_to_s(VALUE self)
 {
 	iface_t *iface;
-	
+
 	Data_Get_Struct(self, iface_t, iface);
 	return rb_str_new2(iface->get_hostif(iface));
 }
@@ -508,7 +509,7 @@ static VALUE iface_connect(VALUE self, VALUE vbridge)
 {
 	iface_t *iface;
 	bridge_t *bridge;
-	
+
 	Data_Get_Struct(self, iface_t, iface);
 	Data_Get_Struct(vbridge, bridge_t, bridge);
 	if (!bridge->connect_iface(bridge, iface))
@@ -522,7 +523,7 @@ static VALUE iface_disconnect(VALUE self)
 {
 	iface_t *iface;
 	bridge_t *bridge;
-	
+
 	Data_Get_Struct(self, iface_t, iface);
 	bridge = iface->get_bridge(iface);
 	if (!bridge || !bridge->disconnect_iface(bridge, iface))
@@ -536,7 +537,7 @@ static VALUE iface_add_addr(VALUE self, VALUE name)
 {
 	iface_t *iface;
 	host_t *addr;
-	
+
 	addr = host_create_from_string(StringValuePtr(name), 0);
 	if (!addr)
 	{
@@ -563,7 +564,7 @@ static VALUE iface_each_addr(int argc, VALUE *argv, VALUE self)
 	iface_t *iface;
 	host_t *addr;
 	char buf[64];
-	
+
 	if (!rb_block_given_p())
 	{
 		rb_raise(rb_eArgError, "must be called with a block");
@@ -589,7 +590,7 @@ static VALUE iface_del_addr(VALUE self, VALUE vaddr)
 {
 	iface_t *iface;
 	host_t *addr;
-	
+
 	addr = host_create_from_string(StringValuePtr(vaddr), 0);
 	if (!addr)
 	{
@@ -613,7 +614,7 @@ static VALUE iface_delete(VALUE self)
 {
 	guest_t *guest;
 	iface_t *iface;
-	
+
 	Data_Get_Struct(self, iface_t, iface);
 	guest = iface->get_guest(iface);
 	guest->destroy_iface(guest, iface);
@@ -624,7 +625,7 @@ static void iface_init()
 {
 	rbc_iface = rb_define_class_under(rbm_dumm , "Iface", rb_cObject);
 	rb_include_module(rbc_iface, rb_mEnumerable);
-	
+
 	rb_define_method(rbc_iface, "to_s", iface_to_s, 0);
 	rb_define_method(rbc_iface, "connect", iface_connect, 1);
 	rb_define_method(rbc_iface, "disconnect", iface_disconnect, 0);
@@ -656,7 +657,7 @@ static VALUE template_each(int argc, VALUE *argv, VALUE class)
 {
 	enumerator_t *enumerator;
 	char *template;
-	
+
 	if (!rb_block_given_p())
 	{
 		rb_raise(rb_eArgError, "must be called with a block");
@@ -673,7 +674,7 @@ static VALUE template_each(int argc, VALUE *argv, VALUE class)
 static void template_init()
 {
 	rbc_template = rb_define_class_under(rbm_dumm , "Template", rb_cObject);
-	
+
 	rb_define_singleton_method(rbc_template, "load", template_load, 1);
 	rb_define_singleton_method(rbc_template, "unload", template_unload, 0);
 	rb_define_singleton_method(rbc_template, "each", template_each, -1);
@@ -685,14 +686,14 @@ static void template_init()
 void Final_dumm()
 {
 	struct sigaction action;
-	
+
 	dumm->destroy(dumm);
-	
+
 	sigemptyset(&action.sa_mask);
 	action.sa_handler = SIG_DFL;
 	action.sa_flags = 0;
 	sigaction(SIGCHLD, &action, NULL);
-	
+
 	library_deinit();
 }
 
@@ -702,25 +703,25 @@ void Final_dumm()
 void Init_dumm()
 {
 	struct sigaction action;
-	
+
 	/* there are too many to report, rubyruby... */
 	setenv("LEAK_DETECTIVE_DISABLE", "1", 1);
-	
+
 	library_init(NULL);
-	
+
 	dumm = dumm_create(NULL);
-	
+
 	rbm_dumm = rb_define_module("Dumm");
-	
+
 	guest_init();
 	bridge_init();
 	iface_init();
 	template_init();
-	
+
 	sigemptyset(&action.sa_mask);
 	action.sa_sigaction = sigchld_handler;
 	action.sa_flags = SA_SIGINFO;
 	sigaction(SIGCHLD, &action, NULL);
-	
+
 	rb_set_end_proc(Final_dumm, 0);
 }
diff --git a/src/dumm/guest.c b/src/dumm/guest.c
index 969a2a99d..112adb441 100644
--- a/src/dumm/guest.c
+++ b/src/dumm/guest.c
@@ -97,13 +97,13 @@ static iface_t* create_iface(private_guest_t *this, char *name)
 {
 	enumerator_t *enumerator;
 	iface_t *iface;
-	
+
 	if (this->state != GUEST_RUNNING)
 	{
 		DBG1("guest '%s' not running, unable to add interface", this->name);
 		return NULL;
 	}
-	
+
 	enumerator = this->ifaces->create_enumerator(this->ifaces);
 	while (enumerator->enumerate(enumerator, (void**)&iface))
 	{
@@ -131,7 +131,7 @@ static void destroy_iface(private_guest_t *this, iface_t *iface)
 {
 	enumerator_t *enumerator;
 	iface_t *current;
-	
+
 	enumerator = this->ifaces->create_enumerator(this->ifaces);
 	while (enumerator->enumerate(enumerator, (void**)&current))
 	{
@@ -152,7 +152,7 @@ static enumerator_t* create_iface_enumerator(private_guest_t *this)
 {
 	return this->ifaces->create_enumerator(this->ifaces);
 }
-	
+
 /**
  * Implementation of guest_t.get_state.
  */
@@ -224,7 +224,7 @@ static void stop(private_guest_t *this, idle_function_t idle)
 void savepid(private_guest_t *this)
 {
 	FILE *file;
-	
+
 	file = fdopen(openat(this->dir, PID_FILE, O_RDWR | O_CREAT | O_TRUNC,
 						 PERM), "w");
 	if (file)
@@ -246,18 +246,18 @@ static bool start(private_guest_t *this, invoke_function_t invoke, void* data,
 	char *args[32];
 	int i = 0;
 	size_t left = sizeof(buf);
-	
+
 	memset(args, 0, sizeof(args));
-	
+
 	if (this->state != GUEST_STOPPED)
 	{
 		DBG1("unable to start guest in state %N", guest_state_names, this->state);
 		return FALSE;
 	}
 	this->state = GUEST_STARTING;
-	
+
 	notify = write_arg(&pos, &left, "%s/%s", this->dirname, NOTIFY_FILE);
-	
+
 	args[i++] = write_arg(&pos, &left, "nice");
 	args[i++] = write_arg(&pos, &left, "%s/%s", this->dirname, KERNEL_FILE);
 	args[i++] = write_arg(&pos, &left, "root=/dev/root");
@@ -271,7 +271,7 @@ static bool start(private_guest_t *this, invoke_function_t invoke, void* data,
 	{
 		args[i++] = this->args;
 	}
-	  
+
 	this->pid = invoke(data, &this->public, args, i);
 	if (!this->pid)
 	{
@@ -279,7 +279,7 @@ static bool start(private_guest_t *this, invoke_function_t invoke, void* data,
 		return FALSE;
 	}
 	savepid(this);
-	
+
 	/* open mconsole */
 	this->mconsole = mconsole_create(notify, idle);
 	if (this->mconsole == NULL)
@@ -288,11 +288,11 @@ static bool start(private_guest_t *this, invoke_function_t invoke, void* data,
 		stop(this, NULL);
 		return FALSE;
 	}
-	
+
 	this->state = GUEST_RUNNING;
 	return TRUE;
-}	
-	
+}
+
 /**
  * Implementation of guest_t.load_template.
  */
@@ -300,12 +300,12 @@ static bool load_template(private_guest_t *this, char *path)
 {
 	char dir[PATH_MAX];
 	size_t len;
-	
+
 	if (path == NULL)
 	{
-		return this->cowfs->set_overlay(this->cowfs, NULL);	
+		return this->cowfs->set_overlay(this->cowfs, NULL);
 	}
-	
+
 	len = snprintf(dir, sizeof(dir), "%s/%s", path, this->name);
 	if (len < 0 || len >= sizeof(dir))
 	{
@@ -334,11 +334,11 @@ static int vexec(private_guest_t *this, void(*cb)(void*,char*,size_t), void *dat
 {
 	char buf[1024];
 	size_t len;
-	
+
 	if (this->mconsole)
 	{
 		len = vsnprintf(buf, sizeof(buf), cmd, args);
-		
+
 		if (len > 0 && len < sizeof(buf))
 		{
 			return this->mconsole->exec(this->mconsole, cb, data, buf);
@@ -389,7 +389,7 @@ static void exec_str_cb(exec_str_t *data, char *buf, size_t len)
 		}
 		strncat(data->buf.ptr, buf, len);
 	}
-	
+
 	if (data->cb)
 	{
 		char *nl;
@@ -477,7 +477,7 @@ static bool mount_unionfs(private_guest_t *this)
 		snprintf(master, sizeof(master), "%s/%s", this->dirname, MASTER_DIR);
 		snprintf(diff, sizeof(diff), "%s/%s", this->dirname, DIFF_DIR);
 		snprintf(mount, sizeof(mount), "%s/%s", this->dirname, UNION_DIR);
-		
+
 		this->cowfs = cowfs_create(master, diff, mount);
 		if (this->cowfs)
 		{
@@ -494,7 +494,7 @@ char *loadargs(private_guest_t *this)
 {
 	FILE *file;
 	char buf[512], *args = NULL;
-	
+
 	file = fdopen(openat(this->dir, ARGS_FILE, O_RDONLY, PERM), "r");
 	if (file)
 	{
@@ -514,7 +514,7 @@ bool saveargs(private_guest_t *this, char *args)
 {
 	FILE *file;
 	bool retval = FALSE;
-	
+
 	file = fdopen(openat(this->dir, ARGS_FILE, O_RDWR | O_CREAT | O_TRUNC,
 						 PERM), "w");
 	if (file)
@@ -554,7 +554,7 @@ static private_guest_t *guest_create_generic(char *parent, char *name,
 {
 	char cwd[PATH_MAX];
 	private_guest_t *this = malloc_thing(private_guest_t);
-	
+
 	this->public.get_name = (void*)get_name;
 	this->public.get_pid = (pid_t(*)(guest_t*))get_pid;
 	this->public.get_state = (guest_state_t(*)(guest_t*))get_state;
@@ -568,7 +568,7 @@ static private_guest_t *guest_create_generic(char *parent, char *name,
 	this->public.exec_str = (int(*)(guest_t*, void(*cb)(void*,char*),bool,void*,char*,...))exec_str;
 	this->public.sigchild = (void(*)(guest_t*))sigchild;
 	this->public.destroy = (void*)destroy;
-		
+
 	if (*parent == '/' || getcwd(cwd, sizeof(cwd)) == NULL)
 	{
 		if (asprintf(&this->dirname, "%s/%s", parent, name) < 0)
@@ -607,7 +607,7 @@ static private_guest_t *guest_create_generic(char *parent, char *name,
 	this->args = NULL;
 	this->name = strdup(name);
 	this->cowfs = NULL;
-	
+
 	return this;
 }
 
@@ -618,7 +618,7 @@ static bool make_symlink(private_guest_t *this, char *old, char *new)
 {
 	char cwd[PATH_MAX];
 	char buf[PATH_MAX];
-	
+
 	if (*old == '/' || getcwd(cwd, sizeof(cwd)) == NULL)
 	{
 		snprintf(buf, sizeof(buf), "%s", old);
@@ -632,18 +632,18 @@ static bool make_symlink(private_guest_t *this, char *old, char *new)
 
 
 /**
- * create the guest instance, including required dirs and mounts 
+ * create the guest instance, including required dirs and mounts
  */
 guest_t *guest_create(char *parent, char *name, char *kernel,
 					  char *master, char *args)
 {
 	private_guest_t *this = guest_create_generic(parent, name, TRUE);
-	
+
 	if (this == NULL)
 	{
 		return NULL;
 	}
-	
+
 	if (!make_symlink(this, master, MASTER_DIR) ||
 		!make_symlink(this, kernel, KERNEL_FILE))
 	{
@@ -651,22 +651,22 @@ guest_t *guest_create(char *parent, char *name, char *kernel,
 		destroy(this);
 		return NULL;
 	}
-	
-	if (mkdirat(this->dir, UNION_DIR, PERME) != 0 || 
+
+	if (mkdirat(this->dir, UNION_DIR, PERME) != 0 ||
 		mkdirat(this->dir, DIFF_DIR, PERME) != 0)
 	{
 		DBG1("unable to create directories for '%s': %m", name);
 		destroy(this);
 		return NULL;
 	}
-	
+
 	this->args = args;
 	if (args && !saveargs(this, args))
 	{
 		destroy(this);
 		return NULL;
 	}
-	
+
 	if (!mount_unionfs(this))
 	{
 		destroy(this);
@@ -682,20 +682,20 @@ guest_t *guest_create(char *parent, char *name, char *kernel,
 guest_t *guest_load(char *parent, char *name)
 {
 	private_guest_t *this = guest_create_generic(parent, name, FALSE);
-	
+
 	if (this == NULL)
 	{
 		return NULL;
 	}
-	
+
 	this->args = loadargs(this);
-	
+
 	if (!mount_unionfs(this))
 	{
 		destroy(this);
 		return NULL;
 	}
-	
+
 	return &this->public;
 }
 
diff --git a/src/dumm/guest.h b/src/dumm/guest.h
index a1e4966ac..5f812f8eb 100644
--- a/src/dumm/guest.h
+++ b/src/dumm/guest.h
@@ -56,10 +56,10 @@ extern enum_name_t *guest_state_names;
  * @param guest		guest to start
  * @param args		args to use for guest invocation, args[0] is kernel
  * @param argc		number of elements in args
- * @param idle		
+ * @param idle
  * @return			PID of child, 0 if failed
  */
-typedef pid_t (*invoke_function_t)(void *data, guest_t *guest, 
+typedef pid_t (*invoke_function_t)(void *data, guest_t *guest,
 								   char *args[], int argc);
 
 /**
@@ -71,28 +71,28 @@ typedef void (*idle_function_t)(void);
  * A guest is a UML instance running on the host.
  **/
 struct guest_t {
-	
+
 	/**
 	 * Get the name of this guest.
 	 *
 	 * @return		name of the guest
 	 */
 	char* (*get_name) (guest_t *this);
-	
+
 	/**
 	 * Get the process ID of the guest child process.
 	 *
 	 * @return		name of the guest
 	 */
 	pid_t (*get_pid) (guest_t *this);
-	
+
 	/**
 	 * Get the state of the guest (stopped, started, etc.).
 	 *
 	 * @return		guests state
 	 */
-	guest_state_t (*get_state)(guest_t *this);	
-	
+	guest_state_t (*get_state)(guest_t *this);
+
 	/**
 	 * Start the guest.
 	 *
@@ -103,14 +103,14 @@ struct guest_t {
 	 */
 	bool (*start) (guest_t *this, invoke_function_t invoke, void *data,
 				   idle_function_t idle);
-	
+
 	/**
 	 * Kill the guest.
 	 *
 	 * @param idle		idle function to call while waiting to termination
 	 */
 	void (*stop) (guest_t *this, idle_function_t idle);
-	
+
 	/**
 	 * Create a new interface in the current scenario.
 	 *
@@ -118,21 +118,21 @@ struct guest_t {
 	 * @return		created interface, or NULL if failed
 	 */
 	iface_t* (*create_iface)(guest_t *this, char *name);
-	
+
 	/**
 	 * Destroy an interface on guest.
 	 *
 	 * @param iface	interface to destroy
 	 */
 	void (*destroy_iface)(guest_t *this, iface_t *iface);
-	
+
 	/**
 	 * Create an enumerator over all guest interfaces.
 	 *
 	 * @return		enumerator over iface_t's
 	 */
 	enumerator_t* (*create_iface_enumerator)(guest_t *this);
-	
+
 	/**
 	 * Set the template COWFS overlay to use.
 	 *
@@ -140,7 +140,7 @@ struct guest_t {
 	 * @return			FALSE if failed
 	 */
 	bool (*load_template)(guest_t *this, char *parent);
-	
+
 	/**
 	 * Execute a command on the guests mconsole.
 	 *
@@ -152,15 +152,15 @@ struct guest_t {
 	 */
 	int (*exec)(guest_t *this, void(*cb)(void*,char*,size_t), void *data,
 				char *cmd, ...);
-	
+
 	/**
 	 * Execute a command on the guests mconsole, with output formatter.
-	 * 
+	 *
 	 * If lines is TRUE, callback is invoked for each output line. Otherwise
 	 * the full result is returned in one callback invocation.
-	 * 
+	 *
 	 * @note This function does not work with binary output.
-	 * 
+	 *
 	 * @param cb		callback to call for each line or for the complete output
 	 * @param lines		TRUE if the callback should be called for each line
 	 * @param data		data to pass to callback
@@ -170,15 +170,15 @@ struct guest_t {
 	 */
 	int (*exec_str)(guest_t *this, void(*cb)(void*,char*), bool lines,
 					void *data, char *cmd, ...);
-	
+
 	/**
 	 * Called whenever a SIGCHILD for the guests PID is received.
 	 */
 	void (*sigchild)(guest_t *this);
-	
+
 	/**
 	 * Close and destroy a guest with all interfaces
-	 */	
+	 */
 	void (*destroy) (guest_t *this);
 };
 
diff --git a/src/dumm/iface.c b/src/dumm/iface.c
index bf73c82a5..9910c392e 100644
--- a/src/dumm/iface.c
+++ b/src/dumm/iface.c
@@ -55,10 +55,10 @@ bool iface_control(char *name, bool up)
 	int s;
 	bool good = FALSE;
 	struct ifreq ifr;
-	
+
 	memset(&ifr, 0, sizeof(struct ifreq));
 	strncpy(ifr.ifr_name, name, sizeof(ifr.ifr_name));
-	
+
 	s = socket(AF_INET, SOCK_DGRAM, 0);
 	if (!s)
 	{
@@ -104,7 +104,7 @@ static char* get_hostif(private_iface_t *this)
  */
 static bool add_address(private_iface_t *this, host_t *addr)
 {
-	return (this->guest->exec(this->guest, NULL, NULL, 
+	return (this->guest->exec(this->guest, NULL, NULL,
 				  "exec ip addr add %H dev %s", addr, this->guestif) == 0);
 }
 
@@ -185,7 +185,7 @@ static guest_t* get_guest(private_iface_t *this)
 {
 	return this->guest;
 }
-	
+
 /**
  * destroy the tap device
  */
@@ -193,7 +193,7 @@ static bool destroy_tap(private_iface_t *this)
 {
 	struct ifreq ifr;
 	int tap;
-	
+
 	if (!iface_control(this->hostif, FALSE))
 	{
 		DBG1("bringing iface down failed: %m");
@@ -201,7 +201,7 @@ static bool destroy_tap(private_iface_t *this)
 	memset(&ifr, 0, sizeof(ifr));
 	ifr.ifr_flags = IFF_TAP | IFF_NO_PI;
 	strncpy(ifr.ifr_name, this->hostif, sizeof(ifr.ifr_name) - 1);
-	
+
 	tap = open(TAP_DEVICE, O_RDWR);
 	if (tap < 0)
 	{
@@ -241,11 +241,11 @@ static char* create_tap(private_iface_t *this)
 	if (ioctl(tap, TUNSETIFF, &ifr) < 0 ||
 		ioctl(tap, TUNSETPERSIST, 1) < 0 ||
 		ioctl(tap, TUNSETOWNER, 0))
-    {
+	{
 		DBG1("creating new tap device failed: %m");
 		close(tap);
 		return NULL;
-    } 
+	}
 	close(tap);
 	return strdup(ifr.ifr_name);
 }
@@ -274,7 +274,7 @@ static void destroy(private_iface_t *this)
 iface_t *iface_create(char *name, guest_t *guest, mconsole_t *mconsole)
 {
 	private_iface_t *this = malloc_thing(private_iface_t);
-	
+
 	this->public.get_hostif = (char*(*)(iface_t*))get_hostif;
 	this->public.get_guestif = (char*(*)(iface_t*))get_guestif;
 	this->public.add_address = (bool(*)(iface_t*, host_t *addr))add_address;
diff --git a/src/dumm/iface.h b/src/dumm/iface.h
index 7aef95c01..dabefaa17 100644
--- a/src/dumm/iface.h
+++ b/src/dumm/iface.h
@@ -32,21 +32,21 @@ typedef struct iface_t iface_t;
  * Interface in a guest, connected to a tap device on the host.
  */
 struct iface_t {
-	
+
 	/**
 	 * Get the interface name in the guest (e.g. eth0).
 	 *
 	 * @return			guest interface name
 	 */
 	char* (*get_guestif)(iface_t *this);
-	
+
 	/**
 	 * Get the interface name at the host (e.g. tap0).
 	 *
 	 * @return			host interface (tap device) name
 	 */
 	char* (*get_hostif)(iface_t *this);
-	
+
 	/**
 	 * Add an address to the interface.
 	 *
@@ -54,43 +54,43 @@ struct iface_t {
 	 * @return			TRUE if address added
 	 */
 	bool (*add_address)(iface_t *this, host_t *addr);
-	
+
 	/**
 	 * Create an enumerator over all installed addresses.
 	 *
 	 * @return			enumerator over host_t*
 	 */
 	enumerator_t* (*create_address_enumerator)(iface_t *this);
-	
+
 	/**
 	 * Remove an address from an interface.
 	 *
 	 * @param addr		address to remove
 	 * @return			TRUE if address removed
 	 */
-	bool (*delete_address)(iface_t *this, host_t *addr);	
-	
+	bool (*delete_address)(iface_t *this, host_t *addr);
+
 	/**
 	 * Set the bridge this interface is attached to.
 	 *
 	 * @param bridge	assigned bridge, or NULL for none
 	 */
 	void (*set_bridge)(iface_t *this, bridge_t *bridge);
-	
+
 	/**
 	 * Get the bridge this iface is connected, or NULL.
 	 *
 	 * @return			connected bridge, or NULL
 	 */
 	bridge_t* (*get_bridge)(iface_t *this);
-	
+
 	/**
 	 * Get the guest this iface belongs to.
 	 *
 	 * @return			guest of this iface
 	 */
 	guest_t* (*get_guest)(iface_t *this);
-	
+
 	/**
 	 * Destroy an interface
 	 */
diff --git a/src/dumm/irdumm.c b/src/dumm/irdumm.c
index bca8ce1db..7543e6bd6 100644
--- a/src/dumm/irdumm.c
+++ b/src/dumm/irdumm.c
@@ -17,6 +17,8 @@
 #undef PACKAGE_TARNAME
 #undef PACKAGE_VERSION
 #undef PACKAGE_STRING
+#undef PACKAGE_BUGREPORT
+#undef PACKAGE_URL
 #include <ruby.h>
 
 /**
@@ -26,10 +28,10 @@ int main(int argc, char *argv[])
 {
 	int state, i;
 	char buf[512];
-	
+
 	ruby_init();
 	ruby_init_loadpath();
-	
+
 	rb_eval_string_protect("require 'dumm' and include Dumm", &state);
 	if (state)
 	{
@@ -53,7 +55,7 @@ int main(int argc, char *argv[])
 	{
 		rb_p(ruby_errinfo);
 	}
-	
+
 	ruby_finalize();
 	return 0;
 }
diff --git a/src/dumm/main.c b/src/dumm/main.c
index ba2801760..337a1a144 100644
--- a/src/dumm/main.c
+++ b/src/dumm/main.c
@@ -62,7 +62,7 @@ static void child_exited(VteReaper *vtereaper, gint pid, gint status)
 {
 	enumerator_t *enumerator;
 	page_t *page;
-	
+
 	enumerator = pages->create_enumerator(pages);
 	while (enumerator->enumerate(enumerator, (void**)&page))
 	{
@@ -81,7 +81,7 @@ static page_t* get_page(int num)
 {
 	enumerator_t *enumerator;
 	page_t *page, *found = NULL;
-	
+
 	enumerator = pages->create_enumerator(pages);
 	while (enumerator->enumerate(enumerator, (void**)&page))
 	{
@@ -114,7 +114,7 @@ void idle(void)
 static void start_guest()
 {
 	page_t *page;
-	
+
 	page = get_page(gtk_notebook_get_current_page(GTK_NOTEBOOK(notebook)));
 	if (page && page->guest->get_state(page->guest) == GUEST_STOPPED)
 	{
@@ -128,7 +128,7 @@ static void start_all_guests()
 {
 	enumerator_t *enumerator;
 	page_t *page;
-	
+
 	enumerator = pages->create_enumerator(pages);
 	while (enumerator->enumerate(enumerator, (void**)&page))
 	{
@@ -146,7 +146,7 @@ static void start_all_guests()
 static void stop_guest()
 {
 	page_t *page;
-	
+
 	page = get_page(gtk_notebook_get_current_page(GTK_NOTEBOOK(notebook)));
 	if (page && page->guest->get_state(page->guest) == GUEST_RUNNING)
 	{
@@ -163,17 +163,17 @@ static void quit()
 	page_t *page;
 
 	dumm->load_template(dumm, NULL);
-	
+
 	enumerator = pages->create_enumerator(pages);
 	while (enumerator->enumerate(enumerator, &page))
 	{
 		if (page->guest->get_state(page->guest) != GUEST_STOPPED)
-		{			
+		{
 			page->guest->stop(page->guest, idle);
 		}
 	}
 	enumerator->destroy(enumerator);
-    gtk_main_quit();
+	gtk_main_quit();
 }
 
 static void error_dialog(char *msg)
@@ -191,32 +191,32 @@ static void create_switch()
 {
 	GtkWidget *dialog, *table, *label, *name;
 	bridge_t *bridge;
-	
+
 	dialog = gtk_dialog_new_with_buttons("Create new switch", GTK_WINDOW(window),
 							GTK_DIALOG_MODAL | GTK_DIALOG_DESTROY_WITH_PARENT,
 							GTK_STOCK_CANCEL, GTK_RESPONSE_REJECT,
 							GTK_STOCK_NEW, GTK_RESPONSE_ACCEPT, NULL);
-	
+
 	table = gtk_table_new(1, 2, TRUE);
 	gtk_container_add(GTK_CONTAINER(GTK_DIALOG(dialog)->vbox), table);
-	
+
 	label = gtk_label_new("Switch name");
 	gtk_table_attach(GTK_TABLE(table), label,  0, 1, 0, 1, 0, 0, 0, 0);
 	gtk_widget_show(label);
-	
+
 	name = gtk_entry_new();
 	gtk_table_attach(GTK_TABLE(table), name, 1, 2, 0, 1,
 					 GTK_FILL | GTK_EXPAND | GTK_SHRINK, 0, 0, 0);
 	gtk_widget_show(name);
-	
+
 	gtk_widget_show(table);
-	
+
 	while (TRUE)
 	{
 		switch (gtk_dialog_run(GTK_DIALOG(dialog)))
 		{
 			case GTK_RESPONSE_ACCEPT:
-			{			
+			{
 				if (streq(gtk_entry_get_text(GTK_ENTRY(name)), ""))
 				{
 					continue;
@@ -250,34 +250,34 @@ static void connect_guest()
 	bridge_t *bridge;
 	iface_t *iface;
 	enumerator_t *enumerator;
-	
+
 	page = get_page(gtk_notebook_get_current_page(GTK_NOTEBOOK(notebook)));
 	if (!page || page->guest->get_state(page->guest) != GUEST_RUNNING)
 	{
 		return;
 	}
-	
+
 	dialog = gtk_dialog_new_with_buttons("Connect guest", GTK_WINDOW(window),
 							GTK_DIALOG_MODAL | GTK_DIALOG_DESTROY_WITH_PARENT,
 							GTK_STOCK_CANCEL, GTK_RESPONSE_REJECT,
 							GTK_STOCK_NEW, GTK_RESPONSE_ACCEPT, NULL);
-	
+
 	table = gtk_table_new(2, 2, TRUE);
 	gtk_container_add(GTK_CONTAINER(GTK_DIALOG(dialog)->vbox), table);
-	
+
 	label = gtk_label_new("Interface name");
 	gtk_table_attach(GTK_TABLE(table), label,  0, 1, 0, 1, 0, 0, 0, 0);
 	gtk_widget_show(label);
-	
+
 	name = gtk_entry_new();
 	gtk_table_attach(GTK_TABLE(table), name, 1, 2, 0, 1,
 					 GTK_FILL | GTK_EXPAND | GTK_SHRINK, 0, 0, 0);
 	gtk_widget_show(name);
-	
+
 	label = gtk_label_new("Connected switch");
 	gtk_table_attach(GTK_TABLE(table), label,  0, 1, 1, 2, 0, 0, 0, 0);
 	gtk_widget_show(label);
-	
+
 	box = gtk_combo_box_new_text();
 	gtk_table_attach(GTK_TABLE(table), box, 1, 2, 1, 2,
 					 GTK_FILL | GTK_EXPAND | GTK_SHRINK, 0, 0, 0);
@@ -288,20 +288,20 @@ static void connect_guest()
 	}
 	enumerator->destroy(enumerator);
 	gtk_widget_show(box);
-	
+
 	gtk_widget_show(table);
-	
+
 	while (TRUE)
 	{
 		switch (gtk_dialog_run(GTK_DIALOG(dialog)))
 		{
 			case GTK_RESPONSE_ACCEPT:
-			{			
+			{
 				if (streq(gtk_entry_get_text(GTK_ENTRY(name)), ""))
 				{
 					continue;
 				}
-				
+
 				iface = page->guest->create_iface(page->guest,
 									(char*)gtk_entry_get_text(GTK_ENTRY(name)));
 				if (!iface)
@@ -337,7 +337,7 @@ static void disconnect_guest()
 static void delete_guest()
 {
 	page_t *page;
-	
+
 	page = get_page(gtk_notebook_get_current_page(GTK_NOTEBOOK(notebook)));
 	if (page)
 	{
@@ -356,7 +356,7 @@ static page_t* create_page(guest_t *guest)
 {
 	GtkWidget *label;
 	page_t *page;
-	
+
 	page = g_new(page_t, 1);
 	page->guest = guest;
 	page->vte = vte_terminal_new();
@@ -375,55 +375,55 @@ static void create_guest()
 {
 	guest_t *guest;
 	GtkWidget *dialog, *table, *label, *name, *kernel, *master, *args;
-	
+
 	dialog = gtk_dialog_new_with_buttons("Create new guest", GTK_WINDOW(window),
 							GTK_DIALOG_MODAL | GTK_DIALOG_DESTROY_WITH_PARENT,
 							GTK_STOCK_CANCEL, GTK_RESPONSE_REJECT,
 							GTK_STOCK_NEW, GTK_RESPONSE_ACCEPT, NULL);
-	
+
 	table = gtk_table_new(4, 2, TRUE);
 	gtk_container_add(GTK_CONTAINER(GTK_DIALOG(dialog)->vbox), table);
-	
+
 	label = gtk_label_new("Guest name");
 	gtk_table_attach(GTK_TABLE(table), label,  0, 1, 0, 1, 0, 0, 0, 0);
 	gtk_widget_show(label);
-	
+
 	label = gtk_label_new("UML kernel");
 	gtk_table_attach(GTK_TABLE(table), label, 0, 1, 1, 2, 0, 0, 0, 0);
 	gtk_widget_show(label);
-	
+
 	label = gtk_label_new("Master filesystem");
 	gtk_table_attach(GTK_TABLE(table), label, 0, 1, 2, 3, 0, 0, 0, 0);
 	gtk_widget_show(label);
-	
+
 	label = gtk_label_new("Kernel arguments");
 	gtk_table_attach(GTK_TABLE(table), label, 0, 1, 3, 4, 0, 0, 0, 0);
 	gtk_widget_show(label);
-	
+
 	name = gtk_entry_new();
 	gtk_table_attach(GTK_TABLE(table), name, 1, 2, 0, 1,
 					 GTK_FILL | GTK_EXPAND | GTK_SHRINK, 0, 0, 0);
 	gtk_widget_show(name);
-	
+
 	kernel = gtk_file_chooser_button_new("Select UML kernel image",
 										 GTK_FILE_CHOOSER_ACTION_OPEN);
 	gtk_table_attach(GTK_TABLE(table), kernel, 1, 2, 1, 2,
 					 GTK_FILL | GTK_EXPAND | GTK_SHRINK, 0, 0, 0);
 	gtk_widget_show(kernel);
-	
+
 	master = gtk_file_chooser_button_new("Select master filesystem",
 										 GTK_FILE_CHOOSER_ACTION_SELECT_FOLDER);
 	gtk_table_attach(GTK_TABLE(table), master, 1, 2, 2, 3,
 					 GTK_FILL | GTK_EXPAND | GTK_SHRINK, 0, 0, 0);
 	gtk_widget_show(master);
-	
+
 	args = gtk_entry_new();
 	gtk_table_attach(GTK_TABLE(table), args, 1, 2, 3, 4,
 					 GTK_FILL | GTK_EXPAND | GTK_SHRINK, 0, 0, 0);
 	gtk_widget_show(args);
-	
+
 	gtk_widget_show(table);
-	
+
 	while (TRUE)
 	{
 		switch (gtk_dialog_run(GTK_DIALOG(dialog)))
@@ -432,12 +432,12 @@ static void create_guest()
 			{
 				char *sname, *skernel, *smaster, *sargs;
 				page_t *page;
-				
+
 				sname = (char*)gtk_entry_get_text(GTK_ENTRY(name));
 				skernel = gtk_file_chooser_get_filename(GTK_FILE_CHOOSER(kernel));
 				smaster = gtk_file_chooser_get_filename(GTK_FILE_CHOOSER(master));
 				sargs = (char*)gtk_entry_get_text(GTK_ENTRY(args));
-			
+
 				if (!sname[0] || !skernel || !smaster)
 				{
 					continue;
@@ -469,10 +469,10 @@ int main(int argc, char *argv[])
 	GtkWidget *dummMenu, *guestMenu, *switchMenu;
 	enumerator_t *enumerator;
 	guest_t *guest;
-	
+
 	library_init(NULL);
 	gtk_init(&argc, &argv);
-	
+
 	pages = linked_list_create();
 	dumm = dumm_create(NULL);
 
@@ -483,7 +483,7 @@ int main(int argc, char *argv[])
 	gtk_window_set_default_size(GTK_WINDOW (window), 1000, 500);
 	g_signal_connect(G_OBJECT(vte_reaper_get()), "child-exited",
 					 G_CALLBACK(child_exited), NULL);
-	
+
 	/* add vbox with menubar, notebook */
 	vbox = gtk_vbox_new(FALSE, 0);
 	gtk_container_add(GTK_CONTAINER(window), vbox);
@@ -492,15 +492,15 @@ int main(int argc, char *argv[])
 	notebook = gtk_notebook_new();
 	g_object_set(G_OBJECT(notebook), "homogeneous", TRUE, NULL);
 	gtk_notebook_set_tab_pos(GTK_NOTEBOOK(notebook), GTK_POS_BOTTOM);
-    gtk_container_add(GTK_CONTAINER(vbox), notebook);
+	gtk_container_add(GTK_CONTAINER(vbox), notebook);
 
 	/* Dumm menu */
 	menu = gtk_menu_new();
-  	dummMenu = gtk_menu_item_new_with_mnemonic("_Dumm");
+	dummMenu = gtk_menu_item_new_with_mnemonic("_Dumm");
 	gtk_menu_bar_append(GTK_MENU_BAR(menubar), dummMenu);
 	gtk_widget_show(dummMenu);
 	gtk_menu_item_set_submenu(GTK_MENU_ITEM(dummMenu), menu);
-	
+
 	/* Dumm -> exit */
 	menuitem = gtk_image_menu_item_new_from_stock(GTK_STOCK_QUIT, NULL);
 	g_signal_connect(G_OBJECT(menuitem), "activate",
@@ -510,61 +510,61 @@ int main(int argc, char *argv[])
 
 	/* Guest menu */
 	menu = gtk_menu_new();
-  	guestMenu = gtk_menu_item_new_with_mnemonic("_Guest");
+	guestMenu = gtk_menu_item_new_with_mnemonic("_Guest");
 	gtk_menu_bar_append(GTK_MENU_BAR(menubar), guestMenu);
 	gtk_widget_show(guestMenu);
 	gtk_menu_item_set_submenu(GTK_MENU_ITEM(guestMenu), menu);
-	
+
 	/* Guest -> new */
 	menuitem = gtk_image_menu_item_new_from_stock(GTK_STOCK_NEW, NULL);
 	g_signal_connect(G_OBJECT(menuitem), "activate",
 					 G_CALLBACK(create_guest), NULL);
 	gtk_menu_append(GTK_MENU(menu), menuitem);
 	gtk_widget_show(menuitem);
-	
+
 	/* Guest -> delete */
 	menuitem = gtk_image_menu_item_new_from_stock(GTK_STOCK_DELETE, NULL);
 	g_signal_connect(G_OBJECT(menuitem), "activate",
 					 G_CALLBACK(delete_guest), NULL);
 	gtk_menu_append(GTK_MENU(menu), menuitem);
 	gtk_widget_show(menuitem);
-	
+
 	menuitem = gtk_separator_menu_item_new();
 	gtk_menu_append(GTK_MENU(menu), menuitem);
 	gtk_widget_show(menuitem);
-	
+
 	/* Guest -> start */
 	menuitem = gtk_menu_item_new_with_mnemonic("_Start");
 	g_signal_connect(G_OBJECT(menuitem), "activate",
 					 G_CALLBACK(start_guest), NULL);
 	gtk_menu_append(GTK_MENU(menu), menuitem);
 	gtk_widget_show(menuitem);
-	
+
 	/* Guest -> startall */
 	menuitem = gtk_menu_item_new_with_mnemonic("Start _all");
 	g_signal_connect(G_OBJECT(menuitem), "activate",
 					 G_CALLBACK(start_all_guests), NULL);
 	gtk_menu_append(GTK_MENU(menu), menuitem);
 	gtk_widget_show(menuitem);
-	
+
 	/* Guest -> stop */
 	menuitem = gtk_image_menu_item_new_from_stock(GTK_STOCK_STOP, NULL);
 	g_signal_connect(G_OBJECT(menuitem), "activate",
 					 G_CALLBACK(stop_guest), NULL);
 	gtk_menu_append(GTK_MENU(menu), menuitem);
 	gtk_widget_show(menuitem);
-	
+
 	menuitem = gtk_separator_menu_item_new();
 	gtk_menu_append(GTK_MENU(menu), menuitem);
 	gtk_widget_show(menuitem);
-	
+
 	/* Guest -> connect */
 	menuitem = gtk_image_menu_item_new_from_stock(GTK_STOCK_CONNECT, NULL);
 	g_signal_connect(G_OBJECT(menuitem), "activate",
 					 G_CALLBACK(connect_guest), NULL);
 	gtk_menu_append(GTK_MENU(menu), menuitem);
 	gtk_widget_show(menuitem);
-	
+
 	/* Guest -> disconnect */
 	menuitem = gtk_image_menu_item_new_from_stock(GTK_STOCK_DISCONNECT, NULL);
 	g_signal_connect(G_OBJECT(menuitem), "activate",
@@ -575,18 +575,18 @@ int main(int argc, char *argv[])
 
 	/* Switch menu */
 	menu = gtk_menu_new();
-  	switchMenu = gtk_menu_item_new_with_mnemonic("_Switch");
+	switchMenu = gtk_menu_item_new_with_mnemonic("_Switch");
 	gtk_menu_bar_append(GTK_MENU_BAR(menubar), switchMenu);
 	gtk_widget_show(switchMenu);
 	gtk_menu_item_set_submenu(GTK_MENU_ITEM(switchMenu), menu);
-	
+
 	/* Switch -> new */
 	menuitem = gtk_image_menu_item_new_from_stock(GTK_STOCK_NEW, NULL);
 	g_signal_connect(G_OBJECT(menuitem), "activate",
 					 G_CALLBACK(create_switch), NULL);
 	gtk_menu_append(GTK_MENU(menu), menuitem);
 	gtk_widget_show(menuitem);
-	
+
 	/* Switch -> delete */
 	menuitem = gtk_image_menu_item_new_from_stock(GTK_STOCK_DELETE, NULL);
 	g_signal_connect(G_OBJECT(menuitem), "activate",
@@ -594,13 +594,13 @@ int main(int argc, char *argv[])
 	gtk_menu_append(GTK_MENU(menu), menuitem);
 	gtk_widget_set_sensitive(menuitem, FALSE);
 	gtk_widget_show(menuitem);
-	
-  	/* show widgets */
+
+	/* show widgets */
 	gtk_widget_show(menubar);
 	gtk_widget_show(notebook);
 	gtk_widget_show(vbox);
 	gtk_widget_show(window);
-	
+
 	/* fill notebook with guests */
 	enumerator = dumm->create_guest_enumerator(dumm);
 	while (enumerator->enumerate(enumerator, (void**)&guest))
@@ -608,12 +608,12 @@ int main(int argc, char *argv[])
 		create_page(guest);
 	}
 	enumerator->destroy(enumerator);
-	
+
 	gtk_main();
-	
+
 	dumm->destroy(dumm);
 	pages->destroy_function(pages, g_free);
-	
+
 	library_deinit();
 	return 0;
 }
diff --git a/src/dumm/mconsole.c b/src/dumm/mconsole.c
index 2ed96d562..35984bdd5 100644
--- a/src/dumm/mconsole.c
+++ b/src/dumm/mconsole.c
@@ -73,16 +73,16 @@ struct mconsole_reply {
 typedef struct mconsole_notify mconsole_notify;
 /** mconsole notify message */
 struct mconsole_notify {
-    u_int32_t magic;
-    u_int32_t version;
-    enum {
+	u_int32_t magic;
+	u_int32_t version;
+	enum {
 		MCONSOLE_SOCKET,
 		MCONSOLE_PANIC,
 		MCONSOLE_HANG,
 		MCONSOLE_USER_NOTIFY,
-    } type;
-    u_int32_t len;
-    char data[MCONSOLE_MAX_DATA];
+	} type;
+	u_int32_t len;
+	char data[MCONSOLE_MAX_DATA];
 };
 
 /**
@@ -95,14 +95,14 @@ static int request(private_mconsole_t *this, void(*cb)(void*,char*,size_t),
 	mconsole_reply reply;
 	int len, flags = 0;
 	va_list args;
-	
+
 	memset(&request, 0, sizeof(request));
 	request.magic = MCONSOLE_MAGIC;
 	request.version = MCONSOLE_VERSION;
 	va_start(args, command);
 	request.len = vsnprintf(request.data, sizeof(request.data), command, args);
 	va_end(args);
-	
+
 	if (this->idle)
 	{
 		flags = MSG_DONTWAIT;
@@ -117,13 +117,13 @@ static int request(private_mconsole_t *this, void(*cb)(void*,char*,size_t),
 					 (struct sockaddr*)&this->uml, sizeof(this->uml));
 	}
 	while (len < 0 && (errno == EINTR || errno == EAGAIN));
-	
+
 	if (len < 0)
 	{
 		DBG1("sending mconsole command to UML failed: %m");
 		return -1;
 	}
-	do 
+	do
 	{
 		len = recv(this->console, &reply, sizeof(reply), flags);
 		if (len < 0 && (errno == EINTR || errno == EAGAIN))
@@ -157,7 +157,7 @@ static int request(private_mconsole_t *this, void(*cb)(void*,char*,size_t),
 		}
 	}
 	while (reply.more);
-	
+
 	return reply.err;
 }
 
@@ -174,7 +174,7 @@ static void ignore(void *data, char *buf, size_t len)
 static bool add_iface(private_mconsole_t *this, char *guest, char *host)
 {
 	int tries = 0;
-	
+
 	while (tries++ < 5)
 	{
 		if (request(this, ignore, NULL, "config %s=tuntap,%s", guest, host) == 0)
@@ -190,7 +190,7 @@ static bool add_iface(private_mconsole_t *this, char *guest, char *host)
  * Implementation of mconsole_t.del_iface.
  */
 static bool del_iface(private_mconsole_t *this, char *guest)
-{	
+{
 	if (request(this, NULL, NULL, "remove %s", guest) != 0)
 	{
 		return FALSE;
@@ -270,7 +270,7 @@ static bool wait_for_notify(private_mconsole_t *this, char *nsock)
 		len = recvfrom(this->notify, &notify, sizeof(notify), flags, NULL, 0);
 	}
 	while (len < 0 && (errno == EINTR || errno == EAGAIN));
-	
+
 	if (len < 0 || len >= sizeof(notify))
 	{
 		DBG1("reading from mconsole notify socket failed: %m");
@@ -300,7 +300,7 @@ static bool wait_for_notify(private_mconsole_t *this, char *nsock)
 static bool setup_console(private_mconsole_t *this)
 {
 	struct sockaddr_un addr;
-	
+
 	this->console = socket(AF_UNIX, SOCK_DGRAM, 0);
 	if (this->console < 0)
 	{
@@ -326,20 +326,20 @@ static bool setup_console(private_mconsole_t *this)
 mconsole_t *mconsole_create(char *notify, void(*idle)(void))
 {
 	private_mconsole_t *this = malloc_thing(private_mconsole_t);
-	
+
 	this->public.add_iface = (bool(*)(mconsole_t*, char *guest, char *host))add_iface;
 	this->public.del_iface = (bool(*)(mconsole_t*, char *guest))del_iface;
 	this->public.exec = (int(*)(mconsole_t*,  void(*cb)(void*,char*,size_t), void *data, char *cmd))exec;
 	this->public.destroy = (void*)destroy;
-	
+
 	this->idle = idle;
-	
+
 	if (!wait_for_notify(this, notify))
 	{
 		free(this);
 		return NULL;
 	}
-	
+
 	if (!setup_console(this))
 	{
 		close(this->notify);
@@ -348,9 +348,9 @@ mconsole_t *mconsole_create(char *notify, void(*idle)(void))
 		return NULL;
 	}
 	unlink(notify);
-	
+
 	wait_bootup(this);
-	
+
 	return &this->public;
 }
 
diff --git a/src/dumm/mconsole.h b/src/dumm/mconsole.h
index a4d93e48e..9fa2755ef 100644
--- a/src/dumm/mconsole.h
+++ b/src/dumm/mconsole.h
@@ -24,7 +24,7 @@ typedef struct mconsole_t mconsole_t;
  * UML mconsole, change running UML configuration using mconsole.
  */
 struct mconsole_t {
-	
+
 	/**
 	 * Create a guest interface and connect it to tap host interface.
 	 *
@@ -33,7 +33,7 @@ struct mconsole_t {
 	 * @return				TRUE if interface created
 	 */
 	bool (*add_iface)(mconsole_t *this, char *guest, char *host);
-	
+
 	/**
 	 * Delete a guest interface.
 	 *
@@ -41,7 +41,7 @@ struct mconsole_t {
 	 * @return				TRUE if interface deleted
 	 */
 	bool (*del_iface)(mconsole_t *this, char *guest);
-	
+
 	/**
 	 * Execute a command on the mconsole.
 	 *
@@ -52,7 +52,7 @@ struct mconsole_t {
 	 */
 	int (*exec)(mconsole_t *this, void(*cb)(void*,char*,size_t), void *data,
 				char *cmd);
-	
+
 	/**
 	 * Destroy the mconsole instance
 	 */
diff --git a/src/include/Makefile.in b/src/include/Makefile.in
index 495d02cc2..762b32649 100644
--- a/src/include/Makefile.in
+++ b/src/include/Makefile.in
@@ -1,8 +1,9 @@
-# Makefile.in generated by automake 1.10.2 from Makefile.am.
+# Makefile.in generated by automake 1.11 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -15,8 +16,9 @@
 @SET_MAKE@
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
@@ -34,11 +36,19 @@ host_triplet = @host@
 subdir = src/include
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
 CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
 SOURCES =
 DIST_SOURCES =
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -75,25 +85,22 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
-IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
-LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
-LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
-LINUX_HEADERS = @LINUX_HEADERS@
 LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
 NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
@@ -105,11 +112,14 @@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
 PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
+RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
@@ -138,9 +148,9 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
-confdir = @confdir@
 datadir = @datadir@
 datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
@@ -163,7 +173,7 @@ ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
 libstrongswan_plugins = @libstrongswan_plugins@
-linuxdir = @linuxdir@
+linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
@@ -171,6 +181,7 @@ mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
@@ -179,10 +190,12 @@ pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+random_device = @random_device@
 resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
-simreader = @simreader@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
@@ -190,6 +203,7 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 EXTRA_DIST = linux/ipsec.h linux/netlink.h linux/rtnetlink.h \
@@ -208,9 +222,9 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/include/Makefile'; \
-	cd $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu  src/include/Makefile
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/include/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/include/Makefile
 .PRECIOUS: Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
@@ -228,6 +242,7 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -257,13 +272,17 @@ distdir: $(DISTFILES)
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
 	  if test -d $$d/$$file; then \
 	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
 	    fi; \
-	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
 	  else \
-	    test -f $(distdir)/$$file \
-	    || cp -p $$d/$$file $(distdir)/$$file \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
 	    || exit 1; \
 	  fi; \
 	done
@@ -291,6 +310,7 @@ clean-generic:
 
 distclean-generic:
 	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -309,6 +329,8 @@ dvi-am:
 
 html: html-am
 
+html-am:
+
 info: info-am
 
 info-am:
@@ -317,18 +339,28 @@ install-data-am:
 
 install-dvi: install-dvi-am
 
+install-dvi-am:
+
 install-exec-am:
 
 install-html: install-html-am
 
+install-html-am:
+
 install-info: install-info-am
 
+install-info-am:
+
 install-man:
 
 install-pdf: install-pdf-am
 
+install-pdf-am:
+
 install-ps: install-ps-am
 
+install-ps-am:
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -362,6 +394,7 @@ uninstall-am:
 	maintainer-clean-generic mostlyclean mostlyclean-generic \
 	mostlyclean-libtool pdf pdf-am ps ps-am uninstall uninstall-am
 
+
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/src/include/linux/netlink.h b/src/include/linux/netlink.h
index af65dc499..1aeee628b 100644
--- a/src/include/linux/netlink.h
+++ b/src/include/linux/netlink.h
@@ -14,7 +14,7 @@
 #define NETLINK_SELINUX		7	/* SELinux event notifications */
 #define NETLINK_ISCSI		8	/* Open-iSCSI */
 #define NETLINK_AUDIT		9	/* auditing */
-#define NETLINK_FIB_LOOKUP	10	
+#define NETLINK_FIB_LOOKUP	10
 #define NETLINK_CONNECTOR	11
 #define NETLINK_NETFILTER	12	/* netfilter subsystem */
 #define NETLINK_IP6_FW		13
@@ -22,14 +22,14 @@
 #define NETLINK_KOBJECT_UEVENT	15	/* Kernel messages to userspace */
 #define NETLINK_GENERIC		16
 
-#define MAX_LINKS 32		
+#define MAX_LINKS 32
 
 struct sockaddr_nl
 {
 	sa_family_t	nl_family;	/* AF_NETLINK	*/
 	unsigned short	nl_pad;		/* zero		*/
 	__u32		nl_pid;		/* process pid	*/
-       	__u32		nl_groups;	/* multicast groups mask */
+	__u32		nl_groups;	/* multicast groups mask */
 };
 
 struct nlmsghdr
diff --git a/src/include/linux/rtnetlink.h b/src/include/linux/rtnetlink.h
index 56bf7b01c..131822c0f 100644
--- a/src/include/linux/rtnetlink.h
+++ b/src/include/linux/rtnetlink.h
@@ -104,7 +104,7 @@ enum {
 #define RTM_NR_FAMILIES	(RTM_NR_MSGTYPES >> 2)
 #define RTM_FAM(cmd)	(((cmd) - RTM_BASE) >> 2)
 
-/* 
+/*
    Generic structure for encapsulation of optional route information.
    It is reminiscent of sockaddr, but with sa_family replaced
    with attribute type.
@@ -146,7 +146,7 @@ struct rtmsg
 
 	unsigned char		rtm_table;	/* Routing table id */
 	unsigned char		rtm_protocol;	/* Routing protocol; see below	*/
-	unsigned char		rtm_scope;	/* See below */	
+	unsigned char		rtm_scope;	/* See below */
 	unsigned char		rtm_type;	/* See below	*/
 
 	unsigned		rtm_flags;
@@ -632,7 +632,7 @@ struct ifinfomsg
 };
 
 /********************************************************************
- *		prefix information 
+ *		prefix information
  ****/
 
 struct prefixmsg
@@ -647,7 +647,7 @@ struct prefixmsg
 	unsigned char	prefix_pad3;
 };
 
-enum 
+enum
 {
 	PREFIX_UNSPEC,
 	PREFIX_ADDRESS,
@@ -691,7 +691,7 @@ struct rtnl_link_stats
 	__u32	tx_fifo_errors;
 	__u32	tx_heartbeat_errors;
 	__u32	tx_window_errors;
-	
+
 	/* for cslip etc */
 	__u32	rx_compressed;
 	__u32	tx_compressed;
@@ -902,7 +902,7 @@ struct tcamsg
 };
 #define TA_RTA(r)  ((struct rtattr*)(((char*)(r)) + NLMSG_ALIGN(sizeof(struct tcamsg))))
 #define TA_PAYLOAD(n) NLMSG_PAYLOAD(n,sizeof(struct tcamsg))
-#define TCA_ACT_TAB 1 /* attr type must be >=1 */	
+#define TCA_ACT_TAB 1 /* attr type must be >=1 */
 #define TCAA_MAX 1
 
 /* End of information exported to user level */
@@ -941,7 +941,7 @@ extern void __rta_fill(struct sk_buff *skb, int attrtype, int attrlen, const voi
 #define RTA_PUT(skb, attrtype, attrlen, data) \
 ({	if (unlikely(skb_tailroom(skb) < (int)RTA_SPACE(attrlen))) \
 		 goto rtattr_failure; \
-   	__rta_fill(skb, attrtype, attrlen, data); }) 
+	__rta_fill(skb, attrtype, attrlen, data); })
 
 #define RTA_APPEND(skb, attrlen, data) \
 ({	if (unlikely(skb_tailroom(skb) < (int)(attrlen))) \
@@ -1021,7 +1021,7 @@ extern void __rta_fill(struct sk_buff *skb, int attrtype, int attrlen, const voi
 
 #define RTA_GET_SECS(rta) ((unsigned long) RTA_GET_U64(rta) * HZ)
 #define RTA_GET_MSECS(rta) (msecs_to_jiffies((unsigned long) RTA_GET_U64(rta)))
-		
+
 static __inline__ struct rtattr *
 __rta_reserve(struct sk_buff *skb, int attrtype, int attrlen)
 {
@@ -1038,7 +1038,7 @@ __rta_reserve(struct sk_buff *skb, int attrtype, int attrlen)
 #define __RTA_PUT(skb, attrtype, attrlen) \
 ({ 	if (unlikely(skb_tailroom(skb) < (int)RTA_SPACE(attrlen))) \
 		goto rtattr_failure; \
-   	__rta_reserve(skb, attrtype, attrlen); })
+	__rta_reserve(skb, attrtype, attrlen); })
 
 extern void rtmsg_ifinfo(int type, struct net_device *dev, unsigned change);
 
diff --git a/src/include/linux/udp.h b/src/include/linux/udp.h
index 2ee121bd0..c213d2a51 100644
--- a/src/include/linux/udp.h
+++ b/src/include/linux/udp.h
@@ -45,7 +45,7 @@ struct udp_sock {
 	struct inet_sock inet;
 	int		 pending;	/* Any pending frames ? */
 	unsigned int	 corkflag;	/* Cork is required */
-  	__u16		 encap_type;	/* Is this an Encapsulation socket? */
+	__u16		 encap_type;	/* Is this an Encapsulation socket? */
 	/*
 	 * Following member retains the infomation to create a UDP header
 	 * when the socket is uncorked.
diff --git a/src/include/linux/xfrm.h b/src/include/linux/xfrm.h
index 52f3abd45..d28e85310 100644
--- a/src/include/linux/xfrm.h
+++ b/src/include/linux/xfrm.h
@@ -58,7 +58,7 @@ struct xfrm_selector
 	__u8	prefixlen_s;
 	__u8	proto;
 	int	ifindex;
-	uid_t	user;
+	__kernel_uid32_t	user;
 };
 
 #define XFRM_INF (~(__u64)0)
@@ -96,6 +96,13 @@ struct xfrm_algo {
 	char		alg_key[0];
 };
 
+struct xfrm_algo_auth {
+	char		alg_name[64];
+	unsigned int	alg_key_len;    /* in bits */
+	unsigned int	alg_trunc_len;  /* in bits */
+	char		alg_key[0];
+};
+
 struct xfrm_algo_aead {
 	char		alg_name[64];
 	unsigned int	alg_key_len;	/* in bits */
@@ -283,6 +290,7 @@ enum xfrm_attr_type_t {
 	XFRMA_MIGRATE,
 	XFRMA_ALG_AEAD,		/* struct xfrm_algo_aead */
 	XFRMA_KMADDRESS,        /* struct xfrm_user_kmaddress */
+	XFRMA_ALG_AUTH_TRUNC,	/* struct xfrm_algo_auth */
 	__XFRMA_MAX
 
 #define XFRMA_MAX (__XFRMA_MAX - 1)
diff --git a/src/ipsec/Makefile.in b/src/ipsec/Makefile.in
index de069b928..ff88ed1ff 100644
--- a/src/ipsec/Makefile.in
+++ b/src/ipsec/Makefile.in
@@ -1,8 +1,9 @@
-# Makefile.in generated by automake 1.10.2 from Makefile.am.
+# Makefile.in generated by automake 1.11 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,8 +17,9 @@
 
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
@@ -36,13 +38,41 @@ subdir = src/ipsec
 DIST_COMMON = $(dist_man8_MANS) $(srcdir)/Makefile.am \
 	$(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
 CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__installdirs = "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(man8dir)"
-sbinSCRIPT_INSTALL = $(INSTALL_SCRIPT)
 SCRIPTS = $(sbin_SCRIPTS)
 SOURCES =
 DIST_SOURCES =
@@ -83,25 +113,22 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
-IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
-LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
-LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
-LINUX_HEADERS = @LINUX_HEADERS@
 LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
 NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
@@ -113,11 +140,14 @@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
 PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
+RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
@@ -146,9 +176,9 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
-confdir = @confdir@
 datadir = @datadir@
 datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
@@ -171,7 +201,7 @@ ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
 libstrongswan_plugins = @libstrongswan_plugins@
-linuxdir = @linuxdir@
+linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
@@ -179,6 +209,7 @@ mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
@@ -187,10 +218,12 @@ pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+random_device = @random_device@
 resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
-simreader = @simreader@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
@@ -198,6 +231,7 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 sbin_SCRIPTS = ipsec
@@ -216,9 +250,9 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/ipsec/Makefile'; \
-	cd $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu  src/ipsec/Makefile
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/ipsec/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/ipsec/Makefile
 .PRECIOUS: Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
@@ -236,76 +270,81 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
 install-sbinSCRIPTS: $(sbin_SCRIPTS)
 	@$(NORMAL_INSTALL)
 	test -z "$(sbindir)" || $(MKDIR_P) "$(DESTDIR)$(sbindir)"
-	@list='$(sbin_SCRIPTS)'; for p in $$list; do \
+	@list='$(sbin_SCRIPTS)'; test -n "$(sbindir)" || list=; \
+	for p in $$list; do \
 	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
-	  if test -f $$d$$p; then \
-	    f=`echo "$$p" | sed 's|^.*/||;$(transform)'`; \
-	    echo " $(sbinSCRIPT_INSTALL) '$$d$$p' '$(DESTDIR)$(sbindir)/$$f'"; \
-	    $(sbinSCRIPT_INSTALL) "$$d$$p" "$(DESTDIR)$(sbindir)/$$f"; \
-	  else :; fi; \
-	done
+	  if test -f "$$d$$p"; then echo "$$d$$p"; echo "$$p"; else :; fi; \
+	done | \
+	sed -e 'p;s,.*/,,;n' \
+	    -e 'h;s|.*|.|' \
+	    -e 'p;x;s,.*/,,;$(transform)' | sed 'N;N;N;s,\n, ,g' | \
+	$(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1; } \
+	  { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \
+	    if ($$2 == $$4) { files[d] = files[d] " " $$1; \
+	      if (++n[d] == $(am__install_max)) { \
+		print "f", d, files[d]; n[d] = 0; files[d] = "" } } \
+	    else { print "f", d "/" $$4, $$1 } } \
+	  END { for (d in files) print "f", d, files[d] }' | \
+	while read type dir files; do \
+	     if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \
+	     test -z "$$files" || { \
+	       echo " $(INSTALL_SCRIPT) $$files '$(DESTDIR)$(sbindir)$$dir'"; \
+	       $(INSTALL_SCRIPT) $$files "$(DESTDIR)$(sbindir)$$dir" || exit $$?; \
+	     } \
+	; done
 
 uninstall-sbinSCRIPTS:
 	@$(NORMAL_UNINSTALL)
-	@list='$(sbin_SCRIPTS)'; for p in $$list; do \
-	  f=`echo "$$p" | sed 's|^.*/||;$(transform)'`; \
-	  echo " rm -f '$(DESTDIR)$(sbindir)/$$f'"; \
-	  rm -f "$(DESTDIR)$(sbindir)/$$f"; \
-	done
+	@list='$(sbin_SCRIPTS)'; test -n "$(sbindir)" || exit 0; \
+	files=`for p in $$list; do echo "$$p"; done | \
+	       sed -e 's,.*/,,;$(transform)'`; \
+	test -n "$$list" || exit 0; \
+	echo " ( cd '$(DESTDIR)$(sbindir)' && rm -f" $$files ")"; \
+	cd "$(DESTDIR)$(sbindir)" && rm -f $$files
 
 mostlyclean-libtool:
 	-rm -f *.lo
 
 clean-libtool:
 	-rm -rf .libs _libs
-install-man8: $(man8_MANS) $(man_MANS)
+install-man8: $(dist_man8_MANS)
 	@$(NORMAL_INSTALL)
 	test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)"
-	@list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \
-	l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
-	for i in $$l2; do \
-	  case "$$i" in \
-	    *.8*) list="$$list $$i" ;; \
-	  esac; \
+	@list='$(dist_man8_MANS)'; test -n "$(man8dir)" || exit 0; \
+	{ for i in $$list; do echo "$$i"; done; \
+	} | while read p; do \
+	  if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
+	  echo "$$d$$p"; echo "$$p"; \
+	done | \
+	sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \
+	      -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \
+	sed 'N;N;s,\n, ,g' | { \
+	list=; while read file base inst; do \
+	  if test "$$base" = "$$inst"; then list="$$list $$file"; else \
+	    echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \
+	    $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst" || exit $$?; \
+	  fi; \
 	done; \
-	for i in $$list; do \
-	  if test -f $$i; then file=$$i; \
-	  else file=$(srcdir)/$$i; fi; \
-	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
-	  case "$$ext" in \
-	    8*) ;; \
-	    *) ext='8' ;; \
-	  esac; \
-	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
-	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
-	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
-	  echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \
-	  $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst"; \
-	done
+	for i in $$list; do echo "$$i"; done | $(am__base_list) | \
+	while read files; do \
+	  test -z "$$files" || { \
+	    echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man8dir)'"; \
+	    $(INSTALL_DATA) $$files "$(DESTDIR)$(man8dir)" || exit $$?; }; \
+	done; }
+
 uninstall-man8:
 	@$(NORMAL_UNINSTALL)
-	@list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \
-	l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
-	for i in $$l2; do \
-	  case "$$i" in \
-	    *.8*) list="$$list $$i" ;; \
-	  esac; \
-	done; \
-	for i in $$list; do \
-	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
-	  case "$$ext" in \
-	    8*) ;; \
-	    *) ext='8' ;; \
-	  esac; \
-	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
-	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
-	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
-	  echo " rm -f '$(DESTDIR)$(man8dir)/$$inst'"; \
-	  rm -f "$(DESTDIR)$(man8dir)/$$inst"; \
-	done
+	@list='$(dist_man8_MANS)'; test -n "$(man8dir)" || exit 0; \
+	files=`{ for i in $$list; do echo "$$i"; done; \
+	} | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \
+	      -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
+	test -z "$$files" || { \
+	  echo " ( cd '$(DESTDIR)$(man8dir)' && rm -f" $$files ")"; \
+	  cd "$(DESTDIR)$(man8dir)" && rm -f $$files; }
 tags: TAGS
 TAGS:
 
@@ -314,6 +353,19 @@ CTAGS:
 
 
 distdir: $(DISTFILES)
+	@list='$(MANS)'; if test -n "$$list"; then \
+	  list=`for p in $$list; do \
+	    if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
+	    if test -f "$$d$$p"; then echo "$$d$$p"; else :; fi; done`; \
+	  if test -n "$$list" && \
+	    grep 'ab help2man is required to generate this page' $$list >/dev/null; then \
+	    echo "error: found man pages containing the \`missing help2man' replacement text:" >&2; \
+	    grep -l 'ab help2man is required to generate this page' $$list | sed 's/^/         /' >&2; \
+	    echo "       to fix them, install help2man, remove and regenerate the man pages;" >&2; \
+	    echo "       typically \`make maintainer-clean' will remove them" >&2; \
+	    exit 1; \
+	  else :; fi; \
+	else :; fi
 	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
 	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
 	list='$(DISTFILES)'; \
@@ -329,13 +381,17 @@ distdir: $(DISTFILES)
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
 	  if test -d $$d/$$file; then \
 	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
 	    fi; \
-	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
 	  else \
-	    test -f $(distdir)/$$file \
-	    || cp -p $$d/$$file $(distdir)/$$file \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
 	    || exit 1; \
 	  fi; \
 	done
@@ -367,6 +423,7 @@ clean-generic:
 
 distclean-generic:
 	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -385,6 +442,8 @@ dvi-am:
 
 html: html-am
 
+html-am:
+
 info: info-am
 
 info-am:
@@ -393,18 +452,28 @@ install-data-am: install-man
 
 install-dvi: install-dvi-am
 
+install-dvi-am:
+
 install-exec-am: install-sbinSCRIPTS
 
 install-html: install-html-am
 
+install-html-am:
+
 install-info: install-info-am
 
+install-info-am:
+
 install-man: install-man8
 
 install-pdf: install-pdf-am
 
+install-pdf-am:
+
 install-ps: install-ps-am
 
+install-ps-am:
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -454,6 +523,7 @@ ipsec : ipsec.in
 	-e "s:@IPSEC_PIDDIR@:$(piddir):" \
 	$(srcdir)/$@.in > $@
 	chmod +x $@
+
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/src/libfast/Makefile.am b/src/libfast/Makefile.am
index 6104f335d..870dcd6f1 100644
--- a/src/libfast/Makefile.am
+++ b/src/libfast/Makefile.am
@@ -3,6 +3,6 @@ lib_LTLIBRARIES = libfast.la
 libfast_la_SOURCES = context.h dispatcher.c request.h session.h \
   controller.h dispatcher.h request.c session.c filter.h
 libfast_la_LIBADD = $(top_builddir)/src/libstrongswan/libstrongswan.la \
-  -lfcgi -lpthread -lneo_cgi -lneo_cs -lneo_utl -lz
+  -lfcgi -lneo_cgi -lneo_cs -lneo_utl -lz $(PTHREADLIB)
 INCLUDES = -I$(top_srcdir)/src/libstrongswan -I/usr/include/ClearSilver
 AM_CFLAGS = -rdynamic
diff --git a/src/libfast/Makefile.in b/src/libfast/Makefile.in
index 266898984..e5ed4a289 100644
--- a/src/libfast/Makefile.in
+++ b/src/libfast/Makefile.in
@@ -1,8 +1,9 @@
-# Makefile.in generated by automake 1.10.2 from Makefile.am.
+# Makefile.in generated by automake 1.11 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,8 +17,9 @@
 
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
@@ -35,27 +37,52 @@ host_triplet = @host@
 subdir = src/libfast
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
 CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
 am__vpath_adj = case $$p in \
     $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
     *) f=$$p;; \
   esac;
-am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__installdirs = "$(DESTDIR)$(libdir)"
-libLTLIBRARIES_INSTALL = $(INSTALL)
 LTLIBRARIES = $(lib_LTLIBRARIES)
+am__DEPENDENCIES_1 =
 libfast_la_DEPENDENCIES =  \
-	$(top_builddir)/src/libstrongswan/libstrongswan.la
+	$(top_builddir)/src/libstrongswan/libstrongswan.la \
+	$(am__DEPENDENCIES_1)
 am_libfast_la_OBJECTS = dispatcher.lo request.lo session.lo
 libfast_la_OBJECTS = $(am_libfast_la_OBJECTS)
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
+am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
@@ -103,25 +130,22 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
-IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
-LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
-LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
-LINUX_HEADERS = @LINUX_HEADERS@
 LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
 NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
@@ -133,11 +157,14 @@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
 PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
+RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
@@ -166,9 +193,9 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
-confdir = @confdir@
 datadir = @datadir@
 datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
@@ -191,7 +218,7 @@ ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
 libstrongswan_plugins = @libstrongswan_plugins@
-linuxdir = @linuxdir@
+linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
@@ -199,6 +226,7 @@ mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
@@ -207,10 +235,12 @@ pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+random_device = @random_device@
 resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
-simreader = @simreader@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
@@ -218,6 +248,7 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 lib_LTLIBRARIES = libfast.la
@@ -225,7 +256,7 @@ libfast_la_SOURCES = context.h dispatcher.c request.h session.h \
   controller.h dispatcher.h request.c session.c filter.h
 
 libfast_la_LIBADD = $(top_builddir)/src/libstrongswan/libstrongswan.la \
-  -lfcgi -lpthread -lneo_cgi -lneo_cs -lneo_utl -lz
+  -lfcgi -lneo_cgi -lneo_cs -lneo_utl -lz $(PTHREADLIB)
 
 INCLUDES = -I$(top_srcdir)/src/libstrongswan -I/usr/include/ClearSilver
 AM_CFLAGS = -rdynamic
@@ -242,9 +273,9 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/libfast/Makefile'; \
-	cd $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu  src/libfast/Makefile
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libfast/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libfast/Makefile
 .PRECIOUS: Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
@@ -262,23 +293,28 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
 install-libLTLIBRARIES: $(lib_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
 	test -z "$(libdir)" || $(MKDIR_P) "$(DESTDIR)$(libdir)"
-	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
+	@list='$(lib_LTLIBRARIES)'; test -n "$(libdir)" || list=; \
+	list2=; for p in $$list; do \
 	  if test -f $$p; then \
-	    f=$(am__strip_dir) \
-	    echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(libdir)/$$f'"; \
-	    $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(libdir)/$$f"; \
+	    list2="$$list2 $$p"; \
 	  else :; fi; \
-	done
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(libdir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(libdir)"; \
+	}
 
 uninstall-libLTLIBRARIES:
 	@$(NORMAL_UNINSTALL)
-	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
-	  p=$(am__strip_dir) \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(libdir)/$$p'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(libdir)/$$p"; \
+	@list='$(lib_LTLIBRARIES)'; test -n "$(libdir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(libdir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(libdir)/$$f"; \
 	done
 
 clean-libLTLIBRARIES:
@@ -304,21 +340,21 @@ distclean-compile:
 
 .c.o:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c $<
 
 .c.obj:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
 @am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
@@ -341,7 +377,7 @@ tags: TAGS
 
 TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
+	set x; \
 	here=`pwd`; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
@@ -349,29 +385,34 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
 	  test -n "$$unique" || unique=$$empty_fix; \
-	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	    $$tags $$unique; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
 	fi
 ctags: CTAGS
 CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	test -z "$(CTAGS_ARGS)$$unique" \
 	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$tags $$unique
+	     $$unique
 
 GTAGS:
 	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && cd $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) $$here
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
 
 distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
@@ -392,13 +433,17 @@ distdir: $(DISTFILES)
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
 	  if test -d $$d/$$file; then \
 	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
 	    fi; \
-	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
 	  else \
-	    test -f $(distdir)/$$file \
-	    || cp -p $$d/$$file $(distdir)/$$file \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
 	    || exit 1; \
 	  fi; \
 	done
@@ -429,6 +474,7 @@ clean-generic:
 
 distclean-generic:
 	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -450,6 +496,8 @@ dvi-am:
 
 html: html-am
 
+html-am:
+
 info: info-am
 
 info-am:
@@ -458,18 +506,28 @@ install-data-am:
 
 install-dvi: install-dvi-am
 
+install-dvi-am:
+
 install-exec-am: install-libLTLIBRARIES
 
 install-html: install-html-am
 
+install-html-am:
+
 install-info: install-info-am
 
+install-info-am:
+
 install-man:
 
 install-pdf: install-pdf-am
 
+install-pdf-am:
+
 install-ps: install-ps-am
 
+install-ps-am:
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -508,6 +566,7 @@ uninstall-am: uninstall-libLTLIBRARIES
 	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
 	tags uninstall uninstall-am uninstall-libLTLIBRARIES
 
+
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/src/libfast/context.h b/src/libfast/context.h
index 48b3c5e23..4f8d11d2c 100644
--- a/src/libfast/context.h
+++ b/src/libfast/context.h
@@ -32,7 +32,7 @@ typedef context_t *(*context_constructor_t)(void *param);
  * User specific session context, to extend.
  */
 struct context_t {
-	
+
 	/**
 	 * Destroy the context_t.
 	 */
diff --git a/src/libfast/controller.h b/src/libfast/controller.h
index 55ba6f58a..1edf72e90 100644
--- a/src/libfast/controller.h
+++ b/src/libfast/controller.h
@@ -42,14 +42,14 @@ typedef controller_t *(*controller_constructor_t)(context_t* context, void *para
  * The controller handle function is called for each incoming request.
  */
 struct controller_t {
-	
+
 	/**
 	 * Get the name of the controller.
 	 *
 	 * @return				name of the controller
 	 */
 	char* (*get_name)(controller_t *this);
-	
+
 	/**
 	 * Handle a HTTP request for that controller.
 	 *
@@ -67,7 +67,7 @@ struct controller_t {
 	 */
 	void (*handle)(controller_t *this, request_t *request,
 				   char *p1, char *p2, char *p3, char *p4, char *p5);
-		
+
 	/**
 	 * Destroy the controller instance.
 	 */
diff --git a/src/libfast/dispatcher.c b/src/libfast/dispatcher.c
index 35ae55814..7690230d3 100644
--- a/src/libfast/dispatcher.c
+++ b/src/libfast/dispatcher.c
@@ -19,12 +19,18 @@
 #include "session.h"
 
 #include <fcgiapp.h>
-#include <pthread.h>
 #include <signal.h>
 #include <unistd.h>
 
 #include <debug.h>
+#include <threading/thread.h>
+#include <threading/condvar.h>
+#include <threading/mutex.h>
 #include <utils/linked_list.h>
+#include <utils/hashtable.h>
+
+/** Intervall to check for expired sessions, in seconds */
+#define CLEANUP_INTERVAL 30
 
 typedef struct private_dispatcher_t private_dispatcher_t;
 
@@ -37,57 +43,62 @@ struct private_dispatcher_t {
 	 * public functions
 	 */
 	dispatcher_t public;
-	
+
 	/**
 	 * fcgi socket fd
 	 */
 	int fd;
-	
+
 	/**
 	 * thread list
 	 */
-	pthread_t *threads;
-	
+	thread_t **threads;
+
 	/**
 	 * number of threads in "threads"
 	 */
 	int thread_count;
-	
+
 	/**
 	 * session locking mutex
 	 */
-	pthread_mutex_t mutex;
-	
+	mutex_t *mutex;
+
 	/**
-	 * List of sessions
+	 * Hahstable with active sessions
 	 */
-	linked_list_t *sessions;
-	
+	hashtable_t *sessions;
+
 	/**
 	 * session timeout
 	 */
 	time_t timeout;
-	
+
+	/**
+	 * timestamp of last session cleanup round
+	 */
+	time_t last_cleanup;
+
 	/**
 	 * running in debug mode?
 	 */
 	bool debug;
-	
+
 	/**
 	 * List of controllers controller_constructor_t
 	 */
 	linked_list_t *controllers;
-	
+
 	/**
 	 * List of filters filter_constructor_t
 	 */
 	linked_list_t *filters;
-	
-	/** 
+
+	/**
 	 * constructor function to create session context (in controller_entry_t)
 	 */
 	context_constructor_t context_constructor;
-	
+
 	/**
 	 * user param to context constructor
 	 */
@@ -112,7 +123,7 @@ typedef struct {
 	/** session instance */
 	session_t *session;
 	/** condvar to wait for session */
-	pthread_cond_t cond;
+	condvar_t *cond;
 	/** client host address, to prevent session hijacking */
 	char *host;
 	/** TRUE if session is in use */
@@ -128,36 +139,36 @@ typedef struct {
  */
 static session_t* load_session(private_dispatcher_t *this)
 {
-	iterator_t *iterator;
+	enumerator_t *enumerator;
 	controller_entry_t *centry;
 	filter_entry_t *fentry;
 	session_t *session;
 	context_t *context = NULL;
 	controller_t *controller;
 	filter_t *filter;
-	
+
 	if (this->context_constructor)
 	{
 		context = this->context_constructor(this->param);
 	}
 	session = session_create(context);
-	
-	iterator = this->controllers->create_iterator(this->controllers, TRUE);
-	while (iterator->iterate(iterator, (void**)&centry))
+
+	enumerator = this->controllers->create_enumerator(this->controllers);
+	while (enumerator->enumerate(enumerator, &centry))
 	{
 		controller = centry->constructor(context, centry->param);
 		session->add_controller(session, controller);
 	}
-	iterator->destroy(iterator);
-	
-	iterator = this->filters->create_iterator(this->filters, TRUE);
-	while (iterator->iterate(iterator, (void**)&fentry))
+	enumerator->destroy(enumerator);
+
+	enumerator = this->filters->create_enumerator(this->filters);
+	while (enumerator->enumerate(enumerator, &fentry))
 	{
 		filter = fentry->constructor(context, fentry->param);
 		session->add_filter(session, filter);
 	}
-	iterator->destroy(iterator);
-	
+	enumerator->destroy(enumerator);
+
 	return session;
 }
 
@@ -168,21 +179,25 @@ static session_entry_t *session_entry_create(private_dispatcher_t *this,
 											 char *host)
 {
 	session_entry_t *entry;
-	
+
 	entry = malloc_thing(session_entry_t);
 	entry->in_use = FALSE;
 	entry->closed = FALSE;
-	pthread_cond_init(&entry->cond, NULL);
+	entry->cond = condvar_create(CONDVAR_TYPE_DEFAULT);
 	entry->session = load_session(this);
-	entry->used = time(NULL);
+	entry->used = time_monotonic(NULL);
 	entry->host = strdup(host);
-	
+
 	return entry;
 }
 
+/**
+ * destroy a session
+ */
 static void session_entry_destroy(session_entry_t *entry)
 {
 	entry->session->destroy(entry->session);
+	entry->cond->destroy(entry->cond);
 	free(entry->host);
 	free(entry);
 }
@@ -194,7 +209,7 @@ static void add_controller(private_dispatcher_t *this,
 						   controller_constructor_t constructor, void *param)
 {
 	controller_entry_t *entry = malloc_thing(controller_entry_t);
-	
+
 	entry->constructor = constructor;
 	entry->param = param;
 	this->controllers->insert_last(this->controllers, entry);
@@ -207,90 +222,129 @@ static void add_filter(private_dispatcher_t *this,
 					   filter_constructor_t constructor, void *param)
 {
 	filter_entry_t *entry = malloc_thing(filter_entry_t);
-	
+
 	entry->constructor = constructor;
 	entry->param = param;
 	this->filters->insert_last(this->filters, entry);
 }
 
 /**
- * Actual dispatching code 
+ * Hashtable hash function
+ */
+static u_int session_hash(char *sid)
+{
+	return chunk_hash(chunk_create(sid, strlen(sid)));
+}
+
+/**
+ * Hashtable equals function
+ */
+static bool session_equals(char *sid1, char *sid2)
+{
+	return streq(sid1, sid2);
+}
+
+/**
+ * Cleanup unused sessions
+ */
+static void cleanup_sessions(private_dispatcher_t *this, time_t now)
+{
+	if (this->last_cleanup < now - CLEANUP_INTERVAL)
+	{
+		char *sid;
+		session_entry_t *entry;
+		enumerator_t *enumerator;
+		linked_list_t *remove;
+
+		this->last_cleanup = now;
+		remove = linked_list_create();
+		enumerator = this->sessions->create_enumerator(this->sessions);
+		while (enumerator->enumerate(enumerator, &sid, &entry))
+		{
+			/* check all sessions for timeout or close flag */
+			if (!entry->in_use &&
+				(entry->used < now - this->timeout || entry->closed))
+			{
+				remove->insert_last(remove, sid);
+			}
+		}
+		enumerator->destroy(enumerator);
+
+		while (remove->remove_last(remove, (void**)&sid) == SUCCESS)
+		{
+			entry = this->sessions->remove(this->sessions, sid);
+			if (entry)
+			{
+				session_entry_destroy(entry);
+			}
+		}
+		remove->destroy(remove);
+	}
+}
+
+/**
+ * Actual dispatching code
  */
 static void dispatch(private_dispatcher_t *this)
 {
-	pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, NULL);
+	thread_cancelability(FALSE);
 
 	while (TRUE)
 	{
 		request_t *request;
-		session_entry_t *current, *found = NULL;
-		iterator_t *iterator;
+		session_entry_t *found = NULL;
 		time_t now;
 		char *sid;
-		
-		pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, NULL);
+
+		thread_cancelability(TRUE);
 		request = request_create(this->fd, this->debug);
-		pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, NULL);
+		thread_cancelability(FALSE);
 
 		if (request == NULL)
 		{
 			continue;
 		}
+		now = time_monotonic(NULL);
 		sid = request->get_cookie(request, "SID");
-		now = time(NULL);
-		
-		/* find session */
-		pthread_mutex_lock(&this->mutex);
-		iterator = this->sessions->create_iterator(this->sessions, TRUE);
-		while (iterator->iterate(iterator, (void**)&current))
+
+		this->mutex->lock(this->mutex);
+		if (sid)
 		{
-			/* check all sessions for timeout or close flag 
-			 * TODO: use a seperate cleanup thread */
-			if (!current->in_use &&
-				(current->used < now - this->timeout || current->closed))
-			{
-				iterator->remove(iterator);
-				session_entry_destroy(current);
-				continue;
-			}
-			/* find by session ID. Prevent session hijacking by host check */
-			if (!found && sid &&
-				streq(current->session->get_sid(current->session), sid) &&
-				streq(current->host, request->get_host(request)))
-			{
-				found = current;
-			}
+			found = this->sessions->get(this->sessions, sid);
+		}
+		if (found && !streq(found->host, request->get_host(request)))
+		{
+			found = NULL;
 		}
-		iterator->destroy(iterator);
-		
 		if (found)
 		{
 			/* wait until session is unused */
 			while (found->in_use)
 			{
-				pthread_cond_wait(&found->cond, &this->mutex);
+				found->cond->wait(found->cond, this->mutex);
 			}
 		}
 		else
 		{	/* create a new session if not found */
 			found = session_entry_create(this, request->get_host(request));
-			this->sessions->insert_first(this->sessions, found);
+			sid = found->session->get_sid(found->session);
+			this->sessions->put(this->sessions, sid, found);
 		}
 		found->in_use = TRUE;
-		pthread_mutex_unlock(&this->mutex);
-	
+		this->mutex->unlock(this->mutex);
+
 		/* start processing */
 		found->session->process(found->session, request);
-		found->used = time(NULL);
-		
+		found->used = time_monotonic(NULL);
+
 		/* release session */
-		pthread_mutex_lock(&this->mutex);
+		this->mutex->lock(this->mutex);
 		found->in_use = FALSE;
 		found->closed = request->session_closed(request);
-		pthread_cond_signal(&found->cond);
-		pthread_mutex_unlock(&this->mutex);
-		
-		/* cleanup */
+		found->cond->signal(found->cond);
+		cleanup_sessions(this, now);
+		this->mutex->unlock(this->mutex);
+
 		request->destroy(request);
 	}
 }
@@ -301,11 +355,12 @@ static void dispatch(private_dispatcher_t *this)
 static void run(private_dispatcher_t *this, int threads)
 {
 	this->thread_count = threads;
-	this->threads = malloc(sizeof(pthread_t) * threads);
+	this->threads = malloc(sizeof(thread_t*) * threads);
 	while (threads)
 	{
-		if (pthread_create(&this->threads[threads - 1],
-						   NULL, (void*)dispatch, this) == 0)
+		this->threads[threads - 1] = thread_create((thread_main_t)dispatch,
+												   this);
+		if (this->threads[threads - 1])
 		{
 			threads--;
 		}
@@ -319,7 +374,7 @@ static void waitsignal(private_dispatcher_t *this)
 {
 	sigset_t set;
 	int sig;
-	
+
 	sigemptyset(&set);
 	sigaddset(&set, SIGINT);
 	sigaddset(&set, SIGTERM);
@@ -333,15 +388,27 @@ static void waitsignal(private_dispatcher_t *this)
  */
 static void destroy(private_dispatcher_t *this)
 {
+	char *sid;
+	session_entry_t *entry;
+	enumerator_t *enumerator;
+
 	FCGX_ShutdownPending();
 	while (this->thread_count--)
 	{
-		pthread_cancel(this->threads[this->thread_count]);
-		pthread_join(this->threads[this->thread_count], NULL);
+		thread_t *thread = this->threads[this->thread_count];
+		thread->cancel(thread);
+		thread->join(thread);
+	}
+	enumerator = this->sessions->create_enumerator(this->sessions);
+	while (enumerator->enumerate(enumerator, &sid, &entry))
+	{
+		session_entry_destroy(entry);
 	}
-	this->sessions->destroy_function(this->sessions, (void*)session_entry_destroy);
+	enumerator->destroy(enumerator);
+	this->sessions->destroy(this->sessions);
 	this->controllers->destroy_function(this->controllers, free);
 	this->filters->destroy_function(this->filters, free);
+	this->mutex->destroy(this->mutex);
 	free(this->threads);
 	free(this);
 }
@@ -359,22 +426,24 @@ dispatcher_t *dispatcher_create(char *socket, bool debug, int timeout,
 	this->public.run = (void(*)(dispatcher_t*, int threads))run;
 	this->public.waitsignal = (void(*)(dispatcher_t*))waitsignal;
 	this->public.destroy = (void(*)(dispatcher_t*))destroy;
-	
-	this->sessions = linked_list_create();
+
+	this->sessions = hashtable_create((void*)session_hash,
+									  (void*)session_equals, 4096);
 	this->controllers = linked_list_create();
 	this->filters = linked_list_create();
 	this->context_constructor = constructor;
-	pthread_mutex_init(&this->mutex, NULL);
+	this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
 	this->param = param;
-    this->fd = 0;
-    this->timeout = timeout;
-    this->debug = debug;
-    this->threads = NULL;
-	
-    FCGX_Init();
-    
-    if (socket)
-    {
+	this->fd = 0;
+	this->timeout = timeout;
+	this->last_cleanup = time_monotonic(NULL);
+	this->debug = debug;
+	this->threads = NULL;
+
+	FCGX_Init();
+
+	if (socket)
+	{
 		unlink(socket);
 		this->fd = FCGX_OpenSocket(socket, 10);
 	}
diff --git a/src/libfast/dispatcher.h b/src/libfast/dispatcher.h
index 5b4e3f947..16223fe76 100644
--- a/src/libfast/dispatcher.h
+++ b/src/libfast/dispatcher.h
@@ -23,33 +23,33 @@
  * the webserver. It is multithreaded and really fast.
  *
  * The application has a global context and a session context. The global
- * context is accessed from all sessions simultaneously and therefore 
+ * context is accessed from all sessions simultaneously and therefore
  * needs to be threadsave. Often a database wrapper is the global context.
  * The session context is instanciated per session. Sessions are managed
  * automatically through session cookies. The session context is kept alive
  * until the session times out. It must implement the context_t interface and
- * a #context_constructor_t is needed to create instances. To each session, 
- * a set of controllers gets instanciated. The controller instances are per 
+ * a #context_constructor_t is needed to create instances. To each session,
+ * a set of controllers gets instanciated. The controller instances are per
  * session, so you can hold private data for each user.
- * Controllers need to implement the controller_t interface and need a 
+ * Controllers need to implement the controller_t interface and need a
  * #controller_constructor_t function to create instances.
  *
  * A small example shows how to set up libfast:
  * @code
 	dispatcher_t *dispatcher;
 	your_global_context_implementation_t *global;
- 
- 	global = initialize_your_global_context();
- 
- 	dispatcher = dispatcher_create(NULL, FALSE, 180,
+
+	global = initialize_your_global_context();
+
+	dispatcher = dispatcher_create(NULL, FALSE, 180,
 			(context_constructor_t)your_session_context_create, global);
 	dispatcher->add_controller(dispatcher, your_controller1_create, param1);
 	dispatcher->add_controller(dispatcher, your_controller2_create, param2);
-	
+
 	dispatcher->run(dispatcher, 20);
-	
+
 	dispatcher->waitsignal(dispatcher);
-	
+
 	dispatcher->destroy(dispatcher);
 	global->destroy();
    @endcode
@@ -76,7 +76,7 @@ typedef struct dispatcher_t dispatcher_t;
  * constructor added with add_controller.
  */
 struct dispatcher_t {
-	
+
 	/**
 	 * Register a controller to the dispatcher.
 	 *
@@ -90,14 +90,14 @@ struct dispatcher_t {
 						   controller_constructor_t constructor, void *param);
 
 	/**
-	 * @brief Add a filter to the dispatcher.
+	 * Add a filter to the dispatcher.
 	 *
 	 * @param constructor	constructor to create filter in session
 	 * @param param			param to pass to constructor
 	 */
 	void (*add_filter)(dispatcher_t *this,
-					   filter_constructor_t constructor, void *param); 	
-	
+					   filter_constructor_t constructor, void *param);
+
 	/**
 	 * Start with dispatching.
 	 *
@@ -106,13 +106,13 @@ struct dispatcher_t {
 	 * @param threads		number of dispatching threads
 	 */
 	void (*run)(dispatcher_t *this, int threads);
-	
+
 	/**
 	 * Wait for a relevant signal action.
 	 *
 	 */
 	void (*waitsignal)(dispatcher_t *this);
-	
+
 	/**
 	 * Destroy the dispatcher_t.
 	 */
diff --git a/src/libfast/filter.h b/src/libfast/filter.h
index d2602db9d..305a8bb6e 100644
--- a/src/libfast/filter.h
+++ b/src/libfast/filter.h
@@ -39,7 +39,7 @@ typedef filter_t *(*filter_constructor_t)(context_t* context, void *param);
  * Filter interface, to be implemented by users filters.
  */
 struct filter_t {
-	
+
 	/**
 	 * Called before the controller handles the request.
 	 *
@@ -53,7 +53,7 @@ struct filter_t {
 	 */
 	bool (*run)(filter_t *this, request_t *request,
 				char *p0, char *p1, char *p2, char *p3, char *p4, char *p5);
-	
+
 	/**
 	 * Destroy the filter instance.
 	 */
diff --git a/src/libfast/request.c b/src/libfast/request.c
index 96dfab8e7..3f4894c45 100644
--- a/src/libfast/request.c
+++ b/src/libfast/request.c
@@ -20,10 +20,13 @@
 #include <library.h>
 #include <debug.h>
 #include <stdlib.h>
-#include <string.h>
 #include <pthread.h>
+#include <string.h>
 #include <ClearSilver/ClearSilver.h>
 
+#include <threading/thread.h>
+#include <threading/thread_value.h>
+
 typedef struct private_request_t private_request_t;
 
 /**
@@ -35,32 +38,32 @@ struct private_request_t {
 	 * public functions
 	 */
 	request_t public;
-	
+
 	/**
 	 * FastCGI request object
 	 */
 	FCGX_Request req;
-	
+
 	/**
 	 * length of the req.envp array
 	 */
 	int req_env_len;
-	
+
 	/**
 	 * ClearSilver CGI Kit context
 	 */
 	CGI *cgi;
-	
+
 	/**
 	 * ClearSilver HDF dataset for this request
 	 */
 	HDF *hdf;
-	
-	/** 
+
+	/**
 	 * close the session?
 	 */
 	bool closed;
-	
+
 	/**
 	 * reference count
 	 */
@@ -68,11 +71,10 @@ struct private_request_t {
 };
 
 /**
- * key to a the threads "this" request, used for ClearSilver cgiwrap callbacks.
  * ClearSilver cgiwrap is not threadsave, so we use a private
  * context for each thread.
  */
-static pthread_key_t this_key;
+static thread_value_t *thread_this;
 
 /**
  * control variable for pthread_once
@@ -84,8 +86,8 @@ pthread_once_t once = PTHREAD_ONCE_INIT;
  */
 static int read_cb(void *null, char *buf, int size)
 {
-	private_request_t *this = (private_request_t*)pthread_getspecific(this_key);
-	
+	private_request_t *this = (private_request_t*)thread_this->get(thread_this);
+
 	return FCGX_GetStr(buf, size, this->req.in);
 }
 
@@ -94,8 +96,8 @@ static int read_cb(void *null, char *buf, int size)
  */
 static int writef_cb(void *null, const char *format, va_list args)
 {
-	private_request_t *this = (private_request_t*)pthread_getspecific(this_key);
-	
+	private_request_t *this = (private_request_t*)thread_this->get(thread_this);
+
 	FCGX_VFPrintF(this->req.out, format, args);
 	return 0;
 }
@@ -104,8 +106,8 @@ static int writef_cb(void *null, const char *format, va_list args)
  */
 static int write_cb(void *null, const char *buf, int size)
 {
-	private_request_t *this = (private_request_t*)pthread_getspecific(this_key);
-	
+	private_request_t *this = (private_request_t*)thread_this->get(thread_this);
+
 	return FCGX_PutStr(buf, size, this->req.out);
 }
 
@@ -115,8 +117,8 @@ static int write_cb(void *null, const char *buf, int size)
 static char *getenv_cb(void *null, const char *key)
 {
 	char *value;
-	private_request_t *this = (private_request_t*)pthread_getspecific(this_key);
-	
+	private_request_t *this = (private_request_t*)thread_this->get(thread_this);
+
 	value = FCGX_GetParam(key, this->req.envp);
 	return value ? strdup(value) : NULL;
 }
@@ -137,7 +139,7 @@ static int iterenv_cb(void *null, int num, char **key, char **value)
 {
 	*key = NULL;
 	*value = NULL;
-	private_request_t *this = (private_request_t*)pthread_getspecific(this_key);
+	private_request_t *this = (private_request_t*)thread_this->get(thread_this);
 	if (num < this->req_env_len)
 	{
 		char *eq;
@@ -157,7 +159,7 @@ static int iterenv_cb(void *null, int num, char **key, char **value)
 	}
 	return 0;
 }
-	
+
 /**
  * Implementation of request_t.get_cookie.
  */
@@ -165,7 +167,7 @@ static char* get_cookie(private_request_t *this, char *name)
 {
 	return hdf_get_valuef(this->hdf, "Cookie.%s", name);
 }
-	
+
 /**
  * Implementation of request_t.get_path.
  */
@@ -206,12 +208,12 @@ static char* get_query_data(private_request_t *this, char *name)
  */
 static void add_cookie(private_request_t *this, char *name, char *value)
 {
-	pthread_setspecific(this_key, this);
+	thread_this->set(thread_this, this);
 	cgi_cookie_set (this->cgi, name, value,
 					FCGX_GetParam("SCRIPT_NAME", this->req.envp),
 					NULL, NULL, 0, 0);
 }
-	
+
 /**
  * Implementation of request_t.redirect.
  */
@@ -246,7 +248,7 @@ static char* get_base(private_request_t *this)
 {
 	return FCGX_GetParam("SCRIPT_NAME", this->req.envp);
 }
-	
+
 /**
  * Implementation of request_t.session_closed.
  */
@@ -279,8 +281,8 @@ static void serve(private_request_t *this, char *headers, chunk_t chunk)
 static void render(private_request_t *this, char *template)
 {
 	NEOERR* err;
-	
-	pthread_setspecific(this_key, this);
+
+	thread_this->set(thread_this, this);
 	err = cgi_display(this->cgi, template);
 	if (err)
 	{
@@ -327,8 +329,8 @@ static void setf(private_request_t *this, char *format, ...)
 	va_start(args, format);
 	hdf_set_valuevf(this->hdf, format, args);
 	va_end(args);
-}	
-	
+}
+
 /**
  * Implementation of request_t.get_ref.
  */
@@ -345,7 +347,7 @@ static void destroy(private_request_t *this)
 {
 	if (ref_put(&this->ref))
 	{
-		pthread_setspecific(this_key, this);
+		thread_this->set(thread_this, this);
 		cgi_destroy(&this->cgi);
 		FCGX_Finish_r(&this->req);
 		free(this);
@@ -359,8 +361,8 @@ static void destroy(private_request_t *this)
 static void init(void)
 {
 	cgiwrap_init_emu(NULL, read_cb, writef_cb, write_cb,
-	                 getenv_cb, putenv_cb, iterenv_cb);
-	pthread_key_create(&this_key, NULL);
+					 getenv_cb, putenv_cb, iterenv_cb);
+	thread_this = thread_value_create(NULL);
 }
 
 /*
@@ -371,14 +373,14 @@ request_t *request_create(int fd, bool debug)
 	NEOERR* err;
 	private_request_t *this = malloc_thing(private_request_t);
 	bool failed = FALSE;
-	
-	pthread_cleanup_push(free, this);
+
+	thread_cleanup_push(free, this);
 	if (FCGX_InitRequest(&this->req, fd, 0) != 0 ||
 		FCGX_Accept_r(&this->req) != 0)
 	{
 		failed = TRUE;
 	}
-	pthread_cleanup_pop(failed);
+	thread_cleanup_pop(failed);
 	if (failed)
 	{
 		return NULL;
@@ -402,18 +404,18 @@ request_t *request_create(int fd, bool debug)
 	this->public.setf = (void(*)(request_t*, char *format, ...))setf;
 	this->public.get_ref = (request_t*(*)(request_t*))get_ref;
 	this->public.destroy = (void(*)(request_t*))destroy;
-	
+
 	pthread_once(&once, init);
-	pthread_setspecific(this_key, this);
-	
+	thread_this->set(thread_this, this);
+
 	this->ref = 1;
 	this->closed = FALSE;
-	this->req_env_len = 0;	
+	this->req_env_len = 0;
 	while (this->req.envp[this->req_env_len] != NULL)
 	{
 		this->req_env_len++;
 	}
-	
+
 	err = hdf_init(&this->hdf);
 	if (!err)
 	{
@@ -425,7 +427,7 @@ request_t *request_create(int fd, bool debug)
 			hdf_set_value(this->hdf, "Config.CompressionEnabled", "1");
 			hdf_set_value(this->hdf, "Config.WhiteSpaceStrip", "2");
 		}
-	
+
 		err = cgi_init(&this->cgi, this->hdf);
 		if (!err)
 		{
diff --git a/src/libfast/request.h b/src/libfast/request.h
index b9ea88830..61e2d59f0 100644
--- a/src/libfast/request.h
+++ b/src/libfast/request.h
@@ -32,7 +32,7 @@ typedef struct request_t request_t;
  * The response is also handled through the request object.
  */
 struct request_t {
-	
+
 	/**
 	 * Add a cookie to the reply (Set-Cookie header).
 	 *
@@ -40,7 +40,7 @@ struct request_t {
 	 * @param value		value of the cookie
 	 */
 	void (*add_cookie)(request_t *this, char *name, char *value);
-	
+
 	/**
 	 * Get a cookie the client sent in the request.
 	 *
@@ -48,35 +48,35 @@ struct request_t {
 	 * @return			cookie value, NULL if no such cookie found
 	 */
 	char* (*get_cookie)(request_t *this, char *name);
-	
+
 	/**
 	 * Get the request path relative to the application.
 	 *
 	 * @return			path
 	 */
 	char* (*get_path)(request_t *this);
-	
+
 	/**
 	 * Get the base path of the application.
 	 *
 	 * @return			base path
 	 */
 	char* (*get_base)(request_t *this);
-	
+
 	/**
 	 * Get the remote host address of this request.
 	 *
 	 * @return			host address as string
 	 */
 	char* (*get_host)(request_t *this);
-	
+
 	/**
 	 * Get the user agent string.
 	 *
 	 * @return			user agent string
 	 */
 	char* (*get_user_agent)(request_t *this);
-		
+
 	/**
 	 * Get a post/get variable included in the request.
 	 *
@@ -84,19 +84,19 @@ struct request_t {
 	 * @return			value, NULL if not found
 	 */
 	char* (*get_query_data)(request_t *this, char *name);
-	
+
 	/**
 	 * Close the session and it's context after handling.
 	 */
 	void (*close_session)(request_t *this);
-	
+
 	/**
 	 * Has the session been closed by close_session()?
 	 *
 	 * @return			TRUE if session has been closed
 	 */
 	bool (*session_closed)(request_t *this);
-	
+
 	/**
 	 * Redirect the client to another location.
 	 *
@@ -104,12 +104,12 @@ struct request_t {
 	 * @param ...		variable argument for fmt
 	 */
 	void (*redirect)(request_t *this, char *fmt, ...);
-	
+
 	/**
 	 * Redirect the client to the referer.
 	 */
 	void (*to_referer)(request_t *this);
-		
+
 	/**
 	 * Set a template value.
 	 *
@@ -117,7 +117,7 @@ struct request_t {
 	 * @param value		value to set key to
 	 */
 	void (*set)(request_t *this, char *key, char *value);
-	
+
 	/**
 	 * Set a template value using format strings.
 	 *
@@ -128,7 +128,7 @@ struct request_t {
 	 * @param ...		variable argument list
 	 */
 	void (*setf)(request_t *this, char *format, ...);
-	
+
 	/**
 	 * Render a template.
 	 *
@@ -139,7 +139,7 @@ struct request_t {
 	 * @param template	clearsilver template file location
 	 */
 	void (*render)(request_t *this, char *template);
-	
+
 	/**
 	 * Stream a format string to the client.
 	 *
@@ -151,7 +151,7 @@ struct request_t {
 	 * @return			number of streamed bytes, < 0 if stream closed
 	 */
 	int (*streamf)(request_t *this, char *format, ...);
-	
+
 	/**
 	 * Serve a request with headers and a body.
 	 *
@@ -159,14 +159,14 @@ struct request_t {
 	 * @param chunk		body to write to output
 	 */
 	void (*serve)(request_t *this, char *headers, chunk_t chunk);
-	
+
 	/**
 	 * Increase the reference count to the stream.
 	 *
 	 * @return			this with increased refcount
 	 */
 	request_t* (*get_ref)(request_t *this);
-	
+
 	/**
 	 * Destroy the request_t.
 	 */
diff --git a/src/libfast/session.c b/src/libfast/session.c
index 455c8d5e1..f03b75542 100644
--- a/src/libfast/session.c
+++ b/src/libfast/session.c
@@ -23,6 +23,8 @@
 
 #include <utils/linked_list.h>
 
+#define COOKIE_LEN 16
+
 typedef struct private_session_t private_session_t;
 
 /**
@@ -34,22 +36,27 @@ struct private_session_t {
 	 * public functions
 	 */
 	session_t public;
-	
+
 	/**
 	 * session ID
 	 */
-	char *sid;
-	
+	char sid[COOKIE_LEN * 2 + 1];
+
+	/**
+	 * have we sent the session cookie?
+	 */
+	bool cookie_sent;
+
 	/**
 	 * list of controller instances controller_t
 	 */
 	linked_list_t *controllers;
-	
+
 	/**
 	 * list of filter instances filter_t
 	 */
 	linked_list_t *filters;
-	
+
 	/**
 	 * user defined session context
 	 */
@@ -75,20 +82,20 @@ static void add_filter(private_session_t *this, filter_t *filter)
 /**
  * Create a session ID and a cookie
  */
-static void create_sid(private_session_t *this, request_t *request)
+static void create_sid(private_session_t *this)
 {
-	char buf[16];
-	chunk_t chunk = chunk_from_buf(buf);
+	char buf[COOKIE_LEN];
 	rng_t *rng;
-	
+
+	memset(buf, 0, sizeof(buf));
+	memset(this->sid, 0, sizeof(this->sid));
 	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
 	if (rng)
 	{
 		rng->get_bytes(rng, sizeof(buf), buf);
-		this->sid = chunk_to_hex(chunk, NULL, FALSE).ptr;
-		request->add_cookie(request, "SID", this->sid);
 		rng->destroy(rng);
 	}
+	chunk_to_hex(chunk_create(buf, sizeof(buf)), this->sid, FALSE);
 }
 
 /**
@@ -99,7 +106,7 @@ static bool run_filter(private_session_t *this, request_t *request, char *p0,
 {
 	enumerator_t *enumerator;
 	filter_t *filter;
-	
+
 	enumerator = this->filters->create_enumerator(this->filters);
 	while (enumerator->enumerate(enumerator, &filter))
 	{
@@ -123,12 +130,13 @@ static void process(private_session_t *this, request_t *request)
 	bool handled = FALSE;
 	controller_t *current;
 	int i = 0;
-	
-	if (this->sid == NULL)
+
+	if (!this->cookie_sent)
 	{
-		create_sid(this, request);
+		request->add_cookie(request, "SID", this->sid);
+		this->cookie_sent = TRUE;
 	}
-	
+
 	start = request->get_path(request);
 	if (start)
 	{
@@ -142,15 +150,15 @@ static void process(private_session_t *this, request_t *request)
 			start = pos + 1;
 		}
 		param[i] = strdupa(start);
-		
-		if (run_filter(this, request, param[0], param[1], param[2], param[3], 
-					    param[4], param[5]))
+
+		if (run_filter(this, request, param[0], param[1], param[2], param[3],
+						param[4], param[5]))
 		{
 			enumerator = this->controllers->create_enumerator(this->controllers);
 			while (enumerator->enumerate(enumerator, &current))
 			{
 				if (streq(current->get_name(current), param[0]))
-				{	
+				{
 					current->handle(current, request, param[1], param[2],
 									param[3], param[4], param[5]);
 					handled = TRUE;
@@ -190,7 +198,6 @@ static void destroy(private_session_t *this)
 	this->controllers->destroy_offset(this->controllers, offsetof(controller_t, destroy));
 	this->filters->destroy_offset(this->filters, offsetof(filter_t, destroy));
 	DESTROY_IF(this->context);
-	free(this->sid);
 	free(this);
 }
 
@@ -207,11 +214,12 @@ session_t *session_create(context_t *context)
 	this->public.get_sid = (char*(*)(session_t*))get_sid;
 	this->public.destroy = (void(*)(session_t*))destroy;
 
-	this->sid = NULL;
+	create_sid(this);
+	this->cookie_sent = FALSE;
 	this->controllers = linked_list_create();
 	this->filters = linked_list_create();
 	this->context = context;
-	
+
 	return &this->public;
 }
 
diff --git a/src/libfast/session.h b/src/libfast/session.h
index 524e60f46..c6633f9ae 100644
--- a/src/libfast/session.h
+++ b/src/libfast/session.h
@@ -31,35 +31,35 @@ typedef struct session_t session_t;
  * Session handling class, instanciated for each user session.
  */
 struct session_t {
-	
+
 	/**
 	 * Get the session ID of the session.
 	 *
 	 * @return				session ID
 	 */
 	char* (*get_sid)(session_t *this);
-	
+
 	/**
 	 * Add a controller instance to the session.
 	 *
 	 * @param controller	controller to add
 	 */
 	void (*add_controller)(session_t *this, controller_t *controller);
-	
+
 	/**
-	 * @brief Add a filter instance to the session.
+	 * Add a filter instance to the session.
 	 *
 	 * @param filter		filter to add
 	 */
 	void (*add_filter)(session_t *this, filter_t *filter);
-	
+
 	/**
 	 * Process a request in this session.
 	 *
 	 * @param request		request to process
 	 */
 	void (*process)(session_t *this, request_t *request);
-	
+
 	/**
 	 * Destroy the session_t.
 	 *
diff --git a/src/libfreeswan/Makefile.in b/src/libfreeswan/Makefile.in
index 31ea3a634..e72759bca 100644
--- a/src/libfreeswan/Makefile.in
+++ b/src/libfreeswan/Makefile.in
@@ -1,8 +1,9 @@
-# Makefile.in generated by automake 1.10.2 from Makefile.am.
+# Makefile.in generated by automake 1.11 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,8 +17,9 @@
 
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
@@ -36,11 +38,19 @@ subdir = src/libfreeswan
 DIST_COMMON = $(dist_man3_MANS) $(srcdir)/Makefile.am \
 	$(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
 CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
 LIBRARIES = $(noinst_LIBRARIES)
 ARFLAGS = cru
 libfreeswan_a_AR = $(AR) $(ARFLAGS)
@@ -64,6 +74,7 @@ libfreeswan_a_OBJECTS = $(am_libfreeswan_a_OBJECTS)
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
+am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
@@ -75,6 +86,27 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(libfreeswan_a_SOURCES)
 DIST_SOURCES = $(libfreeswan_a_SOURCES)
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 man3dir = $(mandir)/man3
 am__installdirs = "$(DESTDIR)$(man3dir)"
 NROFF = nroff
@@ -115,25 +147,22 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
-IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
-LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
-LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
-LINUX_HEADERS = @LINUX_HEADERS@
 LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
 NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
@@ -145,11 +174,14 @@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
 PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
+RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
@@ -178,9 +210,9 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
-confdir = @confdir@
 datadir = @datadir@
 datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
@@ -203,7 +235,7 @@ ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
 libstrongswan_plugins = @libstrongswan_plugins@
-linuxdir = @linuxdir@
+linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
@@ -211,6 +243,7 @@ mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
@@ -219,10 +252,12 @@ pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+random_device = @random_device@
 resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
-simreader = @simreader@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
@@ -230,6 +265,7 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 noinst_LIBRARIES = libfreeswan.a
@@ -264,9 +300,9 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/libfreeswan/Makefile'; \
-	cd $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu  src/libfreeswan/Makefile
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libfreeswan/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libfreeswan/Makefile
 .PRECIOUS: Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
@@ -284,6 +320,7 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
 
 clean-noinstLIBRARIES:
 	-test -z "$(noinst_LIBRARIES)" || rm -f $(noinst_LIBRARIES)
@@ -340,21 +377,21 @@ distclean-compile:
 
 .c.o:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c $<
 
 .c.obj:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
 @am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
@@ -364,51 +401,40 @@ mostlyclean-libtool:
 
 clean-libtool:
 	-rm -rf .libs _libs
-install-man3: $(man3_MANS) $(man_MANS)
+install-man3: $(dist_man3_MANS)
 	@$(NORMAL_INSTALL)
 	test -z "$(man3dir)" || $(MKDIR_P) "$(DESTDIR)$(man3dir)"
-	@list='$(man3_MANS) $(dist_man3_MANS) $(nodist_man3_MANS)'; \
-	l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
-	for i in $$l2; do \
-	  case "$$i" in \
-	    *.3*) list="$$list $$i" ;; \
-	  esac; \
+	@list='$(dist_man3_MANS)'; test -n "$(man3dir)" || exit 0; \
+	{ for i in $$list; do echo "$$i"; done; \
+	} | while read p; do \
+	  if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
+	  echo "$$d$$p"; echo "$$p"; \
+	done | \
+	sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^3][0-9a-z]*$$,3,;x' \
+	      -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \
+	sed 'N;N;s,\n, ,g' | { \
+	list=; while read file base inst; do \
+	  if test "$$base" = "$$inst"; then list="$$list $$file"; else \
+	    echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man3dir)/$$inst'"; \
+	    $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man3dir)/$$inst" || exit $$?; \
+	  fi; \
 	done; \
-	for i in $$list; do \
-	  if test -f $$i; then file=$$i; \
-	  else file=$(srcdir)/$$i; fi; \
-	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
-	  case "$$ext" in \
-	    3*) ;; \
-	    *) ext='3' ;; \
-	  esac; \
-	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
-	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
-	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
-	  echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man3dir)/$$inst'"; \
-	  $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man3dir)/$$inst"; \
-	done
+	for i in $$list; do echo "$$i"; done | $(am__base_list) | \
+	while read files; do \
+	  test -z "$$files" || { \
+	    echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man3dir)'"; \
+	    $(INSTALL_DATA) $$files "$(DESTDIR)$(man3dir)" || exit $$?; }; \
+	done; }
+
 uninstall-man3:
 	@$(NORMAL_UNINSTALL)
-	@list='$(man3_MANS) $(dist_man3_MANS) $(nodist_man3_MANS)'; \
-	l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
-	for i in $$l2; do \
-	  case "$$i" in \
-	    *.3*) list="$$list $$i" ;; \
-	  esac; \
-	done; \
-	for i in $$list; do \
-	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
-	  case "$$ext" in \
-	    3*) ;; \
-	    *) ext='3' ;; \
-	  esac; \
-	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
-	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
-	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
-	  echo " rm -f '$(DESTDIR)$(man3dir)/$$inst'"; \
-	  rm -f "$(DESTDIR)$(man3dir)/$$inst"; \
-	done
+	@list='$(dist_man3_MANS)'; test -n "$(man3dir)" || exit 0; \
+	files=`{ for i in $$list; do echo "$$i"; done; \
+	} | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^3][0-9a-z]*$$,3,;x' \
+	      -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
+	test -z "$$files" || { \
+	  echo " ( cd '$(DESTDIR)$(man3dir)' && rm -f" $$files ")"; \
+	  cd "$(DESTDIR)$(man3dir)" && rm -f $$files; }
 
 ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
@@ -422,7 +448,7 @@ tags: TAGS
 
 TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
+	set x; \
 	here=`pwd`; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
@@ -430,34 +456,52 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
 	  test -n "$$unique" || unique=$$empty_fix; \
-	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	    $$tags $$unique; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
 	fi
 ctags: CTAGS
 CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	test -z "$(CTAGS_ARGS)$$unique" \
 	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$tags $$unique
+	     $$unique
 
 GTAGS:
 	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && cd $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) $$here
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
 
 distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
 
 distdir: $(DISTFILES)
+	@list='$(MANS)'; if test -n "$$list"; then \
+	  list=`for p in $$list; do \
+	    if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
+	    if test -f "$$d$$p"; then echo "$$d$$p"; else :; fi; done`; \
+	  if test -n "$$list" && \
+	    grep 'ab help2man is required to generate this page' $$list >/dev/null; then \
+	    echo "error: found man pages containing the \`missing help2man' replacement text:" >&2; \
+	    grep -l 'ab help2man is required to generate this page' $$list | sed 's/^/         /' >&2; \
+	    echo "       to fix them, install help2man, remove and regenerate the man pages;" >&2; \
+	    echo "       typically \`make maintainer-clean' will remove them" >&2; \
+	    exit 1; \
+	  else :; fi; \
+	else :; fi
 	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
 	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
 	list='$(DISTFILES)'; \
@@ -473,13 +517,17 @@ distdir: $(DISTFILES)
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
 	  if test -d $$d/$$file; then \
 	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
 	    fi; \
-	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
 	  else \
-	    test -f $(distdir)/$$file \
-	    || cp -p $$d/$$file $(distdir)/$$file \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
 	    || exit 1; \
 	  fi; \
 	done
@@ -510,6 +558,7 @@ clean-generic:
 
 distclean-generic:
 	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -531,6 +580,8 @@ dvi-am:
 
 html: html-am
 
+html-am:
+
 info: info-am
 
 info-am:
@@ -539,18 +590,28 @@ install-data-am: install-man
 
 install-dvi: install-dvi-am
 
+install-dvi-am:
+
 install-exec-am:
 
 install-html: install-html-am
 
+install-html-am:
+
 install-info: install-info-am
 
+install-info-am:
+
 install-man: install-man3
 
 install-pdf: install-pdf-am
 
+install-pdf-am:
+
 install-ps: install-ps-am
 
+install-ps-am:
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -591,6 +652,7 @@ uninstall-man: uninstall-man3
 	mostlyclean-libtool pdf pdf-am ps ps-am tags uninstall \
 	uninstall-am uninstall-man uninstall-man3
 
+
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/src/libfreeswan/addrtoa.c b/src/libfreeswan/addrtoa.c
index 7acfa5ded..e1c71da3c 100644
--- a/src/libfreeswan/addrtoa.c
+++ b/src/libfreeswan/addrtoa.c
@@ -1,12 +1,12 @@
 /*
  * addresses to ASCII
  * Copyright (C) 1998, 1999  Henry Spencer.
- * 
+ *
  * This library is free software; you can redistribute it and/or modify it
  * under the terms of the GNU Library General Public License as published by
  * the Free Software Foundation; either version 2 of the License, or (at your
  * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- * 
+ *
  * This library is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
diff --git a/src/libfreeswan/addrtot.c b/src/libfreeswan/addrtot.c
index 6efdfccca..d1a338730 100644
--- a/src/libfreeswan/addrtot.c
+++ b/src/libfreeswan/addrtot.c
@@ -1,12 +1,12 @@
 /*
  * addresses to text
  * Copyright (C) 2000  Henry Spencer.
- * 
+ *
  * This library is free software; you can redistribute it and/or modify it
  * under the terms of the GNU Library General Public License as published by
  * the Free Software Foundation; either version 2 of the License, or (at your
  * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- * 
+ *
  * This library is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
@@ -251,7 +251,7 @@ struct rtab {
 	{"1:2::3:4",                   'Q', "1:2:0:0:0:0:3:4"},
 	{"1:2:0:0:3:4:0:0",             0, "1:2::3:4:0:0"},
 	{"1.2.3.4",                    'r' , "4.3.2.1.IN-ADDR.ARPA."},
- 	/*                                    0 1 2 3 4 5 6 7 8 9 a b c d e f 0 1 2 3 4 5 6 7 8 9 a b c d e f */
+	/*                                    0 1 2 3 4 5 6 7 8 9 a b c d e f 0 1 2 3 4 5 6 7 8 9 a b c d e f */
 	{"1:2::3:4",                   'r', "4.0.0.0.3.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.0.1.0.0.0.IP6.ARPA."},
 	 {NULL,				0, NULL}
 };
@@ -279,11 +279,11 @@ regress()
 
 		if (n == 0 && r->output == NULL)
 			{}		/* okay, error expected */
-		
+
 		else if (n == 0) {
 			printf("`%s' atoasr failed\n", r->input);
 			status = 1;
-			
+
 		} else if (r->output == NULL) {
 			printf("`%s' atoasr succeeded unexpectedly '%c'\n",
 							r->input, r->format);
diff --git a/src/libfreeswan/addrtypeof.c b/src/libfreeswan/addrtypeof.c
index f402eca70..ee3cc998f 100644
--- a/src/libfreeswan/addrtypeof.c
+++ b/src/libfreeswan/addrtypeof.c
@@ -1,12 +1,12 @@
 /*
  * extract parts of an ip_address
  * Copyright (C) 2000  Henry Spencer.
- * 
+ *
  * This library is free software; you can redistribute it and/or modify it
  * under the terms of the GNU Library General Public License as published by
  * the Free Software Foundation; either version 2 of the License, or (at your
  * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- * 
+ *
  * This library is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
diff --git a/src/libfreeswan/anyaddr.c b/src/libfreeswan/anyaddr.c
index f2eb8d07a..5b7691b7b 100644
--- a/src/libfreeswan/anyaddr.c
+++ b/src/libfreeswan/anyaddr.c
@@ -1,12 +1,12 @@
 /*
  * special addresses
  * Copyright (C) 2000  Henry Spencer.
- * 
+ *
  * This library is free software; you can redistribute it and/or modify it
  * under the terms of the GNU Library General Public License as published by
  * the Free Software Foundation; either version 2 of the License, or (at your
  * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- * 
+ *
  * This library is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
diff --git a/src/libfreeswan/atoaddr.c b/src/libfreeswan/atoaddr.c
index cbda541d3..8f1be0a84 100644
--- a/src/libfreeswan/atoaddr.c
+++ b/src/libfreeswan/atoaddr.c
@@ -1,12 +1,12 @@
 /*
  * conversion from ASCII forms of addresses to internal ones
  * Copyright (C) 1998, 1999  Henry Spencer.
- * 
+ *
  * This library is free software; you can redistribute it and/or modify it
  * under the terms of the GNU Library General Public License as published by
  * the Free Software Foundation; either version 2 of the License, or (at your
  * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- * 
+ *
  * This library is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
diff --git a/src/libfreeswan/atoasr.c b/src/libfreeswan/atoasr.c
index ef8412fe8..ad62ef46b 100644
--- a/src/libfreeswan/atoasr.c
+++ b/src/libfreeswan/atoasr.c
@@ -1,12 +1,12 @@
 /*
  * convert from ASCII form of address/subnet/range to binary
  * Copyright (C) 1998, 1999  Henry Spencer.
- * 
+ *
  * This library is free software; you can redistribute it and/or modify it
  * under the terms of the GNU Library General Public License as published by
  * the Free Software Foundation; either version 2 of the License, or (at your
  * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- * 
+ *
  * This library is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
diff --git a/src/libfreeswan/atosa.c b/src/libfreeswan/atosa.c
index aeb5742e1..7339b4c3e 100644
--- a/src/libfreeswan/atosa.c
+++ b/src/libfreeswan/atosa.c
@@ -1,12 +1,12 @@
 /*
  * convert from ASCII form of SA ID to binary
  * Copyright (C) 1998, 1999  Henry Spencer.
- * 
+ *
  * This library is free software; you can redistribute it and/or modify it
  * under the terms of the GNU Library General Public License as published by
  * the Free Software Foundation; either version 2 of the License, or (at your
  * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- * 
+ *
  * This library is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
diff --git a/src/libfreeswan/atosubnet.c b/src/libfreeswan/atosubnet.c
index a123a39da..8b2bfa17e 100644
--- a/src/libfreeswan/atosubnet.c
+++ b/src/libfreeswan/atosubnet.c
@@ -1,12 +1,12 @@
 /*
  * convert from ASCII form of subnet specification to binary
  * Copyright (C) 1998, 1999  Henry Spencer.
- * 
+ *
  * This library is free software; you can redistribute it and/or modify it
  * under the terms of the GNU Library General Public License as published by
  * the Free Software Foundation; either version 2 of the License, or (at your
  * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- * 
+ *
  * This library is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
diff --git a/src/libfreeswan/atoul.c b/src/libfreeswan/atoul.c
index 7e51de8fe..d8e1528cb 100644
--- a/src/libfreeswan/atoul.c
+++ b/src/libfreeswan/atoul.c
@@ -1,12 +1,12 @@
 /*
  * convert from ASCII form of unsigned long to binary
  * Copyright (C) 1998, 1999  Henry Spencer.
- * 
+ *
  * This library is free software; you can redistribute it and/or modify it
  * under the terms of the GNU Library General Public License as published by
  * the Free Software Foundation; either version 2 of the License, or (at your
  * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- * 
+ *
  * This library is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
diff --git a/src/libfreeswan/datatot.c b/src/libfreeswan/datatot.c
index b18d4b050..3e2aed76d 100644
--- a/src/libfreeswan/datatot.c
+++ b/src/libfreeswan/datatot.c
@@ -1,12 +1,12 @@
 /*
  * convert from binary data (e.g. key) to text form
  * Copyright (C) 2000  Henry Spencer.
- * 
+ *
  * This library is free software; you can redistribute it and/or modify it
  * under the terms of the GNU Library General Public License as published by
  * the Free Software Foundation; either version 2 of the License, or (at your
  * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- * 
+ *
  * This library is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
diff --git a/src/libfreeswan/freeswan.h b/src/libfreeswan/freeswan.h
index 77ce8f2be..342f59987 100644
--- a/src/libfreeswan/freeswan.h
+++ b/src/libfreeswan/freeswan.h
@@ -3,12 +3,12 @@
  * header file for FreeS/WAN library functions
  * Copyright (C) 1998, 1999, 2000  Henry Spencer.
  * Copyright (C) 1999, 2000, 2001  Richard Guy Briggs
- * 
+ *
  * This library is free software; you can redistribute it and/or modify it
  * under the terms of the GNU Library General Public License as published by
  * the Free Software Foundation; either version 2 of the License, or (at your
  * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- * 
+ *
  * This library is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
@@ -391,7 +391,7 @@ extern unsigned int pfkey_lib_debug;  /* bits selecting what to report */
 
 /*
  * pluto and lwdnsq need to know the maximum size of the commands to,
- * and replies from lwdnsq. 
+ * and replies from lwdnsq.
  */
 
 #define LWDNSQ_CMDBUF_LEN      1024
diff --git a/src/libfreeswan/goodmask.c b/src/libfreeswan/goodmask.c
index a2d51de0c..66edae20f 100644
--- a/src/libfreeswan/goodmask.c
+++ b/src/libfreeswan/goodmask.c
@@ -1,12 +1,12 @@
 /*
  * minor utilities for subnet-mask manipulation
  * Copyright (C) 1998, 1999  Henry Spencer.
- * 
+ *
  * This library is free software; you can redistribute it and/or modify it
  * under the terms of the GNU Library General Public License as published by
  * the Free Software Foundation; either version 2 of the License, or (at your
  * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- * 
+ *
  * This library is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
@@ -17,7 +17,7 @@
 
 /*
  - goodmask - is this a good (^1*0*$) subnet mask?
- * You are not expected to understand this.  See Henry S. Warren Jr, 
+ * You are not expected to understand this.  See Henry S. Warren Jr,
  * "Functions realizable with word-parallel logical and two's-complement
  * addition instructions", CACM 20.6 (June 1977), p.439.
  */
diff --git a/src/libfreeswan/initaddr.c b/src/libfreeswan/initaddr.c
index c30efb812..c84006f47 100644
--- a/src/libfreeswan/initaddr.c
+++ b/src/libfreeswan/initaddr.c
@@ -1,12 +1,12 @@
 /*
  * initialize address structure
  * Copyright (C) 2000  Henry Spencer.
- * 
+ *
  * This library is free software; you can redistribute it and/or modify it
  * under the terms of the GNU Library General Public License as published by
  * the Free Software Foundation; either version 2 of the License, or (at your
  * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- * 
+ *
  * This library is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
diff --git a/src/libfreeswan/initsaid.c b/src/libfreeswan/initsaid.c
index fb8187422..4e4bc9a35 100644
--- a/src/libfreeswan/initsaid.c
+++ b/src/libfreeswan/initsaid.c
@@ -1,12 +1,12 @@
 /*
  * initialize SA ID structure
  * Copyright (C) 2000  Henry Spencer.
- * 
+ *
  * This library is free software; you can redistribute it and/or modify it
  * under the terms of the GNU Library General Public License as published by
  * the Free Software Foundation; either version 2 of the License, or (at your
  * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- * 
+ *
  * This library is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
diff --git a/src/libfreeswan/initsubnet.c b/src/libfreeswan/initsubnet.c
index 0e19098c5..27faddabc 100644
--- a/src/libfreeswan/initsubnet.c
+++ b/src/libfreeswan/initsubnet.c
@@ -1,12 +1,12 @@
 /*
  * initialize subnet structure
  * Copyright (C) 2000, 2002  Henry Spencer.
- * 
+ *
  * This library is free software; you can redistribute it and/or modify it
  * under the terms of the GNU Library General Public License as published by
  * the Free Software Foundation; either version 2 of the License, or (at your
  * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- * 
+ *
  * This library is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
diff --git a/src/libfreeswan/internal.h b/src/libfreeswan/internal.h
index fa24f7d2d..832c8a53d 100644
--- a/src/libfreeswan/internal.h
+++ b/src/libfreeswan/internal.h
@@ -1,12 +1,12 @@
 /*
  * internal definitions for use within the library; do not export!
  * Copyright (C) 1998, 1999  Henry Spencer.
- * 
+ *
  * This library is free software; you can redistribute it and/or modify it
  * under the terms of the GNU Library General Public License as published by
  * the Free Software Foundation; either version 2 of the License, or (at your
  * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- * 
+ *
  * This library is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
diff --git a/src/libfreeswan/ipsec_param.h b/src/libfreeswan/ipsec_param.h
index b0ee845a5..93426b8ee 100644
--- a/src/libfreeswan/ipsec_param.h
+++ b/src/libfreeswan/ipsec_param.h
@@ -3,19 +3,19 @@
  *
  * Copyright (C) 2001  Richard Guy Briggs  <rgb@freeswan.org>
  *                 and Michael Richardson  <mcr@freeswan.org>
- * 
+ *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
  * Free Software Foundation; either version 2 of the License, or (at your
  * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- * 
+ *
  * This program is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  */
 
-/* 
+/*
  * This file provides a set of #define's which may be tuned by various
  * people/configurations. It keeps all compile-time tunables in one place.
  *
@@ -38,16 +38,16 @@
 # define IPSEC_SA_REF_TABLE_IDX_WIDTH 16
 #endif
 
-#ifndef IPSEC_SA_REF_MAINTABLE_IDX_WIDTH 
-# define IPSEC_SA_REF_MAINTABLE_IDX_WIDTH 4 
+#ifndef IPSEC_SA_REF_MAINTABLE_IDX_WIDTH
+# define IPSEC_SA_REF_MAINTABLE_IDX_WIDTH 4
 #endif
 
-#ifndef IPSEC_SA_REF_FREELIST_NUM_ENTRIES 
+#ifndef IPSEC_SA_REF_FREELIST_NUM_ENTRIES
 # define IPSEC_SA_REF_FREELIST_NUM_ENTRIES 256
 #endif
 
-#ifndef IPSEC_SA_REF_CODE 
-# define IPSEC_SA_REF_CODE 1 
+#ifndef IPSEC_SA_REF_CODE
+# define IPSEC_SA_REF_CODE 1
 #endif
 
 #define _IPSEC_PARAM_H_
diff --git a/src/libfreeswan/keyblobtoid.c b/src/libfreeswan/keyblobtoid.c
index 118e61391..89ab5fced 100644
--- a/src/libfreeswan/keyblobtoid.c
+++ b/src/libfreeswan/keyblobtoid.c
@@ -1,12 +1,12 @@
 /*
  * generate printable key IDs
  * Copyright (C) 2002  Henry Spencer.
- * 
+ *
  * This library is free software; you can redistribute it and/or modify it
  * under the terms of the GNU Library General Public License as published by
  * the Free Software Foundation; either version 2 of the License, or (at your
  * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- * 
+ *
  * This library is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
diff --git a/src/libfreeswan/pfkey.h b/src/libfreeswan/pfkey.h
index ba0010bc7..993678c8b 100644
--- a/src/libfreeswan/pfkey.h
+++ b/src/libfreeswan/pfkey.h
@@ -1,12 +1,12 @@
 /*
  * FreeS/WAN specific PF_KEY headers
  * Copyright (C) 1999, 2000, 2001  Richard Guy Briggs.
- * 
+ *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
  * Free Software Foundation; either version 2 of the License, or (at your
  * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- * 
+ *
  * This program is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
diff --git a/src/libfreeswan/pfkey_v2_build.c b/src/libfreeswan/pfkey_v2_build.c
index ddc21040f..c0bb369cb 100644
--- a/src/libfreeswan/pfkey_v2_build.c
+++ b/src/libfreeswan/pfkey_v2_build.c
@@ -1,12 +1,12 @@
 /*
  * RFC2367 PF_KEYv2 Key management API message parser
  * Copyright (C) 1999, 2000, 2001  Richard Guy Briggs.
- * 
+ *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
  * Free Software Foundation; either version 2 of the License, or (at your
  * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- * 
+ *
  * This program is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
@@ -48,7 +48,7 @@ void
 pfkey_extensions_init(struct sadb_ext *extensions[SADB_EXT_MAX + 1])
 {
 	int i;
-	
+
 	for (i = 0; i != SADB_EXT_MAX + 1; i++) {
 		extensions[i] = NULL;
 	}
@@ -58,7 +58,7 @@ void
 pfkey_extensions_free(struct sadb_ext *extensions[SADB_EXT_MAX + 1])
 {
 	int i;
-	
+
 	if (!extensions) {
 		return;
 	}
@@ -68,7 +68,7 @@ pfkey_extensions_free(struct sadb_ext *extensions[SADB_EXT_MAX + 1])
 		FREE(extensions[0]);
 		extensions[0] = NULL;
 	}
-	
+
 	for (i = 1; i != SADB_EXT_MAX + 1; i++) {
 		if(extensions[i]) {
 			memset(extensions[i], 0, extensions[i]->sadb_ext_len * IPSEC_PFKEYv2_ALIGN);
@@ -135,7 +135,7 @@ pfkey_msg_hdr_build(struct sadb_ext**	pfkey_ext,
 	if (satype > SADB_SATYPE_MAX) {
 		DEBUGGING(
 			"pfkey_msg_hdr_build: "
-			"satype %d > max %d\n", 
+			"satype %d > max %d\n",
 			satype, SADB_SATYPE_MAX);
 		SENDERR(EINVAL);
 	}
@@ -169,7 +169,7 @@ pfkey_msg_hdr_build(struct sadb_ext**	pfkey_ext,
 		*pfkey_ext);
 errlab:
 	return error;
-}	
+}
 
 int
 pfkey_sa_ref_build(struct sadb_ext **		pfkey_ext,
@@ -254,7 +254,7 @@ pfkey_sa_ref_build(struct sadb_ext **		pfkey_ext,
 			SADB_SASTATE_DEAD);
 		SENDERR(EINVAL);
 	}
-	
+
 	if ((IPSEC_SAREF_NULL != ref) && (ref >= (1 << IPSEC_SA_REF_TABLE_IDX_WIDTH))) {
 		DEBUGGING(
 			  "pfkey_sa_build: "
@@ -264,7 +264,7 @@ pfkey_sa_ref_build(struct sadb_ext **		pfkey_ext,
 			  IPSEC_SA_REF_TABLE_NUM_ENTRIES);
 		SENDERR(EINVAL);
 	}
-	
+
 	pfkey_sa = (struct sadb_sa*)MALLOC(sizeof(struct sadb_sa));
 	*pfkey_ext = (struct sadb_ext*)pfkey_sa;
 
@@ -275,7 +275,7 @@ pfkey_sa_ref_build(struct sadb_ext **		pfkey_ext,
 		SENDERR(ENOMEM);
 	}
 	memset(pfkey_sa, 0, sizeof(struct sadb_sa));
-	
+
 	pfkey_sa->sadb_sa_len = sizeof(*pfkey_sa) / IPSEC_PFKEYv2_ALIGN;
 	pfkey_sa->sadb_sa_exttype = exttype;
 	pfkey_sa->sadb_sa_spi = spi;
@@ -284,11 +284,11 @@ pfkey_sa_ref_build(struct sadb_ext **		pfkey_ext,
 	pfkey_sa->sadb_sa_auth = auth;
 	pfkey_sa->sadb_sa_encrypt = encrypt;
 	pfkey_sa->sadb_sa_flags = flags;
-	pfkey_sa->sadb_x_sa_ref = ref;  
+	pfkey_sa->sadb_x_sa_ref = ref;
 
 errlab:
 	return error;
-}	
+}
 
 int
 pfkey_sa_build(struct sadb_ext **	pfkey_ext,
@@ -377,7 +377,7 @@ pfkey_address_build(struct sadb_ext**	pfkey_ext,
 	int saddr_len = 0;
 	char ipaddr_txt[ADDRTOT_BUF + 6/*extra for port number*/];
 	struct sadb_address *pfkey_address = (struct sadb_address *)*pfkey_ext;
-	
+
 	DEBUGGING(
 		"pfkey_address_build: "
 		"exttype=%d proto=%d prefixlen=%d\n",
@@ -397,8 +397,8 @@ pfkey_address_build(struct sadb_ext**	pfkey_ext,
 				  "address is NULL\n");
 			SENDERR(EINVAL);
 	}
-	
-	switch(exttype) {	
+
+	switch(exttype) {
 	case SADB_EXT_ADDRESS_SRC:
 	case SADB_EXT_ADDRESS_DST:
 	case SADB_EXT_ADDRESS_PROXY:
@@ -410,11 +410,11 @@ pfkey_address_build(struct sadb_ext**	pfkey_ext,
 	case SADB_X_EXT_NAT_T_OA:
 		break;
 	default:
-		DEBUGGING( 
+		DEBUGGING(
 			"pfkey_address_build: "
-			"unrecognised ext_type=%d.\n", 
-			exttype); 
-		SENDERR(EINVAL); 
+			"unrecognised ext_type=%d.\n",
+			exttype);
+		SENDERR(EINVAL);
 	}
 
 	switch (address->sa_family) {
@@ -479,10 +479,10 @@ pfkey_address_build(struct sadb_ext**	pfkey_ext,
 	       0,
 	       ALIGN_N(sizeof(struct sadb_address) + saddr_len,
 		     IPSEC_PFKEYv2_ALIGN));
-	       
+
 	pfkey_address->sadb_address_len = DIVUP(sizeof(struct sadb_address) + saddr_len,
 						IPSEC_PFKEYv2_ALIGN);
-	
+
 	pfkey_address->sadb_address_exttype = exttype;
 	pfkey_address->sadb_address_proto = proto;
 	pfkey_address->sadb_address_prefixlen = prefixlen;
@@ -540,7 +540,7 @@ pfkey_key_build(struct sadb_ext**	pfkey_ext,
 	}
 
 	pfkey_key = (struct sadb_key*)
-		MALLOC(sizeof(struct sadb_key) + 
+		MALLOC(sizeof(struct sadb_key) +
 			DIVUP(key_bits, 64) * IPSEC_PFKEYv2_ALIGN);
 	*pfkey_ext = (struct sadb_ext*)pfkey_key;
 
@@ -554,7 +554,7 @@ pfkey_key_build(struct sadb_ext**	pfkey_ext,
 	       0,
 	       sizeof(struct sadb_key) +
 	       DIVUP(key_bits, 64) * IPSEC_PFKEYv2_ALIGN);
-	
+
 	pfkey_key->sadb_key_len = DIVUP(sizeof(struct sadb_key) * IPSEC_PFKEYv2_ALIGN +	key_bits,
 					64);
 	pfkey_key->sadb_key_exttype = exttype;
@@ -622,12 +622,12 @@ pfkey_ident_build(struct sadb_ext**	pfkey_ext,
 			"string required to allocate size of extension.\n");
 		SENDERR(EINVAL);
 	}
-	
+
 #if 0
 	if (ident_type == SADB_IDENTTYPE_USERFQDN) {
 	}
 #endif
-	    
+
 	pfkey_ident = (struct sadb_ident*)
 		MALLOC(ident_len * IPSEC_PFKEYv2_ALIGN);
 	*pfkey_ext = (struct sadb_ext*)pfkey_ident;
@@ -639,7 +639,7 @@ pfkey_ident_build(struct sadb_ext**	pfkey_ext,
 		SENDERR(ENOMEM);
 	}
 	memset(pfkey_ident, 0, ident_len * IPSEC_PFKEYv2_ALIGN);
-	
+
 	pfkey_ident->sadb_ident_len = ident_len;
 	pfkey_ident->sadb_ident_exttype = exttype;
 	pfkey_ident->sadb_ident_type = ident_type;
@@ -699,7 +699,7 @@ pfkey_sens_build(struct sadb_ext**	pfkey_ext,
 	       0,
 	       sizeof(struct sadb_sens) +
 	       (sens_len + integ_len) * sizeof(uint64_t));
-	
+
 	pfkey_sens->sadb_sens_len = (sizeof(struct sadb_sens) +
 		    (sens_len + integ_len) * sizeof(uint64_t)) / IPSEC_PFKEYv2_ALIGN;
 	pfkey_sens->sadb_sens_exttype = SADB_EXT_SENSITIVITY;
@@ -761,7 +761,7 @@ pfkey_prop_build(struct sadb_ext**	pfkey_ext,
 	       0,
 	       sizeof(struct sadb_prop) +
 		    comb_num * sizeof(struct sadb_comb));
-	
+
 	pfkey_prop->sadb_prop_len = (sizeof(struct sadb_prop) +
 		    comb_num * sizeof(struct sadb_comb)) / IPSEC_PFKEYv2_ALIGN;
 
@@ -846,7 +846,7 @@ pfkey_supported_build(struct sadb_ext**	pfkey_ext,
 	       sizeof(struct sadb_supported) +
 					       alg_num *
 					       sizeof(struct sadb_alg));
-	
+
 	pfkey_supported->sadb_supported_len = (sizeof(struct sadb_supported) +
 					       alg_num *
 					       sizeof(struct sadb_alg)) /
@@ -860,7 +860,7 @@ pfkey_supported_build(struct sadb_ext**	pfkey_ext,
 		pfkey_alg->sadb_alg_reserved = 0;
 		pfkey_alg++;
 	}
-	
+
 #if 0
 	DEBUGGING(
 		"pfkey_supported_build: "
@@ -886,7 +886,7 @@ pfkey_spirange_build(struct sadb_ext**	pfkey_ext,
 {
 	int error = 0;
 	struct sadb_spirange *pfkey_spirange = (struct sadb_spirange *)*pfkey_ext;
-	
+
 	/* sanity checks... */
 	if (pfkey_spirange) {
 		DEBUGGING(
@@ -894,7 +894,7 @@ pfkey_spirange_build(struct sadb_ext**	pfkey_ext,
 			"why is pfkey_spirange already pointing to something?\n");
 		SENDERR(EINVAL);
 	}
-	
+
         if (ntohl(max) < ntohl(min)) {
 		DEBUGGING(
 			"pfkey_spirange_build: "
@@ -903,7 +903,7 @@ pfkey_spirange_build(struct sadb_ext**	pfkey_ext,
 			ntohl(max));
                 SENDERR(EINVAL);
         }
-	
+
 	if (ntohl(min) <= 255) {
 		DEBUGGING(
 			"pfkey_spirange_build: "
@@ -911,7 +911,7 @@ pfkey_spirange_build(struct sadb_ext**	pfkey_ext,
 			ntohl(min));
 		SENDERR(EEXIST);
 	}
-	
+
 	pfkey_spirange = (struct sadb_spirange*)
 		MALLOC(sizeof(struct sadb_spirange));
 	*pfkey_ext = (struct sadb_ext*)pfkey_spirange;
@@ -925,7 +925,7 @@ pfkey_spirange_build(struct sadb_ext**	pfkey_ext,
 	memset(pfkey_spirange,
 	       0,
 	       sizeof(struct sadb_spirange));
-	
+
         pfkey_spirange->sadb_spirange_len = sizeof(struct sadb_spirange) / IPSEC_PFKEYv2_ALIGN;
 
 	pfkey_spirange->sadb_spirange_exttype = SADB_EXT_SPIRANGE;
@@ -949,7 +949,7 @@ pfkey_x_kmprivate_build(struct sadb_ext**	pfkey_ext)
 			"why is pfkey_x_kmprivate already pointing to something?\n");
 		SENDERR(EINVAL);
 	}
-	
+
 	pfkey_x_kmprivate->sadb_x_kmprivate_reserved = 0;
 
 	DEBUGGING(
@@ -971,7 +971,7 @@ pfkey_x_kmprivate_build(struct sadb_ext**	pfkey_ext)
 	memset(pfkey_x_kmprivate,
 	       0,
 	       sizeof(struct sadb_x_kmprivate));
-	
+
         pfkey_x_kmprivate->sadb_x_kmprivate_len =
 		sizeof(struct sadb_x_kmprivate) / IPSEC_PFKEYv2_ALIGN;
 
@@ -998,7 +998,7 @@ pfkey_x_satype_build(struct sadb_ext**	pfkey_ext,
 			"why is pfkey_x_satype already pointing to something?\n");
 		SENDERR(EINVAL);
 	}
-	
+
 	if (!satype) {
 		DEBUGGING(
 			"pfkey_x_satype_build: "
@@ -1009,7 +1009,7 @@ pfkey_x_satype_build(struct sadb_ext**	pfkey_ext,
 	if (satype > SADB_SATYPE_MAX) {
 		DEBUGGING(
 			"pfkey_x_satype_build: "
-			"satype %d > max %d\n", 
+			"satype %d > max %d\n",
 			satype, SADB_SATYPE_MAX);
 		SENDERR(EINVAL);
 	}
@@ -1028,7 +1028,7 @@ pfkey_x_satype_build(struct sadb_ext**	pfkey_ext,
 	memset(pfkey_x_satype,
 	       0,
 	       sizeof(struct sadb_x_satype));
-	
+
         pfkey_x_satype->sadb_x_satype_len = sizeof(struct sadb_x_satype) / IPSEC_PFKEYv2_ALIGN;
 
 	pfkey_x_satype->sadb_x_satype_exttype = SADB_X_EXT_SATYPE2;
@@ -1069,7 +1069,7 @@ pfkey_x_debug_build(struct sadb_ext**	pfkey_ext,
 			"why is pfkey_x_debug already pointing to something?\n");
 		SENDERR(EINVAL);
 	}
-	
+
 	DEBUGGING(
 		"pfkey_x_debug_build: "
 		"tunnel=%x netlink=%x xform=%x eroute=%x spi=%x radij=%x esp=%x ah=%x rcv=%x pfkey=%x ipcomp=%x verbose=%x?\n",
@@ -1090,7 +1090,7 @@ pfkey_x_debug_build(struct sadb_ext**	pfkey_ext,
 	       0,
 	       sizeof(struct sadb_x_debug));
 #endif
-	
+
         pfkey_x_debug->sadb_x_debug_len = sizeof(struct sadb_x_debug) / IPSEC_PFKEYv2_ALIGN;
 	pfkey_x_debug->sadb_x_debug_exttype = SADB_X_EXT_DEBUG;
 
@@ -1132,7 +1132,7 @@ pfkey_x_nat_t_type_build(struct sadb_ext**	pfkey_ext,
 			"why is pfkey_x_nat_t_type already pointing to something?\n");
 		SENDERR(EINVAL);
 	}
-	
+
 	DEBUGGING(
 		"pfkey_x_nat_t_type_build: "
 		"type=%d\n", type);
@@ -1147,7 +1147,7 @@ pfkey_x_nat_t_type_build(struct sadb_ext**	pfkey_ext,
 			"memory allocation failed\n");
 		SENDERR(ENOMEM);
 	}
-	
+
 	pfkey_x_nat_t_type->sadb_x_nat_t_type_len = sizeof(struct sadb_x_nat_t_type) / IPSEC_PFKEYv2_ALIGN;
 	pfkey_x_nat_t_type->sadb_x_nat_t_type_exttype = SADB_X_EXT_NAT_T_TYPE;
 	pfkey_x_nat_t_type->sadb_x_nat_t_type_type = type;
@@ -1176,17 +1176,17 @@ pfkey_x_nat_t_port_build(struct sadb_ext**	pfkey_ext,
 			"why is pfkey_x_nat_t_port already pointing to something?\n");
 		SENDERR(EINVAL);
 	}
-	
-	switch (exttype) {	
+
+	switch (exttype) {
 	case SADB_X_EXT_NAT_T_SPORT:
 	case SADB_X_EXT_NAT_T_DPORT:
 		break;
 	default:
-		DEBUGGING( 
+		DEBUGGING(
 			"pfkey_nat_t_port_build: "
-			"unrecognised ext_type=%d.\n", 
-			exttype); 
-		SENDERR(EINVAL); 
+			"unrecognised ext_type=%d.\n",
+			exttype);
+		SENDERR(EINVAL);
 	}
 
 	DEBUGGING(
@@ -1203,7 +1203,7 @@ pfkey_x_nat_t_port_build(struct sadb_ext**	pfkey_ext,
 			"memory allocation failed\n");
 		SENDERR(ENOMEM);
 	}
-	
+
 	pfkey_x_nat_t_port->sadb_x_nat_t_port_len = sizeof(struct sadb_x_nat_t_port) / IPSEC_PFKEYv2_ALIGN;
 	pfkey_x_nat_t_port->sadb_x_nat_t_port_exttype = exttype;
 	pfkey_x_nat_t_port->sadb_x_nat_t_port_port = port;
@@ -1281,7 +1281,7 @@ pfkey_msg_build(struct sadb_msg **pfkey_msg, struct sadb_ext *extensions[], int
 	struct sadb_ext *pfkey_ext;
 	int extensions_seen = 0;
 	struct sadb_ext *extensions_check[SADB_EXT_MAX + 1];
-	
+
 	if (!extensions[0]) {
 		DEBUGGING(
 			"pfkey_msg_build: "
@@ -1294,7 +1294,7 @@ pfkey_msg_build(struct sadb_msg **pfkey_msg, struct sadb_ext *extensions[], int
 		if(extensions[ext]) {
 			total_size += (extensions[ext])->sadb_ext_len;
 		}
-        }                
+        }
 
 	if (!(*pfkey_msg = (struct sadb_msg*)MALLOC(total_size * IPSEC_PFKEYv2_ALIGN))) {
 		DEBUGGING(
@@ -1320,14 +1320,14 @@ pfkey_msg_build(struct sadb_msg **pfkey_msg, struct sadb_ext *extensions[], int
 
 	for (ext = 1; ext <= SADB_EXT_MAX; ext++) {
 		/* copy from extension[ext] to buffer */
-		if (extensions[ext]) {    
+		if (extensions[ext]) {
 			/* Is this type of extension permitted for this type of message? */
 			if (!(extensions_bitmaps[dir][EXT_BITS_PERM][(*pfkey_msg)->sadb_msg_type] &
 			     1<<ext)) {
 				DEBUGGING(
 					"pfkey_msg_build: "
-					"ext type %d not permitted, exts_perm=%08x, 1<<type=%08x\n", 
-					ext, 
+					"ext type %d not permitted, exts_perm=%08x, 1<<type=%08x\n",
+					ext,
 					extensions_bitmaps[dir][EXT_BITS_PERM][(*pfkey_msg)->sadb_msg_type],
 					1<<ext);
 				SENDERR(EINVAL);
@@ -1342,7 +1342,7 @@ pfkey_msg_build(struct sadb_msg **pfkey_msg, struct sadb_ext *extensions[], int
 			memcpy(pfkey_ext,
 			       extensions[ext],
 			       (extensions[ext])->sadb_ext_len * IPSEC_PFKEYv2_ALIGN);
-			{      
+			{
 				char *pfkey_ext_c = (char *)pfkey_ext;
 
 				pfkey_ext_c += (extensions[ext])->sadb_ext_len * IPSEC_PFKEYv2_ALIGN;
@@ -1360,7 +1360,7 @@ pfkey_msg_build(struct sadb_msg **pfkey_msg, struct sadb_ext *extensions[], int
 		extensions_bitmaps[dir][EXT_BITS_PERM][(*pfkey_msg)->sadb_msg_type],
 		extensions_seen,
 		extensions_bitmaps[dir][EXT_BITS_REQ][(*pfkey_msg)->sadb_msg_type]);
-	
+
 	if ((extensions_seen &
 	    extensions_bitmaps[dir][EXT_BITS_REQ][(*pfkey_msg)->sadb_msg_type]) !=
 	    extensions_bitmaps[dir][EXT_BITS_REQ][(*pfkey_msg)->sadb_msg_type]) {
@@ -1372,7 +1372,7 @@ pfkey_msg_build(struct sadb_msg **pfkey_msg, struct sadb_ext *extensions[], int
 			 extensions_bitmaps[dir][EXT_BITS_REQ][(*pfkey_msg)->sadb_msg_type]) );
 		SENDERR(EINVAL);
 	}
-	
+
 	error = pfkey_msg_parse(*pfkey_msg, NULL, extensions_check, dir);
 	if (error) {
 		DEBUGGING(
diff --git a/src/libfreeswan/pfkey_v2_debug.c b/src/libfreeswan/pfkey_v2_debug.c
index 0256e2a03..0217538a0 100644
--- a/src/libfreeswan/pfkey_v2_debug.c
+++ b/src/libfreeswan/pfkey_v2_debug.c
@@ -3,12 +3,12 @@
  *
  * Copyright (C) 2001  Richard Guy Briggs  <rgb@freeswan.org>
  *                 and Michael Richardson  <mcr@freeswan.org>
- * 
+ *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
  * Free Software Foundation; either version 2 of the License, or (at your
  * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- * 
+ *
  * This program is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
@@ -22,7 +22,7 @@
 #include "pfkeyv2.h"
 #include "pfkey.h"
 
-/* 
+/*
  * This file provides ASCII translations of PF_KEY magic numbers.
  *
  */
diff --git a/src/libfreeswan/pfkey_v2_ext_bits.c b/src/libfreeswan/pfkey_v2_ext_bits.c
index b6ef4496d..49b4aa567 100644
--- a/src/libfreeswan/pfkey_v2_ext_bits.c
+++ b/src/libfreeswan/pfkey_v2_ext_bits.c
@@ -1,12 +1,12 @@
 /*
  * RFC2367 PF_KEYv2 Key management API message parser
  * Copyright (C) 1999, 2000, 2001  Richard Guy Briggs.
- * 
+ *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
  * Free Software Foundation; either version 2 of the License, or (at your
  * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- * 
+ *
  * This program is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
diff --git a/src/libfreeswan/pfkey_v2_parse.c b/src/libfreeswan/pfkey_v2_parse.c
index 7ee08978c..49d5cdf4a 100644
--- a/src/libfreeswan/pfkey_v2_parse.c
+++ b/src/libfreeswan/pfkey_v2_parse.c
@@ -1,12 +1,12 @@
 /*
  * RFC2367 PF_KEYv2 Key management API message parser
  * Copyright (C) 1999, 2000, 2001  Richard Guy Briggs.
- * 
+ *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
  * Free Software Foundation; either version 2 of the License, or (at your
  * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- * 
+ *
  * This program is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
@@ -107,7 +107,7 @@ pfkey_sa_parse(struct sadb_ext *pfkey_ext)
 #if 0
 	struct sadb_sa sav2;
 #endif
-	
+
 	DEBUGGING(PF_KEY_DEBUG_PARSE_FLOW,
 		  "pfkey_sa_parse: entry\n");
 	/* sanity checks... */
@@ -117,7 +117,7 @@ pfkey_sa_parse(struct sadb_ext *pfkey_ext)
 			  "NULL pointer passed in.\n");
 		SENDERR(EINVAL);
 	}
-	
+
 #if 0
 	/* check if this structure is short, and if so, fix it up.
 	 * XXX this is NOT the way to do things.
@@ -129,7 +129,7 @@ pfkey_sa_parse(struct sadb_ext *pfkey_ext)
 		memcpy(&sav2, pfkey_sa, sizeof(struct sadb_sa_v1));
 		sav2.sadb_x_sa_ref=-1;
 		sav2.sadb_sa_len = sizeof(struct sadb_sa) / IPSEC_PFKEYv2_ALIGN;
-		
+
 		pfkey_sa = &sav2;
 	}
 #endif
@@ -143,7 +143,7 @@ pfkey_sa_parse(struct sadb_ext *pfkey_ext)
 			  (int)sizeof(struct sadb_sa));
 		SENDERR(EINVAL);
 	}
-	
+
 	if(pfkey_sa->sadb_sa_encrypt > SADB_EALG_MAX) {
 		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
 			  "pfkey_sa_parse: "
@@ -152,7 +152,7 @@ pfkey_sa_parse(struct sadb_ext *pfkey_ext)
 			  SADB_EALG_MAX);
 		SENDERR(EINVAL);
 	}
-	
+
 	if(pfkey_sa->sadb_sa_auth > SADB_AALG_MAX) {
 		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
 			  "pfkey_sa_parse: "
@@ -161,7 +161,7 @@ pfkey_sa_parse(struct sadb_ext *pfkey_ext)
 			  SADB_AALG_MAX);
 		SENDERR(EINVAL);
 	}
-	
+
 	if(pfkey_sa->sadb_sa_state > SADB_SASTATE_MAX) {
 		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
 			  "pfkey_sa_parse: "
@@ -170,7 +170,7 @@ pfkey_sa_parse(struct sadb_ext *pfkey_ext)
 			  SADB_SASTATE_MAX);
 		SENDERR(EINVAL);
 	}
-	
+
 	if(pfkey_sa->sadb_sa_state == SADB_SASTATE_DEAD) {
 		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
 			  "pfkey_sa_parse: "
@@ -179,7 +179,7 @@ pfkey_sa_parse(struct sadb_ext *pfkey_ext)
 			  SADB_SASTATE_DEAD);
 		SENDERR(EINVAL);
 	}
-	
+
 	if(pfkey_sa->sadb_sa_replay > 64) {
 		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
 			  "pfkey_sa_parse: "
@@ -187,7 +187,7 @@ pfkey_sa_parse(struct sadb_ext *pfkey_ext)
 			  pfkey_sa->sadb_sa_replay);
 		SENDERR(EINVAL);
 	}
-	
+
 	if(! ((pfkey_sa->sadb_sa_exttype ==  SADB_EXT_SA) ||
 	      (pfkey_sa->sadb_sa_exttype ==  SADB_X_EXT_SA2)))
 	{
@@ -209,7 +209,7 @@ pfkey_sa_parse(struct sadb_ext *pfkey_ext)
 			  IPSEC_SA_REF_TABLE_NUM_ENTRIES);
 		SENDERR(EINVAL);
 	}
-	
+
 	DEBUGGING(PF_KEY_DEBUG_PARSE_STRUCT,
 		  "pfkey_sa_parse: "
 		  "successfully found len=%d exttype=%d(%s) spi=%08lx replay=%d state=%d auth=%d encrypt=%d flags=%d ref=%d.\n",
@@ -223,10 +223,10 @@ pfkey_sa_parse(struct sadb_ext *pfkey_ext)
 		  pfkey_sa->sadb_sa_encrypt,
 		  pfkey_sa->sadb_sa_flags,
 		  pfkey_sa->sadb_x_sa_ref);
-	
+
  errlab:
 	return error;
-}	
+}
 
 DEBUG_NO_STATIC int
 pfkey_lifetime_parse(struct sadb_ext  *pfkey_ext)
@@ -259,21 +259,21 @@ pfkey_lifetime_parse(struct sadb_ext  *pfkey_ext)
 	   (pfkey_lifetime->sadb_lifetime_exttype != SADB_EXT_LIFETIME_CURRENT)) {
 		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
 			  "pfkey_lifetime_parse: "
-			  "unexpected ext_type=%d.\n", 
-			  pfkey_lifetime->sadb_lifetime_exttype); 
+			  "unexpected ext_type=%d.\n",
+			  pfkey_lifetime->sadb_lifetime_exttype);
 		SENDERR(EINVAL);
 	}
 
 	DEBUGGING(PF_KEY_DEBUG_PARSE_STRUCT,
 		  "pfkey_lifetime_parse: "
-		  "life_type=%d(%s) alloc=%u bytes=%u add=%u use=%u pkts=%u.\n", 
+		  "life_type=%d(%s) alloc=%u bytes=%u add=%u use=%u pkts=%u.\n",
 		  pfkey_lifetime->sadb_lifetime_exttype,
 		  pfkey_v2_sadb_ext_string(pfkey_lifetime->sadb_lifetime_exttype),
 		  pfkey_lifetime->sadb_lifetime_allocations,
 		  (unsigned)pfkey_lifetime->sadb_lifetime_bytes,
 		  (unsigned)pfkey_lifetime->sadb_lifetime_addtime,
 		  (unsigned)pfkey_lifetime->sadb_lifetime_usetime,
-		  pfkey_lifetime->sadb_x_lifetime_packets); 
+		  pfkey_lifetime->sadb_x_lifetime_packets);
 errlab:
 	return error;
 }
@@ -286,7 +286,7 @@ pfkey_address_parse(struct sadb_ext *pfkey_ext)
 	struct sadb_address *pfkey_address = (struct sadb_address *)pfkey_ext;
 	struct sockaddr* s = (struct sockaddr*)((char*)pfkey_address + sizeof(*pfkey_address));
 	char ipaddr_txt[ADDRTOT_BUF];
-	
+
 	DEBUGGING(PF_KEY_DEBUG_PARSE_FLOW,
 		"pfkey_address_parse:enter\n");
 	/* sanity checks... */
@@ -296,7 +296,7 @@ pfkey_address_parse(struct sadb_ext *pfkey_ext)
 			"NULL pointer passed in.\n");
 		SENDERR(EINVAL);
 	}
-	
+
 	if(pfkey_address->sadb_address_len <
 	   (sizeof(struct sadb_address) + sizeof(struct sockaddr))/
 	   IPSEC_PFKEYv2_ALIGN) {
@@ -308,7 +308,7 @@ pfkey_address_parse(struct sadb_ext *pfkey_ext)
 			  (int)sizeof(struct sockaddr));
 		SENDERR(EINVAL);
 	}
-	
+
 	if(pfkey_address->sadb_address_reserved) {
 		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
 			  "pfkey_address_parse: "
@@ -316,8 +316,8 @@ pfkey_address_parse(struct sadb_ext *pfkey_ext)
 			  pfkey_address->sadb_address_reserved);
 		SENDERR(EINVAL);
 	}
-	
-	switch(pfkey_address->sadb_address_exttype) {	
+
+	switch(pfkey_address->sadb_address_exttype) {
 	case SADB_EXT_ADDRESS_SRC:
 	case SADB_EXT_ADDRESS_DST:
 	case SADB_EXT_ADDRESS_PROXY:
@@ -329,7 +329,7 @@ pfkey_address_parse(struct sadb_ext *pfkey_ext)
 	case SADB_X_EXT_NAT_T_OA:
 		break;
 	default:
-		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM, 
+		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
 			"pfkey_address_parse: "
 			"unexpected ext_type=%d.\n",
 			pfkey_address->sadb_address_exttype);
@@ -382,7 +382,7 @@ pfkey_address_parse(struct sadb_ext *pfkey_ext)
 			s->sa_family);
 		SENDERR(EPFNOSUPPORT);
 	}
-	
+
 	if(pfkey_address->sadb_address_len !=
 	   DIVUP(sizeof(struct sadb_address) + saddr_len, IPSEC_PFKEYv2_ALIGN)) {
 		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
@@ -393,16 +393,16 @@ pfkey_address_parse(struct sadb_ext *pfkey_ext)
 			  saddr_len);
 		SENDERR(EINVAL);
 	}
-	
+
 	if(pfkey_address->sadb_address_prefixlen != 0) {
 		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
 			"pfkey_address_parse: "
 			"address prefixes not supported yet.\n");
 		SENDERR(EAFNOSUPPORT); /* not supported yet */
 	}
-	
+
 	/* XXX check if port!=0 */
-	
+
 	DEBUGGING(PF_KEY_DEBUG_PARSE_FLOW,
 		"pfkey_address_parse: successful.\n");
  errlab:
@@ -452,7 +452,7 @@ pfkey_key_parse(struct sadb_ext *pfkey_ext)
 			pfkey_key->sadb_key_len);
 		SENDERR(EINVAL);
 	}
-	
+
 	if(pfkey_key->sadb_key_reserved) {
 		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
 			"pfkey_key_parse: "
@@ -527,7 +527,7 @@ pfkey_ident_parse(struct sadb_ext *pfkey_ext)
 			SENDERR(EINVAL);
 		}
 	}
-	
+
 	if( ! ((pfkey_ident->sadb_ident_exttype == SADB_EXT_IDENTITY_SRC) ||
 	       (pfkey_ident->sadb_ident_exttype == SADB_EXT_IDENTITY_DST))) {
 		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
@@ -578,7 +578,7 @@ pfkey_prop_parse(struct sadb_ext *pfkey_ext)
 	struct sadb_comb *pfkey_comb = (struct sadb_comb *)((char*)pfkey_ext + sizeof(struct sadb_prop));
 
 	/* sanity checks... */
-	if((pfkey_prop->sadb_prop_len < sizeof(struct sadb_prop) / IPSEC_PFKEYv2_ALIGN) || 
+	if((pfkey_prop->sadb_prop_len < sizeof(struct sadb_prop) / IPSEC_PFKEYv2_ALIGN) ||
 	   (((pfkey_prop->sadb_prop_len * IPSEC_PFKEYv2_ALIGN) - sizeof(struct sadb_prop)) % sizeof(struct sadb_comb))) {
 		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
 			  "pfkey_prop_parse: "
@@ -596,7 +596,7 @@ pfkey_prop_parse(struct sadb_ext *pfkey_ext)
 			pfkey_prop->sadb_prop_replay);
 		SENDERR(EINVAL);
 	}
-	
+
 	for(i=0; i<3; i++) {
 		if(pfkey_prop->sadb_prop_reserved[i]) {
 			DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
@@ -869,7 +869,7 @@ pfkey_supported_parse(struct sadb_ext *pfkey_ext)
 		}
 		pfkey_alg++;
 	}
-	
+
  errlab:
 	return error;
 }
@@ -879,7 +879,7 @@ pfkey_spirange_parse(struct sadb_ext *pfkey_ext)
 {
 	int error = 0;
 	struct sadb_spirange *pfkey_spirange = (struct sadb_spirange *)pfkey_ext;
-	
+
 	/* sanity checks... */
         if(pfkey_spirange->sadb_spirange_len !=
 	   sizeof(struct sadb_spirange) / IPSEC_PFKEYv2_ALIGN) {
@@ -890,7 +890,7 @@ pfkey_spirange_parse(struct sadb_ext *pfkey_ext)
 			  (int)sizeof(struct sadb_spirange));
                 SENDERR(EINVAL);
         }
-	
+
         if(pfkey_spirange->sadb_spirange_reserved) {
 		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
 			"pfkey_spirange_parse: "
@@ -898,7 +898,7 @@ pfkey_spirange_parse(struct sadb_ext *pfkey_ext)
 			pfkey_spirange->sadb_spirange_reserved);
                 SENDERR(EINVAL);
         }
-	
+
         if(ntohl(pfkey_spirange->sadb_spirange_max) < ntohl(pfkey_spirange->sadb_spirange_min)) {
 		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
 			"pfkey_spirange_parse: "
@@ -907,7 +907,7 @@ pfkey_spirange_parse(struct sadb_ext *pfkey_ext)
 			ntohl(pfkey_spirange->sadb_spirange_max));
                 SENDERR(EINVAL);
         }
-	
+
 	if(ntohl(pfkey_spirange->sadb_spirange_min) <= 255) {
 		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
 			"pfkey_spirange_parse: "
@@ -915,7 +915,7 @@ pfkey_spirange_parse(struct sadb_ext *pfkey_ext)
 			ntohl(pfkey_spirange->sadb_spirange_min));
 		SENDERR(EEXIST);
 	}
-	
+
 	DEBUGGING(PF_KEY_DEBUG_PARSE_STRUCT,
 		  "pfkey_spirange_parse: "
 		  "ext_len=%u ext_type=%u(%s) min=%u max=%u res=%u.\n",
@@ -983,7 +983,7 @@ pfkey_x_satype_parse(struct sadb_ext *pfkey_ext)
 			  (int)sizeof(struct sadb_x_satype));
 		SENDERR(EINVAL);
 	}
-	
+
 	if(!pfkey_x_satype->sadb_x_satype_satype) {
 		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
 			"pfkey_x_satype_parse: "
@@ -994,7 +994,7 @@ pfkey_x_satype_parse(struct sadb_ext *pfkey_ext)
 	if(pfkey_x_satype->sadb_x_satype_satype > SADB_SATYPE_MAX) {
 		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
 			"pfkey_x_satype_parse: "
-			"satype %d > max %d, invalid.\n", 
+			"satype %d > max %d, invalid.\n",
 			pfkey_x_satype->sadb_x_satype_satype, SADB_SATYPE_MAX);
 		SENDERR(EINVAL);
 	}
@@ -1016,7 +1016,7 @@ pfkey_x_satype_parse(struct sadb_ext *pfkey_ext)
 			SENDERR(EINVAL);
 		}
 	}
-	
+
 	DEBUGGING(PF_KEY_DEBUG_PARSE_STRUCT,
 		  "pfkey_x_satype_parse: "
 		  "len=%u ext=%u(%s) satype=%u(%s) res=%u,%u,%u.\n",
@@ -1051,7 +1051,7 @@ pfkey_x_ext_debug_parse(struct sadb_ext *pfkey_ext)
 			  (int)sizeof(struct sadb_x_debug));
 		SENDERR(EINVAL);
 	}
-	
+
 	for(i = 0; i < 4; i++) {
 		if(pfkey_x_debug->sadb_x_debug_reserved[i]) {
 			DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
@@ -1061,7 +1061,7 @@ pfkey_x_ext_debug_parse(struct sadb_ext *pfkey_ext)
 			SENDERR(EINVAL);
 		}
 	}
-	
+
 errlab:
 	return error;
 }
@@ -1071,17 +1071,17 @@ pfkey_x_ext_protocol_parse(struct sadb_ext *pfkey_ext)
 {
 	int error = 0;
 	struct sadb_protocol *p = (struct sadb_protocol *)pfkey_ext;
-	
+
 	DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM, "pfkey_x_protocol_parse:\n");
 	/* sanity checks... */
-	
+
 	if (p->sadb_protocol_len != sizeof(*p)/IPSEC_PFKEYv2_ALIGN) {
 		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
 			  "pfkey_x_protocol_parse: size wrong ext_len=%d, key_ext_len=%d.\n",
 			  p->sadb_protocol_len, (int)sizeof(*p));
 		SENDERR(EINVAL);
 	}
-	
+
 	if (p->sadb_protocol_reserved2 != 0) {
 		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
 			  "pfkey_protocol_parse: res=%d, must be zero.\n",
@@ -1168,10 +1168,10 @@ pfkey_msg_parse(struct sadb_msg *pfkey_msg,
 	int remain;
 	struct sadb_ext *pfkey_ext;
 	int extensions_seen = 0;
-	
+
 	DEBUGGING(PF_KEY_DEBUG_PARSE_STRUCT,
 		  "pfkey_msg_parse: "
-		  "parsing message ver=%d, type=%d(%s), errno=%d, satype=%d(%s), len=%d, res=%d, seq=%d, pid=%d.\n", 
+		  "parsing message ver=%d, type=%d(%s), errno=%d, satype=%d(%s), len=%d, res=%d, seq=%d, pid=%d.\n",
 		  pfkey_msg->sadb_msg_version,
 		  pfkey_msg->sadb_msg_type,
 		  pfkey_v2_sadb_type_string(pfkey_msg->sadb_msg_type),
@@ -1182,20 +1182,20 @@ pfkey_msg_parse(struct sadb_msg *pfkey_msg,
 		  pfkey_msg->sadb_msg_reserved,
 		  pfkey_msg->sadb_msg_seq,
 		  pfkey_msg->sadb_msg_pid);
-	
+
 	if(ext_parsers == NULL) ext_parsers = ext_default_parsers;
-	
+
 	pfkey_extensions_init(extensions);
-	
+
 	remain = pfkey_msg->sadb_msg_len;
 	remain -= sizeof(struct sadb_msg) / IPSEC_PFKEYv2_ALIGN;
-	
+
 	pfkey_ext = (struct sadb_ext*)((char*)pfkey_msg +
 				       sizeof(struct sadb_msg));
-	
+
 	extensions[0] = (struct sadb_ext *) pfkey_msg;
-	
-	
+
+
 	if(pfkey_msg->sadb_msg_version != PF_KEY_V2) {
 		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
 			"pfkey_msg_parse: "
@@ -1261,7 +1261,7 @@ pfkey_msg_parse(struct sadb_msg *pfkey_msg,
 	default:
 		break;
 	}
-	
+
 	/* errno must not be set in downward messages */
 	/* this is not entirely true... a response to an ACQUIRE could return an error */
 	if((dir == EXT_BITS_IN) && (pfkey_msg->sadb_msg_type != SADB_ACQUIRE) && pfkey_msg->sadb_msg_errno) {
@@ -1274,54 +1274,54 @@ pfkey_msg_parse(struct sadb_msg *pfkey_msg,
 
 	DEBUGGING(PF_KEY_DEBUG_PARSE_FLOW,
 		  "pfkey_msg_parse: "
-		  "remain=%d, ext_type=%d(%s), ext_len=%d.\n", 
+		  "remain=%d, ext_type=%d(%s), ext_len=%d.\n",
 		  remain,
 		  pfkey_ext->sadb_ext_type,
 		  pfkey_v2_sadb_ext_string(pfkey_ext->sadb_ext_type),
 		  pfkey_ext->sadb_ext_len);
-	
+
 	DEBUGGING(PF_KEY_DEBUG_PARSE_FLOW,
 		"pfkey_msg_parse: "
 		"extensions permitted=%08x, required=%08x.\n",
 		extensions_bitmaps[dir][EXT_BITS_PERM][pfkey_msg->sadb_msg_type],
 		extensions_bitmaps[dir][EXT_BITS_REQ][pfkey_msg->sadb_msg_type]);
-	
+
 	extensions_seen = 1;
-	
+
 	while( (remain * IPSEC_PFKEYv2_ALIGN) >= sizeof(struct sadb_ext) ) {
 		/* Is there enough message left to support another extension header? */
 		if(remain < pfkey_ext->sadb_ext_len) {
 			DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
 				"pfkey_msg_parse: "
-				"remain %d less than ext len %d.\n", 
+				"remain %d less than ext len %d.\n",
 				remain, pfkey_ext->sadb_ext_len);
 			SENDERR(EINVAL);
 		}
-		
+
 		DEBUGGING(PF_KEY_DEBUG_PARSE_FLOW,
 			"pfkey_msg_parse: "
 			"parsing ext type=%d(%s) remain=%d.\n",
 			pfkey_ext->sadb_ext_type,
 			pfkey_v2_sadb_ext_string(pfkey_ext->sadb_ext_type),
 			remain);
-		
+
 		/* Is the extension header type valid? */
 		if((pfkey_ext->sadb_ext_type > SADB_EXT_MAX) || (!pfkey_ext->sadb_ext_type)) {
 			DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
 				"pfkey_msg_parse: "
-				"ext type %d(%s) invalid, SADB_EXT_MAX=%d.\n", 
+				"ext type %d(%s) invalid, SADB_EXT_MAX=%d.\n",
 				pfkey_ext->sadb_ext_type,
 				pfkey_v2_sadb_ext_string(pfkey_ext->sadb_ext_type),
 				SADB_EXT_MAX);
 			SENDERR(EINVAL);
 		}
-		
+
 		/* Have we already seen this type of extension? */
 		if((extensions_seen & ( 1 << pfkey_ext->sadb_ext_type )) != 0)
 		{
 			DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
 				"pfkey_msg_parse: "
-				"ext type %d(%s) already seen.\n", 
+				"ext type %d(%s) already seen.\n",
 				pfkey_ext->sadb_ext_type,
 				pfkey_v2_sadb_ext_string(pfkey_ext->sadb_ext_type));
 			SENDERR(EINVAL);
@@ -1331,7 +1331,7 @@ pfkey_msg_parse(struct sadb_msg *pfkey_msg,
 		if(ext_parsers[pfkey_ext->sadb_ext_type]==NULL) {
 			DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
 				"pfkey_msg_parse: "
-				"ext type %d(%s) unknown, ignoring.\n", 
+				"ext type %d(%s) unknown, ignoring.\n",
 				pfkey_ext->sadb_ext_type,
 				pfkey_v2_sadb_ext_string(pfkey_ext->sadb_ext_type));
 			goto next_ext;
@@ -1342,8 +1342,8 @@ pfkey_msg_parse(struct sadb_msg *pfkey_msg,
 		     1<<pfkey_ext->sadb_ext_type)) {
 			DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
 				"pfkey_msg_parse: "
-				"ext type %d(%s) not permitted, exts_perm_in=%08x, 1<<type=%08x\n", 
-				pfkey_ext->sadb_ext_type, 
+				"ext type %d(%s) not permitted, exts_perm_in=%08x, 1<<type=%08x\n",
+				pfkey_ext->sadb_ext_type,
 				pfkey_v2_sadb_ext_string(pfkey_ext->sadb_ext_type),
 				extensions_bitmaps[dir][EXT_BITS_PERM][pfkey_msg->sadb_msg_type],
 				1<<pfkey_ext->sadb_ext_type);
@@ -1359,7 +1359,7 @@ pfkey_msg_parse(struct sadb_msg *pfkey_msg,
 			  pfkey_ext->sadb_ext_len,
 			  pfkey_ext,
 			  ext_parsers[pfkey_ext->sadb_ext_type]->parser_name);
-		
+
 		/* Parse the extension */
 		if((error =
 		    (*ext_parsers[pfkey_ext->sadb_ext_type]->parser)(pfkey_ext))) {
@@ -1368,7 +1368,7 @@ pfkey_msg_parse(struct sadb_msg *pfkey_msg,
 				"extension parsing for type %d(%s) failed with error %d.\n",
 				pfkey_ext->sadb_ext_type,
 				pfkey_v2_sadb_ext_string(pfkey_ext->sadb_ext_type),
-				error); 
+				error);
 			SENDERR(-error);
 		}
 		DEBUGGING(PF_KEY_DEBUG_PARSE_FLOW,
@@ -1376,12 +1376,12 @@ pfkey_msg_parse(struct sadb_msg *pfkey_msg,
 			"Extension %d(%s) parsed.\n",
 			pfkey_ext->sadb_ext_type,
 			pfkey_v2_sadb_ext_string(pfkey_ext->sadb_ext_type));
-		
+
 		/* Mark that we have seen this extension and remember the header location */
 		extensions_seen |= ( 1 << pfkey_ext->sadb_ext_type );
 		extensions[pfkey_ext->sadb_ext_type] = pfkey_ext;
 
-	next_ext:		
+	next_ext:
 		/* Calculate how much message remains */
 		remain -= pfkey_ext->sadb_ext_len;
 
@@ -1396,7 +1396,7 @@ pfkey_msg_parse(struct sadb_msg *pfkey_msg,
 	if(remain) {
 		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
 			"pfkey_msg_parse: "
-			"unexpected remainder of %d.\n", 
+			"unexpected remainder of %d.\n",
 			remain);
 		/* why is there still something remaining? */
 		SENDERR(EINVAL);
@@ -1427,7 +1427,7 @@ pfkey_msg_parse(struct sadb_msg *pfkey_msg,
 			 extensions_bitmaps[dir][EXT_BITS_REQ][pfkey_msg->sadb_msg_type]));
 		SENDERR(EINVAL);
 	}
-	
+
 	if((dir == EXT_BITS_IN) && (pfkey_msg->sadb_msg_type == SADB_X_DELFLOW)
 	   && ((extensions_seen	& SADB_X_EXT_ADDRESS_DELFLOW)
 	       != SADB_X_EXT_ADDRESS_DELFLOW)
@@ -1443,7 +1443,7 @@ pfkey_msg_parse(struct sadb_msg *pfkey_msg,
 			(1<<SADB_EXT_SA) - (extensions_seen & (1<<SADB_EXT_SA)));
 		SENDERR(EINVAL);
 	}
-	
+
 	switch(pfkey_msg->sadb_msg_type) {
 	case SADB_ADD:
 	case SADB_UPDATE:
@@ -1457,7 +1457,7 @@ pfkey_msg_parse(struct sadb_msg *pfkey_msg,
 				SADB_SASTATE_MATURE);
 			SENDERR(EINVAL);
 		}
-		
+
 		/* check AH and ESP */
 		switch(((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_satype) {
 		case SADB_SATYPE_AH:
@@ -1529,7 +1529,7 @@ pfkey_msg_parse(struct sadb_msg *pfkey_msg,
 				ntohl(((struct sadb_sa*)(extensions[SADB_EXT_SA]))->sadb_sa_spi));
 			SENDERR(EINVAL);
 		}
-	default:	
+	default:
 		break;
 	}
 errlab:
diff --git a/src/libfreeswan/pfkeyv2.h b/src/libfreeswan/pfkeyv2.h
index 461299c78..685db1273 100644
--- a/src/libfreeswan/pfkeyv2.h
+++ b/src/libfreeswan/pfkeyv2.h
@@ -182,7 +182,7 @@ struct sadb_x_satype {
   uint8_t sadb_x_satype_satype;
   uint8_t sadb_x_satype_reserved[3];
 };
-  
+
 struct sadb_x_policy {
   uint16_t sadb_x_policy_len;
   uint16_t sadb_x_policy_exttype;
@@ -192,7 +192,7 @@ struct sadb_x_policy {
   uint32_t sadb_x_policy_id;
   uint32_t sadb_x_policy_reserved2;
 };
- 
+
 struct sadb_x_debug {
   uint16_t sadb_x_debug_len;
   uint16_t sadb_x_debug_exttype;
@@ -318,7 +318,8 @@ struct sadb_protocol {
 #define SADB_X_AALG_RIPEMD160HMAC	8
 #define SADB_X_AALG_AES_XCBC_MAC	9
 #define SADB_X_AALG_NULL			251	/* kame */
-#define SADB_AALG_MAX				251
+#define SADB_X_AALG_SHA2_256_96HMAC	252
+#define SADB_AALG_MAX				252
 
 /* Encryption algorithms */
 #define SADB_EALG_NONE				0
diff --git a/src/libfreeswan/portof.c b/src/libfreeswan/portof.c
index 6d06473ad..c44b839f3 100644
--- a/src/libfreeswan/portof.c
+++ b/src/libfreeswan/portof.c
@@ -1,12 +1,12 @@
 /*
  * low-level ip_address ugliness
  * Copyright (C) 2000  Henry Spencer.
- * 
+ *
  * This library is free software; you can redistribute it and/or modify it
  * under the terms of the GNU Library General Public License as published by
  * the Free Software Foundation; either version 2 of the License, or (at your
  * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- * 
+ *
  * This library is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
diff --git a/src/libfreeswan/prng.c b/src/libfreeswan/prng.c
index 6cb84e484..347f13f89 100644
--- a/src/libfreeswan/prng.c
+++ b/src/libfreeswan/prng.c
@@ -2,12 +2,12 @@
  * crypto-class pseudorandom number generator
  * currently uses same algorithm as RC4(TM), from Schneier 2nd ed p397
  * Copyright (C) 2002  Henry Spencer.
- * 
+ *
  * This library is free software; you can redistribute it and/or modify it
  * under the terms of the GNU Library General Public License as published by
  * the Free Software Foundation; either version 2 of the License, or (at your
  * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- * 
+ *
  * This library is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
diff --git a/src/libfreeswan/rangetoa.c b/src/libfreeswan/rangetoa.c
index c5a7ddfda..704558248 100644
--- a/src/libfreeswan/rangetoa.c
+++ b/src/libfreeswan/rangetoa.c
@@ -1,12 +1,12 @@
 /*
  * convert binary form of address range to ASCII
  * Copyright (C) 1998, 1999  Henry Spencer.
- * 
+ *
  * This library is free software; you can redistribute it and/or modify it
  * under the terms of the GNU Library General Public License as published by
  * the Free Software Foundation; either version 2 of the License, or (at your
  * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- * 
+ *
  * This library is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
diff --git a/src/libfreeswan/rangetosubnet.c b/src/libfreeswan/rangetosubnet.c
index 0defa0739..2a989300e 100644
--- a/src/libfreeswan/rangetosubnet.c
+++ b/src/libfreeswan/rangetosubnet.c
@@ -1,12 +1,12 @@
 /*
  * express an address range as a subnet (if possible)
  * Copyright (C) 2000  Henry Spencer.
- * 
+ *
  * This library is free software; you can redistribute it and/or modify it
  * under the terms of the GNU Library General Public License as published by
  * the Free Software Foundation; either version 2 of the License, or (at your
  * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- * 
+ *
  * This library is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
diff --git a/src/libfreeswan/sameaddr.c b/src/libfreeswan/sameaddr.c
index 653b94c30..47daaa4ee 100644
--- a/src/libfreeswan/sameaddr.c
+++ b/src/libfreeswan/sameaddr.c
@@ -1,12 +1,12 @@
 /*
  * comparisons
  * Copyright (C) 2000  Henry Spencer.
- * 
+ *
  * This library is free software; you can redistribute it and/or modify it
  * under the terms of the GNU Library General Public License as published by
  * the Free Software Foundation; either version 2 of the License, or (at your
  * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- * 
+ *
  * This library is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
diff --git a/src/libfreeswan/satoa.c b/src/libfreeswan/satoa.c
index fe7fb2ea0..09a152727 100644
--- a/src/libfreeswan/satoa.c
+++ b/src/libfreeswan/satoa.c
@@ -1,12 +1,12 @@
 /*
  * convert from binary form of SA ID to ASCII
  * Copyright (C) 1998, 1999, 2001  Henry Spencer.
- * 
+ *
  * This library is free software; you can redistribute it and/or modify it
  * under the terms of the GNU Library General Public License as published by
  * the Free Software Foundation; either version 2 of the License, or (at your
  * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- * 
+ *
  * This library is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
diff --git a/src/libfreeswan/satot.c b/src/libfreeswan/satot.c
index a16d62840..e70036482 100644
--- a/src/libfreeswan/satot.c
+++ b/src/libfreeswan/satot.c
@@ -1,12 +1,12 @@
 /*
  * convert from binary form of SA ID to text
  * Copyright (C) 2000, 2001  Henry Spencer.
- * 
+ *
  * This library is free software; you can redistribute it and/or modify it
  * under the terms of the GNU Library General Public License as published by
  * the Free Software Foundation; either version 2 of the License, or (at your
  * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- * 
+ *
  * This library is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
@@ -91,7 +91,7 @@ size_t dstlen;
 							PASSTHROUGH6NAME);
 		len = strlen(buf);
 	}
-	
+
 	if (sa->proto == SA_INT && addrtypeof(&sa->dst) == AF_INET &&
 						isunspecaddr(&sa->dst)) {
 		switch (ntohl(sa->spi)) {
diff --git a/src/libfreeswan/subnetof.c b/src/libfreeswan/subnetof.c
index 55786a2e4..ec9b8ec7d 100644
--- a/src/libfreeswan/subnetof.c
+++ b/src/libfreeswan/subnetof.c
@@ -1,12 +1,12 @@
 /*
  * minor network-address manipulation utilities
  * Copyright (C) 1998, 1999  Henry Spencer.
- * 
+ *
  * This library is free software; you can redistribute it and/or modify it
  * under the terms of the GNU Library General Public License as published by
  * the Free Software Foundation; either version 2 of the License, or (at your
  * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- * 
+ *
  * This library is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
diff --git a/src/libfreeswan/subnettoa.c b/src/libfreeswan/subnettoa.c
index e8d98168d..694fa40da 100644
--- a/src/libfreeswan/subnettoa.c
+++ b/src/libfreeswan/subnettoa.c
@@ -1,12 +1,12 @@
 /*
  * convert binary form of subnet description to ASCII
  * Copyright (C) 1998, 1999  Henry Spencer.
- * 
+ *
  * This library is free software; you can redistribute it and/or modify it
  * under the terms of the GNU Library General Public License as published by
  * the Free Software Foundation; either version 2 of the License, or (at your
  * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- * 
+ *
  * This library is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
diff --git a/src/libfreeswan/subnettot.c b/src/libfreeswan/subnettot.c
index 03d2e1e57..64d511ba2 100644
--- a/src/libfreeswan/subnettot.c
+++ b/src/libfreeswan/subnettot.c
@@ -1,12 +1,12 @@
 /*
  * convert binary form of subnet description to text
  * Copyright (C) 2000  Henry Spencer.
- * 
+ *
  * This library is free software; you can redistribute it and/or modify it
  * under the terms of the GNU Library General Public License as published by
  * the Free Software Foundation; either version 2 of the License, or (at your
  * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- * 
+ *
  * This library is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
diff --git a/src/libfreeswan/subnettypeof.c b/src/libfreeswan/subnettypeof.c
index 9fa15a7d5..96c283c04 100644
--- a/src/libfreeswan/subnettypeof.c
+++ b/src/libfreeswan/subnettypeof.c
@@ -1,12 +1,12 @@
 /*
  * extract parts of an ip_subnet, and related
  * Copyright (C) 2000  Henry Spencer.
- * 
+ *
  * This library is free software; you can redistribute it and/or modify it
  * under the terms of the GNU Library General Public License as published by
  * the Free Software Foundation; either version 2 of the License, or (at your
  * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- * 
+ *
  * This library is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
diff --git a/src/libfreeswan/ttoaddr.c b/src/libfreeswan/ttoaddr.c
index bda2be5ed..234c9d8e7 100644
--- a/src/libfreeswan/ttoaddr.c
+++ b/src/libfreeswan/ttoaddr.c
@@ -1,12 +1,12 @@
 /*
  * conversion from text forms of addresses to internal ones
  * Copyright (C) 2000  Henry Spencer.
- * 
+ *
  * This library is free software; you can redistribute it and/or modify it
  * under the terms of the GNU Library General Public License as published by
  * the Free Software Foundation; either version 2 of the License, or (at your
  * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- * 
+ *
  * This library is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
@@ -61,7 +61,7 @@ ip_address *dst;
 	case AF_INET6:
 	case 0:                  /* guess */
 		break;
-	    
+
 	default:
 		return "invalid address family";
 	}
@@ -78,7 +78,7 @@ ip_address *dst;
 	    {
 		af = AF_INET6;
 	    }
-	    
+
 		if (af != AF_INET6)
 			return "non-ipv6 address may not contain `:'";
 		return colon(src, srclen, dst);
@@ -127,7 +127,7 @@ ip_address *dst;
 		}
 		return "does not appear to be either IPv4 or IPv6 numeric address";
 		break;
-	    
+
 	case AF_INET6:
 		return colon(src, srclen, dst);
 		break;
diff --git a/src/libfreeswan/ttodata.c b/src/libfreeswan/ttodata.c
index b0d5e4d01..ef3717797 100644
--- a/src/libfreeswan/ttodata.c
+++ b/src/libfreeswan/ttodata.c
@@ -1,12 +1,12 @@
 /*
  * convert from text form of arbitrary data (e.g., keys) to binary
  * Copyright (C) 2000  Henry Spencer.
- * 
+ *
  * This library is free software; you can redistribute it and/or modify it
  * under the terms of the GNU Library General Public License as published by
  * the Free Software Foundation; either version 2 of the License, or (at your
  * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- * 
+ *
  * This library is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
@@ -125,7 +125,7 @@ unsigned int flags;
 			else if (!(skipSpace && (*src == ' ' || *src == '\t')))
 				stage[sl++] = *src;
 		}
-		
+
 		nbytes = (*decode)(stage, buf, sizeof(buf));
 		switch (nbytes) {
 		case BADCH0:
@@ -229,7 +229,7 @@ size_t dstlen;		/* not large enough is a failure */
 
 	if (dstlen < 1)
 		return SHORT;
-	
+
 	p = strchr(hex, *src);
 	if (p == NULL)
 		p = strchr(hex, tolower(*src));
@@ -659,7 +659,7 @@ char *pgm;
 				break;
 			}
 		}
-		
+
 		if (base >= IGNORESPACE_BIAS) {
 			base = base - IGNORESPACE_BIAS;
 			check(r, buf, n, ttodatav(r->ascii, 0, base, buf, sizeof(buf), &n, NULL, 0, TTODATAV_IGNORESPACE), &status);
diff --git a/src/libfreeswan/ttoprotoport.c b/src/libfreeswan/ttoprotoport.c
index c3d033168..e75b206be 100644
--- a/src/libfreeswan/ttoprotoport.c
+++ b/src/libfreeswan/ttoprotoport.c
@@ -72,7 +72,7 @@ bool *has_port_wildcard;	/* set if port is %any */
 
     /* is there a port wildcard? */
     *has_port_wildcard = (strcmp(service_name, "%any") == 0);
-   
+
     if (*has_port_wildcard)
     {
 	*port = 0;
diff --git a/src/libfreeswan/ttosa.c b/src/libfreeswan/ttosa.c
index 20e01b152..9873231c0 100644
--- a/src/libfreeswan/ttosa.c
+++ b/src/libfreeswan/ttosa.c
@@ -1,12 +1,12 @@
 /*
  * convert from text form of SA ID to binary
  * Copyright (C) 2000, 2001  Henry Spencer.
- * 
+ *
  * This library is free software; you can redistribute it and/or modify it
  * under the terms of the GNU Library General Public License as published by
  * the Free Software Foundation; either version 2 of the License, or (at your
  * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- * 
+ *
  * This library is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
diff --git a/src/libfreeswan/ttosubnet.c b/src/libfreeswan/ttosubnet.c
index 36c039a96..a18a3f326 100644
--- a/src/libfreeswan/ttosubnet.c
+++ b/src/libfreeswan/ttosubnet.c
@@ -1,12 +1,12 @@
 /*
  * convert from text form of subnet specification to binary
  * Copyright (C) 2000  Henry Spencer.
- * 
+ *
  * This library is free software; you can redistribute it and/or modify it
  * under the terms of the GNU Library General Public License as published by
  * the Free Software Foundation; either version 2 of the License, or (at your
  * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- * 
+ *
  * This library is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
diff --git a/src/libfreeswan/ttoul.c b/src/libfreeswan/ttoul.c
index 853a6130c..7524789c4 100644
--- a/src/libfreeswan/ttoul.c
+++ b/src/libfreeswan/ttoul.c
@@ -1,12 +1,12 @@
 /*
  * convert from text form of unsigned long to binary
  * Copyright (C) 2000  Henry Spencer.
- * 
+ *
  * This library is free software; you can redistribute it and/or modify it
  * under the terms of the GNU Library General Public License as published by
  * the Free Software Foundation; either version 2 of the License, or (at your
  * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- * 
+ *
  * This library is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
diff --git a/src/libfreeswan/ultoa.c b/src/libfreeswan/ultoa.c
index ef45366a1..16ddd2c1e 100644
--- a/src/libfreeswan/ultoa.c
+++ b/src/libfreeswan/ultoa.c
@@ -1,12 +1,12 @@
 /*
  * convert unsigned long to ASCII
  * Copyright (C) 1998, 1999  Henry Spencer.
- * 
+ *
  * This library is free software; you can redistribute it and/or modify it
  * under the terms of the GNU Library General Public License as published by
  * the Free Software Foundation; either version 2 of the License, or (at your
  * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- * 
+ *
  * This library is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
diff --git a/src/libfreeswan/ultot.c b/src/libfreeswan/ultot.c
index c4f2d7884..6685f8f7c 100644
--- a/src/libfreeswan/ultot.c
+++ b/src/libfreeswan/ultot.c
@@ -1,12 +1,12 @@
 /*
  * convert unsigned long to text
  * Copyright (C) 2000  Henry Spencer.
- * 
+ *
  * This library is free software; you can redistribute it and/or modify it
  * under the terms of the GNU Library General Public License as published by
  * the Free Software Foundation; either version 2 of the License, or (at your
  * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- * 
+ *
  * This library is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
diff --git a/src/libsimaka/Makefile.am b/src/libsimaka/Makefile.am
new file mode 100644
index 000000000..f64e4dba3
--- /dev/null
+++ b/src/libsimaka/Makefile.am
@@ -0,0 +1,6 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
+
+noinst_LTLIBRARIES = libsimaka.la
+libsimaka_la_SOURCES = simaka_message.h simaka_message.c \
+  simaka_crypto.h simaka_crypto.c
diff --git a/src/libsimaka/Makefile.in b/src/libsimaka/Makefile.in
new file mode 100644
index 000000000..9a448ef02
--- /dev/null
+++ b/src/libsimaka/Makefile.in
@@ -0,0 +1,516 @@
+# Makefile.in generated by automake 1.11 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libsimaka
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+LTLIBRARIES = $(noinst_LTLIBRARIES)
+libsimaka_la_LIBADD =
+am_libsimaka_la_OBJECTS = simaka_message.lo simaka_crypto.lo
+libsimaka_la_OBJECTS = $(am_libsimaka_la_OBJECTS)
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libsimaka_la_SOURCES)
+DIST_SOURCES = $(libsimaka_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libstrongswan_plugins = @libstrongswan_plugins@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
+noinst_LTLIBRARIES = libsimaka.la
+libsimaka_la_SOURCES = simaka_message.h simaka_message.c \
+  simaka_crypto.h simaka_crypto.c
+
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libsimaka/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libsimaka/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libsimaka.la: $(libsimaka_la_OBJECTS) $(libsimaka_la_DEPENDENCIES) 
+	$(LINK)  $(libsimaka_la_OBJECTS) $(libsimaka_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/simaka_crypto.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/simaka_message.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am:
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am:
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES ctags distclean \
+	distclean-compile distclean-generic distclean-libtool \
+	distclean-tags distdir dvi dvi-am html html-am info info-am \
+	install install-am install-data install-data-am install-dvi \
+	install-dvi-am install-exec install-exec-am install-html \
+	install-html-am install-info install-info-am install-man \
+	install-pdf install-pdf-am install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libsimaka/simaka_crypto.c b/src/libsimaka/simaka_crypto.c
new file mode 100644
index 000000000..b85502012
--- /dev/null
+++ b/src/libsimaka/simaka_crypto.c
@@ -0,0 +1,241 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "simaka_crypto.h"
+
+#include <daemon.h>
+
+/** length of the k_encr key */
+#define KENCR_LEN 16
+/** length of the k_auth key */
+#define KAUTH_LEN 16
+/** length of the MSK */
+#define MSK_LEN 64
+/** length of the EMSK */
+#define EMSK_LEN 64
+
+typedef struct private_simaka_crypto_t private_simaka_crypto_t;
+
+/**
+ * Private data of an simaka_crypto_t object.
+ */
+struct private_simaka_crypto_t {
+
+	/**
+	 * Public simaka_crypto_t interface.
+	 */
+	simaka_crypto_t public;
+
+	/**
+	 * signer to create/verify AT_MAC
+	 */
+	signer_t *signer;
+
+	/**
+	 * crypter to encrypt/decrypt AT_ENCR_DATA
+	 */
+	crypter_t *crypter;
+
+	/**
+	 * hasher used in key derivation
+	 */
+	hasher_t *hasher;
+
+	/**
+	 * PRF function used in key derivation
+	 */
+	prf_t *prf;
+
+	/**
+	 * Random number generator to generate nonces
+	 */
+	rng_t *rng;
+
+	/**
+	 * Have k_encr/k_auth been derived?
+	 */
+	bool derived;
+};
+
+/**
+ * Implementation of simaka_crypto_t.get_signer
+ */
+static signer_t* get_signer(private_simaka_crypto_t *this)
+{
+	return this->derived ? this->signer : NULL;
+}
+
+/**
+ * Implementation of simaka_crypto_t.get_crypter
+ */
+static crypter_t* get_crypter(private_simaka_crypto_t *this)
+{
+	return this->derived ? this->crypter : NULL;
+}
+
+/**
+ * Implementation of simaka_crypto_t.get_rng
+ */
+static rng_t* get_rng(private_simaka_crypto_t *this)
+{
+	return this->rng;
+}
+
+/**
+ * Implementation of simaka_crypto_t.derive_keys_full
+ */
+static chunk_t derive_keys_full(private_simaka_crypto_t *this,
+								identification_t *id, chunk_t data, chunk_t *mk)
+{
+	chunk_t str, msk, k_encr, k_auth;
+	int i;
+
+	/* For SIM: MK = SHA1(Identity|n*Kc|NONCE_MT|Version List|Selected Version)
+	 * For AKA: MK = SHA1(Identity|IK|CK) */
+	this->hasher->get_hash(this->hasher, id->get_encoding(id), NULL);
+	this->hasher->allocate_hash(this->hasher, data, mk);
+	DBG3(DBG_IKE, "MK %B", mk);
+
+	/* K_encr | K_auth | MSK | EMSK = prf() | prf() | prf() | prf() */
+	this->prf->set_key(this->prf, *mk);
+	str = chunk_alloca(this->prf->get_block_size(this->prf) * 3);
+	for (i = 0; i < 3; i++)
+	{
+		this->prf->get_bytes(this->prf, chunk_empty, str.ptr + str.len / 3 * i);
+	}
+
+	k_encr = chunk_create(str.ptr, KENCR_LEN);
+	k_auth = chunk_create(str.ptr + KENCR_LEN, KAUTH_LEN);
+	msk = chunk_create(str.ptr + KENCR_LEN + KAUTH_LEN, MSK_LEN);
+	DBG3(DBG_IKE, "K_encr %B\nK_auth %B\nMSK %B", &k_encr, &k_auth, &msk);
+
+	this->signer->set_key(this->signer, k_auth);
+	this->crypter->set_key(this->crypter, k_encr);
+
+	charon->sim->key_hook(charon->sim, k_encr, k_auth);
+
+	this->derived = TRUE;
+	return chunk_clone(msk);
+}
+
+/**
+ * Implementation of simaka_crypto_t.derive_keys_reauth
+ */
+static void derive_keys_reauth(private_simaka_crypto_t *this, chunk_t mk)
+{
+	chunk_t str, k_encr, k_auth;
+	int i;
+
+	/* K_encr | K_auth = prf() | prf() */
+	this->prf->set_key(this->prf, mk);
+	str = chunk_alloca(this->prf->get_block_size(this->prf) * 2);
+	for (i = 0; i < 2; i++)
+	{
+		this->prf->get_bytes(this->prf, chunk_empty, str.ptr + str.len / 2 * i);
+	}
+	k_encr = chunk_create(str.ptr, KENCR_LEN);
+	k_auth = chunk_create(str.ptr + KENCR_LEN, KAUTH_LEN);
+	DBG3(DBG_IKE, "K_encr %B\nK_auth %B", &k_encr, &k_auth);
+
+	this->signer->set_key(this->signer, k_auth);
+	this->crypter->set_key(this->crypter, k_encr);
+
+	charon->sim->key_hook(charon->sim, k_encr, k_auth);
+
+	this->derived = TRUE;
+}
+
+/**
+ * Implementation of simaka_crypto_t.derive_keys_reauth_msk
+ */
+static chunk_t derive_keys_reauth_msk(private_simaka_crypto_t *this,
+									  identification_t *id, chunk_t counter,
+									  chunk_t nonce_s, chunk_t mk)
+{
+	char xkey[HASH_SIZE_SHA1];
+	chunk_t str, msk;
+	int i;
+
+	this->hasher->get_hash(this->hasher, id->get_encoding(id), NULL);
+	this->hasher->get_hash(this->hasher, counter, NULL);
+	this->hasher->get_hash(this->hasher, nonce_s, NULL);
+	this->hasher->get_hash(this->hasher, mk, xkey);
+
+	/* MSK | EMSK = prf() | prf() | prf() | prf() */
+	this->prf->set_key(this->prf, chunk_create(xkey, sizeof(xkey)));
+	str = chunk_alloca(this->prf->get_block_size(this->prf) * 2);
+	for (i = 0; i < 2; i++)
+	{
+		this->prf->get_bytes(this->prf, chunk_empty, str.ptr + str.len / 2 * i);
+	}
+	msk = chunk_create(str.ptr, MSK_LEN);
+	DBG3(DBG_IKE, "MSK %B", &msk);
+
+	return chunk_clone(msk);
+}
+
+/**
+ * Implementation of simaka_crypto_t.clear_keys
+ */
+static void clear_keys(private_simaka_crypto_t *this)
+{
+	this->derived = FALSE;
+}
+
+/**
+ * Implementation of simaka_crypto_t.destroy.
+ */
+static void destroy(private_simaka_crypto_t *this)
+{
+	DESTROY_IF(this->rng);
+	DESTROY_IF(this->hasher);
+	DESTROY_IF(this->prf);
+	DESTROY_IF(this->signer);
+	DESTROY_IF(this->crypter);
+	free(this);
+}
+
+/**
+ * See header
+ */
+simaka_crypto_t *simaka_crypto_create()
+{
+	private_simaka_crypto_t *this = malloc_thing(private_simaka_crypto_t);
+
+	this->public.get_signer = (signer_t*(*)(simaka_crypto_t*))get_signer;
+	this->public.get_crypter = (crypter_t*(*)(simaka_crypto_t*))get_crypter;
+	this->public.get_rng = (rng_t*(*)(simaka_crypto_t*))get_rng;
+	this->public.derive_keys_full = (chunk_t(*)(simaka_crypto_t*, identification_t *id, chunk_t data, chunk_t *mk))derive_keys_full;
+	this->public.derive_keys_reauth = (void(*)(simaka_crypto_t*, chunk_t mk))derive_keys_reauth;
+	this->public.derive_keys_reauth_msk = (chunk_t(*)(simaka_crypto_t*, identification_t *id, chunk_t counter, chunk_t nonce_s, chunk_t mk))derive_keys_reauth_msk;
+	this->public.clear_keys = (void(*)(simaka_crypto_t*))clear_keys;
+	this->public.destroy = (void(*)(simaka_crypto_t*))destroy;
+
+	this->derived = FALSE;
+	this->rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
+	this->hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
+	this->prf = lib->crypto->create_prf(lib->crypto, PRF_FIPS_SHA1_160);
+	this->signer = lib->crypto->create_signer(lib->crypto, AUTH_HMAC_SHA1_128);
+	this->crypter = lib->crypto->create_crypter(lib->crypto, ENCR_AES_CBC, 16);
+	if (!this->rng || !this->hasher || !this->prf ||
+		!this->signer || !this->crypter)
+	{
+		DBG1(DBG_IKE, "unable to use EAP-SIM, missing algorithms");
+		destroy(this);
+		return NULL;
+	}
+	return &this->public;
+}
+
diff --git a/src/libsimaka/simaka_crypto.h b/src/libsimaka/simaka_crypto.h
new file mode 100644
index 000000000..d1830e658
--- /dev/null
+++ b/src/libsimaka/simaka_crypto.h
@@ -0,0 +1,110 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup simaka_crypto simaka_crypto
+ * @{ @ingroup libsimaka
+ */
+
+#ifndef SIMAKA_CRYPTO_H_
+#define SIMAKA_CRYPTO_H_
+
+#include <library.h>
+
+typedef struct simaka_crypto_t simaka_crypto_t;
+
+/**
+ * EAP-SIM/AKA crypto helper and key derivation class.
+ */
+struct simaka_crypto_t {
+
+	/**
+	 * Get the signer to use for AT_MAC calculation/verification.
+	 *
+	 * @return		signer reference, NULL if no keys have been derived
+	 */
+	signer_t* (*get_signer)(simaka_crypto_t *this);
+
+	/**
+	 * Get the signer to use for AT_ENCR_DATA encryption/decryption.
+	 *
+	 * @return		crypter reference, NULL if no keys have been derived
+	 */
+	crypter_t* (*get_crypter)(simaka_crypto_t *this);
+
+	/**
+	 * Get the random number generator.
+	 *
+	 * @return		rng reference
+	 */
+	rng_t* (*get_rng)(simaka_crypto_t *this);
+
+	/**
+	 * Derive keys after full authentication.
+	 *
+	 * This methods derives the k_encr/k_auth keys and loads them into the
+	 * internal crypter/signer instances. The passed data is method specific:
+	 * For EAP-SIM, it is "n*Kc|NONCE_MT|Version List|Selected Version", for
+	 * EAP-AKA it is "IK|CK".
+	 *
+	 * @param id	peer identity
+	 * @param data	method specific data
+	 * @param mk	chunk receiving allocated master key MK
+	 * @return		allocated MSK value
+	 */
+	chunk_t (*derive_keys_full)(simaka_crypto_t *this, identification_t *id,
+								chunk_t data, chunk_t *mk);
+
+	/**
+	 * Derive k_encr/k_auth keys from MK using fast reauthentication.
+	 *
+	 * This methods derives the k_encr/k_auth keys and loads them into the
+	 * internal crypter/signer instances.
+	 *
+	 * @param mk	master key
+	 */
+	void (*derive_keys_reauth)(simaka_crypto_t *this, chunk_t mk);
+
+	/**
+	 * Derive MSK using fast reauthentication.
+	 *
+	 * @param id		fast reauthentication identity
+	 * @param counter	fast reauthentication counter value, network order
+	 * @param nonce_s	server generated NONCE_S value
+	 * @param mk		master key of last full authentication
+	 */
+	chunk_t (*derive_keys_reauth_msk)(simaka_crypto_t *this,
+									  identification_t *id, chunk_t counter,
+									  chunk_t nonce_s, chunk_t mk);
+
+	/**
+	 * Clear keys (partially) derived.
+	 */
+	void (*clear_keys)(simaka_crypto_t *this);
+
+	/**
+	 * Destroy a simaka_crypto_t.
+	 */
+	void (*destroy)(simaka_crypto_t *this);
+};
+
+/**
+ * Create a simaka_crypto instance.
+ *
+ * @return		EAP-SIM/AKA crypto instance, NULL if algorithms missing
+ */
+simaka_crypto_t *simaka_crypto_create();
+
+#endif /** SIMAKA_CRYPTO_H_ @}*/
diff --git a/src/libsimaka/simaka_message.c b/src/libsimaka/simaka_message.c
new file mode 100644
index 000000000..22d111bfd
--- /dev/null
+++ b/src/libsimaka/simaka_message.c
@@ -0,0 +1,909 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "simaka_message.h"
+
+typedef struct private_simaka_message_t private_simaka_message_t;
+typedef struct hdr_t hdr_t;
+typedef struct attr_hdr_t attr_hdr_t;
+typedef struct attr_t attr_t;
+
+/**
+ * packed EAP-SIM/AKA header struct
+ */
+struct hdr_t {
+	/** EAP code (REQUEST/RESPONSE) */
+	u_int8_t code;
+	/** unique message identifier */
+	u_int8_t identifier;
+	/** length of whole message */
+	u_int16_t length;
+	/** EAP type => EAP_SIM/EAP_AKA */
+	u_int8_t type;
+	/** SIM subtype */
+	u_int8_t subtype;
+	/** reserved bytes */
+	u_int16_t reserved;
+} __attribute__((__packed__));
+
+/**
+ * packed EAP-SIM/AKA attribute header struct
+ */
+struct attr_hdr_t {
+	/** attribute type */
+	u_int8_t type;
+	/** attibute length */
+	u_int8_t length;
+} __attribute__((__packed__));
+
+/**
+ * SIM/AKA attribute, parsed
+ */
+struct attr_t {
+	/** type of attribute */
+	simaka_attribute_t type;
+	/** length of data */
+	size_t len;
+	/** start of data, variable length */
+	char data[];
+};
+
+ENUM_BEGIN(simaka_subtype_names, AKA_CHALLENGE, AKA_IDENTITY,
+	"AKA_CHALLENGE",
+	"AKA_AUTHENTICATION_REJECT",
+	"AKA_3",
+	"AKA_SYNCHRONIZATION_FAILURE",
+	"AKA_IDENTITY");
+ENUM_NEXT(simaka_subtype_names, SIM_START, AKA_CLIENT_ERROR, AKA_IDENTITY,
+	"SIM_START",
+	"SIM_CHALLENGE",
+	"SIM/AKA_NOTIFICATION",
+	"SIM/AKA_REAUTHENTICATION",
+	"SIM/AKA_CLIENT_ERROR");
+ENUM_END(simaka_subtype_names, AKA_CLIENT_ERROR);
+
+
+ENUM_BEGIN(simaka_attribute_names, AT_RAND, AT_CLIENT_ERROR_CODE,
+	"AT_RAND",
+	"AT_AUTN",
+	"AT_RES",
+	"AT_AUTS",
+	"AT_5",
+	"AT_PADDING",
+	"AT_NONCE_MT",
+	"AT_8",
+	"AT_9",
+	"AT_PERMANENT_ID_REQ",
+	"AT_MAC",
+	"AT_NOTIFICATION",
+	"AT_ANY_ID_REQ",
+	"AT_IDENTITY",
+	"AT_VERSION_LIST",
+	"AT_SELECTED_VERSION",
+	"AT_FULLAUTH_ID_REQ",
+	"AT_18",
+	"AT_COUNTER",
+	"AT_COUNTER_TOO_SMALL",
+	"AT_NONCE_S",
+	"AT_CLIENT_ERROR_CODE");
+ENUM_NEXT(simaka_attribute_names, AT_IV, AT_RESULT_IND, AT_CLIENT_ERROR_CODE,
+	"AT_IV",
+	"AT_ENCR_DATA",
+	"AT_131",
+	"AT_NEXT_PSEUDONYM",
+	"AT_NEXT_REAUTH_ID",
+	"AT_CHECKCODE",
+	"AT_RESULT_IND");
+ENUM_END(simaka_attribute_names, AT_RESULT_IND);
+
+
+ENUM_BEGIN(simaka_notification_names, SIM_GENERAL_FAILURE_AA, SIM_GENERAL_FAILURE_AA,
+	"General failure after authentication");
+ENUM_NEXT(simaka_notification_names, SIM_TEMP_DENIED, SIM_TEMP_DENIED, SIM_GENERAL_FAILURE_AA,
+	"User has been temporarily denied access");
+ENUM_NEXT(simaka_notification_names, SIM_NOT_SUBSCRIBED, SIM_NOT_SUBSCRIBED, SIM_TEMP_DENIED,
+	"User has not subscribed to the requested service");
+ENUM_NEXT(simaka_notification_names, SIM_GENERAL_FAILURE, SIM_GENERAL_FAILURE, SIM_NOT_SUBSCRIBED,
+	"General failure");
+ENUM_NEXT(simaka_notification_names, SIM_SUCCESS, SIM_SUCCESS, SIM_GENERAL_FAILURE,
+	"User has been successfully authenticated");
+ENUM_END(simaka_notification_names, SIM_SUCCESS);
+
+
+ENUM(simaka_client_error_names, SIM_UNABLE_TO_PROCESS, SIM_RANDS_NOT_FRESH,
+	"unable to process packet",
+	"unsupported version",
+	"insufficient number of challenges",
+	"RANDs are not fresh",
+);
+
+/**
+ * Check if an EAP-SIM/AKA attribute is skippable
+ */
+bool simaka_attribute_skippable(simaka_attribute_t attribute)
+{
+	bool skippable = !(attribute >= 0 && attribute <= 127);
+
+	DBG1(DBG_IKE, "%sskippable EAP-SIM/AKA attribute %N",
+		 skippable ? "ignoring " : "found non-",
+		 simaka_attribute_names, attribute);
+	return skippable;
+}
+
+/**
+ * Private data of an simaka_message_t object.
+ */
+struct private_simaka_message_t {
+
+	/**
+	 * Public simaka_message_t interface.
+	 */
+	simaka_message_t public;
+
+	/**
+	 * EAP message, starting with EAP header
+	 */
+	hdr_t *hdr;
+
+	/**
+	 * List of parsed attributes, attr_t
+	 */
+	linked_list_t *attributes;
+
+	/**
+	 * Currently parsing AT_ENCR_DATA wrapped attributes?
+	 */
+	bool encrypted;
+
+	/**
+	 * crypto helper
+	 */
+	simaka_crypto_t *crypto;
+
+	/**
+	 * Phase a NOTIFICATION is sent within
+	 */
+	bool p_bit;
+
+	/**
+	 * MAC value, pointing into message
+	 */
+	chunk_t mac;
+
+	/**
+	 * ENCR_DATA value, pointing into message
+	 */
+	chunk_t encr;
+
+	/**
+	 * IV value, pointing into message
+	 */
+	chunk_t iv;
+};
+
+/**
+ * Implementation of simaka_message_t.is_request
+ */
+static bool is_request(private_simaka_message_t *this)
+{
+	return this->hdr->code == EAP_REQUEST;
+}
+
+/**
+ * Implementation of simaka_message_t.get_identifier
+ */
+static u_int8_t get_identifier(private_simaka_message_t *this)
+{
+	return this->hdr->identifier;
+}
+
+/**
+ * Implementation of simaka_message_t.get_subtype
+ */
+static simaka_subtype_t get_subtype(private_simaka_message_t *this)
+{
+	return this->hdr->subtype;
+}
+
+/**
+ * Implementation of simaka_message_t.get_type
+ */
+static eap_type_t get_type(private_simaka_message_t *this)
+{
+	return this->hdr->type;
+}
+
+/**
+ * convert attr_t to type and data enumeration
+ */
+static bool attr_enum_filter(void *null, attr_t **in, simaka_attribute_t *type,
+							 void *dummy, chunk_t *data)
+{
+	attr_t *attr = *in;
+
+	*type = attr->type;
+	*data = chunk_create(attr->data, attr->len);
+	return TRUE;
+}
+
+/**
+ * Implementation of simaka_message_t.create_attribute_enumerator
+ */
+static enumerator_t* create_attribute_enumerator(private_simaka_message_t *this)
+{
+	return enumerator_create_filter(
+						this->attributes->create_enumerator(this->attributes),
+						(void*)attr_enum_filter, NULL, NULL);
+}
+
+/**
+ * Implementation of simaka_message_t.add_attribute
+ */
+static void add_attribute(private_simaka_message_t *this,
+						  simaka_attribute_t type, chunk_t data)
+{
+	attr_t *attr;
+
+	if (!charon->sim->attribute_hook(charon->sim, this->hdr->code,
+							this->hdr->type, this->hdr->subtype, type, data))
+	{
+		attr = malloc(sizeof(attr_t) + data.len);
+		attr->len = data.len;
+		attr->type = type;
+		memcpy(attr->data, data.ptr, data.len);
+
+		this->attributes->insert_last(this->attributes, attr);
+	}
+}
+
+/**
+ * Error handling for unencrypted attributes
+ */
+static bool not_encrypted(simaka_attribute_t type)
+{
+	DBG1(DBG_IKE, "received unencrypted %N", simaka_attribute_names, type);
+	return FALSE;
+}
+
+/**
+ * Error handling for invalid length
+ */
+static bool invalid_length(simaka_attribute_t type)
+{
+	DBG1(DBG_IKE, "invalid length of %N", simaka_attribute_names, type);
+	return FALSE;
+}
+
+/**
+ * Parse attributes from a chunk of data
+ */
+static bool parse_attributes(private_simaka_message_t *this, chunk_t in)
+{
+	while (in.len)
+	{
+		attr_hdr_t *hdr;
+		chunk_t data;
+
+		if (in.len < sizeof(attr_hdr_t))
+		{
+			DBG1(DBG_IKE, "found short %N attribute header",
+				 eap_type_names, this->hdr->type);
+			return FALSE;
+		}
+		hdr = (attr_hdr_t*)in.ptr;
+
+		switch (hdr->type)
+		{
+			/* attributes without data */
+			case AT_COUNTER_TOO_SMALL:
+				if (!this->encrypted)
+				{
+					return not_encrypted(hdr->type);
+				}
+				/* FALL */
+			case AT_ANY_ID_REQ:
+			case AT_PERMANENT_ID_REQ:
+			case AT_FULLAUTH_ID_REQ:
+			{
+				if (hdr->length != 1 || in.len < 4)
+				{
+					return invalid_length(hdr->type);
+				}
+				data = chunk_empty;
+				in = chunk_skip(in, 4);
+				break;
+			}
+			/* attributes with two bytes data */
+			case AT_COUNTER:
+				if (!this->encrypted)
+				{
+					return not_encrypted(hdr->type);
+				}
+				/* FALL */
+			case AT_CLIENT_ERROR_CODE:
+			case AT_SELECTED_VERSION:
+			case AT_NOTIFICATION:
+			{
+				if (hdr->length != 1 || in.len < 4)
+				{
+					return invalid_length(hdr->type);
+				}
+				data = chunk_create(in.ptr + 2, 2);
+				in = chunk_skip(in, 4);
+				break;
+			}
+			/* attributes with an additional actual-length in bits or bytes */
+			case AT_NEXT_PSEUDONYM:
+			case AT_NEXT_REAUTH_ID:
+				if (!this->encrypted)
+				{
+					return not_encrypted(hdr->type);
+				}
+				/* FALL */
+			case AT_RES:
+			case AT_IDENTITY:
+			case AT_VERSION_LIST:
+			{
+				u_int16_t len;
+
+				if (hdr->length < 1 || in.len < 4)
+				{
+					return invalid_length(hdr->type);
+				}
+				memcpy(&len, in.ptr + 2, 2);
+				len = ntohs(len);
+				if (hdr->type == AT_RES)
+				{	/* AT_RES uses length encoding in bits */
+					len /= 8;
+				}
+				if (len > hdr->length * 4 || len > in.len)
+				{
+					return invalid_length(hdr->type);
+				}
+				data = chunk_create(in.ptr + 4, len);
+				in = chunk_skip(in, hdr->length * 4);
+				break;
+			}
+			/* attributes with two reserved bytes, 16 bytes length */
+			case AT_NONCE_S:
+				if (!this->encrypted)
+				{
+					return not_encrypted(hdr->type);
+				}
+				/* FALL */
+			case AT_AUTN:
+			case AT_NONCE_MT:
+			case AT_IV:
+			case AT_MAC:
+			{
+				if (hdr->length != 5 || in.len < 20)
+				{
+					return invalid_length(hdr->type);
+				}
+				data = chunk_create(in.ptr + 4, 16);
+				in = chunk_skip(in, 20);
+				break;
+			}
+			/* attributes with two reserved bytes, variable length */
+			case AT_ENCR_DATA:
+			case AT_RAND:
+			{
+				if (hdr->length * 4 > in.len || in.len < 4)
+				{
+					return invalid_length(hdr->type);
+				}
+				data = chunk_create(in.ptr + 4, hdr->length * 4 - 4);
+				in = chunk_skip(in, hdr->length * 4);
+				break;
+			}
+			/* attributes with no reserved bytes, 14 bytes length */
+			case AT_AUTS:
+			{
+				if (hdr->length != 4 || in.len < 16)
+				{
+					return invalid_length(hdr->type);
+				}
+				data = chunk_create(in.ptr + 2, 14);
+				in = chunk_skip(in, 16);
+				break;
+			}
+			/* other attributes (with 4n + 2 length) */
+			case AT_PADDING:
+			default:
+			{
+				if (hdr->length * 4 > in.len || in.len < 4)
+				{
+					return invalid_length(hdr->type);
+				}
+				data = chunk_create(in.ptr + 2, hdr->length * 4 - 2);
+				in = chunk_skip(in, hdr->length * 4);
+				break;
+			}
+		}
+
+		/* handle special attributes */
+		switch (hdr->type)
+		{
+			case AT_MAC:
+				this->mac = data;
+				break;
+			case AT_IV:
+				this->iv = data;
+				break;
+			case AT_ENCR_DATA:
+				this->encr = data;
+				break;
+			case AT_PADDING:
+				break;
+			case AT_NOTIFICATION:
+				if (this->p_bit)
+				{	/* remember P bit for MAC verification */
+					this->p_bit = !!(data.ptr[0] & 0x40);
+				}
+				else if (!this->encrypted)
+				{
+					DBG1(DBG_IKE, "found P-bit 0 notify in unencrypted message");
+					return FALSE;
+				}
+				/* FALL */
+			default:
+				add_attribute(this, hdr->type, data);
+				break;
+		}
+	}
+	return TRUE;
+}
+
+/**
+ * Decrypt a message and parse the decrypted attributes
+ */
+static bool decrypt(private_simaka_message_t *this)
+{
+	bool success;
+	crypter_t *crypter;
+	chunk_t plain;
+
+	crypter = this->crypto->get_crypter(this->crypto);
+	if (!crypter || !this->iv.len || !this->encr.len || this->encrypted)
+	{
+		return TRUE;
+	}
+	if (this->encr.len % crypter->get_block_size(crypter))
+	{
+		DBG1(DBG_IKE, "%N ENCR_DATA not a multiple of block size",
+			 eap_type_names, this->hdr->type);
+		return FALSE;
+	}
+
+	crypter->decrypt(crypter, this->encr, this->iv, &plain);
+
+	this->encrypted = TRUE;
+	success = parse_attributes(this, plain);
+	this->encrypted = FALSE;
+	free(plain.ptr);
+	return success;
+}
+
+/**
+ * Implementation of simaka_message_t.parse
+ */
+static bool parse(private_simaka_message_t *this)
+{
+	chunk_t in;
+
+	if (this->attributes->get_count(this->attributes))
+	{	/* Already parsed. Try to decrypt and parse AT_ENCR_DATA. */
+		return decrypt(this);
+	}
+
+	in = chunk_create((char*)this->hdr, ntohs(this->hdr->length));
+	if (!parse_attributes(this, chunk_skip(in, sizeof(hdr_t))))
+	{
+		return FALSE;
+	}
+	/* try to decrypt if we already have keys */
+	return decrypt(this);
+}
+
+/**
+ * Implementation of simaka_message_t.verify
+ */
+static bool verify(private_simaka_message_t *this, chunk_t sigdata)
+{
+	chunk_t data, backup;
+	signer_t *signer;
+
+	signer = this->crypto->get_signer(this->crypto);
+
+	switch (this->hdr->subtype)
+	{
+		case SIM_START:
+		case SIM_CLIENT_ERROR:
+		  /* AKA_CLIENT_ERROR: */
+		case AKA_AUTHENTICATION_REJECT:
+		case AKA_SYNCHRONIZATION_FAILURE:
+		case AKA_IDENTITY:
+			/* skip MAC if available */
+			return TRUE;
+		case SIM_CHALLENGE:
+		case AKA_CHALLENGE:
+		case SIM_REAUTHENTICATION:
+		  /* AKA_REAUTHENTICATION: */
+		{
+			if (!this->mac.ptr || !signer)
+			{	/* require MAC, but not found */
+				DBG1(DBG_IKE, "%N message requires a MAC, but none found",
+					 simaka_subtype_names, this->hdr->subtype);
+				return FALSE;
+			}
+			break;
+		}
+		case SIM_NOTIFICATION:
+		  /* AKA_NOTIFICATION: */
+		{
+			if (this->p_bit)
+			{	/* MAC not verified if in Phase 1 */
+				return TRUE;
+			}
+			if (!this->mac.ptr || !signer)
+			{
+				DBG1(DBG_IKE, "%N message has a phase 0 notify, but "
+					 "no MAC found", simaka_subtype_names, this->hdr->subtype);
+				return FALSE;
+			}
+			break;
+		}
+		default:
+			/* unknown message? */
+			DBG1(DBG_IKE, "signature rule for %N messages missing",
+				 simaka_subtype_names, this->hdr->subtype);
+			return FALSE;
+	}
+
+	/* zero MAC for verification */
+	backup = chunk_clonea(this->mac);
+	memset(this->mac.ptr, 0, this->mac.len);
+
+	data = chunk_create((char*)this->hdr, ntohs(this->hdr->length));
+	if (sigdata.len)
+	{
+		data = chunk_cata("cc", data, sigdata);
+	}
+	if (!signer->verify_signature(signer, data, backup))
+	{
+		DBG1(DBG_IKE, "%N MAC verification failed",
+			 eap_type_names, this->hdr->type);
+		return FALSE;
+	}
+	return TRUE;
+}
+
+/**
+ * Implementation of simaka_message_t.generate
+ */
+static eap_payload_t* generate(private_simaka_message_t *this, chunk_t sigdata)
+{
+	/* buffers large enough for messages we generate */
+	char out_buf[1024], encr_buf[512];
+	enumerator_t *enumerator;
+	chunk_t out, encr, data, *target, mac = chunk_empty;
+	simaka_attribute_t type;
+	attr_hdr_t *hdr;
+	u_int16_t len;
+	signer_t *signer;
+
+	out = chunk_create(out_buf, sizeof(out_buf));
+	encr = chunk_create(encr_buf, sizeof(encr_buf));
+
+	/* copy header */
+	memcpy(out.ptr, this->hdr, sizeof(hdr_t));
+	out = chunk_skip(out, sizeof(hdr_t));
+
+	/* encode attributes */
+	enumerator = create_attribute_enumerator(this);
+	while (enumerator->enumerate(enumerator, &type, &data))
+	{
+		/* encrypt this attribute? */
+		switch (type)
+		{
+			case AT_NONCE_S:
+			case AT_NEXT_PSEUDONYM:
+			case AT_NEXT_REAUTH_ID:
+			case AT_COUNTER:
+			case AT_COUNTER_TOO_SMALL:
+				target = &encr;
+				break;
+			case AT_NOTIFICATION:
+				/* P bit not set, encrypt */
+				if (!(data.ptr[0] & 0x40))
+				{
+					target = &encr;
+					break;
+				}
+				/* FALL */
+			default:
+				target = &out;
+				break;
+		}
+
+		hdr = (attr_hdr_t*)target->ptr;
+		hdr->type = type;
+
+		/* encode type specific */
+		switch (type)
+		{
+			/* attributes without data */
+			case AT_COUNTER_TOO_SMALL:
+			case AT_ANY_ID_REQ:
+			case AT_PERMANENT_ID_REQ:
+			case AT_FULLAUTH_ID_REQ:
+			{
+				hdr->length = 1;
+				memset(target->ptr + 2, 0, 2);
+				*target = chunk_skip(*target, 4);
+				break;
+			}
+			/* attributes with two bytes data */
+			case AT_COUNTER:
+			case AT_CLIENT_ERROR_CODE:
+			case AT_SELECTED_VERSION:
+			case AT_NOTIFICATION:
+			{
+				hdr->length = 1;
+				memcpy(target->ptr + 2, data.ptr, 2);
+				*target = chunk_skip(*target, 4);
+				break;
+			}
+			/* attributes with an additional actual-length in bits or bytes */
+			case AT_NEXT_PSEUDONYM:
+			case AT_NEXT_REAUTH_ID:
+			case AT_IDENTITY:
+			case AT_VERSION_LIST:
+			case AT_RES:
+			{
+				u_int16_t len, padding;
+
+				len = htons(data.len);
+				if (type == AT_RES)
+				{	/* AT_RES uses length encoding in bits */
+					len *= 8;
+				}
+				memcpy(target->ptr + 2, &len, sizeof(len));
+				memcpy(target->ptr + 4, data.ptr, data.len);
+				hdr->length = data.len / 4 + 1;
+				padding = (4 - (data.len % 4)) % 4;
+				if (padding)
+				{
+					hdr->length++;
+					memset(target->ptr + 4 + data.len, 0, padding);
+				}
+				*target = chunk_skip(*target, hdr->length * 4);
+				break;
+			}
+			/* attributes with two reserved bytes, 16 bytes length */
+			case AT_NONCE_S:
+			case AT_NONCE_MT:
+			case AT_AUTN:
+			{
+				hdr->length = 5;
+				memset(target->ptr + 2, 0, 2);
+				memcpy(target->ptr + 4, data.ptr, data.len);
+				*target = chunk_skip(*target, 20);
+				break;
+			}
+			/* attributes with two reserved bytes, variable length */
+			case AT_RAND:
+			{
+				hdr->length = 1 + data.len / 4;
+				memset(target->ptr + 2, 0, 2);
+				memcpy(target->ptr + 4, data.ptr, data.len);
+				*target = chunk_skip(*target, data.len + 4);
+				break;
+			}
+			/* attributes with no reserved bytes, 14 bytes length */
+			case AT_AUTS:
+			{
+				hdr->length = 4;
+				memcpy(target->ptr + 2, data.ptr, data.len);
+				*target = chunk_skip(*target, 16);
+				break;
+			}
+			default:
+			{
+				DBG1(DBG_IKE, "no rule to encode %N, skipped",
+					 simaka_attribute_names, type);
+				break;
+			}
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	/* encrypt attributes, if any */
+	if (encr.len < sizeof(encr_buf))
+	{
+		chunk_t iv;
+		size_t bs, padding;
+		crypter_t *crypter;
+		rng_t *rng;
+
+		crypter = this->crypto->get_crypter(this->crypto);
+		bs = crypter->get_block_size(crypter);
+
+		/* add AT_PADDING attribute */
+		padding = bs - ((sizeof(encr_buf) - encr.len) % bs);
+		if (padding)
+		{
+			hdr = (attr_hdr_t*)encr.ptr;
+			hdr->type = AT_PADDING;
+			hdr->length = padding / 4;
+			memset(encr.ptr + 2, 0, padding - 2);
+			encr = chunk_skip(encr, padding);
+		}
+		encr = chunk_create(encr_buf, sizeof(encr_buf) - encr.len);
+
+		/* add IV attribute */
+		hdr = (attr_hdr_t*)out.ptr;
+		hdr->type = AT_IV;
+		hdr->length = bs / 4 + 1;
+		memset(out.ptr + 2, 0, 2);
+		out = chunk_skip(out, 4);
+
+		rng = this->crypto->get_rng(this->crypto);
+		rng->get_bytes(rng, bs, out.ptr);
+
+		iv = chunk_clonea(chunk_create(out.ptr, bs));
+		out = chunk_skip(out, bs);
+
+		/* inline encryption */
+		crypter->encrypt(crypter, encr, iv, NULL);
+
+		/* add ENCR_DATA attribute */
+		hdr = (attr_hdr_t*)out.ptr;
+		hdr->type = AT_ENCR_DATA;
+		hdr->length = encr.len / 4 + 1;
+		memset(out.ptr + 2, 0, 2);
+		memcpy(out.ptr + 4, encr.ptr, encr.len);
+		out = chunk_skip(out, encr.len + 4);
+	}
+
+	/* include MAC ? */
+	signer = this->crypto->get_signer(this->crypto);
+	switch (this->hdr->subtype)
+	{
+		case SIM_CHALLENGE:
+		case AKA_CHALLENGE:
+		case SIM_REAUTHENTICATION:
+		  /* AKA_REAUTHENTICATION: */
+		/* TODO: Notifications without P bit */
+		{
+			size_t bs;
+
+			bs = signer->get_block_size(signer);
+			hdr = (attr_hdr_t*)out.ptr;
+			hdr->type = AT_MAC;
+			hdr->length = bs / 4 + 1;
+			memset(out.ptr + 2, 0, 2 + bs);
+			mac = chunk_create(out.ptr + 4, bs);
+			out = chunk_skip(out, bs + 4);
+			break;
+		}
+		default:
+			break;
+	}
+
+	/* calculate message length */
+	out = chunk_create(out_buf, sizeof(out_buf) - out.len);
+	len = htons(out.len);
+	memcpy(out.ptr + 2, &len, sizeof(len));
+
+	/* generate MAC */
+	if (mac.len)
+	{
+		data = chunk_cata("cc", out, sigdata);
+		signer->get_signature(signer, data, mac.ptr);
+	}
+	return eap_payload_create_data(out);
+}
+
+/**
+ * Implementation of simaka_message_t.destroy.
+ */
+static void destroy(private_simaka_message_t *this)
+{
+	this->attributes->destroy_function(this->attributes, free);
+	free(this->hdr);
+	free(this);
+}
+
+/**
+ * Generic constructor.
+ */
+static simaka_message_t *simaka_message_create_data(chunk_t data,
+													simaka_crypto_t *crypto)
+{
+	private_simaka_message_t *this;
+	hdr_t *hdr = (hdr_t*)data.ptr;
+
+	if (data.len < sizeof(hdr_t) || hdr->length != htons(data.len))
+	{
+		DBG1(DBG_IKE, "EAP-SIM/AKA header has invalid length");
+		return NULL;
+	}
+	if (hdr->code != EAP_REQUEST && hdr->code != EAP_RESPONSE)
+	{
+		DBG1(DBG_IKE, "invalid EAP code in EAP-SIM/AKA message",
+			 eap_type_names, hdr->type);
+		return NULL;
+	}
+	if (hdr->type != EAP_SIM && hdr->type != EAP_AKA)
+	{
+		DBG1(DBG_IKE, "invalid EAP type in EAP-SIM/AKA message",
+			 eap_type_names, hdr->type);
+		return NULL;
+	}
+
+	this = malloc_thing(private_simaka_message_t);
+
+	this->public.is_request = (bool(*)(simaka_message_t*))is_request;
+	this->public.get_identifier = (u_int8_t(*)(simaka_message_t*))get_identifier;
+	this->public.get_type = (eap_type_t(*)(simaka_message_t*))get_type;
+	this->public.get_subtype = (simaka_subtype_t(*)(simaka_message_t*))get_subtype;
+	this->public.create_attribute_enumerator = (enumerator_t*(*)(simaka_message_t*))create_attribute_enumerator;
+	this->public.add_attribute = (void(*)(simaka_message_t*, simaka_attribute_t type, chunk_t data))add_attribute;
+	this->public.parse = (bool(*)(simaka_message_t*))parse;
+	this->public.verify = (bool(*)(simaka_message_t*, chunk_t sigdata))verify;
+	this->public.generate = (eap_payload_t*(*)(simaka_message_t*, chunk_t sigdata))generate;
+	this->public.destroy = (void(*)(simaka_message_t*))destroy;
+
+	this->attributes = linked_list_create();
+	this->encrypted = FALSE;
+	this->crypto = crypto;
+	this->p_bit = TRUE;
+	this->mac = chunk_empty;
+	this->encr = chunk_empty;
+	this->iv = chunk_empty;
+	this->hdr = malloc(data.len);
+	memcpy(this->hdr, hdr, data.len);
+
+	return &this->public;
+}
+
+/**
+ * See header.
+ */
+simaka_message_t *simaka_message_create_from_payload(eap_payload_t *payload,
+													 simaka_crypto_t *crypto)
+{
+	return simaka_message_create_data(payload->get_data(payload), crypto);
+}
+
+/**
+ * See header.
+ */
+simaka_message_t *simaka_message_create(bool request, u_int8_t identifier,
+									eap_type_t type, simaka_subtype_t subtype,
+									simaka_crypto_t *crypto)
+{
+	hdr_t hdr = {
+		.code = request ? EAP_REQUEST : EAP_RESPONSE,
+		.identifier = identifier,
+		.length = htons(sizeof(hdr_t)),
+		.type = type,
+		.subtype = subtype,
+	};
+	return simaka_message_create_data(chunk_create((char*)&hdr, sizeof(hdr)),
+									  crypto);
+}
+
diff --git a/src/libsimaka/simaka_message.h b/src/libsimaka/simaka_message.h
new file mode 100644
index 000000000..ee9b3ebec
--- /dev/null
+++ b/src/libsimaka/simaka_message.h
@@ -0,0 +1,273 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup libsimaka libsimaka
+ *
+ * @addtogroup libsimaka
+ * Library providing functions shared between EAP-SIM and EAP-AKA plugins.
+ *
+ * @defgroup simaka_message simaka_message
+ * @{ @ingroup libsimaka
+ */
+
+#ifndef SIMAKA_MESSAGE_H_
+#define SIMAKA_MESSAGE_H_
+
+#include <enum.h>
+#include <daemon.h>
+
+#include "simaka_crypto.h"
+
+typedef struct simaka_message_t simaka_message_t;
+typedef enum simaka_attribute_t simaka_attribute_t;
+typedef enum simaka_subtype_t simaka_subtype_t;
+typedef enum simaka_notification_t simaka_notification_t;
+typedef enum simaka_client_error_t simaka_client_error_t;
+
+/**
+ * Subtypes of EAP-SIM/AKA messages
+ */
+enum simaka_subtype_t {
+	AKA_CHALLENGE = 1,
+	AKA_AUTHENTICATION_REJECT = 2,
+	AKA_SYNCHRONIZATION_FAILURE = 4,
+	AKA_IDENTITY = 5,
+	SIM_START = 10,
+	SIM_CHALLENGE = 11,
+	SIM_NOTIFICATION = 12,
+	AKA_NOTIFICATION = 12,
+	SIM_REAUTHENTICATION = 13,
+	AKA_REAUTHENTICATION = 13,
+	SIM_CLIENT_ERROR = 14,
+	AKA_CLIENT_ERROR = 14,
+};
+
+/**
+ * Enum names for simaka_subtype_t
+ */
+extern enum_name_t *simaka_subtype_names;
+
+/**
+ * Attributes in EAP-SIM/AKA messages
+ */
+enum simaka_attribute_t {
+	AT_RAND = 1,
+	AT_AUTN = 2,
+	AT_RES = 3,
+	AT_AUTS = 4,
+	AT_PADDING = 6,
+	AT_NONCE_MT = 7,
+	AT_PERMANENT_ID_REQ = 10,
+	AT_MAC = 11,
+	AT_NOTIFICATION = 12,
+	AT_ANY_ID_REQ = 13,
+	AT_IDENTITY = 14,
+	AT_VERSION_LIST = 15,
+	AT_SELECTED_VERSION = 16,
+	AT_FULLAUTH_ID_REQ = 17,
+	AT_COUNTER = 19,
+	AT_COUNTER_TOO_SMALL = 20,
+	AT_NONCE_S = 21,
+	AT_CLIENT_ERROR_CODE = 22,
+	AT_IV = 129,
+	AT_ENCR_DATA = 130,
+	AT_NEXT_PSEUDONYM = 132,
+	AT_NEXT_REAUTH_ID = 133,
+	AT_CHECKCODE = 134,
+	AT_RESULT_IND = 135,
+};
+
+/**
+ * Enum names for simaka_attribute_t
+ */
+extern enum_name_t *simaka_attribute_names;
+
+/**
+ * Notification codes used within AT_NOTIFICATION attribute.
+ */
+enum simaka_notification_t {
+	/** SIM General failure after authentication. (Implies failure) */
+	SIM_GENERAL_FAILURE_AA = 0,
+	/** AKA General failure after authentication. (Implies failure) */
+	AKA_GENERAL_FAILURE_AA = 0,
+	/** SIM General failure. (Implies failure, used before authentication) */
+	SIM_GENERAL_FAILURE = 16384,
+	/** AKA General failure. (Implies failure, used before authentication) */
+	AKA_GENERAL_FAILURE = 16384,
+	/** SIM User has been temporarily denied access to the requested service. */
+	SIM_TEMP_DENIED = 1026,
+	/** AKA User has been temporarily denied access to the requested service. */
+	AKA_TEMP_DENIED = 1026,
+	/** SIM User has not subscribed to the requested service. */
+	SIM_NOT_SUBSCRIBED = 1031,
+	/** AKA User has not subscribed to the requested service. */
+	AKA_NOT_SUBSCRIBED = 1031,
+	/** SIM Success. User has been successfully authenticated. */
+	SIM_SUCCESS = 32768,
+	/** AKA Success. User has been successfully authenticated. */
+	AKA_SUCCESS = 32768,
+};
+
+/**
+ * Enum names for simaka_notification_t
+ */
+extern enum_name_t *simaka_notification_names;
+
+/**
+ * Error codes sent in AT_CLIENT_ERROR_CODE attribute
+ */
+enum simaka_client_error_t {
+	/** AKA unable to process packet */
+	AKA_UNABLE_TO_PROCESS = 0,
+	/** SIM unable to process packet */
+	SIM_UNABLE_TO_PROCESS = 0,
+	/** SIM unsupported version */
+	SIM_UNSUPPORTED_VERSION = 1,
+	/** SIM insufficient number of challenges */
+	SIM_INSUFFICIENT_CHALLENGES = 2,
+	/** SIM RANDs are not fresh */
+	SIM_RANDS_NOT_FRESH = 3,
+};
+
+/**
+ * Enum names for simaka_client_error_t
+ */
+extern enum_name_t *simaka_client_error_names;
+
+/**
+ * Check if an EAP-SIM/AKA attribute is "skippable".
+ *
+ * @param attribute		attribute to check
+ * @return				TRUE if attribute skippable, FALSE if non-skippable
+ */
+bool simaka_attribute_skippable(simaka_attribute_t attribute);
+
+/**
+ * EAP-SIM and EAP-AKA message abstraction.
+ *
+ * Messages for EAP-SIM and EAP-AKA share a common format, this class
+ * abstracts such a message and provides encoding/encryption/signing
+ * functionality.
+ */
+struct simaka_message_t {
+
+	/**
+	 * Check if the given message is a request or response.
+	 *
+	 * @return			TRUE if request, FALSE if response
+	 */
+	bool (*is_request)(simaka_message_t *this);
+
+	/**
+	 * Get the EAP message identifier.
+	 *
+	 * @return			EAP message identifier
+	 */
+	u_int8_t (*get_identifier)(simaka_message_t *this);
+
+	/**
+	 * Get the EAP type of the message.
+	 *
+	 * @return			EAP type: EAP-SIM or EAP-AKA
+	 */
+	eap_type_t (*get_type)(simaka_message_t *this);
+
+	/**
+	 * Get the subtype of an EAP-SIM message.
+	 *
+	 * @return			subtype of message
+	 */
+	simaka_subtype_t (*get_subtype)(simaka_message_t *this);
+
+	/**
+	 * Create an enumerator over message attributes.
+	 *
+	 * @return			enumerator over (simaka_attribute_t, chunk_t)
+	 */
+	enumerator_t* (*create_attribute_enumerator)(simaka_message_t *this);
+
+	/**
+	 * Append an attribute to the EAP-SIM message.
+	 *
+	 * Make sure to pass only data of correct length for the given attribute.
+	 *
+	 * @param type		type of attribute to add to message
+	 * @param data		unpadded attribute data to add
+	 */
+	void (*add_attribute)(simaka_message_t *this, simaka_attribute_t type,
+						  chunk_t data);
+
+	/**
+	 * Parse a message, with optional attribute decryption.
+	 *
+	 * This method does not verify message integrity, as the key is available
+	 * only after the payload has been parsed. It might be necessary to call
+	 * parse twice, as key derivation data in EAP-SIM/AKA is in the same
+	 * packet as encrypted data.
+	 *
+	 * @param crypto	EAP-SIM/AKA crypto helper
+	 * @return			TRUE if message parsed successfully
+	 */
+	bool (*parse)(simaka_message_t *this);
+
+	/**
+	 * Verify the message integrity of a parsed message.
+	 *
+	 * @param crypto	EAP-SIM/AKA crypto helper
+	 * @param sigdata	additional data to include in signature, if any
+	 * @return			TRUE if message integrity check successful
+	 */
+	bool (*verify)(simaka_message_t *this, chunk_t sigdata);
+
+	/**
+	 * Generate a message, optionally encrypt attributes and create a MAC.
+	 *
+	 * @param sigdata	additional data to include in signature, if any
+	 * @return			generated eap payload, NULL if failed
+	 */
+	eap_payload_t* (*generate)(simaka_message_t *this, chunk_t sigdata);
+
+	/**
+	 * Destroy a simaka_message_t.
+	 */
+	void (*destroy)(simaka_message_t *this);
+};
+
+/**
+ * Create an empty simaka_message.
+ *
+ * @param request		TRUE for a request message, FALSE for a response
+ * @param identifier	EAP message identifier
+ * @param type			EAP type: EAP-SIM or EAP-AKA
+ * @param subtype		subtype of the EAP message
+ * @param crypto		EAP-SIM/AKA crypto helper
+ * @return				empty message of requested kind, NULL on error
+ */
+simaka_message_t *simaka_message_create(bool request, u_int8_t identifier,
+									eap_type_t type, simaka_subtype_t subtype,
+									simaka_crypto_t *crypto);
+
+/**
+ * Create an simaka_message from a chunk of data.
+ *
+ * @param payload		payload to create message from
+ * @param crypto		EAP-SIM/AKA crypto helper
+ * @return				EAP message, NULL on error
+ */
+simaka_message_t *simaka_message_create_from_payload(eap_payload_t *payload,
+													 simaka_crypto_t *crypto);
+
+#endif /** SIMAKA_MESSAGE_H_ @}*/
diff --git a/src/libstrongswan/Makefile.am b/src/libstrongswan/Makefile.am
index ee6996558..7ee15052c 100644
--- a/src/libstrongswan/Makefile.am
+++ b/src/libstrongswan/Makefile.am
@@ -10,7 +10,9 @@ printf_hook.c printf_hook.h \
 asn1/asn1.c asn1/asn1.h \
 asn1/asn1_parser.c asn1/asn1_parser.h \
 asn1/oid.c asn1/oid.h \
-asn1/pem.c asn1/pem.h \
+attributes/attributes.c attributes/attributes.h \
+attributes/attribute_provider.h attributes/attribute_handler.h \
+attributes/attribute_manager.c attributes/attribute_manager.h \
 crypto/crypters/crypter.c crypto/crypters/crypter.h \
 crypto/hashers/hasher.h crypto/hashers/hasher.c \
 crypto/pkcs9.c crypto/pkcs9.h \
@@ -25,6 +27,7 @@ crypto/diffie_hellman.c crypto/diffie_hellman.h \
 crypto/transform.c crypto/transform.h \
 credentials/credential_factory.c credentials/credential_factory.h \
 credentials/builder.c credentials/builder.h \
+credentials/keys/key_encoding.c credentials/keys/key_encoding.h \
 credentials/keys/private_key.c credentials/keys/private_key.h \
 credentials/keys/public_key.c credentials/keys/public_key.h \
 credentials/keys/shared_key.c credentials/keys/shared_key.h \
@@ -32,11 +35,19 @@ credentials/certificates/certificate.c credentials/certificates/certificate.h \
 credentials/certificates/x509.h credentials/certificates/x509.c \
 credentials/certificates/ac.h \
 credentials/certificates/crl.h credentials/certificates/crl.c \
+credentials/certificates/pkcs10.h \
 credentials/certificates/ocsp_request.h \
 credentials/certificates/ocsp_response.h credentials/certificates/ocsp_response.c \
+credentials/certificates/pgp_certificate.h \
+credentials/ietf_attributes/ietf_attributes.c credentials/ietf_attributes/ietf_attributes.h \
 database/database.h database/database_factory.h database/database_factory.c \
 fetcher/fetcher.h fetcher/fetcher_manager.h fetcher/fetcher_manager.c \
-pgp/pgp.c pgp/pgp.h \
+selectors/traffic_selector.c selectors/traffic_selector.h \
+threading/thread.h threading/thread.c \
+threading/thread_value.h threading/thread_value.c \
+threading/mutex.h threading/mutex.c threading/condvar.h  \
+threading/rwlock.h threading/rwlock.c \
+threading/lock_profiler.h \
 utils.h utils.c \
 utils/host.c utils/host.h \
 utils/identification.c utils/identification.h \
@@ -46,16 +57,16 @@ utils/linked_list.c utils/linked_list.h \
 utils/hashtable.c utils/hashtable.h \
 utils/enumerator.c utils/enumerator.h \
 utils/optionsfrom.c utils/optionsfrom.h \
-utils/mutex.c utils/mutex.h \
 utils/backtrace.c utils/backtrace.h \
 plugins/plugin_loader.c plugins/plugin_loader.h plugins/plugin.h
 
-libstrongswan_la_LIBADD = -lpthread $(DLLIB) $(BTLIB) $(SOCKLIB)
+libstrongswan_la_LIBADD = $(PTHREADLIB) $(DLLIB) $(BTLIB) $(SOCKLIB) $(RTLIB)
 
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
 AM_CFLAGS = \
 -DIPSEC_DIR=\"${ipsecdir}\" \
--DIPSEC_PLUGINDIR=\"${plugindir}\"
+-DPLUGINDIR=\"${plugindir}\" \
+-DSTRONGSWAN_CONF=\"${strongswan_conf}\"
 
 if USE_LEAK_DETECTIVE
   AM_CFLAGS += -DLEAK_DETECTIVE
@@ -162,6 +173,22 @@ if USE_PUBKEY
   SUBDIRS += plugins/pubkey
 endif
 
+if USE_PKCS1
+  SUBDIRS += plugins/pkcs1
+endif
+
+if USE_PGP
+  SUBDIRS += plugins/pgp
+endif
+
+if USE_DNSKEY
+  SUBDIRS += plugins/dnskey
+endif
+
+if USE_PEM
+  SUBDIRS += plugins/pem
+endif
+
 if USE_CURL
   SUBDIRS += plugins/curl
 endif
@@ -178,6 +205,10 @@ if USE_SQLITE
   SUBDIRS += plugins/sqlite
 endif
 
+if USE_ATTR_SQL
+  SUBDIRS += plugins/attr_sql
+endif
+
 if USE_PADLOCK
   SUBDIRS += plugins/padlock
 endif
diff --git a/src/libstrongswan/Makefile.in b/src/libstrongswan/Makefile.in
index ae751c098..729d32eb3 100644
--- a/src/libstrongswan/Makefile.in
+++ b/src/libstrongswan/Makefile.in
@@ -1,8 +1,9 @@
-# Makefile.in generated by automake 1.10.2 from Makefile.am.
+# Makefile.in generated by automake 1.11 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,8 +17,9 @@
 
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
@@ -56,44 +58,74 @@ host_triplet = @host@
 @USE_XCBC_TRUE@am__append_18 = plugins/xcbc
 @USE_X509_TRUE@am__append_19 = plugins/x509
 @USE_PUBKEY_TRUE@am__append_20 = plugins/pubkey
-@USE_CURL_TRUE@am__append_21 = plugins/curl
-@USE_LDAP_TRUE@am__append_22 = plugins/ldap
-@USE_MYSQL_TRUE@am__append_23 = plugins/mysql
-@USE_SQLITE_TRUE@am__append_24 = plugins/sqlite
-@USE_PADLOCK_TRUE@am__append_25 = plugins/padlock
-@USE_OPENSSL_TRUE@am__append_26 = plugins/openssl
-@USE_GCRYPT_TRUE@am__append_27 = plugins/gcrypt
-@USE_AGENT_TRUE@am__append_28 = plugins/agent
-@USE_TEST_VECTORS_TRUE@am__append_29 = plugins/test_vectors
+@USE_PKCS1_TRUE@am__append_21 = plugins/pkcs1
+@USE_PGP_TRUE@am__append_22 = plugins/pgp
+@USE_DNSKEY_TRUE@am__append_23 = plugins/dnskey
+@USE_PEM_TRUE@am__append_24 = plugins/pem
+@USE_CURL_TRUE@am__append_25 = plugins/curl
+@USE_LDAP_TRUE@am__append_26 = plugins/ldap
+@USE_MYSQL_TRUE@am__append_27 = plugins/mysql
+@USE_SQLITE_TRUE@am__append_28 = plugins/sqlite
+@USE_ATTR_SQL_TRUE@am__append_29 = plugins/attr_sql
+@USE_PADLOCK_TRUE@am__append_30 = plugins/padlock
+@USE_OPENSSL_TRUE@am__append_31 = plugins/openssl
+@USE_GCRYPT_TRUE@am__append_32 = plugins/gcrypt
+@USE_AGENT_TRUE@am__append_33 = plugins/agent
+@USE_TEST_VECTORS_TRUE@am__append_34 = plugins/test_vectors
 subdir = src/libstrongswan
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
 CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
 am__vpath_adj = case $$p in \
     $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
     *) f=$$p;; \
   esac;
-am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__installdirs = "$(DESTDIR)$(libdir)"
-libLTLIBRARIES_INSTALL = $(INSTALL)
 LTLIBRARIES = $(lib_LTLIBRARIES)
 am__DEPENDENCIES_1 =
 libstrongswan_la_DEPENDENCIES = $(am__DEPENDENCIES_1) \
+	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
 	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
 	$(am__DEPENDENCIES_1)
 am__libstrongswan_la_SOURCES_DIST = library.c library.h chunk.c \
 	chunk.h debug.c debug.h enum.c enum.h settings.h settings.c \
 	printf_hook.c printf_hook.h asn1/asn1.c asn1/asn1.h \
 	asn1/asn1_parser.c asn1/asn1_parser.h asn1/oid.c asn1/oid.h \
-	asn1/pem.c asn1/pem.h crypto/crypters/crypter.c \
-	crypto/crypters/crypter.h crypto/hashers/hasher.h \
-	crypto/hashers/hasher.c crypto/pkcs9.c crypto/pkcs9.h \
-	crypto/proposal/proposal_keywords.c \
+	attributes/attributes.c attributes/attributes.h \
+	attributes/attribute_provider.h attributes/attribute_handler.h \
+	attributes/attribute_manager.c attributes/attribute_manager.h \
+	crypto/crypters/crypter.c crypto/crypters/crypter.h \
+	crypto/hashers/hasher.h crypto/hashers/hasher.c crypto/pkcs9.c \
+	crypto/pkcs9.h crypto/proposal/proposal_keywords.c \
 	crypto/proposal/proposal_keywords.h crypto/prfs/prf.c \
 	crypto/prfs/prf.h crypto/rngs/rng.c crypto/rngs/rng.h \
 	crypto/prf_plus.h crypto/prf_plus.c crypto/signers/signer.c \
@@ -103,7 +135,8 @@ am__libstrongswan_la_SOURCES_DIST = library.c library.h chunk.c \
 	crypto/diffie_hellman.h crypto/transform.c crypto/transform.h \
 	credentials/credential_factory.c \
 	credentials/credential_factory.h credentials/builder.c \
-	credentials/builder.h credentials/keys/private_key.c \
+	credentials/builder.h credentials/keys/key_encoding.c \
+	credentials/keys/key_encoding.h credentials/keys/private_key.c \
 	credentials/keys/private_key.h credentials/keys/public_key.c \
 	credentials/keys/public_key.h credentials/keys/shared_key.c \
 	credentials/keys/shared_key.h \
@@ -112,18 +145,26 @@ am__libstrongswan_la_SOURCES_DIST = library.c library.h chunk.c \
 	credentials/certificates/x509.h \
 	credentials/certificates/x509.c credentials/certificates/ac.h \
 	credentials/certificates/crl.h credentials/certificates/crl.c \
+	credentials/certificates/pkcs10.h \
 	credentials/certificates/ocsp_request.h \
 	credentials/certificates/ocsp_response.h \
-	credentials/certificates/ocsp_response.c database/database.h \
-	database/database_factory.h database/database_factory.c \
-	fetcher/fetcher.h fetcher/fetcher_manager.h \
-	fetcher/fetcher_manager.c pgp/pgp.c pgp/pgp.h utils.h utils.c \
-	utils/host.c utils/host.h utils/identification.c \
-	utils/identification.h utils/iterator.h utils/lexparser.c \
-	utils/lexparser.h utils/linked_list.c utils/linked_list.h \
-	utils/hashtable.c utils/hashtable.h utils/enumerator.c \
-	utils/enumerator.h utils/optionsfrom.c utils/optionsfrom.h \
-	utils/mutex.c utils/mutex.h utils/backtrace.c \
+	credentials/certificates/ocsp_response.c \
+	credentials/certificates/pgp_certificate.h \
+	credentials/ietf_attributes/ietf_attributes.c \
+	credentials/ietf_attributes/ietf_attributes.h \
+	database/database.h database/database_factory.h \
+	database/database_factory.c fetcher/fetcher.h \
+	fetcher/fetcher_manager.h fetcher/fetcher_manager.c \
+	selectors/traffic_selector.c selectors/traffic_selector.h \
+	threading/thread.h threading/thread.c threading/thread_value.h \
+	threading/thread_value.c threading/mutex.h threading/mutex.c \
+	threading/condvar.h threading/rwlock.h threading/rwlock.c \
+	threading/lock_profiler.h utils.h utils.c utils/host.c \
+	utils/host.h utils/identification.c utils/identification.h \
+	utils/iterator.h utils/lexparser.c utils/lexparser.h \
+	utils/linked_list.c utils/linked_list.h utils/hashtable.c \
+	utils/hashtable.h utils/enumerator.c utils/enumerator.h \
+	utils/optionsfrom.c utils/optionsfrom.h utils/backtrace.c \
 	utils/backtrace.h plugins/plugin_loader.c \
 	plugins/plugin_loader.h plugins/plugin.h \
 	utils/leak_detective.c utils/leak_detective.h \
@@ -132,19 +173,22 @@ am__libstrongswan_la_SOURCES_DIST = library.c library.h chunk.c \
 @USE_INTEGRITY_TEST_TRUE@am__objects_2 = integrity_checker.lo
 am_libstrongswan_la_OBJECTS = library.lo chunk.lo debug.lo enum.lo \
 	settings.lo printf_hook.lo asn1.lo asn1_parser.lo oid.lo \
-	pem.lo crypter.lo hasher.lo pkcs9.lo proposal_keywords.lo \
-	prf.lo rng.lo prf_plus.lo signer.lo crypto_factory.lo \
-	crypto_tester.lo diffie_hellman.lo transform.lo \
-	credential_factory.lo builder.lo private_key.lo public_key.lo \
-	shared_key.lo certificate.lo x509.lo crl.lo ocsp_response.lo \
-	database_factory.lo fetcher_manager.lo pgp.lo utils.lo host.lo \
+	attributes.lo attribute_manager.lo crypter.lo hasher.lo \
+	pkcs9.lo proposal_keywords.lo prf.lo rng.lo prf_plus.lo \
+	signer.lo crypto_factory.lo crypto_tester.lo diffie_hellman.lo \
+	transform.lo credential_factory.lo builder.lo key_encoding.lo \
+	private_key.lo public_key.lo shared_key.lo certificate.lo \
+	x509.lo crl.lo ocsp_response.lo ietf_attributes.lo \
+	database_factory.lo fetcher_manager.lo traffic_selector.lo \
+	thread.lo thread_value.lo mutex.lo rwlock.lo utils.lo host.lo \
 	identification.lo lexparser.lo linked_list.lo hashtable.lo \
-	enumerator.lo optionsfrom.lo mutex.lo backtrace.lo \
-	plugin_loader.lo $(am__objects_1) $(am__objects_2)
+	enumerator.lo optionsfrom.lo backtrace.lo plugin_loader.lo \
+	$(am__objects_1) $(am__objects_2)
 libstrongswan_la_OBJECTS = $(am_libstrongswan_la_OBJECTS)
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
+am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
@@ -165,15 +209,45 @@ RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \
 	ps-recursive uninstall-recursive
 RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive	\
   distclean-recursive maintainer-clean-recursive
+AM_RECURSIVE_TARGETS = $(RECURSIVE_TARGETS:-recursive=) \
+	$(RECURSIVE_CLEAN_TARGETS:-recursive=) tags TAGS ctags CTAGS \
+	distdir
 ETAGS = etags
 CTAGS = ctags
 DIST_SUBDIRS = . plugins/aes plugins/des plugins/blowfish plugins/md4 \
 	plugins/md5 plugins/sha1 plugins/sha2 plugins/fips_prf \
 	plugins/gmp plugins/random plugins/hmac plugins/xcbc \
-	plugins/x509 plugins/pubkey plugins/curl plugins/ldap \
-	plugins/mysql plugins/sqlite plugins/padlock plugins/openssl \
-	plugins/gcrypt plugins/agent plugins/test_vectors
+	plugins/x509 plugins/pubkey plugins/pkcs1 plugins/pgp \
+	plugins/dnskey plugins/pem plugins/curl plugins/ldap \
+	plugins/mysql plugins/sqlite plugins/attr_sql plugins/padlock \
+	plugins/openssl plugins/gcrypt plugins/agent \
+	plugins/test_vectors
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+am__relativize = \
+  dir0=`pwd`; \
+  sed_first='s,^\([^/]*\)/.*$$,\1,'; \
+  sed_rest='s,^[^/]*/*,,'; \
+  sed_last='s,^.*/\([^/]*\)$$,\1,'; \
+  sed_butlast='s,/*[^/]*$$,,'; \
+  while test -n "$$dir1"; do \
+    first=`echo "$$dir1" | sed -e "$$sed_first"`; \
+    if test "$$first" != "."; then \
+      if test "$$first" = ".."; then \
+        dir2=`echo "$$dir0" | sed -e "$$sed_last"`/"$$dir2"; \
+        dir0=`echo "$$dir0" | sed -e "$$sed_butlast"`; \
+      else \
+        first2=`echo "$$dir2" | sed -e "$$sed_first"`; \
+        if test "$$first2" = "$$first"; then \
+          dir2=`echo "$$dir2" | sed -e "$$sed_rest"`; \
+        else \
+          dir2="../$$dir2"; \
+        fi; \
+        dir0="$$dir0"/"$$first"; \
+      fi; \
+    fi; \
+    dir1=`echo "$$dir1" | sed -e "$$sed_rest"`; \
+  done; \
+  reldir="$$dir2"
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
@@ -207,25 +281,22 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
-IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
-LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
-LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
-LINUX_HEADERS = @LINUX_HEADERS@
 LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
 NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
@@ -237,11 +308,14 @@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
 PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
+RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
@@ -270,9 +344,9 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
-confdir = @confdir@
 datadir = @datadir@
 datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
@@ -295,7 +369,7 @@ ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
 libstrongswan_plugins = @libstrongswan_plugins@
-linuxdir = @linuxdir@
+linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
@@ -303,6 +377,7 @@ mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
@@ -311,10 +386,12 @@ pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+random_device = @random_device@
 resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
-simreader = @simreader@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
@@ -322,13 +399,17 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 lib_LTLIBRARIES = libstrongswan.la
 libstrongswan_la_SOURCES = library.c library.h chunk.c chunk.h debug.c \
 	debug.h enum.c enum.h settings.h settings.c printf_hook.c \
 	printf_hook.h asn1/asn1.c asn1/asn1.h asn1/asn1_parser.c \
-	asn1/asn1_parser.h asn1/oid.c asn1/oid.h asn1/pem.c asn1/pem.h \
+	asn1/asn1_parser.h asn1/oid.c asn1/oid.h \
+	attributes/attributes.c attributes/attributes.h \
+	attributes/attribute_provider.h attributes/attribute_handler.h \
+	attributes/attribute_manager.c attributes/attribute_manager.h \
 	crypto/crypters/crypter.c crypto/crypters/crypter.h \
 	crypto/hashers/hasher.h crypto/hashers/hasher.c crypto/pkcs9.c \
 	crypto/pkcs9.h crypto/proposal/proposal_keywords.c \
@@ -341,7 +422,8 @@ libstrongswan_la_SOURCES = library.c library.h chunk.c chunk.h debug.c \
 	crypto/diffie_hellman.h crypto/transform.c crypto/transform.h \
 	credentials/credential_factory.c \
 	credentials/credential_factory.h credentials/builder.c \
-	credentials/builder.h credentials/keys/private_key.c \
+	credentials/builder.h credentials/keys/key_encoding.c \
+	credentials/keys/key_encoding.h credentials/keys/private_key.c \
 	credentials/keys/private_key.h credentials/keys/public_key.c \
 	credentials/keys/public_key.h credentials/keys/shared_key.c \
 	credentials/keys/shared_key.h \
@@ -350,26 +432,34 @@ libstrongswan_la_SOURCES = library.c library.h chunk.c chunk.h debug.c \
 	credentials/certificates/x509.h \
 	credentials/certificates/x509.c credentials/certificates/ac.h \
 	credentials/certificates/crl.h credentials/certificates/crl.c \
+	credentials/certificates/pkcs10.h \
 	credentials/certificates/ocsp_request.h \
 	credentials/certificates/ocsp_response.h \
-	credentials/certificates/ocsp_response.c database/database.h \
-	database/database_factory.h database/database_factory.c \
-	fetcher/fetcher.h fetcher/fetcher_manager.h \
-	fetcher/fetcher_manager.c pgp/pgp.c pgp/pgp.h utils.h utils.c \
-	utils/host.c utils/host.h utils/identification.c \
-	utils/identification.h utils/iterator.h utils/lexparser.c \
-	utils/lexparser.h utils/linked_list.c utils/linked_list.h \
-	utils/hashtable.c utils/hashtable.h utils/enumerator.c \
-	utils/enumerator.h utils/optionsfrom.c utils/optionsfrom.h \
-	utils/mutex.c utils/mutex.h utils/backtrace.c \
+	credentials/certificates/ocsp_response.c \
+	credentials/certificates/pgp_certificate.h \
+	credentials/ietf_attributes/ietf_attributes.c \
+	credentials/ietf_attributes/ietf_attributes.h \
+	database/database.h database/database_factory.h \
+	database/database_factory.c fetcher/fetcher.h \
+	fetcher/fetcher_manager.h fetcher/fetcher_manager.c \
+	selectors/traffic_selector.c selectors/traffic_selector.h \
+	threading/thread.h threading/thread.c threading/thread_value.h \
+	threading/thread_value.c threading/mutex.h threading/mutex.c \
+	threading/condvar.h threading/rwlock.h threading/rwlock.c \
+	threading/lock_profiler.h utils.h utils.c utils/host.c \
+	utils/host.h utils/identification.c utils/identification.h \
+	utils/iterator.h utils/lexparser.c utils/lexparser.h \
+	utils/linked_list.c utils/linked_list.h utils/hashtable.c \
+	utils/hashtable.h utils/enumerator.c utils/enumerator.h \
+	utils/optionsfrom.c utils/optionsfrom.h utils/backtrace.c \
 	utils/backtrace.h plugins/plugin_loader.c \
 	plugins/plugin_loader.h plugins/plugin.h $(am__append_2) \
 	$(am__append_5)
-libstrongswan_la_LIBADD = -lpthread $(DLLIB) $(BTLIB) $(SOCKLIB) \
-	$(am__append_6)
+libstrongswan_la_LIBADD = $(PTHREADLIB) $(DLLIB) $(BTLIB) $(SOCKLIB) \
+	$(RTLIB) $(am__append_6)
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" \
-	-DIPSEC_PLUGINDIR=\"${plugindir}\" $(am__append_1) \
+AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" -DPLUGINDIR=\"${plugindir}\" \
+	-DSTRONGSWAN_CONF=\"${strongswan_conf}\" $(am__append_1) \
 	$(am__append_3) $(am__append_4)
 EXTRA_DIST = \
 asn1/oid.txt asn1/oid.pl \
@@ -393,7 +483,9 @@ SUBDIRS = . $(am__append_7) $(am__append_8) $(am__append_9) \
 	$(am__append_19) $(am__append_20) $(am__append_21) \
 	$(am__append_22) $(am__append_23) $(am__append_24) \
 	$(am__append_25) $(am__append_26) $(am__append_27) \
-	$(am__append_28) $(am__append_29)
+	$(am__append_28) $(am__append_29) $(am__append_30) \
+	$(am__append_31) $(am__append_32) $(am__append_33) \
+	$(am__append_34)
 all: $(BUILT_SOURCES)
 	$(MAKE) $(AM_MAKEFLAGS) all-recursive
 
@@ -408,9 +500,9 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/libstrongswan/Makefile'; \
-	cd $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu  src/libstrongswan/Makefile
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libstrongswan/Makefile
 .PRECIOUS: Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
@@ -428,23 +520,28 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
 install-libLTLIBRARIES: $(lib_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
 	test -z "$(libdir)" || $(MKDIR_P) "$(DESTDIR)$(libdir)"
-	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
+	@list='$(lib_LTLIBRARIES)'; test -n "$(libdir)" || list=; \
+	list2=; for p in $$list; do \
 	  if test -f $$p; then \
-	    f=$(am__strip_dir) \
-	    echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(libdir)/$$f'"; \
-	    $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(libdir)/$$f"; \
+	    list2="$$list2 $$p"; \
 	  else :; fi; \
-	done
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(libdir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(libdir)"; \
+	}
 
 uninstall-libLTLIBRARIES:
 	@$(NORMAL_UNINSTALL)
-	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
-	  p=$(am__strip_dir) \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(libdir)/$$p'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(libdir)/$$p"; \
+	@list='$(lib_LTLIBRARIES)'; test -n "$(libdir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(libdir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(libdir)/$$f"; \
 	done
 
 clean-libLTLIBRARIES:
@@ -466,6 +563,8 @@ distclean-compile:
 
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_parser.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/attribute_manager.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/attributes.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/backtrace.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/builder.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/certificate.Plo@am__quote@
@@ -485,7 +584,9 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hashtable.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/host.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/identification.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ietf_attributes.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/integrity_checker.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/key_encoding.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/leak_detective.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/lexparser.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/library.Plo@am__quote@
@@ -494,8 +595,6 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ocsp_response.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/oid.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/optionsfrom.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pem.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pgp.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs9.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/plugin_loader.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/prf.Plo@am__quote@
@@ -505,306 +604,352 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/proposal_keywords.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/public_key.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rng.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rwlock.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/settings.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/shared_key.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/signer.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/thread.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/thread_value.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/traffic_selector.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/transform.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/utils.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/x509.Plo@am__quote@
 
 .c.o:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c $<
 
 .c.obj:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
 @am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
 
 asn1.lo: asn1/asn1.c
-@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT asn1.lo -MD -MP -MF $(DEPDIR)/asn1.Tpo -c -o asn1.lo `test -f 'asn1/asn1.c' || echo '$(srcdir)/'`asn1/asn1.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/asn1.Tpo $(DEPDIR)/asn1.Plo
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT asn1.lo -MD -MP -MF $(DEPDIR)/asn1.Tpo -c -o asn1.lo `test -f 'asn1/asn1.c' || echo '$(srcdir)/'`asn1/asn1.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/asn1.Tpo $(DEPDIR)/asn1.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='asn1/asn1.c' object='asn1.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o asn1.lo `test -f 'asn1/asn1.c' || echo '$(srcdir)/'`asn1/asn1.c
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o asn1.lo `test -f 'asn1/asn1.c' || echo '$(srcdir)/'`asn1/asn1.c
 
 asn1_parser.lo: asn1/asn1_parser.c
-@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT asn1_parser.lo -MD -MP -MF $(DEPDIR)/asn1_parser.Tpo -c -o asn1_parser.lo `test -f 'asn1/asn1_parser.c' || echo '$(srcdir)/'`asn1/asn1_parser.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/asn1_parser.Tpo $(DEPDIR)/asn1_parser.Plo
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT asn1_parser.lo -MD -MP -MF $(DEPDIR)/asn1_parser.Tpo -c -o asn1_parser.lo `test -f 'asn1/asn1_parser.c' || echo '$(srcdir)/'`asn1/asn1_parser.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/asn1_parser.Tpo $(DEPDIR)/asn1_parser.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='asn1/asn1_parser.c' object='asn1_parser.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o asn1_parser.lo `test -f 'asn1/asn1_parser.c' || echo '$(srcdir)/'`asn1/asn1_parser.c
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o asn1_parser.lo `test -f 'asn1/asn1_parser.c' || echo '$(srcdir)/'`asn1/asn1_parser.c
 
 oid.lo: asn1/oid.c
-@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT oid.lo -MD -MP -MF $(DEPDIR)/oid.Tpo -c -o oid.lo `test -f 'asn1/oid.c' || echo '$(srcdir)/'`asn1/oid.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/oid.Tpo $(DEPDIR)/oid.Plo
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT oid.lo -MD -MP -MF $(DEPDIR)/oid.Tpo -c -o oid.lo `test -f 'asn1/oid.c' || echo '$(srcdir)/'`asn1/oid.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/oid.Tpo $(DEPDIR)/oid.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='asn1/oid.c' object='oid.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o oid.lo `test -f 'asn1/oid.c' || echo '$(srcdir)/'`asn1/oid.c
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o oid.lo `test -f 'asn1/oid.c' || echo '$(srcdir)/'`asn1/oid.c
 
-pem.lo: asn1/pem.c
-@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pem.lo -MD -MP -MF $(DEPDIR)/pem.Tpo -c -o pem.lo `test -f 'asn1/pem.c' || echo '$(srcdir)/'`asn1/pem.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/pem.Tpo $(DEPDIR)/pem.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='asn1/pem.c' object='pem.lo' libtool=yes @AMDEPBACKSLASH@
+attributes.lo: attributes/attributes.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT attributes.lo -MD -MP -MF $(DEPDIR)/attributes.Tpo -c -o attributes.lo `test -f 'attributes/attributes.c' || echo '$(srcdir)/'`attributes/attributes.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/attributes.Tpo $(DEPDIR)/attributes.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='attributes/attributes.c' object='attributes.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pem.lo `test -f 'asn1/pem.c' || echo '$(srcdir)/'`asn1/pem.c
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o attributes.lo `test -f 'attributes/attributes.c' || echo '$(srcdir)/'`attributes/attributes.c
+
+attribute_manager.lo: attributes/attribute_manager.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT attribute_manager.lo -MD -MP -MF $(DEPDIR)/attribute_manager.Tpo -c -o attribute_manager.lo `test -f 'attributes/attribute_manager.c' || echo '$(srcdir)/'`attributes/attribute_manager.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/attribute_manager.Tpo $(DEPDIR)/attribute_manager.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='attributes/attribute_manager.c' object='attribute_manager.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o attribute_manager.lo `test -f 'attributes/attribute_manager.c' || echo '$(srcdir)/'`attributes/attribute_manager.c
 
 crypter.lo: crypto/crypters/crypter.c
-@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT crypter.lo -MD -MP -MF $(DEPDIR)/crypter.Tpo -c -o crypter.lo `test -f 'crypto/crypters/crypter.c' || echo '$(srcdir)/'`crypto/crypters/crypter.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/crypter.Tpo $(DEPDIR)/crypter.Plo
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT crypter.lo -MD -MP -MF $(DEPDIR)/crypter.Tpo -c -o crypter.lo `test -f 'crypto/crypters/crypter.c' || echo '$(srcdir)/'`crypto/crypters/crypter.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/crypter.Tpo $(DEPDIR)/crypter.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='crypto/crypters/crypter.c' object='crypter.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o crypter.lo `test -f 'crypto/crypters/crypter.c' || echo '$(srcdir)/'`crypto/crypters/crypter.c
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o crypter.lo `test -f 'crypto/crypters/crypter.c' || echo '$(srcdir)/'`crypto/crypters/crypter.c
 
 hasher.lo: crypto/hashers/hasher.c
-@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT hasher.lo -MD -MP -MF $(DEPDIR)/hasher.Tpo -c -o hasher.lo `test -f 'crypto/hashers/hasher.c' || echo '$(srcdir)/'`crypto/hashers/hasher.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/hasher.Tpo $(DEPDIR)/hasher.Plo
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT hasher.lo -MD -MP -MF $(DEPDIR)/hasher.Tpo -c -o hasher.lo `test -f 'crypto/hashers/hasher.c' || echo '$(srcdir)/'`crypto/hashers/hasher.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/hasher.Tpo $(DEPDIR)/hasher.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='crypto/hashers/hasher.c' object='hasher.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o hasher.lo `test -f 'crypto/hashers/hasher.c' || echo '$(srcdir)/'`crypto/hashers/hasher.c
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o hasher.lo `test -f 'crypto/hashers/hasher.c' || echo '$(srcdir)/'`crypto/hashers/hasher.c
 
 pkcs9.lo: crypto/pkcs9.c
-@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pkcs9.lo -MD -MP -MF $(DEPDIR)/pkcs9.Tpo -c -o pkcs9.lo `test -f 'crypto/pkcs9.c' || echo '$(srcdir)/'`crypto/pkcs9.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/pkcs9.Tpo $(DEPDIR)/pkcs9.Plo
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pkcs9.lo -MD -MP -MF $(DEPDIR)/pkcs9.Tpo -c -o pkcs9.lo `test -f 'crypto/pkcs9.c' || echo '$(srcdir)/'`crypto/pkcs9.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/pkcs9.Tpo $(DEPDIR)/pkcs9.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='crypto/pkcs9.c' object='pkcs9.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pkcs9.lo `test -f 'crypto/pkcs9.c' || echo '$(srcdir)/'`crypto/pkcs9.c
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pkcs9.lo `test -f 'crypto/pkcs9.c' || echo '$(srcdir)/'`crypto/pkcs9.c
 
 proposal_keywords.lo: crypto/proposal/proposal_keywords.c
-@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT proposal_keywords.lo -MD -MP -MF $(DEPDIR)/proposal_keywords.Tpo -c -o proposal_keywords.lo `test -f 'crypto/proposal/proposal_keywords.c' || echo '$(srcdir)/'`crypto/proposal/proposal_keywords.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/proposal_keywords.Tpo $(DEPDIR)/proposal_keywords.Plo
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT proposal_keywords.lo -MD -MP -MF $(DEPDIR)/proposal_keywords.Tpo -c -o proposal_keywords.lo `test -f 'crypto/proposal/proposal_keywords.c' || echo '$(srcdir)/'`crypto/proposal/proposal_keywords.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/proposal_keywords.Tpo $(DEPDIR)/proposal_keywords.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='crypto/proposal/proposal_keywords.c' object='proposal_keywords.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o proposal_keywords.lo `test -f 'crypto/proposal/proposal_keywords.c' || echo '$(srcdir)/'`crypto/proposal/proposal_keywords.c
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o proposal_keywords.lo `test -f 'crypto/proposal/proposal_keywords.c' || echo '$(srcdir)/'`crypto/proposal/proposal_keywords.c
 
 prf.lo: crypto/prfs/prf.c
-@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT prf.lo -MD -MP -MF $(DEPDIR)/prf.Tpo -c -o prf.lo `test -f 'crypto/prfs/prf.c' || echo '$(srcdir)/'`crypto/prfs/prf.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/prf.Tpo $(DEPDIR)/prf.Plo
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT prf.lo -MD -MP -MF $(DEPDIR)/prf.Tpo -c -o prf.lo `test -f 'crypto/prfs/prf.c' || echo '$(srcdir)/'`crypto/prfs/prf.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/prf.Tpo $(DEPDIR)/prf.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='crypto/prfs/prf.c' object='prf.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o prf.lo `test -f 'crypto/prfs/prf.c' || echo '$(srcdir)/'`crypto/prfs/prf.c
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o prf.lo `test -f 'crypto/prfs/prf.c' || echo '$(srcdir)/'`crypto/prfs/prf.c
 
 rng.lo: crypto/rngs/rng.c
-@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rng.lo -MD -MP -MF $(DEPDIR)/rng.Tpo -c -o rng.lo `test -f 'crypto/rngs/rng.c' || echo '$(srcdir)/'`crypto/rngs/rng.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/rng.Tpo $(DEPDIR)/rng.Plo
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rng.lo -MD -MP -MF $(DEPDIR)/rng.Tpo -c -o rng.lo `test -f 'crypto/rngs/rng.c' || echo '$(srcdir)/'`crypto/rngs/rng.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/rng.Tpo $(DEPDIR)/rng.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='crypto/rngs/rng.c' object='rng.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rng.lo `test -f 'crypto/rngs/rng.c' || echo '$(srcdir)/'`crypto/rngs/rng.c
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rng.lo `test -f 'crypto/rngs/rng.c' || echo '$(srcdir)/'`crypto/rngs/rng.c
 
 prf_plus.lo: crypto/prf_plus.c
-@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT prf_plus.lo -MD -MP -MF $(DEPDIR)/prf_plus.Tpo -c -o prf_plus.lo `test -f 'crypto/prf_plus.c' || echo '$(srcdir)/'`crypto/prf_plus.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/prf_plus.Tpo $(DEPDIR)/prf_plus.Plo
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT prf_plus.lo -MD -MP -MF $(DEPDIR)/prf_plus.Tpo -c -o prf_plus.lo `test -f 'crypto/prf_plus.c' || echo '$(srcdir)/'`crypto/prf_plus.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/prf_plus.Tpo $(DEPDIR)/prf_plus.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='crypto/prf_plus.c' object='prf_plus.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o prf_plus.lo `test -f 'crypto/prf_plus.c' || echo '$(srcdir)/'`crypto/prf_plus.c
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o prf_plus.lo `test -f 'crypto/prf_plus.c' || echo '$(srcdir)/'`crypto/prf_plus.c
 
 signer.lo: crypto/signers/signer.c
-@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT signer.lo -MD -MP -MF $(DEPDIR)/signer.Tpo -c -o signer.lo `test -f 'crypto/signers/signer.c' || echo '$(srcdir)/'`crypto/signers/signer.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/signer.Tpo $(DEPDIR)/signer.Plo
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT signer.lo -MD -MP -MF $(DEPDIR)/signer.Tpo -c -o signer.lo `test -f 'crypto/signers/signer.c' || echo '$(srcdir)/'`crypto/signers/signer.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/signer.Tpo $(DEPDIR)/signer.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='crypto/signers/signer.c' object='signer.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o signer.lo `test -f 'crypto/signers/signer.c' || echo '$(srcdir)/'`crypto/signers/signer.c
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o signer.lo `test -f 'crypto/signers/signer.c' || echo '$(srcdir)/'`crypto/signers/signer.c
 
 crypto_factory.lo: crypto/crypto_factory.c
-@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT crypto_factory.lo -MD -MP -MF $(DEPDIR)/crypto_factory.Tpo -c -o crypto_factory.lo `test -f 'crypto/crypto_factory.c' || echo '$(srcdir)/'`crypto/crypto_factory.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/crypto_factory.Tpo $(DEPDIR)/crypto_factory.Plo
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT crypto_factory.lo -MD -MP -MF $(DEPDIR)/crypto_factory.Tpo -c -o crypto_factory.lo `test -f 'crypto/crypto_factory.c' || echo '$(srcdir)/'`crypto/crypto_factory.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/crypto_factory.Tpo $(DEPDIR)/crypto_factory.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='crypto/crypto_factory.c' object='crypto_factory.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o crypto_factory.lo `test -f 'crypto/crypto_factory.c' || echo '$(srcdir)/'`crypto/crypto_factory.c
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o crypto_factory.lo `test -f 'crypto/crypto_factory.c' || echo '$(srcdir)/'`crypto/crypto_factory.c
 
 crypto_tester.lo: crypto/crypto_tester.c
-@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT crypto_tester.lo -MD -MP -MF $(DEPDIR)/crypto_tester.Tpo -c -o crypto_tester.lo `test -f 'crypto/crypto_tester.c' || echo '$(srcdir)/'`crypto/crypto_tester.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/crypto_tester.Tpo $(DEPDIR)/crypto_tester.Plo
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT crypto_tester.lo -MD -MP -MF $(DEPDIR)/crypto_tester.Tpo -c -o crypto_tester.lo `test -f 'crypto/crypto_tester.c' || echo '$(srcdir)/'`crypto/crypto_tester.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/crypto_tester.Tpo $(DEPDIR)/crypto_tester.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='crypto/crypto_tester.c' object='crypto_tester.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o crypto_tester.lo `test -f 'crypto/crypto_tester.c' || echo '$(srcdir)/'`crypto/crypto_tester.c
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o crypto_tester.lo `test -f 'crypto/crypto_tester.c' || echo '$(srcdir)/'`crypto/crypto_tester.c
 
 diffie_hellman.lo: crypto/diffie_hellman.c
-@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT diffie_hellman.lo -MD -MP -MF $(DEPDIR)/diffie_hellman.Tpo -c -o diffie_hellman.lo `test -f 'crypto/diffie_hellman.c' || echo '$(srcdir)/'`crypto/diffie_hellman.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/diffie_hellman.Tpo $(DEPDIR)/diffie_hellman.Plo
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT diffie_hellman.lo -MD -MP -MF $(DEPDIR)/diffie_hellman.Tpo -c -o diffie_hellman.lo `test -f 'crypto/diffie_hellman.c' || echo '$(srcdir)/'`crypto/diffie_hellman.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/diffie_hellman.Tpo $(DEPDIR)/diffie_hellman.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='crypto/diffie_hellman.c' object='diffie_hellman.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o diffie_hellman.lo `test -f 'crypto/diffie_hellman.c' || echo '$(srcdir)/'`crypto/diffie_hellman.c
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o diffie_hellman.lo `test -f 'crypto/diffie_hellman.c' || echo '$(srcdir)/'`crypto/diffie_hellman.c
 
 transform.lo: crypto/transform.c
-@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT transform.lo -MD -MP -MF $(DEPDIR)/transform.Tpo -c -o transform.lo `test -f 'crypto/transform.c' || echo '$(srcdir)/'`crypto/transform.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/transform.Tpo $(DEPDIR)/transform.Plo
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT transform.lo -MD -MP -MF $(DEPDIR)/transform.Tpo -c -o transform.lo `test -f 'crypto/transform.c' || echo '$(srcdir)/'`crypto/transform.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/transform.Tpo $(DEPDIR)/transform.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='crypto/transform.c' object='transform.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o transform.lo `test -f 'crypto/transform.c' || echo '$(srcdir)/'`crypto/transform.c
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o transform.lo `test -f 'crypto/transform.c' || echo '$(srcdir)/'`crypto/transform.c
 
 credential_factory.lo: credentials/credential_factory.c
-@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT credential_factory.lo -MD -MP -MF $(DEPDIR)/credential_factory.Tpo -c -o credential_factory.lo `test -f 'credentials/credential_factory.c' || echo '$(srcdir)/'`credentials/credential_factory.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/credential_factory.Tpo $(DEPDIR)/credential_factory.Plo
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT credential_factory.lo -MD -MP -MF $(DEPDIR)/credential_factory.Tpo -c -o credential_factory.lo `test -f 'credentials/credential_factory.c' || echo '$(srcdir)/'`credentials/credential_factory.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/credential_factory.Tpo $(DEPDIR)/credential_factory.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='credentials/credential_factory.c' object='credential_factory.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o credential_factory.lo `test -f 'credentials/credential_factory.c' || echo '$(srcdir)/'`credentials/credential_factory.c
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o credential_factory.lo `test -f 'credentials/credential_factory.c' || echo '$(srcdir)/'`credentials/credential_factory.c
 
 builder.lo: credentials/builder.c
-@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT builder.lo -MD -MP -MF $(DEPDIR)/builder.Tpo -c -o builder.lo `test -f 'credentials/builder.c' || echo '$(srcdir)/'`credentials/builder.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/builder.Tpo $(DEPDIR)/builder.Plo
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT builder.lo -MD -MP -MF $(DEPDIR)/builder.Tpo -c -o builder.lo `test -f 'credentials/builder.c' || echo '$(srcdir)/'`credentials/builder.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/builder.Tpo $(DEPDIR)/builder.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='credentials/builder.c' object='builder.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o builder.lo `test -f 'credentials/builder.c' || echo '$(srcdir)/'`credentials/builder.c
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o builder.lo `test -f 'credentials/builder.c' || echo '$(srcdir)/'`credentials/builder.c
+
+key_encoding.lo: credentials/keys/key_encoding.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT key_encoding.lo -MD -MP -MF $(DEPDIR)/key_encoding.Tpo -c -o key_encoding.lo `test -f 'credentials/keys/key_encoding.c' || echo '$(srcdir)/'`credentials/keys/key_encoding.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/key_encoding.Tpo $(DEPDIR)/key_encoding.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='credentials/keys/key_encoding.c' object='key_encoding.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o key_encoding.lo `test -f 'credentials/keys/key_encoding.c' || echo '$(srcdir)/'`credentials/keys/key_encoding.c
 
 private_key.lo: credentials/keys/private_key.c
-@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT private_key.lo -MD -MP -MF $(DEPDIR)/private_key.Tpo -c -o private_key.lo `test -f 'credentials/keys/private_key.c' || echo '$(srcdir)/'`credentials/keys/private_key.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/private_key.Tpo $(DEPDIR)/private_key.Plo
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT private_key.lo -MD -MP -MF $(DEPDIR)/private_key.Tpo -c -o private_key.lo `test -f 'credentials/keys/private_key.c' || echo '$(srcdir)/'`credentials/keys/private_key.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/private_key.Tpo $(DEPDIR)/private_key.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='credentials/keys/private_key.c' object='private_key.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o private_key.lo `test -f 'credentials/keys/private_key.c' || echo '$(srcdir)/'`credentials/keys/private_key.c
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o private_key.lo `test -f 'credentials/keys/private_key.c' || echo '$(srcdir)/'`credentials/keys/private_key.c
 
 public_key.lo: credentials/keys/public_key.c
-@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT public_key.lo -MD -MP -MF $(DEPDIR)/public_key.Tpo -c -o public_key.lo `test -f 'credentials/keys/public_key.c' || echo '$(srcdir)/'`credentials/keys/public_key.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/public_key.Tpo $(DEPDIR)/public_key.Plo
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT public_key.lo -MD -MP -MF $(DEPDIR)/public_key.Tpo -c -o public_key.lo `test -f 'credentials/keys/public_key.c' || echo '$(srcdir)/'`credentials/keys/public_key.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/public_key.Tpo $(DEPDIR)/public_key.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='credentials/keys/public_key.c' object='public_key.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o public_key.lo `test -f 'credentials/keys/public_key.c' || echo '$(srcdir)/'`credentials/keys/public_key.c
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o public_key.lo `test -f 'credentials/keys/public_key.c' || echo '$(srcdir)/'`credentials/keys/public_key.c
 
 shared_key.lo: credentials/keys/shared_key.c
-@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT shared_key.lo -MD -MP -MF $(DEPDIR)/shared_key.Tpo -c -o shared_key.lo `test -f 'credentials/keys/shared_key.c' || echo '$(srcdir)/'`credentials/keys/shared_key.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/shared_key.Tpo $(DEPDIR)/shared_key.Plo
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT shared_key.lo -MD -MP -MF $(DEPDIR)/shared_key.Tpo -c -o shared_key.lo `test -f 'credentials/keys/shared_key.c' || echo '$(srcdir)/'`credentials/keys/shared_key.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/shared_key.Tpo $(DEPDIR)/shared_key.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='credentials/keys/shared_key.c' object='shared_key.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o shared_key.lo `test -f 'credentials/keys/shared_key.c' || echo '$(srcdir)/'`credentials/keys/shared_key.c
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o shared_key.lo `test -f 'credentials/keys/shared_key.c' || echo '$(srcdir)/'`credentials/keys/shared_key.c
 
 certificate.lo: credentials/certificates/certificate.c
-@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT certificate.lo -MD -MP -MF $(DEPDIR)/certificate.Tpo -c -o certificate.lo `test -f 'credentials/certificates/certificate.c' || echo '$(srcdir)/'`credentials/certificates/certificate.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/certificate.Tpo $(DEPDIR)/certificate.Plo
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT certificate.lo -MD -MP -MF $(DEPDIR)/certificate.Tpo -c -o certificate.lo `test -f 'credentials/certificates/certificate.c' || echo '$(srcdir)/'`credentials/certificates/certificate.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/certificate.Tpo $(DEPDIR)/certificate.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='credentials/certificates/certificate.c' object='certificate.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o certificate.lo `test -f 'credentials/certificates/certificate.c' || echo '$(srcdir)/'`credentials/certificates/certificate.c
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o certificate.lo `test -f 'credentials/certificates/certificate.c' || echo '$(srcdir)/'`credentials/certificates/certificate.c
 
 x509.lo: credentials/certificates/x509.c
-@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT x509.lo -MD -MP -MF $(DEPDIR)/x509.Tpo -c -o x509.lo `test -f 'credentials/certificates/x509.c' || echo '$(srcdir)/'`credentials/certificates/x509.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/x509.Tpo $(DEPDIR)/x509.Plo
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT x509.lo -MD -MP -MF $(DEPDIR)/x509.Tpo -c -o x509.lo `test -f 'credentials/certificates/x509.c' || echo '$(srcdir)/'`credentials/certificates/x509.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/x509.Tpo $(DEPDIR)/x509.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='credentials/certificates/x509.c' object='x509.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o x509.lo `test -f 'credentials/certificates/x509.c' || echo '$(srcdir)/'`credentials/certificates/x509.c
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o x509.lo `test -f 'credentials/certificates/x509.c' || echo '$(srcdir)/'`credentials/certificates/x509.c
 
 crl.lo: credentials/certificates/crl.c
-@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT crl.lo -MD -MP -MF $(DEPDIR)/crl.Tpo -c -o crl.lo `test -f 'credentials/certificates/crl.c' || echo '$(srcdir)/'`credentials/certificates/crl.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/crl.Tpo $(DEPDIR)/crl.Plo
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT crl.lo -MD -MP -MF $(DEPDIR)/crl.Tpo -c -o crl.lo `test -f 'credentials/certificates/crl.c' || echo '$(srcdir)/'`credentials/certificates/crl.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/crl.Tpo $(DEPDIR)/crl.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='credentials/certificates/crl.c' object='crl.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o crl.lo `test -f 'credentials/certificates/crl.c' || echo '$(srcdir)/'`credentials/certificates/crl.c
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o crl.lo `test -f 'credentials/certificates/crl.c' || echo '$(srcdir)/'`credentials/certificates/crl.c
 
 ocsp_response.lo: credentials/certificates/ocsp_response.c
-@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ocsp_response.lo -MD -MP -MF $(DEPDIR)/ocsp_response.Tpo -c -o ocsp_response.lo `test -f 'credentials/certificates/ocsp_response.c' || echo '$(srcdir)/'`credentials/certificates/ocsp_response.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/ocsp_response.Tpo $(DEPDIR)/ocsp_response.Plo
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ocsp_response.lo -MD -MP -MF $(DEPDIR)/ocsp_response.Tpo -c -o ocsp_response.lo `test -f 'credentials/certificates/ocsp_response.c' || echo '$(srcdir)/'`credentials/certificates/ocsp_response.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ocsp_response.Tpo $(DEPDIR)/ocsp_response.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='credentials/certificates/ocsp_response.c' object='ocsp_response.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ocsp_response.lo `test -f 'credentials/certificates/ocsp_response.c' || echo '$(srcdir)/'`credentials/certificates/ocsp_response.c
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ocsp_response.lo `test -f 'credentials/certificates/ocsp_response.c' || echo '$(srcdir)/'`credentials/certificates/ocsp_response.c
+
+ietf_attributes.lo: credentials/ietf_attributes/ietf_attributes.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ietf_attributes.lo -MD -MP -MF $(DEPDIR)/ietf_attributes.Tpo -c -o ietf_attributes.lo `test -f 'credentials/ietf_attributes/ietf_attributes.c' || echo '$(srcdir)/'`credentials/ietf_attributes/ietf_attributes.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ietf_attributes.Tpo $(DEPDIR)/ietf_attributes.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='credentials/ietf_attributes/ietf_attributes.c' object='ietf_attributes.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ietf_attributes.lo `test -f 'credentials/ietf_attributes/ietf_attributes.c' || echo '$(srcdir)/'`credentials/ietf_attributes/ietf_attributes.c
 
 database_factory.lo: database/database_factory.c
-@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT database_factory.lo -MD -MP -MF $(DEPDIR)/database_factory.Tpo -c -o database_factory.lo `test -f 'database/database_factory.c' || echo '$(srcdir)/'`database/database_factory.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/database_factory.Tpo $(DEPDIR)/database_factory.Plo
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT database_factory.lo -MD -MP -MF $(DEPDIR)/database_factory.Tpo -c -o database_factory.lo `test -f 'database/database_factory.c' || echo '$(srcdir)/'`database/database_factory.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/database_factory.Tpo $(DEPDIR)/database_factory.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='database/database_factory.c' object='database_factory.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o database_factory.lo `test -f 'database/database_factory.c' || echo '$(srcdir)/'`database/database_factory.c
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o database_factory.lo `test -f 'database/database_factory.c' || echo '$(srcdir)/'`database/database_factory.c
 
 fetcher_manager.lo: fetcher/fetcher_manager.c
-@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT fetcher_manager.lo -MD -MP -MF $(DEPDIR)/fetcher_manager.Tpo -c -o fetcher_manager.lo `test -f 'fetcher/fetcher_manager.c' || echo '$(srcdir)/'`fetcher/fetcher_manager.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/fetcher_manager.Tpo $(DEPDIR)/fetcher_manager.Plo
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT fetcher_manager.lo -MD -MP -MF $(DEPDIR)/fetcher_manager.Tpo -c -o fetcher_manager.lo `test -f 'fetcher/fetcher_manager.c' || echo '$(srcdir)/'`fetcher/fetcher_manager.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/fetcher_manager.Tpo $(DEPDIR)/fetcher_manager.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='fetcher/fetcher_manager.c' object='fetcher_manager.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o fetcher_manager.lo `test -f 'fetcher/fetcher_manager.c' || echo '$(srcdir)/'`fetcher/fetcher_manager.c
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o fetcher_manager.lo `test -f 'fetcher/fetcher_manager.c' || echo '$(srcdir)/'`fetcher/fetcher_manager.c
+
+traffic_selector.lo: selectors/traffic_selector.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT traffic_selector.lo -MD -MP -MF $(DEPDIR)/traffic_selector.Tpo -c -o traffic_selector.lo `test -f 'selectors/traffic_selector.c' || echo '$(srcdir)/'`selectors/traffic_selector.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/traffic_selector.Tpo $(DEPDIR)/traffic_selector.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='selectors/traffic_selector.c' object='traffic_selector.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o traffic_selector.lo `test -f 'selectors/traffic_selector.c' || echo '$(srcdir)/'`selectors/traffic_selector.c
+
+thread.lo: threading/thread.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT thread.lo -MD -MP -MF $(DEPDIR)/thread.Tpo -c -o thread.lo `test -f 'threading/thread.c' || echo '$(srcdir)/'`threading/thread.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/thread.Tpo $(DEPDIR)/thread.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='threading/thread.c' object='thread.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o thread.lo `test -f 'threading/thread.c' || echo '$(srcdir)/'`threading/thread.c
 
-pgp.lo: pgp/pgp.c
-@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pgp.lo -MD -MP -MF $(DEPDIR)/pgp.Tpo -c -o pgp.lo `test -f 'pgp/pgp.c' || echo '$(srcdir)/'`pgp/pgp.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/pgp.Tpo $(DEPDIR)/pgp.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='pgp/pgp.c' object='pgp.lo' libtool=yes @AMDEPBACKSLASH@
+thread_value.lo: threading/thread_value.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT thread_value.lo -MD -MP -MF $(DEPDIR)/thread_value.Tpo -c -o thread_value.lo `test -f 'threading/thread_value.c' || echo '$(srcdir)/'`threading/thread_value.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/thread_value.Tpo $(DEPDIR)/thread_value.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='threading/thread_value.c' object='thread_value.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pgp.lo `test -f 'pgp/pgp.c' || echo '$(srcdir)/'`pgp/pgp.c
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o thread_value.lo `test -f 'threading/thread_value.c' || echo '$(srcdir)/'`threading/thread_value.c
+
+mutex.lo: threading/mutex.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT mutex.lo -MD -MP -MF $(DEPDIR)/mutex.Tpo -c -o mutex.lo `test -f 'threading/mutex.c' || echo '$(srcdir)/'`threading/mutex.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/mutex.Tpo $(DEPDIR)/mutex.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='threading/mutex.c' object='mutex.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o mutex.lo `test -f 'threading/mutex.c' || echo '$(srcdir)/'`threading/mutex.c
+
+rwlock.lo: threading/rwlock.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rwlock.lo -MD -MP -MF $(DEPDIR)/rwlock.Tpo -c -o rwlock.lo `test -f 'threading/rwlock.c' || echo '$(srcdir)/'`threading/rwlock.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/rwlock.Tpo $(DEPDIR)/rwlock.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='threading/rwlock.c' object='rwlock.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rwlock.lo `test -f 'threading/rwlock.c' || echo '$(srcdir)/'`threading/rwlock.c
 
 host.lo: utils/host.c
-@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT host.lo -MD -MP -MF $(DEPDIR)/host.Tpo -c -o host.lo `test -f 'utils/host.c' || echo '$(srcdir)/'`utils/host.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/host.Tpo $(DEPDIR)/host.Plo
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT host.lo -MD -MP -MF $(DEPDIR)/host.Tpo -c -o host.lo `test -f 'utils/host.c' || echo '$(srcdir)/'`utils/host.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/host.Tpo $(DEPDIR)/host.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='utils/host.c' object='host.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o host.lo `test -f 'utils/host.c' || echo '$(srcdir)/'`utils/host.c
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o host.lo `test -f 'utils/host.c' || echo '$(srcdir)/'`utils/host.c
 
 identification.lo: utils/identification.c
-@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT identification.lo -MD -MP -MF $(DEPDIR)/identification.Tpo -c -o identification.lo `test -f 'utils/identification.c' || echo '$(srcdir)/'`utils/identification.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/identification.Tpo $(DEPDIR)/identification.Plo
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT identification.lo -MD -MP -MF $(DEPDIR)/identification.Tpo -c -o identification.lo `test -f 'utils/identification.c' || echo '$(srcdir)/'`utils/identification.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/identification.Tpo $(DEPDIR)/identification.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='utils/identification.c' object='identification.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o identification.lo `test -f 'utils/identification.c' || echo '$(srcdir)/'`utils/identification.c
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o identification.lo `test -f 'utils/identification.c' || echo '$(srcdir)/'`utils/identification.c
 
 lexparser.lo: utils/lexparser.c
-@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT lexparser.lo -MD -MP -MF $(DEPDIR)/lexparser.Tpo -c -o lexparser.lo `test -f 'utils/lexparser.c' || echo '$(srcdir)/'`utils/lexparser.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/lexparser.Tpo $(DEPDIR)/lexparser.Plo
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT lexparser.lo -MD -MP -MF $(DEPDIR)/lexparser.Tpo -c -o lexparser.lo `test -f 'utils/lexparser.c' || echo '$(srcdir)/'`utils/lexparser.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/lexparser.Tpo $(DEPDIR)/lexparser.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='utils/lexparser.c' object='lexparser.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o lexparser.lo `test -f 'utils/lexparser.c' || echo '$(srcdir)/'`utils/lexparser.c
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o lexparser.lo `test -f 'utils/lexparser.c' || echo '$(srcdir)/'`utils/lexparser.c
 
 linked_list.lo: utils/linked_list.c
-@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT linked_list.lo -MD -MP -MF $(DEPDIR)/linked_list.Tpo -c -o linked_list.lo `test -f 'utils/linked_list.c' || echo '$(srcdir)/'`utils/linked_list.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/linked_list.Tpo $(DEPDIR)/linked_list.Plo
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT linked_list.lo -MD -MP -MF $(DEPDIR)/linked_list.Tpo -c -o linked_list.lo `test -f 'utils/linked_list.c' || echo '$(srcdir)/'`utils/linked_list.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/linked_list.Tpo $(DEPDIR)/linked_list.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='utils/linked_list.c' object='linked_list.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o linked_list.lo `test -f 'utils/linked_list.c' || echo '$(srcdir)/'`utils/linked_list.c
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o linked_list.lo `test -f 'utils/linked_list.c' || echo '$(srcdir)/'`utils/linked_list.c
 
 hashtable.lo: utils/hashtable.c
-@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT hashtable.lo -MD -MP -MF $(DEPDIR)/hashtable.Tpo -c -o hashtable.lo `test -f 'utils/hashtable.c' || echo '$(srcdir)/'`utils/hashtable.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/hashtable.Tpo $(DEPDIR)/hashtable.Plo
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT hashtable.lo -MD -MP -MF $(DEPDIR)/hashtable.Tpo -c -o hashtable.lo `test -f 'utils/hashtable.c' || echo '$(srcdir)/'`utils/hashtable.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/hashtable.Tpo $(DEPDIR)/hashtable.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='utils/hashtable.c' object='hashtable.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o hashtable.lo `test -f 'utils/hashtable.c' || echo '$(srcdir)/'`utils/hashtable.c
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o hashtable.lo `test -f 'utils/hashtable.c' || echo '$(srcdir)/'`utils/hashtable.c
 
 enumerator.lo: utils/enumerator.c
-@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT enumerator.lo -MD -MP -MF $(DEPDIR)/enumerator.Tpo -c -o enumerator.lo `test -f 'utils/enumerator.c' || echo '$(srcdir)/'`utils/enumerator.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/enumerator.Tpo $(DEPDIR)/enumerator.Plo
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT enumerator.lo -MD -MP -MF $(DEPDIR)/enumerator.Tpo -c -o enumerator.lo `test -f 'utils/enumerator.c' || echo '$(srcdir)/'`utils/enumerator.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/enumerator.Tpo $(DEPDIR)/enumerator.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='utils/enumerator.c' object='enumerator.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o enumerator.lo `test -f 'utils/enumerator.c' || echo '$(srcdir)/'`utils/enumerator.c
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o enumerator.lo `test -f 'utils/enumerator.c' || echo '$(srcdir)/'`utils/enumerator.c
 
 optionsfrom.lo: utils/optionsfrom.c
-@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT optionsfrom.lo -MD -MP -MF $(DEPDIR)/optionsfrom.Tpo -c -o optionsfrom.lo `test -f 'utils/optionsfrom.c' || echo '$(srcdir)/'`utils/optionsfrom.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/optionsfrom.Tpo $(DEPDIR)/optionsfrom.Plo
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT optionsfrom.lo -MD -MP -MF $(DEPDIR)/optionsfrom.Tpo -c -o optionsfrom.lo `test -f 'utils/optionsfrom.c' || echo '$(srcdir)/'`utils/optionsfrom.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/optionsfrom.Tpo $(DEPDIR)/optionsfrom.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='utils/optionsfrom.c' object='optionsfrom.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o optionsfrom.lo `test -f 'utils/optionsfrom.c' || echo '$(srcdir)/'`utils/optionsfrom.c
-
-mutex.lo: utils/mutex.c
-@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT mutex.lo -MD -MP -MF $(DEPDIR)/mutex.Tpo -c -o mutex.lo `test -f 'utils/mutex.c' || echo '$(srcdir)/'`utils/mutex.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/mutex.Tpo $(DEPDIR)/mutex.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='utils/mutex.c' object='mutex.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o mutex.lo `test -f 'utils/mutex.c' || echo '$(srcdir)/'`utils/mutex.c
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o optionsfrom.lo `test -f 'utils/optionsfrom.c' || echo '$(srcdir)/'`utils/optionsfrom.c
 
 backtrace.lo: utils/backtrace.c
-@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT backtrace.lo -MD -MP -MF $(DEPDIR)/backtrace.Tpo -c -o backtrace.lo `test -f 'utils/backtrace.c' || echo '$(srcdir)/'`utils/backtrace.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/backtrace.Tpo $(DEPDIR)/backtrace.Plo
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT backtrace.lo -MD -MP -MF $(DEPDIR)/backtrace.Tpo -c -o backtrace.lo `test -f 'utils/backtrace.c' || echo '$(srcdir)/'`utils/backtrace.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/backtrace.Tpo $(DEPDIR)/backtrace.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='utils/backtrace.c' object='backtrace.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o backtrace.lo `test -f 'utils/backtrace.c' || echo '$(srcdir)/'`utils/backtrace.c
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o backtrace.lo `test -f 'utils/backtrace.c' || echo '$(srcdir)/'`utils/backtrace.c
 
 plugin_loader.lo: plugins/plugin_loader.c
-@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT plugin_loader.lo -MD -MP -MF $(DEPDIR)/plugin_loader.Tpo -c -o plugin_loader.lo `test -f 'plugins/plugin_loader.c' || echo '$(srcdir)/'`plugins/plugin_loader.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/plugin_loader.Tpo $(DEPDIR)/plugin_loader.Plo
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT plugin_loader.lo -MD -MP -MF $(DEPDIR)/plugin_loader.Tpo -c -o plugin_loader.lo `test -f 'plugins/plugin_loader.c' || echo '$(srcdir)/'`plugins/plugin_loader.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/plugin_loader.Tpo $(DEPDIR)/plugin_loader.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='plugins/plugin_loader.c' object='plugin_loader.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o plugin_loader.lo `test -f 'plugins/plugin_loader.c' || echo '$(srcdir)/'`plugins/plugin_loader.c
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o plugin_loader.lo `test -f 'plugins/plugin_loader.c' || echo '$(srcdir)/'`plugins/plugin_loader.c
 
 leak_detective.lo: utils/leak_detective.c
-@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT leak_detective.lo -MD -MP -MF $(DEPDIR)/leak_detective.Tpo -c -o leak_detective.lo `test -f 'utils/leak_detective.c' || echo '$(srcdir)/'`utils/leak_detective.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/leak_detective.Tpo $(DEPDIR)/leak_detective.Plo
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT leak_detective.lo -MD -MP -MF $(DEPDIR)/leak_detective.Tpo -c -o leak_detective.lo `test -f 'utils/leak_detective.c' || echo '$(srcdir)/'`utils/leak_detective.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/leak_detective.Tpo $(DEPDIR)/leak_detective.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='utils/leak_detective.c' object='leak_detective.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o leak_detective.lo `test -f 'utils/leak_detective.c' || echo '$(srcdir)/'`utils/leak_detective.c
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o leak_detective.lo `test -f 'utils/leak_detective.c' || echo '$(srcdir)/'`utils/leak_detective.c
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -836,7 +981,7 @@ $(RECURSIVE_TARGETS):
 	  else \
 	    local_target="$$target"; \
 	  fi; \
-	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
+	  ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
 	  || eval $$failcom; \
 	done; \
 	if test "$$dot_seen" = "no"; then \
@@ -870,16 +1015,16 @@ $(RECURSIVE_CLEAN_TARGETS):
 	  else \
 	    local_target="$$target"; \
 	  fi; \
-	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
+	  ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
 	  || eval $$failcom; \
 	done && test -z "$$fail"
 tags-recursive:
 	list='$(SUBDIRS)'; for subdir in $$list; do \
-	  test "$$subdir" = . || (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) tags); \
+	  test "$$subdir" = . || ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) tags); \
 	done
 ctags-recursive:
 	list='$(SUBDIRS)'; for subdir in $$list; do \
-	  test "$$subdir" = . || (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) ctags); \
+	  test "$$subdir" = . || ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) ctags); \
 	done
 
 ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
@@ -894,7 +1039,7 @@ tags: TAGS
 
 TAGS: tags-recursive $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
+	set x; \
 	here=`pwd`; \
 	if ($(ETAGS) --etags-include --version) >/dev/null 2>&1; then \
 	  include_option=--etags-include; \
@@ -906,7 +1051,7 @@ TAGS: tags-recursive $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	list='$(SUBDIRS)'; for subdir in $$list; do \
 	  if test "$$subdir" = .; then :; else \
 	    test ! -f $$subdir/TAGS || \
-	      tags="$$tags $$include_option=$$here/$$subdir/TAGS"; \
+	      set "$$@" "$$include_option=$$here/$$subdir/TAGS"; \
 	  fi; \
 	done; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
@@ -915,29 +1060,34 @@ TAGS: tags-recursive $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
 	  test -n "$$unique" || unique=$$empty_fix; \
-	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	    $$tags $$unique; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
 	fi
 ctags: CTAGS
 CTAGS: ctags-recursive $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	test -z "$(CTAGS_ARGS)$$unique" \
 	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$tags $$unique
+	     $$unique
 
 GTAGS:
 	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && cd $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) $$here
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
 
 distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
@@ -958,29 +1108,44 @@ distdir: $(DISTFILES)
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
 	  if test -d $$d/$$file; then \
 	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
 	    fi; \
-	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
 	  else \
-	    test -f $(distdir)/$$file \
-	    || cp -p $$d/$$file $(distdir)/$$file \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
 	    || exit 1; \
 	  fi; \
 	done
-	list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
+	@list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
 	  if test "$$subdir" = .; then :; else \
 	    test -d "$(distdir)/$$subdir" \
 	    || $(MKDIR_P) "$(distdir)/$$subdir" \
 	    || exit 1; \
-	    distdir=`$(am__cd) $(distdir) && pwd`; \
-	    top_distdir=`$(am__cd) $(top_distdir) && pwd`; \
-	    (cd $$subdir && \
+	  fi; \
+	done
+	@list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
+	  if test "$$subdir" = .; then :; else \
+	    dir1=$$subdir; dir2="$(distdir)/$$subdir"; \
+	    $(am__relativize); \
+	    new_distdir=$$reldir; \
+	    dir1=$$subdir; dir2="$(top_distdir)"; \
+	    $(am__relativize); \
+	    new_top_distdir=$$reldir; \
+	    echo " (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) top_distdir="$$new_top_distdir" distdir="$$new_distdir" \\"; \
+	    echo "     am__remove_distdir=: am__skip_length_check=: am__skip_mode_fix=: distdir)"; \
+	    ($(am__cd) $$subdir && \
 	      $(MAKE) $(AM_MAKEFLAGS) \
-	        top_distdir="$$top_distdir" \
-	        distdir="$$distdir/$$subdir" \
+	        top_distdir="$$new_top_distdir" \
+	        distdir="$$new_distdir" \
 		am__remove_distdir=: \
 		am__skip_length_check=: \
+		am__skip_mode_fix=: \
 	        distdir) \
 	      || exit 1; \
 	  fi; \
@@ -1015,6 +1180,7 @@ clean-generic:
 
 distclean-generic:
 	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -1038,6 +1204,8 @@ dvi-am:
 
 html: html-recursive
 
+html-am:
+
 info: info-recursive
 
 info-am:
@@ -1046,18 +1214,28 @@ install-data-am:
 
 install-dvi: install-dvi-recursive
 
+install-dvi-am:
+
 install-exec-am: install-libLTLIBRARIES
 
 install-html: install-html-recursive
 
+install-html-am:
+
 install-info: install-info-recursive
 
+install-info-am:
+
 install-man:
 
 install-pdf: install-pdf-recursive
 
+install-pdf-am:
+
 install-ps: install-ps-recursive
 
+install-ps-am:
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-recursive
@@ -1080,8 +1258,9 @@ ps-am:
 
 uninstall-am: uninstall-libLTLIBRARIES
 
-.MAKE: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) install-am \
-	install-strip
+.MAKE: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) all check \
+	ctags-recursive install install-am install-strip \
+	tags-recursive
 
 .PHONY: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) CTAGS GTAGS \
 	all all-am check check-am clean clean-generic \
@@ -1110,6 +1289,7 @@ $(srcdir)/crypto/proposal/proposal_keywords.c:	$(srcdir)/crypto/proposal/proposa
 												$(srcdir)/crypto/proposal/proposal_keywords.h
 		$(GPERF) -N proposal_get_token -m 10 -C -G -c -t -D < \
 												$(srcdir)/crypto/proposal/proposal_keywords.txt > $@
+
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/src/libstrongswan/asn1/asn1.c b/src/libstrongswan/asn1/asn1.c
index ec46b165b..763caafc4 100644
--- a/src/libstrongswan/asn1/asn1.c
+++ b/src/libstrongswan/asn1/asn1.c
@@ -18,7 +18,6 @@
 #include <stdio.h>
 #include <string.h>
 #include <time.h>
-#include <pthread.h>
 
 #include <utils.h>
 #include <debug.h>
@@ -28,161 +27,34 @@
 #include "asn1_parser.h"
 
 /**
- * some common prefabricated ASN.1 constants
+ * Commonly used ASN1 values.
  */
-static u_char ASN1_INTEGER_0_str[] = { 0x02, 0x00 };
-static u_char ASN1_INTEGER_1_str[] = { 0x02, 0x01, 0x01 };
-static u_char ASN1_INTEGER_2_str[] = { 0x02, 0x01, 0x02 };
-
-const chunk_t ASN1_INTEGER_0 = chunk_from_buf(ASN1_INTEGER_0_str);
-const chunk_t ASN1_INTEGER_1 = chunk_from_buf(ASN1_INTEGER_1_str);
-const chunk_t ASN1_INTEGER_2 = chunk_from_buf(ASN1_INTEGER_2_str);
-
-/**
- * some popular algorithmIdentifiers
- */
-
-static u_char ASN1_md2_id_str[] = {
-	0x30, 0x0c,
-		  0x06, 0x08,
-				0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x02,
-		  0x05,0x00,
-};
-
-static u_char ASN1_md5_id_str[] = {
-	0x30, 0x0C,
-		  0x06, 0x08,
-				0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x02, 0x05,
-		  0x05, 0x00
-};
-
-static u_char ASN1_sha1_id_str[] = {
-	0x30, 0x09,
-		  0x06, 0x05,
-				0x2B, 0x0E,0x03, 0x02, 0x1A,
-		  0x05, 0x00
-};
-
-static u_char ASN1_sha256_id_str[] = {
-	0x30, 0x0d,
-		  0x06, 0x09,
-				0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01,
-		  0x05, 0x00
-};
-
-static u_char ASN1_sha384_id_str[] = {
-	0x30, 0x0d,
-		  0x06, 0x09,
-				0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02,
-		  0x05, 0x00
-};
-
-static u_char ASN1_sha512_id_str[] = {
-	0x30, 0x0d,
-		  0x06, 0x09,
-				0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03,
-		  0x05,0x00
-};
-
-static u_char ASN1_md2WithRSA_id_str[] = {
-	0x30, 0x0D,
-		  0x06, 0x09,
-				0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x02,
-		  0x05, 0x00
-};
-
-static u_char ASN1_md5WithRSA_id_str[] = {
-	0x30, 0x0D,
-		  0x06, 0x09,
-				0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x04,
-		  0x05, 0x00
-};
-
-static u_char ASN1_sha1WithRSA_id_str[] = {
-	0x30, 0x0D,
-		  0x06, 0x09,
-				0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x05,
-		  0x05, 0x00
-};
-
-static u_char ASN1_sha256WithRSA_id_str[] = {
-	0x30, 0x0D,
-		  0x06, 0x09,
-				0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B,
-		  0x05, 0x00
-};
-
-static u_char ASN1_sha384WithRSA_id_str[] = {
-	0x30, 0x0D,
-		  0x06, 0x09,
-				0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0C,
-		  0x05, 0x00
-};
-
-static u_char ASN1_sha512WithRSA_id_str[] = {
-	0x30, 0x0D,
-		  0x06, 0x09,
-				0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0D,
-		  0x05, 0x00
-};
-
-static u_char ASN1_rsaEncryption_id_str[] = {
-	0x30, 0x0D,
-		  0x06, 0x09,
-				0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01,
-		  0x05, 0x00
-};
-
-static const chunk_t ASN1_md2_id    = chunk_from_buf(ASN1_md2_id_str);
-static const chunk_t ASN1_md5_id    = chunk_from_buf(ASN1_md5_id_str);
-static const chunk_t ASN1_sha1_id   = chunk_from_buf(ASN1_sha1_id_str);
-static const chunk_t ASN1_sha256_id = chunk_from_buf(ASN1_sha256_id_str);
-static const chunk_t ASN1_sha384_id = chunk_from_buf(ASN1_sha384_id_str);
-static const chunk_t ASN1_sha512_id = chunk_from_buf(ASN1_sha512_id_str);
-static const chunk_t ASN1_rsaEncryption_id = chunk_from_buf(ASN1_rsaEncryption_id_str);
-static const chunk_t ASN1_md2WithRSA_id = chunk_from_buf(ASN1_md2WithRSA_id_str);
-static const chunk_t ASN1_md5WithRSA_id = chunk_from_buf(ASN1_md5WithRSA_id_str);
-static const chunk_t ASN1_sha1WithRSA_id = chunk_from_buf(ASN1_sha1WithRSA_id_str);
-static const chunk_t ASN1_sha256WithRSA_id = chunk_from_buf(ASN1_sha256WithRSA_id_str);
-static const chunk_t ASN1_sha384WithRSA_id = chunk_from_buf(ASN1_sha384WithRSA_id_str);
-static const chunk_t ASN1_sha512WithRSA_id = chunk_from_buf(ASN1_sha512WithRSA_id_str);
+const chunk_t ASN1_INTEGER_0 = chunk_from_chars(0x02, 0x00);
+const chunk_t ASN1_INTEGER_1 = chunk_from_chars(0x02, 0x01, 0x01);
+const chunk_t ASN1_INTEGER_2 = chunk_from_chars(0x02, 0x01, 0x02);
 
 /*
  * Defined in header.
  */
 chunk_t asn1_algorithmIdentifier(int oid)
 {
+	chunk_t parameters;
+
+	/* some algorithmIdentifiers have a NULL parameters field and some do not */
 	switch (oid)
 	{
-		case OID_RSA_ENCRYPTION:
-			return ASN1_rsaEncryption_id;
-		case OID_MD2_WITH_RSA:
-			return ASN1_md2WithRSA_id;
-		case OID_MD5_WITH_RSA:
-			return ASN1_md5WithRSA_id;
-		case OID_SHA1_WITH_RSA:
-			return ASN1_sha1WithRSA_id;
-		case OID_SHA256_WITH_RSA:
-			return ASN1_sha256WithRSA_id;
-		case OID_SHA384_WITH_RSA:
-			return ASN1_sha384WithRSA_id;
-		case OID_SHA512_WITH_RSA:
-			return ASN1_sha512WithRSA_id;
-		case OID_MD2:
-			return ASN1_md2_id;
-		case OID_MD5:
-			return ASN1_md5_id;
-		case OID_SHA1:
-			return ASN1_sha1_id;
-		case OID_SHA256:
-			return ASN1_sha256_id;
-		case OID_SHA384:
-			return ASN1_sha384_id;
-		case OID_SHA512:
-			return ASN1_sha512_id;
+		case OID_ECDSA_WITH_SHA1:
+		case OID_ECDSA_WITH_SHA224:
+		case OID_ECDSA_WITH_SHA256:
+		case OID_ECDSA_WITH_SHA384:
+		case OID_ECDSA_WITH_SHA512:
+			parameters = chunk_empty;
+			break;
 		default:
-			return chunk_empty;
+			parameters = asn1_simple_object(ASN1_NULL, chunk_empty);
+			break;
 	}
+	return asn1_wrap(ASN1_SEQUENCE, "mm", asn1_build_known_oid(oid), parameters);
 }
 
 /*
@@ -191,14 +63,14 @@ chunk_t asn1_algorithmIdentifier(int oid)
 int asn1_known_oid(chunk_t object)
 {
 	int oid = 0;
-	
+
 	while (object.len)
 	{
 		if (oid_names[oid].octet == *object.ptr)
 		{
 			if (--object.len == 0 || oid_names[oid].down == 0)
 			{
-				return oid;          /* found terminal symbol */
+				return oid;		  /* found terminal symbol */
 			}
 			else
 			{
@@ -227,17 +99,17 @@ chunk_t asn1_build_known_oid(int n)
 {
 	chunk_t oid;
 	int i;
-	
+
 	if (n < 0 || n >= OID_MAX)
 	{
 		return chunk_empty;
 	}
-	
+
 	i = oid_names[n].level + 1;
 	oid = chunk_alloc(2 + i);
 	oid.ptr[0] = ASN1_OID;
 	oid.ptr[1] = i;
-	
+
 	do
 	{
 		if (oid_names[n].level >= i)
@@ -248,7 +120,7 @@ chunk_t asn1_build_known_oid(int n)
 		oid.ptr[--i + 2] = oid_names[n--].octet;
 	}
 	while (i > 0);
-	
+
 	return oid;
 }
 
@@ -259,18 +131,18 @@ size_t asn1_length(chunk_t *blob)
 {
 	u_char n;
 	size_t len;
-	
+
 	if (blob->len < 2)
 	{
 		DBG2("insufficient number of octets to parse ASN.1 length");
 		return ASN1_INVALID_LENGTH;
 	}
-	
+
 	/* read length field, skip tag and length */
 	n = blob->ptr[1];
 	*blob = chunk_skip(*blob, 2);
-	
-	if ((n & 0x80) == 0) 
+
+	if ((n & 0x80) == 0)
 	{	/* single length octet */
 		if (n > blob->len)
 		{
@@ -279,25 +151,25 @@ size_t asn1_length(chunk_t *blob)
 		}
 		return n;
 	}
-	
+
 	/* composite length, determine number of length octets */
 	n &= 0x7f;
-	
+
 	if (n == 0 || n > blob->len)
 	{
 		DBG2("number of length octets invalid");
 		return ASN1_INVALID_LENGTH;
 	}
-	
+
 	if (n > sizeof(len))
 	{
-		DBG2("number of length octets is larger than limit of %d octets", 
+		DBG2("number of length octets is larger than limit of %d octets",
 			 (int)sizeof(len));
 		return ASN1_INVALID_LENGTH;
 	}
-	
+
 	len = 0;
-	
+
 	while (n-- > 0)
 	{
 		len = 256*len + *blob->ptr++;
@@ -319,7 +191,7 @@ int asn1_unwrap(chunk_t *blob, chunk_t *inner)
 	chunk_t res;
 	u_char len;
 	int type;
-	
+
 	if (blob->len < 2)
 	{
 		return ASN1_INVALID;
@@ -327,7 +199,7 @@ int asn1_unwrap(chunk_t *blob, chunk_t *inner)
 	type = blob->ptr[0];
 	len = blob->ptr[1];
 	*blob = chunk_skip(*blob, 2);
-	
+
 	if ((len & 0x80) == 0)
 	{	/* single length octet */
 		res.len = len;
@@ -358,8 +230,6 @@ int asn1_unwrap(chunk_t *blob, chunk_t *inner)
 	return type;
 }
 
-#define TIME_MAX	0x7fffffff
-
 static const int days[] = { 0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334 };
 static const int tm_leap_1970 = 477;
 
@@ -373,7 +243,7 @@ time_t asn1_to_time(const chunk_t *utctime, asn1_t type)
 	int tz_hour, tz_min, tz_offset;
 	time_t tm_secs;
 	u_char *eot = NULL;
-	
+
 	if ((eot = memchr(utctime->ptr, 'Z', utctime->len)) != NULL)
 	{
 		tz_offset = 0; /* Zulu time with a zero time zone offset */
@@ -398,19 +268,19 @@ time_t asn1_to_time(const chunk_t *utctime, asn1_t type)
 	{
 		return 0; /* error in time format */
 	}
-	
+
 	/* parse ASN.1 time string */
 	{
 		const char* format = (type == ASN1_UTCTIME)? "%2d%2d%2d%2d%2d":
 													 "%4d%2d%2d%2d%2d";
-	
+
 		if (sscanf(utctime->ptr, format, &tm_year, &tm_mon, &tm_day,
 										 &tm_hour, &tm_min) != 5)
 		{
 			return 0; /* error in [yy]yymmddhhmm time format */
 		}
 	}
-	
+
 	/* is there a seconds field? */
 	if ((eot - utctime->ptr) == ((type == ASN1_UTCTIME)?12:14))
 	{
@@ -423,17 +293,17 @@ time_t asn1_to_time(const chunk_t *utctime, asn1_t type)
 	{
 		tm_sec = 0;
 	}
-	
+
 	/* representation of two-digit years */
 	if (type == ASN1_UTCTIME)
 	{
 		tm_year += (tm_year < 50) ? 2000 : 1900;
 	}
-	
+
 	/* prevent large 32 bit integer overflows */
 	if (sizeof(time_t) == 4 && tm_year > 2038)
 	{
-		return TIME_MAX;
+		return TIME_32_BIT_SIGNED_MAX;
 	}
 
 	/* representation of months as 0..11*/
@@ -442,7 +312,7 @@ time_t asn1_to_time(const chunk_t *utctime, asn1_t type)
 		return 0; /* error in month format */
 	}
 	tm_mon--;
-	
+
 	/* representation of days as 0..30 */
 	tm_day--;
 
@@ -461,8 +331,8 @@ time_t asn1_to_time(const chunk_t *utctime, asn1_t type)
 	tm_days = 365 * (tm_year - 1970) + days[tm_mon] + tm_day + tm_leap;
 	tm_secs = 60 * (60 * (24 * tm_days + tm_hour) + tm_min) + tm_sec - tz_offset;
 
-	/* has a 32 bit overflow occurred? */
-	return (tm_secs < 0) ? TIME_MAX : tm_secs;
+	/* has a 32 bit signed integer overflow occurred? */
+	return (tm_secs < 0) ? TIME_32_BIT_SIGNED_MAX : tm_secs;
 }
 
 /**
@@ -475,7 +345,7 @@ chunk_t asn1_from_time(const time_t *time, asn1_t type)
 	char buf[BUF_LEN];
 	chunk_t formatted_time;
 	struct tm t;
-	
+
 	gmtime_r(time, &t);
 	if (type == ASN1_GENERALIZEDTIME)
 	{
@@ -487,7 +357,7 @@ chunk_t asn1_from_time(const time_t *time, asn1_t type)
 		format = "%02d%02d%02d%02d%02d%02dZ";
 		offset = (t.tm_year < 100)? 0 : -100;
 	}
-	snprintf(buf, BUF_LEN, format, t.tm_year + offset, 
+	snprintf(buf, BUF_LEN, format, t.tm_year + offset,
 			 t.tm_mon + 1, t.tm_mday, t.tm_hour, t.tm_min, t.tm_sec);
 	formatted_time.ptr = buf;
 	formatted_time.len = strlen(buf);
@@ -500,7 +370,7 @@ chunk_t asn1_from_time(const time_t *time, asn1_t type)
 void asn1_debug_simple_object(chunk_t object, asn1_t type, bool private)
 {
 	int oid;
-	
+
 	switch (type)
 	{
 		case ASN1_OID:
@@ -545,30 +415,30 @@ void asn1_debug_simple_object(chunk_t object, asn1_t type, bool private)
 bool asn1_parse_simple_object(chunk_t *object, asn1_t type, u_int level, const char* name)
 {
 	size_t len;
-	
+
 	/* an ASN.1 object must possess at least a tag and length field */
 	if (object->len < 2)
 	{
 		DBG2("L%d - %s:  ASN.1 object smaller than 2 octets", level, name);
 		return FALSE;
 	}
-	
+
 	if (*object->ptr != type)
 	{
 		DBG2("L%d - %s: ASN1 tag 0x%02x expected, but is 0x%02x",
 			 level, name, type, *object->ptr);
 		return FALSE;
 	}
-	
+
 	len = asn1_length(object);
-	
+
 	if (len == ASN1_INVALID_LENGTH || object->len < len)
 	{
 		DBG2("L%d - %s:  length of ASN.1 object invalid or too large",
 			 level, name);
 		return FALSE;
 	}
-	
+
 	DBG2("L%d - %s:", level, name);
 	asn1_debug_simple_object(*object, type, FALSE);
 	return TRUE;
@@ -578,11 +448,11 @@ bool asn1_parse_simple_object(chunk_t *object, asn1_t type, u_int level, const c
  * ASN.1 definition of an algorithmIdentifier
  */
 static const asn1Object_t algorithmIdentifierObjects[] = {
-	{ 0, "algorithmIdentifier",	ASN1_SEQUENCE,	ASN1_NONE         }, /* 0 */
-	{ 1,   "algorithm",			ASN1_OID,		ASN1_BODY         }, /* 1 */
-	{ 1,   "parameters",		ASN1_EOC,		ASN1_RAW|ASN1_OPT }, /* 2 */
-	{ 1,   "end opt",			ASN1_EOC,		ASN1_END  	      }, /* 3 */
-	{ 0, "exit",				ASN1_EOC,		ASN1_EXIT         }
+	{ 0, "algorithmIdentifier",	ASN1_SEQUENCE,	ASN1_NONE			}, /* 0 */
+	{ 1,   "algorithm",			ASN1_OID,		ASN1_BODY			}, /* 1 */
+	{ 1,   "parameters",		ASN1_EOC,		ASN1_RAW|ASN1_OPT	}, /* 2 */
+	{ 1,   "end opt",			ASN1_EOC,		ASN1_END			}, /* 3 */
+	{ 0, "exit",				ASN1_EOC,		ASN1_EXIT			}
 };
 #define ALGORITHM_ID_ALG			1
 #define ALGORITHM_ID_PARAMETERS		2
@@ -596,10 +466,10 @@ int asn1_parse_algorithmIdentifier(chunk_t blob, int level0, chunk_t *parameters
 	chunk_t object;
 	int objectID;
 	int alg = OID_UNKNOWN;
-	
+
 	parser = asn1_parser_create(algorithmIdentifierObjects, blob);
 	parser->set_top_level(parser, level0);
-	
+
 	while (parser->iterate(parser, &objectID, &object))
 	{
 		switch (objectID)
@@ -629,7 +499,7 @@ bool is_asn1(chunk_t blob)
 	u_int len;
 	u_char tag = *blob.ptr;
 
-	if (tag != ASN1_SEQUENCE && tag != ASN1_SET)
+	if (tag != ASN1_SEQUENCE && tag != ASN1_SET && tag != ASN1_OCTET_STRING)
 	{
 		DBG2("  file content is not binary ASN.1");
 		return FALSE;
@@ -661,7 +531,7 @@ bool asn1_is_printablestring(chunk_t str)
 	const char printablestring_charset[] =
 		"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 '()+,-./:=?";
 	u_int i;
-	
+
 	for (i = 0; i < str.len; i++)
 	{
 		if (strchr(printablestring_charset, str.ptr[i]) == NULL)
@@ -711,24 +581,24 @@ u_char* asn1_build_object(chunk_t *object, asn1_t type, size_t datalen)
 	u_char length_buf[4];
 	chunk_t length = { length_buf, 0 };
 	u_char *pos;
-	
+
 	/* code the asn.1 length field */
 	asn1_code_length(datalen, &length);
-	
+
 	/* allocate memory for the asn.1 TLV object */
 	object->len = 1 + length.len + datalen;
 	object->ptr = malloc(object->len);
-	
+
 	/* set position pointer at the start of the object */
 	pos = object->ptr;
-	
+
 	/* copy the asn.1 tag field and advance the pointer */
 	*pos++ = type;
-	
+
 	/* copy the asn.1 length field and advance the pointer */
-	memcpy(pos, length.ptr, length.len); 
+	memcpy(pos, length.ptr, length.len);
 	pos += length.len;
-	
+
 	return pos;
 }
 
@@ -738,11 +608,11 @@ u_char* asn1_build_object(chunk_t *object, asn1_t type, size_t datalen)
 chunk_t asn1_simple_object(asn1_t tag, chunk_t content)
 {
 	chunk_t object;
-	
+
 	u_char *pos = asn1_build_object(&object, tag, content.len);
-	memcpy(pos, content.ptr, content.len); 
+	memcpy(pos, content.ptr, content.len);
 	pos += content.len;
-	
+
 	return object;
 }
 
@@ -809,8 +679,8 @@ chunk_t asn1_wrap(asn1_t type, const char *mode, ...)
 	u_char *pos;
 	int i;
 	int count = strlen(mode);
-	
-	/* sum up lengths of individual chunks */ 
+
+	/* sum up lengths of individual chunks */
 	va_start(chunks, mode);
 	construct.len = 0;
 	for (i = 0; i < count; i++)
@@ -819,26 +689,33 @@ chunk_t asn1_wrap(asn1_t type, const char *mode, ...)
 		construct.len += ch.len;
 	}
 	va_end(chunks);
-	
+
 	/* allocate needed memory for construct */
 	pos = asn1_build_object(&construct, type, construct.len);
-	
+
 	/* copy or move the chunks */
 	va_start(chunks, mode);
 	for (i = 0; i < count; i++)
 	{
 		chunk_t ch = va_arg(chunks, chunk_t);
-		
+
 		memcpy(pos, ch.ptr, ch.len);
 		pos += ch.len;
 
-		if (*mode++ == 'm')
+		switch (*mode++)
 		{
-			free(ch.ptr);
+			case 's':
+				chunk_clear(&ch);
+				break;
+			case 'm':
+				free(ch.ptr);
+				break;
+			default:
+				break;
 		}
 	}
 	va_end(chunks);
-	
+
 	return construct;
 }
 
@@ -846,11 +723,11 @@ chunk_t asn1_wrap(asn1_t type, const char *mode, ...)
  * ASN.1 definition of time
  */
 static const asn1Object_t timeObjects[] = {
-	{ 0, "utcTime",			ASN1_UTCTIME,			ASN1_OPT|ASN1_BODY 	}, /* 0 */
-	{ 0, "end opt",			ASN1_EOC,				ASN1_END  			}, /* 1 */
-	{ 0, "generalizeTime",	ASN1_GENERALIZEDTIME,	ASN1_OPT|ASN1_BODY 	}, /* 2 */
-	{ 0, "end opt",			ASN1_EOC,				ASN1_END  			}, /* 3 */
-	{ 0, "exit",			ASN1_EOC,				ASN1_EXIT  			}
+	{ 0, "utcTime",			ASN1_UTCTIME,			ASN1_OPT|ASN1_BODY	}, /* 0 */
+	{ 0, "end opt",			ASN1_EOC,				ASN1_END			}, /* 1 */
+	{ 0, "generalizeTime",	ASN1_GENERALIZEDTIME,	ASN1_OPT|ASN1_BODY	}, /* 2 */
+	{ 0, "end opt",			ASN1_EOC,				ASN1_END			}, /* 3 */
+	{ 0, "exit",			ASN1_EOC,				ASN1_EXIT			}
 };
 #define TIME_UTC			0
 #define TIME_GENERALIZED	2
@@ -864,10 +741,10 @@ time_t asn1_parse_time(chunk_t blob, int level0)
 	chunk_t object;
 	int objectID;
 	time_t utc_time = 0;
-	
+
 	parser= asn1_parser_create(timeObjects, blob);
 	parser->set_top_level(parser, level0);
-	
+
 	while (parser->iterate(parser, &objectID, &object))
 	{
 		if (objectID == TIME_UTC || objectID == TIME_GENERALIZED)
diff --git a/src/libstrongswan/asn1/asn1.h b/src/libstrongswan/asn1/asn1.h
index 8072d62d6..d29190df7 100644
--- a/src/libstrongswan/asn1/asn1.h
+++ b/src/libstrongswan/asn1/asn1.h
@@ -14,7 +14,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  */
- 
+
 /**
  * @defgroup asn1i asn1
  * @{ @ingroup asn1
@@ -32,51 +32,51 @@
  * Definition of some primitive ASN1 types
  */
 typedef enum {
-    ASN1_EOC =				0x00,
-    ASN1_BOOLEAN =			0x01,
-    ASN1_INTEGER =			0x02,
-    ASN1_BIT_STRING =		0x03,
-    ASN1_OCTET_STRING = 	0x04,
-    ASN1_NULL = 			0x05,
-    ASN1_OID =				0x06,
-    ASN1_ENUMERATED =		0x0A,
-    ASN1_UTF8STRING =		0x0C,
-    ASN1_NUMERICSTRING =	0x12,
-    ASN1_PRINTABLESTRING =	0x13,
-    ASN1_T61STRING =		0x14,
-    ASN1_VIDEOTEXSTRING =	0x15,
-    ASN1_IA5STRING =		0x16,
-    ASN1_UTCTIME =			0x17,
-    ASN1_GENERALIZEDTIME =	0x18,
-    ASN1_GRAPHICSTRING =	0x19,
-    ASN1_VISIBLESTRING = 	0x1A,
-    ASN1_GENERALSTRING =	0x1B,
-    ASN1_UNIVERSALSTRING =	0x1C,
-    ASN1_BMPSTRING =		0x1E,
-
-    ASN1_CONSTRUCTED =		0x20,
-
-    ASN1_SEQUENCE =			0x30,
-    ASN1_SET =				0x31,
-
-    ASN1_CONTEXT_S_0 =		0x80,
-    ASN1_CONTEXT_S_1 =		0x81,
-    ASN1_CONTEXT_S_2 =		0x82,
-    ASN1_CONTEXT_S_3 =		0x83,
-    ASN1_CONTEXT_S_4 =		0x84,
-    ASN1_CONTEXT_S_5 =		0x85,
-    ASN1_CONTEXT_S_6 =		0x86,
-    ASN1_CONTEXT_S_7 =		0x87,
-    ASN1_CONTEXT_S_8 =		0x88,
-
-    ASN1_CONTEXT_C_0 =		0xA0,
-    ASN1_CONTEXT_C_1 =		0xA1,
-    ASN1_CONTEXT_C_2 =		0xA2,
-    ASN1_CONTEXT_C_3 =		0xA3,
-    ASN1_CONTEXT_C_4 =		0xA4,
-    ASN1_CONTEXT_C_5 =		0xA5,
-
-    ASN1_INVALID = 			0x100,
+	ASN1_EOC =				0x00,
+	ASN1_BOOLEAN =			0x01,
+	ASN1_INTEGER =			0x02,
+	ASN1_BIT_STRING =		0x03,
+	ASN1_OCTET_STRING = 	0x04,
+	ASN1_NULL = 			0x05,
+	ASN1_OID =				0x06,
+	ASN1_ENUMERATED =		0x0A,
+	ASN1_UTF8STRING =		0x0C,
+	ASN1_NUMERICSTRING =	0x12,
+	ASN1_PRINTABLESTRING =	0x13,
+	ASN1_T61STRING =		0x14,
+	ASN1_VIDEOTEXSTRING =	0x15,
+	ASN1_IA5STRING =		0x16,
+	ASN1_UTCTIME =			0x17,
+	ASN1_GENERALIZEDTIME =	0x18,
+	ASN1_GRAPHICSTRING =	0x19,
+	ASN1_VISIBLESTRING = 	0x1A,
+	ASN1_GENERALSTRING =	0x1B,
+	ASN1_UNIVERSALSTRING =	0x1C,
+	ASN1_BMPSTRING =		0x1E,
+
+	ASN1_CONSTRUCTED =		0x20,
+
+	ASN1_SEQUENCE =			0x30,
+	ASN1_SET =				0x31,
+
+	ASN1_CONTEXT_S_0 =		0x80,
+	ASN1_CONTEXT_S_1 =		0x81,
+	ASN1_CONTEXT_S_2 =		0x82,
+	ASN1_CONTEXT_S_3 =		0x83,
+	ASN1_CONTEXT_S_4 =		0x84,
+	ASN1_CONTEXT_S_5 =		0x85,
+	ASN1_CONTEXT_S_6 =		0x86,
+	ASN1_CONTEXT_S_7 =		0x87,
+	ASN1_CONTEXT_S_8 =		0x88,
+
+	ASN1_CONTEXT_C_0 =		0xA0,
+	ASN1_CONTEXT_C_1 =		0xA1,
+	ASN1_CONTEXT_C_2 =		0xA2,
+	ASN1_CONTEXT_C_3 =		0xA3,
+	ASN1_CONTEXT_C_4 =		0xA4,
+	ASN1_CONTEXT_C_5 =		0xA5,
+
+	ASN1_INVALID = 			0x100,
 } asn1_t;
 
 #define ASN1_INVALID_LENGTH	0xffffffff
@@ -92,10 +92,10 @@ extern const chunk_t ASN1_INTEGER_2;
 /** Some ASN.1 analysis functions */
 
 /**
- * Returns some popular algorithmIdentifiers
+ * Build an algorithmIdentifier from a known OID.
  *
  * @param oid		known OID index
- * @return			body of the corresponding OID
+ * @return			body of the corresponding OID, allocated
  */
 chunk_t asn1_algorithmIdentifier(int oid);
 
@@ -103,7 +103,7 @@ chunk_t asn1_algorithmIdentifier(int oid);
  * Converts an ASN.1 OID into a known OID index
  *
  * @param object	body of an OID
- * @return			index into the oid_names[] table or OID_UNKNOWN  
+ * @return			index into the oid_names[] table or OID_UNKNOWN
  */
 int asn1_known_oid(chunk_t object);
 
@@ -139,7 +139,7 @@ int asn1_unwrap(chunk_t *blob, chunk_t *content);
  * @param blob		ASN.1 coded blob
  * @param level0	top-most level offset
  * @param params	returns optional [ASN.1 coded] parameters
- * @return			known OID index or OID_UNKNOWN	
+ * @return			known OID index or OID_UNKNOWN
  */
 int asn1_parse_algorithmIdentifier(chunk_t blob, int level0, chunk_t *params);
 
@@ -178,7 +178,7 @@ time_t asn1_to_time(const chunk_t *utctime, asn1_t type);
  *
  * @param time		time_t in UTC
  * @param type		ASN1_UTCTIME or ASN1_GENERALIZEDTIME
- * @return			body of an ASN.1 code time object			
+ * @return			body of an ASN.1 code time object
  */
 chunk_t asn1_from_time(const time_t *time, asn1_t type);
 
@@ -187,7 +187,7 @@ chunk_t asn1_from_time(const time_t *time, asn1_t type);
  *
  * @param blob		ASN.1 coded time object
  * @param level0	top-most level offset
- * @return			time_t in UTC 	
+ * @return			time_t in UTC
  */
 time_t asn1_parse_time(chunk_t blob, int level0);
 
@@ -250,8 +250,12 @@ chunk_t asn1_integer(const char *mode, chunk_t content);
 /**
  * Build an ASN.1 object from a variable number of individual chunks
  *
+ * The mode string specifies the number of chunks, and how to handle each of
+ * them with a single character: 'c' for copy (allocate new chunk), 'm' for move
+ * (free given chunk) or 's' for sensitive-copy (clear given chunk, then free).
+ *
  * @param type		ASN.1 type to be created
- * @param mode		for each list member: 'c' for copy or 'm' for move
+ * @param mode		for each list member: 'c', 'm' or 's'
  * @return			chunk containing the ASN.1 coded object
  */
 chunk_t asn1_wrap(asn1_t type, const char *mode, ...);
diff --git a/src/libstrongswan/asn1/asn1_parser.c b/src/libstrongswan/asn1/asn1_parser.c
index bc4c0b50f..dc7726ad7 100644
--- a/src/libstrongswan/asn1/asn1_parser.c
+++ b/src/libstrongswan/asn1/asn1_parser.c
@@ -54,7 +54,7 @@ struct private_asn1_parser_t {
 	bool success;
 
 	/**
-	 * Declare object data as private - use debug level 4 to log it 
+	 * Declare object data as private - use debug level 4 to log it
 	 */
 	bool private;
 
@@ -88,7 +88,7 @@ static bool iterate(private_asn1_parser_t *this, int *objectID, chunk_t *object)
 	u_char *start_ptr;
 	u_int level;
 	asn1Object_t obj;
-	
+
 	*object = chunk_empty;
 
 	/* Advance to the next object syntax definition line */
@@ -99,7 +99,7 @@ static bool iterate(private_asn1_parser_t *this, int *objectID, chunk_t *object)
 	{
 		return FALSE;
 	}
-		
+
 	if (obj.flags & ASN1_END)  /* end of loop or option found */
 	{
 		if (this->loopAddr[obj.level] && this->blobs[obj.level+1].len > 0)
@@ -109,16 +109,16 @@ static bool iterate(private_asn1_parser_t *this, int *objectID, chunk_t *object)
 		}
 		else
 		{
-			this->loopAddr[obj.level] = 0;         /* exit loop or option*/
+			this->loopAddr[obj.level] = 0;		 /* exit loop or option*/
 			goto end;
 		}
 	}
-	
+
 	level = this->level0 + obj.level;
 	blob = this->blobs + obj.level;
 	blob1 = blob + 1;
 	start_ptr = blob->ptr;
-	
+
 	/* handle ASN.1 defaults values */
 	if ((obj.flags & ASN1_DEF) && (blob->len == 0 || *start_ptr != obj.type) )
 	{
@@ -130,9 +130,9 @@ static bool iterate(private_asn1_parser_t *this, int *objectID, chunk_t *object)
 		}
 		goto end;
 	}
-	
+
 	/* handle ASN.1 options */
-	
+
 	if ((obj.flags & ASN1_OPT)
 			&& (blob->len == 0 || *start_ptr != obj.type))
 	{
@@ -145,9 +145,9 @@ static bool iterate(private_asn1_parser_t *this, int *objectID, chunk_t *object)
 				 (this->objects[this->line].level == obj.level)));
 		goto end;
 	}
-		
+
 	/* an ASN.1 object must possess at least a tag and length field */
-	
+
 	if (blob->len < 2)
 	{
 		DBG1("L%d - %s:  ASN.1 object smaller than 2 octets",
@@ -155,22 +155,22 @@ static bool iterate(private_asn1_parser_t *this, int *objectID, chunk_t *object)
 		this->success = FALSE;
 		goto end;
 	}
-	
+
 	blob1->len = asn1_length(blob);
-	
+
 	if (blob1->len == ASN1_INVALID_LENGTH)
 	{
-		DBG1("L%d - %s:  length of ASN.1 object invalid or too large", 
+		DBG1("L%d - %s:  length of ASN.1 object invalid or too large",
 					level, obj.name);
 		this->success = FALSE;
 	}
-	
+
 	blob1->ptr = blob->ptr;
 	blob->ptr += blob1->len;
 	blob->len -= blob1->len;
-	
+
 	/* return raw ASN.1 object without prior type checking */
-	
+
 	if (obj.flags & ASN1_RAW)
 	{
 		DBG2("L%d - %s:", level, obj.name);
@@ -187,10 +187,10 @@ static bool iterate(private_asn1_parser_t *this, int *objectID, chunk_t *object)
 		this->success = FALSE;
 		goto end;
 	}
-	
+
 	DBG2("L%d - %s:", level, obj.name);
-	
-	/* In case of "SEQUENCE OF" or "SET OF" start a loop */	
+
+	/* In case of "SEQUENCE OF" or "SET OF" start a loop */
 	if (obj.flags & ASN1_LOOP)
 	{
 		if (blob1->len > 0)
diff --git a/src/libstrongswan/asn1/asn1_parser.h b/src/libstrongswan/asn1/asn1_parser.h
index b2f4133a1..49325232d 100644
--- a/src/libstrongswan/asn1/asn1_parser.h
+++ b/src/libstrongswan/asn1/asn1_parser.h
@@ -14,7 +14,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  */
- 
+
 /**
  * @defgroup asn1_parser asn1_parser
  * @{ @ingroup asn1
@@ -57,7 +57,7 @@ struct asn1Object_t{
 typedef struct asn1_parser_t asn1_parser_t;
 
 /**
- * Public interface of an ASN.1 parser 
+ * Public interface of an ASN.1 parser
  */
 struct asn1_parser_t {
 
@@ -69,25 +69,25 @@ struct asn1_parser_t {
 	 * @return 			- FALSE if end of object syntax definition was reached
 	 *							or a parsing error occurred
 	 *					- TRUE	otherwise
-     */
+	 */
 	bool (*iterate)(asn1_parser_t *this, int *objectID, chunk_t *object);
 
 	/**
-     * Get the current parsing level
+	 * Get the current parsing level
 	 *
 	 * @return 			current level
 	 */
 	u_int (*get_level)(asn1_parser_t *this);
 
 	/**
-     * Set the top-most level
+	 * Set the top-most level
 	 *
 	 * @param level		top-most level
 	 */
 	void (*set_top_level)(asn1_parser_t *this, u_int level0);
 
 	/**
-     * Set implicit and private flags
+	 * Set implicit and private flags
 	 *
 	 * @param implicit	top-most type of object is implicit
 	 * @param private	object data is private (use debug level 4)
@@ -95,7 +95,7 @@ struct asn1_parser_t {
 	void (*set_flags)(asn1_parser_t *this, bool implicit, bool private);
 
 	/**
-     * Show final parsing status
+	 * Show final parsing status
 	 *
 	 * @return			TRUE if parsing was successful, FALSE otherwise
 	 */
@@ -106,7 +106,7 @@ struct asn1_parser_t {
 	 */
 	void (*destroy)(asn1_parser_t *this);
 };
- 
+
 /**
  * Create an ASN.1 parser
  *
diff --git a/src/libstrongswan/asn1/oid.c b/src/libstrongswan/asn1/oid.c
index 391d65e89..8f91a2e2b 100644
--- a/src/libstrongswan/asn1/oid.c
+++ b/src/libstrongswan/asn1/oid.c
@@ -28,7 +28,7 @@ const oid_t oid_names[] = {
  {                0x01,       0, 1,  8, "pilotAttributeType"        }, /*  15 */
  {                  0x01,    17, 0,  9, "UID"                       }, /*  16 */
  {                  0x19,     0, 0,  9, "DC"                        }, /*  17 */
- {0x55,                      52, 1,  0, "X.500"                     }, /*  18 */
+ {0x55,                      64, 1,  0, "X.500"                     }, /*  18 */
  {  0x04,                    36, 1,  1, "X.509"                     }, /*  19 */
  {    0x03,                  21, 0,  2, "CN"                        }, /*  20 */
  {    0x04,                  22, 0,  2, "S"                         }, /*  21 */
@@ -56,260 +56,312 @@ const oid_t oid_names[] = {
  {    0x13,                  44, 0,  2, "basicConstraints"          }, /*  43 */
  {    0x14,                  45, 0,  2, "crlNumber"                 }, /*  44 */
  {    0x15,                  46, 0,  2, "reasonCode"                }, /*  45 */
- {    0x1F,                  47, 0,  2, "crlDistributionPoints"     }, /*  46 */
- {    0x20,                  48, 0,  2, "certificatePolicies"       }, /*  47 */
- {    0x23,                  49, 0,  2, "authorityKeyIdentifier"    }, /*  48 */
- {    0x25,                  50, 0,  2, "extendedKeyUsage"          }, /*  49 */
- {    0x37,                  51, 0,  2, "targetInformation"         }, /*  50 */
- {    0x38,                   0, 0,  2, "noRevAvail"                }, /*  51 */
- {0x2A,                     149, 1,  0, ""                          }, /*  52 */
- {  0x83,                    65, 1,  1, ""                          }, /*  53 */
- {    0x08,                   0, 1,  2, "jp"                        }, /*  54 */
- {      0x8C,                 0, 1,  3, ""                          }, /*  55 */
- {        0x9A,               0, 1,  4, ""                          }, /*  56 */
- {          0x4B,             0, 1,  5, ""                          }, /*  57 */
- {            0x3D,           0, 1,  6, ""                          }, /*  58 */
- {              0x01,         0, 1,  7, "security"                  }, /*  59 */
- {                0x01,       0, 1,  8, "algorithm"                 }, /*  60 */
- {                  0x01,     0, 1,  9, "symm-encryption-alg"       }, /*  61 */
- {                    0x02,  63, 0, 10, "camellia128-cbc"           }, /*  62 */
- {                    0x03,  64, 0, 10, "camellia192-cbc"           }, /*  63 */
- {                    0x04,   0, 0, 10, "camellia256-cbc"           }, /*  64 */
- {  0x86,                     0, 1,  1, ""                          }, /*  65 */
- {    0x48,                   0, 1,  2, "us"                        }, /*  66 */
- {      0x86,               108, 1,  3, ""                          }, /*  67 */
- {        0xF6,              73, 1,  4, ""                          }, /*  68 */
- {          0x7D,             0, 1,  5, "NortelNetworks"            }, /*  69 */
- {            0x07,           0, 1,  6, "Entrust"                   }, /*  70 */
- {              0x41,         0, 1,  7, "nsn-ce"                    }, /*  71 */
- {                0x00,       0, 0,  8, "entrustVersInfo"           }, /*  72 */
- {        0xF7,               0, 1,  4, ""                          }, /*  73 */
- {          0x0D,             0, 1,  5, "RSADSI"                    }, /*  74 */
- {            0x01,         103, 1,  6, "PKCS"                      }, /*  75 */
- {              0x01,        85, 1,  7, "PKCS-1"                    }, /*  76 */
- {                0x01,      78, 0,  8, "rsaEncryption"             }, /*  77 */
- {                0x02,      79, 0,  8, "md2WithRSAEncryption"      }, /*  78 */
- {                0x04,      80, 0,  8, "md5WithRSAEncryption"      }, /*  79 */
- {                0x05,      81, 0,  8, "sha-1WithRSAEncryption"    }, /*  80 */
- {                0x0B,      82, 0,  8, "sha256WithRSAEncryption"   }, /*  81 */
- {                0x0C,      83, 0,  8, "sha384WithRSAEncryption"   }, /*  82 */
- {                0x0D,      84, 0,  8, "sha512WithRSAEncryption"   }, /*  83 */
- {                0x0E,       0, 0,  8, "sha224WithRSAEncryption"   }, /*  84 */
- {              0x07,        92, 1,  7, "PKCS-7"                    }, /*  85 */
- {                0x01,      87, 0,  8, "data"                      }, /*  86 */
- {                0x02,      88, 0,  8, "signedData"                }, /*  87 */
- {                0x03,      89, 0,  8, "envelopedData"             }, /*  88 */
- {                0x04,      90, 0,  8, "signedAndEnvelopedData"    }, /*  89 */
- {                0x05,      91, 0,  8, "digestedData"              }, /*  90 */
- {                0x06,       0, 0,  8, "encryptedData"             }, /*  91 */
- {              0x09,         0, 1,  7, "PKCS-9"                    }, /*  92 */
- {                0x01,      94, 0,  8, "E"                         }, /*  93 */
- {                0x02,      95, 0,  8, "unstructuredName"          }, /*  94 */
- {                0x03,      96, 0,  8, "contentType"               }, /*  95 */
- {                0x04,      97, 0,  8, "messageDigest"             }, /*  96 */
- {                0x05,      98, 0,  8, "signingTime"               }, /*  97 */
- {                0x06,      99, 0,  8, "counterSignature"          }, /*  98 */
- {                0x07,     100, 0,  8, "challengePassword"         }, /*  99 */
- {                0x08,     101, 0,  8, "unstructuredAddress"       }, /* 100 */
- {                0x0E,     102, 0,  8, "extensionRequest"          }, /* 101 */
- {                0x0F,       0, 0,  8, "S/MIME Capabilities"       }, /* 102 */
- {            0x02,         106, 1,  6, "digestAlgorithm"           }, /* 103 */
- {              0x02,       105, 0,  7, "md2"                       }, /* 104 */
- {              0x05,         0, 0,  7, "md5"                       }, /* 105 */
- {            0x03,           0, 1,  6, "encryptionAlgorithm"       }, /* 106 */
- {              0x07,         0, 0,  7, "3des-ede-cbc"              }, /* 107 */
- {      0xCE,                 0, 1,  3, ""                          }, /* 108 */
- {        0x3D,               0, 1,  4, "ansi-X9-62"                }, /* 109 */
- {          0x02,           112, 1,  5, "id-publicKeyType"          }, /* 110 */
- {            0x01,           0, 0,  6, "id-ecPublicKey"            }, /* 111 */
- {          0x03,           142, 1,  5, "ellipticCurve"             }, /* 112 */
- {            0x00,         134, 1,  6, "c-TwoCurve"                }, /* 113 */
- {              0x01,       115, 0,  7, "c2pnb163v1"                }, /* 114 */
- {              0x02,       116, 0,  7, "c2pnb163v2"                }, /* 115 */
- {              0x03,       117, 0,  7, "c2pnb163v3"                }, /* 116 */
- {              0x04,       118, 0,  7, "c2pnb176w1"                }, /* 117 */
- {              0x05,       119, 0,  7, "c2tnb191v1"                }, /* 118 */
- {              0x06,       120, 0,  7, "c2tnb191v2"                }, /* 119 */
- {              0x07,       121, 0,  7, "c2tnb191v3"                }, /* 120 */
- {              0x08,       122, 0,  7, "c2onb191v4"                }, /* 121 */
- {              0x09,       123, 0,  7, "c2onb191v5"                }, /* 122 */
- {              0x0A,       124, 0,  7, "c2pnb208w1"                }, /* 123 */
- {              0x0B,       125, 0,  7, "c2tnb239v1"                }, /* 124 */
- {              0x0C,       126, 0,  7, "c2tnb239v2"                }, /* 125 */
- {              0x0D,       127, 0,  7, "c2tnb239v3"                }, /* 126 */
- {              0x0E,       128, 0,  7, "c2onb239v4"                }, /* 127 */
- {              0x0F,       129, 0,  7, "c2onb239v5"                }, /* 128 */
- {              0x10,       130, 0,  7, "c2pnb272w1"                }, /* 129 */
- {              0x11,       131, 0,  7, "c2pnb304w1"                }, /* 130 */
- {              0x12,       132, 0,  7, "c2tnb359v1"                }, /* 131 */
- {              0x13,       133, 0,  7, "c2pnb368w1"                }, /* 132 */
- {              0x14,         0, 0,  7, "c2tnb431r1"                }, /* 133 */
- {            0x01,           0, 1,  6, "primeCurve"                }, /* 134 */
- {              0x01,       136, 0,  7, "prime192v1"                }, /* 135 */
- {              0x02,       137, 0,  7, "prime192v2"                }, /* 136 */
- {              0x03,       138, 0,  7, "prime192v3"                }, /* 137 */
- {              0x04,       139, 0,  7, "prime239v1"                }, /* 138 */
- {              0x05,       140, 0,  7, "prime239v2"                }, /* 139 */
- {              0x06,       141, 0,  7, "prime239v3"                }, /* 140 */
- {              0x07,         0, 0,  7, "prime256v1"                }, /* 141 */
- {          0x04,             0, 1,  5, "id-ecSigType"              }, /* 142 */
- {            0x01,         144, 0,  6, "ecdsa-with-SHA1"           }, /* 143 */
- {            0x03,           0, 1,  6, "ecdsa-with-Specified"      }, /* 144 */
- {              0x01,       146, 0,  7, "ecdsa-with-SHA224"         }, /* 145 */
- {              0x02,       147, 0,  7, "ecdsa-with-SHA256"         }, /* 146 */
- {              0x03,       148, 0,  7, "ecdsa-with-SHA384"         }, /* 147 */
- {              0x04,         0, 0,  7, "ecdsa-with-SHA512"         }, /* 148 */
- {0x2B,                     249, 1,  0, ""                          }, /* 149 */
- {  0x06,                   202, 1,  1, "dod"                       }, /* 150 */
- {    0x01,                   0, 1,  2, "internet"                  }, /* 151 */
- {      0x04,               170, 1,  3, "private"                   }, /* 152 */
- {        0x01,               0, 1,  4, "enterprise"                }, /* 153 */
- {          0x82,           163, 1,  5, ""                          }, /* 154 */
- {            0x37,           0, 1,  6, "Microsoft"                 }, /* 155 */
- {              0x0A,       160, 1,  7, ""                          }, /* 156 */
- {                0x03,       0, 1,  8, ""                          }, /* 157 */
- {                  0x03,   159, 0,  9, "msSGC"                     }, /* 158 */
- {                  0x04,     0, 0,  9, "msEncryptingFileSystem"    }, /* 159 */
- {              0x14,         0, 1,  7, "msEnrollmentInfrastructure"}, /* 160 */
- {                0x02,       0, 1,  8, "msCertificateTypeExtension"}, /* 161 */
- {                  0x02,     0, 0,  9, "msSmartcardLogon"          }, /* 162 */
- {          0x89,             0, 1,  5, ""                          }, /* 163 */
- {            0x31,           0, 1,  6, ""                          }, /* 164 */
- {              0x01,         0, 1,  7, ""                          }, /* 165 */
- {                0x01,       0, 1,  8, ""                          }, /* 166 */
- {                  0x02,     0, 1,  9, ""                          }, /* 167 */
- {                    0x02, 169, 0, 10, ""                          }, /* 168 */
- {                    0x4B,   0, 0, 10, "TCGID"                     }, /* 169 */
- {      0x05,                 0, 1,  3, "security"                  }, /* 170 */
- {        0x05,               0, 1,  4, "mechanisms"                }, /* 171 */
- {          0x07,             0, 1,  5, "id-pkix"                   }, /* 172 */
- {            0x01,         175, 1,  6, "id-pe"                     }, /* 173 */
- {              0x01,         0, 0,  7, "authorityInfoAccess"       }, /* 174 */
- {            0x03,         185, 1,  6, "id-kp"                     }, /* 175 */
- {              0x01,       177, 0,  7, "serverAuth"                }, /* 176 */
- {              0x02,       178, 0,  7, "clientAuth"                }, /* 177 */
- {              0x03,       179, 0,  7, "codeSigning"               }, /* 178 */
- {              0x04,       180, 0,  7, "emailProtection"           }, /* 179 */
- {              0x05,       181, 0,  7, "ipsecEndSystem"            }, /* 180 */
- {              0x06,       182, 0,  7, "ipsecTunnel"               }, /* 181 */
- {              0x07,       183, 0,  7, "ipsecUser"                 }, /* 182 */
- {              0x08,       184, 0,  7, "timeStamping"              }, /* 183 */
- {              0x09,         0, 0,  7, "ocspSigning"               }, /* 184 */
- {            0x08,         187, 1,  6, "id-otherNames"             }, /* 185 */
- {              0x05,         0, 0,  7, "xmppAddr"                  }, /* 186 */
- {            0x0A,         192, 1,  6, "id-aca"                    }, /* 187 */
- {              0x01,       189, 0,  7, "authenticationInfo"        }, /* 188 */
- {              0x02,       190, 0,  7, "accessIdentity"            }, /* 189 */
- {              0x03,       191, 0,  7, "chargingIdentity"          }, /* 190 */
- {              0x04,         0, 0,  7, "group"                     }, /* 191 */
- {            0x30,           0, 1,  6, "id-ad"                     }, /* 192 */
- {              0x01,       201, 1,  7, "ocsp"                      }, /* 193 */
- {                0x01,     195, 0,  8, "basic"                     }, /* 194 */
- {                0x02,     196, 0,  8, "nonce"                     }, /* 195 */
- {                0x03,     197, 0,  8, "crl"                       }, /* 196 */
- {                0x04,     198, 0,  8, "response"                  }, /* 197 */
- {                0x05,     199, 0,  8, "noCheck"                   }, /* 198 */
- {                0x06,     200, 0,  8, "archiveCutoff"             }, /* 199 */
- {                0x07,       0, 0,  8, "serviceLocator"            }, /* 200 */
- {              0x02,         0, 0,  7, "caIssuers"                 }, /* 201 */
- {  0x0E,                   208, 1,  1, "oiw"                       }, /* 202 */
- {    0x03,                   0, 1,  2, "secsig"                    }, /* 203 */
- {      0x02,                 0, 1,  3, "algorithms"                }, /* 204 */
- {        0x07,             206, 0,  4, "des-cbc"                   }, /* 205 */
- {        0x1A,             207, 0,  4, "sha-1"                     }, /* 206 */
- {        0x1D,               0, 0,  4, "sha-1WithRSASignature"     }, /* 207 */
- {  0x24,                   215, 1,  1, "TeleTrusT"                 }, /* 208 */
- {    0x03,                   0, 1,  2, "algorithm"                 }, /* 209 */
- {      0x03,                 0, 1,  3, "signatureAlgorithm"        }, /* 210 */
- {        0x01,               0, 1,  4, "rsaSignature"              }, /* 211 */
- {          0x02,           213, 0,  5, "rsaSigWithripemd160"       }, /* 212 */
- {          0x03,           214, 0,  5, "rsaSigWithripemd128"       }, /* 213 */
- {          0x04,             0, 0,  5, "rsaSigWithripemd256"       }, /* 214 */
- {  0x81,                     0, 1,  1, ""                          }, /* 215 */
- {    0x04,                   0, 1,  2, "Certicom"                  }, /* 216 */
- {      0x00,                 0, 1,  3, "curve"                     }, /* 217 */
- {        0x01,             219, 0,  4, "sect163k1"                 }, /* 218 */
- {        0x02,             220, 0,  4, "sect163r1"                 }, /* 219 */
- {        0x03,             221, 0,  4, "sect239k1"                 }, /* 220 */
- {        0x04,             222, 0,  4, "sect113r1"                 }, /* 221 */
- {        0x05,             223, 0,  4, "sect113r2"                 }, /* 222 */
- {        0x06,             224, 0,  4, "secp112r1"                 }, /* 223 */
- {        0x07,             225, 0,  4, "secp112r2"                 }, /* 224 */
- {        0x08,             226, 0,  4, "secp160r1"                 }, /* 225 */
- {        0x09,             227, 0,  4, "secp160k1"                 }, /* 226 */
- {        0x0A,             228, 0,  4, "secp256k1"                 }, /* 227 */
- {        0x0F,             229, 0,  4, "sect163r2"                 }, /* 228 */
- {        0x10,             230, 0,  4, "sect283k1"                 }, /* 229 */
- {        0x11,             231, 0,  4, "sect283r1"                 }, /* 230 */
- {        0x16,             232, 0,  4, "sect131r1"                 }, /* 231 */
- {        0x17,             233, 0,  4, "sect131r2"                 }, /* 232 */
- {        0x18,             234, 0,  4, "sect193r1"                 }, /* 233 */
- {        0x19,             235, 0,  4, "sect193r2"                 }, /* 234 */
- {        0x1A,             236, 0,  4, "sect233k1"                 }, /* 235 */
- {        0x1B,             237, 0,  4, "sect233r1"                 }, /* 236 */
- {        0x1C,             238, 0,  4, "secp128r1"                 }, /* 237 */
- {        0x1D,             239, 0,  4, "secp128r2"                 }, /* 238 */
- {        0x1E,             240, 0,  4, "secp160r2"                 }, /* 239 */
- {        0x1F,             241, 0,  4, "secp192k1"                 }, /* 240 */
- {        0x20,             242, 0,  4, "secp224k1"                 }, /* 241 */
- {        0x21,             243, 0,  4, "secp224r1"                 }, /* 242 */
- {        0x22,             244, 0,  4, "secp384r1"                 }, /* 243 */
- {        0x23,             245, 0,  4, "secp521r1"                 }, /* 244 */
- {        0x24,             246, 0,  4, "sect409k1"                 }, /* 245 */
- {        0x25,             247, 0,  4, "sect409r1"                 }, /* 246 */
- {        0x26,             248, 0,  4, "sect571k1"                 }, /* 247 */
- {        0x27,               0, 0,  4, "sect571r1"                 }, /* 248 */
- {0x60,                       0, 1,  0, ""                          }, /* 249 */
- {  0x86,                     0, 1,  1, ""                          }, /* 250 */
- {    0x48,                   0, 1,  2, ""                          }, /* 251 */
- {      0x01,               295, 1,  3, "organization"              }, /* 252 */
- {        0x65,             271, 1,  4, "gov"                       }, /* 253 */
- {          0x03,             0, 1,  5, "csor"                      }, /* 254 */
- {            0x04,           0, 1,  6, "nistalgorithm"             }, /* 255 */
- {              0x01,       266, 1,  7, "aes"                       }, /* 256 */
- {                0x02,     258, 0,  8, "id-aes128-CBC"             }, /* 257 */
- {                0x06,     259, 0,  8, "id-aes128-GCM"             }, /* 258 */
- {                0x07,     260, 0,  8, "id-aes128-CCM"             }, /* 259 */
- {                0x16,     261, 0,  8, "id-aes192-CBC"             }, /* 260 */
- {                0x1A,     262, 0,  8, "id-aes192-GCM"             }, /* 261 */
- {                0x1B,     263, 0,  8, "id-aes192-CCM"             }, /* 262 */
- {                0x2A,     264, 0,  8, "id-aes256-CBC"             }, /* 263 */
- {                0x2E,     265, 0,  8, "id-aes256-GCM"             }, /* 264 */
- {                0x2F,       0, 0,  8, "id-aes256-CCM"             }, /* 265 */
- {              0x02,         0, 1,  7, "hashalgs"                  }, /* 266 */
- {                0x01,     268, 0,  8, "id-SHA-256"                }, /* 267 */
- {                0x02,     269, 0,  8, "id-SHA-384"                }, /* 268 */
- {                0x03,     270, 0,  8, "id-SHA-512"                }, /* 269 */
- {                0x04,       0, 0,  8, "id-SHA-224"                }, /* 270 */
- {        0x86,               0, 1,  4, ""                          }, /* 271 */
- {          0xf8,             0, 1,  5, ""                          }, /* 272 */
- {            0x42,         285, 1,  6, "netscape"                  }, /* 273 */
- {              0x01,       280, 1,  7, ""                          }, /* 274 */
- {                0x01,     276, 0,  8, "nsCertType"                }, /* 275 */
- {                0x03,     277, 0,  8, "nsRevocationUrl"           }, /* 276 */
- {                0x04,     278, 0,  8, "nsCaRevocationUrl"         }, /* 277 */
- {                0x08,     279, 0,  8, "nsCaPolicyUrl"             }, /* 278 */
- {                0x0d,       0, 0,  8, "nsComment"                 }, /* 279 */
- {              0x03,       283, 1,  7, "directory"                 }, /* 280 */
- {                0x01,       0, 1,  8, ""                          }, /* 281 */
- {                  0x03,     0, 0,  9, "employeeNumber"            }, /* 282 */
- {              0x04,         0, 1,  7, "policy"                    }, /* 283 */
- {                0x01,       0, 0,  8, "nsSGC"                     }, /* 284 */
- {            0x45,           0, 1,  6, "verisign"                  }, /* 285 */
- {              0x01,         0, 1,  7, "pki"                       }, /* 286 */
- {                0x09,       0, 1,  8, "attributes"                }, /* 287 */
- {                  0x02,   289, 0,  9, "messageType"               }, /* 288 */
- {                  0x03,   290, 0,  9, "pkiStatus"                 }, /* 289 */
- {                  0x04,   291, 0,  9, "failInfo"                  }, /* 290 */
- {                  0x05,   292, 0,  9, "senderNonce"               }, /* 291 */
- {                  0x06,   293, 0,  9, "recipientNonce"            }, /* 292 */
- {                  0x07,   294, 0,  9, "transID"                   }, /* 293 */
- {                  0x08,     0, 0,  9, "extensionReq"              }, /* 294 */
- {      0x86,                 0, 1,  3, "old-netscape"              }, /* 295 */
- {        0xF7,               0, 1,  4, ""                          }, /* 296 */
- {          0x0D,             0, 1,  5, ""                          }, /* 297 */
- {            0x01,           0, 1,  6, ""                          }, /* 298 */
- {              0x09,         0, 1,  7, ""                          }, /* 299 */
- {                0x01,     301, 0,  8, "emailAddress"              }, /* 300 */
- {                0x02,       0, 0,  8, "unstructuredName"          }  /* 301 */
+ {    0x17,                  47, 0,  2, "holdInstructionCode"       }, /*  46 */
+ {    0x18,                  48, 0,  2, "invalidityDate"            }, /*  47 */
+ {    0x1B,                  49, 0,  2, "deltaCrlIndicator"         }, /*  48 */
+ {    0x1C,                  50, 0,  2, "issuingDistributionPoint"  }, /*  49 */
+ {    0x1D,                  51, 0,  2, "certificateIssuer"         }, /*  50 */
+ {    0x1E,                  52, 0,  2, "nameConstraints"           }, /*  51 */
+ {    0x1F,                  53, 0,  2, "crlDistributionPoints"     }, /*  52 */
+ {    0x20,                  55, 1,  2, "certificatePolicies"       }, /*  53 */
+ {      0x00,                 0, 0,  3, "anyPolicy"                 }, /*  54 */
+ {    0x21,                  56, 0,  2, "policyMappings"            }, /*  55 */
+ {    0x23,                  57, 0,  2, "authorityKeyIdentifier"    }, /*  56 */
+ {    0x24,                  58, 0,  2, "policyConstraints"         }, /*  57 */
+ {    0x25,                  60, 1,  2, "extendedKeyUsage"          }, /*  58 */
+ {      0x00,                 0, 0,  3, "anyExtendedKeyUsage"       }, /*  59 */
+ {    0x2E,                  61, 0,  2, "freshestCRL"               }, /*  60 */
+ {    0x36,                  62, 0,  2, "inhibitAnyPolicy"          }, /*  61 */
+ {    0x37,                  63, 0,  2, "targetInformation"         }, /*  62 */
+ {    0x38,                   0, 0,  2, "noRevAvail"                }, /*  63 */
+ {0x2A,                     161, 1,  0, ""                          }, /*  64 */
+ {  0x83,                    77, 1,  1, ""                          }, /*  65 */
+ {    0x08,                   0, 1,  2, "jp"                        }, /*  66 */
+ {      0x8C,                 0, 1,  3, ""                          }, /*  67 */
+ {        0x9A,               0, 1,  4, ""                          }, /*  68 */
+ {          0x4B,             0, 1,  5, ""                          }, /*  69 */
+ {            0x3D,           0, 1,  6, ""                          }, /*  70 */
+ {              0x01,         0, 1,  7, "security"                  }, /*  71 */
+ {                0x01,       0, 1,  8, "algorithm"                 }, /*  72 */
+ {                  0x01,     0, 1,  9, "symm-encryption-alg"       }, /*  73 */
+ {                    0x02,  75, 0, 10, "camellia128-cbc"           }, /*  74 */
+ {                    0x03,  76, 0, 10, "camellia192-cbc"           }, /*  75 */
+ {                    0x04,   0, 0, 10, "camellia256-cbc"           }, /*  76 */
+ {  0x86,                     0, 1,  1, ""                          }, /*  77 */
+ {    0x48,                   0, 1,  2, "us"                        }, /*  78 */
+ {      0x86,               120, 1,  3, ""                          }, /*  79 */
+ {        0xF6,              85, 1,  4, ""                          }, /*  80 */
+ {          0x7D,             0, 1,  5, "NortelNetworks"            }, /*  81 */
+ {            0x07,           0, 1,  6, "Entrust"                   }, /*  82 */
+ {              0x41,         0, 1,  7, "nsn-ce"                    }, /*  83 */
+ {                0x00,       0, 0,  8, "entrustVersInfo"           }, /*  84 */
+ {        0xF7,               0, 1,  4, ""                          }, /*  85 */
+ {          0x0D,             0, 1,  5, "RSADSI"                    }, /*  86 */
+ {            0x01,         115, 1,  6, "PKCS"                      }, /*  87 */
+ {              0x01,        97, 1,  7, "PKCS-1"                    }, /*  88 */
+ {                0x01,      90, 0,  8, "rsaEncryption"             }, /*  89 */
+ {                0x02,      91, 0,  8, "md2WithRSAEncryption"      }, /*  90 */
+ {                0x04,      92, 0,  8, "md5WithRSAEncryption"      }, /*  91 */
+ {                0x05,      93, 0,  8, "sha-1WithRSAEncryption"    }, /*  92 */
+ {                0x0B,      94, 0,  8, "sha256WithRSAEncryption"   }, /*  93 */
+ {                0x0C,      95, 0,  8, "sha384WithRSAEncryption"   }, /*  94 */
+ {                0x0D,      96, 0,  8, "sha512WithRSAEncryption"   }, /*  95 */
+ {                0x0E,       0, 0,  8, "sha224WithRSAEncryption"   }, /*  96 */
+ {              0x07,       104, 1,  7, "PKCS-7"                    }, /*  97 */
+ {                0x01,      99, 0,  8, "data"                      }, /*  98 */
+ {                0x02,     100, 0,  8, "signedData"                }, /*  99 */
+ {                0x03,     101, 0,  8, "envelopedData"             }, /* 100 */
+ {                0x04,     102, 0,  8, "signedAndEnvelopedData"    }, /* 101 */
+ {                0x05,     103, 0,  8, "digestedData"              }, /* 102 */
+ {                0x06,       0, 0,  8, "encryptedData"             }, /* 103 */
+ {              0x09,         0, 1,  7, "PKCS-9"                    }, /* 104 */
+ {                0x01,     106, 0,  8, "E"                         }, /* 105 */
+ {                0x02,     107, 0,  8, "unstructuredName"          }, /* 106 */
+ {                0x03,     108, 0,  8, "contentType"               }, /* 107 */
+ {                0x04,     109, 0,  8, "messageDigest"             }, /* 108 */
+ {                0x05,     110, 0,  8, "signingTime"               }, /* 109 */
+ {                0x06,     111, 0,  8, "counterSignature"          }, /* 110 */
+ {                0x07,     112, 0,  8, "challengePassword"         }, /* 111 */
+ {                0x08,     113, 0,  8, "unstructuredAddress"       }, /* 112 */
+ {                0x0E,     114, 0,  8, "extensionRequest"          }, /* 113 */
+ {                0x0F,       0, 0,  8, "S/MIME Capabilities"       }, /* 114 */
+ {            0x02,         118, 1,  6, "digestAlgorithm"           }, /* 115 */
+ {              0x02,       117, 0,  7, "md2"                       }, /* 116 */
+ {              0x05,         0, 0,  7, "md5"                       }, /* 117 */
+ {            0x03,           0, 1,  6, "encryptionAlgorithm"       }, /* 118 */
+ {              0x07,         0, 0,  7, "3des-ede-cbc"              }, /* 119 */
+ {      0xCE,                 0, 1,  3, ""                          }, /* 120 */
+ {        0x3D,               0, 1,  4, "ansi-X9-62"                }, /* 121 */
+ {          0x02,           124, 1,  5, "id-publicKeyType"          }, /* 122 */
+ {            0x01,           0, 0,  6, "id-ecPublicKey"            }, /* 123 */
+ {          0x03,           154, 1,  5, "ellipticCurve"             }, /* 124 */
+ {            0x00,         146, 1,  6, "c-TwoCurve"                }, /* 125 */
+ {              0x01,       127, 0,  7, "c2pnb163v1"                }, /* 126 */
+ {              0x02,       128, 0,  7, "c2pnb163v2"                }, /* 127 */
+ {              0x03,       129, 0,  7, "c2pnb163v3"                }, /* 128 */
+ {              0x04,       130, 0,  7, "c2pnb176w1"                }, /* 129 */
+ {              0x05,       131, 0,  7, "c2tnb191v1"                }, /* 130 */
+ {              0x06,       132, 0,  7, "c2tnb191v2"                }, /* 131 */
+ {              0x07,       133, 0,  7, "c2tnb191v3"                }, /* 132 */
+ {              0x08,       134, 0,  7, "c2onb191v4"                }, /* 133 */
+ {              0x09,       135, 0,  7, "c2onb191v5"                }, /* 134 */
+ {              0x0A,       136, 0,  7, "c2pnb208w1"                }, /* 135 */
+ {              0x0B,       137, 0,  7, "c2tnb239v1"                }, /* 136 */
+ {              0x0C,       138, 0,  7, "c2tnb239v2"                }, /* 137 */
+ {              0x0D,       139, 0,  7, "c2tnb239v3"                }, /* 138 */
+ {              0x0E,       140, 0,  7, "c2onb239v4"                }, /* 139 */
+ {              0x0F,       141, 0,  7, "c2onb239v5"                }, /* 140 */
+ {              0x10,       142, 0,  7, "c2pnb272w1"                }, /* 141 */
+ {              0x11,       143, 0,  7, "c2pnb304w1"                }, /* 142 */
+ {              0x12,       144, 0,  7, "c2tnb359v1"                }, /* 143 */
+ {              0x13,       145, 0,  7, "c2pnb368w1"                }, /* 144 */
+ {              0x14,         0, 0,  7, "c2tnb431r1"                }, /* 145 */
+ {            0x01,           0, 1,  6, "primeCurve"                }, /* 146 */
+ {              0x01,       148, 0,  7, "prime192v1"                }, /* 147 */
+ {              0x02,       149, 0,  7, "prime192v2"                }, /* 148 */
+ {              0x03,       150, 0,  7, "prime192v3"                }, /* 149 */
+ {              0x04,       151, 0,  7, "prime239v1"                }, /* 150 */
+ {              0x05,       152, 0,  7, "prime239v2"                }, /* 151 */
+ {              0x06,       153, 0,  7, "prime239v3"                }, /* 152 */
+ {              0x07,         0, 0,  7, "prime256v1"                }, /* 153 */
+ {          0x04,             0, 1,  5, "id-ecSigType"              }, /* 154 */
+ {            0x01,         156, 0,  6, "ecdsa-with-SHA1"           }, /* 155 */
+ {            0x03,           0, 1,  6, "ecdsa-with-Specified"      }, /* 156 */
+ {              0x01,       158, 0,  7, "ecdsa-with-SHA224"         }, /* 157 */
+ {              0x02,       159, 0,  7, "ecdsa-with-SHA256"         }, /* 158 */
+ {              0x03,       160, 0,  7, "ecdsa-with-SHA384"         }, /* 159 */
+ {              0x04,         0, 0,  7, "ecdsa-with-SHA512"         }, /* 160 */
+ {0x2B,                     307, 1,  0, ""                          }, /* 161 */
+ {  0x06,                   221, 1,  1, "dod"                       }, /* 162 */
+ {    0x01,                   0, 1,  2, "internet"                  }, /* 163 */
+ {      0x04,               182, 1,  3, "private"                   }, /* 164 */
+ {        0x01,               0, 1,  4, "enterprise"                }, /* 165 */
+ {          0x82,           175, 1,  5, ""                          }, /* 166 */
+ {            0x37,           0, 1,  6, "Microsoft"                 }, /* 167 */
+ {              0x0A,       172, 1,  7, ""                          }, /* 168 */
+ {                0x03,       0, 1,  8, ""                          }, /* 169 */
+ {                  0x03,   171, 0,  9, "msSGC"                     }, /* 170 */
+ {                  0x04,     0, 0,  9, "msEncryptingFileSystem"    }, /* 171 */
+ {              0x14,         0, 1,  7, "msEnrollmentInfrastructure"}, /* 172 */
+ {                0x02,       0, 1,  8, "msCertificateTypeExtension"}, /* 173 */
+ {                  0x02,     0, 0,  9, "msSmartcardLogon"          }, /* 174 */
+ {          0x89,             0, 1,  5, ""                          }, /* 175 */
+ {            0x31,           0, 1,  6, ""                          }, /* 176 */
+ {              0x01,         0, 1,  7, ""                          }, /* 177 */
+ {                0x01,       0, 1,  8, ""                          }, /* 178 */
+ {                  0x02,     0, 1,  9, ""                          }, /* 179 */
+ {                    0x02, 181, 0, 10, ""                          }, /* 180 */
+ {                    0x4B,   0, 0, 10, "TCGID"                     }, /* 181 */
+ {      0x05,                 0, 1,  3, "security"                  }, /* 182 */
+ {        0x05,               0, 1,  4, "mechanisms"                }, /* 183 */
+ {          0x07,             0, 1,  5, "id-pkix"                   }, /* 184 */
+ {            0x01,         188, 1,  6, "id-pe"                     }, /* 185 */
+ {              0x01,       187, 0,  7, "authorityInfoAccess"       }, /* 186 */
+ {              0x07,         0, 0,  7, "ipAddrBlocks"              }, /* 187 */
+ {            0x02,         191, 1,  6, "id-qt"                     }, /* 188 */
+ {              0x01,       190, 0,  7, "cps"                       }, /* 189 */
+ {              0x02,         0, 0,  7, "unotice"                   }, /* 190 */
+ {            0x03,         201, 1,  6, "id-kp"                     }, /* 191 */
+ {              0x01,       193, 0,  7, "serverAuth"                }, /* 192 */
+ {              0x02,       194, 0,  7, "clientAuth"                }, /* 193 */
+ {              0x03,       195, 0,  7, "codeSigning"               }, /* 194 */
+ {              0x04,       196, 0,  7, "emailProtection"           }, /* 195 */
+ {              0x05,       197, 0,  7, "ipsecEndSystem"            }, /* 196 */
+ {              0x06,       198, 0,  7, "ipsecTunnel"               }, /* 197 */
+ {              0x07,       199, 0,  7, "ipsecUser"                 }, /* 198 */
+ {              0x08,       200, 0,  7, "timeStamping"              }, /* 199 */
+ {              0x09,         0, 0,  7, "ocspSigning"               }, /* 200 */
+ {            0x08,         203, 1,  6, "id-otherNames"             }, /* 201 */
+ {              0x05,         0, 0,  7, "xmppAddr"                  }, /* 202 */
+ {            0x0A,         208, 1,  6, "id-aca"                    }, /* 203 */
+ {              0x01,       205, 0,  7, "authenticationInfo"        }, /* 204 */
+ {              0x02,       206, 0,  7, "accessIdentity"            }, /* 205 */
+ {              0x03,       207, 0,  7, "chargingIdentity"          }, /* 206 */
+ {              0x04,         0, 0,  7, "group"                     }, /* 207 */
+ {            0x0B,         209, 0,  6, "subjectInfoAccess"         }, /* 208 */
+ {            0x30,           0, 1,  6, "id-ad"                     }, /* 209 */
+ {              0x01,       218, 1,  7, "ocsp"                      }, /* 210 */
+ {                0x01,     212, 0,  8, "basic"                     }, /* 211 */
+ {                0x02,     213, 0,  8, "nonce"                     }, /* 212 */
+ {                0x03,     214, 0,  8, "crl"                       }, /* 213 */
+ {                0x04,     215, 0,  8, "response"                  }, /* 214 */
+ {                0x05,     216, 0,  8, "noCheck"                   }, /* 215 */
+ {                0x06,     217, 0,  8, "archiveCutoff"             }, /* 216 */
+ {                0x07,       0, 0,  8, "serviceLocator"            }, /* 217 */
+ {              0x02,       219, 0,  7, "caIssuers"                 }, /* 218 */
+ {              0x03,       220, 0,  7, "timeStamping"              }, /* 219 */
+ {              0x05,         0, 0,  7, "caRepository"              }, /* 220 */
+ {  0x0E,                   227, 1,  1, "oiw"                       }, /* 221 */
+ {    0x03,                   0, 1,  2, "secsig"                    }, /* 222 */
+ {      0x02,                 0, 1,  3, "algorithms"                }, /* 223 */
+ {        0x07,             225, 0,  4, "des-cbc"                   }, /* 224 */
+ {        0x1A,             226, 0,  4, "sha-1"                     }, /* 225 */
+ {        0x1D,               0, 0,  4, "sha-1WithRSASignature"     }, /* 226 */
+ {  0x24,                   273, 1,  1, "TeleTrusT"                 }, /* 227 */
+ {    0x03,                   0, 1,  2, "algorithm"                 }, /* 228 */
+ {      0x03,                 0, 1,  3, "signatureAlgorithm"        }, /* 229 */
+ {        0x01,             234, 1,  4, "rsaSignature"              }, /* 230 */
+ {          0x02,           232, 0,  5, "rsaSigWithripemd160"       }, /* 231 */
+ {          0x03,           233, 0,  5, "rsaSigWithripemd128"       }, /* 232 */
+ {          0x04,             0, 0,  5, "rsaSigWithripemd256"       }, /* 233 */
+ {        0x02,               0, 1,  4, "ecSign"                    }, /* 234 */
+ {          0x01,           236, 0,  5, "ecSignWithsha1"            }, /* 235 */
+ {          0x02,           237, 0,  5, "ecSignWithripemd160"       }, /* 236 */
+ {          0x03,           238, 0,  5, "ecSignWithmd2"             }, /* 237 */
+ {          0x04,           239, 0,  5, "ecSignWithmd5"             }, /* 238 */
+ {          0x05,           256, 1,  5, "ttt-ecg"                   }, /* 239 */
+ {            0x01,         244, 1,  6, "fieldType"                 }, /* 240 */
+ {              0x01,         0, 1,  7, "characteristictwoField"    }, /* 241 */
+ {                0x01,       0, 1,  8, "basisType"                 }, /* 242 */
+ {                  0x01,     0, 0,  9, "ipBasis"                   }, /* 243 */
+ {            0x02,         246, 1,  6, "keyType"                   }, /* 244 */
+ {              0x01,         0, 0,  7, "ecgPublicKey"              }, /* 245 */
+ {            0x03,         247, 0,  6, "curve"                     }, /* 246 */
+ {            0x04,         254, 1,  6, "signatures"                }, /* 247 */
+ {              0x01,       249, 0,  7, "ecgdsa-with-RIPEMD160"     }, /* 248 */
+ {              0x02,       250, 0,  7, "ecgdsa-with-SHA1"          }, /* 249 */
+ {              0x03,       251, 0,  7, "ecgdsa-with-SHA224"        }, /* 250 */
+ {              0x04,       252, 0,  7, "ecgdsa-with-SHA256"        }, /* 251 */
+ {              0x05,       253, 0,  7, "ecgdsa-with-SHA384"        }, /* 252 */
+ {              0x06,         0, 0,  7, "ecgdsa-with-SHA512"        }, /* 253 */
+ {            0x05,           0, 1,  6, "module"                    }, /* 254 */
+ {              0x01,         0, 0,  7, "1"                         }, /* 255 */
+ {          0x08,             0, 1,  5, "ecStdCurvesAndGeneration"  }, /* 256 */
+ {            0x01,           0, 1,  6, "ellipticCurve"             }, /* 257 */
+ {              0x01,         0, 1,  7, "versionOne"                }, /* 258 */
+ {                0x01,     260, 0,  8, "brainpoolP160r1"           }, /* 259 */
+ {                0x02,     261, 0,  8, "brainpoolP160t1"           }, /* 260 */
+ {                0x03,     262, 0,  8, "brainpoolP192r1"           }, /* 261 */
+ {                0x04,     263, 0,  8, "brainpoolP192t1"           }, /* 262 */
+ {                0x05,     264, 0,  8, "brainpoolP224r1"           }, /* 263 */
+ {                0x06,     265, 0,  8, "brainpoolP224t1"           }, /* 264 */
+ {                0x07,     266, 0,  8, "brainpoolP256r1"           }, /* 265 */
+ {                0x08,     267, 0,  8, "brainpoolP256t1"           }, /* 266 */
+ {                0x09,     268, 0,  8, "brainpoolP320r1"           }, /* 267 */
+ {                0x0A,     269, 0,  8, "brainpoolP320t1"           }, /* 268 */
+ {                0x0B,     270, 0,  8, "brainpoolP384r1"           }, /* 269 */
+ {                0x0C,     271, 0,  8, "brainpoolP384t1"           }, /* 270 */
+ {                0x0D,     272, 0,  8, "brainpoolP512r1"           }, /* 271 */
+ {                0x0E,       0, 0,  8, "brainpoolP512t1"           }, /* 272 */
+ {  0x81,                     0, 1,  1, ""                          }, /* 273 */
+ {    0x04,                   0, 1,  2, "Certicom"                  }, /* 274 */
+ {      0x00,                 0, 1,  3, "curve"                     }, /* 275 */
+ {        0x01,             277, 0,  4, "sect163k1"                 }, /* 276 */
+ {        0x02,             278, 0,  4, "sect163r1"                 }, /* 277 */
+ {        0x03,             279, 0,  4, "sect239k1"                 }, /* 278 */
+ {        0x04,             280, 0,  4, "sect113r1"                 }, /* 279 */
+ {        0x05,             281, 0,  4, "sect113r2"                 }, /* 280 */
+ {        0x06,             282, 0,  4, "secp112r1"                 }, /* 281 */
+ {        0x07,             283, 0,  4, "secp112r2"                 }, /* 282 */
+ {        0x08,             284, 0,  4, "secp160r1"                 }, /* 283 */
+ {        0x09,             285, 0,  4, "secp160k1"                 }, /* 284 */
+ {        0x0A,             286, 0,  4, "secp256k1"                 }, /* 285 */
+ {        0x0F,             287, 0,  4, "sect163r2"                 }, /* 286 */
+ {        0x10,             288, 0,  4, "sect283k1"                 }, /* 287 */
+ {        0x11,             289, 0,  4, "sect283r1"                 }, /* 288 */
+ {        0x16,             290, 0,  4, "sect131r1"                 }, /* 289 */
+ {        0x17,             291, 0,  4, "sect131r2"                 }, /* 290 */
+ {        0x18,             292, 0,  4, "sect193r1"                 }, /* 291 */
+ {        0x19,             293, 0,  4, "sect193r2"                 }, /* 292 */
+ {        0x1A,             294, 0,  4, "sect233k1"                 }, /* 293 */
+ {        0x1B,             295, 0,  4, "sect233r1"                 }, /* 294 */
+ {        0x1C,             296, 0,  4, "secp128r1"                 }, /* 295 */
+ {        0x1D,             297, 0,  4, "secp128r2"                 }, /* 296 */
+ {        0x1E,             298, 0,  4, "secp160r2"                 }, /* 297 */
+ {        0x1F,             299, 0,  4, "secp192k1"                 }, /* 298 */
+ {        0x20,             300, 0,  4, "secp224k1"                 }, /* 299 */
+ {        0x21,             301, 0,  4, "secp224r1"                 }, /* 300 */
+ {        0x22,             302, 0,  4, "secp384r1"                 }, /* 301 */
+ {        0x23,             303, 0,  4, "secp521r1"                 }, /* 302 */
+ {        0x24,             304, 0,  4, "sect409k1"                 }, /* 303 */
+ {        0x25,             305, 0,  4, "sect409r1"                 }, /* 304 */
+ {        0x26,             306, 0,  4, "sect571k1"                 }, /* 305 */
+ {        0x27,               0, 0,  4, "sect571r1"                 }, /* 306 */
+ {0x60,                       0, 1,  0, ""                          }, /* 307 */
+ {  0x86,                     0, 1,  1, ""                          }, /* 308 */
+ {    0x48,                   0, 1,  2, ""                          }, /* 309 */
+ {      0x01,                 0, 1,  3, "organization"              }, /* 310 */
+ {        0x65,             329, 1,  4, "gov"                       }, /* 311 */
+ {          0x03,             0, 1,  5, "csor"                      }, /* 312 */
+ {            0x04,           0, 1,  6, "nistalgorithm"             }, /* 313 */
+ {              0x01,       324, 1,  7, "aes"                       }, /* 314 */
+ {                0x02,     316, 0,  8, "id-aes128-CBC"             }, /* 315 */
+ {                0x06,     317, 0,  8, "id-aes128-GCM"             }, /* 316 */
+ {                0x07,     318, 0,  8, "id-aes128-CCM"             }, /* 317 */
+ {                0x16,     319, 0,  8, "id-aes192-CBC"             }, /* 318 */
+ {                0x1A,     320, 0,  8, "id-aes192-GCM"             }, /* 319 */
+ {                0x1B,     321, 0,  8, "id-aes192-CCM"             }, /* 320 */
+ {                0x2A,     322, 0,  8, "id-aes256-CBC"             }, /* 321 */
+ {                0x2E,     323, 0,  8, "id-aes256-GCM"             }, /* 322 */
+ {                0x2F,       0, 0,  8, "id-aes256-CCM"             }, /* 323 */
+ {              0x02,         0, 1,  7, "hashalgs"                  }, /* 324 */
+ {                0x01,     326, 0,  8, "id-SHA-256"                }, /* 325 */
+ {                0x02,     327, 0,  8, "id-SHA-384"                }, /* 326 */
+ {                0x03,     328, 0,  8, "id-SHA-512"                }, /* 327 */
+ {                0x04,       0, 0,  8, "id-SHA-224"                }, /* 328 */
+ {        0x86,               0, 1,  4, ""                          }, /* 329 */
+ {          0xf8,             0, 1,  5, ""                          }, /* 330 */
+ {            0x42,         343, 1,  6, "netscape"                  }, /* 331 */
+ {              0x01,       338, 1,  7, ""                          }, /* 332 */
+ {                0x01,     334, 0,  8, "nsCertType"                }, /* 333 */
+ {                0x03,     335, 0,  8, "nsRevocationUrl"           }, /* 334 */
+ {                0x04,     336, 0,  8, "nsCaRevocationUrl"         }, /* 335 */
+ {                0x08,     337, 0,  8, "nsCaPolicyUrl"             }, /* 336 */
+ {                0x0d,       0, 0,  8, "nsComment"                 }, /* 337 */
+ {              0x03,       341, 1,  7, "directory"                 }, /* 338 */
+ {                0x01,       0, 1,  8, ""                          }, /* 339 */
+ {                  0x03,     0, 0,  9, "employeeNumber"            }, /* 340 */
+ {              0x04,         0, 1,  7, "policy"                    }, /* 341 */
+ {                0x01,       0, 0,  8, "nsSGC"                     }, /* 342 */
+ {            0x45,           0, 1,  6, "verisign"                  }, /* 343 */
+ {              0x01,         0, 1,  7, "pki"                       }, /* 344 */
+ {                0x09,       0, 1,  8, "attributes"                }, /* 345 */
+ {                  0x02,   347, 0,  9, "messageType"               }, /* 346 */
+ {                  0x03,   348, 0,  9, "pkiStatus"                 }, /* 347 */
+ {                  0x04,   349, 0,  9, "failInfo"                  }, /* 348 */
+ {                  0x05,   350, 0,  9, "senderNonce"               }, /* 349 */
+ {                  0x06,   351, 0,  9, "recipientNonce"            }, /* 350 */
+ {                  0x07,   352, 0,  9, "transID"                   }, /* 351 */
+ {                  0x08,   353, 0,  9, "extensionReq"              }, /* 352 */
+ {                  0x08,     0, 0,  9, "extensionReq"              }  /* 353 */
 };
diff --git a/src/libstrongswan/asn1/oid.h b/src/libstrongswan/asn1/oid.h
index b7241af8d..32e2eb033 100644
--- a/src/libstrongswan/asn1/oid.h
+++ b/src/libstrongswan/asn1/oid.h
@@ -45,146 +45,162 @@ extern const oid_t oid_names[];
 #define OID_BASIC_CONSTRAINTS				43
 #define OID_CRL_NUMBER						44
 #define OID_CRL_REASON_CODE					45
-#define OID_CRL_DISTRIBUTION_POINTS			46
-#define OID_AUTHORITY_KEY_ID				48
-#define OID_EXTENDED_KEY_USAGE				49
-#define OID_TARGET_INFORMATION				50
-#define OID_NO_REV_AVAIL					51
-#define OID_CAMELLIA128_CBC					62
-#define OID_CAMELLIA192_CBC					63
-#define OID_CAMELLIA256_CBC					64
-#define OID_RSA_ENCRYPTION					77
-#define OID_MD2_WITH_RSA					78
-#define OID_MD5_WITH_RSA					79
-#define OID_SHA1_WITH_RSA					80
-#define OID_SHA256_WITH_RSA					81
-#define OID_SHA384_WITH_RSA					82
-#define OID_SHA512_WITH_RSA					83
-#define OID_SHA224_WITH_RSA					84
-#define OID_PKCS7_DATA						86
-#define OID_PKCS7_SIGNED_DATA				87
-#define OID_PKCS7_ENVELOPED_DATA			88
-#define OID_PKCS7_SIGNED_ENVELOPED_DATA		89
-#define OID_PKCS7_DIGESTED_DATA				90
-#define OID_PKCS7_ENCRYPTED_DATA			91
-#define OID_PKCS9_EMAIL						93
-#define OID_PKCS9_CONTENT_TYPE				95
-#define OID_PKCS9_MESSAGE_DIGEST			96
-#define OID_PKCS9_SIGNING_TIME				97
-#define OID_MD2								104
-#define OID_MD5								105
-#define OID_3DES_EDE_CBC					107
-#define OID_EC_PUBLICKEY					111
-#define OID_C2PNB163V1						114
-#define OID_C2PNB163V2						115
-#define OID_C2PNB163V3						116
-#define OID_C2PNB176W1						117
-#define OID_C2PNB191V1						118
-#define OID_C2PNB191V2						119
-#define OID_C2PNB191V3						120
-#define OID_C2PNB191V4						121
-#define OID_C2PNB191V5						122
-#define OID_C2PNB208W1						123
-#define OID_C2PNB239V1						124
-#define OID_C2PNB239V2						125
-#define OID_C2PNB239V3						126
-#define OID_C2PNB239V4						127
-#define OID_C2PNB239V5						128
-#define OID_C2PNB272W1						129
-#define OID_C2PNB304W1						130
-#define OID_C2PNB359V1						131
-#define OID_C2PNB368W1						132
-#define OID_C2PNB431R1						133
-#define OID_PRIME192V1						135
-#define OID_PRIME192V2						136
-#define OID_PRIME192V3						137
-#define OID_PRIME239V1						138
-#define OID_PRIME239V2						139
-#define OID_PRIME239V3						140
-#define OID_PRIME256V1						141
-#define OID_ECDSA_WITH_SHA1					143
-#define OID_ECDSA_WITH_SHA224				145
-#define OID_ECDSA_WITH_SHA256				146
-#define OID_ECDSA_WITH_SHA384				147
-#define OID_ECDSA_WITH_SHA512				148
-#define OID_TCGID							169
-#define OID_AUTHORITY_INFO_ACCESS			174
-#define OID_OCSP_SIGNING					184
-#define OID_XMPP_ADDR						186
-#define OID_AUTHENTICATION_INFO				188
-#define OID_ACCESS_IDENTITY					189
-#define OID_CHARGING_IDENTITY				190
-#define OID_GROUP							191
-#define OID_OCSP							193
-#define OID_BASIC							194
-#define OID_NONCE							195
-#define OID_CRL								196
-#define OID_RESPONSE						197
-#define OID_NO_CHECK						198
-#define OID_ARCHIVE_CUTOFF					199
-#define OID_SERVICE_LOCATOR					200
-#define OID_CA_ISSUERS						201
-#define OID_DES_CBC							205
-#define OID_SHA1							206
-#define OID_SHA1_WITH_RSA_OIW				207
-#define OID_SECT163K1						218
-#define OID_SECT163R1						219
-#define OID_SECT239K1						220
-#define OID_SECT113R1						221
-#define OID_SECT113R2						222
-#define OID_SECT112R1						223
-#define OID_SECT112R2						224
-#define OID_SECT160R1						225
-#define OID_SECT160K1						226
-#define OID_SECT256K1						227
-#define OID_SECT163R2						228
-#define OID_SECT283K1						229
-#define OID_SECT283R1						230
-#define OID_SECT131R1						231
-#define OID_SECT131R2						232
-#define OID_SECT193R1						233
-#define OID_SECT193R2						234
-#define OID_SECT233K1						235
-#define OID_SECT233R1						236
-#define OID_SECT128R1						237
-#define OID_SECT128R2						238
-#define OID_SECT160R2						239
-#define OID_SECT192K1						240
-#define OID_SECT224K1						241
-#define OID_SECT224R1						242
-#define OID_SECT384R1						243
-#define OID_SECT521R1						244
-#define OID_SECT409K1						245
-#define OID_SECT409R1						246
-#define OID_SECT571K1						247
-#define OID_SECT571R1						248
-#define OID_AES128_CBC						257
-#define OID_AES128_GCM						258
-#define OID_AES128_CCM						259
-#define OID_AES192_CBC						260
-#define OID_AES192_GCM						261
-#define OID_AES192_CCM						262
-#define OID_AES256_CBC						263
-#define OID_AES256_GCM						264
-#define OID_AES256_CCM						265
-#define OID_SHA256							267
-#define OID_SHA384							268
-#define OID_SHA512							269
-#define OID_SHA224							270
-#define OID_NS_REVOCATION_URL				276
-#define OID_NS_CA_REVOCATION_URL			277
-#define OID_NS_CA_POLICY_URL				278
-#define OID_NS_COMMENT						279
-#define OID_EMPLOYEE_NUMBER					282
-#define OID_PKI_MESSAGE_TYPE				288
-#define OID_PKI_STATUS						289
-#define OID_PKI_FAIL_INFO					290
-#define OID_PKI_SENDER_NONCE				291
-#define OID_PKI_RECIPIENT_NONCE				292
-#define OID_PKI_TRANS_ID					293
-#define OID_EMAIL_ADDRESS					300
-#define OID_UNSTRUCTURED_NAME				301
+#define OID_DELTA_CRL_INDICATOR				48
+#define OID_NAME_CONSTRAINTS				51
+#define OID_CRL_DISTRIBUTION_POINTS			52
+#define OID_ANY_POLICY						54
+#define OID_AUTHORITY_KEY_ID				56
+#define OID_EXTENDED_KEY_USAGE				58
+#define OID_FRESHEST_CRL					60
+#define OID_INHIBIT_ANY_POLICY				61
+#define OID_TARGET_INFORMATION				62
+#define OID_NO_REV_AVAIL					63
+#define OID_CAMELLIA128_CBC					74
+#define OID_CAMELLIA192_CBC					75
+#define OID_CAMELLIA256_CBC					76
+#define OID_RSA_ENCRYPTION					89
+#define OID_MD2_WITH_RSA					90
+#define OID_MD5_WITH_RSA					91
+#define OID_SHA1_WITH_RSA					92
+#define OID_SHA256_WITH_RSA					93
+#define OID_SHA384_WITH_RSA					94
+#define OID_SHA512_WITH_RSA					95
+#define OID_SHA224_WITH_RSA					96
+#define OID_PKCS7_DATA						98
+#define OID_PKCS7_SIGNED_DATA				99
+#define OID_PKCS7_ENVELOPED_DATA			100
+#define OID_PKCS7_SIGNED_ENVELOPED_DATA		101
+#define OID_PKCS7_DIGESTED_DATA				102
+#define OID_PKCS7_ENCRYPTED_DATA			103
+#define OID_EMAIL_ADDRESS					105
+#define OID_UNSTRUCTURED_NAME				106
+#define OID_PKCS9_CONTENT_TYPE				107
+#define OID_PKCS9_MESSAGE_DIGEST			108
+#define OID_PKCS9_SIGNING_TIME				109
+#define OID_CHALLENGE_PASSWORD				111
+#define OID_EXTENSION_REQUEST				113
+#define OID_MD2								116
+#define OID_MD5								117
+#define OID_3DES_EDE_CBC					119
+#define OID_EC_PUBLICKEY					123
+#define OID_C2PNB163V1						126
+#define OID_C2PNB163V2						127
+#define OID_C2PNB163V3						128
+#define OID_C2PNB176W1						129
+#define OID_C2PNB191V1						130
+#define OID_C2PNB191V2						131
+#define OID_C2PNB191V3						132
+#define OID_C2PNB191V4						133
+#define OID_C2PNB191V5						134
+#define OID_C2PNB208W1						135
+#define OID_C2PNB239V1						136
+#define OID_C2PNB239V2						137
+#define OID_C2PNB239V3						138
+#define OID_C2PNB239V4						139
+#define OID_C2PNB239V5						140
+#define OID_C2PNB272W1						141
+#define OID_C2PNB304W1						142
+#define OID_C2PNB359V1						143
+#define OID_C2PNB368W1						144
+#define OID_C2PNB431R1						145
+#define OID_PRIME192V1						147
+#define OID_PRIME192V2						148
+#define OID_PRIME192V3						149
+#define OID_PRIME239V1						150
+#define OID_PRIME239V2						151
+#define OID_PRIME239V3						152
+#define OID_PRIME256V1						153
+#define OID_ECDSA_WITH_SHA1					155
+#define OID_ECDSA_WITH_SHA224				157
+#define OID_ECDSA_WITH_SHA256				158
+#define OID_ECDSA_WITH_SHA384				159
+#define OID_ECDSA_WITH_SHA512				160
+#define OID_TCGID							181
+#define OID_AUTHORITY_INFO_ACCESS			186
+#define OID_IP_ADDR_BLOCKS					187
+#define OID_SERVER_AUTH						192
+#define OID_CLIENT_AUTH						193
+#define OID_OCSP_SIGNING					200
+#define OID_XMPP_ADDR						202
+#define OID_AUTHENTICATION_INFO				204
+#define OID_ACCESS_IDENTITY					205
+#define OID_CHARGING_IDENTITY				206
+#define OID_GROUP							207
+#define OID_OCSP							210
+#define OID_BASIC							211
+#define OID_NONCE							212
+#define OID_CRL								213
+#define OID_RESPONSE						214
+#define OID_NO_CHECK						215
+#define OID_ARCHIVE_CUTOFF					216
+#define OID_SERVICE_LOCATOR					217
+#define OID_CA_ISSUERS						218
+#define OID_DES_CBC							224
+#define OID_SHA1							225
+#define OID_SHA1_WITH_RSA_OIW				226
+#define OID_ECGDSA_PUBKEY					245
+#define OID_ECGDSA_SIG_WITH_RIPEMD160		248
+#define OID_ECGDSA_SIG_WITH_SHA1			249
+#define OID_ECGDSA_SIG_WITH_SHA224			250
+#define OID_ECGDSA_SIG_WITH_SHA256			251
+#define OID_ECGDSA_SIG_WITH_SHA384			252
+#define OID_ECGDSA_SIG_WITH_SHA512			253
+#define OID_SECT163K1						276
+#define OID_SECT163R1						277
+#define OID_SECT239K1						278
+#define OID_SECT113R1						279
+#define OID_SECT113R2						280
+#define OID_SECT112R1						281
+#define OID_SECT112R2						282
+#define OID_SECT160R1						283
+#define OID_SECT160K1						284
+#define OID_SECT256K1						285
+#define OID_SECT163R2						286
+#define OID_SECT283K1						287
+#define OID_SECT283R1						288
+#define OID_SECT131R1						289
+#define OID_SECT131R2						290
+#define OID_SECT193R1						291
+#define OID_SECT193R2						292
+#define OID_SECT233K1						293
+#define OID_SECT233R1						294
+#define OID_SECT128R1						295
+#define OID_SECT128R2						296
+#define OID_SECT160R2						297
+#define OID_SECT192K1						298
+#define OID_SECT224K1						299
+#define OID_SECT224R1						300
+#define OID_SECT384R1						301
+#define OID_SECT521R1						302
+#define OID_SECT409K1						303
+#define OID_SECT409R1						304
+#define OID_SECT571K1						305
+#define OID_SECT571R1						306
+#define OID_AES128_CBC						315
+#define OID_AES128_GCM						316
+#define OID_AES128_CCM						317
+#define OID_AES192_CBC						318
+#define OID_AES192_GCM						319
+#define OID_AES192_CCM						320
+#define OID_AES256_CBC						321
+#define OID_AES256_GCM						322
+#define OID_AES256_CCM						323
+#define OID_SHA256							325
+#define OID_SHA384							326
+#define OID_SHA512							327
+#define OID_SHA224							328
+#define OID_NS_REVOCATION_URL				334
+#define OID_NS_CA_REVOCATION_URL			335
+#define OID_NS_CA_POLICY_URL				336
+#define OID_NS_COMMENT						337
+#define OID_EMPLOYEE_NUMBER					340
+#define OID_PKI_MESSAGE_TYPE				346
+#define OID_PKI_STATUS						347
+#define OID_PKI_FAIL_INFO					348
+#define OID_PKI_SENDER_NONCE				349
+#define OID_PKI_RECIPIENT_NONCE				350
+#define OID_PKI_TRANS_ID					351
 
-#define OID_MAX								302
+#define OID_MAX								354
 
 #endif /* OID_H_ */
diff --git a/src/libstrongswan/asn1/oid.txt b/src/libstrongswan/asn1/oid.txt
index 5adca6289..203bc1f28 100644
--- a/src/libstrongswan/asn1/oid.txt
+++ b/src/libstrongswan/asn1/oid.txt
@@ -44,10 +44,22 @@
     0x13                     "basicConstraints"			OID_BASIC_CONSTRAINTS
     0x14                     "crlNumber"				OID_CRL_NUMBER
     0x15                     "reasonCode"				OID_CRL_REASON_CODE
+    0x17                     "holdInstructionCode"
+    0x18                     "invalidityDate"
+    0x1B                     "deltaCrlIndicator"		OID_DELTA_CRL_INDICATOR
+    0x1C                     "issuingDistributionPoint"
+    0x1D                     "certificateIssuer"
+    0x1E                     "nameConstraints"			OID_NAME_CONSTRAINTS
     0x1F                     "crlDistributionPoints"	OID_CRL_DISTRIBUTION_POINTS
     0x20                     "certificatePolicies"
+      0x00                   "anyPolicy"				OID_ANY_POLICY
+    0x21                     "policyMappings"
     0x23                     "authorityKeyIdentifier"	OID_AUTHORITY_KEY_ID
+    0x24                     "policyConstraints"
     0x25                     "extendedKeyUsage"			OID_EXTENDED_KEY_USAGE
+      0x00                   "anyExtendedKeyUsage"
+    0x2E                     "freshestCRL"				OID_FRESHEST_CRL
+    0x36                     "inhibitAnyPolicy"			OID_INHIBIT_ANY_POLICY
     0x37                     "targetInformation"		OID_TARGET_INFORMATION
     0x38                     "noRevAvail"				OID_NO_REV_AVAIL
 0x2A                         ""
@@ -91,15 +103,15 @@
                 0x05         "digestedData"				OID_PKCS7_DIGESTED_DATA
                 0x06         "encryptedData"			OID_PKCS7_ENCRYPTED_DATA
               0x09           "PKCS-9"
-                0x01         "E"						OID_PKCS9_EMAIL
-                0x02         "unstructuredName"
+                0x01         "E"						OID_EMAIL_ADDRESS
+                0x02         "unstructuredName"			OID_UNSTRUCTURED_NAME
                 0x03         "contentType"				OID_PKCS9_CONTENT_TYPE
                 0x04         "messageDigest"			OID_PKCS9_MESSAGE_DIGEST
                 0x05         "signingTime"				OID_PKCS9_SIGNING_TIME
                 0x06         "counterSignature"
-                0x07         "challengePassword"
+                0x07         "challengePassword"		OID_CHALLENGE_PASSWORD
                 0x08         "unstructuredAddress"
-                0x0E         "extensionRequest"
+                0x0E         "extensionRequest"			OID_EXTENSION_REQUEST
                 0x0F         "S/MIME Capabilities"
             0x02             "digestAlgorithm"
               0x02           "md2"						OID_MD2
@@ -173,9 +185,13 @@
           0x07               "id-pkix"
             0x01             "id-pe"
               0x01           "authorityInfoAccess"		OID_AUTHORITY_INFO_ACCESS
+              0x07           "ipAddrBlocks"				OID_IP_ADDR_BLOCKS
+            0x02             "id-qt"
+              0x01           "cps"
+              0x02           "unotice"
             0x03             "id-kp"
-              0x01           "serverAuth"
-              0x02           "clientAuth"
+              0x01           "serverAuth"				OID_SERVER_AUTH
+              0x02           "clientAuth"				OID_CLIENT_AUTH
               0x03           "codeSigning"
               0x04           "emailProtection"
               0x05           "ipsecEndSystem"
@@ -190,6 +206,7 @@
               0x02           "accessIdentity"			OID_ACCESS_IDENTITY
               0x03           "chargingIdentity"			OID_CHARGING_IDENTITY
               0x04           "group"					OID_GROUP
+            0x0B             "subjectInfoAccess"
             0x30             "id-ad"
               0x01           "ocsp"						OID_OCSP
                 0x01         "basic"					OID_BASIC
@@ -200,6 +217,8 @@
                 0x06         "archiveCutoff"			OID_ARCHIVE_CUTOFF
                 0x07         "serviceLocator"			OID_SERVICE_LOCATOR
               0x02           "caIssuers"				OID_CA_ISSUERS
+              0x03           "timeStamping"
+              0x05           "caRepository"
   0x0E                       "oiw"
     0x03                     "secsig"
       0x02                   "algorithms"
@@ -213,6 +232,45 @@
           0x02               "rsaSigWithripemd160"
           0x03               "rsaSigWithripemd128"
           0x04               "rsaSigWithripemd256"
+        0x02                 "ecSign"
+          0x01               "ecSignWithsha1"
+          0x02               "ecSignWithripemd160"
+          0x03               "ecSignWithmd2"
+          0x04               "ecSignWithmd5"
+          0x05               "ttt-ecg"
+            0x01             "fieldType"
+              0x01           "characteristictwoField"
+                0x01         "basisType"
+                  0x01       "ipBasis"
+            0x02             "keyType"
+              0x01           "ecgPublicKey"				OID_ECGDSA_PUBKEY
+            0x03             "curve"
+            0x04             "signatures"
+              0x01           "ecgdsa-with-RIPEMD160"	OID_ECGDSA_SIG_WITH_RIPEMD160
+              0x02           "ecgdsa-with-SHA1"			OID_ECGDSA_SIG_WITH_SHA1
+              0x03           "ecgdsa-with-SHA224"		OID_ECGDSA_SIG_WITH_SHA224
+              0x04           "ecgdsa-with-SHA256"		OID_ECGDSA_SIG_WITH_SHA256
+              0x05           "ecgdsa-with-SHA384"		OID_ECGDSA_SIG_WITH_SHA384
+              0x06           "ecgdsa-with-SHA512"		OID_ECGDSA_SIG_WITH_SHA512
+            0x05             "module"
+              0x01           "1"
+          0x08               "ecStdCurvesAndGeneration"
+            0x01             "ellipticCurve"
+              0x01           "versionOne"
+                0x01         "brainpoolP160r1"
+                0x02         "brainpoolP160t1"
+                0x03         "brainpoolP192r1"
+                0x04         "brainpoolP192t1"
+                0x05         "brainpoolP224r1"
+                0x06         "brainpoolP224t1"
+                0x07         "brainpoolP256r1"
+                0x08         "brainpoolP256t1"
+                0x09         "brainpoolP320r1"
+                0x0A         "brainpoolP320t1"
+                0x0B         "brainpoolP384r1"
+                0x0C         "brainpoolP384t1"
+                0x0D         "brainpoolP512r1"
+                0x0E         "brainpoolP512t1"
   0x81                       ""
     0x04                     "Certicom"
       0x00                   "curve"
@@ -293,10 +351,4 @@
                   0x06       "recipientNonce"			OID_PKI_RECIPIENT_NONCE
                   0x07       "transID"					OID_PKI_TRANS_ID
                   0x08       "extensionReq"
-      0x86                   "old-netscape"
-        0xF7                 ""
-          0x0D               ""
-            0x01             ""
-              0x09           ""
-                0x01         "emailAddress"				OID_EMAIL_ADDRESS
-                0x02         "unstructuredName"			OID_UNSTRUCTURED_NAME
+
diff --git a/src/libstrongswan/asn1/pem.c b/src/libstrongswan/asn1/pem.c
deleted file mode 100755
index 059795548..000000000
--- a/src/libstrongswan/asn1/pem.c
+++ /dev/null
@@ -1,393 +0,0 @@
-/*
- * Copyright (C) 2001-2008 Andreas Steffen
- *
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <errno.h>
-#include <string.h>
-#include <stddef.h>
-#include <sys/types.h>
-
-#include "pem.h"
-
-#include <library.h>
-#include <debug.h>
-#include <asn1/asn1.h>
-
-#include <utils/lexparser.h>
-#include <crypto/hashers/hasher.h>
-#include <crypto/crypters/crypter.h>
-
-#define PKCS5_SALT_LEN	8	/* bytes */
-
-/**
- * check the presence of a pattern in a character string
- */
-static bool present(const char* pattern, chunk_t* ch)
-{
-	u_int pattern_len = strlen(pattern);
-
-	if (ch->len >= pattern_len && strneq(ch->ptr, pattern, pattern_len))
-	{
-		ch->ptr += pattern_len;
-		ch->len -= pattern_len;
-		return TRUE;
-	}
-	return FALSE;
-}
-
-/**
- * find a boundary of the form -----tag name-----
- */
-static bool find_boundary(const char* tag, chunk_t *line)
-{
-	chunk_t name = chunk_empty;
-
-	if (!present("-----", line))
-		return FALSE;
-	if (!present(tag, line))
-		return FALSE;
-	if (*line->ptr != ' ')
-		return FALSE;
-	line->ptr++;  line->len--;
-	
-	/* extract name */
-	name.ptr = line->ptr;
-	while (line->len > 0)
-	{
-		if (present("-----", line))
-		{
-			DBG2("  -----%s %.*s-----", tag, (int)name.len, name.ptr);
-			return TRUE;
-		}
-		line->ptr++;  line->len--;  name.len++;
-	}
-	return FALSE;
-}
-
-/*
- * decrypts a passphrase protected encrypted data block
- */
-static status_t pem_decrypt(chunk_t *blob, encryption_algorithm_t alg, size_t key_size,
-							chunk_t *iv, chunk_t passphrase)
-{
-	hasher_t *hasher;
-	crypter_t *crypter;
-	chunk_t salt = { iv->ptr, PKCS5_SALT_LEN };
-	chunk_t hash;
-	chunk_t decrypted;
-	chunk_t key = {alloca(key_size), key_size};
-	u_int8_t padding, *last_padding_pos, *first_padding_pos;
-	
-	if (passphrase.len == 0)
-	{
-		DBG1("  missing passphrase");
-		return INVALID_ARG;
-	}
-
-	/* build key from passphrase and IV */
-	hasher = lib->crypto->create_hasher(lib->crypto, HASH_MD5);
-	if (hasher == NULL)
-	{
-		DBG1("  MD5 hash algorithm not available");
-		return NOT_SUPPORTED;
-	}
-	hash.len = hasher->get_hash_size(hasher);
-	hash.ptr = alloca(hash.len);
-	hasher->get_hash(hasher, passphrase, NULL);
-	hasher->get_hash(hasher, salt, hash.ptr);
-	memcpy(key.ptr, hash.ptr, hash.len);
-
-	if (key.len > hash.len)
-	{
-		hasher->get_hash(hasher, hash, NULL);
-		hasher->get_hash(hasher, passphrase, NULL);
-		hasher->get_hash(hasher, salt, hash.ptr);	
-		memcpy(key.ptr + hash.len, hash.ptr, key.len - hash.len);
-	}	
-	hasher->destroy(hasher);
-	
-	/* decrypt blob */
-	crypter = lib->crypto->create_crypter(lib->crypto, alg, key_size);
-	if (crypter == NULL)
-	{
-		DBG1("  %N encryption algorithm not available",
-			 encryption_algorithm_names, alg);
-		return NOT_SUPPORTED;
-	}
-	crypter->set_key(crypter, key);
-	
-	if (iv->len != crypter->get_block_size(crypter) ||
-		blob->len % iv->len)
-	{
-		crypter->destroy(crypter);
-		DBG1("  data size is not multiple of block size");
-		return PARSE_ERROR;
-	}
-	crypter->decrypt(crypter, *blob, *iv, &decrypted);
-	crypter->destroy(crypter);
-	memcpy(blob->ptr, decrypted.ptr, blob->len);
-	chunk_free(&decrypted);
-	
-	/* determine amount of padding */
-	last_padding_pos = blob->ptr + blob->len - 1;
-	padding = *last_padding_pos;
-	first_padding_pos = (padding > blob->len) ? blob->ptr : last_padding_pos - padding;
-
-	/* check the padding pattern */
-	while (--last_padding_pos > first_padding_pos)
-	{
-		if (*last_padding_pos != padding)
-		{
-			DBG1("  invalid passphrase");
-			return INVALID_ARG;
-		}
-	}
-	/* remove padding */
-	blob->len -= padding;
-	return SUCCESS;
-}
-
-/*  Converts a PEM encoded file into its binary form
- *
- *  RFC 1421 Privacy Enhancement for Electronic Mail, February 1993
- *  RFC 934 Message Encapsulation, January 1985
- */
-status_t pem_to_bin(chunk_t *blob, chunk_t passphrase, bool *pgp)
-{
-	typedef enum {
-		PEM_PRE    = 0,
-		PEM_MSG    = 1,
-		PEM_HEADER = 2,
-		PEM_BODY   = 3,
-		PEM_POST   = 4,
-		PEM_ABORT  = 5
-	} state_t;
-
-	encryption_algorithm_t alg = ENCR_UNDEFINED;
-	size_t key_size = 0;
-
-	bool encrypted = FALSE;
-
-	state_t state  = PEM_PRE;
-
-	chunk_t src    = *blob;
-	chunk_t dst    = *blob;
-	chunk_t line   = chunk_empty;
-	chunk_t iv     = chunk_empty;
-
-	u_char iv_buf[16]; /* MD5 digest size */
-
-	/* zero size of converted blob */
-	dst.len = 0;
-
-	/* zero size of IV */
-	iv.ptr = iv_buf;
-	iv.len = 0;
-
-	while (fetchline(&src, &line))
-	{
-		if (state == PEM_PRE)
-		{
-			if (find_boundary("BEGIN", &line))
-			{
-				state = PEM_MSG;
-			}
-			continue;
-		}
-		else
-		{
-			if (find_boundary("END", &line))
-			{
-				state = PEM_POST;
-				break;
-			}
-			if (state == PEM_MSG)
-			{
-				state = (memchr(line.ptr, ':', line.len) == NULL) ? PEM_BODY : PEM_HEADER;
-			}
-			if (state == PEM_HEADER)
-			{
-				err_t ugh = NULL;
-				chunk_t name  = chunk_empty;
-				chunk_t value = chunk_empty;
-
-				/* an empty line separates HEADER and BODY */
-				if (line.len == 0)
-				{
-					state = PEM_BODY;
-					continue;
-				}
-
-				/* we are looking for a parameter: value pair */
-				DBG2("  %.*s", (int)line.len, line.ptr);
-				ugh = extract_parameter_value(&name, &value, &line);
-				if (ugh != NULL)
-				{
-					continue;
-				}
-				if (match("Proc-Type", &name) && *value.ptr == '4')
-				{
-					encrypted = TRUE;
-				}
-				else if (match("DEK-Info", &name))
-				{
-					chunk_t dek;
-
-					if (!extract_token(&dek, ',', &value))
-					{
-						dek = value;
-					}
-					if (match("DES-EDE3-CBC", &dek))
-					{
-						alg = ENCR_3DES;
-						key_size = 24;
-					}
-					else if (match("AES-128-CBC", &dek))
-					{
-						alg = ENCR_AES_CBC;
-						key_size = 16;
-					}
-					else if (match("AES-192-CBC", &dek))
-					{
-						alg = ENCR_AES_CBC;
-						key_size = 24;
-					}
-					else if (match("AES-256-CBC", &dek))
-					{
-						alg = ENCR_AES_CBC;
-						key_size = 32;
-					}
-					else
-					{
-						DBG1("  encryption algorithm '%.s' not supported",
-							 dek.len, dek.ptr);
-						return NOT_SUPPORTED;
-					}
-					eat_whitespace(&value);
-					iv = chunk_from_hex(value, iv.ptr);
-				}
-			}
-			else /* state is PEM_BODY */
-			{
-				chunk_t data;
-				
-				/* remove any trailing whitespace */
-				if (!extract_token(&data ,' ', &line))
-				{
-					data = line;
-				}
-				
-				/* check for PGP armor checksum */
-				if (*data.ptr == '=')
-				{
-					*pgp = TRUE;
-					data.ptr++;
-					data.len--;
-					DBG2("  armor checksum: %.*s", (int)data.len, data.ptr);
-		    		continue;
-				}
-				
-				if (blob->len - dst.len < data.len / 4 * 3)
-				{
-					state = PEM_ABORT;
-				}
-				data = chunk_from_base64(data, dst.ptr);
-
-				dst.ptr += data.len;
-				dst.len += data.len;
-			}
-		}
-	}
-	/* set length to size of binary blob */
-	blob->len = dst.len;
-
-	if (state != PEM_POST)
-	{
-		DBG1("  file coded in unknown format, discarded");
-		return PARSE_ERROR;
-	}
-	if (!encrypted)
-	{
-		return SUCCESS;
-	}
-	return pem_decrypt(blob, alg, key_size, &iv, passphrase);
-	
-}
-
-/* load a coded key or certificate file with autodetection
- * of binary DER or base64 PEM ASN.1 formats and armored PGP format
- */
-bool pem_asn1_load_file(char *filename, chunk_t *passphrase,
-						chunk_t *blob, bool *pgp)
-{
-	FILE *fd = fopen(filename, "r");
-
-	if (fd)
-	{
-		chunk_t pass = chunk_empty;
-		int bytes;
-
-		fseek(fd, 0, SEEK_END );
-		blob->len = ftell(fd);
-		rewind(fd);
-		blob->ptr = malloc(blob->len);
-		bytes = fread(blob->ptr, 1, blob->len, fd);
-		fclose(fd);
-		DBG2("  loading '%s' (%d bytes)", filename, bytes);
-
-		*pgp = FALSE;
-
-		/* try DER format */
-		if (is_asn1(*blob))
-		{
-			DBG2("  file coded in DER format");
-			return TRUE;
-		}
-
-		if (passphrase != NULL)
-		{
-			pass = *passphrase;
-			DBG4("  passphrase: %#B", passphrase);
-		}
-
-		/* try PEM format */
-		if (pem_to_bin(blob, pass, pgp) == SUCCESS)
-		{
-			if (*pgp)
-			{
-				DBG2("  file coded in armored PGP format");
-				return TRUE;
-			}
-			if (is_asn1(*blob))
-			{
-				DBG2("  file coded in PEM format");
-				return TRUE;
-			}
-			DBG1("  file coded in unknown format, discarded");
-		}
-
-		/* a conversion error has occured */
-		chunk_free(blob);
-	}
-	else
-	{
-		DBG1("  reading file '%s' failed", filename);
-	}
-	return FALSE;
-}
-
diff --git a/src/libstrongswan/asn1/pem.h b/src/libstrongswan/asn1/pem.h
deleted file mode 100755
index 7385330d7..000000000
--- a/src/libstrongswan/asn1/pem.h
+++ /dev/null
@@ -1,29 +0,0 @@
-/*
- * Copyright (C) 2001-2008 Andreas Steffen
- *
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#ifndef PEM_H_
-#define PEM_H_
-
-#include <stdio.h>
-
-#include <library.h>
-
-status_t pem_to_bin(chunk_t *blob, chunk_t passphrase, bool *pgp);
-
-bool pem_asn1_load_file(char *filename, chunk_t *passphrase, chunk_t *blob,
-						bool *pgp);
-
-#endif /*PEM_H_ @} */
diff --git a/src/libstrongswan/attributes/attribute_handler.h b/src/libstrongswan/attributes/attribute_handler.h
new file mode 100644
index 000000000..d042f47ef
--- /dev/null
+++ b/src/libstrongswan/attributes/attribute_handler.h
@@ -0,0 +1,72 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup attribute_handler attribute_handler
+ * @{ @ingroup attributes
+ */
+
+#ifndef ATTRIBUTE_HANDLER_H_
+#define ATTRIBUTE_HANDLER_H_
+
+#include <chunk.h>
+#include <utils/host.h>
+#include <utils/identification.h>
+
+#include "attributes.h"
+
+typedef struct attribute_handler_t attribute_handler_t;
+
+/**
+ * Interface to handle configuration payload attributes.
+ */
+struct attribute_handler_t {
+
+	/**
+	 * Handle a configuration attribute.
+	 *
+	 * After receiving a configuration attriubte, it is passed to each
+	 * attribute handler until it is handled.
+	 *
+	 * @param server	server from which the attribute was received
+	 * @param type		type of configuration attribute to handle
+	 * @param data		associated attribute data
+	 * @return			TRUE if attribute handled
+	 */
+	bool (*handle)(attribute_handler_t *this, identification_t *server,
+				   configuration_attribute_type_t type, chunk_t data);
+
+	/**
+	 * Release an attribute handled during handle().
+	 *
+	 * A handler that handle()d an attribute gets a call to release() when the
+	 * connection gets closed. Depending on the implementation, this is required
+	 * to remove the attribute.
+	 */
+	void (*release)(attribute_handler_t *this, identification_t *server,
+					configuration_attribute_type_t type, chunk_t data);
+
+	/**
+	 * Enumerate attributes to request from a server.
+	 *
+	 * @param server		server identity to request attributes from
+	 * @param vip			virtual IP we are requesting, if any
+	 * @return				enumerator (configuration_attribute_type_t, chunk_t)
+	 */
+	enumerator_t* (*create_attribute_enumerator)(attribute_handler_t *this,
+										identification_t *server, host_t *vip);
+};
+
+#endif /** ATTRIBUTE_HANDLER_H_ @}*/
diff --git a/src/libstrongswan/attributes/attribute_manager.c b/src/libstrongswan/attributes/attribute_manager.c
new file mode 100644
index 000000000..91fa1ebb5
--- /dev/null
+++ b/src/libstrongswan/attributes/attribute_manager.c
@@ -0,0 +1,374 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "attribute_manager.h"
+
+#include <debug.h>
+#include <utils/linked_list.h>
+#include <threading/rwlock.h>
+
+typedef struct private_attribute_manager_t private_attribute_manager_t;
+
+/**
+ * private data of attribute_manager
+ */
+struct private_attribute_manager_t {
+
+	/**
+	 * public functions
+	 */
+	attribute_manager_t public;
+
+	/**
+	 * list of registered providers
+	 */
+	linked_list_t *providers;
+
+	/**
+	 * list of registered handlers
+	 */
+	linked_list_t *handlers;
+
+	/**
+	 * rwlock provider list
+	 */
+	rwlock_t *lock;
+};
+
+/**
+ * Data to pass to enumerator filters
+ */
+typedef struct {
+	/** server/peer identity */
+	identification_t *id;
+	/** requesting/assigned virtual IP */
+	host_t *vip;
+} enum_data_t;
+
+/**
+ * Implementation of attribute_manager_t.acquire_address.
+ */
+static host_t* acquire_address(private_attribute_manager_t *this,
+							   char *pool, identification_t *id,
+							   host_t *requested)
+{
+	enumerator_t *enumerator;
+	attribute_provider_t *current;
+	host_t *host = NULL;
+
+	this->lock->read_lock(this->lock);
+	enumerator = this->providers->create_enumerator(this->providers);
+	while (enumerator->enumerate(enumerator, &current))
+	{
+		host = current->acquire_address(current, pool, id, requested);
+		if (host)
+		{
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
+
+	if (!host)
+	{
+		DBG1("acquiring address from pool '%s' failed", pool);
+	}
+	return host;
+}
+
+/**
+ * Implementation of attribute_manager_t.release_address.
+ */
+static void release_address(private_attribute_manager_t *this,
+							char *pool, host_t *address, identification_t *id)
+{
+	enumerator_t *enumerator;
+	attribute_provider_t *current;
+	bool found = FALSE;
+
+	this->lock->read_lock(this->lock);
+	enumerator = this->providers->create_enumerator(this->providers);
+	while (enumerator->enumerate(enumerator, &current))
+	{
+		if (current->release_address(current, pool, address, id))
+		{
+			found = TRUE;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
+
+	if (!found)
+	{
+		DBG1("releasing address to pool '%s' failed", pool);
+	}
+}
+
+/**
+ * inner enumerator constructor for responder attributes
+ */
+static enumerator_t *responder_enum_create(attribute_provider_t *provider,
+										   enum_data_t *data)
+{
+	return provider->create_attribute_enumerator(provider, data->id, data->vip);
+}
+
+/**
+ * Implementation of attribute_manager_t.create_responder_enumerator
+ */
+static enumerator_t* create_responder_enumerator(
+			private_attribute_manager_t *this, identification_t *id, host_t *vip)
+{
+	enum_data_t *data = malloc_thing(enum_data_t);
+
+	data->id = id;
+	data->vip = vip;
+	this->lock->read_lock(this->lock);
+	return enumerator_create_cleaner(
+				enumerator_create_nested(
+					this->providers->create_enumerator(this->providers),
+					(void*)responder_enum_create, data, free),
+				(void*)this->lock->unlock, this->lock);
+}
+
+/**
+ * Implementation of attribute_manager_t.add_provider.
+ */
+static void add_provider(private_attribute_manager_t *this,
+						 attribute_provider_t *provider)
+{
+	this->lock->write_lock(this->lock);
+	this->providers->insert_last(this->providers, provider);
+	this->lock->unlock(this->lock);
+}
+
+/**
+ * Implementation of attribute_manager_t.remove_provider.
+ */
+static void remove_provider(private_attribute_manager_t *this,
+							attribute_provider_t *provider)
+{
+	this->lock->write_lock(this->lock);
+	this->providers->remove(this->providers, provider, NULL);
+	this->lock->unlock(this->lock);
+}
+
+/**
+ * Implementation of attribute_manager_t.handle
+ */
+static attribute_handler_t* handle(private_attribute_manager_t *this,
+						identification_t *server, attribute_handler_t *handler,
+						configuration_attribute_type_t type, chunk_t data)
+{
+	enumerator_t *enumerator;
+	attribute_handler_t *current, *handled = NULL;
+
+	this->lock->read_lock(this->lock);
+
+	/* try to find the passed handler */
+	enumerator = this->handlers->create_enumerator(this->handlers);
+	while (enumerator->enumerate(enumerator, &current))
+	{
+		if (current == handler && current->handle(current, server, type, data))
+		{
+			handled = current;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	if (!handled)
+	{	/* handler requesting this attribute not found, try any other */
+		enumerator = this->handlers->create_enumerator(this->handlers);
+		while (enumerator->enumerate(enumerator, &current))
+		{
+			if (current->handle(current, server, type, data))
+			{
+				handled = current;
+				break;
+			}
+		}
+		enumerator->destroy(enumerator);
+	}
+	this->lock->unlock(this->lock);
+
+	if (!handled)
+	{
+		DBG1("handling %N attribute failed",
+			 configuration_attribute_type_names, type);
+	}
+	return handled;
+}
+
+/**
+ * Implementation of attribute_manager_t.release
+ */
+static void release(private_attribute_manager_t *this,
+					attribute_handler_t *handler,
+					identification_t *server,
+					configuration_attribute_type_t type, chunk_t data)
+{
+	enumerator_t *enumerator;
+	attribute_handler_t *current;
+
+	this->lock->read_lock(this->lock);
+	enumerator = this->handlers->create_enumerator(this->handlers);
+	while (enumerator->enumerate(enumerator, &current))
+	{
+		if (current == handler)
+		{
+			current->release(current, server, type, data);
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
+}
+
+/**
+ * Enumerator implementation to enumerate nested initiator attributes
+ */
+typedef struct {
+	/** implements enumerator_t */
+	enumerator_t public;
+	/** back ref */
+	private_attribute_manager_t *this;
+	/** currently processing handler */
+	attribute_handler_t *handler;
+	/** outer enumerator over handlers */
+	enumerator_t *outer;
+	/** inner enumerator over current handlers attributes */
+	enumerator_t *inner;
+	/** server ID we want attributes for */
+	identification_t *id;
+	/** virtual IP we are requesting along with attriubutes */
+	host_t *vip;
+} initiator_enumerator_t;
+
+/**
+ * Enumerator implementation for initiator attributes
+ */
+static bool initiator_enumerate(initiator_enumerator_t *this,
+								attribute_handler_t **handler,
+								configuration_attribute_type_t *type,
+								chunk_t *value)
+{
+	/* enumerate inner attributes using outer handler enumerator */
+	while (!this->inner || !this->inner->enumerate(this->inner, type, value))
+	{
+		if (!this->outer->enumerate(this->outer, &this->handler))
+		{
+			return FALSE;
+		}
+		DESTROY_IF(this->inner);
+		this->inner = this->handler->create_attribute_enumerator(this->handler,
+														this->id, this->vip);
+	}
+	/* inject the handler as additional attribute */
+	*handler = this->handler;
+	return TRUE;
+}
+
+/**
+ * Cleanup function of initiator attribute enumerator
+ */
+static void initiator_destroy(initiator_enumerator_t *this)
+{
+	this->this->lock->unlock(this->this->lock);
+	this->outer->destroy(this->outer);
+	DESTROY_IF(this->inner);
+	free(this);
+}
+
+/**
+ * Implementation of attribute_manager_t.create_initiator_enumerator
+ */
+static enumerator_t* create_initiator_enumerator(
+		private_attribute_manager_t *this, identification_t *id, host_t *vip)
+{
+	initiator_enumerator_t *enumerator = malloc_thing(initiator_enumerator_t);
+
+	this->lock->read_lock(this->lock);
+	enumerator->public.enumerate = (void*)initiator_enumerate;
+	enumerator->public.destroy = (void*)initiator_destroy;
+	enumerator->this = this;
+	enumerator->id = id;
+	enumerator->vip = vip;
+	enumerator->outer = this->handlers->create_enumerator(this->handlers);
+	enumerator->inner = NULL;
+	enumerator->handler = NULL;
+
+	return &enumerator->public;
+}
+
+/**
+ * Implementation of attribute_manager_t.add_handler
+ */
+static void add_handler(private_attribute_manager_t *this,
+						attribute_handler_t *handler)
+{
+	this->lock->write_lock(this->lock);
+	this->handlers->insert_last(this->handlers, handler);
+	this->lock->unlock(this->lock);
+}
+
+/**
+ * Implementation of attribute_manager_t.remove_handler
+ */
+static void remove_handler(private_attribute_manager_t *this,
+						attribute_handler_t *handler)
+{
+	this->lock->write_lock(this->lock);
+	this->handlers->remove(this->handlers, handler, NULL);
+	this->lock->unlock(this->lock);
+}
+
+/**
+ * Implementation of attribute_manager_t.destroy
+ */
+static void destroy(private_attribute_manager_t *this)
+{
+	this->providers->destroy(this->providers);
+	this->handlers->destroy(this->handlers);
+	this->lock->destroy(this->lock);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+attribute_manager_t *attribute_manager_create()
+{
+	private_attribute_manager_t *this = malloc_thing(private_attribute_manager_t);
+
+	this->public.acquire_address = (host_t*(*)(attribute_manager_t*, char*, identification_t*,host_t*))acquire_address;
+	this->public.release_address = (void(*)(attribute_manager_t*, char *, host_t*, identification_t*))release_address;
+	this->public.create_responder_enumerator = (enumerator_t*(*)(attribute_manager_t*, identification_t*, host_t*))create_responder_enumerator;
+	this->public.add_provider = (void(*)(attribute_manager_t*, attribute_provider_t *provider))add_provider;
+	this->public.remove_provider = (void(*)(attribute_manager_t*, attribute_provider_t *provider))remove_provider;
+	this->public.handle = (attribute_handler_t*(*)(attribute_manager_t*,identification_t*, attribute_handler_t*, configuration_attribute_type_t, chunk_t))handle;
+	this->public.release = (void(*)(attribute_manager_t*, attribute_handler_t*, identification_t*, configuration_attribute_type_t, chunk_t))release;
+	this->public.create_initiator_enumerator = (enumerator_t*(*)(attribute_manager_t*, identification_t*, host_t*))create_initiator_enumerator;
+	this->public.add_handler = (void(*)(attribute_manager_t*, attribute_handler_t*))add_handler;
+	this->public.remove_handler = (void(*)(attribute_manager_t*, attribute_handler_t*))remove_handler;
+	this->public.destroy = (void(*)(attribute_manager_t*))destroy;
+
+	this->providers = linked_list_create();
+	this->handlers = linked_list_create();
+	this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
+
+	return &this->public;
+}
+
diff --git a/src/libstrongswan/attributes/attribute_manager.h b/src/libstrongswan/attributes/attribute_manager.h
new file mode 100644
index 000000000..642662366
--- /dev/null
+++ b/src/libstrongswan/attributes/attribute_manager.h
@@ -0,0 +1,149 @@
+/*
+ * Copyright (C) 2008-2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup attribute_manager attribute_manager
+ * @{ @ingroup attributes
+ */
+
+#ifndef ATTRIBUTE_MANAGER_H_
+#define ATTRIBUTE_MANAGER_H_
+
+#include "attribute_provider.h"
+#include "attribute_handler.h"
+
+typedef struct attribute_manager_t attribute_manager_t;
+
+/**
+ * The attribute manager hands out attributes or handles them.
+ *
+ * The attribute manager manages both, attribute providers and attribute
+ * handlers. Attribute providers are responsible to hand out attributes if
+ * a connecting peer requests them. Handlers handle such attributes if they
+ * are received on the requesting peer.
+ */
+struct attribute_manager_t {
+
+	/**
+	 * Acquire a virtual IP address to assign to a peer.
+	 *
+	 * @param pool			pool name to acquire address from
+	 * @param id			peer identity to get address forua
+	 * @param requested		IP in configuration request
+	 * @return				allocated address, NULL to serve none
+	 */
+	host_t* (*acquire_address)(attribute_manager_t *this,
+							   char *pool, identification_t *id,
+							   host_t *requested);
+
+	/**
+	 * Release a previously acquired address.
+	 *
+	 * @param pool			pool name from which the address was acquired
+	 * @param address		address to release
+	 * @param id			peer identity to get address for
+	 */
+	void (*release_address)(attribute_manager_t *this,
+							char *pool, host_t *address, identification_t *id);
+
+	/**
+	 * Create an enumerator over attributes to hand out to a peer.
+	 *
+	 * @param id			peer identity to hand out attributes to
+	 * @param vip			virtual IP to assign to peer, if any
+	 * @return				enumerator (configuration_attribute_type_t, chunk_t)
+	 */
+	enumerator_t* (*create_responder_enumerator)(attribute_manager_t *this,
+											identification_t *id, host_t *vip);
+
+	/**
+	 * Register an attribute provider to the manager.
+	 *
+	 * @param provider		attribute provider to register
+	 */
+	void (*add_provider)(attribute_manager_t *this,
+						 attribute_provider_t *provider);
+	/**
+	 * Unregister an attribute provider from the manager.
+	 *
+	 * @param provider		attribute provider to unregister
+	 */
+	void (*remove_provider)(attribute_manager_t *this,
+							attribute_provider_t *provider);
+
+	/**
+	 * Handle a configuration attribute by passing them to the handlers.
+	 *
+	 * @param server		server from which the attribute was received
+	 * @param handler		handler we requested the attribute for, if any
+	 * @param type			type of configuration attribute
+	 * @param data			associated attribute data
+	 * @return				handler which handled this attribute, NULL if none
+	 */
+	attribute_handler_t* (*handle)(attribute_manager_t *this,
+						identification_t *server, attribute_handler_t *handler,
+						configuration_attribute_type_t type, chunk_t data);
+
+	/**
+	 * Release an attribute previously handle()d by a handler.
+	 *
+	 * @param handler		handler returned by handle() for this attribute
+	 * @param server		server from which the attribute was received
+	 * @param type			type of attribute to release
+	 * @param data			associated attribute data
+	 */
+	void (*release)(attribute_manager_t *this, attribute_handler_t *handler,
+						identification_t *server,
+						configuration_attribute_type_t type,
+						chunk_t data);
+
+	/**
+	 * Create an enumerator over attributes to request from server.
+	 *
+	 * @param id			server identity to hand out attributes to
+	 * @param vip			virtual IP going to request, if any
+	 * @return				enumerator (attribute_handler_t, ca_type_t, chunk_t)
+	 */
+	enumerator_t* (*create_initiator_enumerator)(attribute_manager_t *this,
+											identification_t *id, host_t *vip);
+
+	/**
+	 * Register an attribute handler to the manager.
+	 *
+	 * @param handler		attribute handler to register
+	 */
+	void (*add_handler)(attribute_manager_t *this,
+						attribute_handler_t *handler);
+
+	/**
+	 * Unregister an attribute handler from the manager.
+	 *
+	 * @param handler		attribute handler to unregister
+	 */
+	void (*remove_handler)(attribute_manager_t *this,
+						   attribute_handler_t *handler);
+
+	/**
+	 * Destroy a attribute_manager instance.
+	 */
+	void (*destroy)(attribute_manager_t *this);
+};
+
+/**
+ * Create a attribute_manager instance.
+ */
+attribute_manager_t *attribute_manager_create();
+
+#endif /** ATTRIBUTE_MANAGER_H_ @}*/
diff --git a/src/libstrongswan/attributes/attribute_provider.h b/src/libstrongswan/attributes/attribute_provider.h
new file mode 100644
index 000000000..f8485cc6c
--- /dev/null
+++ b/src/libstrongswan/attributes/attribute_provider.h
@@ -0,0 +1,67 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup attribute_provider attribute_provider
+ * @{ @ingroup attributes
+ */
+
+#ifndef ATTRIBUTE_PROVIDER_H_
+#define ATTRIBUTE_PROVIDER_H_
+
+#include <utils/host.h>
+#include <utils/identification.h>
+
+typedef struct attribute_provider_t attribute_provider_t;
+
+/**
+ * Interface to provide attributes to peers through attribute manager.
+ */
+struct attribute_provider_t {
+
+	/**
+	 * Acquire a virtual IP address to assign to a peer.
+	 *
+	 * @param pool			name of the pool to acquire address from
+	 * @param id			peer ID
+	 * @param requested		IP in configuration request
+	 * @return				allocated address, NULL to serve none
+	 */
+	host_t* (*acquire_address)(attribute_provider_t *this,
+							   char *pool, identification_t *id,
+							   host_t *requested);
+	/**
+	 * Release a previously acquired address.
+	 *
+	 * @param pool			name of the pool this address was acquired from
+	 * @param address		address to release
+	 * @param id			peer ID
+	 * @return				TRUE if the address has been released by the provider
+	 */
+	bool (*release_address)(attribute_provider_t *this,
+							char *pool, host_t *address, identification_t *id);
+
+	/**
+	 * Create an enumerator over attributes to hand out to a peer.
+	 *
+	 * @param id			peer ID
+	 * @param vip			virtual IP to assign to peer, if any
+	 * @return				enumerator (configuration_attribute_type_t, chunk_t)
+	 */
+	enumerator_t* (*create_attribute_enumerator)(attribute_provider_t *this,
+											identification_t *id, host_t *vip);
+};
+
+#endif /** ATTRIBUTE_PROVIDER_H_ @}*/
diff --git a/src/libstrongswan/attributes/attributes.c b/src/libstrongswan/attributes/attributes.c
new file mode 100644
index 000000000..83feed17e
--- /dev/null
+++ b/src/libstrongswan/attributes/attributes.c
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+
+#include "attributes.h"
+
+ENUM_BEGIN(configuration_attribute_type_names, INTERNAL_IP4_ADDRESS, INTERNAL_IP6_PREFIX,
+	"INTERNAL_IP4_ADDRESS",
+	"INTERNAL_IP4_NETMASK",
+	"INTERNAL_IP4_DNS",
+	"INTERNAL_IP4_NBNS",
+	"INTERNAL_ADDRESS_EXPIRY",
+	"INTERNAL_IP4_DHCP",
+	"APPLICATION_VERSION",
+	"INTERNAL_IP6_ADDRESS",
+	"INTERNAL_IP6_NETMASK",
+	"INTERNAL_IP6_DNS",
+	"INTERNAL_IP6_NBNS",
+	"INTERNAL_IP6_DHCP",
+	"INTERNAL_IP4_SUBNET",
+	"SUPPORTED_ATTRIBUTES",
+	"INTERNAL_IP6_SUBNET",
+	"MIP6_HOME_PREFIX",
+	"INTERNAL_IP6_LINK",
+	"INTERNAL_IP6_PREFIX");
+ENUM_NEXT(configuration_attribute_type_names, INTERNAL_IP4_SERVER, INTERNAL_IP6_SERVER, INTERNAL_IP6_PREFIX,
+	"INTERNAL_IP4_SERVER",
+	"INTERNAL_IP6_SERVER");
+ENUM_END(configuration_attribute_type_names, INTERNAL_IP6_SERVER);
+
diff --git a/src/libstrongswan/attributes/attributes.h b/src/libstrongswan/attributes/attributes.h
new file mode 100644
index 000000000..f4a396f21
--- /dev/null
+++ b/src/libstrongswan/attributes/attributes.h
@@ -0,0 +1,62 @@
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup attributes_g attributes
+ * @{ @ingroup attributes
+ */
+
+#ifndef ATTRIBUTES_H_
+#define ATTRIBUTES_H_
+
+typedef enum configuration_attribute_type_t configuration_attribute_type_t;
+
+#include <enum.h>
+
+/**
+ * Type of the attribute, as in IKEv2 RFC 3.15.1 or IKEv1 ModeConfig.
+ */
+enum configuration_attribute_type_t {
+	INTERNAL_IP4_ADDRESS = 1,
+	INTERNAL_IP4_NETMASK = 2,
+	INTERNAL_IP4_DNS = 3,
+	INTERNAL_IP4_NBNS = 4,
+	INTERNAL_ADDRESS_EXPIRY = 5,
+	INTERNAL_IP4_DHCP = 6,
+	APPLICATION_VERSION = 7,
+	INTERNAL_IP6_ADDRESS = 8,
+	INTERNAL_IP6_NETMASK = 9,
+	INTERNAL_IP6_DNS = 10,
+	INTERNAL_IP6_NBNS = 11,
+	INTERNAL_IP6_DHCP = 12,
+	INTERNAL_IP4_SUBNET = 13,
+	SUPPORTED_ATTRIBUTES = 14,
+	INTERNAL_IP6_SUBNET = 15,
+	MIP6_HOME_PREFIX = 16,
+	INTERNAL_IP6_LINK = 17,
+	INTERNAL_IP6_PREFIX = 18,
+	/* proprietary Microsoft attributes */
+	INTERNAL_IP4_SERVER = 23456,
+	INTERNAL_IP6_SERVER = 23457
+};
+
+/**
+ * enum names for configuration_attribute_type_t.
+ */
+extern enum_name_t *configuration_attribute_type_names;
+
+
+#endif /** ATTRIBUTES_H_ @}*/
diff --git a/src/libstrongswan/chunk.c b/src/libstrongswan/chunk.c
index 40a93e21a..86436e997 100644
--- a/src/libstrongswan/chunk.c
+++ b/src/libstrongswan/chunk.c
@@ -46,14 +46,14 @@ chunk_t chunk_empty = { NULL, 0 };
 chunk_t chunk_create_clone(u_char *ptr, chunk_t chunk)
 {
 	chunk_t clone = chunk_empty;
-	
+
 	if (chunk.ptr && chunk.len > 0)
 	{
 		clone.ptr = ptr;
 		clone.len = chunk.len;
 		memcpy(clone.ptr, chunk.ptr, chunk.len);
 	}
-	
+
 	return clone;
 }
 
@@ -64,7 +64,7 @@ size_t chunk_length(const char* mode, ...)
 {
 	va_list chunks;
 	size_t length = 0;
-	
+
 	va_start(chunks, mode);
 	while (TRUE)
 	{
@@ -72,6 +72,7 @@ size_t chunk_length(const char* mode, ...)
 		{
 			case 'm':
 			case 'c':
+			case 's':
 			{
 				chunk_t ch = va_arg(chunks, chunk_t);
 				length += ch.len;
@@ -93,36 +94,42 @@ chunk_t chunk_create_cat(u_char *ptr, const char* mode, ...)
 {
 	va_list chunks;
 	chunk_t construct = chunk_create(ptr, 0);
-	
+
 	va_start(chunks, mode);
 	while (TRUE)
 	{
-		bool free_chunk = FALSE;
+		bool free_chunk = FALSE, clear_chunk = FALSE;
+		chunk_t ch;
+
 		switch (*mode++)
 		{
+			case 's':
+				clear_chunk = TRUE;
+				/* FALL */
 			case 'm':
-			{
 				free_chunk = TRUE;
-			}
+				/* FALL */
 			case 'c':
-			{
-				chunk_t ch = va_arg(chunks, chunk_t);
-				memcpy(ptr, ch.ptr, ch.len); 
+				ch = va_arg(chunks, chunk_t);
+				memcpy(ptr, ch.ptr, ch.len);
 				ptr += ch.len;
 				construct.len += ch.len;
-				if (free_chunk)
+				if (clear_chunk)
+				{
+					chunk_clear(&ch);
+				}
+				else if (free_chunk)
 				{
 					free(ch.ptr);
 				}
 				continue;
-			}
 			default:
 				break;
 		}
 		break;
 	}
 	va_end(chunks);
-	
+
 	return construct;
 }
 
@@ -134,7 +141,7 @@ void chunk_split(chunk_t chunk, const char *mode, ...)
 	va_list chunks;
 	u_int len;
 	chunk_t *ch;
-	
+
 	va_start(chunks, mode);
 	while (TRUE)
 	{
@@ -255,19 +262,19 @@ chunk_t chunk_to_hex(chunk_t chunk, char *buf, bool uppercase)
 {
 	int i, len;
 	char *hexdig = hexdig_lower;
-	
+
 	if (uppercase)
 	{
 		hexdig = hexdig_upper;
 	}
-	
+
 	len = chunk.len * 2;
 	if (!buf)
 	{
 		buf = malloc(len + 1);
 	}
 	buf[len] = '\0';
-	
+
 	for (i = 0; i < chunk.len; i++)
 	{
 		buf[i*2]   = hexdig[(chunk.ptr[i] >> 4) & 0xF];
@@ -301,7 +308,7 @@ chunk_t chunk_from_hex(chunk_t hex, char *buf)
 {
 	int i, len;
 	bool odd = FALSE;
-	
+
 	len = (hex.len / 2);
 	if (hex.len % 2)
 	{
@@ -327,7 +334,7 @@ chunk_t chunk_from_hex(chunk_t hex, char *buf)
 }
 
 /** base 64 conversion digits */
-static char b64digits[] = 
+static char b64digits[] =
 	"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
 
 /**
@@ -337,7 +344,7 @@ chunk_t chunk_to_base64(chunk_t chunk, char *buf)
 {
 	int i, len;
 	char *pos;
-	
+
 	len = chunk.len + ((3 - chunk.len % 3) % 3);
 	if (!buf)
 	{
@@ -401,7 +408,7 @@ chunk_t chunk_from_base64(chunk_t base64, char *buf)
 {
 	u_char *pos, byte[4];
 	int i, j, len, outlen;
-	
+
 	len = base64.len / 4 * 3;
 	if (!buf)
 	{
@@ -442,6 +449,24 @@ int chunk_compare(chunk_t a, chunk_t b)
 	return memcmp(a.ptr, b.ptr, len);
 };
 
+
+/**
+ * Described in header.
+ */
+bool chunk_increment(chunk_t chunk)
+{
+	int i;
+
+	for (i = chunk.len - 1; i >= 0; i--)
+	{
+		if (++chunk.ptr[i] != 0)
+		{
+			return FALSE;
+		}
+	}
+	return TRUE;
+}
+
 /**
  * Remove non-printable characters from a chunk.
  */
@@ -449,7 +474,7 @@ bool chunk_printable(chunk_t chunk, chunk_t *sane, char replace)
 {
 	bool printable = TRUE;
 	int i;
-	
+
 	if (sane)
 	{
 		*sane = chunk_clone(chunk);
@@ -470,7 +495,7 @@ bool chunk_printable(chunk_t chunk, chunk_t *sane, char replace)
 
 /**
  * Described in header.
- * 
+ *
  * The implementation is based on Paul Hsieh's SuperFastHash:
  * 	 http://www.azillionmonkeys.com/qed/hash.html
  */
@@ -480,15 +505,15 @@ u_int32_t chunk_hash_inc(chunk_t chunk, u_int32_t hash)
 	size_t len = chunk.len;
 	u_int32_t tmp;
 	int rem;
-	
+
 	if (!len || data == NULL)
 	{
 		return 0;
 	}
-	
+
 	rem = len & 3;
 	len >>= 2;
-	
+
 	/* Main loop */
 	for (; len > 0; --len)
 	{
@@ -498,7 +523,7 @@ u_int32_t chunk_hash_inc(chunk_t chunk, u_int32_t hash)
 		data += 2 * sizeof(u_int16_t);
 		hash += hash >> 11;
 	}
-	
+
 	/* Handle end cases */
 	switch (rem)
 	{
@@ -525,7 +550,7 @@ u_int32_t chunk_hash_inc(chunk_t chunk, u_int32_t hash)
 			break;
 		}
 	}
-	
+
 	/* Force "avalanching" of final 127 bits */
 	hash ^= hash << 3;
 	hash += hash >> 5;
@@ -533,7 +558,7 @@ u_int32_t chunk_hash_inc(chunk_t chunk, u_int32_t hash)
 	hash += hash >> 17;
 	hash ^= hash << 25;
 	hash += hash >> 6;
-	
+
 	return hash;
 }
 
@@ -555,13 +580,13 @@ int chunk_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
 	bool first = TRUE;
 	chunk_t copy = *chunk;
 	int written = 0;
-	
+
 	if (!spec->hash)
 	{
 		const void *new_args[] = {&chunk->ptr, &chunk->len};
 		return mem_printf_hook(dst, len, spec, new_args);
 	}
-	
+
 	while (copy.len > 0)
 	{
 		if (first)
diff --git a/src/libstrongswan/chunk.h b/src/libstrongswan/chunk.h
index 66c3f26a2..a526f4a89 100644
--- a/src/libstrongswan/chunk.h
+++ b/src/libstrongswan/chunk.h
@@ -69,9 +69,11 @@ chunk_t chunk_create_clone(u_char *ptr, chunk_t chunk);
 size_t chunk_length(const char *mode, ...);
 
 /**
- * Concatenate chunks into a chunk pointing to "ptr",
- * "mode" is a string of "c" (copy) and "m" (move), which says
- * how to handle the chunks in "..."
+ * Concatenate chunks into a chunk pointing to "ptr".
+ *
+ * The mode string specifies the number of chunks, and how to handle each of
+ * them with a single character: 'c' for copy (allocate new chunk), 'm' for move
+ * (free given chunk) or 's' for sensitive-move (clear given chunk, then free).
  */
 chunk_t chunk_create_cat(u_char *ptr, const char* mode, ...);
 
@@ -90,7 +92,7 @@ void chunk_split(chunk_t chunk, const char *mode, ...);
  *
  * @param chunk			contents to write to file
  * @param path			path where file is written to
- * @param label			label specifying file type 
+ * @param label			label specifying file type
  * @param mask			file mode creation mask
  * @param force			overwrite existing file by force
  * @return				TRUE if write operation was successful
@@ -167,9 +169,9 @@ static inline void chunk_clear(chunk_t *chunk)
 }
 
 /**
- * Initialize a chunk to point to buffer inspectable by sizeof()
+ * Initialize a chunk using a char array
  */
-#define chunk_from_buf(str) { str, sizeof(str) }
+#define chunk_from_chars(...) ((chunk_t){(char[]){__VA_ARGS__}, sizeof((char[]){__VA_ARGS__})})
 
 /**
  * Initialize a chunk to point to a thing
@@ -179,22 +181,22 @@ static inline void chunk_clear(chunk_t *chunk)
 /**
  * Allocate a chunk on the heap
  */
-#define chunk_alloc(bytes) chunk_create(malloc(bytes), bytes)
+#define chunk_alloc(bytes) ({size_t x = (bytes); chunk_create(malloc(x), x);})
 
 /**
  * Allocate a chunk on the stack
  */
-#define chunk_alloca(bytes) chunk_create(alloca(bytes), bytes)
+#define chunk_alloca(bytes) ({size_t x = (bytes); chunk_create(alloca(x), x);})
 
 /**
  * Clone a chunk on heap
  */
-#define chunk_clone(chunk) chunk_create_clone((chunk).len ? malloc((chunk).len) : NULL, chunk)
+#define chunk_clone(chunk) ({chunk_t x = (chunk); chunk_create_clone(x.len ? malloc(x.len) : NULL, x);})
 
 /**
  * Clone a chunk on stack
  */
-#define chunk_clonea(chunk) chunk_create_clone(alloca((chunk).len), chunk)
+#define chunk_clonea(chunk) ({chunk_t x = (chunk); chunk_create_clone(alloca(x.len), x);})
 
 /**
  * Concatenate chunks into a chunk on heap
@@ -236,6 +238,14 @@ static inline bool chunk_equals(chunk_t a, chunk_t b)
 			a.len == b.len && memeq(a.ptr, b.ptr, a.len);
 }
 
+/**
+ * Increment a chunk, as it would reprensent a network order integer.
+ *
+ * @param chunk			chunk to increment
+ * @return				TRUE if an overflow occured
+ */
+bool chunk_increment(chunk_t chunk);
+
 /**
  * Check if a chunk has printable characters only.
  *
@@ -263,8 +273,8 @@ u_int32_t chunk_hash_inc(chunk_t chunk, u_int32_t hash);
 /**
  * printf hook function for chunk_t.
  *
- * Arguments are: 
- *    chunk_t *chunk
+ * Arguments are:
+ *	chunk_t *chunk
  * Use #-modifier to print a compact version
  */
 int chunk_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
diff --git a/src/libstrongswan/credentials/builder.c b/src/libstrongswan/credentials/builder.c
index 701cbcde3..8be1c1576 100644
--- a/src/libstrongswan/credentials/builder.c
+++ b/src/libstrongswan/credentials/builder.c
@@ -17,36 +17,43 @@
 
 ENUM(builder_part_names, BUILD_FROM_FILE, BUILD_END,
 	"BUILD_FROM_FILE",
+	"BUILD_FROM_FD",
 	"BUILD_AGENT_SOCKET",
 	"BUILD_BLOB_ASN1_DER",
-	"BUILD_BLOB_ASN1_PEM",
+	"BUILD_BLOB_PEM",
 	"BUILD_BLOB_PGP",
-	"BUILD_BLOB_RFC_3110",
+	"BUILD_BLOB_DNSKEY",
+	"BUILD_PASSPHRASE",
+	"BUILD_PASSPHRASE_CALLBACK",
 	"BUILD_KEY_SIZE",
 	"BUILD_SIGNING_KEY",
 	"BUILD_SIGNING_CERT",
 	"BUILD_PUBLIC_KEY",
 	"BUILD_SUBJECT",
-	"BUILD_SUBJECT_ALTNAME",
+	"BUILD_SUBJECT_ALTNAMES",
 	"BUILD_ISSUER",
-	"BUILD_ISSUER_ALTNAME",
+	"BUILD_ISSUER_ALTNAMES",
 	"BUILD_NOT_BEFORE_TIME",
 	"BUILD_NOT_AFTER_TIME",
 	"BUILD_SERIAL",
+	"BUILD_DIGEST_ALG",
 	"BUILD_IETF_GROUP_ATTR",
 	"BUILD_CA_CERT",
 	"BUILD_CERT",
+	"BUILD_CRL_DISTRIBUTION_POINTS",
+	"BUILD_OCSP_ACCESS_LOCATIONS",
+	"BUILD_PATHLEN",
 	"BUILD_X509_FLAG",
 	"BUILD_SMARTCARD_KEYID",
 	"BUILD_SMARTCARD_PIN",
+	"BUILD_RSA_MODULUS",
+	"BUILD_RSA_PUB_EXP",
+	"BUILD_RSA_PRIV_EXP",
+	"BUILD_RSA_PRIME1",
+	"BUILD_RSA_PRIME2",
+	"BUILD_RSA_EXP1",
+	"BUILD_RSA_EXP2",
+	"BUILD_RSA_COEFF",
 	"BUILD_END",
 );
 
-/**
- * See header.
- */
-void* builder_free(builder_t *this)
-{
-	free(this);
-	return NULL;
-}
diff --git a/src/libstrongswan/credentials/builder.h b/src/libstrongswan/credentials/builder.h
index 01ccf2a5c..62a6ffaaf 100644
--- a/src/libstrongswan/credentials/builder.h
+++ b/src/libstrongswan/credentials/builder.h
@@ -21,16 +21,21 @@
 #ifndef BUILDER_H_
 #define BUILDER_H_
 
-typedef struct builder_t builder_t;
+#include <stdarg.h>
+
 typedef enum builder_part_t builder_part_t;
 
 /**
- * Constructor function which creates a new builder instance.
+ * Constructor function to build credentials.
+ *
+ * Any added parts are cloned/refcounted by the builder implementation, a
+ * caller may need to free the passed ressources themself.
  *
- * @param subtype	constructor specific subtype, e.g. certificate_type_t
- * @return			builder to construct a instance of type
+ * @param subtype	constructor specific subtype, e.g. a certificate_type_t
+ * @param args		list of builder part types, followed by parts, BUILD_END
+ * @return			builder specific credential, NULL on error
  */
-typedef builder_t* (*builder_constructor_t)(int subtype);
+typedef void* (*builder_function_t)(int subtype, va_list args);
 
 #include <library.h>
 
@@ -38,18 +43,26 @@ typedef builder_t* (*builder_constructor_t)(int subtype);
  * Parts to build credentials from.
  */
 enum builder_part_t {
-	/** path to a file containing an ASN.1 blob, char* */
+	/** path to a file encoded in any format, char* */
 	BUILD_FROM_FILE,
+	/** file descriptor to read data, encoded in any format, int */
+	BUILD_FROM_FD,
 	/** unix socket of a ssh/pgp agent, char* */
 	BUILD_AGENT_SOCKET,
 	/** DER encoded ASN.1 blob, chunk_t */
 	BUILD_BLOB_ASN1_DER,
-	/** PEM encoded ASN.1 blob, null terminated char* */
-	BUILD_BLOB_ASN1_PEM,
+	/** PEM encoded ASN.1/PGP blob, chunk_t */
+	BUILD_BLOB_PEM,
 	/**  OpenPGP key blob, chunk_t */
 	BUILD_BLOB_PGP,
-	/** RFC 3110 DNS public key blob, chunk_t */
-	BUILD_BLOB_RFC_3110,
+	/** DNS public key blob (RFC 4034, RSA specifc RFC 3110), chunk_t */
+	BUILD_BLOB_DNSKEY,
+	/** passphrase for e.g. PEM decryption, chunk_t */
+	BUILD_PASSPHRASE,
+	/** passphrase callback, chunk_t(*fn)(void *user, int try), void *user.
+	 *  The callback is invoked until the returned passphrase is accepted, or
+	 *  a zero-length passphrase is returned. Try starts at 1. */
+	BUILD_PASSPHRASE_CALLBACK,
 	/** key size in bits, as used for key generation, u_int */
 	BUILD_KEY_SIZE,
 	/** private key to use for signing, private_key_t* */
@@ -60,30 +73,54 @@ enum builder_part_t {
 	BUILD_PUBLIC_KEY,
 	/** subject for e.g. certificates, identification_t* */
 	BUILD_SUBJECT,
-	/** additional subject name, identification_t* */
-	BUILD_SUBJECT_ALTNAME,
+	/** additional subject names, linked_list_t* containing identification_t* */
+	BUILD_SUBJECT_ALTNAMES,
 	/** issuer for e.g. certificates, identification_t* */
 	BUILD_ISSUER,
-	/** additional issuer name, identification_t* */
-	BUILD_ISSUER_ALTNAME,
+	/** additional issuer names, linked_list_t* containing identification_t* */
+	BUILD_ISSUER_ALTNAMES,
 	/** notBefore, time_t* */
 	BUILD_NOT_BEFORE_TIME,
 	/** notAfter, time_t* */
 	BUILD_NOT_AFTER_TIME,
 	/** a serial number in binary form, chunk_t */
 	BUILD_SERIAL,
+	/** digest algorithm to be used for signature, int */
+	BUILD_DIGEST_ALG,
 	/** a comma-separated list of ietf group attributes, char* */
 	BUILD_IETF_GROUP_ATTR,
 	/** a ca certificate, certificate_t* */
 	BUILD_CA_CERT,
 	/** a certificate, certificate_t* */
 	BUILD_CERT,
+	/** CRL distribution point URIs, linked_list_t* containing char* */
+	BUILD_CRL_DISTRIBUTION_POINTS,
+	/** OCSP AuthorityInfoAccess locations, linked_list_t* containing char* */
+	BUILD_OCSP_ACCESS_LOCATIONS,
+	/** certificate path length constraint */
+	BUILD_PATHLEN,
 	/** enforce an additional X509 flag, x509_flag_t */
 	BUILD_X509_FLAG,
 	/** key ID of a key on a smartcard, null terminated char* ([slot:]keyid) */
 	BUILD_SMARTCARD_KEYID,
 	/** pin to access a key on a smartcard, null terminated char* */
 	BUILD_SMARTCARD_PIN,
+	/** modulus (n) of a RSA key, chunk_t */
+	BUILD_RSA_MODULUS,
+	/** public exponent (e) of a RSA key, chunk_t */
+	BUILD_RSA_PUB_EXP,
+	/** private exponent (d) of a RSA key, chunk_t */
+	BUILD_RSA_PRIV_EXP,
+	/** prime 1 (p) of a RSA key (p < q), chunk_t */
+	BUILD_RSA_PRIME1,
+	/** prime 2 (q) of a RSA key (p < q), chunk_t */
+	BUILD_RSA_PRIME2,
+	/** exponent 1 (exp1) of a RSA key, chunk_t */
+	BUILD_RSA_EXP1,
+	/** exponent 2 (exp1) of a RSA key, chunk_t */
+	BUILD_RSA_EXP2,
+	/** coefficient (coeff) of a RSA key, chunk_t */
+	BUILD_RSA_COEFF,
 	/** end of variable argument builder list */
 	BUILD_END,
 };
@@ -93,44 +130,4 @@ enum builder_part_t {
  */
 extern enum_name_t *builder_part_names;
 
-/**
- * Credential construction API.
- *
- * The builder allows the construction of credentials in a generic and
- * flexible way.
- */
-struct builder_t {
-
-	/**
-	 * Add a part to the construct.
-	 *
-	 * Any added parts are cloned/refcounted by the builder implementation, a 
-	 * caller may need to free the passed ressources themself.
-	 *
-	 * @param part		kind of part
-	 * @param ...		part specific variable argument
-	 */
-	void (*add)(builder_t *this, builder_part_t part, ...);
-	
-	/**
-	 * Build the construct with all supplied parts.
-	 *
-	 * Once build() is called, the builder gets destroyed.
-	 *
-	 * @return			specific interface, as requested with constructor.
-	 */
-	void* (*build)(builder_t *this);
-};
-
-/**
- * Helper macro to cancel a build in a builder
- */
-#define builder_cancel(builder) { (builder)->add = (void*)nop; \
-								  (builder)->build = (void*)builder_free; }
-
-/**
- * Helper function for a cancelled build.
- */
-void* builder_free(builder_t *this);
-
 #endif /** BUILDER_H_ @}*/
diff --git a/src/libstrongswan/credentials/certificates/ac.h b/src/libstrongswan/credentials/certificates/ac.h
index fb99b4756..fef7f8c65 100644
--- a/src/libstrongswan/credentials/certificates/ac.h
+++ b/src/libstrongswan/credentials/certificates/ac.h
@@ -1,9 +1,7 @@
 /*
- * Copyright (C) 2002 Ueli Galizzi, Ariane Seiler
- * Copyright (C) 2003 Martin Berner, Lukas Suter
- * Copyright (C) 2002-2008 Andreas Steffen
+ * Copyright (C) 2002-2009 Andreas Steffen
  *
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -26,6 +24,7 @@
 
 #include <library.h>
 #include <credentials/certificates/certificate.h>
+#include <credentials/ietf_attributes/ietf_attributes.h>
 
 typedef struct ac_t ac_t;
 
@@ -41,14 +40,14 @@ struct ac_t {
 	 * Implements the certificate_t interface
 	 */
 	certificate_t certificate;
-	
+
 	/**
 	 * Get the attribute certificate's serial number.
 	 *
 	 * @return			chunk pointing to serialNumber
 	 */
 	chunk_t (*get_serial)(ac_t *this);
-	
+
 	/**
 	 * Get the serial number of the holder certificate.
 	 *
@@ -64,11 +63,18 @@ struct ac_t {
 	identification_t* (*get_holderIssuer)(ac_t *this);
 
 	/**
-	 * Get the thauthorityKeyIdentifier.
+	 * Get the authorityKeyIdentifier.
+	 *
+	 * @return			authKeyIdentifier as chunk_t, to internal data
+	 */
+	chunk_t (*get_authKeyIdentifier)(ac_t *this);
+
+	/**
+	 * Get the group memberships as a list of IETF attributes
 	 *
-	 * @return			authKeyIdentifier as identification_t*
+	 * @return			object containing a list of IETF attributes
 	 */
-	identification_t* (*get_authKeyIdentifier)(ac_t *this);
+	ietf_attributes_t* (*get_groups)(ac_t *this);
 
 	/**
 	 * @brief Checks if two attribute certificates belong to the same holder
diff --git a/src/libstrongswan/credentials/certificates/certificate.c b/src/libstrongswan/credentials/certificates/certificate.c
index 041e2f1db..156d12358 100644
--- a/src/libstrongswan/credentials/certificates/certificate.c
+++ b/src/libstrongswan/credentials/certificates/certificate.c
@@ -17,16 +17,19 @@
 
 #include <credentials/certificates/x509.h>
 
-ENUM(certificate_type_names, CERT_ANY, CERT_PGP,
+ENUM(certificate_type_names, CERT_ANY, CERT_PLUTO_CRL,
 	"ANY",
 	"X509",
 	"X509_CRL",
 	"X509_OCSP_REQUEST",
 	"X509_OCSP_RESPONSE",
 	"X509_AC",
-	"X509_CHAIN",
 	"TRUSTED_PUBKEY",
+	"PKCS10_REQUEST",
 	"PGP",
+	"PLUTO_CERT",
+	"PLUTO_AC",
+	"PLUTO_CRL",
 );
 
 ENUM(cert_validation_names, VALIDATION_GOOD, VALIDATION_REVOKED,
diff --git a/src/libstrongswan/credentials/certificates/certificate.h b/src/libstrongswan/credentials/certificates/certificate.h
index 81fce5508..a4f9aa3e0 100644
--- a/src/libstrongswan/credentials/certificates/certificate.h
+++ b/src/libstrongswan/credentials/certificates/certificate.h
@@ -47,8 +47,14 @@ enum certificate_type_t {
 	CERT_X509_AC,
 	/** trusted, preinstalled public key */
 	CERT_TRUSTED_PUBKEY,
+	/** PKCS#10 certificate request */
+	CERT_PKCS10_REQUEST,
 	/** PGP certificate */
-	CERT_PGP,
+	CERT_GPG,
+	/** Pluto cert_t (not a certificate_t), either x509 or PGP */
+	CERT_PLUTO_CERT,
+	/** Pluto x509crl_t (not a certificate_t), certificate revocation list */
+	CERT_PLUTO_CRL,
 };
 
 /**
@@ -82,7 +88,7 @@ extern enum_name_t *cert_validation_names;
 /**
  * An abstract certificate.
  *
- * A certificate designs a subject-issuer relationship. It may have an 
+ * A certificate designs a subject-issuer relationship. It may have an
  * associated public key.
  */
 struct certificate_t {
@@ -90,7 +96,7 @@ struct certificate_t {
 	/**
 	 * Get the type of the certificate.
 	 *
-	 * @return			certifcate type
+	 * @return			certificate type
 	 */
 	certificate_type_t (*get_type)(certificate_t *this);
 
@@ -100,7 +106,7 @@ struct certificate_t {
 	 * @return			subject identity
 	 */
 	identification_t* (*get_subject)(certificate_t *this);
-	
+
 	/**
 	 * Check if certificate contains a subject ID.
 	 *
@@ -111,14 +117,14 @@ struct certificate_t {
 	 * @return 			matching value of best match
 	 */
 	id_match_t (*has_subject)(certificate_t *this, identification_t *subject);
-		
+
 	/**
 	 * Get the issuer which signed this certificate.
 	 *
 	 * @return			issuer identity
 	 */
 	identification_t* (*get_issuer)(certificate_t *this);
-	
+
 	/**
 	 * Check if certificate contains an issuer ID.
 	 *
@@ -129,7 +135,7 @@ struct certificate_t {
 	 * @return 			matching value of best match
 	 */
 	id_match_t (*has_issuer)(certificate_t *this, identification_t *issuer);
-	
+
 	/**
 	 * Check if this certificate is issued and signed by a specific issuer.
 	 *
@@ -137,14 +143,14 @@ struct certificate_t {
 	 * @return 			TRUE if certificate issued by issuer and trusted
 	 */
 	bool (*issued_by)(certificate_t *this, certificate_t *issuer);
-	
+
 	/**
 	 * Get the public key associated to this certificate.
 	 *
 	 * @return			newly referenced public_key, NULL if none available
 	 */
 	public_key_t* (*get_public_key)(certificate_t *this);
-	
+
 	/**
 	 * Check the lifetime of the certificate.
 	 *
@@ -155,21 +161,21 @@ struct certificate_t {
 	 */
 	bool (*get_validity)(certificate_t *this, time_t *when,
 						 time_t *not_before, time_t *not_after);
-	
+
 	/**
 	 * Is this newer than that?
 	 *
 	 * @return			TRUE if newer, FALSE otherwise
 	 */
 	bool (*is_newer)(certificate_t *this, certificate_t *that);
-	
+
 	/**
 	 * Get the certificate in an encoded form.
 	 *
 	 * @return				allocated chunk of encoded cert
 	 */
 	chunk_t (*get_encoding)(certificate_t *this);
-	
+
 	/**
 	 * Check if two certificates are equal.
 	 *
@@ -177,18 +183,18 @@ struct certificate_t {
 	 * @return				TRUE if certificates are equal
 	 */
 	bool (*equals)(certificate_t *this, certificate_t *other);
-	
+
 	/**
 	 * Get a new reference to the certificate.
 	 *
-	 * @return			this, with an increased refcount 
+	 * @return			this, with an increased refcount
 	 */
 	certificate_t* (*get_ref)(certificate_t *this);
-	
+
 	/**
-     * Destroy a certificate.
-     */
-    void (*destroy)(certificate_t *this);
+	 * Destroy a certificate.
+	 */
+	void (*destroy)(certificate_t *this);
 };
 
 #endif /** CERTIFICATE_H_ @}*/
diff --git a/src/libstrongswan/credentials/certificates/crl.c b/src/libstrongswan/credentials/certificates/crl.c
index 0d6654075..085ad16cc 100644
--- a/src/libstrongswan/credentials/certificates/crl.c
+++ b/src/libstrongswan/credentials/certificates/crl.c
@@ -16,7 +16,7 @@
 
 #include "crl.h"
 
-ENUM(crl_reason_names, CRL_UNSPECIFIED, CRL_REMOVE_FROM_CRL,
+ENUM(crl_reason_names, CRL_REASON_UNSPECIFIED, CRL_REASON_REMOVE_FROM_CRL,
 	"unspecified",
 	"key compromise",
 	"ca compromise",
diff --git a/src/libstrongswan/credentials/certificates/crl.h b/src/libstrongswan/credentials/certificates/crl.h
index 3fef0d710..4b612390c 100644
--- a/src/libstrongswan/credentials/certificates/crl.h
+++ b/src/libstrongswan/credentials/certificates/crl.h
@@ -32,14 +32,14 @@ typedef enum crl_reason_t crl_reason_t;
  * RFC 2459 CRL reason codes
  */
 enum crl_reason_t {
-    CRL_UNSPECIFIED 			= 0,
-    CRL_KEY_COMPROMISE			= 1,
-    CRL_CA_COMPROMISE			= 2,
-    CRL_AFFILIATION_CHANGED		= 3,
-    CRL_SUPERSEDED				= 4,
-    CRL_CESSATION_OF_OPERATON	= 5,
-    CRL_CERTIFICATE_HOLD		= 6,
-    CRL_REMOVE_FROM_CRL			= 8,
+	CRL_REASON_UNSPECIFIED			= 0,
+	CRL_REASON_KEY_COMPROMISE		 = 1,
+	CRL_REASON_CA_COMPROMISE		  = 2,
+	CRL_REASON_AFFILIATION_CHANGED	= 3,
+	CRL_REASON_SUPERSEDED			 = 4,
+	CRL_REASON_CESSATION_OF_OPERATON  = 5,
+	CRL_REASON_CERTIFICATE_HOLD	   = 6,
+	CRL_REASON_REMOVE_FROM_CRL		= 8,
 };
 
 /**
@@ -56,21 +56,21 @@ struct crl_t {
 	 * Implements (parts of) the certificate_t interface
 	 */
 	certificate_t certificate;
-	
+
 	/**
 	 * Get the CRL serial number.
 	 *
 	 * @return			chunk pointing to internal crlNumber
 	 */
 	chunk_t (*get_serial)(crl_t *this);
-	
+
 	/**
 	 * Get the the authorityKeyIdentifier.
 	 *
-	 * @return			authKeyIdentifier as identification_t*
+	 * @return			authKeyIdentifier chunk, point to internal data
 	 */
-	identification_t* (*get_authKeyIdentifier)(crl_t *this);
-	
+	chunk_t (*get_authKeyIdentifier)(crl_t *this);
+
 	/**
 	 * Create an enumerator over all revoked certificates.
 	 *
@@ -80,7 +80,7 @@ struct crl_t {
 	 * @return			enumerator over revoked certificates.
 	 */
 	enumerator_t* (*create_enumerator)(crl_t *this);
-	
+
 };
 
 #endif /** CRL_H_ @}*/
diff --git a/src/libstrongswan/credentials/certificates/ocsp_response.h b/src/libstrongswan/credentials/certificates/ocsp_response.h
index a70f3eee4..157577458 100644
--- a/src/libstrongswan/credentials/certificates/ocsp_response.h
+++ b/src/libstrongswan/credentials/certificates/ocsp_response.h
@@ -28,7 +28,7 @@ typedef struct ocsp_response_t ocsp_response_t;
 typedef enum ocsp_status_t ocsp_status_t;
 
 /**
- * OCSP response status 
+ * OCSP response status
  */
 enum ocsp_status_t {
 	OCSP_SUCCESSFUL 		= 0,
@@ -53,7 +53,7 @@ struct ocsp_response_t {
 	 * Implements certificiate_t interface
 	 */
 	certificate_t certificate;
-	
+
 	/**
 	 * Check the status of a certificate by this OCSP response.
 	 *
@@ -65,18 +65,18 @@ struct ocsp_response_t {
 	 * @param next_update		exptected time of next revocation list
 	 * @return					certificate revocation status
 	 */
-	cert_validation_t (*get_status)(ocsp_response_t *this, 
+	cert_validation_t (*get_status)(ocsp_response_t *this,
 									x509_t *subject, x509_t *issuer,
 									time_t *revocation_time,
 									crl_reason_t *revocation_reason,
 									time_t *this_update, time_t *next_update);
-	
+
 	/**
 	 * Create an enumerator over the contained certificates.
 	 *
 	 * @return					enumerator over certificate_t*
 	 */
-	enumerator_t* (*create_cert_enumerator)(ocsp_response_t *this);	
+	enumerator_t* (*create_cert_enumerator)(ocsp_response_t *this);
 };
 
 #endif /** OCSP_RESPONSE_H_ @}*/
diff --git a/src/libstrongswan/credentials/certificates/pgp_certificate.h b/src/libstrongswan/credentials/certificates/pgp_certificate.h
new file mode 100644
index 000000000..94a31e14d
--- /dev/null
+++ b/src/libstrongswan/credentials/certificates/pgp_certificate.h
@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pgp_certificate pgp_certificate
+ * @{ @ingroup certificates
+ */
+
+#ifndef PGP_CERTIFICATE_H_
+#define PGP_CERTIFICATE_H_
+
+#include <credentials/certificates/certificate.h>
+
+typedef struct pgp_certificate_t pgp_certificate_t;
+
+/**
+ * PGP certificate interface.
+ */
+struct pgp_certificate_t {
+
+	/**
+	 * Implements certificate_t.
+	 */
+	certificate_t interface;
+
+	/**
+	 * Get the v3 or v4 fingerprint of the PGP public key
+	 *
+	 * @return	fingerprint as chunk_t, internal data
+	 */
+	chunk_t (*get_fingerprint)(pgp_certificate_t *this);
+};
+
+#endif /** PGP_CERTIFICATE_H_ @}*/
diff --git a/src/libstrongswan/credentials/certificates/pkcs10.h b/src/libstrongswan/credentials/certificates/pkcs10.h
new file mode 100644
index 000000000..9a4979757
--- /dev/null
+++ b/src/libstrongswan/credentials/certificates/pkcs10.h
@@ -0,0 +1,57 @@
+/*
+ * Copyright (C) 2009 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup req req
+ * @{ @ingroup certificates
+ */
+
+#ifndef PKCS10_H_
+#define PKCS10_H_
+
+#include <utils/enumerator.h>
+#include <credentials/certificates/certificate.h>
+
+typedef struct pkcs10_t pkcs10_t;
+
+/**
+ * PKCS#10 certificate request interface.
+ *
+ * This interface adds additional methods to the certificate_t type to
+ * allow further operations on a certificate request.
+ */
+struct pkcs10_t {
+
+	/**
+	 * Implements certificate_t.
+	 */
+	certificate_t interface;
+
+	/**
+	 * Get the challenge password
+	 *
+	 * @return			challenge password as a chunk_t
+	 */
+	chunk_t (*get_challengePassword)(pkcs10_t *this);
+
+	/**
+	 * Get.
+	 *
+	 * @return			enumerator over subjectAltNames as identification_t*
+	 */
+	enumerator_t* (*create_subjectAltName_enumerator)(pkcs10_t *this);
+};
+
+#endif /** PKCS10_H_ @}*/
diff --git a/src/libstrongswan/credentials/certificates/x509.c b/src/libstrongswan/credentials/certificates/x509.c
index 5d53f0c68..66dc192c1 100644
--- a/src/libstrongswan/credentials/certificates/x509.c
+++ b/src/libstrongswan/credentials/certificates/x509.c
@@ -15,10 +15,14 @@
 
 #include "x509.h"
 
-ENUM(x509_flag_names, X509_CA, X509_SELF_SIGNED,
+ENUM(x509_flag_names, X509_NONE, X509_IP_ADDR_BLOCKS,
+	"X509_NONE",
 	"X509_CA",
 	"X509_AA",
 	"X509_OCSP_SIGNER",
+	"X509_SERVER_AUTH",
+	"X509_CLIENT_AUTH",
 	"X509_SELF_SIGNED",
+	"X509_IP_ADDR_BLOCKS",
 );
 
diff --git a/src/libstrongswan/credentials/certificates/x509.h b/src/libstrongswan/credentials/certificates/x509.h
index eedab78f7..172bd9696 100644
--- a/src/libstrongswan/credentials/certificates/x509.h
+++ b/src/libstrongswan/credentials/certificates/x509.h
@@ -24,6 +24,9 @@
 #include <utils/enumerator.h>
 #include <credentials/certificates/certificate.h>
 
+#define X509_NO_PATH_LEN_CONSTRAINT		-1
+#define X509_MAX_PATH_LEN				 7
+
 typedef struct x509_t x509_t;
 typedef enum x509_flag_t x509_flag_t;
 
@@ -31,14 +34,22 @@ typedef enum x509_flag_t x509_flag_t;
  * X.509 certificate flags.
  */
 enum x509_flag_t {
+	/** cert has no constraints */
+	X509_NONE =				0,
 	/** cert has CA constraint */
-	X509_CA = 			(1<<0),
+	X509_CA = 				(1<<0),
 	/** cert has AA constraint */
-	X509_AA = 			(1<<1),
+	X509_AA = 				(1<<1),
 	/** cert has OCSP signer constraint */
-	X509_OCSP_SIGNER = 	(1<<2),
+	X509_OCSP_SIGNER = 		(1<<2),
+	/** cert has serverAuth key usage */
+	X509_SERVER_AUTH = 		(1<<3),
+	/** cert has clientAuth key usage */
+	X509_CLIENT_AUTH =		(1<<4),
 	/** cert is self-signed */
-	X509_SELF_SIGNED =  (1<<3),
+	X509_SELF_SIGNED =		(1<<5),
+	/** cert has an ipAddrBlocks extension */
+	X509_IP_ADDR_BLOCKS =	(1<<6),
 };
 
 /**
@@ -58,48 +69,69 @@ struct x509_t {
 	 * Implements certificate_t.
 	 */
 	certificate_t interface;
-	
+
 	/**
 	 * Get the flags set for this certificate.
 	 *
 	 * @return			set of flags
 	 */
 	x509_flag_t (*get_flags)(x509_t *this);
-	
+
 	/**
 	 * Get the certificate serial number.
 	 *
 	 * @return			chunk pointing to internal serial number
 	 */
 	chunk_t (*get_serial)(x509_t *this);
-	
+
+	/**
+	 * Get the the subjectKeyIdentifier.
+	 *
+	 * @return			subjectKeyIdentifier as chunk_t, internal data
+	 */
+	chunk_t (*get_subjectKeyIdentifier)(x509_t *this);
+
 	/**
 	 * Get the the authorityKeyIdentifier.
 	 *
-	 * @return			authKeyIdentifier as identification_t*
+	 * @return			authKeyIdentifier as chunk_t, internal data
 	 */
-	identification_t* (*get_authKeyIdentifier)(x509_t *this);
-	
+	chunk_t (*get_authKeyIdentifier)(x509_t *this);
+
+	/**
+	 * Get an optional path length constraint.
+	 *
+	 * @return			pathLenConstraint, -1 if no constraint exists
+	 */
+	int (*get_pathLenConstraint)(x509_t *this);
+
 	/**
 	 * Create an enumerator over all subjectAltNames.
 	 *
 	 * @return			enumerator over subjectAltNames as identification_t*
 	 */
 	enumerator_t* (*create_subjectAltName_enumerator)(x509_t *this);
-	
+
 	/**
 	 * Create an enumerator over all CRL URIs.
 	 *
 	 * @return			enumerator over URIs as char*
 	 */
 	enumerator_t* (*create_crl_uri_enumerator)(x509_t *this);
-	
+
 	/**
 	 * Create an enumerator over all OCSP URIs.
 	 *
 	 * @return			enumerator over URIs as char*
 	 */
 	enumerator_t* (*create_ocsp_uri_enumerator)(x509_t *this);
+
+	/**
+	 * Create an enumerator over all ipAddrBlocks.
+	 *
+	 * @return			enumerator over ipAddrBlocks as traffic_selector_t*
+	 */
+	enumerator_t* (*create_ipAddrBlock_enumerator)(x509_t *this);
 };
 
 #endif /** X509_H_ @}*/
diff --git a/src/libstrongswan/credentials/credential_factory.c b/src/libstrongswan/credentials/credential_factory.c
index e55df0398..5139ad504 100644
--- a/src/libstrongswan/credentials/credential_factory.c
+++ b/src/libstrongswan/credentials/credential_factory.c
@@ -13,17 +13,21 @@
  * for more details.
  */
 
+#include <stdint.h>
+
 #include "credential_factory.h"
 
 #include <debug.h>
 #include <utils/linked_list.h>
-#include <utils/mutex.h>
+#include <threading/thread_value.h>
+#include <threading/rwlock.h>
 #include <credentials/certificates/x509.h>
 
 ENUM(credential_type_names, CRED_PRIVATE_KEY, CRED_CERTIFICATE,
 	"CRED_PRIVATE_KEY",
 	"CRED_PUBLIC_KEY",
 	"CRED_CERTIFICATE",
+	"CRED_PLUTO_CERT",
 );
 
 typedef struct private_credential_factory_t private_credential_factory_t;
@@ -37,12 +41,17 @@ struct private_credential_factory_t {
 	 * public functions
 	 */
 	credential_factory_t public;
-	
+
 	/**
 	 * list with entry_t
 	 */
 	linked_list_t *constructors;
-	
+
+	/**
+	 * Thread specific recursiveness counter
+	 */
+	thread_value_t *recursive;
+
 	/**
 	 * lock access to builders
 	 */
@@ -55,52 +64,19 @@ struct entry_t {
 	credential_type_t type;
 	/** subtype of credential, e.g. certificate_type_t */
 	int subtype;
-	/** builder construction function */
-	builder_constructor_t constructor;
+	/** builder function */
+	builder_function_t constructor;
 };
 
-/**
- * type/subtype filter function for builder_enumerator
- */
-static bool builder_filter(entry_t *data, entry_t **in, builder_t **out)
-{
-	if (data->type == (*in)->type &&
-		data->subtype == (*in)->subtype)
-	{
-		*out = (*in)->constructor(data->subtype);
-		return TRUE;
-	}
-	return FALSE;
-}
-
-/**
- * Implementation of credential_factory_t.create_builder_enumerator.
- */
-static enumerator_t* create_builder_enumerator(
-		private_credential_factory_t *this,	credential_type_t type, int subtype)
-{
-	entry_t *data = malloc_thing(entry_t);
-	
-	data->type = type;
-	data->subtype = subtype;
-	
-	this->lock->read_lock(this->lock);
-	return enumerator_create_cleaner(
-				enumerator_create_filter(
-					this->constructors->create_enumerator(this->constructors),
-					(void*)builder_filter, data, free), 
-				(void*)this->lock->unlock, this->lock);
-}
-
 /**
  * Implementation of credential_factory_t.add_builder_constructor.
  */
 static void add_builder(private_credential_factory_t *this,
 						credential_type_t type, int subtype,
-						builder_constructor_t constructor)
+						builder_function_t constructor)
 {
 	entry_t *entry = malloc_thing(entry_t);
-	
+
 	entry->type = type;
 	entry->subtype = subtype;
 	entry->constructor = constructor;
@@ -113,11 +89,11 @@ static void add_builder(private_credential_factory_t *this,
  * Implementation of credential_factory_t.remove_builder.
  */
 static void remove_builder(private_credential_factory_t *this,
-						   builder_constructor_t constructor)
+						   builder_function_t constructor)
 {
 	enumerator_t *enumerator;
 	entry_t *entry;
-	
+
 	this->lock->write_lock(this->lock);
 	enumerator = this->constructors->create_enumerator(this->constructors);
 	while (enumerator->enumerate(enumerator, &entry))
@@ -139,73 +115,46 @@ static void* create(private_credential_factory_t *this, credential_type_t type,
 					int subtype, ...)
 {
 	enumerator_t *enumerator;
-	builder_t *builder;
-	builder_part_t part;
+	entry_t *entry;
 	va_list args;
-	void* construct = NULL;
-	
-	enumerator = create_builder_enumerator(this, type, subtype);
-	while (enumerator->enumerate(enumerator, &builder))
+	void *construct = NULL;
+	int failures = 0;
+	uintptr_t level;
+
+	level = (uintptr_t)this->recursive->get(this->recursive);
+	this->recursive->set(this->recursive, (void*)level + 1);
+
+	this->lock->read_lock(this->lock);
+	enumerator = this->constructors->create_enumerator(this->constructors);
+	while (enumerator->enumerate(enumerator, &entry))
 	{
-		va_start(args, subtype);
-		while (TRUE)
+		if (entry->type == type && entry->subtype == subtype)
 		{
-			part = va_arg(args, builder_part_t);
-			switch (part)
+			va_start(args, subtype);
+			construct = entry->constructor(subtype, args);
+			va_end(args);
+			if (construct)
 			{
-				case BUILD_END:
-					break;
-				case BUILD_BLOB_ASN1_DER:
-				case BUILD_BLOB_PGP:
-				case BUILD_BLOB_RFC_3110:
-				case BUILD_SERIAL:
-					builder->add(builder, part, va_arg(args, chunk_t));
-					continue;
-				case BUILD_X509_FLAG:
-					builder->add(builder, part, va_arg(args, x509_flag_t));
-					continue;
-				case BUILD_KEY_SIZE:
-					builder->add(builder, part, va_arg(args, u_int));
-					continue;
-				case BUILD_NOT_BEFORE_TIME:
-				case BUILD_NOT_AFTER_TIME:
-					builder->add(builder, part, va_arg(args, time_t));
-					continue;
-				case BUILD_BLOB_ASN1_PEM:
-				case BUILD_FROM_FILE:
-				case BUILD_AGENT_SOCKET:
-				case BUILD_SIGNING_KEY:
-				case BUILD_PUBLIC_KEY:
-				case BUILD_SUBJECT:
-				case BUILD_SUBJECT_ALTNAME:
-				case BUILD_ISSUER:
-				case BUILD_ISSUER_ALTNAME:
-				case BUILD_SIGNING_CERT:
-				case BUILD_CA_CERT:
-				case BUILD_CERT:
-				case BUILD_IETF_GROUP_ATTR:
-				case BUILD_SMARTCARD_KEYID:
-				case BUILD_SMARTCARD_PIN:
-					builder->add(builder, part, va_arg(args, void*));
-					continue;
-				/* no default to get a compiler warning */
+				break;
 			}
-			break;
-		}
-		va_end(args);
-		
-		construct = builder->build(builder);
-		if (construct)
-		{
-			break;
+			failures++;
 		}
 	}
 	enumerator->destroy(enumerator);
-	if (!construct)
+	this->lock->unlock(this->lock);
+
+	if (!construct && !level)
 	{
-		DBG1("failed to create a builder for credential type %N,"
-			 " subtype (%d)", credential_type_names, type, subtype);
+		enum_name_t *names = key_type_names;
+
+		if (type == CRED_CERTIFICATE)
+		{
+			names = certificate_type_names;
+		}
+		DBG1("building %N - %N failed, tried %d builders",
+			 credential_type_names, type, names, subtype, failures);
 	}
+	this->recursive->set(this->recursive, (void*)level);
 	return construct;
 }
 
@@ -215,6 +164,7 @@ static void* create(private_credential_factory_t *this, credential_type_t type,
 static void destroy(private_credential_factory_t *this)
 {
 	this->constructors->destroy_function(this->constructors, free);
+	this->recursive->destroy(this->recursive);
 	this->lock->destroy(this->lock);
 	free(this);
 }
@@ -227,15 +177,14 @@ credential_factory_t *credential_factory_create()
 	private_credential_factory_t *this = malloc_thing(private_credential_factory_t);
 
 	this->public.create = (void*(*)(credential_factory_t*, credential_type_t type, int subtype, ...))create;
-	this->public.create_builder_enumerator = (enumerator_t*(*)(credential_factory_t*, credential_type_t type, int subtype))create_builder_enumerator;
-	this->public.add_builder = (void(*)(credential_factory_t*,credential_type_t type, int subtype, builder_constructor_t constructor))add_builder;
-	this->public.remove_builder = (void(*)(credential_factory_t*,builder_constructor_t constructor))remove_builder;
+	this->public.add_builder = (void(*)(credential_factory_t*,credential_type_t type, int subtype, builder_function_t constructor))add_builder;
+	this->public.remove_builder = (void(*)(credential_factory_t*,builder_function_t constructor))remove_builder;
 	this->public.destroy = (void(*)(credential_factory_t*))destroy;
-	
+
 	this->constructors = linked_list_create();
-	
+	this->recursive = thread_value_create(NULL);
 	this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
-	
+
 	return &this->public;
 }
 
diff --git a/src/libstrongswan/credentials/credential_factory.h b/src/libstrongswan/credentials/credential_factory.h
index 5057a7aae..e8ffb6b9d 100644
--- a/src/libstrongswan/credentials/credential_factory.h
+++ b/src/libstrongswan/credentials/credential_factory.h
@@ -47,13 +47,13 @@ extern enum_name_t *credential_type_names;
  * Manages credential construction functions and creates instances.
  */
 struct credential_factory_t {
-						 
+
 	/**
 	 * Create a credential using a list of builder_part_t's.
 	 *
 	 * The variable argument list takes builder_part_t types followed
 	 * by the type specific value. The list must be terminated using BUILD_END.
-	 * All passed parts get cloned/refcounted by the builder implementations,
+	 * All passed parts get cloned/refcounted by the builder functions,
 	 * so free up allocated ressources after successful and unsuccessful
 	 * invocations.
 	 *
@@ -64,41 +64,28 @@ struct credential_factory_t {
 	 */
 	void* (*create)(credential_factory_t *this, credential_type_t type,
 					int subtype, ...);
-	
-	/**
-	 * Create an enumerator for a builder type.
-	 *
-	 * The build() method has to be called on each enumerated builder to 
-	 * cleanup associated ressources. 
-	 *
-	 * @param type			type of credentials the builder creates
-	 * @param subtype		type specific subtype, such as certificate_type_t
-	 * @return				enumerator over builder_t
-	 */
-	enumerator_t* (*create_builder_enumerator)(credential_factory_t *this,
-										credential_type_t type, int subtype);
-	
+
 	/**
-	 * Register a builder_t constructor function.
+	 * Register a credential builder function.
 	 *
 	 * @param type			type of credential the builder creates
 	 * @param constructor	builder constructor function to register
 	 */
 	void (*add_builder)(credential_factory_t *this,
-						credential_type_t type, int subtype, 
-						builder_constructor_t constructor);
+						credential_type_t type, int subtype,
+						builder_function_t constructor);
 	/**
-	 * Unregister a builder_t constructor function.
+	 * Unregister a credential builder function.
 	 *
 	 * @param constructor	constructor function to unregister.
 	 */
-	void (*remove_builder)(credential_factory_t *this, 
-						   builder_constructor_t constructor);
-	
+	void (*remove_builder)(credential_factory_t *this,
+						   builder_function_t constructor);
+
 	/**
-     * Destroy a credential_factory instance.
-     */
-    void (*destroy)(credential_factory_t *this);
+	 * Destroy a credential_factory instance.
+	 */
+	void (*destroy)(credential_factory_t *this);
 };
 
 /**
diff --git a/src/libstrongswan/credentials/ietf_attributes/ietf_attributes.c b/src/libstrongswan/credentials/ietf_attributes/ietf_attributes.c
new file mode 100644
index 000000000..ff3ddeb6f
--- /dev/null
+++ b/src/libstrongswan/credentials/ietf_attributes/ietf_attributes.c
@@ -0,0 +1,533 @@
+/*
+ * Copyright (C) 2007-2009 Andreas Steffen
+ *
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <asn1/oid.h>
+#include <asn1/asn1.h>
+#include <asn1/asn1_parser.h>
+#include <utils/linked_list.h>
+#include <utils/lexparser.h>
+
+#include "ietf_attributes.h"
+
+/**
+ * Private definition of IETF attribute types
+ */
+typedef enum {
+	IETF_ATTRIBUTE_OCTETS =	0,
+	IETF_ATTRIBUTE_OID =	1,
+	IETF_ATTRIBUTE_STRING =	2
+} ietf_attribute_type_t;
+
+typedef struct ietf_attr_t ietf_attr_t;
+
+/**
+ * Private definition of an IETF attribute
+ */
+struct ietf_attr_t {
+	/**
+	 * IETF attribute type
+	 */
+	ietf_attribute_type_t type;
+
+	/**
+	 * IETF attribute value
+	 */
+	chunk_t value;
+
+	/**
+	 * Compares two IETF attributes
+	 *
+	 * return -1 if this is earlier in the alphabet than other
+	 * return  0 if this equals other
+	 * return +1 if this is later in the alphabet than other
+	 *
+	 * @param other		other object
+	 */
+	int (*compare) (ietf_attr_t *this, ietf_attr_t *other);
+
+	/**
+	 * Destroys an ietf_attr_t object.
+	 */
+	void (*destroy) (ietf_attr_t *this);
+};
+
+/**
+ * Implements ietf_attr_t.compare.
+ */
+static int ietf_attr_compare(ietf_attr_t *this, ietf_attr_t *other)
+{
+	int cmp_len, len, cmp_value;
+
+	/* OID attributes are appended after STRING and OCTETS attributes */
+	if (this->type != IETF_ATTRIBUTE_OID && other->type == IETF_ATTRIBUTE_OID)
+	{
+		return -1;
+	}
+	if (this->type == IETF_ATTRIBUTE_OID && other->type != IETF_ATTRIBUTE_OID)
+	{
+		return 1;
+	}
+
+	cmp_len = this->value.len - other->value.len;
+	len = (cmp_len < 0) ? this->value.len : other->value.len;
+	cmp_value = memcmp(this->value.ptr, other->value.ptr, len);
+
+	return (cmp_value == 0) ? cmp_len : cmp_value;
+}
+
+/**
+ * Implements ietf_attr_t.destroy.
+ */
+static void ietf_attr_destroy(ietf_attr_t *this)
+{
+	free(this->value.ptr);
+	free(this);
+}
+
+/**
+ * Creates an ietf_attr_t object.
+ */
+static ietf_attr_t* ietf_attr_create(ietf_attribute_type_t type, chunk_t value)
+{
+	ietf_attr_t *this = malloc_thing(ietf_attr_t);
+
+	/* initialize */
+	this->type = type;
+	this->value = chunk_clone(value);
+
+	/* function */
+	this->compare = ietf_attr_compare;
+	this->destroy = ietf_attr_destroy;
+
+	return this;
+}
+
+typedef struct private_ietf_attributes_t private_ietf_attributes_t;
+
+/**
+ * Private data of an ietf_attributes_t object.
+ */
+struct private_ietf_attributes_t {
+	/**
+	 * Public interface.
+	 */
+	ietf_attributes_t public;
+
+	/**
+	 * Printable representation of the IETF attributes
+	 */
+	char *string;
+
+	/**
+	 * Linked list of IETF attributes.
+	 */
+	linked_list_t *list;
+
+	/**
+	 * reference count
+	 */
+	refcount_t ref;
+};
+
+/**
+ * Implementation of ietf_attributes_t.get_string.
+ */
+static char* get_string(private_ietf_attributes_t *this)
+{
+	if (this->string == NULL)
+	{
+		char buf[BUF_LEN];
+		char *pos = buf;
+		int len = BUF_LEN;
+		bool first = TRUE;
+		ietf_attr_t *attr;
+		enumerator_t *enumerator;
+
+		enumerator = this->list->create_enumerator(this->list);
+		while (enumerator->enumerate(enumerator, &attr))
+		{
+			int written = 0;
+
+			if (first)
+			{
+				first = FALSE;
+			}
+			else
+			{
+				written = snprintf(pos, len, ", ");
+				pos += written;
+				len -= written; 
+			}
+
+			switch (attr->type)
+			{
+				case IETF_ATTRIBUTE_OCTETS:
+				case IETF_ATTRIBUTE_STRING:
+					written = snprintf(pos, len, "%.*s", (int)attr->value.len,
+														 attr->value.ptr);
+					break;
+				case IETF_ATTRIBUTE_OID:
+				{
+					int oid = asn1_known_oid(attr->value);
+
+					if (oid == OID_UNKNOWN)
+					{
+						written = snprintf(pos, len, "0x#B", &attr->value);
+					}
+					else
+					{
+						written = snprintf(pos, len, "%s", oid_names[oid]);
+					}
+					break;
+				}
+				default:
+					break;
+			}
+			pos += written;
+			len -= written;
+		}
+		enumerator->destroy(enumerator);
+		if (len < BUF_LEN)
+		{
+			this->string = strdup(buf);
+		}
+	}
+	return this->string;
+}
+
+/**
+ * Implementation of ietf_attributes_t.get_encoding.
+ */
+static chunk_t get_encoding(private_ietf_attributes_t *this)
+{
+	chunk_t values;
+	size_t size = 0;
+	u_char *pos;
+	ietf_attr_t *attr;
+	enumerator_t *enumerator;
+
+	/* precalculate the total size of all values */
+	enumerator = this->list->create_enumerator(this->list);
+	while (enumerator->enumerate(enumerator, &attr))
+	{
+		size_t len = attr->value.len;
+
+		size += 1 + (len > 0) + (len >= 128) + (len >= 256) + (len >= 65536) + len;
+	}
+	enumerator->destroy(enumerator);
+
+	pos = asn1_build_object(&values, ASN1_SEQUENCE, size);
+
+	enumerator = this->list->create_enumerator(this->list);
+	while (enumerator->enumerate(enumerator, &attr))
+	{
+		chunk_t ietfAttribute;
+		asn1_t type = ASN1_NULL;
+
+		switch (attr->type)
+		{
+			case IETF_ATTRIBUTE_OCTETS:
+				type = ASN1_OCTET_STRING;
+				break;
+			case IETF_ATTRIBUTE_STRING:
+				type = ASN1_UTF8STRING;
+				break;
+			case IETF_ATTRIBUTE_OID:
+				type = ASN1_OID;
+				break;
+		}
+		ietfAttribute = asn1_simple_object(type, attr->value);
+
+		/* copy ietfAttribute into values chunk */
+		memcpy(pos, ietfAttribute.ptr, ietfAttribute.len);
+		pos += ietfAttribute.len;
+		free(ietfAttribute.ptr);
+	}
+	enumerator->destroy(enumerator);
+
+	return asn1_wrap(ASN1_SEQUENCE, "m", values);
+}
+
+static bool equals(private_ietf_attributes_t *this, private_ietf_attributes_t *other)
+{
+	 bool result = TRUE;
+
+	/* lists must have the same number of attributes */
+	if (other == NULL ||
+		this->list->get_count(this->list) != other->list->get_count(other->list))
+	{
+		return FALSE;
+	}
+
+	/* compare two alphabetically-sorted lists */
+	{
+		ietf_attr_t *attr_a, *attr_b;
+		enumerator_t *enum_a, *enum_b;
+
+		enum_a = this->list->create_enumerator(this->list);
+		enum_b = other->list->create_enumerator(other->list);
+		while (enum_a->enumerate(enum_a, &attr_a) &&
+			   enum_b->enumerate(enum_b, &attr_b))
+		{
+			if (attr_a->compare(attr_a, attr_b) != 0)
+			{
+				/* we have a mismatch */
+				result = FALSE;
+				break;
+			}
+		}
+		enum_a->destroy(enum_a);
+		enum_b->destroy(enum_b);
+	}
+	return result;
+}
+
+static bool matches(private_ietf_attributes_t *this, private_ietf_attributes_t *other)
+{
+	bool result = FALSE;
+	ietf_attr_t *attr_a, *attr_b;
+	enumerator_t *enum_a, *enum_b;
+
+	/* always match if this->list does not contain any attributes */
+	if (this->list->get_count(this->list) == 0)
+	{
+		return TRUE;
+	}
+
+	/* never match if other->list does not contain any attributes */
+	if (other == NULL || other->list->get_count(other->list) == 0)
+	{
+		return FALSE;
+	}
+
+	/* get first attribute from both lists */
+	enum_a = this->list->create_enumerator(this->list);
+	enum_a->enumerate(enum_a, &attr_a);
+	enum_b = other->list->create_enumerator(other->list);
+	enum_b->enumerate(enum_b, &attr_b);
+
+	/* look for at least one common attribute */
+	while (TRUE)
+	{
+		bool cmp = attr_a->compare(attr_a, attr_b);
+
+		if (cmp == 0)
+		{
+			/* we have a match */
+			result = TRUE;
+			break;
+		}
+		if (cmp == -1)
+		{
+			/* attr_a is earlier in the alphabet, get next attr_a */
+			if (!enum_a->enumerate(enum_a, &attr_a))
+			{
+				/* we have reached the end of enum_a */
+				break;
+			}
+		}
+		else
+		{
+			/* attr_a is later in the alphabet, get next attr_b */
+			if (!enum_b->enumerate(enum_b, &attr_b))
+			{
+				/* we have reached the end of enum_b */
+				break;
+			}
+		}
+	}
+	enum_a->destroy(enum_a);
+	enum_b->destroy(enum_b);
+
+	return result;
+}
+
+/**
+ * Implementation of ietf_attributes_t.get_ref
+ */
+static private_ietf_attributes_t* get_ref(private_ietf_attributes_t *this)
+{
+	ref_get(&this->ref);
+	return this;
+}
+
+/**
+ * Implementation of ietf_attributes_t.destroy.
+ */
+static void destroy(private_ietf_attributes_t *this)
+{
+	if (ref_put(&this->ref))
+	{
+		this->list->destroy_offset(this->list, offsetof(ietf_attr_t, destroy));
+		free(this->string);
+		free(this);
+	}
+}
+
+static private_ietf_attributes_t* create_empty(void)
+{
+	private_ietf_attributes_t *this = malloc_thing(private_ietf_attributes_t);
+
+	this->public.get_string = (char* (*)(ietf_attributes_t*))get_string;
+	this->public.get_encoding = (chunk_t (*)(ietf_attributes_t*))get_encoding;
+	this->public.equals = (bool (*)(ietf_attributes_t*,ietf_attributes_t*))equals;
+	this->public.matches = (bool (*)(ietf_attributes_t*,ietf_attributes_t*))matches;
+	this->public.get_ref = (ietf_attributes_t* (*)(ietf_attributes_t*))get_ref;
+	this->public.destroy = (void (*)(ietf_attributes_t*))destroy;
+
+	this->list = linked_list_create();
+	this->string = NULL;
+	this->ref = 1;
+	return this;
+}
+
+/**
+ * Adds an ietf_attr_t object to a sorted linked list
+ */
+static void ietf_attributes_add(private_ietf_attributes_t *this,
+								ietf_attr_t *attr)
+{
+	ietf_attr_t *current_attr;
+	bool found = FALSE;
+	iterator_t *iterator;
+
+	iterator = this->list->create_iterator(this->list, TRUE);
+	while (iterator->iterate(iterator, (void **)&current_attr))
+	{
+		int cmp = attr->compare(attr, current_attr);
+
+		if (cmp > 0)
+		{
+			 continue;
+		}
+		if (cmp == 0)
+		{
+			attr->destroy(attr);
+		}
+		else
+		{
+			iterator->insert_before(iterator, attr);
+		}
+		found = TRUE;
+		break;
+	}
+	iterator->destroy(iterator);
+	if (!found)
+	{
+		this->list->insert_last(this->list, attr);
+	}
+}
+
+/*
+ * Described in header.
+ */
+ietf_attributes_t *ietf_attributes_create_from_string(char *string)
+{
+	private_ietf_attributes_t *this = create_empty();
+
+	chunk_t line = { string, strlen(string) };
+
+	while (eat_whitespace(&line))
+	{
+		chunk_t group;
+
+		/* extract the next comma-separated group attribute */
+		if (!extract_token(&group, ',', &line))
+		{
+			group = line;
+			line.len = 0;
+		}
+
+		/* remove any trailing spaces */
+		while (group.len > 0 && *(group.ptr + group.len - 1) == ' ')
+		{
+			group.len--;
+		}
+
+		/* add the group attribute to the list */
+		if (group.len > 0)
+		{
+			ietf_attr_t *attr = ietf_attr_create(IETF_ATTRIBUTE_STRING, group);
+
+			ietf_attributes_add(this, attr);
+		}
+	}
+
+	return &(this->public);
+}
+
+/**
+ * ASN.1 definition of ietfAttrSyntax
+ */
+static const asn1Object_t ietfAttrSyntaxObjects[] =
+{
+	{ 0, "ietfAttrSyntax",		ASN1_SEQUENCE,		ASN1_NONE }, /*  0 */
+	{ 1,   "policyAuthority",	ASN1_CONTEXT_C_0,	ASN1_OPT |
+													ASN1_BODY }, /*  1 */
+	{ 1,   "end opt",			ASN1_EOC,			ASN1_END  }, /*  2 */
+	{ 1,   "values",			ASN1_SEQUENCE,		ASN1_LOOP }, /*  3 */
+	{ 2,     "octets",			ASN1_OCTET_STRING,	ASN1_OPT |
+													ASN1_BODY }, /*  4 */
+	{ 2,     "end choice",		ASN1_EOC,			ASN1_END  }, /*  5 */
+	{ 2,     "oid",				ASN1_OID,			ASN1_OPT |
+													ASN1_BODY }, /*  6 */
+	{ 2,     "end choice",		ASN1_EOC,			ASN1_END  }, /*  7 */
+	{ 2,     "string",			ASN1_UTF8STRING,	ASN1_OPT |
+													ASN1_BODY }, /*  8 */
+	{ 2,     "end choice",		ASN1_EOC,			ASN1_END  }, /*  9 */
+	{ 1,   "end loop",			ASN1_EOC,			ASN1_END  }, /* 10 */
+	{ 0, "exit",				ASN1_EOC,			ASN1_EXIT }
+};
+#define IETF_ATTR_OCTETS	 4
+#define IETF_ATTR_OID		 6
+#define IETF_ATTR_STRING	 8
+
+/*
+ * Described in header.
+ */
+ietf_attributes_t *ietf_attributes_create_from_encoding(chunk_t encoded)
+{
+	private_ietf_attributes_t *this = create_empty();
+	asn1_parser_t *parser;
+	chunk_t object;
+	int objectID;
+
+	parser = asn1_parser_create(ietfAttrSyntaxObjects, encoded);
+	while (parser->iterate(parser, &objectID, &object))
+	{
+		switch (objectID)
+		{
+			case IETF_ATTR_OCTETS:
+			case IETF_ATTR_OID:
+			case IETF_ATTR_STRING:
+				{
+					ietf_attribute_type_t type;
+					ietf_attr_t *attr;
+
+					type = (objectID - IETF_ATTR_OCTETS) / 2;
+					attr   = ietf_attr_create(type, object);
+					ietf_attributes_add(this, attr);
+				}
+				break;
+			default:
+				break;
+		}
+	}
+	parser->destroy(parser);
+
+	return &(this->public);
+}
+
diff --git a/src/libstrongswan/credentials/ietf_attributes/ietf_attributes.h b/src/libstrongswan/credentials/ietf_attributes/ietf_attributes.h
new file mode 100644
index 000000000..ab6bae984
--- /dev/null
+++ b/src/libstrongswan/credentials/ietf_attributes/ietf_attributes.h
@@ -0,0 +1,92 @@
+/*
+ * Copyright (C) 2007-2009 Andreas Steffen
+ *
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ietf_attributes ietf_attributes
+ * @{ @ingroup credentials
+ */
+
+#ifndef IETF_ATTRIBUTES_H_
+#define IETF_ATTRIBUTES_H_
+
+typedef struct ietf_attributes_t ietf_attributes_t;
+
+#include <library.h>
+
+/**
+ *
+ */
+struct ietf_attributes_t {
+
+	/**
+	 * Get the an alphabetically sorted list of printable IETF attributes.
+	 *
+	 * Result points to internal data, do not free.
+	 *
+	 * @return 			a string containing printable attributes
+	 */
+	char* (*get_string) (ietf_attributes_t *this);
+
+	/**
+	 * Get the ASN.1 encoding of the IETF attributes.
+	 *
+	 * @return 			allocated chunk containing the encoded bytes
+	 */
+	chunk_t (*get_encoding) (ietf_attributes_t *this);
+
+	/**
+	 * Check for equality between two lists.
+	 *
+	 * @param other		attribute list to be checked for equality
+	 * @return 			TRUE if equal
+	 */
+	bool (*equals) (ietf_attributes_t *this, ietf_attributes_t *other);
+
+	/**
+	 * Check for common attributes between two lists.
+	 *
+	 * @param other		attribute list to be matched 
+	 * @return 			TRUE if there is at least a common attribute
+	 */
+	bool (*matches) (ietf_attributes_t *this, ietf_attributes_t *other);
+
+	/**
+	 * Get a new reference to the IETF attributes.
+	 *
+	 * @return			this, with an increased refcount
+	 */
+	ietf_attributes_t* (*get_ref)(ietf_attributes_t *this);
+
+	/**
+	 * Destroys an ietf_attributes_t object.
+	 */
+	void (*destroy) (ietf_attributes_t *this);
+};
+
+/**
+ * @param string	input string, which will be converted
+ * @return			ietf_attributes_t
+ */
+ietf_attributes_t *ietf_attributes_create_from_string(char *string);
+
+/**
+ * @param encoded	ASN.1 encoded bytes, such as from ietf_attributes.get_encoding
+ * @return			ietf_attributes_t
+ */
+ietf_attributes_t *ietf_attributes_create_from_encoding(chunk_t encoded);
+
+#endif /** IETF_ATTRIBUTES_H_ @}*/
+
diff --git a/src/libstrongswan/credentials/keys/key_encoding.c b/src/libstrongswan/credentials/keys/key_encoding.c
new file mode 100644
index 000000000..89b25226c
--- /dev/null
+++ b/src/libstrongswan/credentials/keys/key_encoding.c
@@ -0,0 +1,299 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "key_encoding.h"
+
+#include <stdint.h>
+
+#include <utils/linked_list.h>
+#include <utils/hashtable.h>
+#include <threading/rwlock.h>
+
+typedef struct private_key_encoding_t private_key_encoding_t;
+
+/**
+ * Private data of an key_encoding_t object.
+ */
+struct private_key_encoding_t {
+
+	/**
+	 * Public key_encoding_t interface.
+	 */
+	key_encoding_t public;
+
+	/**
+	 * cached encodings, a table for each encoding_type_t, containing chunk_t*
+	 */
+	hashtable_t *cache[KEY_ENCODING_MAX];
+
+	/**
+	 * Registered encoding fuctions, key_encoder_t
+	 */
+	linked_list_t *encoders;
+
+	/**
+	 * lock to access cache/encoders
+	 */
+	rwlock_t *lock;
+};
+
+/**
+ * See header.
+ */
+bool key_encoding_args(va_list args, ...)
+{
+	va_list parts, copy;
+	bool failed = FALSE;
+
+	va_start(parts, args);
+
+	while (!failed)
+	{
+		key_encoding_part_t current, target;
+		chunk_t *out, data;
+
+		/* get the part we are looking for */
+		target = va_arg(parts, key_encoding_part_t);
+		if (target == KEY_PART_END)
+		{
+			break;
+		}
+		out = va_arg(parts, chunk_t*);
+
+		va_copy(copy, args);
+		while (!failed)
+		{
+			current = va_arg(copy, key_encoding_part_t);
+			if (current == KEY_PART_END)
+			{
+				failed = TRUE;
+				break;
+			}
+			data = va_arg(copy, chunk_t);
+			if (current == target)
+			{
+				*out = data;
+				break;
+			}
+		}
+		va_end(copy);
+	}
+	va_end(parts);
+	return !failed;
+}
+
+/**
+ * hashtable hash() function
+ */
+static u_int hash(void *key)
+{
+	return (uintptr_t)key;
+}
+
+/**
+ * hashtable equals() function
+ */
+static bool equals(void *key1, void *key2)
+{
+	return key1 == key2;
+}
+
+/**
+ * Implementation of key_encoding_t.get_cache
+ */
+static bool get_cache(private_key_encoding_t *this, key_encoding_type_t type,
+					  void *cache, chunk_t *encoding)
+{
+	chunk_t *chunk;
+
+	if (type >= KEY_ENCODING_MAX || type < 0)
+	{
+		return FALSE;
+	}
+	this->lock->read_lock(this->lock);
+	chunk = this->cache[type]->get(this->cache[type], cache);
+	if (chunk)
+	{
+		*encoding = *chunk;
+	}
+	this->lock->unlock(this->lock);
+	return !!chunk;
+}
+
+/**
+ * Implementation of key_encoding_t.encode
+ */
+static bool encode(private_key_encoding_t *this, key_encoding_type_t type,
+				   void *cache, chunk_t *encoding, ...)
+{
+	enumerator_t *enumerator;
+	va_list args, copy;
+	key_encoder_t encode;
+	bool success = FALSE;
+	chunk_t *chunk;
+
+	if (type >= KEY_ENCODING_MAX || type < 0)
+	{
+		return FALSE;
+	}
+	this->lock->read_lock(this->lock);
+	if (cache)
+	{
+		chunk = this->cache[type]->get(this->cache[type], cache);
+		if (chunk)
+		{
+			*encoding = *chunk;
+			this->lock->unlock(this->lock);
+			return TRUE;
+		}
+	}
+	va_start(args, encoding);
+	enumerator = this->encoders->create_enumerator(this->encoders);
+	while (enumerator->enumerate(enumerator, &encode))
+	{
+		va_copy(copy, args);
+		success = encode(type, encoding, copy);
+		va_end(copy);
+		if (success)
+		{
+			if (cache)
+			{
+				chunk = malloc_thing(chunk_t);
+				*chunk = *encoding;
+				this->lock->unlock(this->lock);
+				this->lock->write_lock(this->lock);
+				this->cache[type]->put(this->cache[type], cache, chunk);
+			}
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	va_end(args);
+	this->lock->unlock(this->lock);
+	return success;
+}
+
+/**
+ * Implementation of key_encoding_t.cache
+ */
+static void cache(private_key_encoding_t *this, key_encoding_type_t type,
+				  void *cache, chunk_t encoding)
+{
+	chunk_t *chunk;
+
+	if (type >= KEY_ENCODING_MAX || type < 0)
+	{
+		return free(encoding.ptr);
+	}
+	chunk = malloc_thing(chunk_t);
+	*chunk = encoding;
+	this->lock->write_lock(this->lock);
+	chunk = this->cache[type]->put(this->cache[type], cache, chunk);
+	this->lock->unlock(this->lock);
+	/* free an encoding already associated to the cache */
+	if (chunk)
+	{
+		free(chunk->ptr);
+		free(chunk);
+	}
+}
+
+/**
+ * Implementation of key_encoding_t.clear_cache
+ */
+static void clear_cache(private_key_encoding_t *this, void *cache)
+{
+	key_encoding_type_t type;
+	chunk_t *chunk;
+
+	this->lock->write_lock(this->lock);
+	for (type = 0; type < KEY_ENCODING_MAX; type++)
+	{
+		chunk = this->cache[type]->remove(this->cache[type], cache);
+		if (chunk)
+		{
+			chunk_free(chunk);
+			free(chunk);
+		}
+	}
+	this->lock->unlock(this->lock);
+}
+
+/**
+ * Implementation of key_encoding_t.add_encoder
+ */
+static void add_encoder(private_key_encoding_t *this, key_encoder_t encoder)
+{
+	this->lock->write_lock(this->lock);
+	this->encoders->insert_last(this->encoders, encoder);
+	this->lock->unlock(this->lock);
+}
+
+/**
+ * Implementation of key_encoding_t.remove_encoder
+ */
+static void remove_encoder(private_key_encoding_t *this, key_encoder_t encoder)
+{
+	this->lock->write_lock(this->lock);
+	this->encoders->remove(this->encoders, encoder, NULL);
+	this->lock->unlock(this->lock);
+}
+
+/**
+ * Implementation of key_encoder_t.destroy.
+ */
+static void destroy(private_key_encoding_t *this)
+{
+	key_encoding_type_t type;
+
+	for (type = 0; type < KEY_ENCODING_MAX; type++)
+	{
+		/* We explicitly do not free remaining encodings. All keys should
+		 * have gone now, and they are responsible for cleaning out their
+		 * cache entries. Not flushing here allows the leak detective to
+		 * complain if a key did not flush cached encodings. */
+		this->cache[type]->destroy(this->cache[type]);
+	}
+	this->encoders->destroy(this->encoders);
+	this->lock->destroy(this->lock);
+	free(this);
+}
+
+/**
+ * See header
+ */
+key_encoding_t *key_encoding_create()
+{
+	private_key_encoding_t *this = malloc_thing(private_key_encoding_t);
+	key_encoding_type_t type;
+
+	this->public.encode = (bool(*)(key_encoding_t*, key_encoding_type_t type, void *cache, chunk_t *encoding, ...))encode;
+	this->public.get_cache = (bool(*)(key_encoding_t*, key_encoding_type_t type, void *cache, chunk_t *encoding))get_cache;
+	this->public.cache = (void(*)(key_encoding_t*, key_encoding_type_t type, void *cache, chunk_t encoding))cache;
+	this->public.clear_cache = (void(*)(key_encoding_t*, void *cache))clear_cache;
+	this->public.add_encoder = (void(*)(key_encoding_t*, key_encoder_t encoder))add_encoder;
+	this->public.remove_encoder = (void(*)(key_encoding_t*, key_encoder_t encoder))remove_encoder;
+	this->public.destroy = (void(*)(key_encoding_t*))destroy;
+
+	for (type = 0; type < KEY_ENCODING_MAX; type++)
+	{
+		this->cache[type] = hashtable_create(hash, equals, 8);
+	}
+	this->encoders = linked_list_create();
+	this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
+
+	return &this->public;
+}
+
diff --git a/src/libstrongswan/credentials/keys/key_encoding.h b/src/libstrongswan/credentials/keys/key_encoding.h
new file mode 100644
index 000000000..384117166
--- /dev/null
+++ b/src/libstrongswan/credentials/keys/key_encoding.h
@@ -0,0 +1,203 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup key_encoding key_encoding
+ * @{ @ingroup keys
+ */
+
+#ifndef KEY_ENCODING_H_
+#define KEY_ENCODING_H_
+
+typedef struct key_encoding_t key_encoding_t;
+typedef enum key_encoding_type_t key_encoding_type_t;
+typedef enum key_encoding_part_t key_encoding_part_t;
+
+#include <library.h>
+
+/**
+ * Key encoder function implementing encoding/fingerprinting.
+ *
+ * The variable argument list takes key_encoding_part_t, followed by part
+ * specific arguments, terminated by KEY_PART_END.
+ *
+ * @param type		format to encode the key to
+ * @param args		list of (key_encoding_part_t, data)
+ * @param encoding	encoding result, allocated
+ * @return			TRUE if encoding successful
+ */
+typedef bool (*key_encoder_t)(key_encoding_type_t type, chunk_t *encoding,
+							  va_list args);
+
+/**
+ * Helper function for key_encoder_t implementations to parse argument list.
+ *
+ * Key encoder functions get a variable argument list to parse. To simplify
+ * the job, this function reads the arguments and returns chunks for each
+ * part.
+ * The argument list of this function takes a key_encoding_part_t, followed
+ * by a data pointer receiving the value, terminated by KEY_PART_END.
+ *
+ * @param args		argument list passed to key encoder function
+ * @param ...		list of (key_encoding_part_t, data*)
+ * @return			TRUE if all parts found, FALSE otherwise
+ */
+bool key_encoding_args(va_list args, ...);
+
+/**
+ * Encoding type of a fingerprint/private-/public-key.
+ *
+ * Fingerprints have have the KEY_ID_*, public keys the KEY_PUB_* and
+ * private keys the KEY_PRIV_* prefix.
+ */
+enum key_encoding_type_t {
+	/** SHA1 fingerprint over subjectPublicKeyInfo */
+	KEY_ID_PUBKEY_INFO_SHA1 = 0,
+	/** SHA1 fingerprint over subjectPublicKey */
+	KEY_ID_PUBKEY_SHA1,
+	/** PGPv3 fingerprint */
+	KEY_ID_PGPV3,
+	/** PGPv4 fingerprint */
+	KEY_ID_PGPV4,
+
+	KEY_ID_MAX,
+
+	/** PKCS#1 and similar ASN.1 key encoding */
+	KEY_PUB_ASN1_DER,
+	KEY_PRIV_ASN1_DER,
+	/** subjectPublicKeyInfo encoding */
+	KEY_PUB_SPKI_ASN1_DER,
+	/** PEM oncoded PKCS#1 key */
+	KEY_PUB_PEM,
+	KEY_PRIV_PEM,
+	/** PGP key encoding */
+	KEY_PUB_PGP,
+	KEY_PRIV_PGP,
+
+	KEY_ENCODING_MAX,
+};
+
+/**
+ * Parts of a key to encode.
+ */
+enum key_encoding_part_t {
+	/** modulus of a RSA key, n */
+	KEY_PART_RSA_MODULUS,
+	/** public exponent of a RSA key, e */
+	KEY_PART_RSA_PUB_EXP,
+	/** private exponent of a RSA key, d */
+	KEY_PART_RSA_PRIV_EXP,
+	/** prime1 a RSA key, p */
+	KEY_PART_RSA_PRIME1,
+	/** prime2 a RSA key, q */
+	KEY_PART_RSA_PRIME2,
+	/** exponent1 a RSA key, exp1 */
+	KEY_PART_RSA_EXP1,
+	/** exponent1 a RSA key, exp2 */
+	KEY_PART_RSA_EXP2,
+	/** coefficient of RSA key, coeff */
+	KEY_PART_RSA_COEFF,
+	/** a DER encoded RSA public key */
+	KEY_PART_RSA_PUB_ASN1_DER,
+	/** a DER encoded RSA private key */
+	KEY_PART_RSA_PRIV_ASN1_DER,
+	/** a DER encoded ECDSA public key */
+	KEY_PART_ECDSA_PUB_ASN1_DER,
+	/** a DER encoded ECDSA private key */
+	KEY_PART_ECDSA_PRIV_ASN1_DER,
+
+	KEY_PART_END,
+};
+
+/**
+ * Private/Public key encoding and fingerprinting facility.
+ */
+struct key_encoding_t {
+
+	/**
+	 * Encode a key into a format using several key parts, optional caching.
+	 *
+	 * The variable argument list takes key_encoding_part_t, followed by part
+	 * specific arguments, terminated by KEY_PART_END.
+	 * If a cache key is given, the returned encoding points to internal data:
+	 * do not free or modify. If no cache key is given, the encoding is
+	 * allocated and must be freed by the caller.
+	 *
+	 * @param type			format the key should be encoded to
+	 * @param cache			key to use for caching, NULL to not cache
+	 * @param encoding		encoding result, allocated if caching disabled
+	 * @param ...			list of (key_encoding_part_t, data)
+	 * @return				TRUE if encoding successful
+	 */
+	bool (*encode)(key_encoding_t *this, key_encoding_type_t type, void *cache,
+				   chunk_t *encoding, ...);
+
+	/**
+	 * Clear all cached encodings of a given cache key.
+	 *
+	 * @param cache			key used in encode() for caching
+	 */
+	void (*clear_cache)(key_encoding_t *this, void *cache);
+
+	/**
+	 * Check for a cached encoding.
+	 *
+	 * @param type			format of the key encoding
+	 * @param cache			key to use for caching, as given to encode()
+	 * @param encoding		encoding result, internal data
+	 * @return				TRUE if cache entry found
+	 */
+	bool (*get_cache)(key_encoding_t *this, key_encoding_type_t type,
+					  void *cache, chunk_t *encoding);
+
+	/**
+	 * Cache a key encoding created externally.
+	 *
+	 * After calling cache(), the passed encoding is owned by the key encoding
+	 * facility.
+	 *
+	 * @param type			format of the key encoding
+	 * @param cache			key to use for caching, as given to encode()
+	 * @param encoding		encoding to cache, gets owned by this
+	 */
+	void (*cache)(key_encoding_t *this, key_encoding_type_t type, void *cache,
+				  chunk_t encoding);
+
+	/**
+	 * Register a key encoder function.
+	 *
+	 * @param encoder		key encoder function to add
+	 */
+	void (*add_encoder)(key_encoding_t *this, key_encoder_t encoder);
+
+	/**
+	 * Unregister a previously registered key encoder function.
+	 *
+	 * @param encoder		key encoder function to remove
+	 */
+	void (*remove_encoder)(key_encoding_t *this, key_encoder_t encoder);
+
+	/**
+	 * Destroy a key_encoding_t.
+	 */
+	void (*destroy)(key_encoding_t *this);
+};
+
+/**
+ * Create a key_encoding instance.
+ */
+key_encoding_t *key_encoding_create();
+
+#endif /** KEY_ENCODING_H_ @}*/
diff --git a/src/libstrongswan/credentials/keys/private_key.c b/src/libstrongswan/credentials/keys/private_key.c
index 0a01d0385..c3b5ac55b 100644
--- a/src/libstrongswan/credentials/keys/private_key.c
+++ b/src/libstrongswan/credentials/keys/private_key.c
@@ -15,3 +15,65 @@
 
 #include "private_key.h"
 
+/**
+ * See header.
+ */
+bool private_key_equals(private_key_t *this, private_key_t *other)
+{
+	key_encoding_type_t type;
+	chunk_t a, b;
+
+	if (this == other)
+	{
+		return TRUE;
+	}
+
+	for (type = 0; type < KEY_ENCODING_MAX; type++)
+	{
+		if (this->get_fingerprint(this, type, &a) &&
+			other->get_fingerprint(other, type, &b))
+		{
+			return chunk_equals(a, b);
+		}
+	}
+	return FALSE;
+}
+
+/**
+ * See header.
+ */
+bool private_key_belongs_to(private_key_t *private, public_key_t *public)
+{
+	key_encoding_type_t type;
+	chunk_t a, b;
+
+	for (type = 0; type < KEY_ENCODING_MAX; type++)
+	{
+		if (private->get_fingerprint(private, type, &a) &&
+			public->get_fingerprint(public, type, &b))
+		{
+			return chunk_equals(a, b);
+		}
+	}
+	return FALSE;
+}
+
+/**
+ * See header.
+ */
+bool private_key_has_fingerprint(private_key_t *private, chunk_t fingerprint)
+{
+	key_encoding_type_t type;
+	chunk_t current;
+
+	for (type = 0; type < KEY_ID_MAX; type++)
+	{
+		if (private->get_fingerprint(private, type, &current) &&
+			chunk_equals(current, fingerprint))
+		{
+			return TRUE;
+		}
+	}
+	return FALSE;
+}
+
diff --git a/src/libstrongswan/credentials/keys/private_key.h b/src/libstrongswan/credentials/keys/private_key.h
index f38af8ff4..d4517f296 100644
--- a/src/libstrongswan/credentials/keys/private_key.h
+++ b/src/libstrongswan/credentials/keys/private_key.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  */
- 
+
 /**
  * @defgroup private_key private_key
  * @{ @ingroup keys
@@ -23,7 +23,6 @@
 
 typedef struct private_key_t private_key_t;
 
-#include <utils/identification.h>
 #include <credentials/keys/public_key.h>
 
 /**
@@ -46,7 +45,7 @@ struct private_key_t {
 	 * @param signature	where to allocate created signature
 	 * @return			TRUE if signature created
 	 */
-	bool (*sign)(private_key_t *this, signature_scheme_t scheme, 
+	bool (*sign)(private_key_t *this, signature_scheme_t scheme,
 				 chunk_t data, chunk_t *signature);
 	/**
 	 * Decrypt a chunk of data.
@@ -56,32 +55,24 @@ struct private_key_t {
 	 * @return			TRUE if data decrypted and plaintext allocated
 	 */
 	bool (*decrypt)(private_key_t *this, chunk_t crypto, chunk_t *plain);
-	
+
 	/**
 	 * Get the strength of the key in bytes.
-	 * 
+	 *
 	 * @return			strength of the key in bytes
 	 */
 	size_t (*get_keysize) (private_key_t *this);
 
-	/**
-	 * Get a unique key identifier, such as a hash over the public key.
-	 * 
-	 * @param type		type of the key ID to get
-	 * @return			unique ID of the key as identification_t, or NULL
-	 */
-	identification_t* (*get_id) (private_key_t *this, id_type_t type);
-	
 	/**
 	 * Get the public part from the private key.
 	 *
 	 * @return			public key
 	 */
 	public_key_t* (*get_public_key)(private_key_t *this);
-	
+
 	/**
 	 * Check if two private keys are equal.
-	 * 
+	 *
 	 * @param other		other private key
 	 * @return			TRUE, if equality
 	 */
@@ -89,32 +80,78 @@ struct private_key_t {
 
 	/**
 	 * Check if a private key belongs to a public key.
-	 * 
+	 *
 	 * @param public	public key
 	 * @return			TRUE, if keys belong together
 	 */
 	bool (*belongs_to) (private_key_t *this, public_key_t *public);
-	
+
 	/**
-	 * Get an encoded form of the private key.
+	 * Get the fingerprint of the key.
 	 *
-	 * @todo Do we need a encoding type specification?
+	 * @param type		type of fingerprint, one of KEY_ID_*
+	 * @param fp		fingerprint, points to internal data
+	 * @return			TRUE if fingerprint type supported
+	 */
+	bool (*get_fingerprint)(private_key_t *this, key_encoding_type_t type,
+							chunk_t *fp);
+
+	/**
+	 * Check if a key has a given fingerprint of any kind.
 	 *
-	 * @return			allocated chunk containing encoded private key
+	 * @param fp		fingerprint to check
+	 * @return			TRUE if key has given fingerprint
 	 */
-	chunk_t (*get_encoding)(private_key_t *this);	
-	
+	bool (*has_fingerprint)(private_key_t *this, chunk_t fp);
+
+	/**
+	 * Get the key in an encoded form as a chunk.
+	 *
+	 * @param type		type of the encoding, one of KEY_PRIV_*
+	 * @param encoding	encoding of the key, allocated
+	 * @return			TRUE if encoding supported
+	 */
+	bool (*get_encoding)(private_key_t *this, key_encoding_type_t type,
+						 chunk_t *encoding);
+
 	/**
 	 * Increase the refcount to this private key.
 	 *
 	 * @return			this, with an increased refcount
 	 */
 	private_key_t* (*get_ref)(private_key_t *this);
-		
+
 	/**
-     * Decrease refcount, destroy private_key if no more references.
-     */
-    void (*destroy)(private_key_t *this);
+	 * Decrease refcount, destroy private_key if no more references.
+	 */
+	void (*destroy)(private_key_t *this);
 };
 
+/**
+ * Generic private key equals() implementation, usable by implementors.
+ *
+ * @param this			first key to compare
+ * @param other			second key to compare
+ * @return				TRUE if this is equal to other
+ */
+bool private_key_equals(private_key_t *this, private_key_t *other);
+
+/**
+ * Generic private key belongs_to() implementation, usable by implementors.
+ *
+ * @param private		private key to check
+ * @param public		public key to compare
+ * @return				TRUE if this is equal to other
+ */
+bool private_key_belongs_to(private_key_t *private, public_key_t *public);
+
+/**
+ * Generic private key has_fingerprint() implementation, usable by implementors.
+ *
+ * @param this			key to check fingerprint
+ * @param fingerprint	fingerprint to check
+ * @return				TRUE if key has given fingerprint
+ */
+bool private_key_has_fingerprint(private_key_t *this, chunk_t fingerprint);
+
 #endif /** PRIVATE_KEY_H_ @}*/
diff --git a/src/libstrongswan/credentials/keys/public_key.c b/src/libstrongswan/credentials/keys/public_key.c
index a5f547038..ba3036793 100644
--- a/src/libstrongswan/credentials/keys/public_key.c
+++ b/src/libstrongswan/credentials/keys/public_key.c
@@ -32,13 +32,59 @@ ENUM(signature_scheme_names, SIGN_UNKNOWN, SIGN_ECDSA_521,
 	"RSA_EMSA_PKCS1_SHA256",
 	"RSA_EMSA_PKCS1_SHA384",
 	"RSA_EMSA_PKCS1_SHA512",
+	"ECDSA_WITH_SHA1_DER",
+	"ECDSA_WITH_SHA256_DER",
+	"ECDSA_WITH_SHA384_DER",
+	"ECDSA_WITH_SHA512_DER",
 	"ECDSA_WITH_NULL",
-	"ECDSA_WITH_SHA1",
 	"ECDSA-256",
 	"ECDSA-384",
 	"ECDSA-521",
 );
 
+/**
+ * See header.
+ */
+bool public_key_equals(public_key_t *this, public_key_t *other)
+{
+	key_encoding_type_t type;
+	chunk_t a, b;
+
+	if (this == other)
+	{
+		return TRUE;
+	}
+
+	for (type = 0; type < KEY_ENCODING_MAX; type++)
+	{
+		if (this->get_fingerprint(this, type, &a) &&
+			other->get_fingerprint(other, type, &b))
+		{
+			return chunk_equals(a, b);
+		}
+	}
+	return FALSE;
+}
+
+/**
+ * See header.
+ */
+bool public_key_has_fingerprint(public_key_t *public, chunk_t fingerprint)
+{
+	key_encoding_type_t type;
+	chunk_t current;
+
+	for (type = 0; type < KEY_ID_MAX; type++)
+	{
+		if (public->get_fingerprint(public, type, &current) &&
+			chunk_equals(current, fingerprint))
+		{
+			return TRUE;
+		}
+	}
+	return FALSE;
+}
+
 /*
  * Defined in header.
  */
@@ -66,13 +112,13 @@ signature_scheme_t signature_scheme_from_oid(int oid)
 			return SIGN_RSA_EMSA_PKCS1_SHA512;
 		case OID_ECDSA_WITH_SHA1:
 		case OID_EC_PUBLICKEY:
-			return SIGN_ECDSA_WITH_SHA1;
+			return SIGN_ECDSA_WITH_SHA1_DER;
 		case OID_ECDSA_WITH_SHA256:
-			return SIGN_ECDSA_256;
+			return SIGN_ECDSA_WITH_SHA256_DER;
 		case OID_ECDSA_WITH_SHA384:
-			return SIGN_ECDSA_384;
+			return SIGN_ECDSA_WITH_SHA384_DER;
 		case OID_ECDSA_WITH_SHA512:
-			return SIGN_ECDSA_521;
+			return SIGN_ECDSA_WITH_SHA512_DER;
 		default:
 			return SIGN_UNKNOWN;
 	}
diff --git a/src/libstrongswan/credentials/keys/public_key.h b/src/libstrongswan/credentials/keys/public_key.h
index be5f3bde6..a421e7b5b 100644
--- a/src/libstrongswan/credentials/keys/public_key.h
+++ b/src/libstrongswan/credentials/keys/public_key.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  */
- 
+
 /**
  * @defgroup public_key public_key
  * @{ @ingroup keys
@@ -28,6 +28,7 @@ typedef enum signature_scheme_t signature_scheme_t;
 
 #include <library.h>
 #include <utils/identification.h>
+#include <credentials/keys/key_encoding.h>
 
 /**
  * Type of a key pair, the used crypto system
@@ -53,9 +54,8 @@ extern enum_name_t *key_type_names;
  * Signature scheme for signature creation
  *
  * EMSA-PKCS1 signatures are defined in PKCS#1 standard.
- * A prepended ASN.1 encoded digestInfo field contains the 
- * OID of the used hash algorithm. The ASN.1 type of the PKCS#7
- * variants is OCTET_STRING instead of the default BIT_STRING.
+ * A prepended ASN.1 encoded digestInfo field contains the
+ * OID of the used hash algorithm.
  */
 enum signature_scheme_t {
 	/** Unknown signature scheme                                       */
@@ -74,10 +74,16 @@ enum signature_scheme_t {
 	SIGN_RSA_EMSA_PKCS1_SHA384,
 	/** EMSA-PKCS1_v1.5 signature as in PKCS#1 using RSA and SHA-512   */
 	SIGN_RSA_EMSA_PKCS1_SHA512,
-	/** ECDSA over precomputed digest                                  */
+	/** ECDSA with SHA-1 using DER encoding as in RFC 3279             */
+	SIGN_ECDSA_WITH_SHA1_DER,
+	/** ECDSA with SHA-256 using DER encoding as in RFC 3279           */
+	SIGN_ECDSA_WITH_SHA256_DER,
+	/** ECDSA with SHA-384 using DER encoding as in RFC 3279           */
+	SIGN_ECDSA_WITH_SHA384_DER,
+	/** ECDSA with SHA-1 using DER encoding as in RFC 3279             */
+	SIGN_ECDSA_WITH_SHA512_DER,
+	/** ECDSA over precomputed digest, signature as in RFC 4754        */
 	SIGN_ECDSA_WITH_NULL,
-	/** ECDSA with SHA-1                                               */
-	SIGN_ECDSA_WITH_SHA1,
 	/** ECDSA on the P-256 curve with SHA-256 as in RFC 4754           */
 	SIGN_ECDSA_256,
 	/** ECDSA on the P-384 curve with SHA-384 as in RFC 4754           */
@@ -102,7 +108,7 @@ struct public_key_t {
 	 * @return			type of the key
 	 */
 	key_type_t (*get_type)(public_key_t *this);
-	
+
 	/**
 	 * Verifies a signature against a chunk of data.
 	 *
@@ -111,9 +117,9 @@ struct public_key_t {
 	 * @param signature	signature to check
 	 * @return			TRUE if signature matches
 	 */
-	bool (*verify)(public_key_t *this, signature_scheme_t scheme, 
+	bool (*verify)(public_key_t *this, signature_scheme_t scheme,
 				   chunk_t data, chunk_t signature);
-	
+
 	/**
 	 * Encrypt a chunk of data.
 	 *
@@ -122,10 +128,10 @@ struct public_key_t {
 	 * @return 			TRUE if data successfully encrypted
 	 */
 	bool (*encrypt)(public_key_t *this, chunk_t plain, chunk_t *crypto);
-	
+
 	/**
 	 * Check if two public keys are equal.
-	 * 
+	 *
 	 * @param other		other public key
 	 * @return			TRUE, if equality
 	 */
@@ -133,44 +139,73 @@ struct public_key_t {
 
 	/**
 	 * Get the strength of the key in bytes.
-	 * 
+	 *
 	 * @return			strength of the key in bytes
 	 */
 	size_t (*get_keysize) (public_key_t *this);
 
 	/**
-	 * Get a unique key identifier, such as a hash over the key.
-	 * 
-	 * @param type		type of the key ID to get
-	 * @return			unique ID of the key as identification_t, or NULL
+	 * Get the fingerprint of the key.
+	 *
+	 * @param type		type of fingerprint, one of KEY_ID_*
+	 * @param fp		fingerprint, points to internal data
+	 * @return			TRUE if fingerprint type supported
 	 */
-	identification_t* (*get_id) (public_key_t *this, id_type_t type);
-	
+	bool (*get_fingerprint)(public_key_t *this, key_encoding_type_t type,
+							chunk_t *fp);
+
 	/**
-	 * Get an encoded form of the key.
+	 * Check if a key has a given fingerprint of any kind.
 	 *
-	 * @todo Do we need a encoding type specification?
+	 * @param fp		fingerprint to check
+	 * @return			TRUE if key has given fingerprint
+	 */
+	bool (*has_fingerprint)(public_key_t *this, chunk_t fp);
+
+	/**
+	 * Get the key in an encoded form as a chunk.
 	 *
-	 * @return			allocated chunk containing encoded key
+	 * @param type		type of the encoding, one of KEY_PRIV_*
+	 * @param encoding	encoding of the key, allocated
+	 * @return			TRUE if encoding supported
 	 */
-	chunk_t (*get_encoding)(public_key_t *this);	
-	
+	bool (*get_encoding)(public_key_t *this, key_encoding_type_t type,
+						 chunk_t *encoding);
+
 	/**
 	 * Increase the refcount of the key.
 	 *
 	 * @return			this with an increased refcount
 	 */
 	public_key_t* (*get_ref)(public_key_t *this);
-	
+
 	/**
 	 * Destroy a public_key instance.
 	 */
 	void (*destroy)(public_key_t *this);
 };
 
+/**
+ * Generic public key equals() implementation, usable by implementors.
+ *
+ * @param this			first key to compare
+ * @param other			second key to compare
+ * @return				TRUE if this is equal to other
+ */
+bool public_key_equals(public_key_t *this, public_key_t *other);
+
+/**
+ * Generic public key has_fingerprint() implementation, usable by implementors.
+ *
+ * @param this			key to check fingerprint
+ * @param fingerprint	fingerprint to check
+ * @return				TRUE if key has given fingerprint
+ */
+bool public_key_has_fingerprint(public_key_t *this, chunk_t fingerprint);
+
 /**
  * Conversion of ASN.1 signature or hash OID to signature scheme.
- * 
+ *
  * @param oid			ASN.1 OID
  * @return				signature_scheme, SIGN_UNKNOWN if OID is unsupported
  */
diff --git a/src/libstrongswan/credentials/keys/shared_key.c b/src/libstrongswan/credentials/keys/shared_key.c
index c6f141446..f695c078d 100644
--- a/src/libstrongswan/credentials/keys/shared_key.c
+++ b/src/libstrongswan/credentials/keys/shared_key.c
@@ -34,17 +34,17 @@ struct private_shared_key_t {
 	 * public functions
 	 */
 	shared_key_t public;
-	
+
 	/**
 	 * type of this shared key
 	 */
 	shared_key_type_t type;
-	
+
 	/**
 	 * associated shared key data
 	 */
 	chunk_t key;
-	
+
 	/**
 	 * reference counter
 	 */
@@ -94,16 +94,16 @@ static void destroy(private_shared_key_t *this)
 shared_key_t *shared_key_create(shared_key_type_t type, chunk_t key)
 {
 	private_shared_key_t *this = malloc_thing(private_shared_key_t);
-	
+
 	this->public.get_type = (shared_key_type_t (*)(shared_key_t *this))get_type;
 	this->public.get_key = (chunk_t (*)(shared_key_t *this))get_key;
 	this->public.get_ref = (shared_key_t* (*)(shared_key_t *this))get_ref;
 	this->public.destroy = (void(*)(shared_key_t*))destroy;
-	
+
 	this->type = type;
 	this->key = key;
 	this->ref = 1;
-	
+
 	return &this->public;
 }
 
diff --git a/src/libstrongswan/credentials/keys/shared_key.h b/src/libstrongswan/credentials/keys/shared_key.h
index ceb1309b7..fe7bc86be 100644
--- a/src/libstrongswan/credentials/keys/shared_key.h
+++ b/src/libstrongswan/credentials/keys/shared_key.h
@@ -55,32 +55,32 @@ extern enum_name_t *shared_key_type_names;
  * reading.
  */
 struct shared_key_t {
-	
+
 	/**
 	 * Get the kind of this key.
 	 *
 	 * @return			type of the key
 	 */
 	shared_key_type_t (*get_type)(shared_key_t *this);
-	
+
 	/**
 	 * Get the shared key data.
 	 *
 	 * @return			chunk pointing to the internal key
 	 */
 	chunk_t (*get_key)(shared_key_t *this);
-	
-	/** 
+
+	/**
 	 * Increase refcount of the key.
 	 *
-	 * @return			this with an increased refcount 
+	 * @return			this with an increased refcount
 	 */
 	shared_key_t* (*get_ref)(shared_key_t *this);
-		
+
 	/**
-     * Destroy a shared_key instance if all references are gone.
-     */
-    void (*destroy)(shared_key_t *this);
+	 * Destroy a shared_key instance if all references are gone.
+	 */
+	void (*destroy)(shared_key_t *this);
 };
 
 /**
diff --git a/src/libstrongswan/crypto/crypters/crypter.h b/src/libstrongswan/crypto/crypters/crypter.h
index 2879e24c0..f052a181d 100644
--- a/src/libstrongswan/crypto/crypters/crypter.h
+++ b/src/libstrongswan/crypto/crypters/crypter.h
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  */
- 
+
 /**
  * @defgroup crypter crypter
  * @{ @ingroup crypto
@@ -56,14 +56,15 @@ enum encryption_algorithm_t {
 	ENCR_CAMELLIA_CCM_ICV12 = 26,
 	ENCR_CAMELLIA_CCM_ICV16 = 27,
 	ENCR_UNDEFINED =        1024,
-    ENCR_DES_ECB =          1025,
+	ENCR_DES_ECB =          1025,
 	ENCR_SERPENT_CBC =      1026,
-    ENCR_TWOFISH_CBC =      1027
+	ENCR_TWOFISH_CBC =      1027
 };
 
 #define DES_BLOCK_SIZE			 8
 #define BLOWFISH_BLOCK_SIZE		 8
 #define AES_BLOCK_SIZE			16
+#define CAMELLIA_BLOCK_SIZE		16
 #define SERPENT_BLOCK_SIZE		16
 #define TWOFISH_BLOCK_SIZE		16
 
@@ -76,7 +77,7 @@ extern enum_name_t *encryption_algorithm_names;
  * Generic interface for symmetric encryption algorithms.
  */
 struct crypter_t {
-	
+
 	/**
 	 * Encrypt a chunk of data and allocate space for the encrypted value.
 	 *
@@ -90,14 +91,14 @@ struct crypter_t {
 	 */
 	void (*encrypt) (crypter_t *this, chunk_t data, chunk_t iv,
 					 chunk_t *encrypted);
-	
+
 	/**
 	 * Decrypt a chunk of data and allocate space for the decrypted value.
 	 *
 	 * The length of the iv must equal to get_block_size(), while the length
 	 * of data must be a multiple it.
 	 * If decrpyted is NULL, the encryption is done in-place (overwriting data).
-	 * 
+	 *
 	 * @param data			data to decrypt
 	 * @param iv			initializing vector
 	 * @param encrypted		chunk to allocate decrypted data, or NULL
@@ -107,18 +108,18 @@ struct crypter_t {
 
 	/**
 	 * Get the block size of the crypto algorithm.
-	 * 
+	 *
 	 * @return					block size in bytes
 	 */
 	size_t (*get_block_size) (crypter_t *this);
 
 	/**
 	 * Get the key size of the crypto algorithm.
-	 * 
+	 *
 	 * @return					key size in bytes
 	 */
 	size_t (*get_key_size) (crypter_t *this);
-	
+
 	/**
 	 * Set the key.
 	 *
@@ -127,7 +128,7 @@ struct crypter_t {
 	 * @param key				key to set
 	 */
 	void (*set_key) (crypter_t *this, chunk_t key);
-	
+
 	/**
 	 * Destroys a crypter_t object.
 	 */
@@ -136,7 +137,7 @@ struct crypter_t {
 
 /**
  * Conversion of ASN.1 OID to encryption algorithm.
- * 
+ *
  * @param oid			ASN.1 OID
  * @param key_size		returns size of encryption key in bits
  * @return				encryption algorithm, ENCR_UNDEFINED if OID unsupported
@@ -145,7 +146,7 @@ encryption_algorithm_t encryption_algorithm_from_oid(int oid, size_t *key_size);
 
 /**
  * Conversion of encryption algorithm to ASN.1 OID.
- * 
+ *
  * @param alg			encryption algorithm
  * @param key_size		size of encryption key in bits
  * @return				ASN.1 OID, OID_UNKNOWN if OID is unknown
diff --git a/src/libstrongswan/crypto/crypto_factory.c b/src/libstrongswan/crypto/crypto_factory.c
index e928e8cdf..46b50329d 100644
--- a/src/libstrongswan/crypto/crypto_factory.c
+++ b/src/libstrongswan/crypto/crypto_factory.c
@@ -16,7 +16,7 @@
 #include "crypto_factory.h"
 
 #include <debug.h>
-#include <utils/mutex.h>
+#include <threading/rwlock.h>
 #include <utils/linked_list.h>
 #include <crypto/crypto_tester.h>
 
@@ -46,52 +46,52 @@ struct private_crypto_factory_t {
 	 * public functions
 	 */
 	crypto_factory_t public;
-	
+
 	/**
 	 * registered crypters, as entry_t
 	 */
 	linked_list_t *crypters;
-	
+
 	/**
 	 * registered signers, as entry_t
 	 */
 	linked_list_t *signers;
-	
+
 	/**
 	 * registered hashers, as entry_t
 	 */
 	linked_list_t *hashers;
-	
+
 	/**
 	 * registered prfs, as entry_t
 	 */
 	linked_list_t *prfs;
-	
+
 	/**
 	 * registered rngs, as entry_t
 	 */
 	linked_list_t *rngs;
-	
+
 	/**
 	 * registered diffie hellman, as entry_t
 	 */
 	linked_list_t *dhs;
-	
+
 	/**
 	 * test manager to test crypto algorithms
 	 */
 	crypto_tester_t *tester;
-	
+
 	/**
 	 * whether to test algorithms during registration
 	 */
 	bool test_on_add;
-	
+
 	/**
 	 * whether to test algorithms on each crypto primitive construction
 	 */
 	bool test_on_create;
-	
+
 	/**
 	 * rwlock to lock access to modules
 	 */
@@ -107,7 +107,7 @@ static crypter_t* create_crypter(private_crypto_factory_t *this,
 	enumerator_t *enumerator;
 	entry_t *entry;
 	crypter_t *crypter = NULL;
-	
+
 	this->lock->read_lock(this->lock);
 	enumerator = this->crypters->create_enumerator(this->crypters);
 	while (enumerator->enumerate(enumerator, &entry))
@@ -116,7 +116,7 @@ static crypter_t* create_crypter(private_crypto_factory_t *this,
 		{
 			if (this->test_on_create &&
 				!this->tester->test_crypter(this->tester, algo, key_size,
-										    entry->create_crypter))
+											entry->create_crypter))
 			{
 				continue;
 			}
@@ -141,7 +141,7 @@ static signer_t* create_signer(private_crypto_factory_t *this,
 	enumerator_t *enumerator;
 	entry_t *entry;
 	signer_t *signer = NULL;
-	
+
 	this->lock->read_lock(this->lock);
 	enumerator = this->signers->create_enumerator(this->signers);
 	while (enumerator->enumerate(enumerator, &entry))
@@ -163,7 +163,7 @@ static signer_t* create_signer(private_crypto_factory_t *this,
 	}
 	enumerator->destroy(enumerator);
 	this->lock->unlock(this->lock);
-	
+
 	return signer;
 }
 
@@ -243,7 +243,7 @@ static rng_t* create_rng(private_crypto_factory_t *this, rng_quality_t quality)
 	entry_t *entry;
 	u_int diff = ~0;
 	rng_constructor_t constr = NULL;
-	
+
 	this->lock->read_lock(this->lock);
 	enumerator = this->rngs->create_enumerator(this->rngs);
 	while (enumerator->enumerate(enumerator, &entry))
@@ -311,7 +311,7 @@ static void add_crypter(private_crypto_factory_t *this,
 		this->tester->test_crypter(this->tester, algo, 0, create))
 	{
 		entry_t *entry = malloc_thing(entry_t);
-		
+
 		entry->algo = algo;
 		entry->create_crypter = create;
 		this->lock->write_lock(this->lock);
@@ -328,7 +328,7 @@ static void remove_crypter(private_crypto_factory_t *this,
 {
 	entry_t *entry;
 	enumerator_t *enumerator;
-	
+
 	this->lock->write_lock(this->lock);
 	enumerator = this->crypters->create_enumerator(this->crypters);
 	while (enumerator->enumerate(enumerator, &entry))
@@ -353,7 +353,7 @@ static void add_signer(private_crypto_factory_t *this,
 		this->tester->test_signer(this->tester, algo, create))
 	{
 		entry_t *entry = malloc_thing(entry_t);
-		
+
 		entry->algo = algo;
 		entry->create_signer = create;
 		this->lock->write_lock(this->lock);
@@ -370,7 +370,7 @@ static void remove_signer(private_crypto_factory_t *this,
 {
 	entry_t *entry;
 	enumerator_t *enumerator;
-	
+
 	this->lock->write_lock(this->lock);
 	enumerator = this->signers->create_enumerator(this->signers);
 	while (enumerator->enumerate(enumerator, &entry))
@@ -395,7 +395,7 @@ static void add_hasher(private_crypto_factory_t *this, hash_algorithm_t algo,
 		this->tester->test_hasher(this->tester, algo, create))
 	{
 		entry_t *entry = malloc_thing(entry_t);
-		
+
 		entry->algo = algo;
 		entry->create_hasher = create;
 		this->lock->write_lock(this->lock);
@@ -412,7 +412,7 @@ static void remove_hasher(private_crypto_factory_t *this,
 {
 	entry_t *entry;
 	enumerator_t *enumerator;
-	
+
 	this->lock->write_lock(this->lock);
 	enumerator = this->hashers->create_enumerator(this->hashers);
 	while (enumerator->enumerate(enumerator, &entry))
@@ -437,7 +437,7 @@ static void add_prf(private_crypto_factory_t *this,
 		this->tester->test_prf(this->tester, algo, create))
 	{
 		entry_t *entry = malloc_thing(entry_t);
-		
+
 		entry->algo = algo;
 		entry->create_prf = create;
 		this->lock->write_lock(this->lock);
@@ -453,7 +453,7 @@ static void remove_prf(private_crypto_factory_t *this, prf_constructor_t create)
 {
 	entry_t *entry;
 	enumerator_t *enumerator;
-	
+
 	this->lock->write_lock(this->lock);
 	enumerator = this->prfs->create_enumerator(this->prfs);
 	while (enumerator->enumerate(enumerator, &entry))
@@ -478,7 +478,7 @@ static void add_rng(private_crypto_factory_t *this, rng_quality_t quality,
 		this->tester->test_rng(this->tester, quality, create))
 	{
 		entry_t *entry = malloc_thing(entry_t);
-		
+
 		entry->algo = quality;
 		entry->create_rng = create;
 		this->lock->write_lock(this->lock);
@@ -494,7 +494,7 @@ static void remove_rng(private_crypto_factory_t *this, rng_constructor_t create)
 {
 	entry_t *entry;
 	enumerator_t *enumerator;
-	
+
 	this->lock->write_lock(this->lock);
 	enumerator = this->rngs->create_enumerator(this->rngs);
 	while (enumerator->enumerate(enumerator, &entry))
@@ -516,7 +516,7 @@ static void add_dh(private_crypto_factory_t *this, diffie_hellman_group_t group,
 				   dh_constructor_t create)
 {
 	entry_t *entry = malloc_thing(entry_t);
-	
+
 	entry->algo = group;
 	entry->create_dh = create;
 	this->lock->write_lock(this->lock);
@@ -531,7 +531,7 @@ static void remove_dh(private_crypto_factory_t *this, dh_constructor_t create)
 {
 	entry_t *entry;
 	enumerator_t *enumerator;
-	
+
 	this->lock->write_lock(this->lock);
 	enumerator = this->dhs->create_enumerator(this->dhs);
 	while (enumerator->enumerate(enumerator, &entry))
@@ -713,7 +713,7 @@ static void destroy(private_crypto_factory_t *this)
 crypto_factory_t *crypto_factory_create()
 {
 	private_crypto_factory_t *this = malloc_thing(private_crypto_factory_t);
-	
+
 	this->public.create_crypter = (crypter_t*(*)(crypto_factory_t*, encryption_algorithm_t, size_t))create_crypter;
 	this->public.create_signer = (signer_t*(*)(crypto_factory_t*, integrity_algorithm_t))create_signer;
 	this->public.create_hasher = (hasher_t*(*)(crypto_factory_t*, hash_algorithm_t))create_hasher;
@@ -739,7 +739,7 @@ crypto_factory_t *crypto_factory_create()
 	this->public.create_dh_enumerator = (enumerator_t*(*)(crypto_factory_t*))create_dh_enumerator;
 	this->public.add_test_vector = (void(*)(crypto_factory_t*, transform_type_t type, ...))add_test_vector;
 	this->public.destroy = (void(*)(crypto_factory_t*))destroy;
-	
+
 	this->crypters = linked_list_create();
 	this->signers = linked_list_create();
 	this->hashers = linked_list_create();
@@ -752,7 +752,7 @@ crypto_factory_t *crypto_factory_create()
 								"libstrongswan.crypto_test.on_add", FALSE);
 	this->test_on_create = lib->settings->get_bool(lib->settings,
 								"libstrongswan.crypto_test.on_create", FALSE);
-	
+
 	return &this->public;
 }
 
diff --git a/src/libstrongswan/crypto/crypto_factory.h b/src/libstrongswan/crypto/crypto_factory.h
index f1ebcf90a..9c6effd26 100644
--- a/src/libstrongswan/crypto/crypto_factory.h
+++ b/src/libstrongswan/crypto/crypto_factory.h
@@ -76,7 +76,7 @@ struct crypto_factory_t {
 	 */
 	crypter_t* (*create_crypter)(crypto_factory_t *this,
 								 encryption_algorithm_t algo, size_t key_size);
-	
+
 	/**
 	 * Create a symmetric signer instance.
 	 *
@@ -93,7 +93,7 @@ struct crypto_factory_t {
 	 * @return				hasher_t instance, NULL if not supported
 	 */
 	hasher_t* (*create_hasher)(crypto_factory_t *this, hash_algorithm_t algo);
-	
+
 	/**
 	 * Create a pseudo random function instance.
 	 *
@@ -101,7 +101,7 @@ struct crypto_factory_t {
 	 * @return				prf_t instance, NULL if not supported
 	 */
 	prf_t* (*create_prf)(crypto_factory_t *this, pseudo_random_function_t algo);
-	
+
 	/**
 	 * Create a source of randomness.
 	 *
@@ -109,7 +109,7 @@ struct crypto_factory_t {
 	 * @return				rng_t instance, NULL if no RNG with such a quality
 	 */
 	rng_t* (*create_rng)(crypto_factory_t *this, rng_quality_t quality);
-	
+
 	/**
 	 * Create a diffie hellman instance.
 	 *
@@ -118,7 +118,7 @@ struct crypto_factory_t {
 	 */
 	diffie_hellman_t* (*create_dh)(crypto_factory_t *this,
 								   diffie_hellman_group_t group);
-	
+
 	/**
 	 * Register a crypter constructor.
 	 *
@@ -128,14 +128,14 @@ struct crypto_factory_t {
 	 */
 	void (*add_crypter)(crypto_factory_t *this, encryption_algorithm_t algo,
 						crypter_constructor_t create);
-	
+
 	/**
 	 * Unregister a crypter constructor.
 	 *
 	 * @param create		constructor function to unregister
 	 */
 	void (*remove_crypter)(crypto_factory_t *this, crypter_constructor_t create);
-	
+
 	/**
 	 * Register a signer constructor.
 	 *
@@ -145,14 +145,14 @@ struct crypto_factory_t {
 	 */
 	void (*add_signer)(crypto_factory_t *this, integrity_algorithm_t algo,
 					   signer_constructor_t create);
-	
+
 	/**
 	 * Unregister a signer constructor.
 	 *
 	 * @param create		constructor function to unregister
 	 */
 	void (*remove_signer)(crypto_factory_t *this, signer_constructor_t create);
-	
+
 	/**
 	 * Register a hasher constructor.
 	 *
@@ -165,14 +165,14 @@ struct crypto_factory_t {
 	 */
 	void (*add_hasher)(crypto_factory_t *this, hash_algorithm_t algo,
 					   hasher_constructor_t create);
-	
+
 	/**
 	 * Unregister a hasher constructor.
 	 *
 	 * @param create		constructor function to unregister
 	 */
 	void (*remove_hasher)(crypto_factory_t *this, hasher_constructor_t create);
-	
+
 	/**
 	 * Register a prf constructor.
 	 *
@@ -182,14 +182,14 @@ struct crypto_factory_t {
 	 */
 	void (*add_prf)(crypto_factory_t *this, pseudo_random_function_t algo,
 					prf_constructor_t create);
-	
+
 	/**
 	 * Unregister a prf constructor.
 	 *
 	 * @param create		constructor function to unregister
 	 */
 	void (*remove_prf)(crypto_factory_t *this, prf_constructor_t create);
-	
+
 	/**
 	 * Register a source of randomness.
 	 *
@@ -197,14 +197,14 @@ struct crypto_factory_t {
 	 * @param create		constructor function for such a quality
 	 */
 	void (*add_rng)(crypto_factory_t *this, rng_quality_t quality, rng_constructor_t create);
-	
+
 	/**
 	 * Unregister a source of randomness.
 	 *
 	 * @param create		constructor function to unregister
 	 */
 	void (*remove_rng)(crypto_factory_t *this, rng_constructor_t create);
-	
+
 	/**
 	 * Register a diffie hellman constructor.
 	 *
@@ -214,49 +214,49 @@ struct crypto_factory_t {
 	 */
 	void (*add_dh)(crypto_factory_t *this, diffie_hellman_group_t group,
 				   dh_constructor_t create);
-	
+
 	/**
 	 * Unregister a diffie hellman constructor.
 	 *
 	 * @param create		constructor function to unregister
 	 */
 	void (*remove_dh)(crypto_factory_t *this, dh_constructor_t create);
-	
+
 	/**
 	 * Create an enumerator over all registered crypter algorithms.
 	 *
 	 * @return				enumerator over encryption_algorithm_t
 	 */
 	enumerator_t* (*create_crypter_enumerator)(crypto_factory_t *this);
-	
+
 	/**
 	 * Create an enumerator over all registered signer algorithms.
 	 *
 	 * @return				enumerator over integrity_algorithm_t
 	 */
 	enumerator_t* (*create_signer_enumerator)(crypto_factory_t *this);
-	
+
 	/**
 	 * Create an enumerator over all registered hasher algorithms.
 	 *
 	 * @return				enumerator over hash_algorithm_t
 	 */
 	enumerator_t* (*create_hasher_enumerator)(crypto_factory_t *this);
-	
+
 	/**
 	 * Create an enumerator over all registered PRFs.
 	 *
 	 * @return				enumerator over pseudo_random_function_t
 	 */
 	enumerator_t* (*create_prf_enumerator)(crypto_factory_t *this);
-	
+
 	/**
 	 * Create an enumerator over all registered diffie hellman groups.
 	 *
 	 * @return				enumerator over diffie_hellman_group_t
 	 */
 	enumerator_t* (*create_dh_enumerator)(crypto_factory_t *this);
-	
+
 	/**
 	 * Add a test vector to the crypto factory.
 	 *
@@ -264,7 +264,7 @@ struct crypto_factory_t {
 	 * @param ...			pointer to a test vector, defined in crypto_tester.h
 	 */
 	void (*add_test_vector)(crypto_factory_t *this, transform_type_t type, ...);
-	
+
 	/**
 	 * Destroy a crypto_factory instance.
 	 */
diff --git a/src/libstrongswan/crypto/crypto_tester.c b/src/libstrongswan/crypto/crypto_tester.c
index 4d13474a1..86daf65f9 100644
--- a/src/libstrongswan/crypto/crypto_tester.c
+++ b/src/libstrongswan/crypto/crypto_tester.c
@@ -24,42 +24,42 @@ typedef struct private_crypto_tester_t private_crypto_tester_t;
  * Private data of an crypto_tester_t object.
  */
 struct private_crypto_tester_t {
-	
+
 	/**
 	 * Public crypto_tester_t interface.
 	 */
 	crypto_tester_t public;
-	
+
 	/**
 	 * List of crypter test vectors
 	 */
 	linked_list_t *crypter;
-	
+
 	/**
 	 * List of signer test vectors
 	 */
 	linked_list_t *signer;
-	
+
 	/**
 	 * List of hasher test vectors
 	 */
 	linked_list_t *hasher;
-	
+
 	/**
 	 * List of PRF test vectors
 	 */
 	linked_list_t *prf;
-	
+
 	/**
 	 * List of RNG test vectors
 	 */
 	linked_list_t *rng;
-	
+
 	/**
 	 * Is a test vector required to pass a test?
 	 */
 	bool required;
-	
+
 	/**
 	 * should we run RNG_TRUE tests? Enough entropy?
 	 */
@@ -76,13 +76,13 @@ static bool test_crypter(private_crypto_tester_t *this,
 	crypter_test_vector_t *vector;
 	bool failed = FALSE;
 	u_int tested = 0;
-	
+
 	enumerator = this->crypter->create_enumerator(this->crypter);
 	while (enumerator->enumerate(enumerator, &vector))
 	{
 		crypter_t *crypter;
 		chunk_t key, plain, cipher, iv;
-		
+
 		if (vector->alg != alg)
 		{
 			continue;
@@ -96,14 +96,14 @@ static bool test_crypter(private_crypto_tester_t *this,
 		{	/* key size not supported... */
 			continue;
 		}
-		
+
 		failed = FALSE;
 		tested++;
-		
+
 		key = chunk_create(vector->key, crypter->get_key_size(crypter));
 		crypter->set_key(crypter, key);
 		iv = chunk_create(vector->iv, crypter->get_block_size(crypter));
-		
+
 		/* allocated encryption */
 		plain = chunk_create(vector->plain, vector->len);
 		crypter->encrypt(crypter, plain, iv, &cipher);
@@ -132,7 +132,7 @@ static bool test_crypter(private_crypto_tester_t *this,
 			failed = TRUE;
 		}
 		free(plain.ptr);
-		
+
 		crypter->destroy(crypter);
 		if (failed)
 		{
@@ -167,18 +167,18 @@ static bool test_signer(private_crypto_tester_t *this,
 	signer_test_vector_t *vector;
 	bool failed = FALSE;
 	u_int tested = 0;
-	
+
 	enumerator = this->signer->create_enumerator(this->signer);
 	while (enumerator->enumerate(enumerator, &vector))
 	{
 		signer_t *signer;
 		chunk_t key, data, mac;
-		
+
 		if (vector->alg != alg)
 		{
 			continue;
 		}
-		
+
 		tested++;
 		signer = create(alg);
 		if (!signer)
@@ -188,12 +188,12 @@ static bool test_signer(private_crypto_tester_t *this,
 			failed = TRUE;
 			break;
 		}
-		
+
 		failed = FALSE;
-		
+
 		key = chunk_create(vector->key, signer->get_key_size(signer));
 		signer->set_key(signer, key);
-		
+
 		/* allocated signature */
 		data = chunk_create(vector->data, vector->len);
 		signer->allocate_signature(signer, data, &mac);
@@ -236,7 +236,7 @@ static bool test_signer(private_crypto_tester_t *this,
 			}
 		}
 		free(mac.ptr);
-		
+
 		signer->destroy(signer);
 		if (failed)
 		{
@@ -271,18 +271,18 @@ static bool test_hasher(private_crypto_tester_t *this, hash_algorithm_t alg,
 	hasher_test_vector_t *vector;
 	bool failed = FALSE;
 	u_int tested = 0;
-	
+
 	enumerator = this->hasher->create_enumerator(this->hasher);
 	while (enumerator->enumerate(enumerator, &vector))
 	{
 		hasher_t *hasher;
 		chunk_t data, hash;
-		
+
 		if (vector->alg != alg)
 		{
 			continue;
 		}
-		
+
 		tested++;
 		hasher = create(alg);
 		if (!hasher)
@@ -292,9 +292,9 @@ static bool test_hasher(private_crypto_tester_t *this, hash_algorithm_t alg,
 			failed = TRUE;
 			break;
 		}
-		
+
 		failed = FALSE;
-		
+
 		/* allocated hash */
 		data = chunk_create(vector->data, vector->len);
 		hasher->allocate_hash(hasher, data, &hash);
@@ -326,7 +326,7 @@ static bool test_hasher(private_crypto_tester_t *this, hash_algorithm_t alg,
 			}
 		}
 		free(hash.ptr);
-		
+
 		hasher->destroy(hasher);
 		if (failed)
 		{
@@ -361,18 +361,18 @@ static bool test_prf(private_crypto_tester_t *this,
 	prf_test_vector_t *vector;
 	bool failed = FALSE;
 	u_int tested = 0;
-	
+
 	enumerator = this->prf->create_enumerator(this->prf);
 	while (enumerator->enumerate(enumerator, &vector))
 	{
 		prf_t *prf;
 		chunk_t key, seed, out;
-		
+
 		if (vector->alg != alg)
 		{
 			continue;
 		}
-		
+
 		tested++;
 		prf = create(alg);
 		if (!prf)
@@ -382,12 +382,12 @@ static bool test_prf(private_crypto_tester_t *this,
 			failed = TRUE;
 			break;
 		}
-		
+
 		failed = FALSE;
-		
+
 		key = chunk_create(vector->key, vector->key_size);
 		prf->set_key(prf, key);
-		
+
 		/* allocated bytes */
 		seed = chunk_create(vector->seed, vector->len);
 		prf->allocate_bytes(prf, seed, &out);
@@ -427,7 +427,7 @@ static bool test_prf(private_crypto_tester_t *this,
 			}
 		}
 		free(out.ptr);
-		
+
 		prf->destroy(prf);
 		if (failed)
 		{
@@ -462,25 +462,25 @@ static bool test_rng(private_crypto_tester_t *this, rng_quality_t quality,
 	rng_test_vector_t *vector;
 	bool failed = FALSE;
 	u_int tested = 0;
-	
+
 	if (!this->rng_true && quality == RNG_TRUE)
 	{
 		DBG1("enabled  %N: skipping test (disabled by config)",
 			 rng_quality_names, quality);
 		return TRUE;
 	}
-	
+
 	enumerator = this->rng->create_enumerator(this->rng);
 	while (enumerator->enumerate(enumerator, &vector))
 	{
 		rng_t *rng;
 		chunk_t data;
-		
+
 		if (vector->quality != quality)
 		{
 			continue;
 		}
-		
+
 		tested++;
 		rng = create(quality);
 		if (!rng)
@@ -490,9 +490,9 @@ static bool test_rng(private_crypto_tester_t *this, rng_quality_t quality,
 			failed = TRUE;
 			break;
 		}
-		
+
 		failed = FALSE;
-		
+
 		/* allocated bytes */
 		rng->allocate_bytes(rng, vector->len, &data);
 		if (data.len != vector->len)
@@ -511,7 +511,7 @@ static bool test_rng(private_crypto_tester_t *this, rng_quality_t quality,
 			failed = TRUE;
 		}
 		free(data.ptr);
-		
+
 		rng->destroy(rng);
 		if (failed)
 		{
@@ -600,7 +600,7 @@ static void destroy(private_crypto_tester_t *this)
 crypto_tester_t *crypto_tester_create()
 {
 	private_crypto_tester_t *this = malloc_thing(private_crypto_tester_t);
-	
+
 	this->public.test_crypter = (bool(*)(crypto_tester_t*, encryption_algorithm_t alg,size_t key_size, crypter_constructor_t create))test_crypter;
 	this->public.test_signer = (bool(*)(crypto_tester_t*, integrity_algorithm_t alg, signer_constructor_t create))test_signer;
 	this->public.test_hasher = (bool(*)(crypto_tester_t*, hash_algorithm_t alg, hasher_constructor_t create))test_hasher;
@@ -612,18 +612,18 @@ crypto_tester_t *crypto_tester_create()
 	this->public.add_prf_vector = (void(*)(crypto_tester_t*, prf_test_vector_t *vector))add_prf_vector;
 	this->public.add_rng_vector = (void(*)(crypto_tester_t*, rng_test_vector_t *vector))add_rng_vector;
 	this->public.destroy = (void(*)(crypto_tester_t*))destroy;
-	
+
 	this->crypter = linked_list_create();
 	this->signer = linked_list_create();
 	this->hasher = linked_list_create();
 	this->prf = linked_list_create();
 	this->rng = linked_list_create();
-	
+
 	this->required = lib->settings->get_bool(lib->settings,
 								"libstrongswan.crypto_test.required", FALSE);
 	this->rng_true = lib->settings->get_bool(lib->settings,
 								"libstrongswan.crypto_test.rng_true", FALSE);
-	
+
 	return &this->public;
 }
 
diff --git a/src/libstrongswan/crypto/crypto_tester.h b/src/libstrongswan/crypto/crypto_tester.h
index d2929f33d..ddcc2da51 100644
--- a/src/libstrongswan/crypto/crypto_tester.h
+++ b/src/libstrongswan/crypto/crypto_tester.h
@@ -109,12 +109,12 @@ struct rng_test_vector_t {
  * Cryptographic primitive testing framework.
  */
 struct crypto_tester_t {
-	
+
 	/**
 	 * Test a crypter algorithm, optionally using a specified key size.
 	 *
 	 * @param alg			algorithm to test
-	 * @param key_size		key size to test, 0 for all 
+	 * @param key_size		key size to test, 0 for all
 	 * @param create		constructor function for the crypter
 	 * @return				TRUE if test passed
 	 */
@@ -183,14 +183,14 @@ struct crypto_tester_t {
 	 * @param vector		pointer to test vector
 	 */
 	void (*add_prf_vector)(crypto_tester_t *this, prf_test_vector_t *vector);
-	
+
 	/**
 	 * Add a test vector to test a RNG.
 	 *
 	 * @param vector		pointer to test vector
 	 */
 	void (*add_rng_vector)(crypto_tester_t *this, rng_test_vector_t *vector);
-	
+
 	/**
 	 * Destroy a crypto_tester_t.
 	 */
@@ -202,4 +202,4 @@ struct crypto_tester_t {
  */
 crypto_tester_t *crypto_tester_create();
 
-#endif /* CRYPTO_TESTER_ @}*/
+#endif /** CRYPTO_TESTER_H_ @}*/
diff --git a/src/libstrongswan/crypto/diffie_hellman.h b/src/libstrongswan/crypto/diffie_hellman.h
index a40a73526..842938c3b 100644
--- a/src/libstrongswan/crypto/diffie_hellman.h
+++ b/src/libstrongswan/crypto/diffie_hellman.h
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  */
- 
+
 /**
  * @defgroup diffie_hellman diffie_hellman
  * @{ @ingroup crypto
@@ -32,7 +32,7 @@ typedef struct diffie_hellman_t diffie_hellman_t;
  *
  * The modulus (or group) to use for a Diffie-Hellman calculation.
  * See IKEv2 RFC 3.3.2 and RFC 3526.
- * 
+ *
  * ECP groups are defined in RFC 4753 and RFC 5114.
  */
 enum diffie_hellman_group_t {
@@ -63,39 +63,39 @@ extern enum_name_t *diffie_hellman_group_names;
  * Implementation of the Diffie-Hellman algorithm, as in RFC2631.
  */
 struct diffie_hellman_t {
-		
+
 	/**
 	 * Returns the shared secret of this diffie hellman exchange.
-	 * 	
-	 * Space for returned secret is allocated and must be 
+	 *
+	 * Space for returned secret is allocated and must be
 	 * freed by the caller.
-	 * 
+	 *
 	 * @param secret 	shared secret will be written into this chunk
 	 * @return 			SUCCESS, FAILED if not both DH values are set
 	 */
 	status_t (*get_shared_secret) (diffie_hellman_t *this, chunk_t *secret);
-	
+
 	/**
 	 * Sets the public value of partner.
-	 * 	
+	 *
 	 * Chunk gets cloned and can be destroyed afterwards.
-	 * 
+	 *
 	 * @param value 	public value of partner
 	 */
 	void (*set_other_public_value) (diffie_hellman_t *this, chunk_t value);
-	
+
 	/**
 	 * Gets the own public value to transmit.
-	 * 	
+	 *
 	 * Space for returned chunk is allocated and must be freed by the caller.
-	 * 
+	 *
 	 * @param value		public value of caller is stored at this location
 	 */
 	void (*get_my_public_value) (diffie_hellman_t *this, chunk_t *value);
-	
+
 	/**
 	 * Get the DH group used.
-	 * 
+	 *
 	 * @return			DH group set in construction
 	 */
 	diffie_hellman_group_t (*get_dh_group) (diffie_hellman_t *this);
diff --git a/src/libstrongswan/crypto/hashers/hasher.c b/src/libstrongswan/crypto/hashers/hasher.c
index 4d6904e47..81750a519 100644
--- a/src/libstrongswan/crypto/hashers/hasher.c
+++ b/src/libstrongswan/crypto/hashers/hasher.c
@@ -104,36 +104,46 @@ int hasher_algorithm_to_oid(hash_algorithm_t alg)
 /*
  * Described in header.
  */
-int hasher_signature_algorithm_to_oid(hash_algorithm_t alg)
+int hasher_signature_algorithm_to_oid(hash_algorithm_t alg, key_type_t key)
 {
-	int oid;
-
-	switch (alg)
+	switch (key)
 	{
-		case HASH_MD2:
-			oid = OID_MD2_WITH_RSA;
-			break;
-		case HASH_MD5:
-			oid = OID_MD5_WITH_RSA;
-			break;
-		case HASH_SHA1:
-			oid = OID_SHA1_WITH_RSA;
-			break;
-		case HASH_SHA224:
-			oid = OID_SHA224_WITH_RSA;
-			break;
-		case HASH_SHA256:
-			oid = OID_SHA256_WITH_RSA;
-			break;
-		case HASH_SHA384:
-			oid = OID_SHA384_WITH_RSA;
-			break;
-		case HASH_SHA512:
-			oid = OID_SHA512_WITH_RSA;
-			break;
+		case KEY_RSA:
+			switch (alg)
+			{
+				case HASH_MD2:
+					return OID_MD2_WITH_RSA;
+				case HASH_MD5:
+					return OID_MD5_WITH_RSA;
+				case HASH_SHA1:
+					return OID_SHA1_WITH_RSA;
+				case HASH_SHA224:
+					return OID_SHA224_WITH_RSA;
+				case HASH_SHA256:
+					return OID_SHA256_WITH_RSA;
+				case HASH_SHA384:
+					return OID_SHA384_WITH_RSA;
+				case HASH_SHA512:
+					return OID_SHA512_WITH_RSA;
+				default:
+					return OID_UNKNOWN;
+			}
+		case KEY_ECDSA:
+			switch (alg)
+			{
+				case HASH_SHA1:
+					return OID_ECDSA_WITH_SHA1;
+				case HASH_SHA256:
+					return OID_ECDSA_WITH_SHA256;
+				case HASH_SHA384:
+					return OID_ECDSA_WITH_SHA384;
+				case HASH_SHA512:
+					return OID_ECDSA_WITH_SHA512;
+				default:
+					return OID_UNKNOWN;
+			}
 		default:
-			oid = OID_UNKNOWN;
+			return OID_UNKNOWN;
 	}
-	return oid;
 }
 
diff --git a/src/libstrongswan/crypto/hashers/hasher.h b/src/libstrongswan/crypto/hashers/hasher.h
index 6deed37ab..9fa043c7e 100644
--- a/src/libstrongswan/crypto/hashers/hasher.h
+++ b/src/libstrongswan/crypto/hashers/hasher.h
@@ -14,7 +14,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  */
- 
+
 /**
  * @defgroup hasher hasher
  * @{ @ingroup crypto
@@ -27,6 +27,7 @@ typedef enum hash_algorithm_t hash_algorithm_t;
 typedef struct hasher_t hasher_t;
 
 #include <library.h>
+#include <credentials/keys/public_key.h>
 
 /**
  * Algorithms to use for hashing.
@@ -35,7 +36,7 @@ enum hash_algorithm_t {
 	/** not specified hash function */
 	HASH_UNKNOWN 		= 0,
 	/** preferred hash function, general purpose */
-	HASH_PREFERRED	 	= 1,
+	HASH_PREFERRED		= 1,
 	HASH_MD2 			= 2,
 	HASH_MD4			= 3,
 	HASH_MD5 			= 4,
@@ -66,43 +67,43 @@ extern enum_name_t *hash_algorithm_names;
 struct hasher_t {
 	/**
 	 * Hash data and write it in the buffer.
-	 * 
+	 *
 	 * If the parameter hash is NULL, no result is written back
 	 * and more data can be appended to already hashed data.
 	 * If not, the result is written back and the hasher is reset.
-	 * 
+	 *
 	 * The hash output parameter must hold at least
 	 * hash_t.get_block_size() bytes.
-	 * 
+	 *
 	 * @param data		data to hash
 	 * @param hash		pointer where the hash will be written
 	 */
 	void (*get_hash) (hasher_t *this, chunk_t data, u_int8_t *hash);
-	
+
 	/**
 	 * Hash data and allocate space for the hash.
-	 * 
+	 *
 	 * If the parameter hash is NULL, no result is written back
 	 * and more data can be appended to already hashed data.
 	 * If not, the result is written back and the hasher is reset.
-	 * 
+	 *
 	 * @param data		chunk with data to hash
 	 * @param hash		chunk which will hold allocated hash
 	 */
 	void (*allocate_hash) (hasher_t *this, chunk_t data, chunk_t *hash);
-	
+
 	/**
 	 * Get the size of the resulting hash.
-	 * 
+	 *
 	 * @return			hash size in bytes
 	 */
 	size_t (*get_hash_size) (hasher_t *this);
-	
+
 	/**
 	 * Resets the hashers state.
 	 */
 	void (*reset) (hasher_t *this);
-	
+
 	/**
 	 * Destroys a hasher object.
 	 */
@@ -111,7 +112,7 @@ struct hasher_t {
 
 /**
  * Conversion of ASN.1 OID to hash algorithm.
- * 
+ *
  * @param oid			ASN.1 OID
  * @return				hash algorithm, HASH_UNKNOWN if OID unsuported
  */
@@ -119,7 +120,7 @@ hash_algorithm_t hasher_algorithm_from_oid(int oid);
 
 /**
  * Conversion of hash algorithm into ASN.1 OID.
- * 
+ *
  * @param alg			hash algorithm
  * @return				ASN.1 OID, or OID_UNKNOW
  */
@@ -127,10 +128,11 @@ int hasher_algorithm_to_oid(hash_algorithm_t alg);
 
 /**
  * Conversion of hash signature algorithm into ASN.1 OID.
- * 
+ *
  * @param alg			hash algorithm
+ * @param key			public key type
  * @return				ASN.1 OID if, or OID_UNKNOW
  */
-int hasher_signature_algorithm_to_oid(hash_algorithm_t alg);
+int hasher_signature_algorithm_to_oid(hash_algorithm_t alg, key_type_t key);
 
 #endif /** HASHER_H_ @}*/
diff --git a/src/libstrongswan/crypto/pkcs9.c b/src/libstrongswan/crypto/pkcs9.c
index 525ea9db5..e3ba0f129 100644
--- a/src/libstrongswan/crypto/pkcs9.c
+++ b/src/libstrongswan/crypto/pkcs9.c
@@ -68,7 +68,7 @@ struct attribute_t {
 
 	/**
 	 * Destroys the attribute.
-	 * 
+	 *
 	 * @param this			attribute to destroy
 	 */
 	void (*destroy) (attribute_t *this);
@@ -78,48 +78,30 @@ struct attribute_t {
 /**
  * PKCS#9 attribute type OIDs
  */
-static u_char ASN1_contentType_oid_str[] = {
+static chunk_t ASN1_contentType_oid = chunk_from_chars(
 	0x06, 0x09,
 		  0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x03
-};
-
-static u_char ASN1_messageDigest_oid_str[] = {
+);
+static chunk_t ASN1_messageDigest_oid = chunk_from_chars(
 	0x06, 0x09,
 		  0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x04
-};
-
-static u_char ASN1_signingTime_oid_str[] = {
+);
+static chunk_t ASN1_signingTime_oid = chunk_from_chars(
 	0x06, 0x09,
 		  0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x05
-};
-
-static char ASN1_messageType_oid_str[] = {
+);
+static chunk_t ASN1_messageType_oid = chunk_from_chars(
 	0x06, 0x0A,
 		  0x60, 0x86, 0x48, 0x01, 0x86, 0xF8, 0x45, 0x01, 0x09, 0x02
-};
-
-static char ASN1_senderNonce_oid_str[] = {
+);
+static chunk_t ASN1_senderNonce_oid = chunk_from_chars(
 	0x06, 0x0A,
 		  0x60, 0x86, 0x48, 0x01, 0x86, 0xF8, 0x45, 0x01, 0x09, 0x05
-};
-
-static char ASN1_transId_oid_str[] = {
+);
+static chunk_t ASN1_transId_oid = chunk_from_chars(
 	0x06, 0x0A,
 		  0x60, 0x86, 0x48, 0x01, 0x86, 0xF8, 0x45, 0x01, 0x09, 0x07
-};
-
-static const chunk_t ASN1_contentType_oid =
-						chunk_from_buf(ASN1_contentType_oid_str);
-static const chunk_t ASN1_messageDigest_oid =
-						chunk_from_buf(ASN1_messageDigest_oid_str);
-static const chunk_t ASN1_signingTime_oid =
-						chunk_from_buf(ASN1_signingTime_oid_str);
-static const chunk_t ASN1_messageType_oid =
-						chunk_from_buf(ASN1_messageType_oid_str);
-static const chunk_t ASN1_senderNonce_oid =
-						chunk_from_buf(ASN1_senderNonce_oid_str);
-static const chunk_t ASN1_transId_oid =
-						chunk_from_buf(ASN1_transId_oid_str);
+);
 
 /**
  * return the ASN.1 encoded OID of a PKCS#9 attribute
@@ -243,14 +225,14 @@ static void build_encoding(private_pkcs9_t *this)
 	/* allocate memory for the attributes and build the encoding */
 	{
 		u_char *pos = asn1_build_object(&this->encoding, ASN1_SET, attributes_len);
-		
+
 		iterator = this->attributes->create_iterator(this->attributes, TRUE);
 
 		while (iterator->iterate(iterator, (void**)&attribute))
 		{
 			memcpy(pos, attribute->encoding.ptr, attribute->encoding.len);
-            pos += attribute->encoding.len;
- 		}
+			pos += attribute->encoding.len;
+		}
 		iterator->destroy(iterator);
 	}
 }
@@ -346,7 +328,7 @@ static void destroy(private_pkcs9_t *this)
 static private_pkcs9_t *pkcs9_create_empty(void)
 {
 	private_pkcs9_t *this = malloc_thing(private_pkcs9_t);
-	
+
 	/* initialize */
 	this->encoding = chunk_empty;
 	this->attributes = linked_list_create();
@@ -428,7 +410,7 @@ static bool parse_attributes(chunk_t chunk, int level0, private_pkcs9_t* this)
 
 					if (type != ASN1_EOC)
 					{
-				    	if (!asn1_parse_simple_object(&object, type,
+						if (!asn1_parse_simple_object(&object, type,
 										parser->get_level(parser)+1,
 										oid_names[oid].name))
 						{
@@ -452,7 +434,7 @@ end:
 pkcs9_t *pkcs9_create_from_chunk(chunk_t chunk, u_int level)
 {
 	private_pkcs9_t *this = pkcs9_create_empty();
-	
+
 	this->encoding = chunk_clone(chunk);
 
 	if (!parse_attributes(chunk, level, this))
diff --git a/src/libstrongswan/crypto/pkcs9.h b/src/libstrongswan/crypto/pkcs9.h
index 80d915701..5b85692d6 100644
--- a/src/libstrongswan/crypto/pkcs9.h
+++ b/src/libstrongswan/crypto/pkcs9.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  */
- 
+
 /**
  * @defgroup pkcs9 pkcs9
  * @{ @ingroup crypto
@@ -29,7 +29,7 @@ typedef struct pkcs9_t pkcs9_t;
  * PKCS#9 attributes.
  */
 struct pkcs9_t {
-	
+
 	/**
 	 * Generate ASN.1 encoding of attribute list
 	 */
@@ -54,7 +54,7 @@ struct pkcs9_t {
 	 * Adds a PKCS#9 attribute
 	 *
 	 * @param oid			OID of the attribute
-	 * @param value			ASN.1 encoded value of the attribute 
+	 * @param value			ASN.1 encoded value of the attribute
 	 */
 	void (*set_attribute) (pkcs9_t *this, int oid, chunk_t value);
 
@@ -68,7 +68,7 @@ struct pkcs9_t {
 	/**
 	 * Add a PKCS#9 messageDigest attribute
 	 *
-	 * @param value			messageDigest 
+	 * @param value			messageDigest
 	 */
 	void (*set_messageDigest) (pkcs9_t *this, chunk_t value);
 
@@ -80,7 +80,7 @@ struct pkcs9_t {
 
 /**
  * Read a PKCS#9 attribute list from a DER encoded chunk.
- * 
+ *
  * @param chunk		chunk containing DER encoded data
  * @param level		ASN.1 parsing start level
  * @return 			created pkcs9 attribute list, or NULL if invalid.
@@ -89,7 +89,7 @@ pkcs9_t *pkcs9_create_from_chunk(chunk_t chunk, u_int level);
 
 /**
  * Create an empty PKCS#9 attribute list
- * 
+ *
  * @return 				created pkcs9 attribute list.
  */
 pkcs9_t *pkcs9_create(void);
diff --git a/src/libstrongswan/crypto/prf_plus.c b/src/libstrongswan/crypto/prf_plus.c
index a4fc377ef..6bd0f7465 100644
--- a/src/libstrongswan/crypto/prf_plus.c
+++ b/src/libstrongswan/crypto/prf_plus.c
@@ -22,34 +22,34 @@ typedef struct private_prf_plus_t private_prf_plus_t;
 
 /**
  * Private data of an prf_plus_t object.
- * 
+ *
  */
 struct private_prf_plus_t {
 	/**
 	 * Public interface of prf_plus_t.
 	 */
 	prf_plus_t public;
-	
+
 	/**
 	 * PRF to use.
 	 */
 	prf_t *prf;
-	
+
 	/**
 	 * Initial seed.
 	 */
 	chunk_t seed;
-	
+
 	/**
 	 * Buffer to store current PRF result.
 	 */
 	chunk_t buffer;
-		
+
 	/**
 	 * Already given out bytes in current buffer.
 	 */
 	size_t given_out;
-	
+
 	/**
 	 * Octet which will be appended to the seed.
 	 */
@@ -60,18 +60,18 @@ struct private_prf_plus_t {
  * Implementation of prf_plus_t.get_bytes.
  */
 static void get_bytes(private_prf_plus_t *this, size_t length, u_int8_t *buffer)
-{	
+{
 	chunk_t appending_chunk;
 	size_t bytes_in_round;
 	size_t total_bytes_written = 0;
-	
+
 	appending_chunk.ptr = &(this->appending_octet);
 	appending_chunk.len = 1;
-	
+
 	while (length > 0)
 	{	/* still more to do... */
 		if (this->buffer.len == this->given_out)
-		{	/* no bytes left in buffer, get next*/	
+		{	/* no bytes left in buffer, get next*/
 			this->prf->get_bytes(this->prf, this->buffer, NULL);
 			this->prf->get_bytes(this->prf, this->seed, NULL);
 			this->prf->get_bytes(this->prf, appending_chunk, this->buffer.ptr);
@@ -82,7 +82,7 @@ static void get_bytes(private_prf_plus_t *this, size_t length, u_int8_t *buffer)
 		bytes_in_round = min(length, this->buffer.len - this->given_out);
 		/* copy bytes from buffer with offset */
 		memcpy(buffer + total_bytes_written, this->buffer.ptr + this->given_out, bytes_in_round);
-		
+
 		length -= bytes_in_round;
 		this->given_out += bytes_in_round;
 		total_bytes_written += bytes_in_round;
@@ -91,7 +91,7 @@ static void get_bytes(private_prf_plus_t *this, size_t length, u_int8_t *buffer)
 
 /**
  * Implementation of prf_plus_t.allocate_bytes.
- */	
+ */
 static void allocate_bytes(private_prf_plus_t *this, size_t length, chunk_t *chunk)
 {
 	if (length)
@@ -123,23 +123,23 @@ prf_plus_t *prf_plus_create(prf_t *prf, chunk_t seed)
 {
 	private_prf_plus_t *this;
 	chunk_t appending_chunk;
-	
+
 	this = malloc_thing(private_prf_plus_t);
 
 	/* set public methods */
 	this->public.get_bytes = (void (*)(prf_plus_t *,size_t,u_int8_t*))get_bytes;
 	this->public.allocate_bytes = (void (*)(prf_plus_t *,size_t,chunk_t*))allocate_bytes;
 	this->public.destroy = (void (*)(prf_plus_t *))destroy;
-	
+
 	/* take over prf */
 	this->prf = prf;
-	
+
 	/* allocate buffer for prf output */
 	this->buffer.len = prf->get_block_size(prf);
 	this->buffer.ptr = malloc(this->buffer.len);
 
 	this->appending_octet = 0x01;
-	
+
 	/* clone seed */
 	this->seed.ptr = clalloc(seed.ptr, seed.len);
 	this->seed.len = seed.len;
@@ -151,6 +151,6 @@ prf_plus_t *prf_plus_create(prf_t *prf, chunk_t seed)
 	this->prf->get_bytes(this->prf, appending_chunk, this->buffer.ptr);
 	this->given_out = 0;
 	this->appending_octet++;
-	
+
 	return &(this->public);
 }
diff --git a/src/libstrongswan/crypto/prf_plus.h b/src/libstrongswan/crypto/prf_plus.h
index 2e5b66152..4179f2695 100644
--- a/src/libstrongswan/crypto/prf_plus.h
+++ b/src/libstrongswan/crypto/prf_plus.h
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  */
- 
+
 /**
  * @defgroup prf_plus prf_plus
  * @{ @ingroup crypto
@@ -36,26 +36,26 @@ typedef struct prf_plus_t prf_plus_t;
 struct prf_plus_t {
 	/**
 	 * Get pseudo random bytes.
-	 * 
+	 *
 	 * Get the next few bytes of the prf+ output. Space
 	 * must be allocated by the caller.
-	 * 
+	 *
 	 * @param length	number of bytes to get
 	 * @param buffer	pointer where the generated bytes will be written
 	 */
 	void (*get_bytes) (prf_plus_t *this, size_t length, u_int8_t *buffer);
-	
+
 	/**
 	 * Allocate pseudo random bytes.
-	 * 
+	 *
 	 * Get the next few bytes of the prf+ output. This function
 	 * will allocate the required space.
-	 * 
+	 *
 	 * @param length	number of bytes to get
 	 * @param chunk		chunk which will hold generated bytes
 	 */
 	void (*allocate_bytes) (prf_plus_t *this, size_t length, chunk_t *chunk);
-	
+
 	/**
 	 * Destroys a prf_plus_t object.
 	 */
@@ -64,11 +64,11 @@ struct prf_plus_t {
 
 /**
  * Creates a new prf_plus_t object.
- * 
+ *
  * Seed will be cloned. prf will
  * not be cloned, must be destroyed outside after
  * prf_plus_t usage.
- * 
+ *
  * @param prf				prf object to use
  * @param seed				input seed for prf
  * @return					prf_plus_t object
diff --git a/src/libstrongswan/crypto/prfs/prf.h b/src/libstrongswan/crypto/prfs/prf.h
index f2a5afc45..6e853444f 100644
--- a/src/libstrongswan/crypto/prfs/prf.h
+++ b/src/libstrongswan/crypto/prfs/prf.h
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  */
- 
+
 /**
  * @defgroup prf prf
  * @{ @ingroup crypto
@@ -55,7 +55,7 @@ enum pseudo_random_function_t {
 	PRF_FIPS_SHA1_160 = 1025,
 	/** FIPS 186-2-change1, uses fixed output size of 160bit */
 	PRF_FIPS_DES = 1026,
-	/** 
+	/**
 	 * Keyed hash algorithm using SHA1, used in EAP-AKA:
 	 * This PRF uses SHA1, but XORs the key into the IV. No "Final()" operation
 	 * is applied to the SHA1 state. */
@@ -78,39 +78,39 @@ struct prf_t {
 	 * @param buffer	pointer where the generated bytes will be written
 	 */
 	void (*get_bytes) (prf_t *this, chunk_t seed, u_int8_t *buffer);
-	
+
 	/**
 	 * Generates pseudo random bytes and allocate space for them.
-	 * 
+	 *
 	 * @param seed		a chunk containing the seed for the next bytes
 	 * @param chunk		chunk which will hold generated bytes
 	 */
 	void (*allocate_bytes) (prf_t *this, chunk_t seed, chunk_t *chunk);
-	
+
 	/**
 	 * Get the block size of this prf_t object.
-	 * 
+	 *
 	 * @return			block size in bytes
 	 */
 	size_t (*get_block_size) (prf_t *this);
-	
+
 	/**
 	 * Get the key size of this prf_t object.
 	 *
 	 * This is a suggestion only, all implemented PRFs accept variable key
 	 * length.
-	 * 
+	 *
 	 * @return			key size in bytes
 	 */
 	size_t (*get_key_size) (prf_t *this);
-	
+
 	/**
 	 * Set the key for this prf_t object.
-	 * 
+	 *
 	 * @param key		key to set
 	 */
 	void (*set_key) (prf_t *this, chunk_t key);
-	
+
 	/**
 	 * Destroys a prf object.
 	 */
diff --git a/src/libstrongswan/crypto/proposal/proposal_keywords.c b/src/libstrongswan/crypto/proposal/proposal_keywords.c
index 14321e070..75816e8b3 100644
--- a/src/libstrongswan/crypto/proposal/proposal_keywords.c
+++ b/src/libstrongswan/crypto/proposal/proposal_keywords.c
@@ -56,15 +56,15 @@ struct proposal_token {
     char             *name;
     transform_type_t  type;
 	u_int16_t         algorithm;
-    u_int16_t         keysize;  
+    u_int16_t         keysize;
 };
 
-#define TOTAL_KEYWORDS 87
+#define TOTAL_KEYWORDS 89
 #define MIN_WORD_LENGTH 3
 #define MAX_WORD_LENGTH 12
 #define MIN_HASH_VALUE 4
-#define MAX_HASH_VALUE 129
-/* maximum key range = 126, duplicates = 0 */
+#define MAX_HASH_VALUE 123
+/* maximum key range = 120, duplicates = 0 */
 
 #ifdef __GNUC__
 __inline
@@ -80,32 +80,32 @@ hash (str, len)
 {
   static const unsigned char asso_values[] =
     {
-      130, 130, 130, 130, 130, 130, 130, 130, 130, 130,
-      130, 130, 130, 130, 130, 130, 130, 130, 130, 130,
-      130, 130, 130, 130, 130, 130, 130, 130, 130, 130,
-      130, 130, 130, 130, 130, 130, 130, 130, 130, 130,
-      130, 130, 130, 130, 130, 130, 130, 130, 130,  11,
-        2,  15,   5,  27,  21,   8,   5,   0, 130, 130,
-      130, 130, 130, 130, 130, 130, 130, 130, 130, 130,
-      130, 130, 130, 130, 130, 130, 130, 130, 130, 130,
-      130, 130, 130, 130, 130, 130, 130, 130, 130, 130,
-      130, 130, 130, 130, 130,  39, 130,  24,   0,   1,
-        8,   2,  50,   0,   9,  53, 130, 130,   0, 130,
-       42,   0, 130, 130,   5,   9,  34,   4, 130, 130,
-      130, 130, 130, 130, 130, 130, 130, 130, 130, 130,
-      130, 130, 130, 130, 130, 130, 130, 130, 130, 130,
-      130, 130, 130, 130, 130, 130, 130, 130, 130, 130,
-      130, 130, 130, 130, 130, 130, 130, 130, 130, 130,
-      130, 130, 130, 130, 130, 130, 130, 130, 130, 130,
-      130, 130, 130, 130, 130, 130, 130, 130, 130, 130,
-      130, 130, 130, 130, 130, 130, 130, 130, 130, 130,
-      130, 130, 130, 130, 130, 130, 130, 130, 130, 130,
-      130, 130, 130, 130, 130, 130, 130, 130, 130, 130,
-      130, 130, 130, 130, 130, 130, 130, 130, 130, 130,
-      130, 130, 130, 130, 130, 130, 130, 130, 130, 130,
-      130, 130, 130, 130, 130, 130, 130, 130, 130, 130,
-      130, 130, 130, 130, 130, 130, 130, 130, 130, 130,
-      130, 130, 130, 130, 130, 130, 130
+      124, 124, 124, 124, 124, 124, 124, 124, 124, 124,
+      124, 124, 124, 124, 124, 124, 124, 124, 124, 124,
+      124, 124, 124, 124, 124, 124, 124, 124, 124, 124,
+      124, 124, 124, 124, 124, 124, 124, 124, 124, 124,
+      124, 124, 124, 124, 124, 124, 124, 124, 124,  11,
+        2,  23,   5,  27,  21,   8,   5,   0, 124, 124,
+      124, 124, 124, 124, 124, 124, 124, 124, 124, 124,
+      124, 124, 124, 124, 124, 124, 124, 124, 124, 124,
+      124, 124, 124, 124, 124, 124, 124, 124, 124, 124,
+      124, 124, 124, 124, 124,  22, 124,  24,   0,   1,
+        8,   2,  50,   0,  11,  54, 124, 124,   0, 124,
+       42,   0, 124, 124,   5,   9,  34,   6, 124, 124,
+      124, 124, 124, 124, 124, 124, 124, 124, 124, 124,
+      124, 124, 124, 124, 124, 124, 124, 124, 124, 124,
+      124, 124, 124, 124, 124, 124, 124, 124, 124, 124,
+      124, 124, 124, 124, 124, 124, 124, 124, 124, 124,
+      124, 124, 124, 124, 124, 124, 124, 124, 124, 124,
+      124, 124, 124, 124, 124, 124, 124, 124, 124, 124,
+      124, 124, 124, 124, 124, 124, 124, 124, 124, 124,
+      124, 124, 124, 124, 124, 124, 124, 124, 124, 124,
+      124, 124, 124, 124, 124, 124, 124, 124, 124, 124,
+      124, 124, 124, 124, 124, 124, 124, 124, 124, 124,
+      124, 124, 124, 124, 124, 124, 124, 124, 124, 124,
+      124, 124, 124, 124, 124, 124, 124, 124, 124, 124,
+      124, 124, 124, 124, 124, 124, 124, 124, 124, 124,
+      124, 124, 124, 124, 124, 124, 124
     };
   register int hval = len;
 
@@ -197,31 +197,33 @@ static const struct proposal_token wordlist[] =
     {"aes256ccm16",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,     256},
     {"md5",              INTEGRITY_ALGORITHM,  AUTH_HMAC_MD5_96,         0},
     {"blowfish192",      ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,          192},
+    {"sha2_384",         INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_384_192,   0},
     {"camellia192",      ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,      192},
-    {"modp3072",         DIFFIE_HELLMAN_GROUP, MODP_3072_BIT,            0},
     {"modp4096",         DIFFIE_HELLMAN_GROUP, MODP_4096_BIT,            0},
-    {"blowfish",         ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,          128},
+    {"sha2_512",         INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_512_256,   0},
     {"blowfish128",      ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,          128},
+    {"blowfish",         ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,          128},
     {"camellia128",      ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,      128},
-    {"twofish192",       ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,       192},
     {"modp6144",         DIFFIE_HELLMAN_GROUP, MODP_6144_BIT,            0},
-    {"twofish",          ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,       128},
+    {"modp3072",         DIFFIE_HELLMAN_GROUP, MODP_3072_BIT,            0},
     {"serpent192",       ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,       192},
-    {"twofish128",       ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,       128},
+    {"twofish192",       ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,       192},
     {"sha256",           INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_256_128,   0},
+    {"twofish",          ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,       128},
     {"serpent128",       ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,       128},
-    {"sha2_384",         INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_384_192,   0},
+    {"twofish128",       ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,       128},
     {"modpnull",         DIFFIE_HELLMAN_GROUP, MODP_NULL,                0},
     {"camellia",         ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,      128},
-    {"sha2_512",         INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_512_256,   0},
-    {"modp1536",         DIFFIE_HELLMAN_GROUP, MODP_1536_BIT,            0},
     {"ecp256",           DIFFIE_HELLMAN_GROUP, ECP_256_BIT,              0},
+    {"modp1536",         DIFFIE_HELLMAN_GROUP, MODP_1536_BIT,            0},
     {"serpent",          ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,       128},
-    {"twofish256",       ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,       256},
+    {"sha2_256",         INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_256_128,   0},
+    {"sha256_96",        INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_256_96,    0},
+    {"sha2_256_96",      INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_256_96,    0},
     {"blowfish256",      ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,          256},
     {"camellia256",      ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,      256},
     {"serpent256",       ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,       256},
-    {"sha2_256",         INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_256_128,   0}
+    {"twofish256",       ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,       256}
   };
 
 static const short lookup[] =
@@ -231,11 +233,10 @@ static const short lookup[] =
     17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, -1,
     30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43,
     44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57,
-    58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, -1,
-    71, -1, 72, -1, 73, -1, 74, 75, 76, 77, 78, -1, -1, 79,
-    -1, -1, -1, -1, -1, -1, 80, -1, -1, -1, -1, -1, -1, 81,
-    -1, -1, -1, -1, -1, -1, 82, 83, 84, -1, 85, -1, -1, -1,
-    -1, -1, -1, 86
+    58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, -1, 70,
+    71, 72, -1, -1, 73, 74, 75, 76, 77, -1, 78, -1, -1, -1,
+    -1, -1, -1, -1, -1, -1, 79, 80, -1, -1, -1, -1, -1, 81,
+    82, 83, -1, 84, -1, -1, -1, 85, -1, 86, 87, 88
   };
 
 #ifdef __GNUC__
diff --git a/src/libstrongswan/crypto/proposal/proposal_keywords.h b/src/libstrongswan/crypto/proposal/proposal_keywords.h
index 86cb7ef09..53fa1728f 100644
--- a/src/libstrongswan/crypto/proposal/proposal_keywords.h
+++ b/src/libstrongswan/crypto/proposal/proposal_keywords.h
@@ -21,10 +21,10 @@
 typedef struct proposal_token proposal_token_t;
 
 struct proposal_token {
-    char             *name;
-    transform_type_t  type;
+	char             *name;
+	transform_type_t  type;
 	u_int16_t         algorithm;
-    u_int16_t         keysize;  
+	u_int16_t         keysize;
 };
 
 extern const proposal_token_t* proposal_get_token(register const char *str,
diff --git a/src/libstrongswan/crypto/proposal/proposal_keywords.txt b/src/libstrongswan/crypto/proposal/proposal_keywords.txt
index 511fdd50a..139d689ca 100644
--- a/src/libstrongswan/crypto/proposal/proposal_keywords.txt
+++ b/src/libstrongswan/crypto/proposal/proposal_keywords.txt
@@ -26,7 +26,7 @@ struct proposal_token {
     char             *name;
     transform_type_t  type;
 	u_int16_t         algorithm;
-    u_int16_t         keysize;  
+    u_int16_t         keysize;
 };
 %%
 null,             ENCRYPTION_ALGORITHM, ENCR_NULL,                0
@@ -96,6 +96,8 @@ sha,              INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA1_96,        0
 sha1,             INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA1_96,        0
 sha256,           INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_256_128,   0
 sha2_256,         INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_256_128,   0
+sha256_96,        INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_256_96,    0
+sha2_256_96,      INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_256_96,    0
 sha384,           INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_384_192,   0
 sha2_384,         INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_384_192,   0
 sha512,           INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_512_256,   0
diff --git a/src/libstrongswan/crypto/rngs/rng.h b/src/libstrongswan/crypto/rngs/rng.h
index 89bc2f2de..36ef52bb4 100644
--- a/src/libstrongswan/crypto/rngs/rng.h
+++ b/src/libstrongswan/crypto/rngs/rng.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  */
- 
+
 /**
  * @defgroup rng rng
  * @{ @ingroup crypto
@@ -55,15 +55,15 @@ struct rng_t {
 	 * @param buffer	pointer where the generated bytes will be written
 	 */
 	void (*get_bytes) (rng_t *this, size_t len, u_int8_t *buffer);
-	
+
 	/**
 	 * Generates random bytes and allocate space for them.
-	 * 
+	 *
 	 * @param len		number of bytes to get
 	 * @param chunk		chunk which will hold generated bytes
 	 */
 	void (*allocate_bytes) (rng_t *this, size_t len, chunk_t *chunk);
-	
+
 	/**
 	 * Destroys a rng object.
 	 */
diff --git a/src/libstrongswan/crypto/signers/signer.c b/src/libstrongswan/crypto/signers/signer.c
index 1147e1f26..e98916bfe 100644
--- a/src/libstrongswan/crypto/signers/signer.c
+++ b/src/libstrongswan/crypto/signers/signer.c
@@ -16,10 +16,11 @@
 
 #include "signer.h"
 
-ENUM_BEGIN(integrity_algorithm_names, AUTH_UNDEFINED, AUTH_HMAC_SHA1_128,
+ENUM_BEGIN(integrity_algorithm_names, AUTH_UNDEFINED, AUTH_HMAC_SHA2_256_96,
 	"UNDEFINED",
-	"HMAC_SHA1_128");
-ENUM_NEXT(integrity_algorithm_names, AUTH_HMAC_MD5_96, AUTH_HMAC_SHA2_512_256, AUTH_HMAC_SHA1_128,
+	"HMAC_SHA1_128",
+	"HMAC_SHA2_256_96");
+ENUM_NEXT(integrity_algorithm_names, AUTH_HMAC_MD5_96, AUTH_HMAC_SHA2_512_256, AUTH_HMAC_SHA2_256_96,
 	"HMAC_MD5_96",
 	"HMAC_SHA1_96",
 	"DES_MAC",
diff --git a/src/libstrongswan/crypto/signers/signer.h b/src/libstrongswan/crypto/signers/signer.h
index 0d9bfc5af..94e8c99b9 100644
--- a/src/libstrongswan/crypto/signers/signer.h
+++ b/src/libstrongswan/crypto/signers/signer.h
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  */
- 
+
 /**
  * @defgroup signer signer
  * @{ @ingroup crypto
@@ -64,6 +64,8 @@ enum integrity_algorithm_t {
 	AUTH_HMAC_SHA2_512_256 = 14,
 	/** private use */
 	AUTH_HMAC_SHA1_128 = 1025,
+	/** SHA256 96 bit truncation variant, supported by Linux kernels */
+	AUTH_HMAC_SHA2_256_96 = 1026,
 };
 
 /**
@@ -80,53 +82,53 @@ struct signer_t {
 	 *
 	 * If buffer is NULL, data is processed and prepended to a next call until
 	 * buffer is a valid pointer.
-	 * 
+	 *
 	 * @param data		a chunk containing the data to sign
 	 * @param buffer	pointer where the signature will be written
 	 */
 	void (*get_signature) (signer_t *this, chunk_t data, u_int8_t *buffer);
-	
+
 	/**
 	 * Generate a signature and allocate space for it.
 	 *
 	 * If chunk is NULL, data is processed and prepended to a next call until
 	 * chunk is a valid chunk pointer.
-	 * 
+	 *
 	 * @param data		a chunk containing the data to sign
 	 * @param chunk		chunk which will hold the allocated signature
 	 */
 	void (*allocate_signature) (signer_t *this, chunk_t data, chunk_t *chunk);
-	
+
 	/**
 	 * Verify a signature.
-	 * 
+	 *
 	 * @param data		a chunk containing the data to verify
 	 * @param signature	a chunk containing the signature
 	 * @return			TRUE, if signature is valid, FALSE otherwise
 	 */
 	bool (*verify_signature) (signer_t *this, chunk_t data, chunk_t signature);
-	
+
 	/**
 	 * Get the block size of this signature algorithm.
-	 * 
+	 *
 	 * @return			block size in bytes
 	 */
 	size_t (*get_block_size) (signer_t *this);
-	
+
 	/**
 	 * Get the key size of the signature algorithm.
-	 * 
+	 *
 	 * @return			key size in bytes
 	 */
 	size_t (*get_key_size) (signer_t *this);
-	
+
 	/**
 	 * Set the key for this object.
-	 * 
+	 *
 	 * @param key		key to set
 	 */
 	void (*set_key) (signer_t *this, chunk_t key);
-	
+
 	/**
 	 * Destroys a signer_t object.
 	 */
diff --git a/src/libstrongswan/database/database.h b/src/libstrongswan/database/database.h
index 16472d869..8df1c6f7f 100644
--- a/src/libstrongswan/database/database.h
+++ b/src/libstrongswan/database/database.h
@@ -59,41 +59,41 @@ enum db_driver_t {
  * Interface for a database implementation.
  *
  * @code
-   int affected, rowid, aint;
-   char *atext;
-   database_t *db;
-   enumerator_t *enumerator;
-   
-   db = lib->database->create("mysql://user:pass@host/database");
-   affected = db->execute(db, &rowid, "INSERT INTO table VALUES (?, ?)",
-   						  DB_INT, 77, DB_TEXT, "a text");
-   printf("inserted %d row, new row ID: %d\n", affected, rowid);
-   
-   enumerator = db->query(db, "SELECT aint, atext FROM table WHERE aint > ?",
-   						  DB_INT, 10, 		// 1 argument to SQL string
-   						  DB_INT, DB_TEXT); // 2 enumerated types in query
-   if (enumerator)
-   {
-       while (enumerator->enumerate(enumerator, &aint, &atext))
-       {
-           printf("%d: %s\n", aint, atext);
-       }
-       enumerator->destroy(enumerator);
-   }
+	int affected, rowid, aint;
+	char *atext;
+	database_t *db;
+	enumerator_t *enumerator;
+
+	db = lib->database->create("mysql://user:pass@host/database");
+	affected = db->execute(db, &rowid, "INSERT INTO table VALUES (?, ?)",
+						   DB_INT, 77, DB_TEXT, "a text");
+	printf("inserted %d row, new row ID: %d\n", affected, rowid);
+
+	enumerator = db->query(db, "SELECT aint, atext FROM table WHERE aint > ?",
+						   DB_INT, 10, 		// 1 argument to SQL string
+						   DB_INT, DB_TEXT); // 2 enumerated types in query
+	if (enumerator)
+	{
+		while (enumerator->enumerate(enumerator, &aint, &atext))
+		{
+			printf("%d: %s\n", aint, atext);
+		}
+		enumerator->destroy(enumerator);
+	}
    @endcode
  */
 struct database_t {
-	
+
 	/**
 	 * Run a query which returns rows, such as a SELECT.
 	 *
 	 * @param sql		sql query string, containing '?' placeholders
 	 * @param ...		list of sql placeholder db_type_t followed by its value,
-	 *                  followed by enumerators arguments as db_type_t's
+	 *					followed by enumerators arguments as db_type_t's
 	 * @return			enumerator as defined with arguments, NULL on failure
 	 */
 	enumerator_t* (*query)(database_t *this, char *sql, ...);
-	
+
 	/**
 	 * Execute a query which dows not return rows, such as INSERT.
 	 *
@@ -103,7 +103,7 @@ struct database_t {
 	 * @return			number of affected rows, < 0 on failure
 	 */
 	int (*execute)(database_t *this, int *rowid, char *sql, ...);
-	
+
 	/**
 	 * Get the database implementation type.
 	 *
@@ -113,11 +113,11 @@ struct database_t {
 	 * @return			database implementation type
 	 */
 	db_driver_t (*get_driver)(database_t *this);
-	
+
 	/**
-     * Destroy a database connection.
-     */
-    void (*destroy)(database_t *this);
+	 * Destroy a database connection.
+	 */
+	void (*destroy)(database_t *this);
 };
 
 #endif /** DATABASE_H_ @}*/
diff --git a/src/libstrongswan/database/database_factory.c b/src/libstrongswan/database/database_factory.c
index ef6927874..3936565a1 100644
--- a/src/libstrongswan/database/database_factory.c
+++ b/src/libstrongswan/database/database_factory.c
@@ -16,7 +16,7 @@
 #include "database_factory.h"
 
 #include <utils/linked_list.h>
-#include <utils/mutex.h>
+#include <threading/mutex.h>
 
 typedef struct private_database_factory_t private_database_factory_t;
 
@@ -29,12 +29,12 @@ struct private_database_factory_t {
 	 * public functions
 	 */
 	database_factory_t public;
-	
+
 	/**
 	 * list of registered database_t implementations
 	 */
 	linked_list_t *databases;
-	
+
 	/**
 	 * mutex to lock access to databases
 	 */
@@ -49,7 +49,7 @@ static database_t* create(private_database_factory_t *this, char *uri)
 	enumerator_t *enumerator;
 	database_t *database = NULL;
 	database_constructor_t create;
-	
+
 	this->mutex->lock(this->mutex);
 	enumerator = this->databases->create_enumerator(this->databases);
 	while (enumerator->enumerate(enumerator, &create))
@@ -103,15 +103,15 @@ static void destroy(private_database_factory_t *this)
 database_factory_t *database_factory_create()
 {
 	private_database_factory_t *this = malloc_thing(private_database_factory_t);
-	
+
 	this->public.create = (database_t*(*)(database_factory_t*, char *url))create;
 	this->public.add_database = (void(*)(database_factory_t*, database_constructor_t))add_database;
 	this->public.remove_database = (void(*)(database_factory_t*, database_constructor_t))remove_database;
 	this->public.destroy = (void(*)(database_factory_t*))destroy;
-	
+
 	this->databases = linked_list_create();
 	this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
-	
+
 	return &this->public;
 }
 
diff --git a/src/libstrongswan/database/database_factory.h b/src/libstrongswan/database/database_factory.h
index 8875adad7..3213e1a08 100644
--- a/src/libstrongswan/database/database_factory.h
+++ b/src/libstrongswan/database/database_factory.h
@@ -44,25 +44,25 @@ struct database_factory_t {
 	 * @return			database_t instance, NULL if not supported/failed
 	 */
 	database_t* (*create)(database_factory_t *this, char *uri);
-	
+
 	/**
 	 * Register a database constructor.
 	 *
 	 * @param create	database constructor to register
 	 */
 	void (*add_database)(database_factory_t *this, database_constructor_t create);
-	
+
 	/**
 	 * Unregister a previously registered database constructor.
 	 *
 	 * @param create	database constructor to unregister
 	 */
 	void (*remove_database)(database_factory_t *this, database_constructor_t create);
-	
+
 	/**
-     * Destroy a database_factory instance.
-     */
-    void (*destroy)(database_factory_t *this);
+	 * Destroy a database_factory instance.
+	 */
+	void (*destroy)(database_factory_t *this);
 };
 
 /**
diff --git a/src/libstrongswan/debug.c b/src/libstrongswan/debug.c
index b4a84cf76..51b7875d8 100644
--- a/src/libstrongswan/debug.c
+++ b/src/libstrongswan/debug.c
@@ -14,24 +14,57 @@
  */
 
 #include <stdarg.h>
-#include <stdio.h>
 
 #include "debug.h"
 
+/**
+ * level logged by the default logger
+ */
+static int default_level = 1;
+
+/**
+ * stream logged to by the default logger
+ */
+static FILE *default_stream = NULL;
+
 /**
  * default dbg function which printf all to stderr
  */
 void dbg_default(int level, char *fmt, ...)
 {
-	if (level <= 1)
+	if (!default_stream)
+	{
+		default_stream = stderr;
+	}
+	if (level <= default_level)
 	{
 		va_list args;
-	
+
 		va_start(args, fmt);
-		vfprintf(stderr, fmt, args);
-		fprintf(stderr, "\n");
+		vfprintf(default_stream, fmt, args);
+		fprintf(default_stream, "\n");
 		va_end(args);
 	}
 }
 
+/**
+ * set the level logged by the default stderr logger
+ */
+void dbg_default_set_level(int level)
+{
+	default_level = level;
+}
+
+/**
+ * set the stream logged by dbg_default() to
+ */
+void dbg_default_set_stream(FILE *stream)
+{
+	default_stream = stream;
+}
+
+/**
+ * The registered debug hook.
+ */
 void (*dbg) (int level, char *fmt, ...) = dbg_default;
+
diff --git a/src/libstrongswan/debug.h b/src/libstrongswan/debug.h
index 1413ff54e..085795acb 100644
--- a/src/libstrongswan/debug.h
+++ b/src/libstrongswan/debug.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  */
- 
+
 /**
  * @defgroup debug debug
  * @{ @ingroup libstrongswan
@@ -21,6 +21,8 @@
 #ifndef DEBUG_H_
 #define DEBUG_H_
 
+#include <stdio.h>
+
 #ifndef DEBUG_LEVEL
 # define DEBUG_LEVEL 4
 #endif /* DEBUG_LEVEL */
@@ -52,10 +54,16 @@
 # define DBG4(...) {}
 #endif
 
-/** dbg function hook, uses stderr logger by default */
+/** dbg function hook, uses dbg_default() by default */
 extern void (*dbg) (int level, char *fmt, ...);
 
-/** default logging function, prints to stderr */
+/** default logging function */
 void dbg_default(int level, char *fmt, ...);
 
+/** set the level logged by dbg_default() */
+void dbg_default_set_level(int level);
+
+/** set the stream logged by dbg_default() to */
+void dbg_default_set_stream(FILE *stream);
+
 #endif /** DEBUG_H_ @}*/
diff --git a/src/libstrongswan/enum.h b/src/libstrongswan/enum.h
index 3f3ca1172..6b9fd7eaa 100644
--- a/src/libstrongswan/enum.h
+++ b/src/libstrongswan/enum.h
@@ -98,7 +98,7 @@ struct enum_name_t {
  *
  * This is a convenience macro to use when a enum_name list contains only
  * one range, and is equal as defining ENUM_BEGIN followed by ENUM_END.
- * 
+ *
  * @param name	name of the enum_name list
  * @param first	enum value of the first enum string
  * @param last	enum value of the last enum string
@@ -109,8 +109,8 @@ struct enum_name_t {
 /**
  * printf hook function for enum_names_t.
  *
- * Arguments are: 
- *    enum_names_t *names, int value
+ * Arguments are:
+ *	enum_names_t *names, int value
  */
 int enum_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
 					 const void *const *args);
diff --git a/src/libstrongswan/fetcher/fetcher.h b/src/libstrongswan/fetcher/fetcher.h
index 70d14bf97..f312206bb 100644
--- a/src/libstrongswan/fetcher/fetcher.h
+++ b/src/libstrongswan/fetcher/fetcher.h
@@ -33,36 +33,36 @@ typedef enum fetcher_option_t fetcher_option_t;
  */
 enum fetcher_option_t {
 
-	/** 
+	/**
 	 * Data to include in fetch request, e.g. on a HTTP post.
 	 * Additional argument is a chunk_t
 	 */
 	FETCH_REQUEST_DATA,
-	
-	/** 
+
+	/**
 	 * Mime-Type of data included in FETCH_REQUEST_DATA.
 	 * Additional argument is a char*.
 	 */
 	FETCH_REQUEST_TYPE,
-	
-	/** 
+
+	/**
 	 * HTTP header to be sent with with the fetch request.
 	 * Additional argument is a char*.
 	 */
 	FETCH_REQUEST_HEADER,
 
-	/** 
+	/**
 	 * Use HTTP Version 1.0 instead of 1.1.
 	 * No additional argument is needed.
 	 */
 	FETCH_HTTP_VERSION_1_0,
 
-	/** 
+	/**
 	 * Timeout to use for fetch, in seconds.
 	 * Additional argument is u_int
 	 */
 	FETCH_TIMEOUT,
-	
+
 	/**
 	 * end of fetching options
 	 */
@@ -96,7 +96,7 @@ struct fetcher_t {
 	 *					- FAILED, NOT_FOUND, PARSE_ERROR on failure
 	 */
 	status_t (*fetch)(fetcher_t *this, char *uri, chunk_t *result);
-	
+
 	/**
 	 * Set a fetcher option, as defined in fetcher_option_t.
 	 *
@@ -107,11 +107,11 @@ struct fetcher_t {
 	 * @return			TRUE if option supported, FALSE otherwise
 	 */
 	bool (*set_option)(fetcher_t *this, fetcher_option_t option, ...);
-	
+
 	/**
 	 * Destroy the fetcher instance.
 	 */
-	void (*destroy)(fetcher_t *this);	
+	void (*destroy)(fetcher_t *this);
 };
 
 #endif /** FETCHER_H_ @}*/
diff --git a/src/libstrongswan/fetcher/fetcher_manager.c b/src/libstrongswan/fetcher/fetcher_manager.c
index 1f87412c8..b73bfacf6 100644
--- a/src/libstrongswan/fetcher/fetcher_manager.c
+++ b/src/libstrongswan/fetcher/fetcher_manager.c
@@ -16,7 +16,7 @@
 #include "fetcher_manager.h"
 
 #include <debug.h>
-#include <utils/mutex.h>
+#include <threading/rwlock.h>
 #include <utils/linked_list.h>
 
 typedef struct private_fetcher_manager_t private_fetcher_manager_t;
@@ -30,12 +30,12 @@ struct private_fetcher_manager_t {
 	 * public functions
 	 */
 	fetcher_manager_t public;
-	
+
 	/**
 	 * list of registered fetchers, as entry_t
 	 */
 	linked_list_t *fetchers;
-	
+
 	/**
 	 * read write lock to list
 	 */
@@ -68,7 +68,7 @@ static status_t fetch(private_fetcher_manager_t *this,
 	status_t status = NOT_SUPPORTED;
 	entry_t *entry;
 	bool capable = FALSE;
-	
+
 	this->lock->read_lock(this->lock);
 	enumerator = this->fetchers->create_enumerator(this->fetchers);
 	while (enumerator->enumerate(enumerator, &entry))
@@ -119,7 +119,7 @@ static status_t fetch(private_fetcher_manager_t *this,
 			fetcher->destroy(fetcher);
 			continue;
 		}
-		
+
 		status = fetcher->fetch(fetcher, url, response);
 		fetcher->destroy(fetcher);
 		/* try another fetcher only if this one does not support that URL */
@@ -142,11 +142,11 @@ static status_t fetch(private_fetcher_manager_t *this,
 /**
  * Implementation of fetcher_manager_t.add_fetcher.
  */
-static void add_fetcher(private_fetcher_manager_t *this,	
+static void add_fetcher(private_fetcher_manager_t *this,
 						fetcher_constructor_t create, char *url)
 {
 	entry_t *entry = malloc_thing(entry_t);
-	
+
 	entry->url = strdup(url);
 	entry->create = create;
 
@@ -163,7 +163,7 @@ static void remove_fetcher(private_fetcher_manager_t *this,
 {
 	enumerator_t *enumerator;
 	entry_t *entry;
-	
+
 	this->lock->write_lock(this->lock);
 	enumerator = this->fetchers->create_enumerator(this->fetchers);
 	while (enumerator->enumerate(enumerator, &entry))
@@ -194,15 +194,15 @@ static void destroy(private_fetcher_manager_t *this)
 fetcher_manager_t *fetcher_manager_create()
 {
 	private_fetcher_manager_t *this = malloc_thing(private_fetcher_manager_t);
-	
+
 	this->public.fetch = (status_t(*)(fetcher_manager_t*, char *url, chunk_t *response, ...))fetch;
 	this->public.add_fetcher = (void(*)(fetcher_manager_t*, fetcher_constructor_t,char*))add_fetcher;
 	this->public.remove_fetcher = (void(*)(fetcher_manager_t*, fetcher_constructor_t))remove_fetcher;
 	this->public.destroy = (void(*)(fetcher_manager_t*))destroy;
-	
+
 	this->fetchers = linked_list_create();
 	this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
-	
+
 	return &this->public;
 }
 
diff --git a/src/libstrongswan/fetcher/fetcher_manager.h b/src/libstrongswan/fetcher/fetcher_manager.h
index 183964d6c..a7ac6611e 100644
--- a/src/libstrongswan/fetcher/fetcher_manager.h
+++ b/src/libstrongswan/fetcher/fetcher_manager.h
@@ -51,19 +51,19 @@ struct fetcher_manager_t {
 	 */
 	void (*add_fetcher)(fetcher_manager_t *this,
 						fetcher_constructor_t constructor, char *url);
-	
+
 	/**
 	 * Unregister a previously registered fetcher implementation.
 	 *
 	 * @param constructor	fetcher constructor function to unregister
 	 */
-	void (*remove_fetcher)(fetcher_manager_t *this, 
+	void (*remove_fetcher)(fetcher_manager_t *this,
 						   fetcher_constructor_t constructor);
-	
+
 	/**
-     * Destroy a fetcher_manager instance.
-     */
-    void (*destroy)(fetcher_manager_t *this);
+	 * Destroy a fetcher_manager instance.
+	 */
+	void (*destroy)(fetcher_manager_t *this);
 };
 
 /**
diff --git a/src/libstrongswan/integrity_checker.c b/src/libstrongswan/integrity_checker.c
index 32a296d79..51da4e725 100644
--- a/src/libstrongswan/integrity_checker.c
+++ b/src/libstrongswan/integrity_checker.c
@@ -35,22 +35,22 @@ typedef struct private_integrity_checker_t private_integrity_checker_t;
  * Private data of an integrity_checker_t object.
  */
 struct private_integrity_checker_t {
-	
+
 	/**
 	 * Public integrity_checker_t interface.
 	 */
 	integrity_checker_t public;
-	
+
 	/**
 	 * dlopen handle to checksum library
 	 */
 	void *handle;
-	
+
 	/**
 	 * checksum array
 	 */
 	integrity_checksum_t *checksums;
-	
+
 	/**
 	 * number of checksums in array
 	 */
@@ -68,21 +68,21 @@ static u_int32_t build_file(private_integrity_checker_t *this, char *file,
 	struct stat sb;
 	void *addr;
 	int fd;
-	
+
 	fd = open(file, O_RDONLY);
 	if (fd == -1)
 	{
 		DBG1("  opening '%s' failed: %s", file, strerror(errno));
 		return 0;
 	}
-	
+
 	if (fstat(fd, &sb) == -1)
 	{
 		DBG1("  getting file size of '%s' failed: %s", file, strerror(errno));
 		close(fd);
 		return 0;
 	}
-	
+
 	addr = mmap(NULL, sb.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
 	if (addr == MAP_FAILED)
 	{
@@ -91,13 +91,13 @@ static u_int32_t build_file(private_integrity_checker_t *this, char *file,
 		return 0;
 	}
 
-	*len = sb.st_size;	
+	*len = sb.st_size;
 	contents = chunk_create(addr, sb.st_size);
 	checksum = chunk_hash(contents);
-	
+
 	munmap(addr, sb.st_size);
 	close(fd);
-	
+
 	return checksum;
 }
 
@@ -116,11 +116,11 @@ static int callback(struct dl_phdr_info *dlpi, size_t size, Dl_info *dli)
 		dlpi->dlpi_name && *dlpi->dlpi_name)
 	{
 		int i;
-		
+
 		for (i = 0; i < dlpi->dlpi_phnum; i++)
 		{
 			const ElfW(Phdr) *sgmt = &dlpi->dlpi_phdr[i];
-			
+
 			/* we are interested in the executable LOAD segment */
 			if (sgmt->p_type == PT_LOAD && (sgmt->p_flags & PF_X))
 			{
@@ -143,7 +143,7 @@ static u_int32_t build_segment(private_integrity_checker_t *this, void *sym,
 {
 	chunk_t segment;
 	Dl_info dli;
-	
+
 	if (dladdr(sym, &dli) == 0)
 	{
 		DBG1("  unable to locate symbol: %s", dlerror());
@@ -155,7 +155,7 @@ static u_int32_t build_segment(private_integrity_checker_t *this, void *sym,
 		DBG1("  executable section not found");
 		return 0;
 	}
-	
+
 	segment = chunk_create(dli.dli_fbase, dli.dli_saddr - dli.dli_fbase);
 	*len = segment.len;
 	return chunk_hash(segment);
@@ -168,7 +168,7 @@ static integrity_checksum_t *find_checksum(private_integrity_checker_t *this,
 										   char *name)
 {
 	int i;
-	
+
 	for (i = 0; i < this->checksum_count; i++)
 	{
 		if (streq(this->checksums[i].name, name))
@@ -188,7 +188,7 @@ static bool check_file(private_integrity_checker_t *this,
 	integrity_checksum_t *cs;
 	u_int32_t sum;
 	size_t len = 0;
-	
+
 	cs = find_checksum(this, name);
 	if (!cs)
 	{
@@ -225,7 +225,7 @@ static bool check_segment(private_integrity_checker_t *this,
 	integrity_checksum_t *cs;
 	u_int32_t sum;
 	size_t len = 0;
-	
+
 	cs = find_checksum(this, name);
 	if (!cs)
 	{
@@ -259,7 +259,7 @@ static bool check_segment(private_integrity_checker_t *this,
 static bool check(private_integrity_checker_t *this, char *name, void *sym)
 {
 	Dl_info dli;
-	
+
 	if (dladdr(sym, &dli) == 0)
 	{
 		DBG1("unable to locate symbol: %s", dlerror());
@@ -294,14 +294,14 @@ static void destroy(private_integrity_checker_t *this)
 integrity_checker_t *integrity_checker_create(char *checksum_library)
 {
 	private_integrity_checker_t *this = malloc_thing(private_integrity_checker_t);
-	
+
 	this->public.check_file = (bool(*)(integrity_checker_t*, char *name, char *file))check_file;
 	this->public.build_file = (u_int32_t(*)(integrity_checker_t*, char *file, size_t *len))build_file;
 	this->public.check_segment = (bool(*)(integrity_checker_t*, char *name, void *sym))check_segment;
 	this->public.build_segment = (u_int32_t(*)(integrity_checker_t*, void *sym, size_t *len))build_segment;
 	this->public.check = (bool(*)(integrity_checker_t*, char *name, void *sym))check;
 	this->public.destroy = (void(*)(integrity_checker_t*))destroy;
-	
+
 	this->checksum_count = 0;
 	this->handle = NULL;
 	if (checksum_library)
@@ -310,7 +310,7 @@ integrity_checker_t *integrity_checker_create(char *checksum_library)
 		if (this->handle)
 		{
 			int *checksum_count;
-		
+
 			this->checksums = dlsym(this->handle, "checksums");
 			checksum_count = dlsym(this->handle, "checksum_count");
 			if (this->checksums && checksum_count)
diff --git a/src/libstrongswan/integrity_checker.h b/src/libstrongswan/integrity_checker.h
index d078dd6fb..7349353f3 100644
--- a/src/libstrongswan/integrity_checker.h
+++ b/src/libstrongswan/integrity_checker.h
@@ -34,11 +34,11 @@ struct integrity_checksum_t {
 	/* name of the checksum */
 	char *name;
 	/* size in bytes of the file on disk */
-	size_t file_len; 
+	size_t file_len;
 	/* checksum of the file on disk */
 	u_int32_t file;
 	/* size in bytes of executable segment in memory */
-	size_t segment_len; 
+	size_t segment_len;
 	/* checksum of the executable segment in memory */
 	u_int32_t segment;
 };
@@ -59,7 +59,7 @@ struct integrity_checker_t {
 	 * @return			TRUE if integrity tested successfully
 	 */
 	bool (*check_file)(integrity_checker_t *this, char *name, char *file);
-	
+
 	/**
 	 * Build the integrity checksum of a file on disk.
 	 *
@@ -68,7 +68,7 @@ struct integrity_checker_t {
 	 * @return			checksum, 0 on error
 	 */
 	u_int32_t (*build_file)(integrity_checker_t *this, char *file, size_t *len);
-	
+
 	/**
 	 * Check the integrity of the code segment in memory.
 	 *
@@ -85,7 +85,7 @@ struct integrity_checker_t {
 	 * @return			checksum, 0 on error
 	 */
 	u_int32_t (*build_segment)(integrity_checker_t *this, void *sym, size_t *len);
-	
+
 	/**
 	 * Check both, on disk file integrity and loaded segment.
 	 *
@@ -94,7 +94,7 @@ struct integrity_checker_t {
 	 * @return			TRUE if integrity tested successfully
 	 */
 	bool (*check)(integrity_checker_t *this, char *name, void *sym);
-	
+
 	/**
 	 * Destroy a integrity_checker_t.
 	 */
@@ -108,4 +108,4 @@ struct integrity_checker_t {
  */
 integrity_checker_t *integrity_checker_create(char *checksum_library);
 
-#endif /* INTEGRITY_CHECKER_H_ @}*/
+#endif /** INTEGRITY_CHECKER_H_ @}*/
diff --git a/src/libstrongswan/library.c b/src/libstrongswan/library.c
index 832c8b607..4e8bb87d0 100644
--- a/src/libstrongswan/library.c
+++ b/src/libstrongswan/library.c
@@ -21,6 +21,7 @@
 #include <utils.h>
 #include <chunk.h>
 #include <debug.h>
+#include <threading/thread.h>
 #include <utils/identification.h>
 #include <utils/host.h>
 #ifdef LEAK_DETECTIVE
@@ -64,21 +65,26 @@ void library_deinit()
 	this->public.plugins->destroy(this->public.plugins);
 	this->public.settings->destroy(this->public.settings);
 	this->public.creds->destroy(this->public.creds);
+	this->public.encoding->destroy(this->public.encoding);
 	this->public.crypto->destroy(this->public.crypto);
 	this->public.fetcher->destroy(this->public.fetcher);
+	this->public.attributes->destroy(this->public.attributes);
 	this->public.db->destroy(this->public.db);
 	this->public.printf_hook->destroy(this->public.printf_hook);
 	if (this->public.integrity)
 	{
 		this->public.integrity->destroy(this->public.integrity);
 	}
-	
+
 #ifdef LEAK_DETECTIVE
 	if (this->detective)
 	{
 		this->detective->destroy(this->detective);
 	}
 #endif /* LEAK_DETECTIVE */
+
+	threads_deinit();
+
 	free(this);
 	lib = NULL;
 }
@@ -91,16 +97,18 @@ bool library_init(char *settings)
 	printf_hook_t *pfh;
 	private_library_t *this = malloc_thing(private_library_t);
 	lib = &this->public;
-	
+
+	threads_init();
+
 	lib->leak_detective = FALSE;
-	
+
 #ifdef LEAK_DETECTIVE
 	this->detective = leak_detective_create();
 #endif /* LEAK_DETECTIVE */
 
 	pfh = printf_hook_create();
 	this->public.printf_hook = pfh;
-	
+
 	pfh->add_handler(pfh, 'b', mem_printf_hook,
 					 PRINTF_HOOK_ARGTYPE_POINTER, PRINTF_HOOK_ARGTYPE_INT,
 					 PRINTF_HOOK_ARGTYPE_END);
@@ -119,15 +127,17 @@ bool library_init(char *settings)
 					 PRINTF_HOOK_ARGTYPE_END);
 	pfh->add_handler(pfh, 'Y', identification_printf_hook,
 					 PRINTF_HOOK_ARGTYPE_POINTER, PRINTF_HOOK_ARGTYPE_END);
-	
+
 	this->public.settings = settings_create(settings);
 	this->public.crypto = crypto_factory_create();
 	this->public.creds = credential_factory_create();
+	this->public.encoding = key_encoding_create();
 	this->public.fetcher = fetcher_manager_create();
+	this->public.attributes = attribute_manager_create();
 	this->public.db = database_factory_create();
 	this->public.plugins = plugin_loader_create();
 	this->public.integrity = NULL;
-	
+
 	if (lib->settings->get_bool(lib->settings,
 								"libstrongswan.integrity_test", FALSE))
 	{
diff --git a/src/libstrongswan/library.h b/src/libstrongswan/library.h
index df4121803..78a6fe0a9 100644
--- a/src/libstrongswan/library.h
+++ b/src/libstrongswan/library.h
@@ -19,9 +19,6 @@
  * @defgroup asn1 asn1
  * @ingroup libstrongswan
  *
- * @defgroup pgp pgp
- * @ingroup libstrongswan
- *
  * @defgroup credentials credentials
  * @ingroup libstrongswan
  *
@@ -43,6 +40,9 @@
  * @defgroup plugins plugins
  * @ingroup libstrongswan
  *
+ * @defgroup threading threading
+ * @ingroup libstrongswan
+ *
  * @defgroup utils utils
  * @ingroup libstrongswan
  */
@@ -63,8 +63,10 @@
 #include <plugins/plugin_loader.h>
 #include <crypto/crypto_factory.h>
 #include <fetcher/fetcher_manager.h>
+#include <attributes/attribute_manager.h>
 #include <database/database_factory.h>
 #include <credentials/credential_factory.h>
+#include <credentials/keys/key_encoding.h>
 
 typedef struct library_t library_t;
 
@@ -77,42 +79,52 @@ struct library_t {
 	 * Printf hook registering facility
 	 */
 	printf_hook_t *printf_hook;
-	
+
 	/**
 	 * crypto algorithm registry and factory
 	 */
 	crypto_factory_t *crypto;
-	
+
 	/**
 	 * credential constructor registry and factory
 	 */
 	credential_factory_t *creds;
-	
+
+	/**
+	 * key encoding registry and factory
+	 */
+	key_encoding_t *encoding;
+
 	/**
 	 * URL fetching facility
 	 */
 	fetcher_manager_t *fetcher;
-	
+
+	/**
+	 * manager for payload attributes
+	 */
+	attribute_manager_t *attributes;
+
 	/**
 	 * database construction factory
 	 */
 	database_factory_t *db;
-	
+
 	/**
 	 * plugin loading facility
 	 */
 	plugin_loader_t *plugins;
-	
+
 	/**
 	 * various settings loaded from settings file
 	 */
 	settings_t *settings;
-	
+
 	/**
 	 * integrity checker to verify code integrity
 	 */
 	integrity_checker_t *integrity;
-	
+
 	/**
 	 * is leak detective running?
 	 */
diff --git a/src/libstrongswan/pgp/pgp.c b/src/libstrongswan/pgp/pgp.c
deleted file mode 100644
index 613c318c1..000000000
--- a/src/libstrongswan/pgp/pgp.c
+++ /dev/null
@@ -1,93 +0,0 @@
-/*
- * Copyright (C) 2002-2009 Andreas Steffen
- *
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
- 
-#include "pgp.h"
-
-ENUM_BEGIN(pgp_packet_tag_names, PGP_PKT_RESERVED, PGP_PKT_PUBLIC_SUBKEY,
-	"Reserved",
-	"Public-Key Encrypted Session Key Packet",
-	"Signature Packet",
-	"Symmetric-Key Encrypted Session Key Packet",
-	"One-Pass Signature Packet",
-	"Secret Key Packet",
-	"Public Key Packet",
-	"Secret Subkey Packet",
-	"Compressed Data Packet",
-	"Symmetrically Encrypted Data Packet",
-	"Marker Packet",
-	"Literal Data Packet",
-	"Trust Packet",
-	"User ID Packet",
-	"Public Subkey Packet"
-);
-ENUM_NEXT(pgp_packet_tag_names, PGP_PKT_USER_ATTRIBUTE, PGP_PKT_MOD_DETECT_CODE, PGP_PKT_PUBLIC_SUBKEY,
-	"User Attribute Packet",
-	"Sym. Encrypted and Integrity Protected Data Packet",
-	"Modification Detection Code Packet"
-);
-ENUM_END(pgp_packet_tag_names, PGP_PKT_MOD_DETECT_CODE);
-
-
-ENUM_BEGIN(pgp_pubkey_alg_names, PGP_PUBKEY_ALG_RSA, PGP_PUBKEY_ALG_RSA_SIGN_ONLY,
-	"RSA",
-	"RSA_ENC_ONLY",
-	"RSA_SIGN_ONLY"
-);
-ENUM_NEXT(pgp_pubkey_alg_names, PGP_PUBKEY_ALG_ELGAMAL_ENC_ONLY, PGP_PUBKEY_ALG_DIFFIE_HELLMAN, PGP_PUBKEY_ALG_RSA_SIGN_ONLY,
-	"ELGAMAL_ENC_ONLY",
-	"DSA",
-	"ECC",
-	"ECDSA",
-	"ELGAMAL",
-	"DIFFIE_HELLMAN"
-);
-ENUM_END(pgp_pubkey_alg_names, PGP_PUBKEY_ALG_DIFFIE_HELLMAN);
-
-
-ENUM(pgp_sym_alg_names, PGP_SYM_ALG_PLAIN, PGP_SYM_ALG_TWOFISH,
-	"PLAINTEXT",
-	"IDEA",
-	"3DES",
-	"CAST5",
-	"BLOWFISH",
-	"SAFER",
-	"DES",
-	"AES_128",
-	"AES_192",
-	"AES_256",
-	"TWOFISH"
-);
-
-/*
- * Defined in header.
- */
-size_t pgp_length(chunk_t *blob, size_t len)
-{
-	size_t size = 0;
-
-	if (len > blob->len)
-	{
-		return PGP_INVALID_LENGTH;
-	}
-	blob->len -= len;
-
-	while (len-- > 0)
-	{
-		size = 256*size + *blob->ptr++;
-	}
-	return size;
-}
-
diff --git a/src/libstrongswan/pgp/pgp.h b/src/libstrongswan/pgp/pgp.h
deleted file mode 100644
index 677c5b1cc..000000000
--- a/src/libstrongswan/pgp/pgp.h
+++ /dev/null
@@ -1,115 +0,0 @@
-/*
- * Copyright (C) 2002-2009 Andreas Steffen
- *
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
- 
-/**
- * @defgroup pgpi pgp
- * @{ @ingroup pgp
- */
-
-#ifndef PGP_H_
-#define PGP_H_
-
-typedef enum pgp_packet_tag_t pgp_packet_tag_t;
-typedef enum pgp_pubkey_alg_t pgp_pubkey_alg_t;
-typedef enum pgp_sym_alg_t pgp_sym_alg_t;
-
-#include <chunk.h>
-#include <enum.h>
-
-/**
- * OpenPGP packet tags as defined in section 4.3 of RFC 4880
- */
-enum pgp_packet_tag_t {
-	PGP_PKT_RESERVED               =  0,
-	PGP_PKT_PUBKEY_ENC_SESSION_KEY =  1,
-	PGP_PKT_SIGNATURE              =  2,
-	PGP_PKT_SYMKEY_ENC_SESSION_KEY =  3,
-	PGP_PKT_ONE_PASS_SIGNATURE_PKT =  4,
-	PGP_PKT_SECRET_KEY             =  5,
-	PGP_PKT_PUBLIC_KEY             =  6,
-	PGP_PKT_SECRET_SUBKEY          =  7,
-	PGP_PKT_COMPRESSED_DATA        =  8,
-	PGP_PKT_SYMKEY_ENC_DATA        =  9,
-	PGP_PKT_MARKER                 = 10,
-	PGP_PKT_LITERAL_DATA           = 11,
-	PGP_PKT_TRUST                  = 12,
-	PGP_PKT_USER_ID                = 13,
-	PGP_PKT_PUBLIC_SUBKEY          = 14,
-	PGP_PKT_USER_ATTRIBUTE         = 17,
-	PGP_PKT_SYM_ENC_INT_PROT_DATA  = 18,
-	PGP_PKT_MOD_DETECT_CODE        = 19
-};
-
-/**
- * Enum names for pgp_packet_tag_t
- */
-extern enum_name_t *pgp_packet_tag_names;
-
-/**
- * OpenPGP public key algorithms as defined in section 9.1 of RFC 4880
- */
-enum pgp_pubkey_alg_t {
-	PGP_PUBKEY_ALG_RSA              =  1,
-	PGP_PUBKEY_ALG_RSA_ENC_ONLY     =  2,
-	PGP_PUBKEY_ALG_RSA_SIGN_ONLY    =  3,
-	PGP_PUBKEY_ALG_ELGAMAL_ENC_ONLY = 16,
-	PGP_PUBKEY_ALG_DSA              = 17,
-	PGP_PUBKEY_ALG_ECC              = 18,
-	PGP_PUBKEY_ALG_ECDSA            = 19,
-	PGP_PUBKEY_ALG_ELGAMAL          = 20,
-	PGP_PUBKEY_ALG_DIFFIE_HELLMAN   = 21,
-};
-
-/**
- * Enum names for pgp_pubkey_alg_t
- */
-extern enum_name_t *pgp_pubkey_alg_names;
-
-/**
- * OpenPGP symmetric key algorithms as defined in section 9.2 of RFC 4880
- */
-enum pgp_sym_alg_t {
-	PGP_SYM_ALG_PLAIN    =  0,
-	PGP_SYM_ALG_IDEA     =  1,
-	PGP_SYM_ALG_3DES     =  2,
-	PGP_SYM_ALG_CAST5    =  3,
-	PGP_SYM_ALG_BLOWFISH =  4,
-	PGP_SYM_ALG_SAFER    =  5,
-	PGP_SYM_ALG_DES      =  6,
-	PGP_SYM_ALG_AES_128  =  7,
-	PGP_SYM_ALG_AES_192  =  8,
-	PGP_SYM_ALG_AES_256  =  9,
-	PGP_SYM_ALG_TWOFISH  = 10
-};
-
-/**
- * Enum names for pgp_sym_alg_t
- */
-extern enum_name_t *pgp_sym_alg_names;
-
-#define PGP_INVALID_LENGTH	0xffffffff
-
-/**
- * Returns the length of an OpenPGP (RFC 4880) packet
- * The blob pointer is advanced past the length field
- *
- * @param blob		pointer to an OpenPGP blob
- * @param len		size of the length field
- * @return			length of the next OpenPGP packet
- */
-size_t pgp_length(chunk_t *blob, size_t len);
-
-#endif /** PGP_H_ @}*/
diff --git a/src/libstrongswan/plugins/aes/Makefile.in b/src/libstrongswan/plugins/aes/Makefile.in
index 4414b2ede..03ef465e0 100644
--- a/src/libstrongswan/plugins/aes/Makefile.in
+++ b/src/libstrongswan/plugins/aes/Makefile.in
@@ -1,8 +1,9 @@
-# Makefile.in generated by automake 1.10.2 from Makefile.am.
+# Makefile.in generated by automake 1.11 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,8 +17,9 @@
 
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
@@ -35,19 +37,41 @@ host_triplet = @host@
 subdir = src/libstrongswan/plugins/aes
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
 CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
 am__vpath_adj = case $$p in \
     $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
     *) f=$$p;; \
   esac;
-am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__installdirs = "$(DESTDIR)$(plugindir)"
-pluginLTLIBRARIES_INSTALL = $(INSTALL)
 LTLIBRARIES = $(plugin_LTLIBRARIES)
 libstrongswan_aes_la_LIBADD =
 am_libstrongswan_aes_la_OBJECTS = aes_plugin.lo aes_crypter.lo
@@ -58,6 +82,7 @@ libstrongswan_aes_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
+am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
@@ -105,25 +130,22 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
-IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
-LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
-LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
-LINUX_HEADERS = @LINUX_HEADERS@
 LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
 NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
@@ -135,11 +157,14 @@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
 PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
+RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
@@ -168,9 +193,9 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
-confdir = @confdir@
 datadir = @datadir@
 datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
@@ -193,7 +218,7 @@ ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
 libstrongswan_plugins = @libstrongswan_plugins@
-linuxdir = @linuxdir@
+linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
@@ -201,6 +226,7 @@ mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
@@ -209,10 +235,12 @@ pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+random_device = @random_device@
 resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
-simreader = @simreader@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
@@ -220,6 +248,7 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
@@ -240,9 +269,9 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/libstrongswan/plugins/aes/Makefile'; \
-	cd $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu  src/libstrongswan/plugins/aes/Makefile
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/aes/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libstrongswan/plugins/aes/Makefile
 .PRECIOUS: Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
@@ -260,23 +289,28 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
 	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
 	  if test -f $$p; then \
-	    f=$(am__strip_dir) \
-	    echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(plugindir)/$$f'"; \
-	    $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(plugindir)/$$f"; \
+	    list2="$$list2 $$p"; \
 	  else :; fi; \
-	done
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
 
 uninstall-pluginLTLIBRARIES:
 	@$(NORMAL_UNINSTALL)
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
-	  p=$(am__strip_dir) \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$p'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$p"; \
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
 	done
 
 clean-pluginLTLIBRARIES:
@@ -301,21 +335,21 @@ distclean-compile:
 
 .c.o:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c $<
 
 .c.obj:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
 @am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
@@ -338,7 +372,7 @@ tags: TAGS
 
 TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
+	set x; \
 	here=`pwd`; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
@@ -346,29 +380,34 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
 	  test -n "$$unique" || unique=$$empty_fix; \
-	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	    $$tags $$unique; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
 	fi
 ctags: CTAGS
 CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	test -z "$(CTAGS_ARGS)$$unique" \
 	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$tags $$unique
+	     $$unique
 
 GTAGS:
 	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && cd $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) $$here
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
 
 distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
@@ -389,13 +428,17 @@ distdir: $(DISTFILES)
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
 	  if test -d $$d/$$file; then \
 	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
 	    fi; \
-	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
 	  else \
-	    test -f $(distdir)/$$file \
-	    || cp -p $$d/$$file $(distdir)/$$file \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
 	    || exit 1; \
 	  fi; \
 	done
@@ -426,6 +469,7 @@ clean-generic:
 
 distclean-generic:
 	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -447,6 +491,8 @@ dvi-am:
 
 html: html-am
 
+html-am:
+
 info: info-am
 
 info-am:
@@ -455,18 +501,28 @@ install-data-am: install-pluginLTLIBRARIES
 
 install-dvi: install-dvi-am
 
+install-dvi-am:
+
 install-exec-am:
 
 install-html: install-html-am
 
+install-html-am:
+
 install-info: install-info-am
 
+install-info-am:
+
 install-man:
 
 install-pdf: install-pdf-am
 
+install-pdf-am:
+
 install-ps: install-ps-am
 
+install-ps-am:
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -505,6 +561,7 @@ uninstall-am: uninstall-pluginLTLIBRARIES
 	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
 	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
 
+
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/src/libstrongswan/plugins/aes/aes_crypter.c b/src/libstrongswan/plugins/aes/aes_crypter.c
index c5b091750..10d48cf67 100644
--- a/src/libstrongswan/plugins/aes/aes_crypter.c
+++ b/src/libstrongswan/plugins/aes/aes_crypter.c
@@ -14,7 +14,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  */
- 
+
 #include "aes_crypter.h"
 
 /*
@@ -36,26 +36,26 @@ typedef struct private_aes_crypter_t private_aes_crypter_t;
 
 /**
  * Class implementing the AES symmetric encryption algorithm.
- * 
+ *
  * @ingroup crypters
  */
 struct private_aes_crypter_t {
-	
+
 	/**
 	 * Public part of this class.
 	 */
 	aes_crypter_t public;
-	
+
 	/**
 	 * Number of words in the key input block.
 	 */
 	u_int32_t    aes_Nkey;
-	
+
 	/**
 	 * The number of cipher rounds.
 	 */
 	u_int32_t    aes_Nrnd;
-	
+
 	/**
 	* The encryption key schedule.
 	*/
@@ -65,7 +65,7 @@ struct private_aes_crypter_t {
 	* The decryption key schedule.
 	*/
 	u_int32_t    aes_d_key[AES_KS_LENGTH];
-	
+
 	/**
 	* Key size of this AES cypher object.
 	*/
@@ -84,13 +84,13 @@ struct private_aes_crypter_t {
  *     is not defined, individually declared 32-bit words are used.
  * 6.  Define FAST_VARIABLE if a high speed variable block implementation
  *     is needed (essentially three separate fixed block size code sequences)
- * 7.  Define either ONE_TABLE or FOUR_TABLES for a fast table driven 
+ * 7.  Define either ONE_TABLE or FOUR_TABLES for a fast table driven
  *     version using 1 table (2 kbytes of table space) or 4 tables (8
  *     kbytes of table space) for higher speed.
- * 8.  Define either ONE_LR_TABLE or FOUR_LR_TABLES for a further speed 
+ * 8.  Define either ONE_LR_TABLE or FOUR_LR_TABLES for a further speed
  *     increase by using tables for the last rounds but with more table
  *     space (2 or 8 kbytes extra).
- * 9.  If neither ONE_TABLE nor FOUR_TABLES is defined, a compact but 
+ * 9.  If neither ONE_TABLE nor FOUR_TABLES is defined, a compact but
  *     slower version is provided.
  * 10. If fast decryption key scheduling is needed define ONE_IM_TABLE
  *     or FOUR_IM_TABLES for higher speed (2 or 8 kbytes extra).
@@ -131,17 +131,17 @@ struct private_aes_crypter_t {
 
 #if defined(AES_BLOCK_SIZE) && AES_BLOCK_SIZE != 16 && AES_BLOCK_SIZE != 24 && AES_BLOCK_SIZE != 32
 #error an illegal block size has been specified
-#endif  
+#endif
 
 /**
- * Rotates bytes within words by n positions, moving bytes 
+ * Rotates bytes within words by n positions, moving bytes
  * to higher index positions with wrap around into low positions.
- */ 
+ */
 #define upr(x,n)        (((x) << 8 * (n)) | ((x) >> (32 - 8 * (n))))
 /**
- * Moves bytes by n positions to higher index positions in 
+ * Moves bytes by n positions to higher index positions in
  * words but without wrap around.
- */ 
+ */
 #define ups(x,n)        ((x) << 8 * (n))
 
 /**
@@ -154,7 +154,7 @@ struct private_aes_crypter_t {
 
 /* little endian processor without data alignment restrictions: AES_LE_OK */
 /* original code: i386 */
-#if defined(i386) || defined(_I386) || defined(__i386__) || defined(__i386) 
+#if defined(i386) || defined(_I386) || defined(__i386__) || defined(__i386)
 #define	AES_LE_OK 1
 /* added (tested): alpha  --jjo */
 #elif defined(__alpha__)|| defined (__alpha)
@@ -220,9 +220,9 @@ struct private_aes_crypter_t {
 // give improved performance if a fast 32-bit multiply is not available. Note
 // that a temporary variable u needs to be defined where FFmulX is used.
 
-// #define FFmulX(x) (u = (x) & m1, u |= (u >> 1), ((x) & m2) << 1) ^ ((u >> 3) | (u >> 6)) 
+// #define FFmulX(x) (u = (x) & m1, u |= (u >> 1), ((x) & m2) << 1) ^ ((u >> 3) | (u >> 6))
 // #define m4  0x1b1b1b1b
-// #define FFmulX(x) (u = (x) & m1, ((x) & m2) << 1) ^ ((u - (u >> 7)) & m4) 
+// #define FFmulX(x) (u = (x) & m1, ((x) & m2) << 1) ^ ((u - (u >> 7)) & m4)
 
 // perform column mix operation on four bytes in parallel
 
@@ -343,7 +343,7 @@ static const u_int32_t rcon_tab[29] =
 #define w2(p)        0x00##p##0000
 #define w3(p)        0x##p##000000
 
-#if defined(FIXED_TABLES) && (defined(ONE_TABLE) || defined(FOUR_TABLES)) 
+#if defined(FIXED_TABLES) && (defined(ONE_TABLE) || defined(FOUR_TABLES))
 
 //  data for forward tables (other than last round)
 
@@ -526,7 +526,7 @@ static const u_int32_t it_tab[4][256] =
 
 #endif
 
-#if defined(FIXED_TABLES) && (defined(ONE_LR_TABLE) || defined(FOUR_LR_TABLES)) 
+#if defined(FIXED_TABLES) && (defined(ONE_LR_TABLE) || defined(FOUR_LR_TABLES))
 
 //  data for inverse tables (last round)
 
@@ -608,7 +608,7 @@ static const u_int32_t il_tab[4][256] =
 
 #endif
 
-#if defined(FIXED_TABLES) && (defined(ONE_IM_TABLE) || defined(FOUR_IM_TABLES)) 
+#if defined(FIXED_TABLES) && (defined(ONE_IM_TABLE) || defined(FOUR_IM_TABLES))
 
 #define m_table \
     r(00,00,00,00), r(0b,0d,09,0e), r(16,1a,12,1c), r(1d,17,1b,12),\
@@ -733,8 +733,8 @@ static u_int32_t  im_tab[4][256];
 
 #if !defined(FF_TABLES)
 
-// It will generally be sensible to use tables to compute finite 
-// field multiplies and inverses but where memory is scarse this 
+// It will generally be sensible to use tables to compute finite
+// field multiplies and inverses but where memory is scarse this
 // code might sometimes be better.
 
 // return 2 ^ (n - 1) where n is the bit number of the highest bit
@@ -743,7 +743,7 @@ static u_int32_t  im_tab[4][256];
 
 static unsigned char hibit(const u_int32_t x)
 {   unsigned char r = (unsigned char)((x >> 1) | (x >> 2));
-    
+
     r |= (r >> 2);
     r |= (r >> 4);
     return (r + 1) >> 1;
@@ -761,14 +761,14 @@ static unsigned char FFinv(const unsigned char x)
         if(!n1) return v1;
 
         while(n2 >= n1)
-        {   
+        {
             n2 /= n1; p2 ^= p1 * n2; v2 ^= v1 * n2; n2 = hibit(p2);
         }
-        
+
         if(!n2) return v2;
 
         while(n1 >= n2)
-        {   
+        {
             n1 /= n2; p1 ^= p2 * n1; v1 ^= v2 * n1; n1 = hibit(p1);
         }
     }
@@ -815,9 +815,9 @@ static void gen_tabs(void)
     // 0x011b as modular polynomial - the simplest primitive
     // root is 0x03, used here to generate the tables
 
-    i = 0; w = 1; 
+    i = 0; w = 1;
     do
-    {   
+    {
         pow[i] = (unsigned char)w;
         pow[i + 255] = (unsigned char)w;
         log[w] = (unsigned char)i++;
@@ -987,8 +987,8 @@ switch(nc) \
 // is being computed, return the input state variables which are
 // needed for each row (r) of the state
 
-// For the fixed block size options, compilers reduce these two 
-// expressions to fixed variable references. For variable block 
+// For the fixed block size options, compilers reduce these two
+// expressions to fixed variable references. For variable block
 // size code conditional clauses will sometimes be returned
 
 #define unused  77  // Sunset Strip
@@ -1226,17 +1226,17 @@ static void encrypt_block(const private_aes_crypter_t *this, const unsigned char
 
     switch(this->aes_Nrnd)
     {
-    case 14:    round(fwd_rnd,  b1, b0, kp         ); 
+    case 14:    round(fwd_rnd,  b1, b0, kp         );
                 round(fwd_rnd,  b0, b1, kp + nc    ); kp += 2 * nc;
-    case 12:    round(fwd_rnd,  b1, b0, kp         ); 
+    case 12:    round(fwd_rnd,  b1, b0, kp         );
                 round(fwd_rnd,  b0, b1, kp + nc    ); kp += 2 * nc;
-    case 10:    round(fwd_rnd,  b1, b0, kp         );             
+    case 10:    round(fwd_rnd,  b1, b0, kp         );
                 round(fwd_rnd,  b0, b1, kp +     nc);
-                round(fwd_rnd,  b1, b0, kp + 2 * nc); 
+                round(fwd_rnd,  b1, b0, kp + 2 * nc);
                 round(fwd_rnd,  b0, b1, kp + 3 * nc);
-                round(fwd_rnd,  b1, b0, kp + 4 * nc); 
+                round(fwd_rnd,  b1, b0, kp + 4 * nc);
                 round(fwd_rnd,  b0, b1, kp + 5 * nc);
-                round(fwd_rnd,  b1, b0, kp + 6 * nc); 
+                round(fwd_rnd,  b1, b0, kp + 6 * nc);
                 round(fwd_rnd,  b0, b1, kp + 7 * nc);
                 round(fwd_rnd,  b1, b0, kp + 8 * nc);
                 round(fwd_lrnd, b0, b1, kp + 9 * nc);
@@ -1247,7 +1247,7 @@ static void encrypt_block(const private_aes_crypter_t *this, const unsigned char
 
         for(rnd = 0; rnd < (this->aes_Nrnd >> 1) - 1; ++rnd)
         {
-            round(fwd_rnd, b1, b0, kp); 
+            round(fwd_rnd, b1, b0, kp);
             round(fwd_rnd, b0, b1, kp + nc); kp += 2 * nc;
         }
 
@@ -1259,7 +1259,7 @@ static void encrypt_block(const private_aes_crypter_t *this, const unsigned char
 
         for(rnd = 0; rnd < this->aes_Nrnd - 1; ++rnd)
         {
-            round(fwd_rnd, b1, b0, kp); 
+            round(fwd_rnd, b1, b0, kp);
             l_copy(b0, b1); kp += nc;
         }
 
@@ -1278,7 +1278,7 @@ static void decrypt_block(const private_aes_crypter_t *this, const unsigned char
     const u_int32_t  *kp = this->aes_d_key;
 
 #if !defined(ONE_TABLE) && !defined(FOUR_TABLES)
-    u_int32_t        f2, f4, f8, f9; 
+    u_int32_t        f2, f4, f8, f9;
 #endif
 
     state_in(b0, in_blk, kp); kp += nc;
@@ -1291,13 +1291,13 @@ static void decrypt_block(const private_aes_crypter_t *this, const unsigned char
                 round(inv_rnd,  b0, b1, kp + nc    ); kp += 2 * nc;
     case 12:    round(inv_rnd,  b1, b0, kp         );
                 round(inv_rnd,  b0, b1, kp + nc    ); kp += 2 * nc;
-    case 10:    round(inv_rnd,  b1, b0, kp         );             
+    case 10:    round(inv_rnd,  b1, b0, kp         );
                 round(inv_rnd,  b0, b1, kp +     nc);
-                round(inv_rnd,  b1, b0, kp + 2 * nc); 
+                round(inv_rnd,  b1, b0, kp + 2 * nc);
                 round(inv_rnd,  b0, b1, kp + 3 * nc);
-                round(inv_rnd,  b1, b0, kp + 4 * nc); 
+                round(inv_rnd,  b1, b0, kp + 4 * nc);
                 round(inv_rnd,  b0, b1, kp + 5 * nc);
-                round(inv_rnd,  b1, b0, kp + 6 * nc); 
+                round(inv_rnd,  b1, b0, kp + 6 * nc);
                 round(inv_rnd,  b0, b1, kp + 7 * nc);
                 round(inv_rnd,  b1, b0, kp + 8 * nc);
                 round(inv_lrnd, b0, b1, kp + 9 * nc);
@@ -1308,7 +1308,7 @@ static void decrypt_block(const private_aes_crypter_t *this, const unsigned char
 
         for(rnd = 0; rnd < (this->aes_Nrnd >> 1) - 1; ++rnd)
         {
-            round(inv_rnd, b1, b0, kp); 
+            round(inv_rnd, b1, b0, kp);
             round(inv_rnd, b0, b1, kp + nc); kp += 2 * nc;
         }
 
@@ -1320,7 +1320,7 @@ static void decrypt_block(const private_aes_crypter_t *this, const unsigned char
 
         for(rnd = 0; rnd < this->aes_Nrnd - 1; ++rnd)
         {
-            round(inv_rnd, b1, b0, kp); 
+            round(inv_rnd, b1, b0, kp);
             l_copy(b0, b1); kp += nc;
         }
 
@@ -1340,7 +1340,7 @@ static void decrypt(private_aes_crypter_t *this, chunk_t data, chunk_t iv,
 	int pos;
 	const u_int32_t *iv_i;
 	u_int8_t *in, *out;
-	
+
 	if (decrypted)
 	{
 		*decrypted = chunk_alloc(data.len);
@@ -1351,7 +1351,7 @@ static void decrypt(private_aes_crypter_t *this, chunk_t data, chunk_t iv,
 		out = data.ptr;
 	}
 	in = data.ptr;
-	
+
 	pos = data.len-16;
 	in += pos;
 	out += pos;
@@ -1386,7 +1386,7 @@ static void encrypt (private_aes_crypter_t *this, chunk_t data, chunk_t iv,
 	int pos;
 	const u_int32_t *iv_i;
 	u_int8_t *in, *out;
-	
+
 	in = data.ptr;
 	out = data.ptr;
 	if (encrypted)
@@ -1394,7 +1394,7 @@ static void encrypt (private_aes_crypter_t *this, chunk_t data, chunk_t iv,
 		*encrypted = chunk_alloc(data.len);
 		out = encrypted->ptr;
 	}
-	
+
 	pos=0;
 	while(pos<data.len)
 	{
@@ -1440,18 +1440,18 @@ static void set_key (private_aes_crypter_t *this, chunk_t key)
 {
 	u_int32_t    *kf, *kt, rci, f = 0;
 	u_int8_t *in_key = key.ptr;
-	
-	this->aes_Nrnd = (this->aes_Nkey > (nc) ? this->aes_Nkey : (nc)) + 6; 
-	
+
+	this->aes_Nrnd = (this->aes_Nkey > (nc) ? this->aes_Nkey : (nc)) + 6;
+
 	this->aes_e_key[0] = const_word_in(in_key     );
 	this->aes_e_key[1] = const_word_in(in_key +  4);
 	this->aes_e_key[2] = const_word_in(in_key +  8);
 	this->aes_e_key[3] = const_word_in(in_key + 12);
-	
-	kf = this->aes_e_key; 
-	kt = kf + nc * (this->aes_Nrnd + 1) - this->aes_Nkey; 
+
+	kf = this->aes_e_key;
+	kt = kf + nc * (this->aes_Nrnd + 1) - this->aes_Nkey;
 	rci = 0;
-	
+
 	switch(this->aes_Nkey)
 	{
 	case 4: do
@@ -1463,7 +1463,7 @@ static void set_key (private_aes_crypter_t *this, chunk_t key)
 			}
 			while(kf < kt);
 			break;
-	
+
 	case 6: this->aes_e_key[4] = const_word_in(in_key + 16);
 			this->aes_e_key[5] = const_word_in(in_key + 20);
 			do
@@ -1496,18 +1496,18 @@ static void set_key (private_aes_crypter_t *this, chunk_t key)
 			while (kf < kt);
 			break;
 	}
-	
+
 	if(!f)
     {
 		u_int32_t    i;
 
 		kt = this->aes_d_key + nc * this->aes_Nrnd;
 		kf = this->aes_e_key;
-		
+
 		cpy(kt, kf); kt -= 2 * nc;
-		
+
 		for(i = 1; i < this->aes_Nrnd; ++i)
-		{ 
+		{
 #if defined(ONE_TABLE) || defined(FOUR_TABLES)
 #if !defined(ONE_IM_TABLE) && !defined(FOUR_IM_TABLES)
 			u_int32_t    f2, f4, f8, f9;
@@ -1536,18 +1536,18 @@ static void destroy (private_aes_crypter_t *this)
 aes_crypter_t *aes_crypter_create(encryption_algorithm_t algo, size_t key_size)
 {
 	private_aes_crypter_t *this;
-	
+
 	if (algo != ENCR_AES_CBC)
 	{
 		return NULL;
 	}
-	
+
 	this = malloc_thing(private_aes_crypter_t);
-	
+
 	#if !defined(FIXED_TABLES)
 	if(!tab_gen) { gen_tabs(); tab_gen = 1; }
 	#endif
-	
+
 	this->key_size = key_size;
 	switch(key_size)
 	{
@@ -1564,13 +1564,13 @@ aes_crypter_t *aes_crypter_create(encryption_algorithm_t algo, size_t key_size)
 		free(this);
 		return NULL;
 	}
-	
+
 	this->public.crypter_interface.encrypt = (void (*) (crypter_t *, chunk_t,chunk_t, chunk_t *)) encrypt;
 	this->public.crypter_interface.decrypt = (void (*) (crypter_t *, chunk_t , chunk_t, chunk_t *)) decrypt;
 	this->public.crypter_interface.get_block_size = (size_t (*) (crypter_t *)) get_block_size;
 	this->public.crypter_interface.get_key_size = (size_t (*) (crypter_t *)) get_key_size;
 	this->public.crypter_interface.set_key = (void (*) (crypter_t *,chunk_t)) set_key;
 	this->public.crypter_interface.destroy = (void (*) (crypter_t *)) destroy;
-	
+
 	return &(this->public);
 }
diff --git a/src/libstrongswan/plugins/aes/aes_crypter.h b/src/libstrongswan/plugins/aes/aes_crypter.h
index 19ea6b4b7..061d72fd6 100644
--- a/src/libstrongswan/plugins/aes/aes_crypter.h
+++ b/src/libstrongswan/plugins/aes/aes_crypter.h
@@ -30,7 +30,7 @@ typedef struct aes_crypter_t aes_crypter_t;
  * Class implementing the AES encryption algorithm.
  */
 struct aes_crypter_t {
-	
+
 	/**
 	 * The crypter_t interface.
 	 */
@@ -39,7 +39,7 @@ struct aes_crypter_t {
 
 /**
  * Constructor to create aes_crypter_t objects.
- * 
+ *
  * @param key_size		key size in bytes
  * @param algo			algorithm to implement
  * @return				aes_crypter_t object, NULL if not supported
diff --git a/src/libstrongswan/plugins/aes/aes_plugin.c b/src/libstrongswan/plugins/aes/aes_plugin.c
index 63fa48330..c6215cc7f 100644
--- a/src/libstrongswan/plugins/aes/aes_plugin.c
+++ b/src/libstrongswan/plugins/aes/aes_plugin.c
@@ -47,12 +47,12 @@ static void destroy(private_aes_plugin_t *this)
 plugin_t *plugin_create()
 {
 	private_aes_plugin_t *this = malloc_thing(private_aes_plugin_t);
-	
+
 	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-	
+
 	lib->crypto->add_crypter(lib->crypto, ENCR_AES_CBC,
 							 (crypter_constructor_t)aes_crypter_create);
-	
+
 	return &this->public.plugin;
 }
 
diff --git a/src/libstrongswan/plugins/agent/Makefile.in b/src/libstrongswan/plugins/agent/Makefile.in
index a73edb362..5bf52aa56 100644
--- a/src/libstrongswan/plugins/agent/Makefile.in
+++ b/src/libstrongswan/plugins/agent/Makefile.in
@@ -1,8 +1,9 @@
-# Makefile.in generated by automake 1.10.2 from Makefile.am.
+# Makefile.in generated by automake 1.11 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,8 +17,9 @@
 
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
@@ -35,19 +37,41 @@ host_triplet = @host@
 subdir = src/libstrongswan/plugins/agent
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
 CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
 am__vpath_adj = case $$p in \
     $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
     *) f=$$p;; \
   esac;
-am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__installdirs = "$(DESTDIR)$(plugindir)"
-pluginLTLIBRARIES_INSTALL = $(INSTALL)
 LTLIBRARIES = $(plugin_LTLIBRARIES)
 libstrongswan_agent_la_LIBADD =
 am_libstrongswan_agent_la_OBJECTS = agent_plugin.lo \
@@ -59,6 +83,7 @@ libstrongswan_agent_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
+am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
@@ -106,25 +131,22 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
-IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
-LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
-LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
-LINUX_HEADERS = @LINUX_HEADERS@
 LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
 NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
@@ -136,11 +158,14 @@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
 PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
+RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
@@ -169,9 +194,9 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
-confdir = @confdir@
 datadir = @datadir@
 datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
@@ -194,7 +219,7 @@ ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
 libstrongswan_plugins = @libstrongswan_plugins@
-linuxdir = @linuxdir@
+linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
@@ -202,6 +227,7 @@ mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
@@ -210,10 +236,12 @@ pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+random_device = @random_device@
 resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
-simreader = @simreader@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
@@ -221,6 +249,7 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
@@ -243,9 +272,9 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/libstrongswan/plugins/agent/Makefile'; \
-	cd $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu  src/libstrongswan/plugins/agent/Makefile
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/agent/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libstrongswan/plugins/agent/Makefile
 .PRECIOUS: Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
@@ -263,23 +292,28 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
 	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
 	  if test -f $$p; then \
-	    f=$(am__strip_dir) \
-	    echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(plugindir)/$$f'"; \
-	    $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(plugindir)/$$f"; \
+	    list2="$$list2 $$p"; \
 	  else :; fi; \
-	done
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
 
 uninstall-pluginLTLIBRARIES:
 	@$(NORMAL_UNINSTALL)
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
-	  p=$(am__strip_dir) \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$p'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$p"; \
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
 	done
 
 clean-pluginLTLIBRARIES:
@@ -304,21 +338,21 @@ distclean-compile:
 
 .c.o:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c $<
 
 .c.obj:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
 @am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
@@ -341,7 +375,7 @@ tags: TAGS
 
 TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
+	set x; \
 	here=`pwd`; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
@@ -349,29 +383,34 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
 	  test -n "$$unique" || unique=$$empty_fix; \
-	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	    $$tags $$unique; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
 	fi
 ctags: CTAGS
 CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	test -z "$(CTAGS_ARGS)$$unique" \
 	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$tags $$unique
+	     $$unique
 
 GTAGS:
 	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && cd $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) $$here
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
 
 distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
@@ -392,13 +431,17 @@ distdir: $(DISTFILES)
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
 	  if test -d $$d/$$file; then \
 	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
 	    fi; \
-	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
 	  else \
-	    test -f $(distdir)/$$file \
-	    || cp -p $$d/$$file $(distdir)/$$file \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
 	    || exit 1; \
 	  fi; \
 	done
@@ -429,6 +472,7 @@ clean-generic:
 
 distclean-generic:
 	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -450,6 +494,8 @@ dvi-am:
 
 html: html-am
 
+html-am:
+
 info: info-am
 
 info-am:
@@ -458,18 +504,28 @@ install-data-am: install-pluginLTLIBRARIES
 
 install-dvi: install-dvi-am
 
+install-dvi-am:
+
 install-exec-am:
 
 install-html: install-html-am
 
+install-html-am:
+
 install-info: install-info-am
 
+install-info-am:
+
 install-man:
 
 install-pdf: install-pdf-am
 
+install-pdf-am:
+
 install-ps: install-ps-am
 
+install-ps-am:
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -508,6 +564,7 @@ uninstall-am: uninstall-pluginLTLIBRARIES
 	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
 	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
 
+
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/src/libstrongswan/plugins/agent/agent_plugin.c b/src/libstrongswan/plugins/agent/agent_plugin.c
index 84b85d4bd..299b2cc1d 100644
--- a/src/libstrongswan/plugins/agent/agent_plugin.c
+++ b/src/libstrongswan/plugins/agent/agent_plugin.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008 Martin Willi
+ * Copyright (C) 2008-2009 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -37,7 +37,7 @@ struct private_agent_plugin_t {
 static void destroy(private_agent_plugin_t *this)
 {
 	lib->creds->remove_builder(lib->creds,
-							   (builder_constructor_t)agent_private_key_builder);
+							   (builder_function_t)agent_private_key_open);
 	free(this);
 }
 
@@ -47,11 +47,11 @@ static void destroy(private_agent_plugin_t *this)
 plugin_t *plugin_create()
 {
 	private_agent_plugin_t *this = malloc_thing(private_agent_plugin_t);
-	
+
 	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-	
+
 	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
-							(builder_constructor_t)agent_private_key_builder);
+							(builder_function_t)agent_private_key_open);
 	return &this->public.plugin;
 }
 
diff --git a/src/libstrongswan/plugins/agent/agent_plugin.h b/src/libstrongswan/plugins/agent/agent_plugin.h
index 33a5dcb53..e49af42d8 100644
--- a/src/libstrongswan/plugins/agent/agent_plugin.h
+++ b/src/libstrongswan/plugins/agent/agent_plugin.h
@@ -16,7 +16,7 @@
 /**
  * @defgroup agent_p agent
  * @ingroup plugins
- * 
+ *
  * @defgroup agent_plugin agent_plugin
  * @{ @ingroup agent_p
  */
diff --git a/src/libstrongswan/plugins/agent/agent_private_key.c b/src/libstrongswan/plugins/agent/agent_private_key.c
index ffdc6d778..d0a2da87f 100644
--- a/src/libstrongswan/plugins/agent/agent_private_key.c
+++ b/src/libstrongswan/plugins/agent/agent_private_key.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008 Martin Willi
+ * Copyright (C) 2008-2009 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -26,8 +26,6 @@
 #include <library.h>
 #include <chunk.h>
 #include <debug.h>
-#include <asn1/asn1.h>
-#include <asn1/oid.h>
 
 #ifndef UNIX_PATH_MAX
 #define UNIX_PATH_MAX 108
@@ -44,36 +42,26 @@ struct private_agent_private_key_t {
 	 * Public interface for this signer.
 	 */
 	agent_private_key_t public;
-	
+
 	/**
 	 * ssh-agent unix socket connection
 	 */
 	int socket;
-	
+
 	/**
 	 * key identity blob in ssh format
 	 */
 	chunk_t key;
-	
+
 	/**
 	 * keysize in bytes
 	 */
 	size_t key_size;
-	
-	/**
-	 * Keyid formed as a SHA-1 hash of a publicKey object
-	 */
-	identification_t* keyid;
 
-	/**
-	 * Keyid formed as a SHA-1 hash of a publicKeyInfo object
-	 */
-	identification_t* keyid_info;
-	
 	/**
 	 * reference count
 	 */
-	refcount_t ref;	
+	refcount_t ref;
 };
 
 /**
@@ -127,7 +115,7 @@ static chunk_t read_string(chunk_t *blob)
 {
 	int len;
 	chunk_t str;
-	
+
 	len = read_uint32(blob);
 	if (len > blob->len)
 	{
@@ -152,11 +140,11 @@ static int open_connection(char *path)
 		DBG1("opening ssh-agent socket %s failed: %s:", path, strerror(errno));
 		return -1;
 	}
-	
+
 	addr.sun_family = AF_UNIX;
 	addr.sun_path[UNIX_PATH_MAX - 1] = '\0';
 	strncpy(addr.sun_path, path, UNIX_PATH_MAX - 1);
-	
+
 	if (connect(s, (struct sockaddr*)&addr, SUN_LEN(&addr)) != 0)
 	{
 		DBG1("connecting to ssh-agent socket failed: %s", strerror(errno));
@@ -167,51 +155,14 @@ static int open_connection(char *path)
 }
 
 /**
- * check if the ssh agent key blob matches to our public key
- */
-static bool matches_pubkey(chunk_t key, public_key_t *pubkey)
-{
-	chunk_t pubkeydata, hash, n, e;
-	hasher_t *hasher;
-	identification_t *id;
-	bool match;
-	
-	if (!pubkey)
-	{
-		return TRUE;
-	}
-	read_string(&key);
-	e = read_string(&key);
-	n = read_string(&key);
-	hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
-	if (hasher == NULL)
-	{
-		return FALSE;
-	}
-	pubkeydata = asn1_wrap(ASN1_SEQUENCE, "mm", 
-						asn1_integer("c", n),
-						asn1_integer("c", e));
-	hasher->allocate_hash(hasher, pubkeydata, &hash);
-	free(pubkeydata.ptr);
-	id = pubkey->get_id(pubkey, ID_PUBKEY_SHA1);
-	if (!id)
-	{
-		return FALSE;
-	}
-	match = chunk_equals(id->get_encoding(id), hash);
-	free(hash.ptr);
-	return match;
-}
-
-/** 
  * Get the first usable key from the agent
  */
 static bool read_key(private_agent_private_key_t *this, public_key_t *pubkey)
 {
 	int len, count;
 	char buf[2048];
-	chunk_t blob = chunk_from_buf(buf), key, type, tmp;
-	
+	chunk_t blob, key, type, n;
+
 	len = htonl(1);
 	buf[0] = SSH_AGENT_ID_REQUEST;
 	if (write(this->socket, &len, sizeof(len)) != sizeof(len) ||
@@ -220,9 +171,10 @@ static bool read_key(private_agent_private_key_t *this, public_key_t *pubkey)
 		DBG1("writing to ssh-agent failed");
 		return FALSE;
 	}
-	
+
+	blob = chunk_create(buf, sizeof(buf));
 	blob.len = read(this->socket, blob.ptr, blob.len);
-	
+
 	if (blob.len < sizeof(u_int32_t) + sizeof(u_char) ||
 		read_uint32(&blob) != blob.len ||
 		read_byte(&blob) != SSH_AGENT_ID_RESPONSE)
@@ -231,51 +183,59 @@ static bool read_key(private_agent_private_key_t *this, public_key_t *pubkey)
 		return FALSE;
 	}
 	count = read_uint32(&blob);
-	
+
 	while (blob.len)
 	{
 		key = read_string(&blob);
-		if (key.len)
+		if (!key.len)
+		{
+			break;
+		}
+		this->key = key;
+		type = read_string(&key);
+		if (!type.len || !strneq("ssh-rsa", type.ptr, type.len))
+		{
+			break;
+		}
+		read_string(&key);
+		n = read_string(&key);
+		if (n.len <= 512/8)
+		{
+			break;;
+		}
+		if (pubkey && !private_key_belongs_to(&this->public.interface, pubkey))
 		{
-			tmp = key;
-			type = read_string(&tmp);
-			read_string(&tmp);
-			tmp = read_string(&tmp);
-			if (type.len && strneq("ssh-rsa", type.ptr, type.len) &&
-				tmp.len >= 512/8 && matches_pubkey(key, pubkey))
-			{
-				this->key = chunk_clone(key);
-				this->key_size = tmp.len;
-				if (tmp.ptr[0] == 0)
-				{
-					this->key_size--;
-				}
-				return TRUE;
-			}
 			continue;
 		}
-		break;
+		this->key_size = n.len;
+		if (n.ptr[0] == 0)
+		{
+			this->key_size--;
+		}
+		this->key = chunk_clone(this->key);
+		return TRUE;
 	}
+	this->key = chunk_empty;
 	return FALSE;
 }
 
 /**
  * Implementation of agent_private_key.destroy.
  */
-static bool sign(private_agent_private_key_t *this, signature_scheme_t scheme, 
+static bool sign(private_agent_private_key_t *this, signature_scheme_t scheme,
 				 chunk_t data, chunk_t *signature)
 {
 	u_int32_t len, flags;
 	char buf[2048];
-	chunk_t blob = chunk_from_buf(buf);
-	
+	chunk_t blob;
+
 	if (scheme != SIGN_RSA_EMSA_PKCS1_SHA1)
 	{
 		DBG1("signature scheme %N not supported by ssh-agent",
 			 signature_scheme_names, scheme);
 		return FALSE;
 	}
-	
+
 	len = htonl(1 + sizeof(u_int32_t) * 3 + this->key.len + data.len);
 	buf[0] = SSH_AGENT_SIGN_REQUEST;
 	if (write(this->socket, &len, sizeof(len)) != sizeof(len) ||
@@ -284,7 +244,7 @@ static bool sign(private_agent_private_key_t *this, signature_scheme_t scheme,
 		DBG1("writing to ssh-agent failed");
 		return FALSE;
 	}
-	
+
 	len = htonl(this->key.len);
 	if (write(this->socket, &len, sizeof(len)) != sizeof(len) ||
 		write(this->socket, this->key.ptr, this->key.len) != this->key.len)
@@ -292,7 +252,7 @@ static bool sign(private_agent_private_key_t *this, signature_scheme_t scheme,
 		DBG1("writing to ssh-agent failed");
 		return FALSE;
 	}
-	
+
 	len = htonl(data.len);
 	if (write(this->socket, &len, sizeof(len)) != sizeof(len) ||
 		write(this->socket, data.ptr, data.len) != data.len)
@@ -300,14 +260,15 @@ static bool sign(private_agent_private_key_t *this, signature_scheme_t scheme,
 		DBG1("writing to ssh-agent failed");
 		return FALSE;
 	}
-	
+
 	flags = htonl(0);
 	if (write(this->socket, &flags, sizeof(flags)) != sizeof(flags))
 	{
 		DBG1("writing to ssh-agent failed");
 		return FALSE;
 	}
-	
+
+	blob = chunk_create(buf, sizeof(buf));
 	blob.len = read(this->socket, blob.ptr, blob.len);
 	if (blob.len < sizeof(u_int32_t) + sizeof(u_char) ||
 		read_uint32(&blob) != blob.len ||
@@ -357,113 +318,50 @@ static size_t get_keysize(private_agent_private_key_t *this)
 	return this->key_size;
 }
 
-/**
- * Implementation of agent_private_key.destroy.
- */
-static identification_t* get_id(private_agent_private_key_t *this,
-								id_type_t type)
-{
-	switch (type)
-	{
-		case ID_PUBKEY_INFO_SHA1:
-			return this->keyid_info;
-		case ID_PUBKEY_SHA1:
-			return this->keyid;
-		default:
-			return NULL;
-	}
-}
-
 /**
  * Implementation of agent_private_key.get_public_key.
  */
 static public_key_t* get_public_key(private_agent_private_key_t *this)
 {
-	chunk_t key, n, e, encoded;
-	public_key_t *public;
-	
+	chunk_t key, n, e;
+
 	key = this->key;
 	read_string(&key);
 	e = read_string(&key);
 	n = read_string(&key);
-	encoded = asn1_wrap(ASN1_SEQUENCE, "mm", 
-					asn1_integer("c", n),
-					asn1_integer("c", e));
-
-	public = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_RSA, 
-								BUILD_BLOB_ASN1_DER, encoded, BUILD_END);
-	free(encoded.ptr);
-	return public;
+
+	return lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
+						BUILD_RSA_MODULUS, n, BUILD_RSA_PUB_EXP, e, BUILD_END);
 }
 
 /**
- * Implementation of agent_private_key.belongs_to.
+ * Implementation of private_key_t.get_encoding
  */
-static bool belongs_to(private_agent_private_key_t *this, public_key_t *public)
+static bool get_encoding(private_agent_private_key_t *this,
+						 key_encoding_type_t type, chunk_t *encoding)
 {
-	identification_t *keyid;
-
-	if (public->get_type(public) != KEY_RSA)
-	{
-		return FALSE;
-	}
-	keyid = public->get_id(public, ID_PUBKEY_SHA1);
-	if (keyid && keyid->equals(keyid, this->keyid))
-	{
-		return TRUE;
-	}
-	keyid = public->get_id(public, ID_PUBKEY_INFO_SHA1);
-	if (keyid && keyid->equals(keyid, this->keyid_info))
-	{
-		return TRUE;
-	}
 	return FALSE;
 }
 
 /**
- * Build the RSA key identifier from n and e using SHA1 hashed publicKey(Info).
+ * Implementation of private_key_t.get_fingerprint
  */
-static bool build_ids(private_agent_private_key_t *this)
+static bool get_fingerprint(private_agent_private_key_t *this,
+							key_encoding_type_t type, chunk_t *fp)
 {
-	chunk_t publicKeyInfo, publicKey, hash, key, n, e;
-	hasher_t *hasher;
-	
+	chunk_t n, e, key;
+
+	if (lib->encoding->get_cache(lib->encoding, type, this, fp))
+	{
+		return TRUE;
+	}
 	key = this->key;
 	read_string(&key);
 	e = read_string(&key);
 	n = read_string(&key);
-	
-	hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
-	if (hasher == NULL)
-	{
-		DBG1("SHA1 hash algorithm not supported, unable to use RSA");
-		return FALSE;
-	}
-	publicKey = asn1_wrap(ASN1_SEQUENCE, "mm", 
-					asn1_integer("c", n),
-					asn1_integer("c", e));
-	hasher->allocate_hash(hasher, publicKey, &hash);
-	this->keyid = identification_create_from_encoding(ID_PUBKEY_SHA1, hash);
-	chunk_free(&hash);
-	
-	publicKeyInfo = asn1_wrap(ASN1_SEQUENCE, "cm",
-						asn1_algorithmIdentifier(OID_RSA_ENCRYPTION),
-						asn1_bitstring("m", publicKey));
-	hasher->allocate_hash(hasher, publicKeyInfo, &hash);
-	this->keyid_info = identification_create_from_encoding(ID_PUBKEY_INFO_SHA1, hash);
-	chunk_free(&hash);
-	
-	hasher->destroy(hasher);
-	chunk_free(&publicKeyInfo);
-	return TRUE;
-}
 
-/**
- * Implementation of private_key_t.get_encoding.
- */
-static chunk_t get_encoding(private_agent_private_key_t *this)
-{
-	return chunk_empty;
+	return lib->encoding->encode(lib->encoding, type, this, fp,
+				KEY_PART_RSA_MODULUS, n, KEY_PART_RSA_PUB_EXP, e, KEY_PART_END);
 }
 
 /**
@@ -483,32 +381,58 @@ static void destroy(private_agent_private_key_t *this)
 	if (ref_put(&this->ref))
 	{
 		close(this->socket);
-		DESTROY_IF(this->keyid);
-		DESTROY_IF(this->keyid_info);
 		free(this->key.ptr);
+		lib->encoding->clear_cache(lib->encoding, this);
 		free(this);
 	}
 }
 
 /**
- * Internal constructor
+ * See header.
  */
-static agent_private_key_t *agent_private_key_create(char *path,
-													 public_key_t *pubkey)
+agent_private_key_t *agent_private_key_open(key_type_t type, va_list args)
 {
-	private_agent_private_key_t *this = malloc_thing(private_agent_private_key_t);
-	
+	private_agent_private_key_t *this;
+	public_key_t *pubkey = NULL;
+	char *path = NULL;
+
+	while (TRUE)
+	{
+		switch (va_arg(args, builder_part_t))
+		{
+			case BUILD_AGENT_SOCKET:
+				path = va_arg(args, char*);
+				continue;
+			case BUILD_PUBLIC_KEY:
+				pubkey = va_arg(args, public_key_t*);
+				continue;
+			case BUILD_END:
+				break;
+			default:
+				return NULL;
+		}
+		break;
+	}
+	if (!path)
+	{
+		return FALSE;
+	}
+
+	this = malloc_thing(private_agent_private_key_t);
+
 	this->public.interface.get_type = (key_type_t (*)(private_key_t *this))get_type;
 	this->public.interface.sign = (bool (*)(private_key_t *this, signature_scheme_t scheme, chunk_t data, chunk_t *signature))sign;
 	this->public.interface.decrypt = (bool (*)(private_key_t *this, chunk_t crypto, chunk_t *plain))decrypt;
 	this->public.interface.get_keysize = (size_t (*) (private_key_t *this))get_keysize;
-	this->public.interface.get_id = (identification_t* (*) (private_key_t *this,id_type_t))get_id;
 	this->public.interface.get_public_key = (public_key_t* (*)(private_key_t *this))get_public_key;
-	this->public.interface.belongs_to = (bool (*) (private_key_t *this, public_key_t *public))belongs_to;
-	this->public.interface.get_encoding = (chunk_t(*)(private_key_t*))get_encoding;
+	this->public.interface.belongs_to = private_key_belongs_to;
+	this->public.interface.equals = private_key_equals;
+	this->public.interface.get_fingerprint = (bool(*)(private_key_t*, key_encoding_type_t type, chunk_t *fp))get_fingerprint;
+	this->public.interface.has_fingerprint = (bool(*)(private_key_t*, chunk_t fp))private_key_has_fingerprint;
+	this->public.interface.get_encoding = (bool(*)(private_key_t*, key_encoding_type_t type, chunk_t *encoding))get_encoding;
 	this->public.interface.get_ref = (private_key_t* (*)(private_key_t *this))get_ref;
 	this->public.interface.destroy = (void (*)(private_key_t *this))destroy;
-	
+
 	this->socket = open_connection(path);
 	if (this->socket < 0)
 	{
@@ -516,93 +440,13 @@ static agent_private_key_t *agent_private_key_create(char *path,
 		return NULL;
 	}
 	this->key = chunk_empty;
-	this->keyid = NULL;
-	this->keyid_info = NULL;
 	this->ref = 1;
-	if (!read_key(this, pubkey) || !build_ids(this))
-	{
-		destroy(this);
-		return NULL;
-	}
-	return &this->public;
-}
-
-typedef struct private_builder_t private_builder_t;
-/**
- * Builder implementation for key loading/generation
- */
-struct private_builder_t {
-	/** implements the builder interface */
-	builder_t public;
-	/** agent unix socket */
-	char *socket;
-	/** matching public key */
-	public_key_t *pubkey;
-};
 
-/**
- * Implementation of builder_t.build
- */
-static agent_private_key_t *build(private_builder_t *this)
-{
-	agent_private_key_t *key = NULL;
-	
-	if (this->socket)
-	{
-		key = agent_private_key_create(this->socket, this->pubkey);
-	}
-	free(this);
-	return key;
-}
-
-/**
- * Implementation of builder_t.add
- */
-static void add(private_builder_t *this, builder_part_t part, ...)
-{
-	va_list args;
-	
-	switch (part)
-	{
-		case BUILD_AGENT_SOCKET:
-		{
-			va_start(args, part);
-			this->socket = va_arg(args, char*);
-			va_end(args);
-			return;
-		}
-		case BUILD_PUBLIC_KEY:
-		{
-			va_start(args, part);
-			this->pubkey = va_arg(args, public_key_t*);
-			va_end(args);
-			return;
-		}
-		default:
-			break;
-	}
-	builder_cancel(&this->public);
-}
-
-/**
- * Builder construction function
- */
-builder_t *agent_private_key_builder(key_type_t type)
-{
-	private_builder_t *this;
-	
-	if (type != KEY_RSA)
+	if (!read_key(this, pubkey))
 	{
+		destroy(this);
 		return NULL;
 	}
-	
-	this = malloc_thing(private_builder_t);
-	
-	this->pubkey = NULL;
-	this->socket = NULL;
-	this->public.add = (void(*)(builder_t *this, builder_part_t part, ...))add;
-	this->public.build = (void*(*)(builder_t *this))build;
-	
 	return &this->public;
 }
 
diff --git a/src/libstrongswan/plugins/agent/agent_private_key.h b/src/libstrongswan/plugins/agent/agent_private_key.h
index 929e88a50..3d9500c1a 100644
--- a/src/libstrongswan/plugins/agent/agent_private_key.h
+++ b/src/libstrongswan/plugins/agent/agent_private_key.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008 Martin Willi
+ * Copyright (C) 2008-2009 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -21,6 +21,7 @@
 #ifndef AGENT_PRIVATE_KEY_H_
 #define AGENT_PRIVATE_KEY_H_
 
+#include <credentials/builder.h>
 #include <credentials/keys/private_key.h>
 
 typedef struct agent_private_key_t agent_private_key_t;
@@ -37,12 +38,16 @@ struct agent_private_key_t {
 };
 
 /**
- * Create the builder for a private key.
+ * Open connection to a private key stored in a SSH agent.
  *
- * @param type		type of the key
- * @return 			builder instance
+ * The function takes BUILD_AGENT_SOCKET and optionally a BUILD_PUBLIC_KEY
+ * to select a specific key loaded in ssh-agent.
+ *
+ * @param type		type of the key, must be KEY_RSA
+ * @param args		builder_part_t argument list
+ * @return 			built key, NULL on failure
  */
-builder_t *agent_private_key_builder(key_type_t type);
+agent_private_key_t *agent_private_key_open(key_type_t type, va_list args);
 
 #endif /** AGENT_PRIVATE_KEY_H_ @}*/
 
diff --git a/src/libstrongswan/plugins/attr_sql/Makefile.am b/src/libstrongswan/plugins/attr_sql/Makefile.am
new file mode 100644
index 000000000..5be310abf
--- /dev/null
+++ b/src/libstrongswan/plugins/attr_sql/Makefile.am
@@ -0,0 +1,15 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = -rdynamic \
+  -DPLUGINS=\""${libstrongswan_plugins}\""
+
+plugin_LTLIBRARIES = libstrongswan-attr-sql.la
+libstrongswan_attr_sql_la_SOURCES = \
+  attr_sql_plugin.h attr_sql_plugin.c \
+  sql_attribute.h sql_attribute.c
+libstrongswan_attr_sql_la_LDFLAGS = -module -avoid-version
+
+ipsec_PROGRAMS = pool
+pool_SOURCES = pool.c
+pool_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
diff --git a/src/libstrongswan/plugins/attr_sql/Makefile.in b/src/libstrongswan/plugins/attr_sql/Makefile.in
new file mode 100644
index 000000000..e157a9b78
--- /dev/null
+++ b/src/libstrongswan/plugins/attr_sql/Makefile.in
@@ -0,0 +1,633 @@
+# Makefile.in generated by automake 1.11 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+ipsec_PROGRAMS = pool$(EXEEXT)
+subdir = src/libstrongswan/plugins/attr_sql
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(plugindir)" "$(DESTDIR)$(ipsecdir)"
+LTLIBRARIES = $(plugin_LTLIBRARIES)
+libstrongswan_attr_sql_la_LIBADD =
+am_libstrongswan_attr_sql_la_OBJECTS = attr_sql_plugin.lo \
+	sql_attribute.lo
+libstrongswan_attr_sql_la_OBJECTS =  \
+	$(am_libstrongswan_attr_sql_la_OBJECTS)
+libstrongswan_attr_sql_la_LINK = $(LIBTOOL) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_attr_sql_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
+PROGRAMS = $(ipsec_PROGRAMS)
+am_pool_OBJECTS = pool.$(OBJEXT)
+pool_OBJECTS = $(am_pool_OBJECTS)
+pool_DEPENDENCIES =  \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_attr_sql_la_SOURCES) $(pool_SOURCES)
+DIST_SOURCES = $(libstrongswan_attr_sql_la_SOURCES) $(pool_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libstrongswan_plugins = @libstrongswan_plugins@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+AM_CFLAGS = -rdynamic \
+  -DPLUGINS=\""${libstrongswan_plugins}\""
+
+plugin_LTLIBRARIES = libstrongswan-attr-sql.la
+libstrongswan_attr_sql_la_SOURCES = \
+  attr_sql_plugin.h attr_sql_plugin.c \
+  sql_attribute.h sql_attribute.c
+
+libstrongswan_attr_sql_la_LDFLAGS = -module -avoid-version
+pool_SOURCES = pool.c
+pool_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/attr_sql/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libstrongswan/plugins/attr_sql/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-attr-sql.la: $(libstrongswan_attr_sql_la_OBJECTS) $(libstrongswan_attr_sql_la_DEPENDENCIES) 
+	$(libstrongswan_attr_sql_la_LINK) -rpath $(plugindir) $(libstrongswan_attr_sql_la_OBJECTS) $(libstrongswan_attr_sql_la_LIBADD) $(LIBS)
+install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	test -z "$(ipsecdir)" || $(MKDIR_P) "$(DESTDIR)$(ipsecdir)"
+	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
+	for p in $$list; do echo "$$p $$p"; done | \
+	sed 's/$(EXEEXT)$$//' | \
+	while read p p1; do if test -f $$p || test -f $$p1; \
+	  then echo "$$p"; echo "$$p"; else :; fi; \
+	done | \
+	sed -e 'p;s,.*/,,;n;h' -e 's|.*|.|' \
+	    -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \
+	sed 'N;N;N;s,\n, ,g' | \
+	$(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \
+	  { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \
+	    if ($$2 == $$4) files[d] = files[d] " " $$1; \
+	    else { print "f", $$3 "/" $$4, $$1; } } \
+	  END { for (d in files) print "f", d, files[d] }' | \
+	while read type dir files; do \
+	    if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \
+	    test -z "$$files" || { \
+	    echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(ipsecdir)$$dir'"; \
+	    $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(ipsecdir)$$dir" || exit $$?; \
+	    } \
+	; done
+
+uninstall-ipsecPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
+	files=`for p in $$list; do echo "$$p"; done | \
+	  sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \
+	      -e 's/$$/$(EXEEXT)/' `; \
+	test -n "$$list" || exit 0; \
+	echo " ( cd '$(DESTDIR)$(ipsecdir)' && rm -f" $$files ")"; \
+	cd "$(DESTDIR)$(ipsecdir)" && rm -f $$files
+
+clean-ipsecPROGRAMS:
+	@list='$(ipsec_PROGRAMS)'; test -n "$$list" || exit 0; \
+	echo " rm -f" $$list; \
+	rm -f $$list || exit $$?; \
+	test -n "$(EXEEXT)" || exit 0; \
+	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
+	echo " rm -f" $$list; \
+	rm -f $$list
+pool$(EXEEXT): $(pool_OBJECTS) $(pool_DEPENDENCIES) 
+	@rm -f pool$(EXEEXT)
+	$(LINK) $(pool_OBJECTS) $(pool_LDADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/attr_sql_plugin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pool.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sql_attribute.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES) $(PROGRAMS)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)" "$(DESTDIR)$(ipsecdir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-ipsecPROGRAMS clean-libtool \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-ipsecPROGRAMS install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-ipsecPROGRAMS uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-ipsecPROGRAMS clean-libtool clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-ipsecPROGRAMS install-man install-pdf \
+	install-pdf-am install-pluginLTLIBRARIES install-ps \
+	install-ps-am install-strip installcheck installcheck-am \
+	installdirs maintainer-clean maintainer-clean-generic \
+	mostlyclean mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool pdf pdf-am ps ps-am tags uninstall \
+	uninstall-am uninstall-ipsecPROGRAMS \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libstrongswan/plugins/attr_sql/attr_sql_plugin.c b/src/libstrongswan/plugins/attr_sql/attr_sql_plugin.c
new file mode 100644
index 000000000..66b309c67
--- /dev/null
+++ b/src/libstrongswan/plugins/attr_sql/attr_sql_plugin.c
@@ -0,0 +1,88 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <library.h>
+#include <debug.h>
+
+#include "attr_sql_plugin.h"
+#include "sql_attribute.h"
+
+typedef struct private_attr_sql_plugin_t private_attr_sql_plugin_t;
+
+/**
+ * private data of attr_sql plugin
+ */
+struct private_attr_sql_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	attr_sql_plugin_t public;
+
+	/**
+	 * database connection instance
+	 */
+	database_t *db;
+
+	/**
+	 * configuration attributes
+	 */
+	sql_attribute_t *attribute;
+
+};
+
+/**
+ * Implementation of plugin_t.destroy
+ */
+static void destroy(private_attr_sql_plugin_t *this)
+{
+	lib->attributes->remove_provider(lib->attributes, &this->attribute->provider);
+	this->attribute->destroy(this->attribute);
+	this->db->destroy(this->db);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *plugin_create()
+{
+	char *uri;
+	private_attr_sql_plugin_t *this;
+
+	uri = lib->settings->get_str(lib->settings, "libstrongswan.plugins.attr-sql.database", NULL);
+	if (!uri)
+	{
+		DBG1("attr-sql plugin: database URI not set");
+		return NULL;
+	}
+
+	this = malloc_thing(private_attr_sql_plugin_t);
+
+	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+
+	this->db = lib->db->create(lib->db, uri);
+	if (!this->db)
+	{
+		DBG1("attr-sql plugin failed to connect to database");
+		free(this);
+		return NULL;
+	}
+	this->attribute = sql_attribute_create(this->db);
+	lib->attributes->add_provider(lib->attributes, &this->attribute->provider);
+
+	return &this->public.plugin;
+}
+
diff --git a/src/libstrongswan/plugins/attr_sql/attr_sql_plugin.h b/src/libstrongswan/plugins/attr_sql/attr_sql_plugin.h
new file mode 100644
index 000000000..3a60ea0d2
--- /dev/null
+++ b/src/libstrongswan/plugins/attr_sql/attr_sql_plugin.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup attr_sql attr_sql
+ * @ingroup plugins
+ *
+ * @defgroup sql_plugin sql_plugin
+ * @{ @ingroup attr_sql
+ */
+
+#ifndef ATTR_SQL_PLUGIN_H_
+#define ATTR_SQL_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct attr_sql_plugin_t attr_sql_plugin_t;
+
+/**
+ * SQL database attribute configuration plugin
+ */
+struct attr_sql_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+/**
+ * Create a sql_plugin instance.
+ */
+plugin_t *plugin_create();
+
+#endif /** ATTR_SQL_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/attr_sql/pool.c b/src/libstrongswan/plugins/attr_sql/pool.c
new file mode 100644
index 000000000..85b30a70f
--- /dev/null
+++ b/src/libstrongswan/plugins/attr_sql/pool.c
@@ -0,0 +1,1050 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#define _GNU_SOURCE
+#include <getopt.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <time.h>
+
+#include <debug.h>
+#include <library.h>
+#include <utils/host.h>
+#include <utils/identification.h>
+#include <attributes/attributes.h>
+
+/**
+ * global database handle
+ */
+database_t *db;
+
+/**
+ * --start/--end/--server addresses of various subcommands
+ */
+host_t *start = NULL, *end = NULL, *server = NULL;
+
+/**
+ * instead of a pool handle a DNS or NBNS attribute
+ */
+static bool is_attribute(char *name)
+{
+	return strcaseeq(name, "dns") || strcaseeq(name, "nbns") ||
+		   strcaseeq(name, "wins");
+}
+
+/**
+ * determine configuration attribute type
+ */
+static configuration_attribute_type_t get_attribute_type(char *name, host_t* addr)
+{
+	if (strcaseeq(name, "dns"))
+	{
+		return (addr->get_family(addr) == AF_INET) ? INTERNAL_IP4_DNS :
+													 INTERNAL_IP6_DNS;
+	}
+	else
+	{
+		return (addr->get_family(addr) == AF_INET) ? INTERNAL_IP4_NBNS :
+													 INTERNAL_IP6_NBNS;
+	}
+}
+
+/**
+ * calculate the size of a pool using start and end address chunk
+ */
+static u_int get_pool_size(chunk_t start, chunk_t end)
+{
+	u_int *start_ptr, *end_ptr;
+
+	if (start.len < sizeof(u_int) || end.len < sizeof(u_int))
+	{
+		return 0;
+	}
+	start_ptr = (u_int*)(start.ptr + start.len - sizeof(u_int));
+	end_ptr = (u_int*)(end.ptr + end.len - sizeof(u_int));
+	return ntohl(*end_ptr) -  ntohl(*start_ptr) + 1;
+}
+
+/**
+ * print usage info
+ */
+static void usage(void)
+{
+	printf("\
+Usage:\n\
+  ipsec pool --status|--add|--del|--resize|--purge [options]\n\
+  \n\
+  ipsec pool --status\n\
+    Show a list of installed pools with statistics.\n\
+  \n\
+  ipsec pool --add <name> --start <start> --end <end> [--timeout <timeout>]\n\
+    Add a new pool to the database.\n\
+      name:    Name of the pool, as used in ipsec.conf rightsourceip=%%name\n\
+      start:   Start address of the pool\n\
+      end:     End address of the pool\n\
+      timeout: Lease time in hours, 0 for static leases\n\
+  \n\
+  ipsec pool --add dns|nbns|wins --server <server>\n\
+    Add a new DNS or NBNS server to the database.\n\
+      server:  IP address of the name server\n\
+  \n\
+  ipsec pool --del <name>\n\
+    Delete a pool from the database.\n\
+      name:    Name of the pool to delete\n\
+  \n\
+  ipsec pool --del dns|nbns|wins [--server <server>]\n\
+    Delete a specific or all DNS or NBNS servers from the database.\n\
+      server:  IP address of the name server to delete\n\
+  \n\
+  ipsec pool --resize <name> --end <end>\n\
+    Grow or shrink an existing pool.\n\
+      name:    Name of the pool to resize\n\
+      end:     New end address for the pool\n\
+  \n\
+  ipsec pool --leases [--filter <filter>] [--utc]\n\
+    Show lease information using filters:\n\
+      filter:  Filter string containing comma separated key=value filters,\n\
+               e.g. id=alice@strongswan.org,addr=1.1.1.1\n\
+                  pool:   name of the pool\n\
+                  id:     assigned identity of the lease\n\
+                  addr:   lease IP address\n\
+                  tstamp: UNIX timestamp when lease was valid, as integer\n\
+                  status: status of the lease: online|valid|expired\n\
+      utc:    Show times in UTC instead of local time\n\
+  \n\
+  ipsec pool --purge <name>\n\
+    Delete lease history of a pool:\n\
+      name:    Name of the pool to purge\n\
+  \n");
+	exit(0);
+}
+
+/**
+ * ipsec pool --status - show pool overview
+ */
+static void status(void)
+{
+	enumerator_t *ns, *pool, *lease;
+	host_t *server;
+	chunk_t value;
+	bool found = FALSE;
+
+	/* enumerate IPv4 DNS servers */
+	ns = db->query(db, "SELECT value FROM attributes WHERE type = ?",
+				   DB_INT, INTERNAL_IP4_DNS, DB_BLOB);
+	if (ns)
+	{
+		while (ns->enumerate(ns, &value))
+		{
+			if (!found)
+			{
+				printf("dns servers:");
+				found = TRUE;
+			}
+			server = host_create_from_chunk(AF_INET, value, 0);
+			if (server)
+			{
+				printf(" %H", server);
+				server->destroy(server);
+			}
+		}
+		ns->destroy(ns);
+	}
+
+	/* enumerate IPv6 DNS servers */
+	ns = db->query(db, "SELECT value FROM attributes WHERE type = ?",
+				   DB_INT, INTERNAL_IP6_DNS, DB_BLOB);
+	if (ns)
+	{
+		while (ns->enumerate(ns, &value))
+		{
+			if (!found)
+			{
+				printf("dns servers:");
+				found = TRUE;
+			}
+			server = host_create_from_chunk(AF_INET6, value, 0);
+			if (server)
+			{
+				printf(" %H", server);
+				server->destroy(server);
+			}
+		}
+		ns->destroy(ns);
+	}
+	if (found)
+	{
+		printf("\n");
+	}
+	else
+	{
+		printf("no dns servers found.\n");
+	}
+	found = FALSE;
+
+	/* enumerate IPv4 NBNS servers */
+	ns = db->query(db, "SELECT value FROM attributes WHERE type = ?",
+				   DB_INT, INTERNAL_IP4_NBNS, DB_BLOB);
+	if (ns)
+	{
+		while (ns->enumerate(ns, &value))
+		{
+			if (!found)
+			{
+				printf("nbns servers:");
+				found = TRUE;
+			}
+			server = host_create_from_chunk(AF_INET, value, 0);
+			if (server)
+			{
+				printf(" %H", server);
+				server->destroy(server);
+			}
+		}
+		ns->destroy(ns);
+	}
+
+	/* enumerate IPv6 NBNS servers */
+	ns = db->query(db, "SELECT value FROM attributes WHERE type = ?",
+				   DB_INT, INTERNAL_IP6_NBNS, DB_BLOB);
+	if (ns)
+	{
+		while (ns->enumerate(ns, &value))
+		{
+			if (!found)
+			{
+				printf("nbns servers:");
+				found = TRUE;
+			}
+			server = host_create_from_chunk(AF_INET6, value, 0);
+			if (server)
+			{
+				printf(" %H", server);
+				server->destroy(server);
+			}
+		}
+		ns->destroy(ns);
+	}
+	if (found)
+	{
+		printf("\n");
+	}
+	else
+	{
+		printf("no nbns servers found.\n");
+	}
+	found = FALSE;
+
+	pool = db->query(db, "SELECT id, name, start, end, timeout FROM pools",
+					 DB_INT, DB_TEXT, DB_BLOB, DB_BLOB, DB_UINT);
+	if (pool)
+	{
+		char *name;
+		chunk_t start_chunk, end_chunk;
+		host_t *start, *end;
+		u_int id, timeout, online = 0, used = 0, size = 0;
+
+		while (pool->enumerate(pool, &id, &name,
+							   &start_chunk, &end_chunk, &timeout))
+		{
+			if (!found)
+			{
+				printf("%8s %15s %15s %8s %6s %11s %11s\n", "name", "start",
+					   "end", "timeout", "size", "online", "usage");
+				found = TRUE;
+			}
+
+			start = host_create_from_chunk(AF_UNSPEC, start_chunk, 0);
+			end = host_create_from_chunk(AF_UNSPEC, end_chunk, 0);
+			size = get_pool_size(start_chunk, end_chunk);
+			printf("%8s %15H %15H ", name, start, end);
+			if (timeout)
+			{
+				printf("%7dh ", timeout/3600);
+			}
+			else
+			{
+				printf("%8s ", "static");
+			}
+			printf("%6d ", size);
+			/* get number of online hosts */
+			lease = db->query(db, "SELECT COUNT(*) FROM addresses "
+							  "WHERE pool = ? AND released = 0",
+							  DB_UINT, id, DB_INT);
+			if (lease)
+			{
+				lease->enumerate(lease, &online);
+				lease->destroy(lease);
+			}
+			printf("%5d (%2d%%) ", online, online*100/size);
+			/* get number of online or valid lieases */
+			lease = db->query(db, "SELECT COUNT(*) FROM addresses "
+							  "WHERE addresses.pool = ? "
+							  "AND ((? AND acquired != 0) "
+							  "     OR released = 0 OR released > ?) ",
+							  DB_UINT, id, DB_UINT, !timeout,
+							  DB_UINT, time(NULL) - timeout, DB_UINT);
+			if (lease)
+			{
+				lease->enumerate(lease, &used);
+				lease->destroy(lease);
+			}
+			printf("%5d (%2d%%) ", used, used*100/size);
+
+			printf("\n");
+			DESTROY_IF(start);
+			DESTROY_IF(end);
+		}
+		pool->destroy(pool);
+	}
+	if (!found)
+	{
+		printf("no pools found.\n");
+	}
+	exit(0);
+}
+
+/**
+ * ipsec pool --add - add a new pool
+ */
+static void add(char *name, host_t *start, host_t *end, int timeout)
+{
+	chunk_t start_addr, end_addr, cur_addr;
+	u_int id, count;
+
+	start_addr = start->get_address(start);
+	end_addr = end->get_address(end);
+	cur_addr = chunk_clonea(start_addr);
+	count = get_pool_size(start_addr, end_addr);
+
+	if (start_addr.len != end_addr.len ||
+		memcmp(start_addr.ptr, end_addr.ptr, start_addr.len) > 0)
+	{
+		fprintf(stderr, "invalid start/end pair specified.\n");
+		exit(-1);
+	}
+	if (db->execute(db, &id,
+			"INSERT INTO pools (name, start, end, timeout) "
+			"VALUES (?, ?, ?, ?)",
+			DB_TEXT, name, DB_BLOB, start_addr,
+			DB_BLOB, end_addr, DB_INT, timeout*3600) != 1)
+	{
+		fprintf(stderr, "creating pool failed.\n");
+		exit(-1);
+	}
+	printf("allocating %d addresses... ", count);
+	fflush(stdout);
+	if (db->get_driver(db) == DB_SQLITE)
+	{	/* run population in a transaction for sqlite */
+		db->execute(db, NULL, "BEGIN TRANSACTION");
+	}
+	while (TRUE)
+	{
+		db->execute(db, NULL,
+			"INSERT INTO addresses (pool, address, identity, acquired, released) "
+			"VALUES (?, ?, ?, ?, ?)",
+			DB_UINT, id, DB_BLOB, cur_addr,	DB_UINT, 0, DB_UINT, 0, DB_UINT, 1);
+		if (chunk_equals(cur_addr, end_addr))
+		{
+			break;
+		}
+		chunk_increment(cur_addr);
+	}
+	if (db->get_driver(db) == DB_SQLITE)
+	{
+		db->execute(db, NULL, "END TRANSACTION");
+	}
+	printf("done.\n", count);
+
+	exit(0);
+}
+
+/**
+ * ipsec pool --add dns|nbns|wins - add a DNS or NBNS server entry
+ */
+static void add_attr(char *name, host_t *server)
+{
+	configuration_attribute_type_t type;
+	chunk_t value;
+
+	type = get_attribute_type(name, server);
+	value = server->get_address(server);
+	if (db->execute(db, NULL,
+			"INSERT INTO attributes (type, value) VALUES (?, ?)",
+			DB_INT, type, DB_BLOB, value) != 1)
+	{
+		fprintf(stderr, "adding %s server %H failed.\n", name, server);
+		exit(-1);
+	}
+	printf("added %s server %H\n", name, server);
+	exit(0);
+}
+
+/**
+ * ipsec pool --del - delete a pool
+ */
+static void del(char *name)
+{
+	enumerator_t *query;
+	u_int id;
+	bool found = FALSE;
+
+	query = db->query(db, "SELECT id FROM pools WHERE name = ?",
+					  DB_TEXT, name, DB_UINT);
+	if (!query)
+	{
+		fprintf(stderr, "deleting pool failed.\n");
+		exit(-1);
+	}
+	while (query->enumerate(query, &id))
+	{
+		found = TRUE;
+		if (db->execute(db, NULL,
+				"DELETE FROM leases WHERE address IN ("
+				" SELECT id FROM addresses WHERE pool = ?)", DB_UINT, id) < 0 ||
+			db->execute(db, NULL,
+				"DELETE FROM addresses WHERE pool = ?", DB_UINT, id) < 0 ||
+			db->execute(db, NULL,
+				"DELETE FROM pools WHERE id = ?", DB_UINT, id) < 0)
+		{
+			fprintf(stderr, "deleting pool failed.\n");
+			query->destroy(query);
+			exit(-1);
+		}
+	}
+	query->destroy(query);
+	if (!found)
+	{
+		fprintf(stderr, "pool '%s' not found.\n", name);
+		exit(-1);
+	}
+	exit(0);
+}
+
+/**
+ * ipsec pool --del dns|nbns|wins - delete a DNS or NBNS server entry
+ */
+static void del_attr(char *name, host_t *server)
+{
+	configuration_attribute_type_t type;
+	chunk_t value;
+	u_int id;
+	enumerator_t *query;
+	bool found = FALSE;
+
+	if (server)
+	{
+		type = get_attribute_type(name, server);
+		value = server->get_address(server);
+		query = db->query(db, 
+					"SELECT id, type, value FROM attributes "
+					"WHERE type = ? AND value = ?",
+					DB_INT, type, DB_BLOB, value,
+					DB_UINT, DB_INT, DB_BLOB);
+	}
+	else
+	{
+		configuration_attribute_type_t type_ip4, type_ip6;
+
+		if (strcaseeq(name, "dns"))
+		{
+			type_ip4 = INTERNAL_IP4_DNS;
+			type_ip6 = INTERNAL_IP6_DNS;
+		}
+		else
+		{
+			type_ip4 = INTERNAL_IP4_NBNS;
+			type_ip6 = INTERNAL_IP6_NBNS;
+		}
+			
+		query = db->query(db,
+					"SELECT id, type, value FROM attributes "
+					"WHERE type = ? OR type = ?",
+					DB_INT, type_ip4, DB_INT, type_ip6,
+					DB_UINT, DB_INT, DB_BLOB);
+	}	
+	if (!query)
+	{
+		fprintf(stderr, "deleting %s servers failed.\n", name);
+		exit(-1);
+	}
+
+	while (query->enumerate(query, &id, &type, &value))
+	{
+		int family;
+		host_t *host;
+
+		found = TRUE;
+		family = (type == INTERNAL_IP4_DNS || type == INTERNAL_IP4_NBNS) ?
+				  AF_INET : AF_INET6;
+		host = host_create_from_chunk(family, value, 0);
+		if (db->execute(db, NULL,
+					"DELETE FROM attributes WHERE id = ?",
+					 DB_UINT, id) != 1)
+		{
+			fprintf(stderr, "deleting %s server %H failed\n", name, host);
+			query->destroy(query);
+			DESTROY_IF(host);
+			exit(-1);
+		}
+		printf("deleted %s server %H\n", name, host);
+		DESTROY_IF(host);
+	}
+	query->destroy(query);
+
+	if (!found)
+	{
+		printf("no matching %s servers found\n", name);
+		exit(-1);		
+	}
+	exit(0);
+}
+
+/**
+ * ipsec pool --resize - resize a pool		if (db->execute(db, NULL,
+					"DELETE FROM attributes WHERE type = ? AND value = ?",
+					 DB_INT, type, DB_BLOB, value) != 1)
+		{
+			fprintf(stderr, "deleting %s server %H failed\n", name, server);
+			exit(-1);
+		}
+		printf("deleted %s server %H\n", name, server);
+		if (db->execute(db, NULL,
+					"DELETE FROM attributes WHERE type = ? AND value = ?",
+					 DB_INT, type, DB_BLOB, value) != 1)
+		{
+			fprintf(stderr, "deleting %s server %H failed\n", name, server);
+			exit(-1);
+		}
+		printf("deleted %s server %H\n", name, server);
+
+ */
+static void resize(char *name, host_t *end)
+{
+	enumerator_t *query;
+	chunk_t old_addr, new_addr, cur_addr;
+	u_int id, count;
+
+	new_addr = end->get_address(end);
+
+	query = db->query(db, "SELECT id, end FROM pools WHERE name = ?",
+					  DB_TEXT, name, DB_UINT, DB_BLOB);
+	if (!query || !query->enumerate(query, &id, &old_addr))
+	{
+		DESTROY_IF(query);
+		fprintf(stderr, "resizing pool failed.\n");
+		exit(-1);
+	}
+	if (old_addr.len != new_addr.len ||
+		memcmp(new_addr.ptr, old_addr.ptr, old_addr.len) < 0)
+	{
+		fprintf(stderr, "shrinking of pools not supported.\n");
+		query->destroy(query);
+		exit(-1);
+	}
+	cur_addr = chunk_clonea(old_addr);
+	count = get_pool_size(old_addr, new_addr) - 1;
+	query->destroy(query);
+
+	if (db->execute(db, NULL,
+			"UPDATE pools SET end = ? WHERE name = ?",
+			DB_BLOB, new_addr, DB_TEXT, name) <= 0)
+	{
+		fprintf(stderr, "pool '%s' not found.\n", name);
+		exit(-1);
+	}
+
+	printf("allocating %d new addresses... ", count);
+	fflush(stdout);
+	if (db->get_driver(db) == DB_SQLITE)
+	{	/* run population in a transaction for sqlite */
+		db->execute(db, NULL, "BEGIN TRANSACTION");
+	}
+	while (count-- > 0)
+	{
+		chunk_increment(cur_addr);
+		db->execute(db, NULL,
+			"INSERT INTO addresses (pool, address, identity, acquired, released) "
+			"VALUES (?, ?, ?, ?, ?)",
+			DB_UINT, id, DB_BLOB, cur_addr,	DB_UINT, 0, DB_UINT, 0, DB_UINT, 1);
+	}
+	if (db->get_driver(db) == DB_SQLITE)
+	{
+		db->execute(db, NULL, "END TRANSACTION");
+	}
+	printf("done.\n", count);
+
+	exit(0);
+}
+
+/**
+ * create the lease query using the filter string
+ */
+static enumerator_t *create_lease_query(char *filter)
+{
+	enumerator_t *query;
+	identification_t *id = NULL;
+	host_t *addr = NULL;
+	u_int tstamp = 0;
+	bool online = FALSE, valid = FALSE, expired = FALSE;
+	char *value, *pos, *pool = NULL;
+	enum {
+		FIL_POOL = 0,
+		FIL_ID,
+		FIL_ADDR,
+		FIL_TSTAMP,
+		FIL_STATE,
+	};
+	char *const token[] = {
+		[FIL_POOL] = "pool",
+		[FIL_ID] = "id",
+		[FIL_ADDR] = "addr",
+		[FIL_TSTAMP] = "tstamp",
+		[FIL_STATE] = "status",
+		NULL
+	};
+
+	/* if the filter string contains a distinguished name as a ID, we replace
+	 * ", " by "/ " in order to not confuse the getsubopt parser */
+	pos = filter;
+	while ((pos = strchr(pos, ',')))
+	{
+		if (pos[1] == ' ')
+		{
+			pos[0] = '/';
+		}
+		pos++;
+	}
+
+	while (filter && *filter != '\0')
+	{
+		switch (getsubopt(&filter, token, &value))
+		{
+			case FIL_POOL:
+				if (value)
+				{
+					pool = value;
+				}
+				break;
+			case FIL_ID:
+				if (value)
+				{
+					id = identification_create_from_string(value);
+				}
+				break;
+			case FIL_ADDR:
+				if (value)
+				{
+					addr = host_create_from_string(value, 0);
+				}
+				if (!addr)
+				{
+					fprintf(stderr, "invalid 'addr' in filter string.\n");
+					exit(-1);
+				}
+				break;
+			case FIL_TSTAMP:
+				if (value)
+				{
+					tstamp = atoi(value);
+				}
+				if (tstamp == 0)
+				{
+					online = TRUE;
+				}
+				break;
+			case FIL_STATE:
+				if (value)
+				{
+					if (streq(value, "online"))
+					{
+						online = TRUE;
+					}
+					else if (streq(value, "valid"))
+					{
+						valid = TRUE;
+					}
+					else if (streq(value, "expired"))
+					{
+						expired = TRUE;
+					}
+					else
+					{
+						fprintf(stderr, "invalid 'state' in filter string.\n");
+						exit(-1);
+					}
+				}
+				break;
+			default:
+				fprintf(stderr, "invalid filter string.\n");
+				exit(-1);
+				break;
+		}
+	}
+	query = db->query(db,
+				"SELECT name, addresses.address, identities.type, "
+				"identities.data, leases.acquired, leases.released, timeout "
+				"FROM leases JOIN addresses ON leases.address = addresses.id "
+				"JOIN pools ON addresses.pool = pools.id "
+				"JOIN identities ON leases.identity = identities.id "
+				"WHERE (? OR name = ?) "
+				"AND (? OR (identities.type = ? AND identities.data = ?)) "
+				"AND (? OR addresses.address = ?) "
+				"AND (? OR (? >= leases.acquired AND (? <= leases.released))) "
+				"AND (? OR leases.released > ? - timeout) "
+				"AND (? OR leases.released < ? - timeout) "
+				"AND ? "
+				"UNION "
+				"SELECT name, address, identities.type, identities.data, "
+				"acquired, released, timeout FROM addresses "
+				"JOIN pools ON addresses.pool = pools.id "
+				"JOIN identities ON addresses.identity = identities.id "
+				"WHERE ? AND released = 0 "
+				"AND (? OR name = ?) "
+				"AND (? OR (identities.type = ? AND identities.data = ?)) "
+				"AND (? OR address = ?)",
+				DB_INT, pool == NULL, DB_TEXT, pool,
+				DB_INT, id == NULL,
+					DB_INT, id ? id->get_type(id) : 0,
+					DB_BLOB, id ? id->get_encoding(id) : chunk_empty,
+				DB_INT, addr == NULL,
+					DB_BLOB, addr ? addr->get_address(addr) : chunk_empty,
+				DB_INT, tstamp == 0, DB_UINT, tstamp, DB_UINT, tstamp,
+				DB_INT, !valid, DB_INT, time(NULL),
+				DB_INT, !expired, DB_INT, time(NULL),
+				DB_INT, !online,
+				/* union */
+				DB_INT, !(valid || expired),
+				DB_INT, pool == NULL, DB_TEXT, pool,
+				DB_INT, id == NULL,
+					DB_INT, id ? id->get_type(id) : 0,
+					DB_BLOB, id ? id->get_encoding(id) : chunk_empty,
+				DB_INT, addr == NULL,
+					DB_BLOB, addr ? addr->get_address(addr) : chunk_empty,
+				/* res */
+				DB_TEXT, DB_BLOB, DB_INT, DB_BLOB, DB_UINT, DB_UINT, DB_UINT);
+	/* id and addr leak but we can't destroy them until query is destroyed. */
+	return query;
+}
+
+/**
+ * ipsec pool --leases - show lease information of a pool
+ */
+static void leases(char *filter, bool utc)
+{
+	enumerator_t *query;
+	chunk_t address_chunk, identity_chunk;
+	int identity_type;
+	char *name;
+	u_int acquired, released, timeout;
+	host_t *address;
+	identification_t *identity;
+	bool found = FALSE;
+
+	query = create_lease_query(filter);
+	if (!query)
+	{
+		fprintf(stderr, "querying leases failed.\n");
+		exit(-1);
+	}
+	while (query->enumerate(query, &name, &address_chunk, &identity_type,
+							&identity_chunk, &acquired, &released, &timeout))
+	{
+		if (!found)
+		{
+			int len = utc ? 25 : 21;
+
+			found = TRUE;
+			printf("%-8s %-15s %-7s  %-*s %-*s %s\n",
+				   "name", "address", "status", len, "start", len, "end", "identity");
+		}
+		address = host_create_from_chunk(AF_UNSPEC, address_chunk, 0);
+		identity = identification_create_from_encoding(identity_type, identity_chunk);
+
+		printf("%-8s %-15H ", name, address);
+		if (released == 0)
+		{
+			printf("%-7s ", "online");
+		}
+		else if (timeout == 0)
+		{
+			printf("%-7s ", "static");
+		}
+		else if (released >= time(NULL) - timeout)
+		{
+			printf("%-7s ", "valid");
+		}
+		else
+		{
+			printf("%-7s ", "expired");
+		}
+
+		printf(" %T  ", &acquired, utc);
+		if (released)
+		{
+			printf("%T  ", &released, utc);
+		}
+		else
+		{
+			printf("                      ");
+			if (utc)
+			{
+				printf("    ");
+			}
+		}
+		printf("%Y\n", identity);
+		DESTROY_IF(address);
+		identity->destroy(identity);
+	}
+	query->destroy(query);
+	if (!found)
+	{
+		fprintf(stderr, "no matching leases found.\n");
+		exit(-1);
+	}
+	exit(0);
+}
+
+/**
+ * ipsec pool --purge - delete expired leases
+ */
+static void purge(char *name)
+{
+	int purged = 0;
+
+	purged = db->execute(db, NULL,
+				"DELETE FROM leases WHERE address IN ("
+				" SELECT id FROM addresses WHERE pool IN ("
+				"  SELECT id FROM pools WHERE name = ?))",
+				DB_TEXT, name);
+	if (purged < 0)
+	{
+		fprintf(stderr, "purging pool '%s' failed.\n", name);
+		exit(-1);
+	}
+	fprintf(stderr, "purged %d leases in pool '%s'.\n", purged, name);
+	exit(0);
+}
+
+/**
+ * atexit handler to close db on shutdown
+ */
+static void cleanup(void)
+{
+	db->destroy(db);
+	DESTROY_IF(start);
+	DESTROY_IF(end);
+	DESTROY_IF(server);
+}
+
+int main(int argc, char *argv[])
+{
+	char *uri, *name = "", *filter = "";
+	int timeout = 0;
+	bool utc = FALSE;
+	enum {
+		OP_USAGE,
+		OP_STATUS,
+		OP_ADD,
+		OP_ADD_ATTR,
+		OP_DEL,
+		OP_DEL_ATTR,
+		OP_RESIZE,
+		OP_LEASES,
+		OP_PURGE
+	} operation = OP_USAGE;
+
+	atexit(library_deinit);
+
+	/* initialize library */
+	if (!library_init(NULL))
+	{
+		exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
+	}
+	if (lib->integrity &&
+		!lib->integrity->check_file(lib->integrity, "pool", argv[0]))
+	{
+		fprintf(stderr, "integrity check of pool failed\n");
+		exit(SS_RC_DAEMON_INTEGRITY);
+	}
+	if (!lib->plugins->load(lib->plugins, NULL,
+			lib->settings->get_str(lib->settings, "pool.load", PLUGINS)))
+	{
+		exit(SS_RC_INITIALIZATION_FAILED);
+	}
+
+	uri = lib->settings->get_str(lib->settings, "libstrongswan.plugins.attr-sql.database", NULL);
+	if (!uri)
+	{
+		fprintf(stderr, "database URI libstrongswan.plugins.attr-sql.database not set.\n");
+		exit(SS_RC_INITIALIZATION_FAILED);
+	}
+	db = lib->db->create(lib->db, uri);
+	if (!db)
+	{
+		fprintf(stderr, "opening database failed.\n");
+		exit(SS_RC_INITIALIZATION_FAILED);
+	}
+	atexit(cleanup);
+
+	while (TRUE)
+	{
+		int c;
+
+		struct option long_opts[] = {
+			{ "help", no_argument, NULL, 'h' },
+
+			{ "utc", no_argument, NULL, 'u' },
+			{ "status", no_argument, NULL, 'w' },
+			{ "add", required_argument, NULL, 'a' },
+			{ "del", required_argument, NULL, 'd' },
+			{ "resize", required_argument, NULL, 'r' },
+			{ "leases", no_argument, NULL, 'l' },
+			{ "purge", required_argument, NULL, 'p' },
+
+			{ "start", required_argument, NULL, 's' },
+			{ "end", required_argument, NULL, 'e' },
+			{ "timeout", required_argument, NULL, 't' },
+			{ "filter", required_argument, NULL, 'f' },
+			{ "server", required_argument, NULL, 'v' },
+			{ 0,0,0,0 }
+		};
+
+		c = getopt_long(argc, argv, "", long_opts, NULL);
+		switch (c)
+		{
+			case EOF:
+				break;
+			case 'h':
+				break;
+			case 'w':
+				operation = OP_STATUS;
+				break;
+			case 'u':
+				utc = TRUE;
+				continue;
+			case 'a':
+				name = optarg;
+				operation = is_attribute(name) ? OP_ADD_ATTR : OP_ADD;
+				continue;
+			case 'd':
+				name = optarg;
+				operation = is_attribute(name) ? OP_DEL_ATTR : OP_DEL;
+				continue;
+			case 'r':
+				name = optarg;
+				operation = OP_RESIZE;
+				continue;
+			case 'l':
+				operation = OP_LEASES;
+				continue;
+			case 'p':
+				name = optarg;
+				operation = OP_PURGE;
+				continue;
+			case 's':
+				start = host_create_from_string(optarg, 0);
+				if (start == NULL)
+				{
+					fprintf(stderr, "invalid start address: '%s'.\n", optarg);
+					operation = OP_USAGE;
+					break;
+				}
+				continue;
+			case 'e':
+				end = host_create_from_string(optarg, 0);
+				if (end == NULL)
+				{
+					fprintf(stderr, "invalid end address: '%s'.\n", optarg);
+					operation = OP_USAGE;
+					break;
+				}
+				continue;
+			case 't':
+				timeout = atoi(optarg);
+				if (timeout == 0 && strcmp(optarg, "0") != 0)
+				{
+					fprintf(stderr, "invalid timeout '%s'.\n", optarg);
+					operation = OP_USAGE;
+					break;
+				}
+				continue;
+			case 'f':
+				filter = optarg;
+				continue;
+			case 'v':
+				server = host_create_from_string(optarg, 0);
+				if (server == NULL)
+				{
+					fprintf(stderr, "invalid server address: '%s'.\n", optarg);
+					operation = OP_USAGE;
+					break;
+				}
+				continue;
+			default:
+				operation = OP_USAGE;
+				break;
+		}
+		break;
+	}
+
+	switch (operation)
+	{
+		case OP_USAGE:
+			usage();
+			break;
+		case OP_STATUS:
+			status();
+			break;
+		case OP_ADD:
+			if (start == NULL || end == NULL)
+			{
+				fprintf(stderr, "missing arguments.\n");
+				usage();
+			}
+			add(name, start, end, timeout);
+			break;
+		case OP_ADD_ATTR:
+			if (server == NULL)
+			{
+				fprintf(stderr, "missing arguments.\n");
+				usage();
+			}
+			add_attr(name, server);
+			break;
+		case OP_DEL:
+			del(name);
+			break;
+		case OP_DEL_ATTR:
+			del_attr(name, server);
+			break;
+		case OP_RESIZE:
+			if (end == NULL)
+			{
+				fprintf(stderr, "missing arguments.\n");
+				usage();
+			}
+			resize(name, end);
+			break;
+		case OP_LEASES:
+			leases(filter, utc);
+			break;
+		case OP_PURGE:
+			purge(name);
+			break;
+	}
+	exit(0);
+}
+
diff --git a/src/libstrongswan/plugins/attr_sql/sql_attribute.c b/src/libstrongswan/plugins/attr_sql/sql_attribute.c
new file mode 100644
index 000000000..a89195b6d
--- /dev/null
+++ b/src/libstrongswan/plugins/attr_sql/sql_attribute.c
@@ -0,0 +1,384 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <time.h>
+
+#include <debug.h>
+#include <library.h>
+
+#include "sql_attribute.h"
+
+typedef struct private_sql_attribute_t private_sql_attribute_t;
+
+/**
+ * private data of sql_attribute
+ */
+struct private_sql_attribute_t {
+
+	/**
+	 * public functions
+	 */
+	sql_attribute_t public;
+
+	/**
+	 * database connection
+	 */
+	database_t *db;
+
+	/**
+	 * wheter to record lease history in lease table
+	 */
+	bool history;
+};
+
+/**
+ * lookup/insert an identity
+ */
+static u_int get_identity(private_sql_attribute_t *this, identification_t *id)
+{
+	enumerator_t *e;
+	u_int row;
+
+	/* look for peer identity in the identities table */
+	e = this->db->query(this->db,
+						"SELECT id FROM identities WHERE type = ? AND data = ?",
+						DB_INT, id->get_type(id), DB_BLOB, id->get_encoding(id),
+						DB_UINT);
+
+	if (e && e->enumerate(e, &row))
+	{
+		e->destroy(e);
+		return row;
+	}
+	DESTROY_IF(e);
+	/* not found, insert new one */
+	if (this->db->execute(this->db, &row,
+				  "INSERT INTO identities (type, data) VALUES (?, ?)",
+				  DB_INT, id->get_type(id), DB_BLOB, id->get_encoding(id)) == 1)
+	{
+		return row;
+	}
+	return 0;
+}
+
+/**
+ * Lookup pool by name
+ */
+static u_int get_pool(private_sql_attribute_t *this, char *name, u_int *timeout)
+{
+	enumerator_t *e;
+	u_int pool;
+
+	e = this->db->query(this->db, "SELECT id, timeout FROM pools WHERE name = ?",
+						DB_TEXT, name, DB_UINT, DB_UINT);
+	if (e && e->enumerate(e, &pool, timeout))
+	{
+		e->destroy(e);
+		return pool;
+	}
+	DESTROY_IF(e);
+	return 0;
+}
+
+/**
+ * Look up an existing lease
+ */
+static host_t* check_lease(private_sql_attribute_t *this, char *name,
+						   u_int pool, u_int identity)
+{
+	while (TRUE)
+	{
+		u_int id;
+		chunk_t address;
+		enumerator_t *e;
+		time_t now = time(NULL);
+
+		e = this->db->query(this->db,
+				"SELECT id, address FROM addresses "
+				"WHERE pool = ? AND identity = ? AND released != 0 LIMIT 1",
+				DB_UINT, pool, DB_UINT, identity, DB_UINT, DB_BLOB);
+		if (!e || !e->enumerate(e, &id, &address))
+		{
+			DESTROY_IF(e);
+			break;
+		}
+		address = chunk_clonea(address);
+		e->destroy(e);
+
+		if (this->db->execute(this->db, NULL,
+				"UPDATE addresses SET acquired = ?, released = 0 "
+				"WHERE id = ? AND identity = ? AND released != 0",
+				DB_UINT, now, DB_UINT, id, DB_UINT, identity) > 0)
+		{
+			host_t *host;
+
+			host = host_create_from_chunk(AF_UNSPEC, address, 0);
+			if (host)
+			{
+				DBG1("acquired existing lease for address %H in pool '%s'",
+					 host, name);
+				return host;
+			}
+		}
+	}
+	return NULL;
+}
+
+/**
+ * We check for unallocated addresses or expired leases. First we select an
+ * address as a candidate, but double check later on if it is still available
+ * during the update operation. This allows us to work without locking.
+ */
+static host_t* get_lease(private_sql_attribute_t *this, char *name,
+						 u_int pool, u_int timeout, u_int identity)
+{
+	while (TRUE)
+	{
+		u_int id;
+		chunk_t address;
+		enumerator_t *e;
+		time_t now = time(NULL);
+		int hits;
+
+		if (timeout)
+		{
+			/* check for an expired lease */
+			e = this->db->query(this->db,
+				"SELECT id, address FROM addresses "
+				"WHERE pool = ? AND released != 0 AND released < ? LIMIT 1",
+				DB_UINT, pool, DB_UINT, now - timeout, DB_UINT, DB_BLOB);
+		}
+		else
+		{
+			/* with static leases, check for an unallocated address */
+			e = this->db->query(this->db,
+				"SELECT id, address FROM addresses "
+				"WHERE pool = ? AND identity = 0 LIMIT 1",
+				DB_UINT, pool, DB_UINT, DB_BLOB);
+
+		}
+
+		if (!e || !e->enumerate(e, &id, &address))
+		{
+			DESTROY_IF(e);
+			break;
+		}
+		address = chunk_clonea(address);
+		e->destroy(e);
+
+		if (timeout)
+		{
+			hits = this->db->execute(this->db, NULL,
+						"UPDATE addresses SET "
+						"acquired = ?, released = 0, identity = ? "
+						"WHERE id = ? AND released != 0 AND released < ?",
+						DB_UINT, now, DB_UINT, identity,
+						DB_UINT, id, DB_UINT, now - timeout);
+		}
+		else
+		{
+			hits = this->db->execute(this->db, NULL,
+						"UPDATE addresses SET "
+						"acquired = ?, released = 0, identity = ? "
+						"WHERE id = ? AND identity = 0",
+						DB_UINT, now, DB_UINT, identity, DB_UINT, id);
+		}
+		if (hits > 0)
+		{
+			host_t *host;
+
+			host = host_create_from_chunk(AF_UNSPEC, address, 0);
+			if (host)
+			{
+				DBG1("acquired new lease for address %H in pool '%s'",
+					 host, name);
+				return host;
+			}
+		}
+	}
+	DBG1("no available address found in pool '%s'", name);
+	return NULL;
+}
+
+/**
+ * Implementation of attribute_provider_t.acquire_address
+ */
+static host_t* acquire_address(private_sql_attribute_t *this,
+							   char *names, identification_t *id,
+							   host_t *requested)
+{
+	host_t *address = NULL;
+	u_int identity, pool, timeout;
+
+	identity = get_identity(this, id);
+	if (identity)
+	{
+		/* check for a single pool first (no concatenation and enumeration) */
+		if (strchr(names, ',') == NULL)
+		{
+			pool = get_pool(this, names, &timeout);
+			if (pool)
+			{
+				/* check for an existing lease */
+				address = check_lease(this, names, pool, identity);
+				if (address == NULL)
+				{
+					/* get an unallocated address or expired lease */
+					address = get_lease(this, names, pool, timeout, identity);
+				}
+			}
+		}
+		else
+		{
+			enumerator_t *enumerator;
+			char *name;
+
+			/* in a first step check for an existing lease over all pools */
+			enumerator = enumerator_create_token(names, ",", " ");
+			while (enumerator->enumerate(enumerator, &name))
+			{
+				pool = get_pool(this, name, &timeout);
+				if (pool)
+				{
+					address = check_lease(this, name, pool, identity);
+					if (address)
+					{
+						enumerator->destroy(enumerator);
+						return address;
+					}
+				}
+			}
+			enumerator->destroy(enumerator);
+
+			/* in a second step get an unallocated address or expired lease */
+			enumerator = enumerator_create_token(names, ",", " ");
+			while (enumerator->enumerate(enumerator, &name))
+			{
+				pool = get_pool(this, name, &timeout);
+				if (pool)
+				{
+					address = get_lease(this, name, pool, timeout, identity);
+					if (address)
+					{
+						break;
+					}
+				}
+			}
+			enumerator->destroy(enumerator);
+		}
+	}
+	return address;
+}
+
+/**
+ * Implementation of attribute_provider_t.release_address
+ */
+static bool release_address(private_sql_attribute_t *this,
+							char *name, host_t *address, identification_t *id)
+{
+	enumerator_t *enumerator;
+	bool found = FALSE;
+	time_t now = time(NULL);
+
+	enumerator = enumerator_create_token(name, ",", " ");
+	while (enumerator->enumerate(enumerator, &name))
+	{
+		u_int pool, timeout;
+
+		pool = get_pool(this, name, &timeout);
+		if (pool)
+		{
+			if (this->history)
+			{
+				this->db->execute(this->db, NULL,
+					"INSERT INTO leases (address, identity, acquired, released)"
+					" SELECT id, identity, acquired, ? FROM addresses "
+					" WHERE pool = ? AND address = ?",
+					DB_UINT, now, DB_UINT, pool,
+					DB_BLOB, address->get_address(address));
+			}
+			if (this->db->execute(this->db, NULL,
+					"UPDATE addresses SET released = ? WHERE "
+					"pool = ? AND address = ?", DB_UINT, time(NULL),
+					DB_UINT, pool, DB_BLOB, address->get_address(address)) > 0)
+			{
+				found = TRUE;
+				break;
+			}
+		}
+	}
+	enumerator->destroy(enumerator);
+	return found;
+}
+
+/**
+ * Implementation of sql_attribute_t.create_attribute_enumerator
+ */
+static enumerator_t* create_attribute_enumerator(private_sql_attribute_t *this,
+											identification_t *id, host_t *vip)
+{
+	if (vip)
+	{
+		enumerator_t *enumerator;
+
+		enumerator = this->db->query(this->db,
+						"SELECT type, value FROM attributes", DB_INT, DB_BLOB);
+		if (enumerator)
+		{
+			return enumerator;
+		}
+	}
+	return enumerator_create_empty();
+}
+
+/**
+ * Implementation of sql_attribute_t.destroy
+ */
+static void destroy(private_sql_attribute_t *this)
+{
+	free(this);
+}
+
+/*
+ * see header file
+ */
+sql_attribute_t *sql_attribute_create(database_t *db)
+{
+	private_sql_attribute_t *this = malloc_thing(private_sql_attribute_t);
+	time_t now = time(NULL);
+
+	this->public.provider.acquire_address = (host_t*(*)(attribute_provider_t *this, char*, identification_t *, host_t *))acquire_address;
+	this->public.provider.release_address = (bool(*)(attribute_provider_t *this, char*,host_t *, identification_t*))release_address;
+	this->public.provider.create_attribute_enumerator = (enumerator_t*(*)(attribute_provider_t*, identification_t *id, host_t *host))create_attribute_enumerator;
+	this->public.destroy = (void(*)(sql_attribute_t*))destroy;
+
+	this->db = db;
+	this->history = lib->settings->get_bool(lib->settings,
+						"libstrongswan.plugins.attr-sql.lease_history", TRUE);
+
+	/* close any "online" leases in the case we crashed */
+	if (this->history)
+	{
+		this->db->execute(this->db, NULL,
+					"INSERT INTO leases (address, identity, acquired, released)"
+					" SELECT id, identity, acquired, ? FROM addresses "
+					" WHERE released = 0", DB_UINT, now);
+	}
+	this->db->execute(this->db, NULL,
+					  "UPDATE addresses SET released = ? WHERE released = 0",
+					  DB_UINT, now);
+	return &this->public;
+}
+
diff --git a/src/libstrongswan/plugins/attr_sql/sql_attribute.h b/src/libstrongswan/plugins/attr_sql/sql_attribute.h
new file mode 100644
index 000000000..ca87eb27e
--- /dev/null
+++ b/src/libstrongswan/plugins/attr_sql/sql_attribute.h
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup sql_attribute sql_attribute
+ * @{ @ingroup attr_sql
+ */
+
+#ifndef SQL_ATTRIBUTE_H_
+#define SQL_ATTRIBUTE_H_
+
+#include <attributes/attribute_provider.h>
+#include <database/database.h>
+
+typedef struct sql_attribute_t sql_attribute_t;
+
+/**
+ * SQL database based IKEv2 cfg attribute provider.
+ */
+struct sql_attribute_t {
+
+	/**
+	 * Implements attribute provider interface
+	 */
+	attribute_provider_t provider;
+
+	/**
+	 * Destroy a sql_attribute instance.
+	 */
+	void (*destroy)(sql_attribute_t *this);
+};
+
+/**
+ * Create a sql_attribute instance.
+ */
+sql_attribute_t *sql_attribute_create(database_t *db);
+
+#endif /** SQL_ATTRIBUTE_H_ @}*/
diff --git a/src/libstrongswan/plugins/blowfish/Makefile.am b/src/libstrongswan/plugins/blowfish/Makefile.am
index 3fbc5893b..de8948445 100644
--- a/src/libstrongswan/plugins/blowfish/Makefile.am
+++ b/src/libstrongswan/plugins/blowfish/Makefile.am
@@ -7,6 +7,6 @@ plugin_LTLIBRARIES = libstrongswan-blowfish.la
 
 libstrongswan_blowfish_la_SOURCES = \
 blowfish_plugin.h blowfish_plugin.c blowfish_crypter.c blowfish_crypter.h \
-bf_skey.c blowfish.h bf_pi.h bf_locl.h bf_enc.c 
+bf_skey.c blowfish.h bf_pi.h bf_locl.h bf_enc.c
 libstrongswan_blowfish_la_LDFLAGS = -module -avoid-version
 
diff --git a/src/libstrongswan/plugins/blowfish/Makefile.in b/src/libstrongswan/plugins/blowfish/Makefile.in
index e536b5fc6..7b55d69c7 100644
--- a/src/libstrongswan/plugins/blowfish/Makefile.in
+++ b/src/libstrongswan/plugins/blowfish/Makefile.in
@@ -1,8 +1,9 @@
-# Makefile.in generated by automake 1.10.2 from Makefile.am.
+# Makefile.in generated by automake 1.11 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,8 +17,9 @@
 
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
@@ -35,19 +37,41 @@ host_triplet = @host@
 subdir = src/libstrongswan/plugins/blowfish
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
 CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
 am__vpath_adj = case $$p in \
     $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
     *) f=$$p;; \
   esac;
-am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__installdirs = "$(DESTDIR)$(plugindir)"
-pluginLTLIBRARIES_INSTALL = $(INSTALL)
 LTLIBRARIES = $(plugin_LTLIBRARIES)
 libstrongswan_blowfish_la_LIBADD =
 am_libstrongswan_blowfish_la_OBJECTS = blowfish_plugin.lo \
@@ -61,6 +85,7 @@ libstrongswan_blowfish_la_LINK = $(LIBTOOL) --tag=CC \
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
+am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
@@ -108,25 +133,22 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
-IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
-LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
-LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
-LINUX_HEADERS = @LINUX_HEADERS@
 LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
 NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
@@ -138,11 +160,14 @@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
 PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
+RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
@@ -171,9 +196,9 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
-confdir = @confdir@
 datadir = @datadir@
 datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
@@ -196,7 +221,7 @@ ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
 libstrongswan_plugins = @libstrongswan_plugins@
-linuxdir = @linuxdir@
+linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
@@ -204,6 +229,7 @@ mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
@@ -212,10 +238,12 @@ pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+random_device = @random_device@
 resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
-simreader = @simreader@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
@@ -223,6 +251,7 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
@@ -230,7 +259,7 @@ AM_CFLAGS = -rdynamic
 plugin_LTLIBRARIES = libstrongswan-blowfish.la
 libstrongswan_blowfish_la_SOURCES = \
 blowfish_plugin.h blowfish_plugin.c blowfish_crypter.c blowfish_crypter.h \
-bf_skey.c blowfish.h bf_pi.h bf_locl.h bf_enc.c 
+bf_skey.c blowfish.h bf_pi.h bf_locl.h bf_enc.c
 
 libstrongswan_blowfish_la_LDFLAGS = -module -avoid-version
 all: all-am
@@ -246,9 +275,9 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/libstrongswan/plugins/blowfish/Makefile'; \
-	cd $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu  src/libstrongswan/plugins/blowfish/Makefile
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/blowfish/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libstrongswan/plugins/blowfish/Makefile
 .PRECIOUS: Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
@@ -266,23 +295,28 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
 	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
 	  if test -f $$p; then \
-	    f=$(am__strip_dir) \
-	    echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(plugindir)/$$f'"; \
-	    $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(plugindir)/$$f"; \
+	    list2="$$list2 $$p"; \
 	  else :; fi; \
-	done
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
 
 uninstall-pluginLTLIBRARIES:
 	@$(NORMAL_UNINSTALL)
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
-	  p=$(am__strip_dir) \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$p'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$p"; \
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
 	done
 
 clean-pluginLTLIBRARIES:
@@ -309,21 +343,21 @@ distclean-compile:
 
 .c.o:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c $<
 
 .c.obj:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
 @am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
@@ -346,7 +380,7 @@ tags: TAGS
 
 TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
+	set x; \
 	here=`pwd`; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
@@ -354,29 +388,34 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
 	  test -n "$$unique" || unique=$$empty_fix; \
-	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	    $$tags $$unique; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
 	fi
 ctags: CTAGS
 CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	test -z "$(CTAGS_ARGS)$$unique" \
 	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$tags $$unique
+	     $$unique
 
 GTAGS:
 	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && cd $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) $$here
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
 
 distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
@@ -397,13 +436,17 @@ distdir: $(DISTFILES)
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
 	  if test -d $$d/$$file; then \
 	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
 	    fi; \
-	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
 	  else \
-	    test -f $(distdir)/$$file \
-	    || cp -p $$d/$$file $(distdir)/$$file \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
 	    || exit 1; \
 	  fi; \
 	done
@@ -434,6 +477,7 @@ clean-generic:
 
 distclean-generic:
 	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -455,6 +499,8 @@ dvi-am:
 
 html: html-am
 
+html-am:
+
 info: info-am
 
 info-am:
@@ -463,18 +509,28 @@ install-data-am: install-pluginLTLIBRARIES
 
 install-dvi: install-dvi-am
 
+install-dvi-am:
+
 install-exec-am:
 
 install-html: install-html-am
 
+install-html-am:
+
 install-info: install-info-am
 
+install-info-am:
+
 install-man:
 
 install-pdf: install-pdf-am
 
+install-pdf-am:
+
 install-ps: install-ps-am
 
+install-ps-am:
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -513,6 +569,7 @@ uninstall-am: uninstall-pluginLTLIBRARIES
 	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
 	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
 
+
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/src/libstrongswan/plugins/blowfish/bf_enc.c b/src/libstrongswan/plugins/blowfish/bf_enc.c
index c2f3ce2e8..ebcc5dbdf 100644
--- a/src/libstrongswan/plugins/blowfish/bf_enc.c
+++ b/src/libstrongswan/plugins/blowfish/bf_enc.c
@@ -5,21 +5,21 @@
  * This package is an SSL implementation written
  * by Eric Young (eay@cryptsoft.com).
  * The implementation was written so as to conform with Netscapes SSL.
- * 
+ *
  * This library is free for commercial and non-commercial use as long as
  * the following conditions are aheared to.  The following conditions
  * apply to all code found in this distribution, be it the RC4, RSA,
  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
  * included with this distribution is covered by the same copyright terms
  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
+ *
  * Copyright remains Eric Young's, and as such any Copyright notices in
  * the code are not to be removed.
  * If this package is used in a product, Eric Young should be given attribution
  * as the author of the parts of the library used.
  * This can be in the form of a textual message at program startup or
  * in documentation (online or textual) provided with the package.
- * 
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
@@ -34,10 +34,10 @@
  *     Eric Young (eay@cryptsoft.com)"
  *    The word 'cryptographic' can be left out if the rouines from the library
  *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
+ * 4. If you include any Windows specific code (or a derivative thereof) from
  *    the apps directory (application code) you must include an acknowledgement:
  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
+ *
  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -49,7 +49,7 @@
  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
- * 
+ *
  * The licence and distribution terms for any publically available version or
  * derivative of this code cannot be changed.  i.e. this code cannot simply be
  * copied and put under another distribution licence
diff --git a/src/libstrongswan/plugins/blowfish/bf_locl.h b/src/libstrongswan/plugins/blowfish/bf_locl.h
index 283bf4c43..1375a0aa9 100644
--- a/src/libstrongswan/plugins/blowfish/bf_locl.h
+++ b/src/libstrongswan/plugins/blowfish/bf_locl.h
@@ -5,21 +5,21 @@
  * This package is an SSL implementation written
  * by Eric Young (eay@cryptsoft.com).
  * The implementation was written so as to conform with Netscapes SSL.
- * 
+ *
  * This library is free for commercial and non-commercial use as long as
  * the following conditions are aheared to.  The following conditions
  * apply to all code found in this distribution, be it the RC4, RSA,
  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
  * included with this distribution is covered by the same copyright terms
  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
+ *
  * Copyright remains Eric Young's, and as such any Copyright notices in
  * the code are not to be removed.
  * If this package is used in a product, Eric Young should be given attribution
  * as the author of the parts of the library used.
  * This can be in the form of a textual message at program startup or
  * in documentation (online or textual) provided with the package.
- * 
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
@@ -34,10 +34,10 @@
  *     Eric Young (eay@cryptsoft.com)"
  *    The word 'cryptographic' can be left out if the rouines from the library
  *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
+ * 4. If you include any Windows specific code (or a derivative thereof) from
  *    the apps directory (application code) you must include an acknowledgement:
  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
+ *
  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -49,7 +49,7 @@
  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
- * 
+ *
  * The licence and distribution terms for any publically available version or
  * derivative of this code cannot be changed.  i.e. this code cannot simply be
  * copied and put under another distribution licence
diff --git a/src/libstrongswan/plugins/blowfish/bf_pi.h b/src/libstrongswan/plugins/blowfish/bf_pi.h
index 9949513c6..79d23db6c 100644
--- a/src/libstrongswan/plugins/blowfish/bf_pi.h
+++ b/src/libstrongswan/plugins/blowfish/bf_pi.h
@@ -5,21 +5,21 @@
  * This package is an SSL implementation written
  * by Eric Young (eay@cryptsoft.com).
  * The implementation was written so as to conform with Netscapes SSL.
- * 
+ *
  * This library is free for commercial and non-commercial use as long as
  * the following conditions are aheared to.  The following conditions
  * apply to all code found in this distribution, be it the RC4, RSA,
  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
  * included with this distribution is covered by the same copyright terms
  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
+ *
  * Copyright remains Eric Young's, and as such any Copyright notices in
  * the code are not to be removed.
  * If this package is used in a product, Eric Young should be given attribution
  * as the author of the parts of the library used.
  * This can be in the form of a textual message at program startup or
  * in documentation (online or textual) provided with the package.
- * 
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
@@ -34,10 +34,10 @@
  *     Eric Young (eay@cryptsoft.com)"
  *    The word 'cryptographic' can be left out if the rouines from the library
  *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
+ * 4. If you include any Windows specific code (or a derivative thereof) from
  *    the apps directory (application code) you must include an acknowledgement:
  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
+ *
  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -49,7 +49,7 @@
  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
- * 
+ *
  * The licence and distribution terms for any publically available version or
  * derivative of this code cannot be changed.  i.e. this code cannot simply be
  * copied and put under another distribution licence
@@ -64,262 +64,262 @@ static const BF_KEY bf_init= {
 	0xc0ac29b7L, 0xc97c50ddL, 0x3f84d5b5L, 0xb5470917L,
 	0x9216d5d9L, 0x8979fb1b
 	},{
-	0xd1310ba6L, 0x98dfb5acL, 0x2ffd72dbL, 0xd01adfb7L, 
-	0xb8e1afedL, 0x6a267e96L, 0xba7c9045L, 0xf12c7f99L, 
-	0x24a19947L, 0xb3916cf7L, 0x0801f2e2L, 0x858efc16L, 
-	0x636920d8L, 0x71574e69L, 0xa458fea3L, 0xf4933d7eL, 
-	0x0d95748fL, 0x728eb658L, 0x718bcd58L, 0x82154aeeL, 
-	0x7b54a41dL, 0xc25a59b5L, 0x9c30d539L, 0x2af26013L, 
-	0xc5d1b023L, 0x286085f0L, 0xca417918L, 0xb8db38efL, 
-	0x8e79dcb0L, 0x603a180eL, 0x6c9e0e8bL, 0xb01e8a3eL, 
-	0xd71577c1L, 0xbd314b27L, 0x78af2fdaL, 0x55605c60L, 
-	0xe65525f3L, 0xaa55ab94L, 0x57489862L, 0x63e81440L, 
-	0x55ca396aL, 0x2aab10b6L, 0xb4cc5c34L, 0x1141e8ceL, 
-	0xa15486afL, 0x7c72e993L, 0xb3ee1411L, 0x636fbc2aL, 
-	0x2ba9c55dL, 0x741831f6L, 0xce5c3e16L, 0x9b87931eL, 
-	0xafd6ba33L, 0x6c24cf5cL, 0x7a325381L, 0x28958677L, 
-	0x3b8f4898L, 0x6b4bb9afL, 0xc4bfe81bL, 0x66282193L, 
-	0x61d809ccL, 0xfb21a991L, 0x487cac60L, 0x5dec8032L, 
-	0xef845d5dL, 0xe98575b1L, 0xdc262302L, 0xeb651b88L, 
-	0x23893e81L, 0xd396acc5L, 0x0f6d6ff3L, 0x83f44239L, 
-	0x2e0b4482L, 0xa4842004L, 0x69c8f04aL, 0x9e1f9b5eL, 
-	0x21c66842L, 0xf6e96c9aL, 0x670c9c61L, 0xabd388f0L, 
-	0x6a51a0d2L, 0xd8542f68L, 0x960fa728L, 0xab5133a3L, 
-	0x6eef0b6cL, 0x137a3be4L, 0xba3bf050L, 0x7efb2a98L, 
-	0xa1f1651dL, 0x39af0176L, 0x66ca593eL, 0x82430e88L, 
-	0x8cee8619L, 0x456f9fb4L, 0x7d84a5c3L, 0x3b8b5ebeL, 
-	0xe06f75d8L, 0x85c12073L, 0x401a449fL, 0x56c16aa6L, 
-	0x4ed3aa62L, 0x363f7706L, 0x1bfedf72L, 0x429b023dL, 
-	0x37d0d724L, 0xd00a1248L, 0xdb0fead3L, 0x49f1c09bL, 
-	0x075372c9L, 0x80991b7bL, 0x25d479d8L, 0xf6e8def7L, 
-	0xe3fe501aL, 0xb6794c3bL, 0x976ce0bdL, 0x04c006baL, 
-	0xc1a94fb6L, 0x409f60c4L, 0x5e5c9ec2L, 0x196a2463L, 
-	0x68fb6fafL, 0x3e6c53b5L, 0x1339b2ebL, 0x3b52ec6fL, 
-	0x6dfc511fL, 0x9b30952cL, 0xcc814544L, 0xaf5ebd09L, 
-	0xbee3d004L, 0xde334afdL, 0x660f2807L, 0x192e4bb3L, 
-	0xc0cba857L, 0x45c8740fL, 0xd20b5f39L, 0xb9d3fbdbL, 
-	0x5579c0bdL, 0x1a60320aL, 0xd6a100c6L, 0x402c7279L, 
-	0x679f25feL, 0xfb1fa3ccL, 0x8ea5e9f8L, 0xdb3222f8L, 
-	0x3c7516dfL, 0xfd616b15L, 0x2f501ec8L, 0xad0552abL, 
-	0x323db5faL, 0xfd238760L, 0x53317b48L, 0x3e00df82L, 
-	0x9e5c57bbL, 0xca6f8ca0L, 0x1a87562eL, 0xdf1769dbL, 
-	0xd542a8f6L, 0x287effc3L, 0xac6732c6L, 0x8c4f5573L, 
-	0x695b27b0L, 0xbbca58c8L, 0xe1ffa35dL, 0xb8f011a0L, 
-	0x10fa3d98L, 0xfd2183b8L, 0x4afcb56cL, 0x2dd1d35bL, 
-	0x9a53e479L, 0xb6f84565L, 0xd28e49bcL, 0x4bfb9790L, 
-	0xe1ddf2daL, 0xa4cb7e33L, 0x62fb1341L, 0xcee4c6e8L, 
-	0xef20cadaL, 0x36774c01L, 0xd07e9efeL, 0x2bf11fb4L, 
-	0x95dbda4dL, 0xae909198L, 0xeaad8e71L, 0x6b93d5a0L, 
-	0xd08ed1d0L, 0xafc725e0L, 0x8e3c5b2fL, 0x8e7594b7L, 
-	0x8ff6e2fbL, 0xf2122b64L, 0x8888b812L, 0x900df01cL, 
-	0x4fad5ea0L, 0x688fc31cL, 0xd1cff191L, 0xb3a8c1adL, 
-	0x2f2f2218L, 0xbe0e1777L, 0xea752dfeL, 0x8b021fa1L, 
-	0xe5a0cc0fL, 0xb56f74e8L, 0x18acf3d6L, 0xce89e299L, 
-	0xb4a84fe0L, 0xfd13e0b7L, 0x7cc43b81L, 0xd2ada8d9L, 
-	0x165fa266L, 0x80957705L, 0x93cc7314L, 0x211a1477L, 
-	0xe6ad2065L, 0x77b5fa86L, 0xc75442f5L, 0xfb9d35cfL, 
-	0xebcdaf0cL, 0x7b3e89a0L, 0xd6411bd3L, 0xae1e7e49L, 
-	0x00250e2dL, 0x2071b35eL, 0x226800bbL, 0x57b8e0afL, 
-	0x2464369bL, 0xf009b91eL, 0x5563911dL, 0x59dfa6aaL, 
-	0x78c14389L, 0xd95a537fL, 0x207d5ba2L, 0x02e5b9c5L, 
-	0x83260376L, 0x6295cfa9L, 0x11c81968L, 0x4e734a41L, 
-	0xb3472dcaL, 0x7b14a94aL, 0x1b510052L, 0x9a532915L, 
-	0xd60f573fL, 0xbc9bc6e4L, 0x2b60a476L, 0x81e67400L, 
-	0x08ba6fb5L, 0x571be91fL, 0xf296ec6bL, 0x2a0dd915L, 
-	0xb6636521L, 0xe7b9f9b6L, 0xff34052eL, 0xc5855664L, 
-	0x53b02d5dL, 0xa99f8fa1L, 0x08ba4799L, 0x6e85076aL, 
-	0x4b7a70e9L, 0xb5b32944L, 0xdb75092eL, 0xc4192623L, 
-	0xad6ea6b0L, 0x49a7df7dL, 0x9cee60b8L, 0x8fedb266L, 
-	0xecaa8c71L, 0x699a17ffL, 0x5664526cL, 0xc2b19ee1L, 
-	0x193602a5L, 0x75094c29L, 0xa0591340L, 0xe4183a3eL, 
-	0x3f54989aL, 0x5b429d65L, 0x6b8fe4d6L, 0x99f73fd6L, 
-	0xa1d29c07L, 0xefe830f5L, 0x4d2d38e6L, 0xf0255dc1L, 
-	0x4cdd2086L, 0x8470eb26L, 0x6382e9c6L, 0x021ecc5eL, 
-	0x09686b3fL, 0x3ebaefc9L, 0x3c971814L, 0x6b6a70a1L, 
-	0x687f3584L, 0x52a0e286L, 0xb79c5305L, 0xaa500737L, 
-	0x3e07841cL, 0x7fdeae5cL, 0x8e7d44ecL, 0x5716f2b8L, 
-	0xb03ada37L, 0xf0500c0dL, 0xf01c1f04L, 0x0200b3ffL, 
-	0xae0cf51aL, 0x3cb574b2L, 0x25837a58L, 0xdc0921bdL, 
-	0xd19113f9L, 0x7ca92ff6L, 0x94324773L, 0x22f54701L, 
-	0x3ae5e581L, 0x37c2dadcL, 0xc8b57634L, 0x9af3dda7L, 
-	0xa9446146L, 0x0fd0030eL, 0xecc8c73eL, 0xa4751e41L, 
-	0xe238cd99L, 0x3bea0e2fL, 0x3280bba1L, 0x183eb331L, 
-	0x4e548b38L, 0x4f6db908L, 0x6f420d03L, 0xf60a04bfL, 
-	0x2cb81290L, 0x24977c79L, 0x5679b072L, 0xbcaf89afL, 
-	0xde9a771fL, 0xd9930810L, 0xb38bae12L, 0xdccf3f2eL, 
-	0x5512721fL, 0x2e6b7124L, 0x501adde6L, 0x9f84cd87L, 
-	0x7a584718L, 0x7408da17L, 0xbc9f9abcL, 0xe94b7d8cL, 
-	0xec7aec3aL, 0xdb851dfaL, 0x63094366L, 0xc464c3d2L, 
-	0xef1c1847L, 0x3215d908L, 0xdd433b37L, 0x24c2ba16L, 
-	0x12a14d43L, 0x2a65c451L, 0x50940002L, 0x133ae4ddL, 
-	0x71dff89eL, 0x10314e55L, 0x81ac77d6L, 0x5f11199bL, 
-	0x043556f1L, 0xd7a3c76bL, 0x3c11183bL, 0x5924a509L, 
-	0xf28fe6edL, 0x97f1fbfaL, 0x9ebabf2cL, 0x1e153c6eL, 
-	0x86e34570L, 0xeae96fb1L, 0x860e5e0aL, 0x5a3e2ab3L, 
-	0x771fe71cL, 0x4e3d06faL, 0x2965dcb9L, 0x99e71d0fL, 
-	0x803e89d6L, 0x5266c825L, 0x2e4cc978L, 0x9c10b36aL, 
-	0xc6150ebaL, 0x94e2ea78L, 0xa5fc3c53L, 0x1e0a2df4L, 
-	0xf2f74ea7L, 0x361d2b3dL, 0x1939260fL, 0x19c27960L, 
-	0x5223a708L, 0xf71312b6L, 0xebadfe6eL, 0xeac31f66L, 
-	0xe3bc4595L, 0xa67bc883L, 0xb17f37d1L, 0x018cff28L, 
-	0xc332ddefL, 0xbe6c5aa5L, 0x65582185L, 0x68ab9802L, 
-	0xeecea50fL, 0xdb2f953bL, 0x2aef7dadL, 0x5b6e2f84L, 
-	0x1521b628L, 0x29076170L, 0xecdd4775L, 0x619f1510L, 
-	0x13cca830L, 0xeb61bd96L, 0x0334fe1eL, 0xaa0363cfL, 
-	0xb5735c90L, 0x4c70a239L, 0xd59e9e0bL, 0xcbaade14L, 
-	0xeecc86bcL, 0x60622ca7L, 0x9cab5cabL, 0xb2f3846eL, 
-	0x648b1eafL, 0x19bdf0caL, 0xa02369b9L, 0x655abb50L, 
-	0x40685a32L, 0x3c2ab4b3L, 0x319ee9d5L, 0xc021b8f7L, 
-	0x9b540b19L, 0x875fa099L, 0x95f7997eL, 0x623d7da8L, 
-	0xf837889aL, 0x97e32d77L, 0x11ed935fL, 0x16681281L, 
-	0x0e358829L, 0xc7e61fd6L, 0x96dedfa1L, 0x7858ba99L, 
-	0x57f584a5L, 0x1b227263L, 0x9b83c3ffL, 0x1ac24696L, 
-	0xcdb30aebL, 0x532e3054L, 0x8fd948e4L, 0x6dbc3128L, 
-	0x58ebf2efL, 0x34c6ffeaL, 0xfe28ed61L, 0xee7c3c73L, 
-	0x5d4a14d9L, 0xe864b7e3L, 0x42105d14L, 0x203e13e0L, 
-	0x45eee2b6L, 0xa3aaabeaL, 0xdb6c4f15L, 0xfacb4fd0L, 
-	0xc742f442L, 0xef6abbb5L, 0x654f3b1dL, 0x41cd2105L, 
-	0xd81e799eL, 0x86854dc7L, 0xe44b476aL, 0x3d816250L, 
-	0xcf62a1f2L, 0x5b8d2646L, 0xfc8883a0L, 0xc1c7b6a3L, 
-	0x7f1524c3L, 0x69cb7492L, 0x47848a0bL, 0x5692b285L, 
-	0x095bbf00L, 0xad19489dL, 0x1462b174L, 0x23820e00L, 
-	0x58428d2aL, 0x0c55f5eaL, 0x1dadf43eL, 0x233f7061L, 
-	0x3372f092L, 0x8d937e41L, 0xd65fecf1L, 0x6c223bdbL, 
-	0x7cde3759L, 0xcbee7460L, 0x4085f2a7L, 0xce77326eL, 
-	0xa6078084L, 0x19f8509eL, 0xe8efd855L, 0x61d99735L, 
-	0xa969a7aaL, 0xc50c06c2L, 0x5a04abfcL, 0x800bcadcL, 
-	0x9e447a2eL, 0xc3453484L, 0xfdd56705L, 0x0e1e9ec9L, 
-	0xdb73dbd3L, 0x105588cdL, 0x675fda79L, 0xe3674340L, 
-	0xc5c43465L, 0x713e38d8L, 0x3d28f89eL, 0xf16dff20L, 
-	0x153e21e7L, 0x8fb03d4aL, 0xe6e39f2bL, 0xdb83adf7L, 
-	0xe93d5a68L, 0x948140f7L, 0xf64c261cL, 0x94692934L, 
-	0x411520f7L, 0x7602d4f7L, 0xbcf46b2eL, 0xd4a20068L, 
-	0xd4082471L, 0x3320f46aL, 0x43b7d4b7L, 0x500061afL, 
-	0x1e39f62eL, 0x97244546L, 0x14214f74L, 0xbf8b8840L, 
-	0x4d95fc1dL, 0x96b591afL, 0x70f4ddd3L, 0x66a02f45L, 
-	0xbfbc09ecL, 0x03bd9785L, 0x7fac6dd0L, 0x31cb8504L, 
-	0x96eb27b3L, 0x55fd3941L, 0xda2547e6L, 0xabca0a9aL, 
-	0x28507825L, 0x530429f4L, 0x0a2c86daL, 0xe9b66dfbL, 
-	0x68dc1462L, 0xd7486900L, 0x680ec0a4L, 0x27a18deeL, 
-	0x4f3ffea2L, 0xe887ad8cL, 0xb58ce006L, 0x7af4d6b6L, 
-	0xaace1e7cL, 0xd3375fecL, 0xce78a399L, 0x406b2a42L, 
-	0x20fe9e35L, 0xd9f385b9L, 0xee39d7abL, 0x3b124e8bL, 
-	0x1dc9faf7L, 0x4b6d1856L, 0x26a36631L, 0xeae397b2L, 
-	0x3a6efa74L, 0xdd5b4332L, 0x6841e7f7L, 0xca7820fbL, 
-	0xfb0af54eL, 0xd8feb397L, 0x454056acL, 0xba489527L, 
-	0x55533a3aL, 0x20838d87L, 0xfe6ba9b7L, 0xd096954bL, 
-	0x55a867bcL, 0xa1159a58L, 0xcca92963L, 0x99e1db33L, 
-	0xa62a4a56L, 0x3f3125f9L, 0x5ef47e1cL, 0x9029317cL, 
-	0xfdf8e802L, 0x04272f70L, 0x80bb155cL, 0x05282ce3L, 
-	0x95c11548L, 0xe4c66d22L, 0x48c1133fL, 0xc70f86dcL, 
-	0x07f9c9eeL, 0x41041f0fL, 0x404779a4L, 0x5d886e17L, 
-	0x325f51ebL, 0xd59bc0d1L, 0xf2bcc18fL, 0x41113564L, 
-	0x257b7834L, 0x602a9c60L, 0xdff8e8a3L, 0x1f636c1bL, 
-	0x0e12b4c2L, 0x02e1329eL, 0xaf664fd1L, 0xcad18115L, 
-	0x6b2395e0L, 0x333e92e1L, 0x3b240b62L, 0xeebeb922L, 
-	0x85b2a20eL, 0xe6ba0d99L, 0xde720c8cL, 0x2da2f728L, 
-	0xd0127845L, 0x95b794fdL, 0x647d0862L, 0xe7ccf5f0L, 
-	0x5449a36fL, 0x877d48faL, 0xc39dfd27L, 0xf33e8d1eL, 
-	0x0a476341L, 0x992eff74L, 0x3a6f6eabL, 0xf4f8fd37L, 
-	0xa812dc60L, 0xa1ebddf8L, 0x991be14cL, 0xdb6e6b0dL, 
-	0xc67b5510L, 0x6d672c37L, 0x2765d43bL, 0xdcd0e804L, 
-	0xf1290dc7L, 0xcc00ffa3L, 0xb5390f92L, 0x690fed0bL, 
-	0x667b9ffbL, 0xcedb7d9cL, 0xa091cf0bL, 0xd9155ea3L, 
-	0xbb132f88L, 0x515bad24L, 0x7b9479bfL, 0x763bd6ebL, 
-	0x37392eb3L, 0xcc115979L, 0x8026e297L, 0xf42e312dL, 
-	0x6842ada7L, 0xc66a2b3bL, 0x12754cccL, 0x782ef11cL, 
-	0x6a124237L, 0xb79251e7L, 0x06a1bbe6L, 0x4bfb6350L, 
-	0x1a6b1018L, 0x11caedfaL, 0x3d25bdd8L, 0xe2e1c3c9L, 
-	0x44421659L, 0x0a121386L, 0xd90cec6eL, 0xd5abea2aL, 
-	0x64af674eL, 0xda86a85fL, 0xbebfe988L, 0x64e4c3feL, 
-	0x9dbc8057L, 0xf0f7c086L, 0x60787bf8L, 0x6003604dL, 
-	0xd1fd8346L, 0xf6381fb0L, 0x7745ae04L, 0xd736fcccL, 
-	0x83426b33L, 0xf01eab71L, 0xb0804187L, 0x3c005e5fL, 
-	0x77a057beL, 0xbde8ae24L, 0x55464299L, 0xbf582e61L, 
-	0x4e58f48fL, 0xf2ddfda2L, 0xf474ef38L, 0x8789bdc2L, 
-	0x5366f9c3L, 0xc8b38e74L, 0xb475f255L, 0x46fcd9b9L, 
-	0x7aeb2661L, 0x8b1ddf84L, 0x846a0e79L, 0x915f95e2L, 
-	0x466e598eL, 0x20b45770L, 0x8cd55591L, 0xc902de4cL, 
-	0xb90bace1L, 0xbb8205d0L, 0x11a86248L, 0x7574a99eL, 
-	0xb77f19b6L, 0xe0a9dc09L, 0x662d09a1L, 0xc4324633L, 
-	0xe85a1f02L, 0x09f0be8cL, 0x4a99a025L, 0x1d6efe10L, 
-	0x1ab93d1dL, 0x0ba5a4dfL, 0xa186f20fL, 0x2868f169L, 
-	0xdcb7da83L, 0x573906feL, 0xa1e2ce9bL, 0x4fcd7f52L, 
-	0x50115e01L, 0xa70683faL, 0xa002b5c4L, 0x0de6d027L, 
-	0x9af88c27L, 0x773f8641L, 0xc3604c06L, 0x61a806b5L, 
-	0xf0177a28L, 0xc0f586e0L, 0x006058aaL, 0x30dc7d62L, 
-	0x11e69ed7L, 0x2338ea63L, 0x53c2dd94L, 0xc2c21634L, 
-	0xbbcbee56L, 0x90bcb6deL, 0xebfc7da1L, 0xce591d76L, 
-	0x6f05e409L, 0x4b7c0188L, 0x39720a3dL, 0x7c927c24L, 
-	0x86e3725fL, 0x724d9db9L, 0x1ac15bb4L, 0xd39eb8fcL, 
-	0xed545578L, 0x08fca5b5L, 0xd83d7cd3L, 0x4dad0fc4L, 
-	0x1e50ef5eL, 0xb161e6f8L, 0xa28514d9L, 0x6c51133cL, 
-	0x6fd5c7e7L, 0x56e14ec4L, 0x362abfceL, 0xddc6c837L, 
-	0xd79a3234L, 0x92638212L, 0x670efa8eL, 0x406000e0L, 
-	0x3a39ce37L, 0xd3faf5cfL, 0xabc27737L, 0x5ac52d1bL, 
-	0x5cb0679eL, 0x4fa33742L, 0xd3822740L, 0x99bc9bbeL, 
-	0xd5118e9dL, 0xbf0f7315L, 0xd62d1c7eL, 0xc700c47bL, 
-	0xb78c1b6bL, 0x21a19045L, 0xb26eb1beL, 0x6a366eb4L, 
-	0x5748ab2fL, 0xbc946e79L, 0xc6a376d2L, 0x6549c2c8L, 
-	0x530ff8eeL, 0x468dde7dL, 0xd5730a1dL, 0x4cd04dc6L, 
-	0x2939bbdbL, 0xa9ba4650L, 0xac9526e8L, 0xbe5ee304L, 
-	0xa1fad5f0L, 0x6a2d519aL, 0x63ef8ce2L, 0x9a86ee22L, 
-	0xc089c2b8L, 0x43242ef6L, 0xa51e03aaL, 0x9cf2d0a4L, 
-	0x83c061baL, 0x9be96a4dL, 0x8fe51550L, 0xba645bd6L, 
-	0x2826a2f9L, 0xa73a3ae1L, 0x4ba99586L, 0xef5562e9L, 
-	0xc72fefd3L, 0xf752f7daL, 0x3f046f69L, 0x77fa0a59L, 
-	0x80e4a915L, 0x87b08601L, 0x9b09e6adL, 0x3b3ee593L, 
-	0xe990fd5aL, 0x9e34d797L, 0x2cf0b7d9L, 0x022b8b51L, 
-	0x96d5ac3aL, 0x017da67dL, 0xd1cf3ed6L, 0x7c7d2d28L, 
-	0x1f9f25cfL, 0xadf2b89bL, 0x5ad6b472L, 0x5a88f54cL, 
-	0xe029ac71L, 0xe019a5e6L, 0x47b0acfdL, 0xed93fa9bL, 
-	0xe8d3c48dL, 0x283b57ccL, 0xf8d56629L, 0x79132e28L, 
-	0x785f0191L, 0xed756055L, 0xf7960e44L, 0xe3d35e8cL, 
-	0x15056dd4L, 0x88f46dbaL, 0x03a16125L, 0x0564f0bdL, 
-	0xc3eb9e15L, 0x3c9057a2L, 0x97271aecL, 0xa93a072aL, 
-	0x1b3f6d9bL, 0x1e6321f5L, 0xf59c66fbL, 0x26dcf319L, 
-	0x7533d928L, 0xb155fdf5L, 0x03563482L, 0x8aba3cbbL, 
-	0x28517711L, 0xc20ad9f8L, 0xabcc5167L, 0xccad925fL, 
-	0x4de81751L, 0x3830dc8eL, 0x379d5862L, 0x9320f991L, 
-	0xea7a90c2L, 0xfb3e7bceL, 0x5121ce64L, 0x774fbe32L, 
-	0xa8b6e37eL, 0xc3293d46L, 0x48de5369L, 0x6413e680L, 
-	0xa2ae0810L, 0xdd6db224L, 0x69852dfdL, 0x09072166L, 
-	0xb39a460aL, 0x6445c0ddL, 0x586cdecfL, 0x1c20c8aeL, 
-	0x5bbef7ddL, 0x1b588d40L, 0xccd2017fL, 0x6bb4e3bbL, 
-	0xdda26a7eL, 0x3a59ff45L, 0x3e350a44L, 0xbcb4cdd5L, 
-	0x72eacea8L, 0xfa6484bbL, 0x8d6612aeL, 0xbf3c6f47L, 
-	0xd29be463L, 0x542f5d9eL, 0xaec2771bL, 0xf64e6370L, 
-	0x740e0d8dL, 0xe75b1357L, 0xf8721671L, 0xaf537d5dL, 
-	0x4040cb08L, 0x4eb4e2ccL, 0x34d2466aL, 0x0115af84L, 
-	0xe1b00428L, 0x95983a1dL, 0x06b89fb4L, 0xce6ea048L, 
-	0x6f3f3b82L, 0x3520ab82L, 0x011a1d4bL, 0x277227f8L, 
-	0x611560b1L, 0xe7933fdcL, 0xbb3a792bL, 0x344525bdL, 
-	0xa08839e1L, 0x51ce794bL, 0x2f32c9b7L, 0xa01fbac9L, 
-	0xe01cc87eL, 0xbcc7d1f6L, 0xcf0111c3L, 0xa1e8aac7L, 
-	0x1a908749L, 0xd44fbd9aL, 0xd0dadecbL, 0xd50ada38L, 
-	0x0339c32aL, 0xc6913667L, 0x8df9317cL, 0xe0b12b4fL, 
-	0xf79e59b7L, 0x43f5bb3aL, 0xf2d519ffL, 0x27d9459cL, 
-	0xbf97222cL, 0x15e6fc2aL, 0x0f91fc71L, 0x9b941525L, 
-	0xfae59361L, 0xceb69cebL, 0xc2a86459L, 0x12baa8d1L, 
-	0xb6c1075eL, 0xe3056a0cL, 0x10d25065L, 0xcb03a442L, 
-	0xe0ec6e0eL, 0x1698db3bL, 0x4c98a0beL, 0x3278e964L, 
-	0x9f1f9532L, 0xe0d392dfL, 0xd3a0342bL, 0x8971f21eL, 
-	0x1b0a7441L, 0x4ba3348cL, 0xc5be7120L, 0xc37632d8L, 
-	0xdf359f8dL, 0x9b992f2eL, 0xe60b6f47L, 0x0fe3f11dL, 
-	0xe54cda54L, 0x1edad891L, 0xce6279cfL, 0xcd3e7e6fL, 
-	0x1618b166L, 0xfd2c1d05L, 0x848fd2c5L, 0xf6fb2299L, 
-	0xf523f357L, 0xa6327623L, 0x93a83531L, 0x56cccd02L, 
-	0xacf08162L, 0x5a75ebb5L, 0x6e163697L, 0x88d273ccL, 
-	0xde966292L, 0x81b949d0L, 0x4c50901bL, 0x71c65614L, 
-	0xe6c6c7bdL, 0x327a140aL, 0x45e1d006L, 0xc3f27b9aL, 
-	0xc9aa53fdL, 0x62a80f00L, 0xbb25bfe2L, 0x35bdd2f6L, 
-	0x71126905L, 0xb2040222L, 0xb6cbcf7cL, 0xcd769c2bL, 
-	0x53113ec0L, 0x1640e3d3L, 0x38abbd60L, 0x2547adf0L, 
-	0xba38209cL, 0xf746ce76L, 0x77afa1c5L, 0x20756060L, 
-	0x85cbfe4eL, 0x8ae88dd8L, 0x7aaaf9b0L, 0x4cf9aa7eL, 
-	0x1948c25cL, 0x02fb8a8cL, 0x01c36ae4L, 0xd6ebe1f9L, 
-	0x90d4f869L, 0xa65cdea0L, 0x3f09252dL, 0xc208e69fL, 
-	0xb74e6132L, 0xce77e25bL, 0x578fdfe3L, 0x3ac372e6L, 
+	0xd1310ba6L, 0x98dfb5acL, 0x2ffd72dbL, 0xd01adfb7L,
+	0xb8e1afedL, 0x6a267e96L, 0xba7c9045L, 0xf12c7f99L,
+	0x24a19947L, 0xb3916cf7L, 0x0801f2e2L, 0x858efc16L,
+	0x636920d8L, 0x71574e69L, 0xa458fea3L, 0xf4933d7eL,
+	0x0d95748fL, 0x728eb658L, 0x718bcd58L, 0x82154aeeL,
+	0x7b54a41dL, 0xc25a59b5L, 0x9c30d539L, 0x2af26013L,
+	0xc5d1b023L, 0x286085f0L, 0xca417918L, 0xb8db38efL,
+	0x8e79dcb0L, 0x603a180eL, 0x6c9e0e8bL, 0xb01e8a3eL,
+	0xd71577c1L, 0xbd314b27L, 0x78af2fdaL, 0x55605c60L,
+	0xe65525f3L, 0xaa55ab94L, 0x57489862L, 0x63e81440L,
+	0x55ca396aL, 0x2aab10b6L, 0xb4cc5c34L, 0x1141e8ceL,
+	0xa15486afL, 0x7c72e993L, 0xb3ee1411L, 0x636fbc2aL,
+	0x2ba9c55dL, 0x741831f6L, 0xce5c3e16L, 0x9b87931eL,
+	0xafd6ba33L, 0x6c24cf5cL, 0x7a325381L, 0x28958677L,
+	0x3b8f4898L, 0x6b4bb9afL, 0xc4bfe81bL, 0x66282193L,
+	0x61d809ccL, 0xfb21a991L, 0x487cac60L, 0x5dec8032L,
+	0xef845d5dL, 0xe98575b1L, 0xdc262302L, 0xeb651b88L,
+	0x23893e81L, 0xd396acc5L, 0x0f6d6ff3L, 0x83f44239L,
+	0x2e0b4482L, 0xa4842004L, 0x69c8f04aL, 0x9e1f9b5eL,
+	0x21c66842L, 0xf6e96c9aL, 0x670c9c61L, 0xabd388f0L,
+	0x6a51a0d2L, 0xd8542f68L, 0x960fa728L, 0xab5133a3L,
+	0x6eef0b6cL, 0x137a3be4L, 0xba3bf050L, 0x7efb2a98L,
+	0xa1f1651dL, 0x39af0176L, 0x66ca593eL, 0x82430e88L,
+	0x8cee8619L, 0x456f9fb4L, 0x7d84a5c3L, 0x3b8b5ebeL,
+	0xe06f75d8L, 0x85c12073L, 0x401a449fL, 0x56c16aa6L,
+	0x4ed3aa62L, 0x363f7706L, 0x1bfedf72L, 0x429b023dL,
+	0x37d0d724L, 0xd00a1248L, 0xdb0fead3L, 0x49f1c09bL,
+	0x075372c9L, 0x80991b7bL, 0x25d479d8L, 0xf6e8def7L,
+	0xe3fe501aL, 0xb6794c3bL, 0x976ce0bdL, 0x04c006baL,
+	0xc1a94fb6L, 0x409f60c4L, 0x5e5c9ec2L, 0x196a2463L,
+	0x68fb6fafL, 0x3e6c53b5L, 0x1339b2ebL, 0x3b52ec6fL,
+	0x6dfc511fL, 0x9b30952cL, 0xcc814544L, 0xaf5ebd09L,
+	0xbee3d004L, 0xde334afdL, 0x660f2807L, 0x192e4bb3L,
+	0xc0cba857L, 0x45c8740fL, 0xd20b5f39L, 0xb9d3fbdbL,
+	0x5579c0bdL, 0x1a60320aL, 0xd6a100c6L, 0x402c7279L,
+	0x679f25feL, 0xfb1fa3ccL, 0x8ea5e9f8L, 0xdb3222f8L,
+	0x3c7516dfL, 0xfd616b15L, 0x2f501ec8L, 0xad0552abL,
+	0x323db5faL, 0xfd238760L, 0x53317b48L, 0x3e00df82L,
+	0x9e5c57bbL, 0xca6f8ca0L, 0x1a87562eL, 0xdf1769dbL,
+	0xd542a8f6L, 0x287effc3L, 0xac6732c6L, 0x8c4f5573L,
+	0x695b27b0L, 0xbbca58c8L, 0xe1ffa35dL, 0xb8f011a0L,
+	0x10fa3d98L, 0xfd2183b8L, 0x4afcb56cL, 0x2dd1d35bL,
+	0x9a53e479L, 0xb6f84565L, 0xd28e49bcL, 0x4bfb9790L,
+	0xe1ddf2daL, 0xa4cb7e33L, 0x62fb1341L, 0xcee4c6e8L,
+	0xef20cadaL, 0x36774c01L, 0xd07e9efeL, 0x2bf11fb4L,
+	0x95dbda4dL, 0xae909198L, 0xeaad8e71L, 0x6b93d5a0L,
+	0xd08ed1d0L, 0xafc725e0L, 0x8e3c5b2fL, 0x8e7594b7L,
+	0x8ff6e2fbL, 0xf2122b64L, 0x8888b812L, 0x900df01cL,
+	0x4fad5ea0L, 0x688fc31cL, 0xd1cff191L, 0xb3a8c1adL,
+	0x2f2f2218L, 0xbe0e1777L, 0xea752dfeL, 0x8b021fa1L,
+	0xe5a0cc0fL, 0xb56f74e8L, 0x18acf3d6L, 0xce89e299L,
+	0xb4a84fe0L, 0xfd13e0b7L, 0x7cc43b81L, 0xd2ada8d9L,
+	0x165fa266L, 0x80957705L, 0x93cc7314L, 0x211a1477L,
+	0xe6ad2065L, 0x77b5fa86L, 0xc75442f5L, 0xfb9d35cfL,
+	0xebcdaf0cL, 0x7b3e89a0L, 0xd6411bd3L, 0xae1e7e49L,
+	0x00250e2dL, 0x2071b35eL, 0x226800bbL, 0x57b8e0afL,
+	0x2464369bL, 0xf009b91eL, 0x5563911dL, 0x59dfa6aaL,
+	0x78c14389L, 0xd95a537fL, 0x207d5ba2L, 0x02e5b9c5L,
+	0x83260376L, 0x6295cfa9L, 0x11c81968L, 0x4e734a41L,
+	0xb3472dcaL, 0x7b14a94aL, 0x1b510052L, 0x9a532915L,
+	0xd60f573fL, 0xbc9bc6e4L, 0x2b60a476L, 0x81e67400L,
+	0x08ba6fb5L, 0x571be91fL, 0xf296ec6bL, 0x2a0dd915L,
+	0xb6636521L, 0xe7b9f9b6L, 0xff34052eL, 0xc5855664L,
+	0x53b02d5dL, 0xa99f8fa1L, 0x08ba4799L, 0x6e85076aL,
+	0x4b7a70e9L, 0xb5b32944L, 0xdb75092eL, 0xc4192623L,
+	0xad6ea6b0L, 0x49a7df7dL, 0x9cee60b8L, 0x8fedb266L,
+	0xecaa8c71L, 0x699a17ffL, 0x5664526cL, 0xc2b19ee1L,
+	0x193602a5L, 0x75094c29L, 0xa0591340L, 0xe4183a3eL,
+	0x3f54989aL, 0x5b429d65L, 0x6b8fe4d6L, 0x99f73fd6L,
+	0xa1d29c07L, 0xefe830f5L, 0x4d2d38e6L, 0xf0255dc1L,
+	0x4cdd2086L, 0x8470eb26L, 0x6382e9c6L, 0x021ecc5eL,
+	0x09686b3fL, 0x3ebaefc9L, 0x3c971814L, 0x6b6a70a1L,
+	0x687f3584L, 0x52a0e286L, 0xb79c5305L, 0xaa500737L,
+	0x3e07841cL, 0x7fdeae5cL, 0x8e7d44ecL, 0x5716f2b8L,
+	0xb03ada37L, 0xf0500c0dL, 0xf01c1f04L, 0x0200b3ffL,
+	0xae0cf51aL, 0x3cb574b2L, 0x25837a58L, 0xdc0921bdL,
+	0xd19113f9L, 0x7ca92ff6L, 0x94324773L, 0x22f54701L,
+	0x3ae5e581L, 0x37c2dadcL, 0xc8b57634L, 0x9af3dda7L,
+	0xa9446146L, 0x0fd0030eL, 0xecc8c73eL, 0xa4751e41L,
+	0xe238cd99L, 0x3bea0e2fL, 0x3280bba1L, 0x183eb331L,
+	0x4e548b38L, 0x4f6db908L, 0x6f420d03L, 0xf60a04bfL,
+	0x2cb81290L, 0x24977c79L, 0x5679b072L, 0xbcaf89afL,
+	0xde9a771fL, 0xd9930810L, 0xb38bae12L, 0xdccf3f2eL,
+	0x5512721fL, 0x2e6b7124L, 0x501adde6L, 0x9f84cd87L,
+	0x7a584718L, 0x7408da17L, 0xbc9f9abcL, 0xe94b7d8cL,
+	0xec7aec3aL, 0xdb851dfaL, 0x63094366L, 0xc464c3d2L,
+	0xef1c1847L, 0x3215d908L, 0xdd433b37L, 0x24c2ba16L,
+	0x12a14d43L, 0x2a65c451L, 0x50940002L, 0x133ae4ddL,
+	0x71dff89eL, 0x10314e55L, 0x81ac77d6L, 0x5f11199bL,
+	0x043556f1L, 0xd7a3c76bL, 0x3c11183bL, 0x5924a509L,
+	0xf28fe6edL, 0x97f1fbfaL, 0x9ebabf2cL, 0x1e153c6eL,
+	0x86e34570L, 0xeae96fb1L, 0x860e5e0aL, 0x5a3e2ab3L,
+	0x771fe71cL, 0x4e3d06faL, 0x2965dcb9L, 0x99e71d0fL,
+	0x803e89d6L, 0x5266c825L, 0x2e4cc978L, 0x9c10b36aL,
+	0xc6150ebaL, 0x94e2ea78L, 0xa5fc3c53L, 0x1e0a2df4L,
+	0xf2f74ea7L, 0x361d2b3dL, 0x1939260fL, 0x19c27960L,
+	0x5223a708L, 0xf71312b6L, 0xebadfe6eL, 0xeac31f66L,
+	0xe3bc4595L, 0xa67bc883L, 0xb17f37d1L, 0x018cff28L,
+	0xc332ddefL, 0xbe6c5aa5L, 0x65582185L, 0x68ab9802L,
+	0xeecea50fL, 0xdb2f953bL, 0x2aef7dadL, 0x5b6e2f84L,
+	0x1521b628L, 0x29076170L, 0xecdd4775L, 0x619f1510L,
+	0x13cca830L, 0xeb61bd96L, 0x0334fe1eL, 0xaa0363cfL,
+	0xb5735c90L, 0x4c70a239L, 0xd59e9e0bL, 0xcbaade14L,
+	0xeecc86bcL, 0x60622ca7L, 0x9cab5cabL, 0xb2f3846eL,
+	0x648b1eafL, 0x19bdf0caL, 0xa02369b9L, 0x655abb50L,
+	0x40685a32L, 0x3c2ab4b3L, 0x319ee9d5L, 0xc021b8f7L,
+	0x9b540b19L, 0x875fa099L, 0x95f7997eL, 0x623d7da8L,
+	0xf837889aL, 0x97e32d77L, 0x11ed935fL, 0x16681281L,
+	0x0e358829L, 0xc7e61fd6L, 0x96dedfa1L, 0x7858ba99L,
+	0x57f584a5L, 0x1b227263L, 0x9b83c3ffL, 0x1ac24696L,
+	0xcdb30aebL, 0x532e3054L, 0x8fd948e4L, 0x6dbc3128L,
+	0x58ebf2efL, 0x34c6ffeaL, 0xfe28ed61L, 0xee7c3c73L,
+	0x5d4a14d9L, 0xe864b7e3L, 0x42105d14L, 0x203e13e0L,
+	0x45eee2b6L, 0xa3aaabeaL, 0xdb6c4f15L, 0xfacb4fd0L,
+	0xc742f442L, 0xef6abbb5L, 0x654f3b1dL, 0x41cd2105L,
+	0xd81e799eL, 0x86854dc7L, 0xe44b476aL, 0x3d816250L,
+	0xcf62a1f2L, 0x5b8d2646L, 0xfc8883a0L, 0xc1c7b6a3L,
+	0x7f1524c3L, 0x69cb7492L, 0x47848a0bL, 0x5692b285L,
+	0x095bbf00L, 0xad19489dL, 0x1462b174L, 0x23820e00L,
+	0x58428d2aL, 0x0c55f5eaL, 0x1dadf43eL, 0x233f7061L,
+	0x3372f092L, 0x8d937e41L, 0xd65fecf1L, 0x6c223bdbL,
+	0x7cde3759L, 0xcbee7460L, 0x4085f2a7L, 0xce77326eL,
+	0xa6078084L, 0x19f8509eL, 0xe8efd855L, 0x61d99735L,
+	0xa969a7aaL, 0xc50c06c2L, 0x5a04abfcL, 0x800bcadcL,
+	0x9e447a2eL, 0xc3453484L, 0xfdd56705L, 0x0e1e9ec9L,
+	0xdb73dbd3L, 0x105588cdL, 0x675fda79L, 0xe3674340L,
+	0xc5c43465L, 0x713e38d8L, 0x3d28f89eL, 0xf16dff20L,
+	0x153e21e7L, 0x8fb03d4aL, 0xe6e39f2bL, 0xdb83adf7L,
+	0xe93d5a68L, 0x948140f7L, 0xf64c261cL, 0x94692934L,
+	0x411520f7L, 0x7602d4f7L, 0xbcf46b2eL, 0xd4a20068L,
+	0xd4082471L, 0x3320f46aL, 0x43b7d4b7L, 0x500061afL,
+	0x1e39f62eL, 0x97244546L, 0x14214f74L, 0xbf8b8840L,
+	0x4d95fc1dL, 0x96b591afL, 0x70f4ddd3L, 0x66a02f45L,
+	0xbfbc09ecL, 0x03bd9785L, 0x7fac6dd0L, 0x31cb8504L,
+	0x96eb27b3L, 0x55fd3941L, 0xda2547e6L, 0xabca0a9aL,
+	0x28507825L, 0x530429f4L, 0x0a2c86daL, 0xe9b66dfbL,
+	0x68dc1462L, 0xd7486900L, 0x680ec0a4L, 0x27a18deeL,
+	0x4f3ffea2L, 0xe887ad8cL, 0xb58ce006L, 0x7af4d6b6L,
+	0xaace1e7cL, 0xd3375fecL, 0xce78a399L, 0x406b2a42L,
+	0x20fe9e35L, 0xd9f385b9L, 0xee39d7abL, 0x3b124e8bL,
+	0x1dc9faf7L, 0x4b6d1856L, 0x26a36631L, 0xeae397b2L,
+	0x3a6efa74L, 0xdd5b4332L, 0x6841e7f7L, 0xca7820fbL,
+	0xfb0af54eL, 0xd8feb397L, 0x454056acL, 0xba489527L,
+	0x55533a3aL, 0x20838d87L, 0xfe6ba9b7L, 0xd096954bL,
+	0x55a867bcL, 0xa1159a58L, 0xcca92963L, 0x99e1db33L,
+	0xa62a4a56L, 0x3f3125f9L, 0x5ef47e1cL, 0x9029317cL,
+	0xfdf8e802L, 0x04272f70L, 0x80bb155cL, 0x05282ce3L,
+	0x95c11548L, 0xe4c66d22L, 0x48c1133fL, 0xc70f86dcL,
+	0x07f9c9eeL, 0x41041f0fL, 0x404779a4L, 0x5d886e17L,
+	0x325f51ebL, 0xd59bc0d1L, 0xf2bcc18fL, 0x41113564L,
+	0x257b7834L, 0x602a9c60L, 0xdff8e8a3L, 0x1f636c1bL,
+	0x0e12b4c2L, 0x02e1329eL, 0xaf664fd1L, 0xcad18115L,
+	0x6b2395e0L, 0x333e92e1L, 0x3b240b62L, 0xeebeb922L,
+	0x85b2a20eL, 0xe6ba0d99L, 0xde720c8cL, 0x2da2f728L,
+	0xd0127845L, 0x95b794fdL, 0x647d0862L, 0xe7ccf5f0L,
+	0x5449a36fL, 0x877d48faL, 0xc39dfd27L, 0xf33e8d1eL,
+	0x0a476341L, 0x992eff74L, 0x3a6f6eabL, 0xf4f8fd37L,
+	0xa812dc60L, 0xa1ebddf8L, 0x991be14cL, 0xdb6e6b0dL,
+	0xc67b5510L, 0x6d672c37L, 0x2765d43bL, 0xdcd0e804L,
+	0xf1290dc7L, 0xcc00ffa3L, 0xb5390f92L, 0x690fed0bL,
+	0x667b9ffbL, 0xcedb7d9cL, 0xa091cf0bL, 0xd9155ea3L,
+	0xbb132f88L, 0x515bad24L, 0x7b9479bfL, 0x763bd6ebL,
+	0x37392eb3L, 0xcc115979L, 0x8026e297L, 0xf42e312dL,
+	0x6842ada7L, 0xc66a2b3bL, 0x12754cccL, 0x782ef11cL,
+	0x6a124237L, 0xb79251e7L, 0x06a1bbe6L, 0x4bfb6350L,
+	0x1a6b1018L, 0x11caedfaL, 0x3d25bdd8L, 0xe2e1c3c9L,
+	0x44421659L, 0x0a121386L, 0xd90cec6eL, 0xd5abea2aL,
+	0x64af674eL, 0xda86a85fL, 0xbebfe988L, 0x64e4c3feL,
+	0x9dbc8057L, 0xf0f7c086L, 0x60787bf8L, 0x6003604dL,
+	0xd1fd8346L, 0xf6381fb0L, 0x7745ae04L, 0xd736fcccL,
+	0x83426b33L, 0xf01eab71L, 0xb0804187L, 0x3c005e5fL,
+	0x77a057beL, 0xbde8ae24L, 0x55464299L, 0xbf582e61L,
+	0x4e58f48fL, 0xf2ddfda2L, 0xf474ef38L, 0x8789bdc2L,
+	0x5366f9c3L, 0xc8b38e74L, 0xb475f255L, 0x46fcd9b9L,
+	0x7aeb2661L, 0x8b1ddf84L, 0x846a0e79L, 0x915f95e2L,
+	0x466e598eL, 0x20b45770L, 0x8cd55591L, 0xc902de4cL,
+	0xb90bace1L, 0xbb8205d0L, 0x11a86248L, 0x7574a99eL,
+	0xb77f19b6L, 0xe0a9dc09L, 0x662d09a1L, 0xc4324633L,
+	0xe85a1f02L, 0x09f0be8cL, 0x4a99a025L, 0x1d6efe10L,
+	0x1ab93d1dL, 0x0ba5a4dfL, 0xa186f20fL, 0x2868f169L,
+	0xdcb7da83L, 0x573906feL, 0xa1e2ce9bL, 0x4fcd7f52L,
+	0x50115e01L, 0xa70683faL, 0xa002b5c4L, 0x0de6d027L,
+	0x9af88c27L, 0x773f8641L, 0xc3604c06L, 0x61a806b5L,
+	0xf0177a28L, 0xc0f586e0L, 0x006058aaL, 0x30dc7d62L,
+	0x11e69ed7L, 0x2338ea63L, 0x53c2dd94L, 0xc2c21634L,
+	0xbbcbee56L, 0x90bcb6deL, 0xebfc7da1L, 0xce591d76L,
+	0x6f05e409L, 0x4b7c0188L, 0x39720a3dL, 0x7c927c24L,
+	0x86e3725fL, 0x724d9db9L, 0x1ac15bb4L, 0xd39eb8fcL,
+	0xed545578L, 0x08fca5b5L, 0xd83d7cd3L, 0x4dad0fc4L,
+	0x1e50ef5eL, 0xb161e6f8L, 0xa28514d9L, 0x6c51133cL,
+	0x6fd5c7e7L, 0x56e14ec4L, 0x362abfceL, 0xddc6c837L,
+	0xd79a3234L, 0x92638212L, 0x670efa8eL, 0x406000e0L,
+	0x3a39ce37L, 0xd3faf5cfL, 0xabc27737L, 0x5ac52d1bL,
+	0x5cb0679eL, 0x4fa33742L, 0xd3822740L, 0x99bc9bbeL,
+	0xd5118e9dL, 0xbf0f7315L, 0xd62d1c7eL, 0xc700c47bL,
+	0xb78c1b6bL, 0x21a19045L, 0xb26eb1beL, 0x6a366eb4L,
+	0x5748ab2fL, 0xbc946e79L, 0xc6a376d2L, 0x6549c2c8L,
+	0x530ff8eeL, 0x468dde7dL, 0xd5730a1dL, 0x4cd04dc6L,
+	0x2939bbdbL, 0xa9ba4650L, 0xac9526e8L, 0xbe5ee304L,
+	0xa1fad5f0L, 0x6a2d519aL, 0x63ef8ce2L, 0x9a86ee22L,
+	0xc089c2b8L, 0x43242ef6L, 0xa51e03aaL, 0x9cf2d0a4L,
+	0x83c061baL, 0x9be96a4dL, 0x8fe51550L, 0xba645bd6L,
+	0x2826a2f9L, 0xa73a3ae1L, 0x4ba99586L, 0xef5562e9L,
+	0xc72fefd3L, 0xf752f7daL, 0x3f046f69L, 0x77fa0a59L,
+	0x80e4a915L, 0x87b08601L, 0x9b09e6adL, 0x3b3ee593L,
+	0xe990fd5aL, 0x9e34d797L, 0x2cf0b7d9L, 0x022b8b51L,
+	0x96d5ac3aL, 0x017da67dL, 0xd1cf3ed6L, 0x7c7d2d28L,
+	0x1f9f25cfL, 0xadf2b89bL, 0x5ad6b472L, 0x5a88f54cL,
+	0xe029ac71L, 0xe019a5e6L, 0x47b0acfdL, 0xed93fa9bL,
+	0xe8d3c48dL, 0x283b57ccL, 0xf8d56629L, 0x79132e28L,
+	0x785f0191L, 0xed756055L, 0xf7960e44L, 0xe3d35e8cL,
+	0x15056dd4L, 0x88f46dbaL, 0x03a16125L, 0x0564f0bdL,
+	0xc3eb9e15L, 0x3c9057a2L, 0x97271aecL, 0xa93a072aL,
+	0x1b3f6d9bL, 0x1e6321f5L, 0xf59c66fbL, 0x26dcf319L,
+	0x7533d928L, 0xb155fdf5L, 0x03563482L, 0x8aba3cbbL,
+	0x28517711L, 0xc20ad9f8L, 0xabcc5167L, 0xccad925fL,
+	0x4de81751L, 0x3830dc8eL, 0x379d5862L, 0x9320f991L,
+	0xea7a90c2L, 0xfb3e7bceL, 0x5121ce64L, 0x774fbe32L,
+	0xa8b6e37eL, 0xc3293d46L, 0x48de5369L, 0x6413e680L,
+	0xa2ae0810L, 0xdd6db224L, 0x69852dfdL, 0x09072166L,
+	0xb39a460aL, 0x6445c0ddL, 0x586cdecfL, 0x1c20c8aeL,
+	0x5bbef7ddL, 0x1b588d40L, 0xccd2017fL, 0x6bb4e3bbL,
+	0xdda26a7eL, 0x3a59ff45L, 0x3e350a44L, 0xbcb4cdd5L,
+	0x72eacea8L, 0xfa6484bbL, 0x8d6612aeL, 0xbf3c6f47L,
+	0xd29be463L, 0x542f5d9eL, 0xaec2771bL, 0xf64e6370L,
+	0x740e0d8dL, 0xe75b1357L, 0xf8721671L, 0xaf537d5dL,
+	0x4040cb08L, 0x4eb4e2ccL, 0x34d2466aL, 0x0115af84L,
+	0xe1b00428L, 0x95983a1dL, 0x06b89fb4L, 0xce6ea048L,
+	0x6f3f3b82L, 0x3520ab82L, 0x011a1d4bL, 0x277227f8L,
+	0x611560b1L, 0xe7933fdcL, 0xbb3a792bL, 0x344525bdL,
+	0xa08839e1L, 0x51ce794bL, 0x2f32c9b7L, 0xa01fbac9L,
+	0xe01cc87eL, 0xbcc7d1f6L, 0xcf0111c3L, 0xa1e8aac7L,
+	0x1a908749L, 0xd44fbd9aL, 0xd0dadecbL, 0xd50ada38L,
+	0x0339c32aL, 0xc6913667L, 0x8df9317cL, 0xe0b12b4fL,
+	0xf79e59b7L, 0x43f5bb3aL, 0xf2d519ffL, 0x27d9459cL,
+	0xbf97222cL, 0x15e6fc2aL, 0x0f91fc71L, 0x9b941525L,
+	0xfae59361L, 0xceb69cebL, 0xc2a86459L, 0x12baa8d1L,
+	0xb6c1075eL, 0xe3056a0cL, 0x10d25065L, 0xcb03a442L,
+	0xe0ec6e0eL, 0x1698db3bL, 0x4c98a0beL, 0x3278e964L,
+	0x9f1f9532L, 0xe0d392dfL, 0xd3a0342bL, 0x8971f21eL,
+	0x1b0a7441L, 0x4ba3348cL, 0xc5be7120L, 0xc37632d8L,
+	0xdf359f8dL, 0x9b992f2eL, 0xe60b6f47L, 0x0fe3f11dL,
+	0xe54cda54L, 0x1edad891L, 0xce6279cfL, 0xcd3e7e6fL,
+	0x1618b166L, 0xfd2c1d05L, 0x848fd2c5L, 0xf6fb2299L,
+	0xf523f357L, 0xa6327623L, 0x93a83531L, 0x56cccd02L,
+	0xacf08162L, 0x5a75ebb5L, 0x6e163697L, 0x88d273ccL,
+	0xde966292L, 0x81b949d0L, 0x4c50901bL, 0x71c65614L,
+	0xe6c6c7bdL, 0x327a140aL, 0x45e1d006L, 0xc3f27b9aL,
+	0xc9aa53fdL, 0x62a80f00L, 0xbb25bfe2L, 0x35bdd2f6L,
+	0x71126905L, 0xb2040222L, 0xb6cbcf7cL, 0xcd769c2bL,
+	0x53113ec0L, 0x1640e3d3L, 0x38abbd60L, 0x2547adf0L,
+	0xba38209cL, 0xf746ce76L, 0x77afa1c5L, 0x20756060L,
+	0x85cbfe4eL, 0x8ae88dd8L, 0x7aaaf9b0L, 0x4cf9aa7eL,
+	0x1948c25cL, 0x02fb8a8cL, 0x01c36ae4L, 0xd6ebe1f9L,
+	0x90d4f869L, 0xa65cdea0L, 0x3f09252dL, 0xc208e69fL,
+	0xb74e6132L, 0xce77e25bL, 0x578fdfe3L, 0x3ac372e6L,
 	}
 	};
 
diff --git a/src/libstrongswan/plugins/blowfish/bf_skey.c b/src/libstrongswan/plugins/blowfish/bf_skey.c
index 8cdbbd283..ceec3b8d4 100644
--- a/src/libstrongswan/plugins/blowfish/bf_skey.c
+++ b/src/libstrongswan/plugins/blowfish/bf_skey.c
@@ -5,21 +5,21 @@
  * This package is an SSL implementation written
  * by Eric Young (eay@cryptsoft.com).
  * The implementation was written so as to conform with Netscapes SSL.
- * 
+ *
  * This library is free for commercial and non-commercial use as long as
  * the following conditions are aheared to.  The following conditions
  * apply to all code found in this distribution, be it the RC4, RSA,
  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
  * included with this distribution is covered by the same copyright terms
  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
+ *
  * Copyright remains Eric Young's, and as such any Copyright notices in
  * the code are not to be removed.
  * If this package is used in a product, Eric Young should be given attribution
  * as the author of the parts of the library used.
  * This can be in the form of a textual message at program startup or
  * in documentation (online or textual) provided with the package.
- * 
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
@@ -34,10 +34,10 @@
  *     Eric Young (eay@cryptsoft.com)"
  *    The word 'cryptographic' can be left out if the rouines from the library
  *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
+ * 4. If you include any Windows specific code (or a derivative thereof) from
  *    the apps directory (application code) you must include an acknowledgement:
  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
+ *
  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -49,7 +49,7 @@
  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
- * 
+ *
  * The licence and distribution terms for any publically available version or
  * derivative of this code cannot be changed.  i.e. this code cannot simply be
  * copied and put under another distribution licence
diff --git a/src/libstrongswan/plugins/blowfish/blowfish.h b/src/libstrongswan/plugins/blowfish/blowfish.h
index ccb97e272..9aa30df4b 100644
--- a/src/libstrongswan/plugins/blowfish/blowfish.h
+++ b/src/libstrongswan/plugins/blowfish/blowfish.h
@@ -5,21 +5,21 @@
  * This package is an SSL implementation written
  * by Eric Young (eay@cryptsoft.com).
  * The implementation was written so as to conform with Netscapes SSL.
- * 
+ *
  * This library is free for commercial and non-commercial use as long as
  * the following conditions are aheared to.  The following conditions
  * apply to all code found in this distribution, be it the RC4, RSA,
  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
  * included with this distribution is covered by the same copyright terms
  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
+ *
  * Copyright remains Eric Young's, and as such any Copyright notices in
  * the code are not to be removed.
  * If this package is used in a product, Eric Young should be given attribution
  * as the author of the parts of the library used.
  * This can be in the form of a textual message at program startup or
  * in documentation (online or textual) provided with the package.
- * 
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
@@ -34,10 +34,10 @@
  *     Eric Young (eay@cryptsoft.com)"
  *    The word 'cryptographic' can be left out if the rouines from the library
  *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
+ * 4. If you include any Windows specific code (or a derivative thereof) from
  *    the apps directory (application code) you must include an acknowledgement:
  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
+ *
  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -49,7 +49,7 @@
  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
- * 
+ *
  * The licence and distribution terms for any publically available version or
  * derivative of this code cannot be changed.  i.e. this code cannot simply be
  * copied and put under another distribution licence
@@ -90,7 +90,7 @@ extern "C" {
  * So I've chosen long...
  *					<appro@fy.chalmers.se>
  */
-	
+
 /* des.h-like hack <jjo-ipsec@mendoza.gov.ar> */
 #ifndef BF_LONG
 #ifdef __KERNEL__
@@ -110,7 +110,7 @@ typedef struct bf_key_st
 	BF_LONG S[4*256];
 	} BF_KEY;
 
- 
+
 void BF_set_key(BF_KEY *key, int len, const unsigned char *data);
 
 void BF_encrypt(BF_LONG *data,const BF_KEY *key);
diff --git a/src/libstrongswan/plugins/blowfish/blowfish_crypter.c b/src/libstrongswan/plugins/blowfish/blowfish_crypter.c
index 5064bfef6..fb856ed37 100644
--- a/src/libstrongswan/plugins/blowfish/blowfish_crypter.c
+++ b/src/libstrongswan/plugins/blowfish/blowfish_crypter.c
@@ -4,21 +4,21 @@
  * This package is an SSL implementation written
  * by Eric Young (eay@cryptsoft.com).
  * The implementation was written so as to conform with Netscapes SSL.
- * 
+ *
  * This library is free for commercial and non-commercial use as long as
  * the following conditions are aheared to.  The following conditions
  * apply to all code found in this distribution, be it the RC4, RSA,
  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
  * included with this distribution is covered by the same copyright terms
  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
+ *
  * Copyright remains Eric Young's, and as such any Copyright notices in
  * the code are not to be removed.
  * If this package is used in a product, Eric Young should be given attribution
  * as the author of the parts of the library used.
  * This can be in the form of a textual message at program startup or
  * in documentation (online or textual) provided with the package.
- * 
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
@@ -33,10 +33,10 @@
  *     Eric Young (eay@cryptsoft.com)"
  *    The word 'cryptographic' can be left out if the rouines from the library
  *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
+ * 4. If you include any Windows specific code (or a derivative thereof) from
  *    the apps directory (application code) you must include an acknowledgement:
  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
+ *
  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -48,7 +48,7 @@
  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
- * 
+ *
  * The licence and distribution terms for any publically available version or
  * derivative of this code cannot be changed.  i.e. this code cannot simply be
  * copied and put under another distribution licence
@@ -61,23 +61,23 @@
  * (From LECTURE NOTES IN COMPUTER SCIENCE 809, FAST SOFTWARE ENCRYPTION,
  * CAMBRIDGE SECURITY WORKSHOP, CAMBRIDGE, U.K., DECEMBER 9-11, 1993)
  */
- 
+
 #include "blowfish_crypter.h"
 
 typedef struct private_blowfish_crypter_t private_blowfish_crypter_t;
 
 /**
  * Class implementing the Blowfish symmetric encryption algorithm.
- * 
+ *
  * @ingroup crypters
  */
 struct private_blowfish_crypter_t {
-	
+
 	/**
 	 * Public part of this class.
 	 */
 	blowfish_crypter_t public;
-	
+
 	/**
 	 * Blowfish key schedule
 	 */
@@ -96,7 +96,7 @@ static void decrypt(private_blowfish_crypter_t *this, chunk_t data, chunk_t iv,
 					chunk_t *decrypted)
 {
 	u_int8_t *in, *out;
-	
+
 	if (decrypted)
 	{
 		*decrypted = chunk_alloc(data.len);
@@ -121,7 +121,7 @@ static void encrypt (private_blowfish_crypter_t *this, chunk_t data, chunk_t iv,
 					 chunk_t *encrypted)
 {
 	u_int8_t *in, *out;
-	
+
 	if (encrypted)
 	{
 		*encrypted = chunk_alloc(data.len);
@@ -177,14 +177,14 @@ static void destroy (private_blowfish_crypter_t *this)
 blowfish_crypter_t *blowfish_crypter_create(encryption_algorithm_t algo, size_t key_size)
 {
 	private_blowfish_crypter_t *this;
-	
+
 	if (algo != ENCR_BLOWFISH)
 	{
 		return NULL;
 	}
-	
+
 	this = malloc_thing(private_blowfish_crypter_t);
-	
+
 	this->key_size = key_size;
 	this->public.crypter_interface.encrypt = (void (*) (crypter_t *, chunk_t,chunk_t, chunk_t *)) encrypt;
 	this->public.crypter_interface.decrypt = (void (*) (crypter_t *, chunk_t , chunk_t, chunk_t *)) decrypt;
@@ -192,6 +192,6 @@ blowfish_crypter_t *blowfish_crypter_create(encryption_algorithm_t algo, size_t
 	this->public.crypter_interface.get_key_size = (size_t (*) (crypter_t *)) get_key_size;
 	this->public.crypter_interface.set_key = (void (*) (crypter_t *,chunk_t)) set_key;
 	this->public.crypter_interface.destroy = (void (*) (crypter_t *)) destroy;
-	
+
 	return &(this->public);
 }
diff --git a/src/libstrongswan/plugins/blowfish/blowfish_crypter.h b/src/libstrongswan/plugins/blowfish/blowfish_crypter.h
index 2bb896e64..71cc09cd0 100644
--- a/src/libstrongswan/plugins/blowfish/blowfish_crypter.h
+++ b/src/libstrongswan/plugins/blowfish/blowfish_crypter.h
@@ -30,7 +30,7 @@ typedef struct blowfish_crypter_t blowfish_crypter_t;
  * Class implementing the Blowfish encryption algorithm.
  */
 struct blowfish_crypter_t {
-	
+
 	/**
 	 * The crypter_t interface.
 	 */
@@ -39,7 +39,7 @@ struct blowfish_crypter_t {
 
 /**
  * Constructor to create blowfish_crypter_t objects.
- * 
+ *
  * @param key_size		key size in bytes
  * @param algo			algorithm to implement
  * @return				blowfish_crypter_t object, NULL if not supported
diff --git a/src/libstrongswan/plugins/blowfish/blowfish_plugin.c b/src/libstrongswan/plugins/blowfish/blowfish_plugin.c
index 6e2f6d4fa..993dc8b3b 100644
--- a/src/libstrongswan/plugins/blowfish/blowfish_plugin.c
+++ b/src/libstrongswan/plugins/blowfish/blowfish_plugin.c
@@ -48,12 +48,12 @@ static void destroy(private_blowfish_plugin_t *this)
 plugin_t *plugin_create()
 {
 	private_blowfish_plugin_t *this = malloc_thing(private_blowfish_plugin_t);
-	
+
 	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-	
+
 	lib->crypto->add_crypter(lib->crypto, ENCR_BLOWFISH,
 							 (crypter_constructor_t)blowfish_crypter_create);
-	
+
 	return &this->public.plugin;
 }
 
diff --git a/src/libstrongswan/plugins/curl/Makefile.in b/src/libstrongswan/plugins/curl/Makefile.in
index 21d77ac8f..32b2504fe 100644
--- a/src/libstrongswan/plugins/curl/Makefile.in
+++ b/src/libstrongswan/plugins/curl/Makefile.in
@@ -1,8 +1,9 @@
-# Makefile.in generated by automake 1.10.2 from Makefile.am.
+# Makefile.in generated by automake 1.11 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,8 +17,9 @@
 
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
@@ -35,19 +37,41 @@ host_triplet = @host@
 subdir = src/libstrongswan/plugins/curl
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
 CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
 am__vpath_adj = case $$p in \
     $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
     *) f=$$p;; \
   esac;
-am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__installdirs = "$(DESTDIR)$(plugindir)"
-pluginLTLIBRARIES_INSTALL = $(INSTALL)
 LTLIBRARIES = $(plugin_LTLIBRARIES)
 libstrongswan_curl_la_DEPENDENCIES =
 am_libstrongswan_curl_la_OBJECTS = curl_plugin.lo curl_fetcher.lo
@@ -58,6 +82,7 @@ libstrongswan_curl_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
+am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
@@ -105,25 +130,22 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
-IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
-LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
-LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
-LINUX_HEADERS = @LINUX_HEADERS@
 LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
 NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
@@ -135,11 +157,14 @@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
 PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
+RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
@@ -168,9 +193,9 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
-confdir = @confdir@
 datadir = @datadir@
 datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
@@ -193,7 +218,7 @@ ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
 libstrongswan_plugins = @libstrongswan_plugins@
-linuxdir = @linuxdir@
+linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
@@ -201,6 +226,7 @@ mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
@@ -209,10 +235,12 @@ pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+random_device = @random_device@
 resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
-simreader = @simreader@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
@@ -220,6 +248,7 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
@@ -241,9 +270,9 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/libstrongswan/plugins/curl/Makefile'; \
-	cd $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu  src/libstrongswan/plugins/curl/Makefile
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/curl/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libstrongswan/plugins/curl/Makefile
 .PRECIOUS: Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
@@ -261,23 +290,28 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
 	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
 	  if test -f $$p; then \
-	    f=$(am__strip_dir) \
-	    echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(plugindir)/$$f'"; \
-	    $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(plugindir)/$$f"; \
+	    list2="$$list2 $$p"; \
 	  else :; fi; \
-	done
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
 
 uninstall-pluginLTLIBRARIES:
 	@$(NORMAL_UNINSTALL)
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
-	  p=$(am__strip_dir) \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$p'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$p"; \
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
 	done
 
 clean-pluginLTLIBRARIES:
@@ -302,21 +336,21 @@ distclean-compile:
 
 .c.o:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c $<
 
 .c.obj:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
 @am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
@@ -339,7 +373,7 @@ tags: TAGS
 
 TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
+	set x; \
 	here=`pwd`; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
@@ -347,29 +381,34 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
 	  test -n "$$unique" || unique=$$empty_fix; \
-	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	    $$tags $$unique; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
 	fi
 ctags: CTAGS
 CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	test -z "$(CTAGS_ARGS)$$unique" \
 	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$tags $$unique
+	     $$unique
 
 GTAGS:
 	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && cd $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) $$here
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
 
 distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
@@ -390,13 +429,17 @@ distdir: $(DISTFILES)
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
 	  if test -d $$d/$$file; then \
 	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
 	    fi; \
-	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
 	  else \
-	    test -f $(distdir)/$$file \
-	    || cp -p $$d/$$file $(distdir)/$$file \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
 	    || exit 1; \
 	  fi; \
 	done
@@ -427,6 +470,7 @@ clean-generic:
 
 distclean-generic:
 	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -448,6 +492,8 @@ dvi-am:
 
 html: html-am
 
+html-am:
+
 info: info-am
 
 info-am:
@@ -456,18 +502,28 @@ install-data-am: install-pluginLTLIBRARIES
 
 install-dvi: install-dvi-am
 
+install-dvi-am:
+
 install-exec-am:
 
 install-html: install-html-am
 
+install-html-am:
+
 install-info: install-info-am
 
+install-info-am:
+
 install-man:
 
 install-pdf: install-pdf-am
 
+install-pdf-am:
+
 install-ps: install-ps-am
 
+install-ps-am:
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -506,6 +562,7 @@ uninstall-am: uninstall-pluginLTLIBRARIES
 	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
 	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
 
+
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/src/libstrongswan/plugins/curl/curl_fetcher.c b/src/libstrongswan/plugins/curl/curl_fetcher.c
index 7ee9fa1bd..08315e932 100644
--- a/src/libstrongswan/plugins/curl/curl_fetcher.c
+++ b/src/libstrongswan/plugins/curl/curl_fetcher.c
@@ -33,14 +33,14 @@ struct private_curl_fetcher_t {
 	 * Public data
 	 */
 	curl_fetcher_t public;
-	
+
 	/**
 	 * CURL handle
 	 */
 	CURL* curl;
-	
+
 	/**
-     * Optional HTTP headers
+	 * Optional HTTP headers
 	 */
 	struct curl_slist *headers;
 };
@@ -51,7 +51,7 @@ struct private_curl_fetcher_t {
 static size_t append(void *ptr, size_t size, size_t nmemb, chunk_t *data)
 {
 	size_t realsize = size * nmemb;
-	
+
 	data->ptr = (u_char*)realloc(data->ptr, data->len + realsize);
 	if (data->ptr)
 	{
@@ -61,16 +61,14 @@ static size_t append(void *ptr, size_t size, size_t nmemb, chunk_t *data)
 	return realsize;
 }
 
-/**
- * Implements fetcher_t.fetch.
- */
-static status_t fetch(private_curl_fetcher_t *this, char *uri, chunk_t *result)
+METHOD(fetcher_t, fetch, status_t,
+	private_curl_fetcher_t *this, char *uri, chunk_t *result)
 {
 	char error[CURL_ERROR_SIZE];
 	status_t status;
-	
+
 	*result = chunk_empty;
-	
+
 	if (curl_easy_setopt(this->curl, CURLOPT_URL, uri) != CURLE_OK)
 	{	/* URL type not supported by curl */
 		return NOT_SUPPORTED;
@@ -85,7 +83,7 @@ static status_t fetch(private_curl_fetcher_t *this, char *uri, chunk_t *result)
 	{
 		curl_easy_setopt(this->curl, CURLOPT_HTTPHEADER, this->headers);
 	}
-	
+
 	DBG2("  sending http request to '%s'...", uri);
 	switch (curl_easy_perform(this->curl))
 	{
@@ -103,13 +101,11 @@ static status_t fetch(private_curl_fetcher_t *this, char *uri, chunk_t *result)
 	return status;
 }
 
-/**
- * Implementation of fetcher_t.set_option.
- */
-static bool set_option(private_curl_fetcher_t *this, fetcher_option_t option, ...)
+METHOD(fetcher_t, set_option, bool,
+	private_curl_fetcher_t *this, fetcher_option_t option, ...)
 {
 	va_list args;
-	
+
 	va_start(args, option);
 	switch (option)
 	{
@@ -154,10 +150,8 @@ static bool set_option(private_curl_fetcher_t *this, fetcher_option_t option, ..
 	}
 }
 
-/**
- * Implements fetcher_t.destroy
- */
-static void destroy(private_curl_fetcher_t *this)
+METHOD(fetcher_t, destroy, void,
+	private_curl_fetcher_t *this)
 {
 	curl_slist_free_all(this->headers);
 	curl_easy_cleanup(this->curl);
@@ -169,20 +163,22 @@ static void destroy(private_curl_fetcher_t *this)
  */
 curl_fetcher_t *curl_fetcher_create()
 {
-	private_curl_fetcher_t *this = malloc_thing(private_curl_fetcher_t);
-	
-	this->curl = curl_easy_init();
-	if (this->curl == NULL)
+	private_curl_fetcher_t *this;
+
+	INIT(this,
+		.public.interface = {
+			.fetch = _fetch,
+			.set_option = _set_option,
+			.destroy = _destroy,
+		},
+		.curl = curl_easy_init(),
+	);
+
+	if (!this->curl)
 	{
 		free(this);
 		return NULL;
 	}
-	this->headers = NULL;
-	
-	this->public.interface.fetch = (status_t(*)(fetcher_t*,char*,chunk_t*))fetch;
-	this->public.interface.set_option = (bool(*)(fetcher_t*, fetcher_option_t option, ...))set_option;
-	this->public.interface.destroy = (void (*)(fetcher_t*))destroy;
-	
 	return &this->public;
 }
 
diff --git a/src/libstrongswan/plugins/curl/curl_fetcher.h b/src/libstrongswan/plugins/curl/curl_fetcher.h
index 043beb834..6b9cad657 100644
--- a/src/libstrongswan/plugins/curl/curl_fetcher.h
+++ b/src/libstrongswan/plugins/curl/curl_fetcher.h
@@ -32,11 +32,6 @@ struct curl_fetcher_t {
 	 * Implements fetcher interface
 	 */
 	fetcher_t interface;
-		
-	/**
-     * Destroy a curl_fetcher instance.
-     */
-    void (*destroy)(curl_fetcher_t *this);
 };
 
 /**
diff --git a/src/libstrongswan/plugins/curl/curl_plugin.c b/src/libstrongswan/plugins/curl/curl_plugin.c
index 97fa07866..13dfa053f 100644
--- a/src/libstrongswan/plugins/curl/curl_plugin.c
+++ b/src/libstrongswan/plugins/curl/curl_plugin.c
@@ -52,26 +52,26 @@ plugin_t *plugin_create()
 {
 	CURLcode res;
 	private_curl_plugin_t *this = malloc_thing(private_curl_plugin_t);
-	
+
 	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-	
+
 	res = curl_global_init(CURL_GLOBAL_NOTHING);
 	if (res == CURLE_OK)
 	{
 		lib->fetcher->add_fetcher(lib->fetcher,
 						(fetcher_constructor_t)curl_fetcher_create, "file://");
-		lib->fetcher->add_fetcher(lib->fetcher, 
+		lib->fetcher->add_fetcher(lib->fetcher,
 						(fetcher_constructor_t)curl_fetcher_create, "http://");
 		lib->fetcher->add_fetcher(lib->fetcher,
 						(fetcher_constructor_t)curl_fetcher_create, "https://");
-		lib->fetcher->add_fetcher(lib->fetcher, 
+		lib->fetcher->add_fetcher(lib->fetcher,
 						(fetcher_constructor_t)curl_fetcher_create, "ftp://");
-    }
-    else
-    {
-    	DBG1("global libcurl initializing failed: %s, curl disabled", 
+	}
+	else
+	{
+		DBG1("global libcurl initializing failed: %s, curl disabled",
 			 curl_easy_strerror(res));
-    }
+	}
 	return &this->public.plugin;
 }
 
diff --git a/src/libstrongswan/plugins/des/Makefile.in b/src/libstrongswan/plugins/des/Makefile.in
index 19da339fe..f68b4bd03 100644
--- a/src/libstrongswan/plugins/des/Makefile.in
+++ b/src/libstrongswan/plugins/des/Makefile.in
@@ -1,8 +1,9 @@
-# Makefile.in generated by automake 1.10.2 from Makefile.am.
+# Makefile.in generated by automake 1.11 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,8 +17,9 @@
 
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
@@ -35,19 +37,41 @@ host_triplet = @host@
 subdir = src/libstrongswan/plugins/des
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
 CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
 am__vpath_adj = case $$p in \
     $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
     *) f=$$p;; \
   esac;
-am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__installdirs = "$(DESTDIR)$(plugindir)"
-pluginLTLIBRARIES_INSTALL = $(INSTALL)
 LTLIBRARIES = $(plugin_LTLIBRARIES)
 libstrongswan_des_la_LIBADD =
 am_libstrongswan_des_la_OBJECTS = des_plugin.lo des_crypter.lo
@@ -58,6 +82,7 @@ libstrongswan_des_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
+am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
@@ -105,25 +130,22 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
-IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
-LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
-LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
-LINUX_HEADERS = @LINUX_HEADERS@
 LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
 NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
@@ -135,11 +157,14 @@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
 PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
+RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
@@ -168,9 +193,9 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
-confdir = @confdir@
 datadir = @datadir@
 datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
@@ -193,7 +218,7 @@ ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
 libstrongswan_plugins = @libstrongswan_plugins@
-linuxdir = @linuxdir@
+linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
@@ -201,6 +226,7 @@ mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
@@ -209,10 +235,12 @@ pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+random_device = @random_device@
 resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
-simreader = @simreader@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
@@ -220,6 +248,7 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
@@ -240,9 +269,9 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/libstrongswan/plugins/des/Makefile'; \
-	cd $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu  src/libstrongswan/plugins/des/Makefile
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/des/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libstrongswan/plugins/des/Makefile
 .PRECIOUS: Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
@@ -260,23 +289,28 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
 	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
 	  if test -f $$p; then \
-	    f=$(am__strip_dir) \
-	    echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(plugindir)/$$f'"; \
-	    $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(plugindir)/$$f"; \
+	    list2="$$list2 $$p"; \
 	  else :; fi; \
-	done
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
 
 uninstall-pluginLTLIBRARIES:
 	@$(NORMAL_UNINSTALL)
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
-	  p=$(am__strip_dir) \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$p'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$p"; \
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
 	done
 
 clean-pluginLTLIBRARIES:
@@ -301,21 +335,21 @@ distclean-compile:
 
 .c.o:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c $<
 
 .c.obj:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
 @am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
@@ -338,7 +372,7 @@ tags: TAGS
 
 TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
+	set x; \
 	here=`pwd`; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
@@ -346,29 +380,34 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
 	  test -n "$$unique" || unique=$$empty_fix; \
-	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	    $$tags $$unique; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
 	fi
 ctags: CTAGS
 CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	test -z "$(CTAGS_ARGS)$$unique" \
 	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$tags $$unique
+	     $$unique
 
 GTAGS:
 	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && cd $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) $$here
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
 
 distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
@@ -389,13 +428,17 @@ distdir: $(DISTFILES)
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
 	  if test -d $$d/$$file; then \
 	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
 	    fi; \
-	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
 	  else \
-	    test -f $(distdir)/$$file \
-	    || cp -p $$d/$$file $(distdir)/$$file \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
 	    || exit 1; \
 	  fi; \
 	done
@@ -426,6 +469,7 @@ clean-generic:
 
 distclean-generic:
 	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -447,6 +491,8 @@ dvi-am:
 
 html: html-am
 
+html-am:
+
 info: info-am
 
 info-am:
@@ -455,18 +501,28 @@ install-data-am: install-pluginLTLIBRARIES
 
 install-dvi: install-dvi-am
 
+install-dvi-am:
+
 install-exec-am:
 
 install-html: install-html-am
 
+install-html-am:
+
 install-info: install-info-am
 
+install-info-am:
+
 install-man:
 
 install-pdf: install-pdf-am
 
+install-pdf-am:
+
 install-ps: install-ps-am
 
+install-ps-am:
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -505,6 +561,7 @@ uninstall-am: uninstall-pluginLTLIBRARIES
 	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
 	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
 
+
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/src/libstrongswan/plugins/des/des_crypter.c b/src/libstrongswan/plugins/des/des_crypter.c
index 680fe8b6a..142e79613 100644
--- a/src/libstrongswan/plugins/des/des_crypter.c
+++ b/src/libstrongswan/plugins/des/des_crypter.c
@@ -11,17 +11,17 @@
  * This package is an SSL implementation written
  * by Eric Young (eay@cryptsoft.com).
  * The implementation was written so as to conform with Netscapes SSL.
- * 
+ *
  * This library is free for commercial and non-commercial use as long as
  * the following conditions are aheared to.
- * 
+ *
  * Copyright remains Eric Young's, and as such any Copyright notices in
  * the code are not to be removed.
  * If this package is used in a product, Eric Young should be given attribution
  * as the author of the parts of the library used.
  * This can be in the form of a textual message at program startup or
  * in documentation (online or textual) provided with the package.
- * 
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
@@ -36,10 +36,10 @@
  *     Eric Young (eay@cryptsoft.com)"
  *    The word 'cryptographic' can be left out if the rouines from the library
  *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
+ * 4. If you include any Windows specific code (or a derivative thereof) from
  *    the apps directory (application code) you must include an acknowledgement:
  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
+ *
  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -73,17 +73,17 @@ typedef struct private_des_crypter_t private_des_crypter_t;
  * Private data for des_crypter_t
  */
 struct private_des_crypter_t {
-	
+
 	/**
 	 * Public part of this class.
 	 */
 	des_crypter_t public;
-	
+
 	/**
 	 * Key size, depends on algoritm...
 	 */
 	size_t key_size;
-	
+
 	union {
 		/** key schedule for single des */
 		des_key_schedule ks;
@@ -141,7 +141,7 @@ YOU SHOULD NOT HAVE BOTH DES_RISC1 AND DES_RISC2 DEFINED!!!!!
    even newer MIPS CPU's, but at the moment one size fits all for
    optimization options.  Older Sparc's work better with only UNROLL, but
    there's no way to tell at compile time what it is you're running on */
- 
+
 #if defined( sun )		/* Newer Sparc's */
 #define DES_PTR
 #define DES_RISC1
@@ -879,7 +879,7 @@ static int des_set_key(des_cblock *key, des_key_schedule *schedule)
 	c2l(in,c);
 	c2l(in,d);
 
-	/* do PC1 in 60 simple operations */ 
+	/* do PC1 in 60 simple operations */
 /*	PERM_OP(d,c,t,4,0x0f0f0f0fL);
 	HPERM_OP(c,t,-2, 0xcccc0000L);
 	HPERM_OP(c,t,-1, 0xaaaa0000L);
@@ -1037,7 +1037,7 @@ static void des_encrypt(DES_LONG *data, des_key_schedule ks, int enc)
 /**
  * DES CBC encrypt decrypt routine
  */
-static void des_cbc_encrypt(des_cblock *input, des_cblock *output, long length, 
+static void des_cbc_encrypt(des_cblock *input, des_cblock *output, long length,
 						    des_key_schedule schedule, des_cblock *ivec, int enc)
 {
 	register DES_LONG tin0,tin1;
@@ -1110,7 +1110,7 @@ static void des_cbc_encrypt(des_cblock *input, des_cblock *output, long length,
 /**
  * DES ECB encrypt decrypt routine
  */
-static void des_ecb_encrypt(des_cblock *input, des_cblock *output, long length, 
+static void des_ecb_encrypt(des_cblock *input, des_cblock *output, long length,
 						    des_key_schedule schedule, int enc)
 {
 	register DES_LONG tin0,tin1;
@@ -1260,7 +1260,7 @@ static void des_encrypt2(DES_LONG *data, des_key_schedule ks, int enc)
 /**
  * Single block 3DES EDE encrypt routine
  */
-static void des_encrypt3(DES_LONG *data, des_key_schedule ks1, 
+static void des_encrypt3(DES_LONG *data, des_key_schedule ks1,
 						 des_key_schedule ks2, des_key_schedule ks3)
 {
 	register DES_LONG l,r;
@@ -1283,7 +1283,7 @@ static void des_encrypt3(DES_LONG *data, des_key_schedule ks1,
 /**
  * Single block 3DES EDE decrypt routine
  */
-static void des_decrypt3(DES_LONG *data, des_key_schedule ks1, 
+static void des_decrypt3(DES_LONG *data, des_key_schedule ks1,
 						 des_key_schedule ks2, des_key_schedule ks3)
 {
 	register DES_LONG l,r;
@@ -1391,7 +1391,7 @@ static void des_ede3_cbc_encrypt(des_cblock *input, des_cblock *output, long len
 		{
 			c2l(in,tin0);
 			c2l(in,tin1);
-			
+
 			t0=tin0;
 			t1=tin1;
 
@@ -1400,7 +1400,7 @@ static void des_ede3_cbc_encrypt(des_cblock *input, des_cblock *output, long len
 			des_decrypt3((DES_LONG *)tin,ks1,ks2,ks3);
 			tout0=tin[0];
 			tout1=tin[1];
-		
+
 			tout0^=xor0;
 			tout1^=xor1;
 			l2cn(tout0,tout1,out,l+8);
@@ -1424,7 +1424,7 @@ static void decrypt(private_des_crypter_t *this, chunk_t data, chunk_t iv,
 {
 	des_cblock ivb;
 	u_int8_t *out;
-	
+
 	out = data.ptr;
 	if (decrypted)
 	{
@@ -1445,7 +1445,7 @@ static void encrypt(private_des_crypter_t *this, chunk_t data, chunk_t iv,
 {
 	des_cblock ivb;
 	u_int8_t *out;
-	
+
 	out = data.ptr;
 	if (encrypted)
 	{
@@ -1464,7 +1464,7 @@ static void decrypt_ecb(private_des_crypter_t *this, chunk_t data, chunk_t iv,
 						chunk_t *decrypted)
 {
 	u_int8_t *out;
-	
+
 	out = data.ptr;
 	if (decrypted)
 	{
@@ -1482,7 +1482,7 @@ static void encrypt_ecb(private_des_crypter_t *this, chunk_t data, chunk_t iv,
 						chunk_t *encrypted)
 {
 	u_int8_t *out;
-	
+
 	out = data.ptr;
 	if (encrypted)
 	{
@@ -1501,7 +1501,7 @@ static void decrypt3(private_des_crypter_t *this, chunk_t data, chunk_t iv,
 {
 	des_cblock ivb;
 	u_int8_t *out;
-	
+
 	out = data.ptr;
 	if (decrypted)
 	{
@@ -1522,7 +1522,7 @@ static void encrypt3(private_des_crypter_t *this, chunk_t data, chunk_t iv,
 {
 	des_cblock ivb;
 	u_int8_t *out;
-	
+
 	out = data.ptr;
 	if (encrypted)
 	{
@@ -1563,7 +1563,7 @@ static void set_key(private_des_crypter_t *this, chunk_t key)
  * Implementation of crypter_t.set_key for 3DES.
  */
 static void set_key3(private_des_crypter_t *this, chunk_t key)
-{	
+{
 	des_set_key((des_cblock*)(key.ptr) + 0, &this->ks3[0]);
 	des_set_key((des_cblock*)(key.ptr) + 1, &this->ks3[1]);
 	des_set_key((des_cblock*)(key.ptr) + 2, &this->ks3[2]);
@@ -1583,12 +1583,12 @@ static void destroy(private_des_crypter_t *this)
 des_crypter_t *des_crypter_create(encryption_algorithm_t algo)
 {
 	private_des_crypter_t *this = malloc_thing(private_des_crypter_t);
-	
-	/* functions of crypter_t interface */	
+
+	/* functions of crypter_t interface */
 	this->public.crypter_interface.get_block_size = (size_t (*) (crypter_t *)) get_block_size;
 	this->public.crypter_interface.get_key_size = (size_t (*) (crypter_t *)) get_key_size;
 	this->public.crypter_interface.destroy = (void (*) (crypter_t *)) destroy;
-	
+
 	/* use functions depending on algorithm */
 	switch (algo)
 	{
diff --git a/src/libstrongswan/plugins/des/des_crypter.h b/src/libstrongswan/plugins/des/des_crypter.h
index 623b292fc..cffbd4ce3 100644
--- a/src/libstrongswan/plugins/des/des_crypter.h
+++ b/src/libstrongswan/plugins/des/des_crypter.h
@@ -30,7 +30,7 @@ typedef struct des_crypter_t des_crypter_t;
  * Class implementing the DES and 3DES encryption algorithms.
  */
 struct des_crypter_t {
-	
+
 	/**
 	 * The crypter_t interface.
 	 */
@@ -39,7 +39,7 @@ struct des_crypter_t {
 
 /**
  * Constructor to create des_crypter_t objects.
- * 
+ *
  * @param algo		ENCR_DES for single DES, ENCR_3DES for triple DES
  * @return			des_crypter_t object, NULL if algo not supported
  */
diff --git a/src/libstrongswan/plugins/des/des_plugin.c b/src/libstrongswan/plugins/des/des_plugin.c
index e16b475d4..649d224ab 100644
--- a/src/libstrongswan/plugins/des/des_plugin.c
+++ b/src/libstrongswan/plugins/des/des_plugin.c
@@ -47,16 +47,16 @@ static void destroy(private_des_plugin_t *this)
 plugin_t *plugin_create()
 {
 	private_des_plugin_t *this = malloc_thing(private_des_plugin_t);
-	
+
 	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-	
+
 	lib->crypto->add_crypter(lib->crypto, ENCR_3DES,
 							 (crypter_constructor_t)des_crypter_create);
 	lib->crypto->add_crypter(lib->crypto, ENCR_DES,
 							 (crypter_constructor_t)des_crypter_create);
 	lib->crypto->add_crypter(lib->crypto, ENCR_DES_ECB,
 							 (crypter_constructor_t)des_crypter_create);
-	
+
 	return &this->public.plugin;
 }
 
diff --git a/src/libstrongswan/plugins/dnskey/Makefile.am b/src/libstrongswan/plugins/dnskey/Makefile.am
new file mode 100644
index 000000000..fd020f505
--- /dev/null
+++ b/src/libstrongswan/plugins/dnskey/Makefile.am
@@ -0,0 +1,12 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = -rdynamic
+
+plugin_LTLIBRARIES = libstrongswan-dnskey.la
+
+libstrongswan_dnskey_la_SOURCES = dnskey_plugin.h dnskey_plugin.c \
+  dnskey_builder.h dnskey_builder.c
+
+libstrongswan_dnskey_la_LDFLAGS = -module -avoid-version
+
diff --git a/src/libstrongswan/plugins/dnskey/Makefile.in b/src/libstrongswan/plugins/dnskey/Makefile.in
new file mode 100644
index 000000000..d7d5ff29b
--- /dev/null
+++ b/src/libstrongswan/plugins/dnskey/Makefile.in
@@ -0,0 +1,571 @@
+# Makefile.in generated by automake 1.11 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libstrongswan/plugins/dnskey
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(plugin_LTLIBRARIES)
+libstrongswan_dnskey_la_LIBADD =
+am_libstrongswan_dnskey_la_OBJECTS = dnskey_plugin.lo \
+	dnskey_builder.lo
+libstrongswan_dnskey_la_OBJECTS =  \
+	$(am_libstrongswan_dnskey_la_OBJECTS)
+libstrongswan_dnskey_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_dnskey_la_LDFLAGS) $(LDFLAGS) -o $@
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_dnskey_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_dnskey_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libstrongswan_plugins = @libstrongswan_plugins@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+AM_CFLAGS = -rdynamic
+plugin_LTLIBRARIES = libstrongswan-dnskey.la
+libstrongswan_dnskey_la_SOURCES = dnskey_plugin.h dnskey_plugin.c \
+  dnskey_builder.h dnskey_builder.c
+
+libstrongswan_dnskey_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/dnskey/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libstrongswan/plugins/dnskey/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-dnskey.la: $(libstrongswan_dnskey_la_OBJECTS) $(libstrongswan_dnskey_la_DEPENDENCIES) 
+	$(libstrongswan_dnskey_la_LINK) -rpath $(plugindir) $(libstrongswan_dnskey_la_OBJECTS) $(libstrongswan_dnskey_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/dnskey_builder.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/dnskey_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
+	mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
+	distclean-compile distclean-generic distclean-libtool \
+	distclean-tags distdir dvi dvi-am html html-am info info-am \
+	install install-am install-data install-data-am install-dvi \
+	install-dvi-am install-exec install-exec-am install-html \
+	install-html-am install-info install-info-am install-man \
+	install-pdf install-pdf-am install-pluginLTLIBRARIES \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libstrongswan/plugins/dnskey/dnskey_builder.c b/src/libstrongswan/plugins/dnskey/dnskey_builder.c
new file mode 100644
index 000000000..ba20e7158
--- /dev/null
+++ b/src/libstrongswan/plugins/dnskey/dnskey_builder.c
@@ -0,0 +1,142 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "dnskey_builder.h"
+
+#include <debug.h>
+#include <credentials/keys/private_key.h>
+
+
+typedef struct dnskey_rr_t dnskey_rr_t;
+typedef enum dnskey_algorithm_t dnskey_algorithm_t;
+
+/**
+ * Header of a DNSKEY resource record
+ */
+struct dnskey_rr_t {
+	u_int16_t flags;
+	u_int8_t protocol;
+	u_int8_t algorithm;
+	u_int8_t data[];
+} __attribute__((__packed__));
+
+/**
+ * DNSSEC algorithms, RFC4034 Appendix A.1.
+ */
+enum dnskey_algorithm_t {
+	DNSKEY_ALG_RSA_MD5 = 1,
+	DNSKEY_ALG_DH = 2,
+	DNSKEY_ALG_DSA = 3,
+	DNSKEY_ALG_ECC = 4,
+	DNSKEY_ALG_RSA_SHA1 = 5,
+};
+
+/**
+ * Load a generic public key from a DNSKEY RR blob
+ */
+static dnskey_public_key_t *parse_public_key(chunk_t blob)
+{
+	dnskey_rr_t *rr = (dnskey_rr_t*)blob.ptr;
+
+	if (blob.len < sizeof(dnskey_rr_t))
+	{
+		DBG1("DNSKEY too short");
+		return NULL;
+	}
+	blob = chunk_skip(blob, sizeof(dnskey_rr_t));
+
+	switch (rr->algorithm)
+	{
+		case DNSKEY_ALG_RSA_SHA1:
+			return lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
+									  BUILD_BLOB_DNSKEY, blob, BUILD_END);
+		default:
+			DBG1("DNSKEY public key algorithm %d not supported", rr->algorithm);
+			return NULL;
+	}
+}
+
+/**
+ * Load a RSA public key from DNSKEY RR data
+ */
+static dnskey_public_key_t *parse_rsa_public_key(chunk_t blob)
+{
+	chunk_t n, e;
+
+	if (blob.len < 3)
+	{
+		DBG1("RFC 3110 public key blob too short for exponent length");
+		return NULL;
+	}
+
+	if (blob.ptr[0])
+	{
+		e.len = blob.ptr[0];
+		blob = chunk_skip(blob, 1);
+	}
+	else
+	{
+		e.len = blob.ptr[1] * 256 + blob.ptr[2];
+		blob = chunk_skip(blob, 3);
+	}
+	e.ptr = blob.ptr;
+	if (e.len >= blob.len)
+	{
+		DBG1("RFC 3110 public key blob too short for exponent");
+		return NULL;
+	}
+	n = chunk_skip(blob, e.len);
+
+	return lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
+						BUILD_RSA_MODULUS, n, BUILD_RSA_PUB_EXP, e,
+						BUILD_END);
+}
+
+/**
+ * See header.
+ */
+dnskey_public_key_t *dnskey_public_key_load(key_type_t type, va_list args)
+{
+	chunk_t blob = chunk_empty;
+
+	while (TRUE)
+	{
+		switch (va_arg(args, builder_part_t))
+		{
+			case BUILD_BLOB_DNSKEY:
+				blob = va_arg(args, chunk_t);
+				continue;
+			case BUILD_END:
+				break;
+			default:
+				return NULL;
+		}
+		break;
+	}
+	if (!blob.ptr)
+	{
+		return NULL;
+	}
+	switch (type)
+	{
+		case KEY_ANY:
+			return parse_public_key(blob);
+		case KEY_RSA:
+			return parse_rsa_public_key(blob);
+		default:
+			return NULL;
+	}
+}
+
diff --git a/src/libstrongswan/plugins/dnskey/dnskey_builder.h b/src/libstrongswan/plugins/dnskey/dnskey_builder.h
new file mode 100644
index 000000000..16eff3269
--- /dev/null
+++ b/src/libstrongswan/plugins/dnskey/dnskey_builder.h
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup dnskey_public_key dnskey_public_key
+ * @{ @ingroup dnskey_p
+ */
+
+#ifndef DNSKEY_BUILDER_H_
+#define DNSKEY_BUILDER_H_
+
+#include <credentials/builder.h>
+#include <credentials/keys/public_key.h>
+
+typedef struct dnskey_public_key_t dnskey_public_key_t;
+
+/**
+ * Public key implementation supporting RFC4034 decoding.
+ */
+struct dnskey_public_key_t {
+
+	/**
+	 * Implements public_key_t interface.
+	 */
+	public_key_t interface;
+};
+
+/**
+ * Load a public key in RFC4034 format.
+ *
+ * Takes a BUILD_BLOB_DNSKEY to parse the public key.
+ *
+ * @param type		type of the key, must be KEY_RSA or KEY_ANY
+ * @param args		builder_part_t argument list
+ * @return 			built key, NULL on failure
+ */
+dnskey_public_key_t *dnskey_public_key_load(key_type_t type, va_list args);
+
+#endif /** DNSKEY_BUILDER_H_ @}*/
diff --git a/src/libstrongswan/plugins/dnskey/dnskey_plugin.c b/src/libstrongswan/plugins/dnskey/dnskey_plugin.c
new file mode 100644
index 000000000..83dbe31a1
--- /dev/null
+++ b/src/libstrongswan/plugins/dnskey/dnskey_plugin.c
@@ -0,0 +1,60 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "dnskey_plugin.h"
+
+#include <library.h>
+#include "dnskey_builder.h"
+
+typedef struct private_dnskey_plugin_t private_dnskey_plugin_t;
+
+/**
+ * private data of dnskey_plugin
+ */
+struct private_dnskey_plugin_t {
+
+	/**
+	 * public functions
+	 */
+	dnskey_plugin_t public;
+};
+
+/**
+ * Implementation of dnskey_plugin_t.dnskeytroy
+ */
+static void destroy(private_dnskey_plugin_t *this)
+{
+	lib->creds->remove_builder(lib->creds,
+							(builder_function_t)dnskey_public_key_load);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *plugin_create()
+{
+	private_dnskey_plugin_t *this = malloc_thing(private_dnskey_plugin_t);
+
+	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+
+	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_ANY,
+							(builder_function_t)dnskey_public_key_load);
+	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
+							(builder_function_t)dnskey_public_key_load);
+
+	return &this->public.plugin;
+}
+
diff --git a/src/libstrongswan/plugins/dnskey/dnskey_plugin.h b/src/libstrongswan/plugins/dnskey/dnskey_plugin.h
new file mode 100644
index 000000000..17790e1c6
--- /dev/null
+++ b/src/libstrongswan/plugins/dnskey/dnskey_plugin.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup dnskey_p dnskey
+ * @ingroup plugins
+ *
+ * @defgroup dnskey_plugin dnskey_plugin
+ * @{ @ingroup dnskey_p
+ */
+
+#ifndef DNSKEY_PLUGIN_H_
+#define DNSKEY_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct dnskey_plugin_t dnskey_plugin_t;
+
+/**
+ * Plugin providing RFC4034 public key decoding functions.
+ */
+struct dnskey_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+/**
+ * Create a dnskey_plugin instance.
+ */
+plugin_t *plugin_create();
+
+#endif /** DNSKEY_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/fips_prf/Makefile.in b/src/libstrongswan/plugins/fips_prf/Makefile.in
index 5dcae7f27..b23af6def 100644
--- a/src/libstrongswan/plugins/fips_prf/Makefile.in
+++ b/src/libstrongswan/plugins/fips_prf/Makefile.in
@@ -1,8 +1,9 @@
-# Makefile.in generated by automake 1.10.2 from Makefile.am.
+# Makefile.in generated by automake 1.11 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,8 +17,9 @@
 
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
@@ -35,19 +37,41 @@ host_triplet = @host@
 subdir = src/libstrongswan/plugins/fips_prf
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
 CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
 am__vpath_adj = case $$p in \
     $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
     *) f=$$p;; \
   esac;
-am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__installdirs = "$(DESTDIR)$(plugindir)"
-pluginLTLIBRARIES_INSTALL = $(INSTALL)
 LTLIBRARIES = $(plugin_LTLIBRARIES)
 libstrongswan_fips_prf_la_LIBADD =
 am_libstrongswan_fips_prf_la_OBJECTS = fips_prf_plugin.lo fips_prf.lo
@@ -60,6 +84,7 @@ libstrongswan_fips_prf_la_LINK = $(LIBTOOL) --tag=CC \
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
+am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
@@ -107,25 +132,22 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
-IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
-LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
-LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
-LINUX_HEADERS = @LINUX_HEADERS@
 LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
 NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
@@ -137,11 +159,14 @@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
 PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
+RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
@@ -170,9 +195,9 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
-confdir = @confdir@
 datadir = @datadir@
 datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
@@ -195,7 +220,7 @@ ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
 libstrongswan_plugins = @libstrongswan_plugins@
-linuxdir = @linuxdir@
+linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
@@ -203,6 +228,7 @@ mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
@@ -211,10 +237,12 @@ pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+random_device = @random_device@
 resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
-simreader = @simreader@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
@@ -222,6 +250,7 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
@@ -242,9 +271,9 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/libstrongswan/plugins/fips_prf/Makefile'; \
-	cd $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu  src/libstrongswan/plugins/fips_prf/Makefile
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/fips_prf/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libstrongswan/plugins/fips_prf/Makefile
 .PRECIOUS: Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
@@ -262,23 +291,28 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
 	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
 	  if test -f $$p; then \
-	    f=$(am__strip_dir) \
-	    echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(plugindir)/$$f'"; \
-	    $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(plugindir)/$$f"; \
+	    list2="$$list2 $$p"; \
 	  else :; fi; \
-	done
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
 
 uninstall-pluginLTLIBRARIES:
 	@$(NORMAL_UNINSTALL)
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
-	  p=$(am__strip_dir) \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$p'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$p"; \
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
 	done
 
 clean-pluginLTLIBRARIES:
@@ -303,21 +337,21 @@ distclean-compile:
 
 .c.o:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c $<
 
 .c.obj:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
 @am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
@@ -340,7 +374,7 @@ tags: TAGS
 
 TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
+	set x; \
 	here=`pwd`; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
@@ -348,29 +382,34 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
 	  test -n "$$unique" || unique=$$empty_fix; \
-	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	    $$tags $$unique; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
 	fi
 ctags: CTAGS
 CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	test -z "$(CTAGS_ARGS)$$unique" \
 	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$tags $$unique
+	     $$unique
 
 GTAGS:
 	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && cd $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) $$here
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
 
 distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
@@ -391,13 +430,17 @@ distdir: $(DISTFILES)
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
 	  if test -d $$d/$$file; then \
 	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
 	    fi; \
-	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
 	  else \
-	    test -f $(distdir)/$$file \
-	    || cp -p $$d/$$file $(distdir)/$$file \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
 	    || exit 1; \
 	  fi; \
 	done
@@ -428,6 +471,7 @@ clean-generic:
 
 distclean-generic:
 	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -449,6 +493,8 @@ dvi-am:
 
 html: html-am
 
+html-am:
+
 info: info-am
 
 info-am:
@@ -457,18 +503,28 @@ install-data-am: install-pluginLTLIBRARIES
 
 install-dvi: install-dvi-am
 
+install-dvi-am:
+
 install-exec-am:
 
 install-html: install-html-am
 
+install-html-am:
+
 install-info: install-info-am
 
+install-info-am:
+
 install-man:
 
 install-pdf: install-pdf-am
 
+install-pdf-am:
+
 install-ps: install-ps-am
 
+install-ps-am:
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -507,6 +563,7 @@ uninstall-am: uninstall-pluginLTLIBRARIES
 	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
 	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
 
+
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/src/libstrongswan/plugins/fips_prf/fips_prf.c b/src/libstrongswan/plugins/fips_prf/fips_prf.c
index be28f10bc..123d2a244 100644
--- a/src/libstrongswan/plugins/fips_prf/fips_prf.c
+++ b/src/libstrongswan/plugins/fips_prf/fips_prf.c
@@ -29,22 +29,22 @@ struct private_fips_prf_t {
 	 * Public fips_prf_t interface.
 	 */
 	fips_prf_t public;
-	
+
 	/**
 	 * key of prf function, "b" long
 	 */
 	u_int8_t *key;
-	
+
 	/**
 	 * size of "b" in bytes
 	 */
 	size_t b;
-	
+
 	/**
 	 * Keyed SHA1 prf: It does not use SHA1Final operation
 	 */
 	prf_t *keyed_prf;
-	
+
 	/**
 	 * G function, either SHA1 or DES
 	 */
@@ -57,11 +57,11 @@ struct private_fips_prf_t {
 static void add_mod(size_t length, u_int8_t a[], u_int8_t b[], u_int8_t sum[])
 {
 	int i, c = 0;
-	
+
 	for(i = length - 1; i >= 0; i--)
 	{
 		u_int32_t tmp;
-		
+
 		tmp = a[i] + b[i] + c;
 		sum[i] = 0xff & tmp;
 		c = tmp >> 8;
@@ -114,14 +114,13 @@ static void get_bytes(private_fips_prf_t *this, chunk_t seed, u_int8_t w[])
 	u_int8_t sum[this->b];
 	u_int8_t *xkey = this->key;
 	u_int8_t one[this->b];
-	chunk_t xval_chunk = chunk_from_buf(xval);
-	
+
 	memset(one, 0, this->b);
 	one[this->b - 1] = 0x01;
-	
+
 	/* 3.1 */
 	chunk_mod(this->b, seed, xseed);
-	
+
 	/* 3.2 */
 	for (i = 0; i < 2; i++) /* twice */
 	{
@@ -129,14 +128,14 @@ static void get_bytes(private_fips_prf_t *this, chunk_t seed, u_int8_t w[])
 		add_mod(this->b, xkey, xseed, xval);
 		DBG3("XVAL %b", xval, this->b);
 		/* b. wi = G(t, XVAL ) */
-		this->g(this, xval_chunk, &w[i * this->b]);
+		this->g(this, chunk_create(xval, this->b), &w[i * this->b]);
 		DBG3("w[%d] %b", i, &w[i * this->b], this->b);
 		/* c. XKEY = (1 + XKEY + wi) mod 2b */
 		add_mod(this->b, xkey, &w[i * this->b], sum);
 		add_mod(this->b, sum, one, xkey);
 		DBG3("XKEY %b", xkey, this->b);
 	}
-	
+
 	/* 3.3 done already, mod q not used */
 }
 
@@ -179,7 +178,7 @@ static void set_key(private_fips_prf_t *this, chunk_t key)
 void g_sha1(private_fips_prf_t *this, chunk_t c, u_int8_t res[])
 {
 	u_int8_t buf[64];
-	
+
 	if (c.len < sizeof(buf))
 	{
 		/* pad c with zeros */
@@ -193,7 +192,7 @@ void g_sha1(private_fips_prf_t *this, chunk_t c, u_int8_t res[])
 		/* not more than 512 bits can be G()-ed */
 		c.len = sizeof(buf);
 	}
-	
+
 	/* use the keyed hasher, but use an empty key to use SHA1 IV */
 	this->keyed_prf->set_key(this->keyed_prf, chunk_empty);
 	this->keyed_prf->get_bytes(this->keyed_prf, c, res);
@@ -215,14 +214,14 @@ static void destroy(private_fips_prf_t *this)
 fips_prf_t *fips_prf_create(pseudo_random_function_t algo)
 {
 	private_fips_prf_t *this = malloc_thing(private_fips_prf_t);
-	
+
 	this->public.prf_interface.get_bytes = (void (*) (prf_t *,chunk_t,u_int8_t*))get_bytes;
 	this->public.prf_interface.allocate_bytes = (void (*) (prf_t*,chunk_t,chunk_t*))allocate_bytes;
 	this->public.prf_interface.get_block_size = (size_t (*) (prf_t*))get_block_size;
 	this->public.prf_interface.get_key_size = (size_t (*) (prf_t*))get_key_size;
 	this->public.prf_interface.set_key = (void (*) (prf_t *,chunk_t))set_key;
 	this->public.prf_interface.destroy = (void (*) (prf_t *))destroy;
-	
+
 	switch (algo)
 	{
 		case PRF_FIPS_SHA1_160:
@@ -244,7 +243,7 @@ fips_prf_t *fips_prf_create(pseudo_random_function_t algo)
 			return NULL;
 	}
 	this->key = malloc(this->b);
-	
+
 	return &this->public;
 }
 
diff --git a/src/libstrongswan/plugins/fips_prf/fips_prf.h b/src/libstrongswan/plugins/fips_prf/fips_prf.h
index b2940be72..514e3c5d9 100644
--- a/src/libstrongswan/plugins/fips_prf/fips_prf.h
+++ b/src/libstrongswan/plugins/fips_prf/fips_prf.h
@@ -37,7 +37,7 @@ typedef struct fips_prf_t fips_prf_t;
  * The FIPS PRF is stateful; the key changes every time when bytes are acquired.
  */
 struct fips_prf_t {
-	
+
 	/**
 	 * Generic prf_t interface for this fips_prf_t class.
 	 */
@@ -46,7 +46,7 @@ struct fips_prf_t {
 
 /**
  * Creates a new fips_prf_t object.
- * 
+ *
  * FIPS 186-2 defines G() functions used in the PRF function. It can
  * be implemented either based on SHA1 or DES.
  * The G() function is selected using the algo parameter.
diff --git a/src/libstrongswan/plugins/fips_prf/fips_prf_plugin.c b/src/libstrongswan/plugins/fips_prf/fips_prf_plugin.c
index 7576e79ad..6c0842f81 100644
--- a/src/libstrongswan/plugins/fips_prf/fips_prf_plugin.c
+++ b/src/libstrongswan/plugins/fips_prf/fips_prf_plugin.c
@@ -47,11 +47,11 @@ static void destroy(private_fips_prf_plugin_t *this)
 plugin_t *plugin_create()
 {
 	private_fips_prf_plugin_t *this = malloc_thing(private_fips_prf_plugin_t);
-	
+
 	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-	
+
 	lib->crypto->add_prf(lib->crypto, PRF_FIPS_SHA1_160,
 						 (prf_constructor_t)fips_prf_create);
-	
+
 	return &this->public.plugin;
 }
diff --git a/src/libstrongswan/plugins/gcrypt/Makefile.am b/src/libstrongswan/plugins/gcrypt/Makefile.am
index 7394676e2..a468a5ed9 100644
--- a/src/libstrongswan/plugins/gcrypt/Makefile.am
+++ b/src/libstrongswan/plugins/gcrypt/Makefile.am
@@ -1,7 +1,7 @@
 
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
 
-AM_CFLAGS = -rdynamic $(LIBGCRYPT_CFLAGS)
+AM_CFLAGS = -rdynamic
 
 plugin_LTLIBRARIES = libstrongswan-gcrypt.la
 
@@ -14,4 +14,4 @@ libstrongswan_gcrypt_la_SOURCES = gcrypt_plugin.h gcrypt_plugin.c \
 	gcrypt_hasher.h gcrypt_hasher.c
 
 libstrongswan_gcrypt_la_LDFLAGS = -module -avoid-version
-libstrongswan_gcrypt_la_LIBADD  = $(LIBGCRYPT_LIBS)
+libstrongswan_gcrypt_la_LIBADD  = -lgcrypt
diff --git a/src/libstrongswan/plugins/gcrypt/Makefile.in b/src/libstrongswan/plugins/gcrypt/Makefile.in
index e3d27f7f8..c3081e2dd 100644
--- a/src/libstrongswan/plugins/gcrypt/Makefile.in
+++ b/src/libstrongswan/plugins/gcrypt/Makefile.in
@@ -1,8 +1,9 @@
-# Makefile.in generated by automake 1.10.2 from Makefile.am.
+# Makefile.in generated by automake 1.11 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,8 +17,9 @@
 
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
@@ -35,22 +37,43 @@ host_triplet = @host@
 subdir = src/libstrongswan/plugins/gcrypt
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
 CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
 am__vpath_adj = case $$p in \
     $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
     *) f=$$p;; \
   esac;
-am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__installdirs = "$(DESTDIR)$(plugindir)"
-pluginLTLIBRARIES_INSTALL = $(INSTALL)
 LTLIBRARIES = $(plugin_LTLIBRARIES)
-am__DEPENDENCIES_1 =
-libstrongswan_gcrypt_la_DEPENDENCIES = $(am__DEPENDENCIES_1)
+libstrongswan_gcrypt_la_DEPENDENCIES =
 am_libstrongswan_gcrypt_la_OBJECTS = gcrypt_plugin.lo \
 	gcrypt_rsa_public_key.lo gcrypt_rsa_private_key.lo \
 	gcrypt_dh.lo gcrypt_rng.lo gcrypt_crypter.lo gcrypt_hasher.lo
@@ -62,6 +85,7 @@ libstrongswan_gcrypt_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
+am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
@@ -109,25 +133,22 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
-IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
-LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
-LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
-LINUX_HEADERS = @LINUX_HEADERS@
 LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
 NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
@@ -139,11 +160,14 @@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
 PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
+RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
@@ -172,9 +196,9 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
-confdir = @confdir@
 datadir = @datadir@
 datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
@@ -197,7 +221,7 @@ ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
 libstrongswan_plugins = @libstrongswan_plugins@
-linuxdir = @linuxdir@
+linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
@@ -205,6 +229,7 @@ mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
@@ -213,10 +238,12 @@ pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+random_device = @random_device@
 resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
-simreader = @simreader@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
@@ -224,10 +251,11 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -rdynamic $(LIBGCRYPT_CFLAGS)
+AM_CFLAGS = -rdynamic
 plugin_LTLIBRARIES = libstrongswan-gcrypt.la
 libstrongswan_gcrypt_la_SOURCES = gcrypt_plugin.h gcrypt_plugin.c \
 	gcrypt_rsa_public_key.h gcrypt_rsa_public_key.c \
@@ -238,7 +266,7 @@ libstrongswan_gcrypt_la_SOURCES = gcrypt_plugin.h gcrypt_plugin.c \
 	gcrypt_hasher.h gcrypt_hasher.c
 
 libstrongswan_gcrypt_la_LDFLAGS = -module -avoid-version
-libstrongswan_gcrypt_la_LIBADD = $(LIBGCRYPT_LIBS)
+libstrongswan_gcrypt_la_LIBADD = -lgcrypt
 all: all-am
 
 .SUFFIXES:
@@ -252,9 +280,9 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/libstrongswan/plugins/gcrypt/Makefile'; \
-	cd $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu  src/libstrongswan/plugins/gcrypt/Makefile
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/gcrypt/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libstrongswan/plugins/gcrypt/Makefile
 .PRECIOUS: Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
@@ -272,23 +300,28 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
 	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
 	  if test -f $$p; then \
-	    f=$(am__strip_dir) \
-	    echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(plugindir)/$$f'"; \
-	    $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(plugindir)/$$f"; \
+	    list2="$$list2 $$p"; \
 	  else :; fi; \
-	done
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
 
 uninstall-pluginLTLIBRARIES:
 	@$(NORMAL_UNINSTALL)
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
-	  p=$(am__strip_dir) \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$p'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$p"; \
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
 	done
 
 clean-pluginLTLIBRARIES:
@@ -318,21 +351,21 @@ distclean-compile:
 
 .c.o:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c $<
 
 .c.obj:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
 @am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
@@ -355,7 +388,7 @@ tags: TAGS
 
 TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
+	set x; \
 	here=`pwd`; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
@@ -363,29 +396,34 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
 	  test -n "$$unique" || unique=$$empty_fix; \
-	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	    $$tags $$unique; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
 	fi
 ctags: CTAGS
 CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	test -z "$(CTAGS_ARGS)$$unique" \
 	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$tags $$unique
+	     $$unique
 
 GTAGS:
 	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && cd $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) $$here
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
 
 distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
@@ -406,13 +444,17 @@ distdir: $(DISTFILES)
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
 	  if test -d $$d/$$file; then \
 	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
 	    fi; \
-	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
 	  else \
-	    test -f $(distdir)/$$file \
-	    || cp -p $$d/$$file $(distdir)/$$file \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
 	    || exit 1; \
 	  fi; \
 	done
@@ -443,6 +485,7 @@ clean-generic:
 
 distclean-generic:
 	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -464,6 +507,8 @@ dvi-am:
 
 html: html-am
 
+html-am:
+
 info: info-am
 
 info-am:
@@ -472,18 +517,28 @@ install-data-am: install-pluginLTLIBRARIES
 
 install-dvi: install-dvi-am
 
+install-dvi-am:
+
 install-exec-am:
 
 install-html: install-html-am
 
+install-html-am:
+
 install-info: install-info-am
 
+install-info-am:
+
 install-man:
 
 install-pdf: install-pdf-am
 
+install-pdf-am:
+
 install-ps: install-ps-am
 
+install-ps-am:
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -522,6 +577,7 @@ uninstall-am: uninstall-pluginLTLIBRARIES
 	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
 	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
 
+
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_crypter.c b/src/libstrongswan/plugins/gcrypt/gcrypt_crypter.c
index f82d23185..1eee6226d 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_crypter.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_crypter.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil 
+ * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -25,17 +25,17 @@ typedef struct private_gcrypt_crypter_t private_gcrypt_crypter_t;
  * Private data of gcrypt_crypter_t
  */
 struct private_gcrypt_crypter_t {
-	
+
 	/**
 	 * Public part of this class.
 	 */
 	gcrypt_crypter_t public;
-	
+
 	/**
 	 * gcrypt cipher handle
 	 */
 	gcry_cipher_hd_t h;
-	
+
 	/**
 	 * gcrypt algorithm identifier
 	 */
@@ -49,7 +49,7 @@ static void decrypt(private_gcrypt_crypter_t *this, chunk_t data,
 					chunk_t iv, chunk_t *dst)
 {
 	gcry_cipher_setiv(this->h, iv.ptr, iv.len);
-	
+
 	if (dst)
 	{
 		*dst = chunk_alloc(data.len);
@@ -68,7 +68,7 @@ static void encrypt(private_gcrypt_crypter_t *this, chunk_t data,
 					chunk_t iv, chunk_t *dst)
 {
 	gcry_cipher_setiv(this->h, iv.ptr, iv.len);
-	
+
 	if (dst)
 	{
 		*dst = chunk_alloc(data.len);
@@ -86,7 +86,7 @@ static void encrypt(private_gcrypt_crypter_t *this, chunk_t data,
 static size_t get_block_size(private_gcrypt_crypter_t *this)
 {
 	size_t len = 0;
-	
+
 	gcry_cipher_algo_info(this->alg, GCRYCTL_GET_BLKLEN, NULL, &len);
 	return len;
 }
@@ -97,7 +97,7 @@ static size_t get_block_size(private_gcrypt_crypter_t *this)
 static size_t get_key_size(private_gcrypt_crypter_t *this)
 {
 	size_t len = 0;
-	
+
 	gcry_cipher_algo_info(this->alg, GCRYCTL_GET_KEYLEN, NULL, &len);
 	return len;
 }
@@ -129,7 +129,7 @@ gcrypt_crypter_t *gcrypt_crypter_create(encryption_algorithm_t algo,
 	int gcrypt_alg;
 	int mode = GCRY_CIPHER_MODE_CBC;
 	gcry_error_t err;
-	
+
 	switch (algo)
 	{
 		case ENCR_DES:
@@ -227,9 +227,9 @@ gcrypt_crypter_t *gcrypt_crypter_create(encryption_algorithm_t algo,
 		default:
 			return NULL;
 	}
-	
+
 	this = malloc_thing(private_gcrypt_crypter_t);
-	
+
 	this->alg = gcrypt_alg;
 	err = gcry_cipher_open(&this->h, gcrypt_alg, mode, 0);
 	if (err)
@@ -239,14 +239,14 @@ gcrypt_crypter_t *gcrypt_crypter_create(encryption_algorithm_t algo,
 		free(this);
 		return NULL;
 	}
-	
+
 	this->public.crypter_interface.encrypt = (void (*) (crypter_t *, chunk_t,chunk_t, chunk_t *))encrypt;
 	this->public.crypter_interface.decrypt = (void (*) (crypter_t *, chunk_t , chunk_t, chunk_t *))decrypt;
 	this->public.crypter_interface.get_block_size = (size_t (*) (crypter_t *))get_block_size;
 	this->public.crypter_interface.get_key_size = (size_t (*) (crypter_t *))get_key_size;
 	this->public.crypter_interface.set_key = (void (*) (crypter_t *,chunk_t))set_key;
 	this->public.crypter_interface.destroy = (void (*) (crypter_t *))destroy;
-	
+
 	return &this->public;
 }
 
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_crypter.h b/src/libstrongswan/plugins/gcrypt/gcrypt_crypter.h
index c5a5e6723..ce0ead4a8 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_crypter.h
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_crypter.h
@@ -29,7 +29,7 @@ typedef struct gcrypt_crypter_t gcrypt_crypter_t;
  * Implementation of crypters using gcrypt.
  */
 struct gcrypt_crypter_t {
-	
+
 	/**
 	 * The crypter_t interface.
 	 */
@@ -38,7 +38,7 @@ struct gcrypt_crypter_t {
 
 /**
  * Constructor to create gcrypt_crypter_t.
- * 
+ *
  * @param algo			algorithm to implement
  * @param key_size		key size in bytes
  * @return				gcrypt_crypter_t, NULL if not supported
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c b/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c
index 89d9f2348..59c82f1e7 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c
@@ -278,7 +278,7 @@ static u_int8_t group18_modulus[] = {
 
 typedef struct modulus_entry_t modulus_entry_t;
 
-/** 
+/**
  * Entry of the modulus list.
  */
 struct modulus_entry_t {
@@ -312,7 +312,7 @@ static modulus_entry_t modulus_entries[] = {
 static modulus_entry_t *find_entry(diffie_hellman_group_t group)
 {
 	int i;
-	
+
 	for (i = 0; i < countof(modulus_entries); i++)
 	{
 		if (modulus_entries[i].group == group)
@@ -329,47 +329,47 @@ typedef struct private_gcrypt_dh_t private_gcrypt_dh_t;
  * Private data of an gcrypt_dh_t object.
  */
 struct private_gcrypt_dh_t {
-	
+
 	/**
 	 * Public gcrypt_dh_t interface
 	 */
 	gcrypt_dh_t public;
-	
+
 	/**
 	 * Diffie Hellman group number
 	 */
 	u_int16_t group;
-	
-	/* 
+
+	/*
 	 * Generator value
-	 */	
+	 */
 	gcry_mpi_t g;
-	
+
 	/**
 	 * Own private value
 	 */
 	gcry_mpi_t xa;
-	
+
 	/**
 	 * Own public value
 	 */
 	gcry_mpi_t ya;
-	
+
 	/**
 	 * Other public value
 	 */
 	gcry_mpi_t yb;
-	
+
 	/**
 	 * Shared secret
 	 */
 	gcry_mpi_t zz;
-	
+
 	/**
 	 * Modulus
 	 */
 	gcry_mpi_t p;
-	
+
 	/**
 	 * Modulus length.
 	 */
@@ -383,7 +383,7 @@ static void set_other_public_value(private_gcrypt_dh_t *this, chunk_t value)
 {
 	gcry_mpi_t p_min_1;
 	gcry_error_t err;
-	
+
 	if (this->yb)
 	{
 		gcry_mpi_release(this->yb);
@@ -395,11 +395,11 @@ static void set_other_public_value(private_gcrypt_dh_t *this, chunk_t value)
 		DBG1("importing mpi yb failed: %s", gpg_strerror(err));
 		return;
 	}
-	
+
 	p_min_1 = gcry_mpi_new(this->p_len * 8);
 	gcry_mpi_sub_ui(p_min_1, this->p, 1);
-	
-	/* check public value: 
+
+	/* check public value:
 	 * 1. 0 or 1 is invalid as 0^a = 0 and 1^a = 1
 	 * 2. a public value larger or equal the modulus is invalid */
 	if (gcry_mpi_cmp_ui(this->yb, 1) > 0 &&
@@ -425,7 +425,7 @@ static chunk_t export_mpi(gcry_mpi_t value, size_t len)
 {
 	chunk_t chunk;
 	size_t written;
-	
+
 	chunk = chunk_alloc(len);
 	gcry_mpi_print(GCRYMPI_FMT_USG, chunk.ptr, chunk.len, &written, value);
 	if (written < len)
@@ -490,21 +490,21 @@ gcrypt_dh_t *gcrypt_dh_create(diffie_hellman_group_t group)
 	chunk_t random;
 	rng_t *rng;
 	size_t len;
-	
+
 	entry = find_entry(group);
 	if (!entry)
 	{
 		return NULL;
 	}
-	
+
 	this = malloc_thing(private_gcrypt_dh_t);
-	
+
 	this->public.dh.get_shared_secret = (status_t (*)(diffie_hellman_t *, chunk_t *)) get_shared_secret;
 	this->public.dh.set_other_public_value = (void (*)(diffie_hellman_t *, chunk_t )) set_other_public_value;
 	this->public.dh.get_my_public_value = (void (*)(diffie_hellman_t *, chunk_t *)) get_my_public_value;
 	this->public.dh.get_dh_group = (diffie_hellman_group_t (*)(diffie_hellman_t *)) get_dh_group;
 	this->public.dh.destroy = (void (*)(diffie_hellman_t *)) destroy;
-	
+
 	this->group = group;
 	this->p_len = entry->modulus.len;
 	err = gcry_mpi_scan(&this->p, GCRYMPI_FMT_USG,
@@ -524,7 +524,7 @@ gcrypt_dh_t *gcrypt_dh_create(diffie_hellman_group_t group)
 	{
 		len = entry->opt_len;
 	}
-	
+
 	rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
 	if (rng)
 	{	/* prefer external randomizer */
@@ -551,14 +551,14 @@ gcrypt_dh_t *gcrypt_dh_create(diffie_hellman_group_t group)
 		/* achieve bitsof(p)-1 by setting MSB to 0 */
 		gcry_mpi_clear_bit(this->xa, len * 8 - 1);
 	}
-	
+
 	this->g = gcry_mpi_set_ui(NULL, entry->g);
 	this->ya = gcry_mpi_new(this->p_len * 8);
 	this->yb = NULL;
 	this->zz = NULL;
-	
+
 	gcry_mpi_powm(this->ya, this->g, this->xa, this->p);
-	
+
 	return &this->public;
 }
 
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_dh.h b/src/libstrongswan/plugins/gcrypt/gcrypt_dh.h
index dbef96ca7..95b68dcd0 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_dh.h
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_dh.h
@@ -29,7 +29,7 @@ typedef struct gcrypt_dh_t gcrypt_dh_t;
  * Implementation of the Diffie-Hellman algorithm using libgcrypt mpi.
  */
 struct gcrypt_dh_t {
-	
+
 	/**
 	 * Implements diffie_hellman_t interface.
 	 */
@@ -38,7 +38,7 @@ struct gcrypt_dh_t {
 
 /**
  * Creates a new gcrypt_dh_t object.
- * 
+ *
  * @param group			Diffie Hellman group number to use
  * @return				gcrypt_dh_t object, NULL if not supported
  */
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c b/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c
index 41e17c897..d12fe11d5 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil 
+ * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -25,12 +25,12 @@ typedef struct private_gcrypt_hasher_t private_gcrypt_hasher_t;
  * Private data of gcrypt_hasher_t
  */
 struct private_gcrypt_hasher_t {
-	
+
 	/**
 	 * Public part of this class.
 	 */
 	gcrypt_hasher_t public;
-	
+
 	/**
 	 * gcrypt hasher context
 	 */
@@ -101,7 +101,7 @@ gcrypt_hasher_t *gcrypt_hasher_create(hash_algorithm_t algo)
 	private_gcrypt_hasher_t *this;
 	int gcrypt_alg;
 	gcry_error_t err;
-	
+
 	switch (algo)
 	{
 		case HASH_MD2:
@@ -131,9 +131,9 @@ gcrypt_hasher_t *gcrypt_hasher_create(hash_algorithm_t algo)
 		default:
 			return NULL;
 	}
-	
+
 	this = malloc_thing(private_gcrypt_hasher_t);
-	
+
 	err = gcry_md_open(&this->hd, gcrypt_alg, 0);
 	if (err)
 	{
@@ -142,13 +142,13 @@ gcrypt_hasher_t *gcrypt_hasher_create(hash_algorithm_t algo)
 		free(this);
 		return NULL;
 	}
-	
+
 	this->public.hasher_interface.get_hash = (void (*) (hasher_t*, chunk_t, u_int8_t*))get_hash;
 	this->public.hasher_interface.allocate_hash = (void (*) (hasher_t*, chunk_t, chunk_t*))allocate_hash;
 	this->public.hasher_interface.get_hash_size = (size_t (*) (hasher_t*))get_hash_size;
 	this->public.hasher_interface.reset = (void (*) (hasher_t*))reset;
 	this->public.hasher_interface.destroy = (void (*) (hasher_t*))destroy;
-	
+
 	return &this->public;
 }
 
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.h b/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.h
index 6f724fba8..708ccaafb 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.h
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.h
@@ -29,7 +29,7 @@ typedef struct gcrypt_hasher_t gcrypt_hasher_t;
  * Implementation of hashers using libgcrypt.
  */
 struct gcrypt_hasher_t {
-	
+
 	/**
 	 * The hasher_t interface.
 	 */
@@ -38,7 +38,7 @@ struct gcrypt_hasher_t {
 
 /**
  * Constructor to create gcrypt_hasher_t.
- * 
+ *
  * @param algo			algorithm
  * @return				gcrypt_hasher_t, NULL if not supported
  */
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c b/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c
index 939e0886c..8c9ea893b 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c
@@ -24,7 +24,7 @@
 
 #include <library.h>
 #include <debug.h>
-#include <utils/mutex.h>
+#include <threading/mutex.h>
 
 #include <errno.h>
 #include <gcrypt.h>
@@ -57,7 +57,7 @@ static int mutex_init(void **lock)
 static int mutex_destroy(void **lock)
 {
 	mutex_t *mutex = *lock;
-	
+
 	mutex->destroy(mutex);
 	return 0;
 }
@@ -68,7 +68,7 @@ static int mutex_destroy(void **lock)
 static int mutex_lock(void **lock)
 {
 	mutex_t *mutex = *lock;
-	
+
 	mutex->lock(mutex);
 	return 0;
 }
@@ -79,7 +79,7 @@ static int mutex_lock(void **lock)
 static int mutex_unlock(void **lock)
 {
 	mutex_t *mutex = *lock;
-	
+
 	mutex->unlock(mutex);
 	return 0;
 }
@@ -107,9 +107,11 @@ static void destroy(private_gcrypt_plugin_t *this)
 	lib->crypto->remove_dh(lib->crypto,
 					(dh_constructor_t)gcrypt_dh_create);
 	lib->creds->remove_builder(lib->creds,
-					(builder_constructor_t)gcrypt_rsa_private_key_builder);
+					(builder_function_t)gcrypt_rsa_private_key_gen);
+	lib->creds->remove_builder(lib->creds,
+					(builder_function_t)gcrypt_rsa_private_key_load);
 	lib->creds->remove_builder(lib->creds,
-					(builder_constructor_t)gcrypt_rsa_public_key_builder);
+					(builder_function_t)gcrypt_rsa_public_key_load);
 	free(this);
 }
 
@@ -119,15 +121,15 @@ static void destroy(private_gcrypt_plugin_t *this)
 plugin_t *plugin_create()
 {
 	private_gcrypt_plugin_t *this;
-	
+
 	gcry_control(GCRYCTL_SET_THREAD_CBS, &thread_functions);
-	
+
 	if (!gcry_check_version(GCRYPT_VERSION))
 	{
 		DBG1("libgcrypt version mismatch");
 		return NULL;
 	}
-	
+
 	/* we currently do not use secure memory */
 	gcry_control(GCRYCTL_DISABLE_SECMEM, 0);
 	if (lib->settings->get_bool(lib->settings,
@@ -136,11 +138,11 @@ plugin_t *plugin_create()
 		gcry_control(GCRYCTL_ENABLE_QUICK_RANDOM, 0);
 	}
 	gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0);
-	
+
 	this = malloc_thing(private_gcrypt_plugin_t);
-	
+
 	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-	
+
 	/* hashers */
 	lib->crypto->add_hasher(lib->crypto, HASH_SHA1,
 					(hasher_constructor_t)gcrypt_hasher_create);
@@ -156,7 +158,7 @@ plugin_t *plugin_create()
 					(hasher_constructor_t)gcrypt_hasher_create);
 	lib->crypto->add_hasher(lib->crypto, HASH_SHA512,
 					(hasher_constructor_t)gcrypt_hasher_create);
-	
+
 	/* crypters */
 	lib->crypto->add_crypter(lib->crypto, ENCR_3DES,
 					(crypter_constructor_t)gcrypt_crypter_create);
@@ -176,39 +178,41 @@ plugin_t *plugin_create()
 					(crypter_constructor_t)gcrypt_crypter_create);
 	lib->crypto->add_crypter(lib->crypto, ENCR_TWOFISH_CBC,
 					(crypter_constructor_t)gcrypt_crypter_create);
-	
+
 	/* random numbers */
-	lib->crypto->add_rng(lib->crypto, RNG_WEAK, 
+	lib->crypto->add_rng(lib->crypto, RNG_WEAK,
 						 (rng_constructor_t)gcrypt_rng_create);
-	lib->crypto->add_rng(lib->crypto, RNG_STRONG, 
+	lib->crypto->add_rng(lib->crypto, RNG_STRONG,
 						 (rng_constructor_t)gcrypt_rng_create);
-	lib->crypto->add_rng(lib->crypto, RNG_TRUE, 
+	lib->crypto->add_rng(lib->crypto, RNG_TRUE,
 						 (rng_constructor_t)gcrypt_rng_create);
-	
+
 	/* diffie hellman groups, using modp */
-	lib->crypto->add_dh(lib->crypto, MODP_2048_BIT, 
+	lib->crypto->add_dh(lib->crypto, MODP_2048_BIT,
 					(dh_constructor_t)gcrypt_dh_create);
-	lib->crypto->add_dh(lib->crypto, MODP_1536_BIT, 
+	lib->crypto->add_dh(lib->crypto, MODP_1536_BIT,
 					(dh_constructor_t)gcrypt_dh_create);
-	lib->crypto->add_dh(lib->crypto, MODP_3072_BIT, 
+	lib->crypto->add_dh(lib->crypto, MODP_3072_BIT,
 					(dh_constructor_t)gcrypt_dh_create);
-	lib->crypto->add_dh(lib->crypto, MODP_4096_BIT, 
+	lib->crypto->add_dh(lib->crypto, MODP_4096_BIT,
 					(dh_constructor_t)gcrypt_dh_create);
-	lib->crypto->add_dh(lib->crypto, MODP_6144_BIT, 
+	lib->crypto->add_dh(lib->crypto, MODP_6144_BIT,
 					(dh_constructor_t)gcrypt_dh_create);
-	lib->crypto->add_dh(lib->crypto, MODP_8192_BIT, 
+	lib->crypto->add_dh(lib->crypto, MODP_8192_BIT,
 					(dh_constructor_t)gcrypt_dh_create);
 	lib->crypto->add_dh(lib->crypto, MODP_1024_BIT,
 					(dh_constructor_t)gcrypt_dh_create);
-	lib->crypto->add_dh(lib->crypto, MODP_768_BIT, 
+	lib->crypto->add_dh(lib->crypto, MODP_768_BIT,
 					(dh_constructor_t)gcrypt_dh_create);
-	
+
 	/* RSA */
 	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
-					(builder_constructor_t)gcrypt_rsa_private_key_builder);
+					(builder_function_t)gcrypt_rsa_private_key_gen);
+	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+					(builder_function_t)gcrypt_rsa_private_key_load);
 	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
-					(builder_constructor_t)gcrypt_rsa_public_key_builder);
-	
+					(builder_function_t)gcrypt_rsa_public_key_load);
+
 	return &this->public.plugin;
 }
 
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_rng.c b/src/libstrongswan/plugins/gcrypt/gcrypt_rng.c
index 64b4eb8d0..d0d252572 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_rng.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_rng.c
@@ -28,7 +28,7 @@ struct private_gcrypt_rng_t {
 	 * Public gcrypt_rng_t interface.
 	 */
 	gcrypt_rng_t public;
-	
+
 	/**
 	 * RNG quality of this instance
 	 */
@@ -79,7 +79,7 @@ static void destroy(private_gcrypt_rng_t *this)
 gcrypt_rng_t *gcrypt_rng_create(rng_quality_t quality)
 {
 	private_gcrypt_rng_t *this;
-	
+
 	switch (quality)
 	{
 		case RNG_WEAK:
@@ -89,15 +89,15 @@ gcrypt_rng_t *gcrypt_rng_create(rng_quality_t quality)
 		default:
 			return NULL;
 	}
-	
+
 	this = malloc_thing(private_gcrypt_rng_t);
-	
+
 	this->public.rng.get_bytes = (void (*) (rng_t *, size_t, u_int8_t*)) get_bytes;
 	this->public.rng.allocate_bytes = (void (*) (rng_t *, size_t, chunk_t*)) allocate_bytes;
 	this->public.rng.destroy = (void (*) (rng_t *))destroy;
-	
+
 	this->quality = quality;
-	
+
 	return &this->public;
 }
 
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_rng.h b/src/libstrongswan/plugins/gcrypt/gcrypt_rng.h
index 3cfde8447..a0cc12369 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_rng.h
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_rng.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  */
- 
+
 /**
  * @defgroup gcrypt_rng gcrypt_rng
  * @{ @ingroup gcrypt_p
@@ -29,7 +29,7 @@ typedef struct gcrypt_rng_t gcrypt_rng_t;
  * rng_t implementation using libgcrypt.
  */
 struct gcrypt_rng_t {
-	
+
 	/**
 	 * Implements rng_t.
 	 */
@@ -38,7 +38,7 @@ struct gcrypt_rng_t {
 
 /**
  * Creates an gcrypt_rng_t instance.
- * 
+ *
  * @param quality	required quality of gcryptness
  * @return			created gcrypt_rng_t
  */
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c
index e0e8015db..cd156961e 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c
@@ -28,38 +28,23 @@ typedef struct private_gcrypt_rsa_private_key_t private_gcrypt_rsa_private_key_t
  * Private data of a gcrypt_rsa_private_key_t object.
  */
 struct private_gcrypt_rsa_private_key_t {
-	
+
 	/**
 	 * Public interface
 	 */
 	gcrypt_rsa_private_key_t public;
-	
+
 	/**
 	 * gcrypt S-expression representing an RSA key
 	 */
 	gcry_sexp_t key;
-	
-	/**
-	 * Keyid formed as a SHA-1 hash of a publicKey object
-	 */
-	identification_t* keyid;
-	
-	/**
-	 * Keyid formed as a SHA-1 hash of a publicKeyInfo object
-	 */
-	identification_t* keyid_info;
-	
+
 	/**
 	 * reference count
 	 */
 	refcount_t ref;
 };
 
-/**
- * Implemented in gcrypt_rsa_public_key.c
- */
-public_key_t *gcrypt_rsa_public_key_create_from_sexp(gcry_sexp_t key);
-
 /**
  * find a token in a S-expression. If a key is given, its length is used to
  * pad the output to a given length.
@@ -69,7 +54,7 @@ chunk_t gcrypt_rsa_find_token(gcry_sexp_t sexp, char *name, gcry_sexp_t key)
 	gcry_sexp_t token;
 	chunk_t data = chunk_empty, tmp;
 	size_t len = 0;
-	
+
 	token = gcry_sexp_find_token(sexp, name, 1);
 	if (token)
 	{
@@ -123,7 +108,7 @@ static bool sign_raw(private_gcrypt_rsa_private_key_t *this,
 	gcry_error_t err;
 	chunk_t em;
 	size_t k;
-	
+
 	/* EM = 0x00 || 0x01 || PS || 0x00 || T
 	 * PS = 0xFF padding, with length to fill em
 	 * T  = data
@@ -139,7 +124,7 @@ static bool sign_raw(private_gcrypt_rsa_private_key_t *this,
 	em.ptr[1] = 0x01;
 	em.ptr[em.len - data.len - 1] = 0x00;
 	memcpy(em.ptr + em.len - data.len, data.ptr, data.len);
-	
+
 	err = gcry_sexp_build(&in, NULL, "(data(flags raw)(value %b))",
 						  em.len, em.ptr);
 	chunk_free(&em);
@@ -172,7 +157,7 @@ static bool sign_pkcs1(private_gcrypt_rsa_private_key_t *this,
 	gcry_error_t err;
 	gcry_sexp_t in, out;
 	int hash_oid;
-	
+
 	hash_oid = hasher_algorithm_to_oid(hash_algorithm);
 	if (hash_oid == OID_UNKNOWN)
 	{
@@ -185,7 +170,7 @@ static bool sign_pkcs1(private_gcrypt_rsa_private_key_t *this,
 	}
 	hasher->allocate_hash(hasher, data, &hash);
 	hasher->destroy(hasher);
-	
+
 	err = gcry_sexp_build(&in, NULL, "(data(flags pkcs1)(hash %s %b))",
 						  hash_name, hash.len, hash.ptr);
 	chunk_free(&hash);
@@ -217,7 +202,7 @@ static key_type_t get_type(private_gcrypt_rsa_private_key_t *this)
 /**
  * Implementation of gcrypt_rsa_private_key.destroy.
  */
-static bool sign(private_gcrypt_rsa_private_key_t *this, signature_scheme_t scheme, 
+static bool sign(private_gcrypt_rsa_private_key_t *this, signature_scheme_t scheme,
 				 chunk_t data, chunk_t *sig)
 {
 	switch (scheme)
@@ -253,7 +238,7 @@ static bool decrypt(private_gcrypt_rsa_private_key_t *this,
 	gcry_sexp_t in, out;
 	chunk_t padded;
 	u_char *pos = NULL;;
-	
+
 	err = gcry_sexp_build(&in, NULL, "(enc-val(flags)(rsa(a %b)))",
 						  encrypted.len, encrypted.ptr);
 	if (err)
@@ -298,98 +283,41 @@ static size_t get_keysize(private_gcrypt_rsa_private_key_t *this)
 	return gcry_pk_get_nbits(this->key) / 8;
 }
 
-/**
- * Implementation of gcrypt_rsa_private_key.destroy.
- */
-static identification_t* get_id(private_gcrypt_rsa_private_key_t *this,
-								id_type_t type)
-{
-	switch (type)
-	{
-		case ID_PUBKEY_INFO_SHA1:
-			return this->keyid_info;
-		case ID_PUBKEY_SHA1:
-			return this->keyid;
-		default:
-			return NULL;
-	}
-}
-
 /**
  * Implementation of gcrypt_rsa_private_key.get_public_key.
  */
 static public_key_t* get_public_key(private_gcrypt_rsa_private_key_t *this)
 {
-	return gcrypt_rsa_public_key_create_from_sexp(this->key);
-}
+	chunk_t n, e;
+	public_key_t *public;
 
-/**
- * Implementation of gcrypt_rsa_private_key.equals.
- */
-static bool equals(private_gcrypt_rsa_private_key_t *this, private_key_t *other)
-{
-	identification_t *keyid;
+	n = gcrypt_rsa_find_token(this->key, "n", NULL);
+	e = gcrypt_rsa_find_token(this->key, "e", NULL);
 
-	if (&this->public.interface == other)
-	{
-		return TRUE;
-	}
-	if (other->get_type(other) != KEY_RSA)
-	{
-		return FALSE;
-	}
-	keyid = other->get_id(other, ID_PUBKEY_SHA1);
-	if (keyid && keyid->equals(keyid, this->keyid))
-	{
-		return TRUE;
-	}
-	keyid = other->get_id(other, ID_PUBKEY_INFO_SHA1);
-	if (keyid && keyid->equals(keyid, this->keyid_info))
-	{
-		return TRUE;
-	}
-	return FALSE;
-}
+	public = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
+						BUILD_RSA_MODULUS, n, BUILD_RSA_PUB_EXP, e, BUILD_END);
+	chunk_free(&n);
+	chunk_free(&e);
 
-/**
- * Implementation of gcrypt_rsa_private_key.belongs_to.
- */
-static bool belongs_to(private_gcrypt_rsa_private_key_t *this,
-					   public_key_t *public)
-{
-	identification_t *keyid;
-	
-	if (public->get_type(public) != KEY_RSA)
-	{
-		return FALSE;
-	}
-	keyid = public->get_id(public, ID_PUBKEY_SHA1);
-	if (keyid && keyid->equals(keyid, this->keyid))
-	{
-		return TRUE;
-	}
-	keyid = public->get_id(public, ID_PUBKEY_INFO_SHA1);
-	if (keyid && keyid->equals(keyid, this->keyid_info))
-	{
-		return TRUE;
-	}
-	return FALSE;
+	return public;
 }
 
 /**
- * Implementation of private_key_t.get_encoding.
+ * Implementation of private_key_t.get_encoding
  */
-static chunk_t get_encoding(private_gcrypt_rsa_private_key_t *this)
+static bool get_encoding(private_gcrypt_rsa_private_key_t *this,
+						 key_encoding_type_t type, chunk_t *encoding)
 {
-	chunk_t cp, cq, cd, cexp1 = chunk_empty, cexp2 = chunk_empty;
+	chunk_t cn, ce, cp, cq, cd, cu, cexp1 = chunk_empty, cexp2 = chunk_empty;
 	gcry_mpi_t p = NULL, q = NULL, d = NULL, exp1, exp2;
 	gcry_error_t err;
-	
+	bool success;
+
 	/* p and q are swapped, gcrypt expects p < q */
 	cp = gcrypt_rsa_find_token(this->key, "q", NULL);
 	cq = gcrypt_rsa_find_token(this->key, "p", NULL);
 	cd = gcrypt_rsa_find_token(this->key, "d", NULL);
-	
+
 	err = gcry_mpi_scan(&p, GCRYMPI_FMT_USG, cp.ptr, cp.len, NULL)
 		| gcry_mpi_scan(&q, GCRYMPI_FMT_USG, cq.ptr, cq.len, NULL)
 		| gcry_mpi_scan(&d, GCRYMPI_FMT_USG, cd.ptr, cd.len, NULL);
@@ -402,26 +330,26 @@ static chunk_t get_encoding(private_gcrypt_rsa_private_key_t *this)
 		chunk_clear(&cq);
 		chunk_clear(&cd);
 		DBG1("scanning mpi for export failed: %s", gpg_strerror(err));
-		return chunk_empty;
+		return FALSE;
 	}
-	
+
 	gcry_mpi_sub_ui(p, p, 1);
 	exp1 = gcry_mpi_new(gcry_pk_get_nbits(this->key));
 	gcry_mpi_mod(exp1, d, p);
 	gcry_mpi_release(p);
-	
+
 	gcry_mpi_sub_ui(q, q, 1);
 	exp2 = gcry_mpi_new(gcry_pk_get_nbits(this->key));
 	gcry_mpi_mod(exp1, d, q);
 	gcry_mpi_release(q);
-	
+
 	err = gcry_mpi_aprint(GCRYMPI_FMT_USG, &cexp1.ptr, &cexp1.len, exp1)
 		| gcry_mpi_aprint(GCRYMPI_FMT_USG, &cexp2.ptr, &cexp2.len, exp2);
-	
+
 	gcry_mpi_release(d);
 	gcry_mpi_release(exp1);
 	gcry_mpi_release(exp2);
-	
+
 	if (err)
 	{
 		DBG1("printing mpi for export failed: %s", gpg_strerror(err));
@@ -430,18 +358,53 @@ static chunk_t get_encoding(private_gcrypt_rsa_private_key_t *this)
 		chunk_clear(&cd);
 		chunk_clear(&cexp1);
 		chunk_clear(&cexp2);
-		return chunk_empty;
+		return FALSE;
+	}
+
+	cn = gcrypt_rsa_find_token(this->key, "n", NULL);
+	ce = gcrypt_rsa_find_token(this->key, "e", NULL);
+	cu = gcrypt_rsa_find_token(this->key, "u", NULL);
+
+	success = lib->encoding->encode(lib->encoding, type, NULL, encoding,
+							KEY_PART_RSA_MODULUS, cn,
+							KEY_PART_RSA_PUB_EXP, ce, KEY_PART_RSA_PRIV_EXP, cd,
+							KEY_PART_RSA_PRIME1, cp, KEY_PART_RSA_PRIME2, cq,
+							KEY_PART_RSA_EXP1, cexp1, KEY_PART_RSA_EXP2, cexp2,
+							KEY_PART_RSA_COEFF, cu, KEY_PART_END);
+	chunk_free(&cn);
+	chunk_free(&ce);
+	chunk_clear(&cd);
+	chunk_clear(&cp);
+	chunk_clear(&cq);
+	chunk_clear(&cexp1);
+	chunk_clear(&cexp2);
+	chunk_clear(&cu);
+
+	return success;
+}
+
+/**
+ * Implementation of private_key_t.get_fingerprint
+ */
+static bool get_fingerprint(private_gcrypt_rsa_private_key_t *this,
+							key_encoding_type_t type, chunk_t *fp)
+{
+	chunk_t n, e;
+	bool success;
+
+	if (lib->encoding->get_cache(lib->encoding, type, this, fp))
+	{
+		return TRUE;
 	}
-	
-	return asn1_wrap(ASN1_SEQUENCE, "cmmmmmmmm", ASN1_INTEGER_0,
-			asn1_integer("m", gcrypt_rsa_find_token(this->key, "n", NULL)),
-			asn1_integer("m", gcrypt_rsa_find_token(this->key, "e", NULL)),
-			asn1_integer("m", cd),
-			asn1_integer("m", cp),
-			asn1_integer("m", cq),
-			asn1_integer("m", cexp1),
-			asn1_integer("m", cexp2),
-			asn1_integer("m", gcrypt_rsa_find_token(this->key, "u", NULL)));
+	n = gcrypt_rsa_find_token(this->key, "n", NULL);
+	e = gcrypt_rsa_find_token(this->key, "e", NULL);
+
+	success = lib->encoding->encode(lib->encoding,
+								type, this, fp, KEY_PART_RSA_MODULUS, n,
+								KEY_PART_RSA_PUB_EXP, e, KEY_PART_END);
+	chunk_free(&n);
+	chunk_free(&e);
+	return success;
 }
 
 /**
@@ -460,9 +423,8 @@ static void destroy(private_gcrypt_rsa_private_key_t *this)
 {
 	if (ref_put(&this->ref))
 	{
-		DESTROY_IF(this->keyid);
-		DESTROY_IF(this->keyid_info);
 		gcry_sexp_release(this->key);
+		lib->encoding->clear_cache(lib->encoding, this);
 		free(this);
 	}
 }
@@ -473,192 +435,121 @@ static void destroy(private_gcrypt_rsa_private_key_t *this)
 static private_gcrypt_rsa_private_key_t *gcrypt_rsa_private_key_create_empty()
 {
 	private_gcrypt_rsa_private_key_t *this = malloc_thing(private_gcrypt_rsa_private_key_t);
-	
+
 	this->public.interface.get_type = (key_type_t (*)(private_key_t *this))get_type;
 	this->public.interface.sign = (bool (*)(private_key_t *this, signature_scheme_t scheme, chunk_t data, chunk_t *signature))sign;
 	this->public.interface.decrypt = (bool (*)(private_key_t *this, chunk_t crypto, chunk_t *plain))decrypt;
 	this->public.interface.get_keysize = (size_t (*) (private_key_t *this))get_keysize;
-	this->public.interface.get_id = (identification_t* (*) (private_key_t *this,id_type_t))get_id;
 	this->public.interface.get_public_key = (public_key_t* (*)(private_key_t *this))get_public_key;
-	this->public.interface.equals = (bool (*) (private_key_t*, private_key_t*))equals;
-	this->public.interface.belongs_to = (bool (*) (private_key_t *this, public_key_t *public))belongs_to;
-	this->public.interface.get_encoding = (chunk_t(*)(private_key_t*))get_encoding;
+	this->public.interface.equals = private_key_equals;
+	this->public.interface.belongs_to = private_key_belongs_to;
+	this->public.interface.get_fingerprint = (bool(*)(private_key_t*, key_encoding_type_t type, chunk_t *fp))get_fingerprint;
+	this->public.interface.has_fingerprint = (bool(*)(private_key_t*, chunk_t fp))private_key_has_fingerprint;
+	this->public.interface.get_encoding = (bool(*)(private_key_t*, key_encoding_type_t type, chunk_t *encoding))get_encoding;
 	this->public.interface.get_ref = (private_key_t* (*)(private_key_t *this))get_ref;
 	this->public.interface.destroy = (void (*)(private_key_t *this))destroy;
-	
+
 	this->key = NULL;
-	this->keyid = NULL;
-	this->keyid_info = NULL;
 	this->ref = 1;
-	
+
 	return this;
 }
 
 /**
- * build the keyids of a private/public key
+ * See header.
  */
-bool gcrypt_rsa_build_keyids(gcry_sexp_t key, identification_t **keyid,
-							 identification_t **keyid_info)
+gcrypt_rsa_private_key_t *gcrypt_rsa_private_key_gen(key_type_t type,
+													 va_list args)
 {
-	chunk_t publicKeyInfo, publicKey, hash;
-	hasher_t *hasher;
-	
-	hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
-	if (!hasher)
+	private_gcrypt_rsa_private_key_t *this;
+	gcry_sexp_t param;
+	gcry_error_t err;
+	u_int key_size = 0;
+
+	while (TRUE)
 	{
-		DBG1("SHA1 hash algorithm not supported, unable to use RSA");
-		return FALSE;
+		switch (va_arg(args, builder_part_t))
+		{
+			case BUILD_KEY_SIZE:
+				key_size = va_arg(args, u_int);
+				continue;
+			case BUILD_END:
+				break;
+			default:
+				return NULL;
+		}
+		break;
+	}
+	if (!key_size)
+	{
+		return NULL;
 	}
-	publicKey = asn1_wrap(ASN1_SEQUENCE, "mm",
-				 asn1_integer("m", gcrypt_rsa_find_token(key, "n", NULL)),
-				 asn1_integer("m", gcrypt_rsa_find_token(key, "e", NULL)));
-	hasher->allocate_hash(hasher, publicKey, &hash);
-	*keyid = identification_create_from_encoding(ID_PUBKEY_SHA1, hash);
-	chunk_free(&hash);
-	
-	publicKeyInfo = asn1_wrap(ASN1_SEQUENCE, "cm",
-						asn1_algorithmIdentifier(OID_RSA_ENCRYPTION),
-						asn1_bitstring("m", publicKey));
-	hasher->allocate_hash(hasher, publicKeyInfo, &hash);
-	*keyid_info = identification_create_from_encoding(ID_PUBKEY_INFO_SHA1, hash);
-	chunk_free(&hash);
-	
-	hasher->destroy(hasher);
-	chunk_free(&publicKeyInfo);
-	
-	return TRUE;
-}
 
-/**
- * Generate an RSA key of specified key size
- */
-static gcrypt_rsa_private_key_t *generate(size_t key_size)
-{
-	private_gcrypt_rsa_private_key_t *this;
-	gcry_sexp_t param, key;
-	gcry_error_t err;
-	
 	err = gcry_sexp_build(&param, NULL, "(genkey(rsa(nbits %d)))", key_size);
 	if (err)
 	{
 		DBG1("building S-expression failed: %s", gpg_strerror(err));
 		return NULL;
 	}
-	
-	err = gcry_pk_genkey(&key, param);
+	this = gcrypt_rsa_private_key_create_empty();
+	err = gcry_pk_genkey(&this->key, param);
 	gcry_sexp_release(param);
 	if (err)
 	{
+		free(this);
 		DBG1("generating RSA key failed: %s", gpg_strerror(err));
 		return NULL;
 	}
-	this = gcrypt_rsa_private_key_create_empty();
-	this->key = key;
-	
-	if (!gcrypt_rsa_build_keyids(this->key, &this->keyid, &this->keyid_info))
-	{
-		destroy(this);
-		return NULL;
-	}
-	
 	return &this->public;
 }
 
 /**
- * ASN.1 definition of a PKCS#1 RSA private key
- */
-static const asn1Object_t privkeyObjects[] = {
-	{ 0, "RSAPrivateKey",		ASN1_SEQUENCE,     ASN1_NONE }, /*  0 */
-	{ 1,   "version",			ASN1_INTEGER,      ASN1_BODY }, /*  1 */
-	{ 1,   "modulus",			ASN1_INTEGER,      ASN1_BODY }, /*  2 */
-	{ 1,   "publicExponent",	ASN1_INTEGER,      ASN1_BODY }, /*  3 */
-	{ 1,   "privateExponent",	ASN1_INTEGER,      ASN1_BODY }, /*  4 */
-	{ 1,   "prime1",			ASN1_INTEGER,      ASN1_BODY }, /*  5 */
-	{ 1,   "prime2",			ASN1_INTEGER,      ASN1_BODY }, /*  6 */
-	{ 1,   "exponent1",			ASN1_INTEGER,      ASN1_BODY }, /*  7 */
-	{ 1,   "exponent2",			ASN1_INTEGER,      ASN1_BODY }, /*  8 */
-	{ 1,   "coefficient",		ASN1_INTEGER,      ASN1_BODY }, /*  9 */
-	{ 1,   "otherPrimeInfos",	ASN1_SEQUENCE,     ASN1_OPT |
-												   ASN1_LOOP }, /* 10 */
-	{ 2,     "otherPrimeInfo",	ASN1_SEQUENCE,     ASN1_NONE }, /* 11 */
-	{ 3,       "prime",			ASN1_INTEGER,      ASN1_BODY }, /* 12 */
-	{ 3,       "exponent",		ASN1_INTEGER,      ASN1_BODY }, /* 13 */
-	{ 3,       "coefficient",	ASN1_INTEGER,      ASN1_BODY }, /* 14 */
-	{ 1,   "end opt or loop",	ASN1_EOC,          ASN1_END  }, /* 15 */
-	{ 0, "exit",				ASN1_EOC,          ASN1_EXIT }
-};
-#define PRIV_KEY_VERSION		 1
-#define PRIV_KEY_MODULUS		 2
-#define PRIV_KEY_PUB_EXP		 3
-#define PRIV_KEY_PRIV_EXP		 4
-#define PRIV_KEY_PRIME1			 5
-#define PRIV_KEY_PRIME2			 6
-#define PRIV_KEY_EXP1			 7
-#define PRIV_KEY_EXP2			 8
-#define PRIV_KEY_COEFF			 9
-
-/**
- * load private key from a ASN1 encoded blob
+ * See header.
  */
-static gcrypt_rsa_private_key_t *load(chunk_t blob)
+gcrypt_rsa_private_key_t *gcrypt_rsa_private_key_load(key_type_t type,
+													  va_list args)
 {
 	private_gcrypt_rsa_private_key_t *this;
-	asn1_parser_t *parser;
-	chunk_t object;
-	int objectID ;
-	bool success = FALSE;
-	chunk_t n, e, d, u, p, q;
+	chunk_t n, e, d, p, q, exp, u;
 	gcry_error_t err;
-	
-	n = e = d = u = p = q = chunk_empty;
-	
-	parser = asn1_parser_create(privkeyObjects, blob);
-	parser->set_flags(parser, FALSE, TRUE);
-	
-	while (parser->iterate(parser, &objectID, &object))
+
+	n = e = d = p = q = u = chunk_empty;
+	while (TRUE)
 	{
-		switch (objectID)
+		switch (va_arg(args, builder_part_t))
 		{
-			case PRIV_KEY_VERSION:
-				if (object.len > 0 && *object.ptr != 0)
-				{
-					goto end;
-				}
-				break;
-			case PRIV_KEY_MODULUS:
-				n = object;
-				break;
-			case PRIV_KEY_PUB_EXP:
-				e = object;
-				break;
-			case PRIV_KEY_PRIV_EXP:
-				d = object;
-				break;
-			case PRIV_KEY_PRIME1:
-				/* p and q are swapped, as gcrypt expects p < q */
-				q = object;
-				break;
-			case PRIV_KEY_PRIME2:
-				p = object;
-				break;
-			case PRIV_KEY_EXP1:
-			case PRIV_KEY_EXP2:
-				break;
-			case PRIV_KEY_COEFF:
-				u = object;
+			case BUILD_RSA_MODULUS:
+				n = va_arg(args, chunk_t);
+				continue;
+			case BUILD_RSA_PUB_EXP:
+				e = va_arg(args, chunk_t);
+				continue;
+			case BUILD_RSA_PRIV_EXP:
+				d = va_arg(args, chunk_t);
+				continue;
+			case BUILD_RSA_PRIME1:
+				/* swap p and q, gcrypt expects p < q */
+				q = va_arg(args, chunk_t);
+				continue;
+			case BUILD_RSA_PRIME2:
+				p = va_arg(args, chunk_t);
+				continue;
+			case BUILD_RSA_EXP1:
+			case BUILD_RSA_EXP2:
+				/* not required for gcrypt */
+				exp = va_arg(args, chunk_t);
+				continue;
+			case BUILD_RSA_COEFF:
+				u = va_arg(args, chunk_t);
+				continue;
+			case BUILD_END:
 				break;
+			default:
+				return NULL;
 		}
+		break;
 	}
-	success = parser->success(parser);
-	
-end:
-	parser->destroy(parser);
-	
-	if (!success)
-	{
-		return NULL;
-	}
-	
+
 	this = gcrypt_rsa_private_key_create_empty();
 	err = gcry_sexp_build(&this->key, NULL,
 					"(private-key(rsa(n %b)(e %b)(d %b)(p %b)(q %b)(u %b)))",
@@ -677,91 +568,6 @@ end:
 		destroy(this);
 		return NULL;
 	}
-	if (!gcrypt_rsa_build_keyids(this->key, &this->keyid, &this->keyid_info))
-	{
-		destroy(this);
-		return NULL;
-	}
-	return &this->public;
-}
-
-typedef struct private_builder_t private_builder_t;
-
-/**
- * Builder implementation for key loading/generation
- */
-struct private_builder_t {
-	/** implements the builder interface */
-	builder_t public;
-	/** loaded/generated private key */
-	gcrypt_rsa_private_key_t *key;
-};
-
-/**
- * Implementation of builder_t.build
- */
-static gcrypt_rsa_private_key_t *build(private_builder_t *this)
-{
-	gcrypt_rsa_private_key_t *key = this->key;
-	
-	free(this);
-	return key;
-}
-
-/**
- * Implementation of builder_t.add
- */
-static void add(private_builder_t *this, builder_part_t part, ...)
-{
-	if (!this->key)
-	{
-		va_list args;
-		
-		switch (part)
-		{
-			case BUILD_BLOB_ASN1_DER:
-			{
-				va_start(args, part);
-				this->key = load(va_arg(args, chunk_t));
-				va_end(args);
-				return;
-			}
-			case BUILD_KEY_SIZE:
-			{
-				va_start(args, part);
-				this->key = generate(va_arg(args, u_int));
-				va_end(args);
-				return;
-			}
-			default:
-				break;
-		}
-	}
-	if (this->key)
-	{
-		destroy((private_gcrypt_rsa_private_key_t*)this->key);
-	}
-	builder_cancel(&this->public);
-}
-
-/**
- * Builder construction function
- */
-builder_t *gcrypt_rsa_private_key_builder(key_type_t type)
-{
-	private_builder_t *this;
-	
-	if (type != KEY_RSA)
-	{
-		return NULL;
-	}
-	
-	this = malloc_thing(private_builder_t);
-	
-	this->key = NULL;
-	this->public.add = (void(*)(builder_t *this, builder_part_t part, ...))add;
-	this->public.build = (void*(*)(builder_t *this))build;
-	
 	return &this->public;
 }
 
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.h b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.h
index 2edd7ce5d..4c3605f4b 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.h
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.h
@@ -21,6 +21,7 @@
 #ifndef GCRYPT_RSA_PRIVATE_KEY_H_
 #define GCRYPT_RSA_PRIVATE_KEY_H_
 
+#include <credentials/builder.h>
 #include <credentials/keys/private_key.h>
 
 typedef struct gcrypt_rsa_private_key_t gcrypt_rsa_private_key_t;
@@ -29,7 +30,7 @@ typedef struct gcrypt_rsa_private_key_t gcrypt_rsa_private_key_t;
  * Private_key_t implementation of RSA algorithm using libgcrypt.
  */
 struct gcrypt_rsa_private_key_t {
-	
+
 	/**
 	 * Implements private_key_t interface
 	 */
@@ -37,11 +38,27 @@ struct gcrypt_rsa_private_key_t {
 };
 
 /**
- * Create the builder for a private key.
+ * Generate a private key using gcrypt.
+ *
+ * Accepts the BUILD_KEY_SIZE argument.
+ *
+ * @param type		type of the key, must be KEY_RSA
+ * @param args		builder_part_t argument list
+ * @return			generated key, NULL on failure
+ */
+gcrypt_rsa_private_key_t *gcrypt_rsa_private_key_gen(key_type_t type,
+													 va_list args);
+
+/**
+ * Load a gcrypt RSA private keys.
+ *
+ * Accepts BUILD_RSA_* components.
  *
  * @param type		type of the key, must be KEY_RSA
- * @return 			builder instance
+ * @param args		builder_part_t argument list
+ * @return			loaded key, NULL on failure
  */
-builder_t *gcrypt_rsa_private_key_builder(key_type_t type);
+gcrypt_rsa_private_key_t *gcrypt_rsa_private_key_load(key_type_t type,
+													  va_list args);
 
 #endif /** GCRYPT_RSA_PRIVATE_KEY_H_ @}*/
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c
index 4d9c88c6d..e083fac94 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  */
- 
+
 #include <gcrypt.h>
 
 #include "gcrypt_rsa_public_key.h"
@@ -21,7 +21,6 @@
 #include <asn1/oid.h>
 #include <asn1/asn1.h>
 #include <asn1/asn1_parser.h>
-#include <asn1/pem.h>
 #include <crypto/hashers/hasher.h>
 
 typedef struct private_gcrypt_rsa_public_key_t private_gcrypt_rsa_public_key_t;
@@ -30,27 +29,17 @@ typedef struct private_gcrypt_rsa_public_key_t private_gcrypt_rsa_public_key_t;
  * Private data structure with signing context.
  */
 struct private_gcrypt_rsa_public_key_t {
-	
+
 	/**
 	 * Public interface for this signer.
 	 */
 	gcrypt_rsa_public_key_t public;
-	
+
 	/**
 	 * gcrypt S-expression representing an public RSA key
 	 */
 	gcry_sexp_t key;
-	
-	/**
-	 * Keyid formed as a SHA-1 hash of a publicKey object
-	 */
-	identification_t* keyid;
-	
-	/**
-	 * Keyid formed as a SHA-1 hash of a publicKeyInfo object
-	 */
-	identification_t* keyid_info;
-	
+
 	/**
 	 * reference counter
 	 */
@@ -61,8 +50,6 @@ struct private_gcrypt_rsa_public_key_t {
  * Implemented in gcrypt_rsa_private_key.c
  */
 chunk_t gcrypt_rsa_find_token(gcry_sexp_t sexp, char *name, gcry_sexp_t key);
-bool gcrypt_rsa_build_keyids(gcry_sexp_t key, identification_t **keyid,
-							 identification_t **keyid_info);
 
 /**
  * verification of a padded PKCS1 signature without an OID
@@ -74,7 +61,7 @@ static bool verify_raw(private_gcrypt_rsa_public_key_t *this,
 	gcry_error_t err;
 	chunk_t em;
 	size_t k;
-	
+
 	/* EM = 0x00 || 0x01 || PS || 0x00 || T
 	 * PS = 0xFF padding, with length to fill em
 	 * T  = data
@@ -90,7 +77,7 @@ static bool verify_raw(private_gcrypt_rsa_public_key_t *this,
 	em.ptr[1] = 0x01;
 	em.ptr[em.len - data.len - 1] = 0x00;
 	memcpy(em.ptr + em.len - data.len, data.ptr, data.len);
-	
+
 	err = gcry_sexp_build(&in, NULL, "(data(flags raw)(value %b))",
 						  em.len, em.ptr);
 	chunk_free(&em);
@@ -129,7 +116,7 @@ static bool verify_pkcs1(private_gcrypt_rsa_public_key_t *this,
 	chunk_t hash;
 	gcry_error_t err;
 	gcry_sexp_t in, sig;
-	
+
 	hasher = lib->crypto->create_hasher(lib->crypto, algorithm);
 	if (!hasher)
 	{
@@ -137,7 +124,7 @@ static bool verify_pkcs1(private_gcrypt_rsa_public_key_t *this,
 	}
 	hasher->allocate_hash(hasher, data, &hash);
 	hasher->destroy(hasher);
-	
+
 	err = gcry_sexp_build(&in, NULL, "(data(flags pkcs1)(hash %s %b))",
 						  hash_name, hash.len, hash.ptr);
 	chunk_free(&hash);
@@ -146,7 +133,7 @@ static bool verify_pkcs1(private_gcrypt_rsa_public_key_t *this,
 		DBG1("building data S-expression failed: %s", gpg_strerror(err));
 		return FALSE;
 	}
-	
+
 	err = gcry_sexp_build(&sig, NULL, "(sig-val(rsa(s %b)))",
 						  signature.len, signature.ptr);
 	if (err)
@@ -211,7 +198,7 @@ static bool encrypt_(private_gcrypt_rsa_public_key_t *this, chunk_t plain,
 {
 	gcry_sexp_t in, out;
 	gcry_error_t err;
-	
+
 	/* "pkcs1" uses PKCS 1.5 (section 8.1) block type 2 encryption:
 	 * 00 | 02 | RANDOM | 00 | DATA */
 	err = gcry_sexp_build(&in, NULL, "(data(flags pkcs1)(value %b))",
@@ -234,66 +221,55 @@ static bool encrypt_(private_gcrypt_rsa_public_key_t *this, chunk_t plain,
 }
 
 /**
- * Implementation of gcrypt_rsa_public_key.equals.
+ * Implementation of public_key_t.get_keysize.
  */
-static bool equals(private_gcrypt_rsa_public_key_t *this, public_key_t *other)
+static size_t get_keysize(private_gcrypt_rsa_public_key_t *this)
 {
-	identification_t *keyid;
-
-	if (&this->public.interface == other)
-	{
-		return TRUE;
-	}
-	if (other->get_type(other) != KEY_RSA)
-	{
-		return FALSE;
-	}
-	keyid = other->get_id(other, ID_PUBKEY_SHA1);
-	if (keyid && keyid->equals(keyid, this->keyid))
-	{
-		return TRUE;
-	}
-	keyid = other->get_id(other, ID_PUBKEY_INFO_SHA1);
-	if (keyid && keyid->equals(keyid, this->keyid_info))
-	{
-		return TRUE;
-	}
-	return FALSE;
+	return gcry_pk_get_nbits(this->key) / 8;
 }
 
 /**
- * Implementation of public_key_t.get_keysize.
+ * Implementation of private_key_t.get_encoding
  */
-static size_t get_keysize(private_gcrypt_rsa_public_key_t *this)
+static bool get_encoding(private_gcrypt_rsa_public_key_t *this,
+						 key_encoding_type_t type, chunk_t *encoding)
 {
-	return gcry_pk_get_nbits(this->key) / 8;
+	chunk_t n, e;
+	bool success;
+
+	n = gcrypt_rsa_find_token(this->key, "n", NULL);
+	e = gcrypt_rsa_find_token(this->key, "e", NULL);
+	success = lib->encoding->encode(lib->encoding, type, NULL, encoding,
+							KEY_PART_RSA_MODULUS, n, KEY_PART_RSA_PUB_EXP, e,
+							KEY_PART_END);
+	chunk_free(&n);
+	chunk_free(&e);
+
+	return success;
 }
 
 /**
- * Implementation of public_key_t.get_id.
+ * Implementation of private_key_t.get_fingerprint
  */
-static identification_t *get_id(private_gcrypt_rsa_public_key_t *this,
-								id_type_t type)
+static bool get_fingerprint(private_gcrypt_rsa_public_key_t *this,
+							key_encoding_type_t type, chunk_t *fp)
 {
-	switch (type)
+	chunk_t n, e;
+	bool success;
+
+	if (lib->encoding->get_cache(lib->encoding, type, this, fp))
 	{
-		case ID_PUBKEY_INFO_SHA1:
-			return this->keyid_info;
-		case ID_PUBKEY_SHA1:
-			return this->keyid;
-		default:
-			return NULL;
+		return TRUE;
 	}
-}
+	n = gcrypt_rsa_find_token(this->key, "n", NULL);
+	e = gcrypt_rsa_find_token(this->key, "e", NULL);
 
-/*
- * Implementation of public_key_t.get_encoding.
- */
-static chunk_t get_encoding(private_gcrypt_rsa_public_key_t *this)
-{
-	return asn1_wrap(ASN1_SEQUENCE, "mm",
-			asn1_integer("m", gcrypt_rsa_find_token(this->key, "n", NULL)),
-			asn1_integer("m", gcrypt_rsa_find_token(this->key, "e", NULL)));
+	success = lib->encoding->encode(lib->encoding,
+								type, this, fp, KEY_PART_RSA_MODULUS, n,
+								KEY_PART_RSA_PUB_EXP, e, KEY_PART_END);
+	chunk_free(&n);
+	chunk_free(&e);
+	return success;
 }
 
 /**
@@ -312,118 +288,57 @@ static void destroy(private_gcrypt_rsa_public_key_t *this)
 {
 	if (ref_put(&this->ref))
 	{
-		DESTROY_IF(this->keyid);
-		DESTROY_IF(this->keyid_info);
 		gcry_sexp_release(this->key);
+		lib->encoding->clear_cache(lib->encoding, this);
 		free(this);
 	}
 }
 
 /**
- * Generic private constructor
- */
-static private_gcrypt_rsa_public_key_t *gcrypt_rsa_public_key_create_empty()
-{
-	private_gcrypt_rsa_public_key_t *this = malloc_thing(private_gcrypt_rsa_public_key_t);
-	
-	this->public.interface.get_type = (key_type_t (*)(public_key_t *this))get_type;
-	this->public.interface.verify = (bool (*)(public_key_t *this, signature_scheme_t scheme, chunk_t data, chunk_t signature))verify;
-	this->public.interface.encrypt = (bool (*)(public_key_t *this, chunk_t crypto, chunk_t *plain))encrypt_;
-	this->public.interface.equals = (bool (*) (public_key_t*, public_key_t*))equals;
-	this->public.interface.get_keysize = (size_t (*) (public_key_t *this))get_keysize;
-	this->public.interface.get_id = (identification_t* (*) (public_key_t *this,id_type_t))get_id;
-	this->public.interface.get_encoding = (chunk_t(*)(public_key_t*))get_encoding;
-	this->public.interface.get_ref = (public_key_t* (*)(public_key_t *this))get_ref;
-	this->public.interface.destroy = (void (*)(public_key_t *this))destroy;
-	
-	this->key = NULL;
-	this->keyid = NULL;
-	this->keyid_info = NULL;
-	this->ref = 1;
-	
-	return this;
-}
-
-/**
- * Create a public key from a S-expression, used in gcrypt_rsa_private_key
+ * See header.
  */
-public_key_t *gcrypt_rsa_public_key_create_from_sexp(gcry_sexp_t key)
+gcrypt_rsa_public_key_t *gcrypt_rsa_public_key_load(key_type_t type,
+													va_list args)
 {
 	private_gcrypt_rsa_public_key_t *this;
 	gcry_error_t err;
 	chunk_t n, e;
-	
-	this = gcrypt_rsa_public_key_create_empty();
-	n = gcrypt_rsa_find_token(key, "n", NULL);
-	e = gcrypt_rsa_find_token(key, "e", NULL);
-	
-	err = gcry_sexp_build(&this->key, NULL, "(public-key(rsa(n %b)(e %b)))",
-						  n.len, n.ptr, e.len, e.ptr);
-	chunk_free(&n);
-	chunk_free(&e);
-	if (err)
-	{
-		DBG1("loading public key failed: %s", gpg_strerror(err));
-		free(this);
-		return NULL;
-	}
-	if (!gcrypt_rsa_build_keyids(this->key, &this->keyid, &this->keyid_info))
-	{
-		destroy(this);
-		return NULL;
-	}
-	return &this->public.interface;
-}
 
-/**
- * ASN.1 definition of RSApublicKey
- */
-static const asn1Object_t pubkeyObjects[] = {
-	{ 0, "RSAPublicKey",		ASN1_SEQUENCE,	ASN1_OBJ  }, /*  0 */
-	{ 1,   "modulus",			ASN1_INTEGER,	ASN1_BODY }, /*  1 */
-	{ 1,   "publicExponent",	ASN1_INTEGER,	ASN1_BODY }, /*  2 */
-	{ 0, "exit",				ASN1_EOC,		ASN1_EXIT }
-};
-#define PUB_KEY_RSA_PUBLIC_KEY		0
-#define PUB_KEY_MODULUS				1
-#define PUB_KEY_EXPONENT			2
-
-/**
- * Load a public key from an ASN1 encoded blob
- */
-static gcrypt_rsa_public_key_t *load(chunk_t blob)
-{
-	private_gcrypt_rsa_public_key_t *this;
-	asn1_parser_t *parser;
-	chunk_t object, n, e;
-	int objectID;
-	bool success = FALSE;
-	gcry_error_t err;
-	
 	n = e = chunk_empty;
-	
-	parser = asn1_parser_create(pubkeyObjects, blob);
-	while (parser->iterate(parser, &objectID, &object))
+	while (TRUE)
 	{
-		switch (objectID)
+		switch (va_arg(args, builder_part_t))
 		{
-			case PUB_KEY_MODULUS:
-				n = object;
-				break;
-			case PUB_KEY_EXPONENT:
-				e = object;
+			case BUILD_RSA_MODULUS:
+				n = va_arg(args, chunk_t);
+				continue;
+			case BUILD_RSA_PUB_EXP:
+				e = va_arg(args, chunk_t);
+				continue;
+			case BUILD_END:
 				break;
+			default:
+				return NULL;
 		}
+		break;
 	}
-	success = parser->success(parser);
-	parser->destroy(parser);
-	
-	if (!success)
-	{
-		return NULL;
-	}
-	
-	this = gcrypt_rsa_public_key_create_empty();
+
+	this = malloc_thing(private_gcrypt_rsa_public_key_t);
+
+	this->public.interface.get_type = (key_type_t (*)(public_key_t *this))get_type;
+	this->public.interface.verify = (bool (*)(public_key_t *this, signature_scheme_t scheme, chunk_t data, chunk_t signature))verify;
+	this->public.interface.encrypt = (bool (*)(public_key_t *this, chunk_t crypto, chunk_t *plain))encrypt_;
+	this->public.interface.equals = public_key_equals;
+	this->public.interface.get_keysize = (size_t (*) (public_key_t *this))get_keysize;
+	this->public.interface.get_fingerprint = (bool(*)(public_key_t*, key_encoding_type_t type, chunk_t *fp))get_fingerprint;
+	this->public.interface.has_fingerprint = (bool(*)(public_key_t*, chunk_t fp))public_key_has_fingerprint;
+	this->public.interface.get_encoding = (bool(*)(public_key_t*, key_encoding_type_t type, chunk_t *encoding))get_encoding;
+	this->public.interface.get_ref = (public_key_t* (*)(public_key_t *this))get_ref;
+	this->public.interface.destroy = (void (*)(public_key_t *this))destroy;
+
+	this->key = NULL;
+	this->ref = 1;
+
 	err = gcry_sexp_build(&this->key, NULL, "(public-key(rsa(n %b)(e %b)))",
 						  n.len, n.ptr, e.len, e.ptr);
 	if (err)
@@ -432,83 +347,7 @@ static gcrypt_rsa_public_key_t *load(chunk_t blob)
 		free(this);
 		return NULL;
 	}
-	if (!gcrypt_rsa_build_keyids(this->key, &this->keyid, &this->keyid_info))
-	{
-		destroy(this);
-		return NULL;
-	}
-	return &this->public;
-}
-
-typedef struct private_builder_t private_builder_t;
-/**
- * Builder implementation for key loading
- */
-struct private_builder_t {
-	/** implements the builder interface */
-	builder_t public;
-	/** loaded public key */
-	gcrypt_rsa_public_key_t *key;
-};
-
-/**
- * Implementation of builder_t.build
- */
-static gcrypt_rsa_public_key_t *build(private_builder_t *this)
-{
-	gcrypt_rsa_public_key_t *key = this->key;
-	
-	free(this);
-	return key;
-}
-
-/**
- * Implementation of builder_t.add
- */
-static void add(private_builder_t *this, builder_part_t part, ...)
-{
-	if (!this->key)
-	{
-		va_list args;
-		
-		switch (part)
-		{
-			case BUILD_BLOB_ASN1_DER:
-			{
-				va_start(args, part);
-				this->key = load(va_arg(args, chunk_t));
-				va_end(args);
-				return;
-			}
-			default:
-				break;
-		}
-	}
-	if (this->key)
-	{
-		destroy((private_gcrypt_rsa_public_key_t*)this->key);
-	}
-	builder_cancel(&this->public);
-}
 
-/**
- * Builder construction function
- */
-builder_t *gcrypt_rsa_public_key_builder(key_type_t type)
-{
-	private_builder_t *this;
-	
-	if (type != KEY_RSA)
-	{
-		return NULL;
-	}
-	
-	this = malloc_thing(private_builder_t);
-	
-	this->key = NULL;
-	this->public.add = (void(*)(builder_t *this, builder_part_t part, ...))add;
-	this->public.build = (void*(*)(builder_t *this))build;
-	
 	return &this->public;
 }
 
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.h b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.h
index 102547276..fa18c357b 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.h
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.h
@@ -21,10 +21,11 @@
 #ifndef GCRYPT_RSA_PUBLIC_KEY_H_
 #define GCRYPT_RSA_PUBLIC_KEY_H_
 
-typedef struct gcrypt_rsa_public_key_t gcrypt_rsa_public_key_t;
-
+#include <credentials/builder.h>
 #include <credentials/keys/public_key.h>
 
+typedef struct gcrypt_rsa_public_key_t gcrypt_rsa_public_key_t;
+
 /**
  * public_key_t implementation of RSA algorithm using libgcrypt.
  */
@@ -37,11 +38,15 @@ struct gcrypt_rsa_public_key_t {
 };
 
 /**
- * Create the builder for a public key.
+ * Load a RSA public key using gcrypt.
+ *
+ * Accepts BUILD_RSA_* components.
  *
  * @param type		type of the key, must be KEY_RSA
- * @return			builder instance
+ * @param args		builder_part_t argument list
+ * @return			loaded key, NULL on failure
  */
-builder_t *gcrypt_rsa_public_key_builder(key_type_t type);
+gcrypt_rsa_public_key_t *gcrypt_rsa_public_key_load(key_type_t type,
+													va_list args);
 
 #endif /** GCRYPT_RSA_PUBLIC_KEY_H_ @}*/
diff --git a/src/libstrongswan/plugins/gmp/Makefile.in b/src/libstrongswan/plugins/gmp/Makefile.in
index 8d5dff34b..3077ea7e8 100644
--- a/src/libstrongswan/plugins/gmp/Makefile.in
+++ b/src/libstrongswan/plugins/gmp/Makefile.in
@@ -1,8 +1,9 @@
-# Makefile.in generated by automake 1.10.2 from Makefile.am.
+# Makefile.in generated by automake 1.11 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,8 +17,9 @@
 
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
@@ -35,19 +37,41 @@ host_triplet = @host@
 subdir = src/libstrongswan/plugins/gmp
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
 CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
 am__vpath_adj = case $$p in \
     $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
     *) f=$$p;; \
   esac;
-am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__installdirs = "$(DESTDIR)$(plugindir)"
-pluginLTLIBRARIES_INSTALL = $(INSTALL)
 LTLIBRARIES = $(plugin_LTLIBRARIES)
 libstrongswan_gmp_la_DEPENDENCIES =
 am_libstrongswan_gmp_la_OBJECTS = gmp_plugin.lo gmp_diffie_hellman.lo \
@@ -59,6 +83,7 @@ libstrongswan_gmp_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
+am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
@@ -106,25 +131,22 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
-IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
-LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
-LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
-LINUX_HEADERS = @LINUX_HEADERS@
 LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
 NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
@@ -136,11 +158,14 @@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
 PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
+RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
@@ -169,9 +194,9 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
-confdir = @confdir@
 datadir = @datadir@
 datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
@@ -194,7 +219,7 @@ ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
 libstrongswan_plugins = @libstrongswan_plugins@
-linuxdir = @linuxdir@
+linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
@@ -202,6 +227,7 @@ mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
@@ -210,10 +236,12 @@ pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+random_device = @random_device@
 resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
-simreader = @simreader@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
@@ -221,6 +249,7 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
@@ -246,9 +275,9 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/libstrongswan/plugins/gmp/Makefile'; \
-	cd $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu  src/libstrongswan/plugins/gmp/Makefile
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/gmp/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libstrongswan/plugins/gmp/Makefile
 .PRECIOUS: Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
@@ -266,23 +295,28 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
 	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
 	  if test -f $$p; then \
-	    f=$(am__strip_dir) \
-	    echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(plugindir)/$$f'"; \
-	    $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(plugindir)/$$f"; \
+	    list2="$$list2 $$p"; \
 	  else :; fi; \
-	done
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
 
 uninstall-pluginLTLIBRARIES:
 	@$(NORMAL_UNINSTALL)
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
-	  p=$(am__strip_dir) \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$p'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$p"; \
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
 	done
 
 clean-pluginLTLIBRARIES:
@@ -309,21 +343,21 @@ distclean-compile:
 
 .c.o:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c $<
 
 .c.obj:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
 @am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
@@ -346,7 +380,7 @@ tags: TAGS
 
 TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
+	set x; \
 	here=`pwd`; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
@@ -354,29 +388,34 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
 	  test -n "$$unique" || unique=$$empty_fix; \
-	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	    $$tags $$unique; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
 	fi
 ctags: CTAGS
 CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	test -z "$(CTAGS_ARGS)$$unique" \
 	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$tags $$unique
+	     $$unique
 
 GTAGS:
 	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && cd $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) $$here
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
 
 distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
@@ -397,13 +436,17 @@ distdir: $(DISTFILES)
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
 	  if test -d $$d/$$file; then \
 	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
 	    fi; \
-	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
 	  else \
-	    test -f $(distdir)/$$file \
-	    || cp -p $$d/$$file $(distdir)/$$file \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
 	    || exit 1; \
 	  fi; \
 	done
@@ -434,6 +477,7 @@ clean-generic:
 
 distclean-generic:
 	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -455,6 +499,8 @@ dvi-am:
 
 html: html-am
 
+html-am:
+
 info: info-am
 
 info-am:
@@ -463,18 +509,28 @@ install-data-am: install-pluginLTLIBRARIES
 
 install-dvi: install-dvi-am
 
+install-dvi-am:
+
 install-exec-am:
 
 install-html: install-html-am
 
+install-html-am:
+
 install-info: install-info-am
 
+install-info-am:
+
 install-man:
 
 install-pdf: install-pdf-am
 
+install-pdf-am:
+
 install-ps: install-ps-am
 
+install-ps-am:
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -513,6 +569,7 @@ uninstall-am: uninstall-pluginLTLIBRARIES
 	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
 	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
 
+
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c b/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c
index a03e83e66..ea7e6fdd2 100644
--- a/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c
+++ b/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c
@@ -282,7 +282,7 @@ static u_int8_t group18_modulus[] = {
 
 typedef struct modulus_entry_t modulus_entry_t;
 
-/** 
+/**
  * Entry of the modulus list.
  */
 struct modulus_entry_t {
@@ -290,25 +290,25 @@ struct modulus_entry_t {
 	 * Group number as it is defined in file transform_substructure.h.
 	 */
 	diffie_hellman_group_t group;
-	
+
 	/**
 	 * Pointer to first byte of modulus (network order).
 	 */
 	u_int8_t *modulus;
-	
-	/* 
+
+	/*
 	 * Length of modulus in bytes.
-	 */	
+	 */
 	size_t modulus_len;
-	
-	/* 
+
+	/*
 	 * Optimum length of exponent in bytes.
-	 */	
+	 */
 	size_t opt_exponent_len;
 
-	/* 
+	/*
 	 * Generator value.
-	 */	
+	 */
 	u_int16_t generator;
 };
 
@@ -336,47 +336,47 @@ struct private_gmp_diffie_hellman_t {
 	 * Public gmp_diffie_hellman_t interface.
 	 */
 	gmp_diffie_hellman_t public;
-	
+
 	/**
 	 * Diffie Hellman group number.
 	 */
 	u_int16_t group;
-	
-	/* 
+
+	/*
 	 * Generator value.
-	 */	
+	 */
 	mpz_t g;
-	
+
 	/**
 	 * My private value.
 	 */
 	mpz_t xa;
-	
+
 	/**
 	 * My public value.
 	 */
 	mpz_t ya;
-	
+
 	/**
 	 * Other public value.
-	 */	
+	 */
 	mpz_t yb;
-	
+
 	/**
 	 * Shared secret.
-	 */	
+	 */
 	mpz_t zz;
 
 	/**
 	 * Modulus.
 	 */
 	mpz_t p;
-	
+
 	/**
 	 * Modulus length.
 	 */
 	size_t p_len;
-	
+
 	/**
 	 * Optimal exponent length.
 	 */
@@ -394,13 +394,13 @@ struct private_gmp_diffie_hellman_t {
 static void set_other_public_value(private_gmp_diffie_hellman_t *this, chunk_t value)
 {
 	mpz_t p_min_1;
-	
+
 	mpz_init(p_min_1);
 	mpz_sub_ui(p_min_1, this->p, 1);
-	
+
 	mpz_import(this->yb, value.len, 1, 1, 1, 0, value.ptr);
-	
-	/* check public value: 
+
+	/* check public value:
 	 * 1. 0 or 1 is invalid as 0^a = 0 and 1^a = 1
 	 * 2. a public value larger or equal the modulus is invalid */
 	if (mpz_cmp_ui(this->yb, 1) > 0 &&
@@ -409,7 +409,7 @@ static void set_other_public_value(private_gmp_diffie_hellman_t *this, chunk_t v
 #ifdef EXTENDED_DH_TEST
 		/* 3. test if y ^ q mod p = 1, where q = (p - 1)/2. */
 		mpz_t q, one;
-		
+
 		mpz_init(q);
 		mpz_init(one);
 		mpz_fdiv_q_2exp(q, p_min_1, 1);
@@ -443,11 +443,11 @@ static void set_other_public_value(private_gmp_diffie_hellman_t *this, chunk_t v
 static void get_my_public_value(private_gmp_diffie_hellman_t *this,chunk_t *value)
 {
 	value->len = this->p_len;
-    value->ptr = mpz_export(NULL, NULL, 1, value->len, 1, 0, this->ya);
-    if (value->ptr == NULL)
-    {
-    	value->len = 0;
-    }
+	value->ptr = mpz_export(NULL, NULL, 1, value->len, 1, 0, this->ya);
+	if (value->ptr == NULL)
+	{
+		value->len = 0;
+	}
 }
 
 /**
@@ -483,7 +483,7 @@ static status_t set_modulus(private_gmp_diffie_hellman_t *this)
 {
 	int i;
 	status_t status = NOT_FOUND;
-	
+
 	for (i = 0; i < (sizeof(modulus_entries) / sizeof(modulus_entry_t)); i++)
 	{
 		if (modulus_entries[i].group == this->group)
@@ -533,7 +533,7 @@ gmp_diffie_hellman_t *gmp_diffie_hellman_create(diffie_hellman_group_t group)
 	this->public.dh.get_my_public_value = (void (*)(diffie_hellman_t *, chunk_t *)) get_my_public_value;
 	this->public.dh.get_dh_group = (diffie_hellman_group_t (*)(diffie_hellman_t *)) get_dh_group;
 	this->public.dh.destroy = (void (*)(diffie_hellman_t *)) destroy;
-	
+
 	/* private variables */
 	this->group = group;
 	mpz_init(this->p);
@@ -542,10 +542,10 @@ gmp_diffie_hellman_t *gmp_diffie_hellman_create(diffie_hellman_group_t group)
 	mpz_init(this->xa);
 	mpz_init(this->zz);
 	mpz_init(this->g);
-	
+
 	this->computed = FALSE;
-		
-	/* find a modulus according to group */	
+
+	/* find a modulus according to group */
 	if (set_modulus(this) != SUCCESS)
 	{
 		destroy(this);
@@ -561,7 +561,7 @@ gmp_diffie_hellman_t *gmp_diffie_hellman_create(diffie_hellman_group_t group)
 
 	ansi_x9_42 = lib->settings->get_int(lib->settings,
 					 "libstrongswan.dh_exponent_ansi_x9_42", TRUE);
-	exponent_len = (ansi_x9_42) ? this->p_len : this->opt_exponent_len;	
+	exponent_len = (ansi_x9_42) ? this->p_len : this->opt_exponent_len;
 	rng->allocate_bytes(rng, exponent_len, &random);
 	rng->destroy(rng);
 
@@ -575,7 +575,7 @@ gmp_diffie_hellman_t *gmp_diffie_hellman_create(diffie_hellman_group_t group)
 	DBG2("size of DH secret exponent: %u bits", mpz_sizeinbase(this->xa, 2));
 
 	mpz_powm(this->ya, this->g, this->xa, this->p);
-	
+
 	return &this->public;
 }
 
diff --git a/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.h b/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.h
index 774c31cc2..2a54eebb1 100644
--- a/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.h
+++ b/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.h
@@ -30,7 +30,7 @@ typedef struct gmp_diffie_hellman_t gmp_diffie_hellman_t;
  * Implementation of the Diffie-Hellman algorithm, as in RFC2631. Uses libgmp.
  */
 struct gmp_diffie_hellman_t {
-	
+
 	/**
 	 * Implements diffie_hellman_t interface.
 	 */
@@ -39,7 +39,7 @@ struct gmp_diffie_hellman_t {
 
 /**
  * Creates a new gmp_diffie_hellman_t object.
- * 
+ *
  * @param group			Diffie Hellman group number to use
  * @return				gmp_diffie_hellman_t object, NULL if not supported
  */
diff --git a/src/libstrongswan/plugins/gmp/gmp_plugin.c b/src/libstrongswan/plugins/gmp/gmp_plugin.c
index f6ea964c1..b70ff881c 100644
--- a/src/libstrongswan/plugins/gmp/gmp_plugin.c
+++ b/src/libstrongswan/plugins/gmp/gmp_plugin.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008 Martin Willi
+ * Copyright (C) 2008-2009 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -41,9 +41,11 @@ static void destroy(private_gmp_plugin_t *this)
 	lib->crypto->remove_dh(lib->crypto,
 						(dh_constructor_t)gmp_diffie_hellman_create);
 	lib->creds->remove_builder(lib->creds,
-						(builder_constructor_t)gmp_rsa_private_key_builder);
+						(builder_function_t)gmp_rsa_private_key_gen);
 	lib->creds->remove_builder(lib->creds,
-						(builder_constructor_t)gmp_rsa_public_key_builder);
+						(builder_function_t)gmp_rsa_private_key_load);
+	lib->creds->remove_builder(lib->creds,
+						(builder_function_t)gmp_rsa_public_key_load);
 	free(this);
 }
 
@@ -53,31 +55,33 @@ static void destroy(private_gmp_plugin_t *this)
 plugin_t *plugin_create()
 {
 	private_gmp_plugin_t *this = malloc_thing(private_gmp_plugin_t);
-	
+
 	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-	
-	lib->crypto->add_dh(lib->crypto, MODP_2048_BIT, 
+
+	lib->crypto->add_dh(lib->crypto, MODP_2048_BIT,
 						(dh_constructor_t)gmp_diffie_hellman_create);
-	lib->crypto->add_dh(lib->crypto, MODP_1536_BIT, 
+	lib->crypto->add_dh(lib->crypto, MODP_1536_BIT,
 						(dh_constructor_t)gmp_diffie_hellman_create);
-	lib->crypto->add_dh(lib->crypto, MODP_3072_BIT, 
+	lib->crypto->add_dh(lib->crypto, MODP_3072_BIT,
 						(dh_constructor_t)gmp_diffie_hellman_create);
-	lib->crypto->add_dh(lib->crypto, MODP_4096_BIT, 
+	lib->crypto->add_dh(lib->crypto, MODP_4096_BIT,
 						(dh_constructor_t)gmp_diffie_hellman_create);
-	lib->crypto->add_dh(lib->crypto, MODP_6144_BIT, 
+	lib->crypto->add_dh(lib->crypto, MODP_6144_BIT,
 						(dh_constructor_t)gmp_diffie_hellman_create);
-	lib->crypto->add_dh(lib->crypto, MODP_8192_BIT, 
+	lib->crypto->add_dh(lib->crypto, MODP_8192_BIT,
 						(dh_constructor_t)gmp_diffie_hellman_create);
 	lib->crypto->add_dh(lib->crypto, MODP_1024_BIT,
 						(dh_constructor_t)gmp_diffie_hellman_create);
-	lib->crypto->add_dh(lib->crypto, MODP_768_BIT, 
+	lib->crypto->add_dh(lib->crypto, MODP_768_BIT,
 						(dh_constructor_t)gmp_diffie_hellman_create);
-	
+
+	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+						(builder_function_t)gmp_rsa_private_key_gen);
 	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
-						(builder_constructor_t)gmp_rsa_private_key_builder);
+						(builder_function_t)gmp_rsa_private_key_load);
 	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
-						(builder_constructor_t)gmp_rsa_public_key_builder);
-	
+						(builder_function_t)gmp_rsa_public_key_load);
+
 	return &this->public.plugin;
 }
 
diff --git a/src/libstrongswan/plugins/gmp/gmp_plugin.h b/src/libstrongswan/plugins/gmp/gmp_plugin.h
index d707d78ea..77d53965d 100644
--- a/src/libstrongswan/plugins/gmp/gmp_plugin.h
+++ b/src/libstrongswan/plugins/gmp/gmp_plugin.h
@@ -16,7 +16,7 @@
 /**
  * @defgroup gmp_p gmp
  * @ingroup plugins
- * 
+ *
  * @defgroup gmp_plugin gmp_plugin
  * @{ @ingroup gmp_p
  */
diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c
index 259c8e9ad..1829bd459 100644
--- a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c
+++ b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2005-2008 Martin Willi
+ * Copyright (C) 2005-2009 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
  *
@@ -26,7 +26,6 @@
 #include <asn1/oid.h>
 #include <asn1/asn1.h>
 #include <asn1/asn1_parser.h>
-#include <pgp/pgp.h>
 
 /**
  *  Public exponent to use for key generation.
@@ -43,89 +42,82 @@ struct private_gmp_rsa_private_key_t {
 	 * Public interface for this signer.
 	 */
 	gmp_rsa_private_key_t public;
-	
-	/**
-	 * Version of key, as encoded in PKCS#1
-	 */
-	u_int version;
-	
+
 	/**
 	 * Public modulus.
 	 */
 	mpz_t n;
-	
+
 	/**
 	 * Public exponent.
 	 */
 	mpz_t e;
-	
+
 	/**
 	 * Private prime 1.
 	 */
 	mpz_t p;
-	
+
 	/**
 	 * Private Prime 2.
 	 */
 	mpz_t q;
-	
+
 	/**
 	 * Private exponent.
 	 */
 	mpz_t d;
-	
+
 	/**
 	 * Private exponent 1.
 	 */
 	mpz_t exp1;
-	
+
 	/**
 	 * Private exponent 2.
 	 */
 	mpz_t exp2;
-	
+
 	/**
 	 * Private coefficient.
 	 */
 	mpz_t coeff;
-	
+
 	/**
 	 * Keysize in bytes.
 	 */
 	size_t k;
 
-	/**
-	 * Keyid formed as a SHA-1 hash of a publicKey object
-	 */
-	identification_t* keyid;
-
-	/**
-	 * Keyid formed as a SHA-1 hash of a publicKeyInfo object
-	 */
-	identification_t* keyid_info;
-	
 	/**
 	 * reference count
 	 */
-	refcount_t ref;	
+	refcount_t ref;
 };
 
 /**
- * Shared functions defined in gmp_rsa_public_key.c
+ * Convert a MP integer into a chunk_t
  */
-extern bool gmp_rsa_public_key_build_id(mpz_t n, mpz_t e, 
-										identification_t **keyid,
-										identification_t **keyid_info);
-extern gmp_rsa_public_key_t *gmp_rsa_public_key_create_from_n_e(mpz_t n, mpz_t e);
+chunk_t gmp_mpz_to_chunk(const mpz_t value)
+{
+	chunk_t n;
+
+	n.len = 1 + mpz_sizeinbase(value, 2) / BITS_PER_BYTE;
+	n.ptr = mpz_export(NULL, NULL, 1, n.len, 1, 0, value);
+	if (n.ptr == NULL)
+	{	/* if we have zero in "value", gmp returns NULL */
+		n.len = 0;
+	}
+	return n;
+}
 
 /**
  * Auxiliary function overwriting private key material with zero bytes
  */
-static void mpz_clear_randomized(mpz_t z)
+static void mpz_clear_sensitive(mpz_t z)
 {
 	size_t len = mpz_size(z) * GMP_LIMB_BITS / BITS_PER_BYTE;
 	u_int8_t *random = alloca(len);
-	
+
 	memset(random, 0, len);
 	/* overwrite mpz_t with zero bytes before clearing it */
 	mpz_import(z, len, 1, 1, 1, 0, random);
@@ -140,28 +132,28 @@ static status_t compute_prime(private_gmp_rsa_private_key_t *this,
 {
 	rng_t *rng;
 	chunk_t random_bytes;
-	
+
 	rng = lib->crypto->create_rng(lib->crypto, RNG_TRUE);
 	if (!rng)
 	{
 		DBG1("no RNG of quality %N found", rng_quality_names, RNG_TRUE);
 		return FAILED;
 	}
-	
+
 	mpz_init(*prime);
 	do
 	{
 		rng->allocate_bytes(rng, prime_size, &random_bytes);
 		/* make sure most significant bit is set */
 		random_bytes.ptr[0] = random_bytes.ptr[0] | 0x80;
-		
+
 		mpz_import(*prime, random_bytes.len, 1, 1, 1, 0, random_bytes.ptr);
 		mpz_nextprime (*prime, *prime);
 		chunk_clear(&random_bytes);
 	}
 	/* check if it isn't too large */
 	while (((mpz_sizeinbase(*prime, 2) + 7) / 8) > prime_size);
-	
+
 	rng->destroy(rng);
 	return SUCCESS;
 }
@@ -173,32 +165,32 @@ static chunk_t rsadp(private_gmp_rsa_private_key_t *this, chunk_t data)
 {
 	mpz_t t1, t2;
 	chunk_t decrypted;
-	
+
 	mpz_init(t1);
 	mpz_init(t2);
-	
+
 	mpz_import(t1, data.len, 1, 1, 1, 0, data.ptr);
-	
+
 	mpz_powm(t2, t1, this->exp1, this->p);	/* m1 = c^dP mod p */
 	mpz_powm(t1, t1, this->exp2, this->q);	/* m2 = c^dQ mod Q */
 	mpz_sub(t2, t2, t1);					/* h = qInv (m1 - m2) mod p */
 	mpz_mod(t2, t2, this->p);
 	mpz_mul(t2, t2, this->coeff);
 	mpz_mod(t2, t2, this->p);
-	
+
 	mpz_mul(t2, t2, this->q);				/* m = m2 + h q */
 	mpz_add(t1, t1, t2);
-	
+
 	decrypted.len = this->k;
 	decrypted.ptr = mpz_export(NULL, NULL, 1, decrypted.len, 1, 0, t1);
 	if (decrypted.ptr == NULL)
 	{
 		decrypted.len = 0;
 	}
-	
-	mpz_clear_randomized(t1);
-	mpz_clear_randomized(t2);
-	
+
+	mpz_clear_sensitive(t1);
+	mpz_clear_sensitive(t2);
+
 	return decrypted;
 }
 
@@ -225,7 +217,7 @@ static bool build_emsa_pkcs1_signature(private_gmp_rsa_private_key_t *this,
 		hasher_t *hasher;
 		chunk_t hash;
 		int hash_oid = hasher_algorithm_to_oid(hash_algorithm);
-	
+
 		if (hash_oid == OID_UNKNOWN)
 		{
 			return FALSE;
@@ -238,9 +230,9 @@ static bool build_emsa_pkcs1_signature(private_gmp_rsa_private_key_t *this,
 		}
 		hasher->allocate_hash(hasher, data, &hash);
 		hasher->destroy(hasher);
-	
+
 		/* build DER-encoded digestInfo */
-		digestInfo = asn1_wrap(ASN1_SEQUENCE, "cm",
+		digestInfo = asn1_wrap(ASN1_SEQUENCE, "mm",
 						asn1_algorithmIdentifier(hash_oid),
 						asn1_simple_object(ASN1_OCTET_STRING, hash)
 					  );
@@ -254,15 +246,15 @@ static bool build_emsa_pkcs1_signature(private_gmp_rsa_private_key_t *this,
 		DBG1("unable to sign %d bytes using a %dbit key", data.len, this->k * 8);
 		return FALSE;
 	}
-	
+
 	/* build chunk to rsa-decrypt:
-	 * EM = 0x00 || 0x01 || PS || 0x00 || T. 
+	 * EM = 0x00 || 0x01 || PS || 0x00 || T.
 	 * PS = 0xFF padding, with length to fill em
 	 * T = encoded_hash
 	 */
 	em.len = this->k;
 	em.ptr = malloc(em.len);
-	
+
 	/* fill em with padding */
 	memset(em.ptr, 0xFF, em.len);
 	/* set magic bytes */
@@ -274,11 +266,11 @@ static bool build_emsa_pkcs1_signature(private_gmp_rsa_private_key_t *this,
 
 	/* build signature */
 	*signature = rsasp1(this, em);
-	
+
 	free(digestInfo.ptr);
 	free(em.ptr);
-	
-	return TRUE;	
+
+	return TRUE;
 }
 
 /**
@@ -292,7 +284,7 @@ static key_type_t get_type(private_gmp_rsa_private_key_t *this)
 /**
  * Implementation of gmp_rsa_private_key.sign.
  */
-static bool sign(private_gmp_rsa_private_key_t *this, signature_scheme_t scheme, 
+static bool sign(private_gmp_rsa_private_key_t *this, signature_scheme_t scheme,
 				 chunk_t data, chunk_t *signature)
 {
 	switch (scheme)
@@ -326,7 +318,7 @@ static bool decrypt(private_gmp_rsa_private_key_t *this, chunk_t crypto,
 {
 	chunk_t em, stripped;
 	bool success = FALSE;
-	
+
 	/* rsa decryption using PKCS#1 RSADP */
 	stripped = em = rsadp(this, crypto);
 
@@ -365,29 +357,23 @@ static size_t get_keysize(private_gmp_rsa_private_key_t *this)
 	return this->k;
 }
 
-/**
- * Implementation of gmp_rsa_private_key.get_id.
- */
-static identification_t* get_id(private_gmp_rsa_private_key_t *this,
-								id_type_t type)
-{
-	switch (type)
-	{
-		case ID_PUBKEY_INFO_SHA1:
-			return this->keyid_info;
-		case ID_PUBKEY_SHA1:
-			return this->keyid;
-		default:
-			return NULL;
-	}
-}
-
 /**
  * Implementation of gmp_rsa_private_key.get_public_key.
  */
-static gmp_rsa_public_key_t* get_public_key(private_gmp_rsa_private_key_t *this)
+static public_key_t* get_public_key(private_gmp_rsa_private_key_t *this)
 {
-	return gmp_rsa_public_key_create_from_n_e(this->n, this->e);
+	chunk_t n, e;
+	public_key_t *public;
+
+	n = gmp_mpz_to_chunk(this->n);
+	e = gmp_mpz_to_chunk(this->e);
+
+	public = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
+						BUILD_RSA_MODULUS, n, BUILD_RSA_PUB_EXP, e, BUILD_END);
+	chunk_free(&n);
+	chunk_free(&e);
+
+	return public;
 }
 
 /**
@@ -395,27 +381,7 @@ static gmp_rsa_public_key_t* get_public_key(private_gmp_rsa_private_key_t *this)
  */
 static bool equals(private_gmp_rsa_private_key_t *this, private_key_t *other)
 {
-	identification_t *keyid;
-
-	if (&this->public.interface == other)
-	{
-		return TRUE;
-	}
-	if (other->get_type(other) != KEY_RSA)
-	{
-		return FALSE;
-	}
-	keyid = other->get_id(other, ID_PUBKEY_SHA1);
-	if (keyid && keyid->equals(keyid, this->keyid))
-	{
-		return TRUE;
-	}
-	keyid = other->get_id(other, ID_PUBKEY_INFO_SHA1);
-	if (keyid && keyid->equals(keyid, this->keyid_info))
-	{
-		return TRUE;
-	}
-	return FALSE;
+	return private_key_equals(&this->public.interface, other);
 }
 
 /**
@@ -423,64 +389,67 @@ static bool equals(private_gmp_rsa_private_key_t *this, private_key_t *other)
  */
 static bool belongs_to(private_gmp_rsa_private_key_t *this, public_key_t *public)
 {
-	identification_t *keyid;
-
-	if (public->get_type(public) != KEY_RSA)
-	{
-		return FALSE;
-	}
-	keyid = public->get_id(public, ID_PUBKEY_SHA1);
-	if (keyid && keyid->equals(keyid, this->keyid))
-	{
-		return TRUE;
-	}
-	keyid = public->get_id(public, ID_PUBKEY_INFO_SHA1);
-	if (keyid && keyid->equals(keyid, this->keyid_info))
-	{
-		return TRUE;
-	}
-	return FALSE;
+	return private_key_belongs_to(&this->public.interface, public);
 }
 
 /**
- * Convert a MP integer into a chunk_t
+ * Implementation of private_key_t.get_encoding
  */
-chunk_t gmp_mpz_to_chunk(const mpz_t value)
+static bool get_encoding(private_gmp_rsa_private_key_t *this,
+						 key_encoding_type_t type, chunk_t *encoding)
 {
-	chunk_t n;
-	
-	n.len = 1 + mpz_sizeinbase(value, 2) / BITS_PER_BYTE;
-	n.ptr = mpz_export(NULL, NULL, 1, n.len, 1, 0, value);
-	if (n.ptr == NULL)
-	{	/* if we have zero in "value", gmp returns NULL */
-		n.len = 0;
-	}
-	return n;
-}
+	chunk_t n, e, d, p, q, exp1, exp2, coeff;
+	bool success;
+
+	n = gmp_mpz_to_chunk(this->n);
+	e = gmp_mpz_to_chunk(this->e);
+	d = gmp_mpz_to_chunk(this->d);
+	p = gmp_mpz_to_chunk(this->p);
+	q = gmp_mpz_to_chunk(this->q);
+	exp1 = gmp_mpz_to_chunk(this->exp1);
+	exp2 = gmp_mpz_to_chunk(this->exp2);
+	coeff = gmp_mpz_to_chunk(this->coeff);
+
+	success = lib->encoding->encode(lib->encoding,
+							type, NULL, encoding, KEY_PART_RSA_MODULUS, n,
+							KEY_PART_RSA_PUB_EXP, e, KEY_PART_RSA_PRIV_EXP, d,
+							KEY_PART_RSA_PRIME1, p, KEY_PART_RSA_PRIME2, q,
+							KEY_PART_RSA_EXP1, exp1, KEY_PART_RSA_EXP2, exp2,
+							KEY_PART_RSA_COEFF, coeff, KEY_PART_END);
+	chunk_free(&n);
+	chunk_free(&e);
+	chunk_clear(&d);
+	chunk_clear(&p);
+	chunk_clear(&q);
+	chunk_clear(&exp1);
+	chunk_clear(&exp2);
+	chunk_clear(&coeff);
 
-/**
- * Convert a MP integer into a DER coded ASN.1 object
- */
-chunk_t gmp_mpz_to_asn1(const mpz_t value)
-{
-	return asn1_wrap(ASN1_INTEGER, "m", gmp_mpz_to_chunk(value));
+	return success;
 }
 
 /**
- * Implementation of private_key_t.get_encoding.
+ * Implementation of private_key_t.get_fingerprint
  */
-static chunk_t get_encoding(private_gmp_rsa_private_key_t *this)
+static bool get_fingerprint(private_gmp_rsa_private_key_t *this,
+							key_encoding_type_t type, chunk_t *fp)
 {
-	return asn1_wrap(ASN1_SEQUENCE, "cmmmmmmmm",
-					 ASN1_INTEGER_0,
-					 gmp_mpz_to_asn1(this->n),
-					 gmp_mpz_to_asn1(this->e),
-					 gmp_mpz_to_asn1(this->d),
-					 gmp_mpz_to_asn1(this->p),
-					 gmp_mpz_to_asn1(this->q),
-					 gmp_mpz_to_asn1(this->exp1),
-					 gmp_mpz_to_asn1(this->exp2),
-					 gmp_mpz_to_asn1(this->coeff));
+	chunk_t n, e;
+	bool success;
+
+	if (lib->encoding->get_cache(lib->encoding, type, this, fp))
+	{
+		return TRUE;
+	}
+	n = gmp_mpz_to_chunk(this->n);
+	e = gmp_mpz_to_chunk(this->e);
+
+	success = lib->encoding->encode(lib->encoding, type, this, fp,
+				KEY_PART_RSA_MODULUS, n, KEY_PART_RSA_PUB_EXP, e, KEY_PART_END);
+	chunk_free(&n);
+	chunk_free(&e);
+
+	return success;
 }
 
 /**
@@ -490,7 +459,6 @@ static private_gmp_rsa_private_key_t* get_ref(private_gmp_rsa_private_key_t *thi
 {
 	ref_get(&this->ref);
 	return this;
-
 }
 
 /**
@@ -500,16 +468,15 @@ static void destroy(private_gmp_rsa_private_key_t *this)
 {
 	if (ref_put(&this->ref))
 	{
-		mpz_clear_randomized(this->n);
-		mpz_clear_randomized(this->e);
-		mpz_clear_randomized(this->p);
-		mpz_clear_randomized(this->q);
-		mpz_clear_randomized(this->d);
-		mpz_clear_randomized(this->exp1);
-		mpz_clear_randomized(this->exp2);
-		mpz_clear_randomized(this->coeff);
-		DESTROY_IF(this->keyid);
-		DESTROY_IF(this->keyid_info);
+		mpz_clear_sensitive(this->n);
+		mpz_clear_sensitive(this->e);
+		mpz_clear_sensitive(this->p);
+		mpz_clear_sensitive(this->q);
+		mpz_clear_sensitive(this->d);
+		mpz_clear_sensitive(this->exp1);
+		mpz_clear_sensitive(this->exp2);
+		mpz_clear_sensitive(this->coeff);
+		lib->encoding->clear_cache(lib->encoding, this);
 		free(this);
 	}
 }
@@ -521,7 +488,7 @@ static status_t check(private_gmp_rsa_private_key_t *this)
 {
 	mpz_t t, u, q1;
 	status_t status = SUCCESS;
-	
+
 	/* PKCS#1 1.5 section 6 requires modulus to have at least 12 octets.
 	 * We actually require more (for security).
 	 */
@@ -530,25 +497,25 @@ static status_t check(private_gmp_rsa_private_key_t *this)
 		DBG1("key shorter than 512 bits");
 		return FAILED;
 	}
-	
+
 	/* we picked a max modulus size to simplify buffer allocation */
 	if (this->k > 8192 / BITS_PER_BYTE)
 	{
 		DBG1("key larger than 8192 bits");
 		return FAILED;
 	}
-	
+
 	mpz_init(t);
 	mpz_init(u);
 	mpz_init(q1);
-	
+
 	/* check that n == p * q */
 	mpz_mul(u, this->p, this->q);
 	if (mpz_cmp(u, this->n) != 0)
 	{
 		status = FAILED;
 	}
-	
+
 	/* check that e divides neither p-1 nor q-1 */
 	mpz_sub_ui(t, this->p, 1);
 	mpz_mod(t, t, this->e);
@@ -556,14 +523,14 @@ static status_t check(private_gmp_rsa_private_key_t *this)
 	{
 		status = FAILED;
 	}
-	
+
 	mpz_sub_ui(t, this->q, 1);
 	mpz_mod(t, t, this->e);
 	if (mpz_cmp_ui(t, 0) == 0)
 	{
 		status = FAILED;
 	}
-	
+
 	/* check that d is e^-1 (mod lcm(p-1, q-1)) */
 	/* see PKCS#1v2, aka RFC 2437, for the "lcm" */
 	mpz_sub_ui(q1, this->q, 1);
@@ -571,14 +538,14 @@ static status_t check(private_gmp_rsa_private_key_t *this)
 	mpz_gcd(t, u, q1);		/* t := gcd(p-1, q-1) */
 	mpz_mul(u, u, q1);		/* u := (p-1) * (q-1) */
 	mpz_divexact(u, u, t);	/* u := lcm(p-1, q-1) */
-	
+
 	mpz_mul(t, this->d, this->e);
 	mpz_mod(t, t, u);
 	if (mpz_cmp_ui(t, 1) != 0)
 	{
 		status = FAILED;
 	}
-	
+
 	/* check that exp1 is d mod (p-1) */
 	mpz_sub_ui(u, this->p, 1);
 	mpz_mod(t, this->d, u);
@@ -586,7 +553,7 @@ static status_t check(private_gmp_rsa_private_key_t *this)
 	{
 		status = FAILED;
 	}
-	
+
 	/* check that exp2 is d mod (q-1) */
 	mpz_sub_ui(u, this->q, 1);
 	mpz_mod(t, this->d, u);
@@ -594,7 +561,7 @@ static status_t check(private_gmp_rsa_private_key_t *this)
 	{
 		status = FAILED;
 	}
-	
+
 	/* check that coeff is (q^-1) mod p */
 	mpz_mul(t, this->coeff, this->q);
 	mpz_mod(t, t, this->p);
@@ -602,10 +569,10 @@ static status_t check(private_gmp_rsa_private_key_t *this)
 	{
 		status = FAILED;
 	}
-	
-	mpz_clear_randomized(t);
-	mpz_clear_randomized(u);
-	mpz_clear_randomized(q1);
+
+	mpz_clear_sensitive(t);
+	mpz_clear_sensitive(u);
+	mpz_clear_sensitive(q1);
 	if (status != SUCCESS)
 	{
 		DBG1("key integrity tests failed");
@@ -619,63 +586,82 @@ static status_t check(private_gmp_rsa_private_key_t *this)
 static private_gmp_rsa_private_key_t *gmp_rsa_private_key_create_empty(void)
 {
 	private_gmp_rsa_private_key_t *this = malloc_thing(private_gmp_rsa_private_key_t);
-	
+
 	this->public.interface.get_type = (key_type_t (*) (private_key_t*))get_type;
 	this->public.interface.sign = (bool (*) (private_key_t*, signature_scheme_t, chunk_t, chunk_t*))sign;
 	this->public.interface.decrypt = (bool (*) (private_key_t*, chunk_t, chunk_t*))decrypt;
 	this->public.interface.get_keysize = (size_t (*) (private_key_t*))get_keysize;
-	this->public.interface.get_id = (identification_t* (*) (private_key_t*, id_type_t))get_id;
 	this->public.interface.get_public_key = (public_key_t* (*) (private_key_t*))get_public_key;
 	this->public.interface.equals = (bool (*) (private_key_t*, private_key_t*))equals;
 	this->public.interface.belongs_to = (bool (*) (private_key_t*, public_key_t*))belongs_to;
-	this->public.interface.get_encoding = (chunk_t (*) (private_key_t*))get_encoding;
+	this->public.interface.get_fingerprint = (bool(*)(private_key_t*, key_encoding_type_t type, chunk_t *fp))get_fingerprint;
+	this->public.interface.has_fingerprint = (bool(*)(private_key_t*, chunk_t fp))private_key_has_fingerprint;
+	this->public.interface.get_encoding = (bool(*)(private_key_t*, key_encoding_type_t type, chunk_t *encoding))get_encoding;
 	this->public.interface.get_ref = (private_key_t* (*) (private_key_t*))get_ref;
 	this->public.interface.destroy = (void (*) (private_key_t*))destroy;
-	
-	this->keyid = NULL;
-	this->keyid_info = NULL;
+
 	this->ref = 1;
-	
+
 	return this;
 }
 
 /**
- * Generate an RSA key of specified key size
+ * See header.
  */
-static gmp_rsa_private_key_t *generate(size_t key_size)
+gmp_rsa_private_key_t *gmp_rsa_private_key_gen(key_type_t type, va_list args)
 {
-	mpz_t p, q, n, e, d, exp1, exp2, coeff;
-	mpz_t m, q1, t;
-	private_gmp_rsa_private_key_t *this = gmp_rsa_private_key_create_empty();
-	
+	mpz_t p, q, n, e, d, exp1, exp2, coeff, m, q1, t;
+	private_gmp_rsa_private_key_t *this;
+	u_int key_size = 0;
+
+	while (TRUE)
+	{
+		switch (va_arg(args, builder_part_t))
+		{
+			case BUILD_KEY_SIZE:
+				key_size = va_arg(args, u_int);
+				continue;
+			case BUILD_END:
+				break;
+			default:
+				return NULL;
+		}
+		break;
+	}
+	if (!key_size)
+	{
+		return NULL;
+	}
+
+	this = gmp_rsa_private_key_create_empty();
 	key_size = key_size / BITS_PER_BYTE;
-	
+
 	/* Get values of primes p and q  */
 	if (compute_prime(this, key_size/2, &p) != SUCCESS)
 	{
 		free(this);
 		return NULL;
-	}	
+	}
 	if (compute_prime(this, key_size/2, &q) != SUCCESS)
 	{
 		mpz_clear(p);
 		free(this);
 		return NULL;
 	}
-	
-	mpz_init(t);	
+
+	mpz_init(t);
 	mpz_init(n);
 	mpz_init(d);
 	mpz_init(exp1);
 	mpz_init(exp2);
 	mpz_init(coeff);
-	
+
 	/* Swapping Primes so p is larger then q */
 	if (mpz_cmp(p, q) < 0)
 	{
 		mpz_swap(p, q);
 	}
-	
+
 	mpz_mul(n, p, q);						/* n = p*q */
 	mpz_init_set_ui(e, PUBLIC_EXPONENT);	/* assign public exponent */
 	mpz_init_set(m, p); 					/* m = p */
@@ -696,16 +682,16 @@ static gmp_rsa_private_key_t *generate(size_t key_size)
 	mpz_mod(exp1, d, t);					/* exp1 = d mod p-1 */
 	mpz_sub_ui(t, q, 1);					/* t = q-1 */
 	mpz_mod(exp2, d, t);					/* exp2 = d mod q-1 */
-	
+
 	mpz_invert(coeff, q, p);				/* coeff = q^-1 mod p */
 	if (mpz_cmp_ui(coeff, 0) < 0)			/* make coeff d is positive */
 	{
 		mpz_add(coeff, coeff, p);
 	}
 
-	mpz_clear_randomized(q1);
-	mpz_clear_randomized(m);
-	mpz_clear_randomized(t);
+	mpz_clear_sensitive(q1);
+	mpz_clear_sensitive(m);
+	mpz_clear_sensitive(t);
 
 	/* apply values */
 	*(this->p) = *p;
@@ -716,145 +702,60 @@ static gmp_rsa_private_key_t *generate(size_t key_size)
 	*(this->exp1) = *exp1;
 	*(this->exp2) = *exp2;
 	*(this->coeff) = *coeff;
-	
+
 	/* set key size in bytes */
 	this->k = key_size;
-	
+
 	return &this->public;
 }
 
 /**
- * ASN.1 definition of a PKCS#1 RSA private key
- */
-static const asn1Object_t privkeyObjects[] = {
-	{ 0, "RSAPrivateKey",		ASN1_SEQUENCE,     ASN1_NONE }, /*  0 */
-	{ 1,   "version",			ASN1_INTEGER,      ASN1_BODY }, /*  1 */
-	{ 1,   "modulus",			ASN1_INTEGER,      ASN1_BODY }, /*  2 */
-	{ 1,   "publicExponent",	ASN1_INTEGER,      ASN1_BODY }, /*  3 */
-	{ 1,   "privateExponent",	ASN1_INTEGER,      ASN1_BODY }, /*  4 */
-	{ 1,   "prime1",			ASN1_INTEGER,      ASN1_BODY }, /*  5 */
-	{ 1,   "prime2",			ASN1_INTEGER,      ASN1_BODY }, /*  6 */
-	{ 1,   "exponent1",			ASN1_INTEGER,      ASN1_BODY }, /*  7 */
-	{ 1,   "exponent2",			ASN1_INTEGER,      ASN1_BODY }, /*  8 */
-	{ 1,   "coefficient",		ASN1_INTEGER,      ASN1_BODY }, /*  9 */
-	{ 1,   "otherPrimeInfos",	ASN1_SEQUENCE,     ASN1_OPT |
-												   ASN1_LOOP }, /* 10 */
-	{ 2,     "otherPrimeInfo",	ASN1_SEQUENCE,     ASN1_NONE }, /* 11 */
-	{ 3,       "prime",			ASN1_INTEGER,      ASN1_BODY }, /* 12 */
-	{ 3,       "exponent",		ASN1_INTEGER,      ASN1_BODY }, /* 13 */
-	{ 3,       "coefficient",	ASN1_INTEGER,      ASN1_BODY }, /* 14 */
-	{ 1,   "end opt or loop",	ASN1_EOC,          ASN1_END  }, /* 15 */
-	{ 0, "exit",				ASN1_EOC,          ASN1_EXIT }
-};
-#define PRIV_KEY_VERSION		 1
-#define PRIV_KEY_MODULUS		 2
-#define PRIV_KEY_PUB_EXP		 3
-#define PRIV_KEY_PRIV_EXP		 4
-#define PRIV_KEY_PRIME1			 5
-#define PRIV_KEY_PRIME2			 6
-#define PRIV_KEY_EXP1			 7
-#define PRIV_KEY_EXP2			 8
-#define PRIV_KEY_COEFF			 9
-
-/**
- * load private key from a ASN1 encoded blob
+ * See header.
  */
-static gmp_rsa_private_key_t *load_asn1_der(chunk_t blob)
+gmp_rsa_private_key_t *gmp_rsa_private_key_load(key_type_t type, va_list args)
 {
-	asn1_parser_t *parser;
-	chunk_t object;
-	int objectID ;
-	bool success = FALSE;
+	chunk_t n, e, d, p, q, exp1, exp2, coeff;
+	private_gmp_rsa_private_key_t *this;
 
-	private_gmp_rsa_private_key_t *this = gmp_rsa_private_key_create_empty();
-	
-	mpz_init(this->n);
-	mpz_init(this->e);
-	mpz_init(this->p);
-	mpz_init(this->q);
-	mpz_init(this->d);
-	mpz_init(this->exp1);
-	mpz_init(this->exp2);
-	mpz_init(this->coeff);
-	
-	parser = asn1_parser_create(privkeyObjects, blob);
-	parser->set_flags(parser, FALSE, TRUE);
-	
-	while (parser->iterate(parser, &objectID, &object))
+	n = e = d = p = q = exp1 = exp2 = coeff = chunk_empty;
+	while (TRUE)
 	{
-		switch (objectID)
+		switch (va_arg(args, builder_part_t))
 		{
-			case PRIV_KEY_VERSION:
-				if (object.len > 0 && *object.ptr != 0)
-				{
-					DBG1("PKCS#1 private key format is not version 1");
-					goto end;
-				}
-				break;
-			case PRIV_KEY_MODULUS:
-				mpz_import(this->n, object.len, 1, 1, 1, 0, object.ptr);
-				break;
-			case PRIV_KEY_PUB_EXP:
-				mpz_import(this->e, object.len, 1, 1, 1, 0, object.ptr);
-				break;
-			case PRIV_KEY_PRIV_EXP:
-				mpz_import(this->d, object.len, 1, 1, 1, 0, object.ptr);
-				break;
-			case PRIV_KEY_PRIME1:
-				mpz_import(this->p, object.len, 1, 1, 1, 0, object.ptr);
-				break;
-			case PRIV_KEY_PRIME2:
-				mpz_import(this->q, object.len, 1, 1, 1, 0, object.ptr);
-				break;
-			case PRIV_KEY_EXP1:
-				mpz_import(this->exp1, object.len, 1, 1, 1, 0, object.ptr);
-				break;
-			case PRIV_KEY_EXP2:
-				mpz_import(this->exp2, object.len, 1, 1, 1, 0, object.ptr);
-				break;
-			case PRIV_KEY_COEFF:
-				mpz_import(this->coeff, object.len, 1, 1, 1, 0, object.ptr);
+			case BUILD_RSA_MODULUS:
+				n = va_arg(args, chunk_t);
+				continue;
+			case BUILD_RSA_PUB_EXP:
+				e = va_arg(args, chunk_t);
+				continue;
+			case BUILD_RSA_PRIV_EXP:
+				d = va_arg(args, chunk_t);
+				continue;
+			case BUILD_RSA_PRIME1:
+				p = va_arg(args, chunk_t);
+				continue;
+			case BUILD_RSA_PRIME2:
+				q = va_arg(args, chunk_t);
+				continue;
+			case BUILD_RSA_EXP1:
+				exp1 = va_arg(args, chunk_t);
+				continue;
+			case BUILD_RSA_EXP2:
+				exp2 = va_arg(args, chunk_t);
+				continue;
+			case BUILD_RSA_COEFF:
+				coeff = va_arg(args, chunk_t);
+				continue;
+			case BUILD_END:
 				break;
+			default:
+				return NULL;
 		}
+		break;
 	}
-	success = parser->success(parser);
 
-end:
-	parser->destroy(parser);
-	chunk_clear(&blob);
+	this = gmp_rsa_private_key_create_empty();
 
-	if (!success)
-	{
-		destroy(this);
-		return NULL;
-	}
-	
-	this->k = (mpz_sizeinbase(this->n, 2) + 7) / BITS_PER_BYTE;
-
-	if (!gmp_rsa_public_key_build_id(this->n, this->e,
-									 &this->keyid, &this->keyid_info))
-	{
-		destroy(this);
-		return NULL;
-	}
-	if (check(this) != SUCCESS)
-	{
-		destroy(this);
-		return NULL;
-	}
-	return &this->public;
-}
-
-/**
- * load private key from an OpenPGP blob coded according to section 
- */
-static gmp_rsa_private_key_t *load_pgp(chunk_t blob)
-{
-	mpz_t u;
-	int objectID;
-	chunk_t packet = blob;
-	private_gmp_rsa_private_key_t *this = gmp_rsa_private_key_create_empty();
-	
 	mpz_init(this->n);
 	mpz_init(this->e);
 	mpz_init(this->p);
@@ -864,205 +765,36 @@ static gmp_rsa_private_key_t *load_pgp(chunk_t blob)
 	mpz_init(this->exp2);
 	mpz_init(this->coeff);
 
-	for (objectID = PRIV_KEY_MODULUS; objectID <= PRIV_KEY_COEFF; objectID++)
-	{
-		chunk_t object;	
-
-		switch (objectID)
-		{
-			case PRIV_KEY_PRIV_EXP:
-			{
-				pgp_sym_alg_t s2k;
-
-				/* string-to-key usage */
-				s2k = pgp_length(&packet, 1);
-				DBG2("L3 - string-to-key:  %d", s2k);
-
-				if (s2k == 255 || s2k == 254)
-				{
-					DBG1("string-to-key specifiers not supported");
-					goto end;
-				}
-				DBG2("  %N", pgp_sym_alg_names, s2k);
-
-				if (s2k != PGP_SYM_ALG_PLAIN)
-				{
-					DBG1("%N encryption not supported",  pgp_sym_alg_names, s2k);
-					goto end;
-				}
-				break;
-			}
-			case PRIV_KEY_EXP1:
-			case PRIV_KEY_EXP2:
-				/* not contained in OpenPGP secret key payload */
-				continue;
-			default:
-				break;
-		}		
-
-		DBG2("L3 - %s:", privkeyObjects[objectID].name);
-		object.len = pgp_length(&packet, 2);
-
-		if (object.len == PGP_INVALID_LENGTH)
-		{
-			DBG1("OpenPGP length is invalid");
-			goto end;
-		}
-		object.len = (object.len + 7) / BITS_PER_BYTE;
-		if (object.len > packet.len)
-		{
-			DBG1("OpenPGP field is too short");
-			goto end;
-		}
-		object.ptr = packet.ptr;
-		packet.ptr += object.len;
-		packet.len -= object.len;
-		DBG4("%B", &object);
-
-		switch (objectID)
-		{
-			case PRIV_KEY_MODULUS:
-				mpz_import(this->n, object.len, 1, 1, 1, 0, object.ptr);
-				break;
-			case PRIV_KEY_PUB_EXP:
-				mpz_import(this->e, object.len, 1, 1, 1, 0, object.ptr);
-				break;
-			case PRIV_KEY_PRIV_EXP:
-				mpz_import(this->d, object.len, 1, 1, 1, 0, object.ptr);
-				break;
-			case PRIV_KEY_PRIME1:
-				mpz_import(this->q, object.len, 1, 1, 1, 0, object.ptr);
-				break;
-			case PRIV_KEY_PRIME2:
-				mpz_import(this->p, object.len, 1, 1, 1, 0, object.ptr);
-				break;
-			case PRIV_KEY_COEFF:
-				mpz_import(this->coeff, object.len, 1, 1, 1, 0, object.ptr);
-				break;
-		}
-	}
-
-	/* auxiliary variable */
-	mpz_init(u);
-
-	/* exp1 = d mod (p-1) */
-	mpz_sub_ui(u, this->p, 1);
-	mpz_mod(this->exp1, this->d, u);
-
-	/* exp2 = d mod (q-1) */
-	mpz_sub_ui(u, this->q, 1);
-	mpz_mod(this->exp2, this->d, u);
-
-	mpz_clear(u);
-	chunk_clear(&blob);
-
-	this->k = (mpz_sizeinbase(this->n, 2) + 7) / BITS_PER_BYTE;
-
-	if (!gmp_rsa_public_key_build_id(this->n, this->e,
-									 &this->keyid, &this->keyid_info))
-	{
-		destroy(this);
-		return NULL;
+	mpz_import(this->n, n.len, 1, 1, 1, 0, n.ptr);
+	mpz_import(this->e, e.len, 1, 1, 1, 0, e.ptr);
+	mpz_import(this->d, d.len, 1, 1, 1, 0, d.ptr);
+	mpz_import(this->p, p.len, 1, 1, 1, 0, p.ptr);
+	mpz_import(this->q, q.len, 1, 1, 1, 0, q.ptr);
+	mpz_import(this->coeff, coeff.len, 1, 1, 1, 0, coeff.ptr);
+	if (!exp1.len)
+	{	/* exp1 missing in key, recalculate: exp1 = d mod (p-1) */
+		mpz_sub_ui(this->exp1, this->p, 1);
+		mpz_mod(this->exp1, this->d, this->exp1);
 	}
-	if (check(this) != SUCCESS)
+	else
 	{
-		destroy(this);
-		return NULL;
+		mpz_import(this->exp1, exp1.len, 1, 1, 1, 0, exp1.ptr);
 	}
-	return &this->public;
-
-end:
-	chunk_clear(&blob);
-	destroy(this);
-	return NULL;
-}
-
-typedef struct private_builder_t private_builder_t;
-/**
- * Builder implementation for key loading/generation
- */
-struct private_builder_t {
-	/** implements the builder interface */
-	builder_t public;
-	/** loaded/generated private key */
-	gmp_rsa_private_key_t *key;
-};
-
-/**
- * Implementation of builder_t.build
- */
-static gmp_rsa_private_key_t *build(private_builder_t *this)
-{
-	gmp_rsa_private_key_t *key = this->key;
-	
-	free(this);
-	return key;
-}
-
-/**
- * Implementation of builder_t.add
- */
-static void add(private_builder_t *this, builder_part_t part, ...)
-{
-	if (!this->key)
-	{
-		va_list args;
-		chunk_t chunk;
-	
-		switch (part)
-		{
-			case BUILD_BLOB_ASN1_DER:
-			{
-				va_start(args, part);
-				chunk = va_arg(args, chunk_t);
-				this->key = load_asn1_der(chunk_clone(chunk));
-				va_end(args);
-				return;
-			}		
-			case BUILD_BLOB_PGP:
-			{
-				va_start(args, part);
-				chunk = va_arg(args, chunk_t);
-				this->key = load_pgp(chunk_clone(chunk));
-				va_end(args);
-				return;
-			}		
-			case BUILD_KEY_SIZE:
-			{
-				va_start(args, part);
-				this->key = generate(va_arg(args, u_int));
-				va_end(args);
-				return;
-			}
-			default:
-				break;
-		}
+	if (!exp2.len)
+	{	/* exp2 missing in key, recalculate: exp2 = d mod (q-1) */
+		mpz_sub_ui(this->exp2, this->q, 1);
+		mpz_mod(this->exp2, this->d, this->exp2);
 	}
-	if (this->key)
+	else
 	{
-		destroy((private_gmp_rsa_private_key_t*)this->key);
+		mpz_import(this->exp2, exp2.len, 1, 1, 1, 0, exp2.ptr);
 	}
-	builder_cancel(&this->public);
-}
-
-/**
- * Builder construction function
- */
-builder_t *gmp_rsa_private_key_builder(key_type_t type)
-{
-	private_builder_t *this;
-	
-	if (type != KEY_RSA)
+	this->k = (mpz_sizeinbase(this->n, 2) + 7) / BITS_PER_BYTE;
+	if (check(this) != SUCCESS)
 	{
+		destroy(this);
 		return NULL;
 	}
-	
-	this = malloc_thing(private_builder_t);
-	
-	this->key = NULL;
-	this->public.add = (void(*)(builder_t *this, builder_part_t part, ...))add;
-	this->public.build = (void*(*)(builder_t *this))build;
-	
 	return &this->public;
 }
 
diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.h b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.h
index d47e2583d..db1fcf535 100644
--- a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.h
+++ b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2005-2008 Martin Willi
+ * Copyright (C) 2005-2009 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -21,6 +21,7 @@
 #ifndef GMP_RSA_PRIVATE_KEY_H_
 #define GMP_RSA_PRIVATE_KEY_H_
 
+#include <credentials/builder.h>
 #include <credentials/keys/private_key.h>
 
 typedef struct gmp_rsa_private_key_t gmp_rsa_private_key_t;
@@ -37,12 +38,25 @@ struct gmp_rsa_private_key_t {
 };
 
 /**
- * Create the builder for a private key.
+ * Generated a RSA private keys using libgmp.
+ *
+ * Accepts the BUILD_KEY_SIZE argument.
  *
  * @param type		type of the key, must be KEY_RSA
- * @return 			builder instance
+ * @param args		builder_part_t argument list
+ * @return 			generated key, NULL on failure
  */
-builder_t *gmp_rsa_private_key_builder(key_type_t type);
+gmp_rsa_private_key_t *gmp_rsa_private_key_gen(key_type_t type, va_list args);
 
-#endif /** GMP_RSA_PRIVATE_KEY_H_ @}*/
+/**
+ * Loaded a RSA private keys using libgmp.
+ *
+ * Accepts BUILD_RSA_* components.
+ *
+ * @param type		type of the key, must be KEY_RSA
+ * @param args		builder_part_t argument list
+ * @return 			loaded key, NULL on failure
+ */
+gmp_rsa_private_key_t *gmp_rsa_private_key_load(key_type_t type, va_list args);
 
+#endif /** GMP_RSA_PRIVATE_KEY_H_ @}*/
diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
index c26187c64..5fea69131 100644
--- a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
+++ b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2005-2008 Martin Willi
+ * Copyright (C) 2005-2009 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
  *
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  */
- 
+
 #include <gmp.h>
 #include <sys/stat.h>
 #include <unistd.h>
@@ -26,9 +26,7 @@
 #include <asn1/oid.h>
 #include <asn1/asn1.h>
 #include <asn1/asn1_parser.h>
-#include <asn1/pem.h>
 #include <crypto/hashers/hasher.h>
-#include <pgp/pgp.h>
 
 typedef struct private_gmp_rsa_public_key_t private_gmp_rsa_public_key_t;
 
@@ -40,32 +38,22 @@ struct private_gmp_rsa_public_key_t {
 	 * Public interface for this signer.
 	 */
 	gmp_rsa_public_key_t public;
-	
+
 	/**
 	 * Public modulus.
 	 */
 	mpz_t n;
-	
+
 	/**
 	 * Public exponent.
 	 */
 	mpz_t e;
-	
+
 	/**
 	 * Keysize in bytes.
 	 */
 	size_t k;
-	
-	/**
-	 * Keyid formed as a SHA-1 hash of a publicKeyInfo object
-	 */
-	identification_t *keyid_info;
-	
-	/**
-	 * Keyid formed as a SHA-1 hash of a publicKey object
-	 */
-	identification_t *keyid;
-	
+
 	/**
 	 * reference counter
 	 */
@@ -76,7 +64,6 @@ struct private_gmp_rsa_public_key_t {
  * Shared functions defined in gmp_rsa_private_key.c
  */
 extern chunk_t gmp_mpz_to_chunk(const mpz_t value);
-extern chunk_t gmp_mpz_to_asn1(const mpz_t value);
 
 /**
  * RSAEP algorithm specified in PKCS#1.
@@ -85,12 +72,12 @@ static chunk_t rsaep(private_gmp_rsa_public_key_t *this, chunk_t data)
 {
 	mpz_t m, c;
 	chunk_t encrypted;
-	
+
 	mpz_init(c);
 	mpz_init(m);
-	
+
 	mpz_import(m, data.len, 1, 1, 1, 0, data.ptr);
-	
+
 	mpz_powm(c, m, this->e, this->n);
 
 	encrypted.len = this->k;
@@ -99,10 +86,10 @@ static chunk_t rsaep(private_gmp_rsa_public_key_t *this, chunk_t data)
 	{
 		encrypted.len = 0;
 	}
-	
+
 	mpz_clear(c);
 	mpz_clear(m);
-	
+
 	return encrypted;
 }
 
@@ -136,34 +123,34 @@ static bool verify_emsa_pkcs1_signature(private_gmp_rsa_public_key_t *this,
 {
 	chunk_t em_ori, em;
 	bool success = FALSE;
-	
+
 	/* remove any preceding 0-bytes from signature */
 	while (signature.len && *(signature.ptr) == 0x00)
 	{
 		signature = chunk_skip(signature, 1);
 	}
-	
+
 	if (signature.len == 0 || signature.len > this->k)
 	{
 		return INVALID_ARG;
 	}
-	
+
 	/* unpack signature */
 	em_ori = em = rsavp1(this, signature);
-	
+
 	/* result should look like this:
-	 * EM = 0x00 || 0x01 || PS || 0x00 || T. 
+	 * EM = 0x00 || 0x01 || PS || 0x00 || T.
 	 * PS = 0xFF padding, with length to fill em
 	 * T = oid || hash
 	 */
-	
+
 	/* check magic bytes */
 	if (*(em.ptr) != 0x00 || *(em.ptr+1) != 0x01)
 	{
 		goto end;
 	}
 	em = chunk_skip(em, 2);
-	
+
 	/* find magic 0x00 */
 	while (em.len > 0)
 	{
@@ -240,7 +227,7 @@ static bool verify_emsa_pkcs1_signature(private_gmp_rsa_public_key_t *this,
 				{
 					chunk_t hash;
 					hasher_t *hasher;
-					
+
 					hasher = lib->crypto->create_hasher(lib->crypto, hash_algorithm);
 					if (hasher == NULL)
 					{
@@ -290,7 +277,7 @@ static key_type_t get_type(private_gmp_rsa_public_key_t *this)
 /**
  * Implementation of public_key_t.verify.
  */
-static bool verify(private_gmp_rsa_public_key_t *this, signature_scheme_t scheme, 
+static bool verify(private_gmp_rsa_public_key_t *this, signature_scheme_t scheme,
 				   chunk_t data, chunk_t signature)
 {
 	switch (scheme)
@@ -316,7 +303,7 @@ static bool verify(private_gmp_rsa_public_key_t *this, signature_scheme_t scheme
 	}
 }
 
-#define MIN_PS_PADDING		8	
+#define MIN_PS_PADDING 8
 
 /**
  * Implementation of public_key_t.encrypt.
@@ -327,7 +314,7 @@ static bool encrypt_(private_gmp_rsa_public_key_t *this, chunk_t plain,
 	chunk_t em;
 	u_char *pos;
 	int padding, i;
- 	rng_t *rng;
+	rng_t *rng;
 
 	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
 	if (rng == NULL)
@@ -338,7 +325,7 @@ static bool encrypt_(private_gmp_rsa_public_key_t *this, chunk_t plain,
 
 	/* number of pseudo-random padding octets */
 	padding = this->k - plain.len - 3;
- 	if (padding < MIN_PS_PADDING)
+	if (padding < MIN_PS_PADDING)
 	{
 		DBG1("pseudo-random padding must be at least %d octets", MIN_PS_PADDING);
 		return FALSE;
@@ -346,9 +333,9 @@ static bool encrypt_(private_gmp_rsa_public_key_t *this, chunk_t plain,
 
 	/* padding according to PKCS#1 7.2.1 (RSAES-PKCS1-v1.5-ENCRYPT) */
 	DBG2("padding %u bytes of data to the rsa modulus size of %u bytes",
-		 plain.len, this->k); 
+		 plain.len, this->k);
 	em.len = this->k;
-	em.ptr = malloc(em.len); 
+	em.ptr = malloc(em.len);
 	pos = em.ptr;
 	*pos++ = 0x00;
 	*pos++ = 0x02;
@@ -373,7 +360,7 @@ static bool encrypt_(private_gmp_rsa_public_key_t *this, chunk_t plain,
 	/* now add the data */
 	memcpy(pos, plain.ptr, plain.len);
 	DBG3("padded data before rsa encryption: %B", &em);
-	
+
 	/* rsa encryption using PKCS#1 RSAEP */
 	*crypto = rsaep(this, em);
 	DBG3("rsa encrypted data: %B", crypto);
@@ -386,27 +373,7 @@ static bool encrypt_(private_gmp_rsa_public_key_t *this, chunk_t plain,
  */
 static bool equals(private_gmp_rsa_public_key_t *this, public_key_t *other)
 {
-	identification_t *keyid;
-
-	if (&this->public.interface == other)
-	{
-		return TRUE;
-	}
-	if (other->get_type(other) != KEY_RSA)
-	{
-		return FALSE;
-	}
-	keyid = other->get_id(other, ID_PUBKEY_SHA1);
-	if (keyid && keyid->equals(keyid, this->keyid))
-	{
-		return TRUE;
-	}
-	keyid = other->get_id(other, ID_PUBKEY_INFO_SHA1);
-	if (keyid && keyid->equals(keyid, this->keyid_info))
-	{
-		return TRUE;
-	}
-	return FALSE;
+	return public_key_equals(&this->public.interface, other);
 }
 
 /**
@@ -418,72 +385,47 @@ static size_t get_keysize(private_gmp_rsa_public_key_t *this)
 }
 
 /**
- * Build the PGP version 3 RSA key identifier from n and e using
- * MD5 hashed modulus and exponent.
+ * Implementation of public_key_t.get_encoding
  */
-static identification_t* gmp_rsa_build_pgp_v3_keyid(mpz_t n, mpz_t e)
+static bool get_encoding(private_gmp_rsa_public_key_t *this,
+						 key_encoding_type_t type, chunk_t *encoding)
 {
-	identification_t *keyid;
-	chunk_t modulus, mod, exponent, exp, hash;
-	hasher_t *hasher;
-	
-	hasher= lib->crypto->create_hasher(lib->crypto, HASH_MD5);
-	if (hasher == NULL)
-	{
-		DBG1("computation of PGP V3 keyid failed, no MD5 hasher is available");
-		return NULL;
-	}
-	mod = modulus  = gmp_mpz_to_chunk(n);
-	exp = exponent = gmp_mpz_to_chunk(e);
+	chunk_t n, e;
+	bool success;
 
-	/* remove leading zero bytes before hashing modulus and exponent */
-	while (mod.len > 0 && *mod.ptr == 0x00)
-	{
-		mod.ptr++;
-		mod.len--;
-	} 
-	while (exp.len > 0 && *exp.ptr == 0x00)
-	{
-		exp.ptr++;
-		exp.len--;
-	} 
-	hasher->allocate_hash(hasher, mod, NULL);
-	hasher->allocate_hash(hasher, exp, &hash);
-	hasher->destroy(hasher);
-	keyid = identification_create_from_encoding(ID_KEY_ID, hash);
-	free(hash.ptr);
-	free(modulus.ptr);
-	free(exponent.ptr);
-	return keyid;
+	n = gmp_mpz_to_chunk(this->n);
+	e = gmp_mpz_to_chunk(this->e);
+
+	success = lib->encoding->encode(lib->encoding, type, NULL, encoding,
+				KEY_PART_RSA_MODULUS, n, KEY_PART_RSA_PUB_EXP, e, KEY_PART_END);
+	chunk_free(&n);
+	chunk_free(&e);
+
+	return success;
 }
 
 /**
- * Implementation of public_key_t.get_id.
+ * Implementation of public_key_t.get_fingerprint
  */
-static identification_t *get_id(private_gmp_rsa_public_key_t *this,
-								id_type_t type)
+static bool get_fingerprint(private_gmp_rsa_public_key_t *this,
+							key_encoding_type_t type, chunk_t *fp)
 {
-	switch (type)
+	chunk_t n, e;
+	bool success;
+
+	if (lib->encoding->get_cache(lib->encoding, type, this, fp))
 	{
-		case ID_PUBKEY_INFO_SHA1:
-			return this->keyid_info;
-		case ID_PUBKEY_SHA1:
-			return this->keyid;
-		case ID_KEY_ID:
-			return gmp_rsa_build_pgp_v3_keyid(this->n, this->e);
-		default:
-			return NULL;
+		return TRUE;
 	}
-}
+	n = gmp_mpz_to_chunk(this->n);
+	e = gmp_mpz_to_chunk(this->e);
 
-/*
- * Implementation of public_key_t.get_encoding.
- */
-static chunk_t get_encoding(private_gmp_rsa_public_key_t *this)
-{
-	return asn1_wrap(ASN1_SEQUENCE, "mm",
-					 gmp_mpz_to_asn1(this->n),
-					 gmp_mpz_to_asn1(this->e));
+	success = lib->encoding->encode(lib->encoding, type, this, fp,
+				KEY_PART_RSA_MODULUS, n, KEY_PART_RSA_PUB_EXP, e, KEY_PART_END);
+	chunk_free(&n);
+	chunk_free(&e);
+
+	return success;
 }
 
 /**
@@ -504,369 +446,65 @@ static void destroy(private_gmp_rsa_public_key_t *this)
 	{
 		mpz_clear(this->n);
 		mpz_clear(this->e);
-		DESTROY_IF(this->keyid);
-		DESTROY_IF(this->keyid_info);
+		lib->encoding->clear_cache(lib->encoding, this);
 		free(this);
 	}
 }
 
 /**
- * Generic private constructor
+ * See header.
  */
-static private_gmp_rsa_public_key_t *gmp_rsa_public_key_create_empty()
+gmp_rsa_public_key_t *gmp_rsa_public_key_load(key_type_t type, va_list args)
 {
-	private_gmp_rsa_public_key_t *this = malloc_thing(private_gmp_rsa_public_key_t);
-	
-	this->public.interface.get_type = (key_type_t (*) (public_key_t*))get_type;
-	this->public.interface.verify = (bool (*) (public_key_t*, signature_scheme_t, chunk_t, chunk_t))verify;
-	this->public.interface.encrypt = (bool (*) (public_key_t*, chunk_t, chunk_t*))encrypt_;
-	this->public.interface.equals = (bool (*) (public_key_t*, public_key_t*))equals;
-	this->public.interface.get_keysize = (size_t (*) (public_key_t*))get_keysize;
-	this->public.interface.get_id = (identification_t* (*) (public_key_t*, id_type_t))get_id;
-	this->public.interface.get_encoding = (chunk_t(*) (public_key_t*))get_encoding;
-	this->public.interface.get_ref = (public_key_t* (*) (public_key_t *this))get_ref;
-	this->public.interface.destroy = (void (*) (public_key_t *this))destroy;
-	
-	this->keyid = NULL;
-	this->keyid_info = NULL;
-	this->ref = 1;
-	
-	return this;
-}
+	private_gmp_rsa_public_key_t *this;
+	chunk_t n, e;
 
-/**
- * Build the RSA key identifier from n and e using SHA1 hashed publicKey(Info).
- * Also used in rsa_private_key.c.
- */
-bool gmp_rsa_public_key_build_id(mpz_t n, mpz_t e, identification_t **keyid,
-								 identification_t **keyid_info)
-{
-	chunk_t publicKeyInfo, publicKey, hash;
-	hasher_t *hasher;
-	
-	hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
-	if (hasher == NULL)
-	{
-		DBG1("SHA1 hash algorithm not supported, unable to use RSA");
-		return FALSE;
-	}
-	publicKey = asn1_wrap(ASN1_SEQUENCE, "mm",
-					gmp_mpz_to_asn1(n),
-					gmp_mpz_to_asn1(e));
-	hasher->allocate_hash(hasher, publicKey, &hash);
-	*keyid = identification_create_from_encoding(ID_PUBKEY_SHA1, hash);
-	chunk_free(&hash);
-	
-	publicKeyInfo = asn1_wrap(ASN1_SEQUENCE, "cm",
-						asn1_algorithmIdentifier(OID_RSA_ENCRYPTION),
-						asn1_bitstring("m", publicKey));
-	hasher->allocate_hash(hasher, publicKeyInfo, &hash);
-	*keyid_info = identification_create_from_encoding(ID_PUBKEY_INFO_SHA1, hash);
-	chunk_free(&hash);
-	
-	hasher->destroy(hasher);
-	chunk_free(&publicKeyInfo);
-	
-	return TRUE;
-}
-
-/**
- * Create a public key from mpz values, used in gmp_rsa_private_key
- */
-gmp_rsa_public_key_t *gmp_rsa_public_key_create_from_n_e(mpz_t n, mpz_t e)
-{
-	private_gmp_rsa_public_key_t *this = gmp_rsa_public_key_create_empty();
-
-	mpz_init_set(this->n, n);
-	mpz_init_set(this->e, e);
-	
-	this->k = (mpz_sizeinbase(this->n, 2) + 7) /  BITS_PER_BYTE;
-	if (!gmp_rsa_public_key_build_id(this->n, this->e,
-									 &this->keyid, &this->keyid_info))
+	n = e = chunk_empty;
+	while (TRUE)
 	{
-		destroy(this);
-		return NULL;
-	}
-	return &this->public;
-}
-
-/**
- * ASN.1 definition of RSApublicKey
- */
-static const asn1Object_t pubkeyObjects[] = {
-	{ 0, "RSAPublicKey",		ASN1_SEQUENCE,	ASN1_OBJ  }, /*  0 */
-	{ 1,   "modulus",			ASN1_INTEGER,	ASN1_BODY }, /*  1 */
-	{ 1,   "publicExponent",	ASN1_INTEGER,	ASN1_BODY }, /*  2 */
-	{ 0, "exit",				ASN1_EOC,		ASN1_EXIT }
-};
-#define PUB_KEY_RSA_PUBLIC_KEY		0
-#define PUB_KEY_MODULUS				1
-#define PUB_KEY_EXPONENT			2
-
-/**
- * Load a public key from an ASN.1 encoded blob
- */
-static gmp_rsa_public_key_t *load_asn1_der(chunk_t blob)
-{
-	asn1_parser_t *parser;
-	chunk_t object;
-	int objectID;
-	bool success = FALSE;
-
-	private_gmp_rsa_public_key_t *this = gmp_rsa_public_key_create_empty();
-
-	mpz_init(this->n);
-	mpz_init(this->e);
-	
-	parser = asn1_parser_create(pubkeyObjects, blob);
-	
-	while (parser->iterate(parser, &objectID, &object))
-	{
-		switch (objectID)
+		switch (va_arg(args, builder_part_t))
 		{
-			case PUB_KEY_MODULUS:
-				mpz_import(this->n, object.len, 1, 1, 1, 0, object.ptr);
-				break;
-			case PUB_KEY_EXPONENT:
-				mpz_import(this->e, object.len, 1, 1, 1, 0, object.ptr);
+			case BUILD_RSA_MODULUS:
+				n = va_arg(args, chunk_t);
+				continue;
+			case BUILD_RSA_PUB_EXP:
+				e = va_arg(args, chunk_t);
+				continue;
+			case BUILD_END:
 				break;
+			default:
+				return NULL;
 		}
+		break;
 	}
-	success = parser->success(parser);
-	free(blob.ptr);
-	parser->destroy(parser);
-
-	if (!success)
+	if (!e.ptr || !n.ptr)
 	{
-		destroy(this);
 		return NULL;
 	}
-	
-	this->k = (mpz_sizeinbase(this->n, 2) + 7) /  BITS_PER_BYTE;
 
-	if (!gmp_rsa_public_key_build_id(this->n, this->e,
-									 &this->keyid, &this->keyid_info))
-	{
-		destroy(this);
-		return NULL;
-	}
-	return &this->public;
-}
+	this = malloc_thing(private_gmp_rsa_public_key_t);
 
-/**
- * Load a public key from an OpenPGP blob
- */
-static gmp_rsa_public_key_t* load_pgp(chunk_t blob)
-{
-	int objectID;
-	chunk_t packet = blob;
-	private_gmp_rsa_public_key_t *this = gmp_rsa_public_key_create_empty();
-
-	mpz_init(this->n);
-	mpz_init(this->e);
-	
-	for (objectID = PUB_KEY_MODULUS; objectID <= PUB_KEY_EXPONENT; objectID++)
-	{
-		chunk_t object;	
-
-		DBG2("L3 - %s:", pubkeyObjects[objectID].name);
-		object.len = pgp_length(&packet, 2);
-
-		if (object.len == PGP_INVALID_LENGTH)
-		{
-			DBG1("OpenPGP length is invalid");
-			goto end;
-		}
-		object.len = (object.len + 7) / BITS_PER_BYTE;
-		if (object.len > packet.len)
-		{
-			DBG1("OpenPGP field is too short");
-			goto end;
-		}
-		object.ptr = packet.ptr;
-		packet.ptr += object.len;
-		packet.len -= object.len;
-		DBG4("%B", &object);
-
-		switch (objectID)
-		{
-			case PUB_KEY_MODULUS:
-				mpz_import(this->n, object.len, 1, 1, 1, 0, object.ptr);
-				break;
-			case PUB_KEY_EXPONENT:
-				mpz_import(this->e, object.len, 1, 1, 1, 0, object.ptr);
-				break;
-		}
-	}
-
-	this->k = (mpz_sizeinbase(this->n, 2) + 7) /  BITS_PER_BYTE;
-	free(blob.ptr);
-
-	if (!gmp_rsa_public_key_build_id(this->n, this->e,
-									 &this->keyid, &this->keyid_info))
-	{
-		destroy(this);
-		return NULL;
-	}
-	return &this->public;
+	this->public.interface.get_type = (key_type_t (*) (public_key_t*))get_type;
+	this->public.interface.verify = (bool (*) (public_key_t*, signature_scheme_t, chunk_t, chunk_t))verify;
+	this->public.interface.encrypt = (bool (*) (public_key_t*, chunk_t, chunk_t*))encrypt_;
+	this->public.interface.equals = (bool (*) (public_key_t*, public_key_t*))equals;
+	this->public.interface.get_keysize = (size_t (*) (public_key_t*))get_keysize;
+	this->public.interface.get_fingerprint = (bool(*)(public_key_t*, key_encoding_type_t type, chunk_t *fp))get_fingerprint;
+	this->public.interface.has_fingerprint = (bool(*)(public_key_t*, chunk_t fp))public_key_has_fingerprint;
+	this->public.interface.get_encoding = (bool(*)(public_key_t*, key_encoding_type_t type, chunk_t *encoding))get_encoding;
+	this->public.interface.get_ref = (public_key_t* (*) (public_key_t *this))get_ref;
+	this->public.interface.destroy = (void (*) (public_key_t *this))destroy;
 
-end:
-	free(blob.ptr);
-	destroy(this);
-	return NULL;
-}
+	this->ref = 1;
 
-/**
- * Load a public key from an RFC 3110 encoded blob
- */
-static gmp_rsa_public_key_t *load_rfc_3110(chunk_t blob)
-{
-	chunk_t exponent, modulus;
-	u_char *pos = blob.ptr;
-	size_t len  = blob.len;
-	private_gmp_rsa_public_key_t *this = gmp_rsa_public_key_create_empty();
-	
 	mpz_init(this->n);
 	mpz_init(this->e);
 
-	if (blob.len < 3)
-	{
-		DBG1("RFC 3110 public key blob too short for exponent length");
-		goto end;
-	}
-	if (pos[0] != 0x00)
-	{
-		exponent = chunk_create(pos + 1, pos[0]);
-		pos++;
-		len--;
-	}
-	else
-	{
-		exponent = chunk_create(pos + 3, 256*pos[1] + pos[2]);
-		pos += 3;
-		len -= 3;
-	}
-	if (exponent.len > len)
-	{
-		DBG1("RFC 3110 public key blob too short for exponent");
-		goto end;
-	}
-	pos += exponent.len;
-	len -= exponent.len;
-
-	if (len == 0)
-	{
-		DBG1("RFC 3110 public key blob has zero length modulus");
-		goto end;
-	}	
-	modulus = chunk_create(pos, len);
+	mpz_import(this->n, n.len, 1, 1, 1, 0, n.ptr);
+	mpz_import(this->e, e.len, 1, 1, 1, 0, e.ptr);
 
-	mpz_import(this->n, modulus.len,  1, 1, 1, 0, modulus.ptr);
-	mpz_import(this->e, exponent.len, 1, 1, 1, 0, exponent.ptr);
-	this->k = (mpz_sizeinbase(this->n, 2) + 7) /  BITS_PER_BYTE;
-	free(blob.ptr);
+	this->k = (mpz_sizeinbase(this->n, 2) + 7) / BITS_PER_BYTE;
 
-	if (!gmp_rsa_public_key_build_id(this->n, this->e,
-									 &this->keyid, &this->keyid_info))
-	{
-		destroy(this);
-		return NULL;
-	}
-	return &this->public;
-
-end:
-	free(blob.ptr);
-	destroy(this);
-	return NULL;
-}
-
-typedef struct private_builder_t private_builder_t;
-/**
- * Builder implementation for key loading
- */
-struct private_builder_t {
-	/** implements the builder interface */
-	builder_t public;
-	/** loaded public key */
-	gmp_rsa_public_key_t *key;
-};
-
-/**
- * Implementation of builder_t.build
- */
-static gmp_rsa_public_key_t *build(private_builder_t *this)
-{
-	gmp_rsa_public_key_t *key = this->key;
-	
-	free(this);
-	return key;
-}
-
-/**
- * Implementation of builder_t.add
- */
-static void add(private_builder_t *this, builder_part_t part, ...)
-{
-	if (!this->key)
-	{
-		va_list args;
-		chunk_t chunk;
-	
-		switch (part)
-		{
-			case BUILD_BLOB_ASN1_DER:
-			{
-				va_start(args, part);
-				chunk = va_arg(args, chunk_t);
-				this->key = load_asn1_der(chunk_clone(chunk));
-				va_end(args);
-				return;
-			}
-			case BUILD_BLOB_PGP:
-			{
-				va_start(args, part);
-				chunk = va_arg(args, chunk_t);
-				this->key = load_pgp(chunk_clone(chunk));
-				va_end(args);
-				return;
-			}
-			case BUILD_BLOB_RFC_3110:
-			{
-				va_start(args, part);
-				chunk = va_arg(args, chunk_t);
-				this->key = load_rfc_3110(chunk_clone(chunk));
-				va_end(args);
-				return;
-			}
-			default:
-				break;
-		}
-	}
-	if (this->key)
-	{
-		destroy((private_gmp_rsa_public_key_t*)this->key);
-	}
-	builder_cancel(&this->public);
-}
-
-/**
- * Builder construction function
- */
-builder_t *gmp_rsa_public_key_builder(key_type_t type)
-{
-	private_builder_t *this;
-	
-	if (type != KEY_RSA)
-	{
-		return NULL;
-	}
-	
-	this = malloc_thing(private_builder_t);
-	
-	this->key = NULL;
-	this->public.add = (void(*)(builder_t *this, builder_part_t part, ...))add;
-	this->public.build = (void*(*)(builder_t *this))build;
-	
 	return &this->public;
 }
 
diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.h b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.h
index ed7b9429f..807f0bb7c 100644
--- a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.h
+++ b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.h
@@ -22,10 +22,11 @@
 #ifndef GMP_RSA_PUBLIC_KEY_H_
 #define GMP_RSA_PUBLIC_KEY_H_
 
-typedef struct gmp_rsa_public_key_t gmp_rsa_public_key_t;
-
+#include <credentials/builder.h>
 #include <credentials/keys/public_key.h>
 
+typedef struct gmp_rsa_public_key_t gmp_rsa_public_key_t;
+
 /**
  * public_key_t implementation of RSA algorithm using libgmp.
  */
@@ -38,11 +39,14 @@ struct gmp_rsa_public_key_t {
 };
 
 /**
- * Create the builder for a public key.
+ * Load a RSA public key using libgmp.
+ *
+ * Accepts BUILD_RSA_* components.
  *
  * @param type		type of the key, must be KEY_RSA
- * @return 			builder instance
+ * @param args		builder_part_t argument list
+ * @return 			loaded key, NULL on failure
  */
-builder_t *gmp_rsa_public_key_builder(key_type_t type);
+gmp_rsa_public_key_t *gmp_rsa_public_key_load(key_type_t type, va_list args);
 
 #endif /** GMP_RSA_PUBLIC_KEY_H_ @}*/
diff --git a/src/libstrongswan/plugins/hmac/Makefile.in b/src/libstrongswan/plugins/hmac/Makefile.in
index 389bde8f9..7dc8269a4 100644
--- a/src/libstrongswan/plugins/hmac/Makefile.in
+++ b/src/libstrongswan/plugins/hmac/Makefile.in
@@ -1,8 +1,9 @@
-# Makefile.in generated by automake 1.10.2 from Makefile.am.
+# Makefile.in generated by automake 1.11 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,8 +17,9 @@
 
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
@@ -35,19 +37,41 @@ host_triplet = @host@
 subdir = src/libstrongswan/plugins/hmac
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
 CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
 am__vpath_adj = case $$p in \
     $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
     *) f=$$p;; \
   esac;
-am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__installdirs = "$(DESTDIR)$(plugindir)"
-pluginLTLIBRARIES_INSTALL = $(INSTALL)
 LTLIBRARIES = $(plugin_LTLIBRARIES)
 libstrongswan_hmac_la_LIBADD =
 am_libstrongswan_hmac_la_OBJECTS = hmac_plugin.lo hmac.lo hmac_prf.lo \
@@ -59,6 +83,7 @@ libstrongswan_hmac_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
+am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
@@ -106,25 +131,22 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
-IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
-LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
-LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
-LINUX_HEADERS = @LINUX_HEADERS@
 LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
 NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
@@ -136,11 +158,14 @@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
 PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
+RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
@@ -169,9 +194,9 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
-confdir = @confdir@
 datadir = @datadir@
 datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
@@ -194,7 +219,7 @@ ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
 libstrongswan_plugins = @libstrongswan_plugins@
-linuxdir = @linuxdir@
+linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
@@ -202,6 +227,7 @@ mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
@@ -210,10 +236,12 @@ pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+random_device = @random_device@
 resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
-simreader = @simreader@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
@@ -221,6 +249,7 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
@@ -243,9 +272,9 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/libstrongswan/plugins/hmac/Makefile'; \
-	cd $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu  src/libstrongswan/plugins/hmac/Makefile
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/hmac/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libstrongswan/plugins/hmac/Makefile
 .PRECIOUS: Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
@@ -263,23 +292,28 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
 	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
 	  if test -f $$p; then \
-	    f=$(am__strip_dir) \
-	    echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(plugindir)/$$f'"; \
-	    $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(plugindir)/$$f"; \
+	    list2="$$list2 $$p"; \
 	  else :; fi; \
-	done
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
 
 uninstall-pluginLTLIBRARIES:
 	@$(NORMAL_UNINSTALL)
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
-	  p=$(am__strip_dir) \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$p'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$p"; \
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
 	done
 
 clean-pluginLTLIBRARIES:
@@ -306,21 +340,21 @@ distclean-compile:
 
 .c.o:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c $<
 
 .c.obj:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
 @am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
@@ -343,7 +377,7 @@ tags: TAGS
 
 TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
+	set x; \
 	here=`pwd`; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
@@ -351,29 +385,34 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
 	  test -n "$$unique" || unique=$$empty_fix; \
-	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	    $$tags $$unique; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
 	fi
 ctags: CTAGS
 CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	test -z "$(CTAGS_ARGS)$$unique" \
 	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$tags $$unique
+	     $$unique
 
 GTAGS:
 	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && cd $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) $$here
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
 
 distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
@@ -394,13 +433,17 @@ distdir: $(DISTFILES)
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
 	  if test -d $$d/$$file; then \
 	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
 	    fi; \
-	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
 	  else \
-	    test -f $(distdir)/$$file \
-	    || cp -p $$d/$$file $(distdir)/$$file \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
 	    || exit 1; \
 	  fi; \
 	done
@@ -431,6 +474,7 @@ clean-generic:
 
 distclean-generic:
 	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -452,6 +496,8 @@ dvi-am:
 
 html: html-am
 
+html-am:
+
 info: info-am
 
 info-am:
@@ -460,18 +506,28 @@ install-data-am: install-pluginLTLIBRARIES
 
 install-dvi: install-dvi-am
 
+install-dvi-am:
+
 install-exec-am:
 
 install-html: install-html-am
 
+install-html-am:
+
 install-info: install-info-am
 
+install-info-am:
+
 install-man:
 
 install-pdf: install-pdf-am
 
+install-pdf-am:
+
 install-ps: install-ps-am
 
+install-ps-am:
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -510,6 +566,7 @@ uninstall-am: uninstall-pluginLTLIBRARIES
 	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
 	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
 
+
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/src/libstrongswan/plugins/hmac/hmac.c b/src/libstrongswan/plugins/hmac/hmac.c
index 6dfa02233..c1ab48899 100644
--- a/src/libstrongswan/plugins/hmac/hmac.c
+++ b/src/libstrongswan/plugins/hmac/hmac.c
@@ -23,7 +23,7 @@ typedef struct private_hmac_t private_hmac_t;
 
 /**
  * Private data of a hmac_t object.
- * 
+ *
  * The variable names are the same as in the RFC.
  */
 struct private_hmac_t {
@@ -31,22 +31,22 @@ struct private_hmac_t {
 	 * Public hmac_t interface.
 	 */
 	hmac_t hmac;
-	
+
 	/**
 	 * Block size, as in RFC.
 	 */
 	u_int8_t b;
-	
+
 	/**
 	 * Hash function.
 	 */
 	hasher_t *h;
-	
+
 	/**
 	 * Previously xor'ed key using opad.
 	 */
 	chunk_t opaded_key;
-	
+
 	/**
 	 * Previously xor'ed key using ipad.
 	 */
@@ -58,16 +58,16 @@ struct private_hmac_t {
  */
 static void get_mac(private_hmac_t *this, chunk_t data, u_int8_t *out)
 {
-	/* H(K XOR opad, H(K XOR ipad, text)) 
-	 * 
+	/* H(K XOR opad, H(K XOR ipad, text))
+	 *
 	 * if out is NULL, we append text to the inner hash.
 	 * else, we complete the inner and do the outer.
-	 * 
+	 *
 	 */
-	
+
 	u_int8_t buffer[this->h->get_hash_size(this->h)];
 	chunk_t inner;
-	
+
 	if (out == NULL)
 	{
 		/* append data to inner */
@@ -78,14 +78,14 @@ static void get_mac(private_hmac_t *this, chunk_t data, u_int8_t *out)
 		/* append and do outer hash */
 		inner.ptr = buffer;
 		inner.len = this->h->get_hash_size(this->h);
-		
+
 		/* complete inner */
 		this->h->get_hash(this->h, data, buffer);
-		
+
 		/* do outer */
 		this->h->get_hash(this->h, this->opaded_key, NULL);
 		this->h->get_hash(this->h, inner, out);
-		
+
 		/* reinit for next call */
 		this->h->get_hash(this->h, this->ipaded_key, NULL);
 	}
@@ -109,7 +109,7 @@ static void allocate_mac(private_hmac_t *this, chunk_t data, chunk_t *out)
 		this->hmac.get_mac(&(this->hmac), data, out->ptr);
 	}
 }
-	
+
 /**
  * Implementation of hmac_t.get_block_size.
  */
@@ -125,27 +125,27 @@ static void set_key(private_hmac_t *this, chunk_t key)
 {
 	int i;
 	u_int8_t buffer[this->b];
-	
+
 	memset(buffer, 0, this->b);
-	
+
 	if (key.len > this->b)
-	{	
+	{
 		/* if key is too long, it will be hashed */
 		this->h->get_hash(this->h, key, buffer);
 	}
 	else
-	{	
+	{
 		/* if not, just copy it in our pre-padded k */
-		memcpy(buffer, key.ptr, key.len);	
+		memcpy(buffer, key.ptr, key.len);
 	}
-			
+
 	/* apply ipad and opad to key */
 	for (i = 0; i < this->b; i++)
 	{
 		this->ipaded_key.ptr[i] = buffer[i] ^ 0x36;
 		this->opaded_key.ptr[i] = buffer[i] ^ 0x5C;
 	}
-	
+
 	/* begin hashing of inner pad */
 	this->h->reset(this->h);
 	this->h->get_hash(this->h, this->ipaded_key, NULL);
@@ -175,7 +175,7 @@ hmac_t *hmac_create(hash_algorithm_t hash_algorithm)
 	this->hmac.get_block_size = (size_t (*)(hmac_t *))get_block_size;
 	this->hmac.set_key = (void (*)(hmac_t *,chunk_t))set_key;
 	this->hmac.destroy = (void (*)(hmac_t *))destroy;
-	
+
 	/* set b, according to hasher */
 	switch (hash_algorithm)
 	{
@@ -190,15 +190,15 @@ hmac_t *hmac_create(hash_algorithm_t hash_algorithm)
 			break;
 		default:
 			free(this);
-			return NULL;	
+			return NULL;
 	}
-	
+
 	/* build the hasher */
 	this->h = lib->crypto->create_hasher(lib->crypto, hash_algorithm);
 	if (this->h == NULL)
 	{
 		free(this);
-		return NULL;	
+		return NULL;
 	}
 
 	/* build ipad and opad */
diff --git a/src/libstrongswan/plugins/hmac/hmac.h b/src/libstrongswan/plugins/hmac/hmac.h
index a204d3b17..be1bce66d 100644
--- a/src/libstrongswan/plugins/hmac/hmac.h
+++ b/src/libstrongswan/plugins/hmac/hmac.h
@@ -36,46 +36,46 @@ typedef struct hmac_t hmac_t;
 struct hmac_t {
 	/**
 	 * Generate message authentication code.
-	 * 
+	 *
 	 * If buffer is NULL, no result is given back. A next call will
-	 * append the data to already supplied data. If buffer is not NULL, 
+	 * append the data to already supplied data. If buffer is not NULL,
 	 * the mac of all apended data is calculated, returned and the
 	 * state of the hmac_t is reseted.
-	 * 
+	 *
 	 * @param data		chunk of data to authenticate
 	 * @param buffer	pointer where the generated bytes will be written
 	 */
 	void (*get_mac) (hmac_t *this, chunk_t data, u_int8_t *buffer);
-	
+
 	/**
 	 * Generates message authentication code and allocate space for them.
-	 * 
+	 *
 	 * If chunk is NULL, no result is given back. A next call will
-	 * append the data to already supplied. If chunk is not NULL, 
+	 * append the data to already supplied. If chunk is not NULL,
 	 * the mac of all apended data is calculated, returned and the
 	 * state of the hmac_t reset;
-	 * 
+	 *
 	 * @param data		chunk of data to authenticate
 	 * @param chunk		chunk which will hold generated bytes
 	 */
 	void (*allocate_mac) (hmac_t *this, chunk_t data, chunk_t *chunk);
-	
+
 	/**
 	 * Get the block size of this hmac_t object.
-	 * 
+	 *
 	 * @return			block size in bytes
 	 */
-	size_t (*get_block_size) (hmac_t *this);	
-	
+	size_t (*get_block_size) (hmac_t *this);
+
 	/**
 	 * Set the key for this hmac_t object.
-	 * 
+	 *
 	 * Any key length is accepted.
-	 * 
+	 *
 	 * @param key		key to set
 	 */
 	void (*set_key) (hmac_t *this, chunk_t key);
-	
+
 	/**
 	 * Destroys a hmac_t object.
 	 */
@@ -84,7 +84,7 @@ struct hmac_t {
 
 /**
  * Creates a new hmac_t object.
- * 
+ *
  * @param hash_algorithm	hash algorithm to use
  * @return					hmac_t object, NULL if not supported
  */
diff --git a/src/libstrongswan/plugins/hmac/hmac_plugin.c b/src/libstrongswan/plugins/hmac/hmac_plugin.c
index aa1e994b0..94332ee36 100644
--- a/src/libstrongswan/plugins/hmac/hmac_plugin.c
+++ b/src/libstrongswan/plugins/hmac/hmac_plugin.c
@@ -50,35 +50,35 @@ static void destroy(private_hmac_plugin_t *this)
 plugin_t *plugin_create()
 {
 	private_hmac_plugin_t *this = malloc_thing(private_hmac_plugin_t);
-	
+
 	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-	
-	lib->crypto->add_prf(lib->crypto, PRF_HMAC_SHA2_256, 
+
+	lib->crypto->add_prf(lib->crypto, PRF_HMAC_SHA2_256,
 						 (prf_constructor_t)hmac_prf_create);
-	lib->crypto->add_prf(lib->crypto, PRF_HMAC_SHA1, 
+	lib->crypto->add_prf(lib->crypto, PRF_HMAC_SHA1,
 						 (prf_constructor_t)hmac_prf_create);
-	lib->crypto->add_prf(lib->crypto, PRF_HMAC_MD5, 
+	lib->crypto->add_prf(lib->crypto, PRF_HMAC_MD5,
 						 (prf_constructor_t)hmac_prf_create);
-	lib->crypto->add_prf(lib->crypto, PRF_HMAC_SHA2_384, 
+	lib->crypto->add_prf(lib->crypto, PRF_HMAC_SHA2_384,
 						 (prf_constructor_t)hmac_prf_create);
-	lib->crypto->add_prf(lib->crypto, PRF_HMAC_SHA2_512, 
+	lib->crypto->add_prf(lib->crypto, PRF_HMAC_SHA2_512,
 						 (prf_constructor_t)hmac_prf_create);
-	
-	lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA1_96, 
+
+	lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA1_96,
 							(signer_constructor_t)hmac_signer_create);
-	lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA1_128, 
+	lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA1_128,
 							(signer_constructor_t)hmac_signer_create);
-	lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA1_160, 
+	lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA1_160,
 							(signer_constructor_t)hmac_signer_create);
-	lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_256_128, 
+	lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_256_128,
 							(signer_constructor_t)hmac_signer_create);
-	lib->crypto->add_signer(lib->crypto, AUTH_HMAC_MD5_96, 
+	lib->crypto->add_signer(lib->crypto, AUTH_HMAC_MD5_96,
 							(signer_constructor_t)hmac_signer_create);
-	lib->crypto->add_signer(lib->crypto, AUTH_HMAC_MD5_128, 
+	lib->crypto->add_signer(lib->crypto, AUTH_HMAC_MD5_128,
 							(signer_constructor_t)hmac_signer_create);
-	lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_384_192, 
+	lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_384_192,
 							(signer_constructor_t)hmac_signer_create);
-	lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_512_256, 
+	lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_512_256,
 							(signer_constructor_t)hmac_signer_create);
 
 	return &this->public.plugin;
diff --git a/src/libstrongswan/plugins/hmac/hmac_prf.c b/src/libstrongswan/plugins/hmac/hmac_prf.c
index 454d40be3..cca6e9570 100644
--- a/src/libstrongswan/plugins/hmac/hmac_prf.c
+++ b/src/libstrongswan/plugins/hmac/hmac_prf.c
@@ -28,8 +28,8 @@ struct private_hmac_prf_t {
 	/**
 	 * Public hmac_prf_t interface.
 	 */
-	hmac_prf_t public;	
-	
+	hmac_prf_t public;
+
 	/**
 	 * Hmac to use for generation.
 	 */
@@ -93,7 +93,7 @@ hmac_prf_t *hmac_prf_create(pseudo_random_function_t algo)
 {
 	private_hmac_prf_t *this;
 	hash_algorithm_t hash;
-	
+
 	switch (algo)
 	{
 		case PRF_HMAC_SHA1:
@@ -114,22 +114,22 @@ hmac_prf_t *hmac_prf_create(pseudo_random_function_t algo)
 		default:
 			return NULL;
 	}
-	
+
 	this = malloc_thing(private_hmac_prf_t);
 	this->hmac = hmac_create(hash);
 	if (this->hmac == NULL)
 	{
 		free(this);
-		return NULL;	
+		return NULL;
 	}
-	
+
 	this->public.prf_interface.get_bytes = (void (*) (prf_t *,chunk_t,u_int8_t*))get_bytes;
 	this->public.prf_interface.allocate_bytes = (void (*) (prf_t*,chunk_t,chunk_t*))allocate_bytes;
 	this->public.prf_interface.get_block_size = (size_t (*) (prf_t*))get_block_size;
 	this->public.prf_interface.get_key_size = (size_t (*) (prf_t*))get_key_size;
 	this->public.prf_interface.set_key = (void (*) (prf_t *,chunk_t))set_key;
 	this->public.prf_interface.destroy = (void (*) (prf_t *))destroy;
-	
+
 	return &(this->public);
 }
 
diff --git a/src/libstrongswan/plugins/hmac/hmac_prf.h b/src/libstrongswan/plugins/hmac/hmac_prf.h
index aa75272e1..975b456f5 100644
--- a/src/libstrongswan/plugins/hmac/hmac_prf.h
+++ b/src/libstrongswan/plugins/hmac/hmac_prf.h
@@ -28,12 +28,12 @@ typedef struct hmac_prf_t hmac_prf_t;
 
 /**
  * Implementation of prf_t interface using the HMAC algorithm.
- * 
+ *
  * This simply wraps a hmac_t in a prf_t. More a question of
  * interface matching.
  */
 struct hmac_prf_t {
-	
+
 	/**
 	 * Generic prf_t interface for this hmac_prf_t class.
 	 */
@@ -42,7 +42,7 @@ struct hmac_prf_t {
 
 /**
  * Creates a new hmac_prf_t object.
- * 
+ *
  * @param algo		algorithm to implement
  * @return			hmac_prf_t object, NULL if hash not supported
  */
diff --git a/src/libstrongswan/plugins/hmac/hmac_signer.c b/src/libstrongswan/plugins/hmac/hmac_signer.c
index b44bc2109..f82a8f3a1 100644
--- a/src/libstrongswan/plugins/hmac/hmac_signer.c
+++ b/src/libstrongswan/plugins/hmac/hmac_signer.c
@@ -29,12 +29,12 @@ struct private_hmac_signer_t {
 	 * Public interface of hmac_signer_t.
 	 */
 	hmac_signer_t public;
-	
+
 	/**
 	 * Assigned hmac function.
 	 */
 	hmac_t *hmac;
-	
+
 	/**
 	 * Block size (truncation of HMAC Hash)
 	 */
@@ -54,7 +54,7 @@ static void get_signature(private_hmac_signer_t *this,
 	else
 	{
 		u_int8_t mac[this->hmac->get_block_size(this->hmac)];
-		
+
 		this->hmac->get_mac(this->hmac, data, mac);
 		memcpy(buffer, mac, this->block_size);
 	}
@@ -73,12 +73,12 @@ static void allocate_signature (private_hmac_signer_t *this,
 	else
 	{
 		u_int8_t mac[this->hmac->get_block_size(this->hmac)];
-		
+
 		this->hmac->get_mac(this->hmac, data, mac);
 
 		chunk->ptr = malloc(this->block_size);
 		chunk->len = this->block_size;
-		
+
 		memcpy(chunk->ptr, mac, this->block_size);
 	}
 }
@@ -90,9 +90,9 @@ static bool verify_signature(private_hmac_signer_t *this,
 							 chunk_t data, chunk_t signature)
 {
 	u_int8_t mac[this->hmac->get_block_size(this->hmac)];
-	
+
 	this->hmac->get_mac(this->hmac, data, mac);
-	
+
 	if (signature.len != this->block_size)
 	{
 		return FALSE;
@@ -142,7 +142,7 @@ hmac_signer_t *hmac_signer_create(integrity_algorithm_t algo)
 	private_hmac_signer_t *this;
 	size_t trunc;
 	hash_algorithm_t hash;
-	
+
 	switch (algo)
 	{
 		case AUTH_HMAC_SHA1_96:
@@ -180,7 +180,7 @@ hmac_signer_t *hmac_signer_create(integrity_algorithm_t algo)
 		default:
 			return NULL;
 	}
-	
+
 	this = malloc_thing(private_hmac_signer_t);
 	this->hmac = hmac_create(hash);
 	if (this->hmac == NULL)
@@ -190,7 +190,7 @@ hmac_signer_t *hmac_signer_create(integrity_algorithm_t algo)
 	}
 	/* prevent invalid truncation */
 	this->block_size = min(trunc, this->hmac->get_block_size(this->hmac));
-	
+
 	/* interface functions */
 	this->public.signer_interface.get_signature = (void (*) (signer_t*, chunk_t, u_int8_t*))get_signature;
 	this->public.signer_interface.allocate_signature = (void (*) (signer_t*, chunk_t, chunk_t*))allocate_signature;
@@ -199,7 +199,7 @@ hmac_signer_t *hmac_signer_create(integrity_algorithm_t algo)
 	this->public.signer_interface.get_block_size = (size_t (*) (signer_t*))get_block_size;
 	this->public.signer_interface.set_key = (void (*) (signer_t*,chunk_t))set_key;
 	this->public.signer_interface.destroy = (void (*) (signer_t*))destroy;
-	
+
 	return &(this->public);
 }
 
diff --git a/src/libstrongswan/plugins/hmac/hmac_signer.h b/src/libstrongswan/plugins/hmac/hmac_signer.h
index 197e28fa7..0de93440c 100644
--- a/src/libstrongswan/plugins/hmac/hmac_signer.h
+++ b/src/libstrongswan/plugins/hmac/hmac_signer.h
@@ -32,7 +32,7 @@ typedef struct hmac_signer_t hmac_signer_t;
  * HMAC uses a standard hash function implemented in a hasher_t to build a MAC.
  */
 struct hmac_signer_t {
-	
+
 	/**
 	 * generic signer_t interface for this signer
 	 */
diff --git a/src/libstrongswan/plugins/ldap/Makefile.in b/src/libstrongswan/plugins/ldap/Makefile.in
index 93fc9a0c1..d9ebb0147 100644
--- a/src/libstrongswan/plugins/ldap/Makefile.in
+++ b/src/libstrongswan/plugins/ldap/Makefile.in
@@ -1,8 +1,9 @@
-# Makefile.in generated by automake 1.10.2 from Makefile.am.
+# Makefile.in generated by automake 1.11 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,8 +17,9 @@
 
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
@@ -35,19 +37,41 @@ host_triplet = @host@
 subdir = src/libstrongswan/plugins/ldap
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
 CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
 am__vpath_adj = case $$p in \
     $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
     *) f=$$p;; \
   esac;
-am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__installdirs = "$(DESTDIR)$(plugindir)"
-pluginLTLIBRARIES_INSTALL = $(INSTALL)
 LTLIBRARIES = $(plugin_LTLIBRARIES)
 libstrongswan_ldap_la_DEPENDENCIES =
 am_libstrongswan_ldap_la_OBJECTS = ldap_plugin.lo ldap_fetcher.lo
@@ -58,6 +82,7 @@ libstrongswan_ldap_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
+am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
@@ -105,25 +130,22 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
-IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
-LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
-LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
-LINUX_HEADERS = @LINUX_HEADERS@
 LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
 NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
@@ -135,11 +157,14 @@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
 PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
+RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
@@ -168,9 +193,9 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
-confdir = @confdir@
 datadir = @datadir@
 datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
@@ -193,7 +218,7 @@ ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
 libstrongswan_plugins = @libstrongswan_plugins@
-linuxdir = @linuxdir@
+linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
@@ -201,6 +226,7 @@ mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
@@ -209,10 +235,12 @@ pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+random_device = @random_device@
 resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
-simreader = @simreader@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
@@ -220,6 +248,7 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
@@ -241,9 +270,9 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/libstrongswan/plugins/ldap/Makefile'; \
-	cd $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu  src/libstrongswan/plugins/ldap/Makefile
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/ldap/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libstrongswan/plugins/ldap/Makefile
 .PRECIOUS: Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
@@ -261,23 +290,28 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
 	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
 	  if test -f $$p; then \
-	    f=$(am__strip_dir) \
-	    echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(plugindir)/$$f'"; \
-	    $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(plugindir)/$$f"; \
+	    list2="$$list2 $$p"; \
 	  else :; fi; \
-	done
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
 
 uninstall-pluginLTLIBRARIES:
 	@$(NORMAL_UNINSTALL)
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
-	  p=$(am__strip_dir) \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$p'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$p"; \
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
 	done
 
 clean-pluginLTLIBRARIES:
@@ -302,21 +336,21 @@ distclean-compile:
 
 .c.o:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c $<
 
 .c.obj:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
 @am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
@@ -339,7 +373,7 @@ tags: TAGS
 
 TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
+	set x; \
 	here=`pwd`; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
@@ -347,29 +381,34 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
 	  test -n "$$unique" || unique=$$empty_fix; \
-	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	    $$tags $$unique; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
 	fi
 ctags: CTAGS
 CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	test -z "$(CTAGS_ARGS)$$unique" \
 	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$tags $$unique
+	     $$unique
 
 GTAGS:
 	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && cd $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) $$here
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
 
 distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
@@ -390,13 +429,17 @@ distdir: $(DISTFILES)
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
 	  if test -d $$d/$$file; then \
 	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
 	    fi; \
-	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
 	  else \
-	    test -f $(distdir)/$$file \
-	    || cp -p $$d/$$file $(distdir)/$$file \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
 	    || exit 1; \
 	  fi; \
 	done
@@ -427,6 +470,7 @@ clean-generic:
 
 distclean-generic:
 	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -448,6 +492,8 @@ dvi-am:
 
 html: html-am
 
+html-am:
+
 info: info-am
 
 info-am:
@@ -456,18 +502,28 @@ install-data-am: install-pluginLTLIBRARIES
 
 install-dvi: install-dvi-am
 
+install-dvi-am:
+
 install-exec-am:
 
 install-html: install-html-am
 
+install-html-am:
+
 install-info: install-info-am
 
+install-info-am:
+
 install-man:
 
 install-pdf: install-pdf-am
 
+install-pdf-am:
+
 install-ps: install-ps-am
 
+install-ps-am:
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -506,6 +562,7 @@ uninstall-am: uninstall-pluginLTLIBRARIES
 	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
 	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
 
+
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/src/libstrongswan/plugins/ldap/ldap_fetcher.c b/src/libstrongswan/plugins/ldap/ldap_fetcher.c
index b2a40219f..ce5b7d56b 100644
--- a/src/libstrongswan/plugins/ldap/ldap_fetcher.c
+++ b/src/libstrongswan/plugins/ldap/ldap_fetcher.c
@@ -38,7 +38,7 @@ struct private_ldap_fetcher_t {
 	 * Public data
 	 */
 	ldap_fetcher_t public;
-	
+
 	/**
 	 * timeout to use for fetches
 	 */
@@ -79,7 +79,7 @@ static bool parse(LDAP *ldap, LDAPMessage *result, chunk_t *response)
 			}
 			else
 			{
-				DBG1("getting LDAP values failed: %s", 
+				DBG1("getting LDAP values failed: %s",
 					 ldap_err2string(ldap_result2error(ldap, entry, 0)));
 			}
 			ldap_memfree(attr);
@@ -110,7 +110,7 @@ static status_t fetch(private_ldap_fetcher_t *this, char *url,
 	int ldap_version = LDAP_VERSION3;
 	struct timeval timeout;
 	status_t status = FAILED;
-	
+
 	if (!strneq(url, "ldap", 4))
 	{
 		return NOT_SUPPORTED;
@@ -126,7 +126,7 @@ static status_t fetch(private_ldap_fetcher_t *this, char *url,
 		ldap_free_urldesc(lurl);
 		return FAILED;
 	}
-	
+
 	timeout.tv_sec = this->timeout;
 	timeout.tv_usec = 0;
 
@@ -171,7 +171,7 @@ static status_t fetch(private_ldap_fetcher_t *this, char *url,
 static bool set_option(private_ldap_fetcher_t *this, fetcher_option_t option, ...)
 {
 	va_list args;
-	
+
 	va_start(args, option);
 	switch (option)
 	{
@@ -203,9 +203,9 @@ ldap_fetcher_t *ldap_fetcher_create()
 	this->public.interface.fetch = (status_t(*)(fetcher_t*,char*,chunk_t*))fetch;
 	this->public.interface.set_option = (bool(*)(fetcher_t*, fetcher_option_t option, ...))set_option;
 	this->public.interface.destroy = (void (*)(fetcher_t*))destroy;
-	
+
 	this->timeout = DEFAULT_TIMEOUT;
-	
+
 	return &this->public;
 }
 
diff --git a/src/libstrongswan/plugins/ldap/ldap_plugin.c b/src/libstrongswan/plugins/ldap/ldap_plugin.c
index 994f3db46..a31308bbf 100644
--- a/src/libstrongswan/plugins/ldap/ldap_plugin.c
+++ b/src/libstrongswan/plugins/ldap/ldap_plugin.c
@@ -36,7 +36,7 @@ struct private_ldap_plugin_t {
  */
 static void destroy(private_ldap_plugin_t *this)
 {
-	lib->fetcher->remove_fetcher(lib->fetcher, 
+	lib->fetcher->remove_fetcher(lib->fetcher,
 								 (fetcher_constructor_t)ldap_fetcher_create);
 	free(this);
 }
@@ -47,14 +47,14 @@ static void destroy(private_ldap_plugin_t *this)
 plugin_t *plugin_create()
 {
 	private_ldap_plugin_t *this = malloc_thing(private_ldap_plugin_t);
-	
+
 	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
 
 	lib->fetcher->add_fetcher(lib->fetcher,
 						(fetcher_constructor_t)ldap_fetcher_create, "ldap://");
 	lib->fetcher->add_fetcher(lib->fetcher,
 						(fetcher_constructor_t)ldap_fetcher_create, "ldaps://");
-	
+
 	return &this->public.plugin;
 }
 
diff --git a/src/libstrongswan/plugins/md4/Makefile.in b/src/libstrongswan/plugins/md4/Makefile.in
index 7ca6a20cc..6014ddcf8 100644
--- a/src/libstrongswan/plugins/md4/Makefile.in
+++ b/src/libstrongswan/plugins/md4/Makefile.in
@@ -1,8 +1,9 @@
-# Makefile.in generated by automake 1.10.2 from Makefile.am.
+# Makefile.in generated by automake 1.11 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,8 +17,9 @@
 
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
@@ -35,19 +37,41 @@ host_triplet = @host@
 subdir = src/libstrongswan/plugins/md4
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
 CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
 am__vpath_adj = case $$p in \
     $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
     *) f=$$p;; \
   esac;
-am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__installdirs = "$(DESTDIR)$(plugindir)"
-pluginLTLIBRARIES_INSTALL = $(INSTALL)
 LTLIBRARIES = $(plugin_LTLIBRARIES)
 libstrongswan_md4_la_LIBADD =
 am_libstrongswan_md4_la_OBJECTS = md4_plugin.lo md4_hasher.lo
@@ -58,6 +82,7 @@ libstrongswan_md4_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
+am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
@@ -105,25 +130,22 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
-IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
-LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
-LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
-LINUX_HEADERS = @LINUX_HEADERS@
 LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
 NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
@@ -135,11 +157,14 @@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
 PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
+RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
@@ -168,9 +193,9 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
-confdir = @confdir@
 datadir = @datadir@
 datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
@@ -193,7 +218,7 @@ ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
 libstrongswan_plugins = @libstrongswan_plugins@
-linuxdir = @linuxdir@
+linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
@@ -201,6 +226,7 @@ mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
@@ -209,10 +235,12 @@ pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+random_device = @random_device@
 resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
-simreader = @simreader@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
@@ -220,6 +248,7 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
@@ -240,9 +269,9 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/libstrongswan/plugins/md4/Makefile'; \
-	cd $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu  src/libstrongswan/plugins/md4/Makefile
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/md4/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libstrongswan/plugins/md4/Makefile
 .PRECIOUS: Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
@@ -260,23 +289,28 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
 	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
 	  if test -f $$p; then \
-	    f=$(am__strip_dir) \
-	    echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(plugindir)/$$f'"; \
-	    $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(plugindir)/$$f"; \
+	    list2="$$list2 $$p"; \
 	  else :; fi; \
-	done
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
 
 uninstall-pluginLTLIBRARIES:
 	@$(NORMAL_UNINSTALL)
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
-	  p=$(am__strip_dir) \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$p'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$p"; \
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
 	done
 
 clean-pluginLTLIBRARIES:
@@ -301,21 +335,21 @@ distclean-compile:
 
 .c.o:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c $<
 
 .c.obj:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
 @am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
@@ -338,7 +372,7 @@ tags: TAGS
 
 TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
+	set x; \
 	here=`pwd`; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
@@ -346,29 +380,34 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
 	  test -n "$$unique" || unique=$$empty_fix; \
-	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	    $$tags $$unique; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
 	fi
 ctags: CTAGS
 CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	test -z "$(CTAGS_ARGS)$$unique" \
 	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$tags $$unique
+	     $$unique
 
 GTAGS:
 	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && cd $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) $$here
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
 
 distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
@@ -389,13 +428,17 @@ distdir: $(DISTFILES)
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
 	  if test -d $$d/$$file; then \
 	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
 	    fi; \
-	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
 	  else \
-	    test -f $(distdir)/$$file \
-	    || cp -p $$d/$$file $(distdir)/$$file \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
 	    || exit 1; \
 	  fi; \
 	done
@@ -426,6 +469,7 @@ clean-generic:
 
 distclean-generic:
 	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -447,6 +491,8 @@ dvi-am:
 
 html: html-am
 
+html-am:
+
 info: info-am
 
 info-am:
@@ -455,18 +501,28 @@ install-data-am: install-pluginLTLIBRARIES
 
 install-dvi: install-dvi-am
 
+install-dvi-am:
+
 install-exec-am:
 
 install-html: install-html-am
 
+install-html-am:
+
 install-info: install-info-am
 
+install-info-am:
+
 install-man:
 
 install-pdf: install-pdf-am
 
+install-pdf-am:
+
 install-ps: install-ps-am
 
+install-ps-am:
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -505,6 +561,7 @@ uninstall-am: uninstall-pluginLTLIBRARIES
 	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
 	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
 
+
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/src/libstrongswan/plugins/md4/md4_hasher.c b/src/libstrongswan/plugins/md4/md4_hasher.c
index 3801110dc..366d37328 100644
--- a/src/libstrongswan/plugins/md4/md4_hasher.c
+++ b/src/libstrongswan/plugins/md4/md4_hasher.c
@@ -2,9 +2,9 @@
  * Copyright (C) 2005-2006 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
- * Copyright (C) 1990-1992, RSA Data Security, Inc. Created 1990. 
+ * Copyright (C) 1990-1992, RSA Data Security, Inc. Created 1990.
  * All rights reserved.
- * 
+ *
  * Derived from the RSA Data Security, Inc. MD4 Message-Digest Algorithm.
  * Ported to fulfill hasher_t interface.
  *
@@ -83,7 +83,7 @@ struct private_md4_hasher_t {
 	 * Public interface for this hasher.
 	 */
 	md4_hasher_t public;
-	
+
 	/*
 	 * State of the hasher.
 	 */
@@ -101,7 +101,7 @@ static void Encode (u_int8_t *output, u_int32_t *input, size_t len)
 {
 	size_t i, j;
 
-	for (i = 0, j = 0; j < len; i++, j += 4) 
+	for (i = 0, j = 0; j < len; i++, j += 4)
 	{
 		output[j] = (u_int8_t)(input[i] & 0xff);
 		output[j+1] = (u_int8_t)((input[i] >> 8) & 0xff);
@@ -119,7 +119,7 @@ static void Decode(u_int32_t *output, u_int8_t *input, size_t len)
 
 	for (i = 0, j = 0; j < len; i++, j += 4)
 	{
- 		output[i] = ((u_int32_t)input[j]) | (((u_int32_t)input[j+1]) << 8) |
+		output[i] = ((u_int32_t)input[j]) | (((u_int32_t)input[j+1]) << 8) |
 		(((u_int32_t)input[j+2]) << 16) | (((u_int32_t)input[j+3]) << 24);
 	}
 }
@@ -220,14 +220,14 @@ static void MD4Update(private_md4_hasher_t *this, u_int8_t *input, size_t inputL
 	partLen = 64 - index;
 
 	/* Transform as many times as possible. */
-	if (inputLen >= partLen) 
+	if (inputLen >= partLen)
 	{
 		memcpy(&this->buffer[index], input, partLen);
 		MD4Transform (this->state, this->buffer);
 
 		for (i = partLen; i + 63 < inputLen; i += 64)
 		{
-	    	MD4Transform (this->state, &input[i]);
+		MD4Transform (this->state, &input[i]);
 		}
 		index = 0;
 	}
@@ -288,7 +288,7 @@ static void get_hash(private_md4_hasher_t *this, chunk_t chunk, u_int8_t *buffer
 static void allocate_hash(private_md4_hasher_t *this, chunk_t chunk, chunk_t *hash)
 {
 	chunk_t allocated_hash;
-	
+
 	MD4Update(this, chunk.ptr, chunk.len);
 	if (hash != NULL)
 	{
@@ -297,11 +297,11 @@ static void allocate_hash(private_md4_hasher_t *this, chunk_t chunk, chunk_t *ha
 
 		MD4Final(this, allocated_hash.ptr);
 		this->public.hasher_interface.reset(&(this->public.hasher_interface));
-		
+
 		*hash = allocated_hash;
 	}
 }
-	
+
 /**
  * Implementation of hasher_t.get_hash_size.
  */
@@ -337,21 +337,21 @@ static void destroy(private_md4_hasher_t *this)
 md4_hasher_t *md4_hasher_create(hash_algorithm_t algo)
 {
 	private_md4_hasher_t *this;
-	
+
 	if (algo != HASH_MD4)
 	{
 		return NULL;
 	}
 	this = malloc_thing(private_md4_hasher_t);
-	
+
 	this->public.hasher_interface.get_hash = (void (*) (hasher_t*, chunk_t, u_int8_t*))get_hash;
 	this->public.hasher_interface.allocate_hash = (void (*) (hasher_t*, chunk_t, chunk_t*))allocate_hash;
 	this->public.hasher_interface.get_hash_size = (size_t (*) (hasher_t*))get_hash_size;
 	this->public.hasher_interface.reset = (void (*) (hasher_t*))reset;
 	this->public.hasher_interface.destroy = (void (*) (hasher_t*))destroy;
-	
+
 	/* initialize */
 	reset(this);
-	
+
 	return &(this->public);
 }
diff --git a/src/libstrongswan/plugins/md4/md4_hasher.h b/src/libstrongswan/plugins/md4/md4_hasher.h
index b0b8c65d2..aeb68f718 100644
--- a/src/libstrongswan/plugins/md4/md4_hasher.h
+++ b/src/libstrongswan/plugins/md4/md4_hasher.h
@@ -30,7 +30,7 @@ typedef struct md4_hasher_t md4_hasher_t;
  * Implementation of hasher_t interface using the MD4 algorithm.
  */
 struct md4_hasher_t {
-	
+
 	/**
 	 * Generic hasher_t interface for this hasher.
 	 */
@@ -39,7 +39,7 @@ struct md4_hasher_t {
 
 /**
  * Creates a new md4_hasher_t.
- * 
+ *
  * @param algo		hash algorithm, must be HASH_MD4
  * @return			md4_hasher_t object, NULL if not supported
  */
diff --git a/src/libstrongswan/plugins/md4/md4_plugin.c b/src/libstrongswan/plugins/md4/md4_plugin.c
index 43ae6261d..ba4041d2d 100644
--- a/src/libstrongswan/plugins/md4/md4_plugin.c
+++ b/src/libstrongswan/plugins/md4/md4_plugin.c
@@ -47,12 +47,12 @@ static void destroy(private_md4_plugin_t *this)
 plugin_t *plugin_create()
 {
 	private_md4_plugin_t *this = malloc_thing(private_md4_plugin_t);
-	
+
 	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-	
+
 	lib->crypto->add_hasher(lib->crypto, HASH_MD4,
 							(hasher_constructor_t)md4_hasher_create);
-	
+
 	return &this->public.plugin;
 }
 
diff --git a/src/libstrongswan/plugins/md5/Makefile.in b/src/libstrongswan/plugins/md5/Makefile.in
index fb9bc4b4d..fcb921316 100644
--- a/src/libstrongswan/plugins/md5/Makefile.in
+++ b/src/libstrongswan/plugins/md5/Makefile.in
@@ -1,8 +1,9 @@
-# Makefile.in generated by automake 1.10.2 from Makefile.am.
+# Makefile.in generated by automake 1.11 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,8 +17,9 @@
 
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
@@ -35,19 +37,41 @@ host_triplet = @host@
 subdir = src/libstrongswan/plugins/md5
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
 CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
 am__vpath_adj = case $$p in \
     $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
     *) f=$$p;; \
   esac;
-am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__installdirs = "$(DESTDIR)$(plugindir)"
-pluginLTLIBRARIES_INSTALL = $(INSTALL)
 LTLIBRARIES = $(plugin_LTLIBRARIES)
 libstrongswan_md5_la_LIBADD =
 am_libstrongswan_md5_la_OBJECTS = md5_plugin.lo md5_hasher.lo
@@ -58,6 +82,7 @@ libstrongswan_md5_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
+am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
@@ -105,25 +130,22 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
-IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
-LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
-LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
-LINUX_HEADERS = @LINUX_HEADERS@
 LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
 NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
@@ -135,11 +157,14 @@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
 PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
+RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
@@ -168,9 +193,9 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
-confdir = @confdir@
 datadir = @datadir@
 datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
@@ -193,7 +218,7 @@ ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
 libstrongswan_plugins = @libstrongswan_plugins@
-linuxdir = @linuxdir@
+linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
@@ -201,6 +226,7 @@ mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
@@ -209,10 +235,12 @@ pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+random_device = @random_device@
 resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
-simreader = @simreader@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
@@ -220,6 +248,7 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
@@ -240,9 +269,9 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/libstrongswan/plugins/md5/Makefile'; \
-	cd $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu  src/libstrongswan/plugins/md5/Makefile
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/md5/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libstrongswan/plugins/md5/Makefile
 .PRECIOUS: Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
@@ -260,23 +289,28 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
 	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
 	  if test -f $$p; then \
-	    f=$(am__strip_dir) \
-	    echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(plugindir)/$$f'"; \
-	    $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(plugindir)/$$f"; \
+	    list2="$$list2 $$p"; \
 	  else :; fi; \
-	done
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
 
 uninstall-pluginLTLIBRARIES:
 	@$(NORMAL_UNINSTALL)
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
-	  p=$(am__strip_dir) \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$p'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$p"; \
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
 	done
 
 clean-pluginLTLIBRARIES:
@@ -301,21 +335,21 @@ distclean-compile:
 
 .c.o:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c $<
 
 .c.obj:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
 @am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
@@ -338,7 +372,7 @@ tags: TAGS
 
 TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
+	set x; \
 	here=`pwd`; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
@@ -346,29 +380,34 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
 	  test -n "$$unique" || unique=$$empty_fix; \
-	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	    $$tags $$unique; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
 	fi
 ctags: CTAGS
 CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	test -z "$(CTAGS_ARGS)$$unique" \
 	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$tags $$unique
+	     $$unique
 
 GTAGS:
 	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && cd $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) $$here
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
 
 distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
@@ -389,13 +428,17 @@ distdir: $(DISTFILES)
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
 	  if test -d $$d/$$file; then \
 	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
 	    fi; \
-	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
 	  else \
-	    test -f $(distdir)/$$file \
-	    || cp -p $$d/$$file $(distdir)/$$file \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
 	    || exit 1; \
 	  fi; \
 	done
@@ -426,6 +469,7 @@ clean-generic:
 
 distclean-generic:
 	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -447,6 +491,8 @@ dvi-am:
 
 html: html-am
 
+html-am:
+
 info: info-am
 
 info-am:
@@ -455,18 +501,28 @@ install-data-am: install-pluginLTLIBRARIES
 
 install-dvi: install-dvi-am
 
+install-dvi-am:
+
 install-exec-am:
 
 install-html: install-html-am
 
+install-html-am:
+
 install-info: install-info-am
 
+install-info-am:
+
 install-man:
 
 install-pdf: install-pdf-am
 
+install-pdf-am:
+
 install-ps: install-ps-am
 
+install-ps-am:
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -505,6 +561,7 @@ uninstall-am: uninstall-pluginLTLIBRARIES
 	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
 	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
 
+
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/src/libstrongswan/plugins/md5/md5_hasher.c b/src/libstrongswan/plugins/md5/md5_hasher.c
index 0ec5c073a..a97ad5cae 100644
--- a/src/libstrongswan/plugins/md5/md5_hasher.c
+++ b/src/libstrongswan/plugins/md5/md5_hasher.c
@@ -2,9 +2,9 @@
  * Copyright (C) 2005-2006 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
- * Copyright (C) 1991-1992, RSA Data Security, Inc. Created 1991. 
+ * Copyright (C) 1991-1992, RSA Data Security, Inc. Created 1991.
  * All rights reserved.
- * 
+ *
  * Derived from the RSA Data Security, Inc. MD5 Message-Digest Algorithm.
  * Ported to fulfill hasher_t interface.
  *
@@ -50,7 +50,7 @@ static u_int8_t PADDING[64] = {
 
 /*
  * ugly macro stuff
- */ 
+ */
 /* F, G, H and I are basic MD5 functions.
  */
 #define F(x, y, z) (((x) & (y)) | ((~x) & (z)))
@@ -98,13 +98,13 @@ struct private_md5_hasher_t {
 	 * Public interface for this hasher.
 	 */
 	md5_hasher_t public;
-	
+
 	/*
 	 * State of the hasher.
 	 */
 	u_int32_t state[5];
-    u_int32_t count[2];
-    u_int8_t buffer[64];
+	u_int32_t count[2];
+	u_int8_t buffer[64];
 };
 
 
@@ -117,7 +117,7 @@ static void Encode (u_int8_t *output, u_int32_t *input, size_t len)
 {
 	size_t i, j;
 
-	for (i = 0, j = 0; j < len; i++, j += 4) 
+	for (i = 0, j = 0; j < len; i++, j += 4)
 	{
 		output[j] = (u_int8_t)(input[i] & 0xff);
 		output[j+1] = (u_int8_t)((input[i] >> 8) & 0xff);
@@ -135,7 +135,7 @@ static void Decode(u_int32_t *output, u_int8_t *input, size_t len)
 
 	for (i = 0, j = 0; j < len; i++, j += 4)
 	{
- 		output[i] = ((u_int32_t)input[j]) | (((u_int32_t)input[j+1]) << 8) |
+		output[i] = ((u_int32_t)input[j]) | (((u_int32_t)input[j+1]) << 8) |
 		(((u_int32_t)input[j+2]) << 16) | (((u_int32_t)input[j+3]) << 24);
 	}
 }
@@ -253,14 +253,14 @@ static void MD5Update(private_md5_hasher_t *this, u_int8_t *input, size_t inputL
 	partLen = 64 - index;
 
 	/* Transform as many times as possible. */
-	if (inputLen >= partLen) 
+	if (inputLen >= partLen)
 	{
 		memcpy(&this->buffer[index], input, partLen);
 		MD5Transform (this->state, this->buffer);
 
 		for (i = partLen; i + 63 < inputLen; i += 64)
 		{
-	    	MD5Transform (this->state, &input[i]);
+			MD5Transform (this->state, &input[i]);
 		}
 		index = 0;
 	}
@@ -321,7 +321,7 @@ static void get_hash(private_md5_hasher_t *this, chunk_t chunk, u_int8_t *buffer
 static void allocate_hash(private_md5_hasher_t *this, chunk_t chunk, chunk_t *hash)
 {
 	chunk_t allocated_hash;
-	
+
 	MD5Update(this, chunk.ptr, chunk.len);
 	if (hash != NULL)
 	{
@@ -330,11 +330,11 @@ static void allocate_hash(private_md5_hasher_t *this, chunk_t chunk, chunk_t *ha
 
 		MD5Final(this, allocated_hash.ptr);
 		this->public.hasher_interface.reset(&(this->public.hasher_interface));
-		
+
 		*hash = allocated_hash;
 	}
 }
-	
+
 /**
  * Implementation of hasher_t.get_hash_size.
  */
@@ -370,21 +370,21 @@ static void destroy(private_md5_hasher_t *this)
 md5_hasher_t *md5_hasher_create(hash_algorithm_t algo)
 {
 	private_md5_hasher_t *this;
-	
+
 	if (algo != HASH_MD5)
 	{
 		return NULL;
 	}
 	this = malloc_thing(private_md5_hasher_t);
-	
+
 	this->public.hasher_interface.get_hash = (void (*) (hasher_t*, chunk_t, u_int8_t*))get_hash;
 	this->public.hasher_interface.allocate_hash = (void (*) (hasher_t*, chunk_t, chunk_t*))allocate_hash;
 	this->public.hasher_interface.get_hash_size = (size_t (*) (hasher_t*))get_hash_size;
 	this->public.hasher_interface.reset = (void (*) (hasher_t*))reset;
 	this->public.hasher_interface.destroy = (void (*) (hasher_t*))destroy;
-	
+
 	/* initialize */
 	reset(this);
-	
+
 	return &(this->public);
 }
diff --git a/src/libstrongswan/plugins/md5/md5_hasher.h b/src/libstrongswan/plugins/md5/md5_hasher.h
index 0064c177b..7f29a9621 100644
--- a/src/libstrongswan/plugins/md5/md5_hasher.h
+++ b/src/libstrongswan/plugins/md5/md5_hasher.h
@@ -30,7 +30,7 @@ typedef struct md5_hasher_t md5_hasher_t;
  * Implementation of hasher_t interface using the MD5 algorithm.
  */
 struct md5_hasher_t {
-	
+
 	/**
 	 * Generic hasher_t interface for this hasher.
 	 */
@@ -39,7 +39,7 @@ struct md5_hasher_t {
 
 /**
  * Creates a new md5_hasher_t.
- * 
+ *
  * @param algo		hash algorithm, must be HASH_MD5
  * @return			md5_hasher_t object, NULL if not supported
  */
diff --git a/src/libstrongswan/plugins/md5/md5_plugin.c b/src/libstrongswan/plugins/md5/md5_plugin.c
index b1a3b495c..7592c20df 100644
--- a/src/libstrongswan/plugins/md5/md5_plugin.c
+++ b/src/libstrongswan/plugins/md5/md5_plugin.c
@@ -47,12 +47,12 @@ static void destroy(private_md5_plugin_t *this)
 plugin_t *plugin_create()
 {
 	private_md5_plugin_t *this = malloc_thing(private_md5_plugin_t);
-	
+
 	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-	
+
 	lib->crypto->add_hasher(lib->crypto, HASH_MD5,
 							(hasher_constructor_t)md5_hasher_create);
-	
+
 	return &this->public.plugin;
 }
 
diff --git a/src/libstrongswan/plugins/mysql/Makefile.am b/src/libstrongswan/plugins/mysql/Makefile.am
index 0daf7655b..c64481fd5 100644
--- a/src/libstrongswan/plugins/mysql/Makefile.am
+++ b/src/libstrongswan/plugins/mysql/Makefile.am
@@ -1,12 +1,12 @@
 
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = -rdynamic $(MYSQLCFLAG)
 
 plugin_LTLIBRARIES = libstrongswan-mysql.la
 
 libstrongswan_mysql_la_SOURCES = mysql_plugin.h mysql_plugin.c  \
 	mysql_database.h mysql_database.c
 libstrongswan_mysql_la_LDFLAGS = -module -avoid-version
-libstrongswan_mysql_la_LIBADD = -lmysqlclient_r
+libstrongswan_mysql_la_LIBADD = $(MYSQLLIB)
 
diff --git a/src/libstrongswan/plugins/mysql/Makefile.in b/src/libstrongswan/plugins/mysql/Makefile.in
index 21fe61923..dc56940d2 100644
--- a/src/libstrongswan/plugins/mysql/Makefile.in
+++ b/src/libstrongswan/plugins/mysql/Makefile.in
@@ -1,8 +1,9 @@
-# Makefile.in generated by automake 1.10.2 from Makefile.am.
+# Makefile.in generated by automake 1.11 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,8 +17,9 @@
 
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
@@ -35,21 +37,44 @@ host_triplet = @host@
 subdir = src/libstrongswan/plugins/mysql
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
 CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
 am__vpath_adj = case $$p in \
     $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
     *) f=$$p;; \
   esac;
-am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__installdirs = "$(DESTDIR)$(plugindir)"
-pluginLTLIBRARIES_INSTALL = $(INSTALL)
 LTLIBRARIES = $(plugin_LTLIBRARIES)
-libstrongswan_mysql_la_DEPENDENCIES =
+am__DEPENDENCIES_1 =
+libstrongswan_mysql_la_DEPENDENCIES = $(am__DEPENDENCIES_1)
 am_libstrongswan_mysql_la_OBJECTS = mysql_plugin.lo mysql_database.lo
 libstrongswan_mysql_la_OBJECTS = $(am_libstrongswan_mysql_la_OBJECTS)
 libstrongswan_mysql_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
@@ -58,6 +83,7 @@ libstrongswan_mysql_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
+am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
@@ -105,25 +131,22 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
-IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
-LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
-LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
-LINUX_HEADERS = @LINUX_HEADERS@
 LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
 NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
@@ -135,11 +158,14 @@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
 PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
+RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
@@ -168,9 +194,9 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
-confdir = @confdir@
 datadir = @datadir@
 datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
@@ -193,7 +219,7 @@ ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
 libstrongswan_plugins = @libstrongswan_plugins@
-linuxdir = @linuxdir@
+linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
@@ -201,6 +227,7 @@ mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
@@ -209,10 +236,12 @@ pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+random_device = @random_device@
 resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
-simreader = @simreader@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
@@ -220,16 +249,17 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = -rdynamic $(MYSQLCFLAG)
 plugin_LTLIBRARIES = libstrongswan-mysql.la
 libstrongswan_mysql_la_SOURCES = mysql_plugin.h mysql_plugin.c  \
 	mysql_database.h mysql_database.c
 
 libstrongswan_mysql_la_LDFLAGS = -module -avoid-version
-libstrongswan_mysql_la_LIBADD = -lmysqlclient_r
+libstrongswan_mysql_la_LIBADD = $(MYSQLLIB)
 all: all-am
 
 .SUFFIXES:
@@ -243,9 +273,9 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/libstrongswan/plugins/mysql/Makefile'; \
-	cd $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu  src/libstrongswan/plugins/mysql/Makefile
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/mysql/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libstrongswan/plugins/mysql/Makefile
 .PRECIOUS: Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
@@ -263,23 +293,28 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
 	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
 	  if test -f $$p; then \
-	    f=$(am__strip_dir) \
-	    echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(plugindir)/$$f'"; \
-	    $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(plugindir)/$$f"; \
+	    list2="$$list2 $$p"; \
 	  else :; fi; \
-	done
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
 
 uninstall-pluginLTLIBRARIES:
 	@$(NORMAL_UNINSTALL)
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
-	  p=$(am__strip_dir) \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$p'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$p"; \
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
 	done
 
 clean-pluginLTLIBRARIES:
@@ -304,21 +339,21 @@ distclean-compile:
 
 .c.o:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c $<
 
 .c.obj:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
 @am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
@@ -341,7 +376,7 @@ tags: TAGS
 
 TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
+	set x; \
 	here=`pwd`; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
@@ -349,29 +384,34 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
 	  test -n "$$unique" || unique=$$empty_fix; \
-	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	    $$tags $$unique; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
 	fi
 ctags: CTAGS
 CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	test -z "$(CTAGS_ARGS)$$unique" \
 	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$tags $$unique
+	     $$unique
 
 GTAGS:
 	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && cd $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) $$here
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
 
 distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
@@ -392,13 +432,17 @@ distdir: $(DISTFILES)
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
 	  if test -d $$d/$$file; then \
 	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
 	    fi; \
-	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
 	  else \
-	    test -f $(distdir)/$$file \
-	    || cp -p $$d/$$file $(distdir)/$$file \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
 	    || exit 1; \
 	  fi; \
 	done
@@ -429,6 +473,7 @@ clean-generic:
 
 distclean-generic:
 	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -450,6 +495,8 @@ dvi-am:
 
 html: html-am
 
+html-am:
+
 info: info-am
 
 info-am:
@@ -458,18 +505,28 @@ install-data-am: install-pluginLTLIBRARIES
 
 install-dvi: install-dvi-am
 
+install-dvi-am:
+
 install-exec-am:
 
 install-html: install-html-am
 
+install-html-am:
+
 install-info: install-info-am
 
+install-info-am:
+
 install-man:
 
 install-pdf: install-pdf-am
 
+install-pdf-am:
+
 install-ps: install-ps-am
 
+install-ps-am:
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -508,6 +565,7 @@ uninstall-am: uninstall-pluginLTLIBRARIES
 	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
 	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
 
+
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/src/libstrongswan/plugins/mysql/mysql_database.c b/src/libstrongswan/plugins/mysql/mysql_database.c
index 341217dd4..2338428f2 100644
--- a/src/libstrongswan/plugins/mysql/mysql_database.c
+++ b/src/libstrongswan/plugins/mysql/mysql_database.c
@@ -15,13 +15,13 @@
 
 #define _GNU_SOURCE
 #include <string.h>
-#include <pthread.h>
-#include <mysql/mysql.h>
+#include <mysql.h>
 
 #include "mysql_database.h"
 
 #include <debug.h>
-#include <utils/mutex.h>
+#include <threading/thread_value.h>
+#include <threading/mutex.h>
 #include <utils/linked_list.h>
 
 /* Older mysql.h headers do not define it, but we need it. It is not returned
@@ -42,37 +42,37 @@ struct private_mysql_database_t {
 	 * public functions
 	 */
 	mysql_database_t public;
-	
+
 	/**
 	 * connection pool, contains conn_t
 	 */
 	linked_list_t *pool;
-	
+
 	/**
 	 * mutex to lock pool
 	 */
 	mutex_t *mutex;
-	
+
 	/**
- 	 * hostname to connect to
- 	 */
+	 * hostname to connect to
+	 */
 	char *host;
-	
+
 	/**
 	 * username to use
 	 */
 	char *username;
-	
+
 	/**
 	 * password
 	 */
 	char *password;
-	
+
 	/**
 	 * database name
 	 */
 	char *database;
-	
+
 	/**
 	 * tcp port
 	 */
@@ -85,12 +85,12 @@ typedef struct conn_t conn_t;
  * connection pool entry
  */
 struct conn_t {
-	
+
 	/**
 	 * MySQL database connection
 	 */
 	MYSQL *mysql;
-	
+
 	/**
 	 * connection in use?
 	 */
@@ -104,19 +104,20 @@ static void conn_release(conn_t *conn)
 {
 	conn->in_use = FALSE;
 }
+
 /**
  * thread specific initialization flag
  */
-pthread_key_t initialized;
+thread_value_t *initialized;
 
 /**
  * Initialize a thread for mysql usage
  */
 static void thread_initialize()
 {
-	if (pthread_getspecific(initialized) == NULL)
+	if (initialized->get(initialized) == NULL)
 	{
-		pthread_setspecific(initialized, (void*)TRUE);
+		initialized->set(initialized, (void*)TRUE);
 		mysql_thread_init();
 	}
 }
@@ -130,11 +131,7 @@ bool mysql_database_init()
 	{
 		return FALSE;
 	}
-	if (pthread_key_create(&initialized, (void*)mysql_thread_end))
-	{
-		mysql_library_end();
-		return FALSE;
-	}
+	initialized = thread_value_create((thread_cleanup_t)mysql_thread_end);
 	return TRUE;
 }
 
@@ -143,7 +140,7 @@ bool mysql_database_init()
  */
 void mysql_database_deinit()
 {
-	pthread_key_delete(initialized);
+	initialized->destroy(initialized);
 	mysql_thread_end();
 	/* mysql_library_end(); would be the clean way, however, it hangs... */
 }
@@ -164,9 +161,9 @@ static conn_t *conn_get(private_mysql_database_t *this)
 {
 	conn_t *current, *found = NULL;
 	enumerator_t *enumerator;
-	
+
 	thread_initialize();
-	
+
 	while (TRUE)
 	{
 		this->mutex->lock(this->mutex);
@@ -231,28 +228,28 @@ static MYSQL_STMT* run(MYSQL *mysql, char *sql, va_list *args)
 {
 	MYSQL_STMT *stmt;
 	int params;
-	
+
 	stmt = mysql_stmt_init(mysql);
 	if (stmt == NULL)
 	{
-    	DBG1("creating MySQL statement failed: %s", mysql_error(mysql));
+		DBG1("creating MySQL statement failed: %s", mysql_error(mysql));
 		return NULL;
 	}
 	if (mysql_stmt_prepare(stmt, sql, strlen(sql)))
 	{
-    	DBG1("preparing MySQL statement failed: %s", mysql_stmt_error(stmt));
-    	mysql_stmt_close(stmt);
-    	return NULL;
+		DBG1("preparing MySQL statement failed: %s", mysql_stmt_error(stmt));
+		mysql_stmt_close(stmt);
+		return NULL;
 	}
 	params = mysql_stmt_param_count(stmt);
 	if (params > 0)
 	{
 		int i;
 		MYSQL_BIND *bind;
-	
+
 		bind = alloca(sizeof(MYSQL_BIND) * params);
 		memset(bind, 0, sizeof(MYSQL_BIND) * params);
-		
+
 		for (i = 0; i < params; i++)
 		{
 			switch (va_arg(*args, db_type_t))
@@ -285,7 +282,7 @@ static MYSQL_STMT* run(MYSQL *mysql, char *sql, va_list *args)
 					break;
 				}
 				case DB_BLOB:
-				{	
+				{
 					chunk_t chunk = va_arg(*args, chunk_t);
 					bind[i].buffer_type = MYSQL_TYPE_BLOB;
 					bind[i].buffer = chunk.ptr;
@@ -300,28 +297,28 @@ static MYSQL_STMT* run(MYSQL *mysql, char *sql, va_list *args)
 					bind[i].buffer_length = sizeof(double);
 					break;
 				}
-    			case DB_NULL:
+				case DB_NULL:
 				{
 					bind[i].buffer_type = MYSQL_TYPE_NULL;
 					break;
 				}
 				default:
-    				DBG1("invalid data type supplied");
-    				mysql_stmt_close(stmt);
-    				return NULL;
+					DBG1("invalid data type supplied");
+					mysql_stmt_close(stmt);
+					return NULL;
 			}
 		}
 		if (mysql_stmt_bind_param(stmt, bind))
 		{
-    		DBG1("binding MySQL param failed: %s", mysql_stmt_error(stmt));
-    		mysql_stmt_close(stmt);
+			DBG1("binding MySQL param failed: %s", mysql_stmt_error(stmt));
+			mysql_stmt_close(stmt);
 			return NULL;
 		}
 	}
 	if (mysql_stmt_execute(stmt))
 	{
-    	DBG1("executing MySQL statement failed: %s", mysql_stmt_error(stmt));
-    	mysql_stmt_close(stmt);
+		DBG1("executing MySQL statement failed: %s", mysql_stmt_error(stmt));
+		mysql_stmt_close(stmt);
 		return NULL;
 	}
 	return stmt;
@@ -353,9 +350,9 @@ typedef struct {
 static void mysql_enumerator_destroy(mysql_enumerator_t *this)
 {
 	int columns, i;
-	
+
 	columns = mysql_stmt_field_count(this->stmt);
-	
+
 	for (i = 0; i < columns; i++)
 	{
 		switch (this->bind[i].buffer_type)
@@ -385,9 +382,9 @@ static bool mysql_enumerator_enumerate(mysql_enumerator_t *this, ...)
 {
 	int i, columns;
 	va_list args;
-	
+
 	columns = mysql_stmt_field_count(this->stmt);
-	
+
 	/* free/reset data set of previous call */
 	for (i = 0; i < columns; i++)
 	{
@@ -419,7 +416,7 @@ static bool mysql_enumerator_enumerate(mysql_enumerator_t *this, ...)
 			DBG1("fetching MySQL row failed: %s", mysql_stmt_error(this->stmt));
 			return FALSE;
 	}
-	
+
 	va_start(args, this);
 	for (i = 0; i < columns; i++)
 	{
@@ -445,9 +442,9 @@ static bool mysql_enumerator_enumerate(mysql_enumerator_t *this, ...)
 				this->bind[i].buffer = malloc(this->length[i]+1);
 				this->bind[i].buffer_length = this->length[i];
 				*value = this->bind[i].buffer;
-	  			mysql_stmt_fetch_column(this->stmt, &this->bind[i], i, 0);
-	  			((char*)this->bind[i].buffer)[this->length[i]] = '\0';
-	  			break;
+				mysql_stmt_fetch_column(this->stmt, &this->bind[i], i, 0);
+				((char*)this->bind[i].buffer)[this->length[i]] = '\0';
+				break;
 			}
 			case MYSQL_TYPE_BLOB:
 			{
@@ -456,8 +453,8 @@ static bool mysql_enumerator_enumerate(mysql_enumerator_t *this, ...)
 				this->bind[i].buffer_length = this->length[i];
 				value->ptr = this->bind[i].buffer;
 				value->len = this->length[i];
-	  			mysql_stmt_fetch_column(this->stmt, &this->bind[i], i, 0);
-	  			break;
+				mysql_stmt_fetch_column(this->stmt, &this->bind[i], i, 0);
+				break;
 			}
 			case MYSQL_TYPE_DOUBLE:
 			{
@@ -481,7 +478,7 @@ static enumerator_t* query(private_mysql_database_t *this, char *sql, ...)
 	va_list args;
 	mysql_enumerator_t *enumerator = NULL;
 	conn_t *conn;
-	
+
 	conn = conn_get(this);
 	if (!conn)
 	{
@@ -493,7 +490,7 @@ static enumerator_t* query(private_mysql_database_t *this, char *sql, ...)
 	if (stmt)
 	{
 		int columns, i;
-		
+
 		enumerator = malloc_thing(mysql_enumerator_t);
 		enumerator->public.enumerate = (void*)mysql_enumerator_enumerate;
 		enumerator->public.destroy = (void*)mysql_enumerator_destroy;
@@ -527,7 +524,7 @@ static enumerator_t* query(private_mysql_database_t *this, char *sql, ...)
 					break;
 				}
 				case DB_BLOB:
-				{	
+				{
 					enumerator->bind[i].buffer_type = MYSQL_TYPE_BLOB;
 					enumerator->bind[i].length = &enumerator->length[i];
 					break;
@@ -539,17 +536,17 @@ static enumerator_t* query(private_mysql_database_t *this, char *sql, ...)
 					break;
 				}
 				default:
-    				DBG1("invalid result data type supplied");
-    				mysql_enumerator_destroy(enumerator);
-    				va_end(args);
-    				return NULL;
+					DBG1("invalid result data type supplied");
+					mysql_enumerator_destroy(enumerator);
+					va_end(args);
+					return NULL;
 			}
 		}
 		if (mysql_stmt_bind_result(stmt, enumerator->bind))
 		{
 			DBG1("binding MySQL result failed: %s", mysql_stmt_error(stmt));
-    		mysql_enumerator_destroy(enumerator);
-    		enumerator = NULL;
+			mysql_enumerator_destroy(enumerator);
+			enumerator = NULL;
 		}
 	}
 	else
@@ -569,7 +566,7 @@ static int execute(private_mysql_database_t *this, int *rowid, char *sql, ...)
 	va_list args;
 	conn_t *conn;
 	int affected = -1;
-	
+
 	conn = conn_get(this);
 	if (!conn)
 	{
@@ -590,7 +587,7 @@ static int execute(private_mysql_database_t *this, int *rowid, char *sql, ...)
 	conn_release(conn);
 	return affected;
 }
-	
+
 /**
  * Implementation of database_t.get_driver
  */
@@ -646,7 +643,7 @@ static bool parse_uri(private_mysql_database_t *this, char *uri)
 			{
 				*pos = '\0';
 				database = pos + 1;
-	
+
 				this->host = strdup(host);
 				this->username = strdup(username);
 				this->password = strdup(password);
@@ -668,19 +665,19 @@ mysql_database_t *mysql_database_create(char *uri)
 {
 	conn_t *conn;
 	private_mysql_database_t *this;
-	
+
 	if (!strneq(uri, "mysql://", 8))
 	{
 		return NULL;
 	}
 
 	this = malloc_thing(private_mysql_database_t);
-	
+
 	this->public.db.query = (enumerator_t* (*)(database_t *this, char *sql, ...))query;
 	this->public.db.execute = (int (*)(database_t *this, int *rowid, char *sql, ...))execute;
 	this->public.db.get_driver = (db_driver_t(*)(database_t*))get_driver;
 	this->public.db.destroy = (void(*)(database_t*))destroy;
-	
+
 	if (!parse_uri(this, uri))
 	{
 		free(this);
@@ -688,13 +685,13 @@ mysql_database_t *mysql_database_create(char *uri)
 	}
 	this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
 	this->pool = linked_list_create();
-	
+
 	/* check connectivity */
 	conn = conn_get(this);
 	if (!conn)
 	{
-    	destroy(this);
-    	return NULL;
+		destroy(this);
+		return NULL;
 	}
 	conn_release(conn);
 	return &this->public;
diff --git a/src/libstrongswan/plugins/mysql/mysql_plugin.c b/src/libstrongswan/plugins/mysql/mysql_plugin.c
index 92914ae6d..0e64bbc3d 100644
--- a/src/libstrongswan/plugins/mysql/mysql_plugin.c
+++ b/src/libstrongswan/plugins/mysql/mysql_plugin.c
@@ -49,16 +49,16 @@ static void destroy(private_mysql_plugin_t *this)
 plugin_t *plugin_create()
 {
 	private_mysql_plugin_t *this;
-	
+
 	if (!mysql_database_init())
 	{
 		DBG1("MySQL client library initialization failed");
 		return NULL;
 	}
-	
+
 	this = malloc_thing(private_mysql_plugin_t);
 	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-	
+
 	lib->db->add_database(lib->db,
 						  (database_constructor_t)mysql_database_create);
 
diff --git a/src/libstrongswan/plugins/openssl/Makefile.in b/src/libstrongswan/plugins/openssl/Makefile.in
index e6d7b479b..aa8ecf06c 100644
--- a/src/libstrongswan/plugins/openssl/Makefile.in
+++ b/src/libstrongswan/plugins/openssl/Makefile.in
@@ -1,8 +1,9 @@
-# Makefile.in generated by automake 1.10.2 from Makefile.am.
+# Makefile.in generated by automake 1.11 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,8 +17,9 @@
 
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
@@ -35,19 +37,41 @@ host_triplet = @host@
 subdir = src/libstrongswan/plugins/openssl
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
 CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
 am__vpath_adj = case $$p in \
     $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
     *) f=$$p;; \
   esac;
-am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__installdirs = "$(DESTDIR)$(plugindir)"
-pluginLTLIBRARIES_INSTALL = $(INSTALL)
 LTLIBRARIES = $(plugin_LTLIBRARIES)
 libstrongswan_openssl_la_DEPENDENCIES =
 am_libstrongswan_openssl_la_OBJECTS = openssl_plugin.lo \
@@ -63,6 +87,7 @@ libstrongswan_openssl_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
+am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
@@ -110,25 +135,22 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
-IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
-LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
-LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
-LINUX_HEADERS = @LINUX_HEADERS@
 LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
 NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
@@ -140,11 +162,14 @@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
 PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
+RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
@@ -173,9 +198,9 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
-confdir = @confdir@
 datadir = @datadir@
 datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
@@ -198,7 +223,7 @@ ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
 libstrongswan_plugins = @libstrongswan_plugins@
-linuxdir = @linuxdir@
+linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
@@ -206,6 +231,7 @@ mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
@@ -214,10 +240,12 @@ pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+random_device = @random_device@
 resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
-simreader = @simreader@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
@@ -225,6 +253,7 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
@@ -256,9 +285,9 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/libstrongswan/plugins/openssl/Makefile'; \
-	cd $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu  src/libstrongswan/plugins/openssl/Makefile
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/openssl/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libstrongswan/plugins/openssl/Makefile
 .PRECIOUS: Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
@@ -276,23 +305,28 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
 	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
 	  if test -f $$p; then \
-	    f=$(am__strip_dir) \
-	    echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(plugindir)/$$f'"; \
-	    $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(plugindir)/$$f"; \
+	    list2="$$list2 $$p"; \
 	  else :; fi; \
-	done
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
 
 uninstall-pluginLTLIBRARIES:
 	@$(NORMAL_UNINSTALL)
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
-	  p=$(am__strip_dir) \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$p'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$p"; \
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
 	done
 
 clean-pluginLTLIBRARIES:
@@ -325,21 +359,21 @@ distclean-compile:
 
 .c.o:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c $<
 
 .c.obj:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
 @am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
@@ -362,7 +396,7 @@ tags: TAGS
 
 TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
+	set x; \
 	here=`pwd`; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
@@ -370,29 +404,34 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
 	  test -n "$$unique" || unique=$$empty_fix; \
-	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	    $$tags $$unique; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
 	fi
 ctags: CTAGS
 CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	test -z "$(CTAGS_ARGS)$$unique" \
 	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$tags $$unique
+	     $$unique
 
 GTAGS:
 	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && cd $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) $$here
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
 
 distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
@@ -413,13 +452,17 @@ distdir: $(DISTFILES)
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
 	  if test -d $$d/$$file; then \
 	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
 	    fi; \
-	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
 	  else \
-	    test -f $(distdir)/$$file \
-	    || cp -p $$d/$$file $(distdir)/$$file \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
 	    || exit 1; \
 	  fi; \
 	done
@@ -450,6 +493,7 @@ clean-generic:
 
 distclean-generic:
 	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -471,6 +515,8 @@ dvi-am:
 
 html: html-am
 
+html-am:
+
 info: info-am
 
 info-am:
@@ -479,18 +525,28 @@ install-data-am: install-pluginLTLIBRARIES
 
 install-dvi: install-dvi-am
 
+install-dvi-am:
+
 install-exec-am:
 
 install-html: install-html-am
 
+install-html-am:
+
 install-info: install-info-am
 
+install-info-am:
+
 install-man:
 
 install-pdf: install-pdf-am
 
+install-pdf-am:
+
 install-ps: install-ps-am
 
+install-ps-am:
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -529,6 +585,7 @@ uninstall-am: uninstall-pluginLTLIBRARIES
 	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
 	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
 
+
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/src/libstrongswan/plugins/openssl/openssl_crypter.c b/src/libstrongswan/plugins/openssl/openssl_crypter.c
index 424fec60a..a8923ab56 100644
--- a/src/libstrongswan/plugins/openssl/openssl_crypter.c
+++ b/src/libstrongswan/plugins/openssl/openssl_crypter.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2008 Tobias Brunner
- * Hochschule fuer Technik Rapperswil 
+ * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -23,17 +23,17 @@ typedef struct private_openssl_crypter_t private_openssl_crypter_t;
  * Private data of openssl_crypter_t
  */
 struct private_openssl_crypter_t {
-	
+
 	/**
 	 * Public part of this class.
 	 */
 	openssl_crypter_t public;
-	
+
 	/*
 	 * the key
 	 */
 	chunk_t	key;
-	
+
 	/*
 	 * the cipher to use
 	 */
@@ -49,17 +49,17 @@ typedef struct {
 	 * Identifier specified in IKEv2
 	 */
 	int ikev2_id;
-	
+
 	/**
 	 * Name of the algorithm, as used in OpenSSL
 	 */
 	char *name;
-	
+
 	/**
 	 * Minimum valid key length in bytes
 	 */
 	size_t key_size_min;
-	
+
 	/**
 	 * Maximum valid key length in bytes
 	 */
@@ -91,7 +91,7 @@ static openssl_algorithm_t encryption_algs[] = {
 /**
  * Look up an OpenSSL algorithm name and validate its key size
  */
-static char* lookup_algorithm(openssl_algorithm_t *openssl_algo, 
+static char* lookup_algorithm(openssl_algorithm_t *openssl_algo,
 					   u_int16_t ikev2_algo, size_t *key_size)
 {
 	while (openssl_algo->ikev2_id != END_OF_LIST)
@@ -104,7 +104,7 @@ static char* lookup_algorithm(openssl_algorithm_t *openssl_algo,
 			{
 				*key_size = openssl_algo->key_size_min;
 			}
-			
+
 			/* validate key size */
 			if (*key_size < openssl_algo->key_size_min ||
 				*key_size > openssl_algo->key_size_max)
@@ -123,7 +123,7 @@ static void crypt(private_openssl_crypter_t *this, chunk_t data,
 {
 	int len;
 	u_char *out;
-	
+
 	out = data.ptr;
 	if (dst)
 	{
@@ -144,7 +144,7 @@ static void crypt(private_openssl_crypter_t *this, chunk_t data,
 /**
  * Implementation of crypter_t.decrypt.
  */
-static void decrypt(private_openssl_crypter_t *this, chunk_t data, 
+static void decrypt(private_openssl_crypter_t *this, chunk_t data,
 						chunk_t iv, chunk_t *dst)
 {
 	crypt(this, data, iv, dst, 0);
@@ -154,7 +154,7 @@ static void decrypt(private_openssl_crypter_t *this, chunk_t data,
 /**
  * Implementation of crypter_t.encrypt.
  */
-static void encrypt (private_openssl_crypter_t *this, chunk_t data, 
+static void encrypt (private_openssl_crypter_t *this, chunk_t data,
 							chunk_t iv, chunk_t *dst)
 {
 	crypt(this, data, iv, dst, 1);
@@ -196,13 +196,13 @@ static void destroy (private_openssl_crypter_t *this)
 /*
  * Described in header
  */
-openssl_crypter_t *openssl_crypter_create(encryption_algorithm_t algo, 
+openssl_crypter_t *openssl_crypter_create(encryption_algorithm_t algo,
 												  size_t key_size)
 {
 	private_openssl_crypter_t *this;
-	
+
 	this = malloc_thing(private_openssl_crypter_t);
-	
+
 	switch (algo)
 	{
 		case ENCR_NULL:
@@ -218,7 +218,7 @@ openssl_crypter_t *openssl_crypter_create(encryption_algorithm_t algo,
 					this->cipher = EVP_get_cipherbyname("aes192");
 					break;
 				case 32:        /* AES-256 */
-					this->cipher = EVP_get_cipherbyname("aes256"); 
+					this->cipher = EVP_get_cipherbyname("aes256");
 					break;
 				default:
 					free(this);
@@ -235,7 +235,7 @@ openssl_crypter_t *openssl_crypter_create(encryption_algorithm_t algo,
 					this->cipher = EVP_get_cipherbyname("camellia192");
 					break;
 				case 32:        /* CAMELLIA 256 */
-					this->cipher = EVP_get_cipherbyname("camellia256"); 
+					this->cipher = EVP_get_cipherbyname("camellia256");
 					break;
 				default:
 					free(this);
@@ -258,22 +258,22 @@ openssl_crypter_t *openssl_crypter_create(encryption_algorithm_t algo,
 			break;
 		}
 	}
-	
+
 	if (!this->cipher)
 	{
 		/* OpenSSL does not support the requested algo */
 		free(this);
 		return NULL;
 	}
-	
+
 	this->key = chunk_alloc(key_size);
-	
+
 	this->public.crypter_interface.encrypt = (void (*) (crypter_t *, chunk_t,chunk_t, chunk_t *)) encrypt;
 	this->public.crypter_interface.decrypt = (void (*) (crypter_t *, chunk_t , chunk_t, chunk_t *)) decrypt;
 	this->public.crypter_interface.get_block_size = (size_t (*) (crypter_t *)) get_block_size;
 	this->public.crypter_interface.get_key_size = (size_t (*) (crypter_t *)) get_key_size;
 	this->public.crypter_interface.set_key = (void (*) (crypter_t *,chunk_t)) set_key;
 	this->public.crypter_interface.destroy = (void (*) (crypter_t *)) destroy;
-	
+
 	return &this->public;
 }
diff --git a/src/libstrongswan/plugins/openssl/openssl_crypter.h b/src/libstrongswan/plugins/openssl/openssl_crypter.h
index e5a899418..7e30ae03c 100644
--- a/src/libstrongswan/plugins/openssl/openssl_crypter.h
+++ b/src/libstrongswan/plugins/openssl/openssl_crypter.h
@@ -29,7 +29,7 @@ typedef struct openssl_crypter_t openssl_crypter_t;
  * Implementation of crypters using OpenSSL.
  */
 struct openssl_crypter_t {
-	
+
 	/**
 	 * The crypter_t interface.
 	 */
@@ -38,7 +38,7 @@ struct openssl_crypter_t {
 
 /**
  * Constructor to create openssl_crypter_t.
- * 
+ *
  * @param algo			algorithm to implement
  * @param key_size		key size in bytes
  * @return				openssl_crypter_t, NULL if not supported
diff --git a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c
index fe042efdc..80a1ee878 100644
--- a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c
+++ b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c
@@ -22,7 +22,7 @@
 
 typedef struct modulus_entry_t modulus_entry_t;
 
-/** 
+/**
  * Entry of the modulus list.
  */
 struct modulus_entry_t {
@@ -30,20 +30,20 @@ struct modulus_entry_t {
 	 * Group number as it is defined in file transform_substructure.h.
 	 */
 	diffie_hellman_group_t group;
-	
+
 	/**
 	 * Pointer to the function to get the modulus.
 	 */
 	BIGNUM *(*get_prime)(BIGNUM *bn);
-	
-	/* 
+
+	/*
 	 * Optimum length of exponent in bits.
-	 */	
+	 */
 	long opt_exponent_len;
-	
-	/* 
+
+	/*
 	 * Generator value.
-	 */	
+	 */
 	u_int16_t generator;
 };
 
@@ -71,27 +71,27 @@ struct private_openssl_diffie_hellman_t {
 	 * Public openssl_diffie_hellman_t interface.
 	 */
 	openssl_diffie_hellman_t public;
-	
+
 	/**
 	 * Diffie Hellman group number.
 	 */
 	u_int16_t group;
-	
+
 	/**
 	 * Diffie Hellman object
 	 */
 	DH *dh;
-	
+
 	/**
 	 * Other public value
 	 */
 	BIGNUM *pub_key;
-	
+
 	/**
 	 * Shared secret
 	 */
 	chunk_t shared_secret;
-	
+
 	/**
 	 * True if shared secret is computed
 	 */
@@ -123,7 +123,7 @@ static status_t get_shared_secret(private_openssl_diffie_hellman_t *this,
 	/* shared secret should requires a len according the DH group */
 	*secret = chunk_alloc(DH_size(this->dh));
 	memset(secret->ptr, 0, secret->len);
-	memcpy(secret->ptr + secret->len - this->shared_secret.len, 
+	memcpy(secret->ptr + secret->len - this->shared_secret.len,
 		   this->shared_secret.ptr, this->shared_secret.len);
 
 	return SUCCESS;
@@ -137,7 +137,7 @@ static void set_other_public_value(private_openssl_diffie_hellman_t *this,
 								   chunk_t value)
 {
 	int len;
-	
+
 	BN_bin2bn(value.ptr, value.len, this->pub_key);
 	chunk_clear(&this->shared_secret);
 	this->shared_secret.ptr = malloc(DH_size(this->dh));
@@ -167,10 +167,10 @@ static status_t set_modulus(private_openssl_diffie_hellman_t *this)
 {
 	int i;
 	bool ansi_x9_42;
-	
+
 	ansi_x9_42 = lib->settings->get_bool(lib->settings,
 										 "libstrongswan.dh_exponent_ansi_x9_42", TRUE);
-	
+
 	for (i = 0; i < (sizeof(modulus_entries) / sizeof(modulus_entry_t)); i++)
 	{
 		if (modulus_entries[i].group == this->group)
@@ -205,32 +205,32 @@ static void destroy(private_openssl_diffie_hellman_t *this)
 openssl_diffie_hellman_t *openssl_diffie_hellman_create(diffie_hellman_group_t group)
 {
 	private_openssl_diffie_hellman_t *this = malloc_thing(private_openssl_diffie_hellman_t);
-	
+
 	this->public.dh.get_shared_secret = (status_t (*)(diffie_hellman_t *, chunk_t *)) get_shared_secret;
 	this->public.dh.set_other_public_value = (void (*)(diffie_hellman_t *, chunk_t )) set_other_public_value;
 	this->public.dh.get_my_public_value = (void (*)(diffie_hellman_t *, chunk_t *)) get_my_public_value;
 	this->public.dh.get_dh_group = (diffie_hellman_group_t (*)(diffie_hellman_t *)) get_dh_group;
 	this->public.dh.destroy = (void (*)(diffie_hellman_t *)) destroy;
-	
+
 	this->dh = DH_new();
 	if (!this->dh)
 	{
 		free(this);
 		return NULL;
 	}
-	
+
 	this->group = group;
 	this->computed = FALSE;
 	this->pub_key = BN_new();
 	this->shared_secret = chunk_empty;
-	
+
 	/* find a modulus according to group */
 	if (set_modulus(this) != SUCCESS)
 	{
 		destroy(this);
 		return NULL;
 	}
-	
+
 	/* generate my public and private values */
 	if (!DH_generate_key(this->dh))
 	{
@@ -238,6 +238,6 @@ openssl_diffie_hellman_t *openssl_diffie_hellman_create(diffie_hellman_group_t g
 		return NULL;
 	}
 	DBG2("size of DH secret exponent: %d bits", BN_num_bits(this->dh->priv_key));
-	
+
 	return &this->public;
 }
diff --git a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.h b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.h
index bdc153812..6c4b4fe81 100644
--- a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.h
+++ b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.h
@@ -29,7 +29,7 @@ typedef struct openssl_diffie_hellman_t openssl_diffie_hellman_t;
  * Implementation of the Diffie-Hellman algorithm using OpenSSL.
  */
 struct openssl_diffie_hellman_t {
-	
+
 	/**
 	 * Implements diffie_hellman_t interface.
 	 */
@@ -38,7 +38,7 @@ struct openssl_diffie_hellman_t {
 
 /**
  * Creates a new openssl_diffie_hellman_t object.
- * 
+ *
  * @param group			Diffie Hellman group number to use
  * @return				openssl_diffie_hellman_t object, NULL if not supported
  */
diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
index 082aed9ca..671fa41e2 100644
--- a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
+++ b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
@@ -31,27 +31,27 @@ struct private_openssl_ec_diffie_hellman_t {
 	 * Public openssl_ec_diffie_hellman_t interface.
 	 */
 	openssl_ec_diffie_hellman_t public;
-	
+
 	/**
 	 * Diffie Hellman group number.
 	 */
 	u_int16_t group;
-	
+
 	/**
 	 * EC private (public) key
 	 */
 	EC_KEY *key;
-	
+
 	/**
 	 * EC group
 	 */
 	const EC_GROUP *ec_group;
-	
+
 	/**
 	 * Other public key
 	 */
 	EC_POINT *pub_key;
-	
+
 	/**
 	 * Shared secret
 	 */
@@ -72,13 +72,13 @@ static bool chunk2ecp(const EC_GROUP *group, chunk_t chunk, EC_POINT *point)
 	BN_CTX *ctx;
 	BIGNUM *x, *y;
 	bool ret = FALSE;
-	
+
 	ctx = BN_CTX_new();
 	if (!ctx)
 	{
 		return FALSE;
 	}
-	
+
 	BN_CTX_start(ctx);
 	x = BN_CTX_get(ctx);
 	y = BN_CTX_get(ctx);
@@ -86,17 +86,17 @@ static bool chunk2ecp(const EC_GROUP *group, chunk_t chunk, EC_POINT *point)
 	{
 		goto error;
 	}
-	
+
 	if (!openssl_bn_split(chunk, x, y))
 	{
 		goto error;
 	}
-	
+
 	if (!EC_POINT_set_affine_coordinates_GFp(group, point, x, y, ctx))
 	{
 		goto error;
 	}
-	
+
 	ret = TRUE;
 error:
 	BN_CTX_end(ctx);
@@ -114,13 +114,13 @@ static bool ecp2chunk(const EC_GROUP *group, const EC_POINT *point,
 	BN_CTX *ctx;
 	BIGNUM *x, *y;
 	bool ret = FALSE;
-	
+
 	ctx = BN_CTX_new();
 	if (!ctx)
 	{
 		return FALSE;
 	}
-	
+
 	BN_CTX_start(ctx);
 	x = BN_CTX_get(ctx);
 	y = BN_CTX_get(ctx);
@@ -128,12 +128,12 @@ static bool ecp2chunk(const EC_GROUP *group, const EC_POINT *point,
 	{
 		goto error;
 	}
-	
+
 	if (!EC_POINT_get_affine_coordinates_GFp(group, point, x, y, ctx))
 	{
 		goto error;
 	}
-	
+
 	if (x_coordinate_only)
 	{
 		y = NULL;
@@ -142,7 +142,7 @@ static bool ecp2chunk(const EC_GROUP *group, const EC_POINT *point,
 	{
 		goto error;
 	}
-	
+
 	ret = TRUE;
 error:
 	BN_CTX_end(ctx);
@@ -152,7 +152,7 @@ error:
 
 /**
  * Compute the shared secret.
- * 
+ *
  * We cannot use the function ECDH_compute_key() because that returns only the
  * x coordinate of the shared secret point (which is defined, for instance, in
  * 'NIST SP 800-56A').
@@ -166,13 +166,13 @@ static bool compute_shared_key(private_openssl_ec_diffie_hellman_t *this, chunk_
 	const BIGNUM *priv_key;
 	EC_POINT *secret = NULL;
 	bool x_coordinate_only, ret = FALSE;
-	
+
 	priv_key = EC_KEY_get0_private_key(this->key);
 	if (!priv_key)
 	{
 		goto error;
 	}
-	
+
 	secret = EC_POINT_new(this->ec_group);
 	if (!secret)
 	{
@@ -183,7 +183,7 @@ static bool compute_shared_key(private_openssl_ec_diffie_hellman_t *this, chunk_
 	{
 		goto error;
 	}
-	
+
 	/*
 	 * The default setting ecp_x_coordinate_only = TRUE
 	 * applies the following errata for RFC 4753:
@@ -195,7 +195,7 @@ static bool compute_shared_key(private_openssl_ec_diffie_hellman_t *this, chunk_
 	{
 		goto error;
 	}
-	
+
 	ret = TRUE;
 error:
 	if (secret)
@@ -215,14 +215,14 @@ static void set_other_public_value(private_openssl_ec_diffie_hellman_t *this, ch
 		DBG1("ECDH public value is malformed");
 		return;
 	}
-	
+
 	chunk_free(&this->shared_secret);
-	
+
 	if (!compute_shared_key(this, &this->shared_secret)) {
 		DBG1("ECDH shared secret computation failed");
 		return;
 	}
-	
+
 	this->computed = TRUE;
 }
 
@@ -272,13 +272,13 @@ static void destroy(private_openssl_ec_diffie_hellman_t *this)
 openssl_ec_diffie_hellman_t *openssl_ec_diffie_hellman_create(diffie_hellman_group_t group)
 {
 	private_openssl_ec_diffie_hellman_t *this = malloc_thing(private_openssl_ec_diffie_hellman_t);
-	
+
 	this->public.dh.get_shared_secret = (status_t (*)(diffie_hellman_t *, chunk_t *)) get_shared_secret;
 	this->public.dh.set_other_public_value = (void (*)(diffie_hellman_t *, chunk_t )) set_other_public_value;
 	this->public.dh.get_my_public_value = (void (*)(diffie_hellman_t *, chunk_t *)) get_my_public_value;
 	this->public.dh.get_dh_group = (diffie_hellman_group_t (*)(diffie_hellman_t *)) get_dh_group;
 	this->public.dh.destroy = (void (*)(diffie_hellman_t *)) destroy;
-	
+
 	switch (group)
 	{
 		case ECP_192_BIT:
@@ -300,34 +300,34 @@ openssl_ec_diffie_hellman_t *openssl_ec_diffie_hellman_create(diffie_hellman_gro
 			this->key = NULL;
 			break;
 	}
-	
+
 	if (!this->key)
 	{
 		free(this);
 		return NULL;
 	}
-	
+
 	/* caching the EC group */
 	this->ec_group = EC_KEY_get0_group(this->key);
-	
+
 	this->pub_key = EC_POINT_new(this->ec_group);
 	if (!this->pub_key)
 	{
 		free(this);
 		return NULL;
 	}
-	
+
 	/* generate an EC private (public) key */
 	if (!EC_KEY_generate_key(this->key))
 	{
 		free(this);
 		return NULL;
 	}
-	
+
 	this->group = group;
 	this->computed = FALSE;
-	
+
 	this->shared_secret = chunk_empty;
-	
+
 	return &this->public;
 }
diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.h b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.h
index 9d17aed57..fd60732b9 100644
--- a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.h
+++ b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.h
@@ -29,7 +29,7 @@ typedef struct openssl_ec_diffie_hellman_t openssl_ec_diffie_hellman_t;
  * Implementation of the EC Diffie-Hellman algorithm using OpenSSL.
  */
 struct openssl_ec_diffie_hellman_t {
-	
+
 	/**
 	 * Implements diffie_hellman_t interface.
 	 */
@@ -38,7 +38,7 @@ struct openssl_ec_diffie_hellman_t {
 
 /**
  * Creates a new openssl_ec_diffie_hellman_t object.
- * 
+ *
  * @param group			EC Diffie Hellman group number to use
  * @return				openssl_ec_diffie_hellman_t object, NULL if not supported
  */
diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c b/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c
index d6b442ae9..89ced5a9a 100644
--- a/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2009 Martin Willi
  * Copyright (C) 2008 Tobias Brunner
  * Hochschule fuer Technik Rapperswil
  *
@@ -21,6 +22,7 @@
 
 #include <openssl/evp.h>
 #include <openssl/ecdsa.h>
+#include <openssl/x509.h>
 
 typedef struct private_openssl_ec_private_key_t private_openssl_ec_private_key_t;
 
@@ -32,175 +34,138 @@ struct private_openssl_ec_private_key_t {
 	 * Public interface for this signer.
 	 */
 	openssl_ec_private_key_t public;
-	
+
 	/**
 	 * EC key object
 	 */
 	EC_KEY *ec;
 
-	/**
-	 * Keyid formed as a SHA-1 hash of a privateKey object
-	 */
-	identification_t* keyid;
-
-	/**
-	 * Keyid formed as a SHA-1 hash of a privateKeyInfo object
-	 */
-	identification_t* keyid_info;
-	
 	/**
 	 * reference count
 	 */
-	refcount_t ref;	
+	refcount_t ref;
 };
 
-/**
- * Mapping from the signature scheme defined in (RFC 4754) to the elliptic
- * curve and the hash algorithm
- */
-typedef struct {
-	/**
-	 * Scheme specified in RFC 4754
-	 */
-	int scheme;
-	
-	/**
-	 * NID of the hash
-	 */
-	int hash;
-	
-	/**
-	 * NID of the curve
-	 */
-	int curve;
-} openssl_ecdsa_scheme_t;
-
-#define END_OF_LIST -1
+/* from ec public key */
+bool openssl_ec_fingerprint(EC_KEY *ec, key_encoding_type_t type, chunk_t *fp);
 
 /**
- * Signature schemes
+ * Build a signature as in RFC 4754
  */
-static openssl_ecdsa_scheme_t ecdsa_schemes[] = {
-	{SIGN_ECDSA_256, NID_sha256, NID_X9_62_prime256v1},
-	{SIGN_ECDSA_384, NID_sha384, NID_secp384r1},
-	{SIGN_ECDSA_521, NID_sha512, NID_secp521r1},
-	{END_OF_LIST,    0,          0},
-};
-
-/**
- * Look up the hash and curve of a signature scheme
- */
-static bool lookup_scheme(int scheme, int *hash, int *curve)
+static bool build_signature(private_openssl_ec_private_key_t *this,
+							chunk_t hash, chunk_t *signature)
 {
-	openssl_ecdsa_scheme_t *ecdsa_scheme = ecdsa_schemes;
-	while (ecdsa_scheme->scheme != END_OF_LIST)
+	bool built = FALSE;
+	ECDSA_SIG *sig;
+
+	sig = ECDSA_do_sign(hash.ptr, hash.len, this->ec);
+	if (sig)
 	{
-		if (scheme == ecdsa_scheme->scheme)
-		{
-			*hash = ecdsa_scheme->hash;
-			*curve = ecdsa_scheme->curve;
-			return TRUE;
-		}
-		ecdsa_scheme++;
+		/* concatenate BNs r/s to a signature chunk */
+		built = openssl_bn_cat(EC_FIELD_ELEMENT_LEN(EC_KEY_get0_group(this->ec)),
+							   sig->r, sig->s, signature);
+		ECDSA_SIG_free(sig);
 	}
-	return FALSE;
-}
-
-/**
- * shared functions, implemented in openssl_ec_public_key.c
- */
-bool openssl_ec_public_key_build_id(EC_KEY *ec, identification_t **keyid,
-								 identification_t **keyid_info);
-
-openssl_ec_public_key_t *openssl_ec_public_key_create_from_private_key(EC_KEY *ec);
-
-
-/**
- * Convert an ECDSA_SIG to a chunk by concatenating r and s.
- * This function allocates memory for the chunk.
- */
-static bool sig2chunk(const EC_GROUP *group, ECDSA_SIG *sig, chunk_t *chunk)
-{
-	return openssl_bn_cat(EC_FIELD_ELEMENT_LEN(group), sig->r, sig->s, chunk);
+	return built;
 }
 
 /**
- * Build the signature
+ * Build a RFC 4754 signature for a specified curve and hash algorithm
  */
-static bool build_signature(private_openssl_ec_private_key_t *this,
-							chunk_t hash, chunk_t *signature)
+static bool build_curve_signature(private_openssl_ec_private_key_t *this,
+								signature_scheme_t scheme, int nid_hash,
+								int nid_curve, chunk_t data, chunk_t *signature)
 {
-	ECDSA_SIG *sig = ECDSA_do_sign(hash.ptr, hash.len, this->ec);
-	bool success;
+	const EC_GROUP *my_group;
+	EC_GROUP *req_group;
+	chunk_t hash;
+	bool built;
 
-	if (!sig)
+	req_group = EC_GROUP_new_by_curve_name(nid_curve);
+	if (!req_group)
+	{
+		DBG1("signature scheme %N not supported in EC (required curve "
+			 "not supported)", signature_scheme_names, scheme);
+		return FALSE;
+	}
+	my_group = EC_KEY_get0_group(this->ec);
+	if (EC_GROUP_cmp(my_group, req_group, NULL) != 0)
+	{
+		DBG1("signature scheme %N not supported by private key",
+			 signature_scheme_names, scheme);
+		return FALSE;
+	}
+	EC_GROUP_free(req_group);
+	if (!openssl_hash_chunk(nid_hash, data, &hash))
 	{
 		return FALSE;
 	}
-	success = sig2chunk(EC_KEY_get0_group(this->ec), sig, signature);
-	ECDSA_SIG_free(sig);
-	return success;
+	built = build_signature(this, hash, signature);
+	chunk_free(&hash);
+	return built;
 }
 
 /**
- * Implementation of private_key_t.get_type.
+ * Build a DER encoded signature as in RFC 3279
  */
-static key_type_t get_type(private_openssl_ec_private_key_t *this)
+static bool build_der_signature(private_openssl_ec_private_key_t *this,
+								int hash_nid, chunk_t data, chunk_t *signature)
 {
-	return KEY_ECDSA;
+	chunk_t hash, sig;
+	int siglen = 0;
+	bool built;
+
+	if (!openssl_hash_chunk(hash_nid, data, &hash))
+	{
+		return FALSE;
+	}
+	sig = chunk_alloc(ECDSA_size(this->ec));
+	built = ECDSA_sign(0, hash.ptr, hash.len, sig.ptr, &siglen, this->ec) == 1;
+	sig.len = siglen;
+	if (built)
+	{
+		*signature = sig;
+	}
+	else
+	{
+		free(sig.ptr);
+	}
+	free(hash.ptr);
+	return built;
 }
 
 /**
  * Implementation of private_key_t.sign.
  */
-static bool sign(private_openssl_ec_private_key_t *this, signature_scheme_t scheme, 
-				 chunk_t data, chunk_t *signature)
+static bool sign(private_openssl_ec_private_key_t *this,
+				 signature_scheme_t scheme, chunk_t data, chunk_t *signature)
 {
-	bool success;
-
-	if (scheme == SIGN_ECDSA_WITH_NULL)
+	switch (scheme)
 	{
-		success = build_signature(this, data, signature);
-	}
-	else
-	{
-		EC_GROUP *req_group;
-		const EC_GROUP *my_group;
-		chunk_t hash = chunk_empty;
-		int hash_type, curve;
-
-		if (!lookup_scheme(scheme, &hash_type, &curve))
-		{
-			DBG1("signature scheme %N not supported in EC",
-					 signature_scheme_names, scheme);
-			return FALSE;
-		}
-	
-		req_group = EC_GROUP_new_by_curve_name(curve);
-		if (!req_group)
-		{
-			DBG1("signature scheme %N not supported in EC (required curve not supported)",
-					 signature_scheme_names, scheme);
-			return FALSE;
-		}
-	
-		my_group = EC_KEY_get0_group(this->ec);
-		if (EC_GROUP_cmp(my_group, req_group, NULL) != 0)
-		{
-			DBG1("signature scheme %N not supported by private key",
-					 signature_scheme_names, scheme);
-			return FALSE;
-		}
-		EC_GROUP_free(req_group);
-
-		if (!openssl_hash_chunk(hash_type, data, &hash))
-		{
+		case SIGN_ECDSA_WITH_NULL:
+			return build_signature(this, data, signature);
+		case SIGN_ECDSA_WITH_SHA1_DER:
+			return build_der_signature(this, NID_sha1, data, signature);
+		case SIGN_ECDSA_WITH_SHA256_DER:
+			return build_der_signature(this, NID_sha256, data, signature);
+		case SIGN_ECDSA_WITH_SHA384_DER:
+			return build_der_signature(this, NID_sha384, data, signature);
+		case SIGN_ECDSA_WITH_SHA512_DER:
+			return build_der_signature(this, NID_sha512, data, signature);
+		case SIGN_ECDSA_256:
+			return build_curve_signature(this, scheme, NID_sha256,
+										 NID_X9_62_prime256v1, data, signature);
+		case SIGN_ECDSA_384:
+			return build_curve_signature(this, scheme, NID_sha384,
+										 NID_secp384r1, data, signature);
+		case SIGN_ECDSA_521:
+			return build_curve_signature(this, scheme, NID_sha512,
+										 NID_secp521r1, data, signature);
+		default:
+			DBG1("signature scheme %N not supported",
+				 signature_scheme_names, scheme);
 			return FALSE;
-		}
-		success = build_signature(this, hash, signature);
-		chunk_free(&hash);
-	}	
-	return success;
+	}
 }
 
 /**
@@ -222,73 +187,70 @@ static size_t get_keysize(private_openssl_ec_private_key_t *this)
 }
 
 /**
- * Implementation of private_key_t.get_id.
+ * Implementation of private_key_t.get_type.
  */
-static identification_t* get_id(private_openssl_ec_private_key_t *this,
-								id_type_t type)
+static key_type_t get_type(private_openssl_ec_private_key_t *this)
 {
-	switch (type)
-	{
-		case ID_PUBKEY_INFO_SHA1:
-			return this->keyid_info;
-		case ID_PUBKEY_SHA1:
-			return this->keyid;
-		default:
-			return NULL;
-	}
+	return KEY_ECDSA;
 }
 
 /**
  * Implementation of private_key_t.get_public_key.
  */
-static openssl_ec_public_key_t* get_public_key(private_openssl_ec_private_key_t *this)
+static public_key_t* get_public_key(private_openssl_ec_private_key_t *this)
 {
-	return openssl_ec_public_key_create_from_private_key(this->ec);
+	public_key_t *public;
+	chunk_t key;
+	u_char *p;
+
+	key = chunk_alloc(i2d_EC_PUBKEY(this->ec, NULL));
+	p = key.ptr;
+	i2d_EC_PUBKEY(this->ec, &p);
+
+	public = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ECDSA,
+								BUILD_BLOB_ASN1_DER, key, BUILD_END);
+	free(key.ptr);
+	return public;
 }
 
 /**
- * Implementation of private_key_t.belongs_to.
+ * Implementation of private_key_t.get_fingerprint.
  */
-static bool belongs_to(private_openssl_ec_private_key_t *this, public_key_t *public)
+static bool get_fingerprint(private_openssl_ec_private_key_t *this,
+							key_encoding_type_t type, chunk_t *fingerprint)
 {
-	identification_t *keyid;
-
-	if (public->get_type(public) != KEY_ECDSA)
-	{
-		return FALSE;
-	}
-	keyid = public->get_id(public, ID_PUBKEY_SHA1);
-	if (keyid && keyid->equals(keyid, this->keyid))
-	{
-		return TRUE;
-	}
-	keyid = public->get_id(public, ID_PUBKEY_INFO_SHA1);
-	if (keyid && keyid->equals(keyid, this->keyid_info))
-	{
-		return TRUE;
-	}
-	return FALSE;
+	return openssl_ec_fingerprint(this->ec, type, fingerprint);
 }
 
 /**
  * Implementation of private_key_t.get_encoding.
  */
-static chunk_t get_encoding(private_openssl_ec_private_key_t *this)
+static bool get_encoding(private_openssl_ec_private_key_t *this,
+						 key_encoding_type_t type, chunk_t *encoding)
 {
-	chunk_t enc = chunk_alloc(i2d_ECPrivateKey(this->ec, NULL));
-	u_char *p = enc.ptr;
-	i2d_ECPrivateKey(this->ec, &p);
-	return enc;
+	u_char *p;
+
+	switch (type)
+	{
+		case KEY_PRIV_ASN1_DER:
+		{
+			*encoding = chunk_alloc(i2d_ECPrivateKey(this->ec, NULL));
+			p = encoding->ptr;
+			i2d_ECPrivateKey(this->ec, &p);
+			return TRUE;
+		}
+		default:
+			return FALSE;
+	}
 }
 
 /**
  * Implementation of private_key_t.get_ref.
  */
-static private_openssl_ec_private_key_t* get_ref(private_openssl_ec_private_key_t *this)
+static private_key_t* get_ref(private_openssl_ec_private_key_t *this)
 {
 	ref_get(&this->ref);
-	return this;
-
+	return &this->public.interface;
 }
 
 /**
@@ -300,10 +262,9 @@ static void destroy(private_openssl_ec_private_key_t *this)
 	{
 		if (this->ec)
 		{
+			lib->encoding->clear_cache(lib->encoding, this->ec);
 			EC_KEY_free(this->ec);
 		}
-		DESTROY_IF(this->keyid);
-		DESTROY_IF(this->keyid_info);
 		free(this);
 	}
 }
@@ -311,133 +272,121 @@ static void destroy(private_openssl_ec_private_key_t *this)
 /**
  * Internal generic constructor
  */
-static private_openssl_ec_private_key_t *openssl_ec_private_key_create_empty(void)
+static private_openssl_ec_private_key_t *create_empty(void)
 {
 	private_openssl_ec_private_key_t *this = malloc_thing(private_openssl_ec_private_key_t);
-	
+
 	this->public.interface.get_type = (key_type_t (*)(private_key_t *this))get_type;
 	this->public.interface.sign = (bool (*)(private_key_t *this, signature_scheme_t scheme, chunk_t data, chunk_t *signature))sign;
 	this->public.interface.decrypt = (bool (*)(private_key_t *this, chunk_t crypto, chunk_t *plain))decrypt;
 	this->public.interface.get_keysize = (size_t (*) (private_key_t *this))get_keysize;
-	this->public.interface.get_id = (identification_t* (*) (private_key_t *this,id_type_t))get_id;
 	this->public.interface.get_public_key = (public_key_t* (*)(private_key_t *this))get_public_key;
-	this->public.interface.belongs_to = (bool (*) (private_key_t *this, public_key_t *public))belongs_to;
-	this->public.interface.get_encoding = (chunk_t(*)(private_key_t*))get_encoding;
+	this->public.interface.equals = private_key_equals;
+	this->public.interface.belongs_to = private_key_belongs_to;
+	this->public.interface.get_fingerprint = (bool(*)(private_key_t*, key_encoding_type_t type, chunk_t *fp))get_fingerprint;
+	this->public.interface.has_fingerprint = (bool(*)(private_key_t*, chunk_t fp))private_key_has_fingerprint;
+	this->public.interface.get_encoding = (bool(*)(private_key_t*, key_encoding_type_t type, chunk_t *encoding))get_encoding;
 	this->public.interface.get_ref = (private_key_t* (*)(private_key_t *this))get_ref;
 	this->public.interface.destroy = (void (*)(private_key_t *this))destroy;
-	
+
 	this->ec = NULL;
-	this->keyid = NULL;
-	this->keyid_info = NULL;
 	this->ref = 1;
-	
+
 	return this;
 }
 
 /**
- * load private key from an ASN1 encoded blob
+ * See header.
  */
-static openssl_ec_private_key_t *load(chunk_t blob)
+openssl_ec_private_key_t *openssl_ec_private_key_gen(key_type_t type,
+													 va_list args)
 {
-	u_char *p = blob.ptr;
-	private_openssl_ec_private_key_t *this = openssl_ec_private_key_create_empty();
-	
-	this->ec = d2i_ECPrivateKey(NULL, (const u_char**)&p, blob.len);
-	
-	chunk_clear(&blob);
+	private_openssl_ec_private_key_t *this;
+	u_int key_size = 0;
 
-	if (!this->ec)
+	while (TRUE)
 	{
-		destroy(this);
-		return NULL;
+		switch (va_arg(args, builder_part_t))
+		{
+			case BUILD_KEY_SIZE:
+				key_size = va_arg(args, u_int);
+				continue;
+			case BUILD_END:
+				break;
+			default:
+				return NULL;
+		}
+		break;
 	}
-	
-	if (!openssl_ec_public_key_build_id(this->ec, &this->keyid, &this->keyid_info))
+	if (!key_size)
 	{
-		destroy(this);
 		return NULL;
 	}
-	
-	if (!EC_KEY_check_key(this->ec))
+	this = create_empty();
+	switch (key_size)
+	{
+		case 256:
+			this->ec = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
+			break;
+		case 384:
+			this->ec = EC_KEY_new_by_curve_name(NID_secp384r1);
+			break;
+		case 521:
+			this->ec = EC_KEY_new_by_curve_name(NID_secp521r1);
+			break;
+		default:
+			DBG1("EC private key size %d not supported", key_size);
+			destroy(this);
+			return NULL;
+	}
+	if (EC_KEY_generate_key(this->ec) != 1)
 	{
+		DBG1("EC private key generation failed", key_size);
 		destroy(this);
 		return NULL;
 	}
-	
+	/* encode as a named curve key (no parameters), uncompressed public key */
+	EC_KEY_set_asn1_flag(this->ec, OPENSSL_EC_NAMED_CURVE);
+	EC_KEY_set_conv_form(this->ec, POINT_CONVERSION_UNCOMPRESSED);
 	return &this->public;
 }
 
-typedef struct private_builder_t private_builder_t;
-/**
- * Builder implementation for key loading/generation
- */
-struct private_builder_t {
-	/** implements the builder interface */
-	builder_t public;
-	/** loaded/generated private key */
-	openssl_ec_private_key_t *key;
-};
-
 /**
- * Implementation of builder_t.build
+ * See header.
  */
-static openssl_ec_private_key_t *build(private_builder_t *this)
+openssl_ec_private_key_t *openssl_ec_private_key_load(key_type_t type,
+													  va_list args)
 {
-	openssl_ec_private_key_t *key = this->key;
-	
-	free(this);
-	return key;
-}
+	private_openssl_ec_private_key_t *this;
+	chunk_t blob = chunk_empty;
 
-/**
- * Implementation of builder_t.add
- */
-static void add(private_builder_t *this, builder_part_t part, ...)
-{
-	if (!this->key)
+	while (TRUE)
 	{
-		va_list args;
-		chunk_t chunk;
-		
-		switch (part)
+		switch (va_arg(args, builder_part_t))
 		{
 			case BUILD_BLOB_ASN1_DER:
-			{
-				va_start(args, part);
-				chunk = va_arg(args, chunk_t);
-				this->key = load(chunk_clone(chunk));
-				va_end(args);
-				return;
-			}
-			default:
+				blob = va_arg(args, chunk_t);
+				continue;
+			case BUILD_END:
 				break;
+			default:
+				return NULL;
 		}
+		break;
 	}
-	if (this->key)
+
+	this = create_empty();
+	this->ec = d2i_ECPrivateKey(NULL, (const u_char**)&blob.ptr, blob.len);
+	if (!this->ec)
 	{
-		destroy((private_openssl_ec_private_key_t*)this->key);
+		destroy(this);
+		return NULL;
 	}
-	builder_cancel(&this->public);
-}
-
-/**
- * Builder construction function
- */
-builder_t *openssl_ec_private_key_builder(key_type_t type)
-{
-	private_builder_t *this;
-	
-	if (type != KEY_ECDSA)
+	if (!EC_KEY_check_key(this->ec))
 	{
+		destroy(this);
 		return NULL;
 	}
-	
-	this = malloc_thing(private_builder_t);
-	
-	this->key = NULL;
-	this->public.add = (void(*)(builder_t *this, builder_part_t part, ...))add;
-	this->public.build = (void*(*)(builder_t *this))build;
-	
 	return &this->public;
 }
 
diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_private_key.h b/src/libstrongswan/plugins/openssl/openssl_ec_private_key.h
index 6a6f7c867..720c63f90 100644
--- a/src/libstrongswan/plugins/openssl/openssl_ec_private_key.h
+++ b/src/libstrongswan/plugins/openssl/openssl_ec_private_key.h
@@ -21,6 +21,7 @@
 #ifndef OPENSSL_EC_PRIVATE_KEY_H_
 #define OPENSSL_EC_PRIVATE_KEY_H_
 
+#include <credentials/builder.h>
 #include <credentials/keys/private_key.h>
 
 typedef struct openssl_ec_private_key_t openssl_ec_private_key_t;
@@ -37,11 +38,27 @@ struct openssl_ec_private_key_t {
 };
 
 /**
- * Create the builder for a private key.
+ * Generate a ECDSA private key using OpenSSL.
+ *
+ * Accepts the BUILD_KEY_SIZE argument.
+ *
+ * @param type		type of the key, must be KEY_ECDSA
+ * @param args		builder_part_t argument list
+ * @return 			generated key, NULL on failure
+ */
+openssl_ec_private_key_t *openssl_ec_private_key_gen(key_type_t type,
+													 va_list args);
+
+/**
+ * Load a ECDSA private key using OpenSSL.
+ *
+ * Accepts a BUILD_BLOB_ASN1_DER argument.
  *
  * @param type		type of the key, must be KEY_ECDSA
- * @return 			builder instance
+ * @param args		builder_part_t argument list
+ * @return 			loaded key, NULL on failure
  */
-builder_t *openssl_ec_private_key_builder(key_type_t type);
+openssl_ec_private_key_t *openssl_ec_private_key_load(key_type_t type,
+													  va_list args);
 
 #endif /** OPENSSL_EC_PRIVATE_KEY_H_ @}*/
diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c b/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c
index 635a106dd..f37c736b1 100644
--- a/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2009 Martin Willi
  * Copyright (C) 2008 Tobias Brunner
  * Hochschule fuer Technik Rapperswil
  *
@@ -32,122 +33,96 @@ struct private_openssl_ec_public_key_t {
 	 * Public interface for this signer.
 	 */
 	openssl_ec_public_key_t public;
-	
+
 	/**
 	 * EC key object
 	 */
 	EC_KEY *ec;
-	
-	/**
-	 * Keyid formed as a SHA-1 hash of a publicKeyInfo object
-	 */
-	identification_t *keyid_info;
-	
-	/**
-	 * Keyid formed as a SHA-1 hash of a publicKey object
-	 */
-	identification_t *keyid;
-	
+
 	/**
 	 * reference counter
 	 */
 	refcount_t ref;
 };
 
-/**
- * Convert a chunk to an ECDSA_SIG (which must already exist). r and s
- * of the signature have to be concatenated in the chunk.
- */
-static bool chunk2sig(const EC_GROUP *group, chunk_t chunk, ECDSA_SIG *sig)
-{
-	return openssl_bn_split(chunk, sig->r, sig->s);
-}
-
 /**
  * Verification of a signature as in RFC 4754
  */
 static bool verify_signature(private_openssl_ec_public_key_t *this,
-								int hash_type, chunk_t data, chunk_t signature)
+							 chunk_t hash, chunk_t signature)
 {
-	chunk_t hash = chunk_empty;
-	ECDSA_SIG *sig;
 	bool valid = FALSE;
-	
-	if (hash_type == NID_undef)
-	{
-		hash = data;
-	}
-	else
+	ECDSA_SIG *sig;
+
+	sig = ECDSA_SIG_new();
+	if (sig)
 	{
-		if (!openssl_hash_chunk(hash_type, data, &hash))
+		/* split the signature chunk in r and s */
+		if (openssl_bn_split(signature, sig->r, sig->s))
 		{
-			return FALSE;
+			valid = (ECDSA_do_verify(hash.ptr, hash.len, sig, this->ec) == 1);
 		}
+		ECDSA_SIG_free(sig);
 	}
-	
-	sig = ECDSA_SIG_new();
-	if (!sig)
-	{
-		goto error;
-	}
-	
-	if (!chunk2sig(EC_KEY_get0_group(this->ec), signature, sig))
+	return valid;
+}
+
+/**
+ * Verify a RFC 4754 signature for a specified curve and hash algorithm
+ */
+static bool verify_curve_signature(private_openssl_ec_public_key_t *this,
+								signature_scheme_t scheme, int nid_hash,
+								int nid_curve, chunk_t data, chunk_t signature)
+{
+	const EC_GROUP *my_group;
+	EC_GROUP *req_group;
+	chunk_t hash;
+	bool valid;
+
+	req_group = EC_GROUP_new_by_curve_name(nid_curve);
+	if (!req_group)
 	{
-		goto error;
+		DBG1("signature scheme %N not supported in EC (required curve "
+			 "not supported)", signature_scheme_names, scheme);
+		return FALSE;
 	}
-	valid = (ECDSA_do_verify(hash.ptr, hash.len, sig, this->ec) == 1);
-	
-error:
-	if (sig)
+	my_group = EC_KEY_get0_group(this->ec);
+	if (EC_GROUP_cmp(my_group, req_group, NULL) != 0)
 	{
-		ECDSA_SIG_free(sig);
+		DBG1("signature scheme %N not supported by private key",
+			 signature_scheme_names, scheme);
+		return FALSE;
 	}
-	if (hash_type != NID_undef)
+	EC_GROUP_free(req_group);
+	if (!openssl_hash_chunk(nid_hash, data, &hash))
 	{
-		chunk_free(&hash);
+		return FALSE;
 	}
+	valid = verify_signature(this, hash, signature);
+	chunk_free(&hash);
 	return valid;
 }
 
-
 /**
- * Verification of the default signature using SHA-1
+ * Verification of a DER encoded signature as in RFC 3279
  */
-static bool verify_default_signature(private_openssl_ec_public_key_t *this,
-								chunk_t data, chunk_t signature)
+static bool verify_der_signature(private_openssl_ec_public_key_t *this,
+								 int nid_hash, chunk_t data, chunk_t signature)
 {
+	chunk_t hash;
 	bool valid = FALSE;
-	chunk_t hash = chunk_empty;
-	u_char *p;
-	ECDSA_SIG *sig;
-	
+
 	/* remove any preceding 0-bytes from signature */
-	while (signature.len && *(signature.ptr) == 0x00)
-	{
-		signature.len -= 1;
-		signature.ptr++;
-	}
-	
-	p = signature.ptr;
-	sig = d2i_ECDSA_SIG(NULL, (const u_char**)&p, signature.len);
-	if (!sig)
-	{
-		return FALSE;
-	}
-	
-	if (!openssl_hash_chunk(NID_sha1, data, &hash))
+	while (signature.len && signature.ptr[0] == 0x00)
 	{
-		goto error;
+		signature = chunk_skip(signature, 1);
 	}
-	
-	valid = (ECDSA_do_verify(hash.ptr, hash.len, sig, this->ec) == 1);
-
-error:
-	if (sig)
+	if (openssl_hash_chunk(nid_hash, data, &hash))
 	{
-		ECDSA_SIG_free(sig);
+		valid = ECDSA_verify(0, hash.ptr, hash.len,
+							 signature.ptr, signature.len, this->ec);
+		free(hash.ptr);
 	}
-	chunk_free(&hash);
 	return valid;
 }
 
@@ -162,21 +137,30 @@ static key_type_t get_type(private_openssl_ec_public_key_t *this)
 /**
  * Implementation of public_key_t.verify.
  */
-static bool verify(private_openssl_ec_public_key_t *this, signature_scheme_t scheme, 
-				   chunk_t data, chunk_t signature)
+static bool verify(private_openssl_ec_public_key_t *this,
+				   signature_scheme_t scheme, chunk_t data, chunk_t signature)
 {
 	switch (scheme)
 	{
+		case SIGN_ECDSA_WITH_SHA1_DER:
+			return verify_der_signature(this, NID_sha1, data, signature);
+		case SIGN_ECDSA_WITH_SHA256_DER:
+			return verify_der_signature(this, NID_sha256, data, signature);
+		case SIGN_ECDSA_WITH_SHA384_DER:
+			return verify_der_signature(this, NID_sha384, data, signature);
+		case SIGN_ECDSA_WITH_SHA512_DER:
+			return verify_der_signature(this, NID_sha512, data, signature);
 		case SIGN_ECDSA_WITH_NULL:
-			return verify_signature(this, NID_undef, data, signature);
-		case SIGN_ECDSA_WITH_SHA1:
-			return verify_default_signature(this, data, signature);
+			return verify_signature(this, data, signature);
 		case SIGN_ECDSA_256:
-			return verify_signature(this, NID_sha256, data, signature);
+			return verify_curve_signature(this, scheme, NID_sha256,
+										  NID_X9_62_prime256v1, data, signature);
 		case SIGN_ECDSA_384:
-			return verify_signature(this, NID_sha384, data, signature);
+			return verify_curve_signature(this, scheme, NID_sha384,
+										  NID_secp384r1, data, signature);
 		case SIGN_ECDSA_521:
-			return verify_signature(this, NID_sha512, data, signature);
+			return verify_curve_signature(this, scheme, NID_sha512,
+										  NID_secp521r1, data, signature);
 		default:
 			DBG1("signature scheme %N not supported in EC",
 				 signature_scheme_names, scheme);
@@ -187,7 +171,8 @@ static bool verify(private_openssl_ec_public_key_t *this, signature_scheme_t sch
 /**
  * Implementation of public_key_t.get_keysize.
  */
-static bool encrypt_(private_openssl_ec_public_key_t *this, chunk_t crypto, chunk_t *plain)
+static bool encrypt_(private_openssl_ec_public_key_t *this,
+					 chunk_t crypto, chunk_t *plain)
 {
 	DBG1("EC public key encryption not implemented");
 	return FALSE;
@@ -202,64 +187,85 @@ static size_t get_keysize(private_openssl_ec_public_key_t *this)
 }
 
 /**
- * Implementation of public_key_t.get_id.
+ * Calculate fingerprint from a EC_KEY, also used in ec private key.
  */
-static identification_t *get_id(private_openssl_ec_public_key_t *this,
-								id_type_t type)
+bool openssl_ec_fingerprint(EC_KEY *ec, key_encoding_type_t type, chunk_t *fp)
 {
+	hasher_t *hasher;
+	chunk_t key;
+	u_char *p;
+
+	if (lib->encoding->get_cache(lib->encoding, type, ec, fp))
+	{
+		return TRUE;
+	}
 	switch (type)
 	{
-		case ID_PUBKEY_INFO_SHA1:
-			return this->keyid_info;
-		case ID_PUBKEY_SHA1:
-			return this->keyid;
+		case KEY_ID_PUBKEY_SHA1:
+			key = chunk_alloc(i2o_ECPublicKey(ec, NULL));
+			p = key.ptr;
+			i2o_ECPublicKey(ec, &p);
+			break;
+		case KEY_ID_PUBKEY_INFO_SHA1:
+			key = chunk_alloc(i2d_EC_PUBKEY(ec, NULL));
+			p = key.ptr;
+			i2d_EC_PUBKEY(ec, &p);
+			break;
 		default:
-			return NULL;
+			return FALSE;
+	}
+	hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
+	if (!hasher)
+	{
+		DBG1("SHA1 hash algorithm not supported, fingerprinting failed");
+		free(key.ptr);
+		return FALSE;
 	}
+	hasher->allocate_hash(hasher, key, fp);
+	hasher->destroy(hasher);
+	free(key.ptr);
+	lib->encoding->cache(lib->encoding, type, ec, *fp);
+	return TRUE;
 }
 
 /**
- * Encodes the public key
- */ 
-static chunk_t get_encoding_raw(EC_KEY *ec)
+ * Implementation of private_key_t.get_fingerprint.
+ */
+static bool get_fingerprint(private_openssl_ec_public_key_t *this,
+							key_encoding_type_t type, chunk_t *fingerprint)
 {
-	/* since the points can be stored in three different forms this may not
-	 * be correct for all cases */
-	const EC_GROUP *group = EC_KEY_get0_group(ec);
-	const EC_POINT *pub = EC_KEY_get0_public_key(ec);
-	chunk_t enc = chunk_alloc(EC_POINT_point2oct(group, pub,
-						POINT_CONVERSION_UNCOMPRESSED, NULL, 0, NULL));
-	EC_POINT_point2oct(group, pub, POINT_CONVERSION_UNCOMPRESSED,
-						enc.ptr, enc.len, NULL);
-	return enc;	
+	return openssl_ec_fingerprint(this->ec, type, fingerprint);
 }
 
 /**
- * Encodes the public key info (public key with ec parameters)
- */ 
-static chunk_t get_encoding_full(EC_KEY *ec)
-{
-	chunk_t enc = chunk_alloc(i2d_EC_PUBKEY(ec, NULL));
-	u_char *p = enc.ptr;
-	i2d_EC_PUBKEY(ec, &p);
-	return enc;
-}
-
-/*
- * Implementation of public_key_t.get_encoding.
+ * Implementation of private_key_t.get_encoding.
  */
-static chunk_t get_encoding(private_openssl_ec_public_key_t *this)
+static bool get_encoding(private_openssl_ec_public_key_t *this,
+						 key_encoding_type_t type, chunk_t *encoding)
 {
-	return get_encoding_full(this->ec);
+	u_char *p;
+
+	switch (type)
+	{
+		case KEY_PUB_SPKI_ASN1_DER:
+		{
+			*encoding = chunk_alloc(i2d_EC_PUBKEY(this->ec, NULL));
+			p = encoding->ptr;
+			i2d_EC_PUBKEY(this->ec, &p);
+			return TRUE;
+		}
+		default:
+			return FALSE;
+	}
 }
 
 /**
  * Implementation of public_key_t.get_ref.
  */
-static private_openssl_ec_public_key_t* get_ref(private_openssl_ec_public_key_t *this)
+static public_key_t* get_ref(private_openssl_ec_public_key_t *this)
 {
 	ref_get(&this->ref);
-	return this;
+	return &this->public.interface;
 }
 
 /**
@@ -271,10 +277,9 @@ static void destroy(private_openssl_ec_public_key_t *this)
 	{
 		if (this->ec)
 		{
+			lib->encoding->clear_cache(lib->encoding, this->ec);
 			EC_KEY_free(this->ec);
 		}
-		DESTROY_IF(this->keyid);
-		DESTROY_IF(this->keyid_info);
 		free(this);
 	}
 }
@@ -282,168 +287,62 @@ static void destroy(private_openssl_ec_public_key_t *this)
 /**
  * Generic private constructor
  */
-static private_openssl_ec_public_key_t *openssl_ec_public_key_create_empty()
+static private_openssl_ec_public_key_t *create_empty()
 {
 	private_openssl_ec_public_key_t *this = malloc_thing(private_openssl_ec_public_key_t);
-	
+
 	this->public.interface.get_type = (key_type_t (*)(public_key_t *this))get_type;
 	this->public.interface.verify = (bool (*)(public_key_t *this, signature_scheme_t scheme, chunk_t data, chunk_t signature))verify;
 	this->public.interface.encrypt = (bool (*)(public_key_t *this, chunk_t crypto, chunk_t *plain))encrypt_;
 	this->public.interface.get_keysize = (size_t (*) (public_key_t *this))get_keysize;
-	this->public.interface.get_id = (identification_t* (*) (public_key_t *this,id_type_t))get_id;
-	this->public.interface.get_encoding = (chunk_t(*)(public_key_t*))get_encoding;
+	this->public.interface.equals = public_key_equals;
+	this->public.interface.get_fingerprint = (bool(*)(public_key_t*, key_encoding_type_t type, chunk_t *fp))get_fingerprint;
+	this->public.interface.has_fingerprint = (bool(*)(public_key_t*, chunk_t fp))public_key_has_fingerprint;
+	this->public.interface.get_encoding = (bool(*)(public_key_t*, key_encoding_type_t type, chunk_t *encoding))get_encoding;
 	this->public.interface.get_ref = (public_key_t* (*)(public_key_t *this))get_ref;
 	this->public.interface.destroy = (void (*)(public_key_t *this))destroy;
-	
+
 	this->ec = NULL;
-	this->keyid = NULL;
-	this->keyid_info = NULL;
 	this->ref = 1;
-	
+
 	return this;
 }
 
 /**
- * Build key identifier from the public key using SHA1 hashed publicKey(Info).
- * Also used in openssl_ec_private_key.c.
+ * See header.
  */
-bool openssl_ec_public_key_build_id(EC_KEY *ec, identification_t **keyid,
-								 identification_t **keyid_info)
+openssl_ec_public_key_t *openssl_ec_public_key_load(key_type_t type,
+													va_list args)
 {
-	chunk_t publicKeyInfo, publicKey, hash;
-	hasher_t *hasher;
-	
-	hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
-	if (hasher == NULL)
-	{
-		DBG1("SHA1 hash algorithm not supported, unable to use EC");
-		return FALSE;
-	}
-	
-	publicKey = get_encoding_raw(ec);
-	
-	hasher->allocate_hash(hasher, publicKey, &hash);
-	*keyid = identification_create_from_encoding(ID_PUBKEY_SHA1, hash);
-	chunk_free(&hash);
-	
-	publicKeyInfo = get_encoding_full(ec);
-	
-	hasher->allocate_hash(hasher, publicKeyInfo, &hash);
-	*keyid_info = identification_create_from_encoding(ID_PUBKEY_INFO_SHA1, hash);
-	chunk_free(&hash);
-	
-	hasher->destroy(hasher);
-	chunk_free(&publicKeyInfo);
-	chunk_free(&publicKey);
-	
-	return TRUE;
-}
+	private_openssl_ec_public_key_t *this;
+	chunk_t blob = chunk_empty;
 
-/**
- * Load a public key from an ASN1 encoded blob
- */
-static openssl_ec_public_key_t *load(chunk_t blob)
-{
-	u_char *p = blob.ptr;
-	private_openssl_ec_public_key_t *this = openssl_ec_public_key_create_empty();
-	
-	this->ec = d2i_EC_PUBKEY(NULL, (const u_char**)&p, blob.len);
-	
-	chunk_clear(&blob);
-	
-	if (!this->ec)
+	if (type != KEY_ECDSA)
 	{
-		destroy(this);
 		return NULL;
 	}
-	
-	if (!openssl_ec_public_key_build_id(this->ec, &this->keyid, &this->keyid_info))
-	{
-		destroy(this);
-		return NULL;
-	}
-	return &this->public;
-}
-
-/**
- * Create a public key from BIGNUM values, used in openssl_ec_private_key.c
- */
-openssl_ec_public_key_t *openssl_ec_public_key_create_from_private_key(EC_KEY *ec)
-{
-	return (openssl_ec_public_key_t*)load(get_encoding_full(ec));
-}
-
-typedef struct private_builder_t private_builder_t;
-/**
- * Builder implementation for key loading
- */
-struct private_builder_t {
-	/** implements the builder interface */
-	builder_t public;
-	/** loaded public key */
-	openssl_ec_public_key_t *key;
-};
-
-/**
- * Implementation of builder_t.build
- */
-static openssl_ec_public_key_t *build(private_builder_t *this)
-{
-	openssl_ec_public_key_t *key = this->key;
-	
-	free(this);
-	return key;
-}
 
-/**
- * Implementation of builder_t.add
- */
-static void add(private_builder_t *this, builder_part_t part, ...)
-{
-	if (!this->key)
+	while (TRUE)
 	{
-		va_list args;
-		chunk_t chunk;
-	
-		switch (part)
+		switch (va_arg(args, builder_part_t))
 		{
 			case BUILD_BLOB_ASN1_DER:
-			{
-				va_start(args, part);
-				chunk = va_arg(args, chunk_t);
-				this->key = load(chunk_clone(chunk));
-				va_end(args);
-				return;
-			}
-			default:
+				blob = va_arg(args, chunk_t);
+				continue;
+			case BUILD_END:
 				break;
+			default:
+				return NULL;
 		}
+		break;
 	}
-	if (this->key)
-	{
-		destroy((private_openssl_ec_public_key_t*)this->key);
-	}
-	builder_cancel(&this->public);
-}
-
-/**
- * Builder construction function
- */
-builder_t *openssl_ec_public_key_builder(key_type_t type)
-{
-	private_builder_t *this;
-	
-	if (type != KEY_ECDSA)
+	this = create_empty();
+	this->ec = d2i_EC_PUBKEY(NULL, (const u_char**)&blob.ptr, blob.len);
+	if (!this->ec)
 	{
+		destroy(this);
 		return NULL;
 	}
-	
-	this = malloc_thing(private_builder_t);
-	
-	this->key = NULL;
-	this->public.add = (void(*)(builder_t *this, builder_part_t part, ...))add;
-	this->public.build = (void*(*)(builder_t *this))build;
-	
 	return &this->public;
 }
 
diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_public_key.h b/src/libstrongswan/plugins/openssl/openssl_ec_public_key.h
index bdbb2fe6e..29d607d38 100644
--- a/src/libstrongswan/plugins/openssl/openssl_ec_public_key.h
+++ b/src/libstrongswan/plugins/openssl/openssl_ec_public_key.h
@@ -23,6 +23,7 @@
 
 typedef struct openssl_ec_public_key_t openssl_ec_public_key_t;
 
+#include <credentials/builder.h>
 #include <credentials/keys/public_key.h>
 
 /**
@@ -37,11 +38,15 @@ struct openssl_ec_public_key_t {
 };
 
 /**
- * Create the builder for a public key.
+ * Load a ECDSA public key using OpenSSL.
+ *
+ * Accepts a BUILD_BLOB_ASN1_DER argument.
  *
  * @param type		type of the key, must be KEY_ECDSA
- * @return 			builder instance
+ * @param args		builder_part_t argument list
+ * @return 			loaded key, NULL on failure
  */
-builder_t *openssl_ec_public_key_builder(key_type_t type);
+openssl_ec_public_key_t *openssl_ec_public_key_load(key_type_t type,
+													va_list args);
 
 #endif /** OPENSSL_EC_PUBLIC_KEY_H_ @}*/
diff --git a/src/libstrongswan/plugins/openssl/openssl_hasher.c b/src/libstrongswan/plugins/openssl/openssl_hasher.c
index 90a5229d5..7556bc594 100644
--- a/src/libstrongswan/plugins/openssl/openssl_hasher.c
+++ b/src/libstrongswan/plugins/openssl/openssl_hasher.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2008 Tobias Brunner
- * Hochschule fuer Technik Rapperswil 
+ * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -23,19 +23,19 @@ typedef struct private_openssl_hasher_t private_openssl_hasher_t;
  * Private data of openssl_hasher_t
  */
 struct private_openssl_hasher_t {
-	
+
 	/**
 	 * Public part of this class.
 	 */
 	openssl_hasher_t public;
-	
+
 	/**
 	 * the hasher to use
 	 */
 	const EVP_MD *hasher;
-	
+
 	/**
-	 * the current digest context 
+	 * the current digest context
 	 */
 	EVP_MD_CTX *ctx;
 };
@@ -49,7 +49,7 @@ typedef struct {
 	 * Identifier specified in IKEv2
 	 */
 	int ikev2_id;
-	
+
 	/**
 	 * Name of the algorithm, as used in OpenSSL
 	 */
@@ -76,7 +76,7 @@ static openssl_algorithm_t integrity_algs[] = {
 /**
  * Look up an OpenSSL algorithm name
  */
-static char* lookup_algorithm(openssl_algorithm_t *openssl_algo, 
+static char* lookup_algorithm(openssl_algorithm_t *openssl_algo,
 					   u_int16_t ikev2_algo)
 {
 	while (openssl_algo->ikev2_id != END_OF_LIST)
@@ -133,7 +133,7 @@ static void allocate_hash(private_openssl_hasher_t *this, chunk_t chunk,
 	}
 	else
 	{
-		get_hash(this, chunk, NULL);	
+		get_hash(this, chunk, NULL);
 	}
 }
 
@@ -152,7 +152,7 @@ static void destroy (private_openssl_hasher_t *this)
 openssl_hasher_t *openssl_hasher_create(hash_algorithm_t algo)
 {
 	private_openssl_hasher_t *this;
-	
+
 	char* name = lookup_algorithm(integrity_algs, algo);
 	if (!name)
 	{
@@ -161,7 +161,7 @@ openssl_hasher_t *openssl_hasher_create(hash_algorithm_t algo)
 	}
 
 	this = malloc_thing(private_openssl_hasher_t);
-	
+
 	this->hasher = EVP_get_digestbyname(name);
 	if (!this->hasher)
 	{
@@ -169,17 +169,17 @@ openssl_hasher_t *openssl_hasher_create(hash_algorithm_t algo)
 		free(this);
 		return NULL;
 	}
-	
+
 	this->public.hasher_interface.get_hash = (void (*) (hasher_t*, chunk_t, u_int8_t*))get_hash;
 	this->public.hasher_interface.allocate_hash = (void (*) (hasher_t*, chunk_t, chunk_t*))allocate_hash;
 	this->public.hasher_interface.get_hash_size = (size_t (*) (hasher_t*))get_hash_size;
 	this->public.hasher_interface.reset = (void (*) (hasher_t*))reset;
 	this->public.hasher_interface.destroy = (void (*) (hasher_t*))destroy;
-	
+
 	this->ctx = EVP_MD_CTX_create();
-	
+
 	/* initialization */
 	reset(this);
-	
+
 	return &this->public;
 }
diff --git a/src/libstrongswan/plugins/openssl/openssl_hasher.h b/src/libstrongswan/plugins/openssl/openssl_hasher.h
index aec5bc7dd..fd7a043d1 100644
--- a/src/libstrongswan/plugins/openssl/openssl_hasher.h
+++ b/src/libstrongswan/plugins/openssl/openssl_hasher.h
@@ -29,7 +29,7 @@ typedef struct openssl_hasher_t openssl_hasher_t;
  * Implementation of hashers using OpenSSL.
  */
 struct openssl_hasher_t {
-	
+
 	/**
 	 * The hasher_t interface.
 	 */
@@ -38,7 +38,7 @@ struct openssl_hasher_t {
 
 /**
  * Constructor to create openssl_hasher_t.
- * 
+ *
  * @param algo			algorithm
  * @return				openssl_hasher_t, NULL if not supported
  */
diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c
index ce6716f5a..548a76bb4 100644
--- a/src/libstrongswan/plugins/openssl/openssl_plugin.c
+++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c
@@ -18,12 +18,13 @@
 #include <openssl/evp.h>
 #include <openssl/engine.h>
 #include <openssl/crypto.h>
-#include <pthread.h>
 
 #include "openssl_plugin.h"
 
 #include <library.h>
-#include <utils/mutex.h>
+#include <threading/thread.h>
+#include <threading/mutex.h>
+#include "openssl_util.h"
 #include "openssl_crypter.h"
 #include "openssl_hasher.h"
 #include "openssl_diffie_hellman.h"
@@ -82,7 +83,7 @@ struct CRYPTO_dynlock_value {
 static struct CRYPTO_dynlock_value *create_function(const char *file, int line)
 {
 	struct CRYPTO_dynlock_value *lock;
-	
+
 	lock = malloc_thing(struct CRYPTO_dynlock_value);
 	lock->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
 	return lock;
@@ -119,7 +120,7 @@ static void destroy_function(struct CRYPTO_dynlock_value *lock,
  */
 static unsigned long id_function(void)
 {
-	return (unsigned long)pthread_self();
+	return (unsigned long)thread_current_id();
 }
 
 /**
@@ -130,12 +131,12 @@ static void threading_init()
 	int i, num_locks;
 
 	CRYPTO_set_id_callback(id_function);
- 	CRYPTO_set_locking_callback(locking_function);
-	
+	CRYPTO_set_locking_callback(locking_function);
+
 	CRYPTO_set_dynlock_create_callback(create_function);
 	CRYPTO_set_dynlock_lock_callback(lock_function);
 	CRYPTO_set_dynlock_destroy_callback(destroy_function);
-	
+
 	num_locks = CRYPTO_num_locks();
 	mutex = malloc(sizeof(mutex_t*) * num_locks);
 	for (i = 0; i < num_locks; i++)
@@ -150,7 +151,7 @@ static void threading_init()
 static void threading_cleanup()
 {
 	int i, num_locks;
-	
+
 	num_locks = CRYPTO_num_locks();
 	for (i = 0; i < num_locks; i++)
 	{
@@ -169,25 +170,31 @@ static void destroy(private_openssl_plugin_t *this)
 					(crypter_constructor_t)openssl_crypter_create);
 	lib->crypto->remove_hasher(lib->crypto,
 					(hasher_constructor_t)openssl_hasher_create);
-	lib->crypto->remove_dh(lib->crypto, 
+	lib->crypto->remove_dh(lib->crypto,
 					(dh_constructor_t)openssl_diffie_hellman_create);
-	lib->crypto->remove_dh(lib->crypto, 
+	lib->crypto->remove_dh(lib->crypto,
 					(dh_constructor_t)openssl_ec_diffie_hellman_create);
 	lib->creds->remove_builder(lib->creds,
-					(builder_constructor_t)openssl_rsa_private_key_builder);
+					(builder_function_t)openssl_rsa_private_key_load);
+	lib->creds->remove_builder(lib->creds,
+					(builder_function_t)openssl_rsa_private_key_gen);
 	lib->creds->remove_builder(lib->creds,
-					(builder_constructor_t)openssl_rsa_public_key_builder);
+					(builder_function_t)openssl_rsa_private_key_connect);
 	lib->creds->remove_builder(lib->creds,
-					(builder_constructor_t)openssl_ec_private_key_builder);
+					(builder_function_t)openssl_rsa_public_key_load);
 	lib->creds->remove_builder(lib->creds,
-					(builder_constructor_t)openssl_ec_public_key_builder);
-	
+					(builder_function_t)openssl_ec_private_key_load);
+	lib->creds->remove_builder(lib->creds,
+					(builder_function_t)openssl_ec_private_key_gen);
+	lib->creds->remove_builder(lib->creds,
+					(builder_function_t)openssl_ec_public_key_load);
+
 	ENGINE_cleanup();
 	EVP_cleanup();
 	CONF_modules_free();
-	
+
 	threading_cleanup();
-	
+
 	free(this);
 }
 
@@ -197,18 +204,18 @@ static void destroy(private_openssl_plugin_t *this)
 plugin_t *plugin_create()
 {
 	private_openssl_plugin_t *this = malloc_thing(private_openssl_plugin_t);
-	
+
 	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-	
+
 	threading_init();
-	
+
 	OPENSSL_config(NULL);
 	OpenSSL_add_all_algorithms();
-	
+
 	/* activate support for hardware accelerators */
 	ENGINE_load_builtin_engines();
 	ENGINE_register_all_complete();
-	
+
 	/* crypter */
 	lib->crypto->add_crypter(lib->crypto, ENCR_AES_CBC,
 					(crypter_constructor_t)openssl_crypter_create);
@@ -230,7 +237,7 @@ plugin_t *plugin_create()
 					(crypter_constructor_t)openssl_crypter_create);
 	lib->crypto->add_crypter(lib->crypto, ENCR_NULL,
 					(crypter_constructor_t)openssl_crypter_create);
-	
+
 	/* hasher */
 	lib->crypto->add_hasher(lib->crypto, HASH_SHA1,
 					(hasher_constructor_t)openssl_hasher_create);
@@ -248,48 +255,53 @@ plugin_t *plugin_create()
 					(hasher_constructor_t)openssl_hasher_create);
 	lib->crypto->add_hasher(lib->crypto, HASH_SHA512,
 					(hasher_constructor_t)openssl_hasher_create);
-	
-	/* ec diffie hellman */
-	lib->crypto->add_dh(lib->crypto, ECP_192_BIT,
-						(dh_constructor_t)openssl_ec_diffie_hellman_create);
-	lib->crypto->add_dh(lib->crypto, ECP_224_BIT,
-						(dh_constructor_t)openssl_ec_diffie_hellman_create);
+
+	/* (ec) diffie hellman */
+	lib->crypto->add_dh(lib->crypto, MODP_2048_BIT,
+						(dh_constructor_t)openssl_diffie_hellman_create);
+	lib->crypto->add_dh(lib->crypto, MODP_1536_BIT,
+						(dh_constructor_t)openssl_diffie_hellman_create);
 	lib->crypto->add_dh(lib->crypto, ECP_256_BIT,
 						(dh_constructor_t)openssl_ec_diffie_hellman_create);
 	lib->crypto->add_dh(lib->crypto, ECP_384_BIT,
 						(dh_constructor_t)openssl_ec_diffie_hellman_create);
 	lib->crypto->add_dh(lib->crypto, ECP_521_BIT,
 						(dh_constructor_t)openssl_ec_diffie_hellman_create);
-	
-	/* diffie hellman */
-	lib->crypto->add_dh(lib->crypto, MODP_2048_BIT, 
-						(dh_constructor_t)openssl_diffie_hellman_create);
-	lib->crypto->add_dh(lib->crypto, MODP_1536_BIT, 
-						(dh_constructor_t)openssl_diffie_hellman_create);
-	lib->crypto->add_dh(lib->crypto, MODP_3072_BIT, 
+	lib->crypto->add_dh(lib->crypto, ECP_224_BIT,
+						(dh_constructor_t)openssl_ec_diffie_hellman_create);
+	lib->crypto->add_dh(lib->crypto, ECP_192_BIT,
+						(dh_constructor_t)openssl_ec_diffie_hellman_create);
+	lib->crypto->add_dh(lib->crypto, MODP_3072_BIT,
 						(dh_constructor_t)openssl_diffie_hellman_create);
-	lib->crypto->add_dh(lib->crypto, MODP_4096_BIT, 
+	lib->crypto->add_dh(lib->crypto, MODP_4096_BIT,
 						(dh_constructor_t)openssl_diffie_hellman_create);
-	lib->crypto->add_dh(lib->crypto, MODP_6144_BIT, 
+	lib->crypto->add_dh(lib->crypto, MODP_6144_BIT,
 						(dh_constructor_t)openssl_diffie_hellman_create);
-	lib->crypto->add_dh(lib->crypto, MODP_8192_BIT, 
+	lib->crypto->add_dh(lib->crypto, MODP_8192_BIT,
 						(dh_constructor_t)openssl_diffie_hellman_create);
 	lib->crypto->add_dh(lib->crypto, MODP_1024_BIT,
 						(dh_constructor_t)openssl_diffie_hellman_create);
-	lib->crypto->add_dh(lib->crypto, MODP_768_BIT, 
+	lib->crypto->add_dh(lib->crypto, MODP_768_BIT,
 						(dh_constructor_t)openssl_diffie_hellman_create);
-	
+
 	/* rsa */
 	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
-						(builder_constructor_t)openssl_rsa_private_key_builder);
+					(builder_function_t)openssl_rsa_private_key_load);
+	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+					(builder_function_t)openssl_rsa_private_key_gen);
+	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+					(builder_function_t)openssl_rsa_private_key_connect);
 	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
-						(builder_constructor_t)openssl_rsa_public_key_builder);
-	
+					(builder_function_t)openssl_rsa_public_key_load);
+
 	/* ec */
 	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_ECDSA,
-						(builder_constructor_t)openssl_ec_private_key_builder);
+					(builder_function_t)openssl_ec_private_key_load);
+	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_ECDSA,
+					(builder_function_t)openssl_ec_private_key_gen);
 	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_ECDSA,
-						(builder_constructor_t)openssl_ec_public_key_builder);
-	
+					(builder_function_t)openssl_ec_public_key_load);
+
 	return &this->public.plugin;
 }
+
diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
index 95c0ffdc8..078f889a6 100644
--- a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2009 Martin Willi
  * Copyright (C) 2008 Tobias Brunner
  * Hochschule fuer Technik Rapperswil
  *
@@ -37,42 +38,25 @@ struct private_openssl_rsa_private_key_t {
 	 * Public interface for this signer.
 	 */
 	openssl_rsa_private_key_t public;
-	
+
 	/**
 	 * RSA object from OpenSSL
 	 */
 	RSA *rsa;
-	
+
 	/**
 	 * TRUE if the key is from an OpenSSL ENGINE and might not be readable
 	 */
 	bool engine;
 
-	/**
-	 * Keyid formed as a SHA-1 hash of a privateKey object
-	 */
-	identification_t* keyid;
-
-	/**
-	 * Keyid formed as a SHA-1 hash of a privateKeyInfo object
-	 */
-	identification_t* keyid_info;
-	
 	/**
 	 * reference count
 	 */
-	refcount_t ref;	
+	refcount_t ref;
 };
 
-/**
- * shared functions, implemented in openssl_rsa_public_key.c
- */
-bool openssl_rsa_public_key_build_id(RSA *rsa, identification_t **keyid,
-								 identification_t **keyid_info);
-
-
-openssl_rsa_public_key_t *openssl_rsa_public_key_create_from_n_e(BIGNUM *n, BIGNUM *e);
-
+/* implemented in rsa public key */
+bool openssl_rsa_fingerprint(RSA *rsa, key_encoding_type_t type, chunk_t *fp);
 
 /**
  * Build an EMPSA PKCS1 signature described in PKCS#1
@@ -104,7 +88,7 @@ static bool build_emsa_pkcs1_signature(private_openssl_rsa_private_key_t *this,
 		{
 			return FALSE;
 		}
-	
+
 		ctx = EVP_MD_CTX_create();
 		key = EVP_PKEY_new();
 		if (!ctx || !key)
@@ -127,7 +111,7 @@ static bool build_emsa_pkcs1_signature(private_openssl_rsa_private_key_t *this,
 		{
 			success = TRUE;
 		}
-	
+
 error:
 		if (key)
 		{
@@ -156,7 +140,7 @@ static key_type_t get_type(private_openssl_rsa_private_key_t *this)
 /**
  * Implementation of openssl_rsa_private_key.sign.
  */
-static bool sign(private_openssl_rsa_private_key_t *this, signature_scheme_t scheme, 
+static bool sign(private_openssl_rsa_private_key_t *this, signature_scheme_t scheme,
 				 chunk_t data, chunk_t *signature)
 {
 	switch (scheme)
@@ -200,96 +184,57 @@ static size_t get_keysize(private_openssl_rsa_private_key_t *this)
 	return RSA_size(this->rsa);
 }
 
-/**
- * Implementation of openssl_rsa_private_key.get_id.
- */
-static identification_t* get_id(private_openssl_rsa_private_key_t *this,
-								id_type_t type)
-{
-	switch (type)
-	{
-		case ID_PUBKEY_INFO_SHA1:
-			return this->keyid_info;
-		case ID_PUBKEY_SHA1:
-			return this->keyid;
-		default:
-			return NULL;
-	}
-}
-
 /**
  * Implementation of openssl_rsa_private_key.get_public_key.
  */
-static openssl_rsa_public_key_t* get_public_key(private_openssl_rsa_private_key_t *this)
+static public_key_t* get_public_key(private_openssl_rsa_private_key_t *this)
 {
-	return openssl_rsa_public_key_create_from_n_e(this->rsa->n, this->rsa->e);
+	chunk_t enc;
+	public_key_t *key;
+	u_char *p;
+
+	enc = chunk_alloc(i2d_RSAPublicKey(this->rsa, NULL));
+	p = enc.ptr;
+	i2d_RSAPublicKey(this->rsa, &p);
+	key = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
+							 BUILD_BLOB_ASN1_DER, enc, BUILD_END);
+	free(enc.ptr);
+	return key;
 }
 
 /**
- * Implementation of openssl_rsa_private_key.equals.
+ * Implementation of public_key_t.get_fingerprint.
  */
-static bool equals(private_openssl_rsa_private_key_t *this, private_key_t *other)
+static bool get_fingerprint(private_openssl_rsa_private_key_t *this,
+							key_encoding_type_t type, chunk_t *fingerprint)
 {
-	identification_t *keyid;
-
-	if (&this->public.interface == other)
-	{
-		return TRUE;
-	}
-	if (other->get_type(other) != KEY_RSA)
-	{
-		return FALSE;
-	}
-	keyid = other->get_id(other, ID_PUBKEY_SHA1);
-	if (keyid && keyid->equals(keyid, this->keyid))
-	{
-		return TRUE;
-	}
-	keyid = other->get_id(other, ID_PUBKEY_INFO_SHA1);
-	if (keyid && keyid->equals(keyid, this->keyid_info))
-	{
-		return TRUE;
-	}
-	return FALSE;
+	return openssl_rsa_fingerprint(this->rsa, type, fingerprint);
 }
 
-/**
- * Implementation of openssl_rsa_private_key.belongs_to.
+/*
+ * Implementation of public_key_t.get_encoding.
  */
-static bool belongs_to(private_openssl_rsa_private_key_t *this, public_key_t *public)
+static bool get_encoding(private_openssl_rsa_private_key_t *this,
+						 key_encoding_type_t type, chunk_t *encoding)
 {
-	identification_t *keyid;
+	u_char *p;
 
-	if (public->get_type(public) != KEY_RSA)
+	if (this->engine)
 	{
 		return FALSE;
 	}
-	keyid = public->get_id(public, ID_PUBKEY_SHA1);
-	if (keyid && keyid->equals(keyid, this->keyid))
-	{
-		return TRUE;
-	}
-	keyid = public->get_id(public, ID_PUBKEY_INFO_SHA1);
-	if (keyid && keyid->equals(keyid, this->keyid_info))
-	{
-		return TRUE;
-	}
-	return FALSE;
-}
-
-/**
- * Implementation of private_key_t.get_encoding.
- */
-static chunk_t get_encoding(private_openssl_rsa_private_key_t *this)
-{
-	chunk_t enc = chunk_empty;
-	if (!this->engine)
+	switch (type)
 	{
-		enc = chunk_alloc(i2d_RSAPrivateKey(this->rsa, NULL));
-		u_char *p = enc.ptr;
-		i2d_RSAPrivateKey(this->rsa, &p);
+		case KEY_PRIV_ASN1_DER:
+		{
+			*encoding = chunk_alloc(i2d_RSAPrivateKey(this->rsa, NULL));
+			p = encoding->ptr;
+			i2d_RSAPrivateKey(this->rsa, &p);
+			return TRUE;
+		}
+		default:
+			return FALSE;
 	}
-	return enc;
 }
 
 /**
@@ -299,7 +244,6 @@ static private_openssl_rsa_private_key_t* get_ref(private_openssl_rsa_private_ke
 {
 	ref_get(&this->ref);
 	return this;
-
 }
 
 /**
@@ -311,10 +255,9 @@ static void destroy(private_openssl_rsa_private_key_t *this)
 	{
 		if (this->rsa)
 		{
+			lib->encoding->clear_cache(lib->encoding, this->rsa);
 			RSA_free(this->rsa);
 		}
-		DESTROY_IF(this->keyid);
-		DESTROY_IF(this->keyid_info);
 		free(this);
 	}
 }
@@ -322,238 +265,215 @@ static void destroy(private_openssl_rsa_private_key_t *this)
 /**
  * Internal generic constructor
  */
-static private_openssl_rsa_private_key_t *openssl_rsa_private_key_create_empty(void)
+static private_openssl_rsa_private_key_t *create_empty(void)
 {
 	private_openssl_rsa_private_key_t *this = malloc_thing(private_openssl_rsa_private_key_t);
-	
+
 	this->public.interface.get_type = (key_type_t (*) (private_key_t*))get_type;
 	this->public.interface.sign = (bool (*) (private_key_t*, signature_scheme_t, chunk_t, chunk_t*))sign;
 	this->public.interface.decrypt = (bool (*) (private_key_t*, chunk_t, chunk_t*))decrypt;
 	this->public.interface.get_keysize = (size_t (*) (private_key_t*))get_keysize;
-	this->public.interface.get_id = (identification_t* (*) (private_key_t*, id_type_t))get_id;
 	this->public.interface.get_public_key = (public_key_t* (*) (private_key_t*))get_public_key;
-	this->public.interface.equals = (bool (*) (private_key_t*, private_key_t*))equals;
-	this->public.interface.belongs_to = (bool (*) (private_key_t*, public_key_t*))belongs_to;
-	this->public.interface.get_encoding = (chunk_t(*) (private_key_t*))get_encoding;
+	this->public.interface.equals = private_key_equals;
+	this->public.interface.belongs_to = private_key_belongs_to;
+	this->public.interface.get_fingerprint = (bool(*)(private_key_t*, key_encoding_type_t type, chunk_t *fp))get_fingerprint;
+	this->public.interface.has_fingerprint = (bool(*)(private_key_t*, chunk_t fp))private_key_has_fingerprint;
+	this->public.interface.get_encoding = (bool(*)(private_key_t*, key_encoding_type_t type, chunk_t *encoding))get_encoding;
 	this->public.interface.get_ref = (private_key_t* (*) (private_key_t*))get_ref;
 	this->public.interface.destroy = (void (*) (private_key_t*))destroy;
-	
+
 	this->engine = FALSE;
-	this->keyid = NULL;
-	this->keyid_info = NULL;
 	this->ref = 1;
-	
+
 	return this;
 }
 
 /**
- * Generate an RSA key of specified key size
+ * See header.
  */
-static openssl_rsa_private_key_t *generate(size_t key_size)
+openssl_rsa_private_key_t *openssl_rsa_private_key_gen(key_type_t type,
+													   va_list args)
 {
-	private_openssl_rsa_private_key_t *this = openssl_rsa_private_key_create_empty();
-	
-	this->rsa = RSA_generate_key(key_size, PUBLIC_EXPONENT, NULL, NULL);
-	
-	if (!openssl_rsa_public_key_build_id(this->rsa, &this->keyid, &this->keyid_info))
+	private_openssl_rsa_private_key_t *this;
+	u_int key_size = 0;
+
+	while (TRUE)
+	{
+		switch (va_arg(args, builder_part_t))
+		{
+			case BUILD_KEY_SIZE:
+				key_size = va_arg(args, u_int);
+				continue;
+			case BUILD_END:
+				break;
+			default:
+				return NULL;
+		}
+		break;
+	}
+	if (!key_size)
 	{
-		destroy(this);
 		return NULL;
 	}
-	
+	this = create_empty();
+	this->rsa = RSA_generate_key(key_size, PUBLIC_EXPONENT, NULL, NULL);
+
 	return &this->public;
 }
 
 /**
- * load private key from an ASN1 encoded blob
+ * See header
  */
-static openssl_rsa_private_key_t *load(chunk_t blob)
+openssl_rsa_private_key_t *openssl_rsa_private_key_load(key_type_t type,
+														va_list args)
 {
-	u_char *p = blob.ptr;
-	private_openssl_rsa_private_key_t *this = openssl_rsa_private_key_create_empty();
-	
-	this->rsa = d2i_RSAPrivateKey(NULL, (const u_char**)&p, blob.len);
-	
-	chunk_clear(&blob);
-
-	if (!this->rsa)
+	private_openssl_rsa_private_key_t *this;
+	chunk_t blob, n, e, d, p, q, exp1, exp2, coeff;
+
+	blob = n = e = d = p = q = exp1 = exp2 = coeff = chunk_empty;
+	while (TRUE)
 	{
-		destroy(this);
-		return NULL;
+		switch (va_arg(args, builder_part_t))
+		{
+			case BUILD_BLOB_ASN1_DER:
+				blob = va_arg(args, chunk_t);
+				continue;
+			case BUILD_RSA_MODULUS:
+				n = va_arg(args, chunk_t);
+				continue;
+			case BUILD_RSA_PUB_EXP:
+				e = va_arg(args, chunk_t);
+				continue;
+			case BUILD_RSA_PRIV_EXP:
+				d = va_arg(args, chunk_t);
+				continue;
+			case BUILD_RSA_PRIME1:
+				p = va_arg(args, chunk_t);
+				continue;
+			case BUILD_RSA_PRIME2:
+				q = va_arg(args, chunk_t);
+				continue;
+			case BUILD_RSA_EXP1:
+				exp1 = va_arg(args, chunk_t);
+				continue;
+			case BUILD_RSA_EXP2:
+				exp2 = va_arg(args, chunk_t);
+				continue;
+			case BUILD_RSA_COEFF:
+				coeff = va_arg(args, chunk_t);
+				continue;
+			case BUILD_END:
+				break;
+			default:
+				return NULL;
+		}
+		break;
 	}
-	
-	if (!openssl_rsa_public_key_build_id(this->rsa, &this->keyid, &this->keyid_info))
+
+	this = create_empty();
+	if (blob.ptr)
 	{
-		destroy(this);
-		return NULL;
+		this->rsa = d2i_RSAPrivateKey(NULL, (const u_char**)&blob.ptr, blob.len);
+		if (this->rsa && RSA_check_key(this->rsa))
+		{
+			return &this->public;
+		}
 	}
-	
-	if (!RSA_check_key(this->rsa))
+	else if (n.ptr && e.ptr && d.ptr && p.ptr && q.ptr && coeff.ptr)
 	{
-		destroy(this);
-		return NULL;
+		this->rsa = RSA_new();
+		this->rsa->n = BN_bin2bn((const u_char*)n.ptr, n.len, NULL);
+		this->rsa->e = BN_bin2bn((const u_char*)e.ptr, e.len, NULL);
+		this->rsa->d = BN_bin2bn((const u_char*)d.ptr, d.len, NULL);
+		this->rsa->p = BN_bin2bn((const u_char*)p.ptr, p.len, NULL);
+		this->rsa->q = BN_bin2bn((const u_char*)q.ptr, q.len, NULL);
+		if (exp1.ptr)
+		{
+			this->rsa->dmp1 = BN_bin2bn((const u_char*)exp1.ptr, exp1.len, NULL);
+		}
+		if (exp2.ptr)
+		{
+			this->rsa->dmq1 = BN_bin2bn((const u_char*)exp2.ptr, exp2.len, NULL);
+		}
+		this->rsa->iqmp = BN_bin2bn((const u_char*)coeff.ptr, coeff.len, NULL);
+		if (RSA_check_key(this->rsa))
+		{
+			return &this->public;
+		}
 	}
-	
-	return &this->public;
+	destroy(this);
+	return NULL;
 }
 
 /**
- * load private key from a smart card
+ * See header.
  */
-static openssl_rsa_private_key_t *load_from_smartcard(char *keyid, char *pin)
+openssl_rsa_private_key_t *openssl_rsa_private_key_connect(key_type_t type,
+														   va_list args)
 {
-	private_openssl_rsa_private_key_t *this = NULL;
+	private_openssl_rsa_private_key_t *this;
+	char *keyid = NULL, *pin = NULL;
 	EVP_PKEY *key;
-	char *engine_id = lib->settings->get_str(lib->settings,
+	char *engine_id;
+	ENGINE *engine;
+
+	while (TRUE)
+	{
+		switch (va_arg(args, builder_part_t))
+		{
+			case BUILD_SMARTCARD_KEYID:
+				keyid = va_arg(args, char*);
+				continue;
+			case BUILD_SMARTCARD_PIN:
+				pin = va_arg(args, char*);
+				continue;
+			case BUILD_END:
+				break;
+			default:
+				return NULL;
+		}
+		break;
+	}
+	if (!keyid || !pin)
+	{
+		return NULL;
+	}
+
+	engine_id = lib->settings->get_str(lib->settings,
 								"library.plugins.openssl.engine_id", "pkcs11");
-	
-	ENGINE *engine = ENGINE_by_id(engine_id);
+	engine = ENGINE_by_id(engine_id);
 	if (!engine)
 	{
 		DBG1("engine '%s' is not available", engine_id);
 		return NULL;
 	}
-	
 	if (!ENGINE_init(engine))
 	{
 		DBG1("failed to initialize engine '%s'", engine_id);
-		goto error;
+		ENGINE_free(engine);
+		return NULL;
 	}
-	
 	if (!ENGINE_ctrl_cmd_string(engine, "PIN", pin, 0))
 	{
 		DBG1("failed to set PIN on engine '%s'", engine_id);
-		goto error;
+		ENGINE_free(engine);
+		return NULL;
 	}
-	
+
 	key = ENGINE_load_private_key(engine, keyid, NULL, NULL);
-	
 	if (!key)
 	{
-		DBG1("failed to load private key with ID '%s' from engine '%s'", keyid,
-				engine_id);
-		goto error;
-	}
-	ENGINE_free(engine);
-	
-	this = openssl_rsa_private_key_create_empty();
-	this->rsa = EVP_PKEY_get1_RSA(key);
-	this->engine = TRUE;
-	
-	if (!openssl_rsa_public_key_build_id(this->rsa, &this->keyid, &this->keyid_info))
-	{
-		destroy(this);
+		DBG1("failed to load private key with ID '%s' from engine '%s'",
+			 keyid, engine_id);
+		ENGINE_free(engine);
 		return NULL;
 	}
-	return &this->public;
-	
-error:
 	ENGINE_free(engine);
-	return NULL;
-}
-
-typedef struct private_builder_t private_builder_t;
-/**
- * Builder implementation for key loading/generation
- */
-struct private_builder_t {
-	/** implements the builder interface */
-	builder_t public;
-	/** loaded/generated private key */
-	openssl_rsa_private_key_t *key;
-	/** temporary stored smartcard key ID */
-	char *keyid;
-	/** temporary stored smartcard pin */
-	char *pin;
-};
 
-/**
- * Implementation of builder_t.build
- */
-static openssl_rsa_private_key_t *build(private_builder_t *this)
-{
-	openssl_rsa_private_key_t *key = this->key;
-	
-	if (this->keyid && this->pin)
-	{
-		key = load_from_smartcard(this->keyid, this->pin);
-	}
-	free(this);
-	return key;
-}
-
-/**
- * Implementation of builder_t.add
- */
-static void add(private_builder_t *this, builder_part_t part, ...)
-{
-	if (!this->key)
-	{
-		va_list args;
-		chunk_t chunk;
-	
-		switch (part)
-		{
-			case BUILD_BLOB_ASN1_DER:
-			{
-				va_start(args, part);
-				chunk = va_arg(args, chunk_t);
-				this->key = load(chunk_clone(chunk));
-				va_end(args);
-				return;
-			}		
-			case BUILD_KEY_SIZE:
-			{
-				va_start(args, part);
-				this->key = generate(va_arg(args, u_int));
-				va_end(args);
-				return;
-			}
-			case BUILD_SMARTCARD_KEYID:
-			{
-				va_start(args, part);
-				this->keyid = va_arg(args, char*);
-				va_end(args);
-				return;
-			}
-			case BUILD_SMARTCARD_PIN:
-			{
-				va_start(args, part);
-				this->pin = va_arg(args, char*);
-				va_end(args);
-				return;
-			}
-			default:
-				break;
-		}
-	}
-	if (this->key)
-	{
-		destroy((private_openssl_rsa_private_key_t*)this->key);
-	}
-	builder_cancel(&this->public);
-}
+	this = create_empty();
+	this->rsa = EVP_PKEY_get1_RSA(key);
+	this->engine = TRUE;
 
-/**
- * Builder construction function
- */
-builder_t *openssl_rsa_private_key_builder(key_type_t type)
-{
-	private_builder_t *this;
-	
-	if (type != KEY_RSA)
-	{
-		return NULL;
-	}
-	
-	this = malloc_thing(private_builder_t);
-	
-	this->key = NULL;
-	this->public.add = (void(*)(builder_t *this, builder_part_t part, ...))add;
-	this->public.build = (void*(*)(builder_t *this))build;
-	this->keyid = NULL;
-	this->pin = NULL;
-	
 	return &this->public;
 }
 
diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.h b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.h
index 53ec44b28..079dfa46a 100644
--- a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.h
+++ b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.h
@@ -21,6 +21,7 @@
 #ifndef OPENSSL_RSA_PRIVATE_KEY_H_
 #define OPENSSL_RSA_PRIVATE_KEY_H_
 
+#include <credentials/builder.h>
 #include <credentials/keys/private_key.h>
 
 typedef struct openssl_rsa_private_key_t openssl_rsa_private_key_t;
@@ -37,11 +38,40 @@ struct openssl_rsa_private_key_t {
 };
 
 /**
- * Create the builder for a private key.
+ * Generate a RSA private key using OpenSSL.
+ *
+ * Accepts the BUILD_KEY_SIZE argument.
+ *
+ * @param type		type of the key, must be KEY_RSA
+ * @param args		builder_part_t argument list
+ * @return 			generated key, NULL on failure
+ */
+openssl_rsa_private_key_t *openssl_rsa_private_key_gen(key_type_t type,
+													   va_list args);
+
+/**
+ * Load a RSA private key using OpenSSL.
+ *
+ * Accepts a BUILD_BLOB_ASN1_DER argument.
+ *
+ * @param type		type of the key, must be KEY_RSA
+ * @param args		builder_part_t argument list
+ * @return 			loaded key, NULL on failure
+ */
+openssl_rsa_private_key_t *openssl_rsa_private_key_load(key_type_t type,
+														va_list args);
+
+/**
+ * Connect to a RSA private key on a smartcard.
+ *
+ * Accepts the BUILD_SMARTCARD_KEYID and the BUILD_SMARTCARD_PIN
+ * arguments.
  *
  * @param type		type of the key, must be KEY_RSA
- * @return 			builder instance
+ * @param args		builder_part_t argument list
+ * @return 			loaded key, NULL on failure
  */
-builder_t *openssl_rsa_private_key_builder(key_type_t type);
+openssl_rsa_private_key_t *openssl_rsa_private_key_connect(key_type_t type,
+														   va_list args);
 
 #endif /** OPENSSL_RSA_PRIVATE_KEY_H_ @}*/
diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
index bc1ba35b6..422262b19 100644
--- a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2009 Martin Willi
  * Copyright (C) 2008 Tobias Brunner
  * Hochschule fuer Technik Rapperswil
  *
@@ -31,22 +32,12 @@ struct private_openssl_rsa_public_key_t {
 	 * Public interface for this signer.
 	 */
 	openssl_rsa_public_key_t public;
-	
+
 	/**
 	 * RSA object from OpenSSL
 	 */
 	RSA *rsa;
-	
-	/**
-	 * Keyid formed as a SHA-1 hash of a publicKeyInfo object
-	 */
-	identification_t *keyid_info;
-	
-	/**
-	 * Keyid formed as a SHA-1 hash of a publicKey object
-	 */
-	identification_t *keyid;
-	
+
 	/**
 	 * reference counter
 	 */
@@ -109,7 +100,7 @@ static bool verify_emsa_pkcs1_signature(private_openssl_rsa_public_key_t *this,
 			goto error;
 		}
 		valid = (EVP_VerifyFinal(ctx, signature.ptr, signature.len, key) == 1);
-	
+
 error:
 		if (key)
 		{
@@ -134,7 +125,7 @@ static key_type_t get_type(private_openssl_rsa_public_key_t *this)
 /**
  * Implementation of public_key_t.verify.
  */
-static bool verify(private_openssl_rsa_public_key_t *this, signature_scheme_t scheme, 
+static bool verify(private_openssl_rsa_public_key_t *this, signature_scheme_t scheme,
 				   chunk_t data, chunk_t signature)
 {
 	switch (scheme)
@@ -163,40 +154,13 @@ static bool verify(private_openssl_rsa_public_key_t *this, signature_scheme_t sc
 /**
  * Implementation of public_key_t.get_keysize.
  */
-static bool encrypt_(private_openssl_rsa_public_key_t *this, chunk_t crypto, chunk_t *plain)
+static bool encrypt_(private_openssl_rsa_public_key_t *this,
+					 chunk_t crypto, chunk_t *plain)
 {
 	DBG1("RSA public key encryption not implemented");
 	return FALSE;
 }
 
-/**
- * Implementation of public_key_t.equals.
- */
-static bool equals(private_openssl_rsa_public_key_t *this, public_key_t *other)
-{
-	identification_t *keyid;
-
-	if (&this->public.interface == other)
-	{
-		return TRUE;
-	}
-	if (other->get_type(other) != KEY_RSA)
-	{
-		return FALSE;
-	}
-	keyid = other->get_id(other, ID_PUBKEY_SHA1);
-	if (keyid && keyid->equals(keyid, this->keyid))
-	{
-		return TRUE;
-	}
-	keyid = other->get_id(other, ID_PUBKEY_INFO_SHA1);
-	if (keyid && keyid->equals(keyid, this->keyid_info))
-	{
-		return TRUE;
-	}
-	return FALSE;
-}
-
 /**
  * Implementation of public_key_t.get_keysize.
  */
@@ -206,79 +170,92 @@ static size_t get_keysize(private_openssl_rsa_public_key_t *this)
 }
 
 /**
- * Implementation of public_key_t.get_id.
+ * Calculate fingerprint from a RSA key, also used in rsa private key.
  */
-static identification_t *get_id(private_openssl_rsa_public_key_t *this,
-								id_type_t type)
+bool openssl_rsa_fingerprint(RSA *rsa, key_encoding_type_t type, chunk_t *fp)
 {
+	hasher_t *hasher;
+	chunk_t key;
+	u_char *p;
+
+	if (lib->encoding->get_cache(lib->encoding, type, rsa, fp))
+	{
+		return TRUE;
+	}
 	switch (type)
 	{
-		case ID_PUBKEY_INFO_SHA1:
-			return this->keyid_info;
-		case ID_PUBKEY_SHA1:
-			return this->keyid;
+		case KEY_ID_PUBKEY_SHA1:
+			key = chunk_alloc(i2d_RSAPublicKey(rsa, NULL));
+			p = key.ptr;
+			i2d_RSAPublicKey(rsa, &p);
+			break;
+		case KEY_ID_PUBKEY_INFO_SHA1:
+			key = chunk_alloc(i2d_RSA_PUBKEY(rsa, NULL));
+			p = key.ptr;
+			i2d_RSA_PUBKEY(rsa, &p);
+			break;
 		default:
-			return NULL;
+			return FALSE;
 	}
+	hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
+	if (!hasher)
+	{
+		DBG1("SHA1 hash algorithm not supported, fingerprinting failed");
+		free(key.ptr);
+		return FALSE;
+	}
+	hasher->allocate_hash(hasher, key, fp);
+	free(key.ptr);
+	hasher->destroy(hasher);
+	lib->encoding->cache(lib->encoding, type, rsa, *fp);
+	return TRUE;
 }
 
 /**
- * Encodes the public key
- */ 
-static chunk_t get_encoding_raw(RSA *rsa)
-{
-	chunk_t enc = chunk_alloc(i2d_RSAPublicKey(rsa, NULL));
-	u_char *p = enc.ptr;
-	i2d_RSAPublicKey(rsa, &p);
-	return enc;
-}
-
-/**
- * Encodes the public key with the algorithm used
+ * Implementation of public_key_t.get_fingerprint.
  */
-static chunk_t get_encoding_with_algo(RSA *rsa)
+static bool get_fingerprint(private_openssl_rsa_public_key_t *this,
+							key_encoding_type_t type, chunk_t *fingerprint)
 {
-	u_char *p;
-	chunk_t enc;
-	X509_PUBKEY *pubkey = X509_PUBKEY_new();
-	
-	ASN1_OBJECT_free(pubkey->algor->algorithm);
-	pubkey->algor->algorithm = OBJ_nid2obj(NID_rsaEncryption);
-	
-	if (pubkey->algor->parameter == NULL ||
-		pubkey->algor->parameter->type != V_ASN1_NULL)
-	{
-		ASN1_TYPE_free(pubkey->algor->parameter);
-		pubkey->algor->parameter = ASN1_TYPE_new();
-		pubkey->algor->parameter->type = V_ASN1_NULL;
-	}
-	
-	enc = get_encoding_raw(rsa);
-	M_ASN1_BIT_STRING_set(pubkey->public_key, enc.ptr, enc.len);
-	chunk_free(&enc);
-	
-	enc = chunk_alloc(i2d_X509_PUBKEY(pubkey, NULL));
-	p = enc.ptr;
-	i2d_X509_PUBKEY(pubkey, &p);
-	X509_PUBKEY_free(pubkey);
-	return enc;
+	return openssl_rsa_fingerprint(this->rsa, type, fingerprint);
 }
 
 /*
  * Implementation of public_key_t.get_encoding.
  */
-static chunk_t get_encoding(private_openssl_rsa_public_key_t *this)
+static bool get_encoding(private_openssl_rsa_public_key_t *this,
+						 key_encoding_type_t type, chunk_t *encoding)
 {
-	return get_encoding_raw(this->rsa);
+	u_char *p;
+
+	switch (type)
+	{
+		case KEY_PUB_SPKI_ASN1_DER:
+		{
+			*encoding = chunk_alloc(i2d_RSA_PUBKEY(this->rsa, NULL));
+			p = encoding->ptr;
+			i2d_RSA_PUBKEY(this->rsa, &p);
+			return TRUE;
+		}
+		case KEY_PUB_ASN1_DER:
+		{
+			*encoding = chunk_alloc(i2d_RSAPublicKey(this->rsa, NULL));
+			p = encoding->ptr;
+			i2d_RSAPublicKey(this->rsa, &p);
+			return TRUE;
+		}
+		default:
+			return FALSE;
+	}
 }
 
 /**
  * Implementation of public_key_t.get_ref.
  */
-static private_openssl_rsa_public_key_t* get_ref(private_openssl_rsa_public_key_t *this)
+static public_key_t* get_ref(private_openssl_rsa_public_key_t *this)
 {
 	ref_get(&this->ref);
-	return this;
+	return &this->public.interface;
 }
 
 /**
@@ -290,10 +267,9 @@ static void destroy(private_openssl_rsa_public_key_t *this)
 	{
 		if (this->rsa)
 		{
+			lib->encoding->clear_cache(lib->encoding, this->rsa);
 			RSA_free(this->rsa);
 		}
-		DESTROY_IF(this->keyid);
-		DESTROY_IF(this->keyid_info);
 		free(this);
 	}
 }
@@ -301,179 +277,75 @@ static void destroy(private_openssl_rsa_public_key_t *this)
 /**
  * Generic private constructor
  */
-static private_openssl_rsa_public_key_t *openssl_rsa_public_key_create_empty()
+static private_openssl_rsa_public_key_t *create_empty()
 {
 	private_openssl_rsa_public_key_t *this = malloc_thing(private_openssl_rsa_public_key_t);
-	
+
 	this->public.interface.get_type = (key_type_t (*)(public_key_t *this))get_type;
 	this->public.interface.verify = (bool (*)(public_key_t *this, signature_scheme_t scheme, chunk_t data, chunk_t signature))verify;
 	this->public.interface.encrypt = (bool (*)(public_key_t *this, chunk_t crypto, chunk_t *plain))encrypt_;
-	this->public.interface.equals = (bool (*) (public_key_t*, public_key_t*))equals;
+	this->public.interface.equals = public_key_equals;
 	this->public.interface.get_keysize = (size_t (*) (public_key_t *this))get_keysize;
-	this->public.interface.get_id = (identification_t* (*) (public_key_t *this,id_type_t))get_id;
-	this->public.interface.get_encoding = (chunk_t(*)(public_key_t*))get_encoding;
+	this->public.interface.get_fingerprint = (bool(*)(public_key_t*, key_encoding_type_t type, chunk_t *fp))get_fingerprint;
+	this->public.interface.has_fingerprint = (bool(*)(public_key_t*, chunk_t fp))public_key_has_fingerprint;
+	this->public.interface.get_encoding = (bool(*)(public_key_t*, key_encoding_type_t type, chunk_t *encoding))get_encoding;
 	this->public.interface.get_ref = (public_key_t* (*)(public_key_t *this))get_ref;
 	this->public.interface.destroy = (void (*)(public_key_t *this))destroy;
-	
-	this->keyid = NULL;
-	this->keyid_info = NULL;
-	this->ref = 1;
-	
-	return this;
-}
-
-/**
- * Build the RSA key identifier from n and e using SHA1 hashed publicKey(Info).
- * Also used in openssl_rsa_private_key.c.
- */
-bool openssl_rsa_public_key_build_id(RSA *rsa, identification_t **keyid,
-								 identification_t **keyid_info)
-{
-	chunk_t publicKeyInfo, publicKey, hash;
-	hasher_t *hasher;
-	
-	hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
-	if (hasher == NULL)
-	{
-		DBG1("SHA1 hash algorithm not supported, unable to use RSA");
-		return FALSE;
-	}
-	
-	publicKey = get_encoding_raw(rsa);
-	
-	hasher->allocate_hash(hasher, publicKey, &hash);
-	*keyid = identification_create_from_encoding(ID_PUBKEY_SHA1, hash);
-	chunk_free(&hash);
-	
-	publicKeyInfo = get_encoding_with_algo(rsa);
-	
-	hasher->allocate_hash(hasher, publicKeyInfo, &hash);
-	*keyid_info = identification_create_from_encoding(ID_PUBKEY_INFO_SHA1, hash);
-	chunk_free(&hash);
-	
-	hasher->destroy(hasher);
-	chunk_free(&publicKeyInfo);
-	chunk_free(&publicKey);
-	
-	return TRUE;
-}
-
-/**
- * Create a public key from BIGNUM values, used in openssl_rsa_private_key.c
- */
-openssl_rsa_public_key_t *openssl_rsa_public_key_create_from_n_e(BIGNUM *n, BIGNUM *e)
-{
-	private_openssl_rsa_public_key_t *this = openssl_rsa_public_key_create_empty();
-	
-	this->rsa = RSA_new();
-	this->rsa->n = BN_dup(n);
-	this->rsa->e = BN_dup(e);
-	
-	if (!openssl_rsa_public_key_build_id(this->rsa, &this->keyid, &this->keyid_info))
-	{
-		destroy(this);
-		return NULL;
-	}
-	return &this->public;
-}
 
-/**
- * Load a public key from an ASN1 encoded blob
- */
-static openssl_rsa_public_key_t *load(chunk_t blob)
-{
-	u_char *p = blob.ptr;
-	private_openssl_rsa_public_key_t *this = openssl_rsa_public_key_create_empty();
-
-	this->rsa = d2i_RSAPublicKey(NULL, (const u_char**)&p, blob.len);
-	
-	chunk_clear(&blob);
-
-	if (!this->rsa)
-	{
-		destroy(this);
-		return NULL;
-	}
+	this->rsa = NULL;
+	this->ref = 1;
 
-	if (!openssl_rsa_public_key_build_id(this->rsa, &this->keyid, &this->keyid_info))
-	{
-		destroy(this);
-		return NULL;
-	}
-	return &this->public;
+	return this;
 }
 
-typedef struct private_builder_t private_builder_t;
 /**
- * Builder implementation for key loading
+ * See header.
  */
-struct private_builder_t {
-	/** implements the builder interface */
-	builder_t public;
-	/** loaded public key */
-	openssl_rsa_public_key_t *key;
-};
-
-/**
- * Implementation of builder_t.build
- */
-static openssl_rsa_public_key_t *build(private_builder_t *this)
+openssl_rsa_public_key_t *openssl_rsa_public_key_load(key_type_t type,
+													  va_list args)
 {
-	openssl_rsa_public_key_t *key = this->key;
-	
-	free(this);
-	return key;
-}
+	private_openssl_rsa_public_key_t *this;
+	chunk_t blob, n, e;
 
-/**
- * Implementation of builder_t.add
- */
-static void add(private_builder_t *this, builder_part_t part, ...)
-{
-	if (!this->key)
+	n = e = blob = chunk_empty;
+	while (TRUE)
 	{
-		va_list args;
-		chunk_t chunk;
-	
-		switch (part)
+		switch (va_arg(args, builder_part_t))
 		{
 			case BUILD_BLOB_ASN1_DER:
-			{
-				va_start(args, part);
-				chunk = va_arg(args, chunk_t);
-				this->key = load(chunk_clone(chunk));
-				va_end(args);
-				return;
-			}
-			default:
+				blob = va_arg(args, chunk_t);
+				continue;
+			case BUILD_RSA_MODULUS:
+				n = va_arg(args, chunk_t);
+				continue;
+			case BUILD_RSA_PUB_EXP:
+				e = va_arg(args, chunk_t);
+				continue;
+			case BUILD_END:
 				break;
+			default:
+				return NULL;
 		}
+		break;
 	}
-	if (this->key)
+
+	this = create_empty();
+	if (blob.ptr)
 	{
-		destroy((private_openssl_rsa_public_key_t*)this->key);
+		this->rsa = d2i_RSAPublicKey(NULL, (const u_char**)&blob.ptr, blob.len);
+		if (this->rsa)
+		{
+			return &this->public;
+		}
 	}
-	builder_cancel(&this->public);
-}
-
-/**
- * Builder construction function
- */
-builder_t *openssl_rsa_public_key_builder(key_type_t type)
-{
-	private_builder_t *this;
-	
-	if (type != KEY_RSA)
+	else if (n.ptr && e.ptr)
 	{
-		return NULL;
+		this->rsa = RSA_new();
+		this->rsa->n = BN_bin2bn((const u_char*)n.ptr, n.len, NULL);
+		this->rsa->e = BN_bin2bn((const u_char*)e.ptr, e.len, NULL);
+		return &this->public;
 	}
-	
-	this = malloc_thing(private_builder_t);
-	
-	this->key = NULL;
-	this->public.add = (void(*)(builder_t *this, builder_part_t part, ...))add;
-	this->public.build = (void*(*)(builder_t *this))build;
-	
-	return &this->public;
+	destroy(this);
+	return NULL;
 }
 
diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.h b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.h
index ff99ddbc5..620aa51ce 100644
--- a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.h
+++ b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.h
@@ -37,11 +37,15 @@ struct openssl_rsa_public_key_t {
 };
 
 /**
- * Create the builder for a public key.
+ * Load a RSA public key using OpenSSL.
+ *
+ * Accepts a BUILD_BLOB_ASN1_DER argument.
  *
  * @param type		type of the key, must be KEY_RSA
- * @return 			builder instance
+ * @param args		builder_part_t argument list
+ * @return 			loaded key, NULL on failure
  */
-builder_t *openssl_rsa_public_key_builder(key_type_t type);
+openssl_rsa_public_key_t *openssl_rsa_public_key_load(key_type_t type,
+													  va_list args);
 
 #endif /** OPENSSL_RSA_PUBLIC_KEY_H_ @}*/
diff --git a/src/libstrongswan/plugins/openssl/openssl_util.c b/src/libstrongswan/plugins/openssl/openssl_util.c
index c8c453f64..55b18a524 100644
--- a/src/libstrongswan/plugins/openssl/openssl_util.c
+++ b/src/libstrongswan/plugins/openssl/openssl_util.c
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2009 Martin Willi
  * Copyright (C) 2008 Tobias Brunner
  * Hochschule fuer Technik Rapperswil
  *
@@ -18,6 +19,7 @@
 #include <debug.h>
 
 #include <openssl/evp.h>
+#include <openssl/x509.h>
 
 /**
  * Described in header.
@@ -31,30 +33,30 @@ bool openssl_hash_chunk(int hash_type, chunk_t data, chunk_t *hash)
 	{
 		return FALSE;
 	}
-	
-	ctx = EVP_MD_CTX_create();	
+
+	ctx = EVP_MD_CTX_create();
 	if (!ctx)
 	{
 		goto error;
 	}
-	
+
 	if (!EVP_DigestInit_ex(ctx, hasher, NULL))
 	{
 		goto error;
 	}
-	
+
 	if (!EVP_DigestUpdate(ctx, data.ptr, data.len))
 	{
 		goto error;
 	}
-	
+
 	*hash = chunk_alloc(hasher->md_size);
 	if (!EVP_DigestFinal_ex(ctx, hash->ptr, NULL))
 	{
 		chunk_free(hash);
 		goto error;
 	}
-	
+
 	ret = TRUE;
 error:
 	if (ctx)
@@ -70,18 +72,18 @@ error:
 bool openssl_bn_cat(int len, BIGNUM *a, BIGNUM *b, chunk_t *chunk)
 {
 	int offset;
-	
+
 	chunk->len = len + (b ? len : 0);
 	chunk->ptr = malloc(chunk->len);
 	memset(chunk->ptr, 0, chunk->len);
-	
+
 	/* convert a */
 	offset = len - BN_num_bytes(a);
 	if (!BN_bn2bin(a, chunk->ptr + offset))
 	{
 		goto error;
 	}
-	
+
 	/* optionally convert and concatenate b */
 	if (b)
 	{
@@ -90,8 +92,8 @@ bool openssl_bn_cat(int len, BIGNUM *a, BIGNUM *b, chunk_t *chunk)
 		{
 			goto error;
 		}
-	}	
-	
+	}
+
 	return TRUE;
 error:
 	chunk_free(chunk);
@@ -105,19 +107,20 @@ error:
 bool openssl_bn_split(chunk_t chunk, BIGNUM *a, BIGNUM *b)
 {
 	int len;
-	
+
 	if ((chunk.len % 2) != 0)
 	{
 		return FALSE;
 	}
-	
+
 	len = chunk.len / 2;
-	
+
 	if (!BN_bin2bn(chunk.ptr, len, a) ||
 		!BN_bin2bn(chunk.ptr + len, len, b))
 	{
 		return FALSE;
 	}
-	
+
 	return TRUE;
 }
+
diff --git a/src/libstrongswan/plugins/openssl/openssl_util.h b/src/libstrongswan/plugins/openssl/openssl_util.h
index 6ba1ff07b..538008f2c 100644
--- a/src/libstrongswan/plugins/openssl/openssl_util.h
+++ b/src/libstrongswan/plugins/openssl/openssl_util.h
@@ -31,9 +31,9 @@
 
 /**
  * Creates a hash of a given type of a chunk of data.
- * 
+ *
  * Note: this function allocates memory for the hash
- * 
+ *
  * @param hash_type	NID of the hash
  * @param data		the chunk of data to hash
  * @param hash		chunk that contains the hash
@@ -44,9 +44,9 @@ bool openssl_hash_chunk(int hash_type, chunk_t data, chunk_t *hash);
 /**
  * Concatenates two bignums into a chunk, thereby enfocing the length of
  * a single BIGNUM, if necessary, by pre-pending it with zeros.
- * 
+ *
  * Note: this function allocates memory for the chunk
- * 
+ *
  * @param len		the length of a single BIGNUM
  * @param a			first BIGNUM
  * @param b			second BIGNUM
@@ -57,7 +57,7 @@ bool openssl_bn_cat(int len, BIGNUM *a, BIGNUM *b, chunk_t *chunk);
 
 /**
  * Splits a chunk into two bignums of equal binary length.
- * 
+ *
  * @param chunk		a chunk that contains the two BIGNUMs
  * @param a			first BIGNUM
  * @param b			second BIGNUM
diff --git a/src/libstrongswan/plugins/padlock/Makefile.in b/src/libstrongswan/plugins/padlock/Makefile.in
index 44f533744..59ea98799 100644
--- a/src/libstrongswan/plugins/padlock/Makefile.in
+++ b/src/libstrongswan/plugins/padlock/Makefile.in
@@ -1,8 +1,9 @@
-# Makefile.in generated by automake 1.10.2 from Makefile.am.
+# Makefile.in generated by automake 1.11 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,8 +17,9 @@
 
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
@@ -35,19 +37,41 @@ host_triplet = @host@
 subdir = src/libstrongswan/plugins/padlock
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
 CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
 am__vpath_adj = case $$p in \
     $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
     *) f=$$p;; \
   esac;
-am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__installdirs = "$(DESTDIR)$(plugindir)"
-pluginLTLIBRARIES_INSTALL = $(INSTALL)
 LTLIBRARIES = $(plugin_LTLIBRARIES)
 libstrongswan_padlock_la_LIBADD =
 am_libstrongswan_padlock_la_OBJECTS = padlock_plugin.lo \
@@ -60,6 +84,7 @@ libstrongswan_padlock_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
+am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
@@ -107,25 +132,22 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
-IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
-LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
-LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
-LINUX_HEADERS = @LINUX_HEADERS@
 LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
 NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
@@ -137,11 +159,14 @@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
 PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
+RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
@@ -170,9 +195,9 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
-confdir = @confdir@
 datadir = @datadir@
 datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
@@ -195,7 +220,7 @@ ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
 libstrongswan_plugins = @libstrongswan_plugins@
-linuxdir = @linuxdir@
+linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
@@ -203,6 +228,7 @@ mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
@@ -211,10 +237,12 @@ pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+random_device = @random_device@
 resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
-simreader = @simreader@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
@@ -222,6 +250,7 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
@@ -246,9 +275,9 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/libstrongswan/plugins/padlock/Makefile'; \
-	cd $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu  src/libstrongswan/plugins/padlock/Makefile
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/padlock/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libstrongswan/plugins/padlock/Makefile
 .PRECIOUS: Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
@@ -266,23 +295,28 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
 	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
 	  if test -f $$p; then \
-	    f=$(am__strip_dir) \
-	    echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(plugindir)/$$f'"; \
-	    $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(plugindir)/$$f"; \
+	    list2="$$list2 $$p"; \
 	  else :; fi; \
-	done
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
 
 uninstall-pluginLTLIBRARIES:
 	@$(NORMAL_UNINSTALL)
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
-	  p=$(am__strip_dir) \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$p'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$p"; \
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
 	done
 
 clean-pluginLTLIBRARIES:
@@ -309,21 +343,21 @@ distclean-compile:
 
 .c.o:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c $<
 
 .c.obj:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
 @am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
@@ -346,7 +380,7 @@ tags: TAGS
 
 TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
+	set x; \
 	here=`pwd`; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
@@ -354,29 +388,34 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
 	  test -n "$$unique" || unique=$$empty_fix; \
-	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	    $$tags $$unique; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
 	fi
 ctags: CTAGS
 CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	test -z "$(CTAGS_ARGS)$$unique" \
 	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$tags $$unique
+	     $$unique
 
 GTAGS:
 	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && cd $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) $$here
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
 
 distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
@@ -397,13 +436,17 @@ distdir: $(DISTFILES)
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
 	  if test -d $$d/$$file; then \
 	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
 	    fi; \
-	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
 	  else \
-	    test -f $(distdir)/$$file \
-	    || cp -p $$d/$$file $(distdir)/$$file \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
 	    || exit 1; \
 	  fi; \
 	done
@@ -434,6 +477,7 @@ clean-generic:
 
 distclean-generic:
 	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -455,6 +499,8 @@ dvi-am:
 
 html: html-am
 
+html-am:
+
 info: info-am
 
 info-am:
@@ -463,18 +509,28 @@ install-data-am: install-pluginLTLIBRARIES
 
 install-dvi: install-dvi-am
 
+install-dvi-am:
+
 install-exec-am:
 
 install-html: install-html-am
 
+install-html-am:
+
 install-info: install-info-am
 
+install-info-am:
+
 install-man:
 
 install-pdf: install-pdf-am
 
+install-pdf-am:
+
 install-ps: install-ps-am
 
+install-ps-am:
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -513,6 +569,7 @@ uninstall-am: uninstall-pluginLTLIBRARIES
 	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
 	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
 
+
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/src/libstrongswan/plugins/padlock/padlock_aes_crypter.c b/src/libstrongswan/plugins/padlock/padlock_aes_crypter.c
index afdd85b79..9edea4bd3 100644
--- a/src/libstrongswan/plugins/padlock/padlock_aes_crypter.c
+++ b/src/libstrongswan/plugins/padlock/padlock_aes_crypter.c
@@ -1,7 +1,7 @@
 /*
  * Copyright (C) 2008 Thomas Kallenberg
  * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil 
+ * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -26,12 +26,12 @@ typedef struct private_padlock_aes_crypter_t private_padlock_aes_crypter_t;
  * Private data of padlock_aes_crypter_t
  */
 struct private_padlock_aes_crypter_t {
-	
+
 	/**
 	 * Public part of this class.
 	 */
 	padlock_aes_crypter_t public;
-	
+
 	/*
 	 * the key
 	 */
@@ -56,7 +56,7 @@ typedef struct {
 /**
  * Invoke the actual de/encryption
  */
-static void padlock_crypt(void *key, void *ctrl, void *src, void *dst, 
+static void padlock_crypt(void *key, void *ctrl, void *src, void *dst,
 						  int count, void *iv)
 {
 	asm volatile(
@@ -81,7 +81,7 @@ static void padlock_crypt(void *key, void *ctrl, void *src, void *dst,
 /*
  * Implementation of crypter_t.crypt
  */
-static void crypt(private_padlock_aes_crypter_t *this, char *iv, 
+static void crypt(private_padlock_aes_crypter_t *this, char *iv,
 				  chunk_t src, chunk_t *dst, bool enc)
 {
 	cword cword PADLOCK_ALIGN;
@@ -110,7 +110,7 @@ static void crypt(private_padlock_aes_crypter_t *this, char *iv,
 /**
  * Implementation of crypter_t.decrypt.
  */
-static void decrypt(private_padlock_aes_crypter_t *this, chunk_t data, 
+static void decrypt(private_padlock_aes_crypter_t *this, chunk_t data,
 						chunk_t iv, chunk_t *dst)
 {
 	crypt(this, iv.ptr, data, dst, TRUE);
@@ -120,7 +120,7 @@ static void decrypt(private_padlock_aes_crypter_t *this, chunk_t data,
 /**
  * Implementation of crypter_t.encrypt.
  */
-static void encrypt (private_padlock_aes_crypter_t *this, chunk_t data, 
+static void encrypt (private_padlock_aes_crypter_t *this, chunk_t data,
 							chunk_t iv, chunk_t *dst)
 {
 	crypt(this, iv.ptr, data, dst, FALSE);
@@ -162,18 +162,18 @@ static void destroy (private_padlock_aes_crypter_t *this)
 /*
  * Described in header
  */
-padlock_aes_crypter_t *padlock_aes_crypter_create(encryption_algorithm_t algo, 
+padlock_aes_crypter_t *padlock_aes_crypter_create(encryption_algorithm_t algo,
 												  size_t key_size)
 {
 	private_padlock_aes_crypter_t *this;
-	
+
 	if (algo != ENCR_AES_CBC)
 	{
 		return NULL;
 	}
-	
+
 	this = malloc_thing(private_padlock_aes_crypter_t);
-	
+
 	switch (key_size)
 	{
 		case 16:        /* AES 128 */
@@ -185,15 +185,15 @@ padlock_aes_crypter_t *padlock_aes_crypter_create(encryption_algorithm_t algo,
 			free(this);
 			return NULL;
 	}
-	
+
 	this->key = chunk_alloc(key_size);
-	
+
 	this->public.crypter_interface.encrypt = (void (*) (crypter_t *, chunk_t,chunk_t, chunk_t *)) encrypt;
 	this->public.crypter_interface.decrypt = (void (*) (crypter_t *, chunk_t , chunk_t, chunk_t *)) decrypt;
 	this->public.crypter_interface.get_block_size = (size_t (*) (crypter_t *)) get_block_size;
 	this->public.crypter_interface.get_key_size = (size_t (*) (crypter_t *)) get_key_size;
 	this->public.crypter_interface.set_key = (void (*) (crypter_t *,chunk_t)) set_key;
 	this->public.crypter_interface.destroy = (void (*) (crypter_t *)) destroy;
-	
+
 	return &this->public;
 }
diff --git a/src/libstrongswan/plugins/padlock/padlock_aes_crypter.h b/src/libstrongswan/plugins/padlock/padlock_aes_crypter.h
index d8ac9c2a0..d4c7a7577 100644
--- a/src/libstrongswan/plugins/padlock/padlock_aes_crypter.h
+++ b/src/libstrongswan/plugins/padlock/padlock_aes_crypter.h
@@ -30,7 +30,7 @@ typedef struct padlock_aes_crypter_t padlock_aes_crypter_t;
  * Implementation of AES-128 using VIA Padlock.
  */
 struct padlock_aes_crypter_t {
-	
+
 	/**
 	 * The crypter_t interface.
 	 */
@@ -39,7 +39,7 @@ struct padlock_aes_crypter_t {
 
 /**
  * Constructor to create padlock_aes_crypter_t.
- * 
+ *
  * @param key_size		key size in bytes, currently supports only 16.
  * @param algo			algorithm to implement, must be ENCR_AES_CBC
  * @return				padlock_aes_crypter_t, NULL if not supported
diff --git a/src/libstrongswan/plugins/padlock/padlock_plugin.c b/src/libstrongswan/plugins/padlock/padlock_plugin.c
index e241b59be..32b18ec4b 100644
--- a/src/libstrongswan/plugins/padlock/padlock_plugin.c
+++ b/src/libstrongswan/plugins/padlock/padlock_plugin.c
@@ -55,7 +55,7 @@ struct private_padlock_plugin_t {
 	 * public functions
 	 */
 	padlock_plugin_t public;
-	
+
 	/**
 	 * features supported by Padlock
 	 */
@@ -81,11 +81,11 @@ static padlock_feature_t get_padlock_features()
 {
 	char vendor[3 * sizeof(int) + 1];
 	int a, b, c, d;
-	
+
 	cpuid(0, a, b, c, d);
 	/* VendorID string is in b-d-c (yes, in this order) */
 	snprintf(vendor, sizeof(vendor), "%.4s%.4s%.4s", &b, &d, &c);
-	
+
 	/* check if we have a VIA chip */
 	if (streq(vendor, "CentaurHauls"))
 	{
@@ -134,9 +134,9 @@ static void destroy(private_padlock_plugin_t *this)
 plugin_t *plugin_create()
 {
 	private_padlock_plugin_t *this = malloc_thing(private_padlock_plugin_t);
-	
+
 	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-	
+
 	this->features = get_padlock_features();
 	if (!this->features)
 	{
@@ -154,7 +154,7 @@ plugin_t *plugin_create()
 		 this->features & PADLOCK_ACE2_ENABLED ? " ACE2" : "",
 		 this->features & PADLOCK_PHE_ENABLED ? " PHE" : "",
 		 this->features & PADLOCK_PMM_ENABLED ? " PMM" : "");
-	
+
 	if (this->features & PADLOCK_RNG_ENABLED)
 	{
 		lib->crypto->add_rng(lib->crypto, RNG_TRUE,
diff --git a/src/libstrongswan/plugins/padlock/padlock_rng.c b/src/libstrongswan/plugins/padlock/padlock_rng.c
index 8a04dccfc..8ff46081b 100644
--- a/src/libstrongswan/plugins/padlock/padlock_rng.c
+++ b/src/libstrongswan/plugins/padlock/padlock_rng.c
@@ -36,12 +36,12 @@ enum padlock_quality_factor_t {
  * Private data of an padlock_rng_t object.
  */
 struct private_padlock_rng_t {
-	
+
 	/**
 	 * Public padlock_rng_t interface.
 	 */
 	padlock_rng_t public;
-	
+
 	/**
 	 * Padlock quality factor
 	 */
@@ -56,14 +56,14 @@ static void rng(char *buf, int len, int quality)
 	while (len > 0)
 	{
 		int status;
-		
+
 		/* run XSTORE until we have all bytes needed. We do not use REP, as
 		 * this should not be performance critical and it's easier this way. */
 		asm volatile (
 			".byte 0x0F,0xA7,0xC0 \n\t"
 			: "=D"(buf), "=a"(status)
 			: "d"(quality), "D"(buf));
-		
+
 		/* bits[0..4] of status word contains the number of bytes read */
 		len -= status & 0x1F;
 	}
@@ -78,7 +78,7 @@ static void allocate_bytes(private_padlock_rng_t *this, size_t bytes,
 	chunk->len = bytes;
 	/* padlock requires some additional bytes */
 	chunk->ptr = malloc(bytes + 7);
-	
+
 	rng(chunk->ptr, chunk->len, this->quality);
 }
 
@@ -89,7 +89,7 @@ static void get_bytes(private_padlock_rng_t *this, size_t bytes,
 					  u_int8_t *buffer)
 {
 	chunk_t chunk;
-	
+
 	/* Padlock needs a larger buffer than "bytes", we need a new buffer */
 	allocate_bytes(this, bytes, &chunk);
 	memcpy(buffer, chunk.ptr, bytes);
@@ -110,11 +110,11 @@ static void destroy(private_padlock_rng_t *this)
 padlock_rng_t *padlock_rng_create(rng_quality_t quality)
 {
 	private_padlock_rng_t *this = malloc_thing(private_padlock_rng_t);
-	
+
 	this->public.rng.get_bytes = (void (*) (rng_t *, size_t, u_int8_t*)) get_bytes;
 	this->public.rng.allocate_bytes = (void (*) (rng_t *, size_t, chunk_t*)) allocate_bytes;
 	this->public.rng.destroy = (void (*) (rng_t *))destroy;
-	
+
 	/* map RNG quality to Padlock quality factor */
 	switch (quality)
 	{
@@ -128,7 +128,7 @@ padlock_rng_t *padlock_rng_create(rng_quality_t quality)
 			this->quality = PADLOCK_QF3;
 			break;
 	}
-	
+
 	return &this->public;
 }
 
diff --git a/src/libstrongswan/plugins/padlock/padlock_rng.h b/src/libstrongswan/plugins/padlock/padlock_rng.h
index 237d8fbe2..776be8937 100644
--- a/src/libstrongswan/plugins/padlock/padlock_rng.h
+++ b/src/libstrongswan/plugins/padlock/padlock_rng.h
@@ -29,7 +29,7 @@ typedef struct padlock_rng_t padlock_rng_t;
  * Hardware-RNG based on via Padlock.
  */
 struct padlock_rng_t {
-	
+
 	/**
 	 * Implements rng_t interface.
 	 */
@@ -44,4 +44,4 @@ struct padlock_rng_t {
  */
 padlock_rng_t *padlock_rng_create(rng_quality_t quality);
 
-#endif /** PADLOCK_RNG_ @}*/
+#endif /** PADLOCK_RNG_H_ @}*/
diff --git a/src/libstrongswan/plugins/padlock/padlock_sha1_hasher.c b/src/libstrongswan/plugins/padlock/padlock_sha1_hasher.c
index b5a6abc64..60b516675 100644
--- a/src/libstrongswan/plugins/padlock/padlock_sha1_hasher.c
+++ b/src/libstrongswan/plugins/padlock/padlock_sha1_hasher.c
@@ -32,7 +32,7 @@ struct private_padlock_sha1_hasher_t {
 	 * Public interface for this hasher.
 	 */
 	padlock_sha1_hasher_t public;
-	
+
 	/**
 	 * data collected to hash
 	 */
@@ -45,8 +45,8 @@ struct private_padlock_sha1_hasher_t {
 static void padlock_sha1(int len, u_char *in, u_char *out)
 {
 	/* rep xsha1 */
-    asm volatile (
-		".byte 0xf3, 0x0f, 0xa6, 0xc8" 
+	asm volatile (
+		".byte 0xf3, 0x0f, 0xa6, 0xc8"
 		: "+S"(in), "+D"(out)
 		: "c"(len), "a"(0));
 }
@@ -57,7 +57,7 @@ static void padlock_sha1(int len, u_char *in, u_char *out)
 static void sha1(chunk_t data, u_int32_t *digest)
 {
 	u_int32_t hash[128] PADLOCK_ALIGN;
- 
+
 	hash[0] = 0x67452301;
 	hash[1] = 0xefcdab89;
 	hash[2] = 0x98badcfe;
@@ -105,14 +105,14 @@ static void get_hash(private_padlock_sha1_hasher_t *this, chunk_t chunk,
 			sha1(this->data, (u_int32_t*)hash);
 		}
 		else
-		{   /* hash directly if no previous data found */   
+		{   /* hash directly if no previous data found */
 			sha1(chunk, (u_int32_t*)hash);
 		}
 		reset(this);
 	}
 	else
 	{
-		append_data(this, chunk);	
+		append_data(this, chunk);
 	}
 }
 
@@ -129,10 +129,10 @@ static void allocate_hash(private_padlock_sha1_hasher_t *this, chunk_t chunk,
 	}
 	else
 	{
-		get_hash(this, chunk, NULL);	
+		get_hash(this, chunk, NULL);
 	}
 }
-	
+
 /**
  * Implementation of hasher_t.get_hash_size.
  */
@@ -156,20 +156,20 @@ static void destroy(private_padlock_sha1_hasher_t *this)
 padlock_sha1_hasher_t *padlock_sha1_hasher_create(hash_algorithm_t algo)
 {
 	private_padlock_sha1_hasher_t *this;
-	
+
 	if (algo != HASH_SHA1)
 	{
 		return NULL;
 	}
-	
+
 	this = malloc_thing(private_padlock_sha1_hasher_t);
 	this->public.hasher_interface.get_hash = (void (*) (hasher_t*, chunk_t, u_int8_t*))get_hash;
 	this->public.hasher_interface.allocate_hash = (void (*) (hasher_t*, chunk_t, chunk_t*))allocate_hash;
 	this->public.hasher_interface.get_hash_size = (size_t (*) (hasher_t*))get_hash_size;
 	this->public.hasher_interface.reset = (void (*) (hasher_t*))reset;
 	this->public.hasher_interface.destroy = (void (*) (hasher_t*))destroy;
-	
+
 	this->data = chunk_empty;
-	
+
 	return &(this->public);
 }
diff --git a/src/libstrongswan/plugins/padlock/padlock_sha1_hasher.h b/src/libstrongswan/plugins/padlock/padlock_sha1_hasher.h
index afa1e046d..740bdfe98 100644
--- a/src/libstrongswan/plugins/padlock/padlock_sha1_hasher.h
+++ b/src/libstrongswan/plugins/padlock/padlock_sha1_hasher.h
@@ -30,7 +30,7 @@ typedef struct padlock_sha1_hasher_t padlock_sha1_hasher_t;
  * Implementation of hasher_t interface using the SHA1 algorithm.
  */
 struct padlock_sha1_hasher_t {
-	
+
 	/**
 	 * Implements hasher_t interface.
 	 */
diff --git a/src/libstrongswan/plugins/pem/Makefile.am b/src/libstrongswan/plugins/pem/Makefile.am
new file mode 100644
index 000000000..98f356aaf
--- /dev/null
+++ b/src/libstrongswan/plugins/pem/Makefile.am
@@ -0,0 +1,12 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = -rdynamic
+
+plugin_LTLIBRARIES = libstrongswan-pem.la
+
+libstrongswan_pem_la_SOURCES = pem_plugin.h pem_plugin.c \
+  pem_builder.c pem_builder.h
+
+libstrongswan_pem_la_LDFLAGS = -module -avoid-version
+
diff --git a/src/libstrongswan/plugins/pem/Makefile.in b/src/libstrongswan/plugins/pem/Makefile.in
new file mode 100644
index 000000000..e81b4f78f
--- /dev/null
+++ b/src/libstrongswan/plugins/pem/Makefile.in
@@ -0,0 +1,569 @@
+# Makefile.in generated by automake 1.11 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libstrongswan/plugins/pem
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(plugin_LTLIBRARIES)
+libstrongswan_pem_la_LIBADD =
+am_libstrongswan_pem_la_OBJECTS = pem_plugin.lo pem_builder.lo
+libstrongswan_pem_la_OBJECTS = $(am_libstrongswan_pem_la_OBJECTS)
+libstrongswan_pem_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_pem_la_LDFLAGS) $(LDFLAGS) -o $@
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_pem_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_pem_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libstrongswan_plugins = @libstrongswan_plugins@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+AM_CFLAGS = -rdynamic
+plugin_LTLIBRARIES = libstrongswan-pem.la
+libstrongswan_pem_la_SOURCES = pem_plugin.h pem_plugin.c \
+  pem_builder.c pem_builder.h
+
+libstrongswan_pem_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/pem/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libstrongswan/plugins/pem/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-pem.la: $(libstrongswan_pem_la_OBJECTS) $(libstrongswan_pem_la_DEPENDENCIES) 
+	$(libstrongswan_pem_la_LINK) -rpath $(plugindir) $(libstrongswan_pem_la_OBJECTS) $(libstrongswan_pem_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pem_builder.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pem_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
+	mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
+	distclean-compile distclean-generic distclean-libtool \
+	distclean-tags distdir dvi dvi-am html html-am info info-am \
+	install install-am install-data install-data-am install-dvi \
+	install-dvi-am install-exec install-exec-am install-html \
+	install-html-am install-info install-info-am install-man \
+	install-pdf install-pdf-am install-pluginLTLIBRARIES \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libstrongswan/plugins/pem/pem_builder.c b/src/libstrongswan/plugins/pem/pem_builder.c
new file mode 100644
index 000000000..2f285e9bc
--- /dev/null
+++ b/src/libstrongswan/plugins/pem/pem_builder.c
@@ -0,0 +1,566 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Copyright (C) 2001-2008 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "pem_builder.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <errno.h>
+#include <string.h>
+#include <stddef.h>
+#include <fcntl.h>
+#include <sys/types.h>
+#include <sys/mman.h>
+#include <sys/stat.h>
+
+#include <debug.h>
+#include <library.h>
+#include <utils/lexparser.h>
+#include <asn1/asn1.h>
+#include <crypto/hashers/hasher.h>
+#include <crypto/crypters/crypter.h>
+#include <credentials/certificates/x509.h>
+
+#define PKCS5_SALT_LEN	8	/* bytes */
+
+/**
+ * check the presence of a pattern in a character string, skip if found
+ */
+static bool present(char* pattern, chunk_t* ch)
+{
+	u_int len = strlen(pattern);
+
+	if (ch->len >= len && strneq(ch->ptr, pattern, len))
+	{
+		*ch = chunk_skip(*ch, len);
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/**
+ * find a boundary of the form -----tag name-----
+ */
+static bool find_boundary(char* tag, chunk_t *line)
+{
+	chunk_t name = chunk_empty;
+
+	if (!present("-----", line) ||
+		!present(tag, line) ||
+		*line->ptr != ' ')
+	{
+		return FALSE;
+	}
+	*line = chunk_skip(*line, 1);
+
+	/* extract name */
+	name.ptr = line->ptr;
+	while (line->len > 0)
+	{
+		if (present("-----", line))
+		{
+			DBG2("  -----%s %.*s-----", tag, (int)name.len, name.ptr);
+			return TRUE;
+		}
+		line->ptr++;  line->len--;  name.len++;
+	}
+	return FALSE;
+}
+
+/*
+ * decrypts a passphrase protected encrypted data block
+ */
+static status_t pem_decrypt(chunk_t *blob, encryption_algorithm_t alg,
+							size_t key_size, chunk_t iv, chunk_t passphrase)
+{
+	hasher_t *hasher;
+	crypter_t *crypter;
+	chunk_t salt = { iv.ptr, PKCS5_SALT_LEN };
+	chunk_t hash;
+	chunk_t decrypted;
+	chunk_t key = {alloca(key_size), key_size};
+	u_int8_t padding, *last_padding_pos, *first_padding_pos;
+
+	/* build key from passphrase and IV */
+	hasher = lib->crypto->create_hasher(lib->crypto, HASH_MD5);
+	if (hasher == NULL)
+	{
+		DBG1("  MD5 hash algorithm not available");
+		return NOT_SUPPORTED;
+	}
+	hash.len = hasher->get_hash_size(hasher);
+	hash.ptr = alloca(hash.len);
+	hasher->get_hash(hasher, passphrase, NULL);
+	hasher->get_hash(hasher, salt, hash.ptr);
+	memcpy(key.ptr, hash.ptr, hash.len);
+
+	if (key.len > hash.len)
+	{
+		hasher->get_hash(hasher, hash, NULL);
+		hasher->get_hash(hasher, passphrase, NULL);
+		hasher->get_hash(hasher, salt, hash.ptr);
+		memcpy(key.ptr + hash.len, hash.ptr, key.len - hash.len);
+	}
+	hasher->destroy(hasher);
+
+	/* decrypt blob */
+	crypter = lib->crypto->create_crypter(lib->crypto, alg, key_size);
+	if (crypter == NULL)
+	{
+		DBG1("  %N encryption algorithm not available",
+			 encryption_algorithm_names, alg);
+		return NOT_SUPPORTED;
+	}
+	crypter->set_key(crypter, key);
+
+	if (iv.len != crypter->get_block_size(crypter) ||
+		blob->len % iv.len)
+	{
+		crypter->destroy(crypter);
+		DBG1("  data size is not multiple of block size");
+		return PARSE_ERROR;
+	}
+	crypter->decrypt(crypter, *blob, iv, &decrypted);
+	crypter->destroy(crypter);
+	memcpy(blob->ptr, decrypted.ptr, blob->len);
+	chunk_free(&decrypted);
+
+	/* determine amount of padding */
+	last_padding_pos = blob->ptr + blob->len - 1;
+	padding = *last_padding_pos;
+	if (padding > blob->len)
+	{
+		first_padding_pos = blob->ptr;
+	}
+	else
+	{
+		first_padding_pos = last_padding_pos - padding;
+	}
+	/* check the padding pattern */
+	while (--last_padding_pos > first_padding_pos)
+	{
+		if (*last_padding_pos != padding)
+		{
+			DBG1("  invalid passphrase");
+			return INVALID_ARG;
+		}
+	}
+	/* remove padding */
+	blob->len -= padding;
+	return SUCCESS;
+}
+
+/**
+ * Converts a PEM encoded file into its binary form (RFC 1421, RFC 934)
+ */
+static status_t pem_to_bin(chunk_t *blob, chunk_t(*cb)(void*,int), void *cb_data,
+						   bool *pgp)
+{
+	typedef enum {
+		PEM_PRE    = 0,
+		PEM_MSG    = 1,
+		PEM_HEADER = 2,
+		PEM_BODY   = 3,
+		PEM_POST   = 4,
+		PEM_ABORT  = 5
+	} state_t;
+
+	encryption_algorithm_t alg = ENCR_UNDEFINED;
+	size_t key_size = 0;
+	bool encrypted = FALSE;
+	state_t state  = PEM_PRE;
+	chunk_t src    = *blob;
+	chunk_t dst    = *blob;
+	chunk_t line   = chunk_empty;
+	chunk_t iv     = chunk_empty;
+	chunk_t passphrase;
+	int try = 0;
+	u_char iv_buf[HASH_SIZE_MD5];
+
+	dst.len = 0;
+	iv.ptr = iv_buf;
+	iv.len = 0;
+
+	while (fetchline(&src, &line))
+	{
+		if (state == PEM_PRE)
+		{
+			if (find_boundary("BEGIN", &line))
+			{
+				state = PEM_MSG;
+			}
+			continue;
+		}
+		else
+		{
+			if (find_boundary("END", &line))
+			{
+				state = PEM_POST;
+				break;
+			}
+			if (state == PEM_MSG)
+			{
+				state = PEM_HEADER;
+				if (memchr(line.ptr, ':', line.len) == NULL)
+				{
+					state = PEM_BODY;
+				}
+			}
+			if (state == PEM_HEADER)
+			{
+				err_t ugh = NULL;
+				chunk_t name  = chunk_empty;
+				chunk_t value = chunk_empty;
+
+				/* an empty line separates HEADER and BODY */
+				if (line.len == 0)
+				{
+					state = PEM_BODY;
+					continue;
+				}
+
+				/* we are looking for a parameter: value pair */
+				DBG2("  %.*s", (int)line.len, line.ptr);
+				ugh = extract_parameter_value(&name, &value, &line);
+				if (ugh != NULL)
+				{
+					continue;
+				}
+				if (match("Proc-Type", &name) && *value.ptr == '4')
+				{
+					encrypted = TRUE;
+				}
+				else if (match("DEK-Info", &name))
+				{
+					chunk_t dek;
+
+					if (!extract_token(&dek, ',', &value))
+					{
+						dek = value;
+					}
+					if (match("DES-EDE3-CBC", &dek))
+					{
+						alg = ENCR_3DES;
+						key_size = 24;
+					}
+					else if (match("AES-128-CBC", &dek))
+					{
+						alg = ENCR_AES_CBC;
+						key_size = 16;
+					}
+					else if (match("AES-192-CBC", &dek))
+					{
+						alg = ENCR_AES_CBC;
+						key_size = 24;
+					}
+					else if (match("AES-256-CBC", &dek))
+					{
+						alg = ENCR_AES_CBC;
+						key_size = 32;
+					}
+					else
+					{
+						DBG1("  encryption algorithm '%.*s' not supported",
+							 dek.len, dek.ptr);
+						return NOT_SUPPORTED;
+					}
+					eat_whitespace(&value);
+					iv = chunk_from_hex(value, iv.ptr);
+				}
+			}
+			else /* state is PEM_BODY */
+			{
+				chunk_t data;
+
+				/* remove any trailing whitespace */
+				if (!extract_token(&data ,' ', &line))
+				{
+					data = line;
+				}
+
+				/* check for PGP armor checksum */
+				if (*data.ptr == '=')
+				{
+					*pgp = TRUE;
+					data.ptr++;
+					data.len--;
+					DBG2("  armor checksum: %.*s", (int)data.len, data.ptr);
+					continue;
+				}
+
+				if (blob->len - dst.len < data.len / 4 * 3)
+				{
+					state = PEM_ABORT;
+				}
+				data = chunk_from_base64(data, dst.ptr);
+
+				dst.ptr += data.len;
+				dst.len += data.len;
+			}
+		}
+	}
+	/* set length to size of binary blob */
+	blob->len = dst.len;
+
+	if (state != PEM_POST)
+	{
+		DBG1("  file coded in unknown format, discarded");
+		return PARSE_ERROR;
+	}
+	if (!encrypted)
+	{
+		return SUCCESS;
+	}
+	if (!cb)
+	{
+		DBG1("  missing passphrase");
+		return INVALID_ARG;
+	}
+	while (TRUE)
+	{
+		passphrase = cb(cb_data, ++try);
+		if (!passphrase.len || !passphrase.ptr)
+		{
+			return INVALID_ARG;
+		}
+		switch (pem_decrypt(blob, alg, key_size, iv, passphrase))
+		{
+			case INVALID_ARG:
+				/* bad passphrase, retry */
+				continue;
+			case SUCCESS:
+				return SUCCESS;
+			default:
+				return FAILED;
+		}
+	}
+}
+
+/**
+ * load the credential from a blob
+ */
+static void *load_from_blob(chunk_t blob, credential_type_t type, int subtype,
+							chunk_t(*cb)(void*,int), void *cb_data,
+							x509_flag_t flags)
+{
+	void *cred = NULL;
+	bool pgp = FALSE;
+
+	blob = chunk_clone(blob);
+	if (!is_asn1(blob))
+	{
+		if (pem_to_bin(&blob, cb, cb_data, &pgp) != SUCCESS)
+		{
+			chunk_clear(&blob);
+			return NULL;
+		}
+		if (pgp && type == CRED_PRIVATE_KEY)
+		{
+			/* PGP encoded keys are parsed with a KEY_ANY key type, as it
+			 * can contain any type of key. However, ipsec.secrets uses
+			 * RSA for PGP keys, which is actually wrong. */
+			subtype = KEY_ANY;
+		}
+	}
+	/* if CERT_ANY is given, ASN1 encoded blob is handled as X509 */
+	if (type == CRED_CERTIFICATE && subtype == CERT_ANY)
+	{
+		subtype = pgp ? CERT_GPG : CERT_X509;
+	}
+	cred = lib->creds->create(lib->creds, type, subtype,
+							  pgp ? BUILD_BLOB_PGP : BUILD_BLOB_ASN1_DER, blob,
+							  flags ? BUILD_X509_FLAG : BUILD_END,
+							  flags, BUILD_END);
+	chunk_clear(&blob);
+	return cred;
+}
+
+/**
+ * load the credential from a file
+ */
+static void *load_from_file(char *file, credential_type_t type, int subtype,
+							chunk_t(*cb)(void*,int), void *cb_data,
+							x509_flag_t flags)
+{
+	void *cred = NULL;
+	struct stat sb;
+	void *addr;
+	int fd;
+
+	fd = open(file, O_RDONLY);
+	if (fd == -1)
+	{
+		DBG1("  opening '%s' failed: %s", file, strerror(errno));
+		return NULL;
+	}
+
+	if (fstat(fd, &sb) == -1)
+	{
+		DBG1("  getting file size of '%s' failed: %s", file, strerror(errno));
+		close(fd);
+		return NULL;
+	}
+
+	addr = mmap(NULL, sb.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
+	if (addr == MAP_FAILED)
+	{
+		DBG1("  mapping '%s' failed: %s", file, strerror(errno));
+		close(fd);
+		return NULL;
+	}
+
+	cred = load_from_blob(chunk_create(addr, sb.st_size), type, subtype,
+						  cb, cb_data, flags);
+
+	munmap(addr, sb.st_size);
+	close(fd);
+	return cred;
+}
+
+/**
+ * load the credential from a file descriptor
+ */
+static void *load_from_fd(int fd, credential_type_t type, int subtype,
+						  chunk_t(*cb)(void*,int), void *cb_data,
+						  x509_flag_t flags)
+{
+	char buf[8096];
+	char *pos = buf;
+	ssize_t len, total = 0;
+
+	while (TRUE)
+	{
+		len = read(fd, pos, buf + sizeof(buf) - pos);
+		if (len < 0)
+		{
+			DBG1("reading from file descriptor failed: %s", strerror(errno));
+			return NULL;
+		}
+		if (len == 0)
+		{
+			break;
+		}
+		total += len;
+		if (total == sizeof(buf))
+		{
+			DBG1("buffer too small to read from file descriptor");
+			return NULL;
+		}
+	}
+	return load_from_blob(chunk_create(buf, total), type, subtype,
+						  cb, cb_data, flags);
+}
+
+/**
+ * passphrase callback to use if passphrase given
+ */
+static chunk_t given_passphrase_cb(chunk_t *passphrase, int try)
+{
+	if (try > 1)
+	{	/* try only once for given passphrases */
+		return chunk_empty;
+	}
+	return *passphrase;
+}
+
+/**
+ * Load all kind of PEM encoded credentials.
+ */
+static void *pem_load(credential_type_t type, int subtype, va_list args)
+{
+	char *file = NULL;
+	int fd = -1;
+	chunk_t pem = chunk_empty, passphrase = chunk_empty;
+	chunk_t (*cb)(void *data, int try) = NULL;
+	void *cb_data = NULL;
+	int flags = 0;
+
+	while (TRUE)
+	{
+		switch (va_arg(args, builder_part_t))
+		{
+			case BUILD_FROM_FILE:
+				file = va_arg(args, char*);
+				continue;
+			case BUILD_FROM_FD:
+				fd = va_arg(args, int);
+				continue;
+			case BUILD_BLOB_PEM:
+				pem = va_arg(args, chunk_t);
+				continue;
+			case BUILD_PASSPHRASE:
+				passphrase = va_arg(args, chunk_t);
+				if (passphrase.len && passphrase.ptr)
+				{
+					cb = (void*)given_passphrase_cb;
+					cb_data = &passphrase;
+				}
+				continue;
+			case BUILD_PASSPHRASE_CALLBACK:
+				cb = va_arg(args, chunk_t(*)(void*,int));
+				cb_data = va_arg(args, void*);
+				continue;
+			case BUILD_X509_FLAG:
+				flags = va_arg(args, int);
+				continue;
+			case BUILD_END:
+				break;
+			default:
+				return NULL;
+		}
+		break;
+	}
+
+	if (pem.ptr)
+	{
+		return load_from_blob(pem, type, subtype, cb, cb_data, flags);
+	}
+	if (file)
+	{
+		return load_from_file(file, type, subtype, cb, cb_data, flags);
+	}
+	if (fd != -1)
+	{
+		return load_from_fd(fd, type, subtype, cb, cb_data, flags);
+	}
+	return NULL;
+}
+
+/**
+ * Private key PEM loader.
+ */
+private_key_t *pem_private_key_load(key_type_t type, va_list args)
+{
+	return pem_load(CRED_PRIVATE_KEY, type, args);
+}
+
+/**
+ * Public key PEM loader.
+ */
+public_key_t *pem_public_key_load(key_type_t type, va_list args)
+{
+	return pem_load(CRED_PUBLIC_KEY, type, args);
+}
+
+/**
+ * Certificate PEM loader.
+ */
+certificate_t *pem_certificate_load(certificate_type_t type, va_list args)
+{
+	return pem_load(CRED_CERTIFICATE, type, args);
+}
+
diff --git a/src/libstrongswan/plugins/pem/pem_builder.h b/src/libstrongswan/plugins/pem/pem_builder.h
new file mode 100644
index 000000000..189a5430f
--- /dev/null
+++ b/src/libstrongswan/plugins/pem/pem_builder.h
@@ -0,0 +1,57 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pem_builder pem_builder
+ * @{ @ingroup pem_p
+ */
+
+#ifndef PEM_PRIVATE_KEY_H_
+#define PEM_PRIVATE_KEY_H_
+
+#include <credentials/builder.h>
+#include <credentials/credential_factory.h>
+#include <credentials/keys/private_key.h>
+#include <credentials/certificates/certificate.h>
+
+/**
+ * Load PEM encoded private keys.
+ *
+ * @param type		type of the key
+ * @param args		builder_part_t argument list
+ * @return 			private key, NULL if failed
+ */
+private_key_t *pem_private_key_load(key_type_t type, va_list args);
+
+/**
+ * Load PEM encoded public keys.
+ *
+ * @param type		type of the key
+ * @param args		builder_part_t argument list
+ * @return 			public key, NULL if failed
+ */
+public_key_t *pem_public_key_load(key_type_t type, va_list args);
+
+/**
+ * Build PEM encoded certificates.
+ *
+ * @param type		type of the certificate
+ * @param args		builder_part_t argument list
+ * @return 			certificate, NULL if failed
+ */
+certificate_t *pem_certificate_load(certificate_type_t type, va_list args);
+
+#endif /** PEM_PRIVATE_KEY_H_ @}*/
+
diff --git a/src/libstrongswan/plugins/pem/pem_plugin.c b/src/libstrongswan/plugins/pem/pem_plugin.c
new file mode 100644
index 000000000..5a5149ca8
--- /dev/null
+++ b/src/libstrongswan/plugins/pem/pem_plugin.c
@@ -0,0 +1,105 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "pem_plugin.h"
+
+#include <library.h>
+#include "pem_builder.h"
+
+typedef struct private_pem_plugin_t private_pem_plugin_t;
+
+/**
+ * private data of pem_plugin
+ */
+struct private_pem_plugin_t {
+
+	/**
+	 * public functions
+	 */
+	pem_plugin_t public;
+};
+
+/**
+ * Implementation of pem_plugin_t.pemtroy
+ */
+static void destroy(private_pem_plugin_t *this)
+{
+	lib->creds->remove_builder(lib->creds,
+							   (builder_function_t)pem_private_key_load);
+	lib->creds->remove_builder(lib->creds,
+							   (builder_function_t)pem_public_key_load);
+	lib->creds->remove_builder(lib->creds,
+							   (builder_function_t)pem_certificate_load);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *plugin_create()
+{
+	private_pem_plugin_t *this = malloc_thing(private_pem_plugin_t);
+
+	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+
+	/* register private key PEM decoding builders */
+	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_ANY,
+							(builder_function_t)pem_private_key_load);
+	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+							(builder_function_t)pem_private_key_load);
+	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_ECDSA,
+							(builder_function_t)pem_private_key_load);
+	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_DSA,
+							(builder_function_t)pem_private_key_load);
+
+	/* register public key PEM decoding builders */
+	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_ANY,
+							(builder_function_t)pem_public_key_load);
+	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
+							(builder_function_t)pem_public_key_load);
+	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_ECDSA,
+							(builder_function_t)pem_public_key_load);
+	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_DSA,
+							(builder_function_t)pem_public_key_load);
+
+	/* register certificate PEM decoding builders */
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_ANY,
+							(builder_function_t)pem_certificate_load);
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509,
+							(builder_function_t)pem_certificate_load);
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL,
+							(builder_function_t)pem_certificate_load);
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_OCSP_REQUEST,
+							(builder_function_t)pem_certificate_load);
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_OCSP_RESPONSE,
+							(builder_function_t)pem_certificate_load);
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_AC,
+							(builder_function_t)pem_certificate_load);
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_PKCS10_REQUEST,
+							(builder_function_t)pem_certificate_load);
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_TRUSTED_PUBKEY,
+							(builder_function_t)pem_certificate_load);
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_GPG,
+							(builder_function_t)pem_certificate_load);
+
+	/* register pluto specific certificate formats */
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_PLUTO_CERT,
+							(builder_function_t)pem_certificate_load);
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_PLUTO_CRL,
+							(builder_function_t)pem_certificate_load);
+
+	return &this->public.plugin;
+}
+
diff --git a/src/libstrongswan/plugins/pem/pem_plugin.h b/src/libstrongswan/plugins/pem/pem_plugin.h
new file mode 100644
index 000000000..75616c496
--- /dev/null
+++ b/src/libstrongswan/plugins/pem/pem_plugin.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pem_p pem
+ * @ingroup plugins
+ *
+ * @defgroup pem_plugin pem_plugin
+ * @{ @ingroup pem_p
+ */
+
+#ifndef PEM_PLUGIN_H_
+#define PEM_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct pem_plugin_t pem_plugin_t;
+
+/**
+ * Plugin providing support to load credentials in PEM format
+ */
+struct pem_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+/**
+ * Create a pem_plugin instance.
+ */
+plugin_t *plugin_create();
+
+#endif /** PEM_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/pgp/Makefile.am b/src/libstrongswan/plugins/pgp/Makefile.am
new file mode 100644
index 000000000..c232971bb
--- /dev/null
+++ b/src/libstrongswan/plugins/pgp/Makefile.am
@@ -0,0 +1,15 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = -rdynamic
+
+plugin_LTLIBRARIES = libstrongswan-pgp.la
+
+libstrongswan_pgp_la_SOURCES = pgp_plugin.h pgp_plugin.c \
+  pgp_utils.h pgp_utils.c \
+  pgp_cert.h pgp_cert.c \
+  pgp_encoder.h pgp_encoder.c \
+  pgp_builder.h pgp_builder.c
+
+libstrongswan_pgp_la_LDFLAGS = -module -avoid-version
+
diff --git a/src/libstrongswan/plugins/pgp/Makefile.in b/src/libstrongswan/plugins/pgp/Makefile.in
new file mode 100644
index 000000000..70840c400
--- /dev/null
+++ b/src/libstrongswan/plugins/pgp/Makefile.in
@@ -0,0 +1,576 @@
+# Makefile.in generated by automake 1.11 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libstrongswan/plugins/pgp
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(plugin_LTLIBRARIES)
+libstrongswan_pgp_la_LIBADD =
+am_libstrongswan_pgp_la_OBJECTS = pgp_plugin.lo pgp_utils.lo \
+	pgp_cert.lo pgp_encoder.lo pgp_builder.lo
+libstrongswan_pgp_la_OBJECTS = $(am_libstrongswan_pgp_la_OBJECTS)
+libstrongswan_pgp_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_pgp_la_LDFLAGS) $(LDFLAGS) -o $@
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_pgp_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_pgp_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libstrongswan_plugins = @libstrongswan_plugins@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+AM_CFLAGS = -rdynamic
+plugin_LTLIBRARIES = libstrongswan-pgp.la
+libstrongswan_pgp_la_SOURCES = pgp_plugin.h pgp_plugin.c \
+  pgp_utils.h pgp_utils.c \
+  pgp_cert.h pgp_cert.c \
+  pgp_encoder.h pgp_encoder.c \
+  pgp_builder.h pgp_builder.c
+
+libstrongswan_pgp_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/pgp/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libstrongswan/plugins/pgp/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-pgp.la: $(libstrongswan_pgp_la_OBJECTS) $(libstrongswan_pgp_la_DEPENDENCIES) 
+	$(libstrongswan_pgp_la_LINK) -rpath $(plugindir) $(libstrongswan_pgp_la_OBJECTS) $(libstrongswan_pgp_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pgp_builder.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pgp_cert.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pgp_encoder.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pgp_plugin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pgp_utils.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
+	mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
+	distclean-compile distclean-generic distclean-libtool \
+	distclean-tags distdir dvi dvi-am html html-am info info-am \
+	install install-am install-data install-data-am install-dvi \
+	install-dvi-am install-exec install-exec-am install-html \
+	install-html-am install-info install-info-am install-man \
+	install-pdf install-pdf-am install-pluginLTLIBRARIES \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libstrongswan/plugins/pgp/pgp_builder.c b/src/libstrongswan/plugins/pgp/pgp_builder.c
new file mode 100644
index 000000000..d262d18ff
--- /dev/null
+++ b/src/libstrongswan/plugins/pgp/pgp_builder.c
@@ -0,0 +1,275 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Copyright (C) 2002-2009 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "pgp_builder.h"
+#include "pgp_utils.h"
+
+#include <enum.h>
+#include <debug.h>
+#include <credentials/keys/private_key.h>
+
+/**
+ * Load a generic public key from a PGP packet
+ */
+static public_key_t *parse_public_key(chunk_t blob)
+{
+	u_int32_t alg;
+	public_key_t *key;
+
+	if (!pgp_read_scalar(&blob, 1, &alg))
+	{
+		return NULL;
+	}
+	switch (alg)
+	{
+		case PGP_PUBKEY_ALG_RSA:
+		case PGP_PUBKEY_ALG_RSA_SIGN_ONLY:
+			key = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
+									 BUILD_BLOB_PGP, blob, BUILD_END);
+			break;
+		default:
+			DBG1("PGP public key algorithm %N not supported",
+				 pgp_pubkey_alg_names, alg);
+			return NULL;
+	}
+	return key;
+}
+
+/**
+ * Load a RSA public key from a PGP packet
+ */
+static public_key_t *parse_rsa_public_key(chunk_t blob)
+{
+	chunk_t mpi[2];
+	int i;
+
+	for (i = 0; i < 2; i++)
+	{
+		if (!pgp_read_mpi(&blob, &mpi[i]))
+		{
+			return NULL;
+		}
+	}
+	return lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
+						BUILD_RSA_MODULUS, mpi[0], BUILD_RSA_PUB_EXP, mpi[1],
+						BUILD_END);
+}
+
+/**
+ * Load a RSA private key from a PGP packet
+ */
+static private_key_t *parse_rsa_private_key(chunk_t blob)
+{
+	chunk_t mpi[6];
+	u_int32_t s2k;
+	int i;
+
+	for (i = 0; i < 2; i++)
+	{
+		if (!pgp_read_mpi(&blob, &mpi[i]))
+		{
+			return NULL;
+		}
+	}
+	if (!pgp_read_scalar(&blob, 1, &s2k))
+	{
+		return NULL;
+	}
+	if (s2k == 255 || s2k == 254)
+	{
+		DBG1("string-to-key specifiers not supported");
+		return NULL;
+	}
+	if (s2k != PGP_SYM_ALG_PLAIN)
+	{
+		DBG1("%N private key encryption not supported", pgp_sym_alg_names, s2k);
+		return NULL;
+	}
+
+	for (i = 2; i < 6; i++)
+	{
+		if (!pgp_read_mpi(&blob, &mpi[i]))
+		{
+			return NULL;
+		}
+	}
+
+	/* PGP has uses p < q, but we use p > q */
+	return lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+						BUILD_RSA_MODULUS, mpi[0], BUILD_RSA_PUB_EXP, mpi[1],
+						BUILD_RSA_PRIV_EXP, mpi[2], BUILD_RSA_PRIME2, mpi[3],
+						BUILD_RSA_PRIME1, mpi[4], BUILD_RSA_COEFF, mpi[5],
+						BUILD_END);
+}
+
+/**
+ * Implementation of private_key_t.sign for encryption-only keys
+ */
+static bool sign_not_allowed(private_key_t *this, signature_scheme_t scheme,
+							 chunk_t data, chunk_t *signature)
+{
+	DBG1("signing failed - decryption only key");
+	return FALSE;
+}
+
+/**
+ * Implementation of private_key_t.decrypt for signature-only keys
+ */
+static bool decrypt_not_allowed(private_key_t *this,
+								chunk_t crypto, chunk_t *plain)
+{
+	DBG1("decryption failed - signature only key");
+	return FALSE;
+}
+
+/**
+ * Load a generic private key from a PGP packet
+ */
+static private_key_t *parse_private_key(chunk_t blob)
+{
+	chunk_t packet;
+	pgp_packet_tag_t tag;
+	u_int32_t version, created, days, alg;
+	private_key_t *key;
+
+	if (!pgp_read_packet(&blob, &packet, &tag))
+	{
+		return NULL;
+	}
+	if (!pgp_read_scalar(&packet, 1, &version))
+	{
+		return FALSE;
+	}
+	switch (version)
+	{
+		case 3:
+			if (!pgp_read_scalar(&packet, 2, &days))
+			{
+				return NULL;
+			}
+			break;
+		case 4:
+			break;
+		default:
+			DBG1("PGP packet version V%d not supported", version);
+			return FALSE;
+	}
+	if (!pgp_read_scalar(&packet, 4, &created))
+	{
+		return NULL;
+	}
+	if (!pgp_read_scalar(&packet, 1, &alg))
+	{
+		return NULL;
+	}
+	switch (alg)
+	{
+		case PGP_PUBKEY_ALG_RSA:
+			return lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+									  BUILD_BLOB_PGP, packet, BUILD_END);
+		case PGP_PUBKEY_ALG_RSA_ENC_ONLY:
+			key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+									  BUILD_BLOB_PGP, packet, BUILD_END);
+			if (key)
+			{
+				key->sign = sign_not_allowed;
+			}
+			return key;
+		case PGP_PUBKEY_ALG_RSA_SIGN_ONLY:
+			key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+									  BUILD_BLOB_PGP, packet, BUILD_END);
+			if (key)
+			{
+				key->decrypt = decrypt_not_allowed;
+			}
+			return key;
+		case PGP_PUBKEY_ALG_ECDSA:
+			return lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_ECDSA,
+									  BUILD_BLOB_PGP, packet, BUILD_END);
+		case PGP_PUBKEY_ALG_ELGAMAL_ENC_ONLY:
+		case PGP_PUBKEY_ALG_DSA:
+		case PGP_PUBKEY_ALG_ECC:
+		case PGP_PUBKEY_ALG_ELGAMAL:
+		case PGP_PUBKEY_ALG_DIFFIE_HELLMAN:
+		default:
+			return NULL;
+	}
+}
+
+/**
+ *  See header.
+ */
+public_key_t *pgp_public_key_load(key_type_t type, va_list args)
+{
+	chunk_t blob = chunk_empty;
+
+	while (TRUE)
+	{
+		switch (va_arg(args, builder_part_t))
+		{
+			case BUILD_BLOB_PGP:
+				blob = va_arg(args, chunk_t);
+				continue;
+			case BUILD_END:
+				break;
+			default:
+				return NULL;
+		}
+		break;
+	}
+	switch (type)
+	{
+		case KEY_ANY:
+			return parse_public_key(blob);
+		case KEY_RSA:
+			return parse_rsa_public_key(blob);
+		default:
+			return NULL;
+	}
+}
+
+/**
+ * See header.
+ */
+private_key_t *pgp_private_key_load(key_type_t type, va_list args)
+{
+	chunk_t blob = chunk_empty;
+
+	while (TRUE)
+	{
+		switch (va_arg(args, builder_part_t))
+		{
+			case BUILD_BLOB_PGP:
+				blob = va_arg(args, chunk_t);
+				continue;
+			case BUILD_END:
+				break;
+			default:
+				return NULL;
+		}
+		break;
+	}
+	switch (type)
+	{
+		case KEY_ANY:
+			return parse_private_key(blob);
+		case KEY_RSA:
+			return parse_rsa_private_key(blob);
+		default:
+			return NULL;
+	}
+}
+
diff --git a/src/libstrongswan/plugins/pgp/pgp_builder.h b/src/libstrongswan/plugins/pgp/pgp_builder.h
new file mode 100644
index 000000000..1168babd6
--- /dev/null
+++ b/src/libstrongswan/plugins/pgp/pgp_builder.h
@@ -0,0 +1,45 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pgp_public_key pgp_public_key
+ * @{ @ingroup pgp
+ */
+
+#ifndef PGP_BUILDER_H_
+#define PGP_BUILDER_H_
+
+#include <credentials/builder.h>
+#include <credentials/keys/private_key.h>
+
+/**
+ * Load a generic or an RSA public key using PGP decoding.
+ *
+ * @param type		type of the key, either KEY_ANY or KEY_RSA
+ * @param args		builder_part_t argument list
+ * @return 			private key, NULL if failed
+ */
+public_key_t *pgp_public_key_load(key_type_t type, va_list args);
+
+/**
+ * Load a generic or RSA private key using PGP decoding.
+ *
+ * @param type		type of the key, either KEY_ANY or KEY_RSA
+ * @param args		builder_part_t argument list
+ * @return 			builder instance
+ */
+private_key_t *pgp_private_key_load(key_type_t type, va_list args);
+
+#endif /** PGP_BUILDER_H_ @}*/
diff --git a/src/libstrongswan/plugins/pgp/pgp_cert.c b/src/libstrongswan/plugins/pgp/pgp_cert.c
new file mode 100644
index 000000000..fa2612285
--- /dev/null
+++ b/src/libstrongswan/plugins/pgp/pgp_cert.c
@@ -0,0 +1,501 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "pgp_cert.h"
+#include "pgp_utils.h"
+
+#include <time.h>
+
+#include <debug.h>
+
+typedef struct private_pgp_cert_t private_pgp_cert_t;
+
+/**
+ * Private data of an pgp_cert_t object.
+ */
+struct private_pgp_cert_t {
+
+	/**
+	 * Implements pgp_cert_t interface.
+	 */
+	pgp_cert_t public;
+
+	/**
+	 * Public key of the certificate
+	 */
+	public_key_t *key;
+
+	/**
+	 * version of the public key
+	 */
+	u_int32_t version;
+
+	/**
+	 * creation time
+	 */
+	u_int32_t created;
+
+	/**
+	 * days the certificate is valid
+	 */
+	u_int32_t valid;
+
+	/**
+	 * userid of the certificate
+	 */
+	identification_t *user_id;
+
+	/**
+	 * v3 or v4 fingerprint of the PGP public key
+	 */
+	chunk_t fingerprint;
+
+	/**
+	 * full PGP encoding
+	 */
+	chunk_t encoding;
+
+	/**
+	 * reference counter
+	 */
+	refcount_t ref;
+};
+
+
+/**
+ * Implementation of certificate_t.get_type
+ */
+static certificate_type_t get_type(private_pgp_cert_t *this)
+{
+	return CERT_GPG;
+}
+
+/**
+ * Implementation of certificate_t.get_subject
+ */
+static identification_t* get_subject(private_pgp_cert_t *this)
+{
+	return this->user_id;
+}
+
+/**
+ * Implementation of certificate_t.get_issuer
+ */
+static identification_t* get_issuer(private_pgp_cert_t *this)
+{
+	return this->user_id;
+}
+
+/**
+ * Implementation of certificate_t.has_subject.
+ */
+static id_match_t has_subject(private_pgp_cert_t *this,
+							  identification_t *subject)
+{
+	id_match_t match_user_id;
+
+	match_user_id = this->user_id->matches(this->user_id, subject);
+	if (match_user_id == ID_MATCH_NONE &&
+		subject->get_type(subject) == ID_KEY_ID &&
+        chunk_equals(this->fingerprint, subject->get_encoding(subject)))
+	{
+		return ID_MATCH_PERFECT;
+	}
+	return match_user_id;
+}
+
+/**
+ * Implementation of certificate_t.has_subject.
+ */
+static id_match_t has_issuer(private_pgp_cert_t *this, identification_t *issuer)
+{
+	return ID_MATCH_NONE;
+}
+
+/**
+ * Implementation of certificate_t.issued_by
+ */
+static bool issued_by(private_pgp_cert_t *this, certificate_t *issuer)
+{
+	/* TODO: check signature blobs for a valid signature */
+	return FALSE;
+}
+
+/**
+ * Implementation of certificate_t.get_public_key
+ */
+static public_key_t* get_public_key(private_pgp_cert_t *this)
+{
+	this->key->get_ref(this->key);
+	return this->key;
+}
+
+/**
+ * Implementation of certificate_t.get_ref
+ */
+static private_pgp_cert_t* get_ref(private_pgp_cert_t *this)
+{
+	ref_get(&this->ref);
+	return this;
+}
+
+/**
+ * Implementation of certificate_t.get_validity.
+ */
+static bool get_validity(private_pgp_cert_t *this, time_t *when,
+						 time_t *not_before, time_t *not_after)
+{
+	time_t t, until;
+
+	if (when)
+	{
+		t = *when;
+	}
+	else
+	{
+		t = time(NULL);
+	}
+	if (not_before)
+	{
+		*not_before = this->created;
+	}
+	if (this->valid)
+	{
+		until = this->valid + this->created * 24 * 60 * 60;
+	}
+	else
+	{
+		/* Jan 19 03:14:07 UTC 2038 */
+		until = TIME_32_BIT_SIGNED_MAX;
+	}
+	if (not_after)
+	{
+		*not_after = until;
+	}
+	return (t >= this->valid && t <= until);
+}
+
+/**
+ * Implementation of certificate_t.is_newer.
+ */
+static bool is_newer(certificate_t *this, certificate_t *that)
+{
+	time_t this_update, that_update, now = time(NULL);
+	bool new;
+
+	this->get_validity(this, &now, &this_update, NULL);
+	that->get_validity(that, &now, &that_update, NULL);
+	new = this_update > that_update;
+	DBG1("  certificate from %T is %s - existing certificate from %T %s",
+				&this_update, FALSE, new ? "newer":"not newer",
+				&that_update, FALSE, new ? "replaced":"retained");
+	return new;
+}
+
+/**
+ * Implementation of certificate_t.get_encoding.
+ */
+static chunk_t get_encoding(private_pgp_cert_t *this)
+{
+	return chunk_clone(this->encoding);
+}
+
+/**
+ * Implementation of certificate_t.equals.
+ */
+static bool equals(private_pgp_cert_t *this, certificate_t *other)
+{
+	chunk_t encoding;
+	bool equal;
+
+	if (this == (private_pgp_cert_t*)other)
+	{
+		return TRUE;
+	}
+	if (other->get_type(other) != CERT_X509)
+	{
+		return FALSE;
+	}
+	if (other->equals == (void*)equals)
+	{	/* skip allocation if we have the same implementation */
+		return chunk_equals(this->encoding, ((private_pgp_cert_t*)other)->encoding);
+	}
+	encoding = other->get_encoding(other);
+	equal = chunk_equals(this->encoding, encoding);
+	free(encoding.ptr);
+	return equal;
+}
+
+/**
+ * Implementation of pgp_cert_t.destroy.
+ */
+static void destroy(private_pgp_cert_t *this)
+{
+	if (ref_put(&this->ref))
+	{
+		DESTROY_IF(this->key);
+		DESTROY_IF(this->user_id);
+		free(this->fingerprint.ptr);
+		free(this->encoding.ptr);
+		free(this);
+	}
+}
+
+/**
+ * Implementation of pgp_certificate_t.get_fingerprint.
+ */
+static chunk_t get_fingerprint(private_pgp_cert_t *this)
+{
+	return this->fingerprint;
+}
+
+/**
+ * See header
+ */
+private_pgp_cert_t *create_empty()
+{
+	private_pgp_cert_t *this = malloc_thing(private_pgp_cert_t);
+
+	this->public.interface.interface.get_type = (certificate_type_t (*) (certificate_t*))get_type;
+	this->public.interface.interface.get_subject = (identification_t* (*) (certificate_t*))get_subject;
+	this->public.interface.interface.get_issuer = (identification_t* (*) (certificate_t*))get_issuer;
+	this->public.interface.interface.has_subject = (id_match_t (*) (certificate_t*, identification_t*))has_subject;
+	this->public.interface.interface.has_issuer = (id_match_t (*) (certificate_t*, identification_t*))has_issuer;
+	this->public.interface.interface.issued_by = (bool (*) (certificate_t*, certificate_t*))issued_by;
+	this->public.interface.interface.get_public_key = (public_key_t* (*) (certificate_t*))get_public_key;
+	this->public.interface.interface.get_validity = (bool (*) (certificate_t*, time_t*, time_t*, time_t*))get_validity;
+	this->public.interface.interface.is_newer = (bool (*) (certificate_t*,certificate_t*))is_newer;
+	this->public.interface.interface.get_encoding = (chunk_t (*) (certificate_t*))get_encoding;
+	this->public.interface.interface.equals = (bool (*)(certificate_t*, certificate_t*))equals;
+	this->public.interface.interface.get_ref = (certificate_t* (*)(certificate_t*))get_ref;
+	this->public.interface.interface.destroy = (void (*)(certificate_t*))destroy;
+	this->public.interface.get_fingerprint = (chunk_t (*)(pgp_certificate_t*))get_fingerprint;
+
+	this->key = NULL;
+	this->version = 0;
+	this->created = 0;
+	this->valid = 0;
+	this->user_id = NULL;
+	this->fingerprint = chunk_empty;
+	this->encoding = chunk_empty;
+	this->ref = 1;
+
+	return this;
+}
+
+/**
+ * Parse the public key packet of a PGP certificate
+ */
+static bool parse_public_key(private_pgp_cert_t *this, chunk_t packet)
+{
+	chunk_t pubkey_packet = packet;
+
+	if (!pgp_read_scalar(&packet, 1, &this->version))
+	{
+		return FALSE;
+	}
+	switch (this->version)
+	{
+		case 3:
+			if (!pgp_read_scalar(&packet, 4, &this->created) ||
+				!pgp_read_scalar(&packet, 2, &this->valid))
+			{
+				return FALSE;
+			}
+			break;
+		case 4:
+			if (!pgp_read_scalar(&packet, 4, &this->created))
+			{
+				return FALSE;
+			}
+			break;
+		default:
+			DBG1("PGP packet version V%d not supported", this->version);
+			return FALSE;
+	}
+	if (this->valid)
+	{
+		DBG2("L2 - created %T, valid %d days", &this->created, FALSE, this->valid);
+	}
+	else
+	{
+		DBG2("L2 - created %T, never expires", &this->created, FALSE);
+	}
+	DESTROY_IF(this->key);
+	this->key = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ANY,
+									BUILD_BLOB_PGP, packet, BUILD_END);
+	if (this->key == NULL)
+	{
+		return FALSE;
+	}
+
+	/* compute V4 or V3 fingerprint according to section 12.2 of RFC 4880 */
+	if (this->version == 4)
+	{
+		chunk_t pubkey_packet_header = chunk_from_chars(
+					0x99, pubkey_packet.len / 256, pubkey_packet.len % 256
+				);
+		hasher_t *hasher;
+
+		hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
+		if (hasher == NULL)
+		{
+			DBG1("no SHA-1 hasher available");
+			return FALSE;
+		}
+		hasher->allocate_hash(hasher, pubkey_packet_header, NULL);
+		hasher->allocate_hash(hasher, pubkey_packet, &this->fingerprint);
+		hasher->destroy(hasher);
+		DBG2("L2 - v4 fingerprint %#B", &this->fingerprint);
+	}
+	else
+	{
+		/* V3 fingerprint is computed by public_key_t class */
+		if (!this->key->get_fingerprint(this->key, KEY_ID_PGPV3,
+										&this->fingerprint))
+		{
+			return FALSE;
+		}
+		this->fingerprint = chunk_clone(this->fingerprint);
+		DBG2("L2 - v3 fingerprint %#B", &this->fingerprint);
+	}
+	return TRUE;
+}
+
+/**
+ * Parse the signature packet of a PGP certificate
+ */
+static bool parse_signature(private_pgp_cert_t *this, chunk_t packet)
+{
+	u_int32_t version, len, type, created;
+
+	if (!pgp_read_scalar(&packet, 1, &version))
+	{
+		return FALSE;
+	}
+
+	/* we parse only v3 or v4 signature packets */
+	if (version != 3 && version != 4)
+	{
+		DBG2("L2 - v%d signature ignored", version);
+		return TRUE;
+	}
+	if (version == 4)
+	{
+		if (!pgp_read_scalar(&packet, 1, &type))
+		{
+			return FALSE;
+		}
+		DBG2("L2 - v%d signature of type 0x%02x", version, type);
+	}
+	else
+	{
+		if (!pgp_read_scalar(&packet, 1, &len) || len != 5)
+		{
+			return FALSE;
+		}
+		if (!pgp_read_scalar(&packet, 1, &type) ||
+			!pgp_read_scalar(&packet, 4, &created))
+		{
+			return FALSE;
+		}
+		DBG2("L2 - v3 signature of type 0x%02x, created %T", type,
+												&created, FALSE);
+	}
+	/* TODO: parse and save signature to a list */
+	return TRUE;
+}
+
+/**
+ * Parse the userid packet of a PGP certificate
+ */
+static bool parse_user_id(private_pgp_cert_t *this, chunk_t packet)
+{
+	DESTROY_IF(this->user_id);
+	this->user_id = identification_create_from_encoding(ID_KEY_ID, packet);
+	DBG2("L2 - '%Y'", this->user_id);
+	return TRUE;
+}
+
+/**
+ * See header.
+ */
+pgp_cert_t *pgp_cert_load(certificate_type_t type, va_list args)
+{
+	chunk_t packet, blob = chunk_empty;
+	pgp_packet_tag_t tag;
+	private_pgp_cert_t *this;
+
+	while (TRUE)
+	{
+		switch (va_arg(args, builder_part_t))
+		{
+			case BUILD_BLOB_PGP:
+				blob = va_arg(args, chunk_t);
+				continue;
+			case BUILD_END:
+				break;
+			default:
+				return NULL;
+		}
+		break;
+	}
+
+	this = create_empty();
+	this->encoding = chunk_clone(blob);
+	while (blob.len)
+	{
+		if (!pgp_read_packet(&blob, &packet, &tag))
+		{
+			destroy(this);
+			return NULL;
+		}
+		switch (tag)
+		{
+			case PGP_PKT_PUBLIC_KEY:
+				if (!parse_public_key(this, packet))
+				{
+					destroy(this);
+					return NULL;
+				}
+				break;
+			case PGP_PKT_SIGNATURE:
+				if (!parse_signature(this, packet))
+				{
+					destroy(this);
+					return FALSE;
+				}
+				break;
+			case PGP_PKT_USER_ID:
+				if (!parse_user_id(this, packet))
+				{
+					destroy(this);
+					return FALSE;
+				}
+				break;
+			default:
+				DBG1("ignoring %N packet in PGP certificate",
+					 pgp_packet_tag_names, tag);
+				break;
+		}
+	}
+	if (this->key)
+	{
+		return &this->public;
+	}
+	destroy(this);
+	return NULL;
+}
+
diff --git a/src/libstrongswan/plugins/pgp/pgp_cert.h b/src/libstrongswan/plugins/pgp/pgp_cert.h
new file mode 100644
index 000000000..4db795ddc
--- /dev/null
+++ b/src/libstrongswan/plugins/pgp/pgp_cert.h
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pgp_cert pgp_cert
+ * @{ @ingroup pgp
+ */
+
+#ifndef PGP_CERT_H_
+#define PGP_CERT_H_
+
+#include <credentials/certificates/pgp_certificate.h>
+
+typedef struct pgp_cert_t pgp_cert_t;
+
+/**
+ * PGP certificate implementation.
+ */
+struct pgp_cert_t {
+
+	/**
+	 * Implements pgp_certificate_t.
+	 */
+	pgp_certificate_t interface;
+};
+
+/**
+ * Load a PGP certificate.
+ *
+ * @param type		type of the certificate, CERT_GPG
+ * @param args		builder_part_t argument list
+ * @return 			builder instance
+ */
+pgp_cert_t *pgp_cert_load(certificate_type_t type, va_list args);
+
+#endif /** PGP_CERT_H_ @}*/
diff --git a/src/libstrongswan/plugins/pgp/pgp_encoder.c b/src/libstrongswan/plugins/pgp/pgp_encoder.c
new file mode 100644
index 000000000..56acac597
--- /dev/null
+++ b/src/libstrongswan/plugins/pgp/pgp_encoder.c
@@ -0,0 +1,68 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "pgp_encoder.h"
+
+#include <debug.h>
+
+/**
+ * Build a PGPv3 fingerprint
+ */
+static bool build_v3_fingerprint(chunk_t *encoding, va_list args)
+{
+	hasher_t *hasher;
+	chunk_t n, e;
+
+	if (key_encoding_args(args, KEY_PART_RSA_MODULUS, &n,
+						  KEY_PART_RSA_PUB_EXP, &e, KEY_PART_END))
+	{
+		hasher = lib->crypto->create_hasher(lib->crypto, HASH_MD5);
+		if (!hasher)
+		{
+			DBG1("MD5 hash algorithm not supported, PGP fingerprinting failed");
+			return FALSE;
+		}
+		/* remove leading zero bytes before hashing modulus and exponent */
+		while (n.len > 0 && n.ptr[0] == 0x00)
+		{
+			n = chunk_skip(n, 1);
+		}
+		while (e.len > 0 && e.ptr[0] == 0x00)
+		{
+			e = chunk_skip(e, 1);
+		}
+		hasher->allocate_hash(hasher, n, NULL);
+		hasher->allocate_hash(hasher, e, encoding);
+		hasher->destroy(hasher);
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/**
+ * See header.
+ */
+bool pgp_encoder_encode(key_encoding_type_t type, chunk_t *encoding,
+						  va_list args)
+{
+	switch (type)
+	{
+		case KEY_ID_PGPV3:
+			return build_v3_fingerprint(encoding, args);
+		default:
+			return FALSE;
+	}
+}
+
diff --git a/src/libstrongswan/plugins/pgp/pgp_encoder.h b/src/libstrongswan/plugins/pgp/pgp_encoder.h
new file mode 100644
index 000000000..9df143399
--- /dev/null
+++ b/src/libstrongswan/plugins/pgp/pgp_encoder.h
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pgp_encoder pgp_encoder
+ * @{ @ingroup pgp
+ */
+
+#ifndef PGP_ENCODER_H_
+#define PGP_ENCODER_H_
+
+#include <credentials/keys/key_encoding.h>
+
+/**
+ * Encoding function for PGP fingerprints.
+ */
+bool pgp_encoder_encode(key_encoding_type_t type, chunk_t *encoding,
+						va_list args);
+
+#endif /** PGP_ENCODER_H_ @}*/
diff --git a/src/libstrongswan/plugins/pgp/pgp_plugin.c b/src/libstrongswan/plugins/pgp/pgp_plugin.c
new file mode 100644
index 000000000..eabb3695f
--- /dev/null
+++ b/src/libstrongswan/plugins/pgp/pgp_plugin.c
@@ -0,0 +1,79 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "pgp_plugin.h"
+
+#include <library.h>
+#include "pgp_builder.h"
+#include "pgp_encoder.h"
+#include "pgp_cert.h"
+
+typedef struct private_pgp_plugin_t private_pgp_plugin_t;
+
+/**
+ * private data of pgp_plugin
+ */
+struct private_pgp_plugin_t {
+
+	/**
+	 * public functions
+	 */
+	pgp_plugin_t public;
+};
+
+/**
+ * Implementation of pgp_plugin_t.pgptroy
+ */
+static void destroy(private_pgp_plugin_t *this)
+{
+	lib->creds->remove_builder(lib->creds,
+							(builder_function_t)pgp_public_key_load);
+	lib->creds->remove_builder(lib->creds,
+							(builder_function_t)pgp_private_key_load);
+
+	lib->creds->remove_builder(lib->creds,
+							(builder_function_t)pgp_cert_load);
+
+	lib->encoding->remove_encoder(lib->encoding, pgp_encoder_encode);
+
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *plugin_create()
+{
+	private_pgp_plugin_t *this = malloc_thing(private_pgp_plugin_t);
+
+	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+
+	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_ANY,
+							(builder_function_t)pgp_public_key_load);
+	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
+							(builder_function_t)pgp_public_key_load);
+	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_ANY,
+							(builder_function_t)pgp_private_key_load);
+	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+							(builder_function_t)pgp_private_key_load);
+
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_GPG,
+							(builder_function_t)pgp_cert_load);
+
+	lib->encoding->add_encoder(lib->encoding, pgp_encoder_encode);
+
+	return &this->public.plugin;
+}
+
diff --git a/src/libstrongswan/plugins/pgp/pgp_plugin.h b/src/libstrongswan/plugins/pgp/pgp_plugin.h
new file mode 100644
index 000000000..95765cd76
--- /dev/null
+++ b/src/libstrongswan/plugins/pgp/pgp_plugin.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pgp pgp
+ * @ingroup plugins
+ *
+ * @defgroup pgp_plugin pgp_plugin
+ * @{ @ingroup pgp
+ */
+
+#ifndef PGP_PLUGIN_H_
+#define PGP_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct pgp_plugin_t pgp_plugin_t;
+
+/**
+ * Plugin providing PKCS#1 private/public key decoding functions
+ */
+struct pgp_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+/**
+ * Create a pgp_plugin instance.
+ */
+plugin_t *plugin_create();
+
+#endif /** PGP_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/pgp/pgp_utils.c b/src/libstrongswan/plugins/pgp/pgp_utils.c
new file mode 100644
index 000000000..1658f3232
--- /dev/null
+++ b/src/libstrongswan/plugins/pgp/pgp_utils.c
@@ -0,0 +1,180 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "pgp_utils.h"
+
+#include <debug.h>
+
+ENUM_BEGIN(pgp_pubkey_alg_names, PGP_PUBKEY_ALG_RSA, PGP_PUBKEY_ALG_RSA_SIGN_ONLY,
+	"RSA",
+	"RSA_ENC_ONLY",
+	"RSA_SIGN_ONLY"
+);
+ENUM_NEXT(pgp_pubkey_alg_names, PGP_PUBKEY_ALG_ELGAMAL_ENC_ONLY, PGP_PUBKEY_ALG_DIFFIE_HELLMAN, PGP_PUBKEY_ALG_RSA_SIGN_ONLY,
+	"ELGAMAL_ENC_ONLY",
+	"DSA",
+	"ECC",
+	"ECDSA",
+	"ELGAMAL",
+	"DIFFIE_HELLMAN"
+);
+ENUM_END(pgp_pubkey_alg_names, PGP_PUBKEY_ALG_DIFFIE_HELLMAN);
+
+ENUM(pgp_sym_alg_names, PGP_SYM_ALG_PLAIN, PGP_SYM_ALG_TWOFISH,
+	"PLAINTEXT",
+	"IDEA",
+	"3DES",
+	"CAST5",
+	"BLOWFISH",
+	"SAFER",
+	"DES",
+	"AES_128",
+	"AES_192",
+	"AES_256",
+	"TWOFISH"
+);
+
+ENUM_BEGIN(pgp_packet_tag_names, PGP_PKT_RESERVED, PGP_PKT_PUBLIC_SUBKEY,
+	"Reserved",
+	"Public-Key Encrypted Session Key Packet",
+	"Signature Packet",
+	"Symmetric-Key Encrypted Session Key Packet",
+	"One-Pass Signature Packet",
+	"Secret Key Packet",
+	"Public Key Packet",
+	"Secret Subkey Packet",
+	"Compressed Data Packet",
+	"Symmetrically Encrypted Data Packet",
+	"Marker Packet",
+	"Literal Data Packet",
+	"Trust Packet",
+	"User ID Packet",
+	"Public Subkey Packet"
+);
+ENUM_NEXT(pgp_packet_tag_names, PGP_PKT_USER_ATTRIBUTE, PGP_PKT_MOD_DETECT_CODE, PGP_PKT_PUBLIC_SUBKEY,
+	"User Attribute Packet",
+	"Sym. Encrypted and Integrity Protected Data Packet",
+	"Modification Detection Code Packet"
+);
+ENUM_END(pgp_packet_tag_names, PGP_PKT_MOD_DETECT_CODE);
+
+/**
+ * Read a PGP scalar of bytes length, advance blob
+ */
+bool pgp_read_scalar(chunk_t *blob, size_t bytes, u_int32_t *scalar)
+{
+	u_int32_t res = 0;
+
+	if (bytes > blob->len)
+	{
+		DBG1("PGP data too short to read %d byte scalar", bytes);
+		return FALSE;
+	}
+	while (bytes-- > 0)
+	{
+		res = 256 * res + blob->ptr[0];
+		*blob = chunk_skip(*blob, 1);
+	}
+	*scalar = res;
+	return TRUE;
+}
+
+/**
+ * Read a PGP MPI, advance blob
+ */
+bool pgp_read_mpi(chunk_t *blob, chunk_t *mpi)
+{
+	u_int32_t bits, bytes;
+
+	if (!pgp_read_scalar(blob, 2, &bits))
+	{
+		DBG1("PGP data too short to read MPI length");
+		return FALSE;
+	}
+	bytes = (bits + 7) / 8;
+	if (bytes > blob->len)
+	{
+		DBG1("PGP data too short to read %d byte MPI", bytes);
+		return FALSE;
+	}
+	*mpi = chunk_create(blob->ptr, bytes);
+	*blob = chunk_skip(*blob, bytes);
+	return TRUE;
+}
+
+/**
+ * Read length of an PGP old packet length encoding
+ */
+static bool pgp_old_packet_length(chunk_t *blob, u_int32_t *length)
+{
+	/* bits 0 and 1 define the packet length type */
+	u_char type;
+
+	if (!blob->len)
+	{
+		return FALSE;
+	}
+	type = 0x03 & blob->ptr[0];
+	*blob = chunk_skip(*blob, 1);
+
+	if (type > 2)
+	{
+		return FALSE;
+	}
+	return pgp_read_scalar(blob, type == 0 ? 1 : type * 2, length);
+}
+
+/**
+ * See header.
+ */
+bool pgp_read_packet(chunk_t *blob, chunk_t *data, pgp_packet_tag_t *tag)
+{
+	u_int32_t len;
+	u_char t;
+
+	if (!blob->len)
+	{
+		DBG1("missing input");
+		return FALSE;
+	}
+	t = blob->ptr[0];
+
+	/* bit 7 must be set */
+	if (!(t & 0x80))
+	{
+		DBG1("invalid packet tag");
+		return FALSE;
+	}
+	/* bit 6 set defines new packet format */
+	if (t & 0x40)
+	{
+		DBG1("new PGP packet format not supported");
+		return FALSE;
+	}
+
+	t = (t & 0x3C) >> 2;
+	if (!pgp_old_packet_length(blob, &len) || len > blob->len)
+	{
+		DBG1("invalid packet length");
+		return FALSE;
+	}
+	*data = chunk_create(blob->ptr, len);
+	*blob = chunk_skip(*blob, len);
+	*tag = t;
+	DBG2("L1 - PGP %N (%u bytes)", pgp_packet_tag_names, t, len);
+	DBG3("%B", data);
+	return TRUE;
+}
+
diff --git a/src/libstrongswan/plugins/pgp/pgp_utils.h b/src/libstrongswan/plugins/pgp/pgp_utils.h
new file mode 100644
index 000000000..203a0a85d
--- /dev/null
+++ b/src/libstrongswan/plugins/pgp/pgp_utils.h
@@ -0,0 +1,130 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pgp_utils pgp_utils
+ * @{ @ingroup pgp
+ */
+
+#ifndef PGP_UTILS_H_
+#define PGP_UTILS_H_
+
+#include <library.h>
+
+typedef enum pgp_pubkey_alg_t pgp_pubkey_alg_t;
+typedef enum pgp_sym_alg_t pgp_sym_alg_t;
+typedef enum pgp_packet_tag_t pgp_packet_tag_t;
+
+/**
+ * OpenPGP public key algorithms as defined in section 9.1 of RFC 4880
+ */
+enum pgp_pubkey_alg_t {
+	PGP_PUBKEY_ALG_RSA              =  1,
+	PGP_PUBKEY_ALG_RSA_ENC_ONLY     =  2,
+	PGP_PUBKEY_ALG_RSA_SIGN_ONLY    =  3,
+	PGP_PUBKEY_ALG_ELGAMAL_ENC_ONLY = 16,
+	PGP_PUBKEY_ALG_DSA              = 17,
+	PGP_PUBKEY_ALG_ECC              = 18,
+	PGP_PUBKEY_ALG_ECDSA            = 19,
+	PGP_PUBKEY_ALG_ELGAMAL          = 20,
+	PGP_PUBKEY_ALG_DIFFIE_HELLMAN   = 21,
+};
+
+/**
+ * Enum names of pgp_pubkey_alg_t
+ */
+extern enum_name_t *pgp_pubkey_alg_names;
+
+/**
+ * OpenPGP symmetric key algorithms as defined in section 9.2 of RFC 4880
+ */
+enum pgp_sym_alg_t {
+	PGP_SYM_ALG_PLAIN    =  0,
+	PGP_SYM_ALG_IDEA     =  1,
+	PGP_SYM_ALG_3DES     =  2,
+	PGP_SYM_ALG_CAST5    =  3,
+	PGP_SYM_ALG_BLOWFISH =  4,
+	PGP_SYM_ALG_SAFER    =  5,
+	PGP_SYM_ALG_DES      =  6,
+	PGP_SYM_ALG_AES_128  =  7,
+	PGP_SYM_ALG_AES_192  =  8,
+	PGP_SYM_ALG_AES_256  =  9,
+	PGP_SYM_ALG_TWOFISH  = 10
+};
+
+/**
+ * Enum names of pgp_sym_alg_t
+ */
+extern enum_name_t *pgp_sym_alg_names;
+
+/**
+ * OpenPGP packet tags as defined in section 4.3 of RFC 4880
+ */
+enum pgp_packet_tag_t {
+	PGP_PKT_RESERVED               =  0,
+	PGP_PKT_PUBKEY_ENC_SESSION_KEY =  1,
+	PGP_PKT_SIGNATURE              =  2,
+	PGP_PKT_SYMKEY_ENC_SESSION_KEY =  3,
+	PGP_PKT_ONE_PASS_SIGNATURE_PKT =  4,
+	PGP_PKT_SECRET_KEY             =  5,
+	PGP_PKT_PUBLIC_KEY             =  6,
+	PGP_PKT_SECRET_SUBKEY          =  7,
+	PGP_PKT_COMPRESSED_DATA        =  8,
+	PGP_PKT_SYMKEY_ENC_DATA        =  9,
+	PGP_PKT_MARKER                 = 10,
+	PGP_PKT_LITERAL_DATA           = 11,
+	PGP_PKT_TRUST                  = 12,
+	PGP_PKT_USER_ID                = 13,
+	PGP_PKT_PUBLIC_SUBKEY          = 14,
+	PGP_PKT_USER_ATTRIBUTE         = 17,
+	PGP_PKT_SYM_ENC_INT_PROT_DATA  = 18,
+	PGP_PKT_MOD_DETECT_CODE        = 19
+};
+
+/**
+ * Enum names of pgp_packet_tag_t
+ */
+extern enum_name_t *pgp_packet_tag_names;
+
+/**
+ * Parse a PGP encoded MPI.
+ *
+ * @param blob		blob to read from, gets advanced
+ * @param mpi		parsed MPI value
+ * @return			TRUE if MPI parsed successfully
+ */
+bool pgp_read_mpi(chunk_t *blob, chunk_t *mpi);
+
+/**
+ * Parse a PGP encoded Scalar.
+ *
+ * @param blob		blob to read from, gets advanced
+ * @param bytes		number of bytes the scalar uses for encoding
+ * @param scalar	resultin scalar
+ * @return			TRUE if scalar parsed successfully
+ */
+bool pgp_read_scalar(chunk_t *blob, size_t bytes, u_int32_t *scalar);
+
+/**
+ * Parse a PGP packet.
+ *
+ * @param blob		blob to read from, gets advanced
+ * @param data		contained packet data
+ * @param tag		tag of the parsed PGP packet
+ * @return			TRUE if packet parsed successfully
+ */
+bool pgp_read_packet(chunk_t *blob, chunk_t *data, pgp_packet_tag_t *tag);
+
+#endif /** PGP_UTILS_H_ @}*/
diff --git a/src/libstrongswan/plugins/pkcs1/Makefile.am b/src/libstrongswan/plugins/pkcs1/Makefile.am
new file mode 100644
index 000000000..88d25a26b
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs1/Makefile.am
@@ -0,0 +1,13 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = -rdynamic
+
+plugin_LTLIBRARIES = libstrongswan-pkcs1.la
+
+libstrongswan_pkcs1_la_SOURCES = pkcs1_plugin.h pkcs1_plugin.c \
+  pkcs1_encoder.h pkcs1_encoder.c \
+  pkcs1_builder.h pkcs1_builder.c
+
+libstrongswan_pkcs1_la_LDFLAGS = -module -avoid-version
+
diff --git a/src/libstrongswan/plugins/pkcs1/Makefile.in b/src/libstrongswan/plugins/pkcs1/Makefile.in
new file mode 100644
index 000000000..4439cd60f
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs1/Makefile.in
@@ -0,0 +1,572 @@
+# Makefile.in generated by automake 1.11 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libstrongswan/plugins/pkcs1
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(plugin_LTLIBRARIES)
+libstrongswan_pkcs1_la_LIBADD =
+am_libstrongswan_pkcs1_la_OBJECTS = pkcs1_plugin.lo pkcs1_encoder.lo \
+	pkcs1_builder.lo
+libstrongswan_pkcs1_la_OBJECTS = $(am_libstrongswan_pkcs1_la_OBJECTS)
+libstrongswan_pkcs1_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_pkcs1_la_LDFLAGS) $(LDFLAGS) -o $@
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_pkcs1_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_pkcs1_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libstrongswan_plugins = @libstrongswan_plugins@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+AM_CFLAGS = -rdynamic
+plugin_LTLIBRARIES = libstrongswan-pkcs1.la
+libstrongswan_pkcs1_la_SOURCES = pkcs1_plugin.h pkcs1_plugin.c \
+  pkcs1_encoder.h pkcs1_encoder.c \
+  pkcs1_builder.h pkcs1_builder.c
+
+libstrongswan_pkcs1_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/pkcs1/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libstrongswan/plugins/pkcs1/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-pkcs1.la: $(libstrongswan_pkcs1_la_OBJECTS) $(libstrongswan_pkcs1_la_DEPENDENCIES) 
+	$(libstrongswan_pkcs1_la_LINK) -rpath $(plugindir) $(libstrongswan_pkcs1_la_OBJECTS) $(libstrongswan_pkcs1_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs1_builder.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs1_encoder.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs1_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
+	mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
+	distclean-compile distclean-generic distclean-libtool \
+	distclean-tags distdir dvi dvi-am html html-am info info-am \
+	install install-am install-data install-data-am install-dvi \
+	install-dvi-am install-exec install-exec-am install-html \
+	install-html-am install-info install-info-am install-man \
+	install-pdf install-pdf-am install-pluginLTLIBRARIES \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libstrongswan/plugins/pkcs1/pkcs1_builder.c b/src/libstrongswan/plugins/pkcs1/pkcs1_builder.c
new file mode 100644
index 000000000..fbd35e830
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs1/pkcs1_builder.c
@@ -0,0 +1,299 @@
+/*
+ * Copyright (C) 2008-2009 Martin Willi
+ * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2000-2008 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "pkcs1_builder.h"
+
+#include <debug.h>
+#include <asn1/oid.h>
+#include <asn1/asn1.h>
+#include <asn1/asn1_parser.h>
+#include <credentials/keys/private_key.h>
+
+/**
+ * ASN.1 definition of a subjectPublicKeyInfo structure
+ */
+static const asn1Object_t pkinfoObjects[] = {
+	{ 0, "subjectPublicKeyInfo",ASN1_SEQUENCE,		ASN1_NONE	}, /* 0 */
+	{ 1,   "algorithm",			ASN1_EOC,			ASN1_RAW	}, /* 1 */
+	{ 1,   "subjectPublicKey",	ASN1_BIT_STRING,	ASN1_BODY	}, /* 2 */
+	{ 0, "exit",				ASN1_EOC,			ASN1_EXIT	}
+};
+#define PKINFO_SUBJECT_PUBLIC_KEY_ALGORITHM	1
+#define PKINFO_SUBJECT_PUBLIC_KEY			2
+
+/**
+ * Load a generic public key from an ASN.1 encoded blob
+ */
+static public_key_t *parse_public_key(chunk_t blob)
+{
+	asn1_parser_t *parser;
+	chunk_t object;
+	int objectID;
+	public_key_t *key = NULL;
+	key_type_t type = KEY_ANY;
+
+	parser = asn1_parser_create(pkinfoObjects, blob);
+
+	while (parser->iterate(parser, &objectID, &object))
+	{
+		switch (objectID)
+		{
+			case PKINFO_SUBJECT_PUBLIC_KEY_ALGORITHM:
+			{
+				int oid = asn1_parse_algorithmIdentifier(object,
+										parser->get_level(parser)+1, NULL);
+
+				if (oid == OID_RSA_ENCRYPTION)
+				{
+					type = KEY_RSA;
+				}
+				else if (oid == OID_EC_PUBLICKEY)
+				{
+					/* we need the whole subjectPublicKeyInfo for EC public keys */
+					key = lib->creds->create(lib->creds, CRED_PUBLIC_KEY,
+								KEY_ECDSA, BUILD_BLOB_ASN1_DER, blob, BUILD_END);
+					goto end;
+				}
+				else
+				{
+					/* key type not supported */
+					goto end;
+				}
+				break;
+			}
+			case PKINFO_SUBJECT_PUBLIC_KEY:
+				if (object.len > 0 && *object.ptr == 0x00)
+				{
+					/* skip initial bit string octet defining 0 unused bits */
+					object = chunk_skip(object, 1);
+				}
+				DBG2("-- > --");
+				key = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, type,
+										 BUILD_BLOB_ASN1_DER, object, BUILD_END);
+				DBG2("-- < --");
+				break;
+		}
+	}
+
+end:
+	parser->destroy(parser);
+	return key;
+}
+
+/**
+ * ASN.1 definition of RSApublicKey
+ */
+static const asn1Object_t pubkeyObjects[] = {
+	{ 0, "RSAPublicKey",		ASN1_SEQUENCE,	ASN1_OBJ  }, /*  0 */
+	{ 1,   "modulus",			ASN1_INTEGER,	ASN1_BODY }, /*  1 */
+	{ 1,   "publicExponent",	ASN1_INTEGER,	ASN1_BODY }, /*  2 */
+	{ 0, "exit",				ASN1_EOC,		ASN1_EXIT }
+};
+#define PUB_KEY_RSA_PUBLIC_KEY		0
+#define PUB_KEY_MODULUS				1
+#define PUB_KEY_EXPONENT			2
+
+/**
+ * Load a RSA public key from an ASN.1 encoded blob.
+ */
+static public_key_t *parse_rsa_public_key(chunk_t blob)
+{
+	chunk_t n, e;
+	asn1_parser_t *parser;
+	chunk_t object;
+	int objectID;
+	bool success = FALSE;
+
+	parser = asn1_parser_create(pubkeyObjects, blob);
+
+	while (parser->iterate(parser, &objectID, &object))
+	{
+		switch (objectID)
+		{
+			case PUB_KEY_MODULUS:
+				n = object;
+				break;
+			case PUB_KEY_EXPONENT:
+				e = object;
+				break;
+		}
+	}
+	success = parser->success(parser);
+	parser->destroy(parser);
+
+	if (!success)
+	{
+		return NULL;
+	}
+	return lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
+						BUILD_RSA_MODULUS, n, BUILD_RSA_PUB_EXP, e, BUILD_END);
+}
+
+/**
+ * ASN.1 definition of a PKCS#1 RSA private key
+ */
+static const asn1Object_t privkeyObjects[] = {
+	{ 0, "RSAPrivateKey",		ASN1_SEQUENCE,     ASN1_NONE }, /*  0 */
+	{ 1,   "version",			ASN1_INTEGER,      ASN1_BODY }, /*  1 */
+	{ 1,   "modulus",			ASN1_INTEGER,      ASN1_BODY }, /*  2 */
+	{ 1,   "publicExponent",	ASN1_INTEGER,      ASN1_BODY }, /*  3 */
+	{ 1,   "privateExponent",	ASN1_INTEGER,      ASN1_BODY }, /*  4 */
+	{ 1,   "prime1",			ASN1_INTEGER,      ASN1_BODY }, /*  5 */
+	{ 1,   "prime2",			ASN1_INTEGER,      ASN1_BODY }, /*  6 */
+	{ 1,   "exponent1",			ASN1_INTEGER,      ASN1_BODY }, /*  7 */
+	{ 1,   "exponent2",			ASN1_INTEGER,      ASN1_BODY }, /*  8 */
+	{ 1,   "coefficient",		ASN1_INTEGER,      ASN1_BODY }, /*  9 */
+	{ 1,   "otherPrimeInfos",	ASN1_SEQUENCE,     ASN1_OPT |
+												   ASN1_LOOP }, /* 10 */
+	{ 2,     "otherPrimeInfo",	ASN1_SEQUENCE,     ASN1_NONE }, /* 11 */
+	{ 3,       "prime",			ASN1_INTEGER,      ASN1_BODY }, /* 12 */
+	{ 3,       "exponent",		ASN1_INTEGER,      ASN1_BODY }, /* 13 */
+	{ 3,       "coefficient",	ASN1_INTEGER,      ASN1_BODY }, /* 14 */
+	{ 1,   "end opt or loop",	ASN1_EOC,          ASN1_END  }, /* 15 */
+	{ 0, "exit",				ASN1_EOC,          ASN1_EXIT }
+};
+#define PRIV_KEY_VERSION		 1
+#define PRIV_KEY_MODULUS		 2
+#define PRIV_KEY_PUB_EXP		 3
+#define PRIV_KEY_PRIV_EXP		 4
+#define PRIV_KEY_PRIME1			 5
+#define PRIV_KEY_PRIME2			 6
+#define PRIV_KEY_EXP1			 7
+#define PRIV_KEY_EXP2			 8
+#define PRIV_KEY_COEFF			 9
+
+/**
+ * Load a RSA private key from a ASN1 encoded blob.
+ */
+static private_key_t *parse_rsa_private_key(chunk_t blob)
+{
+	chunk_t n, e, d, p, q, exp1, exp2, coeff;
+	asn1_parser_t *parser;
+	chunk_t object;
+	int objectID ;
+	bool success = FALSE;
+
+	parser = asn1_parser_create(privkeyObjects, blob);
+	parser->set_flags(parser, FALSE, TRUE);
+
+	while (parser->iterate(parser, &objectID, &object))
+	{
+		switch (objectID)
+		{
+			case PRIV_KEY_VERSION:
+				if (object.len > 0 && *object.ptr != 0)
+				{
+					DBG1("PKCS#1 private key format is not version 1");
+					goto end;
+				}
+				break;
+			case PRIV_KEY_MODULUS:
+				n = object;
+				break;
+			case PRIV_KEY_PUB_EXP:
+				e = object;
+				break;
+			case PRIV_KEY_PRIV_EXP:
+				d = object;
+				break;
+			case PRIV_KEY_PRIME1:
+				p = object;
+				break;
+			case PRIV_KEY_PRIME2:
+				q = object;
+				break;
+			case PRIV_KEY_EXP1:
+				exp1 = object;
+				break;
+			case PRIV_KEY_EXP2:
+				exp2 = object;
+				break;
+			case PRIV_KEY_COEFF:
+				coeff = object;
+				break;
+		}
+	}
+	success = parser->success(parser);
+
+end:
+	parser->destroy(parser);
+	if (!success)
+	{
+		return NULL;
+	}
+	return lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+			BUILD_RSA_MODULUS, n, BUILD_RSA_PUB_EXP, e, BUILD_RSA_PRIV_EXP, d,
+			BUILD_RSA_PRIME1, p,  BUILD_RSA_PRIME2, q, BUILD_RSA_EXP1, exp1,
+			BUILD_RSA_EXP2, exp2, BUILD_RSA_COEFF, coeff, BUILD_END);
+}
+
+/**
+ * See header.
+ */
+public_key_t *pkcs1_public_key_load(key_type_t type, va_list args)
+{
+	chunk_t blob = chunk_empty;
+
+	while (TRUE)
+	{
+		switch (va_arg(args, builder_part_t))
+		{
+			case BUILD_BLOB_ASN1_DER:
+				blob = va_arg(args, chunk_t);
+				continue;
+			case BUILD_END:
+				break;
+			default:
+				return NULL;
+		}
+		break;
+	}
+	switch (type)
+	{
+		case KEY_ANY:
+			return parse_public_key(blob);
+		case KEY_RSA:
+			return parse_rsa_public_key(blob);
+		default:
+			return NULL;
+	}
+}
+
+/**
+ * See header.
+ */
+private_key_t *pkcs1_private_key_load(key_type_t type, va_list args)
+{
+	chunk_t blob = chunk_empty;
+
+	while (TRUE)
+	{
+		switch (va_arg(args, builder_part_t))
+		{
+			case BUILD_BLOB_ASN1_DER:
+				blob = va_arg(args, chunk_t);
+				continue;
+			case BUILD_END:
+				break;
+			default:
+				return NULL;
+		}
+		break;
+	}
+	return parse_rsa_private_key(blob);
+}
+
diff --git a/src/libstrongswan/plugins/pkcs1/pkcs1_builder.h b/src/libstrongswan/plugins/pkcs1/pkcs1_builder.h
new file mode 100644
index 000000000..62ca9f351
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs1/pkcs1_builder.h
@@ -0,0 +1,45 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pkcs1_public_key pkcs1_public_key
+ * @{ @ingroup pkcs1
+ */
+
+#ifndef PKCS1_BUILDER_H_
+#define PKCS1_BUILDER_H_
+
+#include <credentials/builder.h>
+#include <credentials/keys/private_key.h>
+
+/**
+ * Load a generic or an RSA public key from PKCS#1 data.
+ *
+ * @param type		type of the key, either KEY_ANY or KEY_RSA
+ * @param args		builder_part_t argument list
+ * @return 			public key, NULL on failure
+ */
+public_key_t *pkcs1_public_key_load(key_type_t type, va_list args);
+
+/**
+ * Load a RSA public key from PKCS#1 data.
+ *
+ * @param type		type of the key, KEY_RSA
+ * @param args		builder_part_t argument list
+ * @return 			private key, NULL on failure
+ */
+private_key_t *pkcs1_private_key_load(key_type_t type, va_list args);
+
+#endif /** PKCS1_BUILDER_H_ @}*/
diff --git a/src/libstrongswan/plugins/pkcs1/pkcs1_encoder.c b/src/libstrongswan/plugins/pkcs1/pkcs1_encoder.c
new file mode 100644
index 000000000..0a8da815a
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs1/pkcs1_encoder.c
@@ -0,0 +1,160 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "pkcs1_encoder.h"
+
+#include <debug.h>
+#include <asn1/asn1.h>
+#include <asn1/oid.h>
+
+/**
+ * Encode a public key in PKCS#1/ASN.1 DER
+ */
+bool build_pub(chunk_t *encoding, va_list args)
+{
+	chunk_t n, e;
+
+	if (key_encoding_args(args, KEY_PART_RSA_MODULUS, &n,
+						  KEY_PART_RSA_PUB_EXP, &e, KEY_PART_END))
+	{
+		*encoding = asn1_wrap(ASN1_SEQUENCE, "mm",
+						asn1_wrap(ASN1_INTEGER, "c", n),
+						asn1_wrap(ASN1_INTEGER, "c", e));
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/**
+ * Encode a public key in PKCS#1/ASN.1 DER, contained in subjectPublicKeyInfo
+ */
+bool build_pub_info(chunk_t *encoding, va_list args)
+{
+	chunk_t n, e;
+
+	if (key_encoding_args(args, KEY_PART_RSA_MODULUS, &n,
+						  KEY_PART_RSA_PUB_EXP, &e, KEY_PART_END))
+	{
+		*encoding = asn1_wrap(ASN1_SEQUENCE, "mm",
+						asn1_algorithmIdentifier(OID_RSA_ENCRYPTION),
+						asn1_bitstring("m",
+							asn1_wrap(ASN1_SEQUENCE, "mm",
+								asn1_wrap(ASN1_INTEGER, "c", n),
+								asn1_wrap(ASN1_INTEGER, "c", e))));
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/**
+ * Encode a private key in PKCS#1/ASN.1 DER
+ */
+bool build_priv(chunk_t *encoding, va_list args)
+{
+	chunk_t n, e, d, p, q, exp1, exp2, coeff;
+
+	if (key_encoding_args(args, KEY_PART_RSA_MODULUS, &n,
+					KEY_PART_RSA_PUB_EXP, &e, KEY_PART_RSA_PRIV_EXP, &d,
+					KEY_PART_RSA_PRIME1, &p, KEY_PART_RSA_PRIME2, &q,
+					KEY_PART_RSA_EXP1, &exp1, KEY_PART_RSA_EXP2, &exp2,
+					KEY_PART_RSA_COEFF, &coeff, KEY_PART_END))
+	{
+		*encoding = asn1_wrap(ASN1_SEQUENCE, "cmmssssss",
+						ASN1_INTEGER_0,
+						asn1_wrap(ASN1_INTEGER, "c", n),
+						asn1_wrap(ASN1_INTEGER, "c", e),
+						asn1_wrap(ASN1_INTEGER, "c", d),
+						asn1_wrap(ASN1_INTEGER, "c", p),
+						asn1_wrap(ASN1_INTEGER, "c", q),
+						asn1_wrap(ASN1_INTEGER, "c", exp1),
+						asn1_wrap(ASN1_INTEGER, "c", exp2),
+						asn1_wrap(ASN1_INTEGER, "c", coeff));
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/**
+ * Build the SHA1 hash of pubkey(info) ASN.1 data
+ */
+static bool hash_pubkey(chunk_t pubkey, chunk_t *hash)
+{
+	hasher_t *hasher;
+
+	hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
+	if (hasher == NULL)
+	{
+		chunk_free(&pubkey);
+		DBG1("SHA1 hash algorithm not supported, fingerprinting failed");
+		return FALSE;
+	}
+	hasher->allocate_hash(hasher, pubkey, hash);
+	hasher->destroy(hasher);
+	chunk_free(&pubkey);
+	return TRUE;
+}
+
+/**
+ * build the fingerprint of the subjectPublicKeyInfo object
+ */
+static bool build_info_sha1(chunk_t *encoding, va_list args)
+{
+	chunk_t pubkey;
+
+	if (build_pub_info(&pubkey, args))
+	{
+		return hash_pubkey(pubkey, encoding);
+	}
+	return FALSE;
+}
+
+/**
+ * build the fingerprint of the subjectPublicKey object
+ */
+static bool build_sha1(chunk_t *encoding, va_list args)
+{
+	chunk_t pubkey;
+
+	if (build_pub(&pubkey, args))
+	{
+		return hash_pubkey(pubkey, encoding);
+	}
+	return FALSE;
+}
+
+/**
+ * See header.
+ */
+bool pkcs1_encoder_encode(key_encoding_type_t type, chunk_t *encoding,
+						  va_list args)
+{
+	switch (type)
+	{
+		case KEY_ID_PUBKEY_INFO_SHA1:
+			return build_info_sha1(encoding, args);
+		case KEY_ID_PUBKEY_SHA1:
+			return build_sha1(encoding, args);
+		case KEY_PUB_ASN1_DER:
+			return build_pub(encoding, args);
+		case KEY_PUB_SPKI_ASN1_DER:
+			return build_pub_info(encoding, args);
+		case KEY_PRIV_ASN1_DER:
+			return build_priv(encoding, args);
+		default:
+			return FALSE;
+	}
+}
+
+
diff --git a/src/libstrongswan/plugins/pkcs1/pkcs1_encoder.h b/src/libstrongswan/plugins/pkcs1/pkcs1_encoder.h
new file mode 100644
index 000000000..11d9f27f2
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs1/pkcs1_encoder.h
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pkcs1_encoder pkcs1_encoder
+ * @{ @ingroup pkcs1
+ */
+
+#ifndef PKCS1_ENCODER_H_
+#define PKCS1_ENCODER_H_
+
+#include <credentials/keys/key_encoding.h>
+
+/**
+ * Encoding function for PKCS#1/ASN.1 fingerprints/key formats.
+ */
+bool pkcs1_encoder_encode(key_encoding_type_t type, chunk_t *encoding,
+						  va_list args);
+
+#endif /** PKCS1_ENCODER_H_ @}*/
diff --git a/src/libstrongswan/plugins/pkcs1/pkcs1_plugin.c b/src/libstrongswan/plugins/pkcs1/pkcs1_plugin.c
new file mode 100644
index 000000000..9d71e1388
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs1/pkcs1_plugin.c
@@ -0,0 +1,70 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "pkcs1_plugin.h"
+
+#include <library.h>
+#include "pkcs1_builder.h"
+#include "pkcs1_encoder.h"
+
+typedef struct private_pkcs1_plugin_t private_pkcs1_plugin_t;
+
+/**
+ * private data of pkcs1_plugin
+ */
+struct private_pkcs1_plugin_t {
+
+	/**
+	 * public functions
+	 */
+	pkcs1_plugin_t public;
+};
+
+/**
+ * Implementation of pkcs1_plugin_t.pkcs1troy
+ */
+static void destroy(private_pkcs1_plugin_t *this)
+{
+	lib->creds->remove_builder(lib->creds,
+							(builder_function_t)pkcs1_public_key_load);
+	lib->creds->remove_builder(lib->creds,
+							(builder_function_t)pkcs1_private_key_load);
+
+	lib->encoding->remove_encoder(lib->encoding, pkcs1_encoder_encode);
+
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *plugin_create()
+{
+	private_pkcs1_plugin_t *this = malloc_thing(private_pkcs1_plugin_t);
+
+	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+
+	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_ANY,
+							(builder_function_t)pkcs1_public_key_load);
+	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
+							(builder_function_t)pkcs1_public_key_load);
+	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+							(builder_function_t)pkcs1_private_key_load);
+
+	lib->encoding->add_encoder(lib->encoding, pkcs1_encoder_encode);
+
+	return &this->public.plugin;
+}
+
diff --git a/src/libstrongswan/plugins/pkcs1/pkcs1_plugin.h b/src/libstrongswan/plugins/pkcs1/pkcs1_plugin.h
new file mode 100644
index 000000000..465c7ef2c
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs1/pkcs1_plugin.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pkcs1 pkcs1
+ * @ingroup plugins
+ *
+ * @defgroup pkcs1_plugin pkcs1_plugin
+ * @{ @ingroup pkcs1
+ */
+
+#ifndef PKCS1_PLUGIN_H_
+#define PKCS1_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct pkcs1_plugin_t pkcs1_plugin_t;
+
+/**
+ * Plugin providing PKCS#1 private/public key decoding functions
+ */
+struct pkcs1_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+/**
+ * Create a pkcs1_plugin instance.
+ */
+plugin_t *plugin_create();
+
+#endif /** PKCS1_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/plugin.h b/src/libstrongswan/plugins/plugin.h
index 6ca71540c..28c800c0c 100644
--- a/src/libstrongswan/plugins/plugin.h
+++ b/src/libstrongswan/plugins/plugin.h
@@ -27,11 +27,11 @@ typedef struct plugin_t plugin_t;
  * Interface definition of a plugin.
  */
 struct plugin_t {
-	
+
 	/**
-     * Destroy a plugin instance.
-     */
-    void (*destroy)(plugin_t *this);
+	 * Destroy a plugin instance.
+	 */
+	void (*destroy)(plugin_t *this);
 };
 
 
diff --git a/src/libstrongswan/plugins/plugin_loader.c b/src/libstrongswan/plugins/plugin_loader.c
index 459ba9ba9..d4513f25a 100644
--- a/src/libstrongswan/plugins/plugin_loader.c
+++ b/src/libstrongswan/plugins/plugin_loader.c
@@ -37,12 +37,12 @@ struct private_plugin_loader_t {
 	 * public functions
 	 */
 	plugin_loader_t public;
-	
+
 	/**
 	 * list of loaded plugins
 	 */
 	linked_list_t *plugins;
-	
+
 	/**
 	 * names of loaded plugins
 	 */
@@ -59,9 +59,9 @@ static plugin_t* load_plugin(private_plugin_loader_t *this,
 	void *handle;
 	plugin_t *plugin;
 	plugin_constructor_t constructor;
-	
+
 	snprintf(file, sizeof(file), "%s/libstrongswan-%s.so", path, name);
-	
+
 	if (lib->integrity)
 	{
 		if (!lib->integrity->check_file(lib->integrity, name, file))
@@ -101,7 +101,7 @@ static plugin_t* load_plugin(private_plugin_loader_t *this,
 		return NULL;
 	}
 	DBG2("plugin '%s': loaded successfully", name);
-	
+
 	/* we do not store or free dlopen() handles, leak_detective requires
 	 * the modules to keep loaded until leak report */
 	return plugin;
@@ -110,26 +110,50 @@ static plugin_t* load_plugin(private_plugin_loader_t *this,
 /**
  * Implementation of plugin_loader_t.load_plugins.
  */
-static int load(private_plugin_loader_t *this, char *path, char *list)
+static bool load(private_plugin_loader_t *this, char *path, char *list)
 {
-	plugin_t *plugin;
 	enumerator_t *enumerator;
 	char *token;
-	int count = 0;
-	
+	bool critical_failed = FALSE;
+
+	if (path == NULL)
+	{
+		path = PLUGINDIR;
+	}
+
 	enumerator = enumerator_create_token(list, " ", " ");
-	while (enumerator->enumerate(enumerator, &token))
+	while (!critical_failed && enumerator->enumerate(enumerator, &token))
 	{
+		plugin_t *plugin;
+		bool critical = FALSE;
+		int len;
+
+		token = strdup(token);
+		len = strlen(token);
+		if (token[len-1] == '!')
+		{
+			critical = TRUE;
+			token[len-1] = '\0';
+		}
 		plugin = load_plugin(this, path, token);
 		if (plugin)
-		{	/* insert in front to destroy them in reverse order */
+		{
+			/* insert in front to destroy them in reverse order */
 			this->plugins->insert_last(this->plugins, plugin);
-			this->names->insert_last(this->names, strdup(token));
-			count++;
+			this->names->insert_last(this->names, token);
+		}
+		else
+		{
+			if (critical)
+			{
+				critical_failed = TRUE;
+				DBG1("loading critical plugin '%s' failed", token);
+			}
+			free(token);
 		}
 	}
 	enumerator->destroy(enumerator);
-	return count;
+	return !critical_failed;
 }
 
 /**
@@ -139,7 +163,7 @@ static void unload(private_plugin_loader_t *this)
 {
 	plugin_t *plugin;
 	char *name;
-	
+
 	while (this->plugins->remove_first(this->plugins,
 									   (void**)&plugin) == SUCCESS)
 	{
@@ -157,7 +181,7 @@ static void unload(private_plugin_loader_t *this)
 static enumerator_t* create_plugin_enumerator(private_plugin_loader_t *this)
 {
 	return this->names->create_enumerator(this->names);
-}	 
+}
 
 /**
  * Implementation of plugin_loader_t.destroy
@@ -175,15 +199,15 @@ static void destroy(private_plugin_loader_t *this)
 plugin_loader_t *plugin_loader_create()
 {
 	private_plugin_loader_t *this = malloc_thing(private_plugin_loader_t);
-	
-	this->public.load = (int(*)(plugin_loader_t*, char *path, char *prefix))load;
+
+	this->public.load = (bool(*)(plugin_loader_t*, char *path, char *prefix))load;
 	this->public.unload = (void(*)(plugin_loader_t*))unload;
 	this->public.create_plugin_enumerator = (enumerator_t*(*)(plugin_loader_t*))create_plugin_enumerator;
 	this->public.destroy = (void(*)(plugin_loader_t*))destroy;
-	
+
 	this->plugins = linked_list_create();
 	this->names = linked_list_create();
-	
+
 	return &this->public;
 }
 
diff --git a/src/libstrongswan/plugins/plugin_loader.h b/src/libstrongswan/plugins/plugin_loader.h
index 6230f9d68..f72c91c60 100644
--- a/src/libstrongswan/plugins/plugin_loader.h
+++ b/src/libstrongswan/plugins/plugin_loader.h
@@ -28,33 +28,37 @@ typedef struct plugin_loader_t plugin_loader_t;
 /**
  * The plugin_loader loads plugins from a directory and initializes them
  */
-struct plugin_loader_t {	
-	
+struct plugin_loader_t {
+
 	/**
 	 * Load a list of plugins from a directory.
 	 *
-	 * @param path			path containing loadable plugins
+	 * Each plugin in list may have a ending exclamation mark (!) to mark it
+	 * as a critical plugin. If loading a critical plugin fails, plugin loading
+	 * is aborted and FALSE is returned.
+	 *
+	 * @param path			path containing loadable plugins, NULL for default
 	 * @param list			space separated list of plugins to load
-	 * @return				number of successfully loaded plugins
+	 * @return				TRUE if all critical plugins loaded successfully
 	 */
-	int (*load)(plugin_loader_t *this, char *path, char *list);
-	
+	bool (*load)(plugin_loader_t *this, char *path, char *list);
+
 	/**
 	 * Unload all loaded plugins.
 	 */
 	void (*unload)(plugin_loader_t *this);
-	
+
 	/**
 	 * Create an enumerator over all loaded plugin names.
 	 *
 	 * @return				enumerator over char*
 	 */
 	enumerator_t* (*create_plugin_enumerator)(plugin_loader_t *this);
-	
+
 	/**
-     * Unload loaded plugins, destroy plugin_loader instance.
-     */
-    void (*destroy)(plugin_loader_t *this);
+	 * Unload loaded plugins, destroy plugin_loader instance.
+	 */
+	void (*destroy)(plugin_loader_t *this);
 };
 
 /**
diff --git a/src/libstrongswan/plugins/pubkey/Makefile.am b/src/libstrongswan/plugins/pubkey/Makefile.am
index 9423e6689..770d77325 100644
--- a/src/libstrongswan/plugins/pubkey/Makefile.am
+++ b/src/libstrongswan/plugins/pubkey/Makefile.am
@@ -6,8 +6,7 @@ AM_CFLAGS = -rdynamic
 plugin_LTLIBRARIES = libstrongswan-pubkey.la
 
 libstrongswan_pubkey_la_SOURCES = pubkey_plugin.h pubkey_plugin.c \
-  pubkey_cert.h pubkey_cert.c\
-  pubkey_public_key.h pubkey_public_key.c
+  pubkey_cert.h pubkey_cert.c
 
 libstrongswan_pubkey_la_LDFLAGS = -module -avoid-version
 
diff --git a/src/libstrongswan/plugins/pubkey/Makefile.in b/src/libstrongswan/plugins/pubkey/Makefile.in
index a672e2ea8..f95e7b357 100644
--- a/src/libstrongswan/plugins/pubkey/Makefile.in
+++ b/src/libstrongswan/plugins/pubkey/Makefile.in
@@ -1,8 +1,9 @@
-# Makefile.in generated by automake 1.10.2 from Makefile.am.
+# Makefile.in generated by automake 1.11 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,8 +17,9 @@
 
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
@@ -35,23 +37,44 @@ host_triplet = @host@
 subdir = src/libstrongswan/plugins/pubkey
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
 CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
 am__vpath_adj = case $$p in \
     $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
     *) f=$$p;; \
   esac;
-am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__installdirs = "$(DESTDIR)$(plugindir)"
-pluginLTLIBRARIES_INSTALL = $(INSTALL)
 LTLIBRARIES = $(plugin_LTLIBRARIES)
 libstrongswan_pubkey_la_LIBADD =
-am_libstrongswan_pubkey_la_OBJECTS = pubkey_plugin.lo pubkey_cert.lo \
-	pubkey_public_key.lo
+am_libstrongswan_pubkey_la_OBJECTS = pubkey_plugin.lo pubkey_cert.lo
 libstrongswan_pubkey_la_OBJECTS =  \
 	$(am_libstrongswan_pubkey_la_OBJECTS)
 libstrongswan_pubkey_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
@@ -60,6 +83,7 @@ libstrongswan_pubkey_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
+am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
@@ -107,25 +131,22 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
-IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
-LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
-LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
-LINUX_HEADERS = @LINUX_HEADERS@
 LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
 NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
@@ -137,11 +158,14 @@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
 PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
+RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
@@ -170,9 +194,9 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
-confdir = @confdir@
 datadir = @datadir@
 datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
@@ -195,7 +219,7 @@ ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
 libstrongswan_plugins = @libstrongswan_plugins@
-linuxdir = @linuxdir@
+linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
@@ -203,6 +227,7 @@ mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
@@ -211,10 +236,12 @@ pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+random_device = @random_device@
 resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
-simreader = @simreader@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
@@ -222,14 +249,14 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
 AM_CFLAGS = -rdynamic
 plugin_LTLIBRARIES = libstrongswan-pubkey.la
 libstrongswan_pubkey_la_SOURCES = pubkey_plugin.h pubkey_plugin.c \
-  pubkey_cert.h pubkey_cert.c\
-  pubkey_public_key.h pubkey_public_key.c
+  pubkey_cert.h pubkey_cert.c
 
 libstrongswan_pubkey_la_LDFLAGS = -module -avoid-version
 all: all-am
@@ -245,9 +272,9 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/libstrongswan/plugins/pubkey/Makefile'; \
-	cd $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu  src/libstrongswan/plugins/pubkey/Makefile
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/pubkey/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libstrongswan/plugins/pubkey/Makefile
 .PRECIOUS: Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
@@ -265,23 +292,28 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
 	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
 	  if test -f $$p; then \
-	    f=$(am__strip_dir) \
-	    echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(plugindir)/$$f'"; \
-	    $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(plugindir)/$$f"; \
+	    list2="$$list2 $$p"; \
 	  else :; fi; \
-	done
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
 
 uninstall-pluginLTLIBRARIES:
 	@$(NORMAL_UNINSTALL)
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
-	  p=$(am__strip_dir) \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$p'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$p"; \
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
 	done
 
 clean-pluginLTLIBRARIES:
@@ -303,25 +335,24 @@ distclean-compile:
 
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pubkey_cert.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pubkey_plugin.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pubkey_public_key.Plo@am__quote@
 
 .c.o:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c $<
 
 .c.obj:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
 @am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
@@ -344,7 +375,7 @@ tags: TAGS
 
 TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
+	set x; \
 	here=`pwd`; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
@@ -352,29 +383,34 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
 	  test -n "$$unique" || unique=$$empty_fix; \
-	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	    $$tags $$unique; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
 	fi
 ctags: CTAGS
 CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	test -z "$(CTAGS_ARGS)$$unique" \
 	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$tags $$unique
+	     $$unique
 
 GTAGS:
 	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && cd $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) $$here
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
 
 distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
@@ -395,13 +431,17 @@ distdir: $(DISTFILES)
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
 	  if test -d $$d/$$file; then \
 	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
 	    fi; \
-	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
 	  else \
-	    test -f $(distdir)/$$file \
-	    || cp -p $$d/$$file $(distdir)/$$file \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
 	    || exit 1; \
 	  fi; \
 	done
@@ -432,6 +472,7 @@ clean-generic:
 
 distclean-generic:
 	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -453,6 +494,8 @@ dvi-am:
 
 html: html-am
 
+html-am:
+
 info: info-am
 
 info-am:
@@ -461,18 +504,28 @@ install-data-am: install-pluginLTLIBRARIES
 
 install-dvi: install-dvi-am
 
+install-dvi-am:
+
 install-exec-am:
 
 install-html: install-html-am
 
+install-html-am:
+
 install-info: install-info-am
 
+install-info-am:
+
 install-man:
 
 install-pdf: install-pdf-am
 
+install-pdf-am:
+
 install-ps: install-ps-am
 
+install-ps-am:
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -511,6 +564,7 @@ uninstall-am: uninstall-pluginLTLIBRARIES
 	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
 	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
 
+
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/src/libstrongswan/plugins/pubkey/pubkey_cert.c b/src/libstrongswan/plugins/pubkey/pubkey_cert.c
index 863a8a1d4..f149f6379 100644
--- a/src/libstrongswan/plugins/pubkey/pubkey_cert.c
+++ b/src/libstrongswan/plugins/pubkey/pubkey_cert.c
@@ -17,11 +17,6 @@
 
 #include <debug.h>
 
-/**
- * defined in pubkey_public_key.c
- */
-extern public_key_t *pubkey_public_key_load(chunk_t blob);
-
 typedef struct private_pubkey_cert_t private_pubkey_cert_t;
 
 /**
@@ -33,17 +28,22 @@ struct private_pubkey_cert_t {
 	 * public functions
 	 */
 	pubkey_cert_t public;
-	
+
 	/**
 	 * wrapped public key
 	 */
 	public_key_t *key;
-	
+
 	/**
 	 * dummy issuer id, ID_ANY
 	 */
 	identification_t *issuer;
-	
+
+	/**
+	 * subject, ID_KEY_ID of the public key
+	 */
+	identification_t *subject;
+
 	/**
 	 * reference count
 	 */
@@ -63,7 +63,7 @@ static certificate_type_t get_type(private_pubkey_cert_t *this)
  */
 static identification_t* get_subject(private_pubkey_cert_t *this)
 {
-	return this->key->get_id(this->key, ID_PUBKEY_INFO_SHA1);
+	return this->subject;
 }
 
 /**
@@ -80,14 +80,21 @@ static identification_t* get_issuer(private_pubkey_cert_t *this)
 static id_match_t has_subject(private_pubkey_cert_t *this,
 							  identification_t *subject)
 {
-	identification_t *id;
-	
-	id = this->key->get_id(this->key, subject->get_type(subject));
-	if (id)
+	if (subject->get_type(subject) == ID_KEY_ID)
 	{
-		return id->matches(id, subject);
+		key_encoding_type_t type;
+		chunk_t fingerprint;
+
+		for (type = 0; type < KEY_ENCODING_MAX; type++)
+		{
+			if (this->key->get_fingerprint(this->key, type, &fingerprint) &&
+				chunk_equals(fingerprint, subject->get_encoding(subject)))
+			{
+				return ID_MATCH_PERFECT;
+			}
+		}
 	}
-	return ID_MATCH_NONE;	
+	return ID_MATCH_NONE;
 }
 
 /**
@@ -104,15 +111,19 @@ static id_match_t has_issuer(private_pubkey_cert_t *this,
  */
 static bool equals(private_pubkey_cert_t *this, certificate_t *other)
 {
-	if (this == (private_pubkey_cert_t*)other)
-	{
-		return TRUE;
-	}
-	if (other->get_type(other) != CERT_TRUSTED_PUBKEY)
+	public_key_t *other_key;
+
+	other_key = other->get_public_key(other);
+	if (other_key)
 	{
-		return FALSE;
+		if (public_key_equals(this->key, other_key))
+		{
+			other_key->destroy(other_key);
+			return TRUE;
+		}
+		other_key->destroy(other_key);
 	}
-	return other->has_subject(other, this->key->get_id(this->key, ID_PUBKEY_INFO_SHA1));
+	return FALSE;
 }
 
 /**
@@ -131,6 +142,7 @@ static public_key_t* get_public_key(private_pubkey_cert_t *this)
 	this->key->get_ref(this->key);
 	return this->key;
 }
+
 /**
  * Implementation of certificate_t.get_validity.
  */
@@ -155,13 +167,19 @@ static bool is_newer(certificate_t *this, certificate_t *that)
 {
 	return FALSE;
 }
-	
+
 /**
  * Implementation of certificate_t.get_encoding.
  */
 static chunk_t get_encoding(private_pubkey_cert_t *this)
 {
-	return this->key->get_encoding(this->key);
+	chunk_t encoding;
+
+	if (this->key->get_encoding(this->key, KEY_PUB_ASN1_DER, &encoding))
+	{
+		return encoding;
+	}
+	return chunk_empty;
 }
 
 /**
@@ -180,6 +198,7 @@ static void destroy(private_pubkey_cert_t *this)
 {
 	if (ref_put(&this->ref))
 	{
+		this->subject->destroy(this->subject);
 		this->issuer->destroy(this->issuer);
 		this->key->destroy(this->key);
 		free(this);
@@ -192,7 +211,8 @@ static void destroy(private_pubkey_cert_t *this)
 static pubkey_cert_t *pubkey_cert_create(public_key_t *key)
 {
 	private_pubkey_cert_t *this = malloc_thing(private_pubkey_cert_t);
-	
+	chunk_t fingerprint;
+
 	this->public.interface.get_type = (certificate_type_t (*)(certificate_t *this))get_type;
 	this->public.interface.get_subject = (identification_t* (*)(certificate_t *this))get_subject;
 	this->public.interface.get_issuer = (identification_t* (*)(certificate_t *this))get_issuer;
@@ -206,97 +226,60 @@ static pubkey_cert_t *pubkey_cert_create(public_key_t *key)
 	this->public.interface.equals = (bool (*)(certificate_t*, certificate_t *other))equals;
 	this->public.interface.get_ref = (certificate_t* (*)(certificate_t *this))get_ref;
 	this->public.interface.destroy = (void (*)(certificate_t *this))destroy;
-	
+
 	this->ref = 1;
 	this->key = key;
 	this->issuer = identification_create_from_encoding(ID_ANY, chunk_empty);
-	
-	return &this->public;
-}
-
-static pubkey_cert_t *pubkey_cert_create_from_chunk(chunk_t blob)
-{
-	public_key_t *key = pubkey_public_key_load(chunk_clone(blob));
+	if (key->get_fingerprint(key, KEY_ID_PUBKEY_INFO_SHA1, &fingerprint))
+	{
+		this->subject = identification_create_from_encoding(ID_KEY_ID, fingerprint);
+	}
+	else
+	{
+		this->subject = identification_create_from_encoding(ID_ANY, chunk_empty);
+	}
 
-	return (key)? pubkey_cert_create(key) : NULL;
+	return &this->public;
 }
 
-typedef struct private_builder_t private_builder_t;
 /**
- * Builder implementation for key loading
+ * See header.
  */
-struct private_builder_t {
-	/** implements the builder interface */
-	builder_t public;
-	/** loaded public key */
-	pubkey_cert_t *key;
-};
-
-/**
- * Implementation of builder_t.build
- */
-static pubkey_cert_t *build(private_builder_t *this)
+pubkey_cert_t *pubkey_cert_wrap(certificate_type_t type, va_list args)
 {
-	pubkey_cert_t *key = this->key;
-	
-	free(this);
-	return key;
-}
+	public_key_t *key = NULL;
+	chunk_t blob = chunk_empty;
 
-/**
- * Implementation of builder_t.add
- */
-static void add(private_builder_t *this, builder_part_t part, ...)
-{
-	if (!this->key)
+	while (TRUE)
 	{
-		va_list args;
-	
-		switch (part)
+		switch (va_arg(args, builder_part_t))
 		{
 			case BUILD_BLOB_ASN1_DER:
-			{
-				va_start(args, part);
-				this->key = pubkey_cert_create_from_chunk(va_arg(args, chunk_t));
-				va_end(args);
-				return;
-			}
+				blob = va_arg(args, chunk_t);
+				continue;
 			case BUILD_PUBLIC_KEY:
-			{
-				va_start(args, part);
-				this->key = pubkey_cert_create(va_arg(args, public_key_t*));
-				va_end(args);
-				return;
-			}
-			default:
+				key = va_arg(args, public_key_t*);
+				continue;
+			case BUILD_END:
 				break;
+			default:
+				return NULL;
 		}
+		break;
 	}
-	if (this->key)
+	if (key)
 	{
-		destroy((private_pubkey_cert_t*)this->key);
+		key->get_ref(key);
 	}
-	builder_cancel(&this->public);
-}
-
-/**
- * Builder construction function
- */
-builder_t *pubkey_cert_builder(certificate_type_t type)
-{
-	private_builder_t *this;
-	
-	if (type != CERT_TRUSTED_PUBKEY)
+	else if (blob.ptr)
 	{
-		return NULL;
+		key = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ANY,
+								 BUILD_BLOB_ASN1_DER, blob, BUILD_END);
 	}
-	
-	this = malloc_thing(private_builder_t);
-	
-	this->key = NULL;
-	this->public.add = (void(*)(builder_t *this, builder_part_t part, ...))add;
-	this->public.build = (void*(*)(builder_t *this))build;
-	
-	return &this->public;
+	if (key)
+	{
+		return pubkey_cert_create(key);
+	}
+	return NULL;
 }
 
diff --git a/src/libstrongswan/plugins/pubkey/pubkey_cert.h b/src/libstrongswan/plugins/pubkey/pubkey_cert.h
index 394fc8b98..a2d735342 100644
--- a/src/libstrongswan/plugins/pubkey/pubkey_cert.h
+++ b/src/libstrongswan/plugins/pubkey/pubkey_cert.h
@@ -21,6 +21,7 @@
 #ifndef PUBKEY_CERT_H_
 #define PUBKEY_CERT_H_
 
+#include <credentials/builder.h>
 #include <credentials/certificates/certificate.h>
 
 typedef struct pubkey_cert_t pubkey_cert_t;
@@ -37,13 +38,14 @@ struct pubkey_cert_t {
 };
 
 /**
- * Create the builder for a trusted public key.
+ * Create a trusted public key cert using a public key.
  *
- * The builders add() function takes BUILD_PUBLIC_KEY to enwrap.
+ * The build accepts a BUILD_PUBLIC_KEY or a BUILD_BLOB_ASN1_DER part.
  *
  * @param type		type of the certificate, must be CERT_pubkey_cert
- * @return 			builder instance
+ * @param args		builder_part_t argument list
+ * @return 			pubkey_cert_t, NULL on failure
  */
-builder_t *pubkey_cert_builder(certificate_type_t type);
+pubkey_cert_t *pubkey_cert_wrap(certificate_type_t type, va_list args);
 
 #endif /** PUBKEY_CERT_H_ @}*/
diff --git a/src/libstrongswan/plugins/pubkey/pubkey_plugin.c b/src/libstrongswan/plugins/pubkey/pubkey_plugin.c
index 7672e8dc1..ad84eed99 100644
--- a/src/libstrongswan/plugins/pubkey/pubkey_plugin.c
+++ b/src/libstrongswan/plugins/pubkey/pubkey_plugin.c
@@ -17,7 +17,6 @@
 
 #include <library.h>
 #include "pubkey_cert.h"
-#include "pubkey_public_key.h"
 
 typedef struct private_pubkey_plugin_t private_pubkey_plugin_t;
 
@@ -38,9 +37,7 @@ struct private_pubkey_plugin_t {
 static void destroy(private_pubkey_plugin_t *this)
 {
 	lib->creds->remove_builder(lib->creds,
-							(builder_constructor_t)pubkey_cert_builder);
-	lib->creds->remove_builder(lib->creds,
-							(builder_constructor_t)pubkey_public_key_builder);
+							(builder_function_t)pubkey_cert_wrap);
 	free(this);
 }
 
@@ -50,13 +47,11 @@ static void destroy(private_pubkey_plugin_t *this)
 plugin_t *plugin_create()
 {
 	private_pubkey_plugin_t *this = malloc_thing(private_pubkey_plugin_t);
-	
+
 	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
 
 	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_TRUSTED_PUBKEY,
-							(builder_constructor_t)pubkey_cert_builder);
-	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_ANY,
-							(builder_constructor_t)pubkey_public_key_builder);
+							(builder_function_t)pubkey_cert_wrap);
 
 	return &this->public.plugin;
 }
diff --git a/src/libstrongswan/plugins/pubkey/pubkey_public_key.c b/src/libstrongswan/plugins/pubkey/pubkey_public_key.c
deleted file mode 100644
index 6d3ae66ab..000000000
--- a/src/libstrongswan/plugins/pubkey/pubkey_public_key.c
+++ /dev/null
@@ -1,184 +0,0 @@
-/*
- * Copyright (C) 2008 Tobias Brunner
- * Copyright (C) 2008 Martin Willi
- * Copyright (C) 2000-2008 Andreas Steffen
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "pubkey_public_key.h"
-
-#include <debug.h>
-#include <asn1/pem.h>
-#include <asn1/oid.h>
-#include <asn1/asn1.h>
-#include <asn1/asn1_parser.h>
-
-/**
- * ASN.1 definition of a subjectPublicKeyInfo structure
- */
-static const asn1Object_t pkinfoObjects[] = {
-	{ 0, "subjectPublicKeyInfo",ASN1_SEQUENCE,		ASN1_NONE	}, /* 0 */
-	{ 1,   "algorithm",			ASN1_EOC,			ASN1_RAW	}, /* 1 */
-	{ 1,   "subjectPublicKey",	ASN1_BIT_STRING,	ASN1_BODY	}, /* 2 */
-	{ 0, "exit",				ASN1_EOC,			ASN1_EXIT	}
-};
-#define PKINFO_SUBJECT_PUBLIC_KEY_ALGORITHM	1
-#define PKINFO_SUBJECT_PUBLIC_KEY			2
-
-
-/**
- * Load a public key from an ASN.1 encoded blob
- * Also used by pubkey_cert.c
- */
-public_key_t *pubkey_public_key_load(chunk_t blob)
-{
-	asn1_parser_t *parser;
-	chunk_t object;
-	int objectID;
-	public_key_t *key = NULL;
-	key_type_t type = KEY_ANY;
-
-	parser = asn1_parser_create(pkinfoObjects, blob);
-	
-	while (parser->iterate(parser, &objectID, &object))
-	{
-		switch (objectID)
-		{
-			case PKINFO_SUBJECT_PUBLIC_KEY_ALGORITHM:
-			{
-				int oid = asn1_parse_algorithmIdentifier(object,
-										parser->get_level(parser)+1, NULL);
-				
-				if (oid == OID_RSA_ENCRYPTION)
-				{
-					type = KEY_RSA;
-				}
-				else if (oid == OID_EC_PUBLICKEY)
-				{
-					/* we need the whole subjectPublicKeyInfo for EC public keys */
-					key = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, 
-								KEY_ECDSA, BUILD_BLOB_ASN1_DER, blob, BUILD_END);
-					goto end;
-				}
-				else
-				{
-					/* key type not supported */
-					goto end;
-				}
-				break;
-			}
-			case PKINFO_SUBJECT_PUBLIC_KEY:
-				if (object.len > 0 && *object.ptr == 0x00)
-				{
-					/* skip initial bit string octet defining 0 unused bits */
-					object = chunk_skip(object, 1);
-				}
-				key = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, type,
-										 BUILD_BLOB_ASN1_DER, object, BUILD_END);
-				break;
-		}
-	} 
-	
-end:
-	parser->destroy(parser);
-	free(blob.ptr);
-	return key; 
-}
-
-typedef struct private_builder_t private_builder_t;
-/**
- * Builder implementation for key loading
- */
-struct private_builder_t {
-	/** implements the builder interface */
-	builder_t public;
-	/** loaded public key */
-	public_key_t *key;
-};
-
-/**
- * Implementation of builder_t.build
- */
-static public_key_t *build(private_builder_t *this)
-{
-	public_key_t *key = this->key;
-	
-	free(this);
-	return key;
-}
-
-/**
- * Implementation of builder_t.add
- */
-static void add(private_builder_t *this, builder_part_t part, ...)
-{
-	if (!this->key)
-	{
-		va_list args;
-		chunk_t blob;
-		
-		switch (part)
-		{
-			case BUILD_BLOB_ASN1_DER:
-			{
-				va_start(args, part);
-				blob = va_arg(args, chunk_t);
-				this->key = pubkey_public_key_load(chunk_clone(blob));
-				va_end(args);
-				return;
-			}
-			case BUILD_BLOB_ASN1_PEM:
-			{
-				bool pgp;
-				char *pem;
-			
-				va_start(args, part);
-				pem = va_arg(args, char *);
-				blob = chunk_clone(chunk_create(pem, strlen(pem)));
-				if (pem_to_bin(&blob, chunk_empty, &pgp) == SUCCESS)
-				{
-					this->key = pubkey_public_key_load(chunk_clone(blob));
-				}
-				free(blob.ptr);
-				va_end(args);
-				return;
-			}
-			default:
-				break;
-		}
-	}
-	DESTROY_IF(this->key);
-	builder_cancel(&this->public);
-}
-
-/**
- * Builder construction function
- */
-builder_t *pubkey_public_key_builder(key_type_t type)
-{
-	private_builder_t *this;
-	
-	if (type != KEY_ANY)
-	{
-		return NULL;
-	}
-	
-	this = malloc_thing(private_builder_t);
-	
-	this->key = NULL;
-	this->public.add = (void(*)(builder_t *this, builder_part_t part, ...))add;
-	this->public.build = (void*(*)(builder_t *this))build;
-	
-	return &this->public;
-}
-
diff --git a/src/libstrongswan/plugins/pubkey/pubkey_public_key.h b/src/libstrongswan/plugins/pubkey/pubkey_public_key.h
deleted file mode 100644
index d3198fab2..000000000
--- a/src/libstrongswan/plugins/pubkey/pubkey_public_key.h
+++ /dev/null
@@ -1,34 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup pubkey_public_key pubkey_public_key
- * @{ @ingroup pubkey_p
- */
-
-#ifndef PUBKEY_PUBLIC_KEY_H_
-#define PUBKEY_PUBLIC_KEY_H_
-
-#include <credentials/keys/public_key.h>
-
-/**
- * Create the builder for a generic public key.
- *
- * @param type		type of the key, must be KEY_ANY
- * @return 			builder instance
- */
-builder_t *pubkey_public_key_builder(key_type_t type);
-
-#endif /** PUBKEY_RSA_PUBLIC_KEY_H_ @}*/
diff --git a/src/libstrongswan/plugins/random/Makefile.am b/src/libstrongswan/plugins/random/Makefile.am
index 9a11b8567..7c2283ae7 100644
--- a/src/libstrongswan/plugins/random/Makefile.am
+++ b/src/libstrongswan/plugins/random/Makefile.am
@@ -1,7 +1,9 @@
 
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = -rdynamic \
+-DDEV_RANDOM=\"${random_device}\" \
+-DDEV_URANDOM=\"${urandom_device}\"
 
 plugin_LTLIBRARIES = libstrongswan-random.la
 
diff --git a/src/libstrongswan/plugins/random/Makefile.in b/src/libstrongswan/plugins/random/Makefile.in
index a2869fb51..355ab14bc 100644
--- a/src/libstrongswan/plugins/random/Makefile.in
+++ b/src/libstrongswan/plugins/random/Makefile.in
@@ -1,8 +1,9 @@
-# Makefile.in generated by automake 1.10.2 from Makefile.am.
+# Makefile.in generated by automake 1.11 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,8 +17,9 @@
 
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
@@ -35,19 +37,41 @@ host_triplet = @host@
 subdir = src/libstrongswan/plugins/random
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
 CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
 am__vpath_adj = case $$p in \
     $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
     *) f=$$p;; \
   esac;
-am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__installdirs = "$(DESTDIR)$(plugindir)"
-pluginLTLIBRARIES_INSTALL = $(INSTALL)
 LTLIBRARIES = $(plugin_LTLIBRARIES)
 libstrongswan_random_la_LIBADD =
 am_libstrongswan_random_la_OBJECTS = random_plugin.lo random_rng.lo
@@ -59,6 +83,7 @@ libstrongswan_random_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
+am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
@@ -106,25 +131,22 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
-IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
-LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
-LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
-LINUX_HEADERS = @LINUX_HEADERS@
 LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
 NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
@@ -136,11 +158,14 @@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
 PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
+RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
@@ -169,9 +194,9 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
-confdir = @confdir@
 datadir = @datadir@
 datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
@@ -194,7 +219,7 @@ ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
 libstrongswan_plugins = @libstrongswan_plugins@
-linuxdir = @linuxdir@
+linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
@@ -202,6 +227,7 @@ mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
@@ -210,10 +236,12 @@ pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+random_device = @random_device@
 resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
-simreader = @simreader@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
@@ -221,10 +249,14 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = -rdynamic \
+-DDEV_RANDOM=\"${random_device}\" \
+-DDEV_URANDOM=\"${urandom_device}\"
+
 plugin_LTLIBRARIES = libstrongswan-random.la
 libstrongswan_random_la_SOURCES = random_plugin.h random_plugin.c \
   random_rng.c random_rng.h
@@ -243,9 +275,9 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/libstrongswan/plugins/random/Makefile'; \
-	cd $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu  src/libstrongswan/plugins/random/Makefile
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/random/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libstrongswan/plugins/random/Makefile
 .PRECIOUS: Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
@@ -263,23 +295,28 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
 	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
 	  if test -f $$p; then \
-	    f=$(am__strip_dir) \
-	    echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(plugindir)/$$f'"; \
-	    $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(plugindir)/$$f"; \
+	    list2="$$list2 $$p"; \
 	  else :; fi; \
-	done
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
 
 uninstall-pluginLTLIBRARIES:
 	@$(NORMAL_UNINSTALL)
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
-	  p=$(am__strip_dir) \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$p'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$p"; \
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
 	done
 
 clean-pluginLTLIBRARIES:
@@ -304,21 +341,21 @@ distclean-compile:
 
 .c.o:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c $<
 
 .c.obj:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
 @am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
@@ -341,7 +378,7 @@ tags: TAGS
 
 TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
+	set x; \
 	here=`pwd`; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
@@ -349,29 +386,34 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
 	  test -n "$$unique" || unique=$$empty_fix; \
-	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	    $$tags $$unique; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
 	fi
 ctags: CTAGS
 CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	test -z "$(CTAGS_ARGS)$$unique" \
 	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$tags $$unique
+	     $$unique
 
 GTAGS:
 	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && cd $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) $$here
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
 
 distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
@@ -392,13 +434,17 @@ distdir: $(DISTFILES)
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
 	  if test -d $$d/$$file; then \
 	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
 	    fi; \
-	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
 	  else \
-	    test -f $(distdir)/$$file \
-	    || cp -p $$d/$$file $(distdir)/$$file \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
 	    || exit 1; \
 	  fi; \
 	done
@@ -429,6 +475,7 @@ clean-generic:
 
 distclean-generic:
 	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -450,6 +497,8 @@ dvi-am:
 
 html: html-am
 
+html-am:
+
 info: info-am
 
 info-am:
@@ -458,18 +507,28 @@ install-data-am: install-pluginLTLIBRARIES
 
 install-dvi: install-dvi-am
 
+install-dvi-am:
+
 install-exec-am:
 
 install-html: install-html-am
 
+install-html-am:
+
 install-info: install-info-am
 
+install-info-am:
+
 install-man:
 
 install-pdf: install-pdf-am
 
+install-pdf-am:
+
 install-ps: install-ps-am
 
+install-ps-am:
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -508,6 +567,7 @@ uninstall-am: uninstall-pluginLTLIBRARIES
 	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
 	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
 
+
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/src/libstrongswan/plugins/random/random_plugin.c b/src/libstrongswan/plugins/random/random_plugin.c
index 5f04f1d79..df0a8f556 100644
--- a/src/libstrongswan/plugins/random/random_plugin.c
+++ b/src/libstrongswan/plugins/random/random_plugin.c
@@ -47,14 +47,14 @@ static void destroy(private_random_plugin_t *this)
 plugin_t *plugin_create()
 {
 	private_random_plugin_t *this = malloc_thing(private_random_plugin_t);
-	
+
 	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-	
-	lib->crypto->add_rng(lib->crypto, RNG_STRONG, 
+
+	lib->crypto->add_rng(lib->crypto, RNG_STRONG,
 						 (rng_constructor_t)random_rng_create);
-	lib->crypto->add_rng(lib->crypto, RNG_TRUE, 
+	lib->crypto->add_rng(lib->crypto, RNG_TRUE,
 						 (rng_constructor_t)random_rng_create);
-	
+
 	return &this->public.plugin;
 }
 
diff --git a/src/libstrongswan/plugins/random/random_plugin.h b/src/libstrongswan/plugins/random/random_plugin.h
index 8145c7875..6ce0f71be 100644
--- a/src/libstrongswan/plugins/random/random_plugin.h
+++ b/src/libstrongswan/plugins/random/random_plugin.h
@@ -16,7 +16,7 @@
 /**
  * @defgroup random_p random
  * @ingroup plugins
- * 
+ *
  * @defgroup random_plugin random_plugin
  * @{ @ingroup random_p
  */
diff --git a/src/libstrongswan/plugins/random/random_rng.c b/src/libstrongswan/plugins/random/random_rng.c
index 22d21574e..34f300296 100644
--- a/src/libstrongswan/plugins/random/random_rng.c
+++ b/src/libstrongswan/plugins/random/random_rng.c
@@ -43,12 +43,12 @@ struct private_random_rng_t {
 	 * Public random_rng_t interface.
 	 */
 	random_rng_t public;
-	
+
 	/**
 	 * random device, depends on quality
 	 */
 	int dev;
-	
+
 	/**
 	 * file we read random bytes from
 	 */
@@ -63,9 +63,9 @@ static void get_bytes(private_random_rng_t *this, size_t bytes,
 {
 	size_t done;
 	ssize_t got;
-	
+
 	done = 0;
-	
+
 	while (done < bytes)
 	{
 		got = read(this->dev, buffer + done, bytes - done);
@@ -120,7 +120,7 @@ random_rng_t *random_rng_create(rng_quality_t quality)
 	{
 		this->file = DEV_URANDOM;
 	}
-	
+
 	this->dev = open(this->file, 0);
 	if (this->dev < 0)
 	{
diff --git a/src/libstrongswan/plugins/random/random_rng.h b/src/libstrongswan/plugins/random/random_rng.h
index bcb9cb204..4e6f3afb2 100644
--- a/src/libstrongswan/plugins/random/random_rng.h
+++ b/src/libstrongswan/plugins/random/random_rng.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  */
- 
+
 /**
  * @defgroup random_rng random_rng
  * @{ @ingroup random_p
@@ -29,7 +29,7 @@ typedef struct random_rng_t random_rng_t;
  * rng_t implementation on top of /dev/[u]random
  */
 struct random_rng_t {
-	
+
 	/**
 	 * Implements rng_t.
 	 */
@@ -38,7 +38,7 @@ struct random_rng_t {
 
 /**
  * Creates an random_rng_t instance.
- * 
+ *
  * @param quality	required quality of randomness
  * @return			created random_rng_t
  */
diff --git a/src/libstrongswan/plugins/sha1/Makefile.in b/src/libstrongswan/plugins/sha1/Makefile.in
index f1f5807ab..4f08b882c 100644
--- a/src/libstrongswan/plugins/sha1/Makefile.in
+++ b/src/libstrongswan/plugins/sha1/Makefile.in
@@ -1,8 +1,9 @@
-# Makefile.in generated by automake 1.10.2 from Makefile.am.
+# Makefile.in generated by automake 1.11 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,8 +17,9 @@
 
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
@@ -35,19 +37,41 @@ host_triplet = @host@
 subdir = src/libstrongswan/plugins/sha1
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
 CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
 am__vpath_adj = case $$p in \
     $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
     *) f=$$p;; \
   esac;
-am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__installdirs = "$(DESTDIR)$(plugindir)"
-pluginLTLIBRARIES_INSTALL = $(INSTALL)
 LTLIBRARIES = $(plugin_LTLIBRARIES)
 libstrongswan_sha1_la_LIBADD =
 am_libstrongswan_sha1_la_OBJECTS = sha1_plugin.lo sha1_hasher.lo \
@@ -59,6 +83,7 @@ libstrongswan_sha1_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
+am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
@@ -106,25 +131,22 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
-IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
-LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
-LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
-LINUX_HEADERS = @LINUX_HEADERS@
 LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
 NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
@@ -136,11 +158,14 @@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
 PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
+RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
@@ -169,9 +194,9 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
-confdir = @confdir@
 datadir = @datadir@
 datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
@@ -194,7 +219,7 @@ ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
 libstrongswan_plugins = @libstrongswan_plugins@
-linuxdir = @linuxdir@
+linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
@@ -202,6 +227,7 @@ mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
@@ -210,10 +236,12 @@ pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+random_device = @random_device@
 resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
-simreader = @simreader@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
@@ -221,6 +249,7 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
@@ -243,9 +272,9 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/libstrongswan/plugins/sha1/Makefile'; \
-	cd $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu  src/libstrongswan/plugins/sha1/Makefile
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/sha1/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libstrongswan/plugins/sha1/Makefile
 .PRECIOUS: Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
@@ -263,23 +292,28 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
 	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
 	  if test -f $$p; then \
-	    f=$(am__strip_dir) \
-	    echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(plugindir)/$$f'"; \
-	    $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(plugindir)/$$f"; \
+	    list2="$$list2 $$p"; \
 	  else :; fi; \
-	done
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
 
 uninstall-pluginLTLIBRARIES:
 	@$(NORMAL_UNINSTALL)
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
-	  p=$(am__strip_dir) \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$p'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$p"; \
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
 	done
 
 clean-pluginLTLIBRARIES:
@@ -305,21 +339,21 @@ distclean-compile:
 
 .c.o:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c $<
 
 .c.obj:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
 @am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
@@ -342,7 +376,7 @@ tags: TAGS
 
 TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
+	set x; \
 	here=`pwd`; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
@@ -350,29 +384,34 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
 	  test -n "$$unique" || unique=$$empty_fix; \
-	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	    $$tags $$unique; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
 	fi
 ctags: CTAGS
 CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	test -z "$(CTAGS_ARGS)$$unique" \
 	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$tags $$unique
+	     $$unique
 
 GTAGS:
 	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && cd $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) $$here
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
 
 distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
@@ -393,13 +432,17 @@ distdir: $(DISTFILES)
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
 	  if test -d $$d/$$file; then \
 	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
 	    fi; \
-	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
 	  else \
-	    test -f $(distdir)/$$file \
-	    || cp -p $$d/$$file $(distdir)/$$file \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
 	    || exit 1; \
 	  fi; \
 	done
@@ -430,6 +473,7 @@ clean-generic:
 
 distclean-generic:
 	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -451,6 +495,8 @@ dvi-am:
 
 html: html-am
 
+html-am:
+
 info: info-am
 
 info-am:
@@ -459,18 +505,28 @@ install-data-am: install-pluginLTLIBRARIES
 
 install-dvi: install-dvi-am
 
+install-dvi-am:
+
 install-exec-am:
 
 install-html: install-html-am
 
+install-html-am:
+
 install-info: install-info-am
 
+install-info-am:
+
 install-man:
 
 install-pdf: install-pdf-am
 
+install-pdf-am:
+
 install-ps: install-ps-am
 
+install-ps-am:
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -509,6 +565,7 @@ uninstall-am: uninstall-pluginLTLIBRARIES
 	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
 	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
 
+
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/src/libstrongswan/plugins/sha1/sha1_hasher.c b/src/libstrongswan/plugins/sha1/sha1_hasher.c
index ba3dd9592..85bc89f37 100644
--- a/src/libstrongswan/plugins/sha1/sha1_hasher.c
+++ b/src/libstrongswan/plugins/sha1/sha1_hasher.c
@@ -2,7 +2,7 @@
  * Copyright (C) 2005-2006 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
- * 
+ *
  * Ported from Steve Reid's <steve@edmweb.com> implementation
  * "SHA1 in C" found in strongSwan.
  *
@@ -24,7 +24,7 @@
 
 /*
  * ugly macro stuff
- */ 
+ */
 #define rol(value, bits) (((value) << (bits)) | ((value) >> (32 - (bits))))
 
 #if BYTE_ORDER == LITTLE_ENDIAN
@@ -54,64 +54,64 @@ struct private_sha1_hasher_t {
 	 * Public interface for this hasher.
 	 */
 	sha1_hasher_t public;
-	
+
 	/*
 	 * State of the hasher. Shared with sha1_prf.c, do not change it!!!
 	 */
 	u_int32_t state[5];
-    u_int32_t count[2];
-    u_int8_t buffer[64];
+	u_int32_t count[2];
+	u_int8_t buffer[64];
 };
 
-/* 
+/*
  * Hash a single 512-bit block. This is the core of the algorithm. *
  */
 static void SHA1Transform(u_int32_t state[5], const unsigned char buffer[64])
 {
 	u_int32_t a, b, c, d, e;
 	typedef union {
-    	u_int8_t c[64];
-    	u_int32_t l[16];
+		u_int8_t c[64];
+		u_int32_t l[16];
 	} CHAR64LONG16;
 	CHAR64LONG16 block[1];  /* use array to appear as a pointer */
-    memcpy(block, buffer, 64);
+	memcpy(block, buffer, 64);
 
-    /* Copy context->state[] to working vars */
-    a = state[0];
-    b = state[1];
-    c = state[2];
-    d = state[3];
-    e = state[4];
-    /* 4 rounds of 20 operations each. Loop unrolled. */
-    R0(a,b,c,d,e, 0); R0(e,a,b,c,d, 1); R0(d,e,a,b,c, 2); R0(c,d,e,a,b, 3);
-    R0(b,c,d,e,a, 4); R0(a,b,c,d,e, 5); R0(e,a,b,c,d, 6); R0(d,e,a,b,c, 7);
-    R0(c,d,e,a,b, 8); R0(b,c,d,e,a, 9); R0(a,b,c,d,e,10); R0(e,a,b,c,d,11);
-    R0(d,e,a,b,c,12); R0(c,d,e,a,b,13); R0(b,c,d,e,a,14); R0(a,b,c,d,e,15);
-    R1(e,a,b,c,d,16); R1(d,e,a,b,c,17); R1(c,d,e,a,b,18); R1(b,c,d,e,a,19);
-    R2(a,b,c,d,e,20); R2(e,a,b,c,d,21); R2(d,e,a,b,c,22); R2(c,d,e,a,b,23);
-    R2(b,c,d,e,a,24); R2(a,b,c,d,e,25); R2(e,a,b,c,d,26); R2(d,e,a,b,c,27);
-    R2(c,d,e,a,b,28); R2(b,c,d,e,a,29); R2(a,b,c,d,e,30); R2(e,a,b,c,d,31);
-    R2(d,e,a,b,c,32); R2(c,d,e,a,b,33); R2(b,c,d,e,a,34); R2(a,b,c,d,e,35);
-    R2(e,a,b,c,d,36); R2(d,e,a,b,c,37); R2(c,d,e,a,b,38); R2(b,c,d,e,a,39);
-    R3(a,b,c,d,e,40); R3(e,a,b,c,d,41); R3(d,e,a,b,c,42); R3(c,d,e,a,b,43);
-    R3(b,c,d,e,a,44); R3(a,b,c,d,e,45); R3(e,a,b,c,d,46); R3(d,e,a,b,c,47);
-    R3(c,d,e,a,b,48); R3(b,c,d,e,a,49); R3(a,b,c,d,e,50); R3(e,a,b,c,d,51);
-    R3(d,e,a,b,c,52); R3(c,d,e,a,b,53); R3(b,c,d,e,a,54); R3(a,b,c,d,e,55);
-    R3(e,a,b,c,d,56); R3(d,e,a,b,c,57); R3(c,d,e,a,b,58); R3(b,c,d,e,a,59);
-    R4(a,b,c,d,e,60); R4(e,a,b,c,d,61); R4(d,e,a,b,c,62); R4(c,d,e,a,b,63);
-    R4(b,c,d,e,a,64); R4(a,b,c,d,e,65); R4(e,a,b,c,d,66); R4(d,e,a,b,c,67);
-    R4(c,d,e,a,b,68); R4(b,c,d,e,a,69); R4(a,b,c,d,e,70); R4(e,a,b,c,d,71);
-    R4(d,e,a,b,c,72); R4(c,d,e,a,b,73); R4(b,c,d,e,a,74); R4(a,b,c,d,e,75);
-    R4(e,a,b,c,d,76); R4(d,e,a,b,c,77); R4(c,d,e,a,b,78); R4(b,c,d,e,a,79);
-    /* Add the working vars back into context.state[] */
-    state[0] += a;
-    state[1] += b;
-    state[2] += c;
-    state[3] += d;
-    state[4] += e;
-    /* Wipe variables */
-    a = b = c = d = e = 0;
-    memset(block, '\0', sizeof(block));
+	/* Copy context->state[] to working vars */
+	a = state[0];
+	b = state[1];
+	c = state[2];
+	d = state[3];
+	e = state[4];
+	/* 4 rounds of 20 operations each. Loop unrolled. */
+	R0(a,b,c,d,e, 0); R0(e,a,b,c,d, 1); R0(d,e,a,b,c, 2); R0(c,d,e,a,b, 3);
+	R0(b,c,d,e,a, 4); R0(a,b,c,d,e, 5); R0(e,a,b,c,d, 6); R0(d,e,a,b,c, 7);
+	R0(c,d,e,a,b, 8); R0(b,c,d,e,a, 9); R0(a,b,c,d,e,10); R0(e,a,b,c,d,11);
+	R0(d,e,a,b,c,12); R0(c,d,e,a,b,13); R0(b,c,d,e,a,14); R0(a,b,c,d,e,15);
+	R1(e,a,b,c,d,16); R1(d,e,a,b,c,17); R1(c,d,e,a,b,18); R1(b,c,d,e,a,19);
+	R2(a,b,c,d,e,20); R2(e,a,b,c,d,21); R2(d,e,a,b,c,22); R2(c,d,e,a,b,23);
+	R2(b,c,d,e,a,24); R2(a,b,c,d,e,25); R2(e,a,b,c,d,26); R2(d,e,a,b,c,27);
+	R2(c,d,e,a,b,28); R2(b,c,d,e,a,29); R2(a,b,c,d,e,30); R2(e,a,b,c,d,31);
+	R2(d,e,a,b,c,32); R2(c,d,e,a,b,33); R2(b,c,d,e,a,34); R2(a,b,c,d,e,35);
+	R2(e,a,b,c,d,36); R2(d,e,a,b,c,37); R2(c,d,e,a,b,38); R2(b,c,d,e,a,39);
+	R3(a,b,c,d,e,40); R3(e,a,b,c,d,41); R3(d,e,a,b,c,42); R3(c,d,e,a,b,43);
+	R3(b,c,d,e,a,44); R3(a,b,c,d,e,45); R3(e,a,b,c,d,46); R3(d,e,a,b,c,47);
+	R3(c,d,e,a,b,48); R3(b,c,d,e,a,49); R3(a,b,c,d,e,50); R3(e,a,b,c,d,51);
+	R3(d,e,a,b,c,52); R3(c,d,e,a,b,53); R3(b,c,d,e,a,54); R3(a,b,c,d,e,55);
+	R3(e,a,b,c,d,56); R3(d,e,a,b,c,57); R3(c,d,e,a,b,58); R3(b,c,d,e,a,59);
+	R4(a,b,c,d,e,60); R4(e,a,b,c,d,61); R4(d,e,a,b,c,62); R4(c,d,e,a,b,63);
+	R4(b,c,d,e,a,64); R4(a,b,c,d,e,65); R4(e,a,b,c,d,66); R4(d,e,a,b,c,67);
+	R4(c,d,e,a,b,68); R4(b,c,d,e,a,69); R4(a,b,c,d,e,70); R4(e,a,b,c,d,71);
+	R4(d,e,a,b,c,72); R4(c,d,e,a,b,73); R4(b,c,d,e,a,74); R4(a,b,c,d,e,75);
+	R4(e,a,b,c,d,76); R4(d,e,a,b,c,77); R4(c,d,e,a,b,78); R4(b,c,d,e,a,79);
+	/* Add the working vars back into context.state[] */
+	state[0] += a;
+	state[1] += b;
+	state[2] += c;
+	state[3] += d;
+	state[4] += e;
+	/* Wipe variables */
+	a = b = c = d = e = 0;
+	memset(block, '\0', sizeof(block));
 }
 
 /**
@@ -122,33 +122,33 @@ void SHA1Update(private_sha1_hasher_t* this, u_int8_t *data, u_int32_t len)
 	u_int32_t i;
 	u_int32_t j;
 
-    j = this->count[0];
-    if ((this->count[0] += len << 3) < j)
-    {
+	j = this->count[0];
+	if ((this->count[0] += len << 3) < j)
+	{
 		this->count[1]++;
-    }
-    this->count[1] += (len>>29);
-    j = (j >> 3) & 63;
-    if ((j + len) > 63) 
-    {
-        memcpy(&this->buffer[j], data, (i = 64-j));
-        SHA1Transform(this->state, this->buffer);
-        for ( ; i + 63 < len; i += 64) 
-        {
-            SHA1Transform(this->state, &data[i]);
-        }
-        j = 0;
-    }
-    else 
-    {
-    	i = 0;
-    }
-    memcpy(&this->buffer[j], &data[i], len - i);
+	}
+	this->count[1] += (len>>29);
+	j = (j >> 3) & 63;
+	if ((j + len) > 63)
+	{
+		memcpy(&this->buffer[j], data, (i = 64-j));
+		SHA1Transform(this->state, this->buffer);
+		for ( ; i + 63 < len; i += 64)
+		{
+		    SHA1Transform(this->state, &data[i]);
+		}
+		j = 0;
+	}
+	else
+	{
+		i = 0;
+	}
+	memcpy(&this->buffer[j], &data[i], len - i);
 }
 
 
-/* 
- * Add padding and return the message digest. 
+/*
+ * Add padding and return the message digest.
  */
 static void SHA1Final(private_sha1_hasher_t *this, u_int8_t *digest)
 {
@@ -156,23 +156,23 @@ static void SHA1Final(private_sha1_hasher_t *this, u_int8_t *digest)
 	u_int8_t finalcount[8];
 	u_int8_t c;
 
-    for (i = 0; i < 8; i++) 
-    {
-        finalcount[i] = (u_int8_t)((this->count[(i >= 4 ? 0 : 1)]
-         >> ((3-(i & 3)) * 8) ) & 255);  /* Endian independent */
-    }
-    c = 0200;
-    SHA1Update(this, &c, 1);
-    while ((this->count[0] & 504) != 448) 
-    {
+	for (i = 0; i < 8; i++)
+	{
+		finalcount[i] = (u_int8_t)((this->count[(i >= 4 ? 0 : 1)]
+		 >> ((3-(i & 3)) * 8) ) & 255);  /* Endian independent */
+	}
+	c = 0200;
+	SHA1Update(this, &c, 1);
+	while ((this->count[0] & 504) != 448)
+	{
 		c = 0000;
-        SHA1Update(this, &c, 1);
-    }
-    SHA1Update(this, finalcount, 8);  /* Should cause a SHA1Transform() */
-    for (i = 0; i < 20; i++) 
-    {
-        digest[i] = (u_int8_t)((this->state[i>>2] >> ((3-(i & 3)) * 8) ) & 255);
-    }
+		SHA1Update(this, &c, 1);
+	}
+	SHA1Update(this, finalcount, 8);  /* Should cause a SHA1Transform() */
+	for (i = 0; i < 20; i++)
+	{
+		digest[i] = (u_int8_t)((this->state[i>>2] >> ((3-(i & 3)) * 8) ) & 255);
+	}
 }
 
 /**
@@ -181,12 +181,12 @@ static void SHA1Final(private_sha1_hasher_t *this, u_int8_t *digest)
 static void reset(private_sha1_hasher_t *this)
 {
 	this->state[0] = 0x67452301;
-    this->state[1] = 0xEFCDAB89;
-    this->state[2] = 0x98BADCFE;
-    this->state[3] = 0x10325476;
-    this->state[4] = 0xC3D2E1F0;
-    this->count[0] = 0;
-    this->count[1] = 0;
+	this->state[1] = 0xEFCDAB89;
+	this->state[2] = 0x98BADCFE;
+	this->state[3] = 0x10325476;
+	this->state[4] = 0xC3D2E1F0;
+	this->count[0] = 0;
+	this->count[1] = 0;
 }
 
 /**
@@ -209,15 +209,15 @@ static void allocate_hash(private_sha1_hasher_t *this, chunk_t chunk, chunk_t *h
 {
 	SHA1Update(this, chunk.ptr, chunk.len);
 	if (hash != NULL)
-	{	
+	{
 		hash->ptr = malloc(HASH_SIZE_SHA1);
 		hash->len = HASH_SIZE_SHA1;
-		
+
 		SHA1Final(this, hash->ptr);
 		reset(this);
 	}
 }
-	
+
 /**
  * Implementation of hasher_t.get_hash_size.
  */
@@ -250,10 +250,10 @@ sha1_hasher_t *sha1_hasher_create(hash_algorithm_t algo)
 	this->public.hasher_interface.get_hash_size = (size_t (*) (hasher_t*))get_hash_size;
 	this->public.hasher_interface.reset = (void (*) (hasher_t*))reset;
 	this->public.hasher_interface.destroy = (void (*) (hasher_t*))destroy;
-	
+
 	/* initialize */
 	reset(this);
-	
+
 	return &(this->public);
 }
 
diff --git a/src/libstrongswan/plugins/sha1/sha1_hasher.h b/src/libstrongswan/plugins/sha1/sha1_hasher.h
index b9bfe1c86..7fa6f1bc0 100644
--- a/src/libstrongswan/plugins/sha1/sha1_hasher.h
+++ b/src/libstrongswan/plugins/sha1/sha1_hasher.h
@@ -30,7 +30,7 @@ typedef struct sha1_hasher_t sha1_hasher_t;
  * Implementation of hasher_t interface using the SHA1 algorithm.
  */
 struct sha1_hasher_t {
-	
+
 	/**
 	 * Implements hasher_t interface.
 	 */
diff --git a/src/libstrongswan/plugins/sha1/sha1_plugin.c b/src/libstrongswan/plugins/sha1/sha1_plugin.c
index b9eb62ac5..a038228da 100644
--- a/src/libstrongswan/plugins/sha1/sha1_plugin.c
+++ b/src/libstrongswan/plugins/sha1/sha1_plugin.c
@@ -50,14 +50,14 @@ static void destroy(private_sha1_plugin_t *this)
 plugin_t *plugin_create()
 {
 	private_sha1_plugin_t *this = malloc_thing(private_sha1_plugin_t);
-	
+
 	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-	
+
 	lib->crypto->add_hasher(lib->crypto, HASH_SHA1,
 							(hasher_constructor_t)sha1_hasher_create);
 	lib->crypto->add_prf(lib->crypto, PRF_KEYED_SHA1,
 							(prf_constructor_t)sha1_prf_create);
-	
+
 	return &this->public.plugin;
 }
 
diff --git a/src/libstrongswan/plugins/sha1/sha1_prf.c b/src/libstrongswan/plugins/sha1/sha1_prf.c
index 4a5f7c293..a68779d37 100644
--- a/src/libstrongswan/plugins/sha1/sha1_prf.c
+++ b/src/libstrongswan/plugins/sha1/sha1_prf.c
@@ -29,13 +29,13 @@ struct private_sha1_hasher_t {
 	 * Public interface for this hasher.
 	 */
 	sha1_hasher_t public;
-	
+
 	/*
 	 * State of the hasher. From sha1_hasher.c, do not change it!
 	 */
 	u_int32_t state[5];
-    u_int32_t count[2];
-    u_int8_t buffer[64];
+	u_int32_t count[2];
+	u_int8_t buffer[64];
 };
 
 /**
@@ -107,7 +107,7 @@ static void set_key(private_sha1_prf_t *this, chunk_t key)
 {
 	int i, rounds;
 	u_int32_t *iv = (u_int32_t*)key.ptr;
-	
+
 	this->hasher->public.hasher_interface.reset(&this->hasher->public.hasher_interface);
 	rounds = min(key.len/sizeof(u_int32_t), sizeof(this->hasher->state));
 	for (i = 0; i < rounds; i++)
@@ -142,9 +142,9 @@ sha1_prf_t *sha1_prf_create(pseudo_random_function_t algo)
 	this->public.prf_interface.get_key_size = (size_t (*) (prf_t*))get_key_size;
 	this->public.prf_interface.set_key = (void (*) (prf_t *,chunk_t))set_key;
 	this->public.prf_interface.destroy = (void (*) (prf_t *))destroy;
-	
+
 	this->hasher = (private_sha1_hasher_t*)sha1_hasher_create(HASH_SHA1);
-	
+
 	return &this->public;
 }
 
diff --git a/src/libstrongswan/plugins/sha1/sha1_prf.h b/src/libstrongswan/plugins/sha1/sha1_prf.h
index b6cd2f9d0..1ab4cbc24 100644
--- a/src/libstrongswan/plugins/sha1/sha1_prf.h
+++ b/src/libstrongswan/plugins/sha1/sha1_prf.h
@@ -29,7 +29,7 @@ typedef struct sha1_prf_t sha1_prf_t;
  * Implementation of prf_t interface using keyed SHA1 algorithm (used for EAP-AKA).
  */
 struct sha1_prf_t {
-	
+
 	/**
 	 * Implements prf_t interface.
 	 */
diff --git a/src/libstrongswan/plugins/sha2/Makefile.in b/src/libstrongswan/plugins/sha2/Makefile.in
index b34286813..e4ea58094 100644
--- a/src/libstrongswan/plugins/sha2/Makefile.in
+++ b/src/libstrongswan/plugins/sha2/Makefile.in
@@ -1,8 +1,9 @@
-# Makefile.in generated by automake 1.10.2 from Makefile.am.
+# Makefile.in generated by automake 1.11 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,8 +17,9 @@
 
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
@@ -35,19 +37,41 @@ host_triplet = @host@
 subdir = src/libstrongswan/plugins/sha2
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
 CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
 am__vpath_adj = case $$p in \
     $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
     *) f=$$p;; \
   esac;
-am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__installdirs = "$(DESTDIR)$(plugindir)"
-pluginLTLIBRARIES_INSTALL = $(INSTALL)
 LTLIBRARIES = $(plugin_LTLIBRARIES)
 libstrongswan_sha2_la_LIBADD =
 am_libstrongswan_sha2_la_OBJECTS = sha2_plugin.lo sha2_hasher.lo
@@ -58,6 +82,7 @@ libstrongswan_sha2_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
+am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
@@ -105,25 +130,22 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
-IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
-LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
-LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
-LINUX_HEADERS = @LINUX_HEADERS@
 LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
 NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
@@ -135,11 +157,14 @@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
 PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
+RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
@@ -168,9 +193,9 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
-confdir = @confdir@
 datadir = @datadir@
 datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
@@ -193,7 +218,7 @@ ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
 libstrongswan_plugins = @libstrongswan_plugins@
-linuxdir = @linuxdir@
+linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
@@ -201,6 +226,7 @@ mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
@@ -209,10 +235,12 @@ pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+random_device = @random_device@
 resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
-simreader = @simreader@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
@@ -220,6 +248,7 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
@@ -240,9 +269,9 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/libstrongswan/plugins/sha2/Makefile'; \
-	cd $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu  src/libstrongswan/plugins/sha2/Makefile
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/sha2/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libstrongswan/plugins/sha2/Makefile
 .PRECIOUS: Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
@@ -260,23 +289,28 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
 	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
 	  if test -f $$p; then \
-	    f=$(am__strip_dir) \
-	    echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(plugindir)/$$f'"; \
-	    $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(plugindir)/$$f"; \
+	    list2="$$list2 $$p"; \
 	  else :; fi; \
-	done
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
 
 uninstall-pluginLTLIBRARIES:
 	@$(NORMAL_UNINSTALL)
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
-	  p=$(am__strip_dir) \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$p'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$p"; \
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
 	done
 
 clean-pluginLTLIBRARIES:
@@ -301,21 +335,21 @@ distclean-compile:
 
 .c.o:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c $<
 
 .c.obj:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
 @am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
@@ -338,7 +372,7 @@ tags: TAGS
 
 TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
+	set x; \
 	here=`pwd`; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
@@ -346,29 +380,34 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
 	  test -n "$$unique" || unique=$$empty_fix; \
-	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	    $$tags $$unique; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
 	fi
 ctags: CTAGS
 CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	test -z "$(CTAGS_ARGS)$$unique" \
 	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$tags $$unique
+	     $$unique
 
 GTAGS:
 	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && cd $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) $$here
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
 
 distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
@@ -389,13 +428,17 @@ distdir: $(DISTFILES)
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
 	  if test -d $$d/$$file; then \
 	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
 	    fi; \
-	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
 	  else \
-	    test -f $(distdir)/$$file \
-	    || cp -p $$d/$$file $(distdir)/$$file \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
 	    || exit 1; \
 	  fi; \
 	done
@@ -426,6 +469,7 @@ clean-generic:
 
 distclean-generic:
 	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -447,6 +491,8 @@ dvi-am:
 
 html: html-am
 
+html-am:
+
 info: info-am
 
 info-am:
@@ -455,18 +501,28 @@ install-data-am: install-pluginLTLIBRARIES
 
 install-dvi: install-dvi-am
 
+install-dvi-am:
+
 install-exec-am:
 
 install-html: install-html-am
 
+install-html-am:
+
 install-info: install-info-am
 
+install-info-am:
+
 install-man:
 
 install-pdf: install-pdf-am
 
+install-pdf-am:
+
 install-ps: install-ps-am
 
+install-ps-am:
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -505,6 +561,7 @@ uninstall-am: uninstall-pluginLTLIBRARIES
 	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
 	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
 
+
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/src/libstrongswan/plugins/sha2/sha2_hasher.c b/src/libstrongswan/plugins/sha2/sha2_hasher.c
index 645f4d786..d407fad1b 100644
--- a/src/libstrongswan/plugins/sha2/sha2_hasher.c
+++ b/src/libstrongswan/plugins/sha2/sha2_hasher.c
@@ -31,7 +31,7 @@ struct private_sha512_hasher_t {
 	 * Public interface for this hasher.
 	 */
 	sha2_hasher_t public;
-	
+
 	unsigned char   sha_out[128];   /* results are here, bytes 0..47/0..63 */
 	u_int64_t       sha_H[8];
 	u_int64_t       sha_blocks;
@@ -50,7 +50,7 @@ struct private_sha256_hasher_t {
 	 * Public interface for this hasher.
 	 */
 	sha2_hasher_t public;
-	
+
 	unsigned char   sha_out[64];    /* results are here, bytes 0...31 */
 	u_int32_t       sha_H[8];
 	u_int64_t       sha_blocks;
@@ -60,7 +60,7 @@ struct private_sha256_hasher_t {
 
 static const u_int32_t sha224_hashInit[8] = {
 	0xc1059ed8, 0x367cd507, 0x3070dd17, 0xf70e5939, 0xffc00b31, 0x68581511,
-	0x64f98fa7, 0xbefa4fa4 
+	0x64f98fa7, 0xbefa4fa4
 };
 
 static const u_int32_t sha256_hashInit[8] = {
@@ -139,7 +139,7 @@ static const u_int64_t sha512_K[80] = {
 /**
  * Single block SHA256 transformation
  */
-static void sha256_transform(private_sha256_hasher_t *ctx, 
+static void sha256_transform(private_sha256_hasher_t *ctx,
 							 const unsigned char *datap)
 {
 	register int    j;
@@ -168,7 +168,7 @@ static void sha256_transform(private_sha256_hasher_t *ctx,
 	j = 0;
 	do
 	{
-		if(j >= 16) 
+		if(j >= 16)
 		{
 			Wm2 = W[j - 2];
 			Wm15 = W[j - 15];
@@ -198,7 +198,7 @@ static void sha256_transform(private_sha256_hasher_t *ctx,
 /**
  * Update SHA256 hash
  */
-static void sha256_write(private_sha256_hasher_t *ctx, 
+static void sha256_write(private_sha256_hasher_t *ctx,
 						 const unsigned char *datap, int length)
 {
 	while(length > 0)
@@ -243,7 +243,7 @@ static void sha256_final(private_sha256_hasher_t *ctx)
 	{
 		sha256_write(ctx, &padByte, 1);
 	}
-	
+
 	/* write bit length, big endian byte order */
 	ctx->sha_out[56] = bitLength >> 56;
 	ctx->sha_out[57] = bitLength >> 48;
@@ -254,7 +254,7 @@ static void sha256_final(private_sha256_hasher_t *ctx)
 	ctx->sha_out[62] = bitLength >> 8;
 	ctx->sha_out[63] = bitLength;
 	sha256_transform(ctx, &ctx->sha_out[0]);
-	
+
 	/* return results in ctx->sha_out[0...31] */
 	datap = &ctx->sha_out[0];
 	j = 0;
@@ -283,7 +283,7 @@ static void sha256_final(private_sha256_hasher_t *ctx)
 /**
  * Single block SHA384/SHA512 transformation
  */
-static void sha512_transform(private_sha512_hasher_t *ctx, 
+static void sha512_transform(private_sha512_hasher_t *ctx,
 							 const unsigned char *datap)
 {
 	register int    j;
@@ -343,14 +343,14 @@ static void sha512_transform(private_sha512_hasher_t *ctx,
 /**
  * Update a SHA384/SHA512 hash
  */
-static void sha512_write(private_sha512_hasher_t *ctx, 
+static void sha512_write(private_sha512_hasher_t *ctx,
 						 const unsigned char *datap, int length)
 {
-	while(length > 0) 
+	while(length > 0)
 	{
-		if(!ctx->sha_bufCnt) 
+		if(!ctx->sha_bufCnt)
 		{
-			while(length >= sizeof(ctx->sha_out)) 
+			while(length >= sizeof(ctx->sha_out))
 			{
 				sha512_transform(ctx, datap);
 				datap += sizeof(ctx->sha_out);
@@ -360,7 +360,7 @@ static void sha512_write(private_sha512_hasher_t *ctx,
 		}
 		ctx->sha_out[ctx->sha_bufCnt] = *datap++;
 		length--;
-		if(++ctx->sha_bufCnt == sizeof(ctx->sha_out)) 
+		if(++ctx->sha_bufCnt == sizeof(ctx->sha_out))
 		{
 			sha512_transform(ctx, &ctx->sha_out[0]);
 			ctx->sha_bufCnt = 0;
@@ -385,7 +385,7 @@ static void sha512_final(private_sha512_hasher_t *ctx)
 
 	/* pad extra space with zeroes */
 	padByte = 0;
-	while(ctx->sha_bufCnt != 112) 
+	while(ctx->sha_bufCnt != 112)
 	{
 		sha512_write(ctx, &padByte, 1);
 	}
@@ -408,7 +408,7 @@ static void sha512_final(private_sha512_hasher_t *ctx)
 	ctx->sha_out[126] = bitLength >> 8;
 	ctx->sha_out[127] = bitLength;
 	sha512_transform(ctx, &ctx->sha_out[0]);
-	
+
 	/* return results in ctx->sha_out[0...63] */
 	datap = &ctx->sha_out[0];
 	j = 0;
@@ -429,7 +429,7 @@ static void sha512_final(private_sha512_hasher_t *ctx)
 /**
  * Implementation of hasher_t.get_hash for SHA224.
  */
-static void get_hash224(private_sha256_hasher_t *this, 
+static void get_hash224(private_sha256_hasher_t *this,
 						chunk_t chunk, u_int8_t *buffer)
 {
 	sha256_write(this, chunk.ptr, chunk.len);
@@ -444,7 +444,7 @@ static void get_hash224(private_sha256_hasher_t *this,
 /**
  * Implementation of hasher_t.get_hash for SHA256.
  */
-static void get_hash256(private_sha256_hasher_t *this, 
+static void get_hash256(private_sha256_hasher_t *this,
 						chunk_t chunk, u_int8_t *buffer)
 {
 	sha256_write(this, chunk.ptr, chunk.len);
@@ -489,11 +489,11 @@ static void get_hash512(private_sha512_hasher_t *this,
 /**
  * Implementation of hasher_t.allocate_hash for SHA224.
  */
-static void allocate_hash224(private_sha256_hasher_t *this, 
+static void allocate_hash224(private_sha256_hasher_t *this,
 							 chunk_t chunk, chunk_t *hash)
 {
 	chunk_t allocated_hash;
-	
+
 	sha256_write(this, chunk.ptr, chunk.len);
 	if (hash != NULL)
 	{
@@ -508,11 +508,11 @@ static void allocate_hash224(private_sha256_hasher_t *this,
 /**
  * Implementation of hasher_t.allocate_hash for SHA256.
  */
-static void allocate_hash256(private_sha256_hasher_t *this, 
+static void allocate_hash256(private_sha256_hasher_t *this,
 							 chunk_t chunk, chunk_t *hash)
 {
 	chunk_t allocated_hash;
-	
+
 	sha256_write(this, chunk.ptr, chunk.len);
 	if (hash != NULL)
 	{
@@ -527,11 +527,11 @@ static void allocate_hash256(private_sha256_hasher_t *this,
 /**
  * Implementation of hasher_t.allocate_hash for SHA384.
  */
-static void allocate_hash384(private_sha512_hasher_t *this, 
+static void allocate_hash384(private_sha512_hasher_t *this,
 							 chunk_t chunk, chunk_t *hash)
 {
 	chunk_t allocated_hash;
-	
+
 	sha512_write(this, chunk.ptr, chunk.len);
 	if (hash != NULL)
 	{
@@ -546,11 +546,11 @@ static void allocate_hash384(private_sha512_hasher_t *this,
 /**
  * Implementation of hasher_t.allocate_hash for SHA512.
  */
-static void allocate_hash512(private_sha512_hasher_t *this, 
+static void allocate_hash512(private_sha512_hasher_t *this,
 							 chunk_t chunk, chunk_t *hash)
 {
 	chunk_t allocated_hash;
-	
+
 	sha512_write(this, chunk.ptr, chunk.len);
 	if (hash != NULL)
 	{
@@ -577,7 +577,7 @@ static size_t get_hash_size256(private_sha256_hasher_t *this)
 {
 	return HASH_SIZE_SHA256;
 }
-	
+
 /**
  * Implementation of hasher_t.get_hash_size for SHA384.
  */
@@ -585,7 +585,7 @@ static size_t get_hash_size384(private_sha512_hasher_t *this)
 {
 	return HASH_SIZE_SHA384;
 }
-	
+
 /**
  * Implementation of hasher_t.get_hash_size for SHA512.
  */
@@ -650,7 +650,7 @@ static void destroy(sha2_hasher_t *this)
 sha2_hasher_t *sha2_hasher_create(hash_algorithm_t algorithm)
 {
 	sha2_hasher_t *this;
-	
+
 	switch (algorithm)
 	{
 		case HASH_SHA224:
@@ -686,9 +686,9 @@ sha2_hasher_t *sha2_hasher_create(hash_algorithm_t algorithm)
 			return NULL;
 	}
 	this->hasher_interface.destroy = (void(*)(hasher_t*))destroy;
-	
+
 	/* initialize */
 	this->hasher_interface.reset(&this->hasher_interface);
-	
+
 	return this;
 }
diff --git a/src/libstrongswan/plugins/sha2/sha2_hasher.h b/src/libstrongswan/plugins/sha2/sha2_hasher.h
index 11f4fac26..ed57ae0bd 100644
--- a/src/libstrongswan/plugins/sha2/sha2_hasher.h
+++ b/src/libstrongswan/plugins/sha2/sha2_hasher.h
@@ -32,7 +32,7 @@ typedef struct sha2_hasher_t sha2_hasher_t;
  * the SHA hash algorithm.
  */
 struct sha2_hasher_t {
-	
+
 	/**
 	 * Generic hasher_t interface for this hasher.
 	 */
@@ -41,7 +41,7 @@ struct sha2_hasher_t {
 
 /**
  * Creates a new sha2_hasher_t.
- * 
+ *
  * @param	algorithm	HASH_SHA256, HASH_SHA384 or HASH_SHA512
  * @return				sha2_hasher_t object, NULL if not supported
  */
diff --git a/src/libstrongswan/plugins/sha2/sha2_plugin.c b/src/libstrongswan/plugins/sha2/sha2_plugin.c
index 0743f7b1a..90f7cec77 100644
--- a/src/libstrongswan/plugins/sha2/sha2_plugin.c
+++ b/src/libstrongswan/plugins/sha2/sha2_plugin.c
@@ -47,9 +47,9 @@ static void destroy(private_sha2_plugin_t *this)
 plugin_t *plugin_create()
 {
 	private_sha2_plugin_t *this = malloc_thing(private_sha2_plugin_t);
-	
+
 	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-	
+
 	lib->crypto->add_hasher(lib->crypto, HASH_SHA224,
 							(hasher_constructor_t)sha2_hasher_create);
 	lib->crypto->add_hasher(lib->crypto, HASH_SHA256,
@@ -58,7 +58,7 @@ plugin_t *plugin_create()
 							(hasher_constructor_t)sha2_hasher_create);
 	lib->crypto->add_hasher(lib->crypto, HASH_SHA512,
 							(hasher_constructor_t)sha2_hasher_create);
-	
+
 	return &this->public.plugin;
 }
 
diff --git a/src/libstrongswan/plugins/sqlite/Makefile.in b/src/libstrongswan/plugins/sqlite/Makefile.in
index b59a1c343..831408c9e 100644
--- a/src/libstrongswan/plugins/sqlite/Makefile.in
+++ b/src/libstrongswan/plugins/sqlite/Makefile.in
@@ -1,8 +1,9 @@
-# Makefile.in generated by automake 1.10.2 from Makefile.am.
+# Makefile.in generated by automake 1.11 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,8 +17,9 @@
 
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
@@ -35,19 +37,41 @@ host_triplet = @host@
 subdir = src/libstrongswan/plugins/sqlite
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
 CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
 am__vpath_adj = case $$p in \
     $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
     *) f=$$p;; \
   esac;
-am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__installdirs = "$(DESTDIR)$(plugindir)"
-pluginLTLIBRARIES_INSTALL = $(INSTALL)
 LTLIBRARIES = $(plugin_LTLIBRARIES)
 libstrongswan_sqlite_la_DEPENDENCIES =
 am_libstrongswan_sqlite_la_OBJECTS = sqlite_plugin.lo \
@@ -60,6 +84,7 @@ libstrongswan_sqlite_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
+am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
@@ -107,25 +132,22 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
-IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
-LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
-LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
-LINUX_HEADERS = @LINUX_HEADERS@
 LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
 NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
@@ -137,11 +159,14 @@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
 PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
+RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
@@ -170,9 +195,9 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
-confdir = @confdir@
 datadir = @datadir@
 datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
@@ -195,7 +220,7 @@ ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
 libstrongswan_plugins = @libstrongswan_plugins@
-linuxdir = @linuxdir@
+linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
@@ -203,6 +228,7 @@ mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
@@ -211,10 +237,12 @@ pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+random_device = @random_device@
 resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
-simreader = @simreader@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
@@ -222,6 +250,7 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
@@ -245,9 +274,9 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/libstrongswan/plugins/sqlite/Makefile'; \
-	cd $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu  src/libstrongswan/plugins/sqlite/Makefile
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/sqlite/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libstrongswan/plugins/sqlite/Makefile
 .PRECIOUS: Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
@@ -265,23 +294,28 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
 	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
 	  if test -f $$p; then \
-	    f=$(am__strip_dir) \
-	    echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(plugindir)/$$f'"; \
-	    $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(plugindir)/$$f"; \
+	    list2="$$list2 $$p"; \
 	  else :; fi; \
-	done
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
 
 uninstall-pluginLTLIBRARIES:
 	@$(NORMAL_UNINSTALL)
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
-	  p=$(am__strip_dir) \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$p'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$p"; \
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
 	done
 
 clean-pluginLTLIBRARIES:
@@ -306,21 +340,21 @@ distclean-compile:
 
 .c.o:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c $<
 
 .c.obj:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
 @am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
@@ -343,7 +377,7 @@ tags: TAGS
 
 TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
+	set x; \
 	here=`pwd`; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
@@ -351,29 +385,34 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
 	  test -n "$$unique" || unique=$$empty_fix; \
-	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	    $$tags $$unique; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
 	fi
 ctags: CTAGS
 CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	test -z "$(CTAGS_ARGS)$$unique" \
 	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$tags $$unique
+	     $$unique
 
 GTAGS:
 	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && cd $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) $$here
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
 
 distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
@@ -394,13 +433,17 @@ distdir: $(DISTFILES)
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
 	  if test -d $$d/$$file; then \
 	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
 	    fi; \
-	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
 	  else \
-	    test -f $(distdir)/$$file \
-	    || cp -p $$d/$$file $(distdir)/$$file \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
 	    || exit 1; \
 	  fi; \
 	done
@@ -431,6 +474,7 @@ clean-generic:
 
 distclean-generic:
 	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -452,6 +496,8 @@ dvi-am:
 
 html: html-am
 
+html-am:
+
 info: info-am
 
 info-am:
@@ -460,18 +506,28 @@ install-data-am: install-pluginLTLIBRARIES
 
 install-dvi: install-dvi-am
 
+install-dvi-am:
+
 install-exec-am:
 
 install-html: install-html-am
 
+install-html-am:
+
 install-info: install-info-am
 
+install-info-am:
+
 install-man:
 
 install-pdf: install-pdf-am
 
+install-pdf-am:
+
 install-ps: install-ps-am
 
+install-ps-am:
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -510,6 +566,7 @@ uninstall-am: uninstall-pluginLTLIBRARIES
 	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
 	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
 
+
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/src/libstrongswan/plugins/sqlite/sqlite_database.c b/src/libstrongswan/plugins/sqlite/sqlite_database.c
index 6e4951f2d..721f1a126 100644
--- a/src/libstrongswan/plugins/sqlite/sqlite_database.c
+++ b/src/libstrongswan/plugins/sqlite/sqlite_database.c
@@ -19,7 +19,7 @@
 #include <unistd.h>
 #include <library.h>
 #include <debug.h>
-#include <utils/mutex.h>
+#include <threading/mutex.h>
 
 typedef struct private_sqlite_database_t private_sqlite_database_t;
 
@@ -32,12 +32,12 @@ struct private_sqlite_database_t {
 	 * public functions
 	 */
 	sqlite_database_t public;
-	
+
 	/**
 	 * sqlite database connection
 	 */
 	sqlite3 *db;
-	
+
 	/**
 	 * mutex used to lock execute()
 	 */
@@ -220,12 +220,12 @@ static enumerator_t* query(private_sqlite_database_t *this, char *sql, ...)
 	va_list args;
 	sqlite_enumerator_t *enumerator = NULL;
 	int i;
-	
+
 #if SQLITE_VERSION_NUMBER < 3005000
 	/* sqlite connections prior to 3.5 may be used by a single thread only, */
 	this->mutex->lock(this->mutex);
 #endif
-	
+
 	va_start(args, sql);
 	stmt = run(this, sql, &args);
 	if (stmt)
@@ -254,7 +254,7 @@ static int execute(private_sqlite_database_t *this, int *rowid, char *sql, ...)
 	sqlite3_stmt *stmt;
 	int affected = -1;
 	va_list args;
-	
+
 	/* we need a lock to get our rowid/changes correctly */
 	this->mutex->lock(this->mutex);
 	va_start(args, sql);
@@ -316,7 +316,7 @@ sqlite_database_t *sqlite_database_create(char *uri)
 {
 	char *file;
 	private_sqlite_database_t *this;
-	
+
 	/**
 	 * parse sqlite:///path/to/file.db uri
 	 */
@@ -325,16 +325,16 @@ sqlite_database_t *sqlite_database_create(char *uri)
 		return NULL;
 	}
 	file = uri + 9;
-	
+
 	this = malloc_thing(private_sqlite_database_t);
-	
+
 	this->public.db.query = (enumerator_t* (*)(database_t *this, char *sql, ...))query;
 	this->public.db.execute = (int (*)(database_t *this, int *rowid, char *sql, ...))execute;
 	this->public.db.get_driver = (db_driver_t(*)(database_t*))get_driver;
 	this->public.db.destroy = (void(*)(database_t*))destroy;
-	
+
 	this->mutex = mutex_create(MUTEX_TYPE_RECURSIVE);
-	
+
 	if (sqlite3_open(file, &this->db) != SQLITE_OK)
 	{
 		DBG1("opening SQLite database '%s' failed: %s",
@@ -342,9 +342,9 @@ sqlite_database_t *sqlite_database_create(char *uri)
 		destroy(this);
 		return NULL;
 	}
-	
+
 	sqlite3_busy_handler(this->db, (void*)busy_handler, this);
-	
+
 	return &this->public;
 }
 
diff --git a/src/libstrongswan/plugins/sqlite/sqlite_plugin.c b/src/libstrongswan/plugins/sqlite/sqlite_plugin.c
index bedf91e0f..955402bf9 100644
--- a/src/libstrongswan/plugins/sqlite/sqlite_plugin.c
+++ b/src/libstrongswan/plugins/sqlite/sqlite_plugin.c
@@ -47,9 +47,9 @@ static void destroy(private_sqlite_plugin_t *this)
 plugin_t *plugin_create()
 {
 	private_sqlite_plugin_t *this = malloc_thing(private_sqlite_plugin_t);
-	
+
 	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-	
+
 	lib->db->add_database(lib->db,
 						  (database_constructor_t)sqlite_database_create);
 
diff --git a/src/libstrongswan/plugins/test_vectors/Makefile.in b/src/libstrongswan/plugins/test_vectors/Makefile.in
index 0e408ba7e..a8674d282 100644
--- a/src/libstrongswan/plugins/test_vectors/Makefile.in
+++ b/src/libstrongswan/plugins/test_vectors/Makefile.in
@@ -1,8 +1,9 @@
-# Makefile.in generated by automake 1.10.2 from Makefile.am.
+# Makefile.in generated by automake 1.11 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,8 +17,9 @@
 
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
@@ -35,19 +37,41 @@ host_triplet = @host@
 subdir = src/libstrongswan/plugins/test_vectors
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
 CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
 am__vpath_adj = case $$p in \
     $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
     *) f=$$p;; \
   esac;
-am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__installdirs = "$(DESTDIR)$(plugindir)"
-pluginLTLIBRARIES_INSTALL = $(INSTALL)
 LTLIBRARIES = $(plugin_LTLIBRARIES)
 libstrongswan_test_vectors_la_LIBADD =
 am_libstrongswan_test_vectors_la_OBJECTS = test_vectors_plugin.lo \
@@ -64,6 +88,7 @@ libstrongswan_test_vectors_la_LINK = $(LIBTOOL) --tag=CC \
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
+am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
@@ -111,25 +136,22 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
-IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
-LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
-LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
-LINUX_HEADERS = @LINUX_HEADERS@
 LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
 NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
@@ -141,11 +163,14 @@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
 PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
+RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
@@ -174,9 +199,9 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
-confdir = @confdir@
 datadir = @datadir@
 datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
@@ -199,7 +224,7 @@ ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
 libstrongswan_plugins = @libstrongswan_plugins@
-linuxdir = @linuxdir@
+linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
@@ -207,6 +232,7 @@ mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
@@ -215,10 +241,12 @@ pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+random_device = @random_device@
 resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
-simreader = @simreader@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
@@ -226,6 +254,7 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
@@ -270,9 +299,9 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/libstrongswan/plugins/test_vectors/Makefile'; \
-	cd $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu  src/libstrongswan/plugins/test_vectors/Makefile
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/test_vectors/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libstrongswan/plugins/test_vectors/Makefile
 .PRECIOUS: Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
@@ -290,23 +319,28 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
 	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
 	  if test -f $$p; then \
-	    f=$(am__strip_dir) \
-	    echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(plugindir)/$$f'"; \
-	    $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(plugindir)/$$f"; \
+	    list2="$$list2 $$p"; \
 	  else :; fi; \
-	done
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
 
 uninstall-pluginLTLIBRARIES:
 	@$(NORMAL_UNINSTALL)
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
-	  p=$(am__strip_dir) \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$p'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$p"; \
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
 	done
 
 clean-pluginLTLIBRARIES:
@@ -352,178 +386,178 @@ distclean-compile:
 
 .c.o:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c $<
 
 .c.obj:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
 @am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
 
 3des_cbc.lo: test_vectors/3des_cbc.c
-@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT 3des_cbc.lo -MD -MP -MF $(DEPDIR)/3des_cbc.Tpo -c -o 3des_cbc.lo `test -f 'test_vectors/3des_cbc.c' || echo '$(srcdir)/'`test_vectors/3des_cbc.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/3des_cbc.Tpo $(DEPDIR)/3des_cbc.Plo
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT 3des_cbc.lo -MD -MP -MF $(DEPDIR)/3des_cbc.Tpo -c -o 3des_cbc.lo `test -f 'test_vectors/3des_cbc.c' || echo '$(srcdir)/'`test_vectors/3des_cbc.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/3des_cbc.Tpo $(DEPDIR)/3des_cbc.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/3des_cbc.c' object='3des_cbc.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o 3des_cbc.lo `test -f 'test_vectors/3des_cbc.c' || echo '$(srcdir)/'`test_vectors/3des_cbc.c
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o 3des_cbc.lo `test -f 'test_vectors/3des_cbc.c' || echo '$(srcdir)/'`test_vectors/3des_cbc.c
 
 aes_cbc.lo: test_vectors/aes_cbc.c
-@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT aes_cbc.lo -MD -MP -MF $(DEPDIR)/aes_cbc.Tpo -c -o aes_cbc.lo `test -f 'test_vectors/aes_cbc.c' || echo '$(srcdir)/'`test_vectors/aes_cbc.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/aes_cbc.Tpo $(DEPDIR)/aes_cbc.Plo
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT aes_cbc.lo -MD -MP -MF $(DEPDIR)/aes_cbc.Tpo -c -o aes_cbc.lo `test -f 'test_vectors/aes_cbc.c' || echo '$(srcdir)/'`test_vectors/aes_cbc.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/aes_cbc.Tpo $(DEPDIR)/aes_cbc.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/aes_cbc.c' object='aes_cbc.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o aes_cbc.lo `test -f 'test_vectors/aes_cbc.c' || echo '$(srcdir)/'`test_vectors/aes_cbc.c
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o aes_cbc.lo `test -f 'test_vectors/aes_cbc.c' || echo '$(srcdir)/'`test_vectors/aes_cbc.c
 
 aes_xcbc.lo: test_vectors/aes_xcbc.c
-@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT aes_xcbc.lo -MD -MP -MF $(DEPDIR)/aes_xcbc.Tpo -c -o aes_xcbc.lo `test -f 'test_vectors/aes_xcbc.c' || echo '$(srcdir)/'`test_vectors/aes_xcbc.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/aes_xcbc.Tpo $(DEPDIR)/aes_xcbc.Plo
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT aes_xcbc.lo -MD -MP -MF $(DEPDIR)/aes_xcbc.Tpo -c -o aes_xcbc.lo `test -f 'test_vectors/aes_xcbc.c' || echo '$(srcdir)/'`test_vectors/aes_xcbc.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/aes_xcbc.Tpo $(DEPDIR)/aes_xcbc.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/aes_xcbc.c' object='aes_xcbc.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o aes_xcbc.lo `test -f 'test_vectors/aes_xcbc.c' || echo '$(srcdir)/'`test_vectors/aes_xcbc.c
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o aes_xcbc.lo `test -f 'test_vectors/aes_xcbc.c' || echo '$(srcdir)/'`test_vectors/aes_xcbc.c
 
 blowfish.lo: test_vectors/blowfish.c
-@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT blowfish.lo -MD -MP -MF $(DEPDIR)/blowfish.Tpo -c -o blowfish.lo `test -f 'test_vectors/blowfish.c' || echo '$(srcdir)/'`test_vectors/blowfish.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/blowfish.Tpo $(DEPDIR)/blowfish.Plo
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT blowfish.lo -MD -MP -MF $(DEPDIR)/blowfish.Tpo -c -o blowfish.lo `test -f 'test_vectors/blowfish.c' || echo '$(srcdir)/'`test_vectors/blowfish.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/blowfish.Tpo $(DEPDIR)/blowfish.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/blowfish.c' object='blowfish.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o blowfish.lo `test -f 'test_vectors/blowfish.c' || echo '$(srcdir)/'`test_vectors/blowfish.c
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o blowfish.lo `test -f 'test_vectors/blowfish.c' || echo '$(srcdir)/'`test_vectors/blowfish.c
 
 camellia_cbc.lo: test_vectors/camellia_cbc.c
-@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT camellia_cbc.lo -MD -MP -MF $(DEPDIR)/camellia_cbc.Tpo -c -o camellia_cbc.lo `test -f 'test_vectors/camellia_cbc.c' || echo '$(srcdir)/'`test_vectors/camellia_cbc.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/camellia_cbc.Tpo $(DEPDIR)/camellia_cbc.Plo
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT camellia_cbc.lo -MD -MP -MF $(DEPDIR)/camellia_cbc.Tpo -c -o camellia_cbc.lo `test -f 'test_vectors/camellia_cbc.c' || echo '$(srcdir)/'`test_vectors/camellia_cbc.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/camellia_cbc.Tpo $(DEPDIR)/camellia_cbc.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/camellia_cbc.c' object='camellia_cbc.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o camellia_cbc.lo `test -f 'test_vectors/camellia_cbc.c' || echo '$(srcdir)/'`test_vectors/camellia_cbc.c
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o camellia_cbc.lo `test -f 'test_vectors/camellia_cbc.c' || echo '$(srcdir)/'`test_vectors/camellia_cbc.c
 
 cast.lo: test_vectors/cast.c
-@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cast.lo -MD -MP -MF $(DEPDIR)/cast.Tpo -c -o cast.lo `test -f 'test_vectors/cast.c' || echo '$(srcdir)/'`test_vectors/cast.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/cast.Tpo $(DEPDIR)/cast.Plo
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cast.lo -MD -MP -MF $(DEPDIR)/cast.Tpo -c -o cast.lo `test -f 'test_vectors/cast.c' || echo '$(srcdir)/'`test_vectors/cast.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/cast.Tpo $(DEPDIR)/cast.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/cast.c' object='cast.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cast.lo `test -f 'test_vectors/cast.c' || echo '$(srcdir)/'`test_vectors/cast.c
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cast.lo `test -f 'test_vectors/cast.c' || echo '$(srcdir)/'`test_vectors/cast.c
 
 des.lo: test_vectors/des.c
-@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT des.lo -MD -MP -MF $(DEPDIR)/des.Tpo -c -o des.lo `test -f 'test_vectors/des.c' || echo '$(srcdir)/'`test_vectors/des.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/des.Tpo $(DEPDIR)/des.Plo
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT des.lo -MD -MP -MF $(DEPDIR)/des.Tpo -c -o des.lo `test -f 'test_vectors/des.c' || echo '$(srcdir)/'`test_vectors/des.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/des.Tpo $(DEPDIR)/des.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/des.c' object='des.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o des.lo `test -f 'test_vectors/des.c' || echo '$(srcdir)/'`test_vectors/des.c
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o des.lo `test -f 'test_vectors/des.c' || echo '$(srcdir)/'`test_vectors/des.c
 
 idea.lo: test_vectors/idea.c
-@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT idea.lo -MD -MP -MF $(DEPDIR)/idea.Tpo -c -o idea.lo `test -f 'test_vectors/idea.c' || echo '$(srcdir)/'`test_vectors/idea.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/idea.Tpo $(DEPDIR)/idea.Plo
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT idea.lo -MD -MP -MF $(DEPDIR)/idea.Tpo -c -o idea.lo `test -f 'test_vectors/idea.c' || echo '$(srcdir)/'`test_vectors/idea.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/idea.Tpo $(DEPDIR)/idea.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/idea.c' object='idea.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o idea.lo `test -f 'test_vectors/idea.c' || echo '$(srcdir)/'`test_vectors/idea.c
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o idea.lo `test -f 'test_vectors/idea.c' || echo '$(srcdir)/'`test_vectors/idea.c
 
 null.lo: test_vectors/null.c
-@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT null.lo -MD -MP -MF $(DEPDIR)/null.Tpo -c -o null.lo `test -f 'test_vectors/null.c' || echo '$(srcdir)/'`test_vectors/null.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/null.Tpo $(DEPDIR)/null.Plo
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT null.lo -MD -MP -MF $(DEPDIR)/null.Tpo -c -o null.lo `test -f 'test_vectors/null.c' || echo '$(srcdir)/'`test_vectors/null.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/null.Tpo $(DEPDIR)/null.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/null.c' object='null.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o null.lo `test -f 'test_vectors/null.c' || echo '$(srcdir)/'`test_vectors/null.c
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o null.lo `test -f 'test_vectors/null.c' || echo '$(srcdir)/'`test_vectors/null.c
 
 rc5.lo: test_vectors/rc5.c
-@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rc5.lo -MD -MP -MF $(DEPDIR)/rc5.Tpo -c -o rc5.lo `test -f 'test_vectors/rc5.c' || echo '$(srcdir)/'`test_vectors/rc5.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/rc5.Tpo $(DEPDIR)/rc5.Plo
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rc5.lo -MD -MP -MF $(DEPDIR)/rc5.Tpo -c -o rc5.lo `test -f 'test_vectors/rc5.c' || echo '$(srcdir)/'`test_vectors/rc5.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/rc5.Tpo $(DEPDIR)/rc5.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/rc5.c' object='rc5.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rc5.lo `test -f 'test_vectors/rc5.c' || echo '$(srcdir)/'`test_vectors/rc5.c
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rc5.lo `test -f 'test_vectors/rc5.c' || echo '$(srcdir)/'`test_vectors/rc5.c
 
 serpent_cbc.lo: test_vectors/serpent_cbc.c
-@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT serpent_cbc.lo -MD -MP -MF $(DEPDIR)/serpent_cbc.Tpo -c -o serpent_cbc.lo `test -f 'test_vectors/serpent_cbc.c' || echo '$(srcdir)/'`test_vectors/serpent_cbc.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/serpent_cbc.Tpo $(DEPDIR)/serpent_cbc.Plo
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT serpent_cbc.lo -MD -MP -MF $(DEPDIR)/serpent_cbc.Tpo -c -o serpent_cbc.lo `test -f 'test_vectors/serpent_cbc.c' || echo '$(srcdir)/'`test_vectors/serpent_cbc.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/serpent_cbc.Tpo $(DEPDIR)/serpent_cbc.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/serpent_cbc.c' object='serpent_cbc.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o serpent_cbc.lo `test -f 'test_vectors/serpent_cbc.c' || echo '$(srcdir)/'`test_vectors/serpent_cbc.c
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o serpent_cbc.lo `test -f 'test_vectors/serpent_cbc.c' || echo '$(srcdir)/'`test_vectors/serpent_cbc.c
 
 twofish_cbc.lo: test_vectors/twofish_cbc.c
-@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT twofish_cbc.lo -MD -MP -MF $(DEPDIR)/twofish_cbc.Tpo -c -o twofish_cbc.lo `test -f 'test_vectors/twofish_cbc.c' || echo '$(srcdir)/'`test_vectors/twofish_cbc.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/twofish_cbc.Tpo $(DEPDIR)/twofish_cbc.Plo
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT twofish_cbc.lo -MD -MP -MF $(DEPDIR)/twofish_cbc.Tpo -c -o twofish_cbc.lo `test -f 'test_vectors/twofish_cbc.c' || echo '$(srcdir)/'`test_vectors/twofish_cbc.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/twofish_cbc.Tpo $(DEPDIR)/twofish_cbc.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/twofish_cbc.c' object='twofish_cbc.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o twofish_cbc.lo `test -f 'test_vectors/twofish_cbc.c' || echo '$(srcdir)/'`test_vectors/twofish_cbc.c
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o twofish_cbc.lo `test -f 'test_vectors/twofish_cbc.c' || echo '$(srcdir)/'`test_vectors/twofish_cbc.c
 
 md2.lo: test_vectors/md2.c
-@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT md2.lo -MD -MP -MF $(DEPDIR)/md2.Tpo -c -o md2.lo `test -f 'test_vectors/md2.c' || echo '$(srcdir)/'`test_vectors/md2.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/md2.Tpo $(DEPDIR)/md2.Plo
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT md2.lo -MD -MP -MF $(DEPDIR)/md2.Tpo -c -o md2.lo `test -f 'test_vectors/md2.c' || echo '$(srcdir)/'`test_vectors/md2.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/md2.Tpo $(DEPDIR)/md2.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/md2.c' object='md2.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o md2.lo `test -f 'test_vectors/md2.c' || echo '$(srcdir)/'`test_vectors/md2.c
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o md2.lo `test -f 'test_vectors/md2.c' || echo '$(srcdir)/'`test_vectors/md2.c
 
 md4.lo: test_vectors/md4.c
-@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT md4.lo -MD -MP -MF $(DEPDIR)/md4.Tpo -c -o md4.lo `test -f 'test_vectors/md4.c' || echo '$(srcdir)/'`test_vectors/md4.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/md4.Tpo $(DEPDIR)/md4.Plo
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT md4.lo -MD -MP -MF $(DEPDIR)/md4.Tpo -c -o md4.lo `test -f 'test_vectors/md4.c' || echo '$(srcdir)/'`test_vectors/md4.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/md4.Tpo $(DEPDIR)/md4.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/md4.c' object='md4.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o md4.lo `test -f 'test_vectors/md4.c' || echo '$(srcdir)/'`test_vectors/md4.c
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o md4.lo `test -f 'test_vectors/md4.c' || echo '$(srcdir)/'`test_vectors/md4.c
 
 md5.lo: test_vectors/md5.c
-@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT md5.lo -MD -MP -MF $(DEPDIR)/md5.Tpo -c -o md5.lo `test -f 'test_vectors/md5.c' || echo '$(srcdir)/'`test_vectors/md5.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/md5.Tpo $(DEPDIR)/md5.Plo
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT md5.lo -MD -MP -MF $(DEPDIR)/md5.Tpo -c -o md5.lo `test -f 'test_vectors/md5.c' || echo '$(srcdir)/'`test_vectors/md5.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/md5.Tpo $(DEPDIR)/md5.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/md5.c' object='md5.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o md5.lo `test -f 'test_vectors/md5.c' || echo '$(srcdir)/'`test_vectors/md5.c
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o md5.lo `test -f 'test_vectors/md5.c' || echo '$(srcdir)/'`test_vectors/md5.c
 
 md5_hmac.lo: test_vectors/md5_hmac.c
-@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT md5_hmac.lo -MD -MP -MF $(DEPDIR)/md5_hmac.Tpo -c -o md5_hmac.lo `test -f 'test_vectors/md5_hmac.c' || echo '$(srcdir)/'`test_vectors/md5_hmac.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/md5_hmac.Tpo $(DEPDIR)/md5_hmac.Plo
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT md5_hmac.lo -MD -MP -MF $(DEPDIR)/md5_hmac.Tpo -c -o md5_hmac.lo `test -f 'test_vectors/md5_hmac.c' || echo '$(srcdir)/'`test_vectors/md5_hmac.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/md5_hmac.Tpo $(DEPDIR)/md5_hmac.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/md5_hmac.c' object='md5_hmac.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o md5_hmac.lo `test -f 'test_vectors/md5_hmac.c' || echo '$(srcdir)/'`test_vectors/md5_hmac.c
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o md5_hmac.lo `test -f 'test_vectors/md5_hmac.c' || echo '$(srcdir)/'`test_vectors/md5_hmac.c
 
 sha1.lo: test_vectors/sha1.c
-@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sha1.lo -MD -MP -MF $(DEPDIR)/sha1.Tpo -c -o sha1.lo `test -f 'test_vectors/sha1.c' || echo '$(srcdir)/'`test_vectors/sha1.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/sha1.Tpo $(DEPDIR)/sha1.Plo
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sha1.lo -MD -MP -MF $(DEPDIR)/sha1.Tpo -c -o sha1.lo `test -f 'test_vectors/sha1.c' || echo '$(srcdir)/'`test_vectors/sha1.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/sha1.Tpo $(DEPDIR)/sha1.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/sha1.c' object='sha1.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sha1.lo `test -f 'test_vectors/sha1.c' || echo '$(srcdir)/'`test_vectors/sha1.c
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sha1.lo `test -f 'test_vectors/sha1.c' || echo '$(srcdir)/'`test_vectors/sha1.c
 
 sha1_hmac.lo: test_vectors/sha1_hmac.c
-@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sha1_hmac.lo -MD -MP -MF $(DEPDIR)/sha1_hmac.Tpo -c -o sha1_hmac.lo `test -f 'test_vectors/sha1_hmac.c' || echo '$(srcdir)/'`test_vectors/sha1_hmac.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/sha1_hmac.Tpo $(DEPDIR)/sha1_hmac.Plo
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sha1_hmac.lo -MD -MP -MF $(DEPDIR)/sha1_hmac.Tpo -c -o sha1_hmac.lo `test -f 'test_vectors/sha1_hmac.c' || echo '$(srcdir)/'`test_vectors/sha1_hmac.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/sha1_hmac.Tpo $(DEPDIR)/sha1_hmac.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/sha1_hmac.c' object='sha1_hmac.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sha1_hmac.lo `test -f 'test_vectors/sha1_hmac.c' || echo '$(srcdir)/'`test_vectors/sha1_hmac.c
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sha1_hmac.lo `test -f 'test_vectors/sha1_hmac.c' || echo '$(srcdir)/'`test_vectors/sha1_hmac.c
 
 sha2.lo: test_vectors/sha2.c
-@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sha2.lo -MD -MP -MF $(DEPDIR)/sha2.Tpo -c -o sha2.lo `test -f 'test_vectors/sha2.c' || echo '$(srcdir)/'`test_vectors/sha2.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/sha2.Tpo $(DEPDIR)/sha2.Plo
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sha2.lo -MD -MP -MF $(DEPDIR)/sha2.Tpo -c -o sha2.lo `test -f 'test_vectors/sha2.c' || echo '$(srcdir)/'`test_vectors/sha2.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/sha2.Tpo $(DEPDIR)/sha2.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/sha2.c' object='sha2.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sha2.lo `test -f 'test_vectors/sha2.c' || echo '$(srcdir)/'`test_vectors/sha2.c
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sha2.lo `test -f 'test_vectors/sha2.c' || echo '$(srcdir)/'`test_vectors/sha2.c
 
 sha2_hmac.lo: test_vectors/sha2_hmac.c
-@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sha2_hmac.lo -MD -MP -MF $(DEPDIR)/sha2_hmac.Tpo -c -o sha2_hmac.lo `test -f 'test_vectors/sha2_hmac.c' || echo '$(srcdir)/'`test_vectors/sha2_hmac.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/sha2_hmac.Tpo $(DEPDIR)/sha2_hmac.Plo
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sha2_hmac.lo -MD -MP -MF $(DEPDIR)/sha2_hmac.Tpo -c -o sha2_hmac.lo `test -f 'test_vectors/sha2_hmac.c' || echo '$(srcdir)/'`test_vectors/sha2_hmac.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/sha2_hmac.Tpo $(DEPDIR)/sha2_hmac.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/sha2_hmac.c' object='sha2_hmac.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sha2_hmac.lo `test -f 'test_vectors/sha2_hmac.c' || echo '$(srcdir)/'`test_vectors/sha2_hmac.c
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sha2_hmac.lo `test -f 'test_vectors/sha2_hmac.c' || echo '$(srcdir)/'`test_vectors/sha2_hmac.c
 
 fips_prf.lo: test_vectors/fips_prf.c
-@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT fips_prf.lo -MD -MP -MF $(DEPDIR)/fips_prf.Tpo -c -o fips_prf.lo `test -f 'test_vectors/fips_prf.c' || echo '$(srcdir)/'`test_vectors/fips_prf.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/fips_prf.Tpo $(DEPDIR)/fips_prf.Plo
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT fips_prf.lo -MD -MP -MF $(DEPDIR)/fips_prf.Tpo -c -o fips_prf.lo `test -f 'test_vectors/fips_prf.c' || echo '$(srcdir)/'`test_vectors/fips_prf.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/fips_prf.Tpo $(DEPDIR)/fips_prf.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/fips_prf.c' object='fips_prf.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o fips_prf.lo `test -f 'test_vectors/fips_prf.c' || echo '$(srcdir)/'`test_vectors/fips_prf.c
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o fips_prf.lo `test -f 'test_vectors/fips_prf.c' || echo '$(srcdir)/'`test_vectors/fips_prf.c
 
 rng.lo: test_vectors/rng.c
-@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rng.lo -MD -MP -MF $(DEPDIR)/rng.Tpo -c -o rng.lo `test -f 'test_vectors/rng.c' || echo '$(srcdir)/'`test_vectors/rng.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/rng.Tpo $(DEPDIR)/rng.Plo
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rng.lo -MD -MP -MF $(DEPDIR)/rng.Tpo -c -o rng.lo `test -f 'test_vectors/rng.c' || echo '$(srcdir)/'`test_vectors/rng.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/rng.Tpo $(DEPDIR)/rng.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/rng.c' object='rng.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rng.lo `test -f 'test_vectors/rng.c' || echo '$(srcdir)/'`test_vectors/rng.c
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rng.lo `test -f 'test_vectors/rng.c' || echo '$(srcdir)/'`test_vectors/rng.c
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -543,7 +577,7 @@ tags: TAGS
 
 TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
+	set x; \
 	here=`pwd`; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
@@ -551,29 +585,34 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
 	  test -n "$$unique" || unique=$$empty_fix; \
-	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	    $$tags $$unique; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
 	fi
 ctags: CTAGS
 CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	test -z "$(CTAGS_ARGS)$$unique" \
 	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$tags $$unique
+	     $$unique
 
 GTAGS:
 	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && cd $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) $$here
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
 
 distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
@@ -594,13 +633,17 @@ distdir: $(DISTFILES)
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
 	  if test -d $$d/$$file; then \
 	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
 	    fi; \
-	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
 	  else \
-	    test -f $(distdir)/$$file \
-	    || cp -p $$d/$$file $(distdir)/$$file \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
 	    || exit 1; \
 	  fi; \
 	done
@@ -631,6 +674,7 @@ clean-generic:
 
 distclean-generic:
 	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -652,6 +696,8 @@ dvi-am:
 
 html: html-am
 
+html-am:
+
 info: info-am
 
 info-am:
@@ -660,18 +706,28 @@ install-data-am: install-pluginLTLIBRARIES
 
 install-dvi: install-dvi-am
 
+install-dvi-am:
+
 install-exec-am:
 
 install-html: install-html-am
 
+install-html-am:
+
 install-info: install-info-am
 
+install-info-am:
+
 install-man:
 
 install-pdf: install-pdf-am
 
+install-pdf-am:
+
 install-ps: install-ps-am
 
+install-ps-am:
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -710,6 +766,7 @@ uninstall-am: uninstall-pluginLTLIBRARIES
 	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
 	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
 
+
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors/blowfish.c b/src/libstrongswan/plugins/test_vectors/test_vectors/blowfish.c
index 63bbb1261..a4e06180a 100644
--- a/src/libstrongswan/plugins/test_vectors/test_vectors/blowfish.c
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors/blowfish.c
@@ -30,7 +30,7 @@ crypter_test_vector_t blowfish1 = {
 };
 
 /**
- * Test vector by Chilkat Software 
+ * Test vector by Chilkat Software
  * (www.chilkatsoft.com/p/php_blowfish.asp)
  */
 crypter_test_vector_t blowfish2 = {
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors/rng.c b/src/libstrongswan/plugins/test_vectors/test_vectors/rng.c
index 8502df7ad..4dc1cc174 100644
--- a/src/libstrongswan/plugins/test_vectors/test_vectors/rng.c
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors/rng.c
@@ -33,7 +33,7 @@ monobit_t monobit_all = {
 static bool test_monobit(monobit_t *param, chunk_t data)
 {
 	int i, j, bits = 0;
-	
+
 	for (i = 0; i < data.len; i++)
 	{
 		for (j = 0; j < 8; j++)
@@ -87,15 +87,15 @@ static bool test_poker(poker_t *param, chunk_t data)
 {
 	int i, counter[16];
 	double sum = 0.0;
-	
+
 	memset(counter, 0, sizeof(counter));
-	
+
 	for (i = 0; i < data.len; i++)
 	{
 		counter[data.ptr[i] & 0x0F]++;
 		counter[(data.ptr[i] & 0xF0) >> 4]++;
 	}
-	
+
 	for (i = 0; i < countof(counter); i++)
 	{
 		sum += (counter[i] * counter[i]) / 5000.0 * 16.0;
@@ -145,10 +145,10 @@ runs_t runs_all = {
 static bool test_runs(runs_t *param, chunk_t data)
 {
 	int i, j, zero_runs[7], one_runs[7], zero = 0, one = 0, longrun = 0;
-	
+
 	memset(one_runs, 0, sizeof(zero_runs));
 	memset(zero_runs, 0, sizeof(one_runs));
-	
+
 	for (i = 0; i < data.len; i++)
 	{
 		for (j = 0; j < 8; j++)
@@ -189,7 +189,7 @@ static bool test_runs(runs_t *param, chunk_t data)
 			}
 		}
 	}
-	
+
 	DBG2("  Runs: zero: %d/%d/%d/%d/%d/%d, one: %d/%d/%d/%d/%d/%d, "
 		 "longruns: %d",
 		 zero_runs[1], zero_runs[2], zero_runs[3],
@@ -197,12 +197,12 @@ static bool test_runs(runs_t *param, chunk_t data)
 		 one_runs[1], one_runs[2], one_runs[3],
 		 one_runs[4], one_runs[5], one_runs[6],
 		 longrun);
-	
+
 	if (longrun)
 	{
 		return FALSE;
 	}
-	
+
 	for (i = 1; i < countof(zero_runs); i++)
 	{
 		if (zero_runs[i] <= param->lower[i] ||
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors_plugin.c b/src/libstrongswan/plugins/test_vectors/test_vectors_plugin.c
index b96dc0c9a..7ad8c3c73 100644
--- a/src/libstrongswan/plugins/test_vectors/test_vectors_plugin.c
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors_plugin.c
@@ -108,9 +108,9 @@ plugin_t *plugin_create()
 {
 	private_test_vectors_plugin_t *this = malloc_thing(private_test_vectors_plugin_t);
 	int i;
-	
+
 	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-	
+
 	for (i = 0; i < countof(crypter); i++)
 	{
 		lib->crypto->add_test_vector(lib->crypto,
@@ -136,7 +136,7 @@ plugin_t *plugin_create()
 		lib->crypto->add_test_vector(lib->crypto,
 									 RANDOM_NUMBER_GENERATOR, rng[i]);
 	}
-	
+
 	return &this->public.plugin;
 }
 
diff --git a/src/libstrongswan/plugins/x509/Makefile.am b/src/libstrongswan/plugins/x509/Makefile.am
index e9668b4e4..853b1cebc 100644
--- a/src/libstrongswan/plugins/x509/Makefile.am
+++ b/src/libstrongswan/plugins/x509/Makefile.am
@@ -9,8 +9,8 @@ libstrongswan_x509_la_SOURCES = x509_plugin.h x509_plugin.c \
   x509_cert.h x509_cert.c \
   x509_crl.h x509_crl.c \
   x509_ac.h x509_ac.c \
+  x509_pkcs10.h x509_pkcs10.c \
   x509_ocsp_request.h x509_ocsp_request.c \
-  x509_ocsp_response.h x509_ocsp_response.c \
-  ietf_attr_list.h ietf_attr_list.c
+  x509_ocsp_response.h x509_ocsp_response.c
 libstrongswan_x509_la_LDFLAGS = -module -avoid-version
 
diff --git a/src/libstrongswan/plugins/x509/Makefile.in b/src/libstrongswan/plugins/x509/Makefile.in
index 56cb04769..428643254 100644
--- a/src/libstrongswan/plugins/x509/Makefile.in
+++ b/src/libstrongswan/plugins/x509/Makefile.in
@@ -1,8 +1,9 @@
-# Makefile.in generated by automake 1.10.2 from Makefile.am.
+# Makefile.in generated by automake 1.11 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,8 +17,9 @@
 
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
@@ -35,24 +37,46 @@ host_triplet = @host@
 subdir = src/libstrongswan/plugins/x509
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
 CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
 am__vpath_adj = case $$p in \
     $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
     *) f=$$p;; \
   esac;
-am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__installdirs = "$(DESTDIR)$(plugindir)"
-pluginLTLIBRARIES_INSTALL = $(INSTALL)
 LTLIBRARIES = $(plugin_LTLIBRARIES)
 libstrongswan_x509_la_LIBADD =
 am_libstrongswan_x509_la_OBJECTS = x509_plugin.lo x509_cert.lo \
-	x509_crl.lo x509_ac.lo x509_ocsp_request.lo \
-	x509_ocsp_response.lo ietf_attr_list.lo
+	x509_crl.lo x509_ac.lo x509_pkcs10.lo x509_ocsp_request.lo \
+	x509_ocsp_response.lo
 libstrongswan_x509_la_OBJECTS = $(am_libstrongswan_x509_la_OBJECTS)
 libstrongswan_x509_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
 	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
@@ -60,6 +84,7 @@ libstrongswan_x509_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
+am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
@@ -107,25 +132,22 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
-IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
-LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
-LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
-LINUX_HEADERS = @LINUX_HEADERS@
 LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
 NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
@@ -137,11 +159,14 @@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
 PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
+RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
@@ -170,9 +195,9 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
-confdir = @confdir@
 datadir = @datadir@
 datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
@@ -195,7 +220,7 @@ ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
 libstrongswan_plugins = @libstrongswan_plugins@
-linuxdir = @linuxdir@
+linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
@@ -203,6 +228,7 @@ mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
@@ -211,10 +237,12 @@ pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+random_device = @random_device@
 resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
-simreader = @simreader@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
@@ -222,6 +250,7 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
@@ -231,9 +260,9 @@ libstrongswan_x509_la_SOURCES = x509_plugin.h x509_plugin.c \
   x509_cert.h x509_cert.c \
   x509_crl.h x509_crl.c \
   x509_ac.h x509_ac.c \
+  x509_pkcs10.h x509_pkcs10.c \
   x509_ocsp_request.h x509_ocsp_request.c \
-  x509_ocsp_response.h x509_ocsp_response.c \
-  ietf_attr_list.h ietf_attr_list.c
+  x509_ocsp_response.h x509_ocsp_response.c
 
 libstrongswan_x509_la_LDFLAGS = -module -avoid-version
 all: all-am
@@ -249,9 +278,9 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/libstrongswan/plugins/x509/Makefile'; \
-	cd $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu  src/libstrongswan/plugins/x509/Makefile
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/x509/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libstrongswan/plugins/x509/Makefile
 .PRECIOUS: Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
@@ -269,23 +298,28 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
 	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
 	  if test -f $$p; then \
-	    f=$(am__strip_dir) \
-	    echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(plugindir)/$$f'"; \
-	    $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(plugindir)/$$f"; \
+	    list2="$$list2 $$p"; \
 	  else :; fi; \
-	done
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
 
 uninstall-pluginLTLIBRARIES:
 	@$(NORMAL_UNINSTALL)
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
-	  p=$(am__strip_dir) \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$p'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$p"; \
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
 	done
 
 clean-pluginLTLIBRARIES:
@@ -305,31 +339,31 @@ mostlyclean-compile:
 distclean-compile:
 	-rm -f *.tab.c
 
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ietf_attr_list.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/x509_ac.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/x509_cert.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/x509_crl.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/x509_ocsp_request.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/x509_ocsp_response.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/x509_pkcs10.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/x509_plugin.Plo@am__quote@
 
 .c.o:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c $<
 
 .c.obj:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
 @am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
@@ -352,7 +386,7 @@ tags: TAGS
 
 TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
+	set x; \
 	here=`pwd`; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
@@ -360,29 +394,34 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
 	  test -n "$$unique" || unique=$$empty_fix; \
-	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	    $$tags $$unique; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
 	fi
 ctags: CTAGS
 CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	test -z "$(CTAGS_ARGS)$$unique" \
 	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$tags $$unique
+	     $$unique
 
 GTAGS:
 	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && cd $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) $$here
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
 
 distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
@@ -403,13 +442,17 @@ distdir: $(DISTFILES)
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
 	  if test -d $$d/$$file; then \
 	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
 	    fi; \
-	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
 	  else \
-	    test -f $(distdir)/$$file \
-	    || cp -p $$d/$$file $(distdir)/$$file \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
 	    || exit 1; \
 	  fi; \
 	done
@@ -440,6 +483,7 @@ clean-generic:
 
 distclean-generic:
 	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -461,6 +505,8 @@ dvi-am:
 
 html: html-am
 
+html-am:
+
 info: info-am
 
 info-am:
@@ -469,18 +515,28 @@ install-data-am: install-pluginLTLIBRARIES
 
 install-dvi: install-dvi-am
 
+install-dvi-am:
+
 install-exec-am:
 
 install-html: install-html-am
 
+install-html-am:
+
 install-info: install-info-am
 
+install-info-am:
+
 install-man:
 
 install-pdf: install-pdf-am
 
+install-pdf-am:
+
 install-ps: install-ps-am
 
+install-ps-am:
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -519,6 +575,7 @@ uninstall-am: uninstall-pluginLTLIBRARIES
 	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
 	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
 
+
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/src/libstrongswan/plugins/x509/ietf_attr_list.c b/src/libstrongswan/plugins/x509/ietf_attr_list.c
deleted file mode 100644
index 17f6949b2..000000000
--- a/src/libstrongswan/plugins/x509/ietf_attr_list.c
+++ /dev/null
@@ -1,396 +0,0 @@
-/* 
- * Copyright (C) 2007 Andreas Steffen, Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <string.h>
-#include <stdio.h>
-
-#include <debug.h>
-#include <library.h>
-
-#include <asn1/oid.h>
-#include <asn1/asn1.h>
-#include <asn1/asn1_parser.h>
-#include <utils/lexparser.h>
-
-#include "ietf_attr_list.h"
-
-/**
- * Private definition of ietfAttribute kinds
- */
-typedef enum {
-	IETF_ATTRIBUTE_OCTETS =	0,
-	IETF_ATTRIBUTE_OID =	1,
-	IETF_ATTRIBUTE_STRING =	2
-} ietfAttribute_t;
-
-typedef struct ietfAttr_t ietfAttr_t;
-
-/**
- * Private definition of an ietfAttribute
- */
-struct ietfAttr_t {
-	/**
-	 * IETF attribute kind
-	 */
-	ietfAttribute_t kind;
-
-	/**
-	 * IETF attribute valuse
-	 */
-	chunk_t value;
-
-	/**
-	 * Compares two ietfAttributes
-	 *	
-	 * return -1 if this is earlier in the alphabet than other
-	 * return  0 if this equals other
-	 * return +1 if this is later in the alphabet than other
-	 *
-	 * @param this		calling object
-	 * @param other		other object
-	 */
-	int (*compare) (const ietfAttr_t *this ,const ietfAttr_t *other);
-
-	/**
-	 * Destroys the ietfAttr_t object.
-	 * 
-	 * @param this			ietfAttr_t to destroy
-	 */
-	void (*destroy) (ietfAttr_t *this);
-};
-
-/**
- * Implements ietfAttr_t.compare.
- */
-static int ietfAttr_compare(const ietfAttr_t *this ,const ietfAttr_t *other)
-{
-	int cmp_len, len, cmp_value;
-
-	/* OID attributes are appended after STRING and OCTETS attributes */
-	if (this->kind != IETF_ATTRIBUTE_OID && other->kind == IETF_ATTRIBUTE_OID)
-	{
-		return -1;
-	}
-	if (this->kind == IETF_ATTRIBUTE_OID && other->kind != IETF_ATTRIBUTE_OID)
-	{
-		return 1;
-	}
-	
-    cmp_len = this->value.len - other->value.len;
-    len = (cmp_len < 0)? this->value.len : other->value.len;
-    cmp_value = memcmp(this->value.ptr, other->value.ptr, len);
-
-    return (cmp_value == 0)? cmp_len : cmp_value;
-}
-
-/**
- * Implements ietfAttr_t.destroy.
- */
-static void ietfAttr_destroy(ietfAttr_t *this)
-{
-	free(this->value.ptr);
-	free(this);
-}
-
-/**
- * Creates an ietfAttr_t object.
- */
-static ietfAttr_t *ietfAttr_create(ietfAttribute_t kind, chunk_t value)
-{
-	ietfAttr_t *this = malloc_thing(ietfAttr_t);
-
-	/* initialize */
-	this->kind = kind;
-	this->value = chunk_clone(value);
-
-	/* function */
-	this->compare = ietfAttr_compare;
-	this->destroy = ietfAttr_destroy;
-
-	return this;
-}
-
-/**
- * Adds an ietfAttr_t object to a sorted linked list
- */
-static void ietfAttr_add(linked_list_t *list, ietfAttr_t *attr)
-{
-	iterator_t *iterator = list->create_iterator(list, TRUE);
-	ietfAttr_t *current_attr;
-	bool found = FALSE;
-
-	while (iterator->iterate(iterator, (void **)&current_attr))
-	{
-		int cmp = attr->compare(attr, current_attr);
-
-		if (cmp > 0)
-		{
-			 continue;
-		}
-		if (cmp == 0)
-		{
-			attr->destroy(attr);
-		}
-		else
-		{
-			iterator->insert_before(iterator, attr);
-		}
-		found = TRUE;
-		break;
-	}
-	iterator->destroy(iterator);
-	if (!found)
-	{
-		list->insert_last(list, attr);
-	}
-}
-
-/*
- * Described in header.
- */
-bool ietfAttr_list_equals(linked_list_t *list_a, linked_list_t *list_b)
-{
-	 bool result = TRUE;
-
-	/* lists must have the same number of attributes */
-	if (list_a->get_count(list_a) != list_b->get_count(list_b))
-	{
-		return FALSE;
-	}
-	/* empty lists - no attributes */
-	if (list_a->get_count(list_a) == 0)
-	{
-		return TRUE;
-	}
-
-	/* compare two alphabetically-sorted lists */
-	{
-		iterator_t *iterator_a = list_a->create_iterator(list_a, TRUE);
-		iterator_t *iterator_b = list_b->create_iterator(list_b, TRUE);
-		ietfAttr_t *attr_a, *attr_b;
-
-		while (iterator_a->iterate(iterator_a, (void **)&attr_a) &&
-			   iterator_b->iterate(iterator_b, (void **)&attr_b))
-		{
-			if (attr_a->compare(attr_a, attr_b) != 0)
-			{
-				/* we have a mismatch */
-				result = FALSE;
-				break;
-			}
-  		}
-		iterator_a->destroy(iterator_a);
-		iterator_b->destroy(iterator_b);
-	}
-	return result;
-}
-
-/*
- * Described in header.
- */
-void ietfAttr_list_list(linked_list_t *list, FILE *out)
-{
-	iterator_t *iterator = list->create_iterator(list, TRUE);
-	ietfAttr_t *attr;
-	bool first = TRUE;
-
-	while (iterator->iterate(iterator, (void **)&attr))
-	{
-		if (first)
-		{
-			first = FALSE;
-		}
-		else
-		{
-			fprintf(out, ", ");
-		}
-
-		switch (attr->kind)
-		{
-			case IETF_ATTRIBUTE_OCTETS:
-			case IETF_ATTRIBUTE_STRING:
-				fprintf(out, "%.*s", (int)attr->value.len, attr->value.ptr);
-				break;
-			case IETF_ATTRIBUTE_OID:
-				{
-					int oid = asn1_known_oid(attr->value);
-
-					if (oid == OID_UNKNOWN)
-					{
-						fprintf(out, "0x#B", &attr->value);
-					}
-					else
-					{
-						fprintf(out, "%s", oid_names[oid]);
-					}
-				}
-	    		break;
-			default:
-	    		break;
-  		}
-	}
-	iterator->destroy(iterator);
-}
-
-/*
- * Described in header.
- */
-void ietfAttr_list_create_from_string(char *msg, linked_list_t *list)
-{
-	chunk_t line = { msg, strlen(msg) };
-
-	while (eat_whitespace(&line))
-	{
-		chunk_t group;
-
-		/* extract the next comma-separated group attribute */
-		if (!extract_token(&group, ',', &line))
-		{
-			group = line;
-			line.len = 0;
-		}
-
-		/* remove any trailing spaces */
-		while (group.len > 0 && *(group.ptr + group.len - 1) == ' ')
-		{
-			group.len--;
-		}
-
-		/* add the group attribute to the list */
-		if (group.len > 0)
-		{
-			ietfAttr_t *attr = ietfAttr_create(IETF_ATTRIBUTE_STRING, group);
-		
-			ietfAttr_add(list, attr);
-		}
-	}
-}
-
-/**
- * ASN.1 definition of ietfAttrSyntax
- */
-static const asn1Object_t ietfAttrSyntaxObjects[] =
-{
-	{ 0, "ietfAttrSyntax",		ASN1_SEQUENCE,		ASN1_NONE }, /*  0 */
-	{ 1,   "policyAuthority",	ASN1_CONTEXT_C_0,	ASN1_OPT |
-													ASN1_BODY }, /*  1 */
-	{ 1,   "end opt",			ASN1_EOC,			ASN1_END  }, /*  2 */
-	{ 1,   "values",			ASN1_SEQUENCE,		ASN1_LOOP }, /*  3 */
-	{ 2,     "octets",			ASN1_OCTET_STRING,	ASN1_OPT |
-													ASN1_BODY }, /*  4 */
-	{ 2,     "end choice",		ASN1_EOC,			ASN1_END  }, /*  5 */
-	{ 2,     "oid",				ASN1_OID,			ASN1_OPT |
-													ASN1_BODY }, /*  6 */
-	{ 2,     "end choice",		ASN1_EOC,			ASN1_END  }, /*  7 */
-	{ 2,     "string",			ASN1_UTF8STRING,	ASN1_OPT |
-													ASN1_BODY }, /*  8 */
-	{ 2,     "end choice",		ASN1_EOC,			ASN1_END  }, /*  9 */
-	{ 1,   "end loop",			ASN1_EOC,			ASN1_END  }, /* 10 */
-	{ 0, "exit",				ASN1_EOC,			ASN1_EXIT }
-};
-#define IETF_ATTR_OCTETS	 4
-#define IETF_ATTR_OID		 6
-#define IETF_ATTR_STRING	 8
-
-/*
- * Described in header.
- */
-void ietfAttr_list_create_from_chunk(chunk_t chunk, linked_list_t *list, int level0)
-{
-	asn1_parser_t *parser;
-	chunk_t object;
-	int objectID;
-
-	parser = asn1_parser_create(ietfAttrSyntaxObjects, chunk);
-	parser->set_top_level(parser, level0);
-
-	while (parser->iterate(parser, &objectID, &object))
-	{
-		switch (objectID)
-		{
-			case IETF_ATTR_OCTETS:
-			case IETF_ATTR_OID:
-			case IETF_ATTR_STRING:
-				{
-					ietfAttribute_t kind = (objectID - IETF_ATTR_OCTETS) / 2;
-					ietfAttr_t *attr   = ietfAttr_create(kind, object);
-					ietfAttr_add(list, attr);
-				}
-				break;
-			default:
-				break;
-		}
-	}
-	parser->destroy(parser);
-}
-
-/*
- * Described in header.
- */
-chunk_t ietfAttr_list_encode(linked_list_t *list)
-{
-	chunk_t ietfAttributes;
-	size_t size = 0;
-	u_char *pos;
-	iterator_t *iterator = list->create_iterator(list, TRUE);
-	ietfAttr_t *attr;
-
-	/* precalculate the total size of all values */
-	while (iterator->iterate(iterator, (void **)&attr))
-	{
-		size_t len = attr->value.len;
-
-		size += 1 + (len > 0) + (len >= 128) + (len >= 256) + (len >= 65536) + len;
-	}
-	iterator->destroy(iterator);
-
-	pos = asn1_build_object(&ietfAttributes, ASN1_SEQUENCE, size);
-
-	iterator = list->create_iterator(list, TRUE);
-	while (iterator->iterate(iterator, (void **)&attr))
-	{
-		chunk_t ietfAttribute;
-		asn1_t type = ASN1_NULL;
-
-		switch (attr->kind)
-		{
-			case IETF_ATTRIBUTE_OCTETS:
-				type = ASN1_OCTET_STRING;
-				break;
-			case IETF_ATTRIBUTE_STRING:
-				type = ASN1_UTF8STRING;
-				break;
-			case IETF_ATTRIBUTE_OID:
-				type = ASN1_OID;
-				break;
-		}
-		ietfAttribute = asn1_simple_object(type, attr->value);
-
-		/* copy ietfAttribute into ietfAttributes chunk */
-		memcpy(pos, ietfAttribute.ptr, ietfAttribute.len); 
-		pos += ietfAttribute.len;
-		free(ietfAttribute.ptr);
-	}
-	iterator->destroy(iterator);
-
-	return asn1_wrap(ASN1_SEQUENCE, "m", ietfAttributes);
-}
-
-/*
- * Described in header.
- */
-void ietfAttr_list_destroy(linked_list_t *list)
-{
-	list->destroy_offset(list, offsetof(ietfAttr_t, destroy));
-}
diff --git a/src/libstrongswan/plugins/x509/ietf_attr_list.h b/src/libstrongswan/plugins/x509/ietf_attr_list.h
deleted file mode 100644
index 5807a899e..000000000
--- a/src/libstrongswan/plugins/x509/ietf_attr_list.h
+++ /dev/null
@@ -1,79 +0,0 @@
-/*
- * Copyright (C) 2007 Andreas Steffen
- *
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup ietf_attr_list ietf_attr_list
- * @{ @ingroup x509_p
- */
-
-#ifndef IETF_ATTR_LIST_H_
-#define IETF_ATTR_LIST_H_
-
-#include <library.h>
-#include <utils/linked_list.h>
-
-
-/**
- * @brief Compare two linked lists of ietfAttr_t objects for equality
- *
- * @param list_a	first alphabetically-sorted list
- * @param list_b	second alphabetically-sorted list
- * @return			TRUE if equal	
- */
-bool ietfAttr_list_equals(linked_list_t *list_a, linked_list_t *list_b);
-
-/**
- * @brief Lists a linked list of ietfAttr_t objects
- *
- * @param list		alphabetically-sorted linked list of attributes
- * @param out		output file	
- */
-void ietfAttr_list_list(linked_list_t *list, FILE *out);
-
-/**
- * @brief Create a linked list of ietfAttr_t objects from a string
- *
- * @param msg		string with comma-separated group names
- * @param list		alphabetically-sorted linked list of attributes
-  */
-void ietfAttr_list_create_from_string(char *msg, linked_list_t *list);
-
-/**
- * @brief Create a linked list of ietfAttr_t objects from an ASN.1-coded chunk
- *
- * @param chunk		chunk containing ASN.1-coded attributes
- * @param list		alphabetically-sorted linked list of attributes
- * @param level0	parsing level
- */
-void ietfAttr_list_create_from_chunk(chunk_t chunk, linked_list_t *list, int level0);
-
-/**
- * @brief Encode a linked list of ietfAttr_t objects into an ASN.1-coded chunk
- *
- * @param list		alphabetically-sorted linked list of attributes
- * @return			chunk containing ASN.1-coded attributes
- */
-chunk_t ietfAttr_list_encode(linked_list_t *list);
-
-/**
- * @brief Destroys a linked list of ietfAttr_t objects
- *
- * @param list		list to be destroyed
- */
-void ietfAttr_list_destroy(linked_list_t *list);
-
-#endif /** IETF_ATTR_LIST_H_ @}*/
-
diff --git a/src/libstrongswan/plugins/x509/x509_ac.c b/src/libstrongswan/plugins/x509/x509_ac.c
index 638f96b44..79ff80933 100644
--- a/src/libstrongswan/plugins/x509/x509_ac.c
+++ b/src/libstrongswan/plugins/x509/x509_ac.c
@@ -1,9 +1,10 @@
 /*
  * Copyright (C) 2002 Ueli Galizzi, Ariane Seiler
  * Copyright (C) 2003 Martin Berner, Lukas Suter
- * Copyright (C) 2002-2008 Andreas Steffen
+ * Copyright (C) 2002-2009 Andreas Steffen
+ * Copyright (C) 2009 Martin Willi
  *
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -17,7 +18,6 @@
  */
 
 #include "x509_ac.h"
-#include "ietf_attr_list.h"
 
 #include <time.h>
 
@@ -26,14 +26,14 @@
 #include <asn1/oid.h>
 #include <asn1/asn1.h>
 #include <asn1/asn1_parser.h>
-#include <asn1/pem.h>
 #include <utils/identification.h>
 #include <utils/linked_list.h>
 #include <credentials/certificates/x509.h>
+#include <credentials/ietf_attributes/ietf_attributes.h>
 #include <credentials/keys/private_key.h>
 
-extern identification_t* x509_parse_authorityKeyIdentifier(chunk_t blob,
-							 int level0, chunk_t *authKeySerialNumber);
+extern chunk_t x509_parse_authorityKeyIdentifier(chunk_t blob,
+									int level0, chunk_t *authKeySerialNumber);
 
 typedef struct private_x509_ac_t private_x509_ac_t;
 
@@ -46,7 +46,7 @@ struct private_x509_ac_t {
 	 * public functions
 	 */
 	x509_ac_t public;
-	
+
 	/**
 	 * X.509 attribute certificate encoding in ASN.1 DER format
 	 */
@@ -81,7 +81,7 @@ struct private_x509_ac_t {
 	 * ID representing the holder
 	 */
 	identification_t *entityName;
-	
+
 	/**
 	 * ID representing the attribute certificate issuer
 	 */
@@ -100,17 +100,17 @@ struct private_x509_ac_t {
 	/**
 	 * List of charging attributes
 	 */
-	linked_list_t *charging;
+	ietf_attributes_t *charging;
 
 	/**
 	 * List of groub attributes
 	 */
-	linked_list_t *groups;
+	ietf_attributes_t *groups;
 
 	/**
 	 * Authority Key Identifier
 	 */
-	identification_t *authKeyIdentifier;
+	chunk_t authKeyIdentifier;
 
 	/**
 	 * Authority Key Serial Number
@@ -132,19 +132,19 @@ struct private_x509_ac_t {
 	 */
 	chunk_t signature;
 
-    /**
-     * Holder certificate
-     */
+	/**
+	 * Holder certificate
+	 */
 	certificate_t *holderCert;
 
-    /**
-     * Signer certificate
-     */
+	/**
+	 * Signer certificate
+	 */
 	certificate_t *signerCert;
 
-   /**
-    * Signer private key;
-    */
+	/**
+	* Signer private key;
+	*/
 	private_key_t *signerKey;
 
 	/**
@@ -153,30 +153,13 @@ struct private_x509_ac_t {
 	refcount_t ref;
 };
 
-static u_char ASN1_group_oid_str[] = {
-	0x06, 0x08,
-		  0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x0a ,0x04
-};
-
-static const chunk_t ASN1_group_oid = chunk_from_buf(ASN1_group_oid_str);
-
-static u_char ASN1_authorityKeyIdentifier_oid_str[] = {
-	0x06, 0x03,
-		  0x55, 0x1d, 0x23
-};
-
-static const chunk_t ASN1_authorityKeyIdentifier_oid =
-	 			 	 	chunk_from_buf(ASN1_authorityKeyIdentifier_oid_str);
-
-static u_char ASN1_noRevAvail_ext_str[] = {
+static chunk_t ASN1_noRevAvail_ext = chunk_from_chars(
 	0x30, 0x09,
 		  0x06, 0x03,
 				0x55, 0x1d, 0x38,
 		  0x04, 0x02,
 				0x05, 0x00
-};
-
-static const chunk_t ASN1_noRevAvail_ext = chunk_from_buf(ASN1_noRevAvail_ext_str);
+);
 
 /**
  * declaration of function implemented in x509_cert.c
@@ -294,7 +277,7 @@ static const asn1Object_t acObjects[] =
 	{ 3,	     "baseCertificateID",		ASN1_CONTEXT_C_0,	  ASN1_OPT  }, /* 21 */
 	{ 4,	       "issuerSerial",			ASN1_SEQUENCE,		  ASN1_NONE }, /* 22 */
 	{ 5,	         "issuer",				ASN1_SEQUENCE,		  ASN1_OBJ  }, /* 23 */
-	{ 5,	  	 "serial",					ASN1_INTEGER,		  ASN1_BODY }, /* 24 */
+	{ 5,		 "serial",					ASN1_INTEGER,		  ASN1_BODY }, /* 24 */
 	{ 5,           "issuerUID",				ASN1_BIT_STRING,	  ASN1_OPT |
 																  ASN1_BODY }, /* 25 */
 	{ 5,           "end opt",				ASN1_EOC,			  ASN1_END  }, /* 26 */
@@ -302,7 +285,7 @@ static const asn1Object_t acObjects[] =
 	{ 3,       "objectDigestInfo",			ASN1_CONTEXT_C_1,	  ASN1_OPT  }, /* 28 */
 	{ 4,	       "digestInfo",			ASN1_SEQUENCE,		  ASN1_OBJ  }, /* 29 */
 	{ 5,  	 "digestedObjectType",			ASN1_ENUMERATED,	  ASN1_BODY }, /* 30 */
-	{ 5,	  	 "otherObjectTypeID",		ASN1_OID,			  ASN1_OPT |
+	{ 5,		 "otherObjectTypeID",		ASN1_OID,			  ASN1_OPT |
 																  ASN1_BODY }, /* 31 */
 	{ 5,           "end opt",				ASN1_EOC,			  ASN1_END  }, /* 32 */
 	{ 5,           "digestAlgorithm",		ASN1_EOC,			  ASN1_RAW  }, /* 33 */
@@ -430,10 +413,14 @@ static bool parse_certificate(private_x509_ac_t *this)
 						DBG2("  need to parse accessIdentity");
 						break;
 					case OID_CHARGING_IDENTITY:
-						ietfAttr_list_create_from_chunk(object, this->charging, level);
+						DBG2("-- > --");
+						this->charging = ietf_attributes_create_from_encoding(object);
+						DBG2("-- < --");
 						break;
 					case OID_GROUP:
-						ietfAttr_list_create_from_chunk(object, this->groups, level);
+						DBG2("-- > --");
+						this->groups = ietf_attributes_create_from_encoding(object);
+						DBG2("-- < --");
 						break;
 					case OID_ROLE:
 						parse_roleSyntax(object, level);
@@ -459,7 +446,7 @@ static bool parse_certificate(private_x509_ac_t *this)
 						break;
 					case OID_AUTHORITY_KEY_ID:
 						this->authKeyIdentifier = x509_parse_authorityKeyIdentifier(object,
-						 							level, &this->authKeySerialNumber);
+													level, &this->authKeySerialNumber);
 						break;
 					case OID_TARGET_INFORMATION:
 						DBG2("  need to parse targetInformation");
@@ -547,10 +534,10 @@ static chunk_t build_attr_cert_validity(private_x509_ac_t *this)
 /**
  * build attribute type
  */
-static chunk_t build_attribute_type(const chunk_t type, chunk_t content)
+static chunk_t build_attribute_type(int type, chunk_t content)
 {
-	return asn1_wrap(ASN1_SEQUENCE, "cm",
-				type,
+	return asn1_wrap(ASN1_SEQUENCE, "mm",
+				asn1_build_known_oid(type),
 				asn1_wrap(ASN1_SET, "m", content));
 }
 
@@ -560,7 +547,7 @@ static chunk_t build_attribute_type(const chunk_t type, chunk_t content)
 static chunk_t build_attributes(private_x509_ac_t *this)
 {
 	return asn1_wrap(ASN1_SEQUENCE, "m",
-		build_attribute_type(ASN1_group_oid, ietfAttr_list_encode(this->groups)));
+		build_attribute_type(OID_GROUP, this->groups->get_encoding(this->groups)));
 }
 
 /**
@@ -568,31 +555,30 @@ static chunk_t build_attributes(private_x509_ac_t *this)
  */
 static chunk_t build_authorityKeyIdentifier(private_x509_ac_t *this)
 {
-	chunk_t keyIdentifier;
+	chunk_t keyIdentifier = chunk_empty;
 	chunk_t authorityCertIssuer;
 	chunk_t authorityCertSerialNumber;
-	x509_t *x509 = (x509_t*)this->signerCert;
-	identification_t *issuer = this->signerCert->get_issuer(this->signerCert);
-	public_key_t *public = this->signerCert->get_public_key(this->signerCert);
+	identification_t *issuer;
+	public_key_t *public;
+	x509_t *x509;
 
+	x509 = (x509_t*)this->signerCert;
+	issuer = this->signerCert->get_issuer(this->signerCert);
+	public = this->signerCert->get_public_key(this->signerCert);
 	if (public)
 	{
-		identification_t *keyid = public->get_id(public, ID_PUBKEY_SHA1);
-
-		this->authKeyIdentifier = keyid = keyid->clone(keyid);
-		keyIdentifier = keyid->get_encoding(keyid);		
+		if (public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1, &keyIdentifier))
+		{
+			this->authKeyIdentifier = chunk_clone(keyIdentifier);
+		}
 		public->destroy(public);
 	}
-	else
-	{
-		keyIdentifier = chunk_empty;
-	}
 	authorityCertIssuer = build_directoryName(ASN1_CONTEXT_C_1,
-								issuer->get_encoding(issuer));
+											issuer->get_encoding(issuer));
 	authorityCertSerialNumber = asn1_simple_object(ASN1_CONTEXT_S_2,
-									x509->get_serial(x509));
-	return asn1_wrap(ASN1_SEQUENCE, "cm",
-				ASN1_authorityKeyIdentifier_oid,
+											x509->get_serial(x509));
+	return asn1_wrap(ASN1_SEQUENCE, "mm",
+				asn1_build_known_oid(OID_AUTHORITY_KEY_ID),
 				asn1_wrap(ASN1_OCTET_STRING, "m",
 					asn1_wrap(ASN1_SEQUENCE, "cmm",
 						keyIdentifier,
@@ -618,7 +604,7 @@ static chunk_t build_extensions(private_x509_ac_t *this)
  */
 static chunk_t build_attr_cert_info(private_x509_ac_t *this)
 {
-	return asn1_wrap(ASN1_SEQUENCE, "cmmcmmmm",
+	return asn1_wrap(ASN1_SEQUENCE, "cmmmmmmm",
 				ASN1_INTEGER_1,
 				build_holder(this),
 				build_v2_form(this),
@@ -636,14 +622,14 @@ static chunk_t build_attr_cert_info(private_x509_ac_t *this)
 static chunk_t build_ac(private_x509_ac_t *this)
 {
 	chunk_t signatureValue;
-    chunk_t attributeCertificateInfo;
+	chunk_t attributeCertificateInfo;
 
 	attributeCertificateInfo = build_attr_cert_info(this);
 
 	this->signerKey->sign(this->signerKey, SIGN_RSA_EMSA_PKCS1_SHA1,
 						  attributeCertificateInfo, &signatureValue);
 
-	return asn1_wrap(ASN1_SEQUENCE, "mcm",
+	return asn1_wrap(ASN1_SEQUENCE, "mmm",
 				attributeCertificateInfo,
 				asn1_algorithmIdentifier(OID_SHA1_WITH_RSA),
 				asn1_bitstring("m", signatureValue));
@@ -676,11 +662,19 @@ static identification_t* get_holderIssuer(private_x509_ac_t *this)
 /**
  * Implementation of ac_t.get_authKeyIdentifier.
  */
-static identification_t* get_authKeyIdentifier(private_x509_ac_t *this)
+static chunk_t get_authKeyIdentifier(private_x509_ac_t *this)
 {
 	return this->authKeyIdentifier;
 }
 
+/**
+ * Implementation of certificate_t.get_groups.
+ */
+static ietf_attributes_t* get_groups(private_x509_ac_t *this)
+{
+	return this->groups ? this->groups->get_ref(this->groups) : NULL;
+}
+
 /**
  * Implementation of certificate_t.get_type
  */
@@ -710,7 +704,7 @@ static identification_t* get_issuer(private_x509_ac_t *this)
  */
 static id_match_t has_subject(private_x509_ac_t *this, identification_t *subject)
 {
-	return ID_MATCH_NONE;	
+	return ID_MATCH_NONE;
 }
 
 /**
@@ -718,24 +712,12 @@ static id_match_t has_subject(private_x509_ac_t *this, identification_t *subject
  */
 static id_match_t has_issuer(private_x509_ac_t *this, identification_t *issuer)
 {
-	id_match_t match;
-
-	if (issuer->get_type(issuer) == ID_PUBKEY_SHA1)
-	{
-		if (this->authKeyIdentifier)
-		{
-			match = issuer->matches(issuer, this->authKeyIdentifier);
-		}
-		else
-		{
-			match = ID_MATCH_NONE;
-		}
-	}
-	else
+	if (issuer->get_type(issuer) == ID_KEY_ID && this->authKeyIdentifier.ptr &&
+		chunk_equals(this->authKeyIdentifier, issuer->get_encoding(issuer)))
 	{
-		match = this->issuerName->matches(this->issuerName, issuer);
+		return ID_MATCH_PERFECT;
 	}
-	return match;
+	return this->issuerName->matches(this->issuerName, issuer);
 }
 
 /**
@@ -747,7 +729,7 @@ static bool issued_by(private_x509_ac_t *this, certificate_t *issuer)
 	signature_scheme_t scheme;
 	bool valid;
 	x509_t *x509 = (x509_t*)issuer;
-	
+
 	/* check if issuer is an X.509 AA certificate */
 	if (issuer->get_type(issuer) != CERT_X509)
 	{
@@ -762,19 +744,20 @@ static bool issued_by(private_x509_ac_t *this, certificate_t *issuer)
 	key = issuer->get_public_key(issuer);
 
 	/* compare keyIdentifiers if available, otherwise use DNs */
-	if (this->authKeyIdentifier && key)
+	if (this->authKeyIdentifier.ptr && key)
 	{
-		identification_t *subjectKeyIdentifier = key->get_id(key, ID_PUBKEY_SHA1);
+		chunk_t fingerprint;
 
-		if (!subjectKeyIdentifier->equals(subjectKeyIdentifier,
-										  this->authKeyIdentifier))
+		if (!key->get_fingerprint(key, KEY_ID_PUBKEY_SHA1, &fingerprint) ||
+			!chunk_equals(fingerprint, this->authKeyIdentifier))
 		{
 			return FALSE;
 		}
 	}
-	else 
+	else
 	{
-		if (!this->issuerName->equals(this->issuerName, issuer->get_subject(issuer)))
+		if (!this->issuerName->equals(this->issuerName,
+									  issuer->get_subject(issuer)))
 		{
 			return FALSE;
 		}
@@ -815,16 +798,8 @@ static private_x509_ac_t* get_ref(private_x509_ac_t *this)
 static bool get_validity(private_x509_ac_t *this, time_t *when,
 						 time_t *not_before, time_t *not_after)
 {
-	time_t t;
-	
-	if (when)
-	{
-		t = *when;
-	}
-	else
-	{
-		t = time(NULL);
-	}
+	time_t t = when ? *when : time(NULL);
+
 	if (not_before)
 	{
 		*not_before = this->notBefore;
@@ -849,12 +824,12 @@ static bool is_newer(private_x509_ac_t *this, ac_t *that)
 	this_cert->get_validity(this_cert, &now, &this_update, NULL);
 	that_cert->get_validity(that_cert, &now, &that_update, NULL);
 	new = this_update > that_update;
-	DBG1("  attr cert from %T is %s - existing attr_cert from %T %s",
+	DBG1("  attr cert from %T is %s - existing attr cert from %T %s",
 			&this_update, FALSE, new ? "newer":"not newer",
 			&that_update, FALSE, new ? "replaced":"retained");
 	return new;
 }
-	
+
 /**
  * Implementation of certificate_t.get_encoding.
  */
@@ -870,14 +845,14 @@ static bool equals(private_x509_ac_t *this, certificate_t *other)
 {
 	chunk_t encoding;
 	bool equal;
-	
+
 	if ((certificate_t*)this == other)
 	{
 		return TRUE;
 	}
 	if (other->equals == (void*)equals)
 	{	/* skip allocation if we have the same implementation */
-		return chunk_equals(this->encoding, ((private_x509_ac_t*)other)->encoding); 
+		return chunk_equals(this->encoding, ((private_x509_ac_t*)other)->encoding);
 	}
 	encoding = other->get_encoding(other);
 	equal = chunk_equals(this->encoding, encoding);
@@ -895,14 +870,13 @@ static void destroy(private_x509_ac_t *this)
 		DESTROY_IF(this->holderIssuer);
 		DESTROY_IF(this->entityName);
 		DESTROY_IF(this->issuerName);
-		DESTROY_IF(this->authKeyIdentifier);
 		DESTROY_IF(this->holderCert);
 		DESTROY_IF(this->signerCert);
 		DESTROY_IF(this->signerKey);
-
-		ietfAttr_list_destroy(this->charging);
-		ietfAttr_list_destroy(this->groups);
+		DESTROY_IF(this->charging);
+		DESTROY_IF(this->groups);
 		free(this->serialNumber.ptr);
+		free(this->authKeyIdentifier.ptr);
 		free(this->encoding.ptr);
 		free(this);
 	}
@@ -914,12 +888,13 @@ static void destroy(private_x509_ac_t *this)
 static private_x509_ac_t *create_empty(void)
 {
 	private_x509_ac_t *this = malloc_thing(private_x509_ac_t);
-	
+
 	/* public functions */
 	this->public.interface.get_serial = (chunk_t (*)(ac_t*))get_serial;
 	this->public.interface.get_holderSerial = (chunk_t (*)(ac_t*))get_holderSerial;
 	this->public.interface.get_holderIssuer = (identification_t* (*)(ac_t*))get_holderIssuer;
-	this->public.interface.get_authKeyIdentifier = (identification_t* (*)(ac_t*))get_authKeyIdentifier;
+	this->public.interface.get_authKeyIdentifier = (chunk_t (*)(ac_t*))get_authKeyIdentifier;
+	this->public.interface.get_groups = (ietf_attributes_t* (*)(ac_t*))get_groups;
 	this->public.interface.certificate.get_type = (certificate_type_t (*)(certificate_t *this))get_type;
 	this->public.interface.certificate.get_subject = (identification_t* (*)(certificate_t *this))get_subject;
 	this->public.interface.certificate.get_issuer = (identification_t* (*)(certificate_t *this))get_issuer;
@@ -938,187 +913,108 @@ static private_x509_ac_t *create_empty(void)
 	this->encoding = chunk_empty;
 	this->serialNumber = chunk_empty;
 	this->holderSerial = chunk_empty;
+	this->authKeyIdentifier = chunk_empty;
 	this->holderIssuer = NULL;
 	this->entityName = NULL;
 	this->issuerName = NULL;
-	this->authKeyIdentifier = NULL;
 	this->holderCert = NULL;
 	this->signerCert = NULL;
 	this->signerKey = NULL;
-	this->charging = linked_list_create();
-	this->groups = linked_list_create();
+	this->charging = NULL;
+	this->groups = NULL;
 	this->ref = 1;
 
 	return this;
 }
 
 /**
- * create X.509 attribute certificate from a chunk
+ * See header.
  */
-static private_x509_ac_t* create_from_chunk(chunk_t chunk)
+x509_ac_t *x509_ac_load(certificate_type_t type, va_list args)
 {
-	private_x509_ac_t *this = create_empty();
-
-	this->encoding = chunk;
-	if (!parse_certificate(this))
-	{
-		destroy(this);
-		return NULL;
-	}
-	return this;
-}	
+	chunk_t blob = chunk_empty;
 
-/**
- * create X.509 crl from a file
- */
-static private_x509_ac_t* create_from_file(char *path)
-{
-	bool pgp = FALSE;
-	chunk_t chunk;
-	private_x509_ac_t *this;
-	
-	if (!pem_asn1_load_file(path, NULL, &chunk, &pgp))
+	while (TRUE)
 	{
-		return NULL;
+		switch (va_arg(args, builder_part_t))
+		{
+			case BUILD_BLOB_ASN1_DER:
+				blob = va_arg(args, chunk_t);
+				continue;
+			case BUILD_END:
+				break;
+			default:
+				return NULL;
+		}
+		break;
 	}
-
-	this = create_from_chunk(chunk);
-
-	if (this == NULL)
+	if (blob.ptr)
 	{
-		DBG1("  could not parse loaded attribute certificate file '%s'", path);
-		return NULL;
-	}
-	DBG1("  loaded attribute certificate file '%s'", path);
-	return this;
-}
-	
-typedef struct private_builder_t private_builder_t;
-/**
- * Builder implementation for certificate loading
- */
-struct private_builder_t {
-	/** implements the builder interface */
-	builder_t public;
-	/** X.509 attribute certificate to build */
-	private_x509_ac_t *ac;
-};
+		private_x509_ac_t *ac = create_empty();
 
-/**
- * Implementation of builder_t.build
- */
-static private_x509_ac_t* build(private_builder_t *this)
-{
-	private_x509_ac_t *ac = this->ac;
-
-	free(this);
-
-	/* synthesis if encoding does not exist */
-	if (ac && ac->encoding.ptr == NULL)
-	{
-		if (ac->holderCert && ac->signerCert && ac->signerKey)
+		ac->encoding = chunk_clone(blob);
+		if (parse_certificate(ac))
 		{
-			ac->encoding = build_ac(ac);
-			return ac;
+			return &ac->public;
 		}
 		destroy(ac);
-		return NULL;
-	}
-	else
-	{
-		return ac;
 	}
+	return NULL;
 }
 
 /**
- * Implementation of builder_t.add
+ * See header.
  */
-static void add(private_builder_t *this, builder_part_t part, ...)
+x509_ac_t *x509_ac_gen(certificate_type_t type, va_list args)
 {
-	va_list args;
-	certificate_t *cert;
-	chunk_t chunk;
+	private_x509_ac_t *ac;
 
-	va_start(args, part);
-	switch (part)
+	ac = create_empty();
+	while (TRUE)
 	{
-		case BUILD_FROM_FILE:
-			if (this->ac)
-			{
-				destroy(this->ac);
-			}
-			this->ac = create_from_file(va_arg(args, char*));
-			break;
-		case BUILD_BLOB_ASN1_DER:
-			if (this->ac)
-			{
-				destroy(this->ac);
-			}
-			chunk = va_arg(args, chunk_t);
-			this->ac = create_from_chunk(chunk_clone(chunk));
-			break;
-		case BUILD_NOT_BEFORE_TIME:
-			this->ac->notBefore = va_arg(args, time_t);
-			break;
-		case BUILD_NOT_AFTER_TIME:
-			this->ac->notAfter = va_arg(args, time_t);
-			break;
-		case BUILD_SERIAL:
-			chunk = va_arg(args, chunk_t);
-			this->ac->serialNumber = chunk_clone(chunk);
-			break;
-		case BUILD_IETF_GROUP_ATTR:
-			ietfAttr_list_create_from_string(va_arg(args, char*),
-											 this->ac->groups);
-			break;
-		case BUILD_CERT:
-			cert = va_arg(args, certificate_t*);
-			if (cert->get_type(cert) == CERT_X509)
-			{
-				this->ac->holderCert = cert->get_ref(cert);
-			}
-			break;
-		case BUILD_SIGNING_CERT:
-			cert = va_arg(args, certificate_t*);
-			if (cert->get_type(cert) == CERT_X509)
-			{
-				this->ac->signerCert = cert->get_ref(cert);
-			}
-			break;
-		case BUILD_SIGNING_KEY:
-			this->ac->signerKey = va_arg(args, private_key_t*);
-			this->ac->signerKey->get_ref(this->ac->signerKey);
-			break;
-		default:
-			/* abort if unsupported option */
-			if (this->ac)
-			{
-				destroy(this->ac);
-			}
-			builder_cancel(&this->public);
-			break;
+		switch (va_arg(args, builder_part_t))
+		{
+			case BUILD_NOT_BEFORE_TIME:
+				ac->notBefore = va_arg(args, time_t);
+				continue;
+			case BUILD_NOT_AFTER_TIME:
+				ac->notAfter = va_arg(args, time_t);
+				continue;
+			case BUILD_SERIAL:
+				ac->serialNumber = chunk_clone(va_arg(args, chunk_t));
+				continue;
+			case BUILD_IETF_GROUP_ATTR:
+				ac->groups = ietf_attributes_create_from_string(va_arg(args, char*));
+				continue;
+			case BUILD_CERT:
+				ac->holderCert = va_arg(args, certificate_t*);
+				ac->holderCert->get_ref(ac->holderCert);
+				continue;
+			case BUILD_SIGNING_CERT:
+				ac->signerCert = va_arg(args, certificate_t*);
+				ac->signerCert->get_ref(ac->signerCert);
+				continue;
+			case BUILD_SIGNING_KEY:
+				ac->signerKey = va_arg(args, private_key_t*);
+				ac->signerKey->get_ref(ac->signerKey);
+				continue;
+			case BUILD_END:
+				break;
+			default:
+				destroy(ac);
+				return NULL;
+		}
+		break;
 	}
-	va_end(args);
-}
 
-/**
- * Builder construction function
- */
-builder_t *x509_ac_builder(certificate_type_t type)
-{
-	private_builder_t *this;
-	
-	if (type != CERT_X509_AC)
+	if (ac->signerKey && ac->holderCert && ac->signerCert &&
+		ac->holderCert->get_type(ac->holderCert) == CERT_X509 &&
+		ac->signerCert->get_type(ac->signerCert) == CERT_X509)
 	{
-		return NULL;
+		ac->encoding = build_ac(ac);
+		return &ac->public;
 	}
-	
-	this = malloc_thing(private_builder_t);
-	
-	this->ac = create_empty();
-	this->public.add = (void(*)(builder_t *this, builder_part_t part, ...))add;
-	this->public.build = (void*(*)(builder_t *this))build;
-	
-	return &this->public;
+	destroy(ac);
+	return NULL;
 }
 
diff --git a/src/libstrongswan/plugins/x509/x509_ac.h b/src/libstrongswan/plugins/x509/x509_ac.h
index 958d5c57a..da0988c6e 100644
--- a/src/libstrongswan/plugins/x509/x509_ac.h
+++ b/src/libstrongswan/plugins/x509/x509_ac.h
@@ -2,6 +2,7 @@
  * Copyright (C) 2002 Ueli Galizzi, Ariane Seiler
  * Copyright (C) 2003 Martin Berner, Lukas Suter
  * Copyright (C) 2002-2008 Andreas Steffen
+ * Copyright (C) 2009 Martin Willi
  *
  * Hochschule fuer Technik Rapperswil
  *
@@ -24,6 +25,7 @@
 #ifndef X509_AC_H_
 #define X509_AC_H_
 
+#include <credentials/builder.h>
 #include <credentials/certificates/ac.h>
 
 typedef struct x509_ac_t x509_ac_t;
@@ -40,18 +42,28 @@ struct x509_ac_t {
 };
 
 /**
- * Create the building facility for X.509 attribute certificates.
+ * Load a X.509 attribute certificate.
  *
- * The resulting builder accepts:
- * 	BUILD_USER_CERT: 	user certificate, exactly one
- *	BUILD_SIGNER_CERT:	signer certificate, exactly one
- *	BUILD_SIGNER_KEY:	signer private key, exactly one
- *  BUILD_SERIAL:		serial number, exactly one
- *  BUILD_GROUP_ATTR:	group attribute, optional, several possible
+ * @param type		certificate type, CERT_X509_AC only
+ * @param args		builder_part_t argument list
+ * @return			X.509 Attribute certificate, NULL on failure
+ */
+x509_ac_t *x509_ac_load(certificate_type_t type, va_list args);
+
+/**
+ * Generate a X.509 attribute certificate.
+ *
+ * Accepted build parts:
+ *  BUILD_USER_CERT:	user certificate
+ *  BUILD_SIGNER_CERT:	signer certificate
+ *  BUILD_SIGNER_KEY:	signer private key
+ *  BUILD_SERIAL:		serial number
+ *  BUILD_GROUP_ATTR:	group attribute, several possible
  *
  * @param type		certificate type, CERT_X509_AC only
- * @return			builder instance to build X.509 attribute certificates
+ * @param args		builder_part_t argument list
+ * @return			X.509 Attribute certificate, NULL on failure
  */
-builder_t *x509_ac_builder(certificate_type_t type);
+x509_ac_t *x509_ac_gen(certificate_type_t type, va_list args);
 
 #endif /** X509_AC_H_ @}*/
diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c
index 6fe1809c2..3b729236e 100644
--- a/src/libstrongswan/plugins/x509/x509_cert.c
+++ b/src/libstrongswan/plugins/x509/x509_cert.c
@@ -3,7 +3,7 @@
  * Copyright (C) 2001 Marco Bertossa, Andreas Schleiss
  * Copyright (C) 2002 Mario Strasser
  * Copyright (C) 2000-2006 Andreas Steffen
- * Copyright (C) 2006-2008 Martin Willi
+ * Copyright (C) 2006-2009 Martin Willi
  * Copyright (C) 2008 Tobias Brunner
  * Hochschule fuer Technik Rapperswil
  *
@@ -33,11 +33,11 @@
 #include <asn1/oid.h>
 #include <asn1/asn1.h>
 #include <asn1/asn1_parser.h>
-#include <asn1/pem.h>
 #include <crypto/hashers/hasher.h>
 #include <credentials/keys/private_key.h>
 #include <utils/linked_list.h>
 #include <utils/identification.h>
+#include <selectors/traffic_selector.h>
 
 /**
  * Different kinds of generalNames
@@ -65,17 +65,17 @@ struct private_x509_cert_t {
 	 * Public interface for this certificate.
 	 */
 	x509_cert_t public;
-	
+
 	/**
 	 * X.509 certificate encoding in ASN.1 DER format
 	 */
 	chunk_t encoding;
-	
+
 	/**
 	 * SHA1 hash of the DER encoding of this X.509 certificate
 	 */
 	chunk_t encoding_hash;
-	
+
 	/**
 	 * X.509 certificate body over which signature is computed
 	 */
@@ -85,100 +85,109 @@ struct private_x509_cert_t {
 	 * Version of the X.509 certificate
 	 */
 	u_int version;
-	
+
 	/**
 	 * Serial number of the X.509 certificate
 	 */
 	chunk_t serialNumber;
-	
+
 	/**
 	 * ID representing the certificate issuer
 	 */
 	identification_t *issuer;
-	
+
 	/**
 	 * Start time of certificate validity
 	 */
 	time_t notBefore;
-	
+
 	/**
 	 * End time of certificate validity
 	 */
 	time_t notAfter;
-	
+
 	/**
 	 * ID representing the certificate subject
 	 */
 	identification_t *subject;
-	
+
 	/**
 	 * List of subjectAltNames as identification_t
 	 */
 	linked_list_t *subjectAltNames;
-	
+
 	/**
 	 * List of crlDistributionPoints as allocated char*
 	 */
 	linked_list_t *crl_uris;
-	
+
 	/**
-	 * List ocspAccessLocations as identification_t
+	 * List of ocspAccessLocations as allocated char*
 	 */
 	linked_list_t *ocsp_uris;
-	
+
 	/**
-	 * certificates embedded public key
+	 * List of ipAddrBlocks as traffic_selector_t
+	 */
+	linked_list_t *ipAddrBlocks;
+
+	/**
+	 * certificate's embedded public key
 	 */
 	public_key_t *public_key;
-	
+
 	/**
 	 * Subject Key Identifier
 	 */
-	chunk_t subjectKeyID;
-	
+	chunk_t subjectKeyIdentifier;
+
 	/**
 	 * Authority Key Identifier
 	 */
-	identification_t *authKeyIdentifier;
-	
+	chunk_t authKeyIdentifier;
+
 	/**
 	 * Authority Key Serial Number
 	 */
 	chunk_t authKeySerialNumber;
-	
+
+	/**
+	 * Path Length Constraint
+	 */
+	int pathLenConstraint;
+
 	/**
 	 * x509 constraints and other flags
 	 */
 	x509_flag_t flags;
-	
+
 	/**
 	 * Signature algorithm
 	 */
 	int algorithm;
-	
+
 	/**
 	 * Signature
 	 */
 	chunk_t signature;
-	
+
 	/**
 	 * Certificate parsed from blob/file?
 	 */
 	bool parsed;
-	
+
 	/**
 	 * reference count
 	 */
 	refcount_t ref;
 };
 
-static u_char ASN1_sAN_oid_buf[] = {
+static const chunk_t ASN1_subjectAltName_oid = chunk_from_chars(
 	0x06, 0x03, 0x55, 0x1D, 0x11
-};
-static const chunk_t ASN1_subjectAltName_oid = chunk_from_buf(ASN1_sAN_oid_buf);
+);
 
 /**
- * ASN.1 definition of a basicConstraints extension 
+ * ASN.1 definition of a basicConstraints extension
  */
 static const asn1Object_t basicConstraintsObjects[] = {
 	{ 0, "basicConstraints",	ASN1_SEQUENCE,	ASN1_NONE			}, /*  0 */
@@ -187,12 +196,14 @@ static const asn1Object_t basicConstraintsObjects[] = {
 	{ 1,   "end opt",			ASN1_EOC,		ASN1_END  			}, /*  3 */
 	{ 0, "exit",				ASN1_EOC,		ASN1_EXIT  			}
 };
-#define BASIC_CONSTRAINTS_CA	1
+#define BASIC_CONSTRAINTS_CA		1
+#define BASIC_CONSTRAINTS_PATH_LEN	2
 
 /**
  * Extracts the basicConstraints extension
  */
-static bool parse_basicConstraints(chunk_t blob, int level0)
+static void parse_basicConstraints(chunk_t blob, int level0,
+								   private_x509_cert_t *this)
 {
 	asn1_parser_t *parser;
 	chunk_t object;
@@ -204,19 +215,39 @@ static bool parse_basicConstraints(chunk_t blob, int level0)
 
 	while (parser->iterate(parser, &objectID, &object))
 	{
-		if (objectID == BASIC_CONSTRAINTS_CA)
+		switch (objectID)
 		{
-			isCA = object.len && *object.ptr;
-			DBG2("  %s", isCA ? "TRUE" : "FALSE");
+			case BASIC_CONSTRAINTS_CA:
+				isCA = object.len && *object.ptr;
+				DBG2("  %s", isCA ? "TRUE" : "FALSE");
+				if (isCA)
+				{
+					this->flags |= X509_CA;
+				}
+				break;
+			case BASIC_CONSTRAINTS_PATH_LEN:
+				if (isCA)
+				{
+					if (object.len == 0)
+					{
+						this->pathLenConstraint = 0;
+					}
+					else if (object.len == 1)
+					{
+						this->pathLenConstraint = *object.ptr;
+					}
+					/* we ignore path length constraints > 127 */
+				}
+				break;
+			default:
+				break;
 		}
 	}
 	parser->destroy(parser);
-
-	return isCA;
 }
 
 /**
- * ASN.1 definition of otherName 
+ * ASN.1 definition of otherName
  */
 static const asn1Object_t otherNameObjects[] = {
 	{0, "type-id",	ASN1_OID,			ASN1_BODY	}, /* 0 */
@@ -262,14 +293,14 @@ static bool parse_otherName(chunk_t blob, int level0)
 		}
 	}
 	success = parser->success(parser);
-	
+
 end:
 	parser->destroy(parser);
 	return success;
 }
 
 /**
- * ASN.1 definition of generalName 
+ * ASN.1 definition of generalName
  */
 static const asn1Object_t generalNameObjects[] = {
 	{ 0, "otherName",		ASN1_CONTEXT_C_0,  ASN1_OPT|ASN1_BODY	}, /*  0 */
@@ -292,10 +323,10 @@ static const asn1Object_t generalNameObjects[] = {
 	{ 0, "end choice",		ASN1_EOC,          ASN1_END				}, /* 17 */
 	{ 0, "exit",			ASN1_EOC,          ASN1_EXIT			}
 };
-#define GN_OBJ_OTHER_NAME	 	 0
-#define GN_OBJ_RFC822_NAME	 	 2
-#define GN_OBJ_DNS_NAME		 	 4
-#define GN_OBJ_X400_ADDRESS	 	 6
+#define GN_OBJ_OTHER_NAME		 0
+#define GN_OBJ_RFC822_NAME		 2
+#define GN_OBJ_DNS_NAME			 4
+#define GN_OBJ_X400_ADDRESS		 6
 #define GN_OBJ_DIRECTORY_NAME	 8
 #define GN_OBJ_EDI_PARTY_NAME	10
 #define GN_OBJ_URI				12
@@ -310,16 +341,16 @@ static identification_t *parse_generalName(chunk_t blob, int level0)
 	asn1_parser_t *parser;
 	chunk_t object;
 	int objectID ;
-	
+
 	identification_t *gn = NULL;
-	
+
 	parser = asn1_parser_create(generalNameObjects, blob);
 	parser->set_top_level(parser, level0);
-	
+
 	while (parser->iterate(parser, &objectID, &object))
 	{
 		id_type_t id_type = ID_ANY;
-		
+
 		switch (objectID)
 		{
 			case GN_OBJ_RFC822_NAME:
@@ -356,14 +387,14 @@ static identification_t *parse_generalName(chunk_t blob, int level0)
 			goto end;
 		}
 	}
-	
+
 end:
 	parser->destroy(parser);
 	return gn;
 }
 
 /**
- * ASN.1 definition of generalNames 
+ * ASN.1 definition of generalNames
  */
 static const asn1Object_t generalNamesObjects[] = {
 	{ 0, "generalNames",	ASN1_SEQUENCE,	ASN1_LOOP }, /* 0 */
@@ -381,18 +412,18 @@ void x509_parse_generalNames(chunk_t blob, int level0, bool implicit, linked_lis
 	asn1_parser_t *parser;
 	chunk_t object;
 	int objectID;
-	
+
 	parser = asn1_parser_create(generalNamesObjects, blob);
 	parser->set_top_level(parser, level0);
 	parser->set_flags(parser, implicit, FALSE);
-	
+
 	while (parser->iterate(parser, &objectID, &object))
 	{
 		if (objectID == GENERAL_NAMES_GN)
 		{
 			identification_t *gn = parse_generalName(object,
 											parser->get_level(parser)+1);
-			
+
 			if (gn)
 			{
 				list->insert_last(list, (void *)gn);
@@ -403,7 +434,7 @@ void x509_parse_generalNames(chunk_t blob, int level0, bool implicit, linked_lis
 }
 
 /**
- * ASN.1 definition of a authorityKeyIdentifier extension 
+ * ASN.1 definition of a authorityKeyIdentifier extension
  */
 static const asn1Object_t authKeyIdentifierObjects[] = {
 	{ 0, "authorityKeyIdentifier",		ASN1_SEQUENCE,		ASN1_NONE 			}, /* 0 */
@@ -422,26 +453,25 @@ static const asn1Object_t authKeyIdentifierObjects[] = {
 /**
  * Extracts an authoritykeyIdentifier
  */
-identification_t* x509_parse_authorityKeyIdentifier(chunk_t blob, int level0,
+chunk_t x509_parse_authorityKeyIdentifier(chunk_t blob, int level0,
 												chunk_t *authKeySerialNumber)
 {
 	asn1_parser_t *parser;
 	chunk_t object;
 	int objectID;
-	identification_t *authKeyIdentifier = NULL;
-	
+	chunk_t authKeyIdentifier = chunk_empty;
+
 	*authKeySerialNumber = chunk_empty;
-	
+
 	parser = asn1_parser_create(authKeyIdentifierObjects, blob);
 	parser->set_top_level(parser, level0);
-	
+
 	while (parser->iterate(parser, &objectID, &object))
 	{
-		switch (objectID) 
+		switch (objectID)
 		{
 			case AUTH_KEY_ID_KEY_ID:
-				authKeyIdentifier = identification_create_from_encoding(
-												ID_PUBKEY_SHA1, object); 
+				authKeyIdentifier = chunk_clone(object);
 				break;
 			case AUTH_KEY_ID_CERT_ISSUER:
 				/* TODO: x509_parse_generalNames(object, level+1, TRUE); */
@@ -458,7 +488,7 @@ identification_t* x509_parse_authorityKeyIdentifier(chunk_t blob, int level0,
 }
 
 /**
- * ASN.1 definition of a authorityInfoAccess extension 
+ * ASN.1 definition of a authorityInfoAccess extension
  */
 static const asn1Object_t authInfoAccessObjects[] = {
 	{ 0, "authorityInfoAccess",	ASN1_SEQUENCE,	ASN1_LOOP }, /* 0 */
@@ -481,13 +511,13 @@ static void parse_authorityInfoAccess(chunk_t blob, int level0,
 	chunk_t object;
 	int objectID;
 	int accessMethod = OID_UNKNOWN;
-	
+
 	parser = asn1_parser_create(authInfoAccessObjects, blob);
 	parser->set_top_level(parser, level0);
-	
+
 	while (parser->iterate(parser, &objectID, &object))
 	{
-		switch (objectID) 
+		switch (objectID)
 		{
 			case AUTH_INFO_ACCESS_METHOD:
 				accessMethod = asn1_known_oid(object);
@@ -501,7 +531,7 @@ static void parse_authorityInfoAccess(chunk_t blob, int level0,
 						{
 							identification_t *id;
 							char *uri;
-							
+
 							id = parse_generalName(object,
 											parser->get_level(parser)+1);
 							if (id == NULL)
@@ -528,7 +558,7 @@ static void parse_authorityInfoAccess(chunk_t blob, int level0,
 				break;
 		}
 	}
-	
+
 end:
 	parser->destroy(parser);
 }
@@ -547,26 +577,37 @@ static const asn1Object_t extendedKeyUsageObjects[] = {
 /**
  * Extracts extendedKeyUsage OIDs - currently only OCSP_SIGING is returned
  */
-static bool parse_extendedKeyUsage(chunk_t blob, int level0)
+static void parse_extendedKeyUsage(chunk_t blob, int level0,
+								   private_x509_cert_t *this)
 {
 	asn1_parser_t *parser;
 	chunk_t object;
 	int objectID;
-	bool ocsp_signing = FALSE;
-	
+
 	parser = asn1_parser_create(extendedKeyUsageObjects, blob);
 	parser->set_top_level(parser, level0);
-	
+
 	while (parser->iterate(parser, &objectID, &object))
 	{
-		if (objectID == EXT_KEY_USAGE_PURPOSE_ID && 
-			asn1_known_oid(object) == OID_OCSP_SIGNING)
+		if (objectID == EXT_KEY_USAGE_PURPOSE_ID)
 		{
-			ocsp_signing = TRUE;
+			switch (asn1_known_oid(object))
+			{
+				case OID_SERVER_AUTH:
+					this->flags |= X509_SERVER_AUTH;
+					break;
+				case OID_CLIENT_AUTH:
+					this->flags |= X509_CLIENT_AUTH;
+					break;
+				case OID_OCSP_SIGNING:
+					this->flags |= X509_OCSP_SIGNER;
+					break;
+				default:
+					break;
+			}
 		}
 	}
 	parser->destroy(parser);
-	return ocsp_signing;
 }
 
 /**
@@ -600,24 +641,24 @@ static void parse_crlDistributionPoints(chunk_t blob, int level0,
 	chunk_t object;
 	int objectID;
 	linked_list_t *list = linked_list_create();
-	
+
 	parser = asn1_parser_create(crlDistributionPointsObjects, blob);
 	parser->set_top_level(parser, level0);
-	
+
 	while (parser->iterate(parser, &objectID, &object))
 	{
 		if (objectID == CRL_DIST_POINTS_FULLNAME)
 		{
 			identification_t *id;
-			
+
 			/* append extracted generalNames to existing chained list */
 			x509_parse_generalNames(object, parser->get_level(parser)+1,
 									TRUE, list);
-	
+
 			while (list->remove_last(list, (void**)&id) == SUCCESS)
 			{
 				char *uri;
-				
+
 				if (asprintf(&uri, "%Y", id) > 0)
 				{
 					this->crl_uris->insert_last(this->crl_uris, uri);
@@ -630,6 +671,147 @@ static void parse_crlDistributionPoints(chunk_t blob, int level0,
 	list->destroy(list);
 }
 
+/**
+ * ASN.1 definition of ipAddrBlocks according to RFC 3779
+ */
+static const asn1Object_t ipAddrBlocksObjects[] = {
+	{ 0, "ipAddrBlocks",	        ASN1_SEQUENCE,		ASN1_LOOP			}, /*  0 */
+	{ 1,   "ipAddressFamily",		ASN1_SEQUENCE,		ASN1_NONE			}, /*  1 */
+	{ 2,     "addressFamily",	    ASN1_OCTET_STRING,	ASN1_BODY          	}, /*  2 */
+	{ 2,     "inherit",             ASN1_NULL,          ASN1_OPT|ASN1_NONE  }, /*  3 */
+	{ 2,     "end choice",          ASN1_EOC,           ASN1_END            }, /*  4 */
+	{ 2,     "addressesOrRanges",	ASN1_SEQUENCE,	    ASN1_OPT|ASN1_LOOP 	}, /*  5 */
+	{ 3,       "addressPrefix",	    ASN1_BIT_STRING,	ASN1_OPT|ASN1_BODY  }, /*  6 */
+	{ 3,       "end choice",        ASN1_EOC,           ASN1_END            }, /*  7 */
+	{ 3,       "addressRange",      ASN1_SEQUENCE,      ASN1_OPT|ASN1_NONE  }, /*  8 */
+	{ 4,         "min",             ASN1_BIT_STRING,    ASN1_BODY           }, /*  9 */
+	{ 4,         "max",             ASN1_BIT_STRING,    ASN1_BODY           }, /* 10 */
+	{ 3,       "end choice",        ASN1_EOC,           ASN1_END            }, /* 11 */
+	{ 2,     "end choice/loop",     ASN1_EOC,           ASN1_END            }, /* 12 */
+	{ 0, "end loop",				ASN1_EOC,			ASN1_END			}, /* 13 */
+	{ 0, "exit",					ASN1_EOC,			ASN1_EXIT			}
+};
+#define IP_ADDR_BLOCKS_FAMILY       2
+#define IP_ADDR_BLOCKS_INHERIT      3
+#define IP_ADDR_BLOCKS_PREFIX       6
+#define IP_ADDR_BLOCKS_MIN          9
+#define IP_ADDR_BLOCKS_MAX         10
+
+static bool check_address_object(ts_type_t ts_type, chunk_t object)
+{
+	switch (ts_type)
+	{
+		case TS_IPV4_ADDR_RANGE:
+			if (object.len > 5)
+			{
+				DBG1("IPv4 address object is larger than 5 octets");
+				return FALSE;
+			}
+			break;
+		case TS_IPV6_ADDR_RANGE:
+			if (object.len > 17)
+			{
+				DBG1("IPv6 address object is larger than 17 octets");
+				return FALSE;
+			}
+			break;
+		default:
+			DBG1("unknown address family");
+			return FALSE;
+	}
+	if (object.len == 0)
+	{
+		DBG1("An ASN.1 bit string must contain at least the initial octet");
+		return FALSE;
+	}
+	if (object.len == 1 && object.ptr[0] != 0)
+	{
+		DBG1("An empty ASN.1 bit string must contain a zero initial octet");
+		return FALSE;
+	}
+	if (object.ptr[0] > 7)
+	{
+		DBG1("number of unused bits is too large");
+		return FALSE;
+	}
+	return TRUE;
+}
+
+static void parse_ipAddrBlocks(chunk_t blob, int level0,
+							   private_x509_cert_t *this)
+{
+	asn1_parser_t *parser;
+	chunk_t object, min_object;
+	ts_type_t ts_type = 0;
+	traffic_selector_t *ts;
+	int objectID;
+
+	parser = asn1_parser_create(ipAddrBlocksObjects, blob);
+	parser->set_top_level(parser, level0);
+
+	while (parser->iterate(parser, &objectID, &object))
+	{
+		switch (objectID)
+		{
+			case IP_ADDR_BLOCKS_FAMILY:
+				ts_type = 0;
+				if (object.len == 2 && object.ptr[0] == 0)
+				{
+					if (object.ptr[1] == 1)
+					{
+						ts_type = TS_IPV4_ADDR_RANGE;
+					}
+					else if (object.ptr[1] == 2)
+					{
+						ts_type = TS_IPV6_ADDR_RANGE;
+					}
+					else
+					{
+						break;
+					}
+					DBG2("  %N", ts_type_name, ts_type);
+				}
+				break;
+			case IP_ADDR_BLOCKS_INHERIT:
+				DBG1("inherit choice is not supported");
+				break;
+			case IP_ADDR_BLOCKS_PREFIX:
+				if (!check_address_object(ts_type, object))
+				{
+					goto end;
+				}
+				ts = traffic_selector_create_from_rfc3779_format(ts_type,
+													object, object);
+				DBG2("  %R", ts);
+				this->ipAddrBlocks->insert_last(this->ipAddrBlocks, ts);
+				break;
+			case IP_ADDR_BLOCKS_MIN:
+				if (!check_address_object(ts_type, object))
+				{
+					goto end;
+				}
+				min_object = object;
+				break;
+			case IP_ADDR_BLOCKS_MAX:
+				if (!check_address_object(ts_type, object))
+				{
+					goto end;
+				}
+				ts = traffic_selector_create_from_rfc3779_format(ts_type,
+													min_object, object);
+				DBG2("  %R", ts);
+				this->ipAddrBlocks->insert_last(this->ipAddrBlocks, ts);
+				break;
+			default:
+				break;
+		}
+	}
+	this->flags |= X509_IP_ADDR_BLOCKS;
+
+end:
+	parser->destroy(parser);
+}
+
 /**
  * ASN.1 definition of an X.509v3 x509_cert
  */
@@ -671,12 +853,18 @@ static const asn1Object_t certObjects[] = {
 #define X509_OBJ_NOT_AFTER						 9
 #define X509_OBJ_SUBJECT						10
 #define X509_OBJ_SUBJECT_PUBLIC_KEY_INFO		11
+#define X509_OBJ_OPTIONAL_EXTENSIONS			16
 #define X509_OBJ_EXTN_ID						19
 #define X509_OBJ_CRITICAL						20
 #define X509_OBJ_EXTN_VALUE						21
 #define X509_OBJ_ALGORITHM						24
 #define X509_OBJ_SIGNATURE						25
 
+/**
+ * forward declaration
+ */
+static bool issued_by(private_x509_cert_t *this, certificate_t *issuer);
+
 /**
  * Parses an X.509v3 certificate
  */
@@ -688,14 +876,14 @@ static bool parse_certificate(private_x509_cert_t *this)
 	int extn_oid = OID_UNKNOWN;
 	int sig_alg  = OID_UNKNOWN;
 	bool success = FALSE;
-	bool critical;
-	
+	bool critical = FALSE;
+
 	parser = asn1_parser_create(certObjects, this->encoding);
-	
+
 	while (parser->iterate(parser, &objectID, &object))
 	{
 		u_int level = parser->get_level(parser)+1;
-		
+
 		switch (objectID)
 		{
 			case X509_OBJ_TBS_CERTIFICATE:
@@ -703,7 +891,15 @@ static bool parse_certificate(private_x509_cert_t *this)
 				break;
 			case X509_OBJ_VERSION:
 				this->version = (object.len) ? (1+(u_int)*object.ptr) : 1;
-				DBG2("  v%d", this->version);
+				if (this->version < 1 || this->version > 3)
+				{
+					DBG1("X.509v%d not supported", this->version);
+					goto end;
+				}
+				else
+				{
+					DBG2("  X.509v%d", this->version);
+				}
 				break;
 			case X509_OBJ_SERIAL_NUMBER:
 				this->serialNumber = object;
@@ -726,13 +922,22 @@ static bool parse_certificate(private_x509_cert_t *this)
 				DBG2("  '%Y'", this->subject);
 				break;
 			case X509_OBJ_SUBJECT_PUBLIC_KEY_INFO:
+				DBG2("-- > --");
 				this->public_key = lib->creds->create(lib->creds, CRED_PUBLIC_KEY,
 						KEY_ANY, BUILD_BLOB_ASN1_DER, object, BUILD_END);
+				DBG2("-- < --");
 				if (this->public_key == NULL)
 				{
 					goto end;
 				}
 				break;
+			case X509_OBJ_OPTIONAL_EXTENSIONS:
+				if (this->version != 3)
+				{
+					DBG1("Only X.509v3 certificates have extensions");
+					goto end;
+				}
+				break;
 			case X509_OBJ_EXTN_ID:
 				extn_oid = asn1_known_oid(object);
 				break;
@@ -750,45 +955,50 @@ static bool parse_certificate(private_x509_cert_t *this)
 						{
 							goto end;
 						}
-						this->subjectKeyID = object;
+						this->subjectKeyIdentifier = object;
 						break;
 					case OID_SUBJECT_ALT_NAME:
 						x509_parse_generalNames(object, level, FALSE,
 												this->subjectAltNames);
 						break;
 					case OID_BASIC_CONSTRAINTS:
-						if (parse_basicConstraints(object, level))
-						{
-							this->flags |= X509_CA;
-						}
+						parse_basicConstraints(object, level, this);
 						break;
 					case OID_CRL_DISTRIBUTION_POINTS:
 						parse_crlDistributionPoints(object, level, this);
 						break;
 					case OID_AUTHORITY_KEY_ID:
 						this->authKeyIdentifier = x509_parse_authorityKeyIdentifier(object,
-							 							level, &this->authKeySerialNumber);
+														level, &this->authKeySerialNumber);
 						break;
 					case OID_AUTHORITY_INFO_ACCESS:
 						parse_authorityInfoAccess(object, level, this);
 						break;
 					case OID_EXTENDED_KEY_USAGE:
-						if (parse_extendedKeyUsage(object, level))
-						{
-							this->flags |= X509_OCSP_SIGNER;
-						}
+						parse_extendedKeyUsage(object, level, this);
+						break;
+					case OID_IP_ADDR_BLOCKS:
+						parse_ipAddrBlocks(object, level, this);
 						break;
 					case OID_NS_REVOCATION_URL:
 					case OID_NS_CA_REVOCATION_URL:
 					case OID_NS_CA_POLICY_URL:
 					case OID_NS_COMMENT:
-						if (!asn1_parse_simple_object(&object, ASN1_IA5STRING, 
+						if (!asn1_parse_simple_object(&object, ASN1_IA5STRING,
 											level, oid_names[extn_oid].name))
 						{
 							goto end;
 						}
 						break;
 					default:
+						if (critical && lib->settings->get_bool(lib->settings,
+							"libstrongswan.plugins.x509.enforce_critical", FALSE))
+						{
+							DBG1("critical %s extension not supported",
+								 (extn_oid == OID_UNKNOWN) ? "unknown" :
+								 (char*)oid_names[extn_oid].name);
+							goto end;
+						}
 						break;
 				}
 				break;
@@ -809,9 +1019,28 @@ static bool parse_certificate(private_x509_cert_t *this)
 		}
 	}
 	success = parser->success(parser);
-	
+
 end:
 	parser->destroy(parser);
+	if (success)
+	{
+		hasher_t *hasher;
+
+		/* check if the certificate is self-signed */
+		if (issued_by(this, &this->public.interface.interface))
+		{
+			this->flags |= X509_SELF_SIGNED;
+		}
+		/* create certificate hash */
+		hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
+		if (hasher == NULL)
+		{
+			DBG1("  unable to create hash of certificate, SHA1 not supported");
+			return NULL;
+		}
+		hasher->allocate_hash(hasher, this->encoding, &this->encoding_hash);
+		hasher->destroy(hasher);
+	}
 	return success;
 }
 
@@ -847,13 +1076,15 @@ static id_match_t has_subject(private_x509_cert_t *this, identification_t *subje
 	identification_t *current;
 	enumerator_t *enumerator;
 	id_match_t match, best;
-	
-	if (this->encoding_hash.ptr && subject->get_type(subject) == ID_CERT_DER_SHA1 &&
-		chunk_equals(this->encoding_hash, subject->get_encoding(subject)))
+
+	if (this->encoding_hash.ptr && subject->get_type(subject) == ID_KEY_ID)
 	{
-		return ID_MATCH_PERFECT;
+		if (chunk_equals(this->encoding_hash, subject->get_encoding(subject)))
+		{
+			return ID_MATCH_PERFECT;
+		}
 	}
-	
+
 	best = this->subject->matches(this->subject, subject);
 	enumerator = this->subjectAltNames->create_enumerator(this->subjectAltNames);
 	while (enumerator->enumerate(enumerator, &current))
@@ -861,15 +1092,15 @@ static id_match_t has_subject(private_x509_cert_t *this, identification_t *subje
 		match = current->matches(current, subject);
 		if (match > best)
 		{
-			best = match;	
+			best = match;
 		}
 	}
 	enumerator->destroy(enumerator);
-	return best;	
+	return best;
 }
 
 /**
- * Implementation of certificate_t.has_subject.
+ * Implementation of certificate_t.has_issuer.
  */
 static id_match_t has_issuer(private_x509_cert_t *this, identification_t *issuer)
 {
@@ -878,7 +1109,7 @@ static id_match_t has_issuer(private_x509_cert_t *this, identification_t *issuer
 }
 
 /**
- * Implementation of certificate_t.issued_by
+ * Implementation of certificate_t.issued_by.
  */
 static bool issued_by(private_x509_cert_t *this, certificate_t *issuer)
 {
@@ -886,7 +1117,7 @@ static bool issued_by(private_x509_cert_t *this, certificate_t *issuer)
 	signature_scheme_t scheme;
 	bool valid;
 	x509_t *x509 = (x509_t*)issuer;
-	
+
 	if (&this->public.interface.interface == issuer)
 	{
 		if (this->flags & X509_SELF_SIGNED)
@@ -910,17 +1141,18 @@ static bool issued_by(private_x509_cert_t *this, certificate_t *issuer)
 		return FALSE;
 	}
 
-	/* get the public key of the issuer */
-	key = issuer->get_public_key(issuer);
-
 	/* determine signature scheme */
 	scheme = signature_scheme_from_oid(this->algorithm);
-
-	if (scheme == SIGN_UNKNOWN || key == NULL)
+	if (scheme == SIGN_UNKNOWN)
+	{
+		return FALSE;
+	}
+	/* get the public key of the issuer */
+	key = issuer->get_public_key(issuer);
+	if (!key)
 	{
 		return FALSE;
 	}
-	/* TODO: add a lightweight check option (comparing auth/subject keyids only) */
 	valid = key->verify(key, scheme, this->tbsCertificate, this->signature);
 	key->destroy(key);
 	return valid;
@@ -936,7 +1168,7 @@ static public_key_t* get_public_key(private_x509_cert_t *this)
 }
 
 /**
- * Implementation of certificate_t.asdf
+ * Implementation of certificate_t.get_ref
  */
 static private_x509_cert_t* get_ref(private_x509_cert_t *this)
 {
@@ -958,16 +1190,8 @@ static x509_flag_t get_flags(private_x509_cert_t *this)
 static bool get_validity(private_x509_cert_t *this, time_t *when,
 						 time_t *not_before, time_t *not_after)
 {
-	time_t t;
-	
-	if (when)
-	{
-		t = *when;
-	}
-	else
-	{
-		t = time(NULL);
-	}
+	time_t t = when ? *when : time(NULL);
+
 	if (not_before)
 	{
 		*not_before = this->notBefore;
@@ -986,7 +1210,7 @@ static bool is_newer(certificate_t *this, certificate_t *that)
 {
 	time_t this_update, that_update, now = time(NULL);
 	bool new;
-	
+
 	this->get_validity(this, &now, &this_update, NULL);
 	that->get_validity(that, &now, &that_update, NULL);
 	new = this_update > that_update;
@@ -995,7 +1219,7 @@ static bool is_newer(certificate_t *this, certificate_t *that)
 				&that_update, FALSE, new ? "replaced":"retained");
 	return new;
 }
-	
+
 /**
  * Implementation of certificate_t.get_encoding.
  */
@@ -1011,7 +1235,7 @@ static bool equals(private_x509_cert_t *this, certificate_t *other)
 {
 	chunk_t encoding;
 	bool equal;
-	
+
 	if (this == (private_x509_cert_t*)other)
 	{
 		return TRUE;
@@ -1022,7 +1246,7 @@ static bool equals(private_x509_cert_t *this, certificate_t *other)
 	}
 	if (other->equals == (void*)equals)
 	{	/* skip allocation if we have the same implementation */
-		return chunk_equals(this->encoding, ((private_x509_cert_t*)other)->encoding); 
+		return chunk_equals(this->encoding, ((private_x509_cert_t*)other)->encoding);
 	}
 	encoding = other->get_encoding(other);
 	equal = chunk_equals(this->encoding, encoding);
@@ -1038,14 +1262,47 @@ static chunk_t get_serial(private_x509_cert_t *this)
 	return this->serialNumber;
 }
 
+/**
+ * Implementation of x509_t.get_subjectKeyIdentifier.
+ */
+static chunk_t get_subjectKeyIdentifier(private_x509_cert_t *this)
+{
+	if (this->subjectKeyIdentifier.ptr)
+	{
+		return this->subjectKeyIdentifier;
+	}
+	else
+	{
+		chunk_t fingerprint;
+
+		if (this->public_key->get_fingerprint(this->public_key,
+					 				KEY_ID_PUBKEY_SHA1, &fingerprint))
+		{
+			return fingerprint;
+		}
+		else
+		{
+			return chunk_empty;
+		}
+	}
+}
+
 /**
  * Implementation of x509_t.get_authKeyIdentifier.
  */
-static identification_t *get_authKeyIdentifier(private_x509_cert_t *this)
+static chunk_t get_authKeyIdentifier(private_x509_cert_t *this)
 {
 	return this->authKeyIdentifier;
 }
 
+/**
+ * Implementation of x509_t.get_pathLenConstraint.
+ */
+static int get_pathLenConstraint(private_x509_cert_t *this)
+{
+	return this->pathLenConstraint;
+}
+
 /**
  * Implementation of x509_cert_t.create_subjectAltName_enumerator.
  */
@@ -1071,7 +1328,15 @@ static enumerator_t* create_crl_uri_enumerator(private_x509_cert_t *this)
 }
 
 /**
- * Implementation of certificate_t.asdf
+ * Implementation of x509_cert_t.create_ipAddrBlock_enumerator.
+ */
+static enumerator_t* create_ipAddrBlock_enumerator(private_x509_cert_t *this)
+{
+	return this->ipAddrBlocks->create_enumerator(this->ipAddrBlocks);
+}
+
+/**
+ * Implementation of certificate_t.destroy.
  */
 static void destroy(private_x509_cert_t *this)
 {
@@ -1081,10 +1346,11 @@ static void destroy(private_x509_cert_t *this)
 									offsetof(identification_t, destroy));
 		this->crl_uris->destroy_function(this->crl_uris, free);
 		this->ocsp_uris->destroy_function(this->ocsp_uris, free);
+		this->ipAddrBlocks->destroy_offset(this->ipAddrBlocks, offsetof(traffic_selector_t, destroy));
 		DESTROY_IF(this->issuer);
 		DESTROY_IF(this->subject);
 		DESTROY_IF(this->public_key);
-		DESTROY_IF(this->authKeyIdentifier);
+		chunk_free(&this->authKeyIdentifier);
 		chunk_free(&this->encoding);
 		chunk_free(&this->encoding_hash);
 		if (!this->parsed)
@@ -1103,7 +1369,7 @@ static void destroy(private_x509_cert_t *this)
 static private_x509_cert_t* create_empty(void)
 {
 	private_x509_cert_t *this = malloc_thing(private_x509_cert_t);
-	
+
 	this->public.interface.interface.get_type = (certificate_type_t (*) (certificate_t*))get_type;
 	this->public.interface.interface.get_subject = (identification_t* (*) (certificate_t*))get_subject;
 	this->public.interface.interface.get_issuer = (identification_t* (*) (certificate_t*))get_issuer;
@@ -1119,16 +1385,19 @@ static private_x509_cert_t* create_empty(void)
 	this->public.interface.interface.destroy = (void (*)(certificate_t*))destroy;
 	this->public.interface.get_flags = (x509_flag_t (*)(x509_t*))get_flags;
 	this->public.interface.get_serial = (chunk_t (*)(x509_t*))get_serial;
-	this->public.interface.get_authKeyIdentifier = (identification_t* (*)(x509_t*))get_authKeyIdentifier;
+	this->public.interface.get_subjectKeyIdentifier = (chunk_t (*)(x509_t*))get_subjectKeyIdentifier;
+	this->public.interface.get_authKeyIdentifier = (chunk_t (*)(x509_t*))get_authKeyIdentifier;
+	this->public.interface.get_pathLenConstraint = (int (*)(x509_t*))get_pathLenConstraint;
 	this->public.interface.create_subjectAltName_enumerator = (enumerator_t* (*)(x509_t*))create_subjectAltName_enumerator;
 	this->public.interface.create_crl_uri_enumerator = (enumerator_t* (*)(x509_t*))create_crl_uri_enumerator;
 	this->public.interface.create_ocsp_uri_enumerator = (enumerator_t* (*)(x509_t*))create_ocsp_uri_enumerator;
-	
+	this->public.interface.create_ipAddrBlock_enumerator = (enumerator_t* (*)(x509_t*))create_ipAddrBlock_enumerator;
+
 	this->encoding = chunk_empty;
 	this->encoding_hash = chunk_empty;
 	this->tbsCertificate = chunk_empty;
-	this->version = 3;
-	this->serialNumber = chunk_empty;	
+	this->version = 1;
+	this->serialNumber = chunk_empty;
 	this->notBefore = 0;
 	this->notAfter = 0;
 	this->public_key = NULL;
@@ -1137,111 +1406,96 @@ static private_x509_cert_t* create_empty(void)
 	this->subjectAltNames = linked_list_create();
 	this->crl_uris = linked_list_create();
 	this->ocsp_uris = linked_list_create();
-	this->subjectKeyID = chunk_empty;
-	this->authKeyIdentifier = NULL;
+	this->ipAddrBlocks = linked_list_create();
+	this->subjectKeyIdentifier = chunk_empty;
+	this->authKeyIdentifier = chunk_empty;
 	this->authKeySerialNumber = chunk_empty;
+	this->pathLenConstraint = X509_NO_PATH_LEN_CONSTRAINT;
 	this->algorithm = 0;
 	this->signature = chunk_empty;
 	this->flags = 0;
 	this->ref = 1;
 	this->parsed = FALSE;
-	
-	return this;
-}
 
-/**
- * create an X.509 certificate from a chunk
- */
-static private_x509_cert_t *create_from_chunk(chunk_t chunk)
-{
-	hasher_t *hasher;
-	private_x509_cert_t *this = create_empty();
-	
-	this->encoding = chunk;
-	this->parsed = TRUE;
-	if (!parse_certificate(this))
-	{
-		destroy(this);
-		return NULL;
-	}
-	
-	/* check if the certificate is self-signed */
-	if (issued_by(this, &this->public.interface.interface))
-	{
-		this->flags |= X509_SELF_SIGNED;
-	}
-	
-	hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
-	if (hasher == NULL)
-	{
-		DBG1("  unable to create hash of certificate, SHA1 not supported");	
-		destroy(this);
-		return NULL;	
-	}
-	hasher->allocate_hash(hasher, this->encoding, &this->encoding_hash);
-	hasher->destroy(hasher);
-	
 	return this;
 }
 
 /**
- * create an X.509 certificate from a file
+ * Encode a linked list of subjectAltNames
  */
-static private_x509_cert_t *create_from_file(char *path)
+chunk_t x509_build_subjectAltNames(linked_list_t *list)
 {
-	bool pgp = FALSE;
-	chunk_t chunk;
-	private_x509_cert_t *this;
-	
-	if (!pem_asn1_load_file(path, NULL, &chunk, &pgp))
+	chunk_t subjectAltNames = chunk_empty;
+	enumerator_t *enumerator;
+	identification_t *id;
+
+	if (list->get_count(list) == 0)
 	{
-		return NULL;
+		return chunk_empty;
 	}
 
-	this = create_from_chunk(chunk);
-
-	if (this == NULL)
+	enumerator = list->create_enumerator(list);
+	while (enumerator->enumerate(enumerator, &id))
 	{
-		DBG1("  could not parse loaded certificate file '%s'",path);
-		return NULL;
+		int context;
+		chunk_t name;
+
+		switch (id->get_type(id))
+		{
+			case ID_RFC822_ADDR:
+				context = ASN1_CONTEXT_S_1;
+				break;
+			case ID_FQDN:
+				context = ASN1_CONTEXT_S_2;
+				break;
+			case ID_IPV4_ADDR:
+			case ID_IPV6_ADDR:
+				context = ASN1_CONTEXT_S_7;
+				break;
+			default:
+				DBG1("encoding %N as subjectAltName not supported",
+					 id_type_names, id->get_type(id));
+				enumerator->destroy(enumerator);
+				free(subjectAltNames.ptr);
+				return chunk_empty;
+		}
+		name = asn1_wrap(context, "c", id->get_encoding(id));
+		subjectAltNames = chunk_cat("mm", subjectAltNames, name);
 	}
-	DBG1("  loaded certificate file '%s'",  path);
-	return this;
-}
+	enumerator->destroy(enumerator);
 
-typedef struct private_builder_t private_builder_t;
-/**
- * Builder implementation for certificate loading
- */
-struct private_builder_t {
-	/** implements the builder interface */
-	builder_t public;
-	/** loaded certificate */
-	private_x509_cert_t *cert;
-	/** additional flags to enforce */
-	x509_flag_t flags;
-	/** certificate to sign, if we generate a new cert */
-	certificate_t *sign_cert;
-	/** private key to sign, if we generate a new cert */
-	private_key_t *sign_key;
-};
+	return asn1_wrap(ASN1_SEQUENCE, "mm",
+						asn1_build_known_oid(OID_SUBJECT_ALT_NAME),
+						asn1_wrap(ASN1_OCTET_STRING, "m",
+							asn1_wrap(ASN1_SEQUENCE, "m", subjectAltNames)
+						)
+					 );
+}
 
 /**
  * Generate and sign a new certificate
  */
-static bool generate(private_builder_t *this)
+static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
+					 private_key_t *sign_key, int digest_alg)
 {
-	chunk_t extensions = chunk_empty;
+	chunk_t extensions = chunk_empty, extendedKeyUsage = chunk_empty;
+	chunk_t serverAuth = chunk_empty, clientAuth = chunk_empty;
+	chunk_t ocspSigning = chunk_empty;
+	chunk_t basicConstraints = chunk_empty, subjectAltNames = chunk_empty;
+	chunk_t subjectKeyIdentifier = chunk_empty, authKeyIdentifier = chunk_empty;
+	chunk_t crlDistributionPoints = chunk_empty, authorityInfoAccess = chunk_empty;
 	identification_t *issuer, *subject;
-	chunk_t key_info, key;
+	chunk_t key_info;
 	signature_scheme_t scheme;
 	hasher_t *hasher;
-	
-	subject = this->cert->subject;
-	if (this->sign_cert)
+	enumerator_t *enumerator;
+	char *uri;
+
+	subject = cert->subject;
+	if (sign_cert)
 	{
-		issuer = this->sign_cert->get_subject(this->sign_cert);
-		if (!this->cert->public_key)
+		issuer = sign_cert->get_subject(sign_cert);
+		if (!cert->public_key)
 		{
 			return FALSE;
 		}
@@ -1249,216 +1503,355 @@ static bool generate(private_builder_t *this)
 	else
 	{	/* self signed */
 		issuer = subject;
-		if (!this->cert->public_key)
+		if (!cert->public_key)
 		{
-			this->cert->public_key = this->sign_key->get_public_key(this->sign_key);
+			cert->public_key = sign_key->get_public_key(sign_key);
 		}
-		this->flags |= X509_SELF_SIGNED;
+		cert->flags |= X509_SELF_SIGNED;
 	}
-	this->cert->issuer = issuer->clone(issuer);
-	if (!this->cert->notBefore)
+	cert->issuer = issuer->clone(issuer);
+	if (!cert->notBefore)
 	{
-		this->cert->notBefore = time(NULL);
+		cert->notBefore = time(NULL);
 	}
-	if (!this->cert->notAfter)
-	{	/* defaults to 1 years from now on */
-		this->cert->notAfter = this->cert->notBefore + 60 * 60 * 24 * 365;
+	if (!cert->notAfter)
+	{	/* defaults to 1 year from now */
+		cert->notAfter = cert->notBefore + 60 * 60 * 24 * 365;
 	}
-	this->cert->flags = this->flags;
-	
-	switch (this->sign_key->get_type(this->sign_key))
+
+	/* select signature scheme */
+	cert->algorithm = hasher_signature_algorithm_to_oid(digest_alg,
+								sign_key->get_type(sign_key));
+	if (cert->algorithm == OID_UNKNOWN)
 	{
-		case KEY_RSA:
-			this->cert->algorithm = OID_SHA1_WITH_RSA;
-			scheme = SIGN_RSA_EMSA_PKCS1_SHA1;
-			break;
-		default:
-			return FALSE;
+		return FALSE;
 	}
-	
-	switch (this->cert->public_key->get_type(this->cert->public_key))
+	scheme = signature_scheme_from_oid(cert->algorithm);
+
+	if (!cert->public_key->get_encoding(cert->public_key,
+										KEY_PUB_SPKI_ASN1_DER, &key_info))
 	{
-		case KEY_RSA:
-			key = this->cert->public_key->get_encoding(this->cert->public_key);
-			key_info = asn1_wrap(ASN1_SEQUENCE, "cm",
-							asn1_algorithmIdentifier(OID_RSA_ENCRYPTION), 
-							asn1_bitstring("m", key));	
-			break;
-		default:
-			return FALSE;
+		return FALSE;
+	}
+
+	/* encode subjectAltNames */
+	subjectAltNames = x509_build_subjectAltNames(cert->subjectAltNames);
+
+	/* encode CRL distribution points extension */
+	enumerator = cert->crl_uris->create_enumerator(cert->crl_uris);
+	while (enumerator->enumerate(enumerator, &uri))
+	{
+		chunk_t distributionPoint;
+
+		distributionPoint = asn1_wrap(ASN1_SEQUENCE, "m",
+								asn1_wrap(ASN1_CONTEXT_C_0, "m",
+									asn1_wrap(ASN1_CONTEXT_C_0, "m",
+										asn1_wrap(ASN1_CONTEXT_S_6, "c",
+											chunk_create(uri, strlen(uri))))));
+
+		crlDistributionPoints = chunk_cat("mm", crlDistributionPoints,
+										  distributionPoint);
+	}
+	enumerator->destroy(enumerator);
+	if (crlDistributionPoints.ptr)
+	{
+		crlDistributionPoints = asn1_wrap(ASN1_SEQUENCE, "mm",
+					asn1_build_known_oid(OID_CRL_DISTRIBUTION_POINTS),
+					asn1_wrap(ASN1_OCTET_STRING, "m",
+						asn1_wrap(ASN1_SEQUENCE, "m", crlDistributionPoints)));
+	}
+
+	/* encode OCSP URIs in authorityInfoAccess extension */
+	enumerator = cert->ocsp_uris->create_enumerator(cert->ocsp_uris);
+	while (enumerator->enumerate(enumerator, &uri))
+	{
+		chunk_t accessDescription;
+
+		accessDescription = asn1_wrap(ASN1_SEQUENCE, "mm",
+								asn1_build_known_oid(OID_OCSP),
+								asn1_wrap(ASN1_CONTEXT_S_6, "c",
+										  chunk_create(uri, strlen(uri))));
+		authorityInfoAccess = chunk_cat("mm", authorityInfoAccess,
+										accessDescription);
+	}
+	enumerator->destroy(enumerator);
+	if (authorityInfoAccess.ptr)
+	{
+		authorityInfoAccess = asn1_wrap(ASN1_SEQUENCE, "mm",
+					asn1_build_known_oid(OID_AUTHORITY_INFO_ACCESS),
+					asn1_wrap(ASN1_OCTET_STRING, "m",
+						asn1_wrap(ASN1_SEQUENCE, "m", authorityInfoAccess)));
+	}
+
+	/* build CA basicConstraint for CA certificates */
+	if (cert->flags & X509_CA)
+	{
+		chunk_t pathLenConstraint = chunk_empty;
+
+		if (cert->pathLenConstraint != X509_NO_PATH_LEN_CONSTRAINT)
+		{
+			char pathlen = (char)cert->pathLenConstraint;
+
+			pathLenConstraint = asn1_integer("c", chunk_from_thing(pathlen));
+		}
+		basicConstraints = asn1_wrap(ASN1_SEQUENCE, "mmm",
+								asn1_build_known_oid(OID_BASIC_CONSTRAINTS),
+								asn1_wrap(ASN1_BOOLEAN, "c",
+									chunk_from_chars(0xFF)),
+								asn1_wrap(ASN1_OCTET_STRING, "m",
+										asn1_wrap(ASN1_SEQUENCE, "mm",
+											asn1_wrap(ASN1_BOOLEAN, "c",
+												chunk_from_chars(0xFF)),
+											pathLenConstraint)));
+	}
+
+	/* add serverAuth extendedKeyUsage flag */
+	if (cert->flags & X509_SERVER_AUTH)
+	{
+		serverAuth = asn1_build_known_oid(OID_SERVER_AUTH);
+	}
+	if (cert->flags & X509_CLIENT_AUTH)
+	{
+		clientAuth = asn1_build_known_oid(OID_CLIENT_AUTH);
+	}
+
+	/* add ocspSigning extendedKeyUsage flag */
+	if (cert->flags & X509_OCSP_SIGNER)
+	{
+		ocspSigning = asn1_build_known_oid(OID_OCSP_SIGNING);
+	}
+
+	if (serverAuth.ptr || clientAuth.ptr || ocspSigning.ptr)
+	{
+		extendedKeyUsage = asn1_wrap(ASN1_SEQUENCE, "mm",
+								asn1_build_known_oid(OID_EXTENDED_KEY_USAGE),
+								asn1_wrap(ASN1_OCTET_STRING, "m",
+									asn1_wrap(ASN1_SEQUENCE, "mmm",
+										serverAuth, clientAuth, ocspSigning)));
+	}
+
+	/* add subjectKeyIdentifier to CA and OCSP signer certificates */
+	if (cert->flags & (X509_CA | X509_OCSP_SIGNER))
+	{
+		chunk_t keyid;
+
+		if (cert->public_key->get_fingerprint(cert->public_key,
+											  KEY_ID_PUBKEY_SHA1, &keyid))
+		{
+			subjectKeyIdentifier = asn1_wrap(ASN1_SEQUENCE, "mm",
+									asn1_build_known_oid(OID_SUBJECT_KEY_ID),
+									asn1_wrap(ASN1_OCTET_STRING, "m",
+										asn1_wrap(ASN1_OCTET_STRING, "c", keyid)));
+		}
+	}
+
+	/* add the keyid authKeyIdentifier for non self-signed certificates */
+	if (sign_key)
+	{
+		chunk_t keyid;
+
+		if (sign_key->get_fingerprint(sign_key, KEY_ID_PUBKEY_SHA1, &keyid))
+		{
+			authKeyIdentifier = asn1_wrap(ASN1_SEQUENCE, "mm",
+							asn1_build_known_oid(OID_AUTHORITY_KEY_ID),
+							asn1_wrap(ASN1_OCTET_STRING, "m",
+								asn1_wrap(ASN1_SEQUENCE, "m",
+									asn1_wrap(ASN1_CONTEXT_S_0, "c", keyid))));
+		}
 	}
-	
-	if (this->cert->subjectAltNames->get_count(this->cert->subjectAltNames))
+	if (basicConstraints.ptr || subjectAltNames.ptr || authKeyIdentifier.ptr ||
+		crlDistributionPoints.ptr)
 	{
-		/* TODO: encode subjectAltNames */
+		extensions = asn1_wrap(ASN1_CONTEXT_C_3, "m",
+						asn1_wrap(ASN1_SEQUENCE, "mmmmmmm",
+							basicConstraints, subjectKeyIdentifier,
+							authKeyIdentifier, subjectAltNames,
+							extendedKeyUsage, crlDistributionPoints,
+							authorityInfoAccess));
 	}
-	
-	this->cert->tbsCertificate = asn1_wrap(ASN1_SEQUENCE, "mmccmcmm", 
+
+	cert->tbsCertificate = asn1_wrap(ASN1_SEQUENCE, "mmmcmcmm",
 		asn1_simple_object(ASN1_CONTEXT_C_0, ASN1_INTEGER_2),
-		asn1_integer("c", this->cert->serialNumber),
-		asn1_algorithmIdentifier(this->cert->algorithm),
+		asn1_integer("c", cert->serialNumber),
+		asn1_algorithmIdentifier(cert->algorithm),
 		issuer->get_encoding(issuer),
 		asn1_wrap(ASN1_SEQUENCE, "mm",
-			asn1_from_time(&this->cert->notBefore, ASN1_UTCTIME),
-			asn1_from_time(&this->cert->notAfter, ASN1_UTCTIME)),
+			asn1_from_time(&cert->notBefore, ASN1_UTCTIME),
+			asn1_from_time(&cert->notAfter, ASN1_UTCTIME)),
 		subject->get_encoding(subject),
 		key_info, extensions);
-	
-	if (!this->sign_key->sign(this->sign_key, scheme, 
-							this->cert->tbsCertificate, &this->cert->signature))
+
+	if (!sign_key->sign(sign_key, scheme, cert->tbsCertificate, &cert->signature))
 	{
 		return FALSE;
 	}
-	this->cert->encoding = asn1_wrap(ASN1_SEQUENCE, "ccm",
-								this->cert->tbsCertificate,
-								asn1_algorithmIdentifier(this->cert->algorithm),
-								asn1_bitstring("c", this->cert->signature));
-	
+	cert->encoding = asn1_wrap(ASN1_SEQUENCE, "cmm", cert->tbsCertificate,
+							   asn1_algorithmIdentifier(cert->algorithm),
+							   asn1_bitstring("c", cert->signature));
+
 	hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
 	if (!hasher)
 	{
 		return FALSE;
 	}
-	hasher->allocate_hash(hasher, this->cert->encoding,
-						  &this->cert->encoding_hash);
+	hasher->allocate_hash(hasher, cert->encoding, &cert->encoding_hash);
 	hasher->destroy(hasher);
 	return TRUE;
 }
 
 /**
- * Implementation of builder_t.build
+ * See header.
  */
-static private_x509_cert_t *build(private_builder_t *this)
+x509_cert_t *x509_cert_load(certificate_type_t type, va_list args)
 {
-	private_x509_cert_t *cert;
-	
-	if (this->cert)
+	x509_flag_t flags = 0;
+	chunk_t blob = chunk_empty;
+
+	while (TRUE)
 	{
-		this->cert->flags |= this->flags;
-		if (!this->cert->encoding.ptr)
-		{	/* generate a new certificate */
-			if (!this->sign_key || !generate(this))
-			{
-				destroy(this->cert);
-				free(this);
+		switch (va_arg(args, builder_part_t))
+		{
+			case BUILD_BLOB_ASN1_DER:
+				blob = va_arg(args, chunk_t);
+				continue;
+			case BUILD_X509_FLAG:
+				flags |= va_arg(args, x509_flag_t);
+				continue;
+			case BUILD_END:
+				break;
+			default:
 				return NULL;
-			}
 		}
+		break;
+	}
+
+	if (blob.ptr)
+	{
+		private_x509_cert_t *cert = create_empty();
+
+		cert->encoding = chunk_clone(blob);
+		cert->parsed = TRUE;
+		if (parse_certificate(cert))
+		{
+			cert->flags |= flags;
+			return &cert->public;
+		}
+		destroy(cert);
 	}
-	cert = this->cert;
-	free(this);
-	return cert;
+	return NULL;
 }
 
 /**
- * Implementation of builder_t.add
+ * See header.
  */
-static void add(private_builder_t *this, builder_part_t part, ...)
+x509_cert_t *x509_cert_gen(certificate_type_t type, va_list args)
 {
-	va_list args;
-	chunk_t chunk;
-	bool handled = TRUE;
-	
-	va_start(args, part);
-	switch (part)
+	private_x509_cert_t *cert;
+	certificate_t *sign_cert = NULL;
+	private_key_t *sign_key = NULL;
+	hash_algorithm_t digest_alg = HASH_SHA1;
+
+	cert = create_empty();
+	while (TRUE)
 	{
-		case BUILD_FROM_FILE:
-			this->cert = create_from_file(va_arg(args, char*));
-			break;
-		case BUILD_BLOB_ASN1_DER:
-			chunk = va_arg(args, chunk_t);
-			this->cert = create_from_chunk(chunk_clone(chunk));
-			break;
-		case BUILD_X509_FLAG:
-			this->flags = va_arg(args, x509_flag_t);
-			break;
-		case BUILD_SIGNING_KEY:
-			this->sign_key = va_arg(args, private_key_t*);
-			break;
-		case BUILD_SIGNING_CERT:
-			this->sign_cert = va_arg(args, certificate_t*);
-			break;
-		default:
-			/* all other parts need an empty cert */
-			if (!this->cert)
+		switch (va_arg(args, builder_part_t))
+		{
+			case BUILD_X509_FLAG:
+				cert->flags |= va_arg(args, x509_flag_t);
+				continue;
+			case BUILD_SIGNING_KEY:
+				sign_key = va_arg(args, private_key_t*);
+				continue;
+			case BUILD_SIGNING_CERT:
+				sign_cert = va_arg(args, certificate_t*);
+				continue;
+			case BUILD_PUBLIC_KEY:
+				cert->public_key = va_arg(args, public_key_t*);
+				cert->public_key->get_ref(cert->public_key);
+				continue;
+			case BUILD_SUBJECT:
+				cert->subject = va_arg(args, identification_t*);
+				cert->subject = cert->subject->clone(cert->subject);
+				continue;
+			case BUILD_SUBJECT_ALTNAMES:
 			{
-				this->cert = create_empty();
+				enumerator_t *enumerator;
+				identification_t *id;
+				linked_list_t *list;
+
+				list = va_arg(args, linked_list_t*);
+				enumerator = list->create_enumerator(list);
+				while (enumerator->enumerate(enumerator, &id))
+				{
+					cert->subjectAltNames->insert_last(cert->subjectAltNames,
+													id->clone(id));
+				}
+				enumerator->destroy(enumerator);
+				continue;
 			}
-			handled = FALSE;
-			break;
-	}
-	if (handled)
-	{
-		va_end(args);
-		return;
-	}
-	
-	switch (part)
-	{
-		case BUILD_PUBLIC_KEY:
-		{
-			public_key_t *key = va_arg(args, public_key_t*);
-			this->cert->public_key = key->get_ref(key);
-			break;
-		}
-		case BUILD_SUBJECT:
-		{
-			identification_t *id = va_arg(args, identification_t*);
-			this->cert->subject = id->clone(id);
-			break;
-		}
-		case BUILD_SUBJECT_ALTNAME:
-		{
-			identification_t *id = va_arg(args, identification_t*);
-			this->cert->subjectAltNames->insert_last(
-									this->cert->subjectAltNames, id->clone(id));
-			break;
-		}
-		case BUILD_NOT_BEFORE_TIME:
-			this->cert->notBefore = va_arg(args, time_t);
-			break;
-		case BUILD_NOT_AFTER_TIME:
-			this->cert->notAfter = va_arg(args, time_t);
-			break;
-		case BUILD_SERIAL:
-		{
-			chunk_t serial = va_arg(args, chunk_t);
-			this->cert->serialNumber = chunk_clone(serial);
-			break;
-		}
-		default:
-			/* abort if unsupported option */
-			if (this->cert)
+			case BUILD_CRL_DISTRIBUTION_POINTS:
 			{
-				destroy(this->cert);
+				enumerator_t *enumerator;
+				linked_list_t *list;
+				char *uri;
+
+				list = va_arg(args, linked_list_t*);
+				enumerator = list->create_enumerator(list);
+				while (enumerator->enumerate(enumerator, &uri))
+				{
+					cert->crl_uris->insert_last(cert->crl_uris, strdup(uri));
+				}
+				enumerator->destroy(enumerator);
+				continue;
 			}
-			builder_cancel(&this->public);
-			break;
+			case BUILD_OCSP_ACCESS_LOCATIONS:
+			{
+				enumerator_t *enumerator;
+				linked_list_t *list;
+				char *uri;
+
+				list = va_arg(args, linked_list_t*);
+				enumerator = list->create_enumerator(list);
+				while (enumerator->enumerate(enumerator, &uri))
+				{
+					cert->ocsp_uris->insert_last(cert->ocsp_uris, strdup(uri));
+				}
+				enumerator->destroy(enumerator);
+				continue;
+			}
+			case BUILD_PATHLEN:
+				cert->pathLenConstraint = va_arg(args, int);
+				if (cert->pathLenConstraint < 0 || cert->pathLenConstraint > 127)
+				{
+					cert->pathLenConstraint = X509_NO_PATH_LEN_CONSTRAINT;
+				}
+				continue;
+			case BUILD_NOT_BEFORE_TIME:
+				cert->notBefore = va_arg(args, time_t);
+				continue;
+			case BUILD_NOT_AFTER_TIME:
+				cert->notAfter = va_arg(args, time_t);
+				continue;
+			case BUILD_SERIAL:
+				cert->serialNumber = chunk_clone(va_arg(args, chunk_t));
+				continue;
+			case BUILD_DIGEST_ALG:
+				digest_alg = va_arg(args, int);
+				continue;
+			case BUILD_END:
+				break;
+			default:
+				destroy(cert);
+				return NULL;
+		}
+		break;
 	}
-	va_end(args);
-}
 
-/**
- * Builder construction function
- */
-builder_t *x509_cert_builder(certificate_type_t type)
-{
-	private_builder_t *this;
-	
-	if (type != CERT_X509)
+	if (sign_key && generate(cert, sign_cert, sign_key, digest_alg))
 	{
-		return NULL;
+		return &cert->public;
 	}
-	
-	this = malloc_thing(private_builder_t);
-	
-	this->cert = NULL;
-	this->flags = 0;
-	this->sign_cert = NULL;
-	this->sign_key = NULL;
-	this->public.add = (void(*)(builder_t *this, builder_part_t part, ...))add;
-	this->public.build = (void*(*)(builder_t *this))build;
-	
-	return &this->public;
+	destroy(cert);
+	return NULL;
 }
 
diff --git a/src/libstrongswan/plugins/x509/x509_cert.h b/src/libstrongswan/plugins/x509/x509_cert.h
index 5ebe1567d..772117f1c 100644
--- a/src/libstrongswan/plugins/x509/x509_cert.h
+++ b/src/libstrongswan/plugins/x509/x509_cert.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008 Martin Willi
+ * Copyright (C) 2008-2009 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -23,6 +23,7 @@
 
 typedef struct x509_cert_t x509_cert_t;
 
+#include <credentials/builder.h>
 #include <credentials/certificates/x509.h>
 
 /**
@@ -37,11 +38,29 @@ struct x509_cert_t {
 };
 
 /**
- * Create the building facility for x509 certificates
+ * Load a X.509 certificate.
+ *
+ * This function takes a BUILD_BLOB_ASN1_DER.
+ *
+ * @param type		certificate type, CERT_X509 only
+ * @param args		builder_part_t argument list
+ * @return			X.509 certificate, NULL on failure
+ */
+x509_cert_t *x509_cert_load(certificate_type_t type, va_list args);
+
+/**
+ * Generate a X.509 certificate.
+ *
+ * To issue a self-signed certificate, the function takes:
+ * BUILD_SUBJECT, BUILD_SUBJECT_ALTNAMES, BUILD_SIGNING_KEY, BUILD_X509_FLAG,
+ * BUILD_NOT_BEFORE_TIME, BUILD_NOT_AFTER_TIME, BUILD_SERIAL, BUILD_DIGEST_ALG.
+ * To issue certificates from a CA, additionally pass:
+ * BUILD_SIGNING_CERT and BUILD_PUBLIC_KEY.
  *
  * @param type		certificate type, CERT_X509 only
- * @return			builder instance to build certificate
+ * @param args		builder_part_t argument list
+ * @return			X.509 certificate, NULL on failure
  */
-builder_t *x509_cert_builder(certificate_type_t type);
+x509_cert_t *x509_cert_gen(certificate_type_t type, va_list args);
 
 #endif /** X509_CERT_H_ @}*/
diff --git a/src/libstrongswan/plugins/x509/x509_crl.c b/src/libstrongswan/plugins/x509/x509_crl.c
index f502668cb..b9ef3218b 100644
--- a/src/libstrongswan/plugins/x509/x509_crl.c
+++ b/src/libstrongswan/plugins/x509/x509_crl.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008 Martin Willi
+ * Copyright (C) 2008-2009 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -25,7 +25,6 @@ typedef struct revoked_t revoked_t;
 #include <asn1/oid.h>
 #include <asn1/asn1.h>
 #include <asn1/asn1_parser.h>
-#include <asn1/pem.h>
 #include <credentials/certificates/x509.h>
 #include <utils/linked_list.h>
 
@@ -37,12 +36,12 @@ struct revoked_t {
 	 * serial of the revoked certificate
 	 */
 	chunk_t serial;
-	
+
 	/**
 	 * date of revocation
 	 */
 	time_t date;
-	
+
 	/**
 	 * reason for revocation
 	 */
@@ -58,7 +57,7 @@ struct private_x509_crl_t {
 	 * public functions
 	 */
 	x509_crl_t public;
-	
+
 	/**
 	 * X.509 crl encoding in ASN.1 DER format
 	 */
@@ -73,12 +72,12 @@ struct private_x509_crl_t {
 	 * Version of the X.509 crl
 	 */
 	u_int version;
-	
+
 	/**
 	 * ID representing the crl issuer
 	 */
 	identification_t *issuer;
-	
+
 	/**
 	 * CRL number
 	 */
@@ -98,27 +97,27 @@ struct private_x509_crl_t {
 	 * list of revoked certificates as revoked_t
 	 */
 	linked_list_t *revoked;
-	
+
 	/**
 	 * Authority Key Identifier
 	 */
-	identification_t *authKeyIdentifier;
+	chunk_t authKeyIdentifier;
 
 	/**
 	 * Authority Key Serial Number
 	 */
 	chunk_t authKeySerialNumber;
-	
+
 	/**
 	 * Signature algorithm
 	 */
 	int algorithm;
-	
+
 	/**
 	 * Signature
 	 */
 	chunk_t signature;
-	
+
 	/**
 	 * reference counter
 	 */
@@ -128,8 +127,8 @@ struct private_x509_crl_t {
 /**
  * from x509_cert
  */
-extern identification_t* x509_parse_authorityKeyIdentifier(
-								chunk_t blob, int level0, 
+extern chunk_t x509_parse_authorityKeyIdentifier(
+								chunk_t blob, int level0,
 								chunk_t *authKeySerialNumber);
 
 /**
@@ -141,7 +140,7 @@ static const asn1Object_t crlObjects[] = {
 	{ 2,     "version",					ASN1_INTEGER,      ASN1_OPT |
 														   ASN1_BODY }, /*  2 */
 	{ 2,     "end opt",					ASN1_EOC,          ASN1_END  }, /*  3 */
-	{ 2,     "signature",				ASN1_EOC,          ASN1_RAW  }, /*  4 */	
+	{ 2,     "signature",				ASN1_EOC,          ASN1_RAW  }, /*  4 */
 	{ 2,     "issuer",					ASN1_SEQUENCE,     ASN1_OBJ  }, /*  5 */
 	{ 2,     "thisUpdate",				ASN1_EOC,          ASN1_RAW  }, /*  6 */
 	{ 2,     "nextUpdate",				ASN1_EOC,          ASN1_RAW  }, /*  7 */
@@ -151,7 +150,7 @@ static const asn1Object_t crlObjects[] = {
 	{ 4,         "userCertificate",		ASN1_INTEGER,      ASN1_BODY }, /* 10 */
 	{ 4,         "revocationDate",		ASN1_EOC,          ASN1_RAW  }, /* 11 */
 	{ 4,         "crlEntryExtensions",  ASN1_SEQUENCE,     ASN1_OPT |
-							   							   ASN1_LOOP }, /* 12 */
+														   ASN1_LOOP }, /* 12 */
 	{ 5,           "extension",			ASN1_SEQUENCE,	   ASN1_NONE }, /* 13 */
 	{ 6,             "extnID",			ASN1_OID,          ASN1_BODY }, /* 14 */
 	{ 6,             "critical",		ASN1_BOOLEAN,      ASN1_DEF |
@@ -239,7 +238,7 @@ static bool parse(private_x509_crl_t *this)
 				revoked = malloc_thing(revoked_t);
 				revoked->serial = userCertificate;
 				revoked->date = asn1_parse_time(object, level);
-				revoked->reason = CRL_UNSPECIFIED;
+				revoked->reason = CRL_REASON_UNSPECIFIED;
 				this->revoked->insert_last(this->revoked, (void *)revoked);
 				break;
 			case CRL_OBJ_CRL_ENTRY_EXTN_ID:
@@ -269,7 +268,7 @@ static bool parse(private_x509_crl_t *this)
 					{
 
 						this->authKeyIdentifier = x509_parse_authorityKeyIdentifier(object,
-									 					level, &this->authKeySerialNumber);
+														level, &this->authKeySerialNumber);
 					}
 					else if (extn_oid == OID_CRL_NUMBER)
 					{
@@ -338,17 +337,18 @@ static chunk_t get_serial(private_x509_crl_t *this)
 /**
  * Implementation of crl_t.get_authKeyIdentifier.
  */
-static identification_t* get_authKeyIdentifier(private_x509_crl_t *this)
+static chunk_t get_authKeyIdentifier(private_x509_crl_t *this)
 {
 	return this->authKeyIdentifier;
 }
+
 /**
  * Implementation of crl_t.create_enumerator.
  */
 static enumerator_t* create_enumerator(private_x509_crl_t *this)
 {
 	return enumerator_create_filter(
-								this->revoked->create_enumerator(this->revoked), 
+								this->revoked->create_enumerator(this->revoked),
 								(void*)filter, NULL, NULL);
 }
 
@@ -373,24 +373,12 @@ static identification_t* get_issuer(private_x509_crl_t *this)
  */
 static id_match_t has_issuer(private_x509_crl_t *this, identification_t *issuer)
 {
-	id_match_t match;
-
-	if (issuer->get_type(issuer) == ID_PUBKEY_SHA1)
-	{
-		if (this->authKeyIdentifier)
-		{
-			match = issuer->matches(issuer, this->authKeyIdentifier);
-		}
-		else
-		{
-			match = ID_MATCH_NONE;
-		}
-	}
-	else
+	if (issuer->get_type(issuer) == ID_KEY_ID && this->authKeyIdentifier.ptr &&
+		chunk_equals(this->authKeyIdentifier, issuer->get_encoding(issuer)))
 	{
-		match = this->issuer->matches(this->issuer, issuer);
+		return ID_MATCH_PERFECT;
 	}
-	return match;
+	return this->issuer->matches(this->issuer, issuer);
 }
 
 /**
@@ -402,7 +390,7 @@ static bool issued_by(private_x509_crl_t *this, certificate_t *issuer)
 	signature_scheme_t scheme;
 	bool valid;
 	x509_t *x509 = (x509_t*)issuer;
-	
+
 	/* check if issuer is an X.509 CA certificate */
 	if (issuer->get_type(issuer) != CERT_X509)
 	{
@@ -417,17 +405,17 @@ static bool issued_by(private_x509_crl_t *this, certificate_t *issuer)
 	key = issuer->get_public_key(issuer);
 
 	/* compare keyIdentifiers if available, otherwise use DNs */
-	if (this->authKeyIdentifier && key)
+	if (this->authKeyIdentifier.ptr && key)
 	{
-		identification_t *subjectKeyIdentifier = key->get_id(key, ID_PUBKEY_SHA1);
+		chunk_t fingerprint;
 
-		if (!subjectKeyIdentifier->equals(subjectKeyIdentifier,
-										  this->authKeyIdentifier))
+		if (!key->get_fingerprint(key, KEY_ID_PUBKEY_SHA1, &fingerprint) ||
+			!chunk_equals(fingerprint, this->authKeyIdentifier))
 		{
 			return FALSE;
 		}
 	}
-	else 
+	else
 	{
 		if (!this->issuer->equals(this->issuer, issuer->get_subject(issuer)))
 		{
@@ -470,16 +458,8 @@ static private_x509_crl_t* get_ref(private_x509_crl_t *this)
 static bool get_validity(private_x509_crl_t *this, time_t *when,
 						 time_t *not_before, time_t *not_after)
 {
-	time_t t;
-	
-	if (when)
-	{
-		t = *when;
-	}
-	else
-	{
-		t = time(NULL);
-	}
+	time_t t = when ? *when : time(NULL);
+
 	if (not_before)
 	{
 		*not_before = this->thisUpdate;
@@ -498,7 +478,7 @@ static bool is_newer(private_x509_crl_t *this, crl_t *that)
 {
 	chunk_t that_crlNumber = that->get_serial(that);
 	bool new;
-	
+
 	/* compare crlNumbers if available - otherwise use thisUpdate */
 	if (this->crlNumber.ptr != NULL && that_crlNumber.ptr != NULL)
 	{
@@ -507,7 +487,7 @@ static bool is_newer(private_x509_crl_t *this, crl_t *that)
 				&this->crlNumber, new ? "newer":"not newer",
 				&that_crlNumber,  new ? "replaced":"retained");
 	}
-	else 
+	else
 	{
 		certificate_t *this_cert = &this->public.crl.certificate;
 		certificate_t *that_cert = &that->certificate;
@@ -523,7 +503,7 @@ static bool is_newer(private_x509_crl_t *this, crl_t *that)
 	}
 	return new;
 }
-	
+
 /**
  * Implementation of certificate_t.get_encoding.
  */
@@ -539,14 +519,14 @@ static bool equals(private_x509_crl_t *this, certificate_t *other)
 {
 	chunk_t encoding;
 	bool equal;
-	
+
 	if ((certificate_t*)this == other)
 	{
 		return TRUE;
 	}
 	if (other->equals == (void*)equals)
 	{	/* skip allocation if we have the same implementation */
-		return chunk_equals(this->encoding, ((private_x509_crl_t*)other)->encoding); 
+		return chunk_equals(this->encoding, ((private_x509_crl_t*)other)->encoding);
 	}
 	encoding = other->get_encoding(other);
 	equal = chunk_equals(this->encoding, encoding);
@@ -563,7 +543,7 @@ static void destroy(private_x509_crl_t *this)
 	{
 		this->revoked->destroy_function(this->revoked, free);
 		DESTROY_IF(this->issuer);
-		DESTROY_IF(this->authKeyIdentifier);
+		free(this->authKeyIdentifier.ptr);
 		free(this->encoding.ptr);
 		free(this);
 	}
@@ -575,9 +555,9 @@ static void destroy(private_x509_crl_t *this)
 static private_x509_crl_t* create_empty(void)
 {
 	private_x509_crl_t *this = malloc_thing(private_x509_crl_t);
-	
+
 	this->public.crl.get_serial = (chunk_t (*)(crl_t*))get_serial;
-	this->public.crl.get_authKeyIdentifier = (identification_t* (*)(crl_t*))get_authKeyIdentifier;
+	this->public.crl.get_authKeyIdentifier = (chunk_t (*)(crl_t*))get_authKeyIdentifier;
 	this->public.crl.create_enumerator = (enumerator_t* (*)(crl_t*))create_enumerator;
 	this->public.crl.certificate.get_type = (certificate_type_t (*)(certificate_t *this))get_type;
 	this->public.crl.certificate.get_subject = (identification_t* (*)(certificate_t *this))get_issuer;
@@ -592,138 +572,51 @@ static private_x509_crl_t* create_empty(void)
 	this->public.crl.certificate.equals = (bool (*)(certificate_t*, certificate_t *other))equals;
 	this->public.crl.certificate.get_ref = (certificate_t* (*)(certificate_t *this))get_ref;
 	this->public.crl.certificate.destroy = (void (*)(certificate_t *this))destroy;
-	
+
 	this->encoding = chunk_empty;
 	this->tbsCertList = chunk_empty;
 	this->issuer = NULL;
 	this->crlNumber = chunk_empty;
 	this->revoked = linked_list_create();
-	this->authKeyIdentifier = NULL;
+	this->authKeyIdentifier = chunk_empty;
 	this->authKeySerialNumber = chunk_empty;
 	this->ref = 1;
-	
-	return this;
-}
 
-/**
- * create an X.509 crl from a chunk
- */
-static private_x509_crl_t* create_from_chunk(chunk_t chunk)
-{
-	private_x509_crl_t *this = create_empty();
-
-	this->encoding = chunk;
-	if (!parse(this))
-	{
-		destroy(this);
-		return NULL;
-	}
 	return this;
 }
 
 /**
- * create an X.509 crl from a file
+ * See header.
  */
-static private_x509_crl_t* create_from_file(char *path)
+x509_crl_t *x509_crl_load(certificate_type_t type, va_list args)
 {
-	bool pgp = FALSE;
-	chunk_t chunk;
-	private_x509_crl_t *this;
-	
-	if (!pem_asn1_load_file(path, NULL, &chunk, &pgp))
-	{
-		return NULL;
-	}
-
-	this = create_from_chunk(chunk);
-
-	if (this == NULL)
-	{
-		DBG1("  could not parse loaded crl file '%s'",path);
-		return NULL;
-	}
-	DBG1("  loaded crl file '%s'",  path);
-	return this;
-}
+	chunk_t blob = chunk_empty;
 
-typedef struct private_builder_t private_builder_t;
-/**
- * Builder implementation for certificate loading
- */
-struct private_builder_t {
-	/** implements the builder interface */
-	builder_t public;
-	/** loaded CRL */
-	private_x509_crl_t *crl;
-};
-
-/**
- * Implementation of builder_t.build
- */
-static private_x509_crl_t *build(private_builder_t *this)
-{
-	private_x509_crl_t *crl = this->crl;
-	
-	free(this);
-	return crl;
-}
-
-/**
- * Implementation of builder_t.add
- */
-static void add(private_builder_t *this, builder_part_t part, ...)
-{
-	if (!this->crl)
+	while (TRUE)
 	{
-		va_list args;
-		chunk_t chunk;
-	
-		switch (part)
+		switch (va_arg(args, builder_part_t))
 		{
-			case BUILD_FROM_FILE:
-			{
-				va_start(args, part);
-				this->crl = create_from_file(va_arg(args, char*));
-				va_end(args);
-				return;
-			}
 			case BUILD_BLOB_ASN1_DER:
-			{
-				va_start(args, part);
-				chunk = va_arg(args, chunk_t);
-				this->crl = create_from_chunk(chunk_clone(chunk));
-				va_end(args);
-				return;
-			}
-			default:
+				blob = va_arg(args, chunk_t);
+				continue;
+			case BUILD_END:
 				break;
+			default:
+				return NULL;
 		}
+		break;
 	}
-	if (this->crl)
+	if (blob.ptr)
 	{
-		destroy(this->crl);
-	}
-	builder_cancel(&this->public);
-}
+		private_x509_crl_t *crl = create_empty();
 
-/**
- * Builder construction function
- */
-builder_t *x509_crl_builder(certificate_type_t type)
-{
-	private_builder_t *this;
-	
-	if (type != CERT_X509_CRL)
-	{
-		return NULL;
+		crl->encoding = chunk_clone(blob);
+		if (parse(crl))
+		{
+			return &crl->public;
+		}
+		destroy(crl);
 	}
-	
-	this = malloc_thing(private_builder_t);
-	
-	this->crl = NULL;
-	this->public.add = (void(*)(builder_t *this, builder_part_t part, ...))add;
-	this->public.build = (void*(*)(builder_t *this))build;
-	
-	return &this->public;
-}
+	return NULL;
+};
 
diff --git a/src/libstrongswan/plugins/x509/x509_crl.h b/src/libstrongswan/plugins/x509/x509_crl.h
index daa8e4846..890650162 100644
--- a/src/libstrongswan/plugins/x509/x509_crl.h
+++ b/src/libstrongswan/plugins/x509/x509_crl.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008 Martin Willi
+ * Copyright (C) 2008-2009 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -23,6 +23,7 @@
 
 typedef struct x509_crl_t x509_crl_t;
 
+#include <credentials/builder.h>
 #include <credentials/certificates/crl.h>
 
 /**
@@ -36,13 +37,13 @@ struct x509_crl_t {
 	crl_t crl;
 };
 
-
 /**
- * Create the building facility for x509 certificate revocation lists.
+ * Load a X.509 CRL.
  *
  * @param type		certificate type, CERT_X509_CRL only
- * @return			builder instance to build certificate
+ * @param args		builder_part_t argument list
+ * @return			X.509 CRL, NULL on failure
  */
-builder_t *x509_crl_builder(certificate_type_t type);
+x509_crl_t *x509_crl_load(certificate_type_t type, va_list args);
 
 #endif /** X509_CRL_H_ @}*/
diff --git a/src/libstrongswan/plugins/x509/x509_ocsp_request.c b/src/libstrongswan/plugins/x509/x509_ocsp_request.c
index 4020d8d95..f86f87751 100644
--- a/src/libstrongswan/plugins/x509/x509_ocsp_request.c
+++ b/src/libstrongswan/plugins/x509/x509_ocsp_request.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008 Martin Willi
+ * Copyright (C) 2008-2009 Martin Willi
  * Copyright (C) 2007 Andreas Steffen
  * Hochschule fuer Technik Rapperswil
  * Copyright (C) 2003 Christoph Gysin, Simon Zwahlen
@@ -39,12 +39,12 @@ struct private_x509_ocsp_request_t {
 	 * public functions
 	 */
 	x509_ocsp_request_t public;
-	
+
 	/**
 	 * CA the candidates belong to
 	 */
 	x509_t *ca;
-	
+
 	/**
 	 * Requestor name, subject of cert used if not set
 	 */
@@ -54,56 +54,50 @@ struct private_x509_ocsp_request_t {
 	 * Requestor certificate, included in request
 	 */
 	certificate_t *cert;
-	
+
 	/**
 	 * Requestor private key to sign request
 	 */
 	private_key_t *key;
-	
+
 	/**
 	 * list of certificates to check, x509_t
 	 */
 	linked_list_t *candidates;
-	
+
 	/**
 	 * nonce used in request
 	 */
 	chunk_t nonce;
-	
+
 	/**
 	 * encoded OCSP request
 	 */
 	chunk_t encoding;
-	
+
 	/**
 	 * reference count
 	 */
 	refcount_t ref;
 };
 
-static u_char ASN1_nonce_oid_str[] = {
+static const chunk_t ASN1_nonce_oid = chunk_from_chars(
 	0x06, 0x09,
 		  0x2B, 0x06,
 				0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x02
-};
-
-static u_char ASN1_response_oid_str[] = {
+);
+static const chunk_t ASN1_response_oid = chunk_from_chars(
 	0x06, 0x09,
 		  0x2B, 0x06,
 				0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x04
-};
-
-static u_char ASN1_response_content_str[] = {
+);
+static const chunk_t ASN1_response_content = chunk_from_chars(
 	0x04, 0x0D,
 		  0x30, 0x0B,
 				0x06, 0x09,
 				0x2B, 0x06,
 				0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x01
-};
-
-static const chunk_t ASN1_nonce_oid = chunk_from_buf(ASN1_nonce_oid_str);
-static const chunk_t ASN1_response_oid = chunk_from_buf(ASN1_response_oid_str);
-static const chunk_t ASN1_response_content = chunk_from_buf(ASN1_response_content_str);
+);
 
 /**
  * build requestorName
@@ -120,7 +114,7 @@ static chunk_t build_requestorName(private_x509_ocsp_request_t *this)
 		return asn1_wrap(ASN1_CONTEXT_C_1, "m",
 					asn1_simple_object(ASN1_CONTEXT_C_4,
 						this->requestor->get_encoding(this->requestor)));
-	
+
 	}
 	return chunk_empty;
 }
@@ -133,7 +127,7 @@ static chunk_t build_Request(private_x509_ocsp_request_t *this,
 							 chunk_t serialNumber)
 {
 	return asn1_wrap(ASN1_SEQUENCE, "m",
-				asn1_wrap(ASN1_SEQUENCE, "cmmm",
+				asn1_wrap(ASN1_SEQUENCE, "mmmm",
 					asn1_algorithmIdentifier(OID_SHA1),
 					asn1_simple_object(ASN1_OCTET_STRING, issuerNameHash),
 					asn1_simple_object(ASN1_OCTET_STRING, issuerKeyHash),
@@ -151,7 +145,7 @@ static chunk_t build_requestList(private_x509_ocsp_request_t *this)
 	certificate_t *cert;
 	chunk_t list = chunk_empty;
 	public_key_t *public;
-	
+
 	cert = (certificate_t*)this->ca;
 	public = cert->get_public_key(cert);
 	if (public)
@@ -159,23 +153,21 @@ static chunk_t build_requestList(private_x509_ocsp_request_t *this)
 		hasher_t *hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
 		if (hasher)
 		{
-			identification_t *keyid = public->get_id(public, ID_PUBKEY_SHA1);	
-			if (keyid)
+			if (public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1,
+										&issuerKeyHash))
 			{
 				enumerator_t *enumerator;
-			
-				issuerKeyHash = keyid->get_encoding(keyid);
-		
+
 				issuer = cert->get_subject(cert);
 				hasher->allocate_hash(hasher, issuer->get_encoding(issuer),
 									  &issuerNameHash);
 				hasher->destroy(hasher);
-	
+
 				enumerator = this->candidates->create_enumerator(this->candidates);
 				while (enumerator->enumerate(enumerator, &x509))
 				{
 					chunk_t request, serialNumber;
-			
+
 					serialNumber = x509->get_serial(x509);
 					request = build_Request(this, issuerNameHash, issuerKeyHash,
 											serialNumber);
@@ -204,7 +196,7 @@ static chunk_t build_requestList(private_x509_ocsp_request_t *this)
 static chunk_t build_nonce(private_x509_ocsp_request_t *this)
 {
 	rng_t *rng;
-	
+
 	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
 	if (rng)
 	{
@@ -232,7 +224,7 @@ static chunk_t build_acceptableResponses(private_x509_ocsp_request_t *this)
  */
 static chunk_t build_requestExtensions(private_x509_ocsp_request_t *this)
 {
-    return asn1_wrap(ASN1_CONTEXT_C_2, "m",
+	return asn1_wrap(ASN1_CONTEXT_C_2, "m",
 				asn1_wrap(ASN1_SEQUENCE, "mm",
 					build_nonce(this),
 					build_acceptableResponses(this)));
@@ -258,7 +250,7 @@ static chunk_t build_optionalSignature(private_x509_ocsp_request_t *this,
 	int oid;
 	signature_scheme_t scheme;
 	chunk_t certs, signature;
-	
+
 	switch (this->key->get_type(this->key))
 	{
 		/* TODO: use a generic mapping function */
@@ -268,14 +260,14 @@ static chunk_t build_optionalSignature(private_x509_ocsp_request_t *this,
 			break;
 		case KEY_ECDSA:
 			oid = OID_ECDSA_WITH_SHA1;
-			scheme = SIGN_ECDSA_WITH_SHA1;
+			scheme = SIGN_ECDSA_WITH_SHA1_DER;
 			break;
 		default:
 			DBG1("unable to sign OCSP request, %N signature not supported",
 				 key_type_names, this->key->get_type(this->key));
 			return chunk_empty;
 	}
-	
+
 	if (!this->key->sign(this->key, scheme, tbsRequest, &signature))
 	{
 		DBG1("creating OCSP signature failed, skipped");
@@ -288,7 +280,7 @@ static chunk_t build_optionalSignature(private_x509_ocsp_request_t *this,
 						this->cert->get_encoding(this->cert)));
 	}
 	return asn1_wrap(ASN1_CONTEXT_C_0, "m",
-				asn1_wrap(ASN1_SEQUENCE, "cmm", 
+				asn1_wrap(ASN1_SEQUENCE, "cmm",
 					asn1_algorithmIdentifier(oid),
 					asn1_bitstring("m", signature),
 					certs));
@@ -301,7 +293,7 @@ static chunk_t build_optionalSignature(private_x509_ocsp_request_t *this,
 static chunk_t build_OCSPRequest(private_x509_ocsp_request_t *this)
 {
 	chunk_t tbsRequest, optionalSignature = chunk_empty;
-	
+
 	tbsRequest = build_tbsRequest(this);
 	if (this->key)
 	{
@@ -325,7 +317,7 @@ static certificate_type_t get_type(private_x509_ocsp_request_t *this)
 static identification_t* get_subject(private_x509_ocsp_request_t *this)
 {
 	certificate_t *ca = (certificate_t*)this->ca;
-	
+
 	if (this->requestor)
 	{
 		return this->requestor;
@@ -343,7 +335,7 @@ static identification_t* get_subject(private_x509_ocsp_request_t *this)
 static identification_t* get_issuer(private_x509_ocsp_request_t *this)
 {
 	certificate_t *ca = (certificate_t*)this->ca;
-	
+
 	return ca->get_subject(ca);
 }
 
@@ -363,11 +355,11 @@ static id_match_t has_subject(private_x509_ocsp_request_t *this,
 		match = current->has_subject(current, subject);
 		if (match > best)
 		{
-			best = match;	
+			best = match;
 		}
 	}
 	enumerator->destroy(enumerator);
-	return best;	
+	return best;
 }
 
 /**
@@ -416,7 +408,7 @@ static bool get_validity(private_x509_ocsp_request_t *this, time_t *when,
 	}
 	return cert->get_validity(cert, when, not_before, not_after);
 }
-	
+
 /**
  * Implementation of certificate_t.get_encoding.
  */
@@ -432,7 +424,7 @@ static bool equals(private_x509_ocsp_request_t *this, certificate_t *other)
 {
 	chunk_t encoding;
 	bool equal;
-	
+
 	if (this == (private_x509_ocsp_request_t*)other)
 	{
 		return TRUE;
@@ -443,7 +435,7 @@ static bool equals(private_x509_ocsp_request_t *this, certificate_t *other)
 	}
 	if (other->equals == (void*)equals)
 	{	/* skip allocation if we have the same implementation */
-		return chunk_equals(this->encoding, ((private_x509_ocsp_request_t*)other)->encoding); 
+		return chunk_equals(this->encoding, ((private_x509_ocsp_request_t*)other)->encoding);
 	}
 	encoding = other->get_encoding(other);
 	equal = chunk_equals(this->encoding, encoding);
@@ -484,7 +476,7 @@ static void destroy(private_x509_ocsp_request_t *this)
 static private_x509_ocsp_request_t *create_empty()
 {
 	private_x509_ocsp_request_t *this = malloc_thing(private_x509_ocsp_request_t);
-	
+
 	this->public.interface.interface.get_type = (certificate_type_t (*)(certificate_t *this))get_type;
 	this->public.interface.interface.get_subject = (identification_t* (*)(certificate_t *this))get_subject;
 	this->public.interface.interface.get_issuer = (identification_t* (*)(certificate_t *this))get_issuer;
@@ -497,7 +489,7 @@ static private_x509_ocsp_request_t *create_empty()
 	this->public.interface.interface.equals = (bool(*)(certificate_t*, certificate_t *other))equals;
 	this->public.interface.interface.get_ref = (certificate_t* (*)(certificate_t *this))get_ref;
 	this->public.interface.interface.destroy = (void (*)(certificate_t *this))destroy;
-	
+
 	this->ca = NULL;
 	this->requestor = NULL;
 	this->cert = NULL;
@@ -506,30 +498,60 @@ static private_x509_ocsp_request_t *create_empty()
 	this->encoding = chunk_empty;
 	this->candidates = linked_list_create();
 	this->ref = 1;
-	
+
 	return this;
 }
 
-typedef struct private_builder_t private_builder_t;
 /**
- * Builder implementation for certificate loading
+ * See header.
  */
-struct private_builder_t {
-	/** implements the builder interface */
-	builder_t public;
-	/** OCSP request to build */
-	private_x509_ocsp_request_t *req;
-};
-
-/**
- * Implementation of builder_t.build
- */
-static x509_ocsp_request_t *build(private_builder_t *this)
+x509_ocsp_request_t *x509_ocsp_request_gen(certificate_type_t type, va_list args)
 {
 	private_x509_ocsp_request_t *req;
-	
-	req = this->req;
-	free(this);
+	certificate_t *cert;
+	private_key_t *private;
+	identification_t *subject;
+
+	req = create_empty();
+	while (TRUE)
+	{
+		switch (va_arg(args, builder_part_t))
+		{
+			case BUILD_CA_CERT:
+				cert = va_arg(args, certificate_t*);
+				if (cert->get_type(cert) == CERT_X509)
+				{
+					req->ca = (x509_t*)cert->get_ref(cert);
+				}
+				continue;
+			case BUILD_CERT:
+				cert = va_arg(args, certificate_t*);
+				if (cert->get_type(cert) == CERT_X509)
+				{
+					req->candidates->insert_last(req->candidates,
+												 cert->get_ref(cert));
+				}
+				continue;
+			case BUILD_SIGNING_CERT:
+				cert = va_arg(args, certificate_t*);
+				req->cert = cert->get_ref(cert);
+				continue;
+			case BUILD_SIGNING_KEY:
+				private = va_arg(args, private_key_t*);
+				req->key = private->get_ref(private);
+				continue;
+			case BUILD_SUBJECT:
+				subject = va_arg(args, identification_t*);
+				req->requestor = subject->clone(subject);
+				continue;
+			case BUILD_END:
+				break;
+			default:
+				destroy(req);
+				return NULL;
+		}
+		break;
+	}
 	if (req->ca)
 	{
 		req->encoding = build_OCSPRequest(req);
@@ -539,76 +561,3 @@ static x509_ocsp_request_t *build(private_builder_t *this)
 	return NULL;
 }
 
-/**
- * Implementation of builder_t.add
- */
-static void add(private_builder_t *this, builder_part_t part, ...)
-{
-	va_list args;
-	certificate_t *cert;
-	identification_t *subject;
-	private_key_t *private;
-	
-	va_start(args, part);
-	switch (part)
-	{
-		case BUILD_CA_CERT:
-			cert = va_arg(args, certificate_t*);
-			if (cert->get_type(cert) == CERT_X509)
-			{
-				this->req->ca = (x509_t*)cert->get_ref(cert);
-			}
-			break;
-		case BUILD_CERT:
-			cert = va_arg(args, certificate_t*);
-			if (cert->get_type(cert) == CERT_X509)
-			{
-				this->req->candidates->insert_last(this->req->candidates,
-												   cert->get_ref(cert));
-			}
-			break;
-		case BUILD_SIGNING_CERT:
-			cert = va_arg(args, certificate_t*);
-			this->req->cert = cert->get_ref(cert);
-			break;
-		case BUILD_SIGNING_KEY:
-			private = va_arg(args, private_key_t*);
-			this->req->key = private->get_ref(private);
-			break;
-		case BUILD_SUBJECT:
-			subject = va_arg(args, identification_t*);
-			this->req->requestor = subject->clone(subject);
-			break;
-		default:
-			/* cancel if option not supported */
-			if (this->req)
-			{
-				destroy(this->req);
-			}
-			builder_cancel(&this->public);
-			break;
-	}
-	va_end(args);
-}
-
-/**
- * Builder construction function
- */
-builder_t *x509_ocsp_request_builder(certificate_type_t type)
-{
-	private_builder_t *this;
-	
-	if (type != CERT_X509_OCSP_REQUEST)
-	{
-		return NULL;
-	}
-	
-	this = malloc_thing(private_builder_t);
-	
-	this->req = create_empty();
-	this->public.add = (void(*)(builder_t *this, builder_part_t part, ...))add;
-	this->public.build = (void*(*)(builder_t *this))build;
-	
-	return &this->public;
-}
-
diff --git a/src/libstrongswan/plugins/x509/x509_ocsp_request.h b/src/libstrongswan/plugins/x509/x509_ocsp_request.h
index ffaa3c634..4c0e4b8f2 100644
--- a/src/libstrongswan/plugins/x509/x509_ocsp_request.h
+++ b/src/libstrongswan/plugins/x509/x509_ocsp_request.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008 Martin Willi
+ * Copyright (C) 2008-2009 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -21,6 +21,7 @@
 #ifndef X509_OCSP_REQUEST_H_
 #define X509_OCSP_REQUEST_H_
 
+#include <credentials/builder.h>
 #include <credentials/certificates/ocsp_request.h>
 
 typedef struct x509_ocsp_request_t x509_ocsp_request_t;
@@ -37,7 +38,7 @@ struct x509_ocsp_request_t {
 };
 
 /**
- * Create the building facility for OCSP requests.
+ * Generate a X.509 OCSP request.
  *
  * The resulting builder accepts:
  * 	BUILD_CA_CERT:		CA of the checked certificates, exactly one
@@ -46,9 +47,10 @@ struct x509_ocsp_request_t {
  *	BUILD_SIGNING_CERT:	certificate to create requestor signature, optional
  *	BUILD_SIGNING_KEY:	private key to create requestor signature, optional
  *
- * @param type		certificate type, CERT_X509_OCSP_REQUEST only
- * @return			builder instance to build OCSP requests
+ * @param type			certificate type, CERT_X509_OCSP_REQUEST only
+ * @param args			builder_part_t argument list
+ * @return				OCSP request, NULL on failure
  */
-builder_t *x509_ocsp_request_builder(certificate_type_t type);
+x509_ocsp_request_t *x509_ocsp_request_gen(certificate_type_t type, va_list args);
 
 #endif /** X509_OCSP_REQUEST_H_ @}*/
diff --git a/src/libstrongswan/plugins/x509/x509_ocsp_response.c b/src/libstrongswan/plugins/x509/x509_ocsp_response.c
index 1b3187258..948d7ad85 100644
--- a/src/libstrongswan/plugins/x509/x509_ocsp_response.c
+++ b/src/libstrongswan/plugins/x509/x509_ocsp_response.c
@@ -1,5 +1,5 @@
 /**
- * Copyright (C) 2008 Martin Willi
+ * Copyright (C) 2008-2009 Martin Willi
  * Copyright (C) 2007 Andreas Steffen
  * Hochschule fuer Technik Rapperswil
  * Copyright (C) 2003 Christoph Gysin, Simon Zwahlen
@@ -45,42 +45,42 @@ struct private_x509_ocsp_response_t {
 	 * Public interface for this ocsp object.
 	 */
 	x509_ocsp_response_t public;
-	
+
 	/**
 	 * complete encoded OCSP response
 	 */
 	chunk_t encoding;
-	
+
 	/**
 	 * data for signature verficiation
 	 */
 	chunk_t tbsResponseData;
-	
+
 	/**
 	 * signature algorithm (OID)
 	 */
 	int signatureAlgorithm;
-	
+
 	/**
 	 * signature
 	 */
 	chunk_t signature;
-	
+
 	/**
 	 * name or keyid of the responder
 	 */
 	identification_t *responderId;
-	
+
 	/**
 	 * time of response production
 	 */
 	time_t producedAt;
-	
+
 	/**
 	 * latest nextUpdate in this OCSP response
 	 */
 	time_t usableUntil;
-	
+
 	/**
 	 * list of included certificates
 	 */
@@ -95,7 +95,7 @@ struct private_x509_ocsp_response_t {
 	 * Nonce required for ocsp request and response
 	 */
 	chunk_t nonce;
-	
+
 	/**
 	 * reference counter
 	 */
@@ -130,29 +130,23 @@ typedef struct {
 #define OCSP_BASIC_RESPONSE_VERSION 1
 
 /* some OCSP specific prefabricated ASN.1 constants */
-static u_char ASN1_nonce_oid_str[] = {
+static const chunk_t ASN1_nonce_oid = chunk_from_chars(
 	0x06, 0x09,
 		  0x2B, 0x06,
 				0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x02
-};
-
-static u_char ASN1_response_oid_str[] = {
+);
+static const chunk_t ASN1_response_oid = chunk_from_chars(
 	0x06, 0x09,
 		  0x2B, 0x06,
 				0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x04
-};
-
-static u_char ASN1_response_content_str[] = {
+);
+static const chunk_t ASN1_response_content = chunk_from_chars(
 	0x04, 0x0D,
 		  0x30, 0x0B,
 				0x06, 0x09,
 				0x2B, 0x06,
 				0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x01
-};
-
-static const chunk_t ASN1_nonce_oid = chunk_from_buf(ASN1_nonce_oid_str);
-static const chunk_t ASN1_response_oid = chunk_from_buf(ASN1_response_oid_str);
-static const chunk_t ASN1_response_content = chunk_from_buf(ASN1_response_content_str);
+);
 
 /**
  * Implementaiton of ocsp_response_t.get_status
@@ -167,14 +161,15 @@ static cert_validation_t get_status(private_x509_ocsp_response_t *this,
 	single_response_t *response;
 	cert_validation_t status = VALIDATION_FAILED;
 	certificate_t *issuercert = &issuer->interface;
-	
+
 	enumerator = this->responses->create_enumerator(this->responses);
 	while (enumerator->enumerate(enumerator, &response))
 	{
 		hasher_t *hasher;
 		identification_t *id;
-		chunk_t hash;
-		
+		key_encoding_type_t type;
+		chunk_t hash, fingerprint;
+
 		/* check serial first, is cheaper */
 		if (!chunk_equals(subject->get_serial(subject), response->serialNumber))
 		{
@@ -184,22 +179,23 @@ static cert_validation_t get_status(private_x509_ocsp_response_t *this,
 		if (response->issuerKeyHash.ptr)
 		{
 			public_key_t *public;
-			
+
 			public = issuercert->get_public_key(issuercert);
 			if (!public)
 			{
 				continue;
 			}
 			switch (response->hashAlgorithm)
-			{	/* TODO: generic mapper function */
+			{
 				case OID_SHA1:
-					id = public->get_id(public, ID_PUBKEY_SHA1);
+					type = KEY_ID_PUBKEY_SHA1;
 					break;
 				default:
 					public->destroy(public);
 					continue;
 			}
-			if (!chunk_equals(response->issuerKeyHash, id->get_encoding(id)))
+			if (!public->get_fingerprint(public, type, &fingerprint) ||
+				!chunk_equals(response->issuerKeyHash, fingerprint))
 			{
 				public->destroy(public);
 				continue;
@@ -209,7 +205,7 @@ static cert_validation_t get_status(private_x509_ocsp_response_t *this,
 		/* check issuerNameHash, if available */
 		else if (response->issuerNameHash.ptr)
 		{
-			hasher = lib->crypto->create_hasher(lib->crypto, 
+			hasher = lib->crypto->create_hasher(lib->crypto,
 							hasher_algorithm_from_oid(response->hashAlgorithm));
 			if (!hasher)
 			{
@@ -233,7 +229,7 @@ static cert_validation_t get_status(private_x509_ocsp_response_t *this,
 		*revocation_reason = response->revocationReason;
 		*this_update = response->thisUpdate;
 		*next_update = response->nextUpdate;
-		
+
 		break;
 	}
 	enumerator->destroy(enumerator);
@@ -310,7 +306,7 @@ static bool parse_singleResponse(private_x509_ocsp_response_t *this,
 	bool success = FALSE;
 
 	single_response_t *response;
-	
+
 	response = malloc_thing(single_response_t);
 	response->hashAlgorithm = OID_UNKNOWN;
 	response->issuerNameHash = chunk_empty;
@@ -318,7 +314,7 @@ static bool parse_singleResponse(private_x509_ocsp_response_t *this,
 	response->serialNumber = chunk_empty;
 	response->status = VALIDATION_FAILED;
 	response->revocationTime = 0;
-	response->revocationReason = CRL_UNSPECIFIED;
+	response->revocationReason = CRL_REASON_UNSPECIFIED;
 	response->thisUpdate = UNDEFINED_TIME;
 	/* if nextUpdate is missing, we give it a short lifetime */
 	response->nextUpdate = this->producedAt + OCSP_DEFAULT_LIFETIME;
@@ -357,7 +353,7 @@ static bool parse_singleResponse(private_x509_ocsp_response_t *this,
 				{
 					response->revocationReason = *object.ptr;
 				}
-	    		break;
+				break;
 			case SINGLE_RESPONSE_CERT_STATUS_UNKNOWN:
 				response->status = VALIDATION_FAILED;
 				break;
@@ -370,7 +366,7 @@ static bool parse_singleResponse(private_x509_ocsp_response_t *this,
 				{
 					this->usableUntil = response->nextUpdate;
 				}
-	    		break;
+				break;
 		}
 	}
 	success = parser->success(parser);
@@ -400,14 +396,14 @@ static const asn1Object_t responsesObjects[] = {
 /**
  * Parse all responses
  */
-static bool parse_responses(private_x509_ocsp_response_t *this, 
+static bool parse_responses(private_x509_ocsp_response_t *this,
 							chunk_t blob, int level0)
 {
 	asn1_parser_t *parser;
 	chunk_t object;
 	int objectID;
 	bool success = FALSE;
-	
+
 	parser = asn1_parser_create(responsesObjects, blob);
 	parser->set_top_level(parser, level0);
 
@@ -484,7 +480,7 @@ static const asn1Object_t basicResponseObjects[] = {
 /**
  * Parse a basicOCSPResponse
  */
-static bool parse_basicOCSPResponse(private_x509_ocsp_response_t *this, 
+static bool parse_basicOCSPResponse(private_x509_ocsp_response_t *this,
 									chunk_t blob, int level0)
 {
 	asn1_parser_t *parser;
@@ -496,7 +492,7 @@ static bool parse_basicOCSPResponse(private_x509_ocsp_response_t *this,
 	certificate_t *cert;
 	bool success = FALSE;
 	bool critical;
-	
+
 	parser = asn1_parser_create(basicResponseObjects, blob);
 	parser->set_top_level(parser, level0);
 
@@ -525,7 +521,7 @@ static bool parse_basicOCSPResponse(private_x509_ocsp_response_t *this,
 				break;
 			case BASIC_RESPONSE_ID_BY_KEY:
 				this->responderId = identification_create_from_encoding(
-													ID_PUBKEY_INFO_SHA1, object);
+													ID_KEY_ID, object);
 				DBG2("  '%Y'", this->responderId);
 				break;
 			case BASIC_RESPONSE_PRODUCED_AT:
@@ -622,15 +618,15 @@ static bool parse_OCSPResponse(private_x509_ocsp_response_t *this)
 			case OCSP_RESPONSE_STATUS:
 				status = (ocsp_status_t)*object.ptr;
 				switch (status)
-	    		{
-	    			case OCSP_SUCCESSFUL:
+				{
+					case OCSP_SUCCESSFUL:
 						break;
 					default:
 						DBG1("  ocsp response status: %N",
 							 ocsp_status_names, status);
 						goto end;
 				}
-	    		break;
+				break;
 			case OCSP_RESPONSE_TYPE:
 				responseType = asn1_known_oid(object);
 				break;
@@ -689,35 +685,33 @@ static bool issued_by(private_x509_ocsp_response_t *this, certificate_t *issuer)
 	signature_scheme_t scheme;
 	bool valid;
 	x509_t *x509 = (x509_t*)issuer;
-	
+
 	if (issuer->get_type(issuer) != CERT_X509)
 	{
 		return FALSE;
 	}
-	if (this->responderId->get_type(this->responderId) == ID_DER_ASN1_DN)
+	if (this->responderId->get_type(this->responderId) == ID_KEY_ID)
 	{
-		if (!this->responderId->equals(this->responderId,
-									   issuer->get_subject(issuer)))
+		chunk_t fingerprint;
+
+		key = issuer->get_public_key(issuer);
+		if (!key ||
+			!key->get_fingerprint(key, KEY_ID_PUBKEY_SHA1, &fingerprint) ||
+			!chunk_equals(fingerprint,
+						  this->responderId->get_encoding(this->responderId)))
 		{
+			DESTROY_IF(key);
 			return FALSE;
 		}
+		key->destroy(key);
 	}
 	else
 	{
-		bool equal;
-		public_key_t *public = issuer->get_public_key(issuer);
-
-		if (public == NULL)
+		if (!this->responderId->equals(this->responderId,
+									   issuer->get_subject(issuer)))
 		{
 			return FALSE;
 		}
-		equal = this->responderId->equals(this->responderId,
-										  public->get_id(public, ID_PUBKEY_SHA1));
-		public->destroy(public);
-		if (!equal)
-		{
-				return FALSE;
-		}
 	}
 	if (!(x509->get_flags(x509) & X509_OCSP_SIGNER) &&
 		!(x509->get_flags(x509) & X509_CA))
@@ -754,16 +748,8 @@ static public_key_t* get_public_key(private_x509_ocsp_response_t *this)
 static bool get_validity(private_x509_ocsp_response_t *this, time_t *when,
 						 time_t *not_before, time_t *not_after)
 {
-	time_t t;
+	time_t t = when ? *when : time(NULL);
 
-	if (when == NULL)
-	{
-		t = time(NULL);
-	}
-	else
-	{
-		t = *when;
-	}
 	if (not_before)
 	{
 		*not_before = this->producedAt;
@@ -791,7 +777,7 @@ static bool is_newer(certificate_t *this, certificate_t *that)
 				&that_update, FALSE, new ? "replaced":"retained");
 	return new;
 }
-	
+
 /**
  * Implementation of certificate_t.get_encoding.
  */
@@ -807,7 +793,7 @@ static bool equals(private_x509_ocsp_response_t *this, certificate_t *other)
 {
 	chunk_t encoding;
 	bool equal;
-	
+
 	if (this == (private_x509_ocsp_response_t*)other)
 	{
 		return TRUE;
@@ -818,7 +804,7 @@ static bool equals(private_x509_ocsp_response_t *this, certificate_t *other)
 	}
 	if (other->equals == (void*)equals)
 	{	/* skip allocation if we have the same implementation */
-		return chunk_equals(this->encoding, ((private_x509_ocsp_response_t*)other)->encoding); 
+		return chunk_equals(this->encoding, ((private_x509_ocsp_response_t*)other)->encoding);
 	}
 	encoding = other->get_encoding(other);
 	equal = chunk_equals(this->encoding, encoding);
@@ -853,12 +839,12 @@ static void destroy(private_x509_ocsp_response_t *this)
 /**
  * load an OCSP response
  */
-static x509_ocsp_response_t *load(chunk_t data)
+static x509_ocsp_response_t *load(chunk_t blob)
 {
 	private_x509_ocsp_response_t *this;
-	
+
 	this = malloc_thing(private_x509_ocsp_response_t);
-	
+
 	this->public.interface.certificate.get_type = (certificate_type_t (*)(certificate_t *this))get_type;
 	this->public.interface.certificate.get_subject = (identification_t* (*)(certificate_t *this))get_issuer;
 	this->public.interface.certificate.get_issuer = (identification_t* (*)(certificate_t *this))get_issuer;
@@ -874,9 +860,9 @@ static x509_ocsp_response_t *load(chunk_t data)
 	this->public.interface.certificate.destroy = (void (*)(certificate_t *this))destroy;
 	this->public.interface.get_status = (cert_validation_t(*)(ocsp_response_t*, x509_t *subject, x509_t *issuer, time_t *revocation_time,crl_reason_t *revocation_reason,time_t *this_update, time_t *next_update))get_status;
 	this->public.interface.create_cert_enumerator = (enumerator_t*(*)(ocsp_response_t*))create_cert_enumerator;
-	
+
 	this->ref = 1;
-	this->encoding = data;
+	this->encoding = chunk_clone(blob);
 	this->tbsResponseData = chunk_empty;
 	this->responderId = NULL;
 	this->producedAt = UNDEFINED_TIME;
@@ -895,78 +881,32 @@ static x509_ocsp_response_t *load(chunk_t data)
 	return &this->public;
 }
 
-
-typedef struct private_builder_t private_builder_t;
 /**
- * Builder implementation for certificate loading
+ * See header.
  */
-struct private_builder_t {
-	/** implements the builder interface */
-	builder_t public;
-	/** loaded response */
-	x509_ocsp_response_t *res;
-};
-
-/**
- * Implementation of builder_t.build
- */
-static x509_ocsp_response_t *build(private_builder_t *this)
+x509_ocsp_response_t *x509_ocsp_response_load(certificate_type_t type,
+											  va_list args)
 {
-	x509_ocsp_response_t *res = this->res;
-	
-	free(this);
-	return res;
-}
+	chunk_t blob = chunk_empty;
 
-/**
- * Implementation of builder_t.add
- */
-static void add(private_builder_t *this, builder_part_t part, ...)
-{
-	if (!this->res)
+	while (TRUE)
 	{
-		va_list args;
-		chunk_t chunk;
-		
-		switch (part)
+		switch (va_arg(args, builder_part_t))
 		{
 			case BUILD_BLOB_ASN1_DER:
-			{
-				va_start(args, part);
-				chunk = va_arg(args, chunk_t);
-				this->res = load(chunk_clone(chunk));
-				va_end(args);
-				return;
-			}
-			default:
+				blob = va_arg(args, chunk_t);
+				continue;
+			case BUILD_END:
 				break;
+			default:
+				return NULL;
 		}
+		break;
 	}
-	if (this->res)
+	if (blob.ptr)
 	{
-		destroy((private_x509_ocsp_response_t*)this->res);
+		return load(blob);
 	}
-	builder_cancel(&this->public);
-}
-
-/**
- * Builder construction function
- */
-builder_t *x509_ocsp_response_builder(certificate_type_t type)
-{
-	private_builder_t *this;
-	
-	if (type != CERT_X509_OCSP_RESPONSE)
-	{
-		return NULL;
-	}
-	
-	this = malloc_thing(private_builder_t);
-	
-	this->res = NULL;
-	this->public.add = (void(*)(builder_t *this, builder_part_t part, ...))add;
-	this->public.build = (void*(*)(builder_t *this))build;
-	
-	return &this->public;
+	return NULL;
 }
 
diff --git a/src/libstrongswan/plugins/x509/x509_ocsp_response.h b/src/libstrongswan/plugins/x509/x509_ocsp_response.h
index 06a9fd3c7..7a525626e 100644
--- a/src/libstrongswan/plugins/x509/x509_ocsp_response.h
+++ b/src/libstrongswan/plugins/x509/x509_ocsp_response.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008 Martin Willi
+ * Copyright (C) 2008-2009 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -21,6 +21,7 @@
 #ifndef X509_OCSP_RESPONSE_H_
 #define X509_OCSP_RESPONSE_H_
 
+#include <credentials/builder.h>
 #include <credentials/certificates/ocsp_response.h>
 
 typedef struct x509_ocsp_response_t x509_ocsp_response_t;
@@ -37,11 +38,13 @@ struct x509_ocsp_response_t {
 };
 
 /**
- * Create the building facility for OCSP responses.
+ * Load a X.509 OCSP response.
  *
  * @param type		certificate type, CERT_X509_OCSP_RESPONSE only
- * @return			builder instance to build OCSP responses
+ * @param args		builder_part_t argument list
+ * @return			OCSP response, NULL on failure
  */
-builder_t *x509_ocsp_response_builder(certificate_type_t type);
+x509_ocsp_response_t *x509_ocsp_response_load(certificate_type_t type,
+											  va_list args);
 
 #endif /** X509_OCSP_RESPONSE_H_ @}*/
diff --git a/src/libstrongswan/plugins/x509/x509_pkcs10.c b/src/libstrongswan/plugins/x509/x509_pkcs10.c
new file mode 100644
index 000000000..6d750c98c
--- /dev/null
+++ b/src/libstrongswan/plugins/x509/x509_pkcs10.c
@@ -0,0 +1,707 @@
+/*
+ * Copyright (C) 2005 Jan Hutter, Martin Willi
+ * Copyright (C) 2009 Andreas Steffen
+ *
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "x509_pkcs10.h"
+
+#include <library.h>
+#include <debug.h>
+#include <asn1/oid.h>
+#include <asn1/asn1.h>
+#include <asn1/asn1_parser.h>
+#include <credentials/keys/private_key.h>
+#include <utils/linked_list.h>
+#include <utils/identification.h>
+
+typedef struct private_x509_pkcs10_t private_x509_pkcs10_t;
+
+/**
+ * Private data of a x509_pkcs10_t object.
+ */
+struct private_x509_pkcs10_t {
+	/**
+	 * Public interface for this certificate.
+	 */
+	x509_pkcs10_t public;
+
+	/**
+	 * PKCS#10 certificate request encoding in ASN.1 DER format
+	 */
+	chunk_t encoding;
+
+	/**
+	 * PKCS#10 request body over which signature is computed
+	 */
+	chunk_t certificationRequestInfo;
+
+	/**
+	 * Version of the PKCS#10 certificate request
+	 */
+	u_int version;
+
+	/**
+	 * ID representing the certificate subject
+	 */
+	identification_t *subject;
+
+	/**
+	 * List of subjectAltNames as identification_t
+	 */
+	linked_list_t *subjectAltNames;
+
+	/**
+	 * certificate's embedded public key
+	 */
+	public_key_t *public_key;
+
+	/**
+	 * challenge password
+	 */
+	chunk_t challengePassword;
+
+	/**
+	 * Signature algorithm
+	 */
+	int algorithm;
+
+	/**
+	 * Signature
+	 */
+	chunk_t signature;
+
+	/**
+	 * Is the certificate request self-signed?
+	 */
+	bool self_signed;
+
+	/**
+	 * Certificate request parsed from blob/file?
+	 */
+	bool parsed;
+
+	/**
+	 * reference count
+	 */
+	refcount_t ref;
+};
+
+/**
+ * Imported from x509_cert.c
+ */
+extern void x509_parse_generalNames(chunk_t blob, int level0, bool implicit, linked_list_t *list);
+extern chunk_t x509_build_subjectAltNames(linked_list_t *list);
+
+/**
+ * Implementation of certificate_t.get_type.
+ */
+static certificate_type_t get_type(private_x509_pkcs10_t *this)
+{
+	return CERT_PKCS10_REQUEST;
+}
+
+/**
+ * Implementation of certificate_t.get_subject and get_issuer.
+ */
+static identification_t* get_subject(private_x509_pkcs10_t *this)
+{
+	return this->subject;
+}
+
+/**
+ * Implementation of certificate_t.has_subject and has_issuer.
+ */
+static id_match_t has_subject(private_x509_pkcs10_t *this, identification_t *subject)
+{
+	return this->subject->matches(this->subject, subject);
+}
+
+/**
+ * Implementation of certificate_t.issued_by.
+ */
+static bool issued_by(private_x509_pkcs10_t *this, certificate_t *issuer)
+{
+	public_key_t *key;
+	signature_scheme_t scheme;
+
+	if (&this->public.interface.interface != issuer)
+	{
+		return FALSE;
+	}
+	if (this->self_signed)
+	{
+		return TRUE;
+	}
+
+	/* determine signature scheme */
+	scheme = signature_scheme_from_oid(this->algorithm);
+	if (scheme == SIGN_UNKNOWN)
+	{
+		return FALSE;
+	}
+
+	/* get the public key contained in the certificate request */
+	key = this->public_key;
+	if (!key)
+	{
+		return FALSE;
+	}
+	return key->verify(key, scheme, this->certificationRequestInfo,
+									this->signature);
+}
+
+/**
+ * Implementation of certificate_t.get_public_key.
+ */
+static public_key_t* get_public_key(private_x509_pkcs10_t *this)
+{
+	this->public_key->get_ref(this->public_key);
+	return this->public_key;
+}
+
+/**
+ * Implementation of certificate_t.get_validity.
+ */
+static bool get_validity(private_x509_pkcs10_t *this, time_t *when,
+						 time_t *not_before, time_t *not_after)
+{
+	if (not_before)
+	{
+		*not_before = 0;
+	}
+	if (not_after)
+	{
+		*not_after = ~0;
+	}
+	return TRUE;
+}
+
+/**
+ * Implementation of certificate_t.is_newer.
+ */
+static bool is_newer(certificate_t *this, certificate_t *that)
+{
+	return FALSE;
+}
+
+/**
+ * Implementation of certificate_t.get_encoding.
+ */
+static chunk_t get_encoding(private_x509_pkcs10_t *this)
+{
+	return chunk_clone(this->encoding);
+}
+
+/**
+ * Implementation of certificate_t.equals.
+ */
+static bool equals(private_x509_pkcs10_t *this, certificate_t *other)
+{
+	chunk_t encoding;
+	bool equal;
+
+	if (this == (private_x509_pkcs10_t*)other)
+	{
+		return TRUE;
+	}
+	if (other->get_type(other) != CERT_PKCS10_REQUEST)
+	{
+		return FALSE;
+	}
+	if (other->equals == (void*)equals)
+	{	/* skip allocation if we have the same implementation */
+		return chunk_equals(this->encoding, ((private_x509_pkcs10_t*)other)->encoding);
+	}
+	encoding = other->get_encoding(other);
+	equal = chunk_equals(this->encoding, encoding);
+	free(encoding.ptr);
+	return equal;
+}
+
+/**
+ * Implementation of certificate_t.get_ref
+ */
+static private_x509_pkcs10_t* get_ref(private_x509_pkcs10_t *this)
+{
+	ref_get(&this->ref);
+	return this;
+}
+
+/**
+ * Implementation of certificate_t.get_challengePassword.
+ */
+static chunk_t get_challengePassword(private_x509_pkcs10_t *this)
+{
+	return this->challengePassword;
+}
+
+/**
+ * Implementation of pkcs10_t.create_subjectAltName_enumerator.
+ */
+static enumerator_t* create_subjectAltName_enumerator(private_x509_pkcs10_t *this)
+{
+	return this->subjectAltNames->create_enumerator(this->subjectAltNames);
+}
+
+/**
+ * ASN.1 definition of a PKCS#10 extension request
+ */
+static const asn1Object_t extensionRequestObjects[] = {
+	{ 0, "extensions",   ASN1_SEQUENCE,     ASN1_LOOP           }, /* 0 */
+	{ 1,   "extension",   ASN1_SEQUENCE,     ASN1_NONE          }, /* 1 */
+	{ 2,     "extnID",	  ASN1_OID,          ASN1_BODY          }, /* 2 */
+	{ 2,     "critical",  ASN1_BOOLEAN,      ASN1_DEF|ASN1_BODY }, /* 3 */
+	{ 2,     "extnValue", ASN1_OCTET_STRING, ASN1_BODY          }, /* 4 */
+	{ 1, "end loop",      ASN1_EOC,          ASN1_END			}, /* 5 */
+	{ 0, "exit",          ASN1_EOC,          ASN1_EXIT          }
+};
+#define PKCS10_EXTN_ID			2
+#define PKCS10_EXTN_CRITICAL	3
+#define PKCS10_EXTN_VALUE		4
+
+/**
+ * Parses a PKCS#10 extension request
+ */
+static bool parse_extension_request(private_x509_pkcs10_t *this, chunk_t blob, int level0)
+{
+	asn1_parser_t *parser;
+	chunk_t object;
+	int objectID;
+	int extn_oid = OID_UNKNOWN;
+	bool success = FALSE;
+	bool critical;
+
+	parser = asn1_parser_create(extensionRequestObjects, blob);
+	parser->set_top_level(parser, level0);
+
+	while (parser->iterate(parser, &objectID, &object))
+	{
+		u_int level = parser->get_level(parser)+1;
+
+		switch (objectID)
+		{
+			case PKCS10_EXTN_ID:
+				extn_oid = asn1_known_oid(object);
+				break;
+			case PKCS10_EXTN_CRITICAL:
+				critical = object.len && *object.ptr;
+				DBG2("  %s", critical ? "TRUE" : "FALSE");
+				break;
+			case PKCS10_EXTN_VALUE:
+			{
+				switch (extn_oid)
+				{
+					case OID_SUBJECT_ALT_NAME:
+						x509_parse_generalNames(object, level, FALSE,
+												this->subjectAltNames);
+						break;
+					default:
+						break;
+				}
+				break;
+			}
+			default:
+				break;
+		}
+	}
+	success = parser->success(parser);
+	parser->destroy(parser);
+	return success;
+}
+
+/**
+ * Parses a PKCS#10 challenge password
+ */
+static bool parse_challengePassword(private_x509_pkcs10_t *this, chunk_t blob, int level)
+{
+	char tag;
+
+	if (blob.len < 2)
+	{
+		DBG1("L%d - challengePassword:  ASN.1 object smaller than 2 octets",
+					level);
+		return FALSE;
+	}
+	tag = *blob.ptr;
+	if (tag < ASN1_UTF8STRING || tag > ASN1_IA5STRING)
+	{
+		DBG1("L%d - challengePassword:  ASN.1 object is not a character string",
+					level);
+		return FALSE;
+	}
+	if (asn1_length(&blob) == ASN1_INVALID_LENGTH)
+	{
+		DBG1("L%d - challengePassword:  ASN.1 object has an invalid length",
+					level);
+		return FALSE;
+	}		
+	DBG2("L%d - challengePassword:", level);
+	DBG4("  '%.*s'", blob.len, blob.ptr);
+	return TRUE;
+}
+
+/**
+ * ASN.1 definition of a PKCS#10 certificate request
+ */
+static const asn1Object_t certificationRequestObjects[] = {
+	{ 0, "certificationRequest",       ASN1_SEQUENCE,    ASN1_OBJ  }, /*  0 */
+	{ 1,   "certificationRequestInfo", ASN1_SEQUENCE,    ASN1_OBJ  }, /*  1 */
+	{ 2,     "version",                ASN1_INTEGER,     ASN1_BODY }, /*  2 */
+	{ 2,     "subject",                ASN1_SEQUENCE,    ASN1_OBJ  }, /*  3 */
+	{ 2,     "subjectPublicKeyInfo",   ASN1_SEQUENCE,    ASN1_RAW  }, /*  4 */
+	{ 2,     "attributes",             ASN1_CONTEXT_C_0, ASN1_LOOP }, /*  5 */
+	{ 3,       "attribute",            ASN1_SEQUENCE,    ASN1_NONE }, /*  6 */
+	{ 4,         "type",               ASN1_OID,         ASN1_BODY }, /*  7 */
+	{ 4,         "values",             ASN1_SET,         ASN1_LOOP }, /*  8 */
+	{ 5,           "value",            ASN1_EOC,         ASN1_RAW  }, /*  9 */
+	{ 4,         "end loop",           ASN1_EOC,         ASN1_END  }, /* 10 */
+	{ 2,     "end loop",               ASN1_EOC,         ASN1_END  }, /* 11 */
+	{ 1,   "signatureAlgorithm",       ASN1_EOC,         ASN1_RAW  }, /* 12 */
+	{ 1,    "signature",               ASN1_BIT_STRING,  ASN1_BODY }, /* 13 */
+	{ 0, "exit",                       ASN1_EOC,         ASN1_EXIT }
+};
+#define PKCS10_CERT_REQUEST_INFO		 1
+#define PKCS10_VERSION					 2
+#define PKCS10_SUBJECT					 3
+#define PKCS10_SUBJECT_PUBLIC_KEY_INFO	 4
+#define PKCS10_ATTR_TYPE				 7
+#define PKCS10_ATTR_VALUE				 9
+#define PKCS10_ALGORITHM				12
+#define PKCS10_SIGNATURE				13
+
+/**
+ * Parses a PKCS#10 certificate request
+ */
+static bool parse_certificate_request(private_x509_pkcs10_t *this)
+{
+	asn1_parser_t *parser;
+	chunk_t object;
+	int objectID;
+	int attr_oid = OID_UNKNOWN;
+	bool success = FALSE;
+
+	parser = asn1_parser_create(certificationRequestObjects, this->encoding);
+
+	while (parser->iterate(parser, &objectID, &object))
+	{
+		u_int level = parser->get_level(parser)+1;
+
+		switch (objectID)
+		{
+			case PKCS10_CERT_REQUEST_INFO:
+				this->certificationRequestInfo = object;
+				break;
+			case PKCS10_VERSION:
+				if (object.len > 0 && *object.ptr != 0)
+				{
+					DBG1("PKCS#10 certificate request format is not version 1");
+					goto end;
+				}
+				break;
+			case PKCS10_SUBJECT:
+				this->subject = identification_create_from_encoding(ID_DER_ASN1_DN, object);
+				DBG2("  '%Y'", this->subject);
+				break;
+			case PKCS10_SUBJECT_PUBLIC_KEY_INFO:
+				this->public_key = lib->creds->create(lib->creds, CRED_PUBLIC_KEY,
+						KEY_ANY, BUILD_BLOB_ASN1_DER, object, BUILD_END);
+				if (this->public_key == NULL)
+				{
+					goto end;
+				}
+				break;
+			case PKCS10_ATTR_TYPE:
+				attr_oid = asn1_known_oid(object);
+				break;
+			case PKCS10_ATTR_VALUE:
+				switch (attr_oid)
+				{
+					case OID_EXTENSION_REQUEST:
+						if (!parse_extension_request(this, object, level))
+						{
+							goto end;
+						}
+						break;
+					case OID_CHALLENGE_PASSWORD:
+						if (!parse_challengePassword(this, object, level))
+						{
+							goto end;
+						}
+						break;
+					default:
+						break;
+				}
+				break;
+			case PKCS10_ALGORITHM:
+				this->algorithm = asn1_parse_algorithmIdentifier(object, level, NULL);
+				break;
+			case PKCS10_SIGNATURE:
+				this->signature = object;
+				break;
+			default:
+				break;
+		}
+	}
+	success = parser->success(parser);
+
+end:
+	parser->destroy(parser);
+	if (success)
+	{
+		/* check if the certificate request is self-signed */
+		if (issued_by(this, &this->public.interface.interface))
+		{
+			this->self_signed = TRUE;
+		}
+		else
+		{
+			DBG1("certificate request is not self-signed");
+			success = FALSE;
+		}
+	}
+	return success;
+}
+
+/**
+ * Implementation of certificate_t.destroy
+ */
+static void destroy(private_x509_pkcs10_t *this)
+{
+	if (ref_put(&this->ref))
+	{
+		this->subjectAltNames->destroy_offset(this->subjectAltNames,
+									offsetof(identification_t, destroy));
+		DESTROY_IF(this->subject);
+		DESTROY_IF(this->public_key);
+		chunk_free(&this->encoding);
+		if (!this->parsed)
+		{	/* only parsed certificate requests point these fields to "encoded" */
+			chunk_free(&this->certificationRequestInfo);
+			chunk_free(&this->challengePassword);
+			chunk_free(&this->signature);
+		}
+		free(this);
+	}
+}
+
+/**
+ * create an empty but initialized PKCS#10 certificate request
+ */
+static private_x509_pkcs10_t* create_empty(void)
+{
+	private_x509_pkcs10_t *this = malloc_thing(private_x509_pkcs10_t);
+
+	this->public.interface.interface.get_type = (certificate_type_t (*) (certificate_t*))get_type;
+	this->public.interface.interface.get_subject = (identification_t* (*) (certificate_t*))get_subject;
+	this->public.interface.interface.get_issuer = (identification_t* (*) (certificate_t*))get_subject;
+	this->public.interface.interface.has_subject = (id_match_t (*) (certificate_t*, identification_t*))has_subject;
+	this->public.interface.interface.has_issuer = (id_match_t (*) (certificate_t*, identification_t*))has_subject;
+	this->public.interface.interface.issued_by = (bool (*) (certificate_t*, certificate_t*))issued_by;
+	this->public.interface.interface.get_public_key = (public_key_t* (*) (certificate_t*))get_public_key;
+	this->public.interface.interface.get_validity = (bool (*) (certificate_t*, time_t*, time_t*, time_t*))get_validity;
+	this->public.interface.interface.is_newer = (bool (*) (certificate_t*,certificate_t*))is_newer;
+	this->public.interface.interface.get_encoding = (chunk_t (*) (certificate_t*))get_encoding;
+	this->public.interface.interface.equals = (bool (*)(certificate_t*, certificate_t*))equals;
+	this->public.interface.interface.get_ref = (certificate_t* (*)(certificate_t*))get_ref;
+	this->public.interface.interface.destroy = (void (*)(certificate_t*))destroy;
+	this->public.interface.get_challengePassword = (chunk_t (*)(pkcs10_t*))get_challengePassword;
+	this->public.interface.create_subjectAltName_enumerator = (enumerator_t* (*)(pkcs10_t*))create_subjectAltName_enumerator;
+
+	this->encoding = chunk_empty;
+	this->certificationRequestInfo = chunk_empty;
+	this->subject = NULL;
+	this->public_key = NULL;
+	this->subjectAltNames = linked_list_create();
+	this->challengePassword = chunk_empty;
+	this->signature = chunk_empty;
+	this->ref = 1;
+	this->self_signed = FALSE;
+	this->parsed = FALSE;
+
+	return this;
+}
+
+/**
+ * Generate and sign a new certificate request
+ */
+static bool generate(private_x509_pkcs10_t *cert, private_key_t *sign_key,
+					 int digest_alg)
+{
+	chunk_t key_info, subjectAltNames, attributes;
+	chunk_t extensionRequest  = chunk_empty;
+	chunk_t challengePassword = chunk_empty;
+	signature_scheme_t scheme;
+	identification_t *subject;
+
+	subject = cert->subject;
+	cert->public_key = sign_key->get_public_key(sign_key);
+
+	/* select signature scheme */
+	cert->algorithm = hasher_signature_algorithm_to_oid(digest_alg,
+									sign_key->get_type(sign_key));
+	if (cert->algorithm == OID_UNKNOWN)
+	{
+		return FALSE;
+	}
+	scheme = signature_scheme_from_oid(cert->algorithm);
+
+	if (!cert->public_key->get_encoding(cert->public_key,
+										KEY_PUB_SPKI_ASN1_DER, &key_info))
+	{
+		return FALSE;
+	}
+
+	/* encode subjectAltNames */
+	subjectAltNames = x509_build_subjectAltNames(cert->subjectAltNames);
+
+	if (subjectAltNames.ptr)
+	{
+		extensionRequest = asn1_wrap(ASN1_SEQUENCE, "mm",
+					asn1_build_known_oid(OID_EXTENSION_REQUEST),
+					asn1_wrap(ASN1_SET, "m",
+						asn1_wrap(ASN1_SEQUENCE, "m", subjectAltNames)
+					));
+	}
+	if (cert->challengePassword.len > 0)
+	{
+		asn1_t type = asn1_is_printablestring(cert->challengePassword) ?
+								ASN1_PRINTABLESTRING : ASN1_T61STRING;
+
+		challengePassword = asn1_wrap(ASN1_SEQUENCE, "mm",
+					asn1_build_known_oid(OID_CHALLENGE_PASSWORD),
+					asn1_wrap(ASN1_SET, "m",
+						asn1_simple_object(type, cert->challengePassword)
+					)
+			);
+	}
+	attributes = asn1_wrap(ASN1_CONTEXT_C_0, "mm", extensionRequest,
+												   challengePassword);
+
+	cert->certificationRequestInfo = asn1_wrap(ASN1_SEQUENCE, "ccmm",
+							ASN1_INTEGER_0,
+							subject->get_encoding(subject),
+							key_info,
+							attributes);
+
+	if (!sign_key->sign(sign_key, scheme, cert->certificationRequestInfo,
+						&cert->signature))
+	{
+		return FALSE;
+	}
+
+	cert->encoding = asn1_wrap(ASN1_SEQUENCE, "cmm",
+							   cert->certificationRequestInfo,
+							   asn1_algorithmIdentifier(cert->algorithm),
+							   asn1_bitstring("c", cert->signature));
+	return TRUE;
+}
+
+/**
+ * See header.
+ */
+x509_pkcs10_t *x509_pkcs10_load(certificate_type_t type, va_list args)
+{
+	chunk_t blob = chunk_empty;
+
+	while (TRUE)
+	{
+		switch (va_arg(args, builder_part_t))
+		{
+			case BUILD_BLOB_ASN1_DER:
+				blob = va_arg(args, chunk_t);
+				continue;
+			case BUILD_END:
+				break;
+			default:
+				return NULL;
+		}
+		break;
+	}
+
+	if (blob.ptr)
+	{
+		private_x509_pkcs10_t *cert = create_empty();
+
+		cert->encoding = chunk_clone(blob);
+		cert->parsed = TRUE;
+		if (parse_certificate_request(cert))
+		{
+			return &cert->public;
+		}
+		destroy(cert);
+	}
+	return NULL;
+}
+
+/**
+ * See header.
+ */
+x509_pkcs10_t *x509_pkcs10_gen(certificate_type_t type, va_list args)
+{
+	private_x509_pkcs10_t *cert;
+	private_key_t *sign_key = NULL;
+	hash_algorithm_t digest_alg = HASH_SHA1;
+
+	cert = create_empty();
+	while (TRUE)
+	{
+		switch (va_arg(args, builder_part_t))
+		{
+			case BUILD_SIGNING_KEY:
+				sign_key = va_arg(args, private_key_t*);
+				continue;
+			case BUILD_SUBJECT:
+				cert->subject = va_arg(args, identification_t*);
+				cert->subject = cert->subject->clone(cert->subject);
+				continue;
+			case BUILD_SUBJECT_ALTNAMES:
+			{
+				enumerator_t *enumerator;
+				identification_t *id;
+				linked_list_t *list;
+
+				list = va_arg(args, linked_list_t*);
+				enumerator = list->create_enumerator(list);
+				while (enumerator->enumerate(enumerator, &id))
+				{
+					cert->subjectAltNames->insert_last(cert->subjectAltNames,
+													   id->clone(id));
+				}
+				enumerator->destroy(enumerator);
+				continue;
+			}
+			case BUILD_PASSPHRASE:
+				cert->challengePassword = chunk_clone(va_arg(args, chunk_t));
+				continue;
+			case BUILD_DIGEST_ALG:
+				digest_alg = va_arg(args, int);
+				continue;
+			case BUILD_END:
+				break;
+			default:
+				destroy(cert);
+				return NULL;
+		}
+		break;
+	}
+
+	if (sign_key && generate(cert, sign_key, digest_alg))
+	{
+		return &cert->public;
+	}
+	destroy(cert);
+	return NULL;
+}
+
diff --git a/src/libstrongswan/plugins/x509/x509_pkcs10.h b/src/libstrongswan/plugins/x509/x509_pkcs10.h
new file mode 100644
index 000000000..f9490b1dc
--- /dev/null
+++ b/src/libstrongswan/plugins/x509/x509_pkcs10.h
@@ -0,0 +1,65 @@
+/*
+ * Copyright (C) 2008-2009 Martin Willi
+ * Copyright (C) 2009 Andreas Steffen
+ *
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup x509_pkcs10 x509_pkcs10
+ * @{ @ingroup x509_p
+ */
+
+#ifndef X509_PKCS10_H_
+#define X509_PKCS10_H_
+
+typedef struct x509_pkcs10_t x509_pkcs10_t;
+
+#include <credentials/builder.h>
+#include <credentials/certificates/pkcs10.h>
+
+/**
+ * Implementation of pkcs10_t/certificate_t using own ASN.1 parser.
+ */
+struct x509_pkcs10_t {
+
+	/**
+	 * Implements the pkcs10_t interface
+	 */
+	pkcs10_t interface;
+};
+
+/**
+ * Load a PKCS#10 certificate.
+ *
+ * This function takes a BUILD_BLOB_ASN1_DER.
+ *
+ * @param type		certificate type, CERT_PKCS10_REQUEST only
+ * @param args		builder_part_t argument list
+ * @return			PKCS#10 certificate request, NULL on failure
+ */
+x509_pkcs10_t *x509_pkcs10_load(certificate_type_t type, va_list args);
+
+/**
+ * Generate a PKCS#10 certificate request.
+ *
+ * To issue a self-signed certificate request, the function takes:
+ * BUILD_SUBJECT, BUILD_SUBJECT_ALTNAMES, BUILD_SIGNING_KEY, BUILD_DIGEST_ALG.
+ *
+ * @param type		certificate type, CERT_PKCS10_REQUEST only
+ * @param args		builder_part_t argument list
+ * @return			PKCS#10 certificate request, NULL on failure
+ */
+x509_pkcs10_t *x509_pkcs10_gen(certificate_type_t type, va_list args);
+
+#endif /** X509_PKCS10_H_ @}*/
diff --git a/src/libstrongswan/plugins/x509/x509_plugin.c b/src/libstrongswan/plugins/x509/x509_plugin.c
index 9ed7f95bd..94c49b1e1 100644
--- a/src/libstrongswan/plugins/x509/x509_plugin.c
+++ b/src/libstrongswan/plugins/x509/x509_plugin.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008 Martin Willi
+ * Copyright (C) 2008-2009 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -21,6 +21,7 @@
 #include "x509_crl.h"
 #include "x509_ocsp_request.h"
 #include "x509_ocsp_response.h"
+#include "x509_pkcs10.h"
 
 typedef struct private_x509_plugin_t private_x509_plugin_t;
 
@@ -41,15 +42,23 @@ struct private_x509_plugin_t {
 static void destroy(private_x509_plugin_t *this)
 {
 	lib->creds->remove_builder(lib->creds,
-							   (builder_constructor_t)x509_cert_builder);
+							   (builder_function_t)x509_cert_gen);
 	lib->creds->remove_builder(lib->creds,
-							   (builder_constructor_t)x509_ac_builder);
+							   (builder_function_t)x509_cert_load);
 	lib->creds->remove_builder(lib->creds,
-							   (builder_constructor_t)x509_crl_builder);
+							   (builder_function_t)x509_ac_gen);
 	lib->creds->remove_builder(lib->creds,
-							   (builder_constructor_t)x509_ocsp_request_builder);
+							   (builder_function_t)x509_ac_load);
 	lib->creds->remove_builder(lib->creds,
-							   (builder_constructor_t)x509_ocsp_response_builder);
+							   (builder_function_t)x509_crl_load);
+	lib->creds->remove_builder(lib->creds,
+							   (builder_function_t)x509_ocsp_request_gen);
+	lib->creds->remove_builder(lib->creds,
+							   (builder_function_t)x509_ocsp_response_load);
+	lib->creds->remove_builder(lib->creds,
+							   (builder_function_t)x509_pkcs10_gen);
+	lib->creds->remove_builder(lib->creds,
+							   (builder_function_t)x509_pkcs10_load);
 	free(this);
 }
 
@@ -59,19 +68,27 @@ static void destroy(private_x509_plugin_t *this)
 plugin_t *plugin_create()
 {
 	private_x509_plugin_t *this = malloc_thing(private_x509_plugin_t);
-	
+
 	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
 
 	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509,
-							(builder_constructor_t)x509_cert_builder);
+							(builder_function_t)x509_cert_gen);
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509,
+							(builder_function_t)x509_cert_load);
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_AC,
+							(builder_function_t)x509_ac_gen);
 	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_AC,
-							(builder_constructor_t)x509_ac_builder);
+							(builder_function_t)x509_ac_load);
 	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL,
-							(builder_constructor_t)x509_crl_builder);
+							(builder_function_t)x509_crl_load);
 	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_OCSP_REQUEST,
-							(builder_constructor_t)x509_ocsp_request_builder);
+							(builder_function_t)x509_ocsp_request_gen);
 	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_OCSP_RESPONSE,
-							(builder_constructor_t)x509_ocsp_response_builder);
+							(builder_function_t)x509_ocsp_response_load);
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_PKCS10_REQUEST,
+							(builder_function_t)x509_pkcs10_gen);
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_PKCS10_REQUEST,
+							(builder_function_t)x509_pkcs10_load);
 
 	return &this->public.plugin;
 }
diff --git a/src/libstrongswan/plugins/xcbc/Makefile.in b/src/libstrongswan/plugins/xcbc/Makefile.in
index 1d4e39586..3720aeaeb 100644
--- a/src/libstrongswan/plugins/xcbc/Makefile.in
+++ b/src/libstrongswan/plugins/xcbc/Makefile.in
@@ -1,8 +1,9 @@
-# Makefile.in generated by automake 1.10.2 from Makefile.am.
+# Makefile.in generated by automake 1.11 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,8 +17,9 @@
 
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
@@ -35,19 +37,41 @@ host_triplet = @host@
 subdir = src/libstrongswan/plugins/xcbc
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
 CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
 am__vpath_adj = case $$p in \
     $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
     *) f=$$p;; \
   esac;
-am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__installdirs = "$(DESTDIR)$(plugindir)"
-pluginLTLIBRARIES_INSTALL = $(INSTALL)
 LTLIBRARIES = $(plugin_LTLIBRARIES)
 libstrongswan_xcbc_la_LIBADD =
 am_libstrongswan_xcbc_la_OBJECTS = xcbc_plugin.lo xcbc.lo xcbc_prf.lo \
@@ -59,6 +83,7 @@ libstrongswan_xcbc_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
+am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
@@ -106,25 +131,22 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
-IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
-LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
-LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
-LINUX_HEADERS = @LINUX_HEADERS@
 LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
 NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
@@ -136,11 +158,14 @@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
 PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
+RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
@@ -169,9 +194,9 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
-confdir = @confdir@
 datadir = @datadir@
 datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
@@ -194,7 +219,7 @@ ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
 libstrongswan_plugins = @libstrongswan_plugins@
-linuxdir = @linuxdir@
+linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
@@ -202,6 +227,7 @@ mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
@@ -210,10 +236,12 @@ pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+random_device = @random_device@
 resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
-simreader = @simreader@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
@@ -221,6 +249,7 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
@@ -243,9 +272,9 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/libstrongswan/plugins/xcbc/Makefile'; \
-	cd $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu  src/libstrongswan/plugins/xcbc/Makefile
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/xcbc/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libstrongswan/plugins/xcbc/Makefile
 .PRECIOUS: Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
@@ -263,23 +292,28 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
 	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
 	  if test -f $$p; then \
-	    f=$(am__strip_dir) \
-	    echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(plugindir)/$$f'"; \
-	    $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(plugindir)/$$f"; \
+	    list2="$$list2 $$p"; \
 	  else :; fi; \
-	done
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
 
 uninstall-pluginLTLIBRARIES:
 	@$(NORMAL_UNINSTALL)
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
-	  p=$(am__strip_dir) \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$p'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$p"; \
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
 	done
 
 clean-pluginLTLIBRARIES:
@@ -306,21 +340,21 @@ distclean-compile:
 
 .c.o:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c $<
 
 .c.obj:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
 @am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
@@ -343,7 +377,7 @@ tags: TAGS
 
 TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
+	set x; \
 	here=`pwd`; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
@@ -351,29 +385,34 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
 	  test -n "$$unique" || unique=$$empty_fix; \
-	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	    $$tags $$unique; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
 	fi
 ctags: CTAGS
 CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	test -z "$(CTAGS_ARGS)$$unique" \
 	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$tags $$unique
+	     $$unique
 
 GTAGS:
 	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && cd $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) $$here
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
 
 distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
@@ -394,13 +433,17 @@ distdir: $(DISTFILES)
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
 	  if test -d $$d/$$file; then \
 	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
 	    fi; \
-	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
 	  else \
-	    test -f $(distdir)/$$file \
-	    || cp -p $$d/$$file $(distdir)/$$file \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
 	    || exit 1; \
 	  fi; \
 	done
@@ -431,6 +474,7 @@ clean-generic:
 
 distclean-generic:
 	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -452,6 +496,8 @@ dvi-am:
 
 html: html-am
 
+html-am:
+
 info: info-am
 
 info-am:
@@ -460,18 +506,28 @@ install-data-am: install-pluginLTLIBRARIES
 
 install-dvi: install-dvi-am
 
+install-dvi-am:
+
 install-exec-am:
 
 install-html: install-html-am
 
+install-html-am:
+
 install-info: install-info-am
 
+install-info-am:
+
 install-man:
 
 install-pdf: install-pdf-am
 
+install-pdf-am:
+
 install-ps: install-ps-am
 
+install-ps-am:
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -510,6 +566,7 @@ uninstall-am: uninstall-pluginLTLIBRARIES
 	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
 	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
 
+
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/src/libstrongswan/plugins/xcbc/xcbc.c b/src/libstrongswan/plugins/xcbc/xcbc.c
index dd63af005..b9f03eeac 100644
--- a/src/libstrongswan/plugins/xcbc/xcbc.c
+++ b/src/libstrongswan/plugins/xcbc/xcbc.c
@@ -23,7 +23,7 @@ typedef struct private_xcbc_t private_xcbc_t;
 
 /**
  * Private data of a xcbc_t object.
- * 
+ *
  * The variable names are the same as in the RFC.
  */
 struct private_xcbc_t {
@@ -31,42 +31,42 @@ struct private_xcbc_t {
 	 * Public xcbc_t interface.
 	 */
 	xcbc_t xcbc;
-	
+
 	/**
 	 * Block size, in bytes
 	 */
 	u_int8_t b;
-	
+
 	/**
 	 * crypter using k1
 	 */
 	crypter_t *k1;
-	
+
 	/**
 	 * k2
 	 */
 	u_int8_t *k2;
-	
+
 	/**
 	 * k3
 	 */
 	u_int8_t *k3;
-	
+
 	/**
 	 * E
 	 */
 	u_int8_t *e;
-	
+
 	/**
 	 * remaining, unprocessed bytes in append mode
 	 */
 	u_int8_t *remaining;
-	
+
 	/**
 	 * number of bytes in remaining
 	 */
 	int remaining_bytes;
-	
+
 	/**
 	 * TRUE if we have zero bytes to xcbc in final()
 	 */
@@ -79,34 +79,34 @@ struct private_xcbc_t {
 static void update(private_xcbc_t *this, chunk_t data)
 {
 	chunk_t iv;
-	
+
 	if (data.len)
 	{
 		this->zero = FALSE;
 	}
-	
+
 	if (this->remaining_bytes + data.len <= this->b)
 	{	/* no complete block, just copy into remaining */
 		memcpy(this->remaining + this->remaining_bytes, data.ptr, data.len);
 		this->remaining_bytes += data.len;
 		return;
 	}
-	
+
 	iv = chunk_alloca(this->b);
 	memset(iv.ptr, 0, iv.len);
-	
+
 	/* (3) For each block M[i], where i = 1 ... n-1:
 	 *     XOR M[i] with E[i-1], then encrypt the result with Key K1,
 	 *     yielding E[i].
 	 */
-	
+
 	/* append data to remaining bytes, process block M[1] */
 	memcpy(this->remaining + this->remaining_bytes, data.ptr,
 		   this->b - this->remaining_bytes);
 	data = chunk_skip(data, this->b - this->remaining_bytes);
 	memxor(this->e, this->remaining, this->b);
 	this->k1->encrypt(this->k1, chunk_create(this->e, this->b), iv, NULL);
-	
+
 	/* process blocks M[2] ... M[n-1] */
 	while (data.len > this->b)
 	{
@@ -115,7 +115,7 @@ static void update(private_xcbc_t *this, chunk_t data)
 		memxor(this->e, this->remaining, this->b);
 		this->k1->encrypt(this->k1, chunk_create(this->e, this->b), iv, NULL);
 	}
-	
+
 	/* store remaining bytes of block M[n] */
 	memcpy(this->remaining, data.ptr, data.len);
 	this->remaining_bytes = data.len;
@@ -127,10 +127,10 @@ static void update(private_xcbc_t *this, chunk_t data)
 static void final(private_xcbc_t *this, u_int8_t *out)
 {
 	chunk_t iv;
-	
+
 	iv = chunk_alloca(this->b);
 	memset(iv.ptr, 0, iv.len);
-	
+
 	/* (4) For block M[n]: */
 	if (this->remaining_bytes == this->b && !this->zero)
 	{
@@ -165,9 +165,9 @@ static void final(private_xcbc_t *this, u_int8_t *out)
 		memxor(this->e, this->k3, this->b);
 		this->k1->encrypt(this->k1, chunk_create(this->e, this->b), iv, NULL);
 	}
-	
+
 	memcpy(out, this->e, this->b);
-	
+
 	/* (2) Define E[0] = 0x00000000000000000000000000000000 */
 	memset(this->e, 0, this->b);
 	this->remaining_bytes = 0;
@@ -181,13 +181,13 @@ static void get_mac(private_xcbc_t *this, chunk_t data, u_int8_t *out)
 {
 	/* update E, do not process last block */
 	update(this, data);
-	
+
 	if (out)
 	{	/* if not in append mode, process last block and output result */
 		final(this, out);
 	}
 }
-	
+
 /**
  * Implementation of xcbc_t.get_block_size.
  */
@@ -225,8 +225,8 @@ static void set_key(private_xcbc_t *this, chunk_t key)
 	k1 = chunk_alloca(this->b);
 	iv = chunk_alloca(this->b);
 	memset(iv.ptr, 0, iv.len);
-	
-	/* 
+
+	/*
 	 * (1) Derive 3 128-bit keys (K1, K2 and K3) from the 128-bit secret
      *     key K, as follows:
      *     K1 = 0x01010101010101010101010101010101 encrypted with Key K
@@ -263,7 +263,7 @@ xcbc_t *xcbc_create(encryption_algorithm_t algo, size_t key_size)
 {
 	private_xcbc_t *this;
 	crypter_t *crypter;
-	
+
 	crypter = lib->crypto->create_crypter(lib->crypto, algo, key_size);
 	if (!crypter)
 	{
@@ -275,13 +275,13 @@ xcbc_t *xcbc_create(encryption_algorithm_t algo, size_t key_size)
 		crypter->destroy(crypter);
 		return NULL;
 	}
-	
+
 	this = malloc_thing(private_xcbc_t);
 	this->xcbc.get_mac = (void (*)(xcbc_t *,chunk_t,u_int8_t*))get_mac;
 	this->xcbc.get_block_size = (size_t (*)(xcbc_t *))get_block_size;
 	this->xcbc.set_key = (void (*)(xcbc_t *,chunk_t))set_key;
 	this->xcbc.destroy = (void (*)(xcbc_t *))destroy;
-	
+
 	this->b = crypter->get_block_size(crypter);
 	this->k1 = crypter;
 	this->k2 = malloc(this->b);
diff --git a/src/libstrongswan/plugins/xcbc/xcbc.h b/src/libstrongswan/plugins/xcbc/xcbc.h
index a334c675b..f28e0b8e0 100644
--- a/src/libstrongswan/plugins/xcbc/xcbc.h
+++ b/src/libstrongswan/plugins/xcbc/xcbc.h
@@ -32,34 +32,34 @@ typedef struct xcbc_t xcbc_t;
  * described in RFC3566.
  */
 struct xcbc_t {
-	
+
 	/**
 	 * Generate message authentication code.
-	 * 
+	 *
 	 * If buffer is NULL, no result is given back. A next call will
-	 * append the data to already supplied data. If buffer is not NULL, 
+	 * append the data to already supplied data. If buffer is not NULL,
 	 * the mac of all apended data is calculated, returned and the
 	 * state of the xcbc_t is reseted.
-	 * 
+	 *
 	 * @param data		chunk of data to authenticate
 	 * @param buffer	pointer where the generated bytes will be written
 	 */
 	void (*get_mac) (xcbc_t *this, chunk_t data, u_int8_t *buffer);
-	
+
 	/**
 	 * Get the block size of this xcbc_t object.
-	 * 
+	 *
 	 * @return			block size in bytes
 	 */
 	size_t (*get_block_size) (xcbc_t *this);
-	
+
 	/**
 	 * Set the key for this xcbc_t object.
-	 * 
+	 *
 	 * @param key		key to set
 	 */
 	void (*set_key) (xcbc_t *this, chunk_t key);
-	
+
 	/**
 	 * Destroys a xcbc_t object.
 	 */
@@ -68,7 +68,7 @@ struct xcbc_t {
 
 /**
  * Creates a new xcbc_t object.
- * 
+ *
  * @param algo			underlying crypto algorithm
  * @param key_size		key size to use, if required for algorithm
  * @return				xcbc_t object, NULL if not supported
diff --git a/src/libstrongswan/plugins/xcbc/xcbc_plugin.c b/src/libstrongswan/plugins/xcbc/xcbc_plugin.c
index 25f59c650..3eb7f0927 100644
--- a/src/libstrongswan/plugins/xcbc/xcbc_plugin.c
+++ b/src/libstrongswan/plugins/xcbc/xcbc_plugin.c
@@ -50,12 +50,12 @@ static void destroy(private_xcbc_plugin_t *this)
 plugin_t *plugin_create()
 {
 	private_xcbc_plugin_t *this = malloc_thing(private_xcbc_plugin_t);
-	
+
 	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-	
-	lib->crypto->add_prf(lib->crypto, PRF_AES128_XCBC, 
+
+	lib->crypto->add_prf(lib->crypto, PRF_AES128_XCBC,
 						 (prf_constructor_t)xcbc_prf_create);
-	lib->crypto->add_signer(lib->crypto, AUTH_AES_XCBC_96, 
+	lib->crypto->add_signer(lib->crypto, AUTH_AES_XCBC_96,
 							(signer_constructor_t)xcbc_signer_create);
 
 	return &this->public.plugin;
diff --git a/src/libstrongswan/plugins/xcbc/xcbc_prf.c b/src/libstrongswan/plugins/xcbc/xcbc_prf.c
index a90f2d44f..2459dc616 100644
--- a/src/libstrongswan/plugins/xcbc/xcbc_prf.c
+++ b/src/libstrongswan/plugins/xcbc/xcbc_prf.c
@@ -27,8 +27,8 @@ struct private_xcbc_prf_t {
 	/**
 	 * Public xcbc_prf_t interface.
 	 */
-	xcbc_prf_t public;	
-	
+	xcbc_prf_t public;
+
 	/**
 	 * xcbc to use for generation.
 	 */
@@ -100,7 +100,7 @@ xcbc_prf_t *xcbc_prf_create(pseudo_random_function_t algo)
 {
 	private_xcbc_prf_t *this;
 	xcbc_t *xcbc;
-	
+
 	switch (algo)
 	{
 		case PRF_AES128_XCBC:
@@ -113,17 +113,17 @@ xcbc_prf_t *xcbc_prf_create(pseudo_random_function_t algo)
 	{
 		return NULL;
 	}
-	
+
 	this = malloc_thing(private_xcbc_prf_t);
 	this->xcbc = xcbc;
-	
+
 	this->public.prf_interface.get_bytes = (void (*) (prf_t *,chunk_t,u_int8_t*))get_bytes;
 	this->public.prf_interface.allocate_bytes = (void (*) (prf_t*,chunk_t,chunk_t*))allocate_bytes;
 	this->public.prf_interface.get_block_size = (size_t (*) (prf_t*))get_block_size;
 	this->public.prf_interface.get_key_size = (size_t (*) (prf_t*))get_key_size;
 	this->public.prf_interface.set_key = (void (*) (prf_t *,chunk_t))set_key;
 	this->public.prf_interface.destroy = (void (*) (prf_t *))destroy;
-	
+
 	return &this->public;
 }
 
diff --git a/src/libstrongswan/plugins/xcbc/xcbc_prf.h b/src/libstrongswan/plugins/xcbc/xcbc_prf.h
index bbf5b972a..d2db9af41 100644
--- a/src/libstrongswan/plugins/xcbc/xcbc_prf.h
+++ b/src/libstrongswan/plugins/xcbc/xcbc_prf.h
@@ -27,12 +27,12 @@ typedef struct xcbc_prf_t xcbc_prf_t;
 
 /**
  * Implementation of prf_t on CBC block cipher using XCBC, RFC3664/RFC4434.
- * 
+ *
  * This simply wraps a xcbc_t in a prf_t. More a question of
  * interface matching.
  */
 struct xcbc_prf_t {
-	
+
 	/**
 	 * Generic prf_t interface for this xcbc_prf_t class.
 	 */
@@ -41,7 +41,7 @@ struct xcbc_prf_t {
 
 /**
  * Creates a new xcbc_prf_t object.
- * 
+ *
  * @param algo		algorithm to implement
  * @return			xcbc_prf_t object, NULL if hash not supported
  */
diff --git a/src/libstrongswan/plugins/xcbc/xcbc_signer.c b/src/libstrongswan/plugins/xcbc/xcbc_signer.c
index b394bb251..1c98d39d7 100644
--- a/src/libstrongswan/plugins/xcbc/xcbc_signer.c
+++ b/src/libstrongswan/plugins/xcbc/xcbc_signer.c
@@ -29,12 +29,12 @@ struct private_xcbc_signer_t {
 	 * Public interface of xcbc_signer_t.
 	 */
 	xcbc_signer_t public;
-	
+
 	/**
 	 * Assigned xcbc function.
 	 */
 	xcbc_t *xcbc;
-	
+
 	/**
 	 * Block size (truncation of XCBC MAC)
 	 */
@@ -54,7 +54,7 @@ static void get_signature(private_xcbc_signer_t *this,
 	else
 	{
 		u_int8_t mac[this->xcbc->get_block_size(this->xcbc)];
-		
+
 		this->xcbc->get_mac(this->xcbc, data, mac);
 		memcpy(buffer, mac, this->block_size);
 	}
@@ -73,12 +73,12 @@ static void allocate_signature (private_xcbc_signer_t *this,
 	else
 	{
 		u_int8_t mac[this->xcbc->get_block_size(this->xcbc)];
-		
+
 		this->xcbc->get_mac(this->xcbc, data, mac);
 
 		chunk->ptr = malloc(this->block_size);
 		chunk->len = this->block_size;
-		
+
 		memcpy(chunk->ptr, mac, this->block_size);
 	}
 }
@@ -90,12 +90,12 @@ static bool verify_signature(private_xcbc_signer_t *this,
 							 chunk_t data, chunk_t signature)
 {
 	u_int8_t mac[this->xcbc->get_block_size(this->xcbc)];
-	
+
 	if (signature.len != this->block_size)
 	{
 		return FALSE;
 	}
-	
+
 	this->xcbc->get_mac(this->xcbc, data, mac);
 	return memeq(signature.ptr, mac, this->block_size);
 }
@@ -142,7 +142,7 @@ xcbc_signer_t *xcbc_signer_create(integrity_algorithm_t algo)
 	private_xcbc_signer_t *this;
 	size_t trunc;
 	xcbc_t *xcbc;
-	
+
 	switch (algo)
 	{
 		case AUTH_AES_XCBC_96:
@@ -156,11 +156,11 @@ xcbc_signer_t *xcbc_signer_create(integrity_algorithm_t algo)
 	{
 		return NULL;
 	}
-	
+
 	this = malloc_thing(private_xcbc_signer_t);
 	this->xcbc = xcbc;
 	this->block_size = min(trunc, xcbc->get_block_size(xcbc));
-	
+
 	/* interface functions */
 	this->public.signer_interface.get_signature = (void (*) (signer_t*, chunk_t, u_int8_t*))get_signature;
 	this->public.signer_interface.allocate_signature = (void (*) (signer_t*, chunk_t, chunk_t*))allocate_signature;
@@ -169,7 +169,7 @@ xcbc_signer_t *xcbc_signer_create(integrity_algorithm_t algo)
 	this->public.signer_interface.get_block_size = (size_t (*) (signer_t*))get_block_size;
 	this->public.signer_interface.set_key = (void (*) (signer_t*,chunk_t))set_key;
 	this->public.signer_interface.destroy = (void (*) (signer_t*))destroy;
-	
+
 	return &this->public;
 }
 
diff --git a/src/libstrongswan/plugins/xcbc/xcbc_signer.h b/src/libstrongswan/plugins/xcbc/xcbc_signer.h
index dc0087392..181cfe299 100644
--- a/src/libstrongswan/plugins/xcbc/xcbc_signer.h
+++ b/src/libstrongswan/plugins/xcbc/xcbc_signer.h
@@ -29,7 +29,7 @@ typedef struct xcbc_signer_t xcbc_signer_t;
  * Implementation of signer_t based on CBC symmetric cypher. XCBC, RFC3566.
  */
 struct xcbc_signer_t {
-	
+
 	/**
 	 * generic signer_t interface for this signer
 	 */
diff --git a/src/libstrongswan/printf_hook.c b/src/libstrongswan/printf_hook.c
index 692ad9cf8..0b516c99e 100644
--- a/src/libstrongswan/printf_hook.c
+++ b/src/libstrongswan/printf_hook.c
@@ -44,17 +44,17 @@ struct private_printf_hook_t {
  * struct with information about a registered handler
  */
 struct printf_hook_handler_t {
-	
+
 	/**
 	 * callback function
 	 */
 	printf_hook_function_t hook;
-	
+
 	/**
 	 * number of arguments
 	 */
 	int numargs;
-	
+
 	/**
 	 * types of the arguments
 	 */
@@ -75,7 +75,8 @@ static printf_hook_handler_t *printf_hooks[NUM_HANDLERS];
 #define SPEC_TO_INDEX(spec) ((int)(spec) - (int)'A')
 #define IS_VALID_SPEC(spec) (SPEC_TO_INDEX(spec) > -1 && SPEC_TO_INDEX(spec) < NUM_HANDLERS)
 
-#if defined(HAVE_PRINTF_HOOKS) && !defined(USE_VSTR)
+#if !defined(USE_VSTR) && \
+	(defined(HAVE_PRINTF_FUNCTION) || defined(HAVE_PRINTF_SPECIFIER))
 
 /**
  * Printf hook print function. This is actually of type "printf_function",
@@ -89,11 +90,11 @@ static int custom_print(FILE *stream, const struct printf_info *info,
 	char buf[PRINTF_BUF_LEN];
 	printf_hook_spec_t spec;
 	printf_hook_handler_t *handler = printf_hooks[SPEC_TO_INDEX(info->spec)];
-	
+
 	spec.hash = info->alt;
 	spec.minus = info->left;
 	spec.width = info->width;
-	
+
 	written = handler->hook(buf, sizeof(buf), &spec, args);
 	if (written > 0)
 	{
@@ -104,13 +105,17 @@ static int custom_print(FILE *stream, const struct printf_info *info,
 
 /**
  * Printf hook arginfo function, which is actually of type
- * "printf_arginfo_function".
+ * "printf_arginfo_[size_]function".
  */
-static int custom_arginfo(const struct printf_info *info, size_t n, int *argtypes)
+static int custom_arginfo(const struct printf_info *info, size_t n, int *argtypes
+#ifdef HAVE_PRINTF_SPECIFIER
+						  , int *size
+#endif
+						  )
 {
 	int i;
 	printf_hook_handler_t *handler = printf_hooks[SPEC_TO_INDEX(info->spec)];
-	
+
 	if (handler->numargs <= n)
 	{
 		for (i = 0; i < handler->numargs; ++i)
@@ -118,6 +123,7 @@ static int custom_arginfo(const struct printf_info *info, size_t n, int *argtype
 			argtypes[i] = handler->argtypes[i];
 		}
 	}
+	/* we never set "size", as we have no user defined types */
 	return handler->numargs;
 }
 
@@ -136,7 +142,7 @@ static int custom_fmt_cb(Vstr_base *base, size_t pos, Vstr_fmt_spec *fmt_spec)
 	const void *args[ARGS_MAX];
 	printf_hook_spec_t spec;
 	printf_hook_handler_t *handler = printf_hooks[SPEC_TO_INDEX(fmt_spec->name[0])];
-	
+
 	for (i = 0; i < handler->numargs; i++)
 	{
 		switch(handler->argtypes[i])
@@ -149,11 +155,11 @@ static int custom_fmt_cb(Vstr_base *base, size_t pos, Vstr_fmt_spec *fmt_spec)
 				break;
 		}
 	}
-	
+
 	spec.hash = fmt_spec->fmt_hash;
 	spec.minus = fmt_spec->fmt_minus;
 	spec.width = fmt_spec->fmt_field_width;
-	
+
 	written = handler->hook(buf, sizeof(buf), &spec, args);
 	if (written > 0)
 	{
@@ -185,15 +191,9 @@ static void vstr_fmt_add_handler(Vstr_conf *conf, printf_hook_handler_t *handler
 /**
  * Management of thread-specific Vstr_conf objects
  */
-#include <pthread.h>
-
-static pthread_key_t vstr_conf_key;
-static pthread_once_t vstr_conf_key_once = PTHREAD_ONCE_INIT;
+#include <threading/thread_value.h>
 
-static void init_vstr_conf_key(void)
-{
-	pthread_key_create(&vstr_conf_key, (void*)vstr_free_conf);
-}
+static thread_value_t *vstr_conf;
 
 static Vstr_conf *create_vstr_conf()
 {
@@ -217,12 +217,11 @@ static Vstr_conf *create_vstr_conf()
 static inline Vstr_conf *get_vstr_conf()
 {
 	Vstr_conf *conf;
-	pthread_once(&vstr_conf_key_once, init_vstr_conf_key);
-	conf = (Vstr_conf*)pthread_getspecific(vstr_conf_key);
+	conf = (Vstr_conf*)vstr_conf->get(vstr_conf);
 	if (!conf)
 	{
 		conf = create_vstr_conf();
-		pthread_setspecific(vstr_conf_key, conf);
+		vstr_conf->set(vstr_conf, conf);
 	}
 	return conf;
 }
@@ -331,16 +330,16 @@ static void add_handler(private_printf_hook_t *this, char spec,
 	printf_hook_handler_t *handler;
 	printf_hook_argtype_t argtype;
 	va_list args;
-	
+
 	if (!IS_VALID_SPEC(spec))
 	{
 		DBG1("'%c' is not a valid printf hook specifier, not registered!", spec);
 		return;
 	}
-	
+
 	handler = malloc_thing(printf_hook_handler_t);
 	handler->hook = hook;
-	
+
 	va_start(args, hook);
 	while ((argtype = va_arg(args, printf_hook_argtype_t)) != PRINTF_HOOK_ARGTYPE_END)
 	{
@@ -354,13 +353,18 @@ static void add_handler(private_printf_hook_t *this, char spec,
 		handler->argtypes[i] = argtype;
 	}
 	va_end(args);
-	
+
 	handler->numargs = i + 1;
-	
+
 	if (handler->numargs > 0)
 	{
-#if defined(HAVE_PRINTF_HOOKS) && !defined(USE_VSTR)
+#if !defined(USE_VSTR) && \
+	(defined(HAVE_PRINTF_FUNCTION) || defined(HAVE_PRINTF_SPECIFIER))
+#	ifdef HAVE_PRINTF_SPECIFIER
+		register_printf_specifier(spec, custom_print, custom_arginfo);
+#	else
 		register_printf_function(spec, custom_print, custom_arginfo);
+#	endif
 #else
 		Vstr_conf *conf = get_vstr_conf();
 		handler->name = malloc(2);
@@ -385,7 +389,7 @@ static void destroy(private_printf_hook_t *this)
 #ifdef USE_VSTR
 	Vstr_conf *conf = get_vstr_conf();
 #endif
-	
+
 	for (i = 0; i < NUM_HANDLERS; ++i)
 	{
 		printf_hook_handler_t *handler = printf_hooks[i];
@@ -398,10 +402,10 @@ static void destroy(private_printf_hook_t *this)
 			free(handler);
 		}
 	}
-	
+
 #ifdef USE_VSTR
 	/* freeing the Vstr_conf of the main thread */
-	pthread_key_delete(vstr_conf_key);
+	vstr_conf->destroy(vstr_conf);
 	vstr_free_conf(conf);
 	vstr_exit();
 #endif
@@ -414,12 +418,12 @@ static void destroy(private_printf_hook_t *this)
 printf_hook_t *printf_hook_create()
 {
 	private_printf_hook_t *this = malloc_thing(private_printf_hook_t);
-	
+
 	this->public.add_handler = (void(*)(printf_hook_t*, char, printf_hook_function_t, ...))add_handler;
 	this->public.destroy = (void(*)(printf_hook_t*))destroy;
-	
+
 	memset(printf_hooks, 0, sizeof(printf_hooks));
-	
+
 #ifdef USE_VSTR
 	if (!vstr_init())
 	{
@@ -427,8 +431,9 @@ printf_hook_t *printf_hook_create()
 		free(this);
 		return NULL;
 	}
+	vstr_conf = thread_value_create((thread_cleanup_t)vstr_free_conf);
 #endif
-	
+
 	return &this->public;
 }
 
diff --git a/src/libstrongswan/printf_hook.h b/src/libstrongswan/printf_hook.h
index 02c973580..ce7e10b24 100644
--- a/src/libstrongswan/printf_hook.h
+++ b/src/libstrongswan/printf_hook.h
@@ -26,7 +26,8 @@ typedef struct printf_hook_t printf_hook_t;
 typedef struct printf_hook_spec_t printf_hook_spec_t;
 typedef enum printf_hook_argtype_t printf_hook_argtype_t;
 
-#if defined(HAVE_PRINTF_HOOKS) && !defined(USE_VSTR)
+#if !defined(USE_VSTR) && \
+	(defined(HAVE_PRINTF_FUNCTION) || defined(HAVE_PRINTF_SPECIFIER))
 
 #include <stdio.h>
 #include <printf.h>
@@ -77,7 +78,7 @@ int vstr_wrapper_vsnprintf(char *str, size_t size, const char *format, va_list a
 
 /**
  * Callback function type for printf hooks.
- * 
+ *
  * @param dst		destination buffer
  * @param len		length of the buffer
  * @param spec		format specifier
@@ -111,12 +112,12 @@ struct printf_hook_spec_t {
 	 * TRUE if a '#' was used in the format specifier
 	 */
 	int hash;
-	
+
 	/**
 	 * TRUE if a '-' was used in the format specifier
 	 */
 	int minus;
-	
+
 	/**
 	 * The width as given in the format specifier.
 	 */
@@ -127,7 +128,7 @@ struct printf_hook_spec_t {
  * Printf handler management.
  */
 struct printf_hook_t {
-	
+
 	/**
 	 * Register a printf handler.
 	 *
@@ -137,11 +138,11 @@ struct printf_hook_t {
 	 */
 	void (*add_handler)(printf_hook_t *this, char spec,
 						printf_hook_function_t hook, ...);
-	
+
 	/**
-     * Destroy a printf_hook instance.
-     */
-    void (*destroy)(printf_hook_t *this);
+	 * Destroy a printf_hook instance.
+	 */
+	void (*destroy)(printf_hook_t *this);
 };
 
 /**
diff --git a/src/libstrongswan/selectors/traffic_selector.c b/src/libstrongswan/selectors/traffic_selector.c
new file mode 100644
index 000000000..68bbbe2fd
--- /dev/null
+++ b/src/libstrongswan/selectors/traffic_selector.c
@@ -0,0 +1,916 @@
+/*
+ * Copyright (C) 2007-2009 Tobias Brunner
+ * Copyright (C) 2005-2007 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <arpa/inet.h>
+#include <string.h>
+#include <netdb.h>
+#include <stdio.h>
+
+#include "traffic_selector.h"
+
+#include <utils/linked_list.h>
+#include <utils/identification.h>
+
+#define NON_SUBNET_ADDRESS_RANGE	255
+
+ENUM(ts_type_name, TS_IPV4_ADDR_RANGE, TS_IPV6_ADDR_RANGE,
+	"TS_IPV4_ADDR_RANGE",
+	"TS_IPV6_ADDR_RANGE",
+);
+
+typedef struct private_traffic_selector_t private_traffic_selector_t;
+
+/**
+ * Private data of an traffic_selector_t object
+ */
+struct private_traffic_selector_t {
+
+	/**
+	 * Public part
+	 */
+	traffic_selector_t public;
+
+	/**
+	 * Type of address
+	 */
+	ts_type_t type;
+
+	/**
+	 * IP protocol (UDP, TCP, ICMP, ...)
+	 */
+	u_int8_t protocol;
+
+	/**
+	 * narrow this traffic selector to hosts external ip
+	 * if set, from and to have no meaning until set_address() is called
+	 */
+	bool dynamic;
+
+	/**
+	 * subnet size in CIDR notation, 255 means a non-subnet address range 
+	 */
+	u_int8_t netbits;
+
+	/**
+	 * begin of address range, network order
+	 */
+	union {
+		/** dummy char for common address manipulation */
+		char from[0];
+		/** IPv4 address */
+		u_int32_t from4[1];
+		/** IPv6 address */
+		u_int32_t from6[4];
+	};
+
+	/**
+	 * end of address range, network order
+	 */
+	union {
+		/** dummy char for common address manipulation */
+		char to[0];
+		/** IPv4 address */
+		u_int32_t to4[1];
+		/** IPv6 address */
+		u_int32_t to6[4];
+	};
+
+	/**
+	 * begin of port range
+	 */
+	u_int16_t from_port;
+
+	/**
+	 * end of port range
+	 */
+	u_int16_t to_port;
+};
+
+/**
+ * calculate the "to"-address for the "from" address and a subnet size
+ */
+static void calc_range(private_traffic_selector_t *this, u_int8_t netbits)
+{
+	size_t len;
+	int bytes, bits;
+	u_int8_t mask;
+
+	this->netbits = netbits;
+
+	len   = (this->type == TS_IPV4_ADDR_RANGE) ? 4 : 16;
+	bytes = (netbits + 7)/8;
+	bits  = (bytes * 8) - netbits;
+	mask  = bits ? (1 << bits) - 1 : 0;
+
+	memcpy(this->to, this->from, bytes);
+	memset(this->from + bytes, 0x00, len - bytes);
+	memset(this->to   + bytes, 0xff, len - bytes);
+	this->from[bytes-1] &= ~mask;
+	this->to[bytes-1]   |=  mask;
+}
+
+/**
+ * calculate the subnet size from the "to" and "from" addresses
+ */
+static u_int8_t calc_netbits(private_traffic_selector_t *this)
+{
+	int byte, bit;
+	u_int8_t netbits; 
+	size_t size = (this->type == TS_IPV4_ADDR_RANGE) ? 4 : 16;
+	bool prefix = TRUE;
+	
+	/* a perfect match results in a single address with a /32 or /128 netmask */
+	netbits = (size * 8); 
+	this->netbits = netbits;
+
+	/* go through all bits of the addresses, beginning in the front.
+	 * as long as they are equal, the subnet gets larger
+	 */
+	for (byte = 0; byte < size; byte++)
+	{
+		for (bit = 7; bit >= 0; bit--)
+		{
+			u_int8_t bitmask = 1 << bit;
+
+			if (prefix)
+			{
+				if ((bitmask & this->from[byte]) != (bitmask & this->to[byte]))
+				{
+					/* store the common prefix which might be a true subnet */
+					netbits = (7 - bit) + (byte * 8);
+					this->netbits = netbits; 
+					prefix = FALSE;
+				}
+			}
+			else
+			{
+				if ((bitmask & this->from[byte]) || !(bitmask & this->to[byte]))
+				{
+					this->netbits = NON_SUBNET_ADDRESS_RANGE;
+					return netbits;  /* return a pseudo subnet */
+
+				}
+			}					
+		}
+	}
+	return netbits;  /* return a true subnet */
+}
+
+/**
+ * internal generic constructor
+ */
+static private_traffic_selector_t *traffic_selector_create(u_int8_t protocol, ts_type_t type, u_int16_t from_port, u_int16_t to_port);
+
+/**
+ * Described in header.
+ */
+int traffic_selector_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
+								 const void *const *args)
+{
+	private_traffic_selector_t *this = *((private_traffic_selector_t**)(args[0]));
+	linked_list_t *list = *((linked_list_t**)(args[0]));
+	iterator_t *iterator;
+	char from_str[INET6_ADDRSTRLEN] = "";
+	char to_str[INET6_ADDRSTRLEN] = "";
+	char *serv_proto = NULL;
+	bool has_proto;
+	bool has_ports;
+	size_t written = 0;
+	u_int32_t from[4], to[4];
+
+	if (this == NULL)
+	{
+		return print_in_hook(dst, len, "(null)");
+	}
+
+	if (spec->hash)
+	{
+		iterator = list->create_iterator(list, TRUE);
+		while (iterator->iterate(iterator, (void**)&this))
+		{
+			/* call recursivly */
+			written += print_in_hook(dst, len, "%R ", this);
+		}
+		iterator->destroy(iterator);
+		return written;
+	}
+
+	memset(from, 0, sizeof(from));
+	memset(to, 0xFF, sizeof(to));
+	if (this->dynamic &&
+		memeq(this->from, from, this->type == TS_IPV4_ADDR_RANGE ? 4 : 16) &&
+		memeq(this->to, to, this->type == TS_IPV4_ADDR_RANGE ? 4 : 16))
+	{
+		written += print_in_hook(dst, len, "dynamic");
+	}
+	else
+	{
+		if (this->type == TS_IPV4_ADDR_RANGE)
+		{
+			inet_ntop(AF_INET, &this->from4, from_str, sizeof(from_str));
+		}
+		else
+		{
+			inet_ntop(AF_INET6, &this->from6, from_str, sizeof(from_str));
+		}
+		if (this->netbits == NON_SUBNET_ADDRESS_RANGE)
+		{
+			if (this->type == TS_IPV4_ADDR_RANGE)
+			{
+				inet_ntop(AF_INET, &this->to4, to_str, sizeof(to_str));
+			}
+			else
+			{
+				inet_ntop(AF_INET6, &this->to6, to_str, sizeof(to_str));
+			}
+			written += print_in_hook(dst, len, "%s..%s", from_str, to_str);
+		}
+		else
+		{
+			written += print_in_hook(dst, len, "%s/%d", from_str, this->netbits);
+		}
+	}
+
+	/* check if we have protocol and/or port selectors */
+	has_proto = this->protocol != 0;
+	has_ports = !(this->from_port == 0 && this->to_port == 0xFFFF);
+
+	if (!has_proto && !has_ports)
+	{
+		return written;
+	}
+
+	written += print_in_hook(dst, len, "[");
+
+	/* build protocol string */
+	if (has_proto)
+	{
+		struct protoent *proto = getprotobynumber(this->protocol);
+
+		if (proto)
+		{
+			written += print_in_hook(dst, len, "%s", proto->p_name);
+			serv_proto = proto->p_name;
+		}
+		else
+		{
+			written += print_in_hook(dst, len, "%d", this->protocol);
+		}
+	}
+
+	if (has_proto && has_ports)
+	{
+		written += print_in_hook(dst, len, "/");
+	}
+
+	/* build port string */
+	if (has_ports)
+	{
+		if (this->from_port == this->to_port)
+		{
+			struct servent *serv = getservbyport(htons(this->from_port), serv_proto);
+
+			if (serv)
+			{
+				written += print_in_hook(dst, len, "%s", serv->s_name);
+			}
+			else
+			{
+				written += print_in_hook(dst, len, "%d", this->from_port);
+			}
+		}
+		else
+		{
+			written += print_in_hook(dst, len, "%d-%d", this->from_port, this->to_port);
+		}
+	}
+
+	written += print_in_hook(dst, len, "]");
+
+	return written;
+}
+
+/**
+ * implements traffic_selector_t.get_subset
+ */
+static traffic_selector_t *get_subset(private_traffic_selector_t *this, private_traffic_selector_t *other)
+{
+	if (this->type == other->type && (this->protocol == other->protocol ||
+								this->protocol == 0 || other->protocol == 0))
+	{
+		u_int16_t from_port, to_port;
+		u_char *from, *to;
+		u_int8_t protocol;
+		size_t size;
+		private_traffic_selector_t *new_ts;
+
+		/* calculate the maximum port range allowed for both */
+		from_port = max(this->from_port, other->from_port);
+		to_port = min(this->to_port, other->to_port);
+		if (from_port > to_port)
+		{
+			return NULL;
+		}
+		/* select protocol, which is not zero */
+		protocol = max(this->protocol, other->protocol);
+
+		switch (this->type)
+		{
+			case TS_IPV4_ADDR_RANGE:
+				size = sizeof(this->from4);
+				break;
+			case TS_IPV6_ADDR_RANGE:
+				size = sizeof(this->from6);
+				break;
+			default:
+				return NULL;
+		}
+
+		/* get higher from-address */
+		if (memcmp(this->from, other->from, size) > 0)
+		{
+			from = this->from;
+		}
+		else
+		{
+			from = other->from;
+		}
+		/* get lower to-address */
+		if (memcmp(this->to, other->to, size) > 0)
+		{
+			to = other->to;
+		}
+		else
+		{
+			to = this->to;
+		}
+		/* if "from" > "to", we don't have a match */
+		if (memcmp(from, to, size) > 0)
+		{
+			return NULL;
+		}
+
+		/* we have a match in protocol, port, and address: return it... */
+		new_ts = traffic_selector_create(protocol, this->type, from_port, to_port);
+		new_ts->dynamic = this->dynamic || other->dynamic;
+		memcpy(new_ts->from, from, size);
+		memcpy(new_ts->to, to, size);
+		calc_netbits(new_ts);
+		return &new_ts->public;
+	}
+	return NULL;
+}
+
+/**
+ * implements traffic_selector_t.equals
+ */
+static bool equals(private_traffic_selector_t *this, private_traffic_selector_t *other)
+{
+	if (this->type != other->type)
+	{
+		return FALSE;
+	}
+	if (!(this->from_port == other->from_port &&
+		  this->to_port == other->to_port &&
+		  this->protocol == other->protocol))
+	{
+		return FALSE;
+	}
+	switch (this->type)
+	{
+		case TS_IPV4_ADDR_RANGE:
+			if (memeq(this->from4, other->from4, sizeof(this->from4)))
+			{
+				return TRUE;
+			}
+			break;
+		case TS_IPV6_ADDR_RANGE:
+			if (memeq(this->from6, other->from6, sizeof(this->from6)))
+			{
+				return TRUE;
+			}
+			break;
+		default:
+			break;
+	}
+	return FALSE;
+}
+
+/**
+ * Implements traffic_selector_t.get_from_address.
+ */
+static chunk_t get_from_address(private_traffic_selector_t *this)
+{
+	switch (this->type)
+	{
+		case TS_IPV4_ADDR_RANGE:
+			return chunk_create(this->from, sizeof(this->from4));
+		case TS_IPV6_ADDR_RANGE:
+			return chunk_create(this->from, sizeof(this->from6));
+		default:
+			return chunk_empty;
+	}
+}
+
+/**
+ * Implements traffic_selector_t.get_to_address.
+ */
+static chunk_t get_to_address(private_traffic_selector_t *this)
+{
+	switch (this->type)
+	{
+		case TS_IPV4_ADDR_RANGE:
+			return chunk_create(this->to, sizeof(this->to4));
+		case TS_IPV6_ADDR_RANGE:
+			return chunk_create(this->to, sizeof(this->to6));
+		default:
+			return chunk_empty;
+	}
+}
+
+/**
+ * Implements traffic_selector_t.get_from_port.
+ */
+static u_int16_t get_from_port(private_traffic_selector_t *this)
+{
+	return this->from_port;
+}
+
+/**
+ * Implements traffic_selector_t.get_to_port.
+ */
+static u_int16_t get_to_port(private_traffic_selector_t *this)
+{
+	return this->to_port;
+}
+
+/**
+ * Implements traffic_selector_t.get_type.
+ */
+static ts_type_t get_type(private_traffic_selector_t *this)
+{
+	return this->type;
+}
+
+/**
+ * Implements traffic_selector_t.get_protocol.
+ */
+static u_int8_t get_protocol(private_traffic_selector_t *this)
+{
+	return this->protocol;
+}
+
+/**
+ * Implements traffic_selector_t.is_host.
+ */
+static bool is_host(private_traffic_selector_t *this, host_t *host)
+{
+	if (host)
+	{
+		chunk_t addr;
+		int family = host->get_family(host);
+
+		if ((family == AF_INET && this->type == TS_IPV4_ADDR_RANGE) ||
+			(family == AF_INET6 && this->type == TS_IPV6_ADDR_RANGE))
+		{
+			addr = host->get_address(host);
+			if (memeq(addr.ptr, this->from, addr.len) &&
+				memeq(addr.ptr, this->to, addr.len))
+			{
+				return TRUE;
+			}
+		}
+	}
+	else
+	{
+		size_t length = (this->type == TS_IPV4_ADDR_RANGE) ? 4 : 16;
+
+		if (this->dynamic)
+		{
+			return TRUE;
+		}
+
+		if (memeq(this->from, this->to, length))
+		{
+			return TRUE;
+		}
+	}
+	return FALSE;
+}
+
+/**
+ * Implementation of traffic_selector_t.is_dynamic
+ */
+static bool is_dynamic(private_traffic_selector_t *this)
+{
+	return this->dynamic;
+}
+
+/**
+ * Implements traffic_selector_t.set_address.
+ */
+static void set_address(private_traffic_selector_t *this, host_t *host)
+{
+	if (this->dynamic)
+	{
+		this->type = host->get_family(host) == AF_INET ?
+				TS_IPV4_ADDR_RANGE : TS_IPV6_ADDR_RANGE;
+
+		if (host->is_anyaddr(host))
+		{
+			memset(this->from6, 0x00, sizeof(this->from6));
+			memset(this->to6, 0xFF, sizeof(this->to6));
+			this->netbits = 0;
+		}
+		else
+		{
+			chunk_t from = host->get_address(host);
+			memcpy(this->from, from.ptr, from.len);
+			memcpy(this->to, from.ptr, from.len);
+			this->netbits = from.len * 8;
+		}
+	}
+}
+
+/**
+ * Implements traffic_selector_t.is_contained_in.
+ */
+static bool is_contained_in(private_traffic_selector_t *this,
+							private_traffic_selector_t *other)
+{
+	private_traffic_selector_t *subset;
+	bool contained_in = FALSE;
+
+	subset = (private_traffic_selector_t*)get_subset(this, other);
+
+	if (subset)
+	{
+		if (equals(subset, this))
+		{
+			contained_in = TRUE;
+		}
+		free(subset);
+	}
+	return contained_in;
+}
+
+/**
+ * Implements traffic_selector_t.includes.
+ */
+static bool includes(private_traffic_selector_t *this, host_t *host)
+{
+	chunk_t addr;
+	int family = host->get_family(host);
+
+	if ((family == AF_INET && this->type == TS_IPV4_ADDR_RANGE) ||
+		(family == AF_INET6 && this->type == TS_IPV6_ADDR_RANGE))
+	{
+		addr = host->get_address(host);
+
+		return memcmp(this->from, addr.ptr, addr.len) <= 0 &&
+				memcmp(this->to, addr.ptr, addr.len) >= 0;
+	}
+
+	return FALSE;
+}
+
+/**
+ * Implements traffic_selector_t.to_subnet.
+ */
+static void to_subnet(private_traffic_selector_t *this, host_t **net, u_int8_t *mask)
+{
+	/* there is no way to do this cleanly, as the address range may
+	 * be anything else but a subnet. We use from_addr as subnet
+	 * and try to calculate a usable subnet mask.
+	 */
+	int family, byte;
+	u_int16_t port = 0;
+	chunk_t net_chunk;
+
+	*mask = (this->netbits == NON_SUBNET_ADDRESS_RANGE) ? calc_netbits(this)
+														: this->netbits;
+
+	switch (this->type)
+	{
+		case TS_IPV4_ADDR_RANGE:
+			family = AF_INET;
+			net_chunk.len = sizeof(this->from4);
+			break;
+		case TS_IPV6_ADDR_RANGE:
+			family = AF_INET6;
+			net_chunk.len = sizeof(this->from6);
+			break;
+		default:
+			/* unreachable */
+			return;
+	}
+
+	net_chunk.ptr = malloc(net_chunk.len);
+	memcpy(net_chunk.ptr, this->from, net_chunk.len);
+
+	for (byte = net_chunk.len - 1; byte >= (*mask / 8); --byte)
+	{
+		int shift = (byte + 1) * 8 - *mask;
+		net_chunk.ptr[byte] = net_chunk.ptr[byte] & (0xFF << shift);
+	}
+
+	if (this->to_port == this->from_port)
+	{
+		port = this->to_port;
+	}
+
+	*net = host_create_from_chunk(family, net_chunk, port);
+	chunk_free(&net_chunk);
+}
+
+/**
+ * Implements traffic_selector_t.clone.
+ */
+static traffic_selector_t *clone_(private_traffic_selector_t *this)
+{
+	private_traffic_selector_t *clone;
+
+	clone = traffic_selector_create(this->protocol, this->type,
+									this->from_port, this->to_port);
+	clone->netbits = this->netbits;
+	clone->dynamic = this->dynamic;
+
+	switch (clone->type)
+	{
+		case TS_IPV4_ADDR_RANGE:
+			memcpy(clone->from4, this->from4, sizeof(this->from4));
+			memcpy(clone->to4, this->to4, sizeof(this->to4));
+			return &clone->public;
+		case TS_IPV6_ADDR_RANGE:
+			memcpy(clone->from6, this->from6, sizeof(this->from6));
+			memcpy(clone->to6, this->to6, sizeof(this->to6));
+			return &clone->public;
+		default:
+			/* unreachable */
+			return &clone->public;
+	}
+}
+
+/**
+ * Implements traffic_selector_t.destroy.
+ */
+static void destroy(private_traffic_selector_t *this)
+{
+	free(this);
+}
+
+/*
+ * see header
+ */
+traffic_selector_t *traffic_selector_create_from_bytes(u_int8_t protocol,
+												ts_type_t type,
+												chunk_t from, u_int16_t from_port,
+												chunk_t to, u_int16_t to_port)
+{
+	private_traffic_selector_t *this = traffic_selector_create(protocol, type,
+															from_port, to_port);
+
+	switch (type)
+	{
+		case TS_IPV4_ADDR_RANGE:
+			if (from.len != 4 || to.len != 4)
+			{
+				free(this);
+				return NULL;
+			}
+			memcpy(this->from4, from.ptr, from.len);
+			memcpy(this->to4, to.ptr, to.len);
+			break;
+		case TS_IPV6_ADDR_RANGE:
+			if (from.len != 16 || to.len != 16)
+			{
+				free(this);
+				return NULL;
+			}
+			memcpy(this->from6, from.ptr, from.len);
+			memcpy(this->to6, to.ptr, to.len);
+			break;
+		default:
+			free(this);
+			return NULL;
+	}
+	calc_netbits(this);
+	return (&this->public);
+}
+
+/*
+ * see header
+ */
+traffic_selector_t *traffic_selector_create_from_rfc3779_format(ts_type_t type,
+												chunk_t from, chunk_t to)
+{
+	size_t len;
+	private_traffic_selector_t *this = traffic_selector_create(0, type, 0, 65535);
+
+	switch (type)
+	{
+		case TS_IPV4_ADDR_RANGE:
+			len = 4;
+			break;
+		case TS_IPV6_ADDR_RANGE:
+			len = 16;
+			break;
+		default:
+			free(this);
+			return NULL;
+	}
+	memset(this->from, 0x00, len);
+	memset(this->to  , 0xff, len);
+
+	if (from.len > 1)
+	{
+		memcpy(this->from, from.ptr+1, from.len-1);
+	}
+	if (to.len > 1)
+	{
+		u_int8_t mask = to.ptr[0] ? (1 << to.ptr[0]) - 1 : 0;
+
+		memcpy(this->to, to.ptr+1, to.len-1);
+		this->to[to.len-2] |= mask;
+	}
+	this->netbits = chunk_equals(from, to) ? (from.len-1)*8 - from.ptr[0]
+										   : NON_SUBNET_ADDRESS_RANGE;
+	return (&this->public);
+}
+
+/*
+ * see header
+ */
+traffic_selector_t *traffic_selector_create_from_subnet(host_t *net,
+							u_int8_t netbits, u_int8_t protocol, u_int16_t port)
+{
+	private_traffic_selector_t *this = traffic_selector_create(protocol, 0, 0, 65535);
+
+	switch (net->get_family(net))
+	{
+		case AF_INET:
+		{
+			chunk_t from;
+
+			this->type = TS_IPV4_ADDR_RANGE;
+			from = net->get_address(net);
+			memcpy(this->from, from.ptr, from.len);
+			if (this->from4[0] == 0)
+			{
+				/* use /0 for 0.0.0.0 */
+				this->to4[0] = ~0;
+				this->netbits = 0;
+			}
+			else
+			{
+				calc_range(this, netbits);
+			}
+			break;
+		}
+		case AF_INET6:
+		{
+			chunk_t from;
+
+			this->type = TS_IPV6_ADDR_RANGE;
+			from = net->get_address(net);
+			memcpy(this->from, from.ptr, from.len);
+			if (this->from6[0] == 0 && this->from6[1] == 0 &&
+				this->from6[2] == 0 && this->from6[3] == 0)
+			{
+				/* use /0 for ::0 */
+				this->to6[0] = ~0;
+				this->to6[1] = ~0;
+				this->to6[2] = ~0;
+				this->to6[3] = ~0;
+				this->netbits = 0;
+			}
+			else
+			{
+				calc_range(this, netbits);
+			}
+			break;
+		}
+		default:
+		{
+			net->destroy(net);
+			free(this);
+			return NULL;
+		}
+	}
+	if (port)
+	{
+		this->from_port = port;
+		this->to_port = port;
+	}
+	net->destroy(net);
+	return (&this->public);
+}
+
+/*
+ * see header
+ */
+traffic_selector_t *traffic_selector_create_from_string(
+										u_int8_t protocol, ts_type_t type,
+										char *from_addr, u_int16_t from_port,
+										char *to_addr, u_int16_t to_port)
+{
+	private_traffic_selector_t *this = traffic_selector_create(protocol, type,
+															from_port, to_port);
+
+	switch (type)
+	{
+		case TS_IPV4_ADDR_RANGE:
+			if (inet_pton(AF_INET, from_addr, (struct in_addr*)this->from4) < 0)
+			{
+				free(this);
+				return NULL;
+			}
+			if (inet_pton(AF_INET, to_addr, (struct in_addr*)this->to4) < 0)
+			{
+				free(this);
+				return NULL;
+			}
+			break;
+		case TS_IPV6_ADDR_RANGE:
+			if (inet_pton(AF_INET6, from_addr, (struct in6_addr*)this->from6) < 0)
+			{
+				free(this);
+				return NULL;
+			}
+			if (inet_pton(AF_INET6, to_addr, (struct in6_addr*)this->to6) < 0)
+			{
+				free(this);
+				return NULL;
+			}
+			break;
+	}
+	calc_netbits(this);
+	return (&this->public);
+}
+
+/*
+ * see header
+ */
+traffic_selector_t *traffic_selector_create_dynamic(u_int8_t protocol,
+									u_int16_t from_port, u_int16_t to_port)
+{
+	private_traffic_selector_t *this = traffic_selector_create(
+							protocol, TS_IPV4_ADDR_RANGE, from_port, to_port);
+
+	memset(this->from6, 0, sizeof(this->from6));
+	memset(this->to6, 0xFF, sizeof(this->to6));
+	this->netbits = 0;
+	this->dynamic = TRUE;
+
+	return &this->public;
+}
+
+/*
+ * see declaration
+ */
+static private_traffic_selector_t *traffic_selector_create(u_int8_t protocol,
+						ts_type_t type, u_int16_t from_port, u_int16_t to_port)
+{
+	private_traffic_selector_t *this = malloc_thing(private_traffic_selector_t);
+
+	/* public functions */
+	this->public.get_subset = (traffic_selector_t*(*)(traffic_selector_t*,traffic_selector_t*))get_subset;
+	this->public.equals = (bool(*)(traffic_selector_t*,traffic_selector_t*))equals;
+	this->public.get_from_address = (chunk_t(*)(traffic_selector_t*))get_from_address;
+	this->public.get_to_address = (chunk_t(*)(traffic_selector_t*))get_to_address;
+	this->public.get_from_port = (u_int16_t(*)(traffic_selector_t*))get_from_port;
+	this->public.get_to_port = (u_int16_t(*)(traffic_selector_t*))get_to_port;
+	this->public.get_type = (ts_type_t(*)(traffic_selector_t*))get_type;
+	this->public.get_protocol = (u_int8_t(*)(traffic_selector_t*))get_protocol;
+	this->public.is_host = (bool(*)(traffic_selector_t*,host_t*))is_host;
+	this->public.is_dynamic = (bool(*)(traffic_selector_t*))is_dynamic;
+	this->public.is_contained_in = (bool(*)(traffic_selector_t*,traffic_selector_t*))is_contained_in;
+	this->public.includes = (bool(*)(traffic_selector_t*,host_t*))includes;
+	this->public.set_address = (void(*)(traffic_selector_t*,host_t*))set_address;
+	this->public.to_subnet = (void(*)(traffic_selector_t*,host_t**,u_int8_t*))to_subnet;
+	this->public.clone = (traffic_selector_t*(*)(traffic_selector_t*))clone_;
+	this->public.destroy = (void(*)(traffic_selector_t*))destroy;
+
+	this->from_port = from_port;
+	this->to_port = to_port;
+	this->protocol = protocol;
+	this->type = type;
+	this->dynamic = FALSE;
+
+	return this;
+}
+
diff --git a/src/libstrongswan/selectors/traffic_selector.h b/src/libstrongswan/selectors/traffic_selector.h
new file mode 100644
index 000000000..b5964b541
--- /dev/null
+++ b/src/libstrongswan/selectors/traffic_selector.h
@@ -0,0 +1,315 @@
+/*
+ * Copyright (C) 2007 Tobias Brunner
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup traffic_selector traffic_selector
+ * @{ @ingroup config
+ */
+
+#ifndef TRAFFIC_SELECTOR_H_
+#define TRAFFIC_SELECTOR_H_
+
+typedef enum ts_type_t ts_type_t;
+typedef struct traffic_selector_t traffic_selector_t;
+
+#include <library.h>
+#include <utils/host.h>
+
+/**
+ * Traffic selector types.
+ */
+enum ts_type_t {
+
+	/**
+	 * A range of IPv4 addresses, represented by two four (4) octet
+	 * values.  The first value is the beginning IPv4 address
+	 * (inclusive) and the second value is the ending IPv4 address
+	 * (inclusive). All addresses falling between the two specified
+	 * addresses are considered to be within the list.
+	 */
+	TS_IPV4_ADDR_RANGE = 7,
+
+	/**
+	 * A range of IPv6 addresses, represented by two sixteen (16)
+	 * octet values.  The first value is the beginning IPv6 address
+	 * (inclusive) and the second value is the ending IPv6 address
+	 * (inclusive). All addresses falling between the two specified
+	 *  addresses are considered to be within the list.
+	 */
+	TS_IPV6_ADDR_RANGE = 8
+};
+
+/**
+ * enum names for ts_type_t
+ */
+extern enum_name_t *ts_type_name;
+
+/**
+ * Object representing a traffic selector entry.
+ *
+ * A traffic selector defines an range of addresses
+ * and a range of ports. IPv6 is not fully supported yet.
+ */
+struct traffic_selector_t {
+
+	/**
+	 * Compare two traffic selectors, and create a new one
+	 * which is the largest subset of both (subnet & port).
+	 *
+	 * Resulting traffic_selector is newly created and must be destroyed.
+	 *
+	 * @param other		traffic selector to compare
+	 * @return
+	 * 					- created subset of them
+	 * 					- or NULL if no match between this and other
+	 */
+	traffic_selector_t *(*get_subset)  (traffic_selector_t *this,
+										traffic_selector_t *other);
+
+	/**
+	 * Clone a traffic selector.
+	 *
+	 * @return			clone of it
+	 */
+	traffic_selector_t *(*clone) (traffic_selector_t *this);
+
+	/**
+	 * Get starting address of this ts as a chunk.
+	 *
+	 * Chunk is in network order and points to internal data.
+	 *
+	 * @return			chunk containing the address
+	 */
+	chunk_t (*get_from_address) (traffic_selector_t *this);
+
+	/**
+	 * Get ending address of this ts as a chunk.
+	 *
+	 * Chunk is in network order and points to internal data.
+	 *
+	 * @return			chunk containing the address
+	 */
+	chunk_t (*get_to_address) (traffic_selector_t *this);
+
+	/**
+	 * Get starting port of this ts.
+	 *
+	 * Port is in host order, since the parser converts it.
+	 * Size depends on protocol.
+	 *
+	 * @return			port
+	 */
+	u_int16_t (*get_from_port) (traffic_selector_t *this);
+
+	/**
+	 * Get ending port of this ts.
+	 *
+	 * Port is in host order, since the parser converts it.
+	 * Size depends on protocol.
+	 *
+	 * @return			port
+	 */
+	u_int16_t (*get_to_port) (traffic_selector_t *this);
+
+	/**
+	 * Get the type of the traffic selector.
+	 *
+	 * @return			ts_type_t specifying the type
+	 */
+	ts_type_t (*get_type) (traffic_selector_t *this);
+
+	/**
+	 * Get the protocol id of this ts.
+	 *
+	 * @return			protocol id
+	 */
+	u_int8_t (*get_protocol) (traffic_selector_t *this);
+
+	/**
+	 * Check if the traffic selector is for a single host.
+	 *
+	 * Traffic selector may describe the end of *-to-host tunnel. In this
+	 * case, the address range is a single address equal to the hosts
+	 * peer address.
+	 * If host is NULL, the traffic selector is checked if it is a single host,
+	 * but not a specific one.
+	 *
+	 * @param host		host_t specifying the address range
+	 */
+	bool (*is_host) (traffic_selector_t *this, host_t* host);
+
+	/**
+	 * Check if a traffic selector has been created by create_dynamic().
+	 *
+	 * @return			TRUE if TS is dynamic
+	 */
+	bool (*is_dynamic)(traffic_selector_t *this);
+
+	/**
+	 * Update the address of a traffic selector.
+	 *
+	 * Update the address range of a traffic selector, if it is
+	 * constructed with the traffic_selector_create_dynamic().
+	 *
+	 * @param host		host_t specifying the address
+	 */
+	void (*set_address) (traffic_selector_t *this, host_t* host);
+
+	/**
+	 * Compare two traffic selectors for equality.
+	 *
+	 * @param other		ts to compare with this
+	 * @return 			TRUE if equal, FALSE otherwise
+	 */
+	bool (*equals) (traffic_selector_t *this, traffic_selector_t *other);
+
+	/**
+	 * Check if a traffic selector is contained completly in another.
+	 *
+	 * contains() allows to check if multiple traffic selectors are redundant.
+	 *
+	 * @param other		ts that contains this
+	 * @return			TRUE if other contains this completly, FALSE otherwise
+	 */
+	bool (*is_contained_in) (traffic_selector_t *this, traffic_selector_t *other);
+
+	/**
+	 * Check if a specific host is included in the address range of
+	 * this traffic selector.
+	 *
+	 * @param host		the host to check
+	 */
+	bool (*includes) (traffic_selector_t *this, host_t *host);
+
+	/**
+	 * Convert a traffic selector address range to a subnet
+	 * and its net mask.
+	 * If from and to ports of this traffic selector are equal,
+	 * the port of the returned host_t is set to that port.
+	 *
+	 * @param net		converted subnet (has to be freed)
+	 * @param mask		converted net mask
+	 */
+	void (*to_subnet) (traffic_selector_t *this, host_t **net, u_int8_t *mask);
+
+	/**
+	 * Destroys the ts object
+	 */
+	void (*destroy) (traffic_selector_t *this);
+};
+
+/**
+ * Create a new traffic selector using human readable params.
+ *
+ * @param protocol 		protocol for this ts, such as TCP or UDP
+ * @param type			type of following addresses, such as TS_IPV4_ADDR_RANGE
+ * @param from_addr		start of address range as string
+ * @param from_port		port number in host order
+ * @param to_addr		end of address range as string
+ * @param to_port		port number in host order
+ * @return
+ * 						- traffic_selector_t object
+ * 						- NULL if invalid address strings/protocol
+ */
+traffic_selector_t *traffic_selector_create_from_string(
+									u_int8_t protocol, ts_type_t type,
+									char *from_addr, u_int16_t from_port,
+									char *to_addr, u_int16_t to_port);
+
+/**
+ * Create a new traffic selector using data read from the net.
+ *
+ * There exists a mix of network and host order in the params.
+ * But the parser gives us this data in this format, so we
+ * don't have to convert twice.
+ *
+ * @param protocol 		protocol for this ts, such as TCP or UDP
+ * @param type			type of following addresses, such as TS_IPV4_ADDR_RANGE
+ * @param from_addr		start of address range, network order
+ * @param from_port		port number, host order
+ * @param to_addr		end of address range, network order
+ * @param to_port		port number, host order
+ * @return				traffic_selector_t object
+ */
+traffic_selector_t *traffic_selector_create_from_bytes(
+								u_int8_t protocol, ts_type_t type,
+								chunk_t from_address, u_int16_t from_port,
+								chunk_t to_address, u_int16_t to_port);
+
+/**
+ * Create a new traffic selector using the RFC 3779 ASN.1 min/max address format
+ *
+ * @param type			type of following addresses, such as TS_IPV4_ADDR_RANGE
+ * @param from_addr		start of address range in RFC 3779 ASN.1 BIT STRING format
+ * @param to_addr		end of address range in RFC 3779 ASN.1 BIT STRING format
+ * @return				traffic_selector_t object
+ */
+traffic_selector_t *traffic_selector_create_from_rfc3779_format(ts_type_t type,
+								chunk_t from_addr, chunk_t to_addr);
+
+/**
+ * Create a new traffic selector defining a whole subnet.
+ *
+ * In most cases, definition of a traffic selector for full subnets
+ * is sufficient. This constructor creates a traffic selector for
+ * all protocols, all ports and the address range specified by the
+ * subnet.
+ * Additionally, a protocol and a port may be specified. Port ranges
+ * are not supported via this constructor.
+ *
+ * @param net			subnet to use
+ * @param netbits		size of the subnet, as used in e.g. 192.168.0.0/24 notation
+ * @param protocol 		protocol for this ts, such as TCP or UDP
+ * @param port			port number, host order
+ * @return
+ * 						- traffic_selector_t object
+ * 						- NULL if address family of net not supported
+ */
+traffic_selector_t *traffic_selector_create_from_subnet(
+									host_t *net, u_int8_t netbits,
+									u_int8_t protocol, u_int16_t port);
+
+/**
+ * Create a traffic selector for host-to-host cases.
+ *
+ * For host2host or virtual IP setups, the traffic selectors gets
+ * created at runtime using the external/virtual IP. Using this constructor,
+ * a call to set_address() sets this traffic selector to the supplied host.
+ *
+ *
+ * @param protocol		upper layer protocl to allow
+ * @param from_port		start of allowed port range
+ * @param to_port		end of range
+ * @return
+ * 						- traffic_selector_t object
+ * 						- NULL if type not supported
+ */
+traffic_selector_t *traffic_selector_create_dynamic(u_int8_t protocol,
+									u_int16_t from_port, u_int16_t to_port);
+
+/**
+ * printf hook function for traffic_selector_t.
+ *
+ * Arguments are:
+ *	traffic_selector_t *ts
+ * With the #-specifier, arguments are:
+ *	linked_list_t *list containing traffic_selector_t*
+ */
+int traffic_selector_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
+								 const void *const *args);
+
+#endif /** TRAFFIC_SELECTOR_H_ @}*/
diff --git a/src/libstrongswan/settings.c b/src/libstrongswan/settings.c
index 64ac09299..4a822bcbf 100644
--- a/src/libstrongswan/settings.c
+++ b/src/libstrongswan/settings.c
@@ -38,12 +38,12 @@ struct private_settings_t {
 	 * public functions
 	 */
 	settings_t public;
-	
+
 	/**
 	 * top level section
 	 */
 	section_t *top;
-	
+
 	/**
 	 * allocated file text
 	 */
@@ -64,7 +64,7 @@ struct section_t {
 	 * subsections, as section_t
 	 */
 	linked_list_t *sections;
-	
+
 	/**
 	 * key value pairs, as kv_t
 	 */
@@ -77,10 +77,10 @@ struct section_t {
 struct kv_t {
 
 	/**
- 	 * key string, relative
- 	 */
+	 * key string, relative
+	 */
 	char *key;
-	
+
 	/**
 	 * value as string
 	 */
@@ -95,7 +95,7 @@ static section_t *find_section(section_t *section, char *key, va_list args)
 	char name[512], *pos;
 	enumerator_t *enumerator;
 	section_t *current, *found = NULL;
-	
+
 	if (section == NULL)
 	{
 		return NULL;
@@ -104,7 +104,7 @@ static section_t *find_section(section_t *section, char *key, va_list args)
 	{
 		return NULL;
 	}
-	
+
 	pos = strchr(name, '.');
 	if (pos)
 	{
@@ -134,17 +134,17 @@ static char *find_value(section_t *section, char *key, va_list args)
 	enumerator_t *enumerator;
 	kv_t *kv;
 	section_t *current, *found = NULL;
-	
+
 	if (section == NULL)
 	{
 		return NULL;
 	}
-	
+
 	if (vsnprintf(name, sizeof(name), key, args) >= sizeof(name))
 	{
 		return NULL;
 	}
-	
+
 	pos = strchr(name, '.');
 	if (pos)
 	{
@@ -188,7 +188,7 @@ static char* get_str(private_settings_t *this, char *key, char *def, ...)
 {
 	char *value;
 	va_list args;
-	
+
 	va_start(args, def);
 	value = find_value(this->top, key, args);
 	va_end(args);
@@ -206,7 +206,7 @@ static bool get_bool(private_settings_t *this, char *key, bool def, ...)
 {
 	char *value;
 	va_list args;
-	
+
 	va_start(args, def);
 	value = find_value(this->top, key, args);
 	va_end(args);
@@ -238,7 +238,7 @@ static int get_int(private_settings_t *this, char *key, int def, ...)
 	char *value;
 	int intval;
 	va_list args;
-	
+
 	va_start(args, def);
 	value = find_value(this->top, key, args);
 	va_end(args);
@@ -254,6 +254,30 @@ static int get_int(private_settings_t *this, char *key, int def, ...)
 	return def;
 }
 
+/**
+ * Implementation of settings_t.get_double.
+ */
+static double get_double(private_settings_t *this, char *key, double def, ...)
+{
+	char *value;
+	double dval;
+	va_list args;
+
+	va_start(args, def);
+	value = find_value(this->top, key, args);
+	va_end(args);
+	if (value)
+	{
+		errno = 0;
+		dval = strtod(value, NULL);
+		if (errno == 0)
+		{
+			return dval;
+		}
+	}
+	return def;
+}
+
 /**
  * Implementation of settings_t.get_time.
  */
@@ -262,7 +286,7 @@ static u_int32_t get_time(private_settings_t *this, char *key, u_int32_t def, ..
 	char *value, *endptr;
 	u_int32_t timeval;
 	va_list args;
-	
+
 	va_start(args, def);
 	value = find_value(this->top, key, args);
 	va_end(args);
@@ -310,13 +334,13 @@ static enumerator_t* create_section_enumerator(private_settings_t *this,
 {
 	section_t *section;
 	va_list args;
-	
+
 	va_start(args, key);
 	section = find_section(this->top, key, args);
 	va_end(args);
-	
+
 	if (!section)
-	{	
+	{
 		return enumerator_create_empty();
 	}
 	return enumerator_create_filter(
@@ -324,6 +348,39 @@ static enumerator_t* create_section_enumerator(private_settings_t *this,
 					(void*)section_filter, NULL, NULL);
 }
 
+/**
+ * Enumerate key and values, not kv_t entries
+ */
+static bool kv_filter(void *null, kv_t **in, char **key,
+					  void *none, char **value)
+{
+	*key = (*in)->key;
+	*value = (*in)->value;
+	return TRUE;
+}
+
+/**
+ * Implementation of settings_t.create_key_value_enumerator
+ */
+static enumerator_t* create_key_value_enumerator(private_settings_t *this,
+												 char *key, ...)
+{
+	section_t *section;
+	va_list args;
+
+	va_start(args, key);
+	section = find_section(this->top, key, args);
+	va_end(args);
+
+	if (!section)
+	{
+		return enumerator_create_empty();
+	}
+	return enumerator_create_filter(
+					section->kv->create_enumerator(section->kv),
+					(void*)kv_filter, NULL, NULL);
+}
+
 /**
  * destroy a section
  */
@@ -331,7 +388,7 @@ static void section_destroy(section_t *this)
 {
 	this->kv->destroy_function(this->kv, free);
 	this->sections->destroy_function(this->sections, (void*)section_destroy);
-	
+
 	free(this);
 }
 
@@ -362,7 +419,7 @@ static char parse(char **text, char *skip, char *term, char *br, char **token)
 	{
 		char *pos = *text;
 		int level = 1;
-		
+
 		/* find terminator */
 		while (*pos)
 		{
@@ -417,15 +474,15 @@ static section_t* parse_section(char **text, char *name)
 	section_t *sub, *section;
 	bool finished = FALSE;
 	char *key, *value, *inner;
-	
+
 	static int lev = 0;
 	lev++;
-	
+
 	section = malloc_thing(section_t);
 	section->name = name;
 	section->sections = linked_list_create();
 	section->kv = linked_list_create();
-	
+
 	while (!finished)
 	{
 		switch (parse(text, "\t\n ", "{=#", NULL, &key))
@@ -484,51 +541,53 @@ static void destroy(private_settings_t *this)
  */
 settings_t *settings_create(char *file)
 {
-	private_settings_t *this = malloc_thing(private_settings_t);
-	
+	private_settings_t *this;
+	char *pos;
+	FILE *fd;
+	int len;
+
+	this = malloc_thing(private_settings_t);
 	this->public.get_str = (char*(*)(settings_t*, char *key, char* def, ...))get_str;
 	this->public.get_int = (int(*)(settings_t*, char *key, int def, ...))get_int;
+	this->public.get_double = (double(*)(settings_t*, char *key, double def, ...))get_double;
 	this->public.get_time = (u_int32_t(*)(settings_t*, char *key, u_int32_t def, ...))get_time;
 	this->public.get_bool = (bool(*)(settings_t*, char *key, bool def, ...))get_bool;
 	this->public.create_section_enumerator = (enumerator_t*(*)(settings_t*,char *section, ...))create_section_enumerator;
+	this->public.create_key_value_enumerator = (enumerator_t*(*)(settings_t*, char *key, ...))create_key_value_enumerator;
 	this->public.destroy = (void(*)(settings_t*))destroy;
-	
+
 	this->top = NULL;
 	this->text = NULL;
-	
-	if (file)
+
+	if (file == NULL)
 	{
-		FILE *fd;
-		int len;
-		char *pos;
-	
-		fd = fopen(file, "r");
-		if (fd == NULL)
-		{
-			DBG1("'%s' does not exist or is not readable", file);
-			return &this->public;
-		}
-		fseek(fd, 0, SEEK_END);
-		len = ftell(fd);
-		rewind(fd);
-		this->text = malloc(len + 1);
-		this->text[len] = '\0';
-		if (fread(this->text, 1, len, fd) != len)
-		{
-			free(this->text);
-			this->text = NULL;
-			return &this->public;
-		}
-		fclose(fd);
+		file = STRONGSWAN_CONF;
+	}
+	fd = fopen(file, "r");
+	if (fd == NULL)
+	{
+		DBG1("'%s' does not exist or is not readable", file);
+		return &this->public;
+	}
+	fseek(fd, 0, SEEK_END);
+	len = ftell(fd);
+	rewind(fd);
+	this->text = malloc(len + 1);
+	this->text[len] = '\0';
+	if (fread(this->text, 1, len, fd) != len)
+	{
+		free(this->text);
+		this->text = NULL;
+		return &this->public;
+	}
+	fclose(fd);
 
-		pos = this->text;
-		this->top = parse_section(&pos, NULL);
-		if (this->top == NULL)
-		{
-			free(this->text);
-			this->text = NULL;
-			return &this->public;
-		}
+	pos = this->text;
+	this->top = parse_section(&pos, NULL);
+	if (this->top == NULL)
+	{
+		free(this->text);
+		this->text = NULL;
 	}
 	return &this->public;
 }
diff --git a/src/libstrongswan/settings.h b/src/libstrongswan/settings.h
index 1816787ae..9e8d75cc0 100644
--- a/src/libstrongswan/settings.h
+++ b/src/libstrongswan/settings.h
@@ -37,17 +37,17 @@ typedef struct settings_t settings_t;
  *
  * E.g.:
  * @code
-  	a = b
-  	section-one {
-  		somevalue = asdf
-  		subsection {
-  			othervalue = xxx
-  		}
-  		yetanother = zz
-  	}
-  	section-two {
-  	}
-  	@endcode
+	a = b
+	section-one {
+		somevalue = asdf
+		subsection {
+			othervalue = xxx
+		}
+		yetanother = zz
+	}
+	section-two {
+	}
+	@endcode
  *
  * The values are accesses using the get() functions using dotted keys, e.g.
  *   section-one.subsection.othervalue
@@ -63,7 +63,7 @@ struct settings_t {
 	 * @return			value pointing to internal string
 	 */
 	char* (*get_str)(settings_t *this, char *key, char *def, ...);
-	
+
 	/**
 	 * Get a boolean yes|no, true|false value.
 	 *
@@ -73,7 +73,7 @@ struct settings_t {
 	 * @return			value of the key
 	 */
 	bool (*get_bool)(settings_t *this, char *key, bool def, ...);
-	
+
 	/**
 	 * Get an integer value.
 	 *
@@ -83,7 +83,17 @@ struct settings_t {
 	 * @return			value of the key
 	 */
 	int (*get_int)(settings_t *this, char *key, int def, ...);
-	
+
+	/**
+	 * Get an double value.
+	 *
+	 * @param key		key including sections, printf style format
+	 * @param def		value returned if key not found
+	 * @param ...		argument list for key
+	 * @return			value of the key
+	 */
+	double (*get_double)(settings_t *this, char *key, double def, ...);
+
 	/**
 	 * Get a time value.
 	 *
@@ -93,7 +103,7 @@ struct settings_t {
 	 * @return			value of the key
 	 */
 	u_int32_t (*get_time)(settings_t *this, char *key, u_int32_t def, ...);
-	
+
 	/**
 	 * Create an enumerator over subsection names of a section.
 	 *
@@ -103,6 +113,17 @@ struct settings_t {
 	 */
 	enumerator_t* (*create_section_enumerator)(settings_t *this,
 											   char *section, ...);
+
+	/**
+	 * Create an enumerator over key/value pairs in a section.
+	 *
+	 * @param section	section name to list key/value pairs of, printf style
+	 * @param ...		argmuent list for section
+	 * @return			enumerator over (char *key, char *value)
+	 */
+	enumerator_t* (*create_key_value_enumerator)(settings_t *this,
+												 char *section, ...);
+
 	/**
 	 * Destroy a settings instance.
 	 */
@@ -110,7 +131,10 @@ struct settings_t {
 };
 
 /**
- * Load setings from a file.
+ * Load settings from a file.
+ *
+ * @param file			file to read settings from, NULL for default
+ * @return				settings object
  */
 settings_t *settings_create(char *file);
 
diff --git a/src/libstrongswan/threading/condvar.h b/src/libstrongswan/threading/condvar.h
new file mode 100644
index 000000000..48c949c7c
--- /dev/null
+++ b/src/libstrongswan/threading/condvar.h
@@ -0,0 +1,96 @@
+/*
+ * Copyright (C) 2008-2009 Tobias Brunner
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup condvar condvar
+ * @{ @ingroup threading
+ */
+
+#ifndef THREADING_CONDVAR_H_
+#define THREADING_CONDVAR_H_
+
+typedef struct condvar_t condvar_t;
+typedef enum condvar_type_t condvar_type_t;
+
+#include "mutex.h"
+
+/**
+ * Type of condvar.
+ */
+enum condvar_type_t {
+	/** default condvar */
+	CONDVAR_TYPE_DEFAULT = 0,
+};
+
+/**
+ * Condvar wrapper to use in conjunction with mutex_t.
+ */
+struct condvar_t {
+
+	/**
+	 * Wait on a condvar until it gets signalized.
+	 *
+	 * @param mutex			mutex to release while waiting
+	 */
+	void (*wait)(condvar_t *this, mutex_t *mutex);
+
+	/**
+	 * Wait on a condvar until it gets signalized, or times out.
+	 *
+	 * @param mutex			mutex to release while waiting
+	 * @param timeout		timeout im ms
+	 * @return				TRUE if timed out, FALSE otherwise
+	 */
+	bool (*timed_wait)(condvar_t *this, mutex_t *mutex, u_int timeout);
+
+	/**
+	 * Wait on a condvar until it gets signalized, or times out.
+	 *
+	 * The passed timeval should be calculated based on the time_monotonic()
+	 * function.
+	 *
+	 * @param mutex			mutex to release while waiting
+	 * @param tv			absolute time until timeout
+	 * @return				TRUE if timed out, FALSE otherwise
+	 */
+	bool (*timed_wait_abs)(condvar_t *this, mutex_t *mutex, timeval_t tv);
+
+	/**
+	 * Wake up a single thread in a condvar.
+	 */
+	void (*signal)(condvar_t *this);
+
+	/**
+	 * Wake up all threads in a condvar.
+	 */
+	void (*broadcast)(condvar_t *this);
+
+	/**
+	 * Destroy a condvar and free its resources.
+	 */
+	void (*destroy)(condvar_t *this);
+};
+
+/**
+ * Create a condvar instance.
+ *
+ * @param type		type of condvar to create
+ * @return			condvar instance
+ */
+condvar_t *condvar_create(condvar_type_t type);
+
+#endif /** THREADING_CONDVAR_H_ @} */
+
diff --git a/src/libstrongswan/threading/lock_profiler.h b/src/libstrongswan/threading/lock_profiler.h
new file mode 100644
index 000000000..b64453ba1
--- /dev/null
+++ b/src/libstrongswan/threading/lock_profiler.h
@@ -0,0 +1,102 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef THREADING_LOCK_PROFILER_H_
+#define THREADING_LOCK_PROFILER_H_
+
+#ifdef LOCK_PROFILER
+
+#include <time.h>
+
+/**
+ * Do not report mutexes with an overall waiting time smaller than this (in us)
+ */
+#define PROFILE_WAIT_TRESHHOLD 10000
+
+/**
+ * Do not report mutexes with an overall lock count smaller than this
+ */
+#define PROFILE_LOCK_TRESHHOLD 1000
+
+#include <utils/backtrace.h>
+
+typedef struct lock_profile_t lock_profile_t;
+
+struct lock_profile_t {
+	/**
+	 * how long threads have waited for the lock in this mutex so far
+	 */
+	timeval_t waited;
+
+	/**
+	 * How many times the lock has been invoked
+	 */
+	u_int locked;
+
+	/**
+	 * backtrace where mutex has been created
+	 */
+	backtrace_t *backtrace;
+};
+
+/**
+ * Print and cleanup mutex profiler
+ */
+static inline void profiler_cleanup(lock_profile_t *profile)
+{
+	if (profile->waited.tv_sec > 0 ||
+		profile->waited.tv_usec > PROFILE_WAIT_TRESHHOLD ||
+		profile->locked > PROFILE_LOCK_TRESHHOLD)
+	{
+		fprintf(stderr, "%d.%03ds / %d times in lock created at:",
+			profile->waited.tv_sec, profile->waited.tv_usec, profile->locked);
+		profile->backtrace->log(profile->backtrace, stderr);
+	}
+	profile->backtrace->destroy(profile->backtrace);
+}
+
+/**
+ * Initialize mutex profiler
+ */
+static inline void profiler_init(lock_profile_t *profile)
+{
+	profile->backtrace = backtrace_create(2);
+	timerclear(&profile->waited);
+	profile->locked = 0;
+}
+
+#define profiler_start(profile) { \
+	struct timeval _start, _end, _diff; \
+	(profile)->locked++; \
+	time_monotonic(&_start);
+
+#define profiler_end(profile) \
+	time_monotonic(&_end); \
+	timersub(&_end, &_start, &_diff); \
+	timeradd(&(profile)->waited, &_diff, &(profile)->waited); }
+
+#else /* !LOCK_PROFILER */
+
+#define lock_profile_t struct {}
+#define profiler_cleanup(...) {}
+#define profiler_init(...) {}
+#define profiler_start(...) {}
+#define profiler_end(...) {}
+
+#endif /* LOCK_PROFILER */
+
+#endif /* THREADING_LOCK_PROFILER_H_ */
+
diff --git a/src/libstrongswan/threading/mutex.c b/src/libstrongswan/threading/mutex.c
new file mode 100644
index 000000000..a35695624
--- /dev/null
+++ b/src/libstrongswan/threading/mutex.c
@@ -0,0 +1,375 @@
+/*
+ * Copyright (C) 2008-2009 Tobias Brunner
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#define _GNU_SOURCE
+#include <pthread.h>
+#include <stdint.h>
+#include <time.h>
+#include <errno.h>
+
+#include <library.h>
+#include <debug.h>
+
+#include "condvar.h"
+#include "mutex.h"
+#include "lock_profiler.h"
+
+typedef struct private_mutex_t private_mutex_t;
+typedef struct private_r_mutex_t private_r_mutex_t;
+typedef struct private_condvar_t private_condvar_t;
+
+/**
+ * private data of mutex
+ */
+struct private_mutex_t {
+
+	/**
+	 * public functions
+	 */
+	mutex_t public;
+
+	/**
+	 * wrapped pthread mutex
+	 */
+	pthread_mutex_t mutex;
+
+	/**
+	 * is this a recursiv emutex, implementing private_r_mutex_t?
+	 */
+	bool recursive;
+
+	/**
+	 * profiling info, if enabled
+	 */
+	lock_profile_t profile;
+};
+
+/**
+ * private data of mutex, extended by recursive locking information
+ */
+struct private_r_mutex_t {
+
+	/**
+	 * Extends private_mutex_t
+	 */
+	private_mutex_t generic;
+
+	/**
+	 * thread which currently owns mutex
+	 */
+	pthread_t thread;
+
+	/**
+	 * times we have locked the lock, stored per thread
+	 */
+	pthread_key_t times;
+};
+
+/**
+ * private data of condvar
+ */
+struct private_condvar_t {
+
+	/**
+	 * public functions
+	 */
+	condvar_t public;
+
+	/**
+	 * wrapped pthread condvar
+	 */
+	pthread_cond_t condvar;
+
+};
+
+
+
+/**
+ * Implementation of mutex_t.lock.
+ */
+static void lock(private_mutex_t *this)
+{
+	int err;
+
+	profiler_start(&this->profile);
+	err = pthread_mutex_lock(&this->mutex);
+	if (err)
+	{
+		DBG1("!!! MUTEX LOCK ERROR: %s !!!", strerror(err));
+	}
+	profiler_end(&this->profile);
+}
+
+/**
+ * Implementation of mutex_t.unlock.
+ */
+static void unlock(private_mutex_t *this)
+{
+	int err;
+
+	err = pthread_mutex_unlock(&this->mutex);
+	if (err)
+	{
+		DBG1("!!! MUTEX UNLOCK ERROR: %s !!!", strerror(err));
+	}
+}
+
+/**
+ * Implementation of mutex_t.lock.
+ */
+static void lock_r(private_r_mutex_t *this)
+{
+	pthread_t self = pthread_self();
+
+	if (this->thread == self)
+	{
+		uintptr_t times;
+
+		/* times++ */
+		times = (uintptr_t)pthread_getspecific(this->times);
+		pthread_setspecific(this->times, (void*)times + 1);
+	}
+	else
+	{
+		lock(&this->generic);
+		this->thread = self;
+		/* times = 1 */
+		pthread_setspecific(this->times, (void*)1);
+	}
+}
+
+/**
+ * Implementation of mutex_t.unlock.
+ */
+static void unlock_r(private_r_mutex_t *this)
+{
+	uintptr_t times;
+
+	/* times-- */
+	times = (uintptr_t)pthread_getspecific(this->times);
+	pthread_setspecific(this->times, (void*)--times);
+
+	if (times == 0)
+	{
+		this->thread = 0;
+		unlock(&this->generic);
+	}
+}
+
+/**
+ * Implementation of mutex_t.destroy
+ */
+static void mutex_destroy(private_mutex_t *this)
+{
+	profiler_cleanup(&this->profile);
+	pthread_mutex_destroy(&this->mutex);
+	free(this);
+}
+
+/**
+ * Implementation of mutex_t.destroy for recursive mutex'
+ */
+static void mutex_destroy_r(private_r_mutex_t *this)
+{
+	profiler_cleanup(&this->generic.profile);
+	pthread_mutex_destroy(&this->generic.mutex);
+	pthread_key_delete(this->times);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+mutex_t *mutex_create(mutex_type_t type)
+{
+	switch (type)
+	{
+		case MUTEX_TYPE_RECURSIVE:
+		{
+			private_r_mutex_t *this = malloc_thing(private_r_mutex_t);
+
+			this->generic.public.lock = (void(*)(mutex_t*))lock_r;
+			this->generic.public.unlock = (void(*)(mutex_t*))unlock_r;
+			this->generic.public.destroy = (void(*)(mutex_t*))mutex_destroy_r;
+
+			pthread_mutex_init(&this->generic.mutex, NULL);
+			pthread_key_create(&this->times, NULL);
+			this->generic.recursive = TRUE;
+			profiler_init(&this->generic.profile);
+			this->thread = 0;
+
+			return &this->generic.public;
+		}
+		case MUTEX_TYPE_DEFAULT:
+		default:
+		{
+			private_mutex_t *this = malloc_thing(private_mutex_t);
+
+			this->public.lock = (void(*)(mutex_t*))lock;
+			this->public.unlock = (void(*)(mutex_t*))unlock;
+			this->public.destroy = (void(*)(mutex_t*))mutex_destroy;
+
+			pthread_mutex_init(&this->mutex, NULL);
+			this->recursive = FALSE;
+			profiler_init(&this->profile);
+
+			return &this->public;
+		}
+	}
+}
+
+
+
+/**
+ * Implementation of condvar_t.wait.
+ */
+static void _wait(private_condvar_t *this, private_mutex_t *mutex)
+{
+	if (mutex->recursive)
+	{
+		private_r_mutex_t* recursive = (private_r_mutex_t*)mutex;
+
+		/* mutex owner gets cleared during condvar wait */
+		recursive->thread = 0;
+		pthread_cond_wait(&this->condvar, &mutex->mutex);
+		recursive->thread = pthread_self();
+	}
+	else
+	{
+		pthread_cond_wait(&this->condvar, &mutex->mutex);
+	}
+}
+
+/* use the monotonic clock based version of this function if available */
+#ifdef HAVE_PTHREAD_COND_TIMEDWAIT_MONOTONIC
+#define pthread_cond_timedwait pthread_cond_timedwait_monotonic
+#endif
+
+/**
+ * Implementation of condvar_t.timed_wait_abs.
+ */
+static bool timed_wait_abs(private_condvar_t *this, private_mutex_t *mutex,
+						   timeval_t time)
+{
+	struct timespec ts;
+	bool timed_out;
+
+	ts.tv_sec = time.tv_sec;
+	ts.tv_nsec = time.tv_usec * 1000;
+
+	if (mutex->recursive)
+	{
+		private_r_mutex_t* recursive = (private_r_mutex_t*)mutex;
+
+		recursive->thread = 0;
+		timed_out = pthread_cond_timedwait(&this->condvar, &mutex->mutex,
+										   &ts) == ETIMEDOUT;
+		recursive->thread = pthread_self();
+	}
+	else
+	{
+		timed_out = pthread_cond_timedwait(&this->condvar, &mutex->mutex,
+										   &ts) == ETIMEDOUT;
+	}
+	return timed_out;
+}
+
+/**
+ * Implementation of condvar_t.timed_wait.
+ */
+static bool timed_wait(private_condvar_t *this, private_mutex_t *mutex,
+					   u_int timeout)
+{
+	timeval_t tv;
+	u_int s, ms;
+
+	time_monotonic(&tv);
+
+	s = timeout / 1000;
+	ms = timeout % 1000;
+
+	tv.tv_sec += s;
+	tv.tv_usec += ms * 1000;
+
+	if (tv.tv_usec > 1000000 /* 1s */)
+	{
+		tv.tv_usec -= 1000000;
+		tv.tv_sec++;
+	}
+	return timed_wait_abs(this, mutex, tv);
+}
+
+/**
+ * Implementation of condvar_t.signal.
+ */
+static void _signal(private_condvar_t *this)
+{
+	pthread_cond_signal(&this->condvar);
+}
+
+/**
+ * Implementation of condvar_t.broadcast.
+ */
+static void broadcast(private_condvar_t *this)
+{
+	pthread_cond_broadcast(&this->condvar);
+}
+
+/**
+ * Implementation of condvar_t.destroy
+ */
+static void condvar_destroy(private_condvar_t *this)
+{
+	pthread_cond_destroy(&this->condvar);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+condvar_t *condvar_create(condvar_type_t type)
+{
+	switch (type)
+	{
+		case CONDVAR_TYPE_DEFAULT:
+		default:
+		{
+			private_condvar_t *this = malloc_thing(private_condvar_t);
+
+			this->public.wait = (void(*)(condvar_t*, mutex_t *mutex))_wait;
+			this->public.timed_wait = (bool(*)(condvar_t*, mutex_t *mutex, u_int timeout))timed_wait;
+			this->public.timed_wait_abs = (bool(*)(condvar_t*, mutex_t *mutex, timeval_t time))timed_wait_abs;
+			this->public.signal = (void(*)(condvar_t*))_signal;
+			this->public.broadcast = (void(*)(condvar_t*))broadcast;
+			this->public.destroy = (void(*)(condvar_t*))condvar_destroy;
+
+#ifdef HAVE_PTHREAD_CONDATTR_INIT
+			{
+				pthread_condattr_t condattr;
+				pthread_condattr_init(&condattr);
+#ifdef HAVE_CONDATTR_CLOCK_MONOTONIC
+				pthread_condattr_setclock(&condattr, CLOCK_MONOTONIC);
+#endif
+				pthread_cond_init(&this->condvar, &condattr);
+				pthread_condattr_destroy(&condattr);
+			}
+#endif
+
+			return &this->public;
+		}
+	}
+}
+
diff --git a/src/libstrongswan/threading/mutex.h b/src/libstrongswan/threading/mutex.h
new file mode 100644
index 000000000..ac36b6a25
--- /dev/null
+++ b/src/libstrongswan/threading/mutex.h
@@ -0,0 +1,68 @@
+/*
+ * Copyright (C) 2008-2009 Tobias Brunner
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup mutex mutex
+ * @{ @ingroup threading
+ */
+
+#ifndef THREADING_MUTEX_H_
+#define THREADING_MUTEX_H_
+
+typedef struct mutex_t mutex_t;
+typedef enum mutex_type_t mutex_type_t;
+
+/**
+ * Type of mutex.
+ */
+enum mutex_type_t {
+	/** default mutex */
+	MUTEX_TYPE_DEFAULT	= 0,
+	/** allow recursive locking of the mutex */
+	MUTEX_TYPE_RECURSIVE	= 1,
+};
+
+/**
+ * Mutex wrapper implements simple, portable and advanced mutex functions.
+ */
+struct mutex_t {
+
+	/**
+	 * Acquire the lock to the mutex.
+	 */
+	void (*lock)(mutex_t *this);
+
+	/**
+	 * Release the lock on the mutex.
+	 */
+	void (*unlock)(mutex_t *this);
+
+	/**
+	 * Destroy a mutex instance.
+	 */
+	void (*destroy)(mutex_t *this);
+};
+
+/**
+ * Create a mutex instance.
+ *
+ * @param type		type of mutex to create
+ * @return			unlocked mutex instance
+ */
+mutex_t *mutex_create(mutex_type_t type);
+
+#endif /** THREADING_MUTEX_H_ @} */
+
diff --git a/src/libstrongswan/threading/rwlock.c b/src/libstrongswan/threading/rwlock.c
new file mode 100644
index 000000000..ee9fb10be
--- /dev/null
+++ b/src/libstrongswan/threading/rwlock.c
@@ -0,0 +1,327 @@
+/*
+ * Copyright (C) 2008-2009 Tobias Brunner
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#define _GNU_SOURCE
+#include <pthread.h>
+
+#include <library.h>
+#include <debug.h>
+
+#include "rwlock.h"
+#include "condvar.h"
+#include "mutex.h"
+#include "lock_profiler.h"
+
+typedef struct private_rwlock_t private_rwlock_t;
+
+/**
+ * private data of rwlock
+ */
+struct private_rwlock_t {
+
+	/**
+	 * public functions
+	 */
+	rwlock_t public;
+
+#ifdef HAVE_PTHREAD_RWLOCK_INIT
+
+	/**
+	 * wrapped pthread rwlock
+	 */
+	pthread_rwlock_t rwlock;
+
+#else
+
+	/**
+	 * mutex to emulate a native rwlock
+	 */
+	mutex_t *mutex;
+
+	/**
+	 * condvar to handle writers
+	 */
+	condvar_t *writers;
+
+	/**
+	 * condvar to handle readers
+	 */
+	condvar_t *readers;
+
+	/**
+	 * number of waiting writers
+	 */
+	u_int waiting_writers;
+
+	/**
+	 * number of readers holding the lock
+	 */
+	u_int reader_count;
+
+	/**
+	 * current writer thread, if any
+	 */
+	pthread_t writer;
+
+#endif /* HAVE_PTHREAD_RWLOCK_INIT */
+
+	/**
+	 * profiling info, if enabled
+	 */
+	lock_profile_t profile;
+};
+
+
+#ifdef HAVE_PTHREAD_RWLOCK_INIT
+
+/**
+ * Implementation of rwlock_t.read_lock
+ */
+static void read_lock(private_rwlock_t *this)
+{
+	int err;
+
+	profiler_start(&this->profile);
+	err = pthread_rwlock_rdlock(&this->rwlock);
+	if (err != 0)
+	{
+		DBG1("!!! RWLOCK READ LOCK ERROR: %s !!!", strerror(err));
+	}
+	profiler_end(&this->profile);
+}
+
+/**
+ * Implementation of rwlock_t.write_lock
+ */
+static void write_lock(private_rwlock_t *this)
+{
+	int err;
+
+	profiler_start(&this->profile);
+	err = pthread_rwlock_wrlock(&this->rwlock);
+	if (err != 0)
+	{
+		DBG1("!!! RWLOCK WRITE LOCK ERROR: %s !!!", strerror(err));
+	}
+	profiler_end(&this->profile);
+}
+
+/**
+ * Implementation of rwlock_t.try_write_lock
+ */
+static bool try_write_lock(private_rwlock_t *this)
+{
+	return pthread_rwlock_trywrlock(&this->rwlock) == 0;
+}
+
+/**
+ * Implementation of rwlock_t.unlock
+ */
+static void rw_unlock(private_rwlock_t *this)
+{
+	int err;
+
+	err = pthread_rwlock_unlock(&this->rwlock);
+	if (err != 0)
+	{
+		DBG1("!!! RWLOCK UNLOCK ERROR: %s !!!", strerror(err));
+	}
+}
+
+/**
+ * Implementation of rwlock_t.destroy
+ */
+static void rw_destroy(private_rwlock_t *this)
+{
+	pthread_rwlock_destroy(&this->rwlock);
+	profiler_cleanup(&this->profile);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+rwlock_t *rwlock_create(rwlock_type_t type)
+{
+	switch (type)
+	{
+		case RWLOCK_TYPE_DEFAULT:
+		default:
+		{
+			private_rwlock_t *this = malloc_thing(private_rwlock_t);
+
+			this->public.read_lock = (void(*)(rwlock_t*))read_lock;
+			this->public.write_lock = (void(*)(rwlock_t*))write_lock;
+			this->public.try_write_lock = (bool(*)(rwlock_t*))try_write_lock;
+			this->public.unlock = (void(*)(rwlock_t*))rw_unlock;
+			this->public.destroy = (void(*)(rwlock_t*))rw_destroy;
+
+			pthread_rwlock_init(&this->rwlock, NULL);
+			profiler_init(&this->profile);
+
+			return &this->public;
+		}
+	}
+}
+
+#else /* HAVE_PTHREAD_RWLOCK_INIT */
+
+/**
+ * This implementation of the rwlock_t interface uses mutex_t and condvar_t
+ * primitives, if the pthread_rwlock_* group of functions is not available.
+ *
+ * The following constraints are enforced:
+ *   - Multiple readers can hold the lock at the same time.
+ *   - Only a single writer can hold the lock at any given time.
+ *   - A writer must block until all readers have released the lock before
+ *     obtaining the lock exclusively.
+ *   - Readers that arrive while a writer is waiting to acquire the lock will
+ *     block until after the writer has obtained and released the lock.
+ * These constraints allow for read sharing, prevent write sharing, prevent
+ * read-write sharing and prevent starvation of writers by a steady stream
+ * of incoming readers. Reader starvation is not prevented (this could happen
+ * if there are more writers than readers).
+ *
+ * The implementation does not support recursive locking and readers must not
+ * acquire the lock exclusively at the same time and vice-versa (this is not
+ * checked or enforced so behave yourself to prevent deadlocks).
+ */
+
+/**
+ * Implementation of rwlock_t.read_lock
+ */
+static void read_lock(private_rwlock_t *this)
+{
+	profiler_start(&this->profile);
+	this->mutex->lock(this->mutex);
+	while (this->writer || this->waiting_writers)
+	{
+		this->readers->wait(this->readers, this->mutex);
+	}
+	this->reader_count++;
+	profiler_end(&this->profile);
+	this->mutex->unlock(this->mutex);
+}
+
+/**
+ * Implementation of rwlock_t.write_lock
+ */
+static void write_lock(private_rwlock_t *this)
+{
+	profiler_start(&this->profile);
+	this->mutex->lock(this->mutex);
+	this->waiting_writers++;
+	while (this->writer || this->reader_count)
+	{
+		this->writers->wait(this->writers, this->mutex);
+	}
+	this->waiting_writers--;
+	this->writer = pthread_self();
+	profiler_end(&this->profile);
+	this->mutex->unlock(this->mutex);
+}
+
+/**
+ * Implementation of rwlock_t.try_write_lock
+ */
+static bool try_write_lock(private_rwlock_t *this)
+{
+	bool res = FALSE;
+	this->mutex->lock(this->mutex);
+	if (!this->writer && !this->reader_count)
+	{
+		res = TRUE;
+		this->writer = pthread_self();
+	}
+	this->mutex->unlock(this->mutex);
+	return res;
+}
+
+/**
+ * Implementation of rwlock_t.unlock
+ */
+static void rw_unlock(private_rwlock_t *this)
+{
+	this->mutex->lock(this->mutex);
+	if (this->writer == pthread_self())
+	{
+		this->writer = 0;
+		if (this->waiting_writers)
+		{
+			this->writers->signal(this->writers);
+		}
+		else
+		{
+			this->readers->broadcast(this->readers);
+		}
+	}
+	else
+	{
+		this->reader_count--;
+		if (!this->reader_count)
+		{
+			this->writers->signal(this->writers);
+		}
+	}
+	this->mutex->unlock(this->mutex);
+}
+
+/**
+ * Implementation of rwlock_t.destroy
+ */
+static void rw_destroy(private_rwlock_t *this)
+{
+	this->mutex->destroy(this->mutex);
+	this->writers->destroy(this->writers);
+	this->readers->destroy(this->readers);
+	profiler_cleanup(&this->profile);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+rwlock_t *rwlock_create(rwlock_type_t type)
+{
+	switch (type)
+	{
+		case RWLOCK_TYPE_DEFAULT:
+		default:
+		{
+			private_rwlock_t *this = malloc_thing(private_rwlock_t);
+
+			this->public.read_lock = (void(*)(rwlock_t*))read_lock;
+			this->public.write_lock = (void(*)(rwlock_t*))write_lock;
+			this->public.try_write_lock = (bool(*)(rwlock_t*))try_write_lock;
+			this->public.unlock = (void(*)(rwlock_t*))rw_unlock;
+			this->public.destroy = (void(*)(rwlock_t*))rw_destroy;
+
+			this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
+			this->writers = condvar_create(CONDVAR_TYPE_DEFAULT);
+			this->readers = condvar_create(CONDVAR_TYPE_DEFAULT);
+			this->waiting_writers = 0;
+			this->reader_count = 0;
+			this->writer = 0;
+
+			profiler_init(&this->profile);
+
+			return &this->public;
+		}
+	}
+}
+
+#endif /* HAVE_PTHREAD_RWLOCK_INIT */
+
diff --git a/src/libstrongswan/threading/rwlock.h b/src/libstrongswan/threading/rwlock.h
new file mode 100644
index 000000000..a86a241c5
--- /dev/null
+++ b/src/libstrongswan/threading/rwlock.h
@@ -0,0 +1,80 @@
+/*
+ * Copyright (C) 2008-2009 Tobias Brunner
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup rwlock rwlock
+ * @{ @ingroup threading
+ */
+
+#ifndef THREADING_RWLOCK_H_
+#define THREADING_RWLOCK_H_
+
+typedef struct rwlock_t rwlock_t;
+typedef enum rwlock_type_t rwlock_type_t;
+
+/**
+ * Type of read-write lock.
+ */
+enum rwlock_type_t {
+	/** default condvar */
+	RWLOCK_TYPE_DEFAULT = 0,
+};
+
+/**
+ * Read-Write lock wrapper.
+ */
+struct rwlock_t {
+
+	/**
+	 * Acquire the read lock.
+	 */
+	void (*read_lock)(rwlock_t *this);
+
+	/**
+	 * Acquire the write lock.
+	 */
+	void (*write_lock)(rwlock_t *this);
+
+	/**
+	 * Try to acquire the write lock.
+	 *
+	 * Never blocks, but returns FALSE if the lock was already occupied.
+	 *
+	 * @return		TRUE if lock acquired
+	 */
+	bool (*try_write_lock)(rwlock_t *this);
+
+	/**
+	 * Release any acquired lock.
+	 */
+	void (*unlock)(rwlock_t *this);
+
+	/**
+	 * Destroy the read-write lock.
+	 */
+	void (*destroy)(rwlock_t *this);
+};
+
+/**
+ * Create a read-write lock instance.
+ *
+ * @param type		type of rwlock to create
+ * @return			unlocked rwlock instance
+ */
+rwlock_t *rwlock_create(rwlock_type_t type);
+
+#endif /** THREADING_RWLOCK_H_ @} */
+
diff --git a/src/libstrongswan/threading/thread.c b/src/libstrongswan/threading/thread.c
new file mode 100644
index 000000000..bbfb2c2c6
--- /dev/null
+++ b/src/libstrongswan/threading/thread.c
@@ -0,0 +1,440 @@
+/*
+ * Copyright (C) 2009 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#define _GNU_SOURCE
+#include <pthread.h>
+#include <signal.h>
+#include <semaphore.h>
+
+#include <library.h>
+#include <debug.h>
+
+#include <threading/thread_value.h>
+#include <threading/mutex.h>
+#include <utils/linked_list.h>
+
+#include "thread.h"
+
+typedef struct private_thread_t private_thread_t;
+
+struct private_thread_t {
+	/**
+	 * Public interface.
+	 */
+	thread_t public;
+
+	/**
+	 * Human-readable ID of this thread.
+	 */
+	u_int id;
+
+	/**
+	 * ID of the underlying thread.
+	 */
+	pthread_t thread_id;
+
+	/**
+	 * Main function of this thread (NULL for the main thread).
+	 */
+	thread_main_t main;
+
+	/**
+	 * Argument for the main function.
+	 */
+	void *arg;
+
+	/**
+	 * Stack of cleanup handlers.
+	 */
+	linked_list_t *cleanup_handlers;
+
+	/**
+	 * Mutex to make modifying thread properties safe.
+	 */
+	mutex_t *mutex;
+
+	/**
+	 * Semaphore used to sync the creation/start of the thread.
+	 */
+	sem_t created;
+
+	/**
+	 * TRUE if this thread has been detached or joined, i.e. can be cleaned
+	 * up after terminating.
+	 */
+	bool detached_or_joined;
+
+	/**
+	 * TRUE if the threads has terminated (cancelled, via thread_exit or
+	 * returned from the main function)
+	 */
+	bool terminated;
+
+};
+
+typedef struct {
+	/**
+	 * Cleanup callback function.
+	 */
+	thread_cleanup_t cleanup;
+
+	/**
+	 * Argument provided to the cleanup function.
+	 */
+	void *arg;
+
+} cleanup_handler_t;
+
+
+/**
+ * Next thread ID.
+ */
+static u_int next_id = 1;
+
+/**
+ * Mutex to safely access the next thread ID.
+ */
+static mutex_t *id_mutex;
+
+/**
+ * Store the thread object in a thread-specific value.
+ */
+static thread_value_t *current_thread;
+
+#ifndef HAVE_PTHREAD_CANCEL
+/* if pthread_cancel is not available, we emulate it using a signal */
+#define SIG_CANCEL (SIGRTMIN+7)
+
+/* the signal handler for SIG_CANCEL uses pthread_exit to terminate the
+ * "cancelled" thread */
+static void cancel_signal_handler(int sig)
+{
+	pthread_exit(NULL);
+}
+#endif
+
+
+/**
+ * Destroy an internal thread object.
+ *
+ * @note The mutex of this thread object has to be locked, it gets unlocked
+ * automatically.
+ */
+static void thread_destroy(private_thread_t *this)
+{
+	if (!this->terminated || !this->detached_or_joined)
+	{
+		this->mutex->unlock(this->mutex);
+		return;
+	}
+	this->cleanup_handlers->destroy(this->cleanup_handlers);
+	this->mutex->unlock(this->mutex);
+	this->mutex->destroy(this->mutex);
+	sem_destroy(&this->created);
+	free(this);
+}
+
+/**
+ * Implementation of thread_t.cancel.
+ */
+static void cancel(private_thread_t *this)
+{
+	this->mutex->lock(this->mutex);
+	if (pthread_equal(this->thread_id, pthread_self()))
+	{
+		this->mutex->unlock(this->mutex);
+		DBG1("!!! CANNOT CANCEL CURRENT THREAD !!!");
+		return;
+	}
+#ifdef HAVE_PTHREAD_CANCEL
+	pthread_cancel(this->thread_id);
+#else
+	pthread_kill(this->thread_id, SIG_CANCEL);
+#endif /* HAVE_PTHREAD_CANCEL */
+	this->mutex->unlock(this->mutex);
+}
+
+/**
+ * Implementation of thread_t.kill.
+ */
+static void _kill(private_thread_t *this, int sig)
+{
+	this->mutex->lock(this->mutex);
+	if (pthread_equal(this->thread_id, pthread_self()))
+	{
+		/* it might actually be possible to send a signal to pthread_self (there
+		 * is an example in raise(3) describing that), the problem is though,
+		 * that the thread only returns here after the signal handler has
+		 * returned, so depending on the signal, the lock might not get
+		 * unlocked. */
+		this->mutex->unlock(this->mutex);
+		DBG1("!!! CANNOT SEND SIGNAL TO CURRENT THREAD !!!");
+		return;
+	}
+	pthread_kill(this->thread_id, sig);
+	this->mutex->unlock(this->mutex);
+}
+
+/**
+ * Implementation of thread_t.detach.
+ */
+static void detach(private_thread_t *this)
+{
+	this->mutex->lock(this->mutex);
+	pthread_detach(this->thread_id);
+	this->detached_or_joined = TRUE;
+	thread_destroy(this);
+}
+
+/**
+ * Implementation of thread_t.join.
+ */
+static void *join(private_thread_t *this)
+{
+	pthread_t thread_id;
+	void *val;
+	this->mutex->lock(this->mutex);
+	if (pthread_equal(this->thread_id, pthread_self()))
+	{
+		this->mutex->unlock(this->mutex);
+		DBG1("!!! CANNOT JOIN CURRENT THREAD !!!");
+		return NULL;
+	}
+	if (this->detached_or_joined)
+	{
+		this->mutex->unlock(this->mutex);
+		DBG1("!!! CANNOT JOIN DETACHED THREAD !!!");
+		return NULL;
+	}
+	thread_id = this->thread_id;
+	this->detached_or_joined = TRUE;
+	if (this->terminated)
+	{
+		/* thread has terminated before the call to join */
+		thread_destroy(this);
+	}
+	else
+	{
+		/* thread_destroy is called when the thread terminates normally */
+		this->mutex->unlock(this->mutex);
+	}
+	pthread_join(thread_id, &val);
+	return val;
+}
+
+/**
+ * Create an internal thread object.
+ */
+static private_thread_t *thread_create_internal()
+{
+	private_thread_t *this = malloc_thing(private_thread_t);
+	this->public.cancel = (void(*)(thread_t*))cancel;
+	this->public.kill = (void(*)(thread_t*,int))_kill;
+	this->public.detach = (void(*)(thread_t*))detach;
+	this->public.join = (void*(*)(thread_t*))join;
+
+	this->id = 0;
+	this->thread_id = 0;
+	this->main = NULL;
+	this->arg = NULL;
+	this->cleanup_handlers = linked_list_create();
+	this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
+	sem_init(&this->created, FALSE, 0);
+	this->detached_or_joined = FALSE;
+	this->terminated = FALSE;
+
+	return this;
+}
+
+/**
+ * Main cleanup function for threads.
+ */
+static void thread_cleanup(private_thread_t *this)
+{
+	cleanup_handler_t *handler;
+	this->mutex->lock(this->mutex);
+	while (this->cleanup_handlers->remove_last(this->cleanup_handlers,
+											   (void**)&handler) == SUCCESS)
+	{
+		handler->cleanup(handler->arg);
+		free(handler);
+	}
+	this->terminated = TRUE;
+	thread_destroy(this);
+}
+
+/**
+ * Main function wrapper for threads.
+ */
+static void *thread_main(private_thread_t *this)
+{
+	void *res;
+	sem_wait(&this->created);
+	current_thread->set(current_thread, this);
+	pthread_cleanup_push((thread_cleanup_t)thread_cleanup, this);
+	res = this->main(this->arg);
+	pthread_cleanup_pop(TRUE);
+	return res;
+}
+
+/**
+ * Described in header.
+ */
+thread_t *thread_create(thread_main_t main, void *arg)
+{
+	private_thread_t *this = thread_create_internal();
+	this->main = main;
+	this->arg = arg;
+	if (pthread_create(&this->thread_id, NULL, (void*)thread_main, this) != 0)
+	{
+		DBG1("failed to create thread!");
+		thread_destroy(this);
+		return NULL;
+	}
+	id_mutex->lock(id_mutex);
+	this->id = next_id++;
+	id_mutex->unlock(id_mutex);
+	sem_post(&this->created);
+	return &this->public;
+}
+
+/**
+ * Described in header.
+ */
+thread_t *thread_current()
+{
+	return current_thread->get(current_thread);
+}
+
+/**
+ * Described in header.
+ */
+u_int thread_current_id()
+{
+	private_thread_t *this = (private_thread_t*)thread_current();
+	return this->id;
+}
+
+/**
+ * Described in header.
+ */
+void thread_cleanup_push(thread_cleanup_t cleanup, void *arg)
+{
+	private_thread_t *this = (private_thread_t*)thread_current();
+	cleanup_handler_t *handler;
+	this->mutex->lock(this->mutex);
+	handler = malloc_thing(cleanup_handler_t);
+	handler->cleanup = cleanup;
+	handler->arg = arg;
+	this->cleanup_handlers->insert_last(this->cleanup_handlers, handler);
+	this->mutex->unlock(this->mutex);
+}
+
+/**
+ * Described in header.
+ */
+void thread_cleanup_pop(bool execute)
+{
+	private_thread_t *this = (private_thread_t*)thread_current();
+	cleanup_handler_t *handler;
+	this->mutex->lock(this->mutex);
+	if (this->cleanup_handlers->remove_last(this->cleanup_handlers,
+											(void**)&handler) != SUCCESS)
+	{
+		this->mutex->unlock(this->mutex);
+		DBG1("!!! THREAD CLEANUP ERROR !!!");
+		return;
+	}
+	this->mutex->unlock(this->mutex);
+
+	if (execute)
+	{
+		handler->cleanup(handler->arg);
+	}
+	free(handler);
+}
+
+/**
+ * Described in header.
+ */
+bool thread_cancelability(bool enable)
+{
+#ifdef HAVE_PTHREAD_CANCEL
+	int old;
+	pthread_setcancelstate(enable ? PTHREAD_CANCEL_ENABLE
+								  : PTHREAD_CANCEL_DISABLE, &old);
+	return old == PTHREAD_CANCEL_ENABLE;
+#else
+	sigset_t new, old;
+	sigemptyset(&new);
+	sigaddset(&new, SIG_CANCEL);
+	pthread_sigmask(enable ? SIG_UNBLOCK : SIG_BLOCK, &new, &old);
+	return sigismember(&old, SIG_CANCEL) == 0;
+#endif /* HAVE_PTHREAD_CANCEL */
+}
+
+/**
+ * Described in header.
+ */
+void thread_cancellation_point()
+{
+	bool old = thread_cancelability(TRUE);
+#ifdef HAVE_PTHREAD_CANCEL
+	pthread_testcancel();
+#endif /* HAVE_PTHREAD_CANCEL */
+	thread_cancelability(old);
+}
+
+/**
+ * Described in header.
+ */
+void thread_exit(void *val)
+{
+	pthread_exit(val);
+}
+
+/**
+ * Described in header.
+ */
+void threads_init()
+{
+	private_thread_t *main_thread = thread_create_internal();
+	main_thread->id = 0;
+	main_thread->thread_id = pthread_self();
+	current_thread = thread_value_create(NULL);
+	current_thread->set(current_thread, (void*)main_thread);
+	id_mutex = mutex_create(MUTEX_TYPE_DEFAULT);
+
+#ifndef HAVE_PTHREAD_CANCEL
+	{	/* install a signal handler for our custom SIG_CANCEL */
+		struct sigaction action = {
+			.sa_handler = cancel_signal_handler
+		};
+		sigaction(SIG_CANCEL, &action, NULL);
+	}
+#endif /* HAVE_PTHREAD_CANCEL */
+}
+
+/**
+ * Described in header.
+ */
+void threads_deinit()
+{
+	private_thread_t *main_thread = (private_thread_t*)thread_current();
+	thread_destroy(main_thread);
+	current_thread->destroy(current_thread);
+	id_mutex->destroy(id_mutex);
+}
+
diff --git a/src/libstrongswan/threading/thread.h b/src/libstrongswan/threading/thread.h
new file mode 100644
index 000000000..6bf8fac79
--- /dev/null
+++ b/src/libstrongswan/threading/thread.h
@@ -0,0 +1,187 @@
+/*
+ * Copyright (C) 2009 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup thread thread
+ * @{ @ingroup threading
+ */
+
+#ifndef THREADING_THREAD_H_
+#define THREADING_THREAD_H_
+
+typedef struct thread_t thread_t;
+
+#ifdef __APPLE__
+/* on Mac OS X 10.5 several system calls we use are no cancellation points.
+ * fortunately, select isn't one of them, so we wrap some of the others with
+ * calls to select(2).
+ */
+#include <sys/socket.h>
+#include <sys/select.h>
+
+#define WRAP_WITH_SELECT(func, socket, ...)\
+	fd_set rfds; FD_ZERO(&rfds); FD_SET(socket, &rfds);\
+	if (select(socket + 1, &rfds, NULL, NULL, NULL) <= 0) { return -1; }\
+	return func(socket, __VA_ARGS__)
+
+static inline int cancellable_accept(int socket, struct sockaddr *address,
+									 socklen_t *address_len)
+{
+	WRAP_WITH_SELECT(accept, socket, address, address_len);
+}
+#define accept cancellable_accept
+static inline int cancellable_recvfrom(int socket, void *buffer, size_t length,
+				int flags, struct sockaddr *address, socklen_t *address_len)
+{
+	WRAP_WITH_SELECT(recvfrom, socket, buffer, length, flags, address, address_len);
+}
+#define recvfrom cancellable_recvfrom
+#endif /* __APPLE__ */
+
+/**
+ * Main function of a thread.
+ *
+ * @param arg			argument provided to constructor
+ * @return				value provided to threads joining the terminating thread
+ */
+typedef void *(*thread_main_t)(void *arg);
+
+/**
+ * Cleanup callback function for a thread.
+ *
+ * @param arg			argument provided to thread_cleanup_push
+ */
+typedef void (*thread_cleanup_t)(void *arg);
+
+
+/**
+ * Thread wrapper implements simple, portable and advanced thread functions.
+ *
+ * @note All threads other than the main thread need either to be joined or
+ * detached by calling the corresponding method.
+ */
+struct thread_t {
+
+	/**
+	 * Cancel this thread.
+	 */
+	void (*cancel)(thread_t *this);
+
+	/**
+	 * Send a signal to this thread.
+	 *
+	 * @param sig		the signal to be sent to this thread
+	 */
+	void (*kill)(thread_t *this, int sig);
+
+	/**
+	 * Detach this thread, this automatically destroys the thread object after
+	 * the thread returned from its main function.
+	 *
+	 * @note Calling detach is like calling destroy on other objects.
+	 */
+	void (*detach)(thread_t *this);
+
+	/**
+	 * Join this thread, this automatically destroys the thread object
+	 * afterwards.
+	 *
+	 * @note Calling join is like calling destroy on other objects.
+	 *
+	 * @return			the value returned from the thread's main function or
+	 *					a call to exit.
+	 */
+	void *(*join)(thread_t *this);
+
+};
+
+
+/**
+ * Create a new thread instance.
+ *
+ * @param main			thread main function
+ * @param arg			argument provided to the main function
+ * @return				thread instance
+ */
+thread_t *thread_create(thread_main_t main, void *arg);
+
+/**
+ * Get a thread object for the current thread.
+ *
+ * @return				thread instance
+ */
+thread_t *thread_current();
+
+/**
+ * Get the human-readable ID of the current thread.
+ *
+ * The IDs are assigned incrementally starting from 1.
+ *
+ * @return				human-readable ID
+ */
+u_int thread_current_id();
+
+/**
+ * Push a function onto the current thread's cleanup handler stack.
+ * The callback function is called whenever the thread is cancelled, exits or
+ * thread_cleanup_pop is called with TRUE as execute argument.
+ *
+ * @param cleanup		function called on thread exit
+ * @param arg			argument provided to the callback
+ */
+void thread_cleanup_push(thread_cleanup_t cleanup, void *arg);
+
+/**
+ * Remove the top function from the current thread's cleanup handler stack
+ * and optionally execute it.
+ *
+ * @param execute		TRUE to execute the function
+ */
+void thread_cleanup_pop(bool execute);
+
+/**
+ * Enable or disable the cancelability of the current thread. The current
+ * value is returned.
+ *
+ * @param enable		TRUE to enable cancelability
+ * @return				the current state of the cancelability
+ */
+bool thread_cancelability(bool enable);
+
+/**
+ * Force creation of a cancellation point in the calling thread.
+ */
+void thread_cancellation_point();
+
+/**
+ * Exit the current thread.
+ *
+ * @param val			value provided to threads joining the current thread
+ */
+void thread_exit(void *val);
+
+/**
+ * Called by the main thread to initialize the thread management.
+ */
+void threads_init();
+
+/**
+ * Called by the main thread to deinitialize the thread management.
+ */
+void threads_deinit();
+
+
+#endif /** THREADING_THREAD_H_ @} */
+
diff --git a/src/libstrongswan/threading/thread_value.c b/src/libstrongswan/threading/thread_value.c
new file mode 100644
index 000000000..8f2a8846c
--- /dev/null
+++ b/src/libstrongswan/threading/thread_value.c
@@ -0,0 +1,78 @@
+/*
+ * Copyright (C) 2009 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#define _GNU_SOURCE
+#include <pthread.h>
+
+#include <library.h>
+
+#include "thread_value.h"
+
+typedef struct private_thread_value_t private_thread_value_t;
+
+struct private_thread_value_t {
+	/**
+	 * Public interface.
+	 */
+	thread_value_t public;
+
+	/**
+	 * Key to access thread-specific values.
+	 */
+	pthread_key_t key;
+
+};
+
+
+/**
+ * Implementation of thread_value_t.set.
+ */
+static void set(private_thread_value_t *this, void *val)
+{
+	pthread_setspecific(this->key, val);
+}
+
+/**
+ * Implementation of thread_value_t.get.
+ */
+static void *get(private_thread_value_t *this)
+{
+	return pthread_getspecific(this->key);
+}
+
+/**
+ * Implementation of thread_value_t.destroy.
+ */
+static void destroy(private_thread_value_t *this)
+{
+	pthread_key_delete(this->key);
+	free(this);
+}
+
+
+/**
+ * Described in header.
+ */
+thread_value_t *thread_value_create(thread_cleanup_t destructor)
+{
+	private_thread_value_t *this = malloc_thing(private_thread_value_t);
+	this->public.set = (void(*)(thread_value_t*,void*))set;
+	this->public.get = (void*(*)(thread_value_t*))get;
+	this->public.destroy = (void(*)(thread_value_t*))destroy;
+
+	pthread_key_create(&this->key, destructor);
+	return &this->public;
+}
+
diff --git a/src/libstrongswan/threading/thread_value.h b/src/libstrongswan/threading/thread_value.h
new file mode 100644
index 000000000..48f5f7d6b
--- /dev/null
+++ b/src/libstrongswan/threading/thread_value.h
@@ -0,0 +1,68 @@
+/*
+ * Copyright (C) 2009 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup thread_value thread_value
+ * @{ @ingroup threading
+ */
+
+#ifndef THREADING_THREAD_VALUE_H_
+#define THREADING_THREAD_VALUE_H_
+
+#include <threading/thread.h>
+
+typedef struct thread_value_t thread_value_t;
+
+/**
+ * Wrapper for thread-specific values.
+ */
+struct thread_value_t {
+
+	/**
+	 * Set a thread-specific value.
+	 *
+	 * @param val		thread specific value
+	 */
+	void (*set)(thread_value_t *this, void *val);
+
+	/**
+	 * Get a thread-specific value.
+	 *
+	 * @return			the value specific to the current thread
+	 */
+	void *(*get)(thread_value_t *this);
+
+	/**
+	 * Destroys this thread specific value wrapper. There is no check for
+	 * non-NULL values which are currently assigned to the calling thread, no
+	 * destructor is called.
+	 */
+	void (*destroy)(thread_value_t *this);
+
+};
+
+/**
+ * Create a new thread-specific value wrapper.
+ *
+ * The optional destructor is called whenever a thread terminates, with the
+ * assigned value as argument. It is not called if that value is NULL.
+ *
+ * @param destructor	destructor
+ * @return				thread-specific value wrapper
+ */
+thread_value_t *thread_value_create(thread_cleanup_t destructor);
+
+#endif /** THREADING_THREAD_VALUE_H_ @} */
+
diff --git a/src/libstrongswan/utils.c b/src/libstrongswan/utils.c
index 305841172..e331ac0d0 100644
--- a/src/libstrongswan/utils.c
+++ b/src/libstrongswan/utils.c
@@ -50,9 +50,9 @@ void *clalloc(void * pointer, size_t size)
 {
 	void *data;
 	data = malloc(size);
-	
+
 	memcpy(data, pointer, size);
-	
+
 	return (data);
 }
 
@@ -62,9 +62,9 @@ void *clalloc(void * pointer, size_t size)
 void memxor(u_int8_t dst[], u_int8_t src[], size_t n)
 {
 	int m, i;
-	
+
 	/* byte wise XOR until dst aligned */
-	for (i = 0; (uintptr_t)&dst[i] % sizeof(long); i++)
+	for (i = 0; (uintptr_t)&dst[i] % sizeof(long) && i < n; i++)
 	{
 		dst[i] ^= src[i];
 	}
@@ -162,6 +162,44 @@ bool mkdir_p(const char *path, mode_t mode)
 	return TRUE;
 }
 
+/**
+ * Return monotonic time
+ */
+time_t time_monotonic(timeval_t *tv)
+{
+#if defined(HAVE_CLOCK_GETTIME) && \
+	(defined(HAVE_CONDATTR_CLOCK_MONOTONIC) || \
+	 defined(HAVE_PTHREAD_COND_TIMEDWAIT_MONOTONIC))
+	/* as we use time_monotonic() for condvar operations, we use the
+	 * monotonic time source only if it is also supported by pthread. */
+	timespec_t ts;
+
+	if (clock_gettime(CLOCK_MONOTONIC, &ts) == 0)
+	{
+		if (tv)
+		{
+			tv->tv_sec = ts.tv_sec;
+			tv->tv_usec = ts.tv_nsec / 1000;
+		}
+		return ts.tv_sec;
+	}
+#endif /* HAVE_CLOCK_GETTIME && (...) */
+	/* Fallback to non-monotonic timestamps:
+	 * On MAC OS X, creating monotonic timestamps is rather difficult. We
+	 * could use mach_absolute_time() and catch sleep/wakeup notifications.
+	 * We stick to the simpler (non-monotonic) gettimeofday() for now.
+	 * But keep in mind: we need the same time source here as in condvar! */
+	if (!tv)
+	{
+		return time(NULL);
+	}
+	if (gettimeofday(tv, NULL) != 0)
+	{	/* should actually never fail if passed pointers are valid */
+		return -1;
+	}
+	return tv->tv_sec;
+}
+
 /**
  * return null
  */
@@ -197,7 +235,7 @@ void nop()
 #include <pthread.h>
 
 /**
- * We use a single mutex for all refcount variables. 
+ * We use a single mutex for all refcount variables.
  */
 static pthread_mutex_t ref_mutex = PTHREAD_MUTEX_INITIALIZER;
 
@@ -217,7 +255,7 @@ void ref_get(refcount_t *ref)
 bool ref_put(refcount_t *ref)
 {
 	bool more_refs;
-	
+
 	pthread_mutex_lock(&ref_mutex);
 	more_refs = --(*ref);
 	pthread_mutex_unlock(&ref_mutex);
@@ -238,7 +276,7 @@ int time_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
 	time_t *time = *((time_t**)(args[0]));
 	bool utc = *((bool*)(args[1]));;
 	struct tm t;
-	
+
 	if (time == UNDEFINED_TIME)
 	{
 		return print_in_hook(dst, len, "--- -- --:--:--%s----",
@@ -267,7 +305,7 @@ int time_delta_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
 	time_t *arg1 = *((time_t**)(args[0]));
 	time_t *arg2 = *((time_t**)(args[1]));
 	time_t delta = abs(*arg1 - *arg2);
-	
+
 	if (delta > 2 * 60 * 60 * 24)
 	{
 		delta /= 60 * 60 * 24;
@@ -301,7 +339,7 @@ int mem_printf_hook(char *dst, size_t dstlen,
 {
 	char *bytes = *((void**)(args[0]));
 	int len = *((size_t*)(args[1]));
-	
+
 	char buffer[BYTES_PER_LINE * 3];
 	char ascii_buffer[BYTES_PER_LINE + 1];
 	char *buffer_pos = buffer;
@@ -310,9 +348,9 @@ int mem_printf_hook(char *dst, size_t dstlen,
 	int line_start = 0;
 	int i = 0;
 	int written = 0;
-	
+
 	written += print_in_hook(dst, dstlen, "=> %d bytes @ %p", len, bytes);
-	
+
 	while (bytes_pos < bytes_roof)
 	{
 		*buffer_pos++ = hexdig_upper[(*bytes_pos >> 4) & 0xF];
@@ -321,20 +359,20 @@ int mem_printf_hook(char *dst, size_t dstlen,
 		ascii_buffer[i++] =
 				(*bytes_pos > 31 && *bytes_pos < 127) ? *bytes_pos : '.';
 
-		if (++bytes_pos == bytes_roof || i == BYTES_PER_LINE) 
+		if (++bytes_pos == bytes_roof || i == BYTES_PER_LINE)
 		{
 			int padding = 3 * (BYTES_PER_LINE - i);
-			
+
 			while (padding--)
 			{
 				*buffer_pos++ = ' ';
 			}
 			*buffer_pos++ = '\0';
 			ascii_buffer[i] = '\0';
-			
+
 			written += print_in_hook(dst, dstlen, "\n%4d: %s  %s",
-								     line_start, buffer, ascii_buffer);
-			
+									 line_start, buffer, ascii_buffer);
+
 			buffer_pos = buffer;
 			line_start += BYTES_PER_LINE;
 			i = 0;
diff --git a/src/libstrongswan/utils.h b/src/libstrongswan/utils.h
index 5d273d272..964cbd1d2 100644
--- a/src/libstrongswan/utils.h
+++ b/src/libstrongswan/utils.h
@@ -25,6 +25,9 @@
 #include <sys/types.h>
 #include <stdlib.h>
 #include <stddef.h>
+#include <sys/time.h>
+#include <arpa/inet.h>
+#include <string.h>
 
 #include <enum.h>
 
@@ -71,12 +74,19 @@
 /**
  * Macro gives back larger of two values.
  */
-#define max(x,y) ((x) > (y) ? (x):(y))
+#define max(x,y) ({ \
+	typeof(x) _x = (x); \
+	typeof(y) _y = (y); \
+	_x > _y ? _x : _y; })
+
 
 /**
  * Macro gives back smaller of two values.
  */
-#define min(x,y) ((x) < (y) ? (x):(y))
+#define min(x,y) ({ \
+	typeof(x) _x = (x); \
+	typeof(y) _y = (y); \
+	_x < _y ? _x : _y; })
 
 /**
  * Call destructor of an object, if object != NULL
@@ -98,6 +108,35 @@
  */
 #define POS printf("%s, line %d\n", __FILE__, __LINE__)
 
+/**
+ * Object allocation/initialization macro, using designated initializer.
+ */
+#define INIT(this, ...) { (this) = malloc(sizeof(*this)); \
+						  *(this) = (typeof(*this)){ __VA_ARGS__ }; }
+
+/**
+ * Method declaration/definition macro, providing private and public interface.
+ *
+ * Defines a method name with this as first parameter and a return value ret,
+ * and an alias for this method with a _ prefix, having the this argument
+ * safely casted to the public interface iface.
+ * _name is provided a function pointer, but will get optimized out by GCC.
+ */
+#define METHOD(iface, name, ret, this, ...) \
+	static ret name(union {iface *_public; this;} \
+	__attribute__((transparent_union)), ##__VA_ARGS__); \
+	const static typeof(name) *_##name = (const typeof(name)*)name; \
+	static ret name(this, ##__VA_ARGS__)
+
+/**
+ * Same as METHOD(), but is defined for two public interfaces.
+ */
+#define METHOD2(iface1, iface2, name, ret, this, ...) \
+	static ret name(union {iface1 *_public1; iface2 *_public2; this;} \
+	__attribute__((transparent_union)), ##__VA_ARGS__); \
+	const static typeof(name) *_##name = (const typeof(name)*)name; \
+	static ret name(this, ##__VA_ARGS__)
+
 /**
  * Macro to allocate a sized type.
  */
@@ -123,6 +162,11 @@
  */
 #define UNDEFINED_TIME 0
 
+/**
+ * Maximum time since epoch causing wrap-around on Jan 19 03:14:07 UTC 2038
+ */
+#define TIME_32_BIT_SIGNED_MAX	0x7fffffff
+
 /**
  * General purpose boolean type.
  */
@@ -167,57 +211,57 @@ enum status_t {
 	 * Call succeeded.
 	 */
 	SUCCESS,
-	
+
 	/**
 	 * Call failed.
 	 */
 	FAILED,
-	
+
 	/**
 	 * Out of resources.
 	 */
 	OUT_OF_RES,
-	
+
 	/**
 	 * The suggested operation is already done
 	 */
 	ALREADY_DONE,
-	
+
 	/**
 	 * Not supported.
 	 */
 	NOT_SUPPORTED,
-	
+
 	/**
 	 * One of the arguments is invalid.
 	 */
 	INVALID_ARG,
-	
+
 	/**
 	 * Something could not be found.
 	 */
 	NOT_FOUND,
-	
+
 	/**
 	 * Error while parsing.
 	 */
 	PARSE_ERROR,
-	
+
 	/**
 	 * Error while verifying.
 	 */
 	VERIFY_ERROR,
-	
+
 	/**
 	 * Object in invalid state.
 	 */
 	INVALID_STATE,
-	
+
 	/**
 	 * Destroy object which called method belongs to.
 	 */
 	DESTROY_ME,
-	
+
 	/**
 	 * Another call to the method is required.
 	 */
@@ -267,14 +311,26 @@ void memxor(u_int8_t dest[], u_int8_t src[], size_t n);
 void *memstr(const void *haystack, const char *needle, size_t n);
 
 /**
- * Creates a directory and all required parent directories. 
+ * Creates a directory and all required parent directories.
  *
- * @param	path	path to the new directory
- * @param	mode	permissions of the new directory/directories 
+ * @param path		path to the new directory
+ * @param mode		permissions of the new directory/directories
  * @return			TRUE on success
  */
 bool mkdir_p(const char *path, mode_t mode);
 
+/**
+ * Get a timestamp from a monotonic time source.
+ *
+ * While the time()/gettimeofday() functions are affected by leap seconds
+ * and system time changes, this function returns ever increasing monotonic
+ * time stamps.
+ *
+ * @param tv		timeval struct receiving monotonic timestamps, or NULL
+ * @return			monotonic timestamp in seconds
+ */
+time_t time_monotonic(timeval_t *tv);
+
 /**
  * returns null
  */
@@ -295,6 +351,64 @@ bool return_true();
  */
 bool return_false();
 
+/**
+ * Write a 16-bit host order value in network order to an unaligned address.
+ *
+ * @param host		host order 16-bit value
+ * @param network	unaligned address to write network order value to
+ */
+static inline void htoun16(void *network, u_int16_t host)
+{
+	char *unaligned = (char*)network;
+
+	host = htons(host);
+	memcpy(unaligned, &host, sizeof(host));
+}
+
+/**
+ * Write a 32-bit host order value in network order to an unaligned address.
+ *
+ * @param host		host order 32-bit value
+ * @param network	unaligned address to write network order value to
+ */
+static inline void htoun32(void *network, u_int32_t host)
+{
+	char *unaligned = (char*)network;
+
+	host = htonl(host);
+	memcpy((char*)unaligned, &host, sizeof(host));
+}
+
+/**
+ * Read a 16-bit value in network order from an unaligned address to host order.
+ *
+ * @param network	unaligned address to read network order value from
+ * @return			host order value
+ */
+static inline u_int16_t untoh16(void *network)
+{
+	char *unaligned = (char*)network;
+	u_int16_t tmp;
+
+	memcpy(&tmp, unaligned, sizeof(tmp));
+	return ntohs(tmp);
+}
+
+/**
+ * Read a 32-bit value in network order from an unaligned address to host order.
+ *
+ * @param network	unaligned address to read network order value from
+ * @return			host order value
+ */
+static inline u_int32_t untoh32(void *network)
+{
+	char *unaligned = (char*)network;
+	u_int32_t tmp;
+
+	memcpy(&tmp, unaligned, sizeof(tmp));
+	return ntohl(tmp);
+}
+
 /**
  * Special type to count references
  */
@@ -320,7 +434,7 @@ void ref_get(refcount_t *ref);
 /**
  * Put back a unused reference.
  *
- * Decrements the reference counter atomic and 
+ * Decrements the reference counter atomic and
  * says if more references available.
  *
  * @param ref	pointer to ref counter
@@ -333,8 +447,8 @@ bool ref_put(refcount_t *ref);
 /**
  * printf hook for time_t.
  *
- * Arguments are: 
- *    time_t* time, bool utc
+ * Arguments are:
+ *	time_t* time, bool utc
  */
 int time_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
 					 const void *const *args);
@@ -342,8 +456,8 @@ int time_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
 /**
  * printf hook for time_t deltas.
  *
- * Arguments are: 
- *    time_t* begin, time_t* end
+ * Arguments are:
+ *	time_t* begin, time_t* end
  */
 int time_delta_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
 						   const void *const *args);
@@ -351,8 +465,8 @@ int time_delta_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
 /**
  * printf hook for memory areas.
  *
- * Arguments are: 
- *    u_char *ptr, int len
+ * Arguments are:
+ *	u_char *ptr, int len
  */
 int mem_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
 					const void *const *args);
diff --git a/src/libstrongswan/utils/backtrace.c b/src/libstrongswan/utils/backtrace.c
index f110521af..5bba8ec21 100644
--- a/src/libstrongswan/utils/backtrace.c
+++ b/src/libstrongswan/utils/backtrace.c
@@ -33,17 +33,17 @@ typedef struct private_backtrace_t private_backtrace_t;
  * Private data of an backtrace_t object.
  */
 struct private_backtrace_t {
-	
+
 	/**
 	 * Public backtrace_t interface.
 	 */
 	backtrace_t public;
-	
+
 	/**
 	 * Number of stacks frames obtained in stack_frames
 	 */
 	int frame_count;
-	
+
 	/**
 	 * Recorded stack frames.
 	 */
@@ -58,7 +58,7 @@ static void log_(private_backtrace_t *this, FILE *file)
 #ifdef HAVE_BACKTRACE
 	size_t i;
 	char **strings;
-	
+
 	strings = backtrace_symbols(this->frames, this->frame_count);
 
 	fprintf(file, " dumping %d stack frame addresses:\n", this->frame_count);
@@ -66,14 +66,14 @@ static void log_(private_backtrace_t *this, FILE *file)
 	{
 #ifdef HAVE_DLADDR
 		Dl_info info;
-		
+
 		if (dladdr(this->frames[i], &info))
 		{
 			char cmd[1024];
 			FILE *output;
-			char c;
+			int c;
 			void *ptr = this->frames[i];
-			
+
 			if (strstr(info.dli_fname, ".so"))
 			{
 				ptr = (void*)(this->frames[i] - info.dli_fbase);
@@ -136,7 +136,7 @@ static bool contains_function(private_backtrace_t *this, char *function)
 	for (i = 0; i< this->frame_count; i++)
 	{
 		Dl_info info;
-		
+
 		if (dladdr(this->frames[i], &info) && info.dli_sname)
 		{
 			if (streq(info.dli_sname, function))
@@ -165,7 +165,7 @@ backtrace_t *backtrace_create(int skip)
 	private_backtrace_t *this;
 	void *frames[50];
 	int frame_count = 0;
-	
+
 #ifdef HAVE_BACKTRACE
 	frame_count = backtrace(frames, countof(frames));
 #endif /* HAVE_BACKTRACE */
@@ -173,11 +173,11 @@ backtrace_t *backtrace_create(int skip)
 	this = malloc(sizeof(private_backtrace_t) + frame_count * sizeof(void*));
 	memcpy(this->frames, frames + skip, frame_count * sizeof(void*));
 	this->frame_count = frame_count;
-	
+
 	this->public.log = (void(*)(backtrace_t*,FILE*))log_;
 	this->public.contains_function = (bool(*)(backtrace_t*, char *function))contains_function;
 	this->public.destroy = (void(*)(backtrace_t*))destroy;
-	
+
 	return &this->public;
 }
 
diff --git a/src/libstrongswan/utils/backtrace.h b/src/libstrongswan/utils/backtrace.h
index 061d9f356..c4d4284d1 100644
--- a/src/libstrongswan/utils/backtrace.h
+++ b/src/libstrongswan/utils/backtrace.h
@@ -31,12 +31,12 @@ typedef struct backtrace_t backtrace_t;
  * A backtrace registers the frames on the stack during creation.
  */
 struct backtrace_t {
-	
+
 	/**
 	 * Log the backtrace to a FILE stream.
 	 */
 	void (*log)(backtrace_t *this, FILE *file);
-	
+
 	/**
 	 * Check if the backtrace contains a frame in a specific function.
 	 *
@@ -44,7 +44,7 @@ struct backtrace_t {
 	 * @return		TRUE if function is in the stack
 	 */
 	bool (*contains_function)(backtrace_t *this, char *function);
-	
+
 	/**
 	 * Destroy a backtrace instance.
 	 */
diff --git a/src/libstrongswan/utils/enumerator.c b/src/libstrongswan/utils/enumerator.c
index 08522b8d5..7efdd883e 100644
--- a/src/libstrongswan/utils/enumerator.c
+++ b/src/libstrongswan/utils/enumerator.c
@@ -77,7 +77,7 @@ static bool enumerate_dir_enum(dir_enum_t *this, char **relative,
 {
 	struct dirent *entry = readdir(this->dir);
 	size_t len, remaining;
-	
+
 	if (!entry)
 	{
 		return FALSE;
@@ -91,7 +91,7 @@ static bool enumerate_dir_enum(dir_enum_t *this, char **relative,
 		*relative = entry->d_name;
 	}
 	if (absolute || st)
-	{	
+	{
 		remaining = sizeof(this->full) - (this->full_end - this->full);
 		len = snprintf(this->full_end, remaining, "%s", entry->d_name);
 		if (len < 0 || len >= remaining)
@@ -124,7 +124,7 @@ enumerator_t* enumerator_create_directory(char *path)
 	dir_enum_t *this = malloc_thing(dir_enum_t);
 	this->public.enumerate = (void*)enumerate_dir_enum;
 	this->public.destroy = (void*)destroy_dir_enum;
-	
+
 	if (*path == '\0')
 	{
 		path = "./";
@@ -132,7 +132,7 @@ enumerator_t* enumerator_create_directory(char *path)
 	len = snprintf(this->full, sizeof(this->full)-1, "%s", path);
 	if (len < 0 || len >= sizeof(this->full)-1)
 	{
-		DBG1("path string %s too long", path);
+		DBG1("path string '%s' too long", path);
 		free(this);
 		return NULL;
 	}
@@ -143,11 +143,11 @@ enumerator_t* enumerator_create_directory(char *path)
 		this->full[len] = '\0';
 	}
 	this->full_end = &this->full[len];
-	
+
 	this->dir = opendir(path);
 	if (this->dir == NULL)
 	{
-		DBG1("opening directory %s failed: %s", path, strerror(errno));
+		DBG1("opening directory '%s' failed: %s", path, strerror(errno));
 		free(this);
 		return NULL;
 	}
@@ -186,7 +186,7 @@ static bool enumerate_token_enum(token_enum_t *this, char **token)
 {
 	char *pos = NULL, *tmp, *sep, *trim;
 	bool last = FALSE;
-	
+
 	/* trim leading characters/separators */
 	while (*this->pos)
 	{
@@ -215,7 +215,7 @@ static bool enumerate_token_enum(token_enum_t *this, char **token)
 			break;
 		}
 	}
-	
+
 	switch (*this->pos)
 	{
 		case '"':
@@ -259,7 +259,7 @@ static bool enumerate_token_enum(token_enum_t *this, char **token)
 			break;
 		}
 	}
-	
+
 	/* trim trailing characters/separators */
 	pos--;
 	while (pos >= *token)
@@ -289,7 +289,7 @@ static bool enumerate_token_enum(token_enum_t *this, char **token)
 			break;
 		}
 	}
-	
+
 	if (!last || pos >= *token)
 	{
 		return TRUE;
@@ -303,14 +303,14 @@ static bool enumerate_token_enum(token_enum_t *this, char **token)
 enumerator_t* enumerator_create_token(char *string, char *sep, char *trim)
 {
 	token_enum_t *enumerator = malloc_thing(token_enum_t);
-	
+
 	enumerator->public.enumerate = (void*)enumerate_token_enum;
 	enumerator->public.destroy = (void*)destroy_token_enum;
 	enumerator->string = strdup(string);
 	enumerator->pos = enumerator->string;
 	enumerator->sep = sep;
 	enumerator->trim = trim;
-	
+
 	return &enumerator->public;
 }
 
@@ -342,9 +342,9 @@ static bool enumerate_nested(nested_enumerator_t *this, void *v1, void *v2,
 	while (TRUE)
 	{
 		while (this->inner == NULL)
-		{	
+		{
 			void *outer;
-			
+
 			if (!this->outer->enumerate(this->outer, &outer))
 			{
 				return FALSE;
@@ -382,7 +382,7 @@ enumerator_t *enumerator_create_nested(enumerator_t *outer,
 					void *data, void (*destroy_data)(void *data))
 {
 	nested_enumerator_t *enumerator = malloc_thing(nested_enumerator_t);
-	
+
 	enumerator->public.enumerate = (void*)enumerate_nested;
 	enumerator->public.destroy = (void*)destroy_nested;
 	enumerator->outer = outer;
@@ -390,7 +390,7 @@ enumerator_t *enumerator_create_nested(enumerator_t *outer,
 	enumerator->create_inner = (void*)inner_constructor;
 	enumerator->data = data;
 	enumerator->destroy_data = destroy_data;
-	
+
 	return &enumerator->public;
 }
 
@@ -444,14 +444,14 @@ enumerator_t *enumerator_create_filter(enumerator_t *unfiltered,
 									   void *data, void (*destructor)(void *data))
 {
 	filter_enumerator_t *this = malloc_thing(filter_enumerator_t);
-	
+
 	this->public.enumerate = (void*)enumerate_filter;
 	this->public.destroy = (void*)destroy_filter;
 	this->unfiltered = unfiltered;
 	this->filter = filter;
 	this->data = data;
 	this->destructor = destructor;
-	
+
 	return &this->public;
 }
 
@@ -491,13 +491,13 @@ enumerator_t *enumerator_create_cleaner(enumerator_t *wrapped,
 										void (*cleanup)(void *data), void *data)
 {
 	cleaner_enumerator_t *this = malloc_thing(cleaner_enumerator_t);
-	
+
 	this->public.enumerate = (void*)enumerate_cleaner;
 	this->public.destroy = (void*)destroy_cleaner;
 	this->wrapped = wrapped;
 	this->cleanup = cleanup;
 	this->data = data;
-	
+
 	return &this->public;
 }
 
@@ -543,13 +543,13 @@ static bool enumerate_single(single_enumerator_t *this, void **item)
 enumerator_t *enumerator_create_single(void *item, void (*cleanup)(void *item))
 {
 	single_enumerator_t *this = malloc_thing(single_enumerator_t);
-	
+
 	this->public.enumerate = (void*)enumerate_single;
 	this->public.destroy = (void*)destroy_single;
 	this->item = item;
 	this->cleanup = cleanup;
 	this->done = FALSE;
-	
+
 	return &this->public;
 }
 
diff --git a/src/libstrongswan/utils/enumerator.h b/src/libstrongswan/utils/enumerator.h
index 4367d0836..3056498b1 100644
--- a/src/libstrongswan/utils/enumerator.h
+++ b/src/libstrongswan/utils/enumerator.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  */
- 
+
 /**
  * @defgroup enumerator enumerator
  * @{ @ingroup utils
@@ -33,18 +33,18 @@ struct enumerator_t {
 	/**
 	 * Enumerate collection.
 	 *
-	 * The enumerate function takes a variable argument list containing 
+	 * The enumerate function takes a variable argument list containing
 	 * pointers where the enumerated values get written.
 	 *
 	 * @param ...	variable list of enumerated items, implementation dependant
 	 * @return		TRUE if pointers returned
 	 */
 	bool (*enumerate)(enumerator_t *this, ...);
-		
+
 	/**
-     * Destroy a enumerator instance.
-     */
-    void (*destroy)(enumerator_t *this);
+	 * Destroy a enumerator instance.
+	 */
+	void (*destroy)(enumerator_t *this);
 };
 
 /**
@@ -75,7 +75,7 @@ enumerator_t *enumerator_create_single(void *item, void (*cleanup)(void *item));
 	char *rel, *abs;
 	struct stat st;
 	enumerator_t *e;
-	
+
 	e = enumerator_create_directory("/tmp");
 	if (e)
 	{
@@ -110,7 +110,7 @@ enumerator_t* enumerator_create_token(char *string, char *sep, char *trim);
 
 /**
  * Creates an enumerator which enumerates over enumerated enumerators :-).
- * 
+ *
  * The variable argument list of enumeration values is limit to 5.
  *
  * @param outer					outer enumerator
diff --git a/src/libstrongswan/utils/hashtable.c b/src/libstrongswan/utils/hashtable.c
index 6d33d023b..02c225833 100644
--- a/src/libstrongswan/utils/hashtable.c
+++ b/src/libstrongswan/utils/hashtable.c
@@ -30,12 +30,12 @@ struct pair_t {
 	 * Key of a hash table item.
 	 */
 	void *key;
-	
+
 	/**
 	 * Value of a hash table item.
 	 */
 	void *value;
-	
+
 	/**
 	 * Cached hash (used in case of a resize).
 	 */
@@ -48,11 +48,11 @@ struct pair_t {
 pair_t *pair_create(void *key, void *value, u_int hash)
 {
 	pair_t *this = malloc_thing(pair_t);
-	
+
 	this->key = key;
 	this->value = value;
 	this->hash = hash;
-	
+
 	return this;
 }
 
@@ -67,37 +67,37 @@ struct private_hashtable_t {
 	 * Public part of hash table.
 	 */
 	hashtable_t public;
-	
+
 	/**
-	 * The number of items in the hash table. 
+	 * The number of items in the hash table.
 	 */
 	u_int count;
-	
+
 	/**
 	 * The current capacity of the hash table (always a power of 2).
 	 */
 	u_int capacity;
-	
+
 	/**
-	 * The current mask to calculate the row index (capacity - 1). 
+	 * The current mask to calculate the row index (capacity - 1).
 	 */
 	u_int mask;
-	
+
 	/**
 	 * The load factor.
 	 */
 	float load_factor;
-	
+
 	/**
 	 * The actual table.
 	 */
 	linked_list_t **table;
-	
+
 	/**
 	 * The hashing function.
 	 */
 	hashtable_hash_t hash;
-	
+
 	/**
 	 * The equality function.
 	 */
@@ -115,17 +115,17 @@ struct private_enumerator_t {
 	 * implements enumerator interface
 	 */
 	enumerator_t enumerator;
-	
+
 	/**
 	 * associated hash table
 	 */
 	private_hashtable_t *table;
-	
+
 	/**
 	 * current row index
 	 */
 	u_int row;
-	
+
 	/**
 	 * enumerator for the current row
 	 */
@@ -149,6 +149,7 @@ static inline bool pair_equals(pair_t *pair, private_hashtable_t *this, void *ke
 static u_int get_nearest_powerof2(u_int n)
 {
 	u_int i;
+
 	--n;
 	for (i = 1; i < sizeof(u_int) * 8; i <<= 1)
 	{
@@ -166,7 +167,7 @@ static void init_hashtable(private_hashtable_t *this, u_int capacity)
 	this->capacity = get_nearest_powerof2(capacity);
 	this->mask = this->capacity - 1;
 	this->load_factor = 0.75;
-	
+
 	this->table = calloc(this->capacity, sizeof(linked_list_t*));
 }
 
@@ -175,30 +176,37 @@ static void init_hashtable(private_hashtable_t *this, u_int capacity)
  */
 static void rehash(private_hashtable_t *this)
 {
-	u_int row;
-	u_int old_capacity = this->capacity;
-	linked_list_t **old_table = this->table;
-	
-	if (old_capacity >= MAX_CAPACITY)
+	linked_list_t **old_table;
+	u_int row, old_capacity;
+
+	if (this->capacity < MAX_CAPACITY)
 	{
 		return;
 	}
-	
+
+	old_capacity = this->capacity;
+	old_table = this->table;
+
 	init_hashtable(this, old_capacity << 1);
-	
-	for (row = 0; row < old_capacity; ++row)
+
+	for (row = 0; row < old_capacity; row++)
 	{
-		linked_list_t *list;
-		if ((list = old_table[row]) != NULL)
+		enumerator_t *enumerator;
+		linked_list_t *list, *new_list;
+		pair_t *pair;
+		u_int new_row;
+
+		list = old_table[row];
+		if (list)
 		{
-			pair_t *pair;
-			enumerator_t *enumerator = list->create_enumerator(list);
+			enumerator = list->create_enumerator(list);
 			while (enumerator->enumerate(enumerator, &pair))
 			{
-				linked_list_t *new_list;
-				u_int new_row = pair->hash & this->mask;
+				new_row = pair->hash & this->mask;
+
 				list->remove_at(list, enumerator);
-				if ((new_list = this->table[new_row]) == NULL)
+				new_list = this->table[new_row];
+				if (!new_list)
 				{
 					new_list = this->table[new_row] = linked_list_create();
 				}
@@ -216,15 +224,20 @@ static void rehash(private_hashtable_t *this)
  */
 static void *put(private_hashtable_t *this, void *key, void *value)
 {
-	linked_list_t *list;
 	void *old_value = NULL;
-	u_int hash = this->hash(key);
-	u_int row = hash & this->mask;
-	
-	if ((list = this->table[row]) != NULL)
+	linked_list_t *list;
+	u_int hash;
+	u_int row;
+
+	hash = this->hash(key);
+	row = hash & this->mask;
+	list = this->table[row];
+	if (list)
 	{
+		enumerator_t *enumerator;
 		pair_t *pair;
-		enumerator_t *enumerator = list->create_enumerator(list);
+
+		enumerator = list->create_enumerator(list);
 		while (enumerator->enumerate(enumerator, &pair))
 		{
 			if (pair_equals(pair, this, key))
@@ -240,43 +253,39 @@ static void *put(private_hashtable_t *this, void *key, void *value)
 	{
 		list = this->table[row] = linked_list_create();
 	}
-	
 	if (!old_value)
 	{
 		list->insert_last(list, pair_create(key, value, hash));
 		this->count++;
 	}
-	
 	if (this->count >= this->capacity * this->load_factor)
 	{
 		rehash(this);
 	}
-	
 	return old_value;
 }
-	
+
 /**
- * Implementation of hashtable_t.get  
+ * Implementation of hashtable_t.get
  */
 static void *get(private_hashtable_t *this, void *key)
 {
 	void *value = NULL;
 	linked_list_t *list;
-	u_int row = this->hash(key) & this->mask;
-	
-	if ((list = this->table[row]) != NULL)
+	pair_t *pair;
+
+	list = this->table[this->hash(key) & this->mask];
+	if (list)
 	{
-		pair_t *pair;
 		if (list->find_first(list, (linked_list_match_t)pair_equals,
-				(void**)&pair, this, key) == SUCCESS)
+							 (void**)&pair, this, key) == SUCCESS)
 		{
 			value = pair->value;
 		}
 	}
-	
 	return value;
 }
-	
+
 /**
  * Implementation of hashtable_t.remove
  */
@@ -284,12 +293,14 @@ static void *remove_(private_hashtable_t *this, void *key)
 {
 	void *value = NULL;
 	linked_list_t *list;
-	u_int row = this->hash(key) & this->mask;	
-	
-	if ((list = this->table[row]) != NULL)
+
+	list = this->table[this->hash(key) & this->mask];
+	if (list)
 	{
+		enumerator_t *enumerator;
 		pair_t *pair;
-		enumerator_t *enumerator = list->create_enumerator(list);
+
+		enumerator = list->create_enumerator(list);
 		while (enumerator->enumerate(enumerator, &pair))
 		{
 			if (pair_equals(pair, this, key))
@@ -303,10 +314,9 @@ static void *remove_(private_hashtable_t *this, void *key)
 		}
 		enumerator->destroy(enumerator);
 	}
-	
 	return value;
 }
-	
+
 /**
  * Implementation of hashtable_t.get_count
  */
@@ -325,7 +335,7 @@ static bool enumerate(private_enumerator_t *this, void **key, void **value)
 		if (this->current)
 		{
 			pair_t *pair;
-			
+
 			if (this->current->enumerate(this->current, &pair))
 			{
 				if (key)
@@ -344,8 +354,9 @@ static bool enumerate(private_enumerator_t *this, void **key, void **value)
 		else
 		{
 			linked_list_t *list;
-			
-			if ((list = this->table->table[this->row]) != NULL)
+
+			list = this->table->table[this->row];
+			if (list)
 			{
 				this->current = list->create_enumerator(list);
 				continue;
@@ -374,26 +385,28 @@ static void enumerator_destroy(private_enumerator_t *this)
 static enumerator_t* create_enumerator(private_hashtable_t *this)
 {
 	private_enumerator_t *enumerator = malloc_thing(private_enumerator_t);
-	
+
 	enumerator->enumerator.enumerate = (void*)enumerate;
 	enumerator->enumerator.destroy = (void*)enumerator_destroy;
 	enumerator->table = this;
 	enumerator->row = 0;
 	enumerator->current = NULL;
-	
+
 	return &enumerator->enumerator;
 }
-	
+
 /**
  * Implementation of hashtable_t.destroy
  */
 static void destroy(private_hashtable_t *this)
 {
+	linked_list_t *list;
 	u_int row;
-	for (row = 0; row < this->capacity; ++row)
+
+	for (row = 0; row < this->capacity; row++)
 	{
-		linked_list_t *list;
-		if ((list = this->table[row]) != NULL)
+		list = this->table[row];
+		if (list)
 		{
 			list->destroy_function(list, free);
 		}
@@ -411,12 +424,12 @@ hashtable_t *hashtable_create(hashtable_hash_t hash, hashtable_equals_t equals,
 	private_hashtable_t *this = malloc_thing(private_hashtable_t);
 
 	this->public.put = (void*(*)(hashtable_t*,void*,void*))put;
-	this->public.get = (void*(*)(hashtable_t*,void*))get; 
+	this->public.get = (void*(*)(hashtable_t*,void*))get;
 	this->public.remove = (void*(*)(hashtable_t*,void*))remove_;
 	this->public.get_count = (u_int(*)(hashtable_t*))get_count;
 	this->public.create_enumerator = (enumerator_t*(*)(hashtable_t*))create_enumerator;
 	this->public.destroy = (void(*)(hashtable_t*))destroy;
-	
+
 	this->count = 0;
 	this->capacity = 0;
 	this->mask = 0;
@@ -424,8 +437,9 @@ hashtable_t *hashtable_create(hashtable_hash_t hash, hashtable_equals_t equals,
 	this->table = NULL;
 	this->hash = hash;
 	this->equals = equals;
-	
+
 	init_hashtable(this, capacity);
-	
+
 	return &this->public;
 }
+
diff --git a/src/libstrongswan/utils/hashtable.h b/src/libstrongswan/utils/hashtable.h
index cbe51f557..142ea6329 100644
--- a/src/libstrongswan/utils/hashtable.h
+++ b/src/libstrongswan/utils/hashtable.h
@@ -48,61 +48,61 @@ typedef bool (*hashtable_equals_t)(void *key, void *other_key);
  * General purpose hash table. This hash table is not synchronized.
  */
 struct hashtable_t {
-	
+
 	/**
 	 * Create an enumerator over the hash table key/value pairs.
-	 * 
+	 *
 	 * @return			enumerator over (void *key, void *value)
 	 */
 	enumerator_t *(*create_enumerator) (hashtable_t *this);
-	
+
 	/**
 	 * Adds the given value with the given key to the hash table, if there
 	 * exists no entry with that key. NULL is returned in this case.
 	 * Otherwise the existing value is replaced and the function returns the
 	 * old value.
-	 * 
+	 *
 	 * @param key		the key to store
 	 * @param value		the value to store
 	 * @return			NULL if no item was replaced, the old value otherwise
 	 */
 	void *(*put) (hashtable_t *this, void *key, void *value);
-	
+
 	/**
 	 * Returns the value with the given key, if the hash table contains such an
 	 * entry, otherwise NULL is returned.
-	 * 
+	 *
 	 * @param key		the key of the requested value
-	 * @return			the value, NULL if not found  
+	 * @return			the value, NULL if not found
 	 */
 	void *(*get) (hashtable_t *this, void *key);
-	
+
 	/**
 	 * Removes the value with the given key from the hash table and returns the
 	 * removed value (or NULL if no such value existed).
-	 * 
+	 *
 	 * @param key		the key of the value to remove
 	 * @return			the removed value, NULL if not found
 	 */
 	void *(*remove) (hashtable_t *this, void *key);
-	
+
 	/**
 	 * Gets the number of items in the hash table.
-	 * 
+	 *
 	 * @return 			number of items
 	 */
 	u_int (*get_count) (hashtable_t *this);
-	
+
 	/**
 	 * Destroys a hash table object.
 	 */
 	void (*destroy) (hashtable_t *this);
-	
+
 };
 
 /**
  * Creates an empty hash table object.
- * 
+ *
  * @param hash			hash function
  * @param equals		equals function
  * @param capacity		initial capacity
diff --git a/src/libstrongswan/utils/host.c b/src/libstrongswan/utils/host.c
index 661bec315..a610b3a4d 100644
--- a/src/libstrongswan/utils/host.c
+++ b/src/libstrongswan/utils/host.c
@@ -38,7 +38,7 @@ struct private_host_t {
 	 * Public data
 	 */
 	host_t public;
-	
+
 	/**
 	 * low-lewel structure, wich stores the address
 	 */
@@ -111,7 +111,7 @@ int host_printf_hook(char *dst, size_t dstlen, printf_hook_spec_t *spec,
 {
 	private_host_t *this = *((private_host_t**)(args[0]));
 	char buffer[INET6_ADDRSTRLEN + 16];
-	
+
 	if (this == NULL)
 	{
 		snprintf(buffer, sizeof(buffer), "(null)");
@@ -126,10 +126,10 @@ int host_printf_hook(char *dst, size_t dstlen, printf_hook_spec_t *spec,
 		void *address;
 		u_int16_t port;
 		int len;
-		
+
 		address = &this->address6.sin6_addr;
 		port = this->address6.sin6_port;
-		
+
 		switch (this->address.sa_family)
 		{
 			case AF_INET:
@@ -137,7 +137,7 @@ int host_printf_hook(char *dst, size_t dstlen, printf_hook_spec_t *spec,
 				port = this->address4.sin_port;
 				/* fall */
 			case AF_INET6:
-	
+
 				if (inet_ntop(this->address.sa_family, address,
 							  buffer, sizeof(buffer)) == NULL)
 				{
@@ -169,7 +169,7 @@ int host_printf_hook(char *dst, size_t dstlen, printf_hook_spec_t *spec,
 static chunk_t get_address(private_host_t *this)
 {
 	chunk_t address = chunk_empty;
-	
+
 	switch (this->address.sa_family)
 	{
 		case AF_INET:
@@ -252,7 +252,7 @@ static void set_port(private_host_t *this, u_int16_t port)
 static private_host_t *clone_(private_host_t *this)
 {
 	private_host_t *new = malloc_thing(private_host_t);
-	
+
 	memcpy(new, this, sizeof(private_host_t));
 	return new;
 }
@@ -267,7 +267,7 @@ static bool ip_equals(private_host_t *this, private_host_t *other)
 		/* 0.0.0.0 and 0::0 are equal */
 		return (is_anyaddr(this) && is_anyaddr(other));
 	}
-	
+
 	switch (this->address.sa_family)
 	{
 		case AF_INET:
@@ -292,7 +292,7 @@ static bool ip_equals(private_host_t *this, private_host_t *other)
 static host_diff_t get_differences(host_t *this, host_t *other)
 {
 	host_diff_t ret = HOST_DIFF_NONE;
-	
+
 	if (!this->ip_equals(this, other))
 	{
 		ret |= HOST_DIFF_ADDR;
@@ -302,7 +302,7 @@ static host_diff_t get_differences(host_t *this, host_t *other)
 	{
 		ret |= HOST_DIFF_PORT;
 	}
-	
+
 	return ret;
 }
 
@@ -315,7 +315,7 @@ static bool equals(private_host_t *this, private_host_t *other)
 	{
 		return FALSE;
 	}
-	
+
 	switch (this->address.sa_family)
 	{
 		case AF_INET:
@@ -346,7 +346,7 @@ static void destroy(private_host_t *this)
 static private_host_t *host_create_empty(void)
 {
 	private_host_t *this = malloc_thing(private_host_t);
-	
+
 	this->public.get_sockaddr = (sockaddr_t* (*) (host_t*))get_sockaddr;
 	this->public.get_sockaddr_len = (socklen_t*(*) (host_t*))get_sockaddr_len;
 	this->public.clone = (host_t* (*) (host_t*))clone_;
@@ -359,7 +359,7 @@ static private_host_t *host_create_empty(void)
 	this->public.equals = (bool (*) (host_t *,host_t *)) equals;
 	this->public.is_anyaddr = (bool (*) (host_t *)) is_anyaddr;
 	this->public.destroy = (void (*) (host_t*))destroy;
-	
+
 	return this;
 }
 
@@ -369,7 +369,7 @@ static private_host_t *host_create_empty(void)
 static host_t *host_create_any_port(int family, u_int16_t port)
 {
 	host_t *this;
-	
+
 	this = host_create_any(family);
 	this->set_port(this, port);
 	return this;
@@ -381,7 +381,7 @@ static host_t *host_create_any_port(int family, u_int16_t port)
 host_t *host_create_from_string(char *string, u_int16_t port)
 {
 	private_host_t *this;
-	
+
 	if (streq(string, "%any"))
 	{
 		return host_create_any_port(AF_INET, port);
@@ -390,7 +390,7 @@ host_t *host_create_from_string(char *string, u_int16_t port)
 	{
 		return host_create_any_port(AF_INET6, port);
 	}
-	
+
 	this = host_create_empty();
 	if (strchr(string, '.'))
 	{
@@ -437,7 +437,7 @@ host_t *host_create_from_string(char *string, u_int16_t port)
 host_t *host_create_from_sockaddr(sockaddr_t *sockaddr)
 {
 	private_host_t *this = host_create_empty();
-	
+
 	switch (sockaddr->sa_family)
 	{
 		case AF_INET:
@@ -467,7 +467,7 @@ host_t *host_create_from_dns(char *string, int af, u_int16_t port)
 	private_host_t *this;
 	struct addrinfo hints, *result;
 	int error;
-	
+
 	if (streq(string, "%any"))
 	{
 		return host_create_any_port(af ? af : AF_INET, port);
@@ -476,7 +476,7 @@ host_t *host_create_from_dns(char *string, int af, u_int16_t port)
 	{
 		return host_create_any_port(af ? af : AF_INET6, port);
 	}
-	
+
 	memset(&hints, 0, sizeof(hints));
 	hints.ai_family = af;
 	error = getaddrinfo(string, NULL, &hints, &result);
@@ -510,7 +510,7 @@ host_t *host_create_from_dns(char *string, int af, u_int16_t port)
 host_t *host_create_from_chunk(int family, chunk_t address, u_int16_t port)
 {
 	private_host_t *this;
-	
+
 	switch (family)
 	{
 		case AF_INET:
@@ -567,10 +567,10 @@ host_t *host_create_from_chunk(int family, chunk_t address, u_int16_t port)
 host_t *host_create_any(int family)
 {
 	private_host_t *this = host_create_empty();
-	
+
 	memset(&this->address_max, 0, sizeof(struct sockaddr_storage));
 	this->address.sa_family = family;
-	
+
 	switch (family)
 	{
 		case AF_INET:
diff --git a/src/libstrongswan/utils/host.h b/src/libstrongswan/utils/host.h
index 0a2541d96..f5796154c 100644
--- a/src/libstrongswan/utils/host.h
+++ b/src/libstrongswan/utils/host.h
@@ -34,7 +34,7 @@ typedef struct host_t host_t;
 #include <netinet/in.h>
 #include <arpa/inet.h>
 
-#include <library.h>
+#include <chunk.h>
 
 /**
  * Differences between two hosts. They differ in
@@ -48,103 +48,103 @@ enum host_diff_t {
 
 /**
  * Representates a Host
- * 
- * Host object, identifies a address:port pair and defines some 
+ *
+ * Host object, identifies a address:port pair and defines some
  * useful functions on it.
  */
 struct host_t {
-	
-	/** 
+
+	/**
 	 * Build a clone of this host object.
-	 * 
+	 *
 	 * @return		cloned host
 	 */
 	host_t *(*clone) (host_t *this);
-	
-	/** 
+
+	/**
 	 * Get a pointer to the internal sockaddr struct.
-	 * 
+	 *
 	 * This is used for sending and receiving via sockets.
-	 * 
+	 *
 	 * @return		pointer to the internal sockaddr structure
 	 */
 	sockaddr_t  *(*get_sockaddr) (host_t *this);
-	
-	/** 
+
+	/**
 	 * Get the length of the sockaddr struct.
-	 * 
+	 *
 	 * Depending on the family, the length of the sockaddr struct
 	 * is different. Use this function to get the length of the sockaddr
 	 * struct returned by get_sock_addr.
-	 * 
+	 *
 	 * This is used for sending and receiving via sockets.
-	 * 
+	 *
 	 * @return		length of the sockaddr struct
 	 */
 	socklen_t *(*get_sockaddr_len) (host_t *this);
-	
+
 	/**
 	 * Gets the family of the address
-	 * 
+	 *
 	 * @return		family
 	 */
 	int (*get_family) (host_t *this);
-	
-	/** 
+
+	/**
 	 * Checks if the ip address of host is set to default route.
-	 * 
+	 *
 	 * @return		TRUE if host is 0.0.0.0 or 0::0, FALSE otherwise
 	 */
 	bool (*is_anyaddr) (host_t *this);
-	
-	/** 
+
+	/**
 	 * Get the address of this host as chunk_t
-	 * 
+	 *
 	 * Returned chunk points to internal data.
-	 * 
-	 * @return		address string, 
+	 *
+	 * @return		address string,
 	 */
 	chunk_t (*get_address) (host_t *this);
-		
-	/** 
+
+	/**
 	 * Get the port of this host
-	 * 
+	 *
 	 * @return		port number
 	 */
 	u_int16_t (*get_port) (host_t *this);
 
-	/** 
+	/**
 	 * Set the port of this host
 	 *
 	 * @param port	port numer
 	 */
 	void (*set_port) (host_t *this, u_int16_t port);
-		
-	/** 
+
+	/**
 	 * Compare the ips of two hosts hosts.
-	 * 
+	 *
 	 * @param other	the other to compare
 	 * @return		TRUE if addresses are equal.
 	 */
 	bool (*ip_equals) (host_t *this, host_t *other);
-		
-	/** 
+
+	/**
 	 * Compare two hosts, with port.
-	 * 
+	 *
 	 * @param other	the other to compare
 	 * @return		TRUE if addresses and ports are equal.
 	 */
 	bool (*equals) (host_t *this, host_t *other);
 
-	/** 
+	/**
 	 * Compare two hosts and return the differences.
 	 *
 	 * @param other	the other to compare
 	 * @return		differences in a combination of host_diff_t's
 	 */
 	host_diff_t (*get_differences) (host_t *this, host_t *other);
-	
-	/** 
+
+	/**
 	 * Destroy this host object.
 	 */
 	void (*destroy) (host_t *this);
@@ -200,8 +200,8 @@ host_t *host_create_any(int family);
 /**
  * printf hook function for host_t.
  *
- * Arguments are: 
- *    host_t *host
+ * Arguments are:
+ *	host_t *host
  * Use #-modifier to include port number
  */
 int host_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
diff --git a/src/libstrongswan/utils/identification.c b/src/libstrongswan/utils/identification.c
index 10daf4679..b0da340bc 100644
--- a/src/libstrongswan/utils/identification.c
+++ b/src/libstrongswan/utils/identification.c
@@ -26,6 +26,7 @@
 
 #include <asn1/oid.h>
 #include <asn1/asn1.h>
+#include <crypto/hashers/hasher.h>
 
 ENUM_BEGIN(id_match_names, ID_MATCH_NONE, ID_MATCH_MAX_WILDCARDS,
 	"MATCH_NONE",
@@ -48,15 +49,14 @@ ENUM_BEGIN(id_type_names, ID_ANY, ID_KEY_ID,
 	"ID_DER_ASN1_DN",
 	"ID_DER_ASN1_GN",
 	"ID_KEY_ID");
-ENUM_NEXT(id_type_names, ID_DER_ASN1_GN_URI, ID_CERT_DER_SHA1, ID_KEY_ID,
-	"ID_DER_ASN1_GN_URI",
-	"ID_PUBKEY_INFO_SHA1",
-	"ID_PUBKEY_SHA1",
-	"ID_CERT_DER_SHA1");
-ENUM_END(id_type_names, ID_CERT_DER_SHA1);
+ENUM_NEXT(id_type_names, ID_DER_ASN1_GN_URI, ID_MYID, ID_KEY_ID,
+	"ID_DER_ASN1_GN_URI"
+	"ID_IETF_ATTR_STRING"
+	"ID_MYID");
+ENUM_END(id_type_names, ID_MYID);
 
 /**
- * coding of X.501 distinguished name 
+ * coding of X.501 distinguished name
  */
 typedef struct {
 	const u_char *name;
@@ -109,12 +109,12 @@ struct private_identification_t {
 	 * Public interface.
 	 */
 	identification_t public;
-	
+
 	/**
 	 * Encoded representation of this ID.
 	 */
 	chunk_t encoded;
-	
+
 	/**
 	 * Type of this ID.
 	 */
@@ -133,14 +133,11 @@ typedef struct {
 	chunk_t seqs;
 } rdn_enumerator_t;
 
-/**
- * Implementation of rdn_enumerator_t.enumerate
- */
-static bool rdn_enumerate(rdn_enumerator_t *this, chunk_t *oid,
-						  u_char *type, chunk_t *data)
+METHOD(enumerator_t, rdn_enumerate, bool,
+	rdn_enumerator_t *this, chunk_t *oid, u_char *type, chunk_t *data)
 {
 	chunk_t rdn;
-	
+
 	/* a DN contains one or more SET, each containing one or more SEQUENCES,
 	 * each containing a OID/value RDN */
 	if (!this->seqs.len)
@@ -155,7 +152,7 @@ static bool rdn_enumerate(rdn_enumerator_t *this, chunk_t *oid,
 		asn1_unwrap(&rdn, oid) == ASN1_OID)
 	{
 		int t = asn1_unwrap(&rdn, data);
-		
+
 		if (t != ASN1_INVALID)
 		{
 			*type = t;
@@ -170,11 +167,15 @@ static bool rdn_enumerate(rdn_enumerator_t *this, chunk_t *oid,
  */
 static enumerator_t* create_rdn_enumerator(chunk_t dn)
 {
-	rdn_enumerator_t *e = malloc_thing(rdn_enumerator_t);
-	
-	e->public.enumerate = (void*)rdn_enumerate;
-	e->public.destroy = (void*)free;
-	
+	rdn_enumerator_t *e;
+
+	INIT(e,
+		.public = {
+			.enumerate = (void*)_rdn_enumerate,
+			.destroy = (void*)free,
+		},
+	);
+
 	/* a DN is a SEQUENCE, get the first SET of it */
 	if (asn1_unwrap(&dn, &e->sets) == ASN1_SEQUENCE)
 	{
@@ -195,11 +196,8 @@ typedef struct {
 	enumerator_t *inner;
 } rdn_part_enumerator_t;
 
-/**
- * Implementation of rdn_part_enumerator_t.enumerate().
- */
-static bool rdn_part_enumerate(rdn_part_enumerator_t *this,
-							   id_part_t *type, chunk_t *data)
+METHOD(enumerator_t, rdn_part_enumerate, bool,
+	rdn_part_enumerator_t *this, id_part_t *type, chunk_t *data)
 {
 	int i, known_oid, strtype;
 	chunk_t oid, inner_data;
@@ -224,7 +222,7 @@ static bool rdn_part_enumerate(rdn_part_enumerator_t *this,
 		{OID_EMAIL_ADDRESS,		ID_PART_RDN_E},
 		{OID_EMPLOYEE_NUMBER,	ID_PART_RDN_EN},
 	};
-	
+
 	while (this->inner->enumerate(this->inner, &oid, &strtype, &inner_data))
 	{
 		known_oid = asn1_known_oid(oid);
@@ -241,30 +239,29 @@ static bool rdn_part_enumerate(rdn_part_enumerator_t *this,
 	return FALSE;
 }
 
-/**
- * Implementation of rdn_part_enumerator_t.destroy().
- */
-static void rdn_part_enumerator_destroy(rdn_part_enumerator_t *this)
+METHOD(enumerator_t, rdn_part_enumerator_destroy, void,
+	rdn_part_enumerator_t *this)
 {
 	this->inner->destroy(this->inner);
 	free(this);
 }
 
-/**
- * Implementation of identification_t.create_part_enumerator
- */
-static enumerator_t* create_part_enumerator(private_identification_t *this)
+METHOD(identification_t, create_part_enumerator, enumerator_t*,
+	private_identification_t *this)
 {
 	switch (this->type)
 	{
 		case ID_DER_ASN1_DN:
 		{
-			rdn_part_enumerator_t *e = malloc_thing(rdn_part_enumerator_t);
-			
-			e->inner = create_rdn_enumerator(this->encoded);
-			e->public.enumerate = (void*)rdn_part_enumerate;
-			e->public.destroy = (void*)rdn_part_enumerator_destroy;
-			
+			rdn_part_enumerator_t *e;
+
+			INIT(e,
+				.inner = create_rdn_enumerator(this->encoded),
+				.public = {
+					.enumerate = (void*)_rdn_part_enumerate,
+					.destroy = _rdn_part_enumerator_destroy,
+				},
+			);
 			return &e->public;
 		}
 		case ID_RFC822_ADDR:
@@ -282,16 +279,16 @@ static enumerator_t* create_part_enumerator(private_identification_t *this)
 static void dntoa(chunk_t dn, char *buf, size_t len)
 {
 	enumerator_t *e;
-	chunk_t oid_data, data;
+	chunk_t oid_data, data, printable;
 	u_char type;
 	int oid, written;
 	bool finished = FALSE;
-	
+
 	e = create_rdn_enumerator(dn);
 	while (e->enumerate(e, &oid_data, &type, &data))
 	{
 		oid = asn1_known_oid(oid_data);
-		
+
 		if (oid == OID_UNKNOWN)
 		{
 			written = snprintf(buf, len, "%#B=", &oid_data);
@@ -302,18 +299,13 @@ static void dntoa(chunk_t dn, char *buf, size_t len)
 		}
 		buf += written;
 		len -= written;
-		
-		if (chunk_printable(data, NULL, '?'))
-		{
-			written = snprintf(buf, len, "%.*s", data.len, data.ptr);
-		}
-		else
-		{
-			written = snprintf(buf, len, "%#B", &data);
-		}
+
+		chunk_printable(data, &printable, '?');
+		written = snprintf(buf, len, "%.*s", printable.len, printable.ptr);
+		chunk_free(&printable);
 		buf += written;
 		len -= written;
-		
+
 		if (data.ptr + data.len != dn.ptr + dn.len)
 		{
 			written = snprintf(buf, len, ", ");
@@ -347,7 +339,7 @@ static status_t atodn(char *src, chunk_t *dn)
 		READ_NAME =		3,
 		UNKNOWN_OID =	4
 	} state_t;
-	
+
 	chunk_t oid  = chunk_empty;
 	chunk_t name = chunk_empty;
 	chunk_t rdns[RDN_MAX];
@@ -358,7 +350,7 @@ static status_t atodn(char *src, chunk_t *dn)
 	asn1_t rdn_type;
 	state_t state = SEARCH_OID;
 	status_t status = SUCCESS;
-	
+
 	do
 	{
 		switch (state)
@@ -379,7 +371,7 @@ static status_t atodn(char *src, chunk_t *dn)
 				else
 				{
 					bool found = FALSE;
-					
+
 					for (i = 0; i < countof(x501rdns); i++)
 					{
 						if (strlen(x501rdns[i].name) == oid.len &&
@@ -424,15 +416,15 @@ static status_t atodn(char *src, chunk_t *dn)
 					rdn_type = (x501rdns[i].type == ASN1_PRINTABLESTRING
 								&& !asn1_is_printablestring(name))
 								? ASN1_T61STRING : x501rdns[i].type;
-					
+
 					if (rdn_count < RDN_MAX)
 					{
 						chunk_t rdn_oid;
-						
+
 						rdn_oid = asn1_build_known_oid(x501rdns[i].oid);
 						if (rdn_oid.len)
 						{
-							rdns[rdn_count] = 
+							rdns[rdn_count] =
 									asn1_wrap(ASN1_SET, "m",
 										asn1_wrap(ASN1_SEQUENCE, "mm",
 											rdn_oid,
@@ -459,20 +451,20 @@ static status_t atodn(char *src, chunk_t *dn)
 				break;
 		}
 	} while (*src++ != '\0');
-	
+
 	/* build the distinguished name sequence */
 	{
 		int i;
 		u_char *pos = asn1_build_object(dn, ASN1_SEQUENCE, dn_len);
-		
+
 		for (i = 0; i < rdn_count; i++)
 		{
-			memcpy(pos, rdns[i].ptr, rdns[i].len); 
+			memcpy(pos, rdns[i].ptr, rdns[i].len);
 			pos += rdns[i].len;
 			free(rdns[i].ptr);
 		}
 	}
-	
+
 	if (status != SUCCESS)
 	{
 		free(dn->ptr);
@@ -481,32 +473,26 @@ static status_t atodn(char *src, chunk_t *dn)
 	return status;
 }
 
-/**
- * Implementation of identification_t.get_encoding.
- */
-static chunk_t get_encoding(private_identification_t *this)
+METHOD(identification_t, get_encoding, chunk_t,
+	private_identification_t *this)
 {
 	return this->encoded;
 }
 
-/**
- * Implementation of identification_t.get_type.
- */
-static id_type_t get_type(private_identification_t *this)
+METHOD(identification_t, get_type, id_type_t,
+	private_identification_t *this)
 {
 	return this->type;
 }
 
-/**
- * Implementation of identification_t.contains_wildcards for ID_DER_ASN1_DN.
- */
-static bool contains_wildcards_dn(private_identification_t *this)
+METHOD(identification_t, contains_wildcards_dn, bool,
+	private_identification_t *this)
 {
 	enumerator_t *enumerator;
 	bool contains = FALSE;
 	id_part_t type;
 	chunk_t data;
-	
+
 	enumerator = create_part_enumerator(this);
 	while (enumerator->enumerate(enumerator, &type, &data))
 	{
@@ -520,27 +506,22 @@ static bool contains_wildcards_dn(private_identification_t *this)
 	return contains;
 }
 
-/**
- * Implementation of identification_t.contains_wildcards using memchr(*).
- */
-static bool contains_wildcards_memchr(private_identification_t *this)
+METHOD(identification_t, contains_wildcards_memchr, bool,
+	private_identification_t *this)
 {
 	return memchr(this->encoded.ptr, '*', this->encoded.len) != NULL;
 }
 
-/**
- * Default implementation of identification_t.equals.
- * compares encoded chunk for equality.
- */
-static bool equals_binary(private_identification_t *this, private_identification_t *other)
+METHOD(identification_t, equals_binary, bool,
+	private_identification_t *this, identification_t *other)
 {
-	if (this->type == other->type)
+	if (this->type == other->get_type(other))
 	{
 		if (this->type == ID_ANY)
 		{
 			return TRUE;
 		}
-		return chunk_equals(this->encoded, other->encoded);
+		return chunk_equals(this->encoded, other->get_encoding(other));
 	}
 	return FALSE;
 }
@@ -554,7 +535,7 @@ static bool compare_dn(chunk_t t_dn, chunk_t o_dn, int *wc)
 	chunk_t t_oid, o_oid, t_data, o_data;
 	u_char t_type, o_type;
 	bool t_next, o_next, finished = FALSE;
-	
+
 	if (wc)
 	{
 		*wc = 0;
@@ -571,14 +552,14 @@ static bool compare_dn(chunk_t t_dn, chunk_t o_dn, int *wc)
 	{
 		return TRUE;
 	}
-	
+
 	t = create_rdn_enumerator(t_dn);
 	o = create_rdn_enumerator(o_dn);
 	while (TRUE)
 	{
 		t_next = t->enumerate(t, &t_oid, &t_type, &t_data);
 		o_next = o->enumerate(o, &o_oid, &o_type, &o_data);
-		
+
 		if (!o_next && !t_next)
 		{
 			break;
@@ -605,8 +586,7 @@ static bool compare_dn(chunk_t t_dn, chunk_t o_dn, int *wc)
 			if (t_type == o_type &&
 				(t_type == ASN1_PRINTABLESTRING ||
 				 (t_type == ASN1_IA5STRING &&
-				  (asn1_known_oid(t_oid) == OID_PKCS9_EMAIL ||
-				   asn1_known_oid(t_oid) == OID_EMAIL_ADDRESS))))
+				  asn1_known_oid(t_oid) == OID_EMAIL_ADDRESS)))
 			{	/* ignore case for printableStrings and email RDNs */
 				if (strncasecmp(t_data.ptr, o_data.ptr, t_data.len) != 0)
 				{
@@ -634,65 +614,55 @@ static bool compare_dn(chunk_t t_dn, chunk_t o_dn, int *wc)
 	return finished;
 }
 
-/**
- * Special implementation of identification_t.equals for ID_DER_ASN1_DN.
- */
-static bool equals_dn(private_identification_t *this,
-					  private_identification_t *other)
+METHOD(identification_t, equals_dn, bool,
+	private_identification_t *this, identification_t *other)
 {
-	return compare_dn(this->encoded, other->encoded, NULL);
+	return compare_dn(this->encoded, other->get_encoding(other), NULL);
 }
 
-/**
- * Special implementation of identification_t.equals for RFC822 and FQDN.
- */
-static bool equals_strcasecmp(private_identification_t *this,
-							  private_identification_t *other)
+METHOD(identification_t, equals_strcasecmp,  bool,
+	private_identification_t *this, identification_t *other)
 {
-	/* we do some extra sanity checks to check for invalid IDs with a 
+	chunk_t encoded = other->get_encoding(other);
+
+	/* we do some extra sanity checks to check for invalid IDs with a
 	 * terminating null in it. */
-	if (this->encoded.len == other->encoded.len &&
+	if (this->encoded.len == encoded.len &&
 		memchr(this->encoded.ptr, 0, this->encoded.len) == NULL &&
-		memchr(other->encoded.ptr, 0, other->encoded.len) == NULL &&
-		strncasecmp(this->encoded.ptr, other->encoded.ptr, this->encoded.len) == 0)
+		memchr(encoded.ptr, 0, encoded.len) == NULL &&
+		strncasecmp(this->encoded.ptr, encoded.ptr, this->encoded.len) == 0)
 	{
 		return TRUE;
 	}
 	return FALSE;
 }
 
-/**
- * Default implementation of identification_t.matches.
- */
-static id_match_t matches_binary(private_identification_t *this, 
-						   private_identification_t *other)
+METHOD(identification_t, matches_binary, id_match_t,
+	private_identification_t *this, identification_t *other)
 {
-	if (other->type == ID_ANY)
+	if (other->get_type(other) == ID_ANY)
 	{
 		return ID_MATCH_ANY;
 	}
-	if (this->type == other->type && 
-		chunk_equals(this->encoded, other->encoded))
+	if (this->type == other->get_type(other) &&
+		chunk_equals(this->encoded, other->get_encoding(other)))
 	{
 		return ID_MATCH_PERFECT;
 	}
 	return ID_MATCH_NONE;
 }
 
-/**
- * Special implementation of identification_t.matches for ID_RFC822_ADDR/ID_FQDN.
- * Checks for a wildcard in other-string, and compares it against this-string.
- */
-static id_match_t matches_string(private_identification_t *this,
-								 private_identification_t *other)
+METHOD(identification_t, matches_string, id_match_t,
+	private_identification_t *this, identification_t *other)
 {
-	u_int len = other->encoded.len;
-	
-	if (other->type == ID_ANY)
+	chunk_t encoded = other->get_encoding(other);
+	u_int len = encoded.len;
+
+	if (other->get_type(other) == ID_ANY)
 	{
 		return ID_MATCH_ANY;
 	}
-	if (this->type != other->type)
+	if (this->type != other->get_type(other))
 	{
 		return ID_MATCH_NONE;
 	}
@@ -707,15 +677,15 @@ static id_match_t matches_string(private_identification_t *this,
 	}
 
 	/* check for single wildcard at the head of the string */
-	if (*other->encoded.ptr == '*')
+	if (*encoded.ptr == '*')
 	{
 		/* single asterisk matches any string */
 		if (len-- == 1)
 		{	/* not better than ID_ANY */
 			return ID_MATCH_ANY;
 		}
-		if (strncasecmp(this->encoded.ptr + this->encoded.len - len, 
-						other->encoded.ptr + 1, len) == 0)
+		if (strncasecmp(this->encoded.ptr + this->encoded.len - len,
+						encoded.ptr + 1, len) == 0)
 		{
 			return ID_MATCH_ONE_WILDCARD;
 		}
@@ -723,36 +693,29 @@ static id_match_t matches_string(private_identification_t *this,
 	return ID_MATCH_NONE;
 }
 
-/**
- * Special implementation of identification_t.matches for ID_ANY.
- * ANY matches only another ANY, but nothing other
- */
-static id_match_t matches_any(private_identification_t *this,
-							  private_identification_t *other)
+METHOD(identification_t, matches_any, id_match_t,
+	private_identification_t *this, identification_t *other)
 {
-	if (other->type == ID_ANY)
+	if (other->get_type(other) == ID_ANY)
 	{
 		return ID_MATCH_ANY;
 	}
 	return ID_MATCH_NONE;
 }
 
-/**
- * Special implementation of identification_t.matches for ID_DER_ASN1_DN
- */
-static id_match_t matches_dn(private_identification_t *this,
-							 private_identification_t *other)
+METHOD(identification_t, matches_dn, id_match_t,
+	private_identification_t *this, identification_t *other)
 {
 	int wc;
-	
-	if (other->type == ID_ANY)
+
+	if (other->get_type(other) == ID_ANY)
 	{
 		return ID_MATCH_ANY;
 	}
-	
-	if (this->type == other->type)
+
+	if (this->type == other->get_type(other))
 	{
-		if (compare_dn(this->encoded, other->encoded, &wc))
+		if (compare_dn(this->encoded, other->get_encoding(other), &wc))
 		{
 			wc = min(wc, ID_MATCH_ONE_WILDCARD - ID_MATCH_MAX_WILDCARDS);
 			return ID_MATCH_PERFECT - wc;
@@ -770,12 +733,12 @@ int identification_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
 	private_identification_t *this = *((private_identification_t**)(args[0]));
 	chunk_t proper;
 	char buf[512];
-	
+
 	if (this == NULL)
 	{
 		return print_in_hook(dst, len, "%*s", spec->width, "(null)");
 	}
-	
+
 	switch (this->type)
 	{
 		case ID_ANY:
@@ -810,7 +773,8 @@ int identification_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
 			snprintf(buf, sizeof(buf), "(ASN.1 general Name");
 			break;
 		case ID_KEY_ID:
-			if (chunk_printable(this->encoded, NULL, '?'))
+			if (chunk_printable(this->encoded, NULL, '?') &&
+				this->encoded.len != HASH_SIZE_SHA1)
 			{	/* fully printable, use ascii version */
 				snprintf(buf, sizeof(buf), "%.*s",
 						 this->encoded.len, this->encoded.ptr);
@@ -820,10 +784,8 @@ int identification_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
 				snprintf(buf, sizeof(buf), "%#B", &this->encoded);
 			}
 			break;
-		case ID_PUBKEY_INFO_SHA1:
-		case ID_PUBKEY_SHA1:
-		case ID_CERT_DER_SHA1:
-			snprintf(buf, sizeof(buf), "%#B", &this->encoded);
+		case ID_MYID:
+			snprintf(buf, sizeof(buf), "%%myid");
 			break;
 		default:
 			snprintf(buf, sizeof(buf), "(unknown ID type: %d)", this->type);
@@ -835,13 +797,12 @@ int identification_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
 	}
 	return print_in_hook(dst, len, "%*s", spec->width, buf);
 }
-/**
- * Implementation of identification_t.clone.
- */
-static identification_t *clone_(private_identification_t *this)
+
+METHOD(identification_t, clone, identification_t*,
+	private_identification_t *this)
 {
 	private_identification_t *clone = malloc_thing(private_identification_t);
-	
+
 	memcpy(clone, this, sizeof(private_identification_t));
 	if (this->encoded.len)
 	{
@@ -850,10 +811,8 @@ static identification_t *clone_(private_identification_t *this)
 	return &clone->public;
 }
 
-/**
- * Implementation of identification_t.destroy.
- */
-static void destroy(private_identification_t *this)
+METHOD(identification_t, destroy, void,
+	private_identification_t *this)
 {
 	chunk_free(&this->encoded);
 	free(this);
@@ -864,42 +823,43 @@ static void destroy(private_identification_t *this)
  */
 static private_identification_t *identification_create(id_type_t type)
 {
-	private_identification_t *this = malloc_thing(private_identification_t);
-	
-	this->public.get_encoding = (chunk_t (*) (identification_t*))get_encoding;
-	this->public.get_type = (id_type_t (*) (identification_t*))get_type;
-	this->public.create_part_enumerator = (enumerator_t*(*)(identification_t*))create_part_enumerator;
-	this->public.clone = (identification_t* (*) (identification_t*))clone_;
-	this->public.destroy = (void (*) (identification_t*))destroy;
-	
+	private_identification_t *this;
+
+	INIT(this,
+		.public = {
+			.get_encoding = _get_encoding,
+			.get_type = _get_type,
+			.create_part_enumerator = _create_part_enumerator,
+			.clone = _clone,
+			.destroy = _destroy,
+		},
+		.type = type,
+	);
+
 	switch (type)
 	{
 		case ID_ANY:
-			this->public.matches = (id_match_t (*)(identification_t*,identification_t*))matches_any;
-			this->public.equals = (bool (*) (identification_t*,identification_t*))equals_binary;
-			this->public.contains_wildcards = (bool (*) (identification_t *this))return_true;
+			this->public.matches = _matches_any;
+			this->public.equals = _equals_binary;
+			this->public.contains_wildcards = return_true;
 			break;
 		case ID_FQDN:
 		case ID_RFC822_ADDR:
-			this->public.matches = (id_match_t (*)(identification_t*,identification_t*))matches_string;
-			this->public.equals = (bool (*)(identification_t*,identification_t*))equals_strcasecmp;
-			this->public.contains_wildcards = (bool (*) (identification_t *this))contains_wildcards_memchr;
+			this->public.matches = _matches_string;
+			this->public.equals = _equals_strcasecmp;
+			this->public.contains_wildcards = _contains_wildcards_memchr;
 			break;
 		case ID_DER_ASN1_DN:
-			this->public.equals = (bool (*)(identification_t*,identification_t*))equals_dn;
-			this->public.matches = (id_match_t (*)(identification_t*,identification_t*))matches_dn;
-			this->public.contains_wildcards = (bool (*) (identification_t *this))contains_wildcards_dn;
+			this->public.equals = _equals_dn;
+			this->public.matches = _matches_dn;
+			this->public.contains_wildcards = _contains_wildcards_dn;
 			break;
 		default:
-			this->public.equals = (bool (*) (identification_t*,identification_t*))equals_binary;
-			this->public.matches = (id_match_t (*) (identification_t*,identification_t*))matches_binary;
-			this->public.contains_wildcards = (bool (*) (identification_t *this))return_false;
+			this->public.equals = _equals_binary;
+			this->public.matches = _matches_binary;
+			this->public.contains_wildcards = return_false;
 			break;
 	}
-	
-	this->type = type;
-	this->encoded = chunk_empty;
-	
 	return this;
 }
 
@@ -910,7 +870,7 @@ identification_t *identification_create_from_string(char *string)
 {
 	private_identification_t *this;
 	chunk_t encoded;
-	
+
 	if (string == NULL)
 	{
 		string = "%any";
@@ -951,7 +911,7 @@ identification_t *identification_create_from_string(char *string)
 			{
 				struct in_addr address;
 				chunk_t chunk = {(void*)&address, sizeof(address)};
-				
+
 				if (inet_pton(AF_INET, string, &address) > 0)
 				{	/* is IPv4 */
 					this = identification_create(ID_IPV4_ADDR);
@@ -968,7 +928,7 @@ identification_t *identification_create_from_string(char *string)
 			{
 				struct in6_addr address;
 				chunk_t chunk = {(void*)&address, sizeof(address)};
-				
+
 				if (inet_pton(AF_INET6, string, &address) > 0)
 				{	/* is IPv6 */
 					this = identification_create(ID_IPV6_ADDR);
@@ -1012,6 +972,18 @@ identification_t *identification_create_from_string(char *string)
 	}
 }
 
+/*
+ * Described in header.
+ */
+identification_t * identification_create_from_data(chunk_t data)
+{
+	char buf[data.len + 1];
+
+	/* use string constructor */
+	snprintf(buf, sizeof(buf), "%.*s", data.len, data.ptr);
+	return identification_create_from_string(buf);
+}
+
 /*
  * Described in header.
  */
@@ -1019,7 +991,7 @@ identification_t *identification_create_from_encoding(id_type_t type,
 													  chunk_t encoded)
 {
 	private_identification_t *this = identification_create(type);
-	
+
 	/* apply encoded chunk */
 	if (type != ID_ANY)
 	{
@@ -1028,3 +1000,33 @@ identification_t *identification_create_from_encoding(id_type_t type,
 	return &(this->public);
 }
 
+/*
+ * Described in header.
+ */
+identification_t *identification_create_from_sockaddr(sockaddr_t *sockaddr)
+{
+	switch (sockaddr->sa_family)
+	{
+		case AF_INET:
+		{
+			struct in_addr *addr = &(((struct sockaddr_in*)sockaddr)->sin_addr);
+
+			return identification_create_from_encoding(ID_IPV4_ADDR,
+					chunk_create((u_char*)addr, sizeof(struct in_addr)));
+		}
+		case AF_INET6:
+		{
+			struct in6_addr *addr = &(((struct sockaddr_in6*)sockaddr)->sin6_addr);
+
+			return identification_create_from_encoding(ID_IPV6_ADDR,
+					chunk_create((u_char*)addr, sizeof(struct in6_addr)));
+		}
+		default:
+		{
+			private_identification_t *this = identification_create(ID_ANY);
+
+			return &(this->public);
+		}
+	}
+}
+
diff --git a/src/libstrongswan/utils/identification.h b/src/libstrongswan/utils/identification.h
index dc0aec18e..fe5c7d0fd 100644
--- a/src/libstrongswan/utils/identification.h
+++ b/src/libstrongswan/utils/identification.h
@@ -14,7 +14,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  */
- 
+
 /**
  * @defgroup identification identification
  * @{ @ingroup utils
@@ -29,9 +29,10 @@ typedef struct identification_t identification_t;
 typedef enum id_match_t id_match_t;
 typedef enum id_part_t id_part_t;
 
-#include <library.h>
+#include <chunk.h>
+#include <utils/enumerator.h>
 
-/** 
+/**
  * Matches returned from identification_t.match
  */
 enum id_match_t {
@@ -79,8 +80,8 @@ enum id_type_t {
 	 * An example of an ID_RFC822_ADDR is "jsmith@example.com".
 	 * The string MUST NOT contain any terminators.
 	 */
-	ID_USER_FQDN   = 3,    /* IKEv1 only */
-	ID_RFC822_ADDR = 3,    /* IKEv2 only */
+	ID_USER_FQDN   = 3,	/* IKEv1 only */
+	ID_RFC822_ADDR = 3,	/* IKEv2 only */
 
 	/**
 	 * ID data is an IPv4 subnet (IKEv1 only)
@@ -128,31 +129,16 @@ enum id_type_t {
 	 * private type which represents a GeneralName of type URI
 	 */
 	ID_DER_ASN1_GN_URI = 201,
-	
-	/**
-	 * SHA1 hash over PKCS#1 subjectPublicKeyInfo
-	 */
-	ID_PUBKEY_INFO_SHA1 = 202,
-	
-	/**
-	 * SHA1 hash over PKCS#1 subjectPublicKey
-	 */
-	ID_PUBKEY_SHA1 = 203,
-	
-	/**
-	 * SHA1 hash of the binary DER encoding of a certificate
-	 */
-	ID_CERT_DER_SHA1 = 204,
 
 	/**
 	 * IETF Attribute Syntax String (RFC 3281)
 	 */
-	ID_IETF_ATTR_STRING = 205,
+	ID_IETF_ATTR_STRING = 202,
 
 	/**
 	 * Private ID used by the pluto daemon for opportunistic encryption
 	 */
-	ID_MYID = 206,
+	ID_MYID = 203,
 };
 
 /**
@@ -168,14 +154,14 @@ enum id_part_t {
 	ID_PART_USERNAME,
 	/** Domain part of an RFC822_ADDR */
 	ID_PART_DOMAIN,
-	
+
 	/** Top-Level domain of a FQDN */
 	ID_PART_TLD,
 	/** Second-Level domain of a FQDN */
 	ID_PART_SLD,
 	/** Another Level domain of a FQDN */
 	ID_PART_ALD,
-	
+
 	/** Country RDN of a DN */
 	ID_PART_RDN_C,
 	/** CommonName RDN of a DN */
@@ -212,40 +198,40 @@ enum id_part_t {
 
 /**
  * Generic identification, such as used in ID payload.
- * 
+ *
  * @todo Support for ID_DER_ASN1_GN is minimal right now. Comparison
  * between them and ID_IPV4_ADDR/RFC822_ADDR would be nice.
  */
 struct identification_t {
-	
+
 	/**
 	 * Get the encoding of this id, to send over
 	 * the network.
-	 * 
+	 *
 	 * Result points to internal data, do not free.
-	 * 
+	 *
 	 * @return 			a chunk containing the encoded bytes
 	 */
 	chunk_t (*get_encoding) (identification_t *this);
-	
+
 	/**
 	 * Get the type of this identification.
-	 * 
+	 *
 	 * @return 			id_type_t
 	 */
 	id_type_t (*get_type) (identification_t *this);
-	
+
 	/**
 	 * Check if two identification_t objects are equal.
-	 * 
+	 *
 	 * @param other		other identification_t object
 	 * @return 			TRUE if the IDs are equal
 	 */
 	bool (*equals) (identification_t *this, identification_t *other);
-	
+
 	/**
 	 * Check if an ID matches a wildcard ID.
-	 * 
+	 *
 	 * An identification_t may contain wildcards, such as
 	 * *.strongswan.org. This call checks if a given ID
 	 * (e.g. tester.strongswan.org) belongs to a such wildcard
@@ -256,24 +242,24 @@ struct identification_t {
 	 *
 	 * The larger the return value is, the better is the match. Zero means
 	 * no match at all, 1 means a bad match, and 2 a slightly better match.
-	 * 
+	 *
 	 * @param other		the ID containing one or more wildcards
 	 * @param wildcards	returns the number of wildcards, may be NULL
 	 * @return 			match value as described above
 	 */
 	id_match_t (*matches) (identification_t *this, identification_t *other);
-	
+
 	/**
 	 * Check if an ID is a wildcard ID.
 	 *
 	 * If the ID represents multiple IDs (with wildcards, or
 	 * as the type ID_ANY), TRUE is returned. If it is unique,
 	 * FALSE is returned.
-	 * 
+	 *
 	 * @return 			TRUE if ID contains wildcards
 	 */
 	bool (*contains_wildcards) (identification_t *this);
-	
+
 	/**
 	 * Create an enumerator over subparts of an identity.
 	 *
@@ -286,10 +272,10 @@ struct identification_t {
 	 * @return			an enumerator over (id_part_t type, chunk_t data)
 	 */
 	enumerator_t* (*create_part_enumerator)(identification_t *this);
-	
+
 	/**
 	 * Clone a identification_t instance.
-	 * 
+	 *
 	 * @return 			clone of this
 	 */
 	identification_t *(*clone) (identification_t *this);
@@ -314,34 +300,50 @@ struct identification_t {
  * pluto resolves domainnames without an @ to IPv4 addresses. Since
  * we use a seperate host_t class for addresses, this doesn't
  * make sense for us.
- * 
+ *
  * A distinguished name may contain one or more of the following RDNs:
  * ND, UID, DC, CN, S, SN, serialNumber, C, L, ST, O, OU, T, D,
- * N, G, I, ID, EN, EmployeeNumber, E, Email, emailAddress, UN, 
+ * N, G, I, ID, EN, EmployeeNumber, E, Email, emailAddress, UN,
  * unstructuredName, TCGID.
- * 
+ *
  * This constructor never returns NULL. If it does not find a suitable
  * conversion function, it will copy the string to an ID_KEY_ID.
- * 
+ *
  * @param string	input string, which will be converted
  * @return			identification_t
  */
 identification_t * identification_create_from_string(char *string);
 
+/**
+ * Creates an identification from a chunk of data, guessing its type.
+ *
+ * @param data		identification data
+ * @return			identification_t
+ */
+identification_t * identification_create_from_data(chunk_t data);
+
 /**
  * Creates an identification_t object from an encoded chunk.
- * 
+ *
  * @param type		type of this id, such as ID_IPV4_ADDR
  * @param encoded	encoded bytes, such as from identification_t.get_encoding
  * @return			identification_t
  */
 identification_t * identification_create_from_encoding(id_type_t type, chunk_t encoded);
 
+/**
+ * Creates an identification_t object from a sockaddr struct
+ *
+ * @param sockaddr		sockaddr struct which contains family and address
+ * @return 				identification_t
+ */
+identification_t * identification_create_from_sockaddr(sockaddr_t *sockaddr);
+
 /**
  * printf hook function for identification_t.
  *
- * Arguments are: 
- *    identification_t *identification
+ * Arguments are:
+ *	identification_t *identification
  */
 int identification_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
 							   const void *const *args);
diff --git a/src/libstrongswan/utils/iterator.h b/src/libstrongswan/utils/iterator.h
index 1dbf01539..9be65b229 100644
--- a/src/libstrongswan/utils/iterator.h
+++ b/src/libstrongswan/utils/iterator.h
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  */
- 
+
 /**
  * @defgroup iterator iterator
  * @{ @ingroup utils
@@ -39,45 +39,45 @@ struct iterator_t {
 
 	/**
 	 * Return number of list items.
-	 * 
+	 *
 	 * @return				number of list items
 	 */
 	int (*get_count) (iterator_t *this);
-	
+
 	/**
 	 * Iterate over all items.
-	 * 
+	 *
 	 * The easy way to iterate over items.
-	 * 
+	 *
 	 * @param value 	item
 	 * @return			TRUE, if there was an element available, FALSE otherwise
 	 */
 	bool (*iterate) (iterator_t *this, void** value);
-	
+
 	/**
 	 * Inserts a new item before the given iterator position.
-	 * 
+	 *
 	 * The iterator position is not changed after inserting
-	 * 
+	 *
 	 * @param item 		value to insert in list
 	 */
 	void (*insert_before) (iterator_t *this, void *item);
 
 	/**
 	 * Inserts a new item after the given iterator position.
-	 * 
+	 *
 	 * The iterator position is not changed after inserting.
-	 * 
+	 *
 	 * @param this 		calling iterator
 	 * @param item 		value to insert in list
 	 */
 	void (*insert_after) (iterator_t *this, void *item);
-	
+
 	/**
 	 * Replace the current item at current iterator position.
-	 * 
+	 *
 	 * The iterator position is not changed after replacing.
-	 * 
+	 *
 	 * @param this 		calling iterator
 	 * @param old		old value will be written here(can be NULL)
 	 * @param new		new value
@@ -87,18 +87,18 @@ struct iterator_t {
 
 	/**
 	 * Removes an element from list at the given iterator position.
-	 * 
+	 *
 	 * The iterator is set the the following position:
 	 * - to the item before, if available
 	 * - it gets reseted, otherwise
-	 * 
+	 *
 	 * @return 				SUCCESS, FAILED if iterator is on an invalid position
 	 */
 	status_t (*remove) (iterator_t *this);
-	
+
 	/**
 	 * Resets the iterator position.
-	 * 
+	 *
 	 * After reset, the iterator_t objects doesn't point to an element.
 	 * A call to iterator_t.has_next is necessary to do any other operations
 	 * with the resetted iterator.
diff --git a/src/libstrongswan/utils/leak_detective.c b/src/libstrongswan/utils/leak_detective.c
index 2cac3b458..2c2a36af3 100644
--- a/src/libstrongswan/utils/leak_detective.c
+++ b/src/libstrongswan/utils/leak_detective.c
@@ -12,14 +12,14 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  */
-	
+
 #define _GNU_SOURCE
 #include <sched.h>
 #include <stddef.h>
 #include <string.h>
 #include <stdio.h>
 #include <malloc.h>
-#include <signal.h> 
+#include <signal.h>
 #include <sys/socket.h>
 #include <netinet/in.h>
 #include <arpa/inet.h>
@@ -90,32 +90,32 @@ typedef struct memory_tail_t memory_tail_t;
  * Header which is prepended to each allocated memory block
  */
 struct memory_header_t {
-	
+
 	/**
 	 * Number of bytes following after the header
 	 */
 	u_int bytes;
-	
+
 	/**
 	 * Pointer to previous entry in linked list
 	 */
 	memory_header_t *previous;
-	
+
 	/**
 	 * Pointer to next entry in linked list
 	 */
 	memory_header_t *next;
-	
+
 	/**
 	 * backtrace taken during (re-)allocation
 	 */
 	backtrace_t *backtrace;
-	
+
 	/**
 	 * magic bytes to detect bad free or heap underflow, MEMORY_HEADER_MAGIC
 	 */
 	u_int32_t magic;
-	
+
 }__attribute__((__packed__));
 
 /**
@@ -127,11 +127,11 @@ struct memory_tail_t {
 	 * Magic bytes to detect heap overflow, MEMORY_TAIL_MAGIC
 	 */
 	u_int32_t magic;
-	
+
 }__attribute__((__packed__));
 
 /**
- * first mem header is just a dummy to chain 
+ * first mem header is just a dummy to chain
  * the others on it...
  */
 static memory_header_t first_header = {
@@ -143,7 +143,7 @@ static memory_header_t first_header = {
 };
 
 /**
- * are the hooks currently installed? 
+ * are the hooks currently installed?
  */
 static bool installed = FALSE;
 
@@ -151,7 +151,7 @@ static bool installed = FALSE;
  * Leak report white list
  *
  * List of functions using static allocation buffers or should be suppressed
- * otherwise on leak report. 
+ * otherwise on leak report.
  */
 char *whitelist[] = {
 	/* backtraces, including own */
@@ -170,11 +170,14 @@ char *whitelist[] = {
 	"getprotobynumber",
 	"getservbyport",
 	"getservbyname",
+	"gethostbyname2",
 	"gethostbyname_r",
 	"gethostbyname2_r",
+	"getnetbyname",
 	"getpwnam_r",
 	"getgrnam_r",
 	"register_printf_function",
+	"register_printf_specifier",
 	"syslog",
 	"vsyslog",
 	"getaddrinfo",
@@ -193,6 +196,8 @@ char *whitelist[] = {
 	"xmlInitCharEncodingHandlers",
 	"xmlInitParser",
 	"xmlInitParserCtxt",
+	/* libcurl */
+	"Curl_client_write",
 	/* ClearSilver */
 	"nerr_init",
 	/* OpenSSL */
@@ -200,6 +205,7 @@ char *whitelist[] = {
 	"DH_new_method",
 	"ENGINE_load_builtin_engines",
 	"OPENSSL_config",
+	"ecdsa_check",
 	/* libgcrypt */
 	"gcry_control",
 	"gcry_check_version",
@@ -230,7 +236,7 @@ void report_leaks()
 {
 	memory_header_t *hdr;
 	int leaks = 0, whitelisted = 0;
-	
+
 	for (hdr = first_header.next; hdr != NULL; hdr = hdr->next)
 	{
 		if (is_whitelisted(hdr->backtrace))
@@ -245,7 +251,7 @@ void report_leaks()
 			leaks++;
 		}
 	}
-		
+
 	switch (leaks)
 	{
 		case 0:
@@ -300,14 +306,14 @@ void *malloc_hook(size_t bytes, const void *caller)
 	memory_header_t *hdr;
 	memory_tail_t *tail;
 	pthread_t thread_id = pthread_self();
-    int oldpolicy;
-    struct sched_param oldparams, params;
-    
-    pthread_getschedparam(thread_id, &oldpolicy, &oldparams);
-    
-    params.__sched_priority = sched_get_priority_max(SCHED_FIFO);
+	int oldpolicy;
+	struct sched_param oldparams, params;
+
+	pthread_getschedparam(thread_id, &oldpolicy, &oldparams);
+
+	params.__sched_priority = sched_get_priority_max(SCHED_FIFO);
 	pthread_setschedparam(thread_id, SCHED_FIFO, &params);
-	
+
 	count_malloc++;
 	uninstall_hooks();
 	hdr = malloc(sizeof(memory_header_t) + bytes + sizeof(memory_tail_t));
@@ -315,13 +321,13 @@ void *malloc_hook(size_t bytes, const void *caller)
 	/* set to something which causes crashes */
 	memset(hdr, MEMORY_ALLOC_PATTERN,
 		   sizeof(memory_header_t) + bytes + sizeof(memory_tail_t));
-	
+
 	hdr->magic = MEMORY_HEADER_MAGIC;
 	hdr->bytes = bytes;
 	hdr->backtrace = backtrace_create(3);
 	tail->magic = MEMORY_TAIL_MAGIC;
 	install_hooks();
-	
+
 	/* insert at the beginning of the list */
 	hdr->next = first_header.next;
 	if (hdr->next)
@@ -330,9 +336,9 @@ void *malloc_hook(size_t bytes, const void *caller)
 	}
 	hdr->previous = &first_header;
 	first_header.next = hdr;
-	
+
 	pthread_setschedparam(thread_id, oldpolicy, &oldparams);
-	
+
 	return hdr + 1;
 }
 
@@ -341,13 +347,14 @@ void *malloc_hook(size_t bytes, const void *caller)
  */
 void free_hook(void *ptr, const void *caller)
 {
-	memory_header_t *hdr;
+	memory_header_t *hdr, *current;
 	memory_tail_t *tail;
-    backtrace_t *backtrace;
+	backtrace_t *backtrace;
 	pthread_t thread_id = pthread_self();
-    int oldpolicy;
-    struct sched_param oldparams, params;
-    
+	int oldpolicy;
+	struct sched_param oldparams, params;
+	bool found = FALSE;
+
 	/* allow freeing of NULL */
 	if (ptr == NULL)
 	{
@@ -355,20 +362,37 @@ void free_hook(void *ptr, const void *caller)
 	}
 	hdr = ptr - sizeof(memory_header_t);
 	tail = ptr + hdr->bytes;
-	
+
 	pthread_getschedparam(thread_id, &oldpolicy, &oldparams);
-	
-    params.__sched_priority = sched_get_priority_max(SCHED_FIFO);
+
+	params.__sched_priority = sched_get_priority_max(SCHED_FIFO);
 	pthread_setschedparam(thread_id, SCHED_FIFO, &params);
-	
+
 	count_free++;
 	uninstall_hooks();
 	if (hdr->magic != MEMORY_HEADER_MAGIC ||
 		tail->magic != MEMORY_TAIL_MAGIC)
 	{
-		fprintf(stderr, "freeing invalid memory (%p): "
-				"header magic 0x%x, tail magic 0x%x:\n",
-				ptr, hdr->magic, tail->magic);
+		for (current = &first_header; current != NULL; current = current->next)
+		{
+			if (current == hdr)
+			{
+				found = TRUE;
+				break;
+			}
+		}
+		if (found)
+		{
+			/* memory was allocated by our hooks but is corrupted */
+			fprintf(stderr, "freeing corrupted memory (%p): "
+					"header magic 0x%x, tail magic 0x%x:\n",
+					ptr, hdr->magic, tail->magic);
+		}
+		else
+		{
+			/* memory was not allocated by our hooks */
+			fprintf(stderr, "freeing invalid memory (%p)", ptr);
+		}
 		backtrace = backtrace_create(3);
 		backtrace->log(backtrace, stderr);
 		backtrace->destroy(backtrace);
@@ -382,13 +406,14 @@ void free_hook(void *ptr, const void *caller)
 		}
 		hdr->previous->next = hdr->next;
 		hdr->backtrace->destroy(hdr->backtrace);
-		
+
 		/* clear MAGIC, set mem to something remarkable */
-		memset(hdr, MEMORY_FREE_PATTERN, hdr->bytes + sizeof(memory_header_t));
-		
+		memset(hdr, MEMORY_FREE_PATTERN,
+			   sizeof(memory_header_t) + hdr->bytes + sizeof(memory_tail_t));
+
 		free(hdr);
 	}
-	
+
 	install_hooks();
 	pthread_setschedparam(thread_id, oldpolicy, &oldparams);
 }
@@ -402,23 +427,23 @@ void *realloc_hook(void *old, size_t bytes, const void *caller)
 	memory_tail_t *tail;
 	backtrace_t *backtrace;
 	pthread_t thread_id = pthread_self();
-    int oldpolicy;
-    struct sched_param oldparams, params;
-    
+	int oldpolicy;
+	struct sched_param oldparams, params;
+
 	/* allow reallocation of NULL */
 	if (old == NULL)
 	{
 		return malloc_hook(bytes, caller);
 	}
-	
+
 	hdr = old - sizeof(memory_header_t);
 	tail = old + hdr->bytes;
-	
+
 	pthread_getschedparam(thread_id, &oldpolicy, &oldparams);
-	
+
 	params.__sched_priority = sched_get_priority_max(SCHED_FIFO);
 	pthread_setschedparam(thread_id, SCHED_FIFO, &params);
-	
+
 	count_realloc++;
 	uninstall_hooks();
 	if (hdr->magic != MEMORY_HEADER_MAGIC ||
@@ -472,21 +497,21 @@ static void destroy(private_leak_detective_t *this)
 leak_detective_t *leak_detective_create()
 {
 	private_leak_detective_t *this = malloc_thing(private_leak_detective_t);
-	
+
 	this->public.destroy = (void(*)(leak_detective_t*))destroy;
-	
+
 	if (getenv("LEAK_DETECTIVE_DISABLE") == NULL)
 	{
 		cpu_set_t mask;
-		
+
 		CPU_ZERO(&mask);
 		CPU_SET(0, &mask);
-		
+
 		if (sched_setaffinity(0, sizeof(cpu_set_t), &mask) != 0)
 		{
 			fprintf(stderr, "setting CPU affinity failed: %m");
 		}
-	
+
 		lib->leak_detective = TRUE;
 		install_hooks();
 	}
diff --git a/src/libstrongswan/utils/leak_detective.h b/src/libstrongswan/utils/leak_detective.h
index cd30dcd5f..181f8f3db 100644
--- a/src/libstrongswan/utils/leak_detective.h
+++ b/src/libstrongswan/utils/leak_detective.h
@@ -32,11 +32,11 @@ typedef struct leak_detective_t leak_detective_t;
  * and dynamic whitelisting.
  */
 struct leak_detective_t {
-		
+
 	/**
-     * Destroy a leak_detective instance.
-     */
-    void (*destroy)(leak_detective_t *this);
+	 * Destroy a leak_detective instance.
+	 */
+	void (*destroy)(leak_detective_t *this);
 };
 
 /**
diff --git a/src/libstrongswan/utils/lexparser.c b/src/libstrongswan/utils/lexparser.c
index 2472f6751..b0aced180 100644
--- a/src/libstrongswan/utils/lexparser.c
+++ b/src/libstrongswan/utils/lexparser.c
@@ -40,31 +40,31 @@ bool match(const char *pattern, const chunk_t *ch)
 bool extract_token(chunk_t *token, const char termination, chunk_t *src)
 {
 	u_char *eot = memchr(src->ptr, termination, src->len);
-	
+
 	if (termination == ' ')
 	{
 		u_char *eot_tab = memchr(src->ptr, '\t', src->len);
-		
+
 		/* check if a tab instead of a space terminates the token */
 		eot = ( eot_tab == NULL || (eot && eot < eot_tab) ) ? eot : eot_tab;
 	}
-	
+
 	/* initialize empty token */
 	*token = chunk_empty;
-	
+
 	if (eot == NULL) /* termination symbol not found */
 	{
 		return FALSE;
 	}
-	
+
 	/* extract token */
 	token->ptr = src->ptr;
 	token->len = (u_int)(eot - src->ptr);
-	
+
 	/* advance src pointer after termination symbol */
 	src->ptr = eot + 1;
 	src->len -= (token->len + 1);
-	
+
 	return TRUE;
 }
 
@@ -75,23 +75,23 @@ bool extract_token_str(chunk_t *token, const char *termination, chunk_t *src)
 {
 	u_char *eot = memstr(src->ptr, termination, src->len);
 	size_t l = strlen(termination);
-	
+
 	/* initialize empty token */
 	*token = chunk_empty;
-	
+
 	if (eot == NULL) /* termination string not found */
 	{
 		return FALSE;
 	}
-	
+
 	/* extract token */
 	token->ptr = src->ptr;
 	token->len = (u_int)(eot - src->ptr);
-	
+
 	/* advance src pointer after termination string */
 	src->ptr = eot + l;
 	src->len -= (token->len + l);
-	
+
 	return TRUE;
 }
 
diff --git a/src/libstrongswan/utils/lexparser.h b/src/libstrongswan/utils/lexparser.h
index 7e2edb278..7eb68069b 100644
--- a/src/libstrongswan/utils/lexparser.h
+++ b/src/libstrongswan/utils/lexparser.h
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  */
- 
+
 /**
  * @defgroup lexparser lexparser
  * @{ @ingroup utils
diff --git a/src/libstrongswan/utils/linked_list.c b/src/libstrongswan/utils/linked_list.c
index a45468cca..4aa8ea6ca 100644
--- a/src/libstrongswan/utils/linked_list.c
+++ b/src/libstrongswan/utils/linked_list.c
@@ -33,14 +33,14 @@ struct element_t {
 
 	/**
 	 * Previous list element.
-	 * 
+	 *
 	 * NULL if first element in list.
 	 */
 	element_t *previous;
-	
+
 	/**
 	 * Next list element.
-	 * 
+	 *
 	 * NULL if last element in list.
 	 */
 	element_t *next;
@@ -52,11 +52,11 @@ struct element_t {
 element_t *element_create(void *value)
 {
 	element_t *this = malloc_thing(element_t);
-	
+
 	this->previous = NULL;
 	this->next = NULL;
 	this->value = value;
-	
+
 	return (this);
 }
 
@@ -83,7 +83,7 @@ struct private_linked_list_t {
 	 * NULL if no elements in list.
 	 */
 	element_t *first;
-	
+
 	/**
 	 * Last element in list.
 	 * NULL if no elements in list.
@@ -130,12 +130,12 @@ struct private_enumerator_t {
 	 * implements enumerator interface
 	 */
 	enumerator_t enumerator;
-	
+
 	/**
 	 * associated linked list
 	 */
 	private_linked_list_t *list;
-	
+
 	/**
 	 * current item
 	 */
@@ -173,12 +173,12 @@ static bool enumerate(private_enumerator_t *this, void **item)
 static enumerator_t* create_enumerator(private_linked_list_t *this)
 {
 	private_enumerator_t *enumerator = malloc_thing(private_enumerator_t);
-	
+
 	enumerator->enumerator.enumerate = (void*)enumerate;
 	enumerator->enumerator.destroy = (void*)free;
 	enumerator->list = this;
 	enumerator->current = NULL;
-	
+
 	return &enumerator->enumerator;
 }
 
@@ -273,7 +273,7 @@ static status_t iterator_remove(private_iterator_t *this)
 		this->current->previous->next = this->current->next;
 		this->current->next->previous = this->current->previous;
 	}
-	
+
 	this->list->count--;
 	free(this->current);
 	/* set the new iterator position */
@@ -290,7 +290,7 @@ static void insert_before(private_iterator_t * iterator, void *item)
 	{
 		iterator->list->public.insert_first(&(iterator->list->public), item);
 	}
-	
+
 	element_t *element = element_create(item);
 	if (iterator->current->previous == NULL)
 	{
@@ -322,7 +322,7 @@ static status_t replace(private_iterator_t *this, void **old_item, void *new_ite
 		*old_item = this->current->value;
 	}
 	this->current->value = new_item;
-	
+
 	return SUCCESS;
 }
 
@@ -336,7 +336,7 @@ static void insert_after(private_iterator_t *iterator, void *item)
 		iterator->list->public.insert_first(&(iterator->list->public),item);
 		return;
 	}
-	
+
 	element_t *element = element_create(item);
 	if (iterator->current->next == NULL)
 	{
@@ -376,7 +376,7 @@ static int get_count(private_linked_list_t *this)
 static void insert_first(private_linked_list_t *this, void *item)
 {
 	element_t *element;
-	
+
 	element = element_create(item);
 	if (this->count == 0)
 	{
@@ -407,7 +407,7 @@ static element_t* remove_element(private_linked_list_t *this, element_t *element
 	next = element->next;
 	previous = element->previous;
 	free(element);
-	if (next) 
+	if (next)
 	{
 		next->previous = previous;
 	}
@@ -463,7 +463,7 @@ static status_t remove_first(private_linked_list_t *this, void **item)
 static void insert_last(private_linked_list_t *this, void *item)
 {
 	element_t *element = element_create(item);
-	
+
 	if (this->count == 0)
 	{
 		/* first entry in list */
@@ -508,7 +508,7 @@ static status_t remove_last(private_linked_list_t *this, void **item)
 	}
 	return NOT_FOUND;
 }
-	
+
 /**
  * Implementation of linked_list_t.remove.
  */
@@ -517,7 +517,7 @@ static int remove_(private_linked_list_t *this, void *item,
 {
 	element_t *current = this->first;
 	int removed = 0;
-	
+
 	while (current)
 	{
 		if ((compare && compare(current->value, item)) ||
@@ -556,7 +556,7 @@ static status_t find_first(private_linked_list_t *this, linked_list_match_t matc
 		void **item, void *d1, void *d2, void *d3, void *d4, void *d5)
 {
 	element_t *current = this->first;
-	
+
 	while (current)
 	{
 		if ((match && match(current->value, d1, d2, d3, d4, d5)) ||
@@ -580,7 +580,7 @@ static status_t find_last(private_linked_list_t *this, linked_list_match_t match
 		void **item, void *d1, void *d2, void *d3, void *d4, void *d5)
 {
 	element_t *current = this->last;
-	
+
 	while (current)
 	{
 		if ((match && match(current->value, d1, d2, d3, d4, d5)) ||
@@ -604,7 +604,7 @@ static void invoke_offset(private_linked_list_t *this, size_t offset,
 		void *d1, void *d2, void *d3, void *d4, void *d5)
 {
 	element_t *current = this->first;
-	
+
 	while (current)
 	{
 		linked_list_invoke_t *method = current->value + offset;
@@ -620,7 +620,7 @@ static void invoke_function(private_linked_list_t *this, linked_list_invoke_t fn
 		void *d1, void *d2, void *d3, void *d4, void *d5)
 {
 	element_t *current = this->first;
-	
+
 	while (current)
 	{
 		fn(current->value, d1, d2, d3, d4, d5);
@@ -635,14 +635,14 @@ static linked_list_t *clone_offset(private_linked_list_t *this, size_t offset)
 {
 	linked_list_t *clone = linked_list_create();
 	element_t *current = this->first;
-	
+
 	while (current)
 	{
 		void* (**method)(void*) = current->value + offset;
 		clone->insert_last(clone, (*method)(current->value));
 		current = current->next;
 	}
-	
+
 	return clone;
 }
 
@@ -653,13 +653,13 @@ static linked_list_t *clone_function(private_linked_list_t *this, void* (*fn)(vo
 {
 	linked_list_t *clone = linked_list_create();
 	element_t *current = this->first;
-	
+
 	while (current)
 	{
 		clone->insert_last(clone, fn(current->value));
 		current = current->next;
 	}
-	
+
 	return clone;
 }
 
@@ -684,7 +684,7 @@ static void destroy(private_linked_list_t *this)
 static void destroy_offset(private_linked_list_t *this, size_t offset)
 {
 	element_t *current = this->first, *next;
-	
+
 	while (current)
 	{
 		void (**method)(void*) = current->value + offset;
@@ -702,7 +702,7 @@ static void destroy_offset(private_linked_list_t *this, size_t offset)
 static void destroy_function(private_linked_list_t *this, void (*fn)(void*))
 {
 	element_t *current = this->first, *next;
-	
+
 	while (current)
 	{
 		fn(current->value);
@@ -719,7 +719,7 @@ static void destroy_function(private_linked_list_t *this, void (*fn)(void*))
 static iterator_t *create_iterator(private_linked_list_t *linked_list, bool forward)
 {
 	private_iterator_t *this = malloc_thing(private_iterator_t);
-	
+
 	this->public.get_count = (int (*) (iterator_t*)) get_list_count;
 	this->public.iterate = (bool (*) (iterator_t*, void **value)) iterate;
 	this->public.insert_before = (void (*) (iterator_t*, void *item)) insert_before;
@@ -728,11 +728,11 @@ static iterator_t *create_iterator(private_linked_list_t *linked_list, bool forw
 	this->public.remove = (status_t (*) (iterator_t*)) iterator_remove;
 	this->public.reset = (void (*) (iterator_t*)) iterator_reset;
 	this->public.destroy = (void (*) (iterator_t*)) iterator_destroy;
-	
+
 	this->forward = forward;
 	this->current = NULL;
 	this->list = linked_list;
-	
+
 	return &this->public;
 }
 
diff --git a/src/libstrongswan/utils/linked_list.h b/src/libstrongswan/utils/linked_list.h
index 8b2de9083..ba5f28f6a 100644
--- a/src/libstrongswan/utils/linked_list.h
+++ b/src/libstrongswan/utils/linked_list.h
@@ -14,7 +14,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  */
- 
+
 /**
  * @defgroup linked_list linked_list
  * @{ @ingroup utils
@@ -56,24 +56,24 @@ struct linked_list_t {
 
 	/**
 	 * Gets the count of items in the list.
-	 * 
+	 *
 	 * @return 			number of items in list
 	 */
 	int (*get_count) (linked_list_t *this);
-	
+
 	/**
 	 * Creates a iterator for the given list.
-	 * 
+	 *
 	 * @warning Created iterator_t object has to get destroyed by the caller.
 	 *
 	 * @deprecated Iterator is obsolete and will disappear, it is too
 	 * complicated to implement. Use enumerator instead.
-	 * 
+	 *
 	 * @param forward 	iterator direction (TRUE: front to end)
 	 * @return			new iterator_t object
 	 */
 	iterator_t *(*create_iterator) (linked_list_t *this, bool forward);
-	
+
 	/**
 	 * Create an enumerator over the list.
 	 *
@@ -83,7 +83,7 @@ struct linked_list_t {
 	 * @return			enumerator over list items
 	 */
 	enumerator_t* (*create_enumerator)(linked_list_t *this);
-	
+
 	/**
 	 * Inserts a new item at the beginning of the list.
 	 *
@@ -93,22 +93,22 @@ struct linked_list_t {
 
 	/**
 	 * Removes the first item in the list and returns its value.
-	 * 
+	 *
 	 * @param item 		returned value of first item, or NULL
 	 * @return			SUCCESS, or NOT_FOUND if list is empty
 	 */
 	status_t (*remove_first) (linked_list_t *this, void **item);
-	
+
 	/**
 	 * Remove an item from the list where the enumerator points to.
 	 *
 	 * @param enumerator enumerator with position
 	 */
 	void (*remove_at)(linked_list_t *this, enumerator_t *enumerator);
-	
+
 	/**
 	 * Remove items from the list matching item.
-	 * 
+	 *
 	 * If a compare function is given, it is called for each item, where
 	 * the first parameter is the current list item and the second parameter
 	 * is the supplied item parameter.
@@ -119,11 +119,11 @@ struct linked_list_t {
 	 * @return			number of removed items
 	 */
 	int (*remove)(linked_list_t *this, void *item, bool (*compare)(void *,void*));
-	
+
 	/**
 	 * Returns the value of the first list item without removing it.
-	 * 
-	 * @param this	 	calling object
+	 *
+	 * @param this		calling object
 	 * @param item		returned value of first item
 	 * @return			SUCCESS, NOT_FOUND if list is empty
 	 */
@@ -131,15 +131,15 @@ struct linked_list_t {
 
 	/**
 	 * Inserts a new item at the end of the list.
-	 * 
+	 *
 	 * @param item 		value to insert into list
 	 */
 	void (*insert_last) (linked_list_t *this, void *item);
 
 	/**
 	 * Removes the last item in the list and returns its value.
-	 * 
-	 * @param this	 	calling object
+	 *
+	 * @param this		calling object
 	 * @param item		returned value of last item, or NULL
 	 * @return			SUCCESS, NOT_FOUND if list is empty
 	 */
@@ -147,15 +147,15 @@ struct linked_list_t {
 
 	/**
 	 * Returns the value of the last list item without removing it.
-	 * 
+	 *
 	 * @param this 		calling object
 	 * @param item		returned value of last item
 	 * @return			SUCCESS, NOT_FOUND if list is empty
 	 */
 	status_t (*get_last) (linked_list_t *this, void **item);
-	
+
 	/** Find the first matching element in the list.
-	 * 
+	 *
 	 * The first object passed to the match function is the current list item,
 	 * followed by the user supplied data.
 	 * If the supplied function returns TRUE this function returns SUCCESS, and
@@ -163,7 +163,7 @@ struct linked_list_t {
 	 * the next item is checked.
 	 *
 	 * If match is NULL, *item and the current object are compared.
-	 * 
+	 *
 	 * @warning Only use pointers as user supplied data.
 	 *
 	 * @param match			comparison function to call on each object, or NULL
@@ -173,17 +173,17 @@ struct linked_list_t {
 	 */
 	status_t (*find_first) (linked_list_t *this, linked_list_match_t match,
 							void **item, ...);
-	
+
 	/** Find the last matching element in the list.
-	 * 
+	 *
 	 * The first object passed to the match function is the current list item,
 	 * followed by the user supplied data.
 	 * If the supplied function returns TRUE this function returns SUCCESS, and
 	 * the current object is returned in the third parameter, otherwise,
 	 * the next item is checked.
-	 * 
+	 *
 	 * If match is NULL, *item and the current object are compared.
-	 * 
+	 *
 	 * @warning Only use pointers as user supplied data.
 	 *
 	 * @param match			comparison function to call on each object, or NULL
@@ -193,7 +193,7 @@ struct linked_list_t {
 	 */
 	status_t (*find_last) (linked_list_t *this, linked_list_match_t match,
 						   void **item, ...);
-	
+
 	/**
 	 * Invoke a method on all of the contained objects.
 	 *
@@ -202,41 +202,41 @@ struct linked_list_t {
 	 * method is specified by an offset of the function pointer,
 	 * which can be evalutated at compile time using the offsetof
 	 * macro, e.g.: list->invoke(list, offsetof(object_t, method));
-	 * 
+	 *
 	 * @param offset	offset of the method to invoke on objects
 	 * @param ...		user data to supply to called function (limited to 5 arguments)
 	 */
 	void (*invoke_offset) (linked_list_t *this, size_t offset, ...);
-	
+
 	/**
 	 * Invoke a function on all of the contained objects.
-	 * 
+	 *
 	 * @param function	offset of the method to invoke on objects
 	 * @param ...		user data to supply to called function (limited to 5 arguments)
 	 */
 	void (*invoke_function) (linked_list_t *this, linked_list_invoke_t function, ...);
-	
+
 	/**
 	 * Clones a list and its objects using the objects' clone method.
-	 * 
+	 *
 	 * @param offset	offset ot the objects clone function
 	 * @return			cloned list
 	 */
 	linked_list_t *(*clone_offset) (linked_list_t *this, size_t offset);
-	
+
 	/**
 	 * Clones a list and its objects using a given function.
-	 * 
+	 *
 	 * @param function	function that clones an object
 	 * @return			cloned list
 	 */
 	linked_list_t *(*clone_function) (linked_list_t *this, void*(*)(void*));
-	
+
 	/**
 	 * Destroys a linked_list object.
 	 */
 	void (*destroy) (linked_list_t *this);
-	
+
 	/**
 	 * Destroys a list and its objects using the destructor.
 	 *
@@ -248,10 +248,10 @@ struct linked_list_t {
 	 * @param offset	offset of the objects destructor
 	 */
 	void (*destroy_offset) (linked_list_t *this, size_t offset);
-	
+
 	/**
 	 * Destroys a list and its contents using a a cleanup function.
-	 * 
+	 *
 	 * If a linked list and its contents should get destroyed using a specific
 	 * cleanup function, use destroy_function. This is useful when the
 	 * list contains malloc()-ed blocks which should get freed,
@@ -264,7 +264,7 @@ struct linked_list_t {
 
 /**
  * Creates an empty linked list object.
- * 
+ *
  * @return 		linked_list_t object.
  */
 linked_list_t *linked_list_create(void);
diff --git a/src/libstrongswan/utils/mutex.c b/src/libstrongswan/utils/mutex.c
deleted file mode 100644
index a6c39e94c..000000000
--- a/src/libstrongswan/utils/mutex.c
+++ /dev/null
@@ -1,509 +0,0 @@
-/*
- * Copyright (C) 2008 Tobias Brunner
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#define _GNU_SOURCE
-#include <pthread.h>
-#include <sys/time.h>
-#include <stdint.h>
-#include <time.h>
-#include <errno.h>
-
-#include "mutex.h"
-
-#include <library.h>
-#include <debug.h>
-
-typedef struct private_mutex_t private_mutex_t;
-typedef struct private_r_mutex_t private_r_mutex_t;
-typedef struct private_condvar_t private_condvar_t;
-typedef struct private_rwlock_t private_rwlock_t;
-
-#ifdef LOCK_PROFILER
-
-/**
- * Do not report mutexes with an overall waiting time smaller than this (in us)
- */
-#define PROFILE_TRESHHOLD 1000
-
-#include <utils/backtrace.h>
-
-typedef struct lock_profile_t lock_profile_t;
-
-struct lock_profile_t {
-
-	/**
-	 * how long threads have waited for the lock in this mutex so far
-	 */
-	struct timeval waited;
-	
-	/**
-	 * backtrace where mutex has been created
-	 */
-	backtrace_t *backtrace;
-};
-
-/**
- * Print and cleanup mutex profiler
- */
-static void profiler_cleanup(lock_profile_t *profile)
-{
-	if (profile->waited.tv_sec > 0 ||
-		profile->waited.tv_usec > PROFILE_TRESHHOLD)
-	{
-		fprintf(stderr, "%d.%06ds in lock created at:",
-				profile->waited.tv_sec, profile->waited.tv_usec);
-		profile->backtrace->log(profile->backtrace, stderr);
-	}
-	profile->backtrace->destroy(profile->backtrace);
-}
-
-/**
- * Initialize mutex profiler
- */
-static void profiler_init(lock_profile_t *profile)
-{
-	profile->backtrace = backtrace_create(2);
-	timerclear(&profile->waited);
-}
-
-#define profiler_start(profile) { \
-	struct timeval _start, _end, _diff; \
-	gettimeofday(&_start, NULL);
-	
-#define profiler_end(profile) \
-	gettimeofday(&_end, NULL); \
-	timersub(&_end, &_start, &_diff); \
-	timeradd(&(profile)->waited, &_diff, &(profile)->waited); }
-
-#else /* !LOCK_PROFILER */
-
-#define lock_profile_t struct {}
-#define profiler_cleanup(...) {}
-#define profiler_init(...) {}
-#define profiler_start(...) {}
-#define profiler_end(...) {}
-
-#endif /* LOCK_PROFILER */
-
-/**
- * private data of mutex
- */
-struct private_mutex_t {
-
-	/**
-	 * public functions
-	 */
-	mutex_t public;
-	
-	/**
-	 * wrapped pthread mutex
-	 */
-	pthread_mutex_t mutex;
-	
-	/**
-	 * is this a recursiv emutex, implementing private_r_mutex_t?
-	 */
-	bool recursive;
-	
-	/**
-	 * profiling info, if enabled
-	 */
-	lock_profile_t profile;
-};
-
-/**
- * private data of mutex, extended by recursive locking information
- */
-struct private_r_mutex_t {
-
-	/**
-	 * Extends private_mutex_t
-	 */
-	private_mutex_t generic;
-	
-	/**
-	 * thread which currently owns mutex
-	 */
-	pthread_t thread;
-	
-	/**
-	 * times we have locked the lock, stored per thread
-	 */
-	pthread_key_t times;
-};
-
-/**
- * private data of condvar
- */
-struct private_condvar_t {
-
-	/**
-	 * public functions
-	 */
-	condvar_t public;
-	
-	/**
-	 * wrapped pthread condvar
-	 */
-	pthread_cond_t condvar;
-};
-
-/**
- * private data of rwlock
- */
-struct private_rwlock_t {
-
-	/**
-	 * public functions
-	 */
-	rwlock_t public;
-	
-	/**
-	 * wrapped pthread rwlock
-	 */
-	pthread_rwlock_t rwlock;
-	
-	/**
-	 * profiling info, if enabled
-	 */
-	lock_profile_t profile;
-};
-
-/**
- * Implementation of mutex_t.lock.
- */
-static void lock(private_mutex_t *this)
-{
-	profiler_start(&this->profile);
-	if (pthread_mutex_lock(&this->mutex))
-	{
-		DBG1("!!!! MUTEX %sLOCK ERROR, your code is buggy !!!", "");
-	}
-	profiler_end(&this->profile);
-}
-
-/**
- * Implementation of mutex_t.unlock.
- */
-static void unlock(private_mutex_t *this)
-{
-	if (pthread_mutex_unlock(&this->mutex))
-	{
-		DBG1("!!!! MUTEX %sLOCK ERROR, your code is buggy !!!", "UN");
-	}
-}
-
-/**
- * Implementation of mutex_t.lock.
- */
-static void lock_r(private_r_mutex_t *this)
-{
-	pthread_t self = pthread_self();
-
-	if (this->thread == self)
-	{
-		uintptr_t times;
-		
-		/* times++ */
-		times = (uintptr_t)pthread_getspecific(this->times);
-		pthread_setspecific(this->times, (void*)times + 1);
-	}
-	else
-	{
-		lock(&this->generic);
-		this->thread = self;
-		/* times = 1 */
-		pthread_setspecific(this->times, (void*)1);
-	}
-}
-
-/**
- * Implementation of mutex_t.unlock.
- */
-static void unlock_r(private_r_mutex_t *this)
-{
-	uintptr_t times;
-
-	/* times-- */
-	times = (uintptr_t)pthread_getspecific(this->times);
-	pthread_setspecific(this->times, (void*)--times);
-	
-	if (times == 0)
-	{
-		this->thread = 0;
-		unlock(&this->generic);
-	}
-}
-
-/**
- * Implementation of mutex_t.destroy
- */
-static void mutex_destroy(private_mutex_t *this)
-{
-	profiler_cleanup(&this->profile);
-	pthread_mutex_destroy(&this->mutex);
-	free(this);
-}
-
-/**
- * Implementation of mutex_t.destroy for recursive mutex'
- */
-static void mutex_destroy_r(private_r_mutex_t *this)
-{
-	profiler_cleanup(&this->generic.profile);
-	pthread_mutex_destroy(&this->generic.mutex);
-	pthread_key_delete(this->times);
-	free(this);
-}
-
-/*
- * see header file
- */
-mutex_t *mutex_create(mutex_type_t type)
-{
-	switch (type)
-	{
-		case MUTEX_TYPE_RECURSIVE:
-		{
-			private_r_mutex_t *this = malloc_thing(private_r_mutex_t);
-			
-			this->generic.public.lock = (void(*)(mutex_t*))lock_r;
-			this->generic.public.unlock = (void(*)(mutex_t*))unlock_r;
-			this->generic.public.destroy = (void(*)(mutex_t*))mutex_destroy_r;	
-			
-			pthread_mutex_init(&this->generic.mutex, NULL);
-			pthread_key_create(&this->times, NULL);
-			this->generic.recursive = TRUE;
-			profiler_init(&this->generic.profile);
-			this->thread = 0;
-			
-			return &this->generic.public;
-		}
-		case MUTEX_TYPE_DEFAULT:
-		default:
-		{
-			private_mutex_t *this = malloc_thing(private_mutex_t);
-		
-			this->public.lock = (void(*)(mutex_t*))lock;
-			this->public.unlock = (void(*)(mutex_t*))unlock;
-			this->public.destroy = (void(*)(mutex_t*))mutex_destroy;
-			
-			pthread_mutex_init(&this->mutex, NULL);
-			this->recursive = FALSE;
-			profiler_init(&this->profile);
-			
-			return &this->public;
-		}
-	}
-}
-
-/**
- * Implementation of condvar_t.wait.
- */
-static void _wait(private_condvar_t *this, private_mutex_t *mutex)
-{
-	if (mutex->recursive)
-	{
-		private_r_mutex_t* recursive = (private_r_mutex_t*)mutex;
-		
-		/* mutex owner gets cleared during condvar wait */
-		recursive->thread = 0;
-		pthread_cond_wait(&this->condvar, &mutex->mutex);
-		recursive->thread = pthread_self();
-	}
-	else
-	{
-		pthread_cond_wait(&this->condvar, &mutex->mutex);
-	}
-}
-
-/**
- * Implementation of condvar_t.timed_wait_abs.
- */
-static bool timed_wait_abs(private_condvar_t *this, private_mutex_t *mutex,
-						   timeval_t time)
-{
-	struct timespec ts;
-	bool timed_out;
-	
-	ts.tv_sec = time.tv_sec;
-	ts.tv_nsec = time.tv_usec * 1000;
-	
-	if (mutex->recursive)
-	{
-		private_r_mutex_t* recursive = (private_r_mutex_t*)mutex;
-		
-		recursive->thread = 0;
-		timed_out = pthread_cond_timedwait(&this->condvar, &mutex->mutex,
-										   &ts) == ETIMEDOUT;
-		recursive->thread = pthread_self();
-	}
-	else
-	{
-		timed_out = pthread_cond_timedwait(&this->condvar, &mutex->mutex,
-										   &ts) == ETIMEDOUT;
-	}
-	return timed_out;
-}
-
-/**
- * Implementation of condvar_t.timed_wait.
- */
-static bool timed_wait(private_condvar_t *this, private_mutex_t *mutex,
-					   u_int timeout)
-{
-	timeval_t tv;
-	u_int s, ms;
-	
-	gettimeofday(&tv, NULL);
-	
-	s = timeout / 1000;
-	ms = timeout % 1000;
-	
-	tv.tv_sec += s;
-	tv.tv_usec += ms * 1000;
-	
-	if (tv.tv_usec > 1000000 /* 1s */)
-	{
-		tv.tv_usec -= 1000000;
-		tv.tv_sec++;
-	}
-	return timed_wait_abs(this, mutex, tv);
-}
-
-/**
- * Implementation of condvar_t.signal.
- */
-static void _signal(private_condvar_t *this)
-{
-	pthread_cond_signal(&this->condvar);
-}
-
-/**
- * Implementation of condvar_t.broadcast.
- */
-static void broadcast(private_condvar_t *this)
-{
-	pthread_cond_broadcast(&this->condvar);
-}
-
-/**
- * Implementation of condvar_t.destroy
- */
-static void condvar_destroy(private_condvar_t *this)
-{
-	pthread_cond_destroy(&this->condvar);
-	free(this);
-}
-
-/*
- * see header file
- */
-condvar_t *condvar_create(condvar_type_t type)
-{
-	switch (type)
-	{
-		case CONDVAR_TYPE_DEFAULT:
-		default:
-		{
-			private_condvar_t *this = malloc_thing(private_condvar_t);
-		
-			this->public.wait = (void(*)(condvar_t*, mutex_t *mutex))_wait;
-			this->public.timed_wait = (bool(*)(condvar_t*, mutex_t *mutex, u_int timeout))timed_wait;
-			this->public.timed_wait_abs = (bool(*)(condvar_t*, mutex_t *mutex, timeval_t time))timed_wait_abs;
-			this->public.signal = (void(*)(condvar_t*))_signal;
-			this->public.broadcast = (void(*)(condvar_t*))broadcast;
-			this->public.destroy = (void(*)(condvar_t*))condvar_destroy;
-		
-			pthread_cond_init(&this->condvar, NULL);
-		
-			return &this->public;
-		}
-	}
-}
-
-/**
- * Implementation of rwlock_t.read_lock
- */
-static void read_lock(private_rwlock_t *this)
-{
-	profiler_start(&this->profile);
-	pthread_rwlock_rdlock(&this->rwlock);
-	profiler_end(&this->profile);
-}
-
-/**
- * Implementation of rwlock_t.write_lock
- */
-static void write_lock(private_rwlock_t *this)
-{
-	profiler_start(&this->profile);
-	pthread_rwlock_wrlock(&this->rwlock);
-	profiler_end(&this->profile);
-}
-
-/**
- * Implementation of rwlock_t.try_write_lock
- */
-static bool try_write_lock(private_rwlock_t *this)
-{
-	return pthread_rwlock_trywrlock(&this->rwlock) == 0;
-}
-
-/**
- * Implementation of rwlock_t.unlock
- */
-static void rw_unlock(private_rwlock_t *this)
-{
-	pthread_rwlock_unlock(&this->rwlock);
-}
-
-/**
- * Implementation of rwlock_t.destroy
- */
-static void rw_destroy(private_rwlock_t *this)
-{
-	pthread_rwlock_destroy(&this->rwlock);
-	profiler_cleanup(&this->profile);
-	free(this);
-}
-
-/*
- * see header file
- */
-rwlock_t *rwlock_create(rwlock_type_t type)
-{
-	switch (type)
-	{
-		case RWLOCK_TYPE_DEFAULT:
-		default:
-		{
-			private_rwlock_t *this = malloc_thing(private_rwlock_t);
-			
-			this->public.read_lock = (void(*)(rwlock_t*))read_lock;
-			this->public.write_lock = (void(*)(rwlock_t*))write_lock;
-			this->public.try_write_lock = (bool(*)(rwlock_t*))try_write_lock;
-			this->public.unlock = (void(*)(rwlock_t*))rw_unlock;
-			this->public.destroy = (void(*)(rwlock_t*))rw_destroy;
-			
-			pthread_rwlock_init(&this->rwlock, NULL);
-			profiler_init(&this->profile);
-			
-			return &this->public;
-		}
-	}
-}
-
diff --git a/src/libstrongswan/utils/mutex.h b/src/libstrongswan/utils/mutex.h
deleted file mode 100644
index 273f56b47..000000000
--- a/src/libstrongswan/utils/mutex.h
+++ /dev/null
@@ -1,213 +0,0 @@
-/*
- * Copyright (C) 2008 Tobias Brunner
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup mutex mutex
- * @{ @ingroup utils
- */
-
-#ifndef MUTEX_H_
-#define MUTEX_H_
-
-typedef struct mutex_t mutex_t;
-typedef struct condvar_t condvar_t;
-typedef struct rwlock_t rwlock_t;
-typedef enum mutex_type_t mutex_type_t;
-typedef enum condvar_type_t condvar_type_t;
-typedef enum rwlock_type_t rwlock_type_t;
-
-#include <library.h>
-
-#ifdef __APPLE__
-/* on Mac OS X 10.5 several system calls we use are no cancellation points.
- * fortunately, select isn't one of them, so we wrap some of the others with
- * calls to select(2).
- */
-#include <sys/socket.h>
-#include <sys/select.h>
-
-#define WRAP_WITH_SELECT(func, socket, ...)\
-	fd_set rfds; FD_ZERO(&rfds); FD_SET(socket, &rfds);\
-	if (select(socket + 1, &rfds, NULL, NULL, NULL) <= 0) { return -1; }\
-	return func(socket, __VA_ARGS__)
-
-static inline int cancellable_accept(int socket, struct sockaddr *address,
-									 socklen_t *address_len)
-{
-	WRAP_WITH_SELECT(accept, socket, address, address_len);
-}
-#define accept cancellable_accept
-static inline int cancellable_recvfrom(int socket, void *buffer, size_t length,
-				int flags, struct sockaddr *address, socklen_t *address_len)
-{
-	WRAP_WITH_SELECT(recvfrom, socket, buffer, length, flags, address, address_len);
-}
-#define recvfrom cancellable_recvfrom
-#endif /* __APPLE__ */
-
-/**
- * Type of mutex.
- */
-enum mutex_type_t {
-	/** default mutex */
-	MUTEX_TYPE_DEFAULT	= 0,
-	/** allow recursive locking of the mutex */
-	MUTEX_TYPE_RECURSIVE	= 1,
-};
-
-/**
- * Type of condvar.
- */
-enum condvar_type_t {
-	/** default condvar */
-	CONDVAR_TYPE_DEFAULT	= 0,
-};
-
-/**
- * Type of read-write lock.
- */
-enum rwlock_type_t {
-	/** default condvar */
-	RWLOCK_TYPE_DEFAULT	= 0,
-};
-
-/**
- * Mutex wrapper implements simple, portable and advanced mutex functions.
- */
-struct mutex_t {
-
-	/**
-	 * Acquire the lock to the mutex.
-	 */
-	void (*lock)(mutex_t *this);
-	
-	/**
-	 * Release the lock on the mutex.
-	 */
-	void (*unlock)(mutex_t *this);
-			
-	/**
-     * Destroy a mutex instance.
-     */
-    void (*destroy)(mutex_t *this);
-};
-
-/**
- * Condvar wrapper to use in conjunction with mutex_t.
- */
-struct condvar_t {
-
-	/**
-	 * Wait on a condvar until it gets signalized.
-	 *
-	 * @param mutex			mutex to release while waiting
-	 */
-	void (*wait)(condvar_t *this, mutex_t *mutex);
-	
-	/**
-	 * Wait on a condvar until it gets signalized, or times out.
-	 *
-	 * @param mutex			mutex to release while waiting
-	 * @param timeout		timeout im ms
-	 * @return				TRUE if timed out, FALSE otherwise
-	 */
-	bool (*timed_wait)(condvar_t *this, mutex_t *mutex, u_int timeout);
-	
-	/**
-	 * Wait on a condvar until it gets signalized, or times out.
-	 * 
-	 * @param mutex			mutex to release while waiting
-	 * @param time			absolute time until timeout
-	 * @return				TRUE if timed out, FALSE otherwise
-	 */
-	bool (*timed_wait_abs)(condvar_t *this, mutex_t *mutex, timeval_t timeout);
-	
-	/**
-	 * Wake up a single thread in a condvar.
-	 */
-	void (*signal)(condvar_t *this);
-	
-	/**
-	 * Wake up all threads in a condvar.
-	 */
-	void (*broadcast)(condvar_t *this);
-	
-	/**
-	 * Destroy a condvar and free its resources.
-	 */
-	void (*destroy)(condvar_t *this);
-};
-
-/**
- * Read-Write lock wrapper.
- */
-struct rwlock_t {
-
-	/**
-	 * Acquire the read lock.
-	 */
-	void (*read_lock)(rwlock_t *this);
-	
-	/**
-	 * Acquire the write lock.
-	 */
-	void (*write_lock)(rwlock_t *this);
-	
-	/**
-	 * Try to acquire the write lock.
-	 *
-	 * Never blocks, but returns FALSE if the lock was already occupied.
-	 *
-	 * @return		TRUE if lock acquired
-	 */
-	bool (*try_write_lock)(rwlock_t *this);	
-	
-	/**
-	 * Release any acquired lock.
-	 */
-	void (*unlock)(rwlock_t *this);
-	
-	/**
-	 * Destroy the read-write lock.
-	 */
-	void (*destroy)(rwlock_t *this);
-};
-
-/**
- * Create a mutex instance.
- *
- * @param type		type of mutex to create
- * @return			unlocked mutex instance
- */
-mutex_t *mutex_create(mutex_type_t type);
-
-/**
- * Create a condvar instance.
- *
- * @param type		type of condvar to create
- * @return			condvar instance
- */
-condvar_t *condvar_create(condvar_type_t type);
-
-/**
- * Create a read-write lock instance.
- *
- * @param type		type of rwlock to create
- * @return			unlocked rwlock instance
- */
-rwlock_t *rwlock_create(rwlock_type_t type);
-
-#endif /** MUTEX_H_ @}*/
diff --git a/src/libstrongswan/utils/optionsfrom.c b/src/libstrongswan/utils/optionsfrom.c
index bf47e6b98..bf528caa0 100644
--- a/src/libstrongswan/utils/optionsfrom.c
+++ b/src/libstrongswan/utils/optionsfrom.c
@@ -6,7 +6,7 @@
  * under the terms of the GNU Library General Public License as published by
  * the Free Software Foundation; either version 2 of the License, or (at your
  * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- * 
+ *
  * This library is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
@@ -83,7 +83,7 @@ bool from(private_options_t *this, char *filename, int *argcp, char **argvp[],
 		DBG1("optionsfrom called %d times by \"%s\" - looping?", this->nuses + 1, (*argvp)[0]);
 		return FALSE;
 	}
-	
+
 	fd = fopen(filename, "r");
 	if (fd == NULL)
 	{
diff --git a/src/libstrongswan/utils/optionsfrom.h b/src/libstrongswan/utils/optionsfrom.h
index 05269f4f5..b0a9d0096 100644
--- a/src/libstrongswan/utils/optionsfrom.h
+++ b/src/libstrongswan/utils/optionsfrom.h
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  */
- 
+
 /**
  * @defgroup optionsfrom optionsfrom
  * @{ @ingroup utils
@@ -28,7 +28,7 @@ typedef struct options_t options_t;
  * Reads additional command line arguments from a file
  */
 struct options_t {
-	
+
 	/**
 	 * Check if the PKCS#7 contentType is data
 	 *
diff --git a/src/manager/Makefile.am b/src/manager/Makefile.am
index 6c50f1563..e6c31e9b4 100644
--- a/src/manager/Makefile.am
+++ b/src/manager/Makefile.am
@@ -14,10 +14,8 @@ manager_fcgi_LDADD = $(top_builddir)/src/libfast/libfast.la ${xml_LIBS}
 
 INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libfast ${xml_CFLAGS}
 AM_CFLAGS = -rdynamic \
-  -DSTRONGSWAN_CONF=\"${strongswan_conf}\" \
   -DIPSECDIR=\"${ipsecdir}\" \
   -DIPSEC_PIDDIR=\"${piddir}\" \
-  -DIPSEC_PLUGINDIR=\"${plugindir}\"\
   -DPLUGINS=\""${libstrongswan_plugins}\""
 
 # Don't forget to add templates to EXTRA_DIST !!! How to automate?
diff --git a/src/manager/Makefile.in b/src/manager/Makefile.in
index 2252f57ec..20438acc3 100644
--- a/src/manager/Makefile.in
+++ b/src/manager/Makefile.in
@@ -1,8 +1,9 @@
-# Makefile.in generated by automake 1.10.2 from Makefile.am.
+# Makefile.in generated by automake 1.11 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -17,8 +18,9 @@
 
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
@@ -37,11 +39,19 @@ manager_PROGRAMS = manager.fcgi$(EXEEXT)
 subdir = src/manager
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
 CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
 am__installdirs = "$(DESTDIR)$(managerdir)" \
 	"$(DESTDIR)$(manager_templatesdir)" \
 	"$(DESTDIR)$(manager_templates_authdir)" \
@@ -50,7 +60,6 @@ am__installdirs = "$(DESTDIR)$(managerdir)" \
 	"$(DESTDIR)$(manager_templates_gatewaydir)" \
 	"$(DESTDIR)$(manager_templates_ikesadir)" \
 	"$(DESTDIR)$(manager_templates_staticdir)"
-managerPROGRAMS_INSTALL = $(INSTALL_PROGRAM)
 PROGRAMS = $(manager_PROGRAMS)
 am_manager_fcgi_OBJECTS = main.$(OBJEXT) manager.$(OBJEXT) \
 	gateway.$(OBJEXT) storage.$(OBJEXT) xml.$(OBJEXT) \
@@ -64,6 +73,7 @@ manager_fcgi_DEPENDENCIES = $(top_builddir)/src/libfast/libfast.la \
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
+am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
@@ -80,14 +90,22 @@ am__vpath_adj = case $$p in \
     $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
     *) f=$$p;; \
   esac;
-am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
-manager_templatesDATA_INSTALL = $(INSTALL_DATA)
-manager_templates_authDATA_INSTALL = $(INSTALL_DATA)
-manager_templates_configDATA_INSTALL = $(INSTALL_DATA)
-manager_templates_controlDATA_INSTALL = $(INSTALL_DATA)
-manager_templates_gatewayDATA_INSTALL = $(INSTALL_DATA)
-manager_templates_ikesaDATA_INSTALL = $(INSTALL_DATA)
-manager_templates_staticDATA_INSTALL = $(INSTALL_DATA)
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 DATA = $(manager_templates_DATA) $(manager_templates_auth_DATA) \
 	$(manager_templates_config_DATA) \
 	$(manager_templates_control_DATA) \
@@ -130,25 +148,22 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
-IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
-LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
-LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
-LINUX_HEADERS = @LINUX_HEADERS@
 LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
 NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
@@ -160,11 +175,14 @@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
 PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
+RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
@@ -193,9 +211,9 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
-confdir = @confdir@
 datadir = @datadir@
 datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
@@ -218,7 +236,7 @@ ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
 libstrongswan_plugins = @libstrongswan_plugins@
-linuxdir = @linuxdir@
+linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
@@ -226,6 +244,7 @@ mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
@@ -234,10 +253,12 @@ pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+random_device = @random_device@
 resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
-simreader = @simreader@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
@@ -245,6 +266,7 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 managerdir = ${ipsecdir}/manager
@@ -259,10 +281,8 @@ controller/gateway_controller.c controller/gateway_controller.h
 manager_fcgi_LDADD = $(top_builddir)/src/libfast/libfast.la ${xml_LIBS}
 INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libfast ${xml_CFLAGS}
 AM_CFLAGS = -rdynamic \
-  -DSTRONGSWAN_CONF=\"${strongswan_conf}\" \
   -DIPSECDIR=\"${ipsecdir}\" \
   -DIPSEC_PIDDIR=\"${piddir}\" \
-  -DIPSEC_PLUGINDIR=\"${plugindir}\"\
   -DPLUGINS=\""${libstrongswan_plugins}\""
 
 
@@ -312,9 +332,9 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/manager/Makefile'; \
-	cd $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu  src/manager/Makefile
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/manager/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/manager/Makefile
 .PRECIOUS: Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
@@ -332,34 +352,50 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
 install-managerPROGRAMS: $(manager_PROGRAMS)
 	@$(NORMAL_INSTALL)
 	test -z "$(managerdir)" || $(MKDIR_P) "$(DESTDIR)$(managerdir)"
-	@list='$(manager_PROGRAMS)'; for p in $$list; do \
-	  p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
-	  if test -f $$p \
-	     || test -f $$p1 \
-	  ; then \
-	    f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \
-	   echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(managerPROGRAMS_INSTALL) '$$p' '$(DESTDIR)$(managerdir)/$$f'"; \
-	   $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(managerPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(managerdir)/$$f" || exit 1; \
-	  else :; fi; \
-	done
+	@list='$(manager_PROGRAMS)'; test -n "$(managerdir)" || list=; \
+	for p in $$list; do echo "$$p $$p"; done | \
+	sed 's/$(EXEEXT)$$//' | \
+	while read p p1; do if test -f $$p || test -f $$p1; \
+	  then echo "$$p"; echo "$$p"; else :; fi; \
+	done | \
+	sed -e 'p;s,.*/,,;n;h' -e 's|.*|.|' \
+	    -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \
+	sed 'N;N;N;s,\n, ,g' | \
+	$(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \
+	  { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \
+	    if ($$2 == $$4) files[d] = files[d] " " $$1; \
+	    else { print "f", $$3 "/" $$4, $$1; } } \
+	  END { for (d in files) print "f", d, files[d] }' | \
+	while read type dir files; do \
+	    if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \
+	    test -z "$$files" || { \
+	    echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(managerdir)$$dir'"; \
+	    $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(managerdir)$$dir" || exit $$?; \
+	    } \
+	; done
 
 uninstall-managerPROGRAMS:
 	@$(NORMAL_UNINSTALL)
-	@list='$(manager_PROGRAMS)'; for p in $$list; do \
-	  f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \
-	  echo " rm -f '$(DESTDIR)$(managerdir)/$$f'"; \
-	  rm -f "$(DESTDIR)$(managerdir)/$$f"; \
-	done
+	@list='$(manager_PROGRAMS)'; test -n "$(managerdir)" || list=; \
+	files=`for p in $$list; do echo "$$p"; done | \
+	  sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \
+	      -e 's/$$/$(EXEEXT)/' `; \
+	test -n "$$list" || exit 0; \
+	echo " ( cd '$(DESTDIR)$(managerdir)' && rm -f" $$files ")"; \
+	cd "$(DESTDIR)$(managerdir)" && rm -f $$files
 
 clean-managerPROGRAMS:
-	@list='$(manager_PROGRAMS)'; for p in $$list; do \
-	  f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
-	  echo " rm -f $$p $$f"; \
-	  rm -f $$p $$f ; \
-	done
+	@list='$(manager_PROGRAMS)'; test -n "$$list" || exit 0; \
+	echo " rm -f" $$list; \
+	rm -f $$list || exit $$?; \
+	test -n "$(EXEEXT)" || exit 0; \
+	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
+	echo " rm -f" $$list; \
+	rm -f $$list
 manager.fcgi$(EXEEXT): $(manager_fcgi_OBJECTS) $(manager_fcgi_DEPENDENCIES) 
 	@rm -f manager.fcgi$(EXEEXT)
 	$(LINK) $(manager_fcgi_OBJECTS) $(manager_fcgi_LDADD) $(LIBS)
@@ -383,91 +419,91 @@ distclean-compile:
 
 .c.o:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c $<
 
 .c.obj:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
 @am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
 
 auth_controller.o: controller/auth_controller.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT auth_controller.o -MD -MP -MF $(DEPDIR)/auth_controller.Tpo -c -o auth_controller.o `test -f 'controller/auth_controller.c' || echo '$(srcdir)/'`controller/auth_controller.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/auth_controller.Tpo $(DEPDIR)/auth_controller.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/auth_controller.Tpo $(DEPDIR)/auth_controller.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='controller/auth_controller.c' object='auth_controller.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o auth_controller.o `test -f 'controller/auth_controller.c' || echo '$(srcdir)/'`controller/auth_controller.c
 
 auth_controller.obj: controller/auth_controller.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT auth_controller.obj -MD -MP -MF $(DEPDIR)/auth_controller.Tpo -c -o auth_controller.obj `if test -f 'controller/auth_controller.c'; then $(CYGPATH_W) 'controller/auth_controller.c'; else $(CYGPATH_W) '$(srcdir)/controller/auth_controller.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/auth_controller.Tpo $(DEPDIR)/auth_controller.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/auth_controller.Tpo $(DEPDIR)/auth_controller.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='controller/auth_controller.c' object='auth_controller.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o auth_controller.obj `if test -f 'controller/auth_controller.c'; then $(CYGPATH_W) 'controller/auth_controller.c'; else $(CYGPATH_W) '$(srcdir)/controller/auth_controller.c'; fi`
 
 ikesa_controller.o: controller/ikesa_controller.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ikesa_controller.o -MD -MP -MF $(DEPDIR)/ikesa_controller.Tpo -c -o ikesa_controller.o `test -f 'controller/ikesa_controller.c' || echo '$(srcdir)/'`controller/ikesa_controller.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/ikesa_controller.Tpo $(DEPDIR)/ikesa_controller.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ikesa_controller.Tpo $(DEPDIR)/ikesa_controller.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='controller/ikesa_controller.c' object='ikesa_controller.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ikesa_controller.o `test -f 'controller/ikesa_controller.c' || echo '$(srcdir)/'`controller/ikesa_controller.c
 
 ikesa_controller.obj: controller/ikesa_controller.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ikesa_controller.obj -MD -MP -MF $(DEPDIR)/ikesa_controller.Tpo -c -o ikesa_controller.obj `if test -f 'controller/ikesa_controller.c'; then $(CYGPATH_W) 'controller/ikesa_controller.c'; else $(CYGPATH_W) '$(srcdir)/controller/ikesa_controller.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/ikesa_controller.Tpo $(DEPDIR)/ikesa_controller.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ikesa_controller.Tpo $(DEPDIR)/ikesa_controller.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='controller/ikesa_controller.c' object='ikesa_controller.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ikesa_controller.obj `if test -f 'controller/ikesa_controller.c'; then $(CYGPATH_W) 'controller/ikesa_controller.c'; else $(CYGPATH_W) '$(srcdir)/controller/ikesa_controller.c'; fi`
 
 control_controller.o: controller/control_controller.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT control_controller.o -MD -MP -MF $(DEPDIR)/control_controller.Tpo -c -o control_controller.o `test -f 'controller/control_controller.c' || echo '$(srcdir)/'`controller/control_controller.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/control_controller.Tpo $(DEPDIR)/control_controller.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/control_controller.Tpo $(DEPDIR)/control_controller.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='controller/control_controller.c' object='control_controller.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o control_controller.o `test -f 'controller/control_controller.c' || echo '$(srcdir)/'`controller/control_controller.c
 
 control_controller.obj: controller/control_controller.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT control_controller.obj -MD -MP -MF $(DEPDIR)/control_controller.Tpo -c -o control_controller.obj `if test -f 'controller/control_controller.c'; then $(CYGPATH_W) 'controller/control_controller.c'; else $(CYGPATH_W) '$(srcdir)/controller/control_controller.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/control_controller.Tpo $(DEPDIR)/control_controller.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/control_controller.Tpo $(DEPDIR)/control_controller.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='controller/control_controller.c' object='control_controller.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o control_controller.obj `if test -f 'controller/control_controller.c'; then $(CYGPATH_W) 'controller/control_controller.c'; else $(CYGPATH_W) '$(srcdir)/controller/control_controller.c'; fi`
 
 config_controller.o: controller/config_controller.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT config_controller.o -MD -MP -MF $(DEPDIR)/config_controller.Tpo -c -o config_controller.o `test -f 'controller/config_controller.c' || echo '$(srcdir)/'`controller/config_controller.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/config_controller.Tpo $(DEPDIR)/config_controller.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/config_controller.Tpo $(DEPDIR)/config_controller.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='controller/config_controller.c' object='config_controller.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o config_controller.o `test -f 'controller/config_controller.c' || echo '$(srcdir)/'`controller/config_controller.c
 
 config_controller.obj: controller/config_controller.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT config_controller.obj -MD -MP -MF $(DEPDIR)/config_controller.Tpo -c -o config_controller.obj `if test -f 'controller/config_controller.c'; then $(CYGPATH_W) 'controller/config_controller.c'; else $(CYGPATH_W) '$(srcdir)/controller/config_controller.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/config_controller.Tpo $(DEPDIR)/config_controller.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/config_controller.Tpo $(DEPDIR)/config_controller.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='controller/config_controller.c' object='config_controller.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o config_controller.obj `if test -f 'controller/config_controller.c'; then $(CYGPATH_W) 'controller/config_controller.c'; else $(CYGPATH_W) '$(srcdir)/controller/config_controller.c'; fi`
 
 gateway_controller.o: controller/gateway_controller.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT gateway_controller.o -MD -MP -MF $(DEPDIR)/gateway_controller.Tpo -c -o gateway_controller.o `test -f 'controller/gateway_controller.c' || echo '$(srcdir)/'`controller/gateway_controller.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/gateway_controller.Tpo $(DEPDIR)/gateway_controller.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/gateway_controller.Tpo $(DEPDIR)/gateway_controller.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='controller/gateway_controller.c' object='gateway_controller.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o gateway_controller.o `test -f 'controller/gateway_controller.c' || echo '$(srcdir)/'`controller/gateway_controller.c
 
 gateway_controller.obj: controller/gateway_controller.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT gateway_controller.obj -MD -MP -MF $(DEPDIR)/gateway_controller.Tpo -c -o gateway_controller.obj `if test -f 'controller/gateway_controller.c'; then $(CYGPATH_W) 'controller/gateway_controller.c'; else $(CYGPATH_W) '$(srcdir)/controller/gateway_controller.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/gateway_controller.Tpo $(DEPDIR)/gateway_controller.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/gateway_controller.Tpo $(DEPDIR)/gateway_controller.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='controller/gateway_controller.c' object='gateway_controller.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o gateway_controller.obj `if test -f 'controller/gateway_controller.c'; then $(CYGPATH_W) 'controller/gateway_controller.c'; else $(CYGPATH_W) '$(srcdir)/controller/gateway_controller.c'; fi`
@@ -480,122 +516,143 @@ clean-libtool:
 install-manager_templatesDATA: $(manager_templates_DATA)
 	@$(NORMAL_INSTALL)
 	test -z "$(manager_templatesdir)" || $(MKDIR_P) "$(DESTDIR)$(manager_templatesdir)"
-	@list='$(manager_templates_DATA)'; for p in $$list; do \
+	@list='$(manager_templates_DATA)'; test -n "$(manager_templatesdir)" || list=; \
+	for p in $$list; do \
 	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
-	  f=$(am__strip_dir) \
-	  echo " $(manager_templatesDATA_INSTALL) '$$d$$p' '$(DESTDIR)$(manager_templatesdir)/$$f'"; \
-	  $(manager_templatesDATA_INSTALL) "$$d$$p" "$(DESTDIR)$(manager_templatesdir)/$$f"; \
+	  echo "$$d$$p"; \
+	done | $(am__base_list) | \
+	while read files; do \
+	  echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(manager_templatesdir)'"; \
+	  $(INSTALL_DATA) $$files "$(DESTDIR)$(manager_templatesdir)" || exit $$?; \
 	done
 
 uninstall-manager_templatesDATA:
 	@$(NORMAL_UNINSTALL)
-	@list='$(manager_templates_DATA)'; for p in $$list; do \
-	  f=$(am__strip_dir) \
-	  echo " rm -f '$(DESTDIR)$(manager_templatesdir)/$$f'"; \
-	  rm -f "$(DESTDIR)$(manager_templatesdir)/$$f"; \
-	done
+	@list='$(manager_templates_DATA)'; test -n "$(manager_templatesdir)" || list=; \
+	files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
+	test -n "$$files" || exit 0; \
+	echo " ( cd '$(DESTDIR)$(manager_templatesdir)' && rm -f" $$files ")"; \
+	cd "$(DESTDIR)$(manager_templatesdir)" && rm -f $$files
 install-manager_templates_authDATA: $(manager_templates_auth_DATA)
 	@$(NORMAL_INSTALL)
 	test -z "$(manager_templates_authdir)" || $(MKDIR_P) "$(DESTDIR)$(manager_templates_authdir)"
-	@list='$(manager_templates_auth_DATA)'; for p in $$list; do \
+	@list='$(manager_templates_auth_DATA)'; test -n "$(manager_templates_authdir)" || list=; \
+	for p in $$list; do \
 	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
-	  f=$(am__strip_dir) \
-	  echo " $(manager_templates_authDATA_INSTALL) '$$d$$p' '$(DESTDIR)$(manager_templates_authdir)/$$f'"; \
-	  $(manager_templates_authDATA_INSTALL) "$$d$$p" "$(DESTDIR)$(manager_templates_authdir)/$$f"; \
+	  echo "$$d$$p"; \
+	done | $(am__base_list) | \
+	while read files; do \
+	  echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(manager_templates_authdir)'"; \
+	  $(INSTALL_DATA) $$files "$(DESTDIR)$(manager_templates_authdir)" || exit $$?; \
 	done
 
 uninstall-manager_templates_authDATA:
 	@$(NORMAL_UNINSTALL)
-	@list='$(manager_templates_auth_DATA)'; for p in $$list; do \
-	  f=$(am__strip_dir) \
-	  echo " rm -f '$(DESTDIR)$(manager_templates_authdir)/$$f'"; \
-	  rm -f "$(DESTDIR)$(manager_templates_authdir)/$$f"; \
-	done
+	@list='$(manager_templates_auth_DATA)'; test -n "$(manager_templates_authdir)" || list=; \
+	files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
+	test -n "$$files" || exit 0; \
+	echo " ( cd '$(DESTDIR)$(manager_templates_authdir)' && rm -f" $$files ")"; \
+	cd "$(DESTDIR)$(manager_templates_authdir)" && rm -f $$files
 install-manager_templates_configDATA: $(manager_templates_config_DATA)
 	@$(NORMAL_INSTALL)
 	test -z "$(manager_templates_configdir)" || $(MKDIR_P) "$(DESTDIR)$(manager_templates_configdir)"
-	@list='$(manager_templates_config_DATA)'; for p in $$list; do \
+	@list='$(manager_templates_config_DATA)'; test -n "$(manager_templates_configdir)" || list=; \
+	for p in $$list; do \
 	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
-	  f=$(am__strip_dir) \
-	  echo " $(manager_templates_configDATA_INSTALL) '$$d$$p' '$(DESTDIR)$(manager_templates_configdir)/$$f'"; \
-	  $(manager_templates_configDATA_INSTALL) "$$d$$p" "$(DESTDIR)$(manager_templates_configdir)/$$f"; \
+	  echo "$$d$$p"; \
+	done | $(am__base_list) | \
+	while read files; do \
+	  echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(manager_templates_configdir)'"; \
+	  $(INSTALL_DATA) $$files "$(DESTDIR)$(manager_templates_configdir)" || exit $$?; \
 	done
 
 uninstall-manager_templates_configDATA:
 	@$(NORMAL_UNINSTALL)
-	@list='$(manager_templates_config_DATA)'; for p in $$list; do \
-	  f=$(am__strip_dir) \
-	  echo " rm -f '$(DESTDIR)$(manager_templates_configdir)/$$f'"; \
-	  rm -f "$(DESTDIR)$(manager_templates_configdir)/$$f"; \
-	done
+	@list='$(manager_templates_config_DATA)'; test -n "$(manager_templates_configdir)" || list=; \
+	files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
+	test -n "$$files" || exit 0; \
+	echo " ( cd '$(DESTDIR)$(manager_templates_configdir)' && rm -f" $$files ")"; \
+	cd "$(DESTDIR)$(manager_templates_configdir)" && rm -f $$files
 install-manager_templates_controlDATA: $(manager_templates_control_DATA)
 	@$(NORMAL_INSTALL)
 	test -z "$(manager_templates_controldir)" || $(MKDIR_P) "$(DESTDIR)$(manager_templates_controldir)"
-	@list='$(manager_templates_control_DATA)'; for p in $$list; do \
+	@list='$(manager_templates_control_DATA)'; test -n "$(manager_templates_controldir)" || list=; \
+	for p in $$list; do \
 	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
-	  f=$(am__strip_dir) \
-	  echo " $(manager_templates_controlDATA_INSTALL) '$$d$$p' '$(DESTDIR)$(manager_templates_controldir)/$$f'"; \
-	  $(manager_templates_controlDATA_INSTALL) "$$d$$p" "$(DESTDIR)$(manager_templates_controldir)/$$f"; \
+	  echo "$$d$$p"; \
+	done | $(am__base_list) | \
+	while read files; do \
+	  echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(manager_templates_controldir)'"; \
+	  $(INSTALL_DATA) $$files "$(DESTDIR)$(manager_templates_controldir)" || exit $$?; \
 	done
 
 uninstall-manager_templates_controlDATA:
 	@$(NORMAL_UNINSTALL)
-	@list='$(manager_templates_control_DATA)'; for p in $$list; do \
-	  f=$(am__strip_dir) \
-	  echo " rm -f '$(DESTDIR)$(manager_templates_controldir)/$$f'"; \
-	  rm -f "$(DESTDIR)$(manager_templates_controldir)/$$f"; \
-	done
+	@list='$(manager_templates_control_DATA)'; test -n "$(manager_templates_controldir)" || list=; \
+	files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
+	test -n "$$files" || exit 0; \
+	echo " ( cd '$(DESTDIR)$(manager_templates_controldir)' && rm -f" $$files ")"; \
+	cd "$(DESTDIR)$(manager_templates_controldir)" && rm -f $$files
 install-manager_templates_gatewayDATA: $(manager_templates_gateway_DATA)
 	@$(NORMAL_INSTALL)
 	test -z "$(manager_templates_gatewaydir)" || $(MKDIR_P) "$(DESTDIR)$(manager_templates_gatewaydir)"
-	@list='$(manager_templates_gateway_DATA)'; for p in $$list; do \
+	@list='$(manager_templates_gateway_DATA)'; test -n "$(manager_templates_gatewaydir)" || list=; \
+	for p in $$list; do \
 	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
-	  f=$(am__strip_dir) \
-	  echo " $(manager_templates_gatewayDATA_INSTALL) '$$d$$p' '$(DESTDIR)$(manager_templates_gatewaydir)/$$f'"; \
-	  $(manager_templates_gatewayDATA_INSTALL) "$$d$$p" "$(DESTDIR)$(manager_templates_gatewaydir)/$$f"; \
+	  echo "$$d$$p"; \
+	done | $(am__base_list) | \
+	while read files; do \
+	  echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(manager_templates_gatewaydir)'"; \
+	  $(INSTALL_DATA) $$files "$(DESTDIR)$(manager_templates_gatewaydir)" || exit $$?; \
 	done
 
 uninstall-manager_templates_gatewayDATA:
 	@$(NORMAL_UNINSTALL)
-	@list='$(manager_templates_gateway_DATA)'; for p in $$list; do \
-	  f=$(am__strip_dir) \
-	  echo " rm -f '$(DESTDIR)$(manager_templates_gatewaydir)/$$f'"; \
-	  rm -f "$(DESTDIR)$(manager_templates_gatewaydir)/$$f"; \
-	done
+	@list='$(manager_templates_gateway_DATA)'; test -n "$(manager_templates_gatewaydir)" || list=; \
+	files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
+	test -n "$$files" || exit 0; \
+	echo " ( cd '$(DESTDIR)$(manager_templates_gatewaydir)' && rm -f" $$files ")"; \
+	cd "$(DESTDIR)$(manager_templates_gatewaydir)" && rm -f $$files
 install-manager_templates_ikesaDATA: $(manager_templates_ikesa_DATA)
 	@$(NORMAL_INSTALL)
 	test -z "$(manager_templates_ikesadir)" || $(MKDIR_P) "$(DESTDIR)$(manager_templates_ikesadir)"
-	@list='$(manager_templates_ikesa_DATA)'; for p in $$list; do \
+	@list='$(manager_templates_ikesa_DATA)'; test -n "$(manager_templates_ikesadir)" || list=; \
+	for p in $$list; do \
 	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
-	  f=$(am__strip_dir) \
-	  echo " $(manager_templates_ikesaDATA_INSTALL) '$$d$$p' '$(DESTDIR)$(manager_templates_ikesadir)/$$f'"; \
-	  $(manager_templates_ikesaDATA_INSTALL) "$$d$$p" "$(DESTDIR)$(manager_templates_ikesadir)/$$f"; \
+	  echo "$$d$$p"; \
+	done | $(am__base_list) | \
+	while read files; do \
+	  echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(manager_templates_ikesadir)'"; \
+	  $(INSTALL_DATA) $$files "$(DESTDIR)$(manager_templates_ikesadir)" || exit $$?; \
 	done
 
 uninstall-manager_templates_ikesaDATA:
 	@$(NORMAL_UNINSTALL)
-	@list='$(manager_templates_ikesa_DATA)'; for p in $$list; do \
-	  f=$(am__strip_dir) \
-	  echo " rm -f '$(DESTDIR)$(manager_templates_ikesadir)/$$f'"; \
-	  rm -f "$(DESTDIR)$(manager_templates_ikesadir)/$$f"; \
-	done
+	@list='$(manager_templates_ikesa_DATA)'; test -n "$(manager_templates_ikesadir)" || list=; \
+	files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
+	test -n "$$files" || exit 0; \
+	echo " ( cd '$(DESTDIR)$(manager_templates_ikesadir)' && rm -f" $$files ")"; \
+	cd "$(DESTDIR)$(manager_templates_ikesadir)" && rm -f $$files
 install-manager_templates_staticDATA: $(manager_templates_static_DATA)
 	@$(NORMAL_INSTALL)
 	test -z "$(manager_templates_staticdir)" || $(MKDIR_P) "$(DESTDIR)$(manager_templates_staticdir)"
-	@list='$(manager_templates_static_DATA)'; for p in $$list; do \
+	@list='$(manager_templates_static_DATA)'; test -n "$(manager_templates_staticdir)" || list=; \
+	for p in $$list; do \
 	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
-	  f=$(am__strip_dir) \
-	  echo " $(manager_templates_staticDATA_INSTALL) '$$d$$p' '$(DESTDIR)$(manager_templates_staticdir)/$$f'"; \
-	  $(manager_templates_staticDATA_INSTALL) "$$d$$p" "$(DESTDIR)$(manager_templates_staticdir)/$$f"; \
+	  echo "$$d$$p"; \
+	done | $(am__base_list) | \
+	while read files; do \
+	  echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(manager_templates_staticdir)'"; \
+	  $(INSTALL_DATA) $$files "$(DESTDIR)$(manager_templates_staticdir)" || exit $$?; \
 	done
 
 uninstall-manager_templates_staticDATA:
 	@$(NORMAL_UNINSTALL)
-	@list='$(manager_templates_static_DATA)'; for p in $$list; do \
-	  f=$(am__strip_dir) \
-	  echo " rm -f '$(DESTDIR)$(manager_templates_staticdir)/$$f'"; \
-	  rm -f "$(DESTDIR)$(manager_templates_staticdir)/$$f"; \
-	done
+	@list='$(manager_templates_static_DATA)'; test -n "$(manager_templates_staticdir)" || list=; \
+	files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
+	test -n "$$files" || exit 0; \
+	echo " ( cd '$(DESTDIR)$(manager_templates_staticdir)' && rm -f" $$files ")"; \
+	cd "$(DESTDIR)$(manager_templates_staticdir)" && rm -f $$files
 
 ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
@@ -609,7 +666,7 @@ tags: TAGS
 
 TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
+	set x; \
 	here=`pwd`; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
@@ -617,29 +674,34 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
 	  test -n "$$unique" || unique=$$empty_fix; \
-	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	    $$tags $$unique; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
 	fi
 ctags: CTAGS
 CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	test -z "$(CTAGS_ARGS)$$unique" \
 	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$tags $$unique
+	     $$unique
 
 GTAGS:
 	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && cd $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) $$here
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
 
 distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
@@ -660,13 +722,17 @@ distdir: $(DISTFILES)
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
 	  if test -d $$d/$$file; then \
 	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
 	    fi; \
-	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
 	  else \
-	    test -f $(distdir)/$$file \
-	    || cp -p $$d/$$file $(distdir)/$$file \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
 	    || exit 1; \
 	  fi; \
 	done
@@ -697,6 +763,7 @@ clean-generic:
 
 distclean-generic:
 	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -718,6 +785,8 @@ dvi-am:
 
 html: html-am
 
+html-am:
+
 info: info-am
 
 info-am:
@@ -732,18 +801,28 @@ install-data-am: install-managerPROGRAMS install-manager_templatesDATA \
 
 install-dvi: install-dvi-am
 
+install-dvi-am:
+
 install-exec-am:
 
 install-html: install-html-am
 
+install-html-am:
+
 install-info: install-info-am
 
+install-info-am:
+
 install-man:
 
 install-pdf: install-pdf-am
 
+install-pdf-am:
+
 install-ps: install-ps-am
 
+install-ps-am:
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -802,6 +881,7 @@ uninstall-am: uninstall-managerPROGRAMS \
 	uninstall-manager_templates_ikesaDATA \
 	uninstall-manager_templates_staticDATA
 
+
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/src/manager/controller/auth_controller.c b/src/manager/controller/auth_controller.c
index 5f9c3b623..dd469cee4 100644
--- a/src/manager/controller/auth_controller.c
+++ b/src/manager/controller/auth_controller.c
@@ -30,7 +30,7 @@ struct private_auth_controller_t {
 	 * public functions
 	 */
 	auth_controller_t public;
-	
+
 	/**
 	 * manager instance
 	 */
@@ -47,7 +47,7 @@ static void login(private_auth_controller_t *this, request_t *request)
 static void check(private_auth_controller_t *this, request_t *request)
 {
 	char *username, *password;
-	
+
 	username = request->get_query_data(request, "username");
 	password = request->get_query_data(request, "password");
 	if (username && password &&
@@ -87,11 +87,11 @@ static void handle(private_auth_controller_t *this,
 		{
 			return login(this, request);
 		}
-		else if (streq(action, "check")) 
+		else if (streq(action, "check"))
 		{
 			return check(this, request);
 		}
-		else if (streq(action, "logout")) 
+		else if (streq(action, "logout"))
 		{
 			return logout(this, request);
 		}
@@ -117,9 +117,9 @@ controller_t *auth_controller_create(context_t *context, void *param)
 	this->public.controller.get_name = (char*(*)(controller_t*))get_name;
 	this->public.controller.handle = (void(*)(controller_t*,request_t*,char*,char*,char*,char*,char*))handle;
 	this->public.controller.destroy = (void(*)(controller_t*))destroy;
-	
+
 	this->manager = (manager_t*)context;
-	
+
 	return &this->public.controller;
 }
 
diff --git a/src/manager/controller/config_controller.c b/src/manager/controller/config_controller.c
index dda2938a1..828a4ac97 100644
--- a/src/manager/controller/config_controller.c
+++ b/src/manager/controller/config_controller.c
@@ -33,7 +33,7 @@ struct private_config_controller_t {
 	 * public functions
 	 */
 	config_controller_t public;
-	
+
 	/**
 	 * manager instance
 	 */
@@ -54,7 +54,7 @@ static void process_peerconfig(private_config_controller_t *this,
 	{
 		if (streq(name, "name"))
 		{
-			config = value;	
+			config = value;
 		}
 		else if (streq(name, "ikeconfig"))
 		{
@@ -80,7 +80,7 @@ static void process_peerconfig(private_config_controller_t *this,
 				if (streq(name, "childconfig"))
 				{
 					int num = 0;
-					
+
 					e2 = xml->children(xml);
 					while (e2->enumerate(e2, &xml, &name, &value))
 					{
@@ -199,9 +199,9 @@ controller_t *config_controller_create(context_t *context, void *param)
 	this->public.controller.get_name = (char*(*)(controller_t*))get_name;
 	this->public.controller.handle = (void(*)(controller_t*,request_t*,char*,char*,char*,char*,char*))handle;
 	this->public.controller.destroy = (void(*)(controller_t*))destroy;
-	
+
 	this->manager = (manager_t*)context;
-	
+
 	return &this->public.controller;
 }
 
diff --git a/src/manager/controller/control_controller.c b/src/manager/controller/control_controller.c
index c22591182..fdf66bf14 100644
--- a/src/manager/controller/control_controller.c
+++ b/src/manager/controller/control_controller.c
@@ -33,7 +33,7 @@ struct private_control_controller_t {
 	 * public functions
 	 */
 	control_controller_t public;
-	
+
 	/**
 	 * manager instance
 	 */
@@ -50,7 +50,7 @@ static void handle_result(private_control_controller_t *this, request_t *r,
 	xml_t *xml;
 	char *name, *value;
 	int num = 0;
-	
+
 	if (e)
 	{
 		while (e->enumerate(e, &xml, &name, &value))
@@ -113,7 +113,7 @@ static void terminate(private_control_controller_t *this, request_t *r,
 {
 	gateway_t *gateway;
 	enumerator_t *e;
-	
+
 	r->setf(r, "title=Terminate %s SA %d", ike ? "IKE" : "CHILD", id);
 	gateway = this->manager->select_gateway(this->manager, 0);
 	e = gateway->terminate(gateway, ike, id);
@@ -145,7 +145,7 @@ static void handle(private_control_controller_t *this,
 	if (action)
 	{
 		u_int32_t id;
-	
+
 		if (streq(action, "terminateike"))
 		{
 			if (str && (id = atoi(str)))
@@ -196,9 +196,9 @@ controller_t *control_controller_create(context_t *context, void *param)
 	this->public.controller.get_name = (char*(*)(controller_t*))get_name;
 	this->public.controller.handle = (void(*)(controller_t*,request_t*,char*,char*,char*,char*,char*))handle;
 	this->public.controller.destroy = (void(*)(controller_t*))destroy;
-	
+
 	this->manager = (manager_t*)context;
-	
+
 	return &this->public.controller;
 }
 
diff --git a/src/manager/controller/gateway_controller.c b/src/manager/controller/gateway_controller.c
index 164bf5921..9fca220e9 100644
--- a/src/manager/controller/gateway_controller.c
+++ b/src/manager/controller/gateway_controller.c
@@ -31,12 +31,12 @@ struct private_gateway_controller_t {
 	 * public functions
 	 */
 	gateway_controller_t public;
-	
+
 	/**
 	 * manager instance
 	 */
 	manager_t *manager;
-	
+
 };
 
 static void list(private_gateway_controller_t *this, request_t *request)
@@ -44,7 +44,7 @@ static void list(private_gateway_controller_t *this, request_t *request)
 	enumerator_t *enumerator;
 	char *name, *address;
 	int id, port;
-	
+
 	enumerator = this->manager->create_gateway_enumerator(this->manager);
 	while (enumerator->enumerate(enumerator, &id, &name, &port, &address))
 	{
@@ -69,7 +69,7 @@ static void list(private_gateway_controller_t *this, request_t *request)
 static void _select(private_gateway_controller_t *this, request_t *request)
 {
 	char *id;
-	
+
 	id = request->get_query_data(request, "gateway");
 	if (id)
 	{
@@ -106,7 +106,7 @@ static void handle(private_gateway_controller_t *this,
 		{
 			return list(this, request);
 		}
-		else if (streq(action, "select")) 
+		else if (streq(action, "select"))
 		{
 			return _select(this, request);
 		}
@@ -133,9 +133,9 @@ controller_t *gateway_controller_create(context_t *context, void *param)
 	this->public.controller.get_name = (char*(*)(controller_t*))get_name;
 	this->public.controller.handle = (void(*)(controller_t*,request_t*,char*,char*,char*,char*,char*))handle;
 	this->public.controller.destroy = (void(*)(controller_t*))destroy;
-	
+
 	this->manager = (manager_t*)context;
-	
+
 	return &this->public.controller;
 }
 
diff --git a/src/manager/controller/ikesa_controller.c b/src/manager/controller/ikesa_controller.c
index c35ff42e6..afa4a67f8 100644
--- a/src/manager/controller/ikesa_controller.c
+++ b/src/manager/controller/ikesa_controller.c
@@ -33,7 +33,7 @@ struct private_ikesa_controller_t {
 	 * public functions
 	 */
 	ikesa_controller_t public;
-	
+
 	/**
 	 * manager instance
 	 */
@@ -50,7 +50,7 @@ static void process_childsa(private_ikesa_controller_t *this, char *id,
 	enumerator_t *e1, *e2;
 	char *name, *value, *reqid = "", *section = "";
 	int num = 0;
-	
+
 	while (e->enumerate(e, &xml, &name, &value))
 	{
 		if (streq(name, "reqid"))
@@ -106,7 +106,7 @@ static void process_ikesa(private_ikesa_controller_t *this,
 	{
 		if (streq(name, "id"))
 		{
-			id = value;	
+			id = value;
 		}
 		else if (streq(name, "local") || streq(name, "remote"))
 		{
@@ -223,9 +223,9 @@ controller_t *ikesa_controller_create(context_t *context, void *param)
 	this->public.controller.get_name = (char*(*)(controller_t*))get_name;
 	this->public.controller.handle = (void(*)(controller_t*,request_t*,char*,char*,char*,char*,char*))handle;
 	this->public.controller.destroy = (void(*)(controller_t*))destroy;
-	
+
 	this->manager = (manager_t*)context;
-	
+
 	return &this->public.controller;
 }
 
diff --git a/src/manager/gateway.c b/src/manager/gateway.c
index f0d557c71..fd462afa7 100644
--- a/src/manager/gateway.c
+++ b/src/manager/gateway.c
@@ -35,22 +35,22 @@ struct private_gateway_t {
 	 * public functions
 	 */
 	gateway_t public;
-	
+
 	/**
 	 * name of the gateway
 	 */
 	char *name;
-	
+
 	/**
 	 * host to connect using tcp
 	 */
 	host_t *host;
-	
+
 	/**
 	 * socket file descriptor, > 0 if connected
 	 */
 	int fd;
-	
+
 	/**
 	 * unique id assigned to each xml message
 	 */
@@ -83,7 +83,7 @@ static bool connect_(private_gateway_t *this)
 		addr = (struct sockaddr*)&unix_addr;
 		len = sizeof(unix_addr);
 	}
-	
+
 	this->fd = socket(family, SOCK_STREAM, 0);
 	if (this->fd < 0)
 	{
@@ -115,7 +115,7 @@ static char* request(private_gateway_t *this, char *xml, ...)
 		char buf[8096];
 		ssize_t len;
 		va_list args;
-		
+
 		va_start(args, xml);
 		len = vsnprintf(buf, sizeof(buf), xml, args);
 		va_end(args);
@@ -153,7 +153,7 @@ static enumerator_t* query_ikesalist(private_gateway_t *this)
 	char *str, *name, *value;
 	xml_t *xml;
 	enumerator_t *e1, *e2, *e3, *e4 = NULL;
-	
+
 	str = request(this,	"<message type=\"request\" id=\"%d\">"
 							"<query>"
 								"<ikesalist/>"
@@ -168,7 +168,7 @@ static enumerator_t* query_ikesalist(private_gateway_t *this)
 	{
 		return NULL;
 	}
-	
+
 	e1 = xml->children(xml);
 	free(str);
 	while (e1->enumerate(e1, &xml, &name, &value))
@@ -202,7 +202,7 @@ static enumerator_t* query_ikesalist(private_gateway_t *this)
 	return NULL;
 }
 
-	
+
 /**
  * Implementation of gateway_t.query_configlist.
  */
@@ -211,7 +211,7 @@ static enumerator_t* query_configlist(private_gateway_t *this)
 	char *str, *name, *value;
 	xml_t *xml;
 	enumerator_t *e1, *e2, *e3, *e4 = NULL;
-	
+
 	str = request(this,	"<message type=\"request\" id=\"%d\">"
 							"<query>"
 								"<configlist/>"
@@ -226,7 +226,7 @@ static enumerator_t* query_configlist(private_gateway_t *this)
 	{
 		return NULL;
 	}
-	
+
 	e1 = xml->children(xml);
 	free(str);
 	while (e1->enumerate(e1, &xml, &name, &value))
@@ -308,7 +308,7 @@ static enumerator_t* read_result(private_gateway_t *this, char *res)
 static enumerator_t* initiate(private_gateway_t *this, bool ike, char *name)
 {
 	char *str, *kind;
-	
+
 	if (ike)
 	{
 		kind = "ike";
@@ -331,7 +331,7 @@ static enumerator_t* initiate(private_gateway_t *this, bool ike, char *name)
 static enumerator_t* terminate(private_gateway_t *this, bool ike, u_int32_t id)
 {
 	char *str, *kind;
-	
+
 	if (ike)
 	{
 		kind = "ike";
@@ -368,19 +368,19 @@ static void destroy(private_gateway_t *this)
 static private_gateway_t *gateway_create(char *name)
 {
 	private_gateway_t *this = malloc_thing(private_gateway_t);
-	
+
 	this->public.request = (char*(*)(gateway_t*, char *xml))request;
 	this->public.query_ikesalist = (enumerator_t*(*)(gateway_t*))query_ikesalist;
 	this->public.query_configlist = (enumerator_t*(*)(gateway_t*))query_configlist;
 	this->public.initiate = (enumerator_t*(*)(gateway_t*, bool ike, char *name))initiate;
 	this->public.terminate = (enumerator_t*(*)(gateway_t*, bool ike, u_int32_t id))terminate;
 	this->public.destroy = (void(*)(gateway_t*))destroy;
-	
+
 	this->name = strdup(name);
 	this->host = NULL;
 	this->fd = -1;
 	this->xmlid = 1;
-	
+
 	return this;
 }
 
@@ -390,9 +390,9 @@ static private_gateway_t *gateway_create(char *name)
 gateway_t *gateway_create_tcp(char *name, host_t *host)
 {
 	private_gateway_t *this = gateway_create(name);
-	
+
 	this->host = host;
-	
+
 	return &this->public;
 }
 
@@ -402,7 +402,7 @@ gateway_t *gateway_create_tcp(char *name, host_t *host)
 gateway_t *gateway_create_unix(char *name)
 {
 	private_gateway_t *this = gateway_create(name);
-	
+
 	return &this->public;
 }
 
diff --git a/src/manager/gateway.h b/src/manager/gateway.h
index 7c76fa474..54aade7b1 100644
--- a/src/manager/gateway.h
+++ b/src/manager/gateway.h
@@ -30,7 +30,7 @@ typedef struct gateway_t gateway_t;
  * A connection to a gateway.
  */
 struct gateway_t {
-	
+
 	/**
 	 * Send an XML request to the gateway.
 	 *
@@ -38,21 +38,21 @@ struct gateway_t {
 	 * @return			allocated xml response string
 	 */
 	char* (*request)(gateway_t *this, char *xml);
-	
+
 	/**
 	 * Query the list of IKE_SAs and all its children.
 	 *
 	 * @return			enumerator over ikesa XML elements
 	 */
 	enumerator_t* (*query_ikesalist)(gateway_t *this);
-	
+
 	/**
 	 * Query the list of peer configs and its subconfigs.
 	 *
 	 * @return			enumerator over peerconfig XML elements
 	 */
 	enumerator_t* (*query_configlist)(gateway_t *this);
-	
+
 	/**
 	 * Terminate an IKE or a CHILD SA.
 	 *
@@ -61,7 +61,7 @@ struct gateway_t {
 	 * @return			enumerator over control response XML children
 	 */
 	enumerator_t* (*terminate)(gateway_t *this, bool ike, u_int32_t id);
-	
+
 	/**
 	 * Initiate an IKE or a CHILD SA.
 	 *
@@ -70,7 +70,7 @@ struct gateway_t {
 	 * @return			enumerator over control response XML children
 	 */
 	enumerator_t* (*initiate)(gateway_t *this, bool ike, char *name);
-	
+
 	/**
 	 * Destroy a gateway instance.
 	 */
diff --git a/src/manager/main.c b/src/manager/main.c
index 6fef0bf3e..1f5c45113 100644
--- a/src/manager/main.c
+++ b/src/manager/main.c
@@ -34,10 +34,13 @@ int main (int arc, char *argv[])
 	bool debug;
 	int threads, timeout;
 
-	library_init(STRONGSWAN_CONF);
-	lib->plugins->load(lib->plugins, IPSEC_PLUGINDIR,
-		lib->settings->get_str(lib->settings, "manager.load", PLUGINS));
-	
+	library_init(NULL);
+	if (!lib->plugins->load(lib->plugins, NULL,
+			lib->settings->get_str(lib->settings, "manager.load", PLUGINS)))
+	{
+		return 1;
+	}
+
 	socket = lib->settings->get_str(lib->settings, "manager.socket", NULL);
 	debug = lib->settings->get_bool(lib->settings, "manager.debug", FALSE);
 	timeout = lib->settings->get_time(lib->settings, "manager.timeout", 900);
@@ -48,13 +51,13 @@ int main (int arc, char *argv[])
 		DBG1("database URI undefined, set manager.database in strongswan.conf");
 		return 1;
 	}
-	
+
 	storage = storage_create(database);
 	if (storage == NULL)
 	{
 		return 1;
 	}
-	
+
 	dispatcher = dispatcher_create(socket, debug, timeout,
 						(context_constructor_t)manager_create, storage);
 	dispatcher->add_controller(dispatcher, ikesa_controller_create, NULL);
@@ -62,16 +65,16 @@ int main (int arc, char *argv[])
 	dispatcher->add_controller(dispatcher, auth_controller_create, NULL);
 	dispatcher->add_controller(dispatcher, control_controller_create, NULL);
 	dispatcher->add_controller(dispatcher, config_controller_create, NULL);
-	
+
 	dispatcher->run(dispatcher, threads);
-	
+
 	dispatcher->waitsignal(dispatcher);
-	
+
 	dispatcher->destroy(dispatcher);
 	storage->destroy(storage);
-	
+
 	library_deinit();
 
-    return 0;
+	return 0;
 }
 
diff --git a/src/manager/manager.c b/src/manager/manager.c
index 72f402a48..fb89c6b72 100644
--- a/src/manager/manager.c
+++ b/src/manager/manager.c
@@ -30,23 +30,23 @@ struct private_manager_t {
 	 * public functions
 	 */
 	manager_t public;
-	
+
 	/**
 	 * underlying storage database
 	 */
 	storage_t *store;
-	
+
 	/**
 	 * user id, if we are logged in
 	 */
 	int user;
-	
+
 	/**
 	 * selected gateway
 	 */
 	gateway_t *gateway;
-};	
-	
+};
+
 /**
  * Implementation of manager_t.create_gateway_enumerator.
  */
@@ -66,10 +66,10 @@ static gateway_t* select_gateway(private_manager_t *this, int select_id)
 		int id, port;
 		char *name, *address;
 		host_t *host;
-		
+
 		if (this->gateway) this->gateway->destroy(this->gateway);
 		this->gateway = NULL;
-		
+
 		enumerator = this->store->create_gateway_enumerator(this->store, this->user);
 		while (enumerator->enumerate(enumerator, &id, &name, &port, &address))
 		{
@@ -143,18 +143,18 @@ static void destroy(private_manager_t *this)
 manager_t *manager_create(storage_t *storage)
 {
 	private_manager_t *this = malloc_thing(private_manager_t);
-	
+
 	this->public.login = (bool(*)(manager_t*, char *username, char *password))login;
 	this->public.logged_in = (bool(*)(manager_t*))logged_in;
 	this->public.logout = (void(*)(manager_t*))logout;
 	this->public.create_gateway_enumerator = (enumerator_t*(*)(manager_t*))create_gateway_enumerator;
 	this->public.select_gateway = (gateway_t*(*)(manager_t*, int id))select_gateway;
 	this->public.context.destroy = (void(*)(context_t*))destroy;
-	
+
 	this->user = 0;
 	this->store = storage;
 	this->gateway = NULL;
-	
+
 	return &this->public;
 }
 
diff --git a/src/manager/manager.h b/src/manager/manager.h
index dc5fc1831..231b0f5f3 100644
--- a/src/manager/manager.h
+++ b/src/manager/manager.h
@@ -44,7 +44,7 @@ struct manager_t {
 	 * implements context_t interface
 	 */
 	context_t context;
-	
+
 	/**
 	 * Create an iterator over all configured gateways.
 	 *
@@ -54,7 +54,7 @@ struct manager_t {
 	 * @return			enumerator
 	 */
 	enumerator_t* (*create_gateway_enumerator)(manager_t *this);
-	
+
 	/**
 	 * Select a gateway.
 	 *
@@ -65,7 +65,7 @@ struct manager_t {
 	 * @return			selected gateway, or NULL
 	 */
 	gateway_t* (*select_gateway)(manager_t *this, int id);
-	
+
 	/**
 	 * Try to log in.
 	 *
@@ -74,14 +74,14 @@ struct manager_t {
 	 * @return			TRUE if login successful
 	 */
 	bool (*login)(manager_t *this, char *username, char *password);
-	
+
 	/**
 	 * Check if user logged in.
 	 *
 	 * @return			TRUE if logged in
 	 */
 	bool (*logged_in)(manager_t *this);
-	
+
 	/**
 	 * Log out.
 	 */
diff --git a/src/manager/storage.c b/src/manager/storage.c
index 00e688e08..f7635ea71 100644
--- a/src/manager/storage.c
+++ b/src/manager/storage.c
@@ -30,7 +30,7 @@ struct private_storage_t {
 	 * public functions
 	 */
 	storage_t public;
-	
+
 	/**
 	 * database connection
 	 */
@@ -47,7 +47,7 @@ static int login(private_storage_t *this, char *username, char *password)
 	size_t username_len, password_len;
 	int uid = 0;
 	enumerator_t *enumerator;
-	
+
 	/* hash = SHA1( username | password ) */
 	hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
 	if (hasher == NULL)
@@ -63,8 +63,8 @@ static int login(private_storage_t *this, char *username, char *password)
 	hasher->get_hash(hasher, data, hash.ptr);
 	hasher->destroy(hasher);
 	hex_str = chunk_to_hex(hash, NULL, FALSE);
-	
-	enumerator = this->db->query(this->db, 
+
+	enumerator = this->db->query(this->db,
 			"SELECT oid FROM users WHERE username = ? AND password = ?;",
 			DB_TEXT, username, DB_TEXT, hex_str.ptr,
 			DB_INT);
@@ -83,8 +83,8 @@ static int login(private_storage_t *this, char *username, char *password)
 static enumerator_t* create_gateway_enumerator(private_storage_t *this, int user)
 {
 	enumerator_t *enumerator;
-	
-	enumerator = this->db->query(this->db, 
+
+	enumerator = this->db->query(this->db,
 			"SELECT gateways.oid AS gid, name, port, address FROM "
 			"gateways, user_gateway AS ug ON gid = ug.gateway WHERE ug.user = ?;",
 			DB_INT, user,
@@ -111,11 +111,11 @@ static void destroy(private_storage_t *this)
 storage_t *storage_create(char *uri)
 {
 	private_storage_t *this = malloc_thing(private_storage_t);
-	
+
 	this->public.login = (int(*)(storage_t*, char *username, char *password))login;
 	this->public.create_gateway_enumerator = (enumerator_t*(*)(storage_t*,int))create_gateway_enumerator;
 	this->public.destroy = (void(*)(storage_t*))destroy;
-	
+
 	this->db = lib->db->create(lib->db, uri);
 	if (this->db == NULL)
 	{
diff --git a/src/manager/storage.h b/src/manager/storage.h
index 2495b3a26..d8e8b7479 100644
--- a/src/manager/storage.h
+++ b/src/manager/storage.h
@@ -39,7 +39,7 @@ struct storage_t {
 	 * @return					user ID if login good, 0 otherwise
 	 */
 	int (*login)(storage_t *this, char *username, char *password);
-	
+
 	/**
 	 * Create an iterator over the gateways.
 	 *
@@ -49,12 +49,12 @@ struct storage_t {
 	 * @param user				user Id
 	 * @return					enumerator
 	 */
-	enumerator_t* (*create_gateway_enumerator)(storage_t *this, int user);	
+	enumerator_t* (*create_gateway_enumerator)(storage_t *this, int user);
 
 	/**
-     * Destroy a storage instance.
-     */
-    void (*destroy)(storage_t *this);
+	 * Destroy a storage instance.
+	 */
+	void (*destroy)(storage_t *this);
 };
 
 /**
diff --git a/src/manager/xml.c b/src/manager/xml.c
index 5aa2e3e1e..a9ef60c24 100644
--- a/src/manager/xml.c
+++ b/src/manager/xml.c
@@ -32,22 +32,22 @@ struct private_xml_t {
 	 * public functions
 	 */
 	xml_t public;
-	
+
 	/**
 	 * root node of this xml (part)
 	 */
 	xmlNode *node;
-	
+
 	/**
 	 * document, only for root xml_t
 	 */
 	xmlDoc *doc;
-	
+
 	/**
 	 * Root xml_t*
 	 */
 	private_xml_t *root;
-	
+
 	/**
 	 * number of enumerator instances
 	 */
@@ -79,10 +79,10 @@ static bool child_enumerate(child_enum_t *e, private_xml_t **child,
 	if (e->node)
 	{
 		xmlNode *text;
-		
+
 		text = e->node->children;
 		*value = NULL;
-		
+
 		while (text && text->type != XML_TEXT_NODE)
 		{
 			text = text->next;
@@ -109,7 +109,7 @@ static char* get_attribute(private_xml_t *this, char *name)
 }
 
 /**
- * destroy enumerator, and complete tree if this was the last enumerator 
+ * destroy enumerator, and complete tree if this was the last enumerator
  */
 static void child_destroy(child_enum_t *this)
 {
@@ -145,10 +145,10 @@ static enumerator_t* children(private_xml_t *this)
 xml_t *xml_create(char *xml)
 {
 	private_xml_t *this = malloc_thing(private_xml_t);
-	
+
 	this->public.get_attribute = (char*(*)(xml_t*,char*))get_attribute;
 	this->public.children = (enumerator_t*(*)(xml_t*))children;
-	
+
 	this->doc = xmlReadMemory(xml, strlen(xml), NULL, NULL, 0);
 	if (this->doc == NULL)
 	{
@@ -158,7 +158,7 @@ xml_t *xml_create(char *xml)
 	this->node = xmlDocGetRootElement(this->doc);
 	this->root = this;
 	this->enums = 0;
-	
+
 	return &this->public;
 }
 
diff --git a/src/manager/xml.h b/src/manager/xml.h
index 230e0f925..0c362fed1 100644
--- a/src/manager/xml.h
+++ b/src/manager/xml.h
@@ -43,7 +43,7 @@ struct xml_t {
 	 * @return			enumerator over (xml_t* child, char *name, char *value)
 	 */
 	enumerator_t* (*children)(xml_t *this);
-	
+
 	/**
 	 * Get an attribute value by its name.
 	 *
diff --git a/src/medsrv/Makefile.am b/src/medsrv/Makefile.am
index 8da1cfcc4..9f5c9e2f7 100644
--- a/src/medsrv/Makefile.am
+++ b/src/medsrv/Makefile.am
@@ -11,10 +11,8 @@ medsrv_fcgi_LDADD = $(top_builddir)/src/libfast/libfast.la
 
 INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libfast
 AM_CFLAGS = -rdynamic \
-  -DSTRONGSWAN_CONF=\"${strongswan_conf}\" \
   -DIPSECDIR=\"${ipsecdir}\" \
   -DIPSEC_PIDDIR=\"${piddir}\" \
-  -DIPSEC_PLUGINDIR=\"${plugindir}\"\
   -DPLUGINS=\""${libstrongswan_plugins}\""
 
 # Don't forget to add templates to EXTRA_DIST !!! How to automate?
@@ -24,10 +22,10 @@ medsrv_templates_DATA = templates/header.cs templates/footer.cs
 medsrv_templates_userdir = ${medsrv_templatesdir}/user
 medsrv_templates_user_DATA = templates/user/add.cs templates/user/edit.cs \
 templates/user/login.cs templates/user/help.cs
-  
+
 medsrv_templates_peerdir = ${medsrv_templatesdir}/peer
 medsrv_templates_peer_DATA = templates/peer/add.cs templates/peer/edit.cs \
-templates/peer/list.cs 
+templates/peer/list.cs
 
 medsrv_templates_staticdir = ${medsrv_templatesdir}/static
 medsrv_templates_static_DATA = templates/header.cs templates/footer.cs \
diff --git a/src/medsrv/Makefile.in b/src/medsrv/Makefile.in
index 239923c40..8f602930d 100644
--- a/src/medsrv/Makefile.in
+++ b/src/medsrv/Makefile.in
@@ -1,8 +1,9 @@
-# Makefile.in generated by automake 1.10.2 from Makefile.am.
+# Makefile.in generated by automake 1.11 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -17,8 +18,9 @@
 
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
@@ -37,17 +39,24 @@ medsrv_PROGRAMS = medsrv.fcgi$(EXEEXT)
 subdir = src/medsrv
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
 CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
 am__installdirs = "$(DESTDIR)$(medsrvdir)" \
 	"$(DESTDIR)$(medsrv_templatesdir)" \
 	"$(DESTDIR)$(medsrv_templates_peerdir)" \
 	"$(DESTDIR)$(medsrv_templates_staticdir)" \
 	"$(DESTDIR)$(medsrv_templates_userdir)"
-medsrvPROGRAMS_INSTALL = $(INSTALL_PROGRAM)
 PROGRAMS = $(medsrv_PROGRAMS)
 am_medsrv_fcgi_OBJECTS = user.$(OBJEXT) main.$(OBJEXT) \
 	auth_filter.$(OBJEXT) user_controller.$(OBJEXT) \
@@ -57,6 +66,7 @@ medsrv_fcgi_DEPENDENCIES = $(top_builddir)/src/libfast/libfast.la
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
+am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
@@ -73,11 +83,22 @@ am__vpath_adj = case $$p in \
     $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
     *) f=$$p;; \
   esac;
-am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
-medsrv_templatesDATA_INSTALL = $(INSTALL_DATA)
-medsrv_templates_peerDATA_INSTALL = $(INSTALL_DATA)
-medsrv_templates_staticDATA_INSTALL = $(INSTALL_DATA)
-medsrv_templates_userDATA_INSTALL = $(INSTALL_DATA)
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 DATA = $(medsrv_templates_DATA) $(medsrv_templates_peer_DATA) \
 	$(medsrv_templates_static_DATA) $(medsrv_templates_user_DATA)
 ETAGS = etags
@@ -116,25 +137,22 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
-IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
-LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
-LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
-LINUX_HEADERS = @LINUX_HEADERS@
 LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
 NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
@@ -146,11 +164,14 @@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
 PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
+RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
@@ -179,9 +200,9 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
-confdir = @confdir@
 datadir = @datadir@
 datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
@@ -204,7 +225,7 @@ ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
 libstrongswan_plugins = @libstrongswan_plugins@
-linuxdir = @linuxdir@
+linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
@@ -212,6 +233,7 @@ mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
@@ -220,10 +242,12 @@ pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+random_device = @random_device@
 resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
-simreader = @simreader@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
@@ -231,6 +255,7 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 medsrvdir = ${ipsecdir}/medsrv
@@ -242,10 +267,8 @@ controller/peer_controller.c controller/peer_controller.h
 medsrv_fcgi_LDADD = $(top_builddir)/src/libfast/libfast.la
 INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libfast
 AM_CFLAGS = -rdynamic \
-  -DSTRONGSWAN_CONF=\"${strongswan_conf}\" \
   -DIPSECDIR=\"${ipsecdir}\" \
   -DIPSEC_PIDDIR=\"${piddir}\" \
-  -DIPSEC_PLUGINDIR=\"${plugindir}\"\
   -DPLUGINS=\""${libstrongswan_plugins}\""
 
 
@@ -258,7 +281,7 @@ templates/user/login.cs templates/user/help.cs
 
 medsrv_templates_peerdir = ${medsrv_templatesdir}/peer
 medsrv_templates_peer_DATA = templates/peer/add.cs templates/peer/edit.cs \
-templates/peer/list.cs 
+templates/peer/list.cs
 
 medsrv_templates_staticdir = ${medsrv_templatesdir}/static
 medsrv_templates_static_DATA = templates/header.cs templates/footer.cs \
@@ -285,9 +308,9 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/medsrv/Makefile'; \
-	cd $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu  src/medsrv/Makefile
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/medsrv/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/medsrv/Makefile
 .PRECIOUS: Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
@@ -305,34 +328,50 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
 install-medsrvPROGRAMS: $(medsrv_PROGRAMS)
 	@$(NORMAL_INSTALL)
 	test -z "$(medsrvdir)" || $(MKDIR_P) "$(DESTDIR)$(medsrvdir)"
-	@list='$(medsrv_PROGRAMS)'; for p in $$list; do \
-	  p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
-	  if test -f $$p \
-	     || test -f $$p1 \
-	  ; then \
-	    f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \
-	   echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(medsrvPROGRAMS_INSTALL) '$$p' '$(DESTDIR)$(medsrvdir)/$$f'"; \
-	   $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(medsrvPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(medsrvdir)/$$f" || exit 1; \
-	  else :; fi; \
-	done
+	@list='$(medsrv_PROGRAMS)'; test -n "$(medsrvdir)" || list=; \
+	for p in $$list; do echo "$$p $$p"; done | \
+	sed 's/$(EXEEXT)$$//' | \
+	while read p p1; do if test -f $$p || test -f $$p1; \
+	  then echo "$$p"; echo "$$p"; else :; fi; \
+	done | \
+	sed -e 'p;s,.*/,,;n;h' -e 's|.*|.|' \
+	    -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \
+	sed 'N;N;N;s,\n, ,g' | \
+	$(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \
+	  { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \
+	    if ($$2 == $$4) files[d] = files[d] " " $$1; \
+	    else { print "f", $$3 "/" $$4, $$1; } } \
+	  END { for (d in files) print "f", d, files[d] }' | \
+	while read type dir files; do \
+	    if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \
+	    test -z "$$files" || { \
+	    echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(medsrvdir)$$dir'"; \
+	    $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(medsrvdir)$$dir" || exit $$?; \
+	    } \
+	; done
 
 uninstall-medsrvPROGRAMS:
 	@$(NORMAL_UNINSTALL)
-	@list='$(medsrv_PROGRAMS)'; for p in $$list; do \
-	  f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \
-	  echo " rm -f '$(DESTDIR)$(medsrvdir)/$$f'"; \
-	  rm -f "$(DESTDIR)$(medsrvdir)/$$f"; \
-	done
+	@list='$(medsrv_PROGRAMS)'; test -n "$(medsrvdir)" || list=; \
+	files=`for p in $$list; do echo "$$p"; done | \
+	  sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \
+	      -e 's/$$/$(EXEEXT)/' `; \
+	test -n "$$list" || exit 0; \
+	echo " ( cd '$(DESTDIR)$(medsrvdir)' && rm -f" $$files ")"; \
+	cd "$(DESTDIR)$(medsrvdir)" && rm -f $$files
 
 clean-medsrvPROGRAMS:
-	@list='$(medsrv_PROGRAMS)'; for p in $$list; do \
-	  f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
-	  echo " rm -f $$p $$f"; \
-	  rm -f $$p $$f ; \
-	done
+	@list='$(medsrv_PROGRAMS)'; test -n "$$list" || exit 0; \
+	echo " rm -f" $$list; \
+	rm -f $$list || exit $$?; \
+	test -n "$(EXEEXT)" || exit 0; \
+	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
+	echo " rm -f" $$list; \
+	rm -f $$list
 medsrv.fcgi$(EXEEXT): $(medsrv_fcgi_OBJECTS) $(medsrv_fcgi_DEPENDENCIES) 
 	@rm -f medsrv.fcgi$(EXEEXT)
 	$(LINK) $(medsrv_fcgi_OBJECTS) $(medsrv_fcgi_LDADD) $(LIBS)
@@ -351,63 +390,63 @@ distclean-compile:
 
 .c.o:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c $<
 
 .c.obj:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
 @am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
 
 auth_filter.o: filter/auth_filter.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT auth_filter.o -MD -MP -MF $(DEPDIR)/auth_filter.Tpo -c -o auth_filter.o `test -f 'filter/auth_filter.c' || echo '$(srcdir)/'`filter/auth_filter.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/auth_filter.Tpo $(DEPDIR)/auth_filter.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/auth_filter.Tpo $(DEPDIR)/auth_filter.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='filter/auth_filter.c' object='auth_filter.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o auth_filter.o `test -f 'filter/auth_filter.c' || echo '$(srcdir)/'`filter/auth_filter.c
 
 auth_filter.obj: filter/auth_filter.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT auth_filter.obj -MD -MP -MF $(DEPDIR)/auth_filter.Tpo -c -o auth_filter.obj `if test -f 'filter/auth_filter.c'; then $(CYGPATH_W) 'filter/auth_filter.c'; else $(CYGPATH_W) '$(srcdir)/filter/auth_filter.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/auth_filter.Tpo $(DEPDIR)/auth_filter.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/auth_filter.Tpo $(DEPDIR)/auth_filter.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='filter/auth_filter.c' object='auth_filter.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o auth_filter.obj `if test -f 'filter/auth_filter.c'; then $(CYGPATH_W) 'filter/auth_filter.c'; else $(CYGPATH_W) '$(srcdir)/filter/auth_filter.c'; fi`
 
 user_controller.o: controller/user_controller.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT user_controller.o -MD -MP -MF $(DEPDIR)/user_controller.Tpo -c -o user_controller.o `test -f 'controller/user_controller.c' || echo '$(srcdir)/'`controller/user_controller.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/user_controller.Tpo $(DEPDIR)/user_controller.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/user_controller.Tpo $(DEPDIR)/user_controller.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='controller/user_controller.c' object='user_controller.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o user_controller.o `test -f 'controller/user_controller.c' || echo '$(srcdir)/'`controller/user_controller.c
 
 user_controller.obj: controller/user_controller.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT user_controller.obj -MD -MP -MF $(DEPDIR)/user_controller.Tpo -c -o user_controller.obj `if test -f 'controller/user_controller.c'; then $(CYGPATH_W) 'controller/user_controller.c'; else $(CYGPATH_W) '$(srcdir)/controller/user_controller.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/user_controller.Tpo $(DEPDIR)/user_controller.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/user_controller.Tpo $(DEPDIR)/user_controller.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='controller/user_controller.c' object='user_controller.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o user_controller.obj `if test -f 'controller/user_controller.c'; then $(CYGPATH_W) 'controller/user_controller.c'; else $(CYGPATH_W) '$(srcdir)/controller/user_controller.c'; fi`
 
 peer_controller.o: controller/peer_controller.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT peer_controller.o -MD -MP -MF $(DEPDIR)/peer_controller.Tpo -c -o peer_controller.o `test -f 'controller/peer_controller.c' || echo '$(srcdir)/'`controller/peer_controller.c
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/peer_controller.Tpo $(DEPDIR)/peer_controller.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/peer_controller.Tpo $(DEPDIR)/peer_controller.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='controller/peer_controller.c' object='peer_controller.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o peer_controller.o `test -f 'controller/peer_controller.c' || echo '$(srcdir)/'`controller/peer_controller.c
 
 peer_controller.obj: controller/peer_controller.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT peer_controller.obj -MD -MP -MF $(DEPDIR)/peer_controller.Tpo -c -o peer_controller.obj `if test -f 'controller/peer_controller.c'; then $(CYGPATH_W) 'controller/peer_controller.c'; else $(CYGPATH_W) '$(srcdir)/controller/peer_controller.c'; fi`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/peer_controller.Tpo $(DEPDIR)/peer_controller.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/peer_controller.Tpo $(DEPDIR)/peer_controller.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='controller/peer_controller.c' object='peer_controller.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o peer_controller.obj `if test -f 'controller/peer_controller.c'; then $(CYGPATH_W) 'controller/peer_controller.c'; else $(CYGPATH_W) '$(srcdir)/controller/peer_controller.c'; fi`
@@ -420,71 +459,83 @@ clean-libtool:
 install-medsrv_templatesDATA: $(medsrv_templates_DATA)
 	@$(NORMAL_INSTALL)
 	test -z "$(medsrv_templatesdir)" || $(MKDIR_P) "$(DESTDIR)$(medsrv_templatesdir)"
-	@list='$(medsrv_templates_DATA)'; for p in $$list; do \
+	@list='$(medsrv_templates_DATA)'; test -n "$(medsrv_templatesdir)" || list=; \
+	for p in $$list; do \
 	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
-	  f=$(am__strip_dir) \
-	  echo " $(medsrv_templatesDATA_INSTALL) '$$d$$p' '$(DESTDIR)$(medsrv_templatesdir)/$$f'"; \
-	  $(medsrv_templatesDATA_INSTALL) "$$d$$p" "$(DESTDIR)$(medsrv_templatesdir)/$$f"; \
+	  echo "$$d$$p"; \
+	done | $(am__base_list) | \
+	while read files; do \
+	  echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(medsrv_templatesdir)'"; \
+	  $(INSTALL_DATA) $$files "$(DESTDIR)$(medsrv_templatesdir)" || exit $$?; \
 	done
 
 uninstall-medsrv_templatesDATA:
 	@$(NORMAL_UNINSTALL)
-	@list='$(medsrv_templates_DATA)'; for p in $$list; do \
-	  f=$(am__strip_dir) \
-	  echo " rm -f '$(DESTDIR)$(medsrv_templatesdir)/$$f'"; \
-	  rm -f "$(DESTDIR)$(medsrv_templatesdir)/$$f"; \
-	done
+	@list='$(medsrv_templates_DATA)'; test -n "$(medsrv_templatesdir)" || list=; \
+	files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
+	test -n "$$files" || exit 0; \
+	echo " ( cd '$(DESTDIR)$(medsrv_templatesdir)' && rm -f" $$files ")"; \
+	cd "$(DESTDIR)$(medsrv_templatesdir)" && rm -f $$files
 install-medsrv_templates_peerDATA: $(medsrv_templates_peer_DATA)
 	@$(NORMAL_INSTALL)
 	test -z "$(medsrv_templates_peerdir)" || $(MKDIR_P) "$(DESTDIR)$(medsrv_templates_peerdir)"
-	@list='$(medsrv_templates_peer_DATA)'; for p in $$list; do \
+	@list='$(medsrv_templates_peer_DATA)'; test -n "$(medsrv_templates_peerdir)" || list=; \
+	for p in $$list; do \
 	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
-	  f=$(am__strip_dir) \
-	  echo " $(medsrv_templates_peerDATA_INSTALL) '$$d$$p' '$(DESTDIR)$(medsrv_templates_peerdir)/$$f'"; \
-	  $(medsrv_templates_peerDATA_INSTALL) "$$d$$p" "$(DESTDIR)$(medsrv_templates_peerdir)/$$f"; \
+	  echo "$$d$$p"; \
+	done | $(am__base_list) | \
+	while read files; do \
+	  echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(medsrv_templates_peerdir)'"; \
+	  $(INSTALL_DATA) $$files "$(DESTDIR)$(medsrv_templates_peerdir)" || exit $$?; \
 	done
 
 uninstall-medsrv_templates_peerDATA:
 	@$(NORMAL_UNINSTALL)
-	@list='$(medsrv_templates_peer_DATA)'; for p in $$list; do \
-	  f=$(am__strip_dir) \
-	  echo " rm -f '$(DESTDIR)$(medsrv_templates_peerdir)/$$f'"; \
-	  rm -f "$(DESTDIR)$(medsrv_templates_peerdir)/$$f"; \
-	done
+	@list='$(medsrv_templates_peer_DATA)'; test -n "$(medsrv_templates_peerdir)" || list=; \
+	files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
+	test -n "$$files" || exit 0; \
+	echo " ( cd '$(DESTDIR)$(medsrv_templates_peerdir)' && rm -f" $$files ")"; \
+	cd "$(DESTDIR)$(medsrv_templates_peerdir)" && rm -f $$files
 install-medsrv_templates_staticDATA: $(medsrv_templates_static_DATA)
 	@$(NORMAL_INSTALL)
 	test -z "$(medsrv_templates_staticdir)" || $(MKDIR_P) "$(DESTDIR)$(medsrv_templates_staticdir)"
-	@list='$(medsrv_templates_static_DATA)'; for p in $$list; do \
+	@list='$(medsrv_templates_static_DATA)'; test -n "$(medsrv_templates_staticdir)" || list=; \
+	for p in $$list; do \
 	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
-	  f=$(am__strip_dir) \
-	  echo " $(medsrv_templates_staticDATA_INSTALL) '$$d$$p' '$(DESTDIR)$(medsrv_templates_staticdir)/$$f'"; \
-	  $(medsrv_templates_staticDATA_INSTALL) "$$d$$p" "$(DESTDIR)$(medsrv_templates_staticdir)/$$f"; \
+	  echo "$$d$$p"; \
+	done | $(am__base_list) | \
+	while read files; do \
+	  echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(medsrv_templates_staticdir)'"; \
+	  $(INSTALL_DATA) $$files "$(DESTDIR)$(medsrv_templates_staticdir)" || exit $$?; \
 	done
 
 uninstall-medsrv_templates_staticDATA:
 	@$(NORMAL_UNINSTALL)
-	@list='$(medsrv_templates_static_DATA)'; for p in $$list; do \
-	  f=$(am__strip_dir) \
-	  echo " rm -f '$(DESTDIR)$(medsrv_templates_staticdir)/$$f'"; \
-	  rm -f "$(DESTDIR)$(medsrv_templates_staticdir)/$$f"; \
-	done
+	@list='$(medsrv_templates_static_DATA)'; test -n "$(medsrv_templates_staticdir)" || list=; \
+	files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
+	test -n "$$files" || exit 0; \
+	echo " ( cd '$(DESTDIR)$(medsrv_templates_staticdir)' && rm -f" $$files ")"; \
+	cd "$(DESTDIR)$(medsrv_templates_staticdir)" && rm -f $$files
 install-medsrv_templates_userDATA: $(medsrv_templates_user_DATA)
 	@$(NORMAL_INSTALL)
 	test -z "$(medsrv_templates_userdir)" || $(MKDIR_P) "$(DESTDIR)$(medsrv_templates_userdir)"
-	@list='$(medsrv_templates_user_DATA)'; for p in $$list; do \
+	@list='$(medsrv_templates_user_DATA)'; test -n "$(medsrv_templates_userdir)" || list=; \
+	for p in $$list; do \
 	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
-	  f=$(am__strip_dir) \
-	  echo " $(medsrv_templates_userDATA_INSTALL) '$$d$$p' '$(DESTDIR)$(medsrv_templates_userdir)/$$f'"; \
-	  $(medsrv_templates_userDATA_INSTALL) "$$d$$p" "$(DESTDIR)$(medsrv_templates_userdir)/$$f"; \
+	  echo "$$d$$p"; \
+	done | $(am__base_list) | \
+	while read files; do \
+	  echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(medsrv_templates_userdir)'"; \
+	  $(INSTALL_DATA) $$files "$(DESTDIR)$(medsrv_templates_userdir)" || exit $$?; \
 	done
 
 uninstall-medsrv_templates_userDATA:
 	@$(NORMAL_UNINSTALL)
-	@list='$(medsrv_templates_user_DATA)'; for p in $$list; do \
-	  f=$(am__strip_dir) \
-	  echo " rm -f '$(DESTDIR)$(medsrv_templates_userdir)/$$f'"; \
-	  rm -f "$(DESTDIR)$(medsrv_templates_userdir)/$$f"; \
-	done
+	@list='$(medsrv_templates_user_DATA)'; test -n "$(medsrv_templates_userdir)" || list=; \
+	files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
+	test -n "$$files" || exit 0; \
+	echo " ( cd '$(DESTDIR)$(medsrv_templates_userdir)' && rm -f" $$files ")"; \
+	cd "$(DESTDIR)$(medsrv_templates_userdir)" && rm -f $$files
 
 ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
@@ -498,7 +549,7 @@ tags: TAGS
 
 TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
+	set x; \
 	here=`pwd`; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
@@ -506,29 +557,34 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
 	  test -n "$$unique" || unique=$$empty_fix; \
-	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	    $$tags $$unique; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
 	fi
 ctags: CTAGS
 CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	test -z "$(CTAGS_ARGS)$$unique" \
 	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$tags $$unique
+	     $$unique
 
 GTAGS:
 	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && cd $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) $$here
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
 
 distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
@@ -549,13 +605,17 @@ distdir: $(DISTFILES)
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
 	  if test -d $$d/$$file; then \
 	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
 	    fi; \
-	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
 	  else \
-	    test -f $(distdir)/$$file \
-	    || cp -p $$d/$$file $(distdir)/$$file \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
 	    || exit 1; \
 	  fi; \
 	done
@@ -586,6 +646,7 @@ clean-generic:
 
 distclean-generic:
 	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -607,6 +668,8 @@ dvi-am:
 
 html: html-am
 
+html-am:
+
 info: info-am
 
 info-am:
@@ -618,18 +681,28 @@ install-data-am: install-medsrvPROGRAMS install-medsrv_templatesDATA \
 
 install-dvi: install-dvi-am
 
+install-dvi-am:
+
 install-exec-am:
 
 install-html: install-html-am
 
+install-html-am:
+
 install-info: install-info-am
 
+install-info-am:
+
 install-man:
 
 install-pdf: install-pdf-am
 
+install-pdf-am:
+
 install-ps: install-ps-am
 
+install-ps-am:
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -678,6 +751,7 @@ uninstall-am: uninstall-medsrvPROGRAMS uninstall-medsrv_templatesDATA \
 	uninstall-medsrv_templates_staticDATA \
 	uninstall-medsrv_templates_userDATA
 
+
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/src/medsrv/controller/peer_controller.c b/src/medsrv/controller/peer_controller.c
index 01ba0c8cc..e1e4661e0 100755
--- a/src/medsrv/controller/peer_controller.c
+++ b/src/medsrv/controller/peer_controller.c
@@ -42,8 +42,8 @@ struct private_peer_controller_t {
 	 * active user session
 	 */
 	user_t *user;
-	
-	/** 
+
+	/**
 	 * underlying database
 	 */
 	database_t *db;
@@ -55,19 +55,19 @@ struct private_peer_controller_t {
 static void list(private_peer_controller_t *this, request_t *request)
 {
 	enumerator_t *query;
-	
+
 	query = this->db->query(this->db,
 			"SELECT id, alias, keyid FROM peer WHERE user = ? ORDER BY alias",
 			DB_UINT, this->user->get_user(this->user),
 			DB_UINT, DB_TEXT, DB_BLOB);
-	
+
 	if (query)
 	{
 		u_int id;
 		char *alias;
 		chunk_t keyid;
 		identification_t *identifier;
-	
+
 		while (query->enumerate(query, &id, &alias, &keyid))
 		{
 			request->setf(request, "peers.%d.alias=%s", id, alias);
@@ -89,7 +89,7 @@ static bool verify_alias(private_peer_controller_t *this, request_t *request,
 	if (!alias || *alias == '\0')
 	{
 		request->setf(request, "error=Alias is missing.");
-		return FALSE;	
+		return FALSE;
 	}
 	while (*alias != '\0')
 	{
@@ -121,27 +121,31 @@ static bool parse_public_key(private_peer_controller_t *this,
 							 chunk_t *encoding, chunk_t *keyid)
 {
 	public_key_t *public;
-	identification_t *id;
-		
+	chunk_t blob, id;
+
 	if (!public_key || *public_key == '\0')
 	{
 		request->setf(request, "error=Public key is missing.");
 		return FALSE;
 	}
+	blob = chunk_clone(chunk_create(public_key, strlen(public_key)));
 	public = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ANY,
-								BUILD_BLOB_ASN1_PEM, public_key,
+								BUILD_BLOB_PEM, blob,
 								BUILD_END);
+	chunk_free(&blob);
 	if (!public)
 	{
 		request->setf(request, "error=Parsing public key failed.");
 		return FALSE;
 	}
 	/* TODO: use get_encoding() with an encoding type */
-	*encoding = asn1_wrap(ASN1_SEQUENCE, "cm",
-						  asn1_algorithmIdentifier(OID_RSA_ENCRYPTION),
-						  asn1_bitstring("m", public->get_encoding(public)));
-	id = public->get_id(public, ID_PUBKEY_SHA1);
-	*keyid = chunk_clone(id->get_encoding(id));
+	if (!public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1, &id) ||
+		!public->get_encoding(public, KEY_PUB_SPKI_ASN1_DER, encoding))
+	{
+		request->setf(request, "error=Encoding public key failed.");
+		return FALSE;
+	}
+	*keyid = chunk_clone(id);
 	public->destroy(public);
 	return TRUE;
 }
@@ -152,7 +156,7 @@ static bool parse_public_key(private_peer_controller_t *this,
 static void add(private_peer_controller_t *this, request_t *request)
 {
 	char *alias = "", *public_key = "";
-	
+
 	if (request->get_query_data(request, "back"))
 	{
 		return request->redirect(request, "peer/list");
@@ -160,10 +164,10 @@ static void add(private_peer_controller_t *this, request_t *request)
 	while (request->get_query_data(request, "add"))
 	{
 		chunk_t encoding, keyid;
-	
+
 		alias = request->get_query_data(request, "alias");
 		public_key = request->get_query_data(request, "public_key");
-		
+
 		if (!verify_alias(this, request, alias))
 		{
 			break;
@@ -190,7 +194,7 @@ static void add(private_peer_controller_t *this, request_t *request)
 	}
 	request->set(request, "alias", alias);
 	request->set(request, "public_key", public_key);
-	
+
 	return request->render(request, "templates/peer/add.cs");
 }
 
@@ -205,7 +209,7 @@ char* pem_encode(chunk_t der)
 	char *pem;
 	chunk_t base64;
 	int i = 0;
-	
+
 	base64 = chunk_to_base64(der, NULL);
 	len = strlen(begin) + base64.len + base64.len/64 + strlen(end) + 2;
 	pem = malloc(len + 1);
@@ -219,7 +223,7 @@ char* pem_encode(chunk_t der)
 	}
 	while (i < base64.len - 2);
 	strcat(pem, end);
-	
+
 	free(base64.ptr);
 	return pem;
 }
@@ -231,7 +235,7 @@ static void edit(private_peer_controller_t *this, request_t *request, int id)
 {
 	char *alias = "", *public_key = "", *pem;
 	chunk_t encoding, keyid;
-	
+
 	if (request->get_query_data(request, "back"))
 	{
 		return request->redirect(request, "peer/list");
@@ -249,7 +253,7 @@ static void edit(private_peer_controller_t *this, request_t *request, int id)
 		{
 			alias = request->get_query_data(request, "alias");
 			public_key = request->get_query_data(request, "public_key");
-		
+
 			if (!verify_alias(this, request, alias))
 			{
 				break;
@@ -329,7 +333,7 @@ static void handle(private_peer_controller_t *this, request_t *request,
 		{
 			id = atoi(idstr);
 		}
-		
+
 		if (streq(action, "list"))
 		{
 			return list(this, request);
diff --git a/src/medsrv/controller/user_controller.c b/src/medsrv/controller/user_controller.c
index bc4717e32..0f25799d8 100755
--- a/src/medsrv/controller/user_controller.c
+++ b/src/medsrv/controller/user_controller.c
@@ -37,12 +37,12 @@ struct private_user_controller_t {
 	 * database connection
 	 */
 	database_t *db;
-	
+
 	/**
 	 * user session
 	 */
 	user_t *user;
-	
+
 	/**
 	 * minimum required password lenght
 	 */
@@ -56,7 +56,7 @@ static chunk_t hash_password(char *login, char *password)
 {
 	hasher_t *hasher;
 	chunk_t hash, data;
-	
+
 	hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
 	if (!hasher)
 	{
@@ -77,16 +77,16 @@ static void login(private_user_controller_t *this, request_t *request)
 	if (request->get_query_data(request, "submit"))
 	{
 		char *login, *password;
-		
+
 		login = request->get_query_data(request, "login");
 		password = request->get_query_data(request, "password");
-		
+
 		if (login && password)
 		{
 			enumerator_t *query;
 			u_int id = 0;
 			chunk_t hash;
-			
+
 			hash = hash_password(login, password);
 			query = this->db->query(this->db,
 						"SELECT id FROM user WHERE login = ? AND password = ?",
@@ -126,7 +126,7 @@ static bool verify_login(private_user_controller_t *this, request_t *request,
 	if (!login || *login == '\0')
 	{
 		request->setf(request, "error=Username is missing.");
-		return FALSE;	
+		return FALSE;
 	}
 	while (*login != '\0')
 	{
@@ -190,13 +190,13 @@ static void add(private_user_controller_t *this, request_t *request)
 		login = request->get_query_data(request, "new_login");
 		password = request->get_query_data(request, "new_password");
 		confirm = request->get_query_data(request, "confirm_password");
-		
+
 		if (!verify_login(this, request, login) ||
 			!verify_password(this, request, password, confirm))
 		{
 			break;
 		}
-		
+
 		hash = hash_password(login, password);
 		if (!hash.ptr || this->db->execute(this->db, &id,
 							"INSERT INTO user (login, password) VALUES (?, ?)",
@@ -222,7 +222,7 @@ static void edit(private_user_controller_t *this, request_t *request)
 {
 	enumerator_t *query;
 	char *old_login;
-	
+
 	/* lookup old login */
 	query = this->db->query(this->db, "SELECT login FROM user WHERE id = ?",
 							DB_INT, this->user->get_user(this->user),
@@ -256,12 +256,12 @@ static void edit(private_user_controller_t *this, request_t *request)
 	{
 		char *new_login, *old_pass, *new_pass, *confirm;
 		chunk_t old_hash, new_hash;
-		
+
 		new_login = request->get_query_data(request, "old_login");
 		old_pass = request->get_query_data(request, "old_password");
 		new_pass = request->get_query_data(request, "new_password");
 		confirm = request->get_query_data(request, "confirm_password");
-		
+
 		if (!verify_login(this, request, new_login) ||
 			!verify_password(this, request, new_pass, confirm))
 		{
@@ -270,7 +270,7 @@ static void edit(private_user_controller_t *this, request_t *request)
 		}
 		old_hash = hash_password(old_login, old_pass);
 		new_hash = hash_password(new_login, new_pass);
-		
+
 		if (this->db->execute(this->db, NULL,
 			"UPDATE user SET login = ?, password = ? "
 			"WHERE id = ? AND password = ?",
diff --git a/src/medsrv/filter/auth_filter.c b/src/medsrv/filter/auth_filter.c
index 76114a347..9ed356042 100755
--- a/src/medsrv/filter/auth_filter.c
+++ b/src/medsrv/filter/auth_filter.c
@@ -33,7 +33,7 @@ struct private_auth_filter_t {
 	 * user session
 	 */
 	user_t *user;
-	
+
 	/**
 	 * database connection
 	 */
@@ -50,7 +50,7 @@ static bool run(private_auth_filter_t *this, request_t *request,
 	{
 		enumerator_t *query;
 		char *login;
-	
+
 		query = this->db->query(this->db, "SELECT login FROM user WHERE id = ?",
 								DB_INT, this->user->get_user(this->user),
 								DB_TEXT);
diff --git a/src/medsrv/main.c b/src/medsrv/main.c
index 20dec9d37..1f43a7e17 100644
--- a/src/medsrv/main.c
+++ b/src/medsrv/main.c
@@ -32,11 +32,14 @@ int main(int arc, char *argv[])
 	bool debug;
 	char *uri;
 	int timeout, threads;
-	
-	library_init(STRONGSWAN_CONF);
-	lib->plugins->load(lib->plugins, IPSEC_PLUGINDIR,
-	    lib->settings->get_str(lib->settings, "medsrv.load", PLUGINS));
-	
+
+	library_init(NULL);
+	if (!lib->plugins->load(lib->plugins, NULL,
+			lib->settings->get_str(lib->settings, "medsrv.load", PLUGINS)))
+	{
+		return 1;
+	}
+
 	socket = lib->settings->get_str(lib->settings, "medsrv.socket", NULL);
 	debug = lib->settings->get_bool(lib->settings, "medsrv.debug", FALSE);
 	timeout = lib->settings->get_time(lib->settings, "medsrv.timeout", 900);
@@ -47,14 +50,14 @@ int main(int arc, char *argv[])
 		fprintf(stderr, "database URI medsrv.database not defined.\n");
 		return 1;
 	}
-	
+
 	db = lib->db->create(lib->db, uri);
 	if (db == NULL)
 	{
 		fprintf(stderr, "opening database failed.\n");
 		return 1;
 	}
-	
+
 	dispatcher = dispatcher_create(socket, debug, timeout,
 								   (context_constructor_t)user_create, db);
 	dispatcher->add_filter(dispatcher,
@@ -63,13 +66,13 @@ int main(int arc, char *argv[])
 						(controller_constructor_t)user_controller_create, db);
 	dispatcher->add_controller(dispatcher,
 						(controller_constructor_t)peer_controller_create, db);
-	
+
 	dispatcher->run(dispatcher, threads);
-	
+
 	dispatcher->waitsignal(dispatcher);
 	dispatcher->destroy(dispatcher);
 	db->destroy(db);
-	
+
 	library_deinit();
 	return 0;
 }
diff --git a/src/medsrv/user.h b/src/medsrv/user.h
index 2d1c738ca..f14650f03 100644
--- a/src/medsrv/user.h
+++ b/src/medsrv/user.h
@@ -25,17 +25,17 @@ typedef struct user_t user_t;
  * Per session context. Contains user user state and data.
  */
 struct user_t {
-	
+
 	/**
 	 * implements context_t interface
 	 */
 	context_t context;
-	
+
 	/**
 	 * Set the user ID of the logged in user.
 	 */
 	void (*set_user)(user_t *this, u_int id);
-	
+
 	/**
 	 * Get the user ID of the logged in user.
 	 */
diff --git a/src/openac/Makefile.am b/src/openac/Makefile.am
index 005486779..ca6238258 100644
--- a/src/openac/Makefile.am
+++ b/src/openac/Makefile.am
@@ -4,9 +4,7 @@ dist_man_MANS = openac.8
 
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
 AM_CFLAGS = \
-  -DIPSEC_CONFDIR=\"${confdir}\" \
-  -DSTRONGSWAN_CONF=\"${strongswan_conf}\" \
-  -DIPSEC_PLUGINDIR=\"${plugindir}\" \
+  -DIPSEC_CONFDIR=\"${sysconfdir}\" \
   -DPLUGINS=\""${libstrongswan_plugins}\""
-openac_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -lgmp
+openac_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 
diff --git a/src/openac/Makefile.in b/src/openac/Makefile.in
index d8d590eb2..08f621395 100644
--- a/src/openac/Makefile.in
+++ b/src/openac/Makefile.in
@@ -1,8 +1,9 @@
-# Makefile.in generated by automake 1.10.2 from Makefile.am.
+# Makefile.in generated by automake 1.11 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,8 +17,9 @@
 
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
@@ -37,13 +39,20 @@ subdir = src/openac
 DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.am \
 	$(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
 CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
 am__installdirs = "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man8dir)"
-ipsecPROGRAMS_INSTALL = $(INSTALL_PROGRAM)
 PROGRAMS = $(ipsec_PROGRAMS)
 am_openac_OBJECTS = openac.$(OBJEXT)
 openac_OBJECTS = $(am_openac_OBJECTS)
@@ -52,6 +61,7 @@ openac_DEPENDENCIES =  \
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
+am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
@@ -63,6 +73,27 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(openac_SOURCES)
 DIST_SOURCES = $(openac_SOURCES)
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 man8dir = $(mandir)/man8
 NROFF = nroff
 MANS = $(dist_man_MANS)
@@ -102,25 +133,22 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
-IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
-LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
-LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
-LINUX_HEADERS = @LINUX_HEADERS@
 LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
 NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
@@ -132,11 +160,14 @@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
 PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
+RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
@@ -165,9 +196,9 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
-confdir = @confdir@
 datadir = @datadir@
 datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
@@ -190,7 +221,7 @@ ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
 libstrongswan_plugins = @libstrongswan_plugins@
-linuxdir = @linuxdir@
+linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
@@ -198,6 +229,7 @@ mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
@@ -206,10 +238,12 @@ pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+random_device = @random_device@
 resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
-simreader = @simreader@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
@@ -217,18 +251,17 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 openac_SOURCES = openac.c
 dist_man_MANS = openac.8
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
 AM_CFLAGS = \
-  -DIPSEC_CONFDIR=\"${confdir}\" \
-  -DSTRONGSWAN_CONF=\"${strongswan_conf}\" \
-  -DIPSEC_PLUGINDIR=\"${plugindir}\" \
+  -DIPSEC_CONFDIR=\"${sysconfdir}\" \
   -DPLUGINS=\""${libstrongswan_plugins}\""
 
-openac_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -lgmp
+openac_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 all: all-am
 
 .SUFFIXES:
@@ -242,9 +275,9 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/openac/Makefile'; \
-	cd $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu  src/openac/Makefile
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/openac/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/openac/Makefile
 .PRECIOUS: Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
@@ -262,34 +295,50 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
 install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
 	@$(NORMAL_INSTALL)
 	test -z "$(ipsecdir)" || $(MKDIR_P) "$(DESTDIR)$(ipsecdir)"
-	@list='$(ipsec_PROGRAMS)'; for p in $$list; do \
-	  p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
-	  if test -f $$p \
-	     || test -f $$p1 \
-	  ; then \
-	    f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \
-	   echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(ipsecPROGRAMS_INSTALL) '$$p' '$(DESTDIR)$(ipsecdir)/$$f'"; \
-	   $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(ipsecPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(ipsecdir)/$$f" || exit 1; \
-	  else :; fi; \
-	done
+	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
+	for p in $$list; do echo "$$p $$p"; done | \
+	sed 's/$(EXEEXT)$$//' | \
+	while read p p1; do if test -f $$p || test -f $$p1; \
+	  then echo "$$p"; echo "$$p"; else :; fi; \
+	done | \
+	sed -e 'p;s,.*/,,;n;h' -e 's|.*|.|' \
+	    -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \
+	sed 'N;N;N;s,\n, ,g' | \
+	$(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \
+	  { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \
+	    if ($$2 == $$4) files[d] = files[d] " " $$1; \
+	    else { print "f", $$3 "/" $$4, $$1; } } \
+	  END { for (d in files) print "f", d, files[d] }' | \
+	while read type dir files; do \
+	    if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \
+	    test -z "$$files" || { \
+	    echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(ipsecdir)$$dir'"; \
+	    $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(ipsecdir)$$dir" || exit $$?; \
+	    } \
+	; done
 
 uninstall-ipsecPROGRAMS:
 	@$(NORMAL_UNINSTALL)
-	@list='$(ipsec_PROGRAMS)'; for p in $$list; do \
-	  f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \
-	  echo " rm -f '$(DESTDIR)$(ipsecdir)/$$f'"; \
-	  rm -f "$(DESTDIR)$(ipsecdir)/$$f"; \
-	done
+	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
+	files=`for p in $$list; do echo "$$p"; done | \
+	  sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \
+	      -e 's/$$/$(EXEEXT)/' `; \
+	test -n "$$list" || exit 0; \
+	echo " ( cd '$(DESTDIR)$(ipsecdir)' && rm -f" $$files ")"; \
+	cd "$(DESTDIR)$(ipsecdir)" && rm -f $$files
 
 clean-ipsecPROGRAMS:
-	@list='$(ipsec_PROGRAMS)'; for p in $$list; do \
-	  f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
-	  echo " rm -f $$p $$f"; \
-	  rm -f $$p $$f ; \
-	done
+	@list='$(ipsec_PROGRAMS)'; test -n "$$list" || exit 0; \
+	echo " rm -f" $$list; \
+	rm -f $$list || exit $$?; \
+	test -n "$(EXEEXT)" || exit 0; \
+	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
+	echo " rm -f" $$list; \
+	rm -f $$list
 openac$(EXEEXT): $(openac_OBJECTS) $(openac_DEPENDENCIES) 
 	@rm -f openac$(EXEEXT)
 	$(LINK) $(openac_OBJECTS) $(openac_LDADD) $(LIBS)
@@ -304,21 +353,21 @@ distclean-compile:
 
 .c.o:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c $<
 
 .c.obj:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
 @am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
@@ -328,51 +377,44 @@ mostlyclean-libtool:
 
 clean-libtool:
 	-rm -rf .libs _libs
-install-man8: $(man8_MANS) $(man_MANS)
+install-man8: $(dist_man_MANS)
 	@$(NORMAL_INSTALL)
 	test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)"
-	@list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \
-	l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
-	for i in $$l2; do \
-	  case "$$i" in \
-	    *.8*) list="$$list $$i" ;; \
-	  esac; \
+	@list=''; test -n "$(man8dir)" || exit 0; \
+	{ for i in $$list; do echo "$$i"; done; \
+	l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \
+	  sed -n '/\.8[a-z]*$$/p'; \
+	} | while read p; do \
+	  if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
+	  echo "$$d$$p"; echo "$$p"; \
+	done | \
+	sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \
+	      -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \
+	sed 'N;N;s,\n, ,g' | { \
+	list=; while read file base inst; do \
+	  if test "$$base" = "$$inst"; then list="$$list $$file"; else \
+	    echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \
+	    $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst" || exit $$?; \
+	  fi; \
 	done; \
-	for i in $$list; do \
-	  if test -f $$i; then file=$$i; \
-	  else file=$(srcdir)/$$i; fi; \
-	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
-	  case "$$ext" in \
-	    8*) ;; \
-	    *) ext='8' ;; \
-	  esac; \
-	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
-	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
-	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
-	  echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \
-	  $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst"; \
-	done
+	for i in $$list; do echo "$$i"; done | $(am__base_list) | \
+	while read files; do \
+	  test -z "$$files" || { \
+	    echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man8dir)'"; \
+	    $(INSTALL_DATA) $$files "$(DESTDIR)$(man8dir)" || exit $$?; }; \
+	done; }
+
 uninstall-man8:
 	@$(NORMAL_UNINSTALL)
-	@list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \
-	l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
-	for i in $$l2; do \
-	  case "$$i" in \
-	    *.8*) list="$$list $$i" ;; \
-	  esac; \
-	done; \
-	for i in $$list; do \
-	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
-	  case "$$ext" in \
-	    8*) ;; \
-	    *) ext='8' ;; \
-	  esac; \
-	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
-	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
-	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
-	  echo " rm -f '$(DESTDIR)$(man8dir)/$$inst'"; \
-	  rm -f "$(DESTDIR)$(man8dir)/$$inst"; \
-	done
+	@list=''; test -n "$(man8dir)" || exit 0; \
+	files=`{ for i in $$list; do echo "$$i"; done; \
+	l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \
+	  sed -n '/\.8[a-z]*$$/p'; \
+	} | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \
+	      -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
+	test -z "$$files" || { \
+	  echo " ( cd '$(DESTDIR)$(man8dir)' && rm -f" $$files ")"; \
+	  cd "$(DESTDIR)$(man8dir)" && rm -f $$files; }
 
 ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
@@ -386,7 +428,7 @@ tags: TAGS
 
 TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
+	set x; \
 	here=`pwd`; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
@@ -394,34 +436,52 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
 	  test -n "$$unique" || unique=$$empty_fix; \
-	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	    $$tags $$unique; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
 	fi
 ctags: CTAGS
 CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	test -z "$(CTAGS_ARGS)$$unique" \
 	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$tags $$unique
+	     $$unique
 
 GTAGS:
 	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && cd $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) $$here
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
 
 distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
 
 distdir: $(DISTFILES)
+	@list='$(MANS)'; if test -n "$$list"; then \
+	  list=`for p in $$list; do \
+	    if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
+	    if test -f "$$d$$p"; then echo "$$d$$p"; else :; fi; done`; \
+	  if test -n "$$list" && \
+	    grep 'ab help2man is required to generate this page' $$list >/dev/null; then \
+	    echo "error: found man pages containing the \`missing help2man' replacement text:" >&2; \
+	    grep -l 'ab help2man is required to generate this page' $$list | sed 's/^/         /' >&2; \
+	    echo "       to fix them, install help2man, remove and regenerate the man pages;" >&2; \
+	    echo "       typically \`make maintainer-clean' will remove them" >&2; \
+	    exit 1; \
+	  else :; fi; \
+	else :; fi
 	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
 	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
 	list='$(DISTFILES)'; \
@@ -437,13 +497,17 @@ distdir: $(DISTFILES)
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
 	  if test -d $$d/$$file; then \
 	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
 	    fi; \
-	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
 	  else \
-	    test -f $(distdir)/$$file \
-	    || cp -p $$d/$$file $(distdir)/$$file \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
 	    || exit 1; \
 	  fi; \
 	done
@@ -474,6 +538,7 @@ clean-generic:
 
 distclean-generic:
 	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -495,6 +560,8 @@ dvi-am:
 
 html: html-am
 
+html-am:
+
 info: info-am
 
 info-am:
@@ -503,18 +570,28 @@ install-data-am: install-ipsecPROGRAMS install-man
 
 install-dvi: install-dvi-am
 
+install-dvi-am:
+
 install-exec-am:
 
 install-html: install-html-am
 
+install-html-am:
+
 install-info: install-info-am
 
+install-info-am:
+
 install-man: install-man8
 
 install-pdf: install-pdf-am
 
+install-pdf-am:
+
 install-ps: install-ps-am
 
+install-ps-am:
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -556,6 +633,7 @@ uninstall-man: uninstall-man8
 	tags uninstall uninstall-am uninstall-ipsecPROGRAMS \
 	uninstall-man uninstall-man8
 
+
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/src/openac/openac.c b/src/openac/openac.c
index a8f75e093..2b9270ff9 100755
--- a/src/openac/openac.c
+++ b/src/openac/openac.c
@@ -1,8 +1,8 @@
 /**
  * @file openac.c
- * 
+ *
  * @brief Generation of X.509 attribute certificates.
- * 
+ *
  */
 
 /*
@@ -29,12 +29,10 @@
 #include <getopt.h>
 #include <ctype.h>
 #include <time.h>
-#include <gmp.h>
 
 #include <library.h>
 #include <debug.h>
 #include <asn1/asn1.h>
-#include <asn1/pem.h>
 #include <credentials/certificates/x509.h>
 #include <credentials/certificates/ac.h>
 #include <credentials/keys/private_key.h>
@@ -79,55 +77,29 @@ static void usage(const char *message)
 	);
 }
 
-
-/**
- * convert a chunk into a multi-precision integer
- */
-static void chunk_to_mpz(chunk_t chunk, mpz_t number)
-{
-	mpz_import(number, chunk.len, 1, 1, 1, 0, chunk.ptr);
-}
-
-/**
- * convert a multi-precision integer into a chunk
- */
-static chunk_t mpz_to_chunk(mpz_t number)
-{
-	chunk_t chunk;
-
-	chunk.len = 1 + mpz_sizeinbase(number, 2)/BITS_PER_BYTE;
-	chunk.ptr = mpz_export(NULL, NULL, 1, chunk.len, 1, 0, number);
-	if (chunk.ptr == NULL)
-	{
-		chunk.len = 0;
-	}
-	return chunk;
-}
-
 /**
  * read the last serial number from file
  */
 static chunk_t read_serial(void)
 {
-	mpz_t number;
-
-	char buf[BUF_LEN], buf1[BUF_LEN];
-	chunk_t hex_serial  = { buf, BUF_LEN };
-	chunk_t last_serial = { buf1, BUF_LEN };
-	chunk_t serial;
-
-	FILE *fd = fopen(OPENAC_SERIAL, "r");
-
-	/* last serial number defaults to 0 */
-	*last_serial.ptr = 0x00;
-	last_serial.len = 1;
+	chunk_t hex, serial = chunk_empty;
+	char one[] = {0x01};
+	FILE *fd;
 
+	fd = fopen(OPENAC_SERIAL, "r");
 	if (fd)
 	{
-		if (fscanf(fd, "%s", hex_serial.ptr))
+		hex = chunk_alloca(64);
+		hex.len = fread(hex.ptr, 1, hex.len, fd);
+		if (hex.len)
 		{
-			hex_serial.len = strlen(hex_serial.ptr);
-			last_serial = chunk_from_hex(hex_serial, last_serial.ptr);
+			/* remove any terminating newline character */
+			if (hex.ptr[hex.len-1] == '\n')
+			{
+				hex.len--;
+			}
+			serial = chunk_alloca((hex.len / 2) + (hex.len % 2));
+			serial = chunk_from_hex(hex, serial.ptr);
 		}
 		fclose(fd);
 	}
@@ -135,19 +107,15 @@ static chunk_t read_serial(void)
 	{
 		DBG1("  file '%s' does not exist yet - serial number set to 01", OPENAC_SERIAL);
 	}
-
-	/**
-	 * conversion of read serial number to a multiprecision integer
-	 * and incrementing it by one
-	 * and representing it as a two's complement octet string
-	 */
-	mpz_init(number);
-	chunk_to_mpz(last_serial, number);
-	mpz_add_ui(number, number, 0x01);
-	serial = mpz_to_chunk(number);
-	mpz_clear(number);
-
-	return serial;
+	if (!serial.len)
+	{
+		return chunk_clone(chunk_create(one, 1));
+	}
+	if (chunk_increment(serial))
+	{	/* overflow, prepend 0x01 */
+		return chunk_cat("cc", chunk_create(one, 1), serial);
+	}
+	return chunk_clone(serial);
 }
 
 /**
@@ -173,32 +141,6 @@ static void write_serial(chunk_t serial)
 	}
 }
 
-/**
- * Load and parse a private key file
- */
-static private_key_t* private_key_create_from_file(char *path, chunk_t *secret)
-{
-	bool pgp = FALSE;
-	chunk_t chunk = chunk_empty;
-	private_key_t *key = NULL;
-
-	if (!pem_asn1_load_file(path, secret, &chunk, &pgp))
-	{
-		DBG1("  could not load private key file '%s'", path);
-		return NULL;
-	}
-	key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
-							 BUILD_BLOB_ASN1_DER, chunk, BUILD_END);
-	free(chunk.ptr);
-	if (key == NULL)
-	{
-		DBG1("  could not parse loaded private key file '%s'", path);
-		return NULL;
-	}
-	DBG1("  loaded private key file '%s'", path);
-	return key;
-}
-
 /**
  * global variables accessible by both main() and build.c
  */
@@ -215,7 +157,7 @@ static void openac_dbg(int level, char *fmt, ...)
 	char buffer[8192];
 	char *current = buffer, *next;
 	va_list args;
-	
+
 	if (level <= debug_level)
 	{
 		if (!stderr_quiet)
@@ -274,7 +216,7 @@ int main(int argc, char **argv)
 	chunk_t attr_chunk = chunk_empty;
 
 	int status = 1;
-	
+
 	/* enable openac debugging hook */
 	dbg = openac_dbg;
 
@@ -283,20 +225,22 @@ int main(int argc, char **argv)
 	openlog("openac", 0, LOG_AUTHPRIV);
 
 	/* initialize library */
-	if (!library_init(STRONGSWAN_CONF))
+	atexit(library_deinit);
+	if (!library_init(NULL))
 	{
-		library_deinit();
 		exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
 	}
 	if (lib->integrity &&
 		!lib->integrity->check_file(lib->integrity, "openac", argv[0]))
 	{
 		fprintf(stderr, "integrity check of openac failed\n");
-		library_deinit();
 		exit(SS_RC_DAEMON_INTEGRITY);
 	}
-	lib->plugins->load(lib->plugins, IPSEC_PLUGINDIR, 
-		lib->settings->get_str(lib->settings, "openac.load", PLUGINS));
+	if (!lib->plugins->load(lib->plugins, NULL,
+			lib->settings->get_str(lib->settings, "openac.load", PLUGINS)))
+	{
+		exit(SS_RC_INITIALIZATION_FAILED);
+	}
 
 	/* initialize optionsfrom */
 	options_t *options = options_create();
@@ -323,7 +267,7 @@ int main(int argc, char **argv)
 			{ "debug", required_argument, NULL, 'd' },
 			{ 0,0,0,0 }
 		};
-	
+
 		int c = getopt_long(argc, argv, "hv+:qc:k:p;u:g:D:H:S:E:o:d:", long_opts, NULL);
 
 		/* Note: "breaking" from case terminates loop */
@@ -333,7 +277,7 @@ int main(int argc, char **argv)
 				break;
 
 			case 0: /* long option already handled */
-		 		continue;
+				continue;
 
 			case ':':	/* diagnostic already printed by getopt_long */
 			case '?':	/* diagnostic already printed by getopt_long */
@@ -353,18 +297,18 @@ int main(int argc, char **argv)
 
 					if (*optarg == '/')	/* absolute pathname */
 					{
-		    			strncpy(path, optarg, BUF_LEN);
+						strncpy(path, optarg, BUF_LEN);
 					}
 					else			/* relative pathname */
 					{
-		    			snprintf(path, BUF_LEN, "%s/%s", OPENAC_PATH, optarg);
+						snprintf(path, BUF_LEN, "%s/%s", OPENAC_PATH, optarg);
 					}
 					if (!options->from(options, path, &argc, &argv, optind))
 					{
 						status = 1;
 						goto end;
 					}
-		 		}
+				}
 				continue;
 
 			case 'q':	/* --quiet */
@@ -492,12 +436,15 @@ int main(int argc, char **argv)
 	/* load the signer's RSA private key */
 	if (keyfile != NULL)
 	{
-		signerKey = private_key_create_from_file(keyfile, &passphrase);
-
+		signerKey = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+									   BUILD_FROM_FILE, keyfile,
+									   BUILD_PASSPHRASE, passphrase,
+									   BUILD_END);
 		if (signerKey == NULL)
 		{
 			goto end;
 		}
+		DBG1("  loaded private key file '%s'", keyfile);
 	}
 
 	/* load the signer's X.509 certificate */
@@ -506,7 +453,6 @@ int main(int argc, char **argv)
 		signerCert = lib->creds->create(lib->creds,
 										CRED_CERTIFICATE, CERT_X509,
 										BUILD_FROM_FILE, certfile,
-										BUILD_X509_FLAG, 0,
 										BUILD_END);
 		if (signerCert == NULL)
 		{
@@ -520,7 +466,6 @@ int main(int argc, char **argv)
 		userCert = lib->creds->create(lib->creds,
 									  CRED_CERTIFICATE, CERT_X509,
 									  BUILD_FROM_FILE, usercertfile,
-									  BUILD_X509_FLAG, 0,
 									  BUILD_END);
 		if (userCert == NULL)
 		{
@@ -553,7 +498,7 @@ int main(int argc, char **argv)
 		{
 			goto end;
 		}
-	
+
 		/* write the attribute certificate to file */
 		attr_chunk = attr_cert->get_encoding(attr_cert);
 		if (chunk_write(attr_chunk, outfile, "attribute cert", 0022, TRUE))
@@ -579,6 +524,5 @@ end:
 	closelog();
 	dbg = dbg_default;
 	options->destroy(options);
-	library_deinit();
 	exit(status);
 }
diff --git a/src/pki/Makefile.am b/src/pki/Makefile.am
new file mode 100644
index 000000000..a471b6477
--- /dev/null
+++ b/src/pki/Makefile.am
@@ -0,0 +1,15 @@
+ipsec_PROGRAMS = pki
+
+pki_SOURCES = pki.c pki.h command.c command.h \
+	commands/gen.c \
+	commands/issue.c \
+	commands/keyid.c \
+	commands/pub.c \
+	commands/req.c \
+	commands/self.c \
+	commands/verify.c 
+
+pki_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+AM_CFLAGS = \
+	-DPLUGINS=\""${libstrongswan_plugins}\""
diff --git a/src/pki/Makefile.in b/src/pki/Makefile.in
new file mode 100644
index 000000000..1261d7fa8
--- /dev/null
+++ b/src/pki/Makefile.in
@@ -0,0 +1,673 @@
+# Makefile.in generated by automake 1.11 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+ipsec_PROGRAMS = pki$(EXEEXT)
+subdir = src/pki
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__installdirs = "$(DESTDIR)$(ipsecdir)"
+PROGRAMS = $(ipsec_PROGRAMS)
+am_pki_OBJECTS = pki.$(OBJEXT) command.$(OBJEXT) gen.$(OBJEXT) \
+	issue.$(OBJEXT) keyid.$(OBJEXT) pub.$(OBJEXT) req.$(OBJEXT) \
+	self.$(OBJEXT) verify.$(OBJEXT)
+pki_OBJECTS = $(am_pki_OBJECTS)
+pki_DEPENDENCIES = $(top_builddir)/src/libstrongswan/libstrongswan.la
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(pki_SOURCES)
+DIST_SOURCES = $(pki_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libstrongswan_plugins = @libstrongswan_plugins@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+pki_SOURCES = pki.c pki.h command.c command.h \
+	commands/gen.c \
+	commands/issue.c \
+	commands/keyid.c \
+	commands/pub.c \
+	commands/req.c \
+	commands/self.c \
+	commands/verify.c 
+
+pki_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+AM_CFLAGS = \
+	-DPLUGINS=\""${libstrongswan_plugins}\""
+
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/pki/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/pki/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	test -z "$(ipsecdir)" || $(MKDIR_P) "$(DESTDIR)$(ipsecdir)"
+	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
+	for p in $$list; do echo "$$p $$p"; done | \
+	sed 's/$(EXEEXT)$$//' | \
+	while read p p1; do if test -f $$p || test -f $$p1; \
+	  then echo "$$p"; echo "$$p"; else :; fi; \
+	done | \
+	sed -e 'p;s,.*/,,;n;h' -e 's|.*|.|' \
+	    -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \
+	sed 'N;N;N;s,\n, ,g' | \
+	$(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \
+	  { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \
+	    if ($$2 == $$4) files[d] = files[d] " " $$1; \
+	    else { print "f", $$3 "/" $$4, $$1; } } \
+	  END { for (d in files) print "f", d, files[d] }' | \
+	while read type dir files; do \
+	    if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \
+	    test -z "$$files" || { \
+	    echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(ipsecdir)$$dir'"; \
+	    $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(ipsecdir)$$dir" || exit $$?; \
+	    } \
+	; done
+
+uninstall-ipsecPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
+	files=`for p in $$list; do echo "$$p"; done | \
+	  sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \
+	      -e 's/$$/$(EXEEXT)/' `; \
+	test -n "$$list" || exit 0; \
+	echo " ( cd '$(DESTDIR)$(ipsecdir)' && rm -f" $$files ")"; \
+	cd "$(DESTDIR)$(ipsecdir)" && rm -f $$files
+
+clean-ipsecPROGRAMS:
+	@list='$(ipsec_PROGRAMS)'; test -n "$$list" || exit 0; \
+	echo " rm -f" $$list; \
+	rm -f $$list || exit $$?; \
+	test -n "$(EXEEXT)" || exit 0; \
+	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
+	echo " rm -f" $$list; \
+	rm -f $$list
+pki$(EXEEXT): $(pki_OBJECTS) $(pki_DEPENDENCIES) 
+	@rm -f pki$(EXEEXT)
+	$(LINK) $(pki_OBJECTS) $(pki_LDADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/command.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/gen.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/issue.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/keyid.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pki.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pub.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/req.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/self.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/verify.Po@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+gen.o: commands/gen.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT gen.o -MD -MP -MF $(DEPDIR)/gen.Tpo -c -o gen.o `test -f 'commands/gen.c' || echo '$(srcdir)/'`commands/gen.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/gen.Tpo $(DEPDIR)/gen.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='commands/gen.c' object='gen.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o gen.o `test -f 'commands/gen.c' || echo '$(srcdir)/'`commands/gen.c
+
+gen.obj: commands/gen.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT gen.obj -MD -MP -MF $(DEPDIR)/gen.Tpo -c -o gen.obj `if test -f 'commands/gen.c'; then $(CYGPATH_W) 'commands/gen.c'; else $(CYGPATH_W) '$(srcdir)/commands/gen.c'; fi`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/gen.Tpo $(DEPDIR)/gen.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='commands/gen.c' object='gen.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o gen.obj `if test -f 'commands/gen.c'; then $(CYGPATH_W) 'commands/gen.c'; else $(CYGPATH_W) '$(srcdir)/commands/gen.c'; fi`
+
+issue.o: commands/issue.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT issue.o -MD -MP -MF $(DEPDIR)/issue.Tpo -c -o issue.o `test -f 'commands/issue.c' || echo '$(srcdir)/'`commands/issue.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/issue.Tpo $(DEPDIR)/issue.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='commands/issue.c' object='issue.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o issue.o `test -f 'commands/issue.c' || echo '$(srcdir)/'`commands/issue.c
+
+issue.obj: commands/issue.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT issue.obj -MD -MP -MF $(DEPDIR)/issue.Tpo -c -o issue.obj `if test -f 'commands/issue.c'; then $(CYGPATH_W) 'commands/issue.c'; else $(CYGPATH_W) '$(srcdir)/commands/issue.c'; fi`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/issue.Tpo $(DEPDIR)/issue.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='commands/issue.c' object='issue.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o issue.obj `if test -f 'commands/issue.c'; then $(CYGPATH_W) 'commands/issue.c'; else $(CYGPATH_W) '$(srcdir)/commands/issue.c'; fi`
+
+keyid.o: commands/keyid.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT keyid.o -MD -MP -MF $(DEPDIR)/keyid.Tpo -c -o keyid.o `test -f 'commands/keyid.c' || echo '$(srcdir)/'`commands/keyid.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/keyid.Tpo $(DEPDIR)/keyid.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='commands/keyid.c' object='keyid.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o keyid.o `test -f 'commands/keyid.c' || echo '$(srcdir)/'`commands/keyid.c
+
+keyid.obj: commands/keyid.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT keyid.obj -MD -MP -MF $(DEPDIR)/keyid.Tpo -c -o keyid.obj `if test -f 'commands/keyid.c'; then $(CYGPATH_W) 'commands/keyid.c'; else $(CYGPATH_W) '$(srcdir)/commands/keyid.c'; fi`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/keyid.Tpo $(DEPDIR)/keyid.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='commands/keyid.c' object='keyid.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o keyid.obj `if test -f 'commands/keyid.c'; then $(CYGPATH_W) 'commands/keyid.c'; else $(CYGPATH_W) '$(srcdir)/commands/keyid.c'; fi`
+
+pub.o: commands/pub.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pub.o -MD -MP -MF $(DEPDIR)/pub.Tpo -c -o pub.o `test -f 'commands/pub.c' || echo '$(srcdir)/'`commands/pub.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/pub.Tpo $(DEPDIR)/pub.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='commands/pub.c' object='pub.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pub.o `test -f 'commands/pub.c' || echo '$(srcdir)/'`commands/pub.c
+
+pub.obj: commands/pub.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pub.obj -MD -MP -MF $(DEPDIR)/pub.Tpo -c -o pub.obj `if test -f 'commands/pub.c'; then $(CYGPATH_W) 'commands/pub.c'; else $(CYGPATH_W) '$(srcdir)/commands/pub.c'; fi`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/pub.Tpo $(DEPDIR)/pub.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='commands/pub.c' object='pub.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pub.obj `if test -f 'commands/pub.c'; then $(CYGPATH_W) 'commands/pub.c'; else $(CYGPATH_W) '$(srcdir)/commands/pub.c'; fi`
+
+req.o: commands/req.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT req.o -MD -MP -MF $(DEPDIR)/req.Tpo -c -o req.o `test -f 'commands/req.c' || echo '$(srcdir)/'`commands/req.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/req.Tpo $(DEPDIR)/req.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='commands/req.c' object='req.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o req.o `test -f 'commands/req.c' || echo '$(srcdir)/'`commands/req.c
+
+req.obj: commands/req.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT req.obj -MD -MP -MF $(DEPDIR)/req.Tpo -c -o req.obj `if test -f 'commands/req.c'; then $(CYGPATH_W) 'commands/req.c'; else $(CYGPATH_W) '$(srcdir)/commands/req.c'; fi`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/req.Tpo $(DEPDIR)/req.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='commands/req.c' object='req.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o req.obj `if test -f 'commands/req.c'; then $(CYGPATH_W) 'commands/req.c'; else $(CYGPATH_W) '$(srcdir)/commands/req.c'; fi`
+
+self.o: commands/self.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT self.o -MD -MP -MF $(DEPDIR)/self.Tpo -c -o self.o `test -f 'commands/self.c' || echo '$(srcdir)/'`commands/self.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/self.Tpo $(DEPDIR)/self.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='commands/self.c' object='self.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o self.o `test -f 'commands/self.c' || echo '$(srcdir)/'`commands/self.c
+
+self.obj: commands/self.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT self.obj -MD -MP -MF $(DEPDIR)/self.Tpo -c -o self.obj `if test -f 'commands/self.c'; then $(CYGPATH_W) 'commands/self.c'; else $(CYGPATH_W) '$(srcdir)/commands/self.c'; fi`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/self.Tpo $(DEPDIR)/self.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='commands/self.c' object='self.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o self.obj `if test -f 'commands/self.c'; then $(CYGPATH_W) 'commands/self.c'; else $(CYGPATH_W) '$(srcdir)/commands/self.c'; fi`
+
+verify.o: commands/verify.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT verify.o -MD -MP -MF $(DEPDIR)/verify.Tpo -c -o verify.o `test -f 'commands/verify.c' || echo '$(srcdir)/'`commands/verify.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/verify.Tpo $(DEPDIR)/verify.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='commands/verify.c' object='verify.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o verify.o `test -f 'commands/verify.c' || echo '$(srcdir)/'`commands/verify.c
+
+verify.obj: commands/verify.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT verify.obj -MD -MP -MF $(DEPDIR)/verify.Tpo -c -o verify.obj `if test -f 'commands/verify.c'; then $(CYGPATH_W) 'commands/verify.c'; else $(CYGPATH_W) '$(srcdir)/commands/verify.c'; fi`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/verify.Tpo $(DEPDIR)/verify.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='commands/verify.c' object='verify.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o verify.obj `if test -f 'commands/verify.c'; then $(CYGPATH_W) 'commands/verify.c'; else $(CYGPATH_W) '$(srcdir)/commands/verify.c'; fi`
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(PROGRAMS)
+installdirs:
+	for dir in "$(DESTDIR)$(ipsecdir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-ipsecPROGRAMS clean-libtool \
+	mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-ipsecPROGRAMS
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-ipsecPROGRAMS
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-ipsecPROGRAMS clean-libtool ctags distclean \
+	distclean-compile distclean-generic distclean-libtool \
+	distclean-tags distdir dvi dvi-am html html-am info info-am \
+	install install-am install-data install-data-am install-dvi \
+	install-dvi-am install-exec install-exec-am install-html \
+	install-html-am install-info install-info-am \
+	install-ipsecPROGRAMS install-man install-pdf install-pdf-am \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags uninstall uninstall-am uninstall-ipsecPROGRAMS
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/pki/command.c b/src/pki/command.c
new file mode 100644
index 000000000..8f53817f0
--- /dev/null
+++ b/src/pki/command.c
@@ -0,0 +1,256 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "command.h"
+#include "pki.h"
+
+#define _GNU_SOURCE
+#include <getopt.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdio.h>
+
+#include <library.h>
+#include <debug.h>
+#include <utils/optionsfrom.h>
+
+/**
+ * Registered commands.
+ */
+command_t cmds[MAX_COMMANDS];
+
+/**
+ * active command.
+ */
+static int active = 0;
+
+/**
+ * number of registered commands
+ */
+static int registered = 0;
+
+/**
+ * help command index
+ */
+static int help_idx;
+
+static int argc;
+
+static char **argv;
+
+static options_t *options;
+
+/**
+ * Global options used by all subcommands
+ */
+static struct option command_opts[MAX_COMMANDS > MAX_OPTIONS ?: MAX_OPTIONS];
+
+/**
+ * Global optstring used by all subcommands
+ */
+static char command_optstring[(MAX_COMMANDS > MAX_OPTIONS ?: MAX_OPTIONS) * 3];
+
+/**
+ * Build command_opts/command_optstr for the active command
+ */
+static void build_opts()
+{
+	int i, pos = 0;
+
+	memset(command_opts, 0, sizeof(command_opts));
+	memset(command_optstring, 0, sizeof(command_optstring));
+	if (active == help_idx)
+	{
+		for (i = 0; cmds[i].cmd; i++)
+		{
+			command_opts[i].name = cmds[i].cmd;
+			command_opts[i].val = cmds[i].op;
+			command_optstring[i] = cmds[i].op;
+		}
+	}
+	else
+	{
+		for (i = 0; cmds[active].options[i].name; i++)
+		{
+			command_opts[i].name = cmds[active].options[i].name;
+			command_opts[i].has_arg = cmds[active].options[i].arg;
+			command_opts[i].val = cmds[active].options[i].op;
+			command_optstring[pos++] = cmds[active].options[i].op;
+			switch (cmds[active].options[i].arg)
+			{
+				case optional_argument:
+					command_optstring[pos++] = ':';
+					/* FALL */
+				case required_argument:
+					command_optstring[pos++] = ':';
+					/* FALL */
+				case no_argument:
+				default:
+					break;
+			}
+		}
+	}
+}
+
+/**
+ * getopt_long wrapper
+ */
+int command_getopt(char **arg)
+{
+	int op;
+
+	while (TRUE)
+	{
+		op = getopt_long(argc, argv, command_optstring, command_opts, NULL);
+		switch (op)
+		{
+			case '+':
+				if (!options->from(options, optarg, &argc, &argv, optind))
+				{
+					/* a error value */
+					return 255;
+				}
+				continue;
+			case 'v':
+				dbg_default_set_level(atoi(optarg));
+				continue;
+			default:
+				*arg = optarg;
+				return op;
+		}
+	}
+}
+
+/**
+ * Register a command
+ */
+void command_register(command_t command)
+{
+	int i;
+
+	cmds[registered] = command;
+	/* append default options, but not to --help */
+	if (!active)
+	{
+		for (i = 0; i < countof(cmds[registered].options); i++)
+		{
+			if (cmds[registered].options[i].name)
+			{
+				continue;
+			}
+			cmds[registered].options[i++] = (command_option_t) {
+				"debug",	'v', 1, "set debug level, default: 1"
+			};
+			cmds[registered].options[i++] = (command_option_t) {
+				"options",	'+', 1, "read command line options from file"
+			};
+			break;
+		}
+	}
+	registered++;
+}
+
+/**
+ * Print usage text, with an optional error
+ */
+int command_usage(char *error)
+{
+	FILE *out = stdout;
+	int i;
+
+	if (error)
+	{
+		out = stderr;
+		fprintf(out, "Error: %s\n", error);
+	}
+	fprintf(out, "strongSwan %s PKI tool\n", VERSION);
+	fprintf(out, "usage:\n");
+	if (active == help_idx)
+	{
+		for (i = 0; cmds[i].cmd; i++)
+		{
+			fprintf(out, "  pki --%-6s (-%c)  %s\n",
+					cmds[i].cmd, cmds[i].op, cmds[i].description);
+		}
+	}
+	else
+	{
+		for (i = 0; cmds[active].line[i]; i++)
+		{
+			if (i == 0)
+			{
+				fprintf(out, "  pki --%s %s\n",
+						cmds[active].cmd, cmds[active].line[i]);
+			}
+			else
+			{
+				fprintf(out, "              %s\n", cmds[active].line[i]);
+			}
+		}
+		for (i = 0; cmds[active].options[i].name; i++)
+		{
+			fprintf(out, "        --%-8s (-%c)  %s\n",
+					cmds[active].options[i].name, cmds[active].options[i].op,
+					cmds[active].options[i].desc);
+		}
+	}
+	return error != NULL;
+}
+
+
+/**
+ * Show usage information
+ */
+static int help(int argc, char *argv[])
+{
+	return command_usage(NULL);
+}
+
+/**
+ * Dispatch cleanup hook
+ */
+static void cleanup()
+{
+	options->destroy(options);
+}
+
+/**
+ * Dispatch commands.
+ */
+int command_dispatch(int c, char *v[])
+{
+	int op, i;
+
+	options = options_create();
+	atexit(cleanup);
+	active = help_idx = registered;
+	argc = c;
+	argv = v;
+	command_register((command_t){help, 'h', "help", "show usage information"});
+
+	build_opts();
+	op = getopt_long(c, v, command_optstring, command_opts, NULL);
+	for (i = 0; cmds[i].cmd; i++)
+	{
+		if (cmds[i].op == op)
+		{
+			active = i;
+			build_opts();
+			return cmds[i].call();
+		}
+	}
+	return command_usage("invalid operation");
+}
+
diff --git a/src/pki/command.h b/src/pki/command.h
new file mode 100644
index 000000000..fad598c0b
--- /dev/null
+++ b/src/pki/command.h
@@ -0,0 +1,95 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup command command
+ * @{ @ingroup pki
+ */
+
+#ifndef COMMAND_H_
+#define COMMAND_H_
+
+/**
+ * Maximum number of commands.
+ */
+#define MAX_COMMANDS 10
+
+/**
+ * Maximum number of options in a command (+1)
+ */
+#define MAX_OPTIONS 20
+
+/**
+ * Maximum number of usage summary lines (+1)
+ */
+#define MAX_LINES 10
+
+typedef struct command_t command_t;
+typedef struct command_option_t command_option_t;
+typedef enum command_type_t command_type_t;
+
+/**
+ * Option specification
+ */
+struct command_option_t {
+	/** long option string of the option */
+	char *name;
+	/** short option character of the option */
+	char op;
+	/** expected argument to option, no/req/opt_argument */
+	int arg;
+	/** description of the option */
+	char *desc;
+};
+
+/**
+ * Command specification.
+ */
+struct command_t {
+	/** Function implementing the command */
+	int (*call)();
+	/** short option character */
+	char op;
+	/** long option string */
+	char *cmd;
+	/** description of the command */
+	char *description;
+	/** usage summary of the command */
+	char *line[MAX_LINES];
+	/** list of options the command accepts */
+	command_option_t options[MAX_OPTIONS];
+};
+
+/**
+ * Get the next option, as with getopt.
+ */
+int command_getopt(char **arg);
+
+/**
+ * Register a command.
+ */
+void command_register(command_t command);
+
+/**
+ * Dispatch commands.
+ */
+int command_dispatch(int argc, char *argv[]);
+
+/**
+ * Show usage information of active command.
+ */
+int command_usage(char *error);
+
+#endif /* COMMAND_H_ @}*/
diff --git a/src/pki/commands/gen.c b/src/pki/commands/gen.c
new file mode 100644
index 000000000..16d8d48d4
--- /dev/null
+++ b/src/pki/commands/gen.c
@@ -0,0 +1,125 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "pki.h"
+
+/**
+ * Generate a private key
+ */
+static int gen()
+{
+	key_encoding_type_t form = KEY_PRIV_ASN1_DER;
+	key_type_t type = KEY_RSA;
+	u_int size = 0;
+	private_key_t *key;
+	chunk_t encoding;
+	char *arg;
+
+	while (TRUE)
+	{
+		switch (command_getopt(&arg))
+		{
+			case 'h':
+				return command_usage(NULL);
+			case 't':
+				if (streq(arg, "rsa"))
+				{
+					type = KEY_RSA;
+				}
+				else if (streq(arg, "ecdsa"))
+				{
+					type = KEY_ECDSA;
+				}
+				else
+				{
+					return command_usage("invalid key type");
+				}
+				continue;
+			case 'o':
+				if (!get_form(arg, &form, FALSE))
+				{
+					return command_usage("invalid key output format");
+				}
+				continue;
+			case 's':
+				size = atoi(arg);
+				if (!size)
+				{
+					return command_usage("invalid key size");
+				}
+				continue;
+			case EOF:
+				break;
+			default:
+				return command_usage("invalid --gen option");
+		}
+		break;
+	}
+	/* default key sizes */
+	if (!size)
+	{
+		switch (type)
+		{
+			case KEY_RSA:
+				size = 2048;
+				break;
+			case KEY_ECDSA:
+				size = 384;
+				break;
+			default:
+				break;
+		}
+	}
+	key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type,
+							 BUILD_KEY_SIZE, size, BUILD_END);
+	if (!key)
+	{
+		fprintf(stderr, "private key generation failed\n");
+		return 1;
+	}
+	if (!key->get_encoding(key, form, &encoding))
+	{
+		fprintf(stderr, "private key encoding failed\n");
+		key->destroy(key);
+		return 1;
+	}
+	key->destroy(key);
+	if (fwrite(encoding.ptr, encoding.len, 1, stdout) != 1)
+	{
+		fprintf(stderr, "writing private key failed\n");
+		free(encoding.ptr);
+		return 1;
+	}
+	free(encoding.ptr);
+	return 0;
+}
+
+/**
+ * Register the command.
+ */
+static void __attribute__ ((constructor))reg()
+{
+	command_register((command_t) {
+		gen, 'g', "gen", "generate a new private key",
+		{"[--type rsa|ecdsa] [--size bits] [--outform der|pem|pgp]"},
+		{
+			{"help",	'h', 0, "show usage information"},
+			{"type",	't', 1, "type of key, default: rsa"},
+			{"size",	's', 1, "keylength in bits, default: rsa 2048, ecdsa 384"},
+			{"outform",	'f', 1, "encoding of generated private key"},
+		}
+	});
+}
+
diff --git a/src/pki/commands/issue.c b/src/pki/commands/issue.c
new file mode 100644
index 000000000..07ab9066a
--- /dev/null
+++ b/src/pki/commands/issue.c
@@ -0,0 +1,370 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <time.h>
+
+#include "pki.h"
+
+#include <debug.h>
+#include <utils/linked_list.h>
+#include <credentials/certificates/certificate.h>
+#include <credentials/certificates/x509.h>
+#include <credentials/certificates/pkcs10.h>
+
+/**
+ * Issue a certificate using a CA certificate and key
+ */
+static int issue()
+{
+	hash_algorithm_t digest = HASH_SHA1;
+	certificate_t *cert_req = NULL, *cert = NULL, *ca =NULL;
+	private_key_t *private = NULL;
+	public_key_t *public = NULL;
+	bool pkcs10 = FALSE;
+	char *file = NULL, *dn = NULL, *hex = NULL, *cacert = NULL, *cakey = NULL;
+	char *error = NULL;
+	identification_t *id = NULL;
+	linked_list_t *san, *cdps, *ocsp;
+	int lifetime = 1080;
+	int pathlen = X509_NO_PATH_LEN_CONSTRAINT;
+	chunk_t serial = chunk_empty;
+	chunk_t encoding = chunk_empty;
+	time_t not_before, not_after;
+	x509_flag_t flags = 0;
+	x509_t *x509;
+	char *arg;
+
+	san = linked_list_create();
+	cdps = linked_list_create();
+	ocsp = linked_list_create();
+
+	while (TRUE)
+	{
+		switch (command_getopt(&arg))
+		{
+			case 'h':
+				goto usage;
+			case 't':
+				if (streq(arg, "pkcs10"))
+				{
+					pkcs10 = TRUE;
+				}
+				else if (!streq(arg, "pub"))
+				{
+					error = "invalid input type";
+					goto usage;
+				}
+				continue;
+			case 'g':
+				digest = get_digest(arg);
+				if (digest == HASH_UNKNOWN)
+				{
+					error = "invalid --digest type";
+					goto usage;
+				}
+				continue;
+			case 'i':
+				file = arg;
+				continue;
+			case 'c':
+				cacert = arg;
+				continue;
+			case 'k':
+				cakey = arg;
+				continue;
+			case 'd':
+				dn = arg;
+				continue;
+			case 'a':
+				san->insert_last(san, identification_create_from_string(arg));
+				continue;
+			case 'l':
+				lifetime = atoi(arg);
+				if (!lifetime)
+				{
+					error = "invalid --lifetime value";
+					goto usage;
+				}
+				continue;
+			case 's':
+				hex = arg;
+				continue;
+			case 'b':
+				flags |= X509_CA;
+				continue;
+			case 'p':
+				pathlen = atoi(arg);
+				continue;
+			case 'f':
+				if (streq(arg, "serverAuth"))
+				{
+					flags |= X509_SERVER_AUTH;
+				}
+				else if (streq(arg, "clientAuth"))
+				{
+					flags |= X509_CLIENT_AUTH;
+				}
+				else if (streq(arg, "ocspSigning"))
+				{
+					flags |= X509_OCSP_SIGNER;
+				}
+				continue;
+			case 'u':
+				cdps->insert_last(cdps, arg);
+				continue;
+			case 'o':
+				ocsp->insert_last(ocsp, arg);
+				continue;
+			case EOF:
+				break;
+			default:
+				error = "invalid --issue option";
+				goto usage;
+		}
+		break;
+	}
+
+	if (!pkcs10 && !dn)
+	{
+		error = "--dn is required";
+		goto usage;
+	}
+	if (!cacert)
+	{
+		error = "--cacert is required";
+		goto usage;
+	}
+	if (!cakey)
+	{
+		error = "--cakey is required";
+		goto usage;
+	}
+	if (dn)
+	{
+		id = identification_create_from_string(dn);
+		if (id->get_type(id) != ID_DER_ASN1_DN)
+		{
+			error = "supplied --dn is not a distinguished name";
+			goto end;
+		}
+	}
+
+	DBG2("Reading ca certificate:");
+	ca = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+							BUILD_FROM_FILE, cacert, BUILD_END);
+	if (!ca)
+	{
+		error = "parsing CA certificate failed";
+		goto end;
+	}
+	x509 = (x509_t*)ca;
+	if (!(x509->get_flags(x509) & X509_CA))
+	{
+		error = "CA certificate misses CA basicConstraint";
+		goto end;
+	}
+	public = ca->get_public_key(ca);
+	if (!public)
+	{
+		error = "extracting CA certificate public key failed";
+		goto end;
+	}
+
+	DBG2("Reading ca private key:");
+	private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY,
+								 public->get_type(public),
+								 BUILD_FROM_FILE, cakey, BUILD_END);
+	if (!private)
+	{
+		error = "parsing CA private key failed";
+		goto end;
+	}
+	if (!private->belongs_to(private, public))
+	{
+		error = "CA private key does not match CA certificate";
+		goto end;
+	}
+	public->destroy(public);
+
+	if (hex)
+	{
+		serial = chunk_from_hex(chunk_create(hex, strlen(hex)), NULL);
+	}
+	else
+	{
+		rng_t *rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
+
+		if (!rng)
+		{
+			error = "no random number generator found";
+			goto end;
+		}
+		rng->allocate_bytes(rng, 8, &serial);
+		rng->destroy(rng);
+	}
+
+	if (pkcs10)
+	{
+		enumerator_t *enumerator;
+		identification_t *subjectAltName;
+		pkcs10_t *req;
+
+		DBG2("Reading certificate request");
+		if (file)
+		{
+			cert_req = lib->creds->create(lib->creds, CRED_CERTIFICATE,
+										  CERT_PKCS10_REQUEST,
+										  BUILD_FROM_FILE, file, BUILD_END);
+		}
+		else
+		{
+			cert_req = lib->creds->create(lib->creds, CRED_CERTIFICATE,
+										  CERT_PKCS10_REQUEST,
+										  BUILD_FROM_FD, 0, BUILD_END);
+		}
+		if (!cert_req)
+		{
+			error = "parsing certificate request failed";
+			goto end;
+		}
+
+		/* If not set yet use subject from PKCS#10 certificate request as DN */
+		if (!id)
+		{
+			id = cert_req->get_subject(cert_req);
+			id = id->clone(id);
+		}
+
+		/* Add subjectAltNames from PKCS#10 certificate request */
+		req = (pkcs10_t*)cert_req;
+		enumerator = req->create_subjectAltName_enumerator(req);
+		while (enumerator->enumerate(enumerator, &subjectAltName))
+		{
+			san->insert_last(san, subjectAltName->clone(subjectAltName));
+		}
+		enumerator->destroy(enumerator);
+
+		/* Use public key from PKCS#10 certificate request */
+		public = cert_req->get_public_key(cert_req);
+	}
+	else
+	{
+		DBG2("Reading public key:");
+		if (file)
+		{
+			public = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ANY,
+										BUILD_FROM_FILE, file, BUILD_END);
+		}
+		else
+		{
+			public = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ANY,
+										 BUILD_FROM_FD, 0, BUILD_END);
+		}
+	}
+	if (!public)
+	{
+		error = "parsing public key failed";
+		goto end;
+	}
+
+	not_before = time(NULL);
+	not_after = not_before + lifetime * 24 * 60 * 60;
+
+	cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+					BUILD_SIGNING_KEY, private, BUILD_SIGNING_CERT, ca,
+					BUILD_PUBLIC_KEY, public, BUILD_SUBJECT, id,
+					BUILD_NOT_BEFORE_TIME, not_before, BUILD_DIGEST_ALG, digest,
+					BUILD_NOT_AFTER_TIME, not_after, BUILD_SERIAL, serial,
+					BUILD_SUBJECT_ALTNAMES, san, BUILD_X509_FLAG, flags,
+					BUILD_PATHLEN, pathlen,
+					BUILD_CRL_DISTRIBUTION_POINTS, cdps,
+					BUILD_OCSP_ACCESS_LOCATIONS, ocsp, BUILD_END);
+	if (!cert)
+	{
+		error = "generating certificate failed";
+		goto end;
+	}
+	encoding = cert->get_encoding(cert);
+	if (!encoding.ptr)
+	{
+		error = "encoding certificate failed";
+		goto end;
+	}
+	if (fwrite(encoding.ptr, encoding.len, 1, stdout) != 1)
+	{
+		error = "writing certificate key failed";
+		goto end;
+	}
+
+end:
+	DESTROY_IF(id);
+	DESTROY_IF(cert_req);
+	DESTROY_IF(cert);
+	DESTROY_IF(ca);
+	DESTROY_IF(public);
+	DESTROY_IF(private);
+	san->destroy_offset(san, offsetof(identification_t, destroy));
+	cdps->destroy(cdps);
+	ocsp->destroy(ocsp);
+	free(encoding.ptr);
+	free(serial.ptr);
+
+	if (error)
+	{
+		fprintf(stderr, "%s\n", error);
+		return 1;
+	}
+	return 0;
+
+usage:
+	san->destroy_offset(san, offsetof(identification_t, destroy));
+	cdps->destroy(cdps);
+	ocsp->destroy(ocsp);
+	return command_usage(error);
+}
+
+/**
+ * Register the command.
+ */
+static void __attribute__ ((constructor))reg()
+{
+	command_register((command_t) {
+		issue, 'i', "issue",
+		"issue a certificate using a CA certificate and key",
+		{"[--in file] [--type pub|pkcs10]",
+		 " --cacert file --cakey file --dn subject-dn [--san subjectAltName]+",
+		 "[--lifetime days] [--serial hex] [--crl uri]+ [--ocsp uri]+",
+		 "[--ca] [--pathlen len] [--flag serverAuth|clientAuth|ocspSigning]+",
+		 "[--digest md5|sha1|sha224|sha256|sha384|sha512]"},
+		{
+			{"help",	'h', 0, "show usage information"},
+			{"in",		'i', 1, "public key/request file to issue, default: stdin"},
+			{"type",	't', 1, "type of input, default: pub"},
+			{"cacert",	'c', 1, "CA certificate file"},
+			{"cakey",	'k', 1, "CA private key file"},
+			{"dn",		'd', 1, "distinguished name to include as subject"},
+			{"san",		'a', 1, "subjectAltName to include in certificate"},
+			{"lifetime",'l', 1, "days the certificate is valid, default: 1080"},
+			{"serial",	's', 1, "serial number in hex, default: random"},
+			{"ca",		'b', 0, "include CA basicConstraint, default: no"},
+			{"pathlen",	'p', 1, "set path length constraint"},
+			{"flag",	'f', 1, "include extendedKeyUsage flag"},
+			{"crl",		'u', 1, "CRL distribution point URI to include"},
+			{"ocsp",	'o', 1, "OCSP AuthorityInfoAccess URI to include"},
+			{"digest",	'g', 1, "digest for signature creation, default: sha1"},
+		}
+	});
+}
+
diff --git a/src/pki/commands/keyid.c b/src/pki/commands/keyid.c
new file mode 100644
index 000000000..c15c1193e
--- /dev/null
+++ b/src/pki/commands/keyid.c
@@ -0,0 +1,164 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "pki.h"
+
+#include <credentials/certificates/certificate.h>
+#include <credentials/certificates/x509.h>
+
+/**
+ * Calculate the keyid of a key/certificate
+ */
+static int keyid()
+{
+	credential_type_t type = CRED_PRIVATE_KEY;
+	int subtype = KEY_RSA;
+	certificate_t *cert;
+	private_key_t *private;
+	public_key_t *public;
+	char *file = NULL;
+	void *cred;
+	chunk_t id;
+	char *arg;
+
+	while (TRUE)
+	{
+		switch (command_getopt(&arg))
+		{
+			case 'h':
+				return command_usage(NULL);
+			case 't':
+				if (streq(arg, "rsa-priv"))
+				{
+					type = CRED_PRIVATE_KEY;
+					subtype = KEY_RSA;
+				}
+				else if (streq(arg, "ecdsa-priv"))
+				{
+					type = CRED_PRIVATE_KEY;
+					subtype = KEY_ECDSA;
+				}
+				else if (streq(arg, "pub"))
+				{
+					type = CRED_PUBLIC_KEY;
+					subtype = KEY_ANY;
+				}
+				else if (streq(arg, "pkcs10"))
+				{
+					type = CRED_CERTIFICATE;
+					subtype = CERT_PKCS10_REQUEST;
+				}
+				else if (streq(arg, "x509"))
+				{
+					type = CRED_CERTIFICATE;
+					subtype = CERT_X509;
+				}
+				else
+				{
+					return command_usage( "invalid input type");
+				}
+				continue;
+			case 'i':
+				file = arg;
+				continue;
+			case EOF:
+				break;
+			default:
+				return command_usage("invalid --keyid option");
+		}
+		break;
+	}
+	if (file)
+	{
+		cred = lib->creds->create(lib->creds, type, subtype,
+								  BUILD_FROM_FILE, file, BUILD_END);
+	}
+	else
+	{
+		cred = lib->creds->create(lib->creds, type, subtype,
+								  BUILD_FROM_FD, 0, BUILD_END);
+	}
+	if (!cred)
+	{
+		fprintf(stderr, "parsing input failed\n");
+		return 1;
+	}
+
+	if (type == CRED_PRIVATE_KEY)
+	{
+		private = cred;
+		if (private->get_fingerprint(private, KEY_ID_PUBKEY_SHA1, &id))
+		{
+			printf("subjectKeyIdentifier:      %#B\n", &id);
+		}
+		if (private->get_fingerprint(private, KEY_ID_PUBKEY_INFO_SHA1, &id))
+		{
+			printf("subjectPublicKeyInfo hash: %#B\n", &id);
+		}
+		private->destroy(private);
+	}
+	else if (type == CRED_PUBLIC_KEY)
+	{
+		public = cred;
+		if (public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1, &id))
+		{
+			printf("subjectKeyIdentifier:      %#B\n", &id);
+		}
+		if (public->get_fingerprint(public, KEY_ID_PUBKEY_INFO_SHA1, &id))
+		{
+			printf("subjectPublicKeyInfo hash: %#B\n", &id);
+		}
+		public->destroy(public);
+	}
+	else
+	{
+		cert = cred;
+		public = cert->get_public_key(cert);
+		if (!public)
+		{
+			fprintf(stderr, "extracting public key from certificate failed");
+			return 1;
+		}
+		if (public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1, &id))
+		{
+			printf("subjectKeyIdentifier:      %#B\n", &id);
+		}
+		if (public->get_fingerprint(public, KEY_ID_PUBKEY_INFO_SHA1, &id))
+		{
+			printf("subjectPublicKeyInfo hash: %#B\n", &id);
+		}
+		public->destroy(public);
+		cert->destroy(cert);
+	}
+	return 0;
+}
+
+/**
+ * Register the command.
+ */
+static void __attribute__ ((constructor))reg()
+{
+	command_register((command_t)
+		{ keyid, 'k', "keyid",
+		"calculate key identifiers of a key/certificate",
+		{"[--in file] [--type rsa-priv|ecdsa-priv|pub|pkcs10|x509]"},
+		{
+			{"help",	'h', 0, "show usage information"},
+			{"in",		'i', 1, "input file, default: stdin"},
+			{"type",	't', 1, "type of key, default: rsa-priv"},
+		}
+	});
+}
+
diff --git a/src/pki/commands/pub.c b/src/pki/commands/pub.c
new file mode 100644
index 000000000..de0444c1a
--- /dev/null
+++ b/src/pki/commands/pub.c
@@ -0,0 +1,157 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "pki.h"
+
+#include <credentials/certificates/certificate.h>
+#include <credentials/certificates/x509.h>
+
+/**
+ * Extract a public key from a private key/certificate
+ */
+static int pub()
+{
+	key_encoding_type_t form = KEY_PUB_SPKI_ASN1_DER;
+	credential_type_t type = CRED_PRIVATE_KEY;
+	int subtype = KEY_RSA;
+	certificate_t *cert;
+	private_key_t *private;
+	public_key_t *public;
+	chunk_t encoding;
+	char *file = NULL;
+	void *cred;
+	char *arg;
+
+	while (TRUE)
+	{
+		switch (command_getopt(&arg))
+		{
+			case 'h':
+				return command_usage(NULL);
+			case 't':
+				if (streq(arg, "rsa"))
+				{
+					type = CRED_PRIVATE_KEY;
+					subtype = KEY_RSA;
+				}
+				else if (streq(arg, "ecdsa"))
+				{
+					type = CRED_PRIVATE_KEY;
+					subtype = KEY_ECDSA;
+				}
+				else if (streq(arg, "pkcs10"))
+				{
+					type = CRED_CERTIFICATE;
+					subtype = CERT_PKCS10_REQUEST;
+				}
+				else if (streq(arg, "x509"))
+				{
+					type = CRED_CERTIFICATE;
+					subtype = CERT_X509;
+				}
+				else
+				{
+					return command_usage("invalid input type");
+				}
+				continue;
+			case 'f':
+				if (!get_form(arg, &form, TRUE))
+				{
+					return command_usage("invalid output format");
+				}
+				continue;
+			case 'i':
+				file = arg;
+				continue;
+			case EOF:
+				break;
+			default:
+				return command_usage("invalid --pub option");
+		}
+		break;
+	}
+	if (file)
+	{
+		cred = lib->creds->create(lib->creds, type, subtype,
+									 BUILD_FROM_FILE, file, BUILD_END);
+	}
+	else
+	{
+		cred = lib->creds->create(lib->creds, type, subtype,
+									 BUILD_FROM_FD, 0, BUILD_END);
+	}
+
+	if (type == CRED_PRIVATE_KEY)
+	{
+		private = cred;
+		if (!private)
+		{
+			fprintf(stderr, "parsing private key failed\n");
+			return 1;
+		}
+		public = private->get_public_key(private);
+		private->destroy(private);
+	}
+	else
+	{
+		cert = cred;
+		if (!cert)
+		{
+			fprintf(stderr, "parsing certificate failed\n");
+			return 1;
+		}
+		public = cert->get_public_key(cert);
+		cert->destroy(cert);
+	}
+	if (!public)
+	{
+		fprintf(stderr, "extracting public key failed\n");
+		return 1;
+	}
+	if (!public->get_encoding(public, form, &encoding))
+	{
+		fprintf(stderr, "public key encoding failed\n");
+		public->destroy(public);
+		return 1;
+	}
+	public->destroy(public);
+	if (fwrite(encoding.ptr, encoding.len, 1, stdout) != 1)
+	{
+		fprintf(stderr, "writing public key failed\n");
+		free(encoding.ptr);
+		return 1;
+	}
+	free(encoding.ptr);
+	return 0;
+}
+
+/**
+ * Register the command.
+ */
+static void __attribute__ ((constructor))reg()
+{
+	command_register((command_t) {
+		pub, 'p', "pub",
+		"extract the public key from a private key/certificate",
+		{"[--in file] [--type rsa|ecdsa|pkcs10|x509] [--outform der|pem|pgp]"},
+		{
+			{"help",	'h', 0, "show usage information"},
+			{"in",		'i', 1, "input file, default: stdin"},
+			{"type",	't', 1, "type of credential, default: rsa"},
+			{"outform",	'f', 1, "encoding of extracted public key"},
+		}
+	});
+}
+
diff --git a/src/pki/commands/req.c b/src/pki/commands/req.c
new file mode 100644
index 000000000..8335f2595
--- /dev/null
+++ b/src/pki/commands/req.c
@@ -0,0 +1,184 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Copyright (C) 2009 Andreas Steffen
+ *
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <time.h>
+
+#include "pki.h"
+
+#include <utils/linked_list.h>
+#include <credentials/certificates/certificate.h>
+
+/**
+ * Create a self-signed PKCS#10 certificate requesst.
+ */
+static int req()
+{
+	key_type_t type = KEY_RSA;
+	hash_algorithm_t digest = HASH_SHA1;
+	certificate_t *cert = NULL;
+	private_key_t *private = NULL;
+	char *file = NULL, *dn = NULL, *error = NULL;
+	identification_t *id = NULL;
+	linked_list_t *san;
+	chunk_t encoding = chunk_empty;
+	chunk_t challenge_password = chunk_empty;
+	char *arg;
+
+	san = linked_list_create();
+
+	while (TRUE)
+	{
+		switch (command_getopt(&arg))
+		{
+			case 'h':
+				goto usage;
+			case 't':
+				if (streq(arg, "rsa"))
+				{
+					type = KEY_RSA;
+				}
+				else if (streq(arg, "ecdsa"))
+				{
+					type = KEY_ECDSA;
+				}
+				else
+				{
+					error = "invalid input type";
+					goto usage;
+				}
+				continue;
+			case 'g':
+				digest = get_digest(arg);
+				if (digest == HASH_UNKNOWN)
+				{
+					error = "invalid --digest type";
+					goto usage;
+				}
+				continue;
+			case 'i':
+				file = arg;
+				continue;
+			case 'd':
+				dn = arg;
+				continue;
+			case 'a':
+				san->insert_last(san, identification_create_from_string(arg));
+				continue;
+			case 'p':
+				challenge_password = chunk_create(arg, strlen(arg));
+				continue;
+			case EOF:
+				break;
+			default:
+				error = "invalid --req option";
+				goto usage;
+		}
+		break;
+	}
+
+	if (!dn)
+	{
+		error = "--dn is required";
+		goto usage;
+	}
+	id = identification_create_from_string(dn);
+	if (id->get_type(id) != ID_DER_ASN1_DN)
+	{
+		error = "supplied --dn is not a distinguished name";
+		goto end;
+	}
+	if (file)
+	{
+		private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type,
+									 BUILD_FROM_FILE, file, BUILD_END);
+	}
+	else
+	{
+		private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type,
+									 BUILD_FROM_FD, 0, BUILD_END);
+	}
+	if (!private)
+	{
+		error = "parsing private key failed";
+		goto end;
+	}
+	cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_PKCS10_REQUEST,
+							  BUILD_SIGNING_KEY, private,
+							  BUILD_SUBJECT, id,
+							  BUILD_SUBJECT_ALTNAMES, san,
+							  BUILD_PASSPHRASE, challenge_password,
+							  BUILD_DIGEST_ALG, digest,
+							  BUILD_END);
+	if (!cert)
+	{
+		error = "generating certificate request failed";
+		goto end;
+	}
+	encoding = cert->get_encoding(cert);
+	if (!encoding.ptr)
+	{
+		error = "encoding certificate request failed";
+		goto end;
+	}
+	if (fwrite(encoding.ptr, encoding.len, 1, stdout) != 1)
+	{
+		error = "writing certificate request failed";
+		goto end;
+	}
+
+end:
+	DESTROY_IF(id);
+	DESTROY_IF(cert);
+	DESTROY_IF(private);
+	san->destroy_offset(san, offsetof(identification_t, destroy));
+	free(encoding.ptr);
+
+	if (error)
+	{
+		fprintf(stderr, "%s\n", error);
+		return 1;
+	}
+	return 0;
+
+usage:
+	san->destroy_offset(san, offsetof(identification_t, destroy));
+	return command_usage(error);
+}
+
+/**
+ * Register the command.
+ */
+static void __attribute__ ((constructor))reg()
+{
+	command_register((command_t) {
+		req, 'r', "req",
+		"create a PKCS#10 certificate request",
+		{"[--in file] [--type rsa|ecdsa]",
+		 " --dn distinguished-name [--san subjectAltName]+",
+		 "[--password challengePassword]",
+		 "[--digest md5|sha1|sha224|sha256|sha384|sha512]"},
+		{
+			{"help",	'h', 0, "show usage information"},
+			{"in",		'i', 1, "private key input file, default: stdin"},
+			{"type",	't', 1, "type of input key, default: rsa"},
+			{"dn",		'd', 1, "subject distinguished name"},
+			{"san",		'a', 1, "subjectAltName to include in cert request"},
+			{"password",'p', 1, "challengePassword to include in cert request"},
+			{"digest",	'g', 1, "digest for signature creation, default: sha1"},
+		}
+	});
+}
diff --git a/src/pki/commands/self.c b/src/pki/commands/self.c
new file mode 100644
index 000000000..30ae23be5
--- /dev/null
+++ b/src/pki/commands/self.c
@@ -0,0 +1,238 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <time.h>
+
+#include "pki.h"
+
+#include <utils/linked_list.h>
+#include <credentials/certificates/certificate.h>
+#include <credentials/certificates/x509.h>
+
+/**
+ * Create a self signed certificate.
+ */
+static int self()
+{
+	key_type_t type = KEY_RSA;
+	hash_algorithm_t digest = HASH_SHA1;
+	certificate_t *cert = NULL;
+	private_key_t *private = NULL;
+	public_key_t *public = NULL;
+	char *file = NULL, *dn = NULL, *hex = NULL, *error = NULL;
+	identification_t *id = NULL;
+	linked_list_t *san, *ocsp;
+	int lifetime = 1080;
+	int pathlen = X509_NO_PATH_LEN_CONSTRAINT;
+	chunk_t serial = chunk_empty;
+	chunk_t encoding = chunk_empty;
+	time_t not_before, not_after;
+	x509_flag_t flags = 0;
+	char *arg;
+
+	san = linked_list_create();
+	ocsp = linked_list_create();
+
+	while (TRUE)
+	{
+		switch (command_getopt(&arg))
+		{
+			case 'h':
+				goto usage;
+			case 't':
+				if (streq(arg, "rsa"))
+				{
+					type = KEY_RSA;
+				}
+				else if (streq(arg, "ecdsa"))
+				{
+					type = KEY_ECDSA;
+				}
+				else
+				{
+					error = "invalid input type";
+					goto usage;
+				}
+				continue;
+			case 'g':
+				digest = get_digest(arg);
+				if (digest == HASH_UNKNOWN)
+				{
+					error = "invalid --digest type";
+					goto usage;
+				}
+				continue;
+			case 'i':
+				file = arg;
+				continue;
+			case 'd':
+				dn = arg;
+				continue;
+			case 'a':
+				san->insert_last(san, identification_create_from_string(arg));
+				continue;
+			case 'l':
+				lifetime = atoi(arg);
+				if (!lifetime)
+				{
+					error = "invalid --lifetime value";
+					goto usage;
+				}
+				continue;
+			case 's':
+				hex = arg;
+				continue;
+			case 'b':
+				flags |= X509_CA;
+				continue;
+			case 'p':
+				pathlen = atoi(arg);
+				continue;
+			case 'o':
+				ocsp->insert_last(ocsp, arg);
+				continue;
+			case EOF:
+				break;
+			default:
+				error = "invalid --self option";
+				goto usage;
+		}
+		break;
+	}
+
+	if (!dn)
+	{
+		error = "--dn is required";
+		goto usage;
+	}
+	id = identification_create_from_string(dn);
+	if (id->get_type(id) != ID_DER_ASN1_DN)
+	{
+		error = "supplied --dn is not a distinguished name";
+		goto end;
+	}
+	if (file)
+	{
+		private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type,
+									 BUILD_FROM_FILE, file, BUILD_END);
+	}
+	else
+	{
+		private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type,
+									 BUILD_FROM_FD, 0, BUILD_END);
+	}
+	if (!private)
+	{
+		error = "parsing private key failed";
+		goto end;
+	}
+	public = private->get_public_key(private);
+	if (!public)
+	{
+		error = "extracting public key failed";
+		goto end;
+	}
+	if (hex)
+	{
+		serial = chunk_from_hex(chunk_create(hex, strlen(hex)), NULL);
+	}
+	else
+	{
+		rng_t *rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
+
+		if (!rng)
+		{
+			error = "no random number generator found";
+			goto end;
+		}
+		rng->allocate_bytes(rng, 8, &serial);
+		rng->destroy(rng);
+	}
+	not_before = time(NULL);
+	not_after = not_before + lifetime * 24 * 60 * 60;
+	cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+						BUILD_SIGNING_KEY, private, BUILD_PUBLIC_KEY, public,
+						BUILD_SUBJECT, id, BUILD_NOT_BEFORE_TIME, not_before,
+						BUILD_NOT_AFTER_TIME, not_after, BUILD_SERIAL, serial,
+						BUILD_DIGEST_ALG, digest, BUILD_X509_FLAG, flags,
+						BUILD_PATHLEN, pathlen, BUILD_SUBJECT_ALTNAMES, san,
+						BUILD_OCSP_ACCESS_LOCATIONS, ocsp, BUILD_END);
+	if (!cert)
+	{
+		error = "generating certificate failed";
+		goto end;
+	}
+	encoding = cert->get_encoding(cert);
+	if (!encoding.ptr)
+	{
+		error = "encoding certificate failed";
+		goto end;
+	}
+	if (fwrite(encoding.ptr, encoding.len, 1, stdout) != 1)
+	{
+		error = "writing certificate key failed";
+		goto end;
+	}
+
+end:
+	DESTROY_IF(id);
+	DESTROY_IF(cert);
+	DESTROY_IF(public);
+	DESTROY_IF(private);
+	san->destroy_offset(san, offsetof(identification_t, destroy));
+	ocsp->destroy(ocsp);
+	free(encoding.ptr);
+	free(serial.ptr);
+
+	if (error)
+	{
+		fprintf(stderr, "%s\n", error);
+		return 1;
+	}
+	return 0;
+
+usage:
+	san->destroy_offset(san, offsetof(identification_t, destroy));
+	ocsp->destroy(ocsp);
+	return command_usage(error);
+}
+
+/**
+ * Register the command.
+ */
+static void __attribute__ ((constructor))reg()
+{
+	command_register((command_t) {
+		self, 's', "self",
+		"create a self signed certificate",
+		{"[--in file] [--type rsa|ecdsa]",
+		 " --dn distinguished-name [--san subjectAltName]+",
+		 "[--lifetime days] [--serial hex] [--ca] [--ocsp uri]+",
+		 "[--digest md5|sha1|sha224|sha256|sha384|sha512]"},
+		{
+			{"help",	'h', 0, "show usage information"},
+			{"in",		'i', 1, "private key input file, default: stdin"},
+			{"type",	't', 1, "type of input key, default: rsa"},
+			{"dn",		'd', 1, "subject and issuer distinguished name"},
+			{"san",		'a', 1, "subjectAltName to include in certificate"},
+			{"lifetime",'l', 1, "days the certificate is valid, default: 1080"},
+			{"serial",	's', 1, "serial number in hex, default: random"},
+			{"ca",		'b', 0, "include CA basicConstraint, default: no"},
+			{"pathlen",	'p', 1, "set path length constraint"},
+			{"ocsp",	'o', 1, "OCSP AuthorityInfoAccess URI to include"},
+			{"digest",	'g', 1, "digest for signature creation, default: sha1"},
+		}
+	});
+}
diff --git a/src/pki/commands/verify.c b/src/pki/commands/verify.c
new file mode 100644
index 000000000..bbcc53891
--- /dev/null
+++ b/src/pki/commands/verify.c
@@ -0,0 +1,136 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "pki.h"
+
+#include <credentials/certificates/certificate.h>
+#include <credentials/certificates/x509.h>
+
+/**
+ * Verify a certificate signature
+ */
+static int verify()
+{
+	certificate_t *cert, *ca;
+	char *file = NULL, *cafile = NULL;
+	bool good = FALSE;
+	char *arg;
+
+	while (TRUE)
+	{
+		switch (command_getopt(&arg))
+		{
+			case 'h':
+				return command_usage(NULL);
+			case 'i':
+				file = arg;
+				continue;
+			case 'c':
+				cafile = arg;
+				continue;
+			case EOF:
+				break;
+			default:
+				return command_usage("invalid --verify option");
+		}
+		break;
+	}
+
+	if (file)
+	{
+		cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+								  BUILD_FROM_FILE, file, BUILD_END);
+	}
+	else
+	{
+		cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+								  BUILD_FROM_FD, 0, BUILD_END);
+	}
+	if (!cert)
+	{
+		fprintf(stderr, "parsing certificate failed\n");
+		return 1;
+	}
+	if (cafile)
+	{
+		ca = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+								BUILD_FROM_FILE, cafile, BUILD_END);
+		if (!ca)
+		{
+			fprintf(stderr, "parsing CA certificate failed\n");
+			return 1;
+		}
+	}
+	else
+	{
+		ca = cert;
+	}
+	if (cert->issued_by(cert, ca))
+	{
+		if (cert->get_validity(cert, NULL, NULL, NULL))
+		{
+			if (cafile)
+			{
+				if (ca->get_validity(ca, NULL, NULL, NULL))
+				{
+					printf("signature good, certificates valid\n");
+					good = TRUE;
+				}
+				else
+				{
+					printf("signature good, CA certificates not valid now\n");
+				}
+			}
+			else
+			{
+				printf("signature good, certificate valid\n");
+				good = TRUE;
+			}
+		}
+		else
+		{
+			printf("certificate not valid now\n");
+		}
+	}
+	else
+	{
+		printf("signature invalid\n");
+	}
+	if (cafile)
+	{
+		ca->destroy(ca);
+	}
+	cert->destroy(cert);
+
+	return good ? 0 : 2;
+}
+
+/**
+ * Register the command.
+ */
+static void __attribute__ ((constructor))reg()
+{
+	command_register((command_t) {
+		verify, 'v', "verify",
+		"verify a certificate using the CA certificate",
+		{"[--in file] [--ca file]"},
+		{
+			{"help",	'h', 0, "show usage information"},
+			{"in",		'i', 1, "X.509 certificate to verify, default: stdin"},
+			{"cacert",	'c', 1, "CA certificate, default: verify self signed"},
+		}
+	});
+}
+
diff --git a/src/pki/pki.c b/src/pki/pki.c
new file mode 100644
index 000000000..0912d5051
--- /dev/null
+++ b/src/pki/pki.c
@@ -0,0 +1,101 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "command.h"
+#include "pki.h"
+
+#include <debug.h>
+
+/**
+ * Convert a form string to a encoding type
+ */
+bool get_form(char *form, key_encoding_type_t *type, bool pub)
+{
+	if (streq(form, "der"))
+	{
+		/* der encoded keys usually contain the complete SubjectPublicKeyInfo */
+		*type = pub ? KEY_PUB_SPKI_ASN1_DER : KEY_PRIV_ASN1_DER;
+	}
+	else if (streq(form, "pem"))
+	{
+		*type = pub ? KEY_PUB_PEM : KEY_PRIV_PEM;
+	}
+	else if (streq(form, "pgp"))
+	{
+		*type = pub ? KEY_PUB_PGP : KEY_PRIV_PGP;
+	}
+	else
+	{
+		return FALSE;
+	}
+	return TRUE;
+}
+
+/**
+ * Convert a digest string to a hash algorithm
+ */
+hash_algorithm_t get_digest(char *name)
+{
+	if (streq(name, "md5"))
+	{
+		return HASH_MD5;
+	}
+	if (streq(name, "sha1"))
+	{
+		return HASH_SHA1;
+	}
+	if (streq(name, "sha224"))
+	{
+		return HASH_SHA224;
+	}
+	if (streq(name, "sha256"))
+	{
+		return HASH_SHA256;
+	}
+	if (streq(name, "sha384"))
+	{
+		return HASH_SHA384;
+	}
+	if (streq(name, "sha512"))
+	{
+		return HASH_SHA512;
+	}
+	return HASH_UNKNOWN;
+}
+
+/**
+ * Library initialization and operation parsing
+ */
+int main(int argc, char *argv[])
+{
+	atexit(library_deinit);
+	if (!library_init(NULL))
+	{
+		exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
+	}
+	if (lib->integrity &&
+		!lib->integrity->check_file(lib->integrity, "pki", argv[0]))
+	{
+		fprintf(stderr, "integrity check of pki failed\n");
+		exit(SS_RC_DAEMON_INTEGRITY);
+	}
+	if (!lib->plugins->load(lib->plugins, NULL,
+			lib->settings->get_str(lib->settings, "pki.load", PLUGINS)))
+	{
+		exit(SS_RC_INITIALIZATION_FAILED);
+	}
+	return command_dispatch(argc, argv);
+}
+
diff --git a/src/pki/pki.h b/src/pki/pki.h
new file mode 100644
index 000000000..01b103c8f
--- /dev/null
+++ b/src/pki/pki.h
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pki pki
+ * @{ @ingroup pki
+ */
+
+#ifndef PKI_H_
+#define PKI_H_
+
+#include "command.h"
+
+#include <library.h>
+#include <credentials/keys/private_key.h>
+
+/**
+ * Convert a form string to a encoding type
+ */
+bool get_form(char *form, key_encoding_type_t *type, bool pub);
+
+/**
+ * Convert a digest string to a hash algorithm
+ */
+hash_algorithm_t get_digest(char *name);
+
+#endif /** PKI_H_ @}*/
diff --git a/src/pluto/Makefile.am b/src/pluto/Makefile.am
index c9cb6651f..b83e4be33 100644
--- a/src/pluto/Makefile.am
+++ b/src/pluto/Makefile.am
@@ -20,7 +20,6 @@ demux.c demux.h \
 dnskey.c dnskey.h \
 fetch.c fetch.h \
 foodgroups.c foodgroups.h \
-id.c id.h \
 ike_alg.c ike_alg.h \
 ipsec_doi.c ipsec_doi.h \
 kameipsec.h \
@@ -32,12 +31,11 @@ kernel_pfkey.c kernel_pfkey.h \
 keys.c keys.h \
 lex.c lex.h \
 log.c log.h \
+myid.c myid.h \
 modecfg.c modecfg.h \
 nat_traversal.c nat_traversal.h \
 ocsp.c ocsp.h \
 packet.c packet.h \
-pem.c pem.h \
-pgpcert.c pgpcert.h \
 pkcs7.c pkcs7.h \
 plutomain.c \
 rcv_whack.c rcv_whack.h \
@@ -50,6 +48,7 @@ vendor.c vendor.h \
 virtual.c virtual.h \
 xauth.c xauth.h \
 x509.c x509.h \
+builder.c builder.h \
 rsaref/pkcs11t.h rsaref/pkcs11.h rsaref/unix.h rsaref/pkcs11f.h
 
 _pluto_adns_SOURCES = adns.c adns.h
@@ -58,26 +57,25 @@ LIBSTRONGSWANDIR=$(top_builddir)/src/libstrongswan
 LIBFREESWANDIR=$(top_builddir)/src/libfreeswan
 
 INCLUDES = \
--I${linuxdir} \
+-I${linux_headers} \
 -I$(top_srcdir)/src/libstrongswan \
 -I$(top_srcdir)/src/libfreeswan \
 -I$(top_srcdir)/src/whack
 
 AM_CFLAGS = \
 -DIPSEC_DIR=\"${ipsecdir}\" \
--DIPSEC_CONFDIR=\"${confdir}\" \
+-DIPSEC_CONFDIR=\"${sysconfdir}\" \
 -DIPSEC_PIDDIR=\"${piddir}\" \
--DSHARED_SECRETS_FILE=\"${confdir}/ipsec.secrets\" \
--DIPSEC_PLUGINDIR=\"${plugindir}\" \
+-DSHARED_SECRETS_FILE=\"${sysconfdir}/ipsec.secrets\" \
 -DPLUGINS=\""${pluto_plugins}\"" \
--DSTRONGSWAN_CONF=\"${strongswan_conf}\" \
+-DPKCS11_DEFAULT_LIB=\"${default_pkcs11}\" \
 -DKERNEL26_SUPPORT -DKERNEL26_HAS_KAME_DUPLICATES \
 -DPLUTO -DKLIPS -DDEBUG
 
 pluto_LDADD = \
 $(LIBSTRONGSWANDIR)/libstrongswan.la \
 $(LIBFREESWANDIR)/libfreeswan.a \
--lresolv -lpthread $(DLLIB)
+-lresolv $(PTHREADLIB) $(DLLIB)
 
 _pluto_adns_LDADD = \
 $(LIBFREESWANDIR)/libfreeswan.a \
diff --git a/src/pluto/Makefile.in b/src/pluto/Makefile.in
index 871f0c905..c93756c44 100644
--- a/src/pluto/Makefile.in
+++ b/src/pluto/Makefile.in
@@ -1,8 +1,9 @@
-# Makefile.in generated by automake 1.10.2 from Makefile.am.
+# Makefile.in generated by automake 1.11 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -20,8 +21,9 @@
 
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
@@ -58,14 +60,21 @@ subdir = src/pluto
 DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.am \
 	$(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
 CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
 am__installdirs = "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man5dir)" \
 	"$(DESTDIR)$(man8dir)"
-ipsecPROGRAMS_INSTALL = $(INSTALL_PROGRAM)
 PROGRAMS = $(ipsec_PROGRAMS)
 am__pluto_adns_OBJECTS = adns.$(OBJEXT)
 _pluto_adns_OBJECTS = $(am__pluto_adns_OBJECTS)
@@ -77,23 +86,24 @@ am_pluto_OBJECTS = ac.$(OBJEXT) alg_info.$(OBJEXT) ca.$(OBJEXT) \
 	cookie.$(OBJEXT) crl.$(OBJEXT) crypto.$(OBJEXT) \
 	db_ops.$(OBJEXT) defs.$(OBJEXT) demux.$(OBJEXT) \
 	dnskey.$(OBJEXT) fetch.$(OBJEXT) foodgroups.$(OBJEXT) \
-	id.$(OBJEXT) ike_alg.$(OBJEXT) ipsec_doi.$(OBJEXT) \
-	kernel.$(OBJEXT) kernel_alg.$(OBJEXT) kernel_netlink.$(OBJEXT) \
+	ike_alg.$(OBJEXT) ipsec_doi.$(OBJEXT) kernel.$(OBJEXT) \
+	kernel_alg.$(OBJEXT) kernel_netlink.$(OBJEXT) \
 	kernel_noklips.$(OBJEXT) kernel_pfkey.$(OBJEXT) keys.$(OBJEXT) \
-	lex.$(OBJEXT) log.$(OBJEXT) modecfg.$(OBJEXT) \
+	lex.$(OBJEXT) log.$(OBJEXT) myid.$(OBJEXT) modecfg.$(OBJEXT) \
 	nat_traversal.$(OBJEXT) ocsp.$(OBJEXT) packet.$(OBJEXT) \
-	pem.$(OBJEXT) pgpcert.$(OBJEXT) pkcs7.$(OBJEXT) \
-	plutomain.$(OBJEXT) rcv_whack.$(OBJEXT) server.$(OBJEXT) \
-	smartcard.$(OBJEXT) spdb.$(OBJEXT) state.$(OBJEXT) \
-	timer.$(OBJEXT) vendor.$(OBJEXT) virtual.$(OBJEXT) \
-	xauth.$(OBJEXT) x509.$(OBJEXT)
+	pkcs7.$(OBJEXT) plutomain.$(OBJEXT) rcv_whack.$(OBJEXT) \
+	server.$(OBJEXT) smartcard.$(OBJEXT) spdb.$(OBJEXT) \
+	state.$(OBJEXT) timer.$(OBJEXT) vendor.$(OBJEXT) \
+	virtual.$(OBJEXT) xauth.$(OBJEXT) x509.$(OBJEXT) \
+	builder.$(OBJEXT)
 pluto_OBJECTS = $(am_pluto_OBJECTS)
 pluto_DEPENDENCIES = $(LIBSTRONGSWANDIR)/libstrongswan.la \
 	$(LIBFREESWANDIR)/libfreeswan.a $(am__DEPENDENCIES_1) \
-	$(am__DEPENDENCIES_1)
+	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1)
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
+am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
@@ -105,6 +115,27 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(_pluto_adns_SOURCES) $(pluto_SOURCES)
 DIST_SOURCES = $(_pluto_adns_SOURCES) $(pluto_SOURCES)
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 man5dir = $(mandir)/man5
 man8dir = $(mandir)/man8
 NROFF = nroff
@@ -145,25 +176,22 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
-IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
-LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
-LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
-LINUX_HEADERS = @LINUX_HEADERS@
 LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
 NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
@@ -175,11 +203,14 @@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
 PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
+RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
@@ -208,9 +239,9 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
-confdir = @confdir@
 datadir = @datadir@
 datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
@@ -233,7 +264,7 @@ ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
 libstrongswan_plugins = @libstrongswan_plugins@
-linuxdir = @linuxdir@
+linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
@@ -241,6 +272,7 @@ mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
@@ -249,10 +281,12 @@ pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+random_device = @random_device@
 resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
-simreader = @simreader@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
@@ -260,6 +294,7 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 pluto_SOURCES = \
@@ -278,7 +313,6 @@ demux.c demux.h \
 dnskey.c dnskey.h \
 fetch.c fetch.h \
 foodgroups.c foodgroups.h \
-id.c id.h \
 ike_alg.c ike_alg.h \
 ipsec_doi.c ipsec_doi.h \
 kameipsec.h \
@@ -290,12 +324,11 @@ kernel_pfkey.c kernel_pfkey.h \
 keys.c keys.h \
 lex.c lex.h \
 log.c log.h \
+myid.c myid.h \
 modecfg.c modecfg.h \
 nat_traversal.c nat_traversal.h \
 ocsp.c ocsp.h \
 packet.c packet.h \
-pem.c pem.h \
-pgpcert.c pgpcert.h \
 pkcs7.c pkcs7.h \
 plutomain.c \
 rcv_whack.c rcv_whack.h \
@@ -308,29 +341,29 @@ vendor.c vendor.h \
 virtual.c virtual.h \
 xauth.c xauth.h \
 x509.c x509.h \
+builder.c builder.h \
 rsaref/pkcs11t.h rsaref/pkcs11.h rsaref/unix.h rsaref/pkcs11f.h
 
 _pluto_adns_SOURCES = adns.c adns.h
 LIBSTRONGSWANDIR = $(top_builddir)/src/libstrongswan
 LIBFREESWANDIR = $(top_builddir)/src/libfreeswan
 INCLUDES = \
--I${linuxdir} \
+-I${linux_headers} \
 -I$(top_srcdir)/src/libstrongswan \
 -I$(top_srcdir)/src/libfreeswan \
 -I$(top_srcdir)/src/whack
 
-AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" -DIPSEC_CONFDIR=\"${confdir}\" \
-	-DIPSEC_PIDDIR=\"${piddir}\" \
-	-DSHARED_SECRETS_FILE=\"${confdir}/ipsec.secrets\" \
-	-DIPSEC_PLUGINDIR=\"${plugindir}\" \
+AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" \
+	-DIPSEC_CONFDIR=\"${sysconfdir}\" -DIPSEC_PIDDIR=\"${piddir}\" \
+	-DSHARED_SECRETS_FILE=\"${sysconfdir}/ipsec.secrets\" \
 	-DPLUGINS=\""${pluto_plugins}\"" \
-	-DSTRONGSWAN_CONF=\"${strongswan_conf}\" -DKERNEL26_SUPPORT \
+	-DPKCS11_DEFAULT_LIB=\"${default_pkcs11}\" -DKERNEL26_SUPPORT \
 	-DKERNEL26_HAS_KAME_DUPLICATES -DPLUTO -DKLIPS -DDEBUG \
 	$(am__append_1) $(am__append_2) $(am__append_3) \
 	$(am__append_4) $(am__append_5) $(am__append_7)
 pluto_LDADD = $(LIBSTRONGSWANDIR)/libstrongswan.la \
-	$(LIBFREESWANDIR)/libfreeswan.a -lresolv -lpthread $(DLLIB) \
-	$(am__append_6)
+	$(LIBFREESWANDIR)/libfreeswan.a -lresolv $(PTHREADLIB) \
+	$(DLLIB) $(am__append_6)
 _pluto_adns_LDADD = \
 $(LIBFREESWANDIR)/libfreeswan.a \
 -lresolv $(DLLIB)
@@ -349,9 +382,9 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/pluto/Makefile'; \
-	cd $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu  src/pluto/Makefile
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/pluto/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/pluto/Makefile
 .PRECIOUS: Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
@@ -369,34 +402,50 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
 install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
 	@$(NORMAL_INSTALL)
 	test -z "$(ipsecdir)" || $(MKDIR_P) "$(DESTDIR)$(ipsecdir)"
-	@list='$(ipsec_PROGRAMS)'; for p in $$list; do \
-	  p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
-	  if test -f $$p \
-	     || test -f $$p1 \
-	  ; then \
-	    f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \
-	   echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(ipsecPROGRAMS_INSTALL) '$$p' '$(DESTDIR)$(ipsecdir)/$$f'"; \
-	   $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(ipsecPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(ipsecdir)/$$f" || exit 1; \
-	  else :; fi; \
-	done
+	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
+	for p in $$list; do echo "$$p $$p"; done | \
+	sed 's/$(EXEEXT)$$//' | \
+	while read p p1; do if test -f $$p || test -f $$p1; \
+	  then echo "$$p"; echo "$$p"; else :; fi; \
+	done | \
+	sed -e 'p;s,.*/,,;n;h' -e 's|.*|.|' \
+	    -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \
+	sed 'N;N;N;s,\n, ,g' | \
+	$(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \
+	  { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \
+	    if ($$2 == $$4) files[d] = files[d] " " $$1; \
+	    else { print "f", $$3 "/" $$4, $$1; } } \
+	  END { for (d in files) print "f", d, files[d] }' | \
+	while read type dir files; do \
+	    if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \
+	    test -z "$$files" || { \
+	    echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(ipsecdir)$$dir'"; \
+	    $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(ipsecdir)$$dir" || exit $$?; \
+	    } \
+	; done
 
 uninstall-ipsecPROGRAMS:
 	@$(NORMAL_UNINSTALL)
-	@list='$(ipsec_PROGRAMS)'; for p in $$list; do \
-	  f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \
-	  echo " rm -f '$(DESTDIR)$(ipsecdir)/$$f'"; \
-	  rm -f "$(DESTDIR)$(ipsecdir)/$$f"; \
-	done
+	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
+	files=`for p in $$list; do echo "$$p"; done | \
+	  sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \
+	      -e 's/$$/$(EXEEXT)/' `; \
+	test -n "$$list" || exit 0; \
+	echo " ( cd '$(DESTDIR)$(ipsecdir)' && rm -f" $$files ")"; \
+	cd "$(DESTDIR)$(ipsecdir)" && rm -f $$files
 
 clean-ipsecPROGRAMS:
-	@list='$(ipsec_PROGRAMS)'; for p in $$list; do \
-	  f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
-	  echo " rm -f $$p $$f"; \
-	  rm -f $$p $$f ; \
-	done
+	@list='$(ipsec_PROGRAMS)'; test -n "$$list" || exit 0; \
+	echo " rm -f" $$list; \
+	rm -f $$list || exit $$?; \
+	test -n "$(EXEEXT)" || exit 0; \
+	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
+	echo " rm -f" $$list; \
+	rm -f $$list
 _pluto_adns$(EXEEXT): $(_pluto_adns_OBJECTS) $(_pluto_adns_DEPENDENCIES) 
 	@rm -f _pluto_adns$(EXEEXT)
 	$(LINK) $(_pluto_adns_OBJECTS) $(_pluto_adns_LDADD) $(LIBS)
@@ -413,6 +462,7 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ac.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/adns.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/alg_info.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/builder.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ca.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/certs.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/connections.Po@am__quote@
@@ -426,7 +476,6 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/dnskey.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fetch.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/foodgroups.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/id.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_alg.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipsec_doi.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel.Po@am__quote@
@@ -438,11 +487,10 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/lex.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/log.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/modecfg.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/myid.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/nat_traversal.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ocsp.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/packet.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pem.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pgpcert.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs7.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/plutomain.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rcv_whack.Po@am__quote@
@@ -458,21 +506,21 @@ distclean-compile:
 
 .c.o:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c $<
 
 .c.obj:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
 @am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
@@ -482,96 +530,82 @@ mostlyclean-libtool:
 
 clean-libtool:
 	-rm -rf .libs _libs
-install-man5: $(man5_MANS) $(man_MANS)
+install-man5: $(dist_man_MANS)
 	@$(NORMAL_INSTALL)
 	test -z "$(man5dir)" || $(MKDIR_P) "$(DESTDIR)$(man5dir)"
-	@list='$(man5_MANS) $(dist_man5_MANS) $(nodist_man5_MANS)'; \
-	l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
-	for i in $$l2; do \
-	  case "$$i" in \
-	    *.5*) list="$$list $$i" ;; \
-	  esac; \
+	@list=''; test -n "$(man5dir)" || exit 0; \
+	{ for i in $$list; do echo "$$i"; done; \
+	l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \
+	  sed -n '/\.5[a-z]*$$/p'; \
+	} | while read p; do \
+	  if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
+	  echo "$$d$$p"; echo "$$p"; \
+	done | \
+	sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^5][0-9a-z]*$$,5,;x' \
+	      -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \
+	sed 'N;N;s,\n, ,g' | { \
+	list=; while read file base inst; do \
+	  if test "$$base" = "$$inst"; then list="$$list $$file"; else \
+	    echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man5dir)/$$inst'"; \
+	    $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man5dir)/$$inst" || exit $$?; \
+	  fi; \
 	done; \
-	for i in $$list; do \
-	  if test -f $$i; then file=$$i; \
-	  else file=$(srcdir)/$$i; fi; \
-	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
-	  case "$$ext" in \
-	    5*) ;; \
-	    *) ext='5' ;; \
-	  esac; \
-	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
-	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
-	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
-	  echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man5dir)/$$inst'"; \
-	  $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man5dir)/$$inst"; \
-	done
+	for i in $$list; do echo "$$i"; done | $(am__base_list) | \
+	while read files; do \
+	  test -z "$$files" || { \
+	    echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man5dir)'"; \
+	    $(INSTALL_DATA) $$files "$(DESTDIR)$(man5dir)" || exit $$?; }; \
+	done; }
+
 uninstall-man5:
 	@$(NORMAL_UNINSTALL)
-	@list='$(man5_MANS) $(dist_man5_MANS) $(nodist_man5_MANS)'; \
-	l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
-	for i in $$l2; do \
-	  case "$$i" in \
-	    *.5*) list="$$list $$i" ;; \
-	  esac; \
-	done; \
-	for i in $$list; do \
-	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
-	  case "$$ext" in \
-	    5*) ;; \
-	    *) ext='5' ;; \
-	  esac; \
-	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
-	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
-	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
-	  echo " rm -f '$(DESTDIR)$(man5dir)/$$inst'"; \
-	  rm -f "$(DESTDIR)$(man5dir)/$$inst"; \
-	done
-install-man8: $(man8_MANS) $(man_MANS)
+	@list=''; test -n "$(man5dir)" || exit 0; \
+	files=`{ for i in $$list; do echo "$$i"; done; \
+	l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \
+	  sed -n '/\.5[a-z]*$$/p'; \
+	} | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^5][0-9a-z]*$$,5,;x' \
+	      -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
+	test -z "$$files" || { \
+	  echo " ( cd '$(DESTDIR)$(man5dir)' && rm -f" $$files ")"; \
+	  cd "$(DESTDIR)$(man5dir)" && rm -f $$files; }
+install-man8: $(dist_man_MANS)
 	@$(NORMAL_INSTALL)
 	test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)"
-	@list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \
-	l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
-	for i in $$l2; do \
-	  case "$$i" in \
-	    *.8*) list="$$list $$i" ;; \
-	  esac; \
+	@list=''; test -n "$(man8dir)" || exit 0; \
+	{ for i in $$list; do echo "$$i"; done; \
+	l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \
+	  sed -n '/\.8[a-z]*$$/p'; \
+	} | while read p; do \
+	  if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
+	  echo "$$d$$p"; echo "$$p"; \
+	done | \
+	sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \
+	      -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \
+	sed 'N;N;s,\n, ,g' | { \
+	list=; while read file base inst; do \
+	  if test "$$base" = "$$inst"; then list="$$list $$file"; else \
+	    echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \
+	    $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst" || exit $$?; \
+	  fi; \
 	done; \
-	for i in $$list; do \
-	  if test -f $$i; then file=$$i; \
-	  else file=$(srcdir)/$$i; fi; \
-	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
-	  case "$$ext" in \
-	    8*) ;; \
-	    *) ext='8' ;; \
-	  esac; \
-	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
-	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
-	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
-	  echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \
-	  $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst"; \
-	done
+	for i in $$list; do echo "$$i"; done | $(am__base_list) | \
+	while read files; do \
+	  test -z "$$files" || { \
+	    echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man8dir)'"; \
+	    $(INSTALL_DATA) $$files "$(DESTDIR)$(man8dir)" || exit $$?; }; \
+	done; }
+
 uninstall-man8:
 	@$(NORMAL_UNINSTALL)
-	@list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \
-	l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
-	for i in $$l2; do \
-	  case "$$i" in \
-	    *.8*) list="$$list $$i" ;; \
-	  esac; \
-	done; \
-	for i in $$list; do \
-	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
-	  case "$$ext" in \
-	    8*) ;; \
-	    *) ext='8' ;; \
-	  esac; \
-	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
-	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
-	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
-	  echo " rm -f '$(DESTDIR)$(man8dir)/$$inst'"; \
-	  rm -f "$(DESTDIR)$(man8dir)/$$inst"; \
-	done
+	@list=''; test -n "$(man8dir)" || exit 0; \
+	files=`{ for i in $$list; do echo "$$i"; done; \
+	l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \
+	  sed -n '/\.8[a-z]*$$/p'; \
+	} | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \
+	      -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
+	test -z "$$files" || { \
+	  echo " ( cd '$(DESTDIR)$(man8dir)' && rm -f" $$files ")"; \
+	  cd "$(DESTDIR)$(man8dir)" && rm -f $$files; }
 
 ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
@@ -585,7 +619,7 @@ tags: TAGS
 
 TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
+	set x; \
 	here=`pwd`; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
@@ -593,34 +627,52 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
 	  test -n "$$unique" || unique=$$empty_fix; \
-	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	    $$tags $$unique; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
 	fi
 ctags: CTAGS
 CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	test -z "$(CTAGS_ARGS)$$unique" \
 	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$tags $$unique
+	     $$unique
 
 GTAGS:
 	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && cd $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) $$here
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
 
 distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
 
 distdir: $(DISTFILES)
+	@list='$(MANS)'; if test -n "$$list"; then \
+	  list=`for p in $$list; do \
+	    if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
+	    if test -f "$$d$$p"; then echo "$$d$$p"; else :; fi; done`; \
+	  if test -n "$$list" && \
+	    grep 'ab help2man is required to generate this page' $$list >/dev/null; then \
+	    echo "error: found man pages containing the \`missing help2man' replacement text:" >&2; \
+	    grep -l 'ab help2man is required to generate this page' $$list | sed 's/^/         /' >&2; \
+	    echo "       to fix them, install help2man, remove and regenerate the man pages;" >&2; \
+	    echo "       typically \`make maintainer-clean' will remove them" >&2; \
+	    exit 1; \
+	  else :; fi; \
+	else :; fi
 	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
 	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
 	list='$(DISTFILES)'; \
@@ -636,13 +688,17 @@ distdir: $(DISTFILES)
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
 	  if test -d $$d/$$file; then \
 	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
 	    fi; \
-	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
 	  else \
-	    test -f $(distdir)/$$file \
-	    || cp -p $$d/$$file $(distdir)/$$file \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
 	    || exit 1; \
 	  fi; \
 	done
@@ -673,6 +729,7 @@ clean-generic:
 
 distclean-generic:
 	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -694,6 +751,8 @@ dvi-am:
 
 html: html-am
 
+html-am:
+
 info: info-am
 
 info-am:
@@ -702,18 +761,28 @@ install-data-am: install-ipsecPROGRAMS install-man
 
 install-dvi: install-dvi-am
 
+install-dvi-am:
+
 install-exec-am:
 
 install-html: install-html-am
 
+install-html-am:
+
 install-info: install-info-am
 
+install-info-am:
+
 install-man: install-man5 install-man8
 
 install-pdf: install-pdf-am
 
+install-pdf-am:
+
 install-ps: install-ps-am
 
+install-ps-am:
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -756,6 +825,7 @@ uninstall-man: uninstall-man5 uninstall-man8
 	uninstall-ipsecPROGRAMS uninstall-man uninstall-man5 \
 	uninstall-man8
 
+
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/src/pluto/ac.c b/src/pluto/ac.c
index 3b5df9738..d8b16112f 100644
--- a/src/pluto/ac.c
+++ b/src/pluto/ac.c
@@ -1,6 +1,7 @@
 /* Support of X.509 attribute certificates
  * Copyright (C) 2002 Ueli Galizzi, Ariane Seiler
  * Copyright (C) 2003 Martin Berner, Lukas Suter
+ * Copyright (C) 2009 Andreas Steffen
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -13,971 +14,284 @@
  * for more details.
  */
 
-#include <stdlib.h>
-#include <stdio.h>
-#include <string.h>
-#include <unistd.h>
-#include <dirent.h>
+#include <sys/stat.h>
 #include <time.h>
-#include <sys/types.h>
 
-#include <freeswan.h>
-
-#include <utils.h>
-#include <asn1/asn1.h>
-#include <asn1/asn1_parser.h>
-#include <asn1/oid.h>
+#include <debug.h>
+#include <utils/enumerator.h>
+#include <utils/linked_list.h>
+#include <credentials/certificates/ac.h>
 
 #include "ac.h"
-#include "x509.h"
-#include "crl.h"
 #include "ca.h"
 #include "certs.h"
-#include "log.h"
-#include "whack.h"
 #include "fetch.h"
+#include "log.h"
 
 /**
  * Chained list of X.509 attribute certificates
  */
-static x509acert_t *x509acerts   = NULL;
-
-/**
- * Chained list of ietfAttributes
- */
-static ietfAttrList_t *ietfAttributes = NULL;
-
-/**
- * ASN.1 definition of ietfAttrSyntax
- */
-static const asn1Object_t ietfAttrSyntaxObjects[] =
-{
-	{ 0, "ietfAttrSyntax",                ASN1_SEQUENCE,        ASN1_NONE }, /*  0 */
-	{ 1,   "policyAuthority",             ASN1_CONTEXT_C_0,     ASN1_OPT |
-																ASN1_BODY }, /*  1 */
-	{ 1,   "end opt",                     ASN1_EOC,             ASN1_END  }, /*  2 */
-	{ 1,   "values",                      ASN1_SEQUENCE,        ASN1_LOOP }, /*  3 */
-	{ 2,     "octets",                    ASN1_OCTET_STRING,    ASN1_OPT |
-																ASN1_BODY }, /*  4 */
-	{ 2,     "end choice",                ASN1_EOC,             ASN1_END  }, /*  5 */
-	{ 2,     "oid",                       ASN1_OID,             ASN1_OPT |
-																ASN1_BODY }, /*  6 */
-	{ 2,     "end choice",                ASN1_EOC,             ASN1_END  }, /*  7 */
-	{ 2,     "string",                    ASN1_UTF8STRING,      ASN1_OPT |
-																ASN1_BODY }, /*  8 */
-	{ 2,     "end choice",                ASN1_EOC,             ASN1_END  }, /*  9 */
-	{ 1,   "end loop",                    ASN1_EOC,             ASN1_END  }, /* 10 */
-	{ 0, "exit",                          ASN1_EOC,             ASN1_EXIT }
-};
-
-#define IETF_ATTR_OCTETS         4
-#define IETF_ATTR_OID            6
-#define IETF_ATTR_STRING         8
-
-/**
- * ASN.1 definition of roleSyntax
- */
-static const asn1Object_t roleSyntaxObjects[] =
-{
-	{ 0, "roleSyntax",		ASN1_SEQUENCE,		ASN1_NONE }, /* 0 */
-	{ 1,   "roleAuthority",	ASN1_CONTEXT_C_0,	ASN1_OPT |
-												ASN1_OBJ  }, /* 1 */
-	{ 1,   "end opt",		ASN1_EOC,			ASN1_END  }, /* 2 */
-	{ 1,   "roleName",		ASN1_CONTEXT_C_1,	ASN1_OBJ  }, /* 3 */
-	{ 0, "exit",			ASN1_EOC,			ASN1_EXIT }
-};
-
-/**
- * ASN.1 definition of an X509 attribute certificate
- */
-static const asn1Object_t acObjects[] =
-{
-	{ 0, "AttributeCertificate",			ASN1_SEQUENCE,		  ASN1_OBJ  }, /*  0 */
-	{ 1,   "AttributeCertificateInfo",		ASN1_SEQUENCE,		  ASN1_OBJ  }, /*  1 */
-	{ 2,	   "version",					ASN1_INTEGER,		  ASN1_DEF |
-																  ASN1_BODY }, /*  2 */
-	{ 2,	   "holder",					ASN1_SEQUENCE,		  ASN1_NONE }, /*  3 */
-	{ 3,	     "baseCertificateID",		ASN1_CONTEXT_C_0,	  ASN1_OPT  }, /*  4 */
-	{ 4,	       "issuer",				ASN1_SEQUENCE,		  ASN1_OBJ  }, /*  5 */
-	{ 4,	       "serial",				ASN1_INTEGER,		  ASN1_BODY }, /*  6 */
-	{ 4,         "issuerUID",				ASN1_BIT_STRING,	  ASN1_OPT |
-																  ASN1_BODY }, /*  7 */
-	{ 4,         "end opt",					ASN1_EOC,			  ASN1_END  }, /*  8 */
-	{ 3,       "end opt",					ASN1_EOC,			  ASN1_END  }, /*  9 */
-	{ 3,	   "entityName",				ASN1_CONTEXT_C_1,	  ASN1_OPT |
-																  ASN1_OBJ  }, /* 10 */
-	{ 3,       "end opt",					ASN1_EOC,			  ASN1_END  }, /* 11 */
-	{ 3,	     "objectDigestInfo",		ASN1_CONTEXT_C_2,	  ASN1_OPT  }, /* 12 */
-	{ 4,	       "digestedObjectType",	ASN1_ENUMERATED,	  ASN1_BODY }, /* 13 */
-	{ 4,	       "otherObjectTypeID",		ASN1_OID,			  ASN1_OPT |
-																  ASN1_BODY }, /* 14 */
-	{ 4,         "end opt",					ASN1_EOC,			  ASN1_END  }, /* 15 */
-	{ 4,         "digestAlgorithm",			ASN1_EOC,			  ASN1_RAW  }, /* 16 */
-	{ 3,       "end opt",					ASN1_EOC,			  ASN1_END  }, /* 17 */
-	{ 2,	   "v2Form",					ASN1_CONTEXT_C_0,	  ASN1_NONE }, /* 18 */
-	{ 3,	     "issuerName",				ASN1_SEQUENCE,		  ASN1_OPT |
-																  ASN1_OBJ  }, /* 19 */
-	{ 3,       "end opt",					ASN1_EOC,			  ASN1_END  }, /* 20 */
-	{ 3,	     "baseCertificateID",		ASN1_CONTEXT_C_0,	  ASN1_OPT  }, /* 21 */
-	{ 4,	       "issuerSerial",			ASN1_SEQUENCE,		  ASN1_NONE }, /* 22 */
-	{ 5,	         "issuer",				ASN1_SEQUENCE,		  ASN1_OBJ  }, /* 23 */
-	{ 5,	  	 "serial",					ASN1_INTEGER,		  ASN1_BODY }, /* 24 */
-	{ 5,           "issuerUID",				ASN1_BIT_STRING,	  ASN1_OPT |
-																  ASN1_BODY }, /* 25 */
-	{ 5,           "end opt",				ASN1_EOC,			  ASN1_END  }, /* 26 */
-	{ 3,       "end opt",					ASN1_EOC,			  ASN1_END  }, /* 27 */
-	{ 3,       "objectDigestInfo",			ASN1_CONTEXT_C_1,	  ASN1_OPT  }, /* 28 */
-	{ 4,	       "digestInfo",			ASN1_SEQUENCE,		  ASN1_OBJ  }, /* 29 */
-	{ 5,  	 "digestedObjectType",			ASN1_ENUMERATED,	  ASN1_BODY }, /* 30 */
-	{ 5,	  	 "otherObjectTypeID",		ASN1_OID,			  ASN1_OPT |
-																  ASN1_BODY }, /* 31 */
-	{ 5,           "end opt",				ASN1_EOC,			  ASN1_END  }, /* 32 */
-	{ 5,           "digestAlgorithm",		ASN1_EOC,			  ASN1_RAW  }, /* 33 */
-	{ 3,       "end opt",					ASN1_EOC,			  ASN1_END  }, /* 34 */
-	{ 2,	   "signature",					ASN1_EOC,			  ASN1_RAW  }, /* 35 */
-	{ 2,	   "serialNumber",				ASN1_INTEGER,		  ASN1_BODY }, /* 36 */
-	{ 2,	   "attrCertValidityPeriod",	ASN1_SEQUENCE,		  ASN1_NONE }, /* 37 */
-	{ 3,	     "notBeforeTime",			ASN1_GENERALIZEDTIME, ASN1_BODY }, /* 38 */
-	{ 3,	     "notAfterTime",			ASN1_GENERALIZEDTIME, ASN1_BODY }, /* 39 */
-	{ 2,	   "attributes",				ASN1_SEQUENCE,		  ASN1_LOOP }, /* 40 */
-	{ 3,       "attribute",					ASN1_SEQUENCE,		  ASN1_NONE }, /* 41 */
-	{ 4,         "type",					ASN1_OID,			  ASN1_BODY }, /* 42 */
-	{ 4,         "values",					ASN1_SET, 			  ASN1_LOOP }, /* 43 */
-	{ 5,           "value",					ASN1_EOC, 			  ASN1_RAW  }, /* 44 */
-	{ 4, 	       "end loop",				ASN1_EOC,			  ASN1_END  }, /* 45 */
-	{ 2,     "end loop",					ASN1_EOC,			  ASN1_END  }, /* 46 */
-	{ 2,     "extensions",					ASN1_SEQUENCE,		  ASN1_LOOP }, /* 47 */
-	{ 3,       "extension",					ASN1_SEQUENCE,		  ASN1_NONE }, /* 48 */
-	{ 4,         "extnID",					ASN1_OID,			  ASN1_BODY }, /* 49 */
-	{ 4,         "critical",				ASN1_BOOLEAN,		  ASN1_DEF |
-																  ASN1_BODY }, /* 50 */
-	{ 4,         "extnValue",				ASN1_OCTET_STRING,	  ASN1_BODY }, /* 51 */
-	{ 2,     "end loop",					ASN1_EOC,			  ASN1_END  }, /* 52 */
-	{ 1,   "signatureAlgorithm",			ASN1_EOC,			  ASN1_RAW  }, /* 53 */
-	{ 1,   "signatureValue",				ASN1_BIT_STRING,	  ASN1_BODY }, /* 54 */
-	{ 0, "exit",							ASN1_EOC,			  ASN1_EXIT }
-};
-
-#define AC_OBJ_CERTIFICATE               0
-#define AC_OBJ_CERTIFICATE_INFO          1
-#define AC_OBJ_VERSION                   2
-#define AC_OBJ_HOLDER_ISSUER             5
-#define AC_OBJ_HOLDER_SERIAL             6
-#define AC_OBJ_ENTITY_NAME              10
-#define AC_OBJ_ISSUER_NAME              19
-#define AC_OBJ_ISSUER                   23
-#define AC_OBJ_SIG_ALG                  35
-#define AC_OBJ_SERIAL_NUMBER            36
-#define AC_OBJ_NOT_BEFORE               38
-#define AC_OBJ_NOT_AFTER                39
-#define AC_OBJ_ATTRIBUTE_TYPE           42
-#define AC_OBJ_ATTRIBUTE_VALUE          44
-#define AC_OBJ_EXTN_ID                  49
-#define AC_OBJ_CRITICAL                 50
-#define AC_OBJ_EXTN_VALUE               51
-#define AC_OBJ_ALGORITHM                53
-#define AC_OBJ_SIGNATURE                54
-
-const x509acert_t empty_ac = {
-	  NULL     , /* *next */
-			0  , /* installed */
-	{ NULL, 0 }, /* certificate */
-	{ NULL, 0 }, /*   certificateInfo */
-			1  , /*     version */
-				 /*     holder */
-				 /*       baseCertificateID */
-	{ NULL, 0 }, /*         holderIssuer */
-	{ NULL, 0 }, /*         holderSerial */
-				 /*       entityName */
-	{ NULL, 0 }, /*         generalNames */
-				 /*     v2Form */
-	{ NULL, 0 }, /*       issuerName */
-				 /*     signature */
-	OID_UNKNOWN, /*       sigAlg */
-	{ NULL, 0 }, /*     serialNumber */
-				 /*     attrCertValidityPeriod */
-			0  , /*       notBefore */
-			0  , /*       notAfter */
-				 /*     attributes */
-	  NULL     , /*       charging */
-	  NULL     , /*       groups */
-				 /*     extensions */
-	{ NULL, 0 }, /*       authKeyID */
-	{ NULL, 0 }, /*       authKeySerialNumber */
-	  FALSE    , /*       noRevAvail */
-				 /*   signatureAlgorithm */
-	OID_UNKNOWN, /*     algorithm */
-	{ NULL, 0 }, /*   signature */
-};
-
+static linked_list_t *acerts   = NULL;
 
 /**
- *  compare two ietfAttributes, returns zero if a equals b
- *  negative/positive if a is earlier/later in the alphabet than b
+ * Initialize the linked list of attribute certificates
  */
-static int cmp_ietfAttr(ietfAttr_t *a,ietfAttr_t *b)
+void ac_initialize(void)
 {
-	int cmp_len, len, cmp_value;
-
-	/* cannot compare OID with STRING or OCTETS attributes */
-	if (a->kind == IETF_ATTRIBUTE_OID && b->kind != IETF_ATTRIBUTE_OID)
-		return 1;
-		
-	cmp_len = a->value.len - b->value.len;
-	len = (cmp_len < 0)? a->value.len : b->value.len;
-	cmp_value = memcmp(a->value.ptr, b->value.ptr, len);
-
-	return (cmp_value == 0)? cmp_len : cmp_value;
+	acerts = linked_list_create();
 }
 
 /**
- *  add an ietfAttribute to the chained list
+ * Free the linked list of attribute certificates
  */
-static ietfAttr_t* add_ietfAttr(ietfAttr_t *attr)
+void ac_finalize(void)
 {
-	ietfAttrList_t **listp = &ietfAttributes;
-	ietfAttrList_t *list = *listp;
-	int cmp = -1;
-
-	while (list != NULL)
-	{
-		cmp = cmp_ietfAttr(attr, list->attr);
-		if (cmp <= 0)
-			break;
-		listp = &list->next;
-		list = *listp;
-	}
-
-	if (cmp == 0)
-	{
-		/* attribute already exists, increase count */
-		free(attr);
-		list->attr->count++;
-		return list->attr;
-	}
-	else
+	if (acerts)
 	{
-		ietfAttrList_t *el = malloc_thing(ietfAttrList_t);
-
-		/* new attribute, unshare value */
-		attr->value = chunk_clone(attr->value);
-		attr->count = 1;
-		time(&attr->installed);
-
-		el->attr = attr;
-		el->next = list;
-		*listp = el;
-
-		return attr;
+		acerts->destroy_offset(acerts, offsetof(certificate_t, destroy));
 	}
 }
 
 /**
- * decodes a comma separated list of group attributes
+ *  Get a X.509 attribute certificate for a given holder
  */
-void decode_groups(char *groups, ietfAttrList_t **listp)
+certificate_t* ac_get_cert(identification_t *issuer, chunk_t serial)
 {
-	if (groups == NULL)
-		return;
+	enumerator_t *enumerator;
+	certificate_t *cert, *found = NULL;
 
-	while (strlen(groups) > 0)
+	enumerator = acerts->create_enumerator(acerts);
+	while (enumerator->enumerate(enumerator, &cert))
 	{
-		char *end;
-		char *next = strchr(groups, ',');
-
-		if (next == NULL)
-		   end = next = groups + strlen(groups);
-		else
-		   end = next++;
-
-		/* eat preceeding whitespace */
-		while (groups < end && *groups == ' ')
-			groups++;
+		ac_t *ac = (ac_t*)cert;
 
-		/* eat trailing whitespace */
-		while (end > groups && *(end-1) == ' ')
-			end--;
-
-		if (groups < end)
+		if (issuer->equals(issuer, ac->get_holderIssuer(ac)) &&
+			  chunk_equals(serial, ac->get_holderSerial(ac)))
 		{
-			ietfAttr_t *attr   = malloc_thing(ietfAttr_t);
-			ietfAttrList_t *el = malloc_thing(ietfAttrList_t);
-
-			attr->kind  = IETF_ATTRIBUTE_STRING;
-			attr->value.ptr = groups;
-			attr->value.len = end - groups;
-			attr->count = 0;
-
-			el->attr = add_ietfAttr(attr);
-			el->next = *listp;
-			*listp = el;
+			found = cert;
+			break;
 		}
-
-		groups = next;
 	}
+	enumerator->destroy(enumerator);
+	return found;
 }
 
-static bool same_attribute(const ietfAttr_t *a, const ietfAttr_t *b)
+/**
+ * Verifies a X.509 attribute certificate
+ */
+bool ac_verify_cert(certificate_t *cert, bool strict)
 {
-	return (a->kind == b->kind && a->value.len == b->value.len
-		   && memeq(a->value.ptr, b->value.ptr, b->value.len));
-}
+	ac_t *ac = (ac_t*)cert;
+	identification_t *subject = cert->get_subject(cert);
+	identification_t *issuer  = cert->get_issuer(cert);
+	chunk_t authKeyID = ac->get_authKeyIdentifier(ac);
+	cert_t *aacert;
+	time_t notBefore, valid_until;
 
-bool group_membership(const ietfAttrList_t *peer_list
-			   , const char *conn
-			   , const ietfAttrList_t *conn_list)
-{
-	if (conn_list == NULL)
-		return TRUE;
+	DBG1("holder: '%Y'", subject);
+	DBG1("issuer: '%Y'", issuer);
 
-	while (peer_list != NULL)
+	if (!cert->get_validity(cert, NULL, NULL, &valid_until))
 	{
-		const ietfAttr_t *peer_attr = peer_list->attr;
-		const ietfAttrList_t *list = conn_list;
-
-		while (list != NULL)
-		{
-			ietfAttr_t *conn_attr = list->attr;
-
-			if (same_attribute(conn_attr, peer_attr))
-			{
-				DBG(DBG_CONTROL,
-					DBG_log("%s: peer matches group '%.*s'"
-						, conn
-						, (int)peer_attr->value.len, peer_attr->value.ptr)
-				)
-				return TRUE;
-			}
-			list = list->next;
-		}
-		peer_list = peer_list->next;
+		DBG1("attribute certificate is invalid (valid from %T to %T)",
+			 &notBefore, FALSE, &valid_until, FALSE);
+		return FALSE;
 	}
-		DBG(DBG_CONTROL,
-			DBG_log("%s: peer doesn't match any group", conn)
-		)
-	return FALSE;
-}
+	DBG1("attribute certificate is valid until %T", &valid_until, FALSE);
 
-void unshare_ietfAttrList(ietfAttrList_t **listp)
-{
-	ietfAttrList_t *list = *listp;
+	lock_authcert_list("verify_x509acert");
+	aacert = get_authcert(issuer, authKeyID, X509_AA);
+	unlock_authcert_list("verify_x509acert");
 
-	while (list != NULL)
+	if (aacert == NULL)
 	{
-		ietfAttrList_t *el = malloc_thing(ietfAttrList_t);
-
-		el->attr = list->attr;
-		el->attr->count++;
-		el->next = NULL;
-		*listp = el;
-		listp = &el->next;
-		list = list->next;
+		DBG1("issuer aacert not found");
+		return FALSE;
 	}
-}
-
-/**
- * Parses ietfAttrSyntax
- */
-static ietfAttrList_t* parse_ietfAttrSyntax(chunk_t blob, int level0)
-{
-	asn1_parser_t *parser;
-	chunk_t object;
-	int objectID;
+	DBG2("issuer aacert found");
 
-	ietfAttrList_t *list = NULL;
-
-	parser = asn1_parser_create(ietfAttrSyntaxObjects, blob);
-	parser->set_top_level(parser, level0);
-
-	while (parser->iterate(parser, &objectID, &object))
+	if (!cert->issued_by(cert, aacert->cert))
 	{
-		switch (objectID)
-		{
-		case IETF_ATTR_OCTETS:
-		case IETF_ATTR_OID:
-		case IETF_ATTR_STRING:
-			{
-				ietfAttr_t *attr   = malloc_thing(ietfAttr_t);
-				ietfAttrList_t *el = malloc_thing(ietfAttrList_t);
-
-				attr->kind  = (objectID - IETF_ATTR_OCTETS) / 2;
-				attr->value = object;
-				attr->count = 0;
-
-				el->attr = add_ietfAttr(attr);
-				el->next = list;
-				list = el;
-			}
-			break;
-		default:
-			break;
-		}
+		DBG1("attribute certificate signature is invalid");
+		return FALSE;
 	}
-	parser->destroy(parser);
-	return list;
-}
-
-/**
- * Parses roleSyntax
- */
-static void parse_roleSyntax(chunk_t blob, int level0)
-{
-	asn1_parser_t *parser;
-	chunk_t object;
-	int objectID;
+	DBG1("attribute certificate signature is valid");
 
-	parser = asn1_parser_create(roleSyntaxObjects, blob);
-	parser->set_top_level(parser, level0);
-
-	while (parser->iterate(parser, &objectID, &object))
-	{
-		switch (objectID)
-		{
-			default:
-				break;
-		}
-	}
-	parser->destroy(parser);
+	return verify_x509cert(aacert, strict, &valid_until);
 }
 
 /**
- *  Parses an X.509 attribute certificate
+ *  Add a X.509 attribute certificate to the chained list
  */
-bool parse_ac(chunk_t blob, x509acert_t *ac)
+static void ac_add_cert(certificate_t *cert)
 {
-	asn1_parser_t *parser;
-	chunk_t object;
-	int objectID;
-	int type = OID_UNKNOWN;
-	int extn_oid = OID_UNKNOWN;
-	bool success = FALSE;
-	bool critical;
+	ac_t *ac = (ac_t*)cert;
+	identification_t *hIssuer = ac->get_holderIssuer(ac);
+	chunk_t hSerial = ac->get_holderSerial(ac);
 
-	parser = asn1_parser_create(acObjects, blob);
+	enumerator_t *enumerator;
+	certificate_t *cert_old;
 
-	while (parser->iterate(parser, &objectID, &object))
+	enumerator = acerts->create_enumerator(acerts);
+	while (enumerator->enumerate(enumerator, &cert_old))
 	{
-		u_int level = parser->get_level(parser)+1;
+		ac_t *ac_old = (ac_t*)cert_old;
 
-		switch (objectID)
+		if (hIssuer->equals(hIssuer, ac_old->get_holderIssuer(ac_old)) &&
+			   chunk_equals(hSerial, ac_old->get_holderSerial(ac_old)))
 		{
-		case AC_OBJ_CERTIFICATE:
-			ac->certificate = object;
-			break;
-		case AC_OBJ_CERTIFICATE_INFO:
-			ac->certificateInfo = object;
-			break;
-		case AC_OBJ_VERSION:
-			ac->version = (object.len) ? (1 + (u_int)*object.ptr) : 1;
-			DBG(DBG_PARSING,
-				DBG_log("  v%d", ac->version);
-			)
-			if (ac->version != 2)
+			if (cert->is_newer(cert, cert_old))
 			{
-				plog("v%d attribute certificates are not supported"
-					, ac->version);
-				goto end;
+				acerts->remove_at(acerts, enumerator);
+				cert_old->destroy(cert_old);
 			}
-			break;
-		case AC_OBJ_HOLDER_ISSUER:
-			ac->holderIssuer = get_directoryName(object, level, FALSE);
-			break;
-		case AC_OBJ_HOLDER_SERIAL:
-			ac->holderSerial = object;
-			break;
-		case AC_OBJ_ENTITY_NAME:
-			ac->entityName = get_directoryName(object, level, TRUE);
-			break;
-		case AC_OBJ_ISSUER_NAME:
-			ac->issuerName = get_directoryName(object, level, FALSE);
-			break;
-		case AC_OBJ_SIG_ALG:
-			ac->sigAlg = asn1_parse_algorithmIdentifier(object, level, NULL);
-			break;
-		case AC_OBJ_SERIAL_NUMBER:
-			ac->serialNumber = object;
-			break;
-		case AC_OBJ_NOT_BEFORE:
-			ac->notBefore = asn1_to_time(&object, ASN1_GENERALIZEDTIME);
-			break;
-		case AC_OBJ_NOT_AFTER:
-			ac->notAfter = asn1_to_time(&object, ASN1_GENERALIZEDTIME);
-			break;
-		case AC_OBJ_ATTRIBUTE_TYPE:
-			type = asn1_known_oid(object);
-			break;
-		case AC_OBJ_ATTRIBUTE_VALUE:
+			else
 			{
-				switch (type) {
-				case OID_AUTHENTICATION_INFO:
-					DBG(DBG_PARSING,
-						DBG_log("  need to parse authenticationInfo")
-					)
-					break;
-				case OID_ACCESS_IDENTITY:
-					DBG(DBG_PARSING,
-						DBG_log("  need to parse accessIdentity")
-					)
-					break;
-				case OID_CHARGING_IDENTITY:
-					ac->charging = parse_ietfAttrSyntax(object, level);
-					break;
-				case OID_GROUP:
-					ac->groups = parse_ietfAttrSyntax(object, level);
-					break;
-				case OID_ROLE:
-					parse_roleSyntax(object, level);
-					break;
-				default:
-					break;
-				}
+				cert->destroy(cert);
+				cert = NULL;
 			}
 			break;
-		case AC_OBJ_EXTN_ID:
-			extn_oid = asn1_known_oid(object);
-			break;
-		case AC_OBJ_CRITICAL:
-			critical = object.len && *object.ptr;
-			DBG(DBG_PARSING,
-				DBG_log("  %s",(critical)?"TRUE":"FALSE");
-			)
-			break;
-		case AC_OBJ_EXTN_VALUE:
-			{
-				switch (extn_oid) {
-				case OID_CRL_DISTRIBUTION_POINTS:
-					DBG(DBG_PARSING,
-						DBG_log("  need to parse crlDistributionPoints")
-					)
-					break;
-				case OID_AUTHORITY_KEY_ID:
-					parse_authorityKeyIdentifier(object, level
-						, &ac->authKeyID, &ac->authKeySerialNumber);
-					break;
-				case OID_TARGET_INFORMATION:
-					DBG(DBG_PARSING,
-						DBG_log("  need to parse targetInformation")
-					)
-					break;
-				case OID_NO_REV_AVAIL:
-					ac->noRevAvail = TRUE;
-					break;
-				default:
-					break;
-				}
-			}
-			break;
-		case AC_OBJ_ALGORITHM:
-			ac->algorithm = asn1_parse_algorithmIdentifier(object, level, NULL);
-			break;
-		case AC_OBJ_SIGNATURE:
-			ac->signature = object;
-			break;
-
-		default:
-			break;
 		}
 	}
-	success = parser->success(parser);
-	time(&ac->installed);
-
-end:
-	parser->destroy(parser);
-	return success;
-}
+	enumerator->destroy(enumerator);
 
-/**
- *  Release an ietfAttribute, free it if count reaches zero
- */
-static void release_ietfAttr(ietfAttr_t* attr)
-{
-	if (--attr->count == 0)
+	if (cert)
 	{
-		ietfAttrList_t **plist = &ietfAttributes;
-		ietfAttrList_t *list = *plist;
-
-		while (list->attr != attr)
-		{
-			plist = &list->next;
-			list = *plist;
-		}
-		*plist = list->next;
-		
-		free(attr->value.ptr);
-		free(attr);
-		free(list);
+		acerts->insert_last(acerts, cert);
 	}
 }
 
 /**
- *  Free an ietfAttrList
+ * Check if at least one peer attribute matches a connection attribute
  */
-void free_ietfAttrList(ietfAttrList_t* list)
+bool match_group_membership(ietf_attributes_t *peer_attributes, char *conn,
+							ietf_attributes_t *conn_attributes)
 {
-	while (list != NULL)
-	{
-		ietfAttrList_t *el = list;
-
-		release_ietfAttr(el->attr);
-		list = list->next;
-		free(el);
-	}
-}
+	bool match;
 
-/**
- *  Free a X.509 attribute certificate
- */
-void free_acert(x509acert_t *ac)
-{
-	if (ac != NULL)
+	if (conn_attributes == NULL)
 	{
-		free_ietfAttrList(ac->charging);
-		free_ietfAttrList(ac->groups);
-		free(ac->certificate.ptr);
-		free(ac);
-	}
-}
-
-/**
- *  Free first X.509 attribute certificate in the chained list
- */
-static void free_first_acert(void)
-{
-	x509acert_t *first = x509acerts;
-	x509acerts = first->next;
-	free_acert(first);
-}
-
-/**
- * Free all attribute certificates in the chained list
- */
-void free_acerts(void)
-{ 
-	while (x509acerts != NULL)
-		free_first_acert();
-}
-
-/**
- *  Get a X.509 attribute certificate for a given holder
- */
-x509acert_t* get_x509acert(chunk_t issuer, chunk_t serial)
-{
-	x509acert_t *ac = x509acerts;
-	x509acert_t *prev_ac = NULL;
-
-	while (ac != NULL)
-	{
-		if (same_dn(issuer, ac->holderIssuer)
-		&&  same_serial(serial, ac->holderSerial))
-		{
-			if (ac!= x509acerts)
-			{
-				/* bring the certificate up front */
-				prev_ac->next = ac->next;
-				ac->next = x509acerts;
-				x509acerts = ac;
-			}
-			return ac;
-		}
-		prev_ac = ac;
-		ac = ac->next;
-	}
-	return NULL;
-}
-
-/**
- *  Add a X.509 attribute certificate to the chained list
- */
-static void add_acert(x509acert_t *ac)
-{
-	x509acert_t *old_ac = get_x509acert(ac->holderIssuer, ac->holderSerial);
-
-	if (old_ac != NULL)
-	{
-		if (ac->notBefore >old_ac->notBefore)
-		{
-			/* delete the old attribute cert */
-			free_first_acert();
-			DBG(DBG_CONTROL,
-				DBG_log("attribute cert is newer - existing cert deleted")
-			)
-		}
-		else
-		{
-			DBG(DBG_CONTROL,
-				DBG_log("attribute cert is not newer - existing cert kept");
-			)
-			free_acert(ac);
-			return;
-		}
+		return TRUE;
 	}
-	plog("attribute cert added");
 
-	/* insert new attribute cert at the root of the chain */
-	ac->next = x509acerts;
-	x509acerts = ac;
-}
+	match = conn_attributes->matches(conn_attributes, peer_attributes);
+	DBG1("%s: peer with attributes '%s' is %sa member of the groups '%s'",
+		 conn, peer_attributes->get_string(peer_attributes),
+		 match ? "" : "not ", conn_attributes->get_string(conn_attributes));
 
-/**
- * Verify the validity of an attribute certificate by
- * checking the notBefore and notAfter dates
- */
-static err_t check_ac_validity(const x509acert_t *ac)
-{
-	time_t current_time;
-
-	time(&current_time);
-	DBG(DBG_CONTROL | DBG_PARSING,
-		DBG_log("  not before  : %T", &ac->notBefore, TRUE);
-		DBG_log("  current time: %T", &current_time, TRUE);
-		DBG_log("  not after   : %T", &ac->notAfter, TRUE);
-	)
-
-	if (current_time < ac->notBefore)
-		return "attribute certificate is not valid yet";
-	if (current_time > ac->notAfter)
-		return "attribute certificate has expired";
-	else
-		return NULL;
+	return match;
 }
 
 /**
- * verifies a X.509 attribute certificate
+ * Loads X.509 attribute certificates
  */
-bool verify_x509acert(x509acert_t *ac, bool strict)
+void ac_load_certs(void)
 {
-	u_char buf[BUF_LEN];
-	x509cert_t *aacert;
-	err_t ugh = NULL;
-	time_t valid_until = ac->notAfter;
-
-	DBG(DBG_CONTROL,
-		dntoa(buf, BUF_LEN, ac->entityName);
-		DBG_log("holder: '%s'",buf);
-		dntoa(buf, BUF_LEN, ac->issuerName);
-		DBG_log("issuer: '%s'",buf);
-	)
-	
-	ugh = check_ac_validity(ac);
-
-	if (ugh != NULL)
-	{
-		plog("%s", ugh);
-		return FALSE;
-	}
-	DBG(DBG_CONTROL,
-		DBG_log("attribute certificate is valid")
-	)
+	enumerator_t *enumerator;
+	struct stat st;
+	char *file;
 
-	lock_authcert_list("verify_x509acert");
-	aacert = get_authcert(ac->issuerName, ac->authKeySerialNumber
-		, ac->authKeyID, AUTH_AA);
-	unlock_authcert_list("verify_x509acert");
-
-	if (aacert == NULL)
-	{
-		plog("issuer aacert not found");
-		return FALSE;
-	}
-	DBG(DBG_CONTROL,
-		DBG_log("issuer aacert found")
-	)
+	DBG1("loading attribute certificates from '%s'", A_CERT_PATH);
 
-	if (!x509_check_signature(ac->certificateInfo, ac->signature, ac->algorithm,
-							  aacert))
+	enumerator = enumerator_create_directory(A_CERT_PATH);
+	if (!enumerator)
 	{
-		plog("attribute certificate signature is invalid");
-		return FALSE;
+		return;
 	}
-	DBG(DBG_CONTROL,
-		DBG_log("attribute certificate signature is valid");
-	)
-
-	return verify_x509cert(aacert, strict, &valid_until);
-}
-
-/**
- * Loads X.509 attribute certificates
- */
-void load_acerts(void)
-{
-	u_char buf[BUF_LEN];
-
-	/* change directory to specified path */
-	u_char *save_dir = getcwd(buf, BUF_LEN);
 
-	if (!chdir(A_CERT_PATH))
+	while (enumerator->enumerate(enumerator, NULL, &file, &st))
 	{
-		struct dirent **filelist;
-		int n;
+		certificate_t *cert;
 
-		plog("Changing to directory '%s'",A_CERT_PATH);
-		n = scandir(A_CERT_PATH, &filelist, file_select, alphasort);
-
-		if (n > 0)
+		if (!S_ISREG(st.st_mode))
 		{
-			while (n--)
-			{
-				chunk_t blob = chunk_empty;
-				bool pgp = FALSE;
-
-				if (load_coded_file(filelist[n]->d_name, NULL, "acert", &blob, &pgp))
-				{
-					x509acert_t *ac = malloc_thing(x509acert_t);
-					
-					*ac = empty_ac;
-
-					if (parse_ac(blob, ac)
-					&& verify_x509acert(ac, FALSE))
-						add_acert(ac);
-					else
-						free_acert(ac);
-				}
-				free(filelist[n]);
-			}
-			free(filelist);
+			/* skip special file */
+			continue;
 		}
-	}
-	/* restore directory path */
-	ignore_result(chdir(save_dir));
-}
-
-/**
- * lists group attributes separated by commas on a single line
- */
-void format_groups(const ietfAttrList_t *list, char *buf, int len)
-{
-	bool first_group = TRUE;
-
-	while (list != NULL && len > 0)
-	{
-		ietfAttr_t *attr = list->attr;
-
-		if (attr->kind == IETF_ATTRIBUTE_OCTETS
-		||  attr->kind == IETF_ATTRIBUTE_STRING)
+		cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509_AC,
+								  BUILD_FROM_FILE, file, BUILD_END);
+		if (cert)
 		{
-			int written = snprintf(buf, len, "%s%.*s"
-							, (first_group)? "" : ", "
-							, (int)attr->value.len, attr->value.ptr);
-
-			first_group = FALSE;
-			
-			/* return value of snprintf() up to glibc 2.0.6 */
-			if (written < 0)
-				break;
-
-			buf += written;
-			len -= written;
+			DBG1("  loaded attribute certificate from '%s'", file);
+			ac_add_cert(cert);
 		}
-		list = list->next;
 	}
+	enumerator->destroy(enumerator);
 }
 
 /**
- *  list all X.509 attribute certificates in the chained list
+ *  List all X.509 attribute certificates in the chained list
  */
-void list_acerts(bool utc)
+void ac_list_certs(bool utc)
 {
-	x509acert_t *ac = x509acerts;
+	enumerator_t *enumerator;
+	certificate_t *cert;
 	time_t now;
 
 	/* determine the current time */
 	time(&now);
 
-	if (ac != NULL)
+	if (acerts->get_count(acerts) > 0)
 	{
 		whack_log(RC_COMMENT, " ");
 		whack_log(RC_COMMENT, "List of X.509 Attribute Certificates:");
-		whack_log(RC_COMMENT, " ");
 	}
 
-	while (ac != NULL)
+	enumerator = acerts->create_enumerator(acerts);
+	while (enumerator->enumerate(enumerator, &cert))
 	{
-		u_char buf[BUF_LEN];
+		ac_t *ac = (ac_t*)cert;
+		identification_t *entityName, *holderIssuer, *issuer;
+		chunk_t holderSerial, serial, authKeyID;
+		time_t notBefore, notAfter;
+		ietf_attributes_t *groups;
 
-		whack_log(RC_COMMENT, "%T", &ac->installed, utc);
-		if (ac->entityName.ptr != NULL)
-		{
-			dntoa(buf, BUF_LEN, ac->entityName);
-			whack_log(RC_COMMENT, "       holder:   '%s'", buf);
-		}
-		if (ac->holderIssuer.ptr != NULL)
-		{
-			dntoa(buf, BUF_LEN, ac->holderIssuer);
-			whack_log(RC_COMMENT, "       hissuer:  '%s'", buf);
-		}
-		if (ac->holderSerial.ptr != NULL)
+		whack_log(RC_COMMENT, " ");
+
+		entityName = cert->get_subject(cert);
+		if (entityName)
 		{
-			datatot(ac->holderSerial.ptr, ac->holderSerial.len, ':'
-				, buf, BUF_LEN);
-			whack_log(RC_COMMENT, "       hserial:   %s", buf);
+			whack_log(RC_COMMENT, "  holder:   \"%Y\"", entityName);
 		}
-		if (ac->groups != NULL)
+
+		holderIssuer = ac->get_holderIssuer(ac);
+		if (holderIssuer)
 		{
-			format_groups(ac->groups, buf, BUF_LEN);
-			whack_log(RC_COMMENT, "       groups:    %s", buf);
+			whack_log(RC_COMMENT, "  hissuer:  \"%Y\"", holderIssuer);
 		}
-		dntoa(buf, BUF_LEN, ac->issuerName);
-		whack_log(RC_COMMENT, "       issuer:   '%s'", buf);
-		datatot(ac->serialNumber.ptr, ac->serialNumber.len, ':'
-			, buf, BUF_LEN);
-		whack_log(RC_COMMENT, "       serial:    %s", buf);
-		whack_log(RC_COMMENT, "       validity:  not before %T %s",
-				&ac->notBefore, utc,
-				(ac->notBefore < now)?"ok":"fatal (not valid yet)");
-		whack_log(RC_COMMENT, "                  not after  %T %s",
-				&ac->notAfter, utc,
-				check_expiry(ac->notAfter, ACERT_WARNING_INTERVAL, TRUE));
-		if (ac->authKeyID.ptr != NULL)
+
+		holderSerial = ac->get_holderSerial(ac);
+		if (holderSerial.ptr)
 		{
-			datatot(ac->authKeyID.ptr, ac->authKeyID.len, ':'
-				, buf, BUF_LEN);
-			whack_log(RC_COMMENT, "       authkey:   %s", buf);
+			whack_log(RC_COMMENT, "  hserial:   %#B", &holderSerial);
 		}
-		if (ac->authKeySerialNumber.ptr != NULL)
+
+		groups = ac->get_groups(ac);		
+		if (groups)
 		{
-			datatot(ac->authKeySerialNumber.ptr, ac->authKeySerialNumber.len, ':'
-				, buf, BUF_LEN);
-			whack_log(RC_COMMENT, "       aserial:   %s", buf);
+			whack_log(RC_COMMENT, "  groups:    %s", groups->get_string(groups));
+			groups->destroy(groups);
 		}
 
-		ac = ac->next;
-	}
-}
+		issuer = cert->get_issuer(cert);
+		whack_log(RC_COMMENT, "  issuer:   \"%Y\"", issuer);
 
-/**
- *  list all group attributes in alphabetical order
- */
-void list_groups(bool utc)
-{
-	ietfAttrList_t *list = ietfAttributes;
-	
-	if (list != NULL)
-	{
-		whack_log(RC_COMMENT, " ");
-		whack_log(RC_COMMENT, "List of Group Attributes:");
-		whack_log(RC_COMMENT, " ");
-	}
+		serial = ac->get_serial(ac);
+		whack_log(RC_COMMENT, "  serial:    %#B", &serial);
 
-	while (list != NULL)
-	{
-		ietfAttr_t *attr = list->attr;
+		cert->get_validity(cert, &now, &notBefore, &notAfter);
+		whack_log(RC_COMMENT, "  validity:  not before %T %s",
+				&notBefore, utc,
+				(notBefore < now)?"ok":"fatal (not valid yet)");
+		whack_log(RC_COMMENT, "             not after  %T %s", &notAfter, utc,
+				check_expiry(notAfter, ACERT_WARNING_INTERVAL, TRUE));
 
-		whack_log(RC_COMMENT, "%T, count: %d", &attr->installed, utc, attr->count);
-		
-		switch (attr->kind)
+		authKeyID = ac->get_authKeyIdentifier(ac);
+		if (authKeyID.ptr)
 		{
-		case IETF_ATTRIBUTE_OCTETS:
-		case IETF_ATTRIBUTE_STRING:
-			whack_log(RC_COMMENT, "       %.*s", (int)attr->value.len, attr->value.ptr);
-			break;
-		case IETF_ATTRIBUTE_OID:
-			whack_log(RC_COMMENT, "       OID");
-			break;
-		default:
-			break;
+			whack_log(RC_COMMENT, "  authkey:   %#B", &authKeyID);
 		}
-
-		list = list->next;
 	}
+	enumerator->destroy(enumerator);
 }
+
diff --git a/src/pluto/ac.h b/src/pluto/ac.h
index bee016143..d4e0c1590 100644
--- a/src/pluto/ac.h
+++ b/src/pluto/ac.h
@@ -1,7 +1,7 @@
 /* Support of X.509 attribute certificates
  * Copyright (C) 2002 Ueli Galizzi, Ariane Seiler
  * Copyright (C) 2003 Martin Berner, Lukas Suter
-
+ * Copyright (C) 2009 Andreas Steffen
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -17,85 +17,23 @@
 #ifndef _AC_H
 #define _AC_H
 
-/* definition of ietfAttribute kinds */
-
-typedef enum {
-	IETF_ATTRIBUTE_OCTETS =     0,
-	IETF_ATTRIBUTE_OID =        1,
-	IETF_ATTRIBUTE_STRING =     2
-} ietfAttribute_t;
-
-/* access structure for an ietfAttribute */
-
-typedef struct ietfAttr ietfAttr_t;
-
-struct ietfAttr {
-  time_t           installed;
-  int              count;
-  ietfAttribute_t  kind;
-  chunk_t          value;
-};
-
-typedef struct ietfAttrList ietfAttrList_t;
-
-struct ietfAttrList {
-  ietfAttrList_t   *next;
-  ietfAttr_t       *attr;
-};
-
+#include <utils/identification.h>
+#include <credentials/certificates/certificate.h>
+#include <credentials/ietf_attributes/ietf_attributes.h>
 
 /* access structure for an X.509 attribute certificate */
 
-typedef struct x509acert x509acert_t;
-
-struct x509acert {
-  x509acert_t    *next;
-  time_t         installed;
-  chunk_t        certificate;
-  chunk_t          certificateInfo;
-  u_int              version;
-				/*   holder */
-				/*     baseCertificateID */
-  chunk_t                holderIssuer;
-  chunk_t                holderSerial;
-  chunk_t                entityName;
-				/*   v2Form */
-  chunk_t              issuerName;
-				/*   signature */
-  int                  sigAlg;
-  chunk_t            serialNumber;
-				/*   attrCertValidityPeriod */
-  time_t               notBefore;
-  time_t               notAfter;
-				/*   attributes */
-  ietfAttrList_t       *charging;
-  ietfAttrList_t       *groups;
-				/*   extensions */
-  chunk_t              authKeyID;
-  chunk_t              authKeySerialNumber;
-  bool                 noRevAvail;
-				/* signatureAlgorithm */
-  int                algorithm;
-  chunk_t          signature;
-};
+extern void ac_initialize(void);
+extern void ac_finalize(void);
+extern void ac_load_certs(void);
+extern void ac_list_certs(bool utc);
 
-/* used for initialization */
-extern const x509acert_t empty_ac;
+extern certificate_t* ac_get_cert(identification_t *issuer, chunk_t serial);
 
-extern void unshare_ietfAttrList(ietfAttrList_t **listp);
-extern void free_ietfAttrList(ietfAttrList_t *list);
-extern void decode_groups(char *groups, ietfAttrList_t **listp);
-extern bool group_membership(const ietfAttrList_t *my_list
-	, const char *conn, const ietfAttrList_t *conn_list);
-extern bool parse_ac(chunk_t blob, x509acert_t *ac);
-extern bool verify_x509acert(x509acert_t *ac, bool strict);
-extern x509acert_t* get_x509acert(chunk_t issuer, chunk_t serial);
-extern void load_acerts(void);
-extern void free_acert(x509acert_t *ac);
-extern void free_acerts(void);
-extern void list_acerts(bool utc);
-extern void list_groups(bool utc);
-extern void format_groups(const ietfAttrList_t *list, char *buf, int len);
+extern bool ac_verify_cert(certificate_t *ac, bool strict);
 
+extern bool match_group_membership(ietf_attributes_t *peer_attributes,
+								   char *conn,
+								   ietf_attributes_t *conn_attributes);
 
-#endif /* _AH_H */
+#endif /* _AC_H */
diff --git a/src/pluto/alg_info.c b/src/pluto/alg_info.c
index c25418fc1..edecf14c6 100644
--- a/src/pluto/alg_info.c
+++ b/src/pluto/alg_info.c
@@ -51,19 +51,13 @@ int alg_info_esp_aa2sadb(int auth)
 {
 	int sadb_aalg = 0;
 
-	switch(auth) {
+	switch(auth)
+	{
 		case AUTH_ALGORITHM_HMAC_MD5:
 		case AUTH_ALGORITHM_HMAC_SHA1:
 			sadb_aalg = auth + 1;
 			break;
-		case AUTH_ALGORITHM_HMAC_SHA2_256:
-		case AUTH_ALGORITHM_HMAC_SHA2_384:
-		case AUTH_ALGORITHM_HMAC_SHA2_512:
-		case AUTH_ALGORITHM_HMAC_RIPEMD:
-			sadb_aalg = auth;
-			break;
 		default:
-			/* loose ... */
 			sadb_aalg = auth;
 	}
 	return sadb_aalg;
@@ -73,20 +67,13 @@ int alg_info_esp_sadb2aa(int sadb_aalg)
 {
 	int auth = 0;
 
-	switch(sadb_aalg) {
+	switch(sadb_aalg)
+	{
 		case SADB_AALG_MD5HMAC:
 		case SADB_AALG_SHA1HMAC:
 			auth = sadb_aalg - 1;
 			break;
-		/* since they are the same ...  :)  */
-		case AUTH_ALGORITHM_HMAC_SHA2_256:
-		case AUTH_ALGORITHM_HMAC_SHA2_384:
-		case AUTH_ALGORITHM_HMAC_SHA2_512:
-		case AUTH_ALGORITHM_HMAC_RIPEMD:
-			auth = sadb_aalg;
-			break;
 		default:
-			/* loose ... */
 			auth = sadb_aalg;
 	}
 	return auth;
@@ -133,7 +120,7 @@ static void __alg_info_esp_add(struct alg_info_esp *alg_info, int ealg_id,
 
 	DBG(DBG_CRYPT,
 		DBG_log("esp alg added: %s_%d/%s, cnt=%d",
-				enum_show(&esp_transformid_names, ealg_id), ek_bits,
+				enum_show(&esp_transform_names, ealg_id), ek_bits,
 				enum_show(&auth_alg_names, aalg_id),
 				alg_info->alg_info_cnt)
 	)
@@ -238,12 +225,12 @@ static void __alg_info_ike_add (struct alg_info_ike *alg_info, int ealg_id,
  * merging alg_info (ike_info) contents
  */
 
-static int default_ike_groups[] = { 
+static int default_ike_groups[] = {
 	MODP_1536_BIT,
 	MODP_1024_BIT
 };
 
-/*      
+/*
  *      Add IKE alg info _with_ logic (policy):
  */
 static void alg_info_ike_add (struct alg_info *alg_info, int ealg_id,
@@ -258,7 +245,7 @@ static void alg_info_ike_add (struct alg_info *alg_info, int ealg_id,
 		n_groups=0;
 		goto in_loop;
 	}
-		
+
 	for (; n_groups--; i++)
 	{
 		modp_id = default_ike_groups[i];
@@ -372,7 +359,7 @@ static status_t alg_info_parse_str(struct alg_info *alg_info, char *alg_str)
 
 		eat_whitespace(&string);
 
-		if (string.len > 0) 
+		if (string.len > 0)
 		{
 			chunk_t alg;
 
@@ -397,7 +384,7 @@ static status_t alg_info_parse_str(struct alg_info *alg_info, char *alg_str)
 			{
 				case PROTO_IPSEC_ESP:
 					alg_info_esp_add(alg_info, ealg, ealg_keysize,
-								 			   aalg, aalg_keysize);
+											   aalg, aalg_keysize);
 					break;
 				case PROTO_ISAKMP:
 					alg_info_ike_add(alg_info, ealg, ealg_keysize,
@@ -461,12 +448,16 @@ struct alg_info_esp *alg_info_esp_create_from_str(char *alg_str)
 	status = alg_info_parse_str((struct alg_info *)alg_info_esp, alg_str);
 
 out:
-	if (status != SUCCESS)
+	if (status == SUCCESS)
+	{
+		alg_info_esp->ref_cnt = 1;
+		return alg_info_esp;
+	}
+	else
 	{
 		free(alg_info_esp);
-		alg_info_esp = NULL;
+		return NULL;
 	}
-	return alg_info_esp;
 }
 
 struct alg_info_ike *alg_info_ike_create_from_str(char *alg_str)
@@ -481,12 +472,16 @@ struct alg_info_ike *alg_info_ike_create_from_str(char *alg_str)
 	zero(alg_info_ike);
 	alg_info_ike->alg_info_protoid = PROTO_ISAKMP;
 
-	if (alg_info_parse_str((struct alg_info *)alg_info_ike, alg_str) != SUCCESS)
+	if (alg_info_parse_str((struct alg_info *)alg_info_ike, alg_str) == SUCCESS)
+	{
+		alg_info_ike->ref_cnt = 1;	
+		return alg_info_ike;
+	}
+	else
 	{
 		free(alg_info_ike);
 		return NULL;
 	}
-	return alg_info_ike;
 }
 
 /*
@@ -494,7 +489,7 @@ struct alg_info_ike *alg_info_ike_create_from_str(char *alg_str)
  *      several connections instances,
  *      handle free() with ref_cnts
  */
-void 
+void
 alg_info_addref(struct alg_info *alg_info)
 {
 	if (alg_info != NULL)
@@ -529,7 +524,7 @@ alg_info_snprint(char *buf, int buflen, struct alg_info *alg_info)
 	struct esp_info *esp_info;
 	struct ike_info *ike_info;
 	int cnt;
-		
+
 	switch (alg_info->alg_info_protoid) {
 	case PROTO_IPSEC_ESP:
 		{
@@ -538,7 +533,7 @@ alg_info_snprint(char *buf, int buflen, struct alg_info *alg_info)
 			ALG_INFO_ESP_FOREACH(alg_info_esp, esp_info, cnt)
 			{
 				np = snprintf(ptr, buflen, "%s",
-						enum_show(&esp_transformid_names, esp_info->esp_ealg_id));
+						enum_show(&esp_transform_names, esp_info->esp_ealg_id));
 				ptr += np;
 				buflen -= np;
 				if (esp_info->esp_ealg_keylen)
@@ -608,7 +603,7 @@ out:
 			, "buffer space exhausted in alg_info_snprint_ike(), buflen=%d"
 			, buflen);
 	}
-		
+
 	return ptr - buf;
 }
 
diff --git a/src/pluto/alg_info.h b/src/pluto/alg_info.h
index fcf7efca0..85b88ddff 100644
--- a/src/pluto/alg_info.h
+++ b/src/pluto/alg_info.h
@@ -74,7 +74,7 @@ extern int alg_info_snprint_esp(char *buf, int buflen
 extern int alg_info_snprint_ike(char *buf, int buflen
 	, struct alg_info_ike *alg_info);
 #define ALG_INFO_ESP_FOREACH(ai, ai_esp, i) \
-		for (i=(ai)->alg_info_cnt,ai_esp=(ai)->esp; i--; ai_esp++) 
+		for (i=(ai)->alg_info_cnt,ai_esp=(ai)->esp; i--; ai_esp++)
 #define ALG_INFO_IKE_FOREACH(ai, ai_ike, i) \
-		for (i=(ai)->alg_info_cnt,ai_ike=(ai)->ike; i--; ai_ike++) 
+		for (i=(ai)->alg_info_cnt,ai_ike=(ai)->ike; i--; ai_ike++)
 #endif /* ALG_INFO_H */
diff --git a/src/pluto/builder.c b/src/pluto/builder.c
new file mode 100644
index 000000000..0cba32bcf
--- /dev/null
+++ b/src/pluto/builder.c
@@ -0,0 +1,150 @@
+/* Pluto certificate/CRL/AC builder hooks.
+ * Copyright (C) 2002-2009 Andreas Steffen
+ * Copyright (C) 2009 Martin Willi
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "builder.h"
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+#include <time.h>
+
+#include <freeswan.h>
+
+#include <library.h>
+#include <credentials/certificates/certificate.h>
+
+#include "constants.h"
+#include "defs.h"
+#include "log.h"
+#include "certs.h"
+#include "crl.h"
+
+/**
+ * Load a certificate
+ */
+static cert_t *builder_load_cert(certificate_type_t type, va_list args)
+{
+	x509_flag_t flags = 0;
+	chunk_t blob = chunk_empty;
+	bool pgp = FALSE;
+
+	while (TRUE)
+	{
+		switch (va_arg(args, builder_part_t))
+		{
+			case BUILD_BLOB_PGP:
+				pgp = TRUE;
+				/* FALL */
+			case BUILD_BLOB_ASN1_DER:
+				blob = va_arg(args, chunk_t);
+				continue;
+			case BUILD_X509_FLAG:
+				flags |= va_arg(args, x509_flag_t);
+				continue;
+			case BUILD_END:
+				break;
+			default:
+				return NULL;
+		}
+		break;
+	}
+	if (blob.ptr)
+	{
+		cert_t *cert = malloc_thing(cert_t);
+
+		*cert = cert_empty;
+
+		if (pgp)
+		{
+			cert->cert = lib->creds->create(lib->creds,
+							  			   CRED_CERTIFICATE, CERT_GPG,
+							  			   BUILD_BLOB_PGP, blob,
+							  			   BUILD_END);
+		}
+		else
+		{
+			cert->cert = lib->creds->create(lib->creds,
+							  			   CRED_CERTIFICATE, CERT_X509,
+							  			   BUILD_BLOB_ASN1_DER, blob,
+										   BUILD_X509_FLAG, flags,
+							  			   BUILD_END);
+		}
+		if (cert->cert)
+		{
+			return cert;
+		}
+		plog("  error in X.509 certificate");
+		cert_free(cert);
+	}
+	return NULL;
+}
+
+/**
+ * Load a CRL
+ */
+static x509crl_t *builder_load_crl(certificate_type_t type, va_list args)
+{
+	chunk_t blob = chunk_empty;
+	x509crl_t *crl;
+
+	while (TRUE)
+	{
+		switch (va_arg(args, builder_part_t))
+		{
+			case BUILD_BLOB_ASN1_DER:
+				blob = va_arg(args, chunk_t);
+				continue;
+			case BUILD_END:
+				break;
+			default:
+				return NULL;
+		}
+		break;
+	}
+	if (blob.ptr)
+	{
+		crl = malloc_thing(x509crl_t);
+		crl->next = NULL;
+		crl->distributionPoints = linked_list_create();
+		crl->crl = lib->creds->create(lib->creds,
+							  		  CRED_CERTIFICATE, CERT_X509_CRL,
+							  		  BUILD_BLOB_ASN1_DER, blob,
+							  		  BUILD_END);
+		if (crl->crl)
+		{
+			return crl;
+		}
+		plog("  error in X.509 crl");
+		free_crl(crl);
+	}
+	return NULL;
+}
+
+void init_builder(void)
+{
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_PLUTO_CERT,
+							(builder_function_t)builder_load_cert);
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_PLUTO_CRL,
+							(builder_function_t)builder_load_crl);
+}
+
+void free_builder(void)
+{
+	lib->creds->remove_builder(lib->creds, (builder_function_t)builder_load_cert);
+	lib->creds->remove_builder(lib->creds, (builder_function_t)builder_load_crl);
+}
+
diff --git a/src/pluto/builder.h b/src/pluto/builder.h
new file mode 100644
index 000000000..784751b7c
--- /dev/null
+++ b/src/pluto/builder.h
@@ -0,0 +1,24 @@
+/* Pluto certificate/CRL/AC builder hooks.
+ * Copyright (C) 2009 Martin Willi
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef _BUILDER_H
+#define _BUILDER_H
+
+/* register credential builder hooks */
+extern void init_builder();
+/* unregister credential builder hooks */
+extern void free_builder();
+
+#endif /* _BUILDER_H */
diff --git a/src/pluto/ca.c b/src/pluto/ca.c
index 4fdb8cfe7..e25e7f6f5 100644
--- a/src/pluto/ca.c
+++ b/src/pluto/ca.c
@@ -15,11 +15,14 @@
 #include <stdlib.h>
 #include <stdio.h>
 #include <string.h>
-#include <unistd.h>
-#include <dirent.h>
 #include <time.h>
+#include <sys/stat.h>
 #include <sys/types.h>
 
+#include <debug.h>
+#include <utils/enumerator.h>
+#include <credentials/certificates/x509.h>
+
 #include <freeswan.h>
 
 #include "constants.h"
@@ -34,21 +37,7 @@
 
 /* chained list of X.509 authority certificates (ca, aa, and ocsp) */
 
-static x509cert_t *x509authcerts = NULL;
-
-const ca_info_t empty_ca_info = {
-	  NULL        ,  /* next */
-	  NULL        ,  /* name */
-	UNDEFINED_TIME,
-	{ NULL, 0 }   ,  /* authName */
-	{ NULL, 0 }   ,  /* authKeyID */
-	{ NULL, 0 }   ,  /* authKey SerialNumber */
-	  NULL        ,  /* ldaphost */
-	  NULL        ,  /* ldapbase */
-	  NULL        ,  /* ocspori */
-	  NULL        ,  /* crluri */
-	  FALSE          /* strictcrlpolicy */
-};
+static cert_t *x509authcerts = NULL;
 
 /* chained list of X.509 certification authority information records */
 
@@ -57,53 +46,71 @@ static ca_info_t *ca_infos = NULL;
 /*
  * Checks if CA a is trusted by CA b
  */
-bool
-trusted_ca(chunk_t a, chunk_t b, int *pathlen)
+bool trusted_ca(identification_t *a, identification_t *b, int *pathlen)
 {
 	bool match = FALSE;
 
 	/* no CA b specified -> any CA a is accepted */
-	if (b.ptr == NULL)
+	if (b == NULL)
 	{
-		*pathlen = (a.ptr == NULL)? 0 : MAX_CA_PATH_LEN;
+		*pathlen = (a == NULL) ? 0 : X509_MAX_PATH_LEN;
 		return TRUE;
 	}
 
 	/* no CA a specified -> trust cannot be established */
-	if (a.ptr == NULL)
+	if (a == NULL)
 	{
-		*pathlen = MAX_CA_PATH_LEN;
+		*pathlen = X509_MAX_PATH_LEN;
 		return FALSE;
 	}
 
 	*pathlen = 0;
 
 	/* CA a equals CA b -> we have a match */
-	if (same_dn(a, b))
+	if (a->equals(a, b))
+	{
 		return TRUE;
+	}
 
 	/* CA a might be a subordinate CA of b */
 	lock_authcert_list("trusted_ca");
 
-	while ((*pathlen)++ < MAX_CA_PATH_LEN)
+	while ((*pathlen)++ < X509_MAX_PATH_LEN)
 	{
-		x509cert_t *cacert = get_authcert(a, chunk_empty, chunk_empty, AUTH_CA);
+		certificate_t *certificate;
+		identification_t *issuer;
+		cert_t *cacert;
 
-		/* cacert not found or self-signed root cacert-> exit */
-		if (cacert == NULL || same_dn(cacert->issuer, a))
+		cacert = get_authcert(a, chunk_empty, X509_CA);
+		if (cacert == NULL)
+		{
 			break;
+		}
+		certificate = cacert->cert;
+		
+		/* is the certificate self-signed? */
+		{
+			x509_t *x509 = (x509_t*)certificate;
+
+			if (x509->get_flags(x509) & X509_SELF_SIGNED)
+			{
+				break;
+			}
+		}
 
 		/* does the issuer of CA a match CA b? */
-		match = same_dn(cacert->issuer, b);
+		issuer = certificate->get_issuer(certificate);
+		match = b->equals(b, issuer);
 
 		/* we have a match and exit the loop */
 		if (match)
+		{
 			break;
-
+		}
 		/* go one level up in the CA chain */
-		a = cacert->issuer;
+		a = issuer;
 	}
-	
+
 	unlock_authcert_list("trusted_ca");
 	return match;
 }
@@ -111,33 +118,36 @@ trusted_ca(chunk_t a, chunk_t b, int *pathlen)
 /*
  * does our CA match one of the requested CAs?
  */
-bool
-match_requested_ca(generalName_t *requested_ca, chunk_t our_ca, int *our_pathlen)
+bool match_requested_ca(linked_list_t *requested_ca, identification_t *our_ca,
+						int *our_pathlen)
 {
+	identification_t *ca;
+	enumerator_t *enumerator;
+
 	/* if no ca is requested than any ca will match */
-	if (requested_ca == NULL)
+	if (requested_ca == NULL || requested_ca->get_count(requested_ca) == 0)
 	{
 		*our_pathlen = 0;
 		return TRUE;
 	}
 
-	*our_pathlen = MAX_CA_PATH_LEN + 1;
+	*our_pathlen = X509_MAX_PATH_LEN + 1;
 
-	while (requested_ca != NULL)
+	enumerator = requested_ca->create_enumerator(requested_ca);
+	while (enumerator->enumerate(enumerator, &ca))
 	{
 		int pathlen;
 
-		if (trusted_ca(our_ca, requested_ca->name, &pathlen)
-		&& pathlen < *our_pathlen)
+		if (trusted_ca(our_ca, ca, &pathlen) && pathlen < *our_pathlen)
 		{
 			*our_pathlen = pathlen;
 		}
-		requested_ca = requested_ca->next;
 	}
+	enumerator->destroy(enumerator);
 
-	if (*our_pathlen > MAX_CA_PATH_LEN)
+	if (*our_pathlen > X509_MAX_PATH_LEN)
 	{
-		*our_pathlen = MAX_CA_PATH_LEN;
+		*our_pathlen = X509_MAX_PATH_LEN;
 		return FALSE;
 	}
 	else
@@ -149,55 +159,80 @@ match_requested_ca(generalName_t *requested_ca, chunk_t our_ca, int *our_pathlen
 /*
  *  free the first authority certificate in the chain
  */
-static void
-free_first_authcert(void)
+static void free_first_authcert(void)
 {
-	x509cert_t *first = x509authcerts;
+	cert_t *first = x509authcerts;
+
 	x509authcerts = first->next;
-	free_x509cert(first);
+	cert_free(first);
 }
 
 /*
  *  free  all CA certificates
  */
-void
-free_authcerts(void)
+void free_authcerts(void)
 {
 	lock_authcert_list("free_authcerts");
 
 	while (x509authcerts != NULL)
+	{
 		free_first_authcert();
-
+	}
 	unlock_authcert_list("free_authcerts");
 }
 
 /*
  *  get a X.509 authority certificate with a given subject or keyid
  */
-x509cert_t*
-get_authcert(chunk_t subject, chunk_t serial, chunk_t keyid, u_char auth_flags)
+cert_t* get_authcert(identification_t *subject, chunk_t keyid,
+						 x509_flag_t auth_flags)
 {
-	x509cert_t *cert = x509authcerts;
-	x509cert_t *prev_cert = NULL;
+	cert_t *cert, *prev_cert = NULL;
+
+	/* the authority certificate list is empty */
+	if (x509authcerts == NULL)
+	{
+		return NULL;
+	}
 
-	while (cert != NULL)
+	for (cert = x509authcerts; cert != NULL; prev_cert = cert, cert = cert->next)
 	{
-		if (cert->authority_flags & auth_flags
-		&& ((keyid.ptr != NULL) ? same_keyid(keyid, cert->subjectKeyID)
-			: (same_dn(subject, cert->subject)
-			   && same_serial(serial, cert->serialNumber))))
+		certificate_t *certificate = cert->cert;
+		x509_t *x509 = (x509_t*)certificate;
+
+		/* skip non-matching types of authority certificates */
+		if (!(x509->get_flags(x509) & auth_flags))
+		{
+			continue;
+		}
+
+		/* compare the keyid with the certificate's subjectKeyIdentifier */
+		if (keyid.ptr)
 		{
-			if (cert != x509authcerts)
+			chunk_t subjectKeyId;
+
+			subjectKeyId = x509->get_subjectKeyIdentifier(x509);
+			if (subjectKeyId.ptr && !chunk_equals(keyid, subjectKeyId))
 			{
-				/* bring the certificate up front */
-				prev_cert->next = cert->next;
-				cert->next = x509authcerts;
-				x509authcerts = cert;
+				continue;
 			}
-			return cert;
 		}
-		prev_cert = cert;
-		cert = cert->next;
+
+		/* compare the subjectDistinguishedNames */
+		if (!certificate->has_subject(certificate, subject))
+		{
+			continue;
+		}
+
+		/* found the authcert */
+		if (cert != x509authcerts)
+		{
+			/* bring the certificate up front */
+			prev_cert->next = cert->next;
+			cert->next = x509authcerts;
+			x509authcerts = cert;
+		}
+		return cert;
 	}
 	return NULL;
 }
@@ -205,31 +240,27 @@ get_authcert(chunk_t subject, chunk_t serial, chunk_t keyid, u_char auth_flags)
 /*
  * add an authority certificate to the chained list
  */
-x509cert_t*
-add_authcert(x509cert_t *cert, u_char auth_flags)
+cert_t* add_authcert(cert_t *cert, x509_flag_t auth_flags)
 {
-	x509cert_t *old_cert;
-
-	/* set authority flags */
-	cert->authority_flags |= auth_flags;
+	certificate_t *certificate = cert->cert;
+	x509_t *x509 = (x509_t*)certificate;
+	cert_t *old_cert;
 
 	lock_authcert_list("add_authcert");
 
-	old_cert = get_authcert(cert->subject, cert->serialNumber
-		, cert->subjectKeyID, auth_flags);
-
-	if (old_cert != NULL)
+	old_cert = get_authcert(certificate->get_subject(certificate), 
+							x509->get_subjectKeyIdentifier(x509),
+							auth_flags);
+	if (old_cert)
 	{
-		if (same_x509cert(cert, old_cert))
+		if (certificate->equals(certificate, old_cert->cert))
 		{
-			/* cert is already present, just add additional authority flags */
-			old_cert->authority_flags |= cert->authority_flags;
 			DBG(DBG_CONTROL | DBG_PARSING ,
 				DBG_log("  authcert is already present and identical")
 			)
 			unlock_authcert_list("add_authcert");
 
-			free_x509cert(cert);
+			cert_free(cert);
 			return old_cert;
 		}
 		else
@@ -245,7 +276,7 @@ add_authcert(x509cert_t *cert, u_char auth_flags)
 	/* add new authcert to chained list */
 	cert->next = x509authcerts;
 	x509authcerts = cert;
-	share_x509cert(cert);  /* set count to one */
+	cert_share(cert);  /* set count to one */
 	DBG(DBG_CONTROL | DBG_PARSING,
 		DBG_log("  authcert inserted")
 	)
@@ -256,51 +287,43 @@ add_authcert(x509cert_t *cert, u_char auth_flags)
 /*
  *  Loads authority certificates
  */
-void
-load_authcerts(const char *type, const char *path, u_char auth_flags)
+void load_authcerts(char *type, char *path, x509_flag_t auth_flags)
 {
-	struct dirent **filelist;
-	u_char buf[BUF_LEN];
-	u_char *save_dir;
-	int n;
+	enumerator_t *enumerator;
+	struct stat st;
+	char *file;
 
-	/* change directory to specified path */
-	save_dir = getcwd(buf, BUF_LEN);
+	DBG1("loading %s certificates from '%s'", type, path);
 
-	if (chdir(path))
+	enumerator = enumerator_create_directory(path);
+	if (!enumerator)
 	{
-		plog("Could not change to directory '%s'", path);
+		DBG1("  reading directory '%s' failed");
+		return;
 	}
-	else
+
+	while (enumerator->enumerate(enumerator, NULL, &file, &st))
 	{
-		plog("Changing to directory '%s'", path);
-		n = scandir(path, &filelist, file_select, alphasort);
+		cert_t *cert;
 
-		if (n < 0)
-			plog("  scandir() error");
-		else
+		if (!S_ISREG(st.st_mode))
 		{
-			while (n--)
-			{
-				cert_t cert;
-
-				if (load_cert(filelist[n]->d_name, type, &cert))
-					add_authcert(cert.u.x509, auth_flags);
-
-				free(filelist[n]);
-			}
-			free(filelist);
+			/* skip special file */
+			continue;
+		}
+		cert = load_cert(file, type, auth_flags);
+		if (cert)
+		{
+			add_authcert(cert, auth_flags);
 		}
 	}
-	/* restore directory path */
-	ignore_result(chdir(save_dir));
+	enumerator->destroy(enumerator);
 }
 
 /*
  *  list all X.509 authcerts with given auth flags in a chained list
  */
-void
-list_authcerts(const char *caption, u_char auth_flags, bool utc)
+void list_authcerts(const char *caption, x509_flag_t auth_flags, bool utc)
 {
 	lock_authcert_list("list_authcerts");
 	list_x509cert_chain(caption, x509authcerts, auth_flags, utc);
@@ -310,19 +333,38 @@ list_authcerts(const char *caption, u_char auth_flags, bool utc)
 /*
  * get a cacert with a given subject or keyid from an alternative list
  */
-static const x509cert_t*
-get_alt_cacert(chunk_t subject, chunk_t serial, chunk_t keyid
-	, const x509cert_t *cert)
+static const cert_t* get_alt_cacert(identification_t *subject, chunk_t keyid,
+										const cert_t *cert)
 {
-	while (cert != NULL)
+	if (cert == NULL)
 	{
-		if ((keyid.ptr != NULL) ? same_keyid(keyid, cert->subjectKeyID)
-			: (same_dn(subject, cert->subject)
-			   && same_serial(serial, cert->serialNumber)))
+		return NULL;
+	}
+	for (; cert != NULL; cert = cert->next)
+	{
+		certificate_t *certificate = cert->cert;
+
+		/* compare the keyid with the certificate's subjectKeyIdentifier */
+		if (keyid.ptr)
+		{
+			x509_t *x509 = (x509_t*)certificate;
+			chunk_t subjectKeyId;
+
+			subjectKeyId = x509->get_subjectKeyIdentifier(x509);
+			if (subjectKeyId.ptr && !chunk_equals(keyid, subjectKeyId))
+			{
+				continue;
+			}
+		}
+
+		/* compare the subjectDistinguishedNames */
+		if (!certificate->has_subject(certificate, subject))
 		{
-			return cert;
+			continue;
 		}
-		cert = cert->next;
+
+		/* we found the cacert */
+		return cert;
 	}
 	return NULL;
 }
@@ -330,34 +372,32 @@ get_alt_cacert(chunk_t subject, chunk_t serial, chunk_t keyid
 /* establish trust into a candidate authcert by going up the trust chain.
  * validity and revocation status are not checked.
  */
-bool
-trust_authcert_candidate(const x509cert_t *cert, const x509cert_t *alt_chain)
+bool trust_authcert_candidate(const cert_t *cert, const cert_t *alt_chain)
 {
 	int pathlen;
 
 	lock_authcert_list("trust_authcert_candidate");
 
-	for (pathlen = 0; pathlen < MAX_CA_PATH_LEN; pathlen++)
+	for (pathlen = 0; pathlen < X509_MAX_PATH_LEN; pathlen++)
 	{
-		const x509cert_t *authcert = NULL;
-		u_char buf[BUF_LEN];
+		certificate_t *certificate = cert->cert;
+		x509_t *x509 = (x509_t*)certificate;
+		identification_t *subject = certificate->get_subject(certificate);
+		identification_t *issuer = certificate->get_issuer(certificate);
+		chunk_t authKeyID = x509->get_authKeyIdentifier(x509);
+		const cert_t *authcert = NULL;
 
 		DBG(DBG_CONTROL,
-			dntoa(buf, BUF_LEN, cert->subject);
-			DBG_log("subject: '%s'",buf);
-			dntoa(buf, BUF_LEN, cert->issuer);
-			DBG_log("issuer:  '%s'",buf);
-			if (cert->authKeyID.ptr != NULL)
+			DBG_log("subject: '%Y'", subject);
+			DBG_log("issuer:  '%Y'", issuer);
+			if (authKeyID.ptr != NULL)
 			{
-				datatot(cert->authKeyID.ptr, cert->authKeyID.len, ':'
-					, buf, BUF_LEN);
-				DBG_log("authkey:  %s", buf);
+				DBG_log("authkey:  %#B", &authKeyID);
 			}
 		)
 
 		/* search in alternative chain first */
-		authcert = get_alt_cacert(cert->issuer, cert->authKeySerialNumber
-			, cert->authKeyID, alt_chain);
+		authcert = get_alt_cacert(issuer, authKeyID, alt_chain);
 
 		if (authcert != NULL)
 		{
@@ -368,8 +408,7 @@ trust_authcert_candidate(const x509cert_t *cert, const x509cert_t *alt_chain)
 		else
 		{
 			/* search in trusted chain */
-			authcert = get_authcert(cert->issuer, cert->authKeySerialNumber
-				, cert->authKeyID, AUTH_CA);
+			authcert = get_authcert(issuer, authKeyID, X509_CA);
 
 			if (authcert != NULL)
 			{
@@ -385,8 +424,7 @@ trust_authcert_candidate(const x509cert_t *cert, const x509cert_t *alt_chain)
 			}
 		}
 
-		if (!x509_check_signature(cert->tbsCertificate, cert->signature,
-								  cert->algorithm, authcert))
+		if (!certificate->issued_by(certificate, authcert->cert))
 		{
 			plog("certificate signature is invalid");
 			unlock_authcert_list("trust_authcert_candidate");
@@ -397,7 +435,7 @@ trust_authcert_candidate(const x509cert_t *cert, const x509cert_t *alt_chain)
 		)
 
 		/* check if cert is a self-signed root ca */
-		if (pathlen > 0 && same_dn(cert->issuer, cert->subject))
+		if (pathlen > 0 && (x509->get_flags(x509) & X509_SELF_SIGNED))
 		{
 			DBG(DBG_CONTROL,
 				DBG_log("reached self-signed root ca")
@@ -409,7 +447,7 @@ trust_authcert_candidate(const x509cert_t *cert, const x509cert_t *alt_chain)
 		/* go up one step in the trust chain */
 		cert = authcert;
 	}
-	plog("maximum ca path length of %d levels exceeded", MAX_CA_PATH_LEN);
+	plog("maximum ca path length of %d levels exceeded", X509_MAX_PATH_LEN);
 	unlock_authcert_list("trust_authcert_candidate");
 	return FALSE;
 }
@@ -417,16 +455,14 @@ trust_authcert_candidate(const x509cert_t *cert, const x509cert_t *alt_chain)
 /*
  *  get a CA info record with a given authName or authKeyID
  */
-ca_info_t*
-get_ca_info(chunk_t authname, chunk_t serial, chunk_t keyid)
+ca_info_t* get_ca_info(identification_t *name, chunk_t keyid)
 {
 	ca_info_t *ca= ca_infos;
 
-	while (ca!= NULL)
+	while (ca != NULL)
 	{
-		if ((keyid.ptr != NULL) ? same_keyid(keyid, ca->authKeyID)
-			: (same_dn(authname, ca->authName)
-			   && same_serial(serial, ca->authKeySerialNumber)))
+		if ((keyid.ptr) ? same_keyid(keyid, ca->authKeyID)
+			: name->equals(name, ca->authName))
 		{
 			return ca;
 		}
@@ -443,24 +479,23 @@ static void
 free_ca_info(ca_info_t* ca_info)
 {
 	if (ca_info == NULL)
+	{
 		return;
-
+	}
+	ca_info->crluris->destroy_function(ca_info->crluris, free);
+	DESTROY_IF(ca_info->authName);
 	free(ca_info->name);
 	free(ca_info->ldaphost);
 	free(ca_info->ldapbase);
 	free(ca_info->ocspuri);
-	free(ca_info->authName.ptr);
 	free(ca_info->authKeyID.ptr);
-	free(ca_info->authKeySerialNumber.ptr);
-	free_generalNames(ca_info->crluri, TRUE);
 	free(ca_info);
 }
 
 /*
  *  free  all CA certificates
  */
-void
-free_ca_infos(void)
+void free_ca_infos(void)
 {
 	while (ca_infos != NULL)
 	{
@@ -474,8 +509,7 @@ free_ca_infos(void)
 /*
  * find a CA information record by name and optionally delete it
  */
-bool
-find_ca_info_by_name(const char *name, bool delete)
+bool find_ca_info_by_name(const char *name, bool delete)
 {
 	ca_info_t **ca_p = &ca_infos;
 	ca_info_t *ca = *ca_p;
@@ -501,16 +535,26 @@ find_ca_info_by_name(const char *name, bool delete)
 	return FALSE;
 }
 
+/*
+ * Create an empty ca_info_t record
+ */
+ca_info_t* create_ca_info(void)
+{
+	ca_info_t *ca_info = malloc_thing(ca_info_t);
+
+	memset(ca_info, 0, sizeof(ca_info_t));
+	ca_info->crluris = linked_list_create();
 
- /*
- * adds a CA description to a chained list
+	return ca_info;
+}
+
+/**
+ * Adds a CA description to a chained list
  */
-void
-add_ca_info(const whack_message_t *msg)
+void add_ca_info(const whack_message_t *msg)
 {
 	smartcard_t *sc = NULL;
-	cert_t cert;
-	bool valid_cert = FALSE;
+	cert_t *cert = NULL;
 	bool cached_cert = FALSE;
 
 	if (find_ca_info_by_name(msg->name, FALSE))
@@ -522,60 +566,54 @@ add_ca_info(const whack_message_t *msg)
 	if (scx_on_smartcard(msg->cacert))
 	{
 		/* load CA cert from smartcard */
-		valid_cert = scx_load_cert(msg->cacert, &sc, &cert, &cached_cert);
+		cert = scx_load_cert(msg->cacert, &sc, &cached_cert);
 	}
 	else
 	{
 		/* load CA cert from file */
-		valid_cert = load_ca_cert(msg->cacert, &cert);
+		cert = load_ca_cert(msg->cacert);
 	}
 
-	if (valid_cert)
+	if (cert)
 	{
-		char buf[BUF_LEN];
-		x509cert_t *cacert = cert.u.x509;
+		certificate_t *certificate = cert->cert;
+		x509_t *x509 = (x509_t*)certificate;
+		identification_t *subject = certificate->get_subject(certificate);
+		chunk_t subjectKeyID = x509->get_subjectKeyIdentifier(x509);
 		ca_info_t *ca = NULL;
 
 		/* does the authname already exist? */
-		ca = get_ca_info(cacert->subject, cacert->serialNumber
-				, cacert->subjectKeyID);
-		
+		ca = get_ca_info(subject, subjectKeyID);
+
 		if (ca != NULL)
 		{
 			/* ca_info is already present */
 			loglog(RC_DUPNAME, "  duplicate ca information in record \"%s\" found,"
 							   "ignoring \"%s\"", ca->name, msg->name);
-			free_x509cert(cacert);
+			cert_free(cert);
 			return;
 		}
 
 		plog("added ca description \"%s\"", msg->name);
 
 		/* create and initialize new ca_info record */
-		ca = malloc_thing(ca_info_t);
-		*ca = empty_ca_info;
+		ca = create_ca_info();
 
 		/* name */
 		ca->name = clone_str(msg->name);
-			
+
 		/* authName */
-		ca->authName = chunk_clone(cacert->subject);
-		dntoa(buf, BUF_LEN, ca->authName);
+		ca->authName = subject->clone(subject);
 		DBG(DBG_CONTROL,
-			DBG_log("authname: '%s'", buf)
+			DBG_log("authname: '%Y'", subject)
 		)
 
-		/* authSerialNumber */
-		ca->authKeySerialNumber = chunk_clone(cacert->serialNumber);
-
 		/* authKeyID */
-		if (cacert->subjectKeyID.ptr != NULL)
+		if (subjectKeyID.ptr)
 		{
-			ca->authKeyID = chunk_clone(cacert->subjectKeyID);
-			datatot(cacert->subjectKeyID.ptr, cacert->subjectKeyID.len, ':'
-				, buf, BUF_LEN);
+			ca->authKeyID = chunk_clone(subjectKeyID);
 			DBG(DBG_CONTROL | DBG_PARSING ,
-				DBG_log("authkey:  %s", buf)
+				DBG_log("authkey:  %#B", &subjectKeyID)
 			)
 		}
 
@@ -594,23 +632,9 @@ add_ca_info(const whack_message_t *msg)
 				plog("  ignoring ocspuri with unkown protocol");
 		}
 
-		/* crluri2*/
-		if (msg->crluri2 != NULL)
-		{
-			generalName_t gn =
-				{ NULL, GN_URI, {msg->crluri2, strlen(msg->crluri2)} };
-
-			add_distribution_points(&gn, &ca->crluri);
-		}
-
-		/* crluri */
-		if (msg->crluri != NULL)
-		{
-			generalName_t gn =
-				{ NULL, GN_URI, {msg->crluri, strlen(msg->crluri)} };
-
-			add_distribution_points(&gn, &ca->crluri);
-		}
+		/* add crl uris */
+		add_distribution_point(ca->crluris, msg->crluri);
+		add_distribution_point(ca->crluris, msg->crluri2);
 
 		/* strictrlpolicy */
 		ca->strictcrlpolicy = msg->whack_strict;
@@ -620,17 +644,19 @@ add_ca_info(const whack_message_t *msg)
 
 		ca->next = ca_infos;
 		ca_infos = ca;
-		ca->installed = time(NULL);
-		
+
 		unlock_ca_info_list("add_ca_info");
 
 		/* add cacert to list of authcerts */
+		cert = add_authcert(cert, X509_CA);
 		if (!cached_cert && sc != NULL)
 		{
-			if (sc->last_cert.type == CERT_X509_SIGNATURE)
-				sc->last_cert.u.x509->count--;
-			sc->last_cert.u.x509 = add_authcert(cacert, AUTH_CA);
-			share_cert(sc->last_cert);
+			if (sc->last_cert != NULL)
+			{
+				sc->last_cert->count--;
+			}
+			sc->last_cert = cert;
+			cert_share(sc->last_cert);
 		}
 		if (sc != NULL)
 			time(&sc->last_load);
@@ -640,54 +666,46 @@ add_ca_info(const whack_message_t *msg)
 /*
  * list all ca_info records in the chained list
  */
-void
-list_ca_infos(bool utc)
+void list_ca_infos(bool utc)
 {
 	ca_info_t *ca = ca_infos;
-	
+
 	if (ca != NULL)
 	{
 		whack_log(RC_COMMENT, " ");
 		whack_log(RC_COMMENT, "List of X.509 CA Information Records:");
-		whack_log(RC_COMMENT, " ");
 	}
 
 	while (ca != NULL)
 	{
-		u_char buf[BUF_LEN];
-
 		/* strictpolicy per CA not supported yet
 		 *
 		whack_log(RC_COMMENT, "%T, \"%s\", strictcrlpolicy: %s"
 				, &ca->installed, utc, ca->name
 				, ca->strictcrlpolicy? "yes":"no");
 		*/
-		whack_log(RC_COMMENT, "%T, \"%s\"", &ca->installed, utc, ca->name);
-		dntoa(buf, BUF_LEN, ca->authName);
-		whack_log(RC_COMMENT, "       authname: '%s'", buf);
-		if (ca->ldaphost != NULL)
-			whack_log(RC_COMMENT, "       ldaphost: '%s'", ca->ldaphost);
-		if (ca->ldapbase != NULL)
-			whack_log(RC_COMMENT, "       ldapbase: '%s'", ca->ldapbase);
-		if (ca->ocspuri != NULL)
-			whack_log(RC_COMMENT, "       ocspuri:  '%s'", ca->ocspuri);
-
-		list_distribution_points(ca->crluri);
-
-		if (ca->authKeyID.ptr != NULL)
+		whack_log(RC_COMMENT, " ");
+		whack_log(RC_COMMENT, "  authname: \"%Y\"", ca->authName);
+		if (ca->ldaphost)
+		{
+			whack_log(RC_COMMENT, "  ldaphost: '%s'", ca->ldaphost);
+		}
+		if (ca->ldapbase)
 		{
-			datatot(ca->authKeyID.ptr, ca->authKeyID.len, ':'
-				, buf, BUF_LEN);
-			whack_log(RC_COMMENT, "       authkey:   %s", buf);
+			whack_log(RC_COMMENT, "  ldapbase: '%s'", ca->ldapbase);
 		}
-		if (ca->authKeySerialNumber.ptr != NULL)
+		if (ca->ocspuri)
 		{
-			datatot(ca->authKeySerialNumber.ptr, ca->authKeySerialNumber.len, ':'
-				, buf, BUF_LEN);
-			whack_log(RC_COMMENT, "       aserial:   %s", buf);
+			whack_log(RC_COMMENT, "  ocspuri:  '%s'", ca->ocspuri);
+		}
+
+		list_distribution_points(ca->crluris);
+
+		if (ca->authKeyID.ptr)
+		{
+			whack_log(RC_COMMENT, "  authkey:   %#B", &ca->authKeyID);
 		}
 		ca = ca->next;
 	}
 }
 
-
diff --git a/src/pluto/ca.h b/src/pluto/ca.h
index 44d079b4c..d964a694a 100644
--- a/src/pluto/ca.h
+++ b/src/pluto/ca.h
@@ -15,49 +15,39 @@
 #ifndef _CA_H
 #define _CA_H
 
-#include "x509.h"
-#include "whack.h"
-
-#define MAX_CA_PATH_LEN         7
+#include <utils/linked_list.h>
+#include <utils/identification.h>
 
-/* authority flags */
-
-#define AUTH_NONE       0x00    /* no authorities */
-#define AUTH_CA         0x01    /* certification authority */
-#define AUTH_AA         0x02    /* authorization authority */
-#define AUTH_OCSP       0x04    /* ocsp signing authority */
+#include "certs.h"
+#include "whack.h"
 
 /* CA info structures */
 
 typedef struct ca_info ca_info_t;
 
 struct ca_info {
-	ca_info_t       *next;
-	char            *name;
-	time_t          installed;
-	chunk_t         authName;
-	chunk_t         authKeyID;
-	chunk_t         authKeySerialNumber;
-	char            *ldaphost;
-	char            *ldapbase;
-	char            *ocspuri;
-	generalName_t   *crluri;
-	bool            strictcrlpolicy;
+	ca_info_t        *next;
+	char             *name;
+	identification_t *authName;
+	chunk_t           authKeyID;
+	char             *ldaphost;
+	char             *ldapbase;
+	char             *ocspuri;
+	linked_list_t    *crluris;
+	bool              strictcrlpolicy;
 };
 
-extern bool trusted_ca(chunk_t a, chunk_t b, int *pathlen);
-extern bool match_requested_ca(generalName_t *requested_ca
-	, chunk_t our_ca, int *our_pathlen);
-extern x509cert_t* get_authcert(chunk_t subject, chunk_t serial, chunk_t keyid
-	, u_char auth_flags);
-extern void load_authcerts(const char *type, const char *path
-	, u_char auth_flags);
-extern x509cert_t* add_authcert(x509cert_t *cert, u_char auth_flags);
+extern bool trusted_ca(identification_t *a, identification_t *b, int *pathlen);
+extern bool match_requested_ca(linked_list_t *requested_ca,
+							   identification_t *our_ca, int *our_pathlen);
+extern cert_t* get_authcert(identification_t *subject, chunk_t keyid,
+								x509_flag_t auth_flags);
+extern void load_authcerts(char *type, char *path, x509_flag_t auth_flags);
+extern cert_t* add_authcert(cert_t *cert, x509_flag_t auth_flags);
 extern void free_authcerts(void);
-extern void list_authcerts(const char *caption, u_char auth_flags, bool utc);
-extern bool trust_authcert_candidate(const x509cert_t *cert
-	, const x509cert_t *alt_chain);
-extern ca_info_t* get_ca_info(chunk_t name, chunk_t serial, chunk_t keyid);
+extern void list_authcerts(const char *caption, x509_flag_t auth_flags, bool utc);
+extern bool trust_authcert_candidate(const cert_t *cert, const cert_t *alt_chain);
+extern ca_info_t* get_ca_info(identification_t *name, chunk_t keyid);
 extern bool find_ca_info_by_name(const char *name, bool delete);
 extern void add_ca_info(const whack_message_t *msg);
 extern void delete_ca_info(const char *name);
diff --git a/src/pluto/certs.c b/src/pluto/certs.c
index ca3019b9b..8bce4c5c2 100644
--- a/src/pluto/certs.c
+++ b/src/pluto/certs.c
@@ -17,153 +17,166 @@
 #include <stdlib.h>
 #include <stdio.h>
 #include <string.h>
+#include <unistd.h>
+#include <time.h>
 
 #include <freeswan.h>
 
-#include "library.h"
-#include "asn1/asn1.h"
+#include <library.h>
+#include <asn1/asn1.h>
+#include <credentials/certificates/certificate.h>
+#include <credentials/certificates/pgp_certificate.h>
 
 #include "constants.h"
 #include "defs.h"
 #include "log.h"
-#include "id.h"
-#include "pem.h"
 #include "certs.h"
+#include "whack.h"
+#include "fetch.h"
+#include "keys.h"
+#include "builder.h"
 
 /**
- * used for initializatin of certs
+ * Initialization
  */
-const cert_t cert_empty = {CERT_NONE, {NULL}};
+const cert_t cert_empty = {
+	NULL   , /* cert */
+	NULL   , /* *next */
+	  0    , /* count */
+	FALSE    /* smartcard */
+};
 
 /**
- * extracts the certificate to be sent to the peer
+ * Chained lists of X.509 and PGP end entity certificates
  */
-chunk_t cert_get_encoding(cert_t cert)
-{
-	switch (cert.type)
-	{
-	case CERT_PGP:
-		return cert.u.pgp->certificate;
-	case CERT_X509_SIGNATURE:
-		return cert.u.x509->certificate;
-	default:
-		return chunk_empty;
-	}
-}
+static cert_t *certs = NULL;
 
-public_key_t* cert_get_public_key(const cert_t cert)
+/**
+ *  Free a pluto certificate
+ */
+void cert_free(cert_t *cert)
 {
-	switch (cert.type)
+	if (cert)
 	{
-		case CERT_PGP:
-			return cert.u.pgp->public_key;
-			break;
-		case CERT_X509_SIGNATURE:
-			return cert.u.x509->public_key;
-			break;
-		default:
-			return NULL;
+		certificate_t *certificate = cert->cert;
+
+		if (certificate)
+		{
+			certificate->destroy(certificate);
+		}
+		free(cert);
 	}
 }
 
-/* load a coded key or certificate file with autodetection
- * of binary DER or base64 PEM ASN.1 formats and armored PGP format
+/**
+ *  Add a pluto end entity certificate to the chained list
  */
-bool load_coded_file(char *filename, prompt_pass_t *pass, const char *type,
-					 chunk_t *blob, bool *pgp)
+cert_t* cert_add(cert_t *cert)
 {
-	err_t ugh = NULL;
-
-	FILE *fd = fopen(filename, "r");
+	certificate_t *certificate = cert->cert;
+	cert_t *c = certs;
 
-	if (fd)
+	while (c != NULL)
 	{
-		int bytes;
-		fseek(fd, 0, SEEK_END );
-		blob->len = ftell(fd);
-		rewind(fd);
-		blob->ptr = malloc(blob->len);
-		bytes = fread(blob->ptr, 1, blob->len, fd);
-		fclose(fd);
-		plog("  loaded %s file '%s' (%d bytes)", type, filename, bytes);
-
-		*pgp = FALSE;
-
-		/* try DER format */
-		if (is_asn1(*blob))
+		if (certificate->equals(certificate, c->cert)) /* already in chain, free cert */
 		{
-			DBG(DBG_PARSING,
-				DBG_log("  file coded in DER format");
-			)
-			return TRUE;
+			cert_free(cert);
+			return c;
 		}
+		c = c->next;
+	}
 
-		/* try PEM format */
-		ugh = pemtobin(blob, pass, filename, pgp);
+	/* insert new cert at the root of the chain */
+	lock_certs_and_keys("cert_add");
+	cert->next = certs;
+	certs = cert;
+	DBG(DBG_CONTROL | DBG_PARSING,
+		DBG_log("  cert inserted")
+	)
+	unlock_certs_and_keys("cert_add");
+	return cert;
+}
 
-		if (ugh == NULL)
-		{
-			if (*pgp)
-			{
-				DBG(DBG_PARSING,
-					DBG_log("  file coded in armored PGP format");
-				)
-				return TRUE;
-			}
-			if (is_asn1(*blob))
-			{
-				DBG(DBG_PARSING,
-					DBG_log("  file coded in PEM format");
-				)
-				return TRUE;
-			}
-			ugh = "file coded in unknown format, discarded";
-		}
+/**
+ * Passphrase callback to read from whack fd
+ */
+chunk_t whack_pass_cb(prompt_pass_t *pass, int try)
+{
+	int n;
 
-		/* a conversion error has occured */
-		plog("  %s", ugh);
-		free(blob->ptr);
-		*blob = chunk_empty;
+	if (try > MAX_PROMPT_PASS_TRIALS)
+	{
+		whack_log(RC_LOG_SERIOUS, "invalid passphrase, too many trials");
+		return chunk_empty;
+	}
+	if (try == 1)
+	{
+		whack_log(RC_ENTERSECRET, "need passphrase for 'private key'");
 	}
 	else
 	{
-		plog("  could not open %s file '%s'", type, filename);
+		whack_log(RC_ENTERSECRET, "invalid passphrase, please try again");
+	}
+
+	n = read(pass->fd, pass->secret, PROMPT_PASS_LEN);
+
+	if (n == -1)
+	{
+		whack_log(RC_LOG_SERIOUS, "read(whackfd) failed");
+		return chunk_empty;
 	}
-	return FALSE;
+
+	pass->secret[n-1] = '\0';
+
+	if (strlen(pass->secret) == 0)
+	{
+		whack_log(RC_LOG_SERIOUS, "no passphrase entered, aborted");
+		return chunk_empty;
+	}
+	return chunk_create(pass->secret, strlen(pass->secret));
 }
 
 /**
- *  Loads a PKCS#1 or PGP privatekey file
+ *  Loads a PKCS#1 or PGP private key file
  */
 private_key_t* load_private_key(char* filename, prompt_pass_t *pass,
 								key_type_t type)
 {
 	private_key_t *key = NULL;
-	chunk_t blob = chunk_empty;
-	bool pgp = FALSE;
-
-	char *path = concatenate_paths(PRIVATE_KEY_PATH, filename);
+	char *path;
 
-	if (load_coded_file(path, pass, "private key", &blob, &pgp))
-	{
-		if (pgp)
-		{
- 			parse_pgp(blob, NULL, &key);
-		}
-		else
+	path = concatenate_paths(PRIVATE_KEY_PATH, filename);
+	if (pass && pass->prompt && pass->fd != NULL_FD)
+	{	/* use passphrase callback */
+		key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type,
+								 BUILD_FROM_FILE, path,
+								 BUILD_PASSPHRASE_CALLBACK, whack_pass_cb, pass,
+								 BUILD_END);
+		if (key)
 		{
-			key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type,
-								 	 BUILD_BLOB_ASN1_DER, blob, BUILD_END);
+			whack_log(RC_SUCCESS, "valid passphrase");
 		}
-		if (key == NULL)
-		{
-			plog("  syntax error in %s private key file", pgp ? "PGP":"PKCS#");
-		}			
-		free(blob.ptr);
+	}
+	else if (pass)
+	{	/* use a given passphrase */
+		chunk_t password = chunk_create(pass->secret, strlen(pass->secret));
+		key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type,
+								 BUILD_FROM_FILE, path,
+								 BUILD_PASSPHRASE, password, BUILD_END);
+	}
+	else
+	{	/* no passphrase */
+		key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type,
+								 BUILD_FROM_FILE, path, BUILD_END);
+
+	}
+	if (key)
+	{
+		plog("  loaded private key from '%s'", filename);
 	}
 	else
 	{
-		plog("  error loading private key file");
+		plog("  syntax error in private key file");
 	}
 	return key;
 }
@@ -171,125 +184,166 @@ private_key_t* load_private_key(char* filename, prompt_pass_t *pass,
 /**
  *  Loads a X.509 or OpenPGP certificate
  */
-bool load_cert(char *filename, const char *label, cert_t *cert)
+cert_t* load_cert(char *filename, const char *label, x509_flag_t flags)
 {
-	bool pgp = FALSE;
-	chunk_t blob = chunk_empty;
-
-	/* initialize cert struct */
-	cert->type = CERT_NONE;
-	cert->u.x509 = NULL;
+	cert_t *cert;
 
-	if (load_coded_file(filename, NULL, label, &blob, &pgp))
+	cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_PLUTO_CERT,
+							  BUILD_FROM_FILE, filename,
+							  BUILD_X509_FLAG, flags,
+							  BUILD_END);
+	if (cert)
 	{
-		if (pgp)
-		{
-			pgpcert_t *pgpcert = malloc_thing(pgpcert_t);
-			*pgpcert = pgpcert_empty;
-			if (parse_pgp(blob, pgpcert, NULL))
-			{
-				cert->type = CERT_PGP;
-				cert->u.pgp = pgpcert;
-				return TRUE;
-			}
-			else
-			{
-				plog("  error in OpenPGP certificate");
-				free_pgpcert(pgpcert);
-				return FALSE;
-			}
-		}
-		else
-		{
-			x509cert_t *x509cert = malloc_thing(x509cert_t);
-			*x509cert = empty_x509cert;
-			if (parse_x509cert(blob, 0, x509cert))
-			{
-				cert->type = CERT_X509_SIGNATURE;
-				cert->u.x509 = x509cert;
-				return TRUE;
-			}
-			else
-			{
-				plog("  error in X.509 certificate");
-				free_x509cert(x509cert);
-				return FALSE;
-			}
-		}
+		plog("  loaded %s certificate from '%s'", label, filename);
 	}
-	return FALSE;
+	return cert;
 }
 
 /**
  *  Loads a host certificate
  */
-bool load_host_cert(char *filename, cert_t *cert)
+cert_t* load_host_cert(char *filename)
 {
 	char *path = concatenate_paths(HOST_CERT_PATH, filename);
 
-	return load_cert(path, "host cert", cert);
+	return load_cert(path, "host", X509_NONE);
 }
 
 /**
  *  Loads a CA certificate
  */
-bool load_ca_cert(char *filename, cert_t *cert)
+cert_t* load_ca_cert(char *filename)
 {
 	char *path = concatenate_paths(CA_CERT_PATH, filename);
 
-	return load_cert(path, "CA cert", cert);
+	return load_cert(path, "CA", X509_NONE);
 }
 
 /**
- * establish equality of two certificates
+ * for each link pointing to the certificate increase the count by one
  */
-bool same_cert(const cert_t *a, const cert_t *b)
+void cert_share(cert_t *cert)
 {
-	return a->type == b->type && a->u.x509 == b->u.x509;
+	if (cert != NULL)
+	{
+		cert->count++;
+	}
+}
+
+/*  release of a certificate decreases the count by one
+ *  the certificate is freed when the counter reaches zero
+ */
+void cert_release(cert_t *cert)
+{
+	if (cert && --cert->count == 0)
+	{
+		cert_t **pp = &certs;
+		while (*pp != cert)
+		{
+			pp = &(*pp)->next;
+		}
+		*pp = cert->next;
+		cert_free(cert);
+	}
 }
 
 /**
- * for each link pointing to the certificate increase the count by one
+ * Get a X.509 certificate with a given issuer found at a certain position
  */
-void share_cert(cert_t cert)
+cert_t* get_x509cert(identification_t *issuer, chunk_t keyid, cert_t *chain)
 {
-	switch (cert.type)
+	cert_t *cert = chain ? chain->next : certs;
+
+	while (cert)
 	{
-	case CERT_PGP:
-		share_pgpcert(cert.u.pgp);
-		break;
-	case CERT_X509_SIGNATURE:
-		share_x509cert(cert.u.x509);
-		break;
-	default:
-		break;
+		certificate_t *certificate = cert->cert;
+		x509_t *x509 = (x509_t*)certificate;
+		chunk_t authKeyID = x509->get_authKeyIdentifier(x509);
+
+		if (keyid.ptr ? same_keyid(keyid, authKeyID) :
+			certificate->has_issuer(certificate, issuer))
+		{
+			return cert;
+		}
+		cert = cert->next;
 	}
+	return NULL;
 }
 
-/*  release of a certificate decreases the count by one
- "  the certificate is freed when the counter reaches zero
+/**
+ *  List all PGP end certificates in a chained list
  */
-void
-release_cert(cert_t cert)
+void list_pgp_end_certs(bool utc)
 {
-   switch (cert.type)
+	cert_t *cert = certs;
+	time_t now = time(NULL);
+	bool first = TRUE;
+
+
+	while (cert != NULL)
 	{
-	case CERT_PGP:
-		release_pgpcert(cert.u.pgp);
-		break;
-	case CERT_X509_SIGNATURE:
-		release_x509cert(cert.u.x509);
-		break;
-	default:
-		break;
+		certificate_t *certificate = cert->cert;
+
+		if (certificate->get_type(certificate) == CERT_GPG)
+		{
+			time_t created, until;
+			public_key_t *key;
+			identification_t *userid = certificate->get_subject(certificate);
+			pgp_certificate_t *pgp_cert = (pgp_certificate_t*)certificate;
+			chunk_t fingerprint = pgp_cert->get_fingerprint(pgp_cert);
+
+			if (first)
+			{
+				whack_log(RC_COMMENT, " ");
+				whack_log(RC_COMMENT, "List of PGP End Entity Certificates:");
+				first = false;
+			}
+			whack_log(RC_COMMENT, " ");
+			whack_log(RC_COMMENT, "  userid:   '%Y'", userid);
+			whack_log(RC_COMMENT, "  digest:    %#B", &fingerprint);
+
+			/* list validity */
+			certificate->get_validity(certificate, &now, &created, &until);
+			whack_log(RC_COMMENT, "  created:   %T", &created, utc);
+			whack_log(RC_COMMENT, "  until:     %T %s%s", &until, utc,
+					check_expiry(until, CA_CERT_WARNING_INTERVAL, TRUE),
+					(until == TIME_32_BIT_SIGNED_MAX) ? " (expires never)":"");
+
+			key = certificate->get_public_key(certificate);
+			if (key)
+			{
+				chunk_t keyid;
+
+				whack_log(RC_COMMENT, "  pubkey:    %N %4d bits%s",
+						key_type_names, key->get_type(key),
+						key->get_keysize(key) * BITS_PER_BYTE,
+						has_private_key(cert)? ", has private key" : "");
+				if (key->get_fingerprint(key, KEY_ID_PUBKEY_INFO_SHA1, &keyid))
+				{
+					whack_log(RC_COMMENT, "  keyid:     %#B", &keyid);
+				}
+				if (key->get_fingerprint(key, KEY_ID_PUBKEY_SHA1, &keyid))
+				{
+					whack_log(RC_COMMENT, "  subjkey:   %#B", &keyid);
+				}
+			}
+		}
+		cert = cert->next;
 	}
 }
 
-/*
+/**
+ * List all X.509 end certificates in a chained list
+ */
+void list_x509_end_certs(bool utc)
+{
+	list_x509cert_chain("End Entity", certs, X509_NONE, utc);
+}
+
+/**
  *  list all X.509 and OpenPGP end certificates
  */
-void
-list_certs(bool utc)
+void cert_list(bool utc)
 {
 	list_x509_end_certs(utc);
 	list_pgp_end_certs(utc);
diff --git a/src/pluto/certs.h b/src/pluto/certs.h
index 0810c52fa..21e856a3c 100644
--- a/src/pluto/certs.h
+++ b/src/pluto/certs.h
@@ -18,9 +18,12 @@
 #define _CERTS_H
 
 #include <credentials/keys/private_key.h>
+#include <credentials/certificates/certificate.h>
+#include <credentials/certificates/x509.h>
 
-#include "x509.h"
-#include "pgpcert.h"
+#include <freeswan.h>
+
+#include "defs.h"
 
 /* path definitions for private keys, end certs,
  * cacerts, attribute certs and crls
@@ -43,16 +46,16 @@
 #define CRL_WARNING_INTERVAL             7 /* days */
 #define ACERT_WARNING_INTERVAL           1 /* day */
 
-/* certificate access structure
- * currently X.509 and OpenPGP certificates are supported
- */
-typedef struct {
-	u_char type;
-	union {
-		x509cert_t *x509;
-		pgpcert_t  *pgp;
-	} u;
-} cert_t;
+/* access structure for a pluto certificate */
+
+typedef struct cert_t cert_t;
+
+struct cert_t {
+	certificate_t  *cert;
+	cert_t         *next;
+	int             count;
+	bool            smartcard;
+};
 
 /* used for initialization */
 extern const cert_t cert_empty;
@@ -62,19 +65,17 @@ extern const cert_t cert_empty;
  */
 extern bool no_cr_send;
 
-extern public_key_t* cert_get_public_key(const cert_t cert);
-extern chunk_t cert_get_encoding(cert_t cert);
 extern private_key_t* load_private_key(char* filename, prompt_pass_t *pass,
 									   key_type_t type);
-extern bool load_coded_file(char *filename, prompt_pass_t *pass,
-							const char *type, chunk_t *blob, bool *pgp);
-extern bool load_cert(char *filename, const char *label, cert_t *cert);
-extern bool load_host_cert(char *filename, cert_t *cert);
-extern bool load_ca_cert(char *filename, cert_t *cert);
-extern bool same_cert(const cert_t *a, const cert_t *b);
-extern void share_cert(cert_t cert);
-extern void release_cert(cert_t cert);
-extern void list_certs(bool utc);
+extern cert_t* load_cert(char *filename, const char *label, x509_flag_t flags);
+extern cert_t* load_host_cert(char *filename);
+extern cert_t* load_ca_cert(char *filename);
+extern cert_t* cert_add(cert_t *cert);
+extern void cert_free(cert_t *cert);
+extern void cert_share(cert_t *cert);
+extern void cert_release(cert_t *cert);
+extern void cert_list(bool utc);
+extern cert_t* get_x509cert(identification_t *issuer, chunk_t keyid, cert_t* chain);
 
 #endif /* _CERTS_H */
 
diff --git a/src/pluto/connections.c b/src/pluto/connections.c
index b800b1665..fece34eec 100644
--- a/src/pluto/connections.c
+++ b/src/pluto/connections.c
@@ -30,15 +30,15 @@
 #include <freeswan.h>
 #include "kameipsec.h"
 
+#include <credentials/certificates/ac.h>
 #include <credentials/keys/private_key.h>
 
 #include "constants.h"
 #include "defs.h"
-#include "id.h"
+#include "myid.h"
 #include "x509.h"
 #include "ca.h"
 #include "crl.h"
-#include "pgpcert.h"
 #include "certs.h"
 #include "ac.h"
 #include "smartcard.h"
@@ -62,9 +62,9 @@
 #include "nat_traversal.h"
 #include "virtual.h"
 
-static void flush_pending_by_connection(struct connection *c);  /* forward */
+static void flush_pending_by_connection(connection_t *c);  /* forward */
 
-static struct connection *connections = NULL;
+static connection_t *connections = NULL;
 
 /* struct host_pair: a nexus of information about a pair of hosts.
  * A host is an IP address, UDP port pair.  This is a debatable choice:
@@ -82,34 +82,62 @@ struct host_pair {
 		u_int16_t port; /* host order */
 	} me, him;
 	bool initial_connection_sent;
-	struct connection *connections;     /* connections with this pair */
+	connection_t *connections;     /* connections with this pair */
 	struct pending *pending;    /* awaiting Keying Channel */
 	struct host_pair *next;
 };
 
 static struct host_pair *host_pairs = NULL;
 
-static struct connection *unoriented_connections = NULL;
+static connection_t *unoriented_connections = NULL;
 
-/* check to see that Ids of peers match */
-bool
-same_peer_ids(const struct connection *c, const struct connection *d
-, const struct id *his_id)
+/**
+ * Check if an id was instantiated by assigning to it the current IP address
+ */
+bool his_id_was_instantiated(const connection_t *c)
 {
-	return same_id(&c->spd.this.id, &d->spd.this.id)
-		&& same_id(his_id == NULL? &c->spd.that.id : his_id, &d->spd.that.id);
+	if (c->kind != CK_INSTANCE)
+	{
+		return FALSE;
+	}
+	if (id_is_ipaddr(c->spd.that.id))
+	{
+		identification_t *host;
+		bool equal;
+	
+		host = identification_create_from_sockaddr((sockaddr_t*)&c->spd.that.host_addr);
+		equal = host->equals(host, c->spd.that.id);
+		host->destroy(host);
+		return equal;
+	}
+	else
+	{
+		return TRUE;
+	} 
 }
 
-static struct host_pair *
-find_host_pair(const ip_address *myaddr, u_int16_t myport
-, const ip_address *hisaddr, u_int16_t hisport)
+/**
+ * Check to see that IDs of peers match
+ */
+bool same_peer_ids(const connection_t *c, const connection_t *d,
+				   identification_t *his_id)
+{
+	return d->spd.this.id->equals(d->spd.this.id, c->spd.this.id) &&
+		   d->spd.that.id->equals(d->spd.that.id,
+								  his_id ? his_id : c->spd.that.id);
+}
+
+static struct host_pair *find_host_pair(const ip_address *myaddr,
+										u_int16_t myport,
+										const ip_address *hisaddr,
+										u_int16_t hisport)
 {
 	struct host_pair *p, *prev;
 
 	/* default hisaddr to an appropriate any */
 	if (hisaddr == NULL)
 		hisaddr = aftoinfo(addrtypeof(myaddr))->any;
-		
+
 	if (nat_traversal_enabled)
 	{
 		/**
@@ -125,7 +153,7 @@ find_host_pair(const ip_address *myaddr, u_int16_t myport
 		if (sameaddr(&p->me.addr, myaddr) && p->me.port == myport
 		&&  sameaddr(&p->him.addr, hisaddr) && p->him.port == hisport)
 		{
-			if (prev != NULL)
+			if (prev)
 			{
 				prev->next = p->next;   /* remove p from list */
 				p->next = host_pairs;   /* and stick it on front */
@@ -138,15 +166,16 @@ find_host_pair(const ip_address *myaddr, u_int16_t myport
 }
 
 /* find head of list of connections with this pair of hosts */
-static struct connection *
-find_host_pair_connections(const ip_address *myaddr, u_int16_t myport
-, const ip_address *hisaddr, u_int16_t hisport)
+static connection_t *find_host_pair_connections(const ip_address *myaddr,
+													 u_int16_t myport,
+													 const ip_address *hisaddr,
+														u_int16_t hisport)
 {
 	struct host_pair *hp = find_host_pair(myaddr, myport, hisaddr, hisport);
 
 	if (nat_traversal_enabled && hp && hisaddr)
 	{
-		struct connection *c;
+		connection_t *c;
 
 		for (c = hp->connections; c != NULL; c = c->hp_next)
 		{
@@ -158,8 +187,7 @@ find_host_pair_connections(const ip_address *myaddr, u_int16_t myport
 	return hp == NULL? NULL : hp->connections;
 }
 
-static void
-connect_to_host_pair(struct connection *c)
+static void connect_to_host_pair(connection_t *c)
 {
 	if (oriented(*c))
 	{
@@ -206,10 +234,9 @@ connect_to_host_pair(struct connection *c)
  * Move the winner (if any) to the front.
  * If none is found, and strict, a diagnostic is logged to whack.
  */
-struct connection *
-con_by_name(const char *nm, bool strict)
+connection_t *con_by_name(const char *nm, bool strict)
 {
-	struct connection *p, *prev;
+	connection_t *p, *prev;
 
 	for (prev = NULL, p = connections; ; prev = p, p = p->ac_next)
 	{
@@ -223,7 +250,7 @@ con_by_name(const char *nm, bool strict)
 		if (streq(p->name, nm)
 		&& (!strict || p->kind != CK_INSTANCE))
 		{
-			if (prev != NULL)
+			if (prev)
 			{
 				prev->ac_next = p->ac_next;     /* remove p from list */
 				p->ac_next = connections;       /* and stick it on front */
@@ -235,8 +262,7 @@ con_by_name(const char *nm, bool strict)
 	return p;
 }
 
-void
-release_connection(struct connection *c, bool relations)
+void release_connection(connection_t *c, bool relations)
 {
 	if (c->kind == CK_INSTANCE)
 	{
@@ -264,10 +290,9 @@ release_connection(struct connection *c, bool relations)
 	}
 
 
-void
-delete_connection(struct connection *c, bool relations)
+void delete_connection(connection_t *c, bool relations)
 {
-	struct connection *old_cur_connection
+	connection_t *old_cur_connection
 		= cur_connection == c? NULL : cur_connection;
 #ifdef DEBUG
 	lset_t old_cur_debugging = cur_debugging;
@@ -294,26 +319,30 @@ delete_connection(struct connection *c, bool relations)
 	release_connection(c, relations);   /* won't delete c */
 
 	if (c->kind == CK_GROUP)
+	{
 		delete_group(c);
+	}
 
 	/* free up any logging resources */
 	perpeer_logfree(c);
 
 	/* find and delete c from connections list */
-	list_rm(struct connection, ac_next, c, connections);
+	list_rm(connection_t, ac_next, c, connections);
 	cur_connection = old_cur_connection;
 
 	/* find and delete c from the host pair list */
 	if (c->host_pair == NULL)
 	{
 		if (c->ikev1)
-			list_rm(struct connection, hp_next, c, unoriented_connections);
+		{
+			list_rm(connection_t, hp_next, c, unoriented_connections);
+		}
 	}
 	else
 	{
 		struct host_pair *hp = c->host_pair;
 
-		list_rm(struct connection, hp_next, c, hp->connections);
+		list_rm(connection_t, hp_next, c, hp->connections);
 		c->host_pair = NULL;    /* redundant, but safe */
 
 		/* if there are no more connections with this host_pair
@@ -332,25 +361,45 @@ delete_connection(struct connection *c, bool relations)
 	{
 		free(c->spd.that.virt);
 	}
+
+	/* release virtual IP address lease if any */
+	if (c->spd.that.modecfg && c->spd.that.pool &&
+		!isanyaddr(&c->spd.that.host_srcip))
+	{
+		host_t *vip;
+
+		vip = host_create_from_sockaddr((sockaddr_t*)&c->spd.that.host_srcip);
+		lib->attributes->release_address(lib->attributes, c->spd.that.pool,
+										 vip, c->spd.that.id);
+		vip->destroy(vip);
+	}
+
+	/* free internal data */
 #ifdef DEBUG
 	cur_debugging = old_cur_debugging;
 #endif
 	free(c->name);
-	free_id_content(&c->spd.this.id);
+	DESTROY_IF(c->spd.this.id);
+	DESTROY_IF(c->spd.this.ca);
+	DESTROY_IF(c->spd.this.groups);
 	free(c->spd.this.updown);
-	free(c->spd.this.ca.ptr);
-	free_ietfAttrList(c->spd.this.groups);
-	free_id_content(&c->spd.that.id);
+	free(c->spd.this.pool);
+	DESTROY_IF(c->spd.that.id);
+	DESTROY_IF(c->spd.that.ca);
+	DESTROY_IF(c->spd.that.groups);
 	free(c->spd.that.updown);
-	free(c->spd.that.ca.ptr);
-	free_ietfAttrList(c->spd.that.groups);
-	free_generalNames(c->requested_ca, TRUE);
+	free(c->spd.that.pool);
+	if (c->requested_ca)
+	{
+		c->requested_ca->destroy_offset(c->requested_ca,
+										offsetof(identification_t, destroy));
+	}
 	gw_delref(&c->gw_info);
 
 	lock_certs_and_keys("delete_connection");
-	release_cert(c->spd.this.cert);
+	cert_release(c->spd.this.cert);
 	scx_release(c->spd.this.sc);
-	release_cert(c->spd.that.cert);
+	cert_release(c->spd.that.cert);
 	scx_release(c->spd.that.sc);
 	unlock_certs_and_keys("delete_connection");
 
@@ -361,30 +410,29 @@ delete_connection(struct connection *c, bool relations)
 }
 
 /* Delete connections with the specified name */
-void
-delete_connections_by_name(const char *name, bool strict)
+void delete_connections_by_name(const char *name, bool strict)
 {
-	struct connection *c = con_by_name(name, strict);
+	connection_t *c = con_by_name(name, strict);
 
 	for (; c != NULL; c = con_by_name(name, FALSE))
 		delete_connection(c, FALSE);
 }
 
-void
-delete_every_connection(void)
+void delete_every_connection(void)
 {
-	while (connections != NULL)
+	while (connections)
+	{
 		delete_connection(connections, TRUE);
+	}
 }
 
-void
-release_dead_interfaces(void)
+void release_dead_interfaces(void)
 {
 	struct host_pair *hp;
 
 	for (hp = host_pairs; hp != NULL; hp = hp->next)
 	{
-		struct connection **pp
+		connection_t **pp
 			, *p;
 
 		for (pp = &hp->connections; (p = *pp) != NULL; )
@@ -427,18 +475,17 @@ release_dead_interfaces(void)
 }
 
 /* adjust orientations of connections to reflect newly added interfaces */
-void
-check_orientations(void)
+void check_orientations(void)
 {
 	/* try to orient all the unoriented connections */
 	{
-		struct connection *c = unoriented_connections;
+		connection_t *c = unoriented_connections;
 
 		unoriented_connections = NULL;
 
-		while (c != NULL)
+		while (c)
 		{
-			struct connection *nxt = c->hp_next;
+			connection_t *nxt = c->hp_next;
 
 			(void)orient(c);
 			connect_to_host_pair(c);
@@ -472,12 +519,12 @@ check_orientations(void)
 						 * cost of leaving it is slight and cannot
 						 * be induced by a foe).
 						 */
-						struct connection *c = hp->connections;
+						connection_t *c = hp->connections;
 
 						hp->connections = NULL;
-						while (c != NULL)
+						while (c)
 						{
-							struct connection *nxt = c->hp_next;
+							connection_t *nxt = c->hp_next;
 
 							c->interface = NULL;
 							(void)orient(c);
@@ -491,34 +538,38 @@ check_orientations(void)
 	}
 }
 
-static err_t
-default_end(struct end *e, ip_address *dflt_nexthop)
+static err_t default_end(struct end *e, ip_address *dflt_nexthop)
 {
 	err_t ugh = NULL;
-	const struct af_info *afi = aftoinfo(addrtypeof(&e->host_addr));
+	int af = addrtypeof(&e->host_addr);
 
-	if (afi == NULL)
+	if (af != AF_INET && af != AF_INET6)
+	{
 		return "unknown address family in default_end";
+	}
 
 	/* default ID to IP (but only if not NO_IP -- WildCard) */
-	if (e->id.kind == ID_ANY && !isanyaddr(&e->host_addr))
+	if (e->id->get_type(e->id) == ID_ANY && !isanyaddr(&e->host_addr))
 	{
-		e->id.kind = afi->id_addr;
-		e->id.ip_addr = e->host_addr;
+		e->id->destroy(e->id);
+		e->id = identification_create_from_sockaddr((sockaddr_t*)&e->host_addr);
 		e->has_id_wildcards = FALSE;
 	}
 
 	/* default nexthop to other side */
 	if (isanyaddr(&e->host_nexthop))
+	{
 		e->host_nexthop = *dflt_nexthop;
+	}
 
 	/* default client to subnet containing only self
 	 * XXX This may mean that the client's address family doesn't match
 	 * tunnel_addr_family.
 	 */
 	if (!e->has_client)
+	{
 		ugh = addrtosubnet(&e->host_addr, &e->client);
-
+	}
 	return ugh;
 }
 
@@ -527,15 +578,10 @@ default_end(struct end *e, ip_address *dflt_nexthop)
  * Note: if that==NULL, skip nexthop
  * Returns strlen of formated result (length excludes NUL at end).
  */
-size_t
-format_end(char *buf
-, size_t buf_len
-, const struct end *this
-, const struct end *that
-, bool is_left
-, lset_t policy)
+size_t format_end(char *buf, size_t buf_len, const struct end *this,
+				 const struct end *that, bool is_left, lset_t policy)
 {
-	char client[SUBNETTOT_BUF];
+	char client[BUF_LEN];
 	const char *client_sep = "";
 	char protoport[sizeof(":255/65535")];
 	const char *host = NULL;
@@ -591,17 +637,24 @@ format_end(char *buf
 
 		if (isanyaddr(&client_net) && isanyaddr(&client_mask)
 		&& (policy & (POLICY_GROUP | POLICY_OPPO)))
+		{
 			client_sep = "";    /* boring case */
+		}
 		else if (subnetisnone(&this->client))
+		{
 			strcpy(client, "?");
+		}
 		else
+		{
 			subnettot(&this->client, 0, client, sizeof(client));
+		}
 	}
 	else if (this->modecfg && isanyaddr(&this->host_srcip))
 	{
-		/* we are mode config client */
+		/* we are mode config client, or a server with a pool */
 		client_sep = "===";
-		strcpy(client, "%modecfg");
+		client[0] = '%';
+		strcpy(client+1, this->pool ? this->pool : "modecfg");
 	}
 
 	/* host */
@@ -613,53 +666,50 @@ format_end(char *buf
 
 	host_port[0] = '\0';
 	if (this->host_port != IKE_UDP_PORT)
-		snprintf(host_port, sizeof(host_port), ":%u"
-			, this->host_port);
+	{
+		snprintf(host_port, sizeof(host_port), ":%u", this->host_port);
+	}
 
 	/* payload portocol and port */
 	protoport[0] = '\0';
 	if (this->has_port_wildcard)
+	{
 		snprintf(protoport, sizeof(protoport), ":%u/%%any", this->protocol);
+	}
 	else if (this->port || this->protocol)
+	{
 		snprintf(protoport, sizeof(protoport), ":%u/%u", this->protocol
 			, this->port);
-
-	/* id, if different from host */
-	host_id[0] = '\0';
-	if (this->id.kind == ID_MYID)
-	{
-		strcpy(host_id, "[%myid]");
 	}
-	else if (!(this->id.kind == ID_ANY
-	|| (id_is_ipaddr(&this->id) && sameaddr(&this->id.ip_addr, &this->host_addr))))
-	{
-		int len = idtoa(&this->id, host_id+1, sizeof(host_id)-2);
 
-		host_id[0] = '[';
-		strcpy(&host_id[len < 0? (ptrdiff_t)sizeof(host_id)-2 : 1 + len], "]");
-	}
+	/* id */
+	snprintf(host_id, sizeof(host_id), "[%Y]", this->id); 
 
 	/* [---hop] */
 	hop[0] = '\0';
 	hop_sep = "";
-	if (that != NULL && !sameaddr(&this->host_nexthop, &that->host_addr))
+	if (that && !sameaddr(&this->host_nexthop, &that->host_addr))
 	{
 		addrtot(&this->host_nexthop, 0, hop, sizeof(hop));
 		hop_sep = "---";
 	}
 
 	if (is_left)
+	{
 		snprintf(buf, buf_len, "%s%s%s%s%s%s%s%s%s%s%s"
 			, open_brackets, client, close_brackets, client_sep
 			, this->allow_any? "%":""
 			, host, host_port, host_id, protoport
 			, hop_sep, hop);
+	}
 	else
+	{
 		snprintf(buf, buf_len, "%s%s%s%s%s%s%s%s%s%s%s"
 			, hop, hop_sep
 			, this->allow_any? "%":""
 			, host, host_port, host_id, protoport, client_sep
 			, open_brackets, client, close_brackets);
+	}
 	return strlen(buf);
 }
 
@@ -668,10 +718,9 @@ format_end(char *buf
  */
 #define CONNECTION_BUF  (2 * (END_BUF - 1) + 4)
 
-static size_t
-format_connection(char *buf, size_t buf_len
-				  , const struct connection *c
-				  , struct spd_route *sr)
+static size_t format_connection(char *buf, size_t buf_len,
+								const connection_t *c,
+								struct spd_route *sr)
 {
 	size_t w = format_end(buf, buf_len, &sr->this, &sr->that, TRUE, LEMPTY);
 
@@ -679,22 +728,35 @@ format_connection(char *buf, size_t buf_len
 	return w + format_end(buf + w, buf_len - w, &sr->that, &sr->this, FALSE, c->policy);
 }
 
-static void
-unshare_connection_strings(struct connection *c)
+static void unshare_connection_strings(connection_t *c)
 {
 	c->name = clone_str(c->name);
-
-	unshare_id_content(&c->spd.this.id);
+	c->spd.this.id = c->spd.this.id->clone(c->spd.this.id);
+	c->spd.this.pool = clone_str(c->spd.this.pool);
 	c->spd.this.updown = clone_str(c->spd.this.updown);
 	scx_share(c->spd.this.sc);
-	share_cert(c->spd.this.cert);
-	c->spd.this.ca = chunk_clone(c->spd.this.ca);
-
-	unshare_id_content(&c->spd.that.id);
+	cert_share(c->spd.this.cert);
+	if (c->spd.this.ca)
+	{
+		c->spd.this.ca = c->spd.this.ca->clone(c->spd.this.ca);
+	}
+	if (c->spd.this.groups)
+	{
+		c->spd.this.groups = c->spd.this.groups->get_ref(c->spd.this.groups);
+	}
+	c->spd.that.id = c->spd.that.id->clone(c->spd.that.id);
+	c->spd.that.pool = clone_str(c->spd.that.pool);
 	c->spd.that.updown = clone_str(c->spd.that.updown);
 	scx_share(c->spd.that.sc);
-	share_cert(c->spd.that.cert);
-	c->spd.that.ca = chunk_clone(c->spd.that.ca);
+	cert_share(c->spd.that.cert);
+	if (c->spd.that.ca)
+	{
+		c->spd.that.ca = c->spd.that.ca->clone(c->spd.that.ca);
+	}
+	if (c->spd.that.groups)
+	{
+		c->spd.that.groups = c->spd.that.groups->get_ref(c->spd.that.groups);
+	}
 
 	/* increment references to algo's */
 	alg_info_addref((struct alg_info *)c->alg_info_esp);
@@ -703,137 +765,116 @@ unshare_connection_strings(struct connection *c)
 
 static void load_end_certificate(char *filename, struct end *dst)
 {
-	time_t valid_until;
-	cert_t cert;
-	bool valid_cert = FALSE;
+	time_t notBefore, notAfter;
+	cert_t *cert = NULL;
+	certificate_t *certificate;
 	bool cached_cert = FALSE;
-
+	
 	/* initialize end certificate */
-	dst->cert.type = CERT_NONE;
-	dst->cert.u.x509 = NULL;
+	dst->cert = NULL;
 
 	/* initialize smartcard info record */
 	dst->sc = NULL;
 
-	if (filename != NULL)
+	if (filename)
 	{
 		if (scx_on_smartcard(filename))
 		{
 			/* load cert from smartcard */
-			valid_cert = scx_load_cert(filename, &dst->sc, &cert, &cached_cert);
+			cert = scx_load_cert(filename, &dst->sc, &cached_cert);
 		}
 		else
 		{
 			/* load cert from file */
-			valid_cert = load_host_cert(filename, &cert);
+			cert = load_host_cert(filename);
 		}
 	}
 
-	if (valid_cert)
+	if (cert)
 	{
-		err_t ugh = NULL;
+		certificate = cert->cert;
 
-		switch (cert.type)
+		if (dst->id->get_type(dst->id) == ID_ANY ||
+			!certificate->has_subject(certificate, dst->id))
 		{
-		case CERT_PGP:
-			select_pgpcert_id(cert.u.pgp, &dst->id);
+			plog( "  id '%Y' not confirmed by certificate, defaulting to '%Y'",
+				 dst->id, certificate->get_subject(certificate));
+			dst->id->destroy(dst->id);
+			dst->id = certificate->get_subject(certificate);
+			dst->id = dst->id->clone(dst->id);
+		}
 
-			if (cached_cert)
-				dst->cert = cert;
-			else
+		if (cached_cert)
+		{
+			dst->cert = cert;
+		}
+		else
+		{
+			if (!certificate->get_validity(certificate, NULL, &notBefore, &notAfter))
 			{
-				valid_until = cert.u.pgp->until;
-				add_pgp_public_key(cert.u.pgp, cert.u.pgp->until, DAL_LOCAL);
-				dst->cert.type = cert.type;
-				dst->cert.u.pgp = add_pgpcert(cert.u.pgp);
+				plog("certificate is invalid (valid from %T to %T)",
+					 &notBefore, FALSE, &notAfter, FALSE);
+				cert_free(cert);
+				return;
 			}
-			break;
-		case CERT_X509_SIGNATURE:
-			select_x509cert_id(cert.u.x509, &dst->id);
+			DBG(DBG_CONTROL,
+				DBG_log("certificate is valid")
+			)
+			add_public_key_from_cert(cert, notAfter, DAL_LOCAL);
+			dst->cert = cert_add(cert);
+		}
+		certificate = dst->cert->cert;
 
-			if (cached_cert)
-				dst->cert = cert;
-			else
-			{
-				/* check validity of cert */
-				valid_until = cert.u.x509->notAfter;
-				ugh = check_validity(cert.u.x509, &valid_until);
-				if (ugh != NULL)
-				{
-					plog("  %s", ugh);
-					free_x509cert(cert.u.x509);
-					break;
-				}
+		/* if no CA is defined, use issuer as default */
+		if (dst->ca == NULL && certificate->get_type(certificate) == CERT_X509)
+		{
+			identification_t *issuer;
 
-				DBG(DBG_CONTROL,
-					DBG_log("certificate is valid")
-				)
-				add_x509_public_key(cert.u.x509, valid_until, DAL_LOCAL);
-				dst->cert.type = cert.type;
-				dst->cert.u.x509 = add_x509cert(cert.u.x509);
-			}
-			/* if no CA is defined, use issuer as default */
-			if (dst->ca.ptr == NULL)
-				dst->ca = dst->cert.u.x509->issuer;
-			break;
-		default:
-			break;
+			issuer = certificate->get_issuer(certificate);
+			dst->ca = issuer->clone(issuer);
 		}
 
 		/* cache the certificate that was last retrieved from the smartcard */
-		if (dst->sc != NULL)
+		if (dst->sc)
 		{
-			if (!same_cert(&dst->sc->last_cert, &dst->cert))
+			if (!certificate->equals(certificate, dst->sc->last_cert->cert))
 			{
 				lock_certs_and_keys("load_end_certificates");
-				release_cert(dst->sc->last_cert);
+				cert_release(dst->sc->last_cert);
 				dst->sc->last_cert = dst->cert;
-				share_cert(dst->cert);
+				cert_share(dst->cert);
 				unlock_certs_and_keys("load_end_certificates");
 			}
 			time(&dst->sc->last_load);
 		}
 	}
+	scx_share(dst->sc);
+	cert_share(dst->cert);
 }
 
-static bool
-extract_end(struct end *dst, const whack_end_t *src, const char *which)
+static bool extract_end(struct end *dst, const whack_end_t *src,
+						const char *which)
 {
 	bool same_ca = FALSE;
 
-	/* decode id, if any */
-	if (src->id == NULL)
-	{
-		dst->id.kind = ID_ANY;
-	}
-	else
-	{
-		err_t ugh = atoid(src->id, &dst->id, TRUE);
-
-		if (ugh != NULL)
-		{
-			loglog(RC_BADID, "bad %s --id: %s (ignored)", which, ugh);
-			dst->id = empty_id; /* ignore bad one */
-		}
-	}
-
-	dst->ca = chunk_empty;
+	dst->id = identification_create_from_string(src->id);
+	dst->ca = NULL;
 
 	/* decode CA distinguished name, if any */
-	if (src->ca != NULL)
+	if (src->ca)
 	{
 		if streq(src->ca, "%same")
+		{
 			same_ca = TRUE;
+		}
 		else if (!streq(src->ca, "%any"))
 		{
-			err_t ugh;
-
-			dst->ca.ptr = temporary_cyclic_buffer();
-			ugh = atodn(src->ca, &dst->ca);
-			if (ugh != NULL)
+			dst->ca = identification_create_from_string(src->ca);
+			if (dst->ca->get_type(dst->ca) != ID_DER_ASN1_DN)
 			{
-				plog("bad CA string '%s': %s (ignored)", src->ca, ugh);
-				dst->ca = chunk_empty;
+				plog("bad CA string '%s', ignored", src->ca);
+				dst->ca->destroy(dst->ca);
+				dst->ca = NULL;
 			}
 		}
 	}
@@ -842,10 +883,13 @@ extract_end(struct end *dst, const whack_end_t *src, const char *which)
 	load_end_certificate(src->cert, dst);
 
 	/* does id has wildcards? */
-	dst->has_id_wildcards = id_count_wildcards(&dst->id) > 0;
+	dst->has_id_wildcards = dst->id->contains_wildcards(dst->id);
 
 	/* decode group attributes, if any */
-	decode_groups(src->groups, &dst->groups);
+	if (src->groups)
+	{
+		dst->groups = ietf_attributes_create_from_string(src->groups);
+	}
 
 	/* the rest is simple copying of corresponding fields */
 	dst->host_addr = src->host_addr;
@@ -863,30 +907,38 @@ extract_end(struct end *dst, const whack_end_t *src, const char *which)
 	dst->hostaccess = src->hostaccess;
 	dst->allow_any = src->allow_any;
 	dst->sendcert = src->sendcert;
-	dst->updown = src->updown;
+	dst->updown = clone_str(src->updown);
 	dst->host_port = src->host_port;
 
+	/* if the sourceip netmask is zero a named pool exists */
+	if (src->sourceip_mask == 0)
+	{
+		dst->pool = clone_str(src->sourceip);
+	}
+
 	/* if host sourceip is defined but no client is present
 	 * behind the host then set client to sourceip/32
 	 */
-	if (addrbytesptr(&dst->host_srcip, NULL)
-	&& !isanyaddr(&dst->host_srcip)
-	&& !dst->has_natip
-	&& !dst->has_client)
+	if (addrbytesptr(&dst->host_srcip, NULL) &&
+		!isanyaddr(&dst->host_srcip) && !dst->has_natip && !dst->has_client)
 	{
 		err_t ugh = addrtosubnet(&dst->host_srcip, &dst->client);
 
-		if (ugh != NULL)
+		if (ugh)
+		{
 			plog("could not assign host sourceip to client subnet");
+		}
 		else
+		{
 			dst->has_client = TRUE;
+		}
 	}
 	return same_ca;
 }
 
-static bool
-check_connection_end(const whack_end_t *this, const whack_end_t *that
-, const whack_message_t *wm)
+static bool check_connection_end(const whack_end_t *this,
+								 const whack_end_t *that,
+								 const whack_message_t *wm)
 {
 	if (wm->addr_family != addrtypeof(&this->host_addr)
 	|| wm->addr_family != addrtypeof(&this->host_nexthop)
@@ -921,23 +973,23 @@ check_connection_end(const whack_end_t *this, const whack_end_t *that
 	return TRUE;        /* happy */
 }
 
-struct connection *
-find_connection_by_reqid(uint32_t reqid)
+connection_t *find_connection_by_reqid(uint32_t reqid)
 {
-	struct connection *c;
+	connection_t *c;
 
 	reqid &= ~3;
 	for (c = connections; c != NULL; c = c->ac_next)
 	{
 		if (c->spd.reqid == reqid)
+		{
 			return c;
+		}
 	}
 
 	return NULL;
 }
 
-static uint32_t
-gen_reqid(void)
+static uint32_t gen_reqid(void)
 {
 	uint32_t start;
 	static uint32_t reqid = IPSEC_MANUAL_REQID_MAX & ~3;
@@ -946,17 +998,20 @@ gen_reqid(void)
 	do {
 		reqid += 4;
 		if (reqid == 0)
+		{
 			reqid = (IPSEC_MANUAL_REQID_MAX & ~3) + 4;
+		}
 		if (!find_connection_by_reqid(reqid))
+		{
 			return reqid;
+		}
 	} while (reqid != start);
 
 	exit_log("unable to allocate reqid");
 	return 0; /* never reached ... */
 }
 
-void
-add_connection(const whack_message_t *wm)
+void add_connection(const whack_message_t *wm)
 {
 	if (con_by_name(wm->name, FALSE) != NULL)
 	{
@@ -973,45 +1028,50 @@ add_connection(const whack_message_t *wm)
 	&& check_connection_end(&wm->left, &wm->right, wm))
 	{
 		bool same_rightca, same_leftca;
-		struct connection *c = malloc_thing(struct connection);
+		connection_t *c = malloc_thing(connection_t);
 
 		zero(c);
-		c->name   = wm->name;
+		c->name   = clone_str(wm->name);
 		c->ikev1  = wm->ikev1;
 		c->policy = wm->policy;
 
 		if ((c->policy & POLICY_COMPRESS) && !can_do_IPcomp)
+		{
 			loglog(RC_COMMENT
 				, "ignoring --compress in \"%s\" because KLIPS is not configured to do IPCOMP"
 				, c->name);
+		}
 
 		if (wm->esp)
 		{
 			 DBG(DBG_CONTROL,
 				DBG_log("from whack: got --esp=%s", wm->esp ? wm->esp: "NULL")
 			)
-			c->alg_info_esp= alg_info_esp_create_from_str(wm->esp? wm->esp : "");
+			c->alg_info_esp = alg_info_esp_create_from_str(wm->esp? wm->esp : "");
 
 			DBG(DBG_CRYPT|DBG_CONTROL,
 				static char buf[BUF_LEN]="<NULL>";
 
 				if (c->alg_info_esp)
+				{
 					alg_info_snprint(buf, sizeof(buf)
 							,(struct alg_info *)c->alg_info_esp);
+				}
 				DBG_log("esp proposal: %s", buf);
 			)
 			if (c->alg_info_esp)
 			{
-				if (c->alg_info_esp->alg_info_cnt==0)
-					 loglog(RC_LOG_SERIOUS
-							, "got 0 transforms for esp=\"%s\"", wm->esp);
+				if (c->alg_info_esp->alg_info_cnt == 0)
+				{
+					 loglog(RC_LOG_SERIOUS, "got 0 esp transforms");
+				}
 			}
 			else
 			{
-				loglog(RC_LOG_SERIOUS, "esp string error");
+				loglog(RC_LOG_SERIOUS, "syntax error in esp string");
 			}
 		}
-		
+
 		if (wm->ike)
 		{
 			DBG(DBG_CONTROL,
@@ -1023,22 +1083,25 @@ add_connection(const whack_message_t *wm)
 				static char buf[BUF_LEN]="<NULL>";
 
 				if (c->alg_info_ike)
+				{
 					alg_info_snprint(buf, sizeof(buf)
 							, (struct alg_info *)c->alg_info_ike);
+				}
 				DBG_log("ike proposal: %s", buf);
 			)
 			if (c->alg_info_ike)
 			{
-				if (c->alg_info_ike->alg_info_cnt==0)
-					loglog(RC_LOG_SERIOUS
-						   , "got 0 transforms for ike=\"%s\"", wm->ike);
+				if (c->alg_info_ike->alg_info_cnt == 0)
+				{
+					loglog(RC_LOG_SERIOUS, "got 0 ike transforms");
+				}
 			}
 			else
 			{
-				loglog(RC_LOG_SERIOUS, "ike string error:");
+				loglog(RC_LOG_SERIOUS, "syntax error in ike string");
 			}
 		}
-		
+
 		c->sa_ike_life_seconds = wm->sa_ike_life_seconds;
 		c->sa_ipsec_life_seconds = wm->sa_ipsec_life_seconds;
 		c->sa_rekey_margin = wm->sa_rekey_margin;
@@ -1059,9 +1122,13 @@ add_connection(const whack_message_t *wm)
 		same_rightca = extract_end(&c->spd.that, &wm->right, "right");
 
 		if (same_rightca)
-			c->spd.that.ca = c->spd.this.ca;
+		{
+			c->spd.that.ca = c->spd.this.ca->clone(c->spd.this.ca);
+		}
 		else if (same_leftca)
-			c->spd.this.ca = c->spd.that.ca;
+		{
+			c->spd.this.ca = c->spd.that.ca->clone(c->spd.that.ca);
+		}
 
 		default_end(&c->spd.this, &c->spd.that.host_addr);
 		default_end(&c->spd.that, &c->spd.this.host_addr);
@@ -1127,16 +1194,17 @@ add_connection(const whack_message_t *wm)
 				c->spd.that.has_client = TRUE;
 		}
 
-		unshare_connection_strings(c);
 		(void)orient(c);
 
 		if (c->ikev1)
+		{
 			connect_to_host_pair(c);
+		}
 
 		/* log all about this connection */
 		plog("added connection description \"%s\"", c->name);
 		DBG(DBG_CONTROL,
-			char topo[CONNECTION_BUF];
+			char topo[BUF_LEN];
 
 			(void) format_connection(topo, sizeof(topo), c, &c->spd);
 
@@ -1172,12 +1240,10 @@ add_connection(const whack_message_t *wm)
  * Returns name of new connection.  May be NULL.
  * Caller is responsible for freeing.
  */
-char *
-add_group_instance(struct connection *group, const ip_subnet *target)
+char *add_group_instance(connection_t *group, const ip_subnet *target)
 {
-	char namebuf[100]
-		, targetbuf[SUBNETTOT_BUF];
-	struct connection *t;
+	char namebuf[100], targetbuf[SUBNETTOT_BUF];
+	connection_t *t;
 	char *name = NULL;
 
 	passert(group->kind == CK_GROUP);
@@ -1213,7 +1279,7 @@ add_group_instance(struct connection *group, const ip_subnet *target)
 		if (t->spd.that.virt)
 		{
 			DBG_log("virtual_ip not supported in group instance");
-			t->spd.that.virt = NULL;    
+			t->spd.that.virt = NULL;
 		}
 
 		/* add to connections list */
@@ -1234,9 +1300,8 @@ add_group_instance(struct connection *group, const ip_subnet *target)
 }
 
 /* an old target has disappeared for a group: delete instance */
-void
-remove_group_instance(const struct connection *group USED_BY_DEBUG
-, const char *name)
+void remove_group_instance(const connection_t *group USED_BY_DEBUG,
+						   const char *name)
 {
 	passert(group->kind == CK_GROUP);
 	passert(oriented(*group));
@@ -1254,13 +1319,10 @@ remove_group_instance(const struct connection *group USED_BY_DEBUG
  *
  * Note that instantiate can only deal with a single SPD/eroute.
  */
-static struct connection *
-instantiate(struct connection *c, const ip_address *him
-, u_int16_t his_port
-, const struct id *his_id)
+static connection_t *instantiate(connection_t *c, const ip_address *him,
+								 u_int16_t his_port, identification_t *his_id)
 {
-	struct connection *d;
-	int wildcards;
+	connection_t *d;
 
 	passert(c->kind == CK_TEMPLATE);
 	passert(c->spd.next == NULL);
@@ -1269,15 +1331,20 @@ instantiate(struct connection *c, const ip_address *him
 	d = clone_thing(*c);
 	d->spd.that.allow_any = FALSE;
 
-	if (his_id != NULL)
+	if (his_id)
 	{
-		passert(match_id(his_id, &d->spd.that.id, &wildcards));
-		d->spd.that.id = *his_id;
+		d->spd.that.id = his_id;
 		d->spd.that.has_id_wildcards = FALSE;
 	}
 	unshare_connection_strings(d);
-	unshare_ietfAttrList(&d->spd.this.groups);
-	unshare_ietfAttrList(&d->spd.that.groups);
+	if (d->spd.this.groups)
+	{
+		d->spd.this.groups = d->spd.this.groups->get_ref(d->spd.this.groups);
+	}
+	if (d->spd.that.groups)
+	{
+		d->spd.that.groups = d->spd.that.groups->get_ref(d->spd.that.groups);
+	}
 	d->kind = CK_INSTANCE;
 
 	passert(oriented(*d));
@@ -1318,11 +1385,11 @@ instantiate(struct connection *c, const ip_address *him
 	}
 }
 
-struct connection *
-rw_instantiate(struct connection *c, const ip_address *him, u_int16_t his_port
-, const ip_subnet *his_net, const struct id *his_id)
+connection_t *rw_instantiate(connection_t *c, const ip_address *him,
+							 u_int16_t his_port, const ip_subnet *his_net,
+							 identification_t *his_id)
 {
-	struct connection *d = instantiate(c, him, his_port, his_id);
+	connection_t *d = instantiate(c, him, his_port, his_id);
 
 	if (d && his_net && is_virtual_connection(c))
 	{
@@ -1345,15 +1412,12 @@ rw_instantiate(struct connection *c, const ip_address *him, u_int16_t his_port
 	return d;
 }
 
-struct connection *
-oppo_instantiate(struct connection *c
-, const ip_address *him
-, const struct id *his_id
-, struct gw_info *gw
-, const ip_address *our_client USED_BY_DEBUG
-, const ip_address *peer_client)
+connection_t *oppo_instantiate(connection_t *c, const ip_address *him,
+							   identification_t *his_id, struct gw_info *gw,
+							   const ip_address *our_client USED_BY_DEBUG,
+							   const ip_address *peer_client)
 {
-	struct connection *d = instantiate(c, him, 0, his_id);
+	connection_t *d = instantiate(c, him, 0, his_id);
 
 	passert(d->spd.next == NULL);
 
@@ -1407,7 +1471,7 @@ oppo_instantiate(struct connection *c
 		d->instance_initiation_ok = TRUE;
 
 	DBG(DBG_CONTROL,
-		char topo[CONNECTION_BUF];
+		char topo[BUF_LEN];
 
 		(void) format_connection(topo, sizeof(topo), d, &d->spd);
 		DBG_log("instantiated \"%s\": %s", d->name, topo);
@@ -1416,14 +1480,17 @@ oppo_instantiate(struct connection *c
 }
 
 /* priority formatting */
-void
-fmt_policy_prio(policy_prio_t pp, char buf[POLICY_PRIO_BUF])
+void fmt_policy_prio(policy_prio_t pp, char buf[POLICY_PRIO_BUF])
 {
 	if (pp == BOTTOM_PRIO)
+	{
 		snprintf(buf, POLICY_PRIO_BUF, "0");
+	}
 	else
+	{
 		snprintf(buf, POLICY_PRIO_BUF, "%lu,%lu"
 			, pp>>16, (pp & ~(~(policy_prio_t)0 << 16)) >> 8);
+	}
 }
 
 /* Format any information needed to identify an instance of a connection.
@@ -1431,8 +1498,8 @@ fmt_policy_prio(policy_prio_t pp, char buf[POLICY_PRIO_BUF])
  * Road Warrior: peer's IP address
  * Opportunistic: [" " myclient "==="] " ..." peer ["===" hisclient] '\0'
  */
-static size_t
-fmt_client(const ip_subnet *client, const ip_address *gw, const char *prefix, char buf[ADDRTOT_BUF])
+static size_t fmt_client(const ip_subnet *client, const ip_address *gw,
+						 const char *prefix, char buf[ADDRTOT_BUF])
 {
 	if (subnetisaddr(client, gw))
 	{
@@ -1452,8 +1519,7 @@ fmt_client(const ip_subnet *client, const ip_address *gw, const char *prefix, ch
 	return strlen(buf);
 }
 
-void
-fmt_conn_instance(const struct connection *c, char buf[CONN_INST_BUF])
+void fmt_conn_instance(const connection_t *c, char buf[CONN_INST_BUF])
 {
 	char *p = buf;
 
@@ -1510,13 +1576,12 @@ fmt_conn_instance(const struct connection *c, char buf[CONN_INST_BUF])
  *
  * See also build_outgoing_opportunistic_connection.
  */
-struct connection *
-find_connection_for_clients(struct spd_route **srp,
-							const ip_address *our_client,
-							const ip_address *peer_client,
-							int transport_proto)
+connection_t *find_connection_for_clients(struct spd_route **srp,
+										  const ip_address *our_client,
+										  const ip_address *peer_client,
+										  int transport_proto)
 {
-	struct connection *c = connections, *best = NULL;
+	connection_t *c = connections, *best = NULL;
 	policy_prio_t best_prio = BOTTOM_PRIO;
 	struct spd_route *sr;
 	struct spd_route *best_sr = NULL;
@@ -1540,7 +1605,9 @@ find_connection_for_clients(struct spd_route **srp,
 	for (c = connections; c != NULL; c = c->ac_next)
 	{
 		if (c->kind == CK_GROUP)
+		{
 			continue;
+		}
 
 		for (sr = &c->spd; best!=c && sr; sr = sr->next)
 		{
@@ -1605,11 +1672,14 @@ find_connection_for_clients(struct spd_route **srp,
 		}
 	}
 
-	if (best!= NULL && NEVER_NEGOTIATE(best->policy))
+	if (best && NEVER_NEGOTIATE(best->policy))
+	{
 		best = NULL;
-
-	if (srp != NULL && best != NULL)
+	}
+	if (srp && best)
+	{
 		*srp = best_sr;
+	}
 
 #ifdef DEBUG
 	if (DBGP(DBG_CONTROL))
@@ -1654,25 +1724,18 @@ find_connection_for_clients(struct spd_route **srp,
  * find_connection_for_clients.  In this case, we know the gateways
  * that we need to instantiate an opportunistic connection.
  */
-struct connection *
-build_outgoing_opportunistic_connection(struct gw_info *gw
-										,const ip_address *our_client
-										,const ip_address *peer_client)
+connection_t *build_outgoing_opportunistic_connection(struct gw_info *gw,
+											const ip_address *our_client,
+											const ip_address *peer_client)
 {
 	struct iface *p;
-	struct connection *best = NULL;
+	connection_t *best = NULL;
 	struct spd_route *sr, *bestsr;
 	char ocb[ADDRTOT_BUF], pcb[ADDRTOT_BUF];
 
 	addrtot(our_client, 0, ocb, sizeof(ocb));
 	addrtot(peer_client, 0, pcb, sizeof(pcb));
 
-	passert(!isanyaddr(our_client) && !isanyaddr(peer_client));
-
-	/* We don't know his ID yet, so gw id must be an ipaddr */
-	passert(gw->key != NULL);
-	passert(id_is_ipaddr(&gw->gw_id));
-
 	/* for each of our addresses... */
 	for (p = interfaces; p != NULL; p = p->next)
 	{
@@ -1680,8 +1743,8 @@ build_outgoing_opportunistic_connection(struct gw_info *gw
 		 * We cannot know what port the peer would use, so we assume
 		 * that it is pluto_port (makes debugging easier).
 		 */
-		struct connection *c = find_host_pair_connections(&p->addr
-			, pluto_port, (ip_address *)NULL, pluto_port);
+		connection_t *c = find_host_pair_connections(&p->addr, pluto_port,
+										 (ip_address *)NULL, pluto_port);
 
 		for (; c != NULL; c = c->hp_next)
 		{
@@ -1723,18 +1786,25 @@ build_outgoing_opportunistic_connection(struct gw_info *gw
 		}
 	}
 
-	if (best == NULL
-	|| NEVER_NEGOTIATE(best->policy)
-	|| (best->policy & POLICY_OPPO) == LEMPTY
-	|| best->kind != CK_TEMPLATE)
+	if (best == NULL || NEVER_NEGOTIATE(best->policy) ||
+	   (best->policy & POLICY_OPPO) == LEMPTY || best->kind != CK_TEMPLATE)
+	{
 		return NULL;
+	}
 	else
-		return oppo_instantiate(best, &gw->gw_id.ip_addr, NULL, gw
-							  , our_client, peer_client);
+	{
+		chunk_t encoding = gw->gw_id->get_encoding(gw->gw_id);
+		id_type_t type   = gw->gw_id->get_type(gw->gw_id); 
+		ip_address ip_addr;
+
+		initaddr(encoding.ptr, encoding.len,
+				(type == ID_IPV4_ADDR) ? AF_INET : AF_INET6, &ip_addr);
+
+		return oppo_instantiate(best, &ip_addr, NULL, gw, our_client, peer_client);
+	}
 }
 
-bool
-orient(struct connection *c)
+bool orient(connection_t *c)
 {
 	struct spd_route *sr;
 
@@ -1750,7 +1820,9 @@ orient(struct connection *c)
 			for (p = interfaces; p != NULL; p = p->next)
 			{
 				if (p->ike_float)
+				{
 					continue;
+				}
 
 				for (;;)
 				{
@@ -1796,12 +1868,11 @@ orient(struct connection *c)
 	return oriented(*c);
 }
 
-void
-initiate_connection(const char *name, int whackfd)
+void initiate_connection(const char *name, int whackfd)
 {
-	struct connection *c = con_by_name(name, TRUE);
+	connection_t *c = con_by_name(name, TRUE);
 
-	if (c != NULL && c->ikev1)
+	if (c && c->ikev1)
 	{
 		set_cur_connection(c);
 		if (!oriented(*c))
@@ -1823,11 +1894,11 @@ initiate_connection(const char *name, int whackfd)
 		else
 		{
 			/* do we have to prompt for a PIN code? */
-			if (c->spd.this.sc != NULL && !c->spd.this.sc->valid && whackfd != NULL_FD)
+			if (c->spd.this.sc && !c->spd.this.sc->valid && whackfd != NULL_FD)
 			{
 				scx_get_pin(c->spd.this.sc, whackfd);
 			}
-			if (c->spd.this.sc != NULL && !c->spd.this.sc->valid)
+			if (c->spd.this.sc && !c->spd.this.sc->valid)
 			{
 				loglog(RC_NOVALIDPIN, "cannot initiate connection without valid PIN");
 			}
@@ -1836,8 +1907,8 @@ initiate_connection(const char *name, int whackfd)
 
 				if (c->spd.that.allow_any)
 				{
-					c = instantiate(c, &c->spd.that.host_addr, c->spd.that.host_port
-								  , &c->spd.that.id);
+					c = instantiate(c, &c->spd.that.host_addr,
+									c->spd.that.host_port, c->spd.that.id);
 				}
 
 				/* We will only request an IPsec SA if policy isn't empty
@@ -1928,10 +1999,7 @@ struct find_oppo_continuation {
 	struct find_oppo_bundle b;
 };
 
-static void
-cannot_oppo(struct connection *c
-			, struct find_oppo_bundle *b
-			, err_t ugh)
+static void cannot_oppo(connection_t *c, struct find_oppo_bundle *b, err_t ugh)
 {
 	char pcb[ADDRTOT_BUF];
 	char ocb[ADDRTOT_BUF];
@@ -1946,11 +2014,11 @@ cannot_oppo(struct connection *c
 		, "Can't Opportunistically initiate for %s to %s: %s"
 		, ocb, pcb, ugh);
 
-	if (c != NULL && c->policy_next != NULL)
+	if (c && c->policy_next)
 	{
 		/* there is some policy that comes afterwards */
 		struct spd_route *shunt_spd;
-		struct connection *nc = c->policy_next;
+		connection_t *nc = c->policy_next;
 		struct state *st;
 
 		passert(c->kind == CK_TEMPLATE);
@@ -2048,12 +2116,9 @@ cannot_oppo(struct connection *c
 static void initiate_opportunistic_body(struct find_oppo_bundle *b
 	, struct adns_continuation *ac, err_t ac_ugh);      /* forward */
 
-void
-initiate_opportunistic(const ip_address *our_client
-, const ip_address *peer_client
-, int transport_proto
-, bool held
-, int whackfd)
+void initiate_opportunistic(const ip_address *our_client,
+							const ip_address *peer_client, int transport_proto,
+							bool held, int whackfd)
 {
 	struct find_oppo_bundle b;
 
@@ -2070,11 +2135,10 @@ initiate_opportunistic(const ip_address *our_client
 	initiate_opportunistic_body(&b, NULL, NULL);
 }
 
-static void
-continue_oppo(struct adns_continuation *acr, err_t ugh)
+static void continue_oppo(struct adns_continuation *acr, err_t ugh)
 {
 	struct find_oppo_continuation *cr = (void *)acr;    /* inherit, damn you! */
-	struct connection *c;
+	connection_t *c;
 	bool was_held = cr->b.held;
 	int whackfd = cr->b.whackfd;
 
@@ -2095,7 +2159,7 @@ continue_oppo(struct adns_continuation *acr, err_t ugh)
 
 #ifdef DEBUG
 	/* if we're going to ignore the error, at least note it in debugging log */
-	if (cr->b.failure_ok && ugh != NULL)
+	if (cr->b.failure_ok && ugh)
 	{
 		DBG(DBG_CONTROL | DBG_DNS,
 			{
@@ -2110,7 +2174,7 @@ continue_oppo(struct adns_continuation *acr, err_t ugh)
 	}
 #endif
 
-	if (!cr->b.failure_ok && ugh != NULL)
+	if (!cr->b.failure_ok && ugh)
 	{
 		c = find_connection_for_clients(NULL, &cr->b.our_client, &cr->b.peer_client
 			, cr->b.transport_proto);
@@ -2145,10 +2209,8 @@ continue_oppo(struct adns_continuation *acr, err_t ugh)
 }
 
 #ifdef USE_KEYRR
-static err_t
-check_key_recs(enum myid_state try_state
-, const struct connection *c
-, struct adns_continuation *ac)
+static err_t check_key_recs(enum myid_state try_state, const connection_t *c,
+							struct adns_continuation *ac)
 {
 	/* Check if KEY lookup yielded good results.
 	 * Looking up based on our ID.  Used if
@@ -2194,14 +2256,15 @@ check_key_recs(enum myid_state try_state
 			}
 		}
 	}
-	if (ugh != NULL)
+	if (ugh)
+	{
 		myid_state = old_myid_state;
+	}
 	return ugh;
 }
 #endif /* USE_KEYRR */
 
-static err_t check_txt_recs(enum myid_state try_state,
-							const struct connection *c,
+static err_t check_txt_recs(enum myid_state try_state, const connection_t *c,
 							struct adns_continuation *ac)
 {
 	/* Check if TXT lookup yielded good results.
@@ -2226,7 +2289,7 @@ static err_t check_txt_recs(enum myid_state try_state,
 	{
 		ugh = "we don't know our own RSA key";
 	}
-	else if (!same_id(&ac->id, &c->spd.this.id))
+	else if (!ac->id->equals(ac->id, c->spd.this.id))
 	{
 		ugh = "our ID changed underfoot";
 	}
@@ -2251,7 +2314,7 @@ static err_t check_txt_recs(enum myid_state try_state,
 			}
 		}
 	}
-	if (ugh != NULL)
+	if (ugh)
 	{
 		myid_state = old_myid_state;
 	}
@@ -2260,12 +2323,11 @@ static err_t check_txt_recs(enum myid_state try_state,
 
 
 /* note: gateways_from_dns must be NULL iff this is the first call */
-static void
-initiate_opportunistic_body(struct find_oppo_bundle *b
-, struct adns_continuation *ac
-, err_t ac_ugh)
+static void initiate_opportunistic_body(struct find_oppo_bundle *b,
+										struct adns_continuation *ac,
+										err_t ac_ugh)
 {
-	struct connection *c;
+	connection_t *c;
 	struct spd_route *sr;
 
 	/* What connection shall we use?
@@ -2353,17 +2415,11 @@ initiate_opportunistic_body(struct find_oppo_bundle *b
 		char mycredentialstr[BUF_LEN];
 		char cib[CONN_INST_BUF];
 
-		DBG(DBG_CONTROL, DBG_log("creating new instance from \"%s\"%s"
-								 , c->name
-								 , (fmt_conn_instance(c, cib), cib)));
-								
-
-		idtoa(&sr->this.id, mycredentialstr, sizeof(mycredentialstr));
-
-		passert(c->policy & POLICY_OPPO);   /* can't initiate Road Warrior connections */
+		DBG(DBG_CONTROL, DBG_log("creating new instance from \"%s\"%s",
+								 c->name, (fmt_conn_instance(c, cib), cib)));
+		snprintf(mycredentialstr, BUF_LEN, "%Y", sr->this.id);
 
 		/* handle any DNS answer; select next step */
-
 		switch (b->step)
 		{
 		case fos_start:
@@ -2373,18 +2429,17 @@ initiate_opportunistic_body(struct find_oppo_bundle *b
 
 		case fos_myid_ip_txt:   /* TXT for our default IP address as %myid */
 			ugh = check_txt_recs(MYID_IP, c, ac);
-			if (ugh != NULL)
+			if (ugh)
 			{
 				/* cannot use our IP as OE identitiy for initiation */
-				DBG(DBG_OPPO, DBG_log("can not use our IP (%s:TXT) as identity: %s"
-									  , myid_str[MYID_IP]
-									  , ugh));
+				DBG(DBG_OPPO,
+					DBG_log("can not use our IP (%Y:TXT) as identity: %s",
+							myids[MYID_IP], ugh));
 				if (!logged_myid_ip_txt_warning)
 				{
-					loglog(RC_LOG_SERIOUS
-						   , "can not use our IP (%s:TXT) as identity: %s"
-						   , myid_str[MYID_IP]
-						   , ugh);
+					loglog(RC_LOG_SERIOUS,
+							"can not use our IP (%Y:TXT) as identity: %s",
+							myids[MYID_IP], ugh);
 					logged_myid_ip_txt_warning = TRUE;
 				}
 
@@ -2396,9 +2451,9 @@ initiate_opportunistic_body(struct find_oppo_bundle *b
 				/* we can use our IP as OE identity for initiation */
 				if (!logged_myid_ip_txt_warning)
 				{
-					loglog(RC_LOG_SERIOUS
-						   , "using our IP (%s:TXT) as identity!"
-						   , myid_str[MYID_IP]);
+					loglog(RC_LOG_SERIOUS,
+							"using our IP (%Y:TXT) as identity!",
+							myids[MYID_IP]);
 					logged_myid_ip_txt_warning = TRUE;
 				}
 
@@ -2408,18 +2463,17 @@ initiate_opportunistic_body(struct find_oppo_bundle *b
 
 		case fos_myid_hostname_txt:     /* TXT for our hostname as %myid */
 			ugh = check_txt_recs(MYID_HOSTNAME, c, ac);
-			if (ugh != NULL)
+			if (ugh)
 			{
 				/* cannot use our hostname as OE identitiy for initiation */
-				DBG(DBG_OPPO, DBG_log("can not use our hostname (%s:TXT) as identity: %s"
-									  , myid_str[MYID_HOSTNAME]
-									  , ugh));
+				DBG(DBG_OPPO,
+					DBG_log("can not use our hostname (%Y:TXT) as identity: %s",
+							myids[MYID_HOSTNAME], ugh));
 				if (!logged_myid_fqdn_txt_warning)
 				{
-					loglog(RC_LOG_SERIOUS
-						   , "can not use our hostname (%s:TXT) as identity: %s"
-						   , myid_str[MYID_HOSTNAME]
-						   , ugh);
+					loglog(RC_LOG_SERIOUS,
+							"can not use our hostname (%Y:TXT) as identity: %s",
+							myids[MYID_HOSTNAME], ugh);
 					logged_myid_fqdn_txt_warning = TRUE;
 				}
 #ifdef USE_KEYRR
@@ -2432,9 +2486,9 @@ initiate_opportunistic_body(struct find_oppo_bundle *b
 				/* we can use our hostname as OE identity for initiation */
 				if (!logged_myid_fqdn_txt_warning)
 				{
-					loglog(RC_LOG_SERIOUS
-						   , "using our hostname (%s:TXT) as identity!"
-						   , myid_str[MYID_HOSTNAME]);
+					loglog(RC_LOG_SERIOUS,
+							"using our hostname (%Y:TXT) as identity!",
+							myids[MYID_HOSTNAME]);
 					logged_myid_fqdn_txt_warning = TRUE;
 				}
 				next_step = fos_our_client;
@@ -2444,18 +2498,17 @@ initiate_opportunistic_body(struct find_oppo_bundle *b
 #ifdef USE_KEYRR
 		case fos_myid_ip_key:   /* KEY for our default IP address as %myid */
 			ugh = check_key_recs(MYID_IP, c, ac);
-			if (ugh != NULL)
+			if (ugh)
 			{
 				/* cannot use our IP as OE identitiy for initiation */
-				DBG(DBG_OPPO, DBG_log("can not use our IP (%s:KEY) as identity: %s"
-									  , myid_str[MYID_IP]
-									  , ugh));
+				DBG(DBG_OPPO,
+					DBG_log("can not use our IP (%Y:KEY) as identity: %s",
+							myids[MYID_IP], ugh));
 				if (!logged_myid_ip_key_warning)
 				{
-					loglog(RC_LOG_SERIOUS
-						   , "can not use our IP (%s:KEY) as identity: %s"
-						   , myid_str[MYID_IP]
-						   , ugh);
+					loglog(RC_LOG_SERIOUS,
+							"can not use our IP (%Y:KEY) as identity: %s",
+							myids[MYID_IP], ugh);
 					logged_myid_ip_key_warning = TRUE;
 				}
 
@@ -2467,9 +2520,9 @@ initiate_opportunistic_body(struct find_oppo_bundle *b
 				/* we can use our IP as OE identity for initiation */
 				if (!logged_myid_ip_key_warning)
 				{
-					loglog(RC_LOG_SERIOUS
-						   , "using our IP (%s:KEY) as identity!"
-						   , myid_str[MYID_IP]);
+					loglog(RC_LOG_SERIOUS,
+							"using our IP (%Y:KEY) as identity!",
+							myids[MYID_IP]);
 					logged_myid_ip_key_warning = TRUE;
 				}
 				next_step = fos_our_client;
@@ -2478,21 +2531,19 @@ initiate_opportunistic_body(struct find_oppo_bundle *b
 
 		case fos_myid_hostname_key:     /* KEY for our hostname as %myid */
 			ugh = check_key_recs(MYID_HOSTNAME, c, ac);
-			if (ugh != NULL)
+			if (ugh)
 			{
 				/* cannot use our IP as OE identitiy for initiation */
-				DBG(DBG_OPPO, DBG_log("can not use our hostname (%s:KEY) as identity: %s"
-									  , myid_str[MYID_HOSTNAME]
-									  , ugh));
+				DBG(DBG_OPPO,
+					DBG_log("can not use our hostname (%Y:KEY) as identity: %s",
+							myids[MYID_HOSTNAME], ugh));
 				if (!logged_myid_fqdn_key_warning)
 				{
-					loglog(RC_LOG_SERIOUS
-						   , "can not use our hostname (%s:KEY) as identity: %s"
-						   , myid_str[MYID_HOSTNAME]
-						   , ugh);
+					loglog(RC_LOG_SERIOUS,
+							"can not use our hostname (%Y:KEY) as identity: %s",
+							myids[MYID_HOSTNAME], ugh);
 					logged_myid_fqdn_key_warning = TRUE;
 				}
-
 				next_step = fos_myid_hostname_key;
 				ugh = NULL;     /* failure can be recovered from */
 			}
@@ -2501,9 +2552,9 @@ initiate_opportunistic_body(struct find_oppo_bundle *b
 				/* we can use our IP as OE identity for initiation */
 				if (!logged_myid_fqdn_key_warning)
 				{
-					loglog(RC_LOG_SERIOUS
-						   , "using our hostname (%s:KEY) as identity!"
-						   , myid_str[MYID_HOSTNAME]);
+					loglog(RC_LOG_SERIOUS,
+							"using our hostname (%Y:KEY) as identity!",
+							myids[MYID_HOSTNAME]);
 					logged_myid_fqdn_key_warning = TRUE;
 				}
 				next_step = fos_our_client;
@@ -2522,8 +2573,6 @@ initiate_opportunistic_body(struct find_oppo_bundle *b
 
 				next_step = fos_his_client;     /* normal situation */
 
-				passert(sr != NULL);
-
 				if (private == NULL)
 				{
 					ugh = "we don't know our own RSA key";
@@ -2533,7 +2582,7 @@ initiate_opportunistic_body(struct find_oppo_bundle *b
 					/* this wasn't true when we started -- bail */
 					ugh = "our IP address changed underfoot";
 				}
-				else if (!same_id(&ac->sgw_id, &sr->this.id))
+				else if (!ac->sgw_id->equals(ac->sgw_id, sr->this.id))
 				{
 					/* this wasn't true when we started -- bail */
 					ugh = "our ID changed underfoot";
@@ -2548,8 +2597,6 @@ initiate_opportunistic_body(struct find_oppo_bundle *b
 					ugh = "no TXT RR for our client delegates us";
 					for (gwp = ac->gateways_from_dns; gwp != NULL; gwp = gwp->next)
 					{
-						passert(same_id(&gwp->gw_id, &sr->this.id));
-
 						ugh = "TXT RR for our client has wrong key";
 						/* If there is a key from the TXT record,
 						 * we count it as a win if we match the key.
@@ -2592,7 +2639,7 @@ initiate_opportunistic_body(struct find_oppo_bundle *b
 				{
 					ugh = "we don't know our own RSA key";
 				}
-				else if (!same_id(&ac->id, &c->spd.this.id))
+				else if (!ac->id->equals(ac->id, c->spd.this.id))
 				{
 					ugh = "our ID changed underfoot";
 				}
@@ -2606,8 +2653,6 @@ initiate_opportunistic_body(struct find_oppo_bundle *b
 					ugh = "no TXT RR for us";
 					for (gwp = ac->gateways_from_dns; gwp != NULL; gwp = gwp->next)
 					{
-						passert(same_id(&gwp->gw_id, &sr->this.id));
-
 						ugh = "TXT RR for us has wrong key";
 						if (gwp->gw_key_present &&
 							private->belongs_to(private, gwp->key->public_key))
@@ -2620,7 +2665,7 @@ initiate_opportunistic_body(struct find_oppo_bundle *b
 						}
 					}
 #ifdef USE_KEYRR
-					if (ugh != NULL)
+					if (ugh)
 					{
 						/* if no TXT with right key, try KEY */
 						DBG(DBG_CONTROL,
@@ -2707,18 +2752,14 @@ initiate_opportunistic_body(struct find_oppo_bundle *b
 					/* We cannot seem to instantiate a suitable connection:
 					 * complain clearly.
 					 */
-					char ocb[ADDRTOT_BUF]
-						, pcb[ADDRTOT_BUF]
-						, pb[ADDRTOT_BUF];
+					char ocb[ADDRTOT_BUF], pcb[ADDRTOT_BUF];
 
 					addrtot(&b->our_client, 0, ocb, sizeof(ocb));
 					addrtot(&b->peer_client, 0, pcb, sizeof(pcb));
-					passert(id_is_ipaddr(&ac->gateways_from_dns->gw_id));
-					addrtot(&ac->gateways_from_dns->gw_id.ip_addr, 0, pb, sizeof(pb));
-					loglog(RC_OPPOFAILURE
-						, "no suitable connection for opportunism"
-						  " between %s and %s with %s as peer"
-						, ocb, pcb, pb);
+					loglog(RC_OPPOFAILURE,
+							"no suitable connection for opportunism "
+						  	"between %s and %s with %Y as peer",
+							 ocb, pcb, ac->gateways_from_dns->gw_id);
 
 #ifdef KLIPS
 					if (b->held)
@@ -2774,7 +2815,7 @@ initiate_opportunistic_body(struct find_oppo_bundle *b
 					, ours, his, oppo_step_name[b->step], ugh ? ugh : "ok");
 		});
 
-		if (ugh != NULL)
+		if (ugh)
 		{
 			b->policy_prio = c->prio;
 			b->failure_shunt = shunt_policy_spi(c, FALSE);
@@ -2788,7 +2829,7 @@ initiate_opportunistic_body(struct find_oppo_bundle *b
 		{
 			/* set up the next query */
 			struct find_oppo_continuation *cr = malloc_thing(struct find_oppo_continuation);
-			struct id id;
+			identification_t *id;
 
 			b->policy_prio = c->prio;
 			b->failure_shunt = shunt_policy_spi(c, FALSE);
@@ -2829,23 +2870,20 @@ initiate_opportunistic_body(struct find_oppo_bundle *b
 			switch (next_step)
 			{
 			case fos_myid_ip_txt:
-				if (c->spd.this.id.kind == ID_MYID
+				if (c->spd.this.id->get_type(c->spd.this.id) == ID_MYID
 				&& myid_state != MYID_SPECIFIED)
 				{
 					cr->b.failure_ok = TRUE;
 					cr->b.want = b->want = "TXT record for IP address as %myid";
-					ugh = start_adns_query(&myids[MYID_IP]
-						, &myids[MYID_IP]
-						, T_TXT
-						, continue_oppo
-						, &cr->ac);
+					ugh = start_adns_query(myids[MYID_IP], myids[MYID_IP],
+										   T_TXT, continue_oppo, &cr->ac);
 					break;
 				}
 				cr->b.step = fos_myid_hostname_txt;
 				/* fall through */
 
 			case fos_myid_hostname_txt:
-				if (c->spd.this.id.kind == ID_MYID
+				if (c->spd.this.id->get_type(c->spd.this.id) == ID_MYID
 				&& myid_state != MYID_SPECIFIED)
 				{
 #ifdef USE_KEYRR
@@ -2854,11 +2892,9 @@ initiate_opportunistic_body(struct find_oppo_bundle *b
 					cr->b.failure_ok = FALSE;
 #endif
 					cr->b.want = b->want = "TXT record for hostname as %myid";
-					ugh = start_adns_query(&myids[MYID_HOSTNAME]
-						, &myids[MYID_HOSTNAME]
-						, T_TXT
-						, continue_oppo
-						, &cr->ac);
+					ugh = start_adns_query(myids[MYID_HOSTNAME],
+										   myids[MYID_HOSTNAME],
+										   T_TXT, continue_oppo, &cr->ac);
 					break;
 				}
 
@@ -2872,11 +2908,8 @@ initiate_opportunistic_body(struct find_oppo_bundle *b
 				{
 					cr->b.failure_ok = TRUE;
 					cr->b.want = b->want = "KEY record for IP address as %myid (no good TXT)";
-					ugh = start_adns_query(&myids[MYID_IP]
-						, (const struct id *) NULL      /* security gateway meaningless */
-						, T_KEY
-						, continue_oppo
-						, &cr->ac);
+					ugh = start_adns_query(myids[MYID_IP], NULL, /* security gateway meaningless */
+										   T_KEY, continue_oppo, &cr->ac);
 					break;
 				}
 				cr->b.step = fos_myid_hostname_key;
@@ -2888,11 +2921,8 @@ initiate_opportunistic_body(struct find_oppo_bundle *b
 				{
 					cr->b.failure_ok = FALSE;           /* last attempt! */
 					cr->b.want = b->want = "KEY record for hostname as %myid (no good TXT)";
-					ugh = start_adns_query(&myids[MYID_HOSTNAME]
-						, (const struct id *) NULL      /* security gateway meaningless */
-						, T_KEY
-						, continue_oppo
-						, &cr->ac);
+					ugh = start_adns_query(myids[MYID_HOSTNAME], NULL, /* security gateway meaningless */
+										   T_KEY, continue_oppo, &cr->ac);
 					break;
 				}
 #endif
@@ -2906,12 +2936,10 @@ initiate_opportunistic_body(struct find_oppo_bundle *b
 					 * Note: {unshare|free}_id_content not needed for id: ephemeral.
 					 */
 					cr->b.want = b->want = "our client's TXT record";
-					iptoid(&b->our_client, &id);
-					ugh = start_adns_query(&id
-						, &c->spd.this.id       /* we are the security gateway */
-						, T_TXT
-						, continue_oppo
-						, &cr->ac);
+					id = identification_create_from_sockaddr((sockaddr_t*)&b->our_client);
+					ugh = start_adns_query(id, c->spd.this.id, /* we are the security gateway */
+										   T_TXT, continue_oppo, &cr->ac);
+					id->destroy(id);
 					break;
 				}
 				cr->b.step = fos_our_txt;
@@ -2920,22 +2948,16 @@ initiate_opportunistic_body(struct find_oppo_bundle *b
 			case fos_our_txt:   /* TXT for us */
 				cr->b.failure_ok = b->failure_ok = TRUE;
 				cr->b.want = b->want = "our TXT record";
-				ugh = start_adns_query(&sr->this.id
-					, &sr->this.id             /* we are the security gateway XXX - maybe ignore? mcr */
-					, T_TXT
-					, continue_oppo
-					, &cr->ac);
+				ugh = start_adns_query(sr->this.id, sr->this.id, /* we are the security gateway */
+									   T_TXT, continue_oppo, &cr->ac);
 				break;
 
 #ifdef USE_KEYRR
 			case fos_our_key:   /* KEY for us */
 				cr->b.want = b->want = "our KEY record";
 				cr->b.failure_ok = b->failure_ok = FALSE;
-				ugh = start_adns_query(&sr->this.id
-					, (const struct id *) NULL  /* security gateway meaningless */
-					, T_KEY
-					, continue_oppo
-					, &cr->ac);
+				ugh = start_adns_query(sr->this.id, NULL,  /* security gateway meaningless */
+									   T_KEY, continue_oppo, &cr->ac);
 				break;
 #endif /* USE_KEYRR */
 
@@ -2943,12 +2965,10 @@ initiate_opportunistic_body(struct find_oppo_bundle *b
 				/* note: {unshare|free}_id_content not needed for id: ephemeral */
 				cr->b.want = b->want = "target's TXT record";
 				cr->b.failure_ok = b->failure_ok = FALSE;
-				iptoid(&b->peer_client, &id);
-				ugh = start_adns_query(&id
-					, (const struct id *) NULL  /* security gateway unconstrained */
-					, T_TXT
-					, continue_oppo
-					, &cr->ac);
+				id = identification_create_from_sockaddr((sockaddr_t*)&b->peer_client);
+				ugh = start_adns_query(id, NULL, /* security gateway unconstrained */
+									   T_TXT, continue_oppo, &cr->ac);
+				id->destroy(id);
 				break;
 
 			default:
@@ -2964,20 +2984,19 @@ initiate_opportunistic_body(struct find_oppo_bundle *b
 	close_any(b->whackfd);
 }
 
-void
-terminate_connection(const char *nm)
+void terminate_connection(const char *nm)
 {
 	/* Loop because more than one may match (master and instances)
 	 * But at least one is required (enforced by con_by_name).
 	 */
-	struct connection *c = con_by_name(nm, TRUE);
+	connection_t *c = con_by_name(nm, TRUE);
 
 	if (c == NULL || !c->ikev1)
 		return;
 
 	do
 	{
-		struct connection *n = c->ac_next;  /* grab this before c might disappear */
+		connection_t *n = c->ac_next;  /* grab this before c might disappear */
 
 		if (streq(c->name, nm)
 		&& c->kind >= CK_PERMANENT
@@ -2993,7 +3012,7 @@ terminate_connection(const char *nm)
 			reset_cur_connection();
 		}
 		c = n;
-	} while (c != NULL);
+	} while (c);
 }
 
 /* an ISAKMP SA has been established.
@@ -3002,8 +3021,7 @@ terminate_connection(const char *nm)
  */
 bool uniqueIDs = FALSE; /* --uniqueids? */
 
-void
-ISAKMP_SA_established(struct connection *c, so_serial_t serial)
+void ISAKMP_SA_established(connection_t *c, so_serial_t serial)
 {
 	c->newest_isakmp_sa = serial;
 
@@ -3011,23 +3029,25 @@ ISAKMP_SA_established(struct connection *c, so_serial_t serial)
 	 * whether we are a mode config server with a virtual IP to send.
 	 */
 	if (!isanyaddr(&c->spd.that.host_srcip) && !c->spd.that.has_natip)
+	{
 		c->spd.that.modecfg = TRUE;
-		
+	}
+
 	if (uniqueIDs)
 	{
 		/* for all connections: if the same Phase 1 IDs are used
 		 * for a different IP address, unorient that connection.
 		 */
-		struct connection *d;
+		connection_t *d;
 
 		for (d = connections; d != NULL; )
 		{
-			struct connection *next = d->ac_next;       /* might move underneath us */
+			connection_t *next = d->ac_next;       /* might move underneath us */
 
-			if (d->kind >= CK_PERMANENT
-			&& same_id(&c->spd.this.id, &d->spd.this.id)
-			&& same_id(&c->spd.that.id, &d->spd.that.id)
-			&& !sameaddr(&c->spd.that.host_addr, &d->spd.that.host_addr))
+			if (d->kind >= CK_PERMANENT &&
+				c->spd.this.id->equals(c->spd.this.id, d->spd.this.id) &&
+				c->spd.that.id->equals(c->spd.that.id, d->spd.that.id) &&
+				!sameaddr(&c->spd.that.host_addr, &d->spd.that.host_addr))
 			{
 				release_connection(d, FALSE);
 			}
@@ -3047,13 +3067,10 @@ ISAKMP_SA_established(struct connection *c, so_serial_t serial)
  * The return value is used to find other connections sharing a route.
  * *erop is used to find other connections sharing an eroute.
  */
-struct connection *
-route_owner(struct connection *c
-			, struct spd_route **srp
-			, struct connection **erop
-			, struct spd_route **esrp)
+connection_t *route_owner(connection_t *c, struct spd_route **srp,
+						  connection_t **erop, struct spd_route **esrp)
 {
-	struct connection *d
+	connection_t *d
 		, *best_ro = c
 		, *best_ero = c;
 	struct spd_route *srd, *src;
@@ -3076,11 +3093,17 @@ route_owner(struct connection *c
 			for (src = &c->spd; src; src=src->next)
 			{
 				if (!samesubnet(&src->that.client, &srd->that.client))
+				{
 					continue;
+				}
 				if (src->that.protocol != srd->that.protocol)
+				{
 					continue;
+				}
 				if (src->that.port != srd->that.port)
+				{
 					continue;
+				}
 				passert(oriented(*d));
 				if (srd->routing > best_routing)
 				{
@@ -3090,11 +3113,17 @@ route_owner(struct connection *c
 				}
 
 				if (!samesubnet(&src->this.client, &srd->this.client))
+				{
 					continue;
+				}
 				if (src->this.protocol != srd->this.protocol)
+				{
 					continue;
+				}
 				if (src->this.port != srd->this.port)
+				{
 					continue;
+				}
 				if (srd->routing > best_erouting)
 				{
 					best_ero = d;
@@ -3123,7 +3152,7 @@ route_owner(struct connection *c
 					, (fmt_conn_instance(best_ro, cib), cib)
 					, enum_name(&routing_story, best_ro->spd.routing));
 
-			if (erop != NULL)
+			if (erop)
 			{
 				m = builddiag("%s; eroute owner:", m);
 				if (!erouted(best_ero->spd.routing))
@@ -3140,14 +3169,17 @@ route_owner(struct connection *c
 			DBG_log("%s", m);
 		});
 
-	if (erop != NULL)
+	if (erop)
+	{
 		*erop = erouted(best_erouting)? best_ero : NULL;
-
-	if (srp != NULL )
+	}
+	if (srp)
 	{
 		*srp = best_sr;
-		if (esrp != NULL )
+		if (esrp)
+		{
 			*esrp = best_esr;
+		}
 	}
 
 	return routed(best_routing)? best_ro : NULL;
@@ -3157,10 +3189,9 @@ route_owner(struct connection *c
  * There ought to be only one.
  * This might get to be a bottleneck -- try hashing if it does.
  */
-struct connection *
-shunt_owner(const ip_subnet *ours, const ip_subnet *his)
+connection_t *shunt_owner(const ip_subnet *ours, const ip_subnet *his)
 {
-	struct connection *c;
+	connection_t *c;
 	struct spd_route *sr;
 
 	for (c = connections; c != NULL; c = c->ac_next)
@@ -3180,11 +3211,11 @@ shunt_owner(const ip_subnet *ours, const ip_subnet *his)
  * We don't know enough to chose amongst those available.
  * ??? no longer usefully different from find_host_pair_connections
  */
-struct connection *
-find_host_connection(const ip_address *me, u_int16_t my_port
-, const ip_address *him, u_int16_t his_port, lset_t policy)
+connection_t *find_host_connection(const ip_address *me, u_int16_t my_port,
+								   const ip_address *him, u_int16_t his_port,
+								   lset_t policy)
 {
-	struct connection *c = find_host_pair_connections(me, my_port, him, his_port);
+	connection_t *c = find_host_pair_connections(me, my_port, him, his_port);
 
 	if (policy != LEMPTY)
 	{
@@ -3193,7 +3224,7 @@ find_host_connection(const ip_address *me, u_int16_t my_port
 		/* if we have requirements for the policy,
 		 * choose the first matching connection.
 		 */
-		while (c != NULL)
+		while (c)
 		{
 			if (c->policy & auth_requested)
 			{
@@ -3266,25 +3297,25 @@ find_host_connection(const ip_address *me, u_int16_t my_port
  */
 #define PRIO_NO_MATCH_FOUND     2048
 
-struct connection *
-refine_host_connection(const struct state *st, const struct id *peer_id
-, chunk_t peer_ca)
+connection_t *refine_host_connection(const struct state *st,
+									 identification_t *peer_id,
+									 identification_t *peer_ca)
 {
-	struct connection *c = st->st_connection;
-	struct connection *d;
-	struct connection *best_found = NULL;
+	connection_t *c = st->st_connection;
+	connection_t *d;
+	connection_t *best_found = NULL;
 	u_int16_t auth = st->st_oakley.auth;
 	lset_t auth_policy = POLICY_PSK;
 	const chunk_t *psk = NULL;
 	bool wcpip; /* wildcard Peer IP? */
 	int best_prio = PRIO_NO_MATCH_FOUND;
-	int wildcards, our_pathlen, peer_pathlen;
+	int our_pathlen, peer_pathlen;
 
-	if (same_id(&c->spd.that.id, peer_id)
-	&& trusted_ca(peer_ca, c->spd.that.ca, &peer_pathlen)
-	&& peer_pathlen == 0
-	&& match_requested_ca(c->requested_ca, c->spd.this.ca, &our_pathlen)
-	&& our_pathlen == 0)
+	if (c->spd.that.id->equals(c->spd.that.id, peer_id) &&
+		trusted_ca(peer_ca, c->spd.that.ca, &peer_pathlen) &&
+		peer_pathlen == 0 &&
+		match_requested_ca(c->requested_ca, c->spd.this.ca, &our_pathlen) &&
+		our_pathlen == 0)
 	{
 		DBG(DBG_CONTROL,
 			DBG_log("current connection is a full match"
@@ -3345,8 +3376,10 @@ refine_host_connection(const struct state *st, const struct id *peer_id
 		{
 			const char *match_name[] = {"no", "ok"};
 
-			bool matching_id = match_id(peer_id
-										, &d->spd.that.id, &wildcards);
+			id_match_t match_level = peer_id->matches(peer_id, d->spd.that.id);
+
+			bool matching_id = match_level > ID_MATCH_NONE;
+				
 			bool matching_auth = (d->policy & auth_policy) != LEMPTY;
 
 			bool matching_trust = trusted_ca(peer_ca
@@ -3355,10 +3388,11 @@ refine_host_connection(const struct state *st, const struct id *peer_id
 										, d->spd.this.ca, &our_pathlen);
 			bool match = matching_id && matching_auth && matching_trust;
 
-			int prio = (MAX_WILDCARDS + 1) * !matching_request + wildcards;
+			int prio = (ID_MATCH_PERFECT) * !matching_request +
+						ID_MATCH_PERFECT - match_level;
 
-			prio = (MAX_CA_PATH_LEN + 1) * prio + peer_pathlen;
-			prio = (MAX_CA_PATH_LEN + 1) * prio + our_pathlen;
+			prio = (X509_MAX_PATH_LEN + 1) * prio + peer_pathlen;
+			prio = (X509_MAX_PATH_LEN + 1) * prio + our_pathlen;
 
 			DBG(DBG_CONTROLMORE,
 				DBG_log("%s: %s match (id: %s, auth: %s, trust: %s, request: %s, prio: %4d)"
@@ -3373,11 +3407,15 @@ refine_host_connection(const struct state *st, const struct id *peer_id
 
 			/* do we have a match? */
 			if (!match)
+			{
 				continue;
+			}
 
 			/* ignore group connections */
 			if (d->policy & POLICY_GROUP)
+			{
 				continue;
+			}
 
 			if (c->spd.that.host_port != d->spd.that.host_port
 			&& d->kind == CK_INSTANCE)
@@ -3395,12 +3433,17 @@ refine_host_connection(const struct state *st, const struct id *peer_id
 					const chunk_t *dpsk = get_preshared_secret(d);
 
 					if (dpsk == NULL)
+					{
 						continue;       /* no secret */
-
+					}
 					if (psk != dpsk)
+					{
 						if (psk->len != dpsk->len
 						|| memcmp(psk->ptr, dpsk->ptr, psk->len) != 0)
+						{
 							continue;   /* different secret */
+						}
+					}
 				}
 				break;
 
@@ -3415,7 +3458,9 @@ refine_host_connection(const struct state *st, const struct id *peer_id
 				.*/
 				if (d->spd.this.sc == NULL              /* no smartcard */
 				&& get_private_key(d) == NULL)      /* no private key */
+				{
 					continue;
+				}
 				break;
 
 			default:
@@ -3456,10 +3501,10 @@ refine_host_connection(const struct state *st, const struct id *peer_id
  * With virtual addressing, we must not allow someone to use an already
  * used (by another id) addr/net.
  */
-static bool
-is_virtual_net_used(const ip_subnet *peer_net, const struct id *peer_id)
+static bool is_virtual_net_used(const ip_subnet *peer_net,
+								identification_t *peer_id)
 {
-	struct connection *d;
+	connection_t *d;
 
 	for (d = connections; d != NULL; d = d->ac_next)
 	{
@@ -3469,16 +3514,15 @@ is_virtual_net_used(const ip_subnet *peer_net, const struct id *peer_id)
 		case CK_INSTANCE:
 			if ((subnetinsubnet(peer_net,&d->spd.that.client) ||
 				 subnetinsubnet(&d->spd.that.client,peer_net))
-			&& !same_id(&d->spd.that.id, peer_id))
+			&& !d->spd.that.id->equals(d->spd.that.id, peer_id))
 			{
-				char buf[BUF_LEN];
 				char client[SUBNETTOT_BUF];
 
 				subnettot(peer_net, 0, client, sizeof(client));
-				idtoa(&d->spd.that.id, buf, sizeof(buf));
-				plog("Virtual IP %s is already used by '%s'", client, buf);
-				idtoa(peer_id, buf, sizeof(buf));
-				plog("Your ID is '%s'", buf);
+				plog("Virtual IP %s is already used by '%Y'",
+						 client, d->spd.that.id);
+				plog("Your ID is '%Y'", peer_id);
+
 				return TRUE; /* already used by another one */
 			}
 			break;
@@ -3516,27 +3560,27 @@ is_virtual_net_used(const ip_subnet *peer_net, const struct id *peer_id)
  */
 
 #define PATH_WEIGHT     1
-#define WILD_WEIGHT     (MAX_CA_PATH_LEN+1)
-#define PRIO_WEIGHT     (MAX_WILDCARDS+1)*WILD_WEIGHT
+#define WILD_WEIGHT     (X509_MAX_PATH_LEN+1)
+#define PRIO_WEIGHT     (ID_MATCH_PERFECT+1) * WILD_WEIGHT
 
 /* fc_try: a helper function for find_client_connection */
-static struct connection *
-fc_try(const struct connection *c
-, struct host_pair *hp
-, const struct id *peer_id
-, const ip_subnet *our_net
-, const ip_subnet *peer_net
-, const u_int8_t our_protocol
-, const u_int16_t our_port
-, const u_int8_t peer_protocol
-, const u_int16_t peer_port
-, chunk_t peer_ca
-, const ietfAttrList_t *peer_list)
+static connection_t *fc_try(const connection_t *c, struct host_pair *hp,
+							identification_t *peer_id,
+							const ip_subnet *our_net,
+							const ip_subnet *peer_net,
+							const u_int8_t our_protocol,
+							const u_int16_t our_port,
+							const u_int8_t peer_protocol,
+							const u_int16_t peer_port,
+							identification_t *peer_ca,
+							ietf_attributes_t *peer_attributes)
 {
-	struct connection *d;
-	struct connection *best = NULL;
+	connection_t *d;
+	connection_t *best = NULL;
 	policy_prio_t best_prio = BOTTOM_PRIO;
-	int wildcards, pathlen;
+	id_match_t match_level;
+	int pathlen;
+	
 
 	const bool peer_net_is_host = subnetisaddr(peer_net, &c->spd.that.host_addr);
 
@@ -3545,20 +3589,28 @@ fc_try(const struct connection *c
 		struct spd_route *sr;
 
 		if (d->policy & POLICY_GROUP)
+		{
 			continue;
+		}
 
-		if (!(same_id(&c->spd.this.id, &d->spd.this.id)
-		&& match_id(&c->spd.that.id, &d->spd.that.id, &wildcards)
-		&& trusted_ca(peer_ca, d->spd.that.ca, &pathlen)
-		&& group_membership(peer_list, d->name, d->spd.that.groups)))
+		match_level = c->spd.that.id->matches(c->spd.that.id, d->spd.that.id);
+
+		if (!(c->spd.this.id->equals(c->spd.this.id, d->spd.this.id) &&
+			(match_level > ID_MATCH_NONE) &&
+			trusted_ca(peer_ca, d->spd.that.ca, &pathlen) &&
+			match_group_membership(peer_attributes, d->name, d->spd.that.groups)))
+		{
 			continue;
+		}
 
 		/* compare protocol and ports */
 		if (d->spd.this.protocol != our_protocol
 		||  d->spd.this.port != our_port
 		||  d->spd.that.protocol != peer_protocol
 		|| (d->spd.that.port != peer_port && !d->spd.that.has_port_wildcard))
+		{
 			continue;
+		}
 
 		/* non-Opportunistic case:
 		 * our_client must match.
@@ -3595,29 +3647,38 @@ fc_try(const struct connection *c
 #endif /* DEBUG */
 
 			if (!samesubnet(&sr->this.client, our_net))
+			{
 				continue;
-
+			}
 			if (sr->that.has_client)
 			{
 				if (sr->that.has_client_wildcard)
 				{
 					if (!subnetinsubnet(peer_net, &sr->that.client))
+					{
 						continue;
+					}
 				}
 				else
 				{
 					if (!samesubnet(&sr->that.client, peer_net) && !is_virtual_connection(d))
+					{
 						continue;
+					}
 					if (is_virtual_connection(d)
 					&& (!is_virtual_net_allowed(d, peer_net, &c->spd.that.host_addr)
-						|| is_virtual_net_used(peer_net, peer_id?peer_id:&c->spd.that.id)))
-							continue;
+						|| is_virtual_net_used(peer_net, peer_id?peer_id:c->spd.that.id)))
+					{
+						continue;
+					}
 				}
 			}
 			else
 			{
 				if (!peer_net_is_host)
+				{
 					continue;
+				}
 			}
 
 			/* We've run the gauntlet -- success:
@@ -3629,8 +3690,8 @@ fc_try(const struct connection *c
 			 * - given that, the shortest CA pathlength is preferred
 			 */
 			prio = PRIO_WEIGHT * routed(sr->routing)
-				 + WILD_WEIGHT * (MAX_WILDCARDS - wildcards)
-				 + PATH_WEIGHT * (MAX_CA_PATH_LEN - pathlen)
+				 + WILD_WEIGHT * match_level
+				 + PATH_WEIGHT * (X509_MAX_PATH_LEN - pathlen)
 				 + 1;
 			if (prio > best_prio)
 			{
@@ -3640,9 +3701,10 @@ fc_try(const struct connection *c
 		}
 	}
 
-	if (best != NULL && NEVER_NEGOTIATE(best->policy))
+	if (best && NEVER_NEGOTIATE(best->policy))
+	{
 		best = NULL;
-
+	}
 	DBG(DBG_CONTROLMORE,
 		DBG_log("  fc_try concluding with %s [%ld]"
 				, (best ? best->name : "none"), best_prio)
@@ -3650,22 +3712,22 @@ fc_try(const struct connection *c
 	return best;
 }
 
-static struct connection *
-fc_try_oppo(const struct connection *c
-, struct host_pair *hp
-, const ip_subnet *our_net
-, const ip_subnet *peer_net
-, const u_int8_t our_protocol
-, const u_int16_t our_port
-, const u_int8_t peer_protocol
-, const u_int16_t peer_port
-, chunk_t peer_ca
-, const ietfAttrList_t *peer_list)
+static connection_t *fc_try_oppo(const connection_t *c,
+								 struct host_pair *hp,
+								 const ip_subnet *our_net,
+								 const ip_subnet *peer_net,
+								 const u_int8_t our_protocol,
+								 const u_int16_t our_port,
+								 const u_int8_t peer_protocol,
+								 const u_int16_t peer_port,
+								 identification_t *peer_ca,
+								 ietf_attributes_t *peer_attributes)
 {
-	struct connection *d;
-	struct connection *best = NULL;
+	connection_t *d;
+	connection_t *best = NULL;
 	policy_prio_t best_prio = BOTTOM_PRIO;
-	int wildcards, pathlen;
+	id_match_t match_level;
+	int pathlen;
 
 	for (d = hp->connections; d != NULL; d = d->hp_next)
 	{
@@ -3673,20 +3735,27 @@ fc_try_oppo(const struct connection *c
 		policy_prio_t prio;
 
 		if (d->policy & POLICY_GROUP)
+		{
 			continue;
+		}
+		match_level = c->spd.that.id->matches(c->spd.that.id, c->spd.that.id);
 
-		if (!(same_id(&c->spd.this.id, &d->spd.this.id)
-		&& match_id(&c->spd.that.id, &d->spd.that.id, &wildcards)
-		&& trusted_ca(peer_ca, d->spd.that.ca, &pathlen)
-		&& group_membership(peer_list, d->name, d->spd.that.groups)))
+		if (!(c->spd.this.id->equals(c->spd.this.id, d->spd.this.id) &&
+			(match_level > ID_MATCH_NONE) &&
+			trusted_ca(peer_ca, d->spd.that.ca, &pathlen) &&
+			match_group_membership(peer_attributes, d->name, d->spd.that.groups)))
+		{
 			continue;
+		}
 
 		/* compare protocol and ports */
 		if (d->spd.this.protocol != our_protocol
 		||  d->spd.this.port != our_port
 		||  d->spd.that.protocol != peer_protocol
 		|| (d->spd.that.port != peer_port && !d->spd.that.has_port_wildcard))
+		{
 			continue;
+		}
 
 		/* Opportunistic case:
 		 * our_net must be inside d->spd.this.client
@@ -3714,7 +3783,9 @@ fc_try_oppo(const struct connection *c
 
 			if (!subnetinsubnet(our_net, &sr->this.client)
 			|| !subnetinsubnet(peer_net, &sr->that.client))
+			{
 				continue;
+			}
 
 			/* The connection is feasible, but we continue looking for the best.
 			 * The highest priority wins, implementing eroute-like rule.
@@ -3725,8 +3796,8 @@ fc_try_oppo(const struct connection *c
 			 * - given that, the shortest CA pathlength is preferred
 			 */
 			prio = PRIO_WEIGHT * (d->prio + routed(sr->routing))
-				 + WILD_WEIGHT * (MAX_WILDCARDS - wildcards)
-				 + PATH_WEIGHT * (MAX_CA_PATH_LEN - pathlen);
+				 + WILD_WEIGHT * match_level
+				 + PATH_WEIGHT * (X509_MAX_PATH_LEN - pathlen);
 			if (prio > best_prio)
 			{
 				best = d;
@@ -3736,9 +3807,8 @@ fc_try_oppo(const struct connection *c
 	}
 
 	/* if the best wasn't opportunistic, we fail: it must be a shunt */
-	if (best != NULL
-	&& (NEVER_NEGOTIATE(best->policy)
-		|| (best->policy & POLICY_OPPO) == LEMPTY))
+	if (best && (NEVER_NEGOTIATE(best->policy) ||
+	   (best->policy & POLICY_OPPO) == LEMPTY))
 	{
 		best = NULL;
 	}
@@ -3754,44 +3824,52 @@ fc_try_oppo(const struct connection *c
 /*
  * get the peer's CA and group attributes
  */
-chunk_t
-get_peer_ca_and_groups(struct connection *c, const ietfAttrList_t **peer_list)
+void get_peer_ca_and_groups(connection_t *c,
+							identification_t **peer_ca,
+							ietf_attributes_t **peer_attributes)
 {
-	struct state *p1st = find_phase1_state(c, ISAKMP_SA_ESTABLISHED_STATES);
+	struct state *p1st;
 
-	*peer_list = NULL;
+	*peer_ca = NULL;
+	*peer_attributes = NULL;
 
-	if (p1st != NULL
-	&&  p1st->st_peer_pubkey != NULL
-	&&  p1st->st_peer_pubkey->issuer.ptr != NULL)
+	p1st = find_phase1_state(c, ISAKMP_SA_ESTABLISHED_STATES);
+	if (p1st && p1st->st_peer_pubkey && p1st->st_peer_pubkey->issuer)
 	{
-		x509acert_t *ac = get_x509acert(p1st->st_peer_pubkey->issuer
-									  , p1st->st_peer_pubkey->serial);;
+		certificate_t *cert;
 
-		if (ac != NULL && verify_x509acert(ac, strict_crl_policy))
-			*peer_list = ac->groups;
+		cert = ac_get_cert(p1st->st_peer_pubkey->issuer,
+						   p1st->st_peer_pubkey->serial);
+		if (cert && ac_verify_cert(cert, strict_crl_policy))
+		{
+			ac_t *ac = (ac_t*)cert;
+		
+			*peer_attributes = ac->get_groups(ac);
+		}
 		else
 		{
 			DBG(DBG_CONTROL,
 				DBG_log("no valid attribute cert found")
 			)
 		}
-		return p1st->st_peer_pubkey->issuer;
+		*peer_ca = p1st->st_peer_pubkey->issuer;
 	}
-	return chunk_empty;
 }
 
-struct connection *
-find_client_connection(struct connection *c
-, const ip_subnet *our_net, const ip_subnet *peer_net
-, const u_int8_t our_protocol, const u_int16_t our_port
-, const u_int8_t peer_protocol, const u_int16_t peer_port)
+connection_t *find_client_connection(connection_t *c,
+									 const ip_subnet *our_net,
+									 const ip_subnet *peer_net,
+									 const u_int8_t our_protocol,
+									 const u_int16_t our_port,
+									 const u_int8_t peer_protocol,
+									 const u_int16_t peer_port)
 {
-	struct connection *d;
+	connection_t *d;
 	struct spd_route *sr;
+	ietf_attributes_t *peer_attributes = NULL;
+	identification_t *peer_ca;
 
-	const ietfAttrList_t *peer_list = NULL;
-	chunk_t peer_ca = get_peer_ca_and_groups(c, &peer_list);
+	get_peer_ca_and_groups(c, &peer_ca, &peer_attributes);
 
 #ifdef DEBUG
 	if (DBGP(DBG_CONTROLMORE))
@@ -3813,7 +3891,7 @@ find_client_connection(struct connection *c
 	 * but even greater priority to a routed concrete connection
 	 */
 	{
-		struct connection *unrouted = NULL;
+		connection_t *unrouted = NULL;
 		int srnum = -1;
 
 		for (sr = &c->spd; unrouted == NULL && sr != NULL; sr = sr->next)
@@ -3838,12 +3916,14 @@ find_client_connection(struct connection *c
 			&& sr->this.port == our_port
 			&& sr->that.protocol == peer_protocol
 			&& sr->that.port == peer_port
-			&& group_membership(peer_list, c->name, sr->that.groups))
+			&& match_group_membership(peer_attributes, c->name, sr->that.groups))
 			{
 				passert(oriented(*c));
 				if (routed(sr->routing))
+				{
+					DESTROY_IF(peer_attributes);
 					return c;
-
+				}
 				unrouted = c;
 			}
 		}
@@ -3851,7 +3931,7 @@ find_client_connection(struct connection *c
 		/* exact match? */
 		d = fc_try(c, c->host_pair, NULL, our_net, peer_net
 			, our_protocol, our_port, peer_protocol, peer_port
-			, peer_ca, peer_list);
+			, peer_ca, peer_attributes);
 
 		DBG(DBG_CONTROLMORE,
 			DBG_log("  fc_try %s gives %s"
@@ -3860,7 +3940,9 @@ find_client_connection(struct connection *c
 		)
 
 		if (d == NULL)
+		{
 			d = unrouted;
+		}
 	}
 
 	if (d == NULL)
@@ -3890,12 +3972,12 @@ find_client_connection(struct connection *c
 #endif /* DEBUG */
 		}
 
-		if (hp != NULL)
+		if (hp)
 		{
 			/* RW match with actual peer_id or abstract peer_id? */
 			d = fc_try(c, hp, NULL, our_net, peer_net
 				, our_protocol, our_port, peer_protocol, peer_port
-				, peer_ca, peer_list);
+				, peer_ca, peer_attributes);
 
 			if (d == NULL
 			&& subnetishost(our_net)
@@ -3907,7 +3989,7 @@ find_client_connection(struct connection *c
 				 */
 				d = fc_try_oppo(c, hp, our_net, peer_net
 					, our_protocol, our_port, peer_protocol, peer_port
-					, peer_ca, peer_list);
+					, peer_ca, peer_attributes);
 			}
 		}
 	}
@@ -3916,24 +3998,27 @@ find_client_connection(struct connection *c
 		DBG_log("  concluding with d = %s"
 				, (d ? d->name : "none"))
 	)
+	DESTROY_IF(peer_attributes);
 	return d;
 }
 
-int
-connection_compare(const struct connection *ca
-, const struct connection *cb)
+int connection_compare(const connection_t *ca, const connection_t *cb)
 {
 	int ret;
 
 	/* DBG_log("comparing %s to %s", ca->name, cb->name);  */
 
 	ret = strcasecmp(ca->name, cb->name);
-	if (ret != 0)
+	if (ret)
+	{
 		return ret;
+	}
 
 	ret = ca->kind - cb->kind;  /* note: enum connection_kind behaves like int */
-	if (ret != 0)
+	if (ret)
+	{
 		return ret;
+	}
 
 	/* same name, and same type */
 	switch (ca->kind)
@@ -3950,19 +4035,17 @@ connection_compare(const struct connection *ca
 	}
 }
 
-static int
-connection_compare_qsort(const void *a, const void *b)
+static int connection_compare_qsort(const void *a, const void *b)
 {
-	return connection_compare(*(const struct connection *const *)a
-							, *(const struct connection *const *)b);
+	return connection_compare(*(const connection_t *const *)a
+							, *(const connection_t *const *)b);
 }
 
-void
-show_connections_status(bool all, const char *name)
+void show_connections_status(bool all, const char *name)
 {
-	struct connection *c;
+	connection_t *c;
 	int count, i;
-	struct connection **array;
+	connection_t **array;
 
 	/* make an array of connections, and sort it */
 	count = 0;
@@ -3971,7 +4054,7 @@ show_connections_status(bool all, const char *name)
 		if (c->ikev1 && (name == NULL || streq(c->name, name)))
 			count++;
 	}
-	array = malloc(sizeof(struct connection *)*count);
+	array = malloc(sizeof(connection_t *)*count);
 
 	count=0;
 	for (c = connections; c != NULL; c = c->ac_next)
@@ -3981,7 +4064,7 @@ show_connections_status(bool all, const char *name)
 	}
 
 	/* sort it! */
-	qsort(array, count, sizeof(struct connection *), connection_compare_qsort);
+	qsort(array, count, sizeof(connection_t *), connection_compare_qsort);
 
 	for (i = 0; i < count; i++)
 	{
@@ -3999,11 +4082,11 @@ show_connections_status(bool all, const char *name)
 
 		/* show topology */
 		{
-			char topo[CONNECTION_BUF];
+			char topo[BUF_LEN];
 			struct spd_route *sr = &c->spd;
 			int num=0;
 
-			while (sr != NULL)
+			while (sr)
 			{
 				(void) format_connection(topo, sizeof(topo), c, sr);
 				whack_log(RC_COMMENT, "\"%s\"%s: %s; %s; eroute owner: #%lu"
@@ -4018,32 +4101,30 @@ show_connections_status(bool all, const char *name)
 		if (all)
 		{
 			/* show CAs if defined */
-			if (c->spd.this.ca.ptr != NULL || c->spd.that.ca.ptr != NULL)
+			if (c->spd.this.ca && c->spd.that.ca)
 			{
-				char this_ca[BUF_LEN], that_ca[BUF_LEN];
-
-				dntoa_or_null(this_ca, BUF_LEN, c->spd.this.ca, "%any");
-				dntoa_or_null(that_ca, BUF_LEN, c->spd.that.ca, "%any");
+				whack_log(RC_COMMENT, "\"%s\"%s:   CAs: \"%Y\"...\"%Y\"",
+						  c->name, instance, c->spd.this.ca, c->spd.that.ca);
+			}
+			else if (c->spd.this.ca)
+			{
+				whack_log(RC_COMMENT, "\"%s\"%s:   CAs: \"%Y\"...%%any",
+						  c->name, instance, c->spd.this.ca);
 
-				whack_log(RC_COMMENT
-					, "\"%s\"%s:   CAs: '%s'...'%s'"
-					, c->name
-					, instance
-					, this_ca
-					, that_ca);
+			}
+			else if (c->spd.that.ca)
+			{
+				whack_log(RC_COMMENT, "\"%s\"%s:   CAs: %%any...\"%Y\"",
+						  c->name, instance, c->spd.that.ca);
 			}
 
 			/* show group attributes if defined */
-			if (c->spd.that.groups != NULL)
+			if (c->spd.that.groups)
 			{
-				char buf[BUF_LEN];
-		
-				format_groups(c->spd.that.groups, buf, BUF_LEN);
-				whack_log(RC_COMMENT
-					, "\"%s\"%s:   groups: %s"
+				whack_log(RC_COMMENT, "\"%s\"%s:   groups: %s"
 					, c->name
 					, instance
-					, buf);
+					, c->spd.that.groups->get_string(c->spd.that.groups));
 			}
 
 			whack_log(RC_COMMENT
@@ -4058,7 +4139,7 @@ show_connections_status(bool all, const char *name)
 				, (unsigned long) c->sa_keying_tries);
 
 			/* show DPD parameters if defined */
-		
+
 			if (c->dpd_action != DPD_ACTION_NONE)
 				whack_log(RC_COMMENT
 					, "\"%s\"%s:   dpd_action: %N;"
@@ -4095,7 +4176,7 @@ show_connections_status(bool all, const char *name)
 			, instance
 			, c->newest_isakmp_sa
 			, c->newest_ipsec_sa);
-			
+
 		if (all)
 		{
 			ike_alg_show_connection(c, instance);
@@ -4116,7 +4197,7 @@ show_connections_status(bool all, const char *name)
 struct pending {
 	int whack_sock;
 	struct state *isakmp_sa;
-	struct connection *connection;
+	connection_t *connection;
 	lset_t policy;
 	unsigned long try;
 	so_serial_t replacing;
@@ -4125,18 +4206,13 @@ struct pending {
 };
 
 /* queue a Quick Mode negotiation pending completion of a suitable Main Mode */
-void
-add_pending(int whack_sock
-, struct state *isakmp_sa
-, struct connection *c
-, lset_t policy
-, unsigned long try
-, so_serial_t replacing)
+void add_pending(int whack_sock, struct state *isakmp_sa, connection_t *c,
+				 lset_t policy, unsigned long try, so_serial_t replacing)
 {
 	bool already_queued = FALSE;
 	struct pending *p = c->host_pair->pending;
 
-	while (p != NULL)
+	while (p)
 	{
 		if (streq(c->name, p->connection->name))
 		{
@@ -4169,8 +4245,7 @@ add_pending(int whack_sock
  * This is accomplished by closing all the whack socket file descriptors.
  * We go to a lot of trouble to tell each whack, but to not tell it twice.
  */
-void
-release_pending_whacks(struct state *st, err_t story)
+void release_pending_whacks(struct state *st, err_t story)
 {
 	struct pending *p;
 	struct stat stst;
@@ -4202,20 +4277,20 @@ release_pending_whacks(struct state *st, err_t story)
 	}
 }
 
-static void
-delete_pending(struct pending **pp)
+static void delete_pending(struct pending **pp)
 {
 	struct pending *p = *pp;
 
 	*pp = p->next;
-	if (p->connection != NULL)
+	if (p->connection)
+	{
 		connection_discard(p->connection);
+	}
 	close_any(p->whack_sock);
 	free(p);
 }
 
-void
-unpend(struct state *st)
+void unpend(struct state *st)
 {
 	struct pending **pp
 		, *p;
@@ -4241,8 +4316,7 @@ unpend(struct state *st)
 }
 
 /* a Main Mode negotiation has been replaced; update any pending */
-void
-update_pending(struct state *os, struct state *ns)
+void update_pending(struct state *os, struct state *ns)
 {
 	struct pending *p;
 
@@ -4259,12 +4333,11 @@ update_pending(struct state *os, struct state *ns)
 }
 
 /* a Main Mode negotiation has failed; discard any pending */
-void
-flush_pending_by_state(struct state *st)
+void flush_pending_by_state(struct state *st)
 {
 	struct host_pair *hp = st->st_connection->host_pair;
 
-	if (hp != NULL)
+	if (hp)
 	{
 		struct pending **pp
 			, *p;
@@ -4280,10 +4353,9 @@ flush_pending_by_state(struct state *st)
 }
 
 /* a connection has been deleted; discard any related pending */
-static void
-flush_pending_by_connection(struct connection *c)
+static void flush_pending_by_connection(connection_t *c)
 {
-	if (c->host_pair != NULL)
+	if (c->host_pair)
 	{
 		struct pending **pp
 			, *p;
@@ -4303,8 +4375,7 @@ flush_pending_by_connection(struct connection *c)
 	}
 }
 
-void
-show_pending_phase2(const struct host_pair *hp, const struct state *st)
+void show_pending_phase2(const struct host_pair *hp, const struct state *st)
 {
 	const struct pending *p;
 
@@ -4329,8 +4400,7 @@ show_pending_phase2(const struct host_pair *hp, const struct state *st)
  * We must be careful to avoid circularity:
  * we don't touch it if it is CK_GOING_AWAY.
  */
-void
-connection_discard(struct connection *c)
+void connection_discard(connection_t *c)
 {
 	if (c->kind == CK_INSTANCE)
 	{
@@ -4354,28 +4424,26 @@ connection_discard(struct connection *c)
 
 long eclipse_count = 0;
 
-struct connection *
-eclipsed(struct connection *c, struct spd_route **esrp)
+connection_t *eclipsed(connection_t *c, struct spd_route **esrp)
 {
-	struct connection *ue;
+	connection_t *ue;
 	struct spd_route *sr1 = &c->spd;
 
 	ue = NULL;
 
-	while (sr1 != NULL && ue != NULL)
+	while (sr1 && ue)
 	{
 		for (ue = connections; ue != NULL; ue = ue->ac_next)
 		{
 			struct spd_route *srue = &ue->spd;
 
-			while (srue != NULL
-			&& srue->routing == RT_ROUTED_ECLIPSED
+			while (srue	&& srue->routing == RT_ROUTED_ECLIPSED
 			&& !(samesubnet(&sr1->this.client, &srue->this.client)
 				 && samesubnet(&sr1->that.client, &srue->that.client)))
 			{
 				srue = srue->next;
 			}
-			if (srue != NULL && srue->routing==RT_ROUTED_ECLIPSED)
+			if (srue && srue->routing == RT_ROUTED_ECLIPSED)
 			{
 				*esrp = srue;
 				break;
diff --git a/src/pluto/connections.h b/src/pluto/connections.h
index 16cbbfd72..ee2e00da6 100644
--- a/src/pluto/connections.h
+++ b/src/pluto/connections.h
@@ -1,5 +1,6 @@
 /* information about connections between hosts and clients
  * Copyright (C) 1998-2001  D. Hugh Redelmeier
+ * Copyright (C) 2009 Andreas Steffen - Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -17,9 +18,11 @@
 
 #include <sys/queue.h>
 
-#include "id.h"
+#include <utils/linked_list.h>
+#include <utils/identification.h>
+#include <credentials/ietf_attributes/ietf_attributes.h>
+
 #include "certs.h"
-#include "ac.h"
 #include "smartcard.h"
 #include "whack.h"
 
@@ -127,7 +130,7 @@ extern void fmt_policy_prio(policy_prio_t pp, char buf[POLICY_PRIO_BUF]);
 struct virtual_t;
 
 struct end {
-	struct id id;
+	identification_t *id;
 	ip_address
 		host_addr,
 		host_nexthop,
@@ -144,13 +147,14 @@ struct end {
 	u_int16_t host_port;        /* host order */
 	u_int16_t port;             /* host order */
 	u_int8_t protocol;
-	cert_t cert;                /* end certificate */
-	chunk_t ca;                 /* CA distinguished name */
-	struct ietfAttrList *groups;/* access control groups */
+	cert_t *cert;               /* end certificate */
+	identification_t *ca;       /* CA distinguished name */
+	ietf_attributes_t *groups;  /* access control groups */
 	smartcard_t *sc;            /* smartcard reader and key info */
 	struct virtual_t *virt;
 	bool modecfg;               /* this end: request local address from server */
 								/* that end: give local addresses to clients */
+	char *pool;					/* name of an associated virtual IP address pool */
 	bool hostaccess;            /* allow access to host via iptables INPUT/OUTPUT */
 								/* rules if client behind host is a subnet */
 	bool allow_any;             /* IP address is subject to change */
@@ -166,6 +170,8 @@ struct spd_route {
 	uint32_t reqid;
 };
 
+typedef struct connection connection_t;
+
 struct connection {
 	char *name;
 	bool ikev1;
@@ -182,10 +188,10 @@ struct connection {
 	time_t dpd_timeout;
 	dpd_action_t dpd_action;
 
-	char              *log_file_name;       /* name of log file */
-	FILE              *log_file;            /* possibly open FILE */
+	char              *log_file_name;     /* name of log file */
+	FILE              *log_file;          /* possibly open FILE */
 	TAILQ_ENTRY(connection) log_link;     /* linked list of open conns */
-	bool               log_file_err;        /* only bitch once */
+	bool               log_file_err;      /* only bitch once */
 
 	struct spd_route spd;
 
@@ -210,119 +216,110 @@ struct connection {
 	sa_family_t addr_family;            /* between gateways */
 	sa_family_t tunnel_addr_family;     /* between clients */
 
-	struct connection *policy_next;     /* if multiple policies,
+	connection_t *policy_next;          /* if multiple policies,
 										   next one to apply */
-
 	struct gw_info *gw_info;
 	struct alg_info_esp *alg_info_esp;
 	struct alg_info_ike *alg_info_ike;
-
 	struct host_pair *host_pair;
-	struct connection *hp_next;         /* host pair list link */
-
-	struct connection *ac_next;         /* all connections list link */
-
-	generalName_t *requested_ca;        /* collected certificate requests */
+	connection_t *hp_next;              /* host pair list link */
+	connection_t *ac_next;              /* all connections list link */
+	linked_list_t *requested_ca;        /* collected certificate requests */
 	bool got_certrequest;
 };
 
 #define oriented(c) ((c).interface != NULL)
-extern bool orient(struct connection *c);
+extern bool orient(connection_t *c);
 
-extern bool same_peer_ids(const struct connection *c
-	, const struct connection *d, const struct id *his_id);
+extern bool same_peer_ids(const connection_t *c, const connection_t *d,
+						  identification_t *his_id);
 
 /* Format the topology of a connection end, leaving out defaults.
  * Largest left end looks like: client === host : port [ host_id ] --- hop
  * Note: if that==NULL, skip nexthop
  */
 #define END_BUF (SUBNETTOT_BUF + ADDRTOT_BUF + IDTOA_BUF + ADDRTOT_BUF + 10)
-extern size_t format_end(char *buf, size_t buf_len
-	, const struct end *this, const struct end *that
-	, bool is_left, lset_t policy);
+extern size_t format_end(char *buf, size_t buf_len, const struct end *this,
+						 const struct end *that, bool is_left, lset_t policy);
 
 extern void add_connection(const whack_message_t *wm);
 extern void initiate_connection(const char *name, int whackfd);
-extern void initiate_opportunistic(const ip_address *our_client
-	, const ip_address *peer_client, int transport_proto, bool held, int whackfd);
+extern void initiate_opportunistic(const ip_address *our_client,
+								   const ip_address *peer_client,
+								   int transport_proto, bool held, int whackfd);
 extern void terminate_connection(const char *nm);
-extern void release_connection(struct connection *c, bool relations);
-extern void delete_connection(struct connection *c, bool relations);
+extern void release_connection(connection_t *c, bool relations);
+extern void delete_connection(connection_t *c, bool relations);
 extern void delete_connections_by_name(const char *name, bool strict);
 extern void delete_every_connection(void);
-extern char *add_group_instance(struct connection *group, const ip_subnet *target);
-extern void remove_group_instance(const struct connection *group, const char *name);
+extern char *add_group_instance(connection_t *group, const ip_subnet *target);
+extern void remove_group_instance(const connection_t *group, const char *name);
 extern void release_dead_interfaces(void);
 extern void check_orientations(void);
-extern struct connection *route_owner(struct connection *c
-									  , struct spd_route **srp
-									  , struct connection **erop
-									  , struct spd_route **esrp);
-extern struct connection *shunt_owner(const ip_subnet *ours
-	, const ip_subnet *his);
+extern connection_t *route_owner(connection_t *c, struct spd_route **srp,
+								 connection_t **erop, struct spd_route **esrp);
+extern connection_t *shunt_owner(const ip_subnet *ours, const ip_subnet *his);
 
 extern bool uniqueIDs;  /* --uniqueids? */
-extern void ISAKMP_SA_established(struct connection *c, so_serial_t serial);
+extern void ISAKMP_SA_established(connection_t *c, so_serial_t serial);
 
-#define his_id_was_instantiated(c) ((c)->kind == CK_INSTANCE \
-	&& (id_is_ipaddr(&(c)->spd.that.id)? \
-	sameaddr(&(c)->spd.that.id.ip_addr, &(c)->spd.that.host_addr) : TRUE))
+#define id_is_ipaddr(id) ((id)->get_type(id) == ID_IPV4_ADDR || \
+						  (id)->get_type(id) == ID_IPV6_ADDR)
+extern bool his_id_was_instantiated(const connection_t *c);
 
 struct state;   /* forward declaration of tag (defined in state.h) */
-extern struct connection
-	*con_by_name(const char *nm, bool strict),
-	*find_host_connection(const ip_address *me, u_int16_t my_port
-		, const ip_address *him, u_int16_t his_port, lset_t policy),
-	*refine_host_connection(const struct state *st, const struct id *id
-		, chunk_t peer_ca),
-	*find_client_connection(struct connection *c
-		, const ip_subnet *our_net
-		, const ip_subnet *peer_net
-		, const u_int8_t our_protocol
-		, const u_int16_t out_port
-		, const u_int8_t peer_protocol
-		, const u_int16_t peer_port),
-	*find_connection_by_reqid(uint32_t reqid);
-
-extern struct connection *
-find_connection_for_clients(struct spd_route **srp
-							, const ip_address *our_client
-							, const ip_address *peer_client
-							, int transport_proto);
-
-extern chunk_t get_peer_ca_and_groups(struct connection *c
-	, const ietfAttrList_t **peer_list);
-	
+
+extern connection_t* con_by_name(const char *nm, bool strict);
+extern connection_t* find_host_connection(const ip_address *me,
+										  u_int16_t my_port,
+										  const ip_address *him,
+										  u_int16_t his_port, lset_t policy);
+extern connection_t* refine_host_connection(const struct state *st,
+											identification_t *id,
+											identification_t *peer_ca);
+extern connection_t* find_client_connection(connection_t *c,
+											const ip_subnet *our_net,
+											const ip_subnet *peer_net,
+											const u_int8_t our_protocol,
+											const u_int16_t out_port,
+											const u_int8_t peer_protocol,
+											const u_int16_t peer_port);
+extern connection_t* find_connection_by_reqid(uint32_t reqid);
+extern connection_t* find_connection_for_clients(struct spd_route **srp,
+												 const ip_address *our_client,
+												 const ip_address *peer_client,
+												 int transport_proto);
+extern void get_peer_ca_and_groups(connection_t *c,
+								   identification_t **peer_ca, 
+								   ietf_attributes_t **peer_attributes);
+
 /* instantiating routines
  * Note: connection_discard() is in state.h because all its work
  * is looking through state objects.
  */
 struct gw_info; /* forward declaration of tag (defined in dnskey.h) */
 struct alg_info;        /* forward declaration of tag (defined in alg_info.h) */
-extern struct connection *rw_instantiate(struct connection *c
-										 , const ip_address *him
-										 , u_int16_t his_port
-										 , const ip_subnet *his_net
-										 , const struct id *his_id);
-
-extern struct connection *oppo_instantiate(struct connection *c
-										   , const ip_address *him
-										   , const struct id *his_id
-										   , struct gw_info *gw
-										   , const ip_address *our_client
-										   , const ip_address *peer_client);
-
-extern struct connection
-  *build_outgoing_opportunistic_connection(struct gw_info *gw
-										   , const ip_address *our_client
-										   , const ip_address *peer_client);
-
-/* worst case: "[" serial "] " myclient "=== ..." peer "===" hisclient '\0' */
-#define CONN_INST_BUF \
-	(2 + 10 + 1 + SUBNETTOT_BUF + 7 + ADDRTOT_BUF + 3 + SUBNETTOT_BUF + 1)
-
-extern void fmt_conn_instance(const struct connection *c
-	, char buf[CONN_INST_BUF]);
+extern connection_t *rw_instantiate(connection_t *c,
+									const ip_address *him,
+									u_int16_t his_port,
+									const ip_subnet *his_net,
+									identification_t *his_id);
+
+extern connection_t *oppo_instantiate(connection_t *c,
+									  const ip_address *him,
+									  identification_t *his_id,
+									  struct gw_info *gw,
+									  const ip_address *our_client,
+									  const ip_address *peer_client);
+
+extern connection_t
+  *build_outgoing_opportunistic_connection(struct gw_info *gw,
+										   const ip_address *our_client,
+										   const ip_address *peer_client);
+
+#define CONN_INST_BUF	BUF_LEN
+
+extern void fmt_conn_instance(const connection_t *c, char buf[CONN_INST_BUF]);
 
 /* operations on "pending", the structure representing Quick Mode
  * negotiations delayed until a Keying Channel has been negotiated.
@@ -330,12 +327,9 @@ extern void fmt_conn_instance(const struct connection *c
 
 struct pending; /* forward declaration (opaque outside connections.c) */
 
-extern void add_pending(int whack_sock
-	, struct state *isakmp_sa
-	, struct connection *c
-	, lset_t policy
-	, unsigned long try
-	, so_serial_t replacing);
+extern void add_pending(int whack_sock, struct state *isakmp_sa,
+						connection_t *c, lset_t policy, unsigned long try,
+						so_serial_t replacing);
 
 extern void release_pending_whacks(struct state *st, err_t story);
 extern void unpend(struct state *st);
@@ -343,7 +337,7 @@ extern void update_pending(struct state *os, struct state *ns);
 extern void flush_pending_by_state(struct state *st);
 extern void show_pending_phase2(const struct host_pair *hp, const struct state *st);
 
-extern void connection_discard(struct connection *c);
+extern void connection_discard(connection_t *c);
 
 /* A template connection's eroute can be eclipsed by
  * either a %hold or an eroute for an instance iff
@@ -351,15 +345,15 @@ extern void connection_discard(struct connection *c);
  */
 #define eclipsable(sr) (subnetishost(&(sr)->this.client) && subnetishost(&(sr)->that.client))
 extern long eclipse_count;
-extern struct connection *eclipsed(struct connection *c, struct spd_route **);
+extern connection_t *eclipsed(connection_t *c, struct spd_route **);
 
 
 /* print connection status */
 
 extern void show_connections_status(bool all, const char *name);
-extern int  connection_compare(const struct connection *ca
-	, const struct connection *cb);
-extern void update_host_pair(const char *why, struct connection *c
+extern int  connection_compare(const connection_t *ca
+	, const connection_t *cb);
+extern void update_host_pair(const char *why, connection_t *c
 	, const ip_address *myaddr, u_int16_t myport
 	, const ip_address *hisaddr, u_int16_t hisport);
 
diff --git a/src/pluto/constants.c b/src/pluto/constants.c
index e46728d84..6f991fd69 100644
--- a/src/pluto/constants.c
+++ b/src/pluto/constants.c
@@ -25,6 +25,8 @@
 
 #include <freeswan.h>
 
+#include <attributes/attributes.h>
+
 #include "constants.h"
 #include "defs.h"
 #include "log.h"
@@ -61,20 +63,6 @@ enum_names version_names =
 		ISAKMP_MAJOR_VERSION<<ISA_MAJ_SHIFT | ISAKMP_MINOR_VERSION,
 		version_name, NULL };
 
-/* RFC 2459 CRL reason codes */
-
-ENUM(crl_reason_names, REASON_UNSPECIFIED, REASON_REMOVE_FROM_CRL,
-	"unspecified",
-	"key compromise",
-	"ca compromise",
-	"affiliation changed",
-	"superseded",
-	"cessation of operation",
-	"certificate hold",
-	"reason #7",
-	"remove from crl"
-);
-
 /* RFC 3706 Dead Peer Detection */
 
 ENUM(dpd_action_names, DPD_ACTION_NONE, DPD_ACTION_RESTART,
@@ -82,8 +70,8 @@ ENUM(dpd_action_names, DPD_ACTION_NONE, DPD_ACTION_RESTART,
 	"clear",
 	"hold",
 	"restart"
-);	
-	
+);
+
 /* Timer events */
 
 ENUM(timer_event_names, EVENT_NULL, EVENT_LOG_DAILY,
@@ -288,7 +276,7 @@ const char *const payload_name_nat_d[] = {
 
 static enum_names payload_names_nat_d =
 	{ ISAKMP_NEXT_NATD_DRAFTS, ISAKMP_NEXT_NATOA_DRAFTS, payload_name_nat_d, NULL };
-		
+
 enum_names payload_names =
 	{ ISAKMP_NEXT_NONE, ISAKMP_NEXT_NATOA_RFC, payload_name, &payload_names_nat_d };
 
@@ -364,11 +352,21 @@ static const char *const ah_transform_name[] = {
 	"HMAC_SHA2_512",
 	"HMAC_RIPEMD",
 	"AES_XCBC_96",
-	"SIG_RSA"
+	"SIG_RSA",
+	"AES_128_GMAC",
+	"AES_192_GMAC",
+	"AES_256_GMAC"
+};
+
+static const char *const ah_transform_name_high[] = {
+	"HMAC_SHA2_256_96"
 };
 
-enum_names ah_transformid_names =
-	{ AH_MD5, AH_RSA, ah_transform_name, NULL };
+enum_names ah_transform_names_high =
+	{ AH_SHA2_256_96, AH_SHA2_256_96, ah_transform_name_high, NULL };
+
+enum_names ah_transform_names =
+	{ AH_MD5, AH_AES_256_GMAC, ah_transform_name, &ah_transform_names_high };
 
 /* IPsec ESP transform values */
 
@@ -402,11 +400,11 @@ static const char *const esp_transform_name_high[] = {
 	"TWOFISH_CBC"
 };
 
-enum_names esp_transformid_names_high =
+enum_names esp_transform_names_high =
 	{ ESP_SERPENT, ESP_TWOFISH, esp_transform_name_high, NULL };
 
-enum_names esp_transformid_names =
-	{ ESP_DES_IV64, ESP_CAMELLIA, esp_transform_name, &esp_transformid_names_high };
+enum_names esp_transform_names =
+	{ ESP_DES_IV64, ESP_CAMELLIA, esp_transform_name, &esp_transform_names_high };
 
 /* IPCOMP transform values */
 
@@ -677,15 +675,17 @@ static const char *const auth_alg_name[] = {
 };
 
 static const char *const extended_auth_alg_name[] = {
-	"NULL"
-	};
+	"NULL",
+	"HMAC_SHA2_256_96"
+};
 
 enum_names extended_auth_alg_names =
-	{ AUTH_ALGORITHM_NULL, AUTH_ALGORITHM_NULL, extended_auth_alg_name, NULL };
+	{ AUTH_ALGORITHM_NULL, AUTH_ALGORITHM_HMAC_SHA2_256_96,
+		extended_auth_alg_name, NULL };
 
 enum_names auth_alg_names =
-	{ AUTH_ALGORITHM_NONE, AUTH_ALGORITHM_SIG_RSA, auth_alg_name
-		, &extended_auth_alg_names };
+	{ AUTH_ALGORITHM_NONE, AUTH_ALGORITHM_SIG_RSA,
+		auth_alg_name, &extended_auth_alg_names };
 
 /* From draft-beaulieu-ike-xauth */
 static const char *const xauth_type_name[] = {
@@ -859,7 +859,7 @@ static const char *const oakley_auth_name1[] = {
 	"ECDSA signature",
 	"ECDSA-256 signature",
 	"ECDSA-384 signature",
-	"ECDSA-521-signature",   
+	"ECDSA-521-signature",
 };
 
 static const char *const oakley_auth_name2[] = {
@@ -936,7 +936,7 @@ enum_names oakley_group_names_rfc3526 =
 			oakley_group_name_rfc3526, &oakley_group_names_rfc4753 };
 
 enum_names oakley_group_names =
-	{ MODP_768_BIT, MODP_1536_BIT, 
+	{ MODP_768_BIT, MODP_1536_BIT,
 			oakley_group_name, &oakley_group_names_rfc3526 };
 
 /* Oakley Group Type attribute */
@@ -1000,20 +1000,28 @@ static const char *const notification_dpd_name[] = {
 	"R_U_THERE_ACK",
 };
 
+static const char *const notification_juniper_name[] = {
+	"NS_NHTB_INFORM",
+};
+
+enum_names notification_juniper_names =
+	{ NS_NHTB_INFORM, NS_NHTB_INFORM,
+		notification_juniper_name, NULL };
+
 enum_names notification_dpd_names =
 	{ R_U_THERE, R_U_THERE_ACK,
-		notification_dpd_name, NULL };
+		notification_dpd_name, &notification_juniper_names };
 
 enum_names ipsec_notification_names =
 	{ IPSEC_RESPONDER_LIFETIME, IPSEC_INITIAL_CONTACT,
 		ipsec_notification_name, &notification_dpd_names };
 
 enum_names notification_status_names =
-	{ CONNECTED, CONNECTED,
+	{ ISAKMP_CONNECTED, ISAKMP_CONNECTED,
 		notification_status_name, &ipsec_notification_names };
 
 enum_names notification_names =
-	{ INVALID_PAYLOAD_TYPE, UNEQUAL_PAYLOAD_LENGTHS,
+	{ ISAKMP_INVALID_PAYLOAD_TYPE, ISAKMP_UNEQUAL_PAYLOAD_LENGTHS,
 		notification_name, &notification_status_names };
 
 /* MODECFG
@@ -1167,7 +1175,7 @@ const char *const natt_type_bitnames[] = {
 	"4",   "5",   "6",   "7",
 	"8",   "9",   "10",  "11",
 	"12",  "13",  "14",  "15",
-	"16",  "17",  "18",  "19", 
+	"16",  "17",  "18",  "19",
 	"20",  "21",  "22",  "23",
 	"24",  "25",  "26",  "27",
 	"28",  "29",
@@ -1210,8 +1218,8 @@ enum_show(enum_names *ed, unsigned long val)
 
 static char bitnamesbuf[200];   /* only one!  I hope that it is big enough! */
 
-int 
-enum_search(enum_names *ed, const char *str) 
+int
+enum_search(enum_names *ed, const char *str)
 {
 	enum_names  *p;
 	const char *ptr;
diff --git a/src/pluto/constants.h b/src/pluto/constants.h
index 5fe936e08..8c574ebc5 100644
--- a/src/pluto/constants.h
+++ b/src/pluto/constants.h
@@ -16,6 +16,8 @@
 #ifndef _CONSTANTS_H
 #define _CONSTANTS_H
 
+#include <freeswan.h>
+
 #include <utils.h>
 #include <utils/identification.h>
 #include <crypto/hashers/hasher.h>
@@ -135,19 +137,23 @@ extern const char sparse_end[];
  * and in http://www.iana.org/assignments/isakmp-registry
  */
 enum ipsec_authentication_algo {
-  AH_NONE         = 0,
-  AH_MD5          = 2,
-  AH_SHA          = 3,
-  AH_DES          = 4,
-  AH_SHA2_256     = 5,
-  AH_SHA2_384     = 6,
-  AH_SHA2_512     = 7,
-  AH_RIPEMD       = 8,
-  AH_AES_XCBC_MAC = 9,
-  AH_RSA          = 10
+	AH_NONE         = 0,
+	AH_MD5          = 2,
+	AH_SHA          = 3,
+	AH_DES          = 4,
+	AH_SHA2_256     = 5,
+	AH_SHA2_384     = 6,
+	AH_SHA2_512     = 7,
+	AH_RIPEMD       = 8,
+	AH_AES_XCBC_MAC = 9,
+	AH_RSA          = 10,
+	AH_AES_128_GMAC = 11,
+	AH_AES_192_GMAC = 12,
+	AH_AES_256_GMAC = 13,
+	AH_SHA2_256_96  = 252  
 };
 
-extern enum_names ah_transformid_names;
+extern enum_names ah_transform_names;
 
 /* IPsec ESP transform values
  * RFC2407 The Internet IP security Domain of Interpretation for ISAKMP 4.4.4
@@ -155,45 +161,45 @@ extern enum_names ah_transformid_names;
  */
 
 enum ipsec_cipher_algo {
-  ESP_NONE          = 0,
-  ESP_DES_IV64      = 1,
-  ESP_DES           = 2,
-  ESP_3DES          = 3,
-  ESP_RC5           = 4,
-  ESP_IDEA          = 5,
-  ESP_CAST          = 6,
-  ESP_BLOWFISH      = 7,
-  ESP_3IDEA         = 8,
-  ESP_DES_IV32      = 9,
-  ESP_RC4           = 10,
-  ESP_NULL          = 11,
-  ESP_AES           = 12,
-  ESP_AES_CTR       = 13,
-  ESP_AES_CCM_8     = 14,
-  ESP_AES_CCM_12    = 15,
-  ESP_AES_CCM_16    = 16,
-  ESP_UNASSIGNED_17 = 17,
-  ESP_AES_GCM_8     = 18,
-  ESP_AES_GCM_12    = 19,
-  ESP_AES_GCM_16    = 20,
-  ESP_SEED_CBC      = 21,
-  ESP_CAMELLIA      = 22,
-  ESP_SERPENT       = 252,
-  ESP_TWOFISH       = 253
+	ESP_NONE          = 0,
+	ESP_DES_IV64      = 1,
+	ESP_DES           = 2,
+	ESP_3DES          = 3,
+	ESP_RC5           = 4,
+	ESP_IDEA          = 5,
+	ESP_CAST          = 6,
+	ESP_BLOWFISH      = 7,
+	ESP_3IDEA         = 8,
+	ESP_DES_IV32      = 9,
+	ESP_RC4           = 10,
+	ESP_NULL          = 11,
+	ESP_AES           = 12,
+	ESP_AES_CTR       = 13,
+	ESP_AES_CCM_8     = 14,
+	ESP_AES_CCM_12    = 15,
+	ESP_AES_CCM_16    = 16,
+	ESP_UNASSIGNED_17 = 17,
+	ESP_AES_GCM_8     = 18,
+	ESP_AES_GCM_12    = 19,
+	ESP_AES_GCM_16    = 20,
+	ESP_SEED_CBC      = 21,
+	ESP_CAMELLIA      = 22,
+	ESP_SERPENT       = 252,
+	ESP_TWOFISH       = 253
 };
 
-extern enum_names esp_transformid_names;
+extern enum_names esp_transform_names;
 
 /* IPCOMP transform values
  * RFC2407 The Internet IP security Domain of Interpretation for ISAKMP 4.4.5
  */
 
 enum ipsec_comp_algo {
-  IPSCOMP_NONE   = 0,
-  IPCOMP_OUI     = 1,
-  IPCOMP_DEFLATE = 2,
-  IPCOMP_LZS     = 3,
-  IPCOMP_LZJH    = 4
+	IPSCOMP_NONE   = 0,
+	IPCOMP_OUI     = 1,
+	IPCOMP_DEFLATE = 2,
+	IPCOMP_LZS     = 3,
+	IPCOMP_LZJH    = 4
 };
 
 extern enum_names ipcomp_transformid_names;
@@ -202,18 +208,18 @@ extern enum_names ipcomp_transformid_names;
  * RFC 2408 ISAKMP, chapter 3.9
  */
 enum ipsec_cert_type {
-  CERT_NONE=                0,
-  CERT_PKCS7_WRAPPED_X509=  1,
-  CERT_PGP=                 2,
-  CERT_DNS_SIGNED_KEY=      3,
-  CERT_X509_SIGNATURE=      4,
-  CERT_X509_KEY_EXCHANGE=   5,
-  CERT_KERBEROS_TOKENS=     6,
-  CERT_CRL=                 7,
-  CERT_ARL=                 8,
-  CERT_SPKI=                9,
-  CERT_X509_ATTRIBUTE=      10,
-  CERT_RAW_RSA_KEY=         11
+	CERT_NONE=                0,
+	CERT_PKCS7_WRAPPED_X509=  1,
+	CERT_PGP=                 2,
+	CERT_DNS_SIGNED_KEY=      3,
+	CERT_X509_SIGNATURE=      4,
+	CERT_X509_KEY_EXCHANGE=   5,
+	CERT_KERBEROS_TOKENS=     6,
+	CERT_CRL=                 7,
+	CERT_ARL=                 8,
+	CERT_SPKI=                9,
+	CERT_X509_ATTRIBUTE=      10,
+	CERT_RAW_RSA_KEY=         11
 };
 
 /* RFC 2560 OCSP - certificate status */
@@ -225,21 +231,6 @@ typedef enum {
 	CERT_UNDEFINED =    3
 } cert_status_t;
 
-/* RFC 2459 CRL reason codes */
-
-extern enum_name_t *crl_reason_names;
-
-typedef enum {
-	REASON_UNSPECIFIED =                0,
-	REASON_KEY_COMPROMISE =             1,
-	REASON_CA_COMPROMISE =              2,
-	REASON_AFFILIATION_CHANGED =        3,
-	REASON_SUPERSEDED =                 4,
-	REASON_CESSATION_OF_OPERATON =      5,
-	REASON_CERTIFICATE_HOLD =           6,
-	REASON_REMOVE_FROM_CRL =            8
-} crl_reason_t;
-
 /* RFC 3706 Dead Peer Detection */
 
 extern enum_name_t *dpd_action_names;
@@ -549,24 +540,6 @@ extern const char *const payload_name[];
 
 extern enum_names attr_msg_type_names;
 
-/* Mode Config attribute values */
-#define    INTERNAL_IP4_ADDRESS        1
-#define    INTERNAL_IP4_NETMASK        2
-#define    INTERNAL_IP4_DNS            3
-#define    INTERNAL_IP4_NBNS           4
-#define    INTERNAL_ADDRESS_EXPIRY     5
-#define    INTERNAL_IP4_DHCP           6
-#define    APPLICATION_VERSION         7
-#define    INTERNAL_IP6_ADDRESS        8
-#define    INTERNAL_IP6_NETMASK        9
-#define    INTERNAL_IP6_DNS           10
-#define    INTERNAL_IP6_NBNS          11
-#define    INTERNAL_IP6_DHCP          12
-#define    INTERNAL_IP4_SUBNET        13
-#define    SUPPORTED_ATTRIBUTES       14
-#define    INTERNAL_IP6_SUBNET        15
-
-
 extern enum_names modecfg_attr_names;
 
 /* XAUTH attribute values */
@@ -704,10 +677,10 @@ extern enum_name_t *cert_policy_names;
 
 typedef enum certpolicy {
 	CERT_ALWAYS_SEND   = 0,
-	CERT_SEND_IF_ASKED = 1, 
+	CERT_SEND_IF_ASKED = 1,
 	CERT_NEVER_SEND    = 2,
 
- 	CERT_YES_SEND      = 3,       /* synonym for CERT_ALWAYS_SEND */
+	CERT_YES_SEND      = 3,       /* synonym for CERT_ALWAYS_SEND */
 	CERT_NO_SEND       = 4        /* synonym for CERT_NEVER_SEND  */
 } certpolicy_t;
 
@@ -883,18 +856,22 @@ extern enum_names enc_mode_names;
 
 extern enum_names auth_alg_names, extended_auth_alg_names;
 
-#define AUTH_ALGORITHM_NONE             0  /* our private designation */
-#define AUTH_ALGORITHM_HMAC_MD5         1
-#define AUTH_ALGORITHM_HMAC_SHA1        2
-#define AUTH_ALGORITHM_DES_MAC          3
-#define AUTH_ALGORITHM_KPDK             4
-#define AUTH_ALGORITHM_HMAC_SHA2_256    5
-#define AUTH_ALGORITHM_HMAC_SHA2_384    6
-#define AUTH_ALGORITHM_HMAC_SHA2_512    7
-#define AUTH_ALGORITHM_HMAC_RIPEMD      8
-#define AUTH_ALGORITHM_AES_XCBC_MAC     9
-#define AUTH_ALGORITHM_SIG_RSA          10
-#define AUTH_ALGORITHM_NULL             251
+#define AUTH_ALGORITHM_NONE                0  /* our private designation */
+#define AUTH_ALGORITHM_HMAC_MD5            1
+#define AUTH_ALGORITHM_HMAC_SHA1           2
+#define AUTH_ALGORITHM_DES_MAC             3
+#define AUTH_ALGORITHM_KPDK                4
+#define AUTH_ALGORITHM_HMAC_SHA2_256       5
+#define AUTH_ALGORITHM_HMAC_SHA2_384       6
+#define AUTH_ALGORITHM_HMAC_SHA2_512       7
+#define AUTH_ALGORITHM_HMAC_RIPEMD         8
+#define AUTH_ALGORITHM_AES_XCBC_MAC        9
+#define AUTH_ALGORITHM_SIG_RSA            10
+#define AUTH_ALGORITHM_AES_128_GMAC       11
+#define AUTH_ALGORITHM_AES_192_GMAC       12
+#define AUTH_ALGORITHM_AES_256_GMAC       13
+#define AUTH_ALGORITHM_NULL              251
+#define AUTH_ALGORITHM_HMAC_SHA2_256_96  252
 
 /* Oakley Lifetime Type attribute
  * draft-ietf-ipsec-ike-01.txt appendix A
@@ -1026,52 +1003,55 @@ extern enum_names notification_names;
 extern enum_names ipsec_notification_names;
 
 typedef enum {
-	NOTHING_WRONG =             0,  /* unofficial! */
-
-	INVALID_PAYLOAD_TYPE =       1,
-	DOI_NOT_SUPPORTED =          2,
-	SITUATION_NOT_SUPPORTED =    3,
-	INVALID_COOKIE =             4,
-	INVALID_MAJOR_VERSION =      5,
-	INVALID_MINOR_VERSION =      6,
-	INVALID_EXCHANGE_TYPE =      7,
-	INVALID_FLAGS =              8,
-	INVALID_MESSAGE_ID =         9,
-	INVALID_PROTOCOL_ID =       10,
-	INVALID_SPI =               11,
-	INVALID_TRANSFORM_ID =      12,
-	ATTRIBUTES_NOT_SUPPORTED =  13,
-	NO_PROPOSAL_CHOSEN =        14,
-	BAD_PROPOSAL_SYNTAX =       15,
-	PAYLOAD_MALFORMED =         16,
-	INVALID_KEY_INFORMATION =   17,
-	INVALID_ID_INFORMATION =    18,
-	INVALID_CERT_ENCODING =     19,
-	INVALID_CERTIFICATE =       20,
-	CERT_TYPE_UNSUPPORTED =     21,
-	INVALID_CERT_AUTHORITY =    22,
-	INVALID_HASH_INFORMATION =  23,
-	AUTHENTICATION_FAILED =     24,
-	INVALID_SIGNATURE =         25,
-	ADDRESS_NOTIFICATION =      26,
-	NOTIFY_SA_LIFETIME =        27,
-	CERTIFICATE_UNAVAILABLE =   28,
-	UNSUPPORTED_EXCHANGE_TYPE = 29,
-	UNEQUAL_PAYLOAD_LENGTHS =   30,
+	ISAKMP_NOTHING_WRONG =              0,  /* unofficial! */
+
+	ISAKMP_INVALID_PAYLOAD_TYPE =       1,
+	ISAKMP_DOI_NOT_SUPPORTED =          2,
+	ISAKMP_SITUATION_NOT_SUPPORTED =    3,
+	ISAKMP_INVALID_COOKIE =             4,
+	ISAKMP_INVALID_MAJOR_VERSION =      5,
+	ISAKMP_INVALID_MINOR_VERSION =      6,
+	ISAKMP_INVALID_EXCHANGE_TYPE =      7,
+	ISAKMP_INVALID_FLAGS =              8,
+	ISAKMP_INVALID_MESSAGE_ID =         9,
+	ISAKMP_INVALID_PROTOCOL_ID =       10,
+	ISAKMP_INVALID_SPI =               11,
+	ISAKMP_INVALID_TRANSFORM_ID =      12,
+	ISAKMP_ATTRIBUTES_NOT_SUPPORTED =  13,
+	ISAKMP_NO_PROPOSAL_CHOSEN =        14,
+	ISAKMP_BAD_PROPOSAL_SYNTAX =       15,
+	ISAKMP_PAYLOAD_MALFORMED =         16,
+	ISAKMP_INVALID_KEY_INFORMATION =   17,
+	ISAKMP_INVALID_ID_INFORMATION =    18,
+	ISAKMP_INVALID_CERT_ENCODING =     19,
+	ISAKMP_INVALID_CERTIFICATE =       20,
+	ISAKMP_CERT_TYPE_UNSUPPORTED =     21,
+	ISAKMP_INVALID_CERT_AUTHORITY =    22,
+	ISAKMP_INVALID_HASH_INFORMATION =  23,
+	ISAKMP_AUTHENTICATION_FAILED =     24,
+	ISAKMP_INVALID_SIGNATURE =         25,
+	ISAKMP_ADDRESS_NOTIFICATION =      26,
+	ISAKMP_NOTIFY_SA_LIFETIME =        27,
+	ISAKMP_CERTIFICATE_UNAVAILABLE =   28,
+	ISAKMP_UNSUPPORTED_EXCHANGE_TYPE = 29,
+	ISAKMP_UNEQUAL_PAYLOAD_LENGTHS =   30,
 
 	/* ISAKMP status type */
-	CONNECTED =              16384,
+	ISAKMP_CONNECTED =              16384,
 
 	/* IPSEC DOI additions; status types (RFC2407 IPSEC DOI 4.6.3)
 	 * These must be sent under the protection of an ISAKMP SA.
 	 */
-	IPSEC_RESPONDER_LIFETIME = 24576,
-	IPSEC_REPLAY_STATUS =      24577,
-	IPSEC_INITIAL_CONTACT =    24578,
+	IPSEC_RESPONDER_LIFETIME =      24576,
+	IPSEC_REPLAY_STATUS =           24577,
+	IPSEC_INITIAL_CONTACT =         24578,
 
 	/* RFC 3706 DPD */
-	R_U_THERE =                36136,
-	R_U_THERE_ACK =            36137
+	R_U_THERE =                     36136,
+	R_U_THERE_ACK =                 36137,
+
+	/* Juniper SRX private use */
+	NS_NHTB_INFORM =                40001
 
 	} notification_t;
 
diff --git a/src/pluto/crl.c b/src/pluto/crl.c
index c800f2acc..84fe77554 100644
--- a/src/pluto/crl.c
+++ b/src/pluto/crl.c
@@ -24,11 +24,6 @@
 
 #include <freeswan.h>
 
-#include <asn1/asn1.h>
-#include <asn1/asn1_parser.h>
-#include <asn1/oid.h>
-#include <crypto/hashers/hasher.h>
-
 #include "constants.h"
 #include "defs.h"
 #include "log.h"
@@ -39,145 +34,53 @@
 #include "keys.h"
 #include "whack.h"
 #include "fetch.h"
+#include "builder.h"
 
 
 /* chained lists of X.509 crls */
 
-static x509crl_t  *x509crls      = NULL;
-
-/**
-  * ASN.1 definition of an X.509 certificate revocation list
- */
-static const asn1Object_t crlObjects[] = {
-	{ 0, "certificateList",				ASN1_SEQUENCE,     ASN1_OBJ  }, /*  0 */
-	{ 1,   "tbsCertList",				ASN1_SEQUENCE,     ASN1_OBJ  }, /*  1 */
-	{ 2,     "version",					ASN1_INTEGER,      ASN1_OPT |
-														   ASN1_BODY }, /*  2 */
-	{ 2,     "end opt",					ASN1_EOC,          ASN1_END  }, /*  3 */
-	{ 2,     "signature",				ASN1_EOC,          ASN1_RAW  }, /*  4 */	
-	{ 2,     "issuer",					ASN1_SEQUENCE,     ASN1_OBJ  }, /*  5 */
-	{ 2,     "thisUpdate",				ASN1_EOC,          ASN1_RAW  }, /*  6 */
-	{ 2,     "nextUpdate",				ASN1_EOC,          ASN1_RAW  }, /*  7 */
-	{ 2,     "revokedCertificates",		ASN1_SEQUENCE,     ASN1_OPT |
-														   ASN1_LOOP }, /*  8 */
-	{ 3,       "certList",				ASN1_SEQUENCE,     ASN1_NONE }, /*  9 */
-	{ 4,         "userCertificate",		ASN1_INTEGER,      ASN1_BODY }, /* 10 */
-	{ 4,         "revocationDate",		ASN1_EOC,          ASN1_RAW  }, /* 11 */
-	{ 4,         "crlEntryExtensions",  ASN1_SEQUENCE,     ASN1_OPT |
-							   							   ASN1_LOOP }, /* 12 */
-	{ 5,           "extension",			ASN1_SEQUENCE,	   ASN1_NONE }, /* 13 */
-	{ 6,             "extnID",			ASN1_OID,          ASN1_BODY }, /* 14 */
-	{ 6,             "critical",		ASN1_BOOLEAN,      ASN1_DEF |
-														   ASN1_BODY }, /* 15 */
-	{ 6,             "extnValue",		ASN1_OCTET_STRING, ASN1_BODY }, /* 16 */
-	{ 4,         "end opt or loop",		ASN1_EOC,          ASN1_END  }, /* 17 */
-	{ 2,     "end opt or loop",			ASN1_EOC,          ASN1_END  }, /* 18 */
-	{ 2,     "optional extensions",		ASN1_CONTEXT_C_0,  ASN1_OPT  }, /* 19 */
-	{ 3,       "crlExtensions",			ASN1_SEQUENCE,     ASN1_LOOP }, /* 20 */
-	{ 4,         "extension",			ASN1_SEQUENCE,     ASN1_NONE }, /* 21 */
-	{ 5,           "extnID",			ASN1_OID,          ASN1_BODY }, /* 22 */
-	{ 5,           "critical",			ASN1_BOOLEAN,      ASN1_DEF |
-														   ASN1_BODY }, /* 23 */
-	{ 5,           "extnValue",			ASN1_OCTET_STRING, ASN1_BODY }, /* 24 */
-	{ 3,       "end loop",				ASN1_EOC,          ASN1_END  }, /* 25 */
-	{ 2,     "end opt",					ASN1_EOC,          ASN1_END  }, /* 26 */
-	{ 1,   "signatureAlgorithm",		ASN1_EOC,          ASN1_RAW  }, /* 27 */
-	{ 1,   "signatureValue",			ASN1_BIT_STRING,   ASN1_BODY }, /* 28 */
-	{ 0, "exit",						ASN1_EOC,		   ASN1_EXIT }
-};
-
-#define CRL_OBJ_CERTIFICATE_LIST         0
-#define CRL_OBJ_TBS_CERT_LIST			 1
-#define CRL_OBJ_VERSION					 2
-#define CRL_OBJ_SIG_ALG					 4
-#define CRL_OBJ_ISSUER					 5
-#define CRL_OBJ_THIS_UPDATE				 6
-#define CRL_OBJ_NEXT_UPDATE				 7
-#define CRL_OBJ_USER_CERTIFICATE		10
-#define CRL_OBJ_REVOCATION_DATE			11
-#define CRL_OBJ_CRL_ENTRY_EXTN_ID		14
-#define CRL_OBJ_CRL_ENTRY_CRITICAL		15
-#define CRL_OBJ_CRL_ENTRY_EXTN_VALUE	16
-#define CRL_OBJ_EXTN_ID					22
-#define CRL_OBJ_CRITICAL				23
-#define CRL_OBJ_EXTN_VALUE				24
-#define CRL_OBJ_ALGORITHM				27
-#define CRL_OBJ_SIGNATURE				28
-
-const x509crl_t empty_x509crl = {
-	  NULL        , /* *next */
-	UNDEFINED_TIME, /* installed */
-	  NULL        , /* distributionPoints */
-	{ NULL, 0 }   , /* certificateList */
-	{ NULL, 0 }   , /*   tbsCertList */
-			1     , /*     version */
-	OID_UNKNOWN   , /*     sigAlg */
-	{ NULL, 0 }   , /*     issuer */
-	UNDEFINED_TIME, /*     thisUpdate */
-	UNDEFINED_TIME, /*     nextUpdate */
-	  NULL        , /*     revokedCertificates */
-					/*     crlExtensions */
-					/*       extension */
-					/*         extnID */
-					/*         critical */
-					/*         extnValue */
-	{ NULL, 0 }   , /*           authKeyID */
-	{ NULL, 0 }   , /*           authKeySerialNumber */
-	{ NULL, 0 }   , /*           crlNumber */
-	OID_UNKNOWN   , /*   algorithm */
-	{ NULL, 0 }     /*   signature */
-};
+static x509crl_t  *x509crls = NULL;
 
 /**
  *  Get the X.509 CRL with a given issuer
  */
-static x509crl_t* get_x509crl(chunk_t issuer, chunk_t serial, chunk_t keyid)
+static x509crl_t* get_x509crl(identification_t *issuer, chunk_t keyid)
 {
-	x509crl_t *crl = x509crls;
+	x509crl_t *x509crl = x509crls;
 	x509crl_t *prev_crl = NULL;
 
-	while (crl != NULL)
+	while (x509crl != NULL)
 	{
-		if ((keyid.ptr != NULL && crl->authKeyID.ptr != NULL)
-		? same_keyid(keyid, crl->authKeyID)
-		: (same_dn(crl->issuer, issuer) && same_serial(serial, crl->authKeySerialNumber)))
+		certificate_t *cert_crl = x509crl->crl;
+		crl_t *crl = (crl_t*)cert_crl;
+		identification_t *crl_issuer = cert_crl->get_issuer(cert_crl);
+		chunk_t authKeyID = crl->get_authKeyIdentifier(crl);
+
+		if ((keyid.ptr && authKeyID.ptr)? same_keyid(keyid, authKeyID) :
+			issuer->equals(issuer, crl_issuer))
 		{
-			if (crl != x509crls)
+			if (x509crl != x509crls)
 			{
 				/* bring the CRL up front */
-				prev_crl->next = crl->next;
-				crl->next = x509crls;
-				x509crls = crl;
+				prev_crl->next = x509crl->next;
+				x509crl->next = x509crls;
+				x509crls = x509crl;
 			}
-			return crl;
+			return x509crl;
 		}
-		prev_crl = crl;
-		crl = crl->next;
+		prev_crl = x509crl;
+		x509crl = x509crl->next;
 	}
 	return NULL;
 }
 
-/**
- *  Free the dynamic memory used to store revoked certificates
- */
-static void free_revoked_certs(revokedCert_t* revokedCerts)
-{
-	while (revokedCerts != NULL)
-	{
-		revokedCert_t * revokedCert = revokedCerts;
-		revokedCerts = revokedCert->next;
-		free(revokedCert);
-	}
-}
-
 /**
  *  Free the dynamic memory used to store CRLs
  */
 void free_crl(x509crl_t *crl)
 {
-	free_revoked_certs(crl->revokedCertificates);
-	free_generalNames(crl->distributionPoints, TRUE);
-	free(crl->certificateList.ptr);
+	DESTROY_IF(crl->crl);
+	crl->distributionPoints->destroy_function(crl->distributionPoints, free);
 	free(crl);
 }
 
@@ -194,7 +97,9 @@ void free_crls(void)
 	lock_crl_list("free_crls");
 
 	while (x509crls != NULL)
+	{
 		free_first_crl();
+	}
 
 	unlock_crl_list("free_crls");
 }
@@ -202,127 +107,109 @@ void free_crls(void)
 /**
  * Insert X.509 CRL into chained list
  */
-bool insert_crl(chunk_t blob, chunk_t crl_uri, bool cache_crl)
+bool insert_crl(x509crl_t *x509crl, char *crl_uri, bool cache_crl)
 {
-	x509crl_t *crl = malloc_thing(x509crl_t);
+	certificate_t *cert_crl = x509crl->crl;
+	crl_t *crl = (crl_t*)cert_crl;
+	identification_t *issuer = cert_crl->get_issuer(cert_crl);
+	chunk_t authKeyID = crl->get_authKeyIdentifier(crl);
+	cert_t *issuer_cert;
+	x509crl_t *oldcrl;
+	time_t now, nextUpdate;
+	bool valid_sig;
+
+	/* add distribution point */
+	add_distribution_point(x509crl->distributionPoints, crl_uri);
+
+	lock_authcert_list("insert_crl");
+
+	/* get the issuer cacert */
+	issuer_cert = get_authcert(issuer, authKeyID, X509_CA);
+	if (issuer_cert == NULL)
+	{
+		plog("crl issuer cacert not found");
+		free_crl(x509crl);
+		unlock_authcert_list("insert_crl");
+		return FALSE;
+	}
+	DBG(DBG_CONTROL,
+		DBG_log("crl issuer cacert found")
+	)
 
-	*crl = empty_x509crl;
+	/* check the issuer's signature of the crl */
+	valid_sig = cert_crl->issued_by(cert_crl, issuer_cert->cert);
+	unlock_authcert_list("insert_crl");
 
-	if (parse_x509crl(blob, 0, crl))
+	if (!valid_sig)
 	{
-		x509cert_t *issuer_cert;
-		x509crl_t *oldcrl;
-		bool valid_sig;
-		generalName_t *gn;
-
-		/* add distribution point */
-		gn = malloc_thing(generalName_t);
-		gn->kind = GN_URI;
-		gn->name = crl_uri;
-		gn->next = crl->distributionPoints;
-		crl->distributionPoints = gn;
-
-		lock_authcert_list("insert_crl");
-		/* get the issuer cacert */
-		issuer_cert = get_authcert(crl->issuer, crl->authKeySerialNumber,
-			crl->authKeyID, AUTH_CA);
-		if (issuer_cert == NULL)
-		{
-			plog("crl issuer cacert not found");
-			free_crl(crl);
-			unlock_authcert_list("insert_crl");
-			return FALSE;
-		}
-		DBG(DBG_CONTROL,
-			DBG_log("crl issuer cacert found")
-		)
+		free_crl(x509crl);
+		return FALSE;
+	}
+	DBG(DBG_CONTROL,
+		DBG_log("crl signature is valid")
+	)
 
-		/* check the issuer's signature of the crl */
-		valid_sig = x509_check_signature(crl->tbsCertList, crl->signature,
-										 crl->algorithm, issuer_cert);
-		unlock_authcert_list("insert_crl");
+	/* note the current time */
+	time(&now);
 
-		if (!valid_sig)
-		{
-			free_crl(crl);
-			return FALSE;
-		}
-		DBG(DBG_CONTROL,
-			DBG_log("crl signature is valid")
-		)
+	lock_crl_list("insert_crl");
+	oldcrl = get_x509crl(issuer, authKeyID);
 
-		lock_crl_list("insert_crl");
-		oldcrl = get_x509crl(crl->issuer, crl->authKeySerialNumber
-			, crl->authKeyID);
+	if (oldcrl != NULL)
+	{
+		certificate_t *old_cert_crl = oldcrl->crl;
 
-		if (oldcrl != NULL)
+		if (cert_crl->is_newer(cert_crl, old_cert_crl))
 		{
-			if (crl->thisUpdate > oldcrl->thisUpdate)
-			{
-				/* keep any known CRL distribution points */
-				add_distribution_points(oldcrl->distributionPoints
-					, &crl->distributionPoints);
+			/* keep any known CRL distribution points */
+			add_distribution_points(x509crl->distributionPoints,
+					 				oldcrl->distributionPoints);
 
-				/* now delete the old CRL */
-				free_first_crl();
-				DBG(DBG_CONTROL,
-					DBG_log("thisUpdate is newer - existing crl deleted")
-				)
-			}
-			else
-			{
-				unlock_crl_list("insert_crls");
-				DBG(DBG_CONTROL,
-					DBG_log("thisUpdate is not newer - existing crl not replaced");
-				)
-				free_crl(crl);
-				return oldcrl->nextUpdate - time(NULL) > 2*crl_check_interval;
-			}
+			/* now delete the old CRL */
+			free_first_crl();
+			DBG(DBG_CONTROL,
+				DBG_log("thisUpdate is newer - existing crl deleted")
+			)
 		}
-
-		/* insert new CRL */
-		crl->next = x509crls;
-		x509crls = crl;
-
-		unlock_crl_list("insert_crl");
-
-		/* If crl caching is enabled then the crl is saved locally.
-		 * Only http or ldap URIs are cached but not local file URIs.
-		 * The issuer's subjectKeyID is used as a unique filename
-		 */
-		if (cache_crl && strncasecmp(crl_uri.ptr, "file", 4) != 0)
+		else
 		{
-			char path[BUF_LEN], buf[BUF_LEN];
-			char digest_buf[HASH_SIZE_SHA1];
-			chunk_t subjectKeyID = chunk_from_buf(digest_buf);
-			bool has_keyID;
-			
-			if (issuer_cert->subjectKeyID.ptr == NULL)
-			{
-				has_keyID = compute_subjectKeyID(issuer_cert, subjectKeyID);
-			}
-			else
-			{
-				subjectKeyID = issuer_cert->subjectKeyID;
-				has_keyID = TRUE;
-			}
-			if (has_keyID)
-			{
-				datatot(subjectKeyID.ptr, subjectKeyID.len, 16, buf, BUF_LEN);
-				snprintf(path, BUF_LEN, "%s/%s.crl", CRL_PATH, buf);
-				chunk_write(crl->certificateList, path, "crl",  0022, TRUE);
-			}
+			unlock_crl_list("insert_crls");
+			DBG(DBG_CONTROL,
+				DBG_log("thisUpdate is not newer - existing crl not replaced");
+			)
+			free_crl(x509crl);
+			old_cert_crl->get_validity(old_cert_crl, &now, NULL, &nextUpdate);
+			return nextUpdate - now > 2*crl_check_interval;
 		}
-
-		/* is the fetched crl valid? */
-		return crl->nextUpdate - time(NULL) > 2*crl_check_interval;
 	}
-	else
+
+	/* insert new CRL */
+	x509crl->next = x509crls;
+	x509crls = x509crl;
+
+	unlock_crl_list("insert_crl");
+
+	/* If crl caching is enabled then the crl is saved locally.
+	 * Only http or ldap URIs are cached but not local file URIs.
+	 * The CRL's authorityKeyIdentifier is used as a unique filename
+	 */
+	if (cache_crl && strncasecmp(crl_uri, "file", 4) != 0)
 	{
-		plog("  error in X.509 crl");
-		free_crl(crl);
-		return FALSE;
+		char buf[BUF_LEN];
+		chunk_t hex, encoding;
+
+		hex = chunk_to_hex(crl->get_authKeyIdentifier(crl), NULL, FALSE);
+		snprintf(buf, sizeof(buf), "%s/%s.crl", CRL_PATH, hex);
+		free(hex.ptr);
+
+		encoding = cert_crl->get_encoding(cert_crl);
+		chunk_write(encoding, buf, "crl", 022, TRUE);
+		free(encoding.ptr);
 	}
+
+	/* is the fetched crl valid? */
+	cert_crl->get_validity(cert_crl, &now, NULL, &nextUpdate);
+	return nextUpdate - now > 2*crl_check_interval;
 }
 
 /**
@@ -352,22 +239,19 @@ void load_crls(void)
 		{
 			while (n--)
 			{
-				bool pgp = FALSE;
-				chunk_t blob = chunk_empty;
 				char *filename = filelist[n]->d_name;
+				x509crl_t *x509crl;
 
-				if (load_coded_file(filename, NULL, "crl", &blob, &pgp))
+				x509crl = lib->creds->create(lib->creds, CRED_CERTIFICATE,
+										 CERT_PLUTO_CRL,
+										 BUILD_FROM_FILE, filename, BUILD_END);
+				if (x509crl)
 				{
-					chunk_t crl_uri;
-
-					crl_uri.len = 7 + sizeof(CRL_PATH) + strlen(filename);
-					crl_uri.ptr = malloc(crl_uri.len + 1);
+					char crl_uri[BUF_LEN];
 
-					/* build CRL file URI */
-					snprintf(crl_uri.ptr, crl_uri.len + 1, "file://%s/%s"
-						, CRL_PATH, filename);
-
-					insert_crl(blob, crl_uri, FALSE);
+					plog("  loaded crl from '%s'", filename);
+					snprintf(crl_uri, BUF_LEN, "file://%s/%s", CRL_PATH, filename);
+					insert_crl(x509crl, crl_uri, FALSE);
 				}
 				free(filelist[n]);
 			}
@@ -378,212 +262,77 @@ void load_crls(void)
 	ignore_result(chdir(save_dir));
 }
 
-/**
- * Parses a CRL revocation reason code
- */
-static crl_reason_t parse_crl_reasonCode(chunk_t object)
-{
-	crl_reason_t reason = REASON_UNSPECIFIED;
-
-	if (*object.ptr == ASN1_ENUMERATED
-	&&  asn1_length(&object) == 1)
-	{
-		reason = *object.ptr;
-	}
-
-	DBG(DBG_PARSING,
-		DBG_log("  '%N'", crl_reason_names, reason)
-	)
-	return reason;
-}
-
-/*
- *  Parses an X.509 CRL
- */
-bool parse_x509crl(chunk_t blob, u_int level0, x509crl_t *crl)
-{
-	u_char buf[BUF_LEN];
-	asn1_parser_t *parser;
-	chunk_t extnID;
-	chunk_t userCertificate = chunk_empty;
-	chunk_t object;
-	int objectID;
-	bool success = FALSE;
-	bool critical;
-
-	parser = asn1_parser_create(crlObjects, blob);
-
-	while (parser->iterate(parser, &objectID, &object))
-	{
-		u_int level = parser->get_level(parser)+1;
-
-		switch (objectID) {
-		case CRL_OBJ_CERTIFICATE_LIST:
-			crl->certificateList = object;
-			break;
-		case CRL_OBJ_TBS_CERT_LIST:
-			crl->tbsCertList = object;
-			break;
-		case CRL_OBJ_VERSION:
-			crl->version = (object.len) ? (1+(u_int)*object.ptr) : 1;
-			DBG(DBG_PARSING,
-				DBG_log("  v%d", crl->version);
-			)
-			break;
-		case CRL_OBJ_SIG_ALG:
-			crl->sigAlg = asn1_parse_algorithmIdentifier(object, level, NULL);
-			break;
-		case CRL_OBJ_ISSUER:
-			crl->issuer = object;
-			DBG(DBG_PARSING,
-				dntoa(buf, BUF_LEN, object);
-				DBG_log("  '%s'",buf)
-			)
-			break;
-		case CRL_OBJ_THIS_UPDATE:
-			crl->thisUpdate = asn1_parse_time(object, level);
-			break;
-		case CRL_OBJ_NEXT_UPDATE:
-			crl->nextUpdate = asn1_parse_time(object, level);
-			break;
-		case CRL_OBJ_USER_CERTIFICATE:
-			userCertificate = object;
-			break;
-		case CRL_OBJ_REVOCATION_DATE:
-			{
-				/* put all the serial numbers and the revocation date in a chained list
-				   with revocedCertificates pointing to the first revoked certificate */
-
-				revokedCert_t *revokedCert = malloc_thing(revokedCert_t);
-				revokedCert->userCertificate = userCertificate;
-				revokedCert->revocationDate = asn1_parse_time(object, level);
-				revokedCert->revocationReason = REASON_UNSPECIFIED;
-				revokedCert->next = crl->revokedCertificates;
-				crl->revokedCertificates = revokedCert;
-			}
-			break;
-		case CRL_OBJ_CRL_ENTRY_EXTN_ID:
-		case CRL_OBJ_EXTN_ID:
-			extnID = object;
-			break;
-		case CRL_OBJ_CRL_ENTRY_CRITICAL:
-		case CRL_OBJ_CRITICAL:
-			critical = object.len && *object.ptr;
-			DBG(DBG_PARSING,
-				DBG_log("  %s",(critical)?"TRUE":"FALSE");
-			)
-			break;
-		case CRL_OBJ_CRL_ENTRY_EXTN_VALUE:
-		case CRL_OBJ_EXTN_VALUE:
-			{
-				u_int extn_oid = asn1_known_oid(extnID);
-
-				if (extn_oid == OID_CRL_REASON_CODE)
-				{
-					crl->revokedCertificates->revocationReason =
-						parse_crl_reasonCode(object);
-				}
-				else if (extn_oid == OID_AUTHORITY_KEY_ID)
-				{
-					parse_authorityKeyIdentifier(object, level
-						, &crl->authKeyID, &crl->authKeySerialNumber);
-				}
-				else if (extn_oid == OID_CRL_NUMBER)
-				{
-					if (!asn1_parse_simple_object(&object, ASN1_INTEGER,
-												  level, "crlNumber"))
-					{
-						goto end;
-					}
-					crl->crlNumber = object;
-				}
-			}
-			break;
-		case CRL_OBJ_ALGORITHM:
-			crl->algorithm = asn1_parse_algorithmIdentifier(object, level, NULL);
-			break;
-		case CRL_OBJ_SIGNATURE:
-			crl->signature = object;
-			break;
-		default:
-			break;
-		}
-	}
-	success = parser->success(parser);
-	time(&crl->installed);
-
-end:
-	parser->destroy(parser);
-	return success;
-}
 
 /*  Checks if the current certificate is revoked. It goes through the
  *  list of revoked certificates of the corresponding crl. Either the
  *  status CERT_GOOD or CERT_REVOKED is returned
  */
-static cert_status_t
-check_revocation(const x509crl_t *crl, chunk_t serial
-, time_t *revocationDate, crl_reason_t * revocationReason)
+static cert_status_t check_revocation(crl_t *crl, chunk_t cert_serial,
+									  time_t *revocationDate,
+									  crl_reason_t *revocationReason)
 {
-	revokedCert_t *revokedCert = crl->revokedCertificates;
+	enumerator_t *enumerator;
+	cert_status_t status;
+	chunk_t serial;
 
-	*revocationDate = UNDEFINED_TIME;
-	*revocationReason = REASON_UNSPECIFIED;
-	
 	DBG(DBG_CONTROL,
-		DBG_dump_chunk("serial number:", serial)
+		DBG_log("serial number: %#B", &cert_serial)
 	)
+	*revocationDate = UNDEFINED_TIME;
+	*revocationReason = CRL_REASON_UNSPECIFIED;
+	status = CERT_GOOD;
 
-	while(revokedCert != NULL)
+	enumerator = crl->create_enumerator(crl);
+	while (enumerator->enumerate(enumerator, &serial,
+								 revocationDate, revocationReason))
 	{
-		/* compare serial numbers */
-		if (revokedCert->userCertificate.len == serial.len &&
-			memeq(revokedCert->userCertificate.ptr, serial.ptr, serial.len))
+		if (chunk_equals(serial, cert_serial))
 		{
-			*revocationDate = revokedCert->revocationDate;
-			*revocationReason = revokedCert->revocationReason;
-			return CERT_REVOKED;
+			status = CERT_REVOKED;
+			break;
 		}
-		revokedCert = revokedCert->next;
 	}
-	return CERT_GOOD;
+	enumerator->destroy(enumerator);
+	return status;
 }
 
 /*
  * check if any crls are about to expire
  */
-void
-check_crls(void)
+void check_crls(void)
 {
-	x509crl_t *crl;
+	x509crl_t *x509crl;
+	time_t now, nextUpdate, time_left;
 
 	lock_crl_list("check_crls");
-	crl = x509crls;
+	time(&now);
+	x509crl = x509crls;
 
-	while (crl != NULL)
+	while (x509crl != NULL)
 	{
-		time_t time_left = crl->nextUpdate - time(NULL);
-		u_char buf[BUF_LEN];
+		certificate_t *cert_crl = x509crl->crl;
+		crl_t *crl = (crl_t*)cert_crl;
+		identification_t *issuer = cert_crl->get_issuer(cert_crl);
+		chunk_t authKeyID = crl->get_authKeyIdentifier(crl);		
+
+		cert_crl->get_validity(cert_crl, &now, NULL, &nextUpdate);
+		time_left = nextUpdate - now;
 
 		DBG(DBG_CONTROL,
-			dntoa(buf, BUF_LEN, crl->issuer);
-			DBG_log("issuer: '%s'",buf);
-			if (crl->authKeyID.ptr != NULL)
+			DBG_log("issuer: '%Y'", issuer);
+			if (authKeyID.ptr)
 			{
-				datatot(crl->authKeyID.ptr, crl->authKeyID.len, ':'
-					, buf, BUF_LEN);
-				DBG_log("authkey: %s", buf);
+				DBG_log("authkey: %#B", &authKeyID);
 			}
 			DBG_log("%ld seconds left", time_left)
 		)
 		if (time_left < 2*crl_check_interval)
 		{
-			fetch_req_t *req = build_crl_fetch_request(crl->issuer
-				, crl->authKeySerialNumber
-				, crl->authKeyID, crl->distributionPoints);
+			fetch_req_t *req = build_crl_fetch_request(issuer, authKeyID,
+											x509crl->distributionPoints);
 			add_crl_fetch_request(req);
 		}
-		crl = crl->next;
+		x509crl = x509crl->next;
 	}
 	unlock_crl_list("check_crls");
 }
@@ -591,112 +340,131 @@ check_crls(void)
 /*
  * verify if a cert hasn't been revoked by a crl
  */
-cert_status_t
-verify_by_crl(const x509cert_t *cert, time_t *until, time_t *revocationDate
-, crl_reason_t *revocationReason)
+cert_status_t verify_by_crl(cert_t *cert, time_t *until, time_t *revocationDate,
+							crl_reason_t *revocationReason)
 {
-	x509crl_t *crl;
-
-	ca_info_t *ca = get_ca_info(cert->issuer, cert->authKeySerialNumber
-							  , cert->authKeyID);
-
-	generalName_t *crluri = (ca == NULL)? NULL : ca->crluri;
-
+	certificate_t *certificate = cert->cert;
+	x509_t *x509 = (x509_t*)certificate;
+	identification_t *issuer = certificate->get_issuer(certificate);
+	chunk_t authKeyID = x509->get_authKeyIdentifier(x509);
+	x509crl_t *x509crl;
+	ca_info_t *ca;
+	enumerator_t *enumerator;
+	char *point;
+
+	ca = get_ca_info(issuer, authKeyID);
+	
 	*revocationDate = UNDEFINED_TIME;
-	*revocationReason = REASON_UNSPECIFIED;
+	*revocationReason = CRL_REASON_UNSPECIFIED;
 
 	lock_crl_list("verify_by_crl");
-	crl = get_x509crl(cert->issuer, cert->authKeySerialNumber, cert->authKeyID);
+	x509crl = get_x509crl(issuer, authKeyID);
 
-	if (crl == NULL)
+	if (x509crl == NULL)
 	{
+		linked_list_t *crluris;
+
 		unlock_crl_list("verify_by_crl");
 		plog("crl not found");
 
-		if (cert->crlDistributionPoints != NULL)
+		crluris = linked_list_create();
+		if (ca)
 		{
-			fetch_req_t *req = build_crl_fetch_request(cert->issuer
-				, cert->authKeySerialNumber
-				, cert->authKeyID, cert->crlDistributionPoints);
-			add_crl_fetch_request(req);
+			add_distribution_points(crluris, ca->crluris);
 		}
 
-		if (crluri != NULL)
+		enumerator = x509->create_crl_uri_enumerator(x509);
+		while (enumerator->enumerate(enumerator, &point))
 		{
-			fetch_req_t *req = build_crl_fetch_request(cert->issuer
-				, cert->authKeySerialNumber
-				, cert->authKeyID, crluri);
-			add_crl_fetch_request(req);
+			add_distribution_point(crluris, point);
 		}
+		enumerator->destroy(enumerator);
 
-		if (cert->crlDistributionPoints != 0 || crluri != NULL)
+		if (crluris->get_count(crluris) > 0)
 		{
+			fetch_req_t *req;
+
+			req = build_crl_fetch_request(issuer, authKeyID, crluris);
+			crluris->destroy_function(crluris, free);
+			add_crl_fetch_request(req);
 			wake_fetch_thread("verify_by_crl");
 			return CERT_UNKNOWN;
 		}
 		else
+		{
+			crluris->destroy(crluris);
 			return CERT_UNDEFINED;
+		}
 	}
 	else
 	{
-		x509cert_t *issuer_cert;
-		bool valid;
+		certificate_t *cert_crl = x509crl->crl;
+		crl_t *crl = (crl_t*)cert_crl;
+		chunk_t authKeyID = crl->get_authKeyIdentifier(crl);
+		cert_t *issuer_cert;
+		bool trusted, valid;
 
 		DBG(DBG_CONTROL,
 			DBG_log("crl found")
 		)
 
-		add_distribution_points(cert->crlDistributionPoints
-				, &crl->distributionPoints);
+		if (ca)
+		{
+			add_distribution_points(x509crl->distributionPoints, ca->crluris);
+		}
 
-		add_distribution_points(crluri
-				, &crl->distributionPoints);
+		enumerator = x509->create_crl_uri_enumerator(x509);
+		while (enumerator->enumerate(enumerator, &point))
+		{
+			add_distribution_point(x509crl->distributionPoints, point);
+		}
+		enumerator->destroy(enumerator);
 
 		lock_authcert_list("verify_by_crl");
 
-		issuer_cert = get_authcert(crl->issuer, crl->authKeySerialNumber
-				, crl->authKeyID, AUTH_CA);
-		valid = x509_check_signature(crl->tbsCertList, crl->signature,
-									 crl->algorithm, issuer_cert);
-		
+		issuer_cert = get_authcert(issuer, authKeyID, X509_CA);
+		trusted = cert_crl->issued_by(cert_crl, issuer_cert->cert);
+
 		unlock_authcert_list("verify_by_crl");
 
-		if (valid)
+		if (trusted)
 		{
 			cert_status_t status;
 
 			DBG(DBG_CONTROL,
 				DBG_log("crl signature is valid")
 			)
-		   /* return the expiration date */
-			*until = crl->nextUpdate;
+
+			/* return the expiration date */
+			valid = cert_crl->get_validity(cert_crl, NULL, NULL, until);
 
 			/* has the certificate been revoked? */
-			status = check_revocation(crl, cert->serialNumber, revocationDate
+			status = check_revocation(crl, x509->get_serial(x509), revocationDate
 								, revocationReason);
 
-			if (*until < time(NULL))
+			if (valid)
+			{
+				unlock_crl_list("verify_by_crl");
+				DBG(DBG_CONTROL,
+					DBG_log("crl is valid: until %T", until, FALSE)
+				)
+			}
+			else
 			{
 				fetch_req_t *req;
 
-				plog("crl update is overdue since %T", until, TRUE);
+				DBG(DBG_CONTROL,
+					DBG_log("crl is stale: since %T", until, FALSE)
+				)
 
 				/* try to fetch a crl update */
-				req = build_crl_fetch_request(crl->issuer
-								, crl->authKeySerialNumber
-								, crl->authKeyID, crl->distributionPoints);
+				req = build_crl_fetch_request(issuer, authKeyID,
+											  x509crl->distributionPoints);
 				unlock_crl_list("verify_by_crl");
 
 				add_crl_fetch_request(req);
 				wake_fetch_thread("verify_by_crl");
 			}
-			else
-			{
-				unlock_crl_list("verify_by_crl");
-				DBG(DBG_CONTROL,
-					DBG_log("crl is valid")
-				)
-			}
 			return status;
 		}
 		else
@@ -711,65 +479,59 @@ verify_by_crl(const x509cert_t *cert, time_t *until, time_t *revocationDate
 /*
  *  list all X.509 crls in the chained list
  */
-void
-list_crls(bool utc, bool strict)
+void list_crls(bool utc, bool strict)
 {
-	x509crl_t *crl;
+	x509crl_t *x509crl;
 
 	lock_crl_list("list_crls");
-	crl = x509crls;
+	x509crl = x509crls;
 
-	if (crl != NULL)
+	if (x509crl)
 	{
 		whack_log(RC_COMMENT, " ");
 		whack_log(RC_COMMENT, "List of X.509 CRLs:");
-		whack_log(RC_COMMENT, " ");
 	}
 
-	while (crl != NULL)
+	while (x509crl)
 	{
-		u_char buf[BUF_LEN];
+		certificate_t *cert_crl = x509crl->crl;
+		crl_t *crl = (crl_t*)cert_crl;
+		chunk_t serial, authKeyID;
+		time_t thisUpdate, nextUpdate;
 		u_int revoked = 0;
-		revokedCert_t *revokedCert = crl->revokedCertificates;
+		enumerator_t *enumerator;
 
-		/* count number of revoked certificates in CRL */
-		while (revokedCert != NULL)
+		whack_log(RC_COMMENT, " ");
+		whack_log(RC_COMMENT, "  issuer:   \"%Y\"",
+				cert_crl->get_issuer(cert_crl));
+		serial = crl->get_serial(crl);
+		if (serial.ptr)
 		{
-			revoked++;
-			revokedCert = revokedCert->next;
+			whack_log(RC_COMMENT, "  serial:    %#B", &serial);
 		}
 
-		whack_log(RC_COMMENT, "%T, revoked certs: %d",
-				&crl->installed, utc, revoked);
-		dntoa(buf, BUF_LEN, crl->issuer);
-		whack_log(RC_COMMENT, "       issuer:   '%s'", buf);
-		if (crl->crlNumber.ptr != NULL)
-		{
-			datatot(crl->crlNumber.ptr, crl->crlNumber.len, ':'
-				, buf, BUF_LEN);
-			whack_log(RC_COMMENT, "       crlnumber: %s", buf);
-		}
-		list_distribution_points(crl->distributionPoints);
-
-		whack_log(RC_COMMENT, "       updates:   this %T",
-				&crl->thisUpdate, utc);
-		whack_log(RC_COMMENT, "                  next %T %s",
-				&crl->nextUpdate, utc,
-				check_expiry(crl->nextUpdate, CRL_WARNING_INTERVAL, strict));
-		if (crl->authKeyID.ptr != NULL)
+		/* count number of revoked certificates in CRL */
+		enumerator = crl->create_enumerator(crl);
+		while (enumerator->enumerate(enumerator, NULL, NULL, NULL))
 		{
-			datatot(crl->authKeyID.ptr, crl->authKeyID.len, ':'
-				, buf, BUF_LEN);
-			whack_log(RC_COMMENT, "       authkey:   %s", buf);
+			revoked++;
 		}
-		if (crl->authKeySerialNumber.ptr != NULL)
+		enumerator->destroy(enumerator);
+		whack_log(RC_COMMENT, "  revoked:   %d certificates", revoked);
+
+		list_distribution_points(x509crl->distributionPoints);
+
+		cert_crl->get_validity(cert_crl, NULL, &thisUpdate, &nextUpdate);
+		whack_log(RC_COMMENT, "  updates:   this %T", &thisUpdate, utc);
+		whack_log(RC_COMMENT, "             next %T %s", &nextUpdate, utc,
+				check_expiry(nextUpdate, CRL_WARNING_INTERVAL, strict));
+		authKeyID = crl->get_authKeyIdentifier(crl);
+		if (authKeyID.ptr)
 		{
-			datatot(crl->authKeySerialNumber.ptr, crl->authKeySerialNumber.len, ':'
-				, buf, BUF_LEN);
-			whack_log(RC_COMMENT, "       aserial:   %s", buf);
+			whack_log(RC_COMMENT, "  authkey:   %#B", &authKeyID);
 		}
 
-		crl = crl->next;
+		x509crl = x509crl->next;
 	}
 	unlock_crl_list("list_crls");
 }
diff --git a/src/pluto/crl.h b/src/pluto/crl.h
index 7c110ad5a..43bafe145 100644
--- a/src/pluto/crl.h
+++ b/src/pluto/crl.h
@@ -14,47 +14,18 @@
 
 #include "constants.h"
 
-/* access structure for a revoked serial number */
-
-typedef struct revokedCert revokedCert_t;
-
-struct revokedCert{
-  revokedCert_t *next;
-  chunk_t       userCertificate;
-  time_t        revocationDate;
-  crl_reason_t  revocationReason;
-};
+#include <utils/linked_list.h>
+#include <credentials/certificates/certificate.h>
+#include <credentials/certificates/crl.h>
 
 /* storage structure for an X.509 CRL */
 
 typedef struct x509crl x509crl_t;
 
 struct x509crl {
-  x509crl_t     *next;
-  time_t         installed;
-  generalName_t *distributionPoints;
-  chunk_t        certificateList;
-  chunk_t          tbsCertList;
-  u_int              version;
-				 /*  signature */
-  int                  sigAlg;
-  chunk_t            issuer;
-  time_t             thisUpdate;
-  time_t             nextUpdate;
-  revokedCert_t      *revokedCertificates;
-				/*   v2 extensions */
-				/*   crlExtensions */
-				/*     extension */
-				/*       extnID */
-				/*       critical */
-				/*       extnValue */
-  chunk_t                authKeyID;
-  chunk_t                authKeySerialNumber;
-  chunk_t                crlNumber;
-
-				/* signatureAlgorithm */
-  int                algorithm;
-  chunk_t          signature;
+	certificate_t *crl;
+	x509crl_t     *next;
+	linked_list_t *distributionPoints;
 };
 
 /* apply a strict CRL policy
@@ -69,18 +40,14 @@ extern bool cache_crls;
 
 /*
  * check periodically for expired crls
- */ 
+ */
 extern long crl_check_interval;
-
-/* used for initialization */
-extern const x509crl_t  empty_x509crl;
-
-extern bool parse_x509crl(chunk_t blob, u_int level0, x509crl_t *crl);
 extern void load_crls(void);
 extern void check_crls(void);
-extern bool insert_crl(chunk_t blob, chunk_t crl_uri, bool cache_crl);
-extern cert_status_t verify_by_crl(const x509cert_t *cert, time_t *until
-	, time_t *revocationDate, crl_reason_t *revocationReason);
+extern bool insert_crl(x509crl_t *crl, char *crl_uri, bool cache_crl);
+extern cert_status_t verify_by_crl(cert_t *cert, time_t *until,
+								   time_t *revocationDate,
+								   crl_reason_t *revocationReason);
 extern void list_crls(bool utc, bool strict);
 extern void free_crls(void);
 extern void free_crl(x509crl_t *crl);
diff --git a/src/pluto/crypto.c b/src/pluto/crypto.c
index f47ad1eeb..2113cecbc 100644
--- a/src/pluto/crypto.c
+++ b/src/pluto/crypto.c
@@ -21,12 +21,12 @@
 #include "log.h"
 
 static struct encrypt_desc encrypt_desc_3des =
-{       
+{
 	algo_type:       IKE_ALG_ENCRYPT,
-	algo_id:         OAKLEY_3DES_CBC, 
+	algo_id:         OAKLEY_3DES_CBC,
 	algo_next:       NULL,
 
-	enc_blocksize:	 DES_BLOCK_SIZE, 
+	enc_blocksize:	 DES_BLOCK_SIZE,
 	keydeflen:		 DES_BLOCK_SIZE * 3 * BITS_PER_BYTE,
 	keyminlen:		 DES_BLOCK_SIZE * 3 * BITS_PER_BYTE,
 	keymaxlen:		 DES_BLOCK_SIZE * 3 * BITS_PER_BYTE,
@@ -40,7 +40,7 @@ static struct encrypt_desc encrypt_desc_aes =
 {
 	algo_type: 	     IKE_ALG_ENCRYPT,
 	algo_id:   	     OAKLEY_AES_CBC,
-	algo_next: 	     NULL, 
+	algo_next: 	     NULL,
 
 	enc_blocksize: 	 AES_BLOCK_SIZE,
 	keyminlen: 		 AES_KEY_MIN_LEN,
@@ -48,6 +48,22 @@ static struct encrypt_desc encrypt_desc_aes =
 	keymaxlen: 		 AES_KEY_MAX_LEN,
 };
 
+#define  CAMELLIA_KEY_MIN_LEN	128
+#define  CAMELLIA_KEY_DEF_LEN	128
+#define  CAMELLIA_KEY_MAX_LEN	256
+
+static struct encrypt_desc encrypt_desc_camellia =
+{
+	algo_type: 	     IKE_ALG_ENCRYPT,
+	algo_id:   	     OAKLEY_CAMELLIA_CBC,
+	algo_next: 	     NULL,
+
+	enc_blocksize: 	 CAMELLIA_BLOCK_SIZE,
+	keyminlen: 		 CAMELLIA_KEY_MIN_LEN,
+	keydeflen: 		 CAMELLIA_KEY_DEF_LEN,
+	keymaxlen: 		 CAMELLIA_KEY_MAX_LEN,
+};
+
 #define  BLOWFISH_KEY_MIN_LEN	128
 #define  BLOWFISH_KEY_MAX_LEN	448
 
@@ -55,7 +71,7 @@ static struct encrypt_desc encrypt_desc_blowfish =
 {
 	algo_type:       IKE_ALG_ENCRYPT,
 	algo_id:         OAKLEY_BLOWFISH_CBC,
-	algo_next:       NULL, 
+	algo_next:       NULL,
 
 	enc_blocksize:	 BLOWFISH_BLOCK_SIZE,
 	keyminlen:		 BLOWFISH_KEY_MIN_LEN,
@@ -83,7 +99,7 @@ static struct encrypt_desc encrypt_desc_serpent =
 #define  TWOFISH_KEY_DEF_LEN	128
 #define  TWOFISH_KEY_MAX_LEN	256
 
-static struct encrypt_desc encrypt_desc_twofish = 
+static struct encrypt_desc encrypt_desc_twofish =
 {
 	algo_type: 	     IKE_ALG_ENCRYPT,
 	algo_id:   	     OAKLEY_TWOFISH_CBC,
@@ -108,18 +124,18 @@ static struct encrypt_desc encrypt_desc_twofish_ssh =
 };
 
 static struct hash_desc hash_desc_md5 =
-{       
+{
 	algo_type: IKE_ALG_HASH,
 	algo_id:   OAKLEY_MD5,
-	algo_next: NULL, 
+	algo_next: NULL,
 	hash_digest_size: HASH_SIZE_MD5,
 };
 
 static struct hash_desc hash_desc_sha1 =
-{       
+{
 	algo_type: IKE_ALG_HASH,
 	algo_id:   OAKLEY_SHA,
-	algo_next: NULL, 
+	algo_next: NULL,
 	hash_digest_size: HASH_SIZE_SHA1,
 };
 
@@ -146,91 +162,91 @@ static struct hash_desc hash_desc_sha2_512 = {
 
 const struct dh_desc unset_group = {
 	algo_type:  IKE_ALG_DH_GROUP,
-	algo_id:    MODP_NONE, 
+	algo_id:    MODP_NONE,
 	algo_next:  NULL,
 	ke_size:    0
 };
 
-static struct dh_desc dh_desc_modp_1024 = {       
+static struct dh_desc dh_desc_modp_1024 = {
 	algo_type:  IKE_ALG_DH_GROUP,
-	algo_id:    MODP_1024_BIT, 
+	algo_id:    MODP_1024_BIT,
 	algo_next:  NULL,
 	ke_size:    1024 / BITS_PER_BYTE
 };
 
-static struct dh_desc dh_desc_modp_1536 = {       
+static struct dh_desc dh_desc_modp_1536 = {
 	algo_type:  IKE_ALG_DH_GROUP,
-	algo_id:    MODP_1536_BIT, 
+	algo_id:    MODP_1536_BIT,
 	algo_next:  NULL,
 	ke_size:    1536 / BITS_PER_BYTE
 };
 
-static struct dh_desc dh_desc_modp_2048 = {       
+static struct dh_desc dh_desc_modp_2048 = {
 	algo_type:  IKE_ALG_DH_GROUP,
-	algo_id:    MODP_2048_BIT, 
+	algo_id:    MODP_2048_BIT,
 	algo_next:  NULL,
 	ke_size:    2048 / BITS_PER_BYTE
 };
 
-static struct dh_desc dh_desc_modp_3072 = {       
+static struct dh_desc dh_desc_modp_3072 = {
 	algo_type:  IKE_ALG_DH_GROUP,
-	algo_id:    MODP_3072_BIT, 
+	algo_id:    MODP_3072_BIT,
 	algo_next:  NULL,
 	ke_size:    3072 / BITS_PER_BYTE
 };
 
-static struct dh_desc dh_desc_modp_4096 = {       
+static struct dh_desc dh_desc_modp_4096 = {
 	algo_type:  IKE_ALG_DH_GROUP,
-	algo_id:    MODP_4096_BIT, 
+	algo_id:    MODP_4096_BIT,
 	algo_next:  NULL,
 	ke_size:    4096 / BITS_PER_BYTE
 };
 
-static struct dh_desc dh_desc_modp_6144 = {       
+static struct dh_desc dh_desc_modp_6144 = {
 	algo_type:  IKE_ALG_DH_GROUP,
-	algo_id:    MODP_6144_BIT, 
+	algo_id:    MODP_6144_BIT,
 	algo_next:  NULL,
 	ke_size:    6144 / BITS_PER_BYTE
 };
 
-static struct dh_desc dh_desc_modp_8192 = {       
+static struct dh_desc dh_desc_modp_8192 = {
 	algo_type:  IKE_ALG_DH_GROUP,
-	algo_id:    MODP_8192_BIT, 
+	algo_id:    MODP_8192_BIT,
 	algo_next:  NULL,
 	ke_size:    8192 / BITS_PER_BYTE
 };
 
-static struct dh_desc dh_desc_ecp_256 = {       
+static struct dh_desc dh_desc_ecp_256 = {
 	algo_type:  IKE_ALG_DH_GROUP,
-	algo_id:    ECP_256_BIT, 
+	algo_id:    ECP_256_BIT,
 	algo_next:  NULL,
 	ke_size:    2*256 / BITS_PER_BYTE
 };
 
-static struct dh_desc dh_desc_ecp_384 = {       
+static struct dh_desc dh_desc_ecp_384 = {
 	algo_type:  IKE_ALG_DH_GROUP,
-	algo_id:    ECP_384_BIT, 
+	algo_id:    ECP_384_BIT,
 	algo_next:  NULL,
 	ke_size:    2*384 / BITS_PER_BYTE
 };
 
-static struct dh_desc dh_desc_ecp_521 = {       
+static struct dh_desc dh_desc_ecp_521 = {
 	algo_type:  IKE_ALG_DH_GROUP,
-	algo_id:    ECP_521_BIT, 
+	algo_id:    ECP_521_BIT,
 	algo_next:  NULL,
 	ke_size:    2*528 / BITS_PER_BYTE
 };
 
-static struct dh_desc dh_desc_ecp_192 = {       
+static struct dh_desc dh_desc_ecp_192 = {
 	algo_type:  IKE_ALG_DH_GROUP,
-	algo_id:    ECP_192_BIT, 
+	algo_id:    ECP_192_BIT,
 	algo_next:  NULL,
 	ke_size:    2*192 / BITS_PER_BYTE
 };
 
-static struct dh_desc dh_desc_ecp_224 = {       
+static struct dh_desc dh_desc_ecp_224 = {
 	algo_type:  IKE_ALG_DH_GROUP,
-	algo_id:    ECP_224_BIT, 
+	algo_id:    ECP_224_BIT,
 	algo_next:  NULL,
 	ke_size:    2*224 / BITS_PER_BYTE
 };
@@ -283,12 +299,12 @@ bool init_crypto(void)
 			 (no_md5) ? "MD5" : "");
 		return FALSE;
 	}
-		
+
 	enumerator = lib->crypto->create_crypter_enumerator(lib->crypto);
 	while (enumerator->enumerate(enumerator, &encryption_alg))
 	{
 		const struct encrypt_desc *desc;
- 
+
 		switch (encryption_alg)
 		{
 			case ENCR_3DES:
@@ -300,6 +316,9 @@ bool init_crypto(void)
 			case ENCR_AES_CBC:
 				desc = &encrypt_desc_aes;
 				break;
+			case ENCR_CAMELLIA_CBC:
+				desc = &encrypt_desc_camellia;
+				break;
 			case ENCR_TWOFISH_CBC:
 				desc = &encrypt_desc_twofish;
 				ike_alg_add((struct ike_alg *)&encrypt_desc_twofish_ssh);
@@ -308,7 +327,7 @@ bool init_crypto(void)
 				desc = &encrypt_desc_serpent;
 				break;
 			default:
-				continue;			
+				continue;
 		}
 		ike_alg_add((struct ike_alg *)desc);
 	}
@@ -381,7 +400,7 @@ encryption_algorithm_t oakley_to_encryption_algorithm(int alg)
 		case OAKLEY_DES_CBC:
 			return ENCR_DES;
 		case OAKLEY_IDEA_CBC:
-			return ENCR_IDEA; 
+			return ENCR_IDEA;
 		case OAKLEY_BLOWFISH_CBC:
 			return ENCR_BLOWFISH;
 		case OAKLEY_RC5_R16_B64_CBC:
@@ -392,6 +411,8 @@ encryption_algorithm_t oakley_to_encryption_algorithm(int alg)
 			return ENCR_CAST;
 		case OAKLEY_AES_CBC:
 			return ENCR_AES_CBC;
+		case OAKLEY_CAMELLIA_CBC:
+			return ENCR_CAMELLIA_CBC;
 		case OAKLEY_SERPENT_CBC:
 			return ENCR_SERPENT_CBC;
 		case OAKLEY_TWOFISH_CBC:
@@ -491,7 +512,7 @@ int oakley_from_encryption_algorithm(encryption_algorithm_t alg)
 			return OAKLEY_CAMELLIA_CBC;
 		case ENCR_SERPENT_CBC:
 			return OAKLEY_SERPENT_CBC;
-    	case ENCR_TWOFISH_CBC:
+	case ENCR_TWOFISH_CBC:
 			return OAKLEY_TWOFISH_CBC;
 		default:
 			return 0;
@@ -561,7 +582,7 @@ int esp_from_encryption_algorithm(encryption_algorithm_t alg)
 			return ESP_CAMELLIA;
 		case ENCR_SERPENT_CBC:
 			return ESP_SERPENT;
-    	case ENCR_TWOFISH_CBC:
+	case ENCR_TWOFISH_CBC:
 			return ESP_TWOFISH;
 		default:
 			return 0;
@@ -581,12 +602,20 @@ int esp_from_integrity_algorithm(integrity_algorithm_t alg)
 			return AUTH_ALGORITHM_HMAC_SHA1;
 		case AUTH_AES_XCBC_96:
 			return AUTH_ALGORITHM_AES_XCBC_MAC;
+		case AUTH_HMAC_SHA2_256_96:
+			return AUTH_ALGORITHM_HMAC_SHA2_256_96;
 		case AUTH_HMAC_SHA2_256_128:
 			return AUTH_ALGORITHM_HMAC_SHA2_256;
 		case AUTH_HMAC_SHA2_384_192:
 			return AUTH_ALGORITHM_HMAC_SHA2_384;
 		case AUTH_HMAC_SHA2_512_256:
 			return AUTH_ALGORITHM_HMAC_SHA2_512;
+		case AUTH_AES_128_GMAC:
+			return AUTH_ALGORITHM_AES_128_GMAC;
+		case AUTH_AES_192_GMAC:
+			return AUTH_ALGORITHM_AES_192_GMAC;
+		case AUTH_AES_256_GMAC:
+			return AUTH_ALGORITHM_AES_256_GMAC;
 		default:
 			return 0;
 	}
diff --git a/src/pluto/db_ops.c b/src/pluto/db_ops.c
index 4ba4fa324..547ea5f22 100644
--- a/src/pluto/db_ops.c
+++ b/src/pluto/db_ops.c
@@ -1,6 +1,6 @@
 /* Dynamic db (proposal, transforms, attributes) handling.
  * Author: JuanJo Ciarlante <jjo-ipsec@mendoza.gov.ar>
- * 
+ *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
  * Free Software Foundation; either version 2 of the License, or (at your
@@ -12,11 +12,11 @@
  * for more details.
  */
 
-/* 
+/*
  * The stratedy is to have (full contained) struct db_prop in db_context
  * pointing to ONE dynamically sizable transform vector (trans0).
  * Each transform stores attrib. in ONE dyn. sizable attribute vector (attrs0)
- * in a "serialized" way (attributes storage is used in linear sequence for 
+ * in a "serialized" way (attributes storage is used in linear sequence for
  * subsecuent transforms).
  *
  * Resizing for both trans0 and attrs0 is supported:
@@ -24,7 +24,7 @@
  *               also update trans_cur (by offset)
  * - For attrs0: after allocating and copying attrs, I must rewrite each
  *               trans->attrs present in trans0; to achieve this, calculate
- *               attrs pointer offset (new minus old) and iterate over 
+ *               attrs pointer offset (new minus old) and iterate over
  *               each transform "adding" this difference.
  *               also update attrs_cur (by offset)
  *
@@ -70,7 +70,7 @@
 #ifdef NOT_YET
 /*
  *      Allocator cache:
- *      Because of the single-threaded nature of pluto/spdb.c, 
+ *      Because of the single-threaded nature of pluto/spdb.c,
  *      alloc()/free() is exercised many times with very small
  *      lifetime objects.
  *      Just caching last object (currently it will select the
@@ -84,9 +84,9 @@ struct db_ops_alloc_cache {
 #endif
 
 #ifndef NO_DB_OPS_STATS
-/*      
- *      stats: do account for allocations       
- *      displayed in db_ops_show_status() 
+/*
+ *      stats: do account for allocations
+ *      displayed in db_ops_show_status()
  */
 struct db_ops_stats {
 		int st_curr_cnt;        /* current number of allocations */
@@ -100,7 +100,7 @@ struct db_ops_stats {
 static struct db_ops_stats db_context_st = DB_OPS_ZERO;
 static struct db_ops_stats db_trans_st = DB_OPS_ZERO;
 static struct db_ops_stats db_attrs_st = DB_OPS_ZERO;
-static __inline__ void *malloc_bytes_st(size_t size, struct db_ops_stats *st) 
+static __inline__ void *malloc_bytes_st(size_t size, struct db_ops_stats *st)
 {
 		void *ptr = malloc(size);
 		if (ptr)
@@ -108,7 +108,7 @@ static __inline__ void *malloc_bytes_st(size_t size, struct db_ops_stats *st)
 				st->st_curr_cnt++;
 				st->st_total_cnt++;
 				if (size > st->st_maxsz) st->st_maxsz=size;
-		}       
+		}
 		return ptr;
 }
 #define ALLOC_BYTES_ST(z,st) malloc_bytes_st(z, &st);
@@ -125,13 +125,13 @@ static __inline__ void *malloc_bytes_st(size_t size, struct db_ops_stats *st)
  *      as a result of "add" operations
  */
 int
-db_prop_init(struct db_context *ctx, u_int8_t protoid, int max_trans, int max_attrs) 
+db_prop_init(struct db_context *ctx, u_int8_t protoid, int max_trans, int max_attrs)
 {
 		ctx->trans0 = NULL;
 		ctx->attrs0 = NULL;
 
 		if (max_trans > 0) { /* quite silly if not */
-				ctx->trans0 = ALLOC_BYTES_ST ( sizeof(struct db_trans) * max_trans, 
+				ctx->trans0 = ALLOC_BYTES_ST ( sizeof(struct db_trans) * max_trans,
 								db_trans_st);
 				memset(ctx->trans0, '\0', sizeof(struct db_trans) * max_trans);
 		}
@@ -162,12 +162,12 @@ db_trans_expand(struct db_context *ctx, int delta_trans)
 		int offset;
 
 		old_trans = ctx->trans0;
-		new_trans = ALLOC_BYTES_ST ( sizeof (struct db_trans) * max_trans, 
+		new_trans = ALLOC_BYTES_ST ( sizeof (struct db_trans) * max_trans,
 						db_trans_st);
 		if (!new_trans)
 				goto out;
 		memcpy(new_trans, old_trans, ctx->max_trans * sizeof(struct db_trans));
-		
+
 		/* update trans0 (obviously) */
 		ctx->trans0 = ctx->prop.trans = new_trans;
 		/* update trans_cur (by offset) */
@@ -175,7 +175,7 @@ db_trans_expand(struct db_context *ctx, int delta_trans)
 
 		{
 		  char *cctx = (char *)(ctx->trans_cur);
-		
+
 		  cctx += offset;
 		  ctx->trans_cur = (struct db_trans *)cctx;
 		}
@@ -186,7 +186,7 @@ db_trans_expand(struct db_context *ctx, int delta_trans)
 out:
 		return ret;
 }
-/*      
+/*
  *      Expand storage for attributes by delta_attrs number AND
  *      rewrite trans->attr pointers
  */
@@ -201,22 +201,22 @@ db_attrs_expand(struct db_context *ctx, int delta_attrs)
 		int offset;
 
 		old_attrs = ctx->attrs0;
-		new_attrs = ALLOC_BYTES_ST ( sizeof (struct db_attr) * max_attrs, 
+		new_attrs = ALLOC_BYTES_ST ( sizeof (struct db_attr) * max_attrs,
 						db_attrs_st);
 		if (!new_attrs)
 				goto out;
 
 		memcpy(new_attrs, old_attrs, ctx->max_attrs * sizeof(struct db_attr));
-		
+
 		/* update attrs0 and attrs_cur (obviously) */
 		offset = (char *)(new_attrs) - (char *)(old_attrs);
-		
+
 		{
 		  char *actx = (char *)(ctx->attrs0);
-		
+
 		  actx += offset;
 		  ctx->attrs0 = (struct db_attr *)actx;
-		
+
 		  actx = (char *)ctx->attrs_cur;
 		  actx += offset;
 		  ctx->attrs_cur = (struct db_attr *)actx;
@@ -237,13 +237,13 @@ out:
 		return ret;
 }
 /*      Allocate a new db object */
-struct db_context * 
-db_prop_new(u_int8_t protoid, int max_trans, int max_attrs) 
+struct db_context *
+db_prop_new(u_int8_t protoid, int max_trans, int max_attrs)
 {
 		struct db_context *ctx;
 		ctx = ALLOC_BYTES_ST ( sizeof (struct db_context), db_context_st);
 		if (!ctx) goto out;
-		
+
 		if (db_prop_init(ctx, protoid, max_trans, max_attrs) < 0) {
 				PFREE_ST(ctx, db_context_st);
 				ctx=NULL;
@@ -266,8 +266,8 @@ db_trans_add(struct db_context *ctx, u_int8_t transid)
 		/*      skip incrementing current trans pointer the 1st time*/
 		if (ctx->trans_cur && ctx->trans_cur->attr_cnt)
 				ctx->trans_cur++;
-		/*      
-		 *      Strategy: if more space is needed, expand by 
+		/*
+		 *      Strategy: if more space is needed, expand by
 		 *                <current_size>/2 + 1
 		 *
 		 *      This happens to produce a "reasonable" sequence
@@ -287,10 +287,10 @@ db_trans_add(struct db_context *ctx, u_int8_t transid)
 }
 /*      Add attr copy to current transform, expanding attrs0 if needed */
 int
-db_attr_add(struct db_context *ctx, const struct db_attr *a) 
+db_attr_add(struct db_context *ctx, const struct db_attr *a)
 {
-		/*      
-		 *      Strategy: if more space is needed, expand by 
+		/*
+		 *      Strategy: if more space is needed, expand by
 		 *                <current_size>/2 + 1
 		 */
 		if ((ctx->attrs_cur - ctx->attrs0) >= ctx->max_attrs) {
@@ -302,7 +302,7 @@ db_attr_add(struct db_context *ctx, const struct db_attr *a)
 		ctx->trans_cur->attr_cnt++;
 		return 0;
 }
-/*      Add attr copy (by value) to current transform, 
+/*      Add attr copy (by value) to current transform,
  *      expanding attrs0 if needed, just calls db_attr_add().
  */
 int
@@ -317,7 +317,7 @@ db_attr_add_values(struct db_context *ctx,  u_int16_t type, u_int16_t val)
 int
 db_ops_show_status(void)
 {
-		whack_log(RC_COMMENT, "stats " __FILE__ ": " 
+		whack_log(RC_COMMENT, "stats " __FILE__ ": "
 						DB_OPS_STATS_DESC " :"
 						DB_OPS_STATS_STR("context")
 						DB_OPS_STATS_STR("trans")
@@ -329,7 +329,7 @@ db_ops_show_status(void)
 		return 0;
 }
 #endif /* NO_DB_OPS_STATS */
-/* 
+/*
  * From below to end just testing stuff ....
  */
 #ifdef TEST
@@ -349,7 +349,7 @@ static void db_prop_print(struct db_prop *p)
 						default:
 								continue;
 				}
-				printf("  transid=\"%s\"\n", 
+				printf("  transid=\"%s\"\n",
 						enum_name(n, t->transid));
 				for (ai=0, a=t->attrs; ai < t->attr_cnt; ai++, a++) {
 						int i;
@@ -367,16 +367,16 @@ static void db_prop_print(struct db_prop *p)
 								default:
 										continue;
 						}
-						printf("    type=\"%s\" value=\"%s\"\n", 
+						printf("    type=\"%s\" value=\"%s\"\n",
 								enum_name(n_at, i),
 								enum_name(n_av, a->val));
 				}
 		}
 
 }
-static void db_print(struct db_context *ctx) 
+static void db_print(struct db_context *ctx)
 {
-		printf("trans_cur diff=%d, attrs_cur diff=%d\n", 
+		printf("trans_cur diff=%d, attrs_cur diff=%d\n",
 						ctx->trans_cur - ctx->trans0,
 						ctx->attrs_cur - ctx->attrs0);
 		db_prop_print(&ctx->prop);
diff --git a/src/pluto/demux.c b/src/pluto/demux.c
index 3cfc909af..fad1450cd 100644
--- a/src/pluto/demux.c
+++ b/src/pluto/demux.c
@@ -819,7 +819,7 @@ check_msg_errqueue(const struct iface *ifp, short interest)
 bool
 send_packet(struct state *st, const char *where)
 {
-	struct connection *c = st->st_connection;
+	connection_t *c = st->st_connection;
 	int port_buf;
 	bool err;
 	u_int8_t ike_pkt[MAX_OUTPUT_UDP_SIZE];
@@ -1258,16 +1258,16 @@ process_packet(struct msg_digest **mdp)
 			struct isakmp_hdr *hdr = (struct isakmp_hdr *)md->packet_pbs.cur;
 			if ((hdr->isa_version >> ISA_MAJ_SHIFT) != ISAKMP_MAJOR_VERSION)
 			{
-				SEND_NOTIFICATION(INVALID_MAJOR_VERSION);
+				SEND_NOTIFICATION(ISAKMP_INVALID_MAJOR_VERSION);
 				return;
 			}
 			else if ((hdr->isa_version & ISA_MIN_MASK) != ISAKMP_MINOR_VERSION)
 			{
-				SEND_NOTIFICATION(INVALID_MINOR_VERSION);
+				SEND_NOTIFICATION(ISAKMP_INVALID_MINOR_VERSION);
 				return;
 			}
 		}
-		SEND_NOTIFICATION(PAYLOAD_MALFORMED);
+		SEND_NOTIFICATION(ISAKMP_PAYLOAD_MALFORMED);
 		return;
 	}
 
@@ -1295,14 +1295,14 @@ process_packet(struct msg_digest **mdp)
 		{
 			plog("Message ID was 0x%08lx but should be zero in Main Mode",
 				(unsigned long) md->hdr.isa_msgid);
-			SEND_NOTIFICATION(INVALID_MESSAGE_ID);
+			SEND_NOTIFICATION(ISAKMP_INVALID_MESSAGE_ID);
 			return;
 		}
 
 		if (is_zero_cookie(md->hdr.isa_icookie))
 		{
 			plog("Initiator Cookie must not be zero in Main Mode message");
-			SEND_NOTIFICATION(INVALID_COOKIE);
+			SEND_NOTIFICATION(ISAKMP_INVALID_COOKIE);
 			return;
 		}
 
@@ -1315,7 +1315,7 @@ process_packet(struct msg_digest **mdp)
 			{
 				plog("initial Main Mode message is invalid:"
 					" its Encrypted Flag is on");
-				SEND_NOTIFICATION(INVALID_FLAGS);
+				SEND_NOTIFICATION(ISAKMP_INVALID_FLAGS);
 				return;
 			}
 
@@ -1399,7 +1399,7 @@ process_packet(struct msg_digest **mdp)
 			{
 				memcpy(st->st_ph1_iv, st->st_new_iv, st->st_new_iv_len);
 				st->st_ph1_iv_len = st->st_new_iv_len;
-				
+
 				/* backup new_iv */
 				new_iv_len = st->st_new_iv_len;
 				passert(new_iv_len <= MAX_DIGEST_LEN)
@@ -1429,7 +1429,7 @@ process_packet(struct msg_digest **mdp)
 		{
 			plog("Quick Mode message is invalid because"
 				" it has an Initiator Cookie of 0");
-			SEND_NOTIFICATION(INVALID_COOKIE);
+			SEND_NOTIFICATION(ISAKMP_INVALID_COOKIE);
 			return;
 		}
 
@@ -1437,7 +1437,7 @@ process_packet(struct msg_digest **mdp)
 		{
 			plog("Quick Mode message is invalid because"
 				" it has a Responder Cookie of 0");
-			SEND_NOTIFICATION(INVALID_COOKIE);
+			SEND_NOTIFICATION(ISAKMP_INVALID_COOKIE);
 			return;
 		}
 
@@ -1445,7 +1445,7 @@ process_packet(struct msg_digest **mdp)
 		{
 			plog("Quick Mode message is invalid because"
 				" it has a Message ID of 0");
-			SEND_NOTIFICATION(INVALID_MESSAGE_ID);
+			SEND_NOTIFICATION(ISAKMP_INVALID_MESSAGE_ID);
 			return;
 		}
 
@@ -1475,7 +1475,7 @@ process_packet(struct msg_digest **mdp)
 			{
 				loglog(RC_LOG_SERIOUS, "Quick Mode message is unacceptable because"
 					" it is for an incomplete ISAKMP SA");
-				SEND_NOTIFICATION(PAYLOAD_MALFORMED /* XXX ? */);
+				SEND_NOTIFICATION(ISAKMP_PAYLOAD_MALFORMED /* XXX ? */);
 				return;
 			}
 
@@ -1486,7 +1486,7 @@ process_packet(struct msg_digest **mdp)
 					" it uses a previously used Message ID 0x%08lx"
 					" (perhaps this is a duplicated packet)"
 					, (unsigned long) md->hdr.isa_msgid);
-				SEND_NOTIFICATION(INVALID_MESSAGE_ID);
+				SEND_NOTIFICATION(ISAKMP_INVALID_MESSAGE_ID);
 				return;
 			}
 
@@ -1498,7 +1498,7 @@ process_packet(struct msg_digest **mdp)
 		}
 		else
 		{
-			set_cur_state(st);  
+			set_cur_state(st);
 			from_state = st->st_state;
 		}
 
@@ -1635,7 +1635,7 @@ process_packet(struct msg_digest **mdp)
 	default:
 		plog("unsupported exchange type %s in message"
 			, enum_show(&exchange_names, md->hdr.isa_xchg));
-		SEND_NOTIFICATION(UNSUPPORTED_EXCHANGE_TYPE);
+		SEND_NOTIFICATION(ISAKMP_UNSUPPORTED_EXCHANGE_TYPE);
 		return;
 	}
 
@@ -1681,7 +1681,7 @@ process_packet(struct msg_digest **mdp)
 		default:
 			auth = st->st_oakley.auth;
 		}
-		
+
 		while (!LHAS(smc->flags, auth))
 		{
 			smc++;
@@ -1748,14 +1748,14 @@ process_packet(struct msg_digest **mdp)
 		if (st == NULL)
 		{
 			plog("discarding encrypted message for an unknown ISAKMP SA");
-			SEND_NOTIFICATION(PAYLOAD_MALFORMED /* XXX ? */);
+			SEND_NOTIFICATION(ISAKMP_PAYLOAD_MALFORMED /* XXX ? */);
 			return;
 		}
 		if (st->st_skeyid_e.ptr == (u_char *) NULL)
 		{
 			loglog(RC_LOG_SERIOUS, "discarding encrypted message"
 				" because we haven't yet negotiated keying materiel");
-			SEND_NOTIFICATION(INVALID_FLAGS);
+			SEND_NOTIFICATION(ISAKMP_INVALID_FLAGS);
 			return;
 		}
 
@@ -1795,7 +1795,7 @@ process_packet(struct msg_digest **mdp)
 			if (pbs_left(&md->message_pbs) % crypter_block_size != 0)
 			{
 				loglog(RC_LOG_SERIOUS, "malformed message: not a multiple of encryption blocksize");
-				SEND_NOTIFICATION(PAYLOAD_MALFORMED);
+				SEND_NOTIFICATION(ISAKMP_PAYLOAD_MALFORMED);
 				return;
 			}
 
@@ -1823,11 +1823,11 @@ process_packet(struct msg_digest **mdp)
 			memcpy(new_iv, data.ptr + data.len - crypter_block_size,
 				   crypter_block_size);
 
-			crypter->set_key(crypter, st->st_enc_key);	
+			crypter->set_key(crypter, st->st_enc_key);
 			crypter->decrypt(crypter, data, iv, NULL);
 			crypter->destroy(crypter);
 
-    		memcpy(st->st_new_iv, new_iv, crypter_block_size);
+		memcpy(st->st_new_iv, new_iv, crypter_block_size);
 			if (restore_iv)
 			{
 				memcpy(st->st_new_iv, new_iv, new_iv_len);
@@ -1848,7 +1848,7 @@ process_packet(struct msg_digest **mdp)
 		if (smc->flags & SMF_INPUT_ENCRYPTED)
 		{
 			loglog(RC_LOG_SERIOUS, "packet rejected: should have been encrypted");
-			SEND_NOTIFICATION(INVALID_FLAGS);
+			SEND_NOTIFICATION(ISAKMP_INVALID_FLAGS);
 			return;
 		}
 	}
@@ -1875,7 +1875,7 @@ process_packet(struct msg_digest **mdp)
 			if (pd == &md->digest[PAYLIMIT])
 			{
 				loglog(RC_LOG_SERIOUS, "more than %d payloads in message; ignored", PAYLIMIT);
-				SEND_NOTIFICATION(PAYLOAD_MALFORMED);
+				SEND_NOTIFICATION(ISAKMP_PAYLOAD_MALFORMED);
 				return;
 			}
 
@@ -1915,7 +1915,7 @@ process_packet(struct msg_digest **mdp)
 					loglog(RC_LOG_SERIOUS, "%smessage ignored because it contains an unknown or"
 						" unexpected payload type (%s) at the outermost level"
 						, excuse, enum_show(&payload_names, np));
-					SEND_NOTIFICATION(INVALID_PAYLOAD_TYPE);
+					SEND_NOTIFICATION(ISAKMP_INVALID_PAYLOAD_TYPE);
 					return;
 				}
 			}
@@ -1929,7 +1929,7 @@ process_packet(struct msg_digest **mdp)
 					loglog(RC_LOG_SERIOUS, "%smessage ignored because it "
 						   "contains an unexpected payload type (%s)"
 						, excuse, enum_show(&payload_names, np));
-					SEND_NOTIFICATION(INVALID_PAYLOAD_TYPE);
+					SEND_NOTIFICATION(ISAKMP_INVALID_PAYLOAD_TYPE);
 					return;
 				}
 				needed &= ~s;
@@ -1939,7 +1939,7 @@ process_packet(struct msg_digest **mdp)
 			{
 				loglog(RC_LOG_SERIOUS, "%smalformed payload in packet", excuse);
 				if (md->hdr.isa_xchg != ISAKMP_XCHG_INFO)
-					SEND_NOTIFICATION(PAYLOAD_MALFORMED);
+					SEND_NOTIFICATION(ISAKMP_PAYLOAD_MALFORMED);
 				return;
 			}
 
@@ -1979,7 +1979,7 @@ process_packet(struct msg_digest **mdp)
 			loglog(RC_LOG_SERIOUS, "message for %s is missing payloads %s"
 				, enum_show(&state_names, from_state)
 				, bitnamesof(payload_name, needed));
-			SEND_NOTIFICATION(PAYLOAD_MALFORMED);
+			SEND_NOTIFICATION(ISAKMP_PAYLOAD_MALFORMED);
 			return;
 		}
 	}
@@ -1995,7 +1995,7 @@ process_packet(struct msg_digest **mdp)
 		&& md->hdr.isa_np != ISAKMP_NEXT_SA)
 		{
 			loglog(RC_LOG_SERIOUS, "malformed Phase 1 message: does not start with an SA payload");
-			SEND_NOTIFICATION(PAYLOAD_MALFORMED);
+			SEND_NOTIFICATION(ISAKMP_PAYLOAD_MALFORMED);
 			return;
 		}
 	}
@@ -2019,7 +2019,7 @@ process_packet(struct msg_digest **mdp)
 		if (md->hdr.isa_np != ISAKMP_NEXT_HASH)
 		{
 			loglog(RC_LOG_SERIOUS, "malformed Quick Mode message: does not start with a HASH payload");
-			SEND_NOTIFICATION(PAYLOAD_MALFORMED);
+			SEND_NOTIFICATION(ISAKMP_PAYLOAD_MALFORMED);
 			return;
 		}
 
@@ -2033,7 +2033,7 @@ process_packet(struct msg_digest **mdp)
 				if (p != &md->digest[i])
 				{
 					loglog(RC_LOG_SERIOUS, "malformed Quick Mode message: SA payload is in wrong position");
-					SEND_NOTIFICATION(PAYLOAD_MALFORMED);
+					SEND_NOTIFICATION(ISAKMP_PAYLOAD_MALFORMED);
 					return;
 				}
 			}
@@ -2054,14 +2054,14 @@ process_packet(struct msg_digest **mdp)
 					loglog(RC_LOG_SERIOUS, "malformed Quick Mode message:"
 						" if any ID payload is present,"
 						" there must be exactly two");
-					SEND_NOTIFICATION(PAYLOAD_MALFORMED);
+					SEND_NOTIFICATION(ISAKMP_PAYLOAD_MALFORMED);
 					return;
 				}
 				if (id+1 != id->next)
 				{
 					loglog(RC_LOG_SERIOUS, "malformed Quick Mode message:"
 						" the ID payloads are not adjacent");
-					SEND_NOTIFICATION(PAYLOAD_MALFORMED);
+					SEND_NOTIFICATION(ISAKMP_PAYLOAD_MALFORMED);
 					return;
 				}
 			}
@@ -2192,7 +2192,7 @@ complete_state_transition(struct msg_digest **mdp, stf_status result)
 				time_t delay = UNDEFINED_TIME;
 				enum event_type kind = smc->timeout_event;
 				bool agreed_time = FALSE;
-				struct connection *c = st->st_connection;
+				connection_t *c = st->st_connection;
 
 				switch (kind)
 				{
@@ -2310,7 +2310,7 @@ complete_state_transition(struct msg_digest **mdp, stf_status result)
 				const char *story = state_story[st->st_state - STATE_MAIN_R0];
 				enum rc_type w = RC_NEW_STATE + st->st_state;
 				char sadetails[128];
-				
+
 				sadetails[0]='\0';
 
 				if (IS_IPSEC_SA_ESTABLISHED(st->st_state))
diff --git a/src/pluto/dnskey.c b/src/pluto/dnskey.c
index ed901ade5..ec56b8530 100644
--- a/src/pluto/dnskey.c
+++ b/src/pluto/dnskey.c
@@ -36,7 +36,7 @@
 #include "adns.h"       /* needs <resolv.h> */
 #include "defs.h"
 #include "log.h"
-#include "id.h"
+#include "myid.h"
 #include "connections.h"
 #include "keys.h"           /* needs connections.h */
 #include "dnskey.h"
@@ -238,62 +238,30 @@ stop_adns(void)
 #define our_TXT_attr_string "X-IPsec-Server"
 static const char our_TXT_attr[] = our_TXT_attr_string;
 
-static err_t
-decode_iii(u_char **pp, struct id *gw_id)
+identification_t* decode_iii(u_char **pp)
 {
+	identification_t *gw_id;
 	u_char *p = *pp + strspn(*pp, " \t");
 	u_char *e = p + strcspn(p, " \t");
 	u_char under = *e;
 
 	if (p == e)
 	{
-		return "TXT " our_TXT_attr_string " badly formed (no gateway specified)";
+		return NULL;
 	}
 	*e = '\0';
-	if (*p == '@')
-	{
-		/* gateway specification in this record is @FQDN */
-		err_t ugh = atoid(p, gw_id, FALSE);
-
-		if (ugh != NULL)
-		{
-			return builddiag("malformed FQDN in TXT " our_TXT_attr_string ": %s"
-				, ugh);
-		}
-	}
-	else
-	{
-		/* gateway specification is numeric */
-		ip_address ip;
-		err_t ugh = tnatoaddr(p, e-p
-			, strchr(p, ':') == NULL? AF_INET : AF_INET6
-			, &ip);
-
-		if (ugh != NULL)
-		{
-			return builddiag("malformed IP address in TXT " our_TXT_attr_string ": %s"
-				, ugh);
-		}
-		if (isanyaddr(&ip))
-		{
-			return "gateway address must not be 0.0.0.0 or 0::0";
-		}
-		iptoid(&ip, gw_id);
-	}
-
+	gw_id = identification_create_from_string(p);
 	*e = under;
 	*pp = e + strspn(e, " \t");
 
-	return NULL;
+	return gw_id;
 }
 
-static err_t
-process_txt_rr_body(u_char *str
-, bool doit     /* should we capture information? */
-, enum dns_auth_level dns_auth_level
-, struct adns_continuation *const cr)
+static err_t process_txt_rr_body(u_char *str, bool doit,
+								 enum dns_auth_level dns_auth_level,
+								 struct adns_continuation *const cr)
 {
-	const struct id *client_id = &cr->id;       /* subject of query */
+	identification_t *client_id = cr->id;   /* subject of query */
 	u_char *p = str;
 	unsigned long pref = 0;
 	struct gw_info gi;
@@ -349,10 +317,13 @@ process_txt_rr_body(u_char *str
 	p += strspn(p, " \t");
 
 	/* Decode iii (Security Gateway ID). */
-
 	zero(&gi);  /* before first use */
 
-	TRY(decode_iii(&p, &gi.gw_id));     /* will need to unshare_id_content */
+	gi.gw_id = decode_iii(&p);
+	if (gi.gw_id == NULL)
+	{
+		return "TXT " our_TXT_attr_string " badly formed (no gateway specified)";
+	}
 
 	if (!cr->sgw_specified)
 	{
@@ -360,19 +331,14 @@ process_txt_rr_body(u_char *str
 		 * and we don't know who to initiate with.
 		 * So we're looking for gateway specs with an IP address
 		 */
-		if (!id_is_ipaddr(&gi.gw_id))
+		if (gi.gw_id->get_type(gi.gw_id) != ID_IPV4_ADDR &&
+			gi.gw_id->get_type(gi.gw_id) != ID_IPV6_ADDR)
 		{
 			DBG(DBG_DNS,
-				{
-					char cidb[BUF_LEN];
-					char gwidb[BUF_LEN];
-
-					idtoa(client_id, cidb, sizeof(cidb));
-					idtoa(&gi.gw_id, gwidb, sizeof(gwidb));
-					DBG_log("TXT %s record for %s: security gateway %s;"
-						" ignored because gateway's IP is unspecified"
-						, our_TXT_attr, cidb, gwidb);
-				});
+				DBG_log("TXT %s record for '%Y': security gateway '%Y';"
+						" ignored because gateway's IP is unspecified",
+						our_TXT_attr, client_id, gi.gw_id);
+				)
 			return NULL;        /* we cannot use this record, but it isn't wrong */
 		}
 	}
@@ -381,23 +347,15 @@ process_txt_rr_body(u_char *str
 		/* We do know the peer's ID (because we are responding)
 		 * So we're looking for gateway specs specifying this known ID.
 		 */
-		const struct id *peer_id = &cr->sgw_id;
+		identification_t *peer_id = cr->sgw_id;
 
-		if (!same_id(peer_id, &gi.gw_id))
+		if (!peer_id->equals(peer_id, gi.gw_id))
 		{
 			DBG(DBG_DNS,
-				{
-					char cidb[BUF_LEN];
-					char gwidb[BUF_LEN];
-					char pidb[BUF_LEN];
-
-					idtoa(client_id, cidb, sizeof(cidb));
-					idtoa(&gi.gw_id, gwidb, sizeof(gwidb));
-					idtoa(peer_id, pidb, sizeof(pidb));
-					DBG_log("TXT %s record for %s: security gateway %s;"
-						" ignored -- looking to confirm %s as gateway"
-						, our_TXT_attr, cidb, gwidb, pidb);
-				});
+				DBG_log("TXT %s record for '%Y': security gateway '%Y';"
+						" ignored -- looking to confirm '%Y' as gateway",
+						our_TXT_attr, client_id, gi.gw_id, peer_id);
+				)
 			return NULL;        /* we cannot use this record, but it isn't wrong */
 		}
 	}
@@ -407,7 +365,7 @@ process_txt_rr_body(u_char *str
 		/* really accept gateway */
 		struct gw_info **gwip;  /* gateway insertion point */
 
-		gi.client_id = *client_id;      /* will need to unshare_id_content */
+		gi.client_id = client_id;      /* will need to unshare_id_content */
 
 		/* decode optional kkk: base 64 encoding of key */
 
@@ -436,7 +394,7 @@ process_txt_rr_body(u_char *str
 			}
 			rfc3110_chunk = chunk_create(buf, sz);
 			key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
-										BUILD_BLOB_RFC_3110, rfc3110_chunk,
+										BUILD_BLOB_DNSKEY, rfc3110_chunk,
 										BUILD_END);
 			if (key == NULL)
 			{
@@ -462,32 +420,26 @@ process_txt_rr_body(u_char *str
 
 		DBG(DBG_DNS,
 			{
-				char cidb[BUF_LEN];
-				char gwidb[BUF_LEN];
-				identification_t *keyid;
-				public_key_t *pub_key;
-
-				idtoa(client_id, cidb, sizeof(cidb));
-				idtoa(&gi.gw_id, gwidb, sizeof(gwidb));
-				pub_key = gi.key->public_key;
-				keyid = pub_key->get_id(pub_key, ID_PUBKEY_SHA1);
+				chunk_t keyid;
+				public_key_t *key = gi.key->public_key;
 
-				if (gi.gw_key_present)
+				if (gi.gw_key_present &&
+					key->get_fingerprint(key, KEY_ID_PUBKEY_SHA1, &keyid))
 				{
-					DBG_log("gateway for %s is %s with key %Y"
-						, cidb, gwidb, keyid);
+					DBG_log("gateway for %s is %s with key %#B",
+							client_id, gi.gw_id, &keyid);
 				}
 				else
 				{
-					DBG_log("gateway for %s is %s; no key specified"
-						, cidb, gwidb);
+					DBG_log("gateway for '%Y' is '%Y'; no key specified",
+							client_id, gi.gw_id);
 				}
 			});
 
 		gi.next = *gwip;
 		*gwip = clone_thing(gi);
-		unshare_id_content(&(*gwip)->gw_id);
-		unshare_id_content(&(*gwip)->client_id);
+		(*gwip)->gw_id = (*gwip)->gw_id->clone((*gwip)->gw_id);
+		(*gwip)->client_id = (*gwip)->client_id->clone((*gwip)->client_id);
 	}
 
 	return NULL;
@@ -1271,75 +1223,62 @@ process_dns_answer(struct adns_continuation *const cr
 
 /****************************************************************/
 
-static err_t
-build_dns_name(u_char name_buf[NS_MAXDNAME + 2]
-, unsigned long serial USED_BY_DEBUG
-, const struct id *id
-, const char *typename USED_BY_DEBUG
-, const char *gwname   USED_BY_DEBUG)
+static err_t build_dns_name(u_char name_buf[NS_MAXDNAME + 2],
+							unsigned long serial USED_BY_DEBUG,
+							identification_t *id,
+							const char *typename USED_BY_DEBUG,
+							identification_t *gw USED_BY_DEBUG)
 {
 	/* note: all end in "." to suppress relative searches */
 	id = resolve_myid(id);
-	switch (id->kind)
-	{
-	case ID_IPV4_ADDR:
-	{
-		/* XXX: this is really ugly and only temporary until addrtot can
-		 *      generate the correct format
-		 */
-		const unsigned char *b;
-		size_t bl USED_BY_DEBUG = addrbytesptr(&id->ip_addr, &b);
 
-		passert(bl == 4);
-		snprintf(name_buf, NS_MAXDNAME + 2, "%d.%d.%d.%d.in-addr.arpa."
-			, b[3], b[2], b[1], b[0]);
-		break;
-	}
-
-	case ID_IPV6_ADDR:
+	switch (id->get_type(id))
 	{
-		/* ??? is this correct? */
-		const unsigned char *b;
-		size_t bl;
-		u_char *op = name_buf;
-		static const char suffix[] = "IP6.INT.";
-
-		for (bl = addrbytesptr(&id->ip_addr, &b); bl-- != 0; )
+		case ID_IPV4_ADDR:
 		{
-			if (op + 4 + sizeof(suffix) >= name_buf + NS_MAXDNAME + 1)
-				return "IPv6 reverse name too long";
-			op += sprintf(op, "%x.%x.", b[bl] & 0xF, b[bl] >> 4);
-		}
-		strcpy(op, suffix);
-		break;
-	}
+			chunk_t b = id->get_encoding(id);
 
-	case ID_FQDN:
-		/* strip trailing "." characters, then add one */
+			snprintf(name_buf, NS_MAXDNAME + 2, "%d.%d.%d.%d.in-addr.arpa.",
+							   b.ptr[3], b.ptr[2], b.ptr[1], b.ptr[0]);
+			break;
+		}
+		case ID_IPV6_ADDR:
 		{
-			size_t il = id->name.len;
+			chunk_t b = id->get_encoding(id);
+			size_t bl;
+			u_char *op = name_buf;
+			static const char suffix[] = "IP6.INT.";
 
-			while (il > 0 && id->name.ptr[il - 1] == '.')
-				il--;
-			if (il > NS_MAXDNAME)
+			for (bl = b.len; bl-- != 0; )
+			{
+				if (op + 4 + sizeof(suffix) >= name_buf + NS_MAXDNAME + 1)
+				{
+					return "IPv6 reverse name too long";
+				}
+				op += sprintf(op, "%x.%x.", b.ptr[bl] & 0xF, b.ptr[bl] >> 4);
+			}
+			strcpy(op, suffix);
+			break;
+		}
+		case ID_FQDN:
+		{
+			if (snprintf(name_buf, NS_MAXDNAME + 2, "%Y.", id) > NS_MAXDNAME + 1)
+			{
 				return "FQDN too long for domain name";
-
-			memcpy(name_buf, id->name.ptr, il);
-			strcpy(name_buf + il, ".");
+			}
+			break;
 		}
-		break;
-
-	default:
-		return "can only query DNS for key for ID that is a FQDN, IPV4_ADDR, or IPV6_ADDR";
+		default:
+			return "can only query DNS for key for ID that is a FQDN, IPV4_ADDR, or IPV6_ADDR";
 	}
 
-	DBG(DBG_CONTROL | DBG_DNS, DBG_log("DNS query %lu for %s for %s (gw: %s)"
-		, serial, typename, name_buf, gwname));
+	DBG(DBG_CONTROL | DBG_DNS,
+		DBG_log("DNS query %lu for %s for %s (gw: %Y)",	serial, typename, name_buf, gw)
+	)
 	return NULL;
 }
 
-void
-gw_addref(struct gw_info *gw)
+void gw_addref(struct gw_info *gw)
 {
 	if (gw != NULL)
 	{
@@ -1348,8 +1287,7 @@ gw_addref(struct gw_info *gw)
 	}
 }
 
-void
-gw_delref(struct gw_info **gwp)
+void gw_delref(struct gw_info **gwp)
 {
 	struct gw_info *gw = *gwp;
 
@@ -1361,10 +1299,12 @@ gw_delref(struct gw_info **gwp)
 		gw->refcnt--;
 		if (gw->refcnt == 0)
 		{
-			free_id_content(&gw->client_id);
-			free_id_content(&gw->gw_id);
+			DESTROY_IF(gw->client_id);
+			DESTROY_IF(gw->gw_id);
 			if (gw->gw_key_present)
+			{
 				unreference_key(&gw->key);
+			}
 			gw_delref(&gw->next);
 			free(gw);   /* trickery could make this a tail-call */
 		}
@@ -1414,68 +1354,61 @@ static int adns_in_flight = 0;  /* queries outstanding */
 static struct adns_continuation *continuations = NULL;  /* newest of queue */
 static struct adns_continuation *next_query = NULL;     /* oldest not sent */
 
-static struct adns_continuation *
-continuation_for_qtid(unsigned long qtid)
+static struct adns_continuation *continuation_for_qtid(unsigned long qtid)
 {
 	struct adns_continuation *cr = NULL;
 
 	if (qtid != 0)
+	{
 		for (cr = continuations; cr != NULL && cr->qtid != qtid; cr = cr->previous)
 			;
+	}
 	return cr;
 }
 
-static void
-release_adns_continuation(struct adns_continuation *cr)
+static void release_adns_continuation(struct adns_continuation *cr)
 {
 	passert(cr != next_query);
 	gw_delref(&cr->gateways_from_dns);
 #ifdef USE_KEYRR
 	free_public_keys(&cr->keys_from_dns);
 #endif /* USE_KEYRR */
-	unshare_id_content(&cr->id);
-	unshare_id_content(&cr->sgw_id);
+	cr->id = cr->id->clone(cr->id);
+	cr->sgw_id = cr->sgw_id->clone(cr->sgw_id);
 
 	/* unlink from doubly-linked list */
 	if (cr->next == NULL)
 	{
-		passert(continuations == cr);
 		continuations = cr->previous;
 	}
 	else
 	{
-		passert(cr->next->previous == cr);
 		cr->next->previous = cr->previous;
 	}
 
 	if (cr->previous != NULL)
 	{
-		passert(cr->previous->next == cr);
 		cr->previous->next = cr->next;
 	}
 
 	free(cr);
 }
 
-err_t
-start_adns_query(const struct id *id    /* domain to query */
-, const struct id *sgw_id       /* if non-null, any accepted gw_info must match */
-, int type      /* T_TXT or T_KEY, selecting rr type of interest */
-, cont_fn_t cont_fn
-, struct adns_continuation *cr)
+err_t start_adns_query(identification_t *id,     /* domain to query */
+					   identification_t *sgw_id, /* if non-null, any accepted gw_info must match */
+					   int type,                 /* T_TXT or T_KEY, selecting rr type of interest */
+					   cont_fn_t cont_fn,
+					   struct adns_continuation *cr)
 {
 	static unsigned long qtid = 1;      /* query transaction id; NOTE: static */
 	const char *typename = rr_typename(type);
-	char gwidb[BUF_LEN];
 
-	if(adns_pid == 0
-	   && adns_restart_count < ADNS_RESTART_MAX)
+	if(adns_pid == 0 && adns_restart_count < ADNS_RESTART_MAX)
 	{
 		plog("ADNS helper was not running. Restarting attempt %d",adns_restart_count);
 		init_adns();
 	}
 
-
 	/* Splice this in at head of doubly-linked list of continuations.
 	 * Note: this must be done before any release_adns_continuation().
 	 */
@@ -1483,7 +1416,6 @@ start_adns_query(const struct id *id    /* domain to query */
 	cr->previous = continuations;
 	if (continuations != NULL)
 	{
-		passert(continuations->next == NULL);
 		continuations->next = cr;
 	}
 	continuations = cr;
@@ -1491,11 +1423,11 @@ start_adns_query(const struct id *id    /* domain to query */
 	cr->qtid = qtid++;
 	cr->type = type;
 	cr->cont_fn = cont_fn;
-	cr->id = *id;
-	unshare_id_content(&cr->id);
-	cr->sgw_specified = sgw_id != NULL;
-	cr->sgw_id = cr->sgw_specified? *sgw_id : empty_id;
-	unshare_id_content(&cr->sgw_id);
+	cr->id = id->clone(id);
+	cr->sgw_specified = (sgw_id != NULL);
+	cr->sgw_id = cr->sgw_specified ?
+						sgw_id->clone(sgw_id) :
+				 		identification_create_from_string("%any");
 	cr->gateways_from_dns = NULL;
 #ifdef USE_KEYRR
 	cr->keys_from_dns = NULL;
@@ -1507,15 +1439,12 @@ start_adns_query(const struct id *id    /* domain to query */
 	cr->debugging = LEMPTY;
 #endif
 
-	idtoa(&cr->sgw_id, gwidb, sizeof(gwidb));
-
 	zero(&cr->query);
-
 	{
-		err_t ugh = build_dns_name(cr->query.name_buf, cr->qtid
-			, id, typename, gwidb);
+		err_t ugh = build_dns_name(cr->query.name_buf, cr->qtid, id,
+								   typename, cr->sgw_id);
 
-		if (ugh != NULL)
+		if (ugh)
 		{
 			release_adns_continuation(cr);
 			return ugh;
@@ -1620,8 +1549,7 @@ send_unsent_ADNS_queries(void)
  * Returns with error message iff lwdnsq result is malformed.
  * Most errors will be in DNS data and will be handled by cr->cont_fn.
  */
-static err_t
-process_lwdnsq_answer(char *ts)
+static err_t process_lwdnsq_answer(char *ts)
 {
 	err_t ugh = NULL;
 	char *rest;
@@ -1813,11 +1741,10 @@ process_lwdnsq_answer(char *ts)
 }
 #endif /* USE_LWRES */
 
-static void
-recover_adns_die(void)
+static void recover_adns_die(void)
 {
 	struct adns_continuation *cr = NULL;
-	
+
 	adns_pid = 0;
 	if(adns_restart_count < ADNS_RESTART_MAX) {
 		adns_restart_count++;
@@ -1834,7 +1761,7 @@ recover_adns_die(void)
 		if(continuations != NULL) {
 			for (; cr->previous != NULL; cr = cr->previous);
 		}
-			
+
 		next_query = cr;
 
 		if(next_query != NULL) {
@@ -1848,8 +1775,7 @@ void reset_adns_restart_count(void)
 	adns_restart_count=0;
 }
 
-void
-handle_adns_answer(void)
+void handle_adns_answer(void)
 {
   /* These are retained across calls to handle_adns_answer. */
 	static size_t buflen = 0;   /* bytes in answer buffer */
diff --git a/src/pluto/dnskey.h b/src/pluto/dnskey.h
index 976c715bf..d26a0e64f 100644
--- a/src/pluto/dnskey.h
+++ b/src/pluto/dnskey.h
@@ -12,9 +12,10 @@
  * for more details.
  */
 
-extern int
-	adns_qfd,   /* file descriptor for sending queries to adns */
-	adns_afd;   /* file descriptor for receiving answers from adns */
+#include <utils/identification.h>
+
+extern int adns_qfd;   /* file descriptor for sending queries to adns */
+extern int adns_afd;   /* file descriptor for receiving answers from adns */
 extern const char *pluto_adns_option;   /* path from --pluto_adns */
 extern void init_adns(void);
 extern void stop_adns(void);
@@ -33,13 +34,13 @@ struct adns_continuation;       /* forward declaration (not far!) */
 typedef void (*cont_fn_t)(struct adns_continuation *cr, err_t ugh);
 
 struct adns_continuation {
-	unsigned long qtid; /* query transaction id number */
-	int type;   /* T_TXT or T_KEY, selecting rr type of interest */
-	cont_fn_t cont_fn;  /* function to carry on suspended work */
-	struct id id;       /* subject of query */
+	unsigned long qtid;    /* query transaction id number */
+	int type;              /* T_TXT or T_KEY, selecting rr type of interest */
+	cont_fn_t cont_fn;     /* function to carry on suspended work */
+	identification_t *id;  /* subject of query */
 	bool sgw_specified;
-	struct id sgw_id;   /* peer, if constrained */
-	lset_t debugging;   /* only used #ifdef DEBUG, but don't want layout to change */
+	identification_t *sgw_id; /* peer, if constrained */
+	lset_t debugging;      /* only used #ifdef DEBUG, but don't want layout to change */
 	struct gw_info *gateways_from_dns;  /* answer, if looking for our TXT rrs */
 #ifdef USE_KEYRR
 	struct pubkey_list *keys_from_dns;  /* answer, if looking for KEY rrs */
@@ -47,7 +48,7 @@ struct adns_continuation {
 	struct adns_continuation *previous, *next;
 	struct pubkey *last_info;  /* the last structure we accumulated */
 #ifdef USE_LWRES
-	bool used;  /* have we called the cont_fn yet? */
+	bool used;             /* have we called the cont_fn yet? */
 	struct {
 		u_char name_buf[NS_MAXDNAME + 2];
 	} query;
@@ -56,8 +57,8 @@ struct adns_continuation {
 #endif /* ! USE_LWRES */
 };
 
-extern err_t start_adns_query(const struct id *id       /* domain to query */
-	, const struct id *sgw_id   /* if non-null, any accepted gw_info must match */
+extern err_t start_adns_query(identification_t *id       /* domain to query */
+	, identification_t *sgw_id   /* if non-null, any accepted gw_info must match */
 	, int type  /* T_TXT or T_KEY, selecting rr type of interest */
 	, cont_fn_t cont_fn /* continuation function */
 	, struct adns_continuation *cr);
@@ -65,18 +66,17 @@ extern err_t start_adns_query(const struct id *id       /* domain to query */
 
 /* Gateway info gleaned from reverse DNS of client */
 struct gw_info {
-	unsigned refcnt;    /* reference counted! */
-	unsigned pref;      /* preference: lower is better */
-#define NO_TIME ((time_t) -2)   /* time_t value meaning "not_yet" */
-	struct id client_id;        /* id of client of peer */
-	struct id gw_id;    /* id of peer (if id_is_ipaddr, .ip_addr is address) */
+	unsigned refcnt;             /* reference counted! */
+	unsigned pref;               /* preference: lower is better */
+#define NO_TIME ((time_t) -2)    /* time_t value meaning "not_yet" */
+	identification_t* client_id; /* id of client of peer */
+	identification_t* gw_id;     /* id of peer (if id_is_ipaddr, .ip_addr is address) */
 	bool gw_key_present;
 	struct pubkey *key;
 	struct gw_info *next;
 };
 
-extern void gw_addref(struct gw_info *gw)
-	, gw_delref(struct gw_info **gwp);
-
+extern void gw_addref(struct gw_info *gw);
+extern void gw_delref(struct gw_info **gwp);
 extern void reset_adns_restart_count(void);
 
diff --git a/src/pluto/fetch.c b/src/pluto/fetch.c
index 6f7f1215f..6172165bd 100644
--- a/src/pluto/fetch.c
+++ b/src/pluto/fetch.c
@@ -28,27 +28,27 @@
 #include <library.h>
 #include <debug.h>
 #include <asn1/asn1.h>
-#include <asn1/pem.h>
+#include <credentials/certificates/certificate.h>
+#ifdef THREADS
+#include <threading/thread.h>
+#endif
 
 #include "constants.h"
 #include "defs.h"
 #include "log.h"
-#include "id.h"
-#include "pem.h"
 #include "x509.h"
 #include "ca.h"
 #include "whack.h"
 #include "ocsp.h"
 #include "crl.h"
 #include "fetch.h"
+#include "builder.h"
 
 fetch_req_t empty_fetch_req = {
 	NULL    , /* next */
-		  0 , /* installed */
 		  0 , /* trials */
-  { NULL, 0}, /* issuer */
+    NULL    , /* issuer */
   { NULL, 0}, /* authKeyID */
-  { NULL, 0}, /* authKeySerialNumber */
 	NULL      /* distributionPoints */
 };
 
@@ -59,7 +59,7 @@ static fetch_req_t *crl_fetch_reqs  = NULL;
 static ocsp_location_t *ocsp_fetch_reqs = NULL;
 
 #ifdef THREADS
-static pthread_t thread;
+static thread_t *thread;
 static pthread_mutex_t certs_and_keys_mutex  = PTHREAD_MUTEX_INITIALIZER;
 static pthread_mutex_t authcert_list_mutex   = PTHREAD_MUTEX_INITIALIZER;
 static pthread_mutex_t crl_list_mutex        = PTHREAD_MUTEX_INITIALIZER;
@@ -251,10 +251,9 @@ void wake_fetch_thread(const char *who)
  */
 static void free_fetch_request(fetch_req_t *req)
 {
-	free(req->issuer.ptr);
-	free(req->authKeySerialNumber.ptr);
+	req->distributionPoints->destroy_function(req->distributionPoints, free);
+	DESTROY_IF(req->issuer);
 	free(req->authKeyID.ptr);
-	free_generalNames(req->distributionPoints, TRUE);
 	free(req);
 }
 
@@ -262,86 +261,63 @@ static void free_fetch_request(fetch_req_t *req)
 /**
  * Fetch an ASN.1 blob coded in PEM or DER format from a URL
  */
-bool fetch_asn1_blob(char *url, chunk_t *blob)
+x509crl_t* fetch_crl(char *url)
 {
+	x509crl_t *crl;
+	chunk_t blob;
+
 	DBG1("  fetching crl from '%s' ...", url);
-	if (lib->fetcher->fetch(lib->fetcher, url, blob, FETCH_END) != SUCCESS)
+	if (lib->fetcher->fetch(lib->fetcher, url, &blob, FETCH_END) != SUCCESS)
 	{
 		DBG1("crl fetching failed");
 		return FALSE;
 	}
-
-	if (is_asn1(*blob))
+	crl = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_PLUTO_CRL,
+							 BUILD_BLOB_PEM, blob, BUILD_END);
+	free(blob.ptr);
+	if (!crl)
 	{
-		DBG2("  fetched blob coded in DER format");
+		DBG1("crl fetched successfully but data coded in unknown format");
 	}
-	else
-	{
-		bool pgp = FALSE;
-
-		if (pem_to_bin(blob, chunk_empty, &pgp) != SUCCESS)
-		{
-			free(blob->ptr);
-			return FALSE;
-		}
-		if (is_asn1(*blob))
-		{
-			DBG2("  fetched blob coded in PEM format");
-		}
-		else
-		{
-			DBG1("crl fetched successfully but data coded in unknown format");
-			free(blob->ptr);
-			return FALSE;
-		}
-	}
-	return TRUE;
+	return crl;
 }
 
 /**
  * Complete a distributionPoint URI with ca information
  */
-static char* complete_uri(chunk_t distPoint, const char *ldaphost)
+static char* complete_uri(char *distPoint, const char *ldaphost)
 {
-	char *uri;
-	char *ptr  = distPoint.ptr;
-	size_t len = distPoint.len;
+	char *symbol = strchr(distPoint, ':');
 
-	char *symbol = memchr(ptr, ':', len);
-
-	if (symbol != NULL)
+	if (symbol)
 	{
-		size_t type_len = symbol - ptr;
-		
-		if (type_len >= 4 && strncasecmp(ptr, "ldap", 4) == 0)
+		int type_len = symbol - distPoint;
+
+		if (type_len >= 4 && strncasecmp(distPoint, "ldap", 4) == 0)
 		{
-			ptr = symbol + 1;
-			len -= (type_len + 1);
+			char *ptr  = symbol + 1;
+			int len = strlen(distPoint) - (type_len + 1);
 
 			if (len > 2 && *ptr++ == '/' && *ptr++ == '/')
 			{
 				len -= 2;
-				symbol = memchr(ptr, '/', len);
-				
-				if (symbol != NULL && symbol - ptr == 0 && ldaphost != NULL)
+				symbol = strchr(ptr, '/');
+
+				if (symbol && symbol - ptr == 0 && ldaphost)
 				{
-					uri = malloc(distPoint.len + strlen(ldaphost) + 1);
+					char uri[BUF_LEN];
 
 					/* insert the ldaphost into the uri */
-					sprintf(uri, "%.*s%s%.*s"
-						, (int)(distPoint.len - len), distPoint.ptr
-						, ldaphost
-						, (int)len, symbol);
-					return uri;
+					snprintf(uri, BUF_LEN, "%.*s%s%.*s", strlen(distPoint)-len,
+							 distPoint, ldaphost, len, symbol);
+					return strdup(uri);
 				}
 			}
 		}
 	}
-	
+
 	/* default action:  copy distributionPoint without change */
-	uri = malloc(distPoint.len + 1);
-	sprintf(uri, "%.*s", (int)distPoint.len, distPoint.ptr);
-	return uri;
+	return strdup(distPoint);
 }
 
 /**
@@ -358,39 +334,40 @@ static void fetch_crls(bool cache_crls)
 
 	while (req != NULL)
 	{
+		enumerator_t *enumerator;
+		char *point;
 		bool valid_crl = FALSE;
-		chunk_t blob = chunk_empty;
-		generalName_t *gn = req->distributionPoints;
 		const char *ldaphost;
 		ca_info_t *ca;
 
 		lock_ca_info_list("fetch_crls");
 
-		ca = get_ca_info(req->issuer, req->authKeySerialNumber, req->authKeyID);
+		ca = get_ca_info(req->issuer, req->authKeyID);
 		ldaphost = (ca == NULL)? NULL : ca->ldaphost;
 
-		while (gn != NULL)
+		enumerator = req->distributionPoints->create_enumerator(req->distributionPoints);
+		while (enumerator->enumerate(enumerator, &point))
 		{
-			char *uri = complete_uri(gn->name, ldaphost);
+			x509crl_t *crl;
+			char *uri;
 
-			if (fetch_asn1_blob(uri, &blob))
-			{
-				chunk_t crl_uri = chunk_clone(gn->name);
+			uri = complete_uri(point, ldaphost);
+			crl = fetch_crl(uri);
+			free(uri);
 
-				if (insert_crl(blob, crl_uri, cache_crls))
+			if (crl)
+			{
+				if (insert_crl(crl, point, cache_crls))
 				{
 					DBG(DBG_CONTROL,
 						DBG_log("we have a valid crl")
 					)
 					valid_crl = TRUE;
-					free(uri);
 					break;
 				}
 			}
-			free(uri);
-			gn = gn->next;
 		}
-
+		enumerator->destroy(enumerator);
 		unlock_ca_info_list("fetch_crls");
 
 		if (valid_crl)
@@ -415,19 +392,11 @@ static void fetch_crls(bool cache_crls)
 
 static void fetch_ocsp_status(ocsp_location_t* location)
 {
-	chunk_t request, response;
-	char *uri;
+	chunk_t request = build_ocsp_request(location);
+	chunk_t response = chunk_empty;
 
-	request = build_ocsp_request(location);
-	response = chunk_empty;
-
-	/* we need a null terminated string for curl */
-	uri = malloc(location->uri.len + 1);
-	memcpy(uri, location->uri.ptr, location->uri.len);
-	*(uri + location->uri.len) = '\0';
-
-	DBG1("  requesting ocsp status from '%s' ...", uri);
-	if (lib->fetcher->fetch(lib->fetcher, uri, &response, 
+	DBG1("  requesting ocsp status from '%s' ...", location->uri);
+	if (lib->fetcher->fetch(lib->fetcher, location->uri, &response,
 							FETCH_REQUEST_DATA, request,
 							FETCH_REQUEST_TYPE, "application/ocsp-request",
 							FETCH_END) == SUCCESS)
@@ -436,17 +405,16 @@ static void fetch_ocsp_status(ocsp_location_t* location)
 	}
 	else
 	{
-		DBG1("ocsp request to %s failed", uri);
+		DBG1("ocsp request to %s failed", location->uri);
 	}
 
-	free(uri);
 	free(request.ptr);
 	chunk_free(&location->nonce);
 
 	/* increment the trial counter of the unresolved fetch requests */
 	{
 		ocsp_certinfo_t *certinfo = location->certinfo;
-		
+
 		while (certinfo != NULL)
 		{
 			certinfo->trials++;
@@ -482,6 +450,9 @@ static void* fetch_thread(void *arg)
 {
 	struct timespec wait_interval;
 
+	/* the fetching thread is only cancellable while waiting for new events */
+	thread_cancelability(FALSE);
+
 	DBG(DBG_CONTROL,
 		DBG_log("fetch thread started")
 	)
@@ -498,8 +469,11 @@ static void* fetch_thread(void *arg)
 		DBG(DBG_CONTROL,
 			DBG_log("next regular crl check in %ld seconds", crl_check_interval)
 		)
+
+		thread_cancelability(TRUE);
 		status = pthread_cond_timedwait(&fetch_wake_cond, &fetch_wake_mutex
 										, &wait_interval);
+		thread_cancelability(FALSE);
 
 		if (status == ETIMEDOUT)
 		{
@@ -519,22 +493,22 @@ static void* fetch_thread(void *arg)
 		fetch_ocsp();
 		fetch_crls(cache_crls);
 	}
+	return NULL;
 }
 #endif /* THREADS*/
 
 /**
  * Initializes curl and starts the fetching thread
  */
-void init_fetch(void)
+void fetch_initialize(void)
 {
 	if (crl_check_interval > 0)
 	{
 #ifdef THREADS
-		int status = pthread_create( &thread, NULL, fetch_thread, NULL);
-
-		if (status != 0)
+		thread = thread_create((thread_main_t)fetch_thread, NULL);
+		if (thread == NULL)
 		{
-			plog("fetching thread could not be started, status = %d", status);
+			plog("fetching thread could not be started");
 		}
 #else   /* !THREADS */
 		plog("warning: not compiled with pthread support");
@@ -542,6 +516,23 @@ void init_fetch(void)
 	}
 }
 
+/**
+ * Terminates the fetching thread
+ */
+void fetch_finalize(void)
+{
+	if (crl_check_interval > 0)
+	{
+#ifdef THREADS
+		if (thread)
+		{
+			thread->cancel(thread);
+			thread->join(thread);
+		}
+#endif
+	}
+}
+
 void free_crl_fetch(void)
 {
    lock_crl_fetch_list("free_crl_fetch");
@@ -567,63 +558,94 @@ void free_ocsp_fetch(void)
 }
 
 
+/**
+ * Add an additional distribution point
+ */
+void add_distribution_point(linked_list_t *points, char *new_point)
+{
+	char *point;
+	bool add = TRUE;
+	enumerator_t *enumerator;
+
+	if (new_point == NULL || *new_point == '\0')
+	{
+		return;
+	}
+
+	enumerator = points->create_enumerator(points);
+	while (enumerator->enumerate(enumerator, &point))
+	{
+		if (streq(point, new_point))
+		{
+			add = FALSE;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	if (add)
+	{
+		points->insert_last(points, strdup(new_point));
+	}
+}
+
 /**
  * Add additional distribution points
  */
-void add_distribution_points(const generalName_t *newPoints ,generalName_t **distributionPoints)
+void add_distribution_points(linked_list_t *points, linked_list_t *new_points)
 {
-	while (newPoints != NULL)
+	char *new_point;
+	enumerator_t *enumerator;
+
+	enumerator = new_points->create_enumerator(new_points);
+	while (enumerator->enumerate(enumerator, &new_point))
 	{
-		/* skip empty distribution point */
-		if (newPoints->name.len > 0)
-		{       
-			bool add = TRUE;
-			generalName_t *gn = *distributionPoints;
+		bool add = TRUE;
+		char *point;
+		enumerator_t *enumerator;
 
-			while (gn != NULL)
+		enumerator = points->create_enumerator(points);
+		while (enumerator->enumerate(enumerator, &point))
+		{
+			if (streq(point, new_point))
 			{
-				if (gn->kind == newPoints->kind
-				&& gn->name.len == newPoints->name.len
-				&& memeq(gn->name.ptr, newPoints->name.ptr, gn->name.len))
-				{
-					/* skip if the distribution point is already present */
-					add = FALSE;
-					break;
-				}
-				gn = gn->next;
+				add = FALSE;
+				break;
 			}
+		}
+		enumerator->destroy(enumerator);
 
-			if (add)
-			{
-				/* clone additional distribution point */
-				gn = clone_thing(*newPoints);
-				gn->name = chunk_clone(newPoints->name);
-
-				/* insert additional CRL distribution point */
-				gn->next = *distributionPoints;
-				*distributionPoints = gn;
-			}
+		if (add)
+		{
+			points->insert_last(points, strdup(new_point));
 		}
-		newPoints = newPoints->next;
 	}
+	enumerator->destroy(enumerator);
 }
 
-fetch_req_t* build_crl_fetch_request(chunk_t issuer, chunk_t authKeySerialNumber,
-									 chunk_t authKeyID, const generalName_t *gn)
+fetch_req_t* build_crl_fetch_request(identification_t *issuer,
+									 chunk_t authKeyID,
+									 linked_list_t *distributionPoints)
 {
+	char *point;
+	enumerator_t *enumerator;
 	fetch_req_t *req = malloc_thing(fetch_req_t);
-	*req = empty_fetch_req;
 
-	/* note current time */
-	req->installed = time(NULL);
+	memset(req, 0, sizeof(fetch_req_t));
+	req->distributionPoints = linked_list_create();
 
 	/* clone fields */
-	req->issuer = chunk_clone(issuer);
-	req->authKeySerialNumber =  chunk_clone(authKeySerialNumber);
+	req->issuer = issuer->clone(issuer);
 	req->authKeyID = chunk_clone(authKeyID);
 
 	/* copy distribution points */
-	add_distribution_points(gn, &req->distributionPoints);
+	enumerator = distributionPoints->create_enumerator(distributionPoints);
+	while (enumerator->enumerate(enumerator, &point))
+	{
+		req->distributionPoints->insert_last(req->distributionPoints,
+											 strdup(point));
+	}
+	enumerator->destroy(enumerator);
 
 	return req;
 }
@@ -640,9 +662,8 @@ void add_crl_fetch_request(fetch_req_t *req)
 
 	while (r != NULL)
 	{
-		if ((req->authKeyID.ptr != NULL)? same_keyid(req->authKeyID, r->authKeyID)
-				: (same_dn(req->issuer, r->issuer)
-				&& same_serial(req->authKeySerialNumber, r->authKeySerialNumber)))
+		if (req->authKeyID.ptr ? same_keyid(req->authKeyID, r->authKeyID) :
+			req->issuer->equals(req->issuer, r->issuer))
 		{
 			/* there is already a fetch request */
 			DBG(DBG_CONTROL,
@@ -650,7 +671,8 @@ void add_crl_fetch_request(fetch_req_t *req)
 			)
 
 			/* there might be new distribution points */
-			add_distribution_points(req->distributionPoints, &r->distributionPoints);
+			add_distribution_points(r->distributionPoints,
+									req->distributionPoints);
 
 			unlock_crl_fetch_list("add_crl_fetch_request");
 			free_fetch_request(req);
@@ -686,17 +708,20 @@ void add_ocsp_fetch_request(ocsp_location_t *location, chunk_t serialNumber)
 /**
  * List all distribution points
  */
-void list_distribution_points(const generalName_t *gn)
+void list_distribution_points(linked_list_t *distributionPoints)
 {
-	bool first_gn = TRUE;
+	char *point;
+	bool first_point = TRUE;
+	enumerator_t *enumerator;
 
-	while (gn != NULL)
+	enumerator = distributionPoints->create_enumerator(distributionPoints);
+	while (enumerator->enumerate(enumerator, &point))
 	{
-		whack_log(RC_COMMENT, "       %s '%.*s'", (first_gn)? "distPts: "
-			:"         ", (int)gn->name.len, gn->name.ptr);
-		first_gn = FALSE;
-		gn = gn->next;
+		whack_log(RC_COMMENT, "  %s '%s'",
+				 (first_point)? "distPts: " : "         ", point);
+		first_point = FALSE;
 	}
+	enumerator->destroy(enumerator);
 }
 
 /**
@@ -712,29 +737,17 @@ void list_crl_fetch_requests(bool utc)
 	if (req != NULL)
 	{
 		whack_log(RC_COMMENT, " ");
-		whack_log(RC_COMMENT, "List of CRL fetch requests:");
-		whack_log(RC_COMMENT, " ");
+		whack_log(RC_COMMENT, "List of CRL Fetch Requests:");
 	}
 
 	while (req != NULL)
 	{
-		u_char buf[BUF_LEN];
-
-		whack_log(RC_COMMENT, "%T, trials: %d"
-			, &req->installed, utc, req->trials);
-		dntoa(buf, BUF_LEN, req->issuer);
-		whack_log(RC_COMMENT, "       issuer:   '%s'", buf);
-		if (req->authKeyID.ptr != NULL)
-		{
-			datatot(req->authKeyID.ptr, req->authKeyID.len, ':'
-				, buf, BUF_LEN);
-			whack_log(RC_COMMENT, "       authkey:   %s", buf);
-		}
-		if (req->authKeySerialNumber.ptr != NULL)
+		whack_log(RC_COMMENT, " ");
+		whack_log(RC_COMMENT, "  trials:    %d", req->trials);
+		whack_log(RC_COMMENT, "  issuer:   \"%Y\"", req->issuer);
+		if (req->authKeyID.ptr)
 		{
-			datatot(req->authKeySerialNumber.ptr, req->authKeySerialNumber.len, ':'
-				, buf, BUF_LEN);
-			whack_log(RC_COMMENT, "       aserial:   %s", buf);
+			whack_log(RC_COMMENT, "  authkey:   %#B", &req->authKeyID);
 		}
 		list_distribution_points(req->distributionPoints);
 		req = req->next;
diff --git a/src/pluto/fetch.h b/src/pluto/fetch.h
index f7b4eb074..265dc5fe7 100644
--- a/src/pluto/fetch.h
+++ b/src/pluto/fetch.h
@@ -13,6 +13,9 @@
  * for more details.
  */
 
+#include <utils/linked_list.h>
+#include <utils/identification.h>
+
 #include "x509.h"
 
 #define FETCH_CMD_TIMEOUT       10      /* seconds */
@@ -27,13 +30,11 @@ typedef enum {
 typedef struct fetch_req fetch_req_t;
 
 struct fetch_req {
-	fetch_req_t   *next;
-	time_t        installed;
-	int           trials;
-	chunk_t       issuer;
-	chunk_t       authKeyID;
-	chunk_t       authKeySerialNumber;
-	generalName_t *distributionPoints;
+	fetch_req_t      *next;
+	int               trials;
+	identification_t *issuer;
+	chunk_t           authKeyID;
+	linked_list_t    *distributionPoints;
 };
 
 #ifdef THREADS
@@ -61,16 +62,20 @@ extern void wake_fetch_thread(const char *who);
 #define unlock_certs_and_keys(who)  /* do nothing */
 #define wake_fetch_thread(who)      /* do nothing */
 #endif
-extern void init_fetch(void);
+extern void fetch_initialize(void);
+extern void fetch_finalize(void);
 extern void free_crl_fetch(void);
 extern void free_ocsp_fetch(void);
-extern void add_distribution_points(const generalName_t *newPoints
-	, generalName_t **distributionPoints);
-extern fetch_req_t* build_crl_fetch_request(chunk_t issuer, chunk_t authKeySerialNumber
-	, chunk_t authKeyID, const generalName_t *gn);
+extern void add_distribution_point(linked_list_t *points, char* new_point);
+extern void add_distribution_points(linked_list_t *points,
+									linked_list_t *new_points);
+extern fetch_req_t* build_crl_fetch_request(identification_t *issuer,
+											chunk_t authKeyID,
+											linked_list_t *distributionPoints);
 extern void add_crl_fetch_request(fetch_req_t *req);
-extern void add_ocsp_fetch_request(struct ocsp_location *location, chunk_t serialNumber);
-extern void list_distribution_points(const generalName_t *gn);
+extern void add_ocsp_fetch_request(struct ocsp_location *location,
+								   chunk_t serialNumber);
+extern void list_distribution_points(linked_list_t *distributionPoints);
 extern void list_crl_fetch_requests(bool utc);
 extern void list_ocsp_fetch_requests(bool utc);
 extern size_t write_buffer(void *ptr, size_t size, size_t nmemb, void *data);
diff --git a/src/pluto/foodgroups.c b/src/pluto/foodgroups.c
index ed9853fc4..e4f9a1d01 100644
--- a/src/pluto/foodgroups.c
+++ b/src/pluto/foodgroups.c
@@ -48,7 +48,7 @@ static size_t fg_path_space = 0;
 
 struct fg_groups {
 	struct fg_groups *next;
-	struct connection *connection;
+	connection_t *connection;
 };
 
 static struct fg_groups *groups = NULL;
@@ -78,8 +78,7 @@ struct fg_targets *new_targets;
  * It returns -1, 0, or +1 if a is, respectively,
  * less than, equal to, or greater than b.
  */
-static int
-ipcmp(ip_address *a, ip_address *b)
+static int ipcmp(ip_address *a, ip_address *b)
 {
 	if (addrtypeof(a) != addrtypeof(b))
 	{
@@ -105,8 +104,7 @@ ipcmp(ip_address *a, ip_address *b)
  * It returns -1, 0, or +1 if a is, respectively,
  * less than, equal to, or greater than b.
  */
-static int
-subnetcmp(const ip_subnet *a, const ip_subnet *b)
+static int subnetcmp(const ip_subnet *a, const ip_subnet *b)
 {
 	ip_address neta, maska, netb, maskb;
 	int r;
@@ -121,8 +119,7 @@ subnetcmp(const ip_subnet *a, const ip_subnet *b)
 	return r;
 }
 
-static void
-read_foodgroup(struct fg_groups *g)
+static void read_foodgroup(struct fg_groups *g)
 {
 	const char *fgn = g->connection->name;
 	const ip_subnet *lsn = &g->connection->spd.this.client;
@@ -244,8 +241,7 @@ read_foodgroup(struct fg_groups *g)
 	}
 }
 
-static void
-free_targets(void)
+static void free_targets(void)
 {
 	while (targets != NULL)
 	{
@@ -257,8 +253,7 @@ free_targets(void)
 	}
 }
 
-void
-load_groups(void)
+void load_groups(void)
 {
 	passert(new_targets == NULL);
 
@@ -341,8 +336,7 @@ load_groups(void)
 }
 
 
-void
-add_group(struct connection *c)
+void add_group(connection_t *c)
 {
 	struct fg_groups *g = malloc_thing(struct fg_groups);
 
@@ -352,8 +346,7 @@ add_group(struct connection *c)
 	g->connection = c;
 }
 
-static struct fg_groups *
-find_group(const struct connection *c)
+static struct fg_groups *find_group(const connection_t *c)
 {
 	struct fg_groups *g;
 
@@ -362,8 +355,7 @@ find_group(const struct connection *c)
 	return g;
 }
 
-void
-route_group(struct connection *c)
+void route_group(connection_t *c)
 {
 	/* it makes no sense to route a connection that is ISAKMP-only */
 	if (!NEVER_NEGOTIATE(c->policy) && !HAS_IPSEC_POLICY(c->policy))
@@ -381,7 +373,7 @@ route_group(struct connection *c)
 		{
 			if (t->group == g)
 			{
-				struct connection *ci = con_by_name(t->name, FALSE);
+				connection_t *ci = con_by_name(t->name, FALSE);
 
 				if (ci != NULL)
 				{
@@ -395,8 +387,7 @@ route_group(struct connection *c)
 	}
 }
 
-void
-unroute_group(struct connection *c)
+void unroute_group(connection_t *c)
 {
 	struct fg_groups *g = find_group(c);
 	struct fg_targets *t;
@@ -407,7 +398,7 @@ unroute_group(struct connection *c)
 	{
 		if (t->group == g)
 		{
-			struct connection *ci = con_by_name(t->name, FALSE);
+			connection_t *ci = con_by_name(t->name, FALSE);
 
 			if (ci != NULL)
 			{
@@ -419,8 +410,7 @@ unroute_group(struct connection *c)
 	}
 }
 
-void
-delete_group(const struct connection *c)
+void delete_group(const connection_t *c)
 {
 	struct fg_groups *g;
 
diff --git a/src/pluto/id.c b/src/pluto/id.c
deleted file mode 100644
index f34775e68..000000000
--- a/src/pluto/id.c
+++ /dev/null
@@ -1,523 +0,0 @@
-/* identity representation, as in IKE ID Payloads (RFC 2407 DOI 4.6.2.1)
- * Copyright (C) 1999-2001  D. Hugh Redelmeier
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <stdlib.h>
-#include <string.h>
-#include <ctype.h>
-#include <errno.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <unistd.h>
-#ifndef HOST_NAME_MAX   /* POSIX 1003.1-2001 says <unistd.h> defines this */
-# define HOST_NAME_MAX  255 /* upper bound, according to SUSv2 */
-#endif
-#include <sys/queue.h>
-
-#include <freeswan.h>
-
-#include "constants.h"
-#include "defs.h"
-#include "id.h"
-#include "log.h"
-#include "connections.h"
-#include "packet.h"
-#include "whack.h"
-
-const struct id empty_id;       /* ID_ANY */
-
-enum myid_state myid_state = MYID_UNKNOWN;
-struct id myids[MYID_SPECIFIED+1];      /* %myid */
-char *myid_str[MYID_SPECIFIED+1];     /* string form of IDs */
-
-/* initialize id module
- * Fills in myid from environment variable IPSECmyid or defaultrouteaddr
- */
-void
-init_id(void)
-{
-	passert(empty_id.kind == ID_ANY);
-	myid_state = MYID_UNKNOWN;
-	{
-		enum myid_state s;
-
-		for (s = MYID_UNKNOWN; s <= MYID_SPECIFIED; s++)
-		{
-			myids[s] = empty_id;
-			myid_str[s] = NULL;
-		}
-	}
-	set_myid(MYID_SPECIFIED, getenv("IPSECmyid"));
-	set_myid(MYID_IP, getenv("defaultrouteaddr"));
-	set_myFQDN();
-}
-
-/*
- *  free id module
- */
-void
-free_id(void)
-{
-	enum myid_state s;
-
-	for (s = MYID_UNKNOWN; s <= MYID_SPECIFIED; s++)
-	{
-		free_id_content(&myids[s]);
-		free(myid_str[s]);
-	}
-}
-
-static void
-calc_myid_str(enum myid_state s)
-{
-	/* preformat the ID name */
-	char buf[BUF_LEN];
-
-	idtoa(&myids[s], buf, BUF_LEN);
-	replace(myid_str[s], clone_str(buf));
-}
-
-
-void
-set_myid(enum myid_state s, char *idstr)
-{
-	if (idstr != NULL)
-	{
-		struct id id;
-		err_t ugh = atoid(idstr, &id, FALSE);
-
-		if (ugh != NULL)
-		{
-			loglog(RC_BADID, "myid malformed: %s \"%s\"", ugh, idstr);
-		}
-		else
-		{
-			free_id_content(&myids[s]);
-			unshare_id_content(&id);
-			myids[s] = id;
-			if (s == MYID_SPECIFIED)
-				myid_state = MYID_SPECIFIED;
-
-			calc_myid_str(s);
-		}
-	}
-}
-
-void
-set_myFQDN(void)
-{
-	char FQDN[HOST_NAME_MAX + 1];
-	int r = gethostname(FQDN, sizeof(FQDN));
-
-	free_id_content(&myids[MYID_HOSTNAME]);
-	myids[MYID_HOSTNAME] = empty_id;
-	if (r != 0)
-	{
-		log_errno((e, "gethostname() failed in set_myFQDN"));
-	}
-	else
-	{
-		FQDN[sizeof(FQDN) - 1] = '\0';  /* insurance */
-
-		{
-			size_t len = strlen(FQDN);
-
-			if (len > 0 && FQDN[len-1] == '.')
-			{
-				/* nuke trailing . */
-				FQDN[len-1]='\0';
-			}
-		}
-
-		if (!strcaseeq(FQDN, "localhost.localdomain"))
-		{
-			chunk_t myid_name = { FQDN, strlen(FQDN) };
-
-			myids[MYID_HOSTNAME].name = chunk_clone(myid_name);
-			myids[MYID_HOSTNAME].kind = ID_FQDN;
-			calc_myid_str(MYID_HOSTNAME);
-		}
-	}
-}
-
-void
-show_myid_status(void)
-{
-	char idstr[BUF_LEN];
-
-	(void)idtoa(&myids[myid_state], idstr, sizeof(idstr));
-	whack_log(RC_COMMENT, "%%myid = %s", idstr);
-}
-
-/* Convert textual form of id into a (temporary) struct id.
- * Note that if the id is to be kept, unshare_id_content will be necessary.
- */
-err_t
-atoid(char *src, struct id *id, bool myid_ok)
-{
-	err_t ugh = NULL;
-
-	*id = empty_id;
-
-	if (myid_ok && streq("%myid", src))
-	{
-		id->kind = ID_MYID;
-	}
-	else if (strchr(src, '=') != NULL)
-	{
-		/* we interpret this as an ASCII X.501 ID_DER_ASN1_DN */
-		id->kind = ID_DER_ASN1_DN;
-		id->name.ptr = temporary_cyclic_buffer(); /* assign temporary buffer */
-		id->name.len = 0;
-		/* convert from LDAP style or openssl x509 -subject style to ASN.1 DN
-		 * discard optional @ character in front of DN
-		 */
-		ugh = atodn((*src == '@')?src+1:src, &id->name);
-	}
-	else if (strchr(src, '@') == NULL)
-	{
-		if (streq(src, "%any") || streq(src, "0.0.0.0"))
-		{
-			/* any ID will be accepted */
-			id->kind = ID_ANY;
-		}
-		else
-		{
-		   /* !!! this test is not sufficient for distinguishing address families.
-			* We need a notation to specify that a FQDN is to be resolved to IPv6.
-			*/
-		   const struct af_info *afi = strchr(src, ':') == NULL
-		? &af_inet4_info: &af_inet6_info;
-
-		   id->kind = afi->id_addr;
-		   ugh = ttoaddr(src, 0, afi->af, &id->ip_addr);
-		}
-	}
-	else
-	{
-		if (*src == '@')
-		{
-			if (*(src+1) == '#')
-			{
-				/* if there is a second specifier (#) on the line
-				 * we interprete this as ID_KEY_ID
-				 */
-				id->kind = ID_KEY_ID;
-				id->name.ptr = src;
-				/* discard @~, convert from hex to bin */
-				ugh = ttodata(src+2, 0, 16, id->name.ptr, strlen(src), &id->name.len);
-			}
-			else if (*(src+1) == '~')
-			{
-				/* if there is a second specifier (~) on the line
-				* we interprete this as a binary ID_DER_ASN1_DN
-				*/
-				id->kind = ID_DER_ASN1_DN;
-				id->name.ptr = src;
-				/* discard @~, convert from hex to bin */
-				ugh = ttodata(src+2, 0, 16, id->name.ptr, strlen(src), &id->name.len);
-			}
-			else
-			{
-				id->kind = ID_FQDN;
-				id->name.ptr = src+1;   /* discard @ */
-				id->name.len = strlen(src)-1;
-			}
-		}
-		else
-		{
-			/* We leave in @, as per DOI 4.6.2.4
-			 * (but DNS wants . instead).
-			 */
-			id->kind = ID_USER_FQDN;
-			id->name.ptr = src;
-			id->name.len = strlen(src);
-		}
-	}
-	return ugh;
-}
-
-
-/*
- *  Converts a binary key ID into hexadecimal format
- */
-int
-keyidtoa(char *dst, size_t dstlen, chunk_t keyid)
-{
-	int n = datatot(keyid.ptr, keyid.len, 'x', dst, dstlen);
-	return (((size_t)n < dstlen)? n : dstlen) - 1;
-}
-
-void
-iptoid(const ip_address *ip, struct id *id)
-{
-	*id = empty_id;
-
-	switch (addrtypeof(ip))
-	{
-	case AF_INET:
-		id->kind = ID_IPV4_ADDR;
-		break;
-	case AF_INET6:
-		id->kind = ID_IPV6_ADDR;
-		break;
-	default:
-		bad_case(addrtypeof(ip));
-	}
-	id->ip_addr = *ip;
-}
-
-int
-idtoa(const struct id *id, char *dst, size_t dstlen)
-{
-	int n;
-
-	id = resolve_myid(id);
-	switch (id->kind)
-	{
-	case ID_ANY:
-		n = snprintf(dst, dstlen, "(none)");
-		break;
-	case ID_IPV4_ADDR:
-	case ID_IPV6_ADDR:
-		n = (int)addrtot(&id->ip_addr, 0, dst, dstlen) - 1;
-		break;
-	case ID_FQDN:
-		n = snprintf(dst, dstlen, "@%.*s", (int)id->name.len, id->name.ptr);
-		break;
-	case ID_USER_FQDN:
-		n = snprintf(dst, dstlen, "%.*s", (int)id->name.len, id->name.ptr);
-		break;
-	case ID_DER_ASN1_DN:
-		n = dntoa(dst, dstlen, id->name);
-		break;
-	case ID_KEY_ID:
-		n = keyidtoa(dst, dstlen, id->name);
-		break;
-	default:
-		n = snprintf(dst, dstlen, "unknown id kind %d", id->kind);
-		break;
-	}
-
-	/* "Sanitize" string so that log isn't endangered:
-	 * replace unprintable characters with '?'.
-	 */
-	if (n > 0)
-	{
-		for ( ; *dst != '\0'; dst++)
-			if (!isprint(*dst))
-				*dst = '?';
-	}
-
-	return n;
-}
-
-/* Replace the shell metacharacters ', \, ", `, and $ in a character string
- * by escape sequences consisting of their octal values
- */
-void
-escape_metachar(const char *src, char *dst, size_t dstlen)
-{
-	while (*src != '\0' && dstlen > 4)
-	{
-		switch (*src)
-		{
-		case '\'':
-		case '\\':
-		case '"':
-		case '`':
-		case '$':
-			sprintf(dst,"\\%s%o", (*src < 64)?"0":"", *src);
-			dst += 4;
-			dstlen -= 4;
-			break;
-		default:
-			*dst++ = *src;
-			dstlen--;
-		}
-		src++;
-	}
-	*dst = '\0';
-}
-
-
-/* Make private copy of string in struct id.
- * This is needed if the result of atoid is to be kept.
- */
-void
-unshare_id_content(struct id *id)
-{
-	switch (id->kind)
-	{
-	case ID_FQDN:
-	case ID_USER_FQDN:
-	case ID_DER_ASN1_DN:
-	case ID_KEY_ID:
-		id->name = chunk_clone(id->name);
-		break;
-	case ID_MYID:
-	case ID_ANY:
-	case ID_IPV4_ADDR:
-	case ID_IPV6_ADDR:
-		break;
-	default:
-		bad_case(id->kind);
-	}
-}
-
-void
-free_id_content(struct id *id)
-{
-	switch (id->kind)
-	{
-	case ID_FQDN:
-	case ID_USER_FQDN:
-	case ID_DER_ASN1_DN:
-	case ID_KEY_ID:
-		free(id->name.ptr);
-		break;
-	case ID_MYID:
-	case ID_ANY:
-	case ID_IPV4_ADDR:
-	case ID_IPV6_ADDR:
-		break;
-	default:
-		bad_case(id->kind);
-	}
-}
-
-/* compare two struct id values */
-bool
-same_id(const struct id *a, const struct id *b)
-{
-	a = resolve_myid(a);
-	b = resolve_myid(b);
-	if (a->kind != b->kind)
-		return FALSE;
-	switch (a->kind)
-	{
-	case ID_ANY:
-		return TRUE;    /* kind of vacuous */
-
-	case ID_IPV4_ADDR:
-	case ID_IPV6_ADDR:
-		return sameaddr(&a->ip_addr, &b->ip_addr);
-
-	case ID_FQDN:
-	case ID_USER_FQDN:
-		/* assumptions:
-		 * - case should be ignored
-		 * - trailing "." should be ignored (even if the only character?)
-		 */
-		{
-			size_t al = a->name.len
-				, bl = b->name.len;
-
-			while (al > 0 && a->name.ptr[al - 1] == '.')
-				al--;
-			while (bl > 0 && b->name.ptr[bl - 1] == '.')
-				bl--;
-			return al == bl
-				&& strncasecmp(a->name.ptr, b->name.ptr, al) == 0;
-		}
-
-	case ID_DER_ASN1_DN:
-		return same_dn(a->name, b->name);
-
-	case ID_KEY_ID:
-		return a->name.len == b->name.len
-			&& memeq(a->name.ptr, b->name.ptr, a->name.len);
-
-	default:
-		bad_case(a->kind);
-	}
-	return FALSE;
-}
-
-/* compare two struct id values, DNs can contain wildcards */
-bool
-match_id(const struct id *a, const struct id *b, int *wildcards)
-{
-	if (b->kind == ID_ANY)
-	{
-		*wildcards = MAX_WILDCARDS;
-		return TRUE;
-	}
-	if (a->kind != b->kind)
-		return FALSE;
-	if (a->kind == ID_DER_ASN1_DN)
-		return match_dn(a->name, b->name, wildcards);
-	else
-	{
-		*wildcards = 0;
-		return same_id(a, b);
-	}
-}
-
-/* count the numer of wildcards in an id */
-int
-id_count_wildcards(const struct id *id)
-{
-	switch (id->kind)
-	{
-	case ID_ANY:
-		return MAX_WILDCARDS;
-	case ID_DER_ASN1_DN:
-		return dn_count_wildcards(id->name);
-	default:
-		return 0;
-	}
-}
-
-/* build an ID payload
- * Note: no memory is allocated for the body of the payload (tl->ptr).
- * We assume it will end up being a pointer into a sufficiently
- * stable datastructure.  It only needs to last a short time.
- */
-void
-build_id_payload(struct isakmp_ipsec_id *hd, chunk_t *tl, struct end *end)
-{
-	const struct id *id = resolve_myid(&end->id);
-
-	zero(hd);
-	hd->isaiid_idtype = id->kind;
-	switch (id->kind)
-	{
-	case ID_ANY:
-		hd->isaiid_idtype = aftoinfo(addrtypeof(&end->host_addr))->id_addr;
-		tl->len = addrbytesptr(&end->host_addr
-			, (const unsigned char **)&tl->ptr);        /* sets tl->ptr too */
-		break;
-	case ID_FQDN:
-	case ID_USER_FQDN:
-	case ID_DER_ASN1_DN:
-	case ID_KEY_ID:
-		*tl = id->name;
-		break;
-	case ID_IPV4_ADDR:
-	case ID_IPV6_ADDR:
-		tl->len = addrbytesptr(&id->ip_addr
-			, (const unsigned char **)&tl->ptr);        /* sets tl->ptr too */
-		break;
-	default:
-		bad_case(id->kind);
-	}
-}
-
-/*
- * Local Variables:
- * c-basic-offset:4
- * c-style: pluto
- * End:
- */
diff --git a/src/pluto/id.h b/src/pluto/id.h
deleted file mode 100644
index dc2dcdfa6..000000000
--- a/src/pluto/id.h
+++ /dev/null
@@ -1,65 +0,0 @@
-/* identity representation, as in IKE ID Payloads (RFC 2407 DOI 4.6.2.1)
- * Copyright (C) 1999-2001  D. Hugh Redelmeier
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#ifndef _ID_H
-#define _ID_H
-
-#include "defs.h"
-
-struct id {
-	int kind;           /* ID_* value */
-	ip_address ip_addr; /* ID_IPV4_ADDR, ID_IPV6_ADDR */
-	chunk_t name;       /* ID_FQDN, ID_USER_FQDN (with @) */
-						/* ID_KEY_ID, ID_DER_ASN_DN       */
-};
-
-extern void init_id(void);
-extern void free_id(void);
-extern const struct id empty_id;        /* ID_NONE */
-
-enum myid_state {
-	MYID_UNKNOWN,       /* not yet figured out */
-	MYID_HOSTNAME,      /* our current hostname */
-	MYID_IP,            /* our default IP address */
-	MYID_SPECIFIED      /* as specified by ipsec.conf */
-};
-
-extern enum myid_state myid_state;
-extern struct id myids[MYID_SPECIFIED+1];       /* %myid */
-extern char *myid_str[MYID_SPECIFIED+1];      /* strings */
-extern void set_myid(enum myid_state s, char *);
-extern void show_myid_status(void);
-#define resolve_myid(id) ((id)->kind == ID_MYID? &myids[myid_state] : (id))
-extern void set_myFQDN(void);
-
-extern err_t atoid(char *src, struct id *id, bool myid_ok);
-extern int keyidtoa(char *dst, size_t dstlen, chunk_t keyid);
-extern void iptoid(const ip_address *ip, struct id *id);
-extern int idtoa(const struct id *id, char *dst, size_t dstlen);
-#define IDTOA_BUF       512
-extern void escape_metachar(const char *src, char *dst, size_t dstlen);
-struct end;     /* forward declaration of tag (defined in connections.h) */
-extern void unshare_id_content(struct id *id);
-extern void free_id_content(struct id *id);
-extern bool same_id(const struct id *a, const struct id *b);
-#define MAX_WILDCARDS   15
-extern bool match_id(const struct id *a, const struct id *b, int *wildcards);
-extern int id_count_wildcards(const struct id *id);
-#define id_is_ipaddr(id) ((id)->kind == ID_IPV4_ADDR || (id)->kind == ID_IPV6_ADDR)
-
-struct isakmp_ipsec_id; /* forward declaration of tag (defined in packet.h) */
-extern void
-	build_id_payload(struct isakmp_ipsec_id *hd, chunk_t *tl, struct end *end);
-
-#endif /* _ID_H */
diff --git a/src/pluto/ike_alg.c b/src/pluto/ike_alg.c
index f833f85b5..7521dd33b 100644
--- a/src/pluto/ike_alg.c
+++ b/src/pluto/ike_alg.c
@@ -23,6 +23,8 @@
 
 #include <library.h>
 #include <debug.h>
+#include <credentials/keys/public_key.h>
+#include <credentials/keys/private_key.h>
 #include <crypto/hashers/hasher.h>
 #include <crypto/crypters/crypter.h>
 #include <crypto/prfs/prf.h>
@@ -126,7 +128,7 @@ struct dh_desc *ike_alg_get_dh_group(u_int alg)
 /**
  * Get pfsgroup for this connection
  */
-const struct dh_desc *ike_alg_pfsgroup(struct connection *c, lset_t policy)
+const struct dh_desc *ike_alg_pfsgroup(connection_t *c, lset_t policy)
 {
 	const struct dh_desc *ret = NULL;
 
@@ -141,7 +143,7 @@ const struct dh_desc *ike_alg_pfsgroup(struct connection *c, lset_t policy)
 /**
  * Create an OAKLEY proposal based on alg_info and policy
  */
-struct db_context *ike_alg_db_new(struct connection *c, lset_t policy)
+struct db_context *ike_alg_db_new(connection_t *c, lset_t policy)
 {
 	struct alg_info_ike *ai = c->alg_info_ike;
 	struct db_context *db_ctx = NULL;
@@ -176,13 +178,13 @@ struct db_context *ike_alg_db_new(struct connection *c, lset_t policy)
 					enum_show(&oakley_enc_names, ealg));
 			continue;
 		}
-		if (!ike_alg_get_hasher(halg)) 
+		if (!ike_alg_get_hasher(halg))
 		{
 			plog("ike alg: hasher %s not present",
 					enum_show(&oakley_hash_names, halg));
 			continue;
 		}
-		if (!ike_alg_get_dh_group(modp)) 
+		if (!ike_alg_get_dh_group(modp))
 		{
 			plog("ike alg: dh group %s not present",
 					enum_show(&oakley_group_names, modp));
@@ -193,20 +195,43 @@ struct db_context *ike_alg_db_new(struct connection *c, lset_t policy)
 		if (policy & POLICY_PUBKEY)
 		{
 			int auth_method = 0;
-			private_key_t *key = get_private_key(c);
+			size_t key_size = 0;
+			key_type_t key_type = KEY_ANY;
 
-			if (key == NULL)
+
+			if (c->spd.this.cert)
+			{
+				certificate_t *certificate = c->spd.this.cert->cert;
+				public_key_t *key = certificate->get_public_key(certificate);
+
+				if (key == NULL)
+				{				
+					plog("ike alg: unable to retrieve my public key");
+					continue;
+				}
+				key_type = key->get_type(key);
+				key_size = key->get_keysize(key);
+				key->destroy(key);
+			}
+			else
 			{
-				plog("ike alg: unable to locate my private key");
-				continue;
+				private_key_t *key = get_private_key(c);
+
+				if (key == NULL)
+				{
+					plog("ike alg: unable to retrieve my private key");
+					continue;
+				}
+				key_type = key->get_type(key);
+				key_size = key->get_keysize(key);
 			}
-			switch (key->get_type(key))
+			switch (key_type)
 			{
 				case KEY_RSA:
 					auth_method = OAKLEY_RSA_SIG;
 					break;
 				case KEY_ECDSA:
-					switch (key->get_keysize(key))
+					switch (key_size)
 					{
 						case 32:
 							auth_method = OAKLEY_ECDSA_256;
@@ -344,7 +369,7 @@ void ike_alg_list(void)
  * Show IKE algorithms for this connection (result from ike= string)
  * and newest SA
  */
-void ike_alg_show_connection(struct connection *c, const char *instance)
+void ike_alg_show_connection(connection_t *c, const char *instance)
 {
 	struct state *st = state_with_serialno(c->newest_isakmp_sa);
 
diff --git a/src/pluto/ipsec_doi.c b/src/pluto/ipsec_doi.c
index 57f4fb54b..1f8917d79 100644
--- a/src/pluto/ipsec_doi.c
+++ b/src/pluto/ipsec_doi.c
@@ -25,7 +25,6 @@
 #include <resolv.h>
 #include <arpa/nameser.h>       /* missing from <resolv.h> on old systems */
 #include <sys/queue.h>
-#include <sys/time.h>           /* for gettimeofday */
 
 #include <freeswan.h>
 
@@ -36,12 +35,14 @@
 #include <crypto/rngs/rng.h>
 #include <credentials/keys/private_key.h>
 #include <credentials/keys/public_key.h>
+#include <utils/identification.h>
 
 #include "constants.h"
 #include "defs.h"
+#include "myid.h"
 #include "state.h"
-#include "id.h"
 #include "x509.h"
+#include "ac.h"
 #include "crl.h"
 #include "ca.h"
 #include "certs.h"
@@ -101,21 +102,24 @@
  * and return from the ENCLOSING stf_status returning function if it fails.
  */
 #define RETURN_STF_FAILURE(f) \
-	{ int r = (f); if (r != NOTHING_WRONG) return STF_FAIL + r; }
+	{ int r = (f); if (r != ISAKMP_NOTHING_WRONG) return STF_FAIL + r; }
 
 /* create output HDR as replica of input HDR */
-void
-echo_hdr(struct msg_digest *md, bool enc, u_int8_t np)
+void echo_hdr(struct msg_digest *md, bool enc, u_int8_t np)
 {
 	struct isakmp_hdr r_hdr = md->hdr;  /* mostly same as incoming header */
 
 	r_hdr.isa_flags &= ~ISAKMP_FLAG_COMMIT;     /* we won't ever turn on this bit */
 	if (enc)
+	{
 		r_hdr.isa_flags |= ISAKMP_FLAG_ENCRYPTION;
+	}
 	/* some day, we may have to set r_hdr.isa_version */
 	r_hdr.isa_np = np;
 	if (!out_struct(&r_hdr, &isakmp_hdr_desc, &md->reply, &md->rbody))
+	{
 		impossible();   /* surely must have room and be well-formed */
+	}
 }
 
 /* Compute DH shared secret from our local secret and the peer's public value.
@@ -172,13 +176,13 @@ static notification_t accept_KE(chunk_t *dest, const char *val_name,
 		loglog(RC_LOG_SERIOUS, "KE has %u byte DH public value; %u required"
 			, (unsigned) pbs_left(pbs), gr->ke_size);
 		/* XXX Could send notification back */
-		return INVALID_KEY_INFORMATION;
+		return ISAKMP_INVALID_KEY_INFORMATION;
 	}
 	free(dest->ptr);
 	*dest = chunk_create(pbs->cur, pbs_left(pbs));
 	*dest = chunk_clone(*dest);
 	DBG_cond_dump_chunk(DBG_CRYPT, "DH public value received:\n", *dest);
-	return NOTHING_WRONG;
+	return ISAKMP_NOTHING_WRONG;
 }
 
 /* accept_PFS_KE
@@ -197,7 +201,7 @@ static notification_t accept_PFS_KE(struct msg_digest *md, chunk_t *dest,
 		if (st->st_pfs_group != NULL)
 		{
 			loglog(RC_LOG_SERIOUS, "missing KE payload in %s message", msg_name);
-			return INVALID_KEY_INFORMATION;
+			return ISAKMP_INVALID_KEY_INFORMATION;
 		}
 	}
 	else
@@ -206,16 +210,16 @@ static notification_t accept_PFS_KE(struct msg_digest *md, chunk_t *dest,
 		{
 			loglog(RC_LOG_SERIOUS, "%s message KE payload requires a GROUP_DESCRIPTION attribute in SA"
 				, msg_name);
-			return INVALID_KEY_INFORMATION;
+			return ISAKMP_INVALID_KEY_INFORMATION;
 		}
 		if (ke_pd->next != NULL)
 		{
 			loglog(RC_LOG_SERIOUS, "%s message contains several KE payloads; we accept at most one", msg_name);
-			return INVALID_KEY_INFORMATION;     /* ??? */
+			return ISAKMP_INVALID_KEY_INFORMATION;     /* ??? */
 		}
 		return accept_KE(dest, val_name, st->st_pfs_group, &ke_pd->pbs);
 	}
-	return NOTHING_WRONG;
+	return ISAKMP_NOTHING_WRONG;
 }
 
 static bool build_and_ship_nonce(chunk_t *n, pb_stream *outs, u_int8_t np,
@@ -231,39 +235,42 @@ static bool build_and_ship_nonce(chunk_t *n, pb_stream *outs, u_int8_t np,
 	return out_generic_chunk(np, &isakmp_nonce_desc, outs, *n, name);
 }
 
-static bool collect_rw_ca_candidates(struct msg_digest *md, generalName_t **top)
+static linked_list_t* collect_rw_ca_candidates(struct msg_digest *md)
 {
-	struct connection *d = find_host_connection(&md->iface->addr
-		, pluto_port, (ip_address*)NULL, md->sender_port, LEMPTY);
+	linked_list_t *list = linked_list_create();
+	connection_t *d;
+
+	d = find_host_connection(&md->iface->addr, pluto_port, (ip_address*)NULL,
+							  md->sender_port, LEMPTY);
 
 	for (; d != NULL; d = d->hp_next)
 	{
 		/* must be a road warrior connection */
-		if (d->kind == CK_TEMPLATE && !(d->policy & POLICY_OPPO)
-		&& d->spd.that.ca.ptr != NULL)
+		if (d->kind == CK_TEMPLATE && !(d->policy & POLICY_OPPO) &&
+			d->spd.that.ca)
 		{
-			generalName_t *gn;
+			enumerator_t *enumerator;
+			identification_t *ca;
 			bool new_entry = TRUE;
 
-			for (gn = *top; gn != NULL; gn = gn->next)
+			enumerator = list->create_enumerator(list);
+			while (enumerator->enumerate(enumerator, &ca))
 			{
-				if (same_dn(gn->name, d->spd.that.ca))
+				if (ca->equals(ca, d->spd.that.ca))
 				{
 					new_entry = FALSE;
 					break;
-				}
+				}					
 			}
+			enumerator->destroy(enumerator);
+
 			if (new_entry)
 			{
-				gn = malloc_thing(generalName_t);
-				gn->kind = GN_DIRECTORY_NAME;
-				gn->name = d->spd.that.ca;
-				gn->next = *top;
-				*top = gn;
+				list->insert_last(list, d->spd.that.ca->clone(d->spd.that.ca));
 			}
 		}
 	}
-	return *top != NULL;
+	return list;
 }
 
 static bool build_and_ship_CR(u_int8_t type, chunk_t ca, pb_stream *outs,
@@ -276,8 +283,9 @@ static bool build_and_ship_CR(u_int8_t type, chunk_t ca, pb_stream *outs,
 
 	/* build CR header */
 	if (!out_struct(&cr_hd, &isakmp_ipsec_cert_req_desc, outs, &cr_pbs))
+	{
 		return FALSE;
-
+	}
 	if (ca.ptr != NULL)
 	{
 		/* build CR body containing the distinguished name of the CA */
@@ -323,24 +331,33 @@ static void send_notification(struct state *sndst, u_int16_t type,
 		hdr.isa_msgid = msgid;
 		hdr.isa_flags = encst ? ISAKMP_FLAG_ENCRYPTION : 0;
 		if (icookie)
+		{
 			memcpy(hdr.isa_icookie, icookie, COOKIE_SIZE);
+		}
 		if (rcookie)
+		{
 			memcpy(hdr.isa_rcookie, rcookie, COOKIE_SIZE);
+		}
 		if (!out_struct(&hdr, &isakmp_hdr_desc, &pbs, &r_hdr_pbs))
+		{
 			impossible();
+		}
 	}
 
 	/* HASH -- value to be filled later */
 	if (encst)
 	{
 		pb_stream hash_pbs;
-		if (!out_generic(ISAKMP_NEXT_N, &isakmp_hash_desc, &r_hdr_pbs,
-			&hash_pbs))
+		if (!out_generic(ISAKMP_NEXT_N, &isakmp_hash_desc, &r_hdr_pbs, &hash_pbs))
+		{
 			impossible();
+		}
 		r_hashval = hash_pbs.cur;  /* remember where to plant value */
 		if (!out_zero(
 		encst->st_oakley.hasher->hash_digest_size, &hash_pbs, "HASH"))
+		{
 			impossible();
+		}
 		close_output_pbs(&hash_pbs);
 		r_hash_start = r_hdr_pbs.cur; /* hash from after HASH */
 	}
@@ -358,7 +375,9 @@ static void send_notification(struct state *sndst, u_int16_t type,
 
 		if (!out_struct(&isan, &isakmp_notification_desc, &r_hdr_pbs, &not_pbs)
 			|| !out_raw(spi, spisize, &not_pbs, "spi"))
+		{
 			impossible();
+		}
 		close_output_pbs(&not_pbs);
 	}
 
@@ -393,8 +412,9 @@ static void send_notification(struct state *sndst, u_int16_t type,
 		u_int new_iv_len = encst->st_new_iv_len;
 
 		if (old_iv_len > MAX_DIGEST_LEN || new_iv_len > MAX_DIGEST_LEN)
+		{
 			impossible();
-
+		}
 		memcpy(old_iv, encst->st_iv, old_iv_len);
 		memcpy(new_iv, encst->st_new_iv, new_iv_len);
 
@@ -405,8 +425,10 @@ static void send_notification(struct state *sndst, u_int16_t type,
 		}
 		init_phase2_iv(encst, &msgid);
 		if (!encrypt_message(&r_hdr_pbs, encst))
+		{
 			impossible();
-			
+		}
+
 		/* restore preserved st_iv and st_new_iv */
 		memcpy(encst->st_iv, old_iv, old_iv_len);
 		memcpy(encst->st_new_iv, new_iv, new_iv_len);
@@ -475,7 +497,7 @@ void send_notification_from_md(struct msg_digest *md, u_int16_t type)
 	 *   st_connection->interface
 	 */
 	struct state st;
-	struct connection cnx;
+	connection_t cnx;
 
 	passert(md);
 
@@ -569,10 +591,14 @@ void send_delete(struct state *st)
 		pb_stream hash_pbs;
 
 		if (!out_generic(ISAKMP_NEXT_D, &isakmp_hash_desc, &r_hdr_pbs, &hash_pbs))
+		{
 			impossible();
+		}
 		r_hashval = hash_pbs.cur;       /* remember where to plant value */
 		if (!out_zero(p1st->st_oakley.hasher->hash_digest_size, &hash_pbs, "HASH(1)"))
+		{
 			impossible();
+		}
 		close_output_pbs(&hash_pbs);
 		r_hash_start = r_hdr_pbs.cur;   /* hash from after HASH(1) */
 	}
@@ -595,7 +621,9 @@ void send_delete(struct state *st)
 
 		if (!out_struct(&isad, &isakmp_delete_desc, &r_hdr_pbs, &del_pbs)
 		|| !out_raw(&isakmp_spi, (2*COOKIE_SIZE), &del_pbs, "delete payload"))
+		{
 			impossible();
+		}
 		close_output_pbs(&del_pbs);
 	}
 	else
@@ -615,7 +643,9 @@ void send_delete(struct state *st)
 			isad.isad_nospi = 1;
 			if (!out_struct(&isad, &isakmp_delete_desc, &r_hdr_pbs, &del_pbs)
 			|| !out_raw(&ns->spi, sizeof(ipsec_spi_t), &del_pbs, "delete payload"))
+			{
 				impossible();
+			}
 			close_output_pbs(&del_pbs);
 		}
 	}
@@ -656,8 +686,9 @@ void send_delete(struct state *st)
 		init_phase2_iv(p1st, &msgid);
 
 		if (!encrypt_message(&r_hdr_pbs, p1st))
+		{
 			impossible();
-
+		}
 		p1st->st_tpacket = chunk_create(reply_pbs.start, pbs_offset(&reply_pbs));
 		send_packet(p1st, "delete notify");
 		p1st->st_tpacket = saved_tpacket;
@@ -755,14 +786,15 @@ void accept_delete(struct state *st, struct msg_digest *md,
 			}
 			else
 			{
-				struct connection *oldc;
-				
+				connection_t *oldc;
+
 				oldc = cur_connection;
 				set_cur_connection(dst->st_connection);
 
 				if (nat_traversal_enabled)
+				{
 					nat_traversal_change_port_lookup(md, dst);
-
+				}
 				loglog(RC_LOG_SERIOUS, "received Delete SA payload: "
 					"deleting ISAKMP State #%lu", dst->st_serialno);
 				delete_state(dst);
@@ -790,18 +822,19 @@ void accept_delete(struct state *st, struct msg_digest *md,
 			}
 			else
 			{
-				struct connection *rc = dst->st_connection;
-				struct connection *oldc;
-				
+				connection_t *rc = dst->st_connection;
+				connection_t *oldc;
+
 				oldc = cur_connection;
 				set_cur_connection(rc);
 
 				if (nat_traversal_enabled)
+				{
 					nat_traversal_change_port_lookup(md, dst);
-
+				}
 				if (rc->newest_ipsec_sa == dst->st_serialno
 				&& (rc->policy & POLICY_UP))
-					{
+				{
 					/* Last IPSec SA for a permanent connection that we
 					 * have initiated.  Replace it in a few seconds.
 					 *
@@ -855,7 +888,9 @@ void close_message(pb_stream *pbs)
 	size_t padding =  pad_up(pbs_offset(pbs), 4);
 
 	if (padding != 0)
+	{
 		(void) out_zero(padding, pbs, "message padding");
+	}
 	close_output_pbs(pbs);
 }
 
@@ -864,15 +899,14 @@ void close_message(pb_stream *pbs)
  * Note: this is not called from demux.c
  */
 static stf_status
-main_outI1(int whack_sock, struct connection *c, struct state *predecessor
+main_outI1(int whack_sock, connection_t *c, struct state *predecessor
 	, lset_t policy, unsigned long try)
 {
 	struct state *st = new_state();
 	pb_stream reply;    /* not actually a reply, but you know what I mean */
 	pb_stream rbody;
-
 	int vids_to_send = 0;
-	
+
 	/* set up new state */
 	st->st_connection = c;
 	set_cur_state(st);  /* we must reset before exit */
@@ -883,30 +917,48 @@ main_outI1(int whack_sock, struct connection *c, struct state *predecessor
 
 	/* determine how many Vendor ID payloads we will be sending */
 	if (SEND_PLUTO_VID)
+	{
 		vids_to_send++;
+	}
 	if (SEND_CISCO_UNITY_VID)
+	{
 		vids_to_send++;
-	if (c->spd.this.cert.type == CERT_PGP)
+	}
+	if (c->spd.this.cert &&
+		c->spd.this.cert->cert->get_type(c->spd.this.cert->cert) == CERT_GPG)
+	{
 		vids_to_send++;
+	}
 	if (SEND_XAUTH_VID)
+	{
 		vids_to_send++;
+	}
+
 	/* always send DPD Vendor ID */
-		vids_to_send++;
+	vids_to_send++;
+
 	if (nat_traversal_enabled)
+	{
 		vids_to_send++;
+	}
 
    get_cookie(TRUE, st->st_icookie, COOKIE_SIZE, &c->spd.that.host_addr);
 
 	insert_state(st);   /* needs cookies, connection, and msgid (0) */
 
 	if (HAS_IPSEC_POLICY(policy))
+	{
 		add_pending(dup_any(whack_sock), st, c, policy, 1
 			, predecessor == NULL? SOS_NOBODY : predecessor->st_serialno);
-
+	}
 	if (predecessor == NULL)
+	{
 		plog("initiating Main Mode");
+	}
 	else
+	{
 		plog("initiating Main Mode to replace #%lu", predecessor->st_serialno);
+	}
 
 	/* set up reply */
 	init_pbs(&reply, reply_buffer, sizeof(reply_buffer), "reply packet");
@@ -970,7 +1022,8 @@ main_outI1(int whack_sock, struct connection *c, struct state *predecessor
 	/* if we  have an OpenPGP certificate we assume an
 	 * OpenPGP peer and have to send the Vendor ID
 	 */
-	if (c->spd.this.cert.type == CERT_PGP)
+	if (c->spd.this.cert &&
+		c->spd.this.cert->cert->get_type(c->spd.this.cert->cert) == CERT_GPG)
 	{
 		if (!out_vendorid(vids_to_send-- ? ISAKMP_NEXT_VID : ISAKMP_NEXT_NONE
 		, &rbody, VID_OPENPGP))
@@ -1042,7 +1095,7 @@ main_outI1(int whack_sock, struct connection *c, struct state *predecessor
 	return STF_OK;
 }
 
-void ipsecdoi_initiate(int whack_sock, struct connection *c, lset_t policy,
+void ipsecdoi_initiate(int whack_sock, connection_t *c, lset_t policy,
 					   unsigned long try, so_serial_t replacing)
 {
 	/* If there's already an ISAKMP SA established, use that and
@@ -1155,7 +1208,7 @@ static bool skeyid_preshared(struct state *st)
 		{
 			loglog(RC_LOG_SERIOUS, "%N not available to compute skeyid",
 									pseudo_random_function_names, prf_alg);
-		return FALSE;
+			return FALSE;
 		}
 		free(st->st_skeyid.ptr);
 		prf->set_key(prf, *pss);
@@ -1166,8 +1219,7 @@ static bool skeyid_preshared(struct state *st)
 	}
 }
 
-static bool
-skeyid_digisig(struct state *st)
+static bool skeyid_digisig(struct state *st)
 {
 	chunk_t nir;
 	pseudo_random_function_t prf_alg;
@@ -1234,12 +1286,9 @@ static bool generate_skeyids_iv(struct state *st)
 
 	/* generate SKEYID_* from SKEYID */
 	{
-		char buf_skeyid_d[] = { 0x00 };
-		char buf_skeyid_a[] = { 0x01 };
-		char buf_skeyid_e[] = { 0x02 };
-		chunk_t seed_skeyid_d = chunk_from_buf(buf_skeyid_d);
-		chunk_t seed_skeyid_a = chunk_from_buf(buf_skeyid_a);
-		chunk_t seed_skeyid_e = chunk_from_buf(buf_skeyid_e);
+		chunk_t seed_skeyid_d = chunk_from_chars(0x00);
+		chunk_t seed_skeyid_a = chunk_from_chars(0x01);
+		chunk_t seed_skeyid_e = chunk_from_chars(0x02);
 		chunk_t icookie = { st->st_icookie, COOKIE_SIZE };
 		chunk_t rcookie = { st->st_rcookie, COOKIE_SIZE };
 		pseudo_random_function_t prf_alg;
@@ -1254,7 +1303,7 @@ static bool generate_skeyids_iv(struct state *st)
 		prf->allocate_bytes(prf, st->st_shared, NULL);
 		prf->allocate_bytes(prf, icookie, NULL);
 		prf->allocate_bytes(prf, rcookie, NULL);
-		prf->allocate_bytes(prf, seed_skeyid_d, &st->st_skeyid_d); 
+		prf->allocate_bytes(prf, seed_skeyid_d, &st->st_skeyid_d);
 
 		/* SKEYID_A */
 		free(st->st_skeyid_a.ptr);
@@ -1262,7 +1311,7 @@ static bool generate_skeyids_iv(struct state *st)
 		prf->allocate_bytes(prf, st->st_shared, NULL);
 		prf->allocate_bytes(prf, icookie, NULL);
 		prf->allocate_bytes(prf, rcookie, NULL);
-		prf->allocate_bytes(prf, seed_skeyid_a, &st->st_skeyid_a); 
+		prf->allocate_bytes(prf, seed_skeyid_a, &st->st_skeyid_a);
 
 		/* SKEYID_E */
 		free(st->st_skeyid_e.ptr);
@@ -1270,7 +1319,7 @@ static bool generate_skeyids_iv(struct state *st)
 		prf->allocate_bytes(prf, st->st_shared, NULL);
 		prf->allocate_bytes(prf, icookie, NULL);
 		prf->allocate_bytes(prf, rcookie, NULL);
-		prf->allocate_bytes(prf, seed_skeyid_e, &st->st_skeyid_e); 
+		prf->allocate_bytes(prf, seed_skeyid_e, &st->st_skeyid_e);
 
 		prf->destroy(prf);
 	}
@@ -1289,7 +1338,7 @@ static bool generate_skeyids_iv(struct state *st)
 			DBG_dump_chunk("DH_i:", st->st_gi);
 			DBG_dump_chunk("DH_r:", st->st_gr);
 		);
-		
+
 		hasher->get_hash(hasher, st->st_gi, NULL);
 		hasher->get_hash(hasher, st->st_gr, st->st_new_iv);
 		hasher->destroy(hasher);
@@ -1302,15 +1351,14 @@ static bool generate_skeyids_iv(struct state *st)
 	 */
 	{
 		size_t keysize = st->st_oakley.enckeylen/BITS_PER_BYTE;
- 
+
 		/* free any existing key */
 		free(st->st_enc_key.ptr);
 
 		if (keysize > st->st_skeyid_e.len)
 		{
 			u_char keytemp[MAX_OAKLEY_KEY_LEN + MAX_DIGEST_LEN];
-			char seed_buf[] = { 0x00 };
-			chunk_t seed = chunk_from_buf(seed_buf);
+			chunk_t seed = chunk_from_chars(0x00);
 			size_t prf_block_size, i;
 			pseudo_random_function_t prf_alg;
 			prf_t *prf;
@@ -1319,7 +1367,7 @@ static bool generate_skeyids_iv(struct state *st)
 			prf = lib->crypto->create_prf(lib->crypto, prf_alg);
 			prf->set_key(prf, st->st_skeyid_e);
 			prf_block_size = prf->get_block_size(prf);
-			
+
 			for (i = 0;;)
 			{
 				prf->get_bytes(prf, seed, &keytemp[i]);
@@ -1336,7 +1384,7 @@ static bool generate_skeyids_iv(struct state *st)
 		else
 		{
 			st->st_enc_key = chunk_create(st->st_skeyid_e.ptr, keysize);
-		}			
+		}
 		st->st_enc_key = chunk_clone(st->st_enc_key);
 	}
 
@@ -1421,7 +1469,7 @@ static bool generate_skeyids_iv(struct state *st)
  * Use PKCS#1 version 1.5 encryption of hash (called
  * RSAES-PKCS1-V1_5) in PKCS#2.
  */
-static size_t sign_hash(signature_scheme_t scheme, struct connection *c,
+static size_t sign_hash(signature_scheme_t scheme, connection_t *c,
 						u_char sig_val[RSA_MAX_OCTETS], chunk_t hash)
 {
 	size_t sz = 0;
@@ -1469,7 +1517,9 @@ static size_t sign_hash(signature_scheme_t scheme, struct connection *c,
 		)
 		sz = scx_sign_hash(sc, hash.ptr, hash.len, sig_val, sz) ? sz : 0;
 		if (!pkcs11_keep_state)
+		{
 			scx_release_context(sc);
+		}
 		unlock_certs_and_keys("sign_hash");
 	}
 	return sz;
@@ -1487,7 +1537,7 @@ static size_t sign_hash(signature_scheme_t scheme, struct connection *c,
  */
 struct tac_state {
 	struct state *st;
-	chunk_t hash;	
+	chunk_t hash;
 	chunk_t sig;
 	int tried_cnt;      /* number of keys tried */
 };
@@ -1495,17 +1545,18 @@ struct tac_state {
 static bool take_a_crack(struct tac_state *s, pubkey_t *kr)
 {
 	public_key_t *pub_key = kr->public_key;
-	identification_t *keyid = pub_key->get_id(pub_key, ID_PUBKEY_INFO_SHA1);
+	chunk_t keyid = chunk_empty;
 	signature_scheme_t scheme;
 
 	s->tried_cnt++;
 	scheme = oakley_to_signature_scheme(s->st->st_oakley.auth);
+	pub_key->get_fingerprint(pub_key, KEY_ID_PUBKEY_INFO_SHA1, &keyid);
 
 	if (pub_key->verify(pub_key, scheme, s->hash, s->sig))
 	{
 		DBG(DBG_CRYPT | DBG_CONTROL,
-			DBG_log("%s check passed with keyid %Y",
-					enum_show(&oakley_auth_names, s->st->st_oakley.auth), keyid)
+			DBG_log("%s check passed with keyid %#B",
+					enum_show(&oakley_auth_names, s->st->st_oakley.auth), &keyid)
 		)
 		unreference_key(&s->st->st_peer_pubkey);
 		s->st->st_peer_pubkey = reference_key(kr);
@@ -1514,14 +1565,14 @@ static bool take_a_crack(struct tac_state *s, pubkey_t *kr)
 	else
 	{
 		DBG(DBG_CRYPT,
-			DBG_log("%s check failed with keyid %Y",
-					enum_show(&oakley_auth_names, s->st->st_oakley.auth), keyid)
+			DBG_log("%s check failed with keyid %#B",
+					enum_show(&oakley_auth_names, s->st->st_oakley.auth), &keyid)
 		)
 		return FALSE;
 	}
 }
 
-static stf_status check_signature(key_type_t key_type, const struct id* peer,
+static stf_status check_signature(key_type_t key_type, identification_t* peer,
 								  struct state *st, chunk_t hash,
 								  const pb_stream *sig_pbs,
 #ifdef USE_KEYRR
@@ -1529,7 +1580,7 @@ static stf_status check_signature(key_type_t key_type, const struct id* peer,
 #endif /* USE_KEYRR */
 								  const struct gw_info *gateways_from_dns)
 {
-	const struct connection *c = st->st_connection;
+	const connection_t *c = st->st_connection;
 	struct tac_state s;
 
 	s.st = st;
@@ -1545,7 +1596,8 @@ static stf_status check_signature(key_type_t key_type, const struct id* peer,
 		for (gw = c->gw_info; gw != NULL; gw = gw->next)
 		{
 			/* only consider entries that have a key and are for our peer */
-			if (gw->gw_key_present && same_id(&gw->gw_id, &c->spd.that.id)&&
+			if (gw->gw_key_present &&
+				gw->gw_id->equals(gw->gw_id, c->spd.that.id) &&
 				take_a_crack(&s, gw->key))
 			{
 				return STF_OK;
@@ -1564,7 +1616,7 @@ static stf_status check_signature(key_type_t key_type, const struct id* peer,
 			pubkey_t *key = p->key;
 			key_type_t type = key->public_key->get_type(key->public_key);
 
-			if (type == key_type && same_id(peer, &key->id))
+			if (type == key_type && peer->equals(peer, key->id))
 			{
 				time_t now = time(NULL);
 
@@ -1576,7 +1628,6 @@ static stf_status check_signature(key_type_t key_type, const struct id* peer,
 					*pp = free_public_keyentry(p);
 					continue; /* continue with next public key */
 				}
-
 				if (take_a_crack(&s, key))
 				{
 					return STF_OK;
@@ -1628,34 +1679,30 @@ static stf_status check_signature(key_type_t key_type, const struct id* peer,
 
 	/* no acceptable key was found: diagnose */
 	{
-		char id_buf[BUF_LEN];   /* arbitrary limit on length of ID reported */
-
-		idtoa(peer, id_buf, sizeof(id_buf));
-
 		if (s.tried_cnt == 0)
 		{
-			loglog(RC_LOG_SERIOUS, "no public key known for '%s'", id_buf);
+			loglog(RC_LOG_SERIOUS, "no public key known for '%Y'", peer);
 		}
 		else if (s.tried_cnt == 1)
 		{
-			loglog(RC_LOG_SERIOUS, "signature check for '%s' failed: "
-					" wrong key?; tried %d", id_buf, s.tried_cnt);
+			loglog(RC_LOG_SERIOUS, "signature check for '%Y' failed: "
+					" wrong key?; tried %d", peer, s.tried_cnt);
 			DBG(DBG_CONTROL,
-				DBG_log("public key for '%s' failed: "
-						"decrypted SIG payload into a malformed ECB", id_buf)
+				DBG_log("public key for '%Y' failed: "
+						"decrypted SIG payload into a malformed ECB", peer)
 			)
 		}
 		else
 		{
-			loglog(RC_LOG_SERIOUS, "signature check for '%s' failed: "
-					  "tried %d keys but none worked.", id_buf, s.tried_cnt);
+			loglog(RC_LOG_SERIOUS, "signature check for '%Y' failed: "
+					  "tried %d keys but none worked.", peer, s.tried_cnt);
 			DBG(DBG_CONTROL,
-				DBG_log("all %d public keys for '%s' failed: "
+				DBG_log("all %d public keys for '%Y' failed: "
 						"best decrypted SIG payload into a malformed ECB",
-						s.tried_cnt, id_buf)
+						s.tried_cnt, peer)
 			)
 		}
-		return STF_FAIL + INVALID_KEY_INFORMATION;
+		return STF_FAIL + ISAKMP_INVALID_KEY_INFORMATION;
 	}
 }
 
@@ -1669,12 +1716,12 @@ static notification_t accept_nonce(struct msg_digest *md, chunk_t *dest,
 	{
 		loglog(RC_LOG_SERIOUS, "%s length not between %d and %d"
 			, name , MINIMUM_NONCE_SIZE, MAXIMUM_NONCE_SIZE);
-		return PAYLOAD_MALFORMED;       /* ??? */
+		return ISAKMP_PAYLOAD_MALFORMED;       /* ??? */
 	}
 	free(dest->ptr);
 	*dest = chunk_create(nonce_pbs->cur, len);
 	*dest = chunk_clone(*dest);
-	return NOTHING_WRONG;
+	return ISAKMP_NOTHING_WRONG;
 }
 
 /* encrypt message, sans fixed part of header
@@ -1682,8 +1729,7 @@ static notification_t accept_nonce(struct msg_digest *md, chunk_t *dest,
  * The theory is that there will be no "backing out", so we commit to IV.
  * We also close the pbs.
  */
-bool
-encrypt_message(pb_stream *pbs, struct state *st)
+bool encrypt_message(pb_stream *pbs, struct state *st)
 {
 	u_int8_t *enc_start = pbs->start + sizeof(struct isakmp_hdr);
 	size_t enc_len = pbs_offset(pbs) - sizeof(struct isakmp_hdr);
@@ -1723,7 +1769,7 @@ encrypt_message(pb_stream *pbs, struct state *st)
 	crypter->set_key(crypter, st->st_enc_key);
 	crypter->encrypt(crypter, data, iv, NULL);
 	crypter->destroy(crypter);
- 
+
 	new_iv = data.ptr + data.len - crypter_block_size;
 	memcpy(st->st_new_iv, new_iv, crypter_block_size);
 	update_iv(st);
@@ -1755,7 +1801,7 @@ static size_t quick_mode_hash12(u_char *dest, u_char *start, u_char *roof,
 	if (hash2)
 	{
 		prf->get_bytes(prf, st->st_ni, NULL); /* include Ni_b in the hash */
-	}     
+	}
 	prf->get_bytes(prf, msg_chunk, dest);
 	prf_block_size = prf->get_block_size(prf);
 	prf->destroy(prf);
@@ -1775,13 +1821,12 @@ static size_t quick_mode_hash12(u_char *dest, u_char *start, u_char *roof,
  */
 static size_t quick_mode_hash3(u_char *dest, struct state *st)
 {
-	char seed_buf[] = { 0x00 };
-	chunk_t seed_chunk = chunk_from_buf(seed_buf);
+	chunk_t seed_chunk = chunk_from_chars(0x00);
 	chunk_t msgid_chunk = chunk_from_thing(st->st_msgid);
 	pseudo_random_function_t prf_alg;
 	prf_t *prf;
 	size_t prf_block_size;
-	
+
 	prf_alg = oakley_to_prf(st->st_oakley.hash);
 	prf = lib->crypto->create_prf(lib->crypto, prf_alg);
 	prf->set_key(prf, st->st_skeyid_a);
@@ -1814,7 +1859,7 @@ void init_phase2_iv(struct state *st, const msgid_t *msgid)
 
 	st->st_new_iv_len = hasher->get_hash_size(hasher);
 	passert(st->st_new_iv_len <= sizeof(st->st_new_iv));
-		
+
 	hasher->get_hash(hasher, iv_chunk, NULL);
 	hasher->get_hash(hasher, msgid_chunk, st->st_new_iv);
 	hasher->destroy(hasher);
@@ -1846,27 +1891,30 @@ static bool emit_subnet_id(ip_subnet *net, u_int8_t np, u_int8_t protoid,
 	id.isaiid_port = port;
 
 	if (!out_struct(&id, &isakmp_ipsec_identification_desc, outs, &id_pbs))
+	{
 		return FALSE;
-
+	}
 	networkof(net, &ta);
 	tal = addrbytesptr(&ta, &tbp);
 	if (!out_raw(tbp, tal, &id_pbs, "client network"))
+	{
 		return FALSE;
-
+	}
 	if (!subnetishost(net))
 	{
 		maskof(net, &ta);
 		tal = addrbytesptr(&ta, &tbp);
 		if (!out_raw(tbp, tal, &id_pbs, "client mask"))
+		{
 			return FALSE;
+		}
 	}
-
 	close_output_pbs(&id_pbs);
 	return TRUE;
 }
 
 stf_status quick_outI1(int whack_sock, struct state *isakmp_sa,
-					   struct connection *c, lset_t policy, unsigned long try,
+					   connection_t *c, lset_t policy, unsigned long try,
 					   so_serial_t replacing)
 {
 	struct state *st = duplicate_state(isakmp_sa);
@@ -1878,10 +1926,27 @@ stf_status quick_outI1(int whack_sock, struct state *isakmp_sa,
 	bool has_client = c->spd.this.has_client || c->spd.that.has_client ||
 					  c->spd.this.protocol || c->spd.that.protocol ||
 					  c->spd.this.port || c->spd.that.port;
-	
+
 	bool send_natoa = FALSE;
 	u_int8_t np = ISAKMP_NEXT_NONE;
 
+	if (c->spd.this.modecfg && !c->spd.this.has_client &&
+		isanyaddr(&c->spd.this.host_srcip))
+	{
+		connection_t *ph1_c = isakmp_sa->st_connection;
+
+		if (ph1_c->spd.this.modecfg && !isanyaddr(&ph1_c->spd.this.host_srcip))
+		{
+			char srcip[ADDRTOT_BUF];
+
+			c->spd.this.host_srcip = ph1_c->spd.this.host_srcip;
+			c->spd.this.client = ph1_c->spd.this.client;
+			c->spd.this.has_client = TRUE;
+			addrtot(&c->spd.this.host_srcip, 0, srcip, sizeof(srcip));
+			plog("inheriting virtual IP source address %s from ModeCfg", srcip);
+		}
+	}
+
 	st->st_whack_sock = whack_sock;
 	st->st_connection = c;
 	set_cur_state(st);  /* we must reset before exit */
@@ -1899,27 +1964,30 @@ stf_status quick_outI1(int whack_sock, struct state *isakmp_sa,
 	insert_state(st);   /* needs cookies, connection, and msgid */
 
 	if (replacing == SOS_NOBODY)
-		plog("initiating Quick Mode %s {using isakmp#%lu}"
-			 , prettypolicy(policy)
-			 , isakmp_sa->st_serialno);
+	{
+		plog("initiating Quick Mode %s {using isakmp#%lu}",
+			 prettypolicy(policy), isakmp_sa->st_serialno);
+	}
 	else
-		plog("initiating Quick Mode %s to replace #%lu {using isakmp#%lu}"
-			 , prettypolicy(policy)
-			 , replacing
-			 , isakmp_sa->st_serialno);
-
+	{
+		plog("initiating Quick Mode %s to replace #%lu {using isakmp#%lu}",
+			 prettypolicy(policy), replacing, isakmp_sa->st_serialno);
+	}
 	if (isakmp_sa->nat_traversal & NAT_T_DETECTED)
 	{
 		/* Duplicate nat_traversal status in new state */
 		st->nat_traversal = isakmp_sa->nat_traversal;
 
 		if (isakmp_sa->nat_traversal & LELEM(NAT_TRAVERSAL_NAT_BHND_ME))
+		{
 			has_client = TRUE;
-
+		}
 	   nat_traversal_change_port_lookup(NULL, st);
 	}
 	else
+	{
 		st->nat_traversal = 0;
+	}
 
 	/* are we going to send a NAT-OA payload? */
 	if ((st->nat_traversal & NAT_T_WITH_NATOA)
@@ -1957,13 +2025,15 @@ stf_status quick_outI1(int whack_sock, struct state *isakmp_sa,
 
 	/* SA out */
 
-	/* 
+	/*
 	 * See if pfs_group has been specified for this conn,
 	 * if not, fallback to old use-same-as-P1 behaviour
 	 */
 #ifndef NO_IKE_ALG
 	if (st->st_connection)
+	{
 			st->st_pfs_group = ike_alg_pfsgroup(st->st_connection, policy);
+	}
 	if (!st->st_pfs_group)
 #endif
 	/* If PFS specified, use the same group as during Phase 1:
@@ -1979,11 +2049,12 @@ stf_status quick_outI1(int whack_sock, struct state *isakmp_sa,
 		lset_t pm = POLICY_ENCRYPT | POLICY_AUTHENTICATE;
 
 		if (can_do_IPcomp)
+		{
 			pm |= POLICY_COMPRESS;
-
-		if (!out_sa(&rbody
-		, &ipsec_sadb[(st->st_policy & pm) >> POLICY_IPSEC_SHIFT]
-		, st, FALSE, ISAKMP_NEXT_NONCE))
+		}
+		if (!out_sa(&rbody,
+			&ipsec_sadb[(st->st_policy & pm) >> POLICY_IPSEC_SHIFT],
+			st, FALSE, ISAKMP_NEXT_NONCE))
 		{
 			reset_cur_state();
 			return STF_INTERNAL_ERROR;
@@ -2063,14 +2134,18 @@ stf_status quick_outI1(int whack_sock, struct state *isakmp_sa,
 	event_schedule(EVENT_RETRANSMIT, EVENT_RETRANSMIT_DELAY_0, st);
 
 	if (replacing == SOS_NOBODY)
+	{
 		whack_log(RC_NEW_STATE + STATE_QUICK_I1
 			, "%s: initiate"
 			, enum_name(&state_names, st->st_state));
+	}
 	else
+	{
 		whack_log(RC_NEW_STATE + STATE_QUICK_I1
 			, "%s: initiate to replace #%lu"
 			, enum_name(&state_names, st->st_state)
 			, replacing);
+	}
 	reset_cur_state();
 	return STF_OK;
 }
@@ -2092,35 +2167,45 @@ static void decode_cert(struct msg_digest *md)
 		blob.len = pbs_left(&p->pbs);
 		if (cert->isacert_type == CERT_X509_SIGNATURE)
 		{
-			x509cert_t cert = empty_x509cert;
-			if (parse_x509cert(blob, 0, &cert))
+			cert_t x509cert = cert_empty;
+
+			x509cert.cert = lib->creds->create(lib->creds,
+							  				   CRED_CERTIFICATE, CERT_X509,
+							  				   BUILD_BLOB_ASN1_DER, blob,
+							  				   BUILD_END);
+			if (x509cert.cert)
 			{
-				if (verify_x509cert(&cert, strict_crl_policy, &valid_until))
+				if (verify_x509cert(&x509cert, strict_crl_policy, &valid_until))
 				{
 					DBG(DBG_PARSING,
 						DBG_log("Public key validated")
 					)
-					add_x509_public_key(&cert, valid_until, DAL_SIGNED);
+					add_public_key_from_cert(&x509cert, valid_until, DAL_SIGNED);
 				}
 				else
 				{
 					plog("X.509 certificate rejected");
 				}
-				DESTROY_IF(cert.public_key);
-				free_generalNames(cert.subjectAltName, FALSE);
-				free_generalNames(cert.crlDistributionPoints, FALSE);
+				x509cert.cert->destroy(x509cert.cert);
 			}
 			else
+			{
 				plog("Syntax error in X.509 certificate");
+			}
 		}
 		else if (cert->isacert_type == CERT_PKCS7_WRAPPED_X509)
 		{
-			x509cert_t *cert = NULL;
+			linked_list_t *certs = linked_list_create();
 
-			if (pkcs7_parse_signedData(blob, NULL, &cert, NULL, NULL))
-				store_x509certs(&cert, strict_crl_policy);
+			if (pkcs7_parse_signedData(blob, NULL, certs, NULL, NULL))
+			{
+				store_x509certs(certs, strict_crl_policy);
+			}
 			else
+			{
 				plog("Syntax error in PKCS#7 wrapped X.509 certificates");
+			}
+			certs->destroy_offset(certs, offsetof(certificate_t, destroy));
 		}
 		else
 		{
@@ -2134,7 +2219,7 @@ static void decode_cert(struct msg_digest *md)
 /*
  * Decode the CR payload of Phase 1.
  */
-static void decode_cr(struct msg_digest *md, struct connection *c)
+static void decode_cr(struct msg_digest *md, connection_t *c)
 {
 	struct payload_digest *p;
 
@@ -2142,7 +2227,7 @@ static void decode_cr(struct msg_digest *md, struct connection *c)
 	{
 		struct isakmp_cr *const cr = &p->payload.cr;
 		chunk_t ca_name;
-		
+
 		ca_name.len = pbs_left(&p->pbs);
 		ca_name.ptr = (ca_name.len > 0)? p->pbs.cur : NULL;
 
@@ -2150,32 +2235,37 @@ static void decode_cr(struct msg_digest *md, struct connection *c)
 
 		if (cr->isacr_type == CERT_X509_SIGNATURE)
 		{
-			char buf[BUF_LEN];
-
 			if (ca_name.len > 0)
 			{
-				generalName_t *gn;
-				
+				identification_t *ca;
+
 				if (!is_asn1(ca_name))
+				{
 					continue;
-
-				gn = malloc_thing(generalName_t);
-				ca_name = chunk_clone(ca_name);
-				gn->kind = GN_DIRECTORY_NAME;
-				gn->name = ca_name;
-				gn->next = c->requested_ca;
-				c->requested_ca = gn;
+				}
+				if (c->requested_ca == NULL)
+				{
+					c->requested_ca = linked_list_create();
+				}
+				ca = identification_create_from_encoding(ID_DER_ASN1_DN, ca_name);
+				c->requested_ca->insert_last(c->requested_ca, ca);
+				DBG(DBG_PARSING | DBG_CONTROL,
+					DBG_log("requested CA: \"%Y\"", ca)
+				)
+			}
+			else
+			{
+				DBG(DBG_PARSING | DBG_CONTROL,
+					DBG_log("requested CA: %%any")
+				)
 			}
 			c->got_certrequest = TRUE;
-
-			DBG(DBG_PARSING | DBG_CONTROL,
-				dntoa_or_null(buf, BUF_LEN, ca_name, "%any");
-				DBG_log("requested CA: '%s'", buf);
-			)
 		}
 		else
+		{
 			loglog(RC_LOG_SERIOUS, "ignoring %s certificate request payload",
 				   enum_show(&cert_type_names, cr->isacr_type));
+		}
 	}
 }
 
@@ -2184,12 +2274,13 @@ static void decode_cr(struct msg_digest *md, struct connection *c)
  * We must be called before SIG or HASH are decoded since we
  * may change the peer's public key or ID.
  */
-static bool decode_peer_id(struct msg_digest *md, struct id *peer)
+static bool decode_peer_id(struct msg_digest *md, identification_t **peer)
 {
 	struct state *const st = md->st;
 	struct payload_digest *const id_pld = md->chain[ISAKMP_NEXT_ID];
 	const pb_stream *const id_pbs = &id_pld->pbs;
 	struct isakmp_id *const id = &id_pld->payload.id;
+	chunk_t id_payload;
 
 	/* I think that RFC2407 (IPSEC DOI) 4.6.2 is confused.
 	 * It talks about the protocol ID and Port fields of the ID
@@ -2218,74 +2309,50 @@ static bool decode_peer_id(struct msg_digest *md, struct id *peer)
 		return FALSE;
 	}
 
-	peer->kind = id->isaid_idtype;
+	id_payload = chunk_create(id_pbs->cur, pbs_left(id_pbs));
 
-	switch (peer->kind)
+	switch (id->isaid_idtype)
 	{
-	case ID_IPV4_ADDR:
-	case ID_IPV6_ADDR:
-		/* failure mode for initaddr is probably inappropriate address length */
-		{
-			err_t ugh = initaddr(id_pbs->cur, pbs_left(id_pbs)
-				, peer->kind == ID_IPV4_ADDR? AF_INET : AF_INET6
-				, &peer->ip_addr);
-
-			if (ugh != NULL)
+		case ID_IPV4_ADDR:
+			if (id_payload.len != 4)
 			{
-				loglog(RC_LOG_SERIOUS, "improper %s identification payload: %s"
-					, enum_show(&ident_names, peer->kind), ugh);
-				/* XXX Could send notification back */
+				loglog(RC_LOG_SERIOUS, "improper %s Phase 1 ID payload",
+								enum_show(&ident_names, id->isaid_idtype));
 				return FALSE;
 			}
-		}
-		break;
-
-	case ID_USER_FQDN:
-		if (memchr(id_pbs->cur, '@', pbs_left(id_pbs)) == NULL)
-		{
-			loglog(RC_LOG_SERIOUS, "peer's ID_USER_FQDN contains no @");
-			return FALSE;
-		}
-		/* FALLTHROUGH */
-	case ID_FQDN:
-		if (memchr(id_pbs->cur, '\0', pbs_left(id_pbs)) != NULL)
-		{
-			loglog(RC_LOG_SERIOUS, "Phase 1 ID Payload of type %s contains a NUL"
-				, enum_show(&ident_names, peer->kind));
+			break;
+		case ID_IPV6_ADDR:
+			if (id_payload.len != 16)
+			{
+				loglog(RC_LOG_SERIOUS, "improper %s Phase 1 ID payload",
+								enum_show(&ident_names, id->isaid_idtype));
+				return FALSE;
+			}
+			break;
+		case ID_USER_FQDN:
+		case ID_FQDN:
+			if (memchr(id_payload.ptr, '\0', id_payload.len) != NULL)
+			{
+				loglog(RC_LOG_SERIOUS, "%s Phase 1 ID payload contains "
+									   "a NUL character",
+								enum_show(&ident_names, id->isaid_idtype));
+				return FALSE;
+			}
+			break;
+		case ID_KEY_ID:
+		case ID_DER_ASN1_DN:
+			break;
+		default:
+			/* XXX Could send notification back */
+			loglog(RC_LOG_SERIOUS, "unacceptable identity type (%s) "
+								   "in Phase 1 ID payload",
+								enum_show(&ident_names, id->isaid_idtype));
 			return FALSE;
-		}
-
-		/* ??? ought to do some more sanity check, but what? */
-
-		peer->name = chunk_create(id_pbs->cur, pbs_left(id_pbs));
-		break;
-
-	case ID_KEY_ID:
-		peer->name = chunk_create(id_pbs->cur, pbs_left(id_pbs));
-		DBG(DBG_PARSING,
-			DBG_dump_chunk("KEY ID:", peer->name));
-		break;
-
-	case ID_DER_ASN1_DN:
-		peer->name = chunk_create(id_pbs->cur, pbs_left(id_pbs));
-		DBG(DBG_PARSING,
-			DBG_dump_chunk("DER ASN1 DN:", peer->name));
-		break;
-
-	default:
-		/* XXX Could send notification back */
-		loglog(RC_LOG_SERIOUS, "Unacceptable identity type (%s) in Phase 1 ID Payload"
-			, enum_show(&ident_names, peer->kind));
-		return FALSE;
 	}
+	*peer = identification_create_from_encoding(id->isaid_idtype, id_payload);
 
-	{
-		char buf[BUF_LEN];
-
-		idtoa(peer, buf, sizeof(buf));
-		plog("Peer ID is %s: '%s'",
-			enum_show(&ident_names, id->isaid_idtype), buf);
-	}
+	plog("Peer ID is %s: '%Y'",	enum_show(&ident_names, id->isaid_idtype),
+								*peer);
 
 	/* check for certificates */
 	decode_cert(md);
@@ -2298,45 +2365,51 @@ static bool decode_peer_id(struct msg_digest *md, struct id *peer)
  * - if the initiation was explicit, we'd be ignoring user's intent
  * - if opportunistic, we'll lose our HOLD info
  */
-static bool switch_connection(struct msg_digest *md, struct id *peer,
+static bool switch_connection(struct msg_digest *md, identification_t *peer,
 							  bool initiator)
 {
 	struct state *const st = md->st;
-	struct connection *c = st->st_connection;
-
-	chunk_t peer_ca = (st->st_peer_pubkey != NULL)
-					 ? st->st_peer_pubkey->issuer : chunk_empty;
+	connection_t *c = st->st_connection;
+	identification_t *peer_ca;
 
-	DBG(DBG_CONTROL,
-		char buf[BUF_LEN];
-
-		dntoa_or_null(buf, BUF_LEN, peer_ca, "%none");
-		DBG_log("peer CA:      '%s'", buf);
-	)
+	peer_ca = st->st_peer_pubkey ? st->st_peer_pubkey->issuer : NULL;
+	if (peer_ca)
+	{
+		DBG(DBG_CONTROL,
+			DBG_log("peer CA:      \"%Y\"", peer_ca)
+		)
+	}
+	else
+	{
+		DBG(DBG_CONTROL,
+			DBG_log("peer CA:      %%none")
+		)
+	}
 
 	if (initiator)
 	{
 		int pathlen;
 
-		if (!same_id(&c->spd.that.id, peer))
+		if (!peer->equals(peer, c->spd.that.id))
 		{
-			char expect[BUF_LEN]
-				, found[BUF_LEN];
-
-			idtoa(&c->spd.that.id, expect, sizeof(expect));
-			idtoa(peer, found, sizeof(found));
-			loglog(RC_LOG_SERIOUS
-				, "we require peer to have ID '%s', but peer declares '%s'"
-				, expect, found);
+			loglog(RC_LOG_SERIOUS,
+					"we require peer to have ID '%Y', but peer declares '%Y'",
+					c->spd.that.id, peer);
 			return FALSE;
 		}
 
-		DBG(DBG_CONTROL,
-			char buf[BUF_LEN];
-
-			dntoa_or_null(buf, BUF_LEN, c->spd.that.ca, "%none");
-			DBG_log("required CA:  '%s'", buf);
-		)
+		if (c->spd.that.ca)
+		{
+			DBG(DBG_CONTROL,
+				DBG_log("required CA:  \"%s\"", c->spd.that.ca);
+			)
+		}
+		else
+		{
+			DBG(DBG_CONTROL,
+				DBG_log("required CA:  %%none");
+			)
+		}
 
 		if (!trusted_ca(peer_ca, c->spd.that.ca, &pathlen))
 		{
@@ -2347,7 +2420,7 @@ static bool switch_connection(struct msg_digest *md, struct id *peer,
 	}
 	else
 	{
-		struct connection *r;
+		connection_t *r;
 
 		/* check for certificate requests */
 		decode_cr(md, c);
@@ -2355,24 +2428,31 @@ static bool switch_connection(struct msg_digest *md, struct id *peer,
 		r = refine_host_connection(st, peer, peer_ca);
 
 		/* delete the collected certificate requests */
-		free_generalNames(c->requested_ca, TRUE);
-		c->requested_ca = NULL;
+		if (c->requested_ca)
+		{
+			c->requested_ca->destroy_offset(c->requested_ca,
+									 offsetof(identification_t, destroy));
+			c->requested_ca = NULL;
+		}
 
 		if (r == NULL)
 		{
-			char buf[BUF_LEN];
-
-			idtoa(peer, buf, sizeof(buf));
-			loglog(RC_LOG_SERIOUS, "no suitable connection for peer '%s'", buf);
+			loglog(RC_LOG_SERIOUS, "no suitable connection for peer '%Y'", peer);
 			return FALSE;
 		}
 
-		DBG(DBG_CONTROL,
-			char buf[BUF_LEN];
-
-			dntoa_or_null(buf, BUF_LEN, r->spd.this.ca, "%none");
-			DBG_log("offered CA:   '%s'", buf);
-		)
+		if (r->spd.this.ca)
+		{
+			DBG(DBG_CONTROL,
+				DBG_log("offered CA:   \"%Y\"", r->spd.this.ca)
+			)
+		}
+		else
+		{
+			DBG(DBG_CONTROL,
+				DBG_log("offered CA:   %%none")
+			)
+		}
 
 		if (r != c)
 		{
@@ -2396,10 +2476,9 @@ static bool switch_connection(struct msg_digest *md, struct id *peer,
 		}
 		else if (c->spd.that.has_id_wildcards)
 		{
-			free_id_content(&c->spd.that.id);
-			c->spd.that.id = *peer;
+			c->spd.that.id->destroy(c->spd.that.id);
+			c->spd.that.id = peer->clone(peer);
 			c->spd.that.has_id_wildcards = FALSE;
-			unshare_id_content(&c->spd.that.id);
 		}
 	}
 	return TRUE;
@@ -2489,13 +2568,19 @@ static bool decode_net_id(struct isakmp_ipsec_id *id, pb_stream *id_pbs,
 			ugh = initaddr(id_pbs->cur
 				, afi->ia_sz, afi->af, &temp_address);
 			if (ugh == NULL)
+			{
 				ugh = initaddr(id_pbs->cur + afi->ia_sz
 					, afi->ia_sz, afi->af, &temp_mask);
+			}
 			if (ugh == NULL)
+			{
 				ugh = initsubnet(&temp_address, masktocount(&temp_mask)
 					, '0', net);
+			}
 			if (ugh == NULL && subnetisnone(net))
+			{
 				ugh = "contains only anyaddr";
+			}
 			if (ugh != NULL)
 			{
 				loglog(RC_LOG_SERIOUS, "%s ID payload %s bad subnet in Quick I1 (%s)"
@@ -2528,8 +2613,10 @@ static bool decode_net_id(struct isakmp_ipsec_id *id, pb_stream *id_pbs,
 			}
 			ugh = initaddr(id_pbs->cur, afi->ia_sz, afi->af, &temp_address_from);
 			if (ugh == NULL)
+			{
 				ugh = initaddr(id_pbs->cur + afi->ia_sz
 					, afi->ia_sz, afi->af, &temp_address_to);
+			}
 			if (ugh != NULL)
 			{
 				loglog(RC_LOG_SERIOUS, "%s ID payload %s malformed (%s) in Quick I1"
@@ -2540,7 +2627,9 @@ static bool decode_net_id(struct isakmp_ipsec_id *id, pb_stream *id_pbs,
 
 			ugh = rangetosubnet(&temp_address_from, &temp_address_to, net);
 			if (ugh == NULL && subnetisnone(net))
+			{
 				ugh = "contains only anyaddr";
+			}
 			if (ugh != NULL)
 			{
 				char temp_buff1[ADDRTOT_BUF], temp_buff2[ADDRTOT_BUF];
@@ -2582,8 +2671,9 @@ static bool check_net_id(struct isakmp_ipsec_id *id, pb_stream *id_pbs,
 	ip_subnet net_temp;
 
 	if (!decode_net_id(id, id_pbs, &net_temp, which))
+	{
 		return FALSE;
-
+	}
 	if (!samesubnet(net, &net_temp)
 	|| *protoid != id->isaiid_protoid || *port != id->isaiid_port)
 	{
@@ -2598,7 +2688,7 @@ static bool check_net_id(struct isakmp_ipsec_id *id, pb_stream *id_pbs,
  */
 static bool has_preloaded_public_key(struct state *st)
 {
-	struct connection *c = st->st_connection;
+	connection_t *c = st->st_connection;
 
 	/* do not consider rw connections since
 	 * the peer's identity must be known
@@ -2613,7 +2703,8 @@ static bool has_preloaded_public_key(struct state *st)
 			pubkey_t *key = p->key;
 			key_type_t type = key->public_key->get_type(key->public_key);
 
-			if (type == KEY_RSA && same_id(&c->spd.that.id, &key->id) &&
+			if (type == KEY_RSA &&
+				c->spd.that.id->equals(c->spd.that.id, key->id) &&
 				key->until_time == UNDEFINED_TIME)
 			{
 				/* found a preloaded public key */
@@ -2646,7 +2737,7 @@ static void compute_proto_keymat(struct state *st, u_int8_t protoid,
 			if (needed_len && pi->attrs.key_len)
 			{
 				needed_len = pi->attrs.key_len / BITS_PER_BYTE;
-			}	
+			}
 
 			switch (pi->attrs.transid)
 			{
@@ -2745,7 +2836,7 @@ static void compute_proto_keymat(struct state *st, u_int8_t protoid,
 			char *keymat_i_peer = pi->peer_keymat + i;
 			chunk_t keymat_our  = { keymat_i_our,  prf_block_size };
 			chunk_t keymat_peer = { keymat_i_peer, prf_block_size };
-			
+
 			if (st->st_shared.ptr != NULL)
 			{
 				/* PFS: include the g^xy */
@@ -2785,9 +2876,13 @@ static void compute_proto_keymat(struct state *st, u_int8_t protoid,
 static void compute_keymats(struct state *st)
 {
 	if (st->st_ah.present)
+	{
 		compute_proto_keymat(st, PROTO_IPSEC_AH, &st->st_ah);
+	}
 	if (st->st_esp.present)
+	{
 		compute_proto_keymat(st, PROTO_IPSEC_ESP, &st->st_esp);
+	}
 }
 
 static bool uses_pubkey_auth(int auth)
@@ -2807,6 +2902,38 @@ static bool uses_pubkey_auth(int auth)
 	}
 }
 
+/* build an ID payload
+ * Note: no memory is allocated for the body of the payload (tl->ptr).
+ * We assume it will end up being a pointer into a sufficiently
+ * stable datastructure.  It only needs to last a short time.
+ */
+static void build_id_payload(struct isakmp_ipsec_id *hd, chunk_t *tl, struct end *end)
+{
+	identification_t *id = resolve_myid(end->id);
+
+	zero(hd);
+	hd->isaiid_idtype = id->get_type(id);
+
+	switch (id->get_type(id))
+	{
+		case ID_ANY:
+			hd->isaiid_idtype = aftoinfo(addrtypeof(&end->host_addr))->id_addr;
+			tl->len = addrbytesptr(&end->host_addr,
+						(const unsigned char **)&tl->ptr); /* sets tl->ptr too */
+			break;
+		case ID_IPV4_ADDR:
+		case ID_IPV6_ADDR:
+		case ID_FQDN:
+		case ID_USER_FQDN:
+		case ID_DER_ASN1_DN:
+		case ID_KEY_ID:
+			*tl = id->get_encoding(id);
+			break;
+		default:
+			bad_case(id->get_type(id));
+	}
+}
+
 /* State Transition Functions.
  *
  * The definition of state_microcode_table in demux.c is a good
@@ -2833,7 +2960,7 @@ stf_status main_inI1_outR1(struct msg_digest *md)
 {
 	struct payload_digest *const sa_pd = md->chain[ISAKMP_NEXT_SA];
 	struct state *st;
-	struct connection *c;
+	connection_t *c;
 	struct isakmp_proposal proposal;
 	pb_stream proposal_pbs;
 	pb_stream r_sa_pbs;
@@ -2877,7 +3004,7 @@ stf_status main_inI1_outR1(struct msg_digest *md)
 		 * but Food Groups kind of assumes one.
 		 */
 		{
-			struct connection *d;
+			connection_t *d;
 
 			d = find_host_connection(&md->iface->addr
 				, pluto_port, (ip_address*)NULL, md->sender_port, policy);
@@ -2936,7 +3063,7 @@ stf_status main_inI1_outR1(struct msg_digest *md)
 		/* Create an instance
 		 * This is a rare case: wildcard peer ID but static peer IP address
 		 */
-		 c = rw_instantiate(c, &md->sender, md->sender_port, NULL, &c->spd.that.id);
+		 c = rw_instantiate(c, &md->sender, md->sender_port, NULL, c->spd.that.id);
 	}
 
 	/* Set up state */
@@ -3126,7 +3253,7 @@ stf_status main_inR1_outI2(struct msg_digest *md)
 		{
 			loglog(RC_LOG_SERIOUS, "a single Transform is required in a selecting Oakley Proposal; found %u"
 			, (unsigned)proposal.isap_notrans);
-			RETURN_STF_FAILURE(BAD_PROPOSAL_SYNTAX);
+			RETURN_STF_FAILURE(ISAKMP_BAD_PROPOSAL_SYNTAX);
 		}
 		RETURN_STF_FAILURE(parse_isakmp_sa_body(ipsecdoisit
 			, &proposal_pbs, &proposal, NULL, st, TRUE));
@@ -3155,35 +3282,46 @@ stf_status main_inR1_outI2(struct msg_digest *md)
 	/* KE out */
 	if (!build_and_ship_KE(st, &st->st_gi, st->st_oakley.group
 	, &md->rbody, ISAKMP_NEXT_NONCE))
+	{
 		return STF_INTERNAL_ERROR;
+	}
 
 #ifdef DEBUG
 	/* Ni out */
 	if (!build_and_ship_nonce(&st->st_ni, &md->rbody
 	, (cur_debugging & IMPAIR_BUST_MI2)? ISAKMP_NEXT_VID : np, "Ni"))
+	{
 		return STF_INTERNAL_ERROR;
-
+	}
 	if (cur_debugging & IMPAIR_BUST_MI2)
 	{
 		/* generate a pointless large VID payload to push message over MTU */
 		pb_stream vid_pbs;
 
 		if (!out_generic(np, &isakmp_vendor_id_desc, &md->rbody, &vid_pbs))
+		{
 			return STF_INTERNAL_ERROR;
+		}
 		if (!out_zero(1500 /*MTU?*/, &vid_pbs, "Filler VID"))
+		{
 			return STF_INTERNAL_ERROR;
+		}
 		close_output_pbs(&vid_pbs);
 	}
 #else
 	/* Ni out */
 	if (!build_and_ship_nonce(&st->st_ni, &md->rbody, np, "Ni"))
+	{
 		return STF_INTERNAL_ERROR;
+	}
 #endif
 
 	if (st->nat_traversal & NAT_T_WITH_NATD)
 	{
 		if (!nat_traversal_add_natd(ISAKMP_NEXT_NONE, &md->rbody, md))
+		{
 			return STF_INTERNAL_ERROR;
+		}
 	}
 
 	/* finish message */
@@ -3251,15 +3389,18 @@ stf_status main_inI2_outR2(struct msg_digest *md)
 	/* KE out */
 	if (!build_and_ship_KE(st, &st->st_gr, st->st_oakley.group
 	, &md->rbody, ISAKMP_NEXT_NONCE))
+	{
 		return STF_INTERNAL_ERROR;
+	}
 
 #ifdef DEBUG
 	/* Nr out */
-	if (!build_and_ship_nonce(&st->st_nr, &md->rbody
-	, (cur_debugging & IMPAIR_BUST_MR2)? ISAKMP_NEXT_VID
+	if (!build_and_ship_nonce(&st->st_nr, &md->rbody,
+	   (cur_debugging & IMPAIR_BUST_MR2)? ISAKMP_NEXT_VID
 		: (send_cr? ISAKMP_NEXT_CR : np), "Nr"))
+	{
 		return STF_INTERNAL_ERROR;
-
+	}
 	if (cur_debugging & IMPAIR_BUST_MR2)
 	{
 		/* generate a pointless large VID payload to push message over MTU */
@@ -3267,9 +3408,13 @@ stf_status main_inI2_outR2(struct msg_digest *md)
 
 		if (!out_generic((send_cr)? ISAKMP_NEXT_CR : np,
 			&isakmp_vendor_id_desc, &md->rbody, &vid_pbs))
+		{
 			return STF_INTERNAL_ERROR;
+		}
 		if (!out_zero(1500 /*MTU?*/, &vid_pbs, "Filler VID"))
+		{
 			return STF_INTERNAL_ERROR;
+		}
 		close_output_pbs(&vid_pbs);
 	}
 #else
@@ -3284,33 +3429,50 @@ stf_status main_inI2_outR2(struct msg_digest *md)
 	{
 		if (st->st_connection->kind == CK_PERMANENT)
 		{
-			if (!build_and_ship_CR(CERT_X509_SIGNATURE
-			, st->st_connection->spd.that.ca
-			, &md->rbody, np))
+			identification_t *ca = st->st_connection->spd.that.ca;
+			chunk_t cr = (ca) ? ca->get_encoding(ca) : chunk_empty;
+
+			if (!build_and_ship_CR(CERT_X509_SIGNATURE, cr, &md->rbody, np))
+			{
 				return STF_INTERNAL_ERROR;
+			}
 		}
 		else
 		{
-			generalName_t *ca = NULL;
+			linked_list_t *list = collect_rw_ca_candidates(md);
+			int count = list->get_count(list);
+			bool error = FALSE;
 
-			if (collect_rw_ca_candidates(md, &ca))
+			if (count)
 			{
-				generalName_t *gn;
+				enumerator_t *enumerator;
+				identification_t *ca;
 
-				for (gn = ca; gn != NULL; gn = gn->next)
+				enumerator = list->create_enumerator(list);
+				while (enumerator->enumerate(enumerator, &ca))
 				{
-					if (!build_and_ship_CR(CERT_X509_SIGNATURE, gn->name
-					, &md->rbody
-					, gn->next == NULL ? np : ISAKMP_NEXT_CR))
-						return STF_INTERNAL_ERROR;
+					if (!build_and_ship_CR(CERT_X509_SIGNATURE,
+										   ca->get_encoding(ca), &md->rbody,
+										   --count ? ISAKMP_NEXT_CR : np))
+					{
+						error = TRUE;
+						break;
+					}
 				}
-				free_generalNames(ca, FALSE);
+				enumerator->destroy(enumerator);
 			}
 			else
 			{
-				if (!build_and_ship_CR(CERT_X509_SIGNATURE, chunk_empty
-				, &md->rbody, np))
-					return STF_INTERNAL_ERROR;
+				if (!build_and_ship_CR(CERT_X509_SIGNATURE, chunk_empty,
+									   &md->rbody, np))
+				{
+					error = TRUE;
+				}
+			}
+			list->destroy_offset(list, offsetof(identification_t, destroy));
+			if (error)
+			{
+				return STF_INTERNAL_ERROR;
 			}
 		}
 	}
@@ -3318,7 +3480,9 @@ stf_status main_inI2_outR2(struct msg_digest *md)
 	if (st->nat_traversal & NAT_T_WITH_NATD)
 	{
 	   if (!nat_traversal_add_natd(ISAKMP_NEXT_NONE, &md->rbody, md))
+		{
 		   return STF_INTERNAL_ERROR;
+		}
 	}
 
 	/* finish message */
@@ -3329,7 +3493,9 @@ stf_status main_inI2_outR2(struct msg_digest *md)
 	 */
 	compute_dh_shared(st, st->st_gi);
 	if (!generate_skeyids_iv(st))
-		return STF_FAIL + AUTHENTICATION_FAILED;
+	{
+		return STF_FAIL + ISAKMP_AUTHENTICATION_FAILED;
+	}
 	update_iv(st);
 
 	return STF_OK;
@@ -3350,9 +3516,10 @@ stf_status main_inR2_outI3(struct msg_digest *md)
 	struct state *const st = md->st;
 	pb_stream *const keyex_pbs = &md->chain[ISAKMP_NEXT_KE]->pbs;
 	pb_stream id_pbs;   /* ID Payload; also used for hash calculation */
-
-	certpolicy_t cert_policy = st->st_connection->spd.this.sendcert;
-	cert_t mycert = st->st_connection->spd.this.cert;
+	
+	connection_t *c = st->st_connection;
+	certpolicy_t cert_policy = c->spd.this.sendcert;
+	cert_t *mycert = c->spd.this.cert;
 	bool requested, send_cert, send_cr;
 	bool pubkey_auth = uses_pubkey_auth(st->st_oakley.auth);
 
@@ -3365,22 +3532,26 @@ stf_status main_inR2_outI3(struct msg_digest *md)
 	RETURN_STF_FAILURE(accept_nonce(md, &st->st_nr, "Nr"));
 
 	/* decode certificate requests */
-	st->st_connection->got_certrequest = FALSE;
-	decode_cr(md, st->st_connection);
+	c->got_certrequest = FALSE;
+	decode_cr(md, c);
 
 	/* free collected certificate requests since as initiator
 	 * we don't heed them anyway
 	 */
-	free_generalNames(st->st_connection->requested_ca, TRUE);
-	st->st_connection->requested_ca = NULL;
+	if (c->requested_ca)
+	{
+		c->requested_ca->destroy_offset(c->requested_ca,
+								 offsetof(identification_t, destroy));
+		c->requested_ca = NULL;
+	}
 
 	/* send certificate if auth is RSA, we have one and we want
 	 * or are requested to send it
 	 */
-	requested = cert_policy == CERT_SEND_IF_ASKED
-				&& st->st_connection->got_certrequest;
-	send_cert = pubkey_auth && mycert.type != CERT_NONE
-				&& (cert_policy == CERT_ALWAYS_SEND || requested);
+	requested = cert_policy == CERT_SEND_IF_ASKED && c->got_certrequest;
+	send_cert = pubkey_auth && mycert &&
+				mycert->cert->get_type(mycert->cert) == CERT_X509 &&
+				(cert_policy == CERT_ALWAYS_SEND || requested);
 
 	/* send certificate request if we don't have a preloaded RSA public key */
 	send_cr = !no_cr_send && send_cert && !has_preloaded_public_key(st);
@@ -3388,8 +3559,9 @@ stf_status main_inR2_outI3(struct msg_digest *md)
 	/* done parsing; initialize crypto  */
 	compute_dh_shared(st, st->st_gr);
 	if (!generate_skeyids_iv(st))
-		return STF_FAIL + AUTHENTICATION_FAILED;
-
+	{
+		return STF_FAIL + ISAKMP_AUTHENTICATION_FAILED;
+	}
 	if (st->nat_traversal & NAT_T_WITH_NATD)
 	{
 		nat_traversal_natd_lookup(md);
@@ -3413,11 +3585,13 @@ stf_status main_inR2_outI3(struct msg_digest *md)
 		struct isakmp_ipsec_id id_hd;
 		chunk_t id_b;
 
-		build_id_payload(&id_hd, &id_b, &st->st_connection->spd.this);
+		build_id_payload(&id_hd, &id_b, &c->spd.this);
 		id_hd.isaiid_np = (send_cert)? ISAKMP_NEXT_CERT : auth_payload;
 		if (!out_struct(&id_hd, &isakmp_ipsec_identification_desc, &md->rbody, &id_pbs)
 		|| !out_chunk(id_b, &id_pbs, "my identity"))
+		{
 			return STF_INTERNAL_ERROR;
+		}
 		close_output_pbs(&id_pbs);
 	}
 
@@ -3427,12 +3601,14 @@ stf_status main_inR2_outI3(struct msg_digest *md)
 		DBG(DBG_CONTROL,
 			DBG_log("our certificate policy is %N", cert_policy_names, cert_policy)
 		)
-		if (mycert.type != CERT_NONE)
+		if (mycert && mycert->cert->get_type(mycert->cert) == CERT_X509)
 		{
 			const char *request_text = "";
 
 			if (cert_policy == CERT_SEND_IF_ASKED)
+			{
 				request_text = (send_cert)? "upon request":"without request";
+			}
 			plog("we have a cert %s sending it %s"
 				, send_cert? "and are":"but are not", request_text);
 		}
@@ -3443,31 +3619,43 @@ stf_status main_inR2_outI3(struct msg_digest *md)
 	}
 	if (send_cert)
 	{
+		bool success;
+		chunk_t cert_encoding;	
 		pb_stream cert_pbs;
 
 		struct isakmp_cert cert_hd;
 		cert_hd.isacert_np = (send_cr)? ISAKMP_NEXT_CR : ISAKMP_NEXT_SIG;
-		cert_hd.isacert_type = mycert.type;
+		cert_hd.isacert_type = CERT_X509_SIGNATURE;
 
 		if (!out_struct(&cert_hd, &isakmp_ipsec_certificate_desc, &md->rbody, &cert_pbs))
+		{
 			return STF_INTERNAL_ERROR;
-		if (!out_chunk(cert_get_encoding(mycert), &cert_pbs, "CERT"))
+		}
+		cert_encoding = mycert->cert->get_encoding(mycert->cert);
+		success = out_chunk(cert_encoding, &cert_pbs, "CERT");
+		free(cert_encoding.ptr);
+		if (!success)	
+		{
 			return STF_INTERNAL_ERROR;
+		}
 		close_output_pbs(&cert_pbs);
 	}
 
 	/* CR out */
 	if (send_cr)
 	{
-		if (!build_and_ship_CR(mycert.type, st->st_connection->spd.that.ca
-		, &md->rbody, ISAKMP_NEXT_SIG))
+		identification_t *ca = st->st_connection->spd.that.ca;
+		chunk_t cr = (ca) ? ca->get_encoding(ca) : chunk_empty;
+
+		if (!build_and_ship_CR(CERT_X509_SIGNATURE, cr, &md->rbody, ISAKMP_NEXT_SIG))
+		{
 			return STF_INTERNAL_ERROR;
+		}
 	}
 
    /* HASH_I or SIG_I out */
 	{
-		u_char hash_buf[MAX_DIGEST_LEN];
-		chunk_t hash = chunk_from_buf(hash_buf);
+		chunk_t hash = chunk_alloca(MAX_DIGEST_LEN);
 
 		main_mode_hash(st, &hash, TRUE, &id_pbs);
 
@@ -3489,16 +3677,18 @@ stf_status main_inR2_outI3(struct msg_digest *md)
 
 			scheme = oakley_to_signature_scheme(st->st_oakley.auth);
 
-			sig_len = sign_hash(scheme, st->st_connection, sig_val, hash);
+			sig_len = sign_hash(scheme, c, sig_val, hash);
 			if (sig_len == 0)
 			{
 				loglog(RC_LOG_SERIOUS, "unable to locate my private key for signature");
-				return STF_FAIL + AUTHENTICATION_FAILED;
+				return STF_FAIL + ISAKMP_AUTHENTICATION_FAILED;
 			}
 
 			if (!out_generic_raw(ISAKMP_NEXT_NONE, &isakmp_signature_desc
 			, &md->rbody, sig_val, sig_len, "SIG_I"))
+			{
 				return STF_INTERNAL_ERROR;
+			}
 		}
 	}
 
@@ -3506,8 +3696,9 @@ stf_status main_inR2_outI3(struct msg_digest *md)
 
 	/* st_new_iv was computed by generate_skeyids_iv */
 	if (!encrypt_message(&md->rbody, st))
+	{
 		return STF_INTERNAL_ERROR;      /* ??? we may be partly committed */
-
+	}
 	return STF_OK;
 }
 
@@ -3534,13 +3725,10 @@ struct key_continuation {
 typedef stf_status (key_tail_fn)(struct msg_digest *md
 								  , struct key_continuation *kc);
 
-static void report_key_dns_failure(struct id *id, err_t ugh)
+static void report_key_dns_failure(identification_t *id, err_t ugh)
 {
-	char id_buf[BUF_LEN];       /* arbitrary limit on length of ID reported */
-
-	(void) idtoa(id, id_buf, sizeof(id_buf));
-	loglog(RC_LOG_SERIOUS, "no RSA public key known for '%s'"
-		"; DNS search for KEY failed (%s)", id_buf, ugh);
+	loglog(RC_LOG_SERIOUS, "no RSA public key known for '%Y'"
+		"; DNS search for KEY failed (%s)", id, ugh);
 }
 
 
@@ -3558,15 +3746,16 @@ main_id_and_auth(struct msg_digest *md
 				 , const struct key_continuation *kc    /* current state, can be NULL */
 )
 {
-	u_char hash_buf[MAX_DIGEST_LEN];
-	chunk_t hash = chunk_from_buf(hash_buf);
+	chunk_t hash = chunk_alloca(MAX_DIGEST_LEN);
 	struct state *st = md->st;
-	struct id peer;
+	identification_t *peer;
 	stf_status r = STF_OK;
 
 	/* ID Payload in */
 	if (!decode_peer_id(md, &peer))
-		return STF_FAIL + INVALID_ID_INFORMATION;
+	{
+		return STF_FAIL + ISAKMP_INVALID_ID_INFORMATION;
+	}
 
 	/* Hash the ID Payload.
 	 * main_mode_hash requires idpl->cur to be at end of payload
@@ -3596,7 +3785,7 @@ main_id_and_auth(struct msg_digest *md
 					, hash_pbs->cur, pbs_left(hash_pbs));
 				loglog(RC_LOG_SERIOUS, "received Hash Payload does not match computed value");
 				/* XXX Could send notification back */
-				r = STF_FAIL + INVALID_HASH_INFORMATION;
+				r = STF_FAIL + ISAKMP_INVALID_HASH_INFORMATION;
 			}
 		}
 		break;
@@ -3604,14 +3793,14 @@ main_id_and_auth(struct msg_digest *md
 	case OAKLEY_RSA_SIG:
 	case XAUTHInitRSA:
 	case XAUTHRespRSA:
-		r = check_signature(KEY_RSA, &peer, st, hash,
-				 &md->chain[ISAKMP_NEXT_SIG]->pbs,
+		r = check_signature(KEY_RSA, peer, st, hash,
+				 			&md->chain[ISAKMP_NEXT_SIG]->pbs,
 #ifdef USE_KEYRR
-				kc == NULL? NULL : kc->ac.keys_from_dns,
+							kc == NULL ? NULL : kc->ac.keys_from_dns,
 #endif /* USE_KEYRR */
-				kc == NULL? NULL : kc->ac.gateways_from_dns
+							kc == NULL ? NULL : kc->ac.gateways_from_dns
 			);
-	
+
 		if (r == STF_SUSPEND)
 		{
 			/* initiate/resume asynchronous DNS lookup for key */
@@ -3634,22 +3823,14 @@ main_id_and_auth(struct msg_digest *md
 #ifdef USE_KEYRR
 				nkc->failure_ok = TRUE;
 #endif
-				ugh = start_adns_query(&peer
-									   , &peer  /* SG itself */
-									   , T_TXT
-									   , cont_fn
-									   , &nkc->ac);
+				ugh = start_adns_query(peer, peer, T_TXT, cont_fn, &nkc->ac);
 				break;
 
 #ifdef USE_KEYRR
 			case kos_his_txt:
 				/* second try: look for the KEY records */
 				nkc->step = kos_his_key;
-				ugh = start_adns_query(&peer
-									   , NULL   /* no sgw for KEY */
-									   , T_KEY
-									   , cont_fn
-									   , &nkc->ac);
+				ugh = start_adns_query(peer, NULL, T_KEY, cont_fn, &nkc->ac);
 				break;
 #endif /* USE_KEYRR */
 
@@ -3659,9 +3840,9 @@ main_id_and_auth(struct msg_digest *md
 
 			if (ugh != NULL)
 			{
-				report_key_dns_failure(&peer, ugh);
+				report_key_dns_failure(peer, ugh);
 				st->st_suspended_md = NULL;
-				r = STF_FAIL + INVALID_KEY_INFORMATION;
+				r = STF_FAIL + ISAKMP_INVALID_KEY_INFORMATION;
 			}
 		}
 		break;
@@ -3669,7 +3850,7 @@ main_id_and_auth(struct msg_digest *md
 	case OAKLEY_ECDSA_256:
 	case OAKLEY_ECDSA_384:
 	case OAKLEY_ECDSA_521:
-		r = check_signature(KEY_ECDSA, &peer, st, hash,
+		r = check_signature(KEY_ECDSA, peer, st, hash,
 							&md->chain[ISAKMP_NEXT_SIG]->pbs,
 #ifdef USE_KEYRR
 							NULL,
@@ -3681,16 +3862,20 @@ main_id_and_auth(struct msg_digest *md
 		bad_case(st->st_oakley.auth);
 	}
 	if (r != STF_OK)
+	{
+		peer->destroy(peer);
 		return r;
-
+	}
 	DBG(DBG_CRYPT, DBG_log("authentication succeeded"));
 
 	/*
 	 * With the peer ID known, let's see if we need to switch connections.
 	 */
-	if (!switch_connection(md, &peer, initiator))
-		return STF_FAIL + INVALID_ID_INFORMATION;
-
+	if (!switch_connection(md, peer, initiator))
+	{
+		r = STF_FAIL + ISAKMP_INVALID_ID_INFORMATION;
+	}
+	peer->destroy(peer);
 	return r;
 }
 
@@ -3715,7 +3900,7 @@ main_id_and_auth(struct msg_digest *md
  * to find authentication, or we run out of things
  * to try.
  */
-static void key_continue(struct adns_continuation *cr, err_t ugh, 
+static void key_continue(struct adns_continuation *cr, err_t ugh,
 						 key_tail_fn *tail)
 {
 	struct key_continuation *kc = (void *)cr;
@@ -3734,8 +3919,8 @@ static void key_continue(struct adns_continuation *cr, err_t ugh,
 
 		if (!kc->failure_ok && ugh != NULL)
 		{
-			report_key_dns_failure(&st->st_connection->spd.that.id, ugh);
-			r = STF_FAIL + INVALID_KEY_INFORMATION;
+			report_key_dns_failure(st->st_connection->spd.that.id, ugh);
+			r = STF_FAIL + ISAKMP_INVALID_KEY_INFORMATION;
 		}
 		else
 		{
@@ -3751,7 +3936,9 @@ static void key_continue(struct adns_continuation *cr, err_t ugh,
 		complete_state_transition(&kc->md, r);
 	}
 	if (kc->md != NULL)
+	{
 		release_md(kc->md);
+	}
 	cur_state = NULL;
 }
 
@@ -3786,7 +3973,7 @@ main_inI3_outR3_tail(struct msg_digest *md
 	u_int8_t auth_payload;
 	pb_stream r_id_pbs; /* ID Payload; also used for hash calculation */
 	certpolicy_t cert_policy;
-	cert_t mycert;
+	cert_t *mycert;
 	bool pubkey_auth, send_cert, requested;
 
 	/* ID and HASH_I or SIG_I in
@@ -3798,7 +3985,9 @@ main_inI3_outR3_tail(struct msg_digest *md
 										, kc);
 
 		if (r != STF_OK)
+		{
 			return r;
+		}
 	}
 
 	/* send certificate if pubkey authentication is used, we have one
@@ -3809,7 +3998,8 @@ main_inI3_outR3_tail(struct msg_digest *md
 	requested = cert_policy == CERT_SEND_IF_ASKED
 				&& st->st_connection->got_certrequest;
 	pubkey_auth = uses_pubkey_auth(st->st_oakley.auth);
-	send_cert = pubkey_auth	&& mycert.type != CERT_NONE &&
+	send_cert = pubkey_auth	&& mycert &&
+				mycert->cert->get_type(mycert->cert) == CERT_X509 &&
 				(cert_policy == CERT_ALWAYS_SEND || requested);
 
 	/*************** build output packet HDR*;IDir;HASH/SIG_R ***************/
@@ -3840,7 +4030,9 @@ main_inI3_outR3_tail(struct msg_digest *md
 		id_hd.isaiid_np = (send_cert)? ISAKMP_NEXT_CERT : auth_payload;
 		if (!out_struct(&id_hd, &isakmp_ipsec_identification_desc, &md->rbody, &r_id_pbs)
 		|| !out_chunk(id_b, &r_id_pbs, "my identity"))
+		{
 			return STF_INTERNAL_ERROR;
+		}
 		close_output_pbs(&r_id_pbs);
 	}
 
@@ -3850,12 +4042,14 @@ main_inI3_outR3_tail(struct msg_digest *md
 		DBG(DBG_CONTROL,
 			DBG_log("our certificate policy is %N", cert_policy_names, cert_policy)
 		)
-		if (mycert.type != CERT_NONE)
+		if (mycert && mycert->cert->get_type(mycert->cert) == CERT_X509)
 		{
 			const char *request_text = "";
 
 			if (cert_policy == CERT_SEND_IF_ASKED)
+			{
 				request_text = (send_cert)? "upon request":"without request";
+			}
 			plog("we have a cert %s sending it %s"
 				, send_cert? "and are":"but are not", request_text);
 		}
@@ -3866,23 +4060,31 @@ main_inI3_outR3_tail(struct msg_digest *md
 	}
 	if (send_cert)
 	{
+		bool success;
+		chunk_t cert_encoding;
 		pb_stream cert_pbs;
-
 		struct isakmp_cert cert_hd;
+
 		cert_hd.isacert_np = ISAKMP_NEXT_SIG;
-		cert_hd.isacert_type = mycert.type;
+		cert_hd.isacert_type = CERT_X509_SIGNATURE;
 
 		if (!out_struct(&cert_hd, &isakmp_ipsec_certificate_desc, &md->rbody, &cert_pbs))
-		return STF_INTERNAL_ERROR;
-		if (!out_chunk(cert_get_encoding(mycert), &cert_pbs, "CERT"))
+		{
+			return STF_INTERNAL_ERROR;
+		}
+		cert_encoding = mycert->cert->get_encoding(mycert->cert);
+		success = out_chunk(cert_encoding, &cert_pbs, "CERT");
+		free(cert_encoding.ptr);
+		if (!success)
+		{	
 			return STF_INTERNAL_ERROR;
+		}
 		close_output_pbs(&cert_pbs);
 	}
 
 	/* HASH_R or SIG_R out */
 	{
-		u_char hash_buf[MAX_DIGEST_LEN];
-		chunk_t hash = chunk_from_buf(hash_buf);
+		chunk_t hash = chunk_alloca(MAX_DIGEST_LEN);
 
 		main_mode_hash(st, &hash, FALSE, &r_id_pbs);
 
@@ -3908,19 +4110,23 @@ main_inI3_outR3_tail(struct msg_digest *md
 			if (sig_len == 0)
 			{
 				loglog(RC_LOG_SERIOUS, "unable to locate my private key for signature");
-				return STF_FAIL + AUTHENTICATION_FAILED;
+				return STF_FAIL + ISAKMP_AUTHENTICATION_FAILED;
 			}
 
 			if (!out_generic_raw(ISAKMP_NEXT_NONE, &isakmp_signature_desc
 			, &md->rbody, sig_val, sig_len, "SIG_R"))
+			{
 				return STF_INTERNAL_ERROR;
+			}
 		}
 	}
 
 	/* encrypt message, sans fixed part of header */
 
 	if (!encrypt_message(&md->rbody, st))
+	{
 		return STF_INTERNAL_ERROR;      /* ??? we may be partly committed */
+	}
 
 	/* Last block of Phase 1 (R3), kept for Phase 2 IV generation */
 	DBG_cond_dump(DBG_CRYPT, "last encrypted block of Phase 1:"
@@ -3969,7 +4175,9 @@ static stf_status main_inR3_tail(struct msg_digest *md,
 		stf_status r = main_id_and_auth(md, TRUE, main_inR3_continue, kc);
 
 		if (r != STF_OK)
+		{
 			return r;
+		}
 	}
 
 	/**************** done input ****************/
@@ -4103,7 +4311,7 @@ static stf_status quick_inI1_outR1_tail(struct verify_oppo_bundle *b
 stf_status quick_inI1_outR1(struct msg_digest *md)
 {
 	const struct state *const p1st = md->st;
-	struct connection *c = p1st->st_connection;
+	connection_t *c = p1st->st_connection;
 	struct payload_digest *const id_pd = md->chain[ISAKMP_NEXT_ID];
 	struct verify_oppo_bundle b;
 
@@ -4127,12 +4335,16 @@ stf_status quick_inI1_outR1(struct msg_digest *md)
 
 		if (!decode_net_id(&id_pd->payload.ipsec_id, &id_pd->pbs
 		, &b.his.net, "peer client"))
-			return STF_FAIL + INVALID_ID_INFORMATION;
+		{
+			return STF_FAIL + ISAKMP_INVALID_ID_INFORMATION;
+		}
 
 		/* Hack for MS 818043 NAT-T Update */
 
 		if (id_pd->payload.ipsec_id.isaiid_idtype == ID_FQDN)
+		{
 			happy(addrtosubnet(&c->spd.that.host_addr, &b.his.net));
+		}
 
 		/* End Hack for MS 818043 NAT-T Update */
 
@@ -4144,8 +4356,9 @@ stf_status quick_inI1_outR1(struct msg_digest *md)
 
 		if (!decode_net_id(&id_pd->next->payload.ipsec_id, &id_pd->next->pbs
 		, &b.my.net, "our client"))
-			return STF_FAIL + INVALID_ID_INFORMATION;
-		
+		{
+			return STF_FAIL + ISAKMP_INVALID_ID_INFORMATION;
+		}
 		b.my.proto = id_pd->next->payload.ipsec_id.isaiid_protoid;
 		b.my.port = id_pd->next->payload.ipsec_id.isaiid_port;
 		b.my.net.addr.u.v4.sin_port = htons(b.my.port);
@@ -4154,8 +4367,9 @@ stf_status quick_inI1_outR1(struct msg_digest *md)
 	{
 		/* implicit IDci and IDcr: peer and self */
 		if (!sameaddrtype(&c->spd.this.host_addr, &c->spd.that.host_addr))
+		{
 			return STF_FAIL;
-
+		}
 		happy(addrtosubnet(&c->spd.this.host_addr, &b.my.net));
 		happy(addrtosubnet(&c->spd.that.host_addr, &b.his.net));
 		b.his.proto = b.my.proto = 0;
@@ -4224,7 +4438,7 @@ static void quick_inI1_outR1_continue(struct adns_continuation *cr, err_t ugh)
 		if (!b->failure_ok && ugh != NULL)
 		{
 			report_verify_failure(b, ugh);
-			r = STF_FAIL + INVALID_ID_INFORMATION;
+			r = STF_FAIL + ISAKMP_INVALID_ID_INFORMATION;
 		}
 		else
 		{
@@ -4233,7 +4447,9 @@ static void quick_inI1_outR1_continue(struct adns_continuation *cr, err_t ugh)
 		complete_state_transition(&b->md, r);
 	}
 	if (b->md != NULL)
+	{
 		release_md(b->md);
+	}
 	cur_state = NULL;
 }
 
@@ -4242,11 +4458,11 @@ static stf_status quick_inI1_outR1_start_query(struct verify_oppo_bundle *b,
 {
 	struct msg_digest *md = b->md;
 	struct state *p1st = md->st;
-	struct connection *c = p1st->st_connection;
+	connection_t *c = p1st->st_connection;
 	struct verify_oppo_continuation *vc = malloc_thing(struct verify_oppo_continuation);
-	struct id id        /* subject of query */
-		, *our_id       /* needed for myid playing */
-		, our_id_space; /* ephemeral: no need for unshare_id_content */
+	identification_t *id;           /* subject of query */
+	identification_t *our_id;       /* needed for myid playing */
+	identification_t *our_id_space; /* ephemeral: no need for unshare_id_content */
 	ip_address client;
 	err_t ugh = NULL;
 
@@ -4282,20 +4498,20 @@ static stf_status quick_inI1_outR1_start_query(struct verify_oppo_bundle *b,
 	 * %myid makes no sense for the other side (but it is syntactically
 	 * legal).
 	 */
-	our_id = resolve_myid(&c->spd.this.id);
-	if (our_id->kind == ID_ANY)
+	our_id = resolve_myid(c->spd.this.id);
+	if (our_id->get_type(our_id) == ID_ANY)
 	{
-		iptoid(&c->spd.this.host_addr, &our_id_space);
-		our_id = &our_id_space;
+		our_id_space = identification_create_from_sockaddr((sockaddr_t*)&c->spd.this.host_addr);
+		our_id = our_id_space;
 	}
 
 	switch (next_step)
 	{
 	case vos_our_client:
 		networkof(&b->my.net, &client);
-		iptoid(&client, &id);
+		id = identification_create_from_sockaddr((sockaddr_t*)&client);
 		vc->b.failure_ok = b->failure_ok = FALSE;
-		ugh = start_adns_query(&id
+		ugh = start_adns_query(id
 			, our_id
 			, T_TXT
 			, quick_inI1_outR1_continue
@@ -4324,10 +4540,10 @@ static stf_status quick_inI1_outR1_start_query(struct verify_oppo_bundle *b,
 
 	case vos_his_client:
 		networkof(&b->his.net, &client);
-		iptoid(&client, &id);
+		id = identification_create_from_sockaddr((sockaddr_t*)&client);
 		vc->b.failure_ok = b->failure_ok = FALSE;
-		ugh = start_adns_query(&id
-			, &c->spd.that.id
+		ugh = start_adns_query(id
+			, c->spd.that.id
 			, T_TXT
 			, quick_inI1_outR1_continue
 			, &vc->ac);
@@ -4345,7 +4561,7 @@ static stf_status quick_inI1_outR1_start_query(struct verify_oppo_bundle *b,
 		 */
 		report_verify_failure(b, ugh);
 		p1st->st_suspended_md = NULL;
-		return STF_FAIL + INVALID_ID_INFORMATION;
+		return STF_FAIL + ISAKMP_INVALID_ID_INFORMATION;
 	}
 	else
 	{
@@ -4358,7 +4574,7 @@ static enum verify_oppo_step quick_inI1_outR1_process_answer(
 										struct adns_continuation *ac,
 										struct state *p1st)
 {
-	struct connection *c = p1st->st_connection;
+	connection_t *c = p1st->st_connection;
 	enum verify_oppo_step next_step = vos_our_client;
 	err_t ugh = NULL;
 
@@ -4491,14 +4707,12 @@ static enum verify_oppo_step quick_inI1_outR1_process_answer(
 		next_step = vos_done;
 		{
 			public_key_t *pub_key;
-			identification_t *p1st_keyid;
 			struct gw_info *gwp;
-		
+
 			/* check that the public key that authenticated
 			 * the ISAKMP SA (p1st) will do for this gateway.
 			 */
 			pub_key = p1st->st_peer_pubkey->public_key;
-			p1st_keyid = pub_key->get_id(pub_key, ID_PUBKEY_INFO_SHA1);
 
 			ugh = "peer's client does not delegate to peer";
 			for (gwp = ac->gateways_from_dns; gwp != NULL; gwp = gwp->next)
@@ -4510,10 +4724,8 @@ static enum verify_oppo_step quick_inI1_outR1_process_answer(
 				 * it implies fetching a KEY from the same
 				 * place we must have gotten it.
 				 */
-				if (!gwp->gw_key_present || p1st_keyid->equals(p1st_keyid,
-					 gwp->key->public_key->get_id(gwp->key->public_key,
-												  ID_PUBKEY_INFO_SHA1))
-				   )
+				if (!gwp->gw_key_present ||
+					pub_key->equals(pub_key, gwp->key->public_key))
 				{
 					ugh = NULL; /* good! */
 					break;
@@ -4539,7 +4751,7 @@ static stf_status quick_inI1_outR1_tail(struct verify_oppo_bundle *b,
 {
 	struct msg_digest *md = b->md;
 	struct state *const p1st = md->st;
-	struct connection *c = p1st->st_connection;
+	connection_t *c = p1st->st_connection;
 	struct payload_digest *const id_pd = md->chain[ISAKMP_NEXT_ID];
 	ip_subnet *our_net = &b->my.net
 		, *his_net = &b->his.net;
@@ -4552,7 +4764,7 @@ static stf_status quick_inI1_outR1_tail(struct verify_oppo_bundle *b,
 	 * a suitable connection (our current one only matches for hosts).
 	 */
 	{
-		struct connection *p = find_client_connection(c
+		connection_t *p = find_client_connection(c
 			, our_net, his_net, b->my.proto, b->my.port, b->his.proto, b->his.port);
 
 		if (p == NULL)
@@ -4582,7 +4794,7 @@ static stf_status quick_inI1_outR1_tail(struct verify_oppo_bundle *b,
 			plog("cannot respond to IPsec SA request"
 				" because no connection is known for %s"
 				, buf);
-			return STF_FAIL + INVALID_ID_INFORMATION;
+			return STF_FAIL + ISAKMP_INVALID_ID_INFORMATION;
 		}
 		else if (p != c)
 		{
@@ -4609,14 +4821,18 @@ static stf_status quick_inI1_outR1_tail(struct verify_oppo_bundle *b,
 
 					next_step = quick_inI1_outR1_process_answer(b, ac, p1st);
 					if (next_step == vos_fail)
-						return STF_FAIL + INVALID_ID_INFORMATION;
+					{
+						return STF_FAIL + ISAKMP_INVALID_ID_INFORMATION;
+					}
 
 					/* short circuit: if peer's client is self,
 					 * accept that we've verified delegation in Phase 1
 					 */
 					if (next_step == vos_his_client
 					&& sameaddr(&c->spd.that.host_addr, &his_client))
+					{
 						next_step = vos_done;
+					}
 
 					/* the second chunk: initiate the next DNS query (if any) */
 					DBG(DBG_CONTROL,
@@ -4633,7 +4849,9 @@ static stf_status quick_inI1_outR1_tail(struct verify_oppo_bundle *b,
 
 					/* start next DNS query and suspend (if necessary) */
 					if (next_step != vos_done)
+					{
 						return quick_inI1_outR1_start_query(b, next_step);
+					}
 
 					/* Instantiate inbound Opportunistic connection,
 					 * carrying over authenticated peer ID
@@ -4643,7 +4861,7 @@ static stf_status quick_inI1_outR1_tail(struct verify_oppo_bundle *b,
 					 * We should record DNS sec use, if any -- belongs in
 					 * state during perhaps.
 					 */
-					p = oppo_instantiate(p, &c->spd.that.host_addr, &c->spd.that.id
+					p = oppo_instantiate(p, &c->spd.that.host_addr, c->spd.that.id
 						, NULL, &our_client, &his_client);
 				}
 				else
@@ -4652,7 +4870,7 @@ static stf_status quick_inI1_outR1_tail(struct verify_oppo_bundle *b,
 					 * instantiate, carrying over authenticated peer ID
 					 */
 					p = rw_instantiate(p, &c->spd.that.host_addr, md->sender_port
-								, his_net, &c->spd.that.id);
+								, his_net, c->spd.that.id);
 				}
 			}
 #ifdef DEBUG
@@ -4680,7 +4898,9 @@ static stf_status quick_inI1_outR1_tail(struct verify_oppo_bundle *b,
 			c->spd.that.client = *his_net;
 			c->spd.that.virt = NULL;
 			if (subnetishost(his_net) && addrinsubnet(&c->spd.that.host_addr, his_net))
+			{
 				c->spd.that.has_client = FALSE;
+			}
 		}
 
 		/* fill in the client's true port */
@@ -4708,7 +4928,7 @@ static stf_status quick_inI1_outR1_tail(struct verify_oppo_bundle *b,
 
 		if (st->st_connection != c)
 		{
-			struct connection *t = st->st_connection;
+			connection_t *t = st->st_connection;
 
 			st->st_connection = c;
 			set_cur_connection(c);
@@ -4781,7 +5001,9 @@ static stf_status quick_inI1_outR1_tail(struct verify_oppo_bundle *b,
 			/* sa header is unchanged -- except for np */
 			sa.isasa_np = ISAKMP_NEXT_NONCE;
 			if (!out_struct(&sa, &isakmp_sa_desc, &md->rbody, &r_sa_pbs))
+			{
 				return STF_INTERNAL_ERROR;
+			}
 
 			/* parse and accept body */
 			st->st_pfs_group = &unset_group;
@@ -4794,7 +5016,7 @@ static stf_status quick_inI1_outR1_tail(struct verify_oppo_bundle *b,
 		if ((st->st_policy & POLICY_PFS) && st->st_pfs_group == NULL)
 		{
 			loglog(RC_LOG_SERIOUS, "we require PFS but Quick I1 SA specifies no GROUP_DESCRIPTION");
-			return STF_FAIL + NO_PROPOSAL_CHOSEN;       /* ??? */
+			return STF_FAIL + ISAKMP_NO_PROPOSAL_CHOSEN;
 		}
 
 		/* Ni in */
@@ -4811,7 +5033,9 @@ static stf_status quick_inI1_outR1_tail(struct verify_oppo_bundle *b,
 		if (!build_and_ship_nonce(&st->st_nr, &md->rbody
 		, st->st_pfs_group != NULL? ISAKMP_NEXT_KE : id_pd != NULL? ISAKMP_NEXT_ID : ISAKMP_NEXT_NONE
 		, "Nr"))
+		 {
 			return STF_INTERNAL_ERROR;
+		}
 
 		/* [ KE ] out (for PFS) */
 
@@ -4819,7 +5043,9 @@ static stf_status quick_inI1_outR1_tail(struct verify_oppo_bundle *b,
 		{
 			if (!build_and_ship_KE(st, &st->st_gr, st->st_pfs_group
 			, &md->rbody, id_pd != NULL? ISAKMP_NEXT_ID : ISAKMP_NEXT_NONE))
-					return STF_INTERNAL_ERROR;
+			{
+				return STF_INTERNAL_ERROR;
+			}
 
 			/* MPZ-Operations might be done after sending the packet... */
 			compute_dh_shared(st, st->st_gi);
@@ -4831,13 +5057,17 @@ static stf_status quick_inI1_outR1_tail(struct verify_oppo_bundle *b,
 			struct isakmp_ipsec_id *p = (void *)md->rbody.cur;  /* UGH! */
 
 			if (!out_raw(id_pd->pbs.start, pbs_room(&id_pd->pbs), &md->rbody, "IDci"))
+			{
 				return STF_INTERNAL_ERROR;
+			}
 			p->isaiid_np = ISAKMP_NEXT_ID;
 
 			p = (void *)md->rbody.cur;  /* UGH! */
 
 			if (!out_raw(id_pd->next->pbs.start, pbs_room(&id_pd->next->pbs), &md->rbody, "IDcr"))
+			{
 				return STF_INTERNAL_ERROR;
+			}
 			p->isaiid_np = ISAKMP_NEXT_NONE;
 		}
 
@@ -4873,12 +5103,16 @@ static stf_status quick_inI1_outR1_tail(struct verify_oppo_bundle *b,
 		 * failure won't look like success.
 		 */
 		if (!install_inbound_ipsec_sa(st))
+		{
 			return STF_INTERNAL_ERROR;  /* ??? we may be partly committed */
+		}
 
 		/* encrypt message, except for fixed part of header */
 
 		if (!encrypt_message(&md->rbody, st))
+		{
 			return STF_INTERNAL_ERROR;  /* ??? we may be partly committed */
+		}
 
 		return STF_OK;
 	}
@@ -4891,14 +5125,16 @@ static void dpd_init(struct state *st)
 {
 	struct state *p1st = find_state(st->st_icookie, st->st_rcookie
 								, &st->st_connection->spd.that.host_addr, 0);
-	
+
 	if (p1st == NULL)
+	{
 		loglog(RC_LOG_SERIOUS, "could not find phase 1 state for DPD");
+	}
 	else if (p1st->st_dpd)
 	{
 		plog("Dead Peer Detection (RFC 3706) enabled");
 		/* randomize the first DPD event */
-		
+
 		event_schedule(EVENT_DPD
 			, (0.5 + rand()/(RAND_MAX + 1.E0)) * st->st_connection->dpd_delay
 			, st);
@@ -4914,7 +5150,7 @@ static void dpd_init(struct state *st)
 stf_status quick_inR1_outI2(struct msg_digest *md)
 {
 	struct state *const st = md->st;
-	const struct connection *c = st->st_connection;
+	const connection_t *c = st->st_connection;
 
 	/* HASH(2) in */
 	CHECK_QUICK_HASH(md
@@ -4937,7 +5173,9 @@ stf_status quick_inR1_outI2(struct msg_digest *md)
 	RETURN_STF_FAILURE(accept_PFS_KE(md, &st->st_gr, "Gr", "Quick Mode R1"));
 
 	if (st->st_pfs_group != NULL)
+	{
 		compute_dh_shared(st, st->st_gr);
+	}
 
 	/* [ IDci, IDcr ] in; these must match what we sent */
 
@@ -4954,7 +5192,9 @@ stf_status quick_inR1_outI2(struct msg_digest *md)
 			, &st->st_myuserprotoid, &st->st_myuserport
 			, &st->st_connection->spd.this.client
 			, "our client"))
-				return STF_FAIL + INVALID_ID_INFORMATION;
+			{
+				return STF_FAIL + ISAKMP_INVALID_ID_INFORMATION;
+			}
 
 			/* IDcr (responder is peer) */
 
@@ -4962,7 +5202,9 @@ stf_status quick_inR1_outI2(struct msg_digest *md)
 			, &st->st_peeruserprotoid, &st->st_peeruserport
 			, &st->st_connection->spd.that.client
 			, "peer client"))
-				return STF_FAIL + INVALID_ID_INFORMATION;
+			{
+				return STF_FAIL + ISAKMP_INVALID_ID_INFORMATION;
+			}
 		}
 		else
 		{
@@ -4972,35 +5214,40 @@ stf_status quick_inR1_outI2(struct msg_digest *md)
 			{
 				loglog(RC_LOG_SERIOUS, "IDci, IDcr payloads missing in message"
 					" but default does not match proposal");
-				return STF_FAIL + INVALID_ID_INFORMATION;
+				return STF_FAIL + ISAKMP_INVALID_ID_INFORMATION;
 			}
 		}
 	}
 
 	/* check the peer's group attributes */
-	
 	{
-		const ietfAttrList_t *peer_list = NULL;
-		
-		get_peer_ca_and_groups(st->st_connection, &peer_list);
+		identification_t *peer_ca = NULL;
+		ietf_attributes_t *peer_attributes = NULL;
+		bool match;
 
-		if (!group_membership(peer_list, st->st_connection->name
-				, st->st_connection->spd.that.groups))
+		get_peer_ca_and_groups(st->st_connection, &peer_ca, &peer_attributes);
+		match = match_group_membership(peer_attributes,
+									   st->st_connection->name,
+									   st->st_connection->spd.that.groups);
+		DESTROY_IF(peer_attributes);
+
+		if (!match)
 		{
-			char buf[BUF_LEN];
+			ietf_attributes_t *groups = st->st_connection->spd.that.groups;
 
-			format_groups(st->st_connection->spd.that.groups, buf, BUF_LEN);
-			loglog(RC_LOG_SERIOUS, "peer is not member of one of the groups: %s"
-				, buf);
-			return STF_FAIL + INVALID_ID_INFORMATION;
+			loglog(RC_LOG_SERIOUS,
+				   "peer with attributes '%s' is not a member of the groups '%s'",
+					peer_attributes->get_string(peer_attributes),
+					groups->get_string(groups));
+			return STF_FAIL + ISAKMP_INVALID_ID_INFORMATION;
 		}
 	}
 
-		if ((st->nat_traversal & NAT_T_DETECTED)
-		&&  (st->nat_traversal & NAT_T_WITH_NATOA))
-		{
-			nat_traversal_natoa_lookup(md);
-		}
+	if ((st->nat_traversal & NAT_T_DETECTED)
+	&&  (st->nat_traversal & NAT_T_WITH_NATOA))
+	{
+		nat_traversal_natoa_lookup(md);
+	}
 
 	/* ??? We used to copy the accepted proposal into the state, but it was
 	 * never used.  From sa_pd->pbs.start, length pbs_room(&sa_pd->pbs).
@@ -5029,32 +5276,37 @@ stf_status quick_inR1_outI2(struct msg_digest *md)
 	 * failure won't look like success.
 	 */
 	if (!install_ipsec_sa(st, TRUE))
+	{
 		return STF_INTERNAL_ERROR;
+	}
 
 	/* encrypt message, except for fixed part of header */
 
 	if (!encrypt_message(&md->rbody, st))
-		return STF_INTERNAL_ERROR;      /* ??? we may be partly committed */
-
 	{
-	  DBG(DBG_CONTROLMORE, DBG_log("inR1_outI2: instance %s[%ld], setting newest_ipsec_sa to #%ld (was #%ld) (spd.eroute=#%ld)"
+		return STF_INTERNAL_ERROR;      /* ??? we may be partly committed */
+	}
+	DBG(DBG_CONTROLMORE,
+		DBG_log("inR1_outI2: instance %s[%ld], setting newest_ipsec_sa to #%ld (was #%ld) (spd.eroute=#%ld)"
 							   , st->st_connection->name
 							   , st->st_connection->instance_serial
 							   , st->st_serialno
 							   , st->st_connection->newest_ipsec_sa
-							   , st->st_connection->spd.eroute_owner));
-	}
-	
+							   , st->st_connection->spd.eroute_owner)
+	)
 	st->st_connection->newest_ipsec_sa = st->st_serialno;
 
 	/* note (presumed) success */
 	if (c->gw_info != NULL)
+	{
 		c->gw_info->key->last_worked_time = now();
+	}
 
 	/* If we want DPD on this connection then initialize it */
 	if (st->st_connection->dpd_action != DPD_ACTION_NONE)
+	{
 		dpd_init(st);
-
+	}
 	return STF_OK;
 }
 
@@ -5078,17 +5330,17 @@ stf_status quick_inI2(struct msg_digest *md)
 	 * failure won't look like success.
 	 */
 	if (!install_ipsec_sa(st, FALSE))
-		return STF_INTERNAL_ERROR;
-
 	{
-	  DBG(DBG_CONTROLMORE, DBG_log("inI2: instance %s[%ld], setting newest_ipsec_sa to #%ld (was #%ld) (spd.eroute=#%ld)"
+		return STF_INTERNAL_ERROR;
+	}
+	DBG(DBG_CONTROLMORE,
+		DBG_log("inI2: instance %s[%ld], setting newest_ipsec_sa to #%ld (was #%ld) (spd.eroute=#%ld)"
 							   , st->st_connection->name
 							   , st->st_connection->instance_serial
 							   , st->st_serialno
 							   , st->st_connection->newest_ipsec_sa
-							   , st->st_connection->spd.eroute_owner));
-	}
-
+							   , st->st_connection->spd.eroute_owner)
+	)
 	st->st_connection->newest_ipsec_sa = st->st_serialno;
 
 	update_iv(st);      /* not actually used, but tidy */
@@ -5098,13 +5350,16 @@ stf_status quick_inI2(struct msg_digest *md)
 		struct gw_info *gw = st->st_connection->gw_info;
 
 		if (gw != NULL)
+		{
 			gw->key->last_worked_time = now();
+		}
 	}
 
 	/* If we want DPD on this connection then initialize it */
 	if (st->st_connection->dpd_action != DPD_ACTION_NONE)
+	{
 		dpd_init(st);
-
+	}
 	return STF_OK;
 }
 
@@ -5117,9 +5372,9 @@ static stf_status send_isakmp_notification(struct state *st, u_int16_t type,
 	u_char
 		*r_hashval,     /* where in reply to jam hash value */
 		*r_hash_start;  /* start of what is to be hashed */
-		
+
 	msgid = generate_msgid(st);
-	
+
 	init_pbs(&reply, reply_buffer, sizeof(reply_buffer), "ISAKMP notify");
 
 	/* HDR* */
@@ -5134,7 +5389,9 @@ static stf_status send_isakmp_notification(struct state *st, u_int16_t type,
 		memcpy(hdr.isa_icookie, st->st_icookie, COOKIE_SIZE);
 		memcpy(hdr.isa_rcookie, st->st_rcookie, COOKIE_SIZE);
 		if (!out_struct(&hdr, &isakmp_hdr_desc, &reply, &rbody))
+		{
 			impossible();
+		}
 	}
 	/* HASH -- create and note space to be filled later */
 	START_HASH_PAYLOAD(rbody, ISAKMP_NEXT_N);
@@ -5147,22 +5404,32 @@ static stf_status send_isakmp_notification(struct state *st, u_int16_t type,
 		isan.isan_np = ISAKMP_NEXT_NONE;
 		isan.isan_doi = ISAKMP_DOI_IPSEC;
 		isan.isan_protoid = PROTO_ISAKMP;
-		isan.isan_spisize = COOKIE_SIZE * 2;  
+		isan.isan_spisize = COOKIE_SIZE * 2;
 		isan.isan_type = type;
 		if (!out_struct(&isan, &isakmp_notification_desc, &rbody, &notify_pbs))
+		{
 			return STF_INTERNAL_ERROR;
+		}
 		if (!out_raw(st->st_icookie, COOKIE_SIZE, &notify_pbs, "notify icookie"))
-			return STF_INTERNAL_ERROR;  
+		{
+			return STF_INTERNAL_ERROR;
+		}
 		if (!out_raw(st->st_rcookie, COOKIE_SIZE, &notify_pbs, "notify rcookie"))
-			return STF_INTERNAL_ERROR;  
+		{
+			return STF_INTERNAL_ERROR;
+		}
 		if (data != NULL && len > 0)
+		{
 			if (!out_raw(data, len, &notify_pbs, "notify data"))
-				return STF_INTERNAL_ERROR;    
+			{
+				return STF_INTERNAL_ERROR;
+			}
+		}
 		close_output_pbs(&notify_pbs);
 	}
-			
+
 	{
-		/* finish computing HASH */     
+		/* finish computing HASH */
 		chunk_t msgid_chunk = chunk_from_thing(msgid);
 		chunk_t msg_chunk = { r_hash_start, rbody.cur-r_hash_start };
 		pseudo_random_function_t prf_alg;
@@ -5197,8 +5464,10 @@ static stf_status send_isakmp_notification(struct state *st, u_int16_t type,
 
 		init_phase2_iv(st, &msgid);
 		if (!encrypt_message(&rbody, st))
+		{
 			return STF_INTERNAL_ERROR;
-	
+		}
+
 		/* restore preserved st_iv and st_new_iv */
 		memcpy(st->st_iv, old_iv, old_iv_len);
 		memcpy(st->st_new_iv, new_iv, new_iv_len);
@@ -5241,7 +5510,9 @@ void dpd_outI(struct state *p2st)
 
 	/* If no DPD, then get out of here */
 	if (!st->st_dpd)
+	{
 		return;
+	}
 
 	/* schedule the next periodic DPD event */
 	event_schedule(EVENT_DPD, delay, p2st);
@@ -5329,7 +5600,7 @@ dpd_inI_outR(struct state *st, struct isakmp_notification *const n, pb_stream *p
 	if (n->isan_spisize != COOKIE_SIZE * 2 || pbs_left(pbs) < COOKIE_SIZE * 2)
 	{
 		loglog(RC_LOG_SERIOUS, "DPD: R_U_THERE has invalid SPI length (%d)", n->isan_spisize);
-		return STF_FAIL + PAYLOAD_MALFORMED;
+		return STF_FAIL + ISAKMP_PAYLOAD_MALFORMED;
 	}
 
 	if (memcmp(pbs->cur, st->st_icookie, COOKIE_SIZE) != 0)
@@ -5338,7 +5609,7 @@ dpd_inI_outR(struct state *st, struct isakmp_notification *const n, pb_stream *p
 		/* Ignore it, cisco sends odd icookies */
 #else
 		loglog(RC_LOG_SERIOUS, "DPD: R_U_THERE has invalid icookie (broken Cisco?)");
-		return STF_FAIL + INVALID_COOKIE;
+		return STF_FAIL + ISAKMP_INVALID_COOKIE;
 #endif
 	}
 	pbs->cur += COOKIE_SIZE;
@@ -5346,7 +5617,7 @@ dpd_inI_outR(struct state *st, struct isakmp_notification *const n, pb_stream *p
 	if (memcmp(pbs->cur, st->st_rcookie, COOKIE_SIZE) != 0)
 	{
 		loglog(RC_LOG_SERIOUS, "DPD: R_U_THERE has invalid rcookie (broken Cisco?)");
-		return STF_FAIL + INVALID_COOKIE;
+		return STF_FAIL + ISAKMP_INVALID_COOKIE;
 	}
 	pbs->cur += COOKIE_SIZE;
 
@@ -5354,7 +5625,7 @@ dpd_inI_outR(struct state *st, struct isakmp_notification *const n, pb_stream *p
 	{
 		loglog(RC_LOG_SERIOUS, "DPD: R_U_THERE has invalid data length (%d)"
 			, (int) pbs_left(pbs));
-		return STF_FAIL + PAYLOAD_MALFORMED;
+		return STF_FAIL + ISAKMP_PAYLOAD_MALFORMED;
 	}
 
 	seqno = ntohl(*(u_int32_t *)pbs->cur);
@@ -5403,7 +5674,7 @@ stf_status dpd_inR(struct state *st, struct isakmp_notification *const n,
 		loglog(RC_LOG_SERIOUS
 			, "DPD: R_U_THERE_ACK has invalid SPI length (%d)"
 			, n->isan_spisize);
-		return STF_FAIL + PAYLOAD_MALFORMED;
+		return STF_FAIL + ISAKMP_PAYLOAD_MALFORMED;
 	}
 
 	if (memcmp(pbs->cur, st->st_icookie, COOKIE_SIZE) != 0)
@@ -5412,7 +5683,7 @@ stf_status dpd_inR(struct state *st, struct isakmp_notification *const n,
 		/* Ignore it, cisco sends odd icookies */
 #else
 		loglog(RC_LOG_SERIOUS, "DPD: R_U_THERE_ACK has invalid icookie");
-		return STF_FAIL + INVALID_COOKIE;
+		return STF_FAIL + ISAKMP_INVALID_COOKIE;
 #endif
 	}
 	pbs->cur += COOKIE_SIZE;
@@ -5423,7 +5694,7 @@ stf_status dpd_inR(struct state *st, struct isakmp_notification *const n,
 		/* Ignore it, cisco sends odd icookies */
 #else
 		loglog(RC_LOG_SERIOUS, "DPD: R_U_THERE_ACK has invalid rcookie");
-		return STF_FAIL + INVALID_COOKIE;
+		return STF_FAIL + ISAKMP_INVALID_COOKIE;
 #endif
 	}
 	pbs->cur += COOKIE_SIZE;
@@ -5433,7 +5704,7 @@ stf_status dpd_inR(struct state *st, struct isakmp_notification *const n,
 		loglog(RC_LOG_SERIOUS
 			, " DPD: R_U_THERE_ACK has invalid data length (%d)"
 			, (int) pbs_left(pbs));
-		return STF_FAIL + PAYLOAD_MALFORMED;
+		return STF_FAIL + ISAKMP_PAYLOAD_MALFORMED;
 	}
 
 	seqno = ntohl(*(u_int32_t *)pbs->cur);
@@ -5447,7 +5718,7 @@ stf_status dpd_inR(struct state *st, struct isakmp_notification *const n,
 		loglog(RC_LOG_SERIOUS
 			, "DPD: R_U_THERE_ACK has unexpected sequence number %u (expected %u)"
 			, seqno, st->st_dpd_expectseqno);
-		return STF_FAIL + PAYLOAD_MALFORMED;
+		return STF_FAIL + ISAKMP_PAYLOAD_MALFORMED;
 	}
 
 	st->st_dpd_expectseqno = 0;
@@ -5466,7 +5737,7 @@ void
 dpd_timeout(struct state *st)
 {
 	struct state *newest_phase1_st;
-	struct connection *c = st->st_connection;
+	connection_t *c = st->st_connection;
 	int action = st->st_connection->dpd_action;
 	char cname[BUF_LEN];
 
@@ -5501,14 +5772,18 @@ dpd_timeout(struct state *st)
 		 */
 		loglog(RC_LOG_SERIOUS, "DPD: Putting connection \"%s\" into %%trap", c->name);
 		if (c->kind == CK_INSTANCE)
+		{
 			delete_connection(c, TRUE);
+		}
 		break;
 	case DPD_ACTION_CLEAR:
 		/* dpdaction=clear - Wipe the SA & eroute - everything */
 		loglog(RC_LOG_SERIOUS, "DPD: Clearing connection \"%s\"", c->name);
 		unroute_connection(c);
 		if (c->kind == CK_INSTANCE)
+		{
 			delete_connection(c, TRUE);
+		}
 		break;
 	case DPD_ACTION_RESTART:
 		/* dpdaction=restart - Restart connection,
@@ -5521,7 +5796,9 @@ dpd_timeout(struct state *st)
 		strncpy(cname, c->name, BUF_LEN);
 
 		if (c->kind == CK_INSTANCE)
+		{
 			delete_connection(c, TRUE);
+		}
 		initiate_connection(cname, NULL_FD);
 		break;
 	default:
diff --git a/src/pluto/ipsec_doi.h b/src/pluto/ipsec_doi.h
index 2e242e903..c11edaa94 100644
--- a/src/pluto/ipsec_doi.h
+++ b/src/pluto/ipsec_doi.h
@@ -12,6 +12,11 @@
  * for more details.
  */
 
+#ifndef _IPSEC_DOI_H
+#define _IPSEC_DOI_H
+
+#include "defs.h"
+
 extern void echo_hdr(struct msg_digest *md, bool enc, u_int8_t np);
 
 extern void ipsecdoi_initiate(int whack_sock, struct connection *c
@@ -95,8 +100,9 @@ extern void dpd_timeout(struct state *st);
 			DBG_cond_dump(DBG_CRYPT, "received " hash_name ":", hash_pbs->cur, pbs_left(hash_pbs)); \
 			loglog(RC_LOG_SERIOUS, "received " hash_name " does not match computed value in " msg_name); \
 			/* XXX Could send notification back */ \
-			return STF_FAIL + INVALID_HASH_INFORMATION; \
+			return STF_FAIL + ISAKMP_INVALID_HASH_INFORMATION; \
 		} \
 	}
 
+#endif /* _IPSEC_DOI_H */
 
diff --git a/src/pluto/kernel.c b/src/pluto/kernel.c
index 46edac1cd..fe4655d3f 100644
--- a/src/pluto/kernel.c
+++ b/src/pluto/kernel.c
@@ -45,7 +45,6 @@
 
 #include "constants.h"
 #include "defs.h"
-#include "id.h"
 #include "connections.h"
 #include "state.h"
 #include "timer.h"
@@ -151,7 +150,7 @@ static void DBG_bare_shunt(const char *op, const struct bare_shunt *bs)
 struct eroute_info *orphaned_holds = NULL;
 
 /* forward declaration */
-static bool shunt_eroute(struct connection *c, struct spd_route *sr,
+static bool shunt_eroute(connection_t *c, struct spd_route *sr,
 						 enum routing_t rt_kind, unsigned int op,
 						 const char *opname);
 
@@ -347,14 +346,43 @@ ipsec_spi_t get_my_cpi(struct spd_route *sr, bool tunnel)
 	latest_cpi++;
 
 	if (latest_cpi == first_busy_cpi)
+	{
 		find_my_cpi_gap(&latest_cpi, &first_busy_cpi);
-
+	}
 	if (latest_cpi > IPCOMP_LAST_NEGOTIATED)
+	{
 		latest_cpi = IPCOMP_FIRST_NEGOTIATED;
-
+	}
 	return htonl((ipsec_spi_t)latest_cpi);
 }
 
+/* Replace the shell metacharacters ', \, ", `, and $ in a character string
+ * by escape sequences consisting of their octal values
+ */
+static void escape_metachar(const char *src, char *dst, size_t dstlen)
+{
+	while (*src != '\0' && dstlen > 4)
+	{
+		switch (*src)
+		{
+		case '\'':
+		case '\\':
+		case '"':
+		case '`':
+		case '$':
+			sprintf(dst,"\\%s%o", (*src < 64)?"0":"", *src);
+			dst += 4;
+			dstlen -= 4;
+			break;
+		default:
+			*dst++ = *src;
+			dstlen--;
+		}
+		src++;
+	}
+	*dst = '\0';
+}
+
 /* invoke the updown script to do the routing and firewall commands required
  *
  * The user-specified updown script is run.  Parameters are fed to it in
@@ -392,7 +420,7 @@ ipsec_spi_t get_my_cpi(struct spd_route *sr, bool tunnel)
 # define DEFAULT_UPDOWN "ipsec _updown"
 #endif
 
-static bool do_command(struct connection *c, struct spd_route *sr,
+static bool do_command(connection_t *c, struct spd_route *sr,
 					   const char *verb)
 {
 	char cmd[1536];     /* arbitrary limit on shell command length */
@@ -469,7 +497,7 @@ static bool do_command(struct connection *c, struct spd_route *sr,
 		}
 
 		addrtot(&sr->this.host_addr, 0, me_str, sizeof(me_str));
-		idtoa(&sr->this.id, myid_str, sizeof(myid_str));
+		snprintf(myid_str, sizeof(myid_str), "%Y", sr->this.id);
 		escape_metachar(myid_str, secure_myid_str, sizeof(secure_myid_str));
 		subnettot(&sr->this.client, 0, myclient_str, sizeof(myclientnet_str));
 		networkof(&sr->this.client, &ta);
@@ -478,7 +506,7 @@ static bool do_command(struct connection *c, struct spd_route *sr,
 		addrtot(&ta, 0, myclientmask_str, sizeof(myclientmask_str));
 
 		addrtot(&sr->that.host_addr, 0, peer_str, sizeof(peer_str));
-		idtoa(&sr->that.id, peerid_str, sizeof(peerid_str));
+		snprintf(peerid_str, sizeof(peerid_str), "%Y", sr->that.id);
 		escape_metachar(peerid_str, secure_peerid_str, sizeof(secure_peerid_str));
 		subnettot(&sr->that.client, 0, peerclient_str, sizeof(peerclientnet_str));
 		networkof(&sr->that.client, &ta);
@@ -492,11 +520,19 @@ static bool do_command(struct connection *c, struct spd_route *sr,
 			key_type_t type = key->public_key->get_type(key->public_key);
 			int pathlen;
 
-			if (type == KEY_RSA && same_id(&sr->that.id, &key->id) &&
+			if (type == KEY_RSA &&
+				sr->that.id->equals(sr->that.id, key->id) &&
 				trusted_ca(key->issuer, sr->that.ca, &pathlen))
 			{
-				dntoa_or_null(peerca_str, BUF_LEN, key->issuer, "");
-				escape_metachar(peerca_str, secure_peerca_str, sizeof(secure_peerca_str));
+				if (key->issuer)
+				{
+					snprintf(peerca_str, BUF_LEN, "%Y", key->issuer);	
+					escape_metachar(peerca_str, secure_peerca_str, BUF_LEN);
+				}
+				else
+				{
+					secure_peerca_str[0] = '\0';
+				}
 				break;
 			}
 		}
@@ -653,10 +689,10 @@ enum routability {
 	route_farconflict = 3
 };
 
-static enum routability could_route(struct connection *c)
+static enum routability could_route(connection_t *c)
 {
 	struct spd_route *esr, *rosr;
-	struct connection *ero      /* who, if anyone, owns our eroute? */
+	connection_t *ero      /* who, if anyone, owns our eroute? */
 		, *ro = route_owner(c, &rosr, &ero, &esr); /* who owns our route? */
 
 	/* it makes no sense to route a connection that is ISAKMP-only */
@@ -710,8 +746,8 @@ static enum routability could_route(struct connection *c)
 	/* if there is an eroute for another connection, there is a problem */
 	if (ero != NULL && ero != c)
 	{
-		struct connection *ero2, *ero_top;
-		struct connection *inside, *outside;
+		connection_t *ero2, *ero_top;
+		connection_t *inside, *outside;
 
 		/*
 		 * note, wavesec (PERMANENT) goes *outside* and
@@ -797,7 +833,7 @@ static enum routability could_route(struct connection *c)
 	return route_easy;
 }
 
-bool trap_connection(struct connection *c)
+bool trap_connection(connection_t *c)
 {
 	switch (could_route(c))
 	{
@@ -825,7 +861,7 @@ bool trap_connection(struct connection *c)
 /**
  * Delete any eroute for a connection and unroute it if route isn't shared
  */
-void unroute_connection(struct connection *c)
+void unroute_connection(connection_t *c)
 {
 	struct spd_route *sr;
 	enum routing_t cr;
@@ -847,7 +883,9 @@ void unroute_connection(struct connection *c)
 
 		/* only unroute if no other connection shares it */
 		if (routed(cr) && route_owner(c, NULL, NULL, NULL) == NULL)
+		{
 			(void) do_command(c, sr, "unroute");
+		}
 	}
 }
 
@@ -868,7 +906,7 @@ static void set_text_said(char *text_said, const ip_address *dst,
  * this allows the entry to be deleted.
  */
 static struct bare_shunt** bare_shunt_ptr(const ip_subnet *ours,
-										  const ip_subnet *his, 
+										  const ip_subnet *his,
 										  int transport_proto)
 {
 	struct bare_shunt *p, **pp;
@@ -942,8 +980,8 @@ static bool raw_eroute(const ip_address *this_host,
 					   const ip_subnet *this_client,
 					   const ip_address *that_host,
 					   const ip_subnet *that_client,
-		   			   ipsec_spi_t spi,
-		   			   unsigned int proto,
+					   ipsec_spi_t spi,
+					   unsigned int proto,
 					   unsigned int satype,
 					   unsigned int transport_proto,
 					   const struct pfkey_proto_info *proto_info,
@@ -1072,8 +1110,9 @@ static bool eroute_connection(struct spd_route *sr, ipsec_spi_t spi,
 			 , "eroute_connection %s", opname);
 
 	if (proto == SA_INT)
+	{
 		peer = aftoinfo(addrtypeof(peer))->any;
-
+	}
 	return raw_eroute(&sr->this.host_addr, &sr->this.client
 					  , peer
 					  , &sr->that.client
@@ -1083,7 +1122,7 @@ static bool eroute_connection(struct spd_route *sr, ipsec_spi_t spi,
 
 /* assign a bare hold to a connection */
 
-bool assign_hold(struct connection *c USED_BY_DEBUG, struct spd_route *sr,
+bool assign_hold(connection_t *c USED_BY_DEBUG, struct spd_route *sr,
 				 int transport_proto,
 				 const ip_address *src,
 				 const ip_address *dst)
@@ -1225,7 +1264,7 @@ static bool sag_eroute(struct state *st, struct spd_route *sr,
 
 /* compute a (host-order!) SPI to implement the policy in connection c */
 ipsec_spi_t
-shunt_policy_spi(struct connection *c, bool prospective)
+shunt_policy_spi(connection_t *c, bool prospective)
 {
 	/* note: these are in host order :-( */
 	static const ipsec_spi_t shunt_spi[] =
@@ -1256,7 +1295,7 @@ shunt_policy_spi(struct connection *c, bool prospective)
  * If negotiation has failed, the choice between %trap/%pass/%drop/%reject
  * is specified in the policy of connection c.
  */
-static bool shunt_eroute(struct connection *c, struct spd_route *sr,
+static bool shunt_eroute(connection_t *c, struct spd_route *sr,
 						 enum routing_t rt_kind,
 						 unsigned int op, const char *opname)
 {
@@ -1316,7 +1355,7 @@ static bool shunt_eroute(struct connection *c, struct spd_route *sr,
 	{
 		/* maybe we are uneclipsing something */
 		struct spd_route *esr;
-		struct connection *ue = eclipsed(c, &esr);
+		connection_t *ue = eclipsed(c, &esr);
 
 		if (ue != NULL)
 		{
@@ -1359,15 +1398,20 @@ static const char *read_proto(const char * s, size_t * len, int * transport_prot
 
 	l = *len;
 	p = memchr(s, ':', l);
-	if (p == 0) {
+	if (p == 0)
+	{
 		*transport_proto = 0;
 		return 0;
 	}
 	ugh = ttoul(p+1, l-((p-s)+1), 10, &proto);
 	if (ugh != 0)
+	{
 		return ugh;
+	}
 	if (proto > 65535)
+	{
 		return "protocol number is too large, legal range is 0-65535";
+	}
 	*len = p-s;
 	*transport_proto = proto;
 	return 0;
@@ -1429,7 +1473,9 @@ void scan_proc_shunts(void)
 
 	f = fopen(procname, "r");
 	if (f == NULL)
+	{
 		return;
+	}
 
 	/* for each line... */
 	for (lino = 1; ; lino++)
@@ -1445,7 +1491,9 @@ void scan_proc_shunts(void)
 
 		cp = fgets(buf, sizeof(buf), f);
 		if (cp == NULL)
+		{
 			break;
+		}
 
 		/* break out each field
 		 * Note: if there are too many fields, just stop;
@@ -1461,7 +1509,9 @@ void scan_proc_shunts(void)
 			field[fi] = chunk_create(cp, w);
 			cp += w;
 			if (w == 0)
+			{
 				break;
+			}
 		}
 
 		/* This odd do-hickey is to share error reporting code.
@@ -1473,9 +1523,13 @@ void scan_proc_shunts(void)
 			 * check if things are as they should be.
 			 */
 			if (fi == 5)
+			{
 				ff = &field[0]; /* old form, with no count */
+			}
 			else if (fi == 6)
+			{
 				ff = &field[1]; /* new form, with count */
+			}
 			else
 			{
 				ugh = "has wrong number of fields";
@@ -1501,7 +1555,9 @@ void scan_proc_shunts(void)
 				context = "count field is malformed: ";
 				ugh = ttoul(field[0].ptr, field[0].len, 10, &eri.count);
 				if (ugh != NULL)
+				{
 					break;
+				}
 			}
 
 			/* our client */
@@ -1509,21 +1565,27 @@ void scan_proc_shunts(void)
 			context = "source subnet field malformed: ";
 			ugh = ttosubnet(ff[0].ptr, ff[0].len, AF_INET, &eri.ours);
 			if (ugh != NULL)
+			{
 				break;
+			}
 
 			/* his client */
 
 			context = "destination subnet field malformed: ";
 			ugh = ttosubnet(ff[2].ptr, ff[2].len, AF_INET, &eri.his);
 			if (ugh != NULL)
+			{
 				break;
+			}
 
 			/* SAID */
 
 			context = "SA ID field malformed: ";
 			ugh = read_proto(ff[4].ptr, &ff[4].len, &eri.transport_proto);
 			if (ugh != NULL)
+			{
 				break;
+			}
 			ugh = ttosa(ff[4].ptr, ff[4].len, &eri.said);
 		} while (FALSE);
 
@@ -1666,7 +1728,7 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound)
 {
 	/* Build an inbound or outbound SA */
 
-	struct connection *c = st->st_connection;
+	connection_t *c = st->st_connection;
 	ip_subnet src, dst;
 	ip_subnet src_client, dst_client;
 	ipsec_spi_t inner_spi = 0;
@@ -1738,9 +1800,13 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound)
 
 			ipip_spi = htonl(++last_tunnel_spi);
 			if (inbound)
+			{
 				st->st_tunnel_in_spi = ipip_spi;
+			}
 			else
+			{
 				st->st_tunnel_out_spi = ipip_spi;
+			}
 		}
 
 		set_text_said(text_said
@@ -1797,10 +1863,10 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound)
 		said_next->text_said = text_said;
 
 		if (!kernel_ops->add_sa(said_next, replace))
+		{
 			goto fail;
-
+		}
 		said_next++;
-
 		encapsulation = ENCAPSULATION_MODE_TRANSPORT;
 	}
 
@@ -1861,7 +1927,7 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound)
 			if (ei == &esp_info[countof(esp_info)])
 			{
 				/* Check for additional kernel alg */
-				if ((ei=kernel_alg_esp_info(st->st_esp.attrs.transid, 
+				if ((ei=kernel_alg_esp_info(st->st_esp.attrs.transid,
 										st->st_esp.attrs.auth))!=NULL)
 				{
 					break;
@@ -1873,7 +1939,7 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound)
 				 * assuming the name will be found.
 				 */
 				loglog(RC_LOG_SERIOUS, "ESP transform %s / auth %s not implemented yet"
-					, enum_name(&esp_transformid_names, st->st_esp.attrs.transid)
+					, enum_name(&esp_transform_names, st->st_esp.attrs.transid)
 					, enum_name(&auth_alg_names, st->st_esp.attrs.auth));
 				goto fail;
 			}
@@ -1892,7 +1958,7 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound)
 			if (key_len > ei->enckeylen)
 			{
 				loglog(RC_LOG_SERIOUS, "ESP transform %s passed key_len=%d > %d",
-					enum_name(&esp_transformid_names, st->st_esp.attrs.transid),
+					enum_name(&esp_transform_names, st->st_esp.attrs.transid),
 					(int)key_len, (int)ei->enckeylen);
 				goto fail;
 			}
@@ -1906,7 +1972,7 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound)
 		{
 			case ESP_3DES:
 				/* 168 bits in kernel, need 192 bits for keymat_len */
-				if (key_len == 21) 
+				if (key_len == 21)
 				{
 					key_len = 24;
 				}
@@ -1914,7 +1980,7 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound)
 			case ESP_DES:
 				/* 56 bits in kernel, need 64 bits for keymat_len */
 				if (key_len == 7)
-				{ 
+				{
 					key_len = 8;
 				}
 				break;
@@ -1930,7 +1996,7 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound)
 				key_len += 4;
 				break;
 			default:
-				break;			
+				break;
 		}
 
 		/* divide up keying material */
@@ -2032,7 +2098,7 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound)
 		{
 			struct pfkey_proto_info proto_info[4];
 			int i = 0;
-			
+
 			if (st->st_ipcomp.present)
 			{
 				proto_info[i].proto = IPPROTO_COMP;
@@ -2040,7 +2106,7 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound)
 				proto_info[i].reqid = c->spd.reqid + 2;
 				i++;
 			}
-			
+
 			if (st->st_esp.present)
 			{
 				proto_info[i].proto = IPPROTO_ESP;
@@ -2048,7 +2114,7 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound)
 				proto_info[i].reqid = c->spd.reqid + 1;
 				i++;
 			}
-			
+
 			if (st->st_ah.present)
 			{
 				proto_info[i].proto = IPPROTO_AH;
@@ -2056,9 +2122,9 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound)
 				proto_info[i].reqid = c->spd.reqid;
 				i++;
 			}
-			
+
 			proto_info[i].proto = 0;
-			
+
 			if (kernel_ops->inbound_eroute
 				&& encapsulation == ENCAPSULATION_MODE_TUNNEL)
 			{
@@ -2068,7 +2134,7 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound)
 					proto_info[i].encapsulation = ENCAPSULATION_MODE_TRANSPORT;
 				}
 			}
-			
+
 			/* MCR - should be passed a spd_eroute structure here */
 			(void) raw_eroute(&c->spd.that.host_addr, &c->spd.that.client
 							  , &c->spd.this.host_addr, &c->spd.this.client
@@ -2079,11 +2145,11 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound)
 	}
 
 	/* If there are multiple SPIs, group them. */
-	
+
 	if (kernel_ops->grp_sa && said_next > &said[1])
 	{
 		struct kernel_sa *s;
-		
+
 		/* group SAs, two at a time, inner to outer (backwards in said[])
 		 * The grouping is by pairs.  So if said[] contains ah esp ipip,
 		 * the grouping would be ipip:esp, esp:ah.
@@ -2095,15 +2161,15 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound)
 				text_said1[SATOT_BUF];
 
 			/* group s[1] and s[0], in that order */
-			
+
 			set_text_said(text_said0, s[0].dst, s[0].spi, s[0].proto);
 			set_text_said(text_said1, s[1].dst, s[1].spi, s[1].proto);
-			
+
 			DBG(DBG_KLIPS, DBG_log("grouping %s and %s", text_said1, text_said0));
-			
+
 			s[0].text_said = text_said0;
 			s[1].text_said = text_said1;
-			
+
 			if (!kernel_ops->grp_sa(s + 1, s))
 			{
 				goto fail;
@@ -2135,7 +2201,7 @@ static bool teardown_half_ipsec_sa(struct state *st, bool inbound)
 	 * so deleting any one will do.  So we just delete the
 	 * first one found.  It may or may not be the only one.
 	 */
-	struct connection *c = st->st_connection;
+	connection_t *c = st->st_connection;
 	struct {
 		unsigned proto;
 		struct ipsec_proto_info *info;
@@ -2227,7 +2293,7 @@ bool get_sa_info(struct state *st, bool inbound, u_int *bytes, time_t *use_time)
 {
 	char text_said[SATOT_BUF];
 	struct kernel_sa sa;
-	struct connection *c = st->st_connection;
+	connection_t *c = st->st_connection;
 
 	*use_time = UNDEFINED_TIME;
 
@@ -2353,7 +2419,7 @@ void init_kernel(void)
  */
 bool install_inbound_ipsec_sa(struct state *st)
 {
-	struct connection *const c = st->st_connection;
+	connection_t *const c = st->st_connection;
 
 	/* If our peer has a fixed-address client, check if we already
 	 * have a route for that client that conflicts.  We will take this
@@ -2367,7 +2433,7 @@ bool install_inbound_ipsec_sa(struct state *st)
 		for (;;)
 		{
 			struct spd_route *esr;
-			struct connection *o = route_owner(c, &esr, NULL, NULL);
+			connection_t *o = route_owner(c, &esr, NULL, NULL);
 
 			if (o == NULL)
 			{
@@ -2417,20 +2483,20 @@ bool install_inbound_ipsec_sa(struct state *st)
  * Any SA Group must have already been created.
  * On failure, steps will be unwound.
  */
-bool route_and_eroute(struct connection *c USED_BY_KLIPS,
+bool route_and_eroute(connection_t *c USED_BY_KLIPS,
 					  struct spd_route *sr USED_BY_KLIPS,
 					  struct state *st USED_BY_KLIPS)
 {
 #ifdef KLIPS
 	struct spd_route *esr;
 	struct spd_route *rosr;
-	struct connection *ero      /* who, if anyone, owns our eroute? */
+	connection_t *ero      /* who, if anyone, owns our eroute? */
 		, *ro = route_owner(c, &rosr, &ero, &esr);
 	bool eroute_installed = FALSE
 		, firewall_notified = FALSE
 		, route_installed = FALSE;
 
-	struct connection *ero_top;
+	connection_t *ero_top;
 	struct bare_shunt **bspp;
 
 	DBG(DBG_CONTROLMORE,
@@ -2438,7 +2504,7 @@ bool route_and_eroute(struct connection *c USED_BY_KLIPS,
 				, c->name
 				, (c->policy_next ? c->policy_next->name : "none")
 				, ero ? ero->name : "null"
-				, esr 
+				, esr
 				, ro ? ro->name : "null"
 				, rosr
 				, st ? st->st_serialno : 0));
@@ -2472,11 +2538,14 @@ bool route_and_eroute(struct connection *c USED_BY_KLIPS,
 
 		/* if no state provided, then install a shunt for later */
 		if (st == NULL)
+		{
 			eroute_installed = shunt_eroute(c, sr, RT_ROUTED_PROSPECTIVE
 											, ERO_REPLACE, "replace");
+		}
 		else
+		{
 			eroute_installed = sag_eroute(st, sr, ERO_REPLACE, "replace");
-
+		}
 #if 0
 		/* XXX - MCR. I previously felt that this was a bogus check */
 		if (ero != NULL && ero != c && esr != sr)
@@ -2588,7 +2657,7 @@ bool route_and_eroute(struct connection *c USED_BY_KLIPS,
 		else if (ero != NULL && ero != c)
 		{
 			/* check if ero is an ancestor of c. */
-			struct connection *ero2;
+			connection_t *ero2;
 
 			for (ero2 = c; ero2 != NULL && ero2 != c; ero2 = ero2->policy_next)
 				;
@@ -2788,7 +2857,7 @@ void delete_ipsec_sa(struct state *st USED_BY_KLIPS,
 		/* If the state is the eroute owner, we must adjust
 		 * the routing for the connection.
 		 */
-		struct connection *c = st->st_connection;
+		connection_t *c = st->st_connection;
 		struct spd_route *sr;
 
 		passert(st->st_connection);
@@ -2837,9 +2906,9 @@ void delete_ipsec_sa(struct state *st USED_BY_KLIPS,
 #ifdef KLIPS
 static bool update_nat_t_ipsec_esp_sa (struct state *st, bool inbound)
 {
-	struct connection *c = st->st_connection;
+	connection_t *c = st->st_connection;
 	char text_said[SATOT_BUF];
-	struct kernel_sa sa;        
+	struct kernel_sa sa;
 	ip_address
 		src = inbound? c->spd.that.host_addr : c->spd.this.host_addr,
 		dst = inbound? c->spd.this.host_addr : c->spd.that.host_addr;
@@ -2924,7 +2993,7 @@ bool was_eroute_idle(struct state *st, time_t idle_max, time_t *idle_time)
 			ret = *idle_time >= idle_max;
 		}
 	}
-	else 
+	else
 	{
 		while (f != NULL)
 		{
diff --git a/src/pluto/kernel_alg.c b/src/pluto/kernel_alg.c
index 7e7d25872..bf67315e6 100644
--- a/src/pluto/kernel_alg.c
+++ b/src/pluto/kernel_alg.c
@@ -90,7 +90,7 @@ static struct sadb_alg* sadb_alg_ptr (int satype, int exttype, int alg_id,
 	default:
 		return NULL;
 	}
-	
+
 	return alg_p;
 }
 
@@ -154,7 +154,7 @@ bool kernel_alg_esp_enc_ok(u_int alg_id, u_int key_len,
 	if (!ret) goto out;
 
 	alg_p = &esp_ealg[alg_id];
-	
+
 	/*
 	 * test #2: if key_len specified, it must be in range
 	 */
@@ -195,8 +195,8 @@ out:
 	return ret;
 }
 
-/* 
- * ML: make F_STRICT logic consider enc,auth algorithms 
+/*
+ * ML: make F_STRICT logic consider enc,auth algorithms
  */
 bool kernel_alg_esp_ok_final(u_int ealg, u_int key_len, u_int aalg,
 							 struct alg_info_esp *alg_info)
@@ -237,14 +237,14 @@ bool kernel_alg_esp_ok_final(u_int ealg, u_int key_len, u_int aalg,
 					{
 						loglog(RC_LOG_SERIOUS
 							, "You should NOT use insecure ESP algorithms [%s (%d)]!"
-							, enum_name(&esp_transformid_names, ealg), key_len);
+							, enum_name(&esp_transform_names, ealg), key_len);
 					}
 					return TRUE;
 				}
 			}
 		}
 		plog("IPSec Transform [%s (%d), %s] refused due to %s",
-				enum_name(&esp_transformid_names, ealg), key_len,
+				enum_name(&esp_transform_names, ealg), key_len,
 				enum_name(&auth_alg_names, aalg),
 				ealg_insecure ? "insecure key_len and enc. alg. not listed in \"esp\" string" : "strict flag");
 		return FALSE;
@@ -252,7 +252,7 @@ bool kernel_alg_esp_ok_final(u_int ealg, u_int key_len, u_int aalg,
 	return TRUE;
 }
 
-/**      
+/**
  * Load kernel_alg arrays from /proc used in manual mode from klips/utils/spi.c
  */
 int kernel_alg_proc_read(void)
@@ -312,7 +312,7 @@ int kernel_alg_proc_read(void)
 	return 0;
 }
 
-/**     
+/**
  * Load kernel_alg arrays pluto's SADB_REGISTER user by pluto/kernel.c
  */
 void kernel_alg_register_pfkey(const struct sadb_msg *msg_buf, int buflen)
@@ -380,6 +380,7 @@ void kernel_alg_register_pfkey(const struct sadb_msg *msg_buf, int buflen)
 			)
 			/* if AES_CBC is registered then also register AES_CCM and AES_GCM */
 			if (satype == SADB_SATYPE_ESP &&
+				supp_exttype == SADB_EXT_SUPPORTED_ENCRYPT &&
 				sadb.alg->sadb_alg_id == SADB_X_EALG_AESCBC)
 			{
 				struct sadb_alg alg = *sadb.alg;
@@ -395,6 +396,16 @@ void kernel_alg_register_pfkey(const struct sadb_msg *msg_buf, int buflen)
 					}
 				}
 			}
+			/* if SHA2_256 is registered then also register SHA2_256_96 */
+			if (satype == SADB_SATYPE_ESP &&
+				supp_exttype == SADB_EXT_SUPPORTED_AUTH &&
+				sadb.alg->sadb_alg_id == SADB_X_AALG_SHA2_256HMAC)
+			{
+				struct sadb_alg alg = *sadb.alg;
+
+				alg.sadb_alg_id = SADB_X_AALG_SHA2_256_96HMAC;
+				kernel_alg_add(satype, supp_exttype, &alg);
+			}
 		}
 	}
 }
@@ -422,7 +433,7 @@ u_int kernel_alg_esp_enc_keylen(u_int alg_id)
 			break;
 	}
 
-none:   
+none:
 	DBG(DBG_KLIPS,
 		DBG_log("kernel_alg_esp_enc_keylen(): alg_id=%d, keylen=%d",
 				alg_id, keylen)
@@ -461,7 +472,7 @@ void kernel_alg_list(void)
 		if (ESP_EALG_PRESENT(sadb_id))
 		{
 			n = snprintf(pos, len, " %s",
-						 enum_name(&esp_transformid_names, sadb_id));
+						 enum_name(&esp_transform_names, sadb_id));
 			pos += n;
 			len -= n;
 			if (len <= 0)
@@ -471,7 +482,7 @@ void kernel_alg_list(void)
 		}
 	}
 	whack_log(RC_COMMENT, "  encryption:%s", buf);
-	
+
 	pos = buf;
 	*pos = '\0';
 	len = BUF_LEN;
@@ -493,7 +504,7 @@ void kernel_alg_list(void)
 	whack_log(RC_COMMENT, "  integrity: %s", buf);
 }
 
-void kernel_alg_show_connection(struct connection *c, const char *instance)
+void kernel_alg_show_connection(connection_t *c, const char *instance)
 {
 	struct state *st = state_with_serialno(c->newest_ipsec_sa);
 
@@ -502,12 +513,12 @@ void kernel_alg_show_connection(struct connection *c, const char *instance)
 		const char *aalg_name, *pfsgroup_name;
 
 		aalg_name = (c->policy & POLICY_AUTHENTICATE) ?
-					enum_show(&ah_transformid_names, st->st_ah.attrs.transid):
+					enum_show(&ah_transform_names, st->st_ah.attrs.transid):
 					enum_show(&auth_alg_names, st->st_esp.attrs.auth);
 
 		pfsgroup_name = (c->policy & POLICY_PFS) ?
-						(c->alg_info_esp->esp_pfsgroup) ?
-							enum_show(&oakley_group_names, 
+						(c->alg_info_esp && c->alg_info_esp->esp_pfsgroup) ?
+							enum_show(&oakley_group_names,
 										  c->alg_info_esp->esp_pfsgroup) :
 							"<Phase1>" : "<N/A>";
 
@@ -516,7 +527,7 @@ void kernel_alg_show_connection(struct connection *c, const char *instance)
 			whack_log(RC_COMMENT, "\"%s\"%s:   ESP%s proposal: %s_%u/%s/%s",
 				c->name, instance,
 				(st->st_ah.present) ? "/AH" : "",
-				enum_show(&esp_transformid_names, st->st_esp.attrs.transid),
+				enum_show(&esp_transform_names, st->st_esp.attrs.transid),
 				st->st_esp.attrs.key_len, aalg_name, pfsgroup_name);
 		}
 		else
@@ -524,7 +535,7 @@ void kernel_alg_show_connection(struct connection *c, const char *instance)
 			whack_log(RC_COMMENT, "\"%s\"%s:   ESP%s proposal: %s/%s/%s",
 				c->name, instance,
 				(st->st_ah.present) ? "/AH" : "",
-				enum_show(&esp_transformid_names, st->st_esp.attrs.transid),
+				enum_show(&esp_transform_names, st->st_esp.attrs.transid),
 				aalg_name, pfsgroup_name);
 		}
 	}
@@ -634,7 +645,7 @@ static bool kernel_alg_db_add(struct db_context *db_ctx,
 		DBG_log("kernel_alg_db_add() kernel enc ealg_id=%d not present", ealg_id);
 		return FALSE;
 	}
-	
+
 	if (!(policy & POLICY_AUTHENTICATE) &&    /* skip ESP auth attrs for AH */
 		esp_info->esp_aalg_id != AUTH_ALGORITHM_NONE)
 	{
@@ -666,11 +677,11 @@ static bool kernel_alg_db_add(struct db_context *db_ctx,
 	{
 		db_attr_add_values(db_ctx, KEY_LENGTH, esp_info->esp_ealg_keylen);
 	}
-		
+
 	return TRUE;
 }
 
-/*      
+/*
  *      Create proposal with runtime kernel algos, merging
  *      with passed proposal if not NULL
  *
@@ -694,12 +705,6 @@ struct db_context* kernel_alg_db_new(struct alg_info_esp *alg_info,
 	/* pass aprox. number of transforms and attributes */
 	ctx_new = db_prop_new(PROTO_IPSEC_ESP, trans_cnt, trans_cnt * 2);
 
-	/*
-	 * Loop: for each element (struct esp_info) of alg_info,
-	 *       if kernel support is present then build the transform (and attrs)
-	 *       if NULL alg_info, propose everything ...
-	 */
-
 	if (alg_info)
 	{
 		int i;
@@ -710,28 +715,6 @@ struct db_context* kernel_alg_db_new(struct alg_info_esp *alg_info,
 			kernel_alg_db_add(ctx_new, &tmp_esp_info, policy);
 		}
 	}
-	else
-	{
-		u_int ealg_id;
-		
-		ESP_EALG_FOR_EACH_UPDOWN(ealg_id)
-		{
-			u_int aalg_id;
-
-			tmp_esp_info.esp_ealg_id = ealg_id;
-			tmp_esp_info.esp_ealg_keylen = 0;
-
-			for (aalg_id = 1; aalg_id <= SADB_AALG_MAX; aalg_id++)
-			{
-				if (ESP_AALG_PRESENT(aalg_id))
-				{
-					tmp_esp_info.esp_aalg_id = alg_info_esp_sadb2aa(aalg_id);
-					tmp_esp_info.esp_aalg_keylen = 0;
-					kernel_alg_db_add(ctx_new, &tmp_esp_info, policy);
-				}
-			}
-		}
-	}
 	prop = db_prop_get(ctx_new);
 	return ctx_new;
 }
diff --git a/src/pluto/kernel_netlink.c b/src/pluto/kernel_netlink.c
index 0376e817b..289714b50 100644
--- a/src/pluto/kernel_netlink.c
+++ b/src/pluto/kernel_netlink.c
@@ -40,6 +40,11 @@
 #include "whack.h"      /* for RC_LOG_SERIOUS */
 #include "kernel_alg.h"
 
+/** required for Linux 2.6.26 kernel and later */
+#ifndef XFRM_STATE_AF_UNSPEC
+#define XFRM_STATE_AF_UNSPEC	32
+#endif
+
 /* Minimum priority number in SPD used by pluto. */
 #define MIN_SPD_PRIORITY 1024
 
@@ -80,15 +85,15 @@ static sparse_names xfrm_type_names = {
 
 /* Authentication algorithms */
 static sparse_names aalg_list = {
-	{ SADB_X_AALG_NULL,          "digest_null" },
-	{ SADB_AALG_MD5HMAC,         "md5" },
-	{ SADB_AALG_SHA1HMAC,        "sha1" },
-	{ SADB_X_AALG_SHA2_256HMAC,  "sha256" },
-	{ SADB_X_AALG_SHA2_384HMAC,  "sha384" },
-	{ SADB_X_AALG_SHA2_512HMAC,  "sha512" },
-	{ SADB_X_AALG_RIPEMD160HMAC, "ripemd160" },
-	{ SADB_X_AALG_AES_XCBC_MAC,  "xcbc(aes)"},
-	{ SADB_X_AALG_NULL,          "null" },
+	{ SADB_X_AALG_NULL,            "digest_null" },
+	{ SADB_AALG_MD5HMAC,           "md5" },
+	{ SADB_AALG_SHA1HMAC,          "sha1" },
+	{ SADB_X_AALG_SHA2_256_96HMAC, "sha256" },
+	{ SADB_X_AALG_SHA2_256HMAC,    "hmac(sha256)" },
+	{ SADB_X_AALG_SHA2_384HMAC,    "hmac(sha384)" },
+	{ SADB_X_AALG_SHA2_512HMAC,    "hmac(sha512)" },
+	{ SADB_X_AALG_RIPEMD160HMAC,   "ripemd160" },
+	{ SADB_X_AALG_AES_XCBC_MAC,    "xcbc(aes)"},
 	{ 0, sparse_end }
 };
 
@@ -183,7 +188,7 @@ static void init_netlink(void)
  * @param hdr - Data to be sent.
  * @param rbuf - Return Buffer - contains data returned from the send.
  * @param rbuf_len - Length of rbuf
- * @param description - String - user friendly description of what is 
+ * @param description - String - user friendly description of what is
  *                      being attempted.  Used for diagnostics
  * @param text_said - String
  * @return bool True if the message was succesfully sent.
@@ -343,6 +348,7 @@ static bool netlink_policy(struct nlmsghdr *hdr, bool enoent_ok,
 	struct {
 		struct nlmsghdr n;
 		struct nlmsgerr e;
+		char data[1024];
 	} rsp;
 	int error;
 
@@ -382,7 +388,7 @@ static bool netlink_policy(struct nlmsghdr *hdr, bool enoent_ok,
  * @param proto int (Currently unused) Contains protocol (u=tcp, 17=udp, etc...)
  * @param transport_proto int (Currently unused) 0=tunnel, 1=transport
  * @param satype int
- * @param proto_info 
+ * @param proto_info
  * @param lifetime (Currently unused)
  * @param ip int
  * @return boolean True if successful
@@ -518,9 +524,9 @@ static bool netlink_raw_eroute(const ip_address *this_host
 			tmpl[i].optional =
 				proto_info[i].proto == IPPROTO_COMP && dir != XFRM_POLICY_OUT;
 			tmpl[i].aalgos = tmpl[i].ealgos = tmpl[i].calgos = ~0;
+			tmpl[i].family = that_host->u.v4.sin_family;
 			tmpl[i].mode =
 				proto_info[i].encapsulation == ENCAPSULATION_MODE_TUNNEL;
-
 			if (!tmpl[i].mode)
 			{
 				continue;
@@ -590,7 +596,7 @@ static bool netlink_add_sa(const struct kernel_sa *sa, bool replace)
 		char data[1024];
 	} req;
 	struct rtattr *attr;
-	u_int16_t icv_size = 64;	
+	u_int16_t icv_size = 64;
 
 	memset(&req, 0, sizeof(req));
 	req.n.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
@@ -602,7 +608,15 @@ static bool netlink_add_sa(const struct kernel_sa *sa, bool replace)
 	req.p.id.spi = sa->spi;
 	req.p.id.proto = satype2proto(sa->satype);
 	req.p.family = sa->src->u.v4.sin_family;
-	req.p.mode = (sa->encapsulation == ENCAPSULATION_MODE_TUNNEL);
+	if (sa->encapsulation == ENCAPSULATION_MODE_TUNNEL)
+	{
+		req.p.mode = XFRM_MODE_TUNNEL;
+		req.p.flags |= XFRM_STATE_AF_UNSPEC;
+	}
+	else
+	{
+		req.p.mode = XFRM_MODE_TRANSPORT;
+	}
 	req.p.replay_window = sa->replay_window;
 	req.p.reqid = sa->reqid;
 	req.p.lft.soft_byte_limit = XFRM_INF;
@@ -616,7 +630,6 @@ static bool netlink_add_sa(const struct kernel_sa *sa, bool replace)
 
 	if (sa->authalg)
 	{
-		struct xfrm_algo algo;
 		const char *name;
 
 		name = sparse_name(aalg_list, sa->authalg);
@@ -632,16 +645,37 @@ static bool netlink_add_sa(const struct kernel_sa *sa, bool replace)
 					sa->authkeylen * BITS_PER_BYTE)
 			)
 
-		strcpy(algo.alg_name, name);
-		algo.alg_key_len = sa->authkeylen * BITS_PER_BYTE;
+		if (sa->authalg == SADB_X_AALG_SHA2_256HMAC)
+		{
+			struct xfrm_algo_auth algo;
 
-		attr->rta_type = XFRMA_ALG_AUTH;
-		attr->rta_len = RTA_LENGTH(sizeof(algo) + sa->authkeylen);
+			/* the kernel uses SHA256 with 96 bit truncation by default,
+			 * use specified truncation size supported by newer kernels */
+			strcpy(algo.alg_name, name);
+			algo.alg_key_len = sa->authkeylen * BITS_PER_BYTE;
+			algo.alg_trunc_len = 128;
 
-		memcpy(RTA_DATA(attr), &algo, sizeof(algo));
-		memcpy((char *)RTA_DATA(attr) + sizeof(algo), sa->authkey
-			, sa->authkeylen);
+			attr->rta_type = XFRMA_ALG_AUTH_TRUNC;
+			attr->rta_len = RTA_LENGTH(sizeof(algo) + sa->authkeylen);
+
+			memcpy(RTA_DATA(attr), &algo, sizeof(algo));
+			memcpy((char *)RTA_DATA(attr) + sizeof(algo), sa->authkey
+				, sa->authkeylen);
+		}
+		else
+		{
+			struct xfrm_algo algo;
+
+			strcpy(algo.alg_name, name);
+			algo.alg_key_len = sa->authkeylen * BITS_PER_BYTE;
 
+			attr->rta_type = XFRMA_ALG_AUTH;
+			attr->rta_len = RTA_LENGTH(sizeof(algo) + sa->authkeylen);
+
+			memcpy(RTA_DATA(attr), &algo, sizeof(algo));
+			memcpy((char *)RTA_DATA(attr) + sizeof(algo), sa->authkey
+				, sa->authkeylen);
+		}
 		req.n.nlmsg_len += attr->rta_len;
 		attr = (struct rtattr *)((char *)attr + attr->rta_len);
 	}
@@ -674,19 +708,19 @@ static bool netlink_add_sa(const struct kernel_sa *sa, bool replace)
 			}
 			DBG(DBG_CRYPT,
 				DBG_log("configured esp encryption algorithm %s with key size %d",
-						enum_show(&esp_transformid_names, sa->encalg),
+						enum_show(&esp_transform_names, sa->encalg),
 						sa->enckeylen * BITS_PER_BYTE)
 			)
 			attr->rta_type = XFRMA_ALG_AEAD;
 			attr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo_aead) + sa->enckeylen);
 			req.n.nlmsg_len += attr->rta_len;
-			
+
 			algo = (struct xfrm_algo_aead*)RTA_DATA(attr);
 			algo->alg_key_len = sa->enckeylen * BITS_PER_BYTE;
 			algo->alg_icv_len = icv_size;
 			strcpy(algo->alg_name, name);
 			memcpy(algo->alg_key, sa->enckey, sa->enckeylen);
-			
+
 			attr = (struct rtattr *)((char *)attr + attr->rta_len);
 			break;
 		}
@@ -704,7 +738,7 @@ static bool netlink_add_sa(const struct kernel_sa *sa, bool replace)
 			}
 			DBG(DBG_CRYPT,
 				DBG_log("configured esp encryption algorithm %s with key size %d",
-						enum_show(&esp_transformid_names, sa->encalg),
+						enum_show(&esp_transform_names, sa->encalg),
 						sa->enckeylen * BITS_PER_BYTE)
 			)
 			attr->rta_type = XFRMA_ALG_CRYPT;
@@ -962,7 +996,7 @@ static void linux_pfkey_register(void)
 
 /** Create ip_address out of xfrm_address_t.
  *
- * @param family 
+ * @param family
  * @param src xfrm formatted IP address
  * @param dst ip_address formatted destination
  * @return err_t NULL if okay, otherwise an error
@@ -1001,7 +1035,7 @@ static err_t xfrm_sel_to_ip_pair(const struct xfrm_selector *sel,
 
 	if ((ugh = xfrm_to_ip_address(family, &sel->saddr, src))
 		|| (ugh = xfrm_to_ip_address(family, &sel->daddr, dst)))
-	{	
+	{
 		return ugh;
 	}
 
diff --git a/src/pluto/kernel_noklips.c b/src/pluto/kernel_noklips.c
index 82a6ab648..e99efe062 100644
--- a/src/pluto/kernel_noklips.c
+++ b/src/pluto/kernel_noklips.c
@@ -107,7 +107,7 @@ noklips_del_sa(const struct kernel_sa *sa UNUSED)
 const struct kernel_ops noklips_kernel_ops = {
 		type: KERNEL_TYPE_NONE,
 		async_fdp: NULL,
-		
+
 		init: init_noklips,
 		pfkey_register: noklips_register,
 		pfkey_register_response: noklips_register_response,
diff --git a/src/pluto/kernel_pfkey.c b/src/pluto/kernel_pfkey.c
index 7ac405fd4..99ba4ff30 100644
--- a/src/pluto/kernel_pfkey.c
+++ b/src/pluto/kernel_pfkey.c
@@ -73,7 +73,7 @@ static sparse_names pfkey_type_names = {
 		NE(SADB_X_DELFLOW),
 		NE(SADB_X_DEBUG),
 		NE(SADB_X_NAT_T_NEW_MAPPING),
-		NE(SADB_MAX),   
+		NE(SADB_MAX),
 		{ 0, sparse_end }
 };
 
@@ -531,7 +531,7 @@ pfkeyext_protocol(int transport_proto
 , const char *text_said
 , struct sadb_ext *extensions[SADB_EXT_MAX + 1])
 {
-	return (transport_proto == 0)? TRUE 
+	return (transport_proto == 0)? TRUE
 		: pfkey_build(
 			pfkey_x_protocol_build(extensions + SADB_X_EXT_PROTOCOL, transport_proto)
 			, description, text_said, extensions);
diff --git a/src/pluto/keys.c b/src/pluto/keys.c
index 516872e8e..8cf28ace1 100644
--- a/src/pluto/keys.c
+++ b/src/pluto/keys.c
@@ -36,12 +36,11 @@
 
 #include <library.h>
 #include <asn1/asn1.h>
+#include <credentials/certificates/pgp_certificate.h>
 
 #include "constants.h"
 #include "defs.h"
-#include "id.h"
 #include "x509.h"
-#include "pgpcert.h"
 #include "certs.h"
 #include "smartcard.h"
 #include "connections.h"
@@ -61,7 +60,7 @@ const char *shared_secrets_file = SHARED_SECRETS_FILE;
 typedef struct id_list id_list_t;
 
 struct id_list {
-	struct id id;
+	identification_t *id;
 	id_list_t *next;
 };
 
@@ -84,9 +83,9 @@ struct secret {
  */
 static void free_public_key(pubkey_t *pk)
 {
+	DESTROY_IF(pk->id);
 	DESTROY_IF(pk->public_key);
-	free_id_content(&pk->id);
-	free(pk->issuer.ptr);
+	DESTROY_IF(pk->issuer);
 	free(pk->serial.ptr);
 	free(pk);
 }
@@ -97,7 +96,7 @@ secret_t *secrets = NULL;
  * me and the peer.  We match the Id (if none, the IP address).
  * Failure is indicated by a NULL.
  */
-static const secret_t* get_secret(const struct connection *c,
+static const secret_t* get_secret(const connection_t *c,
 								  enum PrivateKeyKind kind, bool asym)
 {
 	enum {      /* bits */
@@ -109,14 +108,14 @@ static const secret_t* get_secret(const struct connection *c,
 	unsigned int best_match = 0;
 	secret_t *best = NULL;
 	secret_t *s;
-	const struct id *my_id  = &c->spd.this.id
-				  , *his_id = &c->spd.that.id;
-	struct id rw_id;
+	identification_t *my_id, *his_id;
 
 	/* is there a certificate assigned to this connection? */
-	if (kind == PPK_PUBKEY && c->spd.this.cert.type != CERT_NONE)
+	if (kind == PPK_PUBKEY && c->spd.this.cert)
 	{
-		public_key_t *pub_key = cert_get_public_key(c->spd.this.cert);
+		certificate_t *certificate = c->spd.this.cert->cert;
+
+		public_key_t *pub_key = certificate->get_public_key(certificate);
 
 		for (s = secrets; s != NULL; s = s->next)
 		{
@@ -127,26 +126,28 @@ static const secret_t* get_secret(const struct connection *c,
 				break; /* we have found the private key - no sense in searching further */
 			}
 		}
+		pub_key->destroy(pub_key);
 		return best;
 	}
 
+	my_id  = c->spd.this.id;
+
 	if (his_id_was_instantiated(c))
 	{
 		/* roadwarrior: replace him with 0.0.0.0 */
-		rw_id.kind = c->spd.that.id.kind;
-		rw_id.name = chunk_empty;
-		happy(anyaddr(addrtypeof(&c->spd.that.host_addr), &rw_id.ip_addr));
-		his_id = &rw_id;
+		his_id = identification_create_from_string("%any");
 	}
-	else if (kind == PPK_PSK
-	&& (c->policy & (POLICY_PSK | POLICY_XAUTH_PSK))
-	&& ((c->kind == CK_TEMPLATE && c->spd.that.id.kind == ID_ANY) ||
-		(c->kind == CK_INSTANCE && id_is_ipaddr(&c->spd.that.id))))
+	else if (kind == PPK_PSK && (c->policy & (POLICY_PSK | POLICY_XAUTH_PSK)) &&
+		((c->kind == CK_TEMPLATE &&
+		 c->spd.that.id->get_type(c->spd.that.id) == ID_ANY) ||
+		(c->kind == CK_INSTANCE && id_is_ipaddr(c->spd.that.id))))
 	{
 		/* roadwarrior: replace him with 0.0.0.0 */
-		rw_id.kind = ID_IPV4_ADDR;
-		happy(anyaddr(addrtypeof(&c->spd.that.host_addr), &rw_id.ip_addr));
-		his_id = &rw_id;
+		his_id = identification_create_from_string("%any");
+	}
+	else
+	{
+		his_id = c->spd.that.id->clone(c->spd.that.id);
 	}
 
 	for (s = secrets; s != NULL; s = s->next)
@@ -169,11 +170,11 @@ static const secret_t* get_secret(const struct connection *c,
 
 				for (i = s->ids; i != NULL; i = i->next)
 				{
-					if (same_id(my_id, &i->id))
+					if (my_id->equals(my_id, i->id))
 					{
 						match |= match_me;
 					}
-					if (same_id(his_id, &i->id))
+					if (his_id->equals(his_id, i->id))
 					{
 						match |= match_him;
 					}
@@ -239,6 +240,7 @@ static const secret_t* get_secret(const struct connection *c,
 			}
 		}
 	}
+	his_id->destroy(his_id);
 	return best;
 }
 
@@ -246,7 +248,7 @@ static const secret_t* get_secret(const struct connection *c,
  * Failure is indicated by a NULL pointer.
  * Note: the result is not to be freed by the caller.
  */
-const chunk_t* get_preshared_secret(const struct connection *c)
+const chunk_t* get_preshared_secret(const connection_t *c)
 {
 	const secret_t *s = get_secret(c, PPK_PSK, FALSE);
 
@@ -262,11 +264,11 @@ const chunk_t* get_preshared_secret(const struct connection *c)
 /* check the existence of a private key matching a public key contained
  * in an X.509 or OpenPGP certificate
  */
-bool has_private_key(cert_t cert)
+bool has_private_key(cert_t *cert)
 {
 	secret_t *s;
 	bool has_key = FALSE;
-	public_key_t *pub_key = cert_get_public_key(cert);
+	public_key_t *pub_key = cert->cert->get_public_key(cert->cert);
 
 	for (s = secrets; s != NULL; s = s->next)
 	{
@@ -277,31 +279,37 @@ bool has_private_key(cert_t cert)
 			break;
 		}
 	}
+	pub_key->destroy(pub_key);
 	return has_key;
 }
 
 /*
  * get the matching private key belonging to a given X.509 certificate
  */
-private_key_t* get_x509_private_key(const x509cert_t *cert)
+private_key_t* get_x509_private_key(const cert_t *cert)
 {
+	public_key_t *public_key = cert->cert->get_public_key(cert->cert);
+	private_key_t *private_key = NULL;
 	secret_t *s;
 
 	for (s = secrets; s != NULL; s = s->next)
 	{
+
 		if (s->kind == PPK_PUBKEY &&
-			s->u.private_key->belongs_to(s->u.private_key, cert->public_key))
+			s->u.private_key->belongs_to(s->u.private_key, public_key))
 		{
-			return s->u.private_key;
+			private_key = s->u.private_key;
+			break;
 		}
 	}
-	return NULL;
+	public_key->destroy(public_key);
+	return private_key;
 }
 
 /* find the appropriate private key (see get_secret).
  * Failure is indicated by a NULL pointer.
  */
-private_key_t* get_private_key(const struct connection *c)
+private_key_t* get_private_key(const connection_t *c)
 {
 	const secret_t *s = get_secret(c, PPK_PUBKEY, TRUE);
 
@@ -392,7 +400,7 @@ enum rsa_private_key_part_t {
 	RSA_PART_EXPONENT1        = 5,
 	RSA_PART_EXPONENT2        = 6,
 	RSA_PART_COEFFICIENT      = 7
-}; 
+};
 
 const char *rsa_private_key_part_names[] = {
 	"Modulus",
@@ -408,20 +416,17 @@ const char *rsa_private_key_part_names[] = {
 /**
  * Parse fields of an RSA private key in BIND 8.2's representation
  * consistiong of a braced list of keyword and value pairs in required order.
- * Conversion into ASN.1 DER encoded PKCS#1 representation.
  */
 static err_t process_rsa_secret(private_key_t **key)
 {
-	chunk_t asn1_chunk[countof(rsa_private_key_part_names)];
-	chunk_t pkcs1_chunk;
+	chunk_t rsa_chunk[countof(rsa_private_key_part_names)];
 	u_char buf[RSA_MAX_ENCODING_BYTES];   /* limit on size of binary representation of key */
 	rsa_private_key_part_t part, p;
-	size_t sz, len = 0;
+	size_t sz;
 	err_t ugh;
 
 	for (part = RSA_PART_MODULUS; part <= RSA_PART_COEFFICIENT; part++)
 	{
-		chunk_t rsa_private_key_part;
 		const char *keyword = rsa_private_key_part_names[part];
 
 		if (!shift())
@@ -448,9 +453,8 @@ static err_t process_rsa_secret(private_key_t **key)
 			part++;
 			goto end;
 		}
-		rsa_private_key_part = chunk_create(buf, sz);
-		asn1_chunk[part] = asn1_integer("c", rsa_private_key_part);
-		len += asn1_chunk[part].len;
+		rsa_chunk[part] = chunk_create(buf, sz);
+		rsa_chunk[part] = chunk_clone(rsa_chunk[part]);
 	}
 
 	/* We require an (indented) '}' and the end of the record.
@@ -468,21 +472,17 @@ static err_t process_rsa_secret(private_key_t **key)
 		goto end;
 	}
 
-	pkcs1_chunk = asn1_wrap(ASN1_SEQUENCE, "ccccccccc",
-					 		ASN1_INTEGER_0,
-							asn1_chunk[RSA_PART_MODULUS],
-							asn1_chunk[RSA_PART_PUBLIC_EXPONENT],
-							asn1_chunk[RSA_PART_PRIVATE_EXPONENT],
-							asn1_chunk[RSA_PART_PRIME1],
-							asn1_chunk[RSA_PART_PRIME2],
-							asn1_chunk[RSA_PART_EXPONENT1],
-							asn1_chunk[RSA_PART_EXPONENT2],
-							asn1_chunk[RSA_PART_COEFFICIENT]);
-
 	*key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
-										  BUILD_BLOB_ASN1_DER, pkcs1_chunk,
-										  BUILD_END);
-	free(pkcs1_chunk.ptr);
+					BUILD_RSA_MODULUS,  rsa_chunk[RSA_PART_MODULUS],
+					BUILD_RSA_PUB_EXP,  rsa_chunk[RSA_PART_PUBLIC_EXPONENT],
+					BUILD_RSA_PRIV_EXP, rsa_chunk[RSA_PART_PRIVATE_EXPONENT],
+					BUILD_RSA_PRIME1,   rsa_chunk[RSA_PART_PRIME1],
+					BUILD_RSA_PRIME2,   rsa_chunk[RSA_PART_PRIME2],
+					BUILD_RSA_EXP1,     rsa_chunk[RSA_PART_EXPONENT1],
+					BUILD_RSA_EXP2,     rsa_chunk[RSA_PART_EXPONENT2],
+					BUILD_RSA_COEFF,    rsa_chunk[RSA_PART_COEFFICIENT],
+					BUILD_END);
+
 	if (*key == NULL)
 	{
 		ugh = "parsing of RSA private key failed";
@@ -492,9 +492,9 @@ end:
 	/* clean up and return */
 	for (p = RSA_PART_MODULUS ; p < part; p++)
 	{
-		free(asn1_chunk[p].ptr);
+		chunk_clear(&rsa_chunk[p]);
 	}
-	return ugh;	
+	return ugh;
 }
 
 /**
@@ -722,7 +722,7 @@ static err_t process_pin(secret_t *s, int whackfd)
 		}
 	}
 	else
-	{   
+	{
 		/* we read the pin directly from ipsec.secrets */
 		err_t ugh = process_psk_secret(&sc->pin);
 		if (ugh != NULL)
@@ -762,16 +762,12 @@ static void log_psk(secret_t *s)
 	{
 		do
 		{
-			n += idtoa(&id_list->id, buf + n, BUF_LEN - n);
+			n += snprintf(buf + n, BUF_LEN - n, "%Y ", id_list->id);
 			if (n >= BUF_LEN)
 			{
 				n = BUF_LEN - 1;
 				break;
 			}
-			else if (n < BUF_LEN - 1)
-			{
-				n += snprintf(buf + n, BUF_LEN - n, " ");
-			}
 			id_list = id_list->next;
 		}
 		while (id_list);
@@ -948,42 +944,12 @@ static void process_secret_records(int whackfd)
 					/* an id
 					 * See RFC2407 IPsec Domain of Interpretation 4.6.2
 					 */
-					struct id id;
-					err_t ugh;
+					id_list_t *i = malloc_thing(id_list_t);
 
-					if (tokeq("%any"))
-					{
-						id = empty_id;
-						id.kind = ID_IPV4_ADDR;
-						ugh = anyaddr(AF_INET, &id.ip_addr);
-					}
-					else if (tokeq("%any6"))
-					{
-						id = empty_id;
-						id.kind = ID_IPV6_ADDR;
-						ugh = anyaddr(AF_INET6, &id.ip_addr);
-					}
-					else
-					{
-						ugh = atoid(tok, &id, FALSE);
-					}
+					i->id = identification_create_from_string(tok);
+					i->next = s->ids;
+					s->ids = i;
 
-					if (ugh != NULL)
-					{
-						loglog(RC_LOG_SERIOUS
-							, "ERROR \"%s\" line %d: index \"%s\" %s"
-							, flp->filename, flp->lino, tok, ugh);
-					}
-					else
-					{
-						id_list_t *i = malloc_thing(id_list_t);
-
-						i->id = id;
-						unshare_id_content(&i->id);
-						i->next = s->ids;
-						s->ids = i;
-						/* DBG_log("id type %d: %s %.*s", i->kind, ip_str(&i->ip_addr), (int)i->name.len, i->name.ptr); */
-					}
 					if (!shift())
 					{
 						/* unexpected Record Boundary or EOF */
@@ -1071,11 +1037,11 @@ void free_preshared_secrets(void)
 		{
 			id_list_t *i, *ni;
 
-			ns = s->next;       /* grab before freeing s */
+			ns = s->next;
 			for (i = s->ids; i != NULL; i = ni)
 			{
-				ni = i->next;   /* grab before freeing i */
-				free_id_content(&i->id);
+				ni = i->next; 
+				i->id->destroy(i->id);
 				free(i);
 			}
 			switch (s->kind)
@@ -1119,8 +1085,8 @@ pubkey_t* public_key_from_rsa(public_key_t *key)
 	pubkey_t *p = malloc_thing(pubkey_t);
 
 	zero(p);
-	p->id = empty_id;   /* don't know, doesn't matter */
-	p->issuer = chunk_empty;
+	p->id = identification_create_from_string("%any");  /* don't know, doesn't matter */
+	p->issuer = NULL;
 	p->serial = chunk_empty;
 	p->public_key = key;
 
@@ -1128,7 +1094,6 @@ pubkey_t* public_key_from_rsa(public_key_t *key)
 	 * invariant: recount > 0.
 	 */
 	p->refcnt = 1;
-	time(&p->installed_time);
 	return p;
 }
 
@@ -1207,25 +1172,14 @@ static void install_public_key(pubkey_t *pk, pubkey_list_t **head)
 {
 	pubkey_list_t *p = malloc_thing(pubkey_list_t);
 
-	unshare_id_content(&pk->id);
-
-	/* copy issuer dn */
-	pk->issuer = chunk_clone(pk->issuer);
-
-	/* copy serial number */
-	pk->serial = chunk_clone(pk->serial);
-
-	/* store the time the public key was installed */
-	time(&pk->installed_time);
-
 	/* install new key at front */
 	p->key = reference_key(pk);
 	p->next = *head;
 	*head = p;
 }
 
-void delete_public_keys(const struct id *id, key_type_t type,
-						chunk_t issuer, chunk_t serial)
+void delete_public_keys(identification_t *id, key_type_t type,
+						identification_t *issuer, chunk_t serial)
 {
 	pubkey_list_t **pp, *p;
 	pubkey_t *pk;
@@ -1236,10 +1190,10 @@ void delete_public_keys(const struct id *id, key_type_t type,
 		pk = p->key;
 		pk_type = pk->public_key->get_type(pk->public_key);
 
-		if (same_id(id, &pk->id) && pk_type == type
-		&& (issuer.ptr == NULL || pk->issuer.ptr == NULL
-			|| same_dn(issuer, pk->issuer))
-		&& same_serial(serial, pk->serial))
+		if (id->equals(id, pk->id) && pk_type == type
+		&& (issuer == NULL || pk->issuer == NULL
+			|| issuer->equals(issuer, pk->issuer))
+		&& (serial.ptr == NULL || chunk_equals(serial, pk->serial)))
 		{
 			*pp = free_public_keyentry(p);
 		}
@@ -1252,25 +1206,26 @@ void delete_public_keys(const struct id *id, key_type_t type,
 
 pubkey_t* reference_key(pubkey_t *pk)
 {
+	DBG(DBG_CONTROLMORE,
+		DBG_log("  ref key: %p %p cnt %d '%Y'",
+				 pk, pk->public_key, pk->refcnt, pk->id)
+	)
 	pk->refcnt++;
 	return pk;
 }
 
-void
-unreference_key(pubkey_t **pkp)
+void unreference_key(pubkey_t **pkp)
 {
 	pubkey_t *pk = *pkp;
-	char b[BUF_LEN];
 
 	if (pk == NULL)
 	{
 		return;
 	}
 
-	/* print stuff */
 	DBG(DBG_CONTROLMORE,
-		idtoa(&pk->id, b, sizeof(b));
-		DBG_log("unreference key: %p %s cnt %d--", pk, b, pk->refcnt)
+		DBG_log("unref key: %p %p cnt %d '%Y'",
+				 pk, pk->public_key, pk->refcnt, pk->id)
 	)
 
 	/* cancel out the pointer */
@@ -1284,7 +1239,7 @@ unreference_key(pubkey_t **pkp)
 	}
 }
 
-bool add_public_key(const struct id *id, enum dns_auth_level dns_auth_level,
+bool add_public_key(identification_t *id, enum dns_auth_level dns_auth_level,
 					enum pubkey_alg alg, chunk_t rfc3110_key,
 					pubkey_list_t **head)
 {
@@ -1296,7 +1251,7 @@ bool add_public_key(const struct id *id, enum dns_auth_level dns_auth_level,
 	{
 		case PUBKEY_ALG_RSA:
 			key = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
-										BUILD_BLOB_RFC_3110, rfc3110_key,
+										BUILD_BLOB_DNSKEY, rfc3110_key,
 										BUILD_END);
 			if (key == NULL)
 			{
@@ -1310,90 +1265,97 @@ bool add_public_key(const struct id *id, enum dns_auth_level dns_auth_level,
 	pk = malloc_thing(pubkey_t);
 	zero(pk);
 	pk->public_key = key;
-	pk->id = *id;
+	pk->id = id->clone(id);
 	pk->dns_auth_level = dns_auth_level;
 	pk->until_time = UNDEFINED_TIME;
-	pk->issuer = chunk_empty;
+	pk->issuer = NULL;
 	pk->serial = chunk_empty;
 	install_public_key(pk, head);
 	return TRUE;
 }
 
-/* extract id and public key from x.509 certificate and
- * insert it into a pubkeyrec
+/**
+ * Extract id and public key a certificate and insert it into a pubkeyrec
  */
-void add_x509_public_key(x509cert_t *cert , time_t until,
-						 enum dns_auth_level dns_auth_level)
+void add_public_key_from_cert(cert_t *cert , time_t until,
+							  enum dns_auth_level dns_auth_level)
 {
-	generalName_t *gn;
+	certificate_t *certificate = cert->cert;
+	identification_t *subject = certificate->get_subject(certificate);
+	identification_t *issuer = NULL;
+	identification_t *id;
+	chunk_t serialNumber = chunk_empty;
 	pubkey_t *pk;
 	key_type_t pk_type;
 
 	/* ID type: ID_DER_ASN1_DN  (X.509 subject field) */
 	pk = malloc_thing(pubkey_t);
 	zero(pk);
-	pk->public_key = cert->public_key->get_ref(cert->public_key);
-	pk->id.kind = ID_DER_ASN1_DN;
-	pk->id.name = cert->subject;
+	pk->public_key = certificate->get_public_key(certificate);
+	pk_type = pk->public_key->get_type(pk->public_key);
+	pk->id = subject->clone(subject);
 	pk->dns_auth_level = dns_auth_level;
 	pk->until_time = until;
-	pk->issuer = cert->issuer;
-	pk->serial = cert->serialNumber;
-	pk_type = pk->public_key->get_type(pk->public_key);
-	delete_public_keys(&pk->id, pk_type, pk->issuer, pk->serial);
-	install_public_key(pk, &pubkeys);
+	if (certificate->get_type(certificate) == CERT_X509)
+	{
+		x509_t *x509 = (x509_t*)certificate;
 
-	gn = cert->subjectAltName;
+		issuer = certificate->get_issuer(certificate);
+		serialNumber = x509->get_serial(x509);
+		pk->issuer = issuer->clone(issuer);
+		pk->serial = chunk_clone(serialNumber);
+	}
+	delete_public_keys(pk->id, pk_type, pk->issuer, pk->serial);
+	install_public_key(pk, &pubkeys);
 
-	while (gn != NULL) /* insert all subjectAltNames */
+	if (certificate->get_type(certificate) == CERT_X509)
 	{
-		struct id id = empty_id;
+		x509_t *x509 = (x509_t*)certificate;
+		enumerator_t *enumerator;
 
-		gntoid(&id, gn);
-		if (id.kind != ID_ANY)
+		/* insert all subjectAltNames from X.509 certificates */
+		enumerator = x509->create_subjectAltName_enumerator(x509);
+		while (enumerator->enumerate(enumerator, &id)) 
 		{
-			pk = malloc_thing(pubkey_t);
-			zero(pk);
-			pk->public_key = cert->public_key->get_ref(cert->public_key);
-			pk->id = id;
-			pk->dns_auth_level = dns_auth_level;
-			pk->until_time = until;
-			pk->issuer = cert->issuer;
-			pk->serial = cert->serialNumber;
-			delete_public_keys(&pk->id, pk_type, pk->issuer, pk->serial);
-			install_public_key(pk, &pubkeys);
+			if (id->get_type(id) != ID_ANY)
+			{
+				pk = malloc_thing(pubkey_t);
+				zero(pk);
+				pk->id = id->clone(id);
+				pk->public_key = certificate->get_public_key(certificate);
+				pk->dns_auth_level = dns_auth_level;
+				pk->until_time = until;
+				pk->issuer = issuer->clone(issuer);
+				pk->serial = chunk_clone(serialNumber);
+				delete_public_keys(pk->id, pk_type, pk->issuer, pk->serial);
+				install_public_key(pk, &pubkeys);
+			}
 		}
-		gn = gn->next;
+		enumerator->destroy(enumerator);
+	}
+	else
+	{
+		pgp_certificate_t *pgp_cert = (pgp_certificate_t*)certificate;
+		chunk_t fingerprint = pgp_cert->get_fingerprint(pgp_cert);
+
+		/* add v3 or v4 PGP fingerprint */
+		pk = malloc_thing(pubkey_t);
+		zero(pk);
+		pk->id = identification_create_from_encoding(ID_KEY_ID, fingerprint);
+		pk->public_key = certificate->get_public_key(certificate);
+		pk->dns_auth_level = dns_auth_level;
+		pk->until_time = until;
+		delete_public_keys(pk->id, pk_type, pk->issuer, pk->serial);
+		install_public_key(pk, &pubkeys);
 	}
-}
-
-/* extract id and public key from OpenPGP certificate and
- * insert it into a pubkeyrec
- */
-void add_pgp_public_key(pgpcert_t *cert , time_t until,
-						enum dns_auth_level dns_auth_level)
-{
-	pubkey_t *pk;
-	key_type_t pk_type;
-
-	pk = malloc_thing(pubkey_t);
-	zero(pk);
-	pk->public_key = cert->public_key->get_ref(cert->public_key);
-	pk->id.kind = ID_KEY_ID;
-	pk->id.name = cert->fingerprint->get_encoding(cert->fingerprint);
-	pk->dns_auth_level = dns_auth_level;
-	pk->until_time = until;
-	pk_type = pk->public_key->get_type(pk->public_key);
-	delete_public_keys(&pk->id, pk_type, chunk_empty, chunk_empty);
-	install_public_key(pk, &pubkeys);
 }
 
 /*  when a X.509 certificate gets revoked, all instances of
  *  the corresponding public key must be removed
  */
-void remove_x509_public_key(const x509cert_t *cert)
+void remove_x509_public_key(const cert_t *cert)
 {
-	public_key_t *revoked_key = cert->public_key;
+	public_key_t *revoked_key = cert->cert->get_public_key(cert->cert);
 	pubkey_list_t *p, **pp;
 
 	p  = pubkeys;
@@ -1413,6 +1375,7 @@ void remove_x509_public_key(const x509cert_t *cert)
 		}
 		p =*pp;
 	}
+	revoked_key->destroy(revoked_key);
 }
 
 /*
@@ -1426,34 +1389,32 @@ void list_public_keys(bool utc)
 	{
 		whack_log(RC_COMMENT, " ");
 		whack_log(RC_COMMENT, "List of Public Keys:");
-		whack_log(RC_COMMENT, " ");
 	}
 
 	while (p != NULL)
 	{
 		pubkey_t *key = p->key;
 		public_key_t *public = key->public_key;
-		identification_t *keyid = public->get_id(public, ID_PUBKEY_INFO_SHA1);
-		char buf[BUF_LEN];
+		chunk_t keyid;
 
-		idtoa(&key->id, buf, BUF_LEN);
-		whack_log(RC_COMMENT,"%T, '%s'", &key->installed_time, utc, buf);
-		whack_log(RC_COMMENT, "       pubkey:  %N %4d bits, until %T %s",
+		whack_log(RC_COMMENT, " ");
+		whack_log(RC_COMMENT, "  identity: '%Y'", key->id);
+		whack_log(RC_COMMENT, "  pubkey:    %N %4d bits, until %T %s",
 			key_type_names, public->get_type(public),
 			public->get_keysize(public) * BITS_PER_BYTE,
 			&key->until_time, utc,
 			check_expiry(key->until_time, PUBKEY_WARNING_INTERVAL, TRUE));
-		whack_log(RC_COMMENT,"       keyid:   %Y", keyid);
-		if (key->issuer.len > 0)
+		if (public->get_fingerprint(public, KEY_ID_PUBKEY_INFO_SHA1, &keyid))
+		{
+			whack_log(RC_COMMENT,"  keyid:     %#B", &keyid);
+		}
+		if (key->issuer)
 		{
-			dntoa(buf, BUF_LEN, key->issuer);
-			whack_log(RC_COMMENT,"       issuer: '%s'", buf);
+			whack_log(RC_COMMENT,"  issuer:   \"%Y\"", key->issuer);
 		}
-		if (key->serial.len > 0)
+		if (key->serial.len)
 		{
-			datatot(key->serial.ptr, key->serial.len, ':'
-					, buf, BUF_LEN);
-			whack_log(RC_COMMENT,"       serial:  %s", buf);
+			whack_log(RC_COMMENT,"  serial:    %#B", &key->serial);
 		}
 		p = p->next;
 	}
diff --git a/src/pluto/keys.h b/src/pluto/keys.h
index 8bc94d839..d856c0009 100644
--- a/src/pluto/keys.h
+++ b/src/pluto/keys.h
@@ -16,6 +16,7 @@
 #ifndef _KEYS_H
 #define _KEYS_H
 
+#include <utils/identification.h>
 #include <credentials/keys/private_key.h>
 #include <credentials/keys/public_key.h>
 
@@ -44,22 +45,19 @@ struct connection;
 
 extern const chunk_t *get_preshared_secret(const struct connection *c);
 extern private_key_t *get_private_key(const struct connection *c);
-extern private_key_t *get_x509_private_key(const x509cert_t *cert);
+extern private_key_t *get_x509_private_key(const cert_t *cert);
 
 /* public key machinery  */
 
 typedef struct pubkey pubkey_t;
 
 struct pubkey {
-	struct id id;
+	identification_t *id;
 	unsigned refcnt;    /* reference counted! */
 	enum dns_auth_level dns_auth_level;
 	char *dns_sig;
-	time_t installed_time
-		, last_tried_time
-		, last_worked_time
-		, until_time;
-	chunk_t issuer;
+	time_t last_tried_time, last_worked_time, until_time;
+	identification_t *issuer;
 	chunk_t serial;
 	public_key_t *public_key;
 };
@@ -77,23 +75,19 @@ extern pubkey_t *public_key_from_rsa(public_key_t *key);
 extern pubkey_list_t *free_public_keyentry(pubkey_list_t *p);
 extern void free_public_keys(pubkey_list_t **keys);
 extern void free_remembered_public_keys(void);
-extern void delete_public_keys(const struct id *id, key_type_t type,
-							   chunk_t issuer, chunk_t serial);
+extern void delete_public_keys(identification_t *id, key_type_t type,
+							   identification_t *issuer, chunk_t serial);
 extern pubkey_t *reference_key(pubkey_t *pk);
 extern void unreference_key(pubkey_t **pkp);
-
-extern bool add_public_key(const struct id *id,
+extern bool add_public_key(identification_t *id,
 						   enum dns_auth_level dns_auth_level,
 						   enum pubkey_alg alg,
 						   chunk_t rfc3110_key,
 						   pubkey_list_t **head);
-
-extern bool has_private_key(cert_t cert);
-extern void add_x509_public_key(x509cert_t *cert, time_t until
-	, enum dns_auth_level dns_auth_level);
-extern void add_pgp_public_key(pgpcert_t *cert, time_t until
-	, enum dns_auth_level dns_auth_level);
-extern void remove_x509_public_key(const x509cert_t *cert);
+extern bool has_private_key(cert_t *cert);
+extern void add_public_key_from_cert(cert_t *cert, time_t until,
+									 enum dns_auth_level dns_auth_level);
+extern void remove_x509_public_key(const cert_t *cert);
 extern void list_public_keys(bool utc);
 
 struct gw_info; /* forward declaration of tag (defined in dnskey.h) */
diff --git a/src/pluto/log.c b/src/pluto/log.c
index e34409f1c..2f3536ff3 100644
--- a/src/pluto/log.c
+++ b/src/pluto/log.c
@@ -38,12 +38,13 @@
 #include "server.h"
 #include "state.h"
 #include "connections.h"
+#include "myid.h"
 #include "kernel.h"
 #include "whack.h"      /* needs connections.h */
 #include "timer.h"
 
 /* close one per-peer log */
-static void perpeer_logclose(struct connection *c);     /* forward */
+static void perpeer_logclose(connection_t *c);     /* forward */
 
 
 bool
@@ -77,7 +78,7 @@ static TAILQ_HEAD(perpeer, connection) perpeer_list;
  */
 int whack_log_fd = NULL_FD;     /* only set during whack_handle() */
 struct state *cur_state = NULL; /* current state, for diagnostics */
-struct connection *cur_connection = NULL;       /* current connection, for diagnostics */
+connection_t *cur_connection = NULL;       /* current connection, for diagnostics */
 const ip_address *cur_from = NULL;      /* source of current current message */
 u_int16_t cur_from_port;        /* host order */
 
@@ -99,12 +100,12 @@ static void pluto_dbg(int level, char *fmt, ...)
 	else if (cur_debugging & DBG_RAW)
 	{
 		debug_level = 3;
-	}	
+	}
 	else if (cur_debugging & DBG_PARSING)
 	{
 		debug_level = 2;
 	}
-	else 
+	else
 	{
 		debug_level = 1;
 	}
@@ -245,7 +246,7 @@ fmt_log(char *buf, size_t buf_len, const char *fmt, va_list ap)
 {
 	bool reproc = *fmt == '~';
 	size_t ps;
-	struct connection *c = cur_state != NULL ? cur_state->st_connection
+	connection_t *c = cur_state != NULL ? cur_state->st_connection
 		: cur_connection;
 
 	buf[0] = '\0';
@@ -293,7 +294,7 @@ fmt_log(char *buf, size_t buf_len, const char *fmt, va_list ap)
 }
 
 static void
-perpeer_logclose(struct connection *c)
+perpeer_logclose(connection_t *c)
 {
 	/* only free/close things if we had used them! */
 	if (c->log_file != NULL)
@@ -308,7 +309,7 @@ perpeer_logclose(struct connection *c)
 }
 
 void
-perpeer_logfree(struct connection *c)
+perpeer_logfree(connection_t *c)
 {
 	perpeer_logclose(c);
 	if (c->log_file_name != NULL)
@@ -321,7 +322,7 @@ perpeer_logfree(struct connection *c)
 
 /* open the per-peer log */
 static void
-open_peerlog(struct connection *c)
+open_peerlog(connection_t *c)
 {
 	syslog(LOG_INFO, "opening log file for conn %s", c->name);
 
@@ -725,7 +726,7 @@ lset_t
 	cur_debugging =  DBG_NONE;
 
 void
-extra_debugging(const struct connection *c)
+extra_debugging(const connection_t *c)
 {
 	if(c == NULL)
 	{
@@ -835,8 +836,8 @@ static void show_loaded_plugins()
 	char buf[BUF_LEN], *plugin;
 	int len = 0;
 	enumerator_t *enumerator;
-	
-	buf[0] = '\0';	
+
+	buf[0] = '\0';
 	enumerator = lib->plugins->create_plugin_enumerator(lib->plugins);
 	while (len < BUF_LEN && enumerator->enumerate(enumerator, &plugin))
 	{
diff --git a/src/pluto/modecfg.c b/src/pluto/modecfg.c
index 228827f2a..03ec7f41f 100644
--- a/src/pluto/modecfg.c
+++ b/src/pluto/modecfg.c
@@ -26,6 +26,7 @@
 #include <freeswan.h>
 
 #include <library.h>
+#include <attributes/attributes.h>
 #include <crypto/prfs/prf.h>
 
 #include "constants.h"
@@ -81,11 +82,10 @@ struct internal_addr
 	bool       xauth_status;
 };
 
-/*
+/**
  * Initialize an internal_addr struct
  */
-static void
-init_internal_addr(internal_addr_t *ia)
+static void init_internal_addr(internal_addr_t *ia)
 {
 	int i;
 
@@ -106,46 +106,65 @@ init_internal_addr(internal_addr_t *ia)
 		anyaddr(AF_INET, &ia->dns[i]);
 	}
 
-	/* initialize WINS server information */
+	/* initialize NBNS server information */
 	for (i = 0; i < NBNS_SERVER_MAX; i++)
 	{
 		anyaddr(AF_INET, &ia->nbns[i]);
 	}
 }
 
-/*
- * get internal IP address for a connection
+/**
+ * Get internal IP address for a connection
  */
-static void
-get_internal_addr(struct connection *c, internal_addr_t *ia)
+static void get_internal_addr(connection_t *c, host_t *requested_vip,
+							  internal_addr_t *ia)
 {
 	int i, dns_idx = 0, nbns_idx = 0;
+	enumerator_t *enumerator;
+	configuration_attribute_type_t type;
+	chunk_t value;
+	host_t *vip = NULL;
 
 	if (isanyaddr(&c->spd.that.host_srcip))
 	{
-		/* not defined in connection - fetch it from LDAP */
+		if (c->spd.that.pool)
+		{
+			vip = lib->attributes->acquire_address(lib->attributes,
+										c->spd.that.pool, c->spd.that.id,
+										requested_vip);
+			if (vip)
+			{
+				chunk_t addr = vip->get_address(vip);
+		
+				plog("assigning virtual IP %H to peer", vip);
+				initaddr(addr.ptr, addr.len, vip->get_family(vip), &ia->ipaddr);
+
+			}
+		}
+		else
+		{
+			plog("no virtual IP found");
+		}
 	}
 	else
 	{
-		char srcip[ADDRTOT_BUF];
-
 		ia->ipaddr = c->spd.that.host_srcip;
-
-		addrtot(&ia->ipaddr, 0, srcip, sizeof(srcip));
-		plog("assigning virtual IP source address %s", srcip);
+		vip = host_create_from_sockaddr((sockaddr_t*)&ia->ipaddr);
+		plog("assigning virtual IP  %H to peer", vip);
 	}
 
 	if (!isanyaddr(&ia->ipaddr))        /* We got an IP address, send it */
 	{
+		c->spd.that.host_srcip      = ia->ipaddr;
 		c->spd.that.client.addr     = ia->ipaddr;
 		c->spd.that.client.maskbits = 32;
 		c->spd.that.has_client      = TRUE;
-		
+
 		ia->attr_set = LELEM(INTERNAL_IP4_ADDRESS)
 					 | LELEM(INTERNAL_IP4_NETMASK);
 	}
 
-	/* assign DNS servers */
+	/* assign DNS servers from strongswan.conf */
 	for (i = 1; i <= DNS_SERVER_MAX; i++)
 	{
 		char dns_key[16], *dns_str;
@@ -158,20 +177,20 @@ get_internal_addr(struct connection *c, internal_addr_t *ia)
 			sa_family_t family = strchr(dns_str, ':') ? AF_INET6 : AF_INET;
 
 			ugh = ttoaddr(dns_str, 0, family, &ia->dns[dns_idx]);
-			if (ugh != NULL)
+			if (ugh)
 			{
 				plog("error in DNS server address: %s", ugh);
 				continue;
 			}
 			plog("assigning DNS server %s to peer", dns_str);
 
-			/* differentiate between IP4 and IP6 in modecfg_build_msg() */ 
+			/* differentiate between IP4 and IP6 in modecfg_build_msg() */
 			ia->attr_set |= LELEM(INTERNAL_IP4_DNS);
 			dns_idx++;
 		}
 	}
 
-	/* assign WINS servers */
+	/* assign NBNS servers from strongswan.conf */
 	for (i = 1; i <= NBNS_SERVER_MAX; i++)
 	{
 		char nbns_key[16], *nbns_str;
@@ -184,26 +203,93 @@ get_internal_addr(struct connection *c, internal_addr_t *ia)
 			sa_family_t family = strchr(nbns_str, ':') ? AF_INET6 : AF_INET;
 
 			ugh = ttoaddr(nbns_str, 0, family, &ia->nbns[nbns_idx]);
-			if (ugh != NULL)
+			if (ugh)
 			{
-				plog("error in WINS server address: %s", ugh);
+				plog("error in NBNS server address: %s", ugh);
 				continue;
 			}
 			plog("assigning NBNS server %s to peer", nbns_str);
 
-			/* differentiate between IP4 and IP6 in modecfg_build_msg() */ 
+			/* differentiate between IP4 and IP6 in modecfg_build_msg() */
 			ia->attr_set |= LELEM(INTERNAL_IP4_NBNS);
 			nbns_idx++;
 		}
 	}
+
+	/* assign attributes from registered providers */
+	enumerator = lib->attributes->create_responder_enumerator(lib->attributes,
+											c->spd.that.id, vip);
+	while (enumerator->enumerate(enumerator, &type, &value))
+	{
+		err_t ugh;
+		host_t *server;
+		sa_family_t family = AF_INET;
+		
+		switch (type)
+		{
+			case INTERNAL_IP6_DNS:
+				family = AF_INET6;
+				/* fallthrough */
+			case INTERNAL_IP4_DNS:
+				if (dns_idx >= DNS_SERVER_MAX)
+				{
+					plog("exceeded the maximum number of %d DNS servers",
+						 DNS_SERVER_MAX);
+					break;
+				}
+				ugh = initaddr(value.ptr, value.len, family, &ia->dns[dns_idx]);
+				if (ugh)
+				{
+					plog("error in DNS server address: %s", ugh);
+					break;
+				}
+				server = host_create_from_chunk(family, value, 0);
+				plog("assigning DNS server %H to peer", server);
+				server->destroy(server);
+
+				/* differentiate between IP4 and IP6 in modecfg_build_msg() */
+				ia->attr_set |= LELEM(INTERNAL_IP4_DNS);
+				dns_idx++;
+				break;
+
+			case INTERNAL_IP6_NBNS:
+				family = AF_INET6;
+				/* fallthrough */
+			case INTERNAL_IP4_NBNS:
+				if (nbns_idx >= NBNS_SERVER_MAX)
+ 				{
+					plog("exceeded the maximum number of %d NBNS servers",
+						 NBNS_SERVER_MAX);
+					break;
+				}
+				ugh = initaddr(value.ptr, value.len, family, &ia->nbns[nbns_idx]);
+				if (ugh)
+				{
+					plog("error in NBNS server address: %s", ugh);
+					break;
+				}
+				server = host_create_from_chunk(family, value, 0);
+				plog("assigning NBNS server %H to peer", server);
+				server->destroy(server);
+
+				/* differentiate between IP4 and IP6 in modecfg_build_msg() */
+				ia->attr_set |= LELEM(INTERNAL_IP4_NBNS);
+				nbns_idx++;
+				break;
+
+			default:
+				break;
+		}			
+	}
+	enumerator->destroy(enumerator);
+	DESTROY_IF(vip);
 }
 
 
-/*
+/**
  * Set srcip and client subnet to internal IP address
  */
-static bool
-set_internal_addr(struct connection *c, internal_addr_t *ia)
+static bool set_internal_addr(connection_t *c, internal_addr_t *ia)
 {
 	if (ia->attr_set & LELEM(INTERNAL_IP4_ADDRESS)
 	&& !isanyaddr(&ia->ipaddr))
@@ -227,7 +313,7 @@ set_internal_addr(struct connection *c, internal_addr_t *ia)
 			plog("replacing virtual IP source address %s by %s"
 				, old_srcip, new_srcip);
 		}
-		
+
 		/* setting srcip */
 		c->spd.this.host_srcip = ia->ipaddr;
 
@@ -240,7 +326,7 @@ set_internal_addr(struct connection *c, internal_addr_t *ia)
 	return FALSE;
 }
 
-/*
+/**
  * Compute HASH of Mode Config.
  */
 static size_t modecfg_hash(u_char *dest, u_char *start, u_char *roof,
@@ -263,19 +349,18 @@ static size_t modecfg_hash(u_char *dest, u_char *start, u_char *roof,
 	DBG(DBG_CRYPT,
 		DBG_log("ModeCfg HASH computed:");
 		DBG_dump("", dest, prf_block_size)
-	) 
+	)
 	return prf_block_size;
 }
 
 
-/* 
+/**
  * Generate an IKE message containing ModeCfg information (eg: IP, DNS, WINS)
  */
-static stf_status
-modecfg_build_msg(struct state *st, pb_stream *rbody
-								  , u_int16_t msg_type
-								  , internal_addr_t *ia
-								  , u_int16_t ap_id)
+static stf_status modecfg_build_msg(struct state *st, pb_stream *rbody,
+									u_int16_t msg_type,
+									internal_addr_t *ia,
+									u_int16_t ap_id)
 {
 	u_char *r_hash_start, *r_hashval;
 
@@ -322,7 +407,7 @@ modecfg_build_msg(struct state *st, pb_stream *rbody
 					is_unity_attr_set = FALSE;
 				}
 			}
-		
+
 			dont_advance = FALSE;
 
 			if (attr_set & 1)
@@ -384,7 +469,7 @@ modecfg_build_msg(struct state *st, pb_stream *rbody
 								mask[t] = 0xff;
 							m -= 8;
 						}
-#endif                              
+#endif
 						if (st->st_connection->spd.this.client.maskbits == 0)
 						{
 							mask = 0;
@@ -491,11 +576,11 @@ modecfg_build_msg(struct state *st, pb_stream *rbody
 	return STF_OK;
 }
 
-/*
+/**
  * Send ModeCfg message
  */
-static stf_status
-modecfg_send_msg(struct state *st, int isama_type, internal_addr_t *ia)
+static stf_status modecfg_send_msg(struct state *st, int isama_type,
+								   internal_addr_t *ia)
 {
 	pb_stream msg;
 	pb_stream rbody;
@@ -549,11 +634,10 @@ modecfg_send_msg(struct state *st, int isama_type, internal_addr_t *ia)
 	return STF_OK;
 }
 
-/*
+/**
  * Parse a ModeCfg attribute payload
  */
-static stf_status
-modecfg_parse_attributes(pb_stream *attrs, internal_addr_t *ia)
+static stf_status modecfg_parse_attributes(pb_stream *attrs, internal_addr_t *ia)
 {
 	struct isakmp_attribute attr;
 	pb_stream strattr;
@@ -610,12 +694,12 @@ modecfg_parse_attributes(pb_stream *attrs, internal_addr_t *ia)
 				ugh = initaddr((char *)(strattr.cur), 4, AF_INET, &ia->nbns[nbns_idx]);
 				if (ugh != NULL)
 				{
-					plog("received invalid IPv4 WINS server address: %s", ugh);
+					plog("received invalid IPv4 NBNS server address: %s", ugh);
 				}
 				else
 				{
 					addrtot(&ia->nbns[nbns_idx], 0, buf, BUF_LEN);
-					plog("received IPv4 WINS server address %s", buf);
+					plog("received IPv4 NBNS server address %s", buf);
 					nbns_idx++;
 				}
 			}
@@ -644,12 +728,12 @@ modecfg_parse_attributes(pb_stream *attrs, internal_addr_t *ia)
 				ugh = initaddr((char *)(strattr.cur), 16, AF_INET6, &ia->nbns[nbns_idx]);
 				if (ugh != NULL)
 				{
-					plog("received invalid IPv6 WINS server address: %s", ugh);
+					plog("received invalid IPv6 NBNS server address: %s", ugh);
 				}
 				else
 				{
 					addrtot(&ia->nbns[nbns_idx], 0, buf, BUF_LEN);
-					plog("received IPv6 WINS server address %s", buf);
+					plog("received IPv6 NBNS server address %s", buf);
 					nbns_idx++;
 				}
 			}
@@ -735,12 +819,11 @@ modecfg_parse_attributes(pb_stream *attrs, internal_addr_t *ia)
 	return STF_OK;
 }
 
-/* 
+/**
  * Parse a ModeCfg message
  */
-static stf_status
-modecfg_parse_msg(struct msg_digest *md, int isama_type, u_int16_t *isama_id
-				, internal_addr_t *ia)
+static stf_status modecfg_parse_msg(struct msg_digest *md, int isama_type,
+									u_int16_t *isama_id, internal_addr_t *ia)
 {
 	struct state *const st = md->st;
 	struct payload_digest *p;
@@ -788,12 +871,12 @@ modecfg_parse_msg(struct msg_digest *md, int isama_type, u_int16_t *isama_id
 	return STF_IGNORE;
 }
 
-/*
+/**
  * Send ModeCfg request message from client to server in pull mode
  */
-stf_status
-modecfg_send_request(struct state *st)
+stf_status modecfg_send_request(struct state *st)
 {
+	connection_t *c = st->st_connection;
 	stf_status stat;
 	internal_addr_t ia;
 
@@ -801,6 +884,7 @@ modecfg_send_request(struct state *st)
 
 	ia.attr_set = LELEM(INTERNAL_IP4_ADDRESS)
 				| LELEM(INTERNAL_IP4_NETMASK);
+	ia.ipaddr = c->spd.this.host_srcip;
 
 	plog("sending ModeCfg request");
 	st->st_state = STATE_MODE_CFG_I1;
@@ -817,14 +901,14 @@ modecfg_send_request(struct state *st)
  *
  * used in ModeCfg pull mode, on the server (responder)
  */
-stf_status
-modecfg_inR0(struct msg_digest *md)
+stf_status modecfg_inR0(struct msg_digest *md)
 {
 	struct state *const st = md->st;
 	u_int16_t isama_id;
 	internal_addr_t ia;
 	bool want_unity_banner;
 	stf_status stat, stat_build;
+	host_t *requested_vip;
 
 	stat = modecfg_parse_msg(md, ISAKMP_CFG_REQUEST, &isama_id, &ia);
 	if (stat != STF_OK)
@@ -832,9 +916,20 @@ modecfg_inR0(struct msg_digest *md)
 		return stat;
 	}
 
+	if (ia.attr_set & LELEM(INTERNAL_IP4_ADDRESS))
+	{
+		requested_vip = host_create_from_sockaddr((sockaddr_t*)&ia.ipaddr);
+	}
+	else
+	{
+		requested_vip = host_create_any(AF_INET);
+	}
+	plog("peer requested virtual IP %H", requested_vip);
+
 	want_unity_banner = (ia.unity_attr_set & LELEM(UNITY_BANNER - UNITY_BASE)) != LEMPTY;
 	init_internal_addr(&ia);
-	get_internal_addr(st->st_connection, &ia);
+	get_internal_addr(st->st_connection, requested_vip, &ia);
+	requested_vip->destroy(requested_vip);
 
 	if (want_unity_banner)
 	{
@@ -859,10 +954,9 @@ modecfg_inR0(struct msg_digest *md)
 /* STATE_MODE_CFG_I1:
  * HDR*, HASH, ATTR(REPLY=IP)
  *
- * used in ModeCfg pull mode, on the client (initiator) 
+ * used in ModeCfg pull mode, on the client (initiator)
  */
-stf_status
-modecfg_inI1(struct msg_digest *md)
+stf_status modecfg_inI1(struct msg_digest *md)
 {
 	struct state *const st = md->st;
 	u_int16_t isama_id;
@@ -882,17 +976,19 @@ modecfg_inI1(struct msg_digest *md)
 }
 
 
-/*
+/**
  * Send ModeCfg set message from server to client in push mode
  */
-stf_status
-modecfg_send_set(struct state *st)
+stf_status modecfg_send_set(struct state *st)
 {
 	stf_status stat;
 	internal_addr_t ia;
+	host_t *vip;
 
 	init_internal_addr(&ia);
-	get_internal_addr(st->st_connection, &ia);
+	vip = host_create_any(AF_INET);
+	get_internal_addr(st->st_connection, vip, &ia);
+	vip->destroy(vip);
 
 #ifdef CISCO_QUIRKS
 	ia.unity_banner = UNITY_BANNER_STR;
@@ -914,8 +1010,7 @@ modecfg_send_set(struct state *st)
  *
  * used in ModeCfg push mode, on the client (initiator).
  */
-stf_status
-modecfg_inI0(struct msg_digest *md)
+stf_status modecfg_inI0(struct msg_digest *md)
 {
 	struct state *const st = md->st;
 	u_int16_t isama_id;
@@ -958,8 +1053,7 @@ modecfg_inI0(struct msg_digest *md)
  *
  * used in ModeCfg push mode, on the server (responder)
  */
-stf_status
-modecfg_inR3(struct msg_digest *md)
+stf_status modecfg_inR3(struct msg_digest *md)
 {
 	struct state *const st = md->st;
 	u_int16_t isama_id;
@@ -977,11 +1071,10 @@ modecfg_inR3(struct msg_digest *md)
 	return STF_OK;
 }
 
-/*
+/**
  * Send XAUTH credentials request (username + password)
  */
-stf_status
-xauth_send_request(struct state *st)
+stf_status xauth_send_request(struct state *st)
 {
 	stf_status stat;
 	internal_addr_t ia;
@@ -1005,8 +1098,7 @@ xauth_send_request(struct state *st)
  *
  * used on the XAUTH client (initiator)
  */
-stf_status
-xauth_inI0(struct msg_digest *md)
+stf_status xauth_inI0(struct msg_digest *md)
 {
 	struct state *const st = md->st;
 	u_int16_t isama_id;
@@ -1111,8 +1203,7 @@ xauth_inI0(struct msg_digest *md)
  *
  *  used on the XAUTH server (responder)
  */
-stf_status
-xauth_inR1(struct msg_digest *md)
+stf_status xauth_inR1(struct msg_digest *md)
 {
 	struct state *const st = md->st;
 	u_int16_t isama_id;
@@ -1148,13 +1239,14 @@ xauth_inR1(struct msg_digest *md)
 		plog("user password attribute is missing in XAUTH reply");
 		st->st_xauth.status = FALSE;
 	}
-	else 
+	else
 	{
 		xauth_peer_t peer;
 
 		peer.conn_name = st->st_connection->name;
 		addrtot(&md->sender, 0, peer.ip_address, sizeof(peer.ip_address));
-		idtoa(&md->st->st_connection->spd.that.id, peer.id, sizeof(peer.id));
+		snprintf(peer.id, sizeof(peer.id), "%Y",
+				 md->st->st_connection->spd.that.id);
 
 		DBG(DBG_CONTROL,
 			DBG_log("peer xauth user name is '%.*s'"
@@ -1191,8 +1283,7 @@ xauth_inR1(struct msg_digest *md)
  *
  * used on the XAUTH client (initiator)
  */
-stf_status
-xauth_inI1(struct msg_digest *md)
+stf_status xauth_inI1(struct msg_digest *md)
 {
 	struct state *const st = md->st;
 	u_int16_t isama_id;
@@ -1204,7 +1295,7 @@ xauth_inI1(struct msg_digest *md)
 	if (stat != STF_OK)
 	{
 		/* notification payload - not exactly the right choice, but okay */
-		md->note = ATTRIBUTES_NOT_SUPPORTED;
+		md->note = ISAKMP_ATTRIBUTES_NOT_SUPPORTED;
 		return stat;
 	}
 
@@ -1243,8 +1334,7 @@ xauth_inI1(struct msg_digest *md)
  *
  * used on the XAUTH server (responder)
  */
-stf_status
-xauth_inR2(struct msg_digest *md)
+stf_status xauth_inR2(struct msg_digest *md)
 {
 	struct state *const st = md->st;
 	u_int16_t isama_id;
diff --git a/src/pluto/modecfg.h b/src/pluto/modecfg.h
index 86bfc6ed2..bc1443012 100644
--- a/src/pluto/modecfg.h
+++ b/src/pluto/modecfg.h
@@ -1,7 +1,7 @@
 /* Mode Config related functions
  * Copyright (C) 2001-2002 Colubris Networks
  * Copyright (C) 2003-2004 Xelerance Corporation
- * 
+ *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
  * Free Software Foundation; either version 2 of the License, or (at your
diff --git a/src/pluto/myid.c b/src/pluto/myid.c
new file mode 100644
index 000000000..ad4eefd15
--- /dev/null
+++ b/src/pluto/myid.c
@@ -0,0 +1,121 @@
+/* identity representation, as in IKE ID Payloads (RFC 2407 DOI 4.6.2.1)
+ * Copyright (C) 1999-2001  D. Hugh Redelmeier
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <errno.h>
+#include <unistd.h>
+
+#ifndef HOST_NAME_MAX        /* POSIX 1003.1-2001 says <unistd.h> defines this */
+# define HOST_NAME_MAX  255 /* upper bound, according to SUSv2 */
+#endif
+
+#include <utils/identification.h>
+
+#include <freeswan.h>
+
+#include "myid.h"
+#include "constants.h"
+#include "defs.h"
+#include "log.h"
+#include "connections.h"
+#include "packet.h"
+#include "whack.h"
+
+enum myid_state myid_state = MYID_UNKNOWN;
+
+identification_t *myids[MYID_SPECIFIED+1];    /* %myid */
+
+/**
+ * Fills in myid from environment variable IPSECmyid or defaultrouteaddr
+ */
+void init_myid(void)
+{
+	myid_state = MYID_UNKNOWN;
+	{
+		enum myid_state s;
+
+		for (s = MYID_UNKNOWN; s <= MYID_SPECIFIED; s++)
+		{
+			myids[s] = identification_create_from_string("%any");
+		}
+	}
+	set_myid(MYID_SPECIFIED, getenv("IPSECmyid"));
+	set_myid(MYID_IP, getenv("defaultrouteaddr"));
+	set_myFQDN();
+}
+
+/**
+ *  Free myid module
+ */
+void free_myid(void)
+{
+	enum myid_state s;
+
+	for (s = MYID_UNKNOWN; s <= MYID_SPECIFIED; s++)
+	{
+		DESTROY_IF(myids[s]);
+	}
+}
+
+void set_myid(enum myid_state s, char *idstr)
+{
+	if (idstr)
+	{
+		myids[s]->destroy(myids[s]);
+ 		myids[s] = identification_create_from_string(idstr);
+		if (s == MYID_SPECIFIED)
+		{
+				myid_state = MYID_SPECIFIED;
+		}
+	}
+}
+
+void set_myFQDN(void)
+{
+	char FQDN[HOST_NAME_MAX + 1];
+	int r = gethostname(FQDN, sizeof(FQDN));
+	size_t len;
+
+	if (r != 0)
+	{
+		log_errno((e, "gethostname() failed in set_myFQDN"));
+	}
+	else
+	{
+		FQDN[sizeof(FQDN) - 1] = '\0';  /* insurance */
+		len = strlen(FQDN);
+
+		if (len > 0 && FQDN[len-1] == '.')
+		{
+			/* nuke trailing . */
+			FQDN[len-1] = '\0';
+		}
+		if (!strcaseeq(FQDN, "localhost.localdomain"))
+		{
+			myids[MYID_HOSTNAME]->destroy(myids[MYID_HOSTNAME]);
+			myids[MYID_HOSTNAME] = identification_create_from_string(FQDN);
+		}
+	}
+}
+
+void show_myid_status(void)
+{
+	whack_log(RC_COMMENT, "%%myid = '%Y'", myids[myid_state]);
+}
+
+/*
+ * Local Variables:
+ * c-basic-offset:4
+ * c-style: pluto
+ * End:
+ */
diff --git a/src/pluto/myid.h b/src/pluto/myid.h
new file mode 100644
index 000000000..012a34968
--- /dev/null
+++ b/src/pluto/myid.h
@@ -0,0 +1,38 @@
+/* identity representation, as in IKE ID Payloads (RFC 2407 DOI 4.6.2.1)
+ * Copyright (C) 1999-2001  D. Hugh Redelmeier
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef _MYID_H
+#define _MYID_H
+
+#include <utils/identification.h>
+
+extern void init_myid(void);
+extern void free_myid(void);
+
+enum myid_state {
+	MYID_UNKNOWN,       /* not yet figured out */
+	MYID_HOSTNAME,      /* our current hostname */
+	MYID_IP,            /* our default IP address */
+	MYID_SPECIFIED      /* as specified by ipsec.conf */
+};
+
+extern enum myid_state myid_state;
+extern identification_t* myids[MYID_SPECIFIED+1];  /* %myid */
+extern void set_myid(enum myid_state s, char *);
+extern void show_myid_status(void);
+extern void set_myFQDN(void);
+
+#define resolve_myid(id) ((id)->get_type(id) == ID_MYID? myids[myid_state] : (id))
+
+#endif /* _MYID_H */
diff --git a/src/pluto/nat_traversal.c b/src/pluto/nat_traversal.c
index de3972fe2..feedf2aad 100644
--- a/src/pluto/nat_traversal.c
+++ b/src/pluto/nat_traversal.c
@@ -147,7 +147,7 @@ static void _natd_hash(const struct hash_desc *oakley_hasher, char *hash,
 				addr_chunk = chunk_from_thing(ip->u.v6.sin6_addr.s6_addr);
 				break;
 			default:
-				addr_chunk = chunk_empty; /* should never occur */ 
+				addr_chunk = chunk_empty; /* should never occur */
 		}
 		hasher->get_hash(hasher, addr_chunk, NULL);
 		hasher->get_hash(hasher, port_chunk, hash);
@@ -310,7 +310,7 @@ bool nat_traversal_add_natd(u_int8_t np, pb_stream *outs,
 	DBG(DBG_EMITTING,
 		DBG_log("sending NATD payloads")
 	)
-		
+
 	/*
 	 * First one with sender IP & port
 	 */
@@ -348,7 +348,7 @@ bool nat_traversal_add_natd(u_int8_t np, pb_stream *outs,
 
 /*
  * nat_traversal_natoa_lookup()
- * 
+ *
  * Look for NAT-OA in message
  */
 void nat_traversal_natoa_lookup(struct msg_digest *md)
@@ -435,7 +435,7 @@ void nat_traversal_natoa_lookup(struct msg_digest *md)
 		{
 			char ip_t[ADDRTOT_BUF];
 			addrtot(&ip, 0, ip_t, sizeof(ip_t));
-		
+
 			DBG_log("received NAT-OA: %s", ip_t);
 		}
 	)
@@ -514,7 +514,7 @@ void nat_traversal_show_result (u_int32_t nt, u_int16_t sport)
 		mth = natt_type_bitnames[2];
 		break;
 	}
-	
+
 	switch (nt & NAT_T_DETECTED)
 	{
 	case 0:
@@ -600,7 +600,7 @@ static void nat_traversal_send_ka (struct state *st)
 static void nat_traversal_ka_event_state (struct state *st, void *data)
 {
 	unsigned int *_kap_st = (unsigned int *)data;
-	const struct connection *c = st->st_connection;
+	const connection_t *c = st->st_connection;
 
 	if (!c)
 		return;
@@ -658,7 +658,7 @@ struct _new_mapp_nfo {
 
 static void nat_traversal_find_new_mapp_state (struct state *st, void *data)
 {
-	struct connection *c = st->st_connection;
+	connection_t *c = st->st_connection;
 	struct _new_mapp_nfo *nfo = (struct _new_mapp_nfo *)data;
 
 	if (c != NULL
@@ -720,7 +720,7 @@ static int nat_traversal_new_mapping(const ip_address *src, u_int16_t sport,
 
 void nat_traversal_change_port_lookup(struct msg_digest *md, struct state *st)
 {
-	struct connection *c = st ? st->st_connection : NULL;
+	connection_t *c = st ? st->st_connection : NULL;
 	struct iface *i = NULL;
 
 	if ((st == NULL) || (c == NULL))
@@ -804,7 +804,7 @@ struct _new_klips_mapp_nfo {
 
 static void nat_t_new_klips_mapp (struct state *st, void *data)
 {
-	struct connection *c = st->st_connection;
+	connection_t *c = st->st_connection;
 	struct _new_klips_mapp_nfo *nfo = (struct _new_klips_mapp_nfo *)data;
 
 	if (c != NULL && st->st_esp.present
diff --git a/src/pluto/ocsp.c b/src/pluto/ocsp.c
index 8e428a759..b1f558ebf 100644
--- a/src/pluto/ocsp.c
+++ b/src/pluto/ocsp.c
@@ -67,19 +67,19 @@ static const char *const response_status_names[] = {
 typedef struct response response_t;
 
 struct response {
-	chunk_t  tbs;
-	chunk_t  responder_id_name;
-	chunk_t  responder_id_key;
-	time_t   produced_at;
-	chunk_t  responses;
-	chunk_t  nonce;
-	int      algorithm;
-	chunk_t  signature;
+	chunk_t          tbs;
+	identification_t *responder_id_name;
+	chunk_t           responder_id_key;
+	time_t            produced_at;
+	chunk_t           responses;
+	chunk_t           nonce;
+	int               algorithm;
+	chunk_t           signature;
 };
 
 const response_t empty_response = {
 	{ NULL, 0 }   ,     /* tbs */
-	{ NULL, 0 }   ,     /* responder_id_name */
+	  NULL        ,     /* responder_id_name */
 	{ NULL, 0 }   ,     /* responder_id_key */
 	UNDEFINED_TIME,     /* produced_at */
 	{ NULL, 0 }   ,     /* single_response */
@@ -105,16 +105,16 @@ struct single_response {
 };
 
 const single_response_t empty_single_response = {
-	  NULL            , /* *next */
-	OID_UNKNOWN       , /* hash_algorithm */
-	{ NULL, 0 }       , /* issuer_name_hash */
-	{ NULL, 0 }       , /* issuer_key_hash */
-	{ NULL, 0 }       , /* serial_number */
-	CERT_UNDEFINED    , /* status */
-	UNDEFINED_TIME    , /* revocationTime */
-	REASON_UNSPECIFIED, /* revocationReason */
-	UNDEFINED_TIME    , /* this_update */
-	UNDEFINED_TIME      /* next_update */
+	  NULL                , /* *next */
+	OID_UNKNOWN           , /* hash_algorithm */
+	{ NULL, 0 }           , /* issuer_name_hash */
+	{ NULL, 0 }           , /* issuer_key_hash */
+	{ NULL, 0 }           , /* serial_number */
+	CERT_UNDEFINED        , /* status */
+	UNDEFINED_TIME        , /* revocationTime */
+	CRL_REASON_UNSPECIFIED, /* revocationReason */
+	UNDEFINED_TIME        , /* this_update */
+	UNDEFINED_TIME          /* next_update */
 };
 
 
@@ -126,26 +126,17 @@ struct request_list {
 };
 
 /* some OCSP specific prefabricated ASN.1 constants */
-
-static u_char ASN1_nonce_oid_str[] = {
+static const chunk_t ASN1_nonce_oid = chunk_from_chars(
 	0x06, 0x09, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x02
-};
-
-static const chunk_t ASN1_nonce_oid = chunk_from_buf(ASN1_nonce_oid_str);
-
-static u_char ASN1_response_oid_str[] = {
+);
+static const chunk_t ASN1_response_oid = chunk_from_chars(
 	0x06, 0x09, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x04
-};
-
-static const chunk_t ASN1_response_oid = chunk_from_buf(ASN1_response_oid_str);
-
-static u_char ASN1_response_content_str[] = {
+);
+static const chunk_t ASN1_response_content = chunk_from_chars(
 	0x04, 0x0D,
 		  0x30, 0x0B,
 				0x06, 0x09, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x01
-};
-
-static const chunk_t ASN1_response_content = chunk_from_buf(ASN1_response_content_str);
+);
 
 /* default OCSP uri */
 static chunk_t ocsp_default_uri;
@@ -154,7 +145,7 @@ static chunk_t ocsp_default_uri;
 static ocsp_location_t *ocsp_cache = NULL;
 
 /* static temporary storage for ocsp requestor information */
-static x509cert_t *ocsp_requestor_cert = NULL;
+static cert_t *ocsp_requestor_cert = NULL;
 
 static smartcard_t *ocsp_requestor_sc = NULL;
 
@@ -290,27 +281,38 @@ static const asn1Object_t singleResponseObjects[] = {
  * Build an ocsp location from certificate information
  * without unsharing its contents
  */
-static bool build_ocsp_location(const x509cert_t *cert, ocsp_location_t *location)
+static bool build_ocsp_location(const cert_t *cert, ocsp_location_t *location)
 {
+	certificate_t *certificate = cert->cert;
+	identification_t *issuer = certificate->get_issuer(certificate);
+	x509_t *x509 = (x509_t*)certificate;
+	chunk_t issuer_dn = issuer->get_encoding(issuer);
+	chunk_t authKeyID = x509->get_authKeyIdentifier(x509);
 	hasher_t *hasher;
 	static u_char digest[HASH_SIZE_SHA1];  /* temporary storage */
-	
-	location->uri = cert->accessLocation;
 
-	if (location->uri.ptr == NULL)
+	enumerator_t *enumerator = x509->create_ocsp_uri_enumerator(x509);
+
+	location->uri = NULL;
+	while (enumerator->enumerate(enumerator, &location->uri))
+	{
+		break;
+	}
+	enumerator->destroy(enumerator);
+
+	if (location->uri == NULL)
 	{
-		ca_info_t *ca = get_ca_info(cert->issuer, cert->authKeySerialNumber
-				, cert->authKeyID);
-		if (ca != NULL && ca->ocspuri != NULL)
+		ca_info_t *ca = get_ca_info(issuer, authKeyID);
+		if (ca && ca->ocspuri)
 		{
-			location->uri = chunk_create(ca->ocspuri, strlen(ca->ocspuri));
+			location->uri = ca->ocspuri;
 		}
 		else
 		{   /* abort if no ocsp location uri is defined */
 			return FALSE;
 		}
 	}
-	
+
 	/* compute authNameID from as SHA-1 hash of issuer DN */
 	location->authNameID = chunk_create(digest, HASH_SIZE_SHA1);
 	hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
@@ -318,23 +320,22 @@ static bool build_ocsp_location(const x509cert_t *cert, ocsp_location_t *locatio
 	{
 		return FALSE;
 	}
- 	hasher->get_hash(hasher, cert->issuer, digest);
+	hasher->get_hash(hasher, issuer_dn, digest);
 	hasher->destroy(hasher);
 
 	location->next = NULL;
-	location->issuer = cert->issuer;
-	location->authKeyID = cert->authKeyID;
-	location->authKeySerialNumber = cert->authKeySerialNumber;
-	
-	if (cert->authKeyID.ptr == NULL) 
+	location->issuer = issuer;
+	location->authKeyID = authKeyID;
+
+	if (authKeyID.ptr == NULL)
 	{
-		x509cert_t *authcert = get_authcert(cert->issuer
-				, cert->authKeySerialNumber, cert->authKeyID, AUTH_CA);
+		cert_t *authcert = get_authcert(issuer, authKeyID, X509_CA);
 
-		if (authcert != NULL)
+		if (authcert)
 		{
-			location->authKeyID = authcert->subjectKeyID;
-			location->authKeySerialNumber = authcert->serialNumber;
+			x509_t *x509 = (x509_t*)authcert->cert;
+
+			location->authKeyID = x509->get_subjectKeyIdentifier(x509);
 		}
 	}
 
@@ -349,11 +350,10 @@ static bool build_ocsp_location(const x509cert_t *cert, ocsp_location_t *locatio
  */
 static bool same_ocsp_location(const ocsp_location_t *a, const ocsp_location_t *b)
 {
-	return ((a->authKeyID.ptr != NULL)
+	return ((a->authKeyID.ptr)
 				? same_keyid(a->authKeyID, b->authKeyID)
-				: (same_dn(a->issuer, b->issuer)
-					&& same_serial(a->authKeySerialNumber, b->authKeySerialNumber)))
-			&& chunk_equals(a->uri, b->uri);
+				: a->issuer->equals(a->issuer, b->issuer))
+			&& streq(a->uri, b->uri);
 }
 
 /**
@@ -362,7 +362,7 @@ static bool same_ocsp_location(const ocsp_location_t *a, const ocsp_location_t *
 ocsp_location_t* get_ocsp_location(const ocsp_location_t * loc, ocsp_location_t *chain)
 {
 
-	while (chain != NULL)
+	while (chain)
 	{
 		if (same_ocsp_location(loc, chain))
 			return chain;
@@ -393,7 +393,7 @@ static cert_status_t get_ocsp_status(const ocsp_location_t *loc,
 	certinfop = &location->certinfo;
 	certinfo = *certinfop;
 
-	while (certinfo != NULL)
+	while (certinfo)
 	{
 		cmp = chunk_compare(serialNumber, certinfo->serialNumber);
 		if (cmp <= 0)
@@ -416,30 +416,34 @@ static cert_status_t get_ocsp_status(const ocsp_location_t *loc,
 /**
  * Verify the ocsp status of a certificate
  */
-cert_status_t verify_by_ocsp(const x509cert_t *cert, time_t *until,
+cert_status_t verify_by_ocsp(const cert_t *cert, time_t *until,
 							 time_t *revocationDate,
 							 crl_reason_t *revocationReason)
 {
+	x509_t *x509 = (x509_t*)cert->cert;
+	chunk_t serialNumber = x509->get_serial(x509);
 	cert_status_t status;
 	ocsp_location_t location;
-	time_t nextUpdate = 0;
+	time_t nextUpdate = UNDEFINED_TIME;
 
 	*revocationDate = UNDEFINED_TIME;
-	*revocationReason = REASON_UNSPECIFIED;
-	
+	*revocationReason = CRL_REASON_UNSPECIFIED;
+
 	/* is an ocsp location defined? */
 	if (!build_ocsp_location(cert, &location))
+	{
 		return CERT_UNDEFINED;
+	}
 
 	lock_ocsp_cache("verify_by_ocsp");
-	status = get_ocsp_status(&location, cert->serialNumber, &nextUpdate
+	status = get_ocsp_status(&location, serialNumber, &nextUpdate
 		, revocationDate, revocationReason);
 	unlock_ocsp_cache("verify_by_ocsp");
 
 	if (status == CERT_UNDEFINED || nextUpdate < time(NULL))
 	{
 		plog("ocsp status is stale or not in cache");
-		add_ocsp_fetch_request(&location, cert->serialNumber);
+		add_ocsp_fetch_request(&location, serialNumber);
 
 		/* inititate fetching of ocsp status */
 		wake_fetch_thread("verify_by_ocsp");
@@ -457,14 +461,14 @@ void check_ocsp(void)
 
 	lock_ocsp_cache("check_ocsp");
 	location = ocsp_cache;
-	
-	while (location != NULL)
+
+	while (location)
 	{
 		char buf[BUF_LEN];
 		bool first = TRUE;
 		ocsp_certinfo_t *certinfo = location->certinfo;
 
-		while (certinfo != NULL)
+		while (certinfo)
 		{
 			if (!certinfo->once)
 			{
@@ -473,9 +477,8 @@ void check_ocsp(void)
 				DBG(DBG_CONTROL,
 					if (first)
 					{
-						dntoa(buf, BUF_LEN, location->issuer);
-						DBG_log("issuer: '%s'", buf);
-						if (location->authKeyID.ptr != NULL)
+						DBG_log("issuer: \"%Y\"", location->issuer);
+						if (location->authKeyID.ptr)
 						{
 							datatot(location->authKeyID.ptr, location->authKeyID.len
 								, ':', buf, BUF_LEN);
@@ -514,7 +517,7 @@ static void free_certinfos(ocsp_certinfo_t *chain)
 {
 	ocsp_certinfo_t *certinfo;
 
-	while (chain != NULL)
+	while (chain)
 	{
 		certinfo = chain;
 		chain = chain->next;
@@ -527,11 +530,10 @@ static void free_certinfos(ocsp_certinfo_t *chain)
  */
 static void free_ocsp_location(ocsp_location_t* location)
 {
-	free(location->issuer.ptr);
+	DESTROY_IF(location->issuer);
 	free(location->authNameID.ptr);
 	free(location->authKeyID.ptr);
-	free(location->authKeySerialNumber.ptr);
-	free(location->uri.ptr);
+	free(location->uri);
 	free_certinfos(location->certinfo);
 	free(location);
 }
@@ -541,7 +543,7 @@ static void free_ocsp_location(ocsp_location_t* location)
  */
 void free_ocsp_locations(ocsp_location_t **chain)
 {
-	while (*chain != NULL)
+	while (*chain)
 	{
 		ocsp_location_t *location = *chain;
 		*chain = location->next;
@@ -576,73 +578,55 @@ void list_ocsp_locations(ocsp_location_t *location, bool requests,
 {
 	bool first = TRUE;
 
-	while (location != NULL)
+	while (location)
 	{
 		ocsp_certinfo_t *certinfo = location->certinfo;
 
-		if (certinfo != NULL)
+		if (certinfo)
 		{
-			u_char buf[BUF_LEN];
-
 			if (first)
 			{
 				whack_log(RC_COMMENT, " ");
-				whack_log(RC_COMMENT, "List of OCSP %s:", requests?
-					"fetch requests":"responses");
+				whack_log(RC_COMMENT, "List of OCSP %s:", requests ?
+					"Fetch Requests" : "Responses");
 				first = FALSE;
 			}
 			whack_log(RC_COMMENT, " ");
-			if (location->issuer.ptr != NULL)
-			{
-				dntoa(buf, BUF_LEN, location->issuer);
-				whack_log(RC_COMMENT, "       issuer:  '%s'", buf);
-			}
-			whack_log(RC_COMMENT, "       uri:     '%.*s'", (int)location->uri.len
-				, location->uri.ptr);
-			if (location->authNameID.ptr != NULL)
+			if (location->issuer)
 			{
-				datatot(location->authNameID.ptr, location->authNameID.len, ':'
-					, buf, BUF_LEN);
-				whack_log(RC_COMMENT, "       authname: %s", buf);
+				whack_log(RC_COMMENT, "  issuer:   \"%Y\"", location->issuer);
 			}
-			if (location->authKeyID.ptr != NULL)
+			whack_log(RC_COMMENT, "  uri:      '%s'", location->uri);
+			if (location->authNameID.ptr)
 			{
-				datatot(location->authKeyID.ptr, location->authKeyID.len, ':'
-					, buf, BUF_LEN);
-				whack_log(RC_COMMENT, "       authkey:  %s", buf);
+				whack_log(RC_COMMENT, "  authname:  %#B", &location->authNameID);
 			}
-			if (location->authKeySerialNumber.ptr != NULL)
+			if (location->authKeyID.ptr)
 			{
-				datatot(location->authKeySerialNumber.ptr
-					, location->authKeySerialNumber.len, ':', buf, BUF_LEN);
-				whack_log(RC_COMMENT, "       aserial:  %s", buf);
+				whack_log(RC_COMMENT, "  authkey:   %#B", &location->authKeyID);
 			}
-			while (certinfo != NULL)
+			while (certinfo)
 			{
-				char thisUpdate[BUF_LEN];
-
-				snprintf(thisUpdate, BUF_LEN, "%T", &certinfo->thisUpdate, utc);
-
 				if (requests)
 				{
-					whack_log(RC_COMMENT, "%s, trials: %d", thisUpdate
-						, certinfo->trials);
+					whack_log(RC_COMMENT, "  serial:    %#B, %d trials",
+						 &certinfo->serialNumber, certinfo->trials);
 				}
 				else if (certinfo->once)
 				{
-					whack_log(RC_COMMENT, "%s, onetime use%s", thisUpdate
-						, (certinfo->nextUpdate < time(NULL))? " (expired)": "");
+					whack_log(RC_COMMENT, "  serial:    %#B, %s, once%s",
+						&certinfo->serialNumber,
+						cert_status_names[certinfo->status],
+						(certinfo->nextUpdate < time(NULL))? " (expired)": "");
 				}
 				else
 				{
-					whack_log(RC_COMMENT, "%s, until %T %s", thisUpdate
-						, &certinfo->nextUpdate, utc
-						, check_expiry(certinfo->nextUpdate, OCSP_WARNING_INTERVAL, strict));
+					whack_log(RC_COMMENT, "  serial:    %#B, %s, until %T %s", 
+						&certinfo->serialNumber,
+						cert_status_names[certinfo->status],
+ 						&certinfo->nextUpdate, utc,
+						check_expiry(certinfo->nextUpdate, OCSP_WARNING_INTERVAL, strict));
 				}
-				datatot(certinfo->serialNumber.ptr, certinfo->serialNumber.len, ':'
-					, buf, BUF_LEN);
-				whack_log(RC_COMMENT, "       serial:   %s, %s", buf
-					, cert_status_names[certinfo->status]);
 				certinfo = certinfo->next;
 			}
 		}
@@ -662,7 +646,7 @@ void list_ocsp_cache(bool utc, bool strict)
 
 static bool get_ocsp_requestor_cert(ocsp_location_t *location)
 {
-	x509cert_t *cert = NULL;
+	cert_t *cert = NULL;
 
 	/* initialize temporary static storage */
 	ocsp_requestor_cert = NULL;
@@ -671,17 +655,17 @@ static bool get_ocsp_requestor_cert(ocsp_location_t *location)
 
 	for (;;)
 	{
-		char buf[BUF_LEN];
+		certificate_t *certificate;
 
 		/* looking for a certificate from the same issuer */
-		cert = get_x509cert(location->issuer, location->authKeySerialNumber
-					,location->authKeyID, cert);
+		cert = get_x509cert(location->issuer, location->authKeyID, cert);
 		if (cert == NULL)
+		{
 			break;
-
+		}
+		certificate = cert->cert;
 		DBG(DBG_CONTROL,
-			dntoa(buf, BUF_LEN, cert->subject);
-			DBG_log("candidate: '%s'", buf);
+			DBG_log("candidate: '%Y'", certificate->get_subject(certificate));
 		)
 
 		if (cert->smartcard)
@@ -689,7 +673,7 @@ static bool get_ocsp_requestor_cert(ocsp_location_t *location)
 			/* look for a matching private key on a smartcard */
 			smartcard_t *sc = scx_get(cert);
 
-			if (sc != NULL)
+			if (sc)
 			{
 				DBG(DBG_CONTROL,
 					DBG_log("matching smartcard found")
@@ -708,7 +692,7 @@ static bool get_ocsp_requestor_cert(ocsp_location_t *location)
 			/* look for a matching private key in the chained list */
 			private_key_t *private = get_x509_private_key(cert);
 
-			if (private != NULL)
+			if (private)
 			{
 				DBG(DBG_CONTROL,
 					DBG_log("matching private key found")
@@ -726,8 +710,7 @@ static chunk_t sc_build_sha1_signature(chunk_t tbs, smartcard_t *sc)
 {
 	hasher_t *hasher;
 	u_char *pos;
-	u_char digest_buf[HASH_SIZE_SHA1];
-	chunk_t digest = chunk_from_buf(digest_buf);
+	chunk_t digest;
 	chunk_t digest_info, sigdata;
 	size_t siglen = 0;
 
@@ -756,15 +739,15 @@ static chunk_t sc_build_sha1_signature(chunk_t tbs, smartcard_t *sc)
 	{
 		return chunk_empty;
 	}
- 	hasher->get_hash(hasher, tbs, digest_buf);
+	hasher->allocate_hash(hasher, tbs, &digest);
 	hasher->destroy(hasher);
 
 	/* according to PKCS#1 v2.1 digest must be packaged into
 	 * an ASN.1 structure for encryption
 	 */
-	digest_info = asn1_wrap(ASN1_SEQUENCE, "cm"
+	digest_info = asn1_wrap(ASN1_SEQUENCE, "mm"
 		, asn1_algorithmIdentifier(OID_SHA1)
-		, asn1_simple_object(ASN1_OCTET_STRING, digest));
+		, asn1_wrap(ASN1_OCTET_STRING, "m", digest));
 
 	pos = asn1_build_object(&sigdata, ASN1_BIT_STRING, 1 + siglen);
 	*pos++ = 0x00;
@@ -784,9 +767,9 @@ static chunk_t sc_build_sha1_signature(chunk_t tbs, smartcard_t *sc)
  */
 static chunk_t build_signature(chunk_t tbsRequest)
 {
-	chunk_t sigdata, certs;
+	chunk_t sigdata, cert, certs;
 
-	if (ocsp_requestor_sc != NULL)
+	if (ocsp_requestor_sc)
 	{
 		/* RSA signature is done on smartcard */
 		sigdata = sc_build_sha1_signature(tbsRequest, ocsp_requestor_sc);
@@ -803,15 +786,13 @@ static chunk_t build_signature(chunk_t tbsRequest)
 	}
 
 	/* include our certificate */
-	certs = asn1_wrap(ASN1_CONTEXT_C_0, "m"
-				, asn1_simple_object(ASN1_SEQUENCE
-					, ocsp_requestor_cert->certificate
-				  )
-			);
+	cert = ocsp_requestor_cert->cert->get_encoding(ocsp_requestor_cert->cert);
+	certs = asn1_wrap(ASN1_CONTEXT_C_0, "m",
+				asn1_wrap(ASN1_SEQUENCE, "m", cert));
 
 	/* build signature comprising algorithm, signature and cert */
 	return asn1_wrap(ASN1_CONTEXT_C_0, "m"
-				, asn1_wrap(ASN1_SEQUENCE, "cmm"
+				, asn1_wrap(ASN1_SEQUENCE, "mmm"
 					, asn1_algorithmIdentifier(OID_SHA1_WITH_RSA)
 					, sigdata
 					, certs
@@ -825,7 +806,7 @@ static chunk_t build_signature(chunk_t tbsRequest)
  */
 static chunk_t build_request(ocsp_location_t *location, ocsp_certinfo_t *certinfo)
 {
-	chunk_t reqCert = asn1_wrap(ASN1_SEQUENCE, "cmmm"
+	chunk_t reqCert = asn1_wrap(ASN1_SEQUENCE, "mmmm"
 				, asn1_algorithmIdentifier(OID_SHA1)
 				, asn1_simple_object(ASN1_OCTET_STRING, location->authNameID)
 				, asn1_simple_object(ASN1_OCTET_STRING, location->authKeyID)
@@ -847,7 +828,7 @@ static chunk_t build_request_list(ocsp_location_t *location)
 	size_t datalen = 0;
 
 	/* build content */
-	while (certinfo != NULL)
+	while (certinfo)
 	{
 		/* build request for every certificate in list
 		 * and store them in a chained list
@@ -865,7 +846,7 @@ static chunk_t build_request_list(ocsp_location_t *location)
 	pos = asn1_build_object(&requestList, ASN1_SEQUENCE, datalen);
 
 	/* copy all in chained list, free list afterwards */
-	while (reqs != NULL)
+	while (reqs)
 	{
 		request_list_t *req = reqs;
 
@@ -882,9 +863,12 @@ static chunk_t build_request_list(ocsp_location_t *location)
  */
 static chunk_t build_requestor_name(void)
 {
+	certificate_t *certificate = ocsp_requestor_cert->cert;
+	identification_t *subject = certificate->get_subject(certificate);
+
 	return asn1_wrap(ASN1_CONTEXT_C_1, "m"
 				, asn1_simple_object(ASN1_CONTEXT_C_4
-					, ocsp_requestor_cert->subject));
+					, subject->get_encoding(subject)));
 }
 
 /**
@@ -944,17 +928,13 @@ chunk_t build_ocsp_request(ocsp_location_t *location)
 {
 	bool has_requestor_cert;
 	chunk_t tbsRequest, signature;
-	char buf[BUF_LEN];
 
 	DBG(DBG_CONTROL,
 		DBG_log("assembling ocsp request");
-		dntoa(buf, BUF_LEN, location->issuer);
-		DBG_log("issuer: '%s'", buf);
-		if (location->authKeyID.ptr != NULL)
+		DBG_log("issuer: \"%Y\"", location->issuer);
+		if (location->authKeyID.ptr)
 		{
-			datatot(location->authKeyID.ptr, location->authKeyID.len, ':'
-				, buf, BUF_LEN);
-			DBG_log("authkey: %s", buf);
+			DBG_log("authkey: %#B", &location->authKeyID);
 		}
 	)
 	lock_certs_and_keys("build_ocsp_request");
@@ -981,14 +961,13 @@ chunk_t build_ocsp_request(ocsp_location_t *location)
  */
 static bool valid_ocsp_response(response_t *res)
 {
-	int pathlen;
-	x509cert_t *authcert;
+	int pathlen, pathlen_constraint;
+	cert_t *authcert;
 
 	lock_authcert_list("valid_ocsp_response");
 
-	authcert = get_authcert(res->responder_id_name, chunk_empty
-					, res->responder_id_key, AUTH_OCSP | AUTH_CA);
-
+	authcert = get_authcert(res->responder_id_name, res->responder_id_key,
+							X509_OCSP_SIGNER | X509_CA);
 	if (authcert == NULL)
 	{
 		plog("no matching ocsp signer cert found");
@@ -999,7 +978,8 @@ static bool valid_ocsp_response(response_t *res)
 		DBG_log("ocsp signer cert found")
 	)
 
-	if (!x509_check_signature(res->tbs, res->signature, res->algorithm, authcert))
+	if (!x509_check_signature(res->tbs, res->signature, res->algorithm,
+							  authcert->cert))
 	{
 		plog("signature of ocsp response is invalid");
 		unlock_authcert_list("valid_ocsp_response");
@@ -1010,43 +990,38 @@ static bool valid_ocsp_response(response_t *res)
 	)
 
 
-	for (pathlen = 0; pathlen < MAX_CA_PATH_LEN; pathlen++)
+	for (pathlen = -1; pathlen <= X509_MAX_PATH_LEN; pathlen++)
 	{
-		u_char buf[BUF_LEN];
-		err_t ugh = NULL;
-		time_t until;
-
-		x509cert_t *cert = authcert;
+		cert_t *cert = authcert;
+		certificate_t *certificate = cert->cert;
+		x509_t *x509 = (x509_t*)certificate;
+		identification_t *subject = certificate->get_subject(certificate);
+		identification_t *issuer  = certificate->get_issuer(certificate);
+		chunk_t authKeyID = x509->get_authKeyIdentifier(x509);
+		time_t not_before, not_after;
 
 		DBG(DBG_CONTROL,
-			dntoa(buf, BUF_LEN, cert->subject);
-			DBG_log("subject: '%s'",buf);
-			dntoa(buf, BUF_LEN, cert->issuer);
-			DBG_log("issuer:  '%s'",buf);
-			if (cert->authKeyID.ptr != NULL)
+			DBG_log("subject: '%Y'", subject);
+			DBG_log("issuer:  '%Y'", issuer);
+			if (authKeyID.ptr)
 			{
-				datatot(cert->authKeyID.ptr, cert->authKeyID.len, ':'
-					, buf, BUF_LEN);
-				DBG_log("authkey:  %s", buf);
+				DBG_log("authkey:  %#B", &authKeyID);
 			}
 		)
 
-		ugh = check_validity(authcert, &until);
-
-		if (ugh != NULL)
+		if (!certificate->get_validity(certificate, NULL, &not_before, &not_after))
 		{
-			plog("%s", ugh);
+			plog("certificate is invalid (valid from %T to %T)",
+				 &not_before, FALSE, &not_after, FALSE);
+			
 			unlock_authcert_list("valid_ocsp_response");
 			return FALSE;
 		}
-		
 		DBG(DBG_CONTROL,
 			DBG_log("certificate is valid")
 		)
-		
-		authcert = get_authcert(cert->issuer, cert->authKeySerialNumber
-			, cert->authKeyID, AUTH_CA);
 
+		authcert = get_authcert(issuer, authKeyID, X509_CA);
 		if (authcert == NULL)
 		{
 			plog("issuer cacert not found");
@@ -1057,8 +1032,7 @@ static bool valid_ocsp_response(response_t *res)
 			DBG_log("issuer cacert found")
 		)
 
-		if (!x509_check_signature(cert->tbsCertificate, cert->signature,
-								  cert->algorithm, authcert))
+		if (!certificate->issued_by(certificate, authcert->cert))
 		{
 			plog("certificate signature is invalid");
 			unlock_authcert_list("valid_ocsp_response");
@@ -1068,17 +1042,28 @@ static bool valid_ocsp_response(response_t *res)
 			DBG_log("certificate signature is valid")
 		)
 
+		/* check path length constraint */
+		pathlen_constraint = x509->get_pathLenConstraint(x509);
+		if (pathlen_constraint != X509_NO_PATH_LEN_CONSTRAINT &&
+			pathlen > pathlen_constraint)
+		{
+			plog("path length of %d violates constraint of %d",
+				 pathlen, pathlen_constraint);
+			return FALSE;
+		}
+
 		/* check if cert is self-signed */
-		if (same_dn(cert->issuer, cert->subject))
+		if (x509->get_flags(x509) & X509_SELF_SIGNED)
 		{
 			DBG(DBG_CONTROL,
-				DBG_log("reached self-signed root ca")
+				DBG_log("reached self-signed root ca with a path length of %d",
+						pathlen)
 			)
 			unlock_authcert_list("valid_ocsp_response");
 			return TRUE;
 		}
 	}
-	plog("maximum ca path length of %d levels exceeded", MAX_CA_PATH_LEN);
+	plog("maximum path length of %d exceeded", X509_MAX_PATH_LEN);
 	unlock_authcert_list("valid_ocsp_response");
 	return FALSE;
 }
@@ -1091,7 +1076,6 @@ static bool parse_basic_ocsp_response(chunk_t blob, int level0, response_t *res)
 	asn1_parser_t *parser;
 	chunk_t object;
 	u_int version;
-	u_char buf[BUF_LEN];
 	int objectID;
 	int extn_oid = OID_UNKNOWN;
 	bool success = FALSE;
@@ -1116,10 +1100,10 @@ static bool parse_basic_ocsp_response(chunk_t blob, int level0, response_t *res)
 			}
 			break;
 		case BASIC_RESPONSE_ID_BY_NAME:
-			res->responder_id_name = object;
+			res->responder_id_name = identification_create_from_encoding(
+										ID_DER_ASN1_DN, object);
 			DBG(DBG_PARSING,
-				dntoa(buf, BUF_LEN, object);
-				DBG_log("  '%s'",buf)
+				DBG_log("  '%Y'", res->responder_id_name)
 			)
 			break;
 		case BASIC_RESPONSE_ID_BY_KEY:
@@ -1153,23 +1137,35 @@ static bool parse_basic_ocsp_response(chunk_t blob, int level0, response_t *res)
 			break;
 		case BASIC_RESPONSE_CERTIFICATE:
 			{
-				chunk_t blob = chunk_clone(object);
-				x509cert_t *cert = malloc_thing(x509cert_t);
-
-				*cert = empty_x509cert;
-
-				if (parse_x509cert(blob, parser->get_level(parser)+1, cert)
-				&& cert->isOcspSigner
-				&& trust_authcert_candidate(cert, NULL))
+				cert_t *cert = malloc_thing(cert_t);
+				x509_t *x509;
+
+				*cert = cert_empty;
+				cert->cert = lib->creds->create(lib->creds,
+								  		  CRED_CERTIFICATE, CERT_X509,
+								  		  BUILD_BLOB_ASN1_DER, object,
+								  		  BUILD_END);
+				if (cert->cert == NULL)
+				{
+					DBG(DBG_CONTROL | DBG_PARSING,
+						DBG_log("parsing of embedded ocsp certificate failed")
+					)
+					cert_free(cert);
+					break;
+				}
+				x509 = (x509_t*)cert->cert;
+				
+				if ((x509->get_flags(x509) & X509_OCSP_SIGNER) &&
+					trust_authcert_candidate(cert, NULL))
 				{
-					add_authcert(cert, AUTH_OCSP);
+					add_authcert(cert, X509_OCSP_SIGNER);
 				}
 				else
 				{
 					DBG(DBG_CONTROL | DBG_PARSING,
 						DBG_log("embedded ocsp certificate rejected")
 					)
-					free_x509cert(cert);
+					cert_free(cert);
 				}
 			}
 			break;
@@ -1292,7 +1288,7 @@ static bool parse_ocsp_single_response(chunk_t blob, int level0,
 			break;
 		case SINGLE_RESPONSE_CERT_STATUS_CRL_REASON:
 			sres->revocationReason = (object.len == 1)
-				? *object.ptr : REASON_UNSPECIFIED;
+				? *object.ptr : CRL_REASON_UNSPECIFIED;
 			break;
 		case SINGLE_RESPONSE_CERT_STATUS_UNKNOWN:
 			sres->status = CERT_UNKNOWN;
@@ -1329,11 +1325,10 @@ ocsp_location_t* add_ocsp_location(const ocsp_location_t *loc,
 	ocsp_location_t *location = malloc_thing(ocsp_location_t);
 
 	/* unshare location fields */
-	location->issuer = chunk_clone(loc->issuer);
+	location->issuer = loc->issuer->clone(loc->issuer);
 	location->authNameID = chunk_clone(loc->authNameID);
 	location->authKeyID = chunk_clone(loc->authKeyID);
-	location->authKeySerialNumber = chunk_clone(loc->authKeySerialNumber);
-	location->uri = chunk_clone(loc->uri);
+	location->uri = strdup(loc->uri);
 	location->certinfo = NULL;
 
 	/* insert new ocsp location in front of chain */
@@ -1369,7 +1364,7 @@ void add_certinfo(ocsp_location_t *loc, ocsp_certinfo_t *info,
 	certinfop = &location->certinfo;
 	certinfo = *certinfop;
 
-	while (certinfo != NULL)
+	while (certinfo)
 	{
 		cmp = chunk_compare(info->serialNumber, certinfo->serialNumber);
 		if (cmp <= 0)
@@ -1385,10 +1380,11 @@ void add_certinfo(ocsp_location_t *loc, ocsp_certinfo_t *info,
 
 		cnew->serialNumber = chunk_clone(info->serialNumber);
 		cnew->next = certinfo;
+		cnew->trials = 0;
 		*certinfop = cnew;
 		certinfo = cnew;
 	}
-		
+
 	DBG(DBG_CONTROL,
 		datatot(info->serialNumber.ptr, info->serialNumber.len, ':'
 			, buf, BUF_LEN);
@@ -1403,7 +1399,7 @@ void add_certinfo(ocsp_location_t *loc, ocsp_certinfo_t *info,
 	if (request)
 	{
 		certinfo->status = CERT_UNDEFINED;
-		
+
 		if (cmp != 0)
 		{
 			certinfo->thisUpdate = now;
@@ -1415,7 +1411,7 @@ void add_certinfo(ocsp_location_t *loc, ocsp_certinfo_t *info,
 		certinfo->status = info->status;
 		certinfo->revocationTime = info->revocationTime;
 		certinfo->revocationReason = info->revocationReason;
-		
+
 		certinfo->thisUpdate = (info->thisUpdate != UNDEFINED_TIME)?
 			info->thisUpdate : now;
 
@@ -1446,12 +1442,12 @@ static void process_single_response(ocsp_location_t *location,
 		plog("ocsp single response has wrong issuer");
 		return;
 	}
-	
+
 	/* traverse list of certinfos in increasing order */
 	certinfop = &location->certinfo;
 	certinfo = *certinfop;
 
-	while (certinfo != NULL)
+	while (certinfo)
 	{
 		cmp = chunk_compare(sres->serialNumber, certinfo->serialNumber);
 		if (cmp <= 0)
@@ -1468,14 +1464,14 @@ static void process_single_response(ocsp_location_t *location,
 
 	/* unlink cert from ocsp fetch request list */
 	*certinfop = certinfo->next;
-	
+
 	/* update certinfo using the single response information */
 	certinfo->thisUpdate = sres->thisUpdate;
 	certinfo->nextUpdate = sres->nextUpdate;
 	certinfo->status = sres->status;
 	certinfo->revocationTime = sres->revocationTime;
 	certinfo->revocationReason = sres->revocationReason;
-	
+
 	/* add or update certinfo in ocsp cache */
 	lock_ocsp_cache("process_single_response");
 	add_certinfo(location, certinfo, &ocsp_cache, FALSE);
@@ -1485,6 +1481,14 @@ static void process_single_response(ocsp_location_t *location,
 	free_certinfo(certinfo);
 }
 
+/**
+ *  Destroy a response_t object
+ */
+static void free_response(response_t *res)
+{
+	DESTROY_IF(res->responder_id_name);
+}
+
 /**
  *  Parse and verify ocsp response and update the ocsp cache
  */
@@ -1498,24 +1502,24 @@ void parse_ocsp(ocsp_location_t *location, chunk_t blob)
 	if (status != STATUS_SUCCESSFUL)
 	{
 		plog("error in ocsp response");
-		return;
+		goto free;
 	}
 	/* check if there was a nonce in the request */
-	if (location->nonce.ptr != NULL && res.nonce.ptr == NULL)
+	if (location->nonce.ptr && res.nonce.ptr == NULL)
 	{
 		plog("ocsp response contains no nonce, replay attack possible");
 	}
 	/* check if the nonce is identical */
-	if (res.nonce.ptr != NULL && !chunk_equals(res.nonce, location->nonce))
+	if (res.nonce.ptr && !chunk_equals(res.nonce, location->nonce))
 	{
 		plog("invalid nonce in ocsp response");
-		return;
+		goto free;
 	}
 	/* check if the response is signed by a trusted key */
 	if (!valid_ocsp_response(&res))
 	{
 		plog("invalid ocsp response");
-		return;
+		goto free;
 	}
 	DBG(DBG_CONTROL,
 		DBG_log("valid ocsp response")
@@ -1536,7 +1540,7 @@ void parse_ocsp(ocsp_location_t *location, chunk_t blob)
 				single_response_t sres = empty_single_response;
 
 				if (!parse_ocsp_single_response(object,
-						 				parser->get_level(parser)+1, &sres))
+										parser->get_level(parser)+1, &sres))
 				{
 					goto end;
 				}
@@ -1546,4 +1550,7 @@ void parse_ocsp(ocsp_location_t *location, chunk_t blob)
 end:
 		parser->destroy(parser);
 	}
+
+free:
+	free_response(&res);
 }
diff --git a/src/pluto/ocsp.h b/src/pluto/ocsp.h
index d8ee7bd8c..977cca3c8 100644
--- a/src/pluto/ocsp.h
+++ b/src/pluto/ocsp.h
@@ -15,6 +15,8 @@
 
 #include "constants.h"
 
+#include <credentials/certificates/crl.h>
+
 /* constants */
 
 #define OCSP_BASIC_RESPONSE_VERSION     1
@@ -52,12 +54,11 @@ typedef struct ocsp_location ocsp_location_t;
 
 struct ocsp_location {
 	ocsp_location_t  *next;
-	chunk_t          issuer;
-	chunk_t          authNameID;
-	chunk_t          authKeyID;
-	chunk_t          authKeySerialNumber;
-	chunk_t          uri;
-	chunk_t          nonce;
+	identification_t *issuer;
+	chunk_t           authNameID;
+	chunk_t           authKeyID;
+	chunk_t           nonce;
+	char             *uri;
 	ocsp_certinfo_t  *certinfo;
 };
 
@@ -68,11 +69,11 @@ extern ocsp_location_t* add_ocsp_location(const ocsp_location_t *loc
 extern void add_certinfo(ocsp_location_t *loc, ocsp_certinfo_t *info
 	, ocsp_location_t **chain, bool request);
 extern void check_ocsp(void);
-extern cert_status_t verify_by_ocsp(const x509cert_t *cert, time_t *until
+extern cert_status_t verify_by_ocsp(const cert_t *cert, time_t *until
 	, time_t *revocationTime, crl_reason_t *revocationReason);
 extern bool ocsp_set_request_cert(char* path);
 extern void ocsp_set_default_uri(char* uri);
-extern void ocsp_cache_add_cert(const x509cert_t* cert);
+extern void ocsp_cache_add_cert(const cert_t* cert);
 extern chunk_t build_ocsp_request(ocsp_location_t* location);
 extern void parse_ocsp(ocsp_location_t* location, chunk_t blob);
 extern void list_ocsp_locations(ocsp_location_t *location, bool requests
diff --git a/src/pluto/packet.c b/src/pluto/packet.c
index 01967efed..35fc4afcc 100644
--- a/src/pluto/packet.c
+++ b/src/pluto/packet.c
@@ -227,7 +227,7 @@ static field_desc isat_fields_ah[] = {
 	{ ft_mbz, 8/BITS_PER_BYTE, NULL, NULL },
 	{ ft_len, 16/BITS_PER_BYTE, "length", NULL },
 	{ ft_nat, 8/BITS_PER_BYTE, "transform number", NULL },
-	{ ft_enum, 8/BITS_PER_BYTE, "transform ID", &ah_transformid_names },
+	{ ft_enum, 8/BITS_PER_BYTE, "transform ID", &ah_transform_names },
 	{ ft_mbz, 16/BITS_PER_BYTE, NULL, NULL },
 	{ ft_end, 0, NULL, NULL }
 };
@@ -242,7 +242,7 @@ static field_desc isat_fields_esp[] = {
 	{ ft_mbz, 8/BITS_PER_BYTE, NULL, NULL },
 	{ ft_len, 16/BITS_PER_BYTE, "length", NULL },
 	{ ft_nat, 8/BITS_PER_BYTE, "transform number", NULL },
-	{ ft_enum, 8/BITS_PER_BYTE, "transform ID", &esp_transformid_names },
+	{ ft_enum, 8/BITS_PER_BYTE, "transform ID", &esp_transform_names },
 	{ ft_mbz, 16/BITS_PER_BYTE, NULL, NULL },
 	{ ft_end, 0, NULL, NULL }
 };
@@ -535,7 +535,7 @@ struct_desc isakmp_vendor_id_desc = { "ISAKMP Vendor ID Payload", isag_fields, s
 	 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 	 ! Next Payload  !   RESERVED    !         Payload Length        !
 	 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-	 !     Type      !   RESERVED    !           Identifier          ! 
+	 !     Type      !   RESERVED    !           Identifier          !
 	 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 	 !                                                               !
 	 ~                           Attributes                          ~
diff --git a/src/pluto/pem.c b/src/pluto/pem.c
deleted file mode 100644
index 1a4a99af7..000000000
--- a/src/pluto/pem.c
+++ /dev/null
@@ -1,127 +0,0 @@
-/* Loading of PEM encoded files with optional encryption
- * Copyright (C) 2001-2009 Andreas Steffen
- *
- * HSR Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/* decrypt a PEM encoded data block using DES-EDE3-CBC
- * see RFC 1423 PEM: Algorithms, Modes and Identifiers
- */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <errno.h>
-#include <string.h>
-#include <stddef.h>
-#include <sys/types.h>
-
-#include <freeswan.h>
-
-#include <library.h>
-#include <asn1/pem.h>
-
-#include "constants.h"
-#include "defs.h"
-#include "log.h"
-#include "whack.h"
-#include "pem.h"
-
-/**
- *  Converts a PEM encoded file into its binary form
- *  RFC 1421 Privacy Enhancement for Electronic Mail, February 1993
- *  RFC 934 Message Encapsulation, January 1985
- */
-err_t pemtobin(chunk_t *blob, prompt_pass_t *pass, const char* label, bool *pgp)
-{
-	chunk_t password = chunk_empty;
-
-	/* do we prompt for the passphrase? */
-	if (pass && pass->prompt && pass->fd != NULL_FD)
-	{
-		int i;
-		chunk_t blob_copy;
-		err_t ugh = "invalid passphrase, too many trials";
-		status_t status;
-
-		whack_log(RC_ENTERSECRET, "need passphrase for '%s'", label);
-
-		for (i = 0; i < MAX_PROMPT_PASS_TRIALS; i++)
-		{
-			int n;
-
-			if (i > 0)
-			{
-				whack_log(RC_ENTERSECRET, "invalid passphrase, please try again");
-			}
-			n = read(pass->fd, pass->secret, PROMPT_PASS_LEN);
-
-			if (n == -1)
-			{
-				err_t ugh = "read(whackfd) failed";
-
-				whack_log(RC_LOG_SERIOUS,ugh);
-				return ugh;
-			}
-
-			pass->secret[n-1] = '\0';
-			
-			if (strlen(pass->secret) == 0)
-			{
-				err_t ugh = "no passphrase entered, aborted";
-
-				whack_log(RC_LOG_SERIOUS, ugh);
-				return ugh;
-			}
-
-			blob_copy = chunk_clone(*blob);
-			password = chunk_create(pass->secret, strlen(pass->secret));
-
-			status = pem_to_bin(blob, password, pgp);
-			if (status != INVALID_ARG)
-			{
-				if (status == SUCCESS)
-				{
-					whack_log(RC_SUCCESS, "valid passphrase");
-				}
-				else
-				{
-					whack_log(RC_LOG_SERIOUS, "%N, aborted", status_names, status);
-				}
-				free(blob_copy.ptr);
-				return NULL;
-			}
-			
-			/* blob is useless after wrong decryption, restore the original */
-			free(blob->ptr);
-			*blob = blob_copy;
-		}
-		whack_log(RC_LOG_SERIOUS, ugh);
-		return ugh;
-	}
-	else
-	{
-		if (pass)
-		{
-			password = chunk_create(pass->secret, strlen(pass->secret));
-		}
-		if (pem_to_bin(blob, password, pgp) == SUCCESS)
-		{
-			return NULL;
-		}
-		else
-		{
-			return "pem to bin conversion failed";
-		}
-	}	
-}
diff --git a/src/pluto/pem.h b/src/pluto/pem.h
deleted file mode 100644
index 5e97b99ed..000000000
--- a/src/pluto/pem.h
+++ /dev/null
@@ -1,18 +0,0 @@
-/* Loading of PEM encoded files with optional encryption
- * Copyright (C) 2001-2009 Andreas Steffen
- *
- * Hochschule fuer Technik Rapperswil 
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-extern err_t pemtobin(chunk_t *blob, prompt_pass_t *pass, const char* label,
-					  bool *pgp);
diff --git a/src/pluto/pgpcert.c b/src/pluto/pgpcert.c
deleted file mode 100644
index 1d5b14b26..000000000
--- a/src/pluto/pgpcert.c
+++ /dev/null
@@ -1,514 +0,0 @@
-/* Support of OpenPGP certificates
- * Copyright (C) 2002-2009 Andreas Steffen
- *
- * HSR - Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <stdlib.h>
-#include <string.h>
-#include <time.h>
-
-#include <freeswan.h>
-
-#include <library.h>
-#include <pgp/pgp.h>
-#include <crypto/hashers/hasher.h>
-
-#include "constants.h"
-#include "defs.h"
-#include "log.h"
-#include "id.h"
-#include "pgpcert.h"
-#include "certs.h"
-#include "whack.h"
-#include "keys.h"
-
-/**
- * Chained list of OpenPGP end certificates
- */
-static pgpcert_t *pgpcerts   = NULL;
-
-/**
- * Size of PGP Key ID
- */
-#define PGP_KEYID_SIZE          8
-
-const pgpcert_t pgpcert_empty = {
-	  NULL     , /* next */
-            0  , /* version */
-			0  , /* installed */
-			0  , /* count */
-	{ NULL, 0 }, /* certificate */
-			0  , /* created */
-			0  , /* until */
-	  NULL     , /* public key */
-	  NULL       /* fingerprint */
-};
-
-
-/**
- * Extracts the length of a PGP packet
- */
-static size_t pgp_old_packet_length(chunk_t *blob)
-{
-	/* bits 0 and 1 define the packet length type */
-	int len_type = 0x03 & *blob->ptr++;
-
-	blob->len--;
-
-	/* len_type: 0 -> 1 byte, 1 -> 2 bytes, 2 -> 4 bytes */
-	return pgp_length(blob, (len_type == 0)? 1: len_type << 1);
-}
-
-/**
- * Extracts PGP packet version (V3 or V4)
- */
-static u_char pgp_version(chunk_t *blob)
-{
-	u_char version = *blob->ptr++;
-	blob->len--;
-	DBG(DBG_PARSING,
-		DBG_log("L3 - version:");
-		DBG_log("  V%d", version)
-	)
-	return version;
-}
-
-/**
- * Parse OpenPGP signature packet defined in section 5.2.2 of RFC 4880
- */
-static bool parse_pgp_signature_packet(chunk_t *packet, pgpcert_t *cert)
-{
-	time_t created;
-	chunk_t keyid;
-	u_char  sig_type;
-	u_char version = pgp_version(packet);
-
-	/* we parse only V3 signature packets */
-	if (version != 3)
-	{
-		return TRUE;
-	}
-
-	/* size byte must have the value 5 */
-	if (pgp_length(packet, 1) != 5)
-	{
-		plog("  size must be 5");
-		return FALSE;
-	}
-
-	/* signature type - 1 byte */
-	sig_type = (u_char)pgp_length(packet, 1);
-	DBG(DBG_PARSING,
-		DBG_log("L3 - signature type:  0x%2x", sig_type)
-	)
-
-	/* creation date - 4 bytes */
-	created = (time_t)pgp_length(packet, 4);
-	DBG(DBG_PARSING,
-		DBG_log("L3 - created:");
-		DBG_log("  %T", &cert->created, TRUE)
-	)
-
-	/* key ID of signer - 8 bytes */
-	keyid.ptr = packet->ptr;
-	keyid.len = PGP_KEYID_SIZE;
-	DBG_cond_dump_chunk(DBG_PARSING, "L3 - key ID of signer", keyid);
-
-   return TRUE;
-}
-
-/**
- * Parses the version and validity of an OpenPGP public key packet
- */
-static bool parse_pgp_pubkey_version_validity(chunk_t *packet, pgpcert_t *cert)
-{
-	cert->version = pgp_version(packet);
-
-	if (cert->version < 3 || cert->version > 4)
-	{
-		plog("OpenPGP packet version V%d not supported", cert->version);
-		return FALSE;
-	}
-
-	/* creation date - 4 bytes */
-	cert->created = (time_t)pgp_length(packet, 4);
-	DBG(DBG_PARSING,
-		DBG_log("L3 - created:");
-		DBG_log("  %T", &cert->created, TRUE)
-	)
-
-	if (cert->version == 3)
-	{
-		/* validity in days - 2 bytes */
-		cert->until   = (time_t)pgp_length(packet, 2);
-
-		/* validity of 0 days means that the key never expires */
-		if (cert->until > 0)
-		{
-			cert->until = cert->created + 24*3600*cert->until;
-		}
-		DBG(DBG_PARSING,
-			DBG_log("L3 - until:");
-			DBG_log("  %T", &cert->until, TRUE);
-		)
-	}
-	return TRUE;
-}
-
-/**
- * Parse OpenPGP public key packet defined in section 5.5.2 of RFC 4880
- */
-static bool parse_pgp_pubkey_packet(chunk_t *packet, pgpcert_t *cert)
-{
-	chunk_t pubkey_packet = *packet;
- 	pgp_pubkey_alg_t pubkey_alg;
-
-	if (!parse_pgp_pubkey_version_validity(packet, cert))
-	{
-		return FALSE;
-	}
-
-	/* public key algorithm - 1 byte */
-	pubkey_alg = pgp_length(packet, 1);
-	DBG(DBG_PARSING,
-		DBG_log("L3 - public key algorithm:");
-		DBG_log("  %N", pgp_pubkey_alg_names, pubkey_alg)
-	)
-	
-	switch (pubkey_alg)
-	{
-		case PGP_PUBKEY_ALG_RSA:
-		case PGP_PUBKEY_ALG_RSA_SIGN_ONLY:
-			cert->public_key = lib->creds->create(lib->creds,
-									CRED_PUBLIC_KEY, KEY_RSA,
-									BUILD_BLOB_PGP, *packet,
-									BUILD_END);
-			if (cert->public_key == NULL)
-			{
-				return FALSE;
-			}
-			break;
-	 	default:
-			plog("  non RSA public keys not supported");
-			return FALSE;
-	}
-
-	/* compute V4 or V3 fingerprint according to section 12.2 of RFC 4880 */
-	if (cert->version == 4)
-	{
-		char pubkey_packet_header_buf[] = {
-				0x99, pubkey_packet.len / 256, pubkey_packet.len % 256
-			 };
-		chunk_t pubkey_packet_header = chunk_from_buf(pubkey_packet_header_buf);
-		chunk_t hash;
-		hasher_t *hasher;
-
-		hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
-		if (hasher == NULL)
-		{
-			plog("no SHA-1 hasher available");
-			return FALSE;
-		}
-		hasher->allocate_hash(hasher, pubkey_packet_header, NULL);
-		hasher->allocate_hash(hasher, pubkey_packet, &hash);
-		hasher->destroy(hasher);
-		cert->fingerprint = identification_create_from_encoding(ID_KEY_ID, hash);
-		free(hash.ptr);
-	}
-	else
-	{
-		/* V3 fingerprint is computed by public_key_t class */
-		cert->fingerprint = cert->public_key->get_id(cert->public_key, ID_KEY_ID);
-		if (cert->fingerprint == NULL)
-		{
-			return FALSE;
-		}
-	}
-	return TRUE;
-}
-
-/*
- * Parse OpenPGP secret key packet defined in section 5.5.3 of RFC 4880
- */
-static bool parse_pgp_secretkey_packet(chunk_t *packet, private_key_t **key)
-{
-	pgp_pubkey_alg_t pubkey_alg;
-	pgpcert_t cert = pgpcert_empty;
-
-	if (!parse_pgp_pubkey_version_validity(packet, &cert))
-	{
-		return FALSE;
-	}
-
-	/* public key algorithm - 1 byte */
-	pubkey_alg = pgp_length(packet, 1);
-	DBG(DBG_PARSING,
-		DBG_log("L3 - public key algorithm:");
-		DBG_log("  %N", pgp_pubkey_alg_names, pubkey_alg)
-	)
-	
-	switch (pubkey_alg)
-	{
-		case PGP_PUBKEY_ALG_RSA:
-		case PGP_PUBKEY_ALG_RSA_SIGN_ONLY:
-			*key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
-												  BUILD_BLOB_PGP, *packet,
-												  BUILD_END);
-			break;
-	 	default:
-			plog("  non RSA private keys not supported");
-			return FALSE;
-	}
-	return (*key != NULL);
-}
-
-bool parse_pgp(chunk_t blob, pgpcert_t *cert, private_key_t **key)
-{
-	DBG(DBG_PARSING,
-		DBG_log("L0 - PGP file:")
-	)
-	DBG_cond_dump_chunk(DBG_RAW, "", blob);
-
-	if (cert != NULL)
-	{
-		/* parse a PGP certificate file */
-		cert->certificate = blob;
-		time(&cert->installed);
-	}
-	else if (key == NULL)
-	{
-		/* should not occur, nothing to parse */
-		return FALSE;
-	}
-
-	while (blob.len > 0)
-	{
-		chunk_t packet = chunk_empty;
-		u_char packet_tag = *blob.ptr;
-
-		DBG(DBG_PARSING,
-			DBG_log("L1 - PGP packet:  tag= 0x%2x", packet_tag)
-		)
-
-		/* bit 7 must be set */
-		if (!(packet_tag & 0x80))
-		{
-			plog("  incorrect Packet Tag");
-			return FALSE;
-		}
-
-		/* bit 6 set defines new packet format */
-		if (packet_tag & 0x40)
-		{
-			plog("  new PGP packet format not supported");
-			return FALSE;
-		}
-		else
-		{
-			int packet_type = (packet_tag & 0x3C) >> 2;
-
-			packet.len = pgp_old_packet_length(&blob);
-			packet.ptr = blob.ptr;
-			blob.ptr += packet.len;
-			blob.len -= packet.len;
-			DBG(DBG_PARSING,
-				DBG_log("  %N (%d), old format, %u bytes",
-						pgp_packet_tag_names, packet_type,
-						packet_type, packet.len);
-				DBG_log("L2 - body:")
-			)
-			DBG_cond_dump_chunk(DBG_RAW, "", packet);
-
-			if (cert != NULL)
-			{
-				/* parse a PGP certificate */
-				switch (packet_type)
-				{
-					case PGP_PKT_PUBLIC_KEY:
-						if (!parse_pgp_pubkey_packet(&packet, cert))
-						{
-							return FALSE;
-						}
-						break;
-					case PGP_PKT_SIGNATURE:
-						if (!parse_pgp_signature_packet(&packet, cert))
-						{
-							return FALSE;
-						}
-						break;
-					case PGP_PKT_USER_ID:
-						DBG(DBG_PARSING,
-							DBG_log("L3 - user ID:");
-							DBG_log("  '%.*s'", (int)packet.len, packet.ptr)
-						)
-						break;
-					default:
-						break;
-				}
-			}
-			else
-			{
-				/* parse a PGP private key file */
-				switch (packet_type)
-				{
-					case PGP_PKT_SECRET_KEY:
-						if (!parse_pgp_secretkey_packet(&packet, key))
-						{
-							return FALSE;
-						}
-						break;
-					case PGP_PKT_USER_ID:
-						DBG(DBG_PARSING,
-							DBG_log("L3 - user ID:");
-							DBG_log("  '%.*s'", (int)packet.len, packet.ptr)
-						)
-						break;
-					default:
-						break;
-				}
-
-			}
-		}
-	}
-	return TRUE;
-}
-
-/**
- *  Compare two OpenPGP certificates
- */
-static bool same_pgpcert(pgpcert_t *a, pgpcert_t *b)
-{
-	return a->certificate.len == b->certificate.len &&
-		memeq(a->certificate.ptr, b->certificate.ptr, b->certificate.len);
-}
-
-/**
- * For each link pointing to the certificate increase the count by one
- */
-void share_pgpcert(pgpcert_t *cert)
-{
-	if (cert != NULL)
-	{
-		cert->count++;
-	}
-}
-
-/**
- * Select the OpenPGP keyid as ID
- */
-void select_pgpcert_id(pgpcert_t *cert, struct id *end_id)
-{
-	end_id->kind = ID_KEY_ID;
-	end_id->name = cert->fingerprint->get_encoding(cert->fingerprint);
-}
-
-/**
- *  Add an OpenPGP user/host certificate to the chained list
- */
-pgpcert_t* add_pgpcert(pgpcert_t *cert)
-{
-	pgpcert_t *c = pgpcerts;
-
-	while (c != NULL)
-	{
-		if (same_pgpcert(c, cert)) /* already in chain, free cert */
-		{
-			free_pgpcert(cert);
-			return c;
-		}
-		c = c->next;
-	}
-
-	/* insert new cert at the root of the chain */
-	cert->next = pgpcerts;
-	pgpcerts = cert;
-	DBG(DBG_CONTROL | DBG_PARSING,
-		DBG_log("  pgp cert inserted")
-	)
-	return cert;
-}
-
-/**
- *  Release of a certificate decreases the count by one.
- *  The certificate is freed when the counter reaches zero
- */
-void release_pgpcert(pgpcert_t *cert)
-{
-	if (cert != NULL && --cert->count == 0)
-	{
-		pgpcert_t **pp = &pgpcerts;
-		while (*pp != cert)
-		{
-			pp = &(*pp)->next;
-		}
-		*pp = cert->next;
-		free_pgpcert(cert);
-	}
-}
-
-/**
- *  Free a PGP certificate
- */
-void free_pgpcert(pgpcert_t *cert)
-{
-	if (cert != NULL)
-	{
-		DESTROY_IF(cert->public_key);
-		DESTROY_IF(cert->fingerprint);
-		free(cert->certificate.ptr);
-		free(cert);
-	}
-}
-
-/**
- *  List all PGP end certificates in a chained list
- */
-void list_pgp_end_certs(bool utc)
-{
-   pgpcert_t *cert = pgpcerts;
-   time_t now;
-
-	/* determine the current time */
-	time(&now);
-
-	if (cert != NULL)
-	{
-		whack_log(RC_COMMENT, " ");
-		whack_log(RC_COMMENT, "List of PGP End certificates:");
-		whack_log(RC_COMMENT, " ");
-	}
-
-	while (cert != NULL)
-	{
-		public_key_t *key = cert->public_key;
-		cert_t c;
-
-		c.type = CERT_PGP;
-		c.u.pgp = cert;
-
-		whack_log(RC_COMMENT, "%T, count: %d", &cert->installed, utc, cert->count);
-		whack_log(RC_COMMENT, "       digest:   %Y", cert->fingerprint);
-		whack_log(RC_COMMENT, "       created:  %T", &cert->created, utc);
-		whack_log(RC_COMMENT, "       until:    %T %s", &cert->until, utc,
-				check_expiry(cert->until, CA_CERT_WARNING_INTERVAL, TRUE));
-		whack_log(RC_COMMENT, "       pubkey:   %N %4d bits%s",
-				key_type_names, key->get_type(key),
-				key->get_keysize(key) * BITS_PER_BYTE,				
-				has_private_key(c)? ", has private key" : "");
-		whack_log(RC_COMMENT, "       keyid:    %Y",
-				key->get_id(key, ID_PUBKEY_INFO_SHA1));
-		cert = cert->next;
-	}
-}
-
diff --git a/src/pluto/pgpcert.h b/src/pluto/pgpcert.h
deleted file mode 100644
index 727648391..000000000
--- a/src/pluto/pgpcert.h
+++ /dev/null
@@ -1,56 +0,0 @@
-/* Support of OpenPGP certificates
- * Copyright (C) 2002-2009 Andreas Steffen
- *
- * HSR - Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#ifndef _PGPCERT_H
-#define _PGPCERT_H
-
-#include <crypto/hashers/hasher.h>
-#include <credentials/keys/private_key.h>
-#include <credentials/keys/public_key.h>
-
-/*
- * Length of PGP V3 fingerprint
- */
-#define PGP_FINGERPRINT_SIZE    HASH_SIZE_MD5
-
-typedef char fingerprint_t[PGP_FINGERPRINT_SIZE];
-
-/* access structure for an OpenPGP certificate */
-
-typedef struct pgpcert pgpcert_t;
-
-struct pgpcert {
-	pgpcert_t        *next;
-	int              version;
-	time_t           installed;
-	int              count;
-	chunk_t          certificate;
-	time_t           created;
-	time_t           until;
-	public_key_t     *public_key;
-	identification_t *fingerprint;
-};
-
-extern const pgpcert_t pgpcert_empty;
-extern bool parse_pgp(chunk_t blob, pgpcert_t *cert, private_key_t **key);
-extern void share_pgpcert(pgpcert_t *cert);
-extern void select_pgpcert_id(pgpcert_t *cert, struct id *end_id);
-extern pgpcert_t* add_pgpcert(pgpcert_t *cert);
-extern void list_pgp_end_certs(bool utc);
-extern void release_pgpcert(pgpcert_t *cert);
-extern void free_pgpcert(pgpcert_t *cert);
-
-#endif /* _PGPCERT_H */
diff --git a/src/pluto/pkcs7.c b/src/pluto/pkcs7.c
index 7248b042f..733dd2623 100644
--- a/src/pluto/pkcs7.c
+++ b/src/pluto/pkcs7.c
@@ -17,8 +17,7 @@
 
 #include <stdlib.h>
 #include <string.h>
-
-#include <freeswan.h>
+#include <time.h>
 
 #include <library.h>
 #include <debug.h>
@@ -27,11 +26,8 @@
 #include <asn1/oid.h>
 #include <crypto/rngs/rng.h>
 #include <crypto/crypters/crypter.h>
+#include <credentials/certificates/x509.h>
 
-#include "constants.h"
-#include "defs.h"
-#include "x509.h"
-#include "certs.h"
 #include "pkcs7.h"
 
 const contentInfo_t empty_contentInfo = {
@@ -84,10 +80,12 @@ static const asn1Object_t signedDataObjects[] = {
 	{ 1,   "end loop",                      ASN1_EOC,          ASN1_END           }, /* 25 */
 	{ 0, "exit",                            ASN1_EOC,          ASN1_EXIT          }
 };
+#define PKCS7_SIGNED_VERSION             1
 #define PKCS7_DIGEST_ALG                 3
 #define PKCS7_SIGNED_CONTENT_INFO        5
 #define PKCS7_SIGNED_CERT                7
 #define PKCS7_SIGNER_INFO               13
+#define PKCS7_SIGNER_INFO_VERSION       14
 #define PKCS7_SIGNED_ISSUER             16
 #define PKCS7_SIGNED_SERIAL_NUMBER      17
 #define PKCS7_DIGEST_ALGORITHM          18
@@ -127,81 +125,6 @@ static const asn1Object_t envelopedDataObjects[] = {
 #define PKCS7_ENCRYPTED_CONTENT         14
 #define PKCS7_ENVELOPED_ROOF            15
 
-/**
- * PKCS7 contentInfo OIDs
- */
-
-static u_char ASN1_pkcs7_data_oid_str[] = {
-	0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x01
-};
-
-static u_char ASN1_pkcs7_signed_data_oid_str[] = {
-	0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x02
-};
-
-static u_char ASN1_pkcs7_enveloped_data_oid_str[] = {
-	0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x03
-};
-
-static u_char ASN1_pkcs7_signed_enveloped_data_oid_str[] = {
-	0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x04
-};
-
-static u_char ASN1_pkcs7_digested_data_oid_str[] = {
-	0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x05
-};
-
-static char ASN1_pkcs7_encrypted_data_oid_str[] = {
-	0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x06
-};
-
-static const chunk_t ASN1_pkcs7_data_oid = 
-						chunk_from_buf(ASN1_pkcs7_data_oid_str);
-static const chunk_t ASN1_pkcs7_signed_data_oid =
-						chunk_from_buf(ASN1_pkcs7_signed_data_oid_str);
-static const chunk_t ASN1_pkcs7_enveloped_data_oid =
-						chunk_from_buf(ASN1_pkcs7_enveloped_data_oid_str);
-static const chunk_t ASN1_pkcs7_signed_enveloped_data_oid = 
-						chunk_from_buf(ASN1_pkcs7_signed_enveloped_data_oid_str);
-static const chunk_t ASN1_pkcs7_digested_data_oid =
-						chunk_from_buf(ASN1_pkcs7_digested_data_oid_str);
-static const chunk_t ASN1_pkcs7_encrypted_data_oid =
-						chunk_from_buf(ASN1_pkcs7_encrypted_data_oid_str);
-
-/**
- * 3DES and DES encryption OIDs
- */
-
-static u_char ASN1_3des_ede_cbc_oid_str[] = {
-	0x06, 0x08, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x03, 0x07
-};
-
-static u_char ASN1_des_cbc_oid_str[] = {
-	0x06, 0x05, 0x2B, 0x0E, 0x03, 0x02, 0x07
-};
-
-static const chunk_t ASN1_3des_ede_cbc_oid = 
-						chunk_from_buf(ASN1_3des_ede_cbc_oid_str);
-static const chunk_t ASN1_des_cbc_oid =
-						chunk_from_buf(ASN1_des_cbc_oid_str);
-
-/**
- * PKCS#7 attribute type OIDs
- */
-
-static u_char ASN1_contentType_oid_str[] = {
-	0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x03
-};
-
-static u_char ASN1_messageDigest_oid_str[] = {
-	0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x04
-};
-
-static const chunk_t ASN1_contentType_oid =
-						chunk_from_buf(ASN1_contentType_oid_str);
-static const chunk_t ASN1_messageDigest_oid =
-						chunk_from_buf(ASN1_messageDigest_oid_str);
-
 /**
  * Parse PKCS#7 ContentInfo object
  */
@@ -242,15 +165,16 @@ end:
 /**
  * Parse a PKCS#7 signedData object
  */
-bool pkcs7_parse_signedData(chunk_t blob, contentInfo_t *data, x509cert_t **cert,
-							chunk_t *attributes, const x509cert_t *cacert)
+bool pkcs7_parse_signedData(chunk_t blob, contentInfo_t *data,
+							linked_list_t *certs,
+							chunk_t *attributes, certificate_t *cacert)
 {
-	u_char buf[BUF_LEN];
 	asn1_parser_t *parser;
 	chunk_t object;
 	int digest_alg = OID_UNKNOWN;
 	int enc_alg    = OID_UNKNOWN;
 	int signerInfos = 0;
+	int version;
 	int objectID;
 	bool success = FALSE;
 
@@ -267,7 +191,7 @@ bool pkcs7_parse_signedData(chunk_t blob, contentInfo_t *data, x509cert_t **cert
 		return FALSE;
 	}
 
-	parser = asn1_parser_create(signedDataObjects, blob);
+	parser = asn1_parser_create(signedDataObjects, cInfo.content);
 	parser->set_top_level(parser, 2);
 
 	while (parser->iterate(parser, &objectID, &object))
@@ -276,6 +200,10 @@ bool pkcs7_parse_signedData(chunk_t blob, contentInfo_t *data, x509cert_t **cert
 
 		switch (objectID)
 		{
+		case PKCS7_SIGNED_VERSION:
+			version = object.len ? (int)*object.ptr : 0;
+			DBG2("  v%d", version);
+			break;
 		case PKCS7_DIGEST_ALG:
 			digest_alg = asn1_parse_algorithmIdentifier(object, level, NULL);
 			break;
@@ -286,33 +214,36 @@ bool pkcs7_parse_signedData(chunk_t blob, contentInfo_t *data, x509cert_t **cert
 			}
 			break;
 		case PKCS7_SIGNED_CERT:
-			if (cert != NULL)
 			{
-				chunk_t cert_blob = chunk_clone(object);
-				x509cert_t *newcert = malloc_thing(x509cert_t);
-
-				*newcert = empty_x509cert;
+				certificate_t *cert;
 
 				DBG2("  parsing pkcs7-wrapped certificate");
-				if (parse_x509cert(cert_blob, level+1, newcert))
-				{
-					newcert->next = *cert;
-					*cert = newcert;
-				}
-				else
+				cert = lib->creds->create(lib->creds,
+								  		  CRED_CERTIFICATE, CERT_X509,
+								  		  BUILD_BLOB_ASN1_DER, object,
+								  		  BUILD_END);
+				if (cert)
 				{
-					free_x509cert(newcert);
+					certs->insert_last(certs, cert);
 				}
 			}
 			break;
 		case PKCS7_SIGNER_INFO:
 			signerInfos++;
 			DBG2("  signer #%d", signerInfos);
-			break;      
-		case PKCS7_SIGNED_ISSUER:
-			dntoa(buf, BUF_LEN, object);
-			DBG2("  '%s'",buf);
 			break;
+		case PKCS7_SIGNER_INFO_VERSION:
+			version = object.len ? (int)*object.ptr : 0;
+			DBG2("  v%d", version);
+			break;
+		case PKCS7_SIGNED_ISSUER:
+			{
+				identification_t *issuer = identification_create_from_encoding(
+													ID_DER_ASN1_DN, object);
+				DBG2("  \"%Y\"", issuer);
+				issuer->destroy(issuer);
+				break;
+			}
 		case PKCS7_AUTH_ATTRIBUTES:
 			if (attributes != NULL)
 			{
@@ -340,9 +271,15 @@ bool pkcs7_parse_signedData(chunk_t blob, contentInfo_t *data, x509cert_t **cert
 	/* check the signature only if a cacert is available */
 	if (cacert != NULL)
 	{
-		public_key_t *key = cacert->public_key;
-		signature_scheme_t scheme = SIGN_RSA_EMSA_PKCS1_SHA1;
+		public_key_t *key;
+		signature_scheme_t scheme;
 
+		scheme = signature_scheme_from_oid(digest_alg);
+		if (scheme == SIGN_UNKNOWN)
+		{
+			DBG1("unsupported signature scheme");
+			return FALSE;
+		}
 		if (signerInfos == 0)
 		{
 			DBG1("no signerInfo object found");
@@ -364,11 +301,11 @@ bool pkcs7_parse_signedData(chunk_t blob, contentInfo_t *data, x509cert_t **cert
 			return FALSE;
 		}
 
-		/* determine signature scheme */
-		scheme = signature_scheme_from_oid(digest_alg);
-
-		if (scheme == SIGN_UNKNOWN)
+		/* verify the signature */
+		key = cacert->get_public_key(cacert);
+		if (key == NULL)
 		{
+			DBG1("no public key found in CA certificate");
 			return FALSE;
 		}
 		if (key->verify(key, scheme, *attributes, encrypted_digest))
@@ -378,10 +315,11 @@ bool pkcs7_parse_signedData(chunk_t blob, contentInfo_t *data, x509cert_t **cert
 		else
 		{
 			DBG1("invalid signature");
-			return FALSE;
+			success = FALSE;
 		}
+		key->destroy(key);
 	}
-	return TRUE;
+	return success;
 }
 
 /**
@@ -399,9 +337,9 @@ bool pkcs7_parse_envelopedData(chunk_t blob, chunk_t *data,
 
 	crypter_t *crypter = NULL;
 
-	u_char buf[BUF_LEN];
 	int enc_alg         = OID_UNKNOWN;
 	int content_enc_alg = OID_UNKNOWN;
+	int version;
 	int objectID;
 	bool success = FALSE;
 
@@ -428,37 +366,45 @@ bool pkcs7_parse_envelopedData(chunk_t blob, chunk_t *data,
 		switch (objectID)
 		{
 		case PKCS7_ENVELOPED_VERSION:
-		if (*object.ptr != 0)
-		{
-			DBG1("envelopedData version is not 0");
-			goto end;
-		}
-		break;
+			version = object.len ? (int)*object.ptr : 0;
+			DBG2("  v%d", version);
+			if (version != 0)
+			{
+				DBG1("envelopedData version is not 0");
+				goto end;
+			}
+			break;
 		case PKCS7_RECIPIENT_INFO_VERSION:
-			if (*object.ptr != 0)
+			version = object.len ? (int)*object.ptr : 0;
+			DBG2("  v%d", version);
+			if (version != 0)
 			{
 				DBG1("recipient info version is not 0");
 				goto end;
 			}
 			break;
 		case PKCS7_ISSUER:
-			dntoa(buf, BUF_LEN, object);
-			DBG2("  '%s'", buf);
-			break;      
+			{
+				identification_t *issuer = identification_create_from_encoding(
+													ID_DER_ASN1_DN, object);
+				DBG2("  \"%Y\"", issuer);
+				issuer->destroy(issuer);
+				break;
+			}
 		case PKCS7_SERIAL_NUMBER:
 			if (!chunk_equals(serialNumber, object))
 			{
 				DBG1("serial numbers do not match");
 				goto end;
-			}   
-			break;      
+			}
+			break;
 		case PKCS7_ENCRYPTION_ALG:
 			enc_alg = asn1_parse_algorithmIdentifier(object, level, NULL);
 			if (enc_alg != OID_RSA_ENCRYPTION)
 			{
 				DBG1("only rsa encryption supported");
 				goto end;
-			} 
+			}
 			break;
 		case PKCS7_ENCRYPTED_KEY:
 			if (!key->decrypt(key, object, &symmetric_key))
@@ -477,7 +423,7 @@ bool pkcs7_parse_envelopedData(chunk_t blob, chunk_t *data,
 			break;
 		case PKCS7_CONTENT_ENC_ALGORITHM:
 			content_enc_alg = asn1_parse_algorithmIdentifier(object, level, &iv);
-	
+
 			if (content_enc_alg == OID_UNKNOWN)
 			{
 				DBG1("unknown content encryption algorithm");
@@ -578,19 +524,20 @@ failed:
  */
 chunk_t pkcs7_contentType_attribute(void)
 {
-	return asn1_wrap(ASN1_SEQUENCE, "cm"
-				, ASN1_contentType_oid
-				, asn1_simple_object(ASN1_SET, ASN1_pkcs7_data_oid));
+	return asn1_wrap(ASN1_SEQUENCE, "mm",
+						asn1_build_known_oid(OID_PKCS9_CONTENT_TYPE),
+						asn1_wrap(ASN1_SET, "m",
+							asn1_build_known_oid(OID_PKCS7_DATA)));
 }
 
 /**
  * @brief Builds a messageDigest attribute
- * 
- * 
+ *
+ *
  * @param[in] blob content to create digest of
  * @param[in] digest_alg digest algorithm to be used
  * @return ASN.1 encoded messageDigest attribute
- * 
+ *
  */
 chunk_t pkcs7_messageDigest_attribute(chunk_t content, int digest_alg)
 {
@@ -603,12 +550,10 @@ chunk_t pkcs7_messageDigest_attribute(chunk_t content, int digest_alg)
 	hasher->allocate_hash(hasher, content, &digest);
 	hasher->destroy(hasher);
 
-	return asn1_wrap(ASN1_SEQUENCE, "cm",
-				ASN1_messageDigest_oid,
-					asn1_wrap(ASN1_SET, "m",
-						asn1_wrap(ASN1_OCTET_STRING, "m", digest)
-					)
-				);
+	return asn1_wrap(ASN1_SEQUENCE, "mm",
+				asn1_build_known_oid(OID_PKCS9_MESSAGE_DIGEST),
+				asn1_wrap(ASN1_SET, "m",
+					asn1_wrap(ASN1_OCTET_STRING, "m", digest)));
 }
 
 /**
@@ -616,83 +561,59 @@ chunk_t pkcs7_messageDigest_attribute(chunk_t content, int digest_alg)
  */
 static chunk_t pkcs7_build_contentInfo(contentInfo_t *cInfo)
 {
-	chunk_t content_type;
-
-	/* select DER-encoded OID for pkcs7 contentInfo type */
-	switch(cInfo->type)
-	{
-	case OID_PKCS7_DATA:
-		content_type = ASN1_pkcs7_data_oid;
-		break;
-	case OID_PKCS7_SIGNED_DATA:
-		content_type = ASN1_pkcs7_signed_data_oid;
-		break;
-	case OID_PKCS7_ENVELOPED_DATA:
-		content_type = ASN1_pkcs7_enveloped_data_oid;
-		break;
-	case OID_PKCS7_SIGNED_ENVELOPED_DATA:
-		content_type = ASN1_pkcs7_signed_enveloped_data_oid;
-		break;
-	case OID_PKCS7_DIGESTED_DATA:
-		content_type = ASN1_pkcs7_digested_data_oid;
-		break;
-	case OID_PKCS7_ENCRYPTED_DATA:
-		content_type = ASN1_pkcs7_encrypted_data_oid;
-		break;
-	case OID_UNKNOWN:
-	default:
-		DBG1("invalid pkcs7 contentInfo type");
-		return chunk_empty;
-	}
-
-	return (cInfo->content.ptr == NULL)
-		? asn1_simple_object(ASN1_SEQUENCE, content_type)
-		: asn1_wrap(ASN1_SEQUENCE, "cm"
-			, content_type
-			, asn1_simple_object(ASN1_CONTEXT_C_0, cInfo->content)
-		  );
+	return (cInfo->content.ptr) ?
+				asn1_wrap(ASN1_SEQUENCE, "mm",
+					asn1_build_known_oid(cInfo->type),
+					asn1_simple_object(ASN1_CONTEXT_C_0, cInfo->content)) :
+				asn1_build_known_oid(cInfo->type);
 }
 
 /**
  * build issuerAndSerialNumber object
  */
-chunk_t pkcs7_build_issuerAndSerialNumber(const x509cert_t *cert)
+chunk_t pkcs7_build_issuerAndSerialNumber(certificate_t *cert)
 {
-	return asn1_wrap(ASN1_SEQUENCE, "cm"
-				, cert->issuer
-				, asn1_integer("c", cert->serialNumber));
+	identification_t *issuer = cert->get_issuer(cert);
+	x509_t *x509 = (x509_t*)cert;
+
+	return asn1_wrap(ASN1_SEQUENCE, "cm",
+					 issuer->get_encoding(issuer),
+					 asn1_integer("c", x509->get_serial(x509)));
 }
 
 /**
  * create a signed pkcs7 contentInfo object
  */
 chunk_t pkcs7_build_signedData(chunk_t data, chunk_t attributes,
-							   const x509cert_t *cert, int digest_alg,
+							   certificate_t *cert, int digest_alg,
 							   private_key_t *key)
 {
 	contentInfo_t pkcs7Data, signedData;
-	chunk_t authenticatedAttributes, encryptedDigest, signerInfo, cInfo;
-
-	chunk_t digestAlgorithm = asn1_algorithmIdentifier(digest_alg);
+	chunk_t authenticatedAttributes = chunk_empty;
+	chunk_t encryptedDigest = chunk_empty;
+	chunk_t signerInfo, cInfo, signature;
+	signature_scheme_t scheme = signature_scheme_from_oid(digest_alg);
 
-	if (attributes.ptr != NULL)
+	if (attributes.ptr)
 	{
-		encryptedDigest = x509_build_signature(attributes, digest_alg, key,
-											   FALSE);
-		authenticatedAttributes = chunk_clone(attributes);
-		*authenticatedAttributes.ptr = ASN1_CONTEXT_C_0;
+		if (key->sign(key, scheme, attributes, &signature))
+		{
+			encryptedDigest = asn1_wrap(ASN1_OCTET_STRING, "m", signature);
+			authenticatedAttributes = chunk_clone(attributes);
+			*authenticatedAttributes.ptr = ASN1_CONTEXT_C_0;
+		}
 	}
-	else
+	else if (data.ptr)
 	{
-		encryptedDigest = (data.ptr == NULL)? chunk_empty
-				: x509_build_signature(data, digest_alg, key, FALSE);
-		authenticatedAttributes = chunk_empty;
+		if (key->sign(key, scheme, data, &signature))
+		{
+			encryptedDigest = asn1_wrap(ASN1_OCTET_STRING, "m", signature);
+		}
 	}
-
-	signerInfo = asn1_wrap(ASN1_SEQUENCE, "cmcmcm"
+	signerInfo = asn1_wrap(ASN1_SEQUENCE, "cmmmmm"
 				, ASN1_INTEGER_1
 				, pkcs7_build_issuerAndSerialNumber(cert)
-				, digestAlgorithm
+				, asn1_algorithmIdentifier(digest_alg)
 				, authenticatedAttributes
 				, asn1_algorithmIdentifier(OID_RSA_ENCRYPTION)
 				, encryptedDigest);
@@ -704,9 +625,9 @@ chunk_t pkcs7_build_signedData(chunk_t data, chunk_t attributes,
 	signedData.type = OID_PKCS7_SIGNED_DATA;
 	signedData.content = asn1_wrap(ASN1_SEQUENCE, "cmmmm"
 				, ASN1_INTEGER_1
-				, asn1_simple_object(ASN1_SET, digestAlgorithm)
+				, asn1_wrap(ASN1_SET, "m", asn1_algorithmIdentifier(digest_alg))
 				, pkcs7_build_contentInfo(&pkcs7Data)
-				, asn1_simple_object(ASN1_CONTEXT_C_0, cert->certificate)
+				, asn1_wrap(ASN1_CONTEXT_C_0, "m", cert->get_encoding(cert))
 				, asn1_wrap(ASN1_SET, "m", signerInfo));
 
 	cInfo = pkcs7_build_contentInfo(&signedData);
@@ -720,7 +641,7 @@ chunk_t pkcs7_build_signedData(chunk_t data, chunk_t attributes,
 /**
  * create a symmetrically encrypted pkcs7 contentInfo object
  */
-chunk_t pkcs7_build_envelopedData(chunk_t data, const x509cert_t *cert, int enc_alg)
+chunk_t pkcs7_build_envelopedData(chunk_t data, certificate_t *cert, int enc_alg)
 {
 	encryption_algorithm_t alg;
 	size_t alg_key_size;
@@ -739,7 +660,7 @@ chunk_t pkcs7_build_envelopedData(chunk_t data, const x509cert_t *cert, int enc_
 	/* generate a true random symmetric encryption key and a pseudo-random iv */
 	{
 		rng_t *rng;
-		
+
 		rng = lib->crypto->create_rng(lib->crypto, RNG_TRUE);
 		rng->allocate_bytes(rng, crypter->get_key_size(crypter), &symmetricKey);
 		DBG4("symmetric encryption key %B", &symmetricKey);
@@ -760,7 +681,7 @@ chunk_t pkcs7_build_envelopedData(chunk_t data, const x509cert_t *cert, int enc_
 		in.ptr = malloc(in.len);
 
 		DBG2("padding %u bytes of data to multiple block size of %u bytes",
-		 	 data.len, in.len);
+			 data.len, in.len);
 
 		/* copy data */
 		memcpy(in.ptr, data.ptr, data.len);
@@ -773,26 +694,41 @@ chunk_t pkcs7_build_envelopedData(chunk_t data, const x509cert_t *cert, int enc_
 	crypter->set_key(crypter, symmetricKey);
 	crypter->encrypt(crypter, in, iv, &out);
 	crypter->destroy(crypter);
+	chunk_clear(&in);
     DBG3("encrypted data %B", &out);
 
-	cert->public_key->encrypt(cert->public_key, symmetricKey, &protectedKey);
+	/* protect symmetric key by public key encryption */
+	{
+		public_key_t *key = cert->get_public_key(cert);
 
-	/* build pkcs7 enveloped data object */ 
+		if (key == NULL)
+		{
+			DBG1("public key not found in encryption certificate");
+			chunk_clear(&symmetricKey);
+			chunk_free(&iv);
+			chunk_free(&out);
+			return chunk_empty;
+		}
+		key->encrypt(key, symmetricKey, &protectedKey);
+		key->destroy(key);
+	}
+
+	/* build pkcs7 enveloped data object */
 	{
-		
+
 		chunk_t contentEncryptionAlgorithm = asn1_wrap(ASN1_SEQUENCE, "mm"
 					, asn1_build_known_oid(enc_alg)
 					, asn1_simple_object(ASN1_OCTET_STRING, iv));
-		
-		chunk_t encryptedContentInfo = asn1_wrap(ASN1_SEQUENCE, "cmm"
-					, ASN1_pkcs7_data_oid
+
+		chunk_t encryptedContentInfo = asn1_wrap(ASN1_SEQUENCE, "mmm"
+					, asn1_build_known_oid(OID_PKCS7_DATA)
 					, contentEncryptionAlgorithm
 					, asn1_wrap(ASN1_CONTEXT_S_0, "m", out));
 
 		chunk_t encryptedKey = asn1_wrap(ASN1_OCTET_STRING, "m"
 					, protectedKey);
 
-		chunk_t recipientInfo = asn1_wrap(ASN1_SEQUENCE, "cmcm"
+		chunk_t recipientInfo = asn1_wrap(ASN1_SEQUENCE, "cmmm"
 					, ASN1_INTEGER_0
 					, pkcs7_build_issuerAndSerialNumber(cert)
 					, asn1_algorithmIdentifier(OID_RSA_ENCRYPTION)
@@ -810,10 +746,9 @@ chunk_t pkcs7_build_envelopedData(chunk_t data, const x509cert_t *cert, int enc_
 		cInfo = pkcs7_build_contentInfo(&envelopedData);
 		DBG3("envelopedData %B", &cInfo);
 
-		free(envelopedData.content.ptr);
-		free(symmetricKey.ptr);
-		free(in.ptr);
-		free(iv.ptr);
+		chunk_free(&envelopedData.content);
+		chunk_free(&iv);
+		chunk_clear(&symmetricKey);
 		return cInfo;
 	}
 }
diff --git a/src/pluto/pkcs7.h b/src/pluto/pkcs7.h
index 028822dfe..1743ea9c4 100644
--- a/src/pluto/pkcs7.h
+++ b/src/pluto/pkcs7.h
@@ -18,10 +18,10 @@
 #ifndef _PKCS7_H
 #define _PKCS7_H
 
+#include <utils/linked_list.h>
 #include <crypto/crypters/crypter.h>
 #include <credentials/keys/private_key.h>
-#include "defs.h"
-#include "x509.h"
+#include <credentials/certificates/certificate.h>
 
 /* Access structure for a PKCS#7 ContentInfo object */
 
@@ -35,17 +35,19 @@ struct contentInfo {
 extern const contentInfo_t empty_contentInfo;
 
 extern bool pkcs7_parse_contentInfo(chunk_t blob, u_int level0,
-	contentInfo_t *cInfo);
+									contentInfo_t *cInfo);
 extern bool pkcs7_parse_signedData(chunk_t blob, contentInfo_t *data,
-	x509cert_t **cert, chunk_t *attributes, const x509cert_t *cacert);
+								   linked_list_t *cert, chunk_t *attributes,
+								   certificate_t *cacert);
 extern bool pkcs7_parse_envelopedData(chunk_t blob, chunk_t *data,
-	chunk_t serialNumber, private_key_t *key);
+									  chunk_t serialNumber, private_key_t *key);
 extern chunk_t pkcs7_contentType_attribute(void);
 extern chunk_t pkcs7_messageDigest_attribute(chunk_t content, int digest_alg);
-extern chunk_t pkcs7_build_issuerAndSerialNumber(const x509cert_t *cert);
+extern chunk_t pkcs7_build_issuerAndSerialNumber(certificate_t *cert);
 extern chunk_t pkcs7_build_signedData(chunk_t data, chunk_t attributes,
-	const x509cert_t *cert, int digest_alg, private_key_t *key);
-extern chunk_t pkcs7_build_envelopedData(chunk_t data, const x509cert_t *cert,
-	int enc_alg);
+									  certificate_t *cert, int digest_alg,
+									  private_key_t *key);
+extern chunk_t pkcs7_build_envelopedData(chunk_t data, certificate_t *cert,
+										 int enc_alg);
 
 #endif /* _PKCS7_H */
diff --git a/src/pluto/plutomain.c b/src/pluto/plutomain.c
index 5d0e008f3..8b922df8c 100644
--- a/src/pluto/plutomain.c
+++ b/src/pluto/plutomain.c
@@ -48,7 +48,7 @@
 
 #include "constants.h"
 #include "defs.h"
-#include "id.h"
+#include "myid.h"
 #include "ca.h"
 #include "certs.h"
 #include "ac.h"
@@ -73,6 +73,7 @@
 #include "virtual.h"
 #include "timer.h"
 #include "vendor.h"
+#include "builder.h"
 
 static void usage(const char *mess)
 {
@@ -128,7 +129,7 @@ static void usage(const char *mess)
 			" [--debug-private]"
 			" [--debug-natt]"
 #endif
- 		    " \\\n\t"
+		    " \\\n\t"
 			"[--nat_traversal] [--keep_alive <delay_sec>]"
 			" \\\n\t"
 			"[--force_keepalive] [--disable_port_floating]"
@@ -233,8 +234,8 @@ static void print_plugins()
 	char buf[BUF_LEN], *plugin;
 	int len = 0;
 	enumerator_t *enumerator;
-	
-	buf[0] = '\0';	
+
+	buf[0] = '\0';
 	enumerator = lib->plugins->create_plugin_enumerator(lib->plugins);
 	while (len < BUF_LEN && enumerator->enumerate(enumerator, &plugin))
 	{
@@ -260,7 +261,7 @@ int main(int argc, char **argv)
 #endif /* CAPABILITIES */
 
 	/* initialize library and optionsfrom */
-	if (!library_init(STRONGSWAN_CONF))
+	if (!library_init(NULL))
 	{
 		library_deinit();
 		exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
@@ -651,10 +652,14 @@ int main(int argc, char **argv)
 	}
 
 	/* load plugins, further infrastructure may need it */
-	lib->plugins->load(lib->plugins, IPSEC_PLUGINDIR, 
-		lib->settings->get_str(lib->settings, "pluto.load", PLUGINS));
+	if (!lib->plugins->load(lib->plugins, NULL,
+			lib->settings->get_str(lib->settings, "pluto.load", PLUGINS)))
+	{
+		exit(SS_RC_INITIALIZATION_FAILED);
+	}
 	print_plugins();
 
+	init_builder();
 	if (!init_secret() || !init_crypto())
 	{
 		plog("initialization failed - aborting pluto");
@@ -668,12 +673,13 @@ int main(int argc, char **argv)
 	init_demux();
 	init_kernel();
 	init_adns();
-	init_id();
-	init_fetch();
+	init_myid();
+	fetch_initialize();
+	ac_initialize();
 
 	/* drop unneeded capabilities and change UID/GID */
 	prctl(PR_SET_KEEPCAPS, 1);
-		
+
 #ifdef IPSEC_GROUP
 	{
 		struct group group, *grp;
@@ -715,15 +721,15 @@ int main(int argc, char **argv)
 #endif /* CAPABILITIES */
 
 	/* loading X.509 CA certificates */
-	load_authcerts("CA cert", CA_CERT_PATH, AUTH_CA);
+	load_authcerts("ca", CA_CERT_PATH, X509_CA);
 	/* loading X.509 AA certificates */
-	load_authcerts("AA cert", AA_CERT_PATH, AUTH_AA);
+	load_authcerts("aa", AA_CERT_PATH, X509_AA);
 	/* loading X.509 OCSP certificates */
-	load_authcerts("OCSP cert", OCSP_CERT_PATH, AUTH_OCSP);
+	load_authcerts("ocsp", OCSP_CERT_PATH, X509_OCSP_SIGNER);
 	/* loading X.509 CRLs */
 	load_crls();
 	/* loading attribute certificates (experimental) */
-	load_acerts();
+	ac_load_certs();
 
 	daily_log_event();
 	call_server();
@@ -744,22 +750,24 @@ void exit_pluto(int status)
 	free_preshared_secrets();
 	free_remembered_public_keys();
 	delete_every_connection();
+	fetch_finalize();           /* stop fetching thread */
 	free_crl_fetch();           /* free chain of crl fetch requests */
 	free_ocsp_fetch();          /* free chain of ocsp fetch requests */
 	free_authcerts();           /* free chain of X.509 authority certificates */
 	free_crls();                /* free chain of X.509 CRLs */
-	free_acerts();              /* free chain of X.509 attribute certificates */
 	free_ca_infos();            /* free chain of X.509 CA information records */
 	free_ocsp();                /* free ocsp cache */
 	free_ifaces();
+	ac_finalize();              /* free X.509 attribute certificates */
 	scx_finalize();             /* finalize and unload PKCS #11 module */
 	xauth_finalize();           /* finalize and unload XAUTH module */
 	stop_adns();
 	free_md_pool();
 	free_crypto();
-	free_id();                  /* free myids */
+	free_myid();                /* free myids */
 	free_events();              /* free remaining events */
-	free_vendorid();			/* free all vendor id records */
+	free_vendorid();            /* free all vendor id records */
+	free_builder();
 	delete_lock();
 	options->destroy(options);
 	library_deinit();
diff --git a/src/pluto/rcv_whack.c b/src/pluto/rcv_whack.c
index 013deb446..826a1aa6e 100644
--- a/src/pluto/rcv_whack.c
+++ b/src/pluto/rcv_whack.c
@@ -33,7 +33,6 @@
 
 #include "constants.h"
 #include "defs.h"
-#include "id.h"
 #include "ca.h"
 #include "certs.h"
 #include "ac.h"
@@ -55,16 +54,16 @@
 #include "fetch.h"
 #include "ocsp.h"
 #include "crl.h"
-
+#include "myid.h"
 #include "kernel_alg.h"
 #include "ike_alg.h"
+
 /* helper variables and function to decode strings from whack message */
 
 static char *next_str
 	, *str_roof;
 
-static bool
-unpack_str(char **p)
+static bool unpack_str(char **p)
 {
 	char *end = memchr(next_str, '\0', str_roof - next_str);
 
@@ -103,19 +102,13 @@ struct key_add_continuation {
 	enum key_add_attempt lookingfor;
 };
 
-static void
-key_add_ugh(const struct id *keyid, err_t ugh)
+static void key_add_ugh(identification_t *keyid, err_t ugh)
 {
-	char name[BUF_LEN]; /* longer IDs will be truncated in message */
-
-	(void)idtoa(keyid, name, sizeof(name));
-	loglog(RC_NOKEY
-		, "failure to fetch key for %s from DNS: %s", name, ugh);
+	loglog(RC_NOKEY, "failure to fetch key for %'Y' from DNS: %s", keyid, ugh);
 }
 
 /* last one out: turn out the lights */
-static void
-key_add_merge(struct key_add_common *oc, const struct id *keyid)
+static void key_add_merge(struct key_add_common *oc, identification_t *keyid)
 {
 	if (oc->refCount == 0)
 	{
@@ -123,9 +116,12 @@ key_add_merge(struct key_add_common *oc, const struct id *keyid)
 
 		/* if no success, print all diagnostics */
 		if (!oc->success)
+		{
 			for (kaa = ka_TXT; kaa != ka_roof; kaa++)
+			{
 				key_add_ugh(keyid, oc->diag[kaa]);
-
+			}
+		}
 		for (kaa = ka_TXT; kaa != ka_roof; kaa++)
 		{
 			free(oc->diag[kaa]);
@@ -135,8 +131,7 @@ key_add_merge(struct key_add_common *oc, const struct id *keyid)
 	}
 }
 
-static void
-key_add_continue(struct adns_continuation *ac, err_t ugh)
+static void key_add_continue(struct adns_continuation *ac, err_t ugh)
 {
 	struct key_add_continuation *kc = (void *) ac;
 	struct key_add_common *oc = kc->common;
@@ -159,95 +154,87 @@ key_add_continue(struct adns_continuation *ac, err_t ugh)
 	}
 
 	oc->refCount--;
-	key_add_merge(oc, &ac->id);
+	key_add_merge(oc, ac->id);
 	whack_log_fd = NULL_FD;
 }
 
-static void
-key_add_request(const whack_message_t *msg)
+static void key_add_request(const whack_message_t *msg)
 {
-	struct id keyid;
-	err_t ugh = atoid(msg->keyid, &keyid, FALSE);
+	identification_t *key_id;
 
-	if (ugh != NULL)
+	key_id = identification_create_from_string(msg->keyid);
+
+	if (!msg->whack_addkey)
 	{
-		loglog(RC_BADID, "bad --keyid \"%s\": %s", msg->keyid, ugh);
+		delete_public_keys(key_id, msg->pubkey_alg, NULL, chunk_empty);
 	}
-	else
+	if (msg->keyval.len == 0)
 	{
-		if (!msg->whack_addkey)
-			delete_public_keys(&keyid, msg->pubkey_alg
-				, chunk_empty, chunk_empty);
+		struct key_add_common *oc = malloc_thing(struct key_add_common);
+		enum key_add_attempt kaa;
+		err_t ugh;
 
-		if (msg->keyval.len == 0)
+		/* initialize state shared by queries */
+		oc->refCount = 0;
+		oc->whack_fd = dup_any(whack_log_fd);
+		oc->success = FALSE;
+
+		for (kaa = ka_TXT; kaa != ka_roof; kaa++)
 		{
-			struct key_add_common *oc = malloc_thing(struct key_add_common);
-			enum key_add_attempt kaa;
+			struct key_add_continuation *kc;
 
-			/* initialize state shared by queries */
-			oc->refCount = 0;
-			oc->whack_fd = dup_any(whack_log_fd);
-			oc->success = FALSE;
+			oc->diag[kaa] = NULL;
+			oc->refCount++;
+			kc = malloc_thing(struct key_add_continuation);
+			kc->common = oc;
+			kc->lookingfor = kaa;
 
-			for (kaa = ka_TXT; kaa != ka_roof; kaa++)
+			switch (kaa)
 			{
-				struct key_add_continuation *kc;
-
-				oc->diag[kaa] = NULL;
-				oc->refCount++;
-				kc = malloc_thing(struct key_add_continuation);
-				kc->common = oc;
-				kc->lookingfor = kaa;
-
-				switch (kaa)
-				{
 				case ka_TXT:
-					ugh = start_adns_query(&keyid
-						, &keyid        /* same */
-						, T_TXT
-						, key_add_continue
-						, &kc->ac);
+					ugh = start_adns_query(key_id
+							, key_id        /* same */
+							, T_TXT
+							, key_add_continue
+							, &kc->ac);
 					break;
 #ifdef USE_KEYRR
 				case ka_KEY:
-					ugh = start_adns_query(&keyid
-						, NULL
-						, T_KEY
-						, key_add_continue
-						, &kc->ac);
+					ugh = start_adns_query(key_id
+							, NULL
+							, T_KEY
+							, key_add_continue
+							, &kc->ac);
 					break;
 #endif /* USE_KEYRR */
 				default:
 					bad_case(kaa);      /* suppress gcc warning */
-				}
-				if (ugh != NULL)
-				{
-					oc->diag[kaa] = clone_str(ugh);
-					oc->refCount--;
-				}
 			}
-
-			/* Done launching queries.
-			 * Handle total failure case.
-			 */
-			key_add_merge(oc, &keyid);
-		}
-		else
-		{
-			if (!add_public_key(&keyid, DAL_LOCAL, msg->pubkey_alg, msg->keyval,
-				&pubkeys))
+			if (ugh)
 			{
-				loglog(RC_LOG_SERIOUS, "failed to add public key");
+				oc->diag[kaa] = clone_str(ugh);
+				oc->refCount--;
 			}
 		}
+
+		/* Done launching queries. Handle total failure case. */
+		key_add_merge(oc, key_id);
+	}
+	else
+	{
+		if (!add_public_key(key_id, DAL_LOCAL, msg->pubkey_alg, msg->keyval,
+			&pubkeys))
+		{
+			loglog(RC_LOG_SERIOUS, "failed to add public key");
+		}
 	}
+	key_id->destroy(key_id);
 }
 
 /* Handle a kernel request. Supposedly, there's a message in
  * the kernelsock socket.
  */
-void
-whack_handle(int whackctlfd)
+void whack_handle(int whackctlfd)
 {
 	whack_message_t msg;
 	struct sockaddr_un whackaddr;
@@ -319,24 +306,26 @@ whack_handle(int whackctlfd)
 		|| !unpack_str(&msg.left.ca)            /* string  4 */
 		|| !unpack_str(&msg.left.groups)        /* string  5 */
 		|| !unpack_str(&msg.left.updown)        /* string  6 */
-		|| !unpack_str(&msg.left.virt)          /* string  7 */
-		|| !unpack_str(&msg.right.id)           /* string  8 */
-		|| !unpack_str(&msg.right.cert)         /* string  9 */
-		|| !unpack_str(&msg.right.ca)           /* string 10 */
-		|| !unpack_str(&msg.right.groups)       /* string 11 */
-		|| !unpack_str(&msg.right.updown)       /* string 12 */
-		|| !unpack_str(&msg.right.virt)         /* string 13 */
-		|| !unpack_str(&msg.keyid)              /* string 14 */
-		|| !unpack_str(&msg.myid)               /* string 15 */
-		|| !unpack_str(&msg.cacert)             /* string 16 */
-		|| !unpack_str(&msg.ldaphost)           /* string 17 */
-		|| !unpack_str(&msg.ldapbase)           /* string 18 */
-		|| !unpack_str(&msg.crluri)             /* string 19 */
-		|| !unpack_str(&msg.crluri2)            /* string 20 */
-		|| !unpack_str(&msg.ocspuri)            /* string 21 */
-		|| !unpack_str(&msg.ike)                /* string 22 */
-		|| !unpack_str(&msg.esp)                /* string 23 */
-		|| !unpack_str(&msg.sc_data)            /* string 24 */
+		|| !unpack_str(&msg.left.sourceip)      /* string  7 */
+		|| !unpack_str(&msg.left.virt)          /* string  8 */
+		|| !unpack_str(&msg.right.id)           /* string  9 */
+		|| !unpack_str(&msg.right.cert)         /* string 10 */
+		|| !unpack_str(&msg.right.ca)           /* string 11 */
+		|| !unpack_str(&msg.right.groups)       /* string 12 */
+		|| !unpack_str(&msg.right.updown)       /* string 13 */
+		|| !unpack_str(&msg.right.sourceip)     /* string 14 */
+		|| !unpack_str(&msg.right.virt)         /* string 15 */
+		|| !unpack_str(&msg.keyid)              /* string 16 */
+		|| !unpack_str(&msg.myid)               /* string 17 */
+		|| !unpack_str(&msg.cacert)             /* string 18 */
+		|| !unpack_str(&msg.ldaphost)           /* string 19 */
+		|| !unpack_str(&msg.ldapbase)           /* string 20 */
+		|| !unpack_str(&msg.crluri)             /* string 21 */
+		|| !unpack_str(&msg.crluri2)            /* string 22 */
+		|| !unpack_str(&msg.ocspuri)            /* string 23 */
+		|| !unpack_str(&msg.ike)                /* string 24 */
+		|| !unpack_str(&msg.esp)                /* string 25 */
+		|| !unpack_str(&msg.sc_data)            /* string 26 */
 		|| str_roof - next_str != (ptrdiff_t)msg.keyval.len)    /* check chunk */
 		{
 			ugh = "message from whack contains bad string";
@@ -372,7 +361,7 @@ whack_handle(int whackctlfd)
 		}
 		else if (!msg.whack_connection)
 		{
-			struct connection *c = con_by_name(msg.name, TRUE);
+			connection_t *c = con_by_name(msg.name, TRUE);
 
 			if (c != NULL)
 			{
@@ -424,7 +413,7 @@ whack_handle(int whackctlfd)
 
 	if (msg.whack_ca && msg.cacert != NULL)
 		add_ca_info(&msg);
-		
+
 	/* process "listen" before any operation that could require it */
 	if (msg.whack_listen)
 	{
@@ -451,22 +440,22 @@ whack_handle(int whackctlfd)
 
 	if (msg.whack_reread & REREAD_CACERTS)
 	{
-		load_authcerts("CA cert", CA_CERT_PATH, AUTH_CA);
+		load_authcerts("ca", CA_CERT_PATH, X509_CA);
 	}
 
 	if (msg.whack_reread & REREAD_AACERTS)
 	{
-		load_authcerts("AA cert", AA_CERT_PATH, AUTH_AA);
+		load_authcerts("aa", AA_CERT_PATH, X509_AA);
 	}
 
 	if (msg.whack_reread & REREAD_OCSPCERTS)
 	{
-		load_authcerts("OCSP cert", OCSP_CERT_PATH, AUTH_OCSP);
+		load_authcerts("ocsp", OCSP_CERT_PATH, X509_OCSP_SIGNER);
 	}
 
 	if (msg.whack_reread & REREAD_ACERTS)
 	{
-		load_acerts();
+		ac_load_certs();
 	}
 
 	if (msg.whack_reread & REREAD_CRLS)
@@ -487,32 +476,27 @@ whack_handle(int whackctlfd)
 
 	if (msg.whack_list & LIST_CERTS)
 	{
-		list_certs(msg.whack_utc);
+		cert_list(msg.whack_utc);
 	}
 
 	if (msg.whack_list & LIST_CACERTS)
 	{
-		list_authcerts("CA", AUTH_CA, msg.whack_utc);
+		list_authcerts("CA", X509_CA, msg.whack_utc);
 	}
 
 	if (msg.whack_list & LIST_AACERTS)
 	{
-		list_authcerts("AA", AUTH_AA, msg.whack_utc);
+		list_authcerts("AA", X509_AA, msg.whack_utc);
 	}
 
 	if (msg.whack_list & LIST_OCSPCERTS)
 	{
-		list_authcerts("OCSP", AUTH_OCSP, msg.whack_utc);
+		list_authcerts("OCSP", X509_OCSP_SIGNER, msg.whack_utc);
 	}
 
 	if (msg.whack_list & LIST_ACERTS)
 	{
-		list_acerts(msg.whack_utc);
-	}
-
-	if (msg.whack_list & LIST_GROUPS)
-	{
-		list_groups(msg.whack_utc);
+		ac_list_certs(msg.whack_utc);
 	}
 
 	if (msg.whack_list & LIST_CAINFOS)
@@ -562,7 +546,7 @@ whack_handle(int whackctlfd)
 		}
 		else
 		{
-			struct connection *c = con_by_name(msg.name, TRUE);
+			connection_t *c = con_by_name(msg.name, TRUE);
 
 			if (c != NULL && c->ikev1)
 			{
@@ -588,7 +572,7 @@ whack_handle(int whackctlfd)
 		}
 		else
 		{
-			struct connection *c = con_by_name(msg.name, TRUE);
+			connection_t *c = con_by_name(msg.name, TRUE);
 
 			if (c != NULL && c->ikev1)
 			{
diff --git a/src/pluto/rsaref/pkcs11.h b/src/pluto/rsaref/pkcs11.h
index 9261e1e4c..3283bdc89 100644
--- a/src/pluto/rsaref/pkcs11.h
+++ b/src/pluto/rsaref/pkcs11.h
@@ -7,10 +7,10 @@
 
  * License is also granted to make and use derivative works provided that
  * such works are identified as "derived from the RSA Security Inc. PKCS #11
- * Cryptographic Token Interface (Cryptoki)" in all material mentioning or 
+ * Cryptographic Token Interface (Cryptoki)" in all material mentioning or
  * referencing the derived work.
 
- * RSA Security Inc. makes no representations concerning either the 
+ * RSA Security Inc. makes no representations concerning either the
  * merchantability of this software or the suitability of this software for
  * any particular purpose. It is provided "as is" without express or implied
  * warranty of any kind.
@@ -275,7 +275,7 @@ extern "C" {
 
 #define CK_PKCS11_FUNCTION_INFO(name) \
   __PASTE(CK_,name) name;
-  
+
 struct CK_FUNCTION_LIST {
 
   CK_VERSION    version;  /* Cryptoki version */
diff --git a/src/pluto/rsaref/pkcs11f.h b/src/pluto/rsaref/pkcs11f.h
index dec6315dd..54b884aed 100644
--- a/src/pluto/rsaref/pkcs11f.h
+++ b/src/pluto/rsaref/pkcs11f.h
@@ -7,10 +7,10 @@
 
  * License is also granted to make and use derivative works provided that
  * such works are identified as "derived from the RSA Security Inc. PKCS #11
- * Cryptographic Token Interface (Cryptoki)" in all material mentioning or 
+ * Cryptographic Token Interface (Cryptoki)" in all material mentioning or
  * referencing the derived work.
 
- * RSA Security Inc. makes no representations concerning either the 
+ * RSA Security Inc. makes no representations concerning either the
  * merchantability of this software or the suitability of this software for
  * any particular purpose. It is provided "as is" without express or implied
  * warranty of any kind.
@@ -564,7 +564,7 @@ CK_PKCS11_FUNCTION_INFO(C_Sign)
 
 
 /* C_SignUpdate continues a multiple-part signature operation,
- * where the signature is (will be) an appendix to the data, 
+ * where the signature is (will be) an appendix to the data,
  * and plaintext cannot be recovered from the signature. */
 CK_PKCS11_FUNCTION_INFO(C_SignUpdate)
 #ifdef CK_NEED_ARG_LIST
@@ -576,7 +576,7 @@ CK_PKCS11_FUNCTION_INFO(C_SignUpdate)
 #endif
 
 
-/* C_SignFinal finishes a multiple-part signature operation, 
+/* C_SignFinal finishes a multiple-part signature operation,
  * returning the signature. */
 CK_PKCS11_FUNCTION_INFO(C_SignFinal)
 #ifdef CK_NEED_ARG_LIST
@@ -625,12 +625,12 @@ CK_PKCS11_FUNCTION_INFO(C_VerifyInit)
 (
   CK_SESSION_HANDLE hSession,    /* the session's handle */
   CK_MECHANISM_PTR  pMechanism,  /* the verification mechanism */
-  CK_OBJECT_HANDLE  hKey         /* verification key */ 
+  CK_OBJECT_HANDLE  hKey         /* verification key */
 );
 #endif
 
 
-/* C_Verify verifies a signature in a single-part operation, 
+/* C_Verify verifies a signature in a single-part operation,
  * where the signature is an appendix to the data, and plaintext
  * cannot be recovered from the signature. */
 CK_PKCS11_FUNCTION_INFO(C_Verify)
@@ -646,7 +646,7 @@ CK_PKCS11_FUNCTION_INFO(C_Verify)
 
 
 /* C_VerifyUpdate continues a multiple-part verification
- * operation, where the signature is an appendix to the data, 
+ * operation, where the signature is an appendix to the data,
  * and plaintext cannot be recovered from the signature. */
 CK_PKCS11_FUNCTION_INFO(C_VerifyUpdate)
 #ifdef CK_NEED_ARG_LIST
@@ -772,7 +772,7 @@ CK_PKCS11_FUNCTION_INFO(C_GenerateKey)
 #endif
 
 
-/* C_GenerateKeyPair generates a public-key/private-key pair, 
+/* C_GenerateKeyPair generates a public-key/private-key pair,
  * creating new key objects. */
 CK_PKCS11_FUNCTION_INFO(C_GenerateKeyPair)
 #ifdef CK_NEED_ARG_LIST
diff --git a/src/pluto/smartcard.c b/src/pluto/smartcard.c
index 7e4452d89..f1a3932a6 100644
--- a/src/pluto/smartcard.c
+++ b/src/pluto/smartcard.c
@@ -31,6 +31,7 @@
 
 #include <asn1/asn1.h>
 #include <credentials/keys/public_key.h>
+#include <credentials/certificates/x509.h>
 
 #include "constants.h"
 
@@ -58,21 +59,21 @@ static smartcard_t *smartcards   = NULL;
 static int sc_number = 0;
 
 const smartcard_t empty_sc = {
-	  NULL               , /* next */
-			0            , /* last_load */
-	{ CERT_NONE, {NULL} }, /* last_cert */
-			0            , /* count */
-			0            , /* number */
-	   999999            , /* slot */
-	  NULL               , /* id */
-	  NULL               , /* label */
-	{ NULL, 0 }          , /* pin */
-	  FALSE              , /* pinpad */
-	  FALSE              , /* valid */
-	  FALSE              , /* session_opened */
-	  FALSE              , /* logged_in */
-	  TRUE               , /* any_slot */
-			0L           , /* session */
+	  NULL         , /* next */
+			0      , /* last_load */
+	  NULL         , /* last_cert */
+			0      , /* count */
+			0      , /* number */
+	  999999       , /* slot */
+	  NULL         , /* id */
+	  NULL         , /* label */
+	{ NULL, 0 }    , /* pin */
+	  FALSE        , /* pinpad */
+	  FALSE        , /* valid */
+	  FALSE        , /* session_opened */
+	  FALSE        , /* logged_in */
+	  TRUE         , /* any_slot */
+			0L     , /* session */
 };
 
 #ifdef SMARTCARD        /* compile with smartcard support */
@@ -115,7 +116,7 @@ static const char *const pkcs11_return_name_10[] = {
 	};
 
 static const char *const pkcs11_return_name_20[] = {
-		"CKR_DATA_INVALID", 
+		"CKR_DATA_INVALID",
 		"CKR_DATA_LEN_RANGE"
 	};
 
@@ -386,8 +387,7 @@ static enum_names pkcs11_return_names =
  * The calling application is responsible for cleaning up
  * and calling C_Finalize()
  */
-static CK_RV
-scx_unload_pkcs11_module(scx_pkcs11_module_t *mod)
+static CK_RV scx_unload_pkcs11_module(scx_pkcs11_module_t *mod)
 {
 	if (!mod || mod->_magic != SCX_MAGIC)
 		return CKR_ARGUMENTS_BAD;
@@ -400,8 +400,8 @@ scx_unload_pkcs11_module(scx_pkcs11_module_t *mod)
 	return CKR_OK;
 }
 
-static scx_pkcs11_module_t*
-scx_load_pkcs11_module(const char *name, CK_FUNCTION_LIST_PTR_PTR funcs)
+static scx_pkcs11_module_t* scx_load_pkcs11_module(const char *name,
+								 CK_FUNCTION_LIST_PTR_PTR funcs)
 {
 	CK_RV (*c_get_function_list)(CK_FUNCTION_LIST_PTR_PTR);
 	scx_pkcs11_module_t *mod;
@@ -437,14 +437,13 @@ failed: scx_unload_pkcs11_module(mod);
 /*
  * retrieve a certificate object
  */
-static bool
-scx_find_cert_object(CK_SESSION_HANDLE session, CK_OBJECT_HANDLE object
-, smartcard_t *sc, cert_t *cert)
+static cert_t* scx_find_cert_object(CK_SESSION_HANDLE session,
+									CK_OBJECT_HANDLE object, smartcard_t *sc)
 {
 	size_t hex_len, label_len;
 	u_char *hex_id = NULL;
+	cert_t *cert;
 	chunk_t blob;
-	x509cert_t *x509cert;
 
 	CK_ATTRIBUTE attr[] = {
 		{ CKA_ID,    NULL_PTR, 0L },
@@ -452,16 +451,13 @@ scx_find_cert_object(CK_SESSION_HANDLE session, CK_OBJECT_HANDLE object
 		{ CKA_VALUE, NULL_PTR, 0L }
 	};
 
-	/* initialize the return argument */
-	*cert = cert_empty;
-
 	/* get the length of the attributes first */
 	CK_RV rv = pkcs11_functions->C_GetAttributeValue(session, object, attr, 3);
 	if (rv != CKR_OK)
 	{
 		plog("couldn't read the attribute sizes: %s"
 			, enum_show(&pkcs11_return_names, rv));
-		return FALSE;
+		return NULL;
 	}
 
 	free(sc->label);
@@ -486,7 +482,7 @@ scx_find_cert_object(CK_SESSION_HANDLE session, CK_OBJECT_HANDLE object
 		free(hex_id);
 		free(sc->label);
 		free(blob.ptr);
-		return FALSE;
+		return NULL;
 	}
 
 	free(sc->id);
@@ -500,26 +496,30 @@ scx_find_cert_object(CK_SESSION_HANDLE session, CK_OBJECT_HANDLE object
 	sc->label[label_len] = '\0';
 
 	/* parse the retrieved cert */
-	x509cert = malloc_thing(x509cert_t);
-	*x509cert = empty_x509cert;
-	x509cert->smartcard = TRUE;
 
-	if (!parse_x509cert(blob, 0, x509cert))
+	/* initialize the return argument */
+	cert = malloc_thing(cert_t);
+	*cert = cert_empty;
+	cert->smartcard = TRUE;
+	cert->cert = lib->creds->create(lib->creds,
+							  		CRED_CERTIFICATE, CERT_X509,
+							  		BUILD_BLOB_ASN1_DER, blob,
+							  		BUILD_END);
+	if (cert->cert)
 	{
-		plog("failed to load cert from smartcard, error in X.509 certificate");
-		free_x509cert(x509cert);
-		return FALSE;
+		return cert;
 	}
-	cert->type = CERT_X509_SIGNATURE;
-	cert->u.x509 = x509cert;
-	return TRUE;
+
+	plog("failed to load cert from smartcard, error in X.509 certificate");
+	cert_free(cert);
+	return NULL;
 }
 
+
 /*
  * search a given slot for PKCS#11 certificate objects
  */
-static void
-scx_find_cert_objects(CK_SLOT_ID slot, CK_SESSION_HANDLE session)
+static void scx_find_cert_objects(CK_SLOT_ID slot, CK_SESSION_HANDLE session)
 {
 	CK_RV rv;
 	CK_OBJECT_CLASS class = CKO_CERTIFICATE;
@@ -537,10 +537,10 @@ scx_find_cert_objects(CK_SLOT_ID slot, CK_SESSION_HANDLE session)
 	{
 		CK_OBJECT_HANDLE object;
 		CK_ULONG obj_count = 0;
-		err_t ugh;
 		time_t valid_until;
 		smartcard_t *sc;
-		x509cert_t *cert;
+		certificate_t *certificate;
+		x509_t *x509;
 
 		rv = pkcs11_functions->C_FindObjects(session, &object, 1, &obj_count);
 		if (rv != CKR_OK)
@@ -559,8 +559,8 @@ scx_find_cert_objects(CK_SLOT_ID slot, CK_SESSION_HANDLE session)
 		*sc = empty_sc;
 		sc->any_slot = FALSE;
 		sc->slot  = slot;
-
-		if (!scx_find_cert_object(session, object, sc, &sc->last_cert))
+		sc->last_cert = scx_find_cert_object(session, object, sc);
+		if (sc->last_cert == NULL)
 		{
 			scx_free(sc);
 			continue;
@@ -571,37 +571,31 @@ scx_find_cert_objects(CK_SLOT_ID slot, CK_SESSION_HANDLE session)
 		)
 
 		/* check validity of certificate */
-		cert = sc->last_cert.u.x509;
-		valid_until = cert->notAfter;
-		ugh = check_validity(cert, &valid_until);
-		if (ugh != NULL)
+		certificate = sc->last_cert->cert;
+		if (!certificate->get_validity(certificate, NULL, NULL, &valid_until))
 		{
-			plog("  %s", ugh);
-			free_x509cert(cert);
 			scx_free(sc);
 			continue;
 		}
-		else
-		{
-			DBG(DBG_CONTROL,
-				DBG_log("  certificate is valid")
-			)
-		}
+		DBG(DBG_CONTROL,
+			DBG_log("  certificate is valid")
+		)
 
 		sc = scx_add(sc);
+		x509 = (x509_t*)certificate;
 
 		/* put end entity and ca certificates into different chains */
-		if (cert->isCA)
+		if (x509->get_flags(x509) & X509_CA)
 		{
-			sc->last_cert.u.x509 = add_authcert(cert, AUTH_CA);
+			sc->last_cert = add_authcert(sc->last_cert, X509_CA);
 		}
 		else
 		{
-			add_x509_public_key(cert, valid_until, DAL_LOCAL);
-			sc->last_cert.u.x509 = add_x509cert(cert);
+			add_public_key_from_cert(sc->last_cert, valid_until, DAL_LOCAL);
+			sc->last_cert = cert_add(sc->last_cert);
 		}
 
-		share_cert(sc->last_cert);
+		cert_share(sc->last_cert);
 		time(&sc->last_load);
 	}
 
@@ -616,8 +610,7 @@ scx_find_cert_objects(CK_SLOT_ID slot, CK_SESSION_HANDLE session)
 /*
  * search all slots for PKCS#11 certificate objects
  */
-static void
-scx_find_all_cert_objects(void)
+static void scx_find_all_cert_objects(void)
 {
 	CK_RV rv;
 	CK_SLOT_ID_PTR slots = NULL_PTR;
@@ -659,7 +652,7 @@ scx_find_all_cert_objects(void)
 				, enum_show(&pkcs11_return_names, rv));
 			continue;
 		}
-		
+
 		if (!(info.flags & CKF_TOKEN_PRESENT))
 		{
 			plog("no token present in slot %lu", slot);
@@ -696,8 +689,7 @@ scx_find_all_cert_objects(void)
  * init_args should be unused when we have a PKCS#11 compliant module,
  * but NSS softoken breaks that API.
  */
-void
-scx_init(const char* module, const char *init_args)
+void scx_init(const char* module, const char *init_args)
 {
 #ifdef SMARTCARD
 	CK_C_INITIALIZE_ARGS args = { .pReserved = (char *)init_args, };
@@ -750,10 +742,9 @@ scx_init(const char* module, const char *init_args)
 }
 
 /*
- * finalize and unload PKCS#11 cryptoki module 
+ * finalize and unload PKCS#11 cryptoki module
  */
-void
-scx_finalize(void)
+void scx_finalize(void)
 {
 #ifdef SMARTCARD
 	while (smartcards != NULL)
@@ -783,21 +774,18 @@ scx_finalize(void)
 /*
  * does a filename contain the token %smartcard?
  */
-bool
-scx_on_smartcard(const char *filename)
+bool scx_on_smartcard(const char *filename)
 {
 	return strneq(filename, SCX_TOKEN, strlen(SCX_TOKEN));
 }
 
 #ifdef SMARTCARD
 /*
- * find a specific object on the smartcard 
+ * find a specific object on the smartcard
  */
-static bool
-scx_pkcs11_find_object( CK_SESSION_HANDLE session, 
-						CK_OBJECT_HANDLE_PTR object, 
-						CK_OBJECT_CLASS class, 
-						const char* id)
+static bool scx_pkcs11_find_object(CK_SESSION_HANDLE session,
+								   CK_OBJECT_HANDLE_PTR object,
+								   CK_OBJECT_CLASS class, const char* id)
 {
 	size_t len;
 	char buf[BUF_LEN];
@@ -848,8 +836,7 @@ scx_pkcs11_find_object( CK_SESSION_HANDLE session,
 /*
  * check if a given certificate object id is found in a slot
  */
-static bool
-scx_find_cert_id_in_slot(smartcard_t *sc, CK_SLOT_ID slot)
+static bool scx_find_cert_id_in_slot(smartcard_t *sc, CK_SLOT_ID slot)
 {
 	CK_SESSION_HANDLE session;
 	CK_OBJECT_HANDLE object;
@@ -863,7 +850,7 @@ scx_find_cert_id_in_slot(smartcard_t *sc, CK_SLOT_ID slot)
 			, enum_show(&pkcs11_return_names, rv));
 		 return FALSE;
 	}
-		
+
 	if (!(info.flags & CKF_TOKEN_PRESENT))
 	{
 		plog("no token present in slot %lu", slot);
@@ -891,7 +878,7 @@ scx_find_cert_id_in_slot(smartcard_t *sc, CK_SLOT_ID slot)
 		sc->session_opened = TRUE;
 		return TRUE;
 	}
-		
+
 	rv = pkcs11_functions->C_CloseSession(session);
 	if (rv != CKR_OK)
 	{
@@ -905,8 +892,7 @@ scx_find_cert_id_in_slot(smartcard_t *sc, CK_SLOT_ID slot)
 /*
  * Connect to the smart card in the reader and select the correct slot
  */
-bool
-scx_establish_context(smartcard_t *sc)
+bool scx_establish_context(smartcard_t *sc)
 {
 #ifdef SMARTCARD
 	bool id_found = FALSE;
@@ -983,8 +969,7 @@ scx_establish_context(smartcard_t *sc)
 /*
  * log in to a session
  */
-bool
-scx_login(smartcard_t *sc)
+bool scx_login(smartcard_t *sc)
 {
 #ifdef SMARTCARD
 	CK_RV rv;
@@ -996,7 +981,7 @@ scx_login(smartcard_t *sc)
 		)
 		return TRUE;
 	}
-		
+
 	if (sc->pin.ptr == NULL)
 	{
 		plog("unable to log in without PIN!");
@@ -1009,7 +994,7 @@ scx_login(smartcard_t *sc)
 		return FALSE;
 	}
 
-	rv = pkcs11_functions->C_Login(sc->session, CKU_USER 
+	rv = pkcs11_functions->C_Login(sc->session, CKU_USER
 								, (CK_UTF8CHAR *) sc->pin.ptr, sc->pin.len);
 	if (rv != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN)
 	{
@@ -1031,11 +1016,10 @@ scx_login(smartcard_t *sc)
 /*
  * logout from a session
  */
-static void
-scx_logout(smartcard_t *sc)
+static void scx_logout(smartcard_t *sc)
 {
 	CK_RV rv;
-	
+
 	rv = pkcs11_functions->C_Logout(sc->session);
 	if (rv != CKR_OK)
 		plog("error in C_Logout: %s"
@@ -1052,8 +1036,7 @@ scx_logout(smartcard_t *sc)
 /*
  * Release context and disconnect from card
  */
-void
-scx_release_context(smartcard_t *sc)
+void scx_release_context(smartcard_t *sc)
 {
 #ifdef SMARTCARD
 	CK_RV rv;
@@ -1067,7 +1050,7 @@ scx_release_context(smartcard_t *sc)
 			scx_logout(sc);
 
 		sc->session_opened = FALSE;
-		
+
 		rv = pkcs11_functions->C_CloseSession(sc->session);
 		if (rv != CKR_OK)
 			plog("error in C_CloseSession: %s"
@@ -1083,68 +1066,66 @@ scx_release_context(smartcard_t *sc)
 /*
  * Load host certificate from smartcard
  */
-bool
-scx_load_cert(const char *filename, smartcard_t **scp, cert_t *cert
-, bool *cached)
+cert_t* scx_load_cert(const char *filename, smartcard_t **scp, bool *cached)
 {
 #ifdef SMARTCARD        /* compile with smartcard support */
-	CK_OBJECT_HANDLE object;
-
 	const char *number_slot_id = filename + strlen(SCX_TOKEN);
-
-	smartcard_t *sc = scx_add(scx_parse_number_slot_id(number_slot_id));
+	CK_OBJECT_HANDLE object;
+	smartcard_t *sc;
+	cert_t *cert = NULL;
 
 	/* return the smartcard object */
-	*scp = sc;
+	*scp = sc = scx_add(scx_parse_number_slot_id(number_slot_id));
 
 	/* is there a cached smartcard certificate? */
-	*cached = sc->last_cert.type != CERT_NONE
-			  && (time(NULL) - sc->last_load) < SCX_CERT_CACHE_INTERVAL;
+	*cached = sc->last_cert && 
+			  (time(NULL) - sc->last_load) < SCX_CERT_CACHE_INTERVAL;
 
 	if (*cached)
 	{
-		*cert = sc->last_cert;
 		plog("  using cached cert from smartcard #%d (%s, id: %s, label: '%s')"
 				, sc->number
 				, scx_print_slot(sc, "")
 				, sc->id
 				, sc->label);
-		return TRUE;
+		return sc->last_cert;
 	}
 
 	if (!scx_establish_context(sc))
 	{
 		scx_release_context(sc);
-		return FALSE;
+		return NULL;
 	}
 
 	/* find the certificate object */
 	if (!scx_pkcs11_find_object(sc->session, &object, CKO_CERTIFICATE, sc->id))
 	{
 		scx_release_context(sc);
-		return FALSE;
+		return NULL;
 	}
 
 	/* retrieve the certificate object */
-	if (!scx_find_cert_object(sc->session, object, sc, cert))
+	cert = scx_find_cert_object(sc->session, object, sc);
+	if (cert == NULL)
 	{
 		scx_release_context(sc);
-		return FALSE;
+		return NULL;
 	}
 
 	if (!pkcs11_keep_state)
+	{
 		scx_release_context(sc);
-
+	}
 	plog("  loaded cert from smartcard #%d (%s, id: %s, label: '%s')"
 		, sc->number
 		, scx_print_slot(sc, "")
 		, sc->id
 		, sc->label);
 
-	return TRUE;
+	return cert;
 #else
 	plog("  warning: SMARTCARD support is deactivated in pluto/Makefile!");
-	return FALSE;
+	return NULL;
 #endif
 }
 
@@ -1158,8 +1139,7 @@ scx_load_cert(const char *filename, smartcard_t **scp, cert_t *cert
  * %smartcard:45   -       -     45
  * %smartcard0:45  -       0     45
  */
-smartcard_t*
-scx_parse_number_slot_id(const char *number_slot_id)
+smartcard_t* scx_parse_number_slot_id(const char *number_slot_id)
 {
 	int len = strlen(number_slot_id);
 	smartcard_t *sc = malloc_thing(smartcard_t);
@@ -1169,7 +1149,7 @@ scx_parse_number_slot_id(const char *number_slot_id)
 
 	if (len == 0)                       /* default: use certificate #1 */
 	{
-		sc->number = 1; 
+		sc->number = 1;
 	}
 	else if (*number_slot_id == '#')    /* #number scheme */
 	{
@@ -1218,12 +1198,11 @@ scx_parse_number_slot_id(const char *number_slot_id)
 /*
  * Verify pin on card
  */
-bool
-scx_verify_pin(smartcard_t *sc)
+bool scx_verify_pin(smartcard_t *sc)
 {
 #ifdef SMARTCARD
 	CK_RV rv;
-	
+
 	if (!sc->pinpad)
 		sc->valid = FALSE;
 
@@ -1270,9 +1249,8 @@ scx_verify_pin(smartcard_t *sc)
 /*
  * Sign hash on smartcard
  */
-bool
-scx_sign_hash(smartcard_t *sc, const u_char *in, size_t inlen
-, u_char *out, size_t outlen)
+bool scx_sign_hash(smartcard_t *sc, const u_char *in, size_t inlen, u_char *out,
+				   size_t outlen)
 {
 #ifdef SMARTCARD
 	CK_RV rv;
@@ -1377,12 +1355,11 @@ scx_sign_hash(smartcard_t *sc, const u_char *in, size_t inlen
 #endif
 }
 
-/* 
+/*
  * encrypt data block with an RSA public key
  */
-bool
-scx_encrypt(smartcard_t *sc, const u_char *in, size_t inlen
-, u_char *out, size_t *outlen)
+bool scx_encrypt(smartcard_t *sc, const u_char *in, size_t inlen, u_char *out,
+				 size_t *outlen)
 {
 #ifdef SMARTCARD
 	CK_RV rv;
@@ -1423,7 +1400,7 @@ scx_encrypt(smartcard_t *sc, const u_char *in, size_t inlen
 		scx_release_context(sc);
 		return FALSE;
 	}
-		
+
 	/* there must be enough space left for the PKCS#1 v1.5 padding */
 	if (inlen > attr[0].ulValueLen - 11)
 	{
@@ -1467,7 +1444,7 @@ scx_encrypt(smartcard_t *sc, const u_char *in, size_t inlen
 			rsa_key = asn1_wrap(ASN1_SEQUENCE, "mm",
 								asn1_integer("m", rsa_modulus),
 								asn1_integer("m", rsa_exponent));
-			key = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,	
+			key = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
 								BUILD_BLOB_ASN1_DER, rsa_key, BUILD_END);
 			free(rsa_key.ptr);
 			if (key == NULL)
@@ -1527,12 +1504,11 @@ scx_encrypt(smartcard_t *sc, const u_char *in, size_t inlen
 	return FALSE;
 #endif
 }
-/* 
+/*
  * decrypt a data block with an RSA private key
  */
-bool
-scx_decrypt(smartcard_t *sc, const u_char *in, size_t inlen
-, u_char *out, size_t *outlen)
+bool scx_decrypt(smartcard_t *sc, const u_char *in, size_t inlen, u_char *out,
+				 size_t *outlen)
 {
 #ifdef SMARTCARD
 	CK_RV rv;
@@ -1570,7 +1546,7 @@ scx_decrypt(smartcard_t *sc, const u_char *in, size_t inlen
 		scx_release_context(sc);
 		return FALSE;
 	}
-		
+
 	DBG(DBG_CONTROL,
 		DBG_log("doing RSA decryption on smartcard")
 	)
@@ -1606,9 +1582,8 @@ scx_decrypt(smartcard_t *sc, const u_char *in, size_t inlen
  * decrypt it using a private RSA key and
  * return the decrypted data block via whack
  */
-bool
-scx_op_via_whack(const char* msg, int inbase, int outbase, sc_op_t op
-, const char* keyid, int whackfd)
+bool scx_op_via_whack(const char* msg, int inbase, int outbase, sc_op_t op,
+					  const char* keyid, int whackfd)
 {
 	char inbuf[RSA_MAX_OCTETS];
 	char outbuf[2*RSA_MAX_OCTETS + 1];
@@ -1680,7 +1655,7 @@ scx_op_via_whack(const char* msg, int inbase, int outbase, sc_op_t op
 		DBG_dump("smartcard output data:\n", inbuf, outlen)
 	)
 
-	if (outbase == 0)  /* use default base */ 
+	if (outbase == 0)  /* use default base */
 		outbase = DEFAULT_BASE;
 
 	if (outbase == 256) /* ascii plain text */
@@ -1701,8 +1676,7 @@ scx_op_via_whack(const char* msg, int inbase, int outbase, sc_op_t op
  /*
  * get length of RSA key in bytes
  */
-size_t
-scx_get_keylength(smartcard_t *sc)
+size_t scx_get_keylength(smartcard_t *sc)
 {
 #ifdef SMARTCARD
 	CK_RV rv;
@@ -1737,8 +1711,7 @@ scx_get_keylength(smartcard_t *sc)
 /*
  * prompt for pin and verify it
  */
-bool
-scx_get_pin(smartcard_t *sc, int whackfd)
+bool scx_get_pin(smartcard_t *sc, int whackfd)
 {
 #ifdef SMARTCARD
 	char pin[BUF_LEN];
@@ -1796,8 +1769,7 @@ scx_get_pin(smartcard_t *sc, int whackfd)
 /*
  * free the pin code
  */
-void
-scx_free_pin(chunk_t *pin)
+void scx_free_pin(chunk_t *pin)
 {
 	if (pin->ptr != NULL)
 	{
@@ -1811,12 +1783,12 @@ scx_free_pin(chunk_t *pin)
 /*
  * frees a smartcard record
  */
-void
-scx_free(smartcard_t *sc)
+void scx_free(smartcard_t *sc)
 {
 	if (sc != NULL)
 	{
 		scx_release_context(sc);
+		cert_release(sc->last_cert);
 		free(sc->id);
 		free(sc->label);
 		scx_free_pin(&sc->pin);
@@ -1827,8 +1799,7 @@ scx_free(smartcard_t *sc)
 /*  release of a smartcard record decreases the count by one
  "  the record is freed when the counter reaches zero
  */
-void
-scx_release(smartcard_t *sc)
+void scx_release(smartcard_t *sc)
 {
 	if (sc != NULL && --sc->count == 0)
 	{
@@ -1836,7 +1807,6 @@ scx_release(smartcard_t *sc)
 		while (*pp != sc)
 			pp = &(*pp)->next;
 		*pp = sc->next;
-		release_cert(sc->last_cert);
 		scx_free(sc);
 	}
 }
@@ -1844,8 +1814,7 @@ scx_release(smartcard_t *sc)
 /*
  *  compare two smartcard records by comparing their slots and ids
  */
-static bool
-scx_same(smartcard_t *a, smartcard_t *b)
+static bool scx_same(smartcard_t *a, smartcard_t *b)
 {
 	if  (a->number && b->number)
 	{
@@ -1863,8 +1832,7 @@ scx_same(smartcard_t *a, smartcard_t *b)
 /*  for each link pointing to the smartcard record
  "  increase the count by one
  */
-void
-scx_share(smartcard_t *sc)
+void scx_share(smartcard_t *sc)
 {
 	if (sc != NULL)
 		sc->count++;
@@ -1873,8 +1841,7 @@ scx_share(smartcard_t *sc)
 /*
  *  adds a smartcard record to the chained list
  */
-smartcard_t*
-scx_add(smartcard_t *smartcard)
+smartcard_t* scx_add(smartcard_t *smartcard)
 {
 	smartcard_t *sc = smartcards;
 	smartcard_t **psc = &smartcards;
@@ -1903,15 +1870,16 @@ scx_add(smartcard_t *smartcard)
 /*
  * get the smartcard that belongs to an X.509 certificate
  */
-smartcard_t*
-scx_get(x509cert_t *cert)
+smartcard_t* scx_get(cert_t *cert)
 {
 	smartcard_t *sc = smartcards;
 
 	while (sc != NULL)
 	{
-		if (sc->last_cert.u.x509 == cert)
+		if (sc->last_cert == cert)
+		{
 			return sc;
+		}
 		sc = sc->next;
 	}
 	return NULL;
@@ -1920,8 +1888,7 @@ scx_get(x509cert_t *cert)
 /*
  * prints either the slot number or 'any slot'
  */
-char *
-scx_print_slot(smartcard_t *sc, const char *whitespace)
+char *scx_print_slot(smartcard_t *sc, const char *whitespace)
 {
 	char *buf = temporary_cyclic_buffer();
 
@@ -1935,8 +1902,7 @@ scx_print_slot(smartcard_t *sc, const char *whitespace)
 /*
  *  list all smartcard info records in a chained list
  */
-void
-scx_list(bool utc)
+void scx_list(bool utc)
 {
 	smartcard_t *sc = smartcards;
 
@@ -1944,32 +1910,28 @@ scx_list(bool utc)
 	{
 		whack_log(RC_COMMENT, " ");
 		whack_log(RC_COMMENT, "List of Smartcard Objects:");
-		whack_log(RC_COMMENT, " ");
 	}
 
 	while (sc != NULL)
 	{
-		whack_log(RC_COMMENT, "%T, #%d, count: %d"
-			, &sc->last_load, utc
-			, sc->number
-			, sc->count);
-		whack_log(RC_COMMENT, "       %s, session %s, logged %s, has %s"
+		whack_log(RC_COMMENT, " ");
+		whack_log(RC_COMMENT, "  %s, session %s, logged %s, has %s"
 			, scx_print_slot(sc, "    ")
 			, sc->session_opened? "opened" : "closed"
 			, sc->logged_in? "in" : "out"
-			, sc->pinpad? "pin pad" 
+			, sc->pinpad? "pin pad"
 				: ((sc->pin.ptr == NULL)? "no pin"
 					: sc->valid? "valid pin" : "invalid pin"));
 		if (sc->id != NULL)
-			whack_log(RC_COMMENT, "       id:       %s", sc->id);
+			whack_log(RC_COMMENT, "  id:       %s", sc->id);
 		if (sc->label != NULL)
-			whack_log(RC_COMMENT, "       label:   '%s'", sc->label);
-		if (sc->last_cert.type == CERT_X509_SIGNATURE)
+			whack_log(RC_COMMENT, "  label:   '%s'", sc->label);
+		if (sc->last_cert)
 		{
-			char buf[BUF_LEN];
+			certificate_t *certificate = sc->last_cert->cert;
 
-			dntoa(buf, BUF_LEN, sc->last_cert.u.x509->subject);
-			whack_log(RC_COMMENT, "       subject: '%s'", buf);
+			whack_log(RC_COMMENT, "  subject: '%Y'",
+					  certificate->get_subject(certificate));
 		}
 		sc = sc->next;
 	}
diff --git a/src/pluto/smartcard.h b/src/pluto/smartcard.h
index 60a0fccfc..7a2229794 100644
--- a/src/pluto/smartcard.h
+++ b/src/pluto/smartcard.h
@@ -42,7 +42,7 @@ typedef struct smartcard smartcard_t;
 struct smartcard {
 	smartcard_t  *next;
 	time_t        last_load;
-	cert_t        last_cert;
+	cert_t        *last_cert;
 	int           count;
 	int           number;
 	unsigned long slot;
@@ -75,8 +75,7 @@ extern void scx_finalize(void);
 extern bool scx_establish_context(smartcard_t *sc);
 extern bool scx_login(smartcard_t *sc);
 extern bool scx_on_smartcard(const char *filename);
-extern bool scx_load_cert(const char *filename, smartcard_t **scp
-	, cert_t *cert, bool *cached);
+extern cert_t* scx_load_cert(const char *filename, smartcard_t **scp, bool *cached);
 extern bool scx_verify_pin(smartcard_t *sc);
 extern void scx_share(smartcard_t *sc);
 extern bool scx_sign_hash(smartcard_t *sc, const u_char *in, size_t inlen
@@ -90,7 +89,7 @@ extern bool scx_op_via_whack(const char* msg, int inbase, int outbase
 extern bool scx_get_pin(smartcard_t *sc, int whackfd);
 extern size_t scx_get_keylength(smartcard_t *sc);
 extern smartcard_t* scx_add(smartcard_t *sc);
-extern smartcard_t* scx_get(x509cert_t *cert);
+extern smartcard_t* scx_get(cert_t *cert);
 extern void scx_release(smartcard_t *sc);
 extern void scx_release_context(smartcard_t *sc);
 extern void scx_free_pin(chunk_t *pin);
diff --git a/src/pluto/spdb.c b/src/pluto/spdb.c
index a86c9f215..cdf2cb21b 100644
--- a/src/pluto/spdb.c
+++ b/src/pluto/spdb.c
@@ -24,7 +24,6 @@
 
 #include "constants.h"
 #include "defs.h"
-#include "id.h"
 #include "connections.h"
 #include "state.h"
 #include "packet.h"
@@ -607,7 +606,7 @@ static u_int32_t decode_long_duration(pb_stream *pbs)
 }
 
 /* Preparse the body of an ISAKMP SA Payload and
- * return body of ISAKMP Proposal Payload 
+ * return body of ISAKMP Proposal Payload
  *
  * Only IPsec DOI is accepted (what is the ISAKMP DOI?).
  * Error response is rudimentary.
@@ -624,20 +623,20 @@ preparse_isakmp_sa_body(const struct isakmp_sa *sa
 	{
 		loglog(RC_LOG_SERIOUS, "Unknown/unsupported DOI %s", enum_show(&doi_names, sa->isasa_doi));
 		/* XXX Could send notification back */
-		return DOI_NOT_SUPPORTED;
+		return ISAKMP_DOI_NOT_SUPPORTED;
 	}
 
 	/* Situation */
 	if (!in_struct(ipsecdoisit, &ipsec_sit_desc, sa_pbs, NULL))
 	{
-		return SITUATION_NOT_SUPPORTED;
+		return ISAKMP_SITUATION_NOT_SUPPORTED;
 	}
 	if (*ipsecdoisit != SIT_IDENTITY_ONLY)
 	{
 		loglog(RC_LOG_SERIOUS, "unsupported IPsec DOI situation (%s)"
 			, bitnamesof(sit_bit_names, *ipsecdoisit));
 		/* XXX Could send notification back */
-		return SITUATION_NOT_SUPPORTED;
+		return ISAKMP_SITUATION_NOT_SUPPORTED;
 	}
 
 	/* The rules for ISAKMP SAs are scattered.
@@ -647,20 +646,20 @@ preparse_isakmp_sa_body(const struct isakmp_sa *sa
 	 */
 	if (!in_struct(proposal, &isakmp_proposal_desc, sa_pbs, proposal_pbs))
 	{
-		return PAYLOAD_MALFORMED;
+		return ISAKMP_PAYLOAD_MALFORMED;
 	}
 	if (proposal->isap_np != ISAKMP_NEXT_NONE)
 	{
 		loglog(RC_LOG_SERIOUS, "Proposal Payload must be alone in Oakley SA; found %s following Proposal"
 			, enum_show(&payload_names, proposal->isap_np));
-		return PAYLOAD_MALFORMED;
+		return ISAKMP_PAYLOAD_MALFORMED;
 	}
 
 	if (proposal->isap_protoid != PROTO_ISAKMP)
 	{
 		loglog(RC_LOG_SERIOUS, "unexpected Protocol ID (%s) found in Oakley Proposal"
 			, enum_show(&protocol_names, proposal->isap_protoid));
-		return INVALID_PROTOCOL_ID;
+		return ISAKMP_INVALID_PROTOCOL_ID;
 	}
 
 	/* Just what should we accept for the SPI field?
@@ -694,15 +693,15 @@ preparse_isakmp_sa_body(const struct isakmp_sa *sa
 		u_char junk_spi[MAX_ISAKMP_SPI_SIZE];
 
 		if (!in_raw(junk_spi, proposal->isap_spisize, proposal_pbs, "Oakley SPI"))
-			return PAYLOAD_MALFORMED;
+			return ISAKMP_PAYLOAD_MALFORMED;
 	}
 	else
 	{
 		loglog(RC_LOG_SERIOUS, "invalid SPI size (%u) in Oakley Proposal"
 			, (unsigned)proposal->isap_spisize);
-		return INVALID_SPI;
+		return ISAKMP_INVALID_SPI;
 	}
-	return NOTHING_WRONG;
+	return ISAKMP_NOTHING_WRONG;
 }
 
 static struct {
@@ -750,14 +749,14 @@ notification_t parse_isakmp_policy(pb_stream *proposal_pbs, u_int notrans,
 
 		if (!in_struct(&trans, &isakmp_isakmp_transform_desc, proposal_pbs, &trans_pbs))
 		{
-			return BAD_PROPOSAL_SYNTAX;
+			return ISAKMP_BAD_PROPOSAL_SYNTAX;
 		}
 		if (trans.isat_transnum <= last_transnum)
 		{
 			/* picky, picky, picky */
 			loglog(RC_LOG_SERIOUS, "Transform Numbers are not monotonically increasing"
 				" in Oakley Proposal");
-			return BAD_PROPOSAL_SYNTAX;
+			return ISAKMP_BAD_PROPOSAL_SYNTAX;
 		}
 		last_transnum = trans.isat_transnum;
 
@@ -765,7 +764,7 @@ notification_t parse_isakmp_policy(pb_stream *proposal_pbs, u_int notrans,
 		{
 			loglog(RC_LOG_SERIOUS, "expected KEY_IKE but found %s in Oakley Transform"
 				, enum_show(&isakmp_transformid_names, trans.isat_transid));
-			return INVALID_TRANSFORM_ID;
+			return ISAKMP_INVALID_TRANSFORM_ID;
 		}
 
 		attr_start = trans_pbs.cur;
@@ -779,7 +778,7 @@ notification_t parse_isakmp_policy(pb_stream *proposal_pbs, u_int notrans,
 
 			if (!in_struct(&a, &isakmp_oakley_attribute_desc, &trans_pbs, &attr_pbs))
 			{
-				return BAD_PROPOSAL_SYNTAX;
+				return ISAKMP_BAD_PROPOSAL_SYNTAX;
 			}
 			passert((a.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK) < 32);
 
@@ -822,7 +821,7 @@ notification_t parse_isakmp_policy(pb_stream *proposal_pbs, u_int notrans,
 		DBG_log("preparse_isakmp_policy: peer requests %s authentication"
 				, prettypolicy(*policy))
 	)
-	return NOTHING_WRONG;
+	return ISAKMP_NOTHING_WRONG;
 }
 
 /**
@@ -831,23 +830,22 @@ notification_t parse_isakmp_policy(pb_stream *proposal_pbs, u_int notrans,
 static err_t find_preshared_key(struct state* st)
 {
 	err_t ugh = NULL;
-	struct connection *c = st->st_connection;
+	connection_t *c = st->st_connection;
 
 	if (get_preshared_secret(c) == NULL)
 	{
-		char my_id[BUF_LEN], his_id[BUF_LEN];
+		char his_id[BUF_LEN];
 
-		idtoa(&c->spd.this.id, my_id, sizeof(my_id));
 		if (his_id_was_instantiated(c))
 		{
 			strcpy(his_id, "%any");
 		}
 		else
 		{
-			idtoa(&c->spd.that.id, his_id, sizeof(his_id));
+			snprintf(his_id, sizeof(his_id), "%Y", c->spd.that.id);
 		}
-		ugh = builddiag("Can't authenticate: no preshared key found for `%s' and `%s'"
-						, my_id, his_id);
+		ugh = builddiag("Can't authenticate: no preshared key found "
+						"for '%Y' and '%s'", c->spd.this.id, his_id);
 	}
 	return ugh;
 }
@@ -868,7 +866,7 @@ notification_t parse_isakmp_sa_body(u_int32_t ipsecdoisit,
 									struct state *st,
 									bool initiator)
 {
-	struct connection *c = st->st_connection;
+	connection_t *c = st->st_connection;
 	unsigned no_trans_left;
 
 	/* for each transform payload... */
@@ -892,7 +890,7 @@ notification_t parse_isakmp_sa_body(u_int32_t ipsecdoisit,
 		if (no_trans_left == 0)
 		{
 			loglog(RC_LOG_SERIOUS, "number of Transform Payloads disagrees with Oakley Proposal Payload");
-			return BAD_PROPOSAL_SYNTAX;
+			return ISAKMP_BAD_PROPOSAL_SYNTAX;
 		}
 
 		in_struct(&trans, &isakmp_isakmp_transform_desc, proposal_pbs, &trans_pbs);
@@ -908,7 +906,7 @@ notification_t parse_isakmp_sa_body(u_int32_t ipsecdoisit,
 			u_int32_t val;      /* room for larger values */
 
 			if (!in_struct(&a, &isakmp_oakley_attribute_desc, &trans_pbs, &attr_pbs))
-				return BAD_PROPOSAL_SYNTAX;
+				return ISAKMP_BAD_PROPOSAL_SYNTAX;
 
 			passert((a.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK) < 32);
 
@@ -917,7 +915,7 @@ notification_t parse_isakmp_sa_body(u_int32_t ipsecdoisit,
 				loglog(RC_LOG_SERIOUS, "repeated %s attribute in Oakley Transform %u"
 					, enum_show(&oakley_attr_names, a.isaat_af_type)
 					, trans.isat_transnum);
-				return BAD_PROPOSAL_SYNTAX;
+				return ISAKMP_BAD_PROPOSAL_SYNTAX;
 			}
 
 			seen_attrs |= LELEM(a.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK);
@@ -1071,7 +1069,7 @@ notification_t parse_isakmp_sa_body(u_int32_t ipsecdoisit,
 						loglog(RC_LOG_SERIOUS
 								, "attribute OAKLEY_LIFE_TYPE value %s repeated"
 								, enum_show(&oakley_lifetime_names, val));
-						return BAD_PROPOSAL_SYNTAX;
+						return ISAKMP_BAD_PROPOSAL_SYNTAX;
 					}
 					seen_durations |= LELEM(val);
 					life_type = val;
@@ -1114,7 +1112,7 @@ notification_t parse_isakmp_sa_body(u_int32_t ipsecdoisit,
 										, (long) val
 										, OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM);
 #endif
-					}   
+					}
 					ta.life_seconds = val;
 					break;
 				case OAKLEY_LIFE_KILOBYTES:
@@ -1210,7 +1208,7 @@ notification_t parse_isakmp_sa_body(u_int32_t ipsecdoisit,
 					loglog(RC_LOG_SERIOUS, "missing mandatory attribute(s) %s in Oakley Transform %u"
 						, bitnamesof(oakley_attr_bit_names, missing)
 						, trans.isat_transnum);
-					return BAD_PROPOSAL_SYNTAX;
+					return ISAKMP_BAD_PROPOSAL_SYNTAX;
 				}
 			}
 			/* We must have liked this transform.
@@ -1264,7 +1262,7 @@ notification_t parse_isakmp_sa_body(u_int32_t ipsecdoisit,
 
 			/* copy over the results */
 			st->st_oakley = ta;
-			return NOTHING_WRONG;
+			return ISAKMP_NOTHING_WRONG;
 		}
 
 		/* on to next transform */
@@ -1275,7 +1273,7 @@ notification_t parse_isakmp_sa_body(u_int32_t ipsecdoisit,
 			if (no_trans_left != 0)
 			{
 				loglog(RC_LOG_SERIOUS, "number of Transform Payloads disagrees with Oakley Proposal Payload");
-				return BAD_PROPOSAL_SYNTAX;
+				return ISAKMP_BAD_PROPOSAL_SYNTAX;
 			}
 			break;
 		}
@@ -1283,11 +1281,11 @@ notification_t parse_isakmp_sa_body(u_int32_t ipsecdoisit,
 		{
 			loglog(RC_LOG_SERIOUS, "unexpected %s payload in Oakley Proposal"
 				, enum_show(&payload_names, proposal->isap_np));
-			return BAD_PROPOSAL_SYNTAX;
+			return ISAKMP_BAD_PROPOSAL_SYNTAX;
 		}
 	}
 	loglog(RC_LOG_SERIOUS, "no acceptable Oakley Transform");
-	return NO_PROPOSAL_CHOSEN;
+	return ISAKMP_NO_PROPOSAL_CHOSEN;
 }
 
 /* Parse the body of an IPsec SA Payload (i.e. Phase 2 / Quick Mode).
@@ -1712,7 +1710,7 @@ parse_ipsec_sa_body(
 	bool selection,             /* if this SA is a selection, only one transform may appear */
 	struct state *st)           /* current state object */
 {
-	const struct connection *c = st->st_connection;
+	const connection_t *c = st->st_connection;
 	u_int32_t ipsecdoisit;
 	pb_stream next_proposal_pbs;
 
@@ -1726,19 +1724,19 @@ parse_ipsec_sa_body(
 	{
 		loglog(RC_LOG_SERIOUS, "Unknown or unsupported DOI %s", enum_show(&doi_names, sa->isasa_doi));
 		/* XXX Could send notification back */
-		return DOI_NOT_SUPPORTED;
+		return ISAKMP_DOI_NOT_SUPPORTED;
 	}
 
 	/* Situation */
 	if (!in_struct(&ipsecdoisit, &ipsec_sit_desc, sa_pbs, NULL))
-		return SITUATION_NOT_SUPPORTED;
+		return ISAKMP_SITUATION_NOT_SUPPORTED;
 
 	if (ipsecdoisit != SIT_IDENTITY_ONLY)
 	{
 		loglog(RC_LOG_SERIOUS, "unsupported IPsec DOI situation (%s)"
 			, bitnamesof(sit_bit_names, ipsecdoisit));
 		/* XXX Could send notification back */
-		return SITUATION_NOT_SUPPORTED;
+		return ISAKMP_SITUATION_NOT_SUPPORTED;
 	}
 
 	/* The rules for IPsec SAs are scattered.
@@ -1755,7 +1753,7 @@ parse_ipsec_sa_body(
 	 */
 
 	if (!in_struct(&next_proposal, &isakmp_proposal_desc, sa_pbs, &next_proposal_pbs))
-		return BAD_PROPOSAL_SYNTAX;
+		return ISAKMP_BAD_PROPOSAL_SYNTAX;
 
 	/* for each conjunction of proposals... */
 	while (next_full)
@@ -1797,13 +1795,13 @@ parse_ipsec_sa_body(
 					if (!in_raw(filler, sizeof(filler)
 					 , &next_proposal_pbs, "CPI filler")
 					|| !all_zero(filler, sizeof(filler)))
-						return INVALID_SPI;
+						return ISAKMP_INVALID_SPI;
 				}
 				else if (next_proposal.isap_spisize != IPCOMP_CPI_SIZE)
 				{
 					loglog(RC_LOG_SERIOUS, "IPsec Proposal with improper CPI size (%u)"
 						, next_proposal.isap_spisize);
-					return INVALID_SPI;
+					return ISAKMP_INVALID_SPI;
 				}
 
 				/* We store CPI in the low order of a network order
@@ -1813,7 +1811,7 @@ parse_ipsec_sa_body(
 				if (!in_raw((u_char *)&next_spi
 				  + IPSEC_DOI_SPI_SIZE - IPCOMP_CPI_SIZE
 				, IPCOMP_CPI_SIZE, &next_proposal_pbs, "CPI"))
-					return INVALID_SPI;
+					return ISAKMP_INVALID_SPI;
 
 				/* If sanity ruled, CPIs would have to be such that
 				 * the SAID (the triple (CPI, IPCOM, destination IP))
@@ -1832,7 +1830,7 @@ parse_ipsec_sa_body(
 					{
 						loglog(RC_LOG_SERIOUS
 							, "IPsec Proposal contains well-known CPI that I cannot uniquify");
-						return INVALID_SPI;
+						return ISAKMP_INVALID_SPI;
 					}
 					break;
 				default:
@@ -1841,7 +1839,7 @@ parse_ipsec_sa_body(
 					{
 						loglog(RC_LOG_SERIOUS, "IPsec Proposal contains CPI from non-negotiated range (0x%lx)"
 							, (unsigned long) ntohl(next_spi));
-						return INVALID_SPI;
+						return ISAKMP_INVALID_SPI;
 					}
 					break;
 				}
@@ -1853,11 +1851,11 @@ parse_ipsec_sa_body(
 				{
 					loglog(RC_LOG_SERIOUS, "IPsec Proposal with improper SPI size (%u)"
 						, next_proposal.isap_spisize);
-					return INVALID_SPI;
+					return ISAKMP_INVALID_SPI;
 				}
 
 				if (!in_raw((u_char *)&next_spi, sizeof(next_spi), &next_proposal_pbs, "SPI"))
-					return INVALID_SPI;
+					return ISAKMP_INVALID_SPI;
 
 				/* SPI value 0 is invalid and values 1-255 are reserved to IANA.
 				 * RFC 2402 (ESP) 2.4, RFC 2406 (AH) 2.1
@@ -1867,14 +1865,14 @@ parse_ipsec_sa_body(
 				{
 					loglog(RC_LOG_SERIOUS, "IPsec Proposal contains invalid SPI (0x%lx)"
 						, (unsigned long) ntohl(next_spi));
-					return INVALID_SPI;
+					return ISAKMP_INVALID_SPI;
 				}
 			}
 
 			if (next_proposal.isap_notrans == 0)
 			{
 				loglog(RC_LOG_SERIOUS, "IPsec Proposal contains no Transforms");
-				return BAD_PROPOSAL_SYNTAX;
+				return ISAKMP_BAD_PROPOSAL_SYNTAX;
 			}
 
 			switch (next_proposal.isap_protoid)
@@ -1883,7 +1881,7 @@ parse_ipsec_sa_body(
 				if (ah_seen)
 				{
 					loglog(RC_LOG_SERIOUS, "IPsec SA contains two simultaneous AH Proposals");
-					return BAD_PROPOSAL_SYNTAX;
+					return ISAKMP_BAD_PROPOSAL_SYNTAX;
 				}
 				ah_seen = TRUE;
 				ah_prop_pbs = next_proposal_pbs;
@@ -1895,7 +1893,7 @@ parse_ipsec_sa_body(
 				if (esp_seen)
 				{
 					loglog(RC_LOG_SERIOUS, "IPsec SA contains two simultaneous ESP Proposals");
-					return BAD_PROPOSAL_SYNTAX;
+					return ISAKMP_BAD_PROPOSAL_SYNTAX;
 				}
 				esp_seen = TRUE;
 				esp_prop_pbs = next_proposal_pbs;
@@ -1907,7 +1905,7 @@ parse_ipsec_sa_body(
 				if (ipcomp_seen)
 				{
 					loglog(RC_LOG_SERIOUS, "IPsec SA contains two simultaneous IPCOMP Proposals");
-					return BAD_PROPOSAL_SYNTAX;
+					return ISAKMP_BAD_PROPOSAL_SYNTAX;
 				}
 				ipcomp_seen = TRUE;
 				ipcomp_prop_pbs = next_proposal_pbs;
@@ -1918,7 +1916,7 @@ parse_ipsec_sa_body(
 			default:
 				loglog(RC_LOG_SERIOUS, "unexpected Protocol ID (%s) in IPsec Proposal"
 					, enum_show(&protocol_names, next_proposal.isap_protoid));
-				return INVALID_PROTOCOL_ID;
+				return ISAKMP_INVALID_PROTOCOL_ID;
 			}
 
 			/* refill next_proposal */
@@ -1931,11 +1929,11 @@ parse_ipsec_sa_body(
 			{
 				loglog(RC_LOG_SERIOUS, "unexpected in Proposal: %s"
 					, enum_show(&payload_names, next_proposal.isap_np));
-				return BAD_PROPOSAL_SYNTAX;
+				return ISAKMP_BAD_PROPOSAL_SYNTAX;
 			}
 
 			if (!in_struct(&next_proposal, &isakmp_proposal_desc, sa_pbs, &next_proposal_pbs))
-				return BAD_PROPOSAL_SYNTAX;
+				return ISAKMP_BAD_PROPOSAL_SYNTAX;
 		} while (next_proposal.isap_proposal == propno);
 
 		/* Now that we have all conjuncts, we should try
@@ -1968,7 +1966,7 @@ parse_ipsec_sa_body(
 				, tn == ah_proposal.isap_notrans - 1
 				, FALSE
 				, st))
-					return BAD_PROPOSAL_SYNTAX;
+					return ISAKMP_BAD_PROPOSAL_SYNTAX;
 
 				previous_transnum = ah_trans.isat_transnum;
 
@@ -1988,7 +1986,7 @@ parse_ipsec_sa_body(
 				{
 					case AUTH_ALGORITHM_NONE:
 						loglog(RC_LOG_SERIOUS, "AUTH_ALGORITHM attribute missing in AH Transform");
-						return BAD_PROPOSAL_SYNTAX;
+						return ISAKMP_BAD_PROPOSAL_SYNTAX;
 
 					case AUTH_ALGORITHM_HMAC_MD5:
 						ok_auth = TRUE;
@@ -2010,8 +2008,8 @@ parse_ipsec_sa_body(
 				{
 					loglog(RC_LOG_SERIOUS, "%s attribute inappropriate in %s Transform"
 						, enum_name(&auth_alg_names, ah_attrs.auth)
-						, enum_show(&ah_transformid_names, ah_attrs.transid));
-					return BAD_PROPOSAL_SYNTAX;
+						, enum_show(&ah_transform_names, ah_attrs.transid));
+					return ISAKMP_BAD_PROPOSAL_SYNTAX;
 				}
 				if (!ok_auth)
 				{
@@ -2019,7 +2017,7 @@ parse_ipsec_sa_body(
 						, DBG_log("%s attribute unsupported"
 							" in %s Transform from %s"
 							, enum_name(&auth_alg_names, ah_attrs.auth)
-							, enum_show(&ah_transformid_names, ah_attrs.transid)
+							, enum_show(&ah_transform_names, ah_attrs.transid)
 							, ip_str(&c->spd.that.host_addr)));
 					continue;   /* try another */
 				}
@@ -2050,7 +2048,7 @@ parse_ipsec_sa_body(
 				, tn == esp_proposal.isap_notrans - 1
 				, FALSE
 				, st))
-					return BAD_PROPOSAL_SYNTAX;
+					return ISAKMP_BAD_PROPOSAL_SYNTAX;
 
 				previous_transnum = esp_trans.isat_transnum;
 
@@ -2087,7 +2085,7 @@ parse_ipsec_sa_body(
 					default:
 						DBG(DBG_CONTROL | DBG_CRYPT
 							, DBG_log("unsupported ESP Transform %s from %s"
-								, enum_show(&esp_transformid_names, esp_attrs.transid)
+								, enum_show(&esp_transform_names, esp_attrs.transid)
 								, ip_str(&c->spd.that.host_addr)));
 						continue;   /* try another */
 					}
@@ -2138,7 +2136,7 @@ parse_ipsec_sa_body(
 			}
 			if (tn == esp_proposal.isap_notrans)
 				continue;       /* we didn't find a nice one */
-			
+
 			esp_attrs.spi = esp_spi;
 			inner_proto = IPPROTO_ESP;
 			if (esp_attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL)
@@ -2186,7 +2184,7 @@ parse_ipsec_sa_body(
 			if (well_known_cpi != 0 && !ah_seen && !esp_seen)
 			{
 				plog("illegal proposal: bare IPCOMP used with well-known CPI");
-				return BAD_PROPOSAL_SYNTAX;
+				return ISAKMP_BAD_PROPOSAL_SYNTAX;
 			}
 
 			for (tn = 0; tn != ipcomp_proposal.isap_notrans; tn++)
@@ -2201,14 +2199,14 @@ parse_ipsec_sa_body(
 				, tn == ipcomp_proposal.isap_notrans - 1
 				, TRUE
 				, st))
-					return BAD_PROPOSAL_SYNTAX;
+					return ISAKMP_BAD_PROPOSAL_SYNTAX;
 
 				previous_transnum = ipcomp_trans.isat_transnum;
 
 				if (well_known_cpi != 0 && ipcomp_attrs.transid != well_known_cpi)
 				{
 					plog("illegal proposal: IPCOMP well-known CPI disagrees with transform");
-					return BAD_PROPOSAL_SYNTAX;
+					return ISAKMP_BAD_PROPOSAL_SYNTAX;
 				}
 
 				switch (ipcomp_attrs.transid)
@@ -2309,9 +2307,9 @@ parse_ipsec_sa_body(
 		if (ipcomp_seen)
 			st->st_ipcomp.attrs = ipcomp_attrs;
 
-		return NOTHING_WRONG;
+		return ISAKMP_NOTHING_WRONG;
 	}
 
 	loglog(RC_LOG_SERIOUS, "no acceptable Proposal in IPsec SA");
-	return NO_PROPOSAL_CHOSEN;
+	return ISAKMP_NO_PROPOSAL_CHOSEN;
 }
diff --git a/src/pluto/state.c b/src/pluto/state.c
index 5bef36c5c..29d78fb3d 100644
--- a/src/pluto/state.c
+++ b/src/pluto/state.c
@@ -277,7 +277,7 @@ void release_whack(struct state *st)
  */
 void delete_state(struct state *st)
 {
-	struct connection *const c = st->st_connection;
+	connection_t *const c = st->st_connection;
 	struct state *old_cur_state = cur_state == st? NULL : cur_state;
 
 	set_cur_state(st);
@@ -371,7 +371,7 @@ void delete_state(struct state *st)
 /**
  * Is a connection in use by some state?
  */
-bool states_use_connection(struct connection *c)
+bool states_use_connection(connection_t *c)
 {
 	/* are there any states still using it? */
 	struct state *st = NULL;
@@ -390,7 +390,7 @@ bool states_use_connection(struct connection *c)
  * if relations == TRUE, then also delete states that share
  * the same phase 1 SA.
  */
-void delete_states_by_connection(struct connection *c, bool relations)
+void delete_states_by_connection(connection_t *c, bool relations)
 {
 	int pass;
 	/* this kludge avoids an n^2 algorithm */
@@ -448,7 +448,7 @@ void delete_states_by_connection(struct connection *c, bool relations)
 			}
 		}
 	}
-	
+
 	sr = &c->spd;
 	while (sr != NULL)
 	{
@@ -480,7 +480,7 @@ void delete_states_by_peer(ip_address *peer)
 		{
 			struct state *this = st;
 			struct spd_route *sr;
-			struct connection *c = this->st_connection;
+			connection_t *c = this->st_connection;
 
 			st = st->st_hashchain_next; /* before this is deleted */
 
@@ -521,7 +521,7 @@ struct state *duplicate_state(struct state *st)
 
 	memcpy(nst->st_icookie, st->st_icookie, COOKIE_SIZE);
 	memcpy(nst->st_rcookie, st->st_rcookie, COOKIE_SIZE);
-	
+
 	nst->st_connection = st->st_connection;
 	nst->st_doi = st->st_doi;
 	nst->st_situation = st->st_situation;
@@ -646,7 +646,7 @@ struct state *find_phase2_state_to_delete(const struct state *p1st,
 /**
  * Find newest Phase 1 negotiation state object for suitable for connection c
  */
-struct state *find_phase1_state(const struct connection *c, lset_t ok_states)
+struct state *find_phase1_state(const connection_t *c, lset_t ok_states)
 {
 	struct state
 		*st,
@@ -674,7 +674,7 @@ void state_eroute_usage(ip_subnet *ours, ip_subnet *his, unsigned long count,
 	{
 		for (st = statetable[i]; st != NULL; st = st->st_hashchain_next)
 		{
-			struct connection *c = st->st_connection;
+			connection_t *c = st->st_connection;
 
 			/* XXX spd-enum */
 			if (IS_IPSEC_SA_ESTABLISHED(st->st_state)
@@ -708,7 +708,7 @@ void fmt_state(bool all, struct state *st, time_t n, char *state_buf,
 			   size_t state_buf_len, char *state_buf2, size_t state_buf2_len)
 {
 	/* what the heck is interesting about a state? */
-	const struct connection *c = st->st_connection;
+	const connection_t *c = st->st_connection;
 
 	long delta = st->st_event->ev_time >= n
 		? (long)(st->st_event->ev_time - n)
@@ -724,7 +724,7 @@ void fmt_state(bool all, struct state *st, time_t n, char *state_buf,
 		? "; eroute owner" : "";
 	const char *dpd = (all && st->st_dpd && c->dpd_action != DPD_ACTION_NONE)
 					  ? "; DPD active" : "";
-	
+
 	passert(st->st_event != 0);
 
 	fmt_conn_instance(c, inst);
@@ -824,9 +824,9 @@ void fmt_state(bool all, struct state *st, time_t n, char *state_buf,
 static int state_compare(const void *a, const void *b)
 {
 	const struct state *sap = *(const struct state *const *)a;
-	struct connection *ca = sap->st_connection;
+	connection_t *ca = sap->st_connection;
 	const struct state *sbp = *(const struct state *const *)b;
-	struct connection *cb = sbp->st_connection;
+	connection_t *cb = sbp->st_connection;
 
 	/* DBG_log("comparing %s to %s", ca->name, cb->name); */
 
diff --git a/src/pluto/state.h b/src/pluto/state.h
index a059c52b4..35ffe5a5b 100644
--- a/src/pluto/state.h
+++ b/src/pluto/state.h
@@ -21,6 +21,7 @@
 
 #include <crypto/diffie_hellman.h>
 
+#include "defs.h"
 #include "connections.h"
 
 /* Message ID mechanism.
diff --git a/src/pluto/timer.c b/src/pluto/timer.c
index 89082f88e..74806a40c 100644
--- a/src/pluto/timer.c
+++ b/src/pluto/timer.c
@@ -143,7 +143,7 @@ void event_schedule(enum event_type type, time_t tm, struct state *st)
 bool init_secret(void)
 {
 	rng_t *rng;
-	 
+
 	rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
 
 	if (rng == NULL)
@@ -166,7 +166,7 @@ void handle_timer_event(void)
 	struct event *ev = evlist;
 	int type;
 	struct state *st;
-	struct connection *c = NULL;
+	connection_t *c = NULL;
 	ip_address peer;
 
 	if (ev == (struct event *) NULL)    /* Just paranoid */
@@ -216,7 +216,7 @@ void handle_timer_event(void)
 			passert(st->st_dpd_event == ev);
 			st->st_dpd_event = NULL;
 		}
-		else 
+		else
 		{
 			passert(st->st_event == ev);
 			st->st_event = NULL;
diff --git a/src/pluto/vendor.c b/src/pluto/vendor.c
index a532e50f2..7d3c96c87 100644
--- a/src/pluto/vendor.c
+++ b/src/pluto/vendor.c
@@ -158,7 +158,7 @@ static struct vid_struct _vid_tab[] = {
 		{ VID_CISCO3K, VID_KEEP | VID_SUBSTRING_MATCH, NULL, "Cisco VPN 3000 Series" ,
 		  { "\x1f\x07\xf7\x0e\xaa\x65\x14\xd3\xb0\xfa\x96\x54\x2a\x50", 14 } },
 
-		{ VID_CISCO_IOS, VID_KEEP | VID_SUBSTRING_MATCH, 
+		{ VID_CISCO_IOS, VID_KEEP | VID_SUBSTRING_MATCH,
 		  NULL, "Cisco IOS Device", { "\x3e\x98\x40\x48", 4 } },
 
 		/*
@@ -197,7 +197,9 @@ static struct vid_struct _vid_tab[] = {
 		/*
 		 * strongSwan
 		 */
-		DEC_MD5_VID(STRONGSWAN,       "strongSwan 4.3.4")
+		DEC_MD5_VID(STRONGSWAN,       "strongSwan")
+		DEC_MD5_VID(STRONGSWAN_4_3_5, "strongSwan 4.3.5")
+		DEC_MD5_VID(STRONGSWAN_4_3_4, "strongSwan 4.3.4")
 		DEC_MD5_VID(STRONGSWAN_4_3_3, "strongSwan 4.3.3")
 		DEC_MD5_VID(STRONGSWAN_4_3_2, "strongSwan 4.3.2")
 		DEC_MD5_VID(STRONGSWAN_4_3_1, "strongSwan 4.3.1")
@@ -296,7 +298,7 @@ static struct vid_struct _vid_tab[] = {
 		DEC_MD5_VID(NATT_RFC, "RFC 3947")
 
 		/* misc */
-		
+
 		{ VID_MISC_XAUTH, VID_KEEP, NULL, "XAUTH",
 			{ "\x09\x00\x26\x89\xdf\xd6\xb7\x12", 8 } },
 
@@ -304,7 +306,7 @@ static struct vid_struct _vid_tab[] = {
 			{ "\xaf\xca\xd7\x13\x68\xa1\xf1\xc9\x6b\x86\x96\xfc\x77\x57\x01\x00", 16 } },
 
 		DEC_MD5_VID(MISC_FRAGMENTATION, "FRAGMENTATION")
-		
+
 		DEC_MD5_VID(INITIAL_CONTACT, "Vid-Initial-Contact")
 
 		/**
@@ -338,9 +340,9 @@ void init_vendorid(void)
 		else if (vid->flags & VID_MD5HASH)
 		{
 			chunk_t vid_data = { (u_char *)vid->data, strlen(vid->data) };
-			
+
 			/** VendorID is a string to hash with MD5 **/
-		 	hasher->allocate_hash(hasher, vid_data, &vid->vid);
+			hasher->allocate_hash(hasher, vid_data, &vid->vid);
 		}
 
 		if (vid->descr == NULL)
diff --git a/src/pluto/vendor.h b/src/pluto/vendor.h
index 8aa2f6348..3df1a8196 100644
--- a/src/pluto/vendor.h
+++ b/src/pluto/vendor.h
@@ -138,6 +138,8 @@ enum known_vendorid {
   VID_STRONGSWAN_4_3_1          =119,
   VID_STRONGSWAN_4_3_2          =120,
   VID_STRONGSWAN_4_3_3          =121,
+  VID_STRONGSWAN_4_3_4          =122,
+  VID_STRONGSWAN_4_3_5          =123,
 
   /* 101 - 200 : NAT-Traversal */
   VID_NATT_STENBERG_01          =151,
diff --git a/src/pluto/virtual.c b/src/pluto/virtual.c
index 2067bde01..3e8d5fcba 100644
--- a/src/pluto/virtual.c
+++ b/src/pluto/virtual.c
@@ -180,7 +180,7 @@ init_virtual_ip(const char *private_list)
  * ex: vhost:%no,%dhcp,%priv,%v4:192.168.1.0/24
  */
 struct virtual_t
-*create_virtual(const struct connection *c, const char *string)
+*create_virtual(const connection_t *c, const char *string)
 {
 	unsigned short flags=0, n_net=0, i;
 	const char *str = string, *next, *first_net=NULL;
@@ -227,7 +227,7 @@ struct virtual_t
 		}
 		else
 			goto fail;
-		
+
 		str = *next ? next+1 : NULL;
 	}
 
@@ -267,14 +267,13 @@ is_virtual_end(const struct end *that)
 }
 
 bool
-is_virtual_connection(const struct connection *c)
+is_virtual_connection(const connection_t *c)
 {
 	return ((c->spd.that.virt)?TRUE:FALSE);
 }
 
-static bool
-net_in_list(const ip_subnet *peer_net, const ip_subnet *list,
-	unsigned short len)
+static bool net_in_list(const ip_subnet *peer_net, const ip_subnet *list,
+						unsigned short len)
 {
 	unsigned short i;
 
@@ -289,9 +288,8 @@ net_in_list(const ip_subnet *peer_net, const ip_subnet *list,
 	return FALSE;
 }
 
-bool
-is_virtual_net_allowed(const struct connection *c, const ip_subnet *peer_net,
-		const ip_address *his_addr)
+bool is_virtual_net_allowed(const connection_t *c, const ip_subnet *peer_net,
+							const ip_address *his_addr)
 {
 	if (c->spd.that.virt == NULL)
 		return FALSE;
@@ -312,7 +310,7 @@ is_virtual_net_allowed(const struct connection *c, const ip_subnet *peer_net,
 	if (c->spd.that.virt->n_net
 	&&  net_in_list(peer_net, c->spd.that.virt->net, c->spd.that.virt->n_net))
 		return TRUE;
-	
+
 	if (c->spd.that.virt->flags & F_VIRTUAL_ALL)
 	{
 		/** %all must only be used for testing - log it **/
diff --git a/src/pluto/x509.c b/src/pluto/x509.c
index 0953f18f5..d8e887955 100644
--- a/src/pluto/x509.c
+++ b/src/pluto/x509.c
@@ -26,14 +26,13 @@
 #include <freeswan.h>
 
 #include <asn1/asn1.h>
-#include <asn1/asn1_parser.h>
-#include <asn1/oid.h>
 #include <crypto/hashers/hasher.h>
+#include <utils/enumerator.h>
+#include <utils/identification.h>
 
 #include "constants.h"
 #include "defs.h"
 #include "log.h"
-#include "id.h"
 #include "x509.h"
 #include "crl.h"
 #include "ca.h"
@@ -44,1277 +43,130 @@
 #include "ocsp.h"
 
 /**
- * Chained lists of X.509 end certificates
- */
-static x509cert_t *x509certs     = NULL;
-
-/**
- * ASN.1 definition of a basicConstraints extension 
- */
-static const asn1Object_t basicConstraintsObjects[] = {
-	{ 0, "basicConstraints",	ASN1_SEQUENCE, ASN1_NONE          }, /*  0 */
-	{ 1,   "CA",				ASN1_BOOLEAN,  ASN1_DEF|ASN1_BODY }, /*  1 */
-	{ 1,   "pathLenConstraint",	ASN1_INTEGER,  ASN1_OPT|ASN1_BODY }, /*  2 */
-	{ 1,   "end opt",			ASN1_EOC,      ASN1_END           }, /*  3 */
-	{ 0, "exit",				ASN1_EOC,      ASN1_EXIT          }
-};
-#define BASIC_CONSTRAINTS_CA	1
-
-/**
- * ASN.1 definition of a authorityKeyIdentifier extension 
- */
-static const asn1Object_t authKeyIdentifierObjects[] = {
-	{ 0, "authorityKeyIdentifier",		ASN1_SEQUENCE,	  ASN1_NONE          }, /* 0 */
-	{ 1,   "keyIdentifier",				ASN1_CONTEXT_S_0, ASN1_OPT|ASN1_BODY }, /* 1 */
-	{ 1,   "end opt",					ASN1_EOC,		  ASN1_END           }, /* 2 */
-	{ 1,   "authorityCertIssuer",		ASN1_CONTEXT_C_1, ASN1_OPT|ASN1_OBJ  }, /* 3 */
-	{ 1,   "end opt",					ASN1_EOC,		  ASN1_END           }, /* 4 */
-	{ 1,   "authorityCertSerialNumber",	ASN1_CONTEXT_S_2, ASN1_OPT|ASN1_BODY }, /* 5 */
-	{ 1,   "end opt",					ASN1_EOC,		  ASN1_END           }, /* 6 */
-	{ 0, "exit",						ASN1_EOC,		  ASN1_EXIT          }
-};
-#define AUTH_KEY_ID_KEY_ID			1
-#define AUTH_KEY_ID_CERT_ISSUER		3
-#define AUTH_KEY_ID_CERT_SERIAL		5
-
-/**
- * ASN.1 definition of a authorityInfoAccess extension 
- */
-static const asn1Object_t authInfoAccessObjects[] = {
-	{ 0, "authorityInfoAccess",	ASN1_SEQUENCE,	ASN1_LOOP }, /* 0 */
-	{ 1,   "accessDescription",	ASN1_SEQUENCE,	ASN1_NONE }, /* 1 */
-	{ 2,     "accessMethod",	ASN1_OID,		ASN1_BODY }, /* 2 */
-	{ 2,     "accessLocation",	ASN1_EOC,		ASN1_RAW  }, /* 3 */
-	{ 0, "end loop",			ASN1_EOC,		ASN1_END  }, /* 4 */
-	{ 0, "exit",				ASN1_EOC,		ASN1_EXIT }
-};
-#define AUTH_INFO_ACCESS_METHOD		2
-#define AUTH_INFO_ACCESS_LOCATION	3
-
-/**
- * ASN.1 definition of a extendedKeyUsage extension
- */
-static const asn1Object_t extendedKeyUsageObjects[] = {
-	{ 0, "extendedKeyUsage",	ASN1_SEQUENCE,	ASN1_LOOP }, /* 0 */
-	{ 1,   "keyPurposeID",		ASN1_OID,		ASN1_BODY }, /* 1 */
-	{ 0, "end loop",			ASN1_EOC,		ASN1_END  }, /* 2 */
-	{ 0, "exit",				ASN1_EOC,		ASN1_EXIT }
-};
-#define EXT_KEY_USAGE_PURPOSE_ID	1
-
-/**
- * ASN.1 definition of generalNames 
- */
-static const asn1Object_t generalNamesObjects[] = {
-	{ 0, "generalNames",	ASN1_SEQUENCE,	ASN1_LOOP }, /* 0 */
-	{ 1,   "generalName",	ASN1_EOC,		ASN1_RAW  }, /* 1 */
-	{ 0, "end loop",		ASN1_EOC,		ASN1_END  }, /* 2 */
-	{ 0, "exit",			ASN1_EOC,		ASN1_EXIT }
-};
-#define GENERAL_NAMES_GN	1
-
-/**
- * ASN.1 definition of generalName 
- */
-static const asn1Object_t generalNameObjects[] = {
-	{ 0, "otherName",		ASN1_CONTEXT_C_0,  ASN1_OPT|ASN1_BODY	}, /*  0 */
-	{ 0, "end choice",		ASN1_EOC,          ASN1_END				}, /*  1 */
-	{ 0, "rfc822Name",		ASN1_CONTEXT_S_1,  ASN1_OPT|ASN1_BODY	}, /*  2 */
-	{ 0, "end choice",		ASN1_EOC,          ASN1_END 			}, /*  3 */
-	{ 0, "dnsName",			ASN1_CONTEXT_S_2,  ASN1_OPT|ASN1_BODY	}, /*  4 */
-	{ 0, "end choice",		ASN1_EOC,          ASN1_END				}, /*  5 */
-	{ 0, "x400Address",		ASN1_CONTEXT_S_3,  ASN1_OPT|ASN1_BODY	}, /*  6 */
-	{ 0, "end choice",		ASN1_EOC,          ASN1_END				}, /*  7 */
-	{ 0, "directoryName",	ASN1_CONTEXT_C_4,  ASN1_OPT|ASN1_BODY	}, /*  8 */
-	{ 0, "end choice",		ASN1_EOC,          ASN1_END				}, /*  9 */
-	{ 0, "ediPartyName",	ASN1_CONTEXT_C_5,  ASN1_OPT|ASN1_BODY	}, /* 10 */
-	{ 0, "end choice",		ASN1_EOC,          ASN1_END				}, /* 11 */
-	{ 0, "URI",				ASN1_CONTEXT_S_6,  ASN1_OPT|ASN1_BODY	}, /* 12 */
-	{ 0, "end choice",		ASN1_EOC,          ASN1_END				}, /* 13 */
-	{ 0, "ipAddress",		ASN1_CONTEXT_S_7,  ASN1_OPT|ASN1_BODY	}, /* 14 */
-	{ 0, "end choice",		ASN1_EOC,          ASN1_END				}, /* 15 */
-	{ 0, "registeredID",	ASN1_CONTEXT_S_8,  ASN1_OPT|ASN1_BODY	}, /* 16 */
-	{ 0, "end choice",		ASN1_EOC,          ASN1_END				}, /* 17 */
-	{ 0, "exit",			ASN1_EOC,          ASN1_EXIT			}
-};
-#define GN_OBJ_OTHER_NAME	 	 0
-#define GN_OBJ_RFC822_NAME	 	 2
-#define GN_OBJ_DNS_NAME		 	 4
-#define GN_OBJ_X400_ADDRESS	 	 6
-#define GN_OBJ_DIRECTORY_NAME	 8
-#define GN_OBJ_EDI_PARTY_NAME	10
-#define GN_OBJ_URI				12
-#define GN_OBJ_IP_ADDRESS		14
-#define GN_OBJ_REGISTERED_ID	16
-
-/**
- * ASN.1 definition of otherName 
- */
-static const asn1Object_t otherNameObjects[] = {
-	{0, "type-id",	ASN1_OID,			ASN1_BODY	}, /* 0 */
-	{0, "value",	ASN1_CONTEXT_C_0,	ASN1_BODY	}, /* 1 */
-	{0, "exit",		ASN1_EOC,			ASN1_EXIT	}
-};
-#define ON_OBJ_ID_TYPE		0
-#define ON_OBJ_VALUE		1
-
-/**
- * ASN.1 definition of crlDistributionPoints
- */
-static const asn1Object_t crlDistributionPointsObjects[] = {
-	{ 0, "crlDistributionPoints",	ASN1_SEQUENCE,		ASN1_LOOP			}, /*  0 */
-	{ 1,   "DistributionPoint",		ASN1_SEQUENCE,		ASN1_NONE			}, /*  1 */
-	{ 2,     "distributionPoint",	ASN1_CONTEXT_C_0,	ASN1_OPT|ASN1_LOOP	}, /*  2 */
-	{ 3,       "fullName",			ASN1_CONTEXT_C_0,	ASN1_OPT|ASN1_OBJ	}, /*  3 */
-	{ 3,       "end choice",		ASN1_EOC,			ASN1_END			}, /*  4 */
-	{ 3,       "nameRelToCRLIssuer",ASN1_CONTEXT_C_1,	ASN1_OPT|ASN1_BODY	}, /*  5 */
-	{ 3,       "end choice",		ASN1_EOC,			ASN1_END			}, /*  6 */
-	{ 2,     "end opt",				ASN1_EOC,			ASN1_END			}, /*  7 */
-	{ 2,     "reasons",				ASN1_CONTEXT_C_1,	ASN1_OPT|ASN1_BODY	}, /*  8 */
-	{ 2,     "end opt",				ASN1_EOC,			ASN1_END			}, /*  9 */
-	{ 2,     "crlIssuer",			ASN1_CONTEXT_C_2,	ASN1_OPT|ASN1_BODY	}, /* 10 */
-	{ 2,     "end opt",				ASN1_EOC,			ASN1_END			}, /* 11 */
-	{ 0, "end loop",				ASN1_EOC,			ASN1_END			}, /* 12 */
-	{ 0, "exit",					ASN1_EOC,			ASN1_EXIT			}
-};
-#define CRL_DIST_POINTS_FULLNAME	 3
-
-/**
- * ASN.1 definition of an X.509v3 x509_cert
- */
-static const asn1Object_t certObjects[] = {
-	{ 0, "x509",					ASN1_SEQUENCE,     ASN1_OBJ           }, /*  0 */
-	{ 1,   "tbsCertificate",		ASN1_SEQUENCE,     ASN1_OBJ           }, /*  1 */
-	{ 2,     "DEFAULT v1",			ASN1_CONTEXT_C_0,  ASN1_DEF           }, /*  2 */
-	{ 3,       "version",			ASN1_INTEGER,      ASN1_BODY          }, /*  3 */
-	{ 2,     "serialNumber",		ASN1_INTEGER,      ASN1_BODY          }, /*  4 */
-	{ 2,     "signature",			ASN1_EOC,          ASN1_RAW           }, /*  5 */
-	{ 2,     "issuer",				ASN1_SEQUENCE,     ASN1_OBJ           }, /*  6 */
-	{ 2,     "validity",			ASN1_SEQUENCE,     ASN1_NONE          }, /*  7 */
-	{ 3,       "notBefore",			ASN1_EOC,          ASN1_RAW           }, /*  8 */
-	{ 3,       "notAfter",			ASN1_EOC,          ASN1_RAW           }, /*  9 */
-	{ 2,     "subject",				ASN1_SEQUENCE,     ASN1_OBJ           }, /* 10 */
-	{ 2,     "subjectPublicKeyInfo",ASN1_SEQUENCE,	   ASN1_RAW           }, /* 11 */
-	{ 2,     "issuerUniqueID",		ASN1_CONTEXT_C_1,  ASN1_OPT           }, /* 12 */
-	{ 2,     "end opt",				ASN1_EOC,          ASN1_END           }, /* 13 */
-	{ 2,     "subjectUniqueID",		ASN1_CONTEXT_C_2,  ASN1_OPT           }, /* 14 */
-	{ 2,     "end opt",				ASN1_EOC,          ASN1_END           }, /* 15 */
-	{ 2,     "optional extensions",	ASN1_CONTEXT_C_3,  ASN1_OPT           }, /* 16 */
-	{ 3,       "extensions",		ASN1_SEQUENCE,     ASN1_LOOP          }, /* 17 */
-	{ 4,         "extension",		ASN1_SEQUENCE,     ASN1_NONE          }, /* 18 */
-	{ 5,           "extnID",		ASN1_OID,          ASN1_BODY          }, /* 19 */
-	{ 5,           "critical",		ASN1_BOOLEAN,      ASN1_DEF|ASN1_BODY }, /* 20 */
-	{ 5,           "extnValue",		ASN1_OCTET_STRING, ASN1_BODY          }, /* 21 */
-	{ 3,       "end loop",			ASN1_EOC,          ASN1_END           }, /* 22 */
-	{ 2,     "end opt",				ASN1_EOC,          ASN1_END           }, /* 23 */
-	{ 1,   "signatureAlgorithm",	ASN1_EOC,          ASN1_RAW           }, /* 24 */
-	{ 1,   "signatureValue",		ASN1_BIT_STRING,   ASN1_BODY          }, /* 25 */
-	{ 0, "exit",					ASN1_EOC,          ASN1_EXIT          }
-};
-#define X509_OBJ_CERTIFICATE                     0
-#define X509_OBJ_TBS_CERTIFICATE                 1
-#define X509_OBJ_VERSION                         3
-#define X509_OBJ_SERIAL_NUMBER                   4
-#define X509_OBJ_SIG_ALG                         5
-#define X509_OBJ_ISSUER                          6
-#define X509_OBJ_NOT_BEFORE                      8
-#define X509_OBJ_NOT_AFTER                       9
-#define X509_OBJ_SUBJECT                        10
-#define X509_OBJ_SUBJECT_PUBLIC_KEY_INFO        11
-#define X509_OBJ_EXTN_ID                        19
-#define X509_OBJ_CRITICAL                       20
-#define X509_OBJ_EXTN_VALUE                     21
-#define X509_OBJ_ALGORITHM                      24
-#define X509_OBJ_SIGNATURE                      25
-
-const x509cert_t empty_x509cert = {
-	  NULL        , /* *next */
-	UNDEFINED_TIME, /* installed */
-			0     , /* count */
-	  FALSE       , /* smartcard */
-	 AUTH_NONE    , /* authority_flags */
-	{ NULL, 0 }   , /* certificate */
-	{ NULL, 0 }   , /*   tbsCertificate */
-			1     , /*     version */
-	{ NULL, 0 }   , /*     serialNumber */
-	OID_UNKNOWN   , /*     sigAlg */
-	{ NULL, 0 }   , /*     issuer */
-					/*     validity */
-			0     , /*       notBefore */
-			0     , /*       notAfter */
-	{ NULL, 0 }   , /*     subject */
-	  NULL        , /*     public_key */
-					/*     issuerUniqueID */
-					/*     subjectUniqueID */
-					/*     extensions */
-					/*       extension */
-					/*         extnID */
-					/*         critical */
-					/*         extnValue */
-	  FALSE       , /*           isCA */
-	  FALSE       , /*           isOcspSigner */
-	{ NULL, 0 }   , /*           subjectKeyID */
-	{ NULL, 0 }   , /*           authKeyID */
-	{ NULL, 0 }   , /*           authKeySerialNumber */
-	{ NULL, 0 }   , /*           accessLocation */
-	  NULL        , /*           subjectAltName */
-	  NULL        , /*           crlDistributionPoints */
-	OID_UNKNOWN   , /*   algorithm */
-	{ NULL, 0 }     /*   signature */
-};
-
-/* coding of X.501 distinguished name */
-
-typedef struct {
-	const u_char *name;
-	chunk_t oid;
-	u_char type;
-} x501rdn_t;
-
-/* X.501 acronyms for well known object identifiers (OIDs) */
-
-static u_char oid_ND[]  = {0x02, 0x82, 0x06, 0x01,
-						   0x0A, 0x07, 0x14};
-static u_char oid_UID[] = {0x09, 0x92, 0x26, 0x89, 0x93,
-						   0xF2, 0x2C, 0x64, 0x01, 0x01};
-static u_char oid_DC[]  = {0x09, 0x92, 0x26, 0x89, 0x93,
-						   0xF2, 0x2C, 0x64, 0x01, 0x19};
-static u_char oid_CN[]  = {0x55, 0x04, 0x03};
-static u_char oid_S[]   = {0x55, 0x04, 0x04};
-static u_char oid_SN[]  = {0x55, 0x04, 0x05};
-static u_char oid_C[]   = {0x55, 0x04, 0x06};
-static u_char oid_L[]   = {0x55, 0x04, 0x07};
-static u_char oid_ST[]  = {0x55, 0x04, 0x08};
-static u_char oid_O[]   = {0x55, 0x04, 0x0A};
-static u_char oid_OU[]  = {0x55, 0x04, 0x0B};
-static u_char oid_T[]   = {0x55, 0x04, 0x0C};
-static u_char oid_D[]   = {0x55, 0x04, 0x0D};
-static u_char oid_N[]   = {0x55, 0x04, 0x29};
-static u_char oid_G[]   = {0x55, 0x04, 0x2A};
-static u_char oid_I[]   = {0x55, 0x04, 0x2B};
-static u_char oid_ID[]  = {0x55, 0x04, 0x2D};
-static u_char oid_EN[]  = {0x60, 0x86, 0x48, 0x01, 0x86,
-						   0xF8, 0x42, 0x03, 0x01, 0x03};
-static u_char oid_E[]   = {0x2A, 0x86, 0x48, 0x86, 0xF7,
-						   0x0D, 0x01, 0x09, 0x01};
-static u_char oid_UN[]  = {0x2A, 0x86, 0x48, 0x86, 0xF7,
-						   0x0D, 0x01, 0x09, 0x02};
-static u_char oid_TCGID[] = {0x2B, 0x06, 0x01, 0x04, 0x01, 0x89,
-							 0x31, 0x01, 0x01, 0x02, 0x02, 0x4B};
-
-static const x501rdn_t x501rdns[] = {
-  {"ND"              , {oid_ND,     7}, ASN1_PRINTABLESTRING},
-  {"UID"             , {oid_UID,   10}, ASN1_PRINTABLESTRING},
-  {"DC"              , {oid_DC,    10}, ASN1_PRINTABLESTRING},
-  {"CN"              , {oid_CN,     3}, ASN1_PRINTABLESTRING},
-  {"S"               , {oid_S,      3}, ASN1_PRINTABLESTRING},
-  {"SN"              , {oid_SN,     3}, ASN1_PRINTABLESTRING},
-  {"serialNumber"    , {oid_SN,     3}, ASN1_PRINTABLESTRING},
-  {"C"               , {oid_C,      3}, ASN1_PRINTABLESTRING},
-  {"L"               , {oid_L,      3}, ASN1_PRINTABLESTRING},
-  {"ST"              , {oid_ST,     3}, ASN1_PRINTABLESTRING},
-  {"O"               , {oid_O,      3}, ASN1_PRINTABLESTRING},
-  {"OU"              , {oid_OU,     3}, ASN1_PRINTABLESTRING},
-  {"T"               , {oid_T,      3}, ASN1_PRINTABLESTRING},
-  {"D"               , {oid_D,      3}, ASN1_PRINTABLESTRING},
-  {"N"               , {oid_N,      3}, ASN1_PRINTABLESTRING},
-  {"G"               , {oid_G,      3}, ASN1_PRINTABLESTRING},
-  {"I"               , {oid_I,      3}, ASN1_PRINTABLESTRING},
-  {"ID"              , {oid_ID,     3}, ASN1_PRINTABLESTRING},
-  {"EN"              , {oid_EN,    10}, ASN1_PRINTABLESTRING},
-  {"employeeNumber"  , {oid_EN,    10}, ASN1_PRINTABLESTRING},
-  {"E"               , {oid_E,      9}, ASN1_IA5STRING},
-  {"Email"           , {oid_E,      9}, ASN1_IA5STRING},
-  {"emailAddress"    , {oid_E,      9}, ASN1_IA5STRING},
-  {"UN"              , {oid_UN,     9}, ASN1_IA5STRING},
-  {"unstructuredName", {oid_UN,     9}, ASN1_IA5STRING},
-  {"TCGID"           , {oid_TCGID, 12}, ASN1_PRINTABLESTRING}
-};
-
-#define X501_RDN_ROOF   26
-
-static u_char ASN1_subjectAltName_oid_str[] = {
-	0x06, 0x03, 0x55, 0x1D, 0x11
-};
-
-static const chunk_t ASN1_subjectAltName_oid = chunk_from_buf(ASN1_subjectAltName_oid_str);
-
-static void update_chunk(chunk_t *ch, int n)
-{
-	n = (n > -1 && n < (int)ch->len)? n : (int)ch->len-1;
-	ch->ptr += n; ch->len -= n;
-}
-
-
-/**
- *  Pointer is set to the first RDN in a DN
- */
-static err_t init_rdn(chunk_t dn, chunk_t *rdn, chunk_t *attribute, bool *next)
-{
-	*rdn = chunk_empty;
-	*attribute = chunk_empty;
-
-	/* a DN is a SEQUENCE OF RDNs */
-
-	if (*dn.ptr != ASN1_SEQUENCE)
-	{
-		return "DN is not a SEQUENCE";
-	}
-
-	rdn->len = asn1_length(&dn);
-
-	if (rdn->len == ASN1_INVALID_LENGTH)
-	{
-		return "Invalid RDN length";
-	}
-	rdn->ptr = dn.ptr;
-
-	/* are there any RDNs ? */
-	*next = rdn->len > 0;
-
-	return NULL;
-}
-
-/**
- *  Fetches the next RDN in a DN
- */
-static err_t get_next_rdn(chunk_t *rdn, chunk_t * attribute, chunk_t *oid,
-						  chunk_t *value, asn1_t *type, bool *next)
-{
-	chunk_t body;
-
-	/* initialize return values */
-	*oid   = chunk_empty;
-	*value = chunk_empty;
-
-	/* if all attributes have been parsed, get next rdn */
-	if (attribute->len <= 0)
-	{
-		/* an RDN is a SET OF attributeTypeAndValue */
-		if (*rdn->ptr != ASN1_SET)
-		{
-			return "RDN is not a SET";
-		}
-		attribute->len = asn1_length(rdn);
-		
-		if (attribute->len == ASN1_INVALID_LENGTH)
-		{
-			return "Invalid attribute length";
-		}
-		attribute->ptr = rdn->ptr;
-
-		/* advance to start of next RDN */
-		rdn->ptr += attribute->len;
-		rdn->len -= attribute->len;
-	}
-
-	/* an attributeTypeAndValue is a SEQUENCE */
-	if (*attribute->ptr != ASN1_SEQUENCE)
-	{
-		return "attributeTypeAndValue is not a SEQUENCE";
-	}
-
-	/* extract the attribute body */
-	body.len = asn1_length(attribute);
-	
-	if (body.len == ASN1_INVALID_LENGTH)
-	{
-		return "Invalid attribute body length";
-	}
-	body.ptr = attribute->ptr;
-	
-	/* advance to start of next attribute */
-	attribute->ptr += body.len;
-	attribute->len -= body.len;
-
-	/* attribute type is an OID */
-	if (*body.ptr != ASN1_OID)
-	{
-		return "attributeType is not an OID";
-	}
-
-	/* extract OID */
-	oid->len = asn1_length(&body);
-	
-	if (oid->len == ASN1_INVALID_LENGTH)  
-	{
-		return "Invalid attribute OID length";
-	}
-	oid->ptr = body.ptr;
-
-	/* advance to the attribute value */
-	body.ptr += oid->len;
-	body.len -= oid->len;
-
-	/* extract string type */
-	*type = *body.ptr;
-
-	/* extract string value */
-	value->len = asn1_length(&body);
-	
-	if (value->len == ASN1_INVALID_LENGTH)
-	{
-		return "Invalid attribute string length";
-	}
-	value->ptr = body.ptr;
-
-	/* are there any RDNs left? */
-	*next = rdn->len > 0 || attribute->len > 0;
-
-	return NULL;
-}
-
-/**
- *  Parses an ASN.1 distinguished name int its OID/value pairs
- */
-static err_t dn_parse(chunk_t dn, chunk_t *str)
-{
-	chunk_t rdn, oid, attribute, value;
-	asn1_t type;
-	int oid_code;
-	bool next;
-	bool first = TRUE;
-
-	err_t ugh = init_rdn(dn, &rdn, &attribute, &next);
-
-	if (ugh != NULL) /* a parsing error has occured */
-	{
-		return ugh;
-	}
-
-	while (next)
-	{
-		ugh = get_next_rdn(&rdn, &attribute, &oid, &value, &type, &next);
-
-		if (ugh != NULL) /* a parsing error has occured */
-		{
-			return ugh;
-		}
-
-		if (first)              /* first OID/value pair */
-		{
-			first = FALSE;
-		}
-		else                    /* separate OID/value pair by a comma */
-		{
-			update_chunk(str, snprintf(str->ptr,str->len,", "));
-		}
-
-		/* print OID */
-		oid_code = asn1_known_oid(oid);
-		if (oid_code == OID_UNKNOWN)    /* OID not found in list */
-		{
-			hex_str(oid, str);
-		}
-		else
-		{
-			update_chunk(str, snprintf(str->ptr,str->len,"%s",
-							  oid_names[oid_code].name));
-		}
-
-		/* print value */
-		update_chunk(str, snprintf(str->ptr,str->len,"=%.*s",
-							  (int)value.len,value.ptr));
-	}
-	return NULL;
-}
-
-/**
- *  Count the number of wildcard RDNs in a distinguished name
- */
-int dn_count_wildcards(chunk_t dn)
-{
-	chunk_t rdn, attribute, oid, value;
-	asn1_t type;
-	bool next;
-	int wildcards = 0;
-
-	err_t ugh = init_rdn(dn, &rdn, &attribute, &next);
-
-	if (ugh != NULL) /* a parsing error has occured */
-	{
-		return -1;
-	}
-
-	while (next)
-	{
-		ugh = get_next_rdn(&rdn, &attribute, &oid, &value, &type, &next);
-
-		if (ugh != NULL) /* a parsing error has occured */
-		{
-			return -1;
-		}
-		if (value.len == 1 && *value.ptr == '*')
-		{
-			wildcards++; /* we have found a wildcard RDN */
-		}
-	}
-	return wildcards;
-}
-
-/**
- * Prints a binary string in hexadecimal form
- */
-void hex_str(chunk_t bin, chunk_t *str)
-{
-	u_int i;
-	update_chunk(str, snprintf(str->ptr,str->len,"0x"));
-	for (i=0; i < bin.len; i++)
-		update_chunk(str, snprintf(str->ptr,str->len,"%02X",*bin.ptr++));
-}
-
-
-/** Converts a binary DER-encoded ASN.1 distinguished name
- *  into LDAP-style human-readable ASCII format
- */
-int dntoa(char *dst, size_t dstlen, chunk_t dn)
-{
-	err_t ugh = NULL;
-	chunk_t str;
-
-	str.ptr = dst;
-	str.len = dstlen;
-	ugh = dn_parse(dn, &str);
-
-	if (ugh != NULL) /* error, print DN as hex string */
-	{
-		DBG(DBG_PARSING,
-			DBG_log("error in DN parsing: %s", ugh)
-		)
-		str.ptr = dst;
-		str.len = dstlen;
-		hex_str(dn, &str);
-	}
-	return (int)(dstlen - str.len);
-}
-
-/**
- * Same as dntoa but prints a special string for a null dn
- */
-int dntoa_or_null(char *dst, size_t dstlen, chunk_t dn, const char* null_dn)
-{
-	if (dn.ptr == NULL)
-	{
-		return snprintf(dst, dstlen, "%s", null_dn);
-	}
-	else
-	{
-		return dntoa(dst, dstlen, dn);
-	}
-}
-
-
-/**
- * Codes ASN.1 lengths up to a size of 16'777'215 bytes
- */
-static void code_asn1_length(size_t length, chunk_t *code)
-{
-    if (length < 128)
-    {
-	code->ptr[0] = length;
-	code->len = 1;
-    }
-    else if (length < 256)
-    {
-	code->ptr[0] = 0x81;
-	code->ptr[1] = (u_char) length;
-	code->len = 2;
-    }
-    else if (length < 65536)
-    {
-	code->ptr[0] = 0x82;
-	code->ptr[1] = length >> 8;
-	code->ptr[2] = length & 0x00ff;
-	code->len = 3;
-    }
-    else
-    {
-	code->ptr[0] = 0x83;
-	code->ptr[1] = length >> 16;
-	code->ptr[2] = (length >> 8) & 0x00ff;
-	code->ptr[3] = length & 0x0000ff;
-	code->len = 4;
-    }
-}
-
-/**
- *  Converts an LDAP-style human-readable ASCII-encoded
- *  ASN.1 distinguished name into binary DER-encoded format
- */
-err_t atodn(char *src, chunk_t *dn)
-{
-  /* finite state machine for atodn */
-
-	typedef enum {
-		SEARCH_OID =    0,
-		READ_OID =      1,
-		SEARCH_NAME =   2,
-		READ_NAME =     3,
-		UNKNOWN_OID =   4
-	} state_t;
-
-	u_char oid_len_buf[3];
-	u_char name_len_buf[3];
-	u_char rdn_seq_len_buf[3];
-	u_char rdn_set_len_buf[3];
-	u_char dn_seq_len_buf[3];
-
-	chunk_t asn1_oid_len     = { oid_len_buf,     0 };
-	chunk_t asn1_name_len    = { name_len_buf,    0 };
-	chunk_t asn1_rdn_seq_len = { rdn_seq_len_buf, 0 };
-	chunk_t asn1_rdn_set_len = { rdn_set_len_buf, 0 };
-	chunk_t asn1_dn_seq_len  = { dn_seq_len_buf,  0 };
-	chunk_t oid  = chunk_empty;
-	chunk_t name = chunk_empty;
-
-	int whitespace  = 0;
-	int rdn_seq_len = 0;
-	int rdn_set_len = 0;
-	int dn_seq_len  = 0;
-	int pos         = 0;
-
-	err_t ugh = NULL;
-
-	u_char *dn_ptr = dn->ptr + 4;
-
-	state_t state = SEARCH_OID;
-
-	do
-	{
-		switch (state)
-		{
-		case SEARCH_OID:
-			if (*src != ' ' && *src != '/' && *src !=  ',')
-			{
-				oid.ptr = src;
-				oid.len = 1;
-				state = READ_OID;
-			}
-			break;
-		case READ_OID:
-			if (*src != ' ' && *src != '=')
-			{
-				oid.len++;
-			}
-			else
-			{
-				for (pos = 0; pos < X501_RDN_ROOF; pos++)
-				{
-					if (strlen(x501rdns[pos].name) == oid.len &&
-						strncasecmp(x501rdns[pos].name, oid.ptr, oid.len) == 0)
-					{
-						break; /* found a valid OID */
-					}
-				}
-				if (pos == X501_RDN_ROOF)
-				{
-					ugh = "unknown OID in distinguished name";
-					state = UNKNOWN_OID;
-					break;
-				}
-				code_asn1_length(x501rdns[pos].oid.len, &asn1_oid_len);
-
-				/* reset oid and change state */
-				oid = chunk_empty;
-				state = SEARCH_NAME;
-			}
-			break;
-		case SEARCH_NAME:
-			if (*src != ' ' && *src != '=')
-			{
-				name.ptr = src;
-				name.len = 1;
-				whitespace = 0;
-				state = READ_NAME;
-			}
-			break;
-		case READ_NAME:
-			if (*src != ',' && *src != '/' && *src != '\0')
-			{
-				name.len++;
-				if (*src == ' ')
-				{
-					whitespace++;
-				}
-				else
-				{
-					whitespace = 0;
-				}
-			}
-			else
-			{
-				name.len -= whitespace;
-				code_asn1_length(name.len, &asn1_name_len);
-
-				/* compute the length of the relative distinguished name sequence */
-				rdn_seq_len = 1 + asn1_oid_len.len + x501rdns[pos].oid.len +
-							  1 + asn1_name_len.len + name.len;
-				code_asn1_length(rdn_seq_len, &asn1_rdn_seq_len);
-
-				/* compute the length of the relative distinguished name set */
-				rdn_set_len = 1 + asn1_rdn_seq_len.len + rdn_seq_len;
-				code_asn1_length(rdn_set_len, &asn1_rdn_set_len);
-
-				/* encode the relative distinguished name */
-				*dn_ptr++ = ASN1_SET;
-				chunkcpy(dn_ptr, asn1_rdn_set_len);
-				*dn_ptr++ = ASN1_SEQUENCE;
-				chunkcpy(dn_ptr, asn1_rdn_seq_len);
-				*dn_ptr++ = ASN1_OID;
-				chunkcpy(dn_ptr, asn1_oid_len);
-				chunkcpy(dn_ptr, x501rdns[pos].oid);
-				/* encode the ASN.1 character string type of the name */
-				*dn_ptr++ = (x501rdns[pos].type == ASN1_PRINTABLESTRING
-					&& !asn1_is_printablestring(name))? ASN1_T61STRING : x501rdns[pos].type;
-				chunkcpy(dn_ptr, asn1_name_len);
-				chunkcpy(dn_ptr, name);
-
-				/* accumulate the length of the distinguished name sequence */
-				dn_seq_len += 1 + asn1_rdn_set_len.len + rdn_set_len;
-
-				/* reset name and change state */
-				name = chunk_empty;
-				state = SEARCH_OID;
-			}
-			break;
-		case UNKNOWN_OID:
-			break;
-		}
-	} while (*src++ != '\0');
-
-	/* complete the distinguished name sequence*/
-	code_asn1_length(dn_seq_len, &asn1_dn_seq_len);
-	dn->ptr += 3 - asn1_dn_seq_len.len;
-	dn->len =  1 + asn1_dn_seq_len.len + dn_seq_len;
-	dn_ptr = dn->ptr;
-	*dn_ptr++ = ASN1_SEQUENCE;
-	chunkcpy(dn_ptr, asn1_dn_seq_len);
-	return ugh;
-}
-
-/**
- * compare two distinguished names by comparing the individual RDNs
- */
-bool same_dn(chunk_t a, chunk_t b)
-{
-	chunk_t rdn_a, rdn_b, attribute_a, attribute_b;
-	chunk_t oid_a, oid_b, value_a, value_b;
-	asn1_t type_a, type_b;
-	bool next_a, next_b;
-
-	/* same lengths for the DNs */
-	if (a.len != b.len)
-	{
-		return FALSE;
-	}
-
-	/* try a binary comparison first */
-	if (memeq(a.ptr, b.ptr, b.len))
-	{
-		return TRUE;
-	}
-
-	/* initialize DN parsing */
-	if (init_rdn(a, &rdn_a, &attribute_a, &next_a) != NULL
-	||  init_rdn(b, &rdn_b, &attribute_b, &next_b) != NULL)
-	{
-		return FALSE;
-	}
-
-	/* fetch next RDN pair */
-	while (next_a && next_b)
-	{
-		/* parse next RDNs and check for errors */
-		if (get_next_rdn(&rdn_a, &attribute_a, &oid_a, &value_a, &type_a, &next_a) != NULL
-		||  get_next_rdn(&rdn_b, &attribute_b, &oid_b, &value_b, &type_b, &next_b) != NULL)
-		{
-			return FALSE;
-		}
-
-		/* OIDs must agree */
-		if (oid_a.len != oid_b.len || memcmp(oid_a.ptr, oid_b.ptr, oid_b.len) != 0)
-		{
-			return FALSE;
-		}
-
-		/* same lengths for values */
-		if (value_a.len != value_b.len)
-		{
-			return FALSE;
-		}
-
-		/* printableStrings and email RDNs require uppercase comparison */
-		if (type_a == type_b && (type_a == ASN1_PRINTABLESTRING ||
-		   (type_a == ASN1_IA5STRING && asn1_known_oid(oid_a) == OID_PKCS9_EMAIL)))
-		{
-			if (strncasecmp(value_a.ptr, value_b.ptr, value_b.len) != 0)
-			{
-				return FALSE;
-			}
-		}
-		else
-		{
-			if (strncmp(value_a.ptr, value_b.ptr, value_b.len) != 0)
-			{
-				return FALSE;
-			}
-		}
-	}
-	/* both DNs must have same number of RDNs */
-	if (next_a || next_b)
-	{
-		return FALSE;
-	}
-
-	/* the two DNs are equal! */
-	return TRUE;
-}
-
-
-/**
- *  Compare two distinguished names by comparing the individual RDNs.
- *  A single'*' character designates a wildcard RDN in DN b.
- */
-bool match_dn(chunk_t a, chunk_t b, int *wildcards)
-{
-	chunk_t rdn_a, rdn_b, attribute_a, attribute_b;
-	chunk_t oid_a, oid_b, value_a, value_b;
-	asn1_t type_a,  type_b;
-	bool next_a, next_b;
-
-	/* initialize wildcard counter */
-	*wildcards = 0;
-
-	/* initialize DN parsing */
-	if (init_rdn(a, &rdn_a, &attribute_a, &next_a) != NULL
-	||  init_rdn(b, &rdn_b, &attribute_b, &next_b) != NULL)
-	{
-		return FALSE;
-	}
-
-	/* fetch next RDN pair */
-	while (next_a && next_b)
-	{
-		/* parse next RDNs and check for errors */
-		if (get_next_rdn(&rdn_a, &attribute_a, &oid_a, &value_a, &type_a, &next_a) != NULL
-		||  get_next_rdn(&rdn_b, &attribute_b, &oid_b, &value_b, &type_b, &next_b) != NULL)
-		{
-			return FALSE;
-		}
-
-		/* OIDs must agree */
-		if (oid_a.len != oid_b.len || memcmp(oid_a.ptr, oid_b.ptr, oid_b.len) != 0)
-		{
-			return FALSE;
-		}
-
-		/* does rdn_b contain a wildcard? */
-		if (value_b.len == 1 && *value_b.ptr == '*')
-		{
-			(*wildcards)++;
-			continue;
-		}
-
-		/* same lengths for values */
-		if (value_a.len != value_b.len)
-		{
-			return FALSE;
-		}
-
-		/* printableStrings and email RDNs require uppercase comparison */
-		if (type_a == type_b && (type_a == ASN1_PRINTABLESTRING ||
-		   (type_a == ASN1_IA5STRING && asn1_known_oid(oid_a) == OID_PKCS9_EMAIL)))
-		{
-			if (strncasecmp(value_a.ptr, value_b.ptr, value_b.len) != 0)
-			{
-				return FALSE;
-			}
-		}
-		else
-		{
-			if (strncmp(value_a.ptr, value_b.ptr, value_b.len) != 0)
-			{
-				return FALSE;
-			}
-		}
-	}
-
-	/* both DNs must have same number of RDNs */
-	if (next_a || next_b)
-	{
-		return FALSE;
-	}
-
-	/* the two DNs match! */
-	return TRUE;
-}
-
-/**
- *  Compare two X.509 certificates by comparing their signatures
- */
-bool same_x509cert(const x509cert_t *a, const x509cert_t *b)
-{
-	return chunk_equals(a->signature, b->signature);
-}
-
-/**
- * For each link pointing to the certificate increase the count by one
- */
-void share_x509cert(x509cert_t *cert)
-{
-	if (cert != NULL)
-	{
-		cert->count++;
-	}
-}
-
-/**
- *  Add a X.509 user/host certificate to the chained list
- */
-x509cert_t* add_x509cert(x509cert_t *cert)
-{
-	x509cert_t *c = x509certs;
-
-	while (c != NULL)
-	{
-		if (same_x509cert(c, cert)) /* already in chain, free cert */
-		{
-			free_x509cert(cert);
-			return c;
-		}
-		c = c->next;
-	}
-
-	/* insert new cert at the root of the chain */
-	lock_certs_and_keys("add_x509cert");
-	cert->next = x509certs;
-	x509certs = cert;
-	DBG(DBG_CONTROL | DBG_PARSING,
-		DBG_log("  x509 cert inserted")
-	)
-	unlock_certs_and_keys("add_x509cert");
-	return cert;
-}
-
-/**
- * Choose either subject DN or a subjectAltName as connection end ID
- */
-void select_x509cert_id(x509cert_t *cert, struct id *end_id)
-{
-	bool copy_subject_dn = TRUE;         /* ID is subject DN */
-
-	if (end_id->kind != ID_ANY) /* check for matching subjectAltName */
-	{
-		generalName_t *gn = cert->subjectAltName;
-
-		while (gn != NULL)
-		{
-			struct id id = empty_id;
-
-			gntoid(&id, gn);
-			if (same_id(&id, end_id))
-			{
-				copy_subject_dn = FALSE; /* take subjectAltName instead */
-				break;
-			}
-			gn = gn->next;
-		}
-	}
-
-	if (copy_subject_dn)
-	{
-		if (end_id->kind != ID_ANY && end_id->kind != ID_DER_ASN1_DN)
-		{
-			 char buf[BUF_LEN];
-
-			 idtoa(end_id, buf, BUF_LEN);
-			 plog("  no subjectAltName matches ID '%s', replaced by subject DN", buf);
-		}
-		end_id->kind = ID_DER_ASN1_DN;
-		end_id->name.len = cert->subject.len;
-		end_id->name.ptr = temporary_cyclic_buffer();
-		memcpy(end_id->name.ptr, cert->subject.ptr, cert->subject.len);
-	}
-}
-
-/**
- * Check for equality between two key identifiers
- */
-bool same_keyid(chunk_t a, chunk_t b)
-{
-	if (a.ptr == NULL || b.ptr == NULL)
-	{
-		return FALSE;
-	}
-	return chunk_equals(a, b);
-}
-
-/**
- * Check for equality between two serial numbers
- */
-bool same_serial(chunk_t a, chunk_t b)
-{
-	/* do not compare serial numbers if one of them is not defined */
-	if (a.ptr == NULL || b.ptr == NULL)
-	{
-		return TRUE;
-	}
-	return chunk_equals(a, b);
-}
-
-/**
- * Get a X.509 certificate with a given issuer found at a certain position
- */
-x509cert_t* get_x509cert(chunk_t issuer, chunk_t serial, chunk_t keyid,
-						 x509cert_t *chain)
-{
-	x509cert_t *cert = (chain != NULL)? chain->next : x509certs;
-
-	while (cert != NULL)
-	{
-		if ((keyid.ptr != NULL) ? same_keyid(keyid, cert->authKeyID)
-			: (same_dn(issuer, cert->issuer)
-			   && same_serial(serial, cert->authKeySerialNumber)))
-		{
-			return cert;
-		}
-		cert = cert->next;
-	}
-	return NULL;
-}
-
-/**
- * Encode a linked list of subjectAltNames
- */
-chunk_t build_subjectAltNames(generalName_t *subjectAltNames)
-{
-	u_char *pos;
-	chunk_t names;
-	size_t len = 0;
-	generalName_t *gn = subjectAltNames;
-		
-   /* compute the total size of the ASN.1 attributes object */
-	while (gn != NULL)
-	{
-		len += gn->name.len;
-		gn = gn->next;
-	}
-
-	pos = asn1_build_object(&names, ASN1_SEQUENCE, len);
-
-	gn = subjectAltNames;
-	while (gn != NULL)
-	{
-		chunkcpy(pos, gn->name);
-		gn = gn->next;
-	}
-
-	return asn1_wrap(ASN1_SEQUENCE, "cm"
-				, ASN1_subjectAltName_oid
-				, asn1_wrap(ASN1_OCTET_STRING, "m", names));
-}
-
-/**
- * Build a to-be-signed X.509 certificate body
- */
-static chunk_t build_tbs_x509cert(x509cert_t *cert, public_key_t *rsa)
-{
-	/* version is always X.509v3 */
-	chunk_t version = asn1_simple_object(ASN1_CONTEXT_C_0, ASN1_INTEGER_2);
-
-	chunk_t extensions = chunk_empty;
-
-	chunk_t key = rsa->get_encoding(rsa);
-
-	chunk_t keyInfo = asn1_wrap(ASN1_SEQUENCE, "cm",
-							asn1_algorithmIdentifier(OID_RSA_ENCRYPTION), 
-							asn1_bitstring("m", key));	
-
-	if (cert->subjectAltName != NULL)
-	{
-		extensions = asn1_wrap(ASN1_CONTEXT_C_3, "m"
-				, asn1_wrap(ASN1_SEQUENCE, "m"
-				, build_subjectAltNames(cert->subjectAltName)));
-	}
-
-	return asn1_wrap(ASN1_SEQUENCE, "mmccmcmm"
-				, version
-				, asn1_integer("c", cert->serialNumber)
-				, asn1_algorithmIdentifier(cert->sigAlg)
-				, cert->issuer
-				, asn1_wrap(ASN1_SEQUENCE, "mm"
-					, asn1_from_time(&cert->notBefore, ASN1_UTCTIME) 
-					, asn1_from_time(&cert->notAfter,  ASN1_UTCTIME)
-				  )
-				, cert->subject
-				, keyInfo
-				, extensions
-		   );
-}
-
-/**
- * Build a DER-encoded X.509 certificate
- */
-void build_x509cert(x509cert_t *cert, public_key_t *cert_key,
-					private_key_t *signer_key)
-{
-	chunk_t tbs_cert = build_tbs_x509cert(cert, cert_key);
-
-	chunk_t signature = x509_build_signature(tbs_cert, cert->sigAlg
-								, signer_key, TRUE);
-
-	cert->certificate = asn1_wrap(ASN1_SEQUENCE, "mcm"
-								, tbs_cert
-								, asn1_algorithmIdentifier(cert->sigAlg)
-								, signature);
-}
-
-/**
- * Free the dynamic memory used to store generalNames
- */
-void free_generalNames(generalName_t* gn, bool free_name)
-{
-	while (gn != NULL)
-	{
-		generalName_t *gn_top = gn;
-		if (free_name)
-		{
-			free(gn->name.ptr);
-		}
-		gn = gn->next;
-		free(gn_top);
-	}
-}
-
-/**
- *  Free a X.509 certificate
- */
-void free_x509cert(x509cert_t *cert)
-{
-	if (cert != NULL)
-	{
-		DESTROY_IF(cert->public_key);
-		free_generalNames(cert->subjectAltName, FALSE);
-		free_generalNames(cert->crlDistributionPoints, FALSE);
-		free(cert->certificate.ptr);
-		free(cert);
-		cert = NULL;
-	}
-}
-
-/**
- * Release of a certificate decreases the count by one
- * the certificate is freed when the counter reaches zero
+ * Check for equality between two key identifiers
  */
-void release_x509cert(x509cert_t *cert)
+bool same_keyid(chunk_t a, chunk_t b)
 {
-	if (cert != NULL && --cert->count == 0)
+	if (a.ptr == NULL || b.ptr == NULL)
 	{
-		x509cert_t **pp = &x509certs;
-		while (*pp != cert)
-		{
-			pp = &(*pp)->next;
-		}
-		*pp = cert->next;
-		free_x509cert(cert);
+		return FALSE;
 	}
+	return chunk_equals(a, b);
 }
 
 /**
  * Stores a chained list of end certs and CA certs
  */
-void store_x509certs(x509cert_t **firstcert, bool strict)
+void store_x509certs(linked_list_t *certs, bool strict)
 {
-	x509cert_t *cacerts = NULL;
-	x509cert_t **pp = firstcert;
+	cert_t *x509cert, *cacerts = NULL;
+	certificate_t *cert;
+	enumerator_t *enumerator;
 
-	/* first extract CA certs, discarding root CA certs */
+	/* first extract CA certs, ignoring self-signed root CA certs */
 
-	while (*pp != NULL)
+	enumerator = certs->create_enumerator(certs);
+	while (enumerator->enumerate(enumerator, &cert))
 	{
-		x509cert_t *cert = *pp;
+		x509_t *x509 = (x509_t*)cert;
+		x509_flag_t flags;
 
-		if (cert->isCA)
+		flags = x509->get_flags(x509);
+		if (flags & X509_CA)
 		{
-			*pp = cert->next;
-			
 			/* we don't accept self-signed CA certs */
-			if (same_dn(cert->issuer, cert->subject))
+			if (flags & X509_SELF_SIGNED)
 			{
 				plog("self-signed cacert rejected");
-				free_x509cert(cert);
 			}
 			else
 			{
 				/* insertion into temporary chain of candidate CA certs */
-				cert->next = cacerts;
-				cacerts = cert;
+				x509cert = malloc_thing(cert_t);
+				*x509cert = cert_empty;
+				x509cert->cert = cert->get_ref(cert);
+				x509cert->next = cacerts;
+				cacerts = x509cert;
 			}
 		}
-		else
-		{
-			pp = &cert->next;
-		}
 	}
+	enumerator->destroy(enumerator);
 
 	/* now verify the candidate CA certs */
-	
-	while (cacerts != NULL)
+
+	while (cacerts)
 	{
-		x509cert_t *cert = cacerts;
-		
+		cert_t *cert = cacerts;
+
 		cacerts = cacerts->next;
 
 		if (trust_authcert_candidate(cert, cacerts))
 		{
-			add_authcert(cert, AUTH_CA);
+			add_authcert(cert, X509_CA);
 		}
 		else
 		{
 			plog("intermediate cacert rejected");
-			free_x509cert(cert);
+			cert_free(cert);
 		}
 	}
-	
-	/* now verify the end certificates */
 
-	pp = firstcert;
+	/* now verify the end certificates */
 
-	while (*pp != NULL)
+	enumerator = certs->create_enumerator(certs);
+	while (enumerator->enumerate(enumerator, &cert))
 	{
 		time_t valid_until;
-		x509cert_t *cert = *pp;
+		x509_t *x509 = (x509_t*)cert;
 
-		if (verify_x509cert(cert, strict, &valid_until))
+		if (!(x509->get_flags(x509) & X509_CA))
 		{
-			DBG(DBG_CONTROL | DBG_PARSING,
-				DBG_log("public key validated")
-			)
-			add_x509_public_key(cert, valid_until, DAL_SIGNED);
-		}
-		else
-		{
-			plog("X.509 certificate rejected");
+			x509cert = malloc_thing(cert_t);
+			*x509cert = cert_empty;
+			x509cert->cert = cert->get_ref(cert);
+
+			if (verify_x509cert(x509cert, strict, &valid_until))
+			{
+				DBG(DBG_CONTROL | DBG_PARSING,
+					DBG_log("public key validated")
+				)
+				add_public_key_from_cert(x509cert, valid_until, DAL_SIGNED);
+			}
+			else
+			{
+				plog("X.509 certificate rejected");
+				cert_free(x509cert);
+			}
 		}
-		*pp = cert->next;
-		free_x509cert(cert);
 	}
+	enumerator->destroy(enumerator);
 }
 
 /**
  * Check if a signature over binary blob is genuine
  */
 bool x509_check_signature(chunk_t tbs, chunk_t sig, int algorithm,
-						  const x509cert_t *issuer_cert)
+						  certificate_t *issuer_cert)
 {
-	public_key_t *key = issuer_cert->public_key;
-	signature_scheme_t scheme = signature_scheme_from_oid(algorithm);
+	bool success;
+	public_key_t *key;
+	signature_scheme_t scheme;
 
+	scheme = signature_scheme_from_oid(algorithm);
 	if (scheme == SIGN_UNKNOWN)
 	{
 		return FALSE;
 	}
-	return key->verify(key, scheme, tbs, sig); 
+
+	key = issuer_cert->get_public_key(issuer_cert);
+	if (key == NULL)
+	{
+		return FALSE;
+	}
+	success = key->verify(key, scheme, tbs, sig);
+	key->destroy(key);
+
+	return success;
 }
 
 /**
@@ -1329,631 +181,58 @@ chunk_t x509_build_signature(chunk_t tbs, int algorithm, private_key_t *key,
 	if (scheme == SIGN_UNKNOWN || !key->sign(key, scheme, tbs, &signature))
 	{
 		return chunk_empty;
-	} 
+	}
 	return (bit_string) ? asn1_bitstring("m", signature)
 						: asn1_wrap(ASN1_OCTET_STRING, "m", signature);
 }
 
-/**
- * Extracts the basicConstraints extension
- */
-static bool parse_basicConstraints(chunk_t blob, int level0)
-{
-	asn1_parser_t *parser;
-	chunk_t object;
-	int objectID;
-	bool isCA = FALSE;
-
-	parser = asn1_parser_create(basicConstraintsObjects, blob);
-	parser->set_top_level(parser, level0);
-
-	while (parser->iterate(parser, &objectID, &object))
-	{
-		if (objectID == BASIC_CONSTRAINTS_CA)
-		{
-			isCA = object.len && *object.ptr;
-			DBG(DBG_PARSING,
-				DBG_log("  %s",(isCA)?"TRUE":"FALSE");
-			)
-		}
-	}
-	parser->destroy(parser);
-
-	return isCA;
-}
-
-/**
- *  Converts a X.500 generalName into an ID
- */
-void gntoid(struct id *id, const generalName_t *gn)
-{
-	switch(gn->kind)
-	{
-	case GN_DNS_NAME:           /* ID type: ID_FQDN */
-		id->kind = ID_FQDN;
-		id->name = gn->name;
-		break;
-	case GN_IP_ADDRESS:         /* ID type: ID_IPV4_ADDR */
-		{
-			const struct af_info *afi = &af_inet4_info;
-			err_t ugh = NULL;
-
-			id->kind = afi->id_addr;
-			ugh = initaddr(gn->name.ptr, gn->name.len, afi->af, &id->ip_addr);
-		}
-		break;
-	case GN_RFC822_NAME:        /* ID type: ID_USER_FQDN */
-		id->kind = ID_USER_FQDN;
-		id->name = gn->name;
-		break;
-	default:
-		id->kind = ID_ANY;
-		id->name = chunk_empty;
-	}
-}
-
-/**
- * Compute the subjectKeyIdentifier according to section 4.2.1.2 of RFC 3280
- * as the 160 bit SHA-1 hash of the public key
- */
-bool compute_subjectKeyID(x509cert_t *cert, chunk_t subjectKeyID)
-{
-	identification_t *keyid;
-	chunk_t encoding;
-
-	keyid = cert->public_key->get_id(cert->public_key, ID_PUBKEY_SHA1);
-	if (keyid == NULL)
-	{
-		plog("  unable to compute subjectKeyID");
-		return FALSE;
-	}
-	encoding = keyid->get_encoding(keyid);
-	memcpy(subjectKeyID.ptr, encoding.ptr, subjectKeyID.len);
-	return TRUE;
-}
-
-/**
- * Extracts an otherName
- */
-static bool parse_otherName(chunk_t blob, int level0)
-{
-	asn1_parser_t *parser;
-	chunk_t object;
-	int objectID;
-	int oid = OID_UNKNOWN;
-	bool success = FALSE;
-
-	parser = asn1_parser_create(otherNameObjects, blob);
-	parser->set_top_level(parser, level0);
-
-	while (parser->iterate(parser, &objectID, &object))
-	{
-		switch (objectID)
-		{
-		case ON_OBJ_ID_TYPE:
-			oid = asn1_known_oid(object);
-			break;
-		case ON_OBJ_VALUE:
-			if (oid == OID_XMPP_ADDR)
-			{
-				if (!asn1_parse_simple_object(&object, ASN1_UTF8STRING,
-							parser->get_level(parser) + 1, "xmppAddr"))
-				{
-					goto end;
-				}
-			}
-			break;
-		default:
-			break;
-		}
-	}
-	success = parser->success(parser);
-	
-end:
-	parser->destroy(parser);
-	return success;
-}
-
-
-/**
- * Extracts a generalName
- */
-static generalName_t* parse_generalName(chunk_t blob, int level0)
-{
-	u_char buf[BUF_LEN];
-	asn1_parser_t *parser;
-	chunk_t object;
-	generalName_t *gn = NULL;
-	int objectID;
-
-	parser = asn1_parser_create(generalNameObjects, blob);
-	parser->set_top_level(parser, level0);
-	
-	while (parser->iterate(parser, &objectID, &object))
-	{
-		bool valid_gn = FALSE;
-		
-		switch (objectID) {
-		case GN_OBJ_RFC822_NAME:
-		case GN_OBJ_DNS_NAME:
-		case GN_OBJ_URI:
-			DBG(DBG_PARSING,
-				DBG_log("  '%.*s'", (int)object.len, object.ptr);
-			)
-			valid_gn = TRUE;
-			break;
-		case GN_OBJ_DIRECTORY_NAME:
-			DBG(DBG_PARSING,
-				dntoa(buf, BUF_LEN, object);
-				DBG_log("  '%s'", buf)
-			)
-			valid_gn = TRUE;
-			break;
-		case GN_OBJ_IP_ADDRESS:
-			DBG(DBG_PARSING,
-				DBG_log("  '%d.%d.%d.%d'", *object.ptr, *(object.ptr+1),
-									  *(object.ptr+2), *(object.ptr+3));
-			)
-			valid_gn = TRUE;
-			break;
-		case GN_OBJ_OTHER_NAME:
-			if (!parse_otherName(object, parser->get_level(parser)+1))
-			{
-				goto end;
-			}
-			break;
-		case GN_OBJ_X400_ADDRESS:
-		case GN_OBJ_EDI_PARTY_NAME:
-		case GN_OBJ_REGISTERED_ID:
-			break;
-		default:
-			break;
-		}
-
-		if (valid_gn)
-		{
-			gn = malloc_thing(generalName_t);
-			gn->kind = (objectID - GN_OBJ_OTHER_NAME) / 2;
-			gn->name = object;
-			gn->next = NULL;
-			goto end;
-		}
-	}
-	
-end:
-	parser->destroy(parser);
-	return gn;
-}
-
-/**
- * Extracts one or several GNs and puts them into a chained list
- */
-static generalName_t* parse_generalNames(chunk_t blob, int level0, bool implicit)
-{
-	asn1_parser_t *parser;
-	chunk_t object;
-	int objectID;
-	generalName_t *top_gn = NULL;
-
-	parser = asn1_parser_create(generalNamesObjects, blob);
-	parser->set_top_level(parser, level0);
-	parser->set_flags(parser, implicit, FALSE);
-	
-	while (parser->iterate(parser, &objectID, &object))
-	{
-		if (objectID == GENERAL_NAMES_GN)
-		{
-			generalName_t *gn = parse_generalName(object,
-										parser->get_level(parser)+1);
-			if (gn)
-			{
-				gn->next = top_gn;
-				top_gn = gn;
-			}
-		}
-	}
-	parser->destroy(parser);
-
-	return top_gn;
-}
-
-/**
- * Returns a directoryName
- */
-chunk_t get_directoryName(chunk_t blob, int level, bool implicit)
-{
-	chunk_t name = chunk_empty;
-	generalName_t * gn = parse_generalNames(blob, level, implicit);
-
-	if (gn != NULL && gn->kind == GN_DIRECTORY_NAME)
-	{
-		name= gn->name;
-	}
-	free_generalNames(gn, FALSE);
-	return name;
-}
-
-/**
- * Extracts an authoritykeyIdentifier
- */
-void parse_authorityKeyIdentifier(chunk_t blob, int level0,
-								  chunk_t *authKeyID,
-								  chunk_t *authKeySerialNumber)
-{
-	asn1_parser_t *parser;
-	chunk_t object;
-	int objectID;
-
-	parser = asn1_parser_create(authKeyIdentifierObjects, blob);
-	parser->set_top_level(parser, level0);
-	
-	while (parser->iterate(parser, &objectID, &object))
-	{
-		switch (objectID)
-		{
-		case AUTH_KEY_ID_KEY_ID:
-			*authKeyID = object;
-			break;
-		case AUTH_KEY_ID_CERT_ISSUER:
-			{
-				generalName_t * gn = parse_generalNames(object,
-					 					parser->get_level(parser) + 1, TRUE);
-
-				free_generalNames(gn, FALSE);
-			}
-			break;
-		case AUTH_KEY_ID_CERT_SERIAL:
-			*authKeySerialNumber = object;
-			break;
-		default:
-			break;
-		}
-	}
-	parser->destroy(parser);
-}
-
-/**
- * Extracts an authorityInfoAcess location
- */
-static void parse_authorityInfoAccess(chunk_t blob, int level0,
-									  chunk_t *accessLocation)
-{
-	asn1_parser_t *parser;
-	chunk_t object;
-	int objectID;
-	int accessMethod = OID_UNKNOWN;
-
-	parser = asn1_parser_create(authInfoAccessObjects, blob);
-	parser->set_top_level(parser, level0);
-	
-	while (parser->iterate(parser, &objectID, &object))
-	{
-		switch (objectID)
-		{
-		case AUTH_INFO_ACCESS_METHOD:
-			accessMethod = asn1_known_oid(object);
-			break;
-		case AUTH_INFO_ACCESS_LOCATION:
-			{
-				switch (accessMethod)
-				{
-				case OID_OCSP:
-					if (*object.ptr == ASN1_CONTEXT_S_6)
-					{
-						if (asn1_length(&object) == ASN1_INVALID_LENGTH)
-						{
-							goto end;
-						}
-						DBG(DBG_PARSING,
-							DBG_log("  '%.*s'",(int)object.len, object.ptr)
-						)
-
-						/* only HTTP(S) URIs accepted */
-						if (strncasecmp(object.ptr, "http", 4) == 0)
-						{
-							*accessLocation = object;
-							goto end;
-						}
-					}
-					plog("warning: ignoring OCSP InfoAccessLocation with unkown protocol");
-					break;
-				default:
-					/* unkown accessMethod, ignoring */
-					break;
-				}
-			}
-			break;
-		default:
-			break;
-		}
-	}
-	
-end:
-	parser->destroy(parser);
-}
-
-/**
- * Extracts extendedKeyUsage OIDs
- */
-static bool parse_extendedKeyUsage(chunk_t blob, int level0)
-{
-	asn1_parser_t *parser;
-	chunk_t object;
-	int objectID;
-	bool ocsp_signing = FALSE;
-
-	parser = asn1_parser_create(extendedKeyUsageObjects, blob);
-	parser->set_top_level(parser, level0);
-	
-	while (parser->iterate(parser, &objectID, &object))
-	{
-		if (objectID == EXT_KEY_USAGE_PURPOSE_ID
-		&& asn1_known_oid(object) == OID_OCSP_SIGNING)
-		{
-			ocsp_signing = TRUE;
-		}
-	}
-	parser->destroy(parser);
-
-	return ocsp_signing;
-}
-
-/**
- * Extracts one or several crlDistributionPoints
- * and puts them into a chained list
- */
-static generalName_t* parse_crlDistributionPoints(chunk_t blob, int level0)
-{
-	asn1_parser_t *parser;
-	chunk_t object;
-	int objectID;
-
-	generalName_t *top_gn = NULL;      /* top of the chained list */
-	generalName_t **tail_gn = &top_gn; /* tail of the chained list */
-
-	parser = asn1_parser_create(crlDistributionPointsObjects, blob);
-	parser->set_top_level(parser, level0);
-	
-	while (parser->iterate(parser, &objectID, &object))
-	{
-		if (objectID == CRL_DIST_POINTS_FULLNAME)
-		{
-			generalName_t *gn;
-
-			gn = parse_generalNames(object, parser->get_level(parser)+1, TRUE);
-			/* append extracted generalNames to existing chained list */
-			*tail_gn = gn;
-			/* find new tail of the chained list */
-			while (gn != NULL)
-			{
-				tail_gn = &gn->next;  gn = gn->next;
-			}
-		}
-	}
-	parser->destroy(parser);
-
-	return top_gn;
-}
-
-/**
- *  Parses an X.509v3 certificate
- */
-bool parse_x509cert(chunk_t blob, u_int level0, x509cert_t *cert)
-{
-	u_char  buf[BUF_LEN];
-	asn1_parser_t *parser;
-	chunk_t object;
-	int objectID;
-	int extn_oid = OID_UNKNOWN;
-	bool critical;
-	bool success = FALSE;
-
-	parser = asn1_parser_create(certObjects, blob);
-	parser->set_top_level(parser, level0);
-
-	while (parser->iterate(parser, &objectID, &object))
-	{
-		u_int level = parser->get_level(parser) + 1;
-		
-		switch (objectID) {
-		case X509_OBJ_CERTIFICATE:
-			cert->certificate = object;
-			break;
-		case X509_OBJ_TBS_CERTIFICATE:
-			cert->tbsCertificate = object;
-			break;
-		case X509_OBJ_VERSION:
-			cert->version = (object.len) ? (1+(u_int)*object.ptr) : 1;
-			DBG(DBG_PARSING,
-				DBG_log("  v%d", cert->version);
-			)
-			break;
-		case X509_OBJ_SERIAL_NUMBER:
-			cert->serialNumber = object;
-			break;
-		case X509_OBJ_SIG_ALG:
-			cert->sigAlg = asn1_parse_algorithmIdentifier(object, level, NULL);
-			break;
-		case X509_OBJ_ISSUER:
-			cert->issuer = object;
-			DBG(DBG_PARSING,
-				dntoa(buf, BUF_LEN, object);
-				DBG_log("  '%s'",buf)
-			)
-			break;
-		case X509_OBJ_NOT_BEFORE:
-			cert->notBefore = asn1_parse_time(object, level);
-			break;
-		case X509_OBJ_NOT_AFTER:
-			cert->notAfter = asn1_parse_time(object, level);
-			break;
-		case X509_OBJ_SUBJECT:
-			cert->subject = object;
-			DBG(DBG_PARSING,
-				dntoa(buf, BUF_LEN, object);
-				DBG_log("  '%s'",buf)
-			)
-			break;
-		case X509_OBJ_SUBJECT_PUBLIC_KEY_INFO:
-			cert->public_key = lib->creds->create(lib->creds, CRED_PUBLIC_KEY,
-						KEY_ANY, BUILD_BLOB_ASN1_DER, object, BUILD_END);
-			if (cert->public_key == NULL)
-			{
-				goto end;
-			}
-			break;
-		case X509_OBJ_EXTN_ID:
-			extn_oid = asn1_known_oid(object);
-			break;
-		case X509_OBJ_CRITICAL:
-			critical = object.len && *object.ptr;
-			DBG(DBG_PARSING,
-				DBG_log("  %s",(critical)?"TRUE":"FALSE");
-			)
-			break;
-		case X509_OBJ_EXTN_VALUE:
-			{
-				switch (extn_oid) {
-				case OID_SUBJECT_KEY_ID:
-					if (!asn1_parse_simple_object(&object, ASN1_OCTET_STRING,
-												  level, "keyIdentifier"))
-					{
-						goto end;
-					}
-					cert->subjectKeyID = object;
-					break;
-				case OID_SUBJECT_ALT_NAME:
-					cert->subjectAltName =
-						parse_generalNames(object, level, FALSE);
-					break;
-				case OID_BASIC_CONSTRAINTS:
-					cert->isCA =
-						parse_basicConstraints(object, level);
-					break;
-				case OID_CRL_DISTRIBUTION_POINTS:
-					cert->crlDistributionPoints =
-						parse_crlDistributionPoints(object, level);
-					break;
-				 case OID_AUTHORITY_KEY_ID:
-					parse_authorityKeyIdentifier(object, level
-						, &cert->authKeyID, &cert->authKeySerialNumber);
-					break;
-				case OID_AUTHORITY_INFO_ACCESS:
-					parse_authorityInfoAccess(object, level, &cert->accessLocation);
-					break;
-				case OID_EXTENDED_KEY_USAGE:
-					cert->isOcspSigner = parse_extendedKeyUsage(object, level);
-					break;
-				case OID_NS_REVOCATION_URL:
-				case OID_NS_CA_REVOCATION_URL:
-				case OID_NS_CA_POLICY_URL:
-				case OID_NS_COMMENT:
-					if (!asn1_parse_simple_object(&object, ASN1_IA5STRING
-					, level, oid_names[extn_oid].name))
-					{
-						goto end;
-					}
-					break;
-				default:
-					break;
-				}
-			}
-			break;
-		case X509_OBJ_ALGORITHM:
-			cert->algorithm = asn1_parse_algorithmIdentifier(object, level, NULL);
-			break;
-		case X509_OBJ_SIGNATURE:
-			cert->signature = object;
-			break;
-		default:
-			break;
-		}
-	}
-	success = parser->success(parser);
-	time(&cert->installed);
-
-end:
-	parser->destroy(parser);
-	return success;
-}
-
-/**
- * Verify the validity of a certificate by
- * checking the notBefore and notAfter dates
- */
-err_t check_validity(const x509cert_t *cert, time_t *until)
-{
-	time_t current_time;
-
-	time(&current_time);
-	DBG(DBG_CONTROL | DBG_PARSING ,
-		DBG_log("  not before  : %T", &cert->notBefore, TRUE);
-		DBG_log("  current time: %T", &current_time, TRUE);
-		DBG_log("  not after   : %T", &cert->notAfter, TRUE);
-	)
-
-	if (cert->notAfter < *until)
-	{
-		*until = cert->notAfter;
-	}
-	if (current_time < cert->notBefore)
-	{
-		return "certificate is not valid yet";
-	}
-	if (current_time > cert->notAfter)
-	{
-		return "certificate has expired";
-	}
-	else
-	{
-		return NULL;
-	}
-}
-
 /**
  * Verifies a X.509 certificate
  */
-bool verify_x509cert(const x509cert_t *cert, bool strict, time_t *until)
+bool verify_x509cert(cert_t *cert, bool strict, time_t *until)
 {
-	int pathlen;
+	int pathlen, pathlen_constraint;
 
-	*until = cert->notAfter;
+	*until = 0;
 
-	for (pathlen = 0; pathlen < MAX_CA_PATH_LEN; pathlen++)
+	for (pathlen = -1; pathlen <= X509_MAX_PATH_LEN; pathlen++)
 	{
-		x509cert_t *issuer_cert;
-		u_char buf[BUF_LEN];
-		err_t ugh = NULL;
+		certificate_t *certificate = cert->cert;
+		identification_t *subject = certificate->get_subject(certificate);
+		identification_t *issuer  = certificate->get_issuer(certificate);
+		x509_t *x509 = (x509_t*)certificate;
+		chunk_t authKeyID = x509->get_authKeyIdentifier(x509);
+		cert_t *issuer_cert;
+		time_t notBefore, notAfter;
+		bool valid;
 
 		DBG(DBG_CONTROL,
-			dntoa(buf, BUF_LEN, cert->subject);
-			DBG_log("subject: '%s'",buf);
-			dntoa(buf, BUF_LEN, cert->issuer);
-			DBG_log("issuer:  '%s'",buf);
-			if (cert->authKeyID.ptr != NULL)
+			DBG_log("subject: '%Y'", subject);
+			DBG_log("issuer:  '%Y'", issuer);
+			if (authKeyID.ptr)
 			{
-				datatot(cert->authKeyID.ptr, cert->authKeyID.len, ':'
-					, buf, BUF_LEN);
-				DBG_log("authkey:  %s", buf);
+				DBG_log("authkey:  %#B", &authKeyID);
 			}
 		)
 
-		ugh = check_validity(cert, until);
-
-		if (ugh != NULL)
+		valid = certificate->get_validity(certificate, NULL,
+										  &notBefore, &notAfter);
+		if (*until == UNDEFINED_TIME || notAfter < *until)
+		{
+			*until = notAfter;
+		}
+		if (!valid)
 		{
-			plog("%s", ugh);
+			plog("certificate is invalid (valid from %T to %T)",
+				 &notBefore, FALSE, &notAfter, FALSE);
 			return FALSE;
 		}
-
 		DBG(DBG_CONTROL,
 			DBG_log("certificate is valid")
 		)
 
 		lock_authcert_list("verify_x509cert");
-		issuer_cert = get_authcert(cert->issuer, cert->authKeySerialNumber
-			, cert->authKeyID, AUTH_CA);
-
+		issuer_cert = get_authcert(issuer, authKeyID, X509_CA);
 		if (issuer_cert == NULL)
 		{
 			plog("issuer cacert not found");
@@ -1964,8 +243,7 @@ bool verify_x509cert(const x509cert_t *cert, bool strict, time_t *until)
 			DBG_log("issuer cacert found")
 		)
 
-		if (!x509_check_signature(cert->tbsCertificate, cert->signature,
-								  cert->algorithm, issuer_cert))
+		if (!certificate->issued_by(certificate, issuer_cert->cert))
 		{
 			plog("certificate signature is invalid");
 			unlock_authcert_list("verify_x509cert");
@@ -1976,11 +254,22 @@ bool verify_x509cert(const x509cert_t *cert, bool strict, time_t *until)
 		)
 		unlock_authcert_list("verify_x509cert");
 
+		/* check path length constraint */
+		pathlen_constraint = x509->get_pathLenConstraint(x509);
+		if (pathlen_constraint != X509_NO_PATH_LEN_CONSTRAINT &&
+			pathlen > pathlen_constraint)
+		{
+			plog("path length of %d violates constraint of %d",
+				 pathlen, pathlen_constraint);
+			return FALSE;
+		}
+
 		/* check if cert is a self-signed root ca */
-		if (pathlen > 0 && same_dn(cert->issuer, cert->subject))
+		if (pathlen >= 0 && (x509->get_flags(x509) & X509_SELF_SIGNED))
 		{
 			DBG(DBG_CONTROL,
-				DBG_log("reached self-signed root ca")
+				DBG_log("reached self-signed root ca with a path length of %d",
+						 pathlen)
 			)
 			return TRUE;
 		}
@@ -1988,7 +277,7 @@ bool verify_x509cert(const x509cert_t *cert, bool strict, time_t *until)
 		{
 			time_t nextUpdate = *until;
 			time_t revocationDate = UNDEFINED_TIME;
-			crl_reason_t revocationReason = REASON_UNSPECIFIED;
+			crl_reason_t revocationReason = CRL_REASON_UNSPECIFIED;
 
 			/* first check certificate revocation using ocsp */
 			cert_status_t status = verify_by_ocsp(cert, &nextUpdate
@@ -2017,7 +306,7 @@ bool verify_x509cert(const x509cert_t *cert, bool strict, time_t *until)
 				DBG(DBG_CONTROL,
 					DBG_log("certificate is good")
 				)
-				
+
 				/* with strict crl policy the public key must have the same
 				 * lifetime as the validity of the ocsp status or crl lifetime
 				 */
@@ -2048,15 +337,15 @@ bool verify_x509cert(const x509cert_t *cert, bool strict, time_t *until)
 		/* go up one step in the trust chain */
 		cert = issuer_cert;
 	}
-	plog("maximum ca path length of %d levels exceeded", MAX_CA_PATH_LEN);
+	plog("maximum path length of %d exceeded", X509_MAX_PATH_LEN);
 	return FALSE;
 }
 
 /**
  * List all X.509 certs in a chained list
  */
-void list_x509cert_chain(const char *caption, x509cert_t* cert,
-						 u_char auth_flags, bool utc)
+void list_x509cert_chain(const char *caption, cert_t* cert,
+						 x509_flag_t flags, bool utc)
 {
 	bool first = TRUE;
 	time_t now;
@@ -2064,74 +353,107 @@ void list_x509cert_chain(const char *caption, x509cert_t* cert,
 	/* determine the current time */
 	time(&now);
 
-	while (cert != NULL)
+	while (cert)
 	{
-		if (auth_flags == AUTH_NONE || (auth_flags & cert->authority_flags))
-		{
-			u_char buf[BUF_LEN];
-			public_key_t *key = cert->public_key;
-			cert_t c;
+		certificate_t *certificate = cert->cert;
+		x509_t *x509 = (x509_t*)certificate;
 
-			c.type = CERT_X509_SIGNATURE;
-			c.u.x509 = cert;
+		if (certificate->get_type(certificate) == CERT_X509 &&
+		   (flags == X509_NONE || (flags & x509->get_flags(x509))))
+		{
+			enumerator_t *enumerator;
+			char buf[BUF_LEN];
+			char *pos = buf;
+			int len = BUF_LEN, pathlen;
+			bool first_altName = TRUE;
+			identification_t *id;
+			time_t notBefore, notAfter;
+			public_key_t *key;
+			chunk_t serial, keyid, subjkey, authkey;
 
 			if (first)
 			{
 				whack_log(RC_COMMENT, " ");
 				whack_log(RC_COMMENT, "List of X.509 %s Certificates:", caption);
-				whack_log(RC_COMMENT, " ");
 				first = FALSE;
 			}
+			whack_log(RC_COMMENT, " ");
+
+			enumerator = x509->create_subjectAltName_enumerator(x509);
+			while (enumerator->enumerate(enumerator, &id))
+			{
+				int written;
+
+				if (first_altName)
+				{
+					written = snprintf(pos, len, "%Y", id);
+					first_altName = FALSE;
+				}
+				else
+				{
+					written = snprintf(pos, len, ", %Y", id);
+				}
+				pos += written;
+				len -= written;
+			}
+			enumerator->destroy(enumerator);
+			if (!first_altName)
+			{
+				whack_log(RC_COMMENT, "  altNames:  %s", buf);
+			}
 
-			whack_log(RC_COMMENT, "%T, count: %d", &cert->installed, utc,
-				cert->count);
-			dntoa(buf, BUF_LEN, cert->subject);
-			whack_log(RC_COMMENT, "       subject:  '%s'", buf);
-			dntoa(buf, BUF_LEN, cert->issuer);
-			whack_log(RC_COMMENT, "       issuer:   '%s'", buf);
-			datatot(cert->serialNumber.ptr, cert->serialNumber.len, ':',
-				 buf, BUF_LEN);
-			whack_log(RC_COMMENT, "       serial:    %s", buf);
-			whack_log(RC_COMMENT, "       validity:  not before %T %s",
-				&cert->notBefore, utc,
-				(cert->notBefore < now)?"ok":"fatal (not valid yet)");
-			whack_log(RC_COMMENT, "                  not after  %T %s",
-				&cert->notAfter, utc,
-				check_expiry(cert->notAfter, CA_CERT_WARNING_INTERVAL, TRUE));
-			whack_log(RC_COMMENT, "       pubkey:    %N %4d bits%s",
-				key_type_names, key->get_type(key),
-				key->get_keysize(key) * BITS_PER_BYTE,				
-				cert->smartcard ? ", on smartcard" :
-				(has_private_key(c)? ", has private key" : ""));
-			whack_log(RC_COMMENT, "       keyid:     %Y",
-				key->get_id(key, ID_PUBKEY_INFO_SHA1));
-			if (cert->subjectKeyID.ptr != NULL)
+			whack_log(RC_COMMENT, "  subject:  \"%Y\"",
+				certificate->get_subject(certificate));
+			whack_log(RC_COMMENT, "  issuer:   \"%Y\"",
+				certificate->get_issuer(certificate));
+				serial = x509->get_serial(x509);
+			whack_log(RC_COMMENT, "  serial:    %#B", &serial);
+
+			/* list validity */
+			certificate->get_validity(certificate, &now, &notBefore, &notAfter);
+			whack_log(RC_COMMENT, "  validity:  not before %T %s",
+				&notBefore, utc,
+				(notBefore < now)?"ok":"fatal (not valid yet)");
+			whack_log(RC_COMMENT, "             not after  %T %s",
+				&notAfter, utc,
+				check_expiry(notAfter, CA_CERT_WARNING_INTERVAL, TRUE));
+
+			key = certificate->get_public_key(certificate);
+			if (key);
 			{
-				datatot(cert->subjectKeyID.ptr, cert->subjectKeyID.len, ':',
-						buf, BUF_LEN);
-				whack_log(RC_COMMENT, "       subjkey:   %s", buf);
+				whack_log(RC_COMMENT, "  pubkey:    %N %4d bits%s",
+					key_type_names, key->get_type(key),
+					key->get_keysize(key) * BITS_PER_BYTE,				
+					cert->smartcard ? ", on smartcard" :
+					(has_private_key(cert)? ", has private key" : ""));
+
+				if (key->get_fingerprint(key, KEY_ID_PUBKEY_INFO_SHA1, &keyid))
+				{
+					whack_log(RC_COMMENT, "  keyid:     %#B", &keyid);
+				}
+				if (key->get_fingerprint(key, KEY_ID_PUBKEY_SHA1, &subjkey))
+				{
+					whack_log(RC_COMMENT, "  subjkey:   %#B", &subjkey);
+				}
+				key->destroy(key);
 			}
-			if (cert->authKeyID.ptr != NULL)
+
+			/* list optional authorityKeyIdentifier */
+			authkey = x509->get_authKeyIdentifier(x509);
+			if (authkey.ptr)
 			{
-				datatot(cert->authKeyID.ptr, cert->authKeyID.len, ':',
-						buf, BUF_LEN);
-				whack_log(RC_COMMENT, "       authkey:   %s", buf);
+				whack_log(RC_COMMENT, "  authkey:   %#B", &authkey);
 			}
-			if (cert->authKeySerialNumber.ptr != NULL)
+
+			/* list optional pathLenConstraint */
+			pathlen = x509->get_pathLenConstraint(x509);
+			if (pathlen != X509_NO_PATH_LEN_CONSTRAINT)
 			{
-				datatot(cert->authKeySerialNumber.ptr,
-						cert->authKeySerialNumber.len, ':', buf, BUF_LEN);
-				whack_log(RC_COMMENT, "       aserial:   %s", buf);
+				whack_log(RC_COMMENT, "  pathlen:   %d", pathlen);
 			}
+
 		}
 		cert = cert->next;
 	}
 }
 
-/**
- * List all X.509 end certificates in a chained list
- */
-void list_x509_end_certs(bool utc)
-{
-	list_x509cert_chain("End", x509certs, AUTH_NONE, utc);
-}
diff --git a/src/pluto/x509.h b/src/pluto/x509.h
index ab0fbac9e..e904618b3 100644
--- a/src/pluto/x509.h
+++ b/src/pluto/x509.h
@@ -18,122 +18,23 @@
 #ifndef _X509_H
 #define _X509_H
 
-#include <credentials/keys/public_key.h>
+#include <utils/identification.h>
+#include <utils/linked_list.h>
 #include <credentials/keys/private_key.h>
+#include <credentials/certificates/x509.h>
 
 #include "constants.h"
-#include "id.h"
+#include "certs.h"
 
-/* Definition of generalNames kinds */
-
-typedef enum {
-	GN_OTHER_NAME =             0,
-	GN_RFC822_NAME =            1,
-	GN_DNS_NAME =               2,
-	GN_X400_ADDRESS =           3,
-	GN_DIRECTORY_NAME =         4,
-	GN_EDI_PARTY_NAME =         5,
-	GN_URI =                    6,
-	GN_IP_ADDRESS =             7,
-	GN_REGISTERED_ID =          8
-} generalNames_t;
-
-/* access structure for a GeneralName */
-
-typedef struct generalName generalName_t;
-
-struct generalName {
-	generalName_t   *next;
-	generalNames_t  kind;
-	chunk_t         name;
-};
-
-/* access structure for an X.509v3 certificate */
-
-typedef struct x509cert x509cert_t;
-
-struct x509cert {
-	x509cert_t     *next;
-	time_t         installed;
-	int            count;
-	bool           smartcard;
-	u_char         authority_flags;
-	chunk_t        certificate;
-	chunk_t          tbsCertificate;
-	u_int              version;
-	chunk_t            serialNumber;
-				  /*   signature */
-	int                  sigAlg;
-  	chunk_t            issuer;
-				  /*   validity */
-	time_t               notBefore;
-	time_t               notAfter;
-	chunk_t            subject;
-	public_key_t       *public_key;  
-				  /*   issuerUniqueID */
-				  /*   subjectUniqueID */
-				  /*   v3 extensions */
-				  /*   extension */
-				  /*     extension */
-				  /*       extnID */
-				  /*       critical */
-				  /*       extnValue */
-	bool                     isCA;
-	bool                     isOcspSigner; /* ocsp */
-	chunk_t                  subjectKeyID;
-	chunk_t                  authKeyID;
-	chunk_t                  authKeySerialNumber;
-	chunk_t                  accessLocation; /* ocsp */
-	generalName_t            *subjectAltName;
-	generalName_t            *crlDistributionPoints;
-				  /* signatureAlgorithm */
-	int                algorithm;
-	chunk_t          signature;
-};
-
-/* used for initialization */
-extern const x509cert_t empty_x509cert;
-
-extern bool same_serial(chunk_t a, chunk_t b);
 extern bool same_keyid(chunk_t a, chunk_t b);
-extern bool same_dn(chunk_t a, chunk_t b);
-extern bool match_dn(chunk_t a, chunk_t b, int *wildcards);
-extern bool same_x509cert(const x509cert_t *a, const x509cert_t *b);
-extern void hex_str(chunk_t bin, chunk_t *str);
-extern int dn_count_wildcards(chunk_t dn);
-extern int dntoa(char *dst, size_t dstlen, chunk_t dn);
-extern int dntoa_or_null(char *dst, size_t dstlen, chunk_t dn,
-						 const char* null_dn);
-extern err_t atodn(char *src, chunk_t *dn);
-extern void gntoid(struct id *id, const generalName_t *gn);
-extern bool compute_subjectKeyID(x509cert_t *cert, chunk_t subjectKeyID);
-extern void select_x509cert_id(x509cert_t *cert, struct id *end_id);
-extern bool parse_x509cert(chunk_t blob, u_int level0, x509cert_t *cert);
-extern time_t parse_time(chunk_t blob, int level0);
-extern void parse_authorityKeyIdentifier(chunk_t blob, int level0
-	, chunk_t *authKeyID, chunk_t *authKeySerialNumber);
-extern chunk_t get_directoryName(chunk_t blob, int level, bool implicit);
-extern err_t check_validity(const x509cert_t *cert, time_t *until);
-
 extern bool x509_check_signature(chunk_t tbs, chunk_t sig, int algorithm,
-								 const x509cert_t *issuer_cert);
+								 certificate_t *issuer_cert);
 extern chunk_t x509_build_signature(chunk_t tbs, int algorithm,
 									private_key_t *key, bool bit_string);
-
-extern bool verify_x509cert(const x509cert_t *cert, bool strict, time_t *until);
-extern x509cert_t* add_x509cert(x509cert_t *cert);
-extern x509cert_t* get_x509cert(chunk_t issuer, chunk_t serial, chunk_t keyid,
-								x509cert_t* chain);
-extern void build_x509cert(x509cert_t *cert, public_key_t *cert_key,
-						   private_key_t *signer_key);
-extern chunk_t build_subjectAltNames(generalName_t *subjectAltNames);
-extern void share_x509cert(x509cert_t *cert);
-extern void release_x509cert(x509cert_t *cert);
-extern void free_x509cert(x509cert_t *cert);
-extern void store_x509certs(x509cert_t **firstcert, bool strict);
-extern void list_x509cert_chain(const char *caption, x509cert_t* cert,
-								u_char auth_flags, bool utc);
+extern bool verify_x509cert(cert_t *cert, bool strict, time_t *until);
+extern void store_x509certs(linked_list_t *certs, bool strict);
+extern void list_x509cert_chain(const char *caption, cert_t* cert,
+								x509_flag_t flags, bool utc);
 extern void list_x509_end_certs(bool utc);
-extern void free_generalNames(generalName_t* gn, bool free_name);
 
 #endif /* _X509_H */
diff --git a/src/pluto/xauth.c b/src/pluto/xauth.c
index af2d72d71..2086a92cc 100644
--- a/src/pluto/xauth.c
+++ b/src/pluto/xauth.c
@@ -1,7 +1,7 @@
 /* Initialization and finalization of the dynamic XAUTH module
  * Copyright (C) 2006 Andreas Steffen
  * Hochschule fuer Technik Rapperswil, Switzerland
- * 
+ *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
  * Free Software Foundation; either version 2 of the License, or (at your
@@ -23,7 +23,7 @@
 #include "keys.h"
 #include "log.h"
 
-void 
+void
 xauth_init(void)
 {
 #ifdef XAUTH_DEFAULT_LIB
diff --git a/src/pluto/xauth.h b/src/pluto/xauth.h
index 8ab125ac4..23cae3ed8 100644
--- a/src/pluto/xauth.h
+++ b/src/pluto/xauth.h
@@ -1,7 +1,7 @@
 /* Interface definition of the XAUTH server and|or client module
  * Copyright (C) 2006 Andreas Steffen
  * Hochschule fuer Technik Rapperswil, Switzerland
- * 
+ *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
  * Free Software Foundation; either version 2 of the License, or (at your
diff --git a/src/scepclient/Makefile.am b/src/scepclient/Makefile.am
index 20bf76065..3693b7532 100644
--- a/src/scepclient/Makefile.am
+++ b/src/scepclient/Makefile.am
@@ -1,5 +1,5 @@
 ipsec_PROGRAMS = scepclient
-scepclient_SOURCES = scepclient.c pkcs10.c pkcs10.h scep.c scep.h loglite.c 
+scepclient_SOURCES = scepclient.c scep.c scep.h loglite.c
 
 PLUTODIR=$(top_srcdir)/src/pluto
 OPENACDIR=$(top_srcdir)/src/openac
@@ -16,18 +16,15 @@ INCLUDES = \
 -I$(WHACKDIR)
 
 AM_CFLAGS = \
--DIPSEC_CONFDIR=\"${confdir}\" \
--DIPSEC_PLUGINDIR=\"${plugindir}\" \
+-DIPSEC_CONFDIR=\"${sysconfdir}\" \
 -DPLUGINS=\""${pluto_plugins}\"" \
--DSTRONGSWAN_CONF=\"${strongswan_conf}\" \
 -DDEBUG -DNO_PLUTO
 
 LIBSTRONGSWANBUILDDIR=$(top_builddir)/src/libstrongswan
 LIBFREESWANBUILDDIR=$(top_builddir)/src/libfreeswan
 
 scepclient_LDADD = \
-ca.o crl.o certs.o constants.o defs.o fetch.o id.o keys.o lex.o \
-ocsp.o pem.o pgpcert.o pkcs7.o smartcard.o x509.o \
+constants.o defs.o lex.o pkcs7.o \
 $(LIBSTRONGSWANBUILDDIR)/libstrongswan.la \
 $(LIBFREESWANBUILDDIR)/libfreeswan.a
 
@@ -39,47 +36,15 @@ endif
 
 dist_man_MANS = scepclient.8
 
-ca.o :		$(PLUTODIR)/ca.c $(PLUTODIR)/ca.h
-		$(COMPILE) $(INCLUDES) -c -o $@ $<
-
-certs.o :	$(PLUTODIR)/certs.c $(PLUTODIR)/certs.h
-		$(COMPILE) $(INCLUDES) -c -o $@ $<
-
 constants.o :	$(PLUTODIR)/constants.c $(PLUTODIR)/constants.h
 		$(COMPILE) $(INCLUDES) -c -o $@ $<
 
-crl.o : 	$(PLUTODIR)/crl.c $(PLUTODIR)/crl.h
-		$(COMPILE) $(INCLUDES) -c -o $@ $<
-
 defs.o : 	$(PLUTODIR)/defs.c $(PLUTODIR)/defs.h
 		$(COMPILE) $(INCLUDES) -c -o $@ $<
 
-fetch.o : 	$(PLUTODIR)/fetch.c $(PLUTODIR)/fetch.h
-		$(COMPILE) $(INCLUDES) -c -o $@ $<
-
-id.o : 		$(PLUTODIR)/id.c $(PLUTODIR)/id.h
-		$(COMPILE) $(INCLUDES) -c -o $@ $<
-
-keys.o :	$(PLUTODIR)/keys.c $(PLUTODIR)/keys.h
-		$(COMPILE) $(INCLUDES) -c -o $@ $<
-
 lex.o :		$(PLUTODIR)/lex.c $(PLUTODIR)/lex.h
 		$(COMPILE) $(INCLUDES) -c -o $@ $<
 
-ocsp.o :	$(PLUTODIR)/ocsp.c $(PLUTODIR)/ocsp.h
-		$(COMPILE) $(INCLUDES) -c -o $@ $<
-
-pem.o :		$(PLUTODIR)/pem.c $(PLUTODIR)/pem.h
-		$(COMPILE) $(INCLUDES) -c -o $@ $<
-
-pgpcert.o :		$(PLUTODIR)/pgpcert.c $(PLUTODIR)/pgpcert.h
-		$(COMPILE) $(INCLUDES) -c -o $@ $<
-
 pkcs7.o :	$(PLUTODIR)/pkcs7.c $(PLUTODIR)/pkcs7.h
 		$(COMPILE) $(INCLUDES) -c -o $@ $<
 
-smartcard.o :	$(PLUTODIR)/smartcard.c $(PLUTODIR)/smartcard.h
-		$(COMPILE) $(INCLUDES) -c -o $@ $<
-
-x509.o :	$(PLUTODIR)/x509.c $(PLUTODIR)/x509.h
-		$(COMPILE) $(INCLUDES) -c -o $@ $<
diff --git a/src/scepclient/Makefile.in b/src/scepclient/Makefile.in
index 72cefb3b6..8438b81f9 100644
--- a/src/scepclient/Makefile.in
+++ b/src/scepclient/Makefile.in
@@ -1,8 +1,9 @@
-# Makefile.in generated by automake 1.10.2 from Makefile.am.
+# Makefile.in generated by automake 1.11 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,8 +17,9 @@
 
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
@@ -41,26 +43,33 @@ subdir = src/scepclient
 DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.am \
 	$(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
 CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
 am__installdirs = "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man8dir)"
-ipsecPROGRAMS_INSTALL = $(INSTALL_PROGRAM)
 PROGRAMS = $(ipsec_PROGRAMS)
-am_scepclient_OBJECTS = scepclient.$(OBJEXT) pkcs10.$(OBJEXT) \
-	scep.$(OBJEXT) loglite.$(OBJEXT)
+am_scepclient_OBJECTS = scepclient.$(OBJEXT) scep.$(OBJEXT) \
+	loglite.$(OBJEXT)
 scepclient_OBJECTS = $(am_scepclient_OBJECTS)
 am__DEPENDENCIES_1 =
 @USE_SMARTCARD_TRUE@am__DEPENDENCIES_2 = $(am__DEPENDENCIES_1)
-scepclient_DEPENDENCIES = ca.o crl.o certs.o constants.o defs.o \
-	fetch.o id.o keys.o lex.o ocsp.o pem.o pgpcert.o pkcs7.o \
-	smartcard.o x509.o $(LIBSTRONGSWANBUILDDIR)/libstrongswan.la \
+scepclient_DEPENDENCIES = constants.o defs.o lex.o pkcs7.o \
+	$(LIBSTRONGSWANBUILDDIR)/libstrongswan.la \
 	$(LIBFREESWANBUILDDIR)/libfreeswan.a $(am__DEPENDENCIES_2)
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
+am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
@@ -72,6 +81,27 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(scepclient_SOURCES)
 DIST_SOURCES = $(scepclient_SOURCES)
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 man8dir = $(mandir)/man8
 NROFF = nroff
 MANS = $(dist_man_MANS)
@@ -111,25 +141,22 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
-IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
-LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
-LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
-LINUX_HEADERS = @LINUX_HEADERS@
 LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
 NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
@@ -141,11 +168,14 @@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
 PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
+RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
@@ -174,9 +204,9 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
-confdir = @confdir@
 datadir = @datadir@
 datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
@@ -199,7 +229,7 @@ ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
 libstrongswan_plugins = @libstrongswan_plugins@
-linuxdir = @linuxdir@
+linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
@@ -207,6 +237,7 @@ mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
@@ -215,10 +246,12 @@ pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+random_device = @random_device@
 resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
-simreader = @simreader@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
@@ -226,9 +259,10 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-scepclient_SOURCES = scepclient.c pkcs10.c pkcs10.h scep.c scep.h loglite.c 
+scepclient_SOURCES = scepclient.c scep.c scep.h loglite.c
 PLUTODIR = $(top_srcdir)/src/pluto
 OPENACDIR = $(top_srcdir)/src/openac
 WHACKDIR = $(top_srcdir)/src/whack
@@ -242,15 +276,12 @@ INCLUDES = \
 -I$(LIBCRYPTODIR) \
 -I$(WHACKDIR)
 
-AM_CFLAGS = -DIPSEC_CONFDIR=\"${confdir}\" \
-	-DIPSEC_PLUGINDIR=\"${plugindir}\" \
-	-DPLUGINS=\""${pluto_plugins}\"" \
-	-DSTRONGSWAN_CONF=\"${strongswan_conf}\" -DDEBUG -DNO_PLUTO \
+AM_CFLAGS = -DIPSEC_CONFDIR=\"${sysconfdir}\" \
+	-DPLUGINS=\""${pluto_plugins}\"" -DDEBUG -DNO_PLUTO \
 	$(am__append_1)
 LIBSTRONGSWANBUILDDIR = $(top_builddir)/src/libstrongswan
 LIBFREESWANBUILDDIR = $(top_builddir)/src/libfreeswan
-scepclient_LDADD = ca.o crl.o certs.o constants.o defs.o fetch.o id.o \
-	keys.o lex.o ocsp.o pem.o pgpcert.o pkcs7.o smartcard.o x509.o \
+scepclient_LDADD = constants.o defs.o lex.o pkcs7.o \
 	$(LIBSTRONGSWANBUILDDIR)/libstrongswan.la \
 	$(LIBFREESWANBUILDDIR)/libfreeswan.a $(am__append_2)
 dist_man_MANS = scepclient.8
@@ -267,9 +298,9 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/scepclient/Makefile'; \
-	cd $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu  src/scepclient/Makefile
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/scepclient/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/scepclient/Makefile
 .PRECIOUS: Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
@@ -287,34 +318,50 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
 install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
 	@$(NORMAL_INSTALL)
 	test -z "$(ipsecdir)" || $(MKDIR_P) "$(DESTDIR)$(ipsecdir)"
-	@list='$(ipsec_PROGRAMS)'; for p in $$list; do \
-	  p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
-	  if test -f $$p \
-	     || test -f $$p1 \
-	  ; then \
-	    f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \
-	   echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(ipsecPROGRAMS_INSTALL) '$$p' '$(DESTDIR)$(ipsecdir)/$$f'"; \
-	   $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(ipsecPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(ipsecdir)/$$f" || exit 1; \
-	  else :; fi; \
-	done
+	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
+	for p in $$list; do echo "$$p $$p"; done | \
+	sed 's/$(EXEEXT)$$//' | \
+	while read p p1; do if test -f $$p || test -f $$p1; \
+	  then echo "$$p"; echo "$$p"; else :; fi; \
+	done | \
+	sed -e 'p;s,.*/,,;n;h' -e 's|.*|.|' \
+	    -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \
+	sed 'N;N;N;s,\n, ,g' | \
+	$(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \
+	  { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \
+	    if ($$2 == $$4) files[d] = files[d] " " $$1; \
+	    else { print "f", $$3 "/" $$4, $$1; } } \
+	  END { for (d in files) print "f", d, files[d] }' | \
+	while read type dir files; do \
+	    if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \
+	    test -z "$$files" || { \
+	    echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(ipsecdir)$$dir'"; \
+	    $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(ipsecdir)$$dir" || exit $$?; \
+	    } \
+	; done
 
 uninstall-ipsecPROGRAMS:
 	@$(NORMAL_UNINSTALL)
-	@list='$(ipsec_PROGRAMS)'; for p in $$list; do \
-	  f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \
-	  echo " rm -f '$(DESTDIR)$(ipsecdir)/$$f'"; \
-	  rm -f "$(DESTDIR)$(ipsecdir)/$$f"; \
-	done
+	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
+	files=`for p in $$list; do echo "$$p"; done | \
+	  sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \
+	      -e 's/$$/$(EXEEXT)/' `; \
+	test -n "$$list" || exit 0; \
+	echo " ( cd '$(DESTDIR)$(ipsecdir)' && rm -f" $$files ")"; \
+	cd "$(DESTDIR)$(ipsecdir)" && rm -f $$files
 
 clean-ipsecPROGRAMS:
-	@list='$(ipsec_PROGRAMS)'; for p in $$list; do \
-	  f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
-	  echo " rm -f $$p $$f"; \
-	  rm -f $$p $$f ; \
-	done
+	@list='$(ipsec_PROGRAMS)'; test -n "$$list" || exit 0; \
+	echo " rm -f" $$list; \
+	rm -f $$list || exit $$?; \
+	test -n "$(EXEEXT)" || exit 0; \
+	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
+	echo " rm -f" $$list; \
+	rm -f $$list
 scepclient$(EXEEXT): $(scepclient_OBJECTS) $(scepclient_DEPENDENCIES) 
 	@rm -f scepclient$(EXEEXT)
 	$(LINK) $(scepclient_OBJECTS) $(scepclient_LDADD) $(LIBS)
@@ -326,27 +373,26 @@ distclean-compile:
 	-rm -f *.tab.c
 
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/loglite.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs10.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/scep.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/scepclient.Po@am__quote@
 
 .c.o:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c $<
 
 .c.obj:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
 @am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
@@ -356,51 +402,44 @@ mostlyclean-libtool:
 
 clean-libtool:
 	-rm -rf .libs _libs
-install-man8: $(man8_MANS) $(man_MANS)
+install-man8: $(dist_man_MANS)
 	@$(NORMAL_INSTALL)
 	test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)"
-	@list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \
-	l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
-	for i in $$l2; do \
-	  case "$$i" in \
-	    *.8*) list="$$list $$i" ;; \
-	  esac; \
+	@list=''; test -n "$(man8dir)" || exit 0; \
+	{ for i in $$list; do echo "$$i"; done; \
+	l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \
+	  sed -n '/\.8[a-z]*$$/p'; \
+	} | while read p; do \
+	  if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
+	  echo "$$d$$p"; echo "$$p"; \
+	done | \
+	sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \
+	      -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \
+	sed 'N;N;s,\n, ,g' | { \
+	list=; while read file base inst; do \
+	  if test "$$base" = "$$inst"; then list="$$list $$file"; else \
+	    echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \
+	    $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst" || exit $$?; \
+	  fi; \
 	done; \
-	for i in $$list; do \
-	  if test -f $$i; then file=$$i; \
-	  else file=$(srcdir)/$$i; fi; \
-	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
-	  case "$$ext" in \
-	    8*) ;; \
-	    *) ext='8' ;; \
-	  esac; \
-	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
-	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
-	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
-	  echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \
-	  $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst"; \
-	done
+	for i in $$list; do echo "$$i"; done | $(am__base_list) | \
+	while read files; do \
+	  test -z "$$files" || { \
+	    echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man8dir)'"; \
+	    $(INSTALL_DATA) $$files "$(DESTDIR)$(man8dir)" || exit $$?; }; \
+	done; }
+
 uninstall-man8:
 	@$(NORMAL_UNINSTALL)
-	@list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \
-	l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
-	for i in $$l2; do \
-	  case "$$i" in \
-	    *.8*) list="$$list $$i" ;; \
-	  esac; \
-	done; \
-	for i in $$list; do \
-	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
-	  case "$$ext" in \
-	    8*) ;; \
-	    *) ext='8' ;; \
-	  esac; \
-	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
-	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
-	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
-	  echo " rm -f '$(DESTDIR)$(man8dir)/$$inst'"; \
-	  rm -f "$(DESTDIR)$(man8dir)/$$inst"; \
-	done
+	@list=''; test -n "$(man8dir)" || exit 0; \
+	files=`{ for i in $$list; do echo "$$i"; done; \
+	l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \
+	  sed -n '/\.8[a-z]*$$/p'; \
+	} | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \
+	      -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
+	test -z "$$files" || { \
+	  echo " ( cd '$(DESTDIR)$(man8dir)' && rm -f" $$files ")"; \
+	  cd "$(DESTDIR)$(man8dir)" && rm -f $$files; }
 
 ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
@@ -414,7 +453,7 @@ tags: TAGS
 
 TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
+	set x; \
 	here=`pwd`; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
@@ -422,34 +461,52 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
 	  test -n "$$unique" || unique=$$empty_fix; \
-	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	    $$tags $$unique; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
 	fi
 ctags: CTAGS
 CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	test -z "$(CTAGS_ARGS)$$unique" \
 	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$tags $$unique
+	     $$unique
 
 GTAGS:
 	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && cd $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) $$here
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
 
 distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
 
 distdir: $(DISTFILES)
+	@list='$(MANS)'; if test -n "$$list"; then \
+	  list=`for p in $$list; do \
+	    if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
+	    if test -f "$$d$$p"; then echo "$$d$$p"; else :; fi; done`; \
+	  if test -n "$$list" && \
+	    grep 'ab help2man is required to generate this page' $$list >/dev/null; then \
+	    echo "error: found man pages containing the \`missing help2man' replacement text:" >&2; \
+	    grep -l 'ab help2man is required to generate this page' $$list | sed 's/^/         /' >&2; \
+	    echo "       to fix them, install help2man, remove and regenerate the man pages;" >&2; \
+	    echo "       typically \`make maintainer-clean' will remove them" >&2; \
+	    exit 1; \
+	  else :; fi; \
+	else :; fi
 	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
 	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
 	list='$(DISTFILES)'; \
@@ -465,13 +522,17 @@ distdir: $(DISTFILES)
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
 	  if test -d $$d/$$file; then \
 	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
 	    fi; \
-	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
 	  else \
-	    test -f $(distdir)/$$file \
-	    || cp -p $$d/$$file $(distdir)/$$file \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
 	    || exit 1; \
 	  fi; \
 	done
@@ -502,6 +563,7 @@ clean-generic:
 
 distclean-generic:
 	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -523,6 +585,8 @@ dvi-am:
 
 html: html-am
 
+html-am:
+
 info: info-am
 
 info-am:
@@ -531,18 +595,28 @@ install-data-am: install-ipsecPROGRAMS install-man
 
 install-dvi: install-dvi-am
 
+install-dvi-am:
+
 install-exec-am:
 
 install-html: install-html-am
 
+install-html-am:
+
 install-info: install-info-am
 
+install-info-am:
+
 install-man: install-man8
 
 install-pdf: install-pdf-am
 
+install-pdf-am:
+
 install-ps: install-ps-am
 
+install-ps-am:
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -585,50 +659,18 @@ uninstall-man: uninstall-man8
 	uninstall-man uninstall-man8
 
 
-ca.o :		$(PLUTODIR)/ca.c $(PLUTODIR)/ca.h
-		$(COMPILE) $(INCLUDES) -c -o $@ $<
-
-certs.o :	$(PLUTODIR)/certs.c $(PLUTODIR)/certs.h
-		$(COMPILE) $(INCLUDES) -c -o $@ $<
-
 constants.o :	$(PLUTODIR)/constants.c $(PLUTODIR)/constants.h
 		$(COMPILE) $(INCLUDES) -c -o $@ $<
 
-crl.o : 	$(PLUTODIR)/crl.c $(PLUTODIR)/crl.h
-		$(COMPILE) $(INCLUDES) -c -o $@ $<
-
 defs.o : 	$(PLUTODIR)/defs.c $(PLUTODIR)/defs.h
 		$(COMPILE) $(INCLUDES) -c -o $@ $<
 
-fetch.o : 	$(PLUTODIR)/fetch.c $(PLUTODIR)/fetch.h
-		$(COMPILE) $(INCLUDES) -c -o $@ $<
-
-id.o : 		$(PLUTODIR)/id.c $(PLUTODIR)/id.h
-		$(COMPILE) $(INCLUDES) -c -o $@ $<
-
-keys.o :	$(PLUTODIR)/keys.c $(PLUTODIR)/keys.h
-		$(COMPILE) $(INCLUDES) -c -o $@ $<
-
 lex.o :		$(PLUTODIR)/lex.c $(PLUTODIR)/lex.h
 		$(COMPILE) $(INCLUDES) -c -o $@ $<
 
-ocsp.o :	$(PLUTODIR)/ocsp.c $(PLUTODIR)/ocsp.h
-		$(COMPILE) $(INCLUDES) -c -o $@ $<
-
-pem.o :		$(PLUTODIR)/pem.c $(PLUTODIR)/pem.h
-		$(COMPILE) $(INCLUDES) -c -o $@ $<
-
-pgpcert.o :		$(PLUTODIR)/pgpcert.c $(PLUTODIR)/pgpcert.h
-		$(COMPILE) $(INCLUDES) -c -o $@ $<
-
 pkcs7.o :	$(PLUTODIR)/pkcs7.c $(PLUTODIR)/pkcs7.h
 		$(COMPILE) $(INCLUDES) -c -o $@ $<
 
-smartcard.o :	$(PLUTODIR)/smartcard.c $(PLUTODIR)/smartcard.h
-		$(COMPILE) $(INCLUDES) -c -o $@ $<
-
-x509.o :	$(PLUTODIR)/x509.c $(PLUTODIR)/x509.h
-		$(COMPILE) $(INCLUDES) -c -o $@ $<
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/src/scepclient/loglite.c b/src/scepclient/loglite.c
index 87041f114..539bb5f72 100644
--- a/src/scepclient/loglite.c
+++ b/src/scepclient/loglite.c
@@ -56,12 +56,12 @@ static void scepclient_dbg(int level, char *fmt, ...)
 	else if (cur_debugging & DBG_RAW)
 	{
 		debug_level = 3;
-	}	
+	}
 	else if (cur_debugging & DBG_PARSING)
 	{
 		debug_level = 2;
 	}
-	else 
+	else
 	{
 		debug_level = 1;
 	}
diff --git a/src/scepclient/pkcs10.c b/src/scepclient/pkcs10.c
deleted file mode 100644
index cdd68431e..000000000
--- a/src/scepclient/pkcs10.c
+++ /dev/null
@@ -1,224 +0,0 @@
-/**
- * @file pkcs10.c
- * @brief Functions to build PKCS#10 requests
- *
- * Contains functions to build DER encoded pkcs#10 certificate requests
- */
-
-/* Copyright (C) 2005 Jan Hutter, Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <stdlib.h>
-#include <string.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-
-#include <freeswan.h>
-#include <asn1/asn1.h>
-#include <asn1/oid.h>
-
-#include "../pluto/constants.h"
-#include "../pluto/defs.h"
-#include "../pluto/log.h"
-#include "../pluto/x509.h"
-
-#include "pkcs10.h"
-
-/* some pre-coded OIDs */
-
-static u_char ASN1_challengePassword_oid_str[] = {
-	0x06,0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x07
-};
-
-static const chunk_t ASN1_challengePassword_oid = chunk_from_buf(ASN1_challengePassword_oid_str);
-
-static u_char ASN1_extensionRequest_oid_str[] = {
-	0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x0E
-};
-
-static const chunk_t ASN1_extensionRequest_oid = chunk_from_buf(ASN1_extensionRequest_oid_str);
-
-/** 
- * @brief Adds a subjectAltName in DER-coded form to a linked list
- * 
- * @param[in,out]       subjectAltNames head of the linked list of subjectAltNames
- * @param[in]           kind            type of the subjectAltName (which is a generalName)
- * @param[in]           value           value of the subjectAltName as an ASCII string
- */
-void
-pkcs10_add_subjectAltName(generalName_t **subjectAltNames, generalNames_t kind
-, char *value) 
-{
-	generalName_t *gn;
-	asn1_t asn1_type = ASN1_EOC;
-	chunk_t name = { value, strlen(value) };
-
-	switch (kind)
-	{
-	case GN_RFC822_NAME:
-		asn1_type = ASN1_CONTEXT_S_1;
-		break;
-	case GN_DNS_NAME:
-		asn1_type = ASN1_CONTEXT_S_2;
-		break;
-	case GN_IP_ADDRESS:
-		{
-			struct in_addr addr;
-
-			/* convert an ASCII dotted IPv4 address (e.g. 123.456.78.90)
-			 * to a byte representation in network order
-			 */
-			if (!inet_aton(value, &addr))
-			{
-				fprintf(stderr, "error in IPv4 subjectAltName\n");
-				return;
-			}
-			asn1_type = ASN1_CONTEXT_S_7;
-			name.ptr = (u_char *) &addr.s_addr;
-			name.len = sizeof(addr.s_addr);
-			break;
-		}
-	default:
-		break;
-	}
-
-	gn = malloc_thing(generalName_t);
-	gn->kind = kind;
-	gn->name = asn1_simple_object(asn1_type, name);
-	gn->next = *subjectAltNames;
-	*subjectAltNames = gn;
-}
-
-/**
- * @brief Builds the requestInfoAttributes of the certificationRequestInfo-field 
- * 
- * challenge password ans subjectAltNames are only included,
- * when avaiable in given #pkcs10_t structure
- *
- * @param[in]   pkcs10          Pointer to a #pkcs10_t structure
- * @return                                      1 if succeeded, 0 otherwise
- */
-static chunk_t
-build_req_info_attributes(pkcs10_t* pkcs10)
-{
-
-	chunk_t subjectAltNames   = chunk_empty;
-	chunk_t challengePassword = chunk_empty;
-
-	if (pkcs10->subjectAltNames != NULL) 
-	{
-
-		subjectAltNames = asn1_wrap(ASN1_SEQUENCE, "cm"
-				, ASN1_extensionRequest_oid
-				, asn1_wrap(ASN1_SET, "m"
-					, asn1_wrap(ASN1_SEQUENCE, "m"
-						, build_subjectAltNames(pkcs10->subjectAltNames)
-					  )
-				  )
-			);
-	}
-
-	if (pkcs10->challengePassword.len > 0)
-	{
-		asn1_t type = asn1_is_printablestring(pkcs10->challengePassword)
-					  ? ASN1_PRINTABLESTRING : ASN1_T61STRING;
-
-		challengePassword = asn1_wrap(ASN1_SEQUENCE, "cm"
-				, ASN1_challengePassword_oid
-				, asn1_wrap(ASN1_SET, "m"
-					, asn1_simple_object(type, pkcs10->challengePassword)
-				  )
-			);
-	}
-
-	return asn1_wrap(ASN1_CONTEXT_C_0, "mm"
-				, subjectAltNames
-				, challengePassword);
-}
-
-/**
- * @brief Builds a DER-code pkcs#10 certificate request
- *
- * @param[in]   pkcs10          pointer to a pkcs10_t struct
- * @return                      DER-code pkcs10 request
- */
-static chunk_t
-pkcs10_build_request(pkcs10_t *pkcs10, int signature_alg)
-{
-	chunk_t key = pkcs10->public_key->get_encoding(pkcs10->public_key);
-
-	chunk_t keyInfo = asn1_wrap(ASN1_SEQUENCE, "cm",
-							asn1_algorithmIdentifier(OID_RSA_ENCRYPTION), 
-							asn1_bitstring("m", key));	
-
-	chunk_t cert_req_info = asn1_wrap(ASN1_SEQUENCE, "ccmm",
-								ASN1_INTEGER_0,
-								pkcs10->subject,
-								keyInfo,
-								build_req_info_attributes(pkcs10));
-
-	chunk_t signature = x509_build_signature(cert_req_info, signature_alg,
-											 pkcs10->private_key, TRUE);
-
-	return asn1_wrap(ASN1_SEQUENCE, "mcm",
-				cert_req_info,
-				asn1_algorithmIdentifier(signature_alg),
-				signature);
-}
-
-/**
- * @brief Creates a pkcs#10 certificate request object
- *
- * To create a certificate request, the RSA key and the
- * names to be included as subject in the certificate request
- * (e.g. commonName, organization) are needed. An optional challenge
- * password or some subjectAltNames may be included.
- *
- * @param[in]   key                     rsakey of type #rsakey_t
- * @param[in]   subject                 DER-coded subject distinguished name
- * @param[in]   challengePassword       challenge password or chunk_empty
- * @param[in]   subjectAltNames         linked list of subjectAltNames or NULL
- * @return                              pointer to a #pkcs10_t object
- */
-pkcs10_t* pkcs10_build(private_key_t *private, public_key_t *public,
-					   chunk_t subject, chunk_t challengePassword,
-					   generalName_t *subjectAltNames, int signature_alg)
-{
-	pkcs10_t *pkcs10 = malloc_thing(pkcs10_t);
-
-	pkcs10->subject = subject;
-	pkcs10->private_key = private;
-	pkcs10->public_key = public;
-	pkcs10->challengePassword = challengePassword;
-	pkcs10->subjectAltNames = subjectAltNames;
-
-	pkcs10->request = pkcs10_build_request(pkcs10, signature_alg);
-	return pkcs10;
-}
-
-/**
- * @brief Frees the resources used by an #pkcs10_t object
- *
- * @param[in]   pkcs10          #pkcs10_t to free
- */
-void
-pkcs10_free(pkcs10_t *pkcs10)
-{
-	if (pkcs10 != NULL)
-	{
-		free(pkcs10->request.ptr);
-		free(pkcs10);
-	}
-}
diff --git a/src/scepclient/pkcs10.h b/src/scepclient/pkcs10.h
deleted file mode 100644
index 3f29f019a..000000000
--- a/src/scepclient/pkcs10.h
+++ /dev/null
@@ -1,60 +0,0 @@
-/**
- * @file pkcs10.h
- * @brief Functions to build PKCS#10 Request's
- * 
- * Contains functions to build DER encoded pkcs#10 certificate requests
- */
-
-/*
- * Copyright (C) 2005 Jan Hutter, Martin Willi
- * Hochschule fuer Technik Rapperswil
- * 
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#ifndef _PKCS10_H
-#define _PKCS10_H
-
-#include <credentials/keys/private_key.h>
-#include <credentials/keys/public_key.h>
-
-#include "../pluto/defs.h"
-#include "../pluto/x509.h"
-
-typedef struct pkcs10_struct pkcs10_t;
-
-/**
- * @brief type representating a pkcs#10 request.
- *
- * A pkcs#10 request contains a distinguished name, an optional 
- * challenge password, a public key and optional subjectAltNames.
- * 
- * The RSA private key is needed to compute the signature of the given request
- */
-struct pkcs10_struct {
-	private_key_t  *private_key;
-	public_key_t   *public_key;
-	chunk_t         request;
-	chunk_t         subject;
-	chunk_t         challengePassword;
-	generalName_t  *subjectAltNames;
-};
-
-extern const pkcs10_t empty_pkcs10;
-
-extern void pkcs10_add_subjectAltName(generalName_t **subjectAltNames,
-									  generalNames_t kind, char *value);
-extern pkcs10_t* pkcs10_build(private_key_t *private, public_key_t *public,
-							  chunk_t subject, chunk_t challengePassword,
-							  generalName_t *subjectAltNames, int signature_alg);
-extern void pkcs10_free(pkcs10_t *pkcs10);
-
-#endif /* _PKCS10_H */
diff --git a/src/scepclient/scep.c b/src/scepclient/scep.c
index a788c6f41..598705636 100644
--- a/src/scepclient/scep.c
+++ b/src/scepclient/scep.c
@@ -1,7 +1,7 @@
 /**
  * @file scep.c
  * @brief SCEP specific functions
- * 
+ *
  * Contains functions to build SCEP request's and to parse SCEP reply's.
  */
 
@@ -39,24 +39,15 @@
 
 #include "scep.h"
 
-static char ASN1_messageType_oid_str[] = {
+static const chunk_t ASN1_messageType_oid = chunk_from_chars(
 	0x06, 0x0A, 0x60, 0x86, 0x48, 0x01, 0x86, 0xF8, 0x45, 0x01, 0x09, 0x02
-};
-
-static char ASN1_senderNonce_oid_str[] = {
+);
+static const chunk_t ASN1_senderNonce_oid = chunk_from_chars(
 	0x06, 0x0A, 0x60, 0x86, 0x48, 0x01, 0x86, 0xF8, 0x45, 0x01, 0x09, 0x05
-};
-
-static char ASN1_transId_oid_str[] = {
+);
+static const chunk_t ASN1_transId_oid = chunk_from_chars(
 	0x06, 0x0A, 0x60, 0x86, 0x48, 0x01, 0x86, 0xF8, 0x45, 0x01, 0x09, 0x07
-};
-
-static const chunk_t ASN1_messageType_oid =
-						chunk_from_buf(ASN1_messageType_oid_str);
-static const chunk_t ASN1_senderNonce_oid =
-						chunk_from_buf(ASN1_senderNonce_oid_str);
-static const chunk_t ASN1_transId_oid =
-						chunk_from_buf(ASN1_transId_oid_str);
+);
 
 static const char *pkiStatus_values[] = { "0", "2", "3" };
 
@@ -239,7 +230,7 @@ bool parse_attributes(chunk_t blob, scep_attributes_t *attrs)
 	DBG(DBG_CONTROL | DBG_PARSING,
 		DBG_log("parsing attributes")
 	)
-	
+
 	while (parser->iterate(parser, &objectID, &object))
 	{
 		switch (objectID)
@@ -255,24 +246,23 @@ bool parse_attributes(chunk_t blob, scep_attributes_t *attrs)
 		}
 	}
 	success = parser->success(parser);
-	
+
 end:
 	parser->destroy(parser);
 	return success;
 }
 
 /**
- * Generates a unique fingerprint of the pkcs10 request 
+ * Generates a unique fingerprint of the pkcs10 request
  * by computing an MD5 hash over it
  */
 chunk_t scep_generate_pkcs10_fingerprint(chunk_t pkcs10)
 {
-	char digest_buf[HASH_SIZE_MD5];
-	chunk_t digest = chunk_from_buf(digest_buf);
+	chunk_t digest = chunk_alloca(HASH_SIZE_MD5);
 	hasher_t *hasher;
 
 	hasher = lib->crypto->create_hasher(lib->crypto, HASH_MD5);
-	hasher->get_hash(hasher, pkcs10, digest_buf);
+	hasher->get_hash(hasher, pkcs10, digest.ptr);
 	hasher->destroy(hasher);
 
 	return chunk_to_hex(digest, NULL, FALSE);
@@ -285,21 +275,20 @@ chunk_t scep_generate_pkcs10_fingerprint(chunk_t pkcs10)
 void scep_generate_transaction_id(public_key_t *key, chunk_t *transID,
 								  chunk_t *serialNumber)
 {
-	char digest_buf[HASH_SIZE_MD5];
-	chunk_t digest = chunk_from_buf(digest_buf);
-	chunk_t keyEncoding, keyInfo;
+	chunk_t digest = chunk_alloca(HASH_SIZE_MD5);
+	chunk_t keyEncoding = chunk_empty, keyInfo;
 	hasher_t *hasher;
 	bool msb_set;
 	u_char *pos;
-	
-	keyEncoding = key->get_encoding(key);
 
-	keyInfo = asn1_wrap(ASN1_SEQUENCE, "cm",
-						asn1_algorithmIdentifier(OID_RSA_ENCRYPTION), 
-						asn1_bitstring("m", keyEncoding));	
+	key->get_encoding(key, KEY_PUB_ASN1_DER, &keyEncoding);
+
+	keyInfo = asn1_wrap(ASN1_SEQUENCE, "mm",
+						asn1_algorithmIdentifier(OID_RSA_ENCRYPTION),
+						asn1_bitstring("m", keyEncoding));
 
 	hasher = lib->crypto->create_hasher(lib->crypto, HASH_MD5);
-	hasher->get_hash(hasher, keyInfo, digest_buf);
+	hasher->get_hash(hasher, keyInfo, digest.ptr);
 	hasher->destroy(hasher);
 	free(keyInfo.ptr);
 
@@ -381,8 +370,8 @@ chunk_t scep_senderNonce_attribute(void)
  * Builds a pkcs7 enveloped and signed scep request
  */
 chunk_t scep_build_request(chunk_t data, chunk_t transID, scep_msg_t msg,
-						   const x509cert_t *enc_cert, int enc_alg,
-						   const x509cert_t *signer_cert, int digest_alg,
+						   certificate_t *enc_cert, int enc_alg,
+						   certificate_t *signer_cert, int digest_alg,
 						   private_key_t *private_key)
 {
 	chunk_t envelopedData, attributes, request;
@@ -497,7 +486,7 @@ bool scep_http_request(const char *url, chunk_t pkcs7, scep_op_t op,
 			free(escaped_req);
 
 			status = lib->fetcher->fetch(lib->fetcher, complete_url, response,
-										 FETCH_HTTP_VERSION_1_0, 
+										 FETCH_HTTP_VERSION_1_0,
 										 FETCH_REQUEST_HEADER, "Pragma:",
 										 FETCH_REQUEST_HEADER, "Host:",
 										 FETCH_REQUEST_HEADER, "Accept:",
@@ -510,7 +499,7 @@ bool scep_http_request(const char *url, chunk_t pkcs7, scep_op_t op,
 			complete_url = malloc(len);
 			snprintf(complete_url, len, "%s?operation=%s", url, operation);
 
-			status = lib->fetcher->fetch(lib->fetcher, complete_url, response, 
+			status = lib->fetcher->fetch(lib->fetcher, complete_url, response,
 										 FETCH_REQUEST_DATA, pkcs7,
 										 FETCH_REQUEST_TYPE, "",
 										 FETCH_REQUEST_HEADER, "Expect:",
@@ -527,7 +516,7 @@ bool scep_http_request(const char *url, chunk_t pkcs7, scep_op_t op,
 		snprintf(complete_url, len, "%s?operation=%s&message=CAIdentifier"
 				, url, operation);
 
-		status = lib->fetcher->fetch(lib->fetcher, complete_url, response, 
+		status = lib->fetcher->fetch(lib->fetcher, complete_url, response,
 									 FETCH_END);
 	}
 
@@ -536,7 +525,7 @@ bool scep_http_request(const char *url, chunk_t pkcs7, scep_op_t op,
 }
 
 err_t scep_parse_response(chunk_t response, chunk_t transID, contentInfo_t *data,
-						  scep_attributes_t *attrs, x509cert_t *signer_cert)
+						  scep_attributes_t *attrs, certificate_t *signer_cert)
 {
 	chunk_t attributes;
 
diff --git a/src/scepclient/scep.h b/src/scepclient/scep.h
index e8dc87591..f64c6b1cc 100644
--- a/src/scepclient/scep.h
+++ b/src/scepclient/scep.h
@@ -1,7 +1,7 @@
 /**
  * @file scep.h
  * @brief SCEP specific functions
- * 
+ *
  * Contains functions to build and parse SCEP requests and replies
  */
 
@@ -23,6 +23,8 @@
 #ifndef _SCEP_H
 #define _SCEP_H
 
+#include <credentials/certificates/certificate.h>
+
 #include "../pluto/defs.h"
 #include "../pluto/pkcs7.h"
 
@@ -81,13 +83,13 @@ extern chunk_t scep_transId_attribute(chunk_t transaction_id);
 extern chunk_t scep_messageType_attribute(scep_msg_t m);
 extern chunk_t scep_senderNonce_attribute(void);
 extern chunk_t scep_build_request(chunk_t data, chunk_t transID, scep_msg_t msg,
-								  const x509cert_t *enc_cert, int enc_alg,
-								  const x509cert_t *signer_cert, int digest_alg,
+								  certificate_t *enc_cert, int enc_alg,
+								  certificate_t *signer_cert, int digest_alg,
 								  private_key_t *private_key);
 extern bool scep_http_request(const char *url, chunk_t pkcs7, scep_op_t op,
 							  bool http_get_request, chunk_t *response);
 extern err_t scep_parse_response(chunk_t response, chunk_t transID,
 								 contentInfo_t *data, scep_attributes_t *attrs,
-								 x509cert_t *signer_cert);
+								 certificate_t *signer_cert);
 
 #endif /* _SCEP_H */
diff --git a/src/scepclient/scepclient.c b/src/scepclient/scepclient.c
index 6c0166d66..576ce1dc5 100644
--- a/src/scepclient/scepclient.c
+++ b/src/scepclient/scepclient.c
@@ -41,18 +41,22 @@
 #include <asn1/oid.h>
 #include <utils/optionsfrom.h>
 #include <utils/enumerator.h>
+#include <utils/linked_list.h>
+#include <crypto/hashers/hasher.h>
 #include <crypto/crypters/crypter.h>
 #include <crypto/proposal/proposal_keywords.h>
 #include <credentials/keys/private_key.h>
 #include <credentials/keys/public_key.h>
+#include <credentials/certificates/certificate.h>
+#include <credentials/certificates/x509.h>
+#include <credentials/certificates/pkcs10.h>
 
 #include "../pluto/constants.h"
 #include "../pluto/defs.h"
 #include "../pluto/log.h"
-#include "../pluto/pkcs7.h"
 #include "../pluto/certs.h"
+#include "../pluto/pkcs7.h"
 
-#include "pkcs10.h"
 #include "scep.h"
 
 /*
@@ -121,26 +125,27 @@ options_t *options;
  * Global variables
  */
 
-private_key_t *private_key = NULL;
-public_key_t *public_key = NULL;
-
 chunk_t pkcs1;
 chunk_t pkcs7;
-chunk_t subject;
 chunk_t challengePassword;
 chunk_t serialNumber;
 chunk_t transID;
 chunk_t fingerprint;
+chunk_t encoding;
+chunk_t pkcs10_encoding;
 chunk_t issuerAndSubject;
 chunk_t getCertInitial;
 chunk_t scep_response;
-cert_t cert;
 
-x509cert_t *x509_signer        = NULL;
-x509cert_t *x509_ca_enc        = NULL;
-x509cert_t *x509_ca_sig        = NULL;
-generalName_t *subjectAltNames = NULL;
-pkcs10_t *pkcs10               = NULL;
+linked_list_t *subjectAltNames;
+
+identification_t *subject      = NULL;
+private_key_t *private_key     = NULL;
+public_key_t *public_key       = NULL;
+certificate_t *x509_signer     = NULL;
+certificate_t *x509_ca_enc     = NULL;
+certificate_t *x509_ca_sig     = NULL;
+certificate_t *pkcs10_req      = NULL;
 
 /**
  * @brief exit scepclient
@@ -152,27 +157,25 @@ exit_scepclient(err_t message, ...)
 {
 	int status = 0;
 
+	DESTROY_IF(subject);
 	DESTROY_IF(private_key);
 	DESTROY_IF(public_key);
+	DESTROY_IF(x509_signer);
+	DESTROY_IF(x509_ca_enc);
+	DESTROY_IF(x509_ca_sig);
+	DESTROY_IF(pkcs10_req);
+	subjectAltNames->destroy_offset(subjectAltNames,
+								   offsetof(identification_t, destroy));
 	free(pkcs1.ptr);
 	free(pkcs7.ptr);
-	free(subject.ptr);
 	free(serialNumber.ptr);
 	free(transID.ptr);
 	free(fingerprint.ptr);
+	free(encoding.ptr);
+	free(pkcs10_encoding.ptr);
 	free(issuerAndSubject.ptr);
 	free(getCertInitial.ptr);
 	free(scep_response.ptr);
-
-	free_generalNames(subjectAltNames, TRUE);
-	if (x509_signer != NULL)
-	{
-		x509_signer->subjectAltName = NULL;
-	}
-	free_x509cert(x509_signer);
-	free_x509cert(x509_ca_enc);
-	free_x509cert(x509_ca_sig);
-	pkcs10_free(pkcs10);
 	options->destroy(options);
 
 	/* print any error message to stderr */
@@ -279,7 +282,7 @@ static void print_plugins()
 	char buf[BUF_LEN], *plugin;
 	int len = 0;
 	enumerator_t *enumerator;
-	
+
 	enumerator = lib->plugins->create_plugin_enumerator(lib->plugins);
 	while (len < BUF_LEN && enumerator->enumerate(enumerator, &plugin))
 	{
@@ -357,8 +360,8 @@ int main(int argc, char **argv)
 	/* digest algorithm used by pkcs7, default is SHA-1 */
 	int pkcs7_digest_alg = OID_SHA1;
 
-	/* signature algorithm used by pkcs10, default is SHA-1 with RSA encryption */
-	int pkcs10_signature_alg = OID_SHA1;
+	/* signature algorithm used by pkcs10, default is SHA-1 */
+	hash_algorithm_t pkcs10_signature_alg = HASH_SHA1;
 
 	/* URL of the SCEP-Server */
 	char *scep_url = NULL;
@@ -374,20 +377,8 @@ int main(int argc, char **argv)
 
 	err_t ugh = NULL;
 
-	/* initialize global variables */
-	pkcs1             = chunk_empty;
-	pkcs7             = chunk_empty;
-	serialNumber      = chunk_empty;
-	transID           = chunk_empty;
-	fingerprint       = chunk_empty;
-	issuerAndSubject  = chunk_empty;
-	challengePassword = chunk_empty;
-	getCertInitial    = chunk_empty;
-	scep_response     = chunk_empty;
-	log_to_stderr     = TRUE;
-
 	/* initialize library */
-	if (!library_init(STRONGSWAN_CONF))
+	if (!library_init(NULL))
 	{
 		library_deinit();
 		exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
@@ -400,8 +391,21 @@ int main(int argc, char **argv)
 		exit(SS_RC_DAEMON_INTEGRITY);
 	}
 
-	/* initialize optionsfrom */
-	options = options_create();
+	/* initialize global variables */
+	pkcs1             = chunk_empty;
+	pkcs7             = chunk_empty;
+	serialNumber      = chunk_empty;
+	transID           = chunk_empty;
+	fingerprint       = chunk_empty;
+	encoding          = chunk_empty;
+	pkcs10_encoding   = chunk_empty; 
+	issuerAndSubject  = chunk_empty;
+	challengePassword = chunk_empty;
+	getCertInitial    = chunk_empty;
+	scep_response     = chunk_empty;
+	subjectAltNames   = linked_list_create();
+	options           = options_create();
+	log_to_stderr     = TRUE;
 
 	for (;;)
 	{
@@ -544,7 +548,7 @@ int main(int argc, char **argv)
 				}
 				continue;
 			}
-		
+
 		case 'f':       /* --force */
 			force = TRUE;
 			continue;
@@ -614,7 +618,6 @@ int main(int argc, char **argv)
 
 		case 's':       /* --subjectAltName */
 			{
-				generalNames_t kind;
 				char *value = strstr(optarg, "=");
 
 				if (value)
@@ -625,25 +628,19 @@ int main(int argc, char **argv)
 					value++;
 				}
 
-				if (strcaseeq("email", optarg))
-				{       
-					kind = GN_RFC822_NAME;
-				}
-				else if (strcaseeq("dns", optarg))
+				if (strcaseeq("email", optarg) ||
+					strcaseeq("dns", optarg)   ||
+					strcaseeq("ip", optarg))
 				{
-					kind = GN_DNS_NAME;
-				}
-				else if (strcaseeq("ip", optarg))
-				{
-					kind = GN_IP_ADDRESS;
+					subjectAltNames->insert_last(subjectAltNames,
+								 identification_create_from_string(value));
+					continue;
 				}
 				else
 				{
 					usage("invalid --subjectAltName type");
 					continue;
 				}
-				pkcs10_add_subjectAltName(&subjectAltNames, kind, value);
-				continue;
 			}
 
 		case 'p':       /* --password */
@@ -748,7 +745,7 @@ int main(int argc, char **argv)
 			base_debugging |= DBG_PRIVATE;
 			continue;
 #endif
-		default: 
+		default:
 			usage("unknown option");
 		}
 		/* break from loop */
@@ -759,8 +756,11 @@ int main(int argc, char **argv)
 	init_log("scepclient");
 
 	/* load plugins, further infrastructure may need it */
-	lib->plugins->load(lib->plugins, IPSEC_PLUGINDIR, 
-		lib->settings->get_str(lib->settings, "scepclient.load", PLUGINS));
+	if (!lib->plugins->load(lib->plugins, NULL,
+			lib->settings->get_str(lib->settings, "scepclient.load", PLUGINS)))
+	{
+		exit_scepclient("plugin loading failed");
+	}
 	print_plugins();
 
 	if ((filetype_out == 0) && (!request_ca_certificate))
@@ -787,18 +787,18 @@ int main(int argc, char **argv)
 	/*
 	 * input of PKCS#1 file
 	 */
-	if (filetype_in & PKCS1)    /* load an RSA key pair from file */ 
+	if (filetype_in & PKCS1)    /* load an RSA key pair from file */
 	{
-		prompt_pass_t pass = { "", FALSE, STDIN_FILENO };
 		char *path = concatenate_paths(PRIVATE_KEY_PATH, file_in_pkcs1);
 
-		private_key = load_private_key(path, &pass, KEY_RSA);
+		private_key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+										 BUILD_FROM_FILE, path, BUILD_END);
 	}
 	else                                /* generate an RSA key pair */
 	{
 		private_key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
 										 BUILD_KEY_SIZE, rsa_keylength,
- 										 BUILD_END);
+										 BUILD_END);
 	}
 	if (private_key == NULL)
 	{
@@ -828,11 +828,6 @@ int main(int argc, char **argv)
 	}
 	else
 	{
-		char buf[IDTOA_BUF];
-		chunk_t dn = chunk_empty;
-
-		dn.ptr = buf;
-
 		if (distinguishedName == NULL)
 		{
 			char buf[BUF_LEN];
@@ -850,34 +845,43 @@ int main(int argc, char **argv)
 		DBG(DBG_CONTROL,
 			DBG_log("dn: '%s'", distinguishedName);
 		)
-		ugh = atodn(distinguishedName, &dn);
-		if (ugh != NULL)
+		subject = identification_create_from_string(distinguishedName);
+		if (subject->get_type(subject) != ID_DER_ASN1_DN)
 		{
-			exit_scepclient(ugh);
+			exit_scepclient("parsing of distinguished name failed");
 		}
 
-		subject = chunk_clone(dn);
-
 		DBG(DBG_CONTROL,
 			DBG_log("building pkcs10 object:")
 		)
-		pkcs10 = pkcs10_build(private_key, public_key, subject,
-							  challengePassword, subjectAltNames,
-							  pkcs10_signature_alg);
-		fingerprint = scep_generate_pkcs10_fingerprint(pkcs10->request);
+		pkcs10_req = lib->creds->create(lib->creds, CRED_CERTIFICATE,
+						CERT_PKCS10_REQUEST,
+						BUILD_SIGNING_KEY, private_key,
+						BUILD_SUBJECT, subject,
+						BUILD_SUBJECT_ALTNAMES, subjectAltNames,
+						BUILD_PASSPHRASE, challengePassword,
+						BUILD_DIGEST_ALG, pkcs10_signature_alg,
+						BUILD_END);
+		if (!pkcs10_req)
+		{
+			exit_scepclient("generating pkcs10 request failed");
+		}
+		pkcs10_encoding = pkcs10_req->get_encoding(pkcs10_req);
+		fingerprint = scep_generate_pkcs10_fingerprint(pkcs10_encoding);
 		plog("  fingerprint:    %s", fingerprint.ptr);
 	}
 
-	/* 
+	/*
 	 * output of PKCS#10 file
 	 */
 	if (filetype_out & PKCS10)
 	{
 		char *path = concatenate_paths(REQ_PATH, file_out_pkcs10);
 
-		if (!chunk_write(pkcs10->request, path, "pkcs10",  0022, force))
+		if (!chunk_write(pkcs10_encoding, path, "pkcs10",  0022, force))
+		{
 			exit_scepclient("could not write pkcs10 file '%s'", path);
-
+		}
 		filetype_out &= ~PKCS10;   /* delete PKCS10 flag */
 	}
 
@@ -896,11 +900,11 @@ int main(int argc, char **argv)
 		DBG(DBG_CONTROL,
 			DBG_log("building pkcs1 object:")
 		)
-		pkcs1 = private_key->get_encoding(private_key);
-
-		if (!chunk_write(pkcs1, path, "pkcs1", 0066, force))
+		if (!private_key->get_encoding(private_key, KEY_PRIV_ASN1_DER, &pkcs1) ||
+			!chunk_write(pkcs1, path, "pkcs1", 0066, force))
+		{
 			exit_scepclient("could not write pkcs1 file '%s'", path);
-
+		}
 		filetype_out &= ~PKCS1;   /* delete PKCS1 flag */
 	}
 
@@ -912,19 +916,23 @@ int main(int argc, char **argv)
 	scep_generate_transaction_id(public_key, &transID, &serialNumber);
 	plog("  transaction ID: %.*s", (int)transID.len, transID.ptr);
 
+	notBefore = notBefore ? notBefore : time(NULL);
+	notAfter  = notAfter  ? notAfter  : (notBefore + validity);
+
 	/* generate a self-signed X.509 certificate */
-	x509_signer = malloc_thing(x509cert_t);
-	*x509_signer = empty_x509cert;
-	x509_signer->serialNumber = serialNumber;
-	x509_signer->sigAlg = OID_SHA1_WITH_RSA;
-	x509_signer->issuer = subject;
-	x509_signer->notBefore = (notBefore)? notBefore
-										: time(NULL);
-	x509_signer->notAfter = (notAfter)? notAfter
-									  : x509_signer->notBefore + validity;
-	x509_signer->subject = subject;
-	x509_signer->subjectAltName = subjectAltNames;
-	build_x509cert(x509_signer, public_key, private_key);
+	x509_signer = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+						BUILD_SIGNING_KEY, private_key,
+						BUILD_PUBLIC_KEY, public_key,
+						BUILD_SUBJECT, subject,
+						BUILD_NOT_BEFORE_TIME, notBefore,
+						BUILD_NOT_AFTER_TIME, notAfter,
+						BUILD_SERIAL, serialNumber,
+						BUILD_SUBJECT_ALTNAMES, subjectAltNames,
+						BUILD_END);
+	if (!x509_signer)
+	{
+		exit_scepclient("generating certificate failed");
+	}
 
 	/*
 	 * output of self-signed X.509 certificate file
@@ -933,9 +941,16 @@ int main(int argc, char **argv)
 	{
 		char *path = concatenate_paths(HOST_CERT_PATH, file_out_cert_self);
 
-		if (!chunk_write(x509_signer->certificate, path, "self-signed cert", 0022, force))
+		encoding = x509_signer->get_encoding(x509_signer);
+		if (!encoding.ptr)
+		{
+			exit_scepclient("encoding certificate failed");
+		}
+		if (!chunk_write(encoding, path, "self-signed cert", 0022, force))
+		{
 			exit_scepclient("could not write self-signed cert file '%s'", path);
-;
+		}
+		chunk_free(&encoding);
 		filetype_out &= ~CERT_SELF;   /* delete CERT_SELF flag */
 	}
 
@@ -949,16 +964,16 @@ int main(int argc, char **argv)
 	 */
 	{
 		char *path = concatenate_paths(CA_CERT_PATH, file_in_cacert_enc);
-		cert_t cert;
-
-		if (!load_cert(path, "encryption cacert", &cert))
+	
+		x509_ca_enc = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+										 BUILD_FROM_FILE, path, BUILD_END);
+		if (!x509_ca_enc)
 		{
 			exit_scepclient("could not load encryption cacert file '%s'", path);
 		}
-		x509_ca_enc = cert.u.x509;
 	}
 
-	/* 
+	/*
 	 * input of PKCS#7 file
 	 */
 	if (filetype_in & PKCS7)
@@ -976,10 +991,10 @@ int main(int argc, char **argv)
 		DBG(DBG_CONTROL,
 			DBG_log("building pkcs7 request")
 		)
-		pkcs7 = scep_build_request(pkcs10->request
-					, transID, SCEP_PKCSReq_MSG
-					, x509_ca_enc, pkcs7_symmetric_cipher
-					, x509_signer, pkcs7_digest_alg, private_key);
+		pkcs7 = scep_build_request(pkcs10_encoding,
+						transID, SCEP_PKCSReq_MSG,
+						x509_ca_enc, pkcs7_symmetric_cipher,
+						x509_signer, pkcs7_digest_alg, private_key);
 	}
 
 	/*
@@ -1005,19 +1020,23 @@ int main(int argc, char **argv)
 	 */
 	if (filetype_out & CERT)
 	{
+		certificate_t *cert;
+		enumerator_t  *enumerator;
 		char *path = concatenate_paths(CA_CERT_PATH, file_in_cacert_sig);
-		cert_t cert;
-		time_t poll_start;
+		time_t poll_start = 0;
 
-		x509cert_t       *certs         = NULL;
+		linked_list_t    *certs         = linked_list_create();
 		chunk_t           envelopedData = chunk_empty;
 		chunk_t           certData      = chunk_empty;
 		contentInfo_t     data          = empty_contentInfo;
 		scep_attributes_t attrs         = empty_scep_attributes;
 
-		if (!load_cert(path, "signature cacert", &cert))
+		x509_ca_sig = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+										 BUILD_FROM_FILE, path, BUILD_END);
+		if (!x509_ca_sig)
+		{
 			exit_scepclient("could not load signature cacert file '%s'", path);
-		x509_ca_sig = cert.u.x509;
+		}
 
 		if (!scep_http_request(scep_url, pkcs7, SCEP_PKI_OPERATION,
 			http_get_request, &scep_response))
@@ -1034,17 +1053,19 @@ int main(int argc, char **argv)
 		/* in case of manual mode, we are going into a polling loop */
 		if (attrs.pkiStatus == SCEP_PENDING)
 		{
+			identification_t *issuer = x509_ca_sig->get_subject(x509_ca_sig);
+
 			plog("  scep request pending, polling every %d seconds"
 				, poll_interval);
-			time(&poll_start);
-			issuerAndSubject = asn1_wrap(ASN1_SEQUENCE, "cc"
-								   , x509_ca_sig->subject
-								   , subject);
+			poll_start = time_monotonic(NULL);
+			issuerAndSubject = asn1_wrap(ASN1_SEQUENCE, "cc",
+									issuer->get_encoding(issuer),
+									subject);
 		}
 		while (attrs.pkiStatus == SCEP_PENDING)
 		{
 			if (max_poll_time > 0
-			&& (time(NULL) - poll_start >= max_poll_time))
+			&& (time_monotonic(NULL) - poll_start >= max_poll_time))
 			{
 				exit_scepclient("maximum poll time reached: %d seconds"
 							   , max_poll_time);
@@ -1096,7 +1117,7 @@ int main(int argc, char **argv)
 		{
 			exit_scepclient("could not decrypt envelopedData");
 		}
-		if (!pkcs7_parse_signedData(certData, NULL, &certs, NULL, NULL))
+		if (!pkcs7_parse_signedData(certData, NULL, certs, NULL, NULL))
 		{
 			exit_scepclient("error parsing the scep response");
 		}
@@ -1104,22 +1125,29 @@ int main(int argc, char **argv)
 
 		/* store the end entity certificate */
 		path = concatenate_paths(HOST_CERT_PATH, file_out_cert);
-		while (certs != NULL)
+
+		enumerator = certs->create_enumerator(certs);
+		while (enumerator->enumerate(enumerator, &cert))
 		{
 			bool stored = FALSE;
-			x509cert_t *cert = certs;
+			x509_t *x509 = (x509_t*)cert;
 
-			if (!cert->isCA)
+			if (!(x509->get_flags(x509) & X509_CA))
 			{
 				if (stored)
+				{
 					exit_scepclient("multiple certs received, only first stored");
-				if (!chunk_write(cert->certificate, path, "requested cert", 0022, force))
+				}
+				encoding = cert->get_encoding(cert);
+				if (!chunk_write(encoding, path, "requested cert", 0022, force))
+				{
 					exit_scepclient("could not write cert file '%s'", path);
+				}
+				chunk_free(&encoding);
 				stored = TRUE;
 			}
-			certs = certs->next;
-			free_x509cert(cert);
 		}
+		certs->destroy_offset(certs, offsetof(certificate_t, destroy));
 		filetype_out &= ~CERT;   /* delete CERT flag */
 	}
 
diff --git a/src/starter/Makefile.am b/src/starter/Makefile.am
index 3355b3afb..7524b5f26 100644
--- a/src/starter/Makefile.am
+++ b/src/starter/Makefile.am
@@ -6,7 +6,7 @@ keywords.c files.h keywords.h cmp.c starter.c cmp.h exec.c invokecharon.c \
 exec.h invokecharon.h lex.yy.c loglite.c klips.c klips.h
 
 INCLUDES = \
--I${linuxdir} \
+-I${linux_headers} \
 -I$(top_srcdir)/src/libstrongswan \
 -I$(top_srcdir)/src/libfreeswan \
 -I$(top_srcdir)/src/pluto \
@@ -15,9 +15,11 @@ INCLUDES = \
 
 AM_CFLAGS = \
 -DIPSEC_DIR=\"${ipsecdir}\" \
--DIPSEC_CONFDIR=\"${confdir}\" \
+-DIPSEC_CONFDIR=\"${sysconfdir}\" \
 -DIPSEC_PIDDIR=\"${piddir}\" \
 -DIPSEC_EAPDIR=\"${eapdir}\" \
+-DDEV_RANDOM=\"${random_device}\" \
+-DDEV_URANDOM=\"${urandom_device}\" \
 -DDEBUG
 
 starter_LDADD = defs.o $(top_builddir)/src/libfreeswan/libfreeswan.a $(top_builddir)/src/libstrongswan/libstrongswan.la $(SOCKLIB)
@@ -37,7 +39,7 @@ if USE_CHARON
 endif
 
 lex.yy.c:	$(srcdir)/parser.l $(srcdir)/parser.y $(srcdir)/parser.h
-		$(LEX) $(srcdir)/parser.l 
+		$(LEX) $(srcdir)/parser.l
 
 y.tab.c:	$(srcdir)/parser.y $(srcdir)/parser.l $(srcdir)/parser.h
 		$(YACC) -v -d $(srcdir)/parser.y
@@ -51,7 +53,7 @@ keywords.c:	$(srcdir)/keywords.txt $(srcdir)/keywords.h
 defs.o:		$(PLUTODIR)/defs.c $(PLUTODIR)/defs.h
 		$(COMPILE) -c -o $@ $(PLUTODIR)/defs.c
 
-install-exec-local :	
+install-exec-local :
 		test -e "$(DESTDIR)${sysconfdir}/ipsec.d" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d" || true
 		test -e "$(DESTDIR)${sysconfdir}/ipsec.d/cacerts" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/cacerts" || true
 		test -e "$(DESTDIR)${sysconfdir}/ipsec.d/ocspcerts" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/ocspcerts" || true
diff --git a/src/starter/Makefile.in b/src/starter/Makefile.in
index a839c20b1..79ea9de32 100644
--- a/src/starter/Makefile.in
+++ b/src/starter/Makefile.in
@@ -1,8 +1,9 @@
-# Makefile.in generated by automake 1.10.2 from Makefile.am.
+# Makefile.in generated by automake 1.11 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,8 +17,9 @@
 
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
@@ -39,14 +41,21 @@ subdir = src/starter
 DIST_COMMON = README $(dist_man_MANS) $(srcdir)/Makefile.am \
 	$(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
 CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
 am__installdirs = "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man5dir)" \
 	"$(DESTDIR)$(man8dir)"
-ipsecPROGRAMS_INSTALL = $(INSTALL_PROGRAM)
 PROGRAMS = $(ipsec_PROGRAMS)
 am_starter_OBJECTS = y.tab.$(OBJEXT) netkey.$(OBJEXT) \
 	starterwhack.$(OBJEXT) starterstroke.$(OBJEXT) \
@@ -63,6 +72,7 @@ starter_DEPENDENCIES = defs.o \
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
+am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
@@ -74,6 +84,27 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(starter_SOURCES)
 DIST_SOURCES = $(starter_SOURCES)
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 man5dir = $(mandir)/man5
 man8dir = $(mandir)/man8
 NROFF = nroff
@@ -114,25 +145,22 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
-IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
-LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
-LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
-LINUX_HEADERS = @LINUX_HEADERS@
 LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
 NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
@@ -144,11 +172,14 @@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
 PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
+RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
@@ -177,9 +208,9 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
-confdir = @confdir@
 datadir = @datadir@
 datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
@@ -202,7 +233,7 @@ ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
 libstrongswan_plugins = @libstrongswan_plugins@
-linuxdir = @linuxdir@
+linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
@@ -210,6 +241,7 @@ mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
@@ -218,10 +250,12 @@ pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+random_device = @random_device@
 resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
-simreader = @simreader@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
@@ -229,6 +263,7 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 starter_SOURCES = y.tab.c netkey.c y.tab.h parser.h args.h netkey.h \
@@ -238,16 +273,18 @@ keywords.c files.h keywords.h cmp.c starter.c cmp.h exec.c invokecharon.c \
 exec.h invokecharon.h lex.yy.c loglite.c klips.c klips.h
 
 INCLUDES = \
--I${linuxdir} \
+-I${linux_headers} \
 -I$(top_srcdir)/src/libstrongswan \
 -I$(top_srcdir)/src/libfreeswan \
 -I$(top_srcdir)/src/pluto \
 -I$(top_srcdir)/src/whack \
 -I$(top_srcdir)/src/stroke
 
-AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" -DIPSEC_CONFDIR=\"${confdir}\" \
-	-DIPSEC_PIDDIR=\"${piddir}\" -DIPSEC_EAPDIR=\"${eapdir}\" \
-	-DDEBUG $(am__append_1) $(am__append_2)
+AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" \
+	-DIPSEC_CONFDIR=\"${sysconfdir}\" -DIPSEC_PIDDIR=\"${piddir}\" \
+	-DIPSEC_EAPDIR=\"${eapdir}\" -DDEV_RANDOM=\"${random_device}\" \
+	-DDEV_URANDOM=\"${urandom_device}\" -DDEBUG $(am__append_1) \
+	$(am__append_2)
 starter_LDADD = defs.o $(top_builddir)/src/libfreeswan/libfreeswan.a $(top_builddir)/src/libstrongswan/libstrongswan.la $(SOCKLIB)
 EXTRA_DIST = parser.l parser.y keywords.txt ipsec.conf
 dist_man_MANS = ipsec.conf.5 starter.8
@@ -267,9 +304,9 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/starter/Makefile'; \
-	cd $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu  src/starter/Makefile
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/starter/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/starter/Makefile
 .PRECIOUS: Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
@@ -287,34 +324,50 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
 install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
 	@$(NORMAL_INSTALL)
 	test -z "$(ipsecdir)" || $(MKDIR_P) "$(DESTDIR)$(ipsecdir)"
-	@list='$(ipsec_PROGRAMS)'; for p in $$list; do \
-	  p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
-	  if test -f $$p \
-	     || test -f $$p1 \
-	  ; then \
-	    f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \
-	   echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(ipsecPROGRAMS_INSTALL) '$$p' '$(DESTDIR)$(ipsecdir)/$$f'"; \
-	   $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(ipsecPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(ipsecdir)/$$f" || exit 1; \
-	  else :; fi; \
-	done
+	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
+	for p in $$list; do echo "$$p $$p"; done | \
+	sed 's/$(EXEEXT)$$//' | \
+	while read p p1; do if test -f $$p || test -f $$p1; \
+	  then echo "$$p"; echo "$$p"; else :; fi; \
+	done | \
+	sed -e 'p;s,.*/,,;n;h' -e 's|.*|.|' \
+	    -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \
+	sed 'N;N;N;s,\n, ,g' | \
+	$(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \
+	  { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \
+	    if ($$2 == $$4) files[d] = files[d] " " $$1; \
+	    else { print "f", $$3 "/" $$4, $$1; } } \
+	  END { for (d in files) print "f", d, files[d] }' | \
+	while read type dir files; do \
+	    if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \
+	    test -z "$$files" || { \
+	    echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(ipsecdir)$$dir'"; \
+	    $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(ipsecdir)$$dir" || exit $$?; \
+	    } \
+	; done
 
 uninstall-ipsecPROGRAMS:
 	@$(NORMAL_UNINSTALL)
-	@list='$(ipsec_PROGRAMS)'; for p in $$list; do \
-	  f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \
-	  echo " rm -f '$(DESTDIR)$(ipsecdir)/$$f'"; \
-	  rm -f "$(DESTDIR)$(ipsecdir)/$$f"; \
-	done
+	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
+	files=`for p in $$list; do echo "$$p"; done | \
+	  sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \
+	      -e 's/$$/$(EXEEXT)/' `; \
+	test -n "$$list" || exit 0; \
+	echo " ( cd '$(DESTDIR)$(ipsecdir)' && rm -f" $$files ")"; \
+	cd "$(DESTDIR)$(ipsecdir)" && rm -f $$files
 
 clean-ipsecPROGRAMS:
-	@list='$(ipsec_PROGRAMS)'; for p in $$list; do \
-	  f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
-	  echo " rm -f $$p $$f"; \
-	  rm -f $$p $$f ; \
-	done
+	@list='$(ipsec_PROGRAMS)'; test -n "$$list" || exit 0; \
+	echo " rm -f" $$list; \
+	rm -f $$list || exit $$?; \
+	test -n "$(EXEEXT)" || exit 0; \
+	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
+	echo " rm -f" $$list; \
+	rm -f $$list
 starter$(EXEEXT): $(starter_OBJECTS) $(starter_DEPENDENCIES) 
 	@rm -f starter$(EXEEXT)
 	$(LINK) $(starter_OBJECTS) $(starter_LDADD) $(LIBS)
@@ -344,21 +397,21 @@ distclean-compile:
 
 .c.o:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c $<
 
 .c.obj:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
 @am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
@@ -368,96 +421,82 @@ mostlyclean-libtool:
 
 clean-libtool:
 	-rm -rf .libs _libs
-install-man5: $(man5_MANS) $(man_MANS)
+install-man5: $(dist_man_MANS)
 	@$(NORMAL_INSTALL)
 	test -z "$(man5dir)" || $(MKDIR_P) "$(DESTDIR)$(man5dir)"
-	@list='$(man5_MANS) $(dist_man5_MANS) $(nodist_man5_MANS)'; \
-	l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
-	for i in $$l2; do \
-	  case "$$i" in \
-	    *.5*) list="$$list $$i" ;; \
-	  esac; \
+	@list=''; test -n "$(man5dir)" || exit 0; \
+	{ for i in $$list; do echo "$$i"; done; \
+	l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \
+	  sed -n '/\.5[a-z]*$$/p'; \
+	} | while read p; do \
+	  if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
+	  echo "$$d$$p"; echo "$$p"; \
+	done | \
+	sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^5][0-9a-z]*$$,5,;x' \
+	      -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \
+	sed 'N;N;s,\n, ,g' | { \
+	list=; while read file base inst; do \
+	  if test "$$base" = "$$inst"; then list="$$list $$file"; else \
+	    echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man5dir)/$$inst'"; \
+	    $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man5dir)/$$inst" || exit $$?; \
+	  fi; \
 	done; \
-	for i in $$list; do \
-	  if test -f $$i; then file=$$i; \
-	  else file=$(srcdir)/$$i; fi; \
-	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
-	  case "$$ext" in \
-	    5*) ;; \
-	    *) ext='5' ;; \
-	  esac; \
-	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
-	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
-	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
-	  echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man5dir)/$$inst'"; \
-	  $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man5dir)/$$inst"; \
-	done
+	for i in $$list; do echo "$$i"; done | $(am__base_list) | \
+	while read files; do \
+	  test -z "$$files" || { \
+	    echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man5dir)'"; \
+	    $(INSTALL_DATA) $$files "$(DESTDIR)$(man5dir)" || exit $$?; }; \
+	done; }
+
 uninstall-man5:
 	@$(NORMAL_UNINSTALL)
-	@list='$(man5_MANS) $(dist_man5_MANS) $(nodist_man5_MANS)'; \
-	l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
-	for i in $$l2; do \
-	  case "$$i" in \
-	    *.5*) list="$$list $$i" ;; \
-	  esac; \
-	done; \
-	for i in $$list; do \
-	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
-	  case "$$ext" in \
-	    5*) ;; \
-	    *) ext='5' ;; \
-	  esac; \
-	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
-	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
-	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
-	  echo " rm -f '$(DESTDIR)$(man5dir)/$$inst'"; \
-	  rm -f "$(DESTDIR)$(man5dir)/$$inst"; \
-	done
-install-man8: $(man8_MANS) $(man_MANS)
+	@list=''; test -n "$(man5dir)" || exit 0; \
+	files=`{ for i in $$list; do echo "$$i"; done; \
+	l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \
+	  sed -n '/\.5[a-z]*$$/p'; \
+	} | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^5][0-9a-z]*$$,5,;x' \
+	      -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
+	test -z "$$files" || { \
+	  echo " ( cd '$(DESTDIR)$(man5dir)' && rm -f" $$files ")"; \
+	  cd "$(DESTDIR)$(man5dir)" && rm -f $$files; }
+install-man8: $(dist_man_MANS)
 	@$(NORMAL_INSTALL)
 	test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)"
-	@list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \
-	l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
-	for i in $$l2; do \
-	  case "$$i" in \
-	    *.8*) list="$$list $$i" ;; \
-	  esac; \
+	@list=''; test -n "$(man8dir)" || exit 0; \
+	{ for i in $$list; do echo "$$i"; done; \
+	l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \
+	  sed -n '/\.8[a-z]*$$/p'; \
+	} | while read p; do \
+	  if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
+	  echo "$$d$$p"; echo "$$p"; \
+	done | \
+	sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \
+	      -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \
+	sed 'N;N;s,\n, ,g' | { \
+	list=; while read file base inst; do \
+	  if test "$$base" = "$$inst"; then list="$$list $$file"; else \
+	    echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \
+	    $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst" || exit $$?; \
+	  fi; \
 	done; \
-	for i in $$list; do \
-	  if test -f $$i; then file=$$i; \
-	  else file=$(srcdir)/$$i; fi; \
-	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
-	  case "$$ext" in \
-	    8*) ;; \
-	    *) ext='8' ;; \
-	  esac; \
-	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
-	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
-	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
-	  echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \
-	  $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst"; \
-	done
+	for i in $$list; do echo "$$i"; done | $(am__base_list) | \
+	while read files; do \
+	  test -z "$$files" || { \
+	    echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man8dir)'"; \
+	    $(INSTALL_DATA) $$files "$(DESTDIR)$(man8dir)" || exit $$?; }; \
+	done; }
+
 uninstall-man8:
 	@$(NORMAL_UNINSTALL)
-	@list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \
-	l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
-	for i in $$l2; do \
-	  case "$$i" in \
-	    *.8*) list="$$list $$i" ;; \
-	  esac; \
-	done; \
-	for i in $$list; do \
-	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
-	  case "$$ext" in \
-	    8*) ;; \
-	    *) ext='8' ;; \
-	  esac; \
-	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
-	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
-	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
-	  echo " rm -f '$(DESTDIR)$(man8dir)/$$inst'"; \
-	  rm -f "$(DESTDIR)$(man8dir)/$$inst"; \
-	done
+	@list=''; test -n "$(man8dir)" || exit 0; \
+	files=`{ for i in $$list; do echo "$$i"; done; \
+	l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \
+	  sed -n '/\.8[a-z]*$$/p'; \
+	} | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \
+	      -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
+	test -z "$$files" || { \
+	  echo " ( cd '$(DESTDIR)$(man8dir)' && rm -f" $$files ")"; \
+	  cd "$(DESTDIR)$(man8dir)" && rm -f $$files; }
 
 ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
@@ -471,7 +510,7 @@ tags: TAGS
 
 TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
+	set x; \
 	here=`pwd`; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
@@ -479,34 +518,52 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
 	  test -n "$$unique" || unique=$$empty_fix; \
-	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	    $$tags $$unique; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
 	fi
 ctags: CTAGS
 CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	test -z "$(CTAGS_ARGS)$$unique" \
 	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$tags $$unique
+	     $$unique
 
 GTAGS:
 	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && cd $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) $$here
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
 
 distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
 
 distdir: $(DISTFILES)
+	@list='$(MANS)'; if test -n "$$list"; then \
+	  list=`for p in $$list; do \
+	    if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
+	    if test -f "$$d$$p"; then echo "$$d$$p"; else :; fi; done`; \
+	  if test -n "$$list" && \
+	    grep 'ab help2man is required to generate this page' $$list >/dev/null; then \
+	    echo "error: found man pages containing the \`missing help2man' replacement text:" >&2; \
+	    grep -l 'ab help2man is required to generate this page' $$list | sed 's/^/         /' >&2; \
+	    echo "       to fix them, install help2man, remove and regenerate the man pages;" >&2; \
+	    echo "       typically \`make maintainer-clean' will remove them" >&2; \
+	    exit 1; \
+	  else :; fi; \
+	else :; fi
 	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
 	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
 	list='$(DISTFILES)'; \
@@ -522,13 +579,17 @@ distdir: $(DISTFILES)
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
 	  if test -d $$d/$$file; then \
 	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
 	    fi; \
-	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
 	  else \
-	    test -f $(distdir)/$$file \
-	    || cp -p $$d/$$file $(distdir)/$$file \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
 	    || exit 1; \
 	  fi; \
 	done
@@ -559,6 +620,7 @@ clean-generic:
 
 distclean-generic:
 	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -581,6 +643,8 @@ dvi-am:
 
 html: html-am
 
+html-am:
+
 info: info-am
 
 info-am:
@@ -589,18 +653,28 @@ install-data-am: install-ipsecPROGRAMS install-man
 
 install-dvi: install-dvi-am
 
+install-dvi-am:
+
 install-exec-am: install-exec-local
 
 install-html: install-html-am
 
+install-html-am:
+
 install-info: install-info-am
 
+install-info-am:
+
 install-man: install-man5 install-man8
 
 install-pdf: install-pdf-am
 
+install-pdf-am:
+
 install-ps: install-ps-am
 
+install-ps-am:
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -645,7 +719,7 @@ uninstall-man: uninstall-man5 uninstall-man8
 
 
 lex.yy.c:	$(srcdir)/parser.l $(srcdir)/parser.y $(srcdir)/parser.h
-		$(LEX) $(srcdir)/parser.l 
+		$(LEX) $(srcdir)/parser.l
 
 y.tab.c:	$(srcdir)/parser.y $(srcdir)/parser.l $(srcdir)/parser.h
 		$(YACC) -v -d $(srcdir)/parser.y
@@ -659,7 +733,7 @@ keywords.c:	$(srcdir)/keywords.txt $(srcdir)/keywords.h
 defs.o:		$(PLUTODIR)/defs.c $(PLUTODIR)/defs.h
 		$(COMPILE) -c -o $@ $(PLUTODIR)/defs.c
 
-install-exec-local :	
+install-exec-local :
 		test -e "$(DESTDIR)${sysconfdir}/ipsec.d" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d" || true
 		test -e "$(DESTDIR)${sysconfdir}/ipsec.d/cacerts" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/cacerts" || true
 		test -e "$(DESTDIR)${sysconfdir}/ipsec.d/ocspcerts" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/ocspcerts" || true
@@ -670,6 +744,7 @@ install-exec-local :
 		test -e "$(DESTDIR)${sysconfdir}/ipsec.d/reqs" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/reqs" || true
 		test -e "$(DESTDIR)${sysconfdir}/ipsec.d/private" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d -m 750 "$(DESTDIR)$(sysconfdir)/ipsec.d/private" || true
 		test -e "$(DESTDIR)$(sysconfdir)/ipsec.conf" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -m 644 $(srcdir)/ipsec.conf $(DESTDIR)$(sysconfdir)/ipsec.conf || true
+
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/src/starter/args.c b/src/starter/args.c
index 990d7588b..ebbd42cc8 100644
--- a/src/starter/args.c
+++ b/src/starter/args.c
@@ -36,6 +36,7 @@ typedef enum {
 	ARG_UINT,
 	ARG_TIME,
 	ARG_ULNG,
+	ARG_ULLI,
 	ARG_PCNT,
 	ARG_STR,
 	ARG_LST,
@@ -111,6 +112,11 @@ static const char *LST_pfsgroup[] = {
 	"modp4096",
 	"modp6144",
 	"modp8192",
+	"ecp192",
+	"ecp224",
+	"ecp256",
+	"ecp384",
+	"ecp521",
 	 NULL
 };
 
@@ -207,6 +213,10 @@ static const token_info_t token_info[] =
 	{ ARG_TIME, offsetof(starter_conn_t, sa_ike_life_seconds), NULL                },
 	{ ARG_TIME, offsetof(starter_conn_t, sa_ipsec_life_seconds), NULL              },
 	{ ARG_TIME, offsetof(starter_conn_t, sa_rekey_margin), NULL                    },
+	{ ARG_ULLI, offsetof(starter_conn_t, sa_ipsec_life_bytes), NULL                },
+	{ ARG_ULLI, offsetof(starter_conn_t, sa_ipsec_margin_bytes), NULL              },
+	{ ARG_ULLI, offsetof(starter_conn_t, sa_ipsec_life_packets), NULL              },
+	{ ARG_ULLI, offsetof(starter_conn_t, sa_ipsec_margin_packets), NULL            },
 	{ ARG_MISC, 0, NULL  /* KW_KEYINGTRIES */                                      },
 	{ ARG_PCNT, offsetof(starter_conn_t, sa_rekey_fuzz), NULL                      },
 	{ ARG_MISC, 0, NULL  /* KW_REKEY */                                            },
@@ -217,6 +227,7 @@ static const token_info_t token_info[] =
 	{ ARG_TIME, offsetof(starter_conn_t, dpd_delay), NULL                          },
 	{ ARG_TIME, offsetof(starter_conn_t, dpd_timeout), NULL                        },
 	{ ARG_ENUM, offsetof(starter_conn_t, dpd_action), LST_dpd_action               },
+	{ ARG_TIME, offsetof(starter_conn_t, inactivity), NULL                         },
 	{ ARG_MISC, 0, NULL  /* KW_MODECONFIG */                                       },
 	{ ARG_MISC, 0, NULL  /* KW_XAUTH */                                            },
 	{ ARG_ENUM, offsetof(starter_conn_t, me_mediation), LST_bool                   },
@@ -241,7 +252,7 @@ static const token_info_t token_info[] =
 	{ ARG_STR, offsetof(starter_end_t, subnet), NULL                               },
 	{ ARG_MISC, 0, NULL  /* KW_SUBNETWITHIN */                                     },
 	{ ARG_MISC, 0, NULL  /* KW_PROTOPORT */                                        },
-	{ ARG_STR, offsetof(starter_end_t, srcip), NULL                                },
+	{ ARG_MISC, 0, NULL  /* KW_SOURCEIP */		                                   },
 	{ ARG_MISC, 0, NULL  /* KW_NATIP */                                            },
 	{ ARG_ENUM, offsetof(starter_end_t, firewall), LST_bool                        },
 	{ ARG_ENUM, offsetof(starter_end_t, hostaccess), LST_bool                      },
@@ -391,7 +402,7 @@ bool assign_arg(kw_token_t token, kw_token_t first, kw_list_t *kw, char *base,
 	case ARG_UINT:
 		{
 			char *endptr;
-			u_int *u = (u_int *)p; 
+			u_int *u = (u_int *)p;
 
 			*u = strtoul(kw->value, &endptr, 10);
 
@@ -429,6 +440,20 @@ bool assign_arg(kw_token_t token, kw_token_t first, kw_list_t *kw, char *base,
 
 		}
 		break;
+	case ARG_ULLI:
+		{
+			char *endptr;
+			unsigned long long *ll = (unsigned long long *)p;
+
+			*ll = strtoull(kw->value, &endptr, 10);
+
+			if (*endptr != '\0')
+			{
+				plog("# bad integer value: %s=%s", kw->entry->name, kw->value);
+				return FALSE;
+			}
+		}
+		break;
 	case ARG_TIME:
 		{
 			char *endptr;
@@ -490,12 +515,12 @@ bool assign_arg(kw_token_t token, kw_token_t first, kw_list_t *kw, char *base,
 			{
 				char ** lst;
 
-				for (lst = *listp; lst && *lst; lst++) 
+				for (lst = *listp; lst && *lst; lst++)
 				{
 					bool match = FALSE;
 
 					list = token_info[token].list;
-				
+
 					while (*list != NULL && !match)
 					{
 						match = streq(*lst, *list++);
@@ -659,6 +684,17 @@ bool cmp_args(kw_token_t first, kw_token_t last, char *base1, char *base2)
 				}
 			}
 			break;
+		case ARG_ULLI:
+			{
+				unsigned long long *ll1 = (unsigned long long *)p1;
+				unsigned long long *ll2 = (unsigned long long *)p2;
+
+				if (*ll1 != *ll2)
+				{
+					return FALSE;
+				}
+			}
+			break;
 		case ARG_TIME:
 			{
 				time_t *t1 = (time_t *)p1;
diff --git a/src/starter/confread.c b/src/starter/confread.c
index 5fd2b9fbf..07cc11503 100644
--- a/src/starter/confread.c
+++ b/src/starter/confread.c
@@ -119,7 +119,7 @@ load_setup(starter_config_t *cfg, config_parsed_t *cfgp)
 		bool assigned = FALSE;
 
 		kw_token_t token = kw->entry->token;
- 
+
 		if (token < KW_SETUP_FIRST || token > KW_SETUP_LAST)
 		{
 			plog("# unsupported keyword '%s' in config setup", kw->entry->name);
@@ -136,9 +136,8 @@ load_setup(starter_config_t *cfg, config_parsed_t *cfgp)
 	}
 }
 
-static void
-kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token
-    , kw_list_t *kw, char *conn_name, starter_config_t *cfg)
+static void kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token,
+				   kw_list_t *kw, char *conn_name, starter_config_t *cfg)
 {
 	err_t ugh = NULL;
 	bool assigned = FALSE;
@@ -165,10 +164,10 @@ kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token
 			ip_subnet net;
 			char *pos;
 			int len = 0;
-			
+
 			end->has_client = TRUE;
 			conn->tunnel_addr_family = ip_version(value);
-			
+
 			pos = strchr(value, ',');
 			if (pos)
 			{
@@ -188,31 +187,54 @@ kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token
 			plog("# natip and sourceip cannot be defined at the same time");
 			goto err;
 		}
-		if (streq(value, "%modeconfig") || streq(value, "%modecfg") ||
-			streq(value, "%config") || streq(value, "%cfg"))
+		if (value[0] == '%')
 		{
-			free(end->srcip);
-			end->srcip = NULL;
+			if (streq(value, "%modeconfig") || streq(value, "%modecfg") ||
+				streq(value, "%config") || streq(value, "%cfg"))
+			{
+				/* request ip via config payload */
+				end->sourceip = NULL;
+				end->sourceip_mask = 1;
+			}
+			else
+			{	/* %poolname, strip %, serve ip requests */
+				end->sourceip = clone_str(value+1);
+				end->sourceip_mask = 0;
+			}
 			end->modecfg = TRUE;
 		}
 		else
 		{
+			char *pos;
 			ip_address addr;
 			ip_subnet net;
-		
+
 			conn->tunnel_addr_family = ip_version(value);
-			if (strchr(value, '/'))
+			pos = strchr(value, '/');
+
+			if (pos)
 			{	/* CIDR notation, address pool */
 				ugh = ttosubnet(value, 0, conn->tunnel_addr_family, &net);
+				if (ugh != NULL)
+				{
+					plog("# bad subnet: %s=%s [%s]", name, value, ugh);
+					goto err;
+				 }
+				*pos = '\0';
+				end->sourceip = clone_str(value);
+				end->sourceip_mask = atoi(pos + 1);
 			}
-			else if (value[0] != '%')
-			{	/* old style fixed srcip, a %poolname otherwise */
+			else
+			{	/* fixed srcip */
 				ugh = ttoaddr(value, 0, conn->tunnel_addr_family, &addr);
-			}
-			if (ugh != NULL)
-			{
-				plog("# bad addr: %s=%s [%s]", name, value, ugh);
-				goto err;
+				if (ugh != NULL)
+				{
+					plog("# bad addr: %s=%s [%s]", name, value, ugh);
+					goto err;
+				}
+				end->sourceip = clone_str(value);
+				end->sourceip_mask = (conn->tunnel_addr_family == AF_INET) ?
+									  32 : 128;
 			}
 		}
 		conn->policy |= POLICY_TUNNEL;
@@ -245,6 +267,10 @@ kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token
 				end->addr    = cfg->defaultroute.addr;
 				end->nexthop = cfg->defaultroute.nexthop;
 			}
+			else if (!cfg->defaultroute.supported)
+			{
+				plog("%%defaultroute not supported, fallback to %%any");
+			}
 			else
 			{
 				plog("# default route not known: %s=%s", name, value);
@@ -298,7 +324,9 @@ kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token
 		if (streq(value, "%defaultroute"))
 		{
 			if (cfg->defaultroute.defined)
+			{
 				end->nexthop = cfg->defaultroute.nexthop;
+			}
 			else
 			{
 				plog("# default route not known: %s=%s", name, value);
@@ -323,7 +351,7 @@ kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token
 	case KW_SUBNETWITHIN:
 	{
 		ip_subnet net;
-		
+
 		end->has_client = TRUE;
 		end->has_client_wildcard = TRUE;
 		conn->tunnel_addr_family = ip_version(value);
@@ -342,7 +370,7 @@ kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token
 		end->has_port_wildcard = has_port_wildcard;
 		break;
 	case KW_NATIP:
-		if (end->srcip)
+		if (end->sourceip)
 		{
 			plog("# natip and sourceip cannot be defined at the same time");
 			goto err;
@@ -350,11 +378,11 @@ kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token
 		if (streq(value, "%defaultroute"))
 		{
 			char buf[64];
-		
+
 			if (cfg->defaultroute.defined)
 			{
 				addrtot(&cfg->defaultroute.addr, 0, buf, sizeof(buf));
-				end->srcip = clone_str(buf);
+				end->sourceip = clone_str(buf);
 			}
 			else
 			{
@@ -365,7 +393,7 @@ kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token
 		else
 		{
 			ip_address addr;
-			
+
 			conn->tunnel_addr_family = ip_version(value);
 			ugh = ttoaddr(value, 0, conn->tunnel_addr_family, &addr);
 			if (ugh != NULL)
@@ -373,7 +401,7 @@ kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token
 				plog("# bad addr: %s=%s [%s]", name, value, ugh);
 				goto err;
 			}
-			end->srcip = clone_str(value);
+			end->sourceip = clone_str(value);
 		}
 		end->has_natip = TRUE;
 		conn->policy |= POLICY_TUNNEL;
@@ -510,8 +538,8 @@ load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg)
 			}
 			else if (streq(kw->value, "transport_proxy"))
 			{
-				conn->policy |= POLICY_PROXY;			
-			}	
+				conn->policy |= POLICY_PROXY;
+			}
 			else if (streq(kw->value, "passthrough") || streq(kw->value, "pass"))
 			{
 				conn->policy |= POLICY_SHUNT_PASS;
@@ -535,10 +563,10 @@ load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg)
 			break;
 		case KW_COMPRESS:
 			KW_POLICY_FLAG("yes", "no", POLICY_COMPRESS)
-			break; 
+			break;
 		case KW_AUTH:
 			KW_POLICY_FLAG("ah", "esp", POLICY_AUTHENTICATE)
-			break; 
+			break;
 		case KW_AUTHBY:
 			conn->policy &= ~(POLICY_ID_AUTH_MASK | POLICY_ENCRYPT);
 
@@ -591,7 +619,7 @@ load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg)
 		case KW_EAP:
 		{
 			char *sep;
-		
+
 			/* check for vendor-type format */
 			sep = strchr(kw->value, '-');
 			if (sep)
@@ -922,7 +950,7 @@ confread_free_ca(starter_ca_t *ca)
 /*
  * free the memory used by a starter_config_t object
  */
-void 
+void
 confread_free(starter_config_t *cfg)
 {
 	starter_conn_t *conn = cfg->conn_first;
@@ -1046,7 +1074,7 @@ confread_load(const char *file)
 	for (ca = cfg->ca_first; ca; ca = ca->next)
 	{
 		also_t *also = ca->also;
-	
+
 		while (also != NULL)
 		{
 			kw_list_t *kw = find_also_ca(also->name, cfg->ca_first, cfg);
@@ -1080,7 +1108,7 @@ confread_load(const char *file)
 	for (sconn = cfgp->conn_first; sconn; sconn = sconn->next)
 	{
 		u_int previous_err;
-		
+
 		/* skip %default conn section */
 		if (streq(sconn->name, "%default"))
 			continue;
@@ -1093,7 +1121,7 @@ confread_load(const char *file)
 		conn_default(sconn->name, conn, &cfg->conn_default);
 		conn->kw =  sconn->kw;
 		conn->next = NULL;
-		
+
 		previous_err = cfg->err;
 		load_conn(conn, conn->kw, cfg);
 		if (cfg->err > previous_err)
diff --git a/src/starter/confread.h b/src/starter/confread.h
index b20c2e0d3..7f3211628 100644
--- a/src/starter/confread.h
+++ b/src/starter/confread.h
@@ -82,7 +82,8 @@ struct starter_end {
 		char            *updown;
 		u_int16_t       port;
 		u_int8_t        protocol;
-		char            *srcip;
+		char            *sourceip;
+		int				sourceip_mask;
 };
 
 typedef struct also also_t;
@@ -112,6 +113,10 @@ struct starter_conn {
 		time_t          sa_ike_life_seconds;
 		time_t          sa_ipsec_life_seconds;
 		time_t          sa_rekey_margin;
+		u_int64_t	sa_ipsec_life_bytes;
+		u_int64_t	sa_ipsec_margin_bytes;
+		u_int64_t	sa_ipsec_life_packets;
+		u_int64_t	sa_ipsec_margin_packets;
 		unsigned long   sa_keying_tries;
 		unsigned long   sa_rekey_fuzz;
 		sa_family_t     addr_family;
@@ -124,12 +129,14 @@ struct starter_conn {
 		char            *esp;
 		char            *ike;
 		char            *pfsgroup;
-		
+
 		time_t          dpd_delay;
 		time_t          dpd_timeout;
 		dpd_action_t    dpd_action;
 		int             dpd_count;
-		
+
+		time_t          inactivity;
+
 		bool            me_mediation;
 		char            *me_mediated_by;
 		char            *me_peerid;
diff --git a/src/starter/interfaces.c b/src/starter/interfaces.c
index 3fff65be7..92b2c74a4 100644
--- a/src/starter/interfaces.c
+++ b/src/starter/interfaces.c
@@ -1,5 +1,6 @@
 /* strongSwan IPsec interfaces management
  * Copyright (C) 2001-2002 Mathieu Lafon - Arkoon Network Security
+ *               2009 Heiko Hund - Astaro AG
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -12,12 +13,6 @@
  * for more details.
  */
 
-#include <sys/socket.h>
-#include <sys/ioctl.h>
-#ifdef HAVE_SYS_SOCKIO_H
-#include <sys/sockio.h>
-#endif
-
 #include <stdlib.h>
 #include <string.h>
 #include <unistd.h>
@@ -33,120 +28,185 @@
 #include "exec.h"
 #include "files.h"
 
+#ifdef START_PLUTO
+
+#include <sys/socket.h>
+#include <sys/ioctl.h>
+#include <linux/rtnetlink.h>
+#ifdef HAVE_SYS_SOCKIO_H
+#include <sys/sockio.h>
+#endif
+
 /*
- * discover the default route via /proc/net/route
+ * Get the default route information via rtnetlink
  */
 void
 get_defaultroute(defaultroute_t *defaultroute)
 {
-	FILE *fd;
-	char line[BUF_LEN];
-	bool first = TRUE;
-
-	memset(defaultroute, 0, sizeof(defaultroute_t));
+	union {
+		struct {
+			struct nlmsghdr nh;
+			struct rtmsg    rt;
+		} m;
+		char buf[4096];
+	} rtu;
+
+	struct nlmsghdr *nh;
+	uint32_t best_metric = ~0;
+	ssize_t msglen;
+	int fd;
+
+	bzero(&rtu, sizeof(rtu));
+	rtu.m.nh.nlmsg_len = NLMSG_LENGTH(sizeof(rtu.m.rt));
+	rtu.m.nh.nlmsg_flags = NLM_F_REQUEST | NLM_F_DUMP;
+	rtu.m.nh.nlmsg_type = RTM_GETROUTE;
+	rtu.m.rt.rtm_family = AF_INET;
+	rtu.m.rt.rtm_table = RT_TABLE_UNSPEC;
+	rtu.m.rt.rtm_protocol = RTPROT_UNSPEC;
+	rtu.m.rt.rtm_type = RTN_UNICAST;
+
+	fd = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_ROUTE);
+	if (fd == -1)
+	{
+		plog("could not create rtnetlink socket");
+		return;
+	}
 
-	fd = fopen("/proc/net/route", "r");
+	if (send(fd, &rtu, rtu.m.nh.nlmsg_len, 0) == -1)
+	{
+		plog("could not write to rtnetlink socket");
+		close(fd);
+		return;
+	}
 
-	if (!fd)
+	msglen = recv(fd, &rtu, sizeof(rtu), MSG_WAITALL);
+	if (msglen == -1)
 	{
-		plog("could not open 'proc/net/route'");
+		plog("could not read from rtnetlink socket");
+		close(fd);
 		return;
 	}
 
-	while (fgets(line, sizeof(line), fd) != 0)
+	close(fd);
+
+	for (nh = &rtu.m.nh; NLMSG_OK(nh, msglen); nh = NLMSG_NEXT(nh, msglen))
 	{
-		char iface[11];
-		char destination[9];
-		char gateway[11];
-		char flags[5];
-		char mask[9];
-
-		int refcnt;
-		int use;
-		int metric;
-		int items;
-
-		/* proc/net/route returns IP addresses in host order */
-		strcpy(gateway, "0h");
-
-		/* skip the header line */
-		if (first)
+		struct rtmsg *rt;
+		struct rtattr *rta;
+		uint32_t rtalen, metric = 0;
+		struct in_addr gw = { .s_addr = INADDR_ANY };
+		int iface_idx = -1;
+
+		if (nh->nlmsg_type == NLMSG_ERROR)
 		{
-			first = FALSE;
-			continue;
+			plog("error from rtnetlink");
+			return;
 		}
 
-		/* parsing a single line of proc/net/route */
-		items = sscanf(line, "%10s\t%8s\t%8s\t%5s\t%d\t%d\t%d\t%8s\t"
-					 , iface, destination, gateway+2, flags, &refcnt, &use, &metric, mask);
-		if (items < 8)
-		{
-			plog("parsing error while scanning /proc/net/route");
+		if (nh->nlmsg_type == NLMSG_DONE)
+			break;
+
+		rt = NLMSG_DATA(nh);
+		if ( rt->rtm_dst_len != 0
+		||  (rt->rtm_table != RT_TABLE_MAIN
+		  && rt->rtm_table != RT_TABLE_DEFAULT) )
 			continue;
+
+		rta = RTM_RTA(rt);
+		rtalen = RTM_PAYLOAD(nh);
+		while ( RTA_OK(rta, rtalen) )
+		{
+			switch (rta->rta_type)
+			{
+			case RTA_GATEWAY:
+				gw = *(struct in_addr *) RTA_DATA(rta);
+				break;
+			case RTA_OIF:
+				iface_idx = *(int *) RTA_DATA(rta);
+				break;
+			case RTA_PRIORITY:
+				metric = *(uint32_t *) RTA_DATA(rta);
+				break;
+			}
+			rta = RTA_NEXT(rta, rtalen);
 		}
 
-		/* check for defaultroute (destination 0.0.0.0 and mask 0.0.0.0) */
-		if (streq(destination, "00000000") && streq(mask, "00000000"))
+		if (metric < best_metric
+		&&  iface_idx != -1)
 		{
-			if (defaultroute->defined)
+			struct ifreq req;
+
+			fd = socket(AF_INET, SOCK_DGRAM, 0);
+			if (fd < 0)
+			{
+				plog("could not open AF_INET socket");
+				break;
+			}
+			bzero(&req, sizeof(req));
+			req.ifr_ifindex = iface_idx;
+			if (ioctl(fd, SIOCGIFNAME, &req) < 0 ||
+				ioctl(fd, SIOCGIFADDR, &req) < 0)
 			{
-				plog("multiple default routes - cannot cope with %%defaultroute!!!");
-				defaultroute->defined = FALSE;
-				fclose(fd);
-				return;
+				plog("could not read interface data, ignoring route");
+				close(fd);
+				break;
 			}
-			ttoaddr(gateway, strlen(gateway), AF_INET, &defaultroute->nexthop);
-			strncpy(defaultroute->iface, iface, IFNAMSIZ);
+
+			strncpy(defaultroute->iface, req.ifr_name, IFNAMSIZ);
+			defaultroute->addr.u.v4 = *((struct sockaddr_in *) &req.ifr_addr);
+			defaultroute->nexthop.u.v4.sin_family = AF_INET;
+
+			if (gw.s_addr == INADDR_ANY)
+			{
+				if (ioctl(fd, SIOCGIFDSTADDR, &req) < 0 ||
+					((struct sockaddr_in*) &req.ifr_dstaddr)->sin_addr.s_addr == INADDR_ANY)
+				{
+					DBG_log("Ignoring default route to device %s because we can't get it's destination",
+							req.ifr_name);
+					close(fd);
+					break;
+				}
+
+				defaultroute->nexthop.u.v4 = *((struct sockaddr_in *) &req.ifr_dstaddr);
+			}
+			else
+				defaultroute->nexthop.u.v4.sin_addr = gw;
+
+			close(fd);
+
+			DBG(DBG_CONTROL,
+				char addr[20];
+				char nexthop[20];
+				addrtot(&defaultroute->addr, 0, addr, sizeof(addr));
+				addrtot(&defaultroute->nexthop, 0, nexthop, sizeof(nexthop));
+
+				DBG_log(
+					( !defaultroute->defined
+					? "Default route found: iface=%s, addr=%s, nexthop=%s"
+					: "Better default route: iface=%s, addr=%s, nexthop=%s"
+					), defaultroute->iface, addr, nexthop
+				)
+			);
+
+			best_metric = metric;
 			defaultroute->defined = TRUE;
 		}
 	}
-	fclose(fd);
+	defaultroute->supported = TRUE;
 
 	if (!defaultroute->defined)
-	{
 		plog("no default route - cannot cope with %%defaultroute!!!");
-	}
-	else
-	{
-		char addr_buf[20], nexthop_buf[20];
-		struct ifreq physreq;
+}
 
-		int sock = socket(AF_INET, SOCK_DGRAM, 0);
+#else /* !START_PLUTO */
 
-		/* determine IP address of iface */
-		if (sock < 0)
-		{
-			plog("could not open SOCK_DGRAM socket");
-			defaultroute->defined = FALSE;
-			return;
-		}
-		memset ((void*)&physreq, 0, sizeof(physreq));
-		strncpy(physreq.ifr_name, defaultroute->iface, IFNAMSIZ);
-		ioctl(sock, SIOCGIFADDR, &physreq);
-		close(sock);
-		defaultroute->addr.u.v4 = *((struct sockaddr_in *)&physreq.ifr_addr);
-
-		addrtot(&defaultroute->addr, 0, addr_buf, sizeof(addr_buf));
-		addrtot(&defaultroute->nexthop, 0, nexthop_buf, sizeof(nexthop_buf));
-
-		DBG(DBG_CONTROL,
-			DBG_log("Default route found: iface=%s, addr=%s, nexthop=%s"
-				, defaultroute->iface, addr_buf, nexthop_buf)
-		)
-
-		/* for backwards-compatibility with the awk shell scripts
-		 * store the defaultroute in /var/run/ipsec.info
-		 */
-		fd = fopen(INFO_FILE, "w");
-
-		if (fd)
-		{
-			fprintf(fd, "defaultroutephys=%s\n", defaultroute->iface );
-			fprintf(fd, "defaultroutevirt=ipsec0\n");
-			fprintf(fd, "defaultrouteaddr=%s\n", addr_buf);
-			fprintf(fd, "defaultroutenexthop=%s\n", nexthop_buf);
-			fclose(fd);
-		}
-	}
-	return;
+/**
+ * Pluto disabled, fall back to %any
+ */
+void
+get_defaultroute(defaultroute_t *defaultroute)
+{
+	defaultroute->supported = FALSE;
 }
+#endif /* START_PLUTO */
+
diff --git a/src/starter/interfaces.h b/src/starter/interfaces.h
index abe4c8f9c..ff8535f0e 100644
--- a/src/starter/interfaces.h
+++ b/src/starter/interfaces.h
@@ -23,6 +23,7 @@
 
 typedef struct {
 	bool defined;
+	bool supported;
 	char iface[IFNAMSIZ];
 	ip_address addr;
 	ip_address nexthop;
diff --git a/src/starter/invokecharon.c b/src/starter/invokecharon.c
index 1eb2a0332..f8aa5e6a9 100644
--- a/src/starter/invokecharon.c
+++ b/src/starter/invokecharon.c
@@ -127,7 +127,7 @@ int starter_start_charon (starter_config_t *cfg, bool no_fork, bool attach_gdb)
 		NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
 		NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL
 	};
-	
+
 	if (attach_gdb)
 	{
 		argc = 0;
@@ -163,7 +163,7 @@ int starter_start_charon (starter_config_t *cfg, bool no_fork, bool attach_gdb)
 			{
 				break;
 			}
-		
+
 			/* get next */
 			pos = strchr(pos, ',');
 			if (pos)
diff --git a/src/starter/invokepluto.c b/src/starter/invokepluto.c
index 08fb0657a..f91f4b6c9 100644
--- a/src/starter/invokepluto.c
+++ b/src/starter/invokepluto.c
@@ -94,7 +94,7 @@ starter_stop_pluto (void)
 		/* be more and more aggressive */
 		for (i = 0; i < 20 && (pid = _pluto_pid) != 0; i++)
 		{
-			
+
 			if (i < 10)
 			{
 				kill(pid, SIGTERM);
@@ -103,7 +103,7 @@ starter_stop_pluto (void)
 			{
 				kill(pid, SIGKILL);
 				plog("starter_stop_pluto(): pluto does not respond, sending KILL");
-			}           
+			}
 			else
 			{
 				kill(pid, SIGKILL);
@@ -147,7 +147,7 @@ starter_start_pluto (starter_config_t *cfg, bool no_fork, bool attach_gdb)
 		};
 
 	printf ("starter_start_pluto entered\n");
-	
+
 	if (attach_gdb)
 	{
 		argc = 0;
diff --git a/src/starter/ipsec.conf.5 b/src/starter/ipsec.conf.5
index 31e676324..d4dd7238f 100644
--- a/src/starter/ipsec.conf.5
+++ b/src/starter/ipsec.conf.5
@@ -248,7 +248,7 @@ for Elliptic Curve DSA signatures.
 .B never
 can be used if negotiation is never to be attempted or accepted (useful for
 shunt-only conns).
-Digital signatures are superior in every way to shared secrets. 
+Digital signatures are superior in every way to shared secrets.
 IKEv1 additionally supports the values
 .B xauthpsk
 and
@@ -256,7 +256,7 @@ and
 that will enable eXtended AUTHentication (XAUTH) in addition to IKEv1 main mode
 based on shared secrets  or digital RSA signatures, respectively.
 This parameter is deprecated for IKEv2 connections, as two peers do not need
-to agree on an authentication method. Use the 
+to agree on an authentication method. Use the
 .B leftauth
 parameter instead to define authentication methods in IKEv2.
 .TP
@@ -282,7 +282,7 @@ and
 loads a connection and brings it up immediatly.
 .B ignore
 ignores the connection. This is equal to delete a connection from the config
-file. 
+file.
 Relevant only locally, other end need not agree on it
 (but in general, for an intended-to-be-permanent connection,
 both ends should use
@@ -314,7 +314,7 @@ are periodically sent in order to check the
 liveliness of the IPsec peer. The values
 .BR clear ,
 .BR hold ,
-and 
+and
 .B restart
 all activate DPD. If no activity is detected, all connections with a dead peer
 are stopped and unrouted (
@@ -348,19 +348,23 @@ defines the timeout interval, after which all connections to a peer are deleted
 in case of inactivity. This only applies to IKEv1, in IKEv2 the default
 retransmission timeout applies, as every exchange is used to detect dead peers.
 .TP
+.B inactivity
+defines the timeout interval, after which a CHILD_SA is closed if it did
+not send or receive any traffic. Currently supported in IKEv2 connections only.
+.TP
 .B eap
 defines the EAP type to propose as server if the client requests EAP
 authentication. This parameter is deprecated in the favour of
 .B leftauth.
 
 To forward EAP authentication to a RADIUS server using the EAP-RADIUS plugin,
-set 
+set
 .B eap=radius
 .TP
 .B eap_identity
 defines the identity the client uses to reply to a EAP Identity request.
 If defined on the EAP server, the defined identity will be used as peer
-identity during EAP authentication. The special value 
+identity during EAP authentication. The special value
 .B %identity
 uses the EAP Identity method to ask the client for a EAP identity. If not
 defined, the IKEv2 identity will be used as EAP identity.
@@ -374,7 +378,7 @@ and rekeying include a separate diffe hellman exchange (IKEv2 only).
 .TP
 .B forceencaps
 Force UDP encapsulation for ESP packets even if no NAT situation is detected.
-This may help to hurdle restrictive firewalls. To enforce the peer to 
+This may help to hurdle restrictive firewalls. To enforce the peer to
 encapsulate packets, NAT detection payloads are faked (IKEv2 only).
 .TP
 .B ike
@@ -403,8 +407,8 @@ which protocol should be used to initialize the connection. Connections marked w
 .B ikev1
 are initiated with pluto, those marked with
 .B ikev2
-with charon. An incoming request from the remote peer is handled by the correct 
-daemon, unaffected from the 
+with charon. An incoming request from the remote peer is handled by the correct
+daemon, unaffected from the
 .B keyexchange
 setting. The default value
 .B ike
@@ -421,30 +425,8 @@ means 'never give up'.
 Relevant only locally, other end need not agree on it.
 .TP
 .B keylife
-how long a particular instance of a connection
-(a set of encryption/authentication keys for user packets) should last,
-from successful negotiation to expiry;
-acceptable values are an integer optionally followed by
-.BR s
-(a time in seconds)
-or a decimal number followed by
-.BR m ,
-.BR h ,
-or
-.B d
-(a time
-in minutes, hours, or days respectively)
-(default
-.BR 1h ,
-maximum
-.BR 24h ).
-Normally, the connection is renegotiated (via the keying channel)
-before it expires.
-The two ends need not exactly agree on
-.BR keylife ,
-although if they do not,
-there will be some clutter of superseded connections on the end
-which thinks the lifetime is longer.
+synonym for
+.BR lifetime .
 .TP
 .B left
 (required)
@@ -494,14 +476,14 @@ and
 .TP
 .B leftauth
 Authentication method to use (local) or require (remote) in this connection.
-This parameter is supported in IKEv2 only. Acceptable values are 
+This parameter is supported in IKEv2 only. Acceptable values are
 .B pubkey
-for public key authentication (RSA/ECDSA), 
+for public key authentication (RSA/ECDSA),
 .B psk
 for pre-shared key authentication and
 .B eap
 to (require the) use of the Extensible Authentication Protocol. In the case
-of 
+of
 .B eap,
 an optional EAP method can be appended. Currently defined methods are
 .B eap-aka, eap-sim, eap-gtc, eap-md5
@@ -515,7 +497,7 @@ EAP methods are defined in the form
 ).
 .TP
 .B leftauth2
-Same as 
+Same as
 .B leftauth,
 but defines an additional authentication exchange. IKEv2 supports multiple
 authentication rounds using "Multiple Authentication Exchanges" defined
@@ -525,7 +507,7 @@ of host and user (IKEv2 only).
 .B leftca
 the distinguished name of a certificate authority which is required to
 lie in the trust path going from the left participant's certificate up
-to the root certification authority. 
+to the root certification authority.
 .TP
 .B leftca2
 Same as
@@ -538,7 +520,7 @@ PEM or DER format. OpenPGP certificates are supported as well.
 Both absolute paths or paths relative to \fI/etc/ipsec.d/certs\fP
 are accepted. By default
 .B leftcert
-sets 
+sets
 .B leftid
 to the distinguished name of the certificate's subject and
 .B leftca
@@ -679,7 +661,7 @@ or
 .B %cfg,
 an address is requested from the peer. In IKEv2, a defined address is requested,
 but the server may change it. If the server does not support it, the address
-is enforced. 
+is enforced.
 .TP
 .B rightsourceip
 The internal source IP to use in a tunnel for the remote peer. If the
@@ -724,6 +706,61 @@ Relevant only locally, other end need not agree on it. IKEv2 uses the updown
 script to insert firewall rules only. Routing is not support and will be
 implemented directly into Charon.
 .TP
+.B lifebytes
+the number of bytes transmitted over an IPsec SA before it expires (IKEv2
+only).
+.TP
+.B lifepackets
+the number of packets transmitted over an IPsec SA before it expires (IKEv2
+only).
+.TP
+.B lifetime
+how long a particular instance of a connection
+(a set of encryption/authentication keys for user packets) should last,
+from successful negotiation to expiry;
+acceptable values are an integer optionally followed by
+.BR s
+(a time in seconds)
+or a decimal number followed by
+.BR m ,
+.BR h ,
+or
+.B d
+(a time
+in minutes, hours, or days respectively)
+(default
+.BR 1h ,
+maximum
+.BR 24h ).
+Normally, the connection is renegotiated (via the keying channel)
+before it expires (see
+.BR margintime ).
+The two ends need not exactly agree on
+.BR lifetime ,
+although if they do not,
+there will be some clutter of superseded connections on the end
+which thinks the lifetime is longer.
+.TP
+.B marginbytes
+how many bytes before IPsec SA expiry (see
+.BR lifebytes )
+should attempts to negotiate a replacement begin (IKEv2 only).
+.TP
+.B marginpackets
+how many packets before IPsec SA expiry (see
+.BR lifepackets )
+should attempts to negotiate a replacement begin (IKEv2 only).
+.TP
+.B margintime
+how long before connection expiry or keying-channel expiry
+should attempts to
+negotiate a replacement
+begin; acceptable values as for
+.B lifetime
+(default
+.BR 9m ).
+Relevant only locally, other end need not agree on it.
+.TP
 .B mobike
 enables the IKEv2 MOBIKE protocol defined by RFC 4555. Accepted values are
 .B yes
@@ -759,7 +796,7 @@ PFS is enforced by defining a Diffie-Hellman modp group in the
 .B esp
 parameter.
 .TP
-.B pfsgroup 
+.B pfsgroup
 defines a Diffie-Hellman group for perfect forward secrecy in IKEv1 Quick Mode
 differing from the DH group used for IKEv1 Main Mode (IKEv1 only).
 .TP
@@ -789,35 +826,35 @@ will be largely ineffective unless both ends agree on it.
 .TP
 .B rekeyfuzz
 maximum percentage by which
-.B rekeymargin
+.BR marginbytes ,
+.B marginpackets
+and
+.B margintime
 should be randomly increased to randomize rekeying intervals
 (important for hosts with many connections);
 acceptable values are an integer,
 which may exceed 100,
 followed by a `%'
-(default set by
-.IR pluto (8),
-currently
+(defaults to
 .BR 100% ).
 The value of
-.BR rekeymargin ,
+.BR marginTYPE ,
 after this random increase,
 must not exceed
-.BR keylife .
+.B lifeTYPE
+(where TYPE is one of
+.IR bytes ,
+.I packets
+or
+.IR time ).
 The value
 .B 0%
-will suppress time randomization.
+will suppress randomization.
 Relevant only locally, other end need not agree on it.
 .TP
 .B rekeymargin
-how long before connection expiry or keying-channel expiry
-should attempts to
-negotiate a replacement
-begin; acceptable values as for
-.B keylife
-(default
-.BR 9m ).
-Relevant only locally, other end need not agree on it.
+synonym for
+.BR margintime .
 .TP
 .B type
 the type of the connection; currently the accepted values
@@ -854,7 +891,7 @@ and
 (the default).
 
 .SS "CONN PARAMETERS: IKEv2 MEDIATION EXTENSION"
-The following parameters are relevant to IKEv2 Mediation Extension 
+The following parameters are relevant to IKEv2 Mediation Extension
 operation only.
 .TP 14
 .B mediation
@@ -884,7 +921,7 @@ of this connection will be used as peer ID.
 
 .SH "CA SECTIONS"
 This are optional sections that can be used to assign special
-parameters to a Certification Authority (CA). These parameters are not 
+parameters to a Certification Authority (CA). These parameters are not
 supported in IKEv2 yet.
 .TP 10
 .B auto
@@ -892,10 +929,10 @@ currently can have either the value
 .B ignore
 or
 .B add
-. 
+.
 .TP
 .B cacert
-defines a path to the CA certificate either relative to 
+defines a path to the CA certificate either relative to
 \fI/etc/ipsec.d/cacerts\fP or as an absolute path.
 .TP
 .B crluri
@@ -970,7 +1007,7 @@ Accepted values are
 .B yes
 or
 .BR no .
-The default is 
+The default is
 .B yes
 if starter was compiled with IKEv2 support.
 .TP
@@ -987,7 +1024,7 @@ Accepted values are
 .B yes
 or
 .BR no .
-The default is 
+The default is
 .B yes
 if starter was compiled with IKEv1 support.
 .TP
@@ -1192,7 +1229,7 @@ value that the MTU of the ipsec\fIn\fR interface(s) should be set to,
 overriding IPsec's (large) default.
 .SH CHOOSING A CONNECTION
 .PP
-When choosing a connection to apply to an outbound packet caught with a 
+When choosing a connection to apply to an outbound packet caught with a
 .BR %trap,
 the system prefers the one with the most specific eroute that
 includes the packet's source and destination IP addresses.
diff --git a/src/starter/keywords.c b/src/starter/keywords.c
index 3ca7a92f6..e379f78e9 100644
--- a/src/starter/keywords.c
+++ b/src/starter/keywords.c
@@ -54,12 +54,12 @@ struct kw_entry {
     kw_token_t token;
 };
 
-#define TOTAL_KEYWORDS 112
+#define TOTAL_KEYWORDS 119
 #define MIN_WORD_LENGTH 3
 #define MAX_WORD_LENGTH 17
-#define MIN_HASH_VALUE 13
-#define MAX_HASH_VALUE 200
-/* maximum key range = 188, duplicates = 0 */
+#define MIN_HASH_VALUE 17
+#define MAX_HASH_VALUE 215
+/* maximum key range = 199, duplicates = 0 */
 
 #ifdef __GNUC__
 __inline
@@ -75,32 +75,32 @@ hash (str, len)
 {
   static const unsigned char asso_values[] =
     {
-      201, 201, 201, 201, 201, 201, 201, 201, 201, 201,
-      201, 201, 201, 201, 201, 201, 201, 201, 201, 201,
-      201, 201, 201, 201, 201, 201, 201, 201, 201, 201,
-      201, 201, 201, 201, 201, 201, 201, 201, 201, 201,
-      201, 201, 201, 201, 201, 201, 201, 201, 201,   3,
-       42, 201, 201, 201, 201, 201, 201, 201, 201, 201,
-      201, 201, 201, 201, 201, 201, 201, 201, 201, 201,
-      201, 201, 201, 201, 201, 201, 201, 201, 201, 201,
-      201, 201, 201, 201, 201, 201, 201, 201, 201, 201,
-      201, 201, 201, 201, 201,   1, 201,   9, 201,   5,
-       39,   1,  64,  47,  62,   1, 201,  88,   5,  83,
-       39,  30,  21, 201,   1,  10,   6,  44,  14, 201,
-        4,  54,   4, 201, 201, 201, 201, 201, 201, 201,
-      201, 201, 201, 201, 201, 201, 201, 201, 201, 201,
-      201, 201, 201, 201, 201, 201, 201, 201, 201, 201,
-      201, 201, 201, 201, 201, 201, 201, 201, 201, 201,
-      201, 201, 201, 201, 201, 201, 201, 201, 201, 201,
-      201, 201, 201, 201, 201, 201, 201, 201, 201, 201,
-      201, 201, 201, 201, 201, 201, 201, 201, 201, 201,
-      201, 201, 201, 201, 201, 201, 201, 201, 201, 201,
-      201, 201, 201, 201, 201, 201, 201, 201, 201, 201,
-      201, 201, 201, 201, 201, 201, 201, 201, 201, 201,
-      201, 201, 201, 201, 201, 201, 201, 201, 201, 201,
-      201, 201, 201, 201, 201, 201, 201, 201, 201, 201,
-      201, 201, 201, 201, 201, 201, 201, 201, 201, 201,
-      201, 201, 201, 201, 201, 201
+      216, 216, 216, 216, 216, 216, 216, 216, 216, 216,
+      216, 216, 216, 216, 216, 216, 216, 216, 216, 216,
+      216, 216, 216, 216, 216, 216, 216, 216, 216, 216,
+      216, 216, 216, 216, 216, 216, 216, 216, 216, 216,
+      216, 216, 216, 216, 216, 216, 216, 216, 216,  12,
+       78, 216, 216, 216, 216, 216, 216, 216, 216, 216,
+      216, 216, 216, 216, 216, 216, 216, 216, 216, 216,
+      216, 216, 216, 216, 216, 216, 216, 216, 216, 216,
+      216, 216, 216, 216, 216, 216, 216, 216, 216, 216,
+      216, 216, 216, 216, 216,   4, 216,  20, 216,  45,
+       55,   4,  77,  14,  78,   4, 216, 119,   4,  89,
+       46,  34,  29, 216,   6,  12,   5,  56,  34, 216,
+        4,  20,   5, 216, 216, 216, 216, 216, 216, 216,
+      216, 216, 216, 216, 216, 216, 216, 216, 216, 216,
+      216, 216, 216, 216, 216, 216, 216, 216, 216, 216,
+      216, 216, 216, 216, 216, 216, 216, 216, 216, 216,
+      216, 216, 216, 216, 216, 216, 216, 216, 216, 216,
+      216, 216, 216, 216, 216, 216, 216, 216, 216, 216,
+      216, 216, 216, 216, 216, 216, 216, 216, 216, 216,
+      216, 216, 216, 216, 216, 216, 216, 216, 216, 216,
+      216, 216, 216, 216, 216, 216, 216, 216, 216, 216,
+      216, 216, 216, 216, 216, 216, 216, 216, 216, 216,
+      216, 216, 216, 216, 216, 216, 216, 216, 216, 216,
+      216, 216, 216, 216, 216, 216, 216, 216, 216, 216,
+      216, 216, 216, 216, 216, 216, 216, 216, 216, 216,
+      216, 216, 216, 216, 216, 216
     };
   register int hval = len;
 
@@ -124,143 +124,151 @@ hash (str, len)
 
 static const struct kw_entry wordlist[] =
   {
-    {"right",             KW_RIGHT},
-    {"crluri",            KW_CRLURI},
     {"left",              KW_LEFT},
-    {"crluri1",           KW_CRLURI},
-    {"certuribase",       KW_CERTURIBASE},
+    {"right",             KW_RIGHT},
+    {"lifetime",          KW_KEYLIFE},
     {"leftcert",          KW_LEFTCERT,},
-    {"rightcert",         KW_RIGHTCERT},
-    {"rightca",           KW_RIGHTCA},
     {"leftfirewall",      KW_LEFTFIREWALL},
     {"leftsendcert",      KW_LEFTSENDCERT},
     {"leftprotoport",     KW_LEFTPROTOPORT},
+    {"type",              KW_TYPE},
+    {"rekey",             KW_REKEY},
     {"leftgroups",        KW_LEFTGROUPS},
-    {"crlcheckinterval",  KW_CRLCHECKINTERVAL},
     {"rightsubnet",       KW_RIGHTSUBNET},
-    {"leftca",            KW_LEFTCA},
     {"rightsendcert",     KW_RIGHTSENDCERT},
-    {"cacert",            KW_CACERT},
-    {"eap",               KW_EAP},
+    {"leftallowany",      KW_LEFTALLOWANY},
+    {"rightgroups",       KW_RIGHTGROUPS},
     {"esp",               KW_ESP},
-    {"cachecrls",         KW_CACHECRLS},
+    {"lifebytes",         KW_LIFEBYTES},
+    {"rightrsasigkey",    KW_RIGHTRSASIGKEY},
+    {"lifepackets",       KW_LIFEPACKETS},
     {"leftnexthop",       KW_LEFTNEXTHOP},
-    {"virtual_private",   KW_VIRTUAL_PRIVATE},
+    {"leftrsasigkey",     KW_LEFTRSASIGKEY},
+    {"leftca",            KW_LEFTCA},
+    {"eap",               KW_EAP},
+    {"strictcrlpolicy",   KW_STRICTCRLPOLICY},
     {"rightprotoport",    KW_RIGHTPROTOPORT},
-    {"ocspuri",           KW_OCSPURI},
-    {"leftnatip",         KW_LEFTNATIP},
-    {"rightsourceip",     KW_RIGHTSOURCEIP},
-    {"ocspuri1",          KW_OCSPURI},
-    {"also",              KW_ALSO},
-    {"rightid",           KW_RIGHTID},
     {"plutostart",        KW_PLUTOSTART},
-    {"rightid2",          KW_RIGHTID2},
-    {"compress",          KW_COMPRESS},
-    {"packetdefault",     KW_PACKETDEFAULT},
-    {"crluri2",           KW_CRLURI2},
-    {"rightca2",          KW_RIGHTCA2},
-    {"leftcert2",         KW_LEFTCERT2,},
-    {"rightcert2",        KW_RIGHTCERT2},
+    {"also",              KW_ALSO},
+    {"rightallowany",     KW_RIGHTALLOWANY},
+    {"rightsourceip",     KW_RIGHTSOURCEIP},
+    {"crluri",            KW_CRLURI},
+    {"leftnatip",         KW_LEFTNATIP},
     {"lefthostaccess",    KW_LEFTHOSTACCESS},
-    {"rekey",             KW_REKEY},
-    {"ldapbase",          KW_LDAPBASE},
-    {"rightauth2",        KW_RIGHTAUTH2},
-    {"leftca2",           KW_LEFTCA2},
-    {"type",              KW_TYPE},
+    {"rightcert",         KW_RIGHTCERT},
+    {"certuribase",       KW_CERTURIBASE},
+    {"packetdefault",     KW_PACKETDEFAULT},
+    {"plutostderrlog",    KW_PLUTOSTDERRLOG},
+    {"crluri1",           KW_CRLURI},
+    {"crlcheckinterval",  KW_CRLCHECKINTERVAL},
+    {"rightid",           KW_RIGHTID},
+    {"virtual_private",   KW_VIRTUAL_PRIVATE},
     {"leftsubnet",        KW_LEFTSUBNET},
-    {"nat_traversal",     KW_NAT_TRAVERSAL},
-    {"rightsubnetwithin", KW_RIGHTSUBNETWITHIN},
+    {"cacert",            KW_CACERT},
+    {"rightca",           KW_RIGHTCA},
     {"leftsourceip",      KW_LEFTSOURCEIP},
-    {"rightgroups",       KW_RIGHTGROUPS},
-    {"rightrsasigkey",    KW_RIGHTRSASIGKEY},
+    {"inactivity",        KW_INACTIVITY},
+    {"rightsubnetwithin", KW_RIGHTSUBNETWITHIN},
+    {"installpolicy",     KW_INSTALLPOLICY},
+    {"nat_traversal",     KW_NAT_TRAVERSAL},
+    {"ldapbase",          KW_LDAPBASE},
+    {"leftupdown",        KW_LEFTUPDOWN},
     {"rightnatip",        KW_RIGHTNATIP},
+    {"ocspuri",           KW_OCSPURI},
     {"rightnexthop",      KW_RIGHTNEXTHOP},
-    {"leftupdown",        KW_LEFTUPDOWN},
-    {"leftallowany",      KW_LEFTALLOWANY},
-    {"rightallowany",     KW_RIGHTALLOWANY},
+    {"leftcert2",         KW_LEFTCERT2,},
+    {"rightid2",          KW_RIGHTID2},
     {"rekeyfuzz",         KW_REKEYFUZZ},
-    {"xauth",             KW_XAUTH},
-    {"rightauth",         KW_RIGHTAUTH},
-    {"leftrsasigkey",     KW_LEFTRSASIGKEY},
+    {"compress",          KW_COMPRESS},
     {"rightfirewall",     KW_RIGHTFIREWALL},
-    {"ocspuri2",          KW_OCSPURI2},
-    {"auto",              KW_AUTO},
+    {"ocspuri1",          KW_OCSPURI},
     {"ldaphost",          KW_LDAPHOST},
+    {"xauth",             KW_XAUTH},
+    {"postpluto",         KW_POSTPLUTO},
+    {"eap_identity",      KW_EAP_IDENTITY},
+    {"plutodebug",        KW_PLUTODEBUG},
+    {"leftca2",           KW_LEFTCA2},
+    {"auto",              KW_AUTO},
     {"righthostaccess",   KW_RIGHTHOSTACCESS},
+    {"dpddelay",          KW_DPDDELAY},
+    {"rightauth",         KW_RIGHTAUTH},
+    {"rightauth2",        KW_RIGHTAUTH2},
+    {"pfs",               KW_PFS},
+    {"authby",            KW_AUTHBY},
+    {"rightupdown",       KW_RIGHTUPDOWN},
     {"leftid",            KW_LEFTID},
-    {"strictcrlpolicy",   KW_STRICTCRLPOLICY},
+    {"leftsubnetwithin",  KW_LEFTSUBNETWITHIN},
+    {"uniqueids",         KW_UNIQUEIDS},
     {"dumpdir",           KW_DUMPDIR},
+    {"mediated_by",       KW_MEDIATED_BY},
     {"ike",               KW_IKE},
-    {"leftid2",           KW_LEFTID2},
-    {"postpluto",         KW_POSTPLUTO},
-    {"rightupdown",       KW_RIGHTUPDOWN},
-    {"plutostderrlog",    KW_PLUTOSTDERRLOG},
-    {"pfs",               KW_PFS},
-    {"fragicmp",          KW_FRAGICMP},
-    {"overridemtu",       KW_OVERRIDEMTU},
-    {"leftauth2",         KW_LEFTAUTH2},
-    {"uniqueids",         KW_UNIQUEIDS},
+    {"cachecrls",         KW_CACHECRLS},
     {"prepluto",          KW_PREPLUTO},
-    {"leftsubnetwithin",  KW_LEFTSUBNETWITHIN},
-    {"keyexchange",       KW_KEYEXCHANGE},
-    {"keep_alive",        KW_KEEP_ALIVE},
-    {"hidetos",           KW_HIDETOS},
     {"force_keepalive",   KW_FORCE_KEEPALIVE},
-    {"installpolicy",     KW_INSTALLPOLICY},
-    {"dpdaction",         KW_DPDACTION},
-    {"eap_identity",      KW_EAP_IDENTITY},
+    {"hidetos",           KW_HIDETOS},
+    {"mobike",	           KW_MOBIKE},
     {"forceencaps",       KW_FORCEENCAPS},
+    {"overridemtu",       KW_OVERRIDEMTU},
+    {"crluri2",           KW_CRLURI2},
+    {"rightca2",          KW_RIGHTCA2},
+    {"rightcert2",        KW_RIGHTCERT2},
+    {"dpdaction",         KW_DPDACTION},
     {"nocrsend",          KW_NOCRSEND},
-    {"auth",              KW_AUTH},
-    {"leftauth",          KW_LEFTAUTH},
-    {"mobike",	           KW_MOBIKE},
-    {"plutodebug",        KW_PLUTODEBUG},
-    {"charonstart",       KW_CHARONSTART},
+    {"leftid2",           KW_LEFTID2},
     {"interfaces",        KW_INTERFACES},
+    {"leftauth",          KW_LEFTAUTH},
+    {"leftauth2",         KW_LEFTAUTH2},
+    {"mediation",         KW_MEDIATION},
+    {"rekeymargin",       KW_REKEYMARGIN},
+    {"keep_alive",        KW_KEEP_ALIVE},
+    {"auth",              KW_AUTH},
+    {"keyingtries",       KW_KEYINGTRIES},
+    {"me_peerid",         KW_ME_PEERID},
+    {"fragicmp",          KW_FRAGICMP},
+    {"margintime",        KW_REKEYMARGIN},
+    {"ocspuri2",          KW_OCSPURI2},
+    {"reauth",            KW_REAUTH},
     {"pkcs11module",      KW_PKCS11MODULE},
-    {"dpddelay",          KW_DPDDELAY},
+    {"pfsgroup",          KW_PFSGROUP},
+    {"marginbytes",       KW_MARGINBYTES},
     {"pkcs11keepstate",   KW_PKCS11KEEPSTATE},
-    {"reauth",            KW_REAUTH},
-    {"me_peerid",         KW_ME_PEERID},
-    {"rekeymargin",       KW_REKEYMARGIN},
+    {"marginpackets",     KW_MARGINPACKETS},
+    {"modeconfig",        KW_MODECONFIG},
+    {"keyexchange",       KW_KEYEXCHANGE},
+    {"charonstart",       KW_CHARONSTART},
     {"pkcs11initargs",    KW_PKCS11INITARGS},
-    {"mediation",         KW_MEDIATION},
-    {"pfsgroup",          KW_PFSGROUP},
-    {"mediated_by",       KW_MEDIATED_BY},
-    {"keyingtries",       KW_KEYINGTRIES},
     {"dpdtimeout",        KW_DPDTIMEOUT},
-    {"keylife",           KW_KEYLIFE},
-    {"charondebug",       KW_CHARONDEBUG},
-    {"ikelifetime",       KW_IKELIFETIME},
-    {"authby",            KW_AUTHBY},
     {"pkcs11proxy",       KW_PKCS11PROXY},
+    {"charondebug",       KW_CHARONDEBUG},
     {"klipsdebug",        KW_KLIPSDEBUG},
-    {"modeconfig",        KW_MODECONFIG}
+    {"keylife",           KW_KEYLIFE},
+    {"ikelifetime",       KW_IKELIFETIME}
   };
 
 static const short lookup[] =
   {
      -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,
-     -1,  -1,  -1,   0,   1,  -1,   2,   3,  -1,   4,
-     -1,   5,   6,   7,   8,   9,  10,  11,  12,  13,
-     14,  15,  16,  -1,  17,  18,  -1,  -1,  19,  20,
-     21,  -1,  -1,  22,  23,  24,  25,  26,  27,  28,
-     -1,  -1,  29,  30,  31,  32,  33,  34,  35,  36,
-     37,  38,  39,  40,  41,  42,  43,  44,  45,  46,
-     47,  48,  49,  -1,  50,  -1,  51,  52,  53,  54,
-     55,  -1,  56,  57,  58,  -1,  59,  60,  61,  62,
-     63,  64,  65,  66,  67,  68,  69,  70,  71,  72,
-     73,  74,  -1,  75,  76,  77,  78,  -1,  -1,  79,
-     80,  81,  82,  -1,  83,  84,  85,  86,  -1,  87,
-     88,  89,  90,  91,  92,  93,  -1,  94,  95,  -1,
-     -1,  -1,  96,  97,  -1,  98,  99,  -1, 100,  -1,
-     -1,  -1,  -1,  -1, 101,  -1,  -1,  -1,  -1,  -1,
-     -1,  -1,  -1,  -1,  -1, 102,  -1, 103,  -1, 104,
-     -1, 105,  -1,  -1, 106, 107,  -1, 108,  -1,  -1,
-     -1,  -1,  -1,  -1,  -1,  -1,  -1, 109,  -1,  -1,
-     -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1, 110,
-     -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,
-    111
+     -1,  -1,  -1,  -1,  -1,  -1,  -1,   0,  -1,  -1,
+      1,  -1,  -1,  -1,   2,   3,  -1,  -1,   4,   5,
+     -1,  -1,   6,   7,  -1,   8,   9,  -1,  10,  -1,
+     11,  -1,  -1,  -1,  12,  -1,  -1,  13,  14,  15,
+     16,  17,  18,  19,  20,  -1,  21,  22,  23,  -1,
+     24,  -1,  25,  26,  27,  28,  29,  -1,  30,  31,
+     32,  -1,  33,  34,  35,  36,  37,  38,  -1,  39,
+     -1,  40,  41,  42,  43,  44,  -1,  45,  -1,  46,
+     -1,  47,  -1,  48,  -1,  49,  50,  51,  -1,  52,
+     53,  54,  -1,  55,  56,  57,  58,  59,  -1,  -1,
+     60,  61,  62,  63,  64,  65,  66,  67,  68,  -1,
+     -1,  69,  70,  71,  72,  -1,  73,  74,  75,  76,
+     77,  78,  -1,  79,  80,  81,  -1,  82,  83,  84,
+     85,  86,  -1,  87,  88,  -1,  -1,  89,  90,  91,
+     92,  93,  -1,  94,  -1,  -1,  95,  96,  97,  -1,
+     98,  99,  -1,  -1,  -1, 100,  -1,  -1,  -1, 101,
+     -1, 102, 103,  -1,  -1,  -1, 104, 105, 106, 107,
+    108, 109,  -1, 110,  -1, 111, 112,  -1, 113,  -1,
+     -1, 114,  -1,  -1, 115,  -1,  -1,  -1,  -1,  -1,
+     -1,  -1, 116,  -1,  -1,  -1,  -1,  -1,  -1,  -1,
+     -1, 117,  -1,  -1,  -1, 118
   };
 
 #ifdef __GNUC__
diff --git a/src/starter/keywords.h b/src/starter/keywords.h
index 3a115d15d..8be31d148 100644
--- a/src/starter/keywords.h
+++ b/src/starter/keywords.h
@@ -66,7 +66,7 @@ typedef enum {
 	KW_TYPE,
 	KW_PFS,
 	KW_COMPRESS,
-		KW_INSTALLPOLICY,
+	KW_INSTALLPOLICY,
 	KW_AUTH,
 	KW_AUTHBY,
 	KW_EAP,
@@ -76,6 +76,10 @@ typedef enum {
 	KW_IKELIFETIME,
 	KW_KEYLIFE,
 	KW_REKEYMARGIN,
+	KW_LIFEBYTES,
+	KW_MARGINBYTES,
+	KW_LIFEPACKETS,
+	KW_MARGINPACKETS,
 	KW_KEYINGTRIES,
 	KW_REKEYFUZZ,
 	KW_REKEY,
@@ -86,6 +90,7 @@ typedef enum {
 	KW_DPDDELAY,
 	KW_DPDTIMEOUT,
 	KW_DPDACTION,
+	KW_INACTIVITY,
 	KW_MODECONFIG,
 	KW_XAUTH,
 	KW_MEDIATION,
diff --git a/src/starter/keywords.txt b/src/starter/keywords.txt
index 66c894850..adf3069bf 100644
--- a/src/starter/keywords.txt
+++ b/src/starter/keywords.txt
@@ -64,6 +64,12 @@ auth,              KW_AUTH
 authby,            KW_AUTHBY
 keylife,           KW_KEYLIFE
 rekeymargin,       KW_REKEYMARGIN
+lifetime,          KW_KEYLIFE
+margintime,        KW_REKEYMARGIN
+lifebytes,         KW_LIFEBYTES
+marginbytes,       KW_MARGINBYTES
+lifepackets,       KW_LIFEPACKETS
+marginpackets,     KW_MARGINPACKETS
 ikelifetime,       KW_IKELIFETIME
 keyingtries,       KW_KEYINGTRIES
 rekeyfuzz,         KW_REKEYFUZZ
@@ -75,6 +81,7 @@ pfsgroup,          KW_PFSGROUP
 dpddelay,          KW_DPDDELAY
 dpdtimeout,        KW_DPDTIMEOUT
 dpdaction,         KW_DPDACTION
+inactivity,        KW_INACTIVITY
 modeconfig,        KW_MODECONFIG
 xauth,             KW_XAUTH
 mediation,         KW_MEDIATION
diff --git a/src/starter/klips.c b/src/starter/klips.c
index 061dee50c..79bd25c44 100644
--- a/src/starter/klips.c
+++ b/src/starter/klips.c
@@ -46,7 +46,7 @@ starter_klips_init(void)
 			return FALSE;
 		}
 	}
-	
+
 	/* load crypto algorithm modules */
 	ignore_result(system("modprobe -qv ipsec_aes"));
 	ignore_result(system("modprobe -qv ipsec_blowfish"));
@@ -55,7 +55,7 @@ starter_klips_init(void)
 	DBG(DBG_CONTROL,
 		DBG_log("Found KLIPS IPsec stack")
 	)
-	
+
 	return TRUE;
 }
 
diff --git a/src/starter/klips.h b/src/starter/klips.h
index e93348df1..1a527d108 100644
--- a/src/starter/klips.h
+++ b/src/starter/klips.h
@@ -1,4 +1,4 @@
-/* strongSwan KLIPS initialization and cleanup 
+/* strongSwan KLIPS initialization and cleanup
  * Copyright (C) 2001-2002 Mathieu Lafon - Arkoon Network Security
  *
  * This program is free software; you can redistribute it and/or modify it
diff --git a/src/starter/netkey.h b/src/starter/netkey.h
index 55f6a7c47..c12924174 100644
--- a/src/starter/netkey.h
+++ b/src/starter/netkey.h
@@ -1,4 +1,4 @@
-/* strongSwan netkey initialization and cleanup 
+/* strongSwan netkey initialization and cleanup
  * Copyright (C) 2001-2002 Mathieu Lafon - Arkoon Network Security
  *
  * This program is free software; you can redistribute it and/or modify it
diff --git a/src/starter/starter.c b/src/starter/starter.c
index b675ccf1c..0aab76d43 100644
--- a/src/starter/starter.c
+++ b/src/starter/starter.c
@@ -163,7 +163,7 @@ static void fsig(int signal)
 static void generate_selfcert()
 {
 	struct stat stb;
-	
+
 		/* if ipsec.secrets file is missing then generate RSA default key pair */
 		if (stat(SECRETS_FILE, &stb) != 0)
 		{
@@ -176,7 +176,7 @@ static void generate_selfcert()
 			{
 				char buf[1024];
 				struct group group, *grp;
-				
+
 				if (getgrnam_r(IPSEC_GROUP, &group, buf, sizeof(buf), &grp) == 0 &&	grp)
 				{
 					gid = grp->gr_gid;
@@ -187,7 +187,7 @@ static void generate_selfcert()
 			{
 				char buf[1024];
 				struct passwd passwd, *pwp;
-				
+
 				if (getpwnam_r(IPSEC_USER, &passwd, buf, sizeof(buf), &pwp) == 0 &&	pwp)
 				{
 					uid = pwp->pw_uid;
@@ -353,14 +353,14 @@ int main (int argc, char **argv)
 		}
 	}
 
-	last_reload = time(NULL);
+	last_reload = time_monotonic(NULL);
 
 	if (stat(STARTER_PID_FILE, &stb) == 0)
 	{
 		plog("starter is already running (%s exists) -- no fork done", STARTER_PID_FILE);
 		exit(LSB_RC_SUCCESS);
 	}
-	
+
 	generate_selfcert();
 
 	/* fork if we're not debugging stuff */
@@ -381,7 +381,7 @@ int main (int argc, char **argv)
 					dup2(fnull, STDERR_FILENO);
 					close(fnull);
 				}
-				setsid(); 
+				setsid();
 			}
 			break;
 			case -1:
@@ -491,7 +491,7 @@ int main (int argc, char **argv)
 					_action_ |= FLAG_ACTION_LISTEN;
 				}
 
-				if (!starter_cmp_pluto(cfg, new_cfg)) 
+				if (!starter_cmp_pluto(cfg, new_cfg))
 				{
 					plog("Pluto has changed");
 					if (starter_pluto_pid())
@@ -582,7 +582,7 @@ int main (int argc, char **argv)
 				}
 			}
 			_action_ &= ~FLAG_ACTION_UPDATE;
-			last_reload = time(NULL);
+			last_reload = time_monotonic(NULL);
 		}
 
 		/*
@@ -620,7 +620,7 @@ int main (int argc, char **argv)
 					conn->state = STATE_TO_ADD;
 			}
 		}
-		
+
 		/*
 		 * Start charon
 		 */
@@ -736,7 +736,7 @@ int main (int argc, char **argv)
 		 */
 		if (auto_update)
 		{
-			time_t now = time(NULL);
+			time_t now = time_monotonic(NULL);
 
 			tv.tv_sec = (now < last_reload + auto_update)
 					? (last_reload + auto_update-now) : 0;
diff --git a/src/starter/starterstroke.c b/src/starter/starterstroke.c
index 054e37fa7..665350c00 100644
--- a/src/starter/starterstroke.c
+++ b/src/starter/starterstroke.c
@@ -81,7 +81,7 @@ static int send_stroke_msg (stroke_msg_t *msg)
 
 	ctl_addr.sun_family = AF_UNIX;
 	strcpy(ctl_addr.sun_path, CHARON_CTL_FILE);
-	
+
 	/* starter is not called from commandline, and therefore absolutely silent */
 	msg->output_verbosity = -1;
 
@@ -173,7 +173,7 @@ static void ip_address2string(ip_address *addr, char *buffer, size_t len)
 static void starter_stroke_add_end(stroke_msg_t *msg, stroke_end_t *msg_end, starter_end_t *conn_end)
 {
 	char buffer[INET6_ADDRSTRLEN];
-	
+
 	msg_end->auth = push_string(msg, conn_end->auth);
 	msg_end->auth2 = push_string(msg, conn_end->auth2);
 	msg_end->id = push_string(msg, conn_end->id);
@@ -187,45 +187,13 @@ static void starter_stroke_add_end(stroke_msg_t *msg, stroke_end_t *msg_end, sta
 	ip_address2string(&conn_end->addr, buffer, sizeof(buffer));
 	msg_end->address = push_string(msg, buffer);
 	msg_end->subnets = push_string(msg, conn_end->subnet);
+	msg_end->sourceip = push_string(msg, conn_end->sourceip);
+	msg_end->sourceip_mask = conn_end->sourceip_mask;
 	msg_end->sendcert = conn_end->sendcert;
 	msg_end->hostaccess = conn_end->hostaccess;
 	msg_end->tohost = !conn_end->has_client;
 	msg_end->protocol = conn_end->protocol;
 	msg_end->port = conn_end->port;
-	if (conn_end->srcip)
-	{
-		if (conn_end->srcip[0] == '%')
-		{	/* %poolname, strip % */
-			msg_end->sourceip_size = 0;
-			msg_end->sourceip = push_string(msg, conn_end->srcip + 1);
-		}
-		else
-		{
-			char *pos = strchr(conn_end->srcip, '/');
-			if (pos)
-			{	/* CIDR subnet definition */
-				snprintf(buffer, pos - conn_end->srcip + 1, "%s", conn_end->srcip);
-				msg_end->sourceip = push_string(msg, buffer);
-				msg_end->sourceip_size = atoi(pos + 1);
-			}
-			else
-			{	/* a single address */
-				msg_end->sourceip = push_string(msg, conn_end->srcip);
-				if (strchr(conn_end->srcip, ':'))
-				{	/* IPv6 */
-					msg_end->sourceip_size = 128;
-				}
-				else
-				{	/* IPv4 */
-					msg_end->sourceip_size = 32;
-				}
-			}
-		}
-	}
-	else if (conn_end->modecfg)
-	{
-		msg_end->sourceip_size = 1;
-	}
 }
 
 int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
@@ -237,7 +205,7 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
 	msg.length = offsetof(stroke_msg_t, buffer);
 	msg.add_conn.ikev2 = conn->keyexchange == KEY_EXCHANGE_IKEV2;
 	msg.add_conn.name = push_string(&msg, connection_name(conn));
-	
+
 	/* PUBKEY is preferred to PSK and EAP */
 	if (conn->policy & POLICY_PUBKEY)
 	{
@@ -254,7 +222,7 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
 	msg.add_conn.eap_type = conn->eap_type;
 	msg.add_conn.eap_vendor = conn->eap_vendor;
 	msg.add_conn.eap_identity = push_string(&msg, conn->eap_identity);
-	
+
 	if (conn->policy & POLICY_TUNNEL)
 	{
 		msg.add_conn.mode = MODE_TUNNEL;
@@ -267,7 +235,7 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
 	{
 		msg.add_conn.mode = MODE_TRANSPORT;
 		msg.add_conn.proxy_mode = TRUE;
-	} 
+	}
 	else
 	{
 		msg.add_conn.mode = MODE_TRANSPORT;
@@ -279,12 +247,16 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
 		msg.add_conn.rekey.ipsec_lifetime = conn->sa_ipsec_life_seconds;
 		msg.add_conn.rekey.ike_lifetime = conn->sa_ike_life_seconds;
 		msg.add_conn.rekey.margin = conn->sa_rekey_margin;
+		msg.add_conn.rekey.life_bytes = conn->sa_ipsec_life_bytes;
+		msg.add_conn.rekey.margin_bytes = conn->sa_ipsec_margin_bytes;
+		msg.add_conn.rekey.life_packets = conn->sa_ipsec_life_packets;
+		msg.add_conn.rekey.margin_packets = conn->sa_ipsec_margin_packets;
 		msg.add_conn.rekey.tries = conn->sa_keying_tries;
 		msg.add_conn.rekey.fuzz = conn->sa_rekey_fuzz;
 	}
-	msg.add_conn.mobike = conn->policy & POLICY_MOBIKE;
-	msg.add_conn.force_encap = conn->policy & POLICY_FORCE_ENCAP;
-	msg.add_conn.ipcomp = conn->policy & POLICY_COMPRESS;
+	msg.add_conn.mobike = (conn->policy & POLICY_MOBIKE) != 0;
+	msg.add_conn.force_encap = (conn->policy & POLICY_FORCE_ENCAP) != 0;
+	msg.add_conn.ipcomp = (conn->policy & POLICY_COMPRESS) != 0;
 	msg.add_conn.install_policy = conn->install_policy;
 	msg.add_conn.crl_policy = cfg->setup.strictcrlpolicy;
 	msg.add_conn.unique = cfg->setup.uniqueids;
@@ -292,6 +264,7 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
 	msg.add_conn.algorithms.esp = push_string(&msg, conn->esp);
 	msg.add_conn.dpd.delay = conn->dpd_delay;
 	msg.add_conn.dpd.action = conn->dpd_action;
+	msg.add_conn.inactivity = conn->inactivity;
 	msg.add_conn.ikeme.mediation = conn->me_mediation;
 	msg.add_conn.ikeme.mediated_by = push_string(&msg, conn->me_mediated_by);
 	msg.add_conn.ikeme.peerid = push_string(&msg, conn->me_peerid);
@@ -361,7 +334,7 @@ int starter_stroke_del_ca(starter_ca_t *ca)
 int starter_stroke_configure(starter_config_t *cfg)
 {
 	stroke_msg_t msg;
-    
+
 	if (cfg->setup.cachecrls)
 	{
 		msg.type = STR_CONFIG;
diff --git a/src/starter/starterwhack.c b/src/starter/starterwhack.c
index 44b442ae2..67916395f 100644
--- a/src/starter/starterwhack.c
+++ b/src/starter/starterwhack.c
@@ -33,8 +33,7 @@
 
 #define ip_version(string)      (strchr(string, '.') ? AF_INET : AF_INET6)
 
-static int
-pack_str (char **p, char **next, char **roof)
+static int pack_str (char **p, char **next, char **roof)
 {
 	const char *s = (*p==NULL) ? "" : *p;    /* note: NULL becomes ""! */
 	size_t len = strlen(s) + 1;
@@ -52,8 +51,7 @@ pack_str (char **p, char **next, char **roof)
 	}
 }
 
-static int
-send_whack_msg (whack_message_t *msg)
+static int send_whack_msg (whack_message_t *msg)
 {
 	struct sockaddr_un ctl_addr;
 	int sock;
@@ -67,37 +65,41 @@ send_whack_msg (whack_message_t *msg)
 	str_next = (char *)msg->string;
 	str_roof = (char *)&msg->string[sizeof(msg->string)];
 
-	if (!pack_str(&msg->name,         &str_next, &str_roof)
-	||  !pack_str(&msg->left.id,      &str_next, &str_roof)
-	||  !pack_str(&msg->left.cert,    &str_next, &str_roof)
-	||  !pack_str(&msg->left.ca,      &str_next, &str_roof)
-	||  !pack_str(&msg->left.groups,  &str_next, &str_roof)
-	||  !pack_str(&msg->left.updown,  &str_next, &str_roof)
-	||  !pack_str(&msg->left.virt,    &str_next, &str_roof)
-	||  !pack_str(&msg->right.id,     &str_next, &str_roof)
-	||  !pack_str(&msg->right.cert,   &str_next, &str_roof)
-	||  !pack_str(&msg->right.ca,     &str_next, &str_roof)
-	||  !pack_str(&msg->right.groups, &str_next, &str_roof)
-	||  !pack_str(&msg->right.updown, &str_next, &str_roof)
-	|| !pack_str(&msg->right.virt,    &str_next, &str_roof)
-	|| !pack_str(&msg->keyid,         &str_next, &str_roof)
-	|| !pack_str(&msg->myid,          &str_next, &str_roof)
-	|| !pack_str(&msg->cacert,        &str_next, &str_roof)
-	|| !pack_str(&msg->ldaphost,      &str_next, &str_roof)
-	|| !pack_str(&msg->ldapbase,      &str_next, &str_roof)
-	|| !pack_str(&msg->crluri,        &str_next, &str_roof)
-	|| !pack_str(&msg->crluri2,       &str_next, &str_roof)
-	|| !pack_str(&msg->ocspuri,       &str_next, &str_roof)
-	|| !pack_str(&msg->ike,           &str_next, &str_roof)
-	|| !pack_str(&msg->esp,           &str_next, &str_roof)
-	|| !pack_str(&msg->sc_data,       &str_next, &str_roof)
-	|| (str_roof - str_next < msg->keyval.len))
+	if (!pack_str(&msg->name,           &str_next, &str_roof)
+	||  !pack_str(&msg->left.id,        &str_next, &str_roof)
+	||  !pack_str(&msg->left.cert,      &str_next, &str_roof)
+	||  !pack_str(&msg->left.ca,        &str_next, &str_roof)
+	||  !pack_str(&msg->left.groups,    &str_next, &str_roof)
+	||  !pack_str(&msg->left.updown,    &str_next, &str_roof)
+	||  !pack_str(&msg->left.sourceip,  &str_next, &str_roof)
+	||  !pack_str(&msg->left.virt,      &str_next, &str_roof)
+	||  !pack_str(&msg->right.id,       &str_next, &str_roof)
+	||  !pack_str(&msg->right.cert,     &str_next, &str_roof)
+	||  !pack_str(&msg->right.ca,       &str_next, &str_roof)
+	||  !pack_str(&msg->right.groups,   &str_next, &str_roof)
+	||  !pack_str(&msg->right.updown,   &str_next, &str_roof)
+	||  !pack_str(&msg->right.sourceip, &str_next, &str_roof)
+	||  !pack_str(&msg->right.virt,     &str_next, &str_roof)
+	||  !pack_str(&msg->keyid,          &str_next, &str_roof)
+	||  !pack_str(&msg->myid,           &str_next, &str_roof)
+	||  !pack_str(&msg->cacert,         &str_next, &str_roof)
+	||  !pack_str(&msg->ldaphost,       &str_next, &str_roof)
+	||  !pack_str(&msg->ldapbase,       &str_next, &str_roof)
+	||  !pack_str(&msg->crluri,         &str_next, &str_roof)
+	||  !pack_str(&msg->crluri2,        &str_next, &str_roof)
+	||  !pack_str(&msg->ocspuri,        &str_next, &str_roof)
+	||  !pack_str(&msg->ike,            &str_next, &str_roof)
+	||  !pack_str(&msg->esp,            &str_next, &str_roof)
+	||  !pack_str(&msg->sc_data,        &str_next, &str_roof)
+	||  (str_roof - str_next < msg->keyval.len))
 	{
 		plog("send_wack_msg(): can't pack strings");
 		return -1;
 	}
 	if (msg->keyval.ptr)
+	{
 		memcpy(str_next, msg->keyval.ptr, msg->keyval.len);
+	}
 	msg->keyval.ptr = NULL;
 	str_next += msg->keyval.len;
 	len = str_next - (char *)msg;
@@ -130,15 +132,13 @@ send_whack_msg (whack_message_t *msg)
 	return 0;
 }
 
-static void
-init_whack_msg(whack_message_t *msg)
+static void init_whack_msg(whack_message_t *msg)
 {
 	memset(msg, 0, sizeof(whack_message_t));
 	msg->magic = WHACK_MAGIC;
 }
 
-static char *
-connection_name(starter_conn_t *conn)
+static char *connection_name(starter_conn_t *conn)
 {
 	/* if connection name is '%auto', create a new name like conn_xxxxx */
 	static char buf[32];
@@ -151,34 +151,26 @@ connection_name(starter_conn_t *conn)
 	return conn->name;
 }
 
-static void
-set_whack_end(whack_end_t *w, starter_end_t *end, sa_family_t family)
-{   
-	if (end->srcip && end->srcip[0] != '%')
-	{
-		int len = 0;
-		char *pos;
-
-		pos = strchr(end->srcip, '/');
-		if (pos)
-		{
-			/* use first address only for pluto */
-			len = pos - end->srcip;
-		}
-		w->has_srcip = !end->has_natip;
-		ttoaddr(end->srcip, len, ip_version(end->srcip), &w->host_srcip);
-	}
-	else
-	{
-		anyaddr(AF_INET, &w->host_srcip);       
-	}
-	
+static void set_whack_end(whack_end_t *w, starter_end_t *end, sa_family_t family)
+{
 	w->id                  = end->id;
 	w->cert                = end->cert;
 	w->ca                  = end->ca;
 	w->groups              = end->groups;
 	w->host_addr           = end->addr;
 	w->has_client          = end->has_client;
+	w->sourceip            = end->sourceip;
+	w->sourceip_mask       = end->sourceip_mask;
+	
+	if (end->sourceip && end->sourceip_mask > 0)
+	{
+		ttoaddr(end->sourceip, 0, ip_version(end->sourceip), &w->host_srcip);
+		w->has_srcip = !end->has_natip;
+	}
+	else
+	{
+		anyaddr(AF_INET, &w->host_srcip);
+	}
 
 	if (family == AF_INET6 && isanyaddr(&end->nexthop))
 	{
@@ -234,13 +226,14 @@ starter_whack_add_pubkey (starter_conn_t *conn, starter_end_t *end
 {
 	const char *err;
 	static char keyspace[1024 + 4];
+	char buf[ADDRTOT_BUF];
 	whack_message_t msg;
 
 	init_whack_msg(&msg);
 
 	msg.whack_key = TRUE;
 	msg.pubkey_alg = PUBKEY_ALG_RSA;
-	if (end->id && end->rsakey)
+	if (end->rsakey)
 	{
 		/* special values to ignore */
 		if (streq(end->rsakey, "")
@@ -250,24 +243,28 @@ starter_whack_add_pubkey (starter_conn_t *conn, starter_end_t *end
 		{
 			return 0;
 		}
-		msg.keyid = end->id;
 		err = atobytes(end->rsakey, 0, keyspace, sizeof(keyspace), &msg.keyval.len);
 		if (err)
 		{
 			plog("conn %s/%s: rsakey malformed [%s]", connection_name(conn), lr, err);
 			return 1;
 		}
+		if (end->id)
+		{
+			msg.keyid = end->id;
+		}
 		else
 		{
-			msg.keyval.ptr = keyspace;
-			return send_whack_msg(&msg);
+			addrtot(&end->addr, 0, buf, sizeof(buf));
+			msg.keyid = buf;
 		}
+		msg.keyval.ptr = keyspace;
+		return send_whack_msg(&msg);
 	}
 	return 0;
 }
 
-int
-starter_whack_add_conn(starter_conn_t *conn)
+int starter_whack_add_conn(starter_conn_t *conn)
 {
 	whack_message_t msg;
 	int r;
@@ -332,8 +329,7 @@ starter_whack_add_conn(starter_conn_t *conn)
 	return r;
 }
 
-int
-starter_whack_del_conn(starter_conn_t *conn)
+int starter_whack_del_conn(starter_conn_t *conn)
 {
 	whack_message_t msg;
 
@@ -343,8 +339,7 @@ starter_whack_del_conn(starter_conn_t *conn)
 	return send_whack_msg(&msg);
 }
 
-int
-starter_whack_route_conn(starter_conn_t *conn)
+int starter_whack_route_conn(starter_conn_t *conn)
 {
 	whack_message_t msg;
 
@@ -354,8 +349,7 @@ starter_whack_route_conn(starter_conn_t *conn)
 	return send_whack_msg(&msg);
 }
 
-int
-starter_whack_initiate_conn(starter_conn_t *conn)
+int starter_whack_initiate_conn(starter_conn_t *conn)
 {
 	whack_message_t msg;
 
@@ -366,8 +360,7 @@ starter_whack_initiate_conn(starter_conn_t *conn)
 	return send_whack_msg(&msg);
 }
 
-int
-starter_whack_listen(void)
+int starter_whack_listen(void)
 {
 	whack_message_t msg;
 	init_whack_msg(&msg);
@@ -384,8 +377,7 @@ int starter_whack_shutdown(void)
 	return send_whack_msg(&msg);
 }
 
-int
-starter_whack_add_ca(starter_ca_t *ca)
+int starter_whack_add_ca(starter_ca_t *ca)
 {
 	whack_message_t msg;
 
@@ -404,8 +396,7 @@ starter_whack_add_ca(starter_ca_t *ca)
 	return send_whack_msg(&msg);
 }
 
-int
-starter_whack_del_ca(starter_ca_t *ca)
+int starter_whack_del_ca(starter_ca_t *ca)
 {
 	whack_message_t msg;
 
diff --git a/src/stroke/Makefile.in b/src/stroke/Makefile.in
index e2ed28afe..82f2be13d 100644
--- a/src/stroke/Makefile.in
+++ b/src/stroke/Makefile.in
@@ -1,8 +1,9 @@
-# Makefile.in generated by automake 1.10.2 from Makefile.am.
+# Makefile.in generated by automake 1.11 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,8 +17,9 @@
 
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
@@ -36,13 +38,20 @@ ipsec_PROGRAMS = stroke$(EXEEXT)
 subdir = src/stroke
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
 CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
 am__installdirs = "$(DESTDIR)$(ipsecdir)"
-ipsecPROGRAMS_INSTALL = $(INSTALL_PROGRAM)
 PROGRAMS = $(ipsec_PROGRAMS)
 am_stroke_OBJECTS = stroke.$(OBJEXT) stroke_keywords.$(OBJEXT)
 stroke_OBJECTS = $(am_stroke_OBJECTS)
@@ -53,6 +62,7 @@ stroke_DEPENDENCIES =  \
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
+am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
@@ -100,25 +110,22 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
-IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
-LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
-LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
-LINUX_HEADERS = @LINUX_HEADERS@
 LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
 NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
@@ -130,11 +137,14 @@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
 PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
+RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
@@ -163,9 +173,9 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
-confdir = @confdir@
 datadir = @datadir@
 datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
@@ -188,7 +198,7 @@ ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
 libstrongswan_plugins = @libstrongswan_plugins@
-linuxdir = @linuxdir@
+linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
@@ -196,6 +206,7 @@ mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
@@ -204,10 +215,12 @@ pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+random_device = @random_device@
 resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
-simreader = @simreader@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
@@ -215,6 +228,7 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 stroke_SOURCES = stroke.c stroke_msg.h stroke_keywords.c stroke_keywords.h
@@ -238,9 +252,9 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/stroke/Makefile'; \
-	cd $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu  src/stroke/Makefile
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/stroke/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/stroke/Makefile
 .PRECIOUS: Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
@@ -258,34 +272,50 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
 install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
 	@$(NORMAL_INSTALL)
 	test -z "$(ipsecdir)" || $(MKDIR_P) "$(DESTDIR)$(ipsecdir)"
-	@list='$(ipsec_PROGRAMS)'; for p in $$list; do \
-	  p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
-	  if test -f $$p \
-	     || test -f $$p1 \
-	  ; then \
-	    f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \
-	   echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(ipsecPROGRAMS_INSTALL) '$$p' '$(DESTDIR)$(ipsecdir)/$$f'"; \
-	   $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(ipsecPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(ipsecdir)/$$f" || exit 1; \
-	  else :; fi; \
-	done
+	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
+	for p in $$list; do echo "$$p $$p"; done | \
+	sed 's/$(EXEEXT)$$//' | \
+	while read p p1; do if test -f $$p || test -f $$p1; \
+	  then echo "$$p"; echo "$$p"; else :; fi; \
+	done | \
+	sed -e 'p;s,.*/,,;n;h' -e 's|.*|.|' \
+	    -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \
+	sed 'N;N;N;s,\n, ,g' | \
+	$(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \
+	  { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \
+	    if ($$2 == $$4) files[d] = files[d] " " $$1; \
+	    else { print "f", $$3 "/" $$4, $$1; } } \
+	  END { for (d in files) print "f", d, files[d] }' | \
+	while read type dir files; do \
+	    if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \
+	    test -z "$$files" || { \
+	    echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(ipsecdir)$$dir'"; \
+	    $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(ipsecdir)$$dir" || exit $$?; \
+	    } \
+	; done
 
 uninstall-ipsecPROGRAMS:
 	@$(NORMAL_UNINSTALL)
-	@list='$(ipsec_PROGRAMS)'; for p in $$list; do \
-	  f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \
-	  echo " rm -f '$(DESTDIR)$(ipsecdir)/$$f'"; \
-	  rm -f "$(DESTDIR)$(ipsecdir)/$$f"; \
-	done
+	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
+	files=`for p in $$list; do echo "$$p"; done | \
+	  sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \
+	      -e 's/$$/$(EXEEXT)/' `; \
+	test -n "$$list" || exit 0; \
+	echo " ( cd '$(DESTDIR)$(ipsecdir)' && rm -f" $$files ")"; \
+	cd "$(DESTDIR)$(ipsecdir)" && rm -f $$files
 
 clean-ipsecPROGRAMS:
-	@list='$(ipsec_PROGRAMS)'; for p in $$list; do \
-	  f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
-	  echo " rm -f $$p $$f"; \
-	  rm -f $$p $$f ; \
-	done
+	@list='$(ipsec_PROGRAMS)'; test -n "$$list" || exit 0; \
+	echo " rm -f" $$list; \
+	rm -f $$list || exit $$?; \
+	test -n "$(EXEEXT)" || exit 0; \
+	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
+	echo " rm -f" $$list; \
+	rm -f $$list
 stroke$(EXEEXT): $(stroke_OBJECTS) $(stroke_DEPENDENCIES) 
 	@rm -f stroke$(EXEEXT)
 	$(LINK) $(stroke_OBJECTS) $(stroke_LDADD) $(LIBS)
@@ -301,21 +331,21 @@ distclean-compile:
 
 .c.o:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c $<
 
 .c.obj:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
 @am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
@@ -338,7 +368,7 @@ tags: TAGS
 
 TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
+	set x; \
 	here=`pwd`; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
@@ -346,29 +376,34 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
 	  test -n "$$unique" || unique=$$empty_fix; \
-	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	    $$tags $$unique; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
 	fi
 ctags: CTAGS
 CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	test -z "$(CTAGS_ARGS)$$unique" \
 	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$tags $$unique
+	     $$unique
 
 GTAGS:
 	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && cd $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) $$here
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
 
 distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
@@ -389,13 +424,17 @@ distdir: $(DISTFILES)
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
 	  if test -d $$d/$$file; then \
 	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
 	    fi; \
-	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
 	  else \
-	    test -f $(distdir)/$$file \
-	    || cp -p $$d/$$file $(distdir)/$$file \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
 	    || exit 1; \
 	  fi; \
 	done
@@ -428,6 +467,7 @@ clean-generic:
 
 distclean-generic:
 	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -451,6 +491,8 @@ dvi-am:
 
 html: html-am
 
+html-am:
+
 info: info-am
 
 info-am:
@@ -459,18 +501,28 @@ install-data-am: install-ipsecPROGRAMS
 
 install-dvi: install-dvi-am
 
+install-dvi-am:
+
 install-exec-am:
 
 install-html: install-html-am
 
+install-html-am:
+
 install-info: install-info-am
 
+install-info-am:
+
 install-man:
 
 install-pdf: install-pdf-am
 
+install-pdf-am:
+
 install-ps: install-ps-am
 
+install-ps-am:
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -493,7 +545,7 @@ ps-am:
 
 uninstall-am: uninstall-ipsecPROGRAMS
 
-.MAKE: install-am install-strip
+.MAKE: all check install install-am install-strip
 
 .PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
 	clean-ipsecPROGRAMS clean-libtool ctags distclean \
@@ -512,6 +564,7 @@ uninstall-am: uninstall-ipsecPROGRAMS
 
 stroke_keywords.c:	$(srcdir)/stroke_keywords.txt $(srcdir)/stroke_keywords.h
 		$(GPERF) -m 10 -D -C -G -t < $(srcdir)/stroke_keywords.txt > $@
+
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/src/stroke/stroke.c b/src/stroke/stroke.c
index c27a8ca3e..955e49535 100644
--- a/src/stroke/stroke.c
+++ b/src/stroke/stroke.c
@@ -55,14 +55,14 @@ static int send_stroke_msg (stroke_msg_t *msg)
 {
 	struct sockaddr_un ctl_addr;
 	int sock;
-	char buffer[64];
+	char buffer[512];
 	int byte_count;
 
 	ctl_addr.sun_family = AF_UNIX;
 	strcpy(ctl_addr.sun_path, STROKE_SOCKET);
-	
+
 	msg->output_verbosity = 1; /* CONTROL */
-	
+
 	sock = socket(AF_UNIX, SOCK_STREAM, 0);
 	if (sock < 0)
 	{
@@ -76,7 +76,7 @@ static int send_stroke_msg (stroke_msg_t *msg)
 		close(sock);
 		return -1;
 	}
-	
+
 	/* send message */
 	if (write(sock, msg, msg->length) != msg->length)
 	{
@@ -84,56 +84,66 @@ static int send_stroke_msg (stroke_msg_t *msg)
 		close(sock);
 		return -1;
 	}
-	
+
 	while ((byte_count = read(sock, buffer, sizeof(buffer)-1)) > 0)
 	{
 		buffer[byte_count] = '\0';
 		printf("%s", buffer);
+
+		/* we prompt if we receive the "Passphrase:" magic keyword */
+		if (byte_count >= 12 &&
+			strcmp(buffer + byte_count - 12, "Passphrase:\n") == 0)
+		{
+			if (fgets(buffer, sizeof(buffer), stdin))
+			{
+				if (write(sock, buffer, strlen(buffer)));
+			}
+		}
 	}
 	if (byte_count < 0)
 	{
 		fprintf(stderr, "reading from socket failed: %s\n", strerror(errno));
 	}
-	
+
 	close(sock);
 	return 0;
 }
 
 static int add_connection(char *name,
-						  char *my_id, char *other_id, 
+						  char *my_id, char *other_id,
 						  char *my_addr, char *other_addr,
 						  char *my_nets, char *other_nets)
 {
 	stroke_msg_t msg;
-	
+
 	memset(&msg, 0, sizeof(msg));
 	msg.length = offsetof(stroke_msg_t, buffer);
 	msg.type = STR_ADD_CONN;
-	
+
 	msg.add_conn.name = push_string(&msg, name);
 	msg.add_conn.ikev2 = 1;
 	msg.add_conn.auth_method = 2;
 	msg.add_conn.mode = 1;
 	msg.add_conn.mobike = 1;
 	msg.add_conn.dpd.action = 1;
-	
+
 	msg.add_conn.me.id = push_string(&msg, my_id);
 	msg.add_conn.me.address = push_string(&msg, my_addr);
 	msg.add_conn.me.subnets = push_string(&msg, my_nets);
 	msg.add_conn.me.sendcert = 1;
-	
+
 	msg.add_conn.other.id = push_string(&msg, other_id);
 	msg.add_conn.other.address = push_string(&msg, other_addr);
 	msg.add_conn.other.subnets = push_string(&msg, other_nets);
 	msg.add_conn.other.sendcert = 1;
-	
+
 	return send_stroke_msg(&msg);
 }
 
 static int del_connection(char *name)
 {
 	stroke_msg_t msg;
-	
+
 	msg.length = offsetof(stroke_msg_t, buffer);
 	msg.type = STR_DEL_CONN;
 	msg.initiate.name = push_string(&msg, name);
@@ -143,7 +153,7 @@ static int del_connection(char *name)
 static int initiate_connection(char *name)
 {
 	stroke_msg_t msg;
-	
+
 	msg.length = offsetof(stroke_msg_t, buffer);
 	msg.type = STR_INITIATE;
 	msg.initiate.name = push_string(&msg, name);
@@ -153,7 +163,7 @@ static int initiate_connection(char *name)
 static int terminate_connection(char *name)
 {
 	stroke_msg_t msg;
-	
+
 	msg.type = STR_TERMINATE;
 	msg.length = offsetof(stroke_msg_t, buffer);
 	msg.initiate.name = push_string(&msg, name);
@@ -163,7 +173,7 @@ static int terminate_connection(char *name)
 static int terminate_connection_srcip(char *start, char *end)
 {
 	stroke_msg_t msg;
-	
+
 	msg.type = STR_TERMINATE_SRCIP;
 	msg.length = offsetof(stroke_msg_t, buffer);
 	msg.terminate_srcip.start = push_string(&msg, start);
@@ -174,7 +184,7 @@ static int terminate_connection_srcip(char *start, char *end)
 static int route_connection(char *name)
 {
 	stroke_msg_t msg;
-	
+
 	msg.type = STR_ROUTE;
 	msg.length = offsetof(stroke_msg_t, buffer);
 	msg.route.name = push_string(&msg, name);
@@ -184,7 +194,7 @@ static int route_connection(char *name)
 static int unroute_connection(char *name)
 {
 	stroke_msg_t msg;
-	
+
 	msg.type = STR_UNROUTE;
 	msg.length = offsetof(stroke_msg_t, buffer);
 	msg.unroute.name = push_string(&msg, name);
@@ -194,7 +204,7 @@ static int unroute_connection(char *name)
 static int show_status(stroke_keyword_t kw, char *connection)
 {
 	stroke_msg_t msg;
-	
+
 	msg.type = (kw == STROKE_STATUS)? STR_STATUS:STR_STATUS_ALL;
 	msg.length = offsetof(stroke_msg_t, buffer);
 	msg.status.name = push_string(&msg, connection);
@@ -219,7 +229,7 @@ static int list_flags[] = {
 static int list(stroke_keyword_t kw, int utc)
 {
 	stroke_msg_t msg;
-	
+
 	msg.type = STR_LIST;
 	msg.length = offsetof(stroke_msg_t, buffer);
 	msg.list.utc = utc;
@@ -240,7 +250,7 @@ static int reread_flags[] = {
 static int reread(stroke_keyword_t kw)
 {
 	stroke_msg_t msg;
-	
+
 	msg.type = STR_REREAD;
 	msg.length = offsetof(stroke_msg_t, buffer);
 	msg.reread.flags = reread_flags[kw - STROKE_REREAD_FIRST];
@@ -255,7 +265,7 @@ static int purge_flags[] = {
 static int purge(stroke_keyword_t kw)
 {
 	stroke_msg_t msg;
-	
+
 	msg.type = STR_PURGE;
 	msg.length = offsetof(stroke_msg_t, buffer);
 	msg.purge.flags = purge_flags[kw - STROKE_PURGE_FIRST];
@@ -266,7 +276,7 @@ static int leases(stroke_keyword_t kw, char *pool, char *address)
 {
 
 	stroke_msg_t msg;
-	
+
 	msg.type = STR_LEASES;
 	msg.length = offsetof(stroke_msg_t, buffer);
 	msg.leases.pool = push_string(&msg, pool);
@@ -277,7 +287,7 @@ static int leases(stroke_keyword_t kw, char *pool, char *address)
 static int set_loglevel(char *type, u_int level)
 {
 	stroke_msg_t msg;
-	
+
 	msg.type = STR_LOGLEVEL;
 	msg.length = offsetof(stroke_msg_t, buffer);
 	msg.loglevel.type = push_string(&msg, type);
@@ -349,7 +359,7 @@ int main(int argc, char *argv[])
 	{
 		exit_usage(NULL);
 	}
-	
+
 	token = in_word_set(argv[1], strlen(argv[1]));
 
 	if (token == NULL)
@@ -365,8 +375,8 @@ int main(int argc, char *argv[])
 				exit_usage("\"add\" needs more parameters...");
 			}
 			res = add_connection(argv[2],
-								 argv[3], argv[4], 
-								 argv[5], argv[6], 
+								 argv[3], argv[4],
+								 argv[5], argv[6],
 								 argv[7], argv[8]);
 			break;
 		case STROKE_DELETE:
@@ -417,7 +427,7 @@ int main(int argc, char *argv[])
 			{
 				exit_usage("\"logtype\" needs more parameters...");
 			}
-			res = set_loglevel(argv[2], atoi(argv[3])); 
+			res = set_loglevel(argv[2], atoi(argv[3]));
 			break;
 		case STROKE_STATUS:
 		case STROKE_STATUSALL:
diff --git a/src/stroke/stroke_msg.h b/src/stroke/stroke_msg.h
index abf285a86..56a7a158f 100644
--- a/src/stroke/stroke_msg.h
+++ b/src/stroke/stroke_msg.h
@@ -138,7 +138,7 @@ struct stroke_end_t {
 	char *updown;
 	char *address;
 	char *sourceip;
-	int sourceip_size;
+	int sourceip_mask;
 	char *subnets;
 	int sendcert;
 	int hostaccess;
@@ -194,7 +194,7 @@ struct stroke_msg_t {
 		STR_LEASES,
 		/* more to come */
 	} type;
-	
+
 	/* verbosity of output returned from charon (-from -1=silent to 4=private)*/
 	int output_verbosity;
 
@@ -203,7 +203,7 @@ struct stroke_msg_t {
 		struct {
 			char *name;
 		} initiate, route, unroute, terminate, status, del_conn, del_ca;
-		
+
 		/* data for STR_TERMINATE_SRCIP */
 		struct {
 			char *start;
@@ -223,6 +223,7 @@ struct stroke_msg_t {
 			int mobike;
 			int force_encap;
 			int ipcomp;
+			time_t inactivity;
 			int proxy_mode;
 			int install_policy;
 
@@ -237,6 +238,10 @@ struct stroke_msg_t {
 				time_t ipsec_lifetime;
 				time_t ike_lifetime;
 				time_t margin;
+				u_int64_t life_bytes;
+				u_int64_t margin_bytes;
+				u_int64_t life_packets;
+				u_int64_t margin_packets;
 				unsigned long tries;
 				unsigned long fuzz;
 			} rekey;
@@ -268,7 +273,7 @@ struct stroke_msg_t {
 			char *type;
 			int level;
 		} loglevel;
-		
+
 		/* data for STR_CONFIG */
 		struct {
 			int cachecrl;
diff --git a/src/whack/Makefile.in b/src/whack/Makefile.in
index 88b066379..eb6238d80 100644
--- a/src/whack/Makefile.in
+++ b/src/whack/Makefile.in
@@ -1,8 +1,9 @@
-# Makefile.in generated by automake 1.10.2 from Makefile.am.
+# Makefile.in generated by automake 1.11 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,8 +17,9 @@
 
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
@@ -36,13 +38,20 @@ ipsec_PROGRAMS = whack$(EXEEXT)
 subdir = src/whack
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
 CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
 am__installdirs = "$(DESTDIR)$(ipsecdir)"
-ipsecPROGRAMS_INSTALL = $(INSTALL_PROGRAM)
 PROGRAMS = $(ipsec_PROGRAMS)
 am_whack_OBJECTS = whack.$(OBJEXT)
 whack_OBJECTS = $(am_whack_OBJECTS)
@@ -52,6 +61,7 @@ whack_DEPENDENCIES =  \
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
+am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
@@ -99,25 +109,22 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
-IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
-LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
-LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
-LINUX_HEADERS = @LINUX_HEADERS@
 LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
 NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
@@ -129,11 +136,14 @@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
 PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
+RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
@@ -162,9 +172,9 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
-confdir = @confdir@
 datadir = @datadir@
 datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
@@ -187,7 +197,7 @@ ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
 libstrongswan_plugins = @libstrongswan_plugins@
-linuxdir = @linuxdir@
+linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
@@ -195,6 +205,7 @@ mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
@@ -203,10 +214,12 @@ pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+random_device = @random_device@
 resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
-simreader = @simreader@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
@@ -214,6 +227,7 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 whack_SOURCES = whack.c whack.h
@@ -240,9 +254,9 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/whack/Makefile'; \
-	cd $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu  src/whack/Makefile
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/whack/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/whack/Makefile
 .PRECIOUS: Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
@@ -260,34 +274,50 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
 install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
 	@$(NORMAL_INSTALL)
 	test -z "$(ipsecdir)" || $(MKDIR_P) "$(DESTDIR)$(ipsecdir)"
-	@list='$(ipsec_PROGRAMS)'; for p in $$list; do \
-	  p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
-	  if test -f $$p \
-	     || test -f $$p1 \
-	  ; then \
-	    f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \
-	   echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(ipsecPROGRAMS_INSTALL) '$$p' '$(DESTDIR)$(ipsecdir)/$$f'"; \
-	   $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(ipsecPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(ipsecdir)/$$f" || exit 1; \
-	  else :; fi; \
-	done
+	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
+	for p in $$list; do echo "$$p $$p"; done | \
+	sed 's/$(EXEEXT)$$//' | \
+	while read p p1; do if test -f $$p || test -f $$p1; \
+	  then echo "$$p"; echo "$$p"; else :; fi; \
+	done | \
+	sed -e 'p;s,.*/,,;n;h' -e 's|.*|.|' \
+	    -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \
+	sed 'N;N;N;s,\n, ,g' | \
+	$(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \
+	  { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \
+	    if ($$2 == $$4) files[d] = files[d] " " $$1; \
+	    else { print "f", $$3 "/" $$4, $$1; } } \
+	  END { for (d in files) print "f", d, files[d] }' | \
+	while read type dir files; do \
+	    if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \
+	    test -z "$$files" || { \
+	    echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(ipsecdir)$$dir'"; \
+	    $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(ipsecdir)$$dir" || exit $$?; \
+	    } \
+	; done
 
 uninstall-ipsecPROGRAMS:
 	@$(NORMAL_UNINSTALL)
-	@list='$(ipsec_PROGRAMS)'; for p in $$list; do \
-	  f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \
-	  echo " rm -f '$(DESTDIR)$(ipsecdir)/$$f'"; \
-	  rm -f "$(DESTDIR)$(ipsecdir)/$$f"; \
-	done
+	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
+	files=`for p in $$list; do echo "$$p"; done | \
+	  sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \
+	      -e 's/$$/$(EXEEXT)/' `; \
+	test -n "$$list" || exit 0; \
+	echo " ( cd '$(DESTDIR)$(ipsecdir)' && rm -f" $$files ")"; \
+	cd "$(DESTDIR)$(ipsecdir)" && rm -f $$files
 
 clean-ipsecPROGRAMS:
-	@list='$(ipsec_PROGRAMS)'; for p in $$list; do \
-	  f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
-	  echo " rm -f $$p $$f"; \
-	  rm -f $$p $$f ; \
-	done
+	@list='$(ipsec_PROGRAMS)'; test -n "$$list" || exit 0; \
+	echo " rm -f" $$list; \
+	rm -f $$list || exit $$?; \
+	test -n "$(EXEEXT)" || exit 0; \
+	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
+	echo " rm -f" $$list; \
+	rm -f $$list
 whack$(EXEEXT): $(whack_OBJECTS) $(whack_DEPENDENCIES) 
 	@rm -f whack$(EXEEXT)
 	$(LINK) $(whack_OBJECTS) $(whack_LDADD) $(LIBS)
@@ -302,21 +332,21 @@ distclean-compile:
 
 .c.o:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c $<
 
 .c.obj:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
 @am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
@@ -339,7 +369,7 @@ tags: TAGS
 
 TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
+	set x; \
 	here=`pwd`; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
@@ -347,29 +377,34 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
 	  test -n "$$unique" || unique=$$empty_fix; \
-	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	    $$tags $$unique; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
 	fi
 ctags: CTAGS
 CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	test -z "$(CTAGS_ARGS)$$unique" \
 	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$tags $$unique
+	     $$unique
 
 GTAGS:
 	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && cd $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) $$here
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
 
 distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
@@ -390,13 +425,17 @@ distdir: $(DISTFILES)
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
 	  if test -d $$d/$$file; then \
 	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
 	    fi; \
-	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
 	  else \
-	    test -f $(distdir)/$$file \
-	    || cp -p $$d/$$file $(distdir)/$$file \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
 	    || exit 1; \
 	  fi; \
 	done
@@ -427,6 +466,7 @@ clean-generic:
 
 distclean-generic:
 	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -448,6 +488,8 @@ dvi-am:
 
 html: html-am
 
+html-am:
+
 info: info-am
 
 info-am:
@@ -456,18 +498,28 @@ install-data-am: install-ipsecPROGRAMS
 
 install-dvi: install-dvi-am
 
+install-dvi-am:
+
 install-exec-am:
 
 install-html: install-html-am
 
+install-html-am:
+
 install-info: install-info-am
 
+install-info-am:
+
 install-man:
 
 install-pdf: install-pdf-am
 
+install-pdf-am:
+
 install-ps: install-ps-am
 
+install-ps-am:
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -506,6 +558,7 @@ uninstall-am: uninstall-ipsecPROGRAMS
 	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
 	tags uninstall uninstall-am uninstall-ipsecPROGRAMS
 
+
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/src/whack/whack.c b/src/whack/whack.c
index 28112500e..c458d6760 100644
--- a/src/whack/whack.c
+++ b/src/whack/whack.c
@@ -393,7 +393,7 @@ enum {
 	END_SRCIP,
 	END_HOSTACCESS,
 	END_UPDOWN,
-		
+
 #define END_LAST  END_UPDOWN    /* last end description*/
 
 /* Connection Description options -- segregated */
@@ -431,7 +431,7 @@ enum {
 	CD_DPDTIMEOUT,
 	CD_IKE,
 	CD_PFSGROUP,
-	CD_ESP,     
+	CD_ESP,
 
 #   define CD_LAST CD_ESP       /* last connection description */
 
@@ -861,7 +861,7 @@ int main(int argc, char **argv)
 
 	msg.addr_family = AF_INET;
 	msg.tunnel_addr_family = AF_INET;
-	
+
 	msg.cacert = NULL;
 	msg.ldaphost = NULL;
 	msg.ldapbase = NULL;
@@ -1017,7 +1017,7 @@ int main(int argc, char **argv)
 			if (!options->from(options, optarg, &argc, &argv, optind))
 			{
 				fprintf(stderr, "optionsfrom failed");
-				whack_exit(RC_WHACK_PROBLEM);				
+				whack_exit(RC_WHACK_PROBLEM);
 			}
 			continue;
 
@@ -1134,7 +1134,7 @@ int main(int argc, char **argv)
 		case OPT_STATUS:        /* --status */
 			msg.whack_status = TRUE;
 			continue;
-		
+
 		case OPT_SHUTDOWN:      /* --shutdown */
 			msg.whack_shutdown = TRUE;
 			continue;
@@ -1180,7 +1180,7 @@ int main(int argc, char **argv)
 					base = 256;
 				else
 					diagq("not a valid base", optarg);
-				
+
 				if (c == SC_INBASE)
 					msg.inbase = base;
 				else
@@ -1472,7 +1472,7 @@ int main(int argc, char **argv)
 		case CD_IKE:    /* --ike <ike_alg1,ike_alg2,...> */
 			msg.ike = optarg;
 			continue;
-			
+
 		case CD_PFSGROUP:       /* --pfsgroup modpXXXX */
 			msg.pfsgroup = optarg;
 			continue;
@@ -1726,10 +1726,10 @@ int main(int argc, char **argv)
 	{
 		if (msg.dpd_delay <= 0)
 			diag("dpddelay must be larger than zero");
-		
+
 		if (msg.dpd_timeout <= 0)
 			diag("dpdtimeout must be larger than zero");
-		
+
 		if (msg.dpd_timeout <= msg.dpd_delay)
 			diag("dpdtimeout must be larger than dpddelay");
 	}
@@ -1740,36 +1740,38 @@ int main(int argc, char **argv)
 
 	/* build esp message as esp="<esp>;<pfsgroup>" */
 	if (msg.pfsgroup) {
-			snprintf(esp_buf, sizeof (esp_buf), "%s;%s", 
+			snprintf(esp_buf, sizeof (esp_buf), "%s;%s",
 					msg.esp ? msg.esp : "",
 					msg.pfsgroup ? msg.pfsgroup : "");
 			msg.esp=esp_buf;
 	}
-	if (!pack_str(&msg.name)            /* string  1 */
-	|| !pack_str(&msg.left.id)          /* string  2 */
-	|| !pack_str(&msg.left.cert)        /* string  3 */
-	|| !pack_str(&msg.left.ca)          /* string  4 */
-	|| !pack_str(&msg.left.groups)      /* string  5 */
-	|| !pack_str(&msg.left.updown)      /* string  6 */
-	|| !pack_str(&msg.left.virt)        /* string  7 */
-	|| !pack_str(&msg.right.id)         /* string  8 */
-	|| !pack_str(&msg.right.cert)       /* string  9 */
-	|| !pack_str(&msg.right.ca)         /* string 10 */
-	|| !pack_str(&msg.right.groups)     /* string 11 */
-	|| !pack_str(&msg.right.updown)     /* string 12 */
-	|| !pack_str(&msg.right.virt)       /* string 13 */
-	|| !pack_str(&msg.keyid)            /* string 14 */
-	|| !pack_str(&msg.myid)             /* string 15 */
-	|| !pack_str(&msg.cacert)           /* string 16 */
-	|| !pack_str(&msg.ldaphost)         /* string 17 */
-	|| !pack_str(&msg.ldapbase)         /* string 18 */
-	|| !pack_str(&msg.crluri)           /* string 19 */
-	|| !pack_str(&msg.crluri2)          /* string 20 */
-	|| !pack_str(&msg.ocspuri)          /* string 21 */
-	|| !pack_str(&msg.ike)              /* string 22 */
-	|| !pack_str(&msg.esp)              /* string 23 */
-	|| !pack_str(&msg.sc_data)          /* string 24 */
-	|| str_roof - next_str < (ptrdiff_t)msg.keyval.len)    /* chunk (sort of string 5) */
+	if (!pack_str(&msg.name)             /* string  1 */
+	||  !pack_str(&msg.left.id)          /* string  2 */
+	||  !pack_str(&msg.left.cert)        /* string  3 */
+	||  !pack_str(&msg.left.ca)          /* string  4 */
+	||  !pack_str(&msg.left.groups)      /* string  5 */
+	||  !pack_str(&msg.left.updown)      /* string  6 */
+	||  !pack_str(&msg.left.sourceip)    /* string  7 */
+	||  !pack_str(&msg.left.virt)        /* string  8 */
+	||  !pack_str(&msg.right.id)         /* string  9 */
+	||  !pack_str(&msg.right.cert)       /* string 10 */
+	||  !pack_str(&msg.right.ca)         /* string 11 */
+	||  !pack_str(&msg.right.groups)     /* string 12 */
+	||  !pack_str(&msg.right.updown)     /* string 13 */
+	||  !pack_str(&msg.right.sourceip)   /* string 14 */
+	||  !pack_str(&msg.right.virt)       /* string 15 */
+	||  !pack_str(&msg.keyid)            /* string 16 */
+	||  !pack_str(&msg.myid)             /* string 17 */
+	||  !pack_str(&msg.cacert)           /* string 18 */
+	||  !pack_str(&msg.ldaphost)         /* string 19 */
+	||  !pack_str(&msg.ldapbase)         /* string 20 */
+	||  !pack_str(&msg.crluri)           /* string 21 */
+	||  !pack_str(&msg.crluri2)          /* string 22 */
+	||  !pack_str(&msg.ocspuri)          /* string 23 */
+	||  !pack_str(&msg.ike)              /* string 24 */
+	||  !pack_str(&msg.esp)              /* string 25 */
+	||  !pack_str(&msg.sc_data)          /* string 26 */
+	||  str_roof - next_str < (ptrdiff_t)msg.keyval.len)
 		diag("too many bytes of strings to fit in message to pluto");
 
 	memcpy(next_str, msg.keyval.ptr, msg.keyval.len);
diff --git a/src/whack/whack.h b/src/whack/whack.h
index 79d115262..3f66a7b4f 100644
--- a/src/whack/whack.h
+++ b/src/whack/whack.h
@@ -17,6 +17,9 @@
 
 #include <freeswan.h>
 
+#include <defs.h>
+#include <constants.h>
+
 /* copy of smartcard operations, defined in smartcard.h */
 #ifndef SC_OP_T
 #define SC_OP_T
@@ -58,12 +61,12 @@ struct whack_end {
 	char *cert;         /* path string (if any) -- loaded by pluto  */
 	char *ca;           /* distinguished name string (if any) -- parsed by pluto */
 	char *groups;       /* access control groups (if any) -- parsed by pluto */
-	ip_address
-		host_addr,
-		host_nexthop,
-		host_srcip;
+	char *sourceip;		/* source IP address or pool identifier -- parsed by pluto */
+	int   sourceip_mask;
+	ip_address host_addr;
+	ip_address host_nexthop;
+	ip_address host_srcip;	
 	ip_subnet client;
-
 	bool key_from_DNS_on_demand;
 	bool has_client;
 	bool has_client_wildcard;
@@ -280,7 +283,7 @@ enum rc_type {
 
 	/* entry of secrets */
 	RC_ENTERSECRET = 40,
-	
+
 	/* progress: start of range for successful state transition.
 	 * Actual value is RC_NEW_STATE plus the new state code.
 	 */
diff --git a/testing/INSTALL b/testing/INSTALL
index e70edf44f..68e13d84a 100644
--- a/testing/INSTALL
+++ b/testing/INSTALL
@@ -53,14 +53,14 @@ are required for the strongSwan testing environment:
     * A vanilla Linux kernel on which the UML kernel will be based on.
       We recommend the use of
 
-      http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.30.2.tar.bz2
+      http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.31.5.tar.bz2
 
-    * The Linux kernel 2.6.29 does not require any patches for the uml guest kernel
+    * The Linux kernel 2.6.31 does not require any patches for the uml guest kernel
       to successfully start up.
 
     * The matching .config file required to compile the UML kernel:
 
-      http://download.strongswan.org/uml/.config-2.6.30
+      http://download.strongswan.org/uml/.config-2.6.31
 
     * A gentoo-based UML file system (compressed size 130 MBytes) found at
 
@@ -68,7 +68,7 @@ are required for the strongSwan testing environment:
 
     * The latest strongSwan distribution
 
-      http://download.strongswan.org/strongswan-4.3.4.tar.bz2
+      http://download.strongswan.org/strongswan-4.3.6.tar.bz2
 
 
 3. Creating the environment
diff --git a/testing/Makefile.am b/testing/Makefile.am
index ad8d5042a..130b87b43 100644
--- a/testing/Makefile.am
+++ b/testing/Makefile.am
@@ -5,7 +5,7 @@ EXTRA_DIST = do-tests.in make-testing start-testing stop-testing \
 
 do-tests : do-tests.in
 	sed \
-	-e "s:\@IPSEC_ROUTING_TABLE\@:$(IPSEC_ROUTING_TABLE):" \
+	-e "s:\@routing_table\@:$(routing_table):" \
 	$(srcdir)/$@.in > $@
 	chmod +x $@
 
diff --git a/testing/Makefile.in b/testing/Makefile.in
index 3ace3a55f..6a5fd31f2 100644
--- a/testing/Makefile.in
+++ b/testing/Makefile.in
@@ -1,8 +1,9 @@
-# Makefile.in generated by automake 1.10.2 from Makefile.am.
+# Makefile.in generated by automake 1.11 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,8 +17,9 @@
 
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
@@ -36,11 +38,19 @@ subdir = testing
 DIST_COMMON = README $(srcdir)/Makefile.am $(srcdir)/Makefile.in \
 	INSTALL
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
 CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
 SCRIPTS = $(noinst_SCRIPTS)
 SOURCES =
 DIST_SOURCES =
@@ -78,25 +88,22 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
-IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
-LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
-LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
-LINUX_HEADERS = @LINUX_HEADERS@
 LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
 NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
@@ -108,11 +115,14 @@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
 PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
+RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
@@ -141,9 +151,9 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
-confdir = @confdir@
 datadir = @datadir@
 datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
@@ -166,7 +176,7 @@ ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
 libstrongswan_plugins = @libstrongswan_plugins@
-linuxdir = @linuxdir@
+linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
@@ -174,6 +184,7 @@ mandir = @mandir@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 piddir = @piddir@
@@ -182,10 +193,12 @@ pluto_plugins = @pluto_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+random_device = @random_device@
 resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
-simreader = @simreader@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
@@ -193,6 +206,7 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 noinst_SCRIPTS = do-tests
@@ -212,9 +226,9 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  testing/Makefile'; \
-	cd $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu  testing/Makefile
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu testing/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu testing/Makefile
 .PRECIOUS: Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
@@ -232,6 +246,7 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -261,13 +276,17 @@ distdir: $(DISTFILES)
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
 	  if test -d $$d/$$file; then \
 	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
 	    fi; \
-	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
 	  else \
-	    test -f $(distdir)/$$file \
-	    || cp -p $$d/$$file $(distdir)/$$file \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
 	    || exit 1; \
 	  fi; \
 	done
@@ -296,6 +315,7 @@ clean-generic:
 
 distclean-generic:
 	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -314,6 +334,8 @@ dvi-am:
 
 html: html-am
 
+html-am:
+
 info: info-am
 
 info-am:
@@ -322,18 +344,28 @@ install-data-am:
 
 install-dvi: install-dvi-am
 
+install-dvi-am:
+
 install-exec-am:
 
 install-html: install-html-am
 
+install-html-am:
+
 install-info: install-info-am
 
+install-info-am:
+
 install-man:
 
 install-pdf: install-pdf-am
 
+install-pdf-am:
+
 install-ps: install-ps-am
 
+install-ps-am:
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -370,9 +402,10 @@ uninstall-am:
 
 do-tests : do-tests.in
 	sed \
-	-e "s:\@IPSEC_ROUTING_TABLE\@:$(IPSEC_ROUTING_TABLE):" \
+	-e "s:\@routing_table\@:$(routing_table):" \
 	$(srcdir)/$@.in > $@
 	chmod +x $@
+
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/testing/do-tests.in b/testing/do-tests.in
index 3a66f4548..7dbb5487a 100755
--- a/testing/do-tests.in
+++ b/testing/do-tests.in
@@ -46,7 +46,7 @@ TESTRESULTSHTML=$TODAYDIR/all.html
 INDEX=$TODAYDIR/index.html
 DEFAULTTESTSDIR=$UMLTESTDIR/testing/tests
 
-SOURCEIP_ROUTING_TABLE=@IPSEC_ROUTING_TABLE@
+SOURCEIP_ROUTING_TABLE=@routing_table@
 
 testnumber="0"
 failed_cnt="0"
@@ -245,9 +245,17 @@ do
 
 	if [ $SUBDIR = "ipv6" -o $name = "rw-psk-ipv6" ]
 	then
-	    IPTABLES="ip6tables"
+	    IPTABLES_CMD="ip6tables -v -n -L"
+	    IPTABLES_DSP="ip6tables -L"
 	else
-	    IPTABLES="iptables"
+	    IPTABLES_CMD="iptables -v -n -L"
+	    IPTABLES_DSP="iptables -L"
+	fi
+
+	if [ $name = "net2net-ip4-in-ip6-ikev2" -o $name = "net2net-ip6-in-ip4-ikev2" ]
+	then
+	    IPTABLES_CMD="iptables -v -n -L ; echo ; ip6tables -v -n -L"
+	    IPTABLES_DSP="iptables -L ; ip6tables -L"
 	fi
 
 	[ -f $DEFAULTTESTSDIR/${testname}/description.txt ] || die "!! File 'description.txt' is missing"
@@ -476,7 +484,7 @@ do
 		    > $TESTRESULTDIR/${host}.ip.state 2>/dev/null
 	    ssh $HOSTLOGIN ip route list table $SOURCEIP_ROUTING_TABLE \
 		    > $TESTRESULTDIR/${host}.ip.route 2>/dev/null
-	    ssh $HOSTLOGIN $IPTABLES -v -n -L \
+	    ssh $HOSTLOGIN $IPTABLES_CMD \
 		    > $TESTRESULTDIR/${host}.iptables 2>/dev/null
 	    chmod a+r $TESTRESULTDIR/*
 	    cat >> $TESTRESULTDIR/index.html <<@EOF
@@ -504,7 +512,7 @@ do
 	    <li><a href="$host.ip.policy">ip -s xfrm policy</a></li>
 	    <li><a href="$host.ip.state">ip -s xfrm state</a></li>
 	    <li><a href="$host.ip.route">ip route list table $SOURCEIP_ROUTING_TABLE</a></li>
-	    <li><a href="$host.iptables">$IPTABLES -L</a></li>
+	    <li><a href="$host.iptables">$IPTABLES_DSP</a></li>
 	  </ul>
       </td>
     </tr>
@@ -623,6 +631,17 @@ do
   </tr>
 @EOF
 
+
+	##########################################################################
+	# remove any charon.pid files that still may exist
+	#
+
+	for host in $IPSECHOSTS
+	do
+	    eval HOSTLOGIN=root@\$ipv4_${host}
+	    ssh $HOSTLOGIN 'if [ -f /var/run/charon.pid ]; then rm /var/run/charon.pid; echo "    removed charon.pid on `hostname`"; fi'
+	done
+
     done
 
 done
diff --git a/testing/hosts/alice/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/hosts/alice/etc/ipsec.d/cacerts/strongswanCert.pem
index 0de3b268d..0865ad22e 100644
--- a/testing/hosts/alice/etc/ipsec.d/cacerts/strongswanCert.pem
+++ b/testing/hosts/alice/etc/ipsec.d/cacerts/strongswanCert.pem
@@ -1,7 +1,7 @@
 -----BEGIN CERTIFICATE-----
-MIIDtTCCAp2gAwIBAgIBADANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
+MIIDuDCCAqCgAwIBAgIBADANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA0MDkxMDExMDE0NVoXDTE0MDkwODExMDE0NVowRTELMAkGA1UE
+b290IENBMB4XDTA0MDkxMDEwMDExOFoXDTE5MDkwNzEwMDExOFowRTELMAkGA1UE
 BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9u
 Z1N3YW4gUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL/y
 X2LqPVZuWLPIeknK86xhz6ljd3NNhC2z+P1uoCP3sBMuZiZQEjFzhnKcbXxCeo2f
@@ -9,14 +9,14 @@ FnvhOOjrrisSuVkzuu82oxXD3fIkzuS7m9V4E10EZzgmKWIf+WuNRfbgAuUINmLc
 4YGAXBQLPyzpP4Ou48hhz/YQo58Bics6PHy5v34qCVROIXDvqhj91P8g+pS+F21/
 7P+CH2jRcVIEHZtG8M/PweTPQ95dPzpYd2Ov6SZ/U7EWmbMmT8VcUYn1aChxFmy5
 gweVBWlkH6MP+1DeE0/tL5c87xo5KCeGK8Tdqpe7sBRC4pPEEHDQciTUvkeuJ1Pr
-K+1LwdqRxo7HgMRiDw8CAwEAAaOBrzCBrDAPBgNVHRMBAf8EBTADAQH/MAsGA1Ud
-DwQEAwIBBjAdBgNVHQ4EFgQUXafdcAZRMn7ntm2zteXgYOouTe8wbQYDVR0jBGYw
-ZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYD
-VQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3Qg
-Q0GCAQAwDQYJKoZIhvcNAQEEBQADggEBAJrXTj5gWS37myHHhii9drYwkMFyDHS/
-lHU8rW/drcnHdus507+qUhNr9SiEAHg4Ywj895UDvT0a1sFaw44QyEa/94iKA8/n
-+g5kS1IrKvWu3wu8UI3EgzChgHV3cncQlQWbK+FI9Y3Ax1O1np1r+wLptoWpKKKE
-UxsYcxP9K4Nbyeon0AIHOajUheiL3t6aRc3m0o7VU7Do6S2r+He+1Zq/nRUfFeTy
-0Atebkn8tmUpPSKWaXkmwpVNrjZ1Qu9umAU+dtJyhzL2zmnyhPC4VqpsKCOp7imy
-gKZvUIKPm1zyf4T+yjwxwkiX2xVseoM3aKswb1EoZFelHwndU7u0GQ8=
+K+1LwdqRxo7HgMRiDw8CAwEAAaOBsjCBrzASBgNVHRMBAf8ECDAGAQH/AgEBMAsG
+A1UdDwQEAwIBBjAdBgNVHQ4EFgQUXafdcAZRMn7ntm2zteXgYOouTe8wbQYDVR0j
+BGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNIMRkw
+FwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJv
+b3QgQ0GCAQAwDQYJKoZIhvcNAQELBQADggEBACOSmqEBtBLR9aV3UyCI8gmzR5in
+Lte9aUXXS+qis6F2h2Stf4sN+Nl6Gj7REC6SpfEH4wWdwiUL5J0CJhyoOjQuDl3n
+1Dw3dE4/zqMZdyDKEYTU75TmvusNJBdGsLkrf7EATAjoi/nrTOYPPhSUZvPp/D+Y
+vORJ9Ej51GXlK1nwEB5iA8+tDYniNQn6BD1MEgIejzK+fbiy7braZB1kqhoEr2Si
+7luBSnU912sw494E88a2EWbmMvg2TVHPNzCpVkpNk7kifCiwmw9VldkqYy9y/lCa
+Epyp7lTfKw7cbD04Vk8QJW782L6Csuxkl346b17wmOqn8AZips3tFsuAY3w=
 -----END CERTIFICATE-----
diff --git a/testing/hosts/alice/etc/ipsec.d/certs/aliceCert.pem b/testing/hosts/alice/etc/ipsec.d/certs/aliceCert.pem
index e99ae8ec7..49fe4b80b 100644
--- a/testing/hosts/alice/etc/ipsec.d/certs/aliceCert.pem
+++ b/testing/hosts/alice/etc/ipsec.d/certs/aliceCert.pem
@@ -1,25 +1,25 @@
 -----BEGIN CERTIFICATE-----
-MIIEHzCCAwegAwIBAgIBBTANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
+MIIEHzCCAwegAwIBAgIBGTANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA0MDkxMDExMjQzOVoXDTA5MDkwOTExMjQzOVowVzELMAkGA1UE
+b290IENBMB4XDTA5MDgyNzEwMDcyNFoXDTE0MDgyNjEwMDcyNFowVzELMAkGA1UE
 BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsTBVNhbGVz
 MR0wGwYDVQQDFBRhbGljZUBzdHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcNAQEB
-BQADggEPADCCAQoCggEBAK7FyvkE18/oujCaTd8GXBNOH+Cvoy0ibJ8j2sNsBrer
-GS1lgxRs8zaVfK9fosadu0UZeWIHsOKkew5469sPvkKK2SGGH+pu+x+xO/vuaEG4
-FlkAu8iGFWLQycLt6BJfcqw7FT8rwNuD18XXBXmP7hRavi/TEElbVYHbO7lm8T5W
-6hTr/sYddiSB7X9/ba7JBy6lxmBcUAx5bjiiHLaW/llefkqyhc6dw5nvPZ2DchvH
-v/HWvLF9bsvxbBkHU0/z/CEsRuMBI7EPEL4rx3UqmuCUAqiMJTS3IrDaIlfJOLWc
-KlbsnE6hHpwmt9oDB9iWBY9WeZUSAtJGFw4b7FCZvQ0CAwEAAaOCAQYwggECMAkG
-A1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBRZmh0JtiNTjBsQsfD7ECNa
-60iG2jBtBgNVHSMEZjBkgBRdp91wBlEyfue2bbO15eBg6i5N76FJpEcwRTELMAkG
+BQADggEPADCCAQoCggEBANiNakgR5pct0NqirfPJEb9e3YZkYHvqZ/RUJ6Ea9ZGE
+8KuQxGAHuLWqaf/3GrL/LYIs1fTJ7JTNMu+PSec8kf9I5AxItPzb+uSwI9hXQxhl
+NJ8V+Zjs9Q3GX/59wS3DcHF4i8b88I/f7aLGwHOoRyT/UZPXPGIrHS9UWh/50//Q
+/GLreivoW65Cfj7oNi3wMTYwZB5MyPY5q9MRcYyEPa0GNM0GzzYfIEkQz8nuSL/q
+WQrmLmlS6Ktw5L3HXsUaKinGt0xI7jLGWh4ysnrjMNxKzRt2LITqSPtoTTR2JB6a
+5/6544mB2FGErpSd/LgGTmwzOgloZLpsQgsN6xjpUvsCAwEAAaOCAQYwggECMAkG
+A1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBQF2gQgjAL0KEcKz2x3LQZm
+E9qGPDBtBgNVHSMEZjBkgBRdp91wBlEyfue2bbO15eBg6i5N76FJpEcwRTELMAkG
 A1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0
 cm9uZ1N3YW4gUm9vdCBDQYIBADAfBgNVHREEGDAWgRRhbGljZUBzdHJvbmdzd2Fu
 Lm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3Jn
-L3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBBAUAA4IBAQADdQIlJkFtmHEjtuyo
-2aIcrsUx98FtvVgB7RpQB8JZlly7UEjvX0CIIvW/7Al5/8h9s1rhrRffX7nXQKAQ
-AmPnvD2Pp47obDnHqm/L109S1fcL5BiPN1AlgsseUBwzdqBpyRncPXZoAuBh/BU5
-D/1Dip0hXgB/X6+QymSzRJoSKfpeXVICj1kYH1nIkn0YXthYF3BTrCheCzBlKn0S
-CixbCUYsUjtSqld0nG76jyGb/gnWntNettH+RXWe1gm6qREJwfEFdeYviTqx2Uxi
-6sBKG/XjNAcMArXb7V6w0YAwCyjwCl49B+mLZaFH+9izzBJ7NyVqhH8ToB1gt0re
-JGhV
+L3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQBWv4PhHGVpiLF5M3Rn
+qQLSoRFjKqn3N9We81RWwVRpBzwoUEaHizelaVct9FJg6t7Fk/D8F0wag5EFKlcg
+KQ8fd/0qLE393uwGb4Dvql2w49NFFDUsk5FC+pMUDAYsWHyFu26WKY5kfaMwNMNJ
+HK6e4m6+Wmoy5ulkatwDJRDqkyG11YJ/p0n0HAG1DBJoL9079U+xQxT+9a2f7TaO
+B/UbQNOvOgqaddk5uUDTjqnY/bltbAAuuI1ZNMrPCCNUorcdhySJb1tlF/JXTTB6
+N60XqYRYnk5T1yftNU0AA26ggskv4MMDwgYCGsyZuCX9vW+XsArRQJ5fsSZDiO7R
+8FT2
 -----END CERTIFICATE-----
diff --git a/testing/hosts/alice/etc/ipsec.d/private/aliceKey.pem b/testing/hosts/alice/etc/ipsec.d/private/aliceKey.pem
index 045ef0405..51f9c0d92 100644
--- a/testing/hosts/alice/etc/ipsec.d/private/aliceKey.pem
+++ b/testing/hosts/alice/etc/ipsec.d/private/aliceKey.pem
@@ -1,27 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEArsXK+QTXz+i6MJpN3wZcE04f4K+jLSJsnyPaw2wGt6sZLWWD
-FGzzNpV8r1+ixp27RRl5Ygew4qR7Dnjr2w++QorZIYYf6m77H7E7++5oQbgWWQC7
-yIYVYtDJwu3oEl9yrDsVPyvA24PXxdcFeY/uFFq+L9MQSVtVgds7uWbxPlbqFOv+
-xh12JIHtf39trskHLqXGYFxQDHluOKIctpb+WV5+SrKFzp3Dme89nYNyG8e/8da8
-sX1uy/FsGQdTT/P8ISxG4wEjsQ8QvivHdSqa4JQCqIwlNLcisNoiV8k4tZwqVuyc
-TqEenCa32gMH2JYFj1Z5lRIC0kYXDhvsUJm9DQIDAQABAoIBAEsjnnARNPeeBu5+
-aJxKD6v9Gpdu66ir9Cc3MwZxmzG7zcdGrWRKswX0nvaHF2Rsy+aZXSZYSCQosv81
-3bEAw7u4FkHjeDVCIZUujatyhEA89N6vAgzkGK2zNgsoXW4IuzRw8mGGXhQCSvIz
-z5bD2ofFu560D3x6V/jMWJENQQqbfWuD27OI+bZp92K2DGM6MoSbdNnd886F2oWR
-4pQfrwoxmSm7JFFARoe4t6pZPy4G+5jjnrhB3kblxONaV297nvSby9Ctfke7oOkM
-A3JpzNzEmrjjb2M8GKkYmbm6P+0ARdYIToD0sFpbRCdjJAKLadwNNnk2kijxPvQh
-HNHGy8ECgYEA2uD922oiNaIvBR+rJ/zRsJg7Dth+upGePiieOZdS0S/dZUFEXuK7
-PdLZOcelQP2fIFRdODLEpkkOii292Ej3zixgzu9QYSfCdhcOoeV+RiAC7XEBBMqc
-gFI1DdL91KGSmMNZ+B8yocA31pwQQsVFDUpvgqpA8fxsZkRI9oVSiOsCgYEAzGna
-At/Kk9AQfiM7fpjBygYUt1ZErHsPJhLPVXmqx7+FuB2+RQvTMBS4sRdG6yC4Kd1y
-CNIo83Yzv2IQGyNOCcGr60OPeqzTSQ6AUn7VxMY5EJZ880nfXBud7mj+CbyFi48V
-Sh2qziF18aUYm7z4eJCTpLlFjPzHcoU1ORM0U+cCgYEAzCWp4Kp/OdMJVBgThXpz
-AekavGAE43LKS2OLIGAZqG6iaryTToTe62zrms6xPYrQjlDhmXcQn5/oZc0AEukL
-6ErQCHKBX/y7jXU3+pyYSEO3N0t9DcEEc1M5lKlEgrwohT8/fQNsMB2edxacvApO
-u3S/yPmPFaTAXio2e2gicP0CgYEAp3PjM02PDu14RUypdTjAL7YxjErwcPdSXpc0
-H8pOm9mKOlyrPLbGJ3IiJnhyETW5iBovS4iWIXNoStSTaxfN2vI72rt6sz0WzJdD
-idD7X3oezzboXwjaIANDqkV6LhGwuLXa898/yCLjErRzZ0kzptiRCnT3w9pjrK3w
-/rN7v2sCgYAEwfgrwjb7+JUaSSaf6TlbM9/ZuTRBVN0OTQz2JVhokeAePeFjHzXt
-nzJI2ETYlIu6e1VaFzHb6dp84PzWfLV7Kk8hZqJeCQN4RmQ04oNBllWoOZPbN7oa
-8pAMk/DCsBxcM/GvnDQJlDVLQRyY64zJU8EI0rF1t+zosIyGtXom/A==
+MIIEpAIBAAKCAQEA2I1qSBHmly3Q2qKt88kRv17dhmRge+pn9FQnoRr1kYTwq5DE
+YAe4tapp//casv8tgizV9MnslM0y749J5zyR/0jkDEi0/Nv65LAj2FdDGGU0nxX5
+mOz1DcZf/n3BLcNwcXiLxvzwj9/tosbAc6hHJP9Rk9c8YisdL1RaH/nT/9D8Yut6
+K+hbrkJ+Pug2LfAxNjBkHkzI9jmr0xFxjIQ9rQY0zQbPNh8gSRDPye5Iv+pZCuYu
+aVLoq3DkvcdexRoqKca3TEjuMsZaHjKyeuMw3ErNG3YshOpI+2hNNHYkHprn/rnj
+iYHYUYSulJ38uAZObDM6CWhkumxCCw3rGOlS+wIDAQABAoIBAFh3/ZGP7pqYlxib
+GWHdJSj/gpTi8R/utaV1s/L3ZpearhAJRpDM1sMw6bkupHO4GEl0M7ybudFYu5Ru
+/4w+jI60oqX6FiavYCKJazt4+uo+fm73tU6qj7qe7pyzl3YwwAE7dC9JKqY8n4K+
+m+UkPFx7CkLRzdN1NakeVut1TwzU/cUtAV8iY1yEtw/KyiyL/I7aJ3zZ1pg+5kRS
+JLKDrRlf0xQ+I7AY12XrSimbLqxmyVmWq74Fm/YAWGgvi/Nx04Zg/C4wp4A+izFt
+N8zWjktY1brRrCnRfUEcevv5hPqFxfOPFmB9x7mX/8eH5v2T+XR9swoF92xWHxQ5
+7tcB4NECgYEA69dBy4God5TW1FyT7DbgKHd7BVtOVLjsbQxc8UNBN/mHemUGMs1v
+lemW0ZPddU2/rqd3jlZuP4zv/6D9OZ0omi8auejO2WwAbut6JBX+dlvF9+owyU3h
+CraycFaxZIMn+JzXbIunmVUrVE1QvpBFaNXlC47cO8CmQlMV0nChzZ8CgYEA6xAV
+F1L0iqISsCu0q1iM4LtHVT944o815B8RlREOPxROXJaJQ8phVQgT5PXRkHZDn55Z
+mKqkAX2KwjBQj0KfUvmJ6D8T6OZOe08/oSwiBrBpSQsH3AA7mmDXyT3gRsma0jnj
+cNGjecG9VXbJiZnBetGdLuvSnVYfdkcw4atthSUCgYEAhaFMaJEo8cjmCSIDtt5J
+GOTKUfiwY5T8cbWFnDatZ5f9yb4gSvzYcysOB+Yun17Uc5P0TDRw95VWD5Qap2CD
+NwnlrN1bBxsJC9BlPrkvm8TYYWbTCd0U3Es0xC57CSa/qUDFV32yE1GM4ZGFZNS+
+X26C/4+M/lZkXkRRoxGqvKUCgYEAugOyDRESf5qeG1ea03Vxlm3dlzJxYShfRzTm
+3wXuNjDFijN+UG0Y9Qc9ZxS4UA+ml+vhjxSKULueUOmW9qeMGUdrwKQaB1YpiR8/
+hTW9f3me97SI9aohgJteZ9xVXO8xW2d/+smLClEsmTM1bXSFTcIPFxB7TRLYNutD
+XXIhaxkCgYBEQECMTKNZcGf67fjmA6PMpMGlwbVGmyXYYK4I+IRNUFWyrpNalmr/
+LXj7m1EYcx4BK7BrpDUgnm8q37BAwYOioLJFWLK58iW1B+Qvg6jlwnr+ZaYhZx94
+D/SL9GuQQTQtxlFex4Wale7R8xNdt7xuVJD6pE3mFVkXN4+OrI+EWQ==
 -----END RSA PRIVATE KEY-----
diff --git a/testing/hosts/alice/etc/strongswan.conf b/testing/hosts/alice/etc/strongswan.conf
index 4e52c6a6b..ba5dbdd1d 100644
--- a/testing/hosts/alice/etc/strongswan.conf
+++ b/testing/hosts/alice/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac gmp pubkey random curl
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/hosts/bob/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/hosts/bob/etc/ipsec.d/cacerts/strongswanCert.pem
index 0de3b268d..0865ad22e 100644
--- a/testing/hosts/bob/etc/ipsec.d/cacerts/strongswanCert.pem
+++ b/testing/hosts/bob/etc/ipsec.d/cacerts/strongswanCert.pem
@@ -1,7 +1,7 @@
 -----BEGIN CERTIFICATE-----
-MIIDtTCCAp2gAwIBAgIBADANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
+MIIDuDCCAqCgAwIBAgIBADANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA0MDkxMDExMDE0NVoXDTE0MDkwODExMDE0NVowRTELMAkGA1UE
+b290IENBMB4XDTA0MDkxMDEwMDExOFoXDTE5MDkwNzEwMDExOFowRTELMAkGA1UE
 BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9u
 Z1N3YW4gUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL/y
 X2LqPVZuWLPIeknK86xhz6ljd3NNhC2z+P1uoCP3sBMuZiZQEjFzhnKcbXxCeo2f
@@ -9,14 +9,14 @@ FnvhOOjrrisSuVkzuu82oxXD3fIkzuS7m9V4E10EZzgmKWIf+WuNRfbgAuUINmLc
 4YGAXBQLPyzpP4Ou48hhz/YQo58Bics6PHy5v34qCVROIXDvqhj91P8g+pS+F21/
 7P+CH2jRcVIEHZtG8M/PweTPQ95dPzpYd2Ov6SZ/U7EWmbMmT8VcUYn1aChxFmy5
 gweVBWlkH6MP+1DeE0/tL5c87xo5KCeGK8Tdqpe7sBRC4pPEEHDQciTUvkeuJ1Pr
-K+1LwdqRxo7HgMRiDw8CAwEAAaOBrzCBrDAPBgNVHRMBAf8EBTADAQH/MAsGA1Ud
-DwQEAwIBBjAdBgNVHQ4EFgQUXafdcAZRMn7ntm2zteXgYOouTe8wbQYDVR0jBGYw
-ZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYD
-VQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3Qg
-Q0GCAQAwDQYJKoZIhvcNAQEEBQADggEBAJrXTj5gWS37myHHhii9drYwkMFyDHS/
-lHU8rW/drcnHdus507+qUhNr9SiEAHg4Ywj895UDvT0a1sFaw44QyEa/94iKA8/n
-+g5kS1IrKvWu3wu8UI3EgzChgHV3cncQlQWbK+FI9Y3Ax1O1np1r+wLptoWpKKKE
-UxsYcxP9K4Nbyeon0AIHOajUheiL3t6aRc3m0o7VU7Do6S2r+He+1Zq/nRUfFeTy
-0Atebkn8tmUpPSKWaXkmwpVNrjZ1Qu9umAU+dtJyhzL2zmnyhPC4VqpsKCOp7imy
-gKZvUIKPm1zyf4T+yjwxwkiX2xVseoM3aKswb1EoZFelHwndU7u0GQ8=
+K+1LwdqRxo7HgMRiDw8CAwEAAaOBsjCBrzASBgNVHRMBAf8ECDAGAQH/AgEBMAsG
+A1UdDwQEAwIBBjAdBgNVHQ4EFgQUXafdcAZRMn7ntm2zteXgYOouTe8wbQYDVR0j
+BGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNIMRkw
+FwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJv
+b3QgQ0GCAQAwDQYJKoZIhvcNAQELBQADggEBACOSmqEBtBLR9aV3UyCI8gmzR5in
+Lte9aUXXS+qis6F2h2Stf4sN+Nl6Gj7REC6SpfEH4wWdwiUL5J0CJhyoOjQuDl3n
+1Dw3dE4/zqMZdyDKEYTU75TmvusNJBdGsLkrf7EATAjoi/nrTOYPPhSUZvPp/D+Y
+vORJ9Ej51GXlK1nwEB5iA8+tDYniNQn6BD1MEgIejzK+fbiy7braZB1kqhoEr2Si
+7luBSnU912sw494E88a2EWbmMvg2TVHPNzCpVkpNk7kifCiwmw9VldkqYy9y/lCa
+Epyp7lTfKw7cbD04Vk8QJW782L6Csuxkl346b17wmOqn8AZips3tFsuAY3w=
 -----END CERTIFICATE-----
diff --git a/testing/hosts/bob/etc/ipsec.d/certs/bobCert.pem b/testing/hosts/bob/etc/ipsec.d/certs/bobCert.pem
index 199d3eee2..00ecd5a2d 100644
--- a/testing/hosts/bob/etc/ipsec.d/certs/bobCert.pem
+++ b/testing/hosts/bob/etc/ipsec.d/certs/bobCert.pem
@@ -1,25 +1,25 @@
 -----BEGIN CERTIFICATE-----
-MIIEHjCCAwagAwIBAgIBBjANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
+MIIEHjCCAwagAwIBAgIBGjANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA0MDkxMDExMjUzNFoXDTA5MDkwOTExMjUzNFowWDELMAkGA1UE
+b290IENBMB4XDTA5MDgyNzEwMDgxOFoXDTE0MDgyNjEwMDgxOFowWDELMAkGA1UE
 BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
 cmNoMRswGQYDVQQDFBJib2JAc3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3DQEB
-AQUAA4IBDwAwggEKAoIBAQDAJaejS3/lJfQHgw0nzvotgSQS8ey/6tvbx7s5RsWY
-27x9K5xd44aPrvP2Qpyq34IXRY6uPlIqeUTQN7EKpLrWCxMOT36x5N0Co9J5UWRB
-fJC141D+8+1RwJ9/baEIecpCvb0GfDOX0GXN5ltcJk82hZjE4y1yHC1FN7V3zdRg
-xmloupPuon+X3bTmyMQ93NKkg48CQGtqtfwQ0MqPiOWu8MBhdztfOyu6aW3EgviF
-ithLc02SeNzlpqB3M8GDfX+mr3OVDhhhC2OI+VRlZzz7KxJ13DUR2KkvLZR8Ak4E
-5lRjkUnTYd/f3OQYxfjC8idUmj5ojR6Fb0x1tsV/glzXAgMBAAGjggEEMIIBADAJ
-BgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQUaLN5EPOkOkVU3J1Ud0sl
-+27OOHswbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJ
+AQUAA4IBDwAwggEKAoIBAQDXwxTtozmxKaUhC0T5HvxVShfM5jQQKwIzSVAZeXUp
+BgQ2uLT9Hn/J7boaUIE1Xf11zCRIlcy5Xkupha2gfqEmRbefYAOr/NFuC4pPEDeJ
+jWg/miCZo9/DH2iWvCvU4GCcrY/LKDeDoKL9fc9H5FTtA/Y1ugbooOO1yoV04eot
+MmvmYcqUtCX+h/Of9xM0w0m6aoDIXAhjcKEPMg/WL5acWuVVaWONa+x7HoQUDe+9
+MgoB1VmaoB77VYaK72jBhbvonF8GjEb3RiukfuMIOk5yN9OHzA9ODJbTDvSmmQkt
+h/oEHAL/tzOQ2zjEptsKvwq/3drGbdREO/cp39I5/ZRFAgMBAAGjggEEMIIBADAJ
+BgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQUYUK/uIcou7BS8ODHk9Ro
+PGJP1FcwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJ
 BgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJz
 dHJvbmdTd2FuIFJvb3QgQ0GCAQAwHQYDVR0RBBYwFIESYm9iQHN0cm9uZ3N3YW4u
 b3JnMDkGA1UdHwQyMDAwLqAsoCqGKGh0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcv
-c3Ryb25nc3dhbi5jcmwwDQYJKoZIhvcNAQEEBQADggEBAIyQLLxdeO8clplzRW9z
-TRR3J0zSedvi2XlIZ/XCsv0ZVfoBLLWcDp3QrxNiVZXvXXtzjPsDs+DAveZF9LGq
-0tIw1uT3JorbgNNrmWvxBvJoQTtSw4LQBuV7vF27jrposx3Hi5qtUXUDS6wVnDUI
-5iORqsrddnoDuMN+Jt7oRcvKfYSNwTV+m0ZAHdB5a/ARWO5UILOrxEA/N72NcDYN
-NdAd+bLaB38SbkSbh1xj/AGnrHxdJBF4h4mx4btc9gtBSh+dwBHOsn4TheqJ6bbw
-7FlXBowQDCJIswKNhWfnIepQlM1KEzmq5YX43uZO2b7amRaIKqy2vNE7+UNFYBpE
-Mto=
+c3Ryb25nc3dhbi5jcmwwDQYJKoZIhvcNAQELBQADggEBAEIkmrK7GPm4H/FAEVCN
+775XpuofsfGjT/bO/aPCqb+uPwwcKeUfxzICQDEqMv+mtxGuLjtfmTWwUcoPMgN+
+2HZDJGa1+kK2VLUz3QBIQXSdusbITb0ND/xCvbGwsk9y/0DGBnAo3xNBNM73ZQ8k
+/A7mQ2nnQfzI9gQ342FOuTTb/kwrVNixQI3dhvf6Th5Dj5rZfQs6c09+9jRLGBFx
+g7qQ1gej0fi6XYX4cSNwluu/Vo6xT5epEeTU5KoYn0mtOqFx6AY8xzIqQLvY4m8g
+viGoGRqId1gqNiEfshb8KICPI29WyiBRzMKO6reeb+446A9CSLgMW0Ze3SCRXrjr
+2nQ=
 -----END CERTIFICATE-----
diff --git a/testing/hosts/bob/etc/ipsec.d/private/bobKey.pem b/testing/hosts/bob/etc/ipsec.d/private/bobKey.pem
index 42af98bb0..e74392bce 100644
--- a/testing/hosts/bob/etc/ipsec.d/private/bobKey.pem
+++ b/testing/hosts/bob/etc/ipsec.d/private/bobKey.pem
@@ -1,27 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEAwCWno0t/5SX0B4MNJ876LYEkEvHsv+rb28e7OUbFmNu8fSuc
-XeOGj67z9kKcqt+CF0WOrj5SKnlE0DexCqS61gsTDk9+seTdAqPSeVFkQXyQteNQ
-/vPtUcCff22hCHnKQr29Bnwzl9BlzeZbXCZPNoWYxOMtchwtRTe1d83UYMZpaLqT
-7qJ/l9205sjEPdzSpIOPAkBrarX8ENDKj4jlrvDAYXc7XzsrumltxIL4hYrYS3NN
-knjc5aagdzPBg31/pq9zlQ4YYQtjiPlUZWc8+ysSddw1EdipLy2UfAJOBOZUY5FJ
-02Hf39zkGMX4wvInVJo+aI0ehW9MdbbFf4Jc1wIDAQABAoIBAGbSP5jUiAYZfzKd
-4GZTDfFXz/QLXcN9bFV51ihaRNb9jyn0MmLTpGgzGP3Iu4l8vWKyqB154AI2jqpV
-gvnNGOX9Wx8nTwbnD5WgELs24M1iWRXcJLWp1m8PAsrv4WJlueRpIEPeJsWwkSnT
-gUQYg/8LEqsZXnJXvanym7sWe/Wkh8i/UyMQJv7zwS+TZ5qeKRfSVo8/9622Ppsh
-n+zKFKnTUhiICUHFed4qZWyVR6NVyuzIYjeQy+VmBa5AOzmF549Izg6llwNrvJ8g
-DiIKSdtblMrN5OlmTra8LGn2QmlETipRb+4qx+MasbVI8pM1VMMQtBGAJYjhpC51
-rX/RLLECgYEA/Qk9PlUfw2aTA7I6a93pcjhUFTnKFVe9RdrwY7mds5t7dOAPcRBj
-5wnIv+OhVszoEo/uOPrgWmBu3ifkmcpPTe4NREFEVA99NOadiJDI/7oAj/Is4c5t
-CEb/zHTqKtYMVDrjwhszuPD3m2KNIJ38y4gkkrWT071xQBciztWhvYUCgYEAwmXV
-DFoNagTrNhf7Ep5sUek0O3nXPXY/cYKnKhlloUP41ftLbNvZ02qBQ6zqxPHtjGlB
-5sPeRQMFbVbmyb+97oa3Mrui1TPiTa5IBPyD36Gg0nFx+xLeXTsy8O8leoFcq02D
-1SDSye+fEdj2uYr+f33CIknQHUR4/xkOikgSQasCgYEAzTjOHBzsGw25VLkbmtqr
-eIDo6SIqnS7BCsPsTeWAWuhSs9L5kyjI7dxIniEffIfJ/SwQ+NO4XHRz1ugiBv1H
-Xpwg1Gfe5BJ/6QTVZaqP6qBPzm+LKUTDt3/l/Uwhk8Zwz2vHx2lKhMei+rpuXbLl
-EaoEh5yPHZ87F9Dr4Tbw7AUCgYAjtFpmE2AlWdPtsofdypUwkjmStvUuh7ptWcbk
-N5fv/7EDdE1NKDAg4Y3uZSMVmy27PVXqUY1QdZaYl356DaqP1dRuEAJ/UDE/fUQj
-DlIWT/Re0pFRwQxwaUAY+oOStZHUsL8G9SliB43a1FO0jm/h8LIoZBBCX+ItUGfY
-RBZ+UwKBgCToB2oPwDfrfCkScNozV7GPfcmHTR5bvvpYgRMGyuE1hAwLIWW9V4u9
-1Bp1vCR/C4kiUSBpYsGXLRqJ1GURueQoEbREE4ZvkmNV+t40uX3Fd8/OchAGi934
-0jYmd3dvN4MtF7O02YwpBzuH/wAwdxK0iDbdv+KEZb7TLdL37IN1
+MIIEpQIBAAKCAQEA18MU7aM5sSmlIQtE+R78VUoXzOY0ECsCM0lQGXl1KQYENri0
+/R5/ye26GlCBNV39dcwkSJXMuV5LqYWtoH6hJkW3n2ADq/zRbguKTxA3iY1oP5og
+maPfwx9olrwr1OBgnK2Pyyg3g6Ci/X3PR+RU7QP2NboG6KDjtcqFdOHqLTJr5mHK
+lLQl/ofzn/cTNMNJumqAyFwIY3ChDzIP1i+WnFrlVWljjWvsex6EFA3vvTIKAdVZ
+mqAe+1WGiu9owYW76JxfBoxG90YrpH7jCDpOcjfTh8wPTgyW0w70ppkJLYf6BBwC
+/7czkNs4xKbbCr8Kv93axm3URDv3Kd/SOf2URQIDAQABAoIBAQC/GZwptk5c6ePF
+1rNqatVXvV5DLwmh4FX8ksyNI5Rvl1KYHRTAtAi/Ev2oXPF0ESFy+jKQz40aCbi+
+FxZndoDI4yr10BaweCYOb846pMRr4oEZBCwnqIuByQnbqCKyU2F+pAMeDyrMPLTg
+DFRQ+p11p/KkN3XzCL1mwE9f7NB64fIwIaoAPb5EzELq3SXbBn1MCDPcvZEeyqUW
+jW9OGe2hmen7Vk7JLE+2XU6Wyo6X4RWkj2lpOxofuxff4pI+xoiWmZxV93FzZoCo
+R55TP0AtgyRUQyRrSgSV8T34sZI79ZBt1N6JBdnOl8sl4niQu5laBKJGKWnEiiPE
+w7vUmHLBAoGBAP45AScORw0eb8K4Xy1UAaWZnSzN4z35QxkjelQ05Hkd9lrpwRBz
+Us2Yo35spvaI+/sYmnYC6vdnFRTdhVfHY4uTyODWOawhMM1mnWoRo0MohCyBBOjZ
+XGeOROWV4uGld6dLj4zoKfDWyw2y9ChT8kxidSmJajxese6DovTv1ov5AoGBANlF
+PgRyOCUZK5I1XTzkbt4GMUrRh3gAnTM84enjJHtxo+IZuwhVA8wgfl6k+LXAP49k
+si3HnmsAAezqFJOapbBf9zZSCTPTYDFk9qyu8TXw32K48obhb3Ns80Ba4sqVCixo
+K3NpOE5OaNxEdBHmi39RJf1fyUNZ+u+cz4xXdiWtAoGAChXo3cvLNdIHTQpTfFDg
+39kAS06/vS2uY8jsiXqvtb5ij6jGaAirOEzd754P4af9lzCasCPdfoMwaut+5sSa
+RmdOiNz23MVUUlHH3PVmLLvmwn073KEC8XjLcvBHV/xgitqMj2KGh29+DsUSuqbZ
+7f3Z+BPjixGWrYe7Z0w8jsECgYEA1a/MNwM/RP1kZQAnG2Rvxd3BTRyWZ+fytBoE
+9st3bhFuZUl5MdCrU3AB2YPXOKpD2PvoYi4aGJKBUklGw4UtwDIiKUK12kriKLJs
+CZplke+9RJMxtIaz3oohFAJPW38J6nLpiTDLN/jWGQ0aOyDLwgRFoNU8VQmCS3em
+iRjcEmECgYEAgyrUsD+qScWzS3GvkZITcy20+iCVfxXH8ZznNVHGFoFZ+3uu/kH+
+u0yXPXPux2t5P2+Ybm4ojV09/QWaJgHVoL7PBiyk5AhXO0A1EK0NG8uJeYaMthJk
+D6RrYXqdmKrSEDTh2DvE6W149sRgO2Z3b0FGgzjYjhSFF/ePZxAFiIQ=
 -----END RSA PRIVATE KEY-----
diff --git a/testing/hosts/bob/etc/strongswan.conf b/testing/hosts/bob/etc/strongswan.conf
index 4e52c6a6b..ba5dbdd1d 100644
--- a/testing/hosts/bob/etc/strongswan.conf
+++ b/testing/hosts/bob/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac gmp pubkey random curl
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
index 0de3b268d..0865ad22e 100644
--- a/testing/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
+++ b/testing/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
@@ -1,7 +1,7 @@
 -----BEGIN CERTIFICATE-----
-MIIDtTCCAp2gAwIBAgIBADANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
+MIIDuDCCAqCgAwIBAgIBADANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA0MDkxMDExMDE0NVoXDTE0MDkwODExMDE0NVowRTELMAkGA1UE
+b290IENBMB4XDTA0MDkxMDEwMDExOFoXDTE5MDkwNzEwMDExOFowRTELMAkGA1UE
 BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9u
 Z1N3YW4gUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL/y
 X2LqPVZuWLPIeknK86xhz6ljd3NNhC2z+P1uoCP3sBMuZiZQEjFzhnKcbXxCeo2f
@@ -9,14 +9,14 @@ FnvhOOjrrisSuVkzuu82oxXD3fIkzuS7m9V4E10EZzgmKWIf+WuNRfbgAuUINmLc
 4YGAXBQLPyzpP4Ou48hhz/YQo58Bics6PHy5v34qCVROIXDvqhj91P8g+pS+F21/
 7P+CH2jRcVIEHZtG8M/PweTPQ95dPzpYd2Ov6SZ/U7EWmbMmT8VcUYn1aChxFmy5
 gweVBWlkH6MP+1DeE0/tL5c87xo5KCeGK8Tdqpe7sBRC4pPEEHDQciTUvkeuJ1Pr
-K+1LwdqRxo7HgMRiDw8CAwEAAaOBrzCBrDAPBgNVHRMBAf8EBTADAQH/MAsGA1Ud
-DwQEAwIBBjAdBgNVHQ4EFgQUXafdcAZRMn7ntm2zteXgYOouTe8wbQYDVR0jBGYw
-ZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYD
-VQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3Qg
-Q0GCAQAwDQYJKoZIhvcNAQEEBQADggEBAJrXTj5gWS37myHHhii9drYwkMFyDHS/
-lHU8rW/drcnHdus507+qUhNr9SiEAHg4Ywj895UDvT0a1sFaw44QyEa/94iKA8/n
-+g5kS1IrKvWu3wu8UI3EgzChgHV3cncQlQWbK+FI9Y3Ax1O1np1r+wLptoWpKKKE
-UxsYcxP9K4Nbyeon0AIHOajUheiL3t6aRc3m0o7VU7Do6S2r+He+1Zq/nRUfFeTy
-0Atebkn8tmUpPSKWaXkmwpVNrjZ1Qu9umAU+dtJyhzL2zmnyhPC4VqpsKCOp7imy
-gKZvUIKPm1zyf4T+yjwxwkiX2xVseoM3aKswb1EoZFelHwndU7u0GQ8=
+K+1LwdqRxo7HgMRiDw8CAwEAAaOBsjCBrzASBgNVHRMBAf8ECDAGAQH/AgEBMAsG
+A1UdDwQEAwIBBjAdBgNVHQ4EFgQUXafdcAZRMn7ntm2zteXgYOouTe8wbQYDVR0j
+BGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNIMRkw
+FwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJv
+b3QgQ0GCAQAwDQYJKoZIhvcNAQELBQADggEBACOSmqEBtBLR9aV3UyCI8gmzR5in
+Lte9aUXXS+qis6F2h2Stf4sN+Nl6Gj7REC6SpfEH4wWdwiUL5J0CJhyoOjQuDl3n
+1Dw3dE4/zqMZdyDKEYTU75TmvusNJBdGsLkrf7EATAjoi/nrTOYPPhSUZvPp/D+Y
+vORJ9Ej51GXlK1nwEB5iA8+tDYniNQn6BD1MEgIejzK+fbiy7braZB1kqhoEr2Si
+7luBSnU912sw494E88a2EWbmMvg2TVHPNzCpVkpNk7kifCiwmw9VldkqYy9y/lCa
+Epyp7lTfKw7cbD04Vk8QJW782L6Csuxkl346b17wmOqn8AZips3tFsuAY3w=
 -----END CERTIFICATE-----
diff --git a/testing/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/hosts/carol/etc/ipsec.d/certs/carolCert.pem
index 8492fbd45..6c41df9c7 100644
--- a/testing/hosts/carol/etc/ipsec.d/certs/carolCert.pem
+++ b/testing/hosts/carol/etc/ipsec.d/certs/carolCert.pem
@@ -1,25 +1,25 @@
 -----BEGIN CERTIFICATE-----
-MIIEIjCCAwqgAwIBAgIBCjANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
+MIIEIjCCAwqgAwIBAgIBHTANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA1MDEwMTIxNDMxOFoXDTA5MTIzMTIxNDMxOFowWjELMAkGA1UE
+b290IENBMB4XDTA5MDgyNzEwNDQ1MVoXDTE0MDgyNjEwNDQ1MVowWjELMAkGA1UE
 BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
 cmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcN
-AQEBBQADggEPADCCAQoCggEBALgbhJIECOCGyNJ4060un/wBuJ6MQjthK5CAEPgX
-T/lvZynoSxhfuW5geDCCxQes6dZPeb6wJS4F5fH3qJoLM+Z4n13rZlCEyyMBkcFl
-vK0aNFY+ARs0m7arUX8B7Pfi9N6WHTYgO4XpeBHLJrZQz9AU0V3S0rce/WVuVjii
-S/cJhrgSi7rl87Qo1jYOA9P06BZQLj0dFNcWWrGpKp/hXvBF1OSP9b15jsgMlCCW
-LJqXmLVKDtKgDPLJZR19mILhgcHvaxxD7craL9GR4QmWLb0m84oAIIwaw+0npZJM
-YDMMeYeOtcepCWCmRy+XmsqcWu4rtNCu05W1RsXjYZEKBjcCAwEAAaOCAQYwggEC
-MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBRVNeym66J5uu+IfxhD
-j9InsWdG0TBtBgNVHSMEZjBkgBRdp91wBlEyfue2bbO15eBg6i5N76FJpEcwRTEL
+AQEBBQADggEPADCCAQoCggEBANBdWU+BF7x4lyo+xHnr4UAOU89yQQuT5vdPoXzx
+6kRPsjYAuuktgXR+SaLkQHw/YRgDPSKj5nzmmlOQf/rWRr+8O2q+C92aUICmkNvZ
+Gamo5w2WlOMZ6T5dk2Hv+QM6xT/GzWyVr1dMYu/7tywD1Bw7aW/HqkRESDu6q95V
+Wu+Lzg6XlxCNEez0YsZrN/fC6BL2qzKAqMBbIHFW8OOnh+nEY4IF5AzkZnFrw12G
+I72Z882pw97lyKwZhSz/GMQFBJx+rnNdw5P1IJwTlG5PUdoDCte/Mcr1iiA+zOov
+x55x1GoGxduoXWU5egrf1MtalRf9Pc8Xr4q3WEKTAmsZrVECAwEAAaOCAQYwggEC
+MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBQfoamI2WSMtaCiVGQ5
+tPI9dF1ufDBtBgNVHSMEZjBkgBRdp91wBlEyfue2bbO15eBg6i5N76FJpEcwRTEL
 MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT
 EnN0cm9uZ1N3YW4gUm9vdCBDQYIBADAfBgNVHREEGDAWgRRjYXJvbEBzdHJvbmdz
 d2FuLm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4u
-b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBBAUAA4IBAQCxMEp+Zdclc0aI
-U+jO3TmL81gcwea0BUucjZfDyvCSkDXcXidOez+l/vUueGC7Bqq1ukDF8cpVgGtM
-2HPxM97ZSLPInMgWIeLq3uX8iTtIo05EYqRasJxBIAkY9o6ja6v6z0CZqjSbi2WE
-HrHkFrkOTrRi7deGzbAAhWVjOnAfzSxBaujkdUxb6jGBc2F5qpAeVSbE+sAxzmSd
-hRyF3tUUwl4yabBzmoedJzlQ4anqg0G14QScBxgXkq032gKuzNVVxWRp6OFannKG
-C1INvsBWYtN62wjXlXXhM/M4sBFhmPpftVb+Amgr1jSspTX2dQsNqhI/WtNvLmfK
-omBYfxqp
+b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQC8pqX3KrSzKeul
+GdzydAV4hGwYB3WiB02oJ2nh5MJBu7J0Kn4IVkvLUHSSZhSRxx55tQZfdYqtXVS7
+ZuyG+6rV7sb595SIRwfkLAdjbvv0yZIl4xx8j50K3yMR+9aXW1NSGPEkb8BjBUMr
+F2kjGTOqomo8OIzyI369z9kJrtEhnS37nHcdpewZC1wHcWfJ6wd9wxmz2dVXmgVQ
+L2BjXd/BcpLFaIC4h7jMXQ5FURjnU7K9xSa4T8PpR6FrQhOcIYBXAp94GiM8JqmK
+ZBGUpeP+3cy4i3DV18Kyr64Q4XZlzhZClNE43sgMqiX88dc3znpDzT7T51j+d+9k
+Rf5Z0GOR
 -----END CERTIFICATE-----
diff --git a/testing/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/hosts/carol/etc/ipsec.d/private/carolKey.pem
index 5a41744f6..41a139954 100644
--- a/testing/hosts/carol/etc/ipsec.d/private/carolKey.pem
+++ b/testing/hosts/carol/etc/ipsec.d/private/carolKey.pem
@@ -1,30 +1,30 @@
 -----BEGIN RSA PRIVATE KEY-----
 Proc-Type: 4,ENCRYPTED
-DEK-Info: DES-EDE3-CBC,1E1991A43D0778B7
+DEK-Info: AES-128-CBC,01290773006220E4E96C2975C52D2429
 
-MAsd1YBlHz54KjvBvhpwDBewinBkxBo/NmdsMetLIcV8Ag87YcKtTXYju+fbW21y
-DI12iPDQeS9tk17tS8qE5ubWmx/8n0fa5VCdLZ06JK6eeASXNoomXZh5rGsd42It
-sj0irWAnbIA3nFFWQl+Uz5pGZMse7aDSNyk1zs3xtywFIaditYIBsRhrTVmJ/bCK
-waVr++S2pwUHJ/phKoZQ8pwgF5KtYOZxdNtYIzfOZNMoplESR3+WYBYSuW8BKuOc
-QAign/BL2JVJLD4OpHQ68D8Su2sbh6ZYA5jslZLDgG9O7eiMbkCE+N8DmKO6wNAr
-zB5ILb4u5dIyTqun32tOENEhpZqDdMQtZZ34fRBze4IoMx9LrEOAHdZAQyyERP80
-iJCnH8BNf6FerA+XeDs4LVd1yrCklXKFINatqSRP/tNY3kruKw2Q7cAi2AFf+Rv6
-1lrvwK4MiLSHFtzcgEJuxm2bxeceIwXLJ2AVlfLBJvK/yJlq0MPedFbl6E6UwKfw
-cMLokF3sa1XrfwpJ93enGLqdpJrkR3dTzrsshjIhjQqfc8lqLwRlbMGc9u+V0ZsK
-OJ8e26wc/4l5D7CQ1vmgT/R/tuydBtUskgH96anhNJj1M95odkoh4Zicmm5iLgy2
-kluVYiEk0Fs7hc5Qtv8ZLN7ZoBRvZfJZWhXHDXmh71g1aoVYacIkFwiTMX4NoDy5
-QVq9tFUZ1TW4VrNIzfq++rLoz4XlgVy0Yz8jNWKuB0KRuHPNSsQUY2NHkDX+wOjq
-MP1SfNDxqPoqrmCqbgMw/9DmeOj9gyiTyjZhPZTxFOp67FYEYzYtR6bLQKEhdgf6
-iOVROZyrFHMZdBiUgV8GECds1th6ZYWmNRGdvxYjSjExIYgkDrcWbowTqD0bFC9b
-zClaSqrxR6GHUzbUVOBuCP+RmUx4j6gPvMRLUcIn5RmpbGtPE0ixeB5sFB0IuRRW
-6u2YToCiuq3EG1iJRmxjnBa/zj1aBO6OlsE/aPc0Sx+Jhm+MUbDioxUAriX96bJ+
-DEB4zgDhC0vIvkkUVAzQMkWPX479nPDmiZLpMqUIfqUh75WDpHbCladyGMgSkEo0
-IKq96oAWHJC8WLH0UMxMNuf8Ut+TsSpIO6G0RPl/cx3+hQqSUC5oUB7R3ZAWYx+6
-mawjkNJEx72yeJmQtGiZYEfeMt0Svm10PypMXFu0+2JjiS2eRj2K1yqrUnuL6AnY
-GYYmTmR74dnVAd35bRYJjY1XHGC9MyqBn4jLqKZm1BKO3sFsctGDy6vybnvAgPD7
-LioGQHPiOZmQe9Q5mMLedE9NAUCzlR8BHRbWtlnajQWcC0JcVu/mBQsjOt/KHh/V
-CY4aFXE56lRH2OpqZQxFpBFOSFDcuVX+zcEBGmKfk65n2MFL4McAJUhVRZL561Zx
-r9BvILv1Ld6/hECbodq0sUqvbDYHzv25zxAVKSIk1xy85mP5aNbk8xuGHmm860wg
-YOqdePwBEcDHoio+ov/uFYB7+4gt40vV90EzSiyfdq8x9RFMViJU430IkIBcvByo
-tFFcbN8ucBozxtl4AX495GVSRI7V0XXBtEdOIwJIzPBylZOHxCuTnA==
+mSt4HT52dsYkDwk6DVYm+Uij1PnFAnYzJD7Jx6EJIA9HuWKfyHPSjtqEcCwZoKHq
+i18EuCZHkdMBc8+lY0iEpNwbs3UbCP73lGn+IIjlOrS0xi4PP9iV1jxg/k+WF4rH
+jhIUhi3wc1cAaFLLj8bBvnx6t4mF3nTZZ119wSsa5ewy5RZGWcdN8NKtyNgFYTFx
+m5ACRErFuq8aFmcKVgwzLZH+e9fd7xKHS7XoP9vla7+iKkW5bzfkGP5E8irbOqce
+pyUE81FrD8irD0uK4mnrMRDDGrD02mYNSMGyhT5o1RDQJbaRupih9nU+SaTR2Kxq
+J/ScYak4EwmCIXixwuhwokDPTB1EuyQ1h5ywarkgt1TCZKoI2odqoILB2Dbrsmdf
+dKLqI8Q/kR4h5meCc0e3401VXIaOJWk5GMbxz+6641uWnTdLKedzC5gWCI7QIDFB
+h5n5m3tsSe6LRksqJpgPL/+vV/r+OrNEi4KGK9NxETZxeb/7gBSVFWbDXH5AO+wC
+/RlPYHaoDt+peRm3LUDBGQBPtvZUDiDHlW4v8wtgCEZXAPZPdaFRUSDYMYdbbebY
+EsxWa6G00Gau08EOPSgFIReGuACRkP4diiSE4ZTiC9HD2cuUN/D01ck+SD6UgdHV
+pyf6tHej/AdVG3HD5dRCmCCyfucW0gS7R+/+C4DzVHwZKAXJRSxmXLOHT0Gk8Woe
+sM8gbHOoV8OfLAfZDwibvnDq7rc82q5sSiGOKH7Fg5LYIjRB0UazCToxGVtxfWMz
+kPrzZiQT45QDa3gQdkHzF21s+fNpx/cZ1V1Mv+1E3KAX9XsAm/sNl0NAZ6G0AbFk
+gHIWoseiKxouTCDGNe/gC40r9XNhZdFCEzzJ9A77eScu0aTa5FHrC2w9YO2wHcja
+OT2AyZrVqOWB1/hIwAqk8ApXA3FwJbnQE0FxyLcYiTvCNM+XYIPLstD09axLFb53
+D4DXEncmvW4+axDg8G3s84olPGLgJL3E8pTFPYWHKsJgqsloAc/GD2Qx0PCinySM
+bVQckgzpVL3SvxeRRfx8SHl9F9z+GS4gZtM/gT9cDgcVOpVQpOcln5AR/mF/aoyo
+BW96LSmEk5l4yeBBba63Qcz1HRr2NSvXJuqdjw6qTZNBWtjmSxHywKZYRlSqzNZx
+7B6DGHTIOfGNhcy2wsd4cuftVYByGxfFjw7bHIDa4/ySdDykL7J+REfg8QidlCJB
+UN/2VjaNipQo38RczWLUfloMkMMrWYpXOm9koes+Vldm7Bco+eCONIS50DJDOhZs
+H037A+UMElXmtCrHPJGxQf8k1Qirn6BWOuRmXg8sXqeblIrPlZU+DghYXzA/nRxB
+y+nUx+Ipbj022uJNVtFwhP70TIqYm/O6Ol/zRbo6yRsR6uEnnb4wRi5IxHnM/iGA
+zWPzLRDSeVPkhu2pZ7JygabCiXbbgFTN1enJvLWvIAcB0LS8wQz0yKQ7oj32T0Ty
+AD3c/qS8kmsrZDe3H+lEfMCcJRnHUrR/SBChSdx7LF9mnLlWuJLLHmrz87x7Z2o6
+nuRU15U5aQTniVikvFWchnwGy+23lgv5He9X99jxEu/U1pA4egejfMs3g070AY3J
 -----END RSA PRIVATE KEY-----
diff --git a/testing/hosts/carol/etc/strongswan.conf b/testing/hosts/carol/etc/strongswan.conf
index 4e52c6a6b..ba5dbdd1d 100644
--- a/testing/hosts/carol/etc/strongswan.conf
+++ b/testing/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac gmp pubkey random curl
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem
index 0de3b268d..0865ad22e 100644
--- a/testing/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem
+++ b/testing/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem
@@ -1,7 +1,7 @@
 -----BEGIN CERTIFICATE-----
-MIIDtTCCAp2gAwIBAgIBADANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
+MIIDuDCCAqCgAwIBAgIBADANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA0MDkxMDExMDE0NVoXDTE0MDkwODExMDE0NVowRTELMAkGA1UE
+b290IENBMB4XDTA0MDkxMDEwMDExOFoXDTE5MDkwNzEwMDExOFowRTELMAkGA1UE
 BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9u
 Z1N3YW4gUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL/y
 X2LqPVZuWLPIeknK86xhz6ljd3NNhC2z+P1uoCP3sBMuZiZQEjFzhnKcbXxCeo2f
@@ -9,14 +9,14 @@ FnvhOOjrrisSuVkzuu82oxXD3fIkzuS7m9V4E10EZzgmKWIf+WuNRfbgAuUINmLc
 4YGAXBQLPyzpP4Ou48hhz/YQo58Bics6PHy5v34qCVROIXDvqhj91P8g+pS+F21/
 7P+CH2jRcVIEHZtG8M/PweTPQ95dPzpYd2Ov6SZ/U7EWmbMmT8VcUYn1aChxFmy5
 gweVBWlkH6MP+1DeE0/tL5c87xo5KCeGK8Tdqpe7sBRC4pPEEHDQciTUvkeuJ1Pr
-K+1LwdqRxo7HgMRiDw8CAwEAAaOBrzCBrDAPBgNVHRMBAf8EBTADAQH/MAsGA1Ud
-DwQEAwIBBjAdBgNVHQ4EFgQUXafdcAZRMn7ntm2zteXgYOouTe8wbQYDVR0jBGYw
-ZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYD
-VQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3Qg
-Q0GCAQAwDQYJKoZIhvcNAQEEBQADggEBAJrXTj5gWS37myHHhii9drYwkMFyDHS/
-lHU8rW/drcnHdus507+qUhNr9SiEAHg4Ywj895UDvT0a1sFaw44QyEa/94iKA8/n
-+g5kS1IrKvWu3wu8UI3EgzChgHV3cncQlQWbK+FI9Y3Ax1O1np1r+wLptoWpKKKE
-UxsYcxP9K4Nbyeon0AIHOajUheiL3t6aRc3m0o7VU7Do6S2r+He+1Zq/nRUfFeTy
-0Atebkn8tmUpPSKWaXkmwpVNrjZ1Qu9umAU+dtJyhzL2zmnyhPC4VqpsKCOp7imy
-gKZvUIKPm1zyf4T+yjwxwkiX2xVseoM3aKswb1EoZFelHwndU7u0GQ8=
+K+1LwdqRxo7HgMRiDw8CAwEAAaOBsjCBrzASBgNVHRMBAf8ECDAGAQH/AgEBMAsG
+A1UdDwQEAwIBBjAdBgNVHQ4EFgQUXafdcAZRMn7ntm2zteXgYOouTe8wbQYDVR0j
+BGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNIMRkw
+FwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJv
+b3QgQ0GCAQAwDQYJKoZIhvcNAQELBQADggEBACOSmqEBtBLR9aV3UyCI8gmzR5in
+Lte9aUXXS+qis6F2h2Stf4sN+Nl6Gj7REC6SpfEH4wWdwiUL5J0CJhyoOjQuDl3n
+1Dw3dE4/zqMZdyDKEYTU75TmvusNJBdGsLkrf7EATAjoi/nrTOYPPhSUZvPp/D+Y
+vORJ9Ej51GXlK1nwEB5iA8+tDYniNQn6BD1MEgIejzK+fbiy7braZB1kqhoEr2Si
+7luBSnU912sw494E88a2EWbmMvg2TVHPNzCpVkpNk7kifCiwmw9VldkqYy9y/lCa
+Epyp7lTfKw7cbD04Vk8QJW782L6Csuxkl346b17wmOqn8AZips3tFsuAY3w=
 -----END CERTIFICATE-----
diff --git a/testing/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/hosts/dave/etc/ipsec.d/certs/daveCert.pem
index abd1554e5..f212e19cf 100644
--- a/testing/hosts/dave/etc/ipsec.d/certs/daveCert.pem
+++ b/testing/hosts/dave/etc/ipsec.d/certs/daveCert.pem
@@ -1,25 +1,25 @@
 -----BEGIN CERTIFICATE-----
-MIIEIjCCAwqgAwIBAgIBCDANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
+MIIEIjCCAwqgAwIBAgIBHDANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA0MDkxMDExMjY1MVoXDTA5MDkwOTExMjY1MVowWzELMAkGA1UE
+b290IENBMB4XDTA5MDgyNzEwMzczOVoXDTE0MDgyNjEwMzczOVowWzELMAkGA1UE
 BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xEzARBgNVBAsTCkFjY291
 bnRpbmcxHDAaBgNVBAMUE2RhdmVAc3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3
-DQEBAQUAA4IBDwAwggEKAoIBAQDGbCmUY6inir71/6RWebegcLUTmDSxRqpRONDx
-2IRUEuES5EKc7qsjRz45XoqjiywCQRjYW33fUEEY6r7fnHk70CyUnWeZyr7v4D/2
-LjBN3smDE6/ZZrzxPx+xphlUigYOF/vt4gUiW1dOZ5rcnxG9+eNrSL6gWNNg1iuE
-RflSTbmHV6TVmGU2PGddKGZ6XfqWfdA+6iOi2+oyqw6aH4u4hfXhJyMROEOhLdAF
-UvzU9UizEXSqsmEOSodS9vypVJRYTbZcx70e9Q7g2MghHvtQY6mVgBzAwakDBCt/
-98lAlKDeXXOQqPcqAZSc2VjG8gEmkr1dum8wsJw8C2liKGRFAgMBAAGjggEFMIIB
-ATAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQU3pC10RxsZDx0UNNq
-+Ihsoxk4+3IwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUx
+DQEBAQUAA4IBDwAwggEKAoIBAQDAB/JTbwVY5oNF0+8Behdbc0NOeX+bl0SOcgpZ
+ha6nbMBQO41jtOI5r5Xbg9sK9l+DYOnZQZEsEhIVZDoK8yGI/FIEE+gWRf+OLmI8
+k2K+G1dklTC/VP2tZWMQYQWs6UnX3iiVpHccI3CQqqJWe9fZsIsq0J9j9hu6h9dG
+IEbon6RXDLPI5DIiIKc3r0jDHNDsIUDzcjuUdCxKFCMuHUCfa1PBiqpj5pP6XT0G
+gI6UjbgnNWPTPb2axE7P1x5gQmVwiFiYs+VTh2fq9O9xNxnn/YmzLk4/YNly7xYX
+Q31NuhSvRpH7jsJ1p4VSuunYqvccPUKsp5PvCtCeGvNT2qt1AgMBAAGjggEFMIIB
+ATAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQU7n842u6huBpBd394
+8mdL6EOdjg4wbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUx
 CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQD
 ExJzdHJvbmdTd2FuIFJvb3QgQ0GCAQAwHgYDVR0RBBcwFYETZGF2ZUBzdHJvbmdz
 d2FuLm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4u
-b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBBAUAA4IBAQAnotcnOE0tJDLy
-8Vh1+naT2zrxx9UxfMIeFljwhDqRiHXSLDAbCOnAWoqj8C9riuZwW7UImIIQ9JT9
-Gdktt4bbIcG25rGMC3uqP71CfaAz/SwIZZ2vm8Jt2ZzzSMHsE5qbjDIRAZnq6giR
-P2s6PVsMPSpvH34sRbE0UoWJSdtBZJP5bb+T4hc9gfmbyTewwMnjh09KkGJqVxKV
-UC/1z1U9zb3X1Gc9y+zI67/D46wM6KdRINaqPdK26aYRFM+/DLoTfFk07dsyz7lt
-0C+/ityQOvpfjVlZ/OepT92eWno4FuNRJuUP5/gYiHvSsjZbazqG02qGhJ6VgtGT
-5qILUTmI
+b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQAyAbxrpMtTARw3
+jvBwuapaHXnTppz+TkWyfXVpgTwtPlf3rbhPk4DjhT2ygyMTI1azoqProf2aBbDr
+DldCSQPsZAcuzOdruKKMo2CQwgLuBFXL+JUX0hiIpFS1ZZHA2aDKyUw4OyADOvDU
+8r1/WiwRb91TdYP9nEu9qP30k0vkUg8DCbCmPI1/MVaxVzh9LRAFyOHrnKSCXG7o
+StmVFm2Yf3pE4HS1W6DtommyPs7aUD5XAaQdr3DYKI/TazoU6t5g2aEqigu+pj2M
+qk5idJkx5VCFvUU1hlChyX6NNNjJNnV6u5YiuatcdYQhpCTBsxnBoM+w0BvNOCl+
+1PdgEy1K
 -----END CERTIFICATE-----
diff --git a/testing/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/hosts/dave/etc/ipsec.d/private/daveKey.pem
index 1cbaa183f..c0a5b42d1 100644
--- a/testing/hosts/dave/etc/ipsec.d/private/daveKey.pem
+++ b/testing/hosts/dave/etc/ipsec.d/private/daveKey.pem
@@ -1,27 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEAxmwplGOop4q+9f+kVnm3oHC1E5g0sUaqUTjQ8diEVBLhEuRC
-nO6rI0c+OV6Ko4ssAkEY2Ft931BBGOq+35x5O9AslJ1nmcq+7+A/9i4wTd7JgxOv
-2Wa88T8fsaYZVIoGDhf77eIFIltXTmea3J8Rvfnja0i+oFjTYNYrhEX5Uk25h1ek
-1ZhlNjxnXShmel36ln3QPuojotvqMqsOmh+LuIX14ScjEThDoS3QBVL81PVIsxF0
-qrJhDkqHUvb8qVSUWE22XMe9HvUO4NjIIR77UGOplYAcwMGpAwQrf/fJQJSg3l1z
-kKj3KgGUnNlYxvIBJpK9XbpvMLCcPAtpYihkRQIDAQABAoIBAQCQP7nKotjNVFSX
-Sg4Sv9H61XUOlaxY5GKVQZTE/P7WkBMIROEYbXoE35og4tYvJtILoX+KapkLa7Cn
-iKDSt1J7ZU/DitryNy6v/HsDYXjEY55jqEBC8CmTyKwl3fa0OtNEE7OWsKXC4FyM
-J02x7gJb9fqa1/udXnXtBEYGl0g1x/vDmuhLgKyq6eliTm/orAyjGK2KfRxu06eS
-YUZObr25wC7yDLHCBsWHGNVC7ZyxQoxcPOu9WNwlWYu92ZJMdf3+rIgZSeXxCn3U
-3CWAC9tL1HnKC/twbyWEc2Gy0lZaQSgTJzaRtKOlqBTc5Szb4l1ibmyeAA7NanXK
-wnUYfiZRAoGBAOWW0+4lzZhWOxK/cYwM5+eoI66MhPECFVK2sL8iC34BKGFRCrSd
-YS/nugWiAu30knIBrw8z9BN0gYEfiE/EZyP5TbjtabKDN28xQa1+bw9Sr+5g5TcR
-HFvZRkJWSYGoIuVO22eXUh+1hwx3KZP/UX6pwkrc2dxQLxNk0mo/BexPAoGBAN0/
-geik9GNIjbKwSPLvIIwcmO4TZja2RJy9NCTJOrJZFpCII6HvOiO0eYx3+So+KblG
-n4AUxrhi4jq1/mAA+VUt4B9ywKH8xzGwhno78dJ1lvydpuzXSTHOEgsWh9Kme05P
-syt/t1C0ZkWqOKsBGk1f7dU9IOWuOkpVUbbMX10rAoGBALp0S5lUyiu1nDQVljmP
-IadZPeE77ZttfbO2+sO++mZSumCOWItmZM9q+gApGwf1YBmGlI1cPBSwwZwD58gg
-UUM97IkLBpQbTKHY9uXXkIp5NLf7qSuXkdhmFFE7kmbiDbT83eK7Wc62tf7Bp9qx
-t5WOeGQkCCqMVC8D6n6uwDixAoGABV4jErfdzgLWnT01p98xVPTkqPIDitRFOeBF
-QZc4O1d5+quy4ZziNjeMs2G9w86aSIp0GDFo2NRdVLtRnpande+U/m5UShnN42C7
-AoAtz8NWlG5mvFxExFaRjX9QcEXlu/KnECkbE3Qs/wewNEXkk3f+VywSfkAJ3f/P
-6bVvot0CgYBA1B9SXYhclR3KNZJPRuTn9OQ/TqLmcCMN62dIhPW4WZo2ixZH3YdS
-PE/bYmYfZUPt7MnOSNSnuLKineIf1Dipz0gjuSyFGAs5DE+N+8GWYo00n+0e3TLL
-pcBj4nOdIVPTZ31IFeVbi06dCYmzLPAGDeLe1M1Z7fakNky1Wv+Sdg==
+MIIEpQIBAAKCAQEAwAfyU28FWOaDRdPvAXoXW3NDTnl/m5dEjnIKWYWup2zAUDuN
+Y7TiOa+V24PbCvZfg2Dp2UGRLBISFWQ6CvMhiPxSBBPoFkX/ji5iPJNivhtXZJUw
+v1T9rWVjEGEFrOlJ194olaR3HCNwkKqiVnvX2bCLKtCfY/YbuofXRiBG6J+kVwyz
+yOQyIiCnN69IwxzQ7CFA83I7lHQsShQjLh1An2tTwYqqY+aT+l09BoCOlI24JzVj
+0z29msROz9ceYEJlcIhYmLPlU4dn6vTvcTcZ5/2Jsy5OP2DZcu8WF0N9TboUr0aR
++47CdaeFUrrp2Kr3HD1CrKeT7wrQnhrzU9qrdQIDAQABAoIBAQCB4t4dYPKU9xXD
+nV4D+bjiukvEQJn3e5F7Z9doReukgwJxQlaYIjkCG6mZGM6H0603B84kjRzMWkyw
++2HnFhyQs1omN/C7YA1C9kyr/GTFgWjTN7YJNEuBhRpEcduM4R55TGLXFK8b8Tyq
+HUBAjvOo4qi/BO1Kh6Spvkf1vs83d9clTParD/Tz4QkjUzR5awMKHgOVGgrmTiJL
+Miao6ZF0gl6qh377xc3gzQdWh6kIb2RWVL2lR/iSdDP47s2ez8ubMO1v9mu05bc0
+H5YmCVeY4nkzjlVARdCuPulKHxBkStiPEOfnGZkj1F1fjfIoOFnD9MQSYkJuZUoE
+6JWiG7QBAoGBAOouYy7W0xRlXGTrahjU9JL+o3nKCRQmvX84Hxy9fx95tz1pS5U4
+7Gk7JFmS9qKhspInnblpjqxA5D3zqoO2gspatg7QfQJpLhbGXLqR7pqp92jbK+mh
+4KITqTZRpohtzTWqPxFupzKHo5qDDMJ3m8ArnIVmxM+M0lzpn6Awq5ZVAoGBANHs
+NR2voz//E6ZMSpgKb2l3NecFwdwqQQtzghD0wFnNBYV55DJNRuW7DB5t9EdtGgAg
+b2bPG+I2RdsZPGnL0EU5+H4rP0YXBGAxoVdaFqjnG5mIRN8mAdnWeVhCH3XBmUP1
+OFe1aghYMyC0ioXe8Vt1yaxeSiMjY4JKtma2DKChAoGBAIedv4CDlg/Mt1oWXwXs
+ZYqu/nrsPp+1463GEXZyYykWMsDUtpm/MmGqh118V2pNW/16BcQ3VhF5LvSVpNzM
+GCgZqi8gHBUGVlOIInFFS7mzznyh2GdfgJg77JVxaZC+jcWTRxzQSPFhTaSQWhZQ
+cBk06Fr07esIMVbvUKrTJLtVAoGBAIFCMsqetaTYSZ8iZuQLuOJ19wjTsLUCh56n
+dzU9n5sr9PRlQ6/9iWQ3spSiG8JHWbUuQ6pIaOD3jjgE6AA08X9O3MXDl2hvD9Cz
+fqcs37sM4x+8mrvUyVr7ByjjPj/h/5+qxRCssieFN6YxxQH9bxxkANRUEs5kIge+
+PWYtPsVBAoGAVako4J2YAfaD67Yl5u2XOWrBzVWzWNeqBsiAF1nCpR1RfeH4jFN/
+Uy/qbPVjdm14GNwd5wtI0xwBAsrTVit78DoxC2MUKMIuq9xVVakKX8UxBmCnldkW
+uhtXwJWH9pfQncCSrEaecfDkL8YVPDX/4XeJjqHpKqbyjTuGv+MK1Yw=
 -----END RSA PRIVATE KEY-----
diff --git a/testing/hosts/dave/etc/strongswan.conf b/testing/hosts/dave/etc/strongswan.conf
index 4e52c6a6b..ba5dbdd1d 100644
--- a/testing/hosts/dave/etc/strongswan.conf
+++ b/testing/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac gmp pubkey random curl
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/hosts/default/etc/ipsec.d/tables.sql b/testing/hosts/default/etc/ipsec.d/tables.sql
index 269709542..a7c5f1d81 100644
--- a/testing/hosts/default/etc/ipsec.d/tables.sql
+++ b/testing/hosts/default/etc/ipsec.d/tables.sql
@@ -183,6 +183,13 @@ CREATE TABLE leases (
   released INTEGER NOT NULL
 );
 
+DROP TABLE IF EXISTS attributes;
+CREATE TABLE attributes (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  type INTEGER NOT NULL,
+  value BLOB NOT NULL
+);
+
 DROP TABLE IF EXISTS ike_sas;
 CREATE TABLE ike_sas (
   local_spi BLOB NOT NULL PRIMARY KEY,
diff --git a/testing/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
index 0de3b268d..0865ad22e 100644
--- a/testing/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
+++ b/testing/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
@@ -1,7 +1,7 @@
 -----BEGIN CERTIFICATE-----
-MIIDtTCCAp2gAwIBAgIBADANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
+MIIDuDCCAqCgAwIBAgIBADANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA0MDkxMDExMDE0NVoXDTE0MDkwODExMDE0NVowRTELMAkGA1UE
+b290IENBMB4XDTA0MDkxMDEwMDExOFoXDTE5MDkwNzEwMDExOFowRTELMAkGA1UE
 BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9u
 Z1N3YW4gUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL/y
 X2LqPVZuWLPIeknK86xhz6ljd3NNhC2z+P1uoCP3sBMuZiZQEjFzhnKcbXxCeo2f
@@ -9,14 +9,14 @@ FnvhOOjrrisSuVkzuu82oxXD3fIkzuS7m9V4E10EZzgmKWIf+WuNRfbgAuUINmLc
 4YGAXBQLPyzpP4Ou48hhz/YQo58Bics6PHy5v34qCVROIXDvqhj91P8g+pS+F21/
 7P+CH2jRcVIEHZtG8M/PweTPQ95dPzpYd2Ov6SZ/U7EWmbMmT8VcUYn1aChxFmy5
 gweVBWlkH6MP+1DeE0/tL5c87xo5KCeGK8Tdqpe7sBRC4pPEEHDQciTUvkeuJ1Pr
-K+1LwdqRxo7HgMRiDw8CAwEAAaOBrzCBrDAPBgNVHRMBAf8EBTADAQH/MAsGA1Ud
-DwQEAwIBBjAdBgNVHQ4EFgQUXafdcAZRMn7ntm2zteXgYOouTe8wbQYDVR0jBGYw
-ZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYD
-VQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3Qg
-Q0GCAQAwDQYJKoZIhvcNAQEEBQADggEBAJrXTj5gWS37myHHhii9drYwkMFyDHS/
-lHU8rW/drcnHdus507+qUhNr9SiEAHg4Ywj895UDvT0a1sFaw44QyEa/94iKA8/n
-+g5kS1IrKvWu3wu8UI3EgzChgHV3cncQlQWbK+FI9Y3Ax1O1np1r+wLptoWpKKKE
-UxsYcxP9K4Nbyeon0AIHOajUheiL3t6aRc3m0o7VU7Do6S2r+He+1Zq/nRUfFeTy
-0Atebkn8tmUpPSKWaXkmwpVNrjZ1Qu9umAU+dtJyhzL2zmnyhPC4VqpsKCOp7imy
-gKZvUIKPm1zyf4T+yjwxwkiX2xVseoM3aKswb1EoZFelHwndU7u0GQ8=
+K+1LwdqRxo7HgMRiDw8CAwEAAaOBsjCBrzASBgNVHRMBAf8ECDAGAQH/AgEBMAsG
+A1UdDwQEAwIBBjAdBgNVHQ4EFgQUXafdcAZRMn7ntm2zteXgYOouTe8wbQYDVR0j
+BGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNIMRkw
+FwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJv
+b3QgQ0GCAQAwDQYJKoZIhvcNAQELBQADggEBACOSmqEBtBLR9aV3UyCI8gmzR5in
+Lte9aUXXS+qis6F2h2Stf4sN+Nl6Gj7REC6SpfEH4wWdwiUL5J0CJhyoOjQuDl3n
+1Dw3dE4/zqMZdyDKEYTU75TmvusNJBdGsLkrf7EATAjoi/nrTOYPPhSUZvPp/D+Y
+vORJ9Ej51GXlK1nwEB5iA8+tDYniNQn6BD1MEgIejzK+fbiy7braZB1kqhoEr2Si
+7luBSnU912sw494E88a2EWbmMvg2TVHPNzCpVkpNk7kifCiwmw9VldkqYy9y/lCa
+Epyp7lTfKw7cbD04Vk8QJW782L6Csuxkl346b17wmOqn8AZips3tFsuAY3w=
 -----END CERTIFICATE-----
diff --git a/testing/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/hosts/moon/etc/ipsec.d/certs/moonCert.pem
index d8fbfa1c9..d5c970f41 100644
--- a/testing/hosts/moon/etc/ipsec.d/certs/moonCert.pem
+++ b/testing/hosts/moon/etc/ipsec.d/certs/moonCert.pem
@@ -1,24 +1,25 @@
 -----BEGIN CERTIFICATE-----
-MIIEDTCCAvWgAwIBAgIBAzANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
+MIIEIjCCAwqgAwIBAgIBFzANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA0MDkxMDExMTcyNVoXDTA5MDkwOTExMTcyNVowRjELMAkGA1UE
+b290IENBMB4XDTA5MDgyNzEwMDMzMloXDTE0MDgyNjEwMDMzMlowRjELMAkGA1UE
 BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHDAaBgNVBAMTE21vb24u
-c3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCv
-ri4QmsCnG0N7bxqeUZTQhcmZ/iyN4RsmHwFsiOc06xpnZ7Fbx9gzi/OswU6KGL+F
-f9PfvOY36bDTZU8V2QaL30RQUXz3JlG+jUyP9zjqlhsvVYS/cImvqgo3uUkQ0YCD
-v2SafTlaQfBOaPFElNEP/H2YSiyB6X80IcHsOMYpskVqPY8785FehjF+pxuyRCK+
-9HXmd+iWdnC09u4qgKRa3L0IamU3q1/BK/afkHK2IAIN4YgM7GzepHVD0f7Exf9U
-esJEeh4hDZwSjcMzdybrY9XBxzGqLGPOF128jr+5weUZiBW+RzeBw/gsK1nSPeuX
-Od2lPJjTGj+6V3YK6qibAgMBAAGjggEFMIIBATAJBgNVHRMEAjAAMAsGA1UdDwQE
-AwIDqDAdBgNVHQ4EFgQU5eQQh2wqxL6thUlCpt52WDA6n8EwbQYDVR0jBGYwZIAU
+c3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDK
+L2M91Lu6BYYhWxWgMS9z9TMSTwszm5rhO7ZIsCtMRo4PAeYw+++SGXt3CPXb/+p+
+SWKGlm11rPE71eQ3ehgh2C3hAurfmWO0iQQaCw+fdreeIVCqOQIOP6UqZ327h5yY
+YpHk8VQv4vBJTpxclU1PqnWheqe1ZlLxsW773LRml/fQt/UgvJkCBTZZONLNMfK+
+7TDnYaVsAtncgvDN78nUNEe2qY92KK7SrBJ6SpUEg49m51F+XgsGcsgWVHS85on3
+Om/G48crLEVJjdu8CxewSRVgb+lPJWzHd8QsU0Vg/7vlqs3ZRMyNtNKrr4opSvVb
+A6agGlTXhDCreDiXU8KHAgMBAAGjggEaMIIBFjAJBgNVHRMEAjAAMAsGA1UdDwQE
+AwIDqDAdBgNVHQ4EFgQUapx00fiJeYn2WpTpifH6w2SdKS4wbQYDVR0jBGYwZIAU
 XafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYDVQQK
 ExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3QgQ0GC
-AQAwHgYDVR0RBBcwFYITbW9vbi5zdHJvbmdzd2FuLm9yZzA5BgNVHR8EMjAwMC6g
-LKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW4uY3JsMA0G
-CSqGSIb3DQEBBAUAA4IBAQAvLykhZnqldrsMcbYB36WzWKk+hOihr5dU3fv8Z4ec
-tsa3gzxXSefDCxGoezVJ4QXdpdNxxFn31A+r1gxKyGI5JL6EyWz6Y462zp9lE7nW
-EIC4ldJwxAXqzDEMcJphO29hApyU9TWsWDa4kL5AKtLFLwH3/Uv/jAzAy+qXIO8h
-wLtB+wcmhSo8OFY9kX/cyhht7eb7yD/r2e3wVBOCRk7jePe4yWhN8NJAKwfrEd1K
-iGq15ymdmeomhplHRsLZwA2VsCspUNZ/eXjG21s3nEoxcCOcQUz3Q7q4ZgBTZoCW
-kAc6FQ5zxoZrmzNWFqzb06jmUVlt7baGtdjT7rEt+dcp
+AQAwHgYDVR0RBBcwFYITbW9vbi5zdHJvbmdzd2FuLm9yZzATBgNVHSUEDDAKBggr
+BgEFBQcDATA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4u
+b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQCctXg2xeMozaTV
+jiBL1P8MY9uEH5JtU0EceQ1RbI5/2vGRdnECND9oADY5vamaaE2Mdq2Qh/vlXnML
+o3ii5ELjsQlYdTYZOcMOdcUUXYvbbFX1cwpkBhyBl1H25KptHcgQ/HnceKp3kOuq
+wYOYjgwePXulcpWXx0E2QtQCFQQZFPyEWeNJxH0oglg53QPXfHY9I2/Gukj5V0bz
+p7ME0Gs8KdnYdmbbDqzQgPsta96/m+HoJlsrVF+4Gqihj6BWMBQ2ybjPWZdG3oH9
+25cE8v60Ry98D0Z/tygbAUFnh5oOvaf642paVgc3aoA77I8U+UZjECxISoiHultY
+7QTufOwP
 -----END CERTIFICATE-----
diff --git a/testing/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/hosts/moon/etc/ipsec.d/private/moonKey.pem
index 89197a447..4d99866f7 100644
--- a/testing/hosts/moon/etc/ipsec.d/private/moonKey.pem
+++ b/testing/hosts/moon/etc/ipsec.d/private/moonKey.pem
@@ -1,27 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEAr64uEJrApxtDe28anlGU0IXJmf4sjeEbJh8BbIjnNOsaZ2ex
-W8fYM4vzrMFOihi/hX/T37zmN+mw02VPFdkGi99EUFF89yZRvo1Mj/c46pYbL1WE
-v3CJr6oKN7lJENGAg79kmn05WkHwTmjxRJTRD/x9mEosgel/NCHB7DjGKbJFaj2P
-O/ORXoYxfqcbskQivvR15nfolnZwtPbuKoCkWty9CGplN6tfwSv2n5BytiACDeGI
-DOxs3qR1Q9H+xMX/VHrCRHoeIQ2cEo3DM3cm62PVwccxqixjzhddvI6/ucHlGYgV
-vkc3gcP4LCtZ0j3rlzndpTyY0xo/uld2CuqomwIDAQABAoIBAECAVQ1npCA2lFo3
-erByB49f75sIhVc6NPuUGrO8uBbn0vPwUGAASdLzKW5eMvXlDDx5qFLXSjdxJ6kV
-4ymEWzDzsmNC5/zeJtkti9S30j/fCPAiF/Ep4oOKjOHUt4zjPqoglVFbdLk8yHwh
-b6Pcd73E2GAXq6uvDTMYydhvJ+KaozAfbXmQ9vf3HbneI6xmgAug209Cu+gpMspW
-4IunMMY/668neRmM7jh+4JNLMqJhCrmQpLkIlRux2yNFzxkF8RrqptGzaLf4KxNF
-rRRUThHUfWmB/EvggzJgUMuVA2Pa0bKNvBbbQuwPqXMxLHMGBjvJ8wimsLzJZeXL
-fgsyPKECgYEA5x//2cmlKL3LbprRpfSzVOPqM3OSeEqseQtPun9Gs7WNVZZVc/ZJ
-O2hjdc9qDGjak3lDSwVbYl8B1kqfGTTLB1sl2171aDJQOWdNV3WQtexUKEhC4Ewn
-yXEDoVGAXJtiCj34QYHjoMEHUqfabKyWKUcaK8hbMsOhYPOorfLXg9MCgYEAwpaP
-W68NJGu5Zxsdz62rOiPNb58cuoxLDZsJ1sMKJO7BdPIqTZ0oGNdgt5phyc3ROBSH
-cjqZdzpim1gXGm4ocGvwg3APNQN6DLBknJNZmHzPd7RLSz2UxhTHRTfHAltQPcmW
-cJVBHsrsS0QnvDndXfzLuLq12S6UZasR5eBdcxkCgYEAizBuOI6DdGG4nceG8lbH
-mRwY8xtq3h66d7skLMBxp9ByaVS76bYsrCZVn6Fl0EtlNuMUb52uRzPIO3F9FwUA
-MFHoHpC1YibKwYdAwKcAm07T7950x/eVDm+NLB2VHDBHfruLQogiubEF4/VKSaA2
-Xm1/iVaD9bJzAZw7vWY9/BkCgYB/Xe9uErGmgkB0BaLIuiNWxfKFOn+id4v01uNk
-yHtOW10TgCNCdDi3sdpjs1CIuAhXDdDuav7itLuwdMOCkFI16+EdF29Mwv7TaW4h
-sq01i5R9BO03zZIg6Z7ZZr4Dg+OM3fNzs65RSn/KcE0V/kYwa/So8MVw5/VIauYn
-MmnYmQKBgDEFWQPyPH242olRqtE0yDp8qVHEjJp7mU822YFbyCyAUnttqOS+/5/u
-Z7H95QZHGaQESL1tcNnaiRASJAKDWjKOdM/TTotWjCn65v+DHvgk/IJeYJVHoGBS
-pBE+wJ8AZJu3t9GVp3PxFxHIjxUrEKG0rli7bYv8F245+Wx8DeXI
+MIIEowIBAAKCAQEAyi9jPdS7ugWGIVsVoDEvc/UzEk8LM5ua4Tu2SLArTEaODwHm
+MPvvkhl7dwj12//qfklihpZtdazxO9XkN3oYIdgt4QLq35ljtIkEGgsPn3a3niFQ
+qjkCDj+lKmd9u4ecmGKR5PFUL+LwSU6cXJVNT6p1oXqntWZS8bFu+9y0Zpf30Lf1
+ILyZAgU2WTjSzTHyvu0w52GlbALZ3ILwze/J1DRHtqmPdiiu0qwSekqVBIOPZudR
+fl4LBnLIFlR0vOaJ9zpvxuPHKyxFSY3bvAsXsEkVYG/pTyVsx3fELFNFYP+75arN
+2UTMjbTSq6+KKUr1WwOmoBpU14Qwq3g4l1PChwIDAQABAoIBACBFB/Xqajv6fbn9
+K6pxrz02uXwGmacXAtVIDoPzejWmXS4QA4l17HrJDmelSnhelDKry8nnYHkTrTz7
+mn0wQ4HDWy86o/okJUG/TKRLd6bf79aRQqqohqd3iQkHk43GyzuXH+oGioVKF0fc
+ACDWw4wfjL7FMNdHCZ4Bz9DrHO/ysHe9B6rvSYm3VZRhSxaneIkaLkkDadKpVx3f
+XNFlMxY4qKPJYYSoJZ61iMqrO7+rnA93tmyDDs8PKU3BtnpfNrdePgleJHhk8Zqy
+Ev2/NOCSUxbKE8NCtLpGTs+T0qjjnu4k3WPd3ZOBAan0uPDekHZeHB/aXGLhYcxx
+J5SurqECgYEA+F1gppkER5Jtoaudt/CUpdQ1sR9wxf75VBqJ4FiYABGQz9xlG4oj
+zL/o572s0iV3bwFpnQa+WuWrxGkP6ZuB/Z82npc0N/vLou/b4dxvg4n7K+eOOEf0
+8FMjsse2tqTIXKCqcmQnR0NPQ1jwuvEKsXP5w/JOlnRXAXnd4jxsJI0CgYEA0GaT
+61ySttUW9jC3mxuY6jkQy8TEQqR3nOFvWwmCXIWOpN/MTTPus+Telxp/pdKhU+mo
+PmX3Unyne5PvwleWDq3YzltX5ZDZGJ5UJlKuNnfGIzQ6OcHRbb7zBpQG6qSRPuug
+bgo688hTnb1L59nK88zWVK45euf6pyuoI+SwIGMCgYEA7yvE8knyhBXvezuv0z1b
+eGHmHp5/VDwY0DQKSEAoiBBiWrkLqLybgwXf/KJ8dZZc8En08aFX2GLJyYe/KiB1
+ys3ypEBJqgvRayP+o/9KZ+qNNRd0rqAksPXvL7ABNNt0kzapTSVDae3Yu6s/j1am
+DIL5qAeERIDedG5uDPpQzdUCgYB7MtjpP63ABhLv8XbpbBQnCxtByw3W89F+Xcrt
+v55gQdhE4cSuMzA/CuMH4vNpPS6AI9aBJNhj3CtKo/cOJachAGb1/wvkO5ALvLW0
+fhZdPstUTnDJain7vfF/hwzbs/PlhXgu9T9KlLfRvXFdG+Sd4g8mumRiozcLkoRw
+y6XPTwKBgDJP+s9wXmdG90HST/aqC7FKrVXLpB63dY5swNUfQP6sa0pFnON0r0JC
+h/YCsGFFIAebQ2uOkM3g3f9nkwTp7910ov+/5uThvRI2w2BBPy0mVuALPjyyF1Z2
+cb9zpyKiIuXoXRCf4sd8r1lR9bn0Fxx0Svpxf+fpMGSI5quHNBKY
 -----END RSA PRIVATE KEY-----
diff --git a/testing/hosts/moon/etc/strongswan.conf b/testing/hosts/moon/etc/strongswan.conf
index 4e52c6a6b..ba5dbdd1d 100644
--- a/testing/hosts/moon/etc/strongswan.conf
+++ b/testing/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac gmp pubkey random curl
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/hosts/sun/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/hosts/sun/etc/ipsec.d/cacerts/strongswanCert.pem
index 0de3b268d..0865ad22e 100644
--- a/testing/hosts/sun/etc/ipsec.d/cacerts/strongswanCert.pem
+++ b/testing/hosts/sun/etc/ipsec.d/cacerts/strongswanCert.pem
@@ -1,7 +1,7 @@
 -----BEGIN CERTIFICATE-----
-MIIDtTCCAp2gAwIBAgIBADANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
+MIIDuDCCAqCgAwIBAgIBADANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA0MDkxMDExMDE0NVoXDTE0MDkwODExMDE0NVowRTELMAkGA1UE
+b290IENBMB4XDTA0MDkxMDEwMDExOFoXDTE5MDkwNzEwMDExOFowRTELMAkGA1UE
 BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9u
 Z1N3YW4gUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL/y
 X2LqPVZuWLPIeknK86xhz6ljd3NNhC2z+P1uoCP3sBMuZiZQEjFzhnKcbXxCeo2f
@@ -9,14 +9,14 @@ FnvhOOjrrisSuVkzuu82oxXD3fIkzuS7m9V4E10EZzgmKWIf+WuNRfbgAuUINmLc
 4YGAXBQLPyzpP4Ou48hhz/YQo58Bics6PHy5v34qCVROIXDvqhj91P8g+pS+F21/
 7P+CH2jRcVIEHZtG8M/PweTPQ95dPzpYd2Ov6SZ/U7EWmbMmT8VcUYn1aChxFmy5
 gweVBWlkH6MP+1DeE0/tL5c87xo5KCeGK8Tdqpe7sBRC4pPEEHDQciTUvkeuJ1Pr
-K+1LwdqRxo7HgMRiDw8CAwEAAaOBrzCBrDAPBgNVHRMBAf8EBTADAQH/MAsGA1Ud
-DwQEAwIBBjAdBgNVHQ4EFgQUXafdcAZRMn7ntm2zteXgYOouTe8wbQYDVR0jBGYw
-ZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYD
-VQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3Qg
-Q0GCAQAwDQYJKoZIhvcNAQEEBQADggEBAJrXTj5gWS37myHHhii9drYwkMFyDHS/
-lHU8rW/drcnHdus507+qUhNr9SiEAHg4Ywj895UDvT0a1sFaw44QyEa/94iKA8/n
-+g5kS1IrKvWu3wu8UI3EgzChgHV3cncQlQWbK+FI9Y3Ax1O1np1r+wLptoWpKKKE
-UxsYcxP9K4Nbyeon0AIHOajUheiL3t6aRc3m0o7VU7Do6S2r+He+1Zq/nRUfFeTy
-0Atebkn8tmUpPSKWaXkmwpVNrjZ1Qu9umAU+dtJyhzL2zmnyhPC4VqpsKCOp7imy
-gKZvUIKPm1zyf4T+yjwxwkiX2xVseoM3aKswb1EoZFelHwndU7u0GQ8=
+K+1LwdqRxo7HgMRiDw8CAwEAAaOBsjCBrzASBgNVHRMBAf8ECDAGAQH/AgEBMAsG
+A1UdDwQEAwIBBjAdBgNVHQ4EFgQUXafdcAZRMn7ntm2zteXgYOouTe8wbQYDVR0j
+BGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNIMRkw
+FwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJv
+b3QgQ0GCAQAwDQYJKoZIhvcNAQELBQADggEBACOSmqEBtBLR9aV3UyCI8gmzR5in
+Lte9aUXXS+qis6F2h2Stf4sN+Nl6Gj7REC6SpfEH4wWdwiUL5J0CJhyoOjQuDl3n
+1Dw3dE4/zqMZdyDKEYTU75TmvusNJBdGsLkrf7EATAjoi/nrTOYPPhSUZvPp/D+Y
+vORJ9Ej51GXlK1nwEB5iA8+tDYniNQn6BD1MEgIejzK+fbiy7braZB1kqhoEr2Si
+7luBSnU912sw494E88a2EWbmMvg2TVHPNzCpVkpNk7kifCiwmw9VldkqYy9y/lCa
+Epyp7lTfKw7cbD04Vk8QJW782L6Csuxkl346b17wmOqn8AZips3tFsuAY3w=
 -----END CERTIFICATE-----
diff --git a/testing/hosts/sun/etc/ipsec.d/certs/sunCert.pem b/testing/hosts/sun/etc/ipsec.d/certs/sunCert.pem
index e7825e3db..d0937bab8 100644
--- a/testing/hosts/sun/etc/ipsec.d/certs/sunCert.pem
+++ b/testing/hosts/sun/etc/ipsec.d/certs/sunCert.pem
@@ -1,24 +1,25 @@
 -----BEGIN CERTIFICATE-----
-MIIECzCCAvOgAwIBAgIBAjANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
+MIIEIDCCAwigAwIBAgIBFjANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA0MDkxMDExMTU1M1oXDTA5MDkwOTExMTU1M1owRTELMAkGA1UE
+b290IENBMB4XDTA5MDgyNzA5NTkwNFoXDTE0MDgyNjA5NTkwNFowRTELMAkGA1UE
 BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN1bi5z
-dHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOQ8
-foB9h5BZ92gA5JkQTJNuoF6FAzoq91Gh7To27/g74p01+SUnsSaBfPmNfGp4avdS
-Ewy2dWMA/7uj0Dbe8MEKssNztp0JQubp2s7n8mrrQLGsqB6YAS09l75XDjS3yqTC
-AtH1kD4zAl/j/AyeQBuLR4CyJEmC/rqD3/a+pr42CaljuFBgBRpCTUpU4mlslZSe
-zv9wu61PwTFxb8VDlBHUd/lwkXThKgU3uEhWRxLahpSldEGmiTTmx30k/XbOMF2n
-HObEHt5EY9uWRGGbj81ZRWiNk0dNtbpneUHv/NvdWLc591M8cEGEQdWW2XTVbL2G
-N67q8hdzGgIvb7QJPMcCAwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQD
-AgOoMB0GA1UdDgQWBBQ9xLkyCBbyQmRet0vvV1Fg6z5q2DBtBgNVHSMEZjBkgBRd
+dHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAN+V
+VIpn6Q5jaU//EN6p6A5cSfUfhBK0mFa2laFFZh/Y0h66AXqqrQ3X917h7YNsSk68
+oowY9h9I3gOx7hNVBsJr2VjdYC+b0q5NTha09/A5mimv/prYj6o0yawxoPjoDs9Y
+h7D7Kf+F8fkgk0stlHJZX66J7dNrFXbg1xBld+Ep5Or2FbEZ9QWUpRQTuhdpNt/4
+9YuxQ59DemY9IRbwsrKCHH0mGrJsDdqeb0ap+8QvSXHjCt1fr9MNKWaAFAQLKQI4
+e0da1ntPCEQLeE833+NNRBgGufk0KqGT3eAXqrxa9AEIUJnVcPexQdqUMjcUpXFb
+8WNzRWB8Egh3BDK6FsECAwEAAaOCARkwggEVMAkGA1UdEwQCMAAwCwYDVR0PBAQD
+AgOoMB0GA1UdDgQWBBRW1p4v2qihzRlcI1PnxbZwluML+zBtBgNVHSMEZjBkgBRd
 p91wBlEyfue2bbO15eBg6i5N76FJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoT
 EExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIB
-ADAdBgNVHREEFjAUghJzdW4uc3Ryb25nc3dhbi5vcmcwOQYDVR0fBDIwMDAuoCyg
-KoYoaHR0cDovL2NybC5zdHJvbmdzd2FuLm9yZy9zdHJvbmdzd2FuLmNybDANBgkq
-hkiG9w0BAQQFAAOCAQEAGQQroiAa0SwwhJprGd7OM+rfBJAGbsa3DPzFCfHX1R7i
-ZyDs9aph1DK+IgUa377Ev1U7oB0EldpmOoJJugCjtNLfpW3t1RXBERL/QfpO2+VP
-Wt3SfZ0Oq48jiqB1MVLMZRPCICZEQjT4sJ3HYs5ZuucuvoxeMx3rQ4HxUtHtMD3S
-5JNMwFFiOXAjyIyrTlb7YuRJTT5hE+Rms8GUQ5Xnt7zKZ7yfoSLFzy0/cLFPdQvE
-JA7w8crODCZpDgEKVHVyUWuyt1O46N3ydUfDcnKJoQ9HWHm3xCbDex5MHTnvm1lk
-Stx71CGM7TE6VPy028UlrSw0JqEwCVwstei2cMzwgA==
+ADAdBgNVHREEFjAUghJzdW4uc3Ryb25nc3dhbi5vcmcwEwYDVR0lBAwwCgYIKwYB
+BQUHAwEwOQYDVR0fBDIwMDAuoCygKoYoaHR0cDovL2NybC5zdHJvbmdzd2FuLm9y
+Zy9zdHJvbmdzd2FuLmNybDANBgkqhkiG9w0BAQsFAAOCAQEAo37LYT9Awx0MK/nA
+FZpPJqUr0Ey+O5Ukcsdx7nd00SlmpiQRY8KmuRXCBQnDEgdLstd3slQjT0pJEgWF
+0pzxybnI6eOzYAhLfhart+X1hURiNGbXjggm2s4I5+K32bVIkNEqlsYnd/6F9oo5
+ZNO0/eTTruLZfkNe/zchBGKe/Z7MacVwlYWWCbMtBV4K1d5dGcRRgpQ9WivDlmat
+Nh9wlscDSgSGk3HJkbxnq695VN7zUbDWAUvWWhV5bIDjlAR/xyT9ApqIxiyVVRul
+fYrE7U05Hbt6GgAroAKLp6qJup9+TxQAKSjKIwJ0hf7OuYyQ8TZtVHS7AOhm+T/5
+G/jGGA==
 -----END CERTIFICATE-----
diff --git a/testing/hosts/sun/etc/ipsec.d/private/sunKey.pem b/testing/hosts/sun/etc/ipsec.d/private/sunKey.pem
index de63615a6..d8fad9aad 100644
--- a/testing/hosts/sun/etc/ipsec.d/private/sunKey.pem
+++ b/testing/hosts/sun/etc/ipsec.d/private/sunKey.pem
@@ -1,27 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEA5Dx+gH2HkFn3aADkmRBMk26gXoUDOir3UaHtOjbv+DvinTX5
-JSexJoF8+Y18anhq91ITDLZ1YwD/u6PQNt7wwQqyw3O2nQlC5unazufyautAsayo
-HpgBLT2XvlcONLfKpMIC0fWQPjMCX+P8DJ5AG4tHgLIkSYL+uoPf9r6mvjYJqWO4
-UGAFGkJNSlTiaWyVlJ7O/3C7rU/BMXFvxUOUEdR3+XCRdOEqBTe4SFZHEtqGlKV0
-QaaJNObHfST9ds4wXacc5sQe3kRj25ZEYZuPzVlFaI2TR021umd5Qe/8291Ytzn3
-UzxwQYRB1ZbZdNVsvYY3ruryF3MaAi9vtAk8xwIDAQABAoIBACOnh6OO+KSGSW4H
-5a47q5rEh2z8nnpxx90KzMJxXp+Ky2X/zoINZ1E6nUlm3u7LDPrB6ZPs1P24ZDrt
-5lMMFNQzVaXO59I0Zi0ojzQPbAFj6uFWtZTB7j0hCBmGBAQcSh3e6Q3frL7qvQ45
-0WAvQJiM84iZS63oNt7wRwaG1gmUn/k6j34y4qUkD5FfzGhFkekzDS54bRGwjhTA
-7XBUPAcsdNoIPcihokgLXwcdA8l6LBGsk48HN7O+CYOdh4xb6oQ4msgPED3pDIMo
-QRptqcPQ6y1qJaiM/D8SvdX2ZTFm/bh2jlGvcm5sWG8VdSDRqq9r0YCi4KlQzA1g
-OAyrMeECgYEA9dAVEegvRrFm4V6hC9CAwyS6fiOqx/l0xd354Xv4V6vR6n6rKwDF
-kv96A4sMH+mdNf6MwzFFCNW9zZV7noEIvAyPAc7jM7t/Hmt5M41DiDe0RJpWKEdQ
-lEj2qd8FqcY4YVDEH/TdchwIvoWHlD2sykW7eoseCY5mYEoQN4Ciwj8CgYEA7bHv
-qdaz2SoG9lyj8Mz7XthjYZLeaxKu7cpqP5bqzuRSkVFvib0WKoJfwsewzO5hCHnf
-8yMD3Wp4Ap2FYoN2XfV/jQyHvlpMlkxv+bU39/HLosdhzKbOJsru9kbBCaARHAVi
-av3O3JfV2/G+cwR6nPCNjcTsIcqtEpUO7kOfU3kCgYAKYNmy4tm0I2NTmpo0FH6L
-Pq69CqZ4QPkELaYSNhi7It7/BpAVhbfRyAWPxrwhUMy5beDlkNv4ToXv+yK4A3yp
-6+HR0rlXAtCQKTt5yLoUMz3iM531n2UwjZAUhf0IOP1CZpWRP9ZlrfdUi/C4eo4k
-ECOlPeBryN5brGTY4w58IwKBgQC0ukRF2I+qoP/mNg4Yu2KtfM4jlG4072G+P9eF
-PhSO9p+pCkhKbFD8RWDWUsslJmL09OXIkmkP4zIYmvieLOLFEjLHZi2YGER/SuMg
-9B74EQsKW5sK5hF9AXOsIaQI04Hu0lFAlHbC11euAiMShOdNiMG4d3ArSVVK+bb+
-hsAP0QKBgHcJuTJ6dv77evW3MFZPRjFH25pike40PWmSLgCt5PV25DRL2UG0pOut
-uybN9biQK5v377/3GD7eOL+acxHODjWmmfeEFW0YlJ1oUb/P8NlqsSnHvUoIqa24
-JmTXS/XzjgxQFFfzo0c1/1JLdG6r5CLTWxHq1EhIOJsowTlrCzX/
+MIIEpAIBAAKCAQEA35VUimfpDmNpT/8Q3qnoDlxJ9R+EErSYVraVoUVmH9jSHroB
+eqqtDdf3XuHtg2xKTryijBj2H0jeA7HuE1UGwmvZWN1gL5vSrk1OFrT38DmaKa/+
+mtiPqjTJrDGg+OgOz1iHsPsp/4Xx+SCTSy2Ucllfront02sVduDXEGV34Snk6vYV
+sRn1BZSlFBO6F2k23/j1i7FDn0N6Zj0hFvCysoIcfSYasmwN2p5vRqn7xC9JceMK
+3V+v0w0pZoAUBAspAjh7R1rWe08IRAt4Tzff401EGAa5+TQqoZPd4BeqvFr0AQhQ
+mdVw97FB2pQyNxSlcVvxY3NFYHwSCHcEMroWwQIDAQABAoIBADH51hjN2zk9HVgl
+QmcTAWzcUie5cLMhrP+M9mtC8O3jcCwwFY6OwfnbMU8DHy0GMqHg5lB8b99UUVPw
+HLAzjDw/ESkc6pgZs4EEhJTsxJLsvTnePgHssEgyXnXf7gRVEqJkPohfy+Zy0UCH
+eIUQXiMlOQ7xg7iDMhwNa+UdWSt539DztSKilQn2xdPZjFnMT0/prvl4NA/8Zn54
+/SdWDq5yRdLWb6EK1V7yJ3687GXR1jzGtgy7TXuncUJVTYgX7RdP1Tn6gWD8YAQ/
+RfT0DdWYm4WHSgSb9/NW8lBZH2yy3hg+lNgofXEvTfBkO5QyW31LIr0tCV6zhJIc
+Y9MxaKUCgYEA9sktaXfhPLe0ECjdeQEOq5EKuDrCviSKCOuAV4BDSOsdw6+5LWfY
+Vb/oke8N70lL3RCblcj1pOKWUi2O/SpEJdDRduiw2gM9cXt3/bChSTHC4TsIxxN/
+Db9OGg72kZ4sRY5Au+zyAAQYBwXhFWux194Jk5qK0JblNG9J5QMqZDcCgYEA5+5h
+BgHUMEO+pdME5lAiSc5PcNTejpA6j+OikCh4/HFXy3C/dLx+Cs1+egw64c8iVaIv
+NEo7n7E9I0e3XqanPRXhMnBRrP+39OVsWPmZ18Li2Hi84KwJyi8Y11l3XJOqaYpF
+wMVUuZpxR0dfG5k/5GwT/tEkmQBglOgG3m2zUMcCgYEA4m3Vd9ahV5dp5AXKpzKc
+JjiPMFfhxJo7+FEz0ZUCp03qYljBu/Jy4MKS/grrqyiCLdQGHNlk4SNxLvdUId78
+5gGBnuuDEJU2dAAIKUE9yq2YlBUZSacOxStI2snt28/X6P3LUWHm7LLU5OS1D3Vf
+mKPF/6MlSJuas5CEqVZNN+MCgYBH9Qh7IaQgmVQUBKVXg3Mv7OduvUyTdKIGtHxi
+N3xZ7hxsDP4JjNWaKmlcGmFGX8pqQRheI83d3NJ4GK8GmbP3Wst0p65fezMqsudr
+r30QmPFicgs/tYCQDw6o+aPzwAi2F+VOSqrfrtAIaldSq7hL+VA21dKB+cD9UgOX
+jPd+TwKBgQCbKeg2QNS2qhPIG9eaqJDROuxmxb/07d7OBctgMgxVvKhqW9hW42Sy
+gJ59fyz5QjFBaSfcOdf4gkKyEawVo45/q6ymIQU37R4vF4CW9Z3CfaIbwJp7LcHV
+zH07so/HNsZua6GWCSCLJU5MeCRiZzk2RFiS9KIaLP4gZndv4lXOiQ==
 -----END RSA PRIVATE KEY-----
diff --git a/testing/hosts/sun/etc/strongswan.conf b/testing/hosts/sun/etc/strongswan.conf
index 4e52c6a6b..ba5dbdd1d 100644
--- a/testing/hosts/sun/etc/strongswan.conf
+++ b/testing/hosts/sun/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac gmp pubkey random curl
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/hosts/venus/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/hosts/venus/etc/ipsec.d/cacerts/strongswanCert.pem
index 0de3b268d..0865ad22e 100644
--- a/testing/hosts/venus/etc/ipsec.d/cacerts/strongswanCert.pem
+++ b/testing/hosts/venus/etc/ipsec.d/cacerts/strongswanCert.pem
@@ -1,7 +1,7 @@
 -----BEGIN CERTIFICATE-----
-MIIDtTCCAp2gAwIBAgIBADANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
+MIIDuDCCAqCgAwIBAgIBADANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA0MDkxMDExMDE0NVoXDTE0MDkwODExMDE0NVowRTELMAkGA1UE
+b290IENBMB4XDTA0MDkxMDEwMDExOFoXDTE5MDkwNzEwMDExOFowRTELMAkGA1UE
 BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9u
 Z1N3YW4gUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL/y
 X2LqPVZuWLPIeknK86xhz6ljd3NNhC2z+P1uoCP3sBMuZiZQEjFzhnKcbXxCeo2f
@@ -9,14 +9,14 @@ FnvhOOjrrisSuVkzuu82oxXD3fIkzuS7m9V4E10EZzgmKWIf+WuNRfbgAuUINmLc
 4YGAXBQLPyzpP4Ou48hhz/YQo58Bics6PHy5v34qCVROIXDvqhj91P8g+pS+F21/
 7P+CH2jRcVIEHZtG8M/PweTPQ95dPzpYd2Ov6SZ/U7EWmbMmT8VcUYn1aChxFmy5
 gweVBWlkH6MP+1DeE0/tL5c87xo5KCeGK8Tdqpe7sBRC4pPEEHDQciTUvkeuJ1Pr
-K+1LwdqRxo7HgMRiDw8CAwEAAaOBrzCBrDAPBgNVHRMBAf8EBTADAQH/MAsGA1Ud
-DwQEAwIBBjAdBgNVHQ4EFgQUXafdcAZRMn7ntm2zteXgYOouTe8wbQYDVR0jBGYw
-ZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYD
-VQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3Qg
-Q0GCAQAwDQYJKoZIhvcNAQEEBQADggEBAJrXTj5gWS37myHHhii9drYwkMFyDHS/
-lHU8rW/drcnHdus507+qUhNr9SiEAHg4Ywj895UDvT0a1sFaw44QyEa/94iKA8/n
-+g5kS1IrKvWu3wu8UI3EgzChgHV3cncQlQWbK+FI9Y3Ax1O1np1r+wLptoWpKKKE
-UxsYcxP9K4Nbyeon0AIHOajUheiL3t6aRc3m0o7VU7Do6S2r+He+1Zq/nRUfFeTy
-0Atebkn8tmUpPSKWaXkmwpVNrjZ1Qu9umAU+dtJyhzL2zmnyhPC4VqpsKCOp7imy
-gKZvUIKPm1zyf4T+yjwxwkiX2xVseoM3aKswb1EoZFelHwndU7u0GQ8=
+K+1LwdqRxo7HgMRiDw8CAwEAAaOBsjCBrzASBgNVHRMBAf8ECDAGAQH/AgEBMAsG
+A1UdDwQEAwIBBjAdBgNVHQ4EFgQUXafdcAZRMn7ntm2zteXgYOouTe8wbQYDVR0j
+BGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNIMRkw
+FwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJv
+b3QgQ0GCAQAwDQYJKoZIhvcNAQELBQADggEBACOSmqEBtBLR9aV3UyCI8gmzR5in
+Lte9aUXXS+qis6F2h2Stf4sN+Nl6Gj7REC6SpfEH4wWdwiUL5J0CJhyoOjQuDl3n
+1Dw3dE4/zqMZdyDKEYTU75TmvusNJBdGsLkrf7EATAjoi/nrTOYPPhSUZvPp/D+Y
+vORJ9Ej51GXlK1nwEB5iA8+tDYniNQn6BD1MEgIejzK+fbiy7braZB1kqhoEr2Si
+7luBSnU912sw494E88a2EWbmMvg2TVHPNzCpVkpNk7kifCiwmw9VldkqYy9y/lCa
+Epyp7lTfKw7cbD04Vk8QJW782L6Csuxkl346b17wmOqn8AZips3tFsuAY3w=
 -----END CERTIFICATE-----
diff --git a/testing/hosts/venus/etc/ipsec.d/certs/venusCert.pem b/testing/hosts/venus/etc/ipsec.d/certs/venusCert.pem
index 25a6941b0..c383667e6 100644
--- a/testing/hosts/venus/etc/ipsec.d/certs/venusCert.pem
+++ b/testing/hosts/venus/etc/ipsec.d/certs/venusCert.pem
@@ -1,24 +1,24 @@
 -----BEGIN CERTIFICATE-----
-MIIEDzCCAvegAwIBAgIBBDANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
+MIIEDzCCAvegAwIBAgIBGDANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA0MDkxMDExMTgyNloXDTA5MDkwOTExMTgyNlowRzELMAkGA1UE
+b290IENBMB4XDTA5MDgyNzEwMDUyMloXDTE0MDgyNjEwMDUyMlowRzELMAkGA1UE
 BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHTAbBgNVBAMTFHZlbnVz
 LnN0cm9uZ3N3YW4ub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
-mlQ2s9J7bw73onkw0ZwwcM2JDJuU3KmmuzETlmLdtg7m8yFCdhoDg6cxrsIvPAWy
-Gs++1e+1qzy7LTnNHckaHHFwJQf0JoIGE1bbUrJidX8B1T3sDdvZFbyfmQTWSEyJ
-thrdqdPS92VJW/9XQOPeEhudIHr+NtWQfCm3OQFKDXGCEkHOjpVNHn3BPUiL99ON
-FiLZX3gZy6vTERpEE8ga66fHtpM3RJfIxYoUQUdRw8iIa8iOvRGtJa/MfOWX6L/H
-wquRv3SuCl4iMSph7e/VE+z5xx3OyKSAki914DgRFnQITKjyGxw1lORlDQlZy2w/
-nu0BAbXS1pb/2AiF8jDpbQIDAQABo4IBBjCCAQIwCQYDVR0TBAIwADALBgNVHQ8E
-BAMCA6gwHQYDVR0OBBYEFEqPlXBYJh1knX0Q61HMcn9LOZ6sMG0GA1UdIwRmMGSA
+s0UsstkyjuvNkpx/vmZlKpBITJyGmfTfFjl01uU4dUVwzE3yhllGPLN3ijLSteHP
+3opUbDNd5dG4eVsa9DUiqIJlk/g+tnKS5IdQbA6yUf1nIHr39tVukOtX66sMeHBU
++M46KD7r4RRrGSBYT1FsyIv47D2uk24nBZ7Sf2+LoVQZfMIVdydIGfHxmQJxymzS
+80mh57EN2y70oH9HMwn/bbGb8WrysN09WVbNbT2vdeYX3OJXi0xsmT/Ynev1VD9B
+2mbA/XCf4c45xFL1HxKQ/+RTlmY6z6m4rBFuFGCscLPba5g290mXqrpMSpuWUagI
+RZmOaeoyd3x25qbYwNe5QwIDAQABo4IBBjCCAQIwCQYDVR0TBAIwADALBgNVHQ8E
+BAMCA6gwHQYDVR0OBBYEFI9cCmyxR/wbUXCARuBjbHpUAS1nMG0GA1UdIwRmMGSA
 FF2n3XAGUTJ+57Zts7Xl4GDqLk3voUmkRzBFMQswCQYDVQQGEwJDSDEZMBcGA1UE
 ChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBSb290IENB
 ggEAMB8GA1UdEQQYMBaCFHZlbnVzLnN0cm9uZ3N3YW4ub3JnMDkGA1UdHwQyMDAw
 LqAsoCqGKGh0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbi5jcmww
-DQYJKoZIhvcNAQEEBQADggEBAEx3kXh2Z5CMH+tX6cJPyi6gSeOgXy7NBiNsEdXN
-rwGp4DwN6uiSog4EYZJA203oqE3eaoYdBXKiOGvjW4vyigvpDr8H+MeW2HsNuMKX
-PFpY4NucV0fJlzFhtkp31zTLHNESCgTqNIwGj+CbN0rxhHGE6502krnu+C12nJ7B
-fdMzml1RmVp4JlZC5yfiTy0F2s/aH+8xQ2x509UoD+boNM9GR+IlWS2dDypISGid
-hbM4rpiMLBj2riWD8HiuljkKQ6LemBXeZQXuIPlusl7cH/synNkHk8iiALM8xfGh
-wTEmdo5Tp5sDI3cj3LVvhcsTxjiOA81her1F0itlxpEA/gA=
+DQYJKoZIhvcNAQELBQADggEBAK5Pi/g5Y234tEcTFWE0Vdg4cKxIfZRewFOOZI1z
+/RWfzoqPZ6YzD15B1toKZrAGsqyhdJ4yQ/BwxJpdgNCscMelkzMubcLXL9QugPS4
+hz4MLkJR2tDCZA/mFUTEbAQwdNSCxSo/l0vZ5KXUg9y5zZhCWpZiHJBXnz/567wn
+K16J3x9TYtdh4sT+y+0vHgvosUs2srRTkK2WDDxlh9XTch7DZyrLuiRRFrWjc6y9
+ThVH/qQNXwEBq2t9UYjQUVyx77gVQmiLrPU7UjL4IBoZmBNV/VJ10+rmGj1eG1nD
+pgq6oBTrbEsv8Ix7y/MziTB8POj3dKjl2UZmRVBwMbnNqYk=
 -----END CERTIFICATE-----
diff --git a/testing/hosts/venus/etc/ipsec.d/private/venusKey.pem b/testing/hosts/venus/etc/ipsec.d/private/venusKey.pem
index 6c4aff0ad..0477f698a 100644
--- a/testing/hosts/venus/etc/ipsec.d/private/venusKey.pem
+++ b/testing/hosts/venus/etc/ipsec.d/private/venusKey.pem
@@ -1,27 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEogIBAAKCAQEAmlQ2s9J7bw73onkw0ZwwcM2JDJuU3KmmuzETlmLdtg7m8yFC
-dhoDg6cxrsIvPAWyGs++1e+1qzy7LTnNHckaHHFwJQf0JoIGE1bbUrJidX8B1T3s
-DdvZFbyfmQTWSEyJthrdqdPS92VJW/9XQOPeEhudIHr+NtWQfCm3OQFKDXGCEkHO
-jpVNHn3BPUiL99ONFiLZX3gZy6vTERpEE8ga66fHtpM3RJfIxYoUQUdRw8iIa8iO
-vRGtJa/MfOWX6L/HwquRv3SuCl4iMSph7e/VE+z5xx3OyKSAki914DgRFnQITKjy
-Gxw1lORlDQlZy2w/nu0BAbXS1pb/2AiF8jDpbQIDAQABAoIBAFyVMMvn9YzGmeCq
-e5MD9Dt30kPyAffu/stFwc5yOTfC8OHijhBzwq/0WWXRsKx9bj+PaZjGWWIE6PVU
-u6ymvDdcBj7w6pM/ZY2siZ6uzUpXiy32G+qkfTMBGW2e7T4qTGMm8tuy69jmtn+u
-SxXunYaXckfOATu8GxWhoP1dvKMbCrlQxxmduP04au8HhpLTQgDZ28PrvyqUR6AW
-D+PDGACLbCFzmaMLgv6yv2+GNQpBEDr/VUjOOBvzZhUm9ku81dSdYNhHx8vbT/DG
-GkERG9tE2PA51sWB5cUh13ZItWmbW/NoWiykxJb7J7VkjXAn57jw4suSbNEQnA/E
-bg/5WwECgYEAyqEWS7cUCLheHuyWHOxkL7ACoko4wS8QO3Q4ohPlqZb7pca7FIqU
-WzXEUcyYZPkKTAKx/Vd0Xv6raGImi1QluuwLULACvZ7Ei5uLsMxUCJKyLX7wunTb
-64aH8jONNMAXX4K9eVj7EghBGjdnVc4HRAzm/QyH8F6hmXGT7Ulw3JECgYEAwvpU
-AkrUGb5UgVG/tNtlOlCqVGyvWOITDEsxLPCTlC6Ls6EIYKvc/21oRNL7n/ssfvS/
-DbyVTatiCXaF/MDbx0msbxJbq3sGTY16/XMb1PeTRdQm4xsUEQB1Fi3MnhLmPzV1
-jdKSKvKoxTfZKUg9eP/aVs4abRyHsIXc7BRznR0CgYBB86qBHGa969xerlyxr1Nw
-nhZNYmEUp8/duhdQ0a8XwtfHfmaX6f8drONoSHJ1swVh9iKetd9fp/58bC3lfY8G
-RxvruE48D7gjRI50Dh1v6OdrnXyXA8As6c3HzHWybK9u2+v12jtmBB/Ee7H7oKKG
-yLhKNtDsMLDic7BVNGkysQKBgHjzr0+oucCqiGOcoc8A1uABEFjE/1WlEOnsbzoQ
-l4wx/6nT+I13r+WoKimftEZ/GxA6pZZQ6VHAQlXad63eubf75QMWIVXUQIm1fZli
-Yd6QIoUL4X+62YzeesPib2+UC88kS6NKADCyTa3iQk3QqYm5Nenpew06yJXhxLWS
-zlGlAoGACEbPUlQB+ouInOFyVcFf1kHsMBcmg54MVi2J6x95149rq5FlY5kbmZcs
-6wlSBkAzzKb7WbPNgbGLMAYP+EXKODe+f1nzP+oojmJlCdTLfrudREFA2ZGGOKDX
-0o2EhnGL7VB4Upuw5ddMs7s1v6pqUKQXrZQUb24AX8w/1n+0PEM=
+MIIEogIBAAKCAQEAs0UsstkyjuvNkpx/vmZlKpBITJyGmfTfFjl01uU4dUVwzE3y
+hllGPLN3ijLSteHP3opUbDNd5dG4eVsa9DUiqIJlk/g+tnKS5IdQbA6yUf1nIHr3
+9tVukOtX66sMeHBU+M46KD7r4RRrGSBYT1FsyIv47D2uk24nBZ7Sf2+LoVQZfMIV
+dydIGfHxmQJxymzS80mh57EN2y70oH9HMwn/bbGb8WrysN09WVbNbT2vdeYX3OJX
+i0xsmT/Ynev1VD9B2mbA/XCf4c45xFL1HxKQ/+RTlmY6z6m4rBFuFGCscLPba5g2
+90mXqrpMSpuWUagIRZmOaeoyd3x25qbYwNe5QwIDAQABAoIBAC9F9I2NHPn3UJRy
+1HTfB5p7xbT+Kbh7jECOEjOA6qxyDVayz1uCOzVSlhlJYas4ytoCXFTUDtTFwwGt
+dqQjRupsyGCGu/Lcr8O3swtrrLZWPlWgV7ctfSSWCu9IgddYt++MYmWuggEuozdT
+AjaYYDlaP9/8PAcAqyWeRh/4yDdYRpEHshePE/uZaIDH1xgQ72v8Ks6fnz3sTYK6
+dJZfZ2EMUS2CsdbqYX+X7CSLkM7FVs+O0xFz00AF7xyfID9RP+nSGkPny60/O5Vk
+qO3dC1pXCs3aAXlTUBsP0aHWHFHXIIfJA95fQy0V7gqDxXHRPRInlFdERYkebM4S
+ctnfxYECgYEA6vFH8Vzc9G99LIZGX2EfODfwJ62TzDPOgqubUMpQRqydTxA9GaPG
+KyoF7GEYK3K8sji/uH1qcogUS46vXNcvm5xe7B5OPgfTLF6tfMaVeBvA6PfGOirx
+qzvrFDTp+DdInOOO9KwvVULKvWtIehSIT12EjKXPxnMCh/vTN2ngg2ECgYEAw1aA
+Z7iBrOPSTFf3S+rMgEMSv3s578YTg6hlaNfDvTEC9zQEDg7k4MxffRyBKLqidLUl
+ZZrcTszdO25c56w7xjFwcLwlFZuaoulFn+ON77/eudtCAjGjnmxUQuruzmoh8YyL
+zBB0oEGzm4u46BK3/ODIzQxpZL0MUUTXliLfoyMCgYA5KwrxfUI6rGJOEkJPdSeO
+m3XxgbgkCTsn6q/5YbFU8S26Dl5/va071ZbpZNrnv5yQ1WQ5dTMQuXIOzKJ5OddY
+yx0B4YHycB7/fe5DHWNDfaVcSuZOQyLZItRZ72I7RuCBZJHlkXxXB9CjdNaG9jYQ
+8dWOD87WICguhKVpp3a9IQKBgGLZByl1iMmAkA7qBM56Bvpw9q/HH85iIcXiFU80
+wGygvKtzuwmSJ+hKA5hAMGv35fXBJSeBcjK+IMXOV101HxpwMkIaM3n3wAzolr8O
+W+kS4xaSCZkqnW2xzAIA+M+jjYG6aZPeT+Y42TbBQdTOhCSHa5W3zi2YLP+DIsVq
+6FiZAoGAUGZttRZOFMZ1paEKtJzvbf7bYNkqW1iIY5AVAN84g4AEJ3910WHxXh7+
+uFWyBU4fUy0Qgk9HihSRbfnq2lvwNNWUeMQmt8t1WpEGUDT6FH4LoDD3fvHbmxY0
+y5QBbDvalkeIe6ESdW1uhLzxCzCRZSkANtMfiVCKvQOOBjxbfeo=
 -----END RSA PRIVATE KEY-----
diff --git a/testing/hosts/venus/etc/strongswan.conf b/testing/hosts/venus/etc/strongswan.conf
index 4e52c6a6b..ba5dbdd1d 100644
--- a/testing/hosts/venus/etc/strongswan.conf
+++ b/testing/hosts/venus/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac gmp pubkey random curl
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/hosts/winnetou/etc/openssl/certs/160769ece9ead9c1c4d89c34aa004c3b66402081 b/testing/hosts/winnetou/etc/openssl/certs/160769ece9ead9c1c4d89c34aa004c3b66402081
new file mode 100644
index 000000000..eb21aa751
Binary files /dev/null and b/testing/hosts/winnetou/etc/openssl/certs/160769ece9ead9c1c4d89c34aa004c3b66402081 differ
diff --git a/testing/hosts/winnetou/etc/openssl/certs/442b7162c7a4c27bd0f1076e345c5664bed53c7c b/testing/hosts/winnetou/etc/openssl/certs/442b7162c7a4c27bd0f1076e345c5664bed53c7c
new file mode 100644
index 000000000..2b48d673b
Binary files /dev/null and b/testing/hosts/winnetou/etc/openssl/certs/442b7162c7a4c27bd0f1076e345c5664bed53c7c differ
diff --git a/testing/hosts/winnetou/etc/openssl/certs/45b967b2f9b4a8855235b2d01249cd1e079348aa b/testing/hosts/winnetou/etc/openssl/certs/45b967b2f9b4a8855235b2d01249cd1e079348aa
new file mode 100644
index 000000000..c5d60508b
Binary files /dev/null and b/testing/hosts/winnetou/etc/openssl/certs/45b967b2f9b4a8855235b2d01249cd1e079348aa differ
diff --git a/testing/hosts/winnetou/etc/openssl/certs/644c5cc8c42a6c8cfe62f6a83bb0dbb43f0f0fb4 b/testing/hosts/winnetou/etc/openssl/certs/644c5cc8c42a6c8cfe62f6a83bb0dbb43f0f0fb4
new file mode 100644
index 000000000..10a5268a7
Binary files /dev/null and b/testing/hosts/winnetou/etc/openssl/certs/644c5cc8c42a6c8cfe62f6a83bb0dbb43f0f0fb4 differ
diff --git a/testing/hosts/winnetou/etc/openssl/certs/c45be2b38883548967f4f959fd5ec0822f65237b b/testing/hosts/winnetou/etc/openssl/certs/c45be2b38883548967f4f959fd5ec0822f65237b
new file mode 100644
index 000000000..bee738de2
Binary files /dev/null and b/testing/hosts/winnetou/etc/openssl/certs/c45be2b38883548967f4f959fd5ec0822f65237b differ
diff --git a/testing/hosts/winnetou/etc/openssl/certs/dbb808e4f319d815aadd8dab6f6ae5b717800e83 b/testing/hosts/winnetou/etc/openssl/certs/dbb808e4f319d815aadd8dab6f6ae5b717800e83
new file mode 100644
index 000000000..a0bf27344
Binary files /dev/null and b/testing/hosts/winnetou/etc/openssl/certs/dbb808e4f319d815aadd8dab6f6ae5b717800e83 differ
diff --git a/testing/hosts/winnetou/etc/openssl/certs/de106e5254cbafddb683117f90174910f43b5ae3 b/testing/hosts/winnetou/etc/openssl/certs/de106e5254cbafddb683117f90174910f43b5ae3
new file mode 100644
index 000000000..01b0f6c9d
Binary files /dev/null and b/testing/hosts/winnetou/etc/openssl/certs/de106e5254cbafddb683117f90174910f43b5ae3 differ
diff --git a/testing/hosts/winnetou/etc/openssl/certs/de216601f06d10a41171392fdfc9127f0bb9d5b0 b/testing/hosts/winnetou/etc/openssl/certs/de216601f06d10a41171392fdfc9127f0bb9d5b0
new file mode 100644
index 000000000..002aaa25c
Binary files /dev/null and b/testing/hosts/winnetou/etc/openssl/certs/de216601f06d10a41171392fdfc9127f0bb9d5b0 differ
diff --git a/testing/hosts/winnetou/etc/openssl/certs/edde495f4fb6db4e3eff85bcaecda2a3ccc58fcf b/testing/hosts/winnetou/etc/openssl/certs/edde495f4fb6db4e3eff85bcaecda2a3ccc58fcf
new file mode 100644
index 000000000..32ceccedc
Binary files /dev/null and b/testing/hosts/winnetou/etc/openssl/certs/edde495f4fb6db4e3eff85bcaecda2a3ccc58fcf differ
diff --git a/testing/hosts/winnetou/etc/openssl/certs/rfc3779/0b5362afd8838bafb66c854732b490d5d8318261 b/testing/hosts/winnetou/etc/openssl/certs/rfc3779/0b5362afd8838bafb66c854732b490d5d8318261
new file mode 100644
index 000000000..c98775369
Binary files /dev/null and b/testing/hosts/winnetou/etc/openssl/certs/rfc3779/0b5362afd8838bafb66c854732b490d5d8318261 differ
diff --git a/testing/hosts/winnetou/etc/openssl/certs/rfc3779/533394399c61128c957881790d70511537798da1 b/testing/hosts/winnetou/etc/openssl/certs/rfc3779/533394399c61128c957881790d70511537798da1
new file mode 100644
index 000000000..0f2a0ec8d
Binary files /dev/null and b/testing/hosts/winnetou/etc/openssl/certs/rfc3779/533394399c61128c957881790d70511537798da1 differ
diff --git a/testing/hosts/winnetou/etc/openssl/certs/rfc3779/6b5aec8fe9dcb8d0f707490abc84ab0890a7d2da b/testing/hosts/winnetou/etc/openssl/certs/rfc3779/6b5aec8fe9dcb8d0f707490abc84ab0890a7d2da
new file mode 100644
index 000000000..489030d9f
Binary files /dev/null and b/testing/hosts/winnetou/etc/openssl/certs/rfc3779/6b5aec8fe9dcb8d0f707490abc84ab0890a7d2da differ
diff --git a/testing/hosts/winnetou/etc/openssl/certs/rfc3779/b8a73c3433f4e341cc7c4ae42989f0a23a956488 b/testing/hosts/winnetou/etc/openssl/certs/rfc3779/b8a73c3433f4e341cc7c4ae42989f0a23a956488
new file mode 100644
index 000000000..863f65237
Binary files /dev/null and b/testing/hosts/winnetou/etc/openssl/certs/rfc3779/b8a73c3433f4e341cc7c4ae42989f0a23a956488 differ
diff --git a/testing/hosts/winnetou/etc/openssl/crlnumber b/testing/hosts/winnetou/etc/openssl/crlnumber
index 9e22bcb8e..eeee65ec4 100644
--- a/testing/hosts/winnetou/etc/openssl/crlnumber
+++ b/testing/hosts/winnetou/etc/openssl/crlnumber
@@ -1 +1 @@
-02
+05
diff --git a/testing/hosts/winnetou/etc/openssl/crlnumber.old b/testing/hosts/winnetou/etc/openssl/crlnumber.old
index 8a0f05e16..64969239d 100644
--- a/testing/hosts/winnetou/etc/openssl/crlnumber.old
+++ b/testing/hosts/winnetou/etc/openssl/crlnumber.old
@@ -1 +1 @@
-01
+04
diff --git a/testing/hosts/winnetou/etc/openssl/duck/.rand b/testing/hosts/winnetou/etc/openssl/duck/.rand
new file mode 100644
index 000000000..49c56672c
Binary files /dev/null and b/testing/hosts/winnetou/etc/openssl/duck/.rand differ
diff --git a/testing/hosts/winnetou/etc/openssl/duck/crlnumber b/testing/hosts/winnetou/etc/openssl/duck/crlnumber
new file mode 100644
index 000000000..8a0f05e16
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/duck/crlnumber
@@ -0,0 +1 @@
+01
diff --git a/testing/hosts/winnetou/etc/openssl/duck/duckCert.pem b/testing/hosts/winnetou/etc/openssl/duck/duckCert.pem
new file mode 100644
index 000000000..bb205a0fd
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/duck/duckCert.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIID0jCCArqgAwIBAgIBBTANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS
+BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTA5MTEwNDE2MTUwM1oXDTE1MTEwMzE2MTUw
+M1owVjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP
+BgNVBAsTCFJlc2VhcmNoMRkwFwYDVQQDExBEdWNrIFJlc2VhcmNoIENBMIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApIBRSgHCxHhMjsVZo4PtFnENkHNu
+MfyRDsc7m1KRDVt8N4h/EcbduU7xeq/RjxZSmlc1q6EWEgDv3KwDYY0sX+qrpQKa
+ub5AgsRa2fOOR9xfyf0Q7Nc3oR3keWqQUiigCuaw9NQRtdMm/JFdXLNY3r60tBsO
+UHOJAPZNoGPey5UL9ZjjsN6ROUVTh0NAkFwkmnTRwmUvY5bi/T7ulsSkO9BrfqKD
+h/pliP7uZANd0ZpPcrIc68WwrelpI1zu0kYGqu/y8HZpuPuAXtGqS2jctrjSieeY
+i9wFLnS2tgV3ID4LzEEICSeqVqOvYgGKbarqLkARdxmdRKM9QYpu+5J+YQIDAQAB
+o4GvMIGsMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgEGMB0GA1UdDgQWBBR2
+KqikMafGcY8wJbwCZpvLF1SNIDBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p
+891UIKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3
+YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBDzANBgkqhkiG9w0BAQsF
+AAOCAQEAsHR1vDlz2sPQpD9xnt1PL4qX7XWSSM6d+QG3cjdiKCjH8t78ecEm1duv
+YozLg6SYHGUF9qYuPz2SAZjQjmIWLlkQpBfQm8/orG+jbsQl5HkXFYX0UWAKZFGx
+rjHnOzmQxnmIWHky4uMDT/UmhmWy6kuCmZbKeeOqkBR2gVxfLyzelTSbF4ntEm1C
+1XqqtM4OfTOD5QUPD+6rZ5RoIPId9+2A8pJ2NyCUCf47FbkmYzU5+oiChhcGzsC5
+wDlgP32NA88kSiSJ2p2ZveYveRqcyZXZDAiTxRaIwJY0bt2Dk4wKicvy6vPdLA5v
+DSlBqDpnqK8tEI9V9YeroihTcygrEg==
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/duck/duckKey.pem b/testing/hosts/winnetou/etc/openssl/duck/duckKey.pem
new file mode 100644
index 000000000..5fff90708
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/duck/duckKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpQIBAAKCAQEApIBRSgHCxHhMjsVZo4PtFnENkHNuMfyRDsc7m1KRDVt8N4h/
+EcbduU7xeq/RjxZSmlc1q6EWEgDv3KwDYY0sX+qrpQKaub5AgsRa2fOOR9xfyf0Q
+7Nc3oR3keWqQUiigCuaw9NQRtdMm/JFdXLNY3r60tBsOUHOJAPZNoGPey5UL9Zjj
+sN6ROUVTh0NAkFwkmnTRwmUvY5bi/T7ulsSkO9BrfqKDh/pliP7uZANd0ZpPcrIc
+68WwrelpI1zu0kYGqu/y8HZpuPuAXtGqS2jctrjSieeYi9wFLnS2tgV3ID4LzEEI
+CSeqVqOvYgGKbarqLkARdxmdRKM9QYpu+5J+YQIDAQABAoIBADfb0r6cpnRsnSKF
+5RBfReyu6vo4GB0lNGSeRqFRgivU+vMoiG2S58t7AQi2FyTNYbNDFdh31LS8WLbI
+OkWv2HehijN4FO4pqmI9JtSHnbLNJEHEizDBTASLz/9irisX3HCXMVORh4oEb2Ko
+QdmulOjePSJDZbLv6H/JI0bpYsgiAw26KEoB8cnHwiApF69a4uPJA6gW98nsabyq
+9NQVW5QAmUFDnzA6upFRBUeBBpufYMvP82zfntFx72yLBmXgBnyZW23WwZfQZSzw
+FChhl40mwykOE8jpeGgxmdWyPc29roF+kuvaOUaSF2nmyl4qhLCISdr0eHXHAGDH
+2RjVJ6ECgYEA0YW38d4309J1QegK5vhPWehnxpZHpK86DENevYaS7zRcCu1BRZc0
+aBAceTYCZHYofOWmeIns0qtMfzzuemPCiOZWy9VYgJrJ0YkmNin3DM1/13pWiKqn
+EkQCFa6K5AiB0umTOwJoAHlJYlJ2k4bw7Rm/LtiHC2fnRq2KJeKmg60CgYEAyP30
+5D8sUkih9rRfZRHAPo0x1qJpJQC+cFUBMIuOXFIz37TqbZcGDkRRb+ewywNxT73t
+TfVDvR7tD3cYTi78dVz539Dwl9mt10QLGsQJ4825uY/LQqUe8F2qz+E3lWqoo+yJ
+WlTAqbHI2a4g4CjFC4/+i6lKQ+NpmJLZIPz3HAUCgYEAiduy4Ti2gPAb6OZ1re05
+wM1y4q5kq04EIqd9QbS3Hx7TZPkgllpbyBC5u2M3BcTc9PjhpLQTl7XQGnQL8YmM
+KSlteKaCmfO+0NitxLut6sWX1T6Qi1HFpfYLbRqwFkQmr5CyKAR4S7+B8miRzpXe
+FhN3wKoFiRKvkMiEelL7/u0CgYEAnh4TWsBL+MuFBxTs+xDU4SCotYZ9GwwTxUFK
+N0uCiiRtBK9JwT8PF4gtXNCzZ3Jk4Ou0VSD+0jgTHJh/eXpDR30GYkn4DC3GMdQo
+vDy+3wSH+HAj4mEODuBRMUqnNJd85cB+aZ7FFnpzXLQ8zrukEC2OfYaHkxLDjrDv
+uaDoMZUCgYEAhD89Cj849LXbJEmjX0MGUCCBO9EBR2Ux2nbuB+TQnvwz7VT0Jkds
+Db1IfljoDefqzyFfH/0Z3bNg4EpidAG3BMC4MwY7WzR1rfnXwNluaWM5gmUzFNw0
+mBGXonIf6nRMIO9eeTFI8VfFb6BYvosNxz+9QA/5rpamGN1cKdMjgPc=
+-----END RSA PRIVATE KEY-----
diff --git a/testing/hosts/winnetou/etc/openssl/duck/duckReq.pem b/testing/hosts/winnetou/etc/openssl/duck/duckReq.pem
new file mode 100644
index 000000000..b5d3bcffd
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/duck/duckReq.pem
@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICmzCCAYMCAQAwVjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u
+Z1N3YW4xETAPBgNVBAsTCFJlc2VhcmNoMRkwFwYDVQQDExBEdWNrIFJlc2VhcmNo
+IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApIBRSgHCxHhMjsVZ
+o4PtFnENkHNuMfyRDsc7m1KRDVt8N4h/EcbduU7xeq/RjxZSmlc1q6EWEgDv3KwD
+YY0sX+qrpQKaub5AgsRa2fOOR9xfyf0Q7Nc3oR3keWqQUiigCuaw9NQRtdMm/JFd
+XLNY3r60tBsOUHOJAPZNoGPey5UL9ZjjsN6ROUVTh0NAkFwkmnTRwmUvY5bi/T7u
+lsSkO9BrfqKDh/pliP7uZANd0ZpPcrIc68WwrelpI1zu0kYGqu/y8HZpuPuAXtGq
+S2jctrjSieeYi9wFLnS2tgV3ID4LzEEICSeqVqOvYgGKbarqLkARdxmdRKM9QYpu
++5J+YQIDAQABoAAwDQYJKoZIhvcNAQEFBQADggEBAIDZVgYXbPT9NMLOv5Uc6w06
+D5bvQ3/j3W4J8bMpYM/kbvIjwnsNmVggxhYeMmRDhidUcj849ybKRoJo7zrzTfvK
+BR1v9xCenB+0mnJQWfxIt1aspEW0Y6Z9g3jW47WOxSQagS5BVKVCcw1qxLJ4q3JS
+QqZJeQheHYNu9BQCa2w2rJeE0TT2WohcHxt0RpERZyjMfAlOOEUOB/m8Yx1N7/Zd
+wJIWCd3o+HYoDqUCS11y3EN+VO6H/+8gcRANe7tKE5+gqc9+7gDpKLTL7hc0S6sh
+e3yYo2CHZ8U2hsJGRFz7sFnZpwFi5KeI4+sKgyUurM2lxvcCzTC3DplG+4Wtcls=
+-----END CERTIFICATE REQUEST-----
diff --git a/testing/hosts/winnetou/etc/openssl/duck/index.txt b/testing/hosts/winnetou/etc/openssl/duck/index.txt
new file mode 100644
index 000000000..759a85b80
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/duck/index.txt
@@ -0,0 +1 @@
+V	141103162335Z		01	unknown	/C=CH/O=Linux strongSwan/OU=Duck Research/CN=carol@strongswan.org
diff --git a/testing/hosts/winnetou/etc/openssl/duck/index.txt.attr b/testing/hosts/winnetou/etc/openssl/duck/index.txt.attr
new file mode 100644
index 000000000..8f7e63a34
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/duck/index.txt.attr
@@ -0,0 +1 @@
+unique_subject = yes
diff --git a/testing/hosts/winnetou/etc/openssl/duck/index.txt.old b/testing/hosts/winnetou/etc/openssl/duck/index.txt.old
new file mode 100644
index 000000000..e69de29bb
diff --git a/testing/hosts/winnetou/etc/openssl/duck/newcerts/01.pem b/testing/hosts/winnetou/etc/openssl/duck/newcerts/01.pem
new file mode 100644
index 000000000..4e13b52d0
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/duck/newcerts/01.pem
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIIEBzCCAu+gAwIBAgIBATANBgkqhkiG9w0BAQsFADBWMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxGTAX
+BgNVBAMTEER1Y2sgUmVzZWFyY2ggQ0EwHhcNMDkxMTA0MTYyMzM1WhcNMTQxMTAz
+MTYyMzM1WjBfMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dh
+bjEWMBQGA1UECxMNRHVjayBSZXNlYXJjaDEdMBsGA1UEAxQUY2Fyb2xAc3Ryb25n
+c3dhbi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6LueCi67Y
+IGRDKP5bkysGWZHrFrztq7elIFCPPSUxyIOYo4Upzr5WsvO0dIfcZY3agV2NcAI2
+30sATlfTUp+obedZMHbzE3VBvQuLjgK42ox2XIXDj23Vy496mVqlwUQulhBcAhMb
+jnBb4T0aR7WCnJvfzyckEyWrTN0ajRyQhJEmTn+spYNQX/2lg6hEn/K1T/3Py7sG
+veeF6BRenHR5L60NSK7qV7AU+hM4R0UIvgwYqzxSStgGS9G6Bwj9QTOWwSV1tuii
+ABiRdZSBoON0uMMpRjgEzuVe0f4VbOCIEXO8MtdpCu7Rwa9tc8OwneLcGCYVomr5
+7KKRJdvC5As3AgMBAAGjgdYwgdMwCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYD
+VR0OBBYEFFSYDz2TYOMxfyrIx20NhPPHTCOIMHkGA1UdIwRyMHCAFHYqqKQxp8Zx
+jzAlvAJmm8sXVI0goVWkUzBRMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXgg
+c3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDASBgNVBAMTC1Jlc2VhcmNo
+IENBggEFMB8GA1UdEQQYMBaBFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMA0GCSqGSIb3
+DQEBCwUAA4IBAQBIpl8SH4Nytgr6KvmXzns80u615WnDmP6oJrnwIZUkunVns8HH
+TFUVjvDKoQ+8CvuaH9Ifo2dokGjtGObeO4Y38y0xBIkUO+JpwfTa3SeCEhdOZb3G
+4e9WxHhV9IGfRyPsXQG+3JpAMaHYH+PNKiv7RBTq6rGaHzvgUEXRMTbv/bJI+Fs6
+Yfd/XxIur/ftVh4dZocyC74MUyXy5tyZJkHe1aBszOa0iT1852fq93lNUQPQqw0O
+3q3Lg7CvbNSdWqeAMqUgeBqh6oQItY9Exrwh0tfuCsjZ0oWXUBghsuiV+GTmZ6ok
+BiGmSmtX5OD4UtKcicuMRqnK2MYJHp1z1goE
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/duck/openssl.cnf b/testing/hosts/winnetou/etc/openssl/duck/openssl.cnf
new file mode 100644
index 000000000..8b5511e9d
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/duck/openssl.cnf
@@ -0,0 +1,178 @@
+# openssl.cnf -  OpenSSL configuration file for the ZHW PKI
+# Mario Strasser <mario.strasser@zhwin.ch>
+#	
+
+# This definitions were set by the ca_init script DO NOT change
+# them manualy.
+CAHOME			= /etc/openssl/duck
+RANDFILE		= $CAHOME/.rand
+
+# Extra OBJECT IDENTIFIER info:
+oid_section		= new_oids
+
+[ new_oids ]
+SmartcardLogin		= 1.3.6.1.4.1.311.20.2
+ClientAuthentication	= 1.3.6.1.4.1.311.20.2.2
+
+####################################################################
+
+[ ca ]
+default_ca	= root_ca		# The default ca section
+
+####################################################################
+
+[ root_ca ]				
+
+dir		= $CAHOME
+certs		= $dir/certs		  # Where the issued certs are kept
+crl_dir		= $dir/crl                # Where the issued crl are kept
+database	= $dir/index.txt          # database index file.
+new_certs_dir   = $dir/newcerts           # default place for new certs.
+
+certificate     = $dir/duckCert.pem       # The CA certificate
+serial          = $dir/serial             # The current serial number
+crl             = $dir/crl.pem            # The current CRL
+crlnumber       = $dir/crlnumber          # The current CRL serial number
+private_key     = $dir/duckKey.pem        # The private key
+RANDFILE        = $dir/.rand              # private random number file
+
+x509_extensions = host_ext		  # The extentions to add to the cert
+
+crl_extensions	= crl_ext  		  # The extentions to add to the CRL
+
+default_days    = 1825                    # how long to certify for
+default_crl_days= 30			  # how long before next CRL
+default_md      = sha256                  # which md to use.
+preserve        = no                      # keep passed DN ordering
+email_in_dn	= no			  # allow/forbid EMail in DN
+
+policy          = policy_match		  # specifying how similar the request must look
+
+####################################################################
+
+# the 'match' policy
+[ policy_match ]
+countryName		= match
+stateOrProvinceName	= optional
+localityName            = optional
+organizationName	= match
+organizationalUnitName	= optional
+userId			= optional
+commonName		= supplied
+emailAddress		= optional
+
+# the 'anything' policy
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+####################################################################
+
+[ req ]
+default_bits		= 1024
+default_keyfile 	= privkey.pem
+distinguished_name	= req_distinguished_name
+attributes		= req_attributes
+x509_extensions		= ca_ext	# The extentions to add to the self signed cert
+# req_extensions 	= v3_req 	# The extensions to add to a certificate request
+
+
+# This sets a mask for permitted string types. There are several options. 
+# default: PrintableString, T61String, BMPString.
+# pkix	 : PrintableString, BMPString.
+# utf8only: only UTF8Strings.
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
+# so use this option with caution!
+string_mask 			= nombstr
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+####################################################################
+
+[ req_distinguished_name ]
+countryName			= Country Name (2 letter code)
+countryName_default		= CH
+countryName_min			= 2
+countryName_max			= 2
+
+#stateOrProvinceName		= State or Province Name (full name)
+#stateOrProvinceName_default	= ZH
+
+#localityName			= Locality Name (eg, city)
+#localityName_default		= Winterthur
+
+organizationName		= Organization Name (eg, company)
+organizationName_default	= Linux strongSwan
+
+0.organizationalUnitName		= Organizational Unit Name (eg, section)
+0.organizationalUnitName_default	= Duck Research
+
+#1.organizationalUnitName	= Type (eg, Staff)
+#1.organizationalUnitName_default = Staff
+
+#userId				= UID 
+
+commonName			= Common Name (eg, YOUR name)
+commonName_default		= $ENV::COMMON_NAME
+commonName_max			= 64
+
+#0.emailAddress			= Email Address (eg, foo@bar.com)
+#0.emailAddress_min              = 0
+#0.emailAddress_max              = 40
+
+#1.emailAddress                  = Second Email Address (eg, foo@bar.com)
+#1.emailAddress_min              = 0
+#1.emailAddress_max              = 40
+
+####################################################################
+
+[ req_attributes ]
+
+####################################################################
+
+[ host_ext ]
+
+basicConstraints		= CA:FALSE
+keyUsage 			= digitalSignature, keyEncipherment, keyAgreement
+subjectKeyIdentifier            = hash
+authorityKeyIdentifier          = keyid, issuer:always
+subjectAltName			= DNS:$ENV::COMMON_NAME
+#extendedKeyUsage		= OCSPSigning
+
+####################################################################
+
+[ user_ext ]
+
+basicConstraints		= CA:FALSE
+keyUsage                        = digitalSignature, keyEncipherment, keyAgreement
+subjectKeyIdentifier            = hash
+authorityKeyIdentifier          = keyid, issuer:always
+subjectAltName                  = email:$ENV::COMMON_NAME 
+
+####################################################################
+
+[ ca_ext ]
+
+basicConstraints               	= critical, CA:TRUE
+keyUsage                        = cRLSign, keyCertSign
+subjectKeyIdentifier           = hash
+authorityKeyIdentifier         = keyid, issuer:always
+
+####################################################################
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+#issuerAltName			= issuer:copy
+authorityKeyIdentifier		= keyid:always, issuer:always
+
+# eof
diff --git a/testing/hosts/winnetou/etc/openssl/duck/serial b/testing/hosts/winnetou/etc/openssl/duck/serial
new file mode 100644
index 000000000..9e22bcb8e
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/duck/serial
@@ -0,0 +1 @@
+02
diff --git a/testing/hosts/winnetou/etc/openssl/duck/serial.old b/testing/hosts/winnetou/etc/openssl/duck/serial.old
new file mode 100644
index 000000000..8a0f05e16
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/duck/serial.old
@@ -0,0 +1 @@
+01
diff --git a/testing/hosts/winnetou/etc/openssl/generate-crl b/testing/hosts/winnetou/etc/openssl/generate-crl
index 7776876c1..60e53a0a4 100755
--- a/testing/hosts/winnetou/etc/openssl/generate-crl
+++ b/testing/hosts/winnetou/etc/openssl/generate-crl
@@ -38,4 +38,8 @@ cd /etc/openssl/monster
 openssl ca -gencrl -crldays 15 -config /etc/openssl/monster/openssl.cnf -out crl.pem
 openssl crl -in crl.pem -outform der -out strongswan-monster.crl
 cp strongswan-monster.crl /var/www/localhost/htdocs/
+cd /etc/openssl/rfc3779
+openssl ca -gencrl -crldays 15 -config /etc/openssl/rfc3779/openssl.cnf -out crl.pem
+openssl crl -in crl.pem -outform der -out strongswan_rfc3779.crl
+cp strongswan_rfc3779.crl /var/www/localhost/htdocs/
 
diff --git a/testing/hosts/winnetou/etc/openssl/generate-hash-and-url b/testing/hosts/winnetou/etc/openssl/generate-hash-and-url
new file mode 100755
index 000000000..08208ed65
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/generate-hash-and-url
@@ -0,0 +1,13 @@
+#! /bin/bash
+#
+# generates the SHA-1 hash required by the RFC 4306 
+# HASH_AND_URL certificate fetching scheme
+#
+
+for cert in $@
+do
+  openssl x509 -in $cert -outform der -out cert.der
+  hash=`sha1sum cert.der | awk '{ print $1 }'`
+  cp cert.der "$hash"
+done
+rm cert.der
diff --git a/testing/hosts/winnetou/etc/openssl/index.txt b/testing/hosts/winnetou/etc/openssl/index.txt
index 9e5194ebc..abdbb857b 100644
--- a/testing/hosts/winnetou/etc/openssl/index.txt
+++ b/testing/hosts/winnetou/etc/openssl/index.txt
@@ -1,17 +1,17 @@
-V	090909111334Z		01	unknown	/C=CH/O=Linux strongSwan/CN=mars.strongswan.org
-V	090909111553Z		02	unknown	/C=CH/O=Linux strongSwan/CN=sun.strongswan.org
-V	090909111725Z		03	unknown	/C=CH/O=Linux strongSwan/CN=moon.strongswan.org
-V	090909111826Z		04	unknown	/C=CH/O=Linux strongSwan/CN=venus.strongswan.org
-V	090909112439Z		05	unknown	/C=CH/O=Linux strongSwan/OU=Sales/CN=alice@strongswan.org
-V	090909112534Z		06	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=bob@strongswan.org
-R	090909112548Z	041226135423Z	07	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org
-V	090909112651Z		08	unknown	/C=CH/O=Linux strongSwan/OU=Accounting/CN=dave@strongswan.org
-V	091118162928Z		09	unknown	/C=CH/O=Linux strongSwan/OU=OCSP Signing Authority/CN=ocsp.strongswan.org
-V	091231214318Z		0A	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org
+R	090909111334Z	090827094721Z,cessationOfOperation	01	unknown	/C=CH/O=Linux strongSwan/CN=mars.strongswan.org
+R	090909111553Z	090827094730Z,superseded	02	unknown	/C=CH/O=Linux strongSwan/CN=sun.strongswan.org
+R	090909111725Z	090827094735Z,superseded	03	unknown	/C=CH/O=Linux strongSwan/CN=moon.strongswan.org
+R	090909111826Z	090827094738Z,superseded	04	unknown	/C=CH/O=Linux strongSwan/CN=venus.strongswan.org
+R	090909112439Z	090827094746Z,superseded	05	unknown	/C=CH/O=Linux strongSwan/OU=Sales/CN=alice@strongswan.org
+R	090909112534Z	090827094749Z,superseded	06	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=bob@strongswan.org
+R	090909112548Z	041226135423Z,keyCompromise	07	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org
+R	090909112651Z	090827094754Z,superseded	08	unknown	/C=CH/O=Linux strongSwan/OU=Accounting/CN=dave@strongswan.org
+R	091118162928Z	091124124946Z,superseded	09	unknown	/C=CH/O=Linux strongSwan/OU=OCSP Signing Authority/CN=ocsp.strongswan.org
+R	091231214318Z	090827113123Z,superseded	0A	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org
 V	100216084430Z		0B	unknown	/C=CH/O=Linux strongSwan/OU=Authorization Authority/CN=aa@strongswan.org
-R	140321062536Z	050621195214Z	0C	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=Research CA
+R	140321062536Z	050621195214Z,CACompromise	0C	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=Research CA
 V	140321062916Z		0D	unknown	/C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA
-R	100607191714Z	070427213122Z	0E	unknown	/C=CH/O=Linux strongSwan/CN=winnetou.strongswan.org
+R	100607191714Z	070427213122Z,superseded	0E	unknown	/C=CH/O=Linux strongSwan/CN=winnetou.strongswan.org
 V	100620195806Z		0F	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=Research CA
 V	111007105811Z		10	unknown	/C=CH/O=Linux strongSwan/OU=SHA-256/CN=moon.strongswan.org
 V	111007121250Z		11	unknown	/C=CH/O=Linux strongSwan/OU=SHA-384/CN=carol@strongswan.org
@@ -19,3 +19,12 @@ V	111007122112Z		12	unknown	/C=CH/O=Linux strongSwan/OU=SHA-512/CN=dave@strongsw
 V	120224075857Z		13	unknown	/C=CH/O=Linux strongSwan/OU=OCSP/CN=carol@strongswan.org
 V	120425210745Z		14	unknown	/C=CH/O=Linux strongSwan/CN=winnetou.strongswan.org
 V	140406120117Z		15	unknown	/C=CH/O=Linux strongSwan/OU=Research/serialNumber=002/CN=carol@strongswan.org
+V	140826095904Z		16	unknown	/C=CH/O=Linux strongSwan/CN=sun.strongswan.org
+V	140826100332Z		17	unknown	/C=CH/O=Linux strongSwan/CN=moon.strongswan.org
+V	140826100522Z		18	unknown	/C=CH/O=Linux strongSwan/CN=venus.strongswan.org
+V	140826100724Z		19	unknown	/C=CH/O=Linux strongSwan/OU=Sales/CN=alice@strongswan.org
+V	140826100818Z		1A	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=bob@strongswan.org
+R	140826103106Z	090827103405Z,keyCompromise	1B	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org
+V	140826103739Z		1C	unknown	/C=CH/O=Linux strongSwan/OU=Accounting/CN=dave@strongswan.org
+V	140826104451Z		1D	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org
+V	141123125153Z		1E	unknown	/C=CH/O=Linux strongSwan/OU=OCSP Signing Authority/CN=ocsp.strongswan.org
diff --git a/testing/hosts/winnetou/etc/openssl/index.txt.old b/testing/hosts/winnetou/etc/openssl/index.txt.old
index 64b725536..67a737e0e 100644
--- a/testing/hosts/winnetou/etc/openssl/index.txt.old
+++ b/testing/hosts/winnetou/etc/openssl/index.txt.old
@@ -1,20 +1,29 @@
-V	090909111334Z		01	unknown	/C=CH/O=Linux strongSwan/CN=mars.strongswan.org
-V	090909111553Z		02	unknown	/C=CH/O=Linux strongSwan/CN=sun.strongswan.org
-V	090909111725Z		03	unknown	/C=CH/O=Linux strongSwan/CN=moon.strongswan.org
-V	090909111826Z		04	unknown	/C=CH/O=Linux strongSwan/CN=venus.strongswan.org
-V	090909112439Z		05	unknown	/C=CH/O=Linux strongSwan/OU=Sales/CN=alice@strongswan.org
-V	090909112534Z		06	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=bob@strongswan.org
-R	090909112548Z	041226135423Z	07	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org
-V	090909112651Z		08	unknown	/C=CH/O=Linux strongSwan/OU=Accounting/CN=dave@strongswan.org
-V	091118162928Z		09	unknown	/C=CH/O=Linux strongSwan/OU=OCSP Signing Authority/CN=ocsp.strongswan.org
-V	091231214318Z		0A	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org
+R	090909111334Z	090827094721Z,cessationOfOperation	01	unknown	/C=CH/O=Linux strongSwan/CN=mars.strongswan.org
+R	090909111553Z	090827094730Z,superseded	02	unknown	/C=CH/O=Linux strongSwan/CN=sun.strongswan.org
+R	090909111725Z	090827094735Z,superseded	03	unknown	/C=CH/O=Linux strongSwan/CN=moon.strongswan.org
+R	090909111826Z	090827094738Z,superseded	04	unknown	/C=CH/O=Linux strongSwan/CN=venus.strongswan.org
+R	090909112439Z	090827094746Z,superseded	05	unknown	/C=CH/O=Linux strongSwan/OU=Sales/CN=alice@strongswan.org
+R	090909112534Z	090827094749Z,superseded	06	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=bob@strongswan.org
+R	090909112548Z	041226135423Z,keyCompromise	07	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org
+R	090909112651Z	090827094754Z,superseded	08	unknown	/C=CH/O=Linux strongSwan/OU=Accounting/CN=dave@strongswan.org
+R	091118162928Z	091124124946Z,superseded	09	unknown	/C=CH/O=Linux strongSwan/OU=OCSP Signing Authority/CN=ocsp.strongswan.org
+R	091231214318Z	090827113123Z,superseded	0A	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org
 V	100216084430Z		0B	unknown	/C=CH/O=Linux strongSwan/OU=Authorization Authority/CN=aa@strongswan.org
-R	140321062536Z	050621195214Z	0C	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=Research CA
+R	140321062536Z	050621195214Z,CACompromise	0C	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=Research CA
 V	140321062916Z		0D	unknown	/C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA
-R	100607191714Z	070427213122Z	0E	unknown	/C=CH/O=Linux strongSwan/CN=winnetou.strongswan.org
+R	100607191714Z	070427213122Z,superseded	0E	unknown	/C=CH/O=Linux strongSwan/CN=winnetou.strongswan.org
 V	100620195806Z		0F	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=Research CA
 V	111007105811Z		10	unknown	/C=CH/O=Linux strongSwan/OU=SHA-256/CN=moon.strongswan.org
 V	111007121250Z		11	unknown	/C=CH/O=Linux strongSwan/OU=SHA-384/CN=carol@strongswan.org
 V	111007122112Z		12	unknown	/C=CH/O=Linux strongSwan/OU=SHA-512/CN=dave@strongswan.org
 V	120224075857Z		13	unknown	/C=CH/O=Linux strongSwan/OU=OCSP/CN=carol@strongswan.org
 V	120425210745Z		14	unknown	/C=CH/O=Linux strongSwan/CN=winnetou.strongswan.org
+V	140406120117Z		15	unknown	/C=CH/O=Linux strongSwan/OU=Research/serialNumber=002/CN=carol@strongswan.org
+V	140826095904Z		16	unknown	/C=CH/O=Linux strongSwan/CN=sun.strongswan.org
+V	140826100332Z		17	unknown	/C=CH/O=Linux strongSwan/CN=moon.strongswan.org
+V	140826100522Z		18	unknown	/C=CH/O=Linux strongSwan/CN=venus.strongswan.org
+V	140826100724Z		19	unknown	/C=CH/O=Linux strongSwan/OU=Sales/CN=alice@strongswan.org
+V	140826100818Z		1A	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=bob@strongswan.org
+R	140826103106Z	090827103405Z,keyCompromise	1B	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org
+V	140826103739Z		1C	unknown	/C=CH/O=Linux strongSwan/OU=Accounting/CN=dave@strongswan.org
+V	140826104451Z		1D	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org
diff --git a/testing/hosts/winnetou/etc/openssl/newcerts/16.pem b/testing/hosts/winnetou/etc/openssl/newcerts/16.pem
new file mode 100644
index 000000000..d0937bab8
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/newcerts/16.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEIDCCAwigAwIBAgIBFjANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA5MDgyNzA5NTkwNFoXDTE0MDgyNjA5NTkwNFowRTELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN1bi5z
+dHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAN+V
+VIpn6Q5jaU//EN6p6A5cSfUfhBK0mFa2laFFZh/Y0h66AXqqrQ3X917h7YNsSk68
+oowY9h9I3gOx7hNVBsJr2VjdYC+b0q5NTha09/A5mimv/prYj6o0yawxoPjoDs9Y
+h7D7Kf+F8fkgk0stlHJZX66J7dNrFXbg1xBld+Ep5Or2FbEZ9QWUpRQTuhdpNt/4
+9YuxQ59DemY9IRbwsrKCHH0mGrJsDdqeb0ap+8QvSXHjCt1fr9MNKWaAFAQLKQI4
+e0da1ntPCEQLeE833+NNRBgGufk0KqGT3eAXqrxa9AEIUJnVcPexQdqUMjcUpXFb
+8WNzRWB8Egh3BDK6FsECAwEAAaOCARkwggEVMAkGA1UdEwQCMAAwCwYDVR0PBAQD
+AgOoMB0GA1UdDgQWBBRW1p4v2qihzRlcI1PnxbZwluML+zBtBgNVHSMEZjBkgBRd
+p91wBlEyfue2bbO15eBg6i5N76FJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoT
+EExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIB
+ADAdBgNVHREEFjAUghJzdW4uc3Ryb25nc3dhbi5vcmcwEwYDVR0lBAwwCgYIKwYB
+BQUHAwEwOQYDVR0fBDIwMDAuoCygKoYoaHR0cDovL2NybC5zdHJvbmdzd2FuLm9y
+Zy9zdHJvbmdzd2FuLmNybDANBgkqhkiG9w0BAQsFAAOCAQEAo37LYT9Awx0MK/nA
+FZpPJqUr0Ey+O5Ukcsdx7nd00SlmpiQRY8KmuRXCBQnDEgdLstd3slQjT0pJEgWF
+0pzxybnI6eOzYAhLfhart+X1hURiNGbXjggm2s4I5+K32bVIkNEqlsYnd/6F9oo5
+ZNO0/eTTruLZfkNe/zchBGKe/Z7MacVwlYWWCbMtBV4K1d5dGcRRgpQ9WivDlmat
+Nh9wlscDSgSGk3HJkbxnq695VN7zUbDWAUvWWhV5bIDjlAR/xyT9ApqIxiyVVRul
+fYrE7U05Hbt6GgAroAKLp6qJup9+TxQAKSjKIwJ0hf7OuYyQ8TZtVHS7AOhm+T/5
+G/jGGA==
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/newcerts/17.pem b/testing/hosts/winnetou/etc/openssl/newcerts/17.pem
new file mode 100644
index 000000000..d5c970f41
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/newcerts/17.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEIjCCAwqgAwIBAgIBFzANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA5MDgyNzEwMDMzMloXDTE0MDgyNjEwMDMzMlowRjELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHDAaBgNVBAMTE21vb24u
+c3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDK
+L2M91Lu6BYYhWxWgMS9z9TMSTwszm5rhO7ZIsCtMRo4PAeYw+++SGXt3CPXb/+p+
+SWKGlm11rPE71eQ3ehgh2C3hAurfmWO0iQQaCw+fdreeIVCqOQIOP6UqZ327h5yY
+YpHk8VQv4vBJTpxclU1PqnWheqe1ZlLxsW773LRml/fQt/UgvJkCBTZZONLNMfK+
+7TDnYaVsAtncgvDN78nUNEe2qY92KK7SrBJ6SpUEg49m51F+XgsGcsgWVHS85on3
+Om/G48crLEVJjdu8CxewSRVgb+lPJWzHd8QsU0Vg/7vlqs3ZRMyNtNKrr4opSvVb
+A6agGlTXhDCreDiXU8KHAgMBAAGjggEaMIIBFjAJBgNVHRMEAjAAMAsGA1UdDwQE
+AwIDqDAdBgNVHQ4EFgQUapx00fiJeYn2WpTpifH6w2SdKS4wbQYDVR0jBGYwZIAU
+XafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYDVQQK
+ExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3QgQ0GC
+AQAwHgYDVR0RBBcwFYITbW9vbi5zdHJvbmdzd2FuLm9yZzATBgNVHSUEDDAKBggr
+BgEFBQcDATA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4u
+b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQCctXg2xeMozaTV
+jiBL1P8MY9uEH5JtU0EceQ1RbI5/2vGRdnECND9oADY5vamaaE2Mdq2Qh/vlXnML
+o3ii5ELjsQlYdTYZOcMOdcUUXYvbbFX1cwpkBhyBl1H25KptHcgQ/HnceKp3kOuq
+wYOYjgwePXulcpWXx0E2QtQCFQQZFPyEWeNJxH0oglg53QPXfHY9I2/Gukj5V0bz
+p7ME0Gs8KdnYdmbbDqzQgPsta96/m+HoJlsrVF+4Gqihj6BWMBQ2ybjPWZdG3oH9
+25cE8v60Ry98D0Z/tygbAUFnh5oOvaf642paVgc3aoA77I8U+UZjECxISoiHultY
+7QTufOwP
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/newcerts/18.pem b/testing/hosts/winnetou/etc/openssl/newcerts/18.pem
new file mode 100644
index 000000000..c383667e6
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/newcerts/18.pem
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIIEDzCCAvegAwIBAgIBGDANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA5MDgyNzEwMDUyMloXDTE0MDgyNjEwMDUyMlowRzELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHTAbBgNVBAMTFHZlbnVz
+LnN0cm9uZ3N3YW4ub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
+s0UsstkyjuvNkpx/vmZlKpBITJyGmfTfFjl01uU4dUVwzE3yhllGPLN3ijLSteHP
+3opUbDNd5dG4eVsa9DUiqIJlk/g+tnKS5IdQbA6yUf1nIHr39tVukOtX66sMeHBU
++M46KD7r4RRrGSBYT1FsyIv47D2uk24nBZ7Sf2+LoVQZfMIVdydIGfHxmQJxymzS
+80mh57EN2y70oH9HMwn/bbGb8WrysN09WVbNbT2vdeYX3OJXi0xsmT/Ynev1VD9B
+2mbA/XCf4c45xFL1HxKQ/+RTlmY6z6m4rBFuFGCscLPba5g290mXqrpMSpuWUagI
+RZmOaeoyd3x25qbYwNe5QwIDAQABo4IBBjCCAQIwCQYDVR0TBAIwADALBgNVHQ8E
+BAMCA6gwHQYDVR0OBBYEFI9cCmyxR/wbUXCARuBjbHpUAS1nMG0GA1UdIwRmMGSA
+FF2n3XAGUTJ+57Zts7Xl4GDqLk3voUmkRzBFMQswCQYDVQQGEwJDSDEZMBcGA1UE
+ChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBSb290IENB
+ggEAMB8GA1UdEQQYMBaCFHZlbnVzLnN0cm9uZ3N3YW4ub3JnMDkGA1UdHwQyMDAw
+LqAsoCqGKGh0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbi5jcmww
+DQYJKoZIhvcNAQELBQADggEBAK5Pi/g5Y234tEcTFWE0Vdg4cKxIfZRewFOOZI1z
+/RWfzoqPZ6YzD15B1toKZrAGsqyhdJ4yQ/BwxJpdgNCscMelkzMubcLXL9QugPS4
+hz4MLkJR2tDCZA/mFUTEbAQwdNSCxSo/l0vZ5KXUg9y5zZhCWpZiHJBXnz/567wn
+K16J3x9TYtdh4sT+y+0vHgvosUs2srRTkK2WDDxlh9XTch7DZyrLuiRRFrWjc6y9
+ThVH/qQNXwEBq2t9UYjQUVyx77gVQmiLrPU7UjL4IBoZmBNV/VJ10+rmGj1eG1nD
+pgq6oBTrbEsv8Ix7y/MziTB8POj3dKjl2UZmRVBwMbnNqYk=
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/newcerts/19.pem b/testing/hosts/winnetou/etc/openssl/newcerts/19.pem
new file mode 100644
index 000000000..49fe4b80b
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/newcerts/19.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEHzCCAwegAwIBAgIBGTANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA5MDgyNzEwMDcyNFoXDTE0MDgyNjEwMDcyNFowVzELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsTBVNhbGVz
+MR0wGwYDVQQDFBRhbGljZUBzdHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcNAQEB
+BQADggEPADCCAQoCggEBANiNakgR5pct0NqirfPJEb9e3YZkYHvqZ/RUJ6Ea9ZGE
+8KuQxGAHuLWqaf/3GrL/LYIs1fTJ7JTNMu+PSec8kf9I5AxItPzb+uSwI9hXQxhl
+NJ8V+Zjs9Q3GX/59wS3DcHF4i8b88I/f7aLGwHOoRyT/UZPXPGIrHS9UWh/50//Q
+/GLreivoW65Cfj7oNi3wMTYwZB5MyPY5q9MRcYyEPa0GNM0GzzYfIEkQz8nuSL/q
+WQrmLmlS6Ktw5L3HXsUaKinGt0xI7jLGWh4ysnrjMNxKzRt2LITqSPtoTTR2JB6a
+5/6544mB2FGErpSd/LgGTmwzOgloZLpsQgsN6xjpUvsCAwEAAaOCAQYwggECMAkG
+A1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBQF2gQgjAL0KEcKz2x3LQZm
+E9qGPDBtBgNVHSMEZjBkgBRdp91wBlEyfue2bbO15eBg6i5N76FJpEcwRTELMAkG
+A1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0
+cm9uZ1N3YW4gUm9vdCBDQYIBADAfBgNVHREEGDAWgRRhbGljZUBzdHJvbmdzd2Fu
+Lm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3Jn
+L3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQBWv4PhHGVpiLF5M3Rn
+qQLSoRFjKqn3N9We81RWwVRpBzwoUEaHizelaVct9FJg6t7Fk/D8F0wag5EFKlcg
+KQ8fd/0qLE393uwGb4Dvql2w49NFFDUsk5FC+pMUDAYsWHyFu26WKY5kfaMwNMNJ
+HK6e4m6+Wmoy5ulkatwDJRDqkyG11YJ/p0n0HAG1DBJoL9079U+xQxT+9a2f7TaO
+B/UbQNOvOgqaddk5uUDTjqnY/bltbAAuuI1ZNMrPCCNUorcdhySJb1tlF/JXTTB6
+N60XqYRYnk5T1yftNU0AA26ggskv4MMDwgYCGsyZuCX9vW+XsArRQJ5fsSZDiO7R
+8FT2
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/newcerts/1A.pem b/testing/hosts/winnetou/etc/openssl/newcerts/1A.pem
new file mode 100644
index 000000000..00ecd5a2d
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/newcerts/1A.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEHjCCAwagAwIBAgIBGjANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA5MDgyNzEwMDgxOFoXDTE0MDgyNjEwMDgxOFowWDELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
+cmNoMRswGQYDVQQDFBJib2JAc3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQDXwxTtozmxKaUhC0T5HvxVShfM5jQQKwIzSVAZeXUp
+BgQ2uLT9Hn/J7boaUIE1Xf11zCRIlcy5Xkupha2gfqEmRbefYAOr/NFuC4pPEDeJ
+jWg/miCZo9/DH2iWvCvU4GCcrY/LKDeDoKL9fc9H5FTtA/Y1ugbooOO1yoV04eot
+MmvmYcqUtCX+h/Of9xM0w0m6aoDIXAhjcKEPMg/WL5acWuVVaWONa+x7HoQUDe+9
+MgoB1VmaoB77VYaK72jBhbvonF8GjEb3RiukfuMIOk5yN9OHzA9ODJbTDvSmmQkt
+h/oEHAL/tzOQ2zjEptsKvwq/3drGbdREO/cp39I5/ZRFAgMBAAGjggEEMIIBADAJ
+BgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQUYUK/uIcou7BS8ODHk9Ro
+PGJP1FcwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJ
+BgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJz
+dHJvbmdTd2FuIFJvb3QgQ0GCAQAwHQYDVR0RBBYwFIESYm9iQHN0cm9uZ3N3YW4u
+b3JnMDkGA1UdHwQyMDAwLqAsoCqGKGh0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcv
+c3Ryb25nc3dhbi5jcmwwDQYJKoZIhvcNAQELBQADggEBAEIkmrK7GPm4H/FAEVCN
+775XpuofsfGjT/bO/aPCqb+uPwwcKeUfxzICQDEqMv+mtxGuLjtfmTWwUcoPMgN+
+2HZDJGa1+kK2VLUz3QBIQXSdusbITb0ND/xCvbGwsk9y/0DGBnAo3xNBNM73ZQ8k
+/A7mQ2nnQfzI9gQ342FOuTTb/kwrVNixQI3dhvf6Th5Dj5rZfQs6c09+9jRLGBFx
+g7qQ1gej0fi6XYX4cSNwluu/Vo6xT5epEeTU5KoYn0mtOqFx6AY8xzIqQLvY4m8g
+viGoGRqId1gqNiEfshb8KICPI29WyiBRzMKO6reeb+446A9CSLgMW0Ze3SCRXrjr
+2nQ=
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/newcerts/1B.pem b/testing/hosts/winnetou/etc/openssl/newcerts/1B.pem
new file mode 100644
index 000000000..a92610c4f
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/newcerts/1B.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEIjCCAwqgAwIBAgIBGzANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA5MDgyNzEwMzEwNloXDTE0MDgyNjEwMzEwNlowWjELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
+cmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBAOHh/BBf9VwUbx3IU2ZvKJylwCUP2Gr40Velcexr
+lR1PoK3nwZrJxxfhhxrxdx7Wnt/PDiF2eyzA9U4cOyS1zPpWuRt69PEOWfzQJZkD
+e5C6bXZMHwJGaCM0h8EugnwI7/XgbEq8U/1PBwIeFh8xSyIwyn8NqyHWm+6haFZG
+Urz7y0ZOAYcX5ZldP8vjm2SyAl0hPlod0ypk2K1igmO8w3cRRFqD27XhztgIJyoi
++BO3umc+BXcpPGoZ7IFaXvHcMVECrxbkrvRdpKiz/4+u8FakQJtBmYuqP2TLodRJ
+TKSJ4UvIPXZ8DTEYC/Ja/wrm1hNfH4T3YjWGT++lVbYF7qECAwEAAaOCAQYwggEC
+MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBQRnt9aYXsi/fgMXGVh
+ZpTfg8kSYjBtBgNVHSMEZjBkgBRdp91wBlEyfue2bbO15eBg6i5N76FJpEcwRTEL
+MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT
+EnN0cm9uZ1N3YW4gUm9vdCBDQYIBADAfBgNVHREEGDAWgRRjYXJvbEBzdHJvbmdz
+d2FuLm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4u
+b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBBAUAA4IBAQCY2EMqkuhtAls/
+jkjXm+sI5YVglE62itSYgJxKZhxoFn3l4Afc6+XBeftK8Y1IjXdeyQUg8qHhkctl
+nBiEzRCClporCOXl5hOzWi+ft2hyKgcx8mFB8Qw5ZE9z8dvY70jdPCB4cH5EVaiC
+6ElGcI02iO073iCe38b3rmpwfnkIWZ0FVjSFSsTiNPLXWH6m6tt9Gux/PFuLff4a
+cdGfEGs01DEp9t0bHqZd6ESf2rEUljT57i9wSBfT5ULj78VTgudw/WhB0CgiXD+f
+q2dZC/19B8Xmk6XmEpRQjFK6wFmfBiQdelJo17/8M4LdT/RfvTHJOxr2OAtvCm2Z
+0xafBd5x
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/newcerts/1C.pem b/testing/hosts/winnetou/etc/openssl/newcerts/1C.pem
new file mode 100644
index 000000000..f212e19cf
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/newcerts/1C.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEIjCCAwqgAwIBAgIBHDANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA5MDgyNzEwMzczOVoXDTE0MDgyNjEwMzczOVowWzELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xEzARBgNVBAsTCkFjY291
+bnRpbmcxHDAaBgNVBAMUE2RhdmVAc3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQDAB/JTbwVY5oNF0+8Behdbc0NOeX+bl0SOcgpZ
+ha6nbMBQO41jtOI5r5Xbg9sK9l+DYOnZQZEsEhIVZDoK8yGI/FIEE+gWRf+OLmI8
+k2K+G1dklTC/VP2tZWMQYQWs6UnX3iiVpHccI3CQqqJWe9fZsIsq0J9j9hu6h9dG
+IEbon6RXDLPI5DIiIKc3r0jDHNDsIUDzcjuUdCxKFCMuHUCfa1PBiqpj5pP6XT0G
+gI6UjbgnNWPTPb2axE7P1x5gQmVwiFiYs+VTh2fq9O9xNxnn/YmzLk4/YNly7xYX
+Q31NuhSvRpH7jsJ1p4VSuunYqvccPUKsp5PvCtCeGvNT2qt1AgMBAAGjggEFMIIB
+ATAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQU7n842u6huBpBd394
+8mdL6EOdjg4wbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQD
+ExJzdHJvbmdTd2FuIFJvb3QgQ0GCAQAwHgYDVR0RBBcwFYETZGF2ZUBzdHJvbmdz
+d2FuLm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4u
+b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQAyAbxrpMtTARw3
+jvBwuapaHXnTppz+TkWyfXVpgTwtPlf3rbhPk4DjhT2ygyMTI1azoqProf2aBbDr
+DldCSQPsZAcuzOdruKKMo2CQwgLuBFXL+JUX0hiIpFS1ZZHA2aDKyUw4OyADOvDU
+8r1/WiwRb91TdYP9nEu9qP30k0vkUg8DCbCmPI1/MVaxVzh9LRAFyOHrnKSCXG7o
+StmVFm2Yf3pE4HS1W6DtommyPs7aUD5XAaQdr3DYKI/TazoU6t5g2aEqigu+pj2M
+qk5idJkx5VCFvUU1hlChyX6NNNjJNnV6u5YiuatcdYQhpCTBsxnBoM+w0BvNOCl+
+1PdgEy1K
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/newcerts/1D.pem b/testing/hosts/winnetou/etc/openssl/newcerts/1D.pem
new file mode 100644
index 000000000..6c41df9c7
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/newcerts/1D.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEIjCCAwqgAwIBAgIBHTANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA5MDgyNzEwNDQ1MVoXDTE0MDgyNjEwNDQ1MVowWjELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
+cmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBANBdWU+BF7x4lyo+xHnr4UAOU89yQQuT5vdPoXzx
+6kRPsjYAuuktgXR+SaLkQHw/YRgDPSKj5nzmmlOQf/rWRr+8O2q+C92aUICmkNvZ
+Gamo5w2WlOMZ6T5dk2Hv+QM6xT/GzWyVr1dMYu/7tywD1Bw7aW/HqkRESDu6q95V
+Wu+Lzg6XlxCNEez0YsZrN/fC6BL2qzKAqMBbIHFW8OOnh+nEY4IF5AzkZnFrw12G
+I72Z882pw97lyKwZhSz/GMQFBJx+rnNdw5P1IJwTlG5PUdoDCte/Mcr1iiA+zOov
+x55x1GoGxduoXWU5egrf1MtalRf9Pc8Xr4q3WEKTAmsZrVECAwEAAaOCAQYwggEC
+MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBQfoamI2WSMtaCiVGQ5
+tPI9dF1ufDBtBgNVHSMEZjBkgBRdp91wBlEyfue2bbO15eBg6i5N76FJpEcwRTEL
+MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT
+EnN0cm9uZ1N3YW4gUm9vdCBDQYIBADAfBgNVHREEGDAWgRRjYXJvbEBzdHJvbmdz
+d2FuLm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4u
+b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQC8pqX3KrSzKeul
+GdzydAV4hGwYB3WiB02oJ2nh5MJBu7J0Kn4IVkvLUHSSZhSRxx55tQZfdYqtXVS7
+ZuyG+6rV7sb595SIRwfkLAdjbvv0yZIl4xx8j50K3yMR+9aXW1NSGPEkb8BjBUMr
+F2kjGTOqomo8OIzyI369z9kJrtEhnS37nHcdpewZC1wHcWfJ6wd9wxmz2dVXmgVQ
+L2BjXd/BcpLFaIC4h7jMXQ5FURjnU7K9xSa4T8PpR6FrQhOcIYBXAp94GiM8JqmK
+ZBGUpeP+3cy4i3DV18Kyr64Q4XZlzhZClNE43sgMqiX88dc3znpDzT7T51j+d+9k
+Rf5Z0GOR
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/newcerts/1E.pem b/testing/hosts/winnetou/etc/openssl/newcerts/1E.pem
new file mode 100644
index 000000000..f84d1a877
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/newcerts/1E.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEQzCCAyugAwIBAgIBHjANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA5MTEyNDEyNTE1M1oXDTE0MTEyMzEyNTE1M1owZzELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHzAdBgNVBAsTFk9DU1Ag
+U2lnbmluZyBBdXRob3JpdHkxHDAaBgNVBAMTE29jc3Auc3Ryb25nc3dhbi5vcmcw
+ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC8BT5LvsaxM0gOw9QM74ML
+vbxXXxTv9W0L//oBnPohbVyueSl0/r2rcIeYa0g1eePgwRRBHwr356Om2mv/zXTp
+lQA4qtY6YMZkoeYCOVhO/fJ4CGO213qWeWIYOe4njTuiPUiI20PWancgaic5UOAC
+UBnyes94I5kB1OWx0THma4Sv0HdBRoWwO+ZqAA87fpV/Wagi6ElJBcjLbO5Hpy3J
+dFvrjNWZwuJw2+qHQ4QOT4McpusfIjgXaZtyEpVIcbJ7knNSq+MapdP0RBS6wzXa
+kWx9tMIAB9gKUfENTNl60ZnmqI0KgKiR3Yqia/bbsD7JcangOcOjWA2H0LKnnLdp
+AgMBAAGjggEaMIIBFjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQU
+NJFukTK/NSVDzCh074LCV5J5E3MwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXg
+YOouTe+hSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdT
+d2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3QgQ0GCAQAwHgYDVR0RBBcwFYIT
+b2NzcC5zdHJvbmdzd2FuLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDCTA5BgNVHR8E
+MjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW4u
+Y3JsMA0GCSqGSIb3DQEBCwUAA4IBAQBteNdmkKbr3bUJSKTaJ/qssbyPjL7MjAmi
+QA1sSq5yIh7Ir23xEq/XQFF51N2yDNuXhLYk1fWou8BL+X9x97BlQkp9/nZ+BdJG
+uH2zOUxcsfq57jtwMzlXGrmVUTMAJRtMqrSnVa9jbW+IF2p/sJfeSRRqJ2qwQoDW
+ppvvBF4RfdWOVCCidtRmWKycEtP1ylSYyiHswVWhL2gLXQRQ0l5wJdgT2URRDopC
+CBiE5mHOWn17gTWQw9SdGbY37o9jXNrY8GRgOeubHFRmdXa1Cli5P5HhIZygUBWX
+tn5BvNDEIUz11/AT+HfpdMSKDiAXMq44wqWoYoUXsaLTIp+Vt6NM
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/ocspCert.pem b/testing/hosts/winnetou/etc/openssl/ocspCert.pem
index 6ca9a58a4..f84d1a877 100644
--- a/testing/hosts/winnetou/etc/openssl/ocspCert.pem
+++ b/testing/hosts/winnetou/etc/openssl/ocspCert.pem
@@ -1,25 +1,25 @@
 -----BEGIN CERTIFICATE-----
-MIIEQzCCAyugAwIBAgIBCTANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
+MIIEQzCCAyugAwIBAgIBHjANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA0MTExOTE2MjkyOFoXDTA5MTExODE2MjkyOFowZzELMAkGA1UE
+b290IENBMB4XDTA5MTEyNDEyNTE1M1oXDTE0MTEyMzEyNTE1M1owZzELMAkGA1UE
 BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHzAdBgNVBAsTFk9DU1Ag
 U2lnbmluZyBBdXRob3JpdHkxHDAaBgNVBAMTE29jc3Auc3Ryb25nc3dhbi5vcmcw
-ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCqJ0y0yhF4iEygd8M73wNC
-8RO590BqiD3Z3x9/5GSVCgfm+ao4hcg6CogNGicu4ybzgPoHt0V/El4D8JRkM8QB
-pg/R7WI4L1ndSZGgTHcQ1vViXGr4PUsIiUR/EgVCSFs8+6Z73J4bJeMomy27Hn9w
-s4leHbrqK87btA2TETV3UlCaDXC6NF8321ZH+D+8OFQaQ0SqKrThKMVYSTf+QdpX
-BlI9vtce1SyS6Kiy4WLdXAt8mO7x+UjaVEzFNyi6SXb9FAGVvO9OXi3+mxm9eK2g
-+s1kA4jqDvL17JftvJLKzFZ5irEuTe2+wHdQbwtlOkW1JFAsGL4O+r4NIoBuMBZF
+ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC8BT5LvsaxM0gOw9QM74ML
+vbxXXxTv9W0L//oBnPohbVyueSl0/r2rcIeYa0g1eePgwRRBHwr356Om2mv/zXTp
+lQA4qtY6YMZkoeYCOVhO/fJ4CGO213qWeWIYOe4njTuiPUiI20PWancgaic5UOAC
+UBnyes94I5kB1OWx0THma4Sv0HdBRoWwO+ZqAA87fpV/Wagi6ElJBcjLbO5Hpy3J
+dFvrjNWZwuJw2+qHQ4QOT4McpusfIjgXaZtyEpVIcbJ7knNSq+MapdP0RBS6wzXa
+kWx9tMIAB9gKUfENTNl60ZnmqI0KgKiR3Yqia/bbsD7JcangOcOjWA2H0LKnnLdp
 AgMBAAGjggEaMIIBFjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQU
-iAcKuK7HwQdcvmhqxKV/gR83tVYwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXg
+NJFukTK/NSVDzCh074LCV5J5E3MwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXg
 YOouTe+hSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdT
 d2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3QgQ0GCAQAwHgYDVR0RBBcwFYIT
 b2NzcC5zdHJvbmdzd2FuLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDCTA5BgNVHR8E
 MjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW4u
-Y3JsMA0GCSqGSIb3DQEBBAUAA4IBAQA4jOyh+neFCkXMZ1gK0o98qkBr3vYEO2a0
-wb2hDv8Alx6T5kwLgdhAzZ5urZpAdiWF3NWE+z9KnEWnpep9MRDXNM8uBglgBO2v
-SAmV1BXNw2ZDe63w6QvQnezgUuWkrTShfduEDmb8j5jVdzoY+kTKwjLYHPG0Ec79
-Os3PPqXlfeUOkzWnhGVP2EtHCj8SppMdA/XIuwIq8aLN14SITi6gvo/cDMa5N6sT
-Q/UBAOWsxbLReaD7l5OXnAJOg3t/RM36vpRqPseGaAgrKy8805QDU2RxsCHrxwzF
-Wi/17J6nmX3e4PuwqPAI/4MsHlFdExRvSq/gXBN/Ib4AHGkUr0/q
+Y3JsMA0GCSqGSIb3DQEBCwUAA4IBAQBteNdmkKbr3bUJSKTaJ/qssbyPjL7MjAmi
+QA1sSq5yIh7Ir23xEq/XQFF51N2yDNuXhLYk1fWou8BL+X9x97BlQkp9/nZ+BdJG
+uH2zOUxcsfq57jtwMzlXGrmVUTMAJRtMqrSnVa9jbW+IF2p/sJfeSRRqJ2qwQoDW
+ppvvBF4RfdWOVCCidtRmWKycEtP1ylSYyiHswVWhL2gLXQRQ0l5wJdgT2URRDopC
+CBiE5mHOWn17gTWQw9SdGbY37o9jXNrY8GRgOeubHFRmdXa1Cli5P5HhIZygUBWX
+tn5BvNDEIUz11/AT+HfpdMSKDiAXMq44wqWoYoUXsaLTIp+Vt6NM
 -----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/ocspKey.pem b/testing/hosts/winnetou/etc/openssl/ocspKey.pem
index aa04e24c6..d25396b09 100644
--- a/testing/hosts/winnetou/etc/openssl/ocspKey.pem
+++ b/testing/hosts/winnetou/etc/openssl/ocspKey.pem
@@ -1,27 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEogIBAAKCAQEAqidMtMoReIhMoHfDO98DQvETufdAaog92d8ff+RklQoH5vmq
-OIXIOgqIDRonLuMm84D6B7dFfxJeA/CUZDPEAaYP0e1iOC9Z3UmRoEx3ENb1Ylxq
-+D1LCIlEfxIFQkhbPPume9yeGyXjKJstux5/cLOJXh266ivO27QNkxE1d1JQmg1w
-ujRfN9tWR/g/vDhUGkNEqiq04SjFWEk3/kHaVwZSPb7XHtUskuiosuFi3VwLfJju
-8flI2lRMxTcoukl2/RQBlbzvTl4t/psZvXitoPrNZAOI6g7y9eyX7bySysxWeYqx
-Lk3tvsB3UG8LZTpFtSRQLBi+Dvq+DSKAbjAWRQIDAQABAoIBAC9SnMfPR0qhhcY/
-aMIXBT4x9E2NUZIPcDxPDOCx8bNtxcLcfxYXRxe1ZB9YvbsRm/yvS1qoAyETR6iK
-2YqAxyu6Nr4o6l879B9SXbkaayb40ehYUbvWuC6Ylr9MkL/dhdqRFr1uH17ni6T4
-e6CGG+WJWVQeqqSEKJT8H6Zea+NSQi9UOsVgKIMiXr52j3hj8LraH/4FoOPlgg3r
-mqrVcQlDYLtt+cufpFJLGzJhTylqlWCRWA6nwKFl8zZqGNaCswKkC3Ql47vlAmQT
-ETl4MMpVsmezC8OcursRmgPJzRudnGg6RLyfTff9b/wFmIujvJLYeN/ILRFvFGkq
-kiIWNIUCgYEA27y3N6lHJ8ommqquoyAVfQpc5Y1gFFXoE8VzkO1ts5B0N6r2DVvy
-DFUT3cSWdBOsF2MykTnyAC0dVXRXTCTEI2AqdmgITOzs3Ydr0XlOPmuM3dOO060F
-I9x4GsCpVcV/zWBZfJyUhNQqxpozrWNvHVgxrEc8pjD29iMLf+EsP2cCgYEAxjvP
-9uQjRxWv3/5ZVEOpBnecZe+ysg0CgK0zt+nogTAn7ET27FFeW8BjcR6g+r57n9cu
-X6EGdxuLexwoqvt3dO/rBF74knTe4ElDzEhcAoxnZPnJrJ6aST0KZ7lGoX5UW7wp
-eyW7HXKpd1THY40v7aHhaSr4362kMTFpPvxxrXMCgYAkDa2+Kz8qjyeQXwryZvQ/
-pPCjFXQ7QfEnNVGF6P8D5GK9M4bVoE1xqo/s5jGNcCDfYX5Nh8VmNADJIaKlMq8f
-4sp0zRL3lDQ1EOAm6ZFl+n2NdAXOQ2hBfw4RzaS7FwGmL/Xe1U4lES7HkUuDWnpD
-xVG5I6MW3ZfXwN5FKCv7ZwKBgByIVWmq8qzzoSnzeTYYuwZ0Ru2hL65TEw4kX/JT
-16RoowZt8sCXAabhLS8GApO0wSSDm2gmTEDulQf2SKA7q7kII2KwrMSfz8imovyP
-WbcAMI2nKnEPLxPllk7RqynpfgjqL2pLRwB5FY1YhY59ru1cRI6XodTIMH7oJsbr
-HQ2jAoGADHlVLAf9hQTYMrLCaO4mjOlJwRa19e1l47o4Lt1H+cGh96Jc4i7Hfkmv
-e/j/ZF4XqtjvmZIR2xevL2+/pPVuMYV0hEWyDQzoUgM6OXF4smSG3N+SrDTSmM8I
-XE9Ohc2JL3IKWN8SarsTUCrqle7UakmbYTUJqH9bJwGyvm3Ro1o=
+MIIEowIBAAKCAQEAvAU+S77GsTNIDsPUDO+DC728V18U7/VtC//6AZz6IW1crnkp
+dP69q3CHmGtINXnj4MEUQR8K9+ejptpr/8106ZUAOKrWOmDGZKHmAjlYTv3yeAhj
+ttd6lnliGDnuJ407oj1IiNtD1mp3IGonOVDgAlAZ8nrPeCOZAdTlsdEx5muEr9B3
+QUaFsDvmagAPO36Vf1moIuhJSQXIy2zuR6ctyXRb64zVmcLicNvqh0OEDk+DHKbr
+HyI4F2mbchKVSHGye5JzUqvjGqXT9EQUusM12pFsfbTCAAfYClHxDUzZetGZ5qiN
+CoCokd2Komv227A+yXGp4DnDo1gNh9Cyp5y3aQIDAQABAoIBACKheJrs9Z3XyzLl
+AN6tEt8LwG/7VFjqRH6MVFkNt8iGYybDrE4fSYIVRPRe9jrbS4yvI3LnK9cDdFIc
+Mv43sov/ZL4LQVAZWRFZ/Ip2U3yhK5LOQMeBotOqYdYCfYoNaml0jjKe6DzK+Uwg
+IT9eVRQ3+r99vU7sh5cdxnzdAirlXAGdy2QxdF1lyC/49H6jxS7qxuxHPqI0P8VR
+9xVKIXaAKaxcijg47slC386/yEbO96morZuJX+F+iaQ37T0nV3tTergbwDtit3xo
+cOdsHan9zGHE1ayKh8DkBinD+BpiLZdapRvcSm2wAKlamXfI3GIAB5r/3B1NW9yb
+rsThgc0CgYEA4CN+fNaFYQmLMK33wZfXvcadaktSWWXmnqPVLIWRddUH3SA5qEJB
+RwuuLgcfmlmZqBqSOj4pDTtAoNooqA9Ryi0Ugzpvmn5iPevfixQoLix4mn1/bvbF
+bo4CX7Vb7mUdfXpu7PwVNALNfaW6fgKM79LoqX4yZ4k/yFuYl+JTIGcCgYEA1r9k
+mTi/5royyVX0vV7uwyKrXQ8VRVhnVeT2nG1KkuQqUraUQG8WD9J9uxvbZxhsrax1
+Hg1iCAobzlEL2XoX2y+dN+81o2tm9qcy3L7+g6M/+7nQmU+fbGdBkcWq72dZC4ev
+K6grD+gl0uQmdVc7m+3lErojNAlvxTSK1BKrR68CgYA2CxjijO8YGK8BC9FjUnNo
+hM1L5eFzQMi8k5BA7evG15jPzodYdLE8qipTWtBZ7STJja6YcIiBcjoBDtkivJ7h
++sCpa5uhSrvxZkA+Tpvpljt2NLBXVxT/tSoJXbdO4f6cVLsOVTHfmpVlqGIxI/hL
+kzUaOR16LXO9oahHZwDYHQKBgHPg60PS35p9NxJ1k47sPyKE/rtEfFHjFj+/QWO/
+hdIl1MC1TOJIDzuSdc4Vhhrnjx1YRgplZlS4P7DhAufjfiQEWW3pYqRAPFs0dbmw
+Rl56JPiMmAdic8BnJ3all0uAFQinutpv8Gyw9FgMTMRcwgmuIUIttvlJbkqXw6IU
+QOB5AoGBAJkTG5alPABxJG9ZuEE+iWCPAV1671FXT115D5wlKOY3CImuhsEW085X
+uGZz7WDZWFZJres8RiRlpK035MAg6lUG3trC9+wOluRNehT6h0Vwru8TxjLBxPcc
+yjdSVDH61FQLSKWIGLH9VVLX03NXqi3qxVGrrulUSW5h/HR2s3f7
 -----END RSA PRIVATE KEY-----
diff --git a/testing/hosts/winnetou/etc/openssl/openssl.cnf b/testing/hosts/winnetou/etc/openssl/openssl.cnf
index 4a4027072..6433c7a24 100644
--- a/testing/hosts/winnetou/etc/openssl/openssl.cnf
+++ b/testing/hosts/winnetou/etc/openssl/openssl.cnf
@@ -42,7 +42,7 @@ crl_extensions	= crl_ext  		  # The extentions to add to the CRL
 
 default_days    = 1825                    # how long to certify for
 default_crl_days= 30			  # how long before next CRL
-default_md      = sha1                    # which md to use.
+default_md      = sha256                  # which md to use.
 preserve        = no                      # keep passed DN ordering
 email_in_dn	= no			  # allow/forbid EMail in DN
 
@@ -146,6 +146,7 @@ subjectKeyIdentifier            = hash
 authorityKeyIdentifier          = keyid, issuer:always
 subjectAltName			= DNS:$ENV::COMMON_NAME
 #extendedKeyUsage		= OCSPSigning
+#extendedKeyUsage		= serverAuth
 crlDistributionPoints          	= URI:http://crl.strongswan.org/strongswan.crl
 
 ####################################################################
@@ -164,10 +165,10 @@ crlDistributionPoints          	= URI:http://crl.strongswan.org/strongswan.crl
 
 [ ca_ext ]
 
-basicConstraints               	= critical, CA:TRUE
+basicConstraints               	= critical, CA:TRUE, pathlen:1
 keyUsage                        = cRLSign, keyCertSign
-subjectKeyIdentifier           = hash
-authorityKeyIdentifier         = keyid, issuer:always
+subjectKeyIdentifier		= hash
+authorityKeyIdentifier		= keyid, issuer:always
 
 ####################################################################
 
diff --git a/testing/hosts/winnetou/etc/openssl/research/index.txt b/testing/hosts/winnetou/etc/openssl/research/index.txt
index 26e68d4f3..75e87f2c9 100644
--- a/testing/hosts/winnetou/etc/openssl/research/index.txt
+++ b/testing/hosts/winnetou/etc/openssl/research/index.txt
@@ -2,3 +2,4 @@ V	100322070423Z		01	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=carol@strong
 V	100615195710Z		02	unknown	/C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA
 V	120323210330Z		03	unknown	/C=CH/O=Linux strongSwan/OU=Research OCSP Signing Authority/CN=ocsp.research.strongswan.org
 V	140323203747Z		04	unknown	/C=CH/O=Linux strongSwan/OU=Research no CDP/CN=carol@strongswan.org
+V	151103161503Z		05	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=Duck Research CA
diff --git a/testing/hosts/winnetou/etc/openssl/research/index.txt.old b/testing/hosts/winnetou/etc/openssl/research/index.txt.old
index 2ccf6489c..26e68d4f3 100644
--- a/testing/hosts/winnetou/etc/openssl/research/index.txt.old
+++ b/testing/hosts/winnetou/etc/openssl/research/index.txt.old
@@ -1,3 +1,4 @@
 V	100322070423Z		01	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org
 V	100615195710Z		02	unknown	/C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA
 V	120323210330Z		03	unknown	/C=CH/O=Linux strongSwan/OU=Research OCSP Signing Authority/CN=ocsp.research.strongswan.org
+V	140323203747Z		04	unknown	/C=CH/O=Linux strongSwan/OU=Research no CDP/CN=carol@strongswan.org
diff --git a/testing/hosts/winnetou/etc/openssl/research/newcerts/05.pem b/testing/hosts/winnetou/etc/openssl/research/newcerts/05.pem
new file mode 100644
index 000000000..bb205a0fd
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/research/newcerts/05.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIID0jCCArqgAwIBAgIBBTANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS
+BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTA5MTEwNDE2MTUwM1oXDTE1MTEwMzE2MTUw
+M1owVjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP
+BgNVBAsTCFJlc2VhcmNoMRkwFwYDVQQDExBEdWNrIFJlc2VhcmNoIENBMIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApIBRSgHCxHhMjsVZo4PtFnENkHNu
+MfyRDsc7m1KRDVt8N4h/EcbduU7xeq/RjxZSmlc1q6EWEgDv3KwDYY0sX+qrpQKa
+ub5AgsRa2fOOR9xfyf0Q7Nc3oR3keWqQUiigCuaw9NQRtdMm/JFdXLNY3r60tBsO
+UHOJAPZNoGPey5UL9ZjjsN6ROUVTh0NAkFwkmnTRwmUvY5bi/T7ulsSkO9BrfqKD
+h/pliP7uZANd0ZpPcrIc68WwrelpI1zu0kYGqu/y8HZpuPuAXtGqS2jctrjSieeY
+i9wFLnS2tgV3ID4LzEEICSeqVqOvYgGKbarqLkARdxmdRKM9QYpu+5J+YQIDAQAB
+o4GvMIGsMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgEGMB0GA1UdDgQWBBR2
+KqikMafGcY8wJbwCZpvLF1SNIDBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p
+891UIKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3
+YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBDzANBgkqhkiG9w0BAQsF
+AAOCAQEAsHR1vDlz2sPQpD9xnt1PL4qX7XWSSM6d+QG3cjdiKCjH8t78ecEm1duv
+YozLg6SYHGUF9qYuPz2SAZjQjmIWLlkQpBfQm8/orG+jbsQl5HkXFYX0UWAKZFGx
+rjHnOzmQxnmIWHky4uMDT/UmhmWy6kuCmZbKeeOqkBR2gVxfLyzelTSbF4ntEm1C
+1XqqtM4OfTOD5QUPD+6rZ5RoIPId9+2A8pJ2NyCUCf47FbkmYzU5+oiChhcGzsC5
+wDlgP32NA88kSiSJ2p2ZveYveRqcyZXZDAiTxRaIwJY0bt2Dk4wKicvy6vPdLA5v
+DSlBqDpnqK8tEI9V9YeroihTcygrEg==
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/research/serial b/testing/hosts/winnetou/etc/openssl/research/serial
index eeee65ec4..cd672a533 100644
--- a/testing/hosts/winnetou/etc/openssl/research/serial
+++ b/testing/hosts/winnetou/etc/openssl/research/serial
@@ -1 +1 @@
-05
+06
diff --git a/testing/hosts/winnetou/etc/openssl/research/serial.old b/testing/hosts/winnetou/etc/openssl/research/serial.old
index 64969239d..eeee65ec4 100644
--- a/testing/hosts/winnetou/etc/openssl/research/serial.old
+++ b/testing/hosts/winnetou/etc/openssl/research/serial.old
@@ -1 +1 @@
-04
+05
diff --git a/testing/hosts/winnetou/etc/openssl/rfc3779/.rand b/testing/hosts/winnetou/etc/openssl/rfc3779/.rand
new file mode 100644
index 000000000..20107f5f6
Binary files /dev/null and b/testing/hosts/winnetou/etc/openssl/rfc3779/.rand differ
diff --git a/testing/hosts/winnetou/etc/openssl/rfc3779/crl.pem b/testing/hosts/winnetou/etc/openssl/rfc3779/crl.pem
new file mode 100644
index 000000000..70a9d4c87
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/rfc3779/crl.pem
@@ -0,0 +1,15 @@
+-----BEGIN X509 CRL-----
+MIICRTCCAS0CAQEwDQYJKoZIhvcNAQELBQAwWjELMAkGA1UEBhMCQ0gxGTAXBgNV
+BAoTEExpbnV4IHN0cm9uZ1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxHjAcBgNVBAMT
+FXN0cm9uZ1N3YW4gUkZDMzc3OSBDQRcNMDkxMjIzMDk0MjUxWhcNMTAwMTA3MDk0
+MjUxWqCBnjCBmzCBjAYDVR0jBIGEMIGBgBQhf6frN9CjCx+h3EIGHhFfPNIQFKFe
+pFwwWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xEDAO
+BgNVBAsTB1JGQzM3NzkxHjAcBgNVBAMTFXN0cm9uZ1N3YW4gUkZDMzc3OSBDQYIJ
+AMxcts8OCFQAMAoGA1UdFAQDAgECMA0GCSqGSIb3DQEBCwUAA4IBAQDLEmxXy56A
+UkZSg59BlPW1R2Fv9fBWiup4OoC1vBcSpPzbiBcD68h62T7hFMx935maBoYa4eLw
+sADS2TkRCBEZzAhYkAMQi72jCtPfJwYUJewlQ+V2As3cygkErBm2Vvo3Om37GKil
+uQaHvHlBSFGrC5IxeIxR2FOH1BeBD6MM9p7yRJ9yEt++jH2dLiGFYX1cmJ6m8aFr
+09tfjTwzw5VclQBjjXaqhrzr33hjAEv0thpx0VQVngq+8WX6HQv/QS1xNJVq8bes
+9GChW+MdNIx0ZH4Tb1hv8dafnSyHIVYzY8UuL4X/+LJDSPjyS8wtZWuj1k+cA9u2
+3TDt0F6MgNAH
+-----END X509 CRL-----
diff --git a/testing/hosts/winnetou/etc/openssl/rfc3779/crlnumber b/testing/hosts/winnetou/etc/openssl/rfc3779/crlnumber
new file mode 100644
index 000000000..75016ea36
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/rfc3779/crlnumber
@@ -0,0 +1 @@
+03
diff --git a/testing/hosts/winnetou/etc/openssl/rfc3779/crlnumber.old b/testing/hosts/winnetou/etc/openssl/rfc3779/crlnumber.old
new file mode 100644
index 000000000..9e22bcb8e
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/rfc3779/crlnumber.old
@@ -0,0 +1 @@
+02
diff --git a/testing/hosts/winnetou/etc/openssl/rfc3779/index.txt b/testing/hosts/winnetou/etc/openssl/rfc3779/index.txt
new file mode 100644
index 000000000..9adf263bf
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/rfc3779/index.txt
@@ -0,0 +1,4 @@
+V	141222133356Z		01	unknown	/C=CH/O=Linux strongSwan/OU=RFC3779/CN=moon.strongswan.org
+V	141222133521Z		02	unknown	/C=CH/O=Linux strongSwan/OU=RFC3779/CN=sun.strongswan.org
+V	141222133612Z		03	unknown	/C=CH/O=Linux strongSwan/OU=RFC3779/CN=carol@strongswan.org
+V	141222133736Z		04	unknown	/C=CH/O=Linux strongSwan/OU=RFC3779/CN=dave@strongswan.org
diff --git a/testing/hosts/winnetou/etc/openssl/rfc3779/index.txt.attr b/testing/hosts/winnetou/etc/openssl/rfc3779/index.txt.attr
new file mode 100644
index 000000000..8f7e63a34
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/rfc3779/index.txt.attr
@@ -0,0 +1 @@
+unique_subject = yes
diff --git a/testing/hosts/winnetou/etc/openssl/rfc3779/index.txt.attr.old b/testing/hosts/winnetou/etc/openssl/rfc3779/index.txt.attr.old
new file mode 100644
index 000000000..8f7e63a34
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/rfc3779/index.txt.attr.old
@@ -0,0 +1 @@
+unique_subject = yes
diff --git a/testing/hosts/winnetou/etc/openssl/rfc3779/index.txt.old b/testing/hosts/winnetou/etc/openssl/rfc3779/index.txt.old
new file mode 100644
index 000000000..be48eeee4
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/rfc3779/index.txt.old
@@ -0,0 +1,3 @@
+V	141222133356Z		01	unknown	/C=CH/O=Linux strongSwan/OU=RFC3779/CN=moon.strongswan.org
+V	141222133521Z		02	unknown	/C=CH/O=Linux strongSwan/OU=RFC3779/CN=sun.strongswan.org
+V	141222133612Z		03	unknown	/C=CH/O=Linux strongSwan/OU=RFC3779/CN=carol@strongswan.org
diff --git a/testing/hosts/winnetou/etc/openssl/rfc3779/newcerts/01.pem b/testing/hosts/winnetou/etc/openssl/rfc3779/newcerts/01.pem
new file mode 100644
index 000000000..7f5f8d703
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/rfc3779/newcerts/01.pem
@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE-----
+MIIEuDCCA6CgAwIBAgIBATANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwG
+A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTA5MTIyMzEzMzM1NloXDTE0
+MTIyMjEzMzM1NlowWDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u
+Z1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dh
+bi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDTKaLLTmKX45Qm
+RjIaBSxBwofzqqkZWtl1mu0cDp6rGWr//hC31OO9MbLeRZBX0UBtuKouceAjdrwG
+aK7ChR0Ft+qlLZ6Z9BH2Dna4vTdESsB3Sn+uXuU4WNdwmmJuRBXfl/7h/Rt+34Cs
+BP82/RtR4GVpS7u73iSLlN4RaeWdySTqhtYH4cKt1H9MiSbwwomwdLedQo3UoOeU
+lkWPrzFKT3gzU4vHr1sgpbF54o/iBr5/YyJpUT9UVeDTffAEMxnAe8/Q/a3pgSLO
+wJ3HnSvcSH0w8zuH1YXOtfmqsphkwVBJGiLzUHWlYxVIAoCKdrv4eoSJLqlL5b51
+vGkmL83RAgMBAAGjggGJMIIBhTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNV
+HQ4EFgQU5zzmRRlKa8+cm1g4RYg4lKNkQz4wgYwGA1UdIwSBhDCBgYAUIX+n6zfQ
+owsfodxCBh4RXzzSEBShXqRcMFoxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51
+eCBzdHJvbmdTd2FuMRAwDgYDVQQLEwdSRkMzNzc5MR4wHAYDVQQDExVzdHJvbmdT
+d2FuIFJGQzM3NzkgQ0GCCQDyr+ZHsk6LRjAeBgNVHREEFzAVghNtb29uLnN0cm9u
+Z3N3YW4ub3JnMBMGA1UdJQQMMAoGCCsGAQUFBwMBMEEGA1UdHwQ6MDgwNqA0oDKG
+MGh0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbl9yZmMzNzc5LmNy
+bDBFBggrBgEFBQcBBwEB/wQ2MDQwEgQCAAEwDAMDAAoBAwUAwKgAATAeBAIAAjAY
+AxEA/sAAAAAAAAAAAAAAAAAAAQMDAP7BMA0GCSqGSIb3DQEBCwUAA4IBAQBVFKeX
+QIH5Zk0dp/7u/V0TKqu5vZ9x6ZrshAZ9nzbLgmSP+++yDXmlQe0D0i2Men4D095S
+smFqw1nMWM5oEPpP58+jhCOHzn7InMp+SRRBkX2j06wT9qbynAHiIun/qcdq13w1
+Fs0PiKVQZbbz72mwl9J3Hkj/JkLtOX00wMPqIFU6veeagGiwOW7KkehFUVqoD9+O
+vgkHnUti2XzgskEGcEWmE1EYv7Qo0OdZB15oNoUV5i8WelfmWO+nz9/QKciATNoC
+kAUVcEV9XY9sSKjazdyG6QfEd3l6lQ+KAt8MnqA89i0yIQ1lg+3Jfe67SMvM1gy6
+Y0Y2hqCja6SsIjVc
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/rfc3779/newcerts/02.pem b/testing/hosts/winnetou/etc/openssl/rfc3779/newcerts/02.pem
new file mode 100644
index 000000000..9ccd47a2c
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/rfc3779/newcerts/02.pem
@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE-----
+MIIEtjCCA56gAwIBAgIBAjANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwG
+A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTA5MTIyMzEzMzUyMVoXDTE0
+MTIyMjEzMzUyMVowVzELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u
+Z1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxGzAZBgNVBAMTEnN1bi5zdHJvbmdzd2Fu
+Lm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK1HhvoVh/fM14RE
+CTXr4to9ZEeGSqHLl5du+eYZl1fC7qLYaCtlaH+eLfDsCgYpe+XsDLHIxpTK9R6k
+XgLP1Jraxz3rtv5qJKkV3aDTjQ2d+cFc0EgiZmn53VEmI/IlcJS/VZzHhNvEJk7H
+k0YpoazpGPtNzFGaehV5mXUAeVPx4RH8fjcSiPbuPS3WC7cqtYvVwk97dj05VfEC
+VnG+90+eFKztvawBzNGwGQ7xZV7kSiPHNyGAV0qrKvhXZ0VPnm/OEiGCAlIo8uno
+Yb/4UMM/a5usCaA9Hgbf8+qqmrzavSUkFEa0y/p9bOBHaqfNP002xktbqBCCodRr
+6QgmiysCAwEAAaOCAYgwggGEMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1Ud
+DgQWBBTaKhy7PH1ihWsD+3/bJQ3e3Isj+DCBjAYDVR0jBIGEMIGBgBQhf6frN9Cj
+Cx+h3EIGHhFfPNIQFKFepFwwWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4
+IHN0cm9uZ1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxHjAcBgNVBAMTFXN0cm9uZ1N3
+YW4gUkZDMzc3OSBDQYIJAPKv5keyTotGMB0GA1UdEQQWMBSCEnN1bi5zdHJvbmdz
+d2FuLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATBBBgNVHR8EOjA4MDagNKAyhjBo
+dHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW5fcmZjMzc3OS5jcmww
+RQYIKwYBBQUHAQcBAf8ENjA0MBIEAgABMAwDAwAKAgMFAMCoAAIwHgQCAAIwGAMR
+AP7AAAAAAAAAAAAAAAAAAAIDAwD+wjANBgkqhkiG9w0BAQsFAAOCAQEAOqdCIldA
+mPp2aAWVPBiKXNrk4VJoIGlwZaUtYNxGQ46wUqAro/taKwZd4B1yvwsX/cHX3Y6j
+C1mQtiXw9onJm1qJM1a804U9yPcgdI+9RMiU0hA+aVmyMlS6WQsKFubU17qP2Ljd
+4hOwVQ681Hi8zfQjJdYpaO1yLcpy2dkotreJS3wA24ssnskRBI/cuAN0dfbV6SDQ
+TK91qz0emHoK3efgtvX4oEpsxI4NrwMstaZSVsHn4npKTGYu82dmPoK6WPblGEHZ
+Iavl08lGcYBV5I2ZGuWOekWQzUuBSveV3AFjieeaDIG3Ue3AKaihn6dCLz6l+t7E
+dXN+1axy9zQ34g==
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/rfc3779/newcerts/03.pem b/testing/hosts/winnetou/etc/openssl/rfc3779/newcerts/03.pem
new file mode 100644
index 000000000..3243bc294
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/rfc3779/newcerts/03.pem
@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE-----
+MIIEojCCA4qgAwIBAgIBAzANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwG
+A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTA5MTIyMzEzMzYxMloXDTE0
+MTIyMjEzMzYxMlowWTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u
+Z1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxHTAbBgNVBAMUFGNhcm9sQHN0cm9uZ3N3
+YW4ub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArD8OrNy0w+T2
+cru3RQgskGCGppwpvLH/QZVHD/UbumxjKVTrz4FskqN39sFxDFDSre1bps+F7jW/
+zmOFe7c7jmZhK1mPnbviYTS4LXdo1j02pPeBNBk4b6VAIKPaYmO3UIoZZ4SPnnVZ
+P7Aj3mU1ztsTbUQqgRmTsdfqiPaBNZ0zylWYPDOkTS+1sbRQHkgdZvw4fYno+Rd+
+hDK1scggL4kRg4uGvFojYciSxo5lC53Am4r8T2zI0aI6L8g57j4cX1XYQwM3tkHM
+2BiCRM/c1wQc+vn+xp1oh/GYM4qoSoZyLTD9A0gqmbnF9//wvSmwpDpSkDoHZ5O3
+Ur6HZ8mByQIDAQABo4IBcjCCAW4wCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYD
+VR0OBBYEFL9rU6QFDLvUOEIFNZROVYWN5v++MIGMBgNVHSMEgYQwgYGAFCF/p+s3
+0KMLH6HcQgYeEV880hAUoV6kXDBaMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGlu
+dXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwGA1UEAxMVc3Ryb25n
+U3dhbiBSRkMzNzc5IENBggkA8q/mR7JOi0YwHwYDVR0RBBgwFoEUY2Fyb2xAc3Ry
+b25nc3dhbi5vcmcwQQYDVR0fBDowODA2oDSgMoYwaHR0cDovL2NybC5zdHJvbmdz
+d2FuLm9yZy9zdHJvbmdzd2FuX3JmYzM3NzkuY3JsMEIGCCsGAQUFBwEHAQH/BDMw
+MTAUBAIAATAOAwUACgMAAQMFAMCoAGQwGQQCAAIwEwMRAP7AAAAAAAAAAAAAAAAA
+ABAwDQYJKoZIhvcNAQELBQADggEBAHhgG8qqLZX3uXDVX9uBZM8jErI78pyL9F8q
+ibTW5UPp+rbbMDY7tphBbFkg5Q0pzJhOzB6I6Oy/QWVVEC20DE7lhOpMu7auS3Gn
+z1t6DCIDR9NYXtKs6UXcMA0PSQ1r7iHQWvtZ0uD998k6UQfZCCOwBbonng2DAp/m
+FKkaCYiZmJw2YBwf+oVNLQp2fHI61uoguiiRQ4AV5Htho0z6MDqpMyrg2F7Uf2cq
+kQY/ZyvMe8VG5KuiaMJPIMdJPnRED2R4qiyHe8eDXgGYHsNhkt7VHRRgo3izqIdG
+1oCv+CHQ2XSK+4dA42U0Vw7V/ExmcLy99bZfCEZwNWG6Y/5Qwww=
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/rfc3779/newcerts/04.pem b/testing/hosts/winnetou/etc/openssl/rfc3779/newcerts/04.pem
new file mode 100644
index 000000000..dffbc67e9
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/rfc3779/newcerts/04.pem
@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE-----
+MIIEoDCCA4igAwIBAgIBBDANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwG
+A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTA5MTIyMzEzMzczNloXDTE0
+MTIyMjEzMzczNlowWDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u
+Z1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxHDAaBgNVBAMUE2RhdmVAc3Ryb25nc3dh
+bi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDPLwvUPUNIZnbX
+eyz8U0COp5RM7ZLFT2iJmSGxznZ30phUNHSy3WX9V8h2kQ2fBks2x0KYWEg8Lh2y
+ggZipePRpuHRnZlcll5/HY/YOUgdV2GE6euNiWKcDB6uE51sxZ+on5KasI9EJMdp
+hJpytYUFjx6pExsoqWMQLigrT6A4bYogkweOZHiUyHiqgtUQcHnmmKwxgeUAkZCb
+00dk7CYnXNQZ1uHj/08TDwrS37SGXfWEIcBGEx/awqlF+s2HTI6zw7NC2HhQsiSp
+Yo1nz8TBr/8XnO9KyYUg04TMkcQqBFDt/qiUswLRLapn9HSyd43BxaF+YuvJ1+ip
+M4G05K1nAgMBAAGjggFxMIIBbTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNV
+HQ4EFgQUJ/+79KP+Ea9vdAIMkUYx++cu6R0wgYwGA1UdIwSBhDCBgYAUIX+n6zfQ
+owsfodxCBh4RXzzSEBShXqRcMFoxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51
+eCBzdHJvbmdTd2FuMRAwDgYDVQQLEwdSRkMzNzc5MR4wHAYDVQQDExVzdHJvbmdT
+d2FuIFJGQzM3NzkgQ0GCCQDyr+ZHsk6LRjAeBgNVHREEFzAVgRNkYXZlQHN0cm9u
+Z3N3YW4ub3JnMEEGA1UdHwQ6MDgwNqA0oDKGMGh0dHA6Ly9jcmwuc3Ryb25nc3dh
+bi5vcmcvc3Ryb25nc3dhbl9yZmMzNzc5LmNybDBCBggrBgEFBQcBBwEB/wQzMDEw
+FAQCAAEwDgMFAAoDAAIDBQDAqADIMBkEAgACMBMDEQD+wAAAAAAAAAAAAAAAAAAg
+MA0GCSqGSIb3DQEBCwUAA4IBAQBlOlqceKqgr0putV9fUf2vekg5QtZGDtHFUOTH
+0gDIe2DJ60bWY5IXpjj2KtzRdoP448fpPaprrh8VEljWoVvAF8LaePKGggqwcG+D
+Z7ioDYlnV1j+/NnbZGM/hPqa841dh5jesTuTAF2giMod6P6eMiiRcnl9X3ltgSWp
+Ahk5C8CNYw+sISJcCHtFQHdKOM4QN7wAWksvpjMWkSDQgf/rnDUgW8DXAwX/9K4V
+G2etJ6/8drpjB115p6h+GYz8xFG28/MSf9BqNX03dBs5oyko2+FgSrb3ACK+pAO4
+Cpi2NKZfUH+M7Loo4baI+f5iavpDjDfar8KTiV610DAp0W2S
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/rfc3779/openssl.cnf b/testing/hosts/winnetou/etc/openssl/rfc3779/openssl.cnf
new file mode 100644
index 000000000..133b2ea71
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/rfc3779/openssl.cnf
@@ -0,0 +1,214 @@
+# openssl.cnf -  OpenSSL configuration file for the ZHW PKI
+# Mario Strasser <mario.strasser@zhwin.ch>
+#	
+
+# This definitions were set by the ca_init script DO NOT change
+# them manualy.
+CAHOME			= /etc/openssl/rfc3779 
+RANDFILE		= $CAHOME/.rand
+
+# Extra OBJECT IDENTIFIER info:
+oid_section		= new_oids
+
+[ new_oids ]
+SmartcardLogin		= 1.3.6.1.4.1.311.20.2
+ClientAuthentication	= 1.3.6.1.4.1.311.20.2.2
+
+####################################################################
+
+[ ca ]
+default_ca	= root_ca		# The default ca section
+
+####################################################################
+
+[ root_ca ]				
+
+dir		= $CAHOME
+certs		= $dir/certs		  # Where the issued certs are kept
+crl_dir		= $dir/crl                # Where the issued crl are kept
+database	= $dir/index.txt          # database index file.
+new_certs_dir   = $dir/newcerts           # default place for new certs.
+
+certificate     = $dir/strongswanCert.pem # The CA certificate
+serial          = $dir/serial             # The current serial number
+crl             = $dir/crl.pem            # The current CRL
+crlnumber	= $dir/crlnumber	  # The current CRL serial number
+private_key     = $dir/strongswanKey.pem  # The private key
+RANDFILE        = $dir/.rand              # private random number file
+
+x509_extensions = host_ext		  # The extentions to add to the cert
+
+crl_extensions	= crl_ext  		  # The extentions to add to the CRL
+
+default_days    = 1825                    # how long to certify for
+default_crl_days= 30			  # how long before next CRL
+default_md      = sha256                  # which md to use.
+preserve        = no                      # keep passed DN ordering
+email_in_dn	= no			  # allow/forbid EMail in DN
+
+policy          = policy_match		  # specifying how similar the request must look
+
+####################################################################
+
+# the 'match' policy
+[ policy_match ]
+countryName		= match
+stateOrProvinceName	= optional
+localityName            = optional
+organizationName	= match
+organizationalUnitName	= optional
+userId			= optional
+serialNumber		= optional
+commonName		= supplied
+emailAddress		= optional
+
+# the 'anything' policy
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+####################################################################
+
+[ req ]
+default_bits		= 1024
+default_keyfile 	= privkey.pem
+distinguished_name	= req_distinguished_name
+attributes		= req_attributes
+x509_extensions		= ca_ext	# The extentions to add to the self signed cert
+# req_extensions 	= v3_req 	# The extensions to add to a certificate request
+
+
+# This sets a mask for permitted string types. There are several options. 
+# default: PrintableString, T61String, BMPString.
+# pkix	 : PrintableString, BMPString.
+# utf8only: only UTF8Strings.
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
+# so use this option with caution!
+string_mask 			= nombstr
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+####################################################################
+
+[ req_distinguished_name ]
+countryName			= Country Name (2 letter code)
+countryName_default		= CH
+countryName_min			= 2
+countryName_max			= 2
+
+#stateOrProvinceName		= State or Province Name (full name)
+#stateOrProvinceName_default	= ZH
+
+#localityName			= Locality Name (eg, city)
+#localityName_default		= Winterthur
+
+organizationName		= Organization Name (eg, company)
+organizationName_default	= Linux strongSwan
+
+0.organizationalUnitName		= Organizational Unit Name (eg, section)
+0.organizationalUnitName_default	= RFC3779 
+
+#1.organizationalUnitName	= Type (eg, Staff)
+#1.organizationalUnitName_default = Staff
+
+#userId				= UID 
+
+commonName			= Common Name (eg, YOUR name)
+commonName_default		= $ENV::COMMON_NAME
+commonName_max			= 64
+
+#0.emailAddress			= Email Address (eg, foo@bar.com)
+#0.emailAddress_min              = 0
+#0.emailAddress_max              = 40
+
+#1.emailAddress                  = Second Email Address (eg, foo@bar.com)
+#1.emailAddress_min              = 0
+#1.emailAddress_max              = 40
+
+####################################################################
+
+[ req_attributes ]
+
+####################################################################
+
+[ host_ext ]
+
+basicConstraints		= CA:FALSE
+keyUsage 			= digitalSignature, keyEncipherment, keyAgreement
+subjectKeyIdentifier            = hash
+authorityKeyIdentifier          = keyid, issuer:always
+subjectAltName			= DNS:$ENV::COMMON_NAME
+#extendedKeyUsage		= OCSPSigning
+extendedKeyUsage		= serverAuth
+crlDistributionPoints          	= URI:http://crl.strongswan.org/strongswan_rfc3779.crl
+
+sbgp-ipAddrBlock = critical, @host-addr-section
+
+[host-addr-section]
+
+IPv4.0 = 192.168.0.2
+IPv4.1 = 10.2.0.0/16
+IPv6.0 = fec0::2
+IPv6.1 = fec2::/16
+
+####################################################################
+
+[ user_ext ]
+
+basicConstraints		= CA:FALSE
+keyUsage                        = digitalSignature, keyEncipherment, keyAgreement
+subjectKeyIdentifier            = hash
+authorityKeyIdentifier          = keyid, issuer:always
+subjectAltName                  = email:$ENV::COMMON_NAME 
+#authorityInfoAccess		= OCSP;URI:http://ocsp.strongswan.org:8880
+crlDistributionPoints          	= URI:http://crl.strongswan.org/strongswan_rfc3779.crl
+
+#sbgp-ipAddrBlock = critical, IPv4:192.168.0.0/24, IPv6:inherit
+
+sbgp-ipAddrBlock = critical, @user-addr-section
+
+[user-addr-section]
+
+IPv4.0 = 192.168.0.200
+IPv4.1 = 10.3.0.2
+IPv6.0 = fec0::20
+
+####################################################################
+
+[ ca_ext ]
+
+basicConstraints               	= critical, CA:TRUE, pathlen:1
+keyUsage                        = cRLSign, keyCertSign
+subjectKeyIdentifier		= hash
+authorityKeyIdentifier		= keyid, issuer:always
+
+sbgp-ipAddrBlock = critical, @ca-addr-section
+
+[ca-addr-section]
+
+IPv4.0 = 192.168.0.0/24
+IPv4.1 = 10.1.0.0/16
+IPv4.2 = 10.2.0.0/16
+IPv4.3 = 10.3.0.1 - 10.3.3.232
+IPv6.0 = fec0::/16
+IPv6.1 = fec1::/16
+IPv6.2 = fec2::/16
+
+####################################################################
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+#issuerAltName			= issuer:copy
+authorityKeyIdentifier		= keyid:always, issuer:always
+
+# eof
diff --git a/testing/hosts/winnetou/etc/openssl/rfc3779/serial b/testing/hosts/winnetou/etc/openssl/rfc3779/serial
new file mode 100644
index 000000000..eeee65ec4
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/rfc3779/serial
@@ -0,0 +1 @@
+05
diff --git a/testing/hosts/winnetou/etc/openssl/rfc3779/serial.old b/testing/hosts/winnetou/etc/openssl/rfc3779/serial.old
new file mode 100644
index 000000000..64969239d
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/rfc3779/serial.old
@@ -0,0 +1 @@
+04
diff --git a/testing/hosts/winnetou/etc/openssl/rfc3779/strongswanCert.pem b/testing/hosts/winnetou/etc/openssl/rfc3779/strongswanCert.pem
new file mode 100644
index 000000000..8e872d89f
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/rfc3779/strongswanCert.pem
@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----
+MIIEXTCCA0WgAwIBAgIJAPKv5keyTotGMA0GCSqGSIb3DQEBCwUAMFoxCzAJBgNV
+BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRAwDgYDVQQLEwdSRkMz
+Nzc5MR4wHAYDVQQDExVzdHJvbmdTd2FuIFJGQzM3NzkgQ0EwHhcNMDkxMjIzMTMz
+MDUwWhcNMTkxMjIxMTMzMDUwWjBaMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGlu
+dXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwGA1UEAxMVc3Ryb25n
+U3dhbiBSRkMzNzc5IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
+zP4z54hRFM3bg0WWxpa9yBh8CrloV8wWd3YQR9daJjErXdZfbnECZqoK5obWPkQJ
+Cp2xGijnB5CDxvAdiFANgNxDeDuAD5jGzQALWVYgbhQ/y4qRw49IPs9k+Uf1OHVr
+b3qP8uSvWEmb1SlAJ24PGChB8Y5NwJJzFY5P0TJI/Zg3zgbLTsbgiplImgi/ZG7Y
+GE/DCb6UAzcRwE2y41U4ZVG86UW2ARnvOCXJZHdt16O3KzUJ78BA1IgMsNZs8cQF
+Avg1ZAUJW6oMLXu2XCwKOKTwJxdA2wpYadus2KEY/UyVovHSpyBa/zzSDXsP01PU
+EKNZhloVQVt9NX3MCUItfQIDAQABo4IBJDCCASAwEgYDVR0TAQH/BAgwBgEB/wIB
+ATALBgNVHQ8EBAMCAQYwHQYDVR0OBBYEFCF/p+s30KMLH6HcQgYeEV880hAUMIGM
+BgNVHSMEgYQwgYGAFCF/p+s30KMLH6HcQgYeEV880hAUoV6kXDBaMQswCQYDVQQG
+EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3
+OTEeMBwGA1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBggkA8q/mR7JOi0YwTwYI
+KwYBBQUHAQcBAf8EQDA+MCgEAgABMCIwCgMDAAoBAwMACgIwDgMFAAoDAAEDBQAK
+AwPoAwQAwKgAMBIEAgACMAwwCgMDBv7AAwMA/sIwDQYJKoZIhvcNAQELBQADggEB
+ABXhehDhC9jLipmZbP9r2t8ARjIjeHUk5UIX3sW9pKlwuOiFy/oEmJD72LYSPDFm
+uKK4NDAllhJWKw1KA1j1h1NxE6tEjQTpj9mizjULI6T1HPWyn5E93vqFIK71k4ud
+rxZXyq7fPrXM2QVKHpiT1DlAcopGe92Vxo0qooYEXIHd6XwVftSIo/1bi08p8jZS
+Oc+kjoOKkfqmBSKpqYzTtlbafdVOPBAEaTa3k516ks3bDQn3gtU+2ucNB3fIvVVA
+MI2//EaIMBIXorpcnOU3ja0nYCAf9kHAybRpBObWt7OLKFHcSatdE9El4Ri3YeJX
+fN8iF5kHn7S+Nd9ZFlf3S1w=
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/rfc3779/strongswanKey.pem b/testing/hosts/winnetou/etc/openssl/rfc3779/strongswanKey.pem
new file mode 100644
index 000000000..95897a2fe
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/rfc3779/strongswanKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAzP4z54hRFM3bg0WWxpa9yBh8CrloV8wWd3YQR9daJjErXdZf
+bnECZqoK5obWPkQJCp2xGijnB5CDxvAdiFANgNxDeDuAD5jGzQALWVYgbhQ/y4qR
+w49IPs9k+Uf1OHVrb3qP8uSvWEmb1SlAJ24PGChB8Y5NwJJzFY5P0TJI/Zg3zgbL
+TsbgiplImgi/ZG7YGE/DCb6UAzcRwE2y41U4ZVG86UW2ARnvOCXJZHdt16O3KzUJ
+78BA1IgMsNZs8cQFAvg1ZAUJW6oMLXu2XCwKOKTwJxdA2wpYadus2KEY/UyVovHS
+pyBa/zzSDXsP01PUEKNZhloVQVt9NX3MCUItfQIDAQABAoIBAQC4iI1I/BmhVL8q
+qNZV5xTor8HaFZWsk3gWCh4VzfLFNrYHPxehX/H9YU12wCLU4oIRIGtxVSjEUn+N
+8lFjiEzfl2jVLxrU737mxAdzYGjJL0lOfWtCVBWBFUmcbf592JXiQL6ctOhz3a9+
+cCfkVtsXsAXM4YF0vWEEIpwPgeja/zKX9M0vRBgIfXdeh2cYQKDGxmEspbfMnTyW
+XVGmTbgDHQGkvN88OyJEOPulYwmZ1BgsQ2buQgR6OlxzulUmH1VOO+Xm8O6rA0Qn
+SjQRd6Q38KLPSEKXucHUIzpQemGdar3ziUoCgUiHJkl79h50W+WIIZTNv1LUR48u
+u14aT5eBAoGBAPZDaOK7/w5639WBG84iqLDMiFIuzKADjxrQqmVJXXH3nf1wnS93
+Iy9iAelUmq/He6aruvLJf8GdkFfC/sj4vdnlbvtT1wHiFznLxO49craxgr1J0SXO
+HLE5RvyrJrAArWQr33oy6YSOMob95imK58kwMwfpoQuWK3CZaVdMfbzFAoGBANUZ
+Ebo/N8bl9Opo/81zYcFpkUlxBP3vJR8aJ5Bx/0fbXCSwvt1AEHqnYiLBStfMyUTC
+N4MWCUoZ1H6yRyxqPg+QFnYFCqX/Y3DFhkV5d9kTRWvzxc+mumh81+bRsNU6AyxD
+9VFWpAkSA+K8IWCjx5fQ+jeLc7GQ1EjYpSiaEClZAoGBALL6tS0ssyfD+BBFQH8l
+w3KThHQuXTviukwj4eOxWX/uFl5PTX5k2Saj1X3OpoogsmalIz83YWnHaVPPfbt0
+xQ6raGizO22782NnDJ6V/Fx5UOrfzmjqjwHi/gu/HGQIafyGwmoevIdBjcl8mJ4S
+vXkEVeJnU0uHfdTdOqlfB3d9AoGALimZGoSZW5/zF1iZmXMWSSTKUWOHVk8Y9oze
+5z6as4FEi7oyDpHTQA7Ehozi3q7BJwD/r4j1iDTiQHP0UR3OxeZLx1M+REl3zDUt
+6hzvJnozPrh3MI2IshvhVWI1cWt4xn0ORomDTWe2qcZhYKL6GNwvaBrwfBXItuMf
+nBULzTkCgYAcK5LKu6dwUlnv9iro6Jff24qb3P32HdSC2uZTZMcaTXqqUBO/lST2
+elKAHqQxjGGxFf5buQwfFrOKfNlMhQRHppo2/gJLiiChZ7R3GaF49f/4I5YJOo2a
+k/bv70YB3Zf/8p+ip9w9H6N65YAyvzu5yUfoFXgKQQNv0y0B5rtZsw==
+-----END RSA PRIVATE KEY-----
diff --git a/testing/hosts/winnetou/etc/openssl/serial b/testing/hosts/winnetou/etc/openssl/serial
index b6a7d89c6..33c1ce6c7 100644
--- a/testing/hosts/winnetou/etc/openssl/serial
+++ b/testing/hosts/winnetou/etc/openssl/serial
@@ -1 +1 @@
-16
+1F
diff --git a/testing/hosts/winnetou/etc/openssl/serial.old b/testing/hosts/winnetou/etc/openssl/serial.old
index 60d3b2f4a..e28e17eb7 100644
--- a/testing/hosts/winnetou/etc/openssl/serial.old
+++ b/testing/hosts/winnetou/etc/openssl/serial.old
@@ -1 +1 @@
-15
+1E
diff --git a/testing/hosts/winnetou/etc/openssl/strongswanCert.pem b/testing/hosts/winnetou/etc/openssl/strongswanCert.pem
index 0de3b268d..0865ad22e 100644
--- a/testing/hosts/winnetou/etc/openssl/strongswanCert.pem
+++ b/testing/hosts/winnetou/etc/openssl/strongswanCert.pem
@@ -1,7 +1,7 @@
 -----BEGIN CERTIFICATE-----
-MIIDtTCCAp2gAwIBAgIBADANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
+MIIDuDCCAqCgAwIBAgIBADANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA0MDkxMDExMDE0NVoXDTE0MDkwODExMDE0NVowRTELMAkGA1UE
+b290IENBMB4XDTA0MDkxMDEwMDExOFoXDTE5MDkwNzEwMDExOFowRTELMAkGA1UE
 BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9u
 Z1N3YW4gUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL/y
 X2LqPVZuWLPIeknK86xhz6ljd3NNhC2z+P1uoCP3sBMuZiZQEjFzhnKcbXxCeo2f
@@ -9,14 +9,14 @@ FnvhOOjrrisSuVkzuu82oxXD3fIkzuS7m9V4E10EZzgmKWIf+WuNRfbgAuUINmLc
 4YGAXBQLPyzpP4Ou48hhz/YQo58Bics6PHy5v34qCVROIXDvqhj91P8g+pS+F21/
 7P+CH2jRcVIEHZtG8M/PweTPQ95dPzpYd2Ov6SZ/U7EWmbMmT8VcUYn1aChxFmy5
 gweVBWlkH6MP+1DeE0/tL5c87xo5KCeGK8Tdqpe7sBRC4pPEEHDQciTUvkeuJ1Pr
-K+1LwdqRxo7HgMRiDw8CAwEAAaOBrzCBrDAPBgNVHRMBAf8EBTADAQH/MAsGA1Ud
-DwQEAwIBBjAdBgNVHQ4EFgQUXafdcAZRMn7ntm2zteXgYOouTe8wbQYDVR0jBGYw
-ZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYD
-VQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3Qg
-Q0GCAQAwDQYJKoZIhvcNAQEEBQADggEBAJrXTj5gWS37myHHhii9drYwkMFyDHS/
-lHU8rW/drcnHdus507+qUhNr9SiEAHg4Ywj895UDvT0a1sFaw44QyEa/94iKA8/n
-+g5kS1IrKvWu3wu8UI3EgzChgHV3cncQlQWbK+FI9Y3Ax1O1np1r+wLptoWpKKKE
-UxsYcxP9K4Nbyeon0AIHOajUheiL3t6aRc3m0o7VU7Do6S2r+He+1Zq/nRUfFeTy
-0Atebkn8tmUpPSKWaXkmwpVNrjZ1Qu9umAU+dtJyhzL2zmnyhPC4VqpsKCOp7imy
-gKZvUIKPm1zyf4T+yjwxwkiX2xVseoM3aKswb1EoZFelHwndU7u0GQ8=
+K+1LwdqRxo7HgMRiDw8CAwEAAaOBsjCBrzASBgNVHRMBAf8ECDAGAQH/AgEBMAsG
+A1UdDwQEAwIBBjAdBgNVHQ4EFgQUXafdcAZRMn7ntm2zteXgYOouTe8wbQYDVR0j
+BGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNIMRkw
+FwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJv
+b3QgQ0GCAQAwDQYJKoZIhvcNAQELBQADggEBACOSmqEBtBLR9aV3UyCI8gmzR5in
+Lte9aUXXS+qis6F2h2Stf4sN+Nl6Gj7REC6SpfEH4wWdwiUL5J0CJhyoOjQuDl3n
+1Dw3dE4/zqMZdyDKEYTU75TmvusNJBdGsLkrf7EATAjoi/nrTOYPPhSUZvPp/D+Y
+vORJ9Ej51GXlK1nwEB5iA8+tDYniNQn6BD1MEgIejzK+fbiy7braZB1kqhoEr2Si
+7luBSnU912sw494E88a2EWbmMvg2TVHPNzCpVkpNk7kifCiwmw9VldkqYy9y/lCa
+Epyp7lTfKw7cbD04Vk8QJW782L6Csuxkl346b17wmOqn8AZips3tFsuAY3w=
 -----END CERTIFICATE-----
diff --git a/testing/scripts/build-umlrootfs b/testing/scripts/build-umlrootfs
index 30dfc00ef..4a561b857 100755
--- a/testing/scripts/build-umlrootfs
+++ b/testing/scripts/build-umlrootfs
@@ -141,6 +141,7 @@ fi
 if [ "$USE_EAP_AKA" = "yes" ]
 then
     echo -n " --enable-eap-aka" >> $INSTALLSHELL
+    echo -n " --enable-eap-aka-3gpp2" >> $INSTALLSHELL
 fi
 
 if [ "$USE_EAP_SIM" = "yes" ]
diff --git a/testing/testing.conf b/testing/testing.conf
index 1a62d7cac..e86f60ae2 100755
--- a/testing/testing.conf
+++ b/testing/testing.conf
@@ -19,19 +19,19 @@ UMLTESTDIR=~/strongswan-testing
 
 # Bzipped kernel sources
 # (file extension .tar.bz2 required)
-KERNEL=$UMLTESTDIR/linux-2.6.30.2.tar.bz2
+KERNEL=$UMLTESTDIR/linux-2.6.31.5.tar.bz2
 
 # Extract kernel version
 KERNELVERSION=`basename $KERNEL .tar.bz2 | sed -e 's/linux-//'`
 
 # Kernel configuration file
-KERNELCONFIG=$UMLTESTDIR/.config-2.6.30
+KERNELCONFIG=$UMLTESTDIR/.config-2.6.31
 
 # Bzipped uml patch for kernel
 #UMLPATCH=$UMLTESTDIR/aead_init.patch.bz2
 
 # Bzipped source of strongSwan
-STRONGSWAN=$UMLTESTDIR/strongswan-4.3.4.tar.bz2
+STRONGSWAN=$UMLTESTDIR/strongswan-4.3.6.tar.bz2
 
 # strongSwan compile options (use "yes" or "no")
 USE_LIBCURL="yes"
diff --git a/testing/tests/gcrypt-ikev1/alg-camellia/description.txt b/testing/tests/gcrypt-ikev1/alg-camellia/description.txt
new file mode 100644
index 000000000..a9633ee84
--- /dev/null
+++ b/testing/tests/gcrypt-ikev1/alg-camellia/description.txt
@@ -0,0 +1,4 @@
+Roadwarrior <b>carol</b> proposes  to gateway <b>moon</b> the cipher suite
+<b>CAMELLIA_CBC_128 / HMAC_SHA2_256 / MODP_2048</b> for the IKE protocol and 
+<b>CAMELLIA_CBC_128 / HMAC_SHA2_256_128 </b> for ESP packets. A ping from <b>carol</b> to
+<b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/gcrypt-ikev1/alg-camellia/evaltest.dat b/testing/tests/gcrypt-ikev1/alg-camellia/evaltest.dat
new file mode 100644
index 000000000..93f82906e
--- /dev/null
+++ b/testing/tests/gcrypt-ikev1/alg-camellia/evaltest.dat
@@ -0,0 +1,11 @@
+carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
+moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
+carol::ipsec statusall::IKE proposal: CAMELLIA_CBC_128/HMAC_SHA2_256/MODP_2048::YES
+moon::ipsec statusall::IKE proposal: CAMELLIA_CBC_128/HMAC_SHA2_256/MODP_2048::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ipsec statusall::ESP proposal: CAMELLIA_CBC_128/HMAC_SHA2_256::YES
+moon::ipsec statusall::ESP proposal: CAMELLIA_CBC_128/HMAC_SHA2_256::YES
+carol::ip xfrm state::enc cbc(camellia)::YES
+moon::ip xfrm state::enc cbc(camellia)::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 200::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 200::YES
diff --git a/testing/tests/gcrypt-ikev1/alg-camellia/hosts/carol/etc/ipsec.conf b/testing/tests/gcrypt-ikev1/alg-camellia/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..a24c69735
--- /dev/null
+++ b/testing/tests/gcrypt-ikev1/alg-camellia/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutodebug="control crypt"
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	charonstart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	ike=camellia128-sha256-modp2048!
+	esp=camellia128-sha256!
+
+conn home
+	left=PH_IP_CAROL
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
diff --git a/testing/tests/gcrypt-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..afc3806b5
--- /dev/null
+++ b/testing/tests/gcrypt-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = pem pkcs1 x509 gcrypt hmac curl
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/gcrypt-ikev1/alg-camellia/hosts/moon/etc/ipsec.conf b/testing/tests/gcrypt-ikev1/alg-camellia/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..a8e09f8ff
--- /dev/null
+++ b/testing/tests/gcrypt-ikev1/alg-camellia/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutodebug="control crypt"
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	charonstart=no
+       
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	ike=camellia128-sha256-modp2048!
+	esp=camellia128-sha256!
+
+conn rw
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	right=%any
+	rightid=carol@strongswan.org
+	auto=add
diff --git a/testing/tests/gcrypt-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..afc3806b5
--- /dev/null
+++ b/testing/tests/gcrypt-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = pem pkcs1 x509 gcrypt hmac curl
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/gcrypt-ikev1/alg-camellia/posttest.dat b/testing/tests/gcrypt-ikev1/alg-camellia/posttest.dat
new file mode 100644
index 000000000..c6d6235f9
--- /dev/null
+++ b/testing/tests/gcrypt-ikev1/alg-camellia/posttest.dat
@@ -0,0 +1,2 @@
+moon::ipsec stop
+carol::ipsec stop
diff --git a/testing/tests/gcrypt-ikev1/alg-camellia/pretest.dat b/testing/tests/gcrypt-ikev1/alg-camellia/pretest.dat
new file mode 100644
index 000000000..6d2eeb5f9
--- /dev/null
+++ b/testing/tests/gcrypt-ikev1/alg-camellia/pretest.dat
@@ -0,0 +1,5 @@
+moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+carol::ipsec start
+moon::ipsec start
+carol::sleep 2 
+carol::ipsec up home
diff --git a/testing/tests/gcrypt-ikev1/alg-camellia/test.conf b/testing/tests/gcrypt-ikev1/alg-camellia/test.conf
new file mode 100644
index 000000000..fd33cfb57
--- /dev/null
+++ b/testing/tests/gcrypt-ikev1/alg-camellia/test.conf
@@ -0,0 +1,22 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
diff --git a/testing/tests/gcrypt-ikev1/alg-serpent/description.txt b/testing/tests/gcrypt-ikev1/alg-serpent/description.txt
index 604fb45df..982efa5ea 100644
--- a/testing/tests/gcrypt-ikev1/alg-serpent/description.txt
+++ b/testing/tests/gcrypt-ikev1/alg-serpent/description.txt
@@ -1,4 +1,4 @@
 Roadwarrior <b>carol</b> proposes  to gateway <b>moon</b> the strong cipher suite
 <b>SERPENT_CBC_256 / HMAC_SHA2_512 / MODP_4096</b> for the IKE protocol and 
-<b>SERPENT_CBC_256 / HMAC_SHA2_256 </b> for ESP packets. A ping from <b>carol</b> to
+<b>SERPENT_CBC_256 / HMAC_SHA2_512_256 </b> for ESP packets. A ping from <b>carol</b> to
 <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/gcrypt-ikev1/alg-serpent/evaltest.dat b/testing/tests/gcrypt-ikev1/alg-serpent/evaltest.dat
index 2be8f675f..d9964314b 100644
--- a/testing/tests/gcrypt-ikev1/alg-serpent/evaltest.dat
+++ b/testing/tests/gcrypt-ikev1/alg-serpent/evaltest.dat
@@ -2,9 +2,10 @@ carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
 moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
 carol::ipsec statusall::IKE proposal: SERPENT_CBC_256/HMAC_SHA2_512/MODP_4096::YES
 moon::ipsec statusall::IKE proposal: SERPENT_CBC_256/HMAC_SHA2_512/MODP_4096::YES
-carol::ipsec statusall::ESP proposal: SERPENT_CBC_256/HMAC_SHA2_256::YES
-moon::ipsec statusall::ESP proposal: SERPENT_CBC_256/HMAC_SHA2_256::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ipsec statusall::ESP proposal: SERPENT_CBC_256/HMAC_SHA2_512::YES
+moon::ipsec statusall::ESP proposal: SERPENT_CBC_256/HMAC_SHA2_512::YES
 carol::ip xfrm state::enc cbc(serpent)::YES
 moon::ip xfrm state::enc cbc(serpent)::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 216::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 216::YES
diff --git a/testing/tests/gcrypt-ikev1/alg-serpent/hosts/carol/etc/ipsec.conf b/testing/tests/gcrypt-ikev1/alg-serpent/hosts/carol/etc/ipsec.conf
index b050f022a..0848c3696 100755
--- a/testing/tests/gcrypt-ikev1/alg-serpent/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/gcrypt-ikev1/alg-serpent/hosts/carol/etc/ipsec.conf
@@ -12,7 +12,7 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	ike=serpent256-sha2_512-modp4096!
-	esp=serpent256-sha2_256!
+	esp=serpent256-sha2_512!
 
 conn home
 	left=PH_IP_CAROL
diff --git a/testing/tests/gcrypt-ikev1/alg-serpent/hosts/carol/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/alg-serpent/hosts/carol/etc/strongswan.conf
index 0c6fd2c9f..afc3806b5 100644
--- a/testing/tests/gcrypt-ikev1/alg-serpent/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/gcrypt-ikev1/alg-serpent/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = gcrypt hmac pubkey curl
+  load = pem pkcs1 x509 gcrypt hmac curl
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/gcrypt-ikev1/alg-serpent/hosts/moon/etc/ipsec.conf b/testing/tests/gcrypt-ikev1/alg-serpent/hosts/moon/etc/ipsec.conf
index 75830f043..05edfc7d0 100755
--- a/testing/tests/gcrypt-ikev1/alg-serpent/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/gcrypt-ikev1/alg-serpent/hosts/moon/etc/ipsec.conf
@@ -12,7 +12,7 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	ike=serpent256-sha2_512-modp4096!
-	esp=serpent256-sha2_256!
+	esp=serpent256-sha2_512!
 
 conn rw
 	left=PH_IP_MOON
diff --git a/testing/tests/gcrypt-ikev1/alg-serpent/hosts/moon/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/alg-serpent/hosts/moon/etc/strongswan.conf
index 0c6fd2c9f..afc3806b5 100644
--- a/testing/tests/gcrypt-ikev1/alg-serpent/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/gcrypt-ikev1/alg-serpent/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = gcrypt hmac pubkey curl
+  load = pem pkcs1 x509 gcrypt hmac curl
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/gcrypt-ikev1/alg-serpent/test.conf b/testing/tests/gcrypt-ikev1/alg-serpent/test.conf
index a6c8f026c..fd33cfb57 100644
--- a/testing/tests/gcrypt-ikev1/alg-serpent/test.conf
+++ b/testing/tests/gcrypt-ikev1/alg-serpent/test.conf
@@ -13,7 +13,7 @@ DIAGRAM="m-c-w.png"
 
 # UML instances on which tcpdump is to be started
 #
-TCPDUMPHOSTS=""
+TCPDUMPHOSTS="moon"
 
 # UML instances on which IPsec is started
 # Used for IPsec logging purposes
diff --git a/testing/tests/gcrypt-ikev1/alg-twofish/description.txt b/testing/tests/gcrypt-ikev1/alg-twofish/description.txt
index b65ea7b8d..f3fc61fe6 100644
--- a/testing/tests/gcrypt-ikev1/alg-twofish/description.txt
+++ b/testing/tests/gcrypt-ikev1/alg-twofish/description.txt
@@ -1,4 +1,4 @@
 Roadwarrior <b>carol</b> proposes  to gateway <b>moon</b> the strong cipher suite
 <b>TWOFISH_CBC_256 / HMAC_SHA2_512 / MODP_4096</b> for the IKE protocol and 
-<b>TWOFISH_CBC_256 / HMAC_SHA2_256</b> for ESP packets. A ping from <b>carol</b> to
+<b>TWOFISH_CBC_256 / HMAC_SHA2_512_256</b> for ESP packets. A ping from <b>carol</b> to
 <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/gcrypt-ikev1/alg-twofish/evaltest.dat b/testing/tests/gcrypt-ikev1/alg-twofish/evaltest.dat
index 34c9d1c65..c69355b81 100644
--- a/testing/tests/gcrypt-ikev1/alg-twofish/evaltest.dat
+++ b/testing/tests/gcrypt-ikev1/alg-twofish/evaltest.dat
@@ -2,9 +2,10 @@ carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
 moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
 carol::ipsec statusall::IKE proposal: TWOFISH_CBC_256/HMAC_SHA2_512/MODP_4096::YES
 moon::ipsec statusall::IKE proposal: TWOFISH_CBC_256/HMAC_SHA2_512/MODP_4096::YES
-carol::ipsec statusall::ESP proposal: TWOFISH_CBC_256/HMAC_SHA2_256::YES
-moon::ipsec statusall::ESP proposal: TWOFISH_CBC_256/HMAC_SHA2_256::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ipsec statusall::ESP proposal: TWOFISH_CBC_256/HMAC_SHA2_512::YES
+moon::ipsec statusall::ESP proposal: TWOFISH_CBC_256/HMAC_SHA2_512::YES
 carol::ip xfrm state::enc cbc(twofish)::YES
 moon::ip xfrm state::enc cbc(twofish)::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 216::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 216::YES
diff --git a/testing/tests/gcrypt-ikev1/alg-twofish/hosts/carol/etc/ipsec.conf b/testing/tests/gcrypt-ikev1/alg-twofish/hosts/carol/etc/ipsec.conf
index 71ed47519..838291f80 100755
--- a/testing/tests/gcrypt-ikev1/alg-twofish/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/gcrypt-ikev1/alg-twofish/hosts/carol/etc/ipsec.conf
@@ -12,7 +12,7 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	ike=twofish256-sha2_512-modp4096!
-	esp=twofish256-sha2_256!
+	esp=twofish256-sha2_512!
 
 conn home
 	left=PH_IP_CAROL
diff --git a/testing/tests/gcrypt-ikev1/alg-twofish/hosts/carol/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/alg-twofish/hosts/carol/etc/strongswan.conf
index 0c6fd2c9f..afc3806b5 100644
--- a/testing/tests/gcrypt-ikev1/alg-twofish/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/gcrypt-ikev1/alg-twofish/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = gcrypt hmac pubkey curl
+  load = pem pkcs1 x509 gcrypt hmac curl
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/gcrypt-ikev1/alg-twofish/hosts/moon/etc/ipsec.conf b/testing/tests/gcrypt-ikev1/alg-twofish/hosts/moon/etc/ipsec.conf
index ba739f887..c2ef12853 100755
--- a/testing/tests/gcrypt-ikev1/alg-twofish/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/gcrypt-ikev1/alg-twofish/hosts/moon/etc/ipsec.conf
@@ -12,7 +12,7 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	ike=twofish256-sha2_512-modp4096!
-	esp=twofish256-sha2_256!
+	esp=twofish256-sha2_512!
 
 conn rw
 	left=PH_IP_MOON
diff --git a/testing/tests/gcrypt-ikev1/alg-twofish/hosts/moon/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/alg-twofish/hosts/moon/etc/strongswan.conf
index 0c6fd2c9f..afc3806b5 100644
--- a/testing/tests/gcrypt-ikev1/alg-twofish/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/gcrypt-ikev1/alg-twofish/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = gcrypt hmac pubkey curl
+  load = pem pkcs1 x509 gcrypt hmac curl
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/gcrypt-ikev1/alg-twofish/test.conf b/testing/tests/gcrypt-ikev1/alg-twofish/test.conf
index a6c8f026c..fd33cfb57 100644
--- a/testing/tests/gcrypt-ikev1/alg-twofish/test.conf
+++ b/testing/tests/gcrypt-ikev1/alg-twofish/test.conf
@@ -13,7 +13,7 @@ DIAGRAM="m-c-w.png"
 
 # UML instances on which tcpdump is to be started
 #
-TCPDUMPHOSTS=""
+TCPDUMPHOSTS="moon"
 
 # UML instances on which IPsec is started
 # Used for IPsec logging purposes
diff --git a/testing/tests/gcrypt-ikev1/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/rw-cert/hosts/carol/etc/strongswan.conf
index 9536a85be..77491cfd8 100644
--- a/testing/tests/gcrypt-ikev1/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/gcrypt-ikev1/rw-cert/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = test-vectors gcrypt pubkey hmac curl
+  load = test-vectors pem pkcs1 x509 gcrypt hmac curl
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/gcrypt-ikev1/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/rw-cert/hosts/dave/etc/strongswan.conf
index 80952cb41..7d8cd1781 100644
--- a/testing/tests/gcrypt-ikev1/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/gcrypt-ikev1/rw-cert/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = test-vectors aes des sha1 sha2 md5 gmp pubkey random hmac curl
+  load = test-vectors aes des sha1 sha2 md5 pem pkcs1 x509 gmp random hmac curl
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/gcrypt-ikev1/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/rw-cert/hosts/moon/etc/strongswan.conf
index 9536a85be..77491cfd8 100644
--- a/testing/tests/gcrypt-ikev1/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/gcrypt-ikev1/rw-cert/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = test-vectors gcrypt pubkey hmac curl
+  load = test-vectors pem pkcs1 x509 gcrypt hmac curl
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/evaltest.dat b/testing/tests/gcrypt-ikev2/alg-camellia/evaltest.dat
index aad3becc7..d77c4806e 100644
--- a/testing/tests/gcrypt-ikev2/alg-camellia/evaltest.dat
+++ b/testing/tests/gcrypt-ikev2/alg-camellia/evaltest.dat
@@ -2,8 +2,10 @@ moon::ipsec statusall::rw.*INSTALLED::YES
 carol::ipsec statusall::home.*INSTALLED::YES
 moon::ipsec statusall::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES
 carol::ipsec statusall::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
 moon::ipsec statusall::CAMELLIA_CBC_192/HMAC_SHA1_96::YES
 carol::ipsec statusall::CAMELLIA_CBC_192/HMAC_SHA1_96::YES
 moon::ip xfrm state::enc cbc(camellia)::YES
 carol::ip xfrm state::enc cbc(camellia)::YES
-carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 196::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 196::YES
diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf
index 70c473005..586a3dc5e 100644
--- a/testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl gcrypt x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl pem pkcs1 gcrypt x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf
index 70c473005..586a3dc5e 100644
--- a/testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl gcrypt x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl pem pkcs1 gcrypt x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/test.conf b/testing/tests/gcrypt-ikev2/alg-camellia/test.conf
index 2b240d895..acb73b06f 100644
--- a/testing/tests/gcrypt-ikev2/alg-camellia/test.conf
+++ b/testing/tests/gcrypt-ikev2/alg-camellia/test.conf
@@ -13,7 +13,7 @@ DIAGRAM="m-c-w.png"
 
 # UML instances on which tcpdump is to be started
 #
-TCPDUMPHOSTS=""
+TCPDUMPHOSTS="moon"
 
 # UML instances on which IPsec is started
 # Used for IPsec logging purposes
diff --git a/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
index 6cf472ed3..b15a55fa5 100644
--- a/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors gcrypt x509 pubkey hmac stroke kernel-netlink updown
+  load = curl test-vectors pem pkcs1 gcrypt x509 hmac stroke kernel-netlink updown
 }
 
 libstrongswan {
diff --git a/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
index b946aa004..ab6f08e2d 100644
--- a/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors aes des sha1 sha2 md5 gmp random x509 pubkey hmac stroke kernel-netlink updown
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac stroke kernel-netlink updown
 }
 
 libstrongswan {
diff --git a/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
index 6cf472ed3..b15a55fa5 100644
--- a/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors gcrypt x509 pubkey hmac stroke kernel-netlink updown
+  load = curl test-vectors pem pkcs1 gcrypt x509 hmac stroke kernel-netlink updown
 }
 
 libstrongswan {
diff --git a/testing/tests/ike/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ike/rw-cert/hosts/carol/etc/strongswan.conf
index ac4b8d589..c2d2b14ac 100644
--- a/testing/tests/ike/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ike/rw-cert/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = test-vectors sha1 sha2 md5 aes des hmac gmp pubkey random curl
+  load = test-vectors sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ike/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/ike/rw-cert/hosts/dave/etc/strongswan.conf
index 263978c99..6f4ec2510 100644
--- a/testing/tests/ike/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ike/rw-cert/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
 }
 
 libstrongswan {
diff --git a/testing/tests/ike/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ike/rw-cert/hosts/moon/etc/strongswan.conf
index 147e381b1..ff3faf993 100644
--- a/testing/tests/ike/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ike/rw-cert/hosts/moon/etc/strongswan.conf
@@ -1,11 +1,11 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors aes des sha1 sha2 md5 gmp random pubkey hmac x509 xcbc stroke kernel-netlink
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random hmac x509 xcbc stroke kernel-netlink
 }
 
 pluto {
-  load = curl test-vectors aes des sha1 sha2 md5 gmp random pubkey hmac
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 x509 gmp random hmac
 }
 
 libstrongswan {
diff --git a/testing/tests/ike/rw_v1-net_v2/hosts/moon/etc/strongswan.conf b/testing/tests/ike/rw_v1-net_v2/hosts/moon/etc/strongswan.conf
index 8dcb265b7..cf4893014 100644
--- a/testing/tests/ike/rw_v1-net_v2/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ike/rw_v1-net_v2/hosts/moon/etc/strongswan.conf
@@ -1,9 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random pubkey hmac x509 xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random hmac x509 xcbc stroke kernel-netlink
 }
 
 pluto {
-  load = curl aes des sha1 sha2 md5 gmp random pubkey hmac
+  load = curl aes des sha1 sha2 md5 pem pkcs1 x509 gmp random hmac
 }
diff --git a/testing/tests/ike/rw_v1-net_v2/hosts/sun/etc/strongswan.conf b/testing/tests/ike/rw_v1-net_v2/hosts/sun/etc/strongswan.conf
index ef63f7262..572cf39cb 100644
--- a/testing/tests/ike/rw_v1-net_v2/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ike/rw_v1-net_v2/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev1/alg-blowfish/description.txt b/testing/tests/ikev1/alg-blowfish/description.txt
index 7d8f245ab..7b14287f7 100644
--- a/testing/tests/ikev1/alg-blowfish/description.txt
+++ b/testing/tests/ikev1/alg-blowfish/description.txt
@@ -1,4 +1,4 @@
 Roadwarrior <b>carol</b> proposes  to gateway <b>moon</b> the strong cipher suite
 <b>BLOWFISH_CBC_256 / HMAC_SHA2_512 / MODP_4096</b> for the IKE protocol and 
-<b>BLOWFISH_CBC_256 / HMAC_SHA2_256</b> for ESP packets. A ping from <b>carol</b> to
+<b>BLOWFISH_CBC_256 / HMAC_SHA2_512</b> for ESP packets. A ping from <b>carol</b> to
 <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev1/alg-blowfish/evaltest.dat b/testing/tests/ikev1/alg-blowfish/evaltest.dat
index fd46cdb9d..4ea613d3d 100644
--- a/testing/tests/ikev1/alg-blowfish/evaltest.dat
+++ b/testing/tests/ikev1/alg-blowfish/evaltest.dat
@@ -2,9 +2,10 @@ carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
 moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
 carol::ipsec statusall::IKE proposal: BLOWFISH_CBC_256/HMAC_SHA2_512/MODP_4096::YES
 moon::ipsec statusall::IKE proposal: BLOWFISH_CBC_256/HMAC_SHA2_512/MODP_4096::YES
-carol::ipsec statusall::ESP proposal: BLOWFISH_CBC_256/HMAC_SHA2_256::YES
-moon::ipsec statusall::ESP proposal: BLOWFISH_CBC_256/HMAC_SHA2_256::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ipsec statusall::ESP proposal: BLOWFISH_CBC_256/HMAC_SHA2_512::YES
+moon::ipsec statusall::ESP proposal: BLOWFISH_CBC_256/HMAC_SHA2_512::YES
 carol::ip xfrm state::enc cbc(blowfish)::YES
 moon::ip xfrm state::enc cbc(blowfish)::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 200::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 200::YES
diff --git a/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/ipsec.conf
index 175349c41..3517077f9 100755
--- a/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/ipsec.conf
@@ -12,7 +12,7 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	ike=blowfish256-sha2_512-modp4096!
-	esp=blowfish256-sha2_256!
+	esp=blowfish256-sha2_512!
 
 conn home
 	left=PH_IP_CAROL
diff --git a/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/strongswan.conf
index f5401f260..28dd532b3 100644
--- a/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des blowfish hmac gmp pubkey random curl
+  load = sha1 sha2 md5 aes des blowfish hmac pem pkcs1 x509 gmp random curl
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/ipsec.conf
index 89dbee0af..1b4cca222 100755
--- a/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/ipsec.conf
@@ -12,7 +12,7 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	ike=blowfish256-sha2_512-modp4096!
-	esp=blowfish256-sha2_256!
+	esp=blowfish256-sha2_512!
 
 conn rw
 	left=PH_IP_MOON
diff --git a/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/strongswan.conf
index f5401f260..28dd532b3 100644
--- a/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des blowfish hmac gmp pubkey random curl
+  load = sha1 sha2 md5 aes des blowfish hmac pem pkcs1 x509 gmp random curl
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/alg-blowfish/pretest.dat b/testing/tests/ikev1/alg-blowfish/pretest.dat
index 6d2eeb5f9..5e1e80e1d 100644
--- a/testing/tests/ikev1/alg-blowfish/pretest.dat
+++ b/testing/tests/ikev1/alg-blowfish/pretest.dat
@@ -3,3 +3,4 @@ carol::ipsec start
 moon::ipsec start
 carol::sleep 2 
 carol::ipsec up home
+carol::sleep 1
diff --git a/testing/tests/ikev1/alg-blowfish/test.conf b/testing/tests/ikev1/alg-blowfish/test.conf
index a6c8f026c..fd33cfb57 100644
--- a/testing/tests/ikev1/alg-blowfish/test.conf
+++ b/testing/tests/ikev1/alg-blowfish/test.conf
@@ -13,7 +13,7 @@ DIAGRAM="m-c-w.png"
 
 # UML instances on which tcpdump is to be started
 #
-TCPDUMPHOSTS=""
+TCPDUMPHOSTS="moon"
 
 # UML instances on which IPsec is started
 # Used for IPsec logging purposes
diff --git a/testing/tests/ikev1/alg-sha256-96/description.txt b/testing/tests/ikev1/alg-sha256-96/description.txt
new file mode 100644
index 000000000..c5ab23e51
--- /dev/null
+++ b/testing/tests/ikev1/alg-sha256-96/description.txt
@@ -0,0 +1,5 @@
+Roadwarrior <b>carol</b> proposes  to gateway <b>moon</b> the ESP cipher suite
+<b>AES_CBC_128 / HMAC_SHA2_256_96</b> with 96 bit instead of the standard 128 bit
+truncation, allowing compatibility with Linux kernels older than 2.6.33
+by defining <b>esp=aes128-sha256_96!</b> in ipsec.conf.
+A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev1/alg-sha256-96/evaltest.dat b/testing/tests/ikev1/alg-sha256-96/evaltest.dat
new file mode 100644
index 000000000..6e8715b1f
--- /dev/null
+++ b/testing/tests/ikev1/alg-sha256-96/evaltest.dat
@@ -0,0 +1,12 @@
+carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
+moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
+carol::ipsec statusall::IKE proposal: AES_CBC_128/HMAC_SHA2_256/MODP_2048::YES
+moon::ipsec statusall::IKE proposal: AES_CBC_128/HMAC_SHA2_256/MODP_2048::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ipsec statusall::ESP proposal: AES_CBC_128/HMAC_SHA2_256::YES
+moon::ipsec statusall::ESP proposal: AES_CBC_128/HMAC_SHA2_256::YES
+carol::ip xfrm state::auth hmac(sha256)::YES
+moon::ip xfrm state::auth hmac(sha256)::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 196::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 196::YES
+
diff --git a/testing/tests/ikev1/alg-sha256-96/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/alg-sha256-96/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..2611115cd
--- /dev/null
+++ b/testing/tests/ikev1/alg-sha256-96/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutodebug="control crypt"
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	charonstart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	ike=aes128-sha256-modp2048!
+	esp=aes128-sha256_96!
+
+conn home
+	left=PH_IP_CAROL
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
diff --git a/testing/tests/ikev1/alg-sha256-96/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/alg-sha256-96/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..758c7a29a
--- /dev/null
+++ b/testing/tests/ikev1/alg-sha256-96/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutodebug="control crypt"
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	charonstart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	ike=aes128-sha256-modp2048!
+	esp=aes128-sha256_96!
+
+conn rw
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	right=%any
+	rightid=carol@strongswan.org
+	auto=add
diff --git a/testing/tests/ikev1/alg-sha256-96/posttest.dat b/testing/tests/ikev1/alg-sha256-96/posttest.dat
new file mode 100644
index 000000000..c6d6235f9
--- /dev/null
+++ b/testing/tests/ikev1/alg-sha256-96/posttest.dat
@@ -0,0 +1,2 @@
+moon::ipsec stop
+carol::ipsec stop
diff --git a/testing/tests/ikev1/alg-sha256-96/pretest.dat b/testing/tests/ikev1/alg-sha256-96/pretest.dat
new file mode 100644
index 000000000..7d077c126
--- /dev/null
+++ b/testing/tests/ikev1/alg-sha256-96/pretest.dat
@@ -0,0 +1,5 @@
+moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+carol::ipsec start
+moon::ipsec start
+carol::sleep 2
+carol::ipsec up home
diff --git a/testing/tests/ikev1/alg-sha256-96/test.conf b/testing/tests/ikev1/alg-sha256-96/test.conf
new file mode 100644
index 000000000..fd33cfb57
--- /dev/null
+++ b/testing/tests/ikev1/alg-sha256-96/test.conf
@@ -0,0 +1,22 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
diff --git a/testing/tests/ikev1/alg-sha256/description.txt b/testing/tests/ikev1/alg-sha256/description.txt
new file mode 100644
index 000000000..628101921
--- /dev/null
+++ b/testing/tests/ikev1/alg-sha256/description.txt
@@ -0,0 +1,4 @@
+Roadwarrior <b>carol</b> proposes  to gateway <b>moon</b> the cipher suite
+<b>AES_CBC_128 / HMAC_SHA2_256 / MODP_2048</b> for the IKE protocol and 
+<b>AES_CBC_128 / HMAC_SHA2_256</b> for ESP packets. A ping from <b>carol</b> to
+<b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev1/alg-sha256/evaltest.dat b/testing/tests/ikev1/alg-sha256/evaltest.dat
new file mode 100644
index 000000000..00fcb8862
--- /dev/null
+++ b/testing/tests/ikev1/alg-sha256/evaltest.dat
@@ -0,0 +1,12 @@
+carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
+moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
+carol::ipsec statusall::IKE proposal: AES_CBC_128/HMAC_SHA2_256/MODP_2048::YES
+moon::ipsec statusall::IKE proposal: AES_CBC_128/HMAC_SHA2_256/MODP_2048::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ipsec statusall::ESP proposal: AES_CBC_128/HMAC_SHA2_256::YES
+moon::ipsec statusall::ESP proposal: AES_CBC_128/HMAC_SHA2_256::YES
+carol::ip xfrm state::auth hmac(sha256)::YES
+moon::ip xfrm state::auth hmac(sha256)::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 200::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 200::YES
+
diff --git a/testing/tests/ikev1/alg-sha256/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/alg-sha256/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..0e1db6fbe
--- /dev/null
+++ b/testing/tests/ikev1/alg-sha256/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutodebug="control crypt"
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	charonstart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	ike=aes128-sha256-modp2048!
+	esp=aes128-sha256!
+
+conn home
+	left=PH_IP_CAROL
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
diff --git a/testing/tests/ikev1/alg-sha256/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/alg-sha256/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..584ffda19
--- /dev/null
+++ b/testing/tests/ikev1/alg-sha256/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutodebug="control crypt"
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	charonstart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	ike=aes128-sha256-modp2048!
+	esp=aes128-sha256!
+
+conn rw
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	right=%any
+	rightid=carol@strongswan.org
+	auto=add
diff --git a/testing/tests/ikev1/alg-sha256/posttest.dat b/testing/tests/ikev1/alg-sha256/posttest.dat
new file mode 100644
index 000000000..c6d6235f9
--- /dev/null
+++ b/testing/tests/ikev1/alg-sha256/posttest.dat
@@ -0,0 +1,2 @@
+moon::ipsec stop
+carol::ipsec stop
diff --git a/testing/tests/ikev1/alg-sha256/pretest.dat b/testing/tests/ikev1/alg-sha256/pretest.dat
new file mode 100644
index 000000000..7d077c126
--- /dev/null
+++ b/testing/tests/ikev1/alg-sha256/pretest.dat
@@ -0,0 +1,5 @@
+moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+carol::ipsec start
+moon::ipsec start
+carol::sleep 2
+carol::ipsec up home
diff --git a/testing/tests/ikev1/alg-sha256/test.conf b/testing/tests/ikev1/alg-sha256/test.conf
new file mode 100644
index 000000000..fd33cfb57
--- /dev/null
+++ b/testing/tests/ikev1/alg-sha256/test.conf
@@ -0,0 +1,22 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
diff --git a/testing/tests/ikev1/alg-sha2_256/description.txt b/testing/tests/ikev1/alg-sha2_256/description.txt
deleted file mode 100644
index e0af2e2f7..000000000
--- a/testing/tests/ikev1/alg-sha2_256/description.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Roadwarrior <b>carol</b> proposes  to gateway <b>moon</b> the rather strong cipher suite
-<b>AES_CBC_128 / HMAC_SHA2_256 / MODP_1536</b> for the IKE protocol and 
-<b>AES_CBC_128 / HMAC_SHA2_256</b> for ESP packets. A ping from <b>carol</b> to
-<b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev1/alg-sha2_256/evaltest.dat b/testing/tests/ikev1/alg-sha2_256/evaltest.dat
deleted file mode 100644
index b8a83e0fb..000000000
--- a/testing/tests/ikev1/alg-sha2_256/evaltest.dat
+++ /dev/null
@@ -1,11 +0,0 @@
-
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ipsec statusall::IKE proposal: AES_CBC_128/HMAC_SHA2_256/MODP_1536::YES
-moon::ipsec statusall::IKE proposal: AES_CBC_128/HMAC_SHA2_256/MODP_1536::YES
-carol::ipsec statusall::ESP proposal: AES_CBC_128/HMAC_SHA2_256::YES
-moon::ipsec statusall::ESP proposal: AES_CBC_128/HMAC_SHA2_256::YES
-carol::ip xfrm state::auth hmac(sha256)::YES
-moon::ip xfrm state::auth hmac(sha256)::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-
diff --git a/testing/tests/ikev1/alg-sha2_256/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/alg-sha2_256/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index 0c5980ed3..000000000
--- a/testing/tests/ikev1/alg-sha2_256/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug="control crypt"
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	ike=aes128-sha2_256-modp1536!
-	esp=aes128-sha2_256!
-
-conn home
-	left=PH_IP_CAROL
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	rightid=@moon.strongswan.org
-	auto=add
diff --git a/testing/tests/ikev1/alg-sha2_256/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/alg-sha2_256/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index 1770e5313..000000000
--- a/testing/tests/ikev1/alg-sha2_256/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug="control crypt"
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	ike=aes128-sha2_256-modp1536!
-	esp=aes128-sha2_256!
-
-conn rw
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftsubnet=10.1.0.0/16
-	right=%any
-	rightid=carol@strongswan.org
-	auto=add
diff --git a/testing/tests/ikev1/alg-sha2_256/posttest.dat b/testing/tests/ikev1/alg-sha2_256/posttest.dat
deleted file mode 100644
index c6d6235f9..000000000
--- a/testing/tests/ikev1/alg-sha2_256/posttest.dat
+++ /dev/null
@@ -1,2 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
diff --git a/testing/tests/ikev1/alg-sha2_256/pretest.dat b/testing/tests/ikev1/alg-sha2_256/pretest.dat
deleted file mode 100644
index 7d077c126..000000000
--- a/testing/tests/ikev1/alg-sha2_256/pretest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-carol::ipsec start
-moon::ipsec start
-carol::sleep 2
-carol::ipsec up home
diff --git a/testing/tests/ikev1/alg-sha2_256/test.conf b/testing/tests/ikev1/alg-sha2_256/test.conf
deleted file mode 100644
index a6c8f026c..000000000
--- a/testing/tests/ikev1/alg-sha2_256/test.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
-
diff --git a/testing/tests/ikev1/alg-sha384/description.txt b/testing/tests/ikev1/alg-sha384/description.txt
new file mode 100644
index 000000000..251e2e6a2
--- /dev/null
+++ b/testing/tests/ikev1/alg-sha384/description.txt
@@ -0,0 +1,4 @@
+Roadwarrior <b>carol</b> proposes  to gateway <b>moon</b> the cipher suite
+<b>AES_CBC_192 / HMAC_SHA2_384 / MODP_3072</b> for the IKE protocol and 
+<b>AES_CBC_192 / HMAC_SHA2_384</b> for ESP packets. A ping from <b>carol</b> to
+<b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev1/alg-sha384/evaltest.dat b/testing/tests/ikev1/alg-sha384/evaltest.dat
new file mode 100644
index 000000000..4da5ec5e7
--- /dev/null
+++ b/testing/tests/ikev1/alg-sha384/evaltest.dat
@@ -0,0 +1,12 @@
+carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
+moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
+carol::ipsec statusall::IKE proposal: AES_CBC_192/HMAC_SHA2_384/MODP_3072::YES
+moon::ipsec statusall::IKE proposal: AES_CBC_192/HMAC_SHA2_384/MODP_3072::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ipsec statusall::ESP proposal: AES_CBC_192/HMAC_SHA2_384::YES
+moon::ipsec statusall::ESP proposal: AES_CBC_192/HMAC_SHA2_384::YES
+carol::ip xfrm state::auth hmac(sha384)::YES
+moon::ip xfrm state::auth hmac(sha384)::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 208::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 208::YES
+
diff --git a/testing/tests/ikev1/alg-sha384/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/alg-sha384/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..c60c6615c
--- /dev/null
+++ b/testing/tests/ikev1/alg-sha384/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutodebug="control crypt"
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	charonstart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	ike=aes192-sha384-modp3072!
+	esp=aes192-sha384!
+
+conn home
+	left=PH_IP_CAROL
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
diff --git a/testing/tests/ikev1/alg-sha384/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/alg-sha384/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..2d361b38a
--- /dev/null
+++ b/testing/tests/ikev1/alg-sha384/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutodebug="control crypt"
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	charonstart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	ike=aes192-sha384-modp3072!
+	esp=aes192-sha384!
+
+conn rw
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	right=%any
+	rightid=carol@strongswan.org
+	auto=add
diff --git a/testing/tests/ikev1/alg-sha384/posttest.dat b/testing/tests/ikev1/alg-sha384/posttest.dat
new file mode 100644
index 000000000..c6d6235f9
--- /dev/null
+++ b/testing/tests/ikev1/alg-sha384/posttest.dat
@@ -0,0 +1,2 @@
+moon::ipsec stop
+carol::ipsec stop
diff --git a/testing/tests/ikev1/alg-sha384/pretest.dat b/testing/tests/ikev1/alg-sha384/pretest.dat
new file mode 100644
index 000000000..7d077c126
--- /dev/null
+++ b/testing/tests/ikev1/alg-sha384/pretest.dat
@@ -0,0 +1,5 @@
+moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+carol::ipsec start
+moon::ipsec start
+carol::sleep 2
+carol::ipsec up home
diff --git a/testing/tests/ikev1/alg-sha384/test.conf b/testing/tests/ikev1/alg-sha384/test.conf
new file mode 100644
index 000000000..fd33cfb57
--- /dev/null
+++ b/testing/tests/ikev1/alg-sha384/test.conf
@@ -0,0 +1,22 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
diff --git a/testing/tests/ikev1/alg-sha512/description.txt b/testing/tests/ikev1/alg-sha512/description.txt
new file mode 100644
index 000000000..adfc548b8
--- /dev/null
+++ b/testing/tests/ikev1/alg-sha512/description.txt
@@ -0,0 +1,4 @@
+Roadwarrior <b>carol</b> proposes  to gateway <b>moon</b> the cipher suite
+<b>AES_CBC_256 / HMAC_SHA2_512 / MODP_4096</b> for the IKE protocol and 
+<b>AES_CBC_256 / HMAC_SHA2_512</b> for ESP packets. A ping from <b>carol</b> to
+<b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev1/alg-sha512/evaltest.dat b/testing/tests/ikev1/alg-sha512/evaltest.dat
new file mode 100644
index 000000000..7e928d30b
--- /dev/null
+++ b/testing/tests/ikev1/alg-sha512/evaltest.dat
@@ -0,0 +1,12 @@
+carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
+moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
+carol::ipsec statusall::IKE proposal: AES_CBC_256/HMAC_SHA2_512/MODP_4096::YES
+moon::ipsec statusall::IKE proposal: AES_CBC_256/HMAC_SHA2_512/MODP_4096::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ipsec statusall::ESP proposal: AES_CBC_256/HMAC_SHA2_512::YES
+moon::ipsec statusall::ESP proposal: AES_CBC_256/HMAC_SHA2_512::YES
+carol::ip xfrm state::auth hmac(sha512)::YES
+moon::ip xfrm state::auth hmac(sha512)::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 216::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 216::YES
+
diff --git a/testing/tests/ikev1/alg-sha512/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/alg-sha512/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..6bd3ac8c7
--- /dev/null
+++ b/testing/tests/ikev1/alg-sha512/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutodebug="control crypt"
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	charonstart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	ike=aes256-sha512-modp4096!
+	esp=aes256-sha512!
+
+conn home
+	left=PH_IP_CAROL
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
diff --git a/testing/tests/ikev1/alg-sha512/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/alg-sha512/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..a28269155
--- /dev/null
+++ b/testing/tests/ikev1/alg-sha512/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutodebug="control crypt"
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	charonstart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	ike=aes256-sha512-modp4096!
+	esp=aes256-sha512!
+
+conn rw
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	right=%any
+	rightid=carol@strongswan.org
+	auto=add
diff --git a/testing/tests/ikev1/alg-sha512/posttest.dat b/testing/tests/ikev1/alg-sha512/posttest.dat
new file mode 100644
index 000000000..c6d6235f9
--- /dev/null
+++ b/testing/tests/ikev1/alg-sha512/posttest.dat
@@ -0,0 +1,2 @@
+moon::ipsec stop
+carol::ipsec stop
diff --git a/testing/tests/ikev1/alg-sha512/pretest.dat b/testing/tests/ikev1/alg-sha512/pretest.dat
new file mode 100644
index 000000000..7d077c126
--- /dev/null
+++ b/testing/tests/ikev1/alg-sha512/pretest.dat
@@ -0,0 +1,5 @@
+moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+carol::ipsec start
+moon::ipsec start
+carol::sleep 2
+carol::ipsec up home
diff --git a/testing/tests/ikev1/alg-sha512/test.conf b/testing/tests/ikev1/alg-sha512/test.conf
new file mode 100644
index 000000000..fd33cfb57
--- /dev/null
+++ b/testing/tests/ikev1/alg-sha512/test.conf
@@ -0,0 +1,22 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
diff --git a/testing/tests/ikev1/attr-cert/evaltest.dat b/testing/tests/ikev1/attr-cert/evaltest.dat
index 59f6eb76a..c6c3c66c3 100644
--- a/testing/tests/ikev1/attr-cert/evaltest.dat
+++ b/testing/tests/ikev1/attr-cert/evaltest.dat
@@ -1,12 +1,12 @@
 carol::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::cat /var/log/auth.log::alice.*peer matches group 'Research'::YES
+moon::cat /var/log/auth.log::alice.*peer with attributes .*Research.* is a member of the groups .*Research::YES
 moon::ipsec status::alice.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::YES
 carol::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::NO
-moon::cat /var/log/auth.log::venus.*peer doesn't match any group::YES
+moon::cat /var/log/auth.log::venus.*peer with attributes .*Research.* is not a member of the groups .*Accounting::YES
 moon::ipsec status::venus.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::NO
 dave::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::cat /var/log/auth.log::venus.*peer matches group 'Accounting'::YES
+moon::cat /var/log/auth.log::venus.*peer with attributes .*Accounting.* is a member of the groups .*Accounting::YES
 moon::ipsec status::venus.*PH_IP_DAVE.*STATE_QUICK_R2.*IPsec SA established::YES
 dave::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::NO
-moon::cat /var/log/auth.log::alice.*peer doesn't match any group::YES
+moon::cat /var/log/auth.log::alice.*peer with attributes .*Accounting.* is not a member of the groups .*Research::YES
 moon::ipsec status::alice.*PH_IP_DAVE.*STATE_QUICK_R2.*IPsec SA established::NO
diff --git a/testing/tests/ikev1/attr-cert/hosts/moon/etc/openac/carolCert.pem b/testing/tests/ikev1/attr-cert/hosts/moon/etc/openac/carolCert.pem
index 8492fbd45..6c41df9c7 100644
--- a/testing/tests/ikev1/attr-cert/hosts/moon/etc/openac/carolCert.pem
+++ b/testing/tests/ikev1/attr-cert/hosts/moon/etc/openac/carolCert.pem
@@ -1,25 +1,25 @@
 -----BEGIN CERTIFICATE-----
-MIIEIjCCAwqgAwIBAgIBCjANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
+MIIEIjCCAwqgAwIBAgIBHTANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA1MDEwMTIxNDMxOFoXDTA5MTIzMTIxNDMxOFowWjELMAkGA1UE
+b290IENBMB4XDTA5MDgyNzEwNDQ1MVoXDTE0MDgyNjEwNDQ1MVowWjELMAkGA1UE
 BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
 cmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcN
-AQEBBQADggEPADCCAQoCggEBALgbhJIECOCGyNJ4060un/wBuJ6MQjthK5CAEPgX
-T/lvZynoSxhfuW5geDCCxQes6dZPeb6wJS4F5fH3qJoLM+Z4n13rZlCEyyMBkcFl
-vK0aNFY+ARs0m7arUX8B7Pfi9N6WHTYgO4XpeBHLJrZQz9AU0V3S0rce/WVuVjii
-S/cJhrgSi7rl87Qo1jYOA9P06BZQLj0dFNcWWrGpKp/hXvBF1OSP9b15jsgMlCCW
-LJqXmLVKDtKgDPLJZR19mILhgcHvaxxD7craL9GR4QmWLb0m84oAIIwaw+0npZJM
-YDMMeYeOtcepCWCmRy+XmsqcWu4rtNCu05W1RsXjYZEKBjcCAwEAAaOCAQYwggEC
-MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBRVNeym66J5uu+IfxhD
-j9InsWdG0TBtBgNVHSMEZjBkgBRdp91wBlEyfue2bbO15eBg6i5N76FJpEcwRTEL
+AQEBBQADggEPADCCAQoCggEBANBdWU+BF7x4lyo+xHnr4UAOU89yQQuT5vdPoXzx
+6kRPsjYAuuktgXR+SaLkQHw/YRgDPSKj5nzmmlOQf/rWRr+8O2q+C92aUICmkNvZ
+Gamo5w2WlOMZ6T5dk2Hv+QM6xT/GzWyVr1dMYu/7tywD1Bw7aW/HqkRESDu6q95V
+Wu+Lzg6XlxCNEez0YsZrN/fC6BL2qzKAqMBbIHFW8OOnh+nEY4IF5AzkZnFrw12G
+I72Z882pw97lyKwZhSz/GMQFBJx+rnNdw5P1IJwTlG5PUdoDCte/Mcr1iiA+zOov
+x55x1GoGxduoXWU5egrf1MtalRf9Pc8Xr4q3WEKTAmsZrVECAwEAAaOCAQYwggEC
+MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBQfoamI2WSMtaCiVGQ5
+tPI9dF1ufDBtBgNVHSMEZjBkgBRdp91wBlEyfue2bbO15eBg6i5N76FJpEcwRTEL
 MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT
 EnN0cm9uZ1N3YW4gUm9vdCBDQYIBADAfBgNVHREEGDAWgRRjYXJvbEBzdHJvbmdz
 d2FuLm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4u
-b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBBAUAA4IBAQCxMEp+Zdclc0aI
-U+jO3TmL81gcwea0BUucjZfDyvCSkDXcXidOez+l/vUueGC7Bqq1ukDF8cpVgGtM
-2HPxM97ZSLPInMgWIeLq3uX8iTtIo05EYqRasJxBIAkY9o6ja6v6z0CZqjSbi2WE
-HrHkFrkOTrRi7deGzbAAhWVjOnAfzSxBaujkdUxb6jGBc2F5qpAeVSbE+sAxzmSd
-hRyF3tUUwl4yabBzmoedJzlQ4anqg0G14QScBxgXkq032gKuzNVVxWRp6OFannKG
-C1INvsBWYtN62wjXlXXhM/M4sBFhmPpftVb+Amgr1jSspTX2dQsNqhI/WtNvLmfK
-omBYfxqp
+b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQC8pqX3KrSzKeul
+GdzydAV4hGwYB3WiB02oJ2nh5MJBu7J0Kn4IVkvLUHSSZhSRxx55tQZfdYqtXVS7
+ZuyG+6rV7sb595SIRwfkLAdjbvv0yZIl4xx8j50K3yMR+9aXW1NSGPEkb8BjBUMr
+F2kjGTOqomo8OIzyI369z9kJrtEhnS37nHcdpewZC1wHcWfJ6wd9wxmz2dVXmgVQ
+L2BjXd/BcpLFaIC4h7jMXQ5FURjnU7K9xSa4T8PpR6FrQhOcIYBXAp94GiM8JqmK
+ZBGUpeP+3cy4i3DV18Kyr64Q4XZlzhZClNE43sgMqiX88dc3znpDzT7T51j+d+9k
+Rf5Z0GOR
 -----END CERTIFICATE-----
diff --git a/testing/tests/ikev1/attr-cert/hosts/moon/etc/openac/daveCert.pem b/testing/tests/ikev1/attr-cert/hosts/moon/etc/openac/daveCert.pem
index abd1554e5..f212e19cf 100644
--- a/testing/tests/ikev1/attr-cert/hosts/moon/etc/openac/daveCert.pem
+++ b/testing/tests/ikev1/attr-cert/hosts/moon/etc/openac/daveCert.pem
@@ -1,25 +1,25 @@
 -----BEGIN CERTIFICATE-----
-MIIEIjCCAwqgAwIBAgIBCDANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
+MIIEIjCCAwqgAwIBAgIBHDANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA0MDkxMDExMjY1MVoXDTA5MDkwOTExMjY1MVowWzELMAkGA1UE
+b290IENBMB4XDTA5MDgyNzEwMzczOVoXDTE0MDgyNjEwMzczOVowWzELMAkGA1UE
 BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xEzARBgNVBAsTCkFjY291
 bnRpbmcxHDAaBgNVBAMUE2RhdmVAc3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3
-DQEBAQUAA4IBDwAwggEKAoIBAQDGbCmUY6inir71/6RWebegcLUTmDSxRqpRONDx
-2IRUEuES5EKc7qsjRz45XoqjiywCQRjYW33fUEEY6r7fnHk70CyUnWeZyr7v4D/2
-LjBN3smDE6/ZZrzxPx+xphlUigYOF/vt4gUiW1dOZ5rcnxG9+eNrSL6gWNNg1iuE
-RflSTbmHV6TVmGU2PGddKGZ6XfqWfdA+6iOi2+oyqw6aH4u4hfXhJyMROEOhLdAF
-UvzU9UizEXSqsmEOSodS9vypVJRYTbZcx70e9Q7g2MghHvtQY6mVgBzAwakDBCt/
-98lAlKDeXXOQqPcqAZSc2VjG8gEmkr1dum8wsJw8C2liKGRFAgMBAAGjggEFMIIB
-ATAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQU3pC10RxsZDx0UNNq
-+Ihsoxk4+3IwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUx
+DQEBAQUAA4IBDwAwggEKAoIBAQDAB/JTbwVY5oNF0+8Behdbc0NOeX+bl0SOcgpZ
+ha6nbMBQO41jtOI5r5Xbg9sK9l+DYOnZQZEsEhIVZDoK8yGI/FIEE+gWRf+OLmI8
+k2K+G1dklTC/VP2tZWMQYQWs6UnX3iiVpHccI3CQqqJWe9fZsIsq0J9j9hu6h9dG
+IEbon6RXDLPI5DIiIKc3r0jDHNDsIUDzcjuUdCxKFCMuHUCfa1PBiqpj5pP6XT0G
+gI6UjbgnNWPTPb2axE7P1x5gQmVwiFiYs+VTh2fq9O9xNxnn/YmzLk4/YNly7xYX
+Q31NuhSvRpH7jsJ1p4VSuunYqvccPUKsp5PvCtCeGvNT2qt1AgMBAAGjggEFMIIB
+ATAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQU7n842u6huBpBd394
+8mdL6EOdjg4wbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUx
 CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQD
 ExJzdHJvbmdTd2FuIFJvb3QgQ0GCAQAwHgYDVR0RBBcwFYETZGF2ZUBzdHJvbmdz
 d2FuLm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4u
-b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBBAUAA4IBAQAnotcnOE0tJDLy
-8Vh1+naT2zrxx9UxfMIeFljwhDqRiHXSLDAbCOnAWoqj8C9riuZwW7UImIIQ9JT9
-Gdktt4bbIcG25rGMC3uqP71CfaAz/SwIZZ2vm8Jt2ZzzSMHsE5qbjDIRAZnq6giR
-P2s6PVsMPSpvH34sRbE0UoWJSdtBZJP5bb+T4hc9gfmbyTewwMnjh09KkGJqVxKV
-UC/1z1U9zb3X1Gc9y+zI67/D46wM6KdRINaqPdK26aYRFM+/DLoTfFk07dsyz7lt
-0C+/ityQOvpfjVlZ/OepT92eWno4FuNRJuUP5/gYiHvSsjZbazqG02qGhJ6VgtGT
-5qILUTmI
+b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQAyAbxrpMtTARw3
+jvBwuapaHXnTppz+TkWyfXVpgTwtPlf3rbhPk4DjhT2ygyMTI1azoqProf2aBbDr
+DldCSQPsZAcuzOdruKKMo2CQwgLuBFXL+JUX0hiIpFS1ZZHA2aDKyUw4OyADOvDU
+8r1/WiwRb91TdYP9nEu9qP30k0vkUg8DCbCmPI1/MVaxVzh9LRAFyOHrnKSCXG7o
+StmVFm2Yf3pE4HS1W6DtommyPs7aUD5XAaQdr3DYKI/TazoU6t5g2aEqigu+pj2M
+qk5idJkx5VCFvUU1hlChyX6NNNjJNnV6u5YiuatcdYQhpCTBsxnBoM+w0BvNOCl+
+1PdgEy1K
 -----END CERTIFICATE-----
diff --git a/testing/tests/ikev1/attr-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/attr-cert/hosts/moon/etc/strongswan.conf
index 343221385..53d719d9d 100644
--- a/testing/tests/ikev1/attr-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/attr-cert/hosts/moon/etc/strongswan.conf
@@ -1,9 +1,9 @@
 pluto {
-  load = sha1 sha2 md5 aes des hmac gmp pubkey random curl
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
 }
 
 openac {
-  load = sha1 sha2 md5 gmp random x509 pubkey
+  load = sha1 sha2 md5 pem pkcs1 x509 gmp random x509
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/crl-from-cache/evaltest.dat b/testing/tests/ikev1/crl-from-cache/evaltest.dat
index dd200c8ef..bdceddb79 100644
--- a/testing/tests/ikev1/crl-from-cache/evaltest.dat
+++ b/testing/tests/ikev1/crl-from-cache/evaltest.dat
@@ -1,5 +1,5 @@
-moon::cat /var/log/auth.log::loaded crl file::YES
-carol::cat /var/log/auth.log::loaded crl file::YES
+moon::cat /var/log/auth.log::loaded crl from::YES
+carol::cat /var/log/auth.log::loaded crl from::YES
 moon::cat /var/log/auth.log::X.509 certificate rejected::NO
 carol::cat /var/log/auth.log::X.509 certificate rejected::NO
 moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
diff --git a/testing/tests/ikev1/crl-ldap/evaltest.dat b/testing/tests/ikev1/crl-ldap/evaltest.dat
index 730614c66..80a84e1ef 100644
--- a/testing/tests/ikev1/crl-ldap/evaltest.dat
+++ b/testing/tests/ikev1/crl-ldap/evaltest.dat
@@ -1,7 +1,7 @@
-moon::cat /var/log/auth.log::loaded crl file::YES
-carol::cat /var/log/auth.log::loaded crl file::YES
-moon::cat /var/log/auth.log::crl update is overdue::YES
-carol::cat /var/log/auth.log::crl update is overdue::YES
+moon::cat /var/log/auth.log::loaded crl from::YES
+carol::cat /var/log/auth.log::loaded crl from::YES
+moon::cat /var/log/auth.log::crl is stale::YES
+carol::cat /var/log/auth.log::crl is stale::YES
 moon::cat /var/log/auth.log::X.509 certificate rejected::YES
 carol::cat /var/log/auth.log::X.509 certificate rejected::YES
 moon::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES
diff --git a/testing/tests/ikev1/crl-ldap/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/crl-ldap/hosts/carol/etc/strongswan.conf
index b15cf2d3f..4d916ab36 100644
--- a/testing/tests/ikev1/crl-ldap/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/crl-ldap/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac gmp pubkey random curl ldap
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl ldap
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/crl-ldap/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/crl-ldap/hosts/moon/etc/strongswan.conf
index b15cf2d3f..4d916ab36 100644
--- a/testing/tests/ikev1/crl-ldap/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/crl-ldap/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac gmp pubkey random curl ldap
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl ldap
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.d/certs/carolRevokedCert.pem b/testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.d/certs/carolRevokedCert.pem
index 5b742fc9e..a92610c4f 100644
--- a/testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.d/certs/carolRevokedCert.pem
+++ b/testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.d/certs/carolRevokedCert.pem
@@ -1,25 +1,25 @@
 -----BEGIN CERTIFICATE-----
-MIIEIjCCAwqgAwIBAgIBBzANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
+MIIEIjCCAwqgAwIBAgIBGzANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA0MDkxMDExMjU0OFoXDTA5MDkwOTExMjU0OFowWjELMAkGA1UE
+b290IENBMB4XDTA5MDgyNzEwMzEwNloXDTE0MDgyNjEwMzEwNlowWjELMAkGA1UE
 BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
 cmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcN
-AQEBBQADggEPADCCAQoCggEBAM5413q1B2EF3spcYD1u0ce9AtIHdxmU3+1E0hqV
-mLqpIQtyp4SLbrRunxpoVUuEpHWXgLb3C/ljjlKCMWWmhw4wja1rBTjMNJLPj6Bo
-5Qn4Oeuqm7/kLHPGbveQGtcSsJCk6iLqFTbq0wsji5Ogq7kmjWgQv0nM2jpofHLv
-VOAtWVSj+x2b3OHdl/WpgTgTw1HHjYo7/NOkARdTcZ2/wxxM3z1Abp9iylc45GLN
-IL/OzHkT8b5pdokdMvVijz8IslkkewJYXrVQaCNMZg/ydlXOOAEKz0YqnvXQaYs5
-K+s8XvQ2RFCr5oO0fRT2VbiI9TgHnbcnfUi25iHl6txsXg0CAwEAAaOCAQYwggEC
-MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBTbA2TH3ca8tgCGkYy9
-OV/MqUTHAzBtBgNVHSMEZjBkgBRdp91wBlEyfue2bbO15eBg6i5N76FJpEcwRTEL
+AQEBBQADggEPADCCAQoCggEBAOHh/BBf9VwUbx3IU2ZvKJylwCUP2Gr40Velcexr
+lR1PoK3nwZrJxxfhhxrxdx7Wnt/PDiF2eyzA9U4cOyS1zPpWuRt69PEOWfzQJZkD
+e5C6bXZMHwJGaCM0h8EugnwI7/XgbEq8U/1PBwIeFh8xSyIwyn8NqyHWm+6haFZG
+Urz7y0ZOAYcX5ZldP8vjm2SyAl0hPlod0ypk2K1igmO8w3cRRFqD27XhztgIJyoi
++BO3umc+BXcpPGoZ7IFaXvHcMVECrxbkrvRdpKiz/4+u8FakQJtBmYuqP2TLodRJ
+TKSJ4UvIPXZ8DTEYC/Ja/wrm1hNfH4T3YjWGT++lVbYF7qECAwEAAaOCAQYwggEC
+MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBQRnt9aYXsi/fgMXGVh
+ZpTfg8kSYjBtBgNVHSMEZjBkgBRdp91wBlEyfue2bbO15eBg6i5N76FJpEcwRTEL
 MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT
 EnN0cm9uZ1N3YW4gUm9vdCBDQYIBADAfBgNVHREEGDAWgRRjYXJvbEBzdHJvbmdz
 d2FuLm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4u
-b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBBAUAA4IBAQC9acuCUPEBOrWB
-56vS8N9bksQwv/XcYIFYqV73kFBAzOPLX2a9igFGvBPdCxFu/t8JCswzE6to4LFM
-2+6Z2QJf442CLPcJKxITahrjJXSxGbzMlmaDvZ5wFCJAlyin+yuInpTwl8rMZe/Q
-O5JeJjzGDgWJtnGdkLUk/l2r6sZ/Cmk5rZpuO0hcUHVztMLQYPzqTpuMvC5p4JzL
-LWGWhKRhJs53NmxXXodck/ZgaqiTWuQFYlbamJRvzVBfX7c1SWHRJvxSSOPKGIg3
-wphkO2naj/SQD+BNuWTRmZ9YCiLOQ64ybLpJzRZISETdqtLBPKsIqosUZwkxlR1N
-9IcgYi5x
+b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBBAUAA4IBAQCY2EMqkuhtAls/
+jkjXm+sI5YVglE62itSYgJxKZhxoFn3l4Afc6+XBeftK8Y1IjXdeyQUg8qHhkctl
+nBiEzRCClporCOXl5hOzWi+ft2hyKgcx8mFB8Qw5ZE9z8dvY70jdPCB4cH5EVaiC
+6ElGcI02iO073iCe38b3rmpwfnkIWZ0FVjSFSsTiNPLXWH6m6tt9Gux/PFuLff4a
+cdGfEGs01DEp9t0bHqZd6ESf2rEUljT57i9wSBfT5ULj78VTgudw/WhB0CgiXD+f
+q2dZC/19B8Xmk6XmEpRQjFK6wFmfBiQdelJo17/8M4LdT/RfvTHJOxr2OAtvCm2Z
+0xafBd5x
 -----END CERTIFICATE-----
diff --git a/testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.d/private/carolRevokedKey.pem b/testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.d/private/carolRevokedKey.pem
index 8aefcc5a6..60e7fdfa9 100644
--- a/testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.d/private/carolRevokedKey.pem
+++ b/testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.d/private/carolRevokedKey.pem
@@ -1,27 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEAznjXerUHYQXeylxgPW7Rx70C0gd3GZTf7UTSGpWYuqkhC3Kn
-hItutG6fGmhVS4SkdZeAtvcL+WOOUoIxZaaHDjCNrWsFOMw0ks+PoGjlCfg566qb
-v+Qsc8Zu95Aa1xKwkKTqIuoVNurTCyOLk6CruSaNaBC/SczaOmh8cu9U4C1ZVKP7
-HZvc4d2X9amBOBPDUceNijv806QBF1Nxnb/DHEzfPUBun2LKVzjkYs0gv87MeRPx
-vml2iR0y9WKPPwiyWSR7AlhetVBoI0xmD/J2Vc44AQrPRiqe9dBpizkr6zxe9DZE
-UKvmg7R9FPZVuIj1OAedtyd9SLbmIeXq3GxeDQIDAQABAoIBAAUdyXko8z3cP2EU
-WO4syNYCQQejV7gykDn48pvmCRrXBhKajLwkGGIwO5ET9MkiSFEBqBbgmFNdvDEf
-OMokDkSzv08Ez+RQax0YN57p+oL8u7KzT5i5tsBHsog/8epSdD2hWIv08QGjYAdu
-og7OdHLqGabyg0r44I+B91OBysCjU51rDdkhz59AmURdEIJV5xhuGojFM68jaNm2
-MUxDfDuCsRIydjAP0VTUTAUxD4/S5I+jt/GK9aRsEeRH9Q3011iTGMR9viAUBhq/
-khkWNltg9lkOqO7LpnNku4sSv3v4CWge7/T+4RR2vZgv1oSs4ox2UKYoqIqiYIfx
-uUcnqQECgYEA+LPiRMoXvlssQWlaFc2k4xga0efs+mWeLglDdc3R3fBEibP/AU07
-a576AgvUJtkI50/WNGKT73O+VtxcXn/N646m/8OtqNXuVKKjsxxNOZEKdO8aOdbt
-7lM5WepNiQeaKAFudUxpUiZQx8LCKSsNDiJZKWBu6xAG2O5X32VMZvUCgYEA1Ie+
-rNa490PSC1ym7WbmdAjvGmSOn2GOBfO7BECsPZstccU7D5pZl/89fTfn1TDKP49Y
-ScVOuFz7f/u6UJpb/WzI71RXEQOdojLWmF2HDx5osRi3hXEJa20fbPq6DQXCJ8pf
-IF37AEqAY4UNSNic0Cw+rGHdWPQhDNXhFWpdu7kCgYEAmv4oNmyoDXbuhrlsbggi
-CXE9TbG3a3mm8dPOGf2yHBmf7R2i/6GtNW33Kw1KIwfBV77WpQEGZwWACsv8ONx3
-baUSiHTfpkfk5xQQ5w/tRMISfTuB4agD0jJFnLa7qXl2ZhY2S53aSVsdntDOhi+R
-TEy1umah2Za8Xbd0RgHwcn0CgYEAl9Hgg9dfikMIaNVm6W/4cCtxoojy2Sf3LIlP
-r1oDsH6JmBwsdJjuJ4ZNhoXJNqID2COuDgTEly7U+jf4gFvEGuT7JPw6tgy/Ln7i
-jTVCpaozX08oykpVUEhDirYQ8fyLFaGbEqQQCcUusej59G/IlW0F2F6QoFrEwUaH
-46R4EQECgYBEZ7edMkj3dmJH1wxQjp5GJNbrJkS8IKvzza0mDTJdz33CgEX9Oyva
-o2iEkDVpvj2SEy28ewt22IRptWKH/3bQfxSCcRV6JFNt3+LongMshRYqq1leqrKa
-9fnQVtfTIbIVXwjTZap6BL8R66OeFtexsSFRfDF/8P4n2oF4zmn4qA==
+MIIEpQIBAAKCAQEA4eH8EF/1XBRvHchTZm8onKXAJQ/YavjRV6Vx7GuVHU+grefB
+msnHF+GHGvF3Htae388OIXZ7LMD1Thw7JLXM+la5G3r08Q5Z/NAlmQN7kLptdkwf
+AkZoIzSHwS6CfAjv9eBsSrxT/U8HAh4WHzFLIjDKfw2rIdab7qFoVkZSvPvLRk4B
+hxflmV0/y+ObZLICXSE+Wh3TKmTYrWKCY7zDdxFEWoPbteHO2AgnKiL4E7e6Zz4F
+dyk8ahnsgVpe8dwxUQKvFuSu9F2kqLP/j67wVqRAm0GZi6o/ZMuh1ElMpInhS8g9
+dnwNMRgL8lr/CubWE18fhPdiNYZP76VVtgXuoQIDAQABAoIBAQCbF5UAkUJgdM9O
+fat128DgvZXOXLDV0f261igAkmWR+Ih0n3n5E64VoY4oW77Ud7wiI4KqSzWLpvlH
+Jm8dZ45UHJOAYM4pbRcwVKJcC14eI0LhRKbN4xXBhmHnrE1/aIuKIQt5zRFGDarc
+M1gxFqFl2mZPEk18MGRkVoLTKfnJMzdHI1m0IAMwg3Rl9cmuVdkhTS+IAoULVNnI
+0iAOsFN8SdDaKBqRcPkypT5s4wjGH4s7zjW4PmEDwDhhfeHkVccCuH8n3un1bPT2
+oc73RSXdCYMgDTD3waXC+4cCQGPZmUCl6Mfq7YCECkUpUg6rHlaCYRSZZoQPf5vH
+VsBUvjABAoGBAPHSnJOL6tcqJCCZ27E3zIsmZ+d6dX4B/YN1Xk3vKHhavN5Ks6Gx
+ZCsaluMuB2qyBRrpKnSAz6lUQ1TOxzuphlVIX1EnLW+JvNgFyem9PARsP2SMsKqm
+VaqnId6pprdbP53NpL9Z7AsbS/i/Ab6WpVPyYHdqVsimCdRGK9/JlOnBAoGBAO8g
+I4a4dJKiwHBHyP6wkYrhWdYwmjTJlskNNjrvtn7bCJ/Lm0SaGFXKIHCExnenZji0
+bBp3XiFNPlPfjTaXG++3IH6fxYdHonsrkxbUHvGAVETmHVLzeFiAKuUBvrWuKecD
+yoywVenugORQIPal3AcLwPsVRfDU89tTQhiFq3zhAoGBAIqmfy/54URM3Tnz/Yq2
+u4htFNYb2JHPAlQFT3TP0xxuqiuqGSR0WUJ9lFXdZlM+jr7HQZha4rXrok9V39XN
+dUAgpsYY+GwjRSt25jYmUesXRaGZKRIvHJ8kBL9t9jDbGLaZ2gP8wuH7XKvamF12
+coSXS8gsKGYTDT+wnCdLpR4BAoGAFwuV4Ont8iPVP/zrFgCWRjgpnEba1bOH4KBx
+VYS8pcUeM6g/soDXT41HSxDAv89WPqjEslhGrhbvps2oolY1zwhrDUkAlGUG96/f
+YRfYU5X2iR1UPiZQttbDS4a7hm7egvEOmDh2TzE5IsfGJX8ekV9Ene4S637acYy4
+lfxr5oECgYEAzRuvh6aG7UmKwNTfatEKav7/gUH3QBGK+Pp3TPSmR5PKh/Pk4py6
+95bT4mHrKCBIfSv/8h+6baYZr9Ha1Oj++J94RXEi8wdjjl1w3LGQrM/X+0AVqn5P
+b5w1nvRK7bMikIXbZmPJmivrfChcjD21gvWeF6Osq8McWF8jW2HzrZw=
 -----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev1/default-keys/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/default-keys/hosts/carol/etc/strongswan.conf
index 52fd0c788..737117cc9 100644
--- a/testing/tests/ikev1/default-keys/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/default-keys/hosts/carol/etc/strongswan.conf
@@ -1,11 +1,11 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac gmp pubkey random curl
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
 }
 
 scepclient {
-  load = sha1 sha2 md5 aes des hmac gmp pubkey random
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/default-keys/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/default-keys/hosts/moon/etc/strongswan.conf
index 52fd0c788..737117cc9 100644
--- a/testing/tests/ikev1/default-keys/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/default-keys/hosts/moon/etc/strongswan.conf
@@ -1,11 +1,11 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac gmp pubkey random curl
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
 }
 
 scepclient {
-  load = sha1 sha2 md5 aes des hmac gmp pubkey random
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/ipsec.d/certs/carolCert.pem b/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/ipsec.d/certs/carolCert.pem
index 8492fbd45..6c41df9c7 100644
--- a/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/ipsec.d/certs/carolCert.pem
+++ b/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/ipsec.d/certs/carolCert.pem
@@ -1,25 +1,25 @@
 -----BEGIN CERTIFICATE-----
-MIIEIjCCAwqgAwIBAgIBCjANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
+MIIEIjCCAwqgAwIBAgIBHTANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA1MDEwMTIxNDMxOFoXDTA5MTIzMTIxNDMxOFowWjELMAkGA1UE
+b290IENBMB4XDTA5MDgyNzEwNDQ1MVoXDTE0MDgyNjEwNDQ1MVowWjELMAkGA1UE
 BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
 cmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcN
-AQEBBQADggEPADCCAQoCggEBALgbhJIECOCGyNJ4060un/wBuJ6MQjthK5CAEPgX
-T/lvZynoSxhfuW5geDCCxQes6dZPeb6wJS4F5fH3qJoLM+Z4n13rZlCEyyMBkcFl
-vK0aNFY+ARs0m7arUX8B7Pfi9N6WHTYgO4XpeBHLJrZQz9AU0V3S0rce/WVuVjii
-S/cJhrgSi7rl87Qo1jYOA9P06BZQLj0dFNcWWrGpKp/hXvBF1OSP9b15jsgMlCCW
-LJqXmLVKDtKgDPLJZR19mILhgcHvaxxD7craL9GR4QmWLb0m84oAIIwaw+0npZJM
-YDMMeYeOtcepCWCmRy+XmsqcWu4rtNCu05W1RsXjYZEKBjcCAwEAAaOCAQYwggEC
-MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBRVNeym66J5uu+IfxhD
-j9InsWdG0TBtBgNVHSMEZjBkgBRdp91wBlEyfue2bbO15eBg6i5N76FJpEcwRTEL
+AQEBBQADggEPADCCAQoCggEBANBdWU+BF7x4lyo+xHnr4UAOU89yQQuT5vdPoXzx
+6kRPsjYAuuktgXR+SaLkQHw/YRgDPSKj5nzmmlOQf/rWRr+8O2q+C92aUICmkNvZ
+Gamo5w2WlOMZ6T5dk2Hv+QM6xT/GzWyVr1dMYu/7tywD1Bw7aW/HqkRESDu6q95V
+Wu+Lzg6XlxCNEez0YsZrN/fC6BL2qzKAqMBbIHFW8OOnh+nEY4IF5AzkZnFrw12G
+I72Z882pw97lyKwZhSz/GMQFBJx+rnNdw5P1IJwTlG5PUdoDCte/Mcr1iiA+zOov
+x55x1GoGxduoXWU5egrf1MtalRf9Pc8Xr4q3WEKTAmsZrVECAwEAAaOCAQYwggEC
+MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBQfoamI2WSMtaCiVGQ5
+tPI9dF1ufDBtBgNVHSMEZjBkgBRdp91wBlEyfue2bbO15eBg6i5N76FJpEcwRTEL
 MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT
 EnN0cm9uZ1N3YW4gUm9vdCBDQYIBADAfBgNVHREEGDAWgRRjYXJvbEBzdHJvbmdz
 d2FuLm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4u
-b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBBAUAA4IBAQCxMEp+Zdclc0aI
-U+jO3TmL81gcwea0BUucjZfDyvCSkDXcXidOez+l/vUueGC7Bqq1ukDF8cpVgGtM
-2HPxM97ZSLPInMgWIeLq3uX8iTtIo05EYqRasJxBIAkY9o6ja6v6z0CZqjSbi2WE
-HrHkFrkOTrRi7deGzbAAhWVjOnAfzSxBaujkdUxb6jGBc2F5qpAeVSbE+sAxzmSd
-hRyF3tUUwl4yabBzmoedJzlQ4anqg0G14QScBxgXkq032gKuzNVVxWRp6OFannKG
-C1INvsBWYtN62wjXlXXhM/M4sBFhmPpftVb+Amgr1jSspTX2dQsNqhI/WtNvLmfK
-omBYfxqp
+b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQC8pqX3KrSzKeul
+GdzydAV4hGwYB3WiB02oJ2nh5MJBu7J0Kn4IVkvLUHSSZhSRxx55tQZfdYqtXVS7
+ZuyG+6rV7sb595SIRwfkLAdjbvv0yZIl4xx8j50K3yMR+9aXW1NSGPEkb8BjBUMr
+F2kjGTOqomo8OIzyI369z9kJrtEhnS37nHcdpewZC1wHcWfJ6wd9wxmz2dVXmgVQ
+L2BjXd/BcpLFaIC4h7jMXQ5FURjnU7K9xSa4T8PpR6FrQhOcIYBXAp94GiM8JqmK
+ZBGUpeP+3cy4i3DV18Kyr64Q4XZlzhZClNE43sgMqiX88dc3znpDzT7T51j+d+9k
+Rf5Z0GOR
 -----END CERTIFICATE-----
diff --git a/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/ipsec.d/private/carolKey.pem b/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/ipsec.d/private/carolKey.pem
index 5a41744f6..41a139954 100644
--- a/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/ipsec.d/private/carolKey.pem
+++ b/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/ipsec.d/private/carolKey.pem
@@ -1,30 +1,30 @@
 -----BEGIN RSA PRIVATE KEY-----
 Proc-Type: 4,ENCRYPTED
-DEK-Info: DES-EDE3-CBC,1E1991A43D0778B7
+DEK-Info: AES-128-CBC,01290773006220E4E96C2975C52D2429
 
-MAsd1YBlHz54KjvBvhpwDBewinBkxBo/NmdsMetLIcV8Ag87YcKtTXYju+fbW21y
-DI12iPDQeS9tk17tS8qE5ubWmx/8n0fa5VCdLZ06JK6eeASXNoomXZh5rGsd42It
-sj0irWAnbIA3nFFWQl+Uz5pGZMse7aDSNyk1zs3xtywFIaditYIBsRhrTVmJ/bCK
-waVr++S2pwUHJ/phKoZQ8pwgF5KtYOZxdNtYIzfOZNMoplESR3+WYBYSuW8BKuOc
-QAign/BL2JVJLD4OpHQ68D8Su2sbh6ZYA5jslZLDgG9O7eiMbkCE+N8DmKO6wNAr
-zB5ILb4u5dIyTqun32tOENEhpZqDdMQtZZ34fRBze4IoMx9LrEOAHdZAQyyERP80
-iJCnH8BNf6FerA+XeDs4LVd1yrCklXKFINatqSRP/tNY3kruKw2Q7cAi2AFf+Rv6
-1lrvwK4MiLSHFtzcgEJuxm2bxeceIwXLJ2AVlfLBJvK/yJlq0MPedFbl6E6UwKfw
-cMLokF3sa1XrfwpJ93enGLqdpJrkR3dTzrsshjIhjQqfc8lqLwRlbMGc9u+V0ZsK
-OJ8e26wc/4l5D7CQ1vmgT/R/tuydBtUskgH96anhNJj1M95odkoh4Zicmm5iLgy2
-kluVYiEk0Fs7hc5Qtv8ZLN7ZoBRvZfJZWhXHDXmh71g1aoVYacIkFwiTMX4NoDy5
-QVq9tFUZ1TW4VrNIzfq++rLoz4XlgVy0Yz8jNWKuB0KRuHPNSsQUY2NHkDX+wOjq
-MP1SfNDxqPoqrmCqbgMw/9DmeOj9gyiTyjZhPZTxFOp67FYEYzYtR6bLQKEhdgf6
-iOVROZyrFHMZdBiUgV8GECds1th6ZYWmNRGdvxYjSjExIYgkDrcWbowTqD0bFC9b
-zClaSqrxR6GHUzbUVOBuCP+RmUx4j6gPvMRLUcIn5RmpbGtPE0ixeB5sFB0IuRRW
-6u2YToCiuq3EG1iJRmxjnBa/zj1aBO6OlsE/aPc0Sx+Jhm+MUbDioxUAriX96bJ+
-DEB4zgDhC0vIvkkUVAzQMkWPX479nPDmiZLpMqUIfqUh75WDpHbCladyGMgSkEo0
-IKq96oAWHJC8WLH0UMxMNuf8Ut+TsSpIO6G0RPl/cx3+hQqSUC5oUB7R3ZAWYx+6
-mawjkNJEx72yeJmQtGiZYEfeMt0Svm10PypMXFu0+2JjiS2eRj2K1yqrUnuL6AnY
-GYYmTmR74dnVAd35bRYJjY1XHGC9MyqBn4jLqKZm1BKO3sFsctGDy6vybnvAgPD7
-LioGQHPiOZmQe9Q5mMLedE9NAUCzlR8BHRbWtlnajQWcC0JcVu/mBQsjOt/KHh/V
-CY4aFXE56lRH2OpqZQxFpBFOSFDcuVX+zcEBGmKfk65n2MFL4McAJUhVRZL561Zx
-r9BvILv1Ld6/hECbodq0sUqvbDYHzv25zxAVKSIk1xy85mP5aNbk8xuGHmm860wg
-YOqdePwBEcDHoio+ov/uFYB7+4gt40vV90EzSiyfdq8x9RFMViJU430IkIBcvByo
-tFFcbN8ucBozxtl4AX495GVSRI7V0XXBtEdOIwJIzPBylZOHxCuTnA==
+mSt4HT52dsYkDwk6DVYm+Uij1PnFAnYzJD7Jx6EJIA9HuWKfyHPSjtqEcCwZoKHq
+i18EuCZHkdMBc8+lY0iEpNwbs3UbCP73lGn+IIjlOrS0xi4PP9iV1jxg/k+WF4rH
+jhIUhi3wc1cAaFLLj8bBvnx6t4mF3nTZZ119wSsa5ewy5RZGWcdN8NKtyNgFYTFx
+m5ACRErFuq8aFmcKVgwzLZH+e9fd7xKHS7XoP9vla7+iKkW5bzfkGP5E8irbOqce
+pyUE81FrD8irD0uK4mnrMRDDGrD02mYNSMGyhT5o1RDQJbaRupih9nU+SaTR2Kxq
+J/ScYak4EwmCIXixwuhwokDPTB1EuyQ1h5ywarkgt1TCZKoI2odqoILB2Dbrsmdf
+dKLqI8Q/kR4h5meCc0e3401VXIaOJWk5GMbxz+6641uWnTdLKedzC5gWCI7QIDFB
+h5n5m3tsSe6LRksqJpgPL/+vV/r+OrNEi4KGK9NxETZxeb/7gBSVFWbDXH5AO+wC
+/RlPYHaoDt+peRm3LUDBGQBPtvZUDiDHlW4v8wtgCEZXAPZPdaFRUSDYMYdbbebY
+EsxWa6G00Gau08EOPSgFIReGuACRkP4diiSE4ZTiC9HD2cuUN/D01ck+SD6UgdHV
+pyf6tHej/AdVG3HD5dRCmCCyfucW0gS7R+/+C4DzVHwZKAXJRSxmXLOHT0Gk8Woe
+sM8gbHOoV8OfLAfZDwibvnDq7rc82q5sSiGOKH7Fg5LYIjRB0UazCToxGVtxfWMz
+kPrzZiQT45QDa3gQdkHzF21s+fNpx/cZ1V1Mv+1E3KAX9XsAm/sNl0NAZ6G0AbFk
+gHIWoseiKxouTCDGNe/gC40r9XNhZdFCEzzJ9A77eScu0aTa5FHrC2w9YO2wHcja
+OT2AyZrVqOWB1/hIwAqk8ApXA3FwJbnQE0FxyLcYiTvCNM+XYIPLstD09axLFb53
+D4DXEncmvW4+axDg8G3s84olPGLgJL3E8pTFPYWHKsJgqsloAc/GD2Qx0PCinySM
+bVQckgzpVL3SvxeRRfx8SHl9F9z+GS4gZtM/gT9cDgcVOpVQpOcln5AR/mF/aoyo
+BW96LSmEk5l4yeBBba63Qcz1HRr2NSvXJuqdjw6qTZNBWtjmSxHywKZYRlSqzNZx
+7B6DGHTIOfGNhcy2wsd4cuftVYByGxfFjw7bHIDa4/ySdDykL7J+REfg8QidlCJB
+UN/2VjaNipQo38RczWLUfloMkMMrWYpXOm9koes+Vldm7Bco+eCONIS50DJDOhZs
+H037A+UMElXmtCrHPJGxQf8k1Qirn6BWOuRmXg8sXqeblIrPlZU+DghYXzA/nRxB
+y+nUx+Ipbj022uJNVtFwhP70TIqYm/O6Ol/zRbo6yRsR6uEnnb4wRi5IxHnM/iGA
+zWPzLRDSeVPkhu2pZ7JygabCiXbbgFTN1enJvLWvIAcB0LS8wQz0yKQ7oj32T0Ty
+AD3c/qS8kmsrZDe3H+lEfMCcJRnHUrR/SBChSdx7LF9mnLlWuJLLHmrz87x7Z2o6
+nuRU15U5aQTniVikvFWchnwGy+23lgv5He9X99jxEu/U1pA4egejfMs3g070AY3J
 -----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/ipsec.d/certs/carolCert.pem b/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/ipsec.d/certs/carolCert.pem
index 8492fbd45..6c41df9c7 100644
--- a/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/ipsec.d/certs/carolCert.pem
+++ b/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/ipsec.d/certs/carolCert.pem
@@ -1,25 +1,25 @@
 -----BEGIN CERTIFICATE-----
-MIIEIjCCAwqgAwIBAgIBCjANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
+MIIEIjCCAwqgAwIBAgIBHTANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA1MDEwMTIxNDMxOFoXDTA5MTIzMTIxNDMxOFowWjELMAkGA1UE
+b290IENBMB4XDTA5MDgyNzEwNDQ1MVoXDTE0MDgyNjEwNDQ1MVowWjELMAkGA1UE
 BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
 cmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcN
-AQEBBQADggEPADCCAQoCggEBALgbhJIECOCGyNJ4060un/wBuJ6MQjthK5CAEPgX
-T/lvZynoSxhfuW5geDCCxQes6dZPeb6wJS4F5fH3qJoLM+Z4n13rZlCEyyMBkcFl
-vK0aNFY+ARs0m7arUX8B7Pfi9N6WHTYgO4XpeBHLJrZQz9AU0V3S0rce/WVuVjii
-S/cJhrgSi7rl87Qo1jYOA9P06BZQLj0dFNcWWrGpKp/hXvBF1OSP9b15jsgMlCCW
-LJqXmLVKDtKgDPLJZR19mILhgcHvaxxD7craL9GR4QmWLb0m84oAIIwaw+0npZJM
-YDMMeYeOtcepCWCmRy+XmsqcWu4rtNCu05W1RsXjYZEKBjcCAwEAAaOCAQYwggEC
-MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBRVNeym66J5uu+IfxhD
-j9InsWdG0TBtBgNVHSMEZjBkgBRdp91wBlEyfue2bbO15eBg6i5N76FJpEcwRTEL
+AQEBBQADggEPADCCAQoCggEBANBdWU+BF7x4lyo+xHnr4UAOU89yQQuT5vdPoXzx
+6kRPsjYAuuktgXR+SaLkQHw/YRgDPSKj5nzmmlOQf/rWRr+8O2q+C92aUICmkNvZ
+Gamo5w2WlOMZ6T5dk2Hv+QM6xT/GzWyVr1dMYu/7tywD1Bw7aW/HqkRESDu6q95V
+Wu+Lzg6XlxCNEez0YsZrN/fC6BL2qzKAqMBbIHFW8OOnh+nEY4IF5AzkZnFrw12G
+I72Z882pw97lyKwZhSz/GMQFBJx+rnNdw5P1IJwTlG5PUdoDCte/Mcr1iiA+zOov
+x55x1GoGxduoXWU5egrf1MtalRf9Pc8Xr4q3WEKTAmsZrVECAwEAAaOCAQYwggEC
+MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBQfoamI2WSMtaCiVGQ5
+tPI9dF1ufDBtBgNVHSMEZjBkgBRdp91wBlEyfue2bbO15eBg6i5N76FJpEcwRTEL
 MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT
 EnN0cm9uZ1N3YW4gUm9vdCBDQYIBADAfBgNVHREEGDAWgRRjYXJvbEBzdHJvbmdz
 d2FuLm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4u
-b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBBAUAA4IBAQCxMEp+Zdclc0aI
-U+jO3TmL81gcwea0BUucjZfDyvCSkDXcXidOez+l/vUueGC7Bqq1ukDF8cpVgGtM
-2HPxM97ZSLPInMgWIeLq3uX8iTtIo05EYqRasJxBIAkY9o6ja6v6z0CZqjSbi2WE
-HrHkFrkOTrRi7deGzbAAhWVjOnAfzSxBaujkdUxb6jGBc2F5qpAeVSbE+sAxzmSd
-hRyF3tUUwl4yabBzmoedJzlQ4anqg0G14QScBxgXkq032gKuzNVVxWRp6OFannKG
-C1INvsBWYtN62wjXlXXhM/M4sBFhmPpftVb+Amgr1jSspTX2dQsNqhI/WtNvLmfK
-omBYfxqp
+b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQC8pqX3KrSzKeul
+GdzydAV4hGwYB3WiB02oJ2nh5MJBu7J0Kn4IVkvLUHSSZhSRxx55tQZfdYqtXVS7
+ZuyG+6rV7sb595SIRwfkLAdjbvv0yZIl4xx8j50K3yMR+9aXW1NSGPEkb8BjBUMr
+F2kjGTOqomo8OIzyI369z9kJrtEhnS37nHcdpewZC1wHcWfJ6wd9wxmz2dVXmgVQ
+L2BjXd/BcpLFaIC4h7jMXQ5FURjnU7K9xSa4T8PpR6FrQhOcIYBXAp94GiM8JqmK
+ZBGUpeP+3cy4i3DV18Kyr64Q4XZlzhZClNE43sgMqiX88dc3znpDzT7T51j+d+9k
+Rf5Z0GOR
 -----END CERTIFICATE-----
diff --git a/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/ipsec.d/private/carolKey.pem b/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/ipsec.d/private/carolKey.pem
index 5a41744f6..41a139954 100644
--- a/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/ipsec.d/private/carolKey.pem
+++ b/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/ipsec.d/private/carolKey.pem
@@ -1,30 +1,30 @@
 -----BEGIN RSA PRIVATE KEY-----
 Proc-Type: 4,ENCRYPTED
-DEK-Info: DES-EDE3-CBC,1E1991A43D0778B7
+DEK-Info: AES-128-CBC,01290773006220E4E96C2975C52D2429
 
-MAsd1YBlHz54KjvBvhpwDBewinBkxBo/NmdsMetLIcV8Ag87YcKtTXYju+fbW21y
-DI12iPDQeS9tk17tS8qE5ubWmx/8n0fa5VCdLZ06JK6eeASXNoomXZh5rGsd42It
-sj0irWAnbIA3nFFWQl+Uz5pGZMse7aDSNyk1zs3xtywFIaditYIBsRhrTVmJ/bCK
-waVr++S2pwUHJ/phKoZQ8pwgF5KtYOZxdNtYIzfOZNMoplESR3+WYBYSuW8BKuOc
-QAign/BL2JVJLD4OpHQ68D8Su2sbh6ZYA5jslZLDgG9O7eiMbkCE+N8DmKO6wNAr
-zB5ILb4u5dIyTqun32tOENEhpZqDdMQtZZ34fRBze4IoMx9LrEOAHdZAQyyERP80
-iJCnH8BNf6FerA+XeDs4LVd1yrCklXKFINatqSRP/tNY3kruKw2Q7cAi2AFf+Rv6
-1lrvwK4MiLSHFtzcgEJuxm2bxeceIwXLJ2AVlfLBJvK/yJlq0MPedFbl6E6UwKfw
-cMLokF3sa1XrfwpJ93enGLqdpJrkR3dTzrsshjIhjQqfc8lqLwRlbMGc9u+V0ZsK
-OJ8e26wc/4l5D7CQ1vmgT/R/tuydBtUskgH96anhNJj1M95odkoh4Zicmm5iLgy2
-kluVYiEk0Fs7hc5Qtv8ZLN7ZoBRvZfJZWhXHDXmh71g1aoVYacIkFwiTMX4NoDy5
-QVq9tFUZ1TW4VrNIzfq++rLoz4XlgVy0Yz8jNWKuB0KRuHPNSsQUY2NHkDX+wOjq
-MP1SfNDxqPoqrmCqbgMw/9DmeOj9gyiTyjZhPZTxFOp67FYEYzYtR6bLQKEhdgf6
-iOVROZyrFHMZdBiUgV8GECds1th6ZYWmNRGdvxYjSjExIYgkDrcWbowTqD0bFC9b
-zClaSqrxR6GHUzbUVOBuCP+RmUx4j6gPvMRLUcIn5RmpbGtPE0ixeB5sFB0IuRRW
-6u2YToCiuq3EG1iJRmxjnBa/zj1aBO6OlsE/aPc0Sx+Jhm+MUbDioxUAriX96bJ+
-DEB4zgDhC0vIvkkUVAzQMkWPX479nPDmiZLpMqUIfqUh75WDpHbCladyGMgSkEo0
-IKq96oAWHJC8WLH0UMxMNuf8Ut+TsSpIO6G0RPl/cx3+hQqSUC5oUB7R3ZAWYx+6
-mawjkNJEx72yeJmQtGiZYEfeMt0Svm10PypMXFu0+2JjiS2eRj2K1yqrUnuL6AnY
-GYYmTmR74dnVAd35bRYJjY1XHGC9MyqBn4jLqKZm1BKO3sFsctGDy6vybnvAgPD7
-LioGQHPiOZmQe9Q5mMLedE9NAUCzlR8BHRbWtlnajQWcC0JcVu/mBQsjOt/KHh/V
-CY4aFXE56lRH2OpqZQxFpBFOSFDcuVX+zcEBGmKfk65n2MFL4McAJUhVRZL561Zx
-r9BvILv1Ld6/hECbodq0sUqvbDYHzv25zxAVKSIk1xy85mP5aNbk8xuGHmm860wg
-YOqdePwBEcDHoio+ov/uFYB7+4gt40vV90EzSiyfdq8x9RFMViJU430IkIBcvByo
-tFFcbN8ucBozxtl4AX495GVSRI7V0XXBtEdOIwJIzPBylZOHxCuTnA==
+mSt4HT52dsYkDwk6DVYm+Uij1PnFAnYzJD7Jx6EJIA9HuWKfyHPSjtqEcCwZoKHq
+i18EuCZHkdMBc8+lY0iEpNwbs3UbCP73lGn+IIjlOrS0xi4PP9iV1jxg/k+WF4rH
+jhIUhi3wc1cAaFLLj8bBvnx6t4mF3nTZZ119wSsa5ewy5RZGWcdN8NKtyNgFYTFx
+m5ACRErFuq8aFmcKVgwzLZH+e9fd7xKHS7XoP9vla7+iKkW5bzfkGP5E8irbOqce
+pyUE81FrD8irD0uK4mnrMRDDGrD02mYNSMGyhT5o1RDQJbaRupih9nU+SaTR2Kxq
+J/ScYak4EwmCIXixwuhwokDPTB1EuyQ1h5ywarkgt1TCZKoI2odqoILB2Dbrsmdf
+dKLqI8Q/kR4h5meCc0e3401VXIaOJWk5GMbxz+6641uWnTdLKedzC5gWCI7QIDFB
+h5n5m3tsSe6LRksqJpgPL/+vV/r+OrNEi4KGK9NxETZxeb/7gBSVFWbDXH5AO+wC
+/RlPYHaoDt+peRm3LUDBGQBPtvZUDiDHlW4v8wtgCEZXAPZPdaFRUSDYMYdbbebY
+EsxWa6G00Gau08EOPSgFIReGuACRkP4diiSE4ZTiC9HD2cuUN/D01ck+SD6UgdHV
+pyf6tHej/AdVG3HD5dRCmCCyfucW0gS7R+/+C4DzVHwZKAXJRSxmXLOHT0Gk8Woe
+sM8gbHOoV8OfLAfZDwibvnDq7rc82q5sSiGOKH7Fg5LYIjRB0UazCToxGVtxfWMz
+kPrzZiQT45QDa3gQdkHzF21s+fNpx/cZ1V1Mv+1E3KAX9XsAm/sNl0NAZ6G0AbFk
+gHIWoseiKxouTCDGNe/gC40r9XNhZdFCEzzJ9A77eScu0aTa5FHrC2w9YO2wHcja
+OT2AyZrVqOWB1/hIwAqk8ApXA3FwJbnQE0FxyLcYiTvCNM+XYIPLstD09axLFb53
+D4DXEncmvW4+axDg8G3s84olPGLgJL3E8pTFPYWHKsJgqsloAc/GD2Qx0PCinySM
+bVQckgzpVL3SvxeRRfx8SHl9F9z+GS4gZtM/gT9cDgcVOpVQpOcln5AR/mF/aoyo
+BW96LSmEk5l4yeBBba63Qcz1HRr2NSvXJuqdjw6qTZNBWtjmSxHywKZYRlSqzNZx
+7B6DGHTIOfGNhcy2wsd4cuftVYByGxfFjw7bHIDa4/ySdDykL7J+REfg8QidlCJB
+UN/2VjaNipQo38RczWLUfloMkMMrWYpXOm9koes+Vldm7Bco+eCONIS50DJDOhZs
+H037A+UMElXmtCrHPJGxQf8k1Qirn6BWOuRmXg8sXqeblIrPlZU+DghYXzA/nRxB
+y+nUx+Ipbj022uJNVtFwhP70TIqYm/O6Ol/zRbo6yRsR6uEnnb4wRi5IxHnM/iGA
+zWPzLRDSeVPkhu2pZ7JygabCiXbbgFTN1enJvLWvIAcB0LS8wQz0yKQ7oj32T0Ty
+AD3c/qS8kmsrZDe3H+lEfMCcJRnHUrR/SBChSdx7LF9mnLlWuJLLHmrz87x7Z2o6
+nuRU15U5aQTniVikvFWchnwGy+23lgv5He9X99jxEu/U1pA4egejfMs3g070AY3J
 -----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev1/esp-alg-aes-ccm/evaltest.dat b/testing/tests/ikev1/esp-alg-aes-ccm/evaltest.dat
index 27a5207a1..14d576909 100644
--- a/testing/tests/ikev1/esp-alg-aes-ccm/evaltest.dat
+++ b/testing/tests/ikev1/esp-alg-aes-ccm/evaltest.dat
@@ -1,5 +1,7 @@
 carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
 moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
 moon::ipsec statusall::AES_CCM_12_128::YES
 carol::ipsec statusall::AES_CCM_12_128::YES
-carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 180::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 180::YES
diff --git a/testing/tests/ikev1/esp-alg-aes-ccm/test.conf b/testing/tests/ikev1/esp-alg-aes-ccm/test.conf
index 2b240d895..acb73b06f 100644
--- a/testing/tests/ikev1/esp-alg-aes-ccm/test.conf
+++ b/testing/tests/ikev1/esp-alg-aes-ccm/test.conf
@@ -13,7 +13,7 @@ DIAGRAM="m-c-w.png"
 
 # UML instances on which tcpdump is to be started
 #
-TCPDUMPHOSTS=""
+TCPDUMPHOSTS="moon"
 
 # UML instances on which IPsec is started
 # Used for IPsec logging purposes
diff --git a/testing/tests/ikev1/esp-alg-aes-ctr/evaltest.dat b/testing/tests/ikev1/esp-alg-aes-ctr/evaltest.dat
index 6f1cd4c49..c7992fbe4 100644
--- a/testing/tests/ikev1/esp-alg-aes-ctr/evaltest.dat
+++ b/testing/tests/ikev1/esp-alg-aes-ctr/evaltest.dat
@@ -1,7 +1,9 @@
 carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
 moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
 moon::ipsec statusall::AES_CTR_256/AES_XCBC_96::YES
 carol::ipsec statusall::AES_CTR_256/AES_XCBC_96::YES
 moon::ip xfrm state::rfc3686(ctr(aes))::YES
 carol::ip xfrm state::rfc3686(ctr(aes))::YES
-carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 180::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 180::YES
diff --git a/testing/tests/ikev1/esp-alg-aes-ctr/test.conf b/testing/tests/ikev1/esp-alg-aes-ctr/test.conf
index 2b240d895..acb73b06f 100644
--- a/testing/tests/ikev1/esp-alg-aes-ctr/test.conf
+++ b/testing/tests/ikev1/esp-alg-aes-ctr/test.conf
@@ -13,7 +13,7 @@ DIAGRAM="m-c-w.png"
 
 # UML instances on which tcpdump is to be started
 #
-TCPDUMPHOSTS=""
+TCPDUMPHOSTS="moon"
 
 # UML instances on which IPsec is started
 # Used for IPsec logging purposes
diff --git a/testing/tests/ikev1/esp-alg-aes-gcm/evaltest.dat b/testing/tests/ikev1/esp-alg-aes-gcm/evaltest.dat
index d7d4666ed..e1fbe4653 100644
--- a/testing/tests/ikev1/esp-alg-aes-gcm/evaltest.dat
+++ b/testing/tests/ikev1/esp-alg-aes-gcm/evaltest.dat
@@ -1,5 +1,7 @@
 carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
 moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
 moon::ipsec statusall::AES_GCM_16_256::YES
 carol::ipsec statusall::AES_GCM_16_256::YES
-carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 184::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 184::YES
diff --git a/testing/tests/ikev1/esp-alg-aes-gcm/test.conf b/testing/tests/ikev1/esp-alg-aes-gcm/test.conf
index 2b240d895..acb73b06f 100644
--- a/testing/tests/ikev1/esp-alg-aes-gcm/test.conf
+++ b/testing/tests/ikev1/esp-alg-aes-gcm/test.conf
@@ -13,7 +13,7 @@ DIAGRAM="m-c-w.png"
 
 # UML instances on which tcpdump is to be started
 #
-TCPDUMPHOSTS=""
+TCPDUMPHOSTS="moon"
 
 # UML instances on which IPsec is started
 # Used for IPsec logging purposes
diff --git a/testing/tests/ikev1/esp-alg-aesxcbc/evaltest.dat b/testing/tests/ikev1/esp-alg-aesxcbc/evaltest.dat
index 872962de4..5cee96b08 100644
--- a/testing/tests/ikev1/esp-alg-aesxcbc/evaltest.dat
+++ b/testing/tests/ikev1/esp-alg-aesxcbc/evaltest.dat
@@ -1,9 +1,10 @@
-
 carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
 moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
+carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
 carol::ipsec statusall::ESP proposal: AES_CBC_256/AES_XCBC_96::YES
 moon::ipsec statusall::ESP proposal: AES_CBC_256/AES_XCBC_96::YES
 carol::ip xfrm state::auth xcbc(aes)::YES
 moon::ip xfrm state::auth xcbc(aes)::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 196::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 196::YES
 
diff --git a/testing/tests/ikev1/esp-alg-aesxcbc/test.conf b/testing/tests/ikev1/esp-alg-aesxcbc/test.conf
index a6c8f026c..fd33cfb57 100644
--- a/testing/tests/ikev1/esp-alg-aesxcbc/test.conf
+++ b/testing/tests/ikev1/esp-alg-aesxcbc/test.conf
@@ -13,7 +13,7 @@ DIAGRAM="m-c-w.png"
 
 # UML instances on which tcpdump is to be started
 #
-TCPDUMPHOSTS=""
+TCPDUMPHOSTS="moon"
 
 # UML instances on which IPsec is started
 # Used for IPsec logging purposes
diff --git a/testing/tests/ikev1/esp-alg-camellia/description.txt b/testing/tests/ikev1/esp-alg-camellia/description.txt
deleted file mode 100644
index b679d03ec..000000000
--- a/testing/tests/ikev1/esp-alg-camellia/description.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Roadwarrior <b>carol</b> proposes  to gateway <b>moon</b> the ESP cipher suite
-<b>CAMELLIA_CBC_192 / HMAC_SHA2_256</b> by defining <b>esp=camellia192-sha2_256</b>
-in ipsec.conf. A ping from <b>carol</b> to <b>alice</b> successfully checks
-the established tunnel.
diff --git a/testing/tests/ikev1/esp-alg-camellia/evaltest.dat b/testing/tests/ikev1/esp-alg-camellia/evaltest.dat
deleted file mode 100644
index 1b0f3a12b..000000000
--- a/testing/tests/ikev1/esp-alg-camellia/evaltest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ipsec statusall::ESP proposal: CAMELLIA_CBC_192/HMAC_SHA2_256::YES
-moon::ipsec statusall::ESP proposal: CAMELLIA_CBC_192/HMAC_SHA2_256::YES
-carol::ip xfrm state::enc cbc(camellia)::YES
-moon::ip xfrm state::enc cbc(camellia)::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-
diff --git a/testing/tests/ikev1/esp-alg-camellia/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-camellia/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index 9af94a18e..000000000
--- a/testing/tests/ikev1/esp-alg-camellia/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug="control crypt"
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	ike=aes192-sha2_256-modp2048!
-	esp=camellia192-sha2_256!
-
-conn home
-	left=PH_IP_CAROL
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	rightid=@moon.strongswan.org
-	auto=add
diff --git a/testing/tests/ikev1/esp-alg-camellia/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-camellia/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index 3501319a5..000000000
--- a/testing/tests/ikev1/esp-alg-camellia/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug="control crypt"
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	ike=aes192-sha2_256-modp2048!
-	esp=camellia192-sha2_256!
-
-conn rw
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftsubnet=10.1.0.0/16
-	right=%any
-	rightid=carol@strongswan.org
-	auto=add
diff --git a/testing/tests/ikev1/esp-alg-camellia/posttest.dat b/testing/tests/ikev1/esp-alg-camellia/posttest.dat
deleted file mode 100644
index c6d6235f9..000000000
--- a/testing/tests/ikev1/esp-alg-camellia/posttest.dat
+++ /dev/null
@@ -1,2 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
diff --git a/testing/tests/ikev1/esp-alg-camellia/pretest.dat b/testing/tests/ikev1/esp-alg-camellia/pretest.dat
deleted file mode 100644
index 7d077c126..000000000
--- a/testing/tests/ikev1/esp-alg-camellia/pretest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-carol::ipsec start
-moon::ipsec start
-carol::sleep 2
-carol::ipsec up home
diff --git a/testing/tests/ikev1/esp-alg-camellia/test.conf b/testing/tests/ikev1/esp-alg-camellia/test.conf
deleted file mode 100644
index a6c8f026c..000000000
--- a/testing/tests/ikev1/esp-alg-camellia/test.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
-
diff --git a/testing/tests/ikev1/esp-alg-des/evaltest.dat b/testing/tests/ikev1/esp-alg-des/evaltest.dat
index 57d09a488..8e42707a2 100644
--- a/testing/tests/ikev1/esp-alg-des/evaltest.dat
+++ b/testing/tests/ikev1/esp-alg-des/evaltest.dat
@@ -1,8 +1,9 @@
 carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
 moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
+carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
 moon::ipsec statusall::ESP proposal: DES_CBC/HMAC_MD5::YES
 carol::ipsec statusall::ESP proposal: DES_CBC/HMAC_MD5::YES
 moon::ip xfrm state::enc cbc(des)::YES
 carol::ip xfrm state::enc cbc(des)::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 180::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 180::YES
diff --git a/testing/tests/ikev1/esp-alg-des/test.conf b/testing/tests/ikev1/esp-alg-des/test.conf
index a6c8f026c..fd33cfb57 100644
--- a/testing/tests/ikev1/esp-alg-des/test.conf
+++ b/testing/tests/ikev1/esp-alg-des/test.conf
@@ -13,7 +13,7 @@ DIAGRAM="m-c-w.png"
 
 # UML instances on which tcpdump is to be started
 #
-TCPDUMPHOSTS=""
+TCPDUMPHOSTS="moon"
 
 # UML instances on which IPsec is started
 # Used for IPsec logging purposes
diff --git a/testing/tests/ikev1/esp-alg-null/evaltest.dat b/testing/tests/ikev1/esp-alg-null/evaltest.dat
index 8c748a54c..a259e6d09 100644
--- a/testing/tests/ikev1/esp-alg-null/evaltest.dat
+++ b/testing/tests/ikev1/esp-alg-null/evaltest.dat
@@ -1,7 +1,9 @@
 carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
 moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
 moon::ipsec statusall::ESP proposal::NULL/HMAC_SHA1::YES
 carol::ipsec statusall::ESP proposal::NULL/HMAC_SHA1::YES
 moon::ip xfrm state::enc ecb(cipher_null)::YES
 carol::ip xfrm state::enc ecb(cipher_null)::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 172::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 172::YES
diff --git a/testing/tests/ikev1/esp-alg-null/test.conf b/testing/tests/ikev1/esp-alg-null/test.conf
index a6c8f026c..fd33cfb57 100644
--- a/testing/tests/ikev1/esp-alg-null/test.conf
+++ b/testing/tests/ikev1/esp-alg-null/test.conf
@@ -13,7 +13,7 @@ DIAGRAM="m-c-w.png"
 
 # UML instances on which tcpdump is to be started
 #
-TCPDUMPHOSTS=""
+TCPDUMPHOSTS="moon"
 
 # UML instances on which IPsec is started
 # Used for IPsec logging purposes
diff --git a/testing/tests/ikev1/ike-alg-sha2_384/description.txt b/testing/tests/ikev1/ike-alg-sha2_384/description.txt
deleted file mode 100644
index a0bda209c..000000000
--- a/testing/tests/ikev1/ike-alg-sha2_384/description.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the strong cipher suite
-<b>AES_CBC_192 / HMAC_SHA2_384 / MODP4096</b> for the IKE protocol and
-<b>AES_CBC_192 /HMAC_SHA2_256</b> for ESP packets. A ping from <b>carol</b> to
-<b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev1/ike-alg-sha2_384/evaltest.dat b/testing/tests/ikev1/ike-alg-sha2_384/evaltest.dat
deleted file mode 100644
index a4cc39150..000000000
--- a/testing/tests/ikev1/ike-alg-sha2_384/evaltest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-moon::ipsec statusall::IKE proposal: AES_CBC_192/HMAC_SHA2_384/MODP_4096::YES
-carol::ipsec statusall::IKE proposal: AES_CBC_192/HMAC_SHA2_384/MODP_4096::YES
-moon::ipsec statusall::ESP proposal: AES_CBC_192/HMAC_SHA2_256::YES
-carol::ipsec statusall::ESP proposal: AES_CBC_192/HMAC_SHA2_256::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-
diff --git a/testing/tests/ikev1/ike-alg-sha2_384/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/ike-alg-sha2_384/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index 52fc94b51..000000000
--- a/testing/tests/ikev1/ike-alg-sha2_384/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug="control crypt"
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	ike=aes192-sha2_384-modp4096!
-	esp=aes192-sha2_256!
-conn home
-	left=PH_IP_CAROL
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	rightid=@moon.strongswan.org
-	auto=add
diff --git a/testing/tests/ikev1/ike-alg-sha2_384/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/ike-alg-sha2_384/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index 97e552a6a..000000000
--- a/testing/tests/ikev1/ike-alg-sha2_384/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug="control crypt"
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	ike=aes192-sha2_384-modp4096!
-	esp=aes192-sha2_256!
-
-conn rw
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftsubnet=10.1.0.0/16
-	right=%any
-	rightid=carol@strongswan.org
-	auto=add
diff --git a/testing/tests/ikev1/ike-alg-sha2_384/posttest.dat b/testing/tests/ikev1/ike-alg-sha2_384/posttest.dat
deleted file mode 100644
index c6d6235f9..000000000
--- a/testing/tests/ikev1/ike-alg-sha2_384/posttest.dat
+++ /dev/null
@@ -1,2 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
diff --git a/testing/tests/ikev1/ike-alg-sha2_384/pretest.dat b/testing/tests/ikev1/ike-alg-sha2_384/pretest.dat
deleted file mode 100644
index 7d077c126..000000000
--- a/testing/tests/ikev1/ike-alg-sha2_384/pretest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-carol::ipsec start
-moon::ipsec start
-carol::sleep 2
-carol::ipsec up home
diff --git a/testing/tests/ikev1/ike-alg-sha2_384/test.conf b/testing/tests/ikev1/ike-alg-sha2_384/test.conf
deleted file mode 100644
index a6c8f026c..000000000
--- a/testing/tests/ikev1/ike-alg-sha2_384/test.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
-
diff --git a/testing/tests/ikev1/ike-alg-sha2_512/description.txt b/testing/tests/ikev1/ike-alg-sha2_512/description.txt
deleted file mode 100644
index 240b8f2b0..000000000
--- a/testing/tests/ikev1/ike-alg-sha2_512/description.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the paranoid cipher suite
-<b>AES_CBC_256 / HMAC_SHA2_512 / MODP_8192</b> for the IKE protocol and
-<b>AES_CBC_256 / HMAC_SHA2_256</b> for ESP packets. A ping from <b>carol</b> to
-<b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev1/ike-alg-sha2_512/evaltest.dat b/testing/tests/ikev1/ike-alg-sha2_512/evaltest.dat
deleted file mode 100644
index 10929457f..000000000
--- a/testing/tests/ikev1/ike-alg-sha2_512/evaltest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-moon::ipsec statusall::IKE proposal: AES_CBC_256/HMAC_SHA2_512/MODP_8192::YES
-carol::ipsec statusall::IKE proposal: AES_CBC_256/HMAC_SHA2_512/MODP_8192::YES
-moon::ipsec statusall::ESP proposal: AES_CBC_256/HMAC_SHA2_256::YES
-carol::ipsec statusall::ESP proposal: AES_CBC_256/HMAC_SHA2_256::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-
diff --git a/testing/tests/ikev1/ike-alg-sha2_512/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/ike-alg-sha2_512/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index cf9309223..000000000
--- a/testing/tests/ikev1/ike-alg-sha2_512/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug="control crypt"
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	ike=aes256-sha2_512-modp8192!
-	esp=aes256-sha2_256!
-conn home
-	left=PH_IP_CAROL
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	rightid=@moon.strongswan.org
-	auto=add
diff --git a/testing/tests/ikev1/ike-alg-sha2_512/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/ike-alg-sha2_512/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index d47ad7696..000000000
--- a/testing/tests/ikev1/ike-alg-sha2_512/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug="control crypt"
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	ike=aes256-sha2_512-modp8192!
-	esp=aes256-sha2_256!
-
-conn rw
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftsubnet=10.1.0.0/16
-	right=%any
-	rightid=carol@strongswan.org
-	auto=add
diff --git a/testing/tests/ikev1/ike-alg-sha2_512/posttest.dat b/testing/tests/ikev1/ike-alg-sha2_512/posttest.dat
deleted file mode 100644
index c6d6235f9..000000000
--- a/testing/tests/ikev1/ike-alg-sha2_512/posttest.dat
+++ /dev/null
@@ -1,2 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
diff --git a/testing/tests/ikev1/ike-alg-sha2_512/pretest.dat b/testing/tests/ikev1/ike-alg-sha2_512/pretest.dat
deleted file mode 100644
index 7d077c126..000000000
--- a/testing/tests/ikev1/ike-alg-sha2_512/pretest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-carol::ipsec start
-moon::ipsec start
-carol::sleep 2
-carol::ipsec up home
diff --git a/testing/tests/ikev1/ike-alg-sha2_512/test.conf b/testing/tests/ikev1/ike-alg-sha2_512/test.conf
deleted file mode 100644
index a6c8f026c..000000000
--- a/testing/tests/ikev1/ike-alg-sha2_512/test.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
-
diff --git a/testing/tests/ikev1/ip-pool-db-push/description.txt b/testing/tests/ikev1/ip-pool-db-push/description.txt
new file mode 100644
index 000000000..dc510e21a
--- /dev/null
+++ b/testing/tests/ikev1/ip-pool-db-push/description.txt
@@ -0,0 +1,4 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
+Using Mode Config push mode (<b>modeconfig=push</b>) the gateway <b>moon</b> assigns virtual
+IP addresses from a pool named <b>bigpool</b> that was created in an SQL database by the command
+<b>ipsec pool --name bigpool --start 10.3.0.1 --end 10.3.3.232 --timeout 0</b>.
diff --git a/testing/tests/ikev1/ip-pool-db-push/evaltest.dat b/testing/tests/ikev1/ip-pool-db-push/evaltest.dat
new file mode 100644
index 000000000..92ef9fc55
--- /dev/null
+++ b/testing/tests/ikev1/ip-pool-db-push/evaltest.dat
@@ -0,0 +1,33 @@
+carol::cat /var/log/auth.log::received IPv4 DNS server address PH_IP_WINNETOU::YES
+carol::cat /var/log/auth.log::received IPv4 DNS server address PH_IP_VENUS::YES
+carol::cat /var/log/auth.log::received IPv4 NBNS server address PH_IP_VENUS::YES
+carol::cat /var/log/auth.log::setting virtual IP source address to PH_IP_CAROL1::YES
+carol::ip addr list dev eth0::PH_IP_CAROL1::YES
+carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES
+carol::ipsec status::home.*IPsec SA established::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave::cat /var/log/auth.log::received IPv4 DNS server address PH_IP_WINNETOU::YES
+dave::cat /var/log/auth.log::received IPv4 DNS server address PH_IP_VENUS::YES
+dave::cat /var/log/auth.log::received IPv4 NBNS server address PH_IP_VENUS::YES
+dave::cat /var/log/auth.log::setting virtual IP source address to PH_IP_DAVE1::YES
+dave::ip addr list dev eth0::PH_IP_DAVE1::YES
+dave::ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
+dave::ipsec status::home.*IPsec SA established::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::cat /var/log/auth.log::starting ModeCfg server in push mode::YES
+moon::cat /var/log/auth.log::acquired new lease for address.*in pool.*bigpool::YES
+moon::cat /var/log/auth.log::assigning virtual IP::YES
+moon::ipsec pool --status 2> /dev/null::dns servers: PH_IP_WINNETOU PH_IP_VENUS::YES
+moon::ipsec pool --status 2> /dev/null::nbns servers: PH_IP_VENUS::YES
+moon::ipsec pool --status 2> /dev/null::bigpool.*10.3.0.1.*10.3.3.232.*static.*2::YES
+moon::ipsec pool --leases --filter pool=bigpool,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES
+moon::ipsec pool --leases --filter pool=bigpool,addr=10.3.0.2,id=dave@strongswan.org 2> /dev/null::online::YES
+moon::ipsec status::rw.*IPsec SA established::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
+alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/ikev1/ip-pool-db-push/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/ip-pool-db-push/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..5e7cc89a7
--- /dev/null
+++ b/testing/tests/ikev1/ip-pool-db-push/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,26 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	charonstart=no
+	plutodebug=control
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+	modeconfig=push
+
+conn home
+	left=PH_IP_CAROL
+	leftsourceip=%config
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
diff --git a/testing/tests/ikev1/ip-pool-db-push/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/ip-pool-db-push/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..d6460a291
--- /dev/null
+++ b/testing/tests/ikev1/ip-pool-db-push/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
+}
diff --git a/testing/tests/ikev1/ip-pool-db-push/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/ip-pool-db-push/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..e1c864e58
--- /dev/null
+++ b/testing/tests/ikev1/ip-pool-db-push/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,26 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	charonstart=no
+	plutodebug=control
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+	modeconfig=push
+
+conn home
+	left=PH_IP_DAVE
+	leftsourceip=%config
+	leftcert=daveCert.pem
+	leftid=dave@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
diff --git a/testing/tests/ikev1/ip-pool-db-push/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/ip-pool-db-push/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..d6460a291
--- /dev/null
+++ b/testing/tests/ikev1/ip-pool-db-push/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
+}
diff --git a/testing/tests/ikev1/ip-pool-db-push/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/ip-pool-db-push/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..c365004bf
--- /dev/null
+++ b/testing/tests/ikev1/ip-pool-db-push/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,26 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	charonstart=no
+	plutodebug=control
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	rekey=no
+	keyexchange=ikev1
+	modeconfig=push
+
+conn rw
+	left=PH_IP_MOON
+	leftsubnet=10.1.0.0/16
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftfirewall=yes
+	right=%any
+	rightsourceip=%bigpool
+	auto=add
diff --git a/testing/tests/ikev1/ip-pool-db-push/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/ip-pool-db-push/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..5a444f19c
--- /dev/null
+++ b/testing/tests/ikev1/ip-pool-db-push/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,17 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl sqlite attr-sql
+}
+
+libstrongswan {
+  plugins {
+    attr-sql {
+      database = sqlite:///etc/ipsec.d/ipsec.db
+    }
+  }
+}
+
+pool {
+  load = sqlite
+}
diff --git a/testing/tests/ikev1/ip-pool-db-push/posttest.dat b/testing/tests/ikev1/ip-pool-db-push/posttest.dat
new file mode 100644
index 000000000..5022c6cf1
--- /dev/null
+++ b/testing/tests/ikev1/ip-pool-db-push/posttest.dat
@@ -0,0 +1,12 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
+carol::ip addr del PH_IP_CAROL1/32 dev eth0
+dave::ip addr del PH_IP_DAVE1/32 dev eth0
+moon::ipsec pool --del bigpool 2> /dev/null
+moon::ipsec pool --del dns 2> /dev/null
+moon::ipsec pool --del nbns 2> /dev/null
+moon::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/ikev1/ip-pool-db-push/pretest.dat b/testing/tests/ikev1/ip-pool-db-push/pretest.dat
new file mode 100644
index 000000000..332280acd
--- /dev/null
+++ b/testing/tests/ikev1/ip-pool-db-push/pretest.dat
@@ -0,0 +1,16 @@
+moon::cat /etc/ipsec.d/tables.sql > /etc/ipsec.d/ipsec.sql
+moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+moon::ipsec pool --add bigpool --start 10.3.0.1 --end 10.3.3.232 --timeout 0 2> /dev/null
+moon::ipsec pool --add dns  --server PH_IP_WINNETOU 2> /dev/null
+moon::ipsec pool --add dns  --server PH_IP_VENUS 2> /dev/null
+moon::ipsec pool --add nbns --server PH_IP_VENUS 2> /dev/null
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+carol::ipsec start
+dave::ipsec start
+moon::ipsec start
+carol::sleep 2 
+carol::ipsec up home
+dave::ipsec up home
+carol::sleep 1
diff --git a/testing/tests/ikev1/ip-pool-db-push/test.conf b/testing/tests/ikev1/ip-pool-db-push/test.conf
new file mode 100644
index 000000000..1a8f2a4e0
--- /dev/null
+++ b/testing/tests/ikev1/ip-pool-db-push/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon alice"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/ip-pool-db/description.txt b/testing/tests/ikev1/ip-pool-db/description.txt
new file mode 100644
index 000000000..364b96cd7
--- /dev/null
+++ b/testing/tests/ikev1/ip-pool-db/description.txt
@@ -0,0 +1,10 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
+Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKEv1 Mode Config payload
+by using the <b>leftsourceip=%config</b> parameter. The gateway <b>moon</b> assigns virtual IP
+addresses from a pool named <b>bigpool</b> that was created in an SQL database by the command
+<b>ipsec pool --name bigpool --start 10.3.0.1 --end 10.3.3.232 --timeout 0</b>.
+<p>
+<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass the
+tunneled traffic. In order to test the tunnels, <b>carol</b> and <b>dave</b> then ping the client
+<b>alice</b> behind the gateway <b>moon</b>. The source IP addresses of the two pings will be the
+virtual IPs <b>carol1</b> and <b>dave1</b>, respectively.
diff --git a/testing/tests/ikev1/ip-pool-db/evaltest.dat b/testing/tests/ikev1/ip-pool-db/evaltest.dat
new file mode 100644
index 000000000..357e01b2d
--- /dev/null
+++ b/testing/tests/ikev1/ip-pool-db/evaltest.dat
@@ -0,0 +1,33 @@
+carol::cat /var/log/auth.log::received IPv4 DNS server address PH_IP_WINNETOU::YES
+carol::cat /var/log/auth.log::received IPv4 DNS server address PH_IP_VENUS::YES
+carol::cat /var/log/auth.log::received IPv4 NBNS server address PH_IP_VENUS::YES
+carol::cat /var/log/auth.log::setting virtual IP source address to PH_IP_CAROL1::YES
+carol::ip addr list dev eth0::PH_IP_CAROL1::YES
+carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES
+carol::ipsec status::home.*IPsec SA established::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave::cat /var/log/auth.log::received IPv4 DNS server address PH_IP_WINNETOU::YES
+dave::cat /var/log/auth.log::received IPv4 DNS server address PH_IP_VENUS::YES
+dave::cat /var/log/auth.log::received IPv4 NBNS server address PH_IP_VENUS::YES
+dave::cat /var/log/auth.log::setting virtual IP source address to PH_IP_DAVE1::YES
+dave::ip addr list dev eth0::PH_IP_DAVE1::YES
+dave::ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
+dave::ipsec status::home.*IPsec SA established::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::cat /var/log/auth.log::peer requested virtual IP %any::YES
+moon::cat /var/log/auth.log::acquired new lease for address.*in pool.*bigpool::YES
+moon::cat /var/log/auth.log::assigning virtual IP::YES
+moon::ipsec pool --status 2> /dev/null::dns servers: PH_IP_WINNETOU PH_IP_VENUS::YES
+moon::ipsec pool --status 2> /dev/null::nbns servers: PH_IP_VENUS::YES
+moon::ipsec pool --status 2> /dev/null::bigpool.*10.3.0.1.*10.3.3.232.*static.*2::YES
+moon::ipsec pool --leases --filter pool=bigpool,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES
+moon::ipsec pool --leases --filter pool=bigpool,addr=10.3.0.2,id=dave@strongswan.org 2> /dev/null::online::YES
+moon::ipsec status::rw.*IPsec SA established::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
+alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/ikev1/ip-pool-db/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/ip-pool-db/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..0c770de9f
--- /dev/null
+++ b/testing/tests/ikev1/ip-pool-db/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	charonstart=no
+	plutodebug=control
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+
+conn home
+	left=PH_IP_CAROL
+	leftsourceip=%config
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
diff --git a/testing/tests/ikev1/ip-pool-db/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/ip-pool-db/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..d6460a291
--- /dev/null
+++ b/testing/tests/ikev1/ip-pool-db/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
+}
diff --git a/testing/tests/ikev1/ip-pool-db/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/ip-pool-db/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..163c19516
--- /dev/null
+++ b/testing/tests/ikev1/ip-pool-db/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	charonstart=no
+	plutodebug=control
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+
+conn home
+	left=PH_IP_DAVE
+	leftsourceip=%config
+	leftcert=daveCert.pem
+	leftid=dave@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
diff --git a/testing/tests/ikev1/ip-pool-db/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/ip-pool-db/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..d6460a291
--- /dev/null
+++ b/testing/tests/ikev1/ip-pool-db/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
+}
diff --git a/testing/tests/ikev1/ip-pool-db/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/ip-pool-db/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..0cefb7ab0
--- /dev/null
+++ b/testing/tests/ikev1/ip-pool-db/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	charonstart=no
+	plutodebug=control
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	rekey=no
+	keyexchange=ikev1
+
+conn rw
+	left=PH_IP_MOON
+	leftsubnet=10.1.0.0/16
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftfirewall=yes
+	right=%any
+	rightsourceip=%bigpool
+	auto=add
diff --git a/testing/tests/ikev1/ip-pool-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/ip-pool-db/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..5a444f19c
--- /dev/null
+++ b/testing/tests/ikev1/ip-pool-db/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,17 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl sqlite attr-sql
+}
+
+libstrongswan {
+  plugins {
+    attr-sql {
+      database = sqlite:///etc/ipsec.d/ipsec.db
+    }
+  }
+}
+
+pool {
+  load = sqlite
+}
diff --git a/testing/tests/ikev1/ip-pool-db/posttest.dat b/testing/tests/ikev1/ip-pool-db/posttest.dat
new file mode 100644
index 000000000..5022c6cf1
--- /dev/null
+++ b/testing/tests/ikev1/ip-pool-db/posttest.dat
@@ -0,0 +1,12 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
+carol::ip addr del PH_IP_CAROL1/32 dev eth0
+dave::ip addr del PH_IP_DAVE1/32 dev eth0
+moon::ipsec pool --del bigpool 2> /dev/null
+moon::ipsec pool --del dns 2> /dev/null
+moon::ipsec pool --del nbns 2> /dev/null
+moon::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/ikev1/ip-pool-db/pretest.dat b/testing/tests/ikev1/ip-pool-db/pretest.dat
new file mode 100644
index 000000000..332280acd
--- /dev/null
+++ b/testing/tests/ikev1/ip-pool-db/pretest.dat
@@ -0,0 +1,16 @@
+moon::cat /etc/ipsec.d/tables.sql > /etc/ipsec.d/ipsec.sql
+moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+moon::ipsec pool --add bigpool --start 10.3.0.1 --end 10.3.3.232 --timeout 0 2> /dev/null
+moon::ipsec pool --add dns  --server PH_IP_WINNETOU 2> /dev/null
+moon::ipsec pool --add dns  --server PH_IP_VENUS 2> /dev/null
+moon::ipsec pool --add nbns --server PH_IP_VENUS 2> /dev/null
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+carol::ipsec start
+dave::ipsec start
+moon::ipsec start
+carol::sleep 2 
+carol::ipsec up home
+dave::ipsec up home
+carol::sleep 1
diff --git a/testing/tests/ikev1/ip-pool-db/test.conf b/testing/tests/ikev1/ip-pool-db/test.conf
new file mode 100644
index 000000000..1a8f2a4e0
--- /dev/null
+++ b/testing/tests/ikev1/ip-pool-db/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon alice"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/mode-config-multiple/description.txt b/testing/tests/ikev1/mode-config-multiple/description.txt
new file mode 100644
index 000000000..6be00e744
--- /dev/null
+++ b/testing/tests/ikev1/mode-config-multiple/description.txt
@@ -0,0 +1,6 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
+Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKE Mode Config protocol
+by using the <b>leftsourceip=%modeconfig</b> parameter. After setting up an IPsec SA to reach
+the hosts <b>alice</b> and <b>venus</b>, respectively, both roadwarriors set up a second 
+IPsec SA to <b>venus</b> and <b>alice</b>, respectively, inheriting the virtual IP address
+from the previous Mode Config negotiation.
diff --git a/testing/tests/ikev1/mode-config-multiple/evaltest.dat b/testing/tests/ikev1/mode-config-multiple/evaltest.dat
new file mode 100644
index 000000000..735345315
--- /dev/null
+++ b/testing/tests/ikev1/mode-config-multiple/evaltest.dat
@@ -0,0 +1,29 @@
+carol::cat /var/log/auth.log::alice.*setting virtual IP source address to PH_IP_CAROL1::YES
+carol::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::YES
+carol::cat /var/log/auth.log::venus.*inheriting virtual IP source address PH_IP_CAROL1 from ModeCfg::YES
+carol::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
+dave::cat /var/log/auth.log::venus.*setting virtual IP source address to PH_IP_DAVE1::YES
+dave::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::YES
+dave::cat /var/log/auth.log::alice.*inheriting virtual IP source address PH_IP_DAVE1 from ModeCfg::YES
+dave::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::YES
+dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::ipsec status::carol-alice.*STATE_QUICK_R2.*IPsec SA established::YES
+moon::ipsec status::carol-venus.*STATE_QUICK_R2.*IPsec SA established::YES
+moon::ipsec status::dave-venus.*STATE_QUICK_R2.*IPsec SA established::YES
+moon::ipsec status::dave-alice.*STATE_QUICK_R2.*IPsec SA established::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
+alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
+venus::tcpdump::IP carol1.strongswan.org > venus.strongswan.org: ICMP echo request::YES
+venus::tcpdump::IP venus.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
+venus::tcpdump::IP dave1.strongswan.org > venus.strongswan.org: ICMP echo request::YES
+venus::tcpdump::IP venus.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
+
diff --git a/testing/tests/ikev1/mode-config-multiple/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/mode-config-multiple/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..f05916614
--- /dev/null
+++ b/testing/tests/ikev1/mode-config-multiple/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,32 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	charonstart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+
+conn alice
+	also=home
+	rightsubnet=10.1.0.10/32
+	auto=add
+
+conn venus
+	also=home
+	rightsubnet=10.1.0.20/32
+	auto=add
+
+conn home
+	left=192.168.0.100
+	leftsourceip=%modeconfig
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=192.168.0.1
+	rightid=@moon.strongswan.org
diff --git a/testing/tests/ikev1/mode-config-multiple/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/mode-config-multiple/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..44644f2af
--- /dev/null
+++ b/testing/tests/ikev1/mode-config-multiple/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,32 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	charonstart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+
+conn alice
+        also=home
+        rightsubnet=10.1.0.10/32
+        auto=add
+
+conn venus
+        also=home
+        rightsubnet=10.1.0.20/32
+        auto=add
+
+conn home
+	left=PH_IP_DAVE
+	leftsourceip=%modeconfig
+	leftcert=daveCert.pem
+	leftid=dave@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
diff --git a/testing/tests/ikev1/mode-config-multiple/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/mode-config-multiple/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..2f772cfdd
--- /dev/null
+++ b/testing/tests/ikev1/mode-config-multiple/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,49 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	charonstart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	left=192.168.0.1
+	leftsourceip=10.1.0.1
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftfirewall=yes
+
+conn carol-alice
+	also=carol
+	leftsubnet=10.1.0.10/32
+	auto=add
+
+conn carol-venus
+	also=carol
+	leftsubnet=10.1.0.20/32
+	auto=add
+	
+conn carol
+	right=%any
+	rightid=carol@strongswan.org
+	rightsourceip=10.3.0.1
+
+conn dave-alice
+        also=dave
+        leftsubnet=10.1.0.10/32
+        auto=add
+
+conn dave-venus
+        also=dave
+        leftsubnet=10.1.0.20/32
+        auto=add
+
+conn dave
+        right=%any
+        rightid=dave@strongswan.org
+        rightsourceip=10.3.0.2
+
diff --git a/testing/tests/ikev1/mode-config-multiple/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/mode-config-multiple/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..83cdb0d28
--- /dev/null
+++ b/testing/tests/ikev1/mode-config-multiple/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,13 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
+  dns1 = PH_IP_WINNETOU
+  dns2 = PH_IP6_VENUS
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/mode-config-multiple/posttest.dat b/testing/tests/ikev1/mode-config-multiple/posttest.dat
new file mode 100644
index 000000000..42fa8359b
--- /dev/null
+++ b/testing/tests/ikev1/mode-config-multiple/posttest.dat
@@ -0,0 +1,8 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
+carol::ip addr del PH_IP_CAROL1/32 dev eth0
+dave::ip addr del PH_IP_DAVE1/32 dev eth0
diff --git a/testing/tests/ikev1/mode-config-multiple/pretest.dat b/testing/tests/ikev1/mode-config-multiple/pretest.dat
new file mode 100644
index 000000000..63f52e274
--- /dev/null
+++ b/testing/tests/ikev1/mode-config-multiple/pretest.dat
@@ -0,0 +1,12 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+carol::ipsec start
+dave::ipsec start
+moon::ipsec start
+carol::sleep 2
+carol::ipsec up alice
+carol::ipsec up venus 
+dave::ipsec up venus
+dave::ipsec up alice
+carol::sleep 1
diff --git a/testing/tests/ikev1/mode-config-multiple/test.conf b/testing/tests/ikev1/mode-config-multiple/test.conf
new file mode 100644
index 000000000..d8fa5162d
--- /dev/null
+++ b/testing/tests/ikev1/mode-config-multiple/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon alice venus"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/mode-config/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/mode-config/hosts/moon/etc/strongswan.conf
index 3e950c81d..83cdb0d28 100644
--- a/testing/tests/ikev1/mode-config/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/mode-config/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac gmp pubkey random curl
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
   dns1 = PH_IP_WINNETOU
   dns2 = PH_IP6_VENUS
 }
diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf
index b15cf2d3f..4d916ab36 100644
--- a/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac gmp pubkey random curl ldap
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl ldap
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf
index b15cf2d3f..4d916ab36 100644
--- a/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac gmp pubkey random curl ldap
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl ldap
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf
index b15cf2d3f..4d916ab36 100644
--- a/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac gmp pubkey random curl ldap
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl ldap
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/multi-level-ca-loop/evaltest.dat b/testing/tests/ikev1/multi-level-ca-loop/evaltest.dat
index 781a7b4ac..524846109 100644
--- a/testing/tests/ikev1/multi-level-ca-loop/evaltest.dat
+++ b/testing/tests/ikev1/multi-level-ca-loop/evaltest.dat
@@ -1,3 +1,3 @@
-moon::cat /var/log/auth.log::maximum ca path length of 7 levels exceeded::YES
+moon::cat /var/log/auth.log::maximum path length of 7 exceeded::YES
 carol::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::NO
 moon::ipsec status::alice.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::NO
diff --git a/testing/tests/ikev1/multi-level-ca-pathlen/description.txt b/testing/tests/ikev1/multi-level-ca-pathlen/description.txt
new file mode 100644
index 000000000..1852f7157
--- /dev/null
+++ b/testing/tests/ikev1/multi-level-ca-pathlen/description.txt
@@ -0,0 +1,5 @@
+The <b>strongSwan Root CA</b> constrains the path length to <b>one</b> intermediate CA
+but the <b>Research CA</b> creates a subsidiary <b>Duck Research CA</b> which in turn
+issues an end entity certificate to roadwarrior <b>carol</b> so that the total
+path length becomes <b>two</b>. This is detected by gateway <b>moon</b> which aborts
+the negotiation.
diff --git a/testing/tests/ikev1/multi-level-ca-pathlen/evaltest.dat b/testing/tests/ikev1/multi-level-ca-pathlen/evaltest.dat
new file mode 100644
index 000000000..235b7672e
--- /dev/null
+++ b/testing/tests/ikev1/multi-level-ca-pathlen/evaltest.dat
@@ -0,0 +1,4 @@
+moon::cat /var/log/auth.log::path length of 2 violates constraint of 1::YES
+carol::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES
+carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::NO
+moon::ipsec status::duck.*STATE_QUICK_R2.*IPsec SA established::NO
diff --git a/testing/tests/ikev1/multi-level-ca-pathlen/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-pathlen/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..1da39e483
--- /dev/null
+++ b/testing/tests/ikev1/multi-level-ca-pathlen/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	charonstart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+
+conn home
+	left=PH_IP_CAROL
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftsendcert=ifasked
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
+
diff --git a/testing/tests/ikev1/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/ikev1/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/certs/carolCert.pem
new file mode 100644
index 000000000..4e13b52d0
--- /dev/null
+++ b/testing/tests/ikev1/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/certs/carolCert.pem
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIIEBzCCAu+gAwIBAgIBATANBgkqhkiG9w0BAQsFADBWMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxGTAX
+BgNVBAMTEER1Y2sgUmVzZWFyY2ggQ0EwHhcNMDkxMTA0MTYyMzM1WhcNMTQxMTAz
+MTYyMzM1WjBfMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dh
+bjEWMBQGA1UECxMNRHVjayBSZXNlYXJjaDEdMBsGA1UEAxQUY2Fyb2xAc3Ryb25n
+c3dhbi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6LueCi67Y
+IGRDKP5bkysGWZHrFrztq7elIFCPPSUxyIOYo4Upzr5WsvO0dIfcZY3agV2NcAI2
+30sATlfTUp+obedZMHbzE3VBvQuLjgK42ox2XIXDj23Vy496mVqlwUQulhBcAhMb
+jnBb4T0aR7WCnJvfzyckEyWrTN0ajRyQhJEmTn+spYNQX/2lg6hEn/K1T/3Py7sG
+veeF6BRenHR5L60NSK7qV7AU+hM4R0UIvgwYqzxSStgGS9G6Bwj9QTOWwSV1tuii
+ABiRdZSBoON0uMMpRjgEzuVe0f4VbOCIEXO8MtdpCu7Rwa9tc8OwneLcGCYVomr5
+7KKRJdvC5As3AgMBAAGjgdYwgdMwCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYD
+VR0OBBYEFFSYDz2TYOMxfyrIx20NhPPHTCOIMHkGA1UdIwRyMHCAFHYqqKQxp8Zx
+jzAlvAJmm8sXVI0goVWkUzBRMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXgg
+c3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDASBgNVBAMTC1Jlc2VhcmNo
+IENBggEFMB8GA1UdEQQYMBaBFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMA0GCSqGSIb3
+DQEBCwUAA4IBAQBIpl8SH4Nytgr6KvmXzns80u615WnDmP6oJrnwIZUkunVns8HH
+TFUVjvDKoQ+8CvuaH9Ifo2dokGjtGObeO4Y38y0xBIkUO+JpwfTa3SeCEhdOZb3G
+4e9WxHhV9IGfRyPsXQG+3JpAMaHYH+PNKiv7RBTq6rGaHzvgUEXRMTbv/bJI+Fs6
+Yfd/XxIur/ftVh4dZocyC74MUyXy5tyZJkHe1aBszOa0iT1852fq93lNUQPQqw0O
+3q3Lg7CvbNSdWqeAMqUgeBqh6oQItY9Exrwh0tfuCsjZ0oWXUBghsuiV+GTmZ6ok
+BiGmSmtX5OD4UtKcicuMRqnK2MYJHp1z1goE
+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev1/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/ikev1/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/private/carolKey.pem
new file mode 100644
index 000000000..48727ed9d
--- /dev/null
+++ b/testing/tests/ikev1/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/private/carolKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAui7ngouu2CBkQyj+W5MrBlmR6xa87au3pSBQjz0lMciDmKOF
+Kc6+VrLztHSH3GWN2oFdjXACNt9LAE5X01KfqG3nWTB28xN1Qb0Li44CuNqMdlyF
+w49t1cuPeplapcFELpYQXAITG45wW+E9Gke1gpyb388nJBMlq0zdGo0ckISRJk5/
+rKWDUF/9pYOoRJ/ytU/9z8u7Br3nhegUXpx0eS+tDUiu6lewFPoTOEdFCL4MGKs8
+UkrYBkvRugcI/UEzlsEldbboogAYkXWUgaDjdLjDKUY4BM7lXtH+FWzgiBFzvDLX
+aQru0cGvbXPDsJ3i3BgmFaJq+eyikSXbwuQLNwIDAQABAoIBAGK7cOXXsTbHpqO+
+33QsjQpnAWyLuFDJWS/l/RKYuFq4HKEbRgivrFxJtdciXNHRwPH43GWe2m3C6AEX
+ipd0H1qwPZkcjFfHH81mtPKismrY6tfxpLXaH8LamhHHtTxlSwTxa2d/aiaY2JjA
+zyhakrTa3AZJ0lXdGYLH1hC4eEdiPghIqwL8YNB0V2ldq+bMdtQ1i3dcmseV9TI2
+DEAKWzjc7oIcuY9HtfEEAIPzSSqwrM7wUWd9dk70o7b05eK9pnTF59Lnk5U1J1Ag
+QnXBHBZfLVDnTYd+dFWM8wUIpO0n6ccUToINppwSejyOs726jUuWGZCthxLBsFZp
+5Pj9B6ECgYEA3lRxGRJsAfMoyOc4kLfDmlDtrP88knRlqRW7mVYjclhMbVtrtaTP
+44VqmxKIVNQt1p5hB/Gn4kbhC7OnUja/FVHdosEjFhYNh+QCisyaS2V7RNyEidJX
+Q61V8v0Z7MxHxxDljVvWfSdAUDRrFwWYxRXZJWwStEmtdAbiZa6aydkCgYEA1mEV
+2D+gaR+oBouqcZMiSAjV/qHbnfw4EC2XFCw84JMPerBwl4noWCgvgf0lRirbI+Ar
+PDOfoclLnDQRgnqkK4okSIW0SddxttbKdDhhZ2c2CoyKxUqN7/NEyy/tZ2WZRcmX
+LILTLXzi/9qq8lF9odjIl5KKsRpXhqMsf5b1w48CgYEAqDT8yDo+yw7b6Xu+OQc/
+Ds5xs3P7sNYtX8qYfz9DXCxfzlDfYbMKsZlr+V0BFiTddUWoJal4GeMEOqU2TyYq
+VYf1hkBXOkt++zPPlJGNnsNtisDH6bng2cwXfdpttdEr8Pjgo5063r9GkifGacmL
+Nnj8K6rjT9F6UJEw0jtS0qkCgYAi3RMSYfaSYgWPWvNTGRyAHn++s0/l93iemOty
+6mbUFtZzm3IUEudoPtDLEQIY0StmQDSHy9VwGC5lrsoSMCO2uPaBnMzfHVxu4at3
+Dxw4Fr7hJE4FG8TNewB7EsZHBGzSvqAJKxVw1liMR2F5musVgQ3OKJTJjIEjcjHw
+Zfp93QKBgQCPp6SH510qK9Rf+HjeWXJpOB2ByruC5rBgqrxE4rbIB3/fAl86a3Kq
+Q1VqdGb+CW0FlkPshDmmdi3IoCliXywadSaXi/unPfPTel0pQAC8NM7WpPoaUfnS
+QgL5iNXshicKoE8U6PRhYvn81zVpt4bFn3DZRgIlau2GQnijLkGvQw==
+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev1/multi-level-ca-pathlen/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/multi-level-ca-pathlen/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..fac55d63b
--- /dev/null
+++ b/testing/tests/ikev1/multi-level-ca-pathlen/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA carolKey.pem
diff --git a/testing/tests/ikev1/multi-level-ca-pathlen/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-pathlen/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..8e41bb124
--- /dev/null
+++ b/testing/tests/ikev1/multi-level-ca-pathlen/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	charonstart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+
+conn duck 
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftsendcert=ifasked
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	right=%any
+	rightca="C=CH, O=Linux strongSwan, OU=Research, CN=Duck Research CA"
+	auto=add
diff --git a/testing/tests/ikev1/multi-level-ca-pathlen/hosts/moon/etc/ipsec.d/cacerts/duckCert.pem b/testing/tests/ikev1/multi-level-ca-pathlen/hosts/moon/etc/ipsec.d/cacerts/duckCert.pem
new file mode 100644
index 000000000..bb205a0fd
--- /dev/null
+++ b/testing/tests/ikev1/multi-level-ca-pathlen/hosts/moon/etc/ipsec.d/cacerts/duckCert.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIID0jCCArqgAwIBAgIBBTANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS
+BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTA5MTEwNDE2MTUwM1oXDTE1MTEwMzE2MTUw
+M1owVjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP
+BgNVBAsTCFJlc2VhcmNoMRkwFwYDVQQDExBEdWNrIFJlc2VhcmNoIENBMIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApIBRSgHCxHhMjsVZo4PtFnENkHNu
+MfyRDsc7m1KRDVt8N4h/EcbduU7xeq/RjxZSmlc1q6EWEgDv3KwDYY0sX+qrpQKa
+ub5AgsRa2fOOR9xfyf0Q7Nc3oR3keWqQUiigCuaw9NQRtdMm/JFdXLNY3r60tBsO
+UHOJAPZNoGPey5UL9ZjjsN6ROUVTh0NAkFwkmnTRwmUvY5bi/T7ulsSkO9BrfqKD
+h/pliP7uZANd0ZpPcrIc68WwrelpI1zu0kYGqu/y8HZpuPuAXtGqS2jctrjSieeY
+i9wFLnS2tgV3ID4LzEEICSeqVqOvYgGKbarqLkARdxmdRKM9QYpu+5J+YQIDAQAB
+o4GvMIGsMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgEGMB0GA1UdDgQWBBR2
+KqikMafGcY8wJbwCZpvLF1SNIDBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p
+891UIKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3
+YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBDzANBgkqhkiG9w0BAQsF
+AAOCAQEAsHR1vDlz2sPQpD9xnt1PL4qX7XWSSM6d+QG3cjdiKCjH8t78ecEm1duv
+YozLg6SYHGUF9qYuPz2SAZjQjmIWLlkQpBfQm8/orG+jbsQl5HkXFYX0UWAKZFGx
+rjHnOzmQxnmIWHky4uMDT/UmhmWy6kuCmZbKeeOqkBR2gVxfLyzelTSbF4ntEm1C
+1XqqtM4OfTOD5QUPD+6rZ5RoIPId9+2A8pJ2NyCUCf47FbkmYzU5+oiChhcGzsC5
+wDlgP32NA88kSiSJ2p2ZveYveRqcyZXZDAiTxRaIwJY0bt2Dk4wKicvy6vPdLA5v
+DSlBqDpnqK8tEI9V9YeroihTcygrEg==
+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev1/multi-level-ca-pathlen/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem b/testing/tests/ikev1/multi-level-ca-pathlen/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem
new file mode 100644
index 000000000..154cff654
--- /dev/null
+++ b/testing/tests/ikev1/multi-level-ca-pathlen/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIIDwTCCAqmgAwIBAgIBDzANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA1MDYyMTE5NTgwNloXDTEwMDYyMDE5NTgwNlowUTELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
+cmNoMRQwEgYDVQQDEwtSZXNlYXJjaCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBALY5sjqm4AdbWKc/T7JahWpy9xtdPbHngBN6lbnpYaHfrxnGsvmD
+FCFZHCd7egRqQ/AuJHHcEv3DUdfJWWAypVnUvdlcp58hBjpxfTPXP9IDBxzQaQyU
+zsExIGWOVUY2e7xJ5BKBnXVkok3htY4Hr1GdqNh+3LEmbegJBngTRSRx4PKJ54FO
+/b78LUzB+rMxrzxw/lnI8jEmAtKlugQ7c9auMeFCz+NmlSfnSoWhHN5qm+0iNKy0
+C+25IuE8Nq+i3jtBiI8BwBqHY3u2IuflUh9Nc9d/R6vGsRPMHs30X1Ha/m0Ug494
++wwqwfEBZRjzxMmMF/1SG4I1E3TDOJ3srjkCAwEAAaOBrzCBrDAPBgNVHRMBAf8E
+BTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU53XwoPKtIM3NYCPMx8gPKfPd
+VCAwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNV
+BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJv
+bmdTd2FuIFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQEEBQADggEBAHArS2trQnBoMVcg
+Br3HV78wYsa1MNAQCBAPhKMMd6EziO4FTwgNgecbKXpObX6ErFDgjtVTcLOMTvNX
+fvZoNuPpdcitlgcWjfxZafNbj6j9ClE/rMbGDO64NLhdXuPVkbmic6yXRwGZpTuq
+3CKgTguLvhzIEM47yfonXKaaJcKVPI7nYRZdlJmD4VflYrSUpzB361dCaPpl0AYa
+0zz1+jfBBvlyic/tf+cCngV3f+GlJ4ntZ3gvRjyysHRmYpWBD7xcA8mJzgUiMyi1
+IKeNzydp+tnLfxwetfA/8ptc346me7RktAaASqO9vpS/N78eXyJRthZTKEf/OqVW
+Tfcyi+M=
+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev1/multi-level-ca-pathlen/posttest.dat b/testing/tests/ikev1/multi-level-ca-pathlen/posttest.dat
new file mode 100644
index 000000000..f84b7e37b
--- /dev/null
+++ b/testing/tests/ikev1/multi-level-ca-pathlen/posttest.dat
@@ -0,0 +1,3 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::rm /etc/ipsec.d/cacerts/*
diff --git a/testing/tests/ikev1/multi-level-ca-pathlen/pretest.dat b/testing/tests/ikev1/multi-level-ca-pathlen/pretest.dat
new file mode 100644
index 000000000..9f0232a7b
--- /dev/null
+++ b/testing/tests/ikev1/multi-level-ca-pathlen/pretest.dat
@@ -0,0 +1,5 @@
+moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+carol::ipsec start
+moon::ipsec start
+carol::sleep 2
+carol::ipsec up home 
diff --git a/testing/tests/ikev1/multi-level-ca-pathlen/test.conf b/testing/tests/ikev1/multi-level-ca-pathlen/test.conf
new file mode 100644
index 000000000..b118cb7dc
--- /dev/null
+++ b/testing/tests/ikev1/multi-level-ca-pathlen/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice venus moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/nat-two-rw/evaltest.dat b/testing/tests/ikev1/nat-two-rw/evaltest.dat
index b1a7d59ee..03c6d8ae6 100644
--- a/testing/tests/ikev1/nat-two-rw/evaltest.dat
+++ b/testing/tests/ikev1/nat-two-rw/evaltest.dat
@@ -2,7 +2,7 @@ alice::ipsec status::nat-t.*STATE_QUICK_I2.*IPsec SA established::YES
 venus::ipsec status::nat-t.*STATE_QUICK_I2.*IPsec SA established::YES
 sun::ipsec status::nat-t.*STATE_QUICK_R2.*IPsec SA established::YES
 sun::ipsec status::nat-t.*alice@strongswan.org::YES
-sun::ipsec status::nat-t.*@venus.strongswan.org::YES
+sun::ipsec status::nat-t.*venus.strongswan.org::YES
 alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
 venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
 moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP::YES
diff --git a/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.conf
index a54482489..83d2b268a 100755
--- a/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.conf
@@ -1,7 +1,7 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
+	plutodebug="control parsing"
 	nocrsend=yes
 	charonstart=no
 
@@ -15,6 +15,7 @@ conn net-net
 	left=PH_IP_MOON
 	leftsubnet=10.1.0.0/16
 	leftcert=moonCert.asc
+	leftid=@#71270432cd763a18020ac988c0e75aed
 	leftfirewall=yes
 	right=PH_IP_SUN
 	rightsubnet=10.2.0.0/16
diff --git a/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..30c802be8
--- /dev/null
+++ b/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 pgp gmp random curl
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.conf
index 419adc2f2..d5b7c39fa 100755
--- a/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.conf
@@ -19,4 +19,5 @@ conn net-net
 	right=PH_IP_MOON
 	rightsubnet=10.1.0.0/16
 	rightcert=moonCert.asc
+	rightid=@#71270432cd763a18020ac988c0e75aed
 	auto=add
diff --git a/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..30c802be8
--- /dev/null
+++ b/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 pgp gmp random curl
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.conf
index a54482489..bbd1f3a06 100755
--- a/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.conf
@@ -1,7 +1,7 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
+	plutodebug="control parsing"
 	nocrsend=yes
 	charonstart=no
 
@@ -19,4 +19,5 @@ conn net-net
 	right=PH_IP_SUN
 	rightsubnet=10.2.0.0/16
 	rightcert=sunCert.asc
+	rightid=@#b42f31fec80ae3264a101c85977a04ac8d1638d3
 	auto=add
diff --git a/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..30c802be8
--- /dev/null
+++ b/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 pgp gmp random curl
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.conf
index 419adc2f2..abe91e6ee 100755
--- a/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.conf
@@ -15,6 +15,7 @@ conn net-net
 	left=PH_IP_SUN
 	leftsubnet=10.2.0.0/16
 	leftcert=sunCert.asc
+	leftid=@#b42f31fec80ae3264a101c85977a04ac8d1638d3
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightsubnet=10.1.0.0/16
diff --git a/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..30c802be8
--- /dev/null
+++ b/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 pgp gmp random curl
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/net2net-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/net2net-rsa/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..4bf0f97aa
--- /dev/null
+++ b/testing/tests/ikev1/net2net-rsa/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = sha1 sha2 md5 aes des hmac dnskey pkcs1 x509 gmp random curl
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/net2net-rsa/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/net2net-rsa/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..4bf0f97aa
--- /dev/null
+++ b/testing/tests/ikev1/net2net-rsa/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = sha1 sha2 md5 aes des hmac dnskey pkcs1 x509 gmp random curl
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/no-priv-key/evaltest.dat b/testing/tests/ikev1/no-priv-key/evaltest.dat
index c2612167a..e5a8de0b9 100644
--- a/testing/tests/ikev1/no-priv-key/evaltest.dat
+++ b/testing/tests/ikev1/no-priv-key/evaltest.dat
@@ -1,4 +1,3 @@
 carol::cat /var/log/auth.log::unable to locate my private key::YES
-carol::cat /var/log/auth.log::empty ISAKMP SA proposal to send::YES
 moon::ipsec status::rw.*STATE_MAIN_R3.*ISAKMP SA established::NO
 carol::ipsec status::home.*STATE_MAIN_I4.*ISAKMP SA established::NO
diff --git a/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.d/certs/carolRevokedCert.pem b/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.d/certs/carolRevokedCert.pem
index 5b742fc9e..a92610c4f 100644
--- a/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.d/certs/carolRevokedCert.pem
+++ b/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.d/certs/carolRevokedCert.pem
@@ -1,25 +1,25 @@
 -----BEGIN CERTIFICATE-----
-MIIEIjCCAwqgAwIBAgIBBzANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
+MIIEIjCCAwqgAwIBAgIBGzANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA0MDkxMDExMjU0OFoXDTA5MDkwOTExMjU0OFowWjELMAkGA1UE
+b290IENBMB4XDTA5MDgyNzEwMzEwNloXDTE0MDgyNjEwMzEwNlowWjELMAkGA1UE
 BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
 cmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcN
-AQEBBQADggEPADCCAQoCggEBAM5413q1B2EF3spcYD1u0ce9AtIHdxmU3+1E0hqV
-mLqpIQtyp4SLbrRunxpoVUuEpHWXgLb3C/ljjlKCMWWmhw4wja1rBTjMNJLPj6Bo
-5Qn4Oeuqm7/kLHPGbveQGtcSsJCk6iLqFTbq0wsji5Ogq7kmjWgQv0nM2jpofHLv
-VOAtWVSj+x2b3OHdl/WpgTgTw1HHjYo7/NOkARdTcZ2/wxxM3z1Abp9iylc45GLN
-IL/OzHkT8b5pdokdMvVijz8IslkkewJYXrVQaCNMZg/ydlXOOAEKz0YqnvXQaYs5
-K+s8XvQ2RFCr5oO0fRT2VbiI9TgHnbcnfUi25iHl6txsXg0CAwEAAaOCAQYwggEC
-MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBTbA2TH3ca8tgCGkYy9
-OV/MqUTHAzBtBgNVHSMEZjBkgBRdp91wBlEyfue2bbO15eBg6i5N76FJpEcwRTEL
+AQEBBQADggEPADCCAQoCggEBAOHh/BBf9VwUbx3IU2ZvKJylwCUP2Gr40Velcexr
+lR1PoK3nwZrJxxfhhxrxdx7Wnt/PDiF2eyzA9U4cOyS1zPpWuRt69PEOWfzQJZkD
+e5C6bXZMHwJGaCM0h8EugnwI7/XgbEq8U/1PBwIeFh8xSyIwyn8NqyHWm+6haFZG
+Urz7y0ZOAYcX5ZldP8vjm2SyAl0hPlod0ypk2K1igmO8w3cRRFqD27XhztgIJyoi
++BO3umc+BXcpPGoZ7IFaXvHcMVECrxbkrvRdpKiz/4+u8FakQJtBmYuqP2TLodRJ
+TKSJ4UvIPXZ8DTEYC/Ja/wrm1hNfH4T3YjWGT++lVbYF7qECAwEAAaOCAQYwggEC
+MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBQRnt9aYXsi/fgMXGVh
+ZpTfg8kSYjBtBgNVHSMEZjBkgBRdp91wBlEyfue2bbO15eBg6i5N76FJpEcwRTEL
 MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT
 EnN0cm9uZ1N3YW4gUm9vdCBDQYIBADAfBgNVHREEGDAWgRRjYXJvbEBzdHJvbmdz
 d2FuLm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4u
-b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBBAUAA4IBAQC9acuCUPEBOrWB
-56vS8N9bksQwv/XcYIFYqV73kFBAzOPLX2a9igFGvBPdCxFu/t8JCswzE6to4LFM
-2+6Z2QJf442CLPcJKxITahrjJXSxGbzMlmaDvZ5wFCJAlyin+yuInpTwl8rMZe/Q
-O5JeJjzGDgWJtnGdkLUk/l2r6sZ/Cmk5rZpuO0hcUHVztMLQYPzqTpuMvC5p4JzL
-LWGWhKRhJs53NmxXXodck/ZgaqiTWuQFYlbamJRvzVBfX7c1SWHRJvxSSOPKGIg3
-wphkO2naj/SQD+BNuWTRmZ9YCiLOQ64ybLpJzRZISETdqtLBPKsIqosUZwkxlR1N
-9IcgYi5x
+b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBBAUAA4IBAQCY2EMqkuhtAls/
+jkjXm+sI5YVglE62itSYgJxKZhxoFn3l4Afc6+XBeftK8Y1IjXdeyQUg8qHhkctl
+nBiEzRCClporCOXl5hOzWi+ft2hyKgcx8mFB8Qw5ZE9z8dvY70jdPCB4cH5EVaiC
+6ElGcI02iO073iCe38b3rmpwfnkIWZ0FVjSFSsTiNPLXWH6m6tt9Gux/PFuLff4a
+cdGfEGs01DEp9t0bHqZd6ESf2rEUljT57i9wSBfT5ULj78VTgudw/WhB0CgiXD+f
+q2dZC/19B8Xmk6XmEpRQjFK6wFmfBiQdelJo17/8M4LdT/RfvTHJOxr2OAtvCm2Z
+0xafBd5x
 -----END CERTIFICATE-----
diff --git a/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.d/private/carolRevokedKey.pem b/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.d/private/carolRevokedKey.pem
index 8aefcc5a6..60e7fdfa9 100644
--- a/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.d/private/carolRevokedKey.pem
+++ b/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.d/private/carolRevokedKey.pem
@@ -1,27 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEAznjXerUHYQXeylxgPW7Rx70C0gd3GZTf7UTSGpWYuqkhC3Kn
-hItutG6fGmhVS4SkdZeAtvcL+WOOUoIxZaaHDjCNrWsFOMw0ks+PoGjlCfg566qb
-v+Qsc8Zu95Aa1xKwkKTqIuoVNurTCyOLk6CruSaNaBC/SczaOmh8cu9U4C1ZVKP7
-HZvc4d2X9amBOBPDUceNijv806QBF1Nxnb/DHEzfPUBun2LKVzjkYs0gv87MeRPx
-vml2iR0y9WKPPwiyWSR7AlhetVBoI0xmD/J2Vc44AQrPRiqe9dBpizkr6zxe9DZE
-UKvmg7R9FPZVuIj1OAedtyd9SLbmIeXq3GxeDQIDAQABAoIBAAUdyXko8z3cP2EU
-WO4syNYCQQejV7gykDn48pvmCRrXBhKajLwkGGIwO5ET9MkiSFEBqBbgmFNdvDEf
-OMokDkSzv08Ez+RQax0YN57p+oL8u7KzT5i5tsBHsog/8epSdD2hWIv08QGjYAdu
-og7OdHLqGabyg0r44I+B91OBysCjU51rDdkhz59AmURdEIJV5xhuGojFM68jaNm2
-MUxDfDuCsRIydjAP0VTUTAUxD4/S5I+jt/GK9aRsEeRH9Q3011iTGMR9viAUBhq/
-khkWNltg9lkOqO7LpnNku4sSv3v4CWge7/T+4RR2vZgv1oSs4ox2UKYoqIqiYIfx
-uUcnqQECgYEA+LPiRMoXvlssQWlaFc2k4xga0efs+mWeLglDdc3R3fBEibP/AU07
-a576AgvUJtkI50/WNGKT73O+VtxcXn/N646m/8OtqNXuVKKjsxxNOZEKdO8aOdbt
-7lM5WepNiQeaKAFudUxpUiZQx8LCKSsNDiJZKWBu6xAG2O5X32VMZvUCgYEA1Ie+
-rNa490PSC1ym7WbmdAjvGmSOn2GOBfO7BECsPZstccU7D5pZl/89fTfn1TDKP49Y
-ScVOuFz7f/u6UJpb/WzI71RXEQOdojLWmF2HDx5osRi3hXEJa20fbPq6DQXCJ8pf
-IF37AEqAY4UNSNic0Cw+rGHdWPQhDNXhFWpdu7kCgYEAmv4oNmyoDXbuhrlsbggi
-CXE9TbG3a3mm8dPOGf2yHBmf7R2i/6GtNW33Kw1KIwfBV77WpQEGZwWACsv8ONx3
-baUSiHTfpkfk5xQQ5w/tRMISfTuB4agD0jJFnLa7qXl2ZhY2S53aSVsdntDOhi+R
-TEy1umah2Za8Xbd0RgHwcn0CgYEAl9Hgg9dfikMIaNVm6W/4cCtxoojy2Sf3LIlP
-r1oDsH6JmBwsdJjuJ4ZNhoXJNqID2COuDgTEly7U+jf4gFvEGuT7JPw6tgy/Ln7i
-jTVCpaozX08oykpVUEhDirYQ8fyLFaGbEqQQCcUusej59G/IlW0F2F6QoFrEwUaH
-46R4EQECgYBEZ7edMkj3dmJH1wxQjp5GJNbrJkS8IKvzza0mDTJdz33CgEX9Oyva
-o2iEkDVpvj2SEy28ewt22IRptWKH/3bQfxSCcRV6JFNt3+LongMshRYqq1leqrKa
-9fnQVtfTIbIVXwjTZap6BL8R66OeFtexsSFRfDF/8P4n2oF4zmn4qA==
+MIIEpQIBAAKCAQEA4eH8EF/1XBRvHchTZm8onKXAJQ/YavjRV6Vx7GuVHU+grefB
+msnHF+GHGvF3Htae388OIXZ7LMD1Thw7JLXM+la5G3r08Q5Z/NAlmQN7kLptdkwf
+AkZoIzSHwS6CfAjv9eBsSrxT/U8HAh4WHzFLIjDKfw2rIdab7qFoVkZSvPvLRk4B
+hxflmV0/y+ObZLICXSE+Wh3TKmTYrWKCY7zDdxFEWoPbteHO2AgnKiL4E7e6Zz4F
+dyk8ahnsgVpe8dwxUQKvFuSu9F2kqLP/j67wVqRAm0GZi6o/ZMuh1ElMpInhS8g9
+dnwNMRgL8lr/CubWE18fhPdiNYZP76VVtgXuoQIDAQABAoIBAQCbF5UAkUJgdM9O
+fat128DgvZXOXLDV0f261igAkmWR+Ih0n3n5E64VoY4oW77Ud7wiI4KqSzWLpvlH
+Jm8dZ45UHJOAYM4pbRcwVKJcC14eI0LhRKbN4xXBhmHnrE1/aIuKIQt5zRFGDarc
+M1gxFqFl2mZPEk18MGRkVoLTKfnJMzdHI1m0IAMwg3Rl9cmuVdkhTS+IAoULVNnI
+0iAOsFN8SdDaKBqRcPkypT5s4wjGH4s7zjW4PmEDwDhhfeHkVccCuH8n3un1bPT2
+oc73RSXdCYMgDTD3waXC+4cCQGPZmUCl6Mfq7YCECkUpUg6rHlaCYRSZZoQPf5vH
+VsBUvjABAoGBAPHSnJOL6tcqJCCZ27E3zIsmZ+d6dX4B/YN1Xk3vKHhavN5Ks6Gx
+ZCsaluMuB2qyBRrpKnSAz6lUQ1TOxzuphlVIX1EnLW+JvNgFyem9PARsP2SMsKqm
+VaqnId6pprdbP53NpL9Z7AsbS/i/Ab6WpVPyYHdqVsimCdRGK9/JlOnBAoGBAO8g
+I4a4dJKiwHBHyP6wkYrhWdYwmjTJlskNNjrvtn7bCJ/Lm0SaGFXKIHCExnenZji0
+bBp3XiFNPlPfjTaXG++3IH6fxYdHonsrkxbUHvGAVETmHVLzeFiAKuUBvrWuKecD
+yoywVenugORQIPal3AcLwPsVRfDU89tTQhiFq3zhAoGBAIqmfy/54URM3Tnz/Yq2
+u4htFNYb2JHPAlQFT3TP0xxuqiuqGSR0WUJ9lFXdZlM+jr7HQZha4rXrok9V39XN
+dUAgpsYY+GwjRSt25jYmUesXRaGZKRIvHJ8kBL9t9jDbGLaZ2gP8wuH7XKvamF12
+coSXS8gsKGYTDT+wnCdLpR4BAoGAFwuV4Ont8iPVP/zrFgCWRjgpnEba1bOH4KBx
+VYS8pcUeM6g/soDXT41HSxDAv89WPqjEslhGrhbvps2oolY1zwhrDUkAlGUG96/f
+YRfYU5X2iR1UPiZQttbDS4a7hm7egvEOmDh2TzE5IsfGJX8ekV9Ene4S637acYy4
+lfxr5oECgYEAzRuvh6aG7UmKwNTfatEKav7/gUH3QBGK+Pp3TPSmR5PKh/Pk4py6
+95bT4mHrKCBIfSv/8h+6baYZr9Ha1Oj++J94RXEi8wdjjl1w3LGQrM/X+0AVqn5P
+b5w1nvRK7bMikIXbZmPJmivrfChcjD21gvWeF6Osq8McWF8jW2HzrZw=
 -----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/strongswan.conf
index 52fd0c788..737117cc9 100644
--- a/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/strongswan.conf
@@ -1,11 +1,11 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac gmp pubkey random curl
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
 }
 
 scepclient {
-  load = sha1 sha2 md5 aes des hmac gmp pubkey random
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/req-pkcs10/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/req-pkcs10/hosts/moon/etc/strongswan.conf
index 52fd0c788..737117cc9 100644
--- a/testing/tests/ikev1/req-pkcs10/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/req-pkcs10/hosts/moon/etc/strongswan.conf
@@ -1,11 +1,11 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac gmp pubkey random curl
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
 }
 
 scepclient {
-  load = sha1 sha2 md5 aes des hmac gmp pubkey random
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-cert/hosts/carol/etc/strongswan.conf
index ac4b8d589..c2d2b14ac 100644
--- a/testing/tests/ikev1/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-cert/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = test-vectors sha1 sha2 md5 aes des hmac gmp pubkey random curl
+  load = test-vectors sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-cert/hosts/moon/etc/strongswan.conf
index ac4b8d589..3ec745baa 100644
--- a/testing/tests/ikev1/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-cert/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = test-vectors sha1 sha2 md5 aes des hmac gmp pubkey random curl
+  load = test-vectors sha1 sha2 md5 aes des hmac pem pkcs1 x509 x509 gmp random curl
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/self-signed/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/self-signed/hosts/carol/etc/strongswan.conf
index 52fd0c788..737117cc9 100644
--- a/testing/tests/ikev1/self-signed/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/self-signed/hosts/carol/etc/strongswan.conf
@@ -1,11 +1,11 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac gmp pubkey random curl
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
 }
 
 scepclient {
-  load = sha1 sha2 md5 aes des hmac gmp pubkey random
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/self-signed/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/self-signed/hosts/moon/etc/strongswan.conf
index 52fd0c788..737117cc9 100644
--- a/testing/tests/ikev1/self-signed/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/self-signed/hosts/moon/etc/strongswan.conf
@@ -1,11 +1,11 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac gmp pubkey random curl
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
 }
 
 scepclient {
-  load = sha1 sha2 md5 aes des hmac gmp pubkey random
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev2/after-2038-certs/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/after-2038-certs/hosts/carol/etc/strongswan.conf
index 40eb84b8a..06b1e9f48 100644
--- a/testing/tests/ikev2/after-2038-certs/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/after-2038-certs/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/after-2038-certs/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/after-2038-certs/hosts/moon/etc/strongswan.conf
index 40eb84b8a..06b1e9f48 100644
--- a/testing/tests/ikev2/after-2038-certs/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/after-2038-certs/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/alg-3des-md5/description.txt b/testing/tests/ikev2/alg-3des-md5/description.txt
new file mode 100644
index 000000000..4c39d0b04
--- /dev/null
+++ b/testing/tests/ikev2/alg-3des-md5/description.txt
@@ -0,0 +1,4 @@
+Roadwarrior <b>carol</b> proposes  to gateway <b>moon</b> the ESP cipher suite
+<b>3DES_CBC / HMAC_MD5_96</b> by defining <b>esp=3des-md5-modp1024!</b>
+in ipsec.conf. The same cipher suite is used for IKE.
+A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev2/alg-3des-md5/evaltest.dat b/testing/tests/ikev2/alg-3des-md5/evaltest.dat
new file mode 100644
index 000000000..6f598c6f3
--- /dev/null
+++ b/testing/tests/ikev2/alg-3des-md5/evaltest.dat
@@ -0,0 +1,13 @@
+moon::ipsec statusall::rw.*INSTALLED::YES
+carol::ipsec statusall::home.*INSTALLED::YES
+moon::ipsec statusall::rw.*IKE proposal.*3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024::YES
+carol::ipsec statusall::home.*IKE proposal.*3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024::YES
+carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
+moon::ipsec statusall::rw.*3DES_CBC/HMAC_MD5_96,::YES
+carol::ipsec statusall::home.*3DES_CBC/HMAC_MD5_96,::YES
+moon::ip xfrm state::enc cbc(des3_ede)::YES
+carol::ip xfrm state::enc cbc(des3_ede)::YES
+moon::ip xfrm state::auth hmac(md5)::YES
+carol::ip xfrm state::auth hmac(md5)::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 180::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 180::YES
diff --git a/testing/tests/ikev2/alg-3des-md5/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/alg-3des-md5/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..f2c71061d
--- /dev/null
+++ b/testing/tests/ikev2/alg-3des-md5/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=yes
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=3des-md5-modp1024!
+	esp=3des-md5-modp1024!
+
+conn home
+	left=PH_IP_CAROL
+	leftfirewall=yes
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add 
diff --git a/testing/tests/ikev2/alg-3des-md5/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-3des-md5/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..06b1e9f48
--- /dev/null
+++ b/testing/tests/ikev2/alg-3des-md5/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+}
diff --git a/testing/tests/ikev2/alg-3des-md5/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/alg-3des-md5/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..c4fd80fc0
--- /dev/null
+++ b/testing/tests/ikev2/alg-3des-md5/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=yes
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=3des-md5-modp1024!
+	esp=3des-md5-modp1024!
+
+conn rw
+	left=PH_IP_MOON
+	leftfirewall=yes
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	right=%any
+	auto=add
diff --git a/testing/tests/ikev2/alg-3des-md5/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-3des-md5/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..06b1e9f48
--- /dev/null
+++ b/testing/tests/ikev2/alg-3des-md5/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+}
diff --git a/testing/tests/ikev2/alg-3des-md5/posttest.dat b/testing/tests/ikev2/alg-3des-md5/posttest.dat
new file mode 100644
index 000000000..94a400606
--- /dev/null
+++ b/testing/tests/ikev2/alg-3des-md5/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/alg-3des-md5/pretest.dat b/testing/tests/ikev2/alg-3des-md5/pretest.dat
new file mode 100644
index 000000000..f360351e1
--- /dev/null
+++ b/testing/tests/ikev2/alg-3des-md5/pretest.dat
@@ -0,0 +1,6 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+carol::sleep 1 
+carol::ipsec up home
diff --git a/testing/tests/ikev2/alg-3des-md5/test.conf b/testing/tests/ikev2/alg-3des-md5/test.conf
new file mode 100644
index 000000000..acb73b06f
--- /dev/null
+++ b/testing/tests/ikev2/alg-3des-md5/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/alg-aes-xcbc/description.txt b/testing/tests/ikev2/alg-aes-xcbc/description.txt
index cce0e1cd6..c71d7493f 100644
--- a/testing/tests/ikev2/alg-aes-xcbc/description.txt
+++ b/testing/tests/ikev2/alg-aes-xcbc/description.txt
@@ -1,4 +1,4 @@
 Roadwarrior <b>carol</b> proposes  to gateway <b>moon</b> the ESP cipher suite
-<b>AES_CBC_256 / AES_XCBC_96</b> by defining <b>esp=aes256-aesxcbc-modp2048</b>
-in ipsec.conf. The same cipher suite is used for IKE: <b>ike=aes256-aesxcbc-modp2048</b>.
+<b>AES_CBC_128 / AES_XCBC_96</b> by defining <b>esp=aes128-aesxcbc-modp2048!</b>
+in ipsec.conf. The same cipher suite is used for IKE.
 A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev2/alg-aes-xcbc/evaltest.dat b/testing/tests/ikev2/alg-aes-xcbc/evaltest.dat
index 5217c18df..24e36eb77 100644
--- a/testing/tests/ikev2/alg-aes-xcbc/evaltest.dat
+++ b/testing/tests/ikev2/alg-aes-xcbc/evaltest.dat
@@ -1,9 +1,12 @@
 moon::ipsec statusall::rw.*INSTALLED::YES
 carol::ipsec statusall::home.*INSTALLED::YES
-moon::ipsec statusall::rw.*IKE proposal.*AES_CBC_256/AES_XCBC_96/PRF_AES128_XCBC/MODP_2048::YES
-carol::ipsec statusall::home.*IKE proposal.*AES_CBC_256/AES_XCBC_96/PRF_AES128_XCBC/MODP_2048::YES
-moon::ipsec statusall::rw.*AES_CBC_256/AES_XCBC_96,::YES
-carol::ipsec statusall::home.*AES_CBC_256/AES_XCBC_96,::YES
+moon::ipsec statusall::rw.*IKE proposal.*AES_CBC_128/AES_XCBC_96/PRF_AES128_XCBC/MODP_2048::YES
+carol::ipsec statusall::home.*IKE proposal.*AES_CBC_128/AES_XCBC_96/PRF_AES128_XCBC/MODP_2048::YES
+carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
+moon::ipsec statusall::rw.*AES_CBC_128/AES_XCBC_96,::YES
+carol::ipsec statusall::home.*AES_CBC_128/AES_XCBC_96,::YES
 moon::ip xfrm state::auth xcbc(aes)::YES
 carol::ip xfrm state::auth xcbc(aes)::YES
-carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 196::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 196::YES
+
diff --git a/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/ipsec.conf
index edd0aaaf8..33e6a842b 100755
--- a/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/ipsec.conf
@@ -11,8 +11,8 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
-	ike=aes256-aesxcbc-modp2048!
-	esp=aes256-aesxcbc-modp2048!
+	ike=aes128-aesxcbc-modp2048!
+	esp=aes128-aesxcbc-modp2048!
 
 conn home
 	left=PH_IP_CAROL
diff --git a/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/strongswan.conf
index 40eb84b8a..06b1e9f48 100644
--- a/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/ipsec.conf
index 18618929f..208477deb 100755
--- a/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/ipsec.conf
@@ -11,8 +11,8 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
-	ike=aes256-aesxcbc-modp2048!
-	esp=aes256-aesxcbc-modp2048!
+	ike=aes128-aesxcbc-modp2048!
+	esp=aes128-aesxcbc-modp2048!
 
 conn rw
 	left=PH_IP_MOON
diff --git a/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/strongswan.conf
index 40eb84b8a..06b1e9f48 100644
--- a/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/alg-aes-xcbc/test.conf b/testing/tests/ikev2/alg-aes-xcbc/test.conf
index 2b240d895..acb73b06f 100644
--- a/testing/tests/ikev2/alg-aes-xcbc/test.conf
+++ b/testing/tests/ikev2/alg-aes-xcbc/test.conf
@@ -13,7 +13,7 @@ DIAGRAM="m-c-w.png"
 
 # UML instances on which tcpdump is to be started
 #
-TCPDUMPHOSTS=""
+TCPDUMPHOSTS="moon"
 
 # UML instances on which IPsec is started
 # Used for IPsec logging purposes
diff --git a/testing/tests/ikev2/alg-blowfish/evaltest.dat b/testing/tests/ikev2/alg-blowfish/evaltest.dat
index a1f9f6a8e..f1b33895b 100644
--- a/testing/tests/ikev2/alg-blowfish/evaltest.dat
+++ b/testing/tests/ikev2/alg-blowfish/evaltest.dat
@@ -1,16 +1,16 @@
 moon::ipsec statusall::rw.*ESTABLISHED::YES
 carol::ipsec statusall::home.*ESTABLISHED::YES
-carol::ipsec statusall::IKE proposal: BLOWFISH_CBC_256::YES
-carol::ipsec statusall::BLOWFISH_CBC_192.*,::YES
+carol::ipsec statusall::IKE proposal: BLOWFISH_CBC_256/HMAC_SHA2_512_256::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ipsec statusall::BLOWFISH_CBC_192/HMAC_SHA2_256_128,::YES
 carol::ip -s xfrm state::enc cbc(blowfish).*(192 bits)::YES
 dave::ipsec statusall::home.*ESTABLISHED::YES
-dave::ipsec statusall::IKE proposal: BLOWFISH_CBC_128::YES
-dave::ipsec statusall::BLOWFISH_CBC_128.*,::YES
+dave::ipsec statusall::IKE proposal: BLOWFISH_CBC_128/HMAC_SHA2_256_128::YES
+dave::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave::ipsec statusall::BLOWFISH_CBC_128/HMAC_SHA1_96,::YES
 dave::ip -s xfrm state::enc cbc(blowfish).*(128 bits)::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 184::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 184::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP.*length 180::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP.*length 180::YES
 
diff --git a/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf
index e9829d508..95ec73753 100644
--- a/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   dh_exponent_ansi_x9_42 = no
-  load = aes des blowfish md5 sha1 sha2 gmp curl random x509 pubkey hmac stroke kernel-netlink updown
+  load = aes des blowfish md5 sha1 sha2 pem pkcs1 gmp curl random x509 hmac stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf
index e9829d508..95ec73753 100644
--- a/testing/tests/ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   dh_exponent_ansi_x9_42 = no
-  load = aes des blowfish md5 sha1 sha2 gmp curl random x509 pubkey hmac stroke kernel-netlink updown
+  load = aes des blowfish md5 sha1 sha2 pem pkcs1 gmp curl random x509 hmac stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf
index e9829d508..95ec73753 100644
--- a/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   dh_exponent_ansi_x9_42 = no
-  load = aes des blowfish md5 sha1 sha2 gmp curl random x509 pubkey hmac stroke kernel-netlink updown
+  load = aes des blowfish md5 sha1 sha2 pem pkcs1 gmp curl random x509 hmac stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/alg-sha256-96/description.txt b/testing/tests/ikev2/alg-sha256-96/description.txt
new file mode 100644
index 000000000..e1d591625
--- /dev/null
+++ b/testing/tests/ikev2/alg-sha256-96/description.txt
@@ -0,0 +1,5 @@
+Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
+<b>AES_CBC_128 / HMAC_SHA2_256_96</b> which uses 96 bit instead of the 
+standard 128 bit truncation, allowing compatibility with Linux kernels older than 2.6.33 
+by defining <b>esp=aes128-sha256_96-modp2048!</b> in ipsec.conf.
+A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev2/alg-sha256-96/evaltest.dat b/testing/tests/ikev2/alg-sha256-96/evaltest.dat
new file mode 100644
index 000000000..7ec47aadf
--- /dev/null
+++ b/testing/tests/ikev2/alg-sha256-96/evaltest.dat
@@ -0,0 +1,13 @@
+moon::cat /var/log/daemon.log::received strongSwan vendor id::YES
+carol::cat /var/log/daemon.log::received strongSwan vendor id::YES
+moon::ipsec statusall::rw.*INSTALLED::YES
+carol::ipsec statusall::home.*INSTALLED::YES
+moon::ipsec statusall::rw.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048::YES
+carol::ipsec statusall::home.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048::YES
+carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
+moon::ipsec statusall::rw.*AES_CBC_128/HMAC_SHA2_256_96,::YES
+carol::ipsec statusall::home.*AES_CBC_128/HMAC_SHA2_256_96,::YES
+moon::ip xfrm state::auth hmac(sha256)::YES
+carol::ip xfrm state::auth hmac(sha256)::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 196::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 196::YES
diff --git a/testing/tests/ikev2/alg-sha256-96/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/alg-sha256-96/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..47cf1e12c
--- /dev/null
+++ b/testing/tests/ikev2/alg-sha256-96/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=yes
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=aes128-sha256-modp2048!
+	esp=aes128-sha256_96-modp2048!
+
+conn home
+	left=PH_IP_CAROL
+	leftfirewall=yes
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add 
diff --git a/testing/tests/ikev2/alg-sha256-96/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-sha256-96/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..4ae78cec5
--- /dev/null
+++ b/testing/tests/ikev2/alg-sha256-96/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  send_vendor_id = yes
+}
diff --git a/testing/tests/ikev2/alg-sha256-96/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/alg-sha256-96/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..d340aaf70
--- /dev/null
+++ b/testing/tests/ikev2/alg-sha256-96/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=yes
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=aes128-sha256-modp2048!
+	esp=aes128-sha256_96-modp2048!
+
+conn rw
+	left=PH_IP_MOON
+	leftfirewall=yes
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	right=%any
+	auto=add
diff --git a/testing/tests/ikev2/alg-sha256-96/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-sha256-96/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..4ae78cec5
--- /dev/null
+++ b/testing/tests/ikev2/alg-sha256-96/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  send_vendor_id = yes
+}
diff --git a/testing/tests/ikev2/alg-sha256-96/posttest.dat b/testing/tests/ikev2/alg-sha256-96/posttest.dat
new file mode 100644
index 000000000..94a400606
--- /dev/null
+++ b/testing/tests/ikev2/alg-sha256-96/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/alg-sha256-96/pretest.dat b/testing/tests/ikev2/alg-sha256-96/pretest.dat
new file mode 100644
index 000000000..f360351e1
--- /dev/null
+++ b/testing/tests/ikev2/alg-sha256-96/pretest.dat
@@ -0,0 +1,6 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+carol::sleep 1 
+carol::ipsec up home
diff --git a/testing/tests/ikev2/alg-sha256-96/test.conf b/testing/tests/ikev2/alg-sha256-96/test.conf
new file mode 100644
index 000000000..acb73b06f
--- /dev/null
+++ b/testing/tests/ikev2/alg-sha256-96/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/alg-sha256/description.txt b/testing/tests/ikev2/alg-sha256/description.txt
new file mode 100644
index 000000000..826a8f10b
--- /dev/null
+++ b/testing/tests/ikev2/alg-sha256/description.txt
@@ -0,0 +1,4 @@
+Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
+<b>AES_CBC_128 / HMAC_SHA2_256_128</b> by defining <b>esp=aes128-sha256-modp2048!</b>
+in ipsec.conf. The same cipher suite is used for IKE.
+A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev2/alg-sha256/evaltest.dat b/testing/tests/ikev2/alg-sha256/evaltest.dat
new file mode 100644
index 000000000..2d1cc92bb
--- /dev/null
+++ b/testing/tests/ikev2/alg-sha256/evaltest.dat
@@ -0,0 +1,11 @@
+moon::ipsec statusall::rw.*INSTALLED::YES
+carol::ipsec statusall::home.*INSTALLED::YES
+moon::ipsec statusall::rw.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048::YES
+carol::ipsec statusall::home.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048::YES
+carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
+moon::ipsec statusall::rw.*AES_CBC_128/HMAC_SHA2_256_128,::YES
+carol::ipsec statusall::home.*AES_CBC_128/HMAC_SHA2_256_128,::YES
+moon::ip xfrm state::auth hmac(sha256)::YES
+carol::ip xfrm state::auth hmac(sha256)::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 200::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 200::YES
diff --git a/testing/tests/ikev2/alg-sha256/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/alg-sha256/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..d2b763a1b
--- /dev/null
+++ b/testing/tests/ikev2/alg-sha256/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=yes
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=aes128-sha256-modp2048!
+	esp=aes128-sha256-modp2048!
+
+conn home
+	left=PH_IP_CAROL
+	leftfirewall=yes
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add 
diff --git a/testing/tests/ikev2/alg-sha256/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-sha256/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..06b1e9f48
--- /dev/null
+++ b/testing/tests/ikev2/alg-sha256/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+}
diff --git a/testing/tests/ikev2/alg-sha256/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/alg-sha256/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..0e38bbb84
--- /dev/null
+++ b/testing/tests/ikev2/alg-sha256/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=yes
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=aes128-sha256-modp2048!
+	esp=aes128-sha256-modp2048!
+
+conn rw
+	left=PH_IP_MOON
+	leftfirewall=yes
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	right=%any
+	auto=add
diff --git a/testing/tests/ikev2/alg-sha256/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-sha256/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..06b1e9f48
--- /dev/null
+++ b/testing/tests/ikev2/alg-sha256/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+}
diff --git a/testing/tests/ikev2/alg-sha256/posttest.dat b/testing/tests/ikev2/alg-sha256/posttest.dat
new file mode 100644
index 000000000..94a400606
--- /dev/null
+++ b/testing/tests/ikev2/alg-sha256/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/alg-sha256/pretest.dat b/testing/tests/ikev2/alg-sha256/pretest.dat
new file mode 100644
index 000000000..f360351e1
--- /dev/null
+++ b/testing/tests/ikev2/alg-sha256/pretest.dat
@@ -0,0 +1,6 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+carol::sleep 1 
+carol::ipsec up home
diff --git a/testing/tests/ikev2/alg-sha256/test.conf b/testing/tests/ikev2/alg-sha256/test.conf
new file mode 100644
index 000000000..acb73b06f
--- /dev/null
+++ b/testing/tests/ikev2/alg-sha256/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/alg-sha384/description.txt b/testing/tests/ikev2/alg-sha384/description.txt
new file mode 100644
index 000000000..2255fe8fb
--- /dev/null
+++ b/testing/tests/ikev2/alg-sha384/description.txt
@@ -0,0 +1,4 @@
+Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
+<b>AES_CBC_192 / HMAC_SHA2_384_192</b> by defining <b>esp=aes192-sha384-modp3072!</b>
+in ipsec.conf. The same cipher suite is used for IKE.
+A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev2/alg-sha384/evaltest.dat b/testing/tests/ikev2/alg-sha384/evaltest.dat
new file mode 100644
index 000000000..31bb64c5e
--- /dev/null
+++ b/testing/tests/ikev2/alg-sha384/evaltest.dat
@@ -0,0 +1,11 @@
+moon::ipsec statusall::rw.*INSTALLED::YES
+carol::ipsec statusall::home.*INSTALLED::YES
+moon::ipsec statusall::rw.*IKE proposal.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_3072::YES
+carol::ipsec statusall::home.*IKE proposal.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_3072::YES
+carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
+moon::ipsec statusall::rw.*AES_CBC_192/HMAC_SHA2_384_192,::YES
+carol::ipsec statusall::home.*AES_CBC_192/HMAC_SHA2_384_192,::YES
+moon::ip xfrm state::auth hmac(sha384)::YES
+carol::ip xfrm state::auth hmac(sha384)::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 208::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 208::YES
diff --git a/testing/tests/ikev2/alg-sha384/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/alg-sha384/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..d38b7dfcf
--- /dev/null
+++ b/testing/tests/ikev2/alg-sha384/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=yes
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=aes192-sha384-modp3072!
+	esp=aes192-sha384-modp3072!
+
+conn home
+	left=PH_IP_CAROL
+	leftfirewall=yes
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add 
diff --git a/testing/tests/ikev2/alg-sha384/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-sha384/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..06b1e9f48
--- /dev/null
+++ b/testing/tests/ikev2/alg-sha384/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+}
diff --git a/testing/tests/ikev2/alg-sha384/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/alg-sha384/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..ea84cd8a4
--- /dev/null
+++ b/testing/tests/ikev2/alg-sha384/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=yes
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=aes192-sha384-modp3072!
+	esp=aes192-sha384-modp3072!
+
+conn rw
+	left=PH_IP_MOON
+	leftfirewall=yes
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	right=%any
+	auto=add
diff --git a/testing/tests/ikev2/alg-sha384/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-sha384/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..06b1e9f48
--- /dev/null
+++ b/testing/tests/ikev2/alg-sha384/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+}
diff --git a/testing/tests/ikev2/alg-sha384/posttest.dat b/testing/tests/ikev2/alg-sha384/posttest.dat
new file mode 100644
index 000000000..94a400606
--- /dev/null
+++ b/testing/tests/ikev2/alg-sha384/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/alg-sha384/pretest.dat b/testing/tests/ikev2/alg-sha384/pretest.dat
new file mode 100644
index 000000000..f360351e1
--- /dev/null
+++ b/testing/tests/ikev2/alg-sha384/pretest.dat
@@ -0,0 +1,6 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+carol::sleep 1 
+carol::ipsec up home
diff --git a/testing/tests/ikev2/alg-sha384/test.conf b/testing/tests/ikev2/alg-sha384/test.conf
new file mode 100644
index 000000000..acb73b06f
--- /dev/null
+++ b/testing/tests/ikev2/alg-sha384/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/alg-sha512/description.txt b/testing/tests/ikev2/alg-sha512/description.txt
new file mode 100644
index 000000000..bf79a3bff
--- /dev/null
+++ b/testing/tests/ikev2/alg-sha512/description.txt
@@ -0,0 +1,4 @@
+Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
+<b>AES_CBC_256 / HMAC_SHA2_512_256</b> by defining <b>esp=aes256-sha512-modp4096!</b>
+in ipsec.conf. The same cipher suite is used for IKE.
+A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev2/alg-sha512/evaltest.dat b/testing/tests/ikev2/alg-sha512/evaltest.dat
new file mode 100644
index 000000000..e0f5fb7a3
--- /dev/null
+++ b/testing/tests/ikev2/alg-sha512/evaltest.dat
@@ -0,0 +1,11 @@
+moon::ipsec statusall::rw.*INSTALLED::YES
+carol::ipsec statusall::home.*INSTALLED::YES
+moon::ipsec statusall::rw.*IKE proposal.*AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_4096::YES
+carol::ipsec statusall::home.*IKE proposal.*AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_4096::YES
+carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
+moon::ipsec statusall::rw.*AES_CBC_256/HMAC_SHA2_512_256,::YES
+carol::ipsec statusall::home.*AES_CBC_256/HMAC_SHA2_512_256,::YES
+moon::ip xfrm state::auth hmac(sha512)::YES
+carol::ip xfrm state::auth hmac(sha512)::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 216::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 216::YES
diff --git a/testing/tests/ikev2/alg-sha512/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/alg-sha512/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..583522d1b
--- /dev/null
+++ b/testing/tests/ikev2/alg-sha512/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=yes
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=aes256-sha512-modp4096!
+	esp=aes256-sha512-modp4096!
+
+conn home
+	left=PH_IP_CAROL
+	leftfirewall=yes
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add 
diff --git a/testing/tests/ikev2/alg-sha512/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-sha512/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..06b1e9f48
--- /dev/null
+++ b/testing/tests/ikev2/alg-sha512/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+}
diff --git a/testing/tests/ikev2/alg-sha512/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/alg-sha512/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..40fec93c0
--- /dev/null
+++ b/testing/tests/ikev2/alg-sha512/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=yes
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=aes256-sha512-modp4096!
+	esp=aes256-sha512-modp4096!
+
+conn rw
+	left=PH_IP_MOON
+	leftfirewall=yes
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	right=%any
+	auto=add
diff --git a/testing/tests/ikev2/alg-sha512/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-sha512/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..06b1e9f48
--- /dev/null
+++ b/testing/tests/ikev2/alg-sha512/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+}
diff --git a/testing/tests/ikev2/alg-sha512/posttest.dat b/testing/tests/ikev2/alg-sha512/posttest.dat
new file mode 100644
index 000000000..94a400606
--- /dev/null
+++ b/testing/tests/ikev2/alg-sha512/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/alg-sha512/pretest.dat b/testing/tests/ikev2/alg-sha512/pretest.dat
new file mode 100644
index 000000000..f360351e1
--- /dev/null
+++ b/testing/tests/ikev2/alg-sha512/pretest.dat
@@ -0,0 +1,6 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+carol::sleep 1 
+carol::ipsec up home
diff --git a/testing/tests/ikev2/alg-sha512/test.conf b/testing/tests/ikev2/alg-sha512/test.conf
new file mode 100644
index 000000000..acb73b06f
--- /dev/null
+++ b/testing/tests/ikev2/alg-sha512/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/any-interface/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/any-interface/hosts/alice/etc/strongswan.conf
index 66a6137cb..86a0257ad 100644
--- a/testing/tests/ikev2/any-interface/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/any-interface/hosts/alice/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/any-interface/hosts/bob/etc/strongswan.conf b/testing/tests/ikev2/any-interface/hosts/bob/etc/strongswan.conf
index 66a6137cb..86a0257ad 100644
--- a/testing/tests/ikev2/any-interface/hosts/bob/etc/strongswan.conf
+++ b/testing/tests/ikev2/any-interface/hosts/bob/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/any-interface/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/any-interface/hosts/moon/etc/strongswan.conf
index 66a6137cb..86a0257ad 100644
--- a/testing/tests/ikev2/any-interface/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/any-interface/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/any-interface/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/any-interface/hosts/sun/etc/strongswan.conf
index 66a6137cb..86a0257ad 100644
--- a/testing/tests/ikev2/any-interface/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/any-interface/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/compress/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/compress/hosts/carol/etc/strongswan.conf
index ef63f7262..572cf39cb 100644
--- a/testing/tests/ikev2/compress/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/compress/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/compress/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/compress/hosts/moon/etc/strongswan.conf
index ef63f7262..572cf39cb 100644
--- a/testing/tests/ikev2/compress/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/compress/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/config-payload-swapped/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/config-payload-swapped/hosts/carol/etc/strongswan.conf
index 40eb84b8a..06b1e9f48 100644
--- a/testing/tests/ikev2/config-payload-swapped/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/config-payload-swapped/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/config-payload-swapped/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/config-payload-swapped/hosts/dave/etc/strongswan.conf
index 40eb84b8a..06b1e9f48 100644
--- a/testing/tests/ikev2/config-payload-swapped/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/config-payload-swapped/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/config-payload-swapped/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/config-payload-swapped/hosts/moon/etc/strongswan.conf
index 40eb84b8a..06b1e9f48 100644
--- a/testing/tests/ikev2/config-payload-swapped/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/config-payload-swapped/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/config-payload/evaltest.dat b/testing/tests/ikev2/config-payload/evaltest.dat
index 40624e3ef..3451112cc 100644
--- a/testing/tests/ikev2/config-payload/evaltest.dat
+++ b/testing/tests/ikev2/config-payload/evaltest.dat
@@ -1,8 +1,8 @@
 carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES
 carol::ip addr list dev eth0::PH_IP_CAROL1::YES
 carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES
-carol::cat /etc/resolv.conf::nameserver PH_IP_WINNETOU::YES
-carol::cat /etc/resolv.conf::nameserver PH_IP_VENUS::YES
+carol::cat /etc/resolv.conf::nameserver PH_IP_WINNETOU .*from moon.strongswan.org::YES
+carol::cat /etc/resolv.conf::nameserver PH_IP_VENUS .*from moon.strongswan.org::YES
 carol::ipsec status::home.*INSTALLED::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
 dave::cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
diff --git a/testing/tests/ikev2/config-payload/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/config-payload/hosts/carol/etc/strongswan.conf
index ae5e4f72b..ff38e227b 100644
--- a/testing/tests/ikev2/config-payload/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/config-payload/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown resolv-conf
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown resolve
 }
diff --git a/testing/tests/ikev2/config-payload/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/config-payload/hosts/dave/etc/strongswan.conf
index ae5e4f72b..ff38e227b 100644
--- a/testing/tests/ikev2/config-payload/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/config-payload/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown resolv-conf
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown resolve
 }
diff --git a/testing/tests/ikev2/config-payload/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/config-payload/hosts/moon/etc/strongswan.conf
index a6036a5da..51810734d 100644
--- a/testing/tests/ikev2/config-payload/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/config-payload/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown attr
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown attr
   dns1 = PH_IP_WINNETOU
   dns2 = PH_IP_VENUS
 }
diff --git a/testing/tests/ikev2/crl-from-cache/evaltest.dat b/testing/tests/ikev2/crl-from-cache/evaltest.dat
index f15196024..2f4cf7afa 100644
--- a/testing/tests/ikev2/crl-from-cache/evaltest.dat
+++ b/testing/tests/ikev2/crl-from-cache/evaltest.dat
@@ -1,8 +1,8 @@
-moon::cat /var/log/daemon.log::loaded crl file::YES
+moon::cat /var/log/daemon.log::loaded crl from::YES
 moon::cat /var/log/daemon.log::crl is valid::YES
 moon::cat /var/log/daemon.log::certificate status is good::YES
 moon::ipsec listcrls:: ok::YES
-carol::cat /var/log/daemon.log::loaded crl file::YES
+carol::cat /var/log/daemon.log::loaded crl from::YES
 carol::cat /var/log/daemon.log::crl is valid::YES
 carol::cat /var/log/daemon.log::certificate status is good::YES
 carol::ipsec listcrls:: ok::YES
diff --git a/testing/tests/ikev2/crl-from-cache/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/crl-from-cache/hosts/carol/etc/strongswan.conf
index ef63f7262..572cf39cb 100644
--- a/testing/tests/ikev2/crl-from-cache/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/crl-from-cache/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/strongswan.conf
index ef63f7262..572cf39cb 100644
--- a/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/crl-ldap/evaltest.dat b/testing/tests/ikev2/crl-ldap/evaltest.dat
index d98df8c7c..5ab094401 100644
--- a/testing/tests/ikev2/crl-ldap/evaltest.dat
+++ b/testing/tests/ikev2/crl-ldap/evaltest.dat
@@ -1,9 +1,9 @@
-moon::cat /var/log/daemon.log::loaded crl file::YES
+moon::cat /var/log/daemon.log::loaded crl from::YES
 moon::cat /var/log/daemon.log::crl is stale::YES
 moon::cat /var/log/daemon.log::fetching crl from.*ldap::YES
 moon::cat /var/log/daemon.log::crl is valid::YES
 moon::cat /var/log/daemon.log::certificate status is good::YES
-carol::cat /var/log/daemon.log::loaded crl file::YES
+carol::cat /var/log/daemon.log::loaded crl from::YES
 carol::cat /var/log/daemon.log::crl is stale::YES
 carol::cat /var/log/daemon.log::fetching crl from.*ldap::YES
 carol::cat /var/log/daemon.log::crl is valid::YES
diff --git a/testing/tests/ikev2/crl-ldap/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/crl-ldap/hosts/carol/etc/strongswan.conf
index 7ab4e2a42..c9e6722ae 100644
--- a/testing/tests/ikev2/crl-ldap/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/crl-ldap/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = ldap aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = ldap aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/crl-ldap/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/crl-ldap/hosts/moon/etc/strongswan.conf
index 7ab4e2a42..c9e6722ae 100644
--- a/testing/tests/ikev2/crl-ldap/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/crl-ldap/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = ldap aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = ldap aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/crl-revoked/hosts/carol/etc/ipsec.d/certs/carolRevokedCert.pem b/testing/tests/ikev2/crl-revoked/hosts/carol/etc/ipsec.d/certs/carolRevokedCert.pem
index 5b742fc9e..a92610c4f 100644
--- a/testing/tests/ikev2/crl-revoked/hosts/carol/etc/ipsec.d/certs/carolRevokedCert.pem
+++ b/testing/tests/ikev2/crl-revoked/hosts/carol/etc/ipsec.d/certs/carolRevokedCert.pem
@@ -1,25 +1,25 @@
 -----BEGIN CERTIFICATE-----
-MIIEIjCCAwqgAwIBAgIBBzANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
+MIIEIjCCAwqgAwIBAgIBGzANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA0MDkxMDExMjU0OFoXDTA5MDkwOTExMjU0OFowWjELMAkGA1UE
+b290IENBMB4XDTA5MDgyNzEwMzEwNloXDTE0MDgyNjEwMzEwNlowWjELMAkGA1UE
 BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
 cmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcN
-AQEBBQADggEPADCCAQoCggEBAM5413q1B2EF3spcYD1u0ce9AtIHdxmU3+1E0hqV
-mLqpIQtyp4SLbrRunxpoVUuEpHWXgLb3C/ljjlKCMWWmhw4wja1rBTjMNJLPj6Bo
-5Qn4Oeuqm7/kLHPGbveQGtcSsJCk6iLqFTbq0wsji5Ogq7kmjWgQv0nM2jpofHLv
-VOAtWVSj+x2b3OHdl/WpgTgTw1HHjYo7/NOkARdTcZ2/wxxM3z1Abp9iylc45GLN
-IL/OzHkT8b5pdokdMvVijz8IslkkewJYXrVQaCNMZg/ydlXOOAEKz0YqnvXQaYs5
-K+s8XvQ2RFCr5oO0fRT2VbiI9TgHnbcnfUi25iHl6txsXg0CAwEAAaOCAQYwggEC
-MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBTbA2TH3ca8tgCGkYy9
-OV/MqUTHAzBtBgNVHSMEZjBkgBRdp91wBlEyfue2bbO15eBg6i5N76FJpEcwRTEL
+AQEBBQADggEPADCCAQoCggEBAOHh/BBf9VwUbx3IU2ZvKJylwCUP2Gr40Velcexr
+lR1PoK3nwZrJxxfhhxrxdx7Wnt/PDiF2eyzA9U4cOyS1zPpWuRt69PEOWfzQJZkD
+e5C6bXZMHwJGaCM0h8EugnwI7/XgbEq8U/1PBwIeFh8xSyIwyn8NqyHWm+6haFZG
+Urz7y0ZOAYcX5ZldP8vjm2SyAl0hPlod0ypk2K1igmO8w3cRRFqD27XhztgIJyoi
++BO3umc+BXcpPGoZ7IFaXvHcMVECrxbkrvRdpKiz/4+u8FakQJtBmYuqP2TLodRJ
+TKSJ4UvIPXZ8DTEYC/Ja/wrm1hNfH4T3YjWGT++lVbYF7qECAwEAAaOCAQYwggEC
+MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBQRnt9aYXsi/fgMXGVh
+ZpTfg8kSYjBtBgNVHSMEZjBkgBRdp91wBlEyfue2bbO15eBg6i5N76FJpEcwRTEL
 MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT
 EnN0cm9uZ1N3YW4gUm9vdCBDQYIBADAfBgNVHREEGDAWgRRjYXJvbEBzdHJvbmdz
 d2FuLm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4u
-b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBBAUAA4IBAQC9acuCUPEBOrWB
-56vS8N9bksQwv/XcYIFYqV73kFBAzOPLX2a9igFGvBPdCxFu/t8JCswzE6to4LFM
-2+6Z2QJf442CLPcJKxITahrjJXSxGbzMlmaDvZ5wFCJAlyin+yuInpTwl8rMZe/Q
-O5JeJjzGDgWJtnGdkLUk/l2r6sZ/Cmk5rZpuO0hcUHVztMLQYPzqTpuMvC5p4JzL
-LWGWhKRhJs53NmxXXodck/ZgaqiTWuQFYlbamJRvzVBfX7c1SWHRJvxSSOPKGIg3
-wphkO2naj/SQD+BNuWTRmZ9YCiLOQ64ybLpJzRZISETdqtLBPKsIqosUZwkxlR1N
-9IcgYi5x
+b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBBAUAA4IBAQCY2EMqkuhtAls/
+jkjXm+sI5YVglE62itSYgJxKZhxoFn3l4Afc6+XBeftK8Y1IjXdeyQUg8qHhkctl
+nBiEzRCClporCOXl5hOzWi+ft2hyKgcx8mFB8Qw5ZE9z8dvY70jdPCB4cH5EVaiC
+6ElGcI02iO073iCe38b3rmpwfnkIWZ0FVjSFSsTiNPLXWH6m6tt9Gux/PFuLff4a
+cdGfEGs01DEp9t0bHqZd6ESf2rEUljT57i9wSBfT5ULj78VTgudw/WhB0CgiXD+f
+q2dZC/19B8Xmk6XmEpRQjFK6wFmfBiQdelJo17/8M4LdT/RfvTHJOxr2OAtvCm2Z
+0xafBd5x
 -----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/crl-revoked/hosts/carol/etc/ipsec.d/private/carolRevokedKey.pem b/testing/tests/ikev2/crl-revoked/hosts/carol/etc/ipsec.d/private/carolRevokedKey.pem
index 8aefcc5a6..60e7fdfa9 100644
--- a/testing/tests/ikev2/crl-revoked/hosts/carol/etc/ipsec.d/private/carolRevokedKey.pem
+++ b/testing/tests/ikev2/crl-revoked/hosts/carol/etc/ipsec.d/private/carolRevokedKey.pem
@@ -1,27 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEAznjXerUHYQXeylxgPW7Rx70C0gd3GZTf7UTSGpWYuqkhC3Kn
-hItutG6fGmhVS4SkdZeAtvcL+WOOUoIxZaaHDjCNrWsFOMw0ks+PoGjlCfg566qb
-v+Qsc8Zu95Aa1xKwkKTqIuoVNurTCyOLk6CruSaNaBC/SczaOmh8cu9U4C1ZVKP7
-HZvc4d2X9amBOBPDUceNijv806QBF1Nxnb/DHEzfPUBun2LKVzjkYs0gv87MeRPx
-vml2iR0y9WKPPwiyWSR7AlhetVBoI0xmD/J2Vc44AQrPRiqe9dBpizkr6zxe9DZE
-UKvmg7R9FPZVuIj1OAedtyd9SLbmIeXq3GxeDQIDAQABAoIBAAUdyXko8z3cP2EU
-WO4syNYCQQejV7gykDn48pvmCRrXBhKajLwkGGIwO5ET9MkiSFEBqBbgmFNdvDEf
-OMokDkSzv08Ez+RQax0YN57p+oL8u7KzT5i5tsBHsog/8epSdD2hWIv08QGjYAdu
-og7OdHLqGabyg0r44I+B91OBysCjU51rDdkhz59AmURdEIJV5xhuGojFM68jaNm2
-MUxDfDuCsRIydjAP0VTUTAUxD4/S5I+jt/GK9aRsEeRH9Q3011iTGMR9viAUBhq/
-khkWNltg9lkOqO7LpnNku4sSv3v4CWge7/T+4RR2vZgv1oSs4ox2UKYoqIqiYIfx
-uUcnqQECgYEA+LPiRMoXvlssQWlaFc2k4xga0efs+mWeLglDdc3R3fBEibP/AU07
-a576AgvUJtkI50/WNGKT73O+VtxcXn/N646m/8OtqNXuVKKjsxxNOZEKdO8aOdbt
-7lM5WepNiQeaKAFudUxpUiZQx8LCKSsNDiJZKWBu6xAG2O5X32VMZvUCgYEA1Ie+
-rNa490PSC1ym7WbmdAjvGmSOn2GOBfO7BECsPZstccU7D5pZl/89fTfn1TDKP49Y
-ScVOuFz7f/u6UJpb/WzI71RXEQOdojLWmF2HDx5osRi3hXEJa20fbPq6DQXCJ8pf
-IF37AEqAY4UNSNic0Cw+rGHdWPQhDNXhFWpdu7kCgYEAmv4oNmyoDXbuhrlsbggi
-CXE9TbG3a3mm8dPOGf2yHBmf7R2i/6GtNW33Kw1KIwfBV77WpQEGZwWACsv8ONx3
-baUSiHTfpkfk5xQQ5w/tRMISfTuB4agD0jJFnLa7qXl2ZhY2S53aSVsdntDOhi+R
-TEy1umah2Za8Xbd0RgHwcn0CgYEAl9Hgg9dfikMIaNVm6W/4cCtxoojy2Sf3LIlP
-r1oDsH6JmBwsdJjuJ4ZNhoXJNqID2COuDgTEly7U+jf4gFvEGuT7JPw6tgy/Ln7i
-jTVCpaozX08oykpVUEhDirYQ8fyLFaGbEqQQCcUusej59G/IlW0F2F6QoFrEwUaH
-46R4EQECgYBEZ7edMkj3dmJH1wxQjp5GJNbrJkS8IKvzza0mDTJdz33CgEX9Oyva
-o2iEkDVpvj2SEy28ewt22IRptWKH/3bQfxSCcRV6JFNt3+LongMshRYqq1leqrKa
-9fnQVtfTIbIVXwjTZap6BL8R66OeFtexsSFRfDF/8P4n2oF4zmn4qA==
+MIIEpQIBAAKCAQEA4eH8EF/1XBRvHchTZm8onKXAJQ/YavjRV6Vx7GuVHU+grefB
+msnHF+GHGvF3Htae388OIXZ7LMD1Thw7JLXM+la5G3r08Q5Z/NAlmQN7kLptdkwf
+AkZoIzSHwS6CfAjv9eBsSrxT/U8HAh4WHzFLIjDKfw2rIdab7qFoVkZSvPvLRk4B
+hxflmV0/y+ObZLICXSE+Wh3TKmTYrWKCY7zDdxFEWoPbteHO2AgnKiL4E7e6Zz4F
+dyk8ahnsgVpe8dwxUQKvFuSu9F2kqLP/j67wVqRAm0GZi6o/ZMuh1ElMpInhS8g9
+dnwNMRgL8lr/CubWE18fhPdiNYZP76VVtgXuoQIDAQABAoIBAQCbF5UAkUJgdM9O
+fat128DgvZXOXLDV0f261igAkmWR+Ih0n3n5E64VoY4oW77Ud7wiI4KqSzWLpvlH
+Jm8dZ45UHJOAYM4pbRcwVKJcC14eI0LhRKbN4xXBhmHnrE1/aIuKIQt5zRFGDarc
+M1gxFqFl2mZPEk18MGRkVoLTKfnJMzdHI1m0IAMwg3Rl9cmuVdkhTS+IAoULVNnI
+0iAOsFN8SdDaKBqRcPkypT5s4wjGH4s7zjW4PmEDwDhhfeHkVccCuH8n3un1bPT2
+oc73RSXdCYMgDTD3waXC+4cCQGPZmUCl6Mfq7YCECkUpUg6rHlaCYRSZZoQPf5vH
+VsBUvjABAoGBAPHSnJOL6tcqJCCZ27E3zIsmZ+d6dX4B/YN1Xk3vKHhavN5Ks6Gx
+ZCsaluMuB2qyBRrpKnSAz6lUQ1TOxzuphlVIX1EnLW+JvNgFyem9PARsP2SMsKqm
+VaqnId6pprdbP53NpL9Z7AsbS/i/Ab6WpVPyYHdqVsimCdRGK9/JlOnBAoGBAO8g
+I4a4dJKiwHBHyP6wkYrhWdYwmjTJlskNNjrvtn7bCJ/Lm0SaGFXKIHCExnenZji0
+bBp3XiFNPlPfjTaXG++3IH6fxYdHonsrkxbUHvGAVETmHVLzeFiAKuUBvrWuKecD
+yoywVenugORQIPal3AcLwPsVRfDU89tTQhiFq3zhAoGBAIqmfy/54URM3Tnz/Yq2
+u4htFNYb2JHPAlQFT3TP0xxuqiuqGSR0WUJ9lFXdZlM+jr7HQZha4rXrok9V39XN
+dUAgpsYY+GwjRSt25jYmUesXRaGZKRIvHJ8kBL9t9jDbGLaZ2gP8wuH7XKvamF12
+coSXS8gsKGYTDT+wnCdLpR4BAoGAFwuV4Ont8iPVP/zrFgCWRjgpnEba1bOH4KBx
+VYS8pcUeM6g/soDXT41HSxDAv89WPqjEslhGrhbvps2oolY1zwhrDUkAlGUG96/f
+YRfYU5X2iR1UPiZQttbDS4a7hm7egvEOmDh2TzE5IsfGJX8ekV9Ene4S637acYy4
+lfxr5oECgYEAzRuvh6aG7UmKwNTfatEKav7/gUH3QBGK+Pp3TPSmR5PKh/Pk4py6
+95bT4mHrKCBIfSv/8h+6baYZr9Ha1Oj++J94RXEi8wdjjl1w3LGQrM/X+0AVqn5P
+b5w1nvRK7bMikIXbZmPJmivrfChcjD21gvWeF6Osq8McWF8jW2HzrZw=
 -----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev2/crl-revoked/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/crl-revoked/hosts/carol/etc/strongswan.conf
index ef63f7262..572cf39cb 100644
--- a/testing/tests/ikev2/crl-revoked/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/crl-revoked/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/crl-revoked/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/crl-revoked/hosts/moon/etc/strongswan.conf
index ef63f7262..572cf39cb 100644
--- a/testing/tests/ikev2/crl-revoked/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/crl-revoked/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/crl-to-cache/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/crl-to-cache/hosts/carol/etc/strongswan.conf
index ef63f7262..572cf39cb 100644
--- a/testing/tests/ikev2/crl-to-cache/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/crl-to-cache/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/strongswan.conf
index ef63f7262..572cf39cb 100644
--- a/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/default-keys/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/default-keys/hosts/carol/etc/strongswan.conf
index 6cb8c1369..c466dc8cf 100644
--- a/testing/tests/ikev2/default-keys/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/default-keys/hosts/carol/etc/strongswan.conf
@@ -1,9 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
 
 scepclient {
-  load = sha1 sha2 md5 aes des hmac gmp pubkey random
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random
 }
diff --git a/testing/tests/ikev2/default-keys/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/default-keys/hosts/moon/etc/strongswan.conf
index 6cb8c1369..c466dc8cf 100644
--- a/testing/tests/ikev2/default-keys/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/default-keys/hosts/moon/etc/strongswan.conf
@@ -1,9 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
 
 scepclient {
-  load = sha1 sha2 md5 aes des hmac gmp pubkey random
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random
 }
diff --git a/testing/tests/ikev2/double-nat-net/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/double-nat-net/hosts/alice/etc/strongswan.conf
index 40eb84b8a..06b1e9f48 100644
--- a/testing/tests/ikev2/double-nat-net/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/double-nat-net/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/double-nat-net/hosts/bob/etc/strongswan.conf b/testing/tests/ikev2/double-nat-net/hosts/bob/etc/strongswan.conf
index 40eb84b8a..06b1e9f48 100644
--- a/testing/tests/ikev2/double-nat-net/hosts/bob/etc/strongswan.conf
+++ b/testing/tests/ikev2/double-nat-net/hosts/bob/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/double-nat/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/double-nat/hosts/alice/etc/strongswan.conf
index 40eb84b8a..06b1e9f48 100644
--- a/testing/tests/ikev2/double-nat/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/double-nat/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/double-nat/hosts/bob/etc/strongswan.conf b/testing/tests/ikev2/double-nat/hosts/bob/etc/strongswan.conf
index 40eb84b8a..06b1e9f48 100644
--- a/testing/tests/ikev2/double-nat/hosts/bob/etc/strongswan.conf
+++ b/testing/tests/ikev2/double-nat/hosts/bob/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/dpd-clear/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/dpd-clear/hosts/carol/etc/strongswan.conf
index 40eb84b8a..06b1e9f48 100644
--- a/testing/tests/ikev2/dpd-clear/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/dpd-clear/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/dpd-clear/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/dpd-clear/hosts/moon/etc/strongswan.conf
index ef63f7262..572cf39cb 100644
--- a/testing/tests/ikev2/dpd-clear/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/dpd-clear/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/dpd-hold/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/dpd-hold/hosts/carol/etc/strongswan.conf
index 40eb84b8a..06b1e9f48 100644
--- a/testing/tests/ikev2/dpd-hold/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/dpd-hold/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/dpd-hold/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/dpd-hold/hosts/moon/etc/strongswan.conf
index ef63f7262..572cf39cb 100644
--- a/testing/tests/ikev2/dpd-hold/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/dpd-hold/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/dpd-restart/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/dpd-restart/hosts/carol/etc/strongswan.conf
index 40eb84b8a..06b1e9f48 100644
--- a/testing/tests/ikev2/dpd-restart/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/dpd-restart/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/dpd-restart/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/dpd-restart/hosts/moon/etc/strongswan.conf
index ef63f7262..572cf39cb 100644
--- a/testing/tests/ikev2/dpd-restart/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/dpd-restart/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/esp-alg-aes-ccm/evaltest.dat b/testing/tests/ikev2/esp-alg-aes-ccm/evaltest.dat
index 9a1c6b8e9..86ef872c0 100644
--- a/testing/tests/ikev2/esp-alg-aes-ccm/evaltest.dat
+++ b/testing/tests/ikev2/esp-alg-aes-ccm/evaltest.dat
@@ -1,5 +1,7 @@
 moon::ipsec statusall::rw.*INSTALLED::YES
 carol::ipsec statusall::home.*INSTALLED::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
 moon::ipsec statusall::AES_CCM_12_128::YES
 carol::ipsec statusall::AES_CCM_12_128::YES
-carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 180::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 180::YES
diff --git a/testing/tests/ikev2/esp-alg-aes-ccm/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-aes-ccm/hosts/carol/etc/strongswan.conf
index 40eb84b8a..06b1e9f48 100644
--- a/testing/tests/ikev2/esp-alg-aes-ccm/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/esp-alg-aes-ccm/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/esp-alg-aes-ccm/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-aes-ccm/hosts/moon/etc/strongswan.conf
index 40eb84b8a..06b1e9f48 100644
--- a/testing/tests/ikev2/esp-alg-aes-ccm/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/esp-alg-aes-ccm/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/esp-alg-aes-ccm/test.conf b/testing/tests/ikev2/esp-alg-aes-ccm/test.conf
index 2b240d895..acb73b06f 100644
--- a/testing/tests/ikev2/esp-alg-aes-ccm/test.conf
+++ b/testing/tests/ikev2/esp-alg-aes-ccm/test.conf
@@ -13,7 +13,7 @@ DIAGRAM="m-c-w.png"
 
 # UML instances on which tcpdump is to be started
 #
-TCPDUMPHOSTS=""
+TCPDUMPHOSTS="moon"
 
 # UML instances on which IPsec is started
 # Used for IPsec logging purposes
diff --git a/testing/tests/ikev2/esp-alg-aes-ctr/evaltest.dat b/testing/tests/ikev2/esp-alg-aes-ctr/evaltest.dat
index d5260da68..6b5d0ba0b 100644
--- a/testing/tests/ikev2/esp-alg-aes-ctr/evaltest.dat
+++ b/testing/tests/ikev2/esp-alg-aes-ctr/evaltest.dat
@@ -1,7 +1,10 @@
 moon::ipsec statusall::rw.*INSTALLED::YES
 carol::ipsec statusall::home.*INSTALLED::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
 moon::ipsec statusall::AES_CTR_128/AES_XCBC_96::YES
 carol::ipsec statusall::AES_CTR_128/AES_XCBC_96::YES
 moon::ip xfrm state::rfc3686(ctr(aes))::YES
 carol::ip xfrm state::rfc3686(ctr(aes))::YES
-carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 180::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 180::YES
+
diff --git a/testing/tests/ikev2/esp-alg-aes-ctr/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-aes-ctr/hosts/carol/etc/strongswan.conf
index 40eb84b8a..06b1e9f48 100644
--- a/testing/tests/ikev2/esp-alg-aes-ctr/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/esp-alg-aes-ctr/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/esp-alg-aes-ctr/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-aes-ctr/hosts/moon/etc/strongswan.conf
index 40eb84b8a..06b1e9f48 100644
--- a/testing/tests/ikev2/esp-alg-aes-ctr/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/esp-alg-aes-ctr/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/esp-alg-aes-ctr/test.conf b/testing/tests/ikev2/esp-alg-aes-ctr/test.conf
index 2b240d895..acb73b06f 100644
--- a/testing/tests/ikev2/esp-alg-aes-ctr/test.conf
+++ b/testing/tests/ikev2/esp-alg-aes-ctr/test.conf
@@ -13,7 +13,7 @@ DIAGRAM="m-c-w.png"
 
 # UML instances on which tcpdump is to be started
 #
-TCPDUMPHOSTS=""
+TCPDUMPHOSTS="moon"
 
 # UML instances on which IPsec is started
 # Used for IPsec logging purposes
diff --git a/testing/tests/ikev2/esp-alg-aes-gcm/evaltest.dat b/testing/tests/ikev2/esp-alg-aes-gcm/evaltest.dat
index 12a2dab3c..9805c654c 100644
--- a/testing/tests/ikev2/esp-alg-aes-gcm/evaltest.dat
+++ b/testing/tests/ikev2/esp-alg-aes-gcm/evaltest.dat
@@ -1,5 +1,7 @@
 moon::ipsec statusall::rw.*INSTALLED::YES
 carol::ipsec statusall::home.*INSTALLED::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
 moon::ipsec statusall::AES_GCM_16_256::YES
 carol::ipsec statusall::AES_GCM_16_256::YES
-carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 184::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 184::YES
diff --git a/testing/tests/ikev2/esp-alg-aes-gcm/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-aes-gcm/hosts/carol/etc/strongswan.conf
index 40eb84b8a..06b1e9f48 100644
--- a/testing/tests/ikev2/esp-alg-aes-gcm/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/esp-alg-aes-gcm/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/esp-alg-aes-gcm/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-aes-gcm/hosts/moon/etc/strongswan.conf
index 40eb84b8a..06b1e9f48 100644
--- a/testing/tests/ikev2/esp-alg-aes-gcm/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/esp-alg-aes-gcm/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/esp-alg-aes-gcm/test.conf b/testing/tests/ikev2/esp-alg-aes-gcm/test.conf
index 2b240d895..acb73b06f 100644
--- a/testing/tests/ikev2/esp-alg-aes-gcm/test.conf
+++ b/testing/tests/ikev2/esp-alg-aes-gcm/test.conf
@@ -13,7 +13,7 @@ DIAGRAM="m-c-w.png"
 
 # UML instances on which tcpdump is to be started
 #
-TCPDUMPHOSTS=""
+TCPDUMPHOSTS="moon"
 
 # UML instances on which IPsec is started
 # Used for IPsec logging purposes
diff --git a/testing/tests/ikev2/esp-alg-camellia/description.txt b/testing/tests/ikev2/esp-alg-camellia/description.txt
deleted file mode 100644
index e79bc4f87..000000000
--- a/testing/tests/ikev2/esp-alg-camellia/description.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
-<b>CAMELLIA_CBC_192 / HMAC_SHA1_96</b> by defining <b>esp=camellia192-sha1</b> in ipsec.conf.
-A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev2/esp-alg-camellia/evaltest.dat b/testing/tests/ikev2/esp-alg-camellia/evaltest.dat
deleted file mode 100644
index a8a78e25b..000000000
--- a/testing/tests/ikev2/esp-alg-camellia/evaltest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-moon::ipsec statusall::rw.*INSTALLED::YES
-carol::ipsec statusall::home.*INSTALLED::YES
-moon::ipsec statusall::CAMELLIA_CBC_192/HMAC_SHA1_96::YES
-carol::ipsec statusall::CAMELLIA_CBC_192/HMAC_SHA1_96::YES
-moon::ip xfrm state::enc cbc(camellia)::YES
-carol::ip xfrm state::enc cbc(camellia)::YES
-carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
diff --git a/testing/tests/ikev2/esp-alg-camellia/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-camellia/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index 74562cd3c..000000000
--- a/testing/tests/ikev2/esp-alg-camellia/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-        crlcheckinterval=180
-	strictcrlpolicy=yes
-	plutostart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-	ike=aes192-sha1-modp2048!
-	esp=camellia192-sha1!
-
-conn home
-	left=PH_IP_CAROL
-	leftfirewall=yes
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	rightid=@moon.strongswan.org
-	auto=add 
diff --git a/testing/tests/ikev2/esp-alg-camellia/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-camellia/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 40eb84b8a..000000000
--- a/testing/tests/ikev2/esp-alg-camellia/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
-}
diff --git a/testing/tests/ikev2/esp-alg-camellia/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-camellia/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index a9ce15802..000000000
--- a/testing/tests/ikev2/esp-alg-camellia/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-        crlcheckinterval=180
-	strictcrlpolicy=yes
-	plutostart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-	ike=aes192-sha1-modp2048!
-	esp=camellia192-sha1!
-
-conn rw
-	left=PH_IP_MOON
-	leftfirewall=yes
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftsubnet=10.1.0.0/16
-	right=%any
-	auto=add
diff --git a/testing/tests/ikev2/esp-alg-camellia/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-camellia/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 40eb84b8a..000000000
--- a/testing/tests/ikev2/esp-alg-camellia/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
-}
diff --git a/testing/tests/ikev2/esp-alg-camellia/posttest.dat b/testing/tests/ikev2/esp-alg-camellia/posttest.dat
deleted file mode 100644
index 94a400606..000000000
--- a/testing/tests/ikev2/esp-alg-camellia/posttest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/esp-alg-camellia/pretest.dat b/testing/tests/ikev2/esp-alg-camellia/pretest.dat
deleted file mode 100644
index 3c3df0196..000000000
--- a/testing/tests/ikev2/esp-alg-camellia/pretest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-moon::ipsec start
-carol::ipsec start
-carol::sleep 1 
-carol::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/ikev2/esp-alg-camellia/test.conf b/testing/tests/ikev2/esp-alg-camellia/test.conf
deleted file mode 100644
index 2b240d895..000000000
--- a/testing/tests/ikev2/esp-alg-camellia/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/esp-alg-null/evaltest.dat b/testing/tests/ikev2/esp-alg-null/evaltest.dat
index dc50f11e0..bebca1f61 100644
--- a/testing/tests/ikev2/esp-alg-null/evaltest.dat
+++ b/testing/tests/ikev2/esp-alg-null/evaltest.dat
@@ -1,7 +1,9 @@
 moon::ipsec statusall::rw.*INSTALLED::YES
 carol::ipsec statusall::home.*INSTALLED::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
 moon::ipsec statusall::NULL/HMAC_SHA1_96::YES
 carol::ipsec statusall::NULL/HMAC_SHA1_96::YES
 moon::ip xfrm state::enc ecb(cipher_null)::YES
 carol::ip xfrm state::enc ecb(cipher_null)::YES
-carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 172::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 172::YES
diff --git a/testing/tests/ikev2/esp-alg-null/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-null/hosts/carol/etc/strongswan.conf
index 40eb84b8a..06b1e9f48 100644
--- a/testing/tests/ikev2/esp-alg-null/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/esp-alg-null/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/esp-alg-null/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-null/hosts/moon/etc/strongswan.conf
index 40eb84b8a..06b1e9f48 100644
--- a/testing/tests/ikev2/esp-alg-null/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/esp-alg-null/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/esp-alg-null/pretest.dat b/testing/tests/ikev2/esp-alg-null/pretest.dat
index f360351e1..3c3df0196 100644
--- a/testing/tests/ikev2/esp-alg-null/pretest.dat
+++ b/testing/tests/ikev2/esp-alg-null/pretest.dat
@@ -4,3 +4,4 @@ moon::ipsec start
 carol::ipsec start
 carol::sleep 1 
 carol::ipsec up home
+carol::sleep 1
diff --git a/testing/tests/ikev2/esp-alg-null/test.conf b/testing/tests/ikev2/esp-alg-null/test.conf
index 2b240d895..acb73b06f 100644
--- a/testing/tests/ikev2/esp-alg-null/test.conf
+++ b/testing/tests/ikev2/esp-alg-null/test.conf
@@ -13,7 +13,7 @@ DIAGRAM="m-c-w.png"
 
 # UML instances on which tcpdump is to be started
 #
-TCPDUMPHOSTS=""
+TCPDUMPHOSTS="moon"
 
 # UML instances on which IPsec is started
 # Used for IPsec logging purposes
diff --git a/testing/tests/ikev2/force-udp-encaps/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/force-udp-encaps/hosts/alice/etc/strongswan.conf
index 40eb84b8a..06b1e9f48 100644
--- a/testing/tests/ikev2/force-udp-encaps/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/force-udp-encaps/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/strongswan.conf
index 40eb84b8a..06b1e9f48 100644
--- a/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/host2host-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/host2host-cert/hosts/moon/etc/strongswan.conf
index 40eb84b8a..06b1e9f48 100644
--- a/testing/tests/ikev2/host2host-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/host2host-cert/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/host2host-cert/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/host2host-cert/hosts/sun/etc/strongswan.conf
index 40eb84b8a..06b1e9f48 100644
--- a/testing/tests/ikev2/host2host-cert/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/host2host-cert/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/host2host-swapped/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/host2host-swapped/hosts/moon/etc/strongswan.conf
index 40eb84b8a..06b1e9f48 100644
--- a/testing/tests/ikev2/host2host-swapped/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/host2host-swapped/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/host2host-swapped/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/host2host-swapped/hosts/sun/etc/strongswan.conf
index 40eb84b8a..06b1e9f48 100644
--- a/testing/tests/ikev2/host2host-swapped/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/host2host-swapped/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/host2host-transport/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/host2host-transport/hosts/moon/etc/strongswan.conf
index 4731a81d2..9af403198 100644
--- a/testing/tests/ikev2/host2host-transport/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/host2host-transport/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/host2host-transport/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/host2host-transport/hosts/sun/etc/strongswan.conf
index 4731a81d2..9af403198 100644
--- a/testing/tests/ikev2/host2host-transport/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/host2host-transport/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/inactivity-timeout/description.txt b/testing/tests/ikev2/inactivity-timeout/description.txt
new file mode 100644
index 000000000..df155b1c3
--- /dev/null
+++ b/testing/tests/ikev2/inactivity-timeout/description.txt
@@ -0,0 +1,3 @@
+Roadwarrior <b>carol</b> establishes an IPsec tunnel to gateway <b>moon</b> and sets
+an inactivity timeout of 10 seconds. Thus after 10 seconds of inactivity the CHILD_SA
+is automatically deleted by <b>carol</b>.
diff --git a/testing/tests/ikev2/inactivity-timeout/evaltest.dat b/testing/tests/ikev2/inactivity-timeout/evaltest.dat
new file mode 100644
index 000000000..a8975481f
--- /dev/null
+++ b/testing/tests/ikev2/inactivity-timeout/evaltest.dat
@@ -0,0 +1,8 @@
+moon::ipsec statusall::rw.*INSTALLED::YES
+carol::ipsec statusall::home.*INSTALLED::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::sleep 15::NO
+carol::cat /var/log/daemon.log::deleting CHILD_SA after 10 seconds of inactivity::YES
+moon::ipsec statusall::rw.*INSTALLED::NO
+carol::ipsec statusall::home.*INSTALLED::NO
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::NO
diff --git a/testing/tests/ikev2/inactivity-timeout/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/inactivity-timeout/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..5fbb99617
--- /dev/null
+++ b/testing/tests/ikev2/inactivity-timeout/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=yes
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	inactivity=10
+
+conn home
+	left=PH_IP_CAROL
+	leftfirewall=yes
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
diff --git a/testing/tests/ikev2/inactivity-timeout/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/inactivity-timeout/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..06b1e9f48
--- /dev/null
+++ b/testing/tests/ikev2/inactivity-timeout/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+}
diff --git a/testing/tests/ikev2/inactivity-timeout/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/inactivity-timeout/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..c3d417302
--- /dev/null
+++ b/testing/tests/ikev2/inactivity-timeout/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=yes
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn rw
+	left=PH_IP_MOON
+	leftfirewall=yes
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	right=%any
+	auto=add
diff --git a/testing/tests/ikev2/inactivity-timeout/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/inactivity-timeout/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..06b1e9f48
--- /dev/null
+++ b/testing/tests/ikev2/inactivity-timeout/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+}
diff --git a/testing/tests/ikev2/inactivity-timeout/posttest.dat b/testing/tests/ikev2/inactivity-timeout/posttest.dat
new file mode 100644
index 000000000..94a400606
--- /dev/null
+++ b/testing/tests/ikev2/inactivity-timeout/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/inactivity-timeout/pretest.dat b/testing/tests/ikev2/inactivity-timeout/pretest.dat
new file mode 100644
index 000000000..3c3df0196
--- /dev/null
+++ b/testing/tests/ikev2/inactivity-timeout/pretest.dat
@@ -0,0 +1,7 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+carol::sleep 1 
+carol::ipsec up home
+carol::sleep 1
diff --git a/testing/tests/ikev2/inactivity-timeout/test.conf b/testing/tests/ikev2/inactivity-timeout/test.conf
new file mode 100644
index 000000000..acb73b06f
--- /dev/null
+++ b/testing/tests/ikev2/inactivity-timeout/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/ip-pool-db/evaltest.dat b/testing/tests/ikev2/ip-pool-db/evaltest.dat
index 9ce2c44a8..f9d0cbb37 100644
--- a/testing/tests/ikev2/ip-pool-db/evaltest.dat
+++ b/testing/tests/ikev2/ip-pool-db/evaltest.dat
@@ -1,9 +1,15 @@
 carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES
+carol::cat /var/log/daemon.log::installing DNS server PH_IP_WINNETOU::YES
+carol::cat /var/log/daemon.log::installing DNS server PH_IP_VENUS::YES
+carol::cat /var/log/daemon.log::handling INTERNAL_IP4_NBNS attribute failed::YES
 carol::ip addr list dev eth0::PH_IP_CAROL1::YES
 carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES
 carol::ipsec status::home.*INSTALLED::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
 dave::cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
+dave::cat /var/log/daemon.log::installing DNS server PH_IP_WINNETOU::YES
+dave::cat /var/log/daemon.log::installing DNS server PH_IP_VENUS::YES
+dave::cat /var/log/daemon.log::handling INTERNAL_IP4_NBNS attribute failed::YES
 dave::ip addr list dev eth0::PH_IP_DAVE1::YES
 dave::ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
 dave::ipsec status::home.*INSTALLED::YES
@@ -11,6 +17,8 @@ dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
 moon::cat /var/log/daemon.log::peer requested virtual IP %any::YES
 moon::cat /var/log/daemon.log::acquired new lease for address.*in pool.*bigpool::YES
 moon::cat /var/log/daemon.log::assigning virtual IP::YES
+moon::ipsec pool --status 2> /dev/null::dns servers: PH_IP_WINNETOU PH_IP_VENUS::YES
+moon::ipsec pool --status 2> /dev/null::nbns servers: PH_IP_VENUS::YES
 moon::ipsec pool --status 2> /dev/null::bigpool.*10.3.0.1.*10.3.3.232.*static.*2::YES
 moon::ipsec pool --leases --filter pool=bigpool,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES
 moon::ipsec pool --leases --filter pool=bigpool,addr=10.3.0.2,id=dave@strongswan.org 2> /dev/null::online::YES
diff --git a/testing/tests/ikev2/ip-pool-db/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-pool-db/hosts/carol/etc/strongswan.conf
index 40eb84b8a..ff38e227b 100644
--- a/testing/tests/ikev2/ip-pool-db/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-pool-db/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown resolve
 }
diff --git a/testing/tests/ikev2/ip-pool-db/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ip-pool-db/hosts/dave/etc/strongswan.conf
index 40eb84b8a..ff38e227b 100644
--- a/testing/tests/ikev2/ip-pool-db/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-pool-db/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown resolve
 }
diff --git a/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/strongswan.conf
index b77ff97fb..b7c598fca 100644
--- a/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/strongswan.conf
@@ -1,12 +1,15 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink sqlite attr-sql updown
+}
+
+libstrongswan {
   plugins {
-    sql {
-      database = sqlite:///etc/ipsec.d/ipsec.db 
+    attr-sql {
+      database = sqlite:///etc/ipsec.d/ipsec.db
     }
   }
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink sqlite sql updown
 }
 
 pool {
diff --git a/testing/tests/ikev2/ip-pool-db/posttest.dat b/testing/tests/ikev2/ip-pool-db/posttest.dat
index 1505a77ba..1c955057a 100644
--- a/testing/tests/ikev2/ip-pool-db/posttest.dat
+++ b/testing/tests/ikev2/ip-pool-db/posttest.dat
@@ -5,4 +5,6 @@ moon::/etc/init.d/iptables stop 2> /dev/null
 carol::/etc/init.d/iptables stop 2> /dev/null
 dave::/etc/init.d/iptables stop 2> /dev/null
 moon::ipsec pool --del bigpool 2> /dev/null
+moon::ipsec pool --del dns 2> /dev/null
+moon::ipsec pool --del nbns 2> /dev/null
 moon::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/ikev2/ip-pool-db/pretest.dat b/testing/tests/ikev2/ip-pool-db/pretest.dat
index 1765538a3..332280acd 100644
--- a/testing/tests/ikev2/ip-pool-db/pretest.dat
+++ b/testing/tests/ikev2/ip-pool-db/pretest.dat
@@ -1,6 +1,9 @@
 moon::cat /etc/ipsec.d/tables.sql > /etc/ipsec.d/ipsec.sql
 moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 moon::ipsec pool --add bigpool --start 10.3.0.1 --end 10.3.3.232 --timeout 0 2> /dev/null
+moon::ipsec pool --add dns  --server PH_IP_WINNETOU 2> /dev/null
+moon::ipsec pool --add dns  --server PH_IP_VENUS 2> /dev/null
+moon::ipsec pool --add nbns --server PH_IP_VENUS 2> /dev/null
 moon::/etc/init.d/iptables start 2> /dev/null
 carol::/etc/init.d/iptables start 2> /dev/null
 dave::/etc/init.d/iptables start 2> /dev/null
diff --git a/testing/tests/ikev2/ip-pool-wish/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-pool-wish/hosts/carol/etc/strongswan.conf
index 40eb84b8a..06b1e9f48 100644
--- a/testing/tests/ikev2/ip-pool-wish/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-pool-wish/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/ip-pool-wish/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ip-pool-wish/hosts/dave/etc/strongswan.conf
index 40eb84b8a..06b1e9f48 100644
--- a/testing/tests/ikev2/ip-pool-wish/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-pool-wish/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/ip-pool-wish/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-pool-wish/hosts/moon/etc/strongswan.conf
index 40eb84b8a..06b1e9f48 100644
--- a/testing/tests/ikev2/ip-pool-wish/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-pool-wish/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/ip-pool/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-pool/hosts/carol/etc/strongswan.conf
index 40eb84b8a..06b1e9f48 100644
--- a/testing/tests/ikev2/ip-pool/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-pool/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/ip-pool/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ip-pool/hosts/dave/etc/strongswan.conf
index 40eb84b8a..06b1e9f48 100644
--- a/testing/tests/ikev2/ip-pool/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-pool/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/ip-pool/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-pool/hosts/moon/etc/strongswan.conf
index 40eb84b8a..06b1e9f48 100644
--- a/testing/tests/ikev2/ip-pool/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-pool/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/ip-split-pools-db/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-split-pools-db/hosts/carol/etc/strongswan.conf
index 40eb84b8a..06b1e9f48 100644
--- a/testing/tests/ikev2/ip-split-pools-db/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-split-pools-db/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/ip-split-pools-db/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ip-split-pools-db/hosts/dave/etc/strongswan.conf
index 40eb84b8a..06b1e9f48 100644
--- a/testing/tests/ikev2/ip-split-pools-db/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-split-pools-db/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/strongswan.conf
index b77ff97fb..b7c598fca 100644
--- a/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/strongswan.conf
@@ -1,12 +1,15 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink sqlite attr-sql updown
+}
+
+libstrongswan {
   plugins {
-    sql {
-      database = sqlite:///etc/ipsec.d/ipsec.db 
+    attr-sql {
+      database = sqlite:///etc/ipsec.d/ipsec.db
     }
   }
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink sqlite sql updown
 }
 
 pool {
diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/strongswan.conf
index 40eb84b8a..06b1e9f48 100644
--- a/testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/carol/etc/strongswan.conf
index 40eb84b8a..06b1e9f48 100644
--- a/testing/tests/ikev2/ip-two-pools-db/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools-db/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/dave/etc/strongswan.conf
index 40eb84b8a..06b1e9f48 100644
--- a/testing/tests/ikev2/ip-two-pools-db/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools-db/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/strongswan.conf
index 1b5257ccc..1ce52a848 100644
--- a/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/strongswan.conf
@@ -1,12 +1,15 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke sqlite attr-sql kernel-netlink updown
+}
+
+libstrongswan {
   plugins {
-    sql {
-      database = sqlite:///etc/ipsec.d/ipsec.db 
+    attr-sql {
+      database = sqlite:///etc/ipsec.d/ipsec.db
     }
   }
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke sqlite sql kernel-netlink updown
 }
 
 pool {
diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/strongswan.conf
index 40eb84b8a..06b1e9f48 100644
--- a/testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/strongswan.conf
index 40eb84b8a..06b1e9f48 100644
--- a/testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-mixed/hosts/carol/etc/strongswan.conf
index 40eb84b8a..06b1e9f48 100644
--- a/testing/tests/ikev2/ip-two-pools-mixed/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools-mixed/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf
index 1b5257ccc..1ce52a848 100644
--- a/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf
@@ -1,12 +1,15 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke sqlite attr-sql kernel-netlink updown
+}
+
+libstrongswan {
   plugins {
-    sql {
-      database = sqlite:///etc/ipsec.d/ipsec.db 
+    attr-sql {
+      database = sqlite:///etc/ipsec.d/ipsec.db
     }
   }
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke sqlite sql kernel-netlink updown
 }
 
 pool {
diff --git a/testing/tests/ikev2/ip-two-pools/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools/hosts/alice/etc/strongswan.conf
index 40eb84b8a..06b1e9f48 100644
--- a/testing/tests/ikev2/ip-two-pools/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/ip-two-pools/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools/hosts/carol/etc/strongswan.conf
index 40eb84b8a..06b1e9f48 100644
--- a/testing/tests/ikev2/ip-two-pools/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/strongswan.conf
index 40eb84b8a..06b1e9f48 100644
--- a/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/mobike-nat/description.txt b/testing/tests/ikev2/mobike-nat/description.txt
index ba8fc5bf0..428ac0883 100644
--- a/testing/tests/ikev2/mobike-nat/description.txt
+++ b/testing/tests/ikev2/mobike-nat/description.txt
@@ -1,5 +1,5 @@
 The roadwarrior <b>alice</b> is sitting behind the NAT router <b>moon</b> but
-at the outset of the scenariou is also directly connected to the 192.168.0.0/24 network
+at the outset of the scenario is also directly connected to the 192.168.0.0/24 network
 via an additional <b>eth1</b> interface. <b>alice</b> builds up a tunnel to gateway <b>sun</b>
 in order to reach <b>bob</b> in the subnet behind. When the <b>eth1</b> interface
 goes away, <b>alice</b> switches to <b>eth0</b> and signals the IP address change 
diff --git a/testing/tests/ikev2/mobike-nat/hosts/alice/etc/init.d/iptables b/testing/tests/ikev2/mobike-nat/hosts/alice/etc/init.d/iptables
index db18182a3..cf0d65c58 100755
--- a/testing/tests/ikev2/mobike-nat/hosts/alice/etc/init.d/iptables
+++ b/testing/tests/ikev2/mobike-nat/hosts/alice/etc/init.d/iptables
@@ -17,6 +17,10 @@ start() {
 	/sbin/iptables -P OUTPUT DROP
 	/sbin/iptables -P FORWARD DROP
 
+        # allow IPsec tunnel traffic
+        iptables -A INPUT  -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
+        iptables -A OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT
+
 	# allow esp
 	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
 	iptables -A INPUT  -i eth1 -p 50 -j ACCEPT
diff --git a/testing/tests/ikev2/mobike-nat/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/mobike-nat/hosts/alice/etc/ipsec.conf
index 5c93d1462..ed670efb1 100755
--- a/testing/tests/ikev2/mobike-nat/hosts/alice/etc/ipsec.conf
+++ b/testing/tests/ikev2/mobike-nat/hosts/alice/etc/ipsec.conf
@@ -17,7 +17,6 @@ conn mobike
 	leftsourceip=%config
 	leftcert=aliceCert.pem
 	leftid=alice@strongswan.org
-	leftfirewall=yes
 	right=PH_IP_SUN
 	rightid=@sun.strongswan.org
 	rightsubnet=10.2.0.0/16
diff --git a/testing/tests/ikev2/mobike-nat/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/mobike-nat/hosts/alice/etc/strongswan.conf
index 40eb84b8a..572cf39cb 100644
--- a/testing/tests/ikev2/mobike-nat/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/mobike-nat/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/mobike-nat/hosts/sun/etc/init.d/iptables b/testing/tests/ikev2/mobike-nat/hosts/sun/etc/init.d/iptables
new file mode 100755
index 000000000..642c414d5
--- /dev/null
+++ b/testing/tests/ikev2/mobike-nat/hosts/sun/etc/init.d/iptables
@@ -0,0 +1,84 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+	before net
+	need logger
+}
+
+start() {
+	ebegin "Starting firewall"
+
+	# enable IP forwarding
+	echo 1 > /proc/sys/net/ipv4/ip_forward
+	
+	# default policy is DROP
+	/sbin/iptables -P INPUT DROP
+	/sbin/iptables -P OUTPUT DROP
+	/sbin/iptables -P FORWARD DROP
+
+	# allow IPsec tunnel traffic
+	iptables -A FORWARD -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
+	iptables -A FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT
+
+	# allow esp
+	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+	# allow IKE
+	iptables -A INPUT  -i eth0 -p udp --dport 500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
+
+        # allow NAT-T 
+	iptables -A INPUT  -i eth0 -p udp --dport 4500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
+
+	# allow crl fetch from winnetou
+	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+	# allow ssh
+	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
+	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+	
+			if [ $a == nat ]; then
+				/sbin/iptables -t nat -P PREROUTING ACCEPT
+				/sbin/iptables -t nat -P POSTROUTING ACCEPT
+				/sbin/iptables -t nat -P OUTPUT ACCEPT
+			elif [ $a == mangle ]; then
+				/sbin/iptables -t mangle -P PREROUTING ACCEPT
+				/sbin/iptables -t mangle -P INPUT ACCEPT
+				/sbin/iptables -t mangle -P FORWARD ACCEPT
+				/sbin/iptables -t mangle -P OUTPUT ACCEPT
+				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
+			elif [ $a == filter ]; then
+				/sbin/iptables -t filter -P INPUT ACCEPT
+				/sbin/iptables -t filter -P FORWARD ACCEPT
+				/sbin/iptables -t filter -P OUTPUT ACCEPT
+			fi
+		done
+	eend $?
+}
+
+reload() {
+	ebegin "Flushing firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+		done;
+        eend $?
+	start
+}
+
diff --git a/testing/tests/ikev2/mobike-nat/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/mobike-nat/hosts/sun/etc/ipsec.conf
index d6121511e..ca4d84e16 100755
--- a/testing/tests/ikev2/mobike-nat/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev2/mobike-nat/hosts/sun/etc/ipsec.conf
@@ -16,7 +16,6 @@ conn mobike
 	left=PH_IP_SUN
 	leftcert=sunCert.pem
 	leftid=@sun.strongswan.org
-	leftfirewall=yes
 	leftsubnet=10.2.0.0/16
 	right=%any
 	rightsourceip=10.3.0.3
diff --git a/testing/tests/ikev2/mobike-nat/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/mobike-nat/hosts/sun/etc/strongswan.conf
index 40eb84b8a..572cf39cb 100644
--- a/testing/tests/ikev2/mobike-nat/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/mobike-nat/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/init.d/iptables b/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/init.d/iptables
index db18182a3..cf0d65c58 100755
--- a/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/init.d/iptables
+++ b/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/init.d/iptables
@@ -17,6 +17,10 @@ start() {
 	/sbin/iptables -P OUTPUT DROP
 	/sbin/iptables -P FORWARD DROP
 
+        # allow IPsec tunnel traffic
+        iptables -A INPUT  -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
+        iptables -A OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT
+
 	# allow esp
 	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
 	iptables -A INPUT  -i eth1 -p 50 -j ACCEPT
diff --git a/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/ipsec.conf
index 5c93d1462..ed670efb1 100755
--- a/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/ipsec.conf
+++ b/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/ipsec.conf
@@ -17,7 +17,6 @@ conn mobike
 	leftsourceip=%config
 	leftcert=aliceCert.pem
 	leftid=alice@strongswan.org
-	leftfirewall=yes
 	right=PH_IP_SUN
 	rightid=@sun.strongswan.org
 	rightsubnet=10.2.0.0/16
diff --git a/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/strongswan.conf
index 40eb84b8a..572cf39cb 100644
--- a/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/init.d/iptables b/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/init.d/iptables
new file mode 100755
index 000000000..642c414d5
--- /dev/null
+++ b/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/init.d/iptables
@@ -0,0 +1,84 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+	before net
+	need logger
+}
+
+start() {
+	ebegin "Starting firewall"
+
+	# enable IP forwarding
+	echo 1 > /proc/sys/net/ipv4/ip_forward
+	
+	# default policy is DROP
+	/sbin/iptables -P INPUT DROP
+	/sbin/iptables -P OUTPUT DROP
+	/sbin/iptables -P FORWARD DROP
+
+	# allow IPsec tunnel traffic
+	iptables -A FORWARD -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
+	iptables -A FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT
+
+	# allow esp
+	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+	# allow IKE
+	iptables -A INPUT  -i eth0 -p udp --dport 500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
+
+        # allow NAT-T 
+	iptables -A INPUT  -i eth0 -p udp --dport 4500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
+
+	# allow crl fetch from winnetou
+	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+	# allow ssh
+	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
+	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+	
+			if [ $a == nat ]; then
+				/sbin/iptables -t nat -P PREROUTING ACCEPT
+				/sbin/iptables -t nat -P POSTROUTING ACCEPT
+				/sbin/iptables -t nat -P OUTPUT ACCEPT
+			elif [ $a == mangle ]; then
+				/sbin/iptables -t mangle -P PREROUTING ACCEPT
+				/sbin/iptables -t mangle -P INPUT ACCEPT
+				/sbin/iptables -t mangle -P FORWARD ACCEPT
+				/sbin/iptables -t mangle -P OUTPUT ACCEPT
+				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
+			elif [ $a == filter ]; then
+				/sbin/iptables -t filter -P INPUT ACCEPT
+				/sbin/iptables -t filter -P FORWARD ACCEPT
+				/sbin/iptables -t filter -P OUTPUT ACCEPT
+			fi
+		done
+	eend $?
+}
+
+reload() {
+	ebegin "Flushing firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+		done;
+        eend $?
+	start
+}
+
diff --git a/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/ipsec.conf
index 18a67cde0..1c8be1db4 100755
--- a/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/ipsec.conf
@@ -16,7 +16,6 @@ conn mobike
 	left=PH_IP_SUN
 	leftcert=sunCert.pem
 	leftid=@sun.strongswan.org
-	leftfirewall=yes
 	leftsubnet=10.2.0.0/16
 	right=PH_IP_ALICE1
 	rightsourceip=10.3.0.3
diff --git a/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/strongswan.conf
index 40eb84b8a..572cf39cb 100644
--- a/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/mobike/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/mobike/hosts/alice/etc/strongswan.conf
index 40eb84b8a..572cf39cb 100644
--- a/testing/tests/ikev2/mobike/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/mobike/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/mobike/hosts/sun/etc/init.d/iptables b/testing/tests/ikev2/mobike/hosts/sun/etc/init.d/iptables
new file mode 100755
index 000000000..6934b1948
--- /dev/null
+++ b/testing/tests/ikev2/mobike/hosts/sun/etc/init.d/iptables
@@ -0,0 +1,90 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+	before net
+	need logger
+}
+
+start() {
+	ebegin "Starting firewall"
+
+        # enable IP forwarding
+        echo 1 > /proc/sys/net/ipv4/ip_forward
+
+	# default policy is DROP
+	/sbin/iptables -P INPUT DROP
+	/sbin/iptables -P OUTPUT DROP
+	/sbin/iptables -P FORWARD DROP
+
+        # allow IPsec tunnel traffic
+        iptables -A FORWARD -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
+        iptables -A FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT
+
+	# allow esp
+	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
+	iptables -A INPUT  -i eth1 -p 50 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+	iptables -A OUTPUT -o eth1 -p 50 -j ACCEPT
+
+	# allow IKE
+	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+	iptables -A INPUT  -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+	iptables -A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
+
+	# allow MobIKE
+	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+	iptables -A INPUT  -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+	iptables -A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+	# allow crl fetch from winnetou
+	iptables -A INPUT  -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+	iptables -A OUTPUT -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+	# allow ssh
+	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
+	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+	
+			if [ $a == nat ]; then
+				/sbin/iptables -t nat -P PREROUTING ACCEPT
+				/sbin/iptables -t nat -P POSTROUTING ACCEPT
+				/sbin/iptables -t nat -P OUTPUT ACCEPT
+			elif [ $a == mangle ]; then
+				/sbin/iptables -t mangle -P PREROUTING ACCEPT
+				/sbin/iptables -t mangle -P INPUT ACCEPT
+				/sbin/iptables -t mangle -P FORWARD ACCEPT
+				/sbin/iptables -t mangle -P OUTPUT ACCEPT
+				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
+			elif [ $a == filter ]; then
+				/sbin/iptables -t filter -P INPUT ACCEPT
+				/sbin/iptables -t filter -P FORWARD ACCEPT
+				/sbin/iptables -t filter -P OUTPUT ACCEPT
+			fi
+		done
+	eend $?
+}
+
+reload() {
+	ebegin "Flushing firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+		done;
+        eend $?
+	start
+}
+
diff --git a/testing/tests/ikev2/mobike/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/mobike/hosts/sun/etc/ipsec.conf
index 1367e784f..4806cd9c8 100755
--- a/testing/tests/ikev2/mobike/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev2/mobike/hosts/sun/etc/ipsec.conf
@@ -16,7 +16,6 @@ conn mobike
 	left=PH_IP_SUN
 	leftcert=sunCert.pem
 	leftid=@sun.strongswan.org
-	leftfirewall=yes
 	leftsubnet=10.2.0.0/16
 	right=PH_IP_ALICE1
 	rightid=alice@strongswan.org
diff --git a/testing/tests/ikev2/mobike/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/mobike/hosts/sun/etc/strongswan.conf
index 40eb84b8a..572cf39cb 100644
--- a/testing/tests/ikev2/mobike/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/mobike/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/strongswan.conf
index cc451fc8d..49f69ff0c 100644
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink fips-prf eapsim eapsim-file eapidentity updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink fips-prf eap-sim eap-sim-file eap-identity updown
 }
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/strongswan.conf
index cc451fc8d..49f69ff0c 100644
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink fips-prf eapsim eapsim-file eapidentity updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink fips-prf eap-sim eap-sim-file eap-identity updown
 }
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/strongswan.conf
index 10414b29a..9f3c6bfa3 100644
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/strongswan.conf
@@ -1,10 +1,10 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink fips-prf eapradius eapidentity updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink fips-prf eap-radius eap-identity updown
   plugins {
-    eap_radius {
-      secret = gv6URkSs 
+    eap-radius {
+      secret = gv6URkSs
       server = PH_IP_ALICE
     }
   }
diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/strongswan.conf
index ef63f7262..572cf39cb 100644
--- a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/strongswan.conf
index ef63f7262..572cf39cb 100644
--- a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/moon/etc/strongswan.conf
index ef63f7262..572cf39cb 100644
--- a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/strongswan.conf
index ef63f7262..572cf39cb 100644
--- a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/strongswan.conf
index ef63f7262..572cf39cb 100644
--- a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/moon/etc/strongswan.conf
index ef63f7262..572cf39cb 100644
--- a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf
index c234f3a32..3db5e8aef 100644
--- a/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = ldap aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = ldap aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf
index c234f3a32..3db5e8aef 100644
--- a/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = ldap aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = ldap aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf
index 7ab4e2a42..c9e6722ae 100644
--- a/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = ldap aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = ldap aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/multi-level-ca-loop/evaltest.dat b/testing/tests/ikev2/multi-level-ca-loop/evaltest.dat
index 0b7b02801..6b77a8161 100644
--- a/testing/tests/ikev2/multi-level-ca-loop/evaltest.dat
+++ b/testing/tests/ikev2/multi-level-ca-loop/evaltest.dat
@@ -1,4 +1,4 @@
-moon::cat /var/log/daemon.log::maximum ca path length of 7 levels reached::YES
+moon::cat /var/log/daemon.log::maximum path length of 7 exceeded::YES
 carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
 carol::ipsec status::alice.*INSTALLED::NO
 moon::ipsec status::alice.*ESTABLISHED.*carol@strongswan.org::NO
diff --git a/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/strongswan.conf
index ef63f7262..572cf39cb 100644
--- a/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/strongswan.conf
index ef63f7262..572cf39cb 100644
--- a/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/description.txt b/testing/tests/ikev2/multi-level-ca-pathlen/description.txt
new file mode 100644
index 000000000..1852f7157
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-pathlen/description.txt
@@ -0,0 +1,5 @@
+The <b>strongSwan Root CA</b> constrains the path length to <b>one</b> intermediate CA
+but the <b>Research CA</b> creates a subsidiary <b>Duck Research CA</b> which in turn
+issues an end entity certificate to roadwarrior <b>carol</b> so that the total
+path length becomes <b>two</b>. This is detected by gateway <b>moon</b> which aborts
+the negotiation.
diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/evaltest.dat b/testing/tests/ikev2/multi-level-ca-pathlen/evaltest.dat
new file mode 100644
index 000000000..266f0d0da
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-pathlen/evaltest.dat
@@ -0,0 +1,4 @@
+moon::cat /var/log/daemon.log::path length of 2 violates constraint of 1::YES
+carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
+carol::ipsec status::home.*INSTALLED::NO
+moon::ipsec status::duck.*INSTALLED::NO
diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..64539ccc2
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_CAROL
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftsendcert=ifasked
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
+
diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/certs/carolCert.pem
new file mode 100644
index 000000000..4e13b52d0
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/certs/carolCert.pem
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIIEBzCCAu+gAwIBAgIBATANBgkqhkiG9w0BAQsFADBWMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxGTAX
+BgNVBAMTEER1Y2sgUmVzZWFyY2ggQ0EwHhcNMDkxMTA0MTYyMzM1WhcNMTQxMTAz
+MTYyMzM1WjBfMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dh
+bjEWMBQGA1UECxMNRHVjayBSZXNlYXJjaDEdMBsGA1UEAxQUY2Fyb2xAc3Ryb25n
+c3dhbi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6LueCi67Y
+IGRDKP5bkysGWZHrFrztq7elIFCPPSUxyIOYo4Upzr5WsvO0dIfcZY3agV2NcAI2
+30sATlfTUp+obedZMHbzE3VBvQuLjgK42ox2XIXDj23Vy496mVqlwUQulhBcAhMb
+jnBb4T0aR7WCnJvfzyckEyWrTN0ajRyQhJEmTn+spYNQX/2lg6hEn/K1T/3Py7sG
+veeF6BRenHR5L60NSK7qV7AU+hM4R0UIvgwYqzxSStgGS9G6Bwj9QTOWwSV1tuii
+ABiRdZSBoON0uMMpRjgEzuVe0f4VbOCIEXO8MtdpCu7Rwa9tc8OwneLcGCYVomr5
+7KKRJdvC5As3AgMBAAGjgdYwgdMwCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYD
+VR0OBBYEFFSYDz2TYOMxfyrIx20NhPPHTCOIMHkGA1UdIwRyMHCAFHYqqKQxp8Zx
+jzAlvAJmm8sXVI0goVWkUzBRMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXgg
+c3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDASBgNVBAMTC1Jlc2VhcmNo
+IENBggEFMB8GA1UdEQQYMBaBFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMA0GCSqGSIb3
+DQEBCwUAA4IBAQBIpl8SH4Nytgr6KvmXzns80u615WnDmP6oJrnwIZUkunVns8HH
+TFUVjvDKoQ+8CvuaH9Ifo2dokGjtGObeO4Y38y0xBIkUO+JpwfTa3SeCEhdOZb3G
+4e9WxHhV9IGfRyPsXQG+3JpAMaHYH+PNKiv7RBTq6rGaHzvgUEXRMTbv/bJI+Fs6
+Yfd/XxIur/ftVh4dZocyC74MUyXy5tyZJkHe1aBszOa0iT1852fq93lNUQPQqw0O
+3q3Lg7CvbNSdWqeAMqUgeBqh6oQItY9Exrwh0tfuCsjZ0oWXUBghsuiV+GTmZ6ok
+BiGmSmtX5OD4UtKcicuMRqnK2MYJHp1z1goE
+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/private/carolKey.pem
new file mode 100644
index 000000000..48727ed9d
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/private/carolKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAui7ngouu2CBkQyj+W5MrBlmR6xa87au3pSBQjz0lMciDmKOF
+Kc6+VrLztHSH3GWN2oFdjXACNt9LAE5X01KfqG3nWTB28xN1Qb0Li44CuNqMdlyF
+w49t1cuPeplapcFELpYQXAITG45wW+E9Gke1gpyb388nJBMlq0zdGo0ckISRJk5/
+rKWDUF/9pYOoRJ/ytU/9z8u7Br3nhegUXpx0eS+tDUiu6lewFPoTOEdFCL4MGKs8
+UkrYBkvRugcI/UEzlsEldbboogAYkXWUgaDjdLjDKUY4BM7lXtH+FWzgiBFzvDLX
+aQru0cGvbXPDsJ3i3BgmFaJq+eyikSXbwuQLNwIDAQABAoIBAGK7cOXXsTbHpqO+
+33QsjQpnAWyLuFDJWS/l/RKYuFq4HKEbRgivrFxJtdciXNHRwPH43GWe2m3C6AEX
+ipd0H1qwPZkcjFfHH81mtPKismrY6tfxpLXaH8LamhHHtTxlSwTxa2d/aiaY2JjA
+zyhakrTa3AZJ0lXdGYLH1hC4eEdiPghIqwL8YNB0V2ldq+bMdtQ1i3dcmseV9TI2
+DEAKWzjc7oIcuY9HtfEEAIPzSSqwrM7wUWd9dk70o7b05eK9pnTF59Lnk5U1J1Ag
+QnXBHBZfLVDnTYd+dFWM8wUIpO0n6ccUToINppwSejyOs726jUuWGZCthxLBsFZp
+5Pj9B6ECgYEA3lRxGRJsAfMoyOc4kLfDmlDtrP88knRlqRW7mVYjclhMbVtrtaTP
+44VqmxKIVNQt1p5hB/Gn4kbhC7OnUja/FVHdosEjFhYNh+QCisyaS2V7RNyEidJX
+Q61V8v0Z7MxHxxDljVvWfSdAUDRrFwWYxRXZJWwStEmtdAbiZa6aydkCgYEA1mEV
+2D+gaR+oBouqcZMiSAjV/qHbnfw4EC2XFCw84JMPerBwl4noWCgvgf0lRirbI+Ar
+PDOfoclLnDQRgnqkK4okSIW0SddxttbKdDhhZ2c2CoyKxUqN7/NEyy/tZ2WZRcmX
+LILTLXzi/9qq8lF9odjIl5KKsRpXhqMsf5b1w48CgYEAqDT8yDo+yw7b6Xu+OQc/
+Ds5xs3P7sNYtX8qYfz9DXCxfzlDfYbMKsZlr+V0BFiTddUWoJal4GeMEOqU2TyYq
+VYf1hkBXOkt++zPPlJGNnsNtisDH6bng2cwXfdpttdEr8Pjgo5063r9GkifGacmL
+Nnj8K6rjT9F6UJEw0jtS0qkCgYAi3RMSYfaSYgWPWvNTGRyAHn++s0/l93iemOty
+6mbUFtZzm3IUEudoPtDLEQIY0StmQDSHy9VwGC5lrsoSMCO2uPaBnMzfHVxu4at3
+Dxw4Fr7hJE4FG8TNewB7EsZHBGzSvqAJKxVw1liMR2F5musVgQ3OKJTJjIEjcjHw
+Zfp93QKBgQCPp6SH510qK9Rf+HjeWXJpOB2ByruC5rBgqrxE4rbIB3/fAl86a3Kq
+Q1VqdGb+CW0FlkPshDmmdi3IoCliXywadSaXi/unPfPTel0pQAC8NM7WpPoaUfnS
+QgL5iNXshicKoE8U6PRhYvn81zVpt4bFn3DZRgIlau2GQnijLkGvQw==
+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..fac55d63b
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA carolKey.pem
diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..572cf39cb
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
+}
diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..528dda39b
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn duck 
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftsendcert=ifasked
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	right=%any
+	rightca="C=CH, O=Linux strongSwan, OU=Research, CN=Duck Research CA"
+	auto=add
diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/ipsec.d/cacerts/duckCert.pem b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/ipsec.d/cacerts/duckCert.pem
new file mode 100644
index 000000000..bb205a0fd
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/ipsec.d/cacerts/duckCert.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIID0jCCArqgAwIBAgIBBTANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS
+BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTA5MTEwNDE2MTUwM1oXDTE1MTEwMzE2MTUw
+M1owVjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP
+BgNVBAsTCFJlc2VhcmNoMRkwFwYDVQQDExBEdWNrIFJlc2VhcmNoIENBMIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApIBRSgHCxHhMjsVZo4PtFnENkHNu
+MfyRDsc7m1KRDVt8N4h/EcbduU7xeq/RjxZSmlc1q6EWEgDv3KwDYY0sX+qrpQKa
+ub5AgsRa2fOOR9xfyf0Q7Nc3oR3keWqQUiigCuaw9NQRtdMm/JFdXLNY3r60tBsO
+UHOJAPZNoGPey5UL9ZjjsN6ROUVTh0NAkFwkmnTRwmUvY5bi/T7ulsSkO9BrfqKD
+h/pliP7uZANd0ZpPcrIc68WwrelpI1zu0kYGqu/y8HZpuPuAXtGqS2jctrjSieeY
+i9wFLnS2tgV3ID4LzEEICSeqVqOvYgGKbarqLkARdxmdRKM9QYpu+5J+YQIDAQAB
+o4GvMIGsMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgEGMB0GA1UdDgQWBBR2
+KqikMafGcY8wJbwCZpvLF1SNIDBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p
+891UIKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3
+YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBDzANBgkqhkiG9w0BAQsF
+AAOCAQEAsHR1vDlz2sPQpD9xnt1PL4qX7XWSSM6d+QG3cjdiKCjH8t78ecEm1duv
+YozLg6SYHGUF9qYuPz2SAZjQjmIWLlkQpBfQm8/orG+jbsQl5HkXFYX0UWAKZFGx
+rjHnOzmQxnmIWHky4uMDT/UmhmWy6kuCmZbKeeOqkBR2gVxfLyzelTSbF4ntEm1C
+1XqqtM4OfTOD5QUPD+6rZ5RoIPId9+2A8pJ2NyCUCf47FbkmYzU5+oiChhcGzsC5
+wDlgP32NA88kSiSJ2p2ZveYveRqcyZXZDAiTxRaIwJY0bt2Dk4wKicvy6vPdLA5v
+DSlBqDpnqK8tEI9V9YeroihTcygrEg==
+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem
new file mode 100644
index 000000000..154cff654
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIIDwTCCAqmgAwIBAgIBDzANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA1MDYyMTE5NTgwNloXDTEwMDYyMDE5NTgwNlowUTELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
+cmNoMRQwEgYDVQQDEwtSZXNlYXJjaCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBALY5sjqm4AdbWKc/T7JahWpy9xtdPbHngBN6lbnpYaHfrxnGsvmD
+FCFZHCd7egRqQ/AuJHHcEv3DUdfJWWAypVnUvdlcp58hBjpxfTPXP9IDBxzQaQyU
+zsExIGWOVUY2e7xJ5BKBnXVkok3htY4Hr1GdqNh+3LEmbegJBngTRSRx4PKJ54FO
+/b78LUzB+rMxrzxw/lnI8jEmAtKlugQ7c9auMeFCz+NmlSfnSoWhHN5qm+0iNKy0
+C+25IuE8Nq+i3jtBiI8BwBqHY3u2IuflUh9Nc9d/R6vGsRPMHs30X1Ha/m0Ug494
++wwqwfEBZRjzxMmMF/1SG4I1E3TDOJ3srjkCAwEAAaOBrzCBrDAPBgNVHRMBAf8E
+BTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU53XwoPKtIM3NYCPMx8gPKfPd
+VCAwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNV
+BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJv
+bmdTd2FuIFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQEEBQADggEBAHArS2trQnBoMVcg
+Br3HV78wYsa1MNAQCBAPhKMMd6EziO4FTwgNgecbKXpObX6ErFDgjtVTcLOMTvNX
+fvZoNuPpdcitlgcWjfxZafNbj6j9ClE/rMbGDO64NLhdXuPVkbmic6yXRwGZpTuq
+3CKgTguLvhzIEM47yfonXKaaJcKVPI7nYRZdlJmD4VflYrSUpzB361dCaPpl0AYa
+0zz1+jfBBvlyic/tf+cCngV3f+GlJ4ntZ3gvRjyysHRmYpWBD7xcA8mJzgUiMyi1
+IKeNzydp+tnLfxwetfA/8ptc346me7RktAaASqO9vpS/N78eXyJRthZTKEf/OqVW
+Tfcyi+M=
+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..572cf39cb
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
+}
diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/posttest.dat b/testing/tests/ikev2/multi-level-ca-pathlen/posttest.dat
new file mode 100644
index 000000000..f84b7e37b
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-pathlen/posttest.dat
@@ -0,0 +1,3 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::rm /etc/ipsec.d/cacerts/*
diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/pretest.dat b/testing/tests/ikev2/multi-level-ca-pathlen/pretest.dat
new file mode 100644
index 000000000..9f0232a7b
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-pathlen/pretest.dat
@@ -0,0 +1,5 @@
+moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+carol::ipsec start
+moon::ipsec start
+carol::sleep 2
+carol::ipsec up home 
diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/test.conf b/testing/tests/ikev2/multi-level-ca-pathlen/test.conf
new file mode 100644
index 000000000..b118cb7dc
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-pathlen/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice venus moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/strongswan.conf
index ef63f7262..572cf39cb 100644
--- a/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/strongswan.conf
index ef63f7262..572cf39cb 100644
--- a/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/strongswan.conf
index ef63f7262..572cf39cb 100644
--- a/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/strongswan.conf
index ef63f7262..572cf39cb 100644
--- a/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/strongswan.conf
index ef63f7262..572cf39cb 100644
--- a/testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/strongswan.conf
index ef63f7262..572cf39cb 100644
--- a/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/strongswan.conf
index ef63f7262..572cf39cb 100644
--- a/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/strongswan.conf
index ef63f7262..572cf39cb 100644
--- a/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/nat-one-rw/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/nat-one-rw/hosts/alice/etc/strongswan.conf
index 8a6df98fa..77f09f216 100644
--- a/testing/tests/ikev2/nat-one-rw/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/nat-one-rw/hosts/alice/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   keep_alive = 1d 
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/nat-one-rw/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/nat-one-rw/hosts/sun/etc/strongswan.conf
index 40eb84b8a..06b1e9f48 100644
--- a/testing/tests/ikev2/nat-one-rw/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/nat-one-rw/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/nat-two-rw-psk/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/nat-two-rw-psk/hosts/alice/etc/strongswan.conf
index 20c58007c..f82f32d1d 100644
--- a/testing/tests/ikev2/nat-two-rw-psk/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/nat-two-rw-psk/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink updown
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/nat-two-rw-psk/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/nat-two-rw-psk/hosts/sun/etc/strongswan.conf
index 20c58007c..f82f32d1d 100644
--- a/testing/tests/ikev2/nat-two-rw-psk/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/nat-two-rw-psk/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink updown
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/nat-two-rw-psk/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2/nat-two-rw-psk/hosts/venus/etc/strongswan.conf
index 20c58007c..f82f32d1d 100644
--- a/testing/tests/ikev2/nat-two-rw-psk/hosts/venus/etc/strongswan.conf
+++ b/testing/tests/ikev2/nat-two-rw-psk/hosts/venus/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink updown
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/nat-two-rw/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/nat-two-rw/hosts/alice/etc/strongswan.conf
index 40eb84b8a..06b1e9f48 100644
--- a/testing/tests/ikev2/nat-two-rw/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/nat-two-rw/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/nat-two-rw/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/nat-two-rw/hosts/sun/etc/strongswan.conf
index 40eb84b8a..06b1e9f48 100644
--- a/testing/tests/ikev2/nat-two-rw/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/nat-two-rw/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/nat-two-rw/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2/nat-two-rw/hosts/venus/etc/strongswan.conf
index 40eb84b8a..06b1e9f48 100644
--- a/testing/tests/ikev2/nat-two-rw/hosts/venus/etc/strongswan.conf
+++ b/testing/tests/ikev2/nat-two-rw/hosts/venus/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf
index 4731a81d2..9af403198 100644
--- a/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf
index 4731a81d2..9af403198 100644
--- a/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/net2net-pgp-v3/description.txt b/testing/tests/ikev2/net2net-pgp-v3/description.txt
new file mode 100644
index 000000000..bd680b57a
--- /dev/null
+++ b/testing/tests/ikev2/net2net-pgp-v3/description.txt
@@ -0,0 +1,6 @@
+A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
+The authentication is based on <b>OpenPGP V3 keys</b>. Upon the successful
+establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
+pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/ikev2/net2net-pgp-v3/evaltest.dat b/testing/tests/ikev2/net2net-pgp-v3/evaltest.dat
new file mode 100644
index 000000000..1a3759e34
--- /dev/null
+++ b/testing/tests/ikev2/net2net-pgp-v3/evaltest.dat
@@ -0,0 +1,5 @@
+moon::ipsec status::net-net.*INSTALLED::YES
+sun::ipsec status::net-net.*INSTALLED::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..405cd06bf
--- /dev/null
+++ b/testing/tests/ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	
+conn net-net
+	left=PH_IP_MOON
+	leftsubnet=10.1.0.0/16
+	leftcert=moonCert.asc
+	leftid=@#71270432cd763a18020ac988c0e75aed
+	leftfirewall=yes
+	right=PH_IP_SUN
+	rightsubnet=10.2.0.0/16
+	rightcert=sunCert.asc
+	auto=add
diff --git a/testing/tests/ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/moonCert.asc b/testing/tests/ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/moonCert.asc
new file mode 100644
index 000000000..135cfaec0
--- /dev/null
+++ b/testing/tests/ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/moonCert.asc
@@ -0,0 +1,15 @@
+Type Bits/KeyID    Date       User ID
+pub  1024/613A3B61 2005/08/07 moon <moon.strongswan.org>
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: 2.6.3i
+
+mQCNA0L2KI8AAAEEAM5GYrwuf1M9Cv7+Yfr6i5+17zMVGIyj/D4+msK43iUbEH61
++bhRKcrF+9NKvM+ujjZoUbfGjUipsBbTlPTaY7muZ9KaVy2OBHm73x13eiemkPS9
+RFWesrL9L39aBO5K47ti0PwRP8QIPMaNWMs2z7yoZLE/flVNQfWsCnlhOjthAAUR
+tBptb29uIDxtb29uLnN0cm9uZ3N3YW4ub3JnPokAlQMFEEL2KI/1rAp5YTo7YQEB
+vX4EAKtr0e6WMDIRlpE4VhhdQ7AgBgGyhgfqAdD9KDx8o4fG4nkmh7H1bG/PLJA1
+f+UfDGnOyIwPOrILNyNnwAbDHXjJaNylahM7poOP7i0VlbhZPLAC0cSQi02/Zrac
+t5bED5tHSrNSjcA/CjuxRuu9lmR6s57IQnQnwt9I4LTM+CFP
+=oaBj
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/testing/tests/ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/sunCert.asc b/testing/tests/ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/sunCert.asc
new file mode 100644
index 000000000..32f204b10
--- /dev/null
+++ b/testing/tests/ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/sunCert.asc
@@ -0,0 +1,15 @@
+Type Bits/KeyID    Date       User ID
+pub  1024/79949ADD 2005/08/07 sun <sun.strongswan.org>
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: 2.6.3i
+
+mQCNA0L2Km8AAAEEANRAVMn8HBxfYaGhLqtQ3IZJArn9wpcQ+7sH/F9PaXIjzHRQ
+rfFkfmxxp9lVjCk0LM/BnnlnUmyz6F8K7V0Gi40Am4+ln1zHvZZIQJYGrDhDnjb7
+I5TVeD4Ib5bQ1CoUbIhv2LocCeR6OjefQgGmerC5RQ3d5ci7uB0pVpd5lJrdAAUR
+tBhzdW4gPHN1bi5zdHJvbmdzd2FuLm9yZz6JAJUDBRBC9ipvHSlWl3mUmt0BAUZR
+A/43nuZbxADMSviu54Mj8pvQbYeGLQVabiWT6h7L0ZPX4MWpFH3dTixBfRrZRSsj
+0AgiMMuZAMebfOe+Xf9uDQv7p1yumEiNg43tg85zyawkARWNTZZ04woxtvAqNwXn
+lQotGz7YA6JMxry9RQo5yI4Y4dPnVZ/o8eDpP0+I88cOhQ==
+=lLvB
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/testing/tests/ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/private/moonKey.asc b/testing/tests/ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/private/moonKey.asc
new file mode 100644
index 000000000..6524773e0
--- /dev/null
+++ b/testing/tests/ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/private/moonKey.asc
@@ -0,0 +1,19 @@
+Type Bits/KeyID    Date       User ID
+sec  1024/613A3B61 2005/08/07 moon <moon.strongswan.org>
+
+-----BEGIN PGP SECRET KEY BLOCK-----
+Version: 2.6.3i
+
+lQHYA0L2KI8AAAEEAM5GYrwuf1M9Cv7+Yfr6i5+17zMVGIyj/D4+msK43iUbEH61
++bhRKcrF+9NKvM+ujjZoUbfGjUipsBbTlPTaY7muZ9KaVy2OBHm73x13eiemkPS9
+RFWesrL9L39aBO5K47ti0PwRP8QIPMaNWMs2z7yoZLE/flVNQfWsCnlhOjthAAUR
+AAP9Fj7OaaCfTL3Met8yuS8ZGMDL/fq+4f2bM+OdPSgD4N1Fiye0B1QMCVGWI1Xd
+JXS0+9QI0A3iD12YAnYwsP50KmsLHA69AqchN7BuimoMfHDXqpTSRW57E9MCEzQ9
+FFN8mVPRiDxAUro8qCjdHmk1vmtdt/PXn1BuXHE36SzZmmMCANBA4WHaO6MJshM6
+7StRicSCxoMn/lPcj6rfJS4EaS+a0MwECxKQ3HKTpP3/+7kaWfLI/D65Xmi3cVK3
+0CPwUK8CAP2RYWoBZPSA8dBGFYwR7W6bdNYhdmGmsVCaM7v4sVr0FwHwMERadByN
+8v0n5As3ZbrCURRp68wuE+JjfOM5mO8CAM3ZK7AVlBOqkoI3X3Ji3yviLlsr2ET7
+QrVKFQBq7eUhwYFo6mVemEqQb61tGirq+qL4Wfk/7+FffZPsUyLX1amfjLQabW9v
+biA8bW9vbi5zdHJvbmdzd2FuLm9yZz4=
+=YFQm
+-----END PGP SECRET KEY BLOCK-----
diff --git a/testing/tests/ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..afb1ff927
--- /dev/null
+++ b/testing/tests/ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.asc
diff --git a/testing/tests/ikev2/net2net-pgp-v3/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-pgp-v3/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..39d7154e2
--- /dev/null
+++ b/testing/tests/ikev2/net2net-pgp-v3/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 pgp gmp random stroke kernel-netlink updown
+}
+
diff --git a/testing/tests/ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.conf
new file mode 100755
index 000000000..4460106de
--- /dev/null
+++ b/testing/tests/ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	
+conn net-net
+	left=PH_IP_SUN
+	leftsubnet=10.2.0.0/16
+	leftcert=sunCert.asc
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightcert=moonCert.asc
+	rightid=@#71270432cd763a18020ac988c0e75aed
+	auto=add
diff --git a/testing/tests/ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/moonCert.asc b/testing/tests/ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/moonCert.asc
new file mode 100644
index 000000000..135cfaec0
--- /dev/null
+++ b/testing/tests/ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/moonCert.asc
@@ -0,0 +1,15 @@
+Type Bits/KeyID    Date       User ID
+pub  1024/613A3B61 2005/08/07 moon <moon.strongswan.org>
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: 2.6.3i
+
+mQCNA0L2KI8AAAEEAM5GYrwuf1M9Cv7+Yfr6i5+17zMVGIyj/D4+msK43iUbEH61
++bhRKcrF+9NKvM+ujjZoUbfGjUipsBbTlPTaY7muZ9KaVy2OBHm73x13eiemkPS9
+RFWesrL9L39aBO5K47ti0PwRP8QIPMaNWMs2z7yoZLE/flVNQfWsCnlhOjthAAUR
+tBptb29uIDxtb29uLnN0cm9uZ3N3YW4ub3JnPokAlQMFEEL2KI/1rAp5YTo7YQEB
+vX4EAKtr0e6WMDIRlpE4VhhdQ7AgBgGyhgfqAdD9KDx8o4fG4nkmh7H1bG/PLJA1
+f+UfDGnOyIwPOrILNyNnwAbDHXjJaNylahM7poOP7i0VlbhZPLAC0cSQi02/Zrac
+t5bED5tHSrNSjcA/CjuxRuu9lmR6s57IQnQnwt9I4LTM+CFP
+=oaBj
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/testing/tests/ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/sunCert.asc b/testing/tests/ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/sunCert.asc
new file mode 100644
index 000000000..32f204b10
--- /dev/null
+++ b/testing/tests/ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/sunCert.asc
@@ -0,0 +1,15 @@
+Type Bits/KeyID    Date       User ID
+pub  1024/79949ADD 2005/08/07 sun <sun.strongswan.org>
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: 2.6.3i
+
+mQCNA0L2Km8AAAEEANRAVMn8HBxfYaGhLqtQ3IZJArn9wpcQ+7sH/F9PaXIjzHRQ
+rfFkfmxxp9lVjCk0LM/BnnlnUmyz6F8K7V0Gi40Am4+ln1zHvZZIQJYGrDhDnjb7
+I5TVeD4Ib5bQ1CoUbIhv2LocCeR6OjefQgGmerC5RQ3d5ci7uB0pVpd5lJrdAAUR
+tBhzdW4gPHN1bi5zdHJvbmdzd2FuLm9yZz6JAJUDBRBC9ipvHSlWl3mUmt0BAUZR
+A/43nuZbxADMSviu54Mj8pvQbYeGLQVabiWT6h7L0ZPX4MWpFH3dTixBfRrZRSsj
+0AgiMMuZAMebfOe+Xf9uDQv7p1yumEiNg43tg85zyawkARWNTZZ04woxtvAqNwXn
+lQotGz7YA6JMxry9RQo5yI4Y4dPnVZ/o8eDpP0+I88cOhQ==
+=lLvB
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/testing/tests/ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/private/sunKey.asc b/testing/tests/ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/private/sunKey.asc
new file mode 100644
index 000000000..de2393649
--- /dev/null
+++ b/testing/tests/ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/private/sunKey.asc
@@ -0,0 +1,19 @@
+Type Bits/KeyID    Date       User ID
+sec  1024/79949ADD 2005/08/07 sun <sun.strongswan.org>
+
+-----BEGIN PGP SECRET KEY BLOCK-----
+Version: 2.6.3i
+
+lQHYA0L2Km8AAAEEANRAVMn8HBxfYaGhLqtQ3IZJArn9wpcQ+7sH/F9PaXIjzHRQ
+rfFkfmxxp9lVjCk0LM/BnnlnUmyz6F8K7V0Gi40Am4+ln1zHvZZIQJYGrDhDnjb7
+I5TVeD4Ib5bQ1CoUbIhv2LocCeR6OjefQgGmerC5RQ3d5ci7uB0pVpd5lJrdAAUR
+AAP8DHxBOQ7UeiO6cutdGSLfy6nxGf/eRR8d3dNLFKpRfy9IQxPN/yQHb8pzSQUI
+Pqi3V4PcJUJQJIMNqzzgyTyey/OdTc+IFngywRGKQowyD7vY+urVbcEDHe+sRTL1
+GvrsQGMZoXNDimABHn5NbT6Pc06xQ9rNvpCSyHMyzcylpk0CANqf96aEaryGJozg
+vSN5GlS77rPJ9Y9mU2EJs1+0BlMcb7Sy4HN2RRc/V56ZmlW2m3UbGwPqG8R9XQQ2
+LO03bTcCAPiJbTcRdA/YnZExbZPgEnV5nq8tVXTc7bz1Sw7ZWRef0iZyIQEXbwLn
+2Z2EJik9bQpkcVJSBV17cH7Av/VdIosCAKJPVoBETiVzWejIpGHHqbnmZC8P9rUs
+xAXZbNukbL3YElLeopNMyddTi6kf45/m0sb7fr7rzW/OJ7WP8mDrGPec4rQYc3Vu
+IDxzdW4uc3Ryb25nc3dhbi5vcmc+
+=DwEu
+-----END PGP SECRET KEY BLOCK-----
diff --git a/testing/tests/ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.secrets b/testing/tests/ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.secrets
new file mode 100644
index 000000000..ee98b1611
--- /dev/null
+++ b/testing/tests/ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA sunKey.asc
diff --git a/testing/tests/ikev2/net2net-pgp-v3/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-pgp-v3/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..39d7154e2
--- /dev/null
+++ b/testing/tests/ikev2/net2net-pgp-v3/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 pgp gmp random stroke kernel-netlink updown
+}
+
diff --git a/testing/tests/ikev2/net2net-pgp-v3/posttest.dat b/testing/tests/ikev2/net2net-pgp-v3/posttest.dat
new file mode 100644
index 000000000..fafcde975
--- /dev/null
+++ b/testing/tests/ikev2/net2net-pgp-v3/posttest.dat
@@ -0,0 +1,8 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
+moon::rm /etc/ipsec.d/certs/*
+moon::rm /etc/ipsec.d/private/*
+sun::rm /etc/ipsec.d/certs/*
+sun::rm /etc/ipsec.d/private/*
diff --git a/testing/tests/ikev2/net2net-pgp-v3/pretest.dat b/testing/tests/ikev2/net2net-pgp-v3/pretest.dat
new file mode 100644
index 000000000..9e40684ab
--- /dev/null
+++ b/testing/tests/ikev2/net2net-pgp-v3/pretest.dat
@@ -0,0 +1,8 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
+moon::rm /etc/ipsec.d/cacerts/*
+sun::rm /etc/ipsec.d/cacerts/*
+moon::ipsec start
+sun::ipsec start
+moon::sleep 2
+moon::ipsec up net-net
diff --git a/testing/tests/ikev2/net2net-pgp-v3/test.conf b/testing/tests/ikev2/net2net-pgp-v3/test.conf
new file mode 100644
index 000000000..f74d0f7d6
--- /dev/null
+++ b/testing/tests/ikev2/net2net-pgp-v3/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/net2net-pgp-v4/description.txt b/testing/tests/ikev2/net2net-pgp-v4/description.txt
new file mode 100644
index 000000000..c82eec9ba
--- /dev/null
+++ b/testing/tests/ikev2/net2net-pgp-v4/description.txt
@@ -0,0 +1,6 @@
+A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
+The authentication is based on <b>OpenPGP V4 keys</b>. Upon the successful
+establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
+pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/ikev2/net2net-pgp-v4/evaltest.dat b/testing/tests/ikev2/net2net-pgp-v4/evaltest.dat
new file mode 100644
index 000000000..1a3759e34
--- /dev/null
+++ b/testing/tests/ikev2/net2net-pgp-v4/evaltest.dat
@@ -0,0 +1,5 @@
+moon::ipsec status::net-net.*INSTALLED::YES
+sun::ipsec status::net-net.*INSTALLED::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/net2net-pgp-v4/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-pgp-v4/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..d059cb1da
--- /dev/null
+++ b/testing/tests/ikev2/net2net-pgp-v4/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	
+conn net-net
+	left=PH_IP_MOON
+	leftsubnet=10.1.0.0/16
+	leftcert=moonCert.asc
+	leftfirewall=yes
+	right=PH_IP_SUN
+	rightsubnet=10.2.0.0/16
+	rightcert=sunCert.asc
+	rightid=@#b42f31fec80ae3264a101c85977a04ac8d1638d3
+	auto=add
diff --git a/testing/tests/ikev2/net2net-pgp-v4/hosts/moon/etc/ipsec.d/certs/moonCert.asc b/testing/tests/ikev2/net2net-pgp-v4/hosts/moon/etc/ipsec.d/certs/moonCert.asc
new file mode 100644
index 000000000..a512f8f52
--- /dev/null
+++ b/testing/tests/ikev2/net2net-pgp-v4/hosts/moon/etc/ipsec.d/certs/moonCert.asc
@@ -0,0 +1,24 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v1.4.9 (GNU/Linux)
+
+mQENBEpg0UQBCADWgUvdhUfaNdmWZkvECCcDRE+qlbJnVtIbBNkfsfTL1B20g2Mf
+UhWJORD0ka01pc6Tc5BF/379npNu48lj0g6OdgG5ivvhAAK/6tdGNW/xZQEhTB+A
+nmOu/9HbxtsXjZ5peX6F2k8OlG9hSJgTdGamhmkNaja0FrzSOz5jGhrEc2oCQVnd
+6BXRz4eq7W+VwlC6cxlgi7f5pUFfSqKYVwPLf+VkPVUHo+vSzuidJSL/jaEr9my/
+I0c/fUsVVWa3Z/KyGNY4Ej1DB21PnWYBo9H5SK7YC7auiHGwekdybWoI/6IPOP3f
+JqKbhO3ZbTw9bEZv+Lt52GeN4tNaWsOIbpVDABEBAAG0E21vb24uc3Ryb25nc3dh
+bi5vcmeJATcEEwECACEFAkpg0UQCGwMHCwkIBwMCAQQVAggDBBYCAwECHgECF4AA
+CgkQ9djQiWs7dNHHNQf/UiwJPioLef7dgGG2E+kwVQUK3LK+wXLrCVlRdTpSbw8K
+N2yl6/L8djIdox0jw3yCYhCWxf94N4Yqw4zUjaA4wt+U37ZPqlx/kdfNZwn2383K
+1niLPYmJf5sMWXPAmetT6tNEHNhkmE7CsmDqikX1GUvJ4NmoHp/2DQLKR4/Olb1Y
+D4HulHK0nfMxf1gVmFhRFtGpzrGS26G3HzV0ZDs4fYEkVFfTBkCyGzE667O8W9Gk
+/EoRdO7hDOAEk80Gp23bDX6ygnvsAqUeWNwYYctkiJKb/YMiAR/bOtFHtgN43atv
+1I5GZ96wAo+s+KZAXaHlxFvq7r6OMzxgEWTtyNTtG4kBHAQQAQIABgUCSmDShgAK
+CRCXegSsjRY401hVB/9HlBSdkal26U8HmVSjblOpMhaEKWjAZG1VnhcA5/GstzHc
+ql7CuciAzOfRY9kcUvvonjLLBEb6P8H7mNaosE0XtqBI+Il8w6FIsfqXG+w2lISt
+21/OoS3uXmUD43xdGkJACgoQP3eAqscRnoiNq/Wrg4GFvMmhK3pu3UR0joFrxwoX
+mIbpJ1CZFrYDhLRFWUMV+93rzde7UfIeSuPwuE96yTJFgc4QKKFKT+msELTko9Fb
+G5N0Q//Rfy+mbqQlk7JVd2WqUMfSx6Fw9X8z88uQamdcgx2/6HzFSL1QiBNyF/3D
+spAwu2H5T4gSZH3FywlmRp+JJzNy+aci+M/eTvDz
+=j2hu
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/testing/tests/ikev2/net2net-pgp-v4/hosts/moon/etc/ipsec.d/certs/sunCert.asc b/testing/tests/ikev2/net2net-pgp-v4/hosts/moon/etc/ipsec.d/certs/sunCert.asc
new file mode 100644
index 000000000..5117cbb04
--- /dev/null
+++ b/testing/tests/ikev2/net2net-pgp-v4/hosts/moon/etc/ipsec.d/certs/sunCert.asc
@@ -0,0 +1,24 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v1.4.9 (GNU/Linux)
+
+mQENBEpg0bgBCADIozng/tZLr8mEcHvXe4S4zRE31EngymiBFytJ0r2sky43lJXB
+QdW2h/elDDO2drrKVt9iwR/WS25r7Er1ibDn1cje9dERDU/IWyS7UaCewUG7WTZM
+/aWrt1cnq11FhpdckQfdalh+au0rnsJJP+mwZBti6KtX9LFi0kKvVoDt+jlNJMlV
+CLRgQ30BmgApiqEDxbVURmHf8UPDNy6GDcQYnJ1AmliIavzjpDl/l68TadBCf8WP
+B2hBe/AoB9ODgc9GnBRMN6RGSvpXGBugKhleFUtCtUR0h3NZtpcD8479XuqSjbyN
+4mUEAeXJIIkT/hLHmmbQK0DTrHPaTtXGfeOjABEBAAG0EnN1bi5zdHJvbmdzd2Fu
+Lm9yZ4kBNwQTAQIAIQUCSmDRuAIbAwcLCQgHAwIBBBUCCAMEFgIDAQIeAQIXgAAK
+CRCXegSsjRY407LCCACqHrnT1xqsQRAIL9GQtI6AkaLJLtJXbALtSKg1Ik1DQA9g
+0P+Scnu84xj1o5bRWX2WyPYZUgDY6fB3bSQuX/Z0lIUtl16xRL53jKroGDzg3JZ0
+eNYmehGoIes4JfQm08UM7roywGaaWAfTK2gDFdjsetU4FkpbziVp8cOeAzUMU5/D
+RLu5rvCB6m5u62RncmppraAYuQWRjZALIxugFW9IBe+hItY3eBa0rnrCPUb2ywSG
+6XXcCnBr/34g/bQXWRxBhbf91ewVaDxgLeoFzQl34h8MxxxBAzG/1023wkN+K97j
+vnvvZKUwbd/TRFJkorkhkRpA1wSrJ0tAsvODgc8biQEcBBABAgAGBQJKYNK9AAoJ
+EPXY0IlrO3TR8X4H/2eabptQ49q6SX5bwZ+13QoGZdarAvFxVGbbhaRrOrbsYNbg
+Wd8k6R/Uwz1qkH3RJBmANm2wcDYhXsztprUrQ3a5jIgZfc+ZH/0cZiFUWk004m7t
+mXdvWsGkbxye0kUChQOP9/VJBgpOBnK4MngX7d3nwSIO75r4ugey2Aud/eOvrm5m
+t5MJBANTGAnBGwqXtsDm7v0L9VQY6PuLIgPwftB+vwy/Ea8vU5AmFKVkfAR/pVIT
+gELY5mDHaqLxgvfMVJ+PFkvb5HF7QdpIcxUjo3SNgyOyYpN+pfQQbVLkPoOs1xqf
+lIbIyjzMp02KM3iRElcuU/EBEfsp0/voJ/iyd+o=
+=tAh4
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/testing/tests/ikev2/net2net-pgp-v4/hosts/moon/etc/ipsec.d/private/moonKey.asc b/testing/tests/ikev2/net2net-pgp-v4/hosts/moon/etc/ipsec.d/private/moonKey.asc
new file mode 100644
index 000000000..59de821d6
--- /dev/null
+++ b/testing/tests/ikev2/net2net-pgp-v4/hosts/moon/etc/ipsec.d/private/moonKey.asc
@@ -0,0 +1,32 @@
+-----BEGIN PGP PRIVATE KEY BLOCK-----
+Version: GnuPG v1.4.9 (GNU/Linux)
+
+lQOYBEpg0UQBCADWgUvdhUfaNdmWZkvECCcDRE+qlbJnVtIbBNkfsfTL1B20g2Mf
+UhWJORD0ka01pc6Tc5BF/379npNu48lj0g6OdgG5ivvhAAK/6tdGNW/xZQEhTB+A
+nmOu/9HbxtsXjZ5peX6F2k8OlG9hSJgTdGamhmkNaja0FrzSOz5jGhrEc2oCQVnd
+6BXRz4eq7W+VwlC6cxlgi7f5pUFfSqKYVwPLf+VkPVUHo+vSzuidJSL/jaEr9my/
+I0c/fUsVVWa3Z/KyGNY4Ej1DB21PnWYBo9H5SK7YC7auiHGwekdybWoI/6IPOP3f
+JqKbhO3ZbTw9bEZv+Lt52GeN4tNaWsOIbpVDABEBAAEAB/42Vsa7NTpAgwe92+gx
+nscTQsjTs9xf5VSQV6gRKWmUAQYNZoNDue2Ot5AeBJFWV8x++fWAZfrrkLJUkwu/
+Z8UcPbSuJhEsrG4F5B3owTy8cBPbNYd9c6JZAKFPBY8W5l9M5OQyUF1amiuk/1jX
+BNPEN6SBK3j0IhZvQ2bIgCJrxUH9igvOig2HmfOYv11UMzOErSA/eGRSA+TrM+QK
+BDCG1ae3dLe/pXtIuh1/jkLo7Byk0ofgv2+Ty/LSwBCj0vtUjtMHHRNZFRYFrNiN
+S6FyrS7+Q9BJolNkuXT83i4dm208+6bKQBPxV3ZaLgf2y19/g5av8f745ercygQI
+MdGBBADaWGKpev55Oom2gNV4jaQFaAc4K4OqW1IbsXk8QSl1iaoHmt9VlGP+A+8O
+GG+h0cfIlUHnAC29Hs5lDnlByqdTnG9zTyOrnzZEY1+jFGGgs+O/ehS3riGI5dB8
+mwReZfY/aqp7naLkkymHuIAizmxkYORPZtTugyi99Zha4m8j4QQA+39fTOthVIYi
+RXMzGknEjh9fMLvCkx33ghapCtc4ftJRACfaatQJVBG2li7LHbPg9fboIyG/x/Ey
+iyGtPxwBLo7MJige6xpzVB4Qk+zLDCKouca29uY1rGQzZ0FTmMMtu3Rm+dKh9lLv
+vg7ZJNTfhxldC+R/L/gOIBWEzy/iXaMD/2A+wQuKDLDRb9/sOiq/6z7Ryl6FPbTC
+AvvNU3hJtRImfmHodob//zzYYgOY7exY/qubC6FsDW4AN+2iHesCdIzCrAG7v9X3
+Rn1WPq96FfY2y5b6qEl8Tx+a71TZi5RJRtoWPe3IolausE0T3IjRbWI4XgMu/T5o
+Rmv/f5gyc5OxPpG0E21vb24uc3Ryb25nc3dhbi5vcmeJATcEEwECACEFAkpg0UQC
+GwMHCwkIBwMCAQQVAggDBBYCAwECHgECF4AACgkQ9djQiWs7dNHHNQf/UiwJPioL
+ef7dgGG2E+kwVQUK3LK+wXLrCVlRdTpSbw8KN2yl6/L8djIdox0jw3yCYhCWxf94
+N4Yqw4zUjaA4wt+U37ZPqlx/kdfNZwn2383K1niLPYmJf5sMWXPAmetT6tNEHNhk
+mE7CsmDqikX1GUvJ4NmoHp/2DQLKR4/Olb1YD4HulHK0nfMxf1gVmFhRFtGpzrGS
+26G3HzV0ZDs4fYEkVFfTBkCyGzE667O8W9Gk/EoRdO7hDOAEk80Gp23bDX6ygnvs
+AqUeWNwYYctkiJKb/YMiAR/bOtFHtgN43atv1I5GZ96wAo+s+KZAXaHlxFvq7r6O
+MzxgEWTtyNTtGw==
+=Vb4y
+-----END PGP PRIVATE KEY BLOCK-----
diff --git a/testing/tests/ikev2/net2net-pgp-v4/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/net2net-pgp-v4/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..afb1ff927
--- /dev/null
+++ b/testing/tests/ikev2/net2net-pgp-v4/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.asc
diff --git a/testing/tests/ikev2/net2net-pgp-v4/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-pgp-v4/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..39d7154e2
--- /dev/null
+++ b/testing/tests/ikev2/net2net-pgp-v4/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 pgp gmp random stroke kernel-netlink updown
+}
+
diff --git a/testing/tests/ikev2/net2net-pgp-v4/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-pgp-v4/hosts/sun/etc/ipsec.conf
new file mode 100755
index 000000000..198f2a8a8
--- /dev/null
+++ b/testing/tests/ikev2/net2net-pgp-v4/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	
+conn net-net
+	left=PH_IP_SUN
+	leftsubnet=10.2.0.0/16
+	leftcert=sunCert.asc
+        leftid=@#b42f31fec80ae3264a101c85977a04ac8d1638d3
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightcert=moonCert.asc
+	auto=add
diff --git a/testing/tests/ikev2/net2net-pgp-v4/hosts/sun/etc/ipsec.d/certs/moonCert.asc b/testing/tests/ikev2/net2net-pgp-v4/hosts/sun/etc/ipsec.d/certs/moonCert.asc
new file mode 100644
index 000000000..a512f8f52
--- /dev/null
+++ b/testing/tests/ikev2/net2net-pgp-v4/hosts/sun/etc/ipsec.d/certs/moonCert.asc
@@ -0,0 +1,24 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v1.4.9 (GNU/Linux)
+
+mQENBEpg0UQBCADWgUvdhUfaNdmWZkvECCcDRE+qlbJnVtIbBNkfsfTL1B20g2Mf
+UhWJORD0ka01pc6Tc5BF/379npNu48lj0g6OdgG5ivvhAAK/6tdGNW/xZQEhTB+A
+nmOu/9HbxtsXjZ5peX6F2k8OlG9hSJgTdGamhmkNaja0FrzSOz5jGhrEc2oCQVnd
+6BXRz4eq7W+VwlC6cxlgi7f5pUFfSqKYVwPLf+VkPVUHo+vSzuidJSL/jaEr9my/
+I0c/fUsVVWa3Z/KyGNY4Ej1DB21PnWYBo9H5SK7YC7auiHGwekdybWoI/6IPOP3f
+JqKbhO3ZbTw9bEZv+Lt52GeN4tNaWsOIbpVDABEBAAG0E21vb24uc3Ryb25nc3dh
+bi5vcmeJATcEEwECACEFAkpg0UQCGwMHCwkIBwMCAQQVAggDBBYCAwECHgECF4AA
+CgkQ9djQiWs7dNHHNQf/UiwJPioLef7dgGG2E+kwVQUK3LK+wXLrCVlRdTpSbw8K
+N2yl6/L8djIdox0jw3yCYhCWxf94N4Yqw4zUjaA4wt+U37ZPqlx/kdfNZwn2383K
+1niLPYmJf5sMWXPAmetT6tNEHNhkmE7CsmDqikX1GUvJ4NmoHp/2DQLKR4/Olb1Y
+D4HulHK0nfMxf1gVmFhRFtGpzrGS26G3HzV0ZDs4fYEkVFfTBkCyGzE667O8W9Gk
+/EoRdO7hDOAEk80Gp23bDX6ygnvsAqUeWNwYYctkiJKb/YMiAR/bOtFHtgN43atv
+1I5GZ96wAo+s+KZAXaHlxFvq7r6OMzxgEWTtyNTtG4kBHAQQAQIABgUCSmDShgAK
+CRCXegSsjRY401hVB/9HlBSdkal26U8HmVSjblOpMhaEKWjAZG1VnhcA5/GstzHc
+ql7CuciAzOfRY9kcUvvonjLLBEb6P8H7mNaosE0XtqBI+Il8w6FIsfqXG+w2lISt
+21/OoS3uXmUD43xdGkJACgoQP3eAqscRnoiNq/Wrg4GFvMmhK3pu3UR0joFrxwoX
+mIbpJ1CZFrYDhLRFWUMV+93rzde7UfIeSuPwuE96yTJFgc4QKKFKT+msELTko9Fb
+G5N0Q//Rfy+mbqQlk7JVd2WqUMfSx6Fw9X8z88uQamdcgx2/6HzFSL1QiBNyF/3D
+spAwu2H5T4gSZH3FywlmRp+JJzNy+aci+M/eTvDz
+=j2hu
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/testing/tests/ikev2/net2net-pgp-v4/hosts/sun/etc/ipsec.d/certs/sunCert.asc b/testing/tests/ikev2/net2net-pgp-v4/hosts/sun/etc/ipsec.d/certs/sunCert.asc
new file mode 100644
index 000000000..5117cbb04
--- /dev/null
+++ b/testing/tests/ikev2/net2net-pgp-v4/hosts/sun/etc/ipsec.d/certs/sunCert.asc
@@ -0,0 +1,24 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v1.4.9 (GNU/Linux)
+
+mQENBEpg0bgBCADIozng/tZLr8mEcHvXe4S4zRE31EngymiBFytJ0r2sky43lJXB
+QdW2h/elDDO2drrKVt9iwR/WS25r7Er1ibDn1cje9dERDU/IWyS7UaCewUG7WTZM
+/aWrt1cnq11FhpdckQfdalh+au0rnsJJP+mwZBti6KtX9LFi0kKvVoDt+jlNJMlV
+CLRgQ30BmgApiqEDxbVURmHf8UPDNy6GDcQYnJ1AmliIavzjpDl/l68TadBCf8WP
+B2hBe/AoB9ODgc9GnBRMN6RGSvpXGBugKhleFUtCtUR0h3NZtpcD8479XuqSjbyN
+4mUEAeXJIIkT/hLHmmbQK0DTrHPaTtXGfeOjABEBAAG0EnN1bi5zdHJvbmdzd2Fu
+Lm9yZ4kBNwQTAQIAIQUCSmDRuAIbAwcLCQgHAwIBBBUCCAMEFgIDAQIeAQIXgAAK
+CRCXegSsjRY407LCCACqHrnT1xqsQRAIL9GQtI6AkaLJLtJXbALtSKg1Ik1DQA9g
+0P+Scnu84xj1o5bRWX2WyPYZUgDY6fB3bSQuX/Z0lIUtl16xRL53jKroGDzg3JZ0
+eNYmehGoIes4JfQm08UM7roywGaaWAfTK2gDFdjsetU4FkpbziVp8cOeAzUMU5/D
+RLu5rvCB6m5u62RncmppraAYuQWRjZALIxugFW9IBe+hItY3eBa0rnrCPUb2ywSG
+6XXcCnBr/34g/bQXWRxBhbf91ewVaDxgLeoFzQl34h8MxxxBAzG/1023wkN+K97j
+vnvvZKUwbd/TRFJkorkhkRpA1wSrJ0tAsvODgc8biQEcBBABAgAGBQJKYNK9AAoJ
+EPXY0IlrO3TR8X4H/2eabptQ49q6SX5bwZ+13QoGZdarAvFxVGbbhaRrOrbsYNbg
+Wd8k6R/Uwz1qkH3RJBmANm2wcDYhXsztprUrQ3a5jIgZfc+ZH/0cZiFUWk004m7t
+mXdvWsGkbxye0kUChQOP9/VJBgpOBnK4MngX7d3nwSIO75r4ugey2Aud/eOvrm5m
+t5MJBANTGAnBGwqXtsDm7v0L9VQY6PuLIgPwftB+vwy/Ea8vU5AmFKVkfAR/pVIT
+gELY5mDHaqLxgvfMVJ+PFkvb5HF7QdpIcxUjo3SNgyOyYpN+pfQQbVLkPoOs1xqf
+lIbIyjzMp02KM3iRElcuU/EBEfsp0/voJ/iyd+o=
+=tAh4
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/testing/tests/ikev2/net2net-pgp-v4/hosts/sun/etc/ipsec.d/private/sunKey.asc b/testing/tests/ikev2/net2net-pgp-v4/hosts/sun/etc/ipsec.d/private/sunKey.asc
new file mode 100644
index 000000000..68899ae37
--- /dev/null
+++ b/testing/tests/ikev2/net2net-pgp-v4/hosts/sun/etc/ipsec.d/private/sunKey.asc
@@ -0,0 +1,32 @@
+-----BEGIN PGP PRIVATE KEY BLOCK-----
+Version: GnuPG v1.4.9 (GNU/Linux)
+
+lQOYBEpg0bgBCADIozng/tZLr8mEcHvXe4S4zRE31EngymiBFytJ0r2sky43lJXB
+QdW2h/elDDO2drrKVt9iwR/WS25r7Er1ibDn1cje9dERDU/IWyS7UaCewUG7WTZM
+/aWrt1cnq11FhpdckQfdalh+au0rnsJJP+mwZBti6KtX9LFi0kKvVoDt+jlNJMlV
+CLRgQ30BmgApiqEDxbVURmHf8UPDNy6GDcQYnJ1AmliIavzjpDl/l68TadBCf8WP
+B2hBe/AoB9ODgc9GnBRMN6RGSvpXGBugKhleFUtCtUR0h3NZtpcD8479XuqSjbyN
+4mUEAeXJIIkT/hLHmmbQK0DTrHPaTtXGfeOjABEBAAEAB/0XU57hkU9R6mSoALnt
+Qh+aqsDjOEvEllPTGmH+icFipJP9g0lr+B8EQ0egCUyj3Kb36mS7Yw+0Bv4WDxlh
+9bm7Iohhn7vIWz9Y4HvjSWi+vGJLiWI+TkkqLz0zUAGemTjU2snKzNfwDrd3WFRn
+VsZxKxpiBAITzk+nWSHGp+yCfl3NVaA/MYAI+FgiQlq/qTCRreEsexAJ09weDLGN
+P95V4E6LACRy+wiy7X0lRzS1047UUtTcZUF6c5ERfgAGT5NKT/ZA4THZy5pPrSOw
+bRIHbozSlWbnrZNz8DNa4iyHsEw/42IvjU/LflmGWL2hvVxA40ezlxGVi5ea5gFV
+5q9dBADWGXToEaHMqie/HAC4+1/VCTmAvqIKcegNWHCL1PGYBBfRonF/TDcbkawy
+0ATlk+rkyTaRvkapb1LdqE1qThGQWC6iLb3v8E2UEizCM1VFo2EqcKxbCoJdsEtR
+mrK/zIqZ/h/4iEu/ekLPeDwdIWWdBlfYTtTwdMH40eoPOLyo/QQA7+dSOQcAUp8H
+1NuNpyK+9M3/mkpXRF3cqdiY7AnHIf4WWDtgDUHugtO8HlAkq4cL27QYBojVHCqB
+P+NLJo6A35nNbt2IPqAotCgk8NlgtsA+oJ9tvWGarOLMnIt0eBv80blqa5PGeoFt
+EuYxYO2bRAE2cQtMXPMLKpl3VKSRMR8EAKINBJ81zq2twDG1qvRg40XAz2LOKkFd
+B+fNAd0JSC8+qx4MMdn0iL6WaCIN6t1wzI7l1whLUc7f3MPF2dwrsrB9j3MgHppr
+GBLl0A3a1tIkWPAejMcpSgFR63ooQQgoX+XH0woST3wgHTZT6fF+zFn3eaGJ3wqv
+JNcE4vcbJf1COoi0EnN1bi5zdHJvbmdzd2FuLm9yZ4kBNwQTAQIAIQUCSmDRuAIb
+AwcLCQgHAwIBBBUCCAMEFgIDAQIeAQIXgAAKCRCXegSsjRY407LCCACqHrnT1xqs
+QRAIL9GQtI6AkaLJLtJXbALtSKg1Ik1DQA9g0P+Scnu84xj1o5bRWX2WyPYZUgDY
+6fB3bSQuX/Z0lIUtl16xRL53jKroGDzg3JZ0eNYmehGoIes4JfQm08UM7roywGaa
+WAfTK2gDFdjsetU4FkpbziVp8cOeAzUMU5/DRLu5rvCB6m5u62RncmppraAYuQWR
+jZALIxugFW9IBe+hItY3eBa0rnrCPUb2ywSG6XXcCnBr/34g/bQXWRxBhbf91ewV
+aDxgLeoFzQl34h8MxxxBAzG/1023wkN+K97jvnvvZKUwbd/TRFJkorkhkRpA1wSr
+J0tAsvODgc8b
+=QOF4
+-----END PGP PRIVATE KEY BLOCK-----
diff --git a/testing/tests/ikev2/net2net-pgp-v4/hosts/sun/etc/ipsec.secrets b/testing/tests/ikev2/net2net-pgp-v4/hosts/sun/etc/ipsec.secrets
new file mode 100644
index 000000000..ee98b1611
--- /dev/null
+++ b/testing/tests/ikev2/net2net-pgp-v4/hosts/sun/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA sunKey.asc
diff --git a/testing/tests/ikev2/net2net-pgp-v4/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-pgp-v4/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..39d7154e2
--- /dev/null
+++ b/testing/tests/ikev2/net2net-pgp-v4/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 pgp gmp random stroke kernel-netlink updown
+}
+
diff --git a/testing/tests/ikev2/net2net-pgp-v4/posttest.dat b/testing/tests/ikev2/net2net-pgp-v4/posttest.dat
new file mode 100644
index 000000000..fafcde975
--- /dev/null
+++ b/testing/tests/ikev2/net2net-pgp-v4/posttest.dat
@@ -0,0 +1,8 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
+moon::rm /etc/ipsec.d/certs/*
+moon::rm /etc/ipsec.d/private/*
+sun::rm /etc/ipsec.d/certs/*
+sun::rm /etc/ipsec.d/private/*
diff --git a/testing/tests/ikev2/net2net-pgp-v4/pretest.dat b/testing/tests/ikev2/net2net-pgp-v4/pretest.dat
new file mode 100644
index 000000000..9e40684ab
--- /dev/null
+++ b/testing/tests/ikev2/net2net-pgp-v4/pretest.dat
@@ -0,0 +1,8 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
+moon::rm /etc/ipsec.d/cacerts/*
+sun::rm /etc/ipsec.d/cacerts/*
+moon::ipsec start
+sun::ipsec start
+moon::sleep 2
+moon::ipsec up net-net
diff --git a/testing/tests/ikev2/net2net-pgp-v4/test.conf b/testing/tests/ikev2/net2net-pgp-v4/test.conf
new file mode 100644
index 000000000..f74d0f7d6
--- /dev/null
+++ b/testing/tests/ikev2/net2net-pgp-v4/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/net2net-psk/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-psk/hosts/moon/etc/strongswan.conf
index 454aed12c..87fa5b2e9 100644
--- a/testing/tests/ikev2/net2net-psk/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-psk/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink updown
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/net2net-psk/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-psk/hosts/sun/etc/strongswan.conf
index 454aed12c..87fa5b2e9 100644
--- a/testing/tests/ikev2/net2net-psk/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-psk/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink updown
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/net2net-rfc3779/description.txt b/testing/tests/ikev2/net2net-rfc3779/description.txt
new file mode 100644
index 000000000..1e56ce687
--- /dev/null
+++ b/testing/tests/ikev2/net2net-rfc3779/description.txt
@@ -0,0 +1,11 @@
+A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
+The authentication is based on <b>X.509 certificates</b> containing <b>RFC 3779 IP address
+block constraints</b>. Both <b>moon</b> and <b>sun</b> set <b>rightsubnet=0.0.0.0/0</b> thus
+allowing the peers to narrow down the address range to their actual subnets <b>10.1.0.0/16</b>
+and <b>10.2.0.0/16</b>, respectively. These unilaterally proposed traffic selectors must be
+validated by corresponding IP address block constraints.
+<p/>
+Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
+pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/ikev2/net2net-rfc3779/evaltest.dat b/testing/tests/ikev2/net2net-rfc3779/evaltest.dat
new file mode 100644
index 000000000..149cf727a
--- /dev/null
+++ b/testing/tests/ikev2/net2net-rfc3779/evaltest.dat
@@ -0,0 +1,15 @@
+moon::ipsec statusall::net-net.*ESTABLISHED::YES
+sun::ipsec statusall::net-net.*ESTABLISHED::YES
+moon::cat /var/log/daemon.log::subject address block 10.2.0.0/16 is contained in issuer address block 10.1.0.0..10.2.255.255::YES 
+moon::cat /var/log/daemon.log::subject address block 192.168.0.2/32 is contained in issuer address block 192.168.0.0/24::YES 
+moon::cat /var/log/daemon.log::subject address block fec0:\:2/128 is contained in issuer address block fec0:\:..fec2:ffff:ffff:ffff:ffff:ffff:ffff:ffff::YES 
+moon::cat /var/log/daemon.log::subject address block fec2:\:/16 is contained in issuer address block fec0:\:..fec2:ffff:ffff:ffff:ffff:ffff:ffff:ffff::YES 
+sun::cat /var/log/daemon.log::subject address block 10.1.0.0/16 is contained in issuer address block 10.1.0.0..10.2.255.255::YES 
+sun::cat /var/log/daemon.log::subject address block 192.168.0.1/32 is contained in issuer address block 192.168.0.0/24::YES 
+sun::cat /var/log/daemon.log::subject address block fec0:\:1/128 is contained in issuer address block fec0:\:..fec2:ffff:ffff:ffff:ffff:ffff:ffff:ffff::YES 
+sun::cat /var/log/daemon.log::subject address block fec1:\:/16 is contained in issuer address block fec0:\:..fec2:ffff:ffff:ffff:ffff:ffff:ffff:ffff::YES 
+moon::cat /var/log/daemon.log::TS 10.2.0.0/16 is contained in address block constraint 10.2.0.0/16::YES
+sun::cat /var/log/daemon.log::TS 10.1.0.0/16 is contained in address block constraint 10.1.0.0/16::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..ce59d849c
--- /dev/null
+++ b/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,26 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+	charondebug="cfg 2"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	mobike=no
+
+conn net-net 
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	leftfirewall=yes
+	right=PH_IP_SUN
+	rightid=@sun.strongswan.org
+	rightsubnet=0.0.0.0/0
+	auto=add
diff --git a/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
new file mode 100644
index 000000000..8e872d89f
--- /dev/null
+++ b/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----
+MIIEXTCCA0WgAwIBAgIJAPKv5keyTotGMA0GCSqGSIb3DQEBCwUAMFoxCzAJBgNV
+BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRAwDgYDVQQLEwdSRkMz
+Nzc5MR4wHAYDVQQDExVzdHJvbmdTd2FuIFJGQzM3NzkgQ0EwHhcNMDkxMjIzMTMz
+MDUwWhcNMTkxMjIxMTMzMDUwWjBaMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGlu
+dXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwGA1UEAxMVc3Ryb25n
+U3dhbiBSRkMzNzc5IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
+zP4z54hRFM3bg0WWxpa9yBh8CrloV8wWd3YQR9daJjErXdZfbnECZqoK5obWPkQJ
+Cp2xGijnB5CDxvAdiFANgNxDeDuAD5jGzQALWVYgbhQ/y4qRw49IPs9k+Uf1OHVr
+b3qP8uSvWEmb1SlAJ24PGChB8Y5NwJJzFY5P0TJI/Zg3zgbLTsbgiplImgi/ZG7Y
+GE/DCb6UAzcRwE2y41U4ZVG86UW2ARnvOCXJZHdt16O3KzUJ78BA1IgMsNZs8cQF
+Avg1ZAUJW6oMLXu2XCwKOKTwJxdA2wpYadus2KEY/UyVovHSpyBa/zzSDXsP01PU
+EKNZhloVQVt9NX3MCUItfQIDAQABo4IBJDCCASAwEgYDVR0TAQH/BAgwBgEB/wIB
+ATALBgNVHQ8EBAMCAQYwHQYDVR0OBBYEFCF/p+s30KMLH6HcQgYeEV880hAUMIGM
+BgNVHSMEgYQwgYGAFCF/p+s30KMLH6HcQgYeEV880hAUoV6kXDBaMQswCQYDVQQG
+EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3
+OTEeMBwGA1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBggkA8q/mR7JOi0YwTwYI
+KwYBBQUHAQcBAf8EQDA+MCgEAgABMCIwCgMDAAoBAwMACgIwDgMFAAoDAAEDBQAK
+AwPoAwQAwKgAMBIEAgACMAwwCgMDBv7AAwMA/sIwDQYJKoZIhvcNAQELBQADggEB
+ABXhehDhC9jLipmZbP9r2t8ARjIjeHUk5UIX3sW9pKlwuOiFy/oEmJD72LYSPDFm
+uKK4NDAllhJWKw1KA1j1h1NxE6tEjQTpj9mizjULI6T1HPWyn5E93vqFIK71k4ud
+rxZXyq7fPrXM2QVKHpiT1DlAcopGe92Vxo0qooYEXIHd6XwVftSIo/1bi08p8jZS
+Oc+kjoOKkfqmBSKpqYzTtlbafdVOPBAEaTa3k516ks3bDQn3gtU+2ucNB3fIvVVA
+MI2//EaIMBIXorpcnOU3ja0nYCAf9kHAybRpBObWt7OLKFHcSatdE9El4Ri3YeJX
+fN8iF5kHn7S+Nd9ZFlf3S1w=
+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.d/certs/moonCert.pem
new file mode 100644
index 000000000..7f5f8d703
--- /dev/null
+++ b/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.d/certs/moonCert.pem
@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE-----
+MIIEuDCCA6CgAwIBAgIBATANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwG
+A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTA5MTIyMzEzMzM1NloXDTE0
+MTIyMjEzMzM1NlowWDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u
+Z1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dh
+bi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDTKaLLTmKX45Qm
+RjIaBSxBwofzqqkZWtl1mu0cDp6rGWr//hC31OO9MbLeRZBX0UBtuKouceAjdrwG
+aK7ChR0Ft+qlLZ6Z9BH2Dna4vTdESsB3Sn+uXuU4WNdwmmJuRBXfl/7h/Rt+34Cs
+BP82/RtR4GVpS7u73iSLlN4RaeWdySTqhtYH4cKt1H9MiSbwwomwdLedQo3UoOeU
+lkWPrzFKT3gzU4vHr1sgpbF54o/iBr5/YyJpUT9UVeDTffAEMxnAe8/Q/a3pgSLO
+wJ3HnSvcSH0w8zuH1YXOtfmqsphkwVBJGiLzUHWlYxVIAoCKdrv4eoSJLqlL5b51
+vGkmL83RAgMBAAGjggGJMIIBhTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNV
+HQ4EFgQU5zzmRRlKa8+cm1g4RYg4lKNkQz4wgYwGA1UdIwSBhDCBgYAUIX+n6zfQ
+owsfodxCBh4RXzzSEBShXqRcMFoxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51
+eCBzdHJvbmdTd2FuMRAwDgYDVQQLEwdSRkMzNzc5MR4wHAYDVQQDExVzdHJvbmdT
+d2FuIFJGQzM3NzkgQ0GCCQDyr+ZHsk6LRjAeBgNVHREEFzAVghNtb29uLnN0cm9u
+Z3N3YW4ub3JnMBMGA1UdJQQMMAoGCCsGAQUFBwMBMEEGA1UdHwQ6MDgwNqA0oDKG
+MGh0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbl9yZmMzNzc5LmNy
+bDBFBggrBgEFBQcBBwEB/wQ2MDQwEgQCAAEwDAMDAAoBAwUAwKgAATAeBAIAAjAY
+AxEA/sAAAAAAAAAAAAAAAAAAAQMDAP7BMA0GCSqGSIb3DQEBCwUAA4IBAQBVFKeX
+QIH5Zk0dp/7u/V0TKqu5vZ9x6ZrshAZ9nzbLgmSP+++yDXmlQe0D0i2Men4D095S
+smFqw1nMWM5oEPpP58+jhCOHzn7InMp+SRRBkX2j06wT9qbynAHiIun/qcdq13w1
+Fs0PiKVQZbbz72mwl9J3Hkj/JkLtOX00wMPqIFU6veeagGiwOW7KkehFUVqoD9+O
+vgkHnUti2XzgskEGcEWmE1EYv7Qo0OdZB15oNoUV5i8WelfmWO+nz9/QKciATNoC
+kAUVcEV9XY9sSKjazdyG6QfEd3l6lQ+KAt8MnqA89i0yIQ1lg+3Jfe67SMvM1gy6
+Y0Y2hqCja6SsIjVc
+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.d/private/moonKey.pem
new file mode 100644
index 000000000..8295f97c1
--- /dev/null
+++ b/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.d/private/moonKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEA0ymiy05il+OUJkYyGgUsQcKH86qpGVrZdZrtHA6eqxlq//4Q
+t9TjvTGy3kWQV9FAbbiqLnHgI3a8BmiuwoUdBbfqpS2emfQR9g52uL03RErAd0p/
+rl7lOFjXcJpibkQV35f+4f0bft+ArAT/Nv0bUeBlaUu7u94ki5TeEWnlnckk6obW
+B+HCrdR/TIkm8MKJsHS3nUKN1KDnlJZFj68xSk94M1OLx69bIKWxeeKP4ga+f2Mi
+aVE/VFXg033wBDMZwHvP0P2t6YEizsCdx50r3Eh9MPM7h9WFzrX5qrKYZMFQSRoi
+81B1pWMVSAKAina7+HqEiS6pS+W+dbxpJi/N0QIDAQABAoIBAQCSHbx1XB8jJSot
+teMTWEMAmgCDHrN2RQQ2ueaaxI8MrED7NK4S1rBkCVDRN2ejLLudcOvpyYikYZPI
+B4XuOjgT7ejjNYcK1vXawrVqLhxhGCzIHvftC+MnM2qYk2vLCzfriXyomgD9sOCT
+p72GKmxOIq1pyCr228eEApYLjLCDlhso3PrCo7recUq7f56rLjvb4gfcfor6mJUd
+yIppZUnDFJnsRXup1G4L9Y9RNYtlkcDqem/Q49d5+AHCYH6R8YI0Iz3JnzZjalsq
++IA6RJqHBTeOpiyCmHlUmVE/3YUm8n7w7RRngMOLjKdiTKHT+8EcHmyUorqW3Yea
+zCIe5C6FAoGBAO23egrSbamyWXcIOqx1GX9gzYmQ2nSKYUtRhsE8eNErw0zp4FKv
+AA7CAmoWEzjDJPSkUzDAajoZiH8+DIZ4IkwKbYjtq0vr1yCbx/PBKVN/JHGZ/Ao/
+dc/lQrNseza34NBrREN/gUytjefFMJ4YStSZCMuy3gP1Fqk6YCy/dObbAoGBAONn
+UqjmZYqoK0+jnGWdPOtXZ4bu8UoHc8/1MaVn3pq8bYh3PayFKpDKtcD1ZeXHCxL2
+1Y+Eid/DoZ2/RZbxT2mhi2mVZZCWc0xuML3Vz0B9bqi3ZfRLVP2u87fn//mGrD+9
+yy9PeIBv8UvjOhev6hZDBhPAVMsyjiw+wSX6kW/DAoGBAMBcrbSeLcGZok3xadFu
+fPCXvBtrDWwrIqpZUauDLN1PBZ5yz2T5WhmXI28HaAyR1ZDmfK9BtXRIfy1AX9Bc
+3JweAB9C/E/Wi+JGTVrR34hCpZIMImmEiuhtxDj/OwG/cHwXoUjhoBcVhnScHEiC
+reM152k21/Pp26mbpIHxeD7rAoGAaRy4S5P7uaTUKEKzJxEQOKQ1GVzXMWXSdXyb
+zx38+j9AzgR4AIepTjY03xVPXW+swb5Qpr8Xz9Oon7bq3sN59pSSUWKaCMRSVTDV
+3Nm4q9GO1fO377zmc0BsLUTSwC8s7WW4Ro0QYSXdPjuw/YP1ywZ+B6EuUKJ0ryTu
+uLRih2sCgYBm15N97b7Rp+aAti045iBla9/KH8z7szczIndpFWR4wjaI9tt0i9GR
+OZs7LFq0MYdg8JiXITyVcuqsUbdAP3TvsXGDHdatbDcrXM/DYuP6dPqMuGBKdnEn
+gIFT1z8mhv4Im3JKpuckMrIQ5vWhljcRZgiEJYZfEAkLJo7ePG2VzA==
+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..9af403198
--- /dev/null
+++ b/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  multiple_authentication = no
+}
diff --git a/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.conf
new file mode 100755
index 000000000..afc2e399e
--- /dev/null
+++ b/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,26 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+	charondebug="cfg 2"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+        keyingtries=1
+	keyexchange=ikev2
+	mobike=no
+
+conn net-net 
+	left=PH_IP_SUN
+	leftcert=sunCert.pem
+	leftid=@sun.strongswan.org
+	leftsubnet=10.2.0.0/16
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=0.0.0.0/0
+	auto=add
diff --git a/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.d/cacerts/strongswanCert.pem
new file mode 100644
index 000000000..8e872d89f
--- /dev/null
+++ b/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.d/cacerts/strongswanCert.pem
@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----
+MIIEXTCCA0WgAwIBAgIJAPKv5keyTotGMA0GCSqGSIb3DQEBCwUAMFoxCzAJBgNV
+BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRAwDgYDVQQLEwdSRkMz
+Nzc5MR4wHAYDVQQDExVzdHJvbmdTd2FuIFJGQzM3NzkgQ0EwHhcNMDkxMjIzMTMz
+MDUwWhcNMTkxMjIxMTMzMDUwWjBaMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGlu
+dXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwGA1UEAxMVc3Ryb25n
+U3dhbiBSRkMzNzc5IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
+zP4z54hRFM3bg0WWxpa9yBh8CrloV8wWd3YQR9daJjErXdZfbnECZqoK5obWPkQJ
+Cp2xGijnB5CDxvAdiFANgNxDeDuAD5jGzQALWVYgbhQ/y4qRw49IPs9k+Uf1OHVr
+b3qP8uSvWEmb1SlAJ24PGChB8Y5NwJJzFY5P0TJI/Zg3zgbLTsbgiplImgi/ZG7Y
+GE/DCb6UAzcRwE2y41U4ZVG86UW2ARnvOCXJZHdt16O3KzUJ78BA1IgMsNZs8cQF
+Avg1ZAUJW6oMLXu2XCwKOKTwJxdA2wpYadus2KEY/UyVovHSpyBa/zzSDXsP01PU
+EKNZhloVQVt9NX3MCUItfQIDAQABo4IBJDCCASAwEgYDVR0TAQH/BAgwBgEB/wIB
+ATALBgNVHQ8EBAMCAQYwHQYDVR0OBBYEFCF/p+s30KMLH6HcQgYeEV880hAUMIGM
+BgNVHSMEgYQwgYGAFCF/p+s30KMLH6HcQgYeEV880hAUoV6kXDBaMQswCQYDVQQG
+EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3
+OTEeMBwGA1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBggkA8q/mR7JOi0YwTwYI
+KwYBBQUHAQcBAf8EQDA+MCgEAgABMCIwCgMDAAoBAwMACgIwDgMFAAoDAAEDBQAK
+AwPoAwQAwKgAMBIEAgACMAwwCgMDBv7AAwMA/sIwDQYJKoZIhvcNAQELBQADggEB
+ABXhehDhC9jLipmZbP9r2t8ARjIjeHUk5UIX3sW9pKlwuOiFy/oEmJD72LYSPDFm
+uKK4NDAllhJWKw1KA1j1h1NxE6tEjQTpj9mizjULI6T1HPWyn5E93vqFIK71k4ud
+rxZXyq7fPrXM2QVKHpiT1DlAcopGe92Vxo0qooYEXIHd6XwVftSIo/1bi08p8jZS
+Oc+kjoOKkfqmBSKpqYzTtlbafdVOPBAEaTa3k516ks3bDQn3gtU+2ucNB3fIvVVA
+MI2//EaIMBIXorpcnOU3ja0nYCAf9kHAybRpBObWt7OLKFHcSatdE9El4Ri3YeJX
+fN8iF5kHn7S+Nd9ZFlf3S1w=
+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.d/certs/sunCert.pem b/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.d/certs/sunCert.pem
new file mode 100644
index 000000000..9ccd47a2c
--- /dev/null
+++ b/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.d/certs/sunCert.pem
@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE-----
+MIIEtjCCA56gAwIBAgIBAjANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwG
+A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTA5MTIyMzEzMzUyMVoXDTE0
+MTIyMjEzMzUyMVowVzELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u
+Z1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxGzAZBgNVBAMTEnN1bi5zdHJvbmdzd2Fu
+Lm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK1HhvoVh/fM14RE
+CTXr4to9ZEeGSqHLl5du+eYZl1fC7qLYaCtlaH+eLfDsCgYpe+XsDLHIxpTK9R6k
+XgLP1Jraxz3rtv5qJKkV3aDTjQ2d+cFc0EgiZmn53VEmI/IlcJS/VZzHhNvEJk7H
+k0YpoazpGPtNzFGaehV5mXUAeVPx4RH8fjcSiPbuPS3WC7cqtYvVwk97dj05VfEC
+VnG+90+eFKztvawBzNGwGQ7xZV7kSiPHNyGAV0qrKvhXZ0VPnm/OEiGCAlIo8uno
+Yb/4UMM/a5usCaA9Hgbf8+qqmrzavSUkFEa0y/p9bOBHaqfNP002xktbqBCCodRr
+6QgmiysCAwEAAaOCAYgwggGEMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1Ud
+DgQWBBTaKhy7PH1ihWsD+3/bJQ3e3Isj+DCBjAYDVR0jBIGEMIGBgBQhf6frN9Cj
+Cx+h3EIGHhFfPNIQFKFepFwwWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4
+IHN0cm9uZ1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxHjAcBgNVBAMTFXN0cm9uZ1N3
+YW4gUkZDMzc3OSBDQYIJAPKv5keyTotGMB0GA1UdEQQWMBSCEnN1bi5zdHJvbmdz
+d2FuLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATBBBgNVHR8EOjA4MDagNKAyhjBo
+dHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW5fcmZjMzc3OS5jcmww
+RQYIKwYBBQUHAQcBAf8ENjA0MBIEAgABMAwDAwAKAgMFAMCoAAIwHgQCAAIwGAMR
+AP7AAAAAAAAAAAAAAAAAAAIDAwD+wjANBgkqhkiG9w0BAQsFAAOCAQEAOqdCIldA
+mPp2aAWVPBiKXNrk4VJoIGlwZaUtYNxGQ46wUqAro/taKwZd4B1yvwsX/cHX3Y6j
+C1mQtiXw9onJm1qJM1a804U9yPcgdI+9RMiU0hA+aVmyMlS6WQsKFubU17qP2Ljd
+4hOwVQ681Hi8zfQjJdYpaO1yLcpy2dkotreJS3wA24ssnskRBI/cuAN0dfbV6SDQ
+TK91qz0emHoK3efgtvX4oEpsxI4NrwMstaZSVsHn4npKTGYu82dmPoK6WPblGEHZ
+Iavl08lGcYBV5I2ZGuWOekWQzUuBSveV3AFjieeaDIG3Ue3AKaihn6dCLz6l+t7E
+dXN+1axy9zQ34g==
+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.d/private/sunKey.pem b/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.d/private/sunKey.pem
new file mode 100644
index 000000000..6e047af69
--- /dev/null
+++ b/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.d/private/sunKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEArUeG+hWH98zXhEQJNevi2j1kR4ZKocuXl2755hmXV8Luotho
+K2Vof54t8OwKBil75ewMscjGlMr1HqReAs/UmtrHPeu2/mokqRXdoNONDZ35wVzQ
+SCJmafndUSYj8iVwlL9VnMeE28QmTseTRimhrOkY+03MUZp6FXmZdQB5U/HhEfx+
+NxKI9u49LdYLtyq1i9XCT3t2PTlV8QJWcb73T54UrO29rAHM0bAZDvFlXuRKI8c3
+IYBXSqsq+FdnRU+eb84SIYICUijy6ehhv/hQwz9rm6wJoD0eBt/z6qqavNq9JSQU
+RrTL+n1s4Edqp80/TTbGS1uoEIKh1GvpCCaLKwIDAQABAoIBAHKb86/nm9YPu6B1
+K65phdMZdgFE1oorUenMcid6V7qpaRN2lXfWjAaUxggq5vpqZ9OMjFzu0kHJ99S7
+nJ65fgKqn8vZ42BlLjhUCRH9urb9/Rqi2/RKJHkF1hd9ZZscnlkUMHkRElQVac0D
+feqTUKdASdC2BWUYCpW3pwNXO+iD5bA9/wB2J/RYYmm6Qo7UZQU8C0lken/8EOEL
+/ch0ID7C5PC0vWvLT0fM9j2JKDq8T6NRhF1MluISGDOp4pW7tEbkHo5I6zD0aPO2
+K9leN3aSUYsOVJk39VXkThwgJ4lqNEXI2xRbtW8sAf7TL1YDxLR2JN3UGvy/By5B
+UblJUnECgYEA2nO+iXScKd3qqmHrdXcxf2ExZQr8QgTAsZOkb6LQ9kGQll0lBcFc
+T2HlobzOaQktpF44C41zf2QpGDllbpyNT8VyQkI+CJ4pntjtKPkoPkxUeVlciFsm
+7THqCGe0zQBWDnXFVfTKR12aRwkhjG+QCQyyaAaV8YztEsDI5SRCjykCgYEAyxAb
+t/NTh9DBDrfJCkT21Rm9Ow70vhDaAyQLq3nJMF+BTXYDrnVMmFHCIHd+nbNP0CLs
+cV/fWAF6626ko5B6ewPFQ4wXRvtNAiDNZSfeaZgvxCrvoDgVrHWhfwHSXWFqny0o
+WHwIJJQvdkLW9BHwbpAQRoD1c2sy7pWIVTEyljMCgYEA0zZXwkUp/FzhWG2moANn
+qzZI8N4nOpmnycnrkjiE+6Q27PsQIblrzCDmSnPnyqyiIasrWxgf1Mr95LsR9FmP
+U9Ke/6tWmTR7H2e0HgqRO3LHtjCNhBVF1M6O7iN/Lzqk+gQqkUpGDaxVz1rnwgXX
+6LgLAwNjFJJiYeBeHRbq98kCgYAwBdg4UbBgf0sY+vftmM+zKAorjGbvCDc25PBp
+ljyxVvTSZ+WI/a6mmzdIzFnCW+S1OX0ndt/wBTGXuivvjryYmRSu29OpcscMiMtq
+b9pWqKorP2g6QOlHRu5xhfHFKcO4b0qKWpLma7Epy7bgM9njm+htdBQYPrLl37FF
+TIRFJwKBgGnZR5rm5iCrcIoAUMlH4/5ye5BPjHDn1NNv7Q7PZR9jhaEuoiBgvk6v
+h+YVi9A9nhbaqS4/rumsNPlObeIw78713pendaWCjC4hA0urrJ4fElfuaIyZMyKE
+FD64V78iaYVlmwKMJxZUnS1EFzb0XQZM7wxhB/i0wwjh+48rBHbd
+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..9af403198
--- /dev/null
+++ b/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  multiple_authentication = no
+}
diff --git a/testing/tests/ikev2/net2net-rfc3779/posttest.dat b/testing/tests/ikev2/net2net-rfc3779/posttest.dat
new file mode 100644
index 000000000..a4c96e10f
--- /dev/null
+++ b/testing/tests/ikev2/net2net-rfc3779/posttest.dat
@@ -0,0 +1,5 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
+
diff --git a/testing/tests/ikev2/net2net-rfc3779/pretest.dat b/testing/tests/ikev2/net2net-rfc3779/pretest.dat
new file mode 100644
index 000000000..545a3690e
--- /dev/null
+++ b/testing/tests/ikev2/net2net-rfc3779/pretest.dat
@@ -0,0 +1,7 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+sun::ipsec start
+moon::sleep 1 
+moon::ipsec up net-net
+moon::sleep 1
diff --git a/testing/tests/ikev2/net2net-rfc3779/test.conf b/testing/tests/ikev2/net2net-rfc3779/test.conf
new file mode 100644
index 000000000..d9a61590f
--- /dev/null
+++ b/testing/tests/ikev2/net2net-rfc3779/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+ 
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/net2net-route/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-route/hosts/moon/etc/strongswan.conf
index 4731a81d2..9af403198 100644
--- a/testing/tests/ikev2/net2net-route/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-route/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/net2net-route/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-route/hosts/sun/etc/strongswan.conf
index 4731a81d2..9af403198 100644
--- a/testing/tests/ikev2/net2net-route/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-route/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/net2net-start/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-start/hosts/moon/etc/strongswan.conf
index 4731a81d2..9af403198 100644
--- a/testing/tests/ikev2/net2net-start/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-start/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/net2net-start/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-start/hosts/sun/etc/strongswan.conf
index 4731a81d2..9af403198 100644
--- a/testing/tests/ikev2/net2net-start/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-start/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/strongswan.conf
index ef63f7262..572cf39cb 100644
--- a/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/strongswan.conf
index ef63f7262..572cf39cb 100644
--- a/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/strongswan.conf
index ef63f7262..572cf39cb 100644
--- a/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/strongswan.conf
index ef63f7262..572cf39cb 100644
--- a/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/strongswan.conf
index ef63f7262..572cf39cb 100644
--- a/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/strongswan.conf
index ef63f7262..572cf39cb 100644
--- a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/strongswan.conf
index ef63f7262..572cf39cb 100644
--- a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.conf
index 0425d7cf4..0d7cf5928 100755
--- a/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.conf
@@ -17,7 +17,7 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	left=PH_IP_CAROL
-	leftcert=carolCert-revoked.pem
+	leftcert=carolRevokedCert.pem
 	leftid=carol@strongswan.org
 
 conn home
diff --git a/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.d/certs/carolCert-revoked.pem b/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.d/certs/carolCert-revoked.pem
deleted file mode 100644
index 5b742fc9e..000000000
--- a/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.d/certs/carolCert-revoked.pem
+++ /dev/null
@@ -1,25 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIEIjCCAwqgAwIBAgIBBzANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
-MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA0MDkxMDExMjU0OFoXDTA5MDkwOTExMjU0OFowWjELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
-cmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcN
-AQEBBQADggEPADCCAQoCggEBAM5413q1B2EF3spcYD1u0ce9AtIHdxmU3+1E0hqV
-mLqpIQtyp4SLbrRunxpoVUuEpHWXgLb3C/ljjlKCMWWmhw4wja1rBTjMNJLPj6Bo
-5Qn4Oeuqm7/kLHPGbveQGtcSsJCk6iLqFTbq0wsji5Ogq7kmjWgQv0nM2jpofHLv
-VOAtWVSj+x2b3OHdl/WpgTgTw1HHjYo7/NOkARdTcZ2/wxxM3z1Abp9iylc45GLN
-IL/OzHkT8b5pdokdMvVijz8IslkkewJYXrVQaCNMZg/ydlXOOAEKz0YqnvXQaYs5
-K+s8XvQ2RFCr5oO0fRT2VbiI9TgHnbcnfUi25iHl6txsXg0CAwEAAaOCAQYwggEC
-MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBTbA2TH3ca8tgCGkYy9
-OV/MqUTHAzBtBgNVHSMEZjBkgBRdp91wBlEyfue2bbO15eBg6i5N76FJpEcwRTEL
-MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT
-EnN0cm9uZ1N3YW4gUm9vdCBDQYIBADAfBgNVHREEGDAWgRRjYXJvbEBzdHJvbmdz
-d2FuLm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4u
-b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBBAUAA4IBAQC9acuCUPEBOrWB
-56vS8N9bksQwv/XcYIFYqV73kFBAzOPLX2a9igFGvBPdCxFu/t8JCswzE6to4LFM
-2+6Z2QJf442CLPcJKxITahrjJXSxGbzMlmaDvZ5wFCJAlyin+yuInpTwl8rMZe/Q
-O5JeJjzGDgWJtnGdkLUk/l2r6sZ/Cmk5rZpuO0hcUHVztMLQYPzqTpuMvC5p4JzL
-LWGWhKRhJs53NmxXXodck/ZgaqiTWuQFYlbamJRvzVBfX7c1SWHRJvxSSOPKGIg3
-wphkO2naj/SQD+BNuWTRmZ9YCiLOQ64ybLpJzRZISETdqtLBPKsIqosUZwkxlR1N
-9IcgYi5x
------END CERTIFICATE-----
diff --git a/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.d/certs/carolRevokedCert.pem b/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.d/certs/carolRevokedCert.pem
new file mode 100644
index 000000000..a92610c4f
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.d/certs/carolRevokedCert.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEIjCCAwqgAwIBAgIBGzANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA5MDgyNzEwMzEwNloXDTE0MDgyNjEwMzEwNlowWjELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
+cmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBAOHh/BBf9VwUbx3IU2ZvKJylwCUP2Gr40Velcexr
+lR1PoK3nwZrJxxfhhxrxdx7Wnt/PDiF2eyzA9U4cOyS1zPpWuRt69PEOWfzQJZkD
+e5C6bXZMHwJGaCM0h8EugnwI7/XgbEq8U/1PBwIeFh8xSyIwyn8NqyHWm+6haFZG
+Urz7y0ZOAYcX5ZldP8vjm2SyAl0hPlod0ypk2K1igmO8w3cRRFqD27XhztgIJyoi
++BO3umc+BXcpPGoZ7IFaXvHcMVECrxbkrvRdpKiz/4+u8FakQJtBmYuqP2TLodRJ
+TKSJ4UvIPXZ8DTEYC/Ja/wrm1hNfH4T3YjWGT++lVbYF7qECAwEAAaOCAQYwggEC
+MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBQRnt9aYXsi/fgMXGVh
+ZpTfg8kSYjBtBgNVHSMEZjBkgBRdp91wBlEyfue2bbO15eBg6i5N76FJpEcwRTEL
+MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT
+EnN0cm9uZ1N3YW4gUm9vdCBDQYIBADAfBgNVHREEGDAWgRRjYXJvbEBzdHJvbmdz
+d2FuLm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4u
+b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBBAUAA4IBAQCY2EMqkuhtAls/
+jkjXm+sI5YVglE62itSYgJxKZhxoFn3l4Afc6+XBeftK8Y1IjXdeyQUg8qHhkctl
+nBiEzRCClporCOXl5hOzWi+ft2hyKgcx8mFB8Qw5ZE9z8dvY70jdPCB4cH5EVaiC
+6ElGcI02iO073iCe38b3rmpwfnkIWZ0FVjSFSsTiNPLXWH6m6tt9Gux/PFuLff4a
+cdGfEGs01DEp9t0bHqZd6ESf2rEUljT57i9wSBfT5ULj78VTgudw/WhB0CgiXD+f
+q2dZC/19B8Xmk6XmEpRQjFK6wFmfBiQdelJo17/8M4LdT/RfvTHJOxr2OAtvCm2Z
+0xafBd5x
+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.d/private/carolKey-revoked.pem b/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.d/private/carolKey-revoked.pem
deleted file mode 100644
index 8aefcc5a6..000000000
--- a/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.d/private/carolKey-revoked.pem
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEAznjXerUHYQXeylxgPW7Rx70C0gd3GZTf7UTSGpWYuqkhC3Kn
-hItutG6fGmhVS4SkdZeAtvcL+WOOUoIxZaaHDjCNrWsFOMw0ks+PoGjlCfg566qb
-v+Qsc8Zu95Aa1xKwkKTqIuoVNurTCyOLk6CruSaNaBC/SczaOmh8cu9U4C1ZVKP7
-HZvc4d2X9amBOBPDUceNijv806QBF1Nxnb/DHEzfPUBun2LKVzjkYs0gv87MeRPx
-vml2iR0y9WKPPwiyWSR7AlhetVBoI0xmD/J2Vc44AQrPRiqe9dBpizkr6zxe9DZE
-UKvmg7R9FPZVuIj1OAedtyd9SLbmIeXq3GxeDQIDAQABAoIBAAUdyXko8z3cP2EU
-WO4syNYCQQejV7gykDn48pvmCRrXBhKajLwkGGIwO5ET9MkiSFEBqBbgmFNdvDEf
-OMokDkSzv08Ez+RQax0YN57p+oL8u7KzT5i5tsBHsog/8epSdD2hWIv08QGjYAdu
-og7OdHLqGabyg0r44I+B91OBysCjU51rDdkhz59AmURdEIJV5xhuGojFM68jaNm2
-MUxDfDuCsRIydjAP0VTUTAUxD4/S5I+jt/GK9aRsEeRH9Q3011iTGMR9viAUBhq/
-khkWNltg9lkOqO7LpnNku4sSv3v4CWge7/T+4RR2vZgv1oSs4ox2UKYoqIqiYIfx
-uUcnqQECgYEA+LPiRMoXvlssQWlaFc2k4xga0efs+mWeLglDdc3R3fBEibP/AU07
-a576AgvUJtkI50/WNGKT73O+VtxcXn/N646m/8OtqNXuVKKjsxxNOZEKdO8aOdbt
-7lM5WepNiQeaKAFudUxpUiZQx8LCKSsNDiJZKWBu6xAG2O5X32VMZvUCgYEA1Ie+
-rNa490PSC1ym7WbmdAjvGmSOn2GOBfO7BECsPZstccU7D5pZl/89fTfn1TDKP49Y
-ScVOuFz7f/u6UJpb/WzI71RXEQOdojLWmF2HDx5osRi3hXEJa20fbPq6DQXCJ8pf
-IF37AEqAY4UNSNic0Cw+rGHdWPQhDNXhFWpdu7kCgYEAmv4oNmyoDXbuhrlsbggi
-CXE9TbG3a3mm8dPOGf2yHBmf7R2i/6GtNW33Kw1KIwfBV77WpQEGZwWACsv8ONx3
-baUSiHTfpkfk5xQQ5w/tRMISfTuB4agD0jJFnLa7qXl2ZhY2S53aSVsdntDOhi+R
-TEy1umah2Za8Xbd0RgHwcn0CgYEAl9Hgg9dfikMIaNVm6W/4cCtxoojy2Sf3LIlP
-r1oDsH6JmBwsdJjuJ4ZNhoXJNqID2COuDgTEly7U+jf4gFvEGuT7JPw6tgy/Ln7i
-jTVCpaozX08oykpVUEhDirYQ8fyLFaGbEqQQCcUusej59G/IlW0F2F6QoFrEwUaH
-46R4EQECgYBEZ7edMkj3dmJH1wxQjp5GJNbrJkS8IKvzza0mDTJdz33CgEX9Oyva
-o2iEkDVpvj2SEy28ewt22IRptWKH/3bQfxSCcRV6JFNt3+LongMshRYqq1leqrKa
-9fnQVtfTIbIVXwjTZap6BL8R66OeFtexsSFRfDF/8P4n2oF4zmn4qA==
------END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.d/private/carolRevokedKey.pem b/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.d/private/carolRevokedKey.pem
new file mode 100644
index 000000000..60e7fdfa9
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.d/private/carolRevokedKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpQIBAAKCAQEA4eH8EF/1XBRvHchTZm8onKXAJQ/YavjRV6Vx7GuVHU+grefB
+msnHF+GHGvF3Htae388OIXZ7LMD1Thw7JLXM+la5G3r08Q5Z/NAlmQN7kLptdkwf
+AkZoIzSHwS6CfAjv9eBsSrxT/U8HAh4WHzFLIjDKfw2rIdab7qFoVkZSvPvLRk4B
+hxflmV0/y+ObZLICXSE+Wh3TKmTYrWKCY7zDdxFEWoPbteHO2AgnKiL4E7e6Zz4F
+dyk8ahnsgVpe8dwxUQKvFuSu9F2kqLP/j67wVqRAm0GZi6o/ZMuh1ElMpInhS8g9
+dnwNMRgL8lr/CubWE18fhPdiNYZP76VVtgXuoQIDAQABAoIBAQCbF5UAkUJgdM9O
+fat128DgvZXOXLDV0f261igAkmWR+Ih0n3n5E64VoY4oW77Ud7wiI4KqSzWLpvlH
+Jm8dZ45UHJOAYM4pbRcwVKJcC14eI0LhRKbN4xXBhmHnrE1/aIuKIQt5zRFGDarc
+M1gxFqFl2mZPEk18MGRkVoLTKfnJMzdHI1m0IAMwg3Rl9cmuVdkhTS+IAoULVNnI
+0iAOsFN8SdDaKBqRcPkypT5s4wjGH4s7zjW4PmEDwDhhfeHkVccCuH8n3un1bPT2
+oc73RSXdCYMgDTD3waXC+4cCQGPZmUCl6Mfq7YCECkUpUg6rHlaCYRSZZoQPf5vH
+VsBUvjABAoGBAPHSnJOL6tcqJCCZ27E3zIsmZ+d6dX4B/YN1Xk3vKHhavN5Ks6Gx
+ZCsaluMuB2qyBRrpKnSAz6lUQ1TOxzuphlVIX1EnLW+JvNgFyem9PARsP2SMsKqm
+VaqnId6pprdbP53NpL9Z7AsbS/i/Ab6WpVPyYHdqVsimCdRGK9/JlOnBAoGBAO8g
+I4a4dJKiwHBHyP6wkYrhWdYwmjTJlskNNjrvtn7bCJ/Lm0SaGFXKIHCExnenZji0
+bBp3XiFNPlPfjTaXG++3IH6fxYdHonsrkxbUHvGAVETmHVLzeFiAKuUBvrWuKecD
+yoywVenugORQIPal3AcLwPsVRfDU89tTQhiFq3zhAoGBAIqmfy/54URM3Tnz/Yq2
+u4htFNYb2JHPAlQFT3TP0xxuqiuqGSR0WUJ9lFXdZlM+jr7HQZha4rXrok9V39XN
+dUAgpsYY+GwjRSt25jYmUesXRaGZKRIvHJ8kBL9t9jDbGLaZ2gP8wuH7XKvamF12
+coSXS8gsKGYTDT+wnCdLpR4BAoGAFwuV4Ont8iPVP/zrFgCWRjgpnEba1bOH4KBx
+VYS8pcUeM6g/soDXT41HSxDAv89WPqjEslhGrhbvps2oolY1zwhrDUkAlGUG96/f
+YRfYU5X2iR1UPiZQttbDS4a7hm7egvEOmDh2TzE5IsfGJX8ekV9Ene4S637acYy4
+lfxr5oECgYEAzRuvh6aG7UmKwNTfatEKav7/gUH3QBGK+Pp3TPSmR5PKh/Pk4py6
+95bT4mHrKCBIfSv/8h+6baYZr9Ha1Oj++J94RXEi8wdjjl1w3LGQrM/X+0AVqn5P
+b5w1nvRK7bMikIXbZmPJmivrfChcjD21gvWeF6Osq8McWF8jW2HzrZw=
+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.secrets
index 22f06e662..8e31be4cb 100644
--- a/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.secrets
+++ b/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.secrets
@@ -1,3 +1,3 @@
 # /etc/ipsec.secrets - strongSwan IPsec secrets file
 
-: RSA carolKey-revoked.pem
+: RSA carolRevokedKey.pem
diff --git a/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/strongswan.conf
index ef63f7262..572cf39cb 100644
--- a/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/strongswan.conf
index ef63f7262..572cf39cb 100644
--- a/testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/ocsp-root-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-root-cert/hosts/carol/etc/strongswan.conf
index ef63f7262..572cf39cb 100644
--- a/testing/tests/ikev2/ocsp-root-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-root-cert/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/ocsp-root-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-root-cert/hosts/moon/etc/strongswan.conf
index ef63f7262..572cf39cb 100644
--- a/testing/tests/ikev2/ocsp-root-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-root-cert/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/strongswan.conf
index ef63f7262..572cf39cb 100644
--- a/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/ocsp-signer-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-signer-cert/hosts/moon/etc/strongswan.conf
index ef63f7262..572cf39cb 100644
--- a/testing/tests/ikev2/ocsp-signer-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-signer-cert/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/strongswan.conf
index ef63f7262..572cf39cb 100644
--- a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/strongswan.conf
index ef63f7262..572cf39cb 100644
--- a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/strongswan.conf
index ef63f7262..572cf39cb 100644
--- a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/strongswan.conf
index ef63f7262..572cf39cb 100644
--- a/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/strongswan.conf
index ef63f7262..572cf39cb 100644
--- a/testing/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/strongswan.conf
index ef63f7262..572cf39cb 100644
--- a/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/strongswan.conf
index ef63f7262..572cf39cb 100644
--- a/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/strongswan.conf
index ef63f7262..572cf39cb 100644
--- a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/strongswan.conf
index ef63f7262..572cf39cb 100644
--- a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/protoport-dual/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/protoport-dual/hosts/carol/etc/strongswan.conf
index 40eb84b8a..06b1e9f48 100644
--- a/testing/tests/ikev2/protoport-dual/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/protoport-dual/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/protoport-dual/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/protoport-dual/hosts/moon/etc/strongswan.conf
index 40eb84b8a..06b1e9f48 100644
--- a/testing/tests/ikev2/protoport-dual/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/protoport-dual/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/protoport-route/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/protoport-route/hosts/carol/etc/strongswan.conf
index 40eb84b8a..06b1e9f48 100644
--- a/testing/tests/ikev2/protoport-route/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/protoport-route/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/protoport-route/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/protoport-route/hosts/moon/etc/strongswan.conf
index 40eb84b8a..06b1e9f48 100644
--- a/testing/tests/ikev2/protoport-route/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/protoport-route/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/reauth-early/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/reauth-early/hosts/carol/etc/strongswan.conf
index 40eb84b8a..06b1e9f48 100644
--- a/testing/tests/ikev2/reauth-early/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/reauth-early/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/reauth-early/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/reauth-early/hosts/moon/etc/strongswan.conf
index 40eb84b8a..06b1e9f48 100644
--- a/testing/tests/ikev2/reauth-early/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/reauth-early/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/reauth-late/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/reauth-late/hosts/carol/etc/strongswan.conf
index 40eb84b8a..06b1e9f48 100644
--- a/testing/tests/ikev2/reauth-late/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/reauth-late/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/reauth-late/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/reauth-late/hosts/moon/etc/strongswan.conf
index 40eb84b8a..06b1e9f48 100644
--- a/testing/tests/ikev2/reauth-late/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/reauth-late/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf
index da8d70ed7..3361ca6a4 100644
--- a/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
 
 libstrongswan {
diff --git a/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf
index da8d70ed7..3361ca6a4 100644
--- a/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
 
 libstrongswan {
diff --git a/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf
index da8d70ed7..3361ca6a4 100644
--- a/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
 
 libstrongswan {
diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/carol/etc/strongswan.conf
index 831d9e663..5e93e0fe7 100644
--- a/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink fips-prf eapaka eapidentity updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink fips-prf eap-aka eap-aka-3gpp2 eap-identity updown
 }
diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/moon/etc/strongswan.conf
index 831d9e663..5e93e0fe7 100644
--- a/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink fips-prf eapaka eapidentity updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink fips-prf eap-aka eap-aka-3gpp2 eap-identity updown
 }
diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/evaltest.dat b/testing/tests/ikev2/rw-eap-aka-rsa/evaltest.dat
index e12643ef7..3064f02a6 100644
--- a/testing/tests/ikev2/rw-eap-aka-rsa/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-aka-rsa/evaltest.dat
@@ -2,7 +2,7 @@ carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA
 carol::cat /var/log/daemon.log::server requested EAP_AKA authentication::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
 moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon::ipsec statusall::rw-eapaka.*ESTABLISHED::YES
+moon::ipsec statusall::rw-eap-aka.*ESTABLISHED::YES
 carol::ipsec statusall::home.*ESTABLISHED::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf
index 42619b3ee..cc2bb91d2 100644
--- a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink fips-prf eapaka updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink fips-prf eap-aka eap-aka-3gpp2 updown
 }
diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/ipsec.conf
index 459414516..3a1fd98d3 100755
--- a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/ipsec.conf
@@ -11,7 +11,7 @@ conn %default
 	keyingtries=1
 	keyexchange=ikev2
 
-conn rw-eapaka
+conn rw-eap-aka
 	left=PH_IP_MOON
 	leftsubnet=10.1.0.0/16
 	leftid=@moon.strongswan.org
diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf
index 42619b3ee..cc2bb91d2 100644
--- a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink fips-prf eapaka updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink fips-prf eap-aka eap-aka-3gpp2 updown
 }
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/strongswan.conf
index b856adc9e..6922ecc15 100644
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink fips-prf eapmd5 eapidentity updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink fips-prf eap-md5 eap-identity updown
 }
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/strongswan.conf
index 10414b29a..9f3c6bfa3 100644
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/strongswan.conf
@@ -1,10 +1,10 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink fips-prf eapradius eapidentity updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink fips-prf eap-radius eap-identity updown
   plugins {
-    eap_radius {
-      secret = gv6URkSs 
+    eap-radius {
+      secret = gv6URkSs
       server = PH_IP_ALICE
     }
   }
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/strongswan.conf
index a53e44f50..6495d6f6a 100644
--- a/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink fips-prf eapmd5 updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink fips-prf eap-md5 updown
 }
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/strongswan.conf
index cae56a7f6..af2bc1675 100644
--- a/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/strongswan.conf
@@ -1,9 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink fips-prf eapradius updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink fips-prf eap-radius updown
   plugins {
-    eap_radius {
+    eap-radius {
       secret = gv6URkSs 
       server = PH_IP_ALICE
     }
diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf
index a53e44f50..6495d6f6a 100644
--- a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink fips-prf eapmd5 updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink fips-prf eap-md5 updown
 }
diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf
index a53e44f50..6495d6f6a 100644
--- a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink fips-prf eapmd5 updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink fips-prf eap-md5 updown
 }
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/carol/etc/strongswan.conf
index 26ccc84ce..921db4c51 100644
--- a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md4 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink fips-prf eapmschapv2 eapidentity updown
+  load = curl aes des sha1 sha2 md4 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink fips-prf eap-mschapv2 eap-identity updown
 }
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/moon/etc/strongswan.conf
index 26ccc84ce..921db4c51 100644
--- a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md4 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink fips-prf eapmschapv2 eapidentity updown
+  load = curl aes des sha1 sha2 md4 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink fips-prf eap-mschapv2 eap-identity updown
 }
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.d/triplets.dat b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.d/triplets.dat
index 2a750029f..c167ba940 100644
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.d/triplets.dat
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.d/triplets.dat
@@ -1,3 +1,3 @@
-232420100000015,30000000000000000000000000000000,30112233,305566778899AABB
-232420100000015,31000000000000000000000000000000,31112233,315566778899AABB
-232420100000015,32000000000000000000000000000000,32112233,325566778899AABB
+228060123456001,30000000000000000000000000000000,30112233,305566778899AABB
+228060123456001,31000000000000000000000000000000,31112233,315566778899AABB
+228060123456001,32000000000000000000000000000000,32112233,325566778899AABB
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/strongswan.conf
index cc451fc8d..49f69ff0c 100644
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink fips-prf eapsim eapsim-file eapidentity updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink fips-prf eap-sim eap-sim-file eap-identity updown
 }
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/strongswan.conf
index 10414b29a..9f3c6bfa3 100644
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/strongswan.conf
@@ -1,10 +1,10 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink fips-prf eapradius eapidentity updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink fips-prf eap-radius eap-identity updown
   plugins {
-    eap_radius {
-      secret = gv6URkSs 
+    eap-radius {
+      secret = gv6URkSs
       server = PH_IP_ALICE
     }
   }
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/description.txt b/testing/tests/ikev2/rw-eap-sim-only-radius/description.txt
new file mode 100644
index 000000000..d50175664
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/description.txt
@@ -0,0 +1,14 @@
+The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
+The gateway <b>moon</b> does not send an AUTH payload thus signalling
+a mutual <b>EAP-only</b> authentication.
+<b>carol</b> then uses the <i>Extensible Authentication Protocol</i>
+in association with a <i>GSM Subscriber Identity Module</i>
+(<b>EAP-SIM</b>) to authenticate against the gateway <b>moon</b>.
+In this scenario, triplets from the file <b>/etc/ipsec.d/triplets.dat</b>
+are used instead of a physical SIM card on the client <b>carol</b>.
+The gateway forwards all EAP messages to the RADIUS server <b>alice</b>
+which also uses a static triplets file.
+<p>
+The roadwarrior <b>dave</b> sends wrong EAP-SIM triplets. As a consequence
+the radius server <b>alice</b> returns an <b>Access-Reject</b> message
+and the gateway <b>moon</b> sends back an <b>EAP_FAILURE</b>. 	
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-sim-only-radius/evaltest.dat
new file mode 100644
index 000000000..ff3e67459
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/evaltest.dat
@@ -0,0 +1,15 @@
+carol::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES
+carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon::ipsec statusall::rw-eap.*ESTABLISHED.*carol@strongswan.org::YES
+carol::ipsec statusall::home.*ESTABLISHED::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::cat /var/log/daemon.log::received Access-Reject from RADIUS server::YES
+moon::cat /var/log/daemon.log::EAP method EAP_SIM failed for peer dave@strongswan.org::YES
+moon::ipsec statusall::rw-eap.*ESTABLISHED.*dave@strongswan.org::NO
+dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
+dave::ipsec statusall::home.*ESTABLISHED::NO
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/clients.conf
new file mode 100644
index 000000000..f4e179aa4
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/clients.conf
@@ -0,0 +1,4 @@
+client PH_IP_MOON1 {
+  secret    = gv6URkSs 
+  shortname = moon
+}
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/eap.conf
new file mode 100644
index 000000000..a2020424e
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/eap.conf
@@ -0,0 +1,5 @@
+eap {
+  default_eap_type = sim 
+  sim {
+  }
+}
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/proxy.conf
new file mode 100644
index 000000000..23cba8d11
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/proxy.conf
@@ -0,0 +1,5 @@
+realm strongswan.org {
+  type     = radius
+  authhost = LOCAL
+  accthost = LOCAL
+}
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/radiusd.conf
new file mode 100644
index 000000000..d77b818fe
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/radiusd.conf
@@ -0,0 +1,123 @@
+# radiusd.conf	-- FreeRADIUS server configuration file.
+
+prefix = /usr
+exec_prefix = ${prefix}
+sysconfdir = /etc
+localstatedir = /var
+sbindir = ${exec_prefix}/sbin
+logdir = ${localstatedir}/log/radius
+raddbdir = ${sysconfdir}/raddb
+radacctdir = ${logdir}/radacct
+
+#  name of the running server.  See also the "-n" command-line option.
+name = radiusd
+
+#  Location of config and logfiles.
+confdir = ${raddbdir}
+run_dir = ${localstatedir}/run/radiusd
+
+# Should likely be ${localstatedir}/lib/radiusd
+db_dir = ${raddbdir}
+
+# libdir: Where to find the rlm_* modules.
+libdir = ${exec_prefix}/lib
+
+#  pidfile: Where to place the PID of the RADIUS server.
+pidfile = ${run_dir}/${name}.pid
+
+#  max_request_time: The maximum time (in seconds) to handle a request.
+max_request_time = 30
+
+#  cleanup_delay: The time to wait (in seconds) before cleaning up
+cleanup_delay = 5
+
+#  max_requests: The maximum number of requests which the server keeps
+max_requests = 1024
+
+#  listen: Make the server listen on a particular IP address, and send
+listen {
+  type = auth
+  ipaddr = PH_IP_ALICE 
+  port = 0
+}
+
+#  This second "listen" section is for listening on the accounting
+#  port, too.
+#
+listen {
+  type  = acct
+  ipaddr = PH_IP_ALICE 
+  port = 0
+}
+
+#  hostname_lookups: Log the names of clients or just their IP addresses
+hostname_lookups = no
+
+#  Core dumps are a bad thing.  This should only be set to 'yes'
+allow_core_dumps = no
+
+#  Regular expressions
+regular_expressions = yes
+extended_expressions = yes
+
+#  Logging section.  The various "log_*" configuration items
+log {
+  destination = files
+  file = ${logdir}/radius.log
+  syslog_facility = daemon
+  stripped_names = no
+  auth = yes 
+  auth_badpass = yes 
+  auth_goodpass = yes 
+}
+
+#  The program to execute to do concurrency checks.
+checkrad = ${sbindir}/checkrad
+
+#  Security considerations
+security {
+  max_attributes = 200
+  reject_delay = 1
+  status_server = yes
+}
+
+# PROXY CONFIGURATION
+proxy_requests = yes
+$INCLUDE proxy.conf
+
+# CLIENTS CONFIGURATION
+$INCLUDE clients.conf
+
+# THREAD POOL CONFIGURATION
+thread pool {
+  start_servers = 5
+  max_servers = 32
+  min_spare_servers = 3
+  max_spare_servers = 10
+  max_requests_per_server = 0
+}
+
+# MODULE CONFIGURATION
+modules {
+  $INCLUDE ${confdir}/modules/
+  $INCLUDE eap.conf
+  $INCLUDE sql.conf
+  $INCLUDE sql/mysql/counter.conf
+  sim_files {
+    simtriplets = "/etc/raddb/triplets.dat"
+  }
+}
+
+# Instantiation
+instantiate {
+  exec
+  expr
+  expiration
+  logintime
+}
+
+# Policies
+$INCLUDE policy.conf
+
+# Include all enabled virtual hosts
+$INCLUDE sites-enabled/
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/sites-available/default
new file mode 100644
index 000000000..dfceb037d
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/sites-available/default
@@ -0,0 +1,62 @@
+authorize {
+  preprocess
+  chap
+  mschap
+  sim_files
+  suffix
+  eap {
+    ok = return
+  }
+  unix
+  files
+  expiration
+  logintime
+  pap
+}
+
+authenticate {
+  Auth-Type PAP {
+    pap
+  }
+  Auth-Type CHAP {
+    chap
+  }
+  Auth-Type MS-CHAP {
+    mschap
+  }
+  unix
+  eap
+}
+
+preacct {
+  preprocess
+  acct_unique
+  suffix
+  files
+}
+
+accounting {
+  detail
+  unix
+  radutmp
+  attr_filter.accounting_response
+}
+
+session {
+  radutmp
+}
+
+post-auth {
+  exec
+  Post-Auth-Type REJECT {
+    attr_filter.access_reject
+  }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+  eap
+}
+
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/triplets.dat b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/triplets.dat
new file mode 100644
index 000000000..fd0eb19b9
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/triplets.dat
@@ -0,0 +1,7 @@
+carol@strongswan.org,30000000000000000000000000000000,30112233,305566778899AABB
+carol@strongswan.org,31000000000000000000000000000000,31112233,315566778899AABB
+carol@strongswan.org,32000000000000000000000000000000,32112233,325566778899AABB
+dave@strongswan.org,33000000000000000000000000000000,33112233,335566778899AABB
+dave@strongswan.org,34000000000000000000000000000000,34112233,345566778899AABB
+dave@strongswan.org,35000000000000000000000000000000,35112233,355566778899AABB
+
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/users b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/users
new file mode 100644
index 000000000..e69de29bb
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..11b9f0d71
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_CAROL
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	leftauth=eap
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/carol/etc/ipsec.d/triplets.dat b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/carol/etc/ipsec.d/triplets.dat
new file mode 100644
index 000000000..83906807f
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/carol/etc/ipsec.d/triplets.dat
@@ -0,0 +1,3 @@
+carol@strongswan.org,30000000000000000000000000000000,30112233,305566778899AABB
+carol@strongswan.org,31000000000000000000000000000000,31112233,315566778899AABB
+carol@strongswan.org,32000000000000000000000000000000,32112233,325566778899AABB
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..ddd495699
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..fa662875d
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink fips-prf eap-sim eap-sim-file updown
+  send_vendor_id = yes
+}
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..dca65c09f
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_DAVE
+	leftid=dave@strongswan.org
+	leftfirewall=yes
+	leftauth=eap
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/dave/etc/ipsec.d/triplets.dat b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/dave/etc/ipsec.d/triplets.dat
new file mode 100644
index 000000000..a02a42c0d
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/dave/etc/ipsec.d/triplets.dat
@@ -0,0 +1,3 @@
+dave@strongswan.org,33000000000000000000000000000000,33112244,335566778899AABB
+dave@strongswan.org,34000000000000000000000000000000,34112244,345566778899AABB
+dave@strongswan.org,35000000000000000000000000000000,35112244,355566778899AABB
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..ddd495699
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..fa662875d
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink fips-prf eap-sim eap-sim-file updown
+  send_vendor_id = yes
+}
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/init.d/iptables
new file mode 100755
index 000000000..56587b2e8
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/init.d/iptables
@@ -0,0 +1,84 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+	before net
+	need logger
+}
+
+start() {
+	ebegin "Starting firewall"
+
+	# enable IP forwarding
+	echo 1 > /proc/sys/net/ipv4/ip_forward
+	
+	# default policy is DROP
+	/sbin/iptables -P INPUT DROP
+	/sbin/iptables -P OUTPUT DROP
+	/sbin/iptables -P FORWARD DROP
+
+	# allow esp
+	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+	# allow IKE
+	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+	# allow MobIKE
+	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+	# allow crl fetch from winnetou
+	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+	# allow RADIUS protocol with alice
+	iptables -A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+	iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+	# allow ssh
+	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
+	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+	
+			if [ $a == nat ]; then
+				/sbin/iptables -t nat -P PREROUTING ACCEPT
+				/sbin/iptables -t nat -P POSTROUTING ACCEPT
+				/sbin/iptables -t nat -P OUTPUT ACCEPT
+			elif [ $a == mangle ]; then
+				/sbin/iptables -t mangle -P PREROUTING ACCEPT
+				/sbin/iptables -t mangle -P INPUT ACCEPT
+				/sbin/iptables -t mangle -P FORWARD ACCEPT
+				/sbin/iptables -t mangle -P OUTPUT ACCEPT
+				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
+			elif [ $a == filter ]; then
+				/sbin/iptables -t filter -P INPUT ACCEPT
+				/sbin/iptables -t filter -P FORWARD ACCEPT
+				/sbin/iptables -t filter -P OUTPUT ACCEPT
+			fi
+		done
+	eend $?
+}
+
+reload() {
+	ebegin "Flushing firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+		done;
+        eend $?
+	start
+}
+
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..e3f4694bd
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn rw-eap
+	left=PH_IP_MOON
+	leftsubnet=10.1.0.0/16
+	leftid=@moon.strongswan.org
+	leftcert=moonCert.pem
+	leftauth=eap
+	leftfirewall=yes
+	rightid=*@strongswan.org
+	rightsendcert=never
+	rightauth=eap-radius
+	right=%any
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..ddd495699
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..ac8f98b70
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,12 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink fips-prf eap-radius updown
+  send_vendor_id = yes
+  plugins {
+    eap-radius {
+      secret = gv6URkSs 
+      server = PH_IP_ALICE
+    }
+  }
+}
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/posttest.dat b/testing/tests/ikev2/rw-eap-sim-only-radius/posttest.dat
new file mode 100644
index 000000000..dbe56013a
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/posttest.dat
@@ -0,0 +1,7 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+alice::/etc/init.d/radiusd stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/pretest.dat b/testing/tests/ikev2/rw-eap-sim-only-radius/pretest.dat
new file mode 100644
index 000000000..6a30756b7
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/pretest.dat
@@ -0,0 +1,18 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+moon::rm /etc/ipsec.d/cacerts/*
+carol::rm /etc/ipsec.d/cacerts/*
+dave::rm /etc/ipsec.d/cacerts/*
+alice::cat /etc/raddb/clients.conf
+alice::cat /etc/raddb/eap.conf
+alice::cat /etc/raddb/proxy.conf
+alice::cat /etc/raddb/triplets.dat
+alice::/etc/init.d/radiusd start
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
+dave::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/test.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/test.conf
new file mode 100644
index 000000000..70416826e
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-radius/hosts/carol/etc/strongswan.conf
index e2388268c..fcb1cf201 100644
--- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink fips-prf eapsim eapsim-file updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink fips-prf eap-sim eap-sim-file updown
 }
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/strongswan.conf
index e2388268c..fcb1cf201 100644
--- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink fips-prf eapsim eapsim-file updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink fips-prf eap-sim eap-sim-file updown
 }
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/strongswan.conf
index cae56a7f6..af2bc1675 100644
--- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/strongswan.conf
@@ -1,9 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink fips-prf eapradius updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink fips-prf eap-radius updown
   plugins {
-    eap_radius {
+    eap-radius {
       secret = gv6URkSs 
       server = PH_IP_ALICE
     }
diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/evaltest.dat b/testing/tests/ikev2/rw-eap-sim-rsa/evaltest.dat
index 194434a1e..53c7e71ce 100644
--- a/testing/tests/ikev2/rw-eap-sim-rsa/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-rsa/evaltest.dat
@@ -1,7 +1,7 @@
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
 moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon::ipsec statusall::rw-eapsim.*ESTABLISHED::YES
+moon::ipsec statusall::rw-eap-sim.*ESTABLISHED::YES
 carol::ipsec statusall::home.*ESTABLISHED::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/ipsec.d/triplets.dat b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/ipsec.d/triplets.dat
index 759585439..83906807f 100644
--- a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/ipsec.d/triplets.dat
+++ b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/ipsec.d/triplets.dat
@@ -1,3 +1,3 @@
-moon.strongswan.org,100,210,310
-moon.strongswan.org,200,220,320
-moon.strongswan.org,300,230,330
+carol@strongswan.org,30000000000000000000000000000000,30112233,305566778899AABB
+carol@strongswan.org,31000000000000000000000000000000,31112233,315566778899AABB
+carol@strongswan.org,32000000000000000000000000000000,32112233,325566778899AABB
diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf
index e2388268c..fcb1cf201 100644
--- a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink fips-prf eapsim eapsim-file updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink fips-prf eap-sim eap-sim-file updown
 }
diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/ipsec.conf
index 53ecb4d70..ea62749be 100755
--- a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/ipsec.conf
@@ -11,7 +11,7 @@ conn %default
 	keyingtries=1
 	keyexchange=ikev2
 
-conn rw-eapsim
+conn rw-eap-sim
 	left=PH_IP_MOON
 	leftsubnet=10.1.0.0/16
 	leftid=@moon.strongswan.org
diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/ipsec.d/triplets.dat b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/ipsec.d/triplets.dat
index b15a1dd72..83906807f 100644
--- a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/ipsec.d/triplets.dat
+++ b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/ipsec.d/triplets.dat
@@ -1,3 +1,3 @@
-carol@strongswan.org,100,210,310
-carol@strongswan.org,200,220,320
-carol@strongswan.org,300,230,330
+carol@strongswan.org,30000000000000000000000000000000,30112233,305566778899AABB
+carol@strongswan.org,31000000000000000000000000000000,31112233,315566778899AABB
+carol@strongswan.org,32000000000000000000000000000000,32112233,325566778899AABB
diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf
index e2388268c..fcb1cf201 100644
--- a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink fips-prf eapsim eapsim-file updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink fips-prf eap-sim eap-sim-file updown
 }
diff --git a/testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/strongswan.conf
index 8451ac81a..4732113fa 100644
--- a/testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/strongswan.conf
index 8451ac81a..4732113fa 100644
--- a/testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/strongswan.conf
index 8451ac81a..4732113fa 100644
--- a/testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/rw-psk-fqdn/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-fqdn/hosts/carol/etc/strongswan.conf
index 20c58007c..f82f32d1d 100644
--- a/testing/tests/ikev2/rw-psk-fqdn/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-fqdn/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink updown
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/rw-psk-fqdn/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-fqdn/hosts/dave/etc/strongswan.conf
index 20c58007c..f82f32d1d 100644
--- a/testing/tests/ikev2/rw-psk-fqdn/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-fqdn/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink updown
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/rw-psk-fqdn/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-fqdn/hosts/moon/etc/strongswan.conf
index 20c58007c..f82f32d1d 100644
--- a/testing/tests/ikev2/rw-psk-fqdn/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-fqdn/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink updown
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
index 20c58007c..f82f32d1d 100644
--- a/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink updown
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
index 20c58007c..f82f32d1d 100644
--- a/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink updown
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
index 20c58007c..f82f32d1d 100644
--- a/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink updown
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/rw-psk-no-idr/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-no-idr/hosts/carol/etc/strongswan.conf
index 20c58007c..f82f32d1d 100644
--- a/testing/tests/ikev2/rw-psk-no-idr/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-no-idr/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink updown
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/rw-psk-no-idr/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-no-idr/hosts/dave/etc/strongswan.conf
index 20c58007c..f82f32d1d 100644
--- a/testing/tests/ikev2/rw-psk-no-idr/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-no-idr/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink updown
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/rw-psk-no-idr/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-no-idr/hosts/moon/etc/strongswan.conf
index 20c58007c..f82f32d1d 100644
--- a/testing/tests/ikev2/rw-psk-no-idr/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-no-idr/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink updown
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/strongswan.conf
index 40eb84b8a..06b1e9f48 100644
--- a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/strongswan.conf
index 40eb84b8a..06b1e9f48 100644
--- a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/strongswan.conf
index 40eb84b8a..06b1e9f48 100644
--- a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf
index 40eb84b8a..06b1e9f48 100644
--- a/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf
index 40eb84b8a..06b1e9f48 100644
--- a/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf
index 40eb84b8a..06b1e9f48 100644
--- a/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/strongswan.conf
index 40eb84b8a..06b1e9f48 100644
--- a/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/strongswan.conf
index 40eb84b8a..06b1e9f48 100644
--- a/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/strongswan.conf
index 40eb84b8a..06b1e9f48 100644
--- a/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/two-certs/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/two-certs/hosts/carol/etc/strongswan.conf
index 40eb84b8a..06b1e9f48 100644
--- a/testing/tests/ikev2/two-certs/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/two-certs/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/two-certs/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/two-certs/hosts/moon/etc/strongswan.conf
index 40eb84b8a..06b1e9f48 100644
--- a/testing/tests/ikev2/two-certs/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/two-certs/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/virtual-ip-override/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/virtual-ip-override/hosts/carol/etc/strongswan.conf
index 40eb84b8a..06b1e9f48 100644
--- a/testing/tests/ikev2/virtual-ip-override/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/virtual-ip-override/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/virtual-ip-override/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/virtual-ip-override/hosts/dave/etc/strongswan.conf
index 40eb84b8a..06b1e9f48 100644
--- a/testing/tests/ikev2/virtual-ip-override/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/virtual-ip-override/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/virtual-ip-override/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/virtual-ip-override/hosts/moon/etc/strongswan.conf
index 40eb84b8a..06b1e9f48 100644
--- a/testing/tests/ikev2/virtual-ip-override/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/virtual-ip-override/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/virtual-ip/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/virtual-ip/hosts/carol/etc/strongswan.conf
index 40eb84b8a..06b1e9f48 100644
--- a/testing/tests/ikev2/virtual-ip/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/virtual-ip/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/virtual-ip/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/virtual-ip/hosts/dave/etc/strongswan.conf
index 40eb84b8a..06b1e9f48 100644
--- a/testing/tests/ikev2/virtual-ip/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/virtual-ip/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/virtual-ip/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/virtual-ip/hosts/moon/etc/strongswan.conf
index 40eb84b8a..06b1e9f48 100644
--- a/testing/tests/ikev2/virtual-ip/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/virtual-ip/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ikev2/wildcards/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/wildcards/hosts/carol/etc/strongswan.conf
index ef63f7262..572cf39cb 100644
--- a/testing/tests/ikev2/wildcards/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/wildcards/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/wildcards/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/wildcards/hosts/dave/etc/strongswan.conf
index ef63f7262..572cf39cb 100644
--- a/testing/tests/ikev2/wildcards/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/wildcards/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ikev2/wildcards/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/wildcards/hosts/moon/etc/strongswan.conf
index ef63f7262..572cf39cb 100644
--- a/testing/tests/ikev2/wildcards/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/wildcards/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
 }
diff --git a/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/init.d/iptables b/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/init.d/iptables
index 25074a0f1..b3509f8df 100755
--- a/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/init.d/iptables
+++ b/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/init.d/iptables
@@ -37,9 +37,6 @@ start() {
 	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
 	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
 
-	# allow last UDP fragment
-	ip6tables -A INPUT -i eth0 -p udp -m frag --fraglast -j ACCEPT
-
 	# allow ICMPv6 neighbor-solicitations
 	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
 	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
@@ -48,9 +45,9 @@ start() {
 	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
 	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
 
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+	# allow crl and certificate fetch from winnetou
+	ip6tables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
+	ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
 
 	# allow ssh
 	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
diff --git a/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/ipsec.conf
index ccc8037b5..930ae5785 100755
--- a/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/ipsec.conf
@@ -5,6 +5,12 @@ config setup
 	crlcheckinterval=180
 	plutostart=no
 
+ca strongswan
+	cacert=strongswanCert.pem
+	certuribase=http://ip6-winnetou.strongswan.org/certs/
+	crluri=http://ip6-winnetou.strongswan.org/strongswan.crl
+	auto=add
+
 conn %default
 	ikelifetime=60m
 	keylife=20m
diff --git a/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/strongswan.conf
index 40eb84b8a..4732113fa 100644
--- a/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  hash_and_url = yes
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/init.d/iptables b/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/init.d/iptables
index 25074a0f1..b3509f8df 100755
--- a/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/init.d/iptables
+++ b/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/init.d/iptables
@@ -37,9 +37,6 @@ start() {
 	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
 	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
 
-	# allow last UDP fragment
-	ip6tables -A INPUT -i eth0 -p udp -m frag --fraglast -j ACCEPT
-
 	# allow ICMPv6 neighbor-solicitations
 	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
 	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
@@ -48,9 +45,9 @@ start() {
 	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
 	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
 
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+	# allow crl and certificate fetch from winnetou
+	ip6tables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
+	ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
 
 	# allow ssh
 	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
diff --git a/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/ipsec.conf
index 1ec8b49d6..d7653f1c3 100755
--- a/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/ipsec.conf
@@ -5,6 +5,12 @@ config setup
 	crlcheckinterval=180
 	plutostart=no
 
+ca strongswan
+	cacert=strongswanCert.pem
+	certuribase=http://ip6-winnetou.strongswan.org/certs/
+	crluri=http://ip6-winnetou.strongswan.org/strongswan.crl
+	auto=add
+
 conn %default
 	ikelifetime=60m
 	keylife=20m
diff --git a/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/strongswan.conf
index 40eb84b8a..4732113fa 100644
--- a/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  hash_and_url = yes
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ipv6/host2host-ikev2/pretest.dat b/testing/tests/ipv6/host2host-ikev2/pretest.dat
index 3536fd886..7e97e7783 100644
--- a/testing/tests/ipv6/host2host-ikev2/pretest.dat
+++ b/testing/tests/ipv6/host2host-ikev2/pretest.dat
@@ -4,3 +4,4 @@ moon::ipsec start
 sun::ipsec start
 moon::sleep 2 
 moon::ipsec up host-host
+moon::sleep 1
diff --git a/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/init.d/iptables b/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/init.d/iptables
index 25074a0f1..b3509f8df 100755
--- a/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/init.d/iptables
+++ b/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/init.d/iptables
@@ -37,9 +37,6 @@ start() {
 	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
 	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
 
-	# allow last UDP fragment
-	ip6tables -A INPUT -i eth0 -p udp -m frag --fraglast -j ACCEPT
-
 	# allow ICMPv6 neighbor-solicitations
 	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
 	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
@@ -48,9 +45,9 @@ start() {
 	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
 	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
 
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+	# allow crl and certificate fetch from winnetou
+	ip6tables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
+	ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
 
 	# allow ssh
 	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
diff --git a/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/ipsec.conf
index 651e17e90..155cf1d4c 100755
--- a/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/ipsec.conf
@@ -5,6 +5,12 @@ config setup
 	crlcheckinterval=180
 	plutostart=no
 
+ca strongswan
+	cacert=strongswanCert.pem
+	certuribase=http://ip6-winnetou.strongswan.org/certs/
+	crluri=http://ip6-winnetou.strongswan.org/strongswan.crl
+	auto=add
+
 conn %default
 	ikelifetime=60m
 	keylife=20m
diff --git a/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/strongswan.conf
index 40eb84b8a..4732113fa 100644
--- a/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  hash_and_url = yes
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/init.d/iptables b/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/init.d/iptables
index 25074a0f1..b3509f8df 100755
--- a/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/init.d/iptables
+++ b/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/init.d/iptables
@@ -37,9 +37,6 @@ start() {
 	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
 	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
 
-	# allow last UDP fragment
-	ip6tables -A INPUT -i eth0 -p udp -m frag --fraglast -j ACCEPT
-
 	# allow ICMPv6 neighbor-solicitations
 	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
 	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
@@ -48,9 +45,9 @@ start() {
 	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
 	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
 
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+	# allow crl and certificate fetch from winnetou
+	ip6tables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
+	ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
 
 	# allow ssh
 	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
diff --git a/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/ipsec.conf
index 4ba0bcbc0..09abc7b02 100755
--- a/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/ipsec.conf
@@ -5,6 +5,12 @@ config setup
 	crlcheckinterval=180
 	plutostart=no
 
+ca strongswan
+	cacert=strongswanCert.pem
+	certuribase=http://ip6-winnetou.strongswan.org/certs/
+	crluri=http://ip6-winnetou.strongswan.org/strongswan.crl
+	auto=add
+
 conn %default
 	ikelifetime=60m
 	keylife=20m
diff --git a/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/strongswan.conf
index 40eb84b8a..4732113fa 100644
--- a/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  hash_and_url = yes
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ipv6/net2net-ikev2/pretest.dat b/testing/tests/ipv6/net2net-ikev2/pretest.dat
index e360bfbaa..8a8af2ccb 100644
--- a/testing/tests/ipv6/net2net-ikev2/pretest.dat
+++ b/testing/tests/ipv6/net2net-ikev2/pretest.dat
@@ -8,3 +8,4 @@ moon::ipsec start
 sun::ipsec start
 moon::sleep 2 
 moon::ipsec up net-net
+moon::sleep 1
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/description.txt b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/description.txt
new file mode 100644
index 000000000..62fff0b30
--- /dev/null
+++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/description.txt
@@ -0,0 +1,4 @@
+An IPv6 ESP tunnel connection between the gateways <b>moon</b> and <b>sun</b> is successfully set up.
+It connects the two IPv4 subnets hiding behind their respective gateways. The authentication is based on
+X.509 certificates. In order to test the IPv4-over-IPv6 ESP tunnel, client <b>alice</b> behind <b>moon</b>
+sends an IPv4 ICMP request to client <b>bob</b> behind <b>sun</b> using the ping command.
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/evaltest.dat b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/evaltest.dat
new file mode 100644
index 000000000..077899e36
--- /dev/null
+++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/evaltest.dat
@@ -0,0 +1,5 @@
+moon::ipsec status::net-net.*STATE_QUICK_I2.*IPsec SA established::YES
+sun::ipsec status::net.net.*STATE_QUICK_R2.*IPsec SA established::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES
+sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/init.d/iptables b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/init.d/iptables
new file mode 100755
index 000000000..25074a0f1
--- /dev/null
+++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/init.d/iptables
@@ -0,0 +1,107 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+	before net
+	need logger
+}
+
+start() {
+	ebegin "Starting firewall"
+
+	# enable IP forwarding
+	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
+	echo 1 > /proc/sys/net/ipv4/ip_forward
+	
+	# default policy is DROP
+	/sbin/iptables -P INPUT DROP
+	/sbin/iptables -P OUTPUT DROP
+	/sbin/iptables -P FORWARD DROP
+
+	/sbin/ip6tables -P INPUT DROP
+	/sbin/ip6tables -P OUTPUT DROP
+	/sbin/ip6tables -P FORWARD DROP
+
+	# allow esp
+	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
+	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+	# allow IKE
+	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+	# allow MobIKE
+	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+	# allow last UDP fragment
+	ip6tables -A INPUT -i eth0 -p udp -m frag --fraglast -j ACCEPT
+
+	# allow ICMPv6 neighbor-solicitations
+	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+	
+	# allow ICMPv6 neighbor-advertisements
+	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+
+	# allow crl fetch from winnetou
+	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+	# allow ssh
+	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
+	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+	# log dropped packets
+	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
+	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
+
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/ip6tables -F -t $a
+			/sbin/ip6tables -X -t $a
+
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+	
+			if [ $a == nat ]; then
+				/sbin/iptables -t nat -P PREROUTING ACCEPT
+				/sbin/iptables -t nat -P POSTROUTING ACCEPT
+				/sbin/iptables -t nat -P OUTPUT ACCEPT
+			elif [ $a == mangle ]; then
+				/sbin/iptables -t mangle -P PREROUTING ACCEPT
+				/sbin/iptables -t mangle -P INPUT ACCEPT
+				/sbin/iptables -t mangle -P FORWARD ACCEPT
+				/sbin/iptables -t mangle -P OUTPUT ACCEPT
+				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
+			elif [ $a == filter ]; then
+				/sbin/ip6tables -t filter -P INPUT ACCEPT
+				/sbin/ip6tables -t filter -P FORWARD ACCEPT
+				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
+
+				/sbin/iptables -t filter -P INPUT ACCEPT
+				/sbin/iptables -t filter -P FORWARD ACCEPT
+				/sbin/iptables -t filter -P OUTPUT ACCEPT
+			fi
+		done
+	eend $?
+}
+
+reload() {
+	ebegin "Flushing firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/ip6tables -F -t $a
+			/sbin/ip6tables -X -t $a
+		done;
+        eend $?
+	start
+}
+
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..1781313cc
--- /dev/null
+++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,28 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	strictcrlpolicy=no
+	crlcheckinterval=180
+	charonstart=no
+	plutodebug=control
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+	mobike=no
+
+conn net-net
+	also=host-host
+	leftsubnet=10.1.0.0/16
+	rightsubnet=10.2.0.0/16
+
+conn host-host
+	left=PH_IP6_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	right=PH_IP6_SUN
+	rightid=@sun.strongswan.org
+	auto=add
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/init.d/iptables b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/init.d/iptables
new file mode 100755
index 000000000..25074a0f1
--- /dev/null
+++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/init.d/iptables
@@ -0,0 +1,107 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+	before net
+	need logger
+}
+
+start() {
+	ebegin "Starting firewall"
+
+	# enable IP forwarding
+	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
+	echo 1 > /proc/sys/net/ipv4/ip_forward
+	
+	# default policy is DROP
+	/sbin/iptables -P INPUT DROP
+	/sbin/iptables -P OUTPUT DROP
+	/sbin/iptables -P FORWARD DROP
+
+	/sbin/ip6tables -P INPUT DROP
+	/sbin/ip6tables -P OUTPUT DROP
+	/sbin/ip6tables -P FORWARD DROP
+
+	# allow esp
+	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
+	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+	# allow IKE
+	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+	# allow MobIKE
+	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+	# allow last UDP fragment
+	ip6tables -A INPUT -i eth0 -p udp -m frag --fraglast -j ACCEPT
+
+	# allow ICMPv6 neighbor-solicitations
+	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+	
+	# allow ICMPv6 neighbor-advertisements
+	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+
+	# allow crl fetch from winnetou
+	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+	# allow ssh
+	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
+	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+	# log dropped packets
+	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
+	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
+
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/ip6tables -F -t $a
+			/sbin/ip6tables -X -t $a
+
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+	
+			if [ $a == nat ]; then
+				/sbin/iptables -t nat -P PREROUTING ACCEPT
+				/sbin/iptables -t nat -P POSTROUTING ACCEPT
+				/sbin/iptables -t nat -P OUTPUT ACCEPT
+			elif [ $a == mangle ]; then
+				/sbin/iptables -t mangle -P PREROUTING ACCEPT
+				/sbin/iptables -t mangle -P INPUT ACCEPT
+				/sbin/iptables -t mangle -P FORWARD ACCEPT
+				/sbin/iptables -t mangle -P OUTPUT ACCEPT
+				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
+			elif [ $a == filter ]; then
+				/sbin/ip6tables -t filter -P INPUT ACCEPT
+				/sbin/ip6tables -t filter -P FORWARD ACCEPT
+				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
+
+				/sbin/iptables -t filter -P INPUT ACCEPT
+				/sbin/iptables -t filter -P FORWARD ACCEPT
+				/sbin/iptables -t filter -P OUTPUT ACCEPT
+			fi
+		done
+	eend $?
+}
+
+reload() {
+	ebegin "Flushing firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/ip6tables -F -t $a
+			/sbin/ip6tables -X -t $a
+		done;
+        eend $?
+	start
+}
+
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/ipsec.conf
new file mode 100755
index 000000000..2caf09104
--- /dev/null
+++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,28 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	strictcrlpolicy=no
+	crlcheckinterval=180
+	charonstart=no
+	plutodebug=control
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+	mobike=no
+
+conn net-net
+	also=host-host
+	leftsubnet=10.2.0.0/16
+	rightsubnet=10.1.0.0/16
+
+conn host-host
+	left=PH_IP6_SUN
+	leftcert=sunCert.pem
+	leftid=@sun.strongswan.org
+	right=PH_IP6_MOON
+	rightid=@moon.strongswan.org
+	auto=add
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/posttest.dat b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/posttest.dat
new file mode 100644
index 000000000..dff181797
--- /dev/null
+++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/posttest.dat
@@ -0,0 +1,2 @@
+moon::ipsec stop
+sun::ipsec stop
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/pretest.dat b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/pretest.dat
new file mode 100644
index 000000000..a96b719bf
--- /dev/null
+++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/pretest.dat
@@ -0,0 +1,7 @@
+moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+sun::echo 1 > /proc/sys/net/ipv4/ip_forward
+moon::ipsec start
+sun::ipsec start
+moon::sleep 2 
+moon::ipsec up net-net
+moon::sleep 2 
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/test.conf b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/test.conf
new file mode 100644
index 000000000..cab801a1c
--- /dev/null
+++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon winnetou sun bob"
+ 
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b-ip4-in-ip6.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/init.d/iptables b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/init.d/iptables
index 25074a0f1..b3509f8df 100755
--- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/init.d/iptables
+++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/init.d/iptables
@@ -37,9 +37,6 @@ start() {
 	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
 	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
 
-	# allow last UDP fragment
-	ip6tables -A INPUT -i eth0 -p udp -m frag --fraglast -j ACCEPT
-
 	# allow ICMPv6 neighbor-solicitations
 	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
 	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
@@ -48,9 +45,9 @@ start() {
 	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
 	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
 
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+	# allow crl and certificate fetch from winnetou
+	ip6tables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
+	ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
 
 	# allow ssh
 	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/ipsec.conf
index ddc965c01..c47ff8059 100755
--- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/ipsec.conf
@@ -5,6 +5,12 @@ config setup
 	crlcheckinterval=180
 	plutostart=no
 
+ca strongswan
+	cacert=strongswanCert.pem
+	certuribase=http://ip6-winnetou.strongswan.org/certs/
+	crluri=http://ip6-winnetou.strongswan.org/strongswan.crl
+	auto=add
+
 conn %default
 	ikelifetime=60m
 	keylife=20m
@@ -22,6 +28,7 @@ conn host-host
 	left=PH_IP6_MOON
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
+	leftfirewall=yes
 	right=PH_IP6_SUN
 	rightid=@sun.strongswan.org
 	auto=add
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/strongswan.conf
index ef63f7262..4732113fa 100644
--- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  hash_and_url = yes
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/init.d/iptables b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/init.d/iptables
index 25074a0f1..b3509f8df 100755
--- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/init.d/iptables
+++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/init.d/iptables
@@ -37,9 +37,6 @@ start() {
 	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
 	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
 
-	# allow last UDP fragment
-	ip6tables -A INPUT -i eth0 -p udp -m frag --fraglast -j ACCEPT
-
 	# allow ICMPv6 neighbor-solicitations
 	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
 	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
@@ -48,9 +45,9 @@ start() {
 	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
 	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
 
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+	# allow crl and certificate fetch from winnetou
+	ip6tables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
+	ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
 
 	# allow ssh
 	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/ipsec.conf
index b02136ffe..c1041bd87 100755
--- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/ipsec.conf
@@ -5,6 +5,12 @@ config setup
 	crlcheckinterval=180
 	plutostart=no
 
+ca strongswan
+	cacert=strongswanCert.pem
+	certuribase=http://ip6-winnetou.strongswan.org/certs/
+	crluri=http://ip6-winnetou.org/strongswan.crl
+	auto=add
+
 conn %default
 	ikelifetime=60m
 	keylife=20m
@@ -22,6 +28,7 @@ conn host-host
 	left=PH_IP6_SUN
 	leftcert=sunCert.pem
 	leftid=@sun.strongswan.org
+	leftfirewall=yes
 	right=PH_IP6_MOON
 	rightid=@moon.strongswan.org
 	auto=add
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/strongswan.conf
index ef63f7262..4732113fa 100644
--- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  hash_and_url = yes
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/posttest.dat b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/posttest.dat
index dff181797..5a9150bc8 100644
--- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/posttest.dat
+++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/posttest.dat
@@ -1,2 +1,4 @@
 moon::ipsec stop
 sun::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/pretest.dat b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/pretest.dat
index 071827b66..a88456d52 100644
--- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/pretest.dat
+++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/pretest.dat
@@ -1,6 +1,7 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-sun::echo 1 > /proc/sys/net/ipv4/ip_forward
+moon::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
 moon::ipsec start
 sun::ipsec start
 moon::sleep 2 
 moon::ipsec up net-net
+moon::sleep 2 
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/description.txt b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/description.txt
new file mode 100644
index 000000000..5952ecc2d
--- /dev/null
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/description.txt
@@ -0,0 +1,6 @@
+An IPv6 ESP tunnel connection between the gateways <b>moon</b> and <b>sun</b> is successfully set up.
+It connects the two subnets hiding behind their respective gateways. The authentication is based on
+X.509 certificates. Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b>
+automatically inserts ip6tables-based firewall rules that let pass the tunneled traffic.
+In order to test both the net-to-net tunnel and the firewall rules, client <b>alice</b> behind <b>moon</b>
+sends an IPv6 ICMP request to client <b>bob</b> behind <b>sun</b> using the ping6 command.
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/evaltest.dat b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/evaltest.dat
new file mode 100644
index 000000000..2f73ef7d8
--- /dev/null
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/evaltest.dat
@@ -0,0 +1,5 @@
+moon::ipsec status::net-net.*STATE_QUICK_I2.*IPsec SA established::YES
+sun::ipsec status::net.net.*STATE_QUICK_R2.*IPsec SA established::YES
+alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org: icmp_seq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/init.d/iptables b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/init.d/iptables
new file mode 100755
index 000000000..25074a0f1
--- /dev/null
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/init.d/iptables
@@ -0,0 +1,107 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+	before net
+	need logger
+}
+
+start() {
+	ebegin "Starting firewall"
+
+	# enable IP forwarding
+	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
+	echo 1 > /proc/sys/net/ipv4/ip_forward
+	
+	# default policy is DROP
+	/sbin/iptables -P INPUT DROP
+	/sbin/iptables -P OUTPUT DROP
+	/sbin/iptables -P FORWARD DROP
+
+	/sbin/ip6tables -P INPUT DROP
+	/sbin/ip6tables -P OUTPUT DROP
+	/sbin/ip6tables -P FORWARD DROP
+
+	# allow esp
+	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
+	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+	# allow IKE
+	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+	# allow MobIKE
+	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+	# allow last UDP fragment
+	ip6tables -A INPUT -i eth0 -p udp -m frag --fraglast -j ACCEPT
+
+	# allow ICMPv6 neighbor-solicitations
+	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+	
+	# allow ICMPv6 neighbor-advertisements
+	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+
+	# allow crl fetch from winnetou
+	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+	# allow ssh
+	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
+	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+	# log dropped packets
+	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
+	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
+
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/ip6tables -F -t $a
+			/sbin/ip6tables -X -t $a
+
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+	
+			if [ $a == nat ]; then
+				/sbin/iptables -t nat -P PREROUTING ACCEPT
+				/sbin/iptables -t nat -P POSTROUTING ACCEPT
+				/sbin/iptables -t nat -P OUTPUT ACCEPT
+			elif [ $a == mangle ]; then
+				/sbin/iptables -t mangle -P PREROUTING ACCEPT
+				/sbin/iptables -t mangle -P INPUT ACCEPT
+				/sbin/iptables -t mangle -P FORWARD ACCEPT
+				/sbin/iptables -t mangle -P OUTPUT ACCEPT
+				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
+			elif [ $a == filter ]; then
+				/sbin/ip6tables -t filter -P INPUT ACCEPT
+				/sbin/ip6tables -t filter -P FORWARD ACCEPT
+				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
+
+				/sbin/iptables -t filter -P INPUT ACCEPT
+				/sbin/iptables -t filter -P FORWARD ACCEPT
+				/sbin/iptables -t filter -P OUTPUT ACCEPT
+			fi
+		done
+	eend $?
+}
+
+reload() {
+	ebegin "Flushing firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/ip6tables -F -t $a
+			/sbin/ip6tables -X -t $a
+		done;
+        eend $?
+	start
+}
+
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..773d2ed48
--- /dev/null
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	strictcrlpolicy=no
+	crlcheckinterval=180
+	plutodebug=control
+	charonstart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+
+conn net-net 
+	left=PH_IP_MOON
+	leftnexthop=%direct
+	leftsubnet=fec1::0/16
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	right=PH_IP_SUN
+	rightsubnet=fec2::0/16
+	rightid=@sun.strongswan.org
+	auto=add
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..4e73b5292
--- /dev/null
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 x509 gmp random hmac
+}
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/init.d/iptables b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/init.d/iptables
new file mode 100755
index 000000000..25074a0f1
--- /dev/null
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/init.d/iptables
@@ -0,0 +1,107 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+	before net
+	need logger
+}
+
+start() {
+	ebegin "Starting firewall"
+
+	# enable IP forwarding
+	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
+	echo 1 > /proc/sys/net/ipv4/ip_forward
+	
+	# default policy is DROP
+	/sbin/iptables -P INPUT DROP
+	/sbin/iptables -P OUTPUT DROP
+	/sbin/iptables -P FORWARD DROP
+
+	/sbin/ip6tables -P INPUT DROP
+	/sbin/ip6tables -P OUTPUT DROP
+	/sbin/ip6tables -P FORWARD DROP
+
+	# allow esp
+	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
+	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+	# allow IKE
+	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+	# allow MobIKE
+	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+	# allow last UDP fragment
+	ip6tables -A INPUT -i eth0 -p udp -m frag --fraglast -j ACCEPT
+
+	# allow ICMPv6 neighbor-solicitations
+	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+	
+	# allow ICMPv6 neighbor-advertisements
+	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+
+	# allow crl fetch from winnetou
+	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+	# allow ssh
+	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
+	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+	# log dropped packets
+	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
+	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
+
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/ip6tables -F -t $a
+			/sbin/ip6tables -X -t $a
+
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+	
+			if [ $a == nat ]; then
+				/sbin/iptables -t nat -P PREROUTING ACCEPT
+				/sbin/iptables -t nat -P POSTROUTING ACCEPT
+				/sbin/iptables -t nat -P OUTPUT ACCEPT
+			elif [ $a == mangle ]; then
+				/sbin/iptables -t mangle -P PREROUTING ACCEPT
+				/sbin/iptables -t mangle -P INPUT ACCEPT
+				/sbin/iptables -t mangle -P FORWARD ACCEPT
+				/sbin/iptables -t mangle -P OUTPUT ACCEPT
+				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
+			elif [ $a == filter ]; then
+				/sbin/ip6tables -t filter -P INPUT ACCEPT
+				/sbin/ip6tables -t filter -P FORWARD ACCEPT
+				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
+
+				/sbin/iptables -t filter -P INPUT ACCEPT
+				/sbin/iptables -t filter -P FORWARD ACCEPT
+				/sbin/iptables -t filter -P OUTPUT ACCEPT
+			fi
+		done
+	eend $?
+}
+
+reload() {
+	ebegin "Flushing firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/ip6tables -F -t $a
+			/sbin/ip6tables -X -t $a
+		done;
+        eend $?
+	start
+}
+
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/ipsec.conf
new file mode 100755
index 000000000..bb3f4f765
--- /dev/null
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	strictcrlpolicy=no
+	crlcheckinterval=180
+	plutodebug=control
+	charonstart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+
+conn net-net
+	left=PH_IP_SUN
+	leftnexthop=%direct
+	leftsubnet=fec2::0/16
+	leftcert=sunCert.pem
+	leftid=@sun.strongswan.org
+	right=PH_IP_MOON
+	rightsubnet=fec1::0/16
+	rightid=@moon.strongswan.org
+	auto=add
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..825ae1264
--- /dev/null
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 x509 gmp random hmac 
+}
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/posttest.dat b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/posttest.dat
new file mode 100644
index 000000000..7a8af32bc
--- /dev/null
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+sun::ipsec stop
+alice::"ip route del fec2:\:/16 via fec1:\:1"
+moon::"ip route del fec2:\:/16 via fec0:\:2" 
+sun::"ip route del fec1:\:/16 via fec0:\:1" 
+bob::"ip route del fec1:\:/16 via fec2:\:1"
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/pretest.dat b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/pretest.dat
new file mode 100644
index 000000000..130058a40
--- /dev/null
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/pretest.dat
@@ -0,0 +1,11 @@
+moon::echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
+sun::echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
+alice::"ip route add fec2:\:/16 via fec1:\:1"
+moon::"ip route add fec2:\:/16 via fec0:\:2" 
+sun::"ip route add fec1:\:/16 via fec0:\:1" 
+bob::"ip route add fec1:\:/16 via fec2:\:1"
+moon::ipsec start
+sun::ipsec start
+moon::sleep 2 
+moon::ipsec up net-net
+moon::sleep 1
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/test.conf b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/test.conf
new file mode 100644
index 000000000..d5d55c749
--- /dev/null
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon winnetou sun bob"
+ 
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b-ip6-in-ip4.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/init.d/iptables b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/init.d/iptables
index 25074a0f1..d556762b7 100755
--- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/init.d/iptables
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/init.d/iptables
@@ -26,27 +26,16 @@ start() {
 	/sbin/ip6tables -P FORWARD DROP
 
 	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
 
 	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
 
 	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow last UDP fragment
-	ip6tables -A INPUT -i eth0 -p udp -m frag --fraglast -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
 
 	# allow crl fetch from winnetou
 	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
@@ -56,6 +45,14 @@ start() {
 	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
 	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
 
+        # allow ICMPv6 neighbor-solicitations
+        ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+        ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+
+        # allow ICMPv6 neighbor-advertisements
+        ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+        ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+
 	# log dropped packets
 	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
 	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/ipsec.conf
index 468322544..a452c7a35 100755
--- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/ipsec.conf
@@ -18,6 +18,7 @@ conn net-net
 	leftsubnet=fec1::0/16
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
+	leftfirewall=yes
 	right=PH_IP_SUN
 	rightsubnet=fec2::0/16
 	rightid=@sun.strongswan.org
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf
index 9aedf04b9..c77902caa 100644
--- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
   install_routes = no
 }
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/init.d/iptables b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/init.d/iptables
index 25074a0f1..21ff88d0d 100755
--- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/init.d/iptables
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/init.d/iptables
@@ -26,27 +26,16 @@ start() {
 	/sbin/ip6tables -P FORWARD DROP
 
 	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
 
 	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
 
 	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow last UDP fragment
-	ip6tables -A INPUT -i eth0 -p udp -m frag --fraglast -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
 
 	# allow crl fetch from winnetou
 	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
@@ -56,6 +45,18 @@ start() {
 	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
 	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
 
+        # allow ICMPv6 neighbor-solicitations
+        ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+        ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+
+        # allow ICMPv6 neighbor-advertisements
+        ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+        ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+
+        # allow crl fetch from winnetou
+        iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+        iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
 	# log dropped packets
 	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
 	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/ipsec.conf
index 03b7bc680..448cccbb7 100755
--- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/ipsec.conf
@@ -18,6 +18,7 @@ conn net-net
 	leftsubnet=fec2::0/16
 	leftcert=sunCert.pem
 	leftid=@sun.strongswan.org
+	leftfirewall=yes
 	right=PH_IP_MOON
 	rightsubnet=fec1::0/16
 	rightid=@moon.strongswan.org
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/strongswan.conf
index d6774b266..6e9280e41 100644
--- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
   install_routes=no
 }
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/posttest.dat b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/posttest.dat
index 7a8af32bc..c78d884ee 100644
--- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/posttest.dat
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/posttest.dat
@@ -4,3 +4,5 @@ alice::"ip route del fec2:\:/16 via fec1:\:1"
 moon::"ip route del fec2:\:/16 via fec0:\:2" 
 sun::"ip route del fec1:\:/16 via fec0:\:1" 
 bob::"ip route del fec1:\:/16 via fec2:\:1"
+moon::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/pretest.dat b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/pretest.dat
index ae300697e..7781f9b9f 100644
--- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/pretest.dat
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/pretest.dat
@@ -1,5 +1,5 @@
-moon::echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-sun::echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
+moon::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
 alice::"ip route add fec2:\:/16 via fec1:\:1"
 moon::"ip route add fec2:\:/16 via fec0:\:2" 
 sun::"ip route add fec1:\:/16 via fec0:\:1" 
@@ -8,3 +8,4 @@ moon::ipsec start
 sun::ipsec start
 moon::sleep 2 
 moon::ipsec up net-net
+moon::sleep 1
diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/description.txt b/testing/tests/ipv6/net2net-rfc3779-ikev2/description.txt
new file mode 100644
index 000000000..ebcc00724
--- /dev/null
+++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/description.txt
@@ -0,0 +1,11 @@
+An IPv6 ESP tunnel connection between the gateways <b>moon</b> and <b>sun</b> is successfully set up.
+It connects the two subnets hiding behind their respective gateways. The authentication is based on
+<b>X.509 certificates</b> containing <b>RFC 3779 IP address block constraints</b>.
+Both <b>moon</b> and <b>sun</b> set <b>rightsubnet=::/0</b> thus allowing the peers to narrow down
+the address range to their actual subnets <b>fec1::/16</b> and <b>fec2::/16</b>, respectively.
+These unilaterally proposed traffic selectors must be validated by corresponding IP address block constraints.
+<p/>
+Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b>
+automatically inserts ip6tables-based firewall rules that let pass the tunneled traffic.
+In order to test both the net-to-net tunnel and the firewall rules, client <b>alice</b> behind <b>moon</b>
+sends an IPv6 ICMP request to client <b>bob</b> behind <b>sun</b> using the ping6 command.
diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/evaltest.dat b/testing/tests/ipv6/net2net-rfc3779-ikev2/evaltest.dat
new file mode 100644
index 000000000..a311992b7
--- /dev/null
+++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/evaltest.dat
@@ -0,0 +1,7 @@
+moon::ipsec status::net-net.*INSTALLED::YES
+sun::ipsec status::net.net.*INSTALLED::YES
+moon::cat /var/log/daemon.log::TS fec2:\:/16 is contained in address block constraint fec2:\:/16::YES
+sun::cat /var/log/daemon.log::TS fec1:\:/16 is contained in address block constraint fec1:\:/16::YES
+alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org: icmp_seq=1::YES
+sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES
+sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/init.d/iptables b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/init.d/iptables
new file mode 100755
index 000000000..b3509f8df
--- /dev/null
+++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/init.d/iptables
@@ -0,0 +1,104 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+	before net
+	need logger
+}
+
+start() {
+	ebegin "Starting firewall"
+
+	# enable IP forwarding
+	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
+	echo 1 > /proc/sys/net/ipv4/ip_forward
+	
+	# default policy is DROP
+	/sbin/iptables -P INPUT DROP
+	/sbin/iptables -P OUTPUT DROP
+	/sbin/iptables -P FORWARD DROP
+
+	/sbin/ip6tables -P INPUT DROP
+	/sbin/ip6tables -P OUTPUT DROP
+	/sbin/ip6tables -P FORWARD DROP
+
+	# allow esp
+	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
+	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+	# allow IKE
+	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+	# allow MobIKE
+	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+	# allow ICMPv6 neighbor-solicitations
+	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+	
+	# allow ICMPv6 neighbor-advertisements
+	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+
+	# allow crl and certificate fetch from winnetou
+	ip6tables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
+	ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
+
+	# allow ssh
+	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
+	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+	# log dropped packets
+	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
+	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
+
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/ip6tables -F -t $a
+			/sbin/ip6tables -X -t $a
+
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+	
+			if [ $a == nat ]; then
+				/sbin/iptables -t nat -P PREROUTING ACCEPT
+				/sbin/iptables -t nat -P POSTROUTING ACCEPT
+				/sbin/iptables -t nat -P OUTPUT ACCEPT
+			elif [ $a == mangle ]; then
+				/sbin/iptables -t mangle -P PREROUTING ACCEPT
+				/sbin/iptables -t mangle -P INPUT ACCEPT
+				/sbin/iptables -t mangle -P FORWARD ACCEPT
+				/sbin/iptables -t mangle -P OUTPUT ACCEPT
+				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
+			elif [ $a == filter ]; then
+				/sbin/ip6tables -t filter -P INPUT ACCEPT
+				/sbin/ip6tables -t filter -P FORWARD ACCEPT
+				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
+
+				/sbin/iptables -t filter -P INPUT ACCEPT
+				/sbin/iptables -t filter -P FORWARD ACCEPT
+				/sbin/iptables -t filter -P OUTPUT ACCEPT
+			fi
+		done
+	eend $?
+}
+
+reload() {
+	ebegin "Flushing firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/ip6tables -F -t $a
+			/sbin/ip6tables -X -t $a
+		done;
+        eend $?
+	start
+}
+
diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..846a3f794
--- /dev/null
+++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,34 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	strictcrlpolicy=no
+	crlcheckinterval=180
+	plutostart=no
+
+ca strongswan
+	cacert=strongswanCert.pem
+	certuribase=http://ip6-winnetou.strongswan.org/certs/rfc3779/
+	crluri=http://ip6-winnetou.strongswan.org/strongswan_rfc3779.crl
+	auto=add
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	mobike=no
+
+conn net-net
+	also=host-host
+	leftsubnet=fec1::0/16
+	rightsubnet=0::0/0
+
+conn host-host
+	left=PH_IP6_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftfirewall=yes
+	right=PH_IP6_SUN
+	rightid=@sun.strongswan.org
+	auto=add
diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
new file mode 100644
index 000000000..8e872d89f
--- /dev/null
+++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----
+MIIEXTCCA0WgAwIBAgIJAPKv5keyTotGMA0GCSqGSIb3DQEBCwUAMFoxCzAJBgNV
+BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRAwDgYDVQQLEwdSRkMz
+Nzc5MR4wHAYDVQQDExVzdHJvbmdTd2FuIFJGQzM3NzkgQ0EwHhcNMDkxMjIzMTMz
+MDUwWhcNMTkxMjIxMTMzMDUwWjBaMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGlu
+dXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwGA1UEAxMVc3Ryb25n
+U3dhbiBSRkMzNzc5IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
+zP4z54hRFM3bg0WWxpa9yBh8CrloV8wWd3YQR9daJjErXdZfbnECZqoK5obWPkQJ
+Cp2xGijnB5CDxvAdiFANgNxDeDuAD5jGzQALWVYgbhQ/y4qRw49IPs9k+Uf1OHVr
+b3qP8uSvWEmb1SlAJ24PGChB8Y5NwJJzFY5P0TJI/Zg3zgbLTsbgiplImgi/ZG7Y
+GE/DCb6UAzcRwE2y41U4ZVG86UW2ARnvOCXJZHdt16O3KzUJ78BA1IgMsNZs8cQF
+Avg1ZAUJW6oMLXu2XCwKOKTwJxdA2wpYadus2KEY/UyVovHSpyBa/zzSDXsP01PU
+EKNZhloVQVt9NX3MCUItfQIDAQABo4IBJDCCASAwEgYDVR0TAQH/BAgwBgEB/wIB
+ATALBgNVHQ8EBAMCAQYwHQYDVR0OBBYEFCF/p+s30KMLH6HcQgYeEV880hAUMIGM
+BgNVHSMEgYQwgYGAFCF/p+s30KMLH6HcQgYeEV880hAUoV6kXDBaMQswCQYDVQQG
+EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3
+OTEeMBwGA1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBggkA8q/mR7JOi0YwTwYI
+KwYBBQUHAQcBAf8EQDA+MCgEAgABMCIwCgMDAAoBAwMACgIwDgMFAAoDAAEDBQAK
+AwPoAwQAwKgAMBIEAgACMAwwCgMDBv7AAwMA/sIwDQYJKoZIhvcNAQELBQADggEB
+ABXhehDhC9jLipmZbP9r2t8ARjIjeHUk5UIX3sW9pKlwuOiFy/oEmJD72LYSPDFm
+uKK4NDAllhJWKw1KA1j1h1NxE6tEjQTpj9mizjULI6T1HPWyn5E93vqFIK71k4ud
+rxZXyq7fPrXM2QVKHpiT1DlAcopGe92Vxo0qooYEXIHd6XwVftSIo/1bi08p8jZS
+Oc+kjoOKkfqmBSKpqYzTtlbafdVOPBAEaTa3k516ks3bDQn3gtU+2ucNB3fIvVVA
+MI2//EaIMBIXorpcnOU3ja0nYCAf9kHAybRpBObWt7OLKFHcSatdE9El4Ri3YeJX
+fN8iF5kHn7S+Nd9ZFlf3S1w=
+-----END CERTIFICATE-----
diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.d/certs/moonCert.pem
new file mode 100644
index 000000000..7f5f8d703
--- /dev/null
+++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.d/certs/moonCert.pem
@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE-----
+MIIEuDCCA6CgAwIBAgIBATANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwG
+A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTA5MTIyMzEzMzM1NloXDTE0
+MTIyMjEzMzM1NlowWDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u
+Z1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dh
+bi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDTKaLLTmKX45Qm
+RjIaBSxBwofzqqkZWtl1mu0cDp6rGWr//hC31OO9MbLeRZBX0UBtuKouceAjdrwG
+aK7ChR0Ft+qlLZ6Z9BH2Dna4vTdESsB3Sn+uXuU4WNdwmmJuRBXfl/7h/Rt+34Cs
+BP82/RtR4GVpS7u73iSLlN4RaeWdySTqhtYH4cKt1H9MiSbwwomwdLedQo3UoOeU
+lkWPrzFKT3gzU4vHr1sgpbF54o/iBr5/YyJpUT9UVeDTffAEMxnAe8/Q/a3pgSLO
+wJ3HnSvcSH0w8zuH1YXOtfmqsphkwVBJGiLzUHWlYxVIAoCKdrv4eoSJLqlL5b51
+vGkmL83RAgMBAAGjggGJMIIBhTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNV
+HQ4EFgQU5zzmRRlKa8+cm1g4RYg4lKNkQz4wgYwGA1UdIwSBhDCBgYAUIX+n6zfQ
+owsfodxCBh4RXzzSEBShXqRcMFoxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51
+eCBzdHJvbmdTd2FuMRAwDgYDVQQLEwdSRkMzNzc5MR4wHAYDVQQDExVzdHJvbmdT
+d2FuIFJGQzM3NzkgQ0GCCQDyr+ZHsk6LRjAeBgNVHREEFzAVghNtb29uLnN0cm9u
+Z3N3YW4ub3JnMBMGA1UdJQQMMAoGCCsGAQUFBwMBMEEGA1UdHwQ6MDgwNqA0oDKG
+MGh0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbl9yZmMzNzc5LmNy
+bDBFBggrBgEFBQcBBwEB/wQ2MDQwEgQCAAEwDAMDAAoBAwUAwKgAATAeBAIAAjAY
+AxEA/sAAAAAAAAAAAAAAAAAAAQMDAP7BMA0GCSqGSIb3DQEBCwUAA4IBAQBVFKeX
+QIH5Zk0dp/7u/V0TKqu5vZ9x6ZrshAZ9nzbLgmSP+++yDXmlQe0D0i2Men4D095S
+smFqw1nMWM5oEPpP58+jhCOHzn7InMp+SRRBkX2j06wT9qbynAHiIun/qcdq13w1
+Fs0PiKVQZbbz72mwl9J3Hkj/JkLtOX00wMPqIFU6veeagGiwOW7KkehFUVqoD9+O
+vgkHnUti2XzgskEGcEWmE1EYv7Qo0OdZB15oNoUV5i8WelfmWO+nz9/QKciATNoC
+kAUVcEV9XY9sSKjazdyG6QfEd3l6lQ+KAt8MnqA89i0yIQ1lg+3Jfe67SMvM1gy6
+Y0Y2hqCja6SsIjVc
+-----END CERTIFICATE-----
diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.d/private/moonKey.pem
new file mode 100644
index 000000000..8295f97c1
--- /dev/null
+++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.d/private/moonKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEA0ymiy05il+OUJkYyGgUsQcKH86qpGVrZdZrtHA6eqxlq//4Q
+t9TjvTGy3kWQV9FAbbiqLnHgI3a8BmiuwoUdBbfqpS2emfQR9g52uL03RErAd0p/
+rl7lOFjXcJpibkQV35f+4f0bft+ArAT/Nv0bUeBlaUu7u94ki5TeEWnlnckk6obW
+B+HCrdR/TIkm8MKJsHS3nUKN1KDnlJZFj68xSk94M1OLx69bIKWxeeKP4ga+f2Mi
+aVE/VFXg033wBDMZwHvP0P2t6YEizsCdx50r3Eh9MPM7h9WFzrX5qrKYZMFQSRoi
+81B1pWMVSAKAina7+HqEiS6pS+W+dbxpJi/N0QIDAQABAoIBAQCSHbx1XB8jJSot
+teMTWEMAmgCDHrN2RQQ2ueaaxI8MrED7NK4S1rBkCVDRN2ejLLudcOvpyYikYZPI
+B4XuOjgT7ejjNYcK1vXawrVqLhxhGCzIHvftC+MnM2qYk2vLCzfriXyomgD9sOCT
+p72GKmxOIq1pyCr228eEApYLjLCDlhso3PrCo7recUq7f56rLjvb4gfcfor6mJUd
+yIppZUnDFJnsRXup1G4L9Y9RNYtlkcDqem/Q49d5+AHCYH6R8YI0Iz3JnzZjalsq
++IA6RJqHBTeOpiyCmHlUmVE/3YUm8n7w7RRngMOLjKdiTKHT+8EcHmyUorqW3Yea
+zCIe5C6FAoGBAO23egrSbamyWXcIOqx1GX9gzYmQ2nSKYUtRhsE8eNErw0zp4FKv
+AA7CAmoWEzjDJPSkUzDAajoZiH8+DIZ4IkwKbYjtq0vr1yCbx/PBKVN/JHGZ/Ao/
+dc/lQrNseza34NBrREN/gUytjefFMJ4YStSZCMuy3gP1Fqk6YCy/dObbAoGBAONn
+UqjmZYqoK0+jnGWdPOtXZ4bu8UoHc8/1MaVn3pq8bYh3PayFKpDKtcD1ZeXHCxL2
+1Y+Eid/DoZ2/RZbxT2mhi2mVZZCWc0xuML3Vz0B9bqi3ZfRLVP2u87fn//mGrD+9
+yy9PeIBv8UvjOhev6hZDBhPAVMsyjiw+wSX6kW/DAoGBAMBcrbSeLcGZok3xadFu
+fPCXvBtrDWwrIqpZUauDLN1PBZ5yz2T5WhmXI28HaAyR1ZDmfK9BtXRIfy1AX9Bc
+3JweAB9C/E/Wi+JGTVrR34hCpZIMImmEiuhtxDj/OwG/cHwXoUjhoBcVhnScHEiC
+reM152k21/Pp26mbpIHxeD7rAoGAaRy4S5P7uaTUKEKzJxEQOKQ1GVzXMWXSdXyb
+zx38+j9AzgR4AIepTjY03xVPXW+swb5Qpr8Xz9Oon7bq3sN59pSSUWKaCMRSVTDV
+3Nm4q9GO1fO377zmc0BsLUTSwC8s7WW4Ro0QYSXdPjuw/YP1ywZ+B6EuUKJ0ryTu
+uLRih2sCgYBm15N97b7Rp+aAti045iBla9/KH8z7szczIndpFWR4wjaI9tt0i9GR
+OZs7LFq0MYdg8JiXITyVcuqsUbdAP3TvsXGDHdatbDcrXM/DYuP6dPqMuGBKdnEn
+gIFT1z8mhv4Im3JKpuckMrIQ5vWhljcRZgiEJYZfEAkLJo7ePG2VzA==
+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..4732113fa
--- /dev/null
+++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  hash_and_url = yes
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+}
diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/init.d/iptables b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/init.d/iptables
new file mode 100755
index 000000000..b3509f8df
--- /dev/null
+++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/init.d/iptables
@@ -0,0 +1,104 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+	before net
+	need logger
+}
+
+start() {
+	ebegin "Starting firewall"
+
+	# enable IP forwarding
+	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
+	echo 1 > /proc/sys/net/ipv4/ip_forward
+	
+	# default policy is DROP
+	/sbin/iptables -P INPUT DROP
+	/sbin/iptables -P OUTPUT DROP
+	/sbin/iptables -P FORWARD DROP
+
+	/sbin/ip6tables -P INPUT DROP
+	/sbin/ip6tables -P OUTPUT DROP
+	/sbin/ip6tables -P FORWARD DROP
+
+	# allow esp
+	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
+	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+	# allow IKE
+	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+	# allow MobIKE
+	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+	# allow ICMPv6 neighbor-solicitations
+	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+	
+	# allow ICMPv6 neighbor-advertisements
+	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+
+	# allow crl and certificate fetch from winnetou
+	ip6tables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
+	ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
+
+	# allow ssh
+	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
+	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+	# log dropped packets
+	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
+	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
+
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/ip6tables -F -t $a
+			/sbin/ip6tables -X -t $a
+
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+	
+			if [ $a == nat ]; then
+				/sbin/iptables -t nat -P PREROUTING ACCEPT
+				/sbin/iptables -t nat -P POSTROUTING ACCEPT
+				/sbin/iptables -t nat -P OUTPUT ACCEPT
+			elif [ $a == mangle ]; then
+				/sbin/iptables -t mangle -P PREROUTING ACCEPT
+				/sbin/iptables -t mangle -P INPUT ACCEPT
+				/sbin/iptables -t mangle -P FORWARD ACCEPT
+				/sbin/iptables -t mangle -P OUTPUT ACCEPT
+				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
+			elif [ $a == filter ]; then
+				/sbin/ip6tables -t filter -P INPUT ACCEPT
+				/sbin/ip6tables -t filter -P FORWARD ACCEPT
+				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
+
+				/sbin/iptables -t filter -P INPUT ACCEPT
+				/sbin/iptables -t filter -P FORWARD ACCEPT
+				/sbin/iptables -t filter -P OUTPUT ACCEPT
+			fi
+		done
+	eend $?
+}
+
+reload() {
+	ebegin "Flushing firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/ip6tables -F -t $a
+			/sbin/ip6tables -X -t $a
+		done;
+        eend $?
+	start
+}
+
diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.conf
new file mode 100755
index 000000000..adf411da5
--- /dev/null
+++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,34 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	strictcrlpolicy=no
+	crlcheckinterval=180
+	plutostart=no
+
+ca strongswan
+	cacert=strongswanCert.pem
+	certuribase=http://ip6-winnetou.strongswan.org/certs/rfc3779/
+	crluri=http://ip6-winnetou.strongswan.org/strongswan_rfc3779.crl
+	auto=add
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	mobike=no
+
+conn net-net
+	also=host-host
+	leftsubnet=fec2::0/16
+	rightsubnet=0::0/0
+
+conn host-host
+	left=PH_IP6_SUN
+	leftcert=sunCert.pem
+	leftid=@sun.strongswan.org
+	leftfirewall=yes
+	right=PH_IP6_MOON
+	rightid=@moon.strongswan.org
+	auto=add
diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.d/cacerts/strongswanCert.pem
new file mode 100644
index 000000000..8e872d89f
--- /dev/null
+++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.d/cacerts/strongswanCert.pem
@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----
+MIIEXTCCA0WgAwIBAgIJAPKv5keyTotGMA0GCSqGSIb3DQEBCwUAMFoxCzAJBgNV
+BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRAwDgYDVQQLEwdSRkMz
+Nzc5MR4wHAYDVQQDExVzdHJvbmdTd2FuIFJGQzM3NzkgQ0EwHhcNMDkxMjIzMTMz
+MDUwWhcNMTkxMjIxMTMzMDUwWjBaMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGlu
+dXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwGA1UEAxMVc3Ryb25n
+U3dhbiBSRkMzNzc5IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
+zP4z54hRFM3bg0WWxpa9yBh8CrloV8wWd3YQR9daJjErXdZfbnECZqoK5obWPkQJ
+Cp2xGijnB5CDxvAdiFANgNxDeDuAD5jGzQALWVYgbhQ/y4qRw49IPs9k+Uf1OHVr
+b3qP8uSvWEmb1SlAJ24PGChB8Y5NwJJzFY5P0TJI/Zg3zgbLTsbgiplImgi/ZG7Y
+GE/DCb6UAzcRwE2y41U4ZVG86UW2ARnvOCXJZHdt16O3KzUJ78BA1IgMsNZs8cQF
+Avg1ZAUJW6oMLXu2XCwKOKTwJxdA2wpYadus2KEY/UyVovHSpyBa/zzSDXsP01PU
+EKNZhloVQVt9NX3MCUItfQIDAQABo4IBJDCCASAwEgYDVR0TAQH/BAgwBgEB/wIB
+ATALBgNVHQ8EBAMCAQYwHQYDVR0OBBYEFCF/p+s30KMLH6HcQgYeEV880hAUMIGM
+BgNVHSMEgYQwgYGAFCF/p+s30KMLH6HcQgYeEV880hAUoV6kXDBaMQswCQYDVQQG
+EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3
+OTEeMBwGA1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBggkA8q/mR7JOi0YwTwYI
+KwYBBQUHAQcBAf8EQDA+MCgEAgABMCIwCgMDAAoBAwMACgIwDgMFAAoDAAEDBQAK
+AwPoAwQAwKgAMBIEAgACMAwwCgMDBv7AAwMA/sIwDQYJKoZIhvcNAQELBQADggEB
+ABXhehDhC9jLipmZbP9r2t8ARjIjeHUk5UIX3sW9pKlwuOiFy/oEmJD72LYSPDFm
+uKK4NDAllhJWKw1KA1j1h1NxE6tEjQTpj9mizjULI6T1HPWyn5E93vqFIK71k4ud
+rxZXyq7fPrXM2QVKHpiT1DlAcopGe92Vxo0qooYEXIHd6XwVftSIo/1bi08p8jZS
+Oc+kjoOKkfqmBSKpqYzTtlbafdVOPBAEaTa3k516ks3bDQn3gtU+2ucNB3fIvVVA
+MI2//EaIMBIXorpcnOU3ja0nYCAf9kHAybRpBObWt7OLKFHcSatdE9El4Ri3YeJX
+fN8iF5kHn7S+Nd9ZFlf3S1w=
+-----END CERTIFICATE-----
diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.d/certs/sunCert.pem b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.d/certs/sunCert.pem
new file mode 100644
index 000000000..9ccd47a2c
--- /dev/null
+++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.d/certs/sunCert.pem
@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE-----
+MIIEtjCCA56gAwIBAgIBAjANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwG
+A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTA5MTIyMzEzMzUyMVoXDTE0
+MTIyMjEzMzUyMVowVzELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u
+Z1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxGzAZBgNVBAMTEnN1bi5zdHJvbmdzd2Fu
+Lm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK1HhvoVh/fM14RE
+CTXr4to9ZEeGSqHLl5du+eYZl1fC7qLYaCtlaH+eLfDsCgYpe+XsDLHIxpTK9R6k
+XgLP1Jraxz3rtv5qJKkV3aDTjQ2d+cFc0EgiZmn53VEmI/IlcJS/VZzHhNvEJk7H
+k0YpoazpGPtNzFGaehV5mXUAeVPx4RH8fjcSiPbuPS3WC7cqtYvVwk97dj05VfEC
+VnG+90+eFKztvawBzNGwGQ7xZV7kSiPHNyGAV0qrKvhXZ0VPnm/OEiGCAlIo8uno
+Yb/4UMM/a5usCaA9Hgbf8+qqmrzavSUkFEa0y/p9bOBHaqfNP002xktbqBCCodRr
+6QgmiysCAwEAAaOCAYgwggGEMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1Ud
+DgQWBBTaKhy7PH1ihWsD+3/bJQ3e3Isj+DCBjAYDVR0jBIGEMIGBgBQhf6frN9Cj
+Cx+h3EIGHhFfPNIQFKFepFwwWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4
+IHN0cm9uZ1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxHjAcBgNVBAMTFXN0cm9uZ1N3
+YW4gUkZDMzc3OSBDQYIJAPKv5keyTotGMB0GA1UdEQQWMBSCEnN1bi5zdHJvbmdz
+d2FuLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATBBBgNVHR8EOjA4MDagNKAyhjBo
+dHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW5fcmZjMzc3OS5jcmww
+RQYIKwYBBQUHAQcBAf8ENjA0MBIEAgABMAwDAwAKAgMFAMCoAAIwHgQCAAIwGAMR
+AP7AAAAAAAAAAAAAAAAAAAIDAwD+wjANBgkqhkiG9w0BAQsFAAOCAQEAOqdCIldA
+mPp2aAWVPBiKXNrk4VJoIGlwZaUtYNxGQ46wUqAro/taKwZd4B1yvwsX/cHX3Y6j
+C1mQtiXw9onJm1qJM1a804U9yPcgdI+9RMiU0hA+aVmyMlS6WQsKFubU17qP2Ljd
+4hOwVQ681Hi8zfQjJdYpaO1yLcpy2dkotreJS3wA24ssnskRBI/cuAN0dfbV6SDQ
+TK91qz0emHoK3efgtvX4oEpsxI4NrwMstaZSVsHn4npKTGYu82dmPoK6WPblGEHZ
+Iavl08lGcYBV5I2ZGuWOekWQzUuBSveV3AFjieeaDIG3Ue3AKaihn6dCLz6l+t7E
+dXN+1axy9zQ34g==
+-----END CERTIFICATE-----
diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.d/private/sunKey.pem b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.d/private/sunKey.pem
new file mode 100644
index 000000000..6e047af69
--- /dev/null
+++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.d/private/sunKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEArUeG+hWH98zXhEQJNevi2j1kR4ZKocuXl2755hmXV8Luotho
+K2Vof54t8OwKBil75ewMscjGlMr1HqReAs/UmtrHPeu2/mokqRXdoNONDZ35wVzQ
+SCJmafndUSYj8iVwlL9VnMeE28QmTseTRimhrOkY+03MUZp6FXmZdQB5U/HhEfx+
+NxKI9u49LdYLtyq1i9XCT3t2PTlV8QJWcb73T54UrO29rAHM0bAZDvFlXuRKI8c3
+IYBXSqsq+FdnRU+eb84SIYICUijy6ehhv/hQwz9rm6wJoD0eBt/z6qqavNq9JSQU
+RrTL+n1s4Edqp80/TTbGS1uoEIKh1GvpCCaLKwIDAQABAoIBAHKb86/nm9YPu6B1
+K65phdMZdgFE1oorUenMcid6V7qpaRN2lXfWjAaUxggq5vpqZ9OMjFzu0kHJ99S7
+nJ65fgKqn8vZ42BlLjhUCRH9urb9/Rqi2/RKJHkF1hd9ZZscnlkUMHkRElQVac0D
+feqTUKdASdC2BWUYCpW3pwNXO+iD5bA9/wB2J/RYYmm6Qo7UZQU8C0lken/8EOEL
+/ch0ID7C5PC0vWvLT0fM9j2JKDq8T6NRhF1MluISGDOp4pW7tEbkHo5I6zD0aPO2
+K9leN3aSUYsOVJk39VXkThwgJ4lqNEXI2xRbtW8sAf7TL1YDxLR2JN3UGvy/By5B
+UblJUnECgYEA2nO+iXScKd3qqmHrdXcxf2ExZQr8QgTAsZOkb6LQ9kGQll0lBcFc
+T2HlobzOaQktpF44C41zf2QpGDllbpyNT8VyQkI+CJ4pntjtKPkoPkxUeVlciFsm
+7THqCGe0zQBWDnXFVfTKR12aRwkhjG+QCQyyaAaV8YztEsDI5SRCjykCgYEAyxAb
+t/NTh9DBDrfJCkT21Rm9Ow70vhDaAyQLq3nJMF+BTXYDrnVMmFHCIHd+nbNP0CLs
+cV/fWAF6626ko5B6ewPFQ4wXRvtNAiDNZSfeaZgvxCrvoDgVrHWhfwHSXWFqny0o
+WHwIJJQvdkLW9BHwbpAQRoD1c2sy7pWIVTEyljMCgYEA0zZXwkUp/FzhWG2moANn
+qzZI8N4nOpmnycnrkjiE+6Q27PsQIblrzCDmSnPnyqyiIasrWxgf1Mr95LsR9FmP
+U9Ke/6tWmTR7H2e0HgqRO3LHtjCNhBVF1M6O7iN/Lzqk+gQqkUpGDaxVz1rnwgXX
+6LgLAwNjFJJiYeBeHRbq98kCgYAwBdg4UbBgf0sY+vftmM+zKAorjGbvCDc25PBp
+ljyxVvTSZ+WI/a6mmzdIzFnCW+S1OX0ndt/wBTGXuivvjryYmRSu29OpcscMiMtq
+b9pWqKorP2g6QOlHRu5xhfHFKcO4b0qKWpLma7Epy7bgM9njm+htdBQYPrLl37FF
+TIRFJwKBgGnZR5rm5iCrcIoAUMlH4/5ye5BPjHDn1NNv7Q7PZR9jhaEuoiBgvk6v
+h+YVi9A9nhbaqS4/rumsNPlObeIw78713pendaWCjC4hA0urrJ4fElfuaIyZMyKE
+FD64V78iaYVlmwKMJxZUnS1EFzb0XQZM7wxhB/i0wwjh+48rBHbd
+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..4732113fa
--- /dev/null
+++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  hash_and_url = yes
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+}
diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/posttest.dat b/testing/tests/ipv6/net2net-rfc3779-ikev2/posttest.dat
new file mode 100644
index 000000000..4c95e2afe
--- /dev/null
+++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/posttest.dat
@@ -0,0 +1,8 @@
+moon::ipsec stop
+sun::ipsec stop
+alice::"ip route del fec2:\:/16 via fec1:\:1"
+moon::"ip route del fec2:\:/16 via fec0:\:2"
+sun::"ip route del fec1:\:/16 via fec0:\:1"
+bob::"ip route del fec1:\:/16 via fec2:\:1"
+moon::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/pretest.dat b/testing/tests/ipv6/net2net-rfc3779-ikev2/pretest.dat
new file mode 100644
index 000000000..8a8af2ccb
--- /dev/null
+++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/pretest.dat
@@ -0,0 +1,11 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
+alice::"ip route add fec2:\:/16 via fec1:\:1"
+moon::"ip route add fec2:\:/16 via fec0:\:2"
+sun::"ip route add fec1:\:/16 via fec0:\:1"
+bob::"ip route add fec1:\:/16 via fec2:\:1"
+moon::ipsec start
+sun::ipsec start
+moon::sleep 2 
+moon::ipsec up net-net
+moon::sleep 1
diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/test.conf b/testing/tests/ipv6/net2net-rfc3779-ikev2/test.conf
new file mode 100644
index 000000000..991d884db
--- /dev/null
+++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon winnetou sun bob"
+ 
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b-ip6.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/init.d/iptables b/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/init.d/iptables
index 25074a0f1..b3509f8df 100755
--- a/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/init.d/iptables
+++ b/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/init.d/iptables
@@ -37,9 +37,6 @@ start() {
 	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
 	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
 
-	# allow last UDP fragment
-	ip6tables -A INPUT -i eth0 -p udp -m frag --fraglast -j ACCEPT
-
 	# allow ICMPv6 neighbor-solicitations
 	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
 	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
@@ -48,9 +45,9 @@ start() {
 	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
 	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
 
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+	# allow crl and certificate fetch from winnetou
+	ip6tables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
+	ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
 
 	# allow ssh
 	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
diff --git a/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/ipsec.conf b/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/ipsec.conf
index 92388586a..e544e948f 100755
--- a/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/ipsec.conf
@@ -5,6 +5,12 @@ config setup
 	strictcrlpolicy=no
 	plutostart=no
 
+ca strongswan
+	cacert=strongswanCert.pem
+	certuribase=http://ip6-winnetou.strongswan.org/certs/
+	crluri=http://ip6-winnetou.strongswan.org/strongswan.crl
+	auto=add
+
 conn %default
 	ikelifetime=60m
 	keylife=20m
diff --git a/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/strongswan.conf b/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/strongswan.conf
index 40eb84b8a..4732113fa 100644
--- a/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  hash_and_url = yes
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/init.d/iptables b/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/init.d/iptables
index 25074a0f1..b3509f8df 100755
--- a/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/init.d/iptables
+++ b/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/init.d/iptables
@@ -37,9 +37,6 @@ start() {
 	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
 	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
 
-	# allow last UDP fragment
-	ip6tables -A INPUT -i eth0 -p udp -m frag --fraglast -j ACCEPT
-
 	# allow ICMPv6 neighbor-solicitations
 	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
 	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
@@ -48,9 +45,9 @@ start() {
 	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
 	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
 
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+	# allow crl and certificate fetch from winnetou
+	ip6tables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
+	ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
 
 	# allow ssh
 	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
diff --git a/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/ipsec.conf b/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/ipsec.conf
index ed1eb39ca..58bc25b0b 100755
--- a/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/ipsec.conf
@@ -5,6 +5,12 @@ config setup
 	strictcrlpolicy=no
 	plutostart=no
 
+ca strongswan
+	cacert=strongswanCert.pem
+	certuribase=http://ip6-winnetou.strongswan.org/certs/
+	crluri=http://ip6-winnetou.strongswan.org/strongswan.crl
+	auto=add
+
 conn %default
 	ikelifetime=60m
 	keylife=20m
diff --git a/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/strongswan.conf b/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/strongswan.conf
index 40eb84b8a..4732113fa 100644
--- a/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  hash_and_url = yes
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/init.d/iptables b/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/init.d/iptables
index 25074a0f1..b3509f8df 100755
--- a/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/init.d/iptables
+++ b/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/init.d/iptables
@@ -37,9 +37,6 @@ start() {
 	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
 	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
 
-	# allow last UDP fragment
-	ip6tables -A INPUT -i eth0 -p udp -m frag --fraglast -j ACCEPT
-
 	# allow ICMPv6 neighbor-solicitations
 	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
 	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
@@ -48,9 +45,9 @@ start() {
 	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
 	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
 
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+	# allow crl and certificate fetch from winnetou
+	ip6tables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
+	ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
 
 	# allow ssh
 	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
diff --git a/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/ipsec.conf
index f78ba45e0..378e7bfd7 100755
--- a/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/ipsec.conf
@@ -5,6 +5,12 @@ config setup
 	strictcrlpolicy=no
 	plutostart=no
 
+ca strongswan
+	cacert=strongswanCert.pem
+	certuribase=http://ip6-winnetou.strongswan.org/certs/
+	crluri=http://ip6-winnetou.strongswan.org/strongswan.crl
+	auto=add
+
 conn %default
 	ikelifetime=60m
 	keylife=20m
diff --git a/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/strongswan.conf
index 40eb84b8a..4732113fa 100644
--- a/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  hash_and_url = yes
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ipv6/rw-ikev2/pretest.dat b/testing/tests/ipv6/rw-ikev2/pretest.dat
index dea60a040..7da0c1028 100644
--- a/testing/tests/ipv6/rw-ikev2/pretest.dat
+++ b/testing/tests/ipv6/rw-ikev2/pretest.dat
@@ -10,3 +10,4 @@ dave::ipsec start
 carol::sleep 1
 carol::ipsec up home
 dave::ipsec up home
+dave::sleep 2 
diff --git a/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/init.d/iptables b/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/init.d/iptables
index 25074a0f1..6c437fe03 100755
--- a/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/init.d/iptables
+++ b/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/init.d/iptables
@@ -37,9 +37,6 @@ start() {
 	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
 	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
 
-	# allow last UDP fragment
-	ip6tables -A INPUT -i eth0 -p udp -m frag --fraglast -j ACCEPT
-
 	# allow ICMPv6 neighbor-solicitations
 	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
 	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
@@ -48,10 +45,6 @@ start() {
 	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
 	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
 
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
 	# allow ssh
 	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
 	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
diff --git a/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/strongswan.conf b/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/strongswan.conf
index 20c58007c..f82f32d1d 100644
--- a/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink updown
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/init.d/iptables b/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/init.d/iptables
index 25074a0f1..6c437fe03 100755
--- a/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/init.d/iptables
+++ b/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/init.d/iptables
@@ -37,9 +37,6 @@ start() {
 	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
 	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
 
-	# allow last UDP fragment
-	ip6tables -A INPUT -i eth0 -p udp -m frag --fraglast -j ACCEPT
-
 	# allow ICMPv6 neighbor-solicitations
 	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
 	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
@@ -48,10 +45,6 @@ start() {
 	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
 	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
 
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
 	# allow ssh
 	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
 	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
diff --git a/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/strongswan.conf b/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/strongswan.conf
index 20c58007c..f82f32d1d 100644
--- a/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink updown
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/init.d/iptables b/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/init.d/iptables
index 25074a0f1..6c437fe03 100755
--- a/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/init.d/iptables
+++ b/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/init.d/iptables
@@ -37,9 +37,6 @@ start() {
 	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
 	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
 
-	# allow last UDP fragment
-	ip6tables -A INPUT -i eth0 -p udp -m frag --fraglast -j ACCEPT
-
 	# allow ICMPv6 neighbor-solicitations
 	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
 	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
@@ -48,10 +45,6 @@ start() {
 	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
 	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
 
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
 	# allow ssh
 	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
 	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
diff --git a/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/strongswan.conf
index 20c58007c..f82f32d1d 100644
--- a/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink updown
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ipv6/rw-psk-ikev2/pretest.dat b/testing/tests/ipv6/rw-psk-ikev2/pretest.dat
index 07b0ebd7d..e3040d125 100644
--- a/testing/tests/ipv6/rw-psk-ikev2/pretest.dat
+++ b/testing/tests/ipv6/rw-psk-ikev2/pretest.dat
@@ -13,3 +13,4 @@ dave::ipsec start
 carol::sleep 1
 carol::ipsec up home
 dave::ipsec up home
+dave::sleep 1
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/description.txt b/testing/tests/ipv6/rw-rfc3779-ikev2/description.txt
new file mode 100644
index 000000000..1c2492d78
--- /dev/null
+++ b/testing/tests/ipv6/rw-rfc3779-ikev2/description.txt
@@ -0,0 +1,12 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up an IPv6 connection each 
+to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>
+containing <b>RFC 3779 IP address block constraints</b>. All three hosts set
+<b>rightsubnet=::/0</b> thus allowing the peers to narrow down the address range to
+their actual subnets or IP addresses. These unilaterally proposed traffic selectors
+must be validated by corresponding IP address block constraints.
+<p/>
+Upon the successful establishment of the IPv6 ESP tunnels, <b>leftfirewall=yes</b>
+automatically inserts ip6tables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> send
+an IPv6 ICMP request to the client <b>alice</b> behind the gateway <b>moon</b>
+using the ping6 command.
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/evaltest.dat b/testing/tests/ipv6/rw-rfc3779-ikev2/evaltest.dat
new file mode 100644
index 000000000..4ed973ca4
--- /dev/null
+++ b/testing/tests/ipv6/rw-rfc3779-ikev2/evaltest.dat
@@ -0,0 +1,14 @@
+moon::ipsec statusall::rw.*ESTABLISHED::YES
+carol::ipsec statusall::home.*ESTABLISHED::YES
+dave::ipsec statusall::home.*ESTABLISHED::YES
+moon::cat /var/log/daemon.log::TS fec0:\:10/128 is contained in address block constraint fec0:\:10/128::YES
+moon::cat /var/log/daemon.log::TS fec0:\:20/128 is contained in address block constraint fec0:\:20/128::YES
+carol::cat /var/log/daemon.log::TS fec1:\:/16 is contained in address block constraint fec1:\:/16::YES
+dave::cat /var/log/daemon.log::TS fec1:\:/16 is contained in address block constraint fec1:\:/16::YES
+carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
+dave::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
+moon::tcpdump::IP6 ip6-carol.strongswan.org > ip6-moon.strongswan.org: ESP::YES
+moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-carol.strongswan.org: ESP::YES
+moon::tcpdump::IP6 ip6-dave.strongswan.org > ip6-moon.strongswan.org: ESP::YES
+moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-dave.strongswan.org: ESP::YES
+
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/init.d/iptables b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/init.d/iptables
new file mode 100755
index 000000000..b3509f8df
--- /dev/null
+++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/init.d/iptables
@@ -0,0 +1,104 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+	before net
+	need logger
+}
+
+start() {
+	ebegin "Starting firewall"
+
+	# enable IP forwarding
+	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
+	echo 1 > /proc/sys/net/ipv4/ip_forward
+	
+	# default policy is DROP
+	/sbin/iptables -P INPUT DROP
+	/sbin/iptables -P OUTPUT DROP
+	/sbin/iptables -P FORWARD DROP
+
+	/sbin/ip6tables -P INPUT DROP
+	/sbin/ip6tables -P OUTPUT DROP
+	/sbin/ip6tables -P FORWARD DROP
+
+	# allow esp
+	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
+	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+	# allow IKE
+	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+	# allow MobIKE
+	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+	# allow ICMPv6 neighbor-solicitations
+	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+	
+	# allow ICMPv6 neighbor-advertisements
+	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+
+	# allow crl and certificate fetch from winnetou
+	ip6tables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
+	ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
+
+	# allow ssh
+	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
+	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+	# log dropped packets
+	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
+	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
+
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/ip6tables -F -t $a
+			/sbin/ip6tables -X -t $a
+
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+	
+			if [ $a == nat ]; then
+				/sbin/iptables -t nat -P PREROUTING ACCEPT
+				/sbin/iptables -t nat -P POSTROUTING ACCEPT
+				/sbin/iptables -t nat -P OUTPUT ACCEPT
+			elif [ $a == mangle ]; then
+				/sbin/iptables -t mangle -P PREROUTING ACCEPT
+				/sbin/iptables -t mangle -P INPUT ACCEPT
+				/sbin/iptables -t mangle -P FORWARD ACCEPT
+				/sbin/iptables -t mangle -P OUTPUT ACCEPT
+				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
+			elif [ $a == filter ]; then
+				/sbin/ip6tables -t filter -P INPUT ACCEPT
+				/sbin/ip6tables -t filter -P FORWARD ACCEPT
+				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
+
+				/sbin/iptables -t filter -P INPUT ACCEPT
+				/sbin/iptables -t filter -P FORWARD ACCEPT
+				/sbin/iptables -t filter -P OUTPUT ACCEPT
+			fi
+		done
+	eend $?
+}
+
+reload() {
+	ebegin "Flushing firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/ip6tables -F -t $a
+			/sbin/ip6tables -X -t $a
+		done;
+        eend $?
+	start
+}
+
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.conf b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..b4138be8d
--- /dev/null
+++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,29 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+ca strongswan
+	cacert=strongswanCert.pem
+	certuribase=http://ip6-winnetou.strongswan.org/certs/rfc3779/
+	crluri=http://ip6-winnetou.strongswan.org/strongswan_rfc3779.crl
+	auto=add
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+
+conn home
+	left=PH_IP6_CAROL
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=PH_IP6_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=0::0/0
+	keyexchange=ikev2
+	auto=add
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
new file mode 100644
index 000000000..8e872d89f
--- /dev/null
+++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----
+MIIEXTCCA0WgAwIBAgIJAPKv5keyTotGMA0GCSqGSIb3DQEBCwUAMFoxCzAJBgNV
+BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRAwDgYDVQQLEwdSRkMz
+Nzc5MR4wHAYDVQQDExVzdHJvbmdTd2FuIFJGQzM3NzkgQ0EwHhcNMDkxMjIzMTMz
+MDUwWhcNMTkxMjIxMTMzMDUwWjBaMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGlu
+dXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwGA1UEAxMVc3Ryb25n
+U3dhbiBSRkMzNzc5IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
+zP4z54hRFM3bg0WWxpa9yBh8CrloV8wWd3YQR9daJjErXdZfbnECZqoK5obWPkQJ
+Cp2xGijnB5CDxvAdiFANgNxDeDuAD5jGzQALWVYgbhQ/y4qRw49IPs9k+Uf1OHVr
+b3qP8uSvWEmb1SlAJ24PGChB8Y5NwJJzFY5P0TJI/Zg3zgbLTsbgiplImgi/ZG7Y
+GE/DCb6UAzcRwE2y41U4ZVG86UW2ARnvOCXJZHdt16O3KzUJ78BA1IgMsNZs8cQF
+Avg1ZAUJW6oMLXu2XCwKOKTwJxdA2wpYadus2KEY/UyVovHSpyBa/zzSDXsP01PU
+EKNZhloVQVt9NX3MCUItfQIDAQABo4IBJDCCASAwEgYDVR0TAQH/BAgwBgEB/wIB
+ATALBgNVHQ8EBAMCAQYwHQYDVR0OBBYEFCF/p+s30KMLH6HcQgYeEV880hAUMIGM
+BgNVHSMEgYQwgYGAFCF/p+s30KMLH6HcQgYeEV880hAUoV6kXDBaMQswCQYDVQQG
+EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3
+OTEeMBwGA1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBggkA8q/mR7JOi0YwTwYI
+KwYBBQUHAQcBAf8EQDA+MCgEAgABMCIwCgMDAAoBAwMACgIwDgMFAAoDAAEDBQAK
+AwPoAwQAwKgAMBIEAgACMAwwCgMDBv7AAwMA/sIwDQYJKoZIhvcNAQELBQADggEB
+ABXhehDhC9jLipmZbP9r2t8ARjIjeHUk5UIX3sW9pKlwuOiFy/oEmJD72LYSPDFm
+uKK4NDAllhJWKw1KA1j1h1NxE6tEjQTpj9mizjULI6T1HPWyn5E93vqFIK71k4ud
+rxZXyq7fPrXM2QVKHpiT1DlAcopGe92Vxo0qooYEXIHd6XwVftSIo/1bi08p8jZS
+Oc+kjoOKkfqmBSKpqYzTtlbafdVOPBAEaTa3k516ks3bDQn3gtU+2ucNB3fIvVVA
+MI2//EaIMBIXorpcnOU3ja0nYCAf9kHAybRpBObWt7OLKFHcSatdE9El4Ri3YeJX
+fN8iF5kHn7S+Nd9ZFlf3S1w=
+-----END CERTIFICATE-----
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.d/certs/carolCert.pem
new file mode 100644
index 000000000..3243bc294
--- /dev/null
+++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.d/certs/carolCert.pem
@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE-----
+MIIEojCCA4qgAwIBAgIBAzANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwG
+A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTA5MTIyMzEzMzYxMloXDTE0
+MTIyMjEzMzYxMlowWTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u
+Z1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxHTAbBgNVBAMUFGNhcm9sQHN0cm9uZ3N3
+YW4ub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArD8OrNy0w+T2
+cru3RQgskGCGppwpvLH/QZVHD/UbumxjKVTrz4FskqN39sFxDFDSre1bps+F7jW/
+zmOFe7c7jmZhK1mPnbviYTS4LXdo1j02pPeBNBk4b6VAIKPaYmO3UIoZZ4SPnnVZ
+P7Aj3mU1ztsTbUQqgRmTsdfqiPaBNZ0zylWYPDOkTS+1sbRQHkgdZvw4fYno+Rd+
+hDK1scggL4kRg4uGvFojYciSxo5lC53Am4r8T2zI0aI6L8g57j4cX1XYQwM3tkHM
+2BiCRM/c1wQc+vn+xp1oh/GYM4qoSoZyLTD9A0gqmbnF9//wvSmwpDpSkDoHZ5O3
+Ur6HZ8mByQIDAQABo4IBcjCCAW4wCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYD
+VR0OBBYEFL9rU6QFDLvUOEIFNZROVYWN5v++MIGMBgNVHSMEgYQwgYGAFCF/p+s3
+0KMLH6HcQgYeEV880hAUoV6kXDBaMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGlu
+dXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwGA1UEAxMVc3Ryb25n
+U3dhbiBSRkMzNzc5IENBggkA8q/mR7JOi0YwHwYDVR0RBBgwFoEUY2Fyb2xAc3Ry
+b25nc3dhbi5vcmcwQQYDVR0fBDowODA2oDSgMoYwaHR0cDovL2NybC5zdHJvbmdz
+d2FuLm9yZy9zdHJvbmdzd2FuX3JmYzM3NzkuY3JsMEIGCCsGAQUFBwEHAQH/BDMw
+MTAUBAIAATAOAwUACgMAAQMFAMCoAGQwGQQCAAIwEwMRAP7AAAAAAAAAAAAAAAAA
+ABAwDQYJKoZIhvcNAQELBQADggEBAHhgG8qqLZX3uXDVX9uBZM8jErI78pyL9F8q
+ibTW5UPp+rbbMDY7tphBbFkg5Q0pzJhOzB6I6Oy/QWVVEC20DE7lhOpMu7auS3Gn
+z1t6DCIDR9NYXtKs6UXcMA0PSQ1r7iHQWvtZ0uD998k6UQfZCCOwBbonng2DAp/m
+FKkaCYiZmJw2YBwf+oVNLQp2fHI61uoguiiRQ4AV5Htho0z6MDqpMyrg2F7Uf2cq
+kQY/ZyvMe8VG5KuiaMJPIMdJPnRED2R4qiyHe8eDXgGYHsNhkt7VHRRgo3izqIdG
+1oCv+CHQ2XSK+4dA42U0Vw7V/ExmcLy99bZfCEZwNWG6Y/5Qwww=
+-----END CERTIFICATE-----
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.d/private/carolKey.pem
new file mode 100644
index 000000000..275162721
--- /dev/null
+++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.d/private/carolKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEArD8OrNy0w+T2cru3RQgskGCGppwpvLH/QZVHD/UbumxjKVTr
+z4FskqN39sFxDFDSre1bps+F7jW/zmOFe7c7jmZhK1mPnbviYTS4LXdo1j02pPeB
+NBk4b6VAIKPaYmO3UIoZZ4SPnnVZP7Aj3mU1ztsTbUQqgRmTsdfqiPaBNZ0zylWY
+PDOkTS+1sbRQHkgdZvw4fYno+Rd+hDK1scggL4kRg4uGvFojYciSxo5lC53Am4r8
+T2zI0aI6L8g57j4cX1XYQwM3tkHM2BiCRM/c1wQc+vn+xp1oh/GYM4qoSoZyLTD9
+A0gqmbnF9//wvSmwpDpSkDoHZ5O3Ur6HZ8mByQIDAQABAoIBAQCSb+WlFtpjtPPF
+JUwxVzqz4Cx510gwkU+GzUemDGdvfZhsWjNEri7FGE70LQ9UPh5vGd2SmtmtZGrW
+J4wjWus6LFYuCa1sl4BlzfFLTjqF8XLUm0twJITzfhVf6o3OmiIOSepBNNT5DaE7
+4R8NgxRU8bG5cnuEWF9VklBl8tR04/VHIfTHltt1p69aQ6UoECBLd+/8RBIj+L/P
+TzXbgLJn7dT8DrOA9rv1p0G1reADwvclKfag4S/xyC54anRsmMNWQLE0D+QzKL29
+nXqU1wjIHBtgY7uM0svtyrMXiNi0XEBWqDdOMwCZ66TU6eGIzDDevG+q8PXmuW6v
+NGxoipcRAoGBANJy4uNj2SnMTdIyoe0wFjmjntKb7DX2Ie0aZr3kygQ7VJUH6w7Z
+mZXNhRf8CpaD20lnyqRjhgq1gwOrLZWpAajNPJ6uCHUVSI8+qwdMVdPSZyxRlal9
+gshsGofkiqEGa/5BW4+yDgi1C4BV+lmN8jn4ilKe4JvFGuz+F31ntDXlAoGBANGH
+WKCq4u9MCxM2R2ESKkLM+vlTxRB4meMt6iPn9e0yJ1BVXTILRp7hfUwKc4ivI/SO
+rc4UA3I5i6QR7TVPOVreqw/CDEmjQLhTSOWY3lHbNz1q53p8Yh6JdytaA4YYgm+I
+pFL+Hh/UpPEAY1ZzsSP7KhBd7ViKblz7/Act614VAoGAXTkFJqNpZGmbI3zIXBBM
+GBZR2Yu2dCTm3GgwkPfTQVKi4i2Sw45Cyagzx+8fJZOdRQQUMQPhMcc8FRjz5XLr
+SEI6EzSWjH70GHgzPNVkw6NVjr1JJb5ye6PfkMj9W91DY2rCS4IdU2AXiy8K6jbF
+0UY2x+iXKImEpuzbrPKOUr0CgYB1lHdGyj7JPKomYNpTfecbT34zdi/rG1J4Kybu
+eVgHgJKRQSYoVC2QMUen6WGGPYp2za55K7/3VJWpP6oWtVuhQ71I/YL5u9Qw3APX
+XB6+Xr80Bw7ZLH2/VzL5r+y0ToK75jkYnaP4BtN8rtQQCqJIZ8TmJF9xxVVDduCq
+grlHNQKBgF06eOplOy8W7euuhvEfoxv05ZVjcFv3bFzlYPb0fBfq4Ziw97SzidH9
+Wbq3gujut9gJCKZT6BJfZtqrPeVhWp+S2SD3bDCsjNZLRBEdzdyRB5CpmDE5OQBH
+EtzpR4nQa/2RJ7wRP/306PE1sQPtTpNvGIgBIUxWvt5gzyVhO1sG
+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.secrets b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..fac55d63b
--- /dev/null
+++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA carolKey.pem
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/strongswan.conf b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..4732113fa
--- /dev/null
+++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  hash_and_url = yes
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+}
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/init.d/iptables b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/init.d/iptables
new file mode 100755
index 000000000..b3509f8df
--- /dev/null
+++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/init.d/iptables
@@ -0,0 +1,104 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+	before net
+	need logger
+}
+
+start() {
+	ebegin "Starting firewall"
+
+	# enable IP forwarding
+	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
+	echo 1 > /proc/sys/net/ipv4/ip_forward
+	
+	# default policy is DROP
+	/sbin/iptables -P INPUT DROP
+	/sbin/iptables -P OUTPUT DROP
+	/sbin/iptables -P FORWARD DROP
+
+	/sbin/ip6tables -P INPUT DROP
+	/sbin/ip6tables -P OUTPUT DROP
+	/sbin/ip6tables -P FORWARD DROP
+
+	# allow esp
+	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
+	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+	# allow IKE
+	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+	# allow MobIKE
+	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+	# allow ICMPv6 neighbor-solicitations
+	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+	
+	# allow ICMPv6 neighbor-advertisements
+	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+
+	# allow crl and certificate fetch from winnetou
+	ip6tables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
+	ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
+
+	# allow ssh
+	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
+	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+	# log dropped packets
+	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
+	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
+
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/ip6tables -F -t $a
+			/sbin/ip6tables -X -t $a
+
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+	
+			if [ $a == nat ]; then
+				/sbin/iptables -t nat -P PREROUTING ACCEPT
+				/sbin/iptables -t nat -P POSTROUTING ACCEPT
+				/sbin/iptables -t nat -P OUTPUT ACCEPT
+			elif [ $a == mangle ]; then
+				/sbin/iptables -t mangle -P PREROUTING ACCEPT
+				/sbin/iptables -t mangle -P INPUT ACCEPT
+				/sbin/iptables -t mangle -P FORWARD ACCEPT
+				/sbin/iptables -t mangle -P OUTPUT ACCEPT
+				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
+			elif [ $a == filter ]; then
+				/sbin/ip6tables -t filter -P INPUT ACCEPT
+				/sbin/ip6tables -t filter -P FORWARD ACCEPT
+				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
+
+				/sbin/iptables -t filter -P INPUT ACCEPT
+				/sbin/iptables -t filter -P FORWARD ACCEPT
+				/sbin/iptables -t filter -P OUTPUT ACCEPT
+			fi
+		done
+	eend $?
+}
+
+reload() {
+	ebegin "Flushing firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/ip6tables -F -t $a
+			/sbin/ip6tables -X -t $a
+		done;
+        eend $?
+	start
+}
+
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.conf b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..cc7e09b4e
--- /dev/null
+++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,29 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+ca strongswan
+	cacert=strongswanCert.pem
+	certuribase=http://ip6-winnetou.strongswan.org/certs/rfc3779/
+	crluri=http://ip6-winnetou.strongswan.org/strongswan_rfc3779.crl
+	auto=add
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+
+conn home
+	left=PH_IP6_DAVE
+	leftcert=daveCert.pem
+	leftid=dave@strongswan.org
+	leftfirewall=yes
+	right=PH_IP6_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=0::0/0
+	keyexchange=ikev2
+	auto=add
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem
new file mode 100644
index 000000000..8e872d89f
--- /dev/null
+++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem
@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----
+MIIEXTCCA0WgAwIBAgIJAPKv5keyTotGMA0GCSqGSIb3DQEBCwUAMFoxCzAJBgNV
+BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRAwDgYDVQQLEwdSRkMz
+Nzc5MR4wHAYDVQQDExVzdHJvbmdTd2FuIFJGQzM3NzkgQ0EwHhcNMDkxMjIzMTMz
+MDUwWhcNMTkxMjIxMTMzMDUwWjBaMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGlu
+dXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwGA1UEAxMVc3Ryb25n
+U3dhbiBSRkMzNzc5IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
+zP4z54hRFM3bg0WWxpa9yBh8CrloV8wWd3YQR9daJjErXdZfbnECZqoK5obWPkQJ
+Cp2xGijnB5CDxvAdiFANgNxDeDuAD5jGzQALWVYgbhQ/y4qRw49IPs9k+Uf1OHVr
+b3qP8uSvWEmb1SlAJ24PGChB8Y5NwJJzFY5P0TJI/Zg3zgbLTsbgiplImgi/ZG7Y
+GE/DCb6UAzcRwE2y41U4ZVG86UW2ARnvOCXJZHdt16O3KzUJ78BA1IgMsNZs8cQF
+Avg1ZAUJW6oMLXu2XCwKOKTwJxdA2wpYadus2KEY/UyVovHSpyBa/zzSDXsP01PU
+EKNZhloVQVt9NX3MCUItfQIDAQABo4IBJDCCASAwEgYDVR0TAQH/BAgwBgEB/wIB
+ATALBgNVHQ8EBAMCAQYwHQYDVR0OBBYEFCF/p+s30KMLH6HcQgYeEV880hAUMIGM
+BgNVHSMEgYQwgYGAFCF/p+s30KMLH6HcQgYeEV880hAUoV6kXDBaMQswCQYDVQQG
+EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3
+OTEeMBwGA1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBggkA8q/mR7JOi0YwTwYI
+KwYBBQUHAQcBAf8EQDA+MCgEAgABMCIwCgMDAAoBAwMACgIwDgMFAAoDAAEDBQAK
+AwPoAwQAwKgAMBIEAgACMAwwCgMDBv7AAwMA/sIwDQYJKoZIhvcNAQELBQADggEB
+ABXhehDhC9jLipmZbP9r2t8ARjIjeHUk5UIX3sW9pKlwuOiFy/oEmJD72LYSPDFm
+uKK4NDAllhJWKw1KA1j1h1NxE6tEjQTpj9mizjULI6T1HPWyn5E93vqFIK71k4ud
+rxZXyq7fPrXM2QVKHpiT1DlAcopGe92Vxo0qooYEXIHd6XwVftSIo/1bi08p8jZS
+Oc+kjoOKkfqmBSKpqYzTtlbafdVOPBAEaTa3k516ks3bDQn3gtU+2ucNB3fIvVVA
+MI2//EaIMBIXorpcnOU3ja0nYCAf9kHAybRpBObWt7OLKFHcSatdE9El4Ri3YeJX
+fN8iF5kHn7S+Nd9ZFlf3S1w=
+-----END CERTIFICATE-----
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.d/certs/daveCert.pem
new file mode 100644
index 000000000..dffbc67e9
--- /dev/null
+++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.d/certs/daveCert.pem
@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE-----
+MIIEoDCCA4igAwIBAgIBBDANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwG
+A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTA5MTIyMzEzMzczNloXDTE0
+MTIyMjEzMzczNlowWDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u
+Z1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxHDAaBgNVBAMUE2RhdmVAc3Ryb25nc3dh
+bi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDPLwvUPUNIZnbX
+eyz8U0COp5RM7ZLFT2iJmSGxznZ30phUNHSy3WX9V8h2kQ2fBks2x0KYWEg8Lh2y
+ggZipePRpuHRnZlcll5/HY/YOUgdV2GE6euNiWKcDB6uE51sxZ+on5KasI9EJMdp
+hJpytYUFjx6pExsoqWMQLigrT6A4bYogkweOZHiUyHiqgtUQcHnmmKwxgeUAkZCb
+00dk7CYnXNQZ1uHj/08TDwrS37SGXfWEIcBGEx/awqlF+s2HTI6zw7NC2HhQsiSp
+Yo1nz8TBr/8XnO9KyYUg04TMkcQqBFDt/qiUswLRLapn9HSyd43BxaF+YuvJ1+ip
+M4G05K1nAgMBAAGjggFxMIIBbTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNV
+HQ4EFgQUJ/+79KP+Ea9vdAIMkUYx++cu6R0wgYwGA1UdIwSBhDCBgYAUIX+n6zfQ
+owsfodxCBh4RXzzSEBShXqRcMFoxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51
+eCBzdHJvbmdTd2FuMRAwDgYDVQQLEwdSRkMzNzc5MR4wHAYDVQQDExVzdHJvbmdT
+d2FuIFJGQzM3NzkgQ0GCCQDyr+ZHsk6LRjAeBgNVHREEFzAVgRNkYXZlQHN0cm9u
+Z3N3YW4ub3JnMEEGA1UdHwQ6MDgwNqA0oDKGMGh0dHA6Ly9jcmwuc3Ryb25nc3dh
+bi5vcmcvc3Ryb25nc3dhbl9yZmMzNzc5LmNybDBCBggrBgEFBQcBBwEB/wQzMDEw
+FAQCAAEwDgMFAAoDAAIDBQDAqADIMBkEAgACMBMDEQD+wAAAAAAAAAAAAAAAAAAg
+MA0GCSqGSIb3DQEBCwUAA4IBAQBlOlqceKqgr0putV9fUf2vekg5QtZGDtHFUOTH
+0gDIe2DJ60bWY5IXpjj2KtzRdoP448fpPaprrh8VEljWoVvAF8LaePKGggqwcG+D
+Z7ioDYlnV1j+/NnbZGM/hPqa841dh5jesTuTAF2giMod6P6eMiiRcnl9X3ltgSWp
+Ahk5C8CNYw+sISJcCHtFQHdKOM4QN7wAWksvpjMWkSDQgf/rnDUgW8DXAwX/9K4V
+G2etJ6/8drpjB115p6h+GYz8xFG28/MSf9BqNX03dBs5oyko2+FgSrb3ACK+pAO4
+Cpi2NKZfUH+M7Loo4baI+f5iavpDjDfar8KTiV610DAp0W2S
+-----END CERTIFICATE-----
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.d/private/daveKey.pem
new file mode 100644
index 000000000..e79cbdd9f
--- /dev/null
+++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.d/private/daveKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAzy8L1D1DSGZ213ss/FNAjqeUTO2SxU9oiZkhsc52d9KYVDR0
+st1l/VfIdpENnwZLNsdCmFhIPC4dsoIGYqXj0abh0Z2ZXJZefx2P2DlIHVdhhOnr
+jYlinAwerhOdbMWfqJ+SmrCPRCTHaYSacrWFBY8eqRMbKKljEC4oK0+gOG2KIJMH
+jmR4lMh4qoLVEHB55pisMYHlAJGQm9NHZOwmJ1zUGdbh4/9PEw8K0t+0hl31hCHA
+RhMf2sKpRfrNh0yOs8OzQth4ULIkqWKNZ8/Ewa//F5zvSsmFINOEzJHEKgRQ7f6o
+lLMC0S2qZ/R0sneNwcWhfmLrydfoqTOBtOStZwIDAQABAoIBAQCW49qnnl6MMiPH
+V6wxsKhJvP6i8Dt+fBDUdbQ2fPmG1teeK/357ojC89XJlGbpNHo+0OxNa65gNe3m
+/g+MdOjw3auFMFRrPBBiX7NNdJpy1Brv5DVrhW1N3P3TJfH3MA7RjjYFdyVAKdEZ
+pjud41mX7N4VoRacjJDbTeJveLRlowB2gPcxhNZlF6gPP1ZaHwR/b1+0qOTcsxj3
+hqC7zdmMM8UGQ38S3ba7dldlCVAvJgylRX+LPTx5x32wMntaSmBy0cdRqfHtznij
+MZQnJiUuAvlQyjCbt0j7jycBZrMfgS+hESHaUG7wdJUraL40hlX2L4RfIyMtriwB
+9Xe5fVABAoGBAP3Bphf6k/QxbCrVyyw3Q13MMug63bj3mqhjwOJUoEu+3O4+5Qcw
+bIKEOxDFy82lwVHEnYU2tyxVcLBoXP0kMVkrWQIuDSPrneSQxIO1npBZTvBIvWSr
+Yh3kJa15zlF4JxljwXfjLskInRlL45gBiG8FbSuDtXTxPJBtlrIHE0lnAoGBANED
+/Ct5cocPPTYDGq7FxkGEOFoZM1OTsnL68NmcOhp69uWOAgNCIZEifYBz/SSx1ISJ
+QjDdie3BQ0zp2CZe5Fujtz0oT4VPsrJUcND6fZnG79aA2P2S4tXOdVbElB4fOWuT
+Sd1WOmgOFAn+B907PsP2BEh2BPO2/eqy3hN38PwBAoGAZzAJ9JJG+/PlAn4xwmcu
+k8Pnp5vYcdDuKS93ThIPpP2WJaOZypSca26N/kIQoC2ZMUD8tSEM15Be5L1rotzG
+3HXOGh7T5Rl4+WsNHmoKcrR+byOFMJyop3MRBzwS8/oiHCb+k1vkuIcyKwk7IaLt
+8geI3zsN3OIEOM73iqlp5F0CgYBbSWFGX4l8oVQ7lcl+kZRQIv41o5H+K6ChhSXR
+9OCPlirlAUuxvp1IdQbZJk9mSmCl7gjBrNBDzcel/O/RelpEB9HM3SE1+SPzrNuE
++hIHKpKvXaDnxtJZTQ2EcuC58ysx56c4CyQBNDzeTFuE7Q4xqe4e86SgCMkHS02g
+tR7EAQKBgQCRoTsOFcCK2jXBhfcuwcrnrTJmf6LFxW08Mfl9qxKUjz20bx6jgv7f
+TrRUHavmVrrGkAc6eTtoa+2cC5ffSBWHeCD48omb+DZGPF54UbEYyRUb5umKbfI3
+M3WiHTTpeTOx2MmPwiAHhPuaWMV9jWkRG01+wIX4HybGYeEAVHE9lg==
+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/strongswan.conf b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..4732113fa
--- /dev/null
+++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  hash_and_url = yes
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+}
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/init.d/iptables b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/init.d/iptables
new file mode 100755
index 000000000..b3509f8df
--- /dev/null
+++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/init.d/iptables
@@ -0,0 +1,104 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+	before net
+	need logger
+}
+
+start() {
+	ebegin "Starting firewall"
+
+	# enable IP forwarding
+	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
+	echo 1 > /proc/sys/net/ipv4/ip_forward
+	
+	# default policy is DROP
+	/sbin/iptables -P INPUT DROP
+	/sbin/iptables -P OUTPUT DROP
+	/sbin/iptables -P FORWARD DROP
+
+	/sbin/ip6tables -P INPUT DROP
+	/sbin/ip6tables -P OUTPUT DROP
+	/sbin/ip6tables -P FORWARD DROP
+
+	# allow esp
+	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
+	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+	# allow IKE
+	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+	# allow MobIKE
+	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+	# allow ICMPv6 neighbor-solicitations
+	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+	
+	# allow ICMPv6 neighbor-advertisements
+	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+
+	# allow crl and certificate fetch from winnetou
+	ip6tables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
+	ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
+
+	# allow ssh
+	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
+	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+	# log dropped packets
+	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
+	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
+
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/ip6tables -F -t $a
+			/sbin/ip6tables -X -t $a
+
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+	
+			if [ $a == nat ]; then
+				/sbin/iptables -t nat -P PREROUTING ACCEPT
+				/sbin/iptables -t nat -P POSTROUTING ACCEPT
+				/sbin/iptables -t nat -P OUTPUT ACCEPT
+			elif [ $a == mangle ]; then
+				/sbin/iptables -t mangle -P PREROUTING ACCEPT
+				/sbin/iptables -t mangle -P INPUT ACCEPT
+				/sbin/iptables -t mangle -P FORWARD ACCEPT
+				/sbin/iptables -t mangle -P OUTPUT ACCEPT
+				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
+			elif [ $a == filter ]; then
+				/sbin/ip6tables -t filter -P INPUT ACCEPT
+				/sbin/ip6tables -t filter -P FORWARD ACCEPT
+				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
+
+				/sbin/iptables -t filter -P INPUT ACCEPT
+				/sbin/iptables -t filter -P FORWARD ACCEPT
+				/sbin/iptables -t filter -P OUTPUT ACCEPT
+			fi
+		done
+	eend $?
+}
+
+reload() {
+	ebegin "Flushing firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/ip6tables -F -t $a
+			/sbin/ip6tables -X -t $a
+		done;
+        eend $?
+	start
+}
+
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..4832bb89f
--- /dev/null
+++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,28 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+ca strongswan
+	cacert=strongswanCert.pem
+	certuribase=http://ip6-winnetou.strongswan.org/certs/rfc3779/
+	crluri=http://ip6-winnetou.strongswan.org/strongswan_rfc3779.crl
+	auto=add
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+
+conn rw
+	left=PH_IP6_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=fec1::/16
+	leftfirewall=yes
+	right=%any
+	keyexchange=ikev2
+	auto=add
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
new file mode 100644
index 000000000..8e872d89f
--- /dev/null
+++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----
+MIIEXTCCA0WgAwIBAgIJAPKv5keyTotGMA0GCSqGSIb3DQEBCwUAMFoxCzAJBgNV
+BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRAwDgYDVQQLEwdSRkMz
+Nzc5MR4wHAYDVQQDExVzdHJvbmdTd2FuIFJGQzM3NzkgQ0EwHhcNMDkxMjIzMTMz
+MDUwWhcNMTkxMjIxMTMzMDUwWjBaMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGlu
+dXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwGA1UEAxMVc3Ryb25n
+U3dhbiBSRkMzNzc5IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
+zP4z54hRFM3bg0WWxpa9yBh8CrloV8wWd3YQR9daJjErXdZfbnECZqoK5obWPkQJ
+Cp2xGijnB5CDxvAdiFANgNxDeDuAD5jGzQALWVYgbhQ/y4qRw49IPs9k+Uf1OHVr
+b3qP8uSvWEmb1SlAJ24PGChB8Y5NwJJzFY5P0TJI/Zg3zgbLTsbgiplImgi/ZG7Y
+GE/DCb6UAzcRwE2y41U4ZVG86UW2ARnvOCXJZHdt16O3KzUJ78BA1IgMsNZs8cQF
+Avg1ZAUJW6oMLXu2XCwKOKTwJxdA2wpYadus2KEY/UyVovHSpyBa/zzSDXsP01PU
+EKNZhloVQVt9NX3MCUItfQIDAQABo4IBJDCCASAwEgYDVR0TAQH/BAgwBgEB/wIB
+ATALBgNVHQ8EBAMCAQYwHQYDVR0OBBYEFCF/p+s30KMLH6HcQgYeEV880hAUMIGM
+BgNVHSMEgYQwgYGAFCF/p+s30KMLH6HcQgYeEV880hAUoV6kXDBaMQswCQYDVQQG
+EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3
+OTEeMBwGA1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBggkA8q/mR7JOi0YwTwYI
+KwYBBQUHAQcBAf8EQDA+MCgEAgABMCIwCgMDAAoBAwMACgIwDgMFAAoDAAEDBQAK
+AwPoAwQAwKgAMBIEAgACMAwwCgMDBv7AAwMA/sIwDQYJKoZIhvcNAQELBQADggEB
+ABXhehDhC9jLipmZbP9r2t8ARjIjeHUk5UIX3sW9pKlwuOiFy/oEmJD72LYSPDFm
+uKK4NDAllhJWKw1KA1j1h1NxE6tEjQTpj9mizjULI6T1HPWyn5E93vqFIK71k4ud
+rxZXyq7fPrXM2QVKHpiT1DlAcopGe92Vxo0qooYEXIHd6XwVftSIo/1bi08p8jZS
+Oc+kjoOKkfqmBSKpqYzTtlbafdVOPBAEaTa3k516ks3bDQn3gtU+2ucNB3fIvVVA
+MI2//EaIMBIXorpcnOU3ja0nYCAf9kHAybRpBObWt7OLKFHcSatdE9El4Ri3YeJX
+fN8iF5kHn7S+Nd9ZFlf3S1w=
+-----END CERTIFICATE-----
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.d/certs/moonCert.pem
new file mode 100644
index 000000000..7f5f8d703
--- /dev/null
+++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.d/certs/moonCert.pem
@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE-----
+MIIEuDCCA6CgAwIBAgIBATANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwG
+A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTA5MTIyMzEzMzM1NloXDTE0
+MTIyMjEzMzM1NlowWDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u
+Z1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dh
+bi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDTKaLLTmKX45Qm
+RjIaBSxBwofzqqkZWtl1mu0cDp6rGWr//hC31OO9MbLeRZBX0UBtuKouceAjdrwG
+aK7ChR0Ft+qlLZ6Z9BH2Dna4vTdESsB3Sn+uXuU4WNdwmmJuRBXfl/7h/Rt+34Cs
+BP82/RtR4GVpS7u73iSLlN4RaeWdySTqhtYH4cKt1H9MiSbwwomwdLedQo3UoOeU
+lkWPrzFKT3gzU4vHr1sgpbF54o/iBr5/YyJpUT9UVeDTffAEMxnAe8/Q/a3pgSLO
+wJ3HnSvcSH0w8zuH1YXOtfmqsphkwVBJGiLzUHWlYxVIAoCKdrv4eoSJLqlL5b51
+vGkmL83RAgMBAAGjggGJMIIBhTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNV
+HQ4EFgQU5zzmRRlKa8+cm1g4RYg4lKNkQz4wgYwGA1UdIwSBhDCBgYAUIX+n6zfQ
+owsfodxCBh4RXzzSEBShXqRcMFoxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51
+eCBzdHJvbmdTd2FuMRAwDgYDVQQLEwdSRkMzNzc5MR4wHAYDVQQDExVzdHJvbmdT
+d2FuIFJGQzM3NzkgQ0GCCQDyr+ZHsk6LRjAeBgNVHREEFzAVghNtb29uLnN0cm9u
+Z3N3YW4ub3JnMBMGA1UdJQQMMAoGCCsGAQUFBwMBMEEGA1UdHwQ6MDgwNqA0oDKG
+MGh0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbl9yZmMzNzc5LmNy
+bDBFBggrBgEFBQcBBwEB/wQ2MDQwEgQCAAEwDAMDAAoBAwUAwKgAATAeBAIAAjAY
+AxEA/sAAAAAAAAAAAAAAAAAAAQMDAP7BMA0GCSqGSIb3DQEBCwUAA4IBAQBVFKeX
+QIH5Zk0dp/7u/V0TKqu5vZ9x6ZrshAZ9nzbLgmSP+++yDXmlQe0D0i2Men4D095S
+smFqw1nMWM5oEPpP58+jhCOHzn7InMp+SRRBkX2j06wT9qbynAHiIun/qcdq13w1
+Fs0PiKVQZbbz72mwl9J3Hkj/JkLtOX00wMPqIFU6veeagGiwOW7KkehFUVqoD9+O
+vgkHnUti2XzgskEGcEWmE1EYv7Qo0OdZB15oNoUV5i8WelfmWO+nz9/QKciATNoC
+kAUVcEV9XY9sSKjazdyG6QfEd3l6lQ+KAt8MnqA89i0yIQ1lg+3Jfe67SMvM1gy6
+Y0Y2hqCja6SsIjVc
+-----END CERTIFICATE-----
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.d/private/moonKey.pem
new file mode 100644
index 000000000..8295f97c1
--- /dev/null
+++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.d/private/moonKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEA0ymiy05il+OUJkYyGgUsQcKH86qpGVrZdZrtHA6eqxlq//4Q
+t9TjvTGy3kWQV9FAbbiqLnHgI3a8BmiuwoUdBbfqpS2emfQR9g52uL03RErAd0p/
+rl7lOFjXcJpibkQV35f+4f0bft+ArAT/Nv0bUeBlaUu7u94ki5TeEWnlnckk6obW
+B+HCrdR/TIkm8MKJsHS3nUKN1KDnlJZFj68xSk94M1OLx69bIKWxeeKP4ga+f2Mi
+aVE/VFXg033wBDMZwHvP0P2t6YEizsCdx50r3Eh9MPM7h9WFzrX5qrKYZMFQSRoi
+81B1pWMVSAKAina7+HqEiS6pS+W+dbxpJi/N0QIDAQABAoIBAQCSHbx1XB8jJSot
+teMTWEMAmgCDHrN2RQQ2ueaaxI8MrED7NK4S1rBkCVDRN2ejLLudcOvpyYikYZPI
+B4XuOjgT7ejjNYcK1vXawrVqLhxhGCzIHvftC+MnM2qYk2vLCzfriXyomgD9sOCT
+p72GKmxOIq1pyCr228eEApYLjLCDlhso3PrCo7recUq7f56rLjvb4gfcfor6mJUd
+yIppZUnDFJnsRXup1G4L9Y9RNYtlkcDqem/Q49d5+AHCYH6R8YI0Iz3JnzZjalsq
++IA6RJqHBTeOpiyCmHlUmVE/3YUm8n7w7RRngMOLjKdiTKHT+8EcHmyUorqW3Yea
+zCIe5C6FAoGBAO23egrSbamyWXcIOqx1GX9gzYmQ2nSKYUtRhsE8eNErw0zp4FKv
+AA7CAmoWEzjDJPSkUzDAajoZiH8+DIZ4IkwKbYjtq0vr1yCbx/PBKVN/JHGZ/Ao/
+dc/lQrNseza34NBrREN/gUytjefFMJ4YStSZCMuy3gP1Fqk6YCy/dObbAoGBAONn
+UqjmZYqoK0+jnGWdPOtXZ4bu8UoHc8/1MaVn3pq8bYh3PayFKpDKtcD1ZeXHCxL2
+1Y+Eid/DoZ2/RZbxT2mhi2mVZZCWc0xuML3Vz0B9bqi3ZfRLVP2u87fn//mGrD+9
+yy9PeIBv8UvjOhev6hZDBhPAVMsyjiw+wSX6kW/DAoGBAMBcrbSeLcGZok3xadFu
+fPCXvBtrDWwrIqpZUauDLN1PBZ5yz2T5WhmXI28HaAyR1ZDmfK9BtXRIfy1AX9Bc
+3JweAB9C/E/Wi+JGTVrR34hCpZIMImmEiuhtxDj/OwG/cHwXoUjhoBcVhnScHEiC
+reM152k21/Pp26mbpIHxeD7rAoGAaRy4S5P7uaTUKEKzJxEQOKQ1GVzXMWXSdXyb
+zx38+j9AzgR4AIepTjY03xVPXW+swb5Qpr8Xz9Oon7bq3sN59pSSUWKaCMRSVTDV
+3Nm4q9GO1fO377zmc0BsLUTSwC8s7WW4Ro0QYSXdPjuw/YP1ywZ+B6EuUKJ0ryTu
+uLRih2sCgYBm15N97b7Rp+aAti045iBla9/KH8z7szczIndpFWR4wjaI9tt0i9GR
+OZs7LFq0MYdg8JiXITyVcuqsUbdAP3TvsXGDHdatbDcrXM/DYuP6dPqMuGBKdnEn
+gIFT1z8mhv4Im3JKpuckMrIQ5vWhljcRZgiEJYZfEAkLJo7ePG2VzA==
+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..4732113fa
--- /dev/null
+++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  hash_and_url = yes
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+}
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/posttest.dat b/testing/tests/ipv6/rw-rfc3779-ikev2/posttest.dat
new file mode 100644
index 000000000..07e89d7da
--- /dev/null
+++ b/testing/tests/ipv6/rw-rfc3779-ikev2/posttest.dat
@@ -0,0 +1,9 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
+alice::"ip route del fec0:\:/16 via fec1:\:1"
+carol::"ip route del fec1:\:/16 via fec0:\:1"
+dave::"ip route del fec1:\:/16 via fec0:\:1"
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/pretest.dat b/testing/tests/ipv6/rw-rfc3779-ikev2/pretest.dat
new file mode 100644
index 000000000..7da0c1028
--- /dev/null
+++ b/testing/tests/ipv6/rw-rfc3779-ikev2/pretest.dat
@@ -0,0 +1,13 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+alice::"ip route add fec0:\:/16 via fec1:\:1"
+carol::"ip route add fec1:\:/16 via fec0:\:1"
+dave::"ip route add fec1:\:/16 via fec0:\:1"
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
+dave::sleep 2 
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/test.conf b/testing/tests/ipv6/rw-rfc3779-ikev2/test.conf
new file mode 100644
index 000000000..80cf5e3a1
--- /dev/null
+++ b/testing/tests/ipv6/rw-rfc3779-ikev2/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d-ip6.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/init.d/iptables b/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/init.d/iptables
index 25074a0f1..b1e7073af 100755
--- a/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/init.d/iptables
+++ b/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/init.d/iptables
@@ -37,9 +37,6 @@ start() {
 	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
 	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
 
-	# allow last UDP fragment
-	ip6tables -A INPUT -i eth0 -p udp -m frag --fraglast -j ACCEPT
-
 	# allow ICMPv6 neighbor-solicitations
 	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
 	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
@@ -48,9 +45,9 @@ start() {
 	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
 	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
 
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+	# allow crl and certficate fetch from winnetou
+	ip6tables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
+	ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
 
 	# allow ssh
 	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
diff --git a/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/ipsec.conf
index 7df72bd4f..0d9e275b7 100755
--- a/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/ipsec.conf
@@ -5,6 +5,12 @@ config setup
 	crlcheckinterval=180
 	plutostart=no
 
+ca strongswan
+	cacert=strongswanCert.pem
+	certuribase=http://ip6-winnetou.strongswan.org/certs/
+	crluri=http://ip6-winnetou.strongswan.org/strongswan.crl
+	auto=add
+
 conn %default
 	ikelifetime=60m
 	keylife=20m
diff --git a/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/strongswan.conf
index 40eb84b8a..4732113fa 100644
--- a/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  hash_and_url = yes
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/init.d/iptables b/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/init.d/iptables
index 25074a0f1..b3509f8df 100755
--- a/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/init.d/iptables
+++ b/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/init.d/iptables
@@ -37,9 +37,6 @@ start() {
 	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
 	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
 
-	# allow last UDP fragment
-	ip6tables -A INPUT -i eth0 -p udp -m frag --fraglast -j ACCEPT
-
 	# allow ICMPv6 neighbor-solicitations
 	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
 	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
@@ -48,9 +45,9 @@ start() {
 	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
 	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
 
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+	# allow crl and certificate fetch from winnetou
+	ip6tables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
+	ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
 
 	# allow ssh
 	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
diff --git a/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/ipsec.conf
index b306ec666..26949985e 100755
--- a/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/ipsec.conf
@@ -5,6 +5,12 @@ config setup
 	crlcheckinterval=180
 	plutostart=no
 
+ca strongswan
+	cacert=strongswanCert.pem
+	certuribase=http://ip6-winnetou.strongswan.org/certs/
+	crluri=http://ip6-winnetou.strongswan.org/strongswan.crl
+	auto=add
+
 conn %default
 	ikelifetime=60m
 	keylife=20m
diff --git a/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/strongswan.conf
index 40eb84b8a..4732113fa 100644
--- a/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  hash_and_url = yes
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/ipv6/transport-ikev2/pretest.dat b/testing/tests/ipv6/transport-ikev2/pretest.dat
index 3536fd886..7e97e7783 100644
--- a/testing/tests/ipv6/transport-ikev2/pretest.dat
+++ b/testing/tests/ipv6/transport-ikev2/pretest.dat
@@ -4,3 +4,4 @@ moon::ipsec start
 sun::ipsec start
 moon::sleep 2 
 moon::ipsec up host-host
+moon::sleep 1
diff --git a/testing/tests/openssl-ikev1/alg-camellia/description.txt b/testing/tests/openssl-ikev1/alg-camellia/description.txt
new file mode 100644
index 000000000..915e6c211
--- /dev/null
+++ b/testing/tests/openssl-ikev1/alg-camellia/description.txt
@@ -0,0 +1,4 @@
+Roadwarrior <b>carol</b> proposes  to gateway <b>moon</b> the cipher suite
+<b>CAMELLIA_CBC_192 / HMAC_SHA2_384 / MODP_3072</b> for the IKE protocol and 
+<b>CAMELLIA_CBC_192 / HMAC_SHA2_384_192 </b> for ESP packets. A ping from <b>carol</b> to
+<b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/openssl-ikev1/alg-camellia/evaltest.dat b/testing/tests/openssl-ikev1/alg-camellia/evaltest.dat
new file mode 100644
index 000000000..a3360e5a5
--- /dev/null
+++ b/testing/tests/openssl-ikev1/alg-camellia/evaltest.dat
@@ -0,0 +1,11 @@
+carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
+moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
+carol::ipsec statusall::IKE proposal: CAMELLIA_CBC_192/HMAC_SHA2_384/MODP_3072::YES
+moon::ipsec statusall::IKE proposal: CAMELLIA_CBC_192/HMAC_SHA2_384/MODP_3072::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ipsec statusall::ESP proposal: CAMELLIA_CBC_192/HMAC_SHA2_384::YES
+moon::ipsec statusall::ESP proposal: CAMELLIA_CBC_192/HMAC_SHA2_384::YES
+carol::ip xfrm state::enc cbc(camellia)::YES
+moon::ip xfrm state::enc cbc(camellia)::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 208::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 208::YES
diff --git a/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..c226d97d0
--- /dev/null
+++ b/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutodebug="control crypt"
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	charonstart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	ike=camellia192-sha384-modp3072!
+	esp=camellia192-sha384!
+
+conn home
+	left=PH_IP_CAROL
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
diff --git a/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..85684b1c9
--- /dev/null
+++ b/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = pem pkcs1 x509 openssl random hmac curl
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..e26d972f0
--- /dev/null
+++ b/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutodebug="control crypt"
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	charonstart=no
+       
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	ike=camellia192-sha384-modp3072!
+	esp=camellia192-sha384!
+
+conn rw
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	right=%any
+	rightid=carol@strongswan.org
+	auto=add
diff --git a/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..85684b1c9
--- /dev/null
+++ b/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = pem pkcs1 x509 openssl random hmac curl
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/openssl-ikev1/alg-camellia/posttest.dat b/testing/tests/openssl-ikev1/alg-camellia/posttest.dat
new file mode 100644
index 000000000..c6d6235f9
--- /dev/null
+++ b/testing/tests/openssl-ikev1/alg-camellia/posttest.dat
@@ -0,0 +1,2 @@
+moon::ipsec stop
+carol::ipsec stop
diff --git a/testing/tests/openssl-ikev1/alg-camellia/pretest.dat b/testing/tests/openssl-ikev1/alg-camellia/pretest.dat
new file mode 100644
index 000000000..6d2eeb5f9
--- /dev/null
+++ b/testing/tests/openssl-ikev1/alg-camellia/pretest.dat
@@ -0,0 +1,5 @@
+moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+carol::ipsec start
+moon::ipsec start
+carol::sleep 2 
+carol::ipsec up home
diff --git a/testing/tests/openssl-ikev1/alg-camellia/test.conf b/testing/tests/openssl-ikev1/alg-camellia/test.conf
new file mode 100644
index 000000000..fd33cfb57
--- /dev/null
+++ b/testing/tests/openssl-ikev1/alg-camellia/test.conf
@@ -0,0 +1,22 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/strongswan.conf
index 9836736c3..85684b1c9 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = openssl pubkey random hmac curl
+  load = pem pkcs1 x509 openssl random hmac curl
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/strongswan.conf
index c4211619b..3562ddc67 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = aes des sha1 sha2 md5 gmp openssl pubkey random hmac curl
+  load = aes des sha1 sha2 md5 pem pkcs1 x509 gmp pem pkcs1 openssl random hmac curl
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/strongswan.conf
index 9836736c3..85684b1c9 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = openssl pubkey random hmac curl
+  load = pem pkcs1 x509 openssl random hmac curl
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/strongswan.conf
index 668998653..2247496db 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = openssl pubkey random hmac curl 
+  load = pem pkcs1 x509 openssl random hmac curl 
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/strongswan.conf
index c4211619b..3562ddc67 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = aes des sha1 sha2 md5 gmp openssl pubkey random hmac curl
+  load = aes des sha1 sha2 md5 pem pkcs1 x509 gmp pem pkcs1 openssl random hmac curl
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/strongswan.conf
index 668998653..2247496db 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = openssl pubkey random hmac curl 
+  load = pem pkcs1 x509 openssl random hmac curl 
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/strongswan.conf
index 9836736c3..85684b1c9 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = openssl pubkey random hmac curl
+  load = pem pkcs1 x509 openssl random hmac curl
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/strongswan.conf
index c4211619b..3562ddc67 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = aes des sha1 sha2 md5 gmp openssl pubkey random hmac curl
+  load = aes des sha1 sha2 md5 pem pkcs1 x509 gmp pem pkcs1 openssl random hmac curl
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/strongswan.conf
index 9836736c3..85684b1c9 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = openssl pubkey random hmac curl
+  load = pem pkcs1 x509 openssl random hmac curl
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/openssl-ikev1/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev1/rw-cert/hosts/carol/etc/strongswan.conf
index ef1b92f3c..e4d41df39 100644
--- a/testing/tests/openssl-ikev1/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/rw-cert/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = test-vectors openssl pubkey random hmac curl
+  load = test-vectors pem pkcs1 x509 openssl random hmac curl
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/openssl-ikev1/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev1/rw-cert/hosts/dave/etc/strongswan.conf
index 825f6fee8..2da706ef7 100644
--- a/testing/tests/openssl-ikev1/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/rw-cert/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = test-vectors aes des sha1 sha2 md5 gmp pubkey random hmac curl
+  load = test-vectors aes des sha1 sha2 md5 pem pkcs1 x509 gmp random hmac curl
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/openssl-ikev1/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev1/rw-cert/hosts/moon/etc/strongswan.conf
index a3ad70a45..1531d9933 100644
--- a/testing/tests/openssl-ikev1/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/rw-cert/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = test-vectors openssl pubkey random hmac curl
+  load = test-vectors pem pkcs1 x509 openssl random hmac curl
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/openssl-ikev2/alg-blowfish/evaltest.dat b/testing/tests/openssl-ikev2/alg-blowfish/evaltest.dat
index a1f9f6a8e..f1b33895b 100644
--- a/testing/tests/openssl-ikev2/alg-blowfish/evaltest.dat
+++ b/testing/tests/openssl-ikev2/alg-blowfish/evaltest.dat
@@ -1,16 +1,16 @@
 moon::ipsec statusall::rw.*ESTABLISHED::YES
 carol::ipsec statusall::home.*ESTABLISHED::YES
-carol::ipsec statusall::IKE proposal: BLOWFISH_CBC_256::YES
-carol::ipsec statusall::BLOWFISH_CBC_192.*,::YES
+carol::ipsec statusall::IKE proposal: BLOWFISH_CBC_256/HMAC_SHA2_512_256::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ipsec statusall::BLOWFISH_CBC_192/HMAC_SHA2_256_128,::YES
 carol::ip -s xfrm state::enc cbc(blowfish).*(192 bits)::YES
 dave::ipsec statusall::home.*ESTABLISHED::YES
-dave::ipsec statusall::IKE proposal: BLOWFISH_CBC_128::YES
-dave::ipsec statusall::BLOWFISH_CBC_128.*,::YES
+dave::ipsec statusall::IKE proposal: BLOWFISH_CBC_128/HMAC_SHA2_256_128::YES
+dave::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave::ipsec statusall::BLOWFISH_CBC_128/HMAC_SHA1_96,::YES
 dave::ip -s xfrm state::enc cbc(blowfish).*(128 bits)::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 184::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 184::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP.*length 180::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP.*length 180::YES
 
diff --git a/testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf
index e10230384..97526cf99 100644
--- a/testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl openssl random x509 pubkey hmac stroke kernel-netlink updown
+  load = curl pem pkcs1 openssl random x509 hmac stroke kernel-netlink updown
 }
diff --git a/testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf
index e10230384..97526cf99 100644
--- a/testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl openssl random x509 pubkey hmac stroke kernel-netlink updown
+  load = curl pem pkcs1 openssl random x509 hmac stroke kernel-netlink updown
 }
diff --git a/testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf
index e10230384..97526cf99 100644
--- a/testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl openssl random x509 pubkey hmac stroke kernel-netlink updown
+  load = curl pem pkcs1 openssl random x509 hmac stroke kernel-netlink updown
 }
diff --git a/testing/tests/openssl-ikev2/alg-camellia/evaltest.dat b/testing/tests/openssl-ikev2/alg-camellia/evaltest.dat
index aad3becc7..d77c4806e 100644
--- a/testing/tests/openssl-ikev2/alg-camellia/evaltest.dat
+++ b/testing/tests/openssl-ikev2/alg-camellia/evaltest.dat
@@ -2,8 +2,10 @@ moon::ipsec statusall::rw.*INSTALLED::YES
 carol::ipsec statusall::home.*INSTALLED::YES
 moon::ipsec statusall::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES
 carol::ipsec statusall::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
 moon::ipsec statusall::CAMELLIA_CBC_192/HMAC_SHA1_96::YES
 carol::ipsec statusall::CAMELLIA_CBC_192/HMAC_SHA1_96::YES
 moon::ip xfrm state::enc cbc(camellia)::YES
 carol::ip xfrm state::enc cbc(camellia)::YES
-carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 196::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 196::YES
diff --git a/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf
index c110dd516..dd817a963 100644
--- a/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl openssl random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl pem pkcs1 openssl random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf
index c110dd516..dd817a963 100644
--- a/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl openssl random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl pem pkcs1 openssl random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/openssl-ikev2/alg-camellia/test.conf b/testing/tests/openssl-ikev2/alg-camellia/test.conf
index 2b240d895..acb73b06f 100644
--- a/testing/tests/openssl-ikev2/alg-camellia/test.conf
+++ b/testing/tests/openssl-ikev2/alg-camellia/test.conf
@@ -13,7 +13,7 @@ DIAGRAM="m-c-w.png"
 
 # UML instances on which tcpdump is to be started
 #
-TCPDUMPHOSTS=""
+TCPDUMPHOSTS="moon"
 
 # UML instances on which IPsec is started
 # Used for IPsec logging purposes
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/strongswan.conf
index 81dfac334..52a4e0d52 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl openssl random x509 pubkey hmac stroke kernel-netlink updown
+  load = curl pem pkcs1 openssl random x509 hmac stroke kernel-netlink updown
 }
 
 libstrongswan {
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/strongswan.conf
index eb0ba532d..20d891cdc 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp openssl random x509 pubkey hmac stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp pem pkcs1 openssl random x509 hmac stroke kernel-netlink updown
 }
 
 libstrongswan {
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/strongswan.conf
index 81dfac334..52a4e0d52 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl openssl random x509 pubkey hmac stroke kernel-netlink updown
+  load = curl pem pkcs1 openssl random x509 hmac stroke kernel-netlink updown
 }
 
 libstrongswan {
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/strongswan.conf
index 81dfac334..52a4e0d52 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl openssl random x509 pubkey hmac stroke kernel-netlink updown
+  load = curl pem pkcs1 openssl random x509 hmac stroke kernel-netlink updown
 }
 
 libstrongswan {
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/strongswan.conf
index eb0ba532d..20d891cdc 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp openssl random x509 pubkey hmac stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp pem pkcs1 openssl random x509 hmac stroke kernel-netlink updown
 }
 
 libstrongswan {
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/strongswan.conf
index 81dfac334..52a4e0d52 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl openssl random x509 pubkey hmac stroke kernel-netlink updown
+  load = curl pem pkcs1 openssl random x509 hmac stroke kernel-netlink updown
 }
 
 libstrongswan {
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/strongswan.conf
index e10230384..97526cf99 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl openssl random x509 pubkey hmac stroke kernel-netlink updown
+  load = curl pem pkcs1 openssl random x509 hmac stroke kernel-netlink updown
 }
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/strongswan.conf
index e10230384..97526cf99 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl openssl random x509 pubkey hmac stroke kernel-netlink updown
+  load = curl pem pkcs1 openssl random x509 hmac stroke kernel-netlink updown
 }
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/strongswan.conf
index e10230384..97526cf99 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl openssl random x509 pubkey hmac stroke kernel-netlink updown
+  load = curl pem pkcs1 openssl random x509 hmac stroke kernel-netlink updown
 }
diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
index 4e8a1219d..06480bae6 100644
--- a/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors openssl random x509 pubkey hmac stroke kernel-netlink updown
+  load = curl test-vectors pem pkcs1 openssl random x509 hmac stroke kernel-netlink updown
 }
 
 libstrongswan {
diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
index b946aa004..ab6f08e2d 100644
--- a/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors aes des sha1 sha2 md5 gmp random x509 pubkey hmac stroke kernel-netlink updown
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac stroke kernel-netlink updown
 }
 
 libstrongswan {
diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
index ebecace94..dbb64dbb4 100644
--- a/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors openssl random x509 pubkey hmac stroke kernel-netlink updown
+  load = curl test-vectors pem pkcs1 openssl random x509 hmac stroke kernel-netlink updown
 }
 
 libstrongswan {
diff --git a/testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/strongswan.conf b/testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/strongswan.conf
index 40eb84b8a..06b1e9f48 100644
--- a/testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/p2pnat/behind-same-nat/hosts/carol/etc/strongswan.conf b/testing/tests/p2pnat/behind-same-nat/hosts/carol/etc/strongswan.conf
index 40eb84b8a..06b1e9f48 100644
--- a/testing/tests/p2pnat/behind-same-nat/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/p2pnat/behind-same-nat/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/strongswan.conf b/testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/strongswan.conf
index 40eb84b8a..06b1e9f48 100644
--- a/testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/strongswan.conf
+++ b/testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/strongswan.conf b/testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/strongswan.conf
index 40eb84b8a..06b1e9f48 100644
--- a/testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/p2pnat/medsrv-psk/hosts/bob/etc/strongswan.conf b/testing/tests/p2pnat/medsrv-psk/hosts/bob/etc/strongswan.conf
index 40eb84b8a..06b1e9f48 100644
--- a/testing/tests/p2pnat/medsrv-psk/hosts/bob/etc/strongswan.conf
+++ b/testing/tests/p2pnat/medsrv-psk/hosts/bob/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/p2pnat/medsrv-psk/hosts/carol/etc/strongswan.conf b/testing/tests/p2pnat/medsrv-psk/hosts/carol/etc/strongswan.conf
index 40eb84b8a..06b1e9f48 100644
--- a/testing/tests/p2pnat/medsrv-psk/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/p2pnat/medsrv-psk/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
 }
diff --git a/testing/tests/pfkey/alg-aes-xcbc/description.txt b/testing/tests/pfkey/alg-aes-xcbc/description.txt
index cce0e1cd6..c71d7493f 100644
--- a/testing/tests/pfkey/alg-aes-xcbc/description.txt
+++ b/testing/tests/pfkey/alg-aes-xcbc/description.txt
@@ -1,4 +1,4 @@
 Roadwarrior <b>carol</b> proposes  to gateway <b>moon</b> the ESP cipher suite
-<b>AES_CBC_256 / AES_XCBC_96</b> by defining <b>esp=aes256-aesxcbc-modp2048</b>
-in ipsec.conf. The same cipher suite is used for IKE: <b>ike=aes256-aesxcbc-modp2048</b>.
+<b>AES_CBC_128 / AES_XCBC_96</b> by defining <b>esp=aes128-aesxcbc-modp2048!</b>
+in ipsec.conf. The same cipher suite is used for IKE.
 A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/pfkey/alg-aes-xcbc/evaltest.dat b/testing/tests/pfkey/alg-aes-xcbc/evaltest.dat
index 5217c18df..24e36eb77 100644
--- a/testing/tests/pfkey/alg-aes-xcbc/evaltest.dat
+++ b/testing/tests/pfkey/alg-aes-xcbc/evaltest.dat
@@ -1,9 +1,12 @@
 moon::ipsec statusall::rw.*INSTALLED::YES
 carol::ipsec statusall::home.*INSTALLED::YES
-moon::ipsec statusall::rw.*IKE proposal.*AES_CBC_256/AES_XCBC_96/PRF_AES128_XCBC/MODP_2048::YES
-carol::ipsec statusall::home.*IKE proposal.*AES_CBC_256/AES_XCBC_96/PRF_AES128_XCBC/MODP_2048::YES
-moon::ipsec statusall::rw.*AES_CBC_256/AES_XCBC_96,::YES
-carol::ipsec statusall::home.*AES_CBC_256/AES_XCBC_96,::YES
+moon::ipsec statusall::rw.*IKE proposal.*AES_CBC_128/AES_XCBC_96/PRF_AES128_XCBC/MODP_2048::YES
+carol::ipsec statusall::home.*IKE proposal.*AES_CBC_128/AES_XCBC_96/PRF_AES128_XCBC/MODP_2048::YES
+carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
+moon::ipsec statusall::rw.*AES_CBC_128/AES_XCBC_96,::YES
+carol::ipsec statusall::home.*AES_CBC_128/AES_XCBC_96,::YES
 moon::ip xfrm state::auth xcbc(aes)::YES
 carol::ip xfrm state::auth xcbc(aes)::YES
-carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 196::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 196::YES
+
diff --git a/testing/tests/pfkey/alg-aes-xcbc/hosts/carol/etc/ipsec.conf b/testing/tests/pfkey/alg-aes-xcbc/hosts/carol/etc/ipsec.conf
index edd0aaaf8..33e6a842b 100755
--- a/testing/tests/pfkey/alg-aes-xcbc/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/pfkey/alg-aes-xcbc/hosts/carol/etc/ipsec.conf
@@ -11,8 +11,8 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
-	ike=aes256-aesxcbc-modp2048!
-	esp=aes256-aesxcbc-modp2048!
+	ike=aes128-aesxcbc-modp2048!
+	esp=aes128-aesxcbc-modp2048!
 
 conn home
 	left=PH_IP_CAROL
diff --git a/testing/tests/pfkey/alg-aes-xcbc/hosts/carol/etc/strongswan.conf b/testing/tests/pfkey/alg-aes-xcbc/hosts/carol/etc/strongswan.conf
index db6fa7486..0768c2bb5 100644
--- a/testing/tests/pfkey/alg-aes-xcbc/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/pfkey/alg-aes-xcbc/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-pfkey kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink updown
 }
diff --git a/testing/tests/pfkey/alg-aes-xcbc/hosts/moon/etc/ipsec.conf b/testing/tests/pfkey/alg-aes-xcbc/hosts/moon/etc/ipsec.conf
index 18618929f..208477deb 100755
--- a/testing/tests/pfkey/alg-aes-xcbc/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/pfkey/alg-aes-xcbc/hosts/moon/etc/ipsec.conf
@@ -11,8 +11,8 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
-	ike=aes256-aesxcbc-modp2048!
-	esp=aes256-aesxcbc-modp2048!
+	ike=aes128-aesxcbc-modp2048!
+	esp=aes128-aesxcbc-modp2048!
 
 conn rw
 	left=PH_IP_MOON
diff --git a/testing/tests/pfkey/alg-aes-xcbc/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/alg-aes-xcbc/hosts/moon/etc/strongswan.conf
index db6fa7486..0768c2bb5 100644
--- a/testing/tests/pfkey/alg-aes-xcbc/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/pfkey/alg-aes-xcbc/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-pfkey kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink updown
 }
diff --git a/testing/tests/pfkey/alg-aes-xcbc/test.conf b/testing/tests/pfkey/alg-aes-xcbc/test.conf
index 2b240d895..acb73b06f 100644
--- a/testing/tests/pfkey/alg-aes-xcbc/test.conf
+++ b/testing/tests/pfkey/alg-aes-xcbc/test.conf
@@ -13,7 +13,7 @@ DIAGRAM="m-c-w.png"
 
 # UML instances on which tcpdump is to be started
 #
-TCPDUMPHOSTS=""
+TCPDUMPHOSTS="moon"
 
 # UML instances on which IPsec is started
 # Used for IPsec logging purposes
diff --git a/testing/tests/pfkey/alg-sha384/description.txt b/testing/tests/pfkey/alg-sha384/description.txt
new file mode 100644
index 000000000..2255fe8fb
--- /dev/null
+++ b/testing/tests/pfkey/alg-sha384/description.txt
@@ -0,0 +1,4 @@
+Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
+<b>AES_CBC_192 / HMAC_SHA2_384_192</b> by defining <b>esp=aes192-sha384-modp3072!</b>
+in ipsec.conf. The same cipher suite is used for IKE.
+A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/pfkey/alg-sha384/evaltest.dat b/testing/tests/pfkey/alg-sha384/evaltest.dat
new file mode 100644
index 000000000..31bb64c5e
--- /dev/null
+++ b/testing/tests/pfkey/alg-sha384/evaltest.dat
@@ -0,0 +1,11 @@
+moon::ipsec statusall::rw.*INSTALLED::YES
+carol::ipsec statusall::home.*INSTALLED::YES
+moon::ipsec statusall::rw.*IKE proposal.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_3072::YES
+carol::ipsec statusall::home.*IKE proposal.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_3072::YES
+carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
+moon::ipsec statusall::rw.*AES_CBC_192/HMAC_SHA2_384_192,::YES
+carol::ipsec statusall::home.*AES_CBC_192/HMAC_SHA2_384_192,::YES
+moon::ip xfrm state::auth hmac(sha384)::YES
+carol::ip xfrm state::auth hmac(sha384)::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 208::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 208::YES
diff --git a/testing/tests/pfkey/alg-sha384/hosts/carol/etc/ipsec.conf b/testing/tests/pfkey/alg-sha384/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..d38b7dfcf
--- /dev/null
+++ b/testing/tests/pfkey/alg-sha384/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=yes
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=aes192-sha384-modp3072!
+	esp=aes192-sha384-modp3072!
+
+conn home
+	left=PH_IP_CAROL
+	leftfirewall=yes
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add 
diff --git a/testing/tests/pfkey/alg-sha384/hosts/carol/etc/strongswan.conf b/testing/tests/pfkey/alg-sha384/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..0768c2bb5
--- /dev/null
+++ b/testing/tests/pfkey/alg-sha384/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink updown
+}
diff --git a/testing/tests/pfkey/alg-sha384/hosts/moon/etc/ipsec.conf b/testing/tests/pfkey/alg-sha384/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..ea84cd8a4
--- /dev/null
+++ b/testing/tests/pfkey/alg-sha384/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=yes
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=aes192-sha384-modp3072!
+	esp=aes192-sha384-modp3072!
+
+conn rw
+	left=PH_IP_MOON
+	leftfirewall=yes
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	right=%any
+	auto=add
diff --git a/testing/tests/pfkey/alg-sha384/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/alg-sha384/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..0768c2bb5
--- /dev/null
+++ b/testing/tests/pfkey/alg-sha384/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink updown
+}
diff --git a/testing/tests/pfkey/alg-sha384/posttest.dat b/testing/tests/pfkey/alg-sha384/posttest.dat
new file mode 100644
index 000000000..94a400606
--- /dev/null
+++ b/testing/tests/pfkey/alg-sha384/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/pfkey/alg-sha384/pretest.dat b/testing/tests/pfkey/alg-sha384/pretest.dat
new file mode 100644
index 000000000..f360351e1
--- /dev/null
+++ b/testing/tests/pfkey/alg-sha384/pretest.dat
@@ -0,0 +1,6 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+carol::sleep 1 
+carol::ipsec up home
diff --git a/testing/tests/pfkey/alg-sha384/test.conf b/testing/tests/pfkey/alg-sha384/test.conf
new file mode 100644
index 000000000..acb73b06f
--- /dev/null
+++ b/testing/tests/pfkey/alg-sha384/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/pfkey/alg-sha512/description.txt b/testing/tests/pfkey/alg-sha512/description.txt
new file mode 100644
index 000000000..bf79a3bff
--- /dev/null
+++ b/testing/tests/pfkey/alg-sha512/description.txt
@@ -0,0 +1,4 @@
+Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
+<b>AES_CBC_256 / HMAC_SHA2_512_256</b> by defining <b>esp=aes256-sha512-modp4096!</b>
+in ipsec.conf. The same cipher suite is used for IKE.
+A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/pfkey/alg-sha512/evaltest.dat b/testing/tests/pfkey/alg-sha512/evaltest.dat
new file mode 100644
index 000000000..e0f5fb7a3
--- /dev/null
+++ b/testing/tests/pfkey/alg-sha512/evaltest.dat
@@ -0,0 +1,11 @@
+moon::ipsec statusall::rw.*INSTALLED::YES
+carol::ipsec statusall::home.*INSTALLED::YES
+moon::ipsec statusall::rw.*IKE proposal.*AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_4096::YES
+carol::ipsec statusall::home.*IKE proposal.*AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_4096::YES
+carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
+moon::ipsec statusall::rw.*AES_CBC_256/HMAC_SHA2_512_256,::YES
+carol::ipsec statusall::home.*AES_CBC_256/HMAC_SHA2_512_256,::YES
+moon::ip xfrm state::auth hmac(sha512)::YES
+carol::ip xfrm state::auth hmac(sha512)::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 216::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 216::YES
diff --git a/testing/tests/pfkey/alg-sha512/hosts/carol/etc/ipsec.conf b/testing/tests/pfkey/alg-sha512/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..583522d1b
--- /dev/null
+++ b/testing/tests/pfkey/alg-sha512/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=yes
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=aes256-sha512-modp4096!
+	esp=aes256-sha512-modp4096!
+
+conn home
+	left=PH_IP_CAROL
+	leftfirewall=yes
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add 
diff --git a/testing/tests/pfkey/alg-sha512/hosts/carol/etc/strongswan.conf b/testing/tests/pfkey/alg-sha512/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..0768c2bb5
--- /dev/null
+++ b/testing/tests/pfkey/alg-sha512/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink updown
+}
diff --git a/testing/tests/pfkey/alg-sha512/hosts/moon/etc/ipsec.conf b/testing/tests/pfkey/alg-sha512/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..40fec93c0
--- /dev/null
+++ b/testing/tests/pfkey/alg-sha512/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=yes
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=aes256-sha512-modp4096!
+	esp=aes256-sha512-modp4096!
+
+conn rw
+	left=PH_IP_MOON
+	leftfirewall=yes
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	right=%any
+	auto=add
diff --git a/testing/tests/pfkey/alg-sha512/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/alg-sha512/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..0768c2bb5
--- /dev/null
+++ b/testing/tests/pfkey/alg-sha512/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink updown
+}
diff --git a/testing/tests/pfkey/alg-sha512/posttest.dat b/testing/tests/pfkey/alg-sha512/posttest.dat
new file mode 100644
index 000000000..94a400606
--- /dev/null
+++ b/testing/tests/pfkey/alg-sha512/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/pfkey/alg-sha512/pretest.dat b/testing/tests/pfkey/alg-sha512/pretest.dat
new file mode 100644
index 000000000..f360351e1
--- /dev/null
+++ b/testing/tests/pfkey/alg-sha512/pretest.dat
@@ -0,0 +1,6 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+carol::sleep 1 
+carol::ipsec up home
diff --git a/testing/tests/pfkey/alg-sha512/test.conf b/testing/tests/pfkey/alg-sha512/test.conf
new file mode 100644
index 000000000..acb73b06f
--- /dev/null
+++ b/testing/tests/pfkey/alg-sha512/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/pfkey/esp-alg-null/evaltest.dat b/testing/tests/pfkey/esp-alg-null/evaltest.dat
index dc50f11e0..d5c0a64c4 100644
--- a/testing/tests/pfkey/esp-alg-null/evaltest.dat
+++ b/testing/tests/pfkey/esp-alg-null/evaltest.dat
@@ -1,7 +1,9 @@
 moon::ipsec statusall::rw.*INSTALLED::YES
 carol::ipsec statusall::home.*INSTALLED::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
 moon::ipsec statusall::NULL/HMAC_SHA1_96::YES
 carol::ipsec statusall::NULL/HMAC_SHA1_96::YES
 moon::ip xfrm state::enc ecb(cipher_null)::YES
 carol::ip xfrm state::enc ecb(cipher_null)::YES
-carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length::YES
diff --git a/testing/tests/pfkey/esp-alg-null/hosts/carol/etc/strongswan.conf b/testing/tests/pfkey/esp-alg-null/hosts/carol/etc/strongswan.conf
index db6fa7486..0768c2bb5 100644
--- a/testing/tests/pfkey/esp-alg-null/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/pfkey/esp-alg-null/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-pfkey kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink updown
 }
diff --git a/testing/tests/pfkey/esp-alg-null/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/esp-alg-null/hosts/moon/etc/strongswan.conf
index db6fa7486..0768c2bb5 100644
--- a/testing/tests/pfkey/esp-alg-null/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/pfkey/esp-alg-null/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-pfkey kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink updown
 }
diff --git a/testing/tests/pfkey/esp-alg-null/test.conf b/testing/tests/pfkey/esp-alg-null/test.conf
index 2b240d895..acb73b06f 100644
--- a/testing/tests/pfkey/esp-alg-null/test.conf
+++ b/testing/tests/pfkey/esp-alg-null/test.conf
@@ -13,7 +13,7 @@ DIAGRAM="m-c-w.png"
 
 # UML instances on which tcpdump is to be started
 #
-TCPDUMPHOSTS=""
+TCPDUMPHOSTS="moon"
 
 # UML instances on which IPsec is started
 # Used for IPsec logging purposes
diff --git a/testing/tests/pfkey/host2host-transport/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/host2host-transport/hosts/moon/etc/strongswan.conf
index db6fa7486..0768c2bb5 100644
--- a/testing/tests/pfkey/host2host-transport/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/pfkey/host2host-transport/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-pfkey kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink updown
 }
diff --git a/testing/tests/pfkey/host2host-transport/hosts/sun/etc/strongswan.conf b/testing/tests/pfkey/host2host-transport/hosts/sun/etc/strongswan.conf
index db6fa7486..0768c2bb5 100644
--- a/testing/tests/pfkey/host2host-transport/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/pfkey/host2host-transport/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-pfkey kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink updown
 }
diff --git a/testing/tests/pfkey/nat-two-rw/hosts/alice/etc/strongswan.conf b/testing/tests/pfkey/nat-two-rw/hosts/alice/etc/strongswan.conf
index db6fa7486..0768c2bb5 100644
--- a/testing/tests/pfkey/nat-two-rw/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/pfkey/nat-two-rw/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-pfkey kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink updown
 }
diff --git a/testing/tests/pfkey/nat-two-rw/hosts/sun/etc/strongswan.conf b/testing/tests/pfkey/nat-two-rw/hosts/sun/etc/strongswan.conf
index db6fa7486..0768c2bb5 100644
--- a/testing/tests/pfkey/nat-two-rw/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/pfkey/nat-two-rw/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-pfkey kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink updown
 }
diff --git a/testing/tests/pfkey/nat-two-rw/hosts/venus/etc/strongswan.conf b/testing/tests/pfkey/nat-two-rw/hosts/venus/etc/strongswan.conf
index db6fa7486..0768c2bb5 100644
--- a/testing/tests/pfkey/nat-two-rw/hosts/venus/etc/strongswan.conf
+++ b/testing/tests/pfkey/nat-two-rw/hosts/venus/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-pfkey kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink updown
 }
diff --git a/testing/tests/pfkey/net2net-route/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/net2net-route/hosts/moon/etc/strongswan.conf
index db6fa7486..0768c2bb5 100644
--- a/testing/tests/pfkey/net2net-route/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/pfkey/net2net-route/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-pfkey kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink updown
 }
diff --git a/testing/tests/pfkey/net2net-route/hosts/sun/etc/strongswan.conf b/testing/tests/pfkey/net2net-route/hosts/sun/etc/strongswan.conf
index db6fa7486..0768c2bb5 100644
--- a/testing/tests/pfkey/net2net-route/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/pfkey/net2net-route/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-pfkey kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink updown
 }
diff --git a/testing/tests/pfkey/protoport-dual/hosts/carol/etc/strongswan.conf b/testing/tests/pfkey/protoport-dual/hosts/carol/etc/strongswan.conf
index db6fa7486..0768c2bb5 100644
--- a/testing/tests/pfkey/protoport-dual/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/pfkey/protoport-dual/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-pfkey kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink updown
 }
diff --git a/testing/tests/pfkey/protoport-dual/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/protoport-dual/hosts/moon/etc/strongswan.conf
index db6fa7486..0768c2bb5 100644
--- a/testing/tests/pfkey/protoport-dual/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/pfkey/protoport-dual/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-pfkey kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink updown
 }
diff --git a/testing/tests/pfkey/protoport-route/hosts/carol/etc/strongswan.conf b/testing/tests/pfkey/protoport-route/hosts/carol/etc/strongswan.conf
index db6fa7486..0768c2bb5 100644
--- a/testing/tests/pfkey/protoport-route/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/pfkey/protoport-route/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-pfkey kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink updown
 }
diff --git a/testing/tests/pfkey/protoport-route/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/protoport-route/hosts/moon/etc/strongswan.conf
index db6fa7486..0768c2bb5 100644
--- a/testing/tests/pfkey/protoport-route/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/pfkey/protoport-route/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-pfkey kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink updown
 }
diff --git a/testing/tests/pfkey/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/pfkey/rw-cert/hosts/carol/etc/strongswan.conf
index 8ee0ad955..867d256bb 100644
--- a/testing/tests/pfkey/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/pfkey/rw-cert/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-pfkey kernel-netlink updown
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink updown
 }
 
 libstrongswan {
diff --git a/testing/tests/pfkey/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/pfkey/rw-cert/hosts/dave/etc/strongswan.conf
index 8ee0ad955..867d256bb 100644
--- a/testing/tests/pfkey/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/pfkey/rw-cert/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-pfkey kernel-netlink updown
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink updown
 }
 
 libstrongswan {
diff --git a/testing/tests/pfkey/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/rw-cert/hosts/moon/etc/strongswan.conf
index 8ee0ad955..867d256bb 100644
--- a/testing/tests/pfkey/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/pfkey/rw-cert/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-pfkey kernel-netlink updown
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink updown
 }
 
 libstrongswan {
diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/ipsec.d/data.sql
index ca813d44f..9afa1b15d 100644
--- a/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/ipsec.d/data.sql
@@ -9,7 +9,7 @@ INSERT INTO identities (
 INSERT INTO identities (
   type, data
 ) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
-  202, X'ae096b87b44886d3b820978623dabd0eae22ebbc'
+  11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def'
  );
 
 INSERT INTO identities (
@@ -21,7 +21,7 @@ INSERT INTO identities (
 INSERT INTO identities (
   type, data
 ) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=carol@strongswan.org' */
-  202, X'985c23660cd9b9a7554da6a4aa31ea02230fd482'
+  11, X'1fa1a988d9648cb5a0a2546439b4f23d745d6e7c'
  );
 
 INSERT INTO identities (
@@ -41,7 +41,7 @@ INSERT INTO certificates (
 INSERT INTO certificates (
    type, keytype, data
 ) VALUES ( /* C=CH, O=Linux strongSwan, CN=carol@strongswan.org */
-  1, 1, X'308204223082030aa00302010202010a300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3035303130313231343331385a170d3039313233313231343331385a305a310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e3111300f060355040b13085265736561726368311d301b060355040314146361726f6c407374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100b81b84920408e086c8d278d3ad2e9ffc01b89e8c423b612b908010f8174ff96f6729e84b185fb96e60783082c507ace9d64f79beb0252e05e5f1f7a89a0b33e6789f5deb665084cb230191c165bcad1a34563e011b349bb6ab517f01ecf7e2f4de961d36203b85e97811cb26b650cfd014d15dd2d2b71efd656e5638a24bf70986b8128bbae5f3b428d6360e03d3f4e816502e3d1d14d7165ab1a92a9fe15ef045d4e48ff5bd798ec80c9420962c9a9798b54a0ed2a00cf2c9651d7d9882e181c1ef6b1c43edcada2fd191e109962dbd26f38a00208c1ac3ed27a5924c60330c79878eb5c7a90960a6472f979aca9c5aee2bb4d0aed395b546c5e361910a06370203010001a38201063082010230090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e041604145535eca6eba279baef887f18438fd227b16746d1306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100301f0603551d110418301681146361726f6c407374726f6e677377616e2e6f726730390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f7374726f6e677377616e2e63726c300d06092a864886f70d01010405000382010100b1304a7e65d72573468853e8cedd398bf3581cc1e6b4054b9c8d97c3caf0929035dc5e274e7b3fa5fef52e7860bb06aab5ba40c5f1ca55806b4cd873f133ded948b3c89cc81621e2eadee5fc893b48a34e4462a45ab09c41200918f68ea36babfacf4099aa349b8b65841eb1e416b90e4eb462edd786cdb0008565633a701fcd2c416ae8e4754c5bea3181736179aa901e5526c4fac031ce649d851c85ded514c25e3269b0739a879d273950e1a9ea8341b5e1049c07181792ad37da02aeccd555c56469e8e15a9e72860b520dbec05662d37adb08d79575e133f338b0116198fa5fb556fe02682bd634aca535f6750b0daa123f5ad36f2e67caa260587f1aa9'
+  1, 1, X'308204223082030aa00302010202011d300d06092a864886f70d01010b05003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3039303832373130343435315a170d3134303832363130343435315a305a310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e3111300f060355040b13085265736561726368311d301b060355040314146361726f6c407374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100d05d594f8117bc78972a3ec479ebe1400e53cf72410b93e6f74fa17cf1ea444fb23600bae92d81747e49a2e4407c3f6118033d22a3e67ce69a53907ffad646bfbc3b6abe0bdd9a5080a690dbd919a9a8e70d9694e319e93e5d9361eff9033ac53fc6cd6c95af574c62effbb72c03d41c3b696fc7aa4444483bbaabde555aef8bce0e9797108d11ecf462c66b37f7c2e812f6ab3280a8c05b207156f0e3a787e9c4638205e40ce466716bc35d8623bd99f3cda9c3dee5c8ac19852cff18c405049c7eae735dc393f5209c13946e4f51da030ad7bf31caf58a203eccea2fc79e71d46a06c5dba85d65397a0adfd4cb5a9517fd3dcf17af8ab7584293026b19ad510203010001a38201063082010230090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e041604141fa1a988d9648cb5a0a2546439b4f23d745d6e7c306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100301f0603551d110418301681146361726f6c407374726f6e677377616e2e6f726730390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f7374726f6e677377616e2e63726c300d06092a864886f70d01010b05000382010100bca6a5f72ab4b329eba519dcf2740578846c180775a2074da82769e1e4c241bbb2742a7e08564bcb507492661491c71e79b5065f758aad5d54bb66ec86fbaad5eec6f9f794884707e42c07636efbf4c99225e31c7c8f9d0adf2311fbd6975b535218f1246fc06305432b1769231933aaa26a3c388cf2237ebdcfd909aed1219d2dfb9c771da5ec190b5c077167c9eb077dc319b3d9d5579a05502f60635ddfc17292c56880b887b8cc5d0e455118e753b2bdc526b84fc3e947a16b42139c218057029f781a233c26a98a641194a5e3feddccb88b70d5d7c2b2afae10e17665ce164294d138dec80caa25fcf1d737ce7a43cd3ed3e758fe77ef6445fe59d06391'
 );
 
 INSERT INTO certificate_identity (
@@ -73,7 +73,7 @@ INSERT INTO certificate_identity (
 INSERT INTO private_keys (
    type, data
 ) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=carol@strongswan.org' */
-  1, X'308204a30201000282010100b81b84920408e086c8d278d3ad2e9ffc01b89e8c423b612b908010f8174ff96f6729e84b185fb96e60783082c507ace9d64f79beb0252e05e5f1f7a89a0b33e6789f5deb665084cb230191c165bcad1a34563e011b349bb6ab517f01ecf7e2f4de961d36203b85e97811cb26b650cfd014d15dd2d2b71efd656e5638a24bf70986b8128bbae5f3b428d6360e03d3f4e816502e3d1d14d7165ab1a92a9fe15ef045d4e48ff5bd798ec80c9420962c9a9798b54a0ed2a00cf2c9651d7d9882e181c1ef6b1c43edcada2fd191e109962dbd26f38a00208c1ac3ed27a5924c60330c79878eb5c7a90960a6472f979aca9c5aee2bb4d0aed395b546c5e361910a063702030100010282010100a7870abc1f85c061858dd7baae24f61947abaa41f0e6bd85f9c83f28b175e980d0bc168f76cf6c199f18def3afbc4b40c0edb2d7accb3834cfc7bd57234d3c5de4b707ac737ea3478144255079761581f9cbdc41ff72809ad90ba069ad2ae7cf7057e29ee4f7a4e40c890c75de826c8768da16e9072af0bd1db6282902ade34cb1b9c3fdd00a8f0330328e18d477009ac5a43952fe05b7257b8b4e7f8f5288e858ef56ea3a031980d38b879e6327d949a8f3c19bf379c1297b3defc0a374a6ea6f1c0e8124247c33392ae446081f486f58bb41cbcba25915d37eefe0828408f7f679841588424ef59b6dee30805b926fa80e7ff57cb4817167ca72bf51c8cf9102818100da567b0cbbc426e4455ffdd1b8013644d9f47785b05b163a0155c81d57c0cd84fe73aa75125caf116de50b7adc369707ed91127db7d4422bb08cff5ddf91f4a0e5fb264e098fe6fe62f8a2ab933eeac41893f365d8165f79143855b5a5b7dc31c9b34a9d453ee7c8d7b24f89e3ed51bfeadc2e1102308a967b241dfb44c8ad6902818100d7dd78437c533a15fd1dd6b0634334e79c31d215017f5a8869e42cbada3fb09167585e087e72f91575441f7cca9a64246df57f0e45f1ae86a289a4307586aa1cc3cd069c65057cc3b0baac3634064e53179bde9af2531a5af2770a1d7ccbdc263f18299ad2ec0d224b718002633a546af74c7cac72ccdf253ab4370137bf829f02818063b2f5c15cc43716296fa9d167fa75b37eeb18e0dd24dac365f4abca6a55ca031ec5e6624b1e337afbf9890273282253267206458df9c8b5768b0bd8ebcc142e9c95d069f607d5ecf7789d9f473f85a841a8dd8df5dc518052715f01f14841ae22725271fa3abd5082de135fddca7277f660d05047f5ae73048bfb7ccf6deb7102818028b2b4ade48ebc70d0dc03521624e1a0992e3b71826ac462dbb40d4add430cc31d3ce7ddaa197b24b48b37748bae381b363006d8660f7edc1b60dff7d2f0a4b9efa0841290694c7088ad69327ef48167e1179e0c908b6278ab260e5e28dd36906f6cdacb39e10f48dbf8762dfd0f4e432c84db2c98285019f0cb7163656351f902818042a7d7d7f9416b3f3b50cf5815dfbc249cd3572e494c76d1ae99dc1e8bc63fbb32e5c18d5c4f90681e9046999cdcf0826f904350b9d67227f606382d9c7b3b1332d22744b2cefa691ab82dbec8e976a406b0902d0f4889392f80d39e2581ac42feed9085964650485e34811b04fa1f34c47cde5cbdd1d20f30111851a3c187ca'
+  1, X'308204a40201000282010100d05d594f8117bc78972a3ec479ebe1400e53cf72410b93e6f74fa17cf1ea444fb23600bae92d81747e49a2e4407c3f6118033d22a3e67ce69a53907ffad646bfbc3b6abe0bdd9a5080a690dbd919a9a8e70d9694e319e93e5d9361eff9033ac53fc6cd6c95af574c62effbb72c03d41c3b696fc7aa4444483bbaabde555aef8bce0e9797108d11ecf462c66b37f7c2e812f6ab3280a8c05b207156f0e3a787e9c4638205e40ce466716bc35d8623bd99f3cda9c3dee5c8ac19852cff18c405049c7eae735dc393f5209c13946e4f51da030ad7bf31caf58a203eccea2fc79e71d46a06c5dba85d65397a0adfd4cb5a9517fd3dcf17af8ab7584293026b19ad51020301000102820101008a86f560a12fd9b2c6b5646395b757db116b7108c1ebe399f3a43275f213d0f4b743a5fa9e1a0dee1823f6b30f984b3ecf0b20330e8aa7515d1adf7fe6915d1a0e17e6a0911cf4823ef5fe6adb8c6f3a86da86d9579f1b6dc622bd4320e79fc411e1a72360e4e1023ce8d60df2aa5cf3a420361ba5bc9b34f6d8e578fc8067aef457ff2a5a91f7c7c8a4f242cc46ab1cff18d6d1a4d8b82b5791df1f18a04b8cb2da235c3a795900fa7ffbbcb4b1d079a504673794eeca5e75c8c16ad2558965453515f57180b8dc518710aa874cd3bcdeddf109d5b553c27a351437f9c1bcdf8940f3ff8632dd59f6c8e01107b4bbf49c6c5409b6e9ecb29eada333800fa5d102818100f5537045d067df4d786df67e1cfea01ce3ca6de3f06be48efd8b4dc48c1ec19a711003875ee202343c851c8f970d2160a2e4d1108da6437af6bccfae803f61fc450582a89aa0906cba65fc7033aa584c1a2a17e96b2f368951aedaa5261f6e1c14999cfa7f4c4091890eff281cb4e6f37209f4b6d5778607caeca0a15137746d02818100d96e379ba5b4ed604d84a7ed71678a1f23391b749a697289bd3bee5d17985af89264f5ec35d3e37b1e44d6fdafec8a78ae199e0bb680f59f9800bb894ba5b31ee964f3ddc142f361835cf49a1edb75330f44f33c26c56e0752ae3fe0df760838b6437b99a131cb544d64da996baf3bc3f5709cc75f134b048cdebbf8bed1a5f502818017e2d8e2a34909cff432d8b62cc289fa661f7695a3fa0d55f2cfd67195a704f8b19b7a8c7aab8cc563431ea5c87249d6abe595898411352ecac9557b4b1760c5fc3e6e1b567addb5086d17a8210fabeb34fcf6390eeb98e6c3e23f7da6f99671fb7b7d725264ad40be548c796e5a1ac6874afaddb6691dceb26e59b17b43e7fd02818100ac90cb559f089fb56510b9eebba8bf78c30dd9fa8b6ad15afc738a551c1af1688357d9cea5520c2374fc91dd3a38f4159fa7f945b68d576458d18c0605a1f72dbb734211680768fea5b1aaf87f31122d7a1af12976640f55848b836b482f778afb2d47f5c077b2b6afce31a8be4c8f949141d54c6eeaf309237ccb973a6b4dd902818025ec4178c7f7c017c46a93fbdb72e2e3b199ae33c9fa6834f81b75b481cd6756124c744c821b126b07ea9852dc58de40cc87f160209d8af3b4bac4862778d3e21cbfdfcdbbfaad8911500f43a43041b88eefb27c66adfffeb9c8add95d1a4ed05f0bd81a4eda79fd4a0885a4a3bad0dcddecf83401c19df721d6cc7163c4125e'
 );
 
 INSERT INTO private_key_identity (
diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/strongswan.conf
index 29e2395e8..f66e8ba8a 100644
--- a/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown sqlite sql
 }
diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/ipsec.d/data.sql b/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/ipsec.d/data.sql
index 5233806c7..425c180a1 100644
--- a/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/ipsec.d/data.sql
@@ -9,7 +9,7 @@ INSERT INTO identities (
 INSERT INTO identities (
   type, data
 ) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
-  202, X'ae096b87b44886d3b820978623dabd0eae22ebbc'
+  11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def'
  );
 
 INSERT INTO identities (
@@ -21,7 +21,7 @@ INSERT INTO identities (
 INSERT INTO identities (
   type, data
 ) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=dave@strongswan.org' */
-  202, X'f651b7ea33148cc5a76a622f1c1eb16c6bbdea25'
+  11, X'ee7f38daeea1b81a41777f78f2674be8439d8e0e'
  );
 
 INSERT INTO identities (
@@ -41,7 +41,7 @@ INSERT INTO certificates (
 INSERT INTO certificates (
    type, keytype, data
 ) VALUES ( /* C=CH, O=Linux strongSwan, CN=dave@strongswan.org */
-  1, 1, X'308204223082030aa003020102020108300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131323635315a170d3039303930393131323635315a305b310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e31133011060355040b130a4163636f756e74696e67311c301a0603550403141364617665407374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100c66c299463a8a78abef5ffa45679b7a070b5139834b146aa5138d0f1d8845412e112e4429ceeab23473e395e8aa38b2c024118d85b7ddf504118eabedf9c793bd02c949d6799cabeefe03ff62e304ddec98313afd966bcf13f1fb1a619548a060e17fbede205225b574e679adc9f11bdf9e36b48bea058d360d62b8445f9524db98757a4d59865363c675d28667a5dfa967dd03eea23a2dbea32ab0e9a1f8bb885f5e12723113843a12dd00552fcd4f548b31174aab2610e4a8752f6fca95494584db65cc7bd1ef50ee0d8c8211efb5063a995801cc0c1a903042b7ff7c94094a0de5d7390a8f72a01949cd958c6f2012692bd5dba6f30b09c3c0b69622864450203010001a38201053082010130090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e04160414de90b5d11c6c643c7450d36af8886ca31938fb72306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100301e0603551d1104173015811364617665407374726f6e677377616e2e6f726730390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f7374726f6e677377616e2e63726c300d06092a864886f70d0101040500038201010027a2d727384d2d2432f2f15875fa7693db3af1c7d5317cc21e1658f0843a918875d22c301b08e9c05a8aa3f02f6b8ae6705bb508988210f494fd19d92db786db21c1b6e6b18c0b7baa3fbd427da033fd2c08659daf9bc26dd99cf348c1ec139a9b8c32110199eaea08913f6b3a3d5b0c3d2a6f1f7e2c45b13452858949db416493f96dbf93e2173d81f99bc937b0c0c9e3874f4a90626a571295502ff5cf553dcdbdd7d4673dcbecc8ebbfc3e3ac0ce8a75120d6aa3dd2b6e9a61114cfbf0cba137c5934eddb32cfb96dd02fbf8adc903afa5f8d5959fce7a94fdd9e5a7a3816e35126e50fe7f818887bd2b2365b6b3a86d36a86849e9582d193e6a20b513988'
+  1, 1, X'308204223082030aa00302010202011c300d06092a864886f70d01010b05003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3039303832373130333733395a170d3134303832363130333733395a305b310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e31133011060355040b130a4163636f756e74696e67311c301a0603550403141364617665407374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100c007f2536f0558e68345d3ef017a175b73434e797f9b97448e720a5985aea76cc0503b8d63b4e239af95db83db0af65f8360e9d941912c121215643a0af32188fc520413e81645ff8e2e623c9362be1b57649530bf54fdad6563106105ace949d7de2895a4771c237090aaa2567bd7d9b08b2ad09f63f61bba87d7462046e89fa4570cb3c8e4322220a737af48c31cd0ec2140f3723b94742c4a14232e1d409f6b53c18aaa63e693fa5d3d06808e948db8273563d33dbd9ac44ecfd71e60426570885898b3e5538767eaf4ef713719e7fd89b32e4e3f60d972ef1617437d4dba14af4691fb8ec275a78552bae9d8aaf71c3d42aca793ef0ad09e1af353daab750203010001a38201053082010130090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e04160414ee7f38daeea1b81a41777f78f2674be8439d8e0e306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100301e0603551d1104173015811364617665407374726f6e677377616e2e6f726730390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f7374726f6e677377616e2e63726c300d06092a864886f70d01010b050003820101003201bc6ba4cb53011c378ef070b9aa5a1d79d3a69cfe4e45b27d7569813c2d3e57f7adb84f9380e3853db28323132356b3a2a3eba1fd9a05b0eb0e57424903ec64072ecce76bb8a28ca36090c202ee0455cbf89517d21888a454b56591c0d9a0cac94c383b20033af0d4f2bd7f5a2c116fdd537583fd9c4bbda8fdf4934be4520f0309b0a63c8d7f3156b157387d2d1005c8e1eb9ca4825c6ee84ad995166d987f7a44e074b55ba0eda269b23eceda503e5701a41daf70d8288fd36b3a14eade60d9a12a8a0bbea63d8caa4e62749931e55085bd45358650a1c97e8d34d8c936757abb9622b9ab5c758421a424c1b319c1a0cfb0d01bcd38297ed4f760132d4a'
 );
 
 INSERT INTO certificate_identity (
@@ -73,7 +73,7 @@ INSERT INTO certificate_identity (
 INSERT INTO private_keys (
    type, data
 ) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=dave@strongswan.org' */
-  1, X'308204a40201000282010100c66c299463a8a78abef5ffa45679b7a070b5139834b146aa5138d0f1d8845412e112e4429ceeab23473e395e8aa38b2c024118d85b7ddf504118eabedf9c793bd02c949d6799cabeefe03ff62e304ddec98313afd966bcf13f1fb1a619548a060e17fbede205225b574e679adc9f11bdf9e36b48bea058d360d62b8445f9524db98757a4d59865363c675d28667a5dfa967dd03eea23a2dbea32ab0e9a1f8bb885f5e12723113843a12dd00552fcd4f548b31174aab2610e4a8752f6fca95494584db65cc7bd1ef50ee0d8c8211efb5063a995801cc0c1a903042b7ff7c94094a0de5d7390a8f72a01949cd958c6f2012692bd5dba6f30b09c3c0b696228644502030100010282010100903fb9caa2d8cd5454974a0e12bfd1fad5750e95ac58e462954194c4fcfed690130844e1186d7a04df9a20e2d62f26d20ba17f8a6a990b6bb0a788a0d2b7527b654fc38adaf2372eaffc7b036178c4639e63a84042f02993c8ac25ddf6b43ad34413b396b0a5c2e05c8c274db1ee025bf5fa9ad7fb9d5e75ed044606974835c7fbc39ae84b80acaae9e9624e6fe8ac0ca318ad8a7d1c6ed3a79261464e6ebdb9c02ef20cb1c206c58718d542ed9cb1428c5c3cebbd58dc25598bbdd9924c75fdfeac881949e5f10a7dd4dc25800bdb4bd479ca0bfb706f25847361b2d2565a412813273691b4a3a5a814dce52cdbe25d626e6c9e000ecd6a75cac275187e265102818100e596d3ee25cd98563b12bf718c0ce7e7a823ae8c84f1021552b6b0bf220b7e012861510ab49d612fe7ba05a202edf4927201af0f33f4137481811f884fc46723f94db8ed69b283376f3141ad7e6f0f52afee60e537111c5bd94642564981a822e54edb6797521fb5870c772993ff517ea9c24adcd9dc502f1364d26a3f05ec4f02818100dd3f81e8a4f463488db2b048f2ef208c1c98ee136636b6449cbd3424c93ab25916908823a1ef3a23b4798c77f92a3e29b9469f8014c6b862e23ab5fe6000f9552de01f72c0a1fcc731b0867a3bf1d27596fc9da6ecd74931ce120b1687d2a67b4e4fb32b7fb750b46645aa38ab011a4d5fedd53d20e5ae3a4a5551b6cc5f5d2b02818100ba744b9954ca2bb59c341596398f21a7593de13bed9b6d7db3b6fac3befa6652ba608e588b6664cf6afa00291b07f5601986948d5c3c14b0c19c03e7c82051433dec890b06941b4ca1d8f6e5d7908a7934b7fba92b9791d86614513b9266e20db4fcdde2bb59ceb6b5fec1a7dab1b7958e786424082a8c542f03ea7eaec038b1028180055e2312b7ddce02d69d3d35a7df3154f4e4a8f2038ad44539e0454197383b5779faabb2e19ce236378cb361bdc3ce9a488a74183168d8d45d54bb519e96a775ef94fe6e544a19cde360bb02802dcfc356946e66bc5c44c456918d7f507045e5bbf2a710291b13742cff07b03445e49377fe572c127e4009ddffcfe9b56fa2dd02818040d41f525d885c951dca35924f46e4e7f4e43f4ea2e670230deb674884f5b8599a368b1647dd87523c4fdb62661f6543edecc9ce48d4a7b8b2a29de21fd438a9cf4823b92c85180b390c4f8dfbc196628d349fed1edd32cba5c063e2739d2153d3677d4815e55b8b4e9d0989b32cf0060de2ded4cd59edf6a4364cb55aff9276'
+  1, X'308204a50201000282010100c007f2536f0558e68345d3ef017a175b73434e797f9b97448e720a5985aea76cc0503b8d63b4e239af95db83db0af65f8360e9d941912c121215643a0af32188fc520413e81645ff8e2e623c9362be1b57649530bf54fdad6563106105ace949d7de2895a4771c237090aaa2567bd7d9b08b2ad09f63f61bba87d7462046e89fa4570cb3c8e4322220a737af48c31cd0ec2140f3723b94742c4a14232e1d409f6b53c18aaa63e693fa5d3d06808e948db8273563d33dbd9ac44ecfd71e60426570885898b3e5538767eaf4ef713719e7fd89b32e4e3f60d972ef1617437d4dba14af4691fb8ec275a78552bae9d8aaf71c3d42aca793ef0ad09e1af353daab750203010001028201010081e2de1d60f294f715c39d5e03f9b8e2ba4bc44099f77b917b67d76845eba48302714256982239021ba99918ce87d3ad3707ce248d1ccc5a4cb0fb61e7161c90b35a2637f0bb600d42f64cabfc64c58168d337b609344b81851a4471db8ce11e794c62d714af1bf13caa1d40408ef3a8e2a8bf04ed4a87a4a9be47f5becf3777d7254cf6ab0ff4f3e109235334796b030a1e03951a0ae64e224b3226a8e99174825eaa877efbc5cde0cd075687a9086f645654bda547f8927433f8eecd9ecfcb9b30ed6ff66bb4e5b7341f9626095798e279338e554045d0ae3ee94a1f10644ad88f10e7e7199923d45d5f8df2283859c3f4c41262426e654a04e895a21bb40102818100ea2e632ed6d314655c64eb6a18d4f492fea379ca091426bd7f381f1cbd7f1f79b73d694b9538ec693b245992f6a2a1b292279db9698eac40e43df3aa83b682ca5ab60ed07d02692e16c65cba91ee9aa9f768db2be9a1e0a213a93651a6886dcd35aa3f116ea73287a39a830cc2779bc02b9c8566c4cf8cd25ce99fa030ab965502818100d1ec351dafa33fff13a64c4a980a6f697735e705c1dc2a410b738210f4c059cd058579e4324d46e5bb0c1e6df4476d1a00206f66cf1be23645db193c69cbd04539f87e2b3f4617046031a1575a16a8e71b998844df2601d9d67958421f75c19943f53857b56a08583320b48a85def15b75c9ac5e4a232363824ab666b60ca0a102818100879dbf8083960fccb75a165f05ec658aaefe7aec3e9fb5e3adc611767263291632c0d4b699bf3261aa875d7c576a4d5bfd7a05c4375611792ef495a4dccc182819aa2f201c15065653882271454bb9b3ce7ca1d8675f80983bec95716990be8dc593471cd048f1614da4905a1650701934e85af4edeb083156ef50aad324bb5502818100814232ca9eb5a4d8499f2266e40bb8e275f708d3b0b502879ea777353d9f9b2bf4f46543affd896437b294a21bc24759b52e43aa4868e0f78e3804e80034f17f4edcc5c397686f0fd0b37ea72cdfbb0ce31fbc9abbd4c95afb0728e33e3fe1ff9faac510acb2278537a631c501fd6f1c6400d45412ce642207be3d662d3ec54102818055a928e09d9801f683ebb625e6ed97396ac1cd55b358d7aa06c8801759c2a51d517de1f88c537f532fea6cf563766d7818dc1de70b48d31c0102cad3562b7bf03a310b631428c22eabdc5555a90a5fc5310660a795d916ba1b57c09587f697d09dc092ac469e71f0e42fc6153c35ffe177898ea1e92aa6f28d3b86bfe30ad58c'
 );
 
 INSERT INTO private_key_identity (
diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/strongswan.conf
index 29e2395e8..f66e8ba8a 100644
--- a/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown sqlite sql
 }
diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/ipsec.d/data.sql
index 83c2353f6..8f5a5ece8 100644
--- a/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/ipsec.d/data.sql
@@ -9,7 +9,7 @@ INSERT INTO identities (
 INSERT INTO identities (
   type, data
 ) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
-  202, X'ae096b87b44886d3b820978623dabd0eae22ebbc'
+  11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def'
  );
 
 INSERT INTO identities (
@@ -21,7 +21,7 @@ INSERT INTO identities (
 INSERT INTO identities (
   type, data
 ) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */
-  202, X'd70dbd46d5133519064f12f100525ead0802ca95'
+  11, X'6a9c74d1f8897989f65a94e989f1fac3649d292e'
  );
 
 INSERT INTO identities (
@@ -59,7 +59,7 @@ INSERT INTO certificates (
 INSERT INTO certificates (
    type, keytype, data
 ) VALUES ( /* C=CH, O=Linux strongSwan, CN=moon.strongswan.org */
-  1, 1, X'3082040d308202f5a003020102020103300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131313732355a170d3039303930393131313732355a3046310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311c301a060355040313136d6f6f6e2e7374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100afae2e109ac0a71b437b6f1a9e5194d085c999fe2c8de11b261f016c88e734eb1a6767b15bc7d8338bf3acc14e8a18bf857fd3dfbce637e9b0d3654f15d9068bdf4450517cf72651be8d4c8ff738ea961b2f5584bf7089afaa0a37b94910d18083bf649a7d395a41f04e68f14494d10ffc7d984a2c81e97f3421c1ec38c629b2456a3d8f3bf3915e86317ea71bb24422bef475e677e8967670b4f6ee2a80a45adcbd086a6537ab5fc12bf69f9072b620020de1880cec6cdea47543d1fec4c5ff547ac2447a1e210d9c128dc3337726eb63d5c1c731aa2c63ce175dbc8ebfb9c1e5198815be473781c3f82c2b59d23deb9739dda53c98d31a3fba57760aeaa89b0203010001a38201053082010130090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e04160414e5e410876c2ac4bead854942a6de7658303a9fc1306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100301e0603551d110417301582136d6f6f6e2e7374726f6e677377616e2e6f726730390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f7374726f6e677377616e2e63726c300d06092a864886f70d010104050003820101002f2f2921667aa576bb0c71b601dfa5b358a93e84e8a1af9754ddfbfc67879cb6c6b7833c5749e7c30b11a87b3549e105dda5d371c459f7d40fabd60c4ac8623924be84c96cfa638eb6ce9f6513b9d61080b895d270c405eacc310c709a613b6f61029c94f535ac5836b890be402ad2c52f01f7fd4bff8c0cc0cbea9720ef21c0bb41fb0726852a3c38563d917fdcca186dede6fbc83febd9edf0541382464ee378f7b8c9684df0d2402b07eb11dd4a886ab5e7299d99ea2686994746c2d9c00d95b02b2950d67f7978c6db5b379c4a3170239c414cf743bab866005366809690073a150e73c6866b9b335616acdbd3a8e651596dedb686b5d8d3eeb12df9d729'
+  1, 1, X'308204223082030aa003020102020117300d06092a864886f70d01010b05003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3039303832373130303333325a170d3134303832363130303333325a3046310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311c301a060355040313136d6f6f6e2e7374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100ca2f633dd4bbba0586215b15a0312f73f533124f0b339b9ae13bb648b02b4c468e0f01e630fbef92197b7708f5dbffea7e496286966d75acf13bd5e4377a1821d82de102eadf9963b489041a0b0f9f76b79e2150aa39020e3fa52a677dbb879c986291e4f1542fe2f0494e9c5c954d4faa75a17aa7b56652f1b16efbdcb46697f7d0b7f520bc990205365938d2cd31f2beed30e761a56c02d9dc82f0cdefc9d43447b6a98f7628aed2ac127a4a9504838f66e7517e5e0b0672c8165474bce689f73a6fc6e3c72b2c45498ddbbc0b17b04915606fe94f256cc777c42c534560ffbbe5aacdd944cc8db4d2abaf8a294af55b03a6a01a54d78430ab78389753c2870203010001a382011a3082011630090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e041604146a9c74d1f8897989f65a94e989f1fac3649d292e306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100301e0603551d110417301582136d6f6f6e2e7374726f6e677377616e2e6f726730130603551d25040c300a06082b0601050507030130390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f7374726f6e677377616e2e63726c300d06092a864886f70d01010b050003820101009cb57836c5e328cda4d58e204bd4ff0c63db841f926d53411c790d516c8e7fdaf191767102343f68003639bda99a684d8c76ad9087fbe55e730ba378a2e442e3b1095875361939c30e75c5145d8bdb6c55f5730a64061c819751f6e4aa6d1dc810fc79dc78aa7790ebaac183988e0c1e3d7ba5729597c7413642d40215041914fc8459e349c47d28825839dd03d77c763d236fc6ba48f95746f3a7b304d06b3c29d9d87666db0eacd080fb2d6bdebf9be1e8265b2b545fb81aa8a18fa056301436c9b8cf599746de81fddb9704f2feb4472f7c0f467fb7281b014167879a0ebda7fae36a5a5607376a803bec8f14f94663102c484a8887ba5b58ed04ee7cec0f'
 );
 
 INSERT INTO certificate_identity (
@@ -91,7 +91,7 @@ INSERT INTO certificate_identity (
 INSERT INTO private_keys (
    type, data
 ) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */
-  1, X'308204a30201000282010100afae2e109ac0a71b437b6f1a9e5194d085c999fe2c8de11b261f016c88e734eb1a6767b15bc7d8338bf3acc14e8a18bf857fd3dfbce637e9b0d3654f15d9068bdf4450517cf72651be8d4c8ff738ea961b2f5584bf7089afaa0a37b94910d18083bf649a7d395a41f04e68f14494d10ffc7d984a2c81e97f3421c1ec38c629b2456a3d8f3bf3915e86317ea71bb24422bef475e677e8967670b4f6ee2a80a45adcbd086a6537ab5fc12bf69f9072b620020de1880cec6cdea47543d1fec4c5ff547ac2447a1e210d9c128dc3337726eb63d5c1c731aa2c63ce175dbc8ebfb9c1e5198815be473781c3f82c2b59d23deb9739dda53c98d31a3fba57760aeaa89b0203010001028201004080550d67a42036945a377ab072078f5fef9b0885573a34fb941ab3bcb816e7d2f3f050600049d2f3296e5e32f5e50c3c79a852d74a377127a915e329845b30f3b26342e7fcde26d92d8bd4b7d23fdf08f02217f129e2838a8ce1d4b78ce33eaa2095515b74b93cc87c216fa3dc77bdc4d86017ababaf0d3318c9d86f27e29aa3301f6d7990f6f7f71db9de23ac66800ba0db4f42bbe82932ca56e08ba730c63febaf2779198cee387ee0934b32a2610ab990a4b908951bb1db2345cf1905f11aeaa6d1b368b7f82b1345ad14544e11d47d6981fc4be083326050cb950363dad1b28dbc16db42ec0fa973312c7306063bc9f308a6b0bcc965e5cb7e0b323ca102818100e71fffd9c9a528bdcb6e9ad1a5f4b354e3ea337392784aac790b4fba7f46b3b58d55965573f6493b686375cf6a0c68da9379434b055b625f01d64a9f1934cb075b25db5ef568325039674d577590b5ec54284842e04c27c97103a151805c9b620a3df84181e3a0c10752a7da6cac9629471a2bc85b32c3a160f3a8adf2d783d302818100c2968f5baf0d246bb9671b1dcfadab3a23cd6f9f1cba8c4b0d9b09d6c30a24eec174f22a4d9d2818d760b79a61c9cdd1381487723a99773a629b58171a6e28706bf083700f35037a0cb0649c9359987ccf77b44b4b3d94c614c74537c7025b503dc9967095411ecaec4b4427bc39dd5dfccbb8bab5d92e9465ab11e5e05d7319028181008b306e388e837461b89dc786f256c7991c18f31b6ade1eba77bb242cc071a7d0726954bbe9b62cac26559fa165d04b6536e3146f9dae4733c83b717d1705003051e81e90b56226cac18740c0a7009b4ed3efde74c7f7950e6f8d2c1d951c30477ebb8b428822b9b105e3f54a49a0365e6d7f895683f5b273019c3bbd663dfc190281807f5def6e12b1a682407405a2c8ba2356c5f2853a7fa2778bf4d6e364c87b4e5b5d138023427438b7b1da63b35088b808570dd0ee6afee2b4bbb074c382905235ebe11d176f4cc2fed3696e21b2ad358b947d04ed37cd9220e99ed966be0383e38cddf373b3ae514a7fca704d15fe46306bf4a8f0c570e7f5486ae6273269d89902818031055903f23c7db8da8951aad134c83a7ca951c48c9a7b994f36d9815bc82c80527b6da8e4beff9fee67b1fde5064719a40448bd6d70d9da8910122402835a328e74cfd34e8b568c29fae6ff831ef824fc825e609547a06052a4113ec09f00649bb7b7d195a773f11711c88f152b10a1b4ae58bb6d8bfc176e39f96c7c0de5c8'
+  1, X'308204a30201000282010100ca2f633dd4bbba0586215b15a0312f73f533124f0b339b9ae13bb648b02b4c468e0f01e630fbef92197b7708f5dbffea7e496286966d75acf13bd5e4377a1821d82de102eadf9963b489041a0b0f9f76b79e2150aa39020e3fa52a677dbb879c986291e4f1542fe2f0494e9c5c954d4faa75a17aa7b56652f1b16efbdcb46697f7d0b7f520bc990205365938d2cd31f2beed30e761a56c02d9dc82f0cdefc9d43447b6a98f7628aed2ac127a4a9504838f66e7517e5e0b0672c8165474bce689f73a6fc6e3c72b2c45498ddbbc0b17b04915606fe94f256cc777c42c534560ffbbe5aacdd944cc8db4d2abaf8a294af55b03a6a01a54d78430ab78389753c287020301000102820100204507f5ea6a3bfa7db9fd2baa71af3d36b97c0699a71702d5480e83f37a35a65d2e10038975ec7ac90e67a54a785e9432abcbc9e7607913ad3cfb9a7d304381c35b2f3aa3fa242541bf4ca44b77a6dfefd69142aaa886a777890907938dc6cb3b971fea068a854a1747dc0020d6c38c1f8cbec530d747099e01cfd0eb1ceff2b077bd07aaef4989b75594614b16a778891a2e490369d2a9571ddf5cd165331638a8a3c96184a8259eb588caab3bbfab9c0f77b66c830ecf0f294dc1b67a5f36b75e3e095e247864f19ab212fdbf34e0925316ca13c342b4ba464ecf93d2a8e39eee24dd63dddd938101a9f4b8f0de90765e1c1fda5c62e161cc712794aeaea102818100f85d60a6990447926da1ab9db7f094a5d435b11f70c5fef9541a89e05898001190cfdc651b8a23ccbfe8e7bdacd225776f01699d06be5ae5abc4690fe99b81fd9f369e973437fbcba2efdbe1dc6f8389fb2be78e3847f4f05323b2c7b6b6a4c85ca0aa72642747434f4358f0baf10ab173f9c3f24e9674570179dde23c6c248d02818100d06693eb5c92b6d516f630b79b1b98ea3910cbc4c442a4779ce16f5b09825c858ea4dfcc4d33eeb3e4de971a7fa5d2a153e9a83e65f7527ca77b93efc257960eadd8ce5b57e590d9189e542652ae3677c623343a39c1d16dbef3069406eaa4913eeba06e0a3af3c8539dbd4be7d9caf3ccd654ae397ae7faa72ba823e4b0206302818100ef2bc4f249f28415ef7b3bafd33d5b7861e61e9e7f543c18d0340a4840288810625ab90ba8bc9b8305dffca27c75965cf049f4f1a157d862c9c987bf2a2075cacdf2a44049aa0bd16b23fea3ff4a67ea8d351774aea024b0f5ef2fb00134db749336a94d254369edd8bbab3f8f56a60c82f9a807844480de746e6e0cfa50cdd50281807b32d8e93fadc00612eff176e96c14270b1b41cb0dd6f3d17e5dcaedbf9e6041d844e1c4ae33303f0ae307e2f3693d2e8023d68124d863dc2b4aa3f70e25a7210066f5ff0be43b900bbcb5b47e165d3ecb544e70c96a29fbbdf17f870cdbb3f3e585782ef53f4a94b7d1bd715d1be49de20f26ba6462a3370b928470cba5cf4f028180324ffacf705e6746f741d24ff6aa0bb14aad55cba41eb7758e6cc0d51f40feac6b4a459ce374af424287f602b0614520079b436b8e90cde0ddff679304e9efdd74a2ffbfe6e4e1bd1236c360413f2d2656e00b3e3cb217567671bf73a722a222e5e85d109fe2c77caf5951f5b9f4171c744afa717fe7e9306488e6ab87341298'
 );
 
 INSERT INTO private_key_identity (
diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/strongswan.conf
index a747a6cb1..e377047a4 100644
--- a/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/strongswan.conf
@@ -6,7 +6,15 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown sqlite sql attr-sql
+}
+
+libstrongswan {
+  plugins {
+    attr-sql {
+      database = sqlite:///etc/ipsec.d/ipsec.db
+    }
+  }
 }
 
 pool {
diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/ipsec.d/data.sql
index ca813d44f..9afa1b15d 100644
--- a/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/ipsec.d/data.sql
@@ -9,7 +9,7 @@ INSERT INTO identities (
 INSERT INTO identities (
   type, data
 ) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
-  202, X'ae096b87b44886d3b820978623dabd0eae22ebbc'
+  11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def'
  );
 
 INSERT INTO identities (
@@ -21,7 +21,7 @@ INSERT INTO identities (
 INSERT INTO identities (
   type, data
 ) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=carol@strongswan.org' */
-  202, X'985c23660cd9b9a7554da6a4aa31ea02230fd482'
+  11, X'1fa1a988d9648cb5a0a2546439b4f23d745d6e7c'
  );
 
 INSERT INTO identities (
@@ -41,7 +41,7 @@ INSERT INTO certificates (
 INSERT INTO certificates (
    type, keytype, data
 ) VALUES ( /* C=CH, O=Linux strongSwan, CN=carol@strongswan.org */
-  1, 1, X'308204223082030aa00302010202010a300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3035303130313231343331385a170d3039313233313231343331385a305a310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e3111300f060355040b13085265736561726368311d301b060355040314146361726f6c407374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100b81b84920408e086c8d278d3ad2e9ffc01b89e8c423b612b908010f8174ff96f6729e84b185fb96e60783082c507ace9d64f79beb0252e05e5f1f7a89a0b33e6789f5deb665084cb230191c165bcad1a34563e011b349bb6ab517f01ecf7e2f4de961d36203b85e97811cb26b650cfd014d15dd2d2b71efd656e5638a24bf70986b8128bbae5f3b428d6360e03d3f4e816502e3d1d14d7165ab1a92a9fe15ef045d4e48ff5bd798ec80c9420962c9a9798b54a0ed2a00cf2c9651d7d9882e181c1ef6b1c43edcada2fd191e109962dbd26f38a00208c1ac3ed27a5924c60330c79878eb5c7a90960a6472f979aca9c5aee2bb4d0aed395b546c5e361910a06370203010001a38201063082010230090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e041604145535eca6eba279baef887f18438fd227b16746d1306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100301f0603551d110418301681146361726f6c407374726f6e677377616e2e6f726730390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f7374726f6e677377616e2e63726c300d06092a864886f70d01010405000382010100b1304a7e65d72573468853e8cedd398bf3581cc1e6b4054b9c8d97c3caf0929035dc5e274e7b3fa5fef52e7860bb06aab5ba40c5f1ca55806b4cd873f133ded948b3c89cc81621e2eadee5fc893b48a34e4462a45ab09c41200918f68ea36babfacf4099aa349b8b65841eb1e416b90e4eb462edd786cdb0008565633a701fcd2c416ae8e4754c5bea3181736179aa901e5526c4fac031ce649d851c85ded514c25e3269b0739a879d273950e1a9ea8341b5e1049c07181792ad37da02aeccd555c56469e8e15a9e72860b520dbec05662d37adb08d79575e133f338b0116198fa5fb556fe02682bd634aca535f6750b0daa123f5ad36f2e67caa260587f1aa9'
+  1, 1, X'308204223082030aa00302010202011d300d06092a864886f70d01010b05003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3039303832373130343435315a170d3134303832363130343435315a305a310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e3111300f060355040b13085265736561726368311d301b060355040314146361726f6c407374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100d05d594f8117bc78972a3ec479ebe1400e53cf72410b93e6f74fa17cf1ea444fb23600bae92d81747e49a2e4407c3f6118033d22a3e67ce69a53907ffad646bfbc3b6abe0bdd9a5080a690dbd919a9a8e70d9694e319e93e5d9361eff9033ac53fc6cd6c95af574c62effbb72c03d41c3b696fc7aa4444483bbaabde555aef8bce0e9797108d11ecf462c66b37f7c2e812f6ab3280a8c05b207156f0e3a787e9c4638205e40ce466716bc35d8623bd99f3cda9c3dee5c8ac19852cff18c405049c7eae735dc393f5209c13946e4f51da030ad7bf31caf58a203eccea2fc79e71d46a06c5dba85d65397a0adfd4cb5a9517fd3dcf17af8ab7584293026b19ad510203010001a38201063082010230090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e041604141fa1a988d9648cb5a0a2546439b4f23d745d6e7c306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100301f0603551d110418301681146361726f6c407374726f6e677377616e2e6f726730390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f7374726f6e677377616e2e63726c300d06092a864886f70d01010b05000382010100bca6a5f72ab4b329eba519dcf2740578846c180775a2074da82769e1e4c241bbb2742a7e08564bcb507492661491c71e79b5065f758aad5d54bb66ec86fbaad5eec6f9f794884707e42c07636efbf4c99225e31c7c8f9d0adf2311fbd6975b535218f1246fc06305432b1769231933aaa26a3c388cf2237ebdcfd909aed1219d2dfb9c771da5ec190b5c077167c9eb077dc319b3d9d5579a05502f60635ddfc17292c56880b887b8cc5d0e455118e753b2bdc526b84fc3e947a16b42139c218057029f781a233c26a98a641194a5e3feddccb88b70d5d7c2b2afae10e17665ce164294d138dec80caa25fcf1d737ce7a43cd3ed3e758fe77ef6445fe59d06391'
 );
 
 INSERT INTO certificate_identity (
@@ -73,7 +73,7 @@ INSERT INTO certificate_identity (
 INSERT INTO private_keys (
    type, data
 ) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=carol@strongswan.org' */
-  1, X'308204a30201000282010100b81b84920408e086c8d278d3ad2e9ffc01b89e8c423b612b908010f8174ff96f6729e84b185fb96e60783082c507ace9d64f79beb0252e05e5f1f7a89a0b33e6789f5deb665084cb230191c165bcad1a34563e011b349bb6ab517f01ecf7e2f4de961d36203b85e97811cb26b650cfd014d15dd2d2b71efd656e5638a24bf70986b8128bbae5f3b428d6360e03d3f4e816502e3d1d14d7165ab1a92a9fe15ef045d4e48ff5bd798ec80c9420962c9a9798b54a0ed2a00cf2c9651d7d9882e181c1ef6b1c43edcada2fd191e109962dbd26f38a00208c1ac3ed27a5924c60330c79878eb5c7a90960a6472f979aca9c5aee2bb4d0aed395b546c5e361910a063702030100010282010100a7870abc1f85c061858dd7baae24f61947abaa41f0e6bd85f9c83f28b175e980d0bc168f76cf6c199f18def3afbc4b40c0edb2d7accb3834cfc7bd57234d3c5de4b707ac737ea3478144255079761581f9cbdc41ff72809ad90ba069ad2ae7cf7057e29ee4f7a4e40c890c75de826c8768da16e9072af0bd1db6282902ade34cb1b9c3fdd00a8f0330328e18d477009ac5a43952fe05b7257b8b4e7f8f5288e858ef56ea3a031980d38b879e6327d949a8f3c19bf379c1297b3defc0a374a6ea6f1c0e8124247c33392ae446081f486f58bb41cbcba25915d37eefe0828408f7f679841588424ef59b6dee30805b926fa80e7ff57cb4817167ca72bf51c8cf9102818100da567b0cbbc426e4455ffdd1b8013644d9f47785b05b163a0155c81d57c0cd84fe73aa75125caf116de50b7adc369707ed91127db7d4422bb08cff5ddf91f4a0e5fb264e098fe6fe62f8a2ab933eeac41893f365d8165f79143855b5a5b7dc31c9b34a9d453ee7c8d7b24f89e3ed51bfeadc2e1102308a967b241dfb44c8ad6902818100d7dd78437c533a15fd1dd6b0634334e79c31d215017f5a8869e42cbada3fb09167585e087e72f91575441f7cca9a64246df57f0e45f1ae86a289a4307586aa1cc3cd069c65057cc3b0baac3634064e53179bde9af2531a5af2770a1d7ccbdc263f18299ad2ec0d224b718002633a546af74c7cac72ccdf253ab4370137bf829f02818063b2f5c15cc43716296fa9d167fa75b37eeb18e0dd24dac365f4abca6a55ca031ec5e6624b1e337afbf9890273282253267206458df9c8b5768b0bd8ebcc142e9c95d069f607d5ecf7789d9f473f85a841a8dd8df5dc518052715f01f14841ae22725271fa3abd5082de135fddca7277f660d05047f5ae73048bfb7ccf6deb7102818028b2b4ade48ebc70d0dc03521624e1a0992e3b71826ac462dbb40d4add430cc31d3ce7ddaa197b24b48b37748bae381b363006d8660f7edc1b60dff7d2f0a4b9efa0841290694c7088ad69327ef48167e1179e0c908b6278ab260e5e28dd36906f6cdacb39e10f48dbf8762dfd0f4e432c84db2c98285019f0cb7163656351f902818042a7d7d7f9416b3f3b50cf5815dfbc249cd3572e494c76d1ae99dc1e8bc63fbb32e5c18d5c4f90681e9046999cdcf0826f904350b9d67227f606382d9c7b3b1332d22744b2cefa691ab82dbec8e976a406b0902d0f4889392f80d39e2581ac42feed9085964650485e34811b04fa1f34c47cde5cbdd1d20f30111851a3c187ca'
+  1, X'308204a40201000282010100d05d594f8117bc78972a3ec479ebe1400e53cf72410b93e6f74fa17cf1ea444fb23600bae92d81747e49a2e4407c3f6118033d22a3e67ce69a53907ffad646bfbc3b6abe0bdd9a5080a690dbd919a9a8e70d9694e319e93e5d9361eff9033ac53fc6cd6c95af574c62effbb72c03d41c3b696fc7aa4444483bbaabde555aef8bce0e9797108d11ecf462c66b37f7c2e812f6ab3280a8c05b207156f0e3a787e9c4638205e40ce466716bc35d8623bd99f3cda9c3dee5c8ac19852cff18c405049c7eae735dc393f5209c13946e4f51da030ad7bf31caf58a203eccea2fc79e71d46a06c5dba85d65397a0adfd4cb5a9517fd3dcf17af8ab7584293026b19ad51020301000102820101008a86f560a12fd9b2c6b5646395b757db116b7108c1ebe399f3a43275f213d0f4b743a5fa9e1a0dee1823f6b30f984b3ecf0b20330e8aa7515d1adf7fe6915d1a0e17e6a0911cf4823ef5fe6adb8c6f3a86da86d9579f1b6dc622bd4320e79fc411e1a72360e4e1023ce8d60df2aa5cf3a420361ba5bc9b34f6d8e578fc8067aef457ff2a5a91f7c7c8a4f242cc46ab1cff18d6d1a4d8b82b5791df1f18a04b8cb2da235c3a795900fa7ffbbcb4b1d079a504673794eeca5e75c8c16ad2558965453515f57180b8dc518710aa874cd3bcdeddf109d5b553c27a351437f9c1bcdf8940f3ff8632dd59f6c8e01107b4bbf49c6c5409b6e9ecb29eada333800fa5d102818100f5537045d067df4d786df67e1cfea01ce3ca6de3f06be48efd8b4dc48c1ec19a711003875ee202343c851c8f970d2160a2e4d1108da6437af6bccfae803f61fc450582a89aa0906cba65fc7033aa584c1a2a17e96b2f368951aedaa5261f6e1c14999cfa7f4c4091890eff281cb4e6f37209f4b6d5778607caeca0a15137746d02818100d96e379ba5b4ed604d84a7ed71678a1f23391b749a697289bd3bee5d17985af89264f5ec35d3e37b1e44d6fdafec8a78ae199e0bb680f59f9800bb894ba5b31ee964f3ddc142f361835cf49a1edb75330f44f33c26c56e0752ae3fe0df760838b6437b99a131cb544d64da996baf3bc3f5709cc75f134b048cdebbf8bed1a5f502818017e2d8e2a34909cff432d8b62cc289fa661f7695a3fa0d55f2cfd67195a704f8b19b7a8c7aab8cc563431ea5c87249d6abe595898411352ecac9557b4b1760c5fc3e6e1b567addb5086d17a8210fabeb34fcf6390eeb98e6c3e23f7da6f99671fb7b7d725264ad40be548c796e5a1ac6874afaddb6691dceb26e59b17b43e7fd02818100ac90cb559f089fb56510b9eebba8bf78c30dd9fa8b6ad15afc738a551c1af1688357d9cea5520c2374fc91dd3a38f4159fa7f945b68d576458d18c0605a1f72dbb734211680768fea5b1aaf87f31122d7a1af12976640f55848b836b482f778afb2d47f5c077b2b6afce31a8be4c8f949141d54c6eeaf309237ccb973a6b4dd902818025ec4178c7f7c017c46a93fbdb72e2e3b199ae33c9fa6834f81b75b481cd6756124c744c821b126b07ea9852dc58de40cc87f160209d8af3b4bac4862778d3e21cbfdfcdbbfaad8911500f43a43041b88eefb27c66adfffeb9c8add95d1a4ed05f0bd81a4eda79fd4a0885a4a3bad0dcddecf83401c19df721d6cc7163c4125e'
 );
 
 INSERT INTO private_key_identity (
diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/strongswan.conf
index 29e2395e8..f66e8ba8a 100644
--- a/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown sqlite sql
 }
diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/ipsec.d/data.sql b/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/ipsec.d/data.sql
index 5233806c7..425c180a1 100644
--- a/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/ipsec.d/data.sql
@@ -9,7 +9,7 @@ INSERT INTO identities (
 INSERT INTO identities (
   type, data
 ) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
-  202, X'ae096b87b44886d3b820978623dabd0eae22ebbc'
+  11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def'
  );
 
 INSERT INTO identities (
@@ -21,7 +21,7 @@ INSERT INTO identities (
 INSERT INTO identities (
   type, data
 ) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=dave@strongswan.org' */
-  202, X'f651b7ea33148cc5a76a622f1c1eb16c6bbdea25'
+  11, X'ee7f38daeea1b81a41777f78f2674be8439d8e0e'
  );
 
 INSERT INTO identities (
@@ -41,7 +41,7 @@ INSERT INTO certificates (
 INSERT INTO certificates (
    type, keytype, data
 ) VALUES ( /* C=CH, O=Linux strongSwan, CN=dave@strongswan.org */
-  1, 1, X'308204223082030aa003020102020108300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131323635315a170d3039303930393131323635315a305b310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e31133011060355040b130a4163636f756e74696e67311c301a0603550403141364617665407374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100c66c299463a8a78abef5ffa45679b7a070b5139834b146aa5138d0f1d8845412e112e4429ceeab23473e395e8aa38b2c024118d85b7ddf504118eabedf9c793bd02c949d6799cabeefe03ff62e304ddec98313afd966bcf13f1fb1a619548a060e17fbede205225b574e679adc9f11bdf9e36b48bea058d360d62b8445f9524db98757a4d59865363c675d28667a5dfa967dd03eea23a2dbea32ab0e9a1f8bb885f5e12723113843a12dd00552fcd4f548b31174aab2610e4a8752f6fca95494584db65cc7bd1ef50ee0d8c8211efb5063a995801cc0c1a903042b7ff7c94094a0de5d7390a8f72a01949cd958c6f2012692bd5dba6f30b09c3c0b69622864450203010001a38201053082010130090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e04160414de90b5d11c6c643c7450d36af8886ca31938fb72306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100301e0603551d1104173015811364617665407374726f6e677377616e2e6f726730390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f7374726f6e677377616e2e63726c300d06092a864886f70d0101040500038201010027a2d727384d2d2432f2f15875fa7693db3af1c7d5317cc21e1658f0843a918875d22c301b08e9c05a8aa3f02f6b8ae6705bb508988210f494fd19d92db786db21c1b6e6b18c0b7baa3fbd427da033fd2c08659daf9bc26dd99cf348c1ec139a9b8c32110199eaea08913f6b3a3d5b0c3d2a6f1f7e2c45b13452858949db416493f96dbf93e2173d81f99bc937b0c0c9e3874f4a90626a571295502ff5cf553dcdbdd7d4673dcbecc8ebbfc3e3ac0ce8a75120d6aa3dd2b6e9a61114cfbf0cba137c5934eddb32cfb96dd02fbf8adc903afa5f8d5959fce7a94fdd9e5a7a3816e35126e50fe7f818887bd2b2365b6b3a86d36a86849e9582d193e6a20b513988'
+  1, 1, X'308204223082030aa00302010202011c300d06092a864886f70d01010b05003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3039303832373130333733395a170d3134303832363130333733395a305b310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e31133011060355040b130a4163636f756e74696e67311c301a0603550403141364617665407374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100c007f2536f0558e68345d3ef017a175b73434e797f9b97448e720a5985aea76cc0503b8d63b4e239af95db83db0af65f8360e9d941912c121215643a0af32188fc520413e81645ff8e2e623c9362be1b57649530bf54fdad6563106105ace949d7de2895a4771c237090aaa2567bd7d9b08b2ad09f63f61bba87d7462046e89fa4570cb3c8e4322220a737af48c31cd0ec2140f3723b94742c4a14232e1d409f6b53c18aaa63e693fa5d3d06808e948db8273563d33dbd9ac44ecfd71e60426570885898b3e5538767eaf4ef713719e7fd89b32e4e3f60d972ef1617437d4dba14af4691fb8ec275a78552bae9d8aaf71c3d42aca793ef0ad09e1af353daab750203010001a38201053082010130090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e04160414ee7f38daeea1b81a41777f78f2674be8439d8e0e306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100301e0603551d1104173015811364617665407374726f6e677377616e2e6f726730390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f7374726f6e677377616e2e63726c300d06092a864886f70d01010b050003820101003201bc6ba4cb53011c378ef070b9aa5a1d79d3a69cfe4e45b27d7569813c2d3e57f7adb84f9380e3853db28323132356b3a2a3eba1fd9a05b0eb0e57424903ec64072ecce76bb8a28ca36090c202ee0455cbf89517d21888a454b56591c0d9a0cac94c383b20033af0d4f2bd7f5a2c116fdd537583fd9c4bbda8fdf4934be4520f0309b0a63c8d7f3156b157387d2d1005c8e1eb9ca4825c6ee84ad995166d987f7a44e074b55ba0eda269b23eceda503e5701a41daf70d8288fd36b3a14eade60d9a12a8a0bbea63d8caa4e62749931e55085bd45358650a1c97e8d34d8c936757abb9622b9ab5c758421a424c1b319c1a0cfb0d01bcd38297ed4f760132d4a'
 );
 
 INSERT INTO certificate_identity (
@@ -73,7 +73,7 @@ INSERT INTO certificate_identity (
 INSERT INTO private_keys (
    type, data
 ) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=dave@strongswan.org' */
-  1, X'308204a40201000282010100c66c299463a8a78abef5ffa45679b7a070b5139834b146aa5138d0f1d8845412e112e4429ceeab23473e395e8aa38b2c024118d85b7ddf504118eabedf9c793bd02c949d6799cabeefe03ff62e304ddec98313afd966bcf13f1fb1a619548a060e17fbede205225b574e679adc9f11bdf9e36b48bea058d360d62b8445f9524db98757a4d59865363c675d28667a5dfa967dd03eea23a2dbea32ab0e9a1f8bb885f5e12723113843a12dd00552fcd4f548b31174aab2610e4a8752f6fca95494584db65cc7bd1ef50ee0d8c8211efb5063a995801cc0c1a903042b7ff7c94094a0de5d7390a8f72a01949cd958c6f2012692bd5dba6f30b09c3c0b696228644502030100010282010100903fb9caa2d8cd5454974a0e12bfd1fad5750e95ac58e462954194c4fcfed690130844e1186d7a04df9a20e2d62f26d20ba17f8a6a990b6bb0a788a0d2b7527b654fc38adaf2372eaffc7b036178c4639e63a84042f02993c8ac25ddf6b43ad34413b396b0a5c2e05c8c274db1ee025bf5fa9ad7fb9d5e75ed044606974835c7fbc39ae84b80acaae9e9624e6fe8ac0ca318ad8a7d1c6ed3a79261464e6ebdb9c02ef20cb1c206c58718d542ed9cb1428c5c3cebbd58dc25598bbdd9924c75fdfeac881949e5f10a7dd4dc25800bdb4bd479ca0bfb706f25847361b2d2565a412813273691b4a3a5a814dce52cdbe25d626e6c9e000ecd6a75cac275187e265102818100e596d3ee25cd98563b12bf718c0ce7e7a823ae8c84f1021552b6b0bf220b7e012861510ab49d612fe7ba05a202edf4927201af0f33f4137481811f884fc46723f94db8ed69b283376f3141ad7e6f0f52afee60e537111c5bd94642564981a822e54edb6797521fb5870c772993ff517ea9c24adcd9dc502f1364d26a3f05ec4f02818100dd3f81e8a4f463488db2b048f2ef208c1c98ee136636b6449cbd3424c93ab25916908823a1ef3a23b4798c77f92a3e29b9469f8014c6b862e23ab5fe6000f9552de01f72c0a1fcc731b0867a3bf1d27596fc9da6ecd74931ce120b1687d2a67b4e4fb32b7fb750b46645aa38ab011a4d5fedd53d20e5ae3a4a5551b6cc5f5d2b02818100ba744b9954ca2bb59c341596398f21a7593de13bed9b6d7db3b6fac3befa6652ba608e588b6664cf6afa00291b07f5601986948d5c3c14b0c19c03e7c82051433dec890b06941b4ca1d8f6e5d7908a7934b7fba92b9791d86614513b9266e20db4fcdde2bb59ceb6b5fec1a7dab1b7958e786424082a8c542f03ea7eaec038b1028180055e2312b7ddce02d69d3d35a7df3154f4e4a8f2038ad44539e0454197383b5779faabb2e19ce236378cb361bdc3ce9a488a74183168d8d45d54bb519e96a775ef94fe6e544a19cde360bb02802dcfc356946e66bc5c44c456918d7f507045e5bbf2a710291b13742cff07b03445e49377fe572c127e4009ddffcfe9b56fa2dd02818040d41f525d885c951dca35924f46e4e7f4e43f4ea2e670230deb674884f5b8599a368b1647dd87523c4fdb62661f6543edecc9ce48d4a7b8b2a29de21fd438a9cf4823b92c85180b390c4f8dfbc196628d349fed1edd32cba5c063e2739d2153d3677d4815e55b8b4e9d0989b32cf0060de2ded4cd59edf6a4364cb55aff9276'
+  1, X'308204a50201000282010100c007f2536f0558e68345d3ef017a175b73434e797f9b97448e720a5985aea76cc0503b8d63b4e239af95db83db0af65f8360e9d941912c121215643a0af32188fc520413e81645ff8e2e623c9362be1b57649530bf54fdad6563106105ace949d7de2895a4771c237090aaa2567bd7d9b08b2ad09f63f61bba87d7462046e89fa4570cb3c8e4322220a737af48c31cd0ec2140f3723b94742c4a14232e1d409f6b53c18aaa63e693fa5d3d06808e948db8273563d33dbd9ac44ecfd71e60426570885898b3e5538767eaf4ef713719e7fd89b32e4e3f60d972ef1617437d4dba14af4691fb8ec275a78552bae9d8aaf71c3d42aca793ef0ad09e1af353daab750203010001028201010081e2de1d60f294f715c39d5e03f9b8e2ba4bc44099f77b917b67d76845eba48302714256982239021ba99918ce87d3ad3707ce248d1ccc5a4cb0fb61e7161c90b35a2637f0bb600d42f64cabfc64c58168d337b609344b81851a4471db8ce11e794c62d714af1bf13caa1d40408ef3a8e2a8bf04ed4a87a4a9be47f5becf3777d7254cf6ab0ff4f3e109235334796b030a1e03951a0ae64e224b3226a8e99174825eaa877efbc5cde0cd075687a9086f645654bda547f8927433f8eecd9ecfcb9b30ed6ff66bb4e5b7341f9626095798e279338e554045d0ae3ee94a1f10644ad88f10e7e7199923d45d5f8df2283859c3f4c41262426e654a04e895a21bb40102818100ea2e632ed6d314655c64eb6a18d4f492fea379ca091426bd7f381f1cbd7f1f79b73d694b9538ec693b245992f6a2a1b292279db9698eac40e43df3aa83b682ca5ab60ed07d02692e16c65cba91ee9aa9f768db2be9a1e0a213a93651a6886dcd35aa3f116ea73287a39a830cc2779bc02b9c8566c4cf8cd25ce99fa030ab965502818100d1ec351dafa33fff13a64c4a980a6f697735e705c1dc2a410b738210f4c059cd058579e4324d46e5bb0c1e6df4476d1a00206f66cf1be23645db193c69cbd04539f87e2b3f4617046031a1575a16a8e71b998844df2601d9d67958421f75c19943f53857b56a08583320b48a85def15b75c9ac5e4a232363824ab666b60ca0a102818100879dbf8083960fccb75a165f05ec658aaefe7aec3e9fb5e3adc611767263291632c0d4b699bf3261aa875d7c576a4d5bfd7a05c4375611792ef495a4dccc182819aa2f201c15065653882271454bb9b3ce7ca1d8675f80983bec95716990be8dc593471cd048f1614da4905a1650701934e85af4edeb083156ef50aad324bb5502818100814232ca9eb5a4d8499f2266e40bb8e275f708d3b0b502879ea777353d9f9b2bf4f46543affd896437b294a21bc24759b52e43aa4868e0f78e3804e80034f17f4edcc5c397686f0fd0b37ea72cdfbb0ce31fbc9abbd4c95afb0728e33e3fe1ff9faac510acb2278537a631c501fd6f1c6400d45412ce642207be3d662d3ec54102818055a928e09d9801f683ebb625e6ed97396ac1cd55b358d7aa06c8801759c2a51d517de1f88c537f532fea6cf563766d7818dc1de70b48d31c0102cad3562b7bf03a310b631428c22eabdc5555a90a5fc5310660a795d916ba1b57c09587f697d09dc092ac469e71f0e42fc6153c35ffe177898ea1e92aa6f28d3b86bfe30ad58c'
 );
 
 INSERT INTO private_key_identity (
diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/strongswan.conf
index 29e2395e8..f66e8ba8a 100644
--- a/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown sqlite sql
 }
diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/ipsec.d/data.sql
index a55e82501..8e11c6a20 100644
--- a/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/ipsec.d/data.sql
@@ -9,7 +9,7 @@ INSERT INTO identities (
 INSERT INTO identities (
   type, data
 ) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
-  202, X'ae096b87b44886d3b820978623dabd0eae22ebbc'
+  11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def'
  );
 
 INSERT INTO identities (
@@ -21,7 +21,7 @@ INSERT INTO identities (
 INSERT INTO identities (
   type, data
 ) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */
-  202, X'd70dbd46d5133519064f12f100525ead0802ca95'
+  11, X'6a9c74d1f8897989f65a94e989f1fac3649d292e'
  );
 
 INSERT INTO identities (
@@ -53,7 +53,7 @@ INSERT INTO certificates (
 INSERT INTO certificates (
    type, keytype, data
 ) VALUES ( /* C=CH, O=Linux strongSwan, CN=moon.strongswan.org */
-  1, 1, X'3082040d308202f5a003020102020103300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131313732355a170d3039303930393131313732355a3046310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311c301a060355040313136d6f6f6e2e7374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100afae2e109ac0a71b437b6f1a9e5194d085c999fe2c8de11b261f016c88e734eb1a6767b15bc7d8338bf3acc14e8a18bf857fd3dfbce637e9b0d3654f15d9068bdf4450517cf72651be8d4c8ff738ea961b2f5584bf7089afaa0a37b94910d18083bf649a7d395a41f04e68f14494d10ffc7d984a2c81e97f3421c1ec38c629b2456a3d8f3bf3915e86317ea71bb24422bef475e677e8967670b4f6ee2a80a45adcbd086a6537ab5fc12bf69f9072b620020de1880cec6cdea47543d1fec4c5ff547ac2447a1e210d9c128dc3337726eb63d5c1c731aa2c63ce175dbc8ebfb9c1e5198815be473781c3f82c2b59d23deb9739dda53c98d31a3fba57760aeaa89b0203010001a38201053082010130090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e04160414e5e410876c2ac4bead854942a6de7658303a9fc1306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100301e0603551d110417301582136d6f6f6e2e7374726f6e677377616e2e6f726730390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f7374726f6e677377616e2e63726c300d06092a864886f70d010104050003820101002f2f2921667aa576bb0c71b601dfa5b358a93e84e8a1af9754ddfbfc67879cb6c6b7833c5749e7c30b11a87b3549e105dda5d371c459f7d40fabd60c4ac8623924be84c96cfa638eb6ce9f6513b9d61080b895d270c405eacc310c709a613b6f61029c94f535ac5836b890be402ad2c52f01f7fd4bff8c0cc0cbea9720ef21c0bb41fb0726852a3c38563d917fdcca186dede6fbc83febd9edf0541382464ee378f7b8c9684df0d2402b07eb11dd4a886ab5e7299d99ea2686994746c2d9c00d95b02b2950d67f7978c6db5b379c4a3170239c414cf743bab866005366809690073a150e73c6866b9b335616acdbd3a8e651596dedb686b5d8d3eeb12df9d729'
+  1, 1, X'308204223082030aa003020102020117300d06092a864886f70d01010b05003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3039303832373130303333325a170d3134303832363130303333325a3046310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311c301a060355040313136d6f6f6e2e7374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100ca2f633dd4bbba0586215b15a0312f73f533124f0b339b9ae13bb648b02b4c468e0f01e630fbef92197b7708f5dbffea7e496286966d75acf13bd5e4377a1821d82de102eadf9963b489041a0b0f9f76b79e2150aa39020e3fa52a677dbb879c986291e4f1542fe2f0494e9c5c954d4faa75a17aa7b56652f1b16efbdcb46697f7d0b7f520bc990205365938d2cd31f2beed30e761a56c02d9dc82f0cdefc9d43447b6a98f7628aed2ac127a4a9504838f66e7517e5e0b0672c8165474bce689f73a6fc6e3c72b2c45498ddbbc0b17b04915606fe94f256cc777c42c534560ffbbe5aacdd944cc8db4d2abaf8a294af55b03a6a01a54d78430ab78389753c2870203010001a382011a3082011630090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e041604146a9c74d1f8897989f65a94e989f1fac3649d292e306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100301e0603551d110417301582136d6f6f6e2e7374726f6e677377616e2e6f726730130603551d25040c300a06082b0601050507030130390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f7374726f6e677377616e2e63726c300d06092a864886f70d01010b050003820101009cb57836c5e328cda4d58e204bd4ff0c63db841f926d53411c790d516c8e7fdaf191767102343f68003639bda99a684d8c76ad9087fbe55e730ba378a2e442e3b1095875361939c30e75c5145d8bdb6c55f5730a64061c819751f6e4aa6d1dc810fc79dc78aa7790ebaac183988e0c1e3d7ba5729597c7413642d40215041914fc8459e349c47d28825839dd03d77c763d236fc6ba48f95746f3a7b304d06b3c29d9d87666db0eacd080fb2d6bdebf9be1e8265b2b545fb81aa8a18fa056301436c9b8cf599746de81fddb9704f2feb4472f7c0f467fb7281b014167879a0ebda7fae36a5a5607376a803bec8f14f94663102c484a8887ba5b58ed04ee7cec0f'
 );
 
 INSERT INTO certificate_identity (
@@ -85,7 +85,7 @@ INSERT INTO certificate_identity (
 INSERT INTO private_keys (
    type, data
 ) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */
-  1, X'308204a30201000282010100afae2e109ac0a71b437b6f1a9e5194d085c999fe2c8de11b261f016c88e734eb1a6767b15bc7d8338bf3acc14e8a18bf857fd3dfbce637e9b0d3654f15d9068bdf4450517cf72651be8d4c8ff738ea961b2f5584bf7089afaa0a37b94910d18083bf649a7d395a41f04e68f14494d10ffc7d984a2c81e97f3421c1ec38c629b2456a3d8f3bf3915e86317ea71bb24422bef475e677e8967670b4f6ee2a80a45adcbd086a6537ab5fc12bf69f9072b620020de1880cec6cdea47543d1fec4c5ff547ac2447a1e210d9c128dc3337726eb63d5c1c731aa2c63ce175dbc8ebfb9c1e5198815be473781c3f82c2b59d23deb9739dda53c98d31a3fba57760aeaa89b0203010001028201004080550d67a42036945a377ab072078f5fef9b0885573a34fb941ab3bcb816e7d2f3f050600049d2f3296e5e32f5e50c3c79a852d74a377127a915e329845b30f3b26342e7fcde26d92d8bd4b7d23fdf08f02217f129e2838a8ce1d4b78ce33eaa2095515b74b93cc87c216fa3dc77bdc4d86017ababaf0d3318c9d86f27e29aa3301f6d7990f6f7f71db9de23ac66800ba0db4f42bbe82932ca56e08ba730c63febaf2779198cee387ee0934b32a2610ab990a4b908951bb1db2345cf1905f11aeaa6d1b368b7f82b1345ad14544e11d47d6981fc4be083326050cb950363dad1b28dbc16db42ec0fa973312c7306063bc9f308a6b0bcc965e5cb7e0b323ca102818100e71fffd9c9a528bdcb6e9ad1a5f4b354e3ea337392784aac790b4fba7f46b3b58d55965573f6493b686375cf6a0c68da9379434b055b625f01d64a9f1934cb075b25db5ef568325039674d577590b5ec54284842e04c27c97103a151805c9b620a3df84181e3a0c10752a7da6cac9629471a2bc85b32c3a160f3a8adf2d783d302818100c2968f5baf0d246bb9671b1dcfadab3a23cd6f9f1cba8c4b0d9b09d6c30a24eec174f22a4d9d2818d760b79a61c9cdd1381487723a99773a629b58171a6e28706bf083700f35037a0cb0649c9359987ccf77b44b4b3d94c614c74537c7025b503dc9967095411ecaec4b4427bc39dd5dfccbb8bab5d92e9465ab11e5e05d7319028181008b306e388e837461b89dc786f256c7991c18f31b6ade1eba77bb242cc071a7d0726954bbe9b62cac26559fa165d04b6536e3146f9dae4733c83b717d1705003051e81e90b56226cac18740c0a7009b4ed3efde74c7f7950e6f8d2c1d951c30477ebb8b428822b9b105e3f54a49a0365e6d7f895683f5b273019c3bbd663dfc190281807f5def6e12b1a682407405a2c8ba2356c5f2853a7fa2778bf4d6e364c87b4e5b5d138023427438b7b1da63b35088b808570dd0ee6afee2b4bbb074c382905235ebe11d176f4cc2fed3696e21b2ad358b947d04ed37cd9220e99ed966be0383e38cddf373b3ae514a7fca704d15fe46306bf4a8f0c570e7f5486ae6273269d89902818031055903f23c7db8da8951aad134c83a7ca951c48c9a7b994f36d9815bc82c80527b6da8e4beff9fee67b1fde5064719a40448bd6d70d9da8910122402835a328e74cfd34e8b568c29fae6ff831ef824fc825e609547a06052a4113ec09f00649bb7b7d195a773f11711c88f152b10a1b4ae58bb6d8bfc176e39f96c7c0de5c8'
+  1, X'308204a30201000282010100ca2f633dd4bbba0586215b15a0312f73f533124f0b339b9ae13bb648b02b4c468e0f01e630fbef92197b7708f5dbffea7e496286966d75acf13bd5e4377a1821d82de102eadf9963b489041a0b0f9f76b79e2150aa39020e3fa52a677dbb879c986291e4f1542fe2f0494e9c5c954d4faa75a17aa7b56652f1b16efbdcb46697f7d0b7f520bc990205365938d2cd31f2beed30e761a56c02d9dc82f0cdefc9d43447b6a98f7628aed2ac127a4a9504838f66e7517e5e0b0672c8165474bce689f73a6fc6e3c72b2c45498ddbbc0b17b04915606fe94f256cc777c42c534560ffbbe5aacdd944cc8db4d2abaf8a294af55b03a6a01a54d78430ab78389753c287020301000102820100204507f5ea6a3bfa7db9fd2baa71af3d36b97c0699a71702d5480e83f37a35a65d2e10038975ec7ac90e67a54a785e9432abcbc9e7607913ad3cfb9a7d304381c35b2f3aa3fa242541bf4ca44b77a6dfefd69142aaa886a777890907938dc6cb3b971fea068a854a1747dc0020d6c38c1f8cbec530d747099e01cfd0eb1ceff2b077bd07aaef4989b75594614b16a778891a2e490369d2a9571ddf5cd165331638a8a3c96184a8259eb588caab3bbfab9c0f77b66c830ecf0f294dc1b67a5f36b75e3e095e247864f19ab212fdbf34e0925316ca13c342b4ba464ecf93d2a8e39eee24dd63dddd938101a9f4b8f0de90765e1c1fda5c62e161cc712794aeaea102818100f85d60a6990447926da1ab9db7f094a5d435b11f70c5fef9541a89e05898001190cfdc651b8a23ccbfe8e7bdacd225776f01699d06be5ae5abc4690fe99b81fd9f369e973437fbcba2efdbe1dc6f8389fb2be78e3847f4f05323b2c7b6b6a4c85ca0aa72642747434f4358f0baf10ab173f9c3f24e9674570179dde23c6c248d02818100d06693eb5c92b6d516f630b79b1b98ea3910cbc4c442a4779ce16f5b09825c858ea4dfcc4d33eeb3e4de971a7fa5d2a153e9a83e65f7527ca77b93efc257960eadd8ce5b57e590d9189e542652ae3677c623343a39c1d16dbef3069406eaa4913eeba06e0a3af3c8539dbd4be7d9caf3ccd654ae397ae7faa72ba823e4b0206302818100ef2bc4f249f28415ef7b3bafd33d5b7861e61e9e7f543c18d0340a4840288810625ab90ba8bc9b8305dffca27c75965cf049f4f1a157d862c9c987bf2a2075cacdf2a44049aa0bd16b23fea3ff4a67ea8d351774aea024b0f5ef2fb00134db749336a94d254369edd8bbab3f8f56a60c82f9a807844480de746e6e0cfa50cdd50281807b32d8e93fadc00612eff176e96c14270b1b41cb0dd6f3d17e5dcaedbf9e6041d844e1c4ae33303f0ae307e2f3693d2e8023d68124d863dc2b4aa3f70e25a7210066f5ff0be43b900bbcb5b47e165d3ecb544e70c96a29fbbdf17f870cdbb3f3e585782ef53f4a94b7d1bd715d1be49de20f26ba6462a3370b928470cba5cf4f028180324ffacf705e6746f741d24ff6aa0bb14aad55cba41eb7758e6cc0d51f40feac6b4a459ce374af424287f602b0614520079b436b8e90cde0ddff679304e9efdd74a2ffbfe6e4e1bd1236c360413f2d2656e00b3e3cb217567671bf73a722a222e5e85d109fe2c77caf5951f5b9f4171c744afa717fe7e9306488e6ab87341298'
 );
 
 INSERT INTO private_key_identity (
diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/strongswan.conf
index a747a6cb1..e377047a4 100644
--- a/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/strongswan.conf
@@ -6,7 +6,15 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown sqlite sql attr-sql
+}
+
+libstrongswan {
+  plugins {
+    attr-sql {
+      database = sqlite:///etc/ipsec.d/ipsec.db
+    }
+  }
 }
 
 pool {
diff --git a/testing/tests/sql/ip-pool-db/evaltest.dat b/testing/tests/sql/ip-pool-db/evaltest.dat
index 49051ed22..11be09d38 100644
--- a/testing/tests/sql/ip-pool-db/evaltest.dat
+++ b/testing/tests/sql/ip-pool-db/evaltest.dat
@@ -1,9 +1,18 @@
 carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES
+carol::cat /var/log/daemon.log::installing DNS server PH_IP_WINNETOU::YES
+carol::cat /var/log/daemon.log::installing DNS server PH_IP_VENUS::YES
+carol::cat /var/log/daemon.log::handling INTERNAL_IP4_NBNS attribute failed::YES
+carol::cat /var/log/daemon.log::handling APPLICATION_VERSION attribute failed::YES
 carol::ip addr list dev eth0::PH_IP_CAROL1::YES
 carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES
 carol::ipsec status::home.*INSTALLED::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
 dave::cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
+dave::cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
+dave::cat /var/log/daemon.log::installing DNS server PH_IP_WINNETOU::YES
+dave::cat /var/log/daemon.log::installing DNS server PH_IP_VENUS::YES
+dave::cat /var/log/daemon.log::handling INTERNAL_IP4_NBNS attribute failed::YES
+dave::cat /var/log/daemon.log::handling APPLICATION_VERSION attribute failed::YES
 dave::ip addr list dev eth0::PH_IP_DAVE1::YES
 dave::ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
 dave::ipsec status::home.*INSTALLED::YES
@@ -11,6 +20,8 @@ dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
 moon::cat /var/log/daemon.log::peer requested virtual IP %any::YES
 moon::cat /var/log/daemon.log::acquired new lease for address.*in pool.*bigpool::YES
 moon::cat /var/log/daemon.log::assigning virtual IP::YES
+moon::ipsec pool --status 2> /dev/null::dns servers: PH_IP_WINNETOU PH_IP_VENUS::YES
+moon::ipsec pool --status 2> /dev/null::nbns servers: PH_IP_VENUS::YES
 moon::ipsec pool --status 2> /dev/null::bigpool.*10.3.0.1.*10.3.0.6.*static.*2::YES
 moon::ipsec pool --leases --filter pool=bigpool,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES
 moon::ipsec pool --leases --filter pool=bigpool,addr=10.3.0.2,id=dave@strongswan.org 2> /dev/null::online::YES
diff --git a/testing/tests/sql/ip-pool-db/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/ip-pool-db/hosts/carol/etc/ipsec.d/data.sql
index ca813d44f..5dc82a942 100644
--- a/testing/tests/sql/ip-pool-db/hosts/carol/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/ip-pool-db/hosts/carol/etc/ipsec.d/data.sql
@@ -9,7 +9,7 @@ INSERT INTO identities (
 INSERT INTO identities (
   type, data
 ) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
-  202, X'ae096b87b44886d3b820978623dabd0eae22ebbc'
+  11, X'ae096b87b44886d3b820978623dabd0eae22ebbc'
  );
 
 INSERT INTO identities (
@@ -21,7 +21,7 @@ INSERT INTO identities (
 INSERT INTO identities (
   type, data
 ) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=carol@strongswan.org' */
-  202, X'985c23660cd9b9a7554da6a4aa31ea02230fd482'
+  11, X'1fa1a988d9648cb5a0a2546439b4f23d745d6e7c'
  );
 
 INSERT INTO identities (
@@ -41,7 +41,7 @@ INSERT INTO certificates (
 INSERT INTO certificates (
    type, keytype, data
 ) VALUES ( /* C=CH, O=Linux strongSwan, CN=carol@strongswan.org */
-  1, 1, X'308204223082030aa00302010202010a300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3035303130313231343331385a170d3039313233313231343331385a305a310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e3111300f060355040b13085265736561726368311d301b060355040314146361726f6c407374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100b81b84920408e086c8d278d3ad2e9ffc01b89e8c423b612b908010f8174ff96f6729e84b185fb96e60783082c507ace9d64f79beb0252e05e5f1f7a89a0b33e6789f5deb665084cb230191c165bcad1a34563e011b349bb6ab517f01ecf7e2f4de961d36203b85e97811cb26b650cfd014d15dd2d2b71efd656e5638a24bf70986b8128bbae5f3b428d6360e03d3f4e816502e3d1d14d7165ab1a92a9fe15ef045d4e48ff5bd798ec80c9420962c9a9798b54a0ed2a00cf2c9651d7d9882e181c1ef6b1c43edcada2fd191e109962dbd26f38a00208c1ac3ed27a5924c60330c79878eb5c7a90960a6472f979aca9c5aee2bb4d0aed395b546c5e361910a06370203010001a38201063082010230090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e041604145535eca6eba279baef887f18438fd227b16746d1306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100301f0603551d110418301681146361726f6c407374726f6e677377616e2e6f726730390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f7374726f6e677377616e2e63726c300d06092a864886f70d01010405000382010100b1304a7e65d72573468853e8cedd398bf3581cc1e6b4054b9c8d97c3caf0929035dc5e274e7b3fa5fef52e7860bb06aab5ba40c5f1ca55806b4cd873f133ded948b3c89cc81621e2eadee5fc893b48a34e4462a45ab09c41200918f68ea36babfacf4099aa349b8b65841eb1e416b90e4eb462edd786cdb0008565633a701fcd2c416ae8e4754c5bea3181736179aa901e5526c4fac031ce649d851c85ded514c25e3269b0739a879d273950e1a9ea8341b5e1049c07181792ad37da02aeccd555c56469e8e15a9e72860b520dbec05662d37adb08d79575e133f338b0116198fa5fb556fe02682bd634aca535f6750b0daa123f5ad36f2e67caa260587f1aa9'
+  1, 1, X'308204223082030aa00302010202011d300d06092a864886f70d01010b05003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3039303832373130343435315a170d3134303832363130343435315a305a310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e3111300f060355040b13085265736561726368311d301b060355040314146361726f6c407374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100d05d594f8117bc78972a3ec479ebe1400e53cf72410b93e6f74fa17cf1ea444fb23600bae92d81747e49a2e4407c3f6118033d22a3e67ce69a53907ffad646bfbc3b6abe0bdd9a5080a690dbd919a9a8e70d9694e319e93e5d9361eff9033ac53fc6cd6c95af574c62effbb72c03d41c3b696fc7aa4444483bbaabde555aef8bce0e9797108d11ecf462c66b37f7c2e812f6ab3280a8c05b207156f0e3a787e9c4638205e40ce466716bc35d8623bd99f3cda9c3dee5c8ac19852cff18c405049c7eae735dc393f5209c13946e4f51da030ad7bf31caf58a203eccea2fc79e71d46a06c5dba85d65397a0adfd4cb5a9517fd3dcf17af8ab7584293026b19ad510203010001a38201063082010230090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e041604141fa1a988d9648cb5a0a2546439b4f23d745d6e7c306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100301f0603551d110418301681146361726f6c407374726f6e677377616e2e6f726730390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f7374726f6e677377616e2e63726c300d06092a864886f70d01010b05000382010100bca6a5f72ab4b329eba519dcf2740578846c180775a2074da82769e1e4c241bbb2742a7e08564bcb507492661491c71e79b5065f758aad5d54bb66ec86fbaad5eec6f9f794884707e42c07636efbf4c99225e31c7c8f9d0adf2311fbd6975b535218f1246fc06305432b1769231933aaa26a3c388cf2237ebdcfd909aed1219d2dfb9c771da5ec190b5c077167c9eb077dc319b3d9d5579a05502f60635ddfc17292c56880b887b8cc5d0e455118e753b2bdc526b84fc3e947a16b42139c218057029f781a233c26a98a641194a5e3feddccb88b70d5d7c2b2afae10e17665ce164294d138dec80caa25fcf1d737ce7a43cd3ed3e758fe77ef6445fe59d06391'
 );
 
 INSERT INTO certificate_identity (
@@ -73,7 +73,7 @@ INSERT INTO certificate_identity (
 INSERT INTO private_keys (
    type, data
 ) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=carol@strongswan.org' */
-  1, X'308204a30201000282010100b81b84920408e086c8d278d3ad2e9ffc01b89e8c423b612b908010f8174ff96f6729e84b185fb96e60783082c507ace9d64f79beb0252e05e5f1f7a89a0b33e6789f5deb665084cb230191c165bcad1a34563e011b349bb6ab517f01ecf7e2f4de961d36203b85e97811cb26b650cfd014d15dd2d2b71efd656e5638a24bf70986b8128bbae5f3b428d6360e03d3f4e816502e3d1d14d7165ab1a92a9fe15ef045d4e48ff5bd798ec80c9420962c9a9798b54a0ed2a00cf2c9651d7d9882e181c1ef6b1c43edcada2fd191e109962dbd26f38a00208c1ac3ed27a5924c60330c79878eb5c7a90960a6472f979aca9c5aee2bb4d0aed395b546c5e361910a063702030100010282010100a7870abc1f85c061858dd7baae24f61947abaa41f0e6bd85f9c83f28b175e980d0bc168f76cf6c199f18def3afbc4b40c0edb2d7accb3834cfc7bd57234d3c5de4b707ac737ea3478144255079761581f9cbdc41ff72809ad90ba069ad2ae7cf7057e29ee4f7a4e40c890c75de826c8768da16e9072af0bd1db6282902ade34cb1b9c3fdd00a8f0330328e18d477009ac5a43952fe05b7257b8b4e7f8f5288e858ef56ea3a031980d38b879e6327d949a8f3c19bf379c1297b3defc0a374a6ea6f1c0e8124247c33392ae446081f486f58bb41cbcba25915d37eefe0828408f7f679841588424ef59b6dee30805b926fa80e7ff57cb4817167ca72bf51c8cf9102818100da567b0cbbc426e4455ffdd1b8013644d9f47785b05b163a0155c81d57c0cd84fe73aa75125caf116de50b7adc369707ed91127db7d4422bb08cff5ddf91f4a0e5fb264e098fe6fe62f8a2ab933eeac41893f365d8165f79143855b5a5b7dc31c9b34a9d453ee7c8d7b24f89e3ed51bfeadc2e1102308a967b241dfb44c8ad6902818100d7dd78437c533a15fd1dd6b0634334e79c31d215017f5a8869e42cbada3fb09167585e087e72f91575441f7cca9a64246df57f0e45f1ae86a289a4307586aa1cc3cd069c65057cc3b0baac3634064e53179bde9af2531a5af2770a1d7ccbdc263f18299ad2ec0d224b718002633a546af74c7cac72ccdf253ab4370137bf829f02818063b2f5c15cc43716296fa9d167fa75b37eeb18e0dd24dac365f4abca6a55ca031ec5e6624b1e337afbf9890273282253267206458df9c8b5768b0bd8ebcc142e9c95d069f607d5ecf7789d9f473f85a841a8dd8df5dc518052715f01f14841ae22725271fa3abd5082de135fddca7277f660d05047f5ae73048bfb7ccf6deb7102818028b2b4ade48ebc70d0dc03521624e1a0992e3b71826ac462dbb40d4add430cc31d3ce7ddaa197b24b48b37748bae381b363006d8660f7edc1b60dff7d2f0a4b9efa0841290694c7088ad69327ef48167e1179e0c908b6278ab260e5e28dd36906f6cdacb39e10f48dbf8762dfd0f4e432c84db2c98285019f0cb7163656351f902818042a7d7d7f9416b3f3b50cf5815dfbc249cd3572e494c76d1ae99dc1e8bc63fbb32e5c18d5c4f90681e9046999cdcf0826f904350b9d67227f606382d9c7b3b1332d22744b2cefa691ab82dbec8e976a406b0902d0f4889392f80d39e2581ac42feed9085964650485e34811b04fa1f34c47cde5cbdd1d20f30111851a3c187ca'
+  1, X'308204a40201000282010100d05d594f8117bc78972a3ec479ebe1400e53cf72410b93e6f74fa17cf1ea444fb23600bae92d81747e49a2e4407c3f6118033d22a3e67ce69a53907ffad646bfbc3b6abe0bdd9a5080a690dbd919a9a8e70d9694e319e93e5d9361eff9033ac53fc6cd6c95af574c62effbb72c03d41c3b696fc7aa4444483bbaabde555aef8bce0e9797108d11ecf462c66b37f7c2e812f6ab3280a8c05b207156f0e3a787e9c4638205e40ce466716bc35d8623bd99f3cda9c3dee5c8ac19852cff18c405049c7eae735dc393f5209c13946e4f51da030ad7bf31caf58a203eccea2fc79e71d46a06c5dba85d65397a0adfd4cb5a9517fd3dcf17af8ab7584293026b19ad51020301000102820101008a86f560a12fd9b2c6b5646395b757db116b7108c1ebe399f3a43275f213d0f4b743a5fa9e1a0dee1823f6b30f984b3ecf0b20330e8aa7515d1adf7fe6915d1a0e17e6a0911cf4823ef5fe6adb8c6f3a86da86d9579f1b6dc622bd4320e79fc411e1a72360e4e1023ce8d60df2aa5cf3a420361ba5bc9b34f6d8e578fc8067aef457ff2a5a91f7c7c8a4f242cc46ab1cff18d6d1a4d8b82b5791df1f18a04b8cb2da235c3a795900fa7ffbbcb4b1d079a504673794eeca5e75c8c16ad2558965453515f57180b8dc518710aa874cd3bcdeddf109d5b553c27a351437f9c1bcdf8940f3ff8632dd59f6c8e01107b4bbf49c6c5409b6e9ecb29eada333800fa5d102818100f5537045d067df4d786df67e1cfea01ce3ca6de3f06be48efd8b4dc48c1ec19a711003875ee202343c851c8f970d2160a2e4d1108da6437af6bccfae803f61fc450582a89aa0906cba65fc7033aa584c1a2a17e96b2f368951aedaa5261f6e1c14999cfa7f4c4091890eff281cb4e6f37209f4b6d5778607caeca0a15137746d02818100d96e379ba5b4ed604d84a7ed71678a1f23391b749a697289bd3bee5d17985af89264f5ec35d3e37b1e44d6fdafec8a78ae199e0bb680f59f9800bb894ba5b31ee964f3ddc142f361835cf49a1edb75330f44f33c26c56e0752ae3fe0df760838b6437b99a131cb544d64da996baf3bc3f5709cc75f134b048cdebbf8bed1a5f502818017e2d8e2a34909cff432d8b62cc289fa661f7695a3fa0d55f2cfd67195a704f8b19b7a8c7aab8cc563431ea5c87249d6abe595898411352ecac9557b4b1760c5fc3e6e1b567addb5086d17a8210fabeb34fcf6390eeb98e6c3e23f7da6f99671fb7b7d725264ad40be548c796e5a1ac6874afaddb6691dceb26e59b17b43e7fd02818100ac90cb559f089fb56510b9eebba8bf78c30dd9fa8b6ad15afc738a551c1af1688357d9cea5520c2374fc91dd3a38f4159fa7f945b68d576458d18c0605a1f72dbb734211680768fea5b1aaf87f31122d7a1af12976640f55848b836b482f778afb2d47f5c077b2b6afce31a8be4c8f949141d54c6eeaf309237ccb973a6b4dd902818025ec4178c7f7c017c46a93fbdb72e2e3b199ae33c9fa6834f81b75b481cd6756124c744c821b126b07ea9852dc58de40cc87f160209d8af3b4bac4862778d3e21cbfdfcdbbfaad8911500f43a43041b88eefb27c66adfffeb9c8add95d1a4ed05f0bd81a4eda79fd4a0885a4a3bad0dcddecf83401c19df721d6cc7163c4125e'
 );
 
 INSERT INTO private_key_identity (
diff --git a/testing/tests/sql/ip-pool-db/hosts/carol/etc/strongswan.conf b/testing/tests/sql/ip-pool-db/hosts/carol/etc/strongswan.conf
index 29e2395e8..9df154ee2 100644
--- a/testing/tests/sql/ip-pool-db/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/ip-pool-db/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown sqlite sql resolve
 }
diff --git a/testing/tests/sql/ip-pool-db/hosts/dave/etc/ipsec.d/data.sql b/testing/tests/sql/ip-pool-db/hosts/dave/etc/ipsec.d/data.sql
index 5233806c7..329cac53b 100644
--- a/testing/tests/sql/ip-pool-db/hosts/dave/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/ip-pool-db/hosts/dave/etc/ipsec.d/data.sql
@@ -9,7 +9,7 @@ INSERT INTO identities (
 INSERT INTO identities (
   type, data
 ) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
-  202, X'ae096b87b44886d3b820978623dabd0eae22ebbc'
+  11, X'ae096b87b44886d3b820978623dabd0eae22ebbc'
  );
 
 INSERT INTO identities (
@@ -21,7 +21,7 @@ INSERT INTO identities (
 INSERT INTO identities (
   type, data
 ) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=dave@strongswan.org' */
-  202, X'f651b7ea33148cc5a76a622f1c1eb16c6bbdea25'
+  11, X'ee7f38daeea1b81a41777f78f2674be8439d8e0e'
  );
 
 INSERT INTO identities (
@@ -41,7 +41,7 @@ INSERT INTO certificates (
 INSERT INTO certificates (
    type, keytype, data
 ) VALUES ( /* C=CH, O=Linux strongSwan, CN=dave@strongswan.org */
-  1, 1, X'308204223082030aa003020102020108300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131323635315a170d3039303930393131323635315a305b310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e31133011060355040b130a4163636f756e74696e67311c301a0603550403141364617665407374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100c66c299463a8a78abef5ffa45679b7a070b5139834b146aa5138d0f1d8845412e112e4429ceeab23473e395e8aa38b2c024118d85b7ddf504118eabedf9c793bd02c949d6799cabeefe03ff62e304ddec98313afd966bcf13f1fb1a619548a060e17fbede205225b574e679adc9f11bdf9e36b48bea058d360d62b8445f9524db98757a4d59865363c675d28667a5dfa967dd03eea23a2dbea32ab0e9a1f8bb885f5e12723113843a12dd00552fcd4f548b31174aab2610e4a8752f6fca95494584db65cc7bd1ef50ee0d8c8211efb5063a995801cc0c1a903042b7ff7c94094a0de5d7390a8f72a01949cd958c6f2012692bd5dba6f30b09c3c0b69622864450203010001a38201053082010130090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e04160414de90b5d11c6c643c7450d36af8886ca31938fb72306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100301e0603551d1104173015811364617665407374726f6e677377616e2e6f726730390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f7374726f6e677377616e2e63726c300d06092a864886f70d0101040500038201010027a2d727384d2d2432f2f15875fa7693db3af1c7d5317cc21e1658f0843a918875d22c301b08e9c05a8aa3f02f6b8ae6705bb508988210f494fd19d92db786db21c1b6e6b18c0b7baa3fbd427da033fd2c08659daf9bc26dd99cf348c1ec139a9b8c32110199eaea08913f6b3a3d5b0c3d2a6f1f7e2c45b13452858949db416493f96dbf93e2173d81f99bc937b0c0c9e3874f4a90626a571295502ff5cf553dcdbdd7d4673dcbecc8ebbfc3e3ac0ce8a75120d6aa3dd2b6e9a61114cfbf0cba137c5934eddb32cfb96dd02fbf8adc903afa5f8d5959fce7a94fdd9e5a7a3816e35126e50fe7f818887bd2b2365b6b3a86d36a86849e9582d193e6a20b513988'
+  1, 1, X'308204223082030aa00302010202011c300d06092a864886f70d01010b05003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3039303832373130333733395a170d3134303832363130333733395a305b310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e31133011060355040b130a4163636f756e74696e67311c301a0603550403141364617665407374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100c007f2536f0558e68345d3ef017a175b73434e797f9b97448e720a5985aea76cc0503b8d63b4e239af95db83db0af65f8360e9d941912c121215643a0af32188fc520413e81645ff8e2e623c9362be1b57649530bf54fdad6563106105ace949d7de2895a4771c237090aaa2567bd7d9b08b2ad09f63f61bba87d7462046e89fa4570cb3c8e4322220a737af48c31cd0ec2140f3723b94742c4a14232e1d409f6b53c18aaa63e693fa5d3d06808e948db8273563d33dbd9ac44ecfd71e60426570885898b3e5538767eaf4ef713719e7fd89b32e4e3f60d972ef1617437d4dba14af4691fb8ec275a78552bae9d8aaf71c3d42aca793ef0ad09e1af353daab750203010001a38201053082010130090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e04160414ee7f38daeea1b81a41777f78f2674be8439d8e0e306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100301e0603551d1104173015811364617665407374726f6e677377616e2e6f726730390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f7374726f6e677377616e2e63726c300d06092a864886f70d01010b050003820101003201bc6ba4cb53011c378ef070b9aa5a1d79d3a69cfe4e45b27d7569813c2d3e57f7adb84f9380e3853db28323132356b3a2a3eba1fd9a05b0eb0e57424903ec64072ecce76bb8a28ca36090c202ee0455cbf89517d21888a454b56591c0d9a0cac94c383b20033af0d4f2bd7f5a2c116fdd537583fd9c4bbda8fdf4934be4520f0309b0a63c8d7f3156b157387d2d1005c8e1eb9ca4825c6ee84ad995166d987f7a44e074b55ba0eda269b23eceda503e5701a41daf70d8288fd36b3a14eade60d9a12a8a0bbea63d8caa4e62749931e55085bd45358650a1c97e8d34d8c936757abb9622b9ab5c758421a424c1b319c1a0cfb0d01bcd38297ed4f760132d4a'
 );
 
 INSERT INTO certificate_identity (
@@ -73,7 +73,7 @@ INSERT INTO certificate_identity (
 INSERT INTO private_keys (
    type, data
 ) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=dave@strongswan.org' */
-  1, X'308204a40201000282010100c66c299463a8a78abef5ffa45679b7a070b5139834b146aa5138d0f1d8845412e112e4429ceeab23473e395e8aa38b2c024118d85b7ddf504118eabedf9c793bd02c949d6799cabeefe03ff62e304ddec98313afd966bcf13f1fb1a619548a060e17fbede205225b574e679adc9f11bdf9e36b48bea058d360d62b8445f9524db98757a4d59865363c675d28667a5dfa967dd03eea23a2dbea32ab0e9a1f8bb885f5e12723113843a12dd00552fcd4f548b31174aab2610e4a8752f6fca95494584db65cc7bd1ef50ee0d8c8211efb5063a995801cc0c1a903042b7ff7c94094a0de5d7390a8f72a01949cd958c6f2012692bd5dba6f30b09c3c0b696228644502030100010282010100903fb9caa2d8cd5454974a0e12bfd1fad5750e95ac58e462954194c4fcfed690130844e1186d7a04df9a20e2d62f26d20ba17f8a6a990b6bb0a788a0d2b7527b654fc38adaf2372eaffc7b036178c4639e63a84042f02993c8ac25ddf6b43ad34413b396b0a5c2e05c8c274db1ee025bf5fa9ad7fb9d5e75ed044606974835c7fbc39ae84b80acaae9e9624e6fe8ac0ca318ad8a7d1c6ed3a79261464e6ebdb9c02ef20cb1c206c58718d542ed9cb1428c5c3cebbd58dc25598bbdd9924c75fdfeac881949e5f10a7dd4dc25800bdb4bd479ca0bfb706f25847361b2d2565a412813273691b4a3a5a814dce52cdbe25d626e6c9e000ecd6a75cac275187e265102818100e596d3ee25cd98563b12bf718c0ce7e7a823ae8c84f1021552b6b0bf220b7e012861510ab49d612fe7ba05a202edf4927201af0f33f4137481811f884fc46723f94db8ed69b283376f3141ad7e6f0f52afee60e537111c5bd94642564981a822e54edb6797521fb5870c772993ff517ea9c24adcd9dc502f1364d26a3f05ec4f02818100dd3f81e8a4f463488db2b048f2ef208c1c98ee136636b6449cbd3424c93ab25916908823a1ef3a23b4798c77f92a3e29b9469f8014c6b862e23ab5fe6000f9552de01f72c0a1fcc731b0867a3bf1d27596fc9da6ecd74931ce120b1687d2a67b4e4fb32b7fb750b46645aa38ab011a4d5fedd53d20e5ae3a4a5551b6cc5f5d2b02818100ba744b9954ca2bb59c341596398f21a7593de13bed9b6d7db3b6fac3befa6652ba608e588b6664cf6afa00291b07f5601986948d5c3c14b0c19c03e7c82051433dec890b06941b4ca1d8f6e5d7908a7934b7fba92b9791d86614513b9266e20db4fcdde2bb59ceb6b5fec1a7dab1b7958e786424082a8c542f03ea7eaec038b1028180055e2312b7ddce02d69d3d35a7df3154f4e4a8f2038ad44539e0454197383b5779faabb2e19ce236378cb361bdc3ce9a488a74183168d8d45d54bb519e96a775ef94fe6e544a19cde360bb02802dcfc356946e66bc5c44c456918d7f507045e5bbf2a710291b13742cff07b03445e49377fe572c127e4009ddffcfe9b56fa2dd02818040d41f525d885c951dca35924f46e4e7f4e43f4ea2e670230deb674884f5b8599a368b1647dd87523c4fdb62661f6543edecc9ce48d4a7b8b2a29de21fd438a9cf4823b92c85180b390c4f8dfbc196628d349fed1edd32cba5c063e2739d2153d3677d4815e55b8b4e9d0989b32cf0060de2ded4cd59edf6a4364cb55aff9276'
+  1, X'308204a50201000282010100c007f2536f0558e68345d3ef017a175b73434e797f9b97448e720a5985aea76cc0503b8d63b4e239af95db83db0af65f8360e9d941912c121215643a0af32188fc520413e81645ff8e2e623c9362be1b57649530bf54fdad6563106105ace949d7de2895a4771c237090aaa2567bd7d9b08b2ad09f63f61bba87d7462046e89fa4570cb3c8e4322220a737af48c31cd0ec2140f3723b94742c4a14232e1d409f6b53c18aaa63e693fa5d3d06808e948db8273563d33dbd9ac44ecfd71e60426570885898b3e5538767eaf4ef713719e7fd89b32e4e3f60d972ef1617437d4dba14af4691fb8ec275a78552bae9d8aaf71c3d42aca793ef0ad09e1af353daab750203010001028201010081e2de1d60f294f715c39d5e03f9b8e2ba4bc44099f77b917b67d76845eba48302714256982239021ba99918ce87d3ad3707ce248d1ccc5a4cb0fb61e7161c90b35a2637f0bb600d42f64cabfc64c58168d337b609344b81851a4471db8ce11e794c62d714af1bf13caa1d40408ef3a8e2a8bf04ed4a87a4a9be47f5becf3777d7254cf6ab0ff4f3e109235334796b030a1e03951a0ae64e224b3226a8e99174825eaa877efbc5cde0cd075687a9086f645654bda547f8927433f8eecd9ecfcb9b30ed6ff66bb4e5b7341f9626095798e279338e554045d0ae3ee94a1f10644ad88f10e7e7199923d45d5f8df2283859c3f4c41262426e654a04e895a21bb40102818100ea2e632ed6d314655c64eb6a18d4f492fea379ca091426bd7f381f1cbd7f1f79b73d694b9538ec693b245992f6a2a1b292279db9698eac40e43df3aa83b682ca5ab60ed07d02692e16c65cba91ee9aa9f768db2be9a1e0a213a93651a6886dcd35aa3f116ea73287a39a830cc2779bc02b9c8566c4cf8cd25ce99fa030ab965502818100d1ec351dafa33fff13a64c4a980a6f697735e705c1dc2a410b738210f4c059cd058579e4324d46e5bb0c1e6df4476d1a00206f66cf1be23645db193c69cbd04539f87e2b3f4617046031a1575a16a8e71b998844df2601d9d67958421f75c19943f53857b56a08583320b48a85def15b75c9ac5e4a232363824ab666b60ca0a102818100879dbf8083960fccb75a165f05ec658aaefe7aec3e9fb5e3adc611767263291632c0d4b699bf3261aa875d7c576a4d5bfd7a05c4375611792ef495a4dccc182819aa2f201c15065653882271454bb9b3ce7ca1d8675f80983bec95716990be8dc593471cd048f1614da4905a1650701934e85af4edeb083156ef50aad324bb5502818100814232ca9eb5a4d8499f2266e40bb8e275f708d3b0b502879ea777353d9f9b2bf4f46543affd896437b294a21bc24759b52e43aa4868e0f78e3804e80034f17f4edcc5c397686f0fd0b37ea72cdfbb0ce31fbc9abbd4c95afb0728e33e3fe1ff9faac510acb2278537a631c501fd6f1c6400d45412ce642207be3d662d3ec54102818055a928e09d9801f683ebb625e6ed97396ac1cd55b358d7aa06c8801759c2a51d517de1f88c537f532fea6cf563766d7818dc1de70b48d31c0102cad3562b7bf03a310b631428c22eabdc5555a90a5fc5310660a795d916ba1b57c09587f697d09dc092ac469e71f0e42fc6153c35ffe177898ea1e92aa6f28d3b86bfe30ad58c'
 );
 
 INSERT INTO private_key_identity (
diff --git a/testing/tests/sql/ip-pool-db/hosts/dave/etc/strongswan.conf b/testing/tests/sql/ip-pool-db/hosts/dave/etc/strongswan.conf
index 29e2395e8..9df154ee2 100644
--- a/testing/tests/sql/ip-pool-db/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/ip-pool-db/hosts/dave/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown sqlite sql resolve
 }
diff --git a/testing/tests/sql/ip-pool-db/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/ip-pool-db/hosts/moon/etc/ipsec.d/data.sql
index 0d9399b5a..82a9e43fe 100644
--- a/testing/tests/sql/ip-pool-db/hosts/moon/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/ip-pool-db/hosts/moon/etc/ipsec.d/data.sql
@@ -9,7 +9,7 @@ INSERT INTO identities (
 INSERT INTO identities (
   type, data
 ) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
-  202, X'ae096b87b44886d3b820978623dabd0eae22ebbc'
+  11, X'ae096b87b44886d3b820978623dabd0eae22ebbc'
  );
 
 INSERT INTO identities (
@@ -21,7 +21,7 @@ INSERT INTO identities (
 INSERT INTO identities (
   type, data
 ) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */
-  202, X'd70dbd46d5133519064f12f100525ead0802ca95'
+  11, X'6a9c74d1f8897989f65a94e989f1fac3649d292e'
  );
 
 INSERT INTO identities (
@@ -41,7 +41,7 @@ INSERT INTO certificates (
 INSERT INTO certificates (
    type, keytype, data
 ) VALUES ( /* C=CH, O=Linux strongSwan, CN=moon.strongswan.org */
-  1, 1, X'3082040d308202f5a003020102020103300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131313732355a170d3039303930393131313732355a3046310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311c301a060355040313136d6f6f6e2e7374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100afae2e109ac0a71b437b6f1a9e5194d085c999fe2c8de11b261f016c88e734eb1a6767b15bc7d8338bf3acc14e8a18bf857fd3dfbce637e9b0d3654f15d9068bdf4450517cf72651be8d4c8ff738ea961b2f5584bf7089afaa0a37b94910d18083bf649a7d395a41f04e68f14494d10ffc7d984a2c81e97f3421c1ec38c629b2456a3d8f3bf3915e86317ea71bb24422bef475e677e8967670b4f6ee2a80a45adcbd086a6537ab5fc12bf69f9072b620020de1880cec6cdea47543d1fec4c5ff547ac2447a1e210d9c128dc3337726eb63d5c1c731aa2c63ce175dbc8ebfb9c1e5198815be473781c3f82c2b59d23deb9739dda53c98d31a3fba57760aeaa89b0203010001a38201053082010130090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e04160414e5e410876c2ac4bead854942a6de7658303a9fc1306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100301e0603551d110417301582136d6f6f6e2e7374726f6e677377616e2e6f726730390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f7374726f6e677377616e2e63726c300d06092a864886f70d010104050003820101002f2f2921667aa576bb0c71b601dfa5b358a93e84e8a1af9754ddfbfc67879cb6c6b7833c5749e7c30b11a87b3549e105dda5d371c459f7d40fabd60c4ac8623924be84c96cfa638eb6ce9f6513b9d61080b895d270c405eacc310c709a613b6f61029c94f535ac5836b890be402ad2c52f01f7fd4bff8c0cc0cbea9720ef21c0bb41fb0726852a3c38563d917fdcca186dede6fbc83febd9edf0541382464ee378f7b8c9684df0d2402b07eb11dd4a886ab5e7299d99ea2686994746c2d9c00d95b02b2950d67f7978c6db5b379c4a3170239c414cf743bab866005366809690073a150e73c6866b9b335616acdbd3a8e651596dedb686b5d8d3eeb12df9d729'
+  1, 1, X'308204223082030aa003020102020117300d06092a864886f70d01010b05003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3039303832373130303333325a170d3134303832363130303333325a3046310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311c301a060355040313136d6f6f6e2e7374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100ca2f633dd4bbba0586215b15a0312f73f533124f0b339b9ae13bb648b02b4c468e0f01e630fbef92197b7708f5dbffea7e496286966d75acf13bd5e4377a1821d82de102eadf9963b489041a0b0f9f76b79e2150aa39020e3fa52a677dbb879c986291e4f1542fe2f0494e9c5c954d4faa75a17aa7b56652f1b16efbdcb46697f7d0b7f520bc990205365938d2cd31f2beed30e761a56c02d9dc82f0cdefc9d43447b6a98f7628aed2ac127a4a9504838f66e7517e5e0b0672c8165474bce689f73a6fc6e3c72b2c45498ddbbc0b17b04915606fe94f256cc777c42c534560ffbbe5aacdd944cc8db4d2abaf8a294af55b03a6a01a54d78430ab78389753c2870203010001a382011a3082011630090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e041604146a9c74d1f8897989f65a94e989f1fac3649d292e306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100301e0603551d110417301582136d6f6f6e2e7374726f6e677377616e2e6f726730130603551d25040c300a06082b0601050507030130390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f7374726f6e677377616e2e63726c300d06092a864886f70d01010b050003820101009cb57836c5e328cda4d58e204bd4ff0c63db841f926d53411c790d516c8e7fdaf191767102343f68003639bda99a684d8c76ad9087fbe55e730ba378a2e442e3b1095875361939c30e75c5145d8bdb6c55f5730a64061c819751f6e4aa6d1dc810fc79dc78aa7790ebaac183988e0c1e3d7ba5729597c7413642d40215041914fc8459e349c47d28825839dd03d77c763d236fc6ba48f95746f3a7b304d06b3c29d9d87666db0eacd080fb2d6bdebf9be1e8265b2b545fb81aa8a18fa056301436c9b8cf599746de81fddb9704f2feb4472f7c0f467fb7281b014167879a0ebda7fae36a5a5607376a803bec8f14f94663102c484a8887ba5b58ed04ee7cec0f'
 );
 
 INSERT INTO certificate_identity (
@@ -73,7 +73,7 @@ INSERT INTO certificate_identity (
 INSERT INTO private_keys (
    type, data
 ) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */
-  1, X'308204a30201000282010100afae2e109ac0a71b437b6f1a9e5194d085c999fe2c8de11b261f016c88e734eb1a6767b15bc7d8338bf3acc14e8a18bf857fd3dfbce637e9b0d3654f15d9068bdf4450517cf72651be8d4c8ff738ea961b2f5584bf7089afaa0a37b94910d18083bf649a7d395a41f04e68f14494d10ffc7d984a2c81e97f3421c1ec38c629b2456a3d8f3bf3915e86317ea71bb24422bef475e677e8967670b4f6ee2a80a45adcbd086a6537ab5fc12bf69f9072b620020de1880cec6cdea47543d1fec4c5ff547ac2447a1e210d9c128dc3337726eb63d5c1c731aa2c63ce175dbc8ebfb9c1e5198815be473781c3f82c2b59d23deb9739dda53c98d31a3fba57760aeaa89b0203010001028201004080550d67a42036945a377ab072078f5fef9b0885573a34fb941ab3bcb816e7d2f3f050600049d2f3296e5e32f5e50c3c79a852d74a377127a915e329845b30f3b26342e7fcde26d92d8bd4b7d23fdf08f02217f129e2838a8ce1d4b78ce33eaa2095515b74b93cc87c216fa3dc77bdc4d86017ababaf0d3318c9d86f27e29aa3301f6d7990f6f7f71db9de23ac66800ba0db4f42bbe82932ca56e08ba730c63febaf2779198cee387ee0934b32a2610ab990a4b908951bb1db2345cf1905f11aeaa6d1b368b7f82b1345ad14544e11d47d6981fc4be083326050cb950363dad1b28dbc16db42ec0fa973312c7306063bc9f308a6b0bcc965e5cb7e0b323ca102818100e71fffd9c9a528bdcb6e9ad1a5f4b354e3ea337392784aac790b4fba7f46b3b58d55965573f6493b686375cf6a0c68da9379434b055b625f01d64a9f1934cb075b25db5ef568325039674d577590b5ec54284842e04c27c97103a151805c9b620a3df84181e3a0c10752a7da6cac9629471a2bc85b32c3a160f3a8adf2d783d302818100c2968f5baf0d246bb9671b1dcfadab3a23cd6f9f1cba8c4b0d9b09d6c30a24eec174f22a4d9d2818d760b79a61c9cdd1381487723a99773a629b58171a6e28706bf083700f35037a0cb0649c9359987ccf77b44b4b3d94c614c74537c7025b503dc9967095411ecaec4b4427bc39dd5dfccbb8bab5d92e9465ab11e5e05d7319028181008b306e388e837461b89dc786f256c7991c18f31b6ade1eba77bb242cc071a7d0726954bbe9b62cac26559fa165d04b6536e3146f9dae4733c83b717d1705003051e81e90b56226cac18740c0a7009b4ed3efde74c7f7950e6f8d2c1d951c30477ebb8b428822b9b105e3f54a49a0365e6d7f895683f5b273019c3bbd663dfc190281807f5def6e12b1a682407405a2c8ba2356c5f2853a7fa2778bf4d6e364c87b4e5b5d138023427438b7b1da63b35088b808570dd0ee6afee2b4bbb074c382905235ebe11d176f4cc2fed3696e21b2ad358b947d04ed37cd9220e99ed966be0383e38cddf373b3ae514a7fca704d15fe46306bf4a8f0c570e7f5486ae6273269d89902818031055903f23c7db8da8951aad134c83a7ca951c48c9a7b994f36d9815bc82c80527b6da8e4beff9fee67b1fde5064719a40448bd6d70d9da8910122402835a328e74cfd34e8b568c29fae6ff831ef824fc825e609547a06052a4113ec09f00649bb7b7d195a773f11711c88f152b10a1b4ae58bb6d8bfc176e39f96c7c0de5c8'
+  1, X'308204a30201000282010100ca2f633dd4bbba0586215b15a0312f73f533124f0b339b9ae13bb648b02b4c468e0f01e630fbef92197b7708f5dbffea7e496286966d75acf13bd5e4377a1821d82de102eadf9963b489041a0b0f9f76b79e2150aa39020e3fa52a677dbb879c986291e4f1542fe2f0494e9c5c954d4faa75a17aa7b56652f1b16efbdcb46697f7d0b7f520bc990205365938d2cd31f2beed30e761a56c02d9dc82f0cdefc9d43447b6a98f7628aed2ac127a4a9504838f66e7517e5e0b0672c8165474bce689f73a6fc6e3c72b2c45498ddbbc0b17b04915606fe94f256cc777c42c534560ffbbe5aacdd944cc8db4d2abaf8a294af55b03a6a01a54d78430ab78389753c287020301000102820100204507f5ea6a3bfa7db9fd2baa71af3d36b97c0699a71702d5480e83f37a35a65d2e10038975ec7ac90e67a54a785e9432abcbc9e7607913ad3cfb9a7d304381c35b2f3aa3fa242541bf4ca44b77a6dfefd69142aaa886a777890907938dc6cb3b971fea068a854a1747dc0020d6c38c1f8cbec530d747099e01cfd0eb1ceff2b077bd07aaef4989b75594614b16a778891a2e490369d2a9571ddf5cd165331638a8a3c96184a8259eb588caab3bbfab9c0f77b66c830ecf0f294dc1b67a5f36b75e3e095e247864f19ab212fdbf34e0925316ca13c342b4ba464ecf93d2a8e39eee24dd63dddd938101a9f4b8f0de90765e1c1fda5c62e161cc712794aeaea102818100f85d60a6990447926da1ab9db7f094a5d435b11f70c5fef9541a89e05898001190cfdc651b8a23ccbfe8e7bdacd225776f01699d06be5ae5abc4690fe99b81fd9f369e973437fbcba2efdbe1dc6f8389fb2be78e3847f4f05323b2c7b6b6a4c85ca0aa72642747434f4358f0baf10ab173f9c3f24e9674570179dde23c6c248d02818100d06693eb5c92b6d516f630b79b1b98ea3910cbc4c442a4779ce16f5b09825c858ea4dfcc4d33eeb3e4de971a7fa5d2a153e9a83e65f7527ca77b93efc257960eadd8ce5b57e590d9189e542652ae3677c623343a39c1d16dbef3069406eaa4913eeba06e0a3af3c8539dbd4be7d9caf3ccd654ae397ae7faa72ba823e4b0206302818100ef2bc4f249f28415ef7b3bafd33d5b7861e61e9e7f543c18d0340a4840288810625ab90ba8bc9b8305dffca27c75965cf049f4f1a157d862c9c987bf2a2075cacdf2a44049aa0bd16b23fea3ff4a67ea8d351774aea024b0f5ef2fb00134db749336a94d254369edd8bbab3f8f56a60c82f9a807844480de746e6e0cfa50cdd50281807b32d8e93fadc00612eff176e96c14270b1b41cb0dd6f3d17e5dcaedbf9e6041d844e1c4ae33303f0ae307e2f3693d2e8023d68124d863dc2b4aa3f70e25a7210066f5ff0be43b900bbcb5b47e165d3ecb544e70c96a29fbbdf17f870cdbb3f3e585782ef53f4a94b7d1bd715d1be49de20f26ba6462a3370b928470cba5cf4f028180324ffacf705e6746f741d24ff6aa0bb14aad55cba41eb7758e6cc0d51f40feac6b4a459ce374af424287f602b0614520079b436b8e90cde0ddff679304e9efdd74a2ffbfe6e4e1bd1236c360413f2d2656e00b3e3cb217567671bf73a722a222e5e85d109fe2c77caf5951f5b9f4171c744afa717fe7e9306488e6ab87341298'
 );
 
 INSERT INTO private_key_identity (
@@ -181,3 +181,28 @@ INSERT INTO addresses (
 ) VALUES (
   1, X'0a030006'
 );
+
+INSERT INTO attributes ( 
+  type, value
+) VALUES (
+  3, X'c0a80096'
+);
+
+INSERT INTO attributes (
+  type, value
+) VALUES (
+  3, X'0a010014'
+);
+
+INSERT INTO attributes (
+  type, value
+) VALUES (
+  4, X'0a010014'
+);
+
+INSERT INTO attributes (
+  type, value
+) VALUES (
+  7, X'7374726f6e675377616e20342e332e36'
+);
+
diff --git a/testing/tests/sql/ip-pool-db/hosts/moon/etc/strongswan.conf b/testing/tests/sql/ip-pool-db/hosts/moon/etc/strongswan.conf
index a747a6cb1..e377047a4 100644
--- a/testing/tests/sql/ip-pool-db/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/ip-pool-db/hosts/moon/etc/strongswan.conf
@@ -6,7 +6,15 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown sqlite sql attr-sql
+}
+
+libstrongswan {
+  plugins {
+    attr-sql {
+      database = sqlite:///etc/ipsec.d/ipsec.db
+    }
+  }
 }
 
 pool {
diff --git a/testing/tests/sql/ip-pool-db/pretest.dat b/testing/tests/sql/ip-pool-db/pretest.dat
index 76316f33d..a5d786b3f 100644
--- a/testing/tests/sql/ip-pool-db/pretest.dat
+++ b/testing/tests/sql/ip-pool-db/pretest.dat
@@ -16,3 +16,4 @@ dave::ipsec start
 carol::sleep 1
 carol::ipsec up home
 dave::ipsec up home
+dave::sleep 1
diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/ipsec.d/data.sql
index ca813d44f..9afa1b15d 100644
--- a/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/ipsec.d/data.sql
@@ -9,7 +9,7 @@ INSERT INTO identities (
 INSERT INTO identities (
   type, data
 ) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
-  202, X'ae096b87b44886d3b820978623dabd0eae22ebbc'
+  11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def'
  );
 
 INSERT INTO identities (
@@ -21,7 +21,7 @@ INSERT INTO identities (
 INSERT INTO identities (
   type, data
 ) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=carol@strongswan.org' */
-  202, X'985c23660cd9b9a7554da6a4aa31ea02230fd482'
+  11, X'1fa1a988d9648cb5a0a2546439b4f23d745d6e7c'
  );
 
 INSERT INTO identities (
@@ -41,7 +41,7 @@ INSERT INTO certificates (
 INSERT INTO certificates (
    type, keytype, data
 ) VALUES ( /* C=CH, O=Linux strongSwan, CN=carol@strongswan.org */
-  1, 1, X'308204223082030aa00302010202010a300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3035303130313231343331385a170d3039313233313231343331385a305a310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e3111300f060355040b13085265736561726368311d301b060355040314146361726f6c407374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100b81b84920408e086c8d278d3ad2e9ffc01b89e8c423b612b908010f8174ff96f6729e84b185fb96e60783082c507ace9d64f79beb0252e05e5f1f7a89a0b33e6789f5deb665084cb230191c165bcad1a34563e011b349bb6ab517f01ecf7e2f4de961d36203b85e97811cb26b650cfd014d15dd2d2b71efd656e5638a24bf70986b8128bbae5f3b428d6360e03d3f4e816502e3d1d14d7165ab1a92a9fe15ef045d4e48ff5bd798ec80c9420962c9a9798b54a0ed2a00cf2c9651d7d9882e181c1ef6b1c43edcada2fd191e109962dbd26f38a00208c1ac3ed27a5924c60330c79878eb5c7a90960a6472f979aca9c5aee2bb4d0aed395b546c5e361910a06370203010001a38201063082010230090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e041604145535eca6eba279baef887f18438fd227b16746d1306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100301f0603551d110418301681146361726f6c407374726f6e677377616e2e6f726730390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f7374726f6e677377616e2e63726c300d06092a864886f70d01010405000382010100b1304a7e65d72573468853e8cedd398bf3581cc1e6b4054b9c8d97c3caf0929035dc5e274e7b3fa5fef52e7860bb06aab5ba40c5f1ca55806b4cd873f133ded948b3c89cc81621e2eadee5fc893b48a34e4462a45ab09c41200918f68ea36babfacf4099aa349b8b65841eb1e416b90e4eb462edd786cdb0008565633a701fcd2c416ae8e4754c5bea3181736179aa901e5526c4fac031ce649d851c85ded514c25e3269b0739a879d273950e1a9ea8341b5e1049c07181792ad37da02aeccd555c56469e8e15a9e72860b520dbec05662d37adb08d79575e133f338b0116198fa5fb556fe02682bd634aca535f6750b0daa123f5ad36f2e67caa260587f1aa9'
+  1, 1, X'308204223082030aa00302010202011d300d06092a864886f70d01010b05003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3039303832373130343435315a170d3134303832363130343435315a305a310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e3111300f060355040b13085265736561726368311d301b060355040314146361726f6c407374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100d05d594f8117bc78972a3ec479ebe1400e53cf72410b93e6f74fa17cf1ea444fb23600bae92d81747e49a2e4407c3f6118033d22a3e67ce69a53907ffad646bfbc3b6abe0bdd9a5080a690dbd919a9a8e70d9694e319e93e5d9361eff9033ac53fc6cd6c95af574c62effbb72c03d41c3b696fc7aa4444483bbaabde555aef8bce0e9797108d11ecf462c66b37f7c2e812f6ab3280a8c05b207156f0e3a787e9c4638205e40ce466716bc35d8623bd99f3cda9c3dee5c8ac19852cff18c405049c7eae735dc393f5209c13946e4f51da030ad7bf31caf58a203eccea2fc79e71d46a06c5dba85d65397a0adfd4cb5a9517fd3dcf17af8ab7584293026b19ad510203010001a38201063082010230090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e041604141fa1a988d9648cb5a0a2546439b4f23d745d6e7c306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100301f0603551d110418301681146361726f6c407374726f6e677377616e2e6f726730390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f7374726f6e677377616e2e63726c300d06092a864886f70d01010b05000382010100bca6a5f72ab4b329eba519dcf2740578846c180775a2074da82769e1e4c241bbb2742a7e08564bcb507492661491c71e79b5065f758aad5d54bb66ec86fbaad5eec6f9f794884707e42c07636efbf4c99225e31c7c8f9d0adf2311fbd6975b535218f1246fc06305432b1769231933aaa26a3c388cf2237ebdcfd909aed1219d2dfb9c771da5ec190b5c077167c9eb077dc319b3d9d5579a05502f60635ddfc17292c56880b887b8cc5d0e455118e753b2bdc526b84fc3e947a16b42139c218057029f781a233c26a98a641194a5e3feddccb88b70d5d7c2b2afae10e17665ce164294d138dec80caa25fcf1d737ce7a43cd3ed3e758fe77ef6445fe59d06391'
 );
 
 INSERT INTO certificate_identity (
@@ -73,7 +73,7 @@ INSERT INTO certificate_identity (
 INSERT INTO private_keys (
    type, data
 ) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=carol@strongswan.org' */
-  1, X'308204a30201000282010100b81b84920408e086c8d278d3ad2e9ffc01b89e8c423b612b908010f8174ff96f6729e84b185fb96e60783082c507ace9d64f79beb0252e05e5f1f7a89a0b33e6789f5deb665084cb230191c165bcad1a34563e011b349bb6ab517f01ecf7e2f4de961d36203b85e97811cb26b650cfd014d15dd2d2b71efd656e5638a24bf70986b8128bbae5f3b428d6360e03d3f4e816502e3d1d14d7165ab1a92a9fe15ef045d4e48ff5bd798ec80c9420962c9a9798b54a0ed2a00cf2c9651d7d9882e181c1ef6b1c43edcada2fd191e109962dbd26f38a00208c1ac3ed27a5924c60330c79878eb5c7a90960a6472f979aca9c5aee2bb4d0aed395b546c5e361910a063702030100010282010100a7870abc1f85c061858dd7baae24f61947abaa41f0e6bd85f9c83f28b175e980d0bc168f76cf6c199f18def3afbc4b40c0edb2d7accb3834cfc7bd57234d3c5de4b707ac737ea3478144255079761581f9cbdc41ff72809ad90ba069ad2ae7cf7057e29ee4f7a4e40c890c75de826c8768da16e9072af0bd1db6282902ade34cb1b9c3fdd00a8f0330328e18d477009ac5a43952fe05b7257b8b4e7f8f5288e858ef56ea3a031980d38b879e6327d949a8f3c19bf379c1297b3defc0a374a6ea6f1c0e8124247c33392ae446081f486f58bb41cbcba25915d37eefe0828408f7f679841588424ef59b6dee30805b926fa80e7ff57cb4817167ca72bf51c8cf9102818100da567b0cbbc426e4455ffdd1b8013644d9f47785b05b163a0155c81d57c0cd84fe73aa75125caf116de50b7adc369707ed91127db7d4422bb08cff5ddf91f4a0e5fb264e098fe6fe62f8a2ab933eeac41893f365d8165f79143855b5a5b7dc31c9b34a9d453ee7c8d7b24f89e3ed51bfeadc2e1102308a967b241dfb44c8ad6902818100d7dd78437c533a15fd1dd6b0634334e79c31d215017f5a8869e42cbada3fb09167585e087e72f91575441f7cca9a64246df57f0e45f1ae86a289a4307586aa1cc3cd069c65057cc3b0baac3634064e53179bde9af2531a5af2770a1d7ccbdc263f18299ad2ec0d224b718002633a546af74c7cac72ccdf253ab4370137bf829f02818063b2f5c15cc43716296fa9d167fa75b37eeb18e0dd24dac365f4abca6a55ca031ec5e6624b1e337afbf9890273282253267206458df9c8b5768b0bd8ebcc142e9c95d069f607d5ecf7789d9f473f85a841a8dd8df5dc518052715f01f14841ae22725271fa3abd5082de135fddca7277f660d05047f5ae73048bfb7ccf6deb7102818028b2b4ade48ebc70d0dc03521624e1a0992e3b71826ac462dbb40d4add430cc31d3ce7ddaa197b24b48b37748bae381b363006d8660f7edc1b60dff7d2f0a4b9efa0841290694c7088ad69327ef48167e1179e0c908b6278ab260e5e28dd36906f6cdacb39e10f48dbf8762dfd0f4e432c84db2c98285019f0cb7163656351f902818042a7d7d7f9416b3f3b50cf5815dfbc249cd3572e494c76d1ae99dc1e8bc63fbb32e5c18d5c4f90681e9046999cdcf0826f904350b9d67227f606382d9c7b3b1332d22744b2cefa691ab82dbec8e976a406b0902d0f4889392f80d39e2581ac42feed9085964650485e34811b04fa1f34c47cde5cbdd1d20f30111851a3c187ca'
+  1, X'308204a40201000282010100d05d594f8117bc78972a3ec479ebe1400e53cf72410b93e6f74fa17cf1ea444fb23600bae92d81747e49a2e4407c3f6118033d22a3e67ce69a53907ffad646bfbc3b6abe0bdd9a5080a690dbd919a9a8e70d9694e319e93e5d9361eff9033ac53fc6cd6c95af574c62effbb72c03d41c3b696fc7aa4444483bbaabde555aef8bce0e9797108d11ecf462c66b37f7c2e812f6ab3280a8c05b207156f0e3a787e9c4638205e40ce466716bc35d8623bd99f3cda9c3dee5c8ac19852cff18c405049c7eae735dc393f5209c13946e4f51da030ad7bf31caf58a203eccea2fc79e71d46a06c5dba85d65397a0adfd4cb5a9517fd3dcf17af8ab7584293026b19ad51020301000102820101008a86f560a12fd9b2c6b5646395b757db116b7108c1ebe399f3a43275f213d0f4b743a5fa9e1a0dee1823f6b30f984b3ecf0b20330e8aa7515d1adf7fe6915d1a0e17e6a0911cf4823ef5fe6adb8c6f3a86da86d9579f1b6dc622bd4320e79fc411e1a72360e4e1023ce8d60df2aa5cf3a420361ba5bc9b34f6d8e578fc8067aef457ff2a5a91f7c7c8a4f242cc46ab1cff18d6d1a4d8b82b5791df1f18a04b8cb2da235c3a795900fa7ffbbcb4b1d079a504673794eeca5e75c8c16ad2558965453515f57180b8dc518710aa874cd3bcdeddf109d5b553c27a351437f9c1bcdf8940f3ff8632dd59f6c8e01107b4bbf49c6c5409b6e9ecb29eada333800fa5d102818100f5537045d067df4d786df67e1cfea01ce3ca6de3f06be48efd8b4dc48c1ec19a711003875ee202343c851c8f970d2160a2e4d1108da6437af6bccfae803f61fc450582a89aa0906cba65fc7033aa584c1a2a17e96b2f368951aedaa5261f6e1c14999cfa7f4c4091890eff281cb4e6f37209f4b6d5778607caeca0a15137746d02818100d96e379ba5b4ed604d84a7ed71678a1f23391b749a697289bd3bee5d17985af89264f5ec35d3e37b1e44d6fdafec8a78ae199e0bb680f59f9800bb894ba5b31ee964f3ddc142f361835cf49a1edb75330f44f33c26c56e0752ae3fe0df760838b6437b99a131cb544d64da996baf3bc3f5709cc75f134b048cdebbf8bed1a5f502818017e2d8e2a34909cff432d8b62cc289fa661f7695a3fa0d55f2cfd67195a704f8b19b7a8c7aab8cc563431ea5c87249d6abe595898411352ecac9557b4b1760c5fc3e6e1b567addb5086d17a8210fabeb34fcf6390eeb98e6c3e23f7da6f99671fb7b7d725264ad40be548c796e5a1ac6874afaddb6691dceb26e59b17b43e7fd02818100ac90cb559f089fb56510b9eebba8bf78c30dd9fa8b6ad15afc738a551c1af1688357d9cea5520c2374fc91dd3a38f4159fa7f945b68d576458d18c0605a1f72dbb734211680768fea5b1aaf87f31122d7a1af12976640f55848b836b482f778afb2d47f5c077b2b6afce31a8be4c8f949141d54c6eeaf309237ccb973a6b4dd902818025ec4178c7f7c017c46a93fbdb72e2e3b199ae33c9fa6834f81b75b481cd6756124c744c821b126b07ea9852dc58de40cc87f160209d8af3b4bac4862778d3e21cbfdfcdbbfaad8911500f43a43041b88eefb27c66adfffeb9c8add95d1a4ed05f0bd81a4eda79fd4a0885a4a3bad0dcddecf83401c19df721d6cc7163c4125e'
 );
 
 INSERT INTO private_key_identity (
diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/strongswan.conf b/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/strongswan.conf
index 29e2395e8..f66e8ba8a 100644
--- a/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown sqlite sql
 }
diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/ipsec.d/data.sql b/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/ipsec.d/data.sql
index 5233806c7..425c180a1 100644
--- a/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/ipsec.d/data.sql
@@ -9,7 +9,7 @@ INSERT INTO identities (
 INSERT INTO identities (
   type, data
 ) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
-  202, X'ae096b87b44886d3b820978623dabd0eae22ebbc'
+  11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def'
  );
 
 INSERT INTO identities (
@@ -21,7 +21,7 @@ INSERT INTO identities (
 INSERT INTO identities (
   type, data
 ) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=dave@strongswan.org' */
-  202, X'f651b7ea33148cc5a76a622f1c1eb16c6bbdea25'
+  11, X'ee7f38daeea1b81a41777f78f2674be8439d8e0e'
  );
 
 INSERT INTO identities (
@@ -41,7 +41,7 @@ INSERT INTO certificates (
 INSERT INTO certificates (
    type, keytype, data
 ) VALUES ( /* C=CH, O=Linux strongSwan, CN=dave@strongswan.org */
-  1, 1, X'308204223082030aa003020102020108300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131323635315a170d3039303930393131323635315a305b310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e31133011060355040b130a4163636f756e74696e67311c301a0603550403141364617665407374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100c66c299463a8a78abef5ffa45679b7a070b5139834b146aa5138d0f1d8845412e112e4429ceeab23473e395e8aa38b2c024118d85b7ddf504118eabedf9c793bd02c949d6799cabeefe03ff62e304ddec98313afd966bcf13f1fb1a619548a060e17fbede205225b574e679adc9f11bdf9e36b48bea058d360d62b8445f9524db98757a4d59865363c675d28667a5dfa967dd03eea23a2dbea32ab0e9a1f8bb885f5e12723113843a12dd00552fcd4f548b31174aab2610e4a8752f6fca95494584db65cc7bd1ef50ee0d8c8211efb5063a995801cc0c1a903042b7ff7c94094a0de5d7390a8f72a01949cd958c6f2012692bd5dba6f30b09c3c0b69622864450203010001a38201053082010130090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e04160414de90b5d11c6c643c7450d36af8886ca31938fb72306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100301e0603551d1104173015811364617665407374726f6e677377616e2e6f726730390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f7374726f6e677377616e2e63726c300d06092a864886f70d0101040500038201010027a2d727384d2d2432f2f15875fa7693db3af1c7d5317cc21e1658f0843a918875d22c301b08e9c05a8aa3f02f6b8ae6705bb508988210f494fd19d92db786db21c1b6e6b18c0b7baa3fbd427da033fd2c08659daf9bc26dd99cf348c1ec139a9b8c32110199eaea08913f6b3a3d5b0c3d2a6f1f7e2c45b13452858949db416493f96dbf93e2173d81f99bc937b0c0c9e3874f4a90626a571295502ff5cf553dcdbdd7d4673dcbecc8ebbfc3e3ac0ce8a75120d6aa3dd2b6e9a61114cfbf0cba137c5934eddb32cfb96dd02fbf8adc903afa5f8d5959fce7a94fdd9e5a7a3816e35126e50fe7f818887bd2b2365b6b3a86d36a86849e9582d193e6a20b513988'
+  1, 1, X'308204223082030aa00302010202011c300d06092a864886f70d01010b05003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3039303832373130333733395a170d3134303832363130333733395a305b310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e31133011060355040b130a4163636f756e74696e67311c301a0603550403141364617665407374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100c007f2536f0558e68345d3ef017a175b73434e797f9b97448e720a5985aea76cc0503b8d63b4e239af95db83db0af65f8360e9d941912c121215643a0af32188fc520413e81645ff8e2e623c9362be1b57649530bf54fdad6563106105ace949d7de2895a4771c237090aaa2567bd7d9b08b2ad09f63f61bba87d7462046e89fa4570cb3c8e4322220a737af48c31cd0ec2140f3723b94742c4a14232e1d409f6b53c18aaa63e693fa5d3d06808e948db8273563d33dbd9ac44ecfd71e60426570885898b3e5538767eaf4ef713719e7fd89b32e4e3f60d972ef1617437d4dba14af4691fb8ec275a78552bae9d8aaf71c3d42aca793ef0ad09e1af353daab750203010001a38201053082010130090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e04160414ee7f38daeea1b81a41777f78f2674be8439d8e0e306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100301e0603551d1104173015811364617665407374726f6e677377616e2e6f726730390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f7374726f6e677377616e2e63726c300d06092a864886f70d01010b050003820101003201bc6ba4cb53011c378ef070b9aa5a1d79d3a69cfe4e45b27d7569813c2d3e57f7adb84f9380e3853db28323132356b3a2a3eba1fd9a05b0eb0e57424903ec64072ecce76bb8a28ca36090c202ee0455cbf89517d21888a454b56591c0d9a0cac94c383b20033af0d4f2bd7f5a2c116fdd537583fd9c4bbda8fdf4934be4520f0309b0a63c8d7f3156b157387d2d1005c8e1eb9ca4825c6ee84ad995166d987f7a44e074b55ba0eda269b23eceda503e5701a41daf70d8288fd36b3a14eade60d9a12a8a0bbea63d8caa4e62749931e55085bd45358650a1c97e8d34d8c936757abb9622b9ab5c758421a424c1b319c1a0cfb0d01bcd38297ed4f760132d4a'
 );
 
 INSERT INTO certificate_identity (
@@ -73,7 +73,7 @@ INSERT INTO certificate_identity (
 INSERT INTO private_keys (
    type, data
 ) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=dave@strongswan.org' */
-  1, X'308204a40201000282010100c66c299463a8a78abef5ffa45679b7a070b5139834b146aa5138d0f1d8845412e112e4429ceeab23473e395e8aa38b2c024118d85b7ddf504118eabedf9c793bd02c949d6799cabeefe03ff62e304ddec98313afd966bcf13f1fb1a619548a060e17fbede205225b574e679adc9f11bdf9e36b48bea058d360d62b8445f9524db98757a4d59865363c675d28667a5dfa967dd03eea23a2dbea32ab0e9a1f8bb885f5e12723113843a12dd00552fcd4f548b31174aab2610e4a8752f6fca95494584db65cc7bd1ef50ee0d8c8211efb5063a995801cc0c1a903042b7ff7c94094a0de5d7390a8f72a01949cd958c6f2012692bd5dba6f30b09c3c0b696228644502030100010282010100903fb9caa2d8cd5454974a0e12bfd1fad5750e95ac58e462954194c4fcfed690130844e1186d7a04df9a20e2d62f26d20ba17f8a6a990b6bb0a788a0d2b7527b654fc38adaf2372eaffc7b036178c4639e63a84042f02993c8ac25ddf6b43ad34413b396b0a5c2e05c8c274db1ee025bf5fa9ad7fb9d5e75ed044606974835c7fbc39ae84b80acaae9e9624e6fe8ac0ca318ad8a7d1c6ed3a79261464e6ebdb9c02ef20cb1c206c58718d542ed9cb1428c5c3cebbd58dc25598bbdd9924c75fdfeac881949e5f10a7dd4dc25800bdb4bd479ca0bfb706f25847361b2d2565a412813273691b4a3a5a814dce52cdbe25d626e6c9e000ecd6a75cac275187e265102818100e596d3ee25cd98563b12bf718c0ce7e7a823ae8c84f1021552b6b0bf220b7e012861510ab49d612fe7ba05a202edf4927201af0f33f4137481811f884fc46723f94db8ed69b283376f3141ad7e6f0f52afee60e537111c5bd94642564981a822e54edb6797521fb5870c772993ff517ea9c24adcd9dc502f1364d26a3f05ec4f02818100dd3f81e8a4f463488db2b048f2ef208c1c98ee136636b6449cbd3424c93ab25916908823a1ef3a23b4798c77f92a3e29b9469f8014c6b862e23ab5fe6000f9552de01f72c0a1fcc731b0867a3bf1d27596fc9da6ecd74931ce120b1687d2a67b4e4fb32b7fb750b46645aa38ab011a4d5fedd53d20e5ae3a4a5551b6cc5f5d2b02818100ba744b9954ca2bb59c341596398f21a7593de13bed9b6d7db3b6fac3befa6652ba608e588b6664cf6afa00291b07f5601986948d5c3c14b0c19c03e7c82051433dec890b06941b4ca1d8f6e5d7908a7934b7fba92b9791d86614513b9266e20db4fcdde2bb59ceb6b5fec1a7dab1b7958e786424082a8c542f03ea7eaec038b1028180055e2312b7ddce02d69d3d35a7df3154f4e4a8f2038ad44539e0454197383b5779faabb2e19ce236378cb361bdc3ce9a488a74183168d8d45d54bb519e96a775ef94fe6e544a19cde360bb02802dcfc356946e66bc5c44c456918d7f507045e5bbf2a710291b13742cff07b03445e49377fe572c127e4009ddffcfe9b56fa2dd02818040d41f525d885c951dca35924f46e4e7f4e43f4ea2e670230deb674884f5b8599a368b1647dd87523c4fdb62661f6543edecc9ce48d4a7b8b2a29de21fd438a9cf4823b92c85180b390c4f8dfbc196628d349fed1edd32cba5c063e2739d2153d3677d4815e55b8b4e9d0989b32cf0060de2ded4cd59edf6a4364cb55aff9276'
+  1, X'308204a50201000282010100c007f2536f0558e68345d3ef017a175b73434e797f9b97448e720a5985aea76cc0503b8d63b4e239af95db83db0af65f8360e9d941912c121215643a0af32188fc520413e81645ff8e2e623c9362be1b57649530bf54fdad6563106105ace949d7de2895a4771c237090aaa2567bd7d9b08b2ad09f63f61bba87d7462046e89fa4570cb3c8e4322220a737af48c31cd0ec2140f3723b94742c4a14232e1d409f6b53c18aaa63e693fa5d3d06808e948db8273563d33dbd9ac44ecfd71e60426570885898b3e5538767eaf4ef713719e7fd89b32e4e3f60d972ef1617437d4dba14af4691fb8ec275a78552bae9d8aaf71c3d42aca793ef0ad09e1af353daab750203010001028201010081e2de1d60f294f715c39d5e03f9b8e2ba4bc44099f77b917b67d76845eba48302714256982239021ba99918ce87d3ad3707ce248d1ccc5a4cb0fb61e7161c90b35a2637f0bb600d42f64cabfc64c58168d337b609344b81851a4471db8ce11e794c62d714af1bf13caa1d40408ef3a8e2a8bf04ed4a87a4a9be47f5becf3777d7254cf6ab0ff4f3e109235334796b030a1e03951a0ae64e224b3226a8e99174825eaa877efbc5cde0cd075687a9086f645654bda547f8927433f8eecd9ecfcb9b30ed6ff66bb4e5b7341f9626095798e279338e554045d0ae3ee94a1f10644ad88f10e7e7199923d45d5f8df2283859c3f4c41262426e654a04e895a21bb40102818100ea2e632ed6d314655c64eb6a18d4f492fea379ca091426bd7f381f1cbd7f1f79b73d694b9538ec693b245992f6a2a1b292279db9698eac40e43df3aa83b682ca5ab60ed07d02692e16c65cba91ee9aa9f768db2be9a1e0a213a93651a6886dcd35aa3f116ea73287a39a830cc2779bc02b9c8566c4cf8cd25ce99fa030ab965502818100d1ec351dafa33fff13a64c4a980a6f697735e705c1dc2a410b738210f4c059cd058579e4324d46e5bb0c1e6df4476d1a00206f66cf1be23645db193c69cbd04539f87e2b3f4617046031a1575a16a8e71b998844df2601d9d67958421f75c19943f53857b56a08583320b48a85def15b75c9ac5e4a232363824ab666b60ca0a102818100879dbf8083960fccb75a165f05ec658aaefe7aec3e9fb5e3adc611767263291632c0d4b699bf3261aa875d7c576a4d5bfd7a05c4375611792ef495a4dccc182819aa2f201c15065653882271454bb9b3ce7ca1d8675f80983bec95716990be8dc593471cd048f1614da4905a1650701934e85af4edeb083156ef50aad324bb5502818100814232ca9eb5a4d8499f2266e40bb8e275f708d3b0b502879ea777353d9f9b2bf4f46543affd896437b294a21bc24759b52e43aa4868e0f78e3804e80034f17f4edcc5c397686f0fd0b37ea72cdfbb0ce31fbc9abbd4c95afb0728e33e3fe1ff9faac510acb2278537a631c501fd6f1c6400d45412ce642207be3d662d3ec54102818055a928e09d9801f683ebb625e6ed97396ac1cd55b358d7aa06c8801759c2a51d517de1f88c537f532fea6cf563766d7818dc1de70b48d31c0102cad3562b7bf03a310b631428c22eabdc5555a90a5fc5310660a795d916ba1b57c09587f697d09dc092ac469e71f0e42fc6153c35ffe177898ea1e92aa6f28d3b86bfe30ad58c'
 );
 
 INSERT INTO private_key_identity (
diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/strongswan.conf b/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/strongswan.conf
index 29e2395e8..f66e8ba8a 100644
--- a/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown sqlite sql
 }
diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/ipsec.d/data.sql
index 2170e41af..ac776f39d 100644
--- a/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/ipsec.d/data.sql
@@ -9,7 +9,7 @@ INSERT INTO identities (
 INSERT INTO identities (
   type, data
 ) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
-  202, X'ae096b87b44886d3b820978623dabd0eae22ebbc'
+  11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def'
  );
 
 INSERT INTO identities (
@@ -21,7 +21,7 @@ INSERT INTO identities (
 INSERT INTO identities (
   type, data
 ) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */
-  202, X'd70dbd46d5133519064f12f100525ead0802ca95'
+  11, X'6a9c74d1f8897989f65a94e989f1fac3649d292e'
  );
 
 INSERT INTO identities (
@@ -53,7 +53,7 @@ INSERT INTO certificates (
 INSERT INTO certificates (
    type, keytype, data
 ) VALUES ( /* C=CH, O=Linux strongSwan, CN=moon.strongswan.org */
-  1, 1, X'3082040d308202f5a003020102020103300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131313732355a170d3039303930393131313732355a3046310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311c301a060355040313136d6f6f6e2e7374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100afae2e109ac0a71b437b6f1a9e5194d085c999fe2c8de11b261f016c88e734eb1a6767b15bc7d8338bf3acc14e8a18bf857fd3dfbce637e9b0d3654f15d9068bdf4450517cf72651be8d4c8ff738ea961b2f5584bf7089afaa0a37b94910d18083bf649a7d395a41f04e68f14494d10ffc7d984a2c81e97f3421c1ec38c629b2456a3d8f3bf3915e86317ea71bb24422bef475e677e8967670b4f6ee2a80a45adcbd086a6537ab5fc12bf69f9072b620020de1880cec6cdea47543d1fec4c5ff547ac2447a1e210d9c128dc3337726eb63d5c1c731aa2c63ce175dbc8ebfb9c1e5198815be473781c3f82c2b59d23deb9739dda53c98d31a3fba57760aeaa89b0203010001a38201053082010130090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e04160414e5e410876c2ac4bead854942a6de7658303a9fc1306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100301e0603551d110417301582136d6f6f6e2e7374726f6e677377616e2e6f726730390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f7374726f6e677377616e2e63726c300d06092a864886f70d010104050003820101002f2f2921667aa576bb0c71b601dfa5b358a93e84e8a1af9754ddfbfc67879cb6c6b7833c5749e7c30b11a87b3549e105dda5d371c459f7d40fabd60c4ac8623924be84c96cfa638eb6ce9f6513b9d61080b895d270c405eacc310c709a613b6f61029c94f535ac5836b890be402ad2c52f01f7fd4bff8c0cc0cbea9720ef21c0bb41fb0726852a3c38563d917fdcca186dede6fbc83febd9edf0541382464ee378f7b8c9684df0d2402b07eb11dd4a886ab5e7299d99ea2686994746c2d9c00d95b02b2950d67f7978c6db5b379c4a3170239c414cf743bab866005366809690073a150e73c6866b9b335616acdbd3a8e651596dedb686b5d8d3eeb12df9d729'
+  1, 1, X'308204223082030aa003020102020117300d06092a864886f70d01010b05003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3039303832373130303333325a170d3134303832363130303333325a3046310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311c301a060355040313136d6f6f6e2e7374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100ca2f633dd4bbba0586215b15a0312f73f533124f0b339b9ae13bb648b02b4c468e0f01e630fbef92197b7708f5dbffea7e496286966d75acf13bd5e4377a1821d82de102eadf9963b489041a0b0f9f76b79e2150aa39020e3fa52a677dbb879c986291e4f1542fe2f0494e9c5c954d4faa75a17aa7b56652f1b16efbdcb46697f7d0b7f520bc990205365938d2cd31f2beed30e761a56c02d9dc82f0cdefc9d43447b6a98f7628aed2ac127a4a9504838f66e7517e5e0b0672c8165474bce689f73a6fc6e3c72b2c45498ddbbc0b17b04915606fe94f256cc777c42c534560ffbbe5aacdd944cc8db4d2abaf8a294af55b03a6a01a54d78430ab78389753c2870203010001a382011a3082011630090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e041604146a9c74d1f8897989f65a94e989f1fac3649d292e306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100301e0603551d110417301582136d6f6f6e2e7374726f6e677377616e2e6f726730130603551d25040c300a06082b0601050507030130390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f7374726f6e677377616e2e63726c300d06092a864886f70d01010b050003820101009cb57836c5e328cda4d58e204bd4ff0c63db841f926d53411c790d516c8e7fdaf191767102343f68003639bda99a684d8c76ad9087fbe55e730ba378a2e442e3b1095875361939c30e75c5145d8bdb6c55f5730a64061c819751f6e4aa6d1dc810fc79dc78aa7790ebaac183988e0c1e3d7ba5729597c7413642d40215041914fc8459e349c47d28825839dd03d77c763d236fc6ba48f95746f3a7b304d06b3c29d9d87666db0eacd080fb2d6bdebf9be1e8265b2b545fb81aa8a18fa056301436c9b8cf599746de81fddb9704f2feb4472f7c0f467fb7281b014167879a0ebda7fae36a5a5607376a803bec8f14f94663102c484a8887ba5b58ed04ee7cec0f'
 );
 
 INSERT INTO certificate_identity (
@@ -85,7 +85,7 @@ INSERT INTO certificate_identity (
 INSERT INTO private_keys (
    type, data
 ) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */
-  1, X'308204a30201000282010100afae2e109ac0a71b437b6f1a9e5194d085c999fe2c8de11b261f016c88e734eb1a6767b15bc7d8338bf3acc14e8a18bf857fd3dfbce637e9b0d3654f15d9068bdf4450517cf72651be8d4c8ff738ea961b2f5584bf7089afaa0a37b94910d18083bf649a7d395a41f04e68f14494d10ffc7d984a2c81e97f3421c1ec38c629b2456a3d8f3bf3915e86317ea71bb24422bef475e677e8967670b4f6ee2a80a45adcbd086a6537ab5fc12bf69f9072b620020de1880cec6cdea47543d1fec4c5ff547ac2447a1e210d9c128dc3337726eb63d5c1c731aa2c63ce175dbc8ebfb9c1e5198815be473781c3f82c2b59d23deb9739dda53c98d31a3fba57760aeaa89b0203010001028201004080550d67a42036945a377ab072078f5fef9b0885573a34fb941ab3bcb816e7d2f3f050600049d2f3296e5e32f5e50c3c79a852d74a377127a915e329845b30f3b26342e7fcde26d92d8bd4b7d23fdf08f02217f129e2838a8ce1d4b78ce33eaa2095515b74b93cc87c216fa3dc77bdc4d86017ababaf0d3318c9d86f27e29aa3301f6d7990f6f7f71db9de23ac66800ba0db4f42bbe82932ca56e08ba730c63febaf2779198cee387ee0934b32a2610ab990a4b908951bb1db2345cf1905f11aeaa6d1b368b7f82b1345ad14544e11d47d6981fc4be083326050cb950363dad1b28dbc16db42ec0fa973312c7306063bc9f308a6b0bcc965e5cb7e0b323ca102818100e71fffd9c9a528bdcb6e9ad1a5f4b354e3ea337392784aac790b4fba7f46b3b58d55965573f6493b686375cf6a0c68da9379434b055b625f01d64a9f1934cb075b25db5ef568325039674d577590b5ec54284842e04c27c97103a151805c9b620a3df84181e3a0c10752a7da6cac9629471a2bc85b32c3a160f3a8adf2d783d302818100c2968f5baf0d246bb9671b1dcfadab3a23cd6f9f1cba8c4b0d9b09d6c30a24eec174f22a4d9d2818d760b79a61c9cdd1381487723a99773a629b58171a6e28706bf083700f35037a0cb0649c9359987ccf77b44b4b3d94c614c74537c7025b503dc9967095411ecaec4b4427bc39dd5dfccbb8bab5d92e9465ab11e5e05d7319028181008b306e388e837461b89dc786f256c7991c18f31b6ade1eba77bb242cc071a7d0726954bbe9b62cac26559fa165d04b6536e3146f9dae4733c83b717d1705003051e81e90b56226cac18740c0a7009b4ed3efde74c7f7950e6f8d2c1d951c30477ebb8b428822b9b105e3f54a49a0365e6d7f895683f5b273019c3bbd663dfc190281807f5def6e12b1a682407405a2c8ba2356c5f2853a7fa2778bf4d6e364c87b4e5b5d138023427438b7b1da63b35088b808570dd0ee6afee2b4bbb074c382905235ebe11d176f4cc2fed3696e21b2ad358b947d04ed37cd9220e99ed966be0383e38cddf373b3ae514a7fca704d15fe46306bf4a8f0c570e7f5486ae6273269d89902818031055903f23c7db8da8951aad134c83a7ca951c48c9a7b994f36d9815bc82c80527b6da8e4beff9fee67b1fde5064719a40448bd6d70d9da8910122402835a328e74cfd34e8b568c29fae6ff831ef824fc825e609547a06052a4113ec09f00649bb7b7d195a773f11711c88f152b10a1b4ae58bb6d8bfc176e39f96c7c0de5c8'
+  1, X'308204a30201000282010100ca2f633dd4bbba0586215b15a0312f73f533124f0b339b9ae13bb648b02b4c468e0f01e630fbef92197b7708f5dbffea7e496286966d75acf13bd5e4377a1821d82de102eadf9963b489041a0b0f9f76b79e2150aa39020e3fa52a677dbb879c986291e4f1542fe2f0494e9c5c954d4faa75a17aa7b56652f1b16efbdcb46697f7d0b7f520bc990205365938d2cd31f2beed30e761a56c02d9dc82f0cdefc9d43447b6a98f7628aed2ac127a4a9504838f66e7517e5e0b0672c8165474bce689f73a6fc6e3c72b2c45498ddbbc0b17b04915606fe94f256cc777c42c534560ffbbe5aacdd944cc8db4d2abaf8a294af55b03a6a01a54d78430ab78389753c287020301000102820100204507f5ea6a3bfa7db9fd2baa71af3d36b97c0699a71702d5480e83f37a35a65d2e10038975ec7ac90e67a54a785e9432abcbc9e7607913ad3cfb9a7d304381c35b2f3aa3fa242541bf4ca44b77a6dfefd69142aaa886a777890907938dc6cb3b971fea068a854a1747dc0020d6c38c1f8cbec530d747099e01cfd0eb1ceff2b077bd07aaef4989b75594614b16a778891a2e490369d2a9571ddf5cd165331638a8a3c96184a8259eb588caab3bbfab9c0f77b66c830ecf0f294dc1b67a5f36b75e3e095e247864f19ab212fdbf34e0925316ca13c342b4ba464ecf93d2a8e39eee24dd63dddd938101a9f4b8f0de90765e1c1fda5c62e161cc712794aeaea102818100f85d60a6990447926da1ab9db7f094a5d435b11f70c5fef9541a89e05898001190cfdc651b8a23ccbfe8e7bdacd225776f01699d06be5ae5abc4690fe99b81fd9f369e973437fbcba2efdbe1dc6f8389fb2be78e3847f4f05323b2c7b6b6a4c85ca0aa72642747434f4358f0baf10ab173f9c3f24e9674570179dde23c6c248d02818100d06693eb5c92b6d516f630b79b1b98ea3910cbc4c442a4779ce16f5b09825c858ea4dfcc4d33eeb3e4de971a7fa5d2a153e9a83e65f7527ca77b93efc257960eadd8ce5b57e590d9189e542652ae3677c623343a39c1d16dbef3069406eaa4913eeba06e0a3af3c8539dbd4be7d9caf3ccd654ae397ae7faa72ba823e4b0206302818100ef2bc4f249f28415ef7b3bafd33d5b7861e61e9e7f543c18d0340a4840288810625ab90ba8bc9b8305dffca27c75965cf049f4f1a157d862c9c987bf2a2075cacdf2a44049aa0bd16b23fea3ff4a67ea8d351774aea024b0f5ef2fb00134db749336a94d254369edd8bbab3f8f56a60c82f9a807844480de746e6e0cfa50cdd50281807b32d8e93fadc00612eff176e96c14270b1b41cb0dd6f3d17e5dcaedbf9e6041d844e1c4ae33303f0ae307e2f3693d2e8023d68124d863dc2b4aa3f70e25a7210066f5ff0be43b900bbcb5b47e165d3ecb544e70c96a29fbbdf17f870cdbb3f3e585782ef53f4a94b7d1bd715d1be49de20f26ba6462a3370b928470cba5cf4f028180324ffacf705e6746f741d24ff6aa0bb14aad55cba41eb7758e6cc0d51f40feac6b4a459ce374af424287f602b0614520079b436b8e90cde0ddff679304e9efdd74a2ffbfe6e4e1bd1236c360413f2d2656e00b3e3cb217567671bf73a722a222e5e85d109fe2c77caf5951f5b9f4171c744afa717fe7e9306488e6ab87341298'
 );
 
 INSERT INTO private_key_identity (
diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/strongswan.conf b/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/strongswan.conf
index a747a6cb1..e377047a4 100644
--- a/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/strongswan.conf
@@ -6,7 +6,15 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown sqlite sql attr-sql
+}
+
+libstrongswan {
+  plugins {
+    attr-sql {
+      database = sqlite:///etc/ipsec.d/ipsec.db
+    }
+  }
 }
 
 pool {
diff --git a/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/ipsec.d/data.sql
index ca813d44f..9afa1b15d 100644
--- a/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/ipsec.d/data.sql
@@ -9,7 +9,7 @@ INSERT INTO identities (
 INSERT INTO identities (
   type, data
 ) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
-  202, X'ae096b87b44886d3b820978623dabd0eae22ebbc'
+  11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def'
  );
 
 INSERT INTO identities (
@@ -21,7 +21,7 @@ INSERT INTO identities (
 INSERT INTO identities (
   type, data
 ) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=carol@strongswan.org' */
-  202, X'985c23660cd9b9a7554da6a4aa31ea02230fd482'
+  11, X'1fa1a988d9648cb5a0a2546439b4f23d745d6e7c'
  );
 
 INSERT INTO identities (
@@ -41,7 +41,7 @@ INSERT INTO certificates (
 INSERT INTO certificates (
    type, keytype, data
 ) VALUES ( /* C=CH, O=Linux strongSwan, CN=carol@strongswan.org */
-  1, 1, X'308204223082030aa00302010202010a300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3035303130313231343331385a170d3039313233313231343331385a305a310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e3111300f060355040b13085265736561726368311d301b060355040314146361726f6c407374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100b81b84920408e086c8d278d3ad2e9ffc01b89e8c423b612b908010f8174ff96f6729e84b185fb96e60783082c507ace9d64f79beb0252e05e5f1f7a89a0b33e6789f5deb665084cb230191c165bcad1a34563e011b349bb6ab517f01ecf7e2f4de961d36203b85e97811cb26b650cfd014d15dd2d2b71efd656e5638a24bf70986b8128bbae5f3b428d6360e03d3f4e816502e3d1d14d7165ab1a92a9fe15ef045d4e48ff5bd798ec80c9420962c9a9798b54a0ed2a00cf2c9651d7d9882e181c1ef6b1c43edcada2fd191e109962dbd26f38a00208c1ac3ed27a5924c60330c79878eb5c7a90960a6472f979aca9c5aee2bb4d0aed395b546c5e361910a06370203010001a38201063082010230090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e041604145535eca6eba279baef887f18438fd227b16746d1306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100301f0603551d110418301681146361726f6c407374726f6e677377616e2e6f726730390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f7374726f6e677377616e2e63726c300d06092a864886f70d01010405000382010100b1304a7e65d72573468853e8cedd398bf3581cc1e6b4054b9c8d97c3caf0929035dc5e274e7b3fa5fef52e7860bb06aab5ba40c5f1ca55806b4cd873f133ded948b3c89cc81621e2eadee5fc893b48a34e4462a45ab09c41200918f68ea36babfacf4099aa349b8b65841eb1e416b90e4eb462edd786cdb0008565633a701fcd2c416ae8e4754c5bea3181736179aa901e5526c4fac031ce649d851c85ded514c25e3269b0739a879d273950e1a9ea8341b5e1049c07181792ad37da02aeccd555c56469e8e15a9e72860b520dbec05662d37adb08d79575e133f338b0116198fa5fb556fe02682bd634aca535f6750b0daa123f5ad36f2e67caa260587f1aa9'
+  1, 1, X'308204223082030aa00302010202011d300d06092a864886f70d01010b05003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3039303832373130343435315a170d3134303832363130343435315a305a310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e3111300f060355040b13085265736561726368311d301b060355040314146361726f6c407374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100d05d594f8117bc78972a3ec479ebe1400e53cf72410b93e6f74fa17cf1ea444fb23600bae92d81747e49a2e4407c3f6118033d22a3e67ce69a53907ffad646bfbc3b6abe0bdd9a5080a690dbd919a9a8e70d9694e319e93e5d9361eff9033ac53fc6cd6c95af574c62effbb72c03d41c3b696fc7aa4444483bbaabde555aef8bce0e9797108d11ecf462c66b37f7c2e812f6ab3280a8c05b207156f0e3a787e9c4638205e40ce466716bc35d8623bd99f3cda9c3dee5c8ac19852cff18c405049c7eae735dc393f5209c13946e4f51da030ad7bf31caf58a203eccea2fc79e71d46a06c5dba85d65397a0adfd4cb5a9517fd3dcf17af8ab7584293026b19ad510203010001a38201063082010230090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e041604141fa1a988d9648cb5a0a2546439b4f23d745d6e7c306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100301f0603551d110418301681146361726f6c407374726f6e677377616e2e6f726730390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f7374726f6e677377616e2e63726c300d06092a864886f70d01010b05000382010100bca6a5f72ab4b329eba519dcf2740578846c180775a2074da82769e1e4c241bbb2742a7e08564bcb507492661491c71e79b5065f758aad5d54bb66ec86fbaad5eec6f9f794884707e42c07636efbf4c99225e31c7c8f9d0adf2311fbd6975b535218f1246fc06305432b1769231933aaa26a3c388cf2237ebdcfd909aed1219d2dfb9c771da5ec190b5c077167c9eb077dc319b3d9d5579a05502f60635ddfc17292c56880b887b8cc5d0e455118e753b2bdc526b84fc3e947a16b42139c218057029f781a233c26a98a641194a5e3feddccb88b70d5d7c2b2afae10e17665ce164294d138dec80caa25fcf1d737ce7a43cd3ed3e758fe77ef6445fe59d06391'
 );
 
 INSERT INTO certificate_identity (
@@ -73,7 +73,7 @@ INSERT INTO certificate_identity (
 INSERT INTO private_keys (
    type, data
 ) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=carol@strongswan.org' */
-  1, X'308204a30201000282010100b81b84920408e086c8d278d3ad2e9ffc01b89e8c423b612b908010f8174ff96f6729e84b185fb96e60783082c507ace9d64f79beb0252e05e5f1f7a89a0b33e6789f5deb665084cb230191c165bcad1a34563e011b349bb6ab517f01ecf7e2f4de961d36203b85e97811cb26b650cfd014d15dd2d2b71efd656e5638a24bf70986b8128bbae5f3b428d6360e03d3f4e816502e3d1d14d7165ab1a92a9fe15ef045d4e48ff5bd798ec80c9420962c9a9798b54a0ed2a00cf2c9651d7d9882e181c1ef6b1c43edcada2fd191e109962dbd26f38a00208c1ac3ed27a5924c60330c79878eb5c7a90960a6472f979aca9c5aee2bb4d0aed395b546c5e361910a063702030100010282010100a7870abc1f85c061858dd7baae24f61947abaa41f0e6bd85f9c83f28b175e980d0bc168f76cf6c199f18def3afbc4b40c0edb2d7accb3834cfc7bd57234d3c5de4b707ac737ea3478144255079761581f9cbdc41ff72809ad90ba069ad2ae7cf7057e29ee4f7a4e40c890c75de826c8768da16e9072af0bd1db6282902ade34cb1b9c3fdd00a8f0330328e18d477009ac5a43952fe05b7257b8b4e7f8f5288e858ef56ea3a031980d38b879e6327d949a8f3c19bf379c1297b3defc0a374a6ea6f1c0e8124247c33392ae446081f486f58bb41cbcba25915d37eefe0828408f7f679841588424ef59b6dee30805b926fa80e7ff57cb4817167ca72bf51c8cf9102818100da567b0cbbc426e4455ffdd1b8013644d9f47785b05b163a0155c81d57c0cd84fe73aa75125caf116de50b7adc369707ed91127db7d4422bb08cff5ddf91f4a0e5fb264e098fe6fe62f8a2ab933eeac41893f365d8165f79143855b5a5b7dc31c9b34a9d453ee7c8d7b24f89e3ed51bfeadc2e1102308a967b241dfb44c8ad6902818100d7dd78437c533a15fd1dd6b0634334e79c31d215017f5a8869e42cbada3fb09167585e087e72f91575441f7cca9a64246df57f0e45f1ae86a289a4307586aa1cc3cd069c65057cc3b0baac3634064e53179bde9af2531a5af2770a1d7ccbdc263f18299ad2ec0d224b718002633a546af74c7cac72ccdf253ab4370137bf829f02818063b2f5c15cc43716296fa9d167fa75b37eeb18e0dd24dac365f4abca6a55ca031ec5e6624b1e337afbf9890273282253267206458df9c8b5768b0bd8ebcc142e9c95d069f607d5ecf7789d9f473f85a841a8dd8df5dc518052715f01f14841ae22725271fa3abd5082de135fddca7277f660d05047f5ae73048bfb7ccf6deb7102818028b2b4ade48ebc70d0dc03521624e1a0992e3b71826ac462dbb40d4add430cc31d3ce7ddaa197b24b48b37748bae381b363006d8660f7edc1b60dff7d2f0a4b9efa0841290694c7088ad69327ef48167e1179e0c908b6278ab260e5e28dd36906f6cdacb39e10f48dbf8762dfd0f4e432c84db2c98285019f0cb7163656351f902818042a7d7d7f9416b3f3b50cf5815dfbc249cd3572e494c76d1ae99dc1e8bc63fbb32e5c18d5c4f90681e9046999cdcf0826f904350b9d67227f606382d9c7b3b1332d22744b2cefa691ab82dbec8e976a406b0902d0f4889392f80d39e2581ac42feed9085964650485e34811b04fa1f34c47cde5cbdd1d20f30111851a3c187ca'
+  1, X'308204a40201000282010100d05d594f8117bc78972a3ec479ebe1400e53cf72410b93e6f74fa17cf1ea444fb23600bae92d81747e49a2e4407c3f6118033d22a3e67ce69a53907ffad646bfbc3b6abe0bdd9a5080a690dbd919a9a8e70d9694e319e93e5d9361eff9033ac53fc6cd6c95af574c62effbb72c03d41c3b696fc7aa4444483bbaabde555aef8bce0e9797108d11ecf462c66b37f7c2e812f6ab3280a8c05b207156f0e3a787e9c4638205e40ce466716bc35d8623bd99f3cda9c3dee5c8ac19852cff18c405049c7eae735dc393f5209c13946e4f51da030ad7bf31caf58a203eccea2fc79e71d46a06c5dba85d65397a0adfd4cb5a9517fd3dcf17af8ab7584293026b19ad51020301000102820101008a86f560a12fd9b2c6b5646395b757db116b7108c1ebe399f3a43275f213d0f4b743a5fa9e1a0dee1823f6b30f984b3ecf0b20330e8aa7515d1adf7fe6915d1a0e17e6a0911cf4823ef5fe6adb8c6f3a86da86d9579f1b6dc622bd4320e79fc411e1a72360e4e1023ce8d60df2aa5cf3a420361ba5bc9b34f6d8e578fc8067aef457ff2a5a91f7c7c8a4f242cc46ab1cff18d6d1a4d8b82b5791df1f18a04b8cb2da235c3a795900fa7ffbbcb4b1d079a504673794eeca5e75c8c16ad2558965453515f57180b8dc518710aa874cd3bcdeddf109d5b553c27a351437f9c1bcdf8940f3ff8632dd59f6c8e01107b4bbf49c6c5409b6e9ecb29eada333800fa5d102818100f5537045d067df4d786df67e1cfea01ce3ca6de3f06be48efd8b4dc48c1ec19a711003875ee202343c851c8f970d2160a2e4d1108da6437af6bccfae803f61fc450582a89aa0906cba65fc7033aa584c1a2a17e96b2f368951aedaa5261f6e1c14999cfa7f4c4091890eff281cb4e6f37209f4b6d5778607caeca0a15137746d02818100d96e379ba5b4ed604d84a7ed71678a1f23391b749a697289bd3bee5d17985af89264f5ec35d3e37b1e44d6fdafec8a78ae199e0bb680f59f9800bb894ba5b31ee964f3ddc142f361835cf49a1edb75330f44f33c26c56e0752ae3fe0df760838b6437b99a131cb544d64da996baf3bc3f5709cc75f134b048cdebbf8bed1a5f502818017e2d8e2a34909cff432d8b62cc289fa661f7695a3fa0d55f2cfd67195a704f8b19b7a8c7aab8cc563431ea5c87249d6abe595898411352ecac9557b4b1760c5fc3e6e1b567addb5086d17a8210fabeb34fcf6390eeb98e6c3e23f7da6f99671fb7b7d725264ad40be548c796e5a1ac6874afaddb6691dceb26e59b17b43e7fd02818100ac90cb559f089fb56510b9eebba8bf78c30dd9fa8b6ad15afc738a551c1af1688357d9cea5520c2374fc91dd3a38f4159fa7f945b68d576458d18c0605a1f72dbb734211680768fea5b1aaf87f31122d7a1af12976640f55848b836b482f778afb2d47f5c077b2b6afce31a8be4c8f949141d54c6eeaf309237ccb973a6b4dd902818025ec4178c7f7c017c46a93fbdb72e2e3b199ae33c9fa6834f81b75b481cd6756124c744c821b126b07ea9852dc58de40cc87f160209d8af3b4bac4862778d3e21cbfdfcdbbfaad8911500f43a43041b88eefb27c66adfffeb9c8add95d1a4ed05f0bd81a4eda79fd4a0885a4a3bad0dcddecf83401c19df721d6cc7163c4125e'
 );
 
 INSERT INTO private_key_identity (
diff --git a/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/strongswan.conf b/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/strongswan.conf
index 29e2395e8..f66e8ba8a 100644
--- a/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown sqlite sql
 }
diff --git a/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/ipsec.d/data.sql b/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/ipsec.d/data.sql
index 5233806c7..425c180a1 100644
--- a/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/ipsec.d/data.sql
@@ -9,7 +9,7 @@ INSERT INTO identities (
 INSERT INTO identities (
   type, data
 ) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
-  202, X'ae096b87b44886d3b820978623dabd0eae22ebbc'
+  11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def'
  );
 
 INSERT INTO identities (
@@ -21,7 +21,7 @@ INSERT INTO identities (
 INSERT INTO identities (
   type, data
 ) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=dave@strongswan.org' */
-  202, X'f651b7ea33148cc5a76a622f1c1eb16c6bbdea25'
+  11, X'ee7f38daeea1b81a41777f78f2674be8439d8e0e'
  );
 
 INSERT INTO identities (
@@ -41,7 +41,7 @@ INSERT INTO certificates (
 INSERT INTO certificates (
    type, keytype, data
 ) VALUES ( /* C=CH, O=Linux strongSwan, CN=dave@strongswan.org */
-  1, 1, X'308204223082030aa003020102020108300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131323635315a170d3039303930393131323635315a305b310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e31133011060355040b130a4163636f756e74696e67311c301a0603550403141364617665407374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100c66c299463a8a78abef5ffa45679b7a070b5139834b146aa5138d0f1d8845412e112e4429ceeab23473e395e8aa38b2c024118d85b7ddf504118eabedf9c793bd02c949d6799cabeefe03ff62e304ddec98313afd966bcf13f1fb1a619548a060e17fbede205225b574e679adc9f11bdf9e36b48bea058d360d62b8445f9524db98757a4d59865363c675d28667a5dfa967dd03eea23a2dbea32ab0e9a1f8bb885f5e12723113843a12dd00552fcd4f548b31174aab2610e4a8752f6fca95494584db65cc7bd1ef50ee0d8c8211efb5063a995801cc0c1a903042b7ff7c94094a0de5d7390a8f72a01949cd958c6f2012692bd5dba6f30b09c3c0b69622864450203010001a38201053082010130090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e04160414de90b5d11c6c643c7450d36af8886ca31938fb72306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100301e0603551d1104173015811364617665407374726f6e677377616e2e6f726730390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f7374726f6e677377616e2e63726c300d06092a864886f70d0101040500038201010027a2d727384d2d2432f2f15875fa7693db3af1c7d5317cc21e1658f0843a918875d22c301b08e9c05a8aa3f02f6b8ae6705bb508988210f494fd19d92db786db21c1b6e6b18c0b7baa3fbd427da033fd2c08659daf9bc26dd99cf348c1ec139a9b8c32110199eaea08913f6b3a3d5b0c3d2a6f1f7e2c45b13452858949db416493f96dbf93e2173d81f99bc937b0c0c9e3874f4a90626a571295502ff5cf553dcdbdd7d4673dcbecc8ebbfc3e3ac0ce8a75120d6aa3dd2b6e9a61114cfbf0cba137c5934eddb32cfb96dd02fbf8adc903afa5f8d5959fce7a94fdd9e5a7a3816e35126e50fe7f818887bd2b2365b6b3a86d36a86849e9582d193e6a20b513988'
+  1, 1, X'308204223082030aa00302010202011c300d06092a864886f70d01010b05003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3039303832373130333733395a170d3134303832363130333733395a305b310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e31133011060355040b130a4163636f756e74696e67311c301a0603550403141364617665407374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100c007f2536f0558e68345d3ef017a175b73434e797f9b97448e720a5985aea76cc0503b8d63b4e239af95db83db0af65f8360e9d941912c121215643a0af32188fc520413e81645ff8e2e623c9362be1b57649530bf54fdad6563106105ace949d7de2895a4771c237090aaa2567bd7d9b08b2ad09f63f61bba87d7462046e89fa4570cb3c8e4322220a737af48c31cd0ec2140f3723b94742c4a14232e1d409f6b53c18aaa63e693fa5d3d06808e948db8273563d33dbd9ac44ecfd71e60426570885898b3e5538767eaf4ef713719e7fd89b32e4e3f60d972ef1617437d4dba14af4691fb8ec275a78552bae9d8aaf71c3d42aca793ef0ad09e1af353daab750203010001a38201053082010130090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e04160414ee7f38daeea1b81a41777f78f2674be8439d8e0e306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100301e0603551d1104173015811364617665407374726f6e677377616e2e6f726730390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f7374726f6e677377616e2e63726c300d06092a864886f70d01010b050003820101003201bc6ba4cb53011c378ef070b9aa5a1d79d3a69cfe4e45b27d7569813c2d3e57f7adb84f9380e3853db28323132356b3a2a3eba1fd9a05b0eb0e57424903ec64072ecce76bb8a28ca36090c202ee0455cbf89517d21888a454b56591c0d9a0cac94c383b20033af0d4f2bd7f5a2c116fdd537583fd9c4bbda8fdf4934be4520f0309b0a63c8d7f3156b157387d2d1005c8e1eb9ca4825c6ee84ad995166d987f7a44e074b55ba0eda269b23eceda503e5701a41daf70d8288fd36b3a14eade60d9a12a8a0bbea63d8caa4e62749931e55085bd45358650a1c97e8d34d8c936757abb9622b9ab5c758421a424c1b319c1a0cfb0d01bcd38297ed4f760132d4a'
 );
 
 INSERT INTO certificate_identity (
@@ -73,7 +73,7 @@ INSERT INTO certificate_identity (
 INSERT INTO private_keys (
    type, data
 ) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=dave@strongswan.org' */
-  1, X'308204a40201000282010100c66c299463a8a78abef5ffa45679b7a070b5139834b146aa5138d0f1d8845412e112e4429ceeab23473e395e8aa38b2c024118d85b7ddf504118eabedf9c793bd02c949d6799cabeefe03ff62e304ddec98313afd966bcf13f1fb1a619548a060e17fbede205225b574e679adc9f11bdf9e36b48bea058d360d62b8445f9524db98757a4d59865363c675d28667a5dfa967dd03eea23a2dbea32ab0e9a1f8bb885f5e12723113843a12dd00552fcd4f548b31174aab2610e4a8752f6fca95494584db65cc7bd1ef50ee0d8c8211efb5063a995801cc0c1a903042b7ff7c94094a0de5d7390a8f72a01949cd958c6f2012692bd5dba6f30b09c3c0b696228644502030100010282010100903fb9caa2d8cd5454974a0e12bfd1fad5750e95ac58e462954194c4fcfed690130844e1186d7a04df9a20e2d62f26d20ba17f8a6a990b6bb0a788a0d2b7527b654fc38adaf2372eaffc7b036178c4639e63a84042f02993c8ac25ddf6b43ad34413b396b0a5c2e05c8c274db1ee025bf5fa9ad7fb9d5e75ed044606974835c7fbc39ae84b80acaae9e9624e6fe8ac0ca318ad8a7d1c6ed3a79261464e6ebdb9c02ef20cb1c206c58718d542ed9cb1428c5c3cebbd58dc25598bbdd9924c75fdfeac881949e5f10a7dd4dc25800bdb4bd479ca0bfb706f25847361b2d2565a412813273691b4a3a5a814dce52cdbe25d626e6c9e000ecd6a75cac275187e265102818100e596d3ee25cd98563b12bf718c0ce7e7a823ae8c84f1021552b6b0bf220b7e012861510ab49d612fe7ba05a202edf4927201af0f33f4137481811f884fc46723f94db8ed69b283376f3141ad7e6f0f52afee60e537111c5bd94642564981a822e54edb6797521fb5870c772993ff517ea9c24adcd9dc502f1364d26a3f05ec4f02818100dd3f81e8a4f463488db2b048f2ef208c1c98ee136636b6449cbd3424c93ab25916908823a1ef3a23b4798c77f92a3e29b9469f8014c6b862e23ab5fe6000f9552de01f72c0a1fcc731b0867a3bf1d27596fc9da6ecd74931ce120b1687d2a67b4e4fb32b7fb750b46645aa38ab011a4d5fedd53d20e5ae3a4a5551b6cc5f5d2b02818100ba744b9954ca2bb59c341596398f21a7593de13bed9b6d7db3b6fac3befa6652ba608e588b6664cf6afa00291b07f5601986948d5c3c14b0c19c03e7c82051433dec890b06941b4ca1d8f6e5d7908a7934b7fba92b9791d86614513b9266e20db4fcdde2bb59ceb6b5fec1a7dab1b7958e786424082a8c542f03ea7eaec038b1028180055e2312b7ddce02d69d3d35a7df3154f4e4a8f2038ad44539e0454197383b5779faabb2e19ce236378cb361bdc3ce9a488a74183168d8d45d54bb519e96a775ef94fe6e544a19cde360bb02802dcfc356946e66bc5c44c456918d7f507045e5bbf2a710291b13742cff07b03445e49377fe572c127e4009ddffcfe9b56fa2dd02818040d41f525d885c951dca35924f46e4e7f4e43f4ea2e670230deb674884f5b8599a368b1647dd87523c4fdb62661f6543edecc9ce48d4a7b8b2a29de21fd438a9cf4823b92c85180b390c4f8dfbc196628d349fed1edd32cba5c063e2739d2153d3677d4815e55b8b4e9d0989b32cf0060de2ded4cd59edf6a4364cb55aff9276'
+  1, X'308204a50201000282010100c007f2536f0558e68345d3ef017a175b73434e797f9b97448e720a5985aea76cc0503b8d63b4e239af95db83db0af65f8360e9d941912c121215643a0af32188fc520413e81645ff8e2e623c9362be1b57649530bf54fdad6563106105ace949d7de2895a4771c237090aaa2567bd7d9b08b2ad09f63f61bba87d7462046e89fa4570cb3c8e4322220a737af48c31cd0ec2140f3723b94742c4a14232e1d409f6b53c18aaa63e693fa5d3d06808e948db8273563d33dbd9ac44ecfd71e60426570885898b3e5538767eaf4ef713719e7fd89b32e4e3f60d972ef1617437d4dba14af4691fb8ec275a78552bae9d8aaf71c3d42aca793ef0ad09e1af353daab750203010001028201010081e2de1d60f294f715c39d5e03f9b8e2ba4bc44099f77b917b67d76845eba48302714256982239021ba99918ce87d3ad3707ce248d1ccc5a4cb0fb61e7161c90b35a2637f0bb600d42f64cabfc64c58168d337b609344b81851a4471db8ce11e794c62d714af1bf13caa1d40408ef3a8e2a8bf04ed4a87a4a9be47f5becf3777d7254cf6ab0ff4f3e109235334796b030a1e03951a0ae64e224b3226a8e99174825eaa877efbc5cde0cd075687a9086f645654bda547f8927433f8eecd9ecfcb9b30ed6ff66bb4e5b7341f9626095798e279338e554045d0ae3ee94a1f10644ad88f10e7e7199923d45d5f8df2283859c3f4c41262426e654a04e895a21bb40102818100ea2e632ed6d314655c64eb6a18d4f492fea379ca091426bd7f381f1cbd7f1f79b73d694b9538ec693b245992f6a2a1b292279db9698eac40e43df3aa83b682ca5ab60ed07d02692e16c65cba91ee9aa9f768db2be9a1e0a213a93651a6886dcd35aa3f116ea73287a39a830cc2779bc02b9c8566c4cf8cd25ce99fa030ab965502818100d1ec351dafa33fff13a64c4a980a6f697735e705c1dc2a410b738210f4c059cd058579e4324d46e5bb0c1e6df4476d1a00206f66cf1be23645db193c69cbd04539f87e2b3f4617046031a1575a16a8e71b998844df2601d9d67958421f75c19943f53857b56a08583320b48a85def15b75c9ac5e4a232363824ab666b60ca0a102818100879dbf8083960fccb75a165f05ec658aaefe7aec3e9fb5e3adc611767263291632c0d4b699bf3261aa875d7c576a4d5bfd7a05c4375611792ef495a4dccc182819aa2f201c15065653882271454bb9b3ce7ca1d8675f80983bec95716990be8dc593471cd048f1614da4905a1650701934e85af4edeb083156ef50aad324bb5502818100814232ca9eb5a4d8499f2266e40bb8e275f708d3b0b502879ea777353d9f9b2bf4f46543affd896437b294a21bc24759b52e43aa4868e0f78e3804e80034f17f4edcc5c397686f0fd0b37ea72cdfbb0ce31fbc9abbd4c95afb0728e33e3fe1ff9faac510acb2278537a631c501fd6f1c6400d45412ce642207be3d662d3ec54102818055a928e09d9801f683ebb625e6ed97396ac1cd55b358d7aa06c8801759c2a51d517de1f88c537f532fea6cf563766d7818dc1de70b48d31c0102cad3562b7bf03a310b631428c22eabdc5555a90a5fc5310660a795d916ba1b57c09587f697d09dc092ac469e71f0e42fc6153c35ffe177898ea1e92aa6f28d3b86bfe30ad58c'
 );
 
 INSERT INTO private_key_identity (
diff --git a/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/strongswan.conf b/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/strongswan.conf
index 29e2395e8..f66e8ba8a 100644
--- a/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown sqlite sql
 }
diff --git a/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/ipsec.d/data.sql
index 51704fc98..a062ac167 100644
--- a/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/ipsec.d/data.sql
@@ -9,7 +9,7 @@ INSERT INTO identities (
 INSERT INTO identities (
   type, data
 ) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
-  202, X'ae096b87b44886d3b820978623dabd0eae22ebbc'
+  11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def'
  );
 
 INSERT INTO identities (
@@ -21,7 +21,7 @@ INSERT INTO identities (
 INSERT INTO identities (
   type, data
 ) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */
-  202, X'd70dbd46d5133519064f12f100525ead0802ca95'
+  11, X'6a9c74d1f8897989f65a94e989f1fac3649d292e'
  );
 
 INSERT INTO identities (
@@ -41,7 +41,7 @@ INSERT INTO certificates (
 INSERT INTO certificates (
    type, keytype, data
 ) VALUES ( /* C=CH, O=Linux strongSwan, CN=moon.strongswan.org */
-  1, 1, X'3082040d308202f5a003020102020103300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131313732355a170d3039303930393131313732355a3046310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311c301a060355040313136d6f6f6e2e7374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100afae2e109ac0a71b437b6f1a9e5194d085c999fe2c8de11b261f016c88e734eb1a6767b15bc7d8338bf3acc14e8a18bf857fd3dfbce637e9b0d3654f15d9068bdf4450517cf72651be8d4c8ff738ea961b2f5584bf7089afaa0a37b94910d18083bf649a7d395a41f04e68f14494d10ffc7d984a2c81e97f3421c1ec38c629b2456a3d8f3bf3915e86317ea71bb24422bef475e677e8967670b4f6ee2a80a45adcbd086a6537ab5fc12bf69f9072b620020de1880cec6cdea47543d1fec4c5ff547ac2447a1e210d9c128dc3337726eb63d5c1c731aa2c63ce175dbc8ebfb9c1e5198815be473781c3f82c2b59d23deb9739dda53c98d31a3fba57760aeaa89b0203010001a38201053082010130090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e04160414e5e410876c2ac4bead854942a6de7658303a9fc1306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100301e0603551d110417301582136d6f6f6e2e7374726f6e677377616e2e6f726730390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f7374726f6e677377616e2e63726c300d06092a864886f70d010104050003820101002f2f2921667aa576bb0c71b601dfa5b358a93e84e8a1af9754ddfbfc67879cb6c6b7833c5749e7c30b11a87b3549e105dda5d371c459f7d40fabd60c4ac8623924be84c96cfa638eb6ce9f6513b9d61080b895d270c405eacc310c709a613b6f61029c94f535ac5836b890be402ad2c52f01f7fd4bff8c0cc0cbea9720ef21c0bb41fb0726852a3c38563d917fdcca186dede6fbc83febd9edf0541382464ee378f7b8c9684df0d2402b07eb11dd4a886ab5e7299d99ea2686994746c2d9c00d95b02b2950d67f7978c6db5b379c4a3170239c414cf743bab866005366809690073a150e73c6866b9b335616acdbd3a8e651596dedb686b5d8d3eeb12df9d729'
+  1, 1, X'308204223082030aa003020102020117300d06092a864886f70d01010b05003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3039303832373130303333325a170d3134303832363130303333325a3046310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311c301a060355040313136d6f6f6e2e7374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100ca2f633dd4bbba0586215b15a0312f73f533124f0b339b9ae13bb648b02b4c468e0f01e630fbef92197b7708f5dbffea7e496286966d75acf13bd5e4377a1821d82de102eadf9963b489041a0b0f9f76b79e2150aa39020e3fa52a677dbb879c986291e4f1542fe2f0494e9c5c954d4faa75a17aa7b56652f1b16efbdcb46697f7d0b7f520bc990205365938d2cd31f2beed30e761a56c02d9dc82f0cdefc9d43447b6a98f7628aed2ac127a4a9504838f66e7517e5e0b0672c8165474bce689f73a6fc6e3c72b2c45498ddbbc0b17b04915606fe94f256cc777c42c534560ffbbe5aacdd944cc8db4d2abaf8a294af55b03a6a01a54d78430ab78389753c2870203010001a382011a3082011630090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e041604146a9c74d1f8897989f65a94e989f1fac3649d292e306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100301e0603551d110417301582136d6f6f6e2e7374726f6e677377616e2e6f726730130603551d25040c300a06082b0601050507030130390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f7374726f6e677377616e2e63726c300d06092a864886f70d01010b050003820101009cb57836c5e328cda4d58e204bd4ff0c63db841f926d53411c790d516c8e7fdaf191767102343f68003639bda99a684d8c76ad9087fbe55e730ba378a2e442e3b1095875361939c30e75c5145d8bdb6c55f5730a64061c819751f6e4aa6d1dc810fc79dc78aa7790ebaac183988e0c1e3d7ba5729597c7413642d40215041914fc8459e349c47d28825839dd03d77c763d236fc6ba48f95746f3a7b304d06b3c29d9d87666db0eacd080fb2d6bdebf9be1e8265b2b545fb81aa8a18fa056301436c9b8cf599746de81fddb9704f2feb4472f7c0f467fb7281b014167879a0ebda7fae36a5a5607376a803bec8f14f94663102c484a8887ba5b58ed04ee7cec0f'
 );
 
 INSERT INTO certificate_identity (
@@ -73,7 +73,7 @@ INSERT INTO certificate_identity (
 INSERT INTO private_keys (
    type, data
 ) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */
-  1, X'308204a30201000282010100afae2e109ac0a71b437b6f1a9e5194d085c999fe2c8de11b261f016c88e734eb1a6767b15bc7d8338bf3acc14e8a18bf857fd3dfbce637e9b0d3654f15d9068bdf4450517cf72651be8d4c8ff738ea961b2f5584bf7089afaa0a37b94910d18083bf649a7d395a41f04e68f14494d10ffc7d984a2c81e97f3421c1ec38c629b2456a3d8f3bf3915e86317ea71bb24422bef475e677e8967670b4f6ee2a80a45adcbd086a6537ab5fc12bf69f9072b620020de1880cec6cdea47543d1fec4c5ff547ac2447a1e210d9c128dc3337726eb63d5c1c731aa2c63ce175dbc8ebfb9c1e5198815be473781c3f82c2b59d23deb9739dda53c98d31a3fba57760aeaa89b0203010001028201004080550d67a42036945a377ab072078f5fef9b0885573a34fb941ab3bcb816e7d2f3f050600049d2f3296e5e32f5e50c3c79a852d74a377127a915e329845b30f3b26342e7fcde26d92d8bd4b7d23fdf08f02217f129e2838a8ce1d4b78ce33eaa2095515b74b93cc87c216fa3dc77bdc4d86017ababaf0d3318c9d86f27e29aa3301f6d7990f6f7f71db9de23ac66800ba0db4f42bbe82932ca56e08ba730c63febaf2779198cee387ee0934b32a2610ab990a4b908951bb1db2345cf1905f11aeaa6d1b368b7f82b1345ad14544e11d47d6981fc4be083326050cb950363dad1b28dbc16db42ec0fa973312c7306063bc9f308a6b0bcc965e5cb7e0b323ca102818100e71fffd9c9a528bdcb6e9ad1a5f4b354e3ea337392784aac790b4fba7f46b3b58d55965573f6493b686375cf6a0c68da9379434b055b625f01d64a9f1934cb075b25db5ef568325039674d577590b5ec54284842e04c27c97103a151805c9b620a3df84181e3a0c10752a7da6cac9629471a2bc85b32c3a160f3a8adf2d783d302818100c2968f5baf0d246bb9671b1dcfadab3a23cd6f9f1cba8c4b0d9b09d6c30a24eec174f22a4d9d2818d760b79a61c9cdd1381487723a99773a629b58171a6e28706bf083700f35037a0cb0649c9359987ccf77b44b4b3d94c614c74537c7025b503dc9967095411ecaec4b4427bc39dd5dfccbb8bab5d92e9465ab11e5e05d7319028181008b306e388e837461b89dc786f256c7991c18f31b6ade1eba77bb242cc071a7d0726954bbe9b62cac26559fa165d04b6536e3146f9dae4733c83b717d1705003051e81e90b56226cac18740c0a7009b4ed3efde74c7f7950e6f8d2c1d951c30477ebb8b428822b9b105e3f54a49a0365e6d7f895683f5b273019c3bbd663dfc190281807f5def6e12b1a682407405a2c8ba2356c5f2853a7fa2778bf4d6e364c87b4e5b5d138023427438b7b1da63b35088b808570dd0ee6afee2b4bbb074c382905235ebe11d176f4cc2fed3696e21b2ad358b947d04ed37cd9220e99ed966be0383e38cddf373b3ae514a7fca704d15fe46306bf4a8f0c570e7f5486ae6273269d89902818031055903f23c7db8da8951aad134c83a7ca951c48c9a7b994f36d9815bc82c80527b6da8e4beff9fee67b1fde5064719a40448bd6d70d9da8910122402835a328e74cfd34e8b568c29fae6ff831ef824fc825e609547a06052a4113ec09f00649bb7b7d195a773f11711c88f152b10a1b4ae58bb6d8bfc176e39f96c7c0de5c8'
+  1, X'308204a30201000282010100ca2f633dd4bbba0586215b15a0312f73f533124f0b339b9ae13bb648b02b4c468e0f01e630fbef92197b7708f5dbffea7e496286966d75acf13bd5e4377a1821d82de102eadf9963b489041a0b0f9f76b79e2150aa39020e3fa52a677dbb879c986291e4f1542fe2f0494e9c5c954d4faa75a17aa7b56652f1b16efbdcb46697f7d0b7f520bc990205365938d2cd31f2beed30e761a56c02d9dc82f0cdefc9d43447b6a98f7628aed2ac127a4a9504838f66e7517e5e0b0672c8165474bce689f73a6fc6e3c72b2c45498ddbbc0b17b04915606fe94f256cc777c42c534560ffbbe5aacdd944cc8db4d2abaf8a294af55b03a6a01a54d78430ab78389753c287020301000102820100204507f5ea6a3bfa7db9fd2baa71af3d36b97c0699a71702d5480e83f37a35a65d2e10038975ec7ac90e67a54a785e9432abcbc9e7607913ad3cfb9a7d304381c35b2f3aa3fa242541bf4ca44b77a6dfefd69142aaa886a777890907938dc6cb3b971fea068a854a1747dc0020d6c38c1f8cbec530d747099e01cfd0eb1ceff2b077bd07aaef4989b75594614b16a778891a2e490369d2a9571ddf5cd165331638a8a3c96184a8259eb588caab3bbfab9c0f77b66c830ecf0f294dc1b67a5f36b75e3e095e247864f19ab212fdbf34e0925316ca13c342b4ba464ecf93d2a8e39eee24dd63dddd938101a9f4b8f0de90765e1c1fda5c62e161cc712794aeaea102818100f85d60a6990447926da1ab9db7f094a5d435b11f70c5fef9541a89e05898001190cfdc651b8a23ccbfe8e7bdacd225776f01699d06be5ae5abc4690fe99b81fd9f369e973437fbcba2efdbe1dc6f8389fb2be78e3847f4f05323b2c7b6b6a4c85ca0aa72642747434f4358f0baf10ab173f9c3f24e9674570179dde23c6c248d02818100d06693eb5c92b6d516f630b79b1b98ea3910cbc4c442a4779ce16f5b09825c858ea4dfcc4d33eeb3e4de971a7fa5d2a153e9a83e65f7527ca77b93efc257960eadd8ce5b57e590d9189e542652ae3677c623343a39c1d16dbef3069406eaa4913eeba06e0a3af3c8539dbd4be7d9caf3ccd654ae397ae7faa72ba823e4b0206302818100ef2bc4f249f28415ef7b3bafd33d5b7861e61e9e7f543c18d0340a4840288810625ab90ba8bc9b8305dffca27c75965cf049f4f1a157d862c9c987bf2a2075cacdf2a44049aa0bd16b23fea3ff4a67ea8d351774aea024b0f5ef2fb00134db749336a94d254369edd8bbab3f8f56a60c82f9a807844480de746e6e0cfa50cdd50281807b32d8e93fadc00612eff176e96c14270b1b41cb0dd6f3d17e5dcaedbf9e6041d844e1c4ae33303f0ae307e2f3693d2e8023d68124d863dc2b4aa3f70e25a7210066f5ff0be43b900bbcb5b47e165d3ecb544e70c96a29fbbdf17f870cdbb3f3e585782ef53f4a94b7d1bd715d1be49de20f26ba6462a3370b928470cba5cf4f028180324ffacf705e6746f741d24ff6aa0bb14aad55cba41eb7758e6cc0d51f40feac6b4a459ce374af424287f602b0614520079b436b8e90cde0ddff679304e9efdd74a2ffbfe6e4e1bd1236c360413f2d2656e00b3e3cb217567671bf73a722a222e5e85d109fe2c77caf5951f5b9f4171c744afa717fe7e9306488e6ab87341298'
 );
 
 INSERT INTO private_key_identity (
diff --git a/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/strongswan.conf b/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/strongswan.conf
index a747a6cb1..e377047a4 100644
--- a/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/strongswan.conf
@@ -6,7 +6,15 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown sqlite sql attr-sql
+}
+
+libstrongswan {
+  plugins {
+    attr-sql {
+      database = sqlite:///etc/ipsec.d/ipsec.db
+    }
+  }
 }
 
 pool {
diff --git a/testing/tests/sql/net2net-cert/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/net2net-cert/hosts/moon/etc/ipsec.d/data.sql
index a5e0afcd7..c4424bd89 100644
--- a/testing/tests/sql/net2net-cert/hosts/moon/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/net2net-cert/hosts/moon/etc/ipsec.d/data.sql
@@ -9,7 +9,7 @@ INSERT INTO identities (
 INSERT INTO identities (
   type, data
 ) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
-  202, X'ae096b87b44886d3b820978623dabd0eae22ebbc'
+  11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def'
  );
 
 INSERT INTO identities (
@@ -27,7 +27,7 @@ INSERT INTO identities (
 INSERT INTO identities (
   type, data
 ) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */
-  202, X'd70dbd46d5133519064f12f100525ead0802ca95'
+  11, X'6a9c74d1f8897989f65a94e989f1fac3649d292e'
  );
 
 /* Certificates */
@@ -41,7 +41,7 @@ INSERT INTO certificates (
 INSERT INTO certificates (
    type, keytype, data
 ) VALUES ( /* C=CH, O=Linux strongSwan, CN=moon.strongswan.org */
-  1, 1, X'3082040d308202f5a003020102020103300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131313732355a170d3039303930393131313732355a3046310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311c301a060355040313136d6f6f6e2e7374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100afae2e109ac0a71b437b6f1a9e5194d085c999fe2c8de11b261f016c88e734eb1a6767b15bc7d8338bf3acc14e8a18bf857fd3dfbce637e9b0d3654f15d9068bdf4450517cf72651be8d4c8ff738ea961b2f5584bf7089afaa0a37b94910d18083bf649a7d395a41f04e68f14494d10ffc7d984a2c81e97f3421c1ec38c629b2456a3d8f3bf3915e86317ea71bb24422bef475e677e8967670b4f6ee2a80a45adcbd086a6537ab5fc12bf69f9072b620020de1880cec6cdea47543d1fec4c5ff547ac2447a1e210d9c128dc3337726eb63d5c1c731aa2c63ce175dbc8ebfb9c1e5198815be473781c3f82c2b59d23deb9739dda53c98d31a3fba57760aeaa89b0203010001a38201053082010130090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e04160414e5e410876c2ac4bead854942a6de7658303a9fc1306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100301e0603551d110417301582136d6f6f6e2e7374726f6e677377616e2e6f726730390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f7374726f6e677377616e2e63726c300d06092a864886f70d010104050003820101002f2f2921667aa576bb0c71b601dfa5b358a93e84e8a1af9754ddfbfc67879cb6c6b7833c5749e7c30b11a87b3549e105dda5d371c459f7d40fabd60c4ac8623924be84c96cfa638eb6ce9f6513b9d61080b895d270c405eacc310c709a613b6f61029c94f535ac5836b890be402ad2c52f01f7fd4bff8c0cc0cbea9720ef21c0bb41fb0726852a3c38563d917fdcca186dede6fbc83febd9edf0541382464ee378f7b8c9684df0d2402b07eb11dd4a886ab5e7299d99ea2686994746c2d9c00d95b02b2950d67f7978c6db5b379c4a3170239c414cf743bab866005366809690073a150e73c6866b9b335616acdbd3a8e651596dedb686b5d8d3eeb12df9d729'
+  1, 1, X'308204223082030aa003020102020117300d06092a864886f70d01010b05003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3039303832373130303333325a170d3134303832363130303333325a3046310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311c301a060355040313136d6f6f6e2e7374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100ca2f633dd4bbba0586215b15a0312f73f533124f0b339b9ae13bb648b02b4c468e0f01e630fbef92197b7708f5dbffea7e496286966d75acf13bd5e4377a1821d82de102eadf9963b489041a0b0f9f76b79e2150aa39020e3fa52a677dbb879c986291e4f1542fe2f0494e9c5c954d4faa75a17aa7b56652f1b16efbdcb46697f7d0b7f520bc990205365938d2cd31f2beed30e761a56c02d9dc82f0cdefc9d43447b6a98f7628aed2ac127a4a9504838f66e7517e5e0b0672c8165474bce689f73a6fc6e3c72b2c45498ddbbc0b17b04915606fe94f256cc777c42c534560ffbbe5aacdd944cc8db4d2abaf8a294af55b03a6a01a54d78430ab78389753c2870203010001a382011a3082011630090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e041604146a9c74d1f8897989f65a94e989f1fac3649d292e306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100301e0603551d110417301582136d6f6f6e2e7374726f6e677377616e2e6f726730130603551d25040c300a06082b0601050507030130390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f7374726f6e677377616e2e63726c300d06092a864886f70d01010b050003820101009cb57836c5e328cda4d58e204bd4ff0c63db841f926d53411c790d516c8e7fdaf191767102343f68003639bda99a684d8c76ad9087fbe55e730ba378a2e442e3b1095875361939c30e75c5145d8bdb6c55f5730a64061c819751f6e4aa6d1dc810fc79dc78aa7790ebaac183988e0c1e3d7ba5729597c7413642d40215041914fc8459e349c47d28825839dd03d77c763d236fc6ba48f95746f3a7b304d06b3c29d9d87666db0eacd080fb2d6bdebf9be1e8265b2b545fb81aa8a18fa056301436c9b8cf599746de81fddb9704f2feb4472f7c0f467fb7281b014167879a0ebda7fae36a5a5607376a803bec8f14f94663102c484a8887ba5b58ed04ee7cec0f'
 );
 
 INSERT INTO certificate_identity (
@@ -73,7 +73,7 @@ INSERT INTO certificate_identity (
 INSERT INTO private_keys (
    type, data
 ) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */
-  1, X'308204a30201000282010100afae2e109ac0a71b437b6f1a9e5194d085c999fe2c8de11b261f016c88e734eb1a6767b15bc7d8338bf3acc14e8a18bf857fd3dfbce637e9b0d3654f15d9068bdf4450517cf72651be8d4c8ff738ea961b2f5584bf7089afaa0a37b94910d18083bf649a7d395a41f04e68f14494d10ffc7d984a2c81e97f3421c1ec38c629b2456a3d8f3bf3915e86317ea71bb24422bef475e677e8967670b4f6ee2a80a45adcbd086a6537ab5fc12bf69f9072b620020de1880cec6cdea47543d1fec4c5ff547ac2447a1e210d9c128dc3337726eb63d5c1c731aa2c63ce175dbc8ebfb9c1e5198815be473781c3f82c2b59d23deb9739dda53c98d31a3fba57760aeaa89b0203010001028201004080550d67a42036945a377ab072078f5fef9b0885573a34fb941ab3bcb816e7d2f3f050600049d2f3296e5e32f5e50c3c79a852d74a377127a915e329845b30f3b26342e7fcde26d92d8bd4b7d23fdf08f02217f129e2838a8ce1d4b78ce33eaa2095515b74b93cc87c216fa3dc77bdc4d86017ababaf0d3318c9d86f27e29aa3301f6d7990f6f7f71db9de23ac66800ba0db4f42bbe82932ca56e08ba730c63febaf2779198cee387ee0934b32a2610ab990a4b908951bb1db2345cf1905f11aeaa6d1b368b7f82b1345ad14544e11d47d6981fc4be083326050cb950363dad1b28dbc16db42ec0fa973312c7306063bc9f308a6b0bcc965e5cb7e0b323ca102818100e71fffd9c9a528bdcb6e9ad1a5f4b354e3ea337392784aac790b4fba7f46b3b58d55965573f6493b686375cf6a0c68da9379434b055b625f01d64a9f1934cb075b25db5ef568325039674d577590b5ec54284842e04c27c97103a151805c9b620a3df84181e3a0c10752a7da6cac9629471a2bc85b32c3a160f3a8adf2d783d302818100c2968f5baf0d246bb9671b1dcfadab3a23cd6f9f1cba8c4b0d9b09d6c30a24eec174f22a4d9d2818d760b79a61c9cdd1381487723a99773a629b58171a6e28706bf083700f35037a0cb0649c9359987ccf77b44b4b3d94c614c74537c7025b503dc9967095411ecaec4b4427bc39dd5dfccbb8bab5d92e9465ab11e5e05d7319028181008b306e388e837461b89dc786f256c7991c18f31b6ade1eba77bb242cc071a7d0726954bbe9b62cac26559fa165d04b6536e3146f9dae4733c83b717d1705003051e81e90b56226cac18740c0a7009b4ed3efde74c7f7950e6f8d2c1d951c30477ebb8b428822b9b105e3f54a49a0365e6d7f895683f5b273019c3bbd663dfc190281807f5def6e12b1a682407405a2c8ba2356c5f2853a7fa2778bf4d6e364c87b4e5b5d138023427438b7b1da63b35088b808570dd0ee6afee2b4bbb074c382905235ebe11d176f4cc2fed3696e21b2ad358b947d04ed37cd9220e99ed966be0383e38cddf373b3ae514a7fca704d15fe46306bf4a8f0c570e7f5486ae6273269d89902818031055903f23c7db8da8951aad134c83a7ca951c48c9a7b994f36d9815bc82c80527b6da8e4beff9fee67b1fde5064719a40448bd6d70d9da8910122402835a328e74cfd34e8b568c29fae6ff831ef824fc825e609547a06052a4113ec09f00649bb7b7d195a773f11711c88f152b10a1b4ae58bb6d8bfc176e39f96c7c0de5c8'
+  1, X'308204a30201000282010100ca2f633dd4bbba0586215b15a0312f73f533124f0b339b9ae13bb648b02b4c468e0f01e630fbef92197b7708f5dbffea7e496286966d75acf13bd5e4377a1821d82de102eadf9963b489041a0b0f9f76b79e2150aa39020e3fa52a677dbb879c986291e4f1542fe2f0494e9c5c954d4faa75a17aa7b56652f1b16efbdcb46697f7d0b7f520bc990205365938d2cd31f2beed30e761a56c02d9dc82f0cdefc9d43447b6a98f7628aed2ac127a4a9504838f66e7517e5e0b0672c8165474bce689f73a6fc6e3c72b2c45498ddbbc0b17b04915606fe94f256cc777c42c534560ffbbe5aacdd944cc8db4d2abaf8a294af55b03a6a01a54d78430ab78389753c287020301000102820100204507f5ea6a3bfa7db9fd2baa71af3d36b97c0699a71702d5480e83f37a35a65d2e10038975ec7ac90e67a54a785e9432abcbc9e7607913ad3cfb9a7d304381c35b2f3aa3fa242541bf4ca44b77a6dfefd69142aaa886a777890907938dc6cb3b971fea068a854a1747dc0020d6c38c1f8cbec530d747099e01cfd0eb1ceff2b077bd07aaef4989b75594614b16a778891a2e490369d2a9571ddf5cd165331638a8a3c96184a8259eb588caab3bbfab9c0f77b66c830ecf0f294dc1b67a5f36b75e3e095e247864f19ab212fdbf34e0925316ca13c342b4ba464ecf93d2a8e39eee24dd63dddd938101a9f4b8f0de90765e1c1fda5c62e161cc712794aeaea102818100f85d60a6990447926da1ab9db7f094a5d435b11f70c5fef9541a89e05898001190cfdc651b8a23ccbfe8e7bdacd225776f01699d06be5ae5abc4690fe99b81fd9f369e973437fbcba2efdbe1dc6f8389fb2be78e3847f4f05323b2c7b6b6a4c85ca0aa72642747434f4358f0baf10ab173f9c3f24e9674570179dde23c6c248d02818100d06693eb5c92b6d516f630b79b1b98ea3910cbc4c442a4779ce16f5b09825c858ea4dfcc4d33eeb3e4de971a7fa5d2a153e9a83e65f7527ca77b93efc257960eadd8ce5b57e590d9189e542652ae3677c623343a39c1d16dbef3069406eaa4913eeba06e0a3af3c8539dbd4be7d9caf3ccd654ae397ae7faa72ba823e4b0206302818100ef2bc4f249f28415ef7b3bafd33d5b7861e61e9e7f543c18d0340a4840288810625ab90ba8bc9b8305dffca27c75965cf049f4f1a157d862c9c987bf2a2075cacdf2a44049aa0bd16b23fea3ff4a67ea8d351774aea024b0f5ef2fb00134db749336a94d254369edd8bbab3f8f56a60c82f9a807844480de746e6e0cfa50cdd50281807b32d8e93fadc00612eff176e96c14270b1b41cb0dd6f3d17e5dcaedbf9e6041d844e1c4ae33303f0ae307e2f3693d2e8023d68124d863dc2b4aa3f70e25a7210066f5ff0be43b900bbcb5b47e165d3ecb544e70c96a29fbbdf17f870cdbb3f3e585782ef53f4a94b7d1bd715d1be49de20f26ba6462a3370b928470cba5cf4f028180324ffacf705e6746f741d24ff6aa0bb14aad55cba41eb7758e6cc0d51f40feac6b4a459ce374af424287f602b0614520079b436b8e90cde0ddff679304e9efdd74a2ffbfe6e4e1bd1236c360413f2d2656e00b3e3cb217567671bf73a722a222e5e85d109fe2c77caf5951f5b9f4171c744afa717fe7e9306488e6ab87341298'
 );
 
 INSERT INTO private_key_identity (
diff --git a/testing/tests/sql/net2net-cert/hosts/moon/etc/strongswan.conf b/testing/tests/sql/net2net-cert/hosts/moon/etc/strongswan.conf
index 29e2395e8..f66e8ba8a 100644
--- a/testing/tests/sql/net2net-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/net2net-cert/hosts/moon/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown sqlite sql
 }
diff --git a/testing/tests/sql/net2net-cert/hosts/sun/etc/ipsec.d/data.sql b/testing/tests/sql/net2net-cert/hosts/sun/etc/ipsec.d/data.sql
index 0d772ef10..d70481715 100644
--- a/testing/tests/sql/net2net-cert/hosts/sun/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/net2net-cert/hosts/sun/etc/ipsec.d/data.sql
@@ -9,7 +9,7 @@ INSERT INTO identities (
 INSERT INTO identities (
   type, data
 ) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
-  202, X'ae096b87b44886d3b820978623dabd0eae22ebbc'
+  11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def'
  );
 
 INSERT INTO identities (
@@ -27,7 +27,7 @@ INSERT INTO identities (
 INSERT INTO identities (
   type, data
 ) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=sun.strongswan.org' */
-  202, X'da9c6fa72dc33363ac09b99af29085bedd48dc27'
+  11, X'56d69e2fdaa8a1cd195c2353e7c5b67096e30bfb'
  );
 
 /* Certificates */
@@ -41,7 +41,8 @@ INSERT INTO certificates (
 INSERT INTO certificates (
    type, keytype, data
 ) VALUES ( /* C=CH, O=Linux strongSwan, CN=sun.strongswan.org */
-  1, 1, X'3082040b308202f3a003020102020102300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131313535335a170d3039303930393131313535335a3045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b30190603550403131273756e2e7374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100e43c7e807d879059f76800e499104c936ea05e85033a2af751a1ed3a36eff83be29d35f92527b126817cf98d7c6a786af752130cb6756300ffbba3d036def0c10ab2c373b69d0942e6e9dacee7f26aeb40b1aca81e98012d3d97be570e34b7caa4c202d1f5903e33025fe3fc0c9e401b8b4780b2244982feba83dff6bea6be3609a963b85060051a424d4a54e2696c95949eceff70bbad4fc131716fc5439411d477f9709174e12a0537b848564712da8694a57441a68934e6c77d24fd76ce305da71ce6c41ede4463db9644619b8fcd5945688d93474db5ba677941effcdbdd58b739f7533c70418441d596d974d56cbd8637aeeaf217731a022f6fb4093cc70203010001a38201043082010030090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e041604143dc4b9320816f242645eb74bef575160eb3e6ad8306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100301d0603551d1104163014821273756e2e7374726f6e677377616e2e6f726730390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f7374726f6e677377616e2e63726c300d06092a864886f70d0101040500038201010019042ba2201ad12c30849a6b19dece33eadf0490066ec6b70cfcc509f1d7d51ee26720ecf5aa61d432be22051adfbec4bf553ba01d0495da663a8249ba00a3b4d2dfa56dedd515c11112ff41fa4edbe54f5addd27d9d0eab8f238aa0753152cc6513c22026444234f8b09dc762ce59bae72ebe8c5e331deb4381f152d1ed303dd2e4934cc05162397023c88cab4e56fb62e4494d3e6113e466b3c1944395e7b7bcca67bc9fa122c5cf2d3f70b14f750bc4240ef0f1cace0c26690e010a547572516bb2b753b8e8ddf27547c3727289a10f475879b7c426c37b1e4c1d39ef9b59644adc7bd4218ced313a54fcb4dbc525ad2c3426a130095c2cb5e8b670ccf080');
+  1, 1, X'3082042030820308a003020102020116300d06092a864886f70d01010b05003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3039303832373039353930345a170d3134303832363039353930345a3045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b30190603550403131273756e2e7374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100df95548a67e90e63694fff10dea9e80e5c49f51f8412b49856b695a145661fd8d21eba017aaaad0dd7f75ee1ed836c4a4ebca28c18f61f48de03b1ee135506c26bd958dd602f9bd2ae4d4e16b4f7f0399a29affe9ad88faa34c9ac31a0f8e80ecf5887b0fb29ff85f1f920934b2d9472595fae89edd36b1576e0d7106577e129e4eaf615b119f50594a51413ba176936dff8f58bb1439f437a663d2116f0b2b2821c7d261ab26c0dda9e6f46a9fbc42f4971e30add5fafd30d29668014040b2902387b475ad67b4f08440b784f37dfe34d441806b9f9342aa193dde017aabc5af401085099d570f7b141da94323714a5715bf1637345607c1208770432ba16c10203010001a38201193082011530090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e0416041456d69e2fdaa8a1cd195c2353e7c5b67096e30bfb306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100301d0603551d1104163014821273756e2e7374726f6e677377616e2e6f726730130603551d25040c300a06082b0601050507030130390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f7374726f6e677377616e2e63726c300d06092a864886f70d01010b05000382010100a37ecb613f40c31d0c2bf9c0159a4f26a52bd04cbe3b952472c771ee7774d12966a6241163c2a6b915c20509c312074bb2d777b254234f4a49120585d29cf1c9b9c8e9e3b360084b7e16abb7e5f58544623466d78e0826dace08e7e2b7d9b54890d12a96c62777fe85f68a3964d3b4fde4d3aee2d97e435eff372104629efd9ecc69c57095859609b32d055e0ad5de5d19c45182943d5a2bc39666ad361f7096c7034a04869371c991bc67abaf7954def351b0d6014bd65a15796c80e394047fc724fd029a88c62c95551ba57d8ac4ed4d391dbb7a1a002ba0028ba7aa89ba9f7e4f14002928ca23027485feceb98c90f1366d5474bb00e866f93ff91bf8c618'
+);
 
 INSERT INTO certificate_identity (
   certificate, identity
@@ -72,7 +73,8 @@ INSERT INTO certificate_identity (
 INSERT INTO private_keys (
    type, data
 ) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=sun.strongswan.org' */
-  1, X'308204a30201000282010100e43c7e807d879059f76800e499104c936ea05e85033a2af751a1ed3a36eff83be29d35f92527b126817cf98d7c6a786af752130cb6756300ffbba3d036def0c10ab2c373b69d0942e6e9dacee7f26aeb40b1aca81e98012d3d97be570e34b7caa4c202d1f5903e33025fe3fc0c9e401b8b4780b2244982feba83dff6bea6be3609a963b85060051a424d4a54e2696c95949eceff70bbad4fc131716fc5439411d477f9709174e12a0537b848564712da8694a57441a68934e6c77d24fd76ce305da71ce6c41ede4463db9644619b8fcd5945688d93474db5ba677941effcdbdd58b739f7533c70418441d596d974d56cbd8637aeeaf217731a022f6fb4093cc702030100010282010023a787a38ef8a486496e07e5ae3bab9ac4876cfc9e7a71c7dd0accc2715e9f8acb65ffce820d67513a9d4966deeecb0cfac1e993ecd4fdb8643aede6530c14d43355a5cee7d234662d288f340f6c0163eae156b594c1ee3d2108198604041c4a1ddee90ddfacbeeabd0e39d1602f40988cf388994bade836def0470686d609949ff93a8f7e32e2a5240f915fcc684591e9330d2e786d11b08e14c0ed70543c072c74da083dc8a1a2480b5f071d03c97a2c11ac938f0737b3be09839d878c5bea84389ac80f103de90c8328411a6da9c3d0eb2d6a25a88cfc3f12bdd5f6653166fdb8768e51af726e6c586f157520d1aaaf6bd180a2e0a950cc0d60380cab31e102818100f5d01511e82f46b166e15ea10bd080c324ba7e23aac7f974c5ddf9e17bf857abd1ea7eab2b00c592ff7a038b0c1fe99d35fe8cc3314508d5bdcd957b9e8108bc0c8f01cee333bb7f1e6b79338d438837b4449a562847509448f6a9df05a9c6386150c41ff4dd721c08be8587943dacca45bb7a8b1e098e66604a103780a2c23f02818100edb1efa9d6b3d92a06f65ca3f0ccfb5ed8636192de6b12aeedca6a3f96eacee45291516f89bd162a825fc2c7b0ccee610879dff32303dd6a78029d856283765df57f8d0c87be5a4c964c6ff9b537f7f1cba2c761cca6ce26caeef646c109a0111c05626afdcedc97d5dbf1be73047a9cf08d8dc4ec21caad12950eee439f53790281800a60d9b2e2d9b42363539a9a34147e8b3eaebd0aa67840f9042da6123618bb22deff06901585b7d1c8058fc6bc2150ccb96de0e590dbf84e85effb22b8037ca9ebe1d1d2b95702d090293b79c8ba14333de2339df59f65308d901485fd0838fd426695913fd665adf7548bf0b87a8e241023a53de06bc8de5bac64d8e30e7c2302818100b4ba4445d88faaa0ffe6360e18bb62ad7cce23946e34ef61be3fd7853e148ef69fa90a484a6c50fc4560d652cb252662f4f4e5c892690fe332189af89e2ce2c51232c7662d9818447f4ae320f41ef8110b0a5b9b0ae6117d0173ac21a408d381eed251409476c2d757ae02231284e74d88c1b877702b49554af9b6fe86c00fd10281807709b9327a76fefb7af5b730564f463147db9a6291ee343d69922e00ade4f576e4344bd941b4a4ebadbb26cdf5b8902b9bf7efbff7183ede38bf9a7311ce0e35a699f784156d18949d6851bfcff0d96ab129c7bd4a08a9adb82664d74bf5f38e0c501457f3a34735ff524b746eabe422d35b11ead44848389b28c1396b0b35ff');
+  1, X'308204a40201000282010100df95548a67e90e63694fff10dea9e80e5c49f51f8412b49856b695a145661fd8d21eba017aaaad0dd7f75ee1ed836c4a4ebca28c18f61f48de03b1ee135506c26bd958dd602f9bd2ae4d4e16b4f7f0399a29affe9ad88faa34c9ac31a0f8e80ecf5887b0fb29ff85f1f920934b2d9472595fae89edd36b1576e0d7106577e129e4eaf615b119f50594a51413ba176936dff8f58bb1439f437a663d2116f0b2b2821c7d261ab26c0dda9e6f46a9fbc42f4971e30add5fafd30d29668014040b2902387b475ad67b4f08440b784f37dfe34d441806b9f9342aa193dde017aabc5af401085099d570f7b141da94323714a5715bf1637345607c1208770432ba16c102030100010282010031f9d618cddb393d1d5825426713016cdc5227b970b321acff8cf66b42f0ede3702c30158e8ec1f9db314f031f2d0632a1e0e6507c6fdf545153f01cb0338c3c3f11291cea9819b381048494ecc492ecbd39de3e01ecb048325e75dfee045512a2643e885fcbe672d140877885105e2325390ef183b883321c0d6be51d592b79dfd0f3b522a29509f6c5d3d98c59cc4f4fe9aef978340ffc667e78fd27560eae7245d2d66fa10ad55ef2277ebcec65d1d63cc6b60cbb4d7ba77142554d8817ed174fd539fa8160fc60043f45f4f40dd5989b85874a049bf7f356f250591f6cb2de183e94d8287d712f4df0643b94325b7d4b22bd2d095eb384921c63d33168a502818100f6c92d6977e13cb7b41028dd79010eab910ab83ac2be248a08eb8057804348eb1dc3afb92d67d855bfe891ef0def494bdd109b95c8f5a4e296522d8efd2a4425d0d176e8b0da033d717b77fdb0a14931c2e13b08c7137f0dbf4e1a0ef6919e2c458e40bbecf20004180705e1156bb1d7de09939a8ad096e5346f49e5032a643702818100e7ee610601d43043bea5d304e6502249ce4f70d4de8e903a8fe3a2902878fc7157cb70bf74bc7e0acd7e7a0c3ae1cf2255a22f344a3b9fb13d2347b75ea6a73d15e1327051acffb7f4e56c58f999d7c2e2d878bce0ac09ca2f18d759775c93aa698a45c0c554b99a7147475f1b993fe46c13fed12499006094e806de6db350c702818100e26dd577d6a1579769e405caa7329c26388f3057e1c49a3bf85133d19502a74dea6258c1bbf272e0c292fe0aebab28822dd4061cd964e123712ef75421defce601819eeb8310953674000829413dcaad9894151949a70ec52b48dac9eddbcfd7e8fdcb5161e6ecb2d4e4e4b50f755f98a3c5ffa325489b9ab39084a9564d37e302818047f5087b21a42099541404a55783732fece76ebd4c9374a206b47c62377c59ee1c6c0cfe098cd59a2a695c1a61465fca6a41185e23cddddcd27818af0699b3f75acb74a7ae5f7b332ab2e76baf7d1098f162720b3fb580900f0ea8f9a3f3c008b617e54e4aaadfaed0086a5752abb84bf95036d5d281f9c0fd5203978cf77e4f028181009b29e83640d4b6aa13c81bd79aa890d13aec66c5bff4eddece05cb60320c55bca86a5bd856e364b2809e7d7f2cf94231416927dc39d7f88242b211ac15a38e7fabaca6210537ed1e2f178096f59dc27da21bc09a7b2dc1d5cc7d3bb28fc736c66e6ba19609208b254e4c782462673936445892f4a21a2cfe2066776fe255ce89'
+);
 
 INSERT INTO private_key_identity (
   private_key, identity
diff --git a/testing/tests/sql/net2net-cert/hosts/sun/etc/strongswan.conf b/testing/tests/sql/net2net-cert/hosts/sun/etc/strongswan.conf
index 29e2395e8..f66e8ba8a 100644
--- a/testing/tests/sql/net2net-cert/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/sql/net2net-cert/hosts/sun/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown sqlite sql
 }
diff --git a/testing/tests/sql/net2net-psk/hosts/moon/etc/strongswan.conf b/testing/tests/sql/net2net-psk/hosts/moon/etc/strongswan.conf
index 0595de2f9..4d7891f5c 100644
--- a/testing/tests/sql/net2net-psk/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/net2net-psk/hosts/moon/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink updown sqlite sql
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink updown sqlite sql
 }
diff --git a/testing/tests/sql/net2net-psk/hosts/sun/etc/strongswan.conf b/testing/tests/sql/net2net-psk/hosts/sun/etc/strongswan.conf
index 0595de2f9..4d7891f5c 100644
--- a/testing/tests/sql/net2net-psk/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/sql/net2net-psk/hosts/sun/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink updown sqlite sql
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-cert/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/rw-cert/hosts/carol/etc/ipsec.d/data.sql
index ef9c228e1..983f1bf35 100644
--- a/testing/tests/sql/rw-cert/hosts/carol/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/rw-cert/hosts/carol/etc/ipsec.d/data.sql
@@ -9,7 +9,7 @@ INSERT INTO identities (
 INSERT INTO identities (
   type, data
 ) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
-  202, X'ae096b87b44886d3b820978623dabd0eae22ebbc'
+  11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def'
  );
 
 INSERT INTO identities (
@@ -21,7 +21,7 @@ INSERT INTO identities (
 INSERT INTO identities (
   type, data
 ) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=carol@strongswan.org' */
-  202, X'985c23660cd9b9a7554da6a4aa31ea02230fd482'
+  11, X'1fa1a988d9648cb5a0a2546439b4f23d745d6e7c'
  );
 
 INSERT INTO identities (
@@ -41,7 +41,7 @@ INSERT INTO certificates (
 INSERT INTO certificates (
    type, keytype, data
 ) VALUES ( /* C=CH, O=Linux strongSwan, CN=carol@strongswan.org */
-  1, 1, X'308204223082030aa00302010202010a300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3035303130313231343331385a170d3039313233313231343331385a305a310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e3111300f060355040b13085265736561726368311d301b060355040314146361726f6c407374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100b81b84920408e086c8d278d3ad2e9ffc01b89e8c423b612b908010f8174ff96f6729e84b185fb96e60783082c507ace9d64f79beb0252e05e5f1f7a89a0b33e6789f5deb665084cb230191c165bcad1a34563e011b349bb6ab517f01ecf7e2f4de961d36203b85e97811cb26b650cfd014d15dd2d2b71efd656e5638a24bf70986b8128bbae5f3b428d6360e03d3f4e816502e3d1d14d7165ab1a92a9fe15ef045d4e48ff5bd798ec80c9420962c9a9798b54a0ed2a00cf2c9651d7d9882e181c1ef6b1c43edcada2fd191e109962dbd26f38a00208c1ac3ed27a5924c60330c79878eb5c7a90960a6472f979aca9c5aee2bb4d0aed395b546c5e361910a06370203010001a38201063082010230090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e041604145535eca6eba279baef887f18438fd227b16746d1306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100301f0603551d110418301681146361726f6c407374726f6e677377616e2e6f726730390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f7374726f6e677377616e2e63726c300d06092a864886f70d01010405000382010100b1304a7e65d72573468853e8cedd398bf3581cc1e6b4054b9c8d97c3caf0929035dc5e274e7b3fa5fef52e7860bb06aab5ba40c5f1ca55806b4cd873f133ded948b3c89cc81621e2eadee5fc893b48a34e4462a45ab09c41200918f68ea36babfacf4099aa349b8b65841eb1e416b90e4eb462edd786cdb0008565633a701fcd2c416ae8e4754c5bea3181736179aa901e5526c4fac031ce649d851c85ded514c25e3269b0739a879d273950e1a9ea8341b5e1049c07181792ad37da02aeccd555c56469e8e15a9e72860b520dbec05662d37adb08d79575e133f338b0116198fa5fb556fe02682bd634aca535f6750b0daa123f5ad36f2e67caa260587f1aa9'
+  1, 1, X'308204223082030aa00302010202011d300d06092a864886f70d01010b05003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3039303832373130343435315a170d3134303832363130343435315a305a310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e3111300f060355040b13085265736561726368311d301b060355040314146361726f6c407374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100d05d594f8117bc78972a3ec479ebe1400e53cf72410b93e6f74fa17cf1ea444fb23600bae92d81747e49a2e4407c3f6118033d22a3e67ce69a53907ffad646bfbc3b6abe0bdd9a5080a690dbd919a9a8e70d9694e319e93e5d9361eff9033ac53fc6cd6c95af574c62effbb72c03d41c3b696fc7aa4444483bbaabde555aef8bce0e9797108d11ecf462c66b37f7c2e812f6ab3280a8c05b207156f0e3a787e9c4638205e40ce466716bc35d8623bd99f3cda9c3dee5c8ac19852cff18c405049c7eae735dc393f5209c13946e4f51da030ad7bf31caf58a203eccea2fc79e71d46a06c5dba85d65397a0adfd4cb5a9517fd3dcf17af8ab7584293026b19ad510203010001a38201063082010230090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e041604141fa1a988d9648cb5a0a2546439b4f23d745d6e7c306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100301f0603551d110418301681146361726f6c407374726f6e677377616e2e6f726730390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f7374726f6e677377616e2e63726c300d06092a864886f70d01010b05000382010100bca6a5f72ab4b329eba519dcf2740578846c180775a2074da82769e1e4c241bbb2742a7e08564bcb507492661491c71e79b5065f758aad5d54bb66ec86fbaad5eec6f9f794884707e42c07636efbf4c99225e31c7c8f9d0adf2311fbd6975b535218f1246fc06305432b1769231933aaa26a3c388cf2237ebdcfd909aed1219d2dfb9c771da5ec190b5c077167c9eb077dc319b3d9d5579a05502f60635ddfc17292c56880b887b8cc5d0e455118e753b2bdc526b84fc3e947a16b42139c218057029f781a233c26a98a641194a5e3feddccb88b70d5d7c2b2afae10e17665ce164294d138dec80caa25fcf1d737ce7a43cd3ed3e758fe77ef6445fe59d06391'
 );
 
 INSERT INTO certificate_identity (
@@ -73,7 +73,7 @@ INSERT INTO certificate_identity (
 INSERT INTO private_keys (
    type, data
 ) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=carol@strongswan.org' */
-  1, X'308204a30201000282010100b81b84920408e086c8d278d3ad2e9ffc01b89e8c423b612b908010f8174ff96f6729e84b185fb96e60783082c507ace9d64f79beb0252e05e5f1f7a89a0b33e6789f5deb665084cb230191c165bcad1a34563e011b349bb6ab517f01ecf7e2f4de961d36203b85e97811cb26b650cfd014d15dd2d2b71efd656e5638a24bf70986b8128bbae5f3b428d6360e03d3f4e816502e3d1d14d7165ab1a92a9fe15ef045d4e48ff5bd798ec80c9420962c9a9798b54a0ed2a00cf2c9651d7d9882e181c1ef6b1c43edcada2fd191e109962dbd26f38a00208c1ac3ed27a5924c60330c79878eb5c7a90960a6472f979aca9c5aee2bb4d0aed395b546c5e361910a063702030100010282010100a7870abc1f85c061858dd7baae24f61947abaa41f0e6bd85f9c83f28b175e980d0bc168f76cf6c199f18def3afbc4b40c0edb2d7accb3834cfc7bd57234d3c5de4b707ac737ea3478144255079761581f9cbdc41ff72809ad90ba069ad2ae7cf7057e29ee4f7a4e40c890c75de826c8768da16e9072af0bd1db6282902ade34cb1b9c3fdd00a8f0330328e18d477009ac5a43952fe05b7257b8b4e7f8f5288e858ef56ea3a031980d38b879e6327d949a8f3c19bf379c1297b3defc0a374a6ea6f1c0e8124247c33392ae446081f486f58bb41cbcba25915d37eefe0828408f7f679841588424ef59b6dee30805b926fa80e7ff57cb4817167ca72bf51c8cf9102818100da567b0cbbc426e4455ffdd1b8013644d9f47785b05b163a0155c81d57c0cd84fe73aa75125caf116de50b7adc369707ed91127db7d4422bb08cff5ddf91f4a0e5fb264e098fe6fe62f8a2ab933eeac41893f365d8165f79143855b5a5b7dc31c9b34a9d453ee7c8d7b24f89e3ed51bfeadc2e1102308a967b241dfb44c8ad6902818100d7dd78437c533a15fd1dd6b0634334e79c31d215017f5a8869e42cbada3fb09167585e087e72f91575441f7cca9a64246df57f0e45f1ae86a289a4307586aa1cc3cd069c65057cc3b0baac3634064e53179bde9af2531a5af2770a1d7ccbdc263f18299ad2ec0d224b718002633a546af74c7cac72ccdf253ab4370137bf829f02818063b2f5c15cc43716296fa9d167fa75b37eeb18e0dd24dac365f4abca6a55ca031ec5e6624b1e337afbf9890273282253267206458df9c8b5768b0bd8ebcc142e9c95d069f607d5ecf7789d9f473f85a841a8dd8df5dc518052715f01f14841ae22725271fa3abd5082de135fddca7277f660d05047f5ae73048bfb7ccf6deb7102818028b2b4ade48ebc70d0dc03521624e1a0992e3b71826ac462dbb40d4add430cc31d3ce7ddaa197b24b48b37748bae381b363006d8660f7edc1b60dff7d2f0a4b9efa0841290694c7088ad69327ef48167e1179e0c908b6278ab260e5e28dd36906f6cdacb39e10f48dbf8762dfd0f4e432c84db2c98285019f0cb7163656351f902818042a7d7d7f9416b3f3b50cf5815dfbc249cd3572e494c76d1ae99dc1e8bc63fbb32e5c18d5c4f90681e9046999cdcf0826f904350b9d67227f606382d9c7b3b1332d22744b2cefa691ab82dbec8e976a406b0902d0f4889392f80d39e2581ac42feed9085964650485e34811b04fa1f34c47cde5cbdd1d20f30111851a3c187ca'
+  1, X'308204a40201000282010100d05d594f8117bc78972a3ec479ebe1400e53cf72410b93e6f74fa17cf1ea444fb23600bae92d81747e49a2e4407c3f6118033d22a3e67ce69a53907ffad646bfbc3b6abe0bdd9a5080a690dbd919a9a8e70d9694e319e93e5d9361eff9033ac53fc6cd6c95af574c62effbb72c03d41c3b696fc7aa4444483bbaabde555aef8bce0e9797108d11ecf462c66b37f7c2e812f6ab3280a8c05b207156f0e3a787e9c4638205e40ce466716bc35d8623bd99f3cda9c3dee5c8ac19852cff18c405049c7eae735dc393f5209c13946e4f51da030ad7bf31caf58a203eccea2fc79e71d46a06c5dba85d65397a0adfd4cb5a9517fd3dcf17af8ab7584293026b19ad51020301000102820101008a86f560a12fd9b2c6b5646395b757db116b7108c1ebe399f3a43275f213d0f4b743a5fa9e1a0dee1823f6b30f984b3ecf0b20330e8aa7515d1adf7fe6915d1a0e17e6a0911cf4823ef5fe6adb8c6f3a86da86d9579f1b6dc622bd4320e79fc411e1a72360e4e1023ce8d60df2aa5cf3a420361ba5bc9b34f6d8e578fc8067aef457ff2a5a91f7c7c8a4f242cc46ab1cff18d6d1a4d8b82b5791df1f18a04b8cb2da235c3a795900fa7ffbbcb4b1d079a504673794eeca5e75c8c16ad2558965453515f57180b8dc518710aa874cd3bcdeddf109d5b553c27a351437f9c1bcdf8940f3ff8632dd59f6c8e01107b4bbf49c6c5409b6e9ecb29eada333800fa5d102818100f5537045d067df4d786df67e1cfea01ce3ca6de3f06be48efd8b4dc48c1ec19a711003875ee202343c851c8f970d2160a2e4d1108da6437af6bccfae803f61fc450582a89aa0906cba65fc7033aa584c1a2a17e96b2f368951aedaa5261f6e1c14999cfa7f4c4091890eff281cb4e6f37209f4b6d5778607caeca0a15137746d02818100d96e379ba5b4ed604d84a7ed71678a1f23391b749a697289bd3bee5d17985af89264f5ec35d3e37b1e44d6fdafec8a78ae199e0bb680f59f9800bb894ba5b31ee964f3ddc142f361835cf49a1edb75330f44f33c26c56e0752ae3fe0df760838b6437b99a131cb544d64da996baf3bc3f5709cc75f134b048cdebbf8bed1a5f502818017e2d8e2a34909cff432d8b62cc289fa661f7695a3fa0d55f2cfd67195a704f8b19b7a8c7aab8cc563431ea5c87249d6abe595898411352ecac9557b4b1760c5fc3e6e1b567addb5086d17a8210fabeb34fcf6390eeb98e6c3e23f7da6f99671fb7b7d725264ad40be548c796e5a1ac6874afaddb6691dceb26e59b17b43e7fd02818100ac90cb559f089fb56510b9eebba8bf78c30dd9fa8b6ad15afc738a551c1af1688357d9cea5520c2374fc91dd3a38f4159fa7f945b68d576458d18c0605a1f72dbb734211680768fea5b1aaf87f31122d7a1af12976640f55848b836b482f778afb2d47f5c077b2b6afce31a8be4c8f949141d54c6eeaf309237ccb973a6b4dd902818025ec4178c7f7c017c46a93fbdb72e2e3b199ae33c9fa6834f81b75b481cd6756124c744c821b126b07ea9852dc58de40cc87f160209d8af3b4bac4862778d3e21cbfdfcdbbfaad8911500f43a43041b88eefb27c66adfffeb9c8add95d1a4ed05f0bd81a4eda79fd4a0885a4a3bad0dcddecf83401c19df721d6cc7163c4125e'
 );
 
 INSERT INTO private_key_identity (
diff --git a/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf
index afbc20ab0..66be5fab4 100644
--- a/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf
@@ -6,7 +6,7 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl test-vectors aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown sqlite sql
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown sqlite sql
 }
 
 libstrongswan {
diff --git a/testing/tests/sql/rw-cert/hosts/dave/etc/ipsec.d/data.sql b/testing/tests/sql/rw-cert/hosts/dave/etc/ipsec.d/data.sql
index 5a4bbd5c0..9ccee6ce8 100644
--- a/testing/tests/sql/rw-cert/hosts/dave/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/rw-cert/hosts/dave/etc/ipsec.d/data.sql
@@ -9,7 +9,7 @@ INSERT INTO identities (
 INSERT INTO identities (
   type, data
 ) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
-  202, X'ae096b87b44886d3b820978623dabd0eae22ebbc'
+  11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def'
  );
 
 INSERT INTO identities (
@@ -21,7 +21,7 @@ INSERT INTO identities (
 INSERT INTO identities (
   type, data
 ) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=dave@strongswan.org' */
-  202, X'f651b7ea33148cc5a76a622f1c1eb16c6bbdea25'
+  11, X'ee7f38daeea1b81a41777f78f2674be8439d8e0e'
  );
 
 INSERT INTO identities (
@@ -41,7 +41,7 @@ INSERT INTO certificates (
 INSERT INTO certificates (
    type, keytype, data
 ) VALUES ( /* C=CH, O=Linux strongSwan, CN=dave@strongswan.org */
-  1, 1, X'308204223082030aa003020102020108300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131323635315a170d3039303930393131323635315a305b310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e31133011060355040b130a4163636f756e74696e67311c301a0603550403141364617665407374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100c66c299463a8a78abef5ffa45679b7a070b5139834b146aa5138d0f1d8845412e112e4429ceeab23473e395e8aa38b2c024118d85b7ddf504118eabedf9c793bd02c949d6799cabeefe03ff62e304ddec98313afd966bcf13f1fb1a619548a060e17fbede205225b574e679adc9f11bdf9e36b48bea058d360d62b8445f9524db98757a4d59865363c675d28667a5dfa967dd03eea23a2dbea32ab0e9a1f8bb885f5e12723113843a12dd00552fcd4f548b31174aab2610e4a8752f6fca95494584db65cc7bd1ef50ee0d8c8211efb5063a995801cc0c1a903042b7ff7c94094a0de5d7390a8f72a01949cd958c6f2012692bd5dba6f30b09c3c0b69622864450203010001a38201053082010130090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e04160414de90b5d11c6c643c7450d36af8886ca31938fb72306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100301e0603551d1104173015811364617665407374726f6e677377616e2e6f726730390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f7374726f6e677377616e2e63726c300d06092a864886f70d0101040500038201010027a2d727384d2d2432f2f15875fa7693db3af1c7d5317cc21e1658f0843a918875d22c301b08e9c05a8aa3f02f6b8ae6705bb508988210f494fd19d92db786db21c1b6e6b18c0b7baa3fbd427da033fd2c08659daf9bc26dd99cf348c1ec139a9b8c32110199eaea08913f6b3a3d5b0c3d2a6f1f7e2c45b13452858949db416493f96dbf93e2173d81f99bc937b0c0c9e3874f4a90626a571295502ff5cf553dcdbdd7d4673dcbecc8ebbfc3e3ac0ce8a75120d6aa3dd2b6e9a61114cfbf0cba137c5934eddb32cfb96dd02fbf8adc903afa5f8d5959fce7a94fdd9e5a7a3816e35126e50fe7f818887bd2b2365b6b3a86d36a86849e9582d193e6a20b513988'
+  1, 1, X'308204223082030aa00302010202011c300d06092a864886f70d01010b05003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3039303832373130333733395a170d3134303832363130333733395a305b310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e31133011060355040b130a4163636f756e74696e67311c301a0603550403141364617665407374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100c007f2536f0558e68345d3ef017a175b73434e797f9b97448e720a5985aea76cc0503b8d63b4e239af95db83db0af65f8360e9d941912c121215643a0af32188fc520413e81645ff8e2e623c9362be1b57649530bf54fdad6563106105ace949d7de2895a4771c237090aaa2567bd7d9b08b2ad09f63f61bba87d7462046e89fa4570cb3c8e4322220a737af48c31cd0ec2140f3723b94742c4a14232e1d409f6b53c18aaa63e693fa5d3d06808e948db8273563d33dbd9ac44ecfd71e60426570885898b3e5538767eaf4ef713719e7fd89b32e4e3f60d972ef1617437d4dba14af4691fb8ec275a78552bae9d8aaf71c3d42aca793ef0ad09e1af353daab750203010001a38201053082010130090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e04160414ee7f38daeea1b81a41777f78f2674be8439d8e0e306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100301e0603551d1104173015811364617665407374726f6e677377616e2e6f726730390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f7374726f6e677377616e2e63726c300d06092a864886f70d01010b050003820101003201bc6ba4cb53011c378ef070b9aa5a1d79d3a69cfe4e45b27d7569813c2d3e57f7adb84f9380e3853db28323132356b3a2a3eba1fd9a05b0eb0e57424903ec64072ecce76bb8a28ca36090c202ee0455cbf89517d21888a454b56591c0d9a0cac94c383b20033af0d4f2bd7f5a2c116fdd537583fd9c4bbda8fdf4934be4520f0309b0a63c8d7f3156b157387d2d1005c8e1eb9ca4825c6ee84ad995166d987f7a44e074b55ba0eda269b23eceda503e5701a41daf70d8288fd36b3a14eade60d9a12a8a0bbea63d8caa4e62749931e55085bd45358650a1c97e8d34d8c936757abb9622b9ab5c758421a424c1b319c1a0cfb0d01bcd38297ed4f760132d4a'
 );
 
 INSERT INTO certificate_identity (
@@ -73,7 +73,7 @@ INSERT INTO certificate_identity (
 INSERT INTO private_keys (
    type, data
 ) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=dave@strongswan.org' */
-  1, X'308204a40201000282010100c66c299463a8a78abef5ffa45679b7a070b5139834b146aa5138d0f1d8845412e112e4429ceeab23473e395e8aa38b2c024118d85b7ddf504118eabedf9c793bd02c949d6799cabeefe03ff62e304ddec98313afd966bcf13f1fb1a619548a060e17fbede205225b574e679adc9f11bdf9e36b48bea058d360d62b8445f9524db98757a4d59865363c675d28667a5dfa967dd03eea23a2dbea32ab0e9a1f8bb885f5e12723113843a12dd00552fcd4f548b31174aab2610e4a8752f6fca95494584db65cc7bd1ef50ee0d8c8211efb5063a995801cc0c1a903042b7ff7c94094a0de5d7390a8f72a01949cd958c6f2012692bd5dba6f30b09c3c0b696228644502030100010282010100903fb9caa2d8cd5454974a0e12bfd1fad5750e95ac58e462954194c4fcfed690130844e1186d7a04df9a20e2d62f26d20ba17f8a6a990b6bb0a788a0d2b7527b654fc38adaf2372eaffc7b036178c4639e63a84042f02993c8ac25ddf6b43ad34413b396b0a5c2e05c8c274db1ee025bf5fa9ad7fb9d5e75ed044606974835c7fbc39ae84b80acaae9e9624e6fe8ac0ca318ad8a7d1c6ed3a79261464e6ebdb9c02ef20cb1c206c58718d542ed9cb1428c5c3cebbd58dc25598bbdd9924c75fdfeac881949e5f10a7dd4dc25800bdb4bd479ca0bfb706f25847361b2d2565a412813273691b4a3a5a814dce52cdbe25d626e6c9e000ecd6a75cac275187e265102818100e596d3ee25cd98563b12bf718c0ce7e7a823ae8c84f1021552b6b0bf220b7e012861510ab49d612fe7ba05a202edf4927201af0f33f4137481811f884fc46723f94db8ed69b283376f3141ad7e6f0f52afee60e537111c5bd94642564981a822e54edb6797521fb5870c772993ff517ea9c24adcd9dc502f1364d26a3f05ec4f02818100dd3f81e8a4f463488db2b048f2ef208c1c98ee136636b6449cbd3424c93ab25916908823a1ef3a23b4798c77f92a3e29b9469f8014c6b862e23ab5fe6000f9552de01f72c0a1fcc731b0867a3bf1d27596fc9da6ecd74931ce120b1687d2a67b4e4fb32b7fb750b46645aa38ab011a4d5fedd53d20e5ae3a4a5551b6cc5f5d2b02818100ba744b9954ca2bb59c341596398f21a7593de13bed9b6d7db3b6fac3befa6652ba608e588b6664cf6afa00291b07f5601986948d5c3c14b0c19c03e7c82051433dec890b06941b4ca1d8f6e5d7908a7934b7fba92b9791d86614513b9266e20db4fcdde2bb59ceb6b5fec1a7dab1b7958e786424082a8c542f03ea7eaec038b1028180055e2312b7ddce02d69d3d35a7df3154f4e4a8f2038ad44539e0454197383b5779faabb2e19ce236378cb361bdc3ce9a488a74183168d8d45d54bb519e96a775ef94fe6e544a19cde360bb02802dcfc356946e66bc5c44c456918d7f507045e5bbf2a710291b13742cff07b03445e49377fe572c127e4009ddffcfe9b56fa2dd02818040d41f525d885c951dca35924f46e4e7f4e43f4ea2e670230deb674884f5b8599a368b1647dd87523c4fdb62661f6543edecc9ce48d4a7b8b2a29de21fd438a9cf4823b92c85180b390c4f8dfbc196628d349fed1edd32cba5c063e2739d2153d3677d4815e55b8b4e9d0989b32cf0060de2ded4cd59edf6a4364cb55aff9276'
+  1, X'308204a50201000282010100c007f2536f0558e68345d3ef017a175b73434e797f9b97448e720a5985aea76cc0503b8d63b4e239af95db83db0af65f8360e9d941912c121215643a0af32188fc520413e81645ff8e2e623c9362be1b57649530bf54fdad6563106105ace949d7de2895a4771c237090aaa2567bd7d9b08b2ad09f63f61bba87d7462046e89fa4570cb3c8e4322220a737af48c31cd0ec2140f3723b94742c4a14232e1d409f6b53c18aaa63e693fa5d3d06808e948db8273563d33dbd9ac44ecfd71e60426570885898b3e5538767eaf4ef713719e7fd89b32e4e3f60d972ef1617437d4dba14af4691fb8ec275a78552bae9d8aaf71c3d42aca793ef0ad09e1af353daab750203010001028201010081e2de1d60f294f715c39d5e03f9b8e2ba4bc44099f77b917b67d76845eba48302714256982239021ba99918ce87d3ad3707ce248d1ccc5a4cb0fb61e7161c90b35a2637f0bb600d42f64cabfc64c58168d337b609344b81851a4471db8ce11e794c62d714af1bf13caa1d40408ef3a8e2a8bf04ed4a87a4a9be47f5becf3777d7254cf6ab0ff4f3e109235334796b030a1e03951a0ae64e224b3226a8e99174825eaa877efbc5cde0cd075687a9086f645654bda547f8927433f8eecd9ecfcb9b30ed6ff66bb4e5b7341f9626095798e279338e554045d0ae3ee94a1f10644ad88f10e7e7199923d45d5f8df2283859c3f4c41262426e654a04e895a21bb40102818100ea2e632ed6d314655c64eb6a18d4f492fea379ca091426bd7f381f1cbd7f1f79b73d694b9538ec693b245992f6a2a1b292279db9698eac40e43df3aa83b682ca5ab60ed07d02692e16c65cba91ee9aa9f768db2be9a1e0a213a93651a6886dcd35aa3f116ea73287a39a830cc2779bc02b9c8566c4cf8cd25ce99fa030ab965502818100d1ec351dafa33fff13a64c4a980a6f697735e705c1dc2a410b738210f4c059cd058579e4324d46e5bb0c1e6df4476d1a00206f66cf1be23645db193c69cbd04539f87e2b3f4617046031a1575a16a8e71b998844df2601d9d67958421f75c19943f53857b56a08583320b48a85def15b75c9ac5e4a232363824ab666b60ca0a102818100879dbf8083960fccb75a165f05ec658aaefe7aec3e9fb5e3adc611767263291632c0d4b699bf3261aa875d7c576a4d5bfd7a05c4375611792ef495a4dccc182819aa2f201c15065653882271454bb9b3ce7ca1d8675f80983bec95716990be8dc593471cd048f1614da4905a1650701934e85af4edeb083156ef50aad324bb5502818100814232ca9eb5a4d8499f2266e40bb8e275f708d3b0b502879ea777353d9f9b2bf4f46543affd896437b294a21bc24759b52e43aa4868e0f78e3804e80034f17f4edcc5c397686f0fd0b37ea72cdfbb0ce31fbc9abbd4c95afb0728e33e3fe1ff9faac510acb2278537a631c501fd6f1c6400d45412ce642207be3d662d3ec54102818055a928e09d9801f683ebb625e6ed97396ac1cd55b358d7aa06c8801759c2a51d517de1f88c537f532fea6cf563766d7818dc1de70b48d31c0102cad3562b7bf03a310b631428c22eabdc5555a90a5fc5310660a795d916ba1b57c09587f697d09dc092ac469e71f0e42fc6153c35ffe177898ea1e92aa6f28d3b86bfe30ad58c'
 );
 
 INSERT INTO private_key_identity (
diff --git a/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf
index afbc20ab0..66be5fab4 100644
--- a/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf
@@ -6,7 +6,7 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl test-vectors aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown sqlite sql
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown sqlite sql
 }
 
 libstrongswan {
diff --git a/testing/tests/sql/rw-cert/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/rw-cert/hosts/moon/etc/ipsec.d/data.sql
index 67570add2..b239402e4 100644
--- a/testing/tests/sql/rw-cert/hosts/moon/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/rw-cert/hosts/moon/etc/ipsec.d/data.sql
@@ -9,7 +9,7 @@ INSERT INTO identities (
 INSERT INTO identities (
   type, data
 ) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
-  202, X'ae096b87b44886d3b820978623dabd0eae22ebbc'
+  11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def'
  );
 
 INSERT INTO identities (
@@ -21,7 +21,7 @@ INSERT INTO identities (
 INSERT INTO identities (
   type, data
 ) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */
-  202, X'd70dbd46d5133519064f12f100525ead0802ca95'
+  11, X'6a9c74d1f8897989f65a94e989f1fac3649d292e'
  );
 
 INSERT INTO identities (
@@ -41,7 +41,7 @@ INSERT INTO certificates (
 INSERT INTO certificates (
    type, keytype, data
 ) VALUES ( /* C=CH, O=Linux strongSwan, CN=moon.strongswan.org */
-  1, 1, X'3082040d308202f5a003020102020103300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131313732355a170d3039303930393131313732355a3046310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311c301a060355040313136d6f6f6e2e7374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100afae2e109ac0a71b437b6f1a9e5194d085c999fe2c8de11b261f016c88e734eb1a6767b15bc7d8338bf3acc14e8a18bf857fd3dfbce637e9b0d3654f15d9068bdf4450517cf72651be8d4c8ff738ea961b2f5584bf7089afaa0a37b94910d18083bf649a7d395a41f04e68f14494d10ffc7d984a2c81e97f3421c1ec38c629b2456a3d8f3bf3915e86317ea71bb24422bef475e677e8967670b4f6ee2a80a45adcbd086a6537ab5fc12bf69f9072b620020de1880cec6cdea47543d1fec4c5ff547ac2447a1e210d9c128dc3337726eb63d5c1c731aa2c63ce175dbc8ebfb9c1e5198815be473781c3f82c2b59d23deb9739dda53c98d31a3fba57760aeaa89b0203010001a38201053082010130090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e04160414e5e410876c2ac4bead854942a6de7658303a9fc1306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100301e0603551d110417301582136d6f6f6e2e7374726f6e677377616e2e6f726730390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f7374726f6e677377616e2e63726c300d06092a864886f70d010104050003820101002f2f2921667aa576bb0c71b601dfa5b358a93e84e8a1af9754ddfbfc67879cb6c6b7833c5749e7c30b11a87b3549e105dda5d371c459f7d40fabd60c4ac8623924be84c96cfa638eb6ce9f6513b9d61080b895d270c405eacc310c709a613b6f61029c94f535ac5836b890be402ad2c52f01f7fd4bff8c0cc0cbea9720ef21c0bb41fb0726852a3c38563d917fdcca186dede6fbc83febd9edf0541382464ee378f7b8c9684df0d2402b07eb11dd4a886ab5e7299d99ea2686994746c2d9c00d95b02b2950d67f7978c6db5b379c4a3170239c414cf743bab866005366809690073a150e73c6866b9b335616acdbd3a8e651596dedb686b5d8d3eeb12df9d729'
+  1, 1, X'308204223082030aa003020102020117300d06092a864886f70d01010b05003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3039303832373130303333325a170d3134303832363130303333325a3046310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311c301a060355040313136d6f6f6e2e7374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100ca2f633dd4bbba0586215b15a0312f73f533124f0b339b9ae13bb648b02b4c468e0f01e630fbef92197b7708f5dbffea7e496286966d75acf13bd5e4377a1821d82de102eadf9963b489041a0b0f9f76b79e2150aa39020e3fa52a677dbb879c986291e4f1542fe2f0494e9c5c954d4faa75a17aa7b56652f1b16efbdcb46697f7d0b7f520bc990205365938d2cd31f2beed30e761a56c02d9dc82f0cdefc9d43447b6a98f7628aed2ac127a4a9504838f66e7517e5e0b0672c8165474bce689f73a6fc6e3c72b2c45498ddbbc0b17b04915606fe94f256cc777c42c534560ffbbe5aacdd944cc8db4d2abaf8a294af55b03a6a01a54d78430ab78389753c2870203010001a382011a3082011630090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e041604146a9c74d1f8897989f65a94e989f1fac3649d292e306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100301e0603551d110417301582136d6f6f6e2e7374726f6e677377616e2e6f726730130603551d25040c300a06082b0601050507030130390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f7374726f6e677377616e2e63726c300d06092a864886f70d01010b050003820101009cb57836c5e328cda4d58e204bd4ff0c63db841f926d53411c790d516c8e7fdaf191767102343f68003639bda99a684d8c76ad9087fbe55e730ba378a2e442e3b1095875361939c30e75c5145d8bdb6c55f5730a64061c819751f6e4aa6d1dc810fc79dc78aa7790ebaac183988e0c1e3d7ba5729597c7413642d40215041914fc8459e349c47d28825839dd03d77c763d236fc6ba48f95746f3a7b304d06b3c29d9d87666db0eacd080fb2d6bdebf9be1e8265b2b545fb81aa8a18fa056301436c9b8cf599746de81fddb9704f2feb4472f7c0f467fb7281b014167879a0ebda7fae36a5a5607376a803bec8f14f94663102c484a8887ba5b58ed04ee7cec0f'
 );
 
 INSERT INTO certificate_identity (
@@ -73,7 +73,7 @@ INSERT INTO certificate_identity (
 INSERT INTO private_keys (
    type, data
 ) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */
-  1, X'308204a30201000282010100afae2e109ac0a71b437b6f1a9e5194d085c999fe2c8de11b261f016c88e734eb1a6767b15bc7d8338bf3acc14e8a18bf857fd3dfbce637e9b0d3654f15d9068bdf4450517cf72651be8d4c8ff738ea961b2f5584bf7089afaa0a37b94910d18083bf649a7d395a41f04e68f14494d10ffc7d984a2c81e97f3421c1ec38c629b2456a3d8f3bf3915e86317ea71bb24422bef475e677e8967670b4f6ee2a80a45adcbd086a6537ab5fc12bf69f9072b620020de1880cec6cdea47543d1fec4c5ff547ac2447a1e210d9c128dc3337726eb63d5c1c731aa2c63ce175dbc8ebfb9c1e5198815be473781c3f82c2b59d23deb9739dda53c98d31a3fba57760aeaa89b0203010001028201004080550d67a42036945a377ab072078f5fef9b0885573a34fb941ab3bcb816e7d2f3f050600049d2f3296e5e32f5e50c3c79a852d74a377127a915e329845b30f3b26342e7fcde26d92d8bd4b7d23fdf08f02217f129e2838a8ce1d4b78ce33eaa2095515b74b93cc87c216fa3dc77bdc4d86017ababaf0d3318c9d86f27e29aa3301f6d7990f6f7f71db9de23ac66800ba0db4f42bbe82932ca56e08ba730c63febaf2779198cee387ee0934b32a2610ab990a4b908951bb1db2345cf1905f11aeaa6d1b368b7f82b1345ad14544e11d47d6981fc4be083326050cb950363dad1b28dbc16db42ec0fa973312c7306063bc9f308a6b0bcc965e5cb7e0b323ca102818100e71fffd9c9a528bdcb6e9ad1a5f4b354e3ea337392784aac790b4fba7f46b3b58d55965573f6493b686375cf6a0c68da9379434b055b625f01d64a9f1934cb075b25db5ef568325039674d577590b5ec54284842e04c27c97103a151805c9b620a3df84181e3a0c10752a7da6cac9629471a2bc85b32c3a160f3a8adf2d783d302818100c2968f5baf0d246bb9671b1dcfadab3a23cd6f9f1cba8c4b0d9b09d6c30a24eec174f22a4d9d2818d760b79a61c9cdd1381487723a99773a629b58171a6e28706bf083700f35037a0cb0649c9359987ccf77b44b4b3d94c614c74537c7025b503dc9967095411ecaec4b4427bc39dd5dfccbb8bab5d92e9465ab11e5e05d7319028181008b306e388e837461b89dc786f256c7991c18f31b6ade1eba77bb242cc071a7d0726954bbe9b62cac26559fa165d04b6536e3146f9dae4733c83b717d1705003051e81e90b56226cac18740c0a7009b4ed3efde74c7f7950e6f8d2c1d951c30477ebb8b428822b9b105e3f54a49a0365e6d7f895683f5b273019c3bbd663dfc190281807f5def6e12b1a682407405a2c8ba2356c5f2853a7fa2778bf4d6e364c87b4e5b5d138023427438b7b1da63b35088b808570dd0ee6afee2b4bbb074c382905235ebe11d176f4cc2fed3696e21b2ad358b947d04ed37cd9220e99ed966be0383e38cddf373b3ae514a7fca704d15fe46306bf4a8f0c570e7f5486ae6273269d89902818031055903f23c7db8da8951aad134c83a7ca951c48c9a7b994f36d9815bc82c80527b6da8e4beff9fee67b1fde5064719a40448bd6d70d9da8910122402835a328e74cfd34e8b568c29fae6ff831ef824fc825e609547a06052a4113ec09f00649bb7b7d195a773f11711c88f152b10a1b4ae58bb6d8bfc176e39f96c7c0de5c8'
+  1, X'308204a30201000282010100ca2f633dd4bbba0586215b15a0312f73f533124f0b339b9ae13bb648b02b4c468e0f01e630fbef92197b7708f5dbffea7e496286966d75acf13bd5e4377a1821d82de102eadf9963b489041a0b0f9f76b79e2150aa39020e3fa52a677dbb879c986291e4f1542fe2f0494e9c5c954d4faa75a17aa7b56652f1b16efbdcb46697f7d0b7f520bc990205365938d2cd31f2beed30e761a56c02d9dc82f0cdefc9d43447b6a98f7628aed2ac127a4a9504838f66e7517e5e0b0672c8165474bce689f73a6fc6e3c72b2c45498ddbbc0b17b04915606fe94f256cc777c42c534560ffbbe5aacdd944cc8db4d2abaf8a294af55b03a6a01a54d78430ab78389753c287020301000102820100204507f5ea6a3bfa7db9fd2baa71af3d36b97c0699a71702d5480e83f37a35a65d2e10038975ec7ac90e67a54a785e9432abcbc9e7607913ad3cfb9a7d304381c35b2f3aa3fa242541bf4ca44b77a6dfefd69142aaa886a777890907938dc6cb3b971fea068a854a1747dc0020d6c38c1f8cbec530d747099e01cfd0eb1ceff2b077bd07aaef4989b75594614b16a778891a2e490369d2a9571ddf5cd165331638a8a3c96184a8259eb588caab3bbfab9c0f77b66c830ecf0f294dc1b67a5f36b75e3e095e247864f19ab212fdbf34e0925316ca13c342b4ba464ecf93d2a8e39eee24dd63dddd938101a9f4b8f0de90765e1c1fda5c62e161cc712794aeaea102818100f85d60a6990447926da1ab9db7f094a5d435b11f70c5fef9541a89e05898001190cfdc651b8a23ccbfe8e7bdacd225776f01699d06be5ae5abc4690fe99b81fd9f369e973437fbcba2efdbe1dc6f8389fb2be78e3847f4f05323b2c7b6b6a4c85ca0aa72642747434f4358f0baf10ab173f9c3f24e9674570179dde23c6c248d02818100d06693eb5c92b6d516f630b79b1b98ea3910cbc4c442a4779ce16f5b09825c858ea4dfcc4d33eeb3e4de971a7fa5d2a153e9a83e65f7527ca77b93efc257960eadd8ce5b57e590d9189e542652ae3677c623343a39c1d16dbef3069406eaa4913eeba06e0a3af3c8539dbd4be7d9caf3ccd654ae397ae7faa72ba823e4b0206302818100ef2bc4f249f28415ef7b3bafd33d5b7861e61e9e7f543c18d0340a4840288810625ab90ba8bc9b8305dffca27c75965cf049f4f1a157d862c9c987bf2a2075cacdf2a44049aa0bd16b23fea3ff4a67ea8d351774aea024b0f5ef2fb00134db749336a94d254369edd8bbab3f8f56a60c82f9a807844480de746e6e0cfa50cdd50281807b32d8e93fadc00612eff176e96c14270b1b41cb0dd6f3d17e5dcaedbf9e6041d844e1c4ae33303f0ae307e2f3693d2e8023d68124d863dc2b4aa3f70e25a7210066f5ff0be43b900bbcb5b47e165d3ecb544e70c96a29fbbdf17f870cdbb3f3e585782ef53f4a94b7d1bd715d1be49de20f26ba6462a3370b928470cba5cf4f028180324ffacf705e6746f741d24ff6aa0bb14aad55cba41eb7758e6cc0d51f40feac6b4a459ce374af424287f602b0614520079b436b8e90cde0ddff679304e9efdd74a2ffbfe6e4e1bd1236c360413f2d2656e00b3e3cb217567671bf73a722a222e5e85d109fe2c77caf5951f5b9f4171c744afa717fe7e9306488e6ab87341298'
 );
 
 INSERT INTO private_key_identity (
diff --git a/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf
index afbc20ab0..66be5fab4 100644
--- a/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf
@@ -6,7 +6,7 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl test-vectors aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown sqlite sql
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown sqlite sql
 }
 
 libstrongswan {
diff --git a/testing/tests/sql/rw-eap-aka-rsa/evaltest.dat b/testing/tests/sql/rw-eap-aka-rsa/evaltest.dat
index 5de841c03..aca7b045b 100644
--- a/testing/tests/sql/rw-eap-aka-rsa/evaltest.dat
+++ b/testing/tests/sql/rw-eap-aka-rsa/evaltest.dat
@@ -1,7 +1,7 @@
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
 moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon::ipsec statusall::rw-eapaka.*ESTABLISHED::YES
+moon::ipsec statusall::rw-eap-aka.*ESTABLISHED::YES
 carol::ipsec statusall::home.*ESTABLISHED::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/ipsec.d/data.sql
index 2ea4f598f..d574e380a 100644
--- a/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/ipsec.d/data.sql
@@ -9,7 +9,7 @@ INSERT INTO identities (
 INSERT INTO identities (
   type, data
 ) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
-  202, X'ae096b87b44886d3b820978623dabd0eae22ebbc'
+  11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def'
  );
 
 INSERT INTO identities (
diff --git a/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf
index d0bbaf726..c45b3ebd8 100644
--- a/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf
@@ -3,8 +3,8 @@
 charon {
   plugins {
     sql {
-      database = sqlite:///etc/ipsec.d/ipsec.db 
+      database = sqlite:///etc/ipsec.d/ipsec.db
     }
   }
-  load = curl aes des sha1 sha2 md5 fips-prf gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown sqlite sql eapaka
+  load = curl aes des sha1 sha2 md5 fips-prf pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown sqlite sql eap-aka eap-aka-3gpp2
 }
diff --git a/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/ipsec.d/data.sql
index 5d262877f..2cd45fbf0 100644
--- a/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/ipsec.d/data.sql
@@ -9,7 +9,7 @@ INSERT INTO identities (
 INSERT INTO identities (
   type, data
 ) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
-  202, X'ae096b87b44886d3b820978623dabd0eae22ebbc'
+  11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def'
  );
 
 INSERT INTO identities (
@@ -21,7 +21,7 @@ INSERT INTO identities (
 INSERT INTO identities (
   type, data
 ) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */
-  202, X'd70dbd46d5133519064f12f100525ead0802ca95'
+  11, X'6a9c74d1f8897989f65a94e989f1fac3649d292e'
  );
 
 INSERT INTO identities (
@@ -47,7 +47,7 @@ INSERT INTO certificates (
 INSERT INTO certificates (
    type, keytype, data
 ) VALUES ( /* C=CH, O=Linux strongSwan, CN=moon.strongswan.org */
-  1, 1, X'3082040d308202f5a003020102020103300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131313732355a170d3039303930393131313732355a3046310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311c301a060355040313136d6f6f6e2e7374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100afae2e109ac0a71b437b6f1a9e5194d085c999fe2c8de11b261f016c88e734eb1a6767b15bc7d8338bf3acc14e8a18bf857fd3dfbce637e9b0d3654f15d9068bdf4450517cf72651be8d4c8ff738ea961b2f5584bf7089afaa0a37b94910d18083bf649a7d395a41f04e68f14494d10ffc7d984a2c81e97f3421c1ec38c629b2456a3d8f3bf3915e86317ea71bb24422bef475e677e8967670b4f6ee2a80a45adcbd086a6537ab5fc12bf69f9072b620020de1880cec6cdea47543d1fec4c5ff547ac2447a1e210d9c128dc3337726eb63d5c1c731aa2c63ce175dbc8ebfb9c1e5198815be473781c3f82c2b59d23deb9739dda53c98d31a3fba57760aeaa89b0203010001a38201053082010130090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e04160414e5e410876c2ac4bead854942a6de7658303a9fc1306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100301e0603551d110417301582136d6f6f6e2e7374726f6e677377616e2e6f726730390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f7374726f6e677377616e2e63726c300d06092a864886f70d010104050003820101002f2f2921667aa576bb0c71b601dfa5b358a93e84e8a1af9754ddfbfc67879cb6c6b7833c5749e7c30b11a87b3549e105dda5d371c459f7d40fabd60c4ac8623924be84c96cfa638eb6ce9f6513b9d61080b895d270c405eacc310c709a613b6f61029c94f535ac5836b890be402ad2c52f01f7fd4bff8c0cc0cbea9720ef21c0bb41fb0726852a3c38563d917fdcca186dede6fbc83febd9edf0541382464ee378f7b8c9684df0d2402b07eb11dd4a886ab5e7299d99ea2686994746c2d9c00d95b02b2950d67f7978c6db5b379c4a3170239c414cf743bab866005366809690073a150e73c6866b9b335616acdbd3a8e651596dedb686b5d8d3eeb12df9d729'
+  1, 1, X'308204223082030aa003020102020117300d06092a864886f70d01010b05003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3039303832373130303333325a170d3134303832363130303333325a3046310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311c301a060355040313136d6f6f6e2e7374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100ca2f633dd4bbba0586215b15a0312f73f533124f0b339b9ae13bb648b02b4c468e0f01e630fbef92197b7708f5dbffea7e496286966d75acf13bd5e4377a1821d82de102eadf9963b489041a0b0f9f76b79e2150aa39020e3fa52a677dbb879c986291e4f1542fe2f0494e9c5c954d4faa75a17aa7b56652f1b16efbdcb46697f7d0b7f520bc990205365938d2cd31f2beed30e761a56c02d9dc82f0cdefc9d43447b6a98f7628aed2ac127a4a9504838f66e7517e5e0b0672c8165474bce689f73a6fc6e3c72b2c45498ddbbc0b17b04915606fe94f256cc777c42c534560ffbbe5aacdd944cc8db4d2abaf8a294af55b03a6a01a54d78430ab78389753c2870203010001a382011a3082011630090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e041604146a9c74d1f8897989f65a94e989f1fac3649d292e306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100301e0603551d110417301582136d6f6f6e2e7374726f6e677377616e2e6f726730130603551d25040c300a06082b0601050507030130390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f7374726f6e677377616e2e63726c300d06092a864886f70d01010b050003820101009cb57836c5e328cda4d58e204bd4ff0c63db841f926d53411c790d516c8e7fdaf191767102343f68003639bda99a684d8c76ad9087fbe55e730ba378a2e442e3b1095875361939c30e75c5145d8bdb6c55f5730a64061c819751f6e4aa6d1dc810fc79dc78aa7790ebaac183988e0c1e3d7ba5729597c7413642d40215041914fc8459e349c47d28825839dd03d77c763d236fc6ba48f95746f3a7b304d06b3c29d9d87666db0eacd080fb2d6bdebf9be1e8265b2b545fb81aa8a18fa056301436c9b8cf599746de81fddb9704f2feb4472f7c0f467fb7281b014167879a0ebda7fae36a5a5607376a803bec8f14f94663102c484a8887ba5b58ed04ee7cec0f'
 );
 
 INSERT INTO certificate_identity (
@@ -79,7 +79,7 @@ INSERT INTO certificate_identity (
 INSERT INTO private_keys (
    type, data
 ) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */
-  1, X'308204a30201000282010100afae2e109ac0a71b437b6f1a9e5194d085c999fe2c8de11b261f016c88e734eb1a6767b15bc7d8338bf3acc14e8a18bf857fd3dfbce637e9b0d3654f15d9068bdf4450517cf72651be8d4c8ff738ea961b2f5584bf7089afaa0a37b94910d18083bf649a7d395a41f04e68f14494d10ffc7d984a2c81e97f3421c1ec38c629b2456a3d8f3bf3915e86317ea71bb24422bef475e677e8967670b4f6ee2a80a45adcbd086a6537ab5fc12bf69f9072b620020de1880cec6cdea47543d1fec4c5ff547ac2447a1e210d9c128dc3337726eb63d5c1c731aa2c63ce175dbc8ebfb9c1e5198815be473781c3f82c2b59d23deb9739dda53c98d31a3fba57760aeaa89b0203010001028201004080550d67a42036945a377ab072078f5fef9b0885573a34fb941ab3bcb816e7d2f3f050600049d2f3296e5e32f5e50c3c79a852d74a377127a915e329845b30f3b26342e7fcde26d92d8bd4b7d23fdf08f02217f129e2838a8ce1d4b78ce33eaa2095515b74b93cc87c216fa3dc77bdc4d86017ababaf0d3318c9d86f27e29aa3301f6d7990f6f7f71db9de23ac66800ba0db4f42bbe82932ca56e08ba730c63febaf2779198cee387ee0934b32a2610ab990a4b908951bb1db2345cf1905f11aeaa6d1b368b7f82b1345ad14544e11d47d6981fc4be083326050cb950363dad1b28dbc16db42ec0fa973312c7306063bc9f308a6b0bcc965e5cb7e0b323ca102818100e71fffd9c9a528bdcb6e9ad1a5f4b354e3ea337392784aac790b4fba7f46b3b58d55965573f6493b686375cf6a0c68da9379434b055b625f01d64a9f1934cb075b25db5ef568325039674d577590b5ec54284842e04c27c97103a151805c9b620a3df84181e3a0c10752a7da6cac9629471a2bc85b32c3a160f3a8adf2d783d302818100c2968f5baf0d246bb9671b1dcfadab3a23cd6f9f1cba8c4b0d9b09d6c30a24eec174f22a4d9d2818d760b79a61c9cdd1381487723a99773a629b58171a6e28706bf083700f35037a0cb0649c9359987ccf77b44b4b3d94c614c74537c7025b503dc9967095411ecaec4b4427bc39dd5dfccbb8bab5d92e9465ab11e5e05d7319028181008b306e388e837461b89dc786f256c7991c18f31b6ade1eba77bb242cc071a7d0726954bbe9b62cac26559fa165d04b6536e3146f9dae4733c83b717d1705003051e81e90b56226cac18740c0a7009b4ed3efde74c7f7950e6f8d2c1d951c30477ebb8b428822b9b105e3f54a49a0365e6d7f895683f5b273019c3bbd663dfc190281807f5def6e12b1a682407405a2c8ba2356c5f2853a7fa2778bf4d6e364c87b4e5b5d138023427438b7b1da63b35088b808570dd0ee6afee2b4bbb074c382905235ebe11d176f4cc2fed3696e21b2ad358b947d04ed37cd9220e99ed966be0383e38cddf373b3ae514a7fca704d15fe46306bf4a8f0c570e7f5486ae6273269d89902818031055903f23c7db8da8951aad134c83a7ca951c48c9a7b994f36d9815bc82c80527b6da8e4beff9fee67b1fde5064719a40448bd6d70d9da8910122402835a328e74cfd34e8b568c29fae6ff831ef824fc825e609547a06052a4113ec09f00649bb7b7d195a773f11711c88f152b10a1b4ae58bb6d8bfc176e39f96c7c0de5c8'
+  1, X'308204a30201000282010100ca2f633dd4bbba0586215b15a0312f73f533124f0b339b9ae13bb648b02b4c468e0f01e630fbef92197b7708f5dbffea7e496286966d75acf13bd5e4377a1821d82de102eadf9963b489041a0b0f9f76b79e2150aa39020e3fa52a677dbb879c986291e4f1542fe2f0494e9c5c954d4faa75a17aa7b56652f1b16efbdcb46697f7d0b7f520bc990205365938d2cd31f2beed30e761a56c02d9dc82f0cdefc9d43447b6a98f7628aed2ac127a4a9504838f66e7517e5e0b0672c8165474bce689f73a6fc6e3c72b2c45498ddbbc0b17b04915606fe94f256cc777c42c534560ffbbe5aacdd944cc8db4d2abaf8a294af55b03a6a01a54d78430ab78389753c287020301000102820100204507f5ea6a3bfa7db9fd2baa71af3d36b97c0699a71702d5480e83f37a35a65d2e10038975ec7ac90e67a54a785e9432abcbc9e7607913ad3cfb9a7d304381c35b2f3aa3fa242541bf4ca44b77a6dfefd69142aaa886a777890907938dc6cb3b971fea068a854a1747dc0020d6c38c1f8cbec530d747099e01cfd0eb1ceff2b077bd07aaef4989b75594614b16a778891a2e490369d2a9571ddf5cd165331638a8a3c96184a8259eb588caab3bbfab9c0f77b66c830ecf0f294dc1b67a5f36b75e3e095e247864f19ab212fdbf34e0925316ca13c342b4ba464ecf93d2a8e39eee24dd63dddd938101a9f4b8f0de90765e1c1fda5c62e161cc712794aeaea102818100f85d60a6990447926da1ab9db7f094a5d435b11f70c5fef9541a89e05898001190cfdc651b8a23ccbfe8e7bdacd225776f01699d06be5ae5abc4690fe99b81fd9f369e973437fbcba2efdbe1dc6f8389fb2be78e3847f4f05323b2c7b6b6a4c85ca0aa72642747434f4358f0baf10ab173f9c3f24e9674570179dde23c6c248d02818100d06693eb5c92b6d516f630b79b1b98ea3910cbc4c442a4779ce16f5b09825c858ea4dfcc4d33eeb3e4de971a7fa5d2a153e9a83e65f7527ca77b93efc257960eadd8ce5b57e590d9189e542652ae3677c623343a39c1d16dbef3069406eaa4913eeba06e0a3af3c8539dbd4be7d9caf3ccd654ae397ae7faa72ba823e4b0206302818100ef2bc4f249f28415ef7b3bafd33d5b7861e61e9e7f543c18d0340a4840288810625ab90ba8bc9b8305dffca27c75965cf049f4f1a157d862c9c987bf2a2075cacdf2a44049aa0bd16b23fea3ff4a67ea8d351774aea024b0f5ef2fb00134db749336a94d254369edd8bbab3f8f56a60c82f9a807844480de746e6e0cfa50cdd50281807b32d8e93fadc00612eff176e96c14270b1b41cb0dd6f3d17e5dcaedbf9e6041d844e1c4ae33303f0ae307e2f3693d2e8023d68124d863dc2b4aa3f70e25a7210066f5ff0be43b900bbcb5b47e165d3ecb544e70c96a29fbbdf17f870cdbb3f3e585782ef53f4a94b7d1bd715d1be49de20f26ba6462a3370b928470cba5cf4f028180324ffacf705e6746f741d24ff6aa0bb14aad55cba41eb7758e6cc0d51f40feac6b4a459ce374af424287f602b0614520079b436b8e90cde0ddff679304e9efdd74a2ffbfe6e4e1bd1236c360413f2d2656e00b3e3cb217567671bf73a722a222e5e85d109fe2c77caf5951f5b9f4171c744afa717fe7e9306488e6ab87341298'
 );
 
 INSERT INTO private_key_identity (
@@ -98,20 +98,20 @@ INSERT INTO private_key_identity (
 
 INSERT INTO shared_secrets (
   type, data
-) VALUES ( 
+) VALUES (
   2, X'4172336574546e703031716c704f6762'
 );
 
 INSERT INTO shared_secret_identity (
   shared_secret, identity
 ) VALUES (
-  1, 3 
+  1, 3
 );
 
 INSERT INTO shared_secret_identity (
   shared_secret, identity
 ) VALUES (
-  1, 6 
+  1, 6
 );
 
 /* Configurations */
@@ -125,13 +125,13 @@ INSERT INTO ike_configs (
 INSERT INTO peer_configs (
   name, ike_cfg, local_id, remote_id, eap_type
 ) VALUES (
-  'rw-eapaka', 1, 3, 5, 23
+  'rw-eap-aka', 1, 3, 5, 23
 );
 
 INSERT INTO child_configs (
   name, updown
 ) VALUES (
-  'rw-eapaka', 'ipsec _updown iptables'
+  'rw-eap-aka', 'ipsec _updown iptables'
 );
 
 INSERT INTO peer_config_child_config (
diff --git a/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf
index 32e183aa8..d892e54ad 100644
--- a/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf
@@ -3,8 +3,8 @@
 charon {
   plugins {
     sql {
-      database = sqlite:///etc/ipsec.d/ipsec.db 
+      database = sqlite:///etc/ipsec.d/ipsec.db
     }
   }
-  load = aes des sha1 sha2 md5 fips-prf gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown sqlite sql eapaka
+  load = aes des sha1 sha2 md5 fips-prf pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown sqlite sql eap-aka eap-aka-3gpp2
 }
diff --git a/testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
index 0595de2f9..4d7891f5c 100644
--- a/testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink updown sqlite sql
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
index 0595de2f9..4d7891f5c 100644
--- a/testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink updown sqlite sql
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
index 0595de2f9..4d7891f5c 100644
--- a/testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink updown sqlite sql
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/strongswan.conf
index 0595de2f9..4d7891f5c 100644
--- a/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink updown sqlite sql
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/strongswan.conf
index 0595de2f9..4d7891f5c 100644
--- a/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink updown sqlite sql
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/strongswan.conf
index 0595de2f9..4d7891f5c 100644
--- a/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink updown sqlite sql
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/ipsec.d/data.sql
index 31c6bf81f..bb6a9ec80 100644
--- a/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/ipsec.d/data.sql
@@ -9,7 +9,7 @@ INSERT INTO identities (
 INSERT INTO identities (
   type, data
 ) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
-  202, X'ae096b87b44886d3b820978623dabd0eae22ebbc'
+  11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def'
  );
 
 INSERT INTO identities (
diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf
index 29e2395e8..f66e8ba8a 100644
--- a/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/ipsec.d/data.sql b/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/ipsec.d/data.sql
index e12ca449d..42082f400 100644
--- a/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/ipsec.d/data.sql
@@ -9,7 +9,7 @@ INSERT INTO identities (
 INSERT INTO identities (
   type, data
 ) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
-  202, X'ae096b87b44886d3b820978623dabd0eae22ebbc'
+  11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def'
  );
 
 INSERT INTO identities (
diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf
index 29e2395e8..f66e8ba8a 100644
--- a/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/ipsec.d/data.sql
index 4f66841fa..35598e97d 100644
--- a/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/ipsec.d/data.sql
@@ -9,7 +9,7 @@ INSERT INTO identities (
 INSERT INTO identities (
   type, data
 ) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
-  202, X'ae096b87b44886d3b820978623dabd0eae22ebbc'
+  11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def'
  );
 
 INSERT INTO identities (
@@ -21,7 +21,7 @@ INSERT INTO identities (
 INSERT INTO identities (
   type, data
 ) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */
-  202, X'd70dbd46d5133519064f12f100525ead0802ca95'
+  11, X'6a9c74d1f8897989f65a94e989f1fac3649d292e'
  );
 
 INSERT INTO identities (
@@ -53,7 +53,7 @@ INSERT INTO certificates (
 INSERT INTO certificates (
    type, keytype, data
 ) VALUES ( /* C=CH, O=Linux strongSwan, CN=moon.strongswan.org */
-  1, 1, X'3082040d308202f5a003020102020103300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131313732355a170d3039303930393131313732355a3046310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311c301a060355040313136d6f6f6e2e7374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100afae2e109ac0a71b437b6f1a9e5194d085c999fe2c8de11b261f016c88e734eb1a6767b15bc7d8338bf3acc14e8a18bf857fd3dfbce637e9b0d3654f15d9068bdf4450517cf72651be8d4c8ff738ea961b2f5584bf7089afaa0a37b94910d18083bf649a7d395a41f04e68f14494d10ffc7d984a2c81e97f3421c1ec38c629b2456a3d8f3bf3915e86317ea71bb24422bef475e677e8967670b4f6ee2a80a45adcbd086a6537ab5fc12bf69f9072b620020de1880cec6cdea47543d1fec4c5ff547ac2447a1e210d9c128dc3337726eb63d5c1c731aa2c63ce175dbc8ebfb9c1e5198815be473781c3f82c2b59d23deb9739dda53c98d31a3fba57760aeaa89b0203010001a38201053082010130090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e04160414e5e410876c2ac4bead854942a6de7658303a9fc1306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100301e0603551d110417301582136d6f6f6e2e7374726f6e677377616e2e6f726730390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f7374726f6e677377616e2e63726c300d06092a864886f70d010104050003820101002f2f2921667aa576bb0c71b601dfa5b358a93e84e8a1af9754ddfbfc67879cb6c6b7833c5749e7c30b11a87b3549e105dda5d371c459f7d40fabd60c4ac8623924be84c96cfa638eb6ce9f6513b9d61080b895d270c405eacc310c709a613b6f61029c94f535ac5836b890be402ad2c52f01f7fd4bff8c0cc0cbea9720ef21c0bb41fb0726852a3c38563d917fdcca186dede6fbc83febd9edf0541382464ee378f7b8c9684df0d2402b07eb11dd4a886ab5e7299d99ea2686994746c2d9c00d95b02b2950d67f7978c6db5b379c4a3170239c414cf743bab866005366809690073a150e73c6866b9b335616acdbd3a8e651596dedb686b5d8d3eeb12df9d729'
+  1, 1, X'308204223082030aa003020102020117300d06092a864886f70d01010b05003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3039303832373130303333325a170d3134303832363130303333325a3046310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311c301a060355040313136d6f6f6e2e7374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100ca2f633dd4bbba0586215b15a0312f73f533124f0b339b9ae13bb648b02b4c468e0f01e630fbef92197b7708f5dbffea7e496286966d75acf13bd5e4377a1821d82de102eadf9963b489041a0b0f9f76b79e2150aa39020e3fa52a677dbb879c986291e4f1542fe2f0494e9c5c954d4faa75a17aa7b56652f1b16efbdcb46697f7d0b7f520bc990205365938d2cd31f2beed30e761a56c02d9dc82f0cdefc9d43447b6a98f7628aed2ac127a4a9504838f66e7517e5e0b0672c8165474bce689f73a6fc6e3c72b2c45498ddbbc0b17b04915606fe94f256cc777c42c534560ffbbe5aacdd944cc8db4d2abaf8a294af55b03a6a01a54d78430ab78389753c2870203010001a382011a3082011630090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e041604146a9c74d1f8897989f65a94e989f1fac3649d292e306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100301e0603551d110417301582136d6f6f6e2e7374726f6e677377616e2e6f726730130603551d25040c300a06082b0601050507030130390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f7374726f6e677377616e2e63726c300d06092a864886f70d01010b050003820101009cb57836c5e328cda4d58e204bd4ff0c63db841f926d53411c790d516c8e7fdaf191767102343f68003639bda99a684d8c76ad9087fbe55e730ba378a2e442e3b1095875361939c30e75c5145d8bdb6c55f5730a64061c819751f6e4aa6d1dc810fc79dc78aa7790ebaac183988e0c1e3d7ba5729597c7413642d40215041914fc8459e349c47d28825839dd03d77c763d236fc6ba48f95746f3a7b304d06b3c29d9d87666db0eacd080fb2d6bdebf9be1e8265b2b545fb81aa8a18fa056301436c9b8cf599746de81fddb9704f2feb4472f7c0f467fb7281b014167879a0ebda7fae36a5a5607376a803bec8f14f94663102c484a8887ba5b58ed04ee7cec0f'
 );
 
 INSERT INTO certificate_identity (
@@ -85,7 +85,7 @@ INSERT INTO certificate_identity (
 INSERT INTO private_keys (
    type, data
 ) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */
-  1, X'308204a30201000282010100afae2e109ac0a71b437b6f1a9e5194d085c999fe2c8de11b261f016c88e734eb1a6767b15bc7d8338bf3acc14e8a18bf857fd3dfbce637e9b0d3654f15d9068bdf4450517cf72651be8d4c8ff738ea961b2f5584bf7089afaa0a37b94910d18083bf649a7d395a41f04e68f14494d10ffc7d984a2c81e97f3421c1ec38c629b2456a3d8f3bf3915e86317ea71bb24422bef475e677e8967670b4f6ee2a80a45adcbd086a6537ab5fc12bf69f9072b620020de1880cec6cdea47543d1fec4c5ff547ac2447a1e210d9c128dc3337726eb63d5c1c731aa2c63ce175dbc8ebfb9c1e5198815be473781c3f82c2b59d23deb9739dda53c98d31a3fba57760aeaa89b0203010001028201004080550d67a42036945a377ab072078f5fef9b0885573a34fb941ab3bcb816e7d2f3f050600049d2f3296e5e32f5e50c3c79a852d74a377127a915e329845b30f3b26342e7fcde26d92d8bd4b7d23fdf08f02217f129e2838a8ce1d4b78ce33eaa2095515b74b93cc87c216fa3dc77bdc4d86017ababaf0d3318c9d86f27e29aa3301f6d7990f6f7f71db9de23ac66800ba0db4f42bbe82932ca56e08ba730c63febaf2779198cee387ee0934b32a2610ab990a4b908951bb1db2345cf1905f11aeaa6d1b368b7f82b1345ad14544e11d47d6981fc4be083326050cb950363dad1b28dbc16db42ec0fa973312c7306063bc9f308a6b0bcc965e5cb7e0b323ca102818100e71fffd9c9a528bdcb6e9ad1a5f4b354e3ea337392784aac790b4fba7f46b3b58d55965573f6493b686375cf6a0c68da9379434b055b625f01d64a9f1934cb075b25db5ef568325039674d577590b5ec54284842e04c27c97103a151805c9b620a3df84181e3a0c10752a7da6cac9629471a2bc85b32c3a160f3a8adf2d783d302818100c2968f5baf0d246bb9671b1dcfadab3a23cd6f9f1cba8c4b0d9b09d6c30a24eec174f22a4d9d2818d760b79a61c9cdd1381487723a99773a629b58171a6e28706bf083700f35037a0cb0649c9359987ccf77b44b4b3d94c614c74537c7025b503dc9967095411ecaec4b4427bc39dd5dfccbb8bab5d92e9465ab11e5e05d7319028181008b306e388e837461b89dc786f256c7991c18f31b6ade1eba77bb242cc071a7d0726954bbe9b62cac26559fa165d04b6536e3146f9dae4733c83b717d1705003051e81e90b56226cac18740c0a7009b4ed3efde74c7f7950e6f8d2c1d951c30477ebb8b428822b9b105e3f54a49a0365e6d7f895683f5b273019c3bbd663dfc190281807f5def6e12b1a682407405a2c8ba2356c5f2853a7fa2778bf4d6e364c87b4e5b5d138023427438b7b1da63b35088b808570dd0ee6afee2b4bbb074c382905235ebe11d176f4cc2fed3696e21b2ad358b947d04ed37cd9220e99ed966be0383e38cddf373b3ae514a7fca704d15fe46306bf4a8f0c570e7f5486ae6273269d89902818031055903f23c7db8da8951aad134c83a7ca951c48c9a7b994f36d9815bc82c80527b6da8e4beff9fee67b1fde5064719a40448bd6d70d9da8910122402835a328e74cfd34e8b568c29fae6ff831ef824fc825e609547a06052a4113ec09f00649bb7b7d195a773f11711c88f152b10a1b4ae58bb6d8bfc176e39f96c7c0de5c8'
+  1, X'308204a30201000282010100ca2f633dd4bbba0586215b15a0312f73f533124f0b339b9ae13bb648b02b4c468e0f01e630fbef92197b7708f5dbffea7e496286966d75acf13bd5e4377a1821d82de102eadf9963b489041a0b0f9f76b79e2150aa39020e3fa52a677dbb879c986291e4f1542fe2f0494e9c5c954d4faa75a17aa7b56652f1b16efbdcb46697f7d0b7f520bc990205365938d2cd31f2beed30e761a56c02d9dc82f0cdefc9d43447b6a98f7628aed2ac127a4a9504838f66e7517e5e0b0672c8165474bce689f73a6fc6e3c72b2c45498ddbbc0b17b04915606fe94f256cc777c42c534560ffbbe5aacdd944cc8db4d2abaf8a294af55b03a6a01a54d78430ab78389753c287020301000102820100204507f5ea6a3bfa7db9fd2baa71af3d36b97c0699a71702d5480e83f37a35a65d2e10038975ec7ac90e67a54a785e9432abcbc9e7607913ad3cfb9a7d304381c35b2f3aa3fa242541bf4ca44b77a6dfefd69142aaa886a777890907938dc6cb3b971fea068a854a1747dc0020d6c38c1f8cbec530d747099e01cfd0eb1ceff2b077bd07aaef4989b75594614b16a778891a2e490369d2a9571ddf5cd165331638a8a3c96184a8259eb588caab3bbfab9c0f77b66c830ecf0f294dc1b67a5f36b75e3e095e247864f19ab212fdbf34e0925316ca13c342b4ba464ecf93d2a8e39eee24dd63dddd938101a9f4b8f0de90765e1c1fda5c62e161cc712794aeaea102818100f85d60a6990447926da1ab9db7f094a5d435b11f70c5fef9541a89e05898001190cfdc651b8a23ccbfe8e7bdacd225776f01699d06be5ae5abc4690fe99b81fd9f369e973437fbcba2efdbe1dc6f8389fb2be78e3847f4f05323b2c7b6b6a4c85ca0aa72642747434f4358f0baf10ab173f9c3f24e9674570179dde23c6c248d02818100d06693eb5c92b6d516f630b79b1b98ea3910cbc4c442a4779ce16f5b09825c858ea4dfcc4d33eeb3e4de971a7fa5d2a153e9a83e65f7527ca77b93efc257960eadd8ce5b57e590d9189e542652ae3677c623343a39c1d16dbef3069406eaa4913eeba06e0a3af3c8539dbd4be7d9caf3ccd654ae397ae7faa72ba823e4b0206302818100ef2bc4f249f28415ef7b3bafd33d5b7861e61e9e7f543c18d0340a4840288810625ab90ba8bc9b8305dffca27c75965cf049f4f1a157d862c9c987bf2a2075cacdf2a44049aa0bd16b23fea3ff4a67ea8d351774aea024b0f5ef2fb00134db749336a94d254369edd8bbab3f8f56a60c82f9a807844480de746e6e0cfa50cdd50281807b32d8e93fadc00612eff176e96c14270b1b41cb0dd6f3d17e5dcaedbf9e6041d844e1c4ae33303f0ae307e2f3693d2e8023d68124d863dc2b4aa3f70e25a7210066f5ff0be43b900bbcb5b47e165d3ecb544e70c96a29fbbdf17f870cdbb3f3e585782ef53f4a94b7d1bd715d1be49de20f26ba6462a3370b928470cba5cf4f028180324ffacf705e6746f741d24ff6aa0bb14aad55cba41eb7758e6cc0d51f40feac6b4a459ce374af424287f602b0614520079b436b8e90cde0ddff679304e9efdd74a2ffbfe6e4e1bd1236c360413f2d2656e00b3e3cb217567671bf73a722a222e5e85d109fe2c77caf5951f5b9f4171c744afa717fe7e9306488e6ab87341298'
 );
 
 INSERT INTO private_key_identity (
diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf
index 29e2395e8..f66e8ba8a 100644
--- a/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-rsa-keyid/evaltest.dat b/testing/tests/sql/rw-rsa-keyid/evaltest.dat
index ff52c91d9..941df6ac9 100644
--- a/testing/tests/sql/rw-rsa-keyid/evaltest.dat
+++ b/testing/tests/sql/rw-rsa-keyid/evaltest.dat
@@ -1,7 +1,7 @@
-moon::ipsec statusall::rw.*ESTABLISHED.*d7:0d:.*:ca:95.*98:5c:.*:d4:82::YES
-moon::ipsec statusall::rw.*ESTABLISHED.*d7:0d:.*:ca:95.*f6:51:.*:ea:25::YES
-carol::ipsec statusall::home.*ESTABLISHED.*98:5c:.*:d4:82.*d7:0d:.*:ca:95::YES
-dave::ipsec statusall::home.*ESTABLISHED.*f6:51:.*:ea:25.*d7:0d:.*:ca:95::YES
+moon::ipsec statusall::rw.*ESTABLISHED.*6a:9c:.*:29:2e.*1f:a1:.*:6e:7c::YES
+moon::ipsec statusall::rw.*ESTABLISHED.*6a:9c:.*:29:2e.*ee:7f:.*:8e:0e::YES
+carol::ipsec statusall::home.*ESTABLISHED.*1f:a1:.*:6e:7c.*6a:9c:.*:29:2e::YES
+dave::ipsec statusall::home.*ESTABLISHED.*ee:7f:.*:8e:0e.*6a:9c:.*:29:2e::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
 dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/ipsec.d/data.sql
index bdb963542..f5d06eaba 100644
--- a/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/ipsec.d/data.sql
@@ -15,13 +15,13 @@ INSERT INTO identities (
 INSERT INTO identities (
   type, data
 ) VALUES ( /* keyid of carol@strongswan.org */
-  11, X'985c23660cd9b9a7554da6a4aa31ea02230fd482'
+  11, X'1fa1a988d9648cb5a0a2546439b4f23d745d6e7c'
  );
 
 INSERT INTO identities (
   type, data
 ) VALUES ( /* keyid of moon.strongswan.org */
-  11, X'd70dbd46d5133519064f12f100525ead0802ca95'
+  11, X'6a9c74d1f8897989f65a94e989f1fac3649d292e'
  );
 
 /* Certificates */
@@ -29,13 +29,13 @@ INSERT INTO identities (
 INSERT INTO certificates (
    type, keytype, data
 ) VALUES ( /* carol@strongswan.org */
-  6, 1, X'30820122300d06092a864886f70d01010105000382010f003082010a0282010100b81b84920408e086c8d278d3ad2e9ffc01b89e8c423b612b908010f8174ff96f6729e84b185fb96e60783082c507ace9d64f79beb0252e05e5f1f7a89a0b33e6789f5deb665084cb230191c165bcad1a34563e011b349bb6ab517f01ecf7e2f4de961d36203b85e97811cb26b650cfd014d15dd2d2b71efd656e5638a24bf70986b8128bbae5f3b428d6360e03d3f4e816502e3d1d14d7165ab1a92a9fe15ef045d4e48ff5bd798ec80c9420962c9a9798b54a0ed2a00cf2c9651d7d9882e181c1ef6b1c43edcada2fd191e109962dbd26f38a00208c1ac3ed27a5924c60330c79878eb5c7a90960a6472f979aca9c5aee2bb4d0aed395b546c5e361910a06370203010001'
+  6, 1, X'30820122300d06092a864886f70d01010105000382010f003082010a0282010100d05d594f8117bc78972a3ec479ebe1400e53cf72410b93e6f74fa17cf1ea444fb23600bae92d81747e49a2e4407c3f6118033d22a3e67ce69a53907ffad646bfbc3b6abe0bdd9a5080a690dbd919a9a8e70d9694e319e93e5d9361eff9033ac53fc6cd6c95af574c62effbb72c03d41c3b696fc7aa4444483bbaabde555aef8bce0e9797108d11ecf462c66b37f7c2e812f6ab3280a8c05b207156f0e3a787e9c4638205e40ce466716bc35d8623bd99f3cda9c3dee5c8ac19852cff18c405049c7eae735dc393f5209c13946e4f51da030ad7bf31caf58a203eccea2fc79e71d46a06c5dba85d65397a0adfd4cb5a9517fd3dcf17af8ab7584293026b19ad510203010001'
 );
 
 INSERT INTO certificates (
    type, keytype, data
 ) VALUES ( /* moon.strongswan.org */
-  6, 1, X'30820122300d06092a864886f70d01010105000382010f003082010a0282010100afae2e109ac0a71b437b6f1a9e5194d085c999fe2c8de11b261f016c88e734eb1a6767b15bc7d8338bf3acc14e8a18bf857fd3dfbce637e9b0d3654f15d9068bdf4450517cf72651be8d4c8ff738ea961b2f5584bf7089afaa0a37b94910d18083bf649a7d395a41f04e68f14494d10ffc7d984a2c81e97f3421c1ec38c629b2456a3d8f3bf3915e86317ea71bb24422bef475e677e8967670b4f6ee2a80a45adcbd086a6537ab5fc12bf69f9072b620020de1880cec6cdea47543d1fec4c5ff547ac2447a1e210d9c128dc3337726eb63d5c1c731aa2c63ce175dbc8ebfb9c1e5198815be473781c3f82c2b59d23deb9739dda53c98d31a3fba57760aeaa89b0203010001'
+  6, 1, X'30820122300d06092a864886f70d01010105000382010f003082010a0282010100ca2f633dd4bbba0586215b15a0312f73f533124f0b339b9ae13bb648b02b4c468e0f01e630fbef92197b7708f5dbffea7e496286966d75acf13bd5e4377a1821d82de102eadf9963b489041a0b0f9f76b79e2150aa39020e3fa52a677dbb879c986291e4f1542fe2f0494e9c5c954d4faa75a17aa7b56652f1b16efbdcb46697f7d0b7f520bc990205365938d2cd31f2beed30e761a56c02d9dc82f0cdefc9d43447b6a98f7628aed2ac127a4a9504838f66e7517e5e0b0672c8165474bce689f73a6fc6e3c72b2c45498ddbbc0b17b04915606fe94f256cc777c42c534560ffbbe5aacdd944cc8db4d2abaf8a294af55b03a6a01a54d78430ab78389753c2870203010001'
 );
 
 INSERT INTO certificate_identity (
@@ -67,7 +67,7 @@ INSERT INTO certificate_identity (
 INSERT INTO private_keys (
    type, data
 ) VALUES ( /* key of carol@strongswan.org' */
-  1, X'308204a30201000282010100b81b84920408e086c8d278d3ad2e9ffc01b89e8c423b612b908010f8174ff96f6729e84b185fb96e60783082c507ace9d64f79beb0252e05e5f1f7a89a0b33e6789f5deb665084cb230191c165bcad1a34563e011b349bb6ab517f01ecf7e2f4de961d36203b85e97811cb26b650cfd014d15dd2d2b71efd656e5638a24bf70986b8128bbae5f3b428d6360e03d3f4e816502e3d1d14d7165ab1a92a9fe15ef045d4e48ff5bd798ec80c9420962c9a9798b54a0ed2a00cf2c9651d7d9882e181c1ef6b1c43edcada2fd191e109962dbd26f38a00208c1ac3ed27a5924c60330c79878eb5c7a90960a6472f979aca9c5aee2bb4d0aed395b546c5e361910a063702030100010282010100a7870abc1f85c061858dd7baae24f61947abaa41f0e6bd85f9c83f28b175e980d0bc168f76cf6c199f18def3afbc4b40c0edb2d7accb3834cfc7bd57234d3c5de4b707ac737ea3478144255079761581f9cbdc41ff72809ad90ba069ad2ae7cf7057e29ee4f7a4e40c890c75de826c8768da16e9072af0bd1db6282902ade34cb1b9c3fdd00a8f0330328e18d477009ac5a43952fe05b7257b8b4e7f8f5288e858ef56ea3a031980d38b879e6327d949a8f3c19bf379c1297b3defc0a374a6ea6f1c0e8124247c33392ae446081f486f58bb41cbcba25915d37eefe0828408f7f679841588424ef59b6dee30805b926fa80e7ff57cb4817167ca72bf51c8cf9102818100da567b0cbbc426e4455ffdd1b8013644d9f47785b05b163a0155c81d57c0cd84fe73aa75125caf116de50b7adc369707ed91127db7d4422bb08cff5ddf91f4a0e5fb264e098fe6fe62f8a2ab933eeac41893f365d8165f79143855b5a5b7dc31c9b34a9d453ee7c8d7b24f89e3ed51bfeadc2e1102308a967b241dfb44c8ad6902818100d7dd78437c533a15fd1dd6b0634334e79c31d215017f5a8869e42cbada3fb09167585e087e72f91575441f7cca9a64246df57f0e45f1ae86a289a4307586aa1cc3cd069c65057cc3b0baac3634064e53179bde9af2531a5af2770a1d7ccbdc263f18299ad2ec0d224b718002633a546af74c7cac72ccdf253ab4370137bf829f02818063b2f5c15cc43716296fa9d167fa75b37eeb18e0dd24dac365f4abca6a55ca031ec5e6624b1e337afbf9890273282253267206458df9c8b5768b0bd8ebcc142e9c95d069f607d5ecf7789d9f473f85a841a8dd8df5dc518052715f01f14841ae22725271fa3abd5082de135fddca7277f660d05047f5ae73048bfb7ccf6deb7102818028b2b4ade48ebc70d0dc03521624e1a0992e3b71826ac462dbb40d4add430cc31d3ce7ddaa197b24b48b37748bae381b363006d8660f7edc1b60dff7d2f0a4b9efa0841290694c7088ad69327ef48167e1179e0c908b6278ab260e5e28dd36906f6cdacb39e10f48dbf8762dfd0f4e432c84db2c98285019f0cb7163656351f902818042a7d7d7f9416b3f3b50cf5815dfbc249cd3572e494c76d1ae99dc1e8bc63fbb32e5c18d5c4f90681e9046999cdcf0826f904350b9d67227f606382d9c7b3b1332d22744b2cefa691ab82dbec8e976a406b0902d0f4889392f80d39e2581ac42feed9085964650485e34811b04fa1f34c47cde5cbdd1d20f30111851a3c187ca'
+  1, X'308204a40201000282010100d05d594f8117bc78972a3ec479ebe1400e53cf72410b93e6f74fa17cf1ea444fb23600bae92d81747e49a2e4407c3f6118033d22a3e67ce69a53907ffad646bfbc3b6abe0bdd9a5080a690dbd919a9a8e70d9694e319e93e5d9361eff9033ac53fc6cd6c95af574c62effbb72c03d41c3b696fc7aa4444483bbaabde555aef8bce0e9797108d11ecf462c66b37f7c2e812f6ab3280a8c05b207156f0e3a787e9c4638205e40ce466716bc35d8623bd99f3cda9c3dee5c8ac19852cff18c405049c7eae735dc393f5209c13946e4f51da030ad7bf31caf58a203eccea2fc79e71d46a06c5dba85d65397a0adfd4cb5a9517fd3dcf17af8ab7584293026b19ad51020301000102820101008a86f560a12fd9b2c6b5646395b757db116b7108c1ebe399f3a43275f213d0f4b743a5fa9e1a0dee1823f6b30f984b3ecf0b20330e8aa7515d1adf7fe6915d1a0e17e6a0911cf4823ef5fe6adb8c6f3a86da86d9579f1b6dc622bd4320e79fc411e1a72360e4e1023ce8d60df2aa5cf3a420361ba5bc9b34f6d8e578fc8067aef457ff2a5a91f7c7c8a4f242cc46ab1cff18d6d1a4d8b82b5791df1f18a04b8cb2da235c3a795900fa7ffbbcb4b1d079a504673794eeca5e75c8c16ad2558965453515f57180b8dc518710aa874cd3bcdeddf109d5b553c27a351437f9c1bcdf8940f3ff8632dd59f6c8e01107b4bbf49c6c5409b6e9ecb29eada333800fa5d102818100f5537045d067df4d786df67e1cfea01ce3ca6de3f06be48efd8b4dc48c1ec19a711003875ee202343c851c8f970d2160a2e4d1108da6437af6bccfae803f61fc450582a89aa0906cba65fc7033aa584c1a2a17e96b2f368951aedaa5261f6e1c14999cfa7f4c4091890eff281cb4e6f37209f4b6d5778607caeca0a15137746d02818100d96e379ba5b4ed604d84a7ed71678a1f23391b749a697289bd3bee5d17985af89264f5ec35d3e37b1e44d6fdafec8a78ae199e0bb680f59f9800bb894ba5b31ee964f3ddc142f361835cf49a1edb75330f44f33c26c56e0752ae3fe0df760838b6437b99a131cb544d64da996baf3bc3f5709cc75f134b048cdebbf8bed1a5f502818017e2d8e2a34909cff432d8b62cc289fa661f7695a3fa0d55f2cfd67195a704f8b19b7a8c7aab8cc563431ea5c87249d6abe595898411352ecac9557b4b1760c5fc3e6e1b567addb5086d17a8210fabeb34fcf6390eeb98e6c3e23f7da6f99671fb7b7d725264ad40be548c796e5a1ac6874afaddb6691dceb26e59b17b43e7fd02818100ac90cb559f089fb56510b9eebba8bf78c30dd9fa8b6ad15afc738a551c1af1688357d9cea5520c2374fc91dd3a38f4159fa7f945b68d576458d18c0605a1f72dbb734211680768fea5b1aaf87f31122d7a1af12976640f55848b836b482f778afb2d47f5c077b2b6afce31a8be4c8f949141d54c6eeaf309237ccb973a6b4dd902818025ec4178c7f7c017c46a93fbdb72e2e3b199ae33c9fa6834f81b75b481cd6756124c744c821b126b07ea9852dc58de40cc87f160209d8af3b4bac4862778d3e21cbfdfcdbbfaad8911500f43a43041b88eefb27c66adfffeb9c8add95d1a4ed05f0bd81a4eda79fd4a0885a4a3bad0dcddecf83401c19df721d6cc7163c4125e'
 );
 
 INSERT INTO private_key_identity (
diff --git a/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/strongswan.conf
index 29e2395e8..ab0431b00 100644
--- a/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random x509 hmac xcbc stroke kernel-netlink updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/ipsec.d/data.sql b/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/ipsec.d/data.sql
index fc7af4dec..2e9acf5f6 100644
--- a/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/ipsec.d/data.sql
@@ -15,13 +15,13 @@ INSERT INTO identities (
 INSERT INTO identities (
   type, data
 ) VALUES ( /* keyid of dave@strongswan.org */
-  11, X'f651b7ea33148cc5a76a622f1c1eb16c6bbdea25'
+  11, X'ee7f38daeea1b81a41777f78f2674be8439d8e0e'
  );
 
 INSERT INTO identities (
   type, data
 ) VALUES ( /* keyid of moon.strongswan.org */
-  11, X'd70dbd46d5133519064f12f100525ead0802ca95'
+  11, X'6a9c74d1f8897989f65a94e989f1fac3649d292e'
  );
 
 /* Certificates */
@@ -29,13 +29,13 @@ INSERT INTO identities (
 INSERT INTO certificates (
    type, keytype, data
 ) VALUES ( /* dave@strongswan.org */
-  6, 1, X'30820122300d06092a864886f70d01010105000382010f003082010a0282010100c66c299463a8a78abef5ffa45679b7a070b5139834b146aa5138d0f1d8845412e112e4429ceeab23473e395e8aa38b2c024118d85b7ddf504118eabedf9c793bd02c949d6799cabeefe03ff62e304ddec98313afd966bcf13f1fb1a619548a060e17fbede205225b574e679adc9f11bdf9e36b48bea058d360d62b8445f9524db98757a4d59865363c675d28667a5dfa967dd03eea23a2dbea32ab0e9a1f8bb885f5e12723113843a12dd00552fcd4f548b31174aab2610e4a8752f6fca95494584db65cc7bd1ef50ee0d8c8211efb5063a995801cc0c1a903042b7ff7c94094a0de5d7390a8f72a01949cd958c6f2012692bd5dba6f30b09c3c0b69622864450203010001'
+  6, 1, X'30820122300d06092a864886f70d01010105000382010f003082010a0282010100c007f2536f0558e68345d3ef017a175b73434e797f9b97448e720a5985aea76cc0503b8d63b4e239af95db83db0af65f8360e9d941912c121215643a0af32188fc520413e81645ff8e2e623c9362be1b57649530bf54fdad6563106105ace949d7de2895a4771c237090aaa2567bd7d9b08b2ad09f63f61bba87d7462046e89fa4570cb3c8e4322220a737af48c31cd0ec2140f3723b94742c4a14232e1d409f6b53c18aaa63e693fa5d3d06808e948db8273563d33dbd9ac44ecfd71e60426570885898b3e5538767eaf4ef713719e7fd89b32e4e3f60d972ef1617437d4dba14af4691fb8ec275a78552bae9d8aaf71c3d42aca793ef0ad09e1af353daab750203010001'
 );
 
 INSERT INTO certificates (
    type, keytype, data
 ) VALUES ( /* moon.strongswan.org */
-  6, 1, X'30820122300d06092a864886f70d01010105000382010f003082010a0282010100afae2e109ac0a71b437b6f1a9e5194d085c999fe2c8de11b261f016c88e734eb1a6767b15bc7d8338bf3acc14e8a18bf857fd3dfbce637e9b0d3654f15d9068bdf4450517cf72651be8d4c8ff738ea961b2f5584bf7089afaa0a37b94910d18083bf649a7d395a41f04e68f14494d10ffc7d984a2c81e97f3421c1ec38c629b2456a3d8f3bf3915e86317ea71bb24422bef475e677e8967670b4f6ee2a80a45adcbd086a6537ab5fc12bf69f9072b620020de1880cec6cdea47543d1fec4c5ff547ac2447a1e210d9c128dc3337726eb63d5c1c731aa2c63ce175dbc8ebfb9c1e5198815be473781c3f82c2b59d23deb9739dda53c98d31a3fba57760aeaa89b0203010001'
+  6, 1, X'30820122300d06092a864886f70d01010105000382010f003082010a0282010100ca2f633dd4bbba0586215b15a0312f73f533124f0b339b9ae13bb648b02b4c468e0f01e630fbef92197b7708f5dbffea7e496286966d75acf13bd5e4377a1821d82de102eadf9963b489041a0b0f9f76b79e2150aa39020e3fa52a677dbb879c986291e4f1542fe2f0494e9c5c954d4faa75a17aa7b56652f1b16efbdcb46697f7d0b7f520bc990205365938d2cd31f2beed30e761a56c02d9dc82f0cdefc9d43447b6a98f7628aed2ac127a4a9504838f66e7517e5e0b0672c8165474bce689f73a6fc6e3c72b2c45498ddbbc0b17b04915606fe94f256cc777c42c534560ffbbe5aacdd944cc8db4d2abaf8a294af55b03a6a01a54d78430ab78389753c2870203010001'
 );
 
 INSERT INTO certificate_identity (
@@ -43,7 +43,8 @@ INSERT INTO certificate_identity (
 ) VALUES (
   1, 1
 );
-$INSERT INTO certificate_identity (
+
+INSERT INTO certificate_identity (
   certificate, identity
 ) VALUES (
   1, 3
@@ -66,7 +67,7 @@ INSERT INTO certificate_identity (
 INSERT INTO private_keys (
    type, data
 ) VALUES ( /* key of dave@strongswan.org */
-  1, X'308204a40201000282010100c66c299463a8a78abef5ffa45679b7a070b5139834b146aa5138d0f1d8845412e112e4429ceeab23473e395e8aa38b2c024118d85b7ddf504118eabedf9c793bd02c949d6799cabeefe03ff62e304ddec98313afd966bcf13f1fb1a619548a060e17fbede205225b574e679adc9f11bdf9e36b48bea058d360d62b8445f9524db98757a4d59865363c675d28667a5dfa967dd03eea23a2dbea32ab0e9a1f8bb885f5e12723113843a12dd00552fcd4f548b31174aab2610e4a8752f6fca95494584db65cc7bd1ef50ee0d8c8211efb5063a995801cc0c1a903042b7ff7c94094a0de5d7390a8f72a01949cd958c6f2012692bd5dba6f30b09c3c0b696228644502030100010282010100903fb9caa2d8cd5454974a0e12bfd1fad5750e95ac58e462954194c4fcfed690130844e1186d7a04df9a20e2d62f26d20ba17f8a6a990b6bb0a788a0d2b7527b654fc38adaf2372eaffc7b036178c4639e63a84042f02993c8ac25ddf6b43ad34413b396b0a5c2e05c8c274db1ee025bf5fa9ad7fb9d5e75ed044606974835c7fbc39ae84b80acaae9e9624e6fe8ac0ca318ad8a7d1c6ed3a79261464e6ebdb9c02ef20cb1c206c58718d542ed9cb1428c5c3cebbd58dc25598bbdd9924c75fdfeac881949e5f10a7dd4dc25800bdb4bd479ca0bfb706f25847361b2d2565a412813273691b4a3a5a814dce52cdbe25d626e6c9e000ecd6a75cac275187e265102818100e596d3ee25cd98563b12bf718c0ce7e7a823ae8c84f1021552b6b0bf220b7e012861510ab49d612fe7ba05a202edf4927201af0f33f4137481811f884fc46723f94db8ed69b283376f3141ad7e6f0f52afee60e537111c5bd94642564981a822e54edb6797521fb5870c772993ff517ea9c24adcd9dc502f1364d26a3f05ec4f02818100dd3f81e8a4f463488db2b048f2ef208c1c98ee136636b6449cbd3424c93ab25916908823a1ef3a23b4798c77f92a3e29b9469f8014c6b862e23ab5fe6000f9552de01f72c0a1fcc731b0867a3bf1d27596fc9da6ecd74931ce120b1687d2a67b4e4fb32b7fb750b46645aa38ab011a4d5fedd53d20e5ae3a4a5551b6cc5f5d2b02818100ba744b9954ca2bb59c341596398f21a7593de13bed9b6d7db3b6fac3befa6652ba608e588b6664cf6afa00291b07f5601986948d5c3c14b0c19c03e7c82051433dec890b06941b4ca1d8f6e5d7908a7934b7fba92b9791d86614513b9266e20db4fcdde2bb59ceb6b5fec1a7dab1b7958e786424082a8c542f03ea7eaec038b1028180055e2312b7ddce02d69d3d35a7df3154f4e4a8f2038ad44539e0454197383b5779faabb2e19ce236378cb361bdc3ce9a488a74183168d8d45d54bb519e96a775ef94fe6e544a19cde360bb02802dcfc356946e66bc5c44c456918d7f507045e5bbf2a710291b13742cff07b03445e49377fe572c127e4009ddffcfe9b56fa2dd02818040d41f525d885c951dca35924f46e4e7f4e43f4ea2e670230deb674884f5b8599a368b1647dd87523c4fdb62661f6543edecc9ce48d4a7b8b2a29de21fd438a9cf4823b92c85180b390c4f8dfbc196628d349fed1edd32cba5c063e2739d2153d3677d4815e55b8b4e9d0989b32cf0060de2ded4cd59edf6a4364cb55aff9276'
+  1, X'308204a50201000282010100c007f2536f0558e68345d3ef017a175b73434e797f9b97448e720a5985aea76cc0503b8d63b4e239af95db83db0af65f8360e9d941912c121215643a0af32188fc520413e81645ff8e2e623c9362be1b57649530bf54fdad6563106105ace949d7de2895a4771c237090aaa2567bd7d9b08b2ad09f63f61bba87d7462046e89fa4570cb3c8e4322220a737af48c31cd0ec2140f3723b94742c4a14232e1d409f6b53c18aaa63e693fa5d3d06808e948db8273563d33dbd9ac44ecfd71e60426570885898b3e5538767eaf4ef713719e7fd89b32e4e3f60d972ef1617437d4dba14af4691fb8ec275a78552bae9d8aaf71c3d42aca793ef0ad09e1af353daab750203010001028201010081e2de1d60f294f715c39d5e03f9b8e2ba4bc44099f77b917b67d76845eba48302714256982239021ba99918ce87d3ad3707ce248d1ccc5a4cb0fb61e7161c90b35a2637f0bb600d42f64cabfc64c58168d337b609344b81851a4471db8ce11e794c62d714af1bf13caa1d40408ef3a8e2a8bf04ed4a87a4a9be47f5becf3777d7254cf6ab0ff4f3e109235334796b030a1e03951a0ae64e224b3226a8e99174825eaa877efbc5cde0cd075687a9086f645654bda547f8927433f8eecd9ecfcb9b30ed6ff66bb4e5b7341f9626095798e279338e554045d0ae3ee94a1f10644ad88f10e7e7199923d45d5f8df2283859c3f4c41262426e654a04e895a21bb40102818100ea2e632ed6d314655c64eb6a18d4f492fea379ca091426bd7f381f1cbd7f1f79b73d694b9538ec693b245992f6a2a1b292279db9698eac40e43df3aa83b682ca5ab60ed07d02692e16c65cba91ee9aa9f768db2be9a1e0a213a93651a6886dcd35aa3f116ea73287a39a830cc2779bc02b9c8566c4cf8cd25ce99fa030ab965502818100d1ec351dafa33fff13a64c4a980a6f697735e705c1dc2a410b738210f4c059cd058579e4324d46e5bb0c1e6df4476d1a00206f66cf1be23645db193c69cbd04539f87e2b3f4617046031a1575a16a8e71b998844df2601d9d67958421f75c19943f53857b56a08583320b48a85def15b75c9ac5e4a232363824ab666b60ca0a102818100879dbf8083960fccb75a165f05ec658aaefe7aec3e9fb5e3adc611767263291632c0d4b699bf3261aa875d7c576a4d5bfd7a05c4375611792ef495a4dccc182819aa2f201c15065653882271454bb9b3ce7ca1d8675f80983bec95716990be8dc593471cd048f1614da4905a1650701934e85af4edeb083156ef50aad324bb5502818100814232ca9eb5a4d8499f2266e40bb8e275f708d3b0b502879ea777353d9f9b2bf4f46543affd896437b294a21bc24759b52e43aa4868e0f78e3804e80034f17f4edcc5c397686f0fd0b37ea72cdfbb0ce31fbc9abbd4c95afb0728e33e3fe1ff9faac510acb2278537a631c501fd6f1c6400d45412ce642207be3d662d3ec54102818055a928e09d9801f683ebb625e6ed97396ac1cd55b358d7aa06c8801759c2a51d517de1f88c537f532fea6cf563766d7818dc1de70b48d31c0102cad3562b7bf03a310b631428c22eabdc5555a90a5fc5310660a795d916ba1b57c09587f697d09dc092ac469e71f0e42fc6153c35ffe177898ea1e92aa6f28d3b86bfe30ad58c'
 );
 
 INSERT INTO private_key_identity (
diff --git a/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/strongswan.conf
index 29e2395e8..ab0431b00 100644
--- a/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random x509 hmac xcbc stroke kernel-netlink updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/ipsec.d/data.sql
index bb82bdac2..ee7586925 100644
--- a/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/ipsec.d/data.sql
@@ -27,19 +27,19 @@ INSERT INTO identities (
 INSERT INTO identities (
   type, data
 ) VALUES ( /* keyid of moon.strongswan.org */
-  11, X'd70dbd46d5133519064f12f100525ead0802ca95'
+  11, X'6a9c74d1f8897989f65a94e989f1fac3649d292e'
  );
 
 INSERT INTO identities (
   type, data
 ) VALUES ( /* keyid of carol@strongswan.org */
-  11, X'985c23660cd9b9a7554da6a4aa31ea02230fd482'
+  11, X'1fa1a988d9648cb5a0a2546439b4f23d745d6e7c'
  );
 
 INSERT INTO identities (
   type, data
 ) VALUES ( /* keyid of dave@strongswan.org */
-  11, X'f651b7ea33148cc5a76a622f1c1eb16c6bbdea25'
+  11, X'ee7f38daeea1b81a41777f78f2674be8439d8e0e'
  );
 
 /* Raw RSA public keys */
@@ -47,19 +47,19 @@ INSERT INTO identities (
 INSERT INTO certificates (
    type, keytype, data
 ) VALUES ( /* moon.strongswan.org */
-  6, 1, X'30820122300d06092a864886f70d01010105000382010f003082010a0282010100afae2e109ac0a71b437b6f1a9e5194d085c999fe2c8de11b261f016c88e734eb1a6767b15bc7d8338bf3acc14e8a18bf857fd3dfbce637e9b0d3654f15d9068bdf4450517cf72651be8d4c8ff738ea961b2f5584bf7089afaa0a37b94910d18083bf649a7d395a41f04e68f14494d10ffc7d984a2c81e97f3421c1ec38c629b2456a3d8f3bf3915e86317ea71bb24422bef475e677e8967670b4f6ee2a80a45adcbd086a6537ab5fc12bf69f9072b620020de1880cec6cdea47543d1fec4c5ff547ac2447a1e210d9c128dc3337726eb63d5c1c731aa2c63ce175dbc8ebfb9c1e5198815be473781c3f82c2b59d23deb9739dda53c98d31a3fba57760aeaa89b0203010001'
+  6, 1, X'30820122300d06092a864886f70d01010105000382010f003082010a0282010100ca2f633dd4bbba0586215b15a0312f73f533124f0b339b9ae13bb648b02b4c468e0f01e630fbef92197b7708f5dbffea7e496286966d75acf13bd5e4377a1821d82de102eadf9963b489041a0b0f9f76b79e2150aa39020e3fa52a677dbb879c986291e4f1542fe2f0494e9c5c954d4faa75a17aa7b56652f1b16efbdcb46697f7d0b7f520bc990205365938d2cd31f2beed30e761a56c02d9dc82f0cdefc9d43447b6a98f7628aed2ac127a4a9504838f66e7517e5e0b0672c8165474bce689f73a6fc6e3c72b2c45498ddbbc0b17b04915606fe94f256cc777c42c534560ffbbe5aacdd944cc8db4d2abaf8a294af55b03a6a01a54d78430ab78389753c2870203010001'
 );
 
 INSERT INTO certificates (
    type, keytype, data
 ) VALUES ( /* carol@strongswan.org */
-  6, 1, X'30820122300d06092a864886f70d01010105000382010f003082010a0282010100b81b84920408e086c8d278d3ad2e9ffc01b89e8c423b612b908010f8174ff96f6729e84b185fb96e60783082c507ace9d64f79beb0252e05e5f1f7a89a0b33e6789f5deb665084cb230191c165bcad1a34563e011b349bb6ab517f01ecf7e2f4de961d36203b85e97811cb26b650cfd014d15dd2d2b71efd656e5638a24bf70986b8128bbae5f3b428d6360e03d3f4e816502e3d1d14d7165ab1a92a9fe15ef045d4e48ff5bd798ec80c9420962c9a9798b54a0ed2a00cf2c9651d7d9882e181c1ef6b1c43edcada2fd191e109962dbd26f38a00208c1ac3ed27a5924c60330c79878eb5c7a90960a6472f979aca9c5aee2bb4d0aed395b546c5e361910a06370203010001'
+  6, 1, X'30820122300d06092a864886f70d01010105000382010f003082010a0282010100d05d594f8117bc78972a3ec479ebe1400e53cf72410b93e6f74fa17cf1ea444fb23600bae92d81747e49a2e4407c3f6118033d22a3e67ce69a53907ffad646bfbc3b6abe0bdd9a5080a690dbd919a9a8e70d9694e319e93e5d9361eff9033ac53fc6cd6c95af574c62effbb72c03d41c3b696fc7aa4444483bbaabde555aef8bce0e9797108d11ecf462c66b37f7c2e812f6ab3280a8c05b207156f0e3a787e9c4638205e40ce466716bc35d8623bd99f3cda9c3dee5c8ac19852cff18c405049c7eae735dc393f5209c13946e4f51da030ad7bf31caf58a203eccea2fc79e71d46a06c5dba85d65397a0adfd4cb5a9517fd3dcf17af8ab7584293026b19ad510203010001'
 );
 
 INSERT INTO certificates (
    type, keytype, data
 ) VALUES ( /* dave@strongswan.org */
-  6, 1, X'30820122300d06092a864886f70d01010105000382010f003082010a0282010100c66c299463a8a78abef5ffa45679b7a070b5139834b146aa5138d0f1d8845412e112e4429ceeab23473e395e8aa38b2c024118d85b7ddf504118eabedf9c793bd02c949d6799cabeefe03ff62e304ddec98313afd966bcf13f1fb1a619548a060e17fbede205225b574e679adc9f11bdf9e36b48bea058d360d62b8445f9524db98757a4d59865363c675d28667a5dfa967dd03eea23a2dbea32ab0e9a1f8bb885f5e12723113843a12dd00552fcd4f548b31174aab2610e4a8752f6fca95494584db65cc7bd1ef50ee0d8c8211efb5063a995801cc0c1a903042b7ff7c94094a0de5d7390a8f72a01949cd958c6f2012692bd5dba6f30b09c3c0b69622864450203010001'
+  6, 1, X'30820122300d06092a864886f70d01010105000382010f003082010a0282010100c007f2536f0558e68345d3ef017a175b73434e797f9b97448e720a5985aea76cc0503b8d63b4e239af95db83db0af65f8360e9d941912c121215643a0af32188fc520413e81645ff8e2e623c9362be1b57649530bf54fdad6563106105ace949d7de2895a4771c237090aaa2567bd7d9b08b2ad09f63f61bba87d7462046e89fa4570cb3c8e4322220a737af48c31cd0ec2140f3723b94742c4a14232e1d409f6b53c18aaa63e693fa5d3d06808e948db8273563d33dbd9ac44ecfd71e60426570885898b3e5538767eaf4ef713719e7fd89b32e4e3f60d972ef1617437d4dba14af4691fb8ec275a78552bae9d8aaf71c3d42aca793ef0ad09e1af353daab750203010001'
 );
 
 INSERT INTO certificate_identity (
@@ -103,7 +103,7 @@ INSERT INTO certificate_identity (
 INSERT INTO private_keys (
    type, data
 ) VALUES ( /* key of CN=moon.strongswan.org' */
-  1, X'308204a30201000282010100afae2e109ac0a71b437b6f1a9e5194d085c999fe2c8de11b261f016c88e734eb1a6767b15bc7d8338bf3acc14e8a18bf857fd3dfbce637e9b0d3654f15d9068bdf4450517cf72651be8d4c8ff738ea961b2f5584bf7089afaa0a37b94910d18083bf649a7d395a41f04e68f14494d10ffc7d984a2c81e97f3421c1ec38c629b2456a3d8f3bf3915e86317ea71bb24422bef475e677e8967670b4f6ee2a80a45adcbd086a6537ab5fc12bf69f9072b620020de1880cec6cdea47543d1fec4c5ff547ac2447a1e210d9c128dc3337726eb63d5c1c731aa2c63ce175dbc8ebfb9c1e5198815be473781c3f82c2b59d23deb9739dda53c98d31a3fba57760aeaa89b0203010001028201004080550d67a42036945a377ab072078f5fef9b0885573a34fb941ab3bcb816e7d2f3f050600049d2f3296e5e32f5e50c3c79a852d74a377127a915e329845b30f3b26342e7fcde26d92d8bd4b7d23fdf08f02217f129e2838a8ce1d4b78ce33eaa2095515b74b93cc87c216fa3dc77bdc4d86017ababaf0d3318c9d86f27e29aa3301f6d7990f6f7f71db9de23ac66800ba0db4f42bbe82932ca56e08ba730c63febaf2779198cee387ee0934b32a2610ab990a4b908951bb1db2345cf1905f11aeaa6d1b368b7f82b1345ad14544e11d47d6981fc4be083326050cb950363dad1b28dbc16db42ec0fa973312c7306063bc9f308a6b0bcc965e5cb7e0b323ca102818100e71fffd9c9a528bdcb6e9ad1a5f4b354e3ea337392784aac790b4fba7f46b3b58d55965573f6493b686375cf6a0c68da9379434b055b625f01d64a9f1934cb075b25db5ef568325039674d577590b5ec54284842e04c27c97103a151805c9b620a3df84181e3a0c10752a7da6cac9629471a2bc85b32c3a160f3a8adf2d783d302818100c2968f5baf0d246bb9671b1dcfadab3a23cd6f9f1cba8c4b0d9b09d6c30a24eec174f22a4d9d2818d760b79a61c9cdd1381487723a99773a629b58171a6e28706bf083700f35037a0cb0649c9359987ccf77b44b4b3d94c614c74537c7025b503dc9967095411ecaec4b4427bc39dd5dfccbb8bab5d92e9465ab11e5e05d7319028181008b306e388e837461b89dc786f256c7991c18f31b6ade1eba77bb242cc071a7d0726954bbe9b62cac26559fa165d04b6536e3146f9dae4733c83b717d1705003051e81e90b56226cac18740c0a7009b4ed3efde74c7f7950e6f8d2c1d951c30477ebb8b428822b9b105e3f54a49a0365e6d7f895683f5b273019c3bbd663dfc190281807f5def6e12b1a682407405a2c8ba2356c5f2853a7fa2778bf4d6e364c87b4e5b5d138023427438b7b1da63b35088b808570dd0ee6afee2b4bbb074c382905235ebe11d176f4cc2fed3696e21b2ad358b947d04ed37cd9220e99ed966be0383e38cddf373b3ae514a7fca704d15fe46306bf4a8f0c570e7f5486ae6273269d89902818031055903f23c7db8da8951aad134c83a7ca951c48c9a7b994f36d9815bc82c80527b6da8e4beff9fee67b1fde5064719a40448bd6d70d9da8910122402835a328e74cfd34e8b568c29fae6ff831ef824fc825e609547a06052a4113ec09f00649bb7b7d195a773f11711c88f152b10a1b4ae58bb6d8bfc176e39f96c7c0de5c8'
+  1, X'308204a30201000282010100ca2f633dd4bbba0586215b15a0312f73f533124f0b339b9ae13bb648b02b4c468e0f01e630fbef92197b7708f5dbffea7e496286966d75acf13bd5e4377a1821d82de102eadf9963b489041a0b0f9f76b79e2150aa39020e3fa52a677dbb879c986291e4f1542fe2f0494e9c5c954d4faa75a17aa7b56652f1b16efbdcb46697f7d0b7f520bc990205365938d2cd31f2beed30e761a56c02d9dc82f0cdefc9d43447b6a98f7628aed2ac127a4a9504838f66e7517e5e0b0672c8165474bce689f73a6fc6e3c72b2c45498ddbbc0b17b04915606fe94f256cc777c42c534560ffbbe5aacdd944cc8db4d2abaf8a294af55b03a6a01a54d78430ab78389753c287020301000102820100204507f5ea6a3bfa7db9fd2baa71af3d36b97c0699a71702d5480e83f37a35a65d2e10038975ec7ac90e67a54a785e9432abcbc9e7607913ad3cfb9a7d304381c35b2f3aa3fa242541bf4ca44b77a6dfefd69142aaa886a777890907938dc6cb3b971fea068a854a1747dc0020d6c38c1f8cbec530d747099e01cfd0eb1ceff2b077bd07aaef4989b75594614b16a778891a2e490369d2a9571ddf5cd165331638a8a3c96184a8259eb588caab3bbfab9c0f77b66c830ecf0f294dc1b67a5f36b75e3e095e247864f19ab212fdbf34e0925316ca13c342b4ba464ecf93d2a8e39eee24dd63dddd938101a9f4b8f0de90765e1c1fda5c62e161cc712794aeaea102818100f85d60a6990447926da1ab9db7f094a5d435b11f70c5fef9541a89e05898001190cfdc651b8a23ccbfe8e7bdacd225776f01699d06be5ae5abc4690fe99b81fd9f369e973437fbcba2efdbe1dc6f8389fb2be78e3847f4f05323b2c7b6b6a4c85ca0aa72642747434f4358f0baf10ab173f9c3f24e9674570179dde23c6c248d02818100d06693eb5c92b6d516f630b79b1b98ea3910cbc4c442a4779ce16f5b09825c858ea4dfcc4d33eeb3e4de971a7fa5d2a153e9a83e65f7527ca77b93efc257960eadd8ce5b57e590d9189e542652ae3677c623343a39c1d16dbef3069406eaa4913eeba06e0a3af3c8539dbd4be7d9caf3ccd654ae397ae7faa72ba823e4b0206302818100ef2bc4f249f28415ef7b3bafd33d5b7861e61e9e7f543c18d0340a4840288810625ab90ba8bc9b8305dffca27c75965cf049f4f1a157d862c9c987bf2a2075cacdf2a44049aa0bd16b23fea3ff4a67ea8d351774aea024b0f5ef2fb00134db749336a94d254369edd8bbab3f8f56a60c82f9a807844480de746e6e0cfa50cdd50281807b32d8e93fadc00612eff176e96c14270b1b41cb0dd6f3d17e5dcaedbf9e6041d844e1c4ae33303f0ae307e2f3693d2e8023d68124d863dc2b4aa3f70e25a7210066f5ff0be43b900bbcb5b47e165d3ecb544e70c96a29fbbdf17f870cdbb3f3e585782ef53f4a94b7d1bd715d1be49de20f26ba6462a3370b928470cba5cf4f028180324ffacf705e6746f741d24ff6aa0bb14aad55cba41eb7758e6cc0d51f40feac6b4a459ce374af424287f602b0614520079b436b8e90cde0ddff679304e9efdd74a2ffbfe6e4e1bd1236c360413f2d2656e00b3e3cb217567671bf73a722a222e5e85d109fe2c77caf5951f5b9f4171c744afa717fe7e9306488e6ab87341298'
 );
 
 INSERT INTO private_key_identity (
diff --git a/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/strongswan.conf
index 29e2395e8..ab0431b00 100644
--- a/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random x509 hmac xcbc stroke kernel-netlink updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-rsa/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/rw-rsa/hosts/carol/etc/ipsec.d/data.sql
index 7c7e5e095..bf086ad42 100644
--- a/testing/tests/sql/rw-rsa/hosts/carol/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/rw-rsa/hosts/carol/etc/ipsec.d/data.sql
@@ -15,13 +15,13 @@ INSERT INTO identities (
 INSERT INTO identities (
   type, data
 ) VALUES ( /* keyid of carol@strongswan.org */
-  202, X'985c23660cd9b9a7554da6a4aa31ea02230fd482'
+  11, X'1fa1a988d9648cb5a0a2546439b4f23d745d6e7c'
  );
 
 INSERT INTO identities (
   type, data
 ) VALUES ( /* keyid of moon.strongswan.org */
-  202, X'd70dbd46d5133519064f12f100525ead0802ca95'
+  11, X'6a9c74d1f8897989f65a94e989f1fac3649d292e'
  );
 
 /* Certificates */
@@ -29,13 +29,13 @@ INSERT INTO identities (
 INSERT INTO certificates (
    type, keytype, data
 ) VALUES ( /* carol@strongswan.org */
-  6, 1, X'30820122300d06092a864886f70d01010105000382010f003082010a0282010100b81b84920408e086c8d278d3ad2e9ffc01b89e8c423b612b908010f8174ff96f6729e84b185fb96e60783082c507ace9d64f79beb0252e05e5f1f7a89a0b33e6789f5deb665084cb230191c165bcad1a34563e011b349bb6ab517f01ecf7e2f4de961d36203b85e97811cb26b650cfd014d15dd2d2b71efd656e5638a24bf70986b8128bbae5f3b428d6360e03d3f4e816502e3d1d14d7165ab1a92a9fe15ef045d4e48ff5bd798ec80c9420962c9a9798b54a0ed2a00cf2c9651d7d9882e181c1ef6b1c43edcada2fd191e109962dbd26f38a00208c1ac3ed27a5924c60330c79878eb5c7a90960a6472f979aca9c5aee2bb4d0aed395b546c5e361910a06370203010001'
+  6, 1, X'30820122300d06092a864886f70d01010105000382010f003082010a0282010100d05d594f8117bc78972a3ec479ebe1400e53cf72410b93e6f74fa17cf1ea444fb23600bae92d81747e49a2e4407c3f6118033d22a3e67ce69a53907ffad646bfbc3b6abe0bdd9a5080a690dbd919a9a8e70d9694e319e93e5d9361eff9033ac53fc6cd6c95af574c62effbb72c03d41c3b696fc7aa4444483bbaabde555aef8bce0e9797108d11ecf462c66b37f7c2e812f6ab3280a8c05b207156f0e3a787e9c4638205e40ce466716bc35d8623bd99f3cda9c3dee5c8ac19852cff18c405049c7eae735dc393f5209c13946e4f51da030ad7bf31caf58a203eccea2fc79e71d46a06c5dba85d65397a0adfd4cb5a9517fd3dcf17af8ab7584293026b19ad510203010001'
 );
 
 INSERT INTO certificates (
    type, keytype, data
 ) VALUES ( /* moon.strongswan.org */
-  6, 1, X'30820122300d06092a864886f70d01010105000382010f003082010a0282010100afae2e109ac0a71b437b6f1a9e5194d085c999fe2c8de11b261f016c88e734eb1a6767b15bc7d8338bf3acc14e8a18bf857fd3dfbce637e9b0d3654f15d9068bdf4450517cf72651be8d4c8ff738ea961b2f5584bf7089afaa0a37b94910d18083bf649a7d395a41f04e68f14494d10ffc7d984a2c81e97f3421c1ec38c629b2456a3d8f3bf3915e86317ea71bb24422bef475e677e8967670b4f6ee2a80a45adcbd086a6537ab5fc12bf69f9072b620020de1880cec6cdea47543d1fec4c5ff547ac2447a1e210d9c128dc3337726eb63d5c1c731aa2c63ce175dbc8ebfb9c1e5198815be473781c3f82c2b59d23deb9739dda53c98d31a3fba57760aeaa89b0203010001'
+  6, 1, X'30820122300d06092a864886f70d01010105000382010f003082010a0282010100ca2f633dd4bbba0586215b15a0312f73f533124f0b339b9ae13bb648b02b4c468e0f01e630fbef92197b7708f5dbffea7e496286966d75acf13bd5e4377a1821d82de102eadf9963b489041a0b0f9f76b79e2150aa39020e3fa52a677dbb879c986291e4f1542fe2f0494e9c5c954d4faa75a17aa7b56652f1b16efbdcb46697f7d0b7f520bc990205365938d2cd31f2beed30e761a56c02d9dc82f0cdefc9d43447b6a98f7628aed2ac127a4a9504838f66e7517e5e0b0672c8165474bce689f73a6fc6e3c72b2c45498ddbbc0b17b04915606fe94f256cc777c42c534560ffbbe5aacdd944cc8db4d2abaf8a294af55b03a6a01a54d78430ab78389753c2870203010001'
 );
 
 INSERT INTO certificate_identity (
@@ -67,7 +67,7 @@ INSERT INTO certificate_identity (
 INSERT INTO private_keys (
    type, data
 ) VALUES ( /* key of carol@strongswan.org' */
-  1, X'308204a30201000282010100b81b84920408e086c8d278d3ad2e9ffc01b89e8c423b612b908010f8174ff96f6729e84b185fb96e60783082c507ace9d64f79beb0252e05e5f1f7a89a0b33e6789f5deb665084cb230191c165bcad1a34563e011b349bb6ab517f01ecf7e2f4de961d36203b85e97811cb26b650cfd014d15dd2d2b71efd656e5638a24bf70986b8128bbae5f3b428d6360e03d3f4e816502e3d1d14d7165ab1a92a9fe15ef045d4e48ff5bd798ec80c9420962c9a9798b54a0ed2a00cf2c9651d7d9882e181c1ef6b1c43edcada2fd191e109962dbd26f38a00208c1ac3ed27a5924c60330c79878eb5c7a90960a6472f979aca9c5aee2bb4d0aed395b546c5e361910a063702030100010282010100a7870abc1f85c061858dd7baae24f61947abaa41f0e6bd85f9c83f28b175e980d0bc168f76cf6c199f18def3afbc4b40c0edb2d7accb3834cfc7bd57234d3c5de4b707ac737ea3478144255079761581f9cbdc41ff72809ad90ba069ad2ae7cf7057e29ee4f7a4e40c890c75de826c8768da16e9072af0bd1db6282902ade34cb1b9c3fdd00a8f0330328e18d477009ac5a43952fe05b7257b8b4e7f8f5288e858ef56ea3a031980d38b879e6327d949a8f3c19bf379c1297b3defc0a374a6ea6f1c0e8124247c33392ae446081f486f58bb41cbcba25915d37eefe0828408f7f679841588424ef59b6dee30805b926fa80e7ff57cb4817167ca72bf51c8cf9102818100da567b0cbbc426e4455ffdd1b8013644d9f47785b05b163a0155c81d57c0cd84fe73aa75125caf116de50b7adc369707ed91127db7d4422bb08cff5ddf91f4a0e5fb264e098fe6fe62f8a2ab933eeac41893f365d8165f79143855b5a5b7dc31c9b34a9d453ee7c8d7b24f89e3ed51bfeadc2e1102308a967b241dfb44c8ad6902818100d7dd78437c533a15fd1dd6b0634334e79c31d215017f5a8869e42cbada3fb09167585e087e72f91575441f7cca9a64246df57f0e45f1ae86a289a4307586aa1cc3cd069c65057cc3b0baac3634064e53179bde9af2531a5af2770a1d7ccbdc263f18299ad2ec0d224b718002633a546af74c7cac72ccdf253ab4370137bf829f02818063b2f5c15cc43716296fa9d167fa75b37eeb18e0dd24dac365f4abca6a55ca031ec5e6624b1e337afbf9890273282253267206458df9c8b5768b0bd8ebcc142e9c95d069f607d5ecf7789d9f473f85a841a8dd8df5dc518052715f01f14841ae22725271fa3abd5082de135fddca7277f660d05047f5ae73048bfb7ccf6deb7102818028b2b4ade48ebc70d0dc03521624e1a0992e3b71826ac462dbb40d4add430cc31d3ce7ddaa197b24b48b37748bae381b363006d8660f7edc1b60dff7d2f0a4b9efa0841290694c7088ad69327ef48167e1179e0c908b6278ab260e5e28dd36906f6cdacb39e10f48dbf8762dfd0f4e432c84db2c98285019f0cb7163656351f902818042a7d7d7f9416b3f3b50cf5815dfbc249cd3572e494c76d1ae99dc1e8bc63fbb32e5c18d5c4f90681e9046999cdcf0826f904350b9d67227f606382d9c7b3b1332d22744b2cefa691ab82dbec8e976a406b0902d0f4889392f80d39e2581ac42feed9085964650485e34811b04fa1f34c47cde5cbdd1d20f30111851a3c187ca'
+  1, X'308204a40201000282010100d05d594f8117bc78972a3ec479ebe1400e53cf72410b93e6f74fa17cf1ea444fb23600bae92d81747e49a2e4407c3f6118033d22a3e67ce69a53907ffad646bfbc3b6abe0bdd9a5080a690dbd919a9a8e70d9694e319e93e5d9361eff9033ac53fc6cd6c95af574c62effbb72c03d41c3b696fc7aa4444483bbaabde555aef8bce0e9797108d11ecf462c66b37f7c2e812f6ab3280a8c05b207156f0e3a787e9c4638205e40ce466716bc35d8623bd99f3cda9c3dee5c8ac19852cff18c405049c7eae735dc393f5209c13946e4f51da030ad7bf31caf58a203eccea2fc79e71d46a06c5dba85d65397a0adfd4cb5a9517fd3dcf17af8ab7584293026b19ad51020301000102820101008a86f560a12fd9b2c6b5646395b757db116b7108c1ebe399f3a43275f213d0f4b743a5fa9e1a0dee1823f6b30f984b3ecf0b20330e8aa7515d1adf7fe6915d1a0e17e6a0911cf4823ef5fe6adb8c6f3a86da86d9579f1b6dc622bd4320e79fc411e1a72360e4e1023ce8d60df2aa5cf3a420361ba5bc9b34f6d8e578fc8067aef457ff2a5a91f7c7c8a4f242cc46ab1cff18d6d1a4d8b82b5791df1f18a04b8cb2da235c3a795900fa7ffbbcb4b1d079a504673794eeca5e75c8c16ad2558965453515f57180b8dc518710aa874cd3bcdeddf109d5b553c27a351437f9c1bcdf8940f3ff8632dd59f6c8e01107b4bbf49c6c5409b6e9ecb29eada333800fa5d102818100f5537045d067df4d786df67e1cfea01ce3ca6de3f06be48efd8b4dc48c1ec19a711003875ee202343c851c8f970d2160a2e4d1108da6437af6bccfae803f61fc450582a89aa0906cba65fc7033aa584c1a2a17e96b2f368951aedaa5261f6e1c14999cfa7f4c4091890eff281cb4e6f37209f4b6d5778607caeca0a15137746d02818100d96e379ba5b4ed604d84a7ed71678a1f23391b749a697289bd3bee5d17985af89264f5ec35d3e37b1e44d6fdafec8a78ae199e0bb680f59f9800bb894ba5b31ee964f3ddc142f361835cf49a1edb75330f44f33c26c56e0752ae3fe0df760838b6437b99a131cb544d64da996baf3bc3f5709cc75f134b048cdebbf8bed1a5f502818017e2d8e2a34909cff432d8b62cc289fa661f7695a3fa0d55f2cfd67195a704f8b19b7a8c7aab8cc563431ea5c87249d6abe595898411352ecac9557b4b1760c5fc3e6e1b567addb5086d17a8210fabeb34fcf6390eeb98e6c3e23f7da6f99671fb7b7d725264ad40be548c796e5a1ac6874afaddb6691dceb26e59b17b43e7fd02818100ac90cb559f089fb56510b9eebba8bf78c30dd9fa8b6ad15afc738a551c1af1688357d9cea5520c2374fc91dd3a38f4159fa7f945b68d576458d18c0605a1f72dbb734211680768fea5b1aaf87f31122d7a1af12976640f55848b836b482f778afb2d47f5c077b2b6afce31a8be4c8f949141d54c6eeaf309237ccb973a6b4dd902818025ec4178c7f7c017c46a93fbdb72e2e3b199ae33c9fa6834f81b75b481cd6756124c744c821b126b07ea9852dc58de40cc87f160209d8af3b4bac4862778d3e21cbfdfcdbbfaad8911500f43a43041b88eefb27c66adfffeb9c8add95d1a4ed05f0bd81a4eda79fd4a0885a4a3bad0dcddecf83401c19df721d6cc7163c4125e'
 );
 
 INSERT INTO private_key_identity (
diff --git a/testing/tests/sql/rw-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-rsa/hosts/carol/etc/strongswan.conf
index 29e2395e8..ab0431b00 100644
--- a/testing/tests/sql/rw-rsa/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/rw-rsa/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random x509 hmac xcbc stroke kernel-netlink updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-rsa/hosts/dave/etc/ipsec.d/data.sql b/testing/tests/sql/rw-rsa/hosts/dave/etc/ipsec.d/data.sql
index 9e7d6d5a3..cbd2ae2e0 100644
--- a/testing/tests/sql/rw-rsa/hosts/dave/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/rw-rsa/hosts/dave/etc/ipsec.d/data.sql
@@ -15,13 +15,13 @@ INSERT INTO identities (
 INSERT INTO identities (
   type, data
 ) VALUES ( /* keyid of dave@strongswan.org */
-  202, X'f651b7ea33148cc5a76a622f1c1eb16c6bbdea25'
+  11, X'ee7f38daeea1b81a41777f78f2674be8439d8e0e'
  );
 
 INSERT INTO identities (
   type, data
 ) VALUES ( /* keyid of moon.strongswan.org */
-  202, X'd70dbd46d5133519064f12f100525ead0802ca95'
+  11, X'6a9c74d1f8897989f65a94e989f1fac3649d292e'
  );
 
 /* Certificates */
@@ -29,13 +29,13 @@ INSERT INTO identities (
 INSERT INTO certificates (
    type, keytype, data
 ) VALUES ( /* dave@strongswan.org */
-  6, 1, X'30820122300d06092a864886f70d01010105000382010f003082010a0282010100c66c299463a8a78abef5ffa45679b7a070b5139834b146aa5138d0f1d8845412e112e4429ceeab23473e395e8aa38b2c024118d85b7ddf504118eabedf9c793bd02c949d6799cabeefe03ff62e304ddec98313afd966bcf13f1fb1a619548a060e17fbede205225b574e679adc9f11bdf9e36b48bea058d360d62b8445f9524db98757a4d59865363c675d28667a5dfa967dd03eea23a2dbea32ab0e9a1f8bb885f5e12723113843a12dd00552fcd4f548b31174aab2610e4a8752f6fca95494584db65cc7bd1ef50ee0d8c8211efb5063a995801cc0c1a903042b7ff7c94094a0de5d7390a8f72a01949cd958c6f2012692bd5dba6f30b09c3c0b69622864450203010001'
+  6, 1, X'30820122300d06092a864886f70d01010105000382010f003082010a0282010100c007f2536f0558e68345d3ef017a175b73434e797f9b97448e720a5985aea76cc0503b8d63b4e239af95db83db0af65f8360e9d941912c121215643a0af32188fc520413e81645ff8e2e623c9362be1b57649530bf54fdad6563106105ace949d7de2895a4771c237090aaa2567bd7d9b08b2ad09f63f61bba87d7462046e89fa4570cb3c8e4322220a737af48c31cd0ec2140f3723b94742c4a14232e1d409f6b53c18aaa63e693fa5d3d06808e948db8273563d33dbd9ac44ecfd71e60426570885898b3e5538767eaf4ef713719e7fd89b32e4e3f60d972ef1617437d4dba14af4691fb8ec275a78552bae9d8aaf71c3d42aca793ef0ad09e1af353daab750203010001'
 );
 
 INSERT INTO certificates (
    type, keytype, data
 ) VALUES ( /* moon.strongswan.org */
-  6, 1, X'30820122300d06092a864886f70d01010105000382010f003082010a0282010100afae2e109ac0a71b437b6f1a9e5194d085c999fe2c8de11b261f016c88e734eb1a6767b15bc7d8338bf3acc14e8a18bf857fd3dfbce637e9b0d3654f15d9068bdf4450517cf72651be8d4c8ff738ea961b2f5584bf7089afaa0a37b94910d18083bf649a7d395a41f04e68f14494d10ffc7d984a2c81e97f3421c1ec38c629b2456a3d8f3bf3915e86317ea71bb24422bef475e677e8967670b4f6ee2a80a45adcbd086a6537ab5fc12bf69f9072b620020de1880cec6cdea47543d1fec4c5ff547ac2447a1e210d9c128dc3337726eb63d5c1c731aa2c63ce175dbc8ebfb9c1e5198815be473781c3f82c2b59d23deb9739dda53c98d31a3fba57760aeaa89b0203010001'
+  6, 1, X'30820122300d06092a864886f70d01010105000382010f003082010a0282010100ca2f633dd4bbba0586215b15a0312f73f533124f0b339b9ae13bb648b02b4c468e0f01e630fbef92197b7708f5dbffea7e496286966d75acf13bd5e4377a1821d82de102eadf9963b489041a0b0f9f76b79e2150aa39020e3fa52a677dbb879c986291e4f1542fe2f0494e9c5c954d4faa75a17aa7b56652f1b16efbdcb46697f7d0b7f520bc990205365938d2cd31f2beed30e761a56c02d9dc82f0cdefc9d43447b6a98f7628aed2ac127a4a9504838f66e7517e5e0b0672c8165474bce689f73a6fc6e3c72b2c45498ddbbc0b17b04915606fe94f256cc777c42c534560ffbbe5aacdd944cc8db4d2abaf8a294af55b03a6a01a54d78430ab78389753c2870203010001'
 );
 
 INSERT INTO certificate_identity (
@@ -66,7 +66,7 @@ INSERT INTO certificate_identity (
 INSERT INTO private_keys (
    type, data
 ) VALUES ( /* key of dave@strongswan.org */
-  1, X'308204a40201000282010100c66c299463a8a78abef5ffa45679b7a070b5139834b146aa5138d0f1d8845412e112e4429ceeab23473e395e8aa38b2c024118d85b7ddf504118eabedf9c793bd02c949d6799cabeefe03ff62e304ddec98313afd966bcf13f1fb1a619548a060e17fbede205225b574e679adc9f11bdf9e36b48bea058d360d62b8445f9524db98757a4d59865363c675d28667a5dfa967dd03eea23a2dbea32ab0e9a1f8bb885f5e12723113843a12dd00552fcd4f548b31174aab2610e4a8752f6fca95494584db65cc7bd1ef50ee0d8c8211efb5063a995801cc0c1a903042b7ff7c94094a0de5d7390a8f72a01949cd958c6f2012692bd5dba6f30b09c3c0b696228644502030100010282010100903fb9caa2d8cd5454974a0e12bfd1fad5750e95ac58e462954194c4fcfed690130844e1186d7a04df9a20e2d62f26d20ba17f8a6a990b6bb0a788a0d2b7527b654fc38adaf2372eaffc7b036178c4639e63a84042f02993c8ac25ddf6b43ad34413b396b0a5c2e05c8c274db1ee025bf5fa9ad7fb9d5e75ed044606974835c7fbc39ae84b80acaae9e9624e6fe8ac0ca318ad8a7d1c6ed3a79261464e6ebdb9c02ef20cb1c206c58718d542ed9cb1428c5c3cebbd58dc25598bbdd9924c75fdfeac881949e5f10a7dd4dc25800bdb4bd479ca0bfb706f25847361b2d2565a412813273691b4a3a5a814dce52cdbe25d626e6c9e000ecd6a75cac275187e265102818100e596d3ee25cd98563b12bf718c0ce7e7a823ae8c84f1021552b6b0bf220b7e012861510ab49d612fe7ba05a202edf4927201af0f33f4137481811f884fc46723f94db8ed69b283376f3141ad7e6f0f52afee60e537111c5bd94642564981a822e54edb6797521fb5870c772993ff517ea9c24adcd9dc502f1364d26a3f05ec4f02818100dd3f81e8a4f463488db2b048f2ef208c1c98ee136636b6449cbd3424c93ab25916908823a1ef3a23b4798c77f92a3e29b9469f8014c6b862e23ab5fe6000f9552de01f72c0a1fcc731b0867a3bf1d27596fc9da6ecd74931ce120b1687d2a67b4e4fb32b7fb750b46645aa38ab011a4d5fedd53d20e5ae3a4a5551b6cc5f5d2b02818100ba744b9954ca2bb59c341596398f21a7593de13bed9b6d7db3b6fac3befa6652ba608e588b6664cf6afa00291b07f5601986948d5c3c14b0c19c03e7c82051433dec890b06941b4ca1d8f6e5d7908a7934b7fba92b9791d86614513b9266e20db4fcdde2bb59ceb6b5fec1a7dab1b7958e786424082a8c542f03ea7eaec038b1028180055e2312b7ddce02d69d3d35a7df3154f4e4a8f2038ad44539e0454197383b5779faabb2e19ce236378cb361bdc3ce9a488a74183168d8d45d54bb519e96a775ef94fe6e544a19cde360bb02802dcfc356946e66bc5c44c456918d7f507045e5bbf2a710291b13742cff07b03445e49377fe572c127e4009ddffcfe9b56fa2dd02818040d41f525d885c951dca35924f46e4e7f4e43f4ea2e670230deb674884f5b8599a368b1647dd87523c4fdb62661f6543edecc9ce48d4a7b8b2a29de21fd438a9cf4823b92c85180b390c4f8dfbc196628d349fed1edd32cba5c063e2739d2153d3677d4815e55b8b4e9d0989b32cf0060de2ded4cd59edf6a4364cb55aff9276'
+  1, X'308204a50201000282010100c007f2536f0558e68345d3ef017a175b73434e797f9b97448e720a5985aea76cc0503b8d63b4e239af95db83db0af65f8360e9d941912c121215643a0af32188fc520413e81645ff8e2e623c9362be1b57649530bf54fdad6563106105ace949d7de2895a4771c237090aaa2567bd7d9b08b2ad09f63f61bba87d7462046e89fa4570cb3c8e4322220a737af48c31cd0ec2140f3723b94742c4a14232e1d409f6b53c18aaa63e693fa5d3d06808e948db8273563d33dbd9ac44ecfd71e60426570885898b3e5538767eaf4ef713719e7fd89b32e4e3f60d972ef1617437d4dba14af4691fb8ec275a78552bae9d8aaf71c3d42aca793ef0ad09e1af353daab750203010001028201010081e2de1d60f294f715c39d5e03f9b8e2ba4bc44099f77b917b67d76845eba48302714256982239021ba99918ce87d3ad3707ce248d1ccc5a4cb0fb61e7161c90b35a2637f0bb600d42f64cabfc64c58168d337b609344b81851a4471db8ce11e794c62d714af1bf13caa1d40408ef3a8e2a8bf04ed4a87a4a9be47f5becf3777d7254cf6ab0ff4f3e109235334796b030a1e03951a0ae64e224b3226a8e99174825eaa877efbc5cde0cd075687a9086f645654bda547f8927433f8eecd9ecfcb9b30ed6ff66bb4e5b7341f9626095798e279338e554045d0ae3ee94a1f10644ad88f10e7e7199923d45d5f8df2283859c3f4c41262426e654a04e895a21bb40102818100ea2e632ed6d314655c64eb6a18d4f492fea379ca091426bd7f381f1cbd7f1f79b73d694b9538ec693b245992f6a2a1b292279db9698eac40e43df3aa83b682ca5ab60ed07d02692e16c65cba91ee9aa9f768db2be9a1e0a213a93651a6886dcd35aa3f116ea73287a39a830cc2779bc02b9c8566c4cf8cd25ce99fa030ab965502818100d1ec351dafa33fff13a64c4a980a6f697735e705c1dc2a410b738210f4c059cd058579e4324d46e5bb0c1e6df4476d1a00206f66cf1be23645db193c69cbd04539f87e2b3f4617046031a1575a16a8e71b998844df2601d9d67958421f75c19943f53857b56a08583320b48a85def15b75c9ac5e4a232363824ab666b60ca0a102818100879dbf8083960fccb75a165f05ec658aaefe7aec3e9fb5e3adc611767263291632c0d4b699bf3261aa875d7c576a4d5bfd7a05c4375611792ef495a4dccc182819aa2f201c15065653882271454bb9b3ce7ca1d8675f80983bec95716990be8dc593471cd048f1614da4905a1650701934e85af4edeb083156ef50aad324bb5502818100814232ca9eb5a4d8499f2266e40bb8e275f708d3b0b502879ea777353d9f9b2bf4f46543affd896437b294a21bc24759b52e43aa4868e0f78e3804e80034f17f4edcc5c397686f0fd0b37ea72cdfbb0ce31fbc9abbd4c95afb0728e33e3fe1ff9faac510acb2278537a631c501fd6f1c6400d45412ce642207be3d662d3ec54102818055a928e09d9801f683ebb625e6ed97396ac1cd55b358d7aa06c8801759c2a51d517de1f88c537f532fea6cf563766d7818dc1de70b48d31c0102cad3562b7bf03a310b631428c22eabdc5555a90a5fc5310660a795d916ba1b57c09587f697d09dc092ac469e71f0e42fc6153c35ffe177898ea1e92aa6f28d3b86bfe30ad58c'
 );
 
 INSERT INTO private_key_identity (
diff --git a/testing/tests/sql/rw-rsa/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-rsa/hosts/dave/etc/strongswan.conf
index 29e2395e8..ab0431b00 100644
--- a/testing/tests/sql/rw-rsa/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/rw-rsa/hosts/dave/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random x509 hmac xcbc stroke kernel-netlink updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-rsa/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/rw-rsa/hosts/moon/etc/ipsec.d/data.sql
index 95dbc6e3d..545708e67 100644
--- a/testing/tests/sql/rw-rsa/hosts/moon/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/rw-rsa/hosts/moon/etc/ipsec.d/data.sql
@@ -27,19 +27,19 @@ INSERT INTO identities (
 INSERT INTO identities (
   type, data
 ) VALUES ( /* keyid of moon.strongswan.org */
-  202, X'd70dbd46d5133519064f12f100525ead0802ca95'
+  11, X'6a9c74d1f8897989f65a94e989f1fac3649d292e'
  );
 
 INSERT INTO identities (
   type, data
 ) VALUES ( /* keyid of carol@strongswan.org */
-  202, X'985c23660cd9b9a7554da6a4aa31ea02230fd482'
+  11, X'1fa1a988d9648cb5a0a2546439b4f23d745d6e7c'
  );
 
 INSERT INTO identities (
   type, data
 ) VALUES ( /* keyid of dave@strongswan.org */
-  202, X'f651b7ea33148cc5a76a622f1c1eb16c6bbdea25'
+  11, X'ee7f38daeea1b81a41777f78f2674be8439d8e0e'
  );
 
 /* Raw RSA public keys */
@@ -47,19 +47,19 @@ INSERT INTO identities (
 INSERT INTO certificates (
    type, keytype, data
 ) VALUES ( /* moon.strongswan.org */
-  6, 1, X'30820122300d06092a864886f70d01010105000382010f003082010a0282010100afae2e109ac0a71b437b6f1a9e5194d085c999fe2c8de11b261f016c88e734eb1a6767b15bc7d8338bf3acc14e8a18bf857fd3dfbce637e9b0d3654f15d9068bdf4450517cf72651be8d4c8ff738ea961b2f5584bf7089afaa0a37b94910d18083bf649a7d395a41f04e68f14494d10ffc7d984a2c81e97f3421c1ec38c629b2456a3d8f3bf3915e86317ea71bb24422bef475e677e8967670b4f6ee2a80a45adcbd086a6537ab5fc12bf69f9072b620020de1880cec6cdea47543d1fec4c5ff547ac2447a1e210d9c128dc3337726eb63d5c1c731aa2c63ce175dbc8ebfb9c1e5198815be473781c3f82c2b59d23deb9739dda53c98d31a3fba57760aeaa89b0203010001'
+  6, 1, X'30820122300d06092a864886f70d01010105000382010f003082010a0282010100ca2f633dd4bbba0586215b15a0312f73f533124f0b339b9ae13bb648b02b4c468e0f01e630fbef92197b7708f5dbffea7e496286966d75acf13bd5e4377a1821d82de102eadf9963b489041a0b0f9f76b79e2150aa39020e3fa52a677dbb879c986291e4f1542fe2f0494e9c5c954d4faa75a17aa7b56652f1b16efbdcb46697f7d0b7f520bc990205365938d2cd31f2beed30e761a56c02d9dc82f0cdefc9d43447b6a98f7628aed2ac127a4a9504838f66e7517e5e0b0672c8165474bce689f73a6fc6e3c72b2c45498ddbbc0b17b04915606fe94f256cc777c42c534560ffbbe5aacdd944cc8db4d2abaf8a294af55b03a6a01a54d78430ab78389753c2870203010001'
 );
 
 INSERT INTO certificates (
    type, keytype, data
 ) VALUES ( /* carol@strongswan.org */
-  6, 1, X'30820122300d06092a864886f70d01010105000382010f003082010a0282010100b81b84920408e086c8d278d3ad2e9ffc01b89e8c423b612b908010f8174ff96f6729e84b185fb96e60783082c507ace9d64f79beb0252e05e5f1f7a89a0b33e6789f5deb665084cb230191c165bcad1a34563e011b349bb6ab517f01ecf7e2f4de961d36203b85e97811cb26b650cfd014d15dd2d2b71efd656e5638a24bf70986b8128bbae5f3b428d6360e03d3f4e816502e3d1d14d7165ab1a92a9fe15ef045d4e48ff5bd798ec80c9420962c9a9798b54a0ed2a00cf2c9651d7d9882e181c1ef6b1c43edcada2fd191e109962dbd26f38a00208c1ac3ed27a5924c60330c79878eb5c7a90960a6472f979aca9c5aee2bb4d0aed395b546c5e361910a06370203010001'
+  6, 1, X'30820122300d06092a864886f70d01010105000382010f003082010a0282010100d05d594f8117bc78972a3ec479ebe1400e53cf72410b93e6f74fa17cf1ea444fb23600bae92d81747e49a2e4407c3f6118033d22a3e67ce69a53907ffad646bfbc3b6abe0bdd9a5080a690dbd919a9a8e70d9694e319e93e5d9361eff9033ac53fc6cd6c95af574c62effbb72c03d41c3b696fc7aa4444483bbaabde555aef8bce0e9797108d11ecf462c66b37f7c2e812f6ab3280a8c05b207156f0e3a787e9c4638205e40ce466716bc35d8623bd99f3cda9c3dee5c8ac19852cff18c405049c7eae735dc393f5209c13946e4f51da030ad7bf31caf58a203eccea2fc79e71d46a06c5dba85d65397a0adfd4cb5a9517fd3dcf17af8ab7584293026b19ad510203010001'
 );
 
 INSERT INTO certificates (
    type, keytype, data
 ) VALUES ( /* dave@strongswan.org */
-  6, 1, X'30820122300d06092a864886f70d01010105000382010f003082010a0282010100c66c299463a8a78abef5ffa45679b7a070b5139834b146aa5138d0f1d8845412e112e4429ceeab23473e395e8aa38b2c024118d85b7ddf504118eabedf9c793bd02c949d6799cabeefe03ff62e304ddec98313afd966bcf13f1fb1a619548a060e17fbede205225b574e679adc9f11bdf9e36b48bea058d360d62b8445f9524db98757a4d59865363c675d28667a5dfa967dd03eea23a2dbea32ab0e9a1f8bb885f5e12723113843a12dd00552fcd4f548b31174aab2610e4a8752f6fca95494584db65cc7bd1ef50ee0d8c8211efb5063a995801cc0c1a903042b7ff7c94094a0de5d7390a8f72a01949cd958c6f2012692bd5dba6f30b09c3c0b69622864450203010001'
+  6, 1, X'30820122300d06092a864886f70d01010105000382010f003082010a0282010100c007f2536f0558e68345d3ef017a175b73434e797f9b97448e720a5985aea76cc0503b8d63b4e239af95db83db0af65f8360e9d941912c121215643a0af32188fc520413e81645ff8e2e623c9362be1b57649530bf54fdad6563106105ace949d7de2895a4771c237090aaa2567bd7d9b08b2ad09f63f61bba87d7462046e89fa4570cb3c8e4322220a737af48c31cd0ec2140f3723b94742c4a14232e1d409f6b53c18aaa63e693fa5d3d06808e948db8273563d33dbd9ac44ecfd71e60426570885898b3e5538767eaf4ef713719e7fd89b32e4e3f60d972ef1617437d4dba14af4691fb8ec275a78552bae9d8aaf71c3d42aca793ef0ad09e1af353daab750203010001'
 );
 
 INSERT INTO certificate_identity (
@@ -103,7 +103,7 @@ INSERT INTO certificate_identity (
 INSERT INTO private_keys (
    type, data
 ) VALUES ( /* key of CN=moon.strongswan.org' */
-  1, X'308204a30201000282010100afae2e109ac0a71b437b6f1a9e5194d085c999fe2c8de11b261f016c88e734eb1a6767b15bc7d8338bf3acc14e8a18bf857fd3dfbce637e9b0d3654f15d9068bdf4450517cf72651be8d4c8ff738ea961b2f5584bf7089afaa0a37b94910d18083bf649a7d395a41f04e68f14494d10ffc7d984a2c81e97f3421c1ec38c629b2456a3d8f3bf3915e86317ea71bb24422bef475e677e8967670b4f6ee2a80a45adcbd086a6537ab5fc12bf69f9072b620020de1880cec6cdea47543d1fec4c5ff547ac2447a1e210d9c128dc3337726eb63d5c1c731aa2c63ce175dbc8ebfb9c1e5198815be473781c3f82c2b59d23deb9739dda53c98d31a3fba57760aeaa89b0203010001028201004080550d67a42036945a377ab072078f5fef9b0885573a34fb941ab3bcb816e7d2f3f050600049d2f3296e5e32f5e50c3c79a852d74a377127a915e329845b30f3b26342e7fcde26d92d8bd4b7d23fdf08f02217f129e2838a8ce1d4b78ce33eaa2095515b74b93cc87c216fa3dc77bdc4d86017ababaf0d3318c9d86f27e29aa3301f6d7990f6f7f71db9de23ac66800ba0db4f42bbe82932ca56e08ba730c63febaf2779198cee387ee0934b32a2610ab990a4b908951bb1db2345cf1905f11aeaa6d1b368b7f82b1345ad14544e11d47d6981fc4be083326050cb950363dad1b28dbc16db42ec0fa973312c7306063bc9f308a6b0bcc965e5cb7e0b323ca102818100e71fffd9c9a528bdcb6e9ad1a5f4b354e3ea337392784aac790b4fba7f46b3b58d55965573f6493b686375cf6a0c68da9379434b055b625f01d64a9f1934cb075b25db5ef568325039674d577590b5ec54284842e04c27c97103a151805c9b620a3df84181e3a0c10752a7da6cac9629471a2bc85b32c3a160f3a8adf2d783d302818100c2968f5baf0d246bb9671b1dcfadab3a23cd6f9f1cba8c4b0d9b09d6c30a24eec174f22a4d9d2818d760b79a61c9cdd1381487723a99773a629b58171a6e28706bf083700f35037a0cb0649c9359987ccf77b44b4b3d94c614c74537c7025b503dc9967095411ecaec4b4427bc39dd5dfccbb8bab5d92e9465ab11e5e05d7319028181008b306e388e837461b89dc786f256c7991c18f31b6ade1eba77bb242cc071a7d0726954bbe9b62cac26559fa165d04b6536e3146f9dae4733c83b717d1705003051e81e90b56226cac18740c0a7009b4ed3efde74c7f7950e6f8d2c1d951c30477ebb8b428822b9b105e3f54a49a0365e6d7f895683f5b273019c3bbd663dfc190281807f5def6e12b1a682407405a2c8ba2356c5f2853a7fa2778bf4d6e364c87b4e5b5d138023427438b7b1da63b35088b808570dd0ee6afee2b4bbb074c382905235ebe11d176f4cc2fed3696e21b2ad358b947d04ed37cd9220e99ed966be0383e38cddf373b3ae514a7fca704d15fe46306bf4a8f0c570e7f5486ae6273269d89902818031055903f23c7db8da8951aad134c83a7ca951c48c9a7b994f36d9815bc82c80527b6da8e4beff9fee67b1fde5064719a40448bd6d70d9da8910122402835a328e74cfd34e8b568c29fae6ff831ef824fc825e609547a06052a4113ec09f00649bb7b7d195a773f11711c88f152b10a1b4ae58bb6d8bfc176e39f96c7c0de5c8'
+  1, X'308204a30201000282010100ca2f633dd4bbba0586215b15a0312f73f533124f0b339b9ae13bb648b02b4c468e0f01e630fbef92197b7708f5dbffea7e496286966d75acf13bd5e4377a1821d82de102eadf9963b489041a0b0f9f76b79e2150aa39020e3fa52a677dbb879c986291e4f1542fe2f0494e9c5c954d4faa75a17aa7b56652f1b16efbdcb46697f7d0b7f520bc990205365938d2cd31f2beed30e761a56c02d9dc82f0cdefc9d43447b6a98f7628aed2ac127a4a9504838f66e7517e5e0b0672c8165474bce689f73a6fc6e3c72b2c45498ddbbc0b17b04915606fe94f256cc777c42c534560ffbbe5aacdd944cc8db4d2abaf8a294af55b03a6a01a54d78430ab78389753c287020301000102820100204507f5ea6a3bfa7db9fd2baa71af3d36b97c0699a71702d5480e83f37a35a65d2e10038975ec7ac90e67a54a785e9432abcbc9e7607913ad3cfb9a7d304381c35b2f3aa3fa242541bf4ca44b77a6dfefd69142aaa886a777890907938dc6cb3b971fea068a854a1747dc0020d6c38c1f8cbec530d747099e01cfd0eb1ceff2b077bd07aaef4989b75594614b16a778891a2e490369d2a9571ddf5cd165331638a8a3c96184a8259eb588caab3bbfab9c0f77b66c830ecf0f294dc1b67a5f36b75e3e095e247864f19ab212fdbf34e0925316ca13c342b4ba464ecf93d2a8e39eee24dd63dddd938101a9f4b8f0de90765e1c1fda5c62e161cc712794aeaea102818100f85d60a6990447926da1ab9db7f094a5d435b11f70c5fef9541a89e05898001190cfdc651b8a23ccbfe8e7bdacd225776f01699d06be5ae5abc4690fe99b81fd9f369e973437fbcba2efdbe1dc6f8389fb2be78e3847f4f05323b2c7b6b6a4c85ca0aa72642747434f4358f0baf10ab173f9c3f24e9674570179dde23c6c248d02818100d06693eb5c92b6d516f630b79b1b98ea3910cbc4c442a4779ce16f5b09825c858ea4dfcc4d33eeb3e4de971a7fa5d2a153e9a83e65f7527ca77b93efc257960eadd8ce5b57e590d9189e542652ae3677c623343a39c1d16dbef3069406eaa4913eeba06e0a3af3c8539dbd4be7d9caf3ccd654ae397ae7faa72ba823e4b0206302818100ef2bc4f249f28415ef7b3bafd33d5b7861e61e9e7f543c18d0340a4840288810625ab90ba8bc9b8305dffca27c75965cf049f4f1a157d862c9c987bf2a2075cacdf2a44049aa0bd16b23fea3ff4a67ea8d351774aea024b0f5ef2fb00134db749336a94d254369edd8bbab3f8f56a60c82f9a807844480de746e6e0cfa50cdd50281807b32d8e93fadc00612eff176e96c14270b1b41cb0dd6f3d17e5dcaedbf9e6041d844e1c4ae33303f0ae307e2f3693d2e8023d68124d863dc2b4aa3f70e25a7210066f5ff0be43b900bbcb5b47e165d3ecb544e70c96a29fbbdf17f870cdbb3f3e585782ef53f4a94b7d1bd715d1be49de20f26ba6462a3370b928470cba5cf4f028180324ffacf705e6746f741d24ff6aa0bb14aad55cba41eb7758e6cc0d51f40feac6b4a459ce374af424287f602b0614520079b436b8e90cde0ddff679304e9efdd74a2ffbfe6e4e1bd1236c360413f2d2656e00b3e3cb217567671bf73a722a222e5e85d109fe2c77caf5951f5b9f4171c744afa717fe7e9306488e6ab87341298'
 );
 
 INSERT INTO private_key_identity (
diff --git a/testing/tests/sql/rw-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-rsa/hosts/moon/etc/strongswan.conf
index 29e2395e8..ab0431b00 100644
--- a/testing/tests/sql/rw-rsa/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/rw-rsa/hosts/moon/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random x509 hmac xcbc stroke kernel-netlink updown sqlite sql
 }
-- 
cgit v1.2.3


From 1ac70afcc1f7d6d2738a34308810719b0976d29f Mon Sep 17 00:00:00 2001
From: Rene Mayrhofer <rene@mayrhofer.eu.org>
Date: Tue, 25 May 2010 19:01:36 +0000
Subject: [svn-upgrade] Integrating new upstream version, strongswan (4.4.0)

---
 Android.mk                                         |   64 +
 Android.mk.in                                      |   64 +
 Doxyfile.in                                        |    3 +-
 Makefile.am                                        |    9 +-
 Makefile.in                                        |   26 +-
 NEWS                                               |   49 +
 configure                                          |  818 +++++-
 configure.in                                       |  155 +-
 m4/macros/enable-disable.m4                        |   12 +-
 scripts/Makefile.am                                |    4 +
 scripts/Makefile.in                                |    5 +
 scripts/dh_speed.c                                 |   29 +-
 src/Makefile.am                                    |    8 +-
 src/Makefile.in                                    |   36 +-
 src/_copyright/Makefile.in                         |    1 +
 src/_updown/Makefile.in                            |    1 +
 src/_updown_espmark/Makefile.in                    |    1 +
 src/charon/Android.mk                              |   27 +
 src/charon/Makefile.am                             |  281 +-
 src/charon/Makefile.in                             | 2158 +---------------
 src/charon/bus/bus.c                               |  753 ------
 src/charon/bus/bus.h                               |  338 ---
 src/charon/bus/listeners/file_logger.c             |  125 -
 src/charon/bus/listeners/file_logger.h             |   60 -
 src/charon/bus/listeners/listener.h                |  178 --
 src/charon/bus/listeners/sys_logger.c              |  121 -
 src/charon/bus/listeners/sys_logger.h              |   62 -
 src/charon/charon.c                                |  417 +++
 src/charon/config/auth_cfg.c                       |  768 ------
 src/charon/config/auth_cfg.h                       |  201 --
 src/charon/config/backend.h                        |   83 -
 src/charon/config/backend_manager.c                |  444 ----
 src/charon/config/backend_manager.h                |  114 -
 src/charon/config/child_cfg.c                      |  552 ----
 src/charon/config/child_cfg.h                      |  310 ---
 src/charon/config/ike_cfg.c                        |  286 ---
 src/charon/config/ike_cfg.h                        |  145 --
 src/charon/config/peer_cfg.c                       |  699 -----
 src/charon/config/peer_cfg.h                       |  358 ---
 src/charon/config/proposal.c                       |  945 -------
 src/charon/config/proposal.h                       |  226 --
 src/charon/control/controller.c                    |  455 ----
 src/charon/control/controller.h                    |  140 -
 src/charon/credentials/credential_manager.c        | 1681 ------------
 src/charon/credentials/credential_manager.h        |  203 --
 src/charon/credentials/credential_set.h            |  108 -
 src/charon/credentials/sets/auth_cfg_wrapper.c     |  223 --
 src/charon/credentials/sets/auth_cfg_wrapper.h     |   53 -
 src/charon/credentials/sets/cert_cache.c           |  390 ---
 src/charon/credentials/sets/cert_cache.h           |   71 -
 .../credentials/sets/ocsp_response_wrapper.c       |  147 --
 .../credentials/sets/ocsp_response_wrapper.h       |   53 -
 src/charon/daemon.c                                |  807 ------
 src/charon/daemon.h                                |  326 ---
 src/charon/encoding/generator.c                    |  888 -------
 src/charon/encoding/generator.h                    |   85 -
 src/charon/encoding/message.c                      | 1726 -------------
 src/charon/encoding/message.h                      |  359 ---
 src/charon/encoding/parser.c                       |  862 -------
 src/charon/encoding/parser.h                       |   79 -
 src/charon/encoding/payloads/auth_payload.c        |  259 --
 src/charon/encoding/payloads/auth_payload.h        |  102 -
 src/charon/encoding/payloads/cert_payload.c        |  340 ---
 src/charon/encoding/payloads/cert_payload.h        |  137 -
 src/charon/encoding/payloads/certreq_payload.c     |  298 ---
 src/charon/encoding/payloads/certreq_payload.h     |   90 -
 .../encoding/payloads/configuration_attribute.c    |  264 --
 .../encoding/payloads/configuration_attribute.h    |   85 -
 src/charon/encoding/payloads/cp_payload.c          |  273 --
 src/charon/encoding/payloads/cp_payload.h          |  108 -
 src/charon/encoding/payloads/delete_payload.c      |  292 ---
 src/charon/encoding/payloads/delete_payload.h      |   84 -
 src/charon/encoding/payloads/eap_payload.c         |  302 ---
 src/charon/encoding/payloads/eap_payload.h         |  129 -
 src/charon/encoding/payloads/encodings.c           |   58 -
 src/charon/encoding/payloads/encodings.h           |  515 ----
 src/charon/encoding/payloads/encryption_payload.c  |  619 -----
 src/charon/encoding/payloads/encryption_payload.h  |  173 --
 src/charon/encoding/payloads/endpoint_notify.c     |  422 ----
 src/charon/encoding/payloads/endpoint_notify.h     |  173 --
 src/charon/encoding/payloads/id_payload.c          |  293 ---
 src/charon/encoding/payloads/id_payload.h          |  122 -
 src/charon/encoding/payloads/ike_header.c          |  415 ---
 src/charon/encoding/payloads/ike_header.h          |  227 --
 src/charon/encoding/payloads/ke_payload.c          |  270 --
 src/charon/encoding/payloads/ke_payload.h          |  104 -
 src/charon/encoding/payloads/nonce_payload.c       |  225 --
 src/charon/encoding/payloads/nonce_payload.h       |   78 -
 src/charon/encoding/payloads/notify_payload.c      |  617 -----
 src/charon/encoding/payloads/notify_payload.h      |  232 --
 src/charon/encoding/payloads/payload.c             |  184 --
 src/charon/encoding/payloads/payload.h             |  272 --
 .../encoding/payloads/proposal_substructure.c      |  598 -----
 .../encoding/payloads/proposal_substructure.h      |  173 --
 src/charon/encoding/payloads/sa_payload.c          |  368 ---
 src/charon/encoding/payloads/sa_payload.h          |  115 -
 .../payloads/traffic_selector_substructure.c       |  276 --
 .../payloads/traffic_selector_substructure.h       |  151 --
 src/charon/encoding/payloads/transform_attribute.c |  325 ---
 src/charon/encoding/payloads/transform_attribute.h |  132 -
 .../encoding/payloads/transform_substructure.c     |  402 ---
 .../encoding/payloads/transform_substructure.h     |  174 --
 src/charon/encoding/payloads/ts_payload.c          |  334 ---
 src/charon/encoding/payloads/ts_payload.h          |  127 -
 src/charon/encoding/payloads/unknown_payload.c     |  201 --
 src/charon/encoding/payloads/unknown_payload.h     |   79 -
 src/charon/encoding/payloads/vendor_id_payload.c   |  195 --
 src/charon/encoding/payloads/vendor_id_payload.h   |   70 -
 src/charon/kernel/kernel_interface.c               |  430 ----
 src/charon/kernel/kernel_interface.h               |  389 ---
 src/charon/kernel/kernel_ipsec.c                   |   29 -
 src/charon/kernel/kernel_ipsec.h                   |  273 --
 src/charon/kernel/kernel_net.h                     |  143 --
 src/charon/network/packet.c                        |  159 --
 src/charon/network/packet.h                        |  115 -
 src/charon/network/receiver.c                      |  389 ---
 src/charon/network/receiver.h                      |   70 -
 src/charon/network/sender.c                        |  153 --
 src/charon/network/sender.h                        |   62 -
 src/charon/network/socket-raw.c                    |  761 ------
 src/charon/network/socket.c                        |  685 -----
 src/charon/network/socket.h                        |  102 -
 src/charon/plugins/attr/Makefile.am                |    9 -
 src/charon/plugins/attr/Makefile.in                |  569 -----
 src/charon/plugins/attr/attr_plugin.c              |   63 -
 src/charon/plugins/attr/attr_plugin.h              |   47 -
 src/charon/plugins/attr/attr_provider.c            |  236 --
 src/charon/plugins/attr/attr_provider.h            |   49 -
 src/charon/plugins/eap_aka/Makefile.am             |   14 -
 src/charon/plugins/eap_aka/Makefile.in             |  577 -----
 src/charon/plugins/eap_aka/eap_aka_peer.c          |  583 -----
 src/charon/plugins/eap_aka/eap_aka_peer.h          |   49 -
 src/charon/plugins/eap_aka/eap_aka_plugin.c        |   51 -
 src/charon/plugins/eap_aka/eap_aka_plugin.h        |   50 -
 src/charon/plugins/eap_aka/eap_aka_server.c        |  700 -----
 src/charon/plugins/eap_aka/eap_aka_server.h        |   49 -
 src/charon/plugins/eap_aka_3gpp2/Makefile.am       |   15 -
 src/charon/plugins/eap_aka_3gpp2/Makefile.in       |  579 -----
 .../plugins/eap_aka_3gpp2/eap_aka_3gpp2_card.c     |  178 --
 .../plugins/eap_aka_3gpp2/eap_aka_3gpp2_card.h     |   53 -
 .../eap_aka_3gpp2/eap_aka_3gpp2_functions.c        |  394 ---
 .../eap_aka_3gpp2/eap_aka_3gpp2_functions.h        |  125 -
 .../plugins/eap_aka_3gpp2/eap_aka_3gpp2_plugin.c   |   87 -
 .../plugins/eap_aka_3gpp2/eap_aka_3gpp2_plugin.h   |   62 -
 .../plugins/eap_aka_3gpp2/eap_aka_3gpp2_provider.c |  204 --
 .../plugins/eap_aka_3gpp2/eap_aka_3gpp2_provider.h |   52 -
 src/charon/plugins/eap_gtc/Makefile.am             |   10 -
 src/charon/plugins/eap_gtc/Makefile.in             |  568 -----
 src/charon/plugins/eap_gtc/eap_gtc.c               |  327 ---
 src/charon/plugins/eap_gtc/eap_gtc.h               |   60 -
 src/charon/plugins/eap_gtc/eap_gtc_plugin.c        |   56 -
 src/charon/plugins/eap_gtc/eap_gtc_plugin.h        |   47 -
 src/charon/plugins/eap_identity/Makefile.am        |   10 -
 src/charon/plugins/eap_identity/Makefile.in        |  572 -----
 src/charon/plugins/eap_identity/eap_identity.c     |  218 --
 src/charon/plugins/eap_identity/eap_identity.h     |   59 -
 .../plugins/eap_identity/eap_identity_plugin.c     |   50 -
 .../plugins/eap_identity/eap_identity_plugin.h     |   47 -
 src/charon/plugins/eap_md5/Makefile.am             |   10 -
 src/charon/plugins/eap_md5/Makefile.in             |  568 -----
 src/charon/plugins/eap_md5/eap_md5.c               |  303 ---
 src/charon/plugins/eap_md5/eap_md5.h               |   57 -
 src/charon/plugins/eap_md5/eap_md5_plugin.c        |   50 -
 src/charon/plugins/eap_md5/eap_md5_plugin.h        |   47 -
 src/charon/plugins/eap_mschapv2/Makefile.am        |   12 -
 src/charon/plugins/eap_mschapv2/Makefile.in        |  573 -----
 src/charon/plugins/eap_mschapv2/eap_mschapv2.c     | 1233 ---------
 src/charon/plugins/eap_mschapv2/eap_mschapv2.h     |   57 -
 .../plugins/eap_mschapv2/eap_mschapv2_plugin.c     |   50 -
 .../plugins/eap_mschapv2/eap_mschapv2_plugin.h     |   47 -
 src/charon/plugins/eap_radius/Makefile.am          |   14 -
 src/charon/plugins/eap_radius/Makefile.in          |  577 -----
 src/charon/plugins/eap_radius/eap_radius.c         |  312 ---
 src/charon/plugins/eap_radius/eap_radius.h         |   48 -
 src/charon/plugins/eap_radius/eap_radius_plugin.c  |   54 -
 src/charon/plugins/eap_radius/eap_radius_plugin.h  |   50 -
 src/charon/plugins/eap_radius/radius_client.c      |  495 ----
 src/charon/plugins/eap_radius/radius_client.h      |   88 -
 src/charon/plugins/eap_radius/radius_message.c     |  476 ----
 src/charon/plugins/eap_radius/radius_message.h     |  276 --
 src/charon/plugins/eap_sim/Makefile.am             |   14 -
 src/charon/plugins/eap_sim/Makefile.in             |  577 -----
 src/charon/plugins/eap_sim/eap_sim_peer.c          |  654 -----
 src/charon/plugins/eap_sim/eap_sim_peer.h          |   57 -
 src/charon/plugins/eap_sim/eap_sim_plugin.c        |   51 -
 src/charon/plugins/eap_sim/eap_sim_plugin.h        |   47 -
 src/charon/plugins/eap_sim/eap_sim_server.c        |  611 -----
 src/charon/plugins/eap_sim/eap_sim_server.h        |   57 -
 src/charon/plugins/eap_sim_file/Makefile.am        |   14 -
 src/charon/plugins/eap_sim_file/Makefile.in        |  578 -----
 .../plugins/eap_sim_file/eap_sim_file_card.c       |  107 -
 .../plugins/eap_sim_file/eap_sim_file_card.h       |   53 -
 .../plugins/eap_sim_file/eap_sim_file_plugin.c     |   90 -
 .../plugins/eap_sim_file/eap_sim_file_plugin.h     |   47 -
 .../plugins/eap_sim_file/eap_sim_file_provider.c   |   93 -
 .../plugins/eap_sim_file/eap_sim_file_provider.h   |   50 -
 .../plugins/eap_sim_file/eap_sim_file_triplets.c   |  260 --
 .../plugins/eap_sim_file/eap_sim_file_triplets.h   |   56 -
 .../plugins/eap_simaka_pseudonym/Makefile.am       |   13 -
 .../plugins/eap_simaka_pseudonym/Makefile.in       |  577 -----
 .../eap_simaka_pseudonym_card.c                    |  154 --
 .../eap_simaka_pseudonym_card.h                    |   49 -
 .../eap_simaka_pseudonym_plugin.c                  |   81 -
 .../eap_simaka_pseudonym_plugin.h                  |   47 -
 .../eap_simaka_pseudonym_provider.c                |  182 --
 .../eap_simaka_pseudonym_provider.h                |   49 -
 src/charon/plugins/eap_simaka_reauth/Makefile.am   |   13 -
 src/charon/plugins/eap_simaka_reauth/Makefile.in   |  576 -----
 .../eap_simaka_reauth/eap_simaka_reauth_card.c     |  170 --
 .../eap_simaka_reauth/eap_simaka_reauth_card.h     |   49 -
 .../eap_simaka_reauth/eap_simaka_reauth_plugin.c   |   79 -
 .../eap_simaka_reauth/eap_simaka_reauth_plugin.h   |   47 -
 .../eap_simaka_reauth/eap_simaka_reauth_provider.c |  209 --
 .../eap_simaka_reauth/eap_simaka_reauth_provider.h |   49 -
 src/charon/plugins/kernel_klips/Makefile.am        |   10 -
 src/charon/plugins/kernel_klips/Makefile.in        |  572 -----
 .../plugins/kernel_klips/kernel_klips_ipsec.c      | 2671 --------------------
 .../plugins/kernel_klips/kernel_klips_ipsec.h      |   46 -
 .../plugins/kernel_klips/kernel_klips_plugin.c     |   56 -
 .../plugins/kernel_klips/kernel_klips_plugin.h     |   47 -
 src/charon/plugins/kernel_klips/pfkeyv2.h          |  322 ---
 src/charon/plugins/kernel_netlink/Makefile.am      |   13 -
 src/charon/plugins/kernel_netlink/Makefile.in      |  579 -----
 .../plugins/kernel_netlink/kernel_netlink_ipsec.c  | 2069 ---------------
 .../plugins/kernel_netlink/kernel_netlink_ipsec.h  |   46 -
 .../plugins/kernel_netlink/kernel_netlink_net.c    | 1424 -----------
 .../plugins/kernel_netlink/kernel_netlink_net.h    |   46 -
 .../plugins/kernel_netlink/kernel_netlink_plugin.c |   59 -
 .../plugins/kernel_netlink/kernel_netlink_plugin.h |   47 -
 .../plugins/kernel_netlink/kernel_netlink_shared.c |  298 ---
 .../plugins/kernel_netlink/kernel_netlink_shared.h |   77 -
 src/charon/plugins/kernel_pfkey/Makefile.am        |   10 -
 src/charon/plugins/kernel_pfkey/Makefile.in        |  572 -----
 .../plugins/kernel_pfkey/kernel_pfkey_ipsec.c      | 2215 ----------------
 .../plugins/kernel_pfkey/kernel_pfkey_ipsec.h      |   46 -
 .../plugins/kernel_pfkey/kernel_pfkey_plugin.c     |   56 -
 .../plugins/kernel_pfkey/kernel_pfkey_plugin.h     |   47 -
 src/charon/plugins/kernel_pfroute/Makefile.am      |   10 -
 src/charon/plugins/kernel_pfroute/Makefile.in      |  572 -----
 .../plugins/kernel_pfroute/kernel_pfroute_net.c    |  712 ------
 .../plugins/kernel_pfroute/kernel_pfroute_net.h    |   46 -
 .../plugins/kernel_pfroute/kernel_pfroute_plugin.c |   58 -
 .../plugins/kernel_pfroute/kernel_pfroute_plugin.h |   47 -
 src/charon/plugins/load_tester/Makefile.am         |   17 -
 src/charon/plugins/load_tester/Makefile.in         |  583 -----
 .../plugins/load_tester/load_tester_config.c       |  316 ---
 .../plugins/load_tester/load_tester_config.h       |   51 -
 src/charon/plugins/load_tester/load_tester_creds.c |  313 ---
 src/charon/plugins/load_tester/load_tester_creds.h |   51 -
 .../load_tester/load_tester_diffie_hellman.c       |   67 -
 .../load_tester/load_tester_diffie_hellman.h       |   48 -
 src/charon/plugins/load_tester/load_tester_ipsec.c |  176 --
 src/charon/plugins/load_tester/load_tester_ipsec.h |   46 -
 .../plugins/load_tester/load_tester_listener.c     |  102 -
 .../plugins/load_tester/load_tester_listener.h     |   52 -
 .../plugins/load_tester/load_tester_plugin.c       |  230 --
 .../plugins/load_tester/load_tester_plugin.h       |   49 -
 src/charon/plugins/medcli/Makefile.am              |   12 -
 src/charon/plugins/medcli/Makefile.in              |  575 -----
 src/charon/plugins/medcli/medcli_config.c          |  405 ---
 src/charon/plugins/medcli/medcli_config.h          |   53 -
 src/charon/plugins/medcli/medcli_creds.c           |  243 --
 src/charon/plugins/medcli/medcli_creds.h           |   53 -
 src/charon/plugins/medcli/medcli_listener.c        |  133 -
 src/charon/plugins/medcli/medcli_listener.h        |   53 -
 src/charon/plugins/medcli/medcli_plugin.c          |  109 -
 src/charon/plugins/medcli/medcli_plugin.h          |   47 -
 src/charon/plugins/medsrv/Makefile.am              |   11 -
 src/charon/plugins/medsrv/Makefile.in              |  573 -----
 src/charon/plugins/medsrv/medsrv_config.c          |  153 --
 src/charon/plugins/medsrv/medsrv_config.h          |   53 -
 src/charon/plugins/medsrv/medsrv_creds.c           |  163 --
 src/charon/plugins/medsrv/medsrv_creds.h           |   53 -
 src/charon/plugins/medsrv/medsrv_plugin.c          |   99 -
 src/charon/plugins/medsrv/medsrv_plugin.h          |   47 -
 src/charon/plugins/nm/Makefile.am                  |   14 -
 src/charon/plugins/nm/Makefile.in                  |  579 -----
 src/charon/plugins/nm/nm_creds.c                   |  447 ----
 src/charon/plugins/nm/nm_creds.h                   |   85 -
 src/charon/plugins/nm/nm_handler.c                 |  193 --
 src/charon/plugins/nm/nm_handler.h                 |   62 -
 src/charon/plugins/nm/nm_plugin.c                  |  129 -
 src/charon/plugins/nm/nm_plugin.h                  |   47 -
 src/charon/plugins/nm/nm_service.c                 |  628 -----
 src/charon/plugins/nm/nm_service.h                 |   55 -
 src/charon/plugins/resolve/Makefile.am             |   13 -
 src/charon/plugins/resolve/Makefile.in             |  574 -----
 src/charon/plugins/resolve/resolve_handler.c       |  251 --
 src/charon/plugins/resolve/resolve_handler.h       |   49 -
 src/charon/plugins/resolve/resolve_plugin.c        |   62 -
 src/charon/plugins/resolve/resolve_plugin.h        |   47 -
 src/charon/plugins/smp/Makefile.am                 |   10 -
 src/charon/plugins/smp/Makefile.in                 |  568 -----
 src/charon/plugins/smp/smp.c                       |  768 ------
 src/charon/plugins/smp/smp.h                       |   50 -
 src/charon/plugins/sql/Makefile.am                 |   12 -
 src/charon/plugins/sql/Makefile.in                 |  575 -----
 src/charon/plugins/sql/sql_config.c                |  534 ----
 src/charon/plugins/sql/sql_config.h                |   53 -
 src/charon/plugins/sql/sql_cred.c                  |  365 ---
 src/charon/plugins/sql/sql_cred.h                  |   53 -
 src/charon/plugins/sql/sql_logger.c                |  145 --
 src/charon/plugins/sql/sql_logger.h                |   53 -
 src/charon/plugins/sql/sql_plugin.c                |  107 -
 src/charon/plugins/sql/sql_plugin.h                |   47 -
 src/charon/plugins/stroke/Makefile.am              |   22 -
 src/charon/plugins/stroke/Makefile.in              |  590 -----
 src/charon/plugins/stroke/stroke_attribute.c       |  546 ----
 src/charon/plugins/stroke/stroke_attribute.h       |   86 -
 src/charon/plugins/stroke/stroke_ca.c              |  458 ----
 src/charon/plugins/stroke/stroke_ca.h              |   80 -
 src/charon/plugins/stroke/stroke_config.c          |  949 -------
 src/charon/plugins/stroke/stroke_config.h          |   66 -
 src/charon/plugins/stroke/stroke_control.c         |  491 ----
 src/charon/plugins/stroke/stroke_control.h         |   88 -
 src/charon/plugins/stroke/stroke_cred.c            | 1174 ---------
 src/charon/plugins/stroke/stroke_cred.h            |   84 -
 src/charon/plugins/stroke/stroke_list.c            | 1230 ---------
 src/charon/plugins/stroke/stroke_list.h            |   74 -
 src/charon/plugins/stroke/stroke_plugin.c          |   65 -
 src/charon/plugins/stroke/stroke_plugin.h          |   50 -
 src/charon/plugins/stroke/stroke_shared_key.c      |  140 -
 src/charon/plugins/stroke/stroke_shared_key.h      |   60 -
 src/charon/plugins/stroke/stroke_socket.c          |  670 -----
 src/charon/plugins/stroke/stroke_socket.h          |   42 -
 src/charon/plugins/uci/Makefile.am                 |   14 -
 src/charon/plugins/uci/Makefile.in                 |  576 -----
 src/charon/plugins/uci/uci_config.c                |  359 ---
 src/charon/plugins/uci/uci_config.h                |   55 -
 src/charon/plugins/uci/uci_control.c               |  301 ---
 src/charon/plugins/uci/uci_control.h               |   42 -
 src/charon/plugins/uci/uci_creds.c                 |  174 --
 src/charon/plugins/uci/uci_creds.h                 |   55 -
 src/charon/plugins/uci/uci_parser.c                |  186 --
 src/charon/plugins/uci/uci_parser.h                |   59 -
 src/charon/plugins/uci/uci_plugin.c                |   93 -
 src/charon/plugins/uci/uci_plugin.h                |   48 -
 src/charon/plugins/unit_tester/Makefile.am         |   24 -
 src/charon/plugins/unit_tester/Makefile.in         |  690 -----
 src/charon/plugins/unit_tester/tests.h             |   43 -
 src/charon/plugins/unit_tester/tests/test_agent.c  |   67 -
 .../plugins/unit_tester/tests/test_auth_info.c     |  140 -
 src/charon/plugins/unit_tester/tests/test_cert.c   |  108 -
 src/charon/plugins/unit_tester/tests/test_chunk.c  |   82 -
 src/charon/plugins/unit_tester/tests/test_curl.c   |   44 -
 .../plugins/unit_tester/tests/test_enumerator.c    |  306 ---
 src/charon/plugins/unit_tester/tests/test_id.c     |  249 --
 src/charon/plugins/unit_tester/tests/test_med_db.c |   54 -
 src/charon/plugins/unit_tester/tests/test_mutex.c  |  100 -
 src/charon/plugins/unit_tester/tests/test_mysql.c  |   89 -
 src/charon/plugins/unit_tester/tests/test_pool.c   |   93 -
 .../plugins/unit_tester/tests/test_rsa_gen.c       |  120 -
 src/charon/plugins/unit_tester/tests/test_sqlite.c |   93 -
 src/charon/plugins/unit_tester/unit_tester.c       |  116 -
 src/charon/plugins/unit_tester/unit_tester.h       |   49 -
 src/charon/plugins/updown/Makefile.am              |   12 -
 src/charon/plugins/updown/Makefile.in              |  572 -----
 src/charon/plugins/updown/updown_listener.c        |  294 ---
 src/charon/plugins/updown/updown_listener.h        |   49 -
 src/charon/plugins/updown/updown_plugin.c          |   63 -
 src/charon/plugins/updown/updown_plugin.h          |   47 -
 src/charon/processing/jobs/acquire_job.c           |   86 -
 src/charon/processing/jobs/acquire_job.h           |   54 -
 src/charon/processing/jobs/callback_job.c          |  267 --
 src/charon/processing/jobs/callback_job.h          |  118 -
 src/charon/processing/jobs/delete_child_sa_job.c   |  100 -
 src/charon/processing/jobs/delete_child_sa_job.h   |   59 -
 src/charon/processing/jobs/delete_ike_sa_job.c     |  116 -
 src/charon/processing/jobs/delete_ike_sa_job.h     |   57 -
 src/charon/processing/jobs/inactivity_job.c        |  150 --
 src/charon/processing/jobs/inactivity_job.h        |   53 -
 .../processing/jobs/initiate_mediation_job.c       |  271 --
 .../processing/jobs/initiate_mediation_job.h       |   62 -
 src/charon/processing/jobs/job.h                   |   52 -
 src/charon/processing/jobs/mediation_job.c         |  195 --
 src/charon/processing/jobs/mediation_job.h         |   74 -
 src/charon/processing/jobs/migrate_job.c           |  150 --
 src/charon/processing/jobs/migrate_job.h           |   61 -
 src/charon/processing/jobs/process_message_job.c   |  106 -
 src/charon/processing/jobs/process_message_job.h   |   49 -
 src/charon/processing/jobs/rekey_child_sa_job.c    |   97 -
 src/charon/processing/jobs/rekey_child_sa_job.h    |   57 -
 src/charon/processing/jobs/rekey_ike_sa_job.c      |  104 -
 src/charon/processing/jobs/rekey_ike_sa_job.h      |   51 -
 src/charon/processing/jobs/retransmit_job.c        |   93 -
 src/charon/processing/jobs/retransmit_job.h        |   55 -
 src/charon/processing/jobs/roam_job.c              |  106 -
 src/charon/processing/jobs/roam_job.h              |   52 -
 src/charon/processing/jobs/send_dpd_job.c          |   88 -
 src/charon/processing/jobs/send_dpd_job.h          |   52 -
 src/charon/processing/jobs/send_keepalive_job.c    |   82 -
 src/charon/processing/jobs/send_keepalive_job.h    |   51 -
 src/charon/processing/jobs/update_sa_job.c         |   96 -
 src/charon/processing/jobs/update_sa_job.h         |   50 -
 src/charon/processing/processor.c                  |  273 --
 src/charon/processing/processor.h                  |   94 -
 src/charon/processing/scheduler.c                  |  358 ---
 src/charon/processing/scheduler.h                  |  130 -
 src/charon/sa/authenticators/authenticator.c       |  100 -
 src/charon/sa/authenticators/authenticator.h       |  178 --
 src/charon/sa/authenticators/eap/eap_manager.c     |  170 --
 src/charon/sa/authenticators/eap/eap_manager.h     |   82 -
 src/charon/sa/authenticators/eap/eap_method.c      |  107 -
 src/charon/sa/authenticators/eap/eap_method.h      |  205 --
 src/charon/sa/authenticators/eap/sim_manager.c     |  541 ----
 src/charon/sa/authenticators/eap/sim_manager.h     |  515 ----
 src/charon/sa/authenticators/eap_authenticator.c   |  705 ------
 src/charon/sa/authenticators/eap_authenticator.h   |   98 -
 src/charon/sa/authenticators/psk_authenticator.c   |  201 --
 src/charon/sa/authenticators/psk_authenticator.h   |   61 -
 .../sa/authenticators/pubkey_authenticator.c       |  265 --
 .../sa/authenticators/pubkey_authenticator.h       |   62 -
 src/charon/sa/child_sa.c                           | 1015 --------
 src/charon/sa/child_sa.h                           |  337 ---
 src/charon/sa/connect_manager.c                    | 1623 ------------
 src/charon/sa/connect_manager.h                    |  126 -
 src/charon/sa/ike_sa.c                             | 2192 ----------------
 src/charon/sa/ike_sa.h                             |  913 -------
 src/charon/sa/ike_sa_id.c                          |  179 --
 src/charon/sa/ike_sa_id.h                          |  126 -
 src/charon/sa/ike_sa_manager.c                     | 1741 -------------
 src/charon/sa/ike_sa_manager.h                     |  220 --
 src/charon/sa/keymat.c                             |  616 -----
 src/charon/sa/keymat.h                             |  163 --
 src/charon/sa/mediation_manager.c                  |  341 ---
 src/charon/sa/mediation_manager.h                  |   90 -
 src/charon/sa/task_manager.c                       | 1082 --------
 src/charon/sa/task_manager.h                       |  173 --
 src/charon/sa/tasks/child_create.c                 | 1351 ----------
 src/charon/sa/tasks/child_create.h                 |   83 -
 src/charon/sa/tasks/child_delete.c                 |  402 ---
 src/charon/sa/tasks/child_delete.h                 |   60 -
 src/charon/sa/tasks/child_rekey.c                  |  430 ----
 src/charon/sa/tasks/child_rekey.h                  |   64 -
 src/charon/sa/tasks/ike_auth.c                     | 1041 --------
 src/charon/sa/tasks/ike_auth.h                     |   57 -
 src/charon/sa/tasks/ike_auth_lifetime.c            |  182 --
 src/charon/sa/tasks/ike_auth_lifetime.h            |   53 -
 src/charon/sa/tasks/ike_cert_post.c                |  261 --
 src/charon/sa/tasks/ike_cert_post.h                |   53 -
 src/charon/sa/tasks/ike_cert_pre.c                 |  524 ----
 src/charon/sa/tasks/ike_cert_pre.h                 |   53 -
 src/charon/sa/tasks/ike_config.c                   |  479 ----
 src/charon/sa/tasks/ike_config.h                   |   51 -
 src/charon/sa/tasks/ike_delete.c                   |  210 --
 src/charon/sa/tasks/ike_delete.h                   |   50 -
 src/charon/sa/tasks/ike_dpd.c                      |   99 -
 src/charon/sa/tasks/ike_dpd.h                      |   51 -
 src/charon/sa/tasks/ike_init.c                     |  600 -----
 src/charon/sa/tasks/ike_init.h                     |   60 -
 src/charon/sa/tasks/ike_me.c                       |  856 -------
 src/charon/sa/tasks/ike_me.h                       |  100 -
 src/charon/sa/tasks/ike_mobike.c                   |  637 -----
 src/charon/sa/tasks/ike_mobike.h                   |   88 -
 src/charon/sa/tasks/ike_natd.c                     |  487 ----
 src/charon/sa/tasks/ike_natd.h                     |   59 -
 src/charon/sa/tasks/ike_reauth.c                   |  196 --
 src/charon/sa/tasks/ike_reauth.h                   |   51 -
 src/charon/sa/tasks/ike_rekey.c                    |  409 ---
 src/charon/sa/tasks/ike_rekey.h                    |   61 -
 src/charon/sa/tasks/ike_vendor.c                   |  139 -
 src/charon/sa/tasks/ike_vendor.h                   |   49 -
 src/charon/sa/tasks/task.c                         |   58 -
 src/charon/sa/tasks/task.h                         |  150 --
 src/charon/sa/trap_manager.c                       |  403 ---
 src/charon/sa/trap_manager.h                       |   81 -
 src/checksum/Makefile.am                           |   17 +-
 src/checksum/Makefile.in                           |   30 +-
 src/checksum/checksum_builder.c                    |   29 +-
 src/dumm/Makefile.in                               |    1 +
 src/dumm/bridge.c                                  |   22 +-
 src/dumm/cowfs.c                                   |   16 +-
 src/dumm/dumm.c                                    |   11 +-
 src/dumm/guest.c                                   |   20 +-
 src/dumm/iface.c                                   |   14 +-
 src/dumm/mconsole.c                                |   22 +-
 src/include/Makefile.am                            |    2 +-
 src/include/Makefile.in                            |    3 +-
 src/include/linux/jhash.h                          |  143 ++
 src/include/linux/pfkeyv2.h                        |    1 +
 src/ipsec/Makefile.in                              |    1 +
 src/ipsec/ipsec.in                                 |   31 +-
 src/libcharon/Android.mk                           |  174 ++
 src/libcharon/Makefile.am                          |  418 +++
 src/libcharon/Makefile.in                          | 1994 +++++++++++++++
 src/libcharon/bus/bus.c                            |  727 ++++++
 src/libcharon/bus/bus.h                            |  286 +++
 src/libcharon/bus/listeners/file_logger.c          |  125 +
 src/libcharon/bus/listeners/file_logger.h          |   60 +
 src/libcharon/bus/listeners/listener.h             |  178 ++
 src/libcharon/bus/listeners/sys_logger.c           |  121 +
 src/libcharon/bus/listeners/sys_logger.h           |   62 +
 src/libcharon/config/auth_cfg.c                    |  768 ++++++
 src/libcharon/config/auth_cfg.h                    |  201 ++
 src/libcharon/config/backend.h                     |   83 +
 src/libcharon/config/backend_manager.c             |  444 ++++
 src/libcharon/config/backend_manager.h             |  114 +
 src/libcharon/config/child_cfg.c                   |  552 ++++
 src/libcharon/config/child_cfg.h                   |  310 +++
 src/libcharon/config/ike_cfg.c                     |  294 +++
 src/libcharon/config/ike_cfg.h                     |  161 ++
 src/libcharon/config/peer_cfg.c                    |  699 +++++
 src/libcharon/config/peer_cfg.h                    |  358 +++
 src/libcharon/config/proposal.c                    |  949 +++++++
 src/libcharon/config/proposal.h                    |  226 ++
 src/libcharon/control/controller.c                 |  455 ++++
 src/libcharon/control/controller.h                 |  140 +
 src/libcharon/credentials/credential_manager.c     | 1681 ++++++++++++
 src/libcharon/credentials/credential_manager.h     |  203 ++
 src/libcharon/credentials/credential_set.h         |  108 +
 src/libcharon/credentials/sets/auth_cfg_wrapper.c  |  223 ++
 src/libcharon/credentials/sets/auth_cfg_wrapper.h  |   53 +
 src/libcharon/credentials/sets/cert_cache.c        |  390 +++
 src/libcharon/credentials/sets/cert_cache.h        |   71 +
 .../credentials/sets/ocsp_response_wrapper.c       |  147 ++
 .../credentials/sets/ocsp_response_wrapper.h       |   53 +
 src/libcharon/daemon.c                             |  443 ++++
 src/libcharon/daemon.h                             |  341 +++
 src/libcharon/encoding/generator.c                 |  888 +++++++
 src/libcharon/encoding/generator.h                 |   85 +
 src/libcharon/encoding/message.c                   | 1723 +++++++++++++
 src/libcharon/encoding/message.h                   |  359 +++
 src/libcharon/encoding/parser.c                    |  862 +++++++
 src/libcharon/encoding/parser.h                    |   79 +
 src/libcharon/encoding/payloads/auth_payload.c     |  259 ++
 src/libcharon/encoding/payloads/auth_payload.h     |  102 +
 src/libcharon/encoding/payloads/cert_payload.c     |  340 +++
 src/libcharon/encoding/payloads/cert_payload.h     |  137 +
 src/libcharon/encoding/payloads/certreq_payload.c  |  298 +++
 src/libcharon/encoding/payloads/certreq_payload.h  |   90 +
 .../encoding/payloads/configuration_attribute.c    |  264 ++
 .../encoding/payloads/configuration_attribute.h    |   85 +
 src/libcharon/encoding/payloads/cp_payload.c       |  273 ++
 src/libcharon/encoding/payloads/cp_payload.h       |  108 +
 src/libcharon/encoding/payloads/delete_payload.c   |  292 +++
 src/libcharon/encoding/payloads/delete_payload.h   |   84 +
 src/libcharon/encoding/payloads/eap_payload.c      |  302 +++
 src/libcharon/encoding/payloads/eap_payload.h      |  129 +
 src/libcharon/encoding/payloads/encodings.c        |   58 +
 src/libcharon/encoding/payloads/encodings.h        |  515 ++++
 .../encoding/payloads/encryption_payload.c         |  619 +++++
 .../encoding/payloads/encryption_payload.h         |  173 ++
 src/libcharon/encoding/payloads/endpoint_notify.c  |  422 ++++
 src/libcharon/encoding/payloads/endpoint_notify.h  |  173 ++
 src/libcharon/encoding/payloads/id_payload.c       |  293 +++
 src/libcharon/encoding/payloads/id_payload.h       |  122 +
 src/libcharon/encoding/payloads/ike_header.c       |  415 +++
 src/libcharon/encoding/payloads/ike_header.h       |  227 ++
 src/libcharon/encoding/payloads/ke_payload.c       |  270 ++
 src/libcharon/encoding/payloads/ke_payload.h       |  104 +
 src/libcharon/encoding/payloads/nonce_payload.c    |  225 ++
 src/libcharon/encoding/payloads/nonce_payload.h    |   78 +
 src/libcharon/encoding/payloads/notify_payload.c   |  617 +++++
 src/libcharon/encoding/payloads/notify_payload.h   |  232 ++
 src/libcharon/encoding/payloads/payload.c          |  184 ++
 src/libcharon/encoding/payloads/payload.h          |  272 ++
 .../encoding/payloads/proposal_substructure.c      |  598 +++++
 .../encoding/payloads/proposal_substructure.h      |  173 ++
 src/libcharon/encoding/payloads/sa_payload.c       |  368 +++
 src/libcharon/encoding/payloads/sa_payload.h       |  115 +
 .../payloads/traffic_selector_substructure.c       |  276 ++
 .../payloads/traffic_selector_substructure.h       |  151 ++
 .../encoding/payloads/transform_attribute.c        |  325 +++
 .../encoding/payloads/transform_attribute.h        |  132 +
 .../encoding/payloads/transform_substructure.c     |  402 +++
 .../encoding/payloads/transform_substructure.h     |  174 ++
 src/libcharon/encoding/payloads/ts_payload.c       |  334 +++
 src/libcharon/encoding/payloads/ts_payload.h       |  127 +
 src/libcharon/encoding/payloads/unknown_payload.c  |  201 ++
 src/libcharon/encoding/payloads/unknown_payload.h  |   79 +
 .../encoding/payloads/vendor_id_payload.c          |  195 ++
 .../encoding/payloads/vendor_id_payload.h          |   70 +
 src/libcharon/kernel/kernel_interface.c            |  386 +++
 src/libcharon/kernel/kernel_interface.h            |  398 +++
 src/libcharon/kernel/kernel_ipsec.c                |   29 +
 src/libcharon/kernel/kernel_ipsec.h                |  282 +++
 src/libcharon/kernel/kernel_net.h                  |  143 ++
 src/libcharon/network/packet.c                     |  138 +
 src/libcharon/network/packet.h                     |  115 +
 src/libcharon/network/receiver.c                   |  402 +++
 src/libcharon/network/receiver.h                   |   70 +
 src/libcharon/network/sender.c                     |  165 ++
 src/libcharon/network/sender.h                     |   62 +
 src/libcharon/network/socket.h                     |   64 +
 src/libcharon/network/socket_manager.c             |  129 +
 src/libcharon/network/socket_manager.h             |   74 +
 src/libcharon/plugins/android/Makefile.am          |   18 +
 src/libcharon/plugins/android/Makefile.in          |  590 +++++
 src/libcharon/plugins/android/android_handler.c    |  225 ++
 src/libcharon/plugins/android/android_handler.h    |   50 +
 src/libcharon/plugins/android/android_plugin.c     |   66 +
 src/libcharon/plugins/android/android_plugin.h     |   42 +
 src/libcharon/plugins/dhcp/Makefile.am             |   18 +
 src/libcharon/plugins/dhcp/Makefile.in             |  590 +++++
 src/libcharon/plugins/dhcp/dhcp_plugin.c           |   81 +
 src/libcharon/plugins/dhcp/dhcp_plugin.h           |   42 +
 src/libcharon/plugins/dhcp/dhcp_provider.c         |  194 ++
 src/libcharon/plugins/dhcp/dhcp_provider.h         |   54 +
 src/libcharon/plugins/dhcp/dhcp_socket.c           |  758 ++++++
 src/libcharon/plugins/dhcp/dhcp_socket.h           |   60 +
 src/libcharon/plugins/dhcp/dhcp_transaction.c      |  184 ++
 src/libcharon/plugins/dhcp/dhcp_transaction.h      |  109 +
 src/libcharon/plugins/eap_aka/Makefile.am          |   19 +
 src/libcharon/plugins/eap_aka/Makefile.in          |  593 +++++
 src/libcharon/plugins/eap_aka/eap_aka_peer.c       |  583 +++++
 src/libcharon/plugins/eap_aka/eap_aka_peer.h       |   49 +
 src/libcharon/plugins/eap_aka/eap_aka_plugin.c     |   51 +
 src/libcharon/plugins/eap_aka/eap_aka_plugin.h     |   45 +
 src/libcharon/plugins/eap_aka/eap_aka_server.c     |  700 +++++
 src/libcharon/plugins/eap_aka/eap_aka_server.h     |   49 +
 src/libcharon/plugins/eap_aka_3gpp2/Makefile.am    |   20 +
 src/libcharon/plugins/eap_aka_3gpp2/Makefile.in    |  596 +++++
 .../plugins/eap_aka_3gpp2/eap_aka_3gpp2_card.c     |  178 ++
 .../plugins/eap_aka_3gpp2/eap_aka_3gpp2_card.h     |   53 +
 .../eap_aka_3gpp2/eap_aka_3gpp2_functions.c        |  394 +++
 .../eap_aka_3gpp2/eap_aka_3gpp2_functions.h        |  125 +
 .../plugins/eap_aka_3gpp2/eap_aka_3gpp2_plugin.c   |   87 +
 .../plugins/eap_aka_3gpp2/eap_aka_3gpp2_plugin.h   |   57 +
 .../plugins/eap_aka_3gpp2/eap_aka_3gpp2_provider.c |  204 ++
 .../plugins/eap_aka_3gpp2/eap_aka_3gpp2_provider.h |   52 +
 src/libcharon/plugins/eap_gtc/Makefile.am          |   16 +
 src/libcharon/plugins/eap_gtc/Makefile.in          |  587 +++++
 src/libcharon/plugins/eap_gtc/eap_gtc.c            |  327 +++
 src/libcharon/plugins/eap_gtc/eap_gtc.h            |   60 +
 src/libcharon/plugins/eap_gtc/eap_gtc_plugin.c     |   56 +
 src/libcharon/plugins/eap_gtc/eap_gtc_plugin.h     |   42 +
 src/libcharon/plugins/eap_identity/Makefile.am     |   16 +
 src/libcharon/plugins/eap_identity/Makefile.in     |  589 +++++
 src/libcharon/plugins/eap_identity/eap_identity.c  |  218 ++
 src/libcharon/plugins/eap_identity/eap_identity.h  |   59 +
 .../plugins/eap_identity/eap_identity_plugin.c     |   50 +
 .../plugins/eap_identity/eap_identity_plugin.h     |   42 +
 src/libcharon/plugins/eap_md5/Makefile.am          |   16 +
 src/libcharon/plugins/eap_md5/Makefile.in          |  587 +++++
 src/libcharon/plugins/eap_md5/eap_md5.c            |  303 +++
 src/libcharon/plugins/eap_md5/eap_md5.h            |   57 +
 src/libcharon/plugins/eap_md5/eap_md5_plugin.c     |   50 +
 src/libcharon/plugins/eap_md5/eap_md5_plugin.h     |   42 +
 src/libcharon/plugins/eap_mschapv2/Makefile.am     |   17 +
 src/libcharon/plugins/eap_mschapv2/Makefile.in     |  590 +++++
 src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c  | 1250 +++++++++
 src/libcharon/plugins/eap_mschapv2/eap_mschapv2.h  |   57 +
 .../plugins/eap_mschapv2/eap_mschapv2_plugin.c     |   50 +
 .../plugins/eap_mschapv2/eap_mschapv2_plugin.h     |   42 +
 src/libcharon/plugins/eap_radius/Makefile.am       |   19 +
 src/libcharon/plugins/eap_radius/Makefile.in       |  594 +++++
 src/libcharon/plugins/eap_radius/eap_radius.c      |  312 +++
 src/libcharon/plugins/eap_radius/eap_radius.h      |   48 +
 .../plugins/eap_radius/eap_radius_plugin.c         |   54 +
 .../plugins/eap_radius/eap_radius_plugin.h         |   45 +
 src/libcharon/plugins/eap_radius/radius_client.c   |  495 ++++
 src/libcharon/plugins/eap_radius/radius_client.h   |   88 +
 src/libcharon/plugins/eap_radius/radius_message.c  |  476 ++++
 src/libcharon/plugins/eap_radius/radius_message.h  |  276 ++
 src/libcharon/plugins/eap_sim/Makefile.am          |   19 +
 src/libcharon/plugins/eap_sim/Makefile.in          |  593 +++++
 src/libcharon/plugins/eap_sim/eap_sim_peer.c       |  654 +++++
 src/libcharon/plugins/eap_sim/eap_sim_peer.h       |   57 +
 src/libcharon/plugins/eap_sim/eap_sim_plugin.c     |   51 +
 src/libcharon/plugins/eap_sim/eap_sim_plugin.h     |   42 +
 src/libcharon/plugins/eap_sim/eap_sim_server.c     |  611 +++++
 src/libcharon/plugins/eap_sim/eap_sim_server.h     |   57 +
 src/libcharon/plugins/eap_sim_file/Makefile.am     |   19 +
 src/libcharon/plugins/eap_sim_file/Makefile.in     |  595 +++++
 .../plugins/eap_sim_file/eap_sim_file_card.c       |  107 +
 .../plugins/eap_sim_file/eap_sim_file_card.h       |   53 +
 .../plugins/eap_sim_file/eap_sim_file_plugin.c     |   90 +
 .../plugins/eap_sim_file/eap_sim_file_plugin.h     |   42 +
 .../plugins/eap_sim_file/eap_sim_file_provider.c   |   93 +
 .../plugins/eap_sim_file/eap_sim_file_provider.h   |   50 +
 .../plugins/eap_sim_file/eap_sim_file_triplets.c   |  260 ++
 .../plugins/eap_sim_file/eap_sim_file_triplets.h   |   56 +
 .../plugins/eap_simaka_pseudonym/Makefile.am       |   18 +
 .../plugins/eap_simaka_pseudonym/Makefile.in       |  594 +++++
 .../eap_simaka_pseudonym_card.c                    |  154 ++
 .../eap_simaka_pseudonym_card.h                    |   49 +
 .../eap_simaka_pseudonym_plugin.c                  |   81 +
 .../eap_simaka_pseudonym_plugin.h                  |   42 +
 .../eap_simaka_pseudonym_provider.c                |  182 ++
 .../eap_simaka_pseudonym_provider.h                |   49 +
 .../plugins/eap_simaka_reauth/Makefile.am          |   18 +
 .../plugins/eap_simaka_reauth/Makefile.in          |  593 +++++
 .../eap_simaka_reauth/eap_simaka_reauth_card.c     |  170 ++
 .../eap_simaka_reauth/eap_simaka_reauth_card.h     |   49 +
 .../eap_simaka_reauth/eap_simaka_reauth_plugin.c   |   79 +
 .../eap_simaka_reauth/eap_simaka_reauth_plugin.h   |   42 +
 .../eap_simaka_reauth/eap_simaka_reauth_provider.c |  209 ++
 .../eap_simaka_reauth/eap_simaka_reauth_provider.h |   49 +
 src/libcharon/plugins/farp/Makefile.am             |   16 +
 src/libcharon/plugins/farp/Makefile.in             |  587 +++++
 src/libcharon/plugins/farp/farp_listener.c         |  154 ++
 src/libcharon/plugins/farp/farp_listener.h         |   58 +
 src/libcharon/plugins/farp/farp_plugin.c           |   77 +
 src/libcharon/plugins/farp/farp_plugin.h           |   42 +
 src/libcharon/plugins/farp/farp_spoofer.c          |  198 ++
 src/libcharon/plugins/farp/farp_spoofer.h          |   47 +
 src/libcharon/plugins/ha/Makefile.am               |   25 +
 src/libcharon/plugins/ha/Makefile.in               |  604 +++++
 src/libcharon/plugins/ha/ha_child.c                |  170 ++
 src/libcharon/plugins/ha/ha_child.h                |   57 +
 src/libcharon/plugins/ha/ha_ctl.c                  |  132 +
 src/libcharon/plugins/ha/ha_ctl.h                  |   47 +
 src/libcharon/plugins/ha/ha_dispatcher.c           |  737 ++++++
 src/libcharon/plugins/ha/ha_dispatcher.h           |   50 +
 src/libcharon/plugins/ha/ha_ike.c                  |  280 ++
 src/libcharon/plugins/ha/ha_ike.h                  |   57 +
 src/libcharon/plugins/ha/ha_kernel.c               |  229 ++
 src/libcharon/plugins/ha/ha_kernel.h               |   70 +
 src/libcharon/plugins/ha/ha_message.c              |  663 +++++
 src/libcharon/plugins/ha/ha_message.h              |  205 ++
 src/libcharon/plugins/ha/ha_plugin.c               |  163 ++
 src/libcharon/plugins/ha/ha_plugin.h               |   47 +
 src/libcharon/plugins/ha/ha_segments.c             |  503 ++++
 src/libcharon/plugins/ha/ha_segments.h             |  111 +
 src/libcharon/plugins/ha/ha_socket.c               |  234 ++
 src/libcharon/plugins/ha/ha_socket.h               |   60 +
 src/libcharon/plugins/ha/ha_tunnel.c               |  298 +++
 src/libcharon/plugins/ha/ha_tunnel.h               |   57 +
 src/libcharon/plugins/kernel_klips/Makefile.am     |   17 +
 src/libcharon/plugins/kernel_klips/Makefile.in     |  590 +++++
 .../plugins/kernel_klips/kernel_klips_ipsec.c      | 2657 +++++++++++++++++++
 .../plugins/kernel_klips/kernel_klips_ipsec.h      |   46 +
 .../plugins/kernel_klips/kernel_klips_plugin.c     |   56 +
 .../plugins/kernel_klips/kernel_klips_plugin.h     |   42 +
 src/libcharon/plugins/kernel_klips/pfkeyv2.h       |  322 +++
 src/libcharon/plugins/kernel_netlink/Makefile.am   |   20 +
 src/libcharon/plugins/kernel_netlink/Makefile.in   |  597 +++++
 .../plugins/kernel_netlink/kernel_netlink_ipsec.c  | 2032 +++++++++++++++
 .../plugins/kernel_netlink/kernel_netlink_ipsec.h  |   46 +
 .../plugins/kernel_netlink/kernel_netlink_net.c    | 1506 +++++++++++
 .../plugins/kernel_netlink/kernel_netlink_net.h    |   46 +
 .../plugins/kernel_netlink/kernel_netlink_plugin.c |   59 +
 .../plugins/kernel_netlink/kernel_netlink_plugin.h |   42 +
 .../plugins/kernel_netlink/kernel_netlink_shared.c |  306 +++
 .../plugins/kernel_netlink/kernel_netlink_shared.h |   77 +
 src/libcharon/plugins/kernel_pfkey/Makefile.am     |   17 +
 src/libcharon/plugins/kernel_pfkey/Makefile.in     |  590 +++++
 .../plugins/kernel_pfkey/kernel_pfkey_ipsec.c      | 2175 ++++++++++++++++
 .../plugins/kernel_pfkey/kernel_pfkey_ipsec.h      |   46 +
 .../plugins/kernel_pfkey/kernel_pfkey_plugin.c     |   56 +
 .../plugins/kernel_pfkey/kernel_pfkey_plugin.h     |   42 +
 src/libcharon/plugins/kernel_pfroute/Makefile.am   |   17 +
 src/libcharon/plugins/kernel_pfroute/Makefile.in   |  590 +++++
 .../plugins/kernel_pfroute/kernel_pfroute_net.c    |  729 ++++++
 .../plugins/kernel_pfroute/kernel_pfroute_net.h    |   46 +
 .../plugins/kernel_pfroute/kernel_pfroute_plugin.c |   58 +
 .../plugins/kernel_pfroute/kernel_pfroute_plugin.h |   42 +
 src/libcharon/plugins/load_tester/Makefile.am      |   21 +
 src/libcharon/plugins/load_tester/Makefile.in      |  600 +++++
 .../plugins/load_tester/load_tester_config.c       |  333 +++
 .../plugins/load_tester/load_tester_config.h       |   51 +
 .../plugins/load_tester/load_tester_creds.c        |  313 +++
 .../plugins/load_tester/load_tester_creds.h        |   51 +
 .../load_tester/load_tester_diffie_hellman.c       |   67 +
 .../load_tester/load_tester_diffie_hellman.h       |   48 +
 .../plugins/load_tester/load_tester_ipsec.c        |  176 ++
 .../plugins/load_tester/load_tester_ipsec.h        |   46 +
 .../plugins/load_tester/load_tester_listener.c     |  102 +
 .../plugins/load_tester/load_tester_listener.h     |   52 +
 .../plugins/load_tester/load_tester_plugin.c       |  230 ++
 .../plugins/load_tester/load_tester_plugin.h       |   44 +
 src/libcharon/plugins/medcli/Makefile.am           |   19 +
 src/libcharon/plugins/medcli/Makefile.in           |  593 +++++
 src/libcharon/plugins/medcli/medcli_config.c       |  407 +++
 src/libcharon/plugins/medcli/medcli_config.h       |   53 +
 src/libcharon/plugins/medcli/medcli_creds.c        |  243 ++
 src/libcharon/plugins/medcli/medcli_creds.h        |   53 +
 src/libcharon/plugins/medcli/medcli_listener.c     |  133 +
 src/libcharon/plugins/medcli/medcli_listener.h     |   53 +
 src/libcharon/plugins/medcli/medcli_plugin.c       |  109 +
 src/libcharon/plugins/medcli/medcli_plugin.h       |   42 +
 src/libcharon/plugins/medsrv/Makefile.am           |   18 +
 src/libcharon/plugins/medsrv/Makefile.in           |  591 +++++
 src/libcharon/plugins/medsrv/medsrv_config.c       |  154 ++
 src/libcharon/plugins/medsrv/medsrv_config.h       |   53 +
 src/libcharon/plugins/medsrv/medsrv_creds.c        |  163 ++
 src/libcharon/plugins/medsrv/medsrv_creds.h        |   53 +
 src/libcharon/plugins/medsrv/medsrv_plugin.c       |   99 +
 src/libcharon/plugins/medsrv/medsrv_plugin.h       |   42 +
 src/libcharon/plugins/nm/Makefile.am               |   21 +
 src/libcharon/plugins/nm/Makefile.in               |  595 +++++
 src/libcharon/plugins/nm/nm_creds.c                |  447 ++++
 src/libcharon/plugins/nm/nm_creds.h                |   85 +
 src/libcharon/plugins/nm/nm_handler.c              |  193 ++
 src/libcharon/plugins/nm/nm_handler.h              |   62 +
 src/libcharon/plugins/nm/nm_plugin.c               |  130 +
 src/libcharon/plugins/nm/nm_plugin.h               |   42 +
 src/libcharon/plugins/nm/nm_service.c              |  629 +++++
 src/libcharon/plugins/nm/nm_service.h              |   55 +
 src/libcharon/plugins/resolve/Makefile.am          |   18 +
 src/libcharon/plugins/resolve/Makefile.in          |  591 +++++
 src/libcharon/plugins/resolve/resolve_handler.c    |  251 ++
 src/libcharon/plugins/resolve/resolve_handler.h    |   49 +
 src/libcharon/plugins/resolve/resolve_plugin.c     |   62 +
 src/libcharon/plugins/resolve/resolve_plugin.h     |   42 +
 src/libcharon/plugins/smp/Makefile.am              |   17 +
 src/libcharon/plugins/smp/Makefile.in              |  586 +++++
 src/libcharon/plugins/smp/smp.c                    |  768 ++++++
 src/libcharon/plugins/smp/smp.h                    |   45 +
 src/libcharon/plugins/socket_default/Makefile.am   |   17 +
 src/libcharon/plugins/socket_default/Makefile.in   |  590 +++++
 .../plugins/socket_default/socket_default_plugin.c |   69 +
 .../plugins/socket_default/socket_default_plugin.h |   42 +
 .../plugins/socket_default/socket_default_socket.c |  631 +++++
 .../plugins/socket_default/socket_default_socket.h |   49 +
 src/libcharon/plugins/socket_dynamic/Makefile.am   |   17 +
 src/libcharon/plugins/socket_dynamic/Makefile.in   |  590 +++++
 .../plugins/socket_dynamic/socket_dynamic_plugin.c |   69 +
 .../plugins/socket_dynamic/socket_dynamic_plugin.h |   42 +
 .../plugins/socket_dynamic/socket_dynamic_socket.c |  620 +++++
 .../plugins/socket_dynamic/socket_dynamic_socket.h |   49 +
 src/libcharon/plugins/socket_raw/Makefile.am       |   17 +
 src/libcharon/plugins/socket_raw/Makefile.in       |  590 +++++
 .../plugins/socket_raw/socket_raw_plugin.c         |   69 +
 .../plugins/socket_raw/socket_raw_plugin.h         |   42 +
 .../plugins/socket_raw/socket_raw_socket.c         |  709 ++++++
 .../plugins/socket_raw/socket_raw_socket.h         |   55 +
 src/libcharon/plugins/sql/Makefile.am              |   18 +
 src/libcharon/plugins/sql/Makefile.in              |  591 +++++
 src/libcharon/plugins/sql/sql_config.c             |  535 ++++
 src/libcharon/plugins/sql/sql_config.h             |   53 +
 src/libcharon/plugins/sql/sql_cred.c               |  365 +++
 src/libcharon/plugins/sql/sql_cred.h               |   53 +
 src/libcharon/plugins/sql/sql_logger.c             |  145 ++
 src/libcharon/plugins/sql/sql_logger.h             |   53 +
 src/libcharon/plugins/sql/sql_plugin.c             |  107 +
 src/libcharon/plugins/sql/sql_plugin.h             |   42 +
 src/libcharon/plugins/stroke/Makefile.am           |   27 +
 src/libcharon/plugins/stroke/Makefile.in           |  608 +++++
 src/libcharon/plugins/stroke/stroke_attribute.c    |  226 ++
 src/libcharon/plugins/stroke/stroke_attribute.h    |   86 +
 src/libcharon/plugins/stroke/stroke_ca.c           |  458 ++++
 src/libcharon/plugins/stroke/stroke_ca.h           |   80 +
 src/libcharon/plugins/stroke/stroke_config.c       |  949 +++++++
 src/libcharon/plugins/stroke/stroke_config.h       |   66 +
 src/libcharon/plugins/stroke/stroke_control.c      |  491 ++++
 src/libcharon/plugins/stroke/stroke_control.h      |   88 +
 src/libcharon/plugins/stroke/stroke_cred.c         | 1175 +++++++++
 src/libcharon/plugins/stroke/stroke_cred.h         |   84 +
 src/libcharon/plugins/stroke/stroke_list.c         | 1230 +++++++++
 src/libcharon/plugins/stroke/stroke_list.h         |   74 +
 src/libcharon/plugins/stroke/stroke_plugin.c       |   65 +
 src/libcharon/plugins/stroke/stroke_plugin.h       |   45 +
 src/libcharon/plugins/stroke/stroke_shared_key.c   |  140 +
 src/libcharon/plugins/stroke/stroke_shared_key.h   |   60 +
 src/libcharon/plugins/stroke/stroke_socket.c       |  671 +++++
 src/libcharon/plugins/stroke/stroke_socket.h       |   42 +
 src/libcharon/plugins/uci/Makefile.am              |   19 +
 src/libcharon/plugins/uci/Makefile.in              |  592 +++++
 src/libcharon/plugins/uci/uci_config.c             |  361 +++
 src/libcharon/plugins/uci/uci_config.h             |   55 +
 src/libcharon/plugins/uci/uci_control.c            |  301 +++
 src/libcharon/plugins/uci/uci_control.h            |   42 +
 src/libcharon/plugins/uci/uci_creds.c              |  174 ++
 src/libcharon/plugins/uci/uci_creds.h              |   55 +
 src/libcharon/plugins/uci/uci_parser.c             |  186 ++
 src/libcharon/plugins/uci/uci_parser.h             |   59 +
 src/libcharon/plugins/uci/uci_plugin.c             |   93 +
 src/libcharon/plugins/uci/uci_plugin.h             |   43 +
 src/libcharon/plugins/unit_tester/Makefile.am      |   29 +
 src/libcharon/plugins/unit_tester/Makefile.in      |  708 ++++++
 src/libcharon/plugins/unit_tester/tests.h          |   43 +
 .../plugins/unit_tester/tests/test_agent.c         |   67 +
 .../plugins/unit_tester/tests/test_auth_info.c     |  140 +
 .../plugins/unit_tester/tests/test_cert.c          |  108 +
 .../plugins/unit_tester/tests/test_chunk.c         |   82 +
 .../plugins/unit_tester/tests/test_curl.c          |   44 +
 .../plugins/unit_tester/tests/test_enumerator.c    |  306 +++
 src/libcharon/plugins/unit_tester/tests/test_id.c  |  249 ++
 .../plugins/unit_tester/tests/test_med_db.c        |   54 +
 .../plugins/unit_tester/tests/test_mutex.c         |  100 +
 .../plugins/unit_tester/tests/test_mysql.c         |   89 +
 .../plugins/unit_tester/tests/test_pool.c          |   93 +
 .../plugins/unit_tester/tests/test_rsa_gen.c       |  120 +
 .../plugins/unit_tester/tests/test_sqlite.c        |   93 +
 src/libcharon/plugins/unit_tester/unit_tester.c    |  116 +
 src/libcharon/plugins/unit_tester/unit_tester.h    |   44 +
 src/libcharon/plugins/updown/Makefile.am           |   17 +
 src/libcharon/plugins/updown/Makefile.in           |  589 +++++
 src/libcharon/plugins/updown/updown_listener.c     |  294 +++
 src/libcharon/plugins/updown/updown_listener.h     |   49 +
 src/libcharon/plugins/updown/updown_plugin.c       |   63 +
 src/libcharon/plugins/updown/updown_plugin.h       |   42 +
 src/libcharon/processing/jobs/acquire_job.c        |   86 +
 src/libcharon/processing/jobs/acquire_job.h        |   54 +
 src/libcharon/processing/jobs/callback_job.c       |  271 ++
 src/libcharon/processing/jobs/callback_job.h       |  118 +
 .../processing/jobs/delete_child_sa_job.c          |  100 +
 .../processing/jobs/delete_child_sa_job.h          |   59 +
 src/libcharon/processing/jobs/delete_ike_sa_job.c  |  116 +
 src/libcharon/processing/jobs/delete_ike_sa_job.h  |   57 +
 src/libcharon/processing/jobs/inactivity_job.c     |  150 ++
 src/libcharon/processing/jobs/inactivity_job.h     |   53 +
 .../processing/jobs/initiate_mediation_job.c       |  271 ++
 .../processing/jobs/initiate_mediation_job.h       |   62 +
 src/libcharon/processing/jobs/job.h                |   52 +
 src/libcharon/processing/jobs/mediation_job.c      |  195 ++
 src/libcharon/processing/jobs/mediation_job.h      |   74 +
 src/libcharon/processing/jobs/migrate_job.c        |  150 ++
 src/libcharon/processing/jobs/migrate_job.h        |   61 +
 .../processing/jobs/process_message_job.c          |  106 +
 .../processing/jobs/process_message_job.h          |   49 +
 src/libcharon/processing/jobs/rekey_child_sa_job.c |   97 +
 src/libcharon/processing/jobs/rekey_child_sa_job.h |   57 +
 src/libcharon/processing/jobs/rekey_ike_sa_job.c   |  104 +
 src/libcharon/processing/jobs/rekey_ike_sa_job.h   |   51 +
 src/libcharon/processing/jobs/retransmit_job.c     |   93 +
 src/libcharon/processing/jobs/retransmit_job.h     |   55 +
 src/libcharon/processing/jobs/roam_job.c           |  106 +
 src/libcharon/processing/jobs/roam_job.h           |   52 +
 src/libcharon/processing/jobs/send_dpd_job.c       |   88 +
 src/libcharon/processing/jobs/send_dpd_job.h       |   52 +
 src/libcharon/processing/jobs/send_keepalive_job.c |   82 +
 src/libcharon/processing/jobs/send_keepalive_job.h |   51 +
 src/libcharon/processing/jobs/update_sa_job.c      |   96 +
 src/libcharon/processing/jobs/update_sa_job.h      |   50 +
 src/libcharon/processing/processor.c               |  273 ++
 src/libcharon/processing/processor.h               |   94 +
 src/libcharon/processing/scheduler.c               |  358 +++
 src/libcharon/processing/scheduler.h               |  130 +
 src/libcharon/sa/authenticators/authenticator.c    |  100 +
 src/libcharon/sa/authenticators/authenticator.h    |  178 ++
 src/libcharon/sa/authenticators/eap/eap_manager.c  |  170 ++
 src/libcharon/sa/authenticators/eap/eap_manager.h  |   82 +
 src/libcharon/sa/authenticators/eap/eap_method.c   |  107 +
 src/libcharon/sa/authenticators/eap/eap_method.h   |  205 ++
 src/libcharon/sa/authenticators/eap/sim_manager.c  |  534 ++++
 src/libcharon/sa/authenticators/eap/sim_manager.h  |  514 ++++
 .../sa/authenticators/eap_authenticator.c          |  705 ++++++
 .../sa/authenticators/eap_authenticator.h          |   98 +
 .../sa/authenticators/psk_authenticator.c          |  201 ++
 .../sa/authenticators/psk_authenticator.h          |   61 +
 .../sa/authenticators/pubkey_authenticator.c       |  265 ++
 .../sa/authenticators/pubkey_authenticator.h       |   62 +
 src/libcharon/sa/child_sa.c                        | 1015 ++++++++
 src/libcharon/sa/child_sa.h                        |  337 +++
 src/libcharon/sa/connect_manager.c                 | 1623 ++++++++++++
 src/libcharon/sa/connect_manager.h                 |  126 +
 src/libcharon/sa/ike_sa.c                          | 2227 ++++++++++++++++
 src/libcharon/sa/ike_sa.h                          |  921 +++++++
 src/libcharon/sa/ike_sa_id.c                       |  179 ++
 src/libcharon/sa/ike_sa_id.h                       |  126 +
 src/libcharon/sa/ike_sa_manager.c                  | 1741 +++++++++++++
 src/libcharon/sa/ike_sa_manager.h                  |  220 ++
 src/libcharon/sa/keymat.c                          |  617 +++++
 src/libcharon/sa/keymat.h                          |  163 ++
 src/libcharon/sa/mediation_manager.c               |  341 +++
 src/libcharon/sa/mediation_manager.h               |   90 +
 src/libcharon/sa/task_manager.c                    | 1083 ++++++++
 src/libcharon/sa/task_manager.h                    |  173 ++
 src/libcharon/sa/tasks/child_create.c              | 1351 ++++++++++
 src/libcharon/sa/tasks/child_create.h              |   83 +
 src/libcharon/sa/tasks/child_delete.c              |  402 +++
 src/libcharon/sa/tasks/child_delete.h              |   60 +
 src/libcharon/sa/tasks/child_rekey.c               |  430 ++++
 src/libcharon/sa/tasks/child_rekey.h               |   64 +
 src/libcharon/sa/tasks/ike_auth.c                  | 1041 ++++++++
 src/libcharon/sa/tasks/ike_auth.h                  |   57 +
 src/libcharon/sa/tasks/ike_auth_lifetime.c         |  182 ++
 src/libcharon/sa/tasks/ike_auth_lifetime.h         |   53 +
 src/libcharon/sa/tasks/ike_cert_post.c             |  261 ++
 src/libcharon/sa/tasks/ike_cert_post.h             |   53 +
 src/libcharon/sa/tasks/ike_cert_pre.c              |  524 ++++
 src/libcharon/sa/tasks/ike_cert_pre.h              |   53 +
 src/libcharon/sa/tasks/ike_config.c                |  448 ++++
 src/libcharon/sa/tasks/ike_config.h                |   51 +
 src/libcharon/sa/tasks/ike_delete.c                |  210 ++
 src/libcharon/sa/tasks/ike_delete.h                |   50 +
 src/libcharon/sa/tasks/ike_dpd.c                   |   99 +
 src/libcharon/sa/tasks/ike_dpd.h                   |   51 +
 src/libcharon/sa/tasks/ike_init.c                  |  600 +++++
 src/libcharon/sa/tasks/ike_init.h                  |   60 +
 src/libcharon/sa/tasks/ike_me.c                    |  856 +++++++
 src/libcharon/sa/tasks/ike_me.h                    |  100 +
 src/libcharon/sa/tasks/ike_mobike.c                |  659 +++++
 src/libcharon/sa/tasks/ike_mobike.h                |   88 +
 src/libcharon/sa/tasks/ike_natd.c                  |  490 ++++
 src/libcharon/sa/tasks/ike_natd.h                  |   59 +
 src/libcharon/sa/tasks/ike_reauth.c                |  196 ++
 src/libcharon/sa/tasks/ike_reauth.h                |   51 +
 src/libcharon/sa/tasks/ike_rekey.c                 |  409 +++
 src/libcharon/sa/tasks/ike_rekey.h                 |   61 +
 src/libcharon/sa/tasks/ike_vendor.c                |  139 +
 src/libcharon/sa/tasks/ike_vendor.h                |   49 +
 src/libcharon/sa/tasks/task.c                      |   58 +
 src/libcharon/sa/tasks/task.h                      |  150 ++
 src/libcharon/sa/trap_manager.c                    |  403 +++
 src/libcharon/sa/trap_manager.h                    |   81 +
 src/libfast/Makefile.am                            |    2 +-
 src/libfast/Makefile.in                            |    6 +-
 src/libfast/request.c                              |   41 +-
 src/libfast/request.h                              |    9 +-
 src/libfast/session.c                              |    4 +-
 src/libfast/smtp.c                                 |  185 ++
 src/libfast/smtp.h                                 |   56 +
 src/libfreeswan/Makefile.in                        |    1 +
 src/libfreeswan/pfkeyv2.h                          |    1 +
 src/libhydra/Android.mk                            |   34 +
 src/libhydra/Makefile.am                           |   42 +
 src/libhydra/Makefile.in                           |  762 ++++++
 src/libhydra/attributes/attribute_handler.h        |   72 +
 src/libhydra/attributes/attribute_manager.c        |  374 +++
 src/libhydra/attributes/attribute_manager.h        |  149 ++
 src/libhydra/attributes/attribute_provider.h       |   67 +
 src/libhydra/attributes/attributes.c               |   43 +
 src/libhydra/attributes/attributes.h               |   62 +
 src/libhydra/attributes/mem_pool.c                 |  451 ++++
 src/libhydra/attributes/mem_pool.h                 |  110 +
 src/libhydra/hydra.c                               |   73 +
 src/libhydra/hydra.h                               |   76 +
 src/libhydra/plugins/attr/Makefile.am              |   17 +
 src/libhydra/plugins/attr/Makefile.in              |  586 +++++
 src/libhydra/plugins/attr/attr_plugin.c            |   63 +
 src/libhydra/plugins/attr/attr_plugin.h            |   42 +
 src/libhydra/plugins/attr/attr_provider.c          |  240 ++
 src/libhydra/plugins/attr/attr_provider.h          |   49 +
 src/libhydra/plugins/attr_sql/Makefile.am          |   23 +
 src/libhydra/plugins/attr_sql/Makefile.in          |  649 +++++
 src/libhydra/plugins/attr_sql/attr_sql_plugin.c    |   88 +
 src/libhydra/plugins/attr_sql/attr_sql_plugin.h    |   42 +
 src/libhydra/plugins/attr_sql/pool.c               | 1402 ++++++++++
 src/libhydra/plugins/attr_sql/sql_attribute.c      |  384 +++
 src/libhydra/plugins/attr_sql/sql_attribute.h      |   50 +
 src/libsimaka/Makefile.am                          |    2 +-
 src/libsimaka/Makefile.in                          |    3 +-
 src/libsimaka/simaka_message.c                     |   22 +-
 src/libsimaka/simaka_message.h                     |    1 -
 src/libstrongswan/Android.mk                       |  121 +
 src/libstrongswan/AndroidConfigLocal.h             |    9 +
 src/libstrongswan/Makefile.am                      |   99 +-
 src/libstrongswan/Makefile.in                      |  187 +-
 src/libstrongswan/asn1/asn1.c                      |   36 +-
 src/libstrongswan/asn1/asn1.h                      |    3 +-
 src/libstrongswan/asn1/asn1_parser.c               |   19 +-
 src/libstrongswan/asn1/asn1_parser.h               |    6 +-
 src/libstrongswan/asn1/oid.h                       |    1 +
 src/libstrongswan/asn1/oid.txt                     |    2 +-
 src/libstrongswan/attributes/attribute_handler.h   |   72 -
 src/libstrongswan/attributes/attribute_manager.c   |  374 ---
 src/libstrongswan/attributes/attribute_manager.h   |  149 --
 src/libstrongswan/attributes/attribute_provider.h  |   67 -
 src/libstrongswan/attributes/attributes.c          |   43 -
 src/libstrongswan/attributes/attributes.h          |   62 -
 src/libstrongswan/chunk.c                          |   14 +-
 src/libstrongswan/chunk.h                          |    2 +-
 src/libstrongswan/credentials/credential_factory.c |    2 +-
 src/libstrongswan/credentials/keys/key_encoding.h  |    2 +-
 src/libstrongswan/credentials/keys/shared_key.h    |    2 +
 src/libstrongswan/crypto/crypto_factory.c          |    2 +-
 src/libstrongswan/crypto/crypto_tester.c           |   40 +-
 src/libstrongswan/crypto/diffie_hellman.c          |  407 ++-
 src/libstrongswan/crypto/diffie_hellman.h          |   45 +-
 .../crypto/proposal/proposal_keywords.c            |  263 +-
 .../crypto/proposal/proposal_keywords.txt          |  184 +-
 src/libstrongswan/debug.c                          |   34 +-
 src/libstrongswan/debug.h                          |   83 +-
 src/libstrongswan/enum.h                           |    2 +-
 src/libstrongswan/fetcher/fetcher_manager.c        |    2 +-
 src/libstrongswan/integrity_checker.c              |   41 +-
 src/libstrongswan/integrity_checker.h              |    4 +-
 src/libstrongswan/library.c                        |   18 +-
 src/libstrongswan/library.h                        |   28 +-
 src/libstrongswan/plugins/aes/Makefile.am          |    9 +-
 src/libstrongswan/plugins/aes/Makefile.in          |   52 +-
 src/libstrongswan/plugins/aes/aes_plugin.c         |    2 +-
 src/libstrongswan/plugins/aes/aes_plugin.h         |    5 -
 src/libstrongswan/plugins/agent/Makefile.am        |   10 +-
 src/libstrongswan/plugins/agent/Makefile.in        |   54 +-
 src/libstrongswan/plugins/agent/agent_plugin.c     |    2 +-
 src/libstrongswan/plugins/agent/agent_plugin.h     |    5 -
 .../plugins/agent/agent_private_key.c              |   26 +-
 src/libstrongswan/plugins/attr_sql/Makefile.am     |   15 -
 src/libstrongswan/plugins/attr_sql/Makefile.in     |  633 -----
 .../plugins/attr_sql/attr_sql_plugin.c             |   88 -
 .../plugins/attr_sql/attr_sql_plugin.h             |   47 -
 src/libstrongswan/plugins/attr_sql/pool.c          | 1050 --------
 src/libstrongswan/plugins/attr_sql/sql_attribute.c |  384 ---
 src/libstrongswan/plugins/attr_sql/sql_attribute.h |   50 -
 src/libstrongswan/plugins/blowfish/Makefile.am     |   10 +-
 src/libstrongswan/plugins/blowfish/Makefile.in     |   53 +-
 .../plugins/blowfish/blowfish_plugin.c             |    2 +-
 .../plugins/blowfish/blowfish_plugin.h             |    5 -
 src/libstrongswan/plugins/curl/Makefile.am         |    9 +-
 src/libstrongswan/plugins/curl/Makefile.in         |   52 +-
 src/libstrongswan/plugins/curl/curl_fetcher.c      |    4 +-
 src/libstrongswan/plugins/curl/curl_plugin.c       |    4 +-
 src/libstrongswan/plugins/curl/curl_plugin.h       |    5 -
 src/libstrongswan/plugins/des/Makefile.am          |    9 +-
 src/libstrongswan/plugins/des/Makefile.in          |   52 +-
 src/libstrongswan/plugins/des/des_plugin.c         |    2 +-
 src/libstrongswan/plugins/des/des_plugin.h         |    5 -
 src/libstrongswan/plugins/dnskey/Makefile.am       |   10 +-
 src/libstrongswan/plugins/dnskey/Makefile.in       |   54 +-
 src/libstrongswan/plugins/dnskey/dnskey_builder.c  |    9 +-
 src/libstrongswan/plugins/dnskey/dnskey_plugin.c   |    2 +-
 src/libstrongswan/plugins/dnskey/dnskey_plugin.h   |    5 -
 src/libstrongswan/plugins/fips_prf/Makefile.am     |    9 +-
 src/libstrongswan/plugins/fips_prf/Makefile.in     |   53 +-
 src/libstrongswan/plugins/fips_prf/fips_prf.c      |    6 +-
 .../plugins/fips_prf/fips_prf_plugin.c             |    2 +-
 .../plugins/fips_prf/fips_prf_plugin.h             |    5 -
 src/libstrongswan/plugins/gcrypt/Makefile.am       |    7 +-
 src/libstrongswan/plugins/gcrypt/Makefile.in       |   52 +-
 src/libstrongswan/plugins/gcrypt/gcrypt_crypter.c  |    2 +-
 src/libstrongswan/plugins/gcrypt/gcrypt_dh.c       |  351 +--
 src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c   |    2 +-
 src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c   |   10 +-
 src/libstrongswan/plugins/gcrypt/gcrypt_plugin.h   |    5 -
 .../plugins/gcrypt/gcrypt_rsa_private_key.c        |   32 +-
 .../plugins/gcrypt/gcrypt_rsa_public_key.c         |   28 +-
 src/libstrongswan/plugins/gmp/Makefile.am          |   16 +-
 src/libstrongswan/plugins/gmp/Makefile.in          |   57 +-
 src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c |  392 +--
 src/libstrongswan/plugins/gmp/gmp_plugin.c         |    8 +-
 src/libstrongswan/plugins/gmp/gmp_plugin.h         |    5 -
 .../plugins/gmp/gmp_rsa_private_key.c              |   29 +-
 src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c |   40 +-
 src/libstrongswan/plugins/hmac/Makefile.am         |    9 +-
 src/libstrongswan/plugins/hmac/Makefile.in         |   51 +-
 src/libstrongswan/plugins/hmac/hmac_plugin.c       |    2 +-
 src/libstrongswan/plugins/hmac/hmac_plugin.h       |    5 -
 src/libstrongswan/plugins/ldap/Makefile.am         |    9 +-
 src/libstrongswan/plugins/ldap/Makefile.in         |   52 +-
 src/libstrongswan/plugins/ldap/ldap_fetcher.c      |   17 +-
 src/libstrongswan/plugins/ldap/ldap_plugin.c       |    2 +-
 src/libstrongswan/plugins/ldap/ldap_plugin.h       |    5 -
 src/libstrongswan/plugins/md4/Makefile.am          |    9 +-
 src/libstrongswan/plugins/md4/Makefile.in          |   52 +-
 src/libstrongswan/plugins/md4/md4_plugin.c         |    2 +-
 src/libstrongswan/plugins/md4/md4_plugin.h         |    5 -
 src/libstrongswan/plugins/md5/Makefile.am          |    9 +-
 src/libstrongswan/plugins/md5/Makefile.in          |   52 +-
 src/libstrongswan/plugins/md5/md5_plugin.c         |    2 +-
 src/libstrongswan/plugins/md5/md5_plugin.h         |    5 -
 src/libstrongswan/plugins/mysql/Makefile.am        |   10 +-
 src/libstrongswan/plugins/mysql/Makefile.in        |   52 +-
 src/libstrongswan/plugins/mysql/mysql_database.c   |   28 +-
 src/libstrongswan/plugins/mysql/mysql_plugin.c     |    4 +-
 src/libstrongswan/plugins/mysql/mysql_plugin.h     |    5 -
 src/libstrongswan/plugins/openssl/Makefile.am      |    8 +-
 src/libstrongswan/plugins/openssl/Makefile.in      |   61 +-
 .../plugins/openssl/openssl_diffie_hellman.c       |   78 +-
 .../plugins/openssl/openssl_ec_diffie_hellman.c    |    4 +-
 .../plugins/openssl/openssl_ec_private_key.c       |   27 +-
 .../plugins/openssl/openssl_ec_public_key.c        |   25 +-
 src/libstrongswan/plugins/openssl/openssl_plugin.c |   15 +-
 src/libstrongswan/plugins/openssl/openssl_plugin.h |    5 -
 .../plugins/openssl/openssl_rsa_private_key.c      |   58 +-
 .../plugins/openssl/openssl_rsa_public_key.c       |   21 +-
 .../plugins/openssl/openssl_sha1_prf.c             |  139 +
 .../plugins/openssl/openssl_sha1_prf.h             |   48 +
 src/libstrongswan/plugins/padlock/Makefile.am      |    9 +-
 src/libstrongswan/plugins/padlock/Makefile.in      |   52 +-
 src/libstrongswan/plugins/padlock/padlock_plugin.c |    6 +-
 src/libstrongswan/plugins/padlock/padlock_plugin.h |    5 -
 src/libstrongswan/plugins/pem/Makefile.am          |   11 +-
 src/libstrongswan/plugins/pem/Makefile.in          |   58 +-
 src/libstrongswan/plugins/pem/pem_builder.c        |   35 +-
 src/libstrongswan/plugins/pem/pem_builder.h        |    6 +-
 src/libstrongswan/plugins/pem/pem_encoder.c        |  138 +
 src/libstrongswan/plugins/pem/pem_encoder.h        |   33 +
 src/libstrongswan/plugins/pem/pem_plugin.c         |    7 +-
 src/libstrongswan/plugins/pem/pem_plugin.h         |    5 -
 src/libstrongswan/plugins/pgp/Makefile.am          |   16 +-
 src/libstrongswan/plugins/pgp/Makefile.in          |   59 +-
 src/libstrongswan/plugins/pgp/pgp_builder.c        |   13 +-
 src/libstrongswan/plugins/pgp/pgp_cert.c           |   32 +-
 src/libstrongswan/plugins/pgp/pgp_encoder.c        |    3 +-
 src/libstrongswan/plugins/pgp/pgp_plugin.c         |    2 +-
 src/libstrongswan/plugins/pgp/pgp_plugin.h         |    5 -
 src/libstrongswan/plugins/pgp/pgp_utils.c          |   18 +-
 src/libstrongswan/plugins/pkcs1/Makefile.am        |   12 +-
 src/libstrongswan/plugins/pkcs1/Makefile.in        |   56 +-
 src/libstrongswan/plugins/pkcs1/pkcs1_builder.c    |    6 +-
 src/libstrongswan/plugins/pkcs1/pkcs1_builder.h    |    2 +-
 src/libstrongswan/plugins/pkcs1/pkcs1_encoder.c    |    3 +-
 src/libstrongswan/plugins/pkcs1/pkcs1_plugin.c     |    2 +-
 src/libstrongswan/plugins/pkcs1/pkcs1_plugin.h     |    5 -
 src/libstrongswan/plugins/plugin.h                 |    4 +-
 src/libstrongswan/plugins/plugin_loader.c          |   74 +-
 src/libstrongswan/plugins/pubkey/Makefile.am       |   10 +-
 src/libstrongswan/plugins/pubkey/Makefile.in       |   54 +-
 src/libstrongswan/plugins/pubkey/pubkey_plugin.c   |    2 +-
 src/libstrongswan/plugins/pubkey/pubkey_plugin.h   |    5 -
 src/libstrongswan/plugins/random/Makefile.am       |   11 +-
 src/libstrongswan/plugins/random/Makefile.in       |   54 +-
 src/libstrongswan/plugins/random/random_plugin.c   |    2 +-
 src/libstrongswan/plugins/random/random_plugin.h   |    5 -
 src/libstrongswan/plugins/random/random_rng.c      |    4 +-
 src/libstrongswan/plugins/sha1/Makefile.am         |    9 +-
 src/libstrongswan/plugins/sha1/Makefile.in         |   51 +-
 src/libstrongswan/plugins/sha1/sha1_plugin.c       |    2 +-
 src/libstrongswan/plugins/sha1/sha1_plugin.h       |    5 -
 src/libstrongswan/plugins/sha2/Makefile.am         |    9 +-
 src/libstrongswan/plugins/sha2/Makefile.in         |   52 +-
 src/libstrongswan/plugins/sha2/sha2_plugin.c       |    2 +-
 src/libstrongswan/plugins/sha2/sha2_plugin.h       |    5 -
 src/libstrongswan/plugins/sqlite/Makefile.am       |   10 +-
 src/libstrongswan/plugins/sqlite/Makefile.in       |   52 +-
 src/libstrongswan/plugins/sqlite/sqlite_database.c |   15 +-
 src/libstrongswan/plugins/sqlite/sqlite_plugin.c   |    2 +-
 src/libstrongswan/plugins/sqlite/sqlite_plugin.h   |    5 -
 src/libstrongswan/plugins/test_vectors/Makefile.am |    6 +-
 src/libstrongswan/plugins/test_vectors/Makefile.in |   49 +-
 .../plugins/test_vectors/test_vectors/rng.c        |    6 +-
 .../plugins/test_vectors/test_vectors_plugin.c     |    2 +-
 .../plugins/test_vectors/test_vectors_plugin.h     |    5 -
 src/libstrongswan/plugins/x509/Makefile.am         |   21 +-
 src/libstrongswan/plugins/x509/Makefile.in         |   63 +-
 src/libstrongswan/plugins/x509/x509_ac.c           |   35 +-
 src/libstrongswan/plugins/x509/x509_cert.c         |   78 +-
 src/libstrongswan/plugins/x509/x509_crl.c          |   15 +-
 src/libstrongswan/plugins/x509/x509_ocsp_request.c |   15 +-
 .../plugins/x509/x509_ocsp_response.c              |   20 +-
 src/libstrongswan/plugins/x509/x509_pkcs10.c       |   27 +-
 src/libstrongswan/plugins/x509/x509_plugin.c       |    2 +-
 src/libstrongswan/plugins/x509/x509_plugin.h       |    5 -
 src/libstrongswan/plugins/xcbc/Makefile.am         |    9 +-
 src/libstrongswan/plugins/xcbc/Makefile.in         |   51 +-
 src/libstrongswan/plugins/xcbc/xcbc_plugin.c       |    2 +-
 src/libstrongswan/plugins/xcbc/xcbc_plugin.h       |    5 -
 src/libstrongswan/printf_hook.c                    |   12 +-
 src/libstrongswan/selectors/traffic_selector.h     |   28 +-
 src/libstrongswan/settings.c                       |   14 +-
 src/libstrongswan/settings.h                       |    4 +-
 src/libstrongswan/threading/mutex.c                |    4 +-
 src/libstrongswan/threading/rwlock.c               |    6 +-
 src/libstrongswan/threading/thread.c               |   14 +-
 src/libstrongswan/threading/thread.h               |    6 +
 src/libstrongswan/utils.c                          |   34 +-
 src/libstrongswan/utils.h                          |   18 +-
 src/libstrongswan/utils/enumerator.c               |   15 +-
 src/libstrongswan/utils/enumerator.h               |    2 +-
 src/libstrongswan/utils/host.c                     |    2 +-
 src/libstrongswan/utils/identification.c           |    4 +-
 src/libstrongswan/utils/leak_detective.c           |    1 +
 src/libstrongswan/utils/optionsfrom.c              |    7 +-
 src/manager/Makefile.am                            |    3 +-
 src/manager/Makefile.in                            |    9 +-
 src/manager/main.c                                 |    3 +-
 src/medsrv/Makefile.am                             |    3 +-
 src/medsrv/Makefile.in                             |    8 +-
 src/openac/Makefile.am                             |    2 +-
 src/openac/Makefile.in                             |    2 +
 src/openac/openac.c                                |   13 +-
 src/pki/Makefile.am                                |    4 +-
 src/pki/Makefile.in                                |    4 +-
 src/pki/commands/gen.c                             |    2 +-
 src/pki/commands/issue.c                           |   13 +-
 src/pki/commands/self.c                            |    5 +
 src/pluto/Makefile.am                              |    6 +
 src/pluto/Makefile.in                              |   20 +-
 src/pluto/ac.c                                     |   27 +-
 src/pluto/alg_info.c                               |    3 +-
 src/pluto/ca.c                                     |    4 +-
 src/pluto/connections.c                            |   55 +-
 src/pluto/connections.h                            |    1 +
 src/pluto/constants.c                              |   10 +-
 src/pluto/constants.h                              |    7 +-
 src/pluto/crypto.c                                 |   34 +-
 src/pluto/demux.h                                  |    1 +
 src/pluto/fetch.c                                  |   11 +-
 src/pluto/ipsec_doi.c                              |   44 +-
 src/pluto/kernel.c                                 |    1 +
 src/pluto/kernel_alg.c                             |    4 +
 src/pluto/kernel_netlink.c                         |    2 +
 src/pluto/lex.c                                    |    2 +-
 src/pluto/log.c                                    |    6 +-
 src/pluto/modecfg.c                                |   69 +-
 src/pluto/pkcs7.c                                  |   88 +-
 src/pluto/plutomain.c                              |   15 +-
 src/pluto/rcv_whack.c                              |   46 +-
 src/pluto/timer.c                                  |    2 +-
 src/pluto/vendor.c                                 |  131 +-
 src/pluto/vendor.h                                 |   64 +-
 src/pluto/whack_attribute.c                        |  365 +++
 src/pluto/whack_attribute.h                        |  111 +
 src/pluto/x509.c                                   |    4 +-
 src/scepclient/Makefile.am                         |    4 +
 src/scepclient/Makefile.in                         |    5 +
 src/scepclient/loglite.c                           |    2 +-
 src/scepclient/scepclient.c                        |    2 +-
 src/starter/Makefile.am                            |    2 +-
 src/starter/Makefile.in                            |    3 +-
 src/starter/args.c                                 |    3 +-
 src/starter/cmp.c                                  |    1 +
 src/starter/confread.c                             |   64 +-
 src/starter/confread.h                             |    1 +
 src/starter/ipsec.conf.5                           |    7 +
 src/starter/keywords.c                             |  224 +-
 src/starter/keywords.h                             |    3 +
 src/starter/keywords.txt                           |    2 +
 src/starter/lex.yy.c                               |   44 +-
 src/starter/parser.l                               |    4 +-
 src/starter/parser.y                               |   16 +-
 src/starter/starter.c                              |   11 +-
 src/starter/starterstroke.c                        |    1 +
 src/starter/starterwhack.c                         |   29 +-
 src/starter/y.tab.c                                |  325 +--
 src/starter/y.tab.h                                |   42 +-
 src/stroke/Makefile.in                             |    1 +
 src/stroke/stroke.c                                |    9 +-
 src/stroke/stroke_msg.h                            |    1 +
 src/whack/Makefile.in                              |    1 +
 src/whack/whack.c                                  |   41 +-
 src/whack/whack.h                                  |    6 +-
 testing/Makefile.in                                |    1 +
 testing/do-tests.in                                |    2 +-
 testing/hosts/default/etc/hosts                    |    4 +
 testing/hosts/default/etc/ipsec.d/tables.sql       |    4 +-
 testing/hosts/winnetou/etc/openssl/index.txt       |    9 +-
 testing/hosts/winnetou/etc/openssl/index.txt.old   |    9 +-
 testing/hosts/winnetou/etc/openssl/newcerts/1F.pem |   25 +
 testing/hosts/winnetou/etc/openssl/newcerts/20.pem |   84 +
 testing/hosts/winnetou/etc/openssl/newcerts/21.pem |   83 +
 .../hosts/winnetou/etc/openssl/research/index.txt  |    3 +-
 .../winnetou/etc/openssl/research/index.txt.old    |    3 +-
 .../winnetou/etc/openssl/research/newcerts/06.pem  |   25 +
 .../winnetou/etc/openssl/research/openssl.cnf      |    4 +-
 .../winnetou/etc/openssl/research/researchCert.der |  Bin 965 -> 965 bytes
 .../winnetou/etc/openssl/research/researchCert.pem |   18 +-
 testing/hosts/winnetou/etc/openssl/research/serial |    2 +-
 .../hosts/winnetou/etc/openssl/research/serial.old |    2 +-
 testing/hosts/winnetou/etc/openssl/sales/index.txt |    3 +-
 .../winnetou/etc/openssl/sales/index.txt.attr.old  |    1 +
 .../hosts/winnetou/etc/openssl/sales/index.txt.old |    3 +-
 .../winnetou/etc/openssl/sales/newcerts/05.pem     |   24 +
 .../hosts/winnetou/etc/openssl/sales/openssl.cnf   |    4 +-
 .../hosts/winnetou/etc/openssl/sales/salesCert.der |  Bin 959 -> 959 bytes
 .../hosts/winnetou/etc/openssl/sales/salesCert.pem |   16 +-
 testing/hosts/winnetou/etc/openssl/sales/serial    |    2 +-
 .../hosts/winnetou/etc/openssl/sales/serial.old    |    2 +-
 testing/hosts/winnetou/etc/openssl/serial          |    2 +-
 testing/hosts/winnetou/etc/openssl/serial.old      |    2 +-
 testing/scripts/build-umlrootfs                    |   24 +-
 testing/testing.conf                               |   16 +-
 .../alg-camellia/hosts/carol/etc/strongswan.conf   |    2 +-
 .../alg-camellia/hosts/moon/etc/strongswan.conf    |    2 +-
 .../rw-cert/hosts/carol/etc/strongswan.conf        |    2 +-
 .../rw-cert/hosts/dave/etc/strongswan.conf         |    2 +-
 .../rw-cert/hosts/moon/etc/strongswan.conf         |    2 +-
 .../ike/rw-cert/hosts/dave/etc/strongswan.conf     |    2 +-
 .../ike/rw-cert/hosts/moon/etc/strongswan.conf     |    2 +-
 .../rw_v1-net_v2/hosts/moon/etc/strongswan.conf    |    2 +-
 .../ike/rw_v1-net_v2/hosts/sun/etc/strongswan.conf |    2 +-
 testing/tests/ike2/description.txt                 |    6 +
 testing/tests/ike2/evaltest.dat                    |    8 +
 testing/tests/ike2/hosts/bob/etc/hosts             |   70 +
 testing/tests/ike2/hosts/moon/etc/ipsec.conf       |   25 +
 testing/tests/ike2/hosts/moon/etc/nat_updown       |  152 ++
 testing/tests/ike2/hosts/moon/etc/strongswan.conf  |    6 +
 testing/tests/ike2/hosts/sun/etc/ipsec.conf        |   25 +
 testing/tests/ike2/hosts/sun/etc/strongswan.conf   |    6 +
 testing/tests/ike2/posttest.dat                    |    5 +
 testing/tests/ike2/pretest.dat                     |    9 +
 testing/tests/ike2/test.conf                       |   21 +
 .../tests/ikev1/alg-modp-subgroup/description.txt  |   14 +
 testing/tests/ikev1/alg-modp-subgroup/evaltest.dat |   13 +
 .../alg-modp-subgroup/hosts/carol/etc/ipsec.conf   |   25 +
 .../alg-modp-subgroup/hosts/dave/etc/ipsec.conf    |   25 +
 .../alg-modp-subgroup/hosts/moon/etc/ipsec.conf    |   24 +
 testing/tests/ikev1/alg-modp-subgroup/posttest.dat |    6 +
 testing/tests/ikev1/alg-modp-subgroup/pretest.dat  |    9 +
 testing/tests/ikev1/alg-modp-subgroup/test.conf    |   21 +
 .../hosts/moon/etc/ipsec.d/aacerts/aaCert.pem      |   34 +-
 .../attr-cert/hosts/moon/etc/openac/aaKey.pem      |   50 +-
 .../tests/ikev1/esp-alg-aes-gmac/description.txt   |    4 +
 testing/tests/ikev1/esp-alg-aes-gmac/evaltest.dat  |    7 +
 .../esp-alg-aes-gmac/hosts/carol/etc/ipsec.conf    |   26 +
 .../esp-alg-aes-gmac/hosts/moon/etc/ipsec.conf     |   25 +
 testing/tests/ikev1/esp-alg-aes-gmac/posttest.dat  |    4 +
 testing/tests/ikev1/esp-alg-aes-gmac/pretest.dat   |    6 +
 testing/tests/ikev1/esp-alg-aes-gmac/test.conf     |   21 +
 .../ip-pool-db-push/hosts/moon/etc/strongswan.conf |    2 +-
 .../ip-pool-db/hosts/moon/etc/strongswan.conf      |    2 +-
 testing/tests/ikev1/ip-pool/description.txt        |   10 +
 testing/tests/ikev1/ip-pool/evaltest.dat           |   26 +
 .../tests/ikev1/ip-pool/hosts/carol/etc/ipsec.conf |   25 +
 .../ikev1/ip-pool/hosts/carol/etc/strongswan.conf  |   11 +
 .../tests/ikev1/ip-pool/hosts/dave/etc/ipsec.conf  |   25 +
 .../ikev1/ip-pool/hosts/dave/etc/strongswan.conf   |   11 +
 .../tests/ikev1/ip-pool/hosts/moon/etc/ipsec.conf  |   24 +
 .../ikev1/ip-pool/hosts/moon/etc/strongswan.conf   |   11 +
 testing/tests/ikev1/ip-pool/posttest.dat           |    8 +
 testing/tests/ikev1/ip-pool/pretest.dat            |   10 +
 testing/tests/ikev1/ip-pool/test.conf              |   21 +
 .../tests/ikev1/ip-two-pools-mixed/description.txt |    9 +
 .../tests/ikev1/ip-two-pools-mixed/evaltest.dat    |   17 +
 .../hosts/alice/etc/init.d/iptables                |   78 +
 .../ip-two-pools-mixed/hosts/alice/etc/ipsec.conf  |   24 +
 .../hosts/alice/etc/strongswan.conf                |   11 +
 .../ip-two-pools-mixed/hosts/carol/etc/ipsec.conf  |   24 +
 .../hosts/carol/etc/strongswan.conf                |   11 +
 .../hosts/moon/etc/init.d/iptables                 |   91 +
 .../ip-two-pools-mixed/hosts/moon/etc/ipsec.conf   |   28 +
 .../hosts/moon/etc/strongswan.conf                 |   17 +
 .../tests/ikev1/ip-two-pools-mixed/posttest.dat    |   13 +
 testing/tests/ikev1/ip-two-pools-mixed/pretest.dat |   15 +
 testing/tests/ikev1/ip-two-pools-mixed/test.conf   |   21 +
 testing/tests/ikev1/ip-two-pools/description.txt   |    9 +
 testing/tests/ikev1/ip-two-pools/evaltest.dat      |   18 +
 .../ip-two-pools/hosts/alice/etc/init.d/iptables   |   78 +
 .../ikev1/ip-two-pools/hosts/alice/etc/ipsec.conf  |   24 +
 .../ip-two-pools/hosts/alice/etc/strongswan.conf   |   11 +
 .../ikev1/ip-two-pools/hosts/carol/etc/ipsec.conf  |   24 +
 .../ip-two-pools/hosts/carol/etc/strongswan.conf   |   11 +
 .../ip-two-pools/hosts/moon/etc/init.d/iptables    |   91 +
 .../ikev1/ip-two-pools/hosts/moon/etc/ipsec.conf   |   28 +
 .../ip-two-pools/hosts/moon/etc/strongswan.conf    |   11 +
 testing/tests/ikev1/ip-two-pools/posttest.dat      |   12 +
 testing/tests/ikev1/ip-two-pools/pretest.dat       |   12 +
 testing/tests/ikev1/ip-two-pools/test.conf         |   21 +
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../mode-config/hosts/moon/etc/strongswan.conf     |    2 +-
 .../hosts/carol/etc/ipsec.d/certs/carolCert.pem    |   38 +-
 .../hosts/carol/etc/ipsec.d/private/carolKey.pem   |   50 +-
 .../hosts/dave/etc/ipsec.d/certs/daveCert.pem      |   34 +-
 .../hosts/dave/etc/ipsec.d/private/daveKey.pem     |   50 +-
 .../moon/etc/ipsec.d/cacerts/researchCert.pem      |   18 +-
 .../hosts/moon/etc/ipsec.d/cacerts/salesCert.pem   |   16 +-
 .../hosts/carol/etc/ipsec.d/certs/carolCert.pem    |   38 +-
 .../hosts/carol/etc/ipsec.d/private/carolKey.pem   |   50 +-
 .../moon/etc/ipsec.d/cacerts/researchCert.pem      |   18 +-
 .../hosts/carol/etc/ipsec.d/certs/carolCert.pem    |   38 +-
 .../hosts/carol/etc/ipsec.d/private/carolKey.pem   |   50 +-
 .../hosts/carol/etc/ipsec.d/certs/carolCert.pem    |   38 +-
 .../hosts/carol/etc/ipsec.d/private/carolKey.pem   |   50 +-
 .../hosts/dave/etc/ipsec.d/certs/daveCert.pem      |   34 +-
 .../hosts/dave/etc/ipsec.d/private/daveKey.pem     |   50 +-
 .../moon/etc/ipsec.d/cacerts/researchCert.pem      |   18 +-
 .../hosts/moon/etc/ipsec.d/cacerts/salesCert.pem   |   16 +-
 .../hosts/carol/etc/ipsec.d/certs/carolCert.pem    |   38 +-
 .../hosts/carol/etc/ipsec.d/private/carolKey.pem   |   50 +-
 .../hosts/dave/etc/ipsec.d/certs/daveCert.pem      |   34 +-
 .../hosts/dave/etc/ipsec.d/private/daveKey.pem     |   50 +-
 .../moon/etc/ipsec.d/cacerts/researchCert.pem      |   18 +-
 .../hosts/moon/etc/ipsec.d/cacerts/salesCert.pem   |   16 +-
 testing/tests/ikev1/protoport-route/pretest.dat    |    6 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../alg-3des-md5/hosts/carol/etc/strongswan.conf   |    2 +-
 .../alg-3des-md5/hosts/moon/etc/strongswan.conf    |    2 +-
 .../alg-aes-xcbc/hosts/carol/etc/strongswan.conf   |    2 +-
 .../alg-aes-xcbc/hosts/moon/etc/strongswan.conf    |    2 +-
 .../alg-blowfish/hosts/carol/etc/strongswan.conf   |    2 +-
 .../alg-blowfish/hosts/dave/etc/strongswan.conf    |    2 +-
 .../alg-blowfish/hosts/moon/etc/strongswan.conf    |    2 +-
 .../tests/ikev2/alg-modp-subgroup/description.txt  |   14 +
 testing/tests/ikev2/alg-modp-subgroup/evaltest.dat |   15 +
 .../alg-modp-subgroup/hosts/carol/etc/ipsec.conf   |   24 +
 .../hosts/carol/etc/strongswan.conf                |    5 +
 .../alg-modp-subgroup/hosts/dave/etc/ipsec.conf    |   24 +
 .../hosts/dave/etc/strongswan.conf                 |    5 +
 .../alg-modp-subgroup/hosts/moon/etc/ipsec.conf    |   23 +
 .../hosts/moon/etc/strongswan.conf                 |    5 +
 testing/tests/ikev2/alg-modp-subgroup/posttest.dat |    6 +
 testing/tests/ikev2/alg-modp-subgroup/pretest.dat  |    9 +
 testing/tests/ikev2/alg-modp-subgroup/test.conf    |   21 +
 .../alg-sha256-96/hosts/carol/etc/strongswan.conf  |    2 +-
 .../alg-sha256-96/hosts/moon/etc/strongswan.conf   |    2 +-
 .../alg-sha256/hosts/carol/etc/strongswan.conf     |    2 +-
 .../alg-sha256/hosts/moon/etc/strongswan.conf      |    2 +-
 .../alg-sha384/hosts/carol/etc/strongswan.conf     |    2 +-
 .../alg-sha384/hosts/moon/etc/strongswan.conf      |    2 +-
 .../alg-sha512/hosts/carol/etc/strongswan.conf     |    2 +-
 .../alg-sha512/hosts/moon/etc/strongswan.conf      |    2 +-
 .../any-interface/hosts/alice/etc/strongswan.conf  |    2 +-
 .../any-interface/hosts/bob/etc/strongswan.conf    |    2 +-
 .../any-interface/hosts/moon/etc/strongswan.conf   |    2 +-
 .../any-interface/hosts/sun/etc/strongswan.conf    |    2 +-
 .../ikev2/compress/hosts/carol/etc/strongswan.conf |    2 +-
 .../ikev2/compress/hosts/moon/etc/strongswan.conf  |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../config-payload/hosts/carol/etc/strongswan.conf |    2 +-
 .../config-payload/hosts/dave/etc/strongswan.conf  |    2 +-
 .../config-payload/hosts/moon/etc/strongswan.conf  |    2 +-
 .../crl-from-cache/hosts/carol/etc/strongswan.conf |    2 +-
 .../crl-from-cache/hosts/moon/etc/strongswan.conf  |    2 +-
 .../ikev2/crl-ldap/hosts/carol/etc/strongswan.conf |    2 +-
 .../ikev2/crl-ldap/hosts/moon/etc/strongswan.conf  |    2 +-
 .../crl-revoked/hosts/carol/etc/strongswan.conf    |    2 +-
 .../crl-revoked/hosts/moon/etc/strongswan.conf     |    2 +-
 .../crl-to-cache/hosts/carol/etc/strongswan.conf   |    2 +-
 .../crl-to-cache/hosts/moon/etc/strongswan.conf    |    2 +-
 .../default-keys/hosts/carol/etc/strongswan.conf   |    2 +-
 .../default-keys/hosts/moon/etc/strongswan.conf    |    2 +-
 testing/tests/ikev2/dhcp-dynamic/description.txt   |    8 +
 testing/tests/ikev2/dhcp-dynamic/evaltest.dat      |   22 +
 .../ikev2/dhcp-dynamic/hosts/carol/etc/ipsec.conf  |   24 +
 .../dhcp-dynamic/hosts/carol/etc/strongswan.conf   |    5 +
 .../ikev2/dhcp-dynamic/hosts/dave/etc/ipsec.conf   |   24 +
 .../dhcp-dynamic/hosts/dave/etc/strongswan.conf    |    5 +
 .../ikev2/dhcp-dynamic/hosts/moon/etc/dhcpd.conf   |    9 +
 .../dhcp-dynamic/hosts/moon/etc/init.d/iptables    |   91 +
 .../ikev2/dhcp-dynamic/hosts/moon/etc/ipsec.conf   |   23 +
 .../dhcp-dynamic/hosts/moon/etc/strongswan.conf    |   10 +
 .../ikev2/dhcp-dynamic/hosts/venus/etc/dhcpd.conf  |   14 +
 .../dhcp-dynamic/hosts/venus/etc/dnsmasq.conf      |    7 +
 .../dhcp-dynamic/hosts/venus/etc/init.d/dhcpd      |   24 +
 testing/tests/ikev2/dhcp-dynamic/posttest.dat      |   10 +
 testing/tests/ikev2/dhcp-dynamic/pretest.dat       |   12 +
 testing/tests/ikev2/dhcp-dynamic/test.conf         |   21 +
 .../ikev2/dhcp-static-client-id/description.txt    |   11 +
 .../tests/ikev2/dhcp-static-client-id/evaltest.dat |   22 +
 .../hosts/carol/etc/ipsec.conf                     |   24 +
 .../hosts/carol/etc/strongswan.conf                |    5 +
 .../hosts/dave/etc/ipsec.conf                      |   24 +
 .../hosts/dave/etc/strongswan.conf                 |    5 +
 .../hosts/moon/etc/dhcpd.conf                      |    9 +
 .../hosts/moon/etc/init.d/iptables                 |   91 +
 .../hosts/moon/etc/ipsec.conf                      |   23 +
 .../hosts/moon/etc/strongswan.conf                 |   10 +
 .../hosts/venus/etc/dhcpd.conf                     |   25 +
 .../hosts/venus/etc/dnsmasq.conf                   |    9 +
 .../hosts/venus/etc/init.d/dhcpd                   |   24 +
 .../tests/ikev2/dhcp-static-client-id/posttest.dat |    9 +
 .../tests/ikev2/dhcp-static-client-id/pretest.dat  |   12 +
 .../tests/ikev2/dhcp-static-client-id/test.conf    |   21 +
 .../tests/ikev2/dhcp-static-mac/description.txt    |   12 +
 testing/tests/ikev2/dhcp-static-mac/evaltest.dat   |   22 +
 .../dhcp-static-mac/hosts/carol/etc/ipsec.conf     |   24 +
 .../hosts/carol/etc/strongswan.conf                |    5 +
 .../dhcp-static-mac/hosts/dave/etc/ipsec.conf      |   24 +
 .../dhcp-static-mac/hosts/dave/etc/strongswan.conf |    5 +
 .../dhcp-static-mac/hosts/moon/etc/dhcpd.conf      |    9 +
 .../dhcp-static-mac/hosts/moon/etc/init.d/iptables |   91 +
 .../dhcp-static-mac/hosts/moon/etc/ipsec.conf      |   23 +
 .../dhcp-static-mac/hosts/moon/etc/strongswan.conf |   11 +
 .../dhcp-static-mac/hosts/venus/etc/dhcpd.conf     |   25 +
 .../dhcp-static-mac/hosts/venus/etc/dnsmasq.conf   |    9 +
 .../dhcp-static-mac/hosts/venus/etc/init.d/dhcpd   |   24 +
 testing/tests/ikev2/dhcp-static-mac/posttest.dat   |    9 +
 testing/tests/ikev2/dhcp-static-mac/pretest.dat    |   12 +
 testing/tests/ikev2/dhcp-static-mac/test.conf      |   21 +
 .../double-nat-net/hosts/alice/etc/strongswan.conf |    2 +-
 .../double-nat-net/hosts/bob/etc/strongswan.conf   |    2 +-
 .../double-nat/hosts/alice/etc/strongswan.conf     |    2 +-
 .../ikev2/double-nat/hosts/bob/etc/strongswan.conf |    2 +-
 .../dpd-clear/hosts/carol/etc/strongswan.conf      |    2 +-
 .../ikev2/dpd-clear/hosts/moon/etc/strongswan.conf |    2 +-
 .../ikev2/dpd-hold/hosts/carol/etc/strongswan.conf |    2 +-
 .../ikev2/dpd-hold/hosts/moon/etc/strongswan.conf  |    2 +-
 .../dpd-restart/hosts/carol/etc/strongswan.conf    |    2 +-
 .../dpd-restart/hosts/moon/etc/strongswan.conf     |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../esp-alg-aes-ccm/hosts/moon/etc/strongswan.conf |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../esp-alg-aes-ctr/hosts/moon/etc/strongswan.conf |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../esp-alg-aes-gcm/hosts/moon/etc/strongswan.conf |    2 +-
 .../tests/ikev2/esp-alg-aes-gmac/description.txt   |    4 +
 testing/tests/ikev2/esp-alg-aes-gmac/evaltest.dat  |    7 +
 .../esp-alg-aes-gmac/hosts/carol/etc/ipsec.conf    |   25 +
 .../hosts/carol/etc/strongswan.conf                |    5 +
 .../esp-alg-aes-gmac/hosts/moon/etc/ipsec.conf     |   24 +
 .../hosts/moon/etc/strongswan.conf                 |    5 +
 testing/tests/ikev2/esp-alg-aes-gmac/posttest.dat  |    4 +
 testing/tests/ikev2/esp-alg-aes-gmac/pretest.dat   |    6 +
 testing/tests/ikev2/esp-alg-aes-gmac/test.conf     |   21 +
 .../esp-alg-null/hosts/carol/etc/strongswan.conf   |    2 +-
 .../esp-alg-null/hosts/moon/etc/strongswan.conf    |    2 +-
 testing/tests/ikev2/farp/description.txt           |    6 +
 testing/tests/ikev2/farp/evaltest.dat              |   22 +
 .../tests/ikev2/farp/hosts/carol/etc/ipsec.conf    |   24 +
 .../ikev2/farp/hosts/carol/etc/strongswan.conf     |    5 +
 testing/tests/ikev2/farp/hosts/dave/etc/ipsec.conf |   24 +
 .../ikev2/farp/hosts/dave/etc/strongswan.conf      |    5 +
 testing/tests/ikev2/farp/hosts/moon/etc/ipsec.conf |   30 +
 .../ikev2/farp/hosts/moon/etc/strongswan.conf      |    7 +
 testing/tests/ikev2/farp/posttest.dat              |    6 +
 testing/tests/ikev2/farp/pretest.dat               |   12 +
 testing/tests/ikev2/farp/test.conf                 |   21 +
 .../hosts/alice/etc/strongswan.conf                |    2 +-
 .../force-udp-encaps/hosts/sun/etc/strongswan.conf |    2 +-
 .../host2host-cert/hosts/moon/etc/strongswan.conf  |    2 +-
 .../host2host-cert/hosts/sun/etc/strongswan.conf   |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/sun/etc/strongswan.conf                  |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/sun/etc/strongswan.conf                  |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../ip-pool-db/hosts/carol/etc/strongswan.conf     |    2 +-
 .../ip-pool-db/hosts/dave/etc/strongswan.conf      |    2 +-
 .../ip-pool-db/hosts/moon/etc/strongswan.conf      |    4 +-
 .../ip-pool-wish/hosts/carol/etc/strongswan.conf   |    2 +-
 .../ip-pool-wish/hosts/dave/etc/strongswan.conf    |    2 +-
 .../ip-pool-wish/hosts/moon/etc/strongswan.conf    |    2 +-
 .../ikev2/ip-pool/hosts/carol/etc/strongswan.conf  |    2 +-
 .../ikev2/ip-pool/hosts/dave/etc/strongswan.conf   |    2 +-
 .../ikev2/ip-pool/hosts/moon/etc/strongswan.conf   |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    4 +-
 .../hosts/alice/etc/strongswan.conf                |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../ip-two-pools-db/hosts/dave/etc/strongswan.conf |    2 +-
 .../ip-two-pools-db/hosts/moon/etc/strongswan.conf |    4 +-
 .../hosts/venus/etc/strongswan.conf                |    2 +-
 .../hosts/alice/etc/strongswan.conf                |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    4 +-
 .../ip-two-pools/hosts/alice/etc/strongswan.conf   |    2 +-
 .../ip-two-pools/hosts/carol/etc/strongswan.conf   |    2 +-
 .../ip-two-pools/hosts/moon/etc/strongswan.conf    |    2 +-
 .../mobike-nat/hosts/alice/etc/strongswan.conf     |    2 +-
 .../ikev2/mobike-nat/hosts/sun/etc/strongswan.conf |    2 +-
 .../hosts/alice/etc/strongswan.conf                |    2 +-
 .../hosts/sun/etc/strongswan.conf                  |    2 +-
 .../ikev2/mobike/hosts/alice/etc/strongswan.conf   |    2 +-
 .../ikev2/mobike/hosts/sun/etc/strongswan.conf     |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../carol/etc/ipsec.d/cacerts/researchCert.pem     |   18 +-
 .../hosts/carol/etc/ipsec.d/certs/carolCert.pem    |   38 +-
 .../hosts/carol/etc/ipsec.d/private/carolKey.pem   |   50 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/ipsec.d/cacerts/salesCert.pem   |   16 +-
 .../hosts/dave/etc/ipsec.d/certs/daveCert.pem      |   34 +-
 .../hosts/dave/etc/ipsec.d/private/daveKey.pem     |   50 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../carol/etc/ipsec.d/cacerts/researchCert.pem     |   18 +-
 .../hosts/carol/etc/ipsec.d/certs/carolCert.pem    |   38 +-
 .../hosts/carol/etc/ipsec.d/private/carolKey.pem   |   50 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/ipsec.d/cacerts/salesCert.pem   |   16 +-
 .../hosts/dave/etc/ipsec.d/certs/daveCert.pem      |   34 +-
 .../hosts/dave/etc/ipsec.d/private/daveKey.pem     |   50 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/ipsec.d/certs/carolCert.pem    |   38 +-
 .../hosts/carol/etc/ipsec.d/private/carolKey.pem   |   50 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/ipsec.d/certs/daveCert.pem      |   34 +-
 .../hosts/dave/etc/ipsec.d/private/daveKey.pem     |   50 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../moon/etc/ipsec.d/cacerts/researchCert.pem      |   18 +-
 .../hosts/moon/etc/ipsec.d/cacerts/salesCert.pem   |   16 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/ipsec.d/certs/carolCert.pem    |   38 +-
 .../hosts/carol/etc/ipsec.d/private/carolKey.pem   |   50 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../moon/etc/ipsec.d/cacerts/researchCert.pem      |   18 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/ipsec.d/certs/carolCert.pem    |   38 +-
 .../hosts/carol/etc/ipsec.d/private/carolKey.pem   |   50 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/ipsec.d/certs/carolCert.pem    |   38 +-
 .../hosts/carol/etc/ipsec.d/private/carolKey.pem   |   50 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/ipsec.d/certs/daveCert.pem      |   34 +-
 .../hosts/dave/etc/ipsec.d/private/daveKey.pem     |   50 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../moon/etc/ipsec.d/cacerts/researchCert.pem      |   18 +-
 .../hosts/moon/etc/ipsec.d/cacerts/salesCert.pem   |   16 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/ipsec.d/certs/carolCert.pem    |   38 +-
 .../hosts/carol/etc/ipsec.d/private/carolKey.pem   |   50 +-
 .../multi-level-ca/hosts/carol/etc/strongswan.conf |    2 +-
 .../hosts/dave/etc/ipsec.d/certs/daveCert.pem      |   34 +-
 .../hosts/dave/etc/ipsec.d/private/daveKey.pem     |   50 +-
 .../multi-level-ca/hosts/dave/etc/strongswan.conf  |    2 +-
 .../moon/etc/ipsec.d/cacerts/researchCert.pem      |   18 +-
 .../hosts/moon/etc/ipsec.d/cacerts/salesCert.pem   |   16 +-
 .../multi-level-ca/hosts/moon/etc/strongswan.conf  |    2 +-
 .../nat-one-rw/hosts/alice/etc/strongswan.conf     |    2 +-
 .../ikev2/nat-one-rw/hosts/sun/etc/strongswan.conf |    2 +-
 .../nat-two-rw-psk/hosts/alice/etc/strongswan.conf |    2 +-
 .../nat-two-rw-psk/hosts/sun/etc/strongswan.conf   |    2 +-
 .../nat-two-rw-psk/hosts/venus/etc/strongswan.conf |    2 +-
 .../nat-two-rw/hosts/alice/etc/strongswan.conf     |    2 +-
 .../ikev2/nat-two-rw/hosts/sun/etc/strongswan.conf |    2 +-
 .../nat-two-rw/hosts/venus/etc/strongswan.conf     |    2 +-
 .../net2net-cert/hosts/moon/etc/strongswan.conf    |    2 +-
 .../net2net-cert/hosts/sun/etc/strongswan.conf     |    2 +-
 .../net2net-pgp-v3/hosts/moon/etc/strongswan.conf  |    2 +-
 .../net2net-pgp-v3/hosts/sun/etc/strongswan.conf   |    2 +-
 .../net2net-pgp-v4/hosts/moon/etc/strongswan.conf  |    2 +-
 .../net2net-pgp-v4/hosts/sun/etc/strongswan.conf   |    2 +-
 .../net2net-psk/hosts/moon/etc/strongswan.conf     |    2 +-
 .../net2net-psk/hosts/sun/etc/strongswan.conf      |    2 +-
 .../net2net-rfc3779/hosts/moon/etc/strongswan.conf |    2 +-
 .../net2net-rfc3779/hosts/sun/etc/strongswan.conf  |    2 +-
 .../net2net-route/hosts/moon/etc/strongswan.conf   |    2 +-
 .../net2net-route/hosts/sun/etc/strongswan.conf    |    2 +-
 .../net2net-start/hosts/moon/etc/strongswan.conf   |    2 +-
 .../net2net-start/hosts/sun/etc/strongswan.conf    |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../ocsp-local-cert/hosts/moon/etc/strongswan.conf |    2 +-
 .../hosts/carol/etc/ipsec.d/certs/carolCert.pem    |   38 +-
 .../hosts/carol/etc/ipsec.d/private/carolKey.pem   |   50 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/ipsec.d/certs/daveCert.pem      |   34 +-
 .../hosts/dave/etc/ipsec.d/private/daveKey.pem     |   50 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../moon/etc/ipsec.d/cacerts/researchCert.pem      |   18 +-
 .../hosts/moon/etc/ipsec.d/cacerts/salesCert.pem   |   16 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../ocsp-revoked/hosts/carol/etc/strongswan.conf   |    2 +-
 .../ocsp-revoked/hosts/moon/etc/strongswan.conf    |    2 +-
 .../ocsp-root-cert/hosts/carol/etc/strongswan.conf |    2 +-
 .../ocsp-root-cert/hosts/moon/etc/strongswan.conf  |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../moon/etc/ipsec.d/cacerts/researchCert.pem      |   18 +-
 .../hosts/moon/etc/ipsec.d/cacerts/salesCert.pem   |   16 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../protoport-dual/hosts/carol/etc/strongswan.conf |    2 +-
 .../protoport-dual/hosts/moon/etc/strongswan.conf  |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../protoport-route/hosts/moon/etc/strongswan.conf |    2 +-
 .../reauth-early/hosts/carol/etc/strongswan.conf   |    2 +-
 .../reauth-early/hosts/moon/etc/strongswan.conf    |    2 +-
 .../reauth-late/hosts/carol/etc/strongswan.conf    |    2 +-
 .../reauth-late/hosts/moon/etc/strongswan.conf     |    2 +-
 .../ikev2/rw-cert/hosts/carol/etc/strongswan.conf  |    2 +-
 .../ikev2/rw-cert/hosts/dave/etc/strongswan.conf   |    2 +-
 .../ikev2/rw-cert/hosts/moon/etc/strongswan.conf   |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf |    2 +-
 .../rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf  |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf |    2 +-
 .../rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf  |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf |    2 +-
 .../rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf  |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../rw-hash-and-url/hosts/dave/etc/strongswan.conf |    2 +-
 .../rw-hash-and-url/hosts/moon/etc/strongswan.conf |    2 +-
 .../rw-psk-fqdn/hosts/carol/etc/strongswan.conf    |    2 +-
 .../rw-psk-fqdn/hosts/dave/etc/strongswan.conf     |    2 +-
 .../rw-psk-fqdn/hosts/moon/etc/strongswan.conf     |    2 +-
 .../rw-psk-ipv4/hosts/carol/etc/strongswan.conf    |    2 +-
 .../rw-psk-ipv4/hosts/dave/etc/strongswan.conf     |    2 +-
 .../rw-psk-ipv4/hosts/moon/etc/strongswan.conf     |    2 +-
 .../rw-psk-no-idr/hosts/carol/etc/strongswan.conf  |    2 +-
 .../rw-psk-no-idr/hosts/dave/etc/strongswan.conf   |    2 +-
 .../rw-psk-no-idr/hosts/moon/etc/strongswan.conf   |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../two-certs/hosts/carol/etc/strongswan.conf      |    2 +-
 .../ikev2/two-certs/hosts/moon/etc/strongswan.conf |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../virtual-ip/hosts/carol/etc/strongswan.conf     |    2 +-
 .../virtual-ip/hosts/dave/etc/strongswan.conf      |    2 +-
 .../virtual-ip/hosts/moon/etc/strongswan.conf      |    2 +-
 .../wildcards/hosts/carol/etc/strongswan.conf      |    2 +-
 .../ikev2/wildcards/hosts/dave/etc/strongswan.conf |    2 +-
 .../ikev2/wildcards/hosts/moon/etc/strongswan.conf |    2 +-
 .../host2host-ikev2/hosts/moon/etc/strongswan.conf |    2 +-
 .../host2host-ikev2/hosts/sun/etc/strongswan.conf  |    2 +-
 .../net2net-ikev2/hosts/moon/etc/strongswan.conf   |    2 +-
 .../net2net-ikev2/hosts/sun/etc/strongswan.conf    |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/sun/etc/strongswan.conf                  |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/sun/etc/strongswan.conf                  |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/sun/etc/strongswan.conf                  |    2 +-
 .../ipv6/rw-ikev2/hosts/carol/etc/strongswan.conf  |    2 +-
 .../ipv6/rw-ikev2/hosts/dave/etc/strongswan.conf   |    2 +-
 .../ipv6/rw-ikev2/hosts/moon/etc/strongswan.conf   |    2 +-
 .../rw-psk-ikev2/hosts/carol/etc/strongswan.conf   |    2 +-
 .../rw-psk-ikev2/hosts/dave/etc/strongswan.conf    |    2 +-
 .../rw-psk-ikev2/hosts/moon/etc/strongswan.conf    |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../transport-ikev2/hosts/moon/etc/strongswan.conf |    2 +-
 .../transport-ikev2/hosts/sun/etc/strongswan.conf  |    2 +-
 .../alg-blowfish/hosts/carol/etc/strongswan.conf   |    2 +-
 .../alg-blowfish/hosts/dave/etc/strongswan.conf    |    2 +-
 .../alg-blowfish/hosts/moon/etc/strongswan.conf    |    2 +-
 .../alg-camellia/hosts/carol/etc/strongswan.conf   |    2 +-
 .../alg-camellia/hosts/moon/etc/strongswan.conf    |    2 +-
 .../alg-ecp-high/hosts/carol/etc/strongswan.conf   |    2 +-
 .../alg-ecp-high/hosts/dave/etc/strongswan.conf    |    2 +-
 .../alg-ecp-high/hosts/moon/etc/strongswan.conf    |    2 +-
 .../alg-ecp-low/hosts/carol/etc/strongswan.conf    |    2 +-
 .../alg-ecp-low/hosts/dave/etc/strongswan.conf     |    2 +-
 .../alg-ecp-low/hosts/moon/etc/strongswan.conf     |    2 +-
 .../ecdsa-certs/hosts/carol/etc/strongswan.conf    |    2 +-
 .../ecdsa-certs/hosts/dave/etc/strongswan.conf     |    2 +-
 .../ecdsa-certs/hosts/moon/etc/strongswan.conf     |    2 +-
 .../rw-cert/hosts/carol/etc/strongswan.conf        |    2 +-
 .../rw-cert/hosts/dave/etc/strongswan.conf         |    2 +-
 .../rw-cert/hosts/moon/etc/strongswan.conf         |    2 +-
 .../hosts/alice/etc/strongswan.conf                |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/venus/etc/strongswan.conf                |    2 +-
 .../medsrv-psk/hosts/alice/etc/strongswan.conf     |    2 +-
 .../medsrv-psk/hosts/bob/etc/strongswan.conf       |    2 +-
 .../medsrv-psk/hosts/carol/etc/strongswan.conf     |    2 +-
 .../alg-aes-xcbc/hosts/carol/etc/strongswan.conf   |    2 +-
 .../alg-aes-xcbc/hosts/moon/etc/strongswan.conf    |    2 +-
 .../alg-sha384/hosts/carol/etc/strongswan.conf     |    2 +-
 .../alg-sha384/hosts/moon/etc/strongswan.conf      |    2 +-
 .../alg-sha512/hosts/carol/etc/strongswan.conf     |    2 +-
 .../alg-sha512/hosts/moon/etc/strongswan.conf      |    2 +-
 .../esp-alg-null/hosts/carol/etc/strongswan.conf   |    2 +-
 .../esp-alg-null/hosts/moon/etc/strongswan.conf    |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/sun/etc/strongswan.conf                  |    2 +-
 .../nat-two-rw/hosts/alice/etc/strongswan.conf     |    2 +-
 .../pfkey/nat-two-rw/hosts/sun/etc/strongswan.conf |    2 +-
 .../nat-two-rw/hosts/venus/etc/strongswan.conf     |    2 +-
 .../net2net-route/hosts/moon/etc/strongswan.conf   |    2 +-
 .../net2net-route/hosts/sun/etc/strongswan.conf    |    2 +-
 .../protoport-dual/hosts/carol/etc/strongswan.conf |    2 +-
 .../protoport-dual/hosts/moon/etc/strongswan.conf  |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../protoport-route/hosts/moon/etc/strongswan.conf |    2 +-
 .../pfkey/rw-cert/hosts/carol/etc/strongswan.conf  |    2 +-
 .../pfkey/rw-cert/hosts/dave/etc/strongswan.conf   |    2 +-
 .../pfkey/rw-cert/hosts/moon/etc/strongswan.conf   |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    4 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    4 +-
 testing/tests/sql/ip-pool-db-restart/pretest.dat   |    1 +
 .../sql/ip-pool-db/hosts/carol/etc/strongswan.conf |    2 +-
 .../sql/ip-pool-db/hosts/dave/etc/strongswan.conf  |    2 +-
 .../sql/ip-pool-db/hosts/moon/etc/strongswan.conf  |    4 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    4 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    4 +-
 .../net2net-cert/hosts/moon/etc/strongswan.conf    |    2 +-
 .../sql/net2net-cert/hosts/sun/etc/strongswan.conf |    2 +-
 .../sql/net2net-psk/hosts/moon/etc/strongswan.conf |    2 +-
 .../sql/net2net-psk/hosts/sun/etc/strongswan.conf  |    2 +-
 .../sql/rw-cert/hosts/carol/etc/strongswan.conf    |    2 +-
 .../sql/rw-cert/hosts/dave/etc/strongswan.conf     |    2 +-
 .../sql/rw-cert/hosts/moon/etc/strongswan.conf     |    2 +-
 .../rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf |    2 +-
 .../rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf  |    2 +-
 .../rw-psk-ipv4/hosts/carol/etc/strongswan.conf    |    2 +-
 .../sql/rw-psk-ipv4/hosts/dave/etc/strongswan.conf |    2 +-
 .../sql/rw-psk-ipv4/hosts/moon/etc/strongswan.conf |    2 +-
 .../rw-psk-ipv6/hosts/carol/etc/strongswan.conf    |    2 +-
 .../sql/rw-psk-ipv6/hosts/dave/etc/strongswan.conf |    2 +-
 .../sql/rw-psk-ipv6/hosts/moon/etc/strongswan.conf |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../rw-rsa-keyid/hosts/carol/etc/strongswan.conf   |    2 +-
 .../rw-rsa-keyid/hosts/dave/etc/strongswan.conf    |    2 +-
 .../rw-rsa-keyid/hosts/moon/etc/strongswan.conf    |    2 +-
 .../sql/rw-rsa/hosts/carol/etc/strongswan.conf     |    2 +-
 .../sql/rw-rsa/hosts/dave/etc/strongswan.conf      |    2 +-
 .../sql/rw-rsa/hosts/moon/etc/strongswan.conf      |    2 +-
 1895 files changed, 144709 insertions(+), 123872 deletions(-)
 create mode 100644 Android.mk
 create mode 100644 Android.mk.in
 create mode 100644 src/charon/Android.mk
 delete mode 100644 src/charon/bus/bus.c
 delete mode 100644 src/charon/bus/bus.h
 delete mode 100644 src/charon/bus/listeners/file_logger.c
 delete mode 100644 src/charon/bus/listeners/file_logger.h
 delete mode 100644 src/charon/bus/listeners/listener.h
 delete mode 100644 src/charon/bus/listeners/sys_logger.c
 delete mode 100644 src/charon/bus/listeners/sys_logger.h
 create mode 100644 src/charon/charon.c
 delete mode 100644 src/charon/config/auth_cfg.c
 delete mode 100644 src/charon/config/auth_cfg.h
 delete mode 100644 src/charon/config/backend.h
 delete mode 100644 src/charon/config/backend_manager.c
 delete mode 100644 src/charon/config/backend_manager.h
 delete mode 100644 src/charon/config/child_cfg.c
 delete mode 100644 src/charon/config/child_cfg.h
 delete mode 100644 src/charon/config/ike_cfg.c
 delete mode 100644 src/charon/config/ike_cfg.h
 delete mode 100644 src/charon/config/peer_cfg.c
 delete mode 100644 src/charon/config/peer_cfg.h
 delete mode 100644 src/charon/config/proposal.c
 delete mode 100644 src/charon/config/proposal.h
 delete mode 100644 src/charon/control/controller.c
 delete mode 100644 src/charon/control/controller.h
 delete mode 100644 src/charon/credentials/credential_manager.c
 delete mode 100644 src/charon/credentials/credential_manager.h
 delete mode 100644 src/charon/credentials/credential_set.h
 delete mode 100644 src/charon/credentials/sets/auth_cfg_wrapper.c
 delete mode 100644 src/charon/credentials/sets/auth_cfg_wrapper.h
 delete mode 100644 src/charon/credentials/sets/cert_cache.c
 delete mode 100644 src/charon/credentials/sets/cert_cache.h
 delete mode 100644 src/charon/credentials/sets/ocsp_response_wrapper.c
 delete mode 100644 src/charon/credentials/sets/ocsp_response_wrapper.h
 delete mode 100644 src/charon/daemon.c
 delete mode 100644 src/charon/daemon.h
 delete mode 100644 src/charon/encoding/generator.c
 delete mode 100644 src/charon/encoding/generator.h
 delete mode 100644 src/charon/encoding/message.c
 delete mode 100644 src/charon/encoding/message.h
 delete mode 100644 src/charon/encoding/parser.c
 delete mode 100644 src/charon/encoding/parser.h
 delete mode 100644 src/charon/encoding/payloads/auth_payload.c
 delete mode 100644 src/charon/encoding/payloads/auth_payload.h
 delete mode 100644 src/charon/encoding/payloads/cert_payload.c
 delete mode 100644 src/charon/encoding/payloads/cert_payload.h
 delete mode 100644 src/charon/encoding/payloads/certreq_payload.c
 delete mode 100644 src/charon/encoding/payloads/certreq_payload.h
 delete mode 100644 src/charon/encoding/payloads/configuration_attribute.c
 delete mode 100644 src/charon/encoding/payloads/configuration_attribute.h
 delete mode 100644 src/charon/encoding/payloads/cp_payload.c
 delete mode 100644 src/charon/encoding/payloads/cp_payload.h
 delete mode 100644 src/charon/encoding/payloads/delete_payload.c
 delete mode 100644 src/charon/encoding/payloads/delete_payload.h
 delete mode 100644 src/charon/encoding/payloads/eap_payload.c
 delete mode 100644 src/charon/encoding/payloads/eap_payload.h
 delete mode 100644 src/charon/encoding/payloads/encodings.c
 delete mode 100644 src/charon/encoding/payloads/encodings.h
 delete mode 100644 src/charon/encoding/payloads/encryption_payload.c
 delete mode 100644 src/charon/encoding/payloads/encryption_payload.h
 delete mode 100644 src/charon/encoding/payloads/endpoint_notify.c
 delete mode 100644 src/charon/encoding/payloads/endpoint_notify.h
 delete mode 100644 src/charon/encoding/payloads/id_payload.c
 delete mode 100644 src/charon/encoding/payloads/id_payload.h
 delete mode 100644 src/charon/encoding/payloads/ike_header.c
 delete mode 100644 src/charon/encoding/payloads/ike_header.h
 delete mode 100644 src/charon/encoding/payloads/ke_payload.c
 delete mode 100644 src/charon/encoding/payloads/ke_payload.h
 delete mode 100644 src/charon/encoding/payloads/nonce_payload.c
 delete mode 100644 src/charon/encoding/payloads/nonce_payload.h
 delete mode 100644 src/charon/encoding/payloads/notify_payload.c
 delete mode 100644 src/charon/encoding/payloads/notify_payload.h
 delete mode 100644 src/charon/encoding/payloads/payload.c
 delete mode 100644 src/charon/encoding/payloads/payload.h
 delete mode 100644 src/charon/encoding/payloads/proposal_substructure.c
 delete mode 100644 src/charon/encoding/payloads/proposal_substructure.h
 delete mode 100644 src/charon/encoding/payloads/sa_payload.c
 delete mode 100644 src/charon/encoding/payloads/sa_payload.h
 delete mode 100644 src/charon/encoding/payloads/traffic_selector_substructure.c
 delete mode 100644 src/charon/encoding/payloads/traffic_selector_substructure.h
 delete mode 100644 src/charon/encoding/payloads/transform_attribute.c
 delete mode 100644 src/charon/encoding/payloads/transform_attribute.h
 delete mode 100644 src/charon/encoding/payloads/transform_substructure.c
 delete mode 100644 src/charon/encoding/payloads/transform_substructure.h
 delete mode 100644 src/charon/encoding/payloads/ts_payload.c
 delete mode 100644 src/charon/encoding/payloads/ts_payload.h
 delete mode 100644 src/charon/encoding/payloads/unknown_payload.c
 delete mode 100644 src/charon/encoding/payloads/unknown_payload.h
 delete mode 100644 src/charon/encoding/payloads/vendor_id_payload.c
 delete mode 100644 src/charon/encoding/payloads/vendor_id_payload.h
 delete mode 100644 src/charon/kernel/kernel_interface.c
 delete mode 100644 src/charon/kernel/kernel_interface.h
 delete mode 100644 src/charon/kernel/kernel_ipsec.c
 delete mode 100644 src/charon/kernel/kernel_ipsec.h
 delete mode 100644 src/charon/kernel/kernel_net.h
 delete mode 100644 src/charon/network/packet.c
 delete mode 100644 src/charon/network/packet.h
 delete mode 100644 src/charon/network/receiver.c
 delete mode 100644 src/charon/network/receiver.h
 delete mode 100644 src/charon/network/sender.c
 delete mode 100644 src/charon/network/sender.h
 delete mode 100644 src/charon/network/socket-raw.c
 delete mode 100644 src/charon/network/socket.c
 delete mode 100644 src/charon/network/socket.h
 delete mode 100644 src/charon/plugins/attr/Makefile.am
 delete mode 100644 src/charon/plugins/attr/Makefile.in
 delete mode 100644 src/charon/plugins/attr/attr_plugin.c
 delete mode 100644 src/charon/plugins/attr/attr_plugin.h
 delete mode 100644 src/charon/plugins/attr/attr_provider.c
 delete mode 100644 src/charon/plugins/attr/attr_provider.h
 delete mode 100644 src/charon/plugins/eap_aka/Makefile.am
 delete mode 100644 src/charon/plugins/eap_aka/Makefile.in
 delete mode 100644 src/charon/plugins/eap_aka/eap_aka_peer.c
 delete mode 100644 src/charon/plugins/eap_aka/eap_aka_peer.h
 delete mode 100644 src/charon/plugins/eap_aka/eap_aka_plugin.c
 delete mode 100644 src/charon/plugins/eap_aka/eap_aka_plugin.h
 delete mode 100644 src/charon/plugins/eap_aka/eap_aka_server.c
 delete mode 100644 src/charon/plugins/eap_aka/eap_aka_server.h
 delete mode 100644 src/charon/plugins/eap_aka_3gpp2/Makefile.am
 delete mode 100644 src/charon/plugins/eap_aka_3gpp2/Makefile.in
 delete mode 100644 src/charon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_card.c
 delete mode 100644 src/charon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_card.h
 delete mode 100644 src/charon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_functions.c
 delete mode 100644 src/charon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_functions.h
 delete mode 100644 src/charon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_plugin.c
 delete mode 100644 src/charon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_plugin.h
 delete mode 100644 src/charon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_provider.c
 delete mode 100644 src/charon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_provider.h
 delete mode 100644 src/charon/plugins/eap_gtc/Makefile.am
 delete mode 100644 src/charon/plugins/eap_gtc/Makefile.in
 delete mode 100644 src/charon/plugins/eap_gtc/eap_gtc.c
 delete mode 100644 src/charon/plugins/eap_gtc/eap_gtc.h
 delete mode 100644 src/charon/plugins/eap_gtc/eap_gtc_plugin.c
 delete mode 100644 src/charon/plugins/eap_gtc/eap_gtc_plugin.h
 delete mode 100644 src/charon/plugins/eap_identity/Makefile.am
 delete mode 100644 src/charon/plugins/eap_identity/Makefile.in
 delete mode 100644 src/charon/plugins/eap_identity/eap_identity.c
 delete mode 100644 src/charon/plugins/eap_identity/eap_identity.h
 delete mode 100644 src/charon/plugins/eap_identity/eap_identity_plugin.c
 delete mode 100644 src/charon/plugins/eap_identity/eap_identity_plugin.h
 delete mode 100644 src/charon/plugins/eap_md5/Makefile.am
 delete mode 100644 src/charon/plugins/eap_md5/Makefile.in
 delete mode 100644 src/charon/plugins/eap_md5/eap_md5.c
 delete mode 100644 src/charon/plugins/eap_md5/eap_md5.h
 delete mode 100644 src/charon/plugins/eap_md5/eap_md5_plugin.c
 delete mode 100644 src/charon/plugins/eap_md5/eap_md5_plugin.h
 delete mode 100644 src/charon/plugins/eap_mschapv2/Makefile.am
 delete mode 100644 src/charon/plugins/eap_mschapv2/Makefile.in
 delete mode 100644 src/charon/plugins/eap_mschapv2/eap_mschapv2.c
 delete mode 100644 src/charon/plugins/eap_mschapv2/eap_mschapv2.h
 delete mode 100644 src/charon/plugins/eap_mschapv2/eap_mschapv2_plugin.c
 delete mode 100644 src/charon/plugins/eap_mschapv2/eap_mschapv2_plugin.h
 delete mode 100644 src/charon/plugins/eap_radius/Makefile.am
 delete mode 100644 src/charon/plugins/eap_radius/Makefile.in
 delete mode 100644 src/charon/plugins/eap_radius/eap_radius.c
 delete mode 100644 src/charon/plugins/eap_radius/eap_radius.h
 delete mode 100644 src/charon/plugins/eap_radius/eap_radius_plugin.c
 delete mode 100644 src/charon/plugins/eap_radius/eap_radius_plugin.h
 delete mode 100644 src/charon/plugins/eap_radius/radius_client.c
 delete mode 100644 src/charon/plugins/eap_radius/radius_client.h
 delete mode 100644 src/charon/plugins/eap_radius/radius_message.c
 delete mode 100644 src/charon/plugins/eap_radius/radius_message.h
 delete mode 100644 src/charon/plugins/eap_sim/Makefile.am
 delete mode 100644 src/charon/plugins/eap_sim/Makefile.in
 delete mode 100644 src/charon/plugins/eap_sim/eap_sim_peer.c
 delete mode 100644 src/charon/plugins/eap_sim/eap_sim_peer.h
 delete mode 100644 src/charon/plugins/eap_sim/eap_sim_plugin.c
 delete mode 100644 src/charon/plugins/eap_sim/eap_sim_plugin.h
 delete mode 100644 src/charon/plugins/eap_sim/eap_sim_server.c
 delete mode 100644 src/charon/plugins/eap_sim/eap_sim_server.h
 delete mode 100644 src/charon/plugins/eap_sim_file/Makefile.am
 delete mode 100644 src/charon/plugins/eap_sim_file/Makefile.in
 delete mode 100644 src/charon/plugins/eap_sim_file/eap_sim_file_card.c
 delete mode 100644 src/charon/plugins/eap_sim_file/eap_sim_file_card.h
 delete mode 100644 src/charon/plugins/eap_sim_file/eap_sim_file_plugin.c
 delete mode 100644 src/charon/plugins/eap_sim_file/eap_sim_file_plugin.h
 delete mode 100644 src/charon/plugins/eap_sim_file/eap_sim_file_provider.c
 delete mode 100644 src/charon/plugins/eap_sim_file/eap_sim_file_provider.h
 delete mode 100644 src/charon/plugins/eap_sim_file/eap_sim_file_triplets.c
 delete mode 100644 src/charon/plugins/eap_sim_file/eap_sim_file_triplets.h
 delete mode 100644 src/charon/plugins/eap_simaka_pseudonym/Makefile.am
 delete mode 100644 src/charon/plugins/eap_simaka_pseudonym/Makefile.in
 delete mode 100644 src/charon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_card.c
 delete mode 100644 src/charon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_card.h
 delete mode 100644 src/charon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_plugin.c
 delete mode 100644 src/charon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_plugin.h
 delete mode 100644 src/charon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_provider.c
 delete mode 100644 src/charon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_provider.h
 delete mode 100644 src/charon/plugins/eap_simaka_reauth/Makefile.am
 delete mode 100644 src/charon/plugins/eap_simaka_reauth/Makefile.in
 delete mode 100644 src/charon/plugins/eap_simaka_reauth/eap_simaka_reauth_card.c
 delete mode 100644 src/charon/plugins/eap_simaka_reauth/eap_simaka_reauth_card.h
 delete mode 100644 src/charon/plugins/eap_simaka_reauth/eap_simaka_reauth_plugin.c
 delete mode 100644 src/charon/plugins/eap_simaka_reauth/eap_simaka_reauth_plugin.h
 delete mode 100644 src/charon/plugins/eap_simaka_reauth/eap_simaka_reauth_provider.c
 delete mode 100644 src/charon/plugins/eap_simaka_reauth/eap_simaka_reauth_provider.h
 delete mode 100644 src/charon/plugins/kernel_klips/Makefile.am
 delete mode 100644 src/charon/plugins/kernel_klips/Makefile.in
 delete mode 100644 src/charon/plugins/kernel_klips/kernel_klips_ipsec.c
 delete mode 100644 src/charon/plugins/kernel_klips/kernel_klips_ipsec.h
 delete mode 100644 src/charon/plugins/kernel_klips/kernel_klips_plugin.c
 delete mode 100644 src/charon/plugins/kernel_klips/kernel_klips_plugin.h
 delete mode 100644 src/charon/plugins/kernel_klips/pfkeyv2.h
 delete mode 100644 src/charon/plugins/kernel_netlink/Makefile.am
 delete mode 100644 src/charon/plugins/kernel_netlink/Makefile.in
 delete mode 100644 src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c
 delete mode 100644 src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.h
 delete mode 100644 src/charon/plugins/kernel_netlink/kernel_netlink_net.c
 delete mode 100644 src/charon/plugins/kernel_netlink/kernel_netlink_net.h
 delete mode 100644 src/charon/plugins/kernel_netlink/kernel_netlink_plugin.c
 delete mode 100644 src/charon/plugins/kernel_netlink/kernel_netlink_plugin.h
 delete mode 100644 src/charon/plugins/kernel_netlink/kernel_netlink_shared.c
 delete mode 100644 src/charon/plugins/kernel_netlink/kernel_netlink_shared.h
 delete mode 100644 src/charon/plugins/kernel_pfkey/Makefile.am
 delete mode 100644 src/charon/plugins/kernel_pfkey/Makefile.in
 delete mode 100644 src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
 delete mode 100644 src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.h
 delete mode 100644 src/charon/plugins/kernel_pfkey/kernel_pfkey_plugin.c
 delete mode 100644 src/charon/plugins/kernel_pfkey/kernel_pfkey_plugin.h
 delete mode 100644 src/charon/plugins/kernel_pfroute/Makefile.am
 delete mode 100644 src/charon/plugins/kernel_pfroute/Makefile.in
 delete mode 100644 src/charon/plugins/kernel_pfroute/kernel_pfroute_net.c
 delete mode 100644 src/charon/plugins/kernel_pfroute/kernel_pfroute_net.h
 delete mode 100644 src/charon/plugins/kernel_pfroute/kernel_pfroute_plugin.c
 delete mode 100644 src/charon/plugins/kernel_pfroute/kernel_pfroute_plugin.h
 delete mode 100644 src/charon/plugins/load_tester/Makefile.am
 delete mode 100644 src/charon/plugins/load_tester/Makefile.in
 delete mode 100644 src/charon/plugins/load_tester/load_tester_config.c
 delete mode 100644 src/charon/plugins/load_tester/load_tester_config.h
 delete mode 100644 src/charon/plugins/load_tester/load_tester_creds.c
 delete mode 100644 src/charon/plugins/load_tester/load_tester_creds.h
 delete mode 100644 src/charon/plugins/load_tester/load_tester_diffie_hellman.c
 delete mode 100644 src/charon/plugins/load_tester/load_tester_diffie_hellman.h
 delete mode 100644 src/charon/plugins/load_tester/load_tester_ipsec.c
 delete mode 100644 src/charon/plugins/load_tester/load_tester_ipsec.h
 delete mode 100644 src/charon/plugins/load_tester/load_tester_listener.c
 delete mode 100644 src/charon/plugins/load_tester/load_tester_listener.h
 delete mode 100644 src/charon/plugins/load_tester/load_tester_plugin.c
 delete mode 100644 src/charon/plugins/load_tester/load_tester_plugin.h
 delete mode 100644 src/charon/plugins/medcli/Makefile.am
 delete mode 100644 src/charon/plugins/medcli/Makefile.in
 delete mode 100644 src/charon/plugins/medcli/medcli_config.c
 delete mode 100644 src/charon/plugins/medcli/medcli_config.h
 delete mode 100644 src/charon/plugins/medcli/medcli_creds.c
 delete mode 100644 src/charon/plugins/medcli/medcli_creds.h
 delete mode 100644 src/charon/plugins/medcli/medcli_listener.c
 delete mode 100644 src/charon/plugins/medcli/medcli_listener.h
 delete mode 100644 src/charon/plugins/medcli/medcli_plugin.c
 delete mode 100644 src/charon/plugins/medcli/medcli_plugin.h
 delete mode 100644 src/charon/plugins/medsrv/Makefile.am
 delete mode 100644 src/charon/plugins/medsrv/Makefile.in
 delete mode 100644 src/charon/plugins/medsrv/medsrv_config.c
 delete mode 100644 src/charon/plugins/medsrv/medsrv_config.h
 delete mode 100644 src/charon/plugins/medsrv/medsrv_creds.c
 delete mode 100644 src/charon/plugins/medsrv/medsrv_creds.h
 delete mode 100644 src/charon/plugins/medsrv/medsrv_plugin.c
 delete mode 100644 src/charon/plugins/medsrv/medsrv_plugin.h
 delete mode 100644 src/charon/plugins/nm/Makefile.am
 delete mode 100644 src/charon/plugins/nm/Makefile.in
 delete mode 100644 src/charon/plugins/nm/nm_creds.c
 delete mode 100644 src/charon/plugins/nm/nm_creds.h
 delete mode 100644 src/charon/plugins/nm/nm_handler.c
 delete mode 100644 src/charon/plugins/nm/nm_handler.h
 delete mode 100644 src/charon/plugins/nm/nm_plugin.c
 delete mode 100644 src/charon/plugins/nm/nm_plugin.h
 delete mode 100644 src/charon/plugins/nm/nm_service.c
 delete mode 100644 src/charon/plugins/nm/nm_service.h
 delete mode 100644 src/charon/plugins/resolve/Makefile.am
 delete mode 100644 src/charon/plugins/resolve/Makefile.in
 delete mode 100644 src/charon/plugins/resolve/resolve_handler.c
 delete mode 100644 src/charon/plugins/resolve/resolve_handler.h
 delete mode 100644 src/charon/plugins/resolve/resolve_plugin.c
 delete mode 100644 src/charon/plugins/resolve/resolve_plugin.h
 delete mode 100644 src/charon/plugins/smp/Makefile.am
 delete mode 100644 src/charon/plugins/smp/Makefile.in
 delete mode 100644 src/charon/plugins/smp/smp.c
 delete mode 100644 src/charon/plugins/smp/smp.h
 delete mode 100644 src/charon/plugins/sql/Makefile.am
 delete mode 100644 src/charon/plugins/sql/Makefile.in
 delete mode 100644 src/charon/plugins/sql/sql_config.c
 delete mode 100644 src/charon/plugins/sql/sql_config.h
 delete mode 100644 src/charon/plugins/sql/sql_cred.c
 delete mode 100644 src/charon/plugins/sql/sql_cred.h
 delete mode 100644 src/charon/plugins/sql/sql_logger.c
 delete mode 100644 src/charon/plugins/sql/sql_logger.h
 delete mode 100644 src/charon/plugins/sql/sql_plugin.c
 delete mode 100644 src/charon/plugins/sql/sql_plugin.h
 delete mode 100644 src/charon/plugins/stroke/Makefile.am
 delete mode 100644 src/charon/plugins/stroke/Makefile.in
 delete mode 100644 src/charon/plugins/stroke/stroke_attribute.c
 delete mode 100644 src/charon/plugins/stroke/stroke_attribute.h
 delete mode 100644 src/charon/plugins/stroke/stroke_ca.c
 delete mode 100644 src/charon/plugins/stroke/stroke_ca.h
 delete mode 100644 src/charon/plugins/stroke/stroke_config.c
 delete mode 100644 src/charon/plugins/stroke/stroke_config.h
 delete mode 100644 src/charon/plugins/stroke/stroke_control.c
 delete mode 100644 src/charon/plugins/stroke/stroke_control.h
 delete mode 100644 src/charon/plugins/stroke/stroke_cred.c
 delete mode 100644 src/charon/plugins/stroke/stroke_cred.h
 delete mode 100644 src/charon/plugins/stroke/stroke_list.c
 delete mode 100644 src/charon/plugins/stroke/stroke_list.h
 delete mode 100644 src/charon/plugins/stroke/stroke_plugin.c
 delete mode 100644 src/charon/plugins/stroke/stroke_plugin.h
 delete mode 100644 src/charon/plugins/stroke/stroke_shared_key.c
 delete mode 100644 src/charon/plugins/stroke/stroke_shared_key.h
 delete mode 100644 src/charon/plugins/stroke/stroke_socket.c
 delete mode 100644 src/charon/plugins/stroke/stroke_socket.h
 delete mode 100644 src/charon/plugins/uci/Makefile.am
 delete mode 100644 src/charon/plugins/uci/Makefile.in
 delete mode 100644 src/charon/plugins/uci/uci_config.c
 delete mode 100644 src/charon/plugins/uci/uci_config.h
 delete mode 100644 src/charon/plugins/uci/uci_control.c
 delete mode 100644 src/charon/plugins/uci/uci_control.h
 delete mode 100644 src/charon/plugins/uci/uci_creds.c
 delete mode 100644 src/charon/plugins/uci/uci_creds.h
 delete mode 100644 src/charon/plugins/uci/uci_parser.c
 delete mode 100644 src/charon/plugins/uci/uci_parser.h
 delete mode 100644 src/charon/plugins/uci/uci_plugin.c
 delete mode 100644 src/charon/plugins/uci/uci_plugin.h
 delete mode 100644 src/charon/plugins/unit_tester/Makefile.am
 delete mode 100644 src/charon/plugins/unit_tester/Makefile.in
 delete mode 100644 src/charon/plugins/unit_tester/tests.h
 delete mode 100644 src/charon/plugins/unit_tester/tests/test_agent.c
 delete mode 100644 src/charon/plugins/unit_tester/tests/test_auth_info.c
 delete mode 100644 src/charon/plugins/unit_tester/tests/test_cert.c
 delete mode 100644 src/charon/plugins/unit_tester/tests/test_chunk.c
 delete mode 100644 src/charon/plugins/unit_tester/tests/test_curl.c
 delete mode 100644 src/charon/plugins/unit_tester/tests/test_enumerator.c
 delete mode 100644 src/charon/plugins/unit_tester/tests/test_id.c
 delete mode 100644 src/charon/plugins/unit_tester/tests/test_med_db.c
 delete mode 100644 src/charon/plugins/unit_tester/tests/test_mutex.c
 delete mode 100644 src/charon/plugins/unit_tester/tests/test_mysql.c
 delete mode 100644 src/charon/plugins/unit_tester/tests/test_pool.c
 delete mode 100644 src/charon/plugins/unit_tester/tests/test_rsa_gen.c
 delete mode 100644 src/charon/plugins/unit_tester/tests/test_sqlite.c
 delete mode 100644 src/charon/plugins/unit_tester/unit_tester.c
 delete mode 100644 src/charon/plugins/unit_tester/unit_tester.h
 delete mode 100644 src/charon/plugins/updown/Makefile.am
 delete mode 100644 src/charon/plugins/updown/Makefile.in
 delete mode 100644 src/charon/plugins/updown/updown_listener.c
 delete mode 100644 src/charon/plugins/updown/updown_listener.h
 delete mode 100644 src/charon/plugins/updown/updown_plugin.c
 delete mode 100644 src/charon/plugins/updown/updown_plugin.h
 delete mode 100644 src/charon/processing/jobs/acquire_job.c
 delete mode 100644 src/charon/processing/jobs/acquire_job.h
 delete mode 100644 src/charon/processing/jobs/callback_job.c
 delete mode 100644 src/charon/processing/jobs/callback_job.h
 delete mode 100644 src/charon/processing/jobs/delete_child_sa_job.c
 delete mode 100644 src/charon/processing/jobs/delete_child_sa_job.h
 delete mode 100644 src/charon/processing/jobs/delete_ike_sa_job.c
 delete mode 100644 src/charon/processing/jobs/delete_ike_sa_job.h
 delete mode 100644 src/charon/processing/jobs/inactivity_job.c
 delete mode 100644 src/charon/processing/jobs/inactivity_job.h
 delete mode 100644 src/charon/processing/jobs/initiate_mediation_job.c
 delete mode 100644 src/charon/processing/jobs/initiate_mediation_job.h
 delete mode 100644 src/charon/processing/jobs/job.h
 delete mode 100644 src/charon/processing/jobs/mediation_job.c
 delete mode 100644 src/charon/processing/jobs/mediation_job.h
 delete mode 100644 src/charon/processing/jobs/migrate_job.c
 delete mode 100644 src/charon/processing/jobs/migrate_job.h
 delete mode 100644 src/charon/processing/jobs/process_message_job.c
 delete mode 100644 src/charon/processing/jobs/process_message_job.h
 delete mode 100644 src/charon/processing/jobs/rekey_child_sa_job.c
 delete mode 100644 src/charon/processing/jobs/rekey_child_sa_job.h
 delete mode 100644 src/charon/processing/jobs/rekey_ike_sa_job.c
 delete mode 100644 src/charon/processing/jobs/rekey_ike_sa_job.h
 delete mode 100644 src/charon/processing/jobs/retransmit_job.c
 delete mode 100644 src/charon/processing/jobs/retransmit_job.h
 delete mode 100644 src/charon/processing/jobs/roam_job.c
 delete mode 100644 src/charon/processing/jobs/roam_job.h
 delete mode 100644 src/charon/processing/jobs/send_dpd_job.c
 delete mode 100644 src/charon/processing/jobs/send_dpd_job.h
 delete mode 100644 src/charon/processing/jobs/send_keepalive_job.c
 delete mode 100644 src/charon/processing/jobs/send_keepalive_job.h
 delete mode 100644 src/charon/processing/jobs/update_sa_job.c
 delete mode 100644 src/charon/processing/jobs/update_sa_job.h
 delete mode 100644 src/charon/processing/processor.c
 delete mode 100644 src/charon/processing/processor.h
 delete mode 100644 src/charon/processing/scheduler.c
 delete mode 100644 src/charon/processing/scheduler.h
 delete mode 100644 src/charon/sa/authenticators/authenticator.c
 delete mode 100644 src/charon/sa/authenticators/authenticator.h
 delete mode 100644 src/charon/sa/authenticators/eap/eap_manager.c
 delete mode 100644 src/charon/sa/authenticators/eap/eap_manager.h
 delete mode 100644 src/charon/sa/authenticators/eap/eap_method.c
 delete mode 100644 src/charon/sa/authenticators/eap/eap_method.h
 delete mode 100644 src/charon/sa/authenticators/eap/sim_manager.c
 delete mode 100644 src/charon/sa/authenticators/eap/sim_manager.h
 delete mode 100644 src/charon/sa/authenticators/eap_authenticator.c
 delete mode 100644 src/charon/sa/authenticators/eap_authenticator.h
 delete mode 100644 src/charon/sa/authenticators/psk_authenticator.c
 delete mode 100644 src/charon/sa/authenticators/psk_authenticator.h
 delete mode 100644 src/charon/sa/authenticators/pubkey_authenticator.c
 delete mode 100644 src/charon/sa/authenticators/pubkey_authenticator.h
 delete mode 100644 src/charon/sa/child_sa.c
 delete mode 100644 src/charon/sa/child_sa.h
 delete mode 100644 src/charon/sa/connect_manager.c
 delete mode 100644 src/charon/sa/connect_manager.h
 delete mode 100644 src/charon/sa/ike_sa.c
 delete mode 100644 src/charon/sa/ike_sa.h
 delete mode 100644 src/charon/sa/ike_sa_id.c
 delete mode 100644 src/charon/sa/ike_sa_id.h
 delete mode 100644 src/charon/sa/ike_sa_manager.c
 delete mode 100644 src/charon/sa/ike_sa_manager.h
 delete mode 100644 src/charon/sa/keymat.c
 delete mode 100644 src/charon/sa/keymat.h
 delete mode 100644 src/charon/sa/mediation_manager.c
 delete mode 100644 src/charon/sa/mediation_manager.h
 delete mode 100644 src/charon/sa/task_manager.c
 delete mode 100644 src/charon/sa/task_manager.h
 delete mode 100644 src/charon/sa/tasks/child_create.c
 delete mode 100644 src/charon/sa/tasks/child_create.h
 delete mode 100644 src/charon/sa/tasks/child_delete.c
 delete mode 100644 src/charon/sa/tasks/child_delete.h
 delete mode 100644 src/charon/sa/tasks/child_rekey.c
 delete mode 100644 src/charon/sa/tasks/child_rekey.h
 delete mode 100644 src/charon/sa/tasks/ike_auth.c
 delete mode 100644 src/charon/sa/tasks/ike_auth.h
 delete mode 100644 src/charon/sa/tasks/ike_auth_lifetime.c
 delete mode 100644 src/charon/sa/tasks/ike_auth_lifetime.h
 delete mode 100644 src/charon/sa/tasks/ike_cert_post.c
 delete mode 100644 src/charon/sa/tasks/ike_cert_post.h
 delete mode 100644 src/charon/sa/tasks/ike_cert_pre.c
 delete mode 100644 src/charon/sa/tasks/ike_cert_pre.h
 delete mode 100644 src/charon/sa/tasks/ike_config.c
 delete mode 100644 src/charon/sa/tasks/ike_config.h
 delete mode 100644 src/charon/sa/tasks/ike_delete.c
 delete mode 100644 src/charon/sa/tasks/ike_delete.h
 delete mode 100644 src/charon/sa/tasks/ike_dpd.c
 delete mode 100644 src/charon/sa/tasks/ike_dpd.h
 delete mode 100644 src/charon/sa/tasks/ike_init.c
 delete mode 100644 src/charon/sa/tasks/ike_init.h
 delete mode 100644 src/charon/sa/tasks/ike_me.c
 delete mode 100644 src/charon/sa/tasks/ike_me.h
 delete mode 100644 src/charon/sa/tasks/ike_mobike.c
 delete mode 100644 src/charon/sa/tasks/ike_mobike.h
 delete mode 100644 src/charon/sa/tasks/ike_natd.c
 delete mode 100644 src/charon/sa/tasks/ike_natd.h
 delete mode 100644 src/charon/sa/tasks/ike_reauth.c
 delete mode 100644 src/charon/sa/tasks/ike_reauth.h
 delete mode 100644 src/charon/sa/tasks/ike_rekey.c
 delete mode 100644 src/charon/sa/tasks/ike_rekey.h
 delete mode 100644 src/charon/sa/tasks/ike_vendor.c
 delete mode 100644 src/charon/sa/tasks/ike_vendor.h
 delete mode 100644 src/charon/sa/tasks/task.c
 delete mode 100644 src/charon/sa/tasks/task.h
 delete mode 100644 src/charon/sa/trap_manager.c
 delete mode 100644 src/charon/sa/trap_manager.h
 create mode 100644 src/include/linux/jhash.h
 create mode 100644 src/libcharon/Android.mk
 create mode 100644 src/libcharon/Makefile.am
 create mode 100644 src/libcharon/Makefile.in
 create mode 100644 src/libcharon/bus/bus.c
 create mode 100644 src/libcharon/bus/bus.h
 create mode 100644 src/libcharon/bus/listeners/file_logger.c
 create mode 100644 src/libcharon/bus/listeners/file_logger.h
 create mode 100644 src/libcharon/bus/listeners/listener.h
 create mode 100644 src/libcharon/bus/listeners/sys_logger.c
 create mode 100644 src/libcharon/bus/listeners/sys_logger.h
 create mode 100644 src/libcharon/config/auth_cfg.c
 create mode 100644 src/libcharon/config/auth_cfg.h
 create mode 100644 src/libcharon/config/backend.h
 create mode 100644 src/libcharon/config/backend_manager.c
 create mode 100644 src/libcharon/config/backend_manager.h
 create mode 100644 src/libcharon/config/child_cfg.c
 create mode 100644 src/libcharon/config/child_cfg.h
 create mode 100644 src/libcharon/config/ike_cfg.c
 create mode 100644 src/libcharon/config/ike_cfg.h
 create mode 100644 src/libcharon/config/peer_cfg.c
 create mode 100644 src/libcharon/config/peer_cfg.h
 create mode 100644 src/libcharon/config/proposal.c
 create mode 100644 src/libcharon/config/proposal.h
 create mode 100644 src/libcharon/control/controller.c
 create mode 100644 src/libcharon/control/controller.h
 create mode 100644 src/libcharon/credentials/credential_manager.c
 create mode 100644 src/libcharon/credentials/credential_manager.h
 create mode 100644 src/libcharon/credentials/credential_set.h
 create mode 100644 src/libcharon/credentials/sets/auth_cfg_wrapper.c
 create mode 100644 src/libcharon/credentials/sets/auth_cfg_wrapper.h
 create mode 100644 src/libcharon/credentials/sets/cert_cache.c
 create mode 100644 src/libcharon/credentials/sets/cert_cache.h
 create mode 100644 src/libcharon/credentials/sets/ocsp_response_wrapper.c
 create mode 100644 src/libcharon/credentials/sets/ocsp_response_wrapper.h
 create mode 100644 src/libcharon/daemon.c
 create mode 100644 src/libcharon/daemon.h
 create mode 100644 src/libcharon/encoding/generator.c
 create mode 100644 src/libcharon/encoding/generator.h
 create mode 100644 src/libcharon/encoding/message.c
 create mode 100644 src/libcharon/encoding/message.h
 create mode 100644 src/libcharon/encoding/parser.c
 create mode 100644 src/libcharon/encoding/parser.h
 create mode 100644 src/libcharon/encoding/payloads/auth_payload.c
 create mode 100644 src/libcharon/encoding/payloads/auth_payload.h
 create mode 100644 src/libcharon/encoding/payloads/cert_payload.c
 create mode 100644 src/libcharon/encoding/payloads/cert_payload.h
 create mode 100644 src/libcharon/encoding/payloads/certreq_payload.c
 create mode 100644 src/libcharon/encoding/payloads/certreq_payload.h
 create mode 100644 src/libcharon/encoding/payloads/configuration_attribute.c
 create mode 100644 src/libcharon/encoding/payloads/configuration_attribute.h
 create mode 100644 src/libcharon/encoding/payloads/cp_payload.c
 create mode 100644 src/libcharon/encoding/payloads/cp_payload.h
 create mode 100644 src/libcharon/encoding/payloads/delete_payload.c
 create mode 100644 src/libcharon/encoding/payloads/delete_payload.h
 create mode 100644 src/libcharon/encoding/payloads/eap_payload.c
 create mode 100644 src/libcharon/encoding/payloads/eap_payload.h
 create mode 100644 src/libcharon/encoding/payloads/encodings.c
 create mode 100644 src/libcharon/encoding/payloads/encodings.h
 create mode 100644 src/libcharon/encoding/payloads/encryption_payload.c
 create mode 100644 src/libcharon/encoding/payloads/encryption_payload.h
 create mode 100644 src/libcharon/encoding/payloads/endpoint_notify.c
 create mode 100644 src/libcharon/encoding/payloads/endpoint_notify.h
 create mode 100644 src/libcharon/encoding/payloads/id_payload.c
 create mode 100644 src/libcharon/encoding/payloads/id_payload.h
 create mode 100644 src/libcharon/encoding/payloads/ike_header.c
 create mode 100644 src/libcharon/encoding/payloads/ike_header.h
 create mode 100644 src/libcharon/encoding/payloads/ke_payload.c
 create mode 100644 src/libcharon/encoding/payloads/ke_payload.h
 create mode 100644 src/libcharon/encoding/payloads/nonce_payload.c
 create mode 100644 src/libcharon/encoding/payloads/nonce_payload.h
 create mode 100644 src/libcharon/encoding/payloads/notify_payload.c
 create mode 100644 src/libcharon/encoding/payloads/notify_payload.h
 create mode 100644 src/libcharon/encoding/payloads/payload.c
 create mode 100644 src/libcharon/encoding/payloads/payload.h
 create mode 100644 src/libcharon/encoding/payloads/proposal_substructure.c
 create mode 100644 src/libcharon/encoding/payloads/proposal_substructure.h
 create mode 100644 src/libcharon/encoding/payloads/sa_payload.c
 create mode 100644 src/libcharon/encoding/payloads/sa_payload.h
 create mode 100644 src/libcharon/encoding/payloads/traffic_selector_substructure.c
 create mode 100644 src/libcharon/encoding/payloads/traffic_selector_substructure.h
 create mode 100644 src/libcharon/encoding/payloads/transform_attribute.c
 create mode 100644 src/libcharon/encoding/payloads/transform_attribute.h
 create mode 100644 src/libcharon/encoding/payloads/transform_substructure.c
 create mode 100644 src/libcharon/encoding/payloads/transform_substructure.h
 create mode 100644 src/libcharon/encoding/payloads/ts_payload.c
 create mode 100644 src/libcharon/encoding/payloads/ts_payload.h
 create mode 100644 src/libcharon/encoding/payloads/unknown_payload.c
 create mode 100644 src/libcharon/encoding/payloads/unknown_payload.h
 create mode 100644 src/libcharon/encoding/payloads/vendor_id_payload.c
 create mode 100644 src/libcharon/encoding/payloads/vendor_id_payload.h
 create mode 100644 src/libcharon/kernel/kernel_interface.c
 create mode 100644 src/libcharon/kernel/kernel_interface.h
 create mode 100644 src/libcharon/kernel/kernel_ipsec.c
 create mode 100644 src/libcharon/kernel/kernel_ipsec.h
 create mode 100644 src/libcharon/kernel/kernel_net.h
 create mode 100644 src/libcharon/network/packet.c
 create mode 100644 src/libcharon/network/packet.h
 create mode 100644 src/libcharon/network/receiver.c
 create mode 100644 src/libcharon/network/receiver.h
 create mode 100644 src/libcharon/network/sender.c
 create mode 100644 src/libcharon/network/sender.h
 create mode 100644 src/libcharon/network/socket.h
 create mode 100644 src/libcharon/network/socket_manager.c
 create mode 100644 src/libcharon/network/socket_manager.h
 create mode 100644 src/libcharon/plugins/android/Makefile.am
 create mode 100644 src/libcharon/plugins/android/Makefile.in
 create mode 100644 src/libcharon/plugins/android/android_handler.c
 create mode 100644 src/libcharon/plugins/android/android_handler.h
 create mode 100644 src/libcharon/plugins/android/android_plugin.c
 create mode 100644 src/libcharon/plugins/android/android_plugin.h
 create mode 100644 src/libcharon/plugins/dhcp/Makefile.am
 create mode 100644 src/libcharon/plugins/dhcp/Makefile.in
 create mode 100644 src/libcharon/plugins/dhcp/dhcp_plugin.c
 create mode 100644 src/libcharon/plugins/dhcp/dhcp_plugin.h
 create mode 100644 src/libcharon/plugins/dhcp/dhcp_provider.c
 create mode 100644 src/libcharon/plugins/dhcp/dhcp_provider.h
 create mode 100644 src/libcharon/plugins/dhcp/dhcp_socket.c
 create mode 100644 src/libcharon/plugins/dhcp/dhcp_socket.h
 create mode 100644 src/libcharon/plugins/dhcp/dhcp_transaction.c
 create mode 100644 src/libcharon/plugins/dhcp/dhcp_transaction.h
 create mode 100644 src/libcharon/plugins/eap_aka/Makefile.am
 create mode 100644 src/libcharon/plugins/eap_aka/Makefile.in
 create mode 100644 src/libcharon/plugins/eap_aka/eap_aka_peer.c
 create mode 100644 src/libcharon/plugins/eap_aka/eap_aka_peer.h
 create mode 100644 src/libcharon/plugins/eap_aka/eap_aka_plugin.c
 create mode 100644 src/libcharon/plugins/eap_aka/eap_aka_plugin.h
 create mode 100644 src/libcharon/plugins/eap_aka/eap_aka_server.c
 create mode 100644 src/libcharon/plugins/eap_aka/eap_aka_server.h
 create mode 100644 src/libcharon/plugins/eap_aka_3gpp2/Makefile.am
 create mode 100644 src/libcharon/plugins/eap_aka_3gpp2/Makefile.in
 create mode 100644 src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_card.c
 create mode 100644 src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_card.h
 create mode 100644 src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_functions.c
 create mode 100644 src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_functions.h
 create mode 100644 src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_plugin.c
 create mode 100644 src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_plugin.h
 create mode 100644 src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_provider.c
 create mode 100644 src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_provider.h
 create mode 100644 src/libcharon/plugins/eap_gtc/Makefile.am
 create mode 100644 src/libcharon/plugins/eap_gtc/Makefile.in
 create mode 100644 src/libcharon/plugins/eap_gtc/eap_gtc.c
 create mode 100644 src/libcharon/plugins/eap_gtc/eap_gtc.h
 create mode 100644 src/libcharon/plugins/eap_gtc/eap_gtc_plugin.c
 create mode 100644 src/libcharon/plugins/eap_gtc/eap_gtc_plugin.h
 create mode 100644 src/libcharon/plugins/eap_identity/Makefile.am
 create mode 100644 src/libcharon/plugins/eap_identity/Makefile.in
 create mode 100644 src/libcharon/plugins/eap_identity/eap_identity.c
 create mode 100644 src/libcharon/plugins/eap_identity/eap_identity.h
 create mode 100644 src/libcharon/plugins/eap_identity/eap_identity_plugin.c
 create mode 100644 src/libcharon/plugins/eap_identity/eap_identity_plugin.h
 create mode 100644 src/libcharon/plugins/eap_md5/Makefile.am
 create mode 100644 src/libcharon/plugins/eap_md5/Makefile.in
 create mode 100644 src/libcharon/plugins/eap_md5/eap_md5.c
 create mode 100644 src/libcharon/plugins/eap_md5/eap_md5.h
 create mode 100644 src/libcharon/plugins/eap_md5/eap_md5_plugin.c
 create mode 100644 src/libcharon/plugins/eap_md5/eap_md5_plugin.h
 create mode 100644 src/libcharon/plugins/eap_mschapv2/Makefile.am
 create mode 100644 src/libcharon/plugins/eap_mschapv2/Makefile.in
 create mode 100644 src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
 create mode 100644 src/libcharon/plugins/eap_mschapv2/eap_mschapv2.h
 create mode 100644 src/libcharon/plugins/eap_mschapv2/eap_mschapv2_plugin.c
 create mode 100644 src/libcharon/plugins/eap_mschapv2/eap_mschapv2_plugin.h
 create mode 100644 src/libcharon/plugins/eap_radius/Makefile.am
 create mode 100644 src/libcharon/plugins/eap_radius/Makefile.in
 create mode 100644 src/libcharon/plugins/eap_radius/eap_radius.c
 create mode 100644 src/libcharon/plugins/eap_radius/eap_radius.h
 create mode 100644 src/libcharon/plugins/eap_radius/eap_radius_plugin.c
 create mode 100644 src/libcharon/plugins/eap_radius/eap_radius_plugin.h
 create mode 100644 src/libcharon/plugins/eap_radius/radius_client.c
 create mode 100644 src/libcharon/plugins/eap_radius/radius_client.h
 create mode 100644 src/libcharon/plugins/eap_radius/radius_message.c
 create mode 100644 src/libcharon/plugins/eap_radius/radius_message.h
 create mode 100644 src/libcharon/plugins/eap_sim/Makefile.am
 create mode 100644 src/libcharon/plugins/eap_sim/Makefile.in
 create mode 100644 src/libcharon/plugins/eap_sim/eap_sim_peer.c
 create mode 100644 src/libcharon/plugins/eap_sim/eap_sim_peer.h
 create mode 100644 src/libcharon/plugins/eap_sim/eap_sim_plugin.c
 create mode 100644 src/libcharon/plugins/eap_sim/eap_sim_plugin.h
 create mode 100644 src/libcharon/plugins/eap_sim/eap_sim_server.c
 create mode 100644 src/libcharon/plugins/eap_sim/eap_sim_server.h
 create mode 100644 src/libcharon/plugins/eap_sim_file/Makefile.am
 create mode 100644 src/libcharon/plugins/eap_sim_file/Makefile.in
 create mode 100644 src/libcharon/plugins/eap_sim_file/eap_sim_file_card.c
 create mode 100644 src/libcharon/plugins/eap_sim_file/eap_sim_file_card.h
 create mode 100644 src/libcharon/plugins/eap_sim_file/eap_sim_file_plugin.c
 create mode 100644 src/libcharon/plugins/eap_sim_file/eap_sim_file_plugin.h
 create mode 100644 src/libcharon/plugins/eap_sim_file/eap_sim_file_provider.c
 create mode 100644 src/libcharon/plugins/eap_sim_file/eap_sim_file_provider.h
 create mode 100644 src/libcharon/plugins/eap_sim_file/eap_sim_file_triplets.c
 create mode 100644 src/libcharon/plugins/eap_sim_file/eap_sim_file_triplets.h
 create mode 100644 src/libcharon/plugins/eap_simaka_pseudonym/Makefile.am
 create mode 100644 src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in
 create mode 100644 src/libcharon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_card.c
 create mode 100644 src/libcharon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_card.h
 create mode 100644 src/libcharon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_plugin.c
 create mode 100644 src/libcharon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_plugin.h
 create mode 100644 src/libcharon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_provider.c
 create mode 100644 src/libcharon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_provider.h
 create mode 100644 src/libcharon/plugins/eap_simaka_reauth/Makefile.am
 create mode 100644 src/libcharon/plugins/eap_simaka_reauth/Makefile.in
 create mode 100644 src/libcharon/plugins/eap_simaka_reauth/eap_simaka_reauth_card.c
 create mode 100644 src/libcharon/plugins/eap_simaka_reauth/eap_simaka_reauth_card.h
 create mode 100644 src/libcharon/plugins/eap_simaka_reauth/eap_simaka_reauth_plugin.c
 create mode 100644 src/libcharon/plugins/eap_simaka_reauth/eap_simaka_reauth_plugin.h
 create mode 100644 src/libcharon/plugins/eap_simaka_reauth/eap_simaka_reauth_provider.c
 create mode 100644 src/libcharon/plugins/eap_simaka_reauth/eap_simaka_reauth_provider.h
 create mode 100644 src/libcharon/plugins/farp/Makefile.am
 create mode 100644 src/libcharon/plugins/farp/Makefile.in
 create mode 100644 src/libcharon/plugins/farp/farp_listener.c
 create mode 100644 src/libcharon/plugins/farp/farp_listener.h
 create mode 100644 src/libcharon/plugins/farp/farp_plugin.c
 create mode 100644 src/libcharon/plugins/farp/farp_plugin.h
 create mode 100644 src/libcharon/plugins/farp/farp_spoofer.c
 create mode 100644 src/libcharon/plugins/farp/farp_spoofer.h
 create mode 100644 src/libcharon/plugins/ha/Makefile.am
 create mode 100644 src/libcharon/plugins/ha/Makefile.in
 create mode 100644 src/libcharon/plugins/ha/ha_child.c
 create mode 100644 src/libcharon/plugins/ha/ha_child.h
 create mode 100644 src/libcharon/plugins/ha/ha_ctl.c
 create mode 100644 src/libcharon/plugins/ha/ha_ctl.h
 create mode 100644 src/libcharon/plugins/ha/ha_dispatcher.c
 create mode 100644 src/libcharon/plugins/ha/ha_dispatcher.h
 create mode 100644 src/libcharon/plugins/ha/ha_ike.c
 create mode 100644 src/libcharon/plugins/ha/ha_ike.h
 create mode 100644 src/libcharon/plugins/ha/ha_kernel.c
 create mode 100644 src/libcharon/plugins/ha/ha_kernel.h
 create mode 100644 src/libcharon/plugins/ha/ha_message.c
 create mode 100644 src/libcharon/plugins/ha/ha_message.h
 create mode 100644 src/libcharon/plugins/ha/ha_plugin.c
 create mode 100644 src/libcharon/plugins/ha/ha_plugin.h
 create mode 100644 src/libcharon/plugins/ha/ha_segments.c
 create mode 100644 src/libcharon/plugins/ha/ha_segments.h
 create mode 100644 src/libcharon/plugins/ha/ha_socket.c
 create mode 100644 src/libcharon/plugins/ha/ha_socket.h
 create mode 100644 src/libcharon/plugins/ha/ha_tunnel.c
 create mode 100644 src/libcharon/plugins/ha/ha_tunnel.h
 create mode 100644 src/libcharon/plugins/kernel_klips/Makefile.am
 create mode 100644 src/libcharon/plugins/kernel_klips/Makefile.in
 create mode 100644 src/libcharon/plugins/kernel_klips/kernel_klips_ipsec.c
 create mode 100644 src/libcharon/plugins/kernel_klips/kernel_klips_ipsec.h
 create mode 100644 src/libcharon/plugins/kernel_klips/kernel_klips_plugin.c
 create mode 100644 src/libcharon/plugins/kernel_klips/kernel_klips_plugin.h
 create mode 100644 src/libcharon/plugins/kernel_klips/pfkeyv2.h
 create mode 100644 src/libcharon/plugins/kernel_netlink/Makefile.am
 create mode 100644 src/libcharon/plugins/kernel_netlink/Makefile.in
 create mode 100644 src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
 create mode 100644 src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.h
 create mode 100644 src/libcharon/plugins/kernel_netlink/kernel_netlink_net.c
 create mode 100644 src/libcharon/plugins/kernel_netlink/kernel_netlink_net.h
 create mode 100644 src/libcharon/plugins/kernel_netlink/kernel_netlink_plugin.c
 create mode 100644 src/libcharon/plugins/kernel_netlink/kernel_netlink_plugin.h
 create mode 100644 src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.c
 create mode 100644 src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.h
 create mode 100644 src/libcharon/plugins/kernel_pfkey/Makefile.am
 create mode 100644 src/libcharon/plugins/kernel_pfkey/Makefile.in
 create mode 100644 src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
 create mode 100644 src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.h
 create mode 100644 src/libcharon/plugins/kernel_pfkey/kernel_pfkey_plugin.c
 create mode 100644 src/libcharon/plugins/kernel_pfkey/kernel_pfkey_plugin.h
 create mode 100644 src/libcharon/plugins/kernel_pfroute/Makefile.am
 create mode 100644 src/libcharon/plugins/kernel_pfroute/Makefile.in
 create mode 100644 src/libcharon/plugins/kernel_pfroute/kernel_pfroute_net.c
 create mode 100644 src/libcharon/plugins/kernel_pfroute/kernel_pfroute_net.h
 create mode 100644 src/libcharon/plugins/kernel_pfroute/kernel_pfroute_plugin.c
 create mode 100644 src/libcharon/plugins/kernel_pfroute/kernel_pfroute_plugin.h
 create mode 100644 src/libcharon/plugins/load_tester/Makefile.am
 create mode 100644 src/libcharon/plugins/load_tester/Makefile.in
 create mode 100644 src/libcharon/plugins/load_tester/load_tester_config.c
 create mode 100644 src/libcharon/plugins/load_tester/load_tester_config.h
 create mode 100644 src/libcharon/plugins/load_tester/load_tester_creds.c
 create mode 100644 src/libcharon/plugins/load_tester/load_tester_creds.h
 create mode 100644 src/libcharon/plugins/load_tester/load_tester_diffie_hellman.c
 create mode 100644 src/libcharon/plugins/load_tester/load_tester_diffie_hellman.h
 create mode 100644 src/libcharon/plugins/load_tester/load_tester_ipsec.c
 create mode 100644 src/libcharon/plugins/load_tester/load_tester_ipsec.h
 create mode 100644 src/libcharon/plugins/load_tester/load_tester_listener.c
 create mode 100644 src/libcharon/plugins/load_tester/load_tester_listener.h
 create mode 100644 src/libcharon/plugins/load_tester/load_tester_plugin.c
 create mode 100644 src/libcharon/plugins/load_tester/load_tester_plugin.h
 create mode 100644 src/libcharon/plugins/medcli/Makefile.am
 create mode 100644 src/libcharon/plugins/medcli/Makefile.in
 create mode 100644 src/libcharon/plugins/medcli/medcli_config.c
 create mode 100644 src/libcharon/plugins/medcli/medcli_config.h
 create mode 100644 src/libcharon/plugins/medcli/medcli_creds.c
 create mode 100644 src/libcharon/plugins/medcli/medcli_creds.h
 create mode 100644 src/libcharon/plugins/medcli/medcli_listener.c
 create mode 100644 src/libcharon/plugins/medcli/medcli_listener.h
 create mode 100644 src/libcharon/plugins/medcli/medcli_plugin.c
 create mode 100644 src/libcharon/plugins/medcli/medcli_plugin.h
 create mode 100644 src/libcharon/plugins/medsrv/Makefile.am
 create mode 100644 src/libcharon/plugins/medsrv/Makefile.in
 create mode 100644 src/libcharon/plugins/medsrv/medsrv_config.c
 create mode 100644 src/libcharon/plugins/medsrv/medsrv_config.h
 create mode 100644 src/libcharon/plugins/medsrv/medsrv_creds.c
 create mode 100644 src/libcharon/plugins/medsrv/medsrv_creds.h
 create mode 100644 src/libcharon/plugins/medsrv/medsrv_plugin.c
 create mode 100644 src/libcharon/plugins/medsrv/medsrv_plugin.h
 create mode 100644 src/libcharon/plugins/nm/Makefile.am
 create mode 100644 src/libcharon/plugins/nm/Makefile.in
 create mode 100644 src/libcharon/plugins/nm/nm_creds.c
 create mode 100644 src/libcharon/plugins/nm/nm_creds.h
 create mode 100644 src/libcharon/plugins/nm/nm_handler.c
 create mode 100644 src/libcharon/plugins/nm/nm_handler.h
 create mode 100644 src/libcharon/plugins/nm/nm_plugin.c
 create mode 100644 src/libcharon/plugins/nm/nm_plugin.h
 create mode 100644 src/libcharon/plugins/nm/nm_service.c
 create mode 100644 src/libcharon/plugins/nm/nm_service.h
 create mode 100644 src/libcharon/plugins/resolve/Makefile.am
 create mode 100644 src/libcharon/plugins/resolve/Makefile.in
 create mode 100644 src/libcharon/plugins/resolve/resolve_handler.c
 create mode 100644 src/libcharon/plugins/resolve/resolve_handler.h
 create mode 100644 src/libcharon/plugins/resolve/resolve_plugin.c
 create mode 100644 src/libcharon/plugins/resolve/resolve_plugin.h
 create mode 100644 src/libcharon/plugins/smp/Makefile.am
 create mode 100644 src/libcharon/plugins/smp/Makefile.in
 create mode 100644 src/libcharon/plugins/smp/smp.c
 create mode 100644 src/libcharon/plugins/smp/smp.h
 create mode 100644 src/libcharon/plugins/socket_default/Makefile.am
 create mode 100644 src/libcharon/plugins/socket_default/Makefile.in
 create mode 100644 src/libcharon/plugins/socket_default/socket_default_plugin.c
 create mode 100644 src/libcharon/plugins/socket_default/socket_default_plugin.h
 create mode 100644 src/libcharon/plugins/socket_default/socket_default_socket.c
 create mode 100644 src/libcharon/plugins/socket_default/socket_default_socket.h
 create mode 100644 src/libcharon/plugins/socket_dynamic/Makefile.am
 create mode 100644 src/libcharon/plugins/socket_dynamic/Makefile.in
 create mode 100644 src/libcharon/plugins/socket_dynamic/socket_dynamic_plugin.c
 create mode 100644 src/libcharon/plugins/socket_dynamic/socket_dynamic_plugin.h
 create mode 100644 src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.c
 create mode 100644 src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.h
 create mode 100644 src/libcharon/plugins/socket_raw/Makefile.am
 create mode 100644 src/libcharon/plugins/socket_raw/Makefile.in
 create mode 100644 src/libcharon/plugins/socket_raw/socket_raw_plugin.c
 create mode 100644 src/libcharon/plugins/socket_raw/socket_raw_plugin.h
 create mode 100644 src/libcharon/plugins/socket_raw/socket_raw_socket.c
 create mode 100644 src/libcharon/plugins/socket_raw/socket_raw_socket.h
 create mode 100644 src/libcharon/plugins/sql/Makefile.am
 create mode 100644 src/libcharon/plugins/sql/Makefile.in
 create mode 100644 src/libcharon/plugins/sql/sql_config.c
 create mode 100644 src/libcharon/plugins/sql/sql_config.h
 create mode 100644 src/libcharon/plugins/sql/sql_cred.c
 create mode 100644 src/libcharon/plugins/sql/sql_cred.h
 create mode 100644 src/libcharon/plugins/sql/sql_logger.c
 create mode 100644 src/libcharon/plugins/sql/sql_logger.h
 create mode 100644 src/libcharon/plugins/sql/sql_plugin.c
 create mode 100644 src/libcharon/plugins/sql/sql_plugin.h
 create mode 100644 src/libcharon/plugins/stroke/Makefile.am
 create mode 100644 src/libcharon/plugins/stroke/Makefile.in
 create mode 100644 src/libcharon/plugins/stroke/stroke_attribute.c
 create mode 100644 src/libcharon/plugins/stroke/stroke_attribute.h
 create mode 100644 src/libcharon/plugins/stroke/stroke_ca.c
 create mode 100644 src/libcharon/plugins/stroke/stroke_ca.h
 create mode 100644 src/libcharon/plugins/stroke/stroke_config.c
 create mode 100644 src/libcharon/plugins/stroke/stroke_config.h
 create mode 100644 src/libcharon/plugins/stroke/stroke_control.c
 create mode 100644 src/libcharon/plugins/stroke/stroke_control.h
 create mode 100644 src/libcharon/plugins/stroke/stroke_cred.c
 create mode 100644 src/libcharon/plugins/stroke/stroke_cred.h
 create mode 100644 src/libcharon/plugins/stroke/stroke_list.c
 create mode 100644 src/libcharon/plugins/stroke/stroke_list.h
 create mode 100644 src/libcharon/plugins/stroke/stroke_plugin.c
 create mode 100644 src/libcharon/plugins/stroke/stroke_plugin.h
 create mode 100644 src/libcharon/plugins/stroke/stroke_shared_key.c
 create mode 100644 src/libcharon/plugins/stroke/stroke_shared_key.h
 create mode 100644 src/libcharon/plugins/stroke/stroke_socket.c
 create mode 100644 src/libcharon/plugins/stroke/stroke_socket.h
 create mode 100644 src/libcharon/plugins/uci/Makefile.am
 create mode 100644 src/libcharon/plugins/uci/Makefile.in
 create mode 100644 src/libcharon/plugins/uci/uci_config.c
 create mode 100644 src/libcharon/plugins/uci/uci_config.h
 create mode 100644 src/libcharon/plugins/uci/uci_control.c
 create mode 100644 src/libcharon/plugins/uci/uci_control.h
 create mode 100644 src/libcharon/plugins/uci/uci_creds.c
 create mode 100644 src/libcharon/plugins/uci/uci_creds.h
 create mode 100644 src/libcharon/plugins/uci/uci_parser.c
 create mode 100644 src/libcharon/plugins/uci/uci_parser.h
 create mode 100644 src/libcharon/plugins/uci/uci_plugin.c
 create mode 100644 src/libcharon/plugins/uci/uci_plugin.h
 create mode 100644 src/libcharon/plugins/unit_tester/Makefile.am
 create mode 100644 src/libcharon/plugins/unit_tester/Makefile.in
 create mode 100644 src/libcharon/plugins/unit_tester/tests.h
 create mode 100644 src/libcharon/plugins/unit_tester/tests/test_agent.c
 create mode 100644 src/libcharon/plugins/unit_tester/tests/test_auth_info.c
 create mode 100644 src/libcharon/plugins/unit_tester/tests/test_cert.c
 create mode 100644 src/libcharon/plugins/unit_tester/tests/test_chunk.c
 create mode 100644 src/libcharon/plugins/unit_tester/tests/test_curl.c
 create mode 100644 src/libcharon/plugins/unit_tester/tests/test_enumerator.c
 create mode 100644 src/libcharon/plugins/unit_tester/tests/test_id.c
 create mode 100644 src/libcharon/plugins/unit_tester/tests/test_med_db.c
 create mode 100644 src/libcharon/plugins/unit_tester/tests/test_mutex.c
 create mode 100644 src/libcharon/plugins/unit_tester/tests/test_mysql.c
 create mode 100644 src/libcharon/plugins/unit_tester/tests/test_pool.c
 create mode 100644 src/libcharon/plugins/unit_tester/tests/test_rsa_gen.c
 create mode 100644 src/libcharon/plugins/unit_tester/tests/test_sqlite.c
 create mode 100644 src/libcharon/plugins/unit_tester/unit_tester.c
 create mode 100644 src/libcharon/plugins/unit_tester/unit_tester.h
 create mode 100644 src/libcharon/plugins/updown/Makefile.am
 create mode 100644 src/libcharon/plugins/updown/Makefile.in
 create mode 100644 src/libcharon/plugins/updown/updown_listener.c
 create mode 100644 src/libcharon/plugins/updown/updown_listener.h
 create mode 100644 src/libcharon/plugins/updown/updown_plugin.c
 create mode 100644 src/libcharon/plugins/updown/updown_plugin.h
 create mode 100644 src/libcharon/processing/jobs/acquire_job.c
 create mode 100644 src/libcharon/processing/jobs/acquire_job.h
 create mode 100644 src/libcharon/processing/jobs/callback_job.c
 create mode 100644 src/libcharon/processing/jobs/callback_job.h
 create mode 100644 src/libcharon/processing/jobs/delete_child_sa_job.c
 create mode 100644 src/libcharon/processing/jobs/delete_child_sa_job.h
 create mode 100644 src/libcharon/processing/jobs/delete_ike_sa_job.c
 create mode 100644 src/libcharon/processing/jobs/delete_ike_sa_job.h
 create mode 100644 src/libcharon/processing/jobs/inactivity_job.c
 create mode 100644 src/libcharon/processing/jobs/inactivity_job.h
 create mode 100644 src/libcharon/processing/jobs/initiate_mediation_job.c
 create mode 100644 src/libcharon/processing/jobs/initiate_mediation_job.h
 create mode 100644 src/libcharon/processing/jobs/job.h
 create mode 100644 src/libcharon/processing/jobs/mediation_job.c
 create mode 100644 src/libcharon/processing/jobs/mediation_job.h
 create mode 100644 src/libcharon/processing/jobs/migrate_job.c
 create mode 100644 src/libcharon/processing/jobs/migrate_job.h
 create mode 100644 src/libcharon/processing/jobs/process_message_job.c
 create mode 100644 src/libcharon/processing/jobs/process_message_job.h
 create mode 100644 src/libcharon/processing/jobs/rekey_child_sa_job.c
 create mode 100644 src/libcharon/processing/jobs/rekey_child_sa_job.h
 create mode 100644 src/libcharon/processing/jobs/rekey_ike_sa_job.c
 create mode 100644 src/libcharon/processing/jobs/rekey_ike_sa_job.h
 create mode 100644 src/libcharon/processing/jobs/retransmit_job.c
 create mode 100644 src/libcharon/processing/jobs/retransmit_job.h
 create mode 100644 src/libcharon/processing/jobs/roam_job.c
 create mode 100644 src/libcharon/processing/jobs/roam_job.h
 create mode 100644 src/libcharon/processing/jobs/send_dpd_job.c
 create mode 100644 src/libcharon/processing/jobs/send_dpd_job.h
 create mode 100644 src/libcharon/processing/jobs/send_keepalive_job.c
 create mode 100644 src/libcharon/processing/jobs/send_keepalive_job.h
 create mode 100644 src/libcharon/processing/jobs/update_sa_job.c
 create mode 100644 src/libcharon/processing/jobs/update_sa_job.h
 create mode 100644 src/libcharon/processing/processor.c
 create mode 100644 src/libcharon/processing/processor.h
 create mode 100644 src/libcharon/processing/scheduler.c
 create mode 100644 src/libcharon/processing/scheduler.h
 create mode 100644 src/libcharon/sa/authenticators/authenticator.c
 create mode 100644 src/libcharon/sa/authenticators/authenticator.h
 create mode 100644 src/libcharon/sa/authenticators/eap/eap_manager.c
 create mode 100644 src/libcharon/sa/authenticators/eap/eap_manager.h
 create mode 100644 src/libcharon/sa/authenticators/eap/eap_method.c
 create mode 100644 src/libcharon/sa/authenticators/eap/eap_method.h
 create mode 100644 src/libcharon/sa/authenticators/eap/sim_manager.c
 create mode 100644 src/libcharon/sa/authenticators/eap/sim_manager.h
 create mode 100644 src/libcharon/sa/authenticators/eap_authenticator.c
 create mode 100644 src/libcharon/sa/authenticators/eap_authenticator.h
 create mode 100644 src/libcharon/sa/authenticators/psk_authenticator.c
 create mode 100644 src/libcharon/sa/authenticators/psk_authenticator.h
 create mode 100644 src/libcharon/sa/authenticators/pubkey_authenticator.c
 create mode 100644 src/libcharon/sa/authenticators/pubkey_authenticator.h
 create mode 100644 src/libcharon/sa/child_sa.c
 create mode 100644 src/libcharon/sa/child_sa.h
 create mode 100644 src/libcharon/sa/connect_manager.c
 create mode 100644 src/libcharon/sa/connect_manager.h
 create mode 100644 src/libcharon/sa/ike_sa.c
 create mode 100644 src/libcharon/sa/ike_sa.h
 create mode 100644 src/libcharon/sa/ike_sa_id.c
 create mode 100644 src/libcharon/sa/ike_sa_id.h
 create mode 100644 src/libcharon/sa/ike_sa_manager.c
 create mode 100644 src/libcharon/sa/ike_sa_manager.h
 create mode 100644 src/libcharon/sa/keymat.c
 create mode 100644 src/libcharon/sa/keymat.h
 create mode 100644 src/libcharon/sa/mediation_manager.c
 create mode 100644 src/libcharon/sa/mediation_manager.h
 create mode 100644 src/libcharon/sa/task_manager.c
 create mode 100644 src/libcharon/sa/task_manager.h
 create mode 100644 src/libcharon/sa/tasks/child_create.c
 create mode 100644 src/libcharon/sa/tasks/child_create.h
 create mode 100644 src/libcharon/sa/tasks/child_delete.c
 create mode 100644 src/libcharon/sa/tasks/child_delete.h
 create mode 100644 src/libcharon/sa/tasks/child_rekey.c
 create mode 100644 src/libcharon/sa/tasks/child_rekey.h
 create mode 100644 src/libcharon/sa/tasks/ike_auth.c
 create mode 100644 src/libcharon/sa/tasks/ike_auth.h
 create mode 100644 src/libcharon/sa/tasks/ike_auth_lifetime.c
 create mode 100644 src/libcharon/sa/tasks/ike_auth_lifetime.h
 create mode 100644 src/libcharon/sa/tasks/ike_cert_post.c
 create mode 100644 src/libcharon/sa/tasks/ike_cert_post.h
 create mode 100644 src/libcharon/sa/tasks/ike_cert_pre.c
 create mode 100644 src/libcharon/sa/tasks/ike_cert_pre.h
 create mode 100644 src/libcharon/sa/tasks/ike_config.c
 create mode 100644 src/libcharon/sa/tasks/ike_config.h
 create mode 100644 src/libcharon/sa/tasks/ike_delete.c
 create mode 100644 src/libcharon/sa/tasks/ike_delete.h
 create mode 100644 src/libcharon/sa/tasks/ike_dpd.c
 create mode 100644 src/libcharon/sa/tasks/ike_dpd.h
 create mode 100644 src/libcharon/sa/tasks/ike_init.c
 create mode 100644 src/libcharon/sa/tasks/ike_init.h
 create mode 100644 src/libcharon/sa/tasks/ike_me.c
 create mode 100644 src/libcharon/sa/tasks/ike_me.h
 create mode 100644 src/libcharon/sa/tasks/ike_mobike.c
 create mode 100644 src/libcharon/sa/tasks/ike_mobike.h
 create mode 100644 src/libcharon/sa/tasks/ike_natd.c
 create mode 100644 src/libcharon/sa/tasks/ike_natd.h
 create mode 100644 src/libcharon/sa/tasks/ike_reauth.c
 create mode 100644 src/libcharon/sa/tasks/ike_reauth.h
 create mode 100644 src/libcharon/sa/tasks/ike_rekey.c
 create mode 100644 src/libcharon/sa/tasks/ike_rekey.h
 create mode 100644 src/libcharon/sa/tasks/ike_vendor.c
 create mode 100644 src/libcharon/sa/tasks/ike_vendor.h
 create mode 100644 src/libcharon/sa/tasks/task.c
 create mode 100644 src/libcharon/sa/tasks/task.h
 create mode 100644 src/libcharon/sa/trap_manager.c
 create mode 100644 src/libcharon/sa/trap_manager.h
 create mode 100644 src/libfast/smtp.c
 create mode 100644 src/libfast/smtp.h
 create mode 100644 src/libhydra/Android.mk
 create mode 100644 src/libhydra/Makefile.am
 create mode 100644 src/libhydra/Makefile.in
 create mode 100644 src/libhydra/attributes/attribute_handler.h
 create mode 100644 src/libhydra/attributes/attribute_manager.c
 create mode 100644 src/libhydra/attributes/attribute_manager.h
 create mode 100644 src/libhydra/attributes/attribute_provider.h
 create mode 100644 src/libhydra/attributes/attributes.c
 create mode 100644 src/libhydra/attributes/attributes.h
 create mode 100644 src/libhydra/attributes/mem_pool.c
 create mode 100644 src/libhydra/attributes/mem_pool.h
 create mode 100644 src/libhydra/hydra.c
 create mode 100644 src/libhydra/hydra.h
 create mode 100644 src/libhydra/plugins/attr/Makefile.am
 create mode 100644 src/libhydra/plugins/attr/Makefile.in
 create mode 100644 src/libhydra/plugins/attr/attr_plugin.c
 create mode 100644 src/libhydra/plugins/attr/attr_plugin.h
 create mode 100644 src/libhydra/plugins/attr/attr_provider.c
 create mode 100644 src/libhydra/plugins/attr/attr_provider.h
 create mode 100644 src/libhydra/plugins/attr_sql/Makefile.am
 create mode 100644 src/libhydra/plugins/attr_sql/Makefile.in
 create mode 100644 src/libhydra/plugins/attr_sql/attr_sql_plugin.c
 create mode 100644 src/libhydra/plugins/attr_sql/attr_sql_plugin.h
 create mode 100644 src/libhydra/plugins/attr_sql/pool.c
 create mode 100644 src/libhydra/plugins/attr_sql/sql_attribute.c
 create mode 100644 src/libhydra/plugins/attr_sql/sql_attribute.h
 create mode 100644 src/libstrongswan/Android.mk
 create mode 100644 src/libstrongswan/AndroidConfigLocal.h
 delete mode 100644 src/libstrongswan/attributes/attribute_handler.h
 delete mode 100644 src/libstrongswan/attributes/attribute_manager.c
 delete mode 100644 src/libstrongswan/attributes/attribute_manager.h
 delete mode 100644 src/libstrongswan/attributes/attribute_provider.h
 delete mode 100644 src/libstrongswan/attributes/attributes.c
 delete mode 100644 src/libstrongswan/attributes/attributes.h
 delete mode 100644 src/libstrongswan/plugins/attr_sql/Makefile.am
 delete mode 100644 src/libstrongswan/plugins/attr_sql/Makefile.in
 delete mode 100644 src/libstrongswan/plugins/attr_sql/attr_sql_plugin.c
 delete mode 100644 src/libstrongswan/plugins/attr_sql/attr_sql_plugin.h
 delete mode 100644 src/libstrongswan/plugins/attr_sql/pool.c
 delete mode 100644 src/libstrongswan/plugins/attr_sql/sql_attribute.c
 delete mode 100644 src/libstrongswan/plugins/attr_sql/sql_attribute.h
 create mode 100644 src/libstrongswan/plugins/openssl/openssl_sha1_prf.c
 create mode 100644 src/libstrongswan/plugins/openssl/openssl_sha1_prf.h
 create mode 100644 src/libstrongswan/plugins/pem/pem_encoder.c
 create mode 100644 src/libstrongswan/plugins/pem/pem_encoder.h
 create mode 100644 src/pluto/whack_attribute.c
 create mode 100644 src/pluto/whack_attribute.h
 create mode 100644 testing/hosts/winnetou/etc/openssl/newcerts/1F.pem
 create mode 100644 testing/hosts/winnetou/etc/openssl/newcerts/20.pem
 create mode 100644 testing/hosts/winnetou/etc/openssl/newcerts/21.pem
 create mode 100644 testing/hosts/winnetou/etc/openssl/research/newcerts/06.pem
 create mode 100644 testing/hosts/winnetou/etc/openssl/sales/index.txt.attr.old
 create mode 100644 testing/hosts/winnetou/etc/openssl/sales/newcerts/05.pem
 create mode 100644 testing/tests/ike2/description.txt
 create mode 100644 testing/tests/ike2/evaltest.dat
 create mode 100644 testing/tests/ike2/hosts/bob/etc/hosts
 create mode 100755 testing/tests/ike2/hosts/moon/etc/ipsec.conf
 create mode 100755 testing/tests/ike2/hosts/moon/etc/nat_updown
 create mode 100644 testing/tests/ike2/hosts/moon/etc/strongswan.conf
 create mode 100755 testing/tests/ike2/hosts/sun/etc/ipsec.conf
 create mode 100644 testing/tests/ike2/hosts/sun/etc/strongswan.conf
 create mode 100644 testing/tests/ike2/posttest.dat
 create mode 100644 testing/tests/ike2/pretest.dat
 create mode 100644 testing/tests/ike2/test.conf
 create mode 100644 testing/tests/ikev1/alg-modp-subgroup/description.txt
 create mode 100644 testing/tests/ikev1/alg-modp-subgroup/evaltest.dat
 create mode 100755 testing/tests/ikev1/alg-modp-subgroup/hosts/carol/etc/ipsec.conf
 create mode 100755 testing/tests/ikev1/alg-modp-subgroup/hosts/dave/etc/ipsec.conf
 create mode 100755 testing/tests/ikev1/alg-modp-subgroup/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev1/alg-modp-subgroup/posttest.dat
 create mode 100644 testing/tests/ikev1/alg-modp-subgroup/pretest.dat
 create mode 100644 testing/tests/ikev1/alg-modp-subgroup/test.conf
 create mode 100644 testing/tests/ikev1/esp-alg-aes-gmac/description.txt
 create mode 100644 testing/tests/ikev1/esp-alg-aes-gmac/evaltest.dat
 create mode 100755 testing/tests/ikev1/esp-alg-aes-gmac/hosts/carol/etc/ipsec.conf
 create mode 100755 testing/tests/ikev1/esp-alg-aes-gmac/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev1/esp-alg-aes-gmac/posttest.dat
 create mode 100644 testing/tests/ikev1/esp-alg-aes-gmac/pretest.dat
 create mode 100644 testing/tests/ikev1/esp-alg-aes-gmac/test.conf
 create mode 100644 testing/tests/ikev1/ip-pool/description.txt
 create mode 100644 testing/tests/ikev1/ip-pool/evaltest.dat
 create mode 100755 testing/tests/ikev1/ip-pool/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/ikev1/ip-pool/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/ikev1/ip-pool/hosts/dave/etc/ipsec.conf
 create mode 100644 testing/tests/ikev1/ip-pool/hosts/dave/etc/strongswan.conf
 create mode 100755 testing/tests/ikev1/ip-pool/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev1/ip-pool/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev1/ip-pool/posttest.dat
 create mode 100644 testing/tests/ikev1/ip-pool/pretest.dat
 create mode 100644 testing/tests/ikev1/ip-pool/test.conf
 create mode 100644 testing/tests/ikev1/ip-two-pools-mixed/description.txt
 create mode 100644 testing/tests/ikev1/ip-two-pools-mixed/evaltest.dat
 create mode 100755 testing/tests/ikev1/ip-two-pools-mixed/hosts/alice/etc/init.d/iptables
 create mode 100755 testing/tests/ikev1/ip-two-pools-mixed/hosts/alice/etc/ipsec.conf
 create mode 100644 testing/tests/ikev1/ip-two-pools-mixed/hosts/alice/etc/strongswan.conf
 create mode 100755 testing/tests/ikev1/ip-two-pools-mixed/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/ikev1/ip-two-pools-mixed/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/ikev1/ip-two-pools-mixed/hosts/moon/etc/init.d/iptables
 create mode 100755 testing/tests/ikev1/ip-two-pools-mixed/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev1/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev1/ip-two-pools-mixed/posttest.dat
 create mode 100644 testing/tests/ikev1/ip-two-pools-mixed/pretest.dat
 create mode 100644 testing/tests/ikev1/ip-two-pools-mixed/test.conf
 create mode 100644 testing/tests/ikev1/ip-two-pools/description.txt
 create mode 100644 testing/tests/ikev1/ip-two-pools/evaltest.dat
 create mode 100755 testing/tests/ikev1/ip-two-pools/hosts/alice/etc/init.d/iptables
 create mode 100755 testing/tests/ikev1/ip-two-pools/hosts/alice/etc/ipsec.conf
 create mode 100644 testing/tests/ikev1/ip-two-pools/hosts/alice/etc/strongswan.conf
 create mode 100755 testing/tests/ikev1/ip-two-pools/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/ikev1/ip-two-pools/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/ikev1/ip-two-pools/hosts/moon/etc/init.d/iptables
 create mode 100755 testing/tests/ikev1/ip-two-pools/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev1/ip-two-pools/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev1/ip-two-pools/posttest.dat
 create mode 100644 testing/tests/ikev1/ip-two-pools/pretest.dat
 create mode 100644 testing/tests/ikev1/ip-two-pools/test.conf
 create mode 100644 testing/tests/ikev2/alg-modp-subgroup/description.txt
 create mode 100644 testing/tests/ikev2/alg-modp-subgroup/evaltest.dat
 create mode 100755 testing/tests/ikev2/alg-modp-subgroup/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/alg-modp-subgroup/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/alg-modp-subgroup/hosts/dave/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/alg-modp-subgroup/hosts/dave/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/alg-modp-subgroup/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/alg-modp-subgroup/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/alg-modp-subgroup/posttest.dat
 create mode 100644 testing/tests/ikev2/alg-modp-subgroup/pretest.dat
 create mode 100644 testing/tests/ikev2/alg-modp-subgroup/test.conf
 create mode 100644 testing/tests/ikev2/dhcp-dynamic/description.txt
 create mode 100644 testing/tests/ikev2/dhcp-dynamic/evaltest.dat
 create mode 100755 testing/tests/ikev2/dhcp-dynamic/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/dhcp-dynamic/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/dhcp-dynamic/hosts/dave/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/dhcp-dynamic/hosts/dave/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/dhcpd.conf
 create mode 100755 testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/init.d/iptables
 create mode 100755 testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/dhcp-dynamic/hosts/venus/etc/dhcpd.conf
 create mode 100644 testing/tests/ikev2/dhcp-dynamic/hosts/venus/etc/dnsmasq.conf
 create mode 100755 testing/tests/ikev2/dhcp-dynamic/hosts/venus/etc/init.d/dhcpd
 create mode 100644 testing/tests/ikev2/dhcp-dynamic/posttest.dat
 create mode 100644 testing/tests/ikev2/dhcp-dynamic/pretest.dat
 create mode 100644 testing/tests/ikev2/dhcp-dynamic/test.conf
 create mode 100644 testing/tests/ikev2/dhcp-static-client-id/description.txt
 create mode 100644 testing/tests/ikev2/dhcp-static-client-id/evaltest.dat
 create mode 100755 testing/tests/ikev2/dhcp-static-client-id/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/dhcp-static-client-id/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/dhcp-static-client-id/hosts/dave/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/dhcp-static-client-id/hosts/dave/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/dhcpd.conf
 create mode 100755 testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/init.d/iptables
 create mode 100755 testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/dhcp-static-client-id/hosts/venus/etc/dhcpd.conf
 create mode 100644 testing/tests/ikev2/dhcp-static-client-id/hosts/venus/etc/dnsmasq.conf
 create mode 100755 testing/tests/ikev2/dhcp-static-client-id/hosts/venus/etc/init.d/dhcpd
 create mode 100644 testing/tests/ikev2/dhcp-static-client-id/posttest.dat
 create mode 100644 testing/tests/ikev2/dhcp-static-client-id/pretest.dat
 create mode 100644 testing/tests/ikev2/dhcp-static-client-id/test.conf
 create mode 100644 testing/tests/ikev2/dhcp-static-mac/description.txt
 create mode 100644 testing/tests/ikev2/dhcp-static-mac/evaltest.dat
 create mode 100755 testing/tests/ikev2/dhcp-static-mac/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/dhcp-static-mac/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/dhcp-static-mac/hosts/dave/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/dhcp-static-mac/hosts/dave/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/dhcpd.conf
 create mode 100755 testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/init.d/iptables
 create mode 100755 testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/dhcp-static-mac/hosts/venus/etc/dhcpd.conf
 create mode 100644 testing/tests/ikev2/dhcp-static-mac/hosts/venus/etc/dnsmasq.conf
 create mode 100755 testing/tests/ikev2/dhcp-static-mac/hosts/venus/etc/init.d/dhcpd
 create mode 100644 testing/tests/ikev2/dhcp-static-mac/posttest.dat
 create mode 100644 testing/tests/ikev2/dhcp-static-mac/pretest.dat
 create mode 100644 testing/tests/ikev2/dhcp-static-mac/test.conf
 create mode 100644 testing/tests/ikev2/esp-alg-aes-gmac/description.txt
 create mode 100644 testing/tests/ikev2/esp-alg-aes-gmac/evaltest.dat
 create mode 100755 testing/tests/ikev2/esp-alg-aes-gmac/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/esp-alg-aes-gmac/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/esp-alg-aes-gmac/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/esp-alg-aes-gmac/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/esp-alg-aes-gmac/posttest.dat
 create mode 100644 testing/tests/ikev2/esp-alg-aes-gmac/pretest.dat
 create mode 100644 testing/tests/ikev2/esp-alg-aes-gmac/test.conf
 create mode 100644 testing/tests/ikev2/farp/description.txt
 create mode 100644 testing/tests/ikev2/farp/evaltest.dat
 create mode 100755 testing/tests/ikev2/farp/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/farp/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/farp/hosts/dave/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/farp/hosts/dave/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/farp/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/farp/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/farp/posttest.dat
 create mode 100644 testing/tests/ikev2/farp/pretest.dat
 create mode 100644 testing/tests/ikev2/farp/test.conf

(limited to 'src/libstrongswan/plugins')

diff --git a/Android.mk b/Android.mk
new file mode 100644
index 000000000..0cda18302
--- /dev/null
+++ b/Android.mk
@@ -0,0 +1,64 @@
+LOCAL_PATH := $(call my-dir)
+include $(CLEAR_VARS)
+
+# this is the list of plugins that are built into libstrongswan and charon
+# also these plugins are loaded by default (if not changed in strongswan.conf)
+strongswan_PLUGINS := openssl fips-prf random x509 pubkey pkcs1 \
+	pem xcbc hmac kernel-netlink socket-default android
+
+# helper macros to only add source files for plugins included in the list above
+# source files are relative to the android.mk that called the macro
+plugin_enabled = $(findstring $(1), $(strongswan_PLUGINS))
+add_plugin = $(if $(call plugin_enabled,$(1)), \
+               $(patsubst $(LOCAL_PATH)/%,%, \
+                 $(wildcard \
+                   $(LOCAL_PATH)/plugins/$(subst -,_,$(strip $(1)))/*.c \
+                  ) \
+                ) \
+              )
+
+# includes
+strongswan_PATH := $(LOCAL_PATH)
+libvstr_PATH := external/strongswan-support/vstr/include
+libgmp_PATH := external/strongswan-support/gmp
+
+# CFLAGS (partially from a configure run using droid-gcc)
+strongswan_CFLAGS := \
+	-Wno-format \
+	-Wno-pointer-sign \
+	-Wno-pointer-arith \
+	-Wno-sign-compare \
+	-Wno-strict-aliasing \
+	-DHAVE___BOOL \
+	-DHAVE_STDBOOL_H \
+	-DHAVE_ALLOCA_H \
+	-DHAVE_ALLOCA \
+	-DHAVE_CLOCK_GETTIME \
+	-DHAVE_PTHREAD_COND_TIMEDWAIT_MONOTONIC \
+	-DHAVE_PRCTL \
+	-DHAVE_LINUX_UDP_H \
+	-DHAVE_STRUCT_SADB_X_POLICY_SADB_X_POLICY_PRIORITY \
+	-DHAVE_IPSEC_MODE_BEET \
+	-DHAVE_IPSEC_DIR_FWD \
+	-DMONOLITHIC \
+	-DUSE_VSTR \
+	-DROUTING_TABLE=0 \
+	-DROUTING_TABLE_PRIO=220 \
+	-DVERSION=\"4.4.0\" \
+	-DPLUGINS='"$(strongswan_PLUGINS)"' \
+	-DIPSEC_DIR=\"/system/bin\" \
+	-DIPSEC_PIDDIR=\"/data/misc/vpn\" \
+	-DSTRONGSWAN_CONF=\"/system/etc/strongswan.conf\" \
+	-DDEV_RANDOM=\"/dev/random\" \
+	-DDEV_URANDOM=\"/dev/urandom\"
+
+# only for Android 2.0+
+strongswan_CFLAGS += \
+	-DHAVE_IN6ADDR_ANY
+
+include $(addprefix $(LOCAL_PATH)/src/,$(addsuffix /Android.mk, \
+		charon \
+		libcharon \
+		libhydra \
+		libstrongswan \
+	))
diff --git a/Android.mk.in b/Android.mk.in
new file mode 100644
index 000000000..4a4b7df96
--- /dev/null
+++ b/Android.mk.in
@@ -0,0 +1,64 @@
+LOCAL_PATH := $(call my-dir)
+include $(CLEAR_VARS)
+
+# this is the list of plugins that are built into libstrongswan and charon
+# also these plugins are loaded by default (if not changed in strongswan.conf)
+strongswan_PLUGINS := openssl fips-prf random x509 pubkey pkcs1 \
+	pem xcbc hmac kernel-netlink socket-default android
+
+# helper macros to only add source files for plugins included in the list above
+# source files are relative to the android.mk that called the macro
+plugin_enabled = $(findstring $(1), $(strongswan_PLUGINS))
+add_plugin = $(if $(call plugin_enabled,$(1)), \
+               $(patsubst $(LOCAL_PATH)/%,%, \
+                 $(wildcard \
+                   $(LOCAL_PATH)/plugins/$(subst -,_,$(strip $(1)))/*.c \
+                  ) \
+                ) \
+              )
+
+# includes
+strongswan_PATH := $(LOCAL_PATH)
+libvstr_PATH := external/strongswan-support/vstr/include
+libgmp_PATH := external/strongswan-support/gmp
+
+# CFLAGS (partially from a configure run using droid-gcc)
+strongswan_CFLAGS := \
+	-Wno-format \
+	-Wno-pointer-sign \
+	-Wno-pointer-arith \
+	-Wno-sign-compare \
+	-Wno-strict-aliasing \
+	-DHAVE___BOOL \
+	-DHAVE_STDBOOL_H \
+	-DHAVE_ALLOCA_H \
+	-DHAVE_ALLOCA \
+	-DHAVE_CLOCK_GETTIME \
+	-DHAVE_PTHREAD_COND_TIMEDWAIT_MONOTONIC \
+	-DHAVE_PRCTL \
+	-DHAVE_LINUX_UDP_H \
+	-DHAVE_STRUCT_SADB_X_POLICY_SADB_X_POLICY_PRIORITY \
+	-DHAVE_IPSEC_MODE_BEET \
+	-DHAVE_IPSEC_DIR_FWD \
+	-DMONOLITHIC \
+	-DUSE_VSTR \
+	-DROUTING_TABLE=0 \
+	-DROUTING_TABLE_PRIO=220 \
+	-DVERSION=\"@PACKAGE_VERSION@\" \
+	-DPLUGINS='"$(strongswan_PLUGINS)"' \
+	-DIPSEC_DIR=\"/system/bin\" \
+	-DIPSEC_PIDDIR=\"/data/misc/vpn\" \
+	-DSTRONGSWAN_CONF=\"/system/etc/strongswan.conf\" \
+	-DDEV_RANDOM=\"/dev/random\" \
+	-DDEV_URANDOM=\"/dev/urandom\"
+
+# only for Android 2.0+
+strongswan_CFLAGS += \
+	-DHAVE_IN6ADDR_ANY
+
+include $(addprefix $(LOCAL_PATH)/src/,$(addsuffix /Android.mk, \
+		charon \
+		libcharon \
+		libhydra \
+		libstrongswan \
+	))
diff --git a/Doxyfile.in b/Doxyfile.in
index 8cb6e50a5..b79c9909d 100644
--- a/Doxyfile.in
+++ b/Doxyfile.in
@@ -528,7 +528,8 @@ WARN_LOGFILE           =
 # with spaces.
 
 INPUT                  = @SRC_DIR@/src/libstrongswan \
-                         @SRC_DIR@/src/charon \
+                         @SRC_DIR@/src/libhydra \
+                         @SRC_DIR@/src/libcharon \
                          @SRC_DIR@/src/libsimaka \
                          @SRC_DIR@/src/libfast \
                          @SRC_DIR@/src/manager
diff --git a/Makefile.am b/Makefile.am
index fcb2f2e7a..6ed121f67 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -6,8 +6,15 @@ endif
 
 ACLOCAL_AMFLAGS = -I m4/config
 
-EXTRA_DIST = Doxyfile.in CREDITS
+EXTRA_DIST = Doxyfile.in CREDITS Android.mk.in Android.mk
 CLEANFILES = apidoc Doxyfile
+BUILT_SOURCES = Android.mk
+MAINTAINERCLEANFILES = Android.mk
+
+Android.mk :	Android.mk.in configure.in
+		sed \
+		-e "s:\@PACKAGE_VERSION\@:$(PACKAGE_VERSION):" \
+		$(srcdir)/$@.in > $@
 
 Doxyfile :	Doxyfile.in
 		sed \
diff --git a/Makefile.in b/Makefile.in
index 6e97ac768..d4f18d054 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -229,6 +229,7 @@ ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libhydra_plugins = @libhydra_plugins@
 libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
@@ -265,9 +266,12 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 SUBDIRS = src testing $(am__append_1)
 ACLOCAL_AMFLAGS = -I m4/config
-EXTRA_DIST = Doxyfile.in CREDITS
+EXTRA_DIST = Doxyfile.in CREDITS Android.mk.in Android.mk
 CLEANFILES = apidoc Doxyfile
-all: all-recursive
+BUILT_SOURCES = Android.mk
+MAINTAINERCLEANFILES = Android.mk
+all: $(BUILT_SOURCES)
+	$(MAKE) $(AM_MAKEFLAGS) all-recursive
 
 .SUFFIXES:
 am--refresh:
@@ -626,11 +630,13 @@ distcleancheck: distclean
 	       $(distcleancheck_listfiles) ; \
 	       exit 1; } >&2
 check-am: all-am
-check: check-recursive
+check: $(BUILT_SOURCES)
+	$(MAKE) $(AM_MAKEFLAGS) check-recursive
 all-am: Makefile
 installdirs: installdirs-recursive
 installdirs-am:
-install: install-recursive
+install: $(BUILT_SOURCES)
+	$(MAKE) $(AM_MAKEFLAGS) install-recursive
 install-exec: install-exec-recursive
 install-data: install-data-recursive
 uninstall: uninstall-recursive
@@ -656,6 +662,8 @@ distclean-generic:
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
 	@echo "it deletes files that may require special tools to rebuild."
+	-test -z "$(BUILT_SOURCES)" || rm -f $(BUILT_SOURCES)
+	-test -z "$(MAINTAINERCLEANFILES)" || rm -f $(MAINTAINERCLEANFILES)
 clean: clean-recursive
 
 clean-am: clean-generic clean-libtool mostlyclean-am
@@ -726,8 +734,9 @@ ps-am:
 
 uninstall-am:
 
-.MAKE: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) ctags-recursive \
-	install-am install-strip tags-recursive
+.MAKE: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) all check \
+	ctags-recursive install install-am install-strip \
+	tags-recursive
 
 .PHONY: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) CTAGS GTAGS \
 	all all-am am--refresh check check-am clean clean-generic \
@@ -746,6 +755,11 @@ uninstall-am:
 	tags tags-recursive uninstall uninstall-am
 
 
+Android.mk :	Android.mk.in configure.in
+		sed \
+		-e "s:\@PACKAGE_VERSION\@:$(PACKAGE_VERSION):" \
+		$(srcdir)/$@.in > $@
+
 Doxyfile :	Doxyfile.in
 		sed \
 		-e "s:\@PACKAGE_VERSION\@:$(PACKAGE_VERSION):" \
diff --git a/NEWS b/NEWS
index 1ba8b7c49..bd4e770cd 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,52 @@
+strongswan-4.4.0
+----------------
+
+- The IKEv2 High Availability plugin has been integrated. It provides
+  load sharing and failover capabilities in a cluster of currently two nodes,
+  based on an extend ClusterIP kernel module. More information is available at
+  http://wiki.strongswan.org/projects/strongswan/wiki/HighAvailability.
+  The development of the High Availability functionality was sponsored by
+  secunet Security Networks AG.
+
+- Added IKEv1 and IKEv2 configuration support for the AES-GMAC
+  authentication-only ESP cipher. Our aes_gmac kernel patch or a Linux
+  2.6.34 kernel is required to make AES-GMAC available via the XFRM
+  kernel interface.
+
+- Added support for Diffie-Hellman groups 22, 23 and 24 to the gmp, gcrypt
+  and openssl plugins, usable by both pluto and charon. The new proposal
+  keywords are modp1024s160, modp2048s224 and modp2048s256. Thanks to Joy Latten
+  from IBM for his contribution.
+
+- The IKEv1 pluto daemon supports RAM-based virtual IP pools using
+  the rightsourceip directive with a subnet from which addresses
+  are allocated.
+
+- The ipsec pki --gen and --pub commands now allow the output of
+  private and public keys in PEM format using the --outform pem
+  command line option.
+
+- The new DHCP plugin queries virtual IP addresses for clients from a DHCP
+  server using broadcasts, or a defined server using the
+  charon.plugins.dhcp.server strongswan.conf option. DNS/WINS server information
+  is additionally served to clients if the DHCP server provides such
+  information. The plugin is used in ipsec.conf configurations having
+  rightsourceip set to %dhcp.
+
+- A new plugin called farp fakes ARP responses for virtual IP addresses
+  handed out to clients from the IKEv2 daemon charon. The plugin lets a
+  road-warrior act as a client on the local LAN if it uses a virtual IP
+  from the responders subnet, e.g. acquired using the DHCP plugin.
+
+- The existing IKEv2 socket implementations have been migrated to the
+  socket-default and the socket-raw plugins. The new socket-dynamic plugin
+  binds sockets dynamically to ports configured via the left-/rightikeport
+  ipsec.conf connection parameters.
+
+- The android charon plugin stores received DNS server information as "net.dns"
+  system properties, as used by the Android platform.
+
+
 strongswan-4.3.6
 ----------------
 
diff --git a/configure b/configure
index e36ba904c..952734d15 100755
--- a/configure
+++ b/configure
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.64 for strongSwan 4.3.6.
+# Generated by GNU Autoconf 2.64 for strongSwan 4.4.0.
 #
 # Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
 # 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software
@@ -695,8 +695,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='strongSwan'
 PACKAGE_TARNAME='strongswan'
-PACKAGE_VERSION='4.3.6'
-PACKAGE_STRING='strongSwan 4.3.6'
+PACKAGE_VERSION='4.4.0'
+PACKAGE_STRING='strongSwan 4.4.0'
 PACKAGE_BUGREPORT=''
 PACKAGE_URL=''
 
@@ -740,12 +740,16 @@ ac_subst_vars='am__EXEEXT_FALSE
 am__EXEEXT_TRUE
 LTLIBOBJS
 LIBOBJS
+MONOLITHIC_FALSE
+MONOLITHIC_TRUE
 USE_SIMAKA_FALSE
 USE_SIMAKA_TRUE
 USE_VSTR_FALSE
 USE_VSTR_TRUE
 USE_FILE_CONFIG_FALSE
 USE_FILE_CONFIG_TRUE
+USE_LIBHYDRA_FALSE
+USE_LIBHYDRA_TRUE
 USE_LIBSTRONGSWAN_FALSE
 USE_LIBSTRONGSWAN_TRUE
 USE_SCRIPTS_FALSE
@@ -784,6 +788,14 @@ USE_CISCO_QUIRKS_FALSE
 USE_CISCO_QUIRKS_TRUE
 USE_SMARTCARD_FALSE
 USE_SMARTCARD_TRUE
+USE_FARP_FALSE
+USE_FARP_TRUE
+USE_SOCKET_DYNAMIC_FALSE
+USE_SOCKET_DYNAMIC_TRUE
+USE_SOCKET_RAW_FALSE
+USE_SOCKET_RAW_TRUE
+USE_SOCKET_DEFAULT_FALSE
+USE_SOCKET_DEFAULT_TRUE
 USE_KERNEL_KLIPS_FALSE
 USE_KERNEL_KLIPS_TRUE
 USE_KERNEL_PFROUTE_FALSE
@@ -814,12 +826,16 @@ USE_EAP_SIM_FILE_FALSE
 USE_EAP_SIM_FILE_TRUE
 USE_EAP_SIM_FALSE
 USE_EAP_SIM_TRUE
+USE_HA_FALSE
+USE_HA_TRUE
 USE_LOAD_TESTER_FALSE
 USE_LOAD_TESTER_TRUE
 USE_UNIT_TESTS_FALSE
 USE_UNIT_TESTS_TRUE
 USE_RESOLVE_FALSE
 USE_RESOLVE_TRUE
+USE_DHCP_FALSE
+USE_DHCP_TRUE
 USE_ATTR_FALSE
 USE_ATTR_TRUE
 USE_UPDOWN_FALSE
@@ -828,6 +844,8 @@ USE_SQL_FALSE
 USE_SQL_TRUE
 USE_SMP_FALSE
 USE_SMP_TRUE
+USE_ANDROID_FALSE
+USE_ANDROID_TRUE
 USE_UCI_FALSE
 USE_UCI_TRUE
 USE_NM_FALSE
@@ -895,6 +913,7 @@ USE_CURL_TRUE
 USE_TEST_VECTORS_FALSE
 USE_TEST_VECTORS_TRUE
 pluto_plugins
+libhydra_plugins
 libstrongswan_plugins
 nm_LIBS
 nm_CFLAGS
@@ -1058,6 +1077,7 @@ with_linux_headers
 with_routing_table
 with_routing_table_prio
 with_capabilities
+with_mpz_powm_sec
 with_xauth_module
 with_user
 with_group
@@ -1110,6 +1130,10 @@ enable_kernel_netlink
 enable_kernel_pfkey
 enable_kernel_pfroute
 enable_kernel_klips
+enable_socket_default
+enable_socket_raw
+enable_socket_dynamic
+enable_farp
 enable_nat_transport
 enable_vendor_id
 enable_xauth_vid
@@ -1126,14 +1150,18 @@ enable_scripts
 enable_updown
 enable_attr
 enable_attr_sql
+enable_dhcp
 enable_resolve
 enable_padlock
 enable_openssl
 enable_gcrypt
 enable_agent
 enable_uci
+enable_android
 enable_nm
+enable_ha
 enable_vstr
+enable_monolithic
 enable_dependency_tracking
 with_lib_prefix
 enable_shared
@@ -1702,7 +1730,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures strongSwan 4.3.6 to adapt to many kinds of systems.
+\`configure' configures strongSwan 4.4.0 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1772,7 +1800,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of strongSwan 4.3.6:";;
+     short | recursive ) echo "Configuration of strongSwan 4.4.0:";;
    esac
   cat <<\_ACEOF
 
@@ -1843,6 +1871,13 @@ Optional Features:
   --enable-kernel-pfkey   enable the PF_KEY kernel interface.
   --enable-kernel-pfroute enable the PF_ROUTE kernel interface.
   --enable-kernel-klips   enable the KLIPS kernel interface.
+  --disable-socket-default
+                          disable default socket implementation for charon.
+  --enable-socket-raw     enable raw socket implementation of charon, enforced
+                          if pluto is enabled
+  --enable-socket-dynamic enable dynamic socket implementation for charon
+  --enable-farp           enable ARP faking plugin that responds to ARP
+                          requests to peers virtual IP
   --enable-nat-transport  enable NAT traversal with IPsec transport mode in
                           pluto.
   --disable-vendor-id     disable the sending of the strongSwan vendor ID in
@@ -1867,15 +1902,21 @@ Optional Features:
   --disable-attr          disable strongswan.conf based configuration
                           attribute plugin.
   --enable-attr-sql       enable SQL based configuration attribute plugin.
+  --enable-dhcp           enable DHCP based attribute provider plugin.
   --disable-resolve       disable resolve DNS handler plugin.
   --enable-padlock        enables VIA Padlock crypto plugin.
   --enable-openssl        enables the OpenSSL crypto plugin.
   --enable-gcrypt         enables the libgcrypt plugin.
   --enable-agent          enables the ssh-agent signing plugin.
   --enable-uci            enable OpenWRT UCI configuration plugin.
+  --enable-android        enable Android specific plugin.
   --enable-nm             enable NetworkManager plugin.
+  --enable-ha             enable high availability cluster plugin.
   --enable-vstr           enforce using the Vstr string library to replace
                           glibc-like printf hooks.
+  --enable-monolithic     build monolithic version of libstrongswan that
+                          includes all enabled plugins. Similarly, the plugins
+                          of charon are assembled in libcharon.
   --disable-dependency-tracking  speeds up one-time build
   --enable-dependency-tracking   do not reject slow dependency extractors
   --enable-shared[=PKGS]  build shared libraries [default=yes]
@@ -1919,6 +1960,8 @@ Optional Packages:
                           set priority for IPsec routing table (default: 220).
   --with-capabilities=arg set capability dropping library. Currently only the
                           value "libcap" is supported (default: no).
+  --with-mpz_powm_sec=arg use the more side-channel resistant mpz_powm_sec in
+                          libgmp, if available (default: yes).
   --with-xauth-module=lib set the path to the XAUTH module
   --with-user=user        change user of the daemons to "user" after startup
                           (default is "root").
@@ -2018,7 +2061,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-strongSwan configure 4.3.6
+strongSwan configure 4.4.0
 generated by GNU Autoconf 2.64
 
 Copyright (C) 2009 Free Software Foundation, Inc.
@@ -2494,7 +2537,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by strongSwan $as_me 4.3.6, which was
+It was created by strongSwan $as_me 4.4.0, which was
 generated by GNU Autoconf 2.64.  Invocation command line was
 
   $ $0 $@
@@ -3302,7 +3345,7 @@ fi
 
 # Define the identity of the package.
  PACKAGE='strongswan'
- VERSION='4.3.6'
+ VERSION='4.4.0'
 
 
 cat >>confdefs.h <<_ACEOF
@@ -3710,6 +3753,16 @@ fi
 
 
 
+# Check whether --with-mpz_powm_sec was given.
+if test "${with_mpz_powm_sec+set}" = set; then :
+  withval=$with_mpz_powm_sec; mpz_powm_sec="$withval"
+else
+  mpz_powm_sec=yes
+
+fi
+
+
+
 
 # Check whether --with-xauth-module was given.
 if test "${with_xauth_module+set}" = set; then :
@@ -3764,949 +3817,1215 @@ fi
 
 # Check whether --enable-curl was given.
 if test "${enable_curl+set}" = set; then :
-  enableval=$enable_curl; if test x$enableval = xyes; then
+  enableval=$enable_curl; curl_given=true
+		if test x$enableval = xyes; then
 			curl=true
 		 else
 			curl=false
 		fi
 else
   curl=false
+		curl_given=false
 
 fi
 
 
 # Check whether --enable-ldap was given.
 if test "${enable_ldap+set}" = set; then :
-  enableval=$enable_ldap; if test x$enableval = xyes; then
+  enableval=$enable_ldap; ldap_given=true
+		if test x$enableval = xyes; then
 			ldap=true
 		 else
 			ldap=false
 		fi
 else
   ldap=false
+		ldap_given=false
 
 fi
 
 
 # Check whether --enable-aes was given.
 if test "${enable_aes+set}" = set; then :
-  enableval=$enable_aes; if test x$enableval = xyes; then
+  enableval=$enable_aes; aes_given=true
+		if test x$enableval = xyes; then
 			aes=true
 		 else
 			aes=false
 		fi
 else
   aes=true
+		aes_given=false
 
 fi
 
 
 # Check whether --enable-des was given.
 if test "${enable_des+set}" = set; then :
-  enableval=$enable_des; if test x$enableval = xyes; then
+  enableval=$enable_des; des_given=true
+		if test x$enableval = xyes; then
 			des=true
 		 else
 			des=false
 		fi
 else
   des=true
+		des_given=false
 
 fi
 
 
 # Check whether --enable-blowfish was given.
 if test "${enable_blowfish+set}" = set; then :
-  enableval=$enable_blowfish; if test x$enableval = xyes; then
+  enableval=$enable_blowfish; blowfish_given=true
+		if test x$enableval = xyes; then
 			blowfish=true
 		 else
 			blowfish=false
 		fi
 else
   blowfish=false
+		blowfish_given=false
 
 fi
 
 
 # Check whether --enable-md4 was given.
 if test "${enable_md4+set}" = set; then :
-  enableval=$enable_md4; if test x$enableval = xyes; then
+  enableval=$enable_md4; md4_given=true
+		if test x$enableval = xyes; then
 			md4=true
 		 else
 			md4=false
 		fi
 else
   md4=false
+		md4_given=false
 
 fi
 
 
 # Check whether --enable-md5 was given.
 if test "${enable_md5+set}" = set; then :
-  enableval=$enable_md5; if test x$enableval = xyes; then
+  enableval=$enable_md5; md5_given=true
+		if test x$enableval = xyes; then
 			md5=true
 		 else
 			md5=false
 		fi
 else
   md5=true
+		md5_given=false
 
 fi
 
 
 # Check whether --enable-sha1 was given.
 if test "${enable_sha1+set}" = set; then :
-  enableval=$enable_sha1; if test x$enableval = xyes; then
+  enableval=$enable_sha1; sha1_given=true
+		if test x$enableval = xyes; then
 			sha1=true
 		 else
 			sha1=false
 		fi
 else
   sha1=true
+		sha1_given=false
 
 fi
 
 
 # Check whether --enable-sha2 was given.
 if test "${enable_sha2+set}" = set; then :
-  enableval=$enable_sha2; if test x$enableval = xyes; then
+  enableval=$enable_sha2; sha2_given=true
+		if test x$enableval = xyes; then
 			sha2=true
 		 else
 			sha2=false
 		fi
 else
   sha2=true
+		sha2_given=false
 
 fi
 
 
 # Check whether --enable-fips-prf was given.
 if test "${enable_fips_prf+set}" = set; then :
-  enableval=$enable_fips_prf; if test x$enableval = xyes; then
+  enableval=$enable_fips_prf; fips_prf_given=true
+		if test x$enableval = xyes; then
 			fips_prf=true
 		 else
 			fips_prf=false
 		fi
 else
   fips_prf=true
+		fips_prf_given=false
 
 fi
 
 
 # Check whether --enable-gmp was given.
 if test "${enable_gmp+set}" = set; then :
-  enableval=$enable_gmp; if test x$enableval = xyes; then
+  enableval=$enable_gmp; gmp_given=true
+		if test x$enableval = xyes; then
 			gmp=true
 		 else
 			gmp=false
 		fi
 else
   gmp=true
+		gmp_given=false
 
 fi
 
 
 # Check whether --enable-random was given.
 if test "${enable_random+set}" = set; then :
-  enableval=$enable_random; if test x$enableval = xyes; then
+  enableval=$enable_random; random_given=true
+		if test x$enableval = xyes; then
 			random=true
 		 else
 			random=false
 		fi
 else
   random=true
+		random_given=false
 
 fi
 
 
 # Check whether --enable-x509 was given.
 if test "${enable_x509+set}" = set; then :
-  enableval=$enable_x509; if test x$enableval = xyes; then
+  enableval=$enable_x509; x509_given=true
+		if test x$enableval = xyes; then
 			x509=true
 		 else
 			x509=false
 		fi
 else
   x509=true
+		x509_given=false
 
 fi
 
 
 # Check whether --enable-pubkey was given.
 if test "${enable_pubkey+set}" = set; then :
-  enableval=$enable_pubkey; if test x$enableval = xyes; then
+  enableval=$enable_pubkey; pubkey_given=true
+		if test x$enableval = xyes; then
 			pubkey=true
 		 else
 			pubkey=false
 		fi
 else
   pubkey=true
+		pubkey_given=false
 
 fi
 
 
 # Check whether --enable-pkcs1 was given.
 if test "${enable_pkcs1+set}" = set; then :
-  enableval=$enable_pkcs1; if test x$enableval = xyes; then
+  enableval=$enable_pkcs1; pkcs1_given=true
+		if test x$enableval = xyes; then
 			pkcs1=true
 		 else
 			pkcs1=false
 		fi
 else
   pkcs1=true
+		pkcs1_given=false
 
 fi
 
 
 # Check whether --enable-pgp was given.
 if test "${enable_pgp+set}" = set; then :
-  enableval=$enable_pgp; if test x$enableval = xyes; then
+  enableval=$enable_pgp; pgp_given=true
+		if test x$enableval = xyes; then
 			pgp=true
 		 else
 			pgp=false
 		fi
 else
   pgp=true
+		pgp_given=false
 
 fi
 
 
 # Check whether --enable-dnskey was given.
 if test "${enable_dnskey+set}" = set; then :
-  enableval=$enable_dnskey; if test x$enableval = xyes; then
+  enableval=$enable_dnskey; dnskey_given=true
+		if test x$enableval = xyes; then
 			dnskey=true
 		 else
 			dnskey=false
 		fi
 else
   dnskey=true
+		dnskey_given=false
 
 fi
 
 
 # Check whether --enable-pem was given.
 if test "${enable_pem+set}" = set; then :
-  enableval=$enable_pem; if test x$enableval = xyes; then
+  enableval=$enable_pem; pem_given=true
+		if test x$enableval = xyes; then
 			pem=true
 		 else
 			pem=false
 		fi
 else
   pem=true
+		pem_given=false
 
 fi
 
 
 # Check whether --enable-hmac was given.
 if test "${enable_hmac+set}" = set; then :
-  enableval=$enable_hmac; if test x$enableval = xyes; then
+  enableval=$enable_hmac; hmac_given=true
+		if test x$enableval = xyes; then
 			hmac=true
 		 else
 			hmac=false
 		fi
 else
   hmac=true
+		hmac_given=false
 
 fi
 
 
 # Check whether --enable-xcbc was given.
 if test "${enable_xcbc+set}" = set; then :
-  enableval=$enable_xcbc; if test x$enableval = xyes; then
+  enableval=$enable_xcbc; xcbc_given=true
+		if test x$enableval = xyes; then
 			xcbc=true
 		 else
 			xcbc=false
 		fi
 else
   xcbc=true
+		xcbc_given=false
 
 fi
 
 
 # Check whether --enable-test-vectors was given.
 if test "${enable_test_vectors+set}" = set; then :
-  enableval=$enable_test_vectors; if test x$enableval = xyes; then
+  enableval=$enable_test_vectors; test_vectors_given=true
+		if test x$enableval = xyes; then
 			test_vectors=true
 		 else
 			test_vectors=false
 		fi
 else
   test_vectors=false
+		test_vectors_given=false
 
 fi
 
 
 # Check whether --enable-mysql was given.
 if test "${enable_mysql+set}" = set; then :
-  enableval=$enable_mysql; if test x$enableval = xyes; then
+  enableval=$enable_mysql; mysql_given=true
+		if test x$enableval = xyes; then
 			mysql=true
 		 else
 			mysql=false
 		fi
 else
   mysql=false
+		mysql_given=false
 
 fi
 
 
 # Check whether --enable-sqlite was given.
 if test "${enable_sqlite+set}" = set; then :
-  enableval=$enable_sqlite; if test x$enableval = xyes; then
+  enableval=$enable_sqlite; sqlite_given=true
+		if test x$enableval = xyes; then
 			sqlite=true
 		 else
 			sqlite=false
 		fi
 else
   sqlite=false
+		sqlite_given=false
 
 fi
 
 
 # Check whether --enable-stroke was given.
 if test "${enable_stroke+set}" = set; then :
-  enableval=$enable_stroke; if test x$enableval = xyes; then
+  enableval=$enable_stroke; stroke_given=true
+		if test x$enableval = xyes; then
 			stroke=true
 		 else
 			stroke=false
 		fi
 else
   stroke=true
+		stroke_given=false
 
 fi
 
 
 # Check whether --enable-medsrv was given.
 if test "${enable_medsrv+set}" = set; then :
-  enableval=$enable_medsrv; if test x$enableval = xyes; then
+  enableval=$enable_medsrv; medsrv_given=true
+		if test x$enableval = xyes; then
 			medsrv=true
 		 else
 			medsrv=false
 		fi
 else
   medsrv=false
+		medsrv_given=false
 
 fi
 
 
 # Check whether --enable-medcli was given.
 if test "${enable_medcli+set}" = set; then :
-  enableval=$enable_medcli; if test x$enableval = xyes; then
+  enableval=$enable_medcli; medcli_given=true
+		if test x$enableval = xyes; then
 			medcli=true
 		 else
 			medcli=false
 		fi
 else
   medcli=false
+		medcli_given=false
 
 fi
 
 
 # Check whether --enable-smp was given.
 if test "${enable_smp+set}" = set; then :
-  enableval=$enable_smp; if test x$enableval = xyes; then
+  enableval=$enable_smp; smp_given=true
+		if test x$enableval = xyes; then
 			smp=true
 		 else
 			smp=false
 		fi
 else
   smp=false
+		smp_given=false
 
 fi
 
 
 # Check whether --enable-sql was given.
 if test "${enable_sql+set}" = set; then :
-  enableval=$enable_sql; if test x$enableval = xyes; then
+  enableval=$enable_sql; sql_given=true
+		if test x$enableval = xyes; then
 			sql=true
 		 else
 			sql=false
 		fi
 else
   sql=false
+		sql_given=false
 
 fi
 
 
 # Check whether --enable-smartcard was given.
 if test "${enable_smartcard+set}" = set; then :
-  enableval=$enable_smartcard; if test x$enableval = xyes; then
+  enableval=$enable_smartcard; smartcard_given=true
+		if test x$enableval = xyes; then
 			smartcard=true
 		 else
 			smartcard=false
 		fi
 else
   smartcard=false
+		smartcard_given=false
 
 fi
 
 
 # Check whether --enable-cisco-quirks was given.
 if test "${enable_cisco_quirks+set}" = set; then :
-  enableval=$enable_cisco_quirks; if test x$enableval = xyes; then
+  enableval=$enable_cisco_quirks; cisco_quirks_given=true
+		if test x$enableval = xyes; then
 			cisco_quirks=true
 		 else
 			cisco_quirks=false
 		fi
 else
   cisco_quirks=false
+		cisco_quirks_given=false
 
 fi
 
 
 # Check whether --enable-leak-detective was given.
 if test "${enable_leak_detective+set}" = set; then :
-  enableval=$enable_leak_detective; if test x$enableval = xyes; then
+  enableval=$enable_leak_detective; leak_detective_given=true
+		if test x$enableval = xyes; then
 			leak_detective=true
 		 else
 			leak_detective=false
 		fi
 else
   leak_detective=false
+		leak_detective_given=false
 
 fi
 
 
 # Check whether --enable-lock-profiler was given.
 if test "${enable_lock_profiler+set}" = set; then :
-  enableval=$enable_lock_profiler; if test x$enableval = xyes; then
+  enableval=$enable_lock_profiler; lock_profiler_given=true
+		if test x$enableval = xyes; then
 			lock_profiler=true
 		 else
 			lock_profiler=false
 		fi
 else
   lock_profiler=false
+		lock_profiler_given=false
 
 fi
 
 
 # Check whether --enable-unit-tests was given.
 if test "${enable_unit_tests+set}" = set; then :
-  enableval=$enable_unit_tests; if test x$enableval = xyes; then
+  enableval=$enable_unit_tests; unit_tests_given=true
+		if test x$enableval = xyes; then
 			unit_tests=true
 		 else
 			unit_tests=false
 		fi
 else
   unit_tests=false
+		unit_tests_given=false
 
 fi
 
 
 # Check whether --enable-load-tester was given.
 if test "${enable_load_tester+set}" = set; then :
-  enableval=$enable_load_tester; if test x$enableval = xyes; then
+  enableval=$enable_load_tester; load_tester_given=true
+		if test x$enableval = xyes; then
 			load_tester=true
 		 else
 			load_tester=false
 		fi
 else
   load_tester=false
+		load_tester_given=false
 
 fi
 
 
 # Check whether --enable-eap-sim was given.
 if test "${enable_eap_sim+set}" = set; then :
-  enableval=$enable_eap_sim; if test x$enableval = xyes; then
+  enableval=$enable_eap_sim; eap_sim_given=true
+		if test x$enableval = xyes; then
 			eap_sim=true
 		 else
 			eap_sim=false
 		fi
 else
   eap_sim=false
+		eap_sim_given=false
 
 fi
 
 
 # Check whether --enable-eap-sim-file was given.
 if test "${enable_eap_sim_file+set}" = set; then :
-  enableval=$enable_eap_sim_file; if test x$enableval = xyes; then
+  enableval=$enable_eap_sim_file; eap_sim_file_given=true
+		if test x$enableval = xyes; then
 			eap_sim_file=true
 		 else
 			eap_sim_file=false
 		fi
 else
   eap_sim_file=false
+		eap_sim_file_given=false
 
 fi
 
 
 # Check whether --enable-eap-simaka-pseudonym was given.
 if test "${enable_eap_simaka_pseudonym+set}" = set; then :
-  enableval=$enable_eap_simaka_pseudonym; if test x$enableval = xyes; then
+  enableval=$enable_eap_simaka_pseudonym; eap_simaka_pseudonym_given=true
+		if test x$enableval = xyes; then
 			eap_simaka_pseudonym=true
 		 else
 			eap_simaka_pseudonym=false
 		fi
 else
   eap_simaka_pseudonym=false
+		eap_simaka_pseudonym_given=false
 
 fi
 
 
 # Check whether --enable-eap-simaka-reauth was given.
 if test "${enable_eap_simaka_reauth+set}" = set; then :
-  enableval=$enable_eap_simaka_reauth; if test x$enableval = xyes; then
+  enableval=$enable_eap_simaka_reauth; eap_simaka_reauth_given=true
+		if test x$enableval = xyes; then
 			eap_simaka_reauth=true
 		 else
 			eap_simaka_reauth=false
 		fi
 else
   eap_simaka_reauth=false
+		eap_simaka_reauth_given=false
 
 fi
 
 
 # Check whether --enable-eap-identity was given.
 if test "${enable_eap_identity+set}" = set; then :
-  enableval=$enable_eap_identity; if test x$enableval = xyes; then
+  enableval=$enable_eap_identity; eap_identity_given=true
+		if test x$enableval = xyes; then
 			eap_identity=true
 		 else
 			eap_identity=false
 		fi
 else
   eap_identity=false
+		eap_identity_given=false
 
 fi
 
 
 # Check whether --enable-eap-md5 was given.
 if test "${enable_eap_md5+set}" = set; then :
-  enableval=$enable_eap_md5; if test x$enableval = xyes; then
+  enableval=$enable_eap_md5; eap_md5_given=true
+		if test x$enableval = xyes; then
 			eap_md5=true
 		 else
 			eap_md5=false
 		fi
 else
   eap_md5=false
+		eap_md5_given=false
 
 fi
 
 
 # Check whether --enable-eap-gtc was given.
 if test "${enable_eap_gtc+set}" = set; then :
-  enableval=$enable_eap_gtc; if test x$enableval = xyes; then
+  enableval=$enable_eap_gtc; eap_gtc_given=true
+		if test x$enableval = xyes; then
 			eap_gtc=true
 		 else
 			eap_gtc=false
 		fi
 else
   eap_gtc=false
+		eap_gtc_given=false
 
 fi
 
 
 # Check whether --enable-eap-aka was given.
 if test "${enable_eap_aka+set}" = set; then :
-  enableval=$enable_eap_aka; if test x$enableval = xyes; then
+  enableval=$enable_eap_aka; eap_aka_given=true
+		if test x$enableval = xyes; then
 			eap_aka=true
 		 else
 			eap_aka=false
 		fi
 else
   eap_aka=false
+		eap_aka_given=false
 
 fi
 
 
 # Check whether --enable-eap-aka-3gpp2 was given.
 if test "${enable_eap_aka_3gpp2+set}" = set; then :
-  enableval=$enable_eap_aka_3gpp2; if test x$enableval = xyes; then
+  enableval=$enable_eap_aka_3gpp2; eap_aka_3gpp2_given=true
+		if test x$enableval = xyes; then
 			eap_aka_3gpp2=true
 		 else
 			eap_aka_3gpp2=false
 		fi
 else
   eap_aka_3gpp2=false
+		eap_aka_3gpp2_given=false
 
 fi
 
 
 # Check whether --enable-eap-mschapv2 was given.
 if test "${enable_eap_mschapv2+set}" = set; then :
-  enableval=$enable_eap_mschapv2; if test x$enableval = xyes; then
+  enableval=$enable_eap_mschapv2; eap_mschapv2_given=true
+		if test x$enableval = xyes; then
 			eap_mschapv2=true
 		 else
 			eap_mschapv2=false
 		fi
 else
   eap_mschapv2=false
+		eap_mschapv2_given=false
 
 fi
 
 
 # Check whether --enable-eap-radius was given.
 if test "${enable_eap_radius+set}" = set; then :
-  enableval=$enable_eap_radius; if test x$enableval = xyes; then
+  enableval=$enable_eap_radius; eap_radius_given=true
+		if test x$enableval = xyes; then
 			eap_radius=true
 		 else
 			eap_radius=false
 		fi
 else
   eap_radius=false
+		eap_radius_given=false
 
 fi
 
 
 # Check whether --enable-kernel-netlink was given.
 if test "${enable_kernel_netlink+set}" = set; then :
-  enableval=$enable_kernel_netlink; if test x$enableval = xyes; then
+  enableval=$enable_kernel_netlink; kernel_netlink_given=true
+		if test x$enableval = xyes; then
 			kernel_netlink=true
 		 else
 			kernel_netlink=false
 		fi
 else
   kernel_netlink=true
+		kernel_netlink_given=false
 
 fi
 
 
 # Check whether --enable-kernel-pfkey was given.
 if test "${enable_kernel_pfkey+set}" = set; then :
-  enableval=$enable_kernel_pfkey; if test x$enableval = xyes; then
+  enableval=$enable_kernel_pfkey; kernel_pfkey_given=true
+		if test x$enableval = xyes; then
 			kernel_pfkey=true
 		 else
 			kernel_pfkey=false
 		fi
 else
   kernel_pfkey=false
+		kernel_pfkey_given=false
 
 fi
 
 
 # Check whether --enable-kernel-pfroute was given.
 if test "${enable_kernel_pfroute+set}" = set; then :
-  enableval=$enable_kernel_pfroute; if test x$enableval = xyes; then
+  enableval=$enable_kernel_pfroute; kernel_pfroute_given=true
+		if test x$enableval = xyes; then
 			kernel_pfroute=true
 		 else
 			kernel_pfroute=false
 		fi
 else
   kernel_pfroute=false
+		kernel_pfroute_given=false
 
 fi
 
 
 # Check whether --enable-kernel-klips was given.
 if test "${enable_kernel_klips+set}" = set; then :
-  enableval=$enable_kernel_klips; if test x$enableval = xyes; then
+  enableval=$enable_kernel_klips; kernel_klips_given=true
+		if test x$enableval = xyes; then
 			kernel_klips=true
 		 else
 			kernel_klips=false
 		fi
 else
   kernel_klips=false
+		kernel_klips_given=false
+
+fi
+
+
+# Check whether --enable-socket-default was given.
+if test "${enable_socket_default+set}" = set; then :
+  enableval=$enable_socket_default; socket_default_given=true
+		if test x$enableval = xyes; then
+			socket_default=true
+		 else
+			socket_default=false
+		fi
+else
+  socket_default=true
+		socket_default_given=false
+
+fi
+
+
+# Check whether --enable-socket-raw was given.
+if test "${enable_socket_raw+set}" = set; then :
+  enableval=$enable_socket_raw; socket_raw_given=true
+		if test x$enableval = xyes; then
+			socket_raw=true
+		 else
+			socket_raw=false
+		fi
+else
+  socket_raw=false
+		socket_raw_given=false
+
+fi
+
+
+# Check whether --enable-socket-dynamic was given.
+if test "${enable_socket_dynamic+set}" = set; then :
+  enableval=$enable_socket_dynamic; socket_dynamic_given=true
+		if test x$enableval = xyes; then
+			socket_dynamic=true
+		 else
+			socket_dynamic=false
+		fi
+else
+  socket_dynamic=false
+		socket_dynamic_given=false
+
+fi
+
+
+# Check whether --enable-farp was given.
+if test "${enable_farp+set}" = set; then :
+  enableval=$enable_farp; farp_given=true
+		if test x$enableval = xyes; then
+			farp=true
+		 else
+			farp=false
+		fi
+else
+  farp=false
+		farp_given=false
 
 fi
 
 
 # Check whether --enable-nat-transport was given.
 if test "${enable_nat_transport+set}" = set; then :
-  enableval=$enable_nat_transport; if test x$enableval = xyes; then
+  enableval=$enable_nat_transport; nat_transport_given=true
+		if test x$enableval = xyes; then
 			nat_transport=true
 		 else
 			nat_transport=false
 		fi
 else
   nat_transport=false
+		nat_transport_given=false
 
 fi
 
 
 # Check whether --enable-vendor-id was given.
 if test "${enable_vendor_id+set}" = set; then :
-  enableval=$enable_vendor_id; if test x$enableval = xyes; then
+  enableval=$enable_vendor_id; vendor_id_given=true
+		if test x$enableval = xyes; then
 			vendor_id=true
 		 else
 			vendor_id=false
 		fi
 else
   vendor_id=true
+		vendor_id_given=false
 
 fi
 
 
 # Check whether --enable-xauth-vid was given.
 if test "${enable_xauth_vid+set}" = set; then :
-  enableval=$enable_xauth_vid; if test x$enableval = xyes; then
+  enableval=$enable_xauth_vid; xauth_vid_given=true
+		if test x$enableval = xyes; then
 			xauth_vid=true
 		 else
 			xauth_vid=false
 		fi
 else
   xauth_vid=true
+		xauth_vid_given=false
 
 fi
 
 
 # Check whether --enable-dumm was given.
 if test "${enable_dumm+set}" = set; then :
-  enableval=$enable_dumm; if test x$enableval = xyes; then
+  enableval=$enable_dumm; dumm_given=true
+		if test x$enableval = xyes; then
 			dumm=true
 		 else
 			dumm=false
 		fi
 else
   dumm=false
+		dumm_given=false
 
 fi
 
 
 # Check whether --enable-fast was given.
 if test "${enable_fast+set}" = set; then :
-  enableval=$enable_fast; if test x$enableval = xyes; then
+  enableval=$enable_fast; fast_given=true
+		if test x$enableval = xyes; then
 			fast=true
 		 else
 			fast=false
 		fi
 else
   fast=false
+		fast_given=false
 
 fi
 
 
 # Check whether --enable-manager was given.
 if test "${enable_manager+set}" = set; then :
-  enableval=$enable_manager; if test x$enableval = xyes; then
+  enableval=$enable_manager; manager_given=true
+		if test x$enableval = xyes; then
 			manager=true
 		 else
 			manager=false
 		fi
 else
   manager=false
+		manager_given=false
 
 fi
 
 
 # Check whether --enable-mediation was given.
 if test "${enable_mediation+set}" = set; then :
-  enableval=$enable_mediation; if test x$enableval = xyes; then
+  enableval=$enable_mediation; mediation_given=true
+		if test x$enableval = xyes; then
 			mediation=true
 		 else
 			mediation=false
 		fi
 else
   mediation=false
+		mediation_given=false
 
 fi
 
 
 # Check whether --enable-integrity-test was given.
 if test "${enable_integrity_test+set}" = set; then :
-  enableval=$enable_integrity_test; if test x$enableval = xyes; then
+  enableval=$enable_integrity_test; integrity_test_given=true
+		if test x$enableval = xyes; then
 			integrity_test=true
 		 else
 			integrity_test=false
 		fi
 else
   integrity_test=false
+		integrity_test_given=false
 
 fi
 
 
 # Check whether --enable-pluto was given.
 if test "${enable_pluto+set}" = set; then :
-  enableval=$enable_pluto; if test x$enableval = xyes; then
+  enableval=$enable_pluto; pluto_given=true
+		if test x$enableval = xyes; then
 			pluto=true
 		 else
 			pluto=false
 		fi
 else
   pluto=true
+		pluto_given=false
 
 fi
 
 
 # Check whether --enable-threads was given.
 if test "${enable_threads+set}" = set; then :
-  enableval=$enable_threads; if test x$enableval = xyes; then
+  enableval=$enable_threads; threads_given=true
+		if test x$enableval = xyes; then
 			threads=true
 		 else
 			threads=false
 		fi
 else
   threads=true
+		threads_given=false
 
 fi
 
 
 # Check whether --enable-charon was given.
 if test "${enable_charon+set}" = set; then :
-  enableval=$enable_charon; if test x$enableval = xyes; then
+  enableval=$enable_charon; charon_given=true
+		if test x$enableval = xyes; then
 			charon=true
 		 else
 			charon=false
 		fi
 else
   charon=true
+		charon_given=false
 
 fi
 
 
 # Check whether --enable-tools was given.
 if test "${enable_tools+set}" = set; then :
-  enableval=$enable_tools; if test x$enableval = xyes; then
+  enableval=$enable_tools; tools_given=true
+		if test x$enableval = xyes; then
 			tools=true
 		 else
 			tools=false
 		fi
 else
   tools=true
+		tools_given=false
 
 fi
 
 
 # Check whether --enable-scripts was given.
 if test "${enable_scripts+set}" = set; then :
-  enableval=$enable_scripts; if test x$enableval = xyes; then
+  enableval=$enable_scripts; scripts_given=true
+		if test x$enableval = xyes; then
 			scripts=true
 		 else
 			scripts=false
 		fi
 else
   scripts=true
+		scripts_given=false
 
 fi
 
 
 # Check whether --enable-updown was given.
 if test "${enable_updown+set}" = set; then :
-  enableval=$enable_updown; if test x$enableval = xyes; then
+  enableval=$enable_updown; updown_given=true
+		if test x$enableval = xyes; then
 			updown=true
 		 else
 			updown=false
 		fi
 else
   updown=true
+		updown_given=false
 
 fi
 
 
 # Check whether --enable-attr was given.
 if test "${enable_attr+set}" = set; then :
-  enableval=$enable_attr; if test x$enableval = xyes; then
+  enableval=$enable_attr; attr_given=true
+		if test x$enableval = xyes; then
 			attr=true
 		 else
 			attr=false
 		fi
 else
   attr=true
+		attr_given=false
 
 fi
 
 
 # Check whether --enable-attr-sql was given.
 if test "${enable_attr_sql+set}" = set; then :
-  enableval=$enable_attr_sql; if test x$enableval = xyes; then
+  enableval=$enable_attr_sql; attr_sql_given=true
+		if test x$enableval = xyes; then
 			attr_sql=true
 		 else
 			attr_sql=false
 		fi
 else
   attr_sql=false
+		attr_sql_given=false
+
+fi
+
+
+# Check whether --enable-dhcp was given.
+if test "${enable_dhcp+set}" = set; then :
+  enableval=$enable_dhcp; dhcp_given=true
+		if test x$enableval = xyes; then
+			dhcp=true
+		 else
+			dhcp=false
+		fi
+else
+  dhcp=false
+		dhcp_given=false
 
 fi
 
 
 # Check whether --enable-resolve was given.
 if test "${enable_resolve+set}" = set; then :
-  enableval=$enable_resolve; if test x$enableval = xyes; then
+  enableval=$enable_resolve; resolve_given=true
+		if test x$enableval = xyes; then
 			resolve=true
 		 else
 			resolve=false
 		fi
 else
   resolve=true
+		resolve_given=false
 
 fi
 
 
 # Check whether --enable-padlock was given.
 if test "${enable_padlock+set}" = set; then :
-  enableval=$enable_padlock; if test x$enableval = xyes; then
+  enableval=$enable_padlock; padlock_given=true
+		if test x$enableval = xyes; then
 			padlock=true
 		 else
 			padlock=false
 		fi
 else
   padlock=false
+		padlock_given=false
 
 fi
 
 
 # Check whether --enable-openssl was given.
 if test "${enable_openssl+set}" = set; then :
-  enableval=$enable_openssl; if test x$enableval = xyes; then
+  enableval=$enable_openssl; openssl_given=true
+		if test x$enableval = xyes; then
 			openssl=true
 		 else
 			openssl=false
 		fi
 else
   openssl=false
+		openssl_given=false
 
 fi
 
 
 # Check whether --enable-gcrypt was given.
 if test "${enable_gcrypt+set}" = set; then :
-  enableval=$enable_gcrypt; if test x$enableval = xyes; then
+  enableval=$enable_gcrypt; gcrypt_given=true
+		if test x$enableval = xyes; then
 			gcrypt=true
 		 else
 			gcrypt=false
 		fi
 else
   gcrypt=false
+		gcrypt_given=false
 
 fi
 
 
 # Check whether --enable-agent was given.
 if test "${enable_agent+set}" = set; then :
-  enableval=$enable_agent; if test x$enableval = xyes; then
+  enableval=$enable_agent; agent_given=true
+		if test x$enableval = xyes; then
 			agent=true
 		 else
 			agent=false
 		fi
 else
   agent=false
+		agent_given=false
 
 fi
 
 
 # Check whether --enable-uci was given.
 if test "${enable_uci+set}" = set; then :
-  enableval=$enable_uci; if test x$enableval = xyes; then
+  enableval=$enable_uci; uci_given=true
+		if test x$enableval = xyes; then
 			uci=true
 		 else
 			uci=false
 		fi
 else
   uci=false
+		uci_given=false
+
+fi
+
+
+# Check whether --enable-android was given.
+if test "${enable_android+set}" = set; then :
+  enableval=$enable_android; android_given=true
+		if test x$enableval = xyes; then
+			android=true
+		 else
+			android=false
+		fi
+else
+  android=false
+		android_given=false
 
 fi
 
 
 # Check whether --enable-nm was given.
 if test "${enable_nm+set}" = set; then :
-  enableval=$enable_nm; if test x$enableval = xyes; then
+  enableval=$enable_nm; nm_given=true
+		if test x$enableval = xyes; then
 			nm=true
 		 else
 			nm=false
 		fi
 else
   nm=false
+		nm_given=false
+
+fi
+
+
+# Check whether --enable-ha was given.
+if test "${enable_ha+set}" = set; then :
+  enableval=$enable_ha; ha_given=true
+		if test x$enableval = xyes; then
+			ha=true
+		 else
+			ha=false
+		fi
+else
+  ha=false
+		ha_given=false
 
 fi
 
 
 # Check whether --enable-vstr was given.
 if test "${enable_vstr+set}" = set; then :
-  enableval=$enable_vstr; if test x$enableval = xyes; then
+  enableval=$enable_vstr; vstr_given=true
+		if test x$enableval = xyes; then
 			vstr=true
 		 else
 			vstr=false
 		fi
 else
   vstr=false
+		vstr_given=false
+
+fi
+
+
+# Check whether --enable-monolithic was given.
+if test "${enable_monolithic+set}" = set; then :
+  enableval=$enable_monolithic; monolithic_given=true
+		if test x$enableval = xyes; then
+			monolithic=true
+		 else
+			monolithic=false
+		fi
+else
+  monolithic=false
+		monolithic_given=false
 
 fi
 
@@ -6997,13 +7316,13 @@ if test "${lt_cv_nm_interface+set}" = set; then :
 else
   lt_cv_nm_interface="BSD nm"
   echo "int some_variable = 0;" > conftest.$ac_ext
-  (eval echo "\"\$as_me:7000: $ac_compile\"" >&5)
+  (eval echo "\"\$as_me:7319: $ac_compile\"" >&5)
   (eval "$ac_compile" 2>conftest.err)
   cat conftest.err >&5
-  (eval echo "\"\$as_me:7003: $NM \\\"conftest.$ac_objext\\\"\"" >&5)
+  (eval echo "\"\$as_me:7322: $NM \\\"conftest.$ac_objext\\\"\"" >&5)
   (eval "$NM \"conftest.$ac_objext\"" 2>conftest.err > conftest.out)
   cat conftest.err >&5
-  (eval echo "\"\$as_me:7006: output\"" >&5)
+  (eval echo "\"\$as_me:7325: output\"" >&5)
   cat conftest.out >&5
   if $GREP 'External.*some_variable' conftest.out > /dev/null; then
     lt_cv_nm_interface="MS dumpbin"
@@ -8208,7 +8527,7 @@ ia64-*-hpux*)
   ;;
 *-*-irix6*)
   # Find out which ABI we are using.
-  echo '#line 8211 "configure"' > conftest.$ac_ext
+  echo '#line 8530 "configure"' > conftest.$ac_ext
   if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5
   (eval $ac_compile) 2>&5
   ac_status=$?
@@ -9470,11 +9789,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:9473: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:9792: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:9477: \$? = $ac_status" >&5
+   echo "$as_me:9796: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -9809,11 +10128,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:9812: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:10131: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:9816: \$? = $ac_status" >&5
+   echo "$as_me:10135: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -9914,11 +10233,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:9917: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:10236: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:9921: \$? = $ac_status" >&5
+   echo "$as_me:10240: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -9969,11 +10288,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:9972: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:10291: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:9976: \$? = $ac_status" >&5
+   echo "$as_me:10295: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -12352,7 +12671,7 @@ else
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext <<_LT_EOF
-#line 12355 "configure"
+#line 12674 "configure"
 #include "confdefs.h"
 
 #if HAVE_DLFCN_H
@@ -12448,7 +12767,7 @@ else
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext <<_LT_EOF
-#line 12451 "configure"
+#line 12770 "configure"
 #include "confdefs.h"
 
 #if HAVE_DLFCN_H
@@ -13110,7 +13429,6 @@ fi
 
 if test x$eap_aka = xtrue; then
 	fips_prf=true;
-	sha1=true;
 	simaka=true;
 fi
 
@@ -13120,7 +13438,9 @@ if test x$eap_sim = xtrue; then
 fi
 
 if test x$fips_prf = xtrue; then
-	sha1=true;
+	if test x$openssl = xfalse; then
+		sha1=true;
+	fi
 fi
 
 if test x$smp = xtrue; then
@@ -13140,6 +13460,17 @@ if test x$medcli = xtrue; then
 	mediation=true
 fi
 
+if test x$pluto = xtrue; then
+	if test x$socket_raw = xfalse; then
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: Enforcing --enable-socket-raw, as pluto is enabled" >&5
+$as_echo "$as_me: Enforcing --enable-socket-raw, as pluto is enabled" >&6;}
+		socket_raw=true
+		if test x$socket_default_given = xfalse; then
+			socket_default=false
+		fi
+	fi
+fi
+
 
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for stdbool.h that conforms to C99" >&5
 $as_echo_n "checking for stdbool.h that conforms to C99... " >&6; }
@@ -14213,6 +14544,7 @@ ac_cv_lib_vstr=ac_cv_lib_vstr_main
 fi
 
 if test x$gmp = xtrue; then
+	saved_LIBS=$LIBS
 	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lgmp" >&5
 $as_echo_n "checking for main in -lgmp... " >&6; }
 if test "${ac_cv_lib_gmp_main+set}" = set; then :
@@ -14244,12 +14576,48 @@ fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_gmp_main" >&5
 $as_echo "$ac_cv_lib_gmp_main" >&6; }
 if test "x$ac_cv_lib_gmp_main" = x""yes; then :
-  LIBS="$LIBS"
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_LIBGMP 1
+_ACEOF
+
+  LIBS="-lgmp $LIBS"
+
 else
   as_fn_error "GNU Multi Precision library gmp not found" "$LINENO" 5
 fi
 ac_cv_lib_gmp=ac_cv_lib_gmp_main
 
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking mpz_powm_sec" >&5
+$as_echo_n "checking mpz_powm_sec... " >&6; }
+	if test x$mpz_powm_sec = xyes; then
+		cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+#include "gmp.h"
+int
+main ()
+{
+
+				void *x = mpz_powm_sec;
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }; $as_echo "#define HAVE_MPZ_POWM_SEC 1" >>confdefs.h
+
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+	else
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: disabled" >&5
+$as_echo "disabled" >&6; }
+	fi
+	LIBS=$saved_LIBS
 	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking gmp.h version >= 4.1.4" >&5
 $as_echo_n "checking gmp.h version >= 4.1.4... " >&6; }
 	cat confdefs.h - <<_ACEOF >conftest.$ac_ext
@@ -15143,6 +15511,56 @@ else
 fi
 
 
+fi
+
+if test x$android = xtrue; then
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lcutils" >&5
+$as_echo_n "checking for main in -lcutils... " >&6; }
+if test "${ac_cv_lib_cutils_main+set}" = set; then :
+  $as_echo_n "(cached) " >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lcutils  $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+
+int
+main ()
+{
+return main ();
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  ac_cv_lib_cutils_main=yes
+else
+  ac_cv_lib_cutils_main=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_cutils_main" >&5
+$as_echo "$ac_cv_lib_cutils_main" >&6; }
+if test "x$ac_cv_lib_cutils_main" = x""yes; then :
+  LIBS="$LIBS"
+else
+  as_fn_error "Android library libcutils not found" "$LINENO" 5
+fi
+ac_cv_lib_cutils=ac_cv_lib_cutils_main
+
+	ac_fn_c_check_header_mongrel "$LINENO" "cutils/properties.h" "ac_cv_header_cutils_properties_h" "$ac_includes_default"
+if test "x$ac_cv_header_cutils_properties_h" = x""yes; then :
+
+else
+  as_fn_error "Android header cutils/properties.h not found!" "$LINENO" 5
+fi
+
+
+			DLLIB="-ldl"
+
 fi
 
 if test x$nm = xtrue; then
@@ -15488,6 +15906,7 @@ fi
 
 
 libstrongswan_plugins=
+libhydra_plugins=
 pluto_plugins=
 
 if test x$test_vectors = xtrue; then
@@ -15529,9 +15948,6 @@ if test x$md5 = xtrue; then
 	libstrongswan_plugins=${libstrongswan_plugins}" md5"
 	pluto_plugins=${pluto_plugins}" md5"
 fi
-if test x$fips_prf = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" fips-prf"
-fi
 if test x$random = xtrue; then
 	libstrongswan_plugins=${libstrongswan_plugins}" random"
 	pluto_plugins=${pluto_plugins}" random"
@@ -15568,10 +15984,6 @@ if test x$sqlite = xtrue; then
 	libstrongswan_plugins=${libstrongswan_plugins}" sqlite"
 	pluto_plugins=${pluto_plugins}" sqlite"
 fi
-if test x$attr_sql = xtrue -o x$sql = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" attr-sql"
-	pluto_plugins=${pluto_plugins}" attr-sql"
-fi
 if test x$padlock = xtrue; then
 	libstrongswan_plugins=${libstrongswan_plugins}" padlock"
 fi
@@ -15583,6 +15995,9 @@ if test x$gcrypt = xtrue; then
 	libstrongswan_plugins=${libstrongswan_plugins}" gcrypt"
 	pluto_plugins=${pluto_plugins}" gcrypt"
 fi
+if test x$fips_prf = xtrue; then
+	libstrongswan_plugins=${libstrongswan_plugins}" fips-prf"
+fi
 if test x$xcbc = xtrue; then
 	libstrongswan_plugins=${libstrongswan_plugins}" xcbc"
 fi
@@ -15597,6 +16012,15 @@ if test x$gmp = xtrue; then
 	libstrongswan_plugins=${libstrongswan_plugins}" gmp"
 	pluto_plugins=${pluto_plugins}" gmp"
 fi
+if test x$attr = xtrue; then
+	libhydra_plugins=${libhydra_plugins}" attr"
+	pluto_plugins=${pluto_plugins}" attr"
+fi
+if test x$attr_sql = xtrue -o x$sql = xtrue; then
+	libhydra_plugins=${libhydra_plugins}" attr-sql"
+	pluto_plugins=${pluto_plugins}" attr-sql"
+fi
+
 
 
 
@@ -15867,6 +16291,14 @@ else
   USE_UCI_FALSE=
 fi
 
+ if test x$android = xtrue; then
+  USE_ANDROID_TRUE=
+  USE_ANDROID_FALSE='#'
+else
+  USE_ANDROID_TRUE='#'
+  USE_ANDROID_FALSE=
+fi
+
  if test x$smp = xtrue; then
   USE_SMP_TRUE=
   USE_SMP_FALSE='#'
@@ -15899,6 +16331,14 @@ else
   USE_ATTR_FALSE=
 fi
 
+ if test x$dhcp = xtrue; then
+  USE_DHCP_TRUE=
+  USE_DHCP_FALSE='#'
+else
+  USE_DHCP_TRUE='#'
+  USE_DHCP_FALSE=
+fi
+
  if test x$resolve = xtrue; then
   USE_RESOLVE_TRUE=
   USE_RESOLVE_FALSE='#'
@@ -15923,6 +16363,14 @@ else
   USE_LOAD_TESTER_FALSE=
 fi
 
+ if test x$ha = xtrue; then
+  USE_HA_TRUE=
+  USE_HA_FALSE='#'
+else
+  USE_HA_TRUE='#'
+  USE_HA_FALSE=
+fi
+
  if test x$eap_sim = xtrue; then
   USE_EAP_SIM_TRUE=
   USE_EAP_SIM_FALSE='#'
@@ -16043,6 +16491,38 @@ else
   USE_KERNEL_KLIPS_FALSE=
 fi
 
+ if test x$socket_default = xtrue; then
+  USE_SOCKET_DEFAULT_TRUE=
+  USE_SOCKET_DEFAULT_FALSE='#'
+else
+  USE_SOCKET_DEFAULT_TRUE='#'
+  USE_SOCKET_DEFAULT_FALSE=
+fi
+
+ if test x$socket_raw = xtrue; then
+  USE_SOCKET_RAW_TRUE=
+  USE_SOCKET_RAW_FALSE='#'
+else
+  USE_SOCKET_RAW_TRUE='#'
+  USE_SOCKET_RAW_FALSE=
+fi
+
+ if test x$socket_dynamic = xtrue; then
+  USE_SOCKET_DYNAMIC_TRUE=
+  USE_SOCKET_DYNAMIC_FALSE='#'
+else
+  USE_SOCKET_DYNAMIC_TRUE='#'
+  USE_SOCKET_DYNAMIC_FALSE=
+fi
+
+ if test x$farp = xtrue; then
+  USE_FARP_TRUE=
+  USE_FARP_FALSE='#'
+else
+  USE_FARP_TRUE='#'
+  USE_FARP_FALSE=
+fi
+
 
  if test x$smartcard = xtrue; then
   USE_SMARTCARD_TRUE=
@@ -16196,6 +16676,14 @@ else
   USE_LIBSTRONGSWAN_FALSE=
 fi
 
+ if test x$charon = xtrue -o x$pluto = xtrue; then
+  USE_LIBHYDRA_TRUE=
+  USE_LIBHYDRA_FALSE='#'
+else
+  USE_LIBHYDRA_TRUE='#'
+  USE_LIBHYDRA_FALSE=
+fi
+
  if test x$pluto = xtrue -o x$stroke = xtrue; then
   USE_FILE_CONFIG_TRUE=
   USE_FILE_CONFIG_FALSE='#'
@@ -16220,6 +16708,14 @@ else
   USE_SIMAKA_FALSE=
 fi
 
+ if test x$monolithic = xtrue; then
+  MONOLITHIC_TRUE=
+  MONOLITHIC_FALSE='#'
+else
+  MONOLITHIC_TRUE='#'
+  MONOLITHIC_FALSE=
+fi
+
 
 
 if test x$mediation = xtrue; then
@@ -16230,9 +16726,14 @@ if test x$capabilities = xlibcap; then
 	$as_echo "#define CAPABILITIES 1" >>confdefs.h
 
 fi
+if test x$monolithic = xtrue; then
+	$as_echo "#define MONOLITHIC 1" >>confdefs.h
+
+fi
+
 
 
-ac_config_files="$ac_config_files Makefile src/Makefile src/include/Makefile src/libstrongswan/Makefile src/libstrongswan/plugins/aes/Makefile src/libstrongswan/plugins/des/Makefile src/libstrongswan/plugins/blowfish/Makefile src/libstrongswan/plugins/md4/Makefile src/libstrongswan/plugins/md5/Makefile src/libstrongswan/plugins/sha1/Makefile src/libstrongswan/plugins/sha2/Makefile src/libstrongswan/plugins/fips_prf/Makefile src/libstrongswan/plugins/gmp/Makefile src/libstrongswan/plugins/random/Makefile src/libstrongswan/plugins/hmac/Makefile src/libstrongswan/plugins/xcbc/Makefile src/libstrongswan/plugins/x509/Makefile src/libstrongswan/plugins/pubkey/Makefile src/libstrongswan/plugins/pkcs1/Makefile src/libstrongswan/plugins/pgp/Makefile src/libstrongswan/plugins/dnskey/Makefile src/libstrongswan/plugins/pem/Makefile src/libstrongswan/plugins/curl/Makefile src/libstrongswan/plugins/ldap/Makefile src/libstrongswan/plugins/mysql/Makefile src/libstrongswan/plugins/sqlite/Makefile src/libstrongswan/plugins/attr_sql/Makefile src/libstrongswan/plugins/padlock/Makefile src/libstrongswan/plugins/openssl/Makefile src/libstrongswan/plugins/gcrypt/Makefile src/libstrongswan/plugins/agent/Makefile src/libstrongswan/plugins/test_vectors/Makefile src/libfreeswan/Makefile src/libsimaka/Makefile src/pluto/Makefile src/whack/Makefile src/charon/Makefile src/charon/plugins/eap_aka/Makefile src/charon/plugins/eap_aka_3gpp2/Makefile src/charon/plugins/eap_identity/Makefile src/charon/plugins/eap_md5/Makefile src/charon/plugins/eap_gtc/Makefile src/charon/plugins/eap_sim/Makefile src/charon/plugins/eap_sim_file/Makefile src/charon/plugins/eap_simaka_pseudonym/Makefile src/charon/plugins/eap_simaka_reauth/Makefile src/charon/plugins/eap_mschapv2/Makefile src/charon/plugins/eap_radius/Makefile src/charon/plugins/kernel_netlink/Makefile src/charon/plugins/kernel_pfkey/Makefile src/charon/plugins/kernel_pfroute/Makefile src/charon/plugins/kernel_klips/Makefile src/charon/plugins/smp/Makefile src/charon/plugins/sql/Makefile src/charon/plugins/medsrv/Makefile src/charon/plugins/medcli/Makefile src/charon/plugins/nm/Makefile src/charon/plugins/uci/Makefile src/charon/plugins/stroke/Makefile src/charon/plugins/updown/Makefile src/charon/plugins/attr/Makefile src/charon/plugins/resolve/Makefile src/charon/plugins/unit_tester/Makefile src/charon/plugins/load_tester/Makefile src/stroke/Makefile src/ipsec/Makefile src/starter/Makefile src/_updown/Makefile src/_updown_espmark/Makefile src/_copyright/Makefile src/openac/Makefile src/scepclient/Makefile src/pki/Makefile src/dumm/Makefile src/dumm/ext/extconf.rb src/libfast/Makefile src/manager/Makefile src/medsrv/Makefile src/checksum/Makefile scripts/Makefile testing/Makefile"
+ac_config_files="$ac_config_files Makefile src/Makefile src/include/Makefile src/libstrongswan/Makefile src/libstrongswan/plugins/aes/Makefile src/libstrongswan/plugins/des/Makefile src/libstrongswan/plugins/blowfish/Makefile src/libstrongswan/plugins/md4/Makefile src/libstrongswan/plugins/md5/Makefile src/libstrongswan/plugins/sha1/Makefile src/libstrongswan/plugins/sha2/Makefile src/libstrongswan/plugins/fips_prf/Makefile src/libstrongswan/plugins/gmp/Makefile src/libstrongswan/plugins/random/Makefile src/libstrongswan/plugins/hmac/Makefile src/libstrongswan/plugins/xcbc/Makefile src/libstrongswan/plugins/x509/Makefile src/libstrongswan/plugins/pubkey/Makefile src/libstrongswan/plugins/pkcs1/Makefile src/libstrongswan/plugins/pgp/Makefile src/libstrongswan/plugins/dnskey/Makefile src/libstrongswan/plugins/pem/Makefile src/libstrongswan/plugins/curl/Makefile src/libstrongswan/plugins/ldap/Makefile src/libstrongswan/plugins/mysql/Makefile src/libstrongswan/plugins/sqlite/Makefile src/libstrongswan/plugins/padlock/Makefile src/libstrongswan/plugins/openssl/Makefile src/libstrongswan/plugins/gcrypt/Makefile src/libstrongswan/plugins/agent/Makefile src/libstrongswan/plugins/test_vectors/Makefile src/libhydra/Makefile src/libhydra/plugins/attr/Makefile src/libhydra/plugins/attr_sql/Makefile src/libfreeswan/Makefile src/libsimaka/Makefile src/pluto/Makefile src/whack/Makefile src/charon/Makefile src/libcharon/Makefile src/libcharon/plugins/eap_aka/Makefile src/libcharon/plugins/eap_aka_3gpp2/Makefile src/libcharon/plugins/eap_identity/Makefile src/libcharon/plugins/eap_md5/Makefile src/libcharon/plugins/eap_gtc/Makefile src/libcharon/plugins/eap_sim/Makefile src/libcharon/plugins/eap_sim_file/Makefile src/libcharon/plugins/eap_simaka_pseudonym/Makefile src/libcharon/plugins/eap_simaka_reauth/Makefile src/libcharon/plugins/eap_mschapv2/Makefile src/libcharon/plugins/eap_radius/Makefile src/libcharon/plugins/kernel_netlink/Makefile src/libcharon/plugins/kernel_pfkey/Makefile src/libcharon/plugins/kernel_pfroute/Makefile src/libcharon/plugins/kernel_klips/Makefile src/libcharon/plugins/socket_default/Makefile src/libcharon/plugins/socket_raw/Makefile src/libcharon/plugins/socket_dynamic/Makefile src/libcharon/plugins/farp/Makefile src/libcharon/plugins/smp/Makefile src/libcharon/plugins/sql/Makefile src/libcharon/plugins/medsrv/Makefile src/libcharon/plugins/medcli/Makefile src/libcharon/plugins/nm/Makefile src/libcharon/plugins/uci/Makefile src/libcharon/plugins/ha/Makefile src/libcharon/plugins/android/Makefile src/libcharon/plugins/stroke/Makefile src/libcharon/plugins/updown/Makefile src/libcharon/plugins/dhcp/Makefile src/libcharon/plugins/resolve/Makefile src/libcharon/plugins/unit_tester/Makefile src/libcharon/plugins/load_tester/Makefile src/stroke/Makefile src/ipsec/Makefile src/starter/Makefile src/_updown/Makefile src/_updown_espmark/Makefile src/_copyright/Makefile src/openac/Makefile src/scepclient/Makefile src/pki/Makefile src/dumm/Makefile src/dumm/ext/extconf.rb src/libfast/Makefile src/manager/Makefile src/medsrv/Makefile src/checksum/Makefile scripts/Makefile testing/Makefile"
 
 cat >confcache <<\_ACEOF
 # This file is a shell script that caches the results of configure
@@ -16516,6 +17017,10 @@ if test -z "${USE_UCI_TRUE}" && test -z "${USE_UCI_FALSE}"; then
   as_fn_error "conditional \"USE_UCI\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
+if test -z "${USE_ANDROID_TRUE}" && test -z "${USE_ANDROID_FALSE}"; then
+  as_fn_error "conditional \"USE_ANDROID\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
 if test -z "${USE_SMP_TRUE}" && test -z "${USE_SMP_FALSE}"; then
   as_fn_error "conditional \"USE_SMP\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -16532,6 +17037,10 @@ if test -z "${USE_ATTR_TRUE}" && test -z "${USE_ATTR_FALSE}"; then
   as_fn_error "conditional \"USE_ATTR\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
+if test -z "${USE_DHCP_TRUE}" && test -z "${USE_DHCP_FALSE}"; then
+  as_fn_error "conditional \"USE_DHCP\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
 if test -z "${USE_RESOLVE_TRUE}" && test -z "${USE_RESOLVE_FALSE}"; then
   as_fn_error "conditional \"USE_RESOLVE\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -16544,6 +17053,10 @@ if test -z "${USE_LOAD_TESTER_TRUE}" && test -z "${USE_LOAD_TESTER_FALSE}"; then
   as_fn_error "conditional \"USE_LOAD_TESTER\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
+if test -z "${USE_HA_TRUE}" && test -z "${USE_HA_FALSE}"; then
+  as_fn_error "conditional \"USE_HA\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
 if test -z "${USE_EAP_SIM_TRUE}" && test -z "${USE_EAP_SIM_FALSE}"; then
   as_fn_error "conditional \"USE_EAP_SIM\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -16604,6 +17117,22 @@ if test -z "${USE_KERNEL_KLIPS_TRUE}" && test -z "${USE_KERNEL_KLIPS_FALSE}"; th
   as_fn_error "conditional \"USE_KERNEL_KLIPS\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
+if test -z "${USE_SOCKET_DEFAULT_TRUE}" && test -z "${USE_SOCKET_DEFAULT_FALSE}"; then
+  as_fn_error "conditional \"USE_SOCKET_DEFAULT\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
+if test -z "${USE_SOCKET_RAW_TRUE}" && test -z "${USE_SOCKET_RAW_FALSE}"; then
+  as_fn_error "conditional \"USE_SOCKET_RAW\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
+if test -z "${USE_SOCKET_DYNAMIC_TRUE}" && test -z "${USE_SOCKET_DYNAMIC_FALSE}"; then
+  as_fn_error "conditional \"USE_SOCKET_DYNAMIC\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
+if test -z "${USE_FARP_TRUE}" && test -z "${USE_FARP_FALSE}"; then
+  as_fn_error "conditional \"USE_FARP\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
 if test -z "${USE_SMARTCARD_TRUE}" && test -z "${USE_SMARTCARD_FALSE}"; then
   as_fn_error "conditional \"USE_SMARTCARD\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -16680,6 +17209,10 @@ if test -z "${USE_LIBSTRONGSWAN_TRUE}" && test -z "${USE_LIBSTRONGSWAN_FALSE}";
   as_fn_error "conditional \"USE_LIBSTRONGSWAN\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
+if test -z "${USE_LIBHYDRA_TRUE}" && test -z "${USE_LIBHYDRA_FALSE}"; then
+  as_fn_error "conditional \"USE_LIBHYDRA\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
 if test -z "${USE_FILE_CONFIG_TRUE}" && test -z "${USE_FILE_CONFIG_FALSE}"; then
   as_fn_error "conditional \"USE_FILE_CONFIG\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -16692,6 +17225,10 @@ if test -z "${USE_SIMAKA_TRUE}" && test -z "${USE_SIMAKA_FALSE}"; then
   as_fn_error "conditional \"USE_SIMAKA\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
+if test -z "${MONOLITHIC_TRUE}" && test -z "${MONOLITHIC_FALSE}"; then
+  as_fn_error "conditional \"MONOLITHIC\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
 
 : ${CONFIG_STATUS=./config.status}
 ac_write_fail=0
@@ -17100,7 +17637,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by strongSwan $as_me 4.3.6, which was
+This file was extended by strongSwan $as_me 4.4.0, which was
 generated by GNU Autoconf 2.64.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -17155,7 +17692,7 @@ Report bugs to the package provider."
 _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_version="\\
-strongSwan config.status 4.3.6
+strongSwan config.status 4.4.0
 configured by $0, generated by GNU Autoconf 2.64,
   with options \\"`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`\\"
 
@@ -17548,44 +18085,53 @@ do
     "src/libstrongswan/plugins/ldap/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/ldap/Makefile" ;;
     "src/libstrongswan/plugins/mysql/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/mysql/Makefile" ;;
     "src/libstrongswan/plugins/sqlite/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/sqlite/Makefile" ;;
-    "src/libstrongswan/plugins/attr_sql/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/attr_sql/Makefile" ;;
     "src/libstrongswan/plugins/padlock/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/padlock/Makefile" ;;
     "src/libstrongswan/plugins/openssl/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/openssl/Makefile" ;;
     "src/libstrongswan/plugins/gcrypt/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/gcrypt/Makefile" ;;
     "src/libstrongswan/plugins/agent/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/agent/Makefile" ;;
     "src/libstrongswan/plugins/test_vectors/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/test_vectors/Makefile" ;;
+    "src/libhydra/Makefile") CONFIG_FILES="$CONFIG_FILES src/libhydra/Makefile" ;;
+    "src/libhydra/plugins/attr/Makefile") CONFIG_FILES="$CONFIG_FILES src/libhydra/plugins/attr/Makefile" ;;
+    "src/libhydra/plugins/attr_sql/Makefile") CONFIG_FILES="$CONFIG_FILES src/libhydra/plugins/attr_sql/Makefile" ;;
     "src/libfreeswan/Makefile") CONFIG_FILES="$CONFIG_FILES src/libfreeswan/Makefile" ;;
     "src/libsimaka/Makefile") CONFIG_FILES="$CONFIG_FILES src/libsimaka/Makefile" ;;
     "src/pluto/Makefile") CONFIG_FILES="$CONFIG_FILES src/pluto/Makefile" ;;
     "src/whack/Makefile") CONFIG_FILES="$CONFIG_FILES src/whack/Makefile" ;;
     "src/charon/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/Makefile" ;;
-    "src/charon/plugins/eap_aka/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/eap_aka/Makefile" ;;
-    "src/charon/plugins/eap_aka_3gpp2/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/eap_aka_3gpp2/Makefile" ;;
-    "src/charon/plugins/eap_identity/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/eap_identity/Makefile" ;;
-    "src/charon/plugins/eap_md5/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/eap_md5/Makefile" ;;
-    "src/charon/plugins/eap_gtc/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/eap_gtc/Makefile" ;;
-    "src/charon/plugins/eap_sim/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/eap_sim/Makefile" ;;
-    "src/charon/plugins/eap_sim_file/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/eap_sim_file/Makefile" ;;
-    "src/charon/plugins/eap_simaka_pseudonym/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/eap_simaka_pseudonym/Makefile" ;;
-    "src/charon/plugins/eap_simaka_reauth/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/eap_simaka_reauth/Makefile" ;;
-    "src/charon/plugins/eap_mschapv2/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/eap_mschapv2/Makefile" ;;
-    "src/charon/plugins/eap_radius/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/eap_radius/Makefile" ;;
-    "src/charon/plugins/kernel_netlink/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/kernel_netlink/Makefile" ;;
-    "src/charon/plugins/kernel_pfkey/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/kernel_pfkey/Makefile" ;;
-    "src/charon/plugins/kernel_pfroute/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/kernel_pfroute/Makefile" ;;
-    "src/charon/plugins/kernel_klips/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/kernel_klips/Makefile" ;;
-    "src/charon/plugins/smp/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/smp/Makefile" ;;
-    "src/charon/plugins/sql/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/sql/Makefile" ;;
-    "src/charon/plugins/medsrv/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/medsrv/Makefile" ;;
-    "src/charon/plugins/medcli/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/medcli/Makefile" ;;
-    "src/charon/plugins/nm/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/nm/Makefile" ;;
-    "src/charon/plugins/uci/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/uci/Makefile" ;;
-    "src/charon/plugins/stroke/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/stroke/Makefile" ;;
-    "src/charon/plugins/updown/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/updown/Makefile" ;;
-    "src/charon/plugins/attr/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/attr/Makefile" ;;
-    "src/charon/plugins/resolve/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/resolve/Makefile" ;;
-    "src/charon/plugins/unit_tester/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/unit_tester/Makefile" ;;
-    "src/charon/plugins/load_tester/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/plugins/load_tester/Makefile" ;;
+    "src/libcharon/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/Makefile" ;;
+    "src/libcharon/plugins/eap_aka/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/eap_aka/Makefile" ;;
+    "src/libcharon/plugins/eap_aka_3gpp2/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/eap_aka_3gpp2/Makefile" ;;
+    "src/libcharon/plugins/eap_identity/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/eap_identity/Makefile" ;;
+    "src/libcharon/plugins/eap_md5/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/eap_md5/Makefile" ;;
+    "src/libcharon/plugins/eap_gtc/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/eap_gtc/Makefile" ;;
+    "src/libcharon/plugins/eap_sim/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/eap_sim/Makefile" ;;
+    "src/libcharon/plugins/eap_sim_file/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/eap_sim_file/Makefile" ;;
+    "src/libcharon/plugins/eap_simaka_pseudonym/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/eap_simaka_pseudonym/Makefile" ;;
+    "src/libcharon/plugins/eap_simaka_reauth/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/eap_simaka_reauth/Makefile" ;;
+    "src/libcharon/plugins/eap_mschapv2/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/eap_mschapv2/Makefile" ;;
+    "src/libcharon/plugins/eap_radius/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/eap_radius/Makefile" ;;
+    "src/libcharon/plugins/kernel_netlink/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/kernel_netlink/Makefile" ;;
+    "src/libcharon/plugins/kernel_pfkey/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/kernel_pfkey/Makefile" ;;
+    "src/libcharon/plugins/kernel_pfroute/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/kernel_pfroute/Makefile" ;;
+    "src/libcharon/plugins/kernel_klips/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/kernel_klips/Makefile" ;;
+    "src/libcharon/plugins/socket_default/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/socket_default/Makefile" ;;
+    "src/libcharon/plugins/socket_raw/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/socket_raw/Makefile" ;;
+    "src/libcharon/plugins/socket_dynamic/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/socket_dynamic/Makefile" ;;
+    "src/libcharon/plugins/farp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/farp/Makefile" ;;
+    "src/libcharon/plugins/smp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/smp/Makefile" ;;
+    "src/libcharon/plugins/sql/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/sql/Makefile" ;;
+    "src/libcharon/plugins/medsrv/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/medsrv/Makefile" ;;
+    "src/libcharon/plugins/medcli/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/medcli/Makefile" ;;
+    "src/libcharon/plugins/nm/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/nm/Makefile" ;;
+    "src/libcharon/plugins/uci/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/uci/Makefile" ;;
+    "src/libcharon/plugins/ha/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/ha/Makefile" ;;
+    "src/libcharon/plugins/android/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/android/Makefile" ;;
+    "src/libcharon/plugins/stroke/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/stroke/Makefile" ;;
+    "src/libcharon/plugins/updown/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/updown/Makefile" ;;
+    "src/libcharon/plugins/dhcp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/dhcp/Makefile" ;;
+    "src/libcharon/plugins/resolve/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/resolve/Makefile" ;;
+    "src/libcharon/plugins/unit_tester/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/unit_tester/Makefile" ;;
+    "src/libcharon/plugins/load_tester/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/load_tester/Makefile" ;;
     "src/stroke/Makefile") CONFIG_FILES="$CONFIG_FILES src/stroke/Makefile" ;;
     "src/ipsec/Makefile") CONFIG_FILES="$CONFIG_FILES src/ipsec/Makefile" ;;
     "src/starter/Makefile") CONFIG_FILES="$CONFIG_FILES src/starter/Makefile" ;;
diff --git a/configure.in b/configure.in
index 8ba844e9b..efcccbb42 100644
--- a/configure.in
+++ b/configure.in
@@ -16,7 +16,7 @@ dnl ===========================
 dnl  initialize & set some vars
 dnl ===========================
 
-AC_INIT(strongSwan,4.3.6)
+AC_INIT(strongSwan,4.4.0)
 AM_INIT_AUTOMAKE(tar-ustar)
 AC_CONFIG_MACRO_DIR([m4/config])
 PKG_PROG_PKG_CONFIG
@@ -41,6 +41,7 @@ ARG_WITH_SUBST([routing-table],      [220], [set routing table to use for IPsec
 ARG_WITH_SUBST([routing-table-prio], [220], [set priority for IPsec routing table])
 
 ARG_WITH_SET([capabilities],         [no], [set capability dropping library. Currently only the value "libcap" is supported])
+ARG_WITH_SET([mpz_powm_sec],         [yes], [use the more side-channel resistant mpz_powm_sec in libgmp, if available])
 
 AC_ARG_WITH(
 	[xauth-module],
@@ -113,6 +114,10 @@ ARG_DISBL_SET([kernel-netlink], [disable the netlink kernel interface.])
 ARG_ENABL_SET([kernel-pfkey],   [enable the PF_KEY kernel interface.])
 ARG_ENABL_SET([kernel-pfroute], [enable the PF_ROUTE kernel interface.])
 ARG_ENABL_SET([kernel-klips],   [enable the KLIPS kernel interface.])
+ARG_DISBL_SET([socket-default], [disable default socket implementation for charon.])
+ARG_ENABL_SET([socket-raw],     [enable raw socket implementation of charon, enforced if pluto is enabled])
+ARG_ENABL_SET([socket-dynamic], [enable dynamic socket implementation for charon])
+ARG_ENABL_SET([farp],           [enable ARP faking plugin that responds to ARP requests to peers virtual IP])
 ARG_ENABL_SET([nat-transport],  [enable NAT traversal with IPsec transport mode in pluto.])
 ARG_DISBL_SET([vendor-id],      [disable the sending of the strongSwan vendor ID in pluto.])
 ARG_DISBL_SET([xauth-vid],      [disable the sending of the XAUTH vendor ID.])
@@ -129,14 +134,18 @@ ARG_DISBL_SET([scripts],        [disable additional utilities (found in director
 ARG_DISBL_SET([updown],         [disable updown firewall script plugin.])
 ARG_DISBL_SET([attr],           [disable strongswan.conf based configuration attribute plugin.])
 ARG_ENABL_SET([attr-sql],       [enable SQL based configuration attribute plugin.])
+ARG_ENABL_SET([dhcp],           [enable DHCP based attribute provider plugin.])
 ARG_DISBL_SET([resolve],        [disable resolve DNS handler plugin.])
 ARG_ENABL_SET([padlock],        [enables VIA Padlock crypto plugin.])
 ARG_ENABL_SET([openssl],        [enables the OpenSSL crypto plugin.])
 ARG_ENABL_SET([gcrypt],         [enables the libgcrypt plugin.])
 ARG_ENABL_SET([agent],          [enables the ssh-agent signing plugin.])
 ARG_ENABL_SET([uci],            [enable OpenWRT UCI configuration plugin.])
+ARG_ENABL_SET([android],        [enable Android specific plugin.])
 ARG_ENABL_SET([nm],             [enable NetworkManager plugin.])
+ARG_ENABL_SET([ha],             [enable high availability cluster plugin.])
 ARG_ENABL_SET([vstr],           [enforce using the Vstr string library to replace glibc-like printf hooks.])
+ARG_ENABL_SET([monolithic],     [build monolithic version of libstrongswan that includes all enabled plugins. Similarly, the plugins of charon are assembled in libcharon.])
 
 dnl =========================
 dnl  set up compiler and flags
@@ -202,7 +211,6 @@ fi
 
 if test x$eap_aka = xtrue; then
 	fips_prf=true;
-	sha1=true;
 	simaka=true;
 fi
 
@@ -212,7 +220,9 @@ if test x$eap_sim = xtrue; then
 fi
 
 if test x$fips_prf = xtrue; then
-	sha1=true;
+	if test x$openssl = xfalse; then
+		sha1=true;
+	fi
 fi
 
 if test x$smp = xtrue; then
@@ -232,6 +242,16 @@ if test x$medcli = xtrue; then
 	mediation=true
 fi
 
+if test x$pluto = xtrue; then
+	if test x$socket_raw = xfalse; then
+		AC_MSG_NOTICE([Enforcing --enable-socket-raw, as pluto is enabled])
+		socket_raw=true
+		if test x$socket_default_given = xfalse; then
+			socket_default=false
+		fi
+	fi
+fi
+
 dnl ===========================================
 dnl  check required libraries and header files
 dnl ===========================================
@@ -431,7 +451,21 @@ if test x$vstr = xtrue; then
 fi
 
 if test x$gmp = xtrue; then
-	AC_HAVE_LIBRARY([gmp],[LIBS="$LIBS"],[AC_MSG_ERROR([GNU Multi Precision library gmp not found])])
+	saved_LIBS=$LIBS
+	AC_HAVE_LIBRARY([gmp],,[AC_MSG_ERROR([GNU Multi Precision library gmp not found])])
+	AC_MSG_CHECKING([mpz_powm_sec])
+	if test x$mpz_powm_sec = xyes; then
+		AC_TRY_COMPILE(
+			[#include "gmp.h"],
+			[
+				void *x = mpz_powm_sec;
+			],
+			[AC_MSG_RESULT([yes]); AC_DEFINE(HAVE_MPZ_POWM_SEC)], [AC_MSG_RESULT([no])]
+		)
+	else
+		AC_MSG_RESULT([disabled])
+	fi
+	LIBS=$saved_LIBS
 	AC_MSG_CHECKING([gmp.h version >= 4.1.4])
 	AC_TRY_COMPILE(
 		[#include "gmp.h"],
@@ -554,6 +588,15 @@ if test x$uci = xtrue; then
 	AC_CHECK_HEADER([uci.h],,[AC_MSG_ERROR([UCI header uci.h not found!])])
 fi
 
+if test x$android = xtrue; then
+	AC_HAVE_LIBRARY([cutils],[LIBS="$LIBS"],[AC_MSG_ERROR([Android library libcutils not found])])
+	AC_CHECK_HEADER([cutils/properties.h],,[AC_MSG_ERROR([Android header cutils/properties.h not found!])])
+	dnl we have to force the use of libdl here because the autodetection
+	dnl above does not work correctly when cross-compiling for android.
+	DLLIB="-ldl"
+	AC_SUBST(DLLIB)
+fi
+
 if test x$nm = xtrue; then
 	PKG_CHECK_EXISTS([libnm-glib],
 		[PKG_CHECK_MODULES(nm, [NetworkManager gthread-2.0 libnm-glib libnm-glib-vpn])],
@@ -592,11 +635,12 @@ if test x$integrity_test = xtrue; then
 	)
 fi
 
-dnl ======================================
-dnl  collect all plugins for libstrongswan
-dnl ======================================
+dnl ==========================================================
+dnl  collect all plugins for libstrongswan, libhydra and pluto
+dnl ==========================================================
 
 libstrongswan_plugins=
+libhydra_plugins=
 pluto_plugins=
 
 if test x$test_vectors = xtrue; then
@@ -638,9 +682,6 @@ if test x$md5 = xtrue; then
 	libstrongswan_plugins=${libstrongswan_plugins}" md5"
 	pluto_plugins=${pluto_plugins}" md5"
 fi
-if test x$fips_prf = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" fips-prf"
-fi
 if test x$random = xtrue; then
 	libstrongswan_plugins=${libstrongswan_plugins}" random"
 	pluto_plugins=${pluto_plugins}" random"
@@ -677,10 +718,6 @@ if test x$sqlite = xtrue; then
 	libstrongswan_plugins=${libstrongswan_plugins}" sqlite"
 	pluto_plugins=${pluto_plugins}" sqlite"
 fi
-if test x$attr_sql = xtrue -o x$sql = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" attr-sql"
-	pluto_plugins=${pluto_plugins}" attr-sql"
-fi
 if test x$padlock = xtrue; then
 	libstrongswan_plugins=${libstrongswan_plugins}" padlock"
 fi
@@ -692,6 +729,9 @@ if test x$gcrypt = xtrue; then
 	libstrongswan_plugins=${libstrongswan_plugins}" gcrypt"
 	pluto_plugins=${pluto_plugins}" gcrypt"
 fi
+if test x$fips_prf = xtrue; then
+	libstrongswan_plugins=${libstrongswan_plugins}" fips-prf"
+fi
 if test x$xcbc = xtrue; then
 	libstrongswan_plugins=${libstrongswan_plugins}" xcbc"
 fi
@@ -706,8 +746,17 @@ if test x$gmp = xtrue; then
 	libstrongswan_plugins=${libstrongswan_plugins}" gmp"
 	pluto_plugins=${pluto_plugins}" gmp"
 fi
+if test x$attr = xtrue; then
+	libhydra_plugins=${libhydra_plugins}" attr"
+	pluto_plugins=${pluto_plugins}" attr"
+fi
+if test x$attr_sql = xtrue -o x$sql = xtrue; then
+	libhydra_plugins=${libhydra_plugins}" attr-sql"
+	pluto_plugins=${pluto_plugins}" attr-sql"
+fi
 
 AC_SUBST(libstrongswan_plugins)
+AC_SUBST(libhydra_plugins)
 AC_SUBST(pluto_plugins)
 
 dnl =========================
@@ -752,13 +801,16 @@ AM_CONDITIONAL(USE_MEDSRV, test x$medsrv = xtrue)
 AM_CONDITIONAL(USE_MEDCLI, test x$medcli = xtrue)
 AM_CONDITIONAL(USE_NM, test x$nm = xtrue)
 AM_CONDITIONAL(USE_UCI, test x$uci = xtrue)
+AM_CONDITIONAL(USE_ANDROID, test x$android = xtrue)
 AM_CONDITIONAL(USE_SMP, test x$smp = xtrue)
 AM_CONDITIONAL(USE_SQL, test x$sql = xtrue)
 AM_CONDITIONAL(USE_UPDOWN, test x$updown = xtrue)
 AM_CONDITIONAL(USE_ATTR, test x$attr = xtrue)
+AM_CONDITIONAL(USE_DHCP, test x$dhcp = xtrue)
 AM_CONDITIONAL(USE_RESOLVE, test x$resolve = xtrue)
 AM_CONDITIONAL(USE_UNIT_TESTS, test x$unit_tests = xtrue)
 AM_CONDITIONAL(USE_LOAD_TESTER, test x$load_tester = xtrue)
+AM_CONDITIONAL(USE_HA, test x$ha = xtrue)
 AM_CONDITIONAL(USE_EAP_SIM, test x$eap_sim = xtrue)
 AM_CONDITIONAL(USE_EAP_SIM_FILE, test x$eap_sim_file = xtrue)
 AM_CONDITIONAL(USE_EAP_SIMAKA_PSEUDONYM, test x$eap_simaka_pseudonym = xtrue)
@@ -774,6 +826,10 @@ AM_CONDITIONAL(USE_KERNEL_NETLINK, test x$kernel_netlink = xtrue)
 AM_CONDITIONAL(USE_KERNEL_PFKEY, test x$kernel_pfkey = xtrue)
 AM_CONDITIONAL(USE_KERNEL_PFROUTE, test x$kernel_pfroute = xtrue)
 AM_CONDITIONAL(USE_KERNEL_KLIPS, test x$kernel_klips = xtrue)
+AM_CONDITIONAL(USE_SOCKET_DEFAULT, test x$socket_default = xtrue)
+AM_CONDITIONAL(USE_SOCKET_RAW, test x$socket_raw = xtrue)
+AM_CONDITIONAL(USE_SOCKET_DYNAMIC, test x$socket_dynamic = xtrue)
+AM_CONDITIONAL(USE_FARP, test x$farp = xtrue)
 
 dnl other options
 dnl =============
@@ -796,9 +852,11 @@ AM_CONDITIONAL(USE_CHARON, test x$charon = xtrue)
 AM_CONDITIONAL(USE_TOOLS, test x$tools = xtrue)
 AM_CONDITIONAL(USE_SCRIPTS, test x$scripts = xtrue)
 AM_CONDITIONAL(USE_LIBSTRONGSWAN, test x$charon = xtrue -o x$pluto = xtrue -o x$tools = xtrue)
+AM_CONDITIONAL(USE_LIBHYDRA, test x$charon = xtrue -o x$pluto = xtrue)
 AM_CONDITIONAL(USE_FILE_CONFIG, test x$pluto = xtrue -o x$stroke = xtrue)
 AM_CONDITIONAL(USE_VSTR, test x$vstr = xtrue)
 AM_CONDITIONAL(USE_SIMAKA, test x$simaka = xtrue)
+AM_CONDITIONAL(MONOLITHIC, test x$monolithic = xtrue)
 
 dnl ==============================
 dnl  set global definitions
@@ -810,6 +868,10 @@ fi
 if test x$capabilities = xlibcap; then
 	AC_DEFINE(CAPABILITIES)
 fi
+if test x$monolithic = xtrue; then
+	AC_DEFINE(MONOLITHIC)
+fi
+
 
 dnl ==============================
 dnl  build Makefiles
@@ -842,44 +904,53 @@ AC_OUTPUT(
 	src/libstrongswan/plugins/ldap/Makefile
 	src/libstrongswan/plugins/mysql/Makefile
 	src/libstrongswan/plugins/sqlite/Makefile
-	src/libstrongswan/plugins/attr_sql/Makefile
 	src/libstrongswan/plugins/padlock/Makefile
 	src/libstrongswan/plugins/openssl/Makefile
 	src/libstrongswan/plugins/gcrypt/Makefile
 	src/libstrongswan/plugins/agent/Makefile
 	src/libstrongswan/plugins/test_vectors/Makefile
+	src/libhydra/Makefile
+	src/libhydra/plugins/attr/Makefile
+	src/libhydra/plugins/attr_sql/Makefile
 	src/libfreeswan/Makefile
 	src/libsimaka/Makefile
 	src/pluto/Makefile
 	src/whack/Makefile
 	src/charon/Makefile
-	src/charon/plugins/eap_aka/Makefile
-	src/charon/plugins/eap_aka_3gpp2/Makefile
-	src/charon/plugins/eap_identity/Makefile
-	src/charon/plugins/eap_md5/Makefile
-	src/charon/plugins/eap_gtc/Makefile
-	src/charon/plugins/eap_sim/Makefile
-	src/charon/plugins/eap_sim_file/Makefile
-	src/charon/plugins/eap_simaka_pseudonym/Makefile
-	src/charon/plugins/eap_simaka_reauth/Makefile
-	src/charon/plugins/eap_mschapv2/Makefile
-	src/charon/plugins/eap_radius/Makefile
-	src/charon/plugins/kernel_netlink/Makefile
-	src/charon/plugins/kernel_pfkey/Makefile
-	src/charon/plugins/kernel_pfroute/Makefile
-	src/charon/plugins/kernel_klips/Makefile
-	src/charon/plugins/smp/Makefile
-	src/charon/plugins/sql/Makefile
-	src/charon/plugins/medsrv/Makefile
-	src/charon/plugins/medcli/Makefile
-	src/charon/plugins/nm/Makefile
-	src/charon/plugins/uci/Makefile
-	src/charon/plugins/stroke/Makefile
-	src/charon/plugins/updown/Makefile
-	src/charon/plugins/attr/Makefile
-	src/charon/plugins/resolve/Makefile
-	src/charon/plugins/unit_tester/Makefile
-	src/charon/plugins/load_tester/Makefile
+	src/libcharon/Makefile
+	src/libcharon/plugins/eap_aka/Makefile
+	src/libcharon/plugins/eap_aka_3gpp2/Makefile
+	src/libcharon/plugins/eap_identity/Makefile
+	src/libcharon/plugins/eap_md5/Makefile
+	src/libcharon/plugins/eap_gtc/Makefile
+	src/libcharon/plugins/eap_sim/Makefile
+	src/libcharon/plugins/eap_sim_file/Makefile
+	src/libcharon/plugins/eap_simaka_pseudonym/Makefile
+	src/libcharon/plugins/eap_simaka_reauth/Makefile
+	src/libcharon/plugins/eap_mschapv2/Makefile
+	src/libcharon/plugins/eap_radius/Makefile
+	src/libcharon/plugins/kernel_netlink/Makefile
+	src/libcharon/plugins/kernel_pfkey/Makefile
+	src/libcharon/plugins/kernel_pfroute/Makefile
+	src/libcharon/plugins/kernel_klips/Makefile
+	src/libcharon/plugins/socket_default/Makefile
+	src/libcharon/plugins/socket_raw/Makefile
+	src/libcharon/plugins/socket_dynamic/Makefile
+	src/libcharon/plugins/farp/Makefile
+	src/libcharon/plugins/smp/Makefile
+	src/libcharon/plugins/sql/Makefile
+	src/libcharon/plugins/medsrv/Makefile
+	src/libcharon/plugins/medcli/Makefile
+	src/libcharon/plugins/nm/Makefile
+	src/libcharon/plugins/uci/Makefile
+	src/libcharon/plugins/ha/Makefile
+	src/libcharon/plugins/android/Makefile
+	src/libcharon/plugins/stroke/Makefile
+	src/libcharon/plugins/updown/Makefile
+	src/libcharon/plugins/dhcp/Makefile
+	src/libcharon/plugins/resolve/Makefile
+	src/libcharon/plugins/unit_tester/Makefile
+	src/libcharon/plugins/load_tester/Makefile
 	src/stroke/Makefile
 	src/ipsec/Makefile
 	src/starter/Makefile
diff --git a/m4/macros/enable-disable.m4 b/m4/macros/enable-disable.m4
index 6d7959e4e..3d423652f 100644
--- a/m4/macros/enable-disable.m4
+++ b/m4/macros/enable-disable.m4
@@ -6,12 +6,14 @@ AC_DEFUN([ARG_ENABL_SET],
 	[AC_ARG_ENABLE(
 		[$1],
 		AS_HELP_STRING([--enable-$1], [$2]),
-		[if test x$enableval = xyes; then
+		[patsubst([$1], [-], [_])_given=true
+		if test x$enableval = xyes; then
 			patsubst([$1], [-], [_])=true
 		 else
 			patsubst([$1], [-], [_])=false
 		fi],
-		patsubst([$1], [-], [_])=false
+		[patsubst([$1], [-], [_])=false
+		patsubst([$1], [-], [_])_given=false]
 	)]
 )
 
@@ -22,11 +24,13 @@ AC_DEFUN([ARG_DISBL_SET],
 	[AC_ARG_ENABLE(
 		[$1],
 		AS_HELP_STRING([--disable-$1], [$2]),
-		[if test x$enableval = xyes; then
+		[patsubst([$1], [-], [_])_given=true
+		if test x$enableval = xyes; then
 			patsubst([$1], [-], [_])=true
 		 else
 			patsubst([$1], [-], [_])=false
 		fi],
-		patsubst([$1], [-], [_])=true
+		[patsubst([$1], [-], [_])=true
+		patsubst([$1], [-], [_])_given=false]
 	)]
 )
diff --git a/scripts/Makefile.am b/scripts/Makefile.am
index 24e3cd164..70a56f697 100644
--- a/scripts/Makefile.am
+++ b/scripts/Makefile.am
@@ -17,3 +17,7 @@ key2keyid_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 keyid2sql_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 dh_speed_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -lrt
 pubkey_speed_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -lrt
+
+key2keyid.o :	$(top_builddir)/config.status
+
+keyid2sql.o :	$(top_builddir)/config.status
diff --git a/scripts/Makefile.in b/scripts/Makefile.in
index 7d1af0803..6a75fa7ae 100644
--- a/scripts/Makefile.in
+++ b/scripts/Makefile.in
@@ -226,6 +226,7 @@ ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libhydra_plugins = @libhydra_plugins@
 libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
@@ -585,6 +586,10 @@ uninstall-am:
 	pdf pdf-am ps ps-am tags uninstall uninstall-am
 
 
+key2keyid.o :	$(top_builddir)/config.status
+
+keyid2sql.o :	$(top_builddir)/config.status
+
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/scripts/dh_speed.c b/scripts/dh_speed.c
index b85bf1ad8..ce102491b 100644
--- a/scripts/dh_speed.c
+++ b/scripts/dh_speed.c
@@ -15,19 +15,22 @@ struct {
 	char *name;
 	diffie_hellman_group_t group;
 } groups[] = {
-	{"modp768",		MODP_768_BIT},
-	{"modp1024",	MODP_1024_BIT},
-	{"modp1536",	MODP_1536_BIT},
-	{"modp2048",	MODP_2048_BIT},
-	{"modp3072",	MODP_3072_BIT},
-	{"modp4096",	MODP_4096_BIT},
-	{"modp6144",	MODP_6144_BIT},
-	{"modp8192",	MODP_8192_BIT},
-	{"ecp256",		ECP_256_BIT},
-	{"ecp384",		ECP_384_BIT},
-	{"ecp521",		ECP_521_BIT},
-	{"ecp192",		ECP_192_BIT},
-	{"ecp224",		ECP_224_BIT},
+	{"modp768",			MODP_768_BIT},
+	{"modp1024",		MODP_1024_BIT},
+	{"modp1024s160",	MODP_1024_160},
+	{"modp1536",		MODP_1536_BIT},
+	{"modp2048",		MODP_2048_BIT},
+	{"modp2048s224",	MODP_2048_224},
+	{"modp2048s256",	MODP_2048_256},
+	{"modp3072",		MODP_3072_BIT},
+	{"modp4096",		MODP_4096_BIT},
+	{"modp6144",		MODP_6144_BIT},
+	{"modp8192",		MODP_8192_BIT},
+	{"ecp256",			ECP_256_BIT},
+	{"ecp384",			ECP_384_BIT},
+	{"ecp521",			ECP_521_BIT},
+	{"ecp192",			ECP_192_BIT},
+	{"ecp224",			ECP_224_BIT},
 };
 
 static void start_timing(struct timespec *start)
diff --git a/src/Makefile.am b/src/Makefile.am
index ae3ec8a20..8d4dd2e37 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -4,6 +4,10 @@ if USE_LIBSTRONGSWAN
   SUBDIRS += libstrongswan
 endif
 
+if USE_LIBHYDRA
+  SUBDIRS += libhydra
+endif
+
 if USE_SIMAKA
   SUBDIRS += libsimaka
 endif
@@ -17,7 +21,7 @@ if USE_PLUTO
 endif
 
 if USE_CHARON
-  SUBDIRS += charon
+  SUBDIRS += libcharon charon
 endif
 
 if USE_STROKE
@@ -29,7 +33,7 @@ if USE_UPDOWN
 endif
 
 if USE_TOOLS
-  SUBDIRS += openac scepclient pki
+  SUBDIRS += libfreeswan openac scepclient pki
 endif
 
 if USE_DUMM
diff --git a/src/Makefile.in b/src/Makefile.in
index 2e305f50a..2a04c8b19 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -34,18 +34,19 @@ POST_UNINSTALL = :
 build_triplet = @build@
 host_triplet = @host@
 @USE_LIBSTRONGSWAN_TRUE@am__append_1 = libstrongswan
-@USE_SIMAKA_TRUE@am__append_2 = libsimaka
-@USE_FILE_CONFIG_TRUE@am__append_3 = libfreeswan starter ipsec _copyright
-@USE_PLUTO_TRUE@am__append_4 = pluto whack
-@USE_CHARON_TRUE@am__append_5 = charon
-@USE_STROKE_TRUE@am__append_6 = stroke
-@USE_UPDOWN_TRUE@am__append_7 = _updown _updown_espmark
-@USE_TOOLS_TRUE@am__append_8 = openac scepclient pki
-@USE_DUMM_TRUE@am__append_9 = dumm
-@USE_FAST_TRUE@am__append_10 = libfast
-@USE_MANAGER_TRUE@am__append_11 = manager
-@USE_MEDSRV_TRUE@am__append_12 = medsrv
-@USE_INTEGRITY_TEST_TRUE@am__append_13 = checksum
+@USE_LIBHYDRA_TRUE@am__append_2 = libhydra
+@USE_SIMAKA_TRUE@am__append_3 = libsimaka
+@USE_FILE_CONFIG_TRUE@am__append_4 = libfreeswan starter ipsec _copyright
+@USE_PLUTO_TRUE@am__append_5 = pluto whack
+@USE_CHARON_TRUE@am__append_6 = libcharon charon
+@USE_STROKE_TRUE@am__append_7 = stroke
+@USE_UPDOWN_TRUE@am__append_8 = _updown _updown_espmark
+@USE_TOOLS_TRUE@am__append_9 = libfreeswan openac scepclient pki
+@USE_DUMM_TRUE@am__append_10 = dumm
+@USE_FAST_TRUE@am__append_11 = libfast
+@USE_MANAGER_TRUE@am__append_12 = manager
+@USE_MEDSRV_TRUE@am__append_13 = medsrv
+@USE_INTEGRITY_TEST_TRUE@am__append_14 = checksum
 subdir = src
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
@@ -78,10 +79,10 @@ AM_RECURSIVE_TARGETS = $(RECURSIVE_TARGETS:-recursive=) \
 	distdir
 ETAGS = etags
 CTAGS = ctags
-DIST_SUBDIRS = . include libstrongswan libsimaka libfreeswan starter \
-	ipsec _copyright pluto whack charon stroke _updown \
-	_updown_espmark openac scepclient pki dumm libfast manager \
-	medsrv checksum
+DIST_SUBDIRS = . include libstrongswan libhydra libsimaka libfreeswan \
+	starter ipsec _copyright pluto whack libcharon charon stroke \
+	_updown _updown_espmark openac scepclient pki dumm libfast \
+	manager medsrv checksum
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 am__relativize = \
   dir0=`pwd`; \
@@ -228,6 +229,7 @@ ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libhydra_plugins = @libhydra_plugins@
 libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
@@ -266,7 +268,7 @@ SUBDIRS = . include $(am__append_1) $(am__append_2) $(am__append_3) \
 	$(am__append_4) $(am__append_5) $(am__append_6) \
 	$(am__append_7) $(am__append_8) $(am__append_9) \
 	$(am__append_10) $(am__append_11) $(am__append_12) \
-	$(am__append_13)
+	$(am__append_13) $(am__append_14)
 EXTRA_DIST = strongswan.conf
 all: all-recursive
 
diff --git a/src/_copyright/Makefile.in b/src/_copyright/Makefile.in
index fe529a151..d4e1c157b 100644
--- a/src/_copyright/Makefile.in
+++ b/src/_copyright/Makefile.in
@@ -221,6 +221,7 @@ ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libhydra_plugins = @libhydra_plugins@
 libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
diff --git a/src/_updown/Makefile.in b/src/_updown/Makefile.in
index e99238ed8..cf153461d 100644
--- a/src/_updown/Makefile.in
+++ b/src/_updown/Makefile.in
@@ -200,6 +200,7 @@ ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libhydra_plugins = @libhydra_plugins@
 libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
diff --git a/src/_updown_espmark/Makefile.in b/src/_updown_espmark/Makefile.in
index ed88b67a6..a4379b44c 100644
--- a/src/_updown_espmark/Makefile.in
+++ b/src/_updown_espmark/Makefile.in
@@ -200,6 +200,7 @@ ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libhydra_plugins = @libhydra_plugins@
 libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
diff --git a/src/charon/Android.mk b/src/charon/Android.mk
new file mode 100644
index 000000000..491d7f946
--- /dev/null
+++ b/src/charon/Android.mk
@@ -0,0 +1,27 @@
+LOCAL_PATH := $(call my-dir)
+include $(CLEAR_VARS)
+
+# copy-n-paste from Makefile.am
+LOCAL_SRC_FILES := \
+charon.c
+
+# build charon -----------------------------------------------------------------
+
+LOCAL_C_INCLUDES += \
+	$(libvstr_PATH) \
+	$(strongswan_PATH)/src/libhydra \
+	$(strongswan_PATH)/src/libcharon \
+	$(strongswan_PATH)/src/libstrongswan
+
+LOCAL_CFLAGS := $(strongswan_CFLAGS)
+
+LOCAL_MODULE := charon
+
+LOCAL_ARM_MODE := arm
+
+LOCAL_PRELINK_MODULE := false
+
+LOCAL_SHARED_LIBRARIES += libstrongswan libhydra libcharon
+
+include $(BUILD_EXECUTABLE)
+
diff --git a/src/charon/Makefile.am b/src/charon/Makefile.am
index e20d45cf8..6481947f1 100644
--- a/src/charon/Makefile.am
+++ b/src/charon/Makefile.am
@@ -1,275 +1,22 @@
 ipsec_PROGRAMS = charon
 
 charon_SOURCES = \
-bus/bus.c bus/bus.h \
-bus/listeners/listener.h \
-bus/listeners/file_logger.c bus/listeners/file_logger.h \
-bus/listeners/sys_logger.c bus/listeners/sys_logger.h \
-config/backend_manager.c config/backend_manager.h config/backend.h \
-config/child_cfg.c config/child_cfg.h \
-config/ike_cfg.c config/ike_cfg.h \
-config/peer_cfg.c config/peer_cfg.h \
-config/proposal.c config/proposal.h \
-config/auth_cfg.c config/auth_cfg.h \
-control/controller.c control/controller.h \
-daemon.c daemon.h \
-encoding/generator.c encoding/generator.h \
-encoding/message.c encoding/message.h \
-encoding/parser.c encoding/parser.h \
-encoding/payloads/auth_payload.c encoding/payloads/auth_payload.h \
-encoding/payloads/cert_payload.c encoding/payloads/cert_payload.h \
-encoding/payloads/certreq_payload.c encoding/payloads/certreq_payload.h \
-encoding/payloads/configuration_attribute.c encoding/payloads/configuration_attribute.h \
-encoding/payloads/cp_payload.c encoding/payloads/cp_payload.h \
-encoding/payloads/delete_payload.c encoding/payloads/delete_payload.h \
-encoding/payloads/eap_payload.c encoding/payloads/eap_payload.h \
-encoding/payloads/encodings.c encoding/payloads/encodings.h \
-encoding/payloads/encryption_payload.c encoding/payloads/encryption_payload.h \
-encoding/payloads/id_payload.c encoding/payloads/id_payload.h \
-encoding/payloads/ike_header.c encoding/payloads/ike_header.h \
-encoding/payloads/ke_payload.c  encoding/payloads/ke_payload.h \
-encoding/payloads/nonce_payload.c encoding/payloads/nonce_payload.h \
-encoding/payloads/notify_payload.c encoding/payloads/notify_payload.h \
-encoding/payloads/payload.c encoding/payloads/payload.h \
-encoding/payloads/proposal_substructure.c encoding/payloads/proposal_substructure.h \
-encoding/payloads/sa_payload.c encoding/payloads/sa_payload.h \
-encoding/payloads/traffic_selector_substructure.c encoding/payloads/traffic_selector_substructure.h \
-encoding/payloads/transform_attribute.c encoding/payloads/transform_attribute.h \
-encoding/payloads/transform_substructure.c encoding/payloads/transform_substructure.h \
-encoding/payloads/ts_payload.c encoding/payloads/ts_payload.h \
-encoding/payloads/unknown_payload.c encoding/payloads/unknown_payload.h \
-encoding/payloads/vendor_id_payload.c encoding/payloads/vendor_id_payload.h \
-kernel/kernel_interface.c kernel/kernel_interface.h \
-kernel/kernel_ipsec.c kernel/kernel_ipsec.h \
-kernel/kernel_net.h \
-network/packet.c network/packet.h \
-network/receiver.c network/receiver.h \
-network/sender.c network/sender.h \
-network/socket.h \
-processing/jobs/job.h \
-processing/jobs/acquire_job.c processing/jobs/acquire_job.h \
-processing/jobs/callback_job.c processing/jobs/callback_job.h \
-processing/jobs/delete_child_sa_job.c processing/jobs/delete_child_sa_job.h \
-processing/jobs/delete_ike_sa_job.c processing/jobs/delete_ike_sa_job.h \
-processing/jobs/migrate_job.c processing/jobs/migrate_job.h \
-processing/jobs/process_message_job.c processing/jobs/process_message_job.h \
-processing/jobs/rekey_child_sa_job.c processing/jobs/rekey_child_sa_job.h \
-processing/jobs/rekey_ike_sa_job.c processing/jobs/rekey_ike_sa_job.h \
-processing/jobs/retransmit_job.c processing/jobs/retransmit_job.h \
-processing/jobs/send_dpd_job.c processing/jobs/send_dpd_job.h \
-processing/jobs/send_keepalive_job.c processing/jobs/send_keepalive_job.h \
-processing/jobs/roam_job.c processing/jobs/roam_job.h \
-processing/jobs/update_sa_job.c processing/jobs/update_sa_job.h \
-processing/jobs/inactivity_job.c processing/jobs/inactivity_job.h \
-processing/scheduler.c processing/scheduler.h \
-processing/processor.c processing/processor.h  \
-sa/authenticators/authenticator.c sa/authenticators/authenticator.h \
-sa/authenticators/eap_authenticator.c sa/authenticators/eap_authenticator.h \
-sa/authenticators/eap/eap_method.c sa/authenticators/eap/eap_method.h \
-sa/authenticators/eap/eap_manager.c sa/authenticators/eap/eap_manager.h \
-sa/authenticators/eap/sim_manager.c sa/authenticators/eap/sim_manager.h \
-sa/authenticators/psk_authenticator.c sa/authenticators/psk_authenticator.h \
-sa/authenticators/pubkey_authenticator.c sa/authenticators/pubkey_authenticator.h \
-sa/child_sa.c sa/child_sa.h \
-sa/ike_sa.c sa/ike_sa.h \
-sa/ike_sa_id.c sa/ike_sa_id.h \
-sa/ike_sa_manager.c sa/ike_sa_manager.h \
-sa/task_manager.c sa/task_manager.h \
-sa/keymat.c sa/keymat.h \
-sa/trap_manager.c sa/trap_manager.h \
-sa/tasks/child_create.c sa/tasks/child_create.h \
-sa/tasks/child_delete.c sa/tasks/child_delete.h \
-sa/tasks/child_rekey.c sa/tasks/child_rekey.h \
-sa/tasks/ike_auth.c sa/tasks/ike_auth.h \
-sa/tasks/ike_cert_pre.c sa/tasks/ike_cert_pre.h \
-sa/tasks/ike_cert_post.c sa/tasks/ike_cert_post.h \
-sa/tasks/ike_config.c sa/tasks/ike_config.h \
-sa/tasks/ike_delete.c sa/tasks/ike_delete.h \
-sa/tasks/ike_dpd.c sa/tasks/ike_dpd.h \
-sa/tasks/ike_init.c sa/tasks/ike_init.h \
-sa/tasks/ike_natd.c sa/tasks/ike_natd.h \
-sa/tasks/ike_mobike.c sa/tasks/ike_mobike.h \
-sa/tasks/ike_rekey.c sa/tasks/ike_rekey.h \
-sa/tasks/ike_reauth.c sa/tasks/ike_reauth.h \
-sa/tasks/ike_auth_lifetime.c sa/tasks/ike_auth_lifetime.h \
-sa/tasks/ike_vendor.c sa/tasks/ike_vendor.h \
-sa/tasks/task.c sa/tasks/task.h \
-credentials/credential_manager.c credentials/credential_manager.h \
-credentials/sets/auth_cfg_wrapper.c credentials/sets/auth_cfg_wrapper.h \
-credentials/sets/ocsp_response_wrapper.c credentials/sets/ocsp_response_wrapper.h \
-credentials/sets/cert_cache.c credentials/sets/cert_cache.h \
-credentials/credential_set.h
+charon.c
 
-INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
-AM_CFLAGS = -rdynamic \
-  -DIPSEC_DIR=\"${ipsecdir}\" \
-  -DIPSEC_PIDDIR=\"${piddir}\"
-charon_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -lm $(PTHREADLIB) $(DLLIB) $(SOCKLIB)
+INCLUDES = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
 
-# compile options
-#################
+AM_CFLAGS = \
+	-DIPSEC_DIR=\"${ipsecdir}\" \
+	-DIPSEC_PIDDIR=\"${piddir}\"
 
-# Use RAW socket if pluto gets built
-if USE_PLUTO
-  charon_SOURCES += network/socket-raw.c
-else
-  charon_SOURCES += network/socket.c
-endif
+charon_LDADD = \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la \
+	$(top_builddir)/src/libhydra/libhydra.la \
+	$(top_builddir)/src/libcharon/libcharon.la \
+	-lm $(PTHREADLIB) $(DLLIB)
 
-if USE_ME
-  charon_SOURCES += encoding/payloads/endpoint_notify.c encoding/payloads/endpoint_notify.h \
-    processing/jobs/initiate_mediation_job.c processing/jobs/initiate_mediation_job.h \
-    processing/jobs/mediation_job.c processing/jobs/mediation_job.h \
-    sa/connect_manager.c sa/connect_manager.h \
-    sa/mediation_manager.c sa/mediation_manager.h \
-    sa/tasks/ike_me.c sa/tasks/ike_me.h
-endif
-
-if USE_CAPABILITIES
-  charon_LDADD += -lcap
-endif
-
-
-# build optional plugins
-########################
-
-SUBDIRS = .
-PLUGINS = ${libstrongswan_plugins}
-
-if USE_LOAD_TESTER
-  SUBDIRS += plugins/load_tester
-  PLUGINS += load-tester
-endif
-
-if USE_KERNEL_PFKEY
-  SUBDIRS += plugins/kernel_pfkey
-  PLUGINS += kernel-pfkey
-endif
-
-if USE_KERNEL_PFROUTE
-  SUBDIRS += plugins/kernel_pfroute
-  PLUGINS += kernel-pfroute
-endif
-
-if USE_KERNEL_KLIPS
-  SUBDIRS += plugins/kernel_klips
-  PLUGINS += kernel-klips
-endif
-
-if USE_KERNEL_NETLINK
-  SUBDIRS += plugins/kernel_netlink
-  PLUGINS += kernel-netlink
-endif
-
-if USE_STROKE
-  SUBDIRS += plugins/stroke
-  PLUGINS += stroke
-endif
-
-if USE_SMP
-  SUBDIRS += plugins/smp
-  PLUGINS += smp
-endif
-
-if USE_SQL
-  SUBDIRS += plugins/sql
-  PLUGINS += sql
-endif
-
-if USE_UPDOWN
-  SUBDIRS += plugins/updown
-  PLUGINS += updown
-endif
-
-if USE_ATTR
-  SUBDIRS += plugins/attr
-  PLUGINS += attr
-endif
-
-if USE_EAP_IDENTITY
-  SUBDIRS += plugins/eap_identity
-  PLUGINS += eap-identity
-endif
-
-if USE_EAP_SIM
-  SUBDIRS += plugins/eap_sim
-  PLUGINS += eap-sim
-endif
-
-if USE_EAP_SIM_FILE
-  SUBDIRS += plugins/eap_sim_file
-  PLUGINS += eap-sim-file
-endif
-
-if USE_EAP_SIMAKA_PSEUDONYM
-  SUBDIRS += plugins/eap_simaka_pseudonym
-  PLUGINS += eap-simaka-pseudonym
-endif
-
-if USE_EAP_SIMAKA_REAUTH
-  SUBDIRS += plugins/eap_simaka_reauth
-  PLUGINS += eap-simaka-reauth
-endif
-
-if USE_EAP_MD5
-  SUBDIRS += plugins/eap_md5
-  PLUGINS += eap-md5
-endif
-
-if USE_EAP_GTC
-  SUBDIRS += plugins/eap_gtc
-  PLUGINS += eap-gtc
-endif
-
-if USE_EAP_AKA
-  SUBDIRS += plugins/eap_aka
-  PLUGINS += eap-aka
-endif
-
-if USE_EAP_AKA_3GPP2
-  SUBDIRS += plugins/eap_aka_3gpp2
-  PLUGINS += eap-aka-3gpp2
-endif
-
-if USE_EAP_MSCHAPV2
-  SUBDIRS += plugins/eap_mschapv2
-  PLUGINS += eap-mschapv2
-endif
-
-if USE_EAP_RADIUS
-  SUBDIRS += plugins/eap_radius
-  PLUGINS += eap-radius
-endif
-
-if USE_MEDSRV
-  SUBDIRS += plugins/medsrv
-  PLUGINS += medsrv
-endif
-
-if USE_MEDCLI
-  SUBDIRS += plugins/medcli
-  PLUGINS += medcli
-endif
-
-if USE_NM
-  SUBDIRS += plugins/nm
-  PLUGINS += nm
-endif
-
-if USE_RESOLVE
-  SUBDIRS += plugins/resolve
-  PLUGINS += resolve
-endif
-
-if USE_UCI
-  SUBDIRS += plugins/uci
-  PLUGINS += uci
-endif
-
-if USE_UNIT_TESTS
-  SUBDIRS += plugins/unit_tester
-  PLUGINS += unit-tester
-endif
-
-AM_CFLAGS += -DPLUGINS=\""${PLUGINS}\""
+EXTRA_DIST = Android.mk
 
diff --git a/src/charon/Makefile.in b/src/charon/Makefile.in
index d7339b226..66690a37a 100644
--- a/src/charon/Makefile.in
+++ b/src/charon/Makefile.in
@@ -35,75 +35,6 @@ POST_UNINSTALL = :
 build_triplet = @build@
 host_triplet = @host@
 ipsec_PROGRAMS = charon$(EXEEXT)
-
-# compile options
-#################
-
-# Use RAW socket if pluto gets built
-@USE_PLUTO_TRUE@am__append_1 = network/socket-raw.c
-@USE_PLUTO_FALSE@am__append_2 = network/socket.c
-@USE_ME_TRUE@am__append_3 = encoding/payloads/endpoint_notify.c encoding/payloads/endpoint_notify.h \
-@USE_ME_TRUE@    processing/jobs/initiate_mediation_job.c processing/jobs/initiate_mediation_job.h \
-@USE_ME_TRUE@    processing/jobs/mediation_job.c processing/jobs/mediation_job.h \
-@USE_ME_TRUE@    sa/connect_manager.c sa/connect_manager.h \
-@USE_ME_TRUE@    sa/mediation_manager.c sa/mediation_manager.h \
-@USE_ME_TRUE@    sa/tasks/ike_me.c sa/tasks/ike_me.h
-
-@USE_CAPABILITIES_TRUE@am__append_4 = -lcap
-@USE_LOAD_TESTER_TRUE@am__append_5 = plugins/load_tester
-@USE_LOAD_TESTER_TRUE@am__append_6 = load-tester
-@USE_KERNEL_PFKEY_TRUE@am__append_7 = plugins/kernel_pfkey
-@USE_KERNEL_PFKEY_TRUE@am__append_8 = kernel-pfkey
-@USE_KERNEL_PFROUTE_TRUE@am__append_9 = plugins/kernel_pfroute
-@USE_KERNEL_PFROUTE_TRUE@am__append_10 = kernel-pfroute
-@USE_KERNEL_KLIPS_TRUE@am__append_11 = plugins/kernel_klips
-@USE_KERNEL_KLIPS_TRUE@am__append_12 = kernel-klips
-@USE_KERNEL_NETLINK_TRUE@am__append_13 = plugins/kernel_netlink
-@USE_KERNEL_NETLINK_TRUE@am__append_14 = kernel-netlink
-@USE_STROKE_TRUE@am__append_15 = plugins/stroke
-@USE_STROKE_TRUE@am__append_16 = stroke
-@USE_SMP_TRUE@am__append_17 = plugins/smp
-@USE_SMP_TRUE@am__append_18 = smp
-@USE_SQL_TRUE@am__append_19 = plugins/sql
-@USE_SQL_TRUE@am__append_20 = sql
-@USE_UPDOWN_TRUE@am__append_21 = plugins/updown
-@USE_UPDOWN_TRUE@am__append_22 = updown
-@USE_ATTR_TRUE@am__append_23 = plugins/attr
-@USE_ATTR_TRUE@am__append_24 = attr
-@USE_EAP_IDENTITY_TRUE@am__append_25 = plugins/eap_identity
-@USE_EAP_IDENTITY_TRUE@am__append_26 = eap-identity
-@USE_EAP_SIM_TRUE@am__append_27 = plugins/eap_sim
-@USE_EAP_SIM_TRUE@am__append_28 = eap-sim
-@USE_EAP_SIM_FILE_TRUE@am__append_29 = plugins/eap_sim_file
-@USE_EAP_SIM_FILE_TRUE@am__append_30 = eap-sim-file
-@USE_EAP_SIMAKA_PSEUDONYM_TRUE@am__append_31 = plugins/eap_simaka_pseudonym
-@USE_EAP_SIMAKA_PSEUDONYM_TRUE@am__append_32 = eap-simaka-pseudonym
-@USE_EAP_SIMAKA_REAUTH_TRUE@am__append_33 = plugins/eap_simaka_reauth
-@USE_EAP_SIMAKA_REAUTH_TRUE@am__append_34 = eap-simaka-reauth
-@USE_EAP_MD5_TRUE@am__append_35 = plugins/eap_md5
-@USE_EAP_MD5_TRUE@am__append_36 = eap-md5
-@USE_EAP_GTC_TRUE@am__append_37 = plugins/eap_gtc
-@USE_EAP_GTC_TRUE@am__append_38 = eap-gtc
-@USE_EAP_AKA_TRUE@am__append_39 = plugins/eap_aka
-@USE_EAP_AKA_TRUE@am__append_40 = eap-aka
-@USE_EAP_AKA_3GPP2_TRUE@am__append_41 = plugins/eap_aka_3gpp2
-@USE_EAP_AKA_3GPP2_TRUE@am__append_42 = eap-aka-3gpp2
-@USE_EAP_MSCHAPV2_TRUE@am__append_43 = plugins/eap_mschapv2
-@USE_EAP_MSCHAPV2_TRUE@am__append_44 = eap-mschapv2
-@USE_EAP_RADIUS_TRUE@am__append_45 = plugins/eap_radius
-@USE_EAP_RADIUS_TRUE@am__append_46 = eap-radius
-@USE_MEDSRV_TRUE@am__append_47 = plugins/medsrv
-@USE_MEDSRV_TRUE@am__append_48 = medsrv
-@USE_MEDCLI_TRUE@am__append_49 = plugins/medcli
-@USE_MEDCLI_TRUE@am__append_50 = medcli
-@USE_NM_TRUE@am__append_51 = plugins/nm
-@USE_NM_TRUE@am__append_52 = nm
-@USE_RESOLVE_TRUE@am__append_53 = plugins/resolve
-@USE_RESOLVE_TRUE@am__append_54 = resolve
-@USE_UCI_TRUE@am__append_55 = plugins/uci
-@USE_UCI_TRUE@am__append_56 = uci
-@USE_UNIT_TESTS_TRUE@am__append_57 = plugins/unit_tester
-@USE_UNIT_TESTS_TRUE@am__append_58 = unit-tester
 subdir = src/charon
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
@@ -122,186 +53,13 @@ CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__installdirs = "$(DESTDIR)$(ipsecdir)"
 PROGRAMS = $(ipsec_PROGRAMS)
-am__charon_SOURCES_DIST = bus/bus.c bus/bus.h bus/listeners/listener.h \
-	bus/listeners/file_logger.c bus/listeners/file_logger.h \
-	bus/listeners/sys_logger.c bus/listeners/sys_logger.h \
-	config/backend_manager.c config/backend_manager.h \
-	config/backend.h config/child_cfg.c config/child_cfg.h \
-	config/ike_cfg.c config/ike_cfg.h config/peer_cfg.c \
-	config/peer_cfg.h config/proposal.c config/proposal.h \
-	config/auth_cfg.c config/auth_cfg.h control/controller.c \
-	control/controller.h daemon.c daemon.h encoding/generator.c \
-	encoding/generator.h encoding/message.c encoding/message.h \
-	encoding/parser.c encoding/parser.h \
-	encoding/payloads/auth_payload.c \
-	encoding/payloads/auth_payload.h \
-	encoding/payloads/cert_payload.c \
-	encoding/payloads/cert_payload.h \
-	encoding/payloads/certreq_payload.c \
-	encoding/payloads/certreq_payload.h \
-	encoding/payloads/configuration_attribute.c \
-	encoding/payloads/configuration_attribute.h \
-	encoding/payloads/cp_payload.c encoding/payloads/cp_payload.h \
-	encoding/payloads/delete_payload.c \
-	encoding/payloads/delete_payload.h \
-	encoding/payloads/eap_payload.c \
-	encoding/payloads/eap_payload.h encoding/payloads/encodings.c \
-	encoding/payloads/encodings.h \
-	encoding/payloads/encryption_payload.c \
-	encoding/payloads/encryption_payload.h \
-	encoding/payloads/id_payload.c encoding/payloads/id_payload.h \
-	encoding/payloads/ike_header.c encoding/payloads/ike_header.h \
-	encoding/payloads/ke_payload.c encoding/payloads/ke_payload.h \
-	encoding/payloads/nonce_payload.c \
-	encoding/payloads/nonce_payload.h \
-	encoding/payloads/notify_payload.c \
-	encoding/payloads/notify_payload.h encoding/payloads/payload.c \
-	encoding/payloads/payload.h \
-	encoding/payloads/proposal_substructure.c \
-	encoding/payloads/proposal_substructure.h \
-	encoding/payloads/sa_payload.c encoding/payloads/sa_payload.h \
-	encoding/payloads/traffic_selector_substructure.c \
-	encoding/payloads/traffic_selector_substructure.h \
-	encoding/payloads/transform_attribute.c \
-	encoding/payloads/transform_attribute.h \
-	encoding/payloads/transform_substructure.c \
-	encoding/payloads/transform_substructure.h \
-	encoding/payloads/ts_payload.c encoding/payloads/ts_payload.h \
-	encoding/payloads/unknown_payload.c \
-	encoding/payloads/unknown_payload.h \
-	encoding/payloads/vendor_id_payload.c \
-	encoding/payloads/vendor_id_payload.h \
-	kernel/kernel_interface.c kernel/kernel_interface.h \
-	kernel/kernel_ipsec.c kernel/kernel_ipsec.h \
-	kernel/kernel_net.h network/packet.c network/packet.h \
-	network/receiver.c network/receiver.h network/sender.c \
-	network/sender.h network/socket.h processing/jobs/job.h \
-	processing/jobs/acquire_job.c processing/jobs/acquire_job.h \
-	processing/jobs/callback_job.c processing/jobs/callback_job.h \
-	processing/jobs/delete_child_sa_job.c \
-	processing/jobs/delete_child_sa_job.h \
-	processing/jobs/delete_ike_sa_job.c \
-	processing/jobs/delete_ike_sa_job.h \
-	processing/jobs/migrate_job.c processing/jobs/migrate_job.h \
-	processing/jobs/process_message_job.c \
-	processing/jobs/process_message_job.h \
-	processing/jobs/rekey_child_sa_job.c \
-	processing/jobs/rekey_child_sa_job.h \
-	processing/jobs/rekey_ike_sa_job.c \
-	processing/jobs/rekey_ike_sa_job.h \
-	processing/jobs/retransmit_job.c \
-	processing/jobs/retransmit_job.h \
-	processing/jobs/send_dpd_job.c processing/jobs/send_dpd_job.h \
-	processing/jobs/send_keepalive_job.c \
-	processing/jobs/send_keepalive_job.h \
-	processing/jobs/roam_job.c processing/jobs/roam_job.h \
-	processing/jobs/update_sa_job.c \
-	processing/jobs/update_sa_job.h \
-	processing/jobs/inactivity_job.c \
-	processing/jobs/inactivity_job.h processing/scheduler.c \
-	processing/scheduler.h processing/processor.c \
-	processing/processor.h sa/authenticators/authenticator.c \
-	sa/authenticators/authenticator.h \
-	sa/authenticators/eap_authenticator.c \
-	sa/authenticators/eap_authenticator.h \
-	sa/authenticators/eap/eap_method.c \
-	sa/authenticators/eap/eap_method.h \
-	sa/authenticators/eap/eap_manager.c \
-	sa/authenticators/eap/eap_manager.h \
-	sa/authenticators/eap/sim_manager.c \
-	sa/authenticators/eap/sim_manager.h \
-	sa/authenticators/psk_authenticator.c \
-	sa/authenticators/psk_authenticator.h \
-	sa/authenticators/pubkey_authenticator.c \
-	sa/authenticators/pubkey_authenticator.h sa/child_sa.c \
-	sa/child_sa.h sa/ike_sa.c sa/ike_sa.h sa/ike_sa_id.c \
-	sa/ike_sa_id.h sa/ike_sa_manager.c sa/ike_sa_manager.h \
-	sa/task_manager.c sa/task_manager.h sa/keymat.c sa/keymat.h \
-	sa/trap_manager.c sa/trap_manager.h sa/tasks/child_create.c \
-	sa/tasks/child_create.h sa/tasks/child_delete.c \
-	sa/tasks/child_delete.h sa/tasks/child_rekey.c \
-	sa/tasks/child_rekey.h sa/tasks/ike_auth.c sa/tasks/ike_auth.h \
-	sa/tasks/ike_cert_pre.c sa/tasks/ike_cert_pre.h \
-	sa/tasks/ike_cert_post.c sa/tasks/ike_cert_post.h \
-	sa/tasks/ike_config.c sa/tasks/ike_config.h \
-	sa/tasks/ike_delete.c sa/tasks/ike_delete.h sa/tasks/ike_dpd.c \
-	sa/tasks/ike_dpd.h sa/tasks/ike_init.c sa/tasks/ike_init.h \
-	sa/tasks/ike_natd.c sa/tasks/ike_natd.h sa/tasks/ike_mobike.c \
-	sa/tasks/ike_mobike.h sa/tasks/ike_rekey.c \
-	sa/tasks/ike_rekey.h sa/tasks/ike_reauth.c \
-	sa/tasks/ike_reauth.h sa/tasks/ike_auth_lifetime.c \
-	sa/tasks/ike_auth_lifetime.h sa/tasks/ike_vendor.c \
-	sa/tasks/ike_vendor.h sa/tasks/task.c sa/tasks/task.h \
-	credentials/credential_manager.c \
-	credentials/credential_manager.h \
-	credentials/sets/auth_cfg_wrapper.c \
-	credentials/sets/auth_cfg_wrapper.h \
-	credentials/sets/ocsp_response_wrapper.c \
-	credentials/sets/ocsp_response_wrapper.h \
-	credentials/sets/cert_cache.c credentials/sets/cert_cache.h \
-	credentials/credential_set.h network/socket-raw.c \
-	network/socket.c encoding/payloads/endpoint_notify.c \
-	encoding/payloads/endpoint_notify.h \
-	processing/jobs/initiate_mediation_job.c \
-	processing/jobs/initiate_mediation_job.h \
-	processing/jobs/mediation_job.c \
-	processing/jobs/mediation_job.h sa/connect_manager.c \
-	sa/connect_manager.h sa/mediation_manager.c \
-	sa/mediation_manager.h sa/tasks/ike_me.c sa/tasks/ike_me.h
-@USE_PLUTO_TRUE@am__objects_1 = socket-raw.$(OBJEXT)
-@USE_PLUTO_FALSE@am__objects_2 = socket.$(OBJEXT)
-@USE_ME_TRUE@am__objects_3 = endpoint_notify.$(OBJEXT) \
-@USE_ME_TRUE@	initiate_mediation_job.$(OBJEXT) \
-@USE_ME_TRUE@	mediation_job.$(OBJEXT) connect_manager.$(OBJEXT) \
-@USE_ME_TRUE@	mediation_manager.$(OBJEXT) ike_me.$(OBJEXT)
-am_charon_OBJECTS = bus.$(OBJEXT) file_logger.$(OBJEXT) \
-	sys_logger.$(OBJEXT) backend_manager.$(OBJEXT) \
-	child_cfg.$(OBJEXT) ike_cfg.$(OBJEXT) peer_cfg.$(OBJEXT) \
-	proposal.$(OBJEXT) auth_cfg.$(OBJEXT) controller.$(OBJEXT) \
-	daemon.$(OBJEXT) generator.$(OBJEXT) message.$(OBJEXT) \
-	parser.$(OBJEXT) auth_payload.$(OBJEXT) cert_payload.$(OBJEXT) \
-	certreq_payload.$(OBJEXT) configuration_attribute.$(OBJEXT) \
-	cp_payload.$(OBJEXT) delete_payload.$(OBJEXT) \
-	eap_payload.$(OBJEXT) encodings.$(OBJEXT) \
-	encryption_payload.$(OBJEXT) id_payload.$(OBJEXT) \
-	ike_header.$(OBJEXT) ke_payload.$(OBJEXT) \
-	nonce_payload.$(OBJEXT) notify_payload.$(OBJEXT) \
-	payload.$(OBJEXT) proposal_substructure.$(OBJEXT) \
-	sa_payload.$(OBJEXT) traffic_selector_substructure.$(OBJEXT) \
-	transform_attribute.$(OBJEXT) transform_substructure.$(OBJEXT) \
-	ts_payload.$(OBJEXT) unknown_payload.$(OBJEXT) \
-	vendor_id_payload.$(OBJEXT) kernel_interface.$(OBJEXT) \
-	kernel_ipsec.$(OBJEXT) packet.$(OBJEXT) receiver.$(OBJEXT) \
-	sender.$(OBJEXT) acquire_job.$(OBJEXT) callback_job.$(OBJEXT) \
-	delete_child_sa_job.$(OBJEXT) delete_ike_sa_job.$(OBJEXT) \
-	migrate_job.$(OBJEXT) process_message_job.$(OBJEXT) \
-	rekey_child_sa_job.$(OBJEXT) rekey_ike_sa_job.$(OBJEXT) \
-	retransmit_job.$(OBJEXT) send_dpd_job.$(OBJEXT) \
-	send_keepalive_job.$(OBJEXT) roam_job.$(OBJEXT) \
-	update_sa_job.$(OBJEXT) inactivity_job.$(OBJEXT) \
-	scheduler.$(OBJEXT) processor.$(OBJEXT) \
-	authenticator.$(OBJEXT) eap_authenticator.$(OBJEXT) \
-	eap_method.$(OBJEXT) eap_manager.$(OBJEXT) \
-	sim_manager.$(OBJEXT) psk_authenticator.$(OBJEXT) \
-	pubkey_authenticator.$(OBJEXT) child_sa.$(OBJEXT) \
-	ike_sa.$(OBJEXT) ike_sa_id.$(OBJEXT) ike_sa_manager.$(OBJEXT) \
-	task_manager.$(OBJEXT) keymat.$(OBJEXT) trap_manager.$(OBJEXT) \
-	child_create.$(OBJEXT) child_delete.$(OBJEXT) \
-	child_rekey.$(OBJEXT) ike_auth.$(OBJEXT) \
-	ike_cert_pre.$(OBJEXT) ike_cert_post.$(OBJEXT) \
-	ike_config.$(OBJEXT) ike_delete.$(OBJEXT) ike_dpd.$(OBJEXT) \
-	ike_init.$(OBJEXT) ike_natd.$(OBJEXT) ike_mobike.$(OBJEXT) \
-	ike_rekey.$(OBJEXT) ike_reauth.$(OBJEXT) \
-	ike_auth_lifetime.$(OBJEXT) ike_vendor.$(OBJEXT) \
-	task.$(OBJEXT) credential_manager.$(OBJEXT) \
-	auth_cfg_wrapper.$(OBJEXT) ocsp_response_wrapper.$(OBJEXT) \
-	cert_cache.$(OBJEXT) $(am__objects_1) $(am__objects_2) \
-	$(am__objects_3)
+am_charon_OBJECTS = charon.$(OBJEXT)
 charon_OBJECTS = $(am_charon_OBJECTS)
 am__DEPENDENCIES_1 =
 charon_DEPENDENCIES =  \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
-	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
+	$(top_builddir)/src/libhydra/libhydra.la \
+	$(top_builddir)/src/libcharon/libcharon.la \
 	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1)
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
@@ -317,57 +75,10 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(charon_SOURCES)
-DIST_SOURCES = $(am__charon_SOURCES_DIST)
-RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \
-	html-recursive info-recursive install-data-recursive \
-	install-dvi-recursive install-exec-recursive \
-	install-html-recursive install-info-recursive \
-	install-pdf-recursive install-ps-recursive install-recursive \
-	installcheck-recursive installdirs-recursive pdf-recursive \
-	ps-recursive uninstall-recursive
-RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive	\
-  distclean-recursive maintainer-clean-recursive
-AM_RECURSIVE_TARGETS = $(RECURSIVE_TARGETS:-recursive=) \
-	$(RECURSIVE_CLEAN_TARGETS:-recursive=) tags TAGS ctags CTAGS \
-	distdir
+DIST_SOURCES = $(charon_SOURCES)
 ETAGS = etags
 CTAGS = ctags
-DIST_SUBDIRS = . plugins/load_tester plugins/kernel_pfkey \
-	plugins/kernel_pfroute plugins/kernel_klips \
-	plugins/kernel_netlink plugins/stroke plugins/smp plugins/sql \
-	plugins/updown plugins/attr plugins/eap_identity \
-	plugins/eap_sim plugins/eap_sim_file \
-	plugins/eap_simaka_pseudonym plugins/eap_simaka_reauth \
-	plugins/eap_md5 plugins/eap_gtc plugins/eap_aka \
-	plugins/eap_aka_3gpp2 plugins/eap_mschapv2 plugins/eap_radius \
-	plugins/medsrv plugins/medcli plugins/nm plugins/resolve \
-	plugins/uci plugins/unit_tester
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
-am__relativize = \
-  dir0=`pwd`; \
-  sed_first='s,^\([^/]*\)/.*$$,\1,'; \
-  sed_rest='s,^[^/]*/*,,'; \
-  sed_last='s,^.*/\([^/]*\)$$,\1,'; \
-  sed_butlast='s,/*[^/]*$$,,'; \
-  while test -n "$$dir1"; do \
-    first=`echo "$$dir1" | sed -e "$$sed_first"`; \
-    if test "$$first" != "."; then \
-      if test "$$first" = ".."; then \
-        dir2=`echo "$$dir0" | sed -e "$$sed_last"`/"$$dir2"; \
-        dir0=`echo "$$dir0" | sed -e "$$sed_butlast"`; \
-      else \
-        first2=`echo "$$dir2" | sed -e "$$sed_first"`; \
-        if test "$$first2" = "$$first"; then \
-          dir2=`echo "$$dir2" | sed -e "$$sed_rest"`; \
-        else \
-          dir2="../$$dir2"; \
-        fi; \
-        dir0="$$dir0"/"$$first"; \
-      fi; \
-    fi; \
-    dir1=`echo "$$dir1" | sed -e "$$sed_rest"`; \
-  done; \
-  reldir="$$dir2"
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
@@ -488,6 +199,7 @@ ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libhydra_plugins = @libhydra_plugins@
 libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
@@ -522,153 +234,26 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-charon_SOURCES = bus/bus.c bus/bus.h bus/listeners/listener.h \
-	bus/listeners/file_logger.c bus/listeners/file_logger.h \
-	bus/listeners/sys_logger.c bus/listeners/sys_logger.h \
-	config/backend_manager.c config/backend_manager.h \
-	config/backend.h config/child_cfg.c config/child_cfg.h \
-	config/ike_cfg.c config/ike_cfg.h config/peer_cfg.c \
-	config/peer_cfg.h config/proposal.c config/proposal.h \
-	config/auth_cfg.c config/auth_cfg.h control/controller.c \
-	control/controller.h daemon.c daemon.h encoding/generator.c \
-	encoding/generator.h encoding/message.c encoding/message.h \
-	encoding/parser.c encoding/parser.h \
-	encoding/payloads/auth_payload.c \
-	encoding/payloads/auth_payload.h \
-	encoding/payloads/cert_payload.c \
-	encoding/payloads/cert_payload.h \
-	encoding/payloads/certreq_payload.c \
-	encoding/payloads/certreq_payload.h \
-	encoding/payloads/configuration_attribute.c \
-	encoding/payloads/configuration_attribute.h \
-	encoding/payloads/cp_payload.c encoding/payloads/cp_payload.h \
-	encoding/payloads/delete_payload.c \
-	encoding/payloads/delete_payload.h \
-	encoding/payloads/eap_payload.c \
-	encoding/payloads/eap_payload.h encoding/payloads/encodings.c \
-	encoding/payloads/encodings.h \
-	encoding/payloads/encryption_payload.c \
-	encoding/payloads/encryption_payload.h \
-	encoding/payloads/id_payload.c encoding/payloads/id_payload.h \
-	encoding/payloads/ike_header.c encoding/payloads/ike_header.h \
-	encoding/payloads/ke_payload.c encoding/payloads/ke_payload.h \
-	encoding/payloads/nonce_payload.c \
-	encoding/payloads/nonce_payload.h \
-	encoding/payloads/notify_payload.c \
-	encoding/payloads/notify_payload.h encoding/payloads/payload.c \
-	encoding/payloads/payload.h \
-	encoding/payloads/proposal_substructure.c \
-	encoding/payloads/proposal_substructure.h \
-	encoding/payloads/sa_payload.c encoding/payloads/sa_payload.h \
-	encoding/payloads/traffic_selector_substructure.c \
-	encoding/payloads/traffic_selector_substructure.h \
-	encoding/payloads/transform_attribute.c \
-	encoding/payloads/transform_attribute.h \
-	encoding/payloads/transform_substructure.c \
-	encoding/payloads/transform_substructure.h \
-	encoding/payloads/ts_payload.c encoding/payloads/ts_payload.h \
-	encoding/payloads/unknown_payload.c \
-	encoding/payloads/unknown_payload.h \
-	encoding/payloads/vendor_id_payload.c \
-	encoding/payloads/vendor_id_payload.h \
-	kernel/kernel_interface.c kernel/kernel_interface.h \
-	kernel/kernel_ipsec.c kernel/kernel_ipsec.h \
-	kernel/kernel_net.h network/packet.c network/packet.h \
-	network/receiver.c network/receiver.h network/sender.c \
-	network/sender.h network/socket.h processing/jobs/job.h \
-	processing/jobs/acquire_job.c processing/jobs/acquire_job.h \
-	processing/jobs/callback_job.c processing/jobs/callback_job.h \
-	processing/jobs/delete_child_sa_job.c \
-	processing/jobs/delete_child_sa_job.h \
-	processing/jobs/delete_ike_sa_job.c \
-	processing/jobs/delete_ike_sa_job.h \
-	processing/jobs/migrate_job.c processing/jobs/migrate_job.h \
-	processing/jobs/process_message_job.c \
-	processing/jobs/process_message_job.h \
-	processing/jobs/rekey_child_sa_job.c \
-	processing/jobs/rekey_child_sa_job.h \
-	processing/jobs/rekey_ike_sa_job.c \
-	processing/jobs/rekey_ike_sa_job.h \
-	processing/jobs/retransmit_job.c \
-	processing/jobs/retransmit_job.h \
-	processing/jobs/send_dpd_job.c processing/jobs/send_dpd_job.h \
-	processing/jobs/send_keepalive_job.c \
-	processing/jobs/send_keepalive_job.h \
-	processing/jobs/roam_job.c processing/jobs/roam_job.h \
-	processing/jobs/update_sa_job.c \
-	processing/jobs/update_sa_job.h \
-	processing/jobs/inactivity_job.c \
-	processing/jobs/inactivity_job.h processing/scheduler.c \
-	processing/scheduler.h processing/processor.c \
-	processing/processor.h sa/authenticators/authenticator.c \
-	sa/authenticators/authenticator.h \
-	sa/authenticators/eap_authenticator.c \
-	sa/authenticators/eap_authenticator.h \
-	sa/authenticators/eap/eap_method.c \
-	sa/authenticators/eap/eap_method.h \
-	sa/authenticators/eap/eap_manager.c \
-	sa/authenticators/eap/eap_manager.h \
-	sa/authenticators/eap/sim_manager.c \
-	sa/authenticators/eap/sim_manager.h \
-	sa/authenticators/psk_authenticator.c \
-	sa/authenticators/psk_authenticator.h \
-	sa/authenticators/pubkey_authenticator.c \
-	sa/authenticators/pubkey_authenticator.h sa/child_sa.c \
-	sa/child_sa.h sa/ike_sa.c sa/ike_sa.h sa/ike_sa_id.c \
-	sa/ike_sa_id.h sa/ike_sa_manager.c sa/ike_sa_manager.h \
-	sa/task_manager.c sa/task_manager.h sa/keymat.c sa/keymat.h \
-	sa/trap_manager.c sa/trap_manager.h sa/tasks/child_create.c \
-	sa/tasks/child_create.h sa/tasks/child_delete.c \
-	sa/tasks/child_delete.h sa/tasks/child_rekey.c \
-	sa/tasks/child_rekey.h sa/tasks/ike_auth.c sa/tasks/ike_auth.h \
-	sa/tasks/ike_cert_pre.c sa/tasks/ike_cert_pre.h \
-	sa/tasks/ike_cert_post.c sa/tasks/ike_cert_post.h \
-	sa/tasks/ike_config.c sa/tasks/ike_config.h \
-	sa/tasks/ike_delete.c sa/tasks/ike_delete.h sa/tasks/ike_dpd.c \
-	sa/tasks/ike_dpd.h sa/tasks/ike_init.c sa/tasks/ike_init.h \
-	sa/tasks/ike_natd.c sa/tasks/ike_natd.h sa/tasks/ike_mobike.c \
-	sa/tasks/ike_mobike.h sa/tasks/ike_rekey.c \
-	sa/tasks/ike_rekey.h sa/tasks/ike_reauth.c \
-	sa/tasks/ike_reauth.h sa/tasks/ike_auth_lifetime.c \
-	sa/tasks/ike_auth_lifetime.h sa/tasks/ike_vendor.c \
-	sa/tasks/ike_vendor.h sa/tasks/task.c sa/tasks/task.h \
-	credentials/credential_manager.c \
-	credentials/credential_manager.h \
-	credentials/sets/auth_cfg_wrapper.c \
-	credentials/sets/auth_cfg_wrapper.h \
-	credentials/sets/ocsp_response_wrapper.c \
-	credentials/sets/ocsp_response_wrapper.h \
-	credentials/sets/cert_cache.c credentials/sets/cert_cache.h \
-	credentials/credential_set.h $(am__append_1) $(am__append_2) \
-	$(am__append_3)
-INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
-AM_CFLAGS = -rdynamic -DIPSEC_DIR=\"${ipsecdir}\" \
-	-DIPSEC_PIDDIR=\"${piddir}\" -DPLUGINS=\""${PLUGINS}\""
-charon_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -lm \
-	$(PTHREADLIB) $(DLLIB) $(SOCKLIB) $(am__append_4)
-
-# build optional plugins
-########################
-SUBDIRS = . $(am__append_5) $(am__append_7) $(am__append_9) \
-	$(am__append_11) $(am__append_13) $(am__append_15) \
-	$(am__append_17) $(am__append_19) $(am__append_21) \
-	$(am__append_23) $(am__append_25) $(am__append_27) \
-	$(am__append_29) $(am__append_31) $(am__append_33) \
-	$(am__append_35) $(am__append_37) $(am__append_39) \
-	$(am__append_41) $(am__append_43) $(am__append_45) \
-	$(am__append_47) $(am__append_49) $(am__append_51) \
-	$(am__append_53) $(am__append_55) $(am__append_57)
-PLUGINS = ${libstrongswan_plugins} $(am__append_6) $(am__append_8) \
-	$(am__append_10) $(am__append_12) $(am__append_14) \
-	$(am__append_16) $(am__append_18) $(am__append_20) \
-	$(am__append_22) $(am__append_24) $(am__append_26) \
-	$(am__append_28) $(am__append_30) $(am__append_32) \
-	$(am__append_34) $(am__append_36) $(am__append_38) \
-	$(am__append_40) $(am__append_42) $(am__append_44) \
-	$(am__append_46) $(am__append_48) $(am__append_50) \
-	$(am__append_52) $(am__append_54) $(am__append_56) \
-	$(am__append_58)
-all: all-recursive
+charon_SOURCES = \
+charon.c
+
+INCLUDES = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = \
+	-DIPSEC_DIR=\"${ipsecdir}\" \
+	-DIPSEC_PIDDIR=\"${piddir}\"
+
+charon_LDADD = \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la \
+	$(top_builddir)/src/libhydra/libhydra.la \
+	$(top_builddir)/src/libcharon/libcharon.la \
+	-lm $(PTHREADLIB) $(DLLIB)
+
+EXTRA_DIST = Android.mk
+all: all-am
 
 .SUFFIXES:
 .SUFFIXES: .c .lo .o .obj
@@ -755,107 +340,7 @@ mostlyclean-compile:
 distclean-compile:
 	-rm -f *.tab.c
 
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/acquire_job.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/auth_cfg.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/auth_cfg_wrapper.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/auth_payload.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/authenticator.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/backend_manager.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bus.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/callback_job.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cert_cache.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cert_payload.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/certreq_payload.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/child_cfg.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/child_create.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/child_delete.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/child_rekey.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/child_sa.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/configuration_attribute.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/connect_manager.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/controller.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cp_payload.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/credential_manager.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/daemon.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/delete_child_sa_job.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/delete_ike_sa_job.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/delete_payload.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_authenticator.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_manager.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_method.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_payload.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/encodings.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/encryption_payload.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/endpoint_notify.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/file_logger.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/generator.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/id_payload.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_auth.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_auth_lifetime.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_cert_post.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_cert_pre.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_cfg.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_config.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_delete.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_dpd.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_header.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_init.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_me.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_mobike.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_natd.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_reauth.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_rekey.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_sa.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_sa_id.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_sa_manager.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_vendor.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/inactivity_job.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/initiate_mediation_job.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ke_payload.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_interface.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_ipsec.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/keymat.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mediation_job.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mediation_manager.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/message.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/migrate_job.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/nonce_payload.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/notify_payload.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ocsp_response_wrapper.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/packet.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/parser.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/payload.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/peer_cfg.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/process_message_job.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/processor.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/proposal.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/proposal_substructure.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/psk_authenticator.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pubkey_authenticator.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/receiver.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rekey_child_sa_job.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rekey_ike_sa_job.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/retransmit_job.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/roam_job.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sa_payload.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/scheduler.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/send_dpd_job.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/send_keepalive_job.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sender.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sim_manager.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/socket-raw.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/socket.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sys_logger.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/task.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/task_manager.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/traffic_selector_substructure.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/transform_attribute.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/transform_substructure.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/trap_manager.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ts_payload.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/unknown_payload.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/update_sa_job.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/vendor_id_payload.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/charon.Po@am__quote@
 
 .c.o:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
@@ -878,1482 +363,12 @@ distclean-compile:
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
 
-bus.o: bus/bus.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT bus.o -MD -MP -MF $(DEPDIR)/bus.Tpo -c -o bus.o `test -f 'bus/bus.c' || echo '$(srcdir)/'`bus/bus.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/bus.Tpo $(DEPDIR)/bus.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='bus/bus.c' object='bus.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o bus.o `test -f 'bus/bus.c' || echo '$(srcdir)/'`bus/bus.c
-
-bus.obj: bus/bus.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT bus.obj -MD -MP -MF $(DEPDIR)/bus.Tpo -c -o bus.obj `if test -f 'bus/bus.c'; then $(CYGPATH_W) 'bus/bus.c'; else $(CYGPATH_W) '$(srcdir)/bus/bus.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/bus.Tpo $(DEPDIR)/bus.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='bus/bus.c' object='bus.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o bus.obj `if test -f 'bus/bus.c'; then $(CYGPATH_W) 'bus/bus.c'; else $(CYGPATH_W) '$(srcdir)/bus/bus.c'; fi`
-
-file_logger.o: bus/listeners/file_logger.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT file_logger.o -MD -MP -MF $(DEPDIR)/file_logger.Tpo -c -o file_logger.o `test -f 'bus/listeners/file_logger.c' || echo '$(srcdir)/'`bus/listeners/file_logger.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/file_logger.Tpo $(DEPDIR)/file_logger.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='bus/listeners/file_logger.c' object='file_logger.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o file_logger.o `test -f 'bus/listeners/file_logger.c' || echo '$(srcdir)/'`bus/listeners/file_logger.c
-
-file_logger.obj: bus/listeners/file_logger.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT file_logger.obj -MD -MP -MF $(DEPDIR)/file_logger.Tpo -c -o file_logger.obj `if test -f 'bus/listeners/file_logger.c'; then $(CYGPATH_W) 'bus/listeners/file_logger.c'; else $(CYGPATH_W) '$(srcdir)/bus/listeners/file_logger.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/file_logger.Tpo $(DEPDIR)/file_logger.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='bus/listeners/file_logger.c' object='file_logger.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o file_logger.obj `if test -f 'bus/listeners/file_logger.c'; then $(CYGPATH_W) 'bus/listeners/file_logger.c'; else $(CYGPATH_W) '$(srcdir)/bus/listeners/file_logger.c'; fi`
-
-sys_logger.o: bus/listeners/sys_logger.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sys_logger.o -MD -MP -MF $(DEPDIR)/sys_logger.Tpo -c -o sys_logger.o `test -f 'bus/listeners/sys_logger.c' || echo '$(srcdir)/'`bus/listeners/sys_logger.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/sys_logger.Tpo $(DEPDIR)/sys_logger.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='bus/listeners/sys_logger.c' object='sys_logger.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sys_logger.o `test -f 'bus/listeners/sys_logger.c' || echo '$(srcdir)/'`bus/listeners/sys_logger.c
-
-sys_logger.obj: bus/listeners/sys_logger.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sys_logger.obj -MD -MP -MF $(DEPDIR)/sys_logger.Tpo -c -o sys_logger.obj `if test -f 'bus/listeners/sys_logger.c'; then $(CYGPATH_W) 'bus/listeners/sys_logger.c'; else $(CYGPATH_W) '$(srcdir)/bus/listeners/sys_logger.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/sys_logger.Tpo $(DEPDIR)/sys_logger.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='bus/listeners/sys_logger.c' object='sys_logger.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sys_logger.obj `if test -f 'bus/listeners/sys_logger.c'; then $(CYGPATH_W) 'bus/listeners/sys_logger.c'; else $(CYGPATH_W) '$(srcdir)/bus/listeners/sys_logger.c'; fi`
-
-backend_manager.o: config/backend_manager.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT backend_manager.o -MD -MP -MF $(DEPDIR)/backend_manager.Tpo -c -o backend_manager.o `test -f 'config/backend_manager.c' || echo '$(srcdir)/'`config/backend_manager.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/backend_manager.Tpo $(DEPDIR)/backend_manager.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='config/backend_manager.c' object='backend_manager.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o backend_manager.o `test -f 'config/backend_manager.c' || echo '$(srcdir)/'`config/backend_manager.c
-
-backend_manager.obj: config/backend_manager.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT backend_manager.obj -MD -MP -MF $(DEPDIR)/backend_manager.Tpo -c -o backend_manager.obj `if test -f 'config/backend_manager.c'; then $(CYGPATH_W) 'config/backend_manager.c'; else $(CYGPATH_W) '$(srcdir)/config/backend_manager.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/backend_manager.Tpo $(DEPDIR)/backend_manager.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='config/backend_manager.c' object='backend_manager.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o backend_manager.obj `if test -f 'config/backend_manager.c'; then $(CYGPATH_W) 'config/backend_manager.c'; else $(CYGPATH_W) '$(srcdir)/config/backend_manager.c'; fi`
-
-child_cfg.o: config/child_cfg.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT child_cfg.o -MD -MP -MF $(DEPDIR)/child_cfg.Tpo -c -o child_cfg.o `test -f 'config/child_cfg.c' || echo '$(srcdir)/'`config/child_cfg.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/child_cfg.Tpo $(DEPDIR)/child_cfg.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='config/child_cfg.c' object='child_cfg.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o child_cfg.o `test -f 'config/child_cfg.c' || echo '$(srcdir)/'`config/child_cfg.c
-
-child_cfg.obj: config/child_cfg.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT child_cfg.obj -MD -MP -MF $(DEPDIR)/child_cfg.Tpo -c -o child_cfg.obj `if test -f 'config/child_cfg.c'; then $(CYGPATH_W) 'config/child_cfg.c'; else $(CYGPATH_W) '$(srcdir)/config/child_cfg.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/child_cfg.Tpo $(DEPDIR)/child_cfg.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='config/child_cfg.c' object='child_cfg.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o child_cfg.obj `if test -f 'config/child_cfg.c'; then $(CYGPATH_W) 'config/child_cfg.c'; else $(CYGPATH_W) '$(srcdir)/config/child_cfg.c'; fi`
-
-ike_cfg.o: config/ike_cfg.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_cfg.o -MD -MP -MF $(DEPDIR)/ike_cfg.Tpo -c -o ike_cfg.o `test -f 'config/ike_cfg.c' || echo '$(srcdir)/'`config/ike_cfg.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_cfg.Tpo $(DEPDIR)/ike_cfg.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='config/ike_cfg.c' object='ike_cfg.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_cfg.o `test -f 'config/ike_cfg.c' || echo '$(srcdir)/'`config/ike_cfg.c
-
-ike_cfg.obj: config/ike_cfg.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_cfg.obj -MD -MP -MF $(DEPDIR)/ike_cfg.Tpo -c -o ike_cfg.obj `if test -f 'config/ike_cfg.c'; then $(CYGPATH_W) 'config/ike_cfg.c'; else $(CYGPATH_W) '$(srcdir)/config/ike_cfg.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_cfg.Tpo $(DEPDIR)/ike_cfg.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='config/ike_cfg.c' object='ike_cfg.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_cfg.obj `if test -f 'config/ike_cfg.c'; then $(CYGPATH_W) 'config/ike_cfg.c'; else $(CYGPATH_W) '$(srcdir)/config/ike_cfg.c'; fi`
-
-peer_cfg.o: config/peer_cfg.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT peer_cfg.o -MD -MP -MF $(DEPDIR)/peer_cfg.Tpo -c -o peer_cfg.o `test -f 'config/peer_cfg.c' || echo '$(srcdir)/'`config/peer_cfg.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/peer_cfg.Tpo $(DEPDIR)/peer_cfg.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='config/peer_cfg.c' object='peer_cfg.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o peer_cfg.o `test -f 'config/peer_cfg.c' || echo '$(srcdir)/'`config/peer_cfg.c
-
-peer_cfg.obj: config/peer_cfg.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT peer_cfg.obj -MD -MP -MF $(DEPDIR)/peer_cfg.Tpo -c -o peer_cfg.obj `if test -f 'config/peer_cfg.c'; then $(CYGPATH_W) 'config/peer_cfg.c'; else $(CYGPATH_W) '$(srcdir)/config/peer_cfg.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/peer_cfg.Tpo $(DEPDIR)/peer_cfg.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='config/peer_cfg.c' object='peer_cfg.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o peer_cfg.obj `if test -f 'config/peer_cfg.c'; then $(CYGPATH_W) 'config/peer_cfg.c'; else $(CYGPATH_W) '$(srcdir)/config/peer_cfg.c'; fi`
-
-proposal.o: config/proposal.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT proposal.o -MD -MP -MF $(DEPDIR)/proposal.Tpo -c -o proposal.o `test -f 'config/proposal.c' || echo '$(srcdir)/'`config/proposal.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/proposal.Tpo $(DEPDIR)/proposal.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='config/proposal.c' object='proposal.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o proposal.o `test -f 'config/proposal.c' || echo '$(srcdir)/'`config/proposal.c
-
-proposal.obj: config/proposal.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT proposal.obj -MD -MP -MF $(DEPDIR)/proposal.Tpo -c -o proposal.obj `if test -f 'config/proposal.c'; then $(CYGPATH_W) 'config/proposal.c'; else $(CYGPATH_W) '$(srcdir)/config/proposal.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/proposal.Tpo $(DEPDIR)/proposal.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='config/proposal.c' object='proposal.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o proposal.obj `if test -f 'config/proposal.c'; then $(CYGPATH_W) 'config/proposal.c'; else $(CYGPATH_W) '$(srcdir)/config/proposal.c'; fi`
-
-auth_cfg.o: config/auth_cfg.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT auth_cfg.o -MD -MP -MF $(DEPDIR)/auth_cfg.Tpo -c -o auth_cfg.o `test -f 'config/auth_cfg.c' || echo '$(srcdir)/'`config/auth_cfg.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/auth_cfg.Tpo $(DEPDIR)/auth_cfg.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='config/auth_cfg.c' object='auth_cfg.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o auth_cfg.o `test -f 'config/auth_cfg.c' || echo '$(srcdir)/'`config/auth_cfg.c
-
-auth_cfg.obj: config/auth_cfg.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT auth_cfg.obj -MD -MP -MF $(DEPDIR)/auth_cfg.Tpo -c -o auth_cfg.obj `if test -f 'config/auth_cfg.c'; then $(CYGPATH_W) 'config/auth_cfg.c'; else $(CYGPATH_W) '$(srcdir)/config/auth_cfg.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/auth_cfg.Tpo $(DEPDIR)/auth_cfg.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='config/auth_cfg.c' object='auth_cfg.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o auth_cfg.obj `if test -f 'config/auth_cfg.c'; then $(CYGPATH_W) 'config/auth_cfg.c'; else $(CYGPATH_W) '$(srcdir)/config/auth_cfg.c'; fi`
-
-controller.o: control/controller.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT controller.o -MD -MP -MF $(DEPDIR)/controller.Tpo -c -o controller.o `test -f 'control/controller.c' || echo '$(srcdir)/'`control/controller.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/controller.Tpo $(DEPDIR)/controller.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='control/controller.c' object='controller.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o controller.o `test -f 'control/controller.c' || echo '$(srcdir)/'`control/controller.c
-
-controller.obj: control/controller.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT controller.obj -MD -MP -MF $(DEPDIR)/controller.Tpo -c -o controller.obj `if test -f 'control/controller.c'; then $(CYGPATH_W) 'control/controller.c'; else $(CYGPATH_W) '$(srcdir)/control/controller.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/controller.Tpo $(DEPDIR)/controller.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='control/controller.c' object='controller.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o controller.obj `if test -f 'control/controller.c'; then $(CYGPATH_W) 'control/controller.c'; else $(CYGPATH_W) '$(srcdir)/control/controller.c'; fi`
-
-generator.o: encoding/generator.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT generator.o -MD -MP -MF $(DEPDIR)/generator.Tpo -c -o generator.o `test -f 'encoding/generator.c' || echo '$(srcdir)/'`encoding/generator.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/generator.Tpo $(DEPDIR)/generator.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/generator.c' object='generator.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o generator.o `test -f 'encoding/generator.c' || echo '$(srcdir)/'`encoding/generator.c
-
-generator.obj: encoding/generator.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT generator.obj -MD -MP -MF $(DEPDIR)/generator.Tpo -c -o generator.obj `if test -f 'encoding/generator.c'; then $(CYGPATH_W) 'encoding/generator.c'; else $(CYGPATH_W) '$(srcdir)/encoding/generator.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/generator.Tpo $(DEPDIR)/generator.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/generator.c' object='generator.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o generator.obj `if test -f 'encoding/generator.c'; then $(CYGPATH_W) 'encoding/generator.c'; else $(CYGPATH_W) '$(srcdir)/encoding/generator.c'; fi`
-
-message.o: encoding/message.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT message.o -MD -MP -MF $(DEPDIR)/message.Tpo -c -o message.o `test -f 'encoding/message.c' || echo '$(srcdir)/'`encoding/message.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/message.Tpo $(DEPDIR)/message.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/message.c' object='message.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o message.o `test -f 'encoding/message.c' || echo '$(srcdir)/'`encoding/message.c
-
-message.obj: encoding/message.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT message.obj -MD -MP -MF $(DEPDIR)/message.Tpo -c -o message.obj `if test -f 'encoding/message.c'; then $(CYGPATH_W) 'encoding/message.c'; else $(CYGPATH_W) '$(srcdir)/encoding/message.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/message.Tpo $(DEPDIR)/message.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/message.c' object='message.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o message.obj `if test -f 'encoding/message.c'; then $(CYGPATH_W) 'encoding/message.c'; else $(CYGPATH_W) '$(srcdir)/encoding/message.c'; fi`
-
-parser.o: encoding/parser.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT parser.o -MD -MP -MF $(DEPDIR)/parser.Tpo -c -o parser.o `test -f 'encoding/parser.c' || echo '$(srcdir)/'`encoding/parser.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/parser.Tpo $(DEPDIR)/parser.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/parser.c' object='parser.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o parser.o `test -f 'encoding/parser.c' || echo '$(srcdir)/'`encoding/parser.c
-
-parser.obj: encoding/parser.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT parser.obj -MD -MP -MF $(DEPDIR)/parser.Tpo -c -o parser.obj `if test -f 'encoding/parser.c'; then $(CYGPATH_W) 'encoding/parser.c'; else $(CYGPATH_W) '$(srcdir)/encoding/parser.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/parser.Tpo $(DEPDIR)/parser.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/parser.c' object='parser.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o parser.obj `if test -f 'encoding/parser.c'; then $(CYGPATH_W) 'encoding/parser.c'; else $(CYGPATH_W) '$(srcdir)/encoding/parser.c'; fi`
-
-auth_payload.o: encoding/payloads/auth_payload.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT auth_payload.o -MD -MP -MF $(DEPDIR)/auth_payload.Tpo -c -o auth_payload.o `test -f 'encoding/payloads/auth_payload.c' || echo '$(srcdir)/'`encoding/payloads/auth_payload.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/auth_payload.Tpo $(DEPDIR)/auth_payload.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/auth_payload.c' object='auth_payload.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o auth_payload.o `test -f 'encoding/payloads/auth_payload.c' || echo '$(srcdir)/'`encoding/payloads/auth_payload.c
-
-auth_payload.obj: encoding/payloads/auth_payload.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT auth_payload.obj -MD -MP -MF $(DEPDIR)/auth_payload.Tpo -c -o auth_payload.obj `if test -f 'encoding/payloads/auth_payload.c'; then $(CYGPATH_W) 'encoding/payloads/auth_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/auth_payload.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/auth_payload.Tpo $(DEPDIR)/auth_payload.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/auth_payload.c' object='auth_payload.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o auth_payload.obj `if test -f 'encoding/payloads/auth_payload.c'; then $(CYGPATH_W) 'encoding/payloads/auth_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/auth_payload.c'; fi`
-
-cert_payload.o: encoding/payloads/cert_payload.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cert_payload.o -MD -MP -MF $(DEPDIR)/cert_payload.Tpo -c -o cert_payload.o `test -f 'encoding/payloads/cert_payload.c' || echo '$(srcdir)/'`encoding/payloads/cert_payload.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/cert_payload.Tpo $(DEPDIR)/cert_payload.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/cert_payload.c' object='cert_payload.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cert_payload.o `test -f 'encoding/payloads/cert_payload.c' || echo '$(srcdir)/'`encoding/payloads/cert_payload.c
-
-cert_payload.obj: encoding/payloads/cert_payload.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cert_payload.obj -MD -MP -MF $(DEPDIR)/cert_payload.Tpo -c -o cert_payload.obj `if test -f 'encoding/payloads/cert_payload.c'; then $(CYGPATH_W) 'encoding/payloads/cert_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/cert_payload.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/cert_payload.Tpo $(DEPDIR)/cert_payload.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/cert_payload.c' object='cert_payload.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cert_payload.obj `if test -f 'encoding/payloads/cert_payload.c'; then $(CYGPATH_W) 'encoding/payloads/cert_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/cert_payload.c'; fi`
-
-certreq_payload.o: encoding/payloads/certreq_payload.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT certreq_payload.o -MD -MP -MF $(DEPDIR)/certreq_payload.Tpo -c -o certreq_payload.o `test -f 'encoding/payloads/certreq_payload.c' || echo '$(srcdir)/'`encoding/payloads/certreq_payload.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/certreq_payload.Tpo $(DEPDIR)/certreq_payload.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/certreq_payload.c' object='certreq_payload.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o certreq_payload.o `test -f 'encoding/payloads/certreq_payload.c' || echo '$(srcdir)/'`encoding/payloads/certreq_payload.c
-
-certreq_payload.obj: encoding/payloads/certreq_payload.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT certreq_payload.obj -MD -MP -MF $(DEPDIR)/certreq_payload.Tpo -c -o certreq_payload.obj `if test -f 'encoding/payloads/certreq_payload.c'; then $(CYGPATH_W) 'encoding/payloads/certreq_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/certreq_payload.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/certreq_payload.Tpo $(DEPDIR)/certreq_payload.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/certreq_payload.c' object='certreq_payload.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o certreq_payload.obj `if test -f 'encoding/payloads/certreq_payload.c'; then $(CYGPATH_W) 'encoding/payloads/certreq_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/certreq_payload.c'; fi`
-
-configuration_attribute.o: encoding/payloads/configuration_attribute.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT configuration_attribute.o -MD -MP -MF $(DEPDIR)/configuration_attribute.Tpo -c -o configuration_attribute.o `test -f 'encoding/payloads/configuration_attribute.c' || echo '$(srcdir)/'`encoding/payloads/configuration_attribute.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/configuration_attribute.Tpo $(DEPDIR)/configuration_attribute.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/configuration_attribute.c' object='configuration_attribute.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o configuration_attribute.o `test -f 'encoding/payloads/configuration_attribute.c' || echo '$(srcdir)/'`encoding/payloads/configuration_attribute.c
-
-configuration_attribute.obj: encoding/payloads/configuration_attribute.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT configuration_attribute.obj -MD -MP -MF $(DEPDIR)/configuration_attribute.Tpo -c -o configuration_attribute.obj `if test -f 'encoding/payloads/configuration_attribute.c'; then $(CYGPATH_W) 'encoding/payloads/configuration_attribute.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/configuration_attribute.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/configuration_attribute.Tpo $(DEPDIR)/configuration_attribute.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/configuration_attribute.c' object='configuration_attribute.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o configuration_attribute.obj `if test -f 'encoding/payloads/configuration_attribute.c'; then $(CYGPATH_W) 'encoding/payloads/configuration_attribute.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/configuration_attribute.c'; fi`
-
-cp_payload.o: encoding/payloads/cp_payload.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cp_payload.o -MD -MP -MF $(DEPDIR)/cp_payload.Tpo -c -o cp_payload.o `test -f 'encoding/payloads/cp_payload.c' || echo '$(srcdir)/'`encoding/payloads/cp_payload.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/cp_payload.Tpo $(DEPDIR)/cp_payload.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/cp_payload.c' object='cp_payload.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cp_payload.o `test -f 'encoding/payloads/cp_payload.c' || echo '$(srcdir)/'`encoding/payloads/cp_payload.c
-
-cp_payload.obj: encoding/payloads/cp_payload.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cp_payload.obj -MD -MP -MF $(DEPDIR)/cp_payload.Tpo -c -o cp_payload.obj `if test -f 'encoding/payloads/cp_payload.c'; then $(CYGPATH_W) 'encoding/payloads/cp_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/cp_payload.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/cp_payload.Tpo $(DEPDIR)/cp_payload.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/cp_payload.c' object='cp_payload.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cp_payload.obj `if test -f 'encoding/payloads/cp_payload.c'; then $(CYGPATH_W) 'encoding/payloads/cp_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/cp_payload.c'; fi`
-
-delete_payload.o: encoding/payloads/delete_payload.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT delete_payload.o -MD -MP -MF $(DEPDIR)/delete_payload.Tpo -c -o delete_payload.o `test -f 'encoding/payloads/delete_payload.c' || echo '$(srcdir)/'`encoding/payloads/delete_payload.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/delete_payload.Tpo $(DEPDIR)/delete_payload.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/delete_payload.c' object='delete_payload.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o delete_payload.o `test -f 'encoding/payloads/delete_payload.c' || echo '$(srcdir)/'`encoding/payloads/delete_payload.c
-
-delete_payload.obj: encoding/payloads/delete_payload.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT delete_payload.obj -MD -MP -MF $(DEPDIR)/delete_payload.Tpo -c -o delete_payload.obj `if test -f 'encoding/payloads/delete_payload.c'; then $(CYGPATH_W) 'encoding/payloads/delete_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/delete_payload.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/delete_payload.Tpo $(DEPDIR)/delete_payload.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/delete_payload.c' object='delete_payload.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o delete_payload.obj `if test -f 'encoding/payloads/delete_payload.c'; then $(CYGPATH_W) 'encoding/payloads/delete_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/delete_payload.c'; fi`
-
-eap_payload.o: encoding/payloads/eap_payload.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT eap_payload.o -MD -MP -MF $(DEPDIR)/eap_payload.Tpo -c -o eap_payload.o `test -f 'encoding/payloads/eap_payload.c' || echo '$(srcdir)/'`encoding/payloads/eap_payload.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/eap_payload.Tpo $(DEPDIR)/eap_payload.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/eap_payload.c' object='eap_payload.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o eap_payload.o `test -f 'encoding/payloads/eap_payload.c' || echo '$(srcdir)/'`encoding/payloads/eap_payload.c
-
-eap_payload.obj: encoding/payloads/eap_payload.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT eap_payload.obj -MD -MP -MF $(DEPDIR)/eap_payload.Tpo -c -o eap_payload.obj `if test -f 'encoding/payloads/eap_payload.c'; then $(CYGPATH_W) 'encoding/payloads/eap_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/eap_payload.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/eap_payload.Tpo $(DEPDIR)/eap_payload.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/eap_payload.c' object='eap_payload.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o eap_payload.obj `if test -f 'encoding/payloads/eap_payload.c'; then $(CYGPATH_W) 'encoding/payloads/eap_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/eap_payload.c'; fi`
-
-encodings.o: encoding/payloads/encodings.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT encodings.o -MD -MP -MF $(DEPDIR)/encodings.Tpo -c -o encodings.o `test -f 'encoding/payloads/encodings.c' || echo '$(srcdir)/'`encoding/payloads/encodings.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/encodings.Tpo $(DEPDIR)/encodings.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/encodings.c' object='encodings.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o encodings.o `test -f 'encoding/payloads/encodings.c' || echo '$(srcdir)/'`encoding/payloads/encodings.c
-
-encodings.obj: encoding/payloads/encodings.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT encodings.obj -MD -MP -MF $(DEPDIR)/encodings.Tpo -c -o encodings.obj `if test -f 'encoding/payloads/encodings.c'; then $(CYGPATH_W) 'encoding/payloads/encodings.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/encodings.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/encodings.Tpo $(DEPDIR)/encodings.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/encodings.c' object='encodings.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o encodings.obj `if test -f 'encoding/payloads/encodings.c'; then $(CYGPATH_W) 'encoding/payloads/encodings.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/encodings.c'; fi`
-
-encryption_payload.o: encoding/payloads/encryption_payload.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT encryption_payload.o -MD -MP -MF $(DEPDIR)/encryption_payload.Tpo -c -o encryption_payload.o `test -f 'encoding/payloads/encryption_payload.c' || echo '$(srcdir)/'`encoding/payloads/encryption_payload.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/encryption_payload.Tpo $(DEPDIR)/encryption_payload.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/encryption_payload.c' object='encryption_payload.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o encryption_payload.o `test -f 'encoding/payloads/encryption_payload.c' || echo '$(srcdir)/'`encoding/payloads/encryption_payload.c
-
-encryption_payload.obj: encoding/payloads/encryption_payload.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT encryption_payload.obj -MD -MP -MF $(DEPDIR)/encryption_payload.Tpo -c -o encryption_payload.obj `if test -f 'encoding/payloads/encryption_payload.c'; then $(CYGPATH_W) 'encoding/payloads/encryption_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/encryption_payload.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/encryption_payload.Tpo $(DEPDIR)/encryption_payload.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/encryption_payload.c' object='encryption_payload.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o encryption_payload.obj `if test -f 'encoding/payloads/encryption_payload.c'; then $(CYGPATH_W) 'encoding/payloads/encryption_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/encryption_payload.c'; fi`
-
-id_payload.o: encoding/payloads/id_payload.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT id_payload.o -MD -MP -MF $(DEPDIR)/id_payload.Tpo -c -o id_payload.o `test -f 'encoding/payloads/id_payload.c' || echo '$(srcdir)/'`encoding/payloads/id_payload.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/id_payload.Tpo $(DEPDIR)/id_payload.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/id_payload.c' object='id_payload.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o id_payload.o `test -f 'encoding/payloads/id_payload.c' || echo '$(srcdir)/'`encoding/payloads/id_payload.c
-
-id_payload.obj: encoding/payloads/id_payload.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT id_payload.obj -MD -MP -MF $(DEPDIR)/id_payload.Tpo -c -o id_payload.obj `if test -f 'encoding/payloads/id_payload.c'; then $(CYGPATH_W) 'encoding/payloads/id_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/id_payload.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/id_payload.Tpo $(DEPDIR)/id_payload.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/id_payload.c' object='id_payload.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o id_payload.obj `if test -f 'encoding/payloads/id_payload.c'; then $(CYGPATH_W) 'encoding/payloads/id_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/id_payload.c'; fi`
-
-ike_header.o: encoding/payloads/ike_header.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_header.o -MD -MP -MF $(DEPDIR)/ike_header.Tpo -c -o ike_header.o `test -f 'encoding/payloads/ike_header.c' || echo '$(srcdir)/'`encoding/payloads/ike_header.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_header.Tpo $(DEPDIR)/ike_header.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/ike_header.c' object='ike_header.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_header.o `test -f 'encoding/payloads/ike_header.c' || echo '$(srcdir)/'`encoding/payloads/ike_header.c
-
-ike_header.obj: encoding/payloads/ike_header.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_header.obj -MD -MP -MF $(DEPDIR)/ike_header.Tpo -c -o ike_header.obj `if test -f 'encoding/payloads/ike_header.c'; then $(CYGPATH_W) 'encoding/payloads/ike_header.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/ike_header.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_header.Tpo $(DEPDIR)/ike_header.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/ike_header.c' object='ike_header.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_header.obj `if test -f 'encoding/payloads/ike_header.c'; then $(CYGPATH_W) 'encoding/payloads/ike_header.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/ike_header.c'; fi`
-
-ke_payload.o: encoding/payloads/ke_payload.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ke_payload.o -MD -MP -MF $(DEPDIR)/ke_payload.Tpo -c -o ke_payload.o `test -f 'encoding/payloads/ke_payload.c' || echo '$(srcdir)/'`encoding/payloads/ke_payload.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ke_payload.Tpo $(DEPDIR)/ke_payload.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/ke_payload.c' object='ke_payload.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ke_payload.o `test -f 'encoding/payloads/ke_payload.c' || echo '$(srcdir)/'`encoding/payloads/ke_payload.c
-
-ke_payload.obj: encoding/payloads/ke_payload.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ke_payload.obj -MD -MP -MF $(DEPDIR)/ke_payload.Tpo -c -o ke_payload.obj `if test -f 'encoding/payloads/ke_payload.c'; then $(CYGPATH_W) 'encoding/payloads/ke_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/ke_payload.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ke_payload.Tpo $(DEPDIR)/ke_payload.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/ke_payload.c' object='ke_payload.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ke_payload.obj `if test -f 'encoding/payloads/ke_payload.c'; then $(CYGPATH_W) 'encoding/payloads/ke_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/ke_payload.c'; fi`
-
-nonce_payload.o: encoding/payloads/nonce_payload.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT nonce_payload.o -MD -MP -MF $(DEPDIR)/nonce_payload.Tpo -c -o nonce_payload.o `test -f 'encoding/payloads/nonce_payload.c' || echo '$(srcdir)/'`encoding/payloads/nonce_payload.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/nonce_payload.Tpo $(DEPDIR)/nonce_payload.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/nonce_payload.c' object='nonce_payload.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o nonce_payload.o `test -f 'encoding/payloads/nonce_payload.c' || echo '$(srcdir)/'`encoding/payloads/nonce_payload.c
-
-nonce_payload.obj: encoding/payloads/nonce_payload.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT nonce_payload.obj -MD -MP -MF $(DEPDIR)/nonce_payload.Tpo -c -o nonce_payload.obj `if test -f 'encoding/payloads/nonce_payload.c'; then $(CYGPATH_W) 'encoding/payloads/nonce_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/nonce_payload.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/nonce_payload.Tpo $(DEPDIR)/nonce_payload.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/nonce_payload.c' object='nonce_payload.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o nonce_payload.obj `if test -f 'encoding/payloads/nonce_payload.c'; then $(CYGPATH_W) 'encoding/payloads/nonce_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/nonce_payload.c'; fi`
-
-notify_payload.o: encoding/payloads/notify_payload.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT notify_payload.o -MD -MP -MF $(DEPDIR)/notify_payload.Tpo -c -o notify_payload.o `test -f 'encoding/payloads/notify_payload.c' || echo '$(srcdir)/'`encoding/payloads/notify_payload.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/notify_payload.Tpo $(DEPDIR)/notify_payload.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/notify_payload.c' object='notify_payload.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o notify_payload.o `test -f 'encoding/payloads/notify_payload.c' || echo '$(srcdir)/'`encoding/payloads/notify_payload.c
-
-notify_payload.obj: encoding/payloads/notify_payload.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT notify_payload.obj -MD -MP -MF $(DEPDIR)/notify_payload.Tpo -c -o notify_payload.obj `if test -f 'encoding/payloads/notify_payload.c'; then $(CYGPATH_W) 'encoding/payloads/notify_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/notify_payload.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/notify_payload.Tpo $(DEPDIR)/notify_payload.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/notify_payload.c' object='notify_payload.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o notify_payload.obj `if test -f 'encoding/payloads/notify_payload.c'; then $(CYGPATH_W) 'encoding/payloads/notify_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/notify_payload.c'; fi`
-
-payload.o: encoding/payloads/payload.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT payload.o -MD -MP -MF $(DEPDIR)/payload.Tpo -c -o payload.o `test -f 'encoding/payloads/payload.c' || echo '$(srcdir)/'`encoding/payloads/payload.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/payload.Tpo $(DEPDIR)/payload.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/payload.c' object='payload.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o payload.o `test -f 'encoding/payloads/payload.c' || echo '$(srcdir)/'`encoding/payloads/payload.c
-
-payload.obj: encoding/payloads/payload.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT payload.obj -MD -MP -MF $(DEPDIR)/payload.Tpo -c -o payload.obj `if test -f 'encoding/payloads/payload.c'; then $(CYGPATH_W) 'encoding/payloads/payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/payload.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/payload.Tpo $(DEPDIR)/payload.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/payload.c' object='payload.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o payload.obj `if test -f 'encoding/payloads/payload.c'; then $(CYGPATH_W) 'encoding/payloads/payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/payload.c'; fi`
-
-proposal_substructure.o: encoding/payloads/proposal_substructure.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT proposal_substructure.o -MD -MP -MF $(DEPDIR)/proposal_substructure.Tpo -c -o proposal_substructure.o `test -f 'encoding/payloads/proposal_substructure.c' || echo '$(srcdir)/'`encoding/payloads/proposal_substructure.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/proposal_substructure.Tpo $(DEPDIR)/proposal_substructure.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/proposal_substructure.c' object='proposal_substructure.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o proposal_substructure.o `test -f 'encoding/payloads/proposal_substructure.c' || echo '$(srcdir)/'`encoding/payloads/proposal_substructure.c
-
-proposal_substructure.obj: encoding/payloads/proposal_substructure.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT proposal_substructure.obj -MD -MP -MF $(DEPDIR)/proposal_substructure.Tpo -c -o proposal_substructure.obj `if test -f 'encoding/payloads/proposal_substructure.c'; then $(CYGPATH_W) 'encoding/payloads/proposal_substructure.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/proposal_substructure.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/proposal_substructure.Tpo $(DEPDIR)/proposal_substructure.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/proposal_substructure.c' object='proposal_substructure.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o proposal_substructure.obj `if test -f 'encoding/payloads/proposal_substructure.c'; then $(CYGPATH_W) 'encoding/payloads/proposal_substructure.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/proposal_substructure.c'; fi`
-
-sa_payload.o: encoding/payloads/sa_payload.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sa_payload.o -MD -MP -MF $(DEPDIR)/sa_payload.Tpo -c -o sa_payload.o `test -f 'encoding/payloads/sa_payload.c' || echo '$(srcdir)/'`encoding/payloads/sa_payload.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/sa_payload.Tpo $(DEPDIR)/sa_payload.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/sa_payload.c' object='sa_payload.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sa_payload.o `test -f 'encoding/payloads/sa_payload.c' || echo '$(srcdir)/'`encoding/payloads/sa_payload.c
-
-sa_payload.obj: encoding/payloads/sa_payload.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sa_payload.obj -MD -MP -MF $(DEPDIR)/sa_payload.Tpo -c -o sa_payload.obj `if test -f 'encoding/payloads/sa_payload.c'; then $(CYGPATH_W) 'encoding/payloads/sa_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/sa_payload.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/sa_payload.Tpo $(DEPDIR)/sa_payload.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/sa_payload.c' object='sa_payload.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sa_payload.obj `if test -f 'encoding/payloads/sa_payload.c'; then $(CYGPATH_W) 'encoding/payloads/sa_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/sa_payload.c'; fi`
-
-traffic_selector_substructure.o: encoding/payloads/traffic_selector_substructure.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT traffic_selector_substructure.o -MD -MP -MF $(DEPDIR)/traffic_selector_substructure.Tpo -c -o traffic_selector_substructure.o `test -f 'encoding/payloads/traffic_selector_substructure.c' || echo '$(srcdir)/'`encoding/payloads/traffic_selector_substructure.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/traffic_selector_substructure.Tpo $(DEPDIR)/traffic_selector_substructure.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/traffic_selector_substructure.c' object='traffic_selector_substructure.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o traffic_selector_substructure.o `test -f 'encoding/payloads/traffic_selector_substructure.c' || echo '$(srcdir)/'`encoding/payloads/traffic_selector_substructure.c
-
-traffic_selector_substructure.obj: encoding/payloads/traffic_selector_substructure.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT traffic_selector_substructure.obj -MD -MP -MF $(DEPDIR)/traffic_selector_substructure.Tpo -c -o traffic_selector_substructure.obj `if test -f 'encoding/payloads/traffic_selector_substructure.c'; then $(CYGPATH_W) 'encoding/payloads/traffic_selector_substructure.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/traffic_selector_substructure.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/traffic_selector_substructure.Tpo $(DEPDIR)/traffic_selector_substructure.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/traffic_selector_substructure.c' object='traffic_selector_substructure.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o traffic_selector_substructure.obj `if test -f 'encoding/payloads/traffic_selector_substructure.c'; then $(CYGPATH_W) 'encoding/payloads/traffic_selector_substructure.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/traffic_selector_substructure.c'; fi`
-
-transform_attribute.o: encoding/payloads/transform_attribute.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT transform_attribute.o -MD -MP -MF $(DEPDIR)/transform_attribute.Tpo -c -o transform_attribute.o `test -f 'encoding/payloads/transform_attribute.c' || echo '$(srcdir)/'`encoding/payloads/transform_attribute.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/transform_attribute.Tpo $(DEPDIR)/transform_attribute.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/transform_attribute.c' object='transform_attribute.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o transform_attribute.o `test -f 'encoding/payloads/transform_attribute.c' || echo '$(srcdir)/'`encoding/payloads/transform_attribute.c
-
-transform_attribute.obj: encoding/payloads/transform_attribute.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT transform_attribute.obj -MD -MP -MF $(DEPDIR)/transform_attribute.Tpo -c -o transform_attribute.obj `if test -f 'encoding/payloads/transform_attribute.c'; then $(CYGPATH_W) 'encoding/payloads/transform_attribute.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/transform_attribute.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/transform_attribute.Tpo $(DEPDIR)/transform_attribute.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/transform_attribute.c' object='transform_attribute.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o transform_attribute.obj `if test -f 'encoding/payloads/transform_attribute.c'; then $(CYGPATH_W) 'encoding/payloads/transform_attribute.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/transform_attribute.c'; fi`
-
-transform_substructure.o: encoding/payloads/transform_substructure.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT transform_substructure.o -MD -MP -MF $(DEPDIR)/transform_substructure.Tpo -c -o transform_substructure.o `test -f 'encoding/payloads/transform_substructure.c' || echo '$(srcdir)/'`encoding/payloads/transform_substructure.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/transform_substructure.Tpo $(DEPDIR)/transform_substructure.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/transform_substructure.c' object='transform_substructure.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o transform_substructure.o `test -f 'encoding/payloads/transform_substructure.c' || echo '$(srcdir)/'`encoding/payloads/transform_substructure.c
-
-transform_substructure.obj: encoding/payloads/transform_substructure.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT transform_substructure.obj -MD -MP -MF $(DEPDIR)/transform_substructure.Tpo -c -o transform_substructure.obj `if test -f 'encoding/payloads/transform_substructure.c'; then $(CYGPATH_W) 'encoding/payloads/transform_substructure.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/transform_substructure.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/transform_substructure.Tpo $(DEPDIR)/transform_substructure.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/transform_substructure.c' object='transform_substructure.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o transform_substructure.obj `if test -f 'encoding/payloads/transform_substructure.c'; then $(CYGPATH_W) 'encoding/payloads/transform_substructure.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/transform_substructure.c'; fi`
-
-ts_payload.o: encoding/payloads/ts_payload.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ts_payload.o -MD -MP -MF $(DEPDIR)/ts_payload.Tpo -c -o ts_payload.o `test -f 'encoding/payloads/ts_payload.c' || echo '$(srcdir)/'`encoding/payloads/ts_payload.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ts_payload.Tpo $(DEPDIR)/ts_payload.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/ts_payload.c' object='ts_payload.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ts_payload.o `test -f 'encoding/payloads/ts_payload.c' || echo '$(srcdir)/'`encoding/payloads/ts_payload.c
-
-ts_payload.obj: encoding/payloads/ts_payload.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ts_payload.obj -MD -MP -MF $(DEPDIR)/ts_payload.Tpo -c -o ts_payload.obj `if test -f 'encoding/payloads/ts_payload.c'; then $(CYGPATH_W) 'encoding/payloads/ts_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/ts_payload.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ts_payload.Tpo $(DEPDIR)/ts_payload.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/ts_payload.c' object='ts_payload.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ts_payload.obj `if test -f 'encoding/payloads/ts_payload.c'; then $(CYGPATH_W) 'encoding/payloads/ts_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/ts_payload.c'; fi`
-
-unknown_payload.o: encoding/payloads/unknown_payload.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT unknown_payload.o -MD -MP -MF $(DEPDIR)/unknown_payload.Tpo -c -o unknown_payload.o `test -f 'encoding/payloads/unknown_payload.c' || echo '$(srcdir)/'`encoding/payloads/unknown_payload.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/unknown_payload.Tpo $(DEPDIR)/unknown_payload.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/unknown_payload.c' object='unknown_payload.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o unknown_payload.o `test -f 'encoding/payloads/unknown_payload.c' || echo '$(srcdir)/'`encoding/payloads/unknown_payload.c
-
-unknown_payload.obj: encoding/payloads/unknown_payload.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT unknown_payload.obj -MD -MP -MF $(DEPDIR)/unknown_payload.Tpo -c -o unknown_payload.obj `if test -f 'encoding/payloads/unknown_payload.c'; then $(CYGPATH_W) 'encoding/payloads/unknown_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/unknown_payload.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/unknown_payload.Tpo $(DEPDIR)/unknown_payload.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/unknown_payload.c' object='unknown_payload.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o unknown_payload.obj `if test -f 'encoding/payloads/unknown_payload.c'; then $(CYGPATH_W) 'encoding/payloads/unknown_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/unknown_payload.c'; fi`
-
-vendor_id_payload.o: encoding/payloads/vendor_id_payload.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT vendor_id_payload.o -MD -MP -MF $(DEPDIR)/vendor_id_payload.Tpo -c -o vendor_id_payload.o `test -f 'encoding/payloads/vendor_id_payload.c' || echo '$(srcdir)/'`encoding/payloads/vendor_id_payload.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/vendor_id_payload.Tpo $(DEPDIR)/vendor_id_payload.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/vendor_id_payload.c' object='vendor_id_payload.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o vendor_id_payload.o `test -f 'encoding/payloads/vendor_id_payload.c' || echo '$(srcdir)/'`encoding/payloads/vendor_id_payload.c
-
-vendor_id_payload.obj: encoding/payloads/vendor_id_payload.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT vendor_id_payload.obj -MD -MP -MF $(DEPDIR)/vendor_id_payload.Tpo -c -o vendor_id_payload.obj `if test -f 'encoding/payloads/vendor_id_payload.c'; then $(CYGPATH_W) 'encoding/payloads/vendor_id_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/vendor_id_payload.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/vendor_id_payload.Tpo $(DEPDIR)/vendor_id_payload.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/vendor_id_payload.c' object='vendor_id_payload.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o vendor_id_payload.obj `if test -f 'encoding/payloads/vendor_id_payload.c'; then $(CYGPATH_W) 'encoding/payloads/vendor_id_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/vendor_id_payload.c'; fi`
-
-kernel_interface.o: kernel/kernel_interface.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT kernel_interface.o -MD -MP -MF $(DEPDIR)/kernel_interface.Tpo -c -o kernel_interface.o `test -f 'kernel/kernel_interface.c' || echo '$(srcdir)/'`kernel/kernel_interface.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/kernel_interface.Tpo $(DEPDIR)/kernel_interface.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='kernel/kernel_interface.c' object='kernel_interface.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o kernel_interface.o `test -f 'kernel/kernel_interface.c' || echo '$(srcdir)/'`kernel/kernel_interface.c
-
-kernel_interface.obj: kernel/kernel_interface.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT kernel_interface.obj -MD -MP -MF $(DEPDIR)/kernel_interface.Tpo -c -o kernel_interface.obj `if test -f 'kernel/kernel_interface.c'; then $(CYGPATH_W) 'kernel/kernel_interface.c'; else $(CYGPATH_W) '$(srcdir)/kernel/kernel_interface.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/kernel_interface.Tpo $(DEPDIR)/kernel_interface.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='kernel/kernel_interface.c' object='kernel_interface.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o kernel_interface.obj `if test -f 'kernel/kernel_interface.c'; then $(CYGPATH_W) 'kernel/kernel_interface.c'; else $(CYGPATH_W) '$(srcdir)/kernel/kernel_interface.c'; fi`
-
-kernel_ipsec.o: kernel/kernel_ipsec.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT kernel_ipsec.o -MD -MP -MF $(DEPDIR)/kernel_ipsec.Tpo -c -o kernel_ipsec.o `test -f 'kernel/kernel_ipsec.c' || echo '$(srcdir)/'`kernel/kernel_ipsec.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/kernel_ipsec.Tpo $(DEPDIR)/kernel_ipsec.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='kernel/kernel_ipsec.c' object='kernel_ipsec.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o kernel_ipsec.o `test -f 'kernel/kernel_ipsec.c' || echo '$(srcdir)/'`kernel/kernel_ipsec.c
-
-kernel_ipsec.obj: kernel/kernel_ipsec.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT kernel_ipsec.obj -MD -MP -MF $(DEPDIR)/kernel_ipsec.Tpo -c -o kernel_ipsec.obj `if test -f 'kernel/kernel_ipsec.c'; then $(CYGPATH_W) 'kernel/kernel_ipsec.c'; else $(CYGPATH_W) '$(srcdir)/kernel/kernel_ipsec.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/kernel_ipsec.Tpo $(DEPDIR)/kernel_ipsec.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='kernel/kernel_ipsec.c' object='kernel_ipsec.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o kernel_ipsec.obj `if test -f 'kernel/kernel_ipsec.c'; then $(CYGPATH_W) 'kernel/kernel_ipsec.c'; else $(CYGPATH_W) '$(srcdir)/kernel/kernel_ipsec.c'; fi`
-
-packet.o: network/packet.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT packet.o -MD -MP -MF $(DEPDIR)/packet.Tpo -c -o packet.o `test -f 'network/packet.c' || echo '$(srcdir)/'`network/packet.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/packet.Tpo $(DEPDIR)/packet.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='network/packet.c' object='packet.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o packet.o `test -f 'network/packet.c' || echo '$(srcdir)/'`network/packet.c
-
-packet.obj: network/packet.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT packet.obj -MD -MP -MF $(DEPDIR)/packet.Tpo -c -o packet.obj `if test -f 'network/packet.c'; then $(CYGPATH_W) 'network/packet.c'; else $(CYGPATH_W) '$(srcdir)/network/packet.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/packet.Tpo $(DEPDIR)/packet.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='network/packet.c' object='packet.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o packet.obj `if test -f 'network/packet.c'; then $(CYGPATH_W) 'network/packet.c'; else $(CYGPATH_W) '$(srcdir)/network/packet.c'; fi`
-
-receiver.o: network/receiver.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT receiver.o -MD -MP -MF $(DEPDIR)/receiver.Tpo -c -o receiver.o `test -f 'network/receiver.c' || echo '$(srcdir)/'`network/receiver.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/receiver.Tpo $(DEPDIR)/receiver.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='network/receiver.c' object='receiver.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o receiver.o `test -f 'network/receiver.c' || echo '$(srcdir)/'`network/receiver.c
-
-receiver.obj: network/receiver.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT receiver.obj -MD -MP -MF $(DEPDIR)/receiver.Tpo -c -o receiver.obj `if test -f 'network/receiver.c'; then $(CYGPATH_W) 'network/receiver.c'; else $(CYGPATH_W) '$(srcdir)/network/receiver.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/receiver.Tpo $(DEPDIR)/receiver.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='network/receiver.c' object='receiver.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o receiver.obj `if test -f 'network/receiver.c'; then $(CYGPATH_W) 'network/receiver.c'; else $(CYGPATH_W) '$(srcdir)/network/receiver.c'; fi`
-
-sender.o: network/sender.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sender.o -MD -MP -MF $(DEPDIR)/sender.Tpo -c -o sender.o `test -f 'network/sender.c' || echo '$(srcdir)/'`network/sender.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/sender.Tpo $(DEPDIR)/sender.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='network/sender.c' object='sender.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sender.o `test -f 'network/sender.c' || echo '$(srcdir)/'`network/sender.c
-
-sender.obj: network/sender.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sender.obj -MD -MP -MF $(DEPDIR)/sender.Tpo -c -o sender.obj `if test -f 'network/sender.c'; then $(CYGPATH_W) 'network/sender.c'; else $(CYGPATH_W) '$(srcdir)/network/sender.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/sender.Tpo $(DEPDIR)/sender.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='network/sender.c' object='sender.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sender.obj `if test -f 'network/sender.c'; then $(CYGPATH_W) 'network/sender.c'; else $(CYGPATH_W) '$(srcdir)/network/sender.c'; fi`
-
-acquire_job.o: processing/jobs/acquire_job.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT acquire_job.o -MD -MP -MF $(DEPDIR)/acquire_job.Tpo -c -o acquire_job.o `test -f 'processing/jobs/acquire_job.c' || echo '$(srcdir)/'`processing/jobs/acquire_job.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/acquire_job.Tpo $(DEPDIR)/acquire_job.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/acquire_job.c' object='acquire_job.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o acquire_job.o `test -f 'processing/jobs/acquire_job.c' || echo '$(srcdir)/'`processing/jobs/acquire_job.c
-
-acquire_job.obj: processing/jobs/acquire_job.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT acquire_job.obj -MD -MP -MF $(DEPDIR)/acquire_job.Tpo -c -o acquire_job.obj `if test -f 'processing/jobs/acquire_job.c'; then $(CYGPATH_W) 'processing/jobs/acquire_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/acquire_job.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/acquire_job.Tpo $(DEPDIR)/acquire_job.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/acquire_job.c' object='acquire_job.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o acquire_job.obj `if test -f 'processing/jobs/acquire_job.c'; then $(CYGPATH_W) 'processing/jobs/acquire_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/acquire_job.c'; fi`
-
-callback_job.o: processing/jobs/callback_job.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT callback_job.o -MD -MP -MF $(DEPDIR)/callback_job.Tpo -c -o callback_job.o `test -f 'processing/jobs/callback_job.c' || echo '$(srcdir)/'`processing/jobs/callback_job.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/callback_job.Tpo $(DEPDIR)/callback_job.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/callback_job.c' object='callback_job.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o callback_job.o `test -f 'processing/jobs/callback_job.c' || echo '$(srcdir)/'`processing/jobs/callback_job.c
-
-callback_job.obj: processing/jobs/callback_job.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT callback_job.obj -MD -MP -MF $(DEPDIR)/callback_job.Tpo -c -o callback_job.obj `if test -f 'processing/jobs/callback_job.c'; then $(CYGPATH_W) 'processing/jobs/callback_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/callback_job.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/callback_job.Tpo $(DEPDIR)/callback_job.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/callback_job.c' object='callback_job.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o callback_job.obj `if test -f 'processing/jobs/callback_job.c'; then $(CYGPATH_W) 'processing/jobs/callback_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/callback_job.c'; fi`
-
-delete_child_sa_job.o: processing/jobs/delete_child_sa_job.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT delete_child_sa_job.o -MD -MP -MF $(DEPDIR)/delete_child_sa_job.Tpo -c -o delete_child_sa_job.o `test -f 'processing/jobs/delete_child_sa_job.c' || echo '$(srcdir)/'`processing/jobs/delete_child_sa_job.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/delete_child_sa_job.Tpo $(DEPDIR)/delete_child_sa_job.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/delete_child_sa_job.c' object='delete_child_sa_job.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o delete_child_sa_job.o `test -f 'processing/jobs/delete_child_sa_job.c' || echo '$(srcdir)/'`processing/jobs/delete_child_sa_job.c
-
-delete_child_sa_job.obj: processing/jobs/delete_child_sa_job.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT delete_child_sa_job.obj -MD -MP -MF $(DEPDIR)/delete_child_sa_job.Tpo -c -o delete_child_sa_job.obj `if test -f 'processing/jobs/delete_child_sa_job.c'; then $(CYGPATH_W) 'processing/jobs/delete_child_sa_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/delete_child_sa_job.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/delete_child_sa_job.Tpo $(DEPDIR)/delete_child_sa_job.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/delete_child_sa_job.c' object='delete_child_sa_job.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o delete_child_sa_job.obj `if test -f 'processing/jobs/delete_child_sa_job.c'; then $(CYGPATH_W) 'processing/jobs/delete_child_sa_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/delete_child_sa_job.c'; fi`
-
-delete_ike_sa_job.o: processing/jobs/delete_ike_sa_job.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT delete_ike_sa_job.o -MD -MP -MF $(DEPDIR)/delete_ike_sa_job.Tpo -c -o delete_ike_sa_job.o `test -f 'processing/jobs/delete_ike_sa_job.c' || echo '$(srcdir)/'`processing/jobs/delete_ike_sa_job.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/delete_ike_sa_job.Tpo $(DEPDIR)/delete_ike_sa_job.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/delete_ike_sa_job.c' object='delete_ike_sa_job.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o delete_ike_sa_job.o `test -f 'processing/jobs/delete_ike_sa_job.c' || echo '$(srcdir)/'`processing/jobs/delete_ike_sa_job.c
-
-delete_ike_sa_job.obj: processing/jobs/delete_ike_sa_job.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT delete_ike_sa_job.obj -MD -MP -MF $(DEPDIR)/delete_ike_sa_job.Tpo -c -o delete_ike_sa_job.obj `if test -f 'processing/jobs/delete_ike_sa_job.c'; then $(CYGPATH_W) 'processing/jobs/delete_ike_sa_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/delete_ike_sa_job.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/delete_ike_sa_job.Tpo $(DEPDIR)/delete_ike_sa_job.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/delete_ike_sa_job.c' object='delete_ike_sa_job.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o delete_ike_sa_job.obj `if test -f 'processing/jobs/delete_ike_sa_job.c'; then $(CYGPATH_W) 'processing/jobs/delete_ike_sa_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/delete_ike_sa_job.c'; fi`
-
-migrate_job.o: processing/jobs/migrate_job.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT migrate_job.o -MD -MP -MF $(DEPDIR)/migrate_job.Tpo -c -o migrate_job.o `test -f 'processing/jobs/migrate_job.c' || echo '$(srcdir)/'`processing/jobs/migrate_job.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/migrate_job.Tpo $(DEPDIR)/migrate_job.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/migrate_job.c' object='migrate_job.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o migrate_job.o `test -f 'processing/jobs/migrate_job.c' || echo '$(srcdir)/'`processing/jobs/migrate_job.c
-
-migrate_job.obj: processing/jobs/migrate_job.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT migrate_job.obj -MD -MP -MF $(DEPDIR)/migrate_job.Tpo -c -o migrate_job.obj `if test -f 'processing/jobs/migrate_job.c'; then $(CYGPATH_W) 'processing/jobs/migrate_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/migrate_job.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/migrate_job.Tpo $(DEPDIR)/migrate_job.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/migrate_job.c' object='migrate_job.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o migrate_job.obj `if test -f 'processing/jobs/migrate_job.c'; then $(CYGPATH_W) 'processing/jobs/migrate_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/migrate_job.c'; fi`
-
-process_message_job.o: processing/jobs/process_message_job.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT process_message_job.o -MD -MP -MF $(DEPDIR)/process_message_job.Tpo -c -o process_message_job.o `test -f 'processing/jobs/process_message_job.c' || echo '$(srcdir)/'`processing/jobs/process_message_job.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/process_message_job.Tpo $(DEPDIR)/process_message_job.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/process_message_job.c' object='process_message_job.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o process_message_job.o `test -f 'processing/jobs/process_message_job.c' || echo '$(srcdir)/'`processing/jobs/process_message_job.c
-
-process_message_job.obj: processing/jobs/process_message_job.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT process_message_job.obj -MD -MP -MF $(DEPDIR)/process_message_job.Tpo -c -o process_message_job.obj `if test -f 'processing/jobs/process_message_job.c'; then $(CYGPATH_W) 'processing/jobs/process_message_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/process_message_job.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/process_message_job.Tpo $(DEPDIR)/process_message_job.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/process_message_job.c' object='process_message_job.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o process_message_job.obj `if test -f 'processing/jobs/process_message_job.c'; then $(CYGPATH_W) 'processing/jobs/process_message_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/process_message_job.c'; fi`
-
-rekey_child_sa_job.o: processing/jobs/rekey_child_sa_job.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rekey_child_sa_job.o -MD -MP -MF $(DEPDIR)/rekey_child_sa_job.Tpo -c -o rekey_child_sa_job.o `test -f 'processing/jobs/rekey_child_sa_job.c' || echo '$(srcdir)/'`processing/jobs/rekey_child_sa_job.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/rekey_child_sa_job.Tpo $(DEPDIR)/rekey_child_sa_job.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/rekey_child_sa_job.c' object='rekey_child_sa_job.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rekey_child_sa_job.o `test -f 'processing/jobs/rekey_child_sa_job.c' || echo '$(srcdir)/'`processing/jobs/rekey_child_sa_job.c
-
-rekey_child_sa_job.obj: processing/jobs/rekey_child_sa_job.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rekey_child_sa_job.obj -MD -MP -MF $(DEPDIR)/rekey_child_sa_job.Tpo -c -o rekey_child_sa_job.obj `if test -f 'processing/jobs/rekey_child_sa_job.c'; then $(CYGPATH_W) 'processing/jobs/rekey_child_sa_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/rekey_child_sa_job.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/rekey_child_sa_job.Tpo $(DEPDIR)/rekey_child_sa_job.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/rekey_child_sa_job.c' object='rekey_child_sa_job.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rekey_child_sa_job.obj `if test -f 'processing/jobs/rekey_child_sa_job.c'; then $(CYGPATH_W) 'processing/jobs/rekey_child_sa_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/rekey_child_sa_job.c'; fi`
-
-rekey_ike_sa_job.o: processing/jobs/rekey_ike_sa_job.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rekey_ike_sa_job.o -MD -MP -MF $(DEPDIR)/rekey_ike_sa_job.Tpo -c -o rekey_ike_sa_job.o `test -f 'processing/jobs/rekey_ike_sa_job.c' || echo '$(srcdir)/'`processing/jobs/rekey_ike_sa_job.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/rekey_ike_sa_job.Tpo $(DEPDIR)/rekey_ike_sa_job.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/rekey_ike_sa_job.c' object='rekey_ike_sa_job.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rekey_ike_sa_job.o `test -f 'processing/jobs/rekey_ike_sa_job.c' || echo '$(srcdir)/'`processing/jobs/rekey_ike_sa_job.c
-
-rekey_ike_sa_job.obj: processing/jobs/rekey_ike_sa_job.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rekey_ike_sa_job.obj -MD -MP -MF $(DEPDIR)/rekey_ike_sa_job.Tpo -c -o rekey_ike_sa_job.obj `if test -f 'processing/jobs/rekey_ike_sa_job.c'; then $(CYGPATH_W) 'processing/jobs/rekey_ike_sa_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/rekey_ike_sa_job.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/rekey_ike_sa_job.Tpo $(DEPDIR)/rekey_ike_sa_job.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/rekey_ike_sa_job.c' object='rekey_ike_sa_job.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rekey_ike_sa_job.obj `if test -f 'processing/jobs/rekey_ike_sa_job.c'; then $(CYGPATH_W) 'processing/jobs/rekey_ike_sa_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/rekey_ike_sa_job.c'; fi`
-
-retransmit_job.o: processing/jobs/retransmit_job.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT retransmit_job.o -MD -MP -MF $(DEPDIR)/retransmit_job.Tpo -c -o retransmit_job.o `test -f 'processing/jobs/retransmit_job.c' || echo '$(srcdir)/'`processing/jobs/retransmit_job.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/retransmit_job.Tpo $(DEPDIR)/retransmit_job.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/retransmit_job.c' object='retransmit_job.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o retransmit_job.o `test -f 'processing/jobs/retransmit_job.c' || echo '$(srcdir)/'`processing/jobs/retransmit_job.c
-
-retransmit_job.obj: processing/jobs/retransmit_job.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT retransmit_job.obj -MD -MP -MF $(DEPDIR)/retransmit_job.Tpo -c -o retransmit_job.obj `if test -f 'processing/jobs/retransmit_job.c'; then $(CYGPATH_W) 'processing/jobs/retransmit_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/retransmit_job.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/retransmit_job.Tpo $(DEPDIR)/retransmit_job.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/retransmit_job.c' object='retransmit_job.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o retransmit_job.obj `if test -f 'processing/jobs/retransmit_job.c'; then $(CYGPATH_W) 'processing/jobs/retransmit_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/retransmit_job.c'; fi`
-
-send_dpd_job.o: processing/jobs/send_dpd_job.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT send_dpd_job.o -MD -MP -MF $(DEPDIR)/send_dpd_job.Tpo -c -o send_dpd_job.o `test -f 'processing/jobs/send_dpd_job.c' || echo '$(srcdir)/'`processing/jobs/send_dpd_job.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/send_dpd_job.Tpo $(DEPDIR)/send_dpd_job.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/send_dpd_job.c' object='send_dpd_job.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o send_dpd_job.o `test -f 'processing/jobs/send_dpd_job.c' || echo '$(srcdir)/'`processing/jobs/send_dpd_job.c
-
-send_dpd_job.obj: processing/jobs/send_dpd_job.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT send_dpd_job.obj -MD -MP -MF $(DEPDIR)/send_dpd_job.Tpo -c -o send_dpd_job.obj `if test -f 'processing/jobs/send_dpd_job.c'; then $(CYGPATH_W) 'processing/jobs/send_dpd_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/send_dpd_job.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/send_dpd_job.Tpo $(DEPDIR)/send_dpd_job.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/send_dpd_job.c' object='send_dpd_job.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o send_dpd_job.obj `if test -f 'processing/jobs/send_dpd_job.c'; then $(CYGPATH_W) 'processing/jobs/send_dpd_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/send_dpd_job.c'; fi`
-
-send_keepalive_job.o: processing/jobs/send_keepalive_job.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT send_keepalive_job.o -MD -MP -MF $(DEPDIR)/send_keepalive_job.Tpo -c -o send_keepalive_job.o `test -f 'processing/jobs/send_keepalive_job.c' || echo '$(srcdir)/'`processing/jobs/send_keepalive_job.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/send_keepalive_job.Tpo $(DEPDIR)/send_keepalive_job.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/send_keepalive_job.c' object='send_keepalive_job.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o send_keepalive_job.o `test -f 'processing/jobs/send_keepalive_job.c' || echo '$(srcdir)/'`processing/jobs/send_keepalive_job.c
-
-send_keepalive_job.obj: processing/jobs/send_keepalive_job.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT send_keepalive_job.obj -MD -MP -MF $(DEPDIR)/send_keepalive_job.Tpo -c -o send_keepalive_job.obj `if test -f 'processing/jobs/send_keepalive_job.c'; then $(CYGPATH_W) 'processing/jobs/send_keepalive_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/send_keepalive_job.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/send_keepalive_job.Tpo $(DEPDIR)/send_keepalive_job.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/send_keepalive_job.c' object='send_keepalive_job.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o send_keepalive_job.obj `if test -f 'processing/jobs/send_keepalive_job.c'; then $(CYGPATH_W) 'processing/jobs/send_keepalive_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/send_keepalive_job.c'; fi`
-
-roam_job.o: processing/jobs/roam_job.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT roam_job.o -MD -MP -MF $(DEPDIR)/roam_job.Tpo -c -o roam_job.o `test -f 'processing/jobs/roam_job.c' || echo '$(srcdir)/'`processing/jobs/roam_job.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/roam_job.Tpo $(DEPDIR)/roam_job.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/roam_job.c' object='roam_job.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o roam_job.o `test -f 'processing/jobs/roam_job.c' || echo '$(srcdir)/'`processing/jobs/roam_job.c
-
-roam_job.obj: processing/jobs/roam_job.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT roam_job.obj -MD -MP -MF $(DEPDIR)/roam_job.Tpo -c -o roam_job.obj `if test -f 'processing/jobs/roam_job.c'; then $(CYGPATH_W) 'processing/jobs/roam_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/roam_job.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/roam_job.Tpo $(DEPDIR)/roam_job.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/roam_job.c' object='roam_job.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o roam_job.obj `if test -f 'processing/jobs/roam_job.c'; then $(CYGPATH_W) 'processing/jobs/roam_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/roam_job.c'; fi`
-
-update_sa_job.o: processing/jobs/update_sa_job.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT update_sa_job.o -MD -MP -MF $(DEPDIR)/update_sa_job.Tpo -c -o update_sa_job.o `test -f 'processing/jobs/update_sa_job.c' || echo '$(srcdir)/'`processing/jobs/update_sa_job.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/update_sa_job.Tpo $(DEPDIR)/update_sa_job.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/update_sa_job.c' object='update_sa_job.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o update_sa_job.o `test -f 'processing/jobs/update_sa_job.c' || echo '$(srcdir)/'`processing/jobs/update_sa_job.c
-
-update_sa_job.obj: processing/jobs/update_sa_job.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT update_sa_job.obj -MD -MP -MF $(DEPDIR)/update_sa_job.Tpo -c -o update_sa_job.obj `if test -f 'processing/jobs/update_sa_job.c'; then $(CYGPATH_W) 'processing/jobs/update_sa_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/update_sa_job.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/update_sa_job.Tpo $(DEPDIR)/update_sa_job.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/update_sa_job.c' object='update_sa_job.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o update_sa_job.obj `if test -f 'processing/jobs/update_sa_job.c'; then $(CYGPATH_W) 'processing/jobs/update_sa_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/update_sa_job.c'; fi`
-
-inactivity_job.o: processing/jobs/inactivity_job.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT inactivity_job.o -MD -MP -MF $(DEPDIR)/inactivity_job.Tpo -c -o inactivity_job.o `test -f 'processing/jobs/inactivity_job.c' || echo '$(srcdir)/'`processing/jobs/inactivity_job.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/inactivity_job.Tpo $(DEPDIR)/inactivity_job.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/inactivity_job.c' object='inactivity_job.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o inactivity_job.o `test -f 'processing/jobs/inactivity_job.c' || echo '$(srcdir)/'`processing/jobs/inactivity_job.c
-
-inactivity_job.obj: processing/jobs/inactivity_job.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT inactivity_job.obj -MD -MP -MF $(DEPDIR)/inactivity_job.Tpo -c -o inactivity_job.obj `if test -f 'processing/jobs/inactivity_job.c'; then $(CYGPATH_W) 'processing/jobs/inactivity_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/inactivity_job.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/inactivity_job.Tpo $(DEPDIR)/inactivity_job.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/inactivity_job.c' object='inactivity_job.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o inactivity_job.obj `if test -f 'processing/jobs/inactivity_job.c'; then $(CYGPATH_W) 'processing/jobs/inactivity_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/inactivity_job.c'; fi`
-
-scheduler.o: processing/scheduler.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT scheduler.o -MD -MP -MF $(DEPDIR)/scheduler.Tpo -c -o scheduler.o `test -f 'processing/scheduler.c' || echo '$(srcdir)/'`processing/scheduler.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/scheduler.Tpo $(DEPDIR)/scheduler.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/scheduler.c' object='scheduler.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o scheduler.o `test -f 'processing/scheduler.c' || echo '$(srcdir)/'`processing/scheduler.c
-
-scheduler.obj: processing/scheduler.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT scheduler.obj -MD -MP -MF $(DEPDIR)/scheduler.Tpo -c -o scheduler.obj `if test -f 'processing/scheduler.c'; then $(CYGPATH_W) 'processing/scheduler.c'; else $(CYGPATH_W) '$(srcdir)/processing/scheduler.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/scheduler.Tpo $(DEPDIR)/scheduler.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/scheduler.c' object='scheduler.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o scheduler.obj `if test -f 'processing/scheduler.c'; then $(CYGPATH_W) 'processing/scheduler.c'; else $(CYGPATH_W) '$(srcdir)/processing/scheduler.c'; fi`
-
-processor.o: processing/processor.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT processor.o -MD -MP -MF $(DEPDIR)/processor.Tpo -c -o processor.o `test -f 'processing/processor.c' || echo '$(srcdir)/'`processing/processor.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/processor.Tpo $(DEPDIR)/processor.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/processor.c' object='processor.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o processor.o `test -f 'processing/processor.c' || echo '$(srcdir)/'`processing/processor.c
-
-processor.obj: processing/processor.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT processor.obj -MD -MP -MF $(DEPDIR)/processor.Tpo -c -o processor.obj `if test -f 'processing/processor.c'; then $(CYGPATH_W) 'processing/processor.c'; else $(CYGPATH_W) '$(srcdir)/processing/processor.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/processor.Tpo $(DEPDIR)/processor.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/processor.c' object='processor.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o processor.obj `if test -f 'processing/processor.c'; then $(CYGPATH_W) 'processing/processor.c'; else $(CYGPATH_W) '$(srcdir)/processing/processor.c'; fi`
-
-authenticator.o: sa/authenticators/authenticator.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT authenticator.o -MD -MP -MF $(DEPDIR)/authenticator.Tpo -c -o authenticator.o `test -f 'sa/authenticators/authenticator.c' || echo '$(srcdir)/'`sa/authenticators/authenticator.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/authenticator.Tpo $(DEPDIR)/authenticator.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/authenticators/authenticator.c' object='authenticator.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o authenticator.o `test -f 'sa/authenticators/authenticator.c' || echo '$(srcdir)/'`sa/authenticators/authenticator.c
-
-authenticator.obj: sa/authenticators/authenticator.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT authenticator.obj -MD -MP -MF $(DEPDIR)/authenticator.Tpo -c -o authenticator.obj `if test -f 'sa/authenticators/authenticator.c'; then $(CYGPATH_W) 'sa/authenticators/authenticator.c'; else $(CYGPATH_W) '$(srcdir)/sa/authenticators/authenticator.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/authenticator.Tpo $(DEPDIR)/authenticator.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/authenticators/authenticator.c' object='authenticator.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o authenticator.obj `if test -f 'sa/authenticators/authenticator.c'; then $(CYGPATH_W) 'sa/authenticators/authenticator.c'; else $(CYGPATH_W) '$(srcdir)/sa/authenticators/authenticator.c'; fi`
-
-eap_authenticator.o: sa/authenticators/eap_authenticator.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT eap_authenticator.o -MD -MP -MF $(DEPDIR)/eap_authenticator.Tpo -c -o eap_authenticator.o `test -f 'sa/authenticators/eap_authenticator.c' || echo '$(srcdir)/'`sa/authenticators/eap_authenticator.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/eap_authenticator.Tpo $(DEPDIR)/eap_authenticator.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/authenticators/eap_authenticator.c' object='eap_authenticator.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o eap_authenticator.o `test -f 'sa/authenticators/eap_authenticator.c' || echo '$(srcdir)/'`sa/authenticators/eap_authenticator.c
-
-eap_authenticator.obj: sa/authenticators/eap_authenticator.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT eap_authenticator.obj -MD -MP -MF $(DEPDIR)/eap_authenticator.Tpo -c -o eap_authenticator.obj `if test -f 'sa/authenticators/eap_authenticator.c'; then $(CYGPATH_W) 'sa/authenticators/eap_authenticator.c'; else $(CYGPATH_W) '$(srcdir)/sa/authenticators/eap_authenticator.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/eap_authenticator.Tpo $(DEPDIR)/eap_authenticator.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/authenticators/eap_authenticator.c' object='eap_authenticator.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o eap_authenticator.obj `if test -f 'sa/authenticators/eap_authenticator.c'; then $(CYGPATH_W) 'sa/authenticators/eap_authenticator.c'; else $(CYGPATH_W) '$(srcdir)/sa/authenticators/eap_authenticator.c'; fi`
-
-eap_method.o: sa/authenticators/eap/eap_method.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT eap_method.o -MD -MP -MF $(DEPDIR)/eap_method.Tpo -c -o eap_method.o `test -f 'sa/authenticators/eap/eap_method.c' || echo '$(srcdir)/'`sa/authenticators/eap/eap_method.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/eap_method.Tpo $(DEPDIR)/eap_method.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/authenticators/eap/eap_method.c' object='eap_method.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o eap_method.o `test -f 'sa/authenticators/eap/eap_method.c' || echo '$(srcdir)/'`sa/authenticators/eap/eap_method.c
-
-eap_method.obj: sa/authenticators/eap/eap_method.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT eap_method.obj -MD -MP -MF $(DEPDIR)/eap_method.Tpo -c -o eap_method.obj `if test -f 'sa/authenticators/eap/eap_method.c'; then $(CYGPATH_W) 'sa/authenticators/eap/eap_method.c'; else $(CYGPATH_W) '$(srcdir)/sa/authenticators/eap/eap_method.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/eap_method.Tpo $(DEPDIR)/eap_method.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/authenticators/eap/eap_method.c' object='eap_method.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o eap_method.obj `if test -f 'sa/authenticators/eap/eap_method.c'; then $(CYGPATH_W) 'sa/authenticators/eap/eap_method.c'; else $(CYGPATH_W) '$(srcdir)/sa/authenticators/eap/eap_method.c'; fi`
-
-eap_manager.o: sa/authenticators/eap/eap_manager.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT eap_manager.o -MD -MP -MF $(DEPDIR)/eap_manager.Tpo -c -o eap_manager.o `test -f 'sa/authenticators/eap/eap_manager.c' || echo '$(srcdir)/'`sa/authenticators/eap/eap_manager.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/eap_manager.Tpo $(DEPDIR)/eap_manager.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/authenticators/eap/eap_manager.c' object='eap_manager.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o eap_manager.o `test -f 'sa/authenticators/eap/eap_manager.c' || echo '$(srcdir)/'`sa/authenticators/eap/eap_manager.c
-
-eap_manager.obj: sa/authenticators/eap/eap_manager.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT eap_manager.obj -MD -MP -MF $(DEPDIR)/eap_manager.Tpo -c -o eap_manager.obj `if test -f 'sa/authenticators/eap/eap_manager.c'; then $(CYGPATH_W) 'sa/authenticators/eap/eap_manager.c'; else $(CYGPATH_W) '$(srcdir)/sa/authenticators/eap/eap_manager.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/eap_manager.Tpo $(DEPDIR)/eap_manager.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/authenticators/eap/eap_manager.c' object='eap_manager.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o eap_manager.obj `if test -f 'sa/authenticators/eap/eap_manager.c'; then $(CYGPATH_W) 'sa/authenticators/eap/eap_manager.c'; else $(CYGPATH_W) '$(srcdir)/sa/authenticators/eap/eap_manager.c'; fi`
-
-sim_manager.o: sa/authenticators/eap/sim_manager.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sim_manager.o -MD -MP -MF $(DEPDIR)/sim_manager.Tpo -c -o sim_manager.o `test -f 'sa/authenticators/eap/sim_manager.c' || echo '$(srcdir)/'`sa/authenticators/eap/sim_manager.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/sim_manager.Tpo $(DEPDIR)/sim_manager.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/authenticators/eap/sim_manager.c' object='sim_manager.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sim_manager.o `test -f 'sa/authenticators/eap/sim_manager.c' || echo '$(srcdir)/'`sa/authenticators/eap/sim_manager.c
-
-sim_manager.obj: sa/authenticators/eap/sim_manager.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sim_manager.obj -MD -MP -MF $(DEPDIR)/sim_manager.Tpo -c -o sim_manager.obj `if test -f 'sa/authenticators/eap/sim_manager.c'; then $(CYGPATH_W) 'sa/authenticators/eap/sim_manager.c'; else $(CYGPATH_W) '$(srcdir)/sa/authenticators/eap/sim_manager.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/sim_manager.Tpo $(DEPDIR)/sim_manager.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/authenticators/eap/sim_manager.c' object='sim_manager.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sim_manager.obj `if test -f 'sa/authenticators/eap/sim_manager.c'; then $(CYGPATH_W) 'sa/authenticators/eap/sim_manager.c'; else $(CYGPATH_W) '$(srcdir)/sa/authenticators/eap/sim_manager.c'; fi`
-
-psk_authenticator.o: sa/authenticators/psk_authenticator.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT psk_authenticator.o -MD -MP -MF $(DEPDIR)/psk_authenticator.Tpo -c -o psk_authenticator.o `test -f 'sa/authenticators/psk_authenticator.c' || echo '$(srcdir)/'`sa/authenticators/psk_authenticator.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/psk_authenticator.Tpo $(DEPDIR)/psk_authenticator.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/authenticators/psk_authenticator.c' object='psk_authenticator.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o psk_authenticator.o `test -f 'sa/authenticators/psk_authenticator.c' || echo '$(srcdir)/'`sa/authenticators/psk_authenticator.c
-
-psk_authenticator.obj: sa/authenticators/psk_authenticator.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT psk_authenticator.obj -MD -MP -MF $(DEPDIR)/psk_authenticator.Tpo -c -o psk_authenticator.obj `if test -f 'sa/authenticators/psk_authenticator.c'; then $(CYGPATH_W) 'sa/authenticators/psk_authenticator.c'; else $(CYGPATH_W) '$(srcdir)/sa/authenticators/psk_authenticator.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/psk_authenticator.Tpo $(DEPDIR)/psk_authenticator.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/authenticators/psk_authenticator.c' object='psk_authenticator.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o psk_authenticator.obj `if test -f 'sa/authenticators/psk_authenticator.c'; then $(CYGPATH_W) 'sa/authenticators/psk_authenticator.c'; else $(CYGPATH_W) '$(srcdir)/sa/authenticators/psk_authenticator.c'; fi`
-
-pubkey_authenticator.o: sa/authenticators/pubkey_authenticator.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pubkey_authenticator.o -MD -MP -MF $(DEPDIR)/pubkey_authenticator.Tpo -c -o pubkey_authenticator.o `test -f 'sa/authenticators/pubkey_authenticator.c' || echo '$(srcdir)/'`sa/authenticators/pubkey_authenticator.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/pubkey_authenticator.Tpo $(DEPDIR)/pubkey_authenticator.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/authenticators/pubkey_authenticator.c' object='pubkey_authenticator.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pubkey_authenticator.o `test -f 'sa/authenticators/pubkey_authenticator.c' || echo '$(srcdir)/'`sa/authenticators/pubkey_authenticator.c
-
-pubkey_authenticator.obj: sa/authenticators/pubkey_authenticator.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pubkey_authenticator.obj -MD -MP -MF $(DEPDIR)/pubkey_authenticator.Tpo -c -o pubkey_authenticator.obj `if test -f 'sa/authenticators/pubkey_authenticator.c'; then $(CYGPATH_W) 'sa/authenticators/pubkey_authenticator.c'; else $(CYGPATH_W) '$(srcdir)/sa/authenticators/pubkey_authenticator.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/pubkey_authenticator.Tpo $(DEPDIR)/pubkey_authenticator.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/authenticators/pubkey_authenticator.c' object='pubkey_authenticator.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pubkey_authenticator.obj `if test -f 'sa/authenticators/pubkey_authenticator.c'; then $(CYGPATH_W) 'sa/authenticators/pubkey_authenticator.c'; else $(CYGPATH_W) '$(srcdir)/sa/authenticators/pubkey_authenticator.c'; fi`
-
-child_sa.o: sa/child_sa.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT child_sa.o -MD -MP -MF $(DEPDIR)/child_sa.Tpo -c -o child_sa.o `test -f 'sa/child_sa.c' || echo '$(srcdir)/'`sa/child_sa.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/child_sa.Tpo $(DEPDIR)/child_sa.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/child_sa.c' object='child_sa.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o child_sa.o `test -f 'sa/child_sa.c' || echo '$(srcdir)/'`sa/child_sa.c
-
-child_sa.obj: sa/child_sa.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT child_sa.obj -MD -MP -MF $(DEPDIR)/child_sa.Tpo -c -o child_sa.obj `if test -f 'sa/child_sa.c'; then $(CYGPATH_W) 'sa/child_sa.c'; else $(CYGPATH_W) '$(srcdir)/sa/child_sa.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/child_sa.Tpo $(DEPDIR)/child_sa.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/child_sa.c' object='child_sa.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o child_sa.obj `if test -f 'sa/child_sa.c'; then $(CYGPATH_W) 'sa/child_sa.c'; else $(CYGPATH_W) '$(srcdir)/sa/child_sa.c'; fi`
-
-ike_sa.o: sa/ike_sa.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_sa.o -MD -MP -MF $(DEPDIR)/ike_sa.Tpo -c -o ike_sa.o `test -f 'sa/ike_sa.c' || echo '$(srcdir)/'`sa/ike_sa.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_sa.Tpo $(DEPDIR)/ike_sa.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/ike_sa.c' object='ike_sa.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_sa.o `test -f 'sa/ike_sa.c' || echo '$(srcdir)/'`sa/ike_sa.c
-
-ike_sa.obj: sa/ike_sa.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_sa.obj -MD -MP -MF $(DEPDIR)/ike_sa.Tpo -c -o ike_sa.obj `if test -f 'sa/ike_sa.c'; then $(CYGPATH_W) 'sa/ike_sa.c'; else $(CYGPATH_W) '$(srcdir)/sa/ike_sa.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_sa.Tpo $(DEPDIR)/ike_sa.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/ike_sa.c' object='ike_sa.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_sa.obj `if test -f 'sa/ike_sa.c'; then $(CYGPATH_W) 'sa/ike_sa.c'; else $(CYGPATH_W) '$(srcdir)/sa/ike_sa.c'; fi`
-
-ike_sa_id.o: sa/ike_sa_id.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_sa_id.o -MD -MP -MF $(DEPDIR)/ike_sa_id.Tpo -c -o ike_sa_id.o `test -f 'sa/ike_sa_id.c' || echo '$(srcdir)/'`sa/ike_sa_id.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_sa_id.Tpo $(DEPDIR)/ike_sa_id.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/ike_sa_id.c' object='ike_sa_id.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_sa_id.o `test -f 'sa/ike_sa_id.c' || echo '$(srcdir)/'`sa/ike_sa_id.c
-
-ike_sa_id.obj: sa/ike_sa_id.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_sa_id.obj -MD -MP -MF $(DEPDIR)/ike_sa_id.Tpo -c -o ike_sa_id.obj `if test -f 'sa/ike_sa_id.c'; then $(CYGPATH_W) 'sa/ike_sa_id.c'; else $(CYGPATH_W) '$(srcdir)/sa/ike_sa_id.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_sa_id.Tpo $(DEPDIR)/ike_sa_id.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/ike_sa_id.c' object='ike_sa_id.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_sa_id.obj `if test -f 'sa/ike_sa_id.c'; then $(CYGPATH_W) 'sa/ike_sa_id.c'; else $(CYGPATH_W) '$(srcdir)/sa/ike_sa_id.c'; fi`
-
-ike_sa_manager.o: sa/ike_sa_manager.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_sa_manager.o -MD -MP -MF $(DEPDIR)/ike_sa_manager.Tpo -c -o ike_sa_manager.o `test -f 'sa/ike_sa_manager.c' || echo '$(srcdir)/'`sa/ike_sa_manager.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_sa_manager.Tpo $(DEPDIR)/ike_sa_manager.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/ike_sa_manager.c' object='ike_sa_manager.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_sa_manager.o `test -f 'sa/ike_sa_manager.c' || echo '$(srcdir)/'`sa/ike_sa_manager.c
-
-ike_sa_manager.obj: sa/ike_sa_manager.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_sa_manager.obj -MD -MP -MF $(DEPDIR)/ike_sa_manager.Tpo -c -o ike_sa_manager.obj `if test -f 'sa/ike_sa_manager.c'; then $(CYGPATH_W) 'sa/ike_sa_manager.c'; else $(CYGPATH_W) '$(srcdir)/sa/ike_sa_manager.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_sa_manager.Tpo $(DEPDIR)/ike_sa_manager.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/ike_sa_manager.c' object='ike_sa_manager.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_sa_manager.obj `if test -f 'sa/ike_sa_manager.c'; then $(CYGPATH_W) 'sa/ike_sa_manager.c'; else $(CYGPATH_W) '$(srcdir)/sa/ike_sa_manager.c'; fi`
-
-task_manager.o: sa/task_manager.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT task_manager.o -MD -MP -MF $(DEPDIR)/task_manager.Tpo -c -o task_manager.o `test -f 'sa/task_manager.c' || echo '$(srcdir)/'`sa/task_manager.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/task_manager.Tpo $(DEPDIR)/task_manager.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/task_manager.c' object='task_manager.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o task_manager.o `test -f 'sa/task_manager.c' || echo '$(srcdir)/'`sa/task_manager.c
-
-task_manager.obj: sa/task_manager.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT task_manager.obj -MD -MP -MF $(DEPDIR)/task_manager.Tpo -c -o task_manager.obj `if test -f 'sa/task_manager.c'; then $(CYGPATH_W) 'sa/task_manager.c'; else $(CYGPATH_W) '$(srcdir)/sa/task_manager.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/task_manager.Tpo $(DEPDIR)/task_manager.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/task_manager.c' object='task_manager.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o task_manager.obj `if test -f 'sa/task_manager.c'; then $(CYGPATH_W) 'sa/task_manager.c'; else $(CYGPATH_W) '$(srcdir)/sa/task_manager.c'; fi`
-
-keymat.o: sa/keymat.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT keymat.o -MD -MP -MF $(DEPDIR)/keymat.Tpo -c -o keymat.o `test -f 'sa/keymat.c' || echo '$(srcdir)/'`sa/keymat.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/keymat.Tpo $(DEPDIR)/keymat.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/keymat.c' object='keymat.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o keymat.o `test -f 'sa/keymat.c' || echo '$(srcdir)/'`sa/keymat.c
-
-keymat.obj: sa/keymat.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT keymat.obj -MD -MP -MF $(DEPDIR)/keymat.Tpo -c -o keymat.obj `if test -f 'sa/keymat.c'; then $(CYGPATH_W) 'sa/keymat.c'; else $(CYGPATH_W) '$(srcdir)/sa/keymat.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/keymat.Tpo $(DEPDIR)/keymat.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/keymat.c' object='keymat.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o keymat.obj `if test -f 'sa/keymat.c'; then $(CYGPATH_W) 'sa/keymat.c'; else $(CYGPATH_W) '$(srcdir)/sa/keymat.c'; fi`
-
-trap_manager.o: sa/trap_manager.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT trap_manager.o -MD -MP -MF $(DEPDIR)/trap_manager.Tpo -c -o trap_manager.o `test -f 'sa/trap_manager.c' || echo '$(srcdir)/'`sa/trap_manager.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/trap_manager.Tpo $(DEPDIR)/trap_manager.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/trap_manager.c' object='trap_manager.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o trap_manager.o `test -f 'sa/trap_manager.c' || echo '$(srcdir)/'`sa/trap_manager.c
-
-trap_manager.obj: sa/trap_manager.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT trap_manager.obj -MD -MP -MF $(DEPDIR)/trap_manager.Tpo -c -o trap_manager.obj `if test -f 'sa/trap_manager.c'; then $(CYGPATH_W) 'sa/trap_manager.c'; else $(CYGPATH_W) '$(srcdir)/sa/trap_manager.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/trap_manager.Tpo $(DEPDIR)/trap_manager.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/trap_manager.c' object='trap_manager.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o trap_manager.obj `if test -f 'sa/trap_manager.c'; then $(CYGPATH_W) 'sa/trap_manager.c'; else $(CYGPATH_W) '$(srcdir)/sa/trap_manager.c'; fi`
-
-child_create.o: sa/tasks/child_create.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT child_create.o -MD -MP -MF $(DEPDIR)/child_create.Tpo -c -o child_create.o `test -f 'sa/tasks/child_create.c' || echo '$(srcdir)/'`sa/tasks/child_create.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/child_create.Tpo $(DEPDIR)/child_create.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/child_create.c' object='child_create.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o child_create.o `test -f 'sa/tasks/child_create.c' || echo '$(srcdir)/'`sa/tasks/child_create.c
-
-child_create.obj: sa/tasks/child_create.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT child_create.obj -MD -MP -MF $(DEPDIR)/child_create.Tpo -c -o child_create.obj `if test -f 'sa/tasks/child_create.c'; then $(CYGPATH_W) 'sa/tasks/child_create.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/child_create.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/child_create.Tpo $(DEPDIR)/child_create.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/child_create.c' object='child_create.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o child_create.obj `if test -f 'sa/tasks/child_create.c'; then $(CYGPATH_W) 'sa/tasks/child_create.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/child_create.c'; fi`
-
-child_delete.o: sa/tasks/child_delete.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT child_delete.o -MD -MP -MF $(DEPDIR)/child_delete.Tpo -c -o child_delete.o `test -f 'sa/tasks/child_delete.c' || echo '$(srcdir)/'`sa/tasks/child_delete.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/child_delete.Tpo $(DEPDIR)/child_delete.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/child_delete.c' object='child_delete.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o child_delete.o `test -f 'sa/tasks/child_delete.c' || echo '$(srcdir)/'`sa/tasks/child_delete.c
-
-child_delete.obj: sa/tasks/child_delete.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT child_delete.obj -MD -MP -MF $(DEPDIR)/child_delete.Tpo -c -o child_delete.obj `if test -f 'sa/tasks/child_delete.c'; then $(CYGPATH_W) 'sa/tasks/child_delete.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/child_delete.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/child_delete.Tpo $(DEPDIR)/child_delete.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/child_delete.c' object='child_delete.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o child_delete.obj `if test -f 'sa/tasks/child_delete.c'; then $(CYGPATH_W) 'sa/tasks/child_delete.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/child_delete.c'; fi`
-
-child_rekey.o: sa/tasks/child_rekey.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT child_rekey.o -MD -MP -MF $(DEPDIR)/child_rekey.Tpo -c -o child_rekey.o `test -f 'sa/tasks/child_rekey.c' || echo '$(srcdir)/'`sa/tasks/child_rekey.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/child_rekey.Tpo $(DEPDIR)/child_rekey.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/child_rekey.c' object='child_rekey.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o child_rekey.o `test -f 'sa/tasks/child_rekey.c' || echo '$(srcdir)/'`sa/tasks/child_rekey.c
-
-child_rekey.obj: sa/tasks/child_rekey.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT child_rekey.obj -MD -MP -MF $(DEPDIR)/child_rekey.Tpo -c -o child_rekey.obj `if test -f 'sa/tasks/child_rekey.c'; then $(CYGPATH_W) 'sa/tasks/child_rekey.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/child_rekey.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/child_rekey.Tpo $(DEPDIR)/child_rekey.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/child_rekey.c' object='child_rekey.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o child_rekey.obj `if test -f 'sa/tasks/child_rekey.c'; then $(CYGPATH_W) 'sa/tasks/child_rekey.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/child_rekey.c'; fi`
-
-ike_auth.o: sa/tasks/ike_auth.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_auth.o -MD -MP -MF $(DEPDIR)/ike_auth.Tpo -c -o ike_auth.o `test -f 'sa/tasks/ike_auth.c' || echo '$(srcdir)/'`sa/tasks/ike_auth.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_auth.Tpo $(DEPDIR)/ike_auth.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/ike_auth.c' object='ike_auth.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_auth.o `test -f 'sa/tasks/ike_auth.c' || echo '$(srcdir)/'`sa/tasks/ike_auth.c
-
-ike_auth.obj: sa/tasks/ike_auth.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_auth.obj -MD -MP -MF $(DEPDIR)/ike_auth.Tpo -c -o ike_auth.obj `if test -f 'sa/tasks/ike_auth.c'; then $(CYGPATH_W) 'sa/tasks/ike_auth.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_auth.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_auth.Tpo $(DEPDIR)/ike_auth.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/ike_auth.c' object='ike_auth.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_auth.obj `if test -f 'sa/tasks/ike_auth.c'; then $(CYGPATH_W) 'sa/tasks/ike_auth.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_auth.c'; fi`
-
-ike_cert_pre.o: sa/tasks/ike_cert_pre.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_cert_pre.o -MD -MP -MF $(DEPDIR)/ike_cert_pre.Tpo -c -o ike_cert_pre.o `test -f 'sa/tasks/ike_cert_pre.c' || echo '$(srcdir)/'`sa/tasks/ike_cert_pre.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_cert_pre.Tpo $(DEPDIR)/ike_cert_pre.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/ike_cert_pre.c' object='ike_cert_pre.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_cert_pre.o `test -f 'sa/tasks/ike_cert_pre.c' || echo '$(srcdir)/'`sa/tasks/ike_cert_pre.c
-
-ike_cert_pre.obj: sa/tasks/ike_cert_pre.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_cert_pre.obj -MD -MP -MF $(DEPDIR)/ike_cert_pre.Tpo -c -o ike_cert_pre.obj `if test -f 'sa/tasks/ike_cert_pre.c'; then $(CYGPATH_W) 'sa/tasks/ike_cert_pre.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_cert_pre.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_cert_pre.Tpo $(DEPDIR)/ike_cert_pre.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/ike_cert_pre.c' object='ike_cert_pre.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_cert_pre.obj `if test -f 'sa/tasks/ike_cert_pre.c'; then $(CYGPATH_W) 'sa/tasks/ike_cert_pre.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_cert_pre.c'; fi`
-
-ike_cert_post.o: sa/tasks/ike_cert_post.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_cert_post.o -MD -MP -MF $(DEPDIR)/ike_cert_post.Tpo -c -o ike_cert_post.o `test -f 'sa/tasks/ike_cert_post.c' || echo '$(srcdir)/'`sa/tasks/ike_cert_post.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_cert_post.Tpo $(DEPDIR)/ike_cert_post.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/ike_cert_post.c' object='ike_cert_post.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_cert_post.o `test -f 'sa/tasks/ike_cert_post.c' || echo '$(srcdir)/'`sa/tasks/ike_cert_post.c
-
-ike_cert_post.obj: sa/tasks/ike_cert_post.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_cert_post.obj -MD -MP -MF $(DEPDIR)/ike_cert_post.Tpo -c -o ike_cert_post.obj `if test -f 'sa/tasks/ike_cert_post.c'; then $(CYGPATH_W) 'sa/tasks/ike_cert_post.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_cert_post.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_cert_post.Tpo $(DEPDIR)/ike_cert_post.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/ike_cert_post.c' object='ike_cert_post.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_cert_post.obj `if test -f 'sa/tasks/ike_cert_post.c'; then $(CYGPATH_W) 'sa/tasks/ike_cert_post.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_cert_post.c'; fi`
-
-ike_config.o: sa/tasks/ike_config.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_config.o -MD -MP -MF $(DEPDIR)/ike_config.Tpo -c -o ike_config.o `test -f 'sa/tasks/ike_config.c' || echo '$(srcdir)/'`sa/tasks/ike_config.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_config.Tpo $(DEPDIR)/ike_config.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/ike_config.c' object='ike_config.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_config.o `test -f 'sa/tasks/ike_config.c' || echo '$(srcdir)/'`sa/tasks/ike_config.c
-
-ike_config.obj: sa/tasks/ike_config.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_config.obj -MD -MP -MF $(DEPDIR)/ike_config.Tpo -c -o ike_config.obj `if test -f 'sa/tasks/ike_config.c'; then $(CYGPATH_W) 'sa/tasks/ike_config.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_config.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_config.Tpo $(DEPDIR)/ike_config.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/ike_config.c' object='ike_config.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_config.obj `if test -f 'sa/tasks/ike_config.c'; then $(CYGPATH_W) 'sa/tasks/ike_config.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_config.c'; fi`
-
-ike_delete.o: sa/tasks/ike_delete.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_delete.o -MD -MP -MF $(DEPDIR)/ike_delete.Tpo -c -o ike_delete.o `test -f 'sa/tasks/ike_delete.c' || echo '$(srcdir)/'`sa/tasks/ike_delete.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_delete.Tpo $(DEPDIR)/ike_delete.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/ike_delete.c' object='ike_delete.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_delete.o `test -f 'sa/tasks/ike_delete.c' || echo '$(srcdir)/'`sa/tasks/ike_delete.c
-
-ike_delete.obj: sa/tasks/ike_delete.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_delete.obj -MD -MP -MF $(DEPDIR)/ike_delete.Tpo -c -o ike_delete.obj `if test -f 'sa/tasks/ike_delete.c'; then $(CYGPATH_W) 'sa/tasks/ike_delete.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_delete.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_delete.Tpo $(DEPDIR)/ike_delete.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/ike_delete.c' object='ike_delete.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_delete.obj `if test -f 'sa/tasks/ike_delete.c'; then $(CYGPATH_W) 'sa/tasks/ike_delete.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_delete.c'; fi`
-
-ike_dpd.o: sa/tasks/ike_dpd.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_dpd.o -MD -MP -MF $(DEPDIR)/ike_dpd.Tpo -c -o ike_dpd.o `test -f 'sa/tasks/ike_dpd.c' || echo '$(srcdir)/'`sa/tasks/ike_dpd.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_dpd.Tpo $(DEPDIR)/ike_dpd.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/ike_dpd.c' object='ike_dpd.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_dpd.o `test -f 'sa/tasks/ike_dpd.c' || echo '$(srcdir)/'`sa/tasks/ike_dpd.c
-
-ike_dpd.obj: sa/tasks/ike_dpd.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_dpd.obj -MD -MP -MF $(DEPDIR)/ike_dpd.Tpo -c -o ike_dpd.obj `if test -f 'sa/tasks/ike_dpd.c'; then $(CYGPATH_W) 'sa/tasks/ike_dpd.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_dpd.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_dpd.Tpo $(DEPDIR)/ike_dpd.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/ike_dpd.c' object='ike_dpd.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_dpd.obj `if test -f 'sa/tasks/ike_dpd.c'; then $(CYGPATH_W) 'sa/tasks/ike_dpd.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_dpd.c'; fi`
-
-ike_init.o: sa/tasks/ike_init.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_init.o -MD -MP -MF $(DEPDIR)/ike_init.Tpo -c -o ike_init.o `test -f 'sa/tasks/ike_init.c' || echo '$(srcdir)/'`sa/tasks/ike_init.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_init.Tpo $(DEPDIR)/ike_init.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/ike_init.c' object='ike_init.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_init.o `test -f 'sa/tasks/ike_init.c' || echo '$(srcdir)/'`sa/tasks/ike_init.c
-
-ike_init.obj: sa/tasks/ike_init.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_init.obj -MD -MP -MF $(DEPDIR)/ike_init.Tpo -c -o ike_init.obj `if test -f 'sa/tasks/ike_init.c'; then $(CYGPATH_W) 'sa/tasks/ike_init.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_init.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_init.Tpo $(DEPDIR)/ike_init.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/ike_init.c' object='ike_init.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_init.obj `if test -f 'sa/tasks/ike_init.c'; then $(CYGPATH_W) 'sa/tasks/ike_init.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_init.c'; fi`
-
-ike_natd.o: sa/tasks/ike_natd.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_natd.o -MD -MP -MF $(DEPDIR)/ike_natd.Tpo -c -o ike_natd.o `test -f 'sa/tasks/ike_natd.c' || echo '$(srcdir)/'`sa/tasks/ike_natd.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_natd.Tpo $(DEPDIR)/ike_natd.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/ike_natd.c' object='ike_natd.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_natd.o `test -f 'sa/tasks/ike_natd.c' || echo '$(srcdir)/'`sa/tasks/ike_natd.c
-
-ike_natd.obj: sa/tasks/ike_natd.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_natd.obj -MD -MP -MF $(DEPDIR)/ike_natd.Tpo -c -o ike_natd.obj `if test -f 'sa/tasks/ike_natd.c'; then $(CYGPATH_W) 'sa/tasks/ike_natd.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_natd.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_natd.Tpo $(DEPDIR)/ike_natd.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/ike_natd.c' object='ike_natd.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_natd.obj `if test -f 'sa/tasks/ike_natd.c'; then $(CYGPATH_W) 'sa/tasks/ike_natd.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_natd.c'; fi`
-
-ike_mobike.o: sa/tasks/ike_mobike.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_mobike.o -MD -MP -MF $(DEPDIR)/ike_mobike.Tpo -c -o ike_mobike.o `test -f 'sa/tasks/ike_mobike.c' || echo '$(srcdir)/'`sa/tasks/ike_mobike.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_mobike.Tpo $(DEPDIR)/ike_mobike.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/ike_mobike.c' object='ike_mobike.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_mobike.o `test -f 'sa/tasks/ike_mobike.c' || echo '$(srcdir)/'`sa/tasks/ike_mobike.c
-
-ike_mobike.obj: sa/tasks/ike_mobike.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_mobike.obj -MD -MP -MF $(DEPDIR)/ike_mobike.Tpo -c -o ike_mobike.obj `if test -f 'sa/tasks/ike_mobike.c'; then $(CYGPATH_W) 'sa/tasks/ike_mobike.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_mobike.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_mobike.Tpo $(DEPDIR)/ike_mobike.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/ike_mobike.c' object='ike_mobike.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_mobike.obj `if test -f 'sa/tasks/ike_mobike.c'; then $(CYGPATH_W) 'sa/tasks/ike_mobike.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_mobike.c'; fi`
-
-ike_rekey.o: sa/tasks/ike_rekey.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_rekey.o -MD -MP -MF $(DEPDIR)/ike_rekey.Tpo -c -o ike_rekey.o `test -f 'sa/tasks/ike_rekey.c' || echo '$(srcdir)/'`sa/tasks/ike_rekey.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_rekey.Tpo $(DEPDIR)/ike_rekey.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/ike_rekey.c' object='ike_rekey.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_rekey.o `test -f 'sa/tasks/ike_rekey.c' || echo '$(srcdir)/'`sa/tasks/ike_rekey.c
-
-ike_rekey.obj: sa/tasks/ike_rekey.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_rekey.obj -MD -MP -MF $(DEPDIR)/ike_rekey.Tpo -c -o ike_rekey.obj `if test -f 'sa/tasks/ike_rekey.c'; then $(CYGPATH_W) 'sa/tasks/ike_rekey.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_rekey.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_rekey.Tpo $(DEPDIR)/ike_rekey.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/ike_rekey.c' object='ike_rekey.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_rekey.obj `if test -f 'sa/tasks/ike_rekey.c'; then $(CYGPATH_W) 'sa/tasks/ike_rekey.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_rekey.c'; fi`
-
-ike_reauth.o: sa/tasks/ike_reauth.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_reauth.o -MD -MP -MF $(DEPDIR)/ike_reauth.Tpo -c -o ike_reauth.o `test -f 'sa/tasks/ike_reauth.c' || echo '$(srcdir)/'`sa/tasks/ike_reauth.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_reauth.Tpo $(DEPDIR)/ike_reauth.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/ike_reauth.c' object='ike_reauth.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_reauth.o `test -f 'sa/tasks/ike_reauth.c' || echo '$(srcdir)/'`sa/tasks/ike_reauth.c
-
-ike_reauth.obj: sa/tasks/ike_reauth.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_reauth.obj -MD -MP -MF $(DEPDIR)/ike_reauth.Tpo -c -o ike_reauth.obj `if test -f 'sa/tasks/ike_reauth.c'; then $(CYGPATH_W) 'sa/tasks/ike_reauth.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_reauth.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_reauth.Tpo $(DEPDIR)/ike_reauth.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/ike_reauth.c' object='ike_reauth.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_reauth.obj `if test -f 'sa/tasks/ike_reauth.c'; then $(CYGPATH_W) 'sa/tasks/ike_reauth.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_reauth.c'; fi`
-
-ike_auth_lifetime.o: sa/tasks/ike_auth_lifetime.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_auth_lifetime.o -MD -MP -MF $(DEPDIR)/ike_auth_lifetime.Tpo -c -o ike_auth_lifetime.o `test -f 'sa/tasks/ike_auth_lifetime.c' || echo '$(srcdir)/'`sa/tasks/ike_auth_lifetime.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_auth_lifetime.Tpo $(DEPDIR)/ike_auth_lifetime.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/ike_auth_lifetime.c' object='ike_auth_lifetime.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_auth_lifetime.o `test -f 'sa/tasks/ike_auth_lifetime.c' || echo '$(srcdir)/'`sa/tasks/ike_auth_lifetime.c
-
-ike_auth_lifetime.obj: sa/tasks/ike_auth_lifetime.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_auth_lifetime.obj -MD -MP -MF $(DEPDIR)/ike_auth_lifetime.Tpo -c -o ike_auth_lifetime.obj `if test -f 'sa/tasks/ike_auth_lifetime.c'; then $(CYGPATH_W) 'sa/tasks/ike_auth_lifetime.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_auth_lifetime.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_auth_lifetime.Tpo $(DEPDIR)/ike_auth_lifetime.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/ike_auth_lifetime.c' object='ike_auth_lifetime.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_auth_lifetime.obj `if test -f 'sa/tasks/ike_auth_lifetime.c'; then $(CYGPATH_W) 'sa/tasks/ike_auth_lifetime.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_auth_lifetime.c'; fi`
-
-ike_vendor.o: sa/tasks/ike_vendor.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_vendor.o -MD -MP -MF $(DEPDIR)/ike_vendor.Tpo -c -o ike_vendor.o `test -f 'sa/tasks/ike_vendor.c' || echo '$(srcdir)/'`sa/tasks/ike_vendor.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_vendor.Tpo $(DEPDIR)/ike_vendor.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/ike_vendor.c' object='ike_vendor.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_vendor.o `test -f 'sa/tasks/ike_vendor.c' || echo '$(srcdir)/'`sa/tasks/ike_vendor.c
-
-ike_vendor.obj: sa/tasks/ike_vendor.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_vendor.obj -MD -MP -MF $(DEPDIR)/ike_vendor.Tpo -c -o ike_vendor.obj `if test -f 'sa/tasks/ike_vendor.c'; then $(CYGPATH_W) 'sa/tasks/ike_vendor.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_vendor.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_vendor.Tpo $(DEPDIR)/ike_vendor.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/ike_vendor.c' object='ike_vendor.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_vendor.obj `if test -f 'sa/tasks/ike_vendor.c'; then $(CYGPATH_W) 'sa/tasks/ike_vendor.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_vendor.c'; fi`
-
-task.o: sa/tasks/task.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT task.o -MD -MP -MF $(DEPDIR)/task.Tpo -c -o task.o `test -f 'sa/tasks/task.c' || echo '$(srcdir)/'`sa/tasks/task.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/task.Tpo $(DEPDIR)/task.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/task.c' object='task.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o task.o `test -f 'sa/tasks/task.c' || echo '$(srcdir)/'`sa/tasks/task.c
-
-task.obj: sa/tasks/task.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT task.obj -MD -MP -MF $(DEPDIR)/task.Tpo -c -o task.obj `if test -f 'sa/tasks/task.c'; then $(CYGPATH_W) 'sa/tasks/task.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/task.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/task.Tpo $(DEPDIR)/task.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/task.c' object='task.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o task.obj `if test -f 'sa/tasks/task.c'; then $(CYGPATH_W) 'sa/tasks/task.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/task.c'; fi`
-
-credential_manager.o: credentials/credential_manager.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT credential_manager.o -MD -MP -MF $(DEPDIR)/credential_manager.Tpo -c -o credential_manager.o `test -f 'credentials/credential_manager.c' || echo '$(srcdir)/'`credentials/credential_manager.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/credential_manager.Tpo $(DEPDIR)/credential_manager.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='credentials/credential_manager.c' object='credential_manager.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o credential_manager.o `test -f 'credentials/credential_manager.c' || echo '$(srcdir)/'`credentials/credential_manager.c
-
-credential_manager.obj: credentials/credential_manager.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT credential_manager.obj -MD -MP -MF $(DEPDIR)/credential_manager.Tpo -c -o credential_manager.obj `if test -f 'credentials/credential_manager.c'; then $(CYGPATH_W) 'credentials/credential_manager.c'; else $(CYGPATH_W) '$(srcdir)/credentials/credential_manager.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/credential_manager.Tpo $(DEPDIR)/credential_manager.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='credentials/credential_manager.c' object='credential_manager.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o credential_manager.obj `if test -f 'credentials/credential_manager.c'; then $(CYGPATH_W) 'credentials/credential_manager.c'; else $(CYGPATH_W) '$(srcdir)/credentials/credential_manager.c'; fi`
-
-auth_cfg_wrapper.o: credentials/sets/auth_cfg_wrapper.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT auth_cfg_wrapper.o -MD -MP -MF $(DEPDIR)/auth_cfg_wrapper.Tpo -c -o auth_cfg_wrapper.o `test -f 'credentials/sets/auth_cfg_wrapper.c' || echo '$(srcdir)/'`credentials/sets/auth_cfg_wrapper.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/auth_cfg_wrapper.Tpo $(DEPDIR)/auth_cfg_wrapper.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='credentials/sets/auth_cfg_wrapper.c' object='auth_cfg_wrapper.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o auth_cfg_wrapper.o `test -f 'credentials/sets/auth_cfg_wrapper.c' || echo '$(srcdir)/'`credentials/sets/auth_cfg_wrapper.c
-
-auth_cfg_wrapper.obj: credentials/sets/auth_cfg_wrapper.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT auth_cfg_wrapper.obj -MD -MP -MF $(DEPDIR)/auth_cfg_wrapper.Tpo -c -o auth_cfg_wrapper.obj `if test -f 'credentials/sets/auth_cfg_wrapper.c'; then $(CYGPATH_W) 'credentials/sets/auth_cfg_wrapper.c'; else $(CYGPATH_W) '$(srcdir)/credentials/sets/auth_cfg_wrapper.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/auth_cfg_wrapper.Tpo $(DEPDIR)/auth_cfg_wrapper.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='credentials/sets/auth_cfg_wrapper.c' object='auth_cfg_wrapper.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o auth_cfg_wrapper.obj `if test -f 'credentials/sets/auth_cfg_wrapper.c'; then $(CYGPATH_W) 'credentials/sets/auth_cfg_wrapper.c'; else $(CYGPATH_W) '$(srcdir)/credentials/sets/auth_cfg_wrapper.c'; fi`
-
-ocsp_response_wrapper.o: credentials/sets/ocsp_response_wrapper.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ocsp_response_wrapper.o -MD -MP -MF $(DEPDIR)/ocsp_response_wrapper.Tpo -c -o ocsp_response_wrapper.o `test -f 'credentials/sets/ocsp_response_wrapper.c' || echo '$(srcdir)/'`credentials/sets/ocsp_response_wrapper.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ocsp_response_wrapper.Tpo $(DEPDIR)/ocsp_response_wrapper.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='credentials/sets/ocsp_response_wrapper.c' object='ocsp_response_wrapper.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ocsp_response_wrapper.o `test -f 'credentials/sets/ocsp_response_wrapper.c' || echo '$(srcdir)/'`credentials/sets/ocsp_response_wrapper.c
-
-ocsp_response_wrapper.obj: credentials/sets/ocsp_response_wrapper.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ocsp_response_wrapper.obj -MD -MP -MF $(DEPDIR)/ocsp_response_wrapper.Tpo -c -o ocsp_response_wrapper.obj `if test -f 'credentials/sets/ocsp_response_wrapper.c'; then $(CYGPATH_W) 'credentials/sets/ocsp_response_wrapper.c'; else $(CYGPATH_W) '$(srcdir)/credentials/sets/ocsp_response_wrapper.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ocsp_response_wrapper.Tpo $(DEPDIR)/ocsp_response_wrapper.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='credentials/sets/ocsp_response_wrapper.c' object='ocsp_response_wrapper.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ocsp_response_wrapper.obj `if test -f 'credentials/sets/ocsp_response_wrapper.c'; then $(CYGPATH_W) 'credentials/sets/ocsp_response_wrapper.c'; else $(CYGPATH_W) '$(srcdir)/credentials/sets/ocsp_response_wrapper.c'; fi`
-
-cert_cache.o: credentials/sets/cert_cache.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cert_cache.o -MD -MP -MF $(DEPDIR)/cert_cache.Tpo -c -o cert_cache.o `test -f 'credentials/sets/cert_cache.c' || echo '$(srcdir)/'`credentials/sets/cert_cache.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/cert_cache.Tpo $(DEPDIR)/cert_cache.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='credentials/sets/cert_cache.c' object='cert_cache.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cert_cache.o `test -f 'credentials/sets/cert_cache.c' || echo '$(srcdir)/'`credentials/sets/cert_cache.c
-
-cert_cache.obj: credentials/sets/cert_cache.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cert_cache.obj -MD -MP -MF $(DEPDIR)/cert_cache.Tpo -c -o cert_cache.obj `if test -f 'credentials/sets/cert_cache.c'; then $(CYGPATH_W) 'credentials/sets/cert_cache.c'; else $(CYGPATH_W) '$(srcdir)/credentials/sets/cert_cache.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/cert_cache.Tpo $(DEPDIR)/cert_cache.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='credentials/sets/cert_cache.c' object='cert_cache.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cert_cache.obj `if test -f 'credentials/sets/cert_cache.c'; then $(CYGPATH_W) 'credentials/sets/cert_cache.c'; else $(CYGPATH_W) '$(srcdir)/credentials/sets/cert_cache.c'; fi`
-
-socket-raw.o: network/socket-raw.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT socket-raw.o -MD -MP -MF $(DEPDIR)/socket-raw.Tpo -c -o socket-raw.o `test -f 'network/socket-raw.c' || echo '$(srcdir)/'`network/socket-raw.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/socket-raw.Tpo $(DEPDIR)/socket-raw.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='network/socket-raw.c' object='socket-raw.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o socket-raw.o `test -f 'network/socket-raw.c' || echo '$(srcdir)/'`network/socket-raw.c
-
-socket-raw.obj: network/socket-raw.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT socket-raw.obj -MD -MP -MF $(DEPDIR)/socket-raw.Tpo -c -o socket-raw.obj `if test -f 'network/socket-raw.c'; then $(CYGPATH_W) 'network/socket-raw.c'; else $(CYGPATH_W) '$(srcdir)/network/socket-raw.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/socket-raw.Tpo $(DEPDIR)/socket-raw.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='network/socket-raw.c' object='socket-raw.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o socket-raw.obj `if test -f 'network/socket-raw.c'; then $(CYGPATH_W) 'network/socket-raw.c'; else $(CYGPATH_W) '$(srcdir)/network/socket-raw.c'; fi`
-
-socket.o: network/socket.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT socket.o -MD -MP -MF $(DEPDIR)/socket.Tpo -c -o socket.o `test -f 'network/socket.c' || echo '$(srcdir)/'`network/socket.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/socket.Tpo $(DEPDIR)/socket.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='network/socket.c' object='socket.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o socket.o `test -f 'network/socket.c' || echo '$(srcdir)/'`network/socket.c
-
-socket.obj: network/socket.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT socket.obj -MD -MP -MF $(DEPDIR)/socket.Tpo -c -o socket.obj `if test -f 'network/socket.c'; then $(CYGPATH_W) 'network/socket.c'; else $(CYGPATH_W) '$(srcdir)/network/socket.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/socket.Tpo $(DEPDIR)/socket.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='network/socket.c' object='socket.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o socket.obj `if test -f 'network/socket.c'; then $(CYGPATH_W) 'network/socket.c'; else $(CYGPATH_W) '$(srcdir)/network/socket.c'; fi`
-
-endpoint_notify.o: encoding/payloads/endpoint_notify.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT endpoint_notify.o -MD -MP -MF $(DEPDIR)/endpoint_notify.Tpo -c -o endpoint_notify.o `test -f 'encoding/payloads/endpoint_notify.c' || echo '$(srcdir)/'`encoding/payloads/endpoint_notify.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/endpoint_notify.Tpo $(DEPDIR)/endpoint_notify.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/endpoint_notify.c' object='endpoint_notify.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o endpoint_notify.o `test -f 'encoding/payloads/endpoint_notify.c' || echo '$(srcdir)/'`encoding/payloads/endpoint_notify.c
-
-endpoint_notify.obj: encoding/payloads/endpoint_notify.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT endpoint_notify.obj -MD -MP -MF $(DEPDIR)/endpoint_notify.Tpo -c -o endpoint_notify.obj `if test -f 'encoding/payloads/endpoint_notify.c'; then $(CYGPATH_W) 'encoding/payloads/endpoint_notify.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/endpoint_notify.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/endpoint_notify.Tpo $(DEPDIR)/endpoint_notify.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/endpoint_notify.c' object='endpoint_notify.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o endpoint_notify.obj `if test -f 'encoding/payloads/endpoint_notify.c'; then $(CYGPATH_W) 'encoding/payloads/endpoint_notify.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/endpoint_notify.c'; fi`
-
-initiate_mediation_job.o: processing/jobs/initiate_mediation_job.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT initiate_mediation_job.o -MD -MP -MF $(DEPDIR)/initiate_mediation_job.Tpo -c -o initiate_mediation_job.o `test -f 'processing/jobs/initiate_mediation_job.c' || echo '$(srcdir)/'`processing/jobs/initiate_mediation_job.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/initiate_mediation_job.Tpo $(DEPDIR)/initiate_mediation_job.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/initiate_mediation_job.c' object='initiate_mediation_job.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o initiate_mediation_job.o `test -f 'processing/jobs/initiate_mediation_job.c' || echo '$(srcdir)/'`processing/jobs/initiate_mediation_job.c
-
-initiate_mediation_job.obj: processing/jobs/initiate_mediation_job.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT initiate_mediation_job.obj -MD -MP -MF $(DEPDIR)/initiate_mediation_job.Tpo -c -o initiate_mediation_job.obj `if test -f 'processing/jobs/initiate_mediation_job.c'; then $(CYGPATH_W) 'processing/jobs/initiate_mediation_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/initiate_mediation_job.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/initiate_mediation_job.Tpo $(DEPDIR)/initiate_mediation_job.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/initiate_mediation_job.c' object='initiate_mediation_job.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o initiate_mediation_job.obj `if test -f 'processing/jobs/initiate_mediation_job.c'; then $(CYGPATH_W) 'processing/jobs/initiate_mediation_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/initiate_mediation_job.c'; fi`
-
-mediation_job.o: processing/jobs/mediation_job.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT mediation_job.o -MD -MP -MF $(DEPDIR)/mediation_job.Tpo -c -o mediation_job.o `test -f 'processing/jobs/mediation_job.c' || echo '$(srcdir)/'`processing/jobs/mediation_job.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/mediation_job.Tpo $(DEPDIR)/mediation_job.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/mediation_job.c' object='mediation_job.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o mediation_job.o `test -f 'processing/jobs/mediation_job.c' || echo '$(srcdir)/'`processing/jobs/mediation_job.c
-
-mediation_job.obj: processing/jobs/mediation_job.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT mediation_job.obj -MD -MP -MF $(DEPDIR)/mediation_job.Tpo -c -o mediation_job.obj `if test -f 'processing/jobs/mediation_job.c'; then $(CYGPATH_W) 'processing/jobs/mediation_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/mediation_job.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/mediation_job.Tpo $(DEPDIR)/mediation_job.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/mediation_job.c' object='mediation_job.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o mediation_job.obj `if test -f 'processing/jobs/mediation_job.c'; then $(CYGPATH_W) 'processing/jobs/mediation_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/mediation_job.c'; fi`
-
-connect_manager.o: sa/connect_manager.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT connect_manager.o -MD -MP -MF $(DEPDIR)/connect_manager.Tpo -c -o connect_manager.o `test -f 'sa/connect_manager.c' || echo '$(srcdir)/'`sa/connect_manager.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/connect_manager.Tpo $(DEPDIR)/connect_manager.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/connect_manager.c' object='connect_manager.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o connect_manager.o `test -f 'sa/connect_manager.c' || echo '$(srcdir)/'`sa/connect_manager.c
-
-connect_manager.obj: sa/connect_manager.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT connect_manager.obj -MD -MP -MF $(DEPDIR)/connect_manager.Tpo -c -o connect_manager.obj `if test -f 'sa/connect_manager.c'; then $(CYGPATH_W) 'sa/connect_manager.c'; else $(CYGPATH_W) '$(srcdir)/sa/connect_manager.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/connect_manager.Tpo $(DEPDIR)/connect_manager.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/connect_manager.c' object='connect_manager.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o connect_manager.obj `if test -f 'sa/connect_manager.c'; then $(CYGPATH_W) 'sa/connect_manager.c'; else $(CYGPATH_W) '$(srcdir)/sa/connect_manager.c'; fi`
-
-mediation_manager.o: sa/mediation_manager.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT mediation_manager.o -MD -MP -MF $(DEPDIR)/mediation_manager.Tpo -c -o mediation_manager.o `test -f 'sa/mediation_manager.c' || echo '$(srcdir)/'`sa/mediation_manager.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/mediation_manager.Tpo $(DEPDIR)/mediation_manager.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/mediation_manager.c' object='mediation_manager.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o mediation_manager.o `test -f 'sa/mediation_manager.c' || echo '$(srcdir)/'`sa/mediation_manager.c
-
-mediation_manager.obj: sa/mediation_manager.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT mediation_manager.obj -MD -MP -MF $(DEPDIR)/mediation_manager.Tpo -c -o mediation_manager.obj `if test -f 'sa/mediation_manager.c'; then $(CYGPATH_W) 'sa/mediation_manager.c'; else $(CYGPATH_W) '$(srcdir)/sa/mediation_manager.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/mediation_manager.Tpo $(DEPDIR)/mediation_manager.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/mediation_manager.c' object='mediation_manager.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o mediation_manager.obj `if test -f 'sa/mediation_manager.c'; then $(CYGPATH_W) 'sa/mediation_manager.c'; else $(CYGPATH_W) '$(srcdir)/sa/mediation_manager.c'; fi`
-
-ike_me.o: sa/tasks/ike_me.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_me.o -MD -MP -MF $(DEPDIR)/ike_me.Tpo -c -o ike_me.o `test -f 'sa/tasks/ike_me.c' || echo '$(srcdir)/'`sa/tasks/ike_me.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_me.Tpo $(DEPDIR)/ike_me.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/ike_me.c' object='ike_me.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_me.o `test -f 'sa/tasks/ike_me.c' || echo '$(srcdir)/'`sa/tasks/ike_me.c
-
-ike_me.obj: sa/tasks/ike_me.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_me.obj -MD -MP -MF $(DEPDIR)/ike_me.Tpo -c -o ike_me.obj `if test -f 'sa/tasks/ike_me.c'; then $(CYGPATH_W) 'sa/tasks/ike_me.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_me.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_me.Tpo $(DEPDIR)/ike_me.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/ike_me.c' object='ike_me.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_me.obj `if test -f 'sa/tasks/ike_me.c'; then $(CYGPATH_W) 'sa/tasks/ike_me.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_me.c'; fi`
-
 mostlyclean-libtool:
 	-rm -f *.lo
 
 clean-libtool:
 	-rm -rf .libs _libs
 
-# This directory's subdirectories are mostly independent; you can cd
-# into them and run `make' without going through this Makefile.
-# To change the values of `make' variables: instead of editing Makefiles,
-# (1) if the variable is set in `config.status', edit `config.status'
-#     (which will cause the Makefiles to be regenerated when you run `make');
-# (2) otherwise, pass the desired values on the `make' command line.
-$(RECURSIVE_TARGETS):
-	@failcom='exit 1'; \
-	for f in x $$MAKEFLAGS; do \
-	  case $$f in \
-	    *=* | --[!k]*);; \
-	    *k*) failcom='fail=yes';; \
-	  esac; \
-	done; \
-	dot_seen=no; \
-	target=`echo $@ | sed s/-recursive//`; \
-	list='$(SUBDIRS)'; for subdir in $$list; do \
-	  echo "Making $$target in $$subdir"; \
-	  if test "$$subdir" = "."; then \
-	    dot_seen=yes; \
-	    local_target="$$target-am"; \
-	  else \
-	    local_target="$$target"; \
-	  fi; \
-	  ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
-	  || eval $$failcom; \
-	done; \
-	if test "$$dot_seen" = "no"; then \
-	  $(MAKE) $(AM_MAKEFLAGS) "$$target-am" || exit 1; \
-	fi; test -z "$$fail"
-
-$(RECURSIVE_CLEAN_TARGETS):
-	@failcom='exit 1'; \
-	for f in x $$MAKEFLAGS; do \
-	  case $$f in \
-	    *=* | --[!k]*);; \
-	    *k*) failcom='fail=yes';; \
-	  esac; \
-	done; \
-	dot_seen=no; \
-	case "$@" in \
-	  distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \
-	  *) list='$(SUBDIRS)' ;; \
-	esac; \
-	rev=''; for subdir in $$list; do \
-	  if test "$$subdir" = "."; then :; else \
-	    rev="$$subdir $$rev"; \
-	  fi; \
-	done; \
-	rev="$$rev ."; \
-	target=`echo $@ | sed s/-recursive//`; \
-	for subdir in $$rev; do \
-	  echo "Making $$target in $$subdir"; \
-	  if test "$$subdir" = "."; then \
-	    local_target="$$target-am"; \
-	  else \
-	    local_target="$$target"; \
-	  fi; \
-	  ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
-	  || eval $$failcom; \
-	done && test -z "$$fail"
-tags-recursive:
-	list='$(SUBDIRS)'; for subdir in $$list; do \
-	  test "$$subdir" = . || ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) tags); \
-	done
-ctags-recursive:
-	list='$(SUBDIRS)'; for subdir in $$list; do \
-	  test "$$subdir" = . || ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) ctags); \
-	done
-
 ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
@@ -2364,23 +379,10 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	mkid -fID $$unique
 tags: TAGS
 
-TAGS: tags-recursive $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
 	set x; \
 	here=`pwd`; \
-	if ($(ETAGS) --etags-include --version) >/dev/null 2>&1; then \
-	  include_option=--etags-include; \
-	  empty_fix=.; \
-	else \
-	  include_option=--include; \
-	  empty_fix=; \
-	fi; \
-	list='$(SUBDIRS)'; for subdir in $$list; do \
-	  if test "$$subdir" = .; then :; else \
-	    test ! -f $$subdir/TAGS || \
-	      set "$$@" "$$include_option=$$here/$$subdir/TAGS"; \
-	  fi; \
-	done; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
@@ -2399,7 +401,7 @@ TAGS: tags-recursive $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  fi; \
 	fi
 ctags: CTAGS
-CTAGS: ctags-recursive $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
@@ -2449,51 +451,22 @@ distdir: $(DISTFILES)
 	    || exit 1; \
 	  fi; \
 	done
-	@list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
-	  if test "$$subdir" = .; then :; else \
-	    test -d "$(distdir)/$$subdir" \
-	    || $(MKDIR_P) "$(distdir)/$$subdir" \
-	    || exit 1; \
-	  fi; \
-	done
-	@list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
-	  if test "$$subdir" = .; then :; else \
-	    dir1=$$subdir; dir2="$(distdir)/$$subdir"; \
-	    $(am__relativize); \
-	    new_distdir=$$reldir; \
-	    dir1=$$subdir; dir2="$(top_distdir)"; \
-	    $(am__relativize); \
-	    new_top_distdir=$$reldir; \
-	    echo " (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) top_distdir="$$new_top_distdir" distdir="$$new_distdir" \\"; \
-	    echo "     am__remove_distdir=: am__skip_length_check=: am__skip_mode_fix=: distdir)"; \
-	    ($(am__cd) $$subdir && \
-	      $(MAKE) $(AM_MAKEFLAGS) \
-	        top_distdir="$$new_top_distdir" \
-	        distdir="$$new_distdir" \
-		am__remove_distdir=: \
-		am__skip_length_check=: \
-		am__skip_mode_fix=: \
-	        distdir) \
-	      || exit 1; \
-	  fi; \
-	done
 check-am: all-am
-check: check-recursive
+check: check-am
 all-am: Makefile $(PROGRAMS)
-installdirs: installdirs-recursive
-installdirs-am:
+installdirs:
 	for dir in "$(DESTDIR)$(ipsecdir)"; do \
 	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
 	done
-install: install-recursive
-install-exec: install-exec-recursive
-install-data: install-data-recursive
-uninstall: uninstall-recursive
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
 
 install-am: all-am
 	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
 
-installcheck: installcheck-recursive
+installcheck: installcheck-am
 install-strip:
 	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
 	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
@@ -2510,95 +483,92 @@ distclean-generic:
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
 	@echo "it deletes files that may require special tools to rebuild."
-clean: clean-recursive
+clean: clean-am
 
 clean-am: clean-generic clean-ipsecPROGRAMS clean-libtool \
 	mostlyclean-am
 
-distclean: distclean-recursive
+distclean: distclean-am
 	-rm -rf ./$(DEPDIR)
 	-rm -f Makefile
 distclean-am: clean-am distclean-compile distclean-generic \
 	distclean-tags
 
-dvi: dvi-recursive
+dvi: dvi-am
 
 dvi-am:
 
-html: html-recursive
+html: html-am
 
 html-am:
 
-info: info-recursive
+info: info-am
 
 info-am:
 
 install-data-am: install-ipsecPROGRAMS
 
-install-dvi: install-dvi-recursive
+install-dvi: install-dvi-am
 
 install-dvi-am:
 
 install-exec-am:
 
-install-html: install-html-recursive
+install-html: install-html-am
 
 install-html-am:
 
-install-info: install-info-recursive
+install-info: install-info-am
 
 install-info-am:
 
 install-man:
 
-install-pdf: install-pdf-recursive
+install-pdf: install-pdf-am
 
 install-pdf-am:
 
-install-ps: install-ps-recursive
+install-ps: install-ps-am
 
 install-ps-am:
 
 installcheck-am:
 
-maintainer-clean: maintainer-clean-recursive
+maintainer-clean: maintainer-clean-am
 	-rm -rf ./$(DEPDIR)
 	-rm -f Makefile
 maintainer-clean-am: distclean-am maintainer-clean-generic
 
-mostlyclean: mostlyclean-recursive
+mostlyclean: mostlyclean-am
 
 mostlyclean-am: mostlyclean-compile mostlyclean-generic \
 	mostlyclean-libtool
 
-pdf: pdf-recursive
+pdf: pdf-am
 
 pdf-am:
 
-ps: ps-recursive
+ps: ps-am
 
 ps-am:
 
 uninstall-am: uninstall-ipsecPROGRAMS
 
-.MAKE: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) ctags-recursive \
-	install-am install-strip tags-recursive
-
-.PHONY: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) CTAGS GTAGS \
-	all all-am check check-am clean clean-generic \
-	clean-ipsecPROGRAMS clean-libtool ctags ctags-recursive \
-	distclean distclean-compile distclean-generic \
-	distclean-libtool distclean-tags distdir dvi dvi-am html \
-	html-am info info-am install install-am install-data \
-	install-data-am install-dvi install-dvi-am install-exec \
-	install-exec-am install-html install-html-am install-info \
-	install-info-am install-ipsecPROGRAMS install-man install-pdf \
-	install-pdf-am install-ps install-ps-am install-strip \
-	installcheck installcheck-am installdirs installdirs-am \
-	maintainer-clean maintainer-clean-generic mostlyclean \
-	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
-	pdf pdf-am ps ps-am tags tags-recursive uninstall uninstall-am \
-	uninstall-ipsecPROGRAMS
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-ipsecPROGRAMS clean-libtool ctags distclean \
+	distclean-compile distclean-generic distclean-libtool \
+	distclean-tags distdir dvi dvi-am html html-am info info-am \
+	install install-am install-data install-data-am install-dvi \
+	install-dvi-am install-exec install-exec-am install-html \
+	install-html-am install-info install-info-am \
+	install-ipsecPROGRAMS install-man install-pdf install-pdf-am \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags uninstall uninstall-am uninstall-ipsecPROGRAMS
 
 
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
diff --git a/src/charon/bus/bus.c b/src/charon/bus/bus.c
deleted file mode 100644
index 524a77682..000000000
--- a/src/charon/bus/bus.c
+++ /dev/null
@@ -1,753 +0,0 @@
-/*
- * Copyright (C) 2006 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "bus.h"
-
-#include <stdint.h>
-
-#include <daemon.h>
-#include <threading/thread.h>
-#include <threading/thread_value.h>
-#include <threading/condvar.h>
-#include <threading/mutex.h>
-
-ENUM(debug_names, DBG_DMN, DBG_LIB,
-	"DMN",
-	"MGR",
-	"IKE",
-	"CHD",
-	"JOB",
-	"CFG",
-	"KNL",
-	"NET",
-	"ENC",
-	"LIB",
-);
-
-ENUM(debug_lower_names, DBG_DMN, DBG_LIB,
-	"dmn",
-	"mgr",
-	"ike",
-	"chd",
-	"job",
-	"cfg",
-	"knl",
-	"net",
-	"enc",
-	"lib",
-);
-
-typedef struct private_bus_t private_bus_t;
-
-/**
- * Private data of a bus_t object.
- */
-struct private_bus_t {
-	/**
-	 * Public part of a bus_t object.
-	 */
-	bus_t public;
-
-	/**
-	 * List of registered listeners as entry_t's
-	 */
-	linked_list_t *listeners;
-
-	/**
-	 * mutex to synchronize active listeners, recursively
-	 */
-	mutex_t *mutex;
-
-	/**
-	 * Thread local storage the threads IKE_SA
-	 */
-	thread_value_t *thread_sa;
-};
-
-typedef struct entry_t entry_t;
-
-/**
- * a listener entry, either active or passive
- */
-struct entry_t {
-
-	/**
-	 * registered listener interface
-	 */
-	listener_t *listener;
-
-	/**
-	 * is this a active listen() call with a blocking thread
-	 */
-	bool blocker;
-
-	/**
-	 * are we currently calling this listener
-	 */
-	int calling;
-
-	/**
-	 * condvar where active listeners wait
-	 */
-	condvar_t *condvar;
-};
-
-/**
- * create a listener entry
- */
-static entry_t *entry_create(listener_t *listener, bool blocker)
-{
-	entry_t *this = malloc_thing(entry_t);
-
-	this->listener = listener;
-	this->blocker = blocker;
-	this->calling = 0;
-	this->condvar = condvar_create(CONDVAR_TYPE_DEFAULT);
-
-	return this;
-}
-
-/**
- * destroy an entry_t
- */
-static void entry_destroy(entry_t *entry)
-{
-	entry->condvar->destroy(entry->condvar);
-	free(entry);
-}
-
-/**
- * Implementation of bus_t.add_listener.
- */
-static void add_listener(private_bus_t *this, listener_t *listener)
-{
-	this->mutex->lock(this->mutex);
-	this->listeners->insert_last(this->listeners, entry_create(listener, FALSE));
-	this->mutex->unlock(this->mutex);
-}
-
-/**
- * Implementation of bus_t.remove_listener.
- */
-static void remove_listener(private_bus_t *this, listener_t *listener)
-{
-	enumerator_t *enumerator;
-	entry_t *entry;
-
-	this->mutex->lock(this->mutex);
-	enumerator = this->listeners->create_enumerator(this->listeners);
-	while (enumerator->enumerate(enumerator, &entry))
-	{
-		if (entry->listener == listener)
-		{
-			this->listeners->remove_at(this->listeners, enumerator);
-			entry_destroy(entry);
-			break;
-		}
-	}
-	enumerator->destroy(enumerator);
-	this->mutex->unlock(this->mutex);
-}
-
-typedef struct cleanup_data_t cleanup_data_t;
-
-/**
- * data to remove a listener using thread_cleanup_t handler
- */
-struct cleanup_data_t {
-	/** bus instance */
-	private_bus_t *this;
-	/** listener entry */
-	entry_t *entry;
-};
-
-/**
- * thread_cleanup_t handler to remove a listener
- */
-static void listener_cleanup(cleanup_data_t *data)
-{
-	data->this->listeners->remove(data->this->listeners, data->entry, NULL);
-	entry_destroy(data->entry);
-}
-
-/**
- * Implementation of bus_t.listen.
- */
-static void listen_(private_bus_t *this, listener_t *listener, job_t *job)
-{
-	bool old;
-	cleanup_data_t data;
-
-	data.this = this;
-	data.entry = entry_create(listener, TRUE);
-
-	this->mutex->lock(this->mutex);
-	this->listeners->insert_last(this->listeners, data.entry);
-	charon->processor->queue_job(charon->processor, job);
-	thread_cleanup_push((thread_cleanup_t)this->mutex->unlock, this->mutex);
-	thread_cleanup_push((thread_cleanup_t)listener_cleanup, &data);
-	old = thread_cancelability(TRUE);
-	while (data.entry->blocker)
-	{
-		data.entry->condvar->wait(data.entry->condvar, this->mutex);
-	}
-	thread_cancelability(old);
-	thread_cleanup_pop(FALSE);
-	/* unlock mutex */
-	thread_cleanup_pop(TRUE);
-	entry_destroy(data.entry);
-}
-
-/**
- * Implementation of bus_t.set_sa.
- */
-static void set_sa(private_bus_t *this, ike_sa_t *ike_sa)
-{
-	this->thread_sa->set(this->thread_sa, ike_sa);
-}
-
-/**
- * Implementation of bus_t.get_sa
- */
-static ike_sa_t* get_sa(private_bus_t *this)
-{
-	return this->thread_sa->get(this->thread_sa);
-}
-
-/**
- * data associated to a signal, passed to callback
- */
-typedef struct {
-	/** associated IKE_SA */
-	ike_sa_t *ike_sa;
-	/** invoking thread */
-	long thread;
-	/** debug group */
-	debug_t group;
-	/** debug level */
-	level_t level;
-	/** format string */
-	char *format;
-	/** argument list */
-	va_list args;
-} log_data_t;
-
-/**
- * listener->log() invocation as a list remove callback
- */
-static bool log_cb(entry_t *entry, log_data_t *data)
-{
-	va_list args;
-
-	if (entry->calling || !entry->listener->log)
-	{	/* avoid recursive calls */
-		return FALSE;
-	}
-	entry->calling++;
-	va_copy(args, data->args);
-	if (!entry->listener->log(entry->listener, data->group, data->level,
-							  data->thread, data->ike_sa, data->format, args))
-	{
-		if (entry->blocker)
-		{
-			entry->blocker = FALSE;
-			entry->condvar->signal(entry->condvar);
-		}
-		else
-		{
-			entry_destroy(entry);
-		}
-		va_end(args);
-		entry->calling--;
-		return TRUE;
-	}
-	va_end(args);
-	entry->calling--;
-	return FALSE;
-}
-
-/**
- * Implementation of bus_t.vlog.
- */
-static void vlog(private_bus_t *this, debug_t group, level_t level,
-				 char* format, va_list args)
-{
-	log_data_t data;
-
-	data.ike_sa = this->thread_sa->get(this->thread_sa);
-	data.thread = thread_current_id();
-	data.group = group;
-	data.level = level;
-	data.format = format;
-	va_copy(data.args, args);
-
-	this->mutex->lock(this->mutex);
-	/* We use the remove() method to invoke all listeners. This is cheap and
-	 * does not require an allocation for this performance critical function. */
-	this->listeners->remove(this->listeners, &data, (void*)log_cb);
-	this->mutex->unlock(this->mutex);
-
-	va_end(data.args);
-}
-
-/**
- * Implementation of bus_t.log.
- */
-static void log_(private_bus_t *this, debug_t group, level_t level,
-				 char* format, ...)
-{
-	va_list args;
-
-	va_start(args, format);
-	vlog(this, group, level, format, args);
-	va_end(args);
-}
-
-/**
- * unregister a listener
- */
-static void unregister_listener(private_bus_t *this, entry_t *entry,
-								enumerator_t *enumerator)
-{
-	if (entry->blocker)
-	{
-		entry->blocker = FALSE;
-		entry->condvar->signal(entry->condvar);
-	}
-	else
-	{
-		entry_destroy(entry);
-	}
-	this->listeners->remove_at(this->listeners, enumerator);
-}
-
-/**
- * Implementation of bus_t.alert
- */
-static void alert(private_bus_t *this, alert_t alert, ...)
-{
-	enumerator_t *enumerator;
-	ike_sa_t *ike_sa;
-	entry_t *entry;
-	va_list args;
-	bool keep;
-
-	ike_sa = this->thread_sa->get(this->thread_sa);
-
-	this->mutex->lock(this->mutex);
-	enumerator = this->listeners->create_enumerator(this->listeners);
-	while (enumerator->enumerate(enumerator, &entry))
-	{
-		if (entry->calling || !entry->listener->alert)
-		{
-			continue;
-		}
-		entry->calling++;
-		va_start(args, alert);
-		keep = entry->listener->alert(entry->listener, ike_sa, alert, args);
-		va_end(args);
-		entry->calling--;
-		if (!keep)
-		{
-			unregister_listener(this, entry, enumerator);
-		}
-	}
-	enumerator->destroy(enumerator);
-	this->mutex->unlock(this->mutex);
-}
-
-/**
- * Implementation of bus_t.ike_state_change
- */
-static void ike_state_change(private_bus_t *this, ike_sa_t *ike_sa,
-							 ike_sa_state_t state)
-{
-	enumerator_t *enumerator;
-	entry_t *entry;
-	bool keep;
-
-	this->mutex->lock(this->mutex);
-	enumerator = this->listeners->create_enumerator(this->listeners);
-	while (enumerator->enumerate(enumerator, &entry))
-	{
-		if (entry->calling || !entry->listener->ike_state_change)
-		{
-			continue;
-		}
-		entry->calling++;
-		keep = entry->listener->ike_state_change(entry->listener, ike_sa, state);
-		entry->calling--;
-		if (!keep)
-		{
-			unregister_listener(this, entry, enumerator);
-		}
-	}
-	enumerator->destroy(enumerator);
-	this->mutex->unlock(this->mutex);
-}
-
-/**
- * Implementation of bus_t.child_state_change
- */
-static void child_state_change(private_bus_t *this, child_sa_t *child_sa,
-							   child_sa_state_t state)
-{
-	enumerator_t *enumerator;
-	ike_sa_t *ike_sa;
-	entry_t *entry;
-	bool keep;
-
-	ike_sa = this->thread_sa->get(this->thread_sa);
-
-	this->mutex->lock(this->mutex);
-	enumerator = this->listeners->create_enumerator(this->listeners);
-	while (enumerator->enumerate(enumerator, &entry))
-	{
-		if (entry->calling || !entry->listener->child_state_change)
-		{
-			continue;
-		}
-		entry->calling++;
-		keep = entry->listener->child_state_change(entry->listener, ike_sa,
-												   child_sa, state);
-		entry->calling--;
-		if (!keep)
-		{
-			unregister_listener(this, entry, enumerator);
-		}
-	}
-	enumerator->destroy(enumerator);
-	this->mutex->unlock(this->mutex);
-}
-
-/**
- * Implementation of bus_t.message
- */
-static void message(private_bus_t *this, message_t *message, bool incoming)
-{
-	enumerator_t *enumerator;
-	ike_sa_t *ike_sa;
-	entry_t *entry;
-	bool keep;
-
-	ike_sa = this->thread_sa->get(this->thread_sa);
-
-	this->mutex->lock(this->mutex);
-	enumerator = this->listeners->create_enumerator(this->listeners);
-	while (enumerator->enumerate(enumerator, &entry))
-	{
-		if (entry->calling || !entry->listener->message)
-		{
-			continue;
-		}
-		entry->calling++;
-		keep = entry->listener->message(entry->listener, ike_sa,
-										message, incoming);
-		entry->calling--;
-		if (!keep)
-		{
-			unregister_listener(this, entry, enumerator);
-		}
-	}
-	enumerator->destroy(enumerator);
-	this->mutex->unlock(this->mutex);
-}
-
-/**
- * Implementation of bus_t.ike_keys
- */
-static void ike_keys(private_bus_t *this, ike_sa_t *ike_sa,
-					 diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r,
-					 ike_sa_t *rekey)
-{
-	enumerator_t *enumerator;
-	entry_t *entry;
-	bool keep;
-
-	this->mutex->lock(this->mutex);
-	enumerator = this->listeners->create_enumerator(this->listeners);
-	while (enumerator->enumerate(enumerator, &entry))
-	{
-		if (entry->calling || !entry->listener->ike_keys)
-		{
-			continue;
-		}
-		entry->calling++;
-		keep = entry->listener->ike_keys(entry->listener, ike_sa, dh,
-										 nonce_i, nonce_r, rekey);
-		entry->calling--;
-		if (!keep)
-		{
-			unregister_listener(this, entry, enumerator);
-		}
-	}
-	enumerator->destroy(enumerator);
-	this->mutex->unlock(this->mutex);
-}
-
-/**
- * Implementation of bus_t.child_keys
- */
-static void child_keys(private_bus_t *this, child_sa_t *child_sa,
-					   diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r)
-{
-	enumerator_t *enumerator;
-	ike_sa_t *ike_sa;
-	entry_t *entry;
-	bool keep;
-
-	ike_sa = this->thread_sa->get(this->thread_sa);
-
-	this->mutex->lock(this->mutex);
-	enumerator = this->listeners->create_enumerator(this->listeners);
-	while (enumerator->enumerate(enumerator, &entry))
-	{
-		if (entry->calling || !entry->listener->child_keys)
-		{
-			continue;
-		}
-		entry->calling++;
-		keep = entry->listener->child_keys(entry->listener, ike_sa, child_sa,
-										   dh, nonce_i, nonce_r);
-		entry->calling--;
-		if (!keep)
-		{
-			unregister_listener(this, entry, enumerator);
-		}
-	}
-	enumerator->destroy(enumerator);
-	this->mutex->unlock(this->mutex);
-}
-
-/**
- * Implementation of bus_t.child_updown
- */
-static void child_updown(private_bus_t *this, child_sa_t *child_sa, bool up)
-{
-	enumerator_t *enumerator;
-	ike_sa_t *ike_sa;
-	entry_t *entry;
-	bool keep;
-
-	ike_sa = this->thread_sa->get(this->thread_sa);
-
-	this->mutex->lock(this->mutex);
-	enumerator = this->listeners->create_enumerator(this->listeners);
-	while (enumerator->enumerate(enumerator, &entry))
-	{
-		if (entry->calling || !entry->listener->child_updown)
-		{
-			continue;
-		}
-		entry->calling++;
-		keep = entry->listener->child_updown(entry->listener,
-											 ike_sa, child_sa, up);
-		entry->calling--;
-		if (!keep)
-		{
-			unregister_listener(this, entry, enumerator);
-		}
-	}
-	enumerator->destroy(enumerator);
-	this->mutex->unlock(this->mutex);
-}
-
-/**
- * Implementation of bus_t.child_rekey
- */
-static void child_rekey(private_bus_t *this, child_sa_t *old, child_sa_t *new)
-{
-	enumerator_t *enumerator;
-	ike_sa_t *ike_sa;
-	entry_t *entry;
-	bool keep;
-
-	ike_sa = this->thread_sa->get(this->thread_sa);
-
-	this->mutex->lock(this->mutex);
-	enumerator = this->listeners->create_enumerator(this->listeners);
-	while (enumerator->enumerate(enumerator, &entry))
-	{
-		if (entry->calling || !entry->listener->child_rekey)
-		{
-			continue;
-		}
-		entry->calling++;
-		keep = entry->listener->child_rekey(entry->listener, ike_sa, old, new);
-		entry->calling--;
-		if (!keep)
-		{
-			unregister_listener(this, entry, enumerator);
-		}
-	}
-	enumerator->destroy(enumerator);
-	this->mutex->unlock(this->mutex);
-}
-
-/**
- * Implementation of bus_t.ike_updown
- */
-static void ike_updown(private_bus_t *this, ike_sa_t *ike_sa, bool up)
-{
-	enumerator_t *enumerator;
-	entry_t *entry;
-	bool keep;
-
-	this->mutex->lock(this->mutex);
-	enumerator = this->listeners->create_enumerator(this->listeners);
-	while (enumerator->enumerate(enumerator, &entry))
-	{
-		if (entry->calling || !entry->listener->ike_updown)
-		{
-			continue;
-		}
-		entry->calling++;
-		keep = entry->listener->ike_updown(entry->listener, ike_sa, up);
-		entry->calling--;
-		if (!keep)
-		{
-			unregister_listener(this, entry, enumerator);
-		}
-	}
-	enumerator->destroy(enumerator);
-	this->mutex->unlock(this->mutex);
-
-	/* a down event for IKE_SA implicitly downs all CHILD_SAs */
-	if (!up)
-	{
-		iterator_t *iterator;
-		child_sa_t *child_sa;
-
-		iterator = ike_sa->create_child_sa_iterator(ike_sa);
-		while (iterator->iterate(iterator, (void**)&child_sa))
-		{
-			child_updown(this, child_sa, FALSE);
-		}
-		iterator->destroy(iterator);
-	}
-}
-
-/**
- * Implementation of bus_t.ike_rekey
- */
-static void ike_rekey(private_bus_t *this, ike_sa_t *old, ike_sa_t *new)
-{
-	enumerator_t *enumerator;
-	entry_t *entry;
-	bool keep;
-
-	this->mutex->lock(this->mutex);
-	enumerator = this->listeners->create_enumerator(this->listeners);
-	while (enumerator->enumerate(enumerator, &entry))
-	{
-		if (entry->calling || !entry->listener->ike_rekey)
-		{
-			continue;
-		}
-		entry->calling++;
-		keep = entry->listener->ike_rekey(entry->listener, old, new);
-		entry->calling--;
-		if (!keep)
-		{
-			unregister_listener(this, entry, enumerator);
-		}
-	}
-	enumerator->destroy(enumerator);
-	this->mutex->unlock(this->mutex);
-}
-
-/**
- * Implementation of bus_t.authorize
- */
-static bool authorize(private_bus_t *this, bool final)
-{
-	enumerator_t *enumerator;
-	ike_sa_t *ike_sa;
-	entry_t *entry;
-	bool keep, success = TRUE;
-
-	ike_sa = this->thread_sa->get(this->thread_sa);
-
-	this->mutex->lock(this->mutex);
-	enumerator = this->listeners->create_enumerator(this->listeners);
-	while (enumerator->enumerate(enumerator, &entry))
-	{
-		if (entry->calling || !entry->listener->authorize)
-		{
-			continue;
-		}
-		entry->calling++;
-		keep = entry->listener->authorize(entry->listener, ike_sa,
-										  final, &success);
-		entry->calling--;
-		if (!keep)
-		{
-			unregister_listener(this, entry, enumerator);
-		}
-		if (!success)
-		{
-			break;
-		}
-	}
-	enumerator->destroy(enumerator);
-	this->mutex->unlock(this->mutex);
-	return success;
-}
-
-/**
- * Implementation of bus_t.destroy.
- */
-static void destroy(private_bus_t *this)
-{
-	this->thread_sa->destroy(this->thread_sa);
-	this->mutex->destroy(this->mutex);
-	this->listeners->destroy_function(this->listeners, (void*)entry_destroy);
-	free(this);
-}
-
-/*
- * Described in header.
- */
-bus_t *bus_create()
-{
-	private_bus_t *this = malloc_thing(private_bus_t);
-
-	this->public.add_listener = (void(*)(bus_t*,listener_t*))add_listener;
-	this->public.remove_listener = (void(*)(bus_t*,listener_t*))remove_listener;
-	this->public.listen = (void(*)(bus_t*, listener_t *listener, job_t *job))listen_;
-	this->public.set_sa = (void(*)(bus_t*,ike_sa_t*))set_sa;
-	this->public.get_sa = (ike_sa_t*(*)(bus_t*))get_sa;
-	this->public.log = (void(*)(bus_t*,debug_t,level_t,char*,...))log_;
-	this->public.vlog = (void(*)(bus_t*,debug_t,level_t,char*,va_list))vlog;
-	this->public.alert = (void(*)(bus_t*, alert_t alert, ...))alert;
-	this->public.ike_state_change = (void(*)(bus_t*,ike_sa_t*,ike_sa_state_t))ike_state_change;
-	this->public.child_state_change = (void(*)(bus_t*,child_sa_t*,child_sa_state_t))child_state_change;
-	this->public.message = (void(*)(bus_t*, message_t *message, bool incoming))message;
-	this->public.ike_keys = (void(*)(bus_t*, ike_sa_t *ike_sa, diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r, ike_sa_t *rekey))ike_keys;
-	this->public.child_keys = (void(*)(bus_t*, child_sa_t *child_sa, diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r))child_keys;
-	this->public.ike_updown = (void(*)(bus_t*, ike_sa_t *ike_sa, bool up))ike_updown;
-	this->public.ike_rekey = (void(*)(bus_t*, ike_sa_t *old, ike_sa_t *new))ike_rekey;
-	this->public.child_updown = (void(*)(bus_t*, child_sa_t *child_sa, bool up))child_updown;
-	this->public.child_rekey = (void(*)(bus_t*, child_sa_t *old, child_sa_t *new))child_rekey;
-	this->public.authorize = (bool(*)(bus_t*, bool final))authorize;
-	this->public.destroy = (void(*)(bus_t*)) destroy;
-
-	this->listeners = linked_list_create();
-	this->mutex = mutex_create(MUTEX_TYPE_RECURSIVE);
-	this->thread_sa = thread_value_create(NULL);
-
-	return &this->public;
-}
-
diff --git a/src/charon/bus/bus.h b/src/charon/bus/bus.h
deleted file mode 100644
index af59a14a1..000000000
--- a/src/charon/bus/bus.h
+++ /dev/null
@@ -1,338 +0,0 @@
-/*
- * Copyright (C) 2006-2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup bus bus
- * @{ @ingroup charon
- */
-
-#ifndef BUS_H_
-#define BUS_H_
-
-typedef enum debug_t debug_t;
-typedef enum level_t level_t;
-typedef enum alert_t alert_t;
-typedef struct bus_t bus_t;
-
-#include <stdarg.h>
-
-#include <sa/ike_sa.h>
-#include <sa/child_sa.h>
-#include <processing/jobs/job.h>
-#include <bus/listeners/listener.h>
-
-/**
- * Debug message group.
- */
-enum debug_t {
-	/** daemon main loop */
-	DBG_DMN,
-	/** IKE_SA_MANAGER */
-	DBG_MGR,
-	/** IKE_SA */
-	DBG_IKE,
-	/** CHILD_SA */
-	DBG_CHD,
-	/** job processing */
-	DBG_JOB,
-	/** configuration backends */
-	DBG_CFG,
-	/** kernel interface */
-	DBG_KNL,
-	/** networking/sockets */
-	DBG_NET,
-	/** message encoding/decoding */
-	DBG_ENC,
-	/** libstrongswan via logging hook */
-	DBG_LIB,
-	/** number of groups */
-	DBG_MAX,
-	/** pseudo group with all groups */
-	DBG_ANY = DBG_MAX,
-};
-
-/**
- * short names of debug message group.
- */
-extern enum_name_t *debug_names;
-
-/**
- * short names of debug message group, lower case.
- */
-extern enum_name_t *debug_lower_names;
-
-/**
- * Debug levels used to control output verbosity.
- */
-enum level_t {
-	/** absolutely silent */
-	LEVEL_SILENT = 	-1,
-	/** most important auditing logs */
-	LEVEL_AUDIT = 	 0,
-	/** control flow */
-	LEVEL_CTRL = 	 1,
-	/** diagnose problems */
-	LEVEL_DIAG = 	 2,
-	/** raw binary blobs */
-	LEVEL_RAW = 	 3,
-	/** including sensitive data (private keys) */
-	LEVEL_PRIVATE =  4,
-};
-
-#ifndef DEBUG_LEVEL
-# define DEBUG_LEVEL 4
-#endif /* DEBUG_LEVEL */
-
-#if DEBUG_LEVEL >= 0
-#define DBG0(group, format, ...) charon->bus->log(charon->bus, group, 0, format, ##__VA_ARGS__)
-#endif /* DEBUG_LEVEL >= 0 */
-#if DEBUG_LEVEL >= 1
-#define DBG1(group, format, ...) charon->bus->log(charon->bus, group, 1, format, ##__VA_ARGS__)
-#endif /* DEBUG_LEVEL >= 1 */
-#if DEBUG_LEVEL >= 2
-#define DBG2(group, format, ...) charon->bus->log(charon->bus, group, 2, format, ##__VA_ARGS__)
-#endif /* DEBUG_LEVEL >= 2 */
-#if DEBUG_LEVEL >= 3
-#define DBG3(group, format, ...) charon->bus->log(charon->bus, group, 3, format, ##__VA_ARGS__)
-#endif /* DEBUG_LEVEL >= 3 */
-#if DEBUG_LEVEL >= 4
-#define DBG4(group, format, ...) charon->bus->log(charon->bus, group, 4, format, ##__VA_ARGS__)
-#endif /* DEBUG_LEVEL >= 4 */
-
-#ifndef DBG0
-# define DBG0(...) {}
-#endif /* DBG0 */
-#ifndef DBG1
-# define DBG1(...) {}
-#endif /* DBG1 */
-#ifndef DBG2
-# define DBG2(...) {}
-#endif /* DBG2 */
-#ifndef DBG3
-# define DBG3(...) {}
-#endif /* DBG3 */
-#ifndef DBG4
-# define DBG4(...) {}
-#endif /* DBG4 */
-
-/**
- * Kind of alerts to raise.
- */
-enum alert_t {
-	/* a RADIUS server did not respond, no additional arguments */
-	ALERT_RADIUS_NOT_RESPONDING,
-	/* a shutdown signal has been received, argument is a int with the signal */
-	ALERT_SHUTDOWN_SIGNAL,
-};
-
-/**
- * The bus receives events and sends them to all registered listeners.
- *
- * Any events sent to are delivered to all registered listeners. Threads
- * may wait actively to events using the blocking listen() call.
- */
-struct bus_t {
-
-	/**
-	 * Register a listener to the bus.
-	 *
-	 * A registered listener receives all events which are sent to the bus.
-	 * The listener is passive; the thread which emitted the event
-	 * processes the listener routine.
-	 *
-	 * @param listener	listener to register.
-	 */
-	void (*add_listener) (bus_t *this, listener_t *listener);
-
-	/**
-	 * Unregister a listener from the bus.
-	 *
-	 * @param listener	listener to unregister.
-	 */
-	void (*remove_listener) (bus_t *this, listener_t *listener);
-
-	/**
-	 * Register a listener and block the calling thread.
-	 *
-	 * This call registers a listener and blocks the calling thread until
-	 * its listeners function returns FALSE. This allows to wait for certain
-	 * events. The associated job is executed after the listener has been
-	 * registered: This allows to listen on events we initiate with the job,
-	 * without missing any events to job may fire.
-	 *
-	 * @param listener	listener to register
-	 * @param job		job to execute asynchronously when registered, or NULL
-	 */
-	void (*listen)(bus_t *this, listener_t *listener, job_t *job);
-
-	/**
-	 * Set the IKE_SA the calling thread is using.
-	 *
-	 * To associate an received log message to an IKE_SA without passing it as
-	 * parameter each time, the thread registers the currenlty used IKE_SA
-	 * during check-out. Before check-in, the thread unregisters the IKE_SA.
-	 * This IKE_SA is stored per-thread, so each thread has its own IKE_SA
-	 * registered.
-	 *
-	 * @param ike_sa	ike_sa to register, or NULL to unregister
-	 */
-	void (*set_sa) (bus_t *this, ike_sa_t *ike_sa);
-
-	/**
-	 * Get the IKE_SA the calling thread is currently using.
-	 *
-	 * If a thread currently does not know what IKE_SA it is processing,
-	 * it can call get_sa() to look up the SA set during checkout via set_sa().
-	 *
-	 * @return			registered ike_sa, NULL if none registered
-	 */
-	ike_sa_t* (*get_sa)(bus_t *this);
-
-	/**
-	 * Send a log message to the bus.
-	 *
-	 * The signal specifies the type of the event occured. The format string
-	 * specifies an additional informational or error message with a
-	 * printf() like variable argument list.
-	 * Use the DBG() macros.
-	 *
-	 * @param group		debugging group
-	 * @param level		verbosity level of the signal
-	 * @param format	printf() style format string
-	 * @param ...		printf() style argument list
-	 */
-	void (*log)(bus_t *this, debug_t group, level_t level, char* format, ...);
-
-	/**
-	 * Send a log message to the bus using va_list arguments.
-	 *
-	 * Same as bus_t.signal(), but uses va_list argument list.
-	 *
-	 * @param group		kind of the signal (up, down, rekeyed, ...)
-	 * @param level		verbosity level of the signal
-	 * @param format	printf() style format string
-	 * @param args		va_list arguments
-	 */
-	void (*vlog)(bus_t *this, debug_t group, level_t level,
-				 char* format, va_list args);
-
-	/**
-	 * Raise an alert over the bus.
-	 *
-	 * @param alert		kind of alert
-	 * @param ...		alert specific attributes
-	 */
-	void (*alert)(bus_t *this, alert_t alert, ...);
-
-	/**
-	 * Send a IKE_SA state change event to the bus.
-	 *
-	 * @param ike_sa	IKE_SA which changes its state
-	 * @param state		new state IKE_SA changes to
-	 */
-	void (*ike_state_change)(bus_t *this, ike_sa_t *ike_sa,
-							 ike_sa_state_t state);
-	/**
-	 * Send a CHILD_SA state change event to the bus.
-	 *
-	 * @param child_sa	CHILD_SA which changes its state
-	 * @param state		new state CHILD_SA changes to
-	 */
-	void (*child_state_change)(bus_t *this, child_sa_t *child_sa,
-							   child_sa_state_t state);
-	/**
-	 * Message send/receive hook.
-	 *
-	 * @param message	message to send/receive
-	 * @param incoming	TRUE for incoming messages, FALSE for outgoing
-	 */
-	void (*message)(bus_t *this, message_t *message, bool incoming);
-
-	/**
-	 * IKE_SA authorization hook.
-	 *
-	 * @param final		TRUE if this is the final invocation
-	 * @return			TRUE to establish IKE_SA, FALSE to send AUTH_FAILED
-	 */
-	bool (*authorize)(bus_t *this, bool final);
-
-	/**
-	 * IKE_SA keymat hook.
-	 *
-	 * @param ike_sa	IKE_SA this keymat belongs to
-	 * @param dh		diffie hellman shared secret
-	 * @param nonce_i	initiators nonce
-	 * @param nonce_r	responders nonce
-	 * @param rekey		IKE_SA we are rekeying, if any
-	 */
-	void (*ike_keys)(bus_t *this, ike_sa_t *ike_sa, diffie_hellman_t *dh,
-					 chunk_t nonce_i, chunk_t nonce_r, ike_sa_t *rekey);
-	/**
-	 * CHILD_SA keymat hook.
-	 *
-	 * @param child_sa	CHILD_SA this keymat is used for
-	 * @param dh		diffie hellman shared secret
-	 * @param nonce_i	initiators nonce
-	 * @param nonce_r	responders nonce
-	 */
-	void (*child_keys)(bus_t *this, child_sa_t *child_sa, diffie_hellman_t *dh,
-					   chunk_t nonce_i, chunk_t nonce_r);
-
-	/**
-	 * IKE_SA up/down hook.
-	 *
-	 * @param ike_sa	IKE_SA coming up/going down
-	 * @param up		TRUE for an up event, FALSE for a down event
-	 */
-	void (*ike_updown)(bus_t *this, ike_sa_t *ike_sa, bool up);
-
-	/**
-	 * IKE_SA rekeying hook.
-	 *
-	 * @param old		rekeyed and obsolete IKE_SA
-	 * @param new		new IKE_SA replacing old
-	 */
-	void (*ike_rekey)(bus_t *this, ike_sa_t *old, ike_sa_t *new);
-
-	/**
-	 * CHILD_SA up/down hook.
-	 *
-	 * @param child_sa	CHILD_SA coming up/going down
-	 * @param up		TRUE for an up event, FALSE for a down event
-	 */
-	void (*child_updown)(bus_t *this, child_sa_t *child_sa, bool up);
-
-	/**
-	 * CHILD_SA rekeying hook.
-	 *
-	 * @param old		rekeyed and obsolete CHILD_SA
-	 * @param new		new CHILD_SA replacing old
-	 */
-	void (*child_rekey)(bus_t *this, child_sa_t *old, child_sa_t *new);
-
-	/**
-	 * Destroy the event bus.
-	 */
-	void (*destroy) (bus_t *this);
-};
-
-/**
- * Create the event bus which forwards events to its listeners.
- *
- * @return		event bus instance
- */
-bus_t *bus_create();
-
-#endif /** BUS_H_ @}*/
diff --git a/src/charon/bus/listeners/file_logger.c b/src/charon/bus/listeners/file_logger.c
deleted file mode 100644
index 12587deaf..000000000
--- a/src/charon/bus/listeners/file_logger.c
+++ /dev/null
@@ -1,125 +0,0 @@
-/*
- * Copyright (C) 2006 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <stdio.h>
-#include <string.h>
-
-#include "file_logger.h"
-
-
-typedef struct private_file_logger_t private_file_logger_t;
-
-/**
- * Private data of a file_logger_t object
- */
-struct private_file_logger_t {
-
-	/**
-	 * Public data.
-	 */
-	file_logger_t public;
-
-	/**
-	 * output file
-	 */
-	FILE *out;
-
-	/**
-	 * Maximum level to log, for each group
-	 */
-	level_t levels[DBG_MAX];
-};
-
-/**
- * Implementation of bus_listener_t.log.
- */
-static bool log_(private_file_logger_t *this, debug_t group, level_t level,
-				 int thread, ike_sa_t* ike_sa, char *format, va_list args)
-{
-	if (level <= this->levels[group])
-	{
-		char buffer[8192];
-		char *current = buffer, *next;
-
-		/* write in memory buffer first */
-		vsnprintf(buffer, sizeof(buffer), format, args);
-
-		/* prepend a prefix in front of every line */
-		while (current)
-		{
-			next = strchr(current, '\n');
-			if (next)
-			{
-				*(next++) = '\0';
-			}
-			fprintf(this->out, "%.2d[%N] %s\n",
-					thread, debug_names, group, current);
-			current = next;
-		}
-	}
-	/* always stay registered */
-	return TRUE;
-}
-
-/**
- * Implementation of file_logger_t.set_level.
- */
-static void set_level(private_file_logger_t *this, debug_t group, level_t level)
-{
-	if (group < DBG_ANY)
-	{
-		this->levels[group] = level;
-	}
-	else
-	{
-		for (group = 0; group < DBG_MAX; group++)
-		{
-			this->levels[group] = level;
-		}
-	}
-}
-
-/**
- * Implementation of file_logger_t.destroy.
- */
-static void destroy(private_file_logger_t *this)
-{
-	if (this->out != stdout && this->out != stderr)
-	{
-		fclose(this->out);
-	}
-	free(this);
-}
-
-/*
- * Described in header.
- */
-file_logger_t *file_logger_create(FILE *out)
-{
-	private_file_logger_t *this = malloc_thing(private_file_logger_t);
-
-	/* public functions */
-	memset(&this->public.listener, 0, sizeof(listener_t));
-	this->public.listener.log = (bool(*)(listener_t*,debug_t,level_t,int,ike_sa_t*,char*,va_list))log_;
-	this->public.set_level = (void(*)(file_logger_t*,debug_t,level_t))set_level;
-	this->public.destroy = (void(*)(file_logger_t*))destroy;
-
-	/* private variables */
-	this->out = out;
-	set_level(this, DBG_ANY, LEVEL_SILENT);
-
-	return &this->public;
-}
-
diff --git a/src/charon/bus/listeners/file_logger.h b/src/charon/bus/listeners/file_logger.h
deleted file mode 100644
index bd443fdb8..000000000
--- a/src/charon/bus/listeners/file_logger.h
+++ /dev/null
@@ -1,60 +0,0 @@
-/*
- * Copyright (C) 2006 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup file_logger file_logger
- * @{ @ingroup listeners
- */
-
-#ifndef FILE_LOGGER_H_
-#define FILE_LOGGER_H_
-
-#include <bus/listeners/listener.h>
-
-typedef struct file_logger_t file_logger_t;
-
-/**
- * Logger to files which implements listener_t.
- */
-struct file_logger_t {
-
-	/**
-	 * Implements the listener_t interface.
-	 */
-	listener_t listener;
-
-	/**
-	 * Set the loglevel for a debug group.
-	 *
-	 * @param group		debug group to set
-	 * @param level		max level to log (0..4)
-	 */
-	void (*set_level) (file_logger_t *this, debug_t group, level_t level);
-
-	/**
-	 * Destroys a file_logger_t object.
-	 */
-	void (*destroy) (file_logger_t *this);
-};
-
-/**
- * Constructor to create a file_logger_t object.
- *
- * @param out		FILE to write to
- * @return			file_logger_t object
- */
-file_logger_t *file_logger_create(FILE *out);
-
-#endif /** FILE_LOGGER_H_ @}*/
diff --git a/src/charon/bus/listeners/listener.h b/src/charon/bus/listeners/listener.h
deleted file mode 100644
index 67e36beeb..000000000
--- a/src/charon/bus/listeners/listener.h
+++ /dev/null
@@ -1,178 +0,0 @@
-/*
- * Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup listener listener
- * @{ @ingroup listeners
- */
-
-#ifndef LISTENER_H_
-#define LISTENER_H_
-
-typedef struct listener_t listener_t;
-
-#include <bus/bus.h>
-
-/**
- * Listener interface, listens to events if registered to the bus.
- */
-struct listener_t {
-
-	/**
-	 * Log a debugging message.
-	 *
-	 * The implementing signal function returns TRUE to stay registered
-	 * to the bus, or FALSE to unregister itself.
-	 * Calling bus_t.log() inside of a registered listener is possible,
-	 * but the bus does not invoke listeners recursively.
-	 *
-	 * @param group		kind of the signal (up, down, rekeyed, ...)
-	 * @param level		verbosity level of the signal
-	 * @param thread	ID of the thread raised this signal
-	 * @param ike_sa	IKE_SA associated to the event
-	 * @param format	printf() style format string
-	 * @param args		vprintf() style va_list argument list
-	 " @return			TRUE to stay registered, FALSE to unregister
-	 */
-	bool (*log)(listener_t *this, debug_t group, level_t level, int thread,
-				ike_sa_t *ike_sa, char* format, va_list args);
-
-	/**
-	 * Hook called if a critical alert is risen.
-	 *
-	 * @param ike_sa	IKE_SA associated to the alert, if any
-	 * @param alert		kind of alert
-	 * @param ...		alert specific argument list
-	 " @return			TRUE to stay registered, FALSE to unregister
-	 */
-	bool (*alert)(listener_t *this, ike_sa_t *ike_sa,
-				  alert_t alert, va_list args);
-
-	/**
-	 * Handle state changes in an IKE_SA.
-	 *
-	 * @param ike_sa	IKE_SA which changes its state
-	 * @param state		new IKE_SA state this IKE_SA changes to
-	 * @return			TRUE to stay registered, FALSE to unregister
-	 */
-	bool (*ike_state_change)(listener_t *this, ike_sa_t *ike_sa,
-							 ike_sa_state_t state);
-
-	/**
-	 * Handle state changes in a CHILD_SA.
-	 *
-	 * @param ike_sa	IKE_SA containing the affected CHILD_SA
-	 * @param child_sa	CHILD_SA which changes its state
-	 * @param state		new CHILD_SA state this CHILD_SA changes to
-	 * @return			TRUE to stay registered, FALSE to unregister
-	 */
-	bool (*child_state_change)(listener_t *this, ike_sa_t *ike_sa,
-							   child_sa_t *child_sa, child_sa_state_t state);
-
-	/**
-	 * Hook called for received/sent messages of an IKE_SA.
-	 *
-	 * @param ike_sa	IKE_SA sending/receving a message
-	 * @param message	message object
-	 * @param incoming	TRUE for incoming messages, FALSE for outgoing
-	 * @return			TRUE to stay registered, FALSE to unregister
-	 */
-	bool (*message)(listener_t *this, ike_sa_t *ike_sa, message_t *message,
-					bool incoming);
-
-	/**
-	 * Hook called with IKE_SA key material.
-	 *
-	 * @param ike_sa	IKE_SA this keymat belongs to
-	 * @param dh		diffie hellman shared secret
-	 * @param nonce_i	initiators nonce
-	 * @param nonce_r	responders nonce
-	 * @param rekey		IKE_SA we are rekeying, if any
-	 * @return			TRUE to stay registered, FALSE to unregister
-	 */
-	bool (*ike_keys)(listener_t *this, ike_sa_t *ike_sa, diffie_hellman_t *dh,
-					 chunk_t nonce_i, chunk_t nonce_r, ike_sa_t *rekey);
-
-	/**
-	 * Hook called with CHILD_SA key material.
-	 *
-	 * @param ike_sa	IKE_SA the child sa belongs to
-	 * @param child_sa	CHILD_SA this keymat is used for
-	 * @param dh		diffie hellman shared secret
-	 * @param nonce_i	initiators nonce
-	 * @param nonce_r	responders nonce
-	 * @return			TRUE to stay registered, FALSE to unregister
-	 */
-	bool (*child_keys)(listener_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa,
-					   diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r);
-
-	/**
-	 * Hook called if an IKE_SA gets up or down.
-	 *
-	 * @param ike_sa	IKE_SA coming up/going down
-	 * @param up		TRUE for an up event, FALSE for a down event
-	 * @return			TRUE to stay registered, FALSE to unregister
-	 */
-	bool (*ike_updown)(listener_t *this, ike_sa_t *ike_sa, bool up);
-
-	/**
-	 * Hook called when an IKE_SA gets rekeyed.
-	 *
-	 * @param old		rekeyed IKE_SA getting obsolete
-	 * @param new		new IKE_SA replacing old
-	 * @return			TRUE to stay registered, FALSE to unregister
-	 */
-	bool (*ike_rekey)(listener_t *this, ike_sa_t *old, ike_sa_t *new);
-
-	/**
-	 * Hook called when a CHILD_SA gets up or down.
-	 *
-	 * @param ike_sa	IKE_SA containing the handled CHILD_SA
-	 * @param child_sa	CHILD_SA coming up/going down
-	 * @param up		TRUE for an up event, FALSE for a down event
-	 * @return			TRUE to stay registered, FALSE to unregister
-	 */
-	bool (*child_updown)(listener_t *this, ike_sa_t *ike_sa,
-						 child_sa_t *child_sa, bool up);
-
-	/**
-	 * Hook called when an CHILD_SA gets rekeyed.
-	 *
-	 * @param ike_sa	IKE_SA containing the rekeyed CHILD_SA
-	 * @param old		rekeyed CHILD_SA getting obsolete
-	 * @param new		new CHILD_SA replacing old
-	 * @return			TRUE to stay registered, FALSE to unregister
-	 */
-	bool (*child_rekey)(listener_t *this, ike_sa_t *ike_sa,
-						child_sa_t *old, child_sa_t *new);
-
-	/**
-	 * Hook called to invoke additional authorization rules.
-	 *
-	 * An authorization hook gets invoked several times: After each
-	 * authentication round, the hook gets invoked with with final = FALSE.
-	 * After authentication is complete and the peer configuration is selected,
-	 * it is invoked again, but with final = TRUE.
-	 *
-	 * @param ike_sa	IKE_SA to authorize
-	 * @param final		TRUE if this is the final hook invocation
-	 * @param success	set to TRUE to complete IKE_SA, FALSE abort
-	 * @return			TRUE to stay registered, FALSE to unregister
-	 */
-	bool (*authorize)(listener_t *this, ike_sa_t *ike_sa,
-					  bool final, bool *success);
-};
-
-#endif /** LISTENER_H_ @}*/
diff --git a/src/charon/bus/listeners/sys_logger.c b/src/charon/bus/listeners/sys_logger.c
deleted file mode 100644
index 11421ad05..000000000
--- a/src/charon/bus/listeners/sys_logger.c
+++ /dev/null
@@ -1,121 +0,0 @@
-/*
- * Copyright (C) 2006 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <stdio.h>
-#include <string.h>
-
-#include "sys_logger.h"
-
-
-typedef struct private_sys_logger_t private_sys_logger_t;
-
-/**
- * Private data of a sys_logger_t object
- */
-struct private_sys_logger_t {
-
-	/**
-	 * Public data.
-	 */
-	sys_logger_t public;
-
-	/**
-	 * syslog facility to use
-	 */
-	int facility;
-
-	/**
-	 * Maximum level to log, for each group
-	 */
-	level_t levels[DBG_MAX];
-};
-
-/**
- * Implementation of listener_t.log.
- */
-static bool log_(private_sys_logger_t *this, debug_t group, level_t level,
-				 int thread, ike_sa_t* ike_sa, char *format, va_list args)
-{
-	if (level <= this->levels[group])
-	{
-		char buffer[8192];
-		char *current = buffer, *next;
-
-		/* write in memory buffer first */
-		vsnprintf(buffer, sizeof(buffer), format, args);
-
-		/* do a syslog with every line */
-		while (current)
-		{
-			next = strchr(current, '\n');
-			if (next)
-			{
-				*(next++) = '\0';
-			}
-			syslog(this->facility|LOG_INFO, "%.2d[%N] %s\n",
-				   thread, debug_names, group, current);
-			current = next;
-		}
-	}
-	/* always stay registered */
-	return TRUE;
-}
-
-/**
- * Implementation of sys_logger_t.set_level.
- */
-static void set_level(private_sys_logger_t *this, debug_t group, level_t level)
-{
-	if (group < DBG_ANY)
-	{
-		this->levels[group] = level;
-	}
-	else
-	{
-		for (group = 0; group < DBG_MAX; group++)
-		{
-			this->levels[group] = level;
-		}
-	}
-}
-
-/**
- * Implementation of sys_logger_t.destroy.
- */
-static void destroy(private_sys_logger_t *this)
-{
-	closelog();
-	free(this);
-}
-
-/*
- * Described in header.
- */
-sys_logger_t *sys_logger_create(int facility)
-{
-	private_sys_logger_t *this = malloc_thing(private_sys_logger_t);
-
-	/* public functions */
-	memset(&this->public.listener, 0, sizeof(listener_t));
-	this->public.listener.log = (bool(*)(listener_t*,debug_t,level_t,int,ike_sa_t*,char*,va_list))log_;
-	this->public.set_level = (void(*)(sys_logger_t*,debug_t,level_t))set_level;
-	this->public.destroy = (void(*)(sys_logger_t*))destroy;
-
-	/* private variables */
-	this->facility = facility;
-	set_level(this, DBG_ANY, LEVEL_SILENT);
-
-	return &this->public;
-}
diff --git a/src/charon/bus/listeners/sys_logger.h b/src/charon/bus/listeners/sys_logger.h
deleted file mode 100644
index 730890d68..000000000
--- a/src/charon/bus/listeners/sys_logger.h
+++ /dev/null
@@ -1,62 +0,0 @@
-/*
- * Copyright (C) 2006 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup sys_logger sys_logger
- * @{ @ingroup listeners
- */
-
-#ifndef SYS_LOGGER_H_
-#define SYS_LOGGER_H_
-
-#include <syslog.h>
-
-#include <bus/listeners/listener.h>
-
-typedef struct sys_logger_t sys_logger_t;
-
-/**
- * Logger for syslog which implements listener_t.
- */
-struct sys_logger_t {
-
-	/**
-	 * Implements the listener_t interface.
-	 */
-	listener_t listener;
-
-	/**
-	 * Set the loglevel for a debug group.
-	 *
-	 * @param group		debug group to set
-	 * @param level		max level to log (0..4)
-	 */
-	void (*set_level) (sys_logger_t *this, debug_t group, level_t level);
-
-	/**
-	 * Destroys a sys_logger_t object.
-	 */
-	void (*destroy) (sys_logger_t *this);
-};
-
-/**
- * Constructor to create a sys_logger_t object.
- *
- * @param facility	syslog facility to use
- * @return			sys_logger_t object
- */
-sys_logger_t *sys_logger_create(int facility);
-
-#endif /** SYS_LOGGER_H_ @}*/
diff --git a/src/charon/charon.c b/src/charon/charon.c
new file mode 100644
index 000000000..9b552fb62
--- /dev/null
+++ b/src/charon/charon.c
@@ -0,0 +1,417 @@
+/*
+ * Copyright (C) 2006-2010 Tobias Brunner
+ * Copyright (C) 2005-2009 Martin Willi
+ * Copyright (C) 2006 Daniel Roethlisberger
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <stdio.h>
+#ifdef HAVE_PRCTL
+#include <sys/prctl.h>
+#endif
+#define _POSIX_PTHREAD_SEMANTICS /* for two param sigwait on OpenSolaris */
+#include <signal.h>
+#undef _POSIX_PTHREAD_SEMANTICS
+#include <pthread.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <unistd.h>
+#include <getopt.h>
+#include <pwd.h>
+#include <grp.h>
+
+#include <hydra.h>
+#include <daemon.h>
+
+#include <library.h>
+#include <utils/backtrace.h>
+#include <threading/thread.h>
+
+/**
+ * PID file, in which charon stores its process id
+ */
+#define PID_FILE IPSEC_PIDDIR "/charon.pid"
+
+/**
+ * hook in library for debugging messages
+ */
+extern void (*dbg) (debug_t group, level_t level, char *fmt, ...);
+
+/**
+ * Logging hook for library logs, using stderr output
+ */
+static void dbg_stderr(debug_t group, level_t level, char *fmt, ...)
+{
+	va_list args;
+
+	if (level <= 1)
+	{
+		va_start(args, fmt);
+		fprintf(stderr, "00[%N] ", debug_names, group);
+		vfprintf(stderr, fmt, args);
+		fprintf(stderr, "\n");
+		va_end(args);
+	}
+}
+
+/**
+ * Run the daemon and handle unix signals
+ */
+static void run()
+{
+	sigset_t set;
+
+	/* handle SIGINT, SIGHUP ans SIGTERM in this handler */
+	sigemptyset(&set);
+	sigaddset(&set, SIGINT);
+	sigaddset(&set, SIGHUP);
+	sigaddset(&set, SIGTERM);
+	sigprocmask(SIG_BLOCK, &set, NULL);
+
+	while (TRUE)
+	{
+		int sig;
+		int error;
+
+		error = sigwait(&set, &sig);
+		if (error)
+		{
+			DBG1(DBG_DMN, "error %d while waiting for a signal", error);
+			return;
+		}
+		switch (sig)
+		{
+			case SIGHUP:
+			{
+				DBG1(DBG_DMN, "signal of type SIGHUP received. Ignored");
+				break;
+			}
+			case SIGINT:
+			{
+				DBG1(DBG_DMN, "signal of type SIGINT received. Shutting down");
+				charon->bus->alert(charon->bus, ALERT_SHUTDOWN_SIGNAL, sig);
+				return;
+			}
+			case SIGTERM:
+			{
+				DBG1(DBG_DMN, "signal of type SIGTERM received. Shutting down");
+				charon->bus->alert(charon->bus, ALERT_SHUTDOWN_SIGNAL, sig);
+				return;
+			}
+			default:
+			{
+				DBG1(DBG_DMN, "unknown signal %d received. Ignored", sig);
+				break;
+			}
+		}
+	}
+}
+
+/**
+ * drop daemon capabilities
+ */
+static bool drop_capabilities()
+{
+#ifdef HAVE_PRCTL
+	prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0);
+#endif
+
+	if (setgid(charon->gid) != 0)
+	{
+		DBG1(DBG_DMN, "change to unprivileged group failed");
+		return FALSE;
+	}
+	if (setuid(charon->uid) != 0)
+	{
+		DBG1(DBG_DMN, "change to unprivileged user failed");
+		return FALSE;
+	}
+	if (!charon->drop_capabilities(charon))
+	{
+		DBG1(DBG_DMN, "unable to drop daemon capabilities");
+		return FALSE;
+	}
+	return TRUE;
+}
+
+/**
+ * lookup UID and GID
+ */
+static bool lookup_uid_gid()
+{
+#ifdef IPSEC_USER
+	{
+		char buf[1024];
+		struct passwd passwd, *pwp;
+
+		if (getpwnam_r(IPSEC_USER, &passwd, buf, sizeof(buf), &pwp) != 0 ||
+			pwp == NULL)
+		{
+			DBG1(DBG_DMN, "resolving user '"IPSEC_USER"' failed");
+			return FALSE;
+		}
+		charon->uid = pwp->pw_uid;
+	}
+#endif
+#ifdef IPSEC_GROUP
+	{
+		char buf[1024];
+		struct group group, *grp;
+
+		if (getgrnam_r(IPSEC_GROUP, &group, buf, sizeof(buf), &grp) != 0 ||
+			grp == NULL)
+		{
+			DBG1(DBG_DMN, "resolving group '"IPSEC_GROUP"' failed");
+			return FALSE;
+		}
+		charon->gid = grp->gr_gid;
+	}
+#endif
+	return TRUE;
+}
+
+/**
+ * Handle SIGSEGV/SIGILL signals raised by threads
+ */
+static void segv_handler(int signal)
+{
+	backtrace_t *backtrace;
+
+	DBG1(DBG_DMN, "thread %u received %d", thread_current_id(), signal);
+	backtrace = backtrace_create(2);
+	backtrace->log(backtrace, stderr);
+	backtrace->destroy(backtrace);
+
+	DBG1(DBG_DMN, "killing ourself, received critical signal");
+	abort();
+}
+
+/**
+ * Check/create PID file, return TRUE if already running
+ */
+static bool check_pidfile()
+{
+	struct stat stb;
+	FILE *file;
+
+	if (stat(PID_FILE, &stb) == 0)
+	{
+		file = fopen(PID_FILE, "r");
+		if (file)
+		{
+			char buf[64];
+			pid_t pid = 0;
+
+			memset(buf, 0, sizeof(buf));
+			if (fread(buf, 1, sizeof(buf), file))
+			{
+				pid = atoi(buf);
+			}
+			fclose(file);
+			if (pid && kill(pid, 0) == 0)
+			{	/* such a process is running */
+				return TRUE;
+			}
+		}
+		DBG1(DBG_DMN, "removing pidfile '"PID_FILE"', process not running");
+		unlink(PID_FILE);
+	}
+
+	/* create new pidfile */
+	file = fopen(PID_FILE, "w");
+	if (file)
+	{
+		fprintf(file, "%d\n", getpid());
+		ignore_result(fchown(fileno(file), charon->uid, charon->gid));
+		fclose(file);
+	}
+	return FALSE;
+}
+
+/**
+ * print command line usage and exit
+ */
+static void usage(const char *msg)
+{
+	if (msg != NULL && *msg != '\0')
+	{
+		fprintf(stderr, "%s\n", msg);
+	}
+	fprintf(stderr, "Usage: charon\n"
+					"         [--help]\n"
+					"         [--version]\n"
+					"         [--use-syslog]\n"
+					"         [--debug-<type> <level>]\n"
+					"           <type>:  log context type (dmn|mgr|ike|chd|job|cfg|knl|net|enc|lib)\n"
+					"           <level>: log verbosity (-1 = silent, 0 = audit, 1 = control,\n"
+					"                                    2 = controlmore, 3 = raw, 4 = private)\n"
+					"\n"
+		   );
+	exit(msg == NULL? 0 : 1);
+}
+
+/**
+ * Main function, starts the daemon.
+ */
+int main(int argc, char *argv[])
+{
+	struct sigaction action;
+	bool use_syslog = FALSE;
+	level_t levels[DBG_MAX];
+	int group, status = SS_RC_INITIALIZATION_FAILED;
+
+	/* logging for library during initialization, as we have no bus yet */
+	dbg = dbg_stderr;
+
+	/* initialize library */
+	if (!library_init(NULL))
+	{
+		library_deinit();
+		exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
+	}
+
+	if (lib->integrity &&
+		!lib->integrity->check_file(lib->integrity, "charon", argv[0]))
+	{
+		dbg_stderr(DBG_DMN, 1, "integrity check of charon failed");
+		library_deinit();
+		exit(SS_RC_DAEMON_INTEGRITY);
+	}
+
+	if (!libhydra_init("charon"))
+	{
+		dbg_stderr(DBG_DMN, 1, "initialization failed - aborting charon");
+		libhydra_deinit();
+		library_deinit();
+		exit(SS_RC_INITIALIZATION_FAILED);
+	}
+
+	if (!libcharon_init())
+	{
+		dbg_stderr(DBG_DMN, 1, "initialization failed - aborting charon");
+		goto deinit;
+	}
+
+	/* use CTRL loglevel for default */
+	for (group = 0; group < DBG_MAX; group++)
+	{
+		levels[group] = LEVEL_CTRL;
+	}
+
+	/* handle arguments */
+	for (;;)
+	{
+		struct option long_opts[] = {
+			{ "help", no_argument, NULL, 'h' },
+			{ "version", no_argument, NULL, 'v' },
+			{ "use-syslog", no_argument, NULL, 'l' },
+			/* TODO: handle "debug-all" */
+			{ "debug-dmn", required_argument, &group, DBG_DMN },
+			{ "debug-mgr", required_argument, &group, DBG_MGR },
+			{ "debug-ike", required_argument, &group, DBG_IKE },
+			{ "debug-chd", required_argument, &group, DBG_CHD },
+			{ "debug-job", required_argument, &group, DBG_JOB },
+			{ "debug-cfg", required_argument, &group, DBG_CFG },
+			{ "debug-knl", required_argument, &group, DBG_KNL },
+			{ "debug-net", required_argument, &group, DBG_NET },
+			{ "debug-enc", required_argument, &group, DBG_ENC },
+			{ "debug-lib", required_argument, &group, DBG_LIB },
+			{ 0,0,0,0 }
+		};
+
+		int c = getopt_long(argc, argv, "", long_opts, NULL);
+		switch (c)
+		{
+			case EOF:
+				break;
+			case 'h':
+				usage(NULL);
+				break;
+			case 'v':
+				printf("Linux strongSwan %s\n", VERSION);
+				status = 0;
+				goto deinit;
+			case 'l':
+				use_syslog = TRUE;
+				continue;
+			case 0:
+				/* option is in group */
+				levels[group] = atoi(optarg);
+				continue;
+			default:
+				usage("");
+				break;
+		}
+		break;
+	}
+
+	if (!lookup_uid_gid())
+	{
+		dbg_stderr(DBG_DMN, 1, "invalid uid/gid - aborting charon");
+		goto deinit;
+	}
+
+	/* initialize daemon */
+	if (!charon->initialize(charon, use_syslog, levels))
+	{
+		DBG1(DBG_DMN, "initialization failed - aborting charon");
+		goto deinit;
+	}
+
+	if (check_pidfile())
+	{
+		DBG1(DBG_DMN, "charon already running (\""PID_FILE"\" exists)");
+		status = -1;
+		goto deinit;
+	}
+
+	if (!drop_capabilities())
+	{
+		DBG1(DBG_DMN, "capability dropping failed - aborting charon");
+		goto deinit;
+	}
+
+	/* add handler for SEGV and ILL,
+	 * INT, TERM and HUP are handled by sigwait() in run() */
+	action.sa_handler = segv_handler;
+	action.sa_flags = 0;
+	sigemptyset(&action.sa_mask);
+	sigaddset(&action.sa_mask, SIGINT);
+	sigaddset(&action.sa_mask, SIGTERM);
+	sigaddset(&action.sa_mask, SIGHUP);
+	sigaction(SIGSEGV, &action, NULL);
+	sigaction(SIGILL, &action, NULL);
+	sigaction(SIGBUS, &action, NULL);
+	action.sa_handler = SIG_IGN;
+	sigaction(SIGPIPE, &action, NULL);
+
+	pthread_sigmask(SIG_SETMASK, &action.sa_mask, NULL);
+
+	/* start daemon (i.e. the threads in the thread-pool) */
+	charon->start(charon);
+
+	/* main thread goes to run loop */
+	run();
+
+	/* normal termination, cleanup and exit */
+	unlink(PID_FILE);
+	status = 0;
+
+deinit:
+	libcharon_deinit();
+	libhydra_deinit();
+	library_deinit();
+	return status;
+}
+
diff --git a/src/charon/config/auth_cfg.c b/src/charon/config/auth_cfg.c
deleted file mode 100644
index 94362c756..000000000
--- a/src/charon/config/auth_cfg.c
+++ /dev/null
@@ -1,768 +0,0 @@
-/*
- * Copyright (C) 2007-2009 Martin Willi
- * Copyright (C) 2008 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "auth_cfg.h"
-
-#include <daemon.h>
-#include <utils/linked_list.h>
-#include <utils/identification.h>
-#include <credentials/certificates/certificate.h>
-
-ENUM(auth_rule_names, AUTH_RULE_IDENTITY, AUTH_HELPER_SUBJECT_HASH_URL,
-	"RULE_IDENTITY",
-	"RULE_AUTH_CLASS",
-	"RULE_EAP_IDENTITY",
-	"RULE_EAP_TYPE",
-	"RULE_EAP_VENDOR",
-	"RULE_CA_CERT",
-	"RULE_IM_CERT",
-	"RULE_SUBJECT_CERT",
-	"RULE_CRL_VALIDATION",
-	"RULE_OCSP_VALIDATION",
-	"RULE_AC_GROUP",
-	"HELPER_IM_CERT",
-	"HELPER_SUBJECT_CERT",
-	"HELPER_IM_HASH_URL",
-	"HELPER_SUBJECT_HASH_URL",
-);
-
-typedef struct private_auth_cfg_t private_auth_cfg_t;
-
-/**
- * private data of item_set
- */
-struct private_auth_cfg_t {
-
-	/**
-	 * public functions
-	 */
-	auth_cfg_t public;
-
-	/**
-	 * list of entry_t
-	 */
-	linked_list_t *entries;
-};
-
-typedef struct entry_t entry_t;
-
-struct entry_t {
-	/** rule type */
-	auth_rule_t type;
-	/** associated value */
-	void *value;
-};
-
-/**
- * enumerator for auth_cfg_t.create_enumerator()
- */
-typedef struct {
-	/** implements enumerator_t */
-	enumerator_t public;
-	/** inner enumerator from linked_list_t */
-	enumerator_t *inner;
-	/** current entry */
-	entry_t *current;
-} entry_enumerator_t;
-
-/**
- * enumerate function for item_enumerator_t
- */
-static bool enumerate(entry_enumerator_t *this, auth_rule_t *type, void **value)
-{
-	entry_t *entry;
-
-	if (this->inner->enumerate(this->inner, &entry))
-	{
-		this->current = entry;
-		*type = entry->type;
-		*value = entry->value;
-		return TRUE;
-	}
-	return FALSE;
-}
-
-/**
- * destroy function for item_enumerator_t
- */
-static void entry_enumerator_destroy(entry_enumerator_t *this)
-{
-	this->inner->destroy(this->inner);
-	free(this);
-}
-
-/**
- * Implementation of auth_cfg_t.create_enumerator.
- */
-static enumerator_t* create_enumerator(private_auth_cfg_t *this)
-{
-	entry_enumerator_t *enumerator;
-
-	enumerator = malloc_thing(entry_enumerator_t);
-	enumerator->inner = this->entries->create_enumerator(this->entries);
-	enumerator->public.enumerate = (void*)enumerate;
-	enumerator->public.destroy = (void*)entry_enumerator_destroy;
-	enumerator->current = NULL;
-	return &enumerator->public;
-}
-
-/**
- * Destroy the value associated with an entry
- */
-static void destroy_entry_value(entry_t *entry)
-{
-	switch (entry->type)
-	{
-		case AUTH_RULE_IDENTITY:
-		case AUTH_RULE_EAP_IDENTITY:
-		case AUTH_RULE_AC_GROUP:
-		{
-			identification_t *id = (identification_t*)entry->value;
-			id->destroy(id);
-			break;
-		}
-		case AUTH_RULE_CA_CERT:
-		case AUTH_RULE_IM_CERT:
-		case AUTH_RULE_SUBJECT_CERT:
-		case AUTH_HELPER_IM_CERT:
-		case AUTH_HELPER_SUBJECT_CERT:
-		{
-			certificate_t *cert = (certificate_t*)entry->value;
-			cert->destroy(cert);
-			break;
-		}
-		case AUTH_HELPER_IM_HASH_URL:
-		case AUTH_HELPER_SUBJECT_HASH_URL:
-		{
-			free(entry->value);
-			break;
-		}
-		case AUTH_RULE_AUTH_CLASS:
-		case AUTH_RULE_EAP_TYPE:
-		case AUTH_RULE_EAP_VENDOR:
-		case AUTH_RULE_CRL_VALIDATION:
-		case AUTH_RULE_OCSP_VALIDATION:
-			break;
-	}
-}
-
-/**
- * Implementation of auth_cfg_t.replace.
- */
-static void replace(auth_cfg_t *this, entry_enumerator_t *enumerator,
-					auth_rule_t type, ...)
-{
-	if (enumerator->current)
-	{
-		va_list args;
-
-		va_start(args, type);
-
-		destroy_entry_value(enumerator->current);
-		enumerator->current->type = type;
-		switch (type)
-		{
-			case AUTH_RULE_AUTH_CLASS:
-			case AUTH_RULE_EAP_TYPE:
-			case AUTH_RULE_EAP_VENDOR:
-			case AUTH_RULE_CRL_VALIDATION:
-			case AUTH_RULE_OCSP_VALIDATION:
-				/* integer type */
-				enumerator->current->value = (void*)(uintptr_t)va_arg(args, u_int);
-				break;
-			case AUTH_RULE_IDENTITY:
-			case AUTH_RULE_EAP_IDENTITY:
-			case AUTH_RULE_AC_GROUP:
-			case AUTH_RULE_CA_CERT:
-			case AUTH_RULE_IM_CERT:
-			case AUTH_RULE_SUBJECT_CERT:
-			case AUTH_HELPER_IM_CERT:
-			case AUTH_HELPER_SUBJECT_CERT:
-			case AUTH_HELPER_IM_HASH_URL:
-			case AUTH_HELPER_SUBJECT_HASH_URL:
-				/* pointer type */
-				enumerator->current->value = va_arg(args, void*);
-				break;
-		}
-		va_end(args);
-	}
-}
-
-/**
- * Implementation of auth_cfg_t.get.
- */
-static void* get(private_auth_cfg_t *this, auth_rule_t type)
-{
-	enumerator_t *enumerator;
-	void *current_value, *best_value = NULL;
-	auth_rule_t current_type;
-	bool found = FALSE;
-
-	enumerator = create_enumerator(this);
-	while (enumerator->enumerate(enumerator, &current_type, &current_value))
-	{
-		if (type == current_type)
-		{
-			if (type == AUTH_RULE_CRL_VALIDATION ||
-				type == AUTH_RULE_OCSP_VALIDATION)
-			{	/* for CRL/OCSP validation, always get() the highest value */
-				if (!found || current_value > best_value)
-				{
-					best_value = current_value;
-				}
-				found = TRUE;
-				continue;
-			}
-			best_value = current_value;
-			found = TRUE;
-			break;
-		}
-	}
-	enumerator->destroy(enumerator);
-	if (found)
-	{
-		return best_value;
-	}
-	switch (type)
-	{
-		/* use some sane defaults if we don't find an entry */
-		case AUTH_RULE_AUTH_CLASS:
-			return (void*)AUTH_CLASS_ANY;
-		case AUTH_RULE_EAP_TYPE:
-			return (void*)EAP_NAK;
-		case AUTH_RULE_EAP_VENDOR:
-			return (void*)0;
-		case AUTH_RULE_CRL_VALIDATION:
-		case AUTH_RULE_OCSP_VALIDATION:
-			return (void*)VALIDATION_FAILED;
-		case AUTH_RULE_IDENTITY:
-		case AUTH_RULE_EAP_IDENTITY:
-		case AUTH_RULE_AC_GROUP:
-		case AUTH_RULE_CA_CERT:
-		case AUTH_RULE_IM_CERT:
-		case AUTH_RULE_SUBJECT_CERT:
-		case AUTH_HELPER_IM_CERT:
-		case AUTH_HELPER_SUBJECT_CERT:
-		case AUTH_HELPER_IM_HASH_URL:
-		case AUTH_HELPER_SUBJECT_HASH_URL:
-		default:
-			return NULL;
-	}
-}
-
-/**
- * Implementation of auth_cfg_t.add.
- */
-static void add(private_auth_cfg_t *this, auth_rule_t type, ...)
-{
-	entry_t *entry = malloc_thing(entry_t);
-	va_list args;
-
-	va_start(args, type);
-	entry->type = type;
-	switch (type)
-	{
-		case AUTH_RULE_AUTH_CLASS:
-		case AUTH_RULE_EAP_TYPE:
-		case AUTH_RULE_EAP_VENDOR:
-		case AUTH_RULE_CRL_VALIDATION:
-		case AUTH_RULE_OCSP_VALIDATION:
-			/* integer type */
-			entry->value = (void*)(uintptr_t)va_arg(args, u_int);
-			break;
-		case AUTH_RULE_IDENTITY:
-		case AUTH_RULE_EAP_IDENTITY:
-		case AUTH_RULE_AC_GROUP:
-		case AUTH_RULE_CA_CERT:
-		case AUTH_RULE_IM_CERT:
-		case AUTH_RULE_SUBJECT_CERT:
-		case AUTH_HELPER_IM_CERT:
-		case AUTH_HELPER_SUBJECT_CERT:
-		case AUTH_HELPER_IM_HASH_URL:
-		case AUTH_HELPER_SUBJECT_HASH_URL:
-			/* pointer type */
-			entry->value = va_arg(args, void*);
-			break;
-	}
-	va_end(args);
-	this->entries->insert_last(this->entries, entry);
-}
-
-/**
- * Implementation of auth_cfg_t.complies.
- */
-static bool complies(private_auth_cfg_t *this, auth_cfg_t *constraints,
-					 bool log_error)
-{
-	enumerator_t *e1, *e2;
-	bool success = TRUE;
-	auth_rule_t t1, t2;
-	void *value;
-
-	e1 = constraints->create_enumerator(constraints);
-	while (e1->enumerate(e1, &t1, &value))
-	{
-		switch (t1)
-		{
-			case AUTH_RULE_CA_CERT:
-			case AUTH_RULE_IM_CERT:
-			{
-				certificate_t *c1, *c2;
-
-				c1 = (certificate_t*)value;
-
-				success = FALSE;
-				e2 = create_enumerator(this);
-				while (e2->enumerate(e2, &t2, &c2))
-				{
-					if ((t2 == AUTH_RULE_CA_CERT || t2 == AUTH_RULE_IM_CERT) &&
-						c1->equals(c1, c2))
-					{
-						success = TRUE;
-					}
-				}
-				e2->destroy(e2);
-				if (!success && log_error)
-				{
-					DBG1(DBG_CFG, "constraint check failed: peer not "
-						 "authenticated by CA '%Y'.", c1->get_subject(c1));
-				}
-				break;
-			}
-			case AUTH_RULE_SUBJECT_CERT:
-			{
-				certificate_t *c1, *c2;
-
-				c1 = (certificate_t*)value;
-				c2 = get(this, AUTH_RULE_SUBJECT_CERT);
-				if (!c2 || !c1->equals(c1, c2))
-				{
-					success = FALSE;
-					if (log_error)
-					{
-						DBG1(DBG_CFG, "constraint check failed: peer not "
-							 "authenticated with peer cert '%Y'.",
-							 c1->get_subject(c1));
-					}
-				}
-				break;
-			}
-			case AUTH_RULE_CRL_VALIDATION:
-			case AUTH_RULE_OCSP_VALIDATION:
-			{
-				cert_validation_t validated, required;
-
-				required = (uintptr_t)value;
-				validated = (uintptr_t)get(this, t1);
-				switch (required)
-				{
-					case VALIDATION_FAILED:
-						/* no constraint */
-						break;
-					case VALIDATION_SKIPPED:
-						if (validated == VALIDATION_SKIPPED)
-						{
-							break;
-						}
-						/* FALL */
-					case VALIDATION_GOOD:
-						if (validated == VALIDATION_GOOD)
-						{
-							break;
-						}
-						/* FALL */
-					default:
-						success = FALSE;
-						if (log_error)
-						{
-							DBG1(DBG_CFG, "constraint check failed: %N is %N, "
-								 "but requires at least %N", auth_rule_names,
-								 t1, cert_validation_names, validated,
-								 cert_validation_names, required);
-						}
-						break;
-				}
-				break;
-			}
-			case AUTH_RULE_IDENTITY:
-			case AUTH_RULE_EAP_IDENTITY:
-			{
-				identification_t *id1, *id2;
-
-				id1 = (identification_t*)value;
-				id2 = get(this, t1);
-				if (!id2 || !id2->matches(id2, id1))
-				{
-					success = FALSE;
-					if (log_error)
-					{
-						DBG1(DBG_CFG, "constraint check failed: %sidentity '%Y'"
-							 " required ", t1 == AUTH_RULE_IDENTITY ? "" :
-							 "EAP ", id1);
-					}
-				}
-				break;
-			}
-			case AUTH_RULE_AUTH_CLASS:
-			{
-				if ((uintptr_t)value != AUTH_CLASS_ANY &&
-					(uintptr_t)value != (uintptr_t)get(this, t1))
-				{
-					success = FALSE;
-					if (log_error)
-					{
-						DBG1(DBG_CFG, "constraint requires %N authentication, "
-							 "but %N was used", auth_class_names, (uintptr_t)value,
-							 auth_class_names, (uintptr_t)get(this, t1));
-					}
-				}
-				break;
-			}
-			case AUTH_RULE_EAP_TYPE:
-			{
-				if ((uintptr_t)value != (uintptr_t)get(this, t1))
-				{
-					success = FALSE;
-					if (log_error)
-					{
-						DBG1(DBG_CFG, "constraint requires %N, "
-							 "but %N was used", eap_type_names, (uintptr_t)value,
-							 eap_type_names,  (uintptr_t)get(this, t1));
-					}
-				}
-				break;
-			}
-			case AUTH_RULE_EAP_VENDOR:
-			{
-				if ((uintptr_t)value != (uintptr_t)get(this, t1))
-				{
-					success = FALSE;
-					if (log_error)
-					{
-						DBG1(DBG_CFG, "constraint requires EAP vendor %d, "
-							 "but %d was used", (uintptr_t)value,
-							 (uintptr_t)get(this, t1));
-					}
-				}
-				break;
-			}
-			case AUTH_RULE_AC_GROUP:
-			{
-				success = FALSE;
-				if (log_error)
-				{
-					DBG1(DBG_CFG, "constraint check %N not implemented!",
-						 auth_rule_names, t1);
-				}
-				break;
-			}
-			case AUTH_HELPER_IM_CERT:
-			case AUTH_HELPER_SUBJECT_CERT:
-			case AUTH_HELPER_IM_HASH_URL:
-			case AUTH_HELPER_SUBJECT_HASH_URL:
-				/* skip helpers */
-				continue;
-		}
-		if (!success)
-		{
-			break;
-		}
-	}
-	e1->destroy(e1);
-	return success;
-}
-
-/**
- * Implementation of auth_cfg_t.merge.
- */
-static void merge(private_auth_cfg_t *this, private_auth_cfg_t *other, bool copy)
-{
-	if (!other)
-	{	/* nothing to merge */
-		return;
-	}
-	if (copy)
-	{
-		enumerator_t *enumerator;
-		auth_rule_t type;
-		void *value;
-
-		enumerator = create_enumerator(other);
-		while (enumerator->enumerate(enumerator, &type, &value))
-		{
-			switch (type)
-			{
-				case AUTH_RULE_CA_CERT:
-				case AUTH_RULE_IM_CERT:
-				case AUTH_RULE_SUBJECT_CERT:
-				case AUTH_HELPER_IM_CERT:
-				case AUTH_HELPER_SUBJECT_CERT:
-				{
-					certificate_t *cert = (certificate_t*)value;
-
-					add(this, type, cert->get_ref(cert));
-					break;
-				}
-				case AUTH_RULE_CRL_VALIDATION:
-				case AUTH_RULE_OCSP_VALIDATION:
-				case AUTH_RULE_AUTH_CLASS:
-				case AUTH_RULE_EAP_TYPE:
-				case AUTH_RULE_EAP_VENDOR:
-				{
-					add(this, type, (uintptr_t)value);
-					break;
-				}
-				case AUTH_RULE_IDENTITY:
-				case AUTH_RULE_EAP_IDENTITY:
-				case AUTH_RULE_AC_GROUP:
-				{
-					identification_t *id = (identification_t*)value;
-
-					add(this, type, id->clone(id));
-					break;
-				}
-				case AUTH_HELPER_IM_HASH_URL:
-				case AUTH_HELPER_SUBJECT_HASH_URL:
-				{
-					add(this, type, strdup((char*)value));
-					break;
-				}
-			}
-		}
-		enumerator->destroy(enumerator);
-	}
-	else
-	{
-		entry_t *entry;
-
-		while (other->entries->remove_first(other->entries,
-											(void**)&entry) == SUCCESS)
-		{
-			this->entries->insert_last(this->entries, entry);
-		}
-	}
-}
-
-/**
- * Implementation of auth_cfg_t.equals.
- */
-static bool equals(private_auth_cfg_t *this, private_auth_cfg_t *other)
-{
-	enumerator_t *e1, *e2;
-	entry_t *i1, *i2;
-	bool equal = TRUE, found;
-
-	if (this->entries->get_count(this->entries) !=
-		other->entries->get_count(other->entries))
-	{
-		return FALSE;
-	}
-	e1 = this->entries->create_enumerator(this->entries);
-	while (e1->enumerate(e1, &i1))
-	{
-		found = FALSE;
-		e2 = other->entries->create_enumerator(other->entries);
-		while (e2->enumerate(e2, &i2))
-		{
-			if (i1->type == i2->type)
-			{
-				switch (i1->type)
-				{
-					case AUTH_RULE_AUTH_CLASS:
-					case AUTH_RULE_EAP_TYPE:
-					case AUTH_RULE_EAP_VENDOR:
-					case AUTH_RULE_CRL_VALIDATION:
-					case AUTH_RULE_OCSP_VALIDATION:
-					{
-						if (i1->value == i2->value)
-						{
-							found = TRUE;
-							break;
-						}
-						continue;
-					}
-					case AUTH_RULE_CA_CERT:
-					case AUTH_RULE_IM_CERT:
-					case AUTH_RULE_SUBJECT_CERT:
-					case AUTH_HELPER_IM_CERT:
-					case AUTH_HELPER_SUBJECT_CERT:
-					{
-						certificate_t *c1, *c2;
-
-						c1 = (certificate_t*)i1->value;
-						c2 = (certificate_t*)i2->value;
-
-						if (c1->equals(c1, c2))
-						{
-							found = TRUE;
-							break;
-						}
-						continue;
-					}
-					case AUTH_RULE_IDENTITY:
-					case AUTH_RULE_EAP_IDENTITY:
-					case AUTH_RULE_AC_GROUP:
-					{
-						identification_t *id1, *id2;
-
-						id1 = (identification_t*)i1->value;
-						id2 = (identification_t*)i2->value;
-
-						if (id1->equals(id1, id2))
-						{
-							found = TRUE;
-							break;
-						}
-						continue;
-					}
-					case AUTH_HELPER_IM_HASH_URL:
-					case AUTH_HELPER_SUBJECT_HASH_URL:
-					{
-						if (streq(i1->value, i2->value))
-						{
-							found = TRUE;
-							break;
-						}
-						continue;
-					}
-				}
-				break;
-			}
-		}
-		e2->destroy(e2);
-		if (!found)
-		{
-			equal = FALSE;
-			break;
-		}
-	}
-	e1->destroy(e1);
-	return equal;
-}
-
-/**
- * Implementation of auth_cfg_t.purge
- */
-static void purge(private_auth_cfg_t *this, bool keep_ca)
-{
-	entry_t *entry;
-	linked_list_t *cas;
-
-	cas = linked_list_create();
-	while (this->entries->remove_last(this->entries, (void**)&entry) == SUCCESS)
-	{
-		if (keep_ca && entry->type == AUTH_RULE_CA_CERT)
-		{
-			cas->insert_first(cas, entry);
-		}
-		else
-		{
-			destroy_entry_value(entry);
-			free(entry);
-		}
-	}
-	while (cas->remove_last(cas, (void**)&entry) == SUCCESS)
-	{
-		this->entries->insert_first(this->entries, entry);
-	}
-	cas->destroy(cas);
-}
-
-/**
- * Implementation of auth_cfg_t.clone
- */
-static auth_cfg_t* clone_(private_auth_cfg_t *this)
-{
-	enumerator_t *enumerator;
-	auth_cfg_t *clone;
-	entry_t *entry;
-
-	clone = auth_cfg_create();
-	enumerator = this->entries->create_enumerator(this->entries);
-	while (enumerator->enumerate(enumerator, &entry))
-	{
-		switch (entry->type)
-		{
-			case AUTH_RULE_IDENTITY:
-			case AUTH_RULE_EAP_IDENTITY:
-			case AUTH_RULE_AC_GROUP:
-			{
-				identification_t *id = (identification_t*)entry->value;
-				clone->add(clone, entry->type, id->clone(id));
-				break;
-			}
-			case AUTH_RULE_CA_CERT:
-			case AUTH_RULE_IM_CERT:
-			case AUTH_RULE_SUBJECT_CERT:
-			case AUTH_HELPER_IM_CERT:
-			case AUTH_HELPER_SUBJECT_CERT:
-			{
-				certificate_t *cert = (certificate_t*)entry->value;
-				clone->add(clone, entry->type, cert->get_ref(cert));
-				break;
-			}
-			case AUTH_HELPER_IM_HASH_URL:
-			case AUTH_HELPER_SUBJECT_HASH_URL:
-			{
-				clone->add(clone, entry->type, strdup(entry->value));
-				break;
-			}
-			case AUTH_RULE_AUTH_CLASS:
-			case AUTH_RULE_EAP_TYPE:
-			case AUTH_RULE_EAP_VENDOR:
-			case AUTH_RULE_CRL_VALIDATION:
-			case AUTH_RULE_OCSP_VALIDATION:
-				clone->add(clone, entry->type, (uintptr_t)entry->value);
-				break;
-		}
-	}
-	enumerator->destroy(enumerator);
-	return clone;
-}
-
-/**
- * Implementation of auth_cfg_t.destroy
- */
-static void destroy(private_auth_cfg_t *this)
-{
-	purge(this, FALSE);
-	this->entries->destroy(this->entries);
-	free(this);
-}
-
-/*
- * see header file
- */
-auth_cfg_t *auth_cfg_create()
-{
-	private_auth_cfg_t *this = malloc_thing(private_auth_cfg_t);
-
-	this->public.add = (void(*)(auth_cfg_t*, auth_rule_t type, ...))add;
-	this->public.get = (void*(*)(auth_cfg_t*, auth_rule_t type))get;
-	this->public.create_enumerator = (enumerator_t*(*)(auth_cfg_t*))create_enumerator;
-	this->public.replace = (void(*)(auth_cfg_t*,enumerator_t*,auth_rule_t,...))replace;
-	this->public.complies = (bool(*)(auth_cfg_t*, auth_cfg_t *,bool))complies;
-	this->public.merge = (void(*)(auth_cfg_t*, auth_cfg_t *other,bool))merge;
-	this->public.purge = (void(*)(auth_cfg_t*,bool))purge;
-	this->public.equals = (bool(*)(auth_cfg_t*, auth_cfg_t *other))equals;
-	this->public.clone = (auth_cfg_t*(*)(auth_cfg_t*))clone_;
-	this->public.destroy = (void(*)(auth_cfg_t*))destroy;
-
-	this->entries = linked_list_create();
-
-	return &this->public;
-}
-
diff --git a/src/charon/config/auth_cfg.h b/src/charon/config/auth_cfg.h
deleted file mode 100644
index 5e6215a4a..000000000
--- a/src/charon/config/auth_cfg.h
+++ /dev/null
@@ -1,201 +0,0 @@
-/*
- * Copyright (C) 2007-2009 Martin Willi
- * Copyright (C) 2008 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup auth_cfg auth_cfg
- * @{ @ingroup config
- */
-
-#ifndef AUTH_CFG_H_
-#define AUTH_CFG_H_
-
-#include <utils/enumerator.h>
-
-typedef struct auth_cfg_t auth_cfg_t;
-typedef enum auth_rule_t auth_rule_t;
-
-/**
- * Authentication config to use during authentication process.
- *
- * Each authentication config contains a set of rules. These rule-sets are used
- * in two ways:
- * - For configs specifying local authentication behavior, the rules define
- *   which authentication method in which way.
- * - For configs specifying remote peer authentication, the rules define
- *   constraints the peer has to fullfill.
- *
- * Additionally to the rules, there is a set of helper items. These are used
- * to transport credentials during the authentication process.
- */
-enum auth_rule_t {
-
-	/** identity to use for IKEv2 authentication exchange, identification_t* */
-	AUTH_RULE_IDENTITY,
-	/** authentication class, auth_class_t */
-	AUTH_RULE_AUTH_CLASS,
-	/** EAP identity to use within EAP-Identity exchange, identification_t* */
-	AUTH_RULE_EAP_IDENTITY,
-	/** EAP type to propose for peer authentication, eap_type_t */
-	AUTH_RULE_EAP_TYPE,
-	/** EAP vendor for vendor specific type, u_int32_t */
-	AUTH_RULE_EAP_VENDOR,
-	/** certificate authority, certificate_t* */
-	AUTH_RULE_CA_CERT,
-	/** intermediate certificate in trustchain, certificate_t* */
-	AUTH_RULE_IM_CERT,
-	/** subject certificate, certificate_t* */
-	AUTH_RULE_SUBJECT_CERT,
-	/** result of a CRL validation, cert_validation_t */
-	AUTH_RULE_CRL_VALIDATION,
-	/** result of a OCSP validation, cert_validation_t */
-	AUTH_RULE_OCSP_VALIDATION,
-	/** subject is in attribute certificate group, identification_t* */
-	AUTH_RULE_AC_GROUP,
-
-	/** intermediate certificate, certificate_t* */
-	AUTH_HELPER_IM_CERT,
-	/** subject certificate, certificate_t* */
-	AUTH_HELPER_SUBJECT_CERT,
-	/** Hash and URL of a intermediate certificate, char* */
-	AUTH_HELPER_IM_HASH_URL,
-	/** Hash and URL of a end-entity certificate, char* */
-	AUTH_HELPER_SUBJECT_HASH_URL,
-};
-
-/**
- * enum name for auth_rule_t.
- */
-extern enum_name_t *auth_rule_names;
-
-/**
- * Authentication/Authorization round.
- *
- * RFC4739 defines multiple authentication rounds. This class defines such
- * a round from a configuration perspective, either for the local or the remote
- * peer. Local config are called "rulesets", as they define how we authenticate.
- * Remote peer configs are called "constraits", they define what is needed to
- * complete the authentication round successfully.
- *
- * @verbatim
-
-   [Repeat for each configuration]
-   +--------------------------------------------------+
-   |                                                  |
-   |                                                  |
-   |   +----------+     IKE_AUTH       +--------- +   |
-   |   |  config  |   ----------->     |          |   |
-   |   |  ruleset |                    |          |   |
-   |   +----------+ [ <----------- ]   |          |   |
-   |                [ optional EAP ]   |   Peer   |   |
-   |   +----------+ [ -----------> ]   |          |   |
-   |   |  config  |                    |          |   |
-   |   |  constr. |   <-----------     |          |   |
-   |   +----------+     IKE_AUTH       +--------- +   |
-   |                                                  |
-   |                                                  |
-   +--------------------------------------------------+
-
-   @endverbatim
- *
- * Values for each items are either pointers (casted to void*) or short
- * integers (use uintptr_t cast).
- */
-struct auth_cfg_t {
-
-	/**
-	 * Add an rule to the set.
-	 *
-	 * @param rule		rule type
-	 * @param ...		associated value to rule
-	 */
-	void (*add)(auth_cfg_t *this, auth_rule_t rule, ...);
-
-	/**
-	 * Get an rule value.
-	 *
-	 * @param rule		rule type
-	 * @return			bool if item has been found
-	 */
-	void* (*get)(auth_cfg_t *this, auth_rule_t rule);
-
-	/**
-	 * Create an enumerator over added rules.
-	 *
-	 * @return			enumerator over (auth_rule_t, union{void*,uintpr_t})
-	 */
-	enumerator_t* (*create_enumerator)(auth_cfg_t *this);
-
-	/**
-	 * Replace an rule at enumerator position.
-	 *
-	 * @param pos		enumerator position position
-	 * @param rule		rule type
-	 * @param ...		associated value to rule
-	 */
-	void (*replace)(auth_cfg_t *this, enumerator_t *pos,
-					auth_rule_t rule, ...);
-
-	/**
-	 * Check if a used config fulfills a set of configured constraints.
-	 *
-	 * @param constraints	required authorization rules
-	 * @param log_error		wheter to log compliance errors
-	 * @return				TRUE if this complies with constraints
-	 */
-	bool (*complies)(auth_cfg_t *this, auth_cfg_t *constraints, bool log_error);
-
-	/**
-	 * Merge items from other into this.
-	 *
-	 * @param other		items to read for merge
-	 * @param copy		TRUE to copy items, FALSE to move them
-	 */
-	void (*merge)(auth_cfg_t *this, auth_cfg_t *other, bool copy);
-
-	/**
-	 * Purge all rules in a config.
-	 *
-	 * @param keep_ca	wheter to keep AUTH_RULE_CA_CERT entries
-	 */
-	void (*purge)(auth_cfg_t *this, bool keep_ca);
-
-	/**
-	 * Check two configs for equality.
-	 *
-	 * @param other		other config to compaire against this
-	 * @return			TRUE if auth infos identical
-	 */
-	bool (*equals)(auth_cfg_t *this, auth_cfg_t *other);
-
-	/**
-	 * Clone a authentication config, including all rules.
-	 *
-	 * @return			cloned configuration
-	 */
-	auth_cfg_t* (*clone)(auth_cfg_t *this);
-
-	/**
-	 * Destroy a config with all associated rules/values.
-	 */
-	void (*destroy)(auth_cfg_t *this);
-};
-
-/**
- * Create a authentication config.
- */
-auth_cfg_t *auth_cfg_create();
-
-#endif /** AUTH_CFG_H_ @}*/
diff --git a/src/charon/config/backend.h b/src/charon/config/backend.h
deleted file mode 100644
index 458abc37f..000000000
--- a/src/charon/config/backend.h
+++ /dev/null
@@ -1,83 +0,0 @@
-/*
- * Copyright (C) 2007-2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup backend backend
- * @{ @ingroup config
- */
-
-#ifndef BACKEND_H_
-#define BACKEND_H_
-
-typedef struct backend_t backend_t;
-
-#include <library.h>
-#include <config/ike_cfg.h>
-#include <config/peer_cfg.h>
-#include <utils/linked_list.h>
-
-/**
- * The interface for a configuration backend.
- *
- * A configuration backend is loaded into the backend_manager. It does the actual
- * configuration lookup for the method it implements. See backend_manager_t for
- * more information.
- */
-struct backend_t {
-
-	/**
-	 * Create an enumerator over all IKE configs matching two hosts.
-	 *
-	 * Hosts may be NULL to get all.
-	 *
-	 * There is no requirement for the backend to filter the configurations
-	 * using the supplied hosts; but it may do so if it increases lookup times
-	 * (e.g. include hosts in SQL query).
-	 *
-	 * @param me		address of local host
-	 * @param other		address of remote host
-	 * @return			enumerator over ike_cfg_t's
-	 */
-	enumerator_t* (*create_ike_cfg_enumerator)(backend_t *this,
-											   host_t *me, host_t *other);
-	/**
-	 * Create an enumerator over all peer configs matching two identities.
-	 *
-	 * IDs may be NULL to get all.
-	 *
-	 * As configurations are looked up in the first authentication round (when
-	 * multiple authentication), the backend implementation should compare
-	 * the identities to the first auth_cfgs only.
-	 * There is no requirement for the backend to filter the configurations
-	 * using the supplied identities; but it may do so if it increases lookup
-	 * times (e.g. include hosts in SQL query).
-	 *
-	 * @param me		identity of ourself
-	 * @param other		identity of remote host
-	 * @return			enumerator over peer_cfg_t
-	 */
-	enumerator_t* (*create_peer_cfg_enumerator)(backend_t *this,
-												identification_t *me,
-												identification_t *other);
-	/**
-	 * Get a peer_cfg identified by it's name, or a name of its children.
-	 *
-	 * @param name				name of peer/child cfg
-	 * @return					matching peer_config, or NULL if none found
-	 */
-	peer_cfg_t *(*get_peer_cfg_by_name)(backend_t *this, char *name);
-};
-
-#endif /** BACKEND_H_ @}*/
diff --git a/src/charon/config/backend_manager.c b/src/charon/config/backend_manager.c
deleted file mode 100644
index 90ef58563..000000000
--- a/src/charon/config/backend_manager.c
+++ /dev/null
@@ -1,444 +0,0 @@
-/*
- * Copyright (C) 2007-2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "backend_manager.h"
-
-#include <sys/types.h>
-
-#include <daemon.h>
-#include <utils/linked_list.h>
-#include <threading/rwlock.h>
-
-
-typedef struct private_backend_manager_t private_backend_manager_t;
-
-/**
- * Private data of an backend_manager_t object.
- */
-struct private_backend_manager_t {
-
-	/**
-	 * Public part of backend_manager_t object.
-	 */
-	backend_manager_t public;
-
-	/**
-	 * list of registered backends
-	 */
-	linked_list_t *backends;
-
-	/**
-	 * rwlock for backends
-	 */
-	rwlock_t *lock;
-};
-
-/**
- * match of an ike_cfg
- */
-typedef enum ike_cfg_match_t {
-	MATCH_NONE  = 0x00,
-	MATCH_ANY   = 0x01,
-	MATCH_ME	= 0x04,
-	MATCH_OTHER = 0x08,
-} ike_cfg_match_t;
-
-/**
- * data to pass nested IKE enumerator
- */
-typedef struct {
-	private_backend_manager_t *this;
-	host_t *me;
-	host_t *other;
-} ike_data_t;
-
-/**
- * inner enumerator constructor for IKE cfgs
- */
-static enumerator_t *ike_enum_create(backend_t *backend, ike_data_t *data)
-{
-	return backend->create_ike_cfg_enumerator(backend, data->me, data->other);
-}
-
-/**
- * get a match of a candidate ike_cfg for two hosts
- */
-static ike_cfg_match_t get_ike_match(ike_cfg_t *cand, host_t *me, host_t *other)
-{
-	host_t *me_cand, *other_cand;
-	ike_cfg_match_t match = MATCH_NONE;
-
-	if (me)
-	{
-		me_cand = host_create_from_dns(cand->get_my_addr(cand),
-									   me->get_family(me), 0);
-		if (!me_cand)
-		{
-			return MATCH_NONE;
-		}
-		if (me_cand->ip_equals(me_cand, me))
-		{
-			match += MATCH_ME;
-		}
-		else if (me_cand->is_anyaddr(me_cand))
-		{
-			match += MATCH_ANY;
-		}
-		me_cand->destroy(me_cand);
-	}
-	else
-	{
-		match += MATCH_ANY;
-	}
-
-	if (other)
-	{
-		other_cand = host_create_from_dns(cand->get_other_addr(cand),
-										  other->get_family(other), 0);
-		if (!other_cand)
-		{
-			return MATCH_NONE;
-		}
-		if (other_cand->ip_equals(other_cand, other))
-		{
-			match += MATCH_OTHER;
-		}
-		else if (other_cand->is_anyaddr(other_cand))
-		{
-			match += MATCH_ANY;
-		}
-		other_cand->destroy(other_cand);
-	}
-	else
-	{
-		match += MATCH_ANY;
-	}
-	return match;
-}
-
-/**
- * implements backend_manager_t.get_ike_cfg.
- */
-static ike_cfg_t *get_ike_cfg(private_backend_manager_t *this,
-							  host_t *me, host_t *other)
-{
-	ike_cfg_t *current, *found = NULL;
-	enumerator_t *enumerator;
-	ike_cfg_match_t match, best = MATCH_ANY;
-	ike_data_t *data;
-
-	data = malloc_thing(ike_data_t);
-	data->this = this;
-	data->me = me;
-	data->other = other;
-
-	DBG2(DBG_CFG, "looking for an ike config for %H...%H", me, other);
-
-	this->lock->read_lock(this->lock);
-	enumerator = enumerator_create_nested(
-						this->backends->create_enumerator(this->backends),
-						(void*)ike_enum_create, data, (void*)free);
-	while (enumerator->enumerate(enumerator, (void**)&current))
-	{
-		match = get_ike_match(current, me, other);
-
-		if (match)
-		{
-			DBG2(DBG_CFG, "  candidate: %s...%s, prio %d",
-				 current->get_my_addr(current),
-				 current->get_other_addr(current), match);
-			if (match > best)
-			{
-				DESTROY_IF(found);
-				found = current;
-				found->get_ref(found);
-				best = match;
-			}
-		}
-	}
-	enumerator->destroy(enumerator);
-	this->lock->unlock(this->lock);
-	if (found)
-	{
-		DBG2(DBG_CFG, "found matching ike config: %s...%s with prio %d",
-			 found->get_my_addr(found), found->get_other_addr(found), best);
-	}
-	return found;
-}
-
-/**
- * Get the best ID match in one of the configs auth_cfg
- */
-static id_match_t get_peer_match(identification_t *id,
-								 peer_cfg_t *cfg, bool local)
-{
-	enumerator_t *enumerator;
-	auth_cfg_t *auth;
-	identification_t *candidate;
-	id_match_t match = ID_MATCH_NONE;
-
-	if (!id)
-	{
-		return ID_MATCH_ANY;
-	}
-
-	/* compare first auth config only */
-	enumerator = cfg->create_auth_cfg_enumerator(cfg, local);
-	if (enumerator->enumerate(enumerator, &auth))
-	{
-		candidate = auth->get(auth, AUTH_RULE_IDENTITY);
-		if (candidate)
-		{
-			match = id->matches(id, candidate);
-			/* match vice-versa, as the proposed IDr might be ANY */
-			if (!match)
-			{
-				match = candidate->matches(candidate, id);
-			}
-		}
-		else
-		{
-			match = ID_MATCH_ANY;
-		}
-	}
-	enumerator->destroy(enumerator);
-	return match;
-}
-
-/**
- * data to pass nested peer enumerator
- */
-typedef struct {
-	rwlock_t *lock;
-	identification_t *me;
-	identification_t *other;
-} peer_data_t;
-
-/**
- * list element to help sorting
- */
-typedef struct {
-	id_match_t match_peer;
-	ike_cfg_match_t match_ike;
-	peer_cfg_t *cfg;
-} match_entry_t;
-
-/**
- * inner enumerator constructor for peer cfgs
- */
-static enumerator_t *peer_enum_create(backend_t *backend, peer_data_t *data)
-{
-	return backend->create_peer_cfg_enumerator(backend, data->me, data->other);
-}
-
-/**
- * unlock/cleanup peer enumerator
- */
-static void peer_enum_destroy(peer_data_t *data)
-{
-	data->lock->unlock(data->lock);
-	free(data);
-}
-
-/**
- * convert enumerator value from match_entry to config
- */
-static bool peer_enum_filter(linked_list_t *configs,
-							 match_entry_t **in, peer_cfg_t **out)
-{
-	*out = (*in)->cfg;
-	return TRUE;
-}
-
-/**
- * Clean up temporary config list
- */
-static void peer_enum_filter_destroy(linked_list_t *configs)
-{
-	match_entry_t *entry;
-
-	while (configs->remove_last(configs, (void**)&entry) == SUCCESS)
-	{
-		entry->cfg->destroy(entry->cfg);
-		free(entry);
-	}
-	configs->destroy(configs);
-}
-
-/**
- * Insert entry into match-sorted list, using helper
- */
-static void insert_sorted(match_entry_t *entry, linked_list_t *list,
-						  linked_list_t *helper)
-{
-	match_entry_t *current;
-
-	while (list->remove_first(list, (void**)&current) == SUCCESS)
-	{
-		helper->insert_last(helper, current);
-	}
-	while (helper->remove_first(helper, (void**)&current) == SUCCESS)
-	{
-		if (entry && (
-			 (entry->match_ike > current->match_ike &&
-			  entry->match_peer >= current->match_peer) ||
-			 (entry->match_ike >= current->match_ike &&
-			  entry->match_peer > current->match_peer)))
-		{
-			list->insert_last(list, entry);
-			entry = NULL;
-		}
-		list->insert_last(list, current);
-	}
-	if (entry)
-	{
-		list->insert_last(list, entry);
-	}
-}
-
-/**
- * Implements backend_manager_t.create_peer_cfg_enumerator.
- */
-static enumerator_t *create_peer_cfg_enumerator(private_backend_manager_t *this,
-							host_t *me, host_t *other, identification_t *my_id,
-							identification_t *other_id)
-{
-	enumerator_t *enumerator;
-	peer_data_t *data;
-	peer_cfg_t *cfg;
-	linked_list_t *configs, *helper;
-
-	data = malloc_thing(peer_data_t);
-	data->lock = this->lock;
-	data->me = my_id;
-	data->other = other_id;
-
-	/* create a sorted list with all matches */
-	this->lock->read_lock(this->lock);
-	enumerator = enumerator_create_nested(
-					this->backends->create_enumerator(this->backends),
-					(void*)peer_enum_create, data, (void*)peer_enum_destroy);
-
-	if (!me && !other && !my_id && !other_id)
-	{	/* shortcut if we are doing a "listall" */
-		return enumerator;
-	}
-
-	DBG1(DBG_CFG, "looking for peer configs matching %H[%Y]...%H[%Y]",
-		 me, my_id, other, other_id);
-
-	configs = linked_list_create();
-	/* only once allocated helper list for sorting */
-	helper = linked_list_create();
-	while (enumerator->enumerate(enumerator, &cfg))
-	{
-		id_match_t match_peer_me, match_peer_other;
-		ike_cfg_match_t match_ike;
-		match_entry_t *entry;
-
-		match_peer_me = get_peer_match(my_id, cfg, TRUE);
-		match_peer_other = get_peer_match(other_id, cfg, FALSE);
-		match_ike = get_ike_match(cfg->get_ike_cfg(cfg), me, other);
-
-		if (match_peer_me && match_peer_other && match_ike)
-		{
-			DBG2(DBG_CFG, "  candidate \"%s\", match: %d/%d/%d (me/other/ike)",
-				 cfg->get_name(cfg), match_peer_me, match_peer_other, match_ike);
-
-			entry = malloc_thing(match_entry_t);
-			entry->match_peer = match_peer_me + match_peer_other;
-			entry->match_ike = match_ike;
-			entry->cfg = cfg->get_ref(cfg);
-			insert_sorted(entry, configs, helper);
-		}
-	}
-	enumerator->destroy(enumerator);
-	helper->destroy(helper);
-
-	return enumerator_create_filter(configs->create_enumerator(configs),
-									(void*)peer_enum_filter, configs,
-									(void*)peer_enum_filter_destroy);
-}
-
-/**
- * implements backend_manager_t.get_peer_cfg_by_name.
- */
-static peer_cfg_t *get_peer_cfg_by_name(private_backend_manager_t *this, char *name)
-{
-	backend_t *backend;
-	peer_cfg_t *config = NULL;
-	enumerator_t *enumerator;
-
-	this->lock->read_lock(this->lock);
-	enumerator = this->backends->create_enumerator(this->backends);
-	while (config == NULL && enumerator->enumerate(enumerator, (void**)&backend))
-	{
-		config = backend->get_peer_cfg_by_name(backend, name);
-	}
-	enumerator->destroy(enumerator);
-	this->lock->unlock(this->lock);
-	return config;
-}
-
-/**
- * Implementation of backend_manager_t.remove_backend.
- */
-static void remove_backend(private_backend_manager_t *this, backend_t *backend)
-{
-	this->lock->write_lock(this->lock);
-	this->backends->remove(this->backends, backend, NULL);
-	this->lock->unlock(this->lock);
-}
-
-/**
- * Implementation of backend_manager_t.add_backend.
- */
-static void add_backend(private_backend_manager_t *this, backend_t *backend)
-{
-	this->lock->write_lock(this->lock);
-	this->backends->insert_last(this->backends, backend);
-	this->lock->unlock(this->lock);
-}
-
-/**
- * Implementation of backend_manager_t.destroy.
- */
-static void destroy(private_backend_manager_t *this)
-{
-	this->backends->destroy(this->backends);
-	this->lock->destroy(this->lock);
-	free(this);
-}
-
-/*
- * Described in header-file
- */
-backend_manager_t *backend_manager_create()
-{
-	private_backend_manager_t *this = malloc_thing(private_backend_manager_t);
-
-	this->public.get_ike_cfg = (ike_cfg_t* (*)(backend_manager_t*, host_t*, host_t*))get_ike_cfg;
-	this->public.get_peer_cfg_by_name = (peer_cfg_t* (*)(backend_manager_t*,char*))get_peer_cfg_by_name;
-	this->public.create_peer_cfg_enumerator = (enumerator_t* (*)(backend_manager_t*,host_t*,host_t*,identification_t*,identification_t*))create_peer_cfg_enumerator;
-	this->public.add_backend = (void(*)(backend_manager_t*, backend_t *backend))add_backend;
-	this->public.remove_backend = (void(*)(backend_manager_t*, backend_t *backend))remove_backend;
-	this->public.destroy = (void (*)(backend_manager_t*))destroy;
-
-	this->backends = linked_list_create();
-	this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
-
-	return &this->public;
-}
-
diff --git a/src/charon/config/backend_manager.h b/src/charon/config/backend_manager.h
deleted file mode 100644
index 5b394f791..000000000
--- a/src/charon/config/backend_manager.h
+++ /dev/null
@@ -1,114 +0,0 @@
-/*
- * Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup backend_manager backend_manager
- * @{ @ingroup config
- */
-
-#ifndef BACKEND_MANAGER_H_
-#define BACKEND_MANAGER_H_
-
-typedef struct backend_manager_t backend_manager_t;
-
-#include <library.h>
-#include <utils/host.h>
-#include <utils/identification.h>
-#include <config/ike_cfg.h>
-#include <config/peer_cfg.h>
-#include <config/backend.h>
-
-
-/**
- * A loader and multiplexer to use multiple backends.
- *
- * Charon allows the use of multiple configuration backends simultaneously. To
- * access all this backends by a single call, this class wraps multiple
- * backends behind a single object.
- * @verbatim
-
-   +---------+      +-----------+         +--------------+     |
-   |         |      |           |       +--------------+ |     |
-   | daemon  |----->| backend_- |     +--------------+ |-+  <==|==> IPC
-   |  core   |      | manager   |---->|   backends   |-+       |
-   |         |----->|           |     +--------------+         |
-   |         |      |           |                              |
-   +---------+      +-----------+                              |
-
-   @endverbatim
- */
-struct backend_manager_t {
-
-	/**
-	 * Get an ike_config identified by two hosts.
-	 *
-	 * @param my_host			address of own host
-	 * @param other_host		address of remote host
-	 * @return					matching ike_config, or NULL if none found
-	 */
-	ike_cfg_t* (*get_ike_cfg)(backend_manager_t *this,
-							  host_t *my_host, host_t *other_host);
-
-	/**
-	 * Get a peer_config identified by it's name.
-	 *
-	 * @param name				name of the peer_config
-	 * @return					matching peer_config, or NULL if none found
-	 */
-	peer_cfg_t* (*get_peer_cfg_by_name)(backend_manager_t *this, char *name);
-
-	/**
-	 * Create an enumerator over all matching peer configs.
-	 *
-	 * Pass NULL as parameters to match any. The enumerator enumerates over
-	 * peer_cfgs, ordered by priority (best match first).
-	 *
-	 * @param me				local address
-	 * @param other				remote address
-	 * @param my_id				IDr in first authentication round
-	 * @param other_id			IDi in first authentication round
-	 * @return 					enumerator over peer_cfg_t
-	 */
-	enumerator_t* (*create_peer_cfg_enumerator)(backend_manager_t *this,
-							host_t *me, host_t *other, identification_t *my_id,
-							identification_t *other_id);
-	/**
-	 * Register a backend on the manager.
-	 *
-	 * @param backend			backend to register
-	 */
-	void (*add_backend)(backend_manager_t *this, backend_t *backend);
-
-	/**
-	 * Unregister a backend.
-	 *
-	 * @param backend			backend to unregister
-	 */
-	void (*remove_backend)(backend_manager_t *this, backend_t *backend);
-
-	/**
-	 * Destroys a backend_manager_t object.
-	 */
-	void (*destroy) (backend_manager_t *this);
-};
-
-/**
- * Create an instance of the backend manager
- *
- * @return		backend_manager instance
- */
-backend_manager_t* backend_manager_create(void);
-
-#endif /** BACKEND_MANAGER_H_ @}*/
diff --git a/src/charon/config/child_cfg.c b/src/charon/config/child_cfg.c
deleted file mode 100644
index 8410b3fe5..000000000
--- a/src/charon/config/child_cfg.c
+++ /dev/null
@@ -1,552 +0,0 @@
-/*
- * Copyright (C) 2008-2009 Tobias Brunner
- * Copyright (C) 2005-2007 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "child_cfg.h"
-
-#include <daemon.h>
-
-ENUM(action_names, ACTION_NONE, ACTION_RESTART,
-	"clear",
-	"hold",
-	"restart",
-);
-
-ENUM_BEGIN(ipcomp_transform_names, IPCOMP_NONE, IPCOMP_NONE,
-	"IPCOMP_NONE");
-ENUM_NEXT(ipcomp_transform_names, IPCOMP_OUI, IPCOMP_LZJH, IPCOMP_NONE,
-	"IPCOMP_OUI",
-	"IPCOMP_DEFLATE",
-	"IPCOMP_LZS",
-	"IPCOMP_LZJH");
-ENUM_END(ipcomp_transform_names, IPCOMP_LZJH);
-
-typedef struct private_child_cfg_t private_child_cfg_t;
-
-/**
- * Private data of an child_cfg_t object
- */
-struct private_child_cfg_t {
-
-	/**
-	 * Public part
-	 */
-	child_cfg_t public;
-
-	/**
-	 * Number of references hold by others to this child_cfg
-	 */
-	refcount_t refcount;
-
-	/**
-	 * Name of the child_cfg, used to query it
-	 */
-	char *name;
-
-	/**
-	 * list for all proposals
-	 */
-	linked_list_t *proposals;
-
-	/**
-	 * list for traffic selectors for my site
-	 */
-	linked_list_t *my_ts;
-
-	/**
-	 * list for traffic selectors for others site
-	 */
-	linked_list_t *other_ts;
-
-	/**
-	 * updown script
-	 */
-	char *updown;
-
-	/**
-	 * allow host access
-	 */
-	bool hostaccess;
-
-	/**
-	 * Mode to propose for a initiated CHILD: tunnel/transport
-	 */
-	ipsec_mode_t mode;
-
-	/**
-	 * action to take on DPD
-	 */
-	action_t dpd_action;
-
-	/**
-	 * action to take on CHILD_SA close
-	 */
-	action_t close_action;
-
-	/**
-	 * CHILD_SA lifetime config
-	 */
-	lifetime_cfg_t lifetime;
-
-	/**
-	 * enable IPComp
-	 */
-	bool use_ipcomp;
-
-	/**
-	 * Inactivity timeout
-	 */
-	u_int32_t inactivity;
-
-	/**
-	 * set up IPsec transport SA in MIPv6 proxy mode
-	 */
-	bool proxy_mode;
-
-	/**
-	 * enable installation and removal of kernel IPsec policies
-	 */
-	bool install_policy;
-};
-
-/**
- * Implementation of child_cfg_t.get_name.
- */
-static char *get_name(private_child_cfg_t *this)
-{
-	return this->name;
-}
-
-/**
- * Implementation of child_cfg_t.add_proposal.
- */
-static void add_proposal(private_child_cfg_t *this, proposal_t *proposal)
-{
-	this->proposals->insert_last(this->proposals, proposal);
-}
-
-/**
- * Implementation of child_cfg_t.get_proposals.
- */
-static linked_list_t* get_proposals(private_child_cfg_t *this, bool strip_dh)
-{
-	enumerator_t *enumerator;
-	proposal_t *current;
-	linked_list_t *proposals = linked_list_create();
-
-	enumerator = this->proposals->create_enumerator(this->proposals);
-	while (enumerator->enumerate(enumerator, &current))
-	{
-		current = current->clone(current);
-		if (strip_dh)
-		{
-			current->strip_dh(current);
-		}
-		proposals->insert_last(proposals, current);
-	}
-	enumerator->destroy(enumerator);
-
-	return proposals;
-}
-
-/**
- * Implementation of child_cfg_t.select_proposal.
- */
-static proposal_t* select_proposal(private_child_cfg_t*this,
-								   linked_list_t *proposals, bool strip_dh,
-								   bool private)
-{
-	enumerator_t *stored_enum, *supplied_enum;
-	proposal_t *stored, *supplied, *selected = NULL;
-
-	stored_enum = this->proposals->create_enumerator(this->proposals);
-	supplied_enum = proposals->create_enumerator(proposals);
-
-	/* compare all stored proposals with all supplied. Stored ones are preferred. */
-	while (stored_enum->enumerate(stored_enum, &stored))
-	{
-		stored = stored->clone(stored);
-		while (supplied_enum->enumerate(supplied_enum, &supplied))
-		{
-			if (strip_dh)
-			{
-				stored->strip_dh(stored);
-			}
-			selected = stored->select(stored, supplied, private);
-			if (selected)
-			{
-				DBG2(DBG_CFG, "received proposals: %#P", proposals);
-				DBG2(DBG_CFG, "configured proposals: %#P", this->proposals);
-				DBG2(DBG_CFG, "selected proposal: %P", selected);
-				break;
-			}
-		}
-		stored->destroy(stored);
-		if (selected)
-		{
-			break;
-		}
-		supplied_enum->destroy(supplied_enum);
-		supplied_enum = proposals->create_enumerator(proposals);
-	}
-	stored_enum->destroy(stored_enum);
-	supplied_enum->destroy(supplied_enum);
-	if (selected == NULL)
-	{
-		DBG1(DBG_CFG, "received proposals: %#P", proposals);
-		DBG1(DBG_CFG, "configured proposals: %#P", this->proposals);
-	}
-	return selected;
-}
-
-/**
- * Implementation of child_cfg_t.add_traffic_selector.
- */
-static void add_traffic_selector(private_child_cfg_t *this, bool local,
-								 traffic_selector_t *ts)
-{
-	if (local)
-	{
-		this->my_ts->insert_last(this->my_ts, ts);
-	}
-	else
-	{
-		this->other_ts->insert_last(this->other_ts, ts);
-	}
-}
-
-/**
- * Implementation of child_cfg_t.get_traffic_selectors.
- */
-static linked_list_t* get_traffic_selectors(private_child_cfg_t *this, bool local,
-											linked_list_t *supplied,
-											host_t *host)
-{
-	enumerator_t *e1, *e2;
-	traffic_selector_t *ts1, *ts2, *selected;
-	linked_list_t *result = linked_list_create();
-
-	if (local)
-	{
-		e1 = this->my_ts->create_enumerator(this->my_ts);
-	}
-	else
-	{
-		e1 = this->other_ts->create_enumerator(this->other_ts);
-	}
-
-	/* no list supplied, just fetch the stored traffic selectors */
-	if (supplied == NULL)
-	{
-		DBG2(DBG_CFG, "proposing traffic selectors for %s:",
-			 local ? "us" : "other");
-		while (e1->enumerate(e1, &ts1))
-		{
-			/* we make a copy of the TS, this allows us to update dynamic TS' */
-			selected = ts1->clone(ts1);
-			if (host)
-			{
-				selected->set_address(selected, host);
-			}
-			DBG2(DBG_CFG, " %R (derived from %R)", selected, ts1);
-			result->insert_last(result, selected);
-		}
-		e1->destroy(e1);
-	}
-	else
-	{
-		DBG2(DBG_CFG, "selecting traffic selectors for %s:",
-			 local ? "us" : "other");
-		e2 = supplied->create_enumerator(supplied);
-		/* iterate over all stored selectors */
-		while (e1->enumerate(e1, &ts1))
-		{
-			/* we make a copy of the TS, as we have to update dynamic TS' */
-			ts1 = ts1->clone(ts1);
-			if (host)
-			{
-				ts1->set_address(ts1, host);
-			}
-
-			/* iterate over all supplied traffic selectors */
-			while (e2->enumerate(e2, &ts2))
-			{
-				selected = ts1->get_subset(ts1, ts2);
-				if (selected)
-				{
-					DBG2(DBG_CFG, " config: %R, received: %R => match: %R",
-						 ts1, ts2, selected);
-					result->insert_last(result, selected);
-				}
-				else
-				{
-					DBG2(DBG_CFG, " config: %R, received: %R => no match",
-						 ts1, ts2);
-				}
-			}
-			e2->destroy(e2);
-			e2 = supplied->create_enumerator(supplied);
-			ts1->destroy(ts1);
-		}
-		e1->destroy(e1);
-		e2->destroy(e2);
-	}
-
-	/* remove any redundant traffic selectors in the list */
-	e1 = result->create_enumerator(result);
-	e2 = result->create_enumerator(result);
-	while (e1->enumerate(e1, &ts1))
-	{
-		while (e2->enumerate(e2, &ts2))
-		{
-			if (ts1 != ts2)
-			{
-				if (ts2->is_contained_in(ts2, ts1))
-				{
-					result->remove_at(result, e2);
-					ts2->destroy(ts2);
-					e1->destroy(e1);
-					e1 = result->create_enumerator(result);
-					break;
-				}
-				if (ts1->is_contained_in(ts1, ts2))
-				{
-					result->remove_at(result, e1);
-					ts1->destroy(ts1);
-					e2->destroy(e2);
-					e2 = result->create_enumerator(result);
-					break;
-				}
-			}
-		}
-	}
-	e1->destroy(e1);
-	e2->destroy(e2);
-
-	return result;
-}
-
-/**
- * Implementation of child_cfg_t.get_updown.
- */
-static char* get_updown(private_child_cfg_t *this)
-{
-	return this->updown;
-}
-
-/**
- * Implementation of child_cfg_t.get_hostaccess.
- */
-static bool get_hostaccess(private_child_cfg_t *this)
-{
-	return this->hostaccess;
-}
-
-/**
- * Applies jitter to the rekey value. Returns the new rekey value.
- * Note: The distribution of random values is not perfect, but it
- * should get the job done.
- */
-static u_int64_t apply_jitter(u_int64_t rekey, u_int64_t jitter)
-{
-	if (jitter == 0)
-	{
-		return rekey;
-	}
-	jitter = (jitter == UINT64_MAX) ? jitter : jitter + 1;
-	return rekey - jitter * (random() / (RAND_MAX + 1.0));
-}
-#define APPLY_JITTER(l) l.rekey = apply_jitter(l.rekey, l.jitter)
-
-/**
- * Implementation of child_cfg_t.get_lifetime.
- */
-static lifetime_cfg_t *get_lifetime(private_child_cfg_t *this)
-{
-	lifetime_cfg_t *lft = malloc_thing(lifetime_cfg_t);
-	memcpy(lft, &this->lifetime, sizeof(lifetime_cfg_t));
-	APPLY_JITTER(lft->time);
-	APPLY_JITTER(lft->bytes);
-	APPLY_JITTER(lft->packets);
-	return lft;
-}
-
-/**
- * Implementation of child_cfg_t.get_mode.
- */
-static ipsec_mode_t get_mode(private_child_cfg_t *this)
-{
-	return this->mode;
-}
-
-/**
- * Implementation of child_cfg_t.get_dpd_action.
- */
-static action_t get_dpd_action(private_child_cfg_t *this)
-{
-	return this->dpd_action;
-}
-
-/**
- * Implementation of child_cfg_t.get_close_action.
- */
-static action_t get_close_action(private_child_cfg_t *this)
-{
-	return this->close_action;
-}
-
-/**
- * Implementation of child_cfg_t.get_dh_group.
- */
-static diffie_hellman_group_t get_dh_group(private_child_cfg_t *this)
-{
-	enumerator_t *enumerator;
-	proposal_t *proposal;
-	u_int16_t dh_group = MODP_NONE;
-
-	enumerator = this->proposals->create_enumerator(this->proposals);
-	while (enumerator->enumerate(enumerator, &proposal))
-	{
-		if (proposal->get_algorithm(proposal, DIFFIE_HELLMAN_GROUP, &dh_group, NULL))
-		{
-			break;
-		}
-	}
-	enumerator->destroy(enumerator);
-	return dh_group;
-}
-
-/**
- * Implementation of child_cfg_t.use_ipcomp.
- */
-static bool use_ipcomp(private_child_cfg_t *this)
-{
-	return this->use_ipcomp;
-}
-
-/**
- * Implementation of child_cfg_t.get_inactivity.
- */
-static u_int32_t get_inactivity(private_child_cfg_t *this)
-{
-	return this->inactivity;
-}
-
-/**
- * Implementation of child_cfg_t.set_mipv6_options.
- */
-static void set_mipv6_options(private_child_cfg_t *this, bool proxy_mode,
-														 bool install_policy)
-{
-	this->proxy_mode = proxy_mode;
-	this->install_policy = install_policy;
-}
-
-/**
- * Implementation of child_cfg_t.use_proxy_mode.
- */
-static bool use_proxy_mode(private_child_cfg_t *this)
-{
-	return this->proxy_mode;
-}
-
-/**
- * Implementation of child_cfg_t.install_policy.
- */
-static bool install_policy(private_child_cfg_t *this)
-{
-	return this->install_policy;
-}
-
-/**
- * Implementation of child_cfg_t.get_ref.
- */
-static child_cfg_t* get_ref(private_child_cfg_t *this)
-{
-	ref_get(&this->refcount);
-	return &this->public;
-}
-
-/**
- * Implements child_cfg_t.destroy.
- */
-static void destroy(private_child_cfg_t *this)
-{
-	if (ref_put(&this->refcount))
-	{
-		this->proposals->destroy_offset(this->proposals, offsetof(proposal_t, destroy));
-		this->my_ts->destroy_offset(this->my_ts, offsetof(traffic_selector_t, destroy));
-		this->other_ts->destroy_offset(this->other_ts, offsetof(traffic_selector_t, destroy));
-		if (this->updown)
-		{
-			free(this->updown);
-		}
-		free(this->name);
-		free(this);
-	}
-}
-
-/*
- * Described in header-file
- */
-child_cfg_t *child_cfg_create(char *name, lifetime_cfg_t *lifetime,
-							  char *updown, bool hostaccess,
-							  ipsec_mode_t mode, action_t dpd_action,
-							  action_t close_action, bool ipcomp,
-							  u_int32_t inactivity)
-{
-	private_child_cfg_t *this = malloc_thing(private_child_cfg_t);
-
-	this->public.get_name = (char* (*) (child_cfg_t*))get_name;
-	this->public.add_traffic_selector = (void (*)(child_cfg_t*,bool,traffic_selector_t*))add_traffic_selector;
-	this->public.get_traffic_selectors = (linked_list_t*(*)(child_cfg_t*,bool,linked_list_t*,host_t*))get_traffic_selectors;
-	this->public.add_proposal = (void (*) (child_cfg_t*,proposal_t*))add_proposal;
-	this->public.get_proposals = (linked_list_t* (*) (child_cfg_t*,bool))get_proposals;
-	this->public.select_proposal = (proposal_t* (*) (child_cfg_t*,linked_list_t*,bool,bool))select_proposal;
-	this->public.get_updown = (char* (*) (child_cfg_t*))get_updown;
-	this->public.get_hostaccess = (bool (*) (child_cfg_t*))get_hostaccess;
-	this->public.get_mode = (ipsec_mode_t (*) (child_cfg_t *))get_mode;
-	this->public.get_dpd_action = (action_t (*) (child_cfg_t *))get_dpd_action;
-	this->public.get_close_action = (action_t (*) (child_cfg_t *))get_close_action;
-	this->public.get_lifetime = (lifetime_cfg_t* (*) (child_cfg_t *))get_lifetime;
-	this->public.get_dh_group = (diffie_hellman_group_t(*)(child_cfg_t*)) get_dh_group;
-	this->public.set_mipv6_options = (void (*) (child_cfg_t*,bool,bool))set_mipv6_options;
-	this->public.use_ipcomp = (bool (*) (child_cfg_t *))use_ipcomp;
-	this->public.get_inactivity = (u_int32_t (*) (child_cfg_t *))get_inactivity;
-	this->public.use_proxy_mode = (bool (*) (child_cfg_t *))use_proxy_mode;
-	this->public.install_policy = (bool (*) (child_cfg_t *))install_policy;
-	this->public.get_ref = (child_cfg_t* (*) (child_cfg_t*))get_ref;
-	this->public.destroy = (void (*) (child_cfg_t*))destroy;
-
-	this->name = strdup(name);
-	this->updown = updown ? strdup(updown) : NULL;
-	this->hostaccess = hostaccess;
-	this->mode = mode;
-	this->dpd_action = dpd_action;
-	this->close_action = close_action;
-	this->use_ipcomp = ipcomp;
-	this->inactivity = inactivity;
-	this->proxy_mode = FALSE;
-	this->install_policy = TRUE;
-	this->refcount = 1;
-	this->proposals = linked_list_create();
-	this->my_ts = linked_list_create();
-	this->other_ts = linked_list_create();
-	memcpy(&this->lifetime, lifetime, sizeof(lifetime_cfg_t));
-
-	return &this->public;
-}
-
diff --git a/src/charon/config/child_cfg.h b/src/charon/config/child_cfg.h
deleted file mode 100644
index c6186ea36..000000000
--- a/src/charon/config/child_cfg.h
+++ /dev/null
@@ -1,310 +0,0 @@
-/*
- * Copyright (C) 2008-2009 Tobias Brunner
- * Copyright (C) 2005-2007 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup child_cfg child_cfg
- * @{ @ingroup config
- */
-
-#ifndef CHILD_CFG_H_
-#define CHILD_CFG_H_
-
-typedef enum action_t action_t;
-typedef enum ipcomp_transform_t ipcomp_transform_t;
-typedef struct lifetime_cfg_t lifetime_cfg_t;
-typedef struct child_cfg_t child_cfg_t;
-
-#include <library.h>
-#include <selectors/traffic_selector.h>
-#include <config/proposal.h>
-#include <kernel/kernel_ipsec.h>
-
-/**
- * Action to take when DPD detected/connection gets closed by peer.
- */
-enum action_t {
-	/** No action */
-	ACTION_NONE,
-	/** Route config to reestablish on demand */
-	ACTION_ROUTE,
-	/** Restart config immediately */
-	ACTION_RESTART,
-};
-
-/**
- * enum names for action_t.
- */
-extern enum_name_t *action_names;
-
-/**
- * IPComp transform IDs, as in RFC 4306
- */
-enum ipcomp_transform_t {
-	IPCOMP_NONE = 241,
-	IPCOMP_OUI = 1,
-	IPCOMP_DEFLATE = 2,
-	IPCOMP_LZS = 3,
-	IPCOMP_LZJH = 4,
-};
-
-/**
- * enum strings for ipcomp_transform_t.
- */
-extern enum_name_t *ipcomp_transform_names;
-
-/**
- * A lifetime_cfg_t defines the lifetime limits of a CHILD_SA.
- *
- * Set any of these values to 0 to ignore.
- */
-struct lifetime_cfg_t {
-	struct {
-		/** Limit before the CHILD_SA gets invalid. */
-		u_int64_t	life;
-		/** Limit before the CHILD_SA gets rekeyed. */
-		u_int64_t	rekey;
-		/** The range of a random value subtracted from rekey. */
-		u_int64_t	jitter;
-	} time, bytes, packets;
-};
-
-/**
- * A child_cfg_t defines the config template for a CHILD_SA.
- *
- * After creation, proposals and traffic selectors may be added to the config.
- * A child_cfg object is referenced multiple times, and is not thread save.
- * Reading from the object is save, adding things is not allowed while other
- * threads may access the object.
- * A reference counter handles the number of references hold to this config.
- *
- * @see peer_cfg_t to get an overview over the configurations.
- */
-struct child_cfg_t {
-
-	/**
-	 * Get the name of the child_cfg.
-	 *
-	 * @return				child_cfg's name
-	 */
-	char *(*get_name) (child_cfg_t *this);
-
-	/**
-	 * Add a proposal to the list.
-	 *
-	 * The proposals are stored by priority, first added
-	 * is the most prefered.
-	 * After add, proposal is owned by child_cfg.
-	 *
-	 * @param proposal		proposal to add
-	 */
-	void (*add_proposal) (child_cfg_t *this, proposal_t *proposal);
-
-	/**
-	 * Get the list of proposals for the CHILD_SA.
-	 *
-	 * Resulting list and all of its proposals must be freed after use.
-	 *
-	 * @param strip_dh		TRUE strip out diffie hellman groups
-	 * @return				list of proposals
-	 */
-	linked_list_t* (*get_proposals)(child_cfg_t *this, bool strip_dh);
-
-	/**
-	 * Select a proposal from a supplied list.
-	 *
-	 * Returned propsal is newly created and must be destroyed after usage.
-	 *
-	 * @param proposals		list from from wich proposals are selected
-	 * @param strip_dh		TRUE strip out diffie hellman groups
-	 * @param private		accept algorithms from a private range
-	 * @return				selected proposal, or NULL if nothing matches
-	 */
-	proposal_t* (*select_proposal)(child_cfg_t*this, linked_list_t *proposals,
-								   bool strip_dh, bool private);
-
-	/**
-	 * Add a traffic selector to the config.
-	 *
-	 * Use the "local" parameter to add it for the local or the remote side.
-	 * After add, traffic selector is owned by child_cfg.
-	 *
-	 * @param local			TRUE for local side, FALSE for remote
-	 * @param ts			traffic_selector to add
-	 */
-	void (*add_traffic_selector)(child_cfg_t *this, bool local,
-								 traffic_selector_t *ts);
-
-	/**
-	 * Get a list of traffic selectors to use for the CHILD_SA.
-	 *
-	 * The config contains two set of traffic selectors, one for the local
-	 * side, one for the remote side.
-	 * If a list with traffic selectors is supplied, these are used to narrow
-	 * down the traffic selector list to the greatest common divisor.
-	 * Some traffic selector may be "dymamic", meaning they are narrowed down
-	 * to a specific address (host-to-host or virtual-IP setups). Use
-	 * the "host" parameter to narrow such traffic selectors to that address.
-	 * Resulted list and its traffic selectors must be destroyed after use.
-	 *
-	 * @param local			TRUE for TS on local side, FALSE for remote
-	 * @param supplied		list with TS to select from, or NULL
-	 * @param host			address to use for narrowing "dynamic" TS', or NULL
-	 * @return				list containing the traffic selectors
-	 */
-	linked_list_t *(*get_traffic_selectors)(child_cfg_t *this, bool local,
-											linked_list_t *supplied,
-											host_t *host);
-	/**
-	 * Get the updown script to run for the CHILD_SA.
-	 *
-	 * @return				path to updown script
-	 */
-	char* (*get_updown)(child_cfg_t *this);
-
-	/**
-	 * Should we allow access to the local host (gateway)?
-	 *
-	 * @return				value of hostaccess flag
-	 */
-	bool (*get_hostaccess) (child_cfg_t *this);
-
-	/**
-	 * Get the lifetime configuration of a CHILD_SA.
-	 *
-	 * The rekey limits automatically contain a jitter to avoid simultaneous
-	 * rekeying. These values will change with each call to this function.
-	 *
-	 * @return				lifetime_cfg_t (has to be freed)
-	 */
-	lifetime_cfg_t* (*get_lifetime) (child_cfg_t *this);
-
-	/**
-	 * Get the mode to use for the CHILD_SA.
-	 *
-	 * The mode is either tunnel, transport or BEET. The peer must agree
-	 * on the method, fallback is tunnel mode.
-	 *
-	 * @return				ipsec mode
-	 */
-	ipsec_mode_t (*get_mode) (child_cfg_t *this);
-
-	/**
-	 * Action to take on DPD.
-	 *
-	 * @return				DPD action
-	 */
-	action_t (*get_dpd_action) (child_cfg_t *this);
-
-	/**
-	 * Action to take if CHILD_SA gets closed.
-	 *
-	 * @return				close action
-	 */
-	action_t (*get_close_action) (child_cfg_t *this);
-
-	/**
-	 * Get the DH group to use for CHILD_SA setup.
-	 *
-	 * @return				dh group to use
-	 */
-	diffie_hellman_group_t (*get_dh_group)(child_cfg_t *this);
-
-	/**
-	 * Check whether IPComp should be used, if the other peer supports it.
-	 *
-	 * @return				TRUE, if IPComp should be used
-	 * 						FALSE, otherwise
-	 */
-	bool (*use_ipcomp)(child_cfg_t *this);
-
-	/**
-	 * Get the inactivity timeout value.
-	 *
-	 * @return				inactivity timeout in s
-	 */
-	u_int32_t (*get_inactivity)(child_cfg_t *this);
-
-	/**
-	 * Sets two options needed for Mobile IPv6 interoperability
-	 *
-	 * @param proxy_mode	use IPsec transport proxy mode (default FALSE)
-	 * @param install_policy install IPsec kernel policies (default TRUE)
-	 */
-	void (*set_mipv6_options)(child_cfg_t *this, bool proxy_mode,
-												 bool install_policy);
-
-	/**
-	 * Check whether IPsec transport SA should be set up in proxy mode
-	 *
-	 * @return				TRUE, if proxy mode should be used
-	 * 						FALSE, otherwise
-	 */
-	bool (*use_proxy_mode)(child_cfg_t *this);
-
-	/**
-	 * Check whether IPsec policies should be installed in the kernel
-	 *
-	 * @return				TRUE, if IPsec kernel policies should be installed
-	 * 						FALSE, otherwise
-	 */
-	bool (*install_policy)(child_cfg_t *this);
-
-	/**
-	 * Increase the reference count.
-	 *
-	 * @return				reference to this
-	 */
-	child_cfg_t* (*get_ref) (child_cfg_t *this);
-
-	/**
-	 * Destroys the child_cfg object.
-	 *
-	 * Decrements the internal reference counter and
-	 * destroys the child_cfg when it reaches zero.
-	 */
-	void (*destroy) (child_cfg_t *this);
-};
-
-/**
- * Create a configuration template for CHILD_SA setup.
- *
- * The "name" string gets cloned.
- *
- * The lifetime_cfg_t object gets cloned.
- * To prevent two peers to start rekeying at the same time, a jitter may be
- * specified. Rekeying of an SA starts at (x.rekey - random(0, x.jitter)).
- *
- * After a call to create, a reference is obtained (refcount = 1).
- *
- * @param name				name of the child_cfg
- * @param lifetime			lifetime_cfg_t for this child_cfg
- * @param updown			updown script to execute on up/down event
- * @param hostaccess		TRUE to allow access to the local host
- * @param mode				mode to propose for CHILD_SA, transport, tunnel or BEET
- * @param dpd_action		DPD action
- * @param close_action		close action
- * @param ipcomp			use IPComp, if peer supports it
- * @param inactivity		inactivity timeout in s before closing a CHILD_SA
- * @return 					child_cfg_t object
- */
-child_cfg_t *child_cfg_create(char *name, lifetime_cfg_t *lifetime,
-							  char *updown, bool hostaccess,
-							  ipsec_mode_t mode, action_t dpd_action,
-							  action_t close_action, bool ipcomp,
-							  u_int32_t inactivity);
-
-#endif /** CHILD_CFG_H_ @}*/
diff --git a/src/charon/config/ike_cfg.c b/src/charon/config/ike_cfg.c
deleted file mode 100644
index 2e748f511..000000000
--- a/src/charon/config/ike_cfg.c
+++ /dev/null
@@ -1,286 +0,0 @@
-/*
- * Copyright (C) 2005-2007 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "ike_cfg.h"
-
-#include <string.h>
-
-#include <daemon.h>
-
-
-typedef struct private_ike_cfg_t private_ike_cfg_t;
-
-/**
- * Private data of an ike_cfg_t object
- */
-struct private_ike_cfg_t {
-
-	/**
-	 * Public part
-	 */
-	ike_cfg_t public;
-
-	/**
-	 * Number of references hold by others to this ike_cfg
-	 */
-	refcount_t refcount;
-
-	/**
-	 * Address of local host
-	 */
-	char *me;
-
-	/**
-	 * Address of remote host
-	 */
-	char *other;
-
-	/**
-	 * should we send a certificate request?
-	 */
-	bool certreq;
-
-	/**
-	 * enforce UDP encapsulation
-	 */
-	bool force_encap;
-
-	/**
-	 * List of proposals to use
-	 */
-	linked_list_t *proposals;
-};
-
-/**
- * Implementation of ike_cfg_t.certreq.
- */
-static bool send_certreq(private_ike_cfg_t *this)
-{
-	return this->certreq;
-}
-
-/**
- * Implementation of ike_cfg_t.force_encap.
- */
-static bool force_encap_meth(private_ike_cfg_t *this)
-{
-	return this->force_encap;
-}
-
-/**
- * Implementation of ike_cfg_t.get_my_addr.
- */
-static char *get_my_addr(private_ike_cfg_t *this)
-{
-	return this->me;
-}
-
-/**
- * Implementation of ike_cfg_t.get_other_addr.
- */
-static char *get_other_addr(private_ike_cfg_t *this)
-{
-	return this->other;
-}
-
-/**
- * Implementation of ike_cfg_t.add_proposal.
- */
-static void add_proposal(private_ike_cfg_t *this, proposal_t *proposal)
-{
-	this->proposals->insert_last(this->proposals, proposal);
-}
-
-/**
- * Implementation of ike_cfg_t.get_proposals.
- */
-static linked_list_t* get_proposals(private_ike_cfg_t *this)
-{
-	iterator_t *iterator;
-	proposal_t *current;
-	linked_list_t *proposals = linked_list_create();
-
-	iterator = this->proposals->create_iterator(this->proposals, TRUE);
-	while (iterator->iterate(iterator, (void**)&current))
-	{
-		current = current->clone(current);
-		proposals->insert_last(proposals, (void*)current);
-	}
-	iterator->destroy(iterator);
-
-	return proposals;
-}
-
-/**
- * Implementation of ike_cfg_t.select_proposal.
- */
-static proposal_t *select_proposal(private_ike_cfg_t *this,
-								   linked_list_t *proposals, bool private)
-{
-	iterator_t *stored_iter, *supplied_iter;
-	proposal_t *stored, *supplied, *selected;
-
-	stored_iter = this->proposals->create_iterator(this->proposals, TRUE);
-	supplied_iter = proposals->create_iterator(proposals, TRUE);
-
-
-	/* compare all stored proposals with all supplied. Stored ones are preferred.*/
-	while (stored_iter->iterate(stored_iter, (void**)&stored))
-	{
-		supplied_iter->reset(supplied_iter);
-
-		while (supplied_iter->iterate(supplied_iter, (void**)&supplied))
-		{
-			selected = stored->select(stored, supplied, private);
-			if (selected)
-			{
-				/* they match, return */
-				stored_iter->destroy(stored_iter);
-				supplied_iter->destroy(supplied_iter);
-				DBG2(DBG_CFG, "received proposals: %#P", proposals);
-				DBG2(DBG_CFG, "configured proposals: %#P", this->proposals);
-				DBG2(DBG_CFG, "selected proposal: %P", selected);
-				return selected;
-			}
-		}
-	}
-	/* no proposal match :-(, will result in a NO_PROPOSAL_CHOSEN... */
-	stored_iter->destroy(stored_iter);
-	supplied_iter->destroy(supplied_iter);
-	DBG1(DBG_CFG, "received proposals: %#P", proposals);
-	DBG1(DBG_CFG, "configured proposals: %#P", this->proposals);
-
-	return NULL;
-}
-
-/**
- * Implementation of ike_cfg_t.get_dh_group.
- */
-static diffie_hellman_group_t get_dh_group(private_ike_cfg_t *this)
-{
-	enumerator_t *enumerator;
-	proposal_t *proposal;
-	u_int16_t dh_group = MODP_NONE;
-
-	enumerator = this->proposals->create_enumerator(this->proposals);
-	while (enumerator->enumerate(enumerator, &proposal))
-	{
-		if (proposal->get_algorithm(proposal, DIFFIE_HELLMAN_GROUP, &dh_group, NULL))
-		{
-			break;
-		}
-	}
-	enumerator->destroy(enumerator);
-	return dh_group;
-}
-
-/**
- * Implementation of ike_cfg_t.equals.
- */
-static bool equals(private_ike_cfg_t *this, private_ike_cfg_t *other)
-{
-	enumerator_t *e1, *e2;
-	proposal_t *p1, *p2;
-	bool eq = TRUE;
-
-	if (this == other)
-	{
-		return TRUE;
-	}
-	if (this->public.equals != other->public.equals)
-	{
-		return FALSE;
-	}
-	if (this->proposals->get_count(this->proposals) !=
-		other->proposals->get_count(other->proposals))
-	{
-		return FALSE;
-	}
-	e1 = this->proposals->create_enumerator(this->proposals);
-	e2 = this->proposals->create_enumerator(this->proposals);
-	while (e1->enumerate(e1, &p1) && e2->enumerate(e2, &p2))
-	{
-		if (!p1->equals(p1, p2))
-		{
-			eq = FALSE;
-			break;
-		}
-	}
-	e1->destroy(e1);
-	e2->destroy(e2);
-
-	return (eq &&
-		this->certreq == other->certreq &&
-		this->force_encap == other->force_encap &&
-		streq(this->me, other->me) &&
-		streq(this->other, other->other));
-}
-
-/**
- * Implementation of ike_cfg_t.get_ref.
- */
-static ike_cfg_t* get_ref(private_ike_cfg_t *this)
-{
-	ref_get(&this->refcount);
-	return &this->public;
-}
-
-/**
- * Implementation of ike_cfg_t.destroy.
- */
-static void destroy(private_ike_cfg_t *this)
-{
-	if (ref_put(&this->refcount))
-	{
-		this->proposals->destroy_offset(this->proposals,
-										offsetof(proposal_t, destroy));
-		free(this->me);
-		free(this->other);
-		free(this);
-	}
-}
-
-/**
- * Described in header.
- */
-ike_cfg_t *ike_cfg_create(bool certreq, bool force_encap,
-						  char *me, char *other)
-{
-	private_ike_cfg_t *this = malloc_thing(private_ike_cfg_t);
-
-	/* public functions */
-	this->public.send_certreq = (bool(*)(ike_cfg_t*))send_certreq;
-	this->public.force_encap = (bool (*) (ike_cfg_t *))force_encap_meth;
-	this->public.get_my_addr = (char*(*)(ike_cfg_t*))get_my_addr;
-	this->public.get_other_addr = (char*(*)(ike_cfg_t*))get_other_addr;
-	this->public.add_proposal = (void(*)(ike_cfg_t*, proposal_t*)) add_proposal;
-	this->public.get_proposals = (linked_list_t*(*)(ike_cfg_t*))get_proposals;
-	this->public.select_proposal = (proposal_t*(*)(ike_cfg_t*,linked_list_t*,bool))select_proposal;
-	this->public.get_dh_group = (diffie_hellman_group_t(*)(ike_cfg_t*)) get_dh_group;
-	this->public.equals = (bool(*)(ike_cfg_t*,ike_cfg_t*)) equals;
-	this->public.get_ref = (ike_cfg_t*(*)(ike_cfg_t*))get_ref;
-	this->public.destroy = (void(*)(ike_cfg_t*))destroy;
-
-	/* private variables */
-	this->refcount = 1;
-	this->certreq = certreq;
-	this->force_encap = force_encap;
-	this->me = strdup(me);
-	this->other = strdup(other);
-	this->proposals = linked_list_create();
-
-	return &this->public;
-}
diff --git a/src/charon/config/ike_cfg.h b/src/charon/config/ike_cfg.h
deleted file mode 100644
index eaac321b9..000000000
--- a/src/charon/config/ike_cfg.h
+++ /dev/null
@@ -1,145 +0,0 @@
-/*
- * Copyright (C) 2005-2007 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup ike_cfg ike_cfg
- * @{ @ingroup config
- */
-
-#ifndef IKE_CFG_H_
-#define IKE_CFG_H_
-
-typedef struct ike_cfg_t ike_cfg_t;
-
-#include <library.h>
-#include <utils/host.h>
-#include <utils/linked_list.h>
-#include <utils/identification.h>
-#include <config/proposal.h>
-#include <crypto/diffie_hellman.h>
-
-/**
- * An ike_cfg_t defines the rules to set up an IKE_SA.
- *
- * @see peer_cfg_t to get an overview over the configurations.
- */
-struct ike_cfg_t {
-
-	/**
-	 * Get own address.
-	 *
-	 * @return		string of address/DNS name
-	 */
-	char* (*get_my_addr) (ike_cfg_t *this);
-
-	/**
-	 * Get peers address.
-	 *
-	 * @return		string of address/DNS name
-	 */
-	char* (*get_other_addr) (ike_cfg_t *this);
-
-	/**
-	 * Adds a proposal to the list.
-	 *
-	 * The first added proposal has the highest priority, the last
-	 * added the lowest.
-	 *
-	 * @param proposal	proposal to add
-	 */
-	void (*add_proposal) (ike_cfg_t *this, proposal_t *proposal);
-
-	/**
-	 * Returns a list of all supported proposals.
-	 *
-	 * Returned list and its proposals must be destroyed after use.
-	 *
-	 * @return 			list containing all the proposals
-	 */
-	linked_list_t* (*get_proposals) (ike_cfg_t *this);
-
-	/**
-	 * Select a proposed from suggested proposals.
-	 *
-	 * Returned proposal must be destroyed after use.
-	 *
-	 * @param proposals	list of proposals to select from
-	 * @param private	accept algorithms from a private range
-	 * @return			selected proposal, or NULL if none matches.
-	 */
-	proposal_t *(*select_proposal) (ike_cfg_t *this, linked_list_t *proposals,
-									bool private);
-
-	/**
-	 * Should we send a certificate request in IKE_SA_INIT?
-	 *
-	 * @return			certificate request sending policy
-	 */
-	bool (*send_certreq) (ike_cfg_t *this);
-
-	/**
-	 * Enforce UDP encapsulation by faking NATD notifies?
-	 *
-	 * @return			TRUE to enfoce UDP encapsulation
-	 */
-	bool (*force_encap) (ike_cfg_t *this);
-
-	/**
-	 * Get the DH group to use for IKE_SA setup.
-	 *
-	 * @return			dh group to use for initialization
-	 */
-	diffie_hellman_group_t (*get_dh_group)(ike_cfg_t *this);
-
-	/**
-	 * Check if two IKE configs are equal.
-	 *
-	 * @param other		other to check for equality
-	 * @return			TRUE if other equal to this
-	 */
-	bool (*equals)(ike_cfg_t *this, ike_cfg_t *other);
-
-	/**
-	 * Increase reference count.
-	 *
-	 * @return			reference to this
-	 */
-	ike_cfg_t* (*get_ref) (ike_cfg_t *this);
-
-	/**
-	 * Destroys a ike_cfg_t object.
-	 *
-	 * Decrements the internal reference counter and
-	 * destroys the ike_cfg when it reaches zero.
-	 */
-	void (*destroy) (ike_cfg_t *this);
-};
-
-/**
- * Creates a ike_cfg_t object.
- *
- * Supplied hosts become owned by ike_cfg, the name gets cloned.
- *
- * @param certreq		TRUE to send a certificate request
- * @param force_encap	enforce UDP encapsulation by faking NATD notify
- * @param me			address/DNS name of local peer
- * @param other			address/DNS name of remote peer
- * @return 				ike_cfg_t object.
- */
-ike_cfg_t *ike_cfg_create(bool certreq, bool force_encap,
-						  char *me, char *other);
-
-#endif /** IKE_CFG_H_ @}*/
diff --git a/src/charon/config/peer_cfg.c b/src/charon/config/peer_cfg.c
deleted file mode 100644
index 9df14c9ae..000000000
--- a/src/charon/config/peer_cfg.c
+++ /dev/null
@@ -1,699 +0,0 @@
-/*
- * Copyright (C) 2007-2008 Tobias Brunner
- * Copyright (C) 2005-2009 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <string.h>
-
-#include "peer_cfg.h"
-
-#include <daemon.h>
-
-#include <threading/mutex.h>
-#include <utils/linked_list.h>
-#include <utils/identification.h>
-
-ENUM(cert_policy_names, CERT_ALWAYS_SEND, CERT_NEVER_SEND,
-	"CERT_ALWAYS_SEND",
-	"CERT_SEND_IF_ASKED",
-	"CERT_NEVER_SEND",
-);
-
-ENUM(unique_policy_names, UNIQUE_NO, UNIQUE_KEEP,
-	"UNIQUE_NO",
-	"UNIQUE_REPLACE",
-	"UNIQUE_KEEP",
-);
-
-typedef struct private_peer_cfg_t private_peer_cfg_t;
-
-/**
- * Private data of an peer_cfg_t object
- */
-struct private_peer_cfg_t {
-
-	/**
-	 * Public part
-	 */
-	peer_cfg_t public;
-
-	/**
-	 * Number of references hold by others to this peer_cfg
-	 */
-	refcount_t refcount;
-
-	/**
-	 * Name of the peer_cfg, used to query it
-	 */
-	char *name;
-
-	/**
-	 * IKE version to use for initiation
-	 */
-	u_int ike_version;
-
-	/**
-	 * IKE config associated to this peer config
-	 */
-	ike_cfg_t *ike_cfg;
-
-	/**
-	 * list of child configs associated to this peer config
-	 */
-	linked_list_t *child_cfgs;
-
-	/**
-	 * mutex to lock access to list of child_cfgs
-	 */
-	mutex_t *mutex;
-
-	/**
-	 * should we send a certificate
-	 */
-	cert_policy_t cert_policy;
-
-	/**
-	 * uniqueness of an IKE_SA
-	 */
-	unique_policy_t unique;
-
-	/**
-	 * number of tries after giving up if peer does not respond
-	 */
-	u_int32_t keyingtries;
-
-	/**
-	 * enable support for MOBIKE
-	 */
-	bool use_mobike;
-
-	/**
-	 * Time before starting rekeying
-	 */
-	u_int32_t rekey_time;
-
-	/**
-	 * Time before starting reauthentication
-	 */
-	u_int32_t reauth_time;
-
-	/**
-	 * Time, which specifies the range of a random value substracted from above.
-	 */
-	u_int32_t jitter_time;
-
-	/**
-	 * Delay before deleting a rekeying/reauthenticating SA
-	 */
-	u_int32_t over_time;
-
-	/**
-	 * DPD check intervall
-	 */
-	u_int32_t dpd;
-
-	/**
-	 * virtual IP to use locally
-	 */
-	host_t *virtual_ip;
-
-	/**
-	 * pool to acquire configuration attributes from
-	 */
-	char *pool;
-
-	/**
-	 * local authentication configs (rulesets)
-	 */
-	linked_list_t *local_auth;
-
-	/**
-	 * remote authentication configs (constraints)
-	 */
-	linked_list_t *remote_auth;
-
-#ifdef ME
-	/**
-	 * Is this a mediation connection?
-	 */
-	bool mediation;
-
-	/**
-	 * Name of the mediation connection to mediate through
-	 */
-	peer_cfg_t *mediated_by;
-
-	/**
-	 * ID of our peer at the mediation server (= leftid of the peer's conn with
-	 * the mediation server)
-	 */
-	identification_t *peer_id;
-#endif /* ME */
-};
-
-/**
- * Implementation of peer_cfg_t.get_name
- */
-static char *get_name(private_peer_cfg_t *this)
-{
-	return this->name;
-}
-
-/**
- * Implementation of peer_cfg_t.get_ike_version
- */
-static u_int get_ike_version(private_peer_cfg_t *this)
-{
-	return this->ike_version;
-}
-
-/**
- * Implementation of peer_cfg_t.get_ike_cfg
- */
-static ike_cfg_t* get_ike_cfg(private_peer_cfg_t *this)
-{
-	return this->ike_cfg;
-}
-
-/**
- * Implementation of peer_cfg_t.add_child_cfg.
- */
-static void add_child_cfg(private_peer_cfg_t *this, child_cfg_t *child_cfg)
-{
-	this->mutex->lock(this->mutex);
-	this->child_cfgs->insert_last(this->child_cfgs, child_cfg);
-	this->mutex->unlock(this->mutex);
-}
-
-/**
- * child_cfg enumerator
- */
-typedef struct {
-	enumerator_t public;
-	enumerator_t *wrapped;
-	mutex_t *mutex;
-} child_cfg_enumerator_t;
-
-/**
- * Implementation of peer_cfg_t.remove_child_cfg.
- */
-static void remove_child_cfg(private_peer_cfg_t *this,
-							 child_cfg_enumerator_t *enumerator)
-{
-	this->child_cfgs->remove_at(this->child_cfgs, enumerator->wrapped);
-}
-
-/**
- * Implementation of child_cfg_enumerator_t.destroy
- */
-static void child_cfg_enumerator_destroy(child_cfg_enumerator_t *this)
-{
-	this->mutex->unlock(this->mutex);
-	this->wrapped->destroy(this->wrapped);
-	free(this);
-}
-
-/**
- * Implementation of child_cfg_enumerator_t.enumerate
- */
-static bool child_cfg_enumerate(child_cfg_enumerator_t *this, child_cfg_t **chd)
-{
-	return this->wrapped->enumerate(this->wrapped, chd);
-}
-
-/**
- * Implementation of peer_cfg_t.create_child_cfg_enumerator.
- */
-static enumerator_t* create_child_cfg_enumerator(private_peer_cfg_t *this)
-{
-	child_cfg_enumerator_t *enumerator = malloc_thing(child_cfg_enumerator_t);
-
-	enumerator->public.enumerate = (void*)child_cfg_enumerate;
-	enumerator->public.destroy = (void*)child_cfg_enumerator_destroy;
-	enumerator->mutex = this->mutex;
-	enumerator->wrapped = this->child_cfgs->create_enumerator(this->child_cfgs);
-
-	this->mutex->lock(this->mutex);
-	return &enumerator->public;
-}
-
-/**
- * Check how good a list of TS matches a given child config
- */
-static int get_ts_match(child_cfg_t *cfg, bool local,
-						linked_list_t *sup_list, host_t *host)
-{
-	linked_list_t *cfg_list;
-	enumerator_t *sup_enum, *cfg_enum;
-	traffic_selector_t *sup_ts, *cfg_ts;
-	int match = 0, round;
-
-	/* fetch configured TS list, narrowing dynamic TS */
-	cfg_list = cfg->get_traffic_selectors(cfg, local, NULL, host);
-
-	/* use a round counter to rate leading TS with higher priority */
-	round = sup_list->get_count(sup_list);
-
-	sup_enum = sup_list->create_enumerator(sup_list);
-	while (sup_enum->enumerate(sup_enum, &sup_ts))
-	{
-		cfg_enum = cfg_list->create_enumerator(cfg_list);
-		while (cfg_enum->enumerate(cfg_enum, &cfg_ts))
-		{
-			if (cfg_ts->equals(cfg_ts, sup_ts))
-			{	/* equality is honored better than matches */
-				match += round * 5;
-			}
-			else if (cfg_ts->is_contained_in(cfg_ts, sup_ts) ||
-					 sup_ts->is_contained_in(sup_ts, cfg_ts))
-			{
-				match += round * 1;
-			}
-		}
-		cfg_enum->destroy(cfg_enum);
-		round--;
-	}
-	sup_enum->destroy(sup_enum);
-
-	cfg_list->destroy_offset(cfg_list, offsetof(traffic_selector_t, destroy));
-
-	return match;
-}
-
-/**
- * Implementation of peer_cfg_t.select_child_cfg
- */
-static child_cfg_t* select_child_cfg(private_peer_cfg_t *this,
-									 linked_list_t *my_ts,
-									 linked_list_t *other_ts,
-									 host_t *my_host, host_t *other_host)
-{
-	child_cfg_t *current, *found = NULL;
-	enumerator_t *enumerator;
-	int best = 0;
-
-	DBG2(DBG_CFG, "looking for a child config for %#R=== %#R", my_ts, other_ts);
-	enumerator = create_child_cfg_enumerator(this);
-	while (enumerator->enumerate(enumerator, &current))
-	{
-		int my_prio, other_prio;
-
-		my_prio = get_ts_match(current, TRUE, my_ts, my_host);
-		other_prio = get_ts_match(current, FALSE, other_ts, other_host);
-
-		if (my_prio && other_prio)
-		{
-			DBG2(DBG_CFG, "  candidate \"%s\" with prio %d+%d",
-				 current->get_name(current), my_prio, other_prio);
-			if (my_prio + other_prio > best)
-			{
-				best = my_prio + other_prio;
-				DESTROY_IF(found);
-				found = current->get_ref(current);
-			}
-		}
-	}
-	enumerator->destroy(enumerator);
-	if (found)
-	{
-		DBG2(DBG_CFG, "found matching child config \"%s\" with prio %d",
-			 found->get_name(found), best);
-	}
-	return found;
-}
-
-/**
- * Implementation of peer_cfg_t.get_cert_policy.
- */
-static cert_policy_t get_cert_policy(private_peer_cfg_t *this)
-{
-	return this->cert_policy;
-}
-
-/**
- * Implementation of peer_cfg_t.get_unique_policy.
- */
-static unique_policy_t get_unique_policy(private_peer_cfg_t *this)
-{
-	return this->unique;
-}
-
-/**
- * Implementation of peer_cfg_t.get_keyingtries.
- */
-static u_int32_t get_keyingtries(private_peer_cfg_t *this)
-{
-	return this->keyingtries;
-}
-
-/**
- * Implementation of peer_cfg_t.get_rekey_time.
- */
-static u_int32_t get_rekey_time(private_peer_cfg_t *this)
-{
-	if (this->rekey_time == 0)
-	{
-		return 0;
-	}
-	if (this->jitter_time == 0)
-	{
-		return this->rekey_time;
-	}
-	return this->rekey_time - (random() % this->jitter_time);
-}
-
-/**
- * Implementation of peer_cfg_t.get_reauth_time.
- */
-static u_int32_t get_reauth_time(private_peer_cfg_t *this)
-{
-	if (this->reauth_time == 0)
-	{
-		return 0;
-	}
-	if (this->jitter_time == 0)
-	{
-		return this->reauth_time;
-	}
-	return this->reauth_time - (random() % this->jitter_time);
-}
-
-/**
- * Implementation of peer_cfg_t.get_over_time.
- */
-static u_int32_t get_over_time(private_peer_cfg_t *this)
-{
-	return this->over_time;
-}
-
-/**
- * Implementation of peer_cfg_t.use_mobike.
- */
-static bool use_mobike(private_peer_cfg_t *this)
-{
-	return this->use_mobike;
-}
-
-/**
- * Implements peer_cfg_t.get_dpd
- */
-static u_int32_t get_dpd(private_peer_cfg_t *this)
-{
-	return this->dpd;
-}
-
-/**
- * Implementation of peer_cfg_t.get_virtual_ip.
- */
-static host_t* get_virtual_ip(private_peer_cfg_t *this)
-{
-	return this->virtual_ip;
-}
-
-/**
- * Implementation of peer_cfg_t.get_pool.
- */
-static char* get_pool(private_peer_cfg_t *this)
-{
-	return this->pool;
-}
-
-/**
- * Implementation of peer_cfg_t.add_auth_cfg
- */
-static void add_auth_cfg(private_peer_cfg_t *this,
-						 auth_cfg_t *cfg, bool local)
-{
-	if (local)
-	{
-		this->local_auth->insert_last(this->local_auth, cfg);
-	}
-	else
-	{
-		this->remote_auth->insert_last(this->remote_auth, cfg);
-	}
-}
-
-/**
- * Implementation of peer_cfg_t.create_auth_cfg_enumerator
- */
-static enumerator_t* create_auth_cfg_enumerator(private_peer_cfg_t *this,
-												 bool local)
-{
-	if (local)
-	{
-		return this->local_auth->create_enumerator(this->local_auth);
-	}
-	return this->remote_auth->create_enumerator(this->remote_auth);
-}
-
-#ifdef ME
-/**
- * Implementation of peer_cfg_t.is_mediation.
- */
-static bool is_mediation(private_peer_cfg_t *this)
-{
-	return this->mediation;
-}
-
-/**
- * Implementation of peer_cfg_t.get_mediated_by.
- */
-static peer_cfg_t* get_mediated_by(private_peer_cfg_t *this)
-{
-	return this->mediated_by;
-}
-
-/**
- * Implementation of peer_cfg_t.get_peer_id.
- */
-static identification_t* get_peer_id(private_peer_cfg_t *this)
-{
-	return this->peer_id;
-}
-#endif /* ME */
-
-/**
- * check auth configs for equality
- */
-static bool auth_cfg_equal(private_peer_cfg_t *this, private_peer_cfg_t *other)
-{
-	enumerator_t *e1, *e2;
-	auth_cfg_t *cfg1, *cfg2;
-	bool equal = TRUE;
-
-	if (this->local_auth->get_count(this->local_auth) !=
-		other->local_auth->get_count(other->local_auth))
-	{
-		return FALSE;
-	}
-	if (this->remote_auth->get_count(this->remote_auth) !=
-		other->remote_auth->get_count(other->remote_auth))
-	{
-		return FALSE;
-	}
-
-	e1 = this->local_auth->create_enumerator(this->local_auth);
-	e2 = other->local_auth->create_enumerator(other->local_auth);
-	while (e1->enumerate(e1, &cfg1) && e2->enumerate(e2, &cfg2))
-	{
-		if (!cfg1->equals(cfg1, cfg2))
-		{
-			equal = FALSE;
-			break;
-		}
-	}
-	e1->destroy(e1);
-	e2->destroy(e2);
-
-	if (!equal)
-	{
-		return FALSE;
-	}
-
-	e1 = this->remote_auth->create_enumerator(this->remote_auth);
-	e2 = other->remote_auth->create_enumerator(other->remote_auth);
-	while (e1->enumerate(e1, &cfg1) && e2->enumerate(e2, &cfg2))
-	{
-		if (!cfg1->equals(cfg1, cfg2))
-		{
-			equal = FALSE;
-			break;
-		}
-	}
-	e1->destroy(e1);
-	e2->destroy(e2);
-
-	return equal;
-}
-
-/**
- * Implementation of peer_cfg_t.equals.
- */
-static bool equals(private_peer_cfg_t *this, private_peer_cfg_t *other)
-{
-	if (this == other)
-	{
-		return TRUE;
-	}
-	if (this->public.equals != other->public.equals)
-	{
-		return FALSE;
-	}
-
-	return (
-		this->ike_version == other->ike_version &&
-		this->cert_policy == other->cert_policy &&
-		this->unique == other->unique &&
-		this->keyingtries == other->keyingtries &&
-		this->use_mobike == other->use_mobike &&
-		this->rekey_time == other->rekey_time &&
-		this->reauth_time == other->reauth_time &&
-		this->jitter_time == other->jitter_time &&
-		this->over_time == other->over_time &&
-		this->dpd == other->dpd &&
-		(this->virtual_ip == other->virtual_ip ||
-		 (this->virtual_ip && other->virtual_ip &&
-		  this->virtual_ip->equals(this->virtual_ip, other->virtual_ip))) &&
-		(this->pool == other->pool ||
-		 (this->pool && other->pool && streq(this->pool, other->pool))) &&
-		auth_cfg_equal(this, other)
-#ifdef ME
-		&& this->mediation == other->mediation &&
-		this->mediated_by == other->mediated_by &&
-		(this->peer_id == other->peer_id ||
-		 (this->peer_id && other->peer_id &&
-		  this->peer_id->equals(this->peer_id, other->peer_id)))
-#endif /* ME */
-		);
-}
-
-/**
- * Implements peer_cfg_t.get_ref.
- */
-static peer_cfg_t* get_ref(private_peer_cfg_t *this)
-{
-	ref_get(&this->refcount);
-	return &this->public;
-}
-
-/**
- * Implements peer_cfg_t.destroy.
- */
-static void destroy(private_peer_cfg_t *this)
-{
-	if (ref_put(&this->refcount))
-	{
-		this->ike_cfg->destroy(this->ike_cfg);
-		this->child_cfgs->destroy_offset(this->child_cfgs,
-										offsetof(child_cfg_t, destroy));
-		DESTROY_IF(this->virtual_ip);
-		this->local_auth->destroy_offset(this->local_auth,
-										offsetof(auth_cfg_t, destroy));
-		this->remote_auth->destroy_offset(this->remote_auth,
-										offsetof(auth_cfg_t, destroy));
-#ifdef ME
-		DESTROY_IF(this->mediated_by);
-		DESTROY_IF(this->peer_id);
-#endif /* ME */
-		this->mutex->destroy(this->mutex);
-		free(this->name);
-		free(this->pool);
-		free(this);
-	}
-}
-
-/*
- * Described in header-file
- */
-peer_cfg_t *peer_cfg_create(char *name, u_int ike_version, ike_cfg_t *ike_cfg,
-							cert_policy_t cert_policy, unique_policy_t unique,
-							u_int32_t keyingtries, u_int32_t rekey_time,
-							u_int32_t reauth_time, u_int32_t jitter_time,
-							u_int32_t over_time, bool mobike, u_int32_t dpd,
-							host_t *virtual_ip, char *pool,
-							bool mediation, peer_cfg_t *mediated_by,
-							identification_t *peer_id)
-{
-	private_peer_cfg_t *this = malloc_thing(private_peer_cfg_t);
-
-	/* public functions */
-	this->public.get_name = (char* (*) (peer_cfg_t *))get_name;
-	this->public.get_ike_version = (u_int(*) (peer_cfg_t *))get_ike_version;
-	this->public.get_ike_cfg = (ike_cfg_t* (*) (peer_cfg_t *))get_ike_cfg;
-	this->public.add_child_cfg = (void (*) (peer_cfg_t *, child_cfg_t*))add_child_cfg;
-	this->public.remove_child_cfg = (void(*)(peer_cfg_t*, enumerator_t*))remove_child_cfg;
-	this->public.create_child_cfg_enumerator = (enumerator_t* (*) (peer_cfg_t *))create_child_cfg_enumerator;
-	this->public.select_child_cfg = (child_cfg_t* (*) (peer_cfg_t *,linked_list_t*,linked_list_t*,host_t*,host_t*))select_child_cfg;
-	this->public.get_cert_policy = (cert_policy_t (*) (peer_cfg_t *))get_cert_policy;
-	this->public.get_unique_policy = (unique_policy_t (*) (peer_cfg_t *))get_unique_policy;
-	this->public.get_keyingtries = (u_int32_t (*) (peer_cfg_t *))get_keyingtries;
-	this->public.get_rekey_time = (u_int32_t(*)(peer_cfg_t*))get_rekey_time;
-	this->public.get_reauth_time = (u_int32_t(*)(peer_cfg_t*))get_reauth_time;
-	this->public.get_over_time = (u_int32_t(*)(peer_cfg_t*))get_over_time;
-	this->public.use_mobike = (bool (*) (peer_cfg_t *))use_mobike;
-	this->public.get_dpd = (u_int32_t (*) (peer_cfg_t *))get_dpd;
-	this->public.get_virtual_ip = (host_t* (*) (peer_cfg_t *))get_virtual_ip;
-	this->public.get_pool = (char*(*)(peer_cfg_t*))get_pool;
-	this->public.add_auth_cfg = (void(*)(peer_cfg_t*, auth_cfg_t *cfg, bool local))add_auth_cfg;
-	this->public.create_auth_cfg_enumerator = (enumerator_t*(*)(peer_cfg_t*, bool local))create_auth_cfg_enumerator;
-	this->public.equals = (bool(*)(peer_cfg_t*, peer_cfg_t *other))equals;
-	this->public.get_ref = (peer_cfg_t*(*)(peer_cfg_t *))get_ref;
-	this->public.destroy = (void(*)(peer_cfg_t *))destroy;
-#ifdef ME
-	this->public.is_mediation = (bool (*) (peer_cfg_t *))is_mediation;
-	this->public.get_mediated_by = (peer_cfg_t* (*) (peer_cfg_t *))get_mediated_by;
-	this->public.get_peer_id = (identification_t* (*) (peer_cfg_t *))get_peer_id;
-#endif /* ME */
-
-	/* apply init values */
-	this->name = strdup(name);
-	this->ike_version = ike_version;
-	this->ike_cfg = ike_cfg;
-	this->child_cfgs = linked_list_create();
-	this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
-	this->cert_policy = cert_policy;
-	this->unique = unique;
-	this->keyingtries = keyingtries;
-	this->rekey_time = rekey_time;
-	this->reauth_time = reauth_time;
-	if (rekey_time && jitter_time > rekey_time)
-	{
-		jitter_time = rekey_time;
-	}
-	if (reauth_time && jitter_time > reauth_time)
-	{
-		jitter_time = reauth_time;
-	}
-	this->jitter_time = jitter_time;
-	this->over_time = over_time;
-	this->use_mobike = mobike;
-	this->dpd = dpd;
-	this->virtual_ip = virtual_ip;
-	this->pool = pool ? strdup(pool) : NULL;
-	this->local_auth = linked_list_create();
-	this->remote_auth = linked_list_create();
-	this->refcount = 1;
-#ifdef ME
-	this->mediation = mediation;
-	this->mediated_by = mediated_by;
-	this->peer_id = peer_id;
-#else /* ME */
-	DESTROY_IF(mediated_by);
-	DESTROY_IF(peer_id);
-#endif /* ME */
-
-	return &this->public;
-}
diff --git a/src/charon/config/peer_cfg.h b/src/charon/config/peer_cfg.h
deleted file mode 100644
index 6855276f8..000000000
--- a/src/charon/config/peer_cfg.h
+++ /dev/null
@@ -1,358 +0,0 @@
-/*
- * Copyright (C) 2007-2008 Tobias Brunner
- * Copyright (C) 2005-2009 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup peer_cfg peer_cfg
- * @{ @ingroup config
- */
-
-#ifndef PEER_CFG_H_
-#define PEER_CFG_H_
-
-typedef enum cert_policy_t cert_policy_t;
-typedef enum unique_policy_t unique_policy_t;
-typedef struct peer_cfg_t peer_cfg_t;
-
-#include <library.h>
-#include <utils/identification.h>
-#include <utils/enumerator.h>
-#include <selectors/traffic_selector.h>
-#include <config/proposal.h>
-#include <config/ike_cfg.h>
-#include <config/child_cfg.h>
-#include <sa/authenticators/authenticator.h>
-#include <sa/authenticators/eap/eap_method.h>
-#include <config/auth_cfg.h>
-
-/**
- * Certificate sending policy. This is also used for certificate
- * requests when using this definition for the other peer. If
- * it is CERT_NEVER_SEND, a certreq is omitted, otherwise its
- * included.
- *
- * @warning These definitions must be the same as in pluto/starter,
- * as they are sent over the stroke socket.
- */
-enum cert_policy_t {
-	/** always send certificates, even when not requested */
-	CERT_ALWAYS_SEND =		0,
-	/** send certificate upon cert request */
-	CERT_SEND_IF_ASKED =	1,
-	/** never send a certificate, even when requested */
-	CERT_NEVER_SEND =		2,
-};
-
-/**
- * enum strings for cert_policy_t
- */
-extern enum_name_t *cert_policy_names;
-
-/**
- * Uniqueness of an IKE_SA, used to drop multiple connections with one peer.
- */
-enum unique_policy_t {
-	/** do not check for client uniqueness */
-	UNIQUE_NO,
-	/** replace unique IKE_SAs if new ones get established */
-	UNIQUE_REPLACE,
-	/** keep existing IKE_SAs, close the new ones on connection attept */
-	UNIQUE_KEEP,
-};
-
-/**
- * enum strings for unique_policy_t
- */
-extern enum_name_t *unique_policy_names;
-
-/**
- * Configuration of a peer, specified by IDs.
- *
- * The peer config defines a connection between two given IDs. It contains
- * exactly one ike_cfg_t, which is use for initiation. Additionally, it contains
- * multiple child_cfg_t defining which CHILD_SAs are allowed for this peer.
- * @verbatim
-                          +-------------------+        +---------------+
-   +---------------+      |     peer_cfg      |      +---------------+ |
-   |    ike_cfg    |      +-------------------+      |   child_cfg   | |
-   +---------------+      | - ids             |      +---------------+ |
-   | - hosts       | 1  1 | - cas             | 1  n | - proposals   | |
-   | - proposals   |<-----| - auth info       |----->| - traffic sel | |
-   | - ...         |      | - dpd config      |      | - ...         |-+
-   +---------------+      | - ...             |      +---------------+
-                          +-------------------+
-                             | 1         0 |
-                             |             |
-                             v n         n V
-             +-------------------+     +-------------------+
-           +-------------------+ |   +-------------------+ |
-           |     auth_cfg      | |   |     auth_cfg      | |
-           +-------------------+ |   +-------------------+ |
-           | - local rules     |-+   | - remote constr.  |-+
-           +-------------------+     +-------------------+
-   @endverbatim
- *
- * Each peer_cfg has two lists of authentication config attached. Local
- * authentication configs define how to authenticate ourself against the remote
- * peer. Each config is enforced using the multiple authentication extension
- * (RFC4739).
- * The remote authentication configs are handled as constraints. The peer has
- * to fullfill each of these rules (using multiple authentication, in any order)
- * to gain access to the configuration.
- */
-struct peer_cfg_t {
-
-	/**
-	 * Get the name of the peer_cfg.
-	 *
-	 * Returned object is not getting cloned.
-	 *
-	 * @return				peer_cfg's name
-	 */
-	char* (*get_name) (peer_cfg_t *this);
-
-	/**
-	 * Get the IKE version to use for initiating.
-	 *
-	 * @return 				IKE major version
-	 */
-	u_int (*get_ike_version)(peer_cfg_t *this);
-
-	/**
-	 * Get the IKE config to use for initiaton.
-	 *
-	 * @return				the IKE config to use
-	 */
-	ike_cfg_t* (*get_ike_cfg) (peer_cfg_t *this);
-
-	/**
-	 * Attach a CHILD config.
-	 *
-	 * @param child_cfg		CHILD config to add
-	 */
-	void (*add_child_cfg) (peer_cfg_t *this, child_cfg_t *child_cfg);
-
-	/**
-	 * Detach a CHILD config, pointed to by an enumerator.
-	 *
-	 * @param enumerator	enumerator indicating element position
-	 */
-	void (*remove_child_cfg)(peer_cfg_t *this, enumerator_t *enumerator);
-
-	/**
-	 * Create an enumerator for all attached CHILD configs.
-	 *
-	 * @return				an enumerator over all CHILD configs.
-	 */
-	enumerator_t* (*create_child_cfg_enumerator) (peer_cfg_t *this);
-
-	/**
-	 * Select a CHILD config from traffic selectors.
-	 *
-	 * @param my_ts			TS for local side
-	 * @param other_ts		TS for remote side
-	 * @param my_host		host to narrow down dynamic TS for local side
-	 * @param other_host	host to narrow down dynamic TS for remote side
-	 * @return				selected CHILD config, or NULL if no match found
-	 */
-	child_cfg_t* (*select_child_cfg) (peer_cfg_t *this, linked_list_t *my_ts,
-									  linked_list_t *other_ts, host_t *my_host,
-									  host_t *other_host);
-
-	/**
-	 * Add an authentication config to the peer configuration.
-	 *
-	 * @param config		config to add
-	 * @param local			TRUE for local rules, FALSE for remote constraints
-	 */
-	void (*add_auth_cfg)(peer_cfg_t *this, auth_cfg_t *cfg, bool local);
-
-	/**
-	 * Create an enumerator over registered authentication configs.
-	 *
-	 * @param local			TRUE for local rules, FALSE for remote constraints
-	 * @return				enumerator over auth_cfg_t*
-	 */
-	enumerator_t* (*create_auth_cfg_enumerator)(peer_cfg_t *this, bool local);
-
-	/**
-	 * Should be sent a certificate for this connection?
-	 *
-	 * @return			certificate sending policy
-	 */
-	cert_policy_t (*get_cert_policy) (peer_cfg_t *this);
-
-	/**
-	 * How to handle uniqueness of IKE_SAs?
-	 *
-	 * @return			unique policy
-	 */
-	unique_policy_t (*get_unique_policy) (peer_cfg_t *this);
-
-	/**
-	 * Get the max number of retries after timeout.
-	 *
-	 * @return			max number retries
-	 */
-	u_int32_t (*get_keyingtries) (peer_cfg_t *this);
-
-	/**
-	 * Get a time to start rekeying (is randomized with jitter).
-	 *
-	 * @return			time in s when to start rekeying, 0 disables rekeying
-	 */
-	u_int32_t (*get_rekey_time)(peer_cfg_t *this);
-
-	/**
-	 * Get a time to start reauthentication (is randomized with jitter).
-	 *
-	 * @return			time in s when to start reauthentication, 0 disables it
-	 */
-	u_int32_t (*get_reauth_time)(peer_cfg_t *this);
-
-	/**
-	 * Get the timeout of a rekeying/reauthenticating SA.
-	 *
-	 * @return			timeout in s
-	 */
-	u_int32_t (*get_over_time)(peer_cfg_t *this);
-
-	/**
-	 * Use MOBIKE (RFC4555) if peer supports it?
-	 *
-	 * @return			TRUE to enable MOBIKE support
-	 */
-	bool (*use_mobike) (peer_cfg_t *this);
-
-	/**
-	 * Get the DPD check interval.
-	 *
-	 * @return			dpd_delay in seconds
-	 */
-	u_int32_t (*get_dpd) (peer_cfg_t *this);
-
-	/**
-	 * Get a virtual IP for the local peer.
-	 *
-	 * If no virtual IP should be used, NULL is returned. %any means to request
-	 * a virtual IP using configuration payloads. A specific address is also
-	 * used for a request and may be changed by the server.
-	 *
-	 * @param suggestion	NULL, %any or specific
-	 * @return				virtual IP, %any or NULL
-	 */
-	host_t* (*get_virtual_ip) (peer_cfg_t *this);
-
-	/**
-	 * Get the name of the pool to acquire configuration attributes from.
-	 *
-	 * @return				pool name, NULL if none defined
-	 */
-	char* (*get_pool)(peer_cfg_t *this);
-
-#ifdef ME
-	/**
-	 * Is this a mediation connection?
-	 *
-	 * @return				TRUE, if this is a mediation connection
-	 */
-	bool (*is_mediation) (peer_cfg_t *this);
-
-	/**
-	 * Get peer_cfg of the connection this one is mediated through.
-	 *
-	 * @return				the peer_cfg of the mediation connection
-	 */
-	peer_cfg_t* (*get_mediated_by) (peer_cfg_t *this);
-
-	/**
-	 * Get the id of the other peer at the mediation server.
-	 *
-	 * This is the leftid of the peer's connection with the mediation server.
-	 *
-	 * If it is not configured, it is assumed to be the same as the right id
-	 * of this connection.
-	 *
-	 * @return				the id of the other peer
-	 */
-	identification_t* (*get_peer_id) (peer_cfg_t *this);
-#endif /* ME */
-
-	/**
-	 * Check if two peer configurations are equal.
-	 *
-	 * This method does not compare associated ike/child_cfg.
-	 *
-	 * @param other			candidate to check for equality against this
-	 * @return				TRUE if peer_cfg and ike_cfg are equal
-	 */
-	bool (*equals)(peer_cfg_t *this, peer_cfg_t *other);
-
-	/**
-	 * Increase reference count.
-	 *
-	 * @return				reference to this
-	 */
-	peer_cfg_t* (*get_ref) (peer_cfg_t *this);
-
-	/**
-	 * Destroys the peer_cfg object.
-	 *
-	 * Decrements the internal reference counter and
-	 * destroys the peer_cfg when it reaches zero.
-	 */
-	void (*destroy) (peer_cfg_t *this);
-};
-
-/**
- * Create a configuration object for IKE_AUTH and later.
- *
- * name-string gets cloned, ID's not.
- * Virtual IPs are used if they are != NULL. A %any host means the virtual
- * IP should be obtained from the other peer.
- * Lifetimes are in seconds. To prevent to peers to start rekeying at the
- * same time, a jitter may be specified. Rekeying of an SA starts at
- * (rekeylifetime - random(0, jitter)).
- *
- * @param name				name of the peer_cfg
- * @param ike_version		which IKE version we sould use for this peer
- * @param ike_cfg			IKE config to use when acting as initiator
- * @param cert_policy		should we send a certificate payload?
- * @param unique			uniqueness of an IKE_SA
- * @param keyingtries		how many keying tries should be done before giving up
- * @param rekey_time		timeout before starting rekeying
- * @param reauth_time		timeout before starting reauthentication
- * @param jitter_time		timerange to randomly substract from rekey/reauth time
- * @param over_time			maximum overtime before closing a rekeying/reauth SA
- * @param mobike			use MOBIKE (RFC4555) if peer supports it
- * @param dpd				DPD check interval, 0 to disable
- * @param virtual_ip		virtual IP for local host, or NULL
- * @param pool				pool name to get configuration attributes from, or NULL
- * @param mediation			TRUE if this is a mediation connection
- * @param mediated_by		peer_cfg_t of the mediation connection to mediate through
- * @param peer_id			ID that identifies our peer at the mediation server
- * @return 					peer_cfg_t object
- */
-peer_cfg_t *peer_cfg_create(char *name, u_int ike_version, ike_cfg_t *ike_cfg,
-							cert_policy_t cert_policy, unique_policy_t unique,
-							u_int32_t keyingtries, u_int32_t rekey_time,
-							u_int32_t reauth_time, u_int32_t jitter_time,
-							u_int32_t over_time, bool mobike, u_int32_t dpd,
-							host_t *virtual_ip, char *pool,
-							bool mediation, peer_cfg_t *mediated_by,
-							identification_t *peer_id);
-
-#endif /** PEER_CFG_H_ @}*/
diff --git a/src/charon/config/proposal.c b/src/charon/config/proposal.c
deleted file mode 100644
index 6b3500b6e..000000000
--- a/src/charon/config/proposal.c
+++ /dev/null
@@ -1,945 +0,0 @@
-/*
- * Copyright (C) 2008-2009 Tobias Brunner
- * Copyright (C) 2006 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <string.h>
-
-#include "proposal.h"
-
-#include <daemon.h>
-#include <utils/linked_list.h>
-#include <utils/identification.h>
-#include <utils/lexparser.h>
-#include <crypto/transform.h>
-#include <crypto/prfs/prf.h>
-#include <crypto/crypters/crypter.h>
-#include <crypto/signers/signer.h>
-#include <crypto/proposal/proposal_keywords.h>
-
-ENUM(protocol_id_names, PROTO_NONE, PROTO_ESP,
-	"PROTO_NONE",
-	"IKE",
-	"AH",
-	"ESP",
-);
-
-ENUM(extended_sequence_numbers_names, NO_EXT_SEQ_NUMBERS, EXT_SEQ_NUMBERS,
-	"NO_EXT_SEQ",
-	"EXT_SEQ",
-);
-
-typedef struct private_proposal_t private_proposal_t;
-typedef struct algorithm_t algorithm_t;
-
-/**
- * Private data of an proposal_t object
- */
-struct private_proposal_t {
-
-	/**
-	 * Public part
-	 */
-	proposal_t public;
-
-	/**
-	 * protocol (ESP or AH)
-	 */
-	protocol_id_t protocol;
-
-	/**
-	 * priority ordered list of encryption algorithms
-	 */
-	linked_list_t *encryption_algos;
-
-	/**
-	 * priority ordered list of integrity algorithms
-	 */
-	linked_list_t *integrity_algos;
-
-	/**
-	 * priority ordered list of pseudo random functions
-	 */
-	linked_list_t *prf_algos;
-
-	/**
-	 * priority ordered list of dh groups
-	 */
-	linked_list_t *dh_groups;
-
-	/**
-	 * priority ordered list of extended sequence number flags
-	 */
-	linked_list_t *esns;
-
-	/**
-	 * senders SPI
-	 */
-	u_int64_t spi;
-};
-
-/**
- * Struct used to store different kinds of algorithms.
- */
-struct algorithm_t {
-	/**
-	 * Value from an encryption_algorithm_t/integrity_algorithm_t/...
-	 */
-	u_int16_t algorithm;
-
-	/**
-	 * the associated key size in bits, or zero if not needed
-	 */
-	u_int16_t key_size;
-};
-
-/**
- * Add algorithm/keysize to a algorithm list
- */
-static void add_algo(linked_list_t *list, u_int16_t algo, u_int16_t key_size)
-{
-	algorithm_t *algo_key;
-
-	algo_key = malloc_thing(algorithm_t);
-	algo_key->algorithm = algo;
-	algo_key->key_size = key_size;
-	list->insert_last(list, (void*)algo_key);
-}
-
-/**
- * Implements proposal_t.add_algorithm
- */
-static void add_algorithm(private_proposal_t *this, transform_type_t type,
-						  u_int16_t algo, u_int16_t key_size)
-{
-	switch (type)
-	{
-		case ENCRYPTION_ALGORITHM:
-			add_algo(this->encryption_algos, algo, key_size);
-			break;
-		case INTEGRITY_ALGORITHM:
-			add_algo(this->integrity_algos, algo, key_size);
-			break;
-		case PSEUDO_RANDOM_FUNCTION:
-			add_algo(this->prf_algos, algo, key_size);
-			break;
-		case DIFFIE_HELLMAN_GROUP:
-			add_algo(this->dh_groups, algo, 0);
-			break;
-		case EXTENDED_SEQUENCE_NUMBERS:
-			add_algo(this->esns, algo, 0);
-			break;
-		default:
-			break;
-	}
-}
-
-/**
- * filter function for peer configs
- */
-static bool alg_filter(void *null, algorithm_t **in, u_int16_t *alg,
-					   void **unused, u_int16_t *key_size)
-{
-	algorithm_t *algo = *in;
-	*alg = algo->algorithm;
-	if (key_size)
-	{
-		*key_size = algo->key_size;
-	}
-	return TRUE;
-}
-
-/**
- * Implements proposal_t.create_enumerator.
- */
-static enumerator_t *create_enumerator(private_proposal_t *this,
-									   transform_type_t type)
-{
-	linked_list_t *list;
-
-	switch (type)
-	{
-		case ENCRYPTION_ALGORITHM:
-			list = this->encryption_algos;
-			break;
-		case INTEGRITY_ALGORITHM:
-			list = this->integrity_algos;
-			break;
-		case PSEUDO_RANDOM_FUNCTION:
-			list = this->prf_algos;
-			break;
-		case DIFFIE_HELLMAN_GROUP:
-			list = this->dh_groups;
-			break;
-		case EXTENDED_SEQUENCE_NUMBERS:
-			list = this->esns;
-			break;
-		default:
-			return NULL;
-	}
-	return enumerator_create_filter(list->create_enumerator(list),
-									(void*)alg_filter, NULL, NULL);
-}
-
-/**
- * Implements proposal_t.get_algorithm.
- */
-static bool get_algorithm(private_proposal_t *this, transform_type_t type,
-						  u_int16_t *alg, u_int16_t *key_size)
-{
-	enumerator_t *enumerator;
-	bool found = FALSE;
-
-	enumerator = create_enumerator(this, type);
-	if (enumerator->enumerate(enumerator, alg, key_size))
-	{
-		found = TRUE;
-	}
-	enumerator->destroy(enumerator);
-	return found;
-}
-
-/**
- * Implements proposal_t.has_dh_group
- */
-static bool has_dh_group(private_proposal_t *this, diffie_hellman_group_t group)
-{
-	bool result = FALSE;
-
-	if (this->dh_groups->get_count(this->dh_groups))
-	{
-		algorithm_t *current;
-		enumerator_t *enumerator;
-
-		enumerator = this->dh_groups->create_enumerator(this->dh_groups);
-		while (enumerator->enumerate(enumerator, (void**)&current))
-		{
-			if (current->algorithm == group)
-			{
-				result = TRUE;
-				break;
-			}
-		}
-		enumerator->destroy(enumerator);
-	}
-	else if (group == MODP_NONE)
-	{
-		result = TRUE;
-	}
-	return result;
-}
-
-/**
- * Implementation of proposal_t.strip_dh.
- */
-static void strip_dh(private_proposal_t *this)
-{
-	algorithm_t *alg;
-
-	while (this->dh_groups->remove_last(this->dh_groups, (void**)&alg) == SUCCESS)
-	{
-		free(alg);
-	}
-}
-
-/**
- * Returns true if the given alg is an authenticated encryption algorithm
- */
-static bool is_authenticated_encryption(u_int16_t alg)
-{
-	switch(alg)
-	{
-		case ENCR_AES_CCM_ICV8:
-		case ENCR_AES_CCM_ICV12:
-		case ENCR_AES_CCM_ICV16:
-		case ENCR_AES_GCM_ICV8:
-		case ENCR_AES_GCM_ICV12:
-		case ENCR_AES_GCM_ICV16:
-		case ENCR_CAMELLIA_CCM_ICV8:
-		case ENCR_CAMELLIA_CCM_ICV12:
-		case ENCR_CAMELLIA_CCM_ICV16:
-			return TRUE;
-	}
-	return FALSE;
-}
-
-/**
- * Find a matching alg/keysize in two linked lists
- */
-static bool select_algo(linked_list_t *first, linked_list_t *second, bool priv,
-						bool *add, u_int16_t *alg, size_t *key_size)
-{
-	enumerator_t *e1, *e2;
-	algorithm_t *alg1, *alg2;
-
-	/* if in both are zero algorithms specified, we HAVE a match */
-	if (first->get_count(first) == 0 && second->get_count(second) == 0)
-	{
-		*add = FALSE;
-		return TRUE;
-	}
-
-	e1 = first->create_enumerator(first);
-	e2 = second->create_enumerator(second);
-	/* compare algs, order of algs in "first" is preferred */
-	while (e1->enumerate(e1, &alg1))
-	{
-		e2->destroy(e2);
-		e2 = second->create_enumerator(second);
-		while (e2->enumerate(e2, &alg2))
-		{
-			if (alg1->algorithm == alg2->algorithm &&
-				alg1->key_size == alg2->key_size)
-			{
-				if (!priv && alg1->algorithm >= 1024)
-				{
-					/* accept private use algorithms only if requested */
-					DBG1(DBG_CFG, "an algorithm from private space would match, "
-						 "but peer implementation is unknown, skipped");
-					continue;
-				}
-				/* ok, we have an algorithm */
-				*alg = alg1->algorithm;
-				*key_size = alg1->key_size;
-				*add = TRUE;
-				e1->destroy(e1);
-				e2->destroy(e2);
-				return TRUE;
-			}
-		}
-	}
-	/* no match in all comparisons */
-	e1->destroy(e1);
-	e2->destroy(e2);
-	return FALSE;
-}
-
-/**
- * Implements proposal_t.select.
- */
-static proposal_t *select_proposal(private_proposal_t *this,
-								private_proposal_t *other, bool private)
-{
-	proposal_t *selected;
-	u_int16_t algo;
-	size_t key_size;
-	bool add;
-
-	DBG2(DBG_CFG, "selecting proposal:");
-
-	/* check protocol */
-	if (this->protocol != other->protocol)
-	{
-		DBG2(DBG_CFG, "  protocol mismatch, skipping");
-		return NULL;
-	}
-
-	selected = proposal_create(this->protocol);
-
-	/* select encryption algorithm */
-	if (select_algo(this->encryption_algos, other->encryption_algos, private,
-					&add, &algo, &key_size))
-	{
-		if (add)
-		{
-			selected->add_algorithm(selected, ENCRYPTION_ALGORITHM,
-									algo, key_size);
-		}
-	}
-	else
-	{
-		selected->destroy(selected);
-		DBG2(DBG_CFG, "  no acceptable %N found",
-			 transform_type_names, ENCRYPTION_ALGORITHM);
-		return NULL;
-	}
-	/* select integrity algorithm */
-	if (!is_authenticated_encryption(algo))
-	{
-		if (select_algo(this->integrity_algos, other->integrity_algos, private,
-						&add, &algo, &key_size))
-		{
-			if (add)
-			{
-				selected->add_algorithm(selected, INTEGRITY_ALGORITHM,
-										algo, key_size);
-			}
-		}
-		else
-		{
-			selected->destroy(selected);
-			DBG2(DBG_CFG, "  no acceptable %N found",
-				 transform_type_names, INTEGRITY_ALGORITHM);
-			return NULL;
-		}
-	}
-	/* select prf algorithm */
-	if (select_algo(this->prf_algos, other->prf_algos, private,
-					&add, &algo, &key_size))
-	{
-		if (add)
-		{
-			selected->add_algorithm(selected, PSEUDO_RANDOM_FUNCTION,
-									algo, key_size);
-		}
-	}
-	else
-	{
-		selected->destroy(selected);
-		DBG2(DBG_CFG, "  no acceptable %N found",
-			 transform_type_names, PSEUDO_RANDOM_FUNCTION);
-		return NULL;
-	}
-	/* select a DH-group */
-	if (select_algo(this->dh_groups, other->dh_groups, private,
-					&add, &algo, &key_size))
-	{
-		if (add)
-		{
-			selected->add_algorithm(selected, DIFFIE_HELLMAN_GROUP, algo, 0);
-		}
-	}
-	else
-	{
-		selected->destroy(selected);
-		DBG2(DBG_CFG, "  no acceptable %N found",
-			 transform_type_names, DIFFIE_HELLMAN_GROUP);
-		return NULL;
-	}
-	/* select if we use ESNs (has no private use space) */
-	if (select_algo(this->esns, other->esns, TRUE, &add, &algo, &key_size))
-	{
-		if (add)
-		{
-			selected->add_algorithm(selected, EXTENDED_SEQUENCE_NUMBERS, algo, 0);
-		}
-	}
-	else
-	{
-		selected->destroy(selected);
-		DBG2(DBG_CFG, "  no acceptable %N found",
-			 transform_type_names, EXTENDED_SEQUENCE_NUMBERS);
-		return NULL;
-	}
-	DBG2(DBG_CFG, "  proposal matches");
-
-	/* apply SPI from "other" */
-	selected->set_spi(selected, other->spi);
-
-	/* everything matched, return new proposal */
-	return selected;
-}
-
-/**
- * Implements proposal_t.get_protocols.
- */
-static protocol_id_t get_protocol(private_proposal_t *this)
-{
-	return this->protocol;
-}
-
-/**
- * Implements proposal_t.set_spi.
- */
-static void set_spi(private_proposal_t *this, u_int64_t spi)
-{
-	this->spi = spi;
-}
-
-/**
- * Implements proposal_t.get_spi.
- */
-static u_int64_t get_spi(private_proposal_t *this)
-{
-	return this->spi;
-}
-
-/**
- * Clone a algorithm list
- */
-static void clone_algo_list(linked_list_t *list, linked_list_t *clone_list)
-{
-	algorithm_t *algo, *clone_algo;
-	enumerator_t *enumerator;
-
-	enumerator = list->create_enumerator(list);
-	while (enumerator->enumerate(enumerator, &algo))
-	{
-		clone_algo = malloc_thing(algorithm_t);
-		memcpy(clone_algo, algo, sizeof(algorithm_t));
-		clone_list->insert_last(clone_list, (void*)clone_algo);
-	}
-	enumerator->destroy(enumerator);
-}
-
-/**
- * check if an algorithm list equals
- */
-static bool algo_list_equals(linked_list_t *l1, linked_list_t *l2)
-{
-	enumerator_t *e1, *e2;
-	algorithm_t *alg1, *alg2;
-	bool equals = TRUE;
-
-	if (l1->get_count(l1) != l2->get_count(l2))
-	{
-		return FALSE;
-	}
-
-	e1 = l1->create_enumerator(l1);
-	e2 = l2->create_enumerator(l2);
-	while (e1->enumerate(e1, &alg1) && e2->enumerate(e2, &alg2))
-	{
-		if (alg1->algorithm != alg2->algorithm ||
-			alg1->key_size != alg2->key_size)
-		{
-			equals = FALSE;
-			break;
-		}
-	}
-	e1->destroy(e1);
-	e2->destroy(e2);
-	return equals;
-}
-
-/**
- * Implementation of proposal_t.equals.
- */
-static bool equals(private_proposal_t *this, private_proposal_t *other)
-{
-	if (this == other)
-	{
-		return TRUE;
-	}
-	if (this->public.equals != other->public.equals)
-	{
-		return FALSE;
-	}
-	return (
-		algo_list_equals(this->encryption_algos, other->encryption_algos) &&
-		algo_list_equals(this->integrity_algos, other->integrity_algos) &&
-		algo_list_equals(this->prf_algos, other->prf_algos) &&
-		algo_list_equals(this->dh_groups, other->dh_groups) &&
-		algo_list_equals(this->esns, other->esns));
-}
-
-/**
- * Implements proposal_t.clone
- */
-static proposal_t *clone_(private_proposal_t *this)
-{
-	private_proposal_t *clone = (private_proposal_t*)proposal_create(this->protocol);
-
-	clone_algo_list(this->encryption_algos, clone->encryption_algos);
-	clone_algo_list(this->integrity_algos, clone->integrity_algos);
-	clone_algo_list(this->prf_algos, clone->prf_algos);
-	clone_algo_list(this->dh_groups, clone->dh_groups);
-	clone_algo_list(this->esns, clone->esns);
-
-	clone->spi = this->spi;
-
-	return &clone->public;
-}
-
-/**
- * Checks the proposal read from a string.
- */
-static void check_proposal(private_proposal_t *this)
-{
-	enumerator_t *e;
-	algorithm_t *alg;
-	bool all_aead = TRUE;
-
-	e = this->encryption_algos->create_enumerator(this->encryption_algos);
-	while (e->enumerate(e, &alg))
-	{
-		if (!is_authenticated_encryption(alg->algorithm))
-		{
-			all_aead = FALSE;
-			break;
-		}
-	}
-	e->destroy(e);
-
-	if (all_aead)
-	{
-		/* if all encryption algorithms in the proposal are authenticated encryption
-		 * algorithms we MUST NOT propose any integrity algorithms */
-		while (this->integrity_algos->remove_last(this->integrity_algos,
-												  (void**)&alg) == SUCCESS)
-		{
-			free(alg);
-		}
-	}
-}
-
-/**
- * add a algorithm identified by a string to the proposal.
- */
-static status_t add_string_algo(private_proposal_t *this, chunk_t alg)
-{
-	const proposal_token_t *token = proposal_get_token(alg.ptr, alg.len);
-
-	if (token == NULL)
-	{
-		return FAILED;
-	}
-
-	add_algorithm(this, token->type, token->algorithm, token->keysize);
-
-	if (this->protocol == PROTO_IKE && token->type == INTEGRITY_ALGORITHM)
-	{
-		pseudo_random_function_t prf;
-
-		switch (token->algorithm)
-		{
-			case AUTH_HMAC_SHA1_96:
-				prf = PRF_HMAC_SHA1;
-				break;
-			case AUTH_HMAC_SHA2_256_128:
-				prf = PRF_HMAC_SHA2_256;
-				break;
-			case AUTH_HMAC_SHA2_384_192:
-				prf = PRF_HMAC_SHA2_384;
-				break;
-			case AUTH_HMAC_SHA2_512_256:
-				prf = PRF_HMAC_SHA2_512;
-				break;
-			case AUTH_HMAC_MD5_96:
-				prf = PRF_HMAC_MD5;
-				break;
-			case AUTH_AES_XCBC_96:
-				prf = PRF_AES128_XCBC;
-				break;
-			default:
-				prf = PRF_UNDEFINED;
-		}
-		if (prf != PRF_UNDEFINED)
-		{
-			add_algorithm(this, PSEUDO_RANDOM_FUNCTION, prf, 0);
-		}
-	}
-	return SUCCESS;
-}
-
-/**
- * print all algorithms of a kind to buffer
- */
-static int print_alg(private_proposal_t *this, char **dst, size_t *len,
-					 u_int kind, void *names, bool *first)
-{
-	enumerator_t *enumerator;
-	size_t written = 0;
-	u_int16_t alg, size;
-
-	enumerator = create_enumerator(this, kind);
-	while (enumerator->enumerate(enumerator, &alg, &size))
-	{
-		if (*first)
-		{
-			written += print_in_hook(*dst, *len, "%N", names, alg);
-			*first = FALSE;
-		}
-		else
-		{
-			written += print_in_hook(*dst, *len, "/%N", names, alg);
-		}
-		if (size)
-		{
-			written += print_in_hook(*dst, *len, "_%u", size);
-		}
-	}
-	enumerator->destroy(enumerator);
-	return written;
-}
-
-/**
- * Described in header.
- */
-int proposal_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
-						 const void *const *args)
-{
-	private_proposal_t *this = *((private_proposal_t**)(args[0]));
-	linked_list_t *list = *((linked_list_t**)(args[0]));
-	enumerator_t *enumerator;
-	size_t written = 0;
-	bool first = TRUE;
-
-	if (this == NULL)
-	{
-		return print_in_hook(dst, len, "(null)");
-	}
-
-	if (spec->hash)
-	{
-		enumerator = list->create_enumerator(list);
-		while (enumerator->enumerate(enumerator, &this))
-		{	/* call recursivly */
-			if (first)
-			{
-				written += print_in_hook(dst, len, "%P", this);
-				first = FALSE;
-			}
-			else
-			{
-				written += print_in_hook(dst, len, ", %P", this);
-			}
-		}
-		enumerator->destroy(enumerator);
-		return written;
-	}
-
-	written = print_in_hook(dst, len, "%N:", protocol_id_names, this->protocol);
-	written += print_alg(this, &dst, &len, ENCRYPTION_ALGORITHM,
-						 encryption_algorithm_names, &first);
-	written += print_alg(this, &dst, &len, INTEGRITY_ALGORITHM,
-						 integrity_algorithm_names, &first);
-	written += print_alg(this, &dst, &len, PSEUDO_RANDOM_FUNCTION,
-						 pseudo_random_function_names, &first);
-	written += print_alg(this, &dst, &len, DIFFIE_HELLMAN_GROUP,
-						 diffie_hellman_group_names, &first);
-	written += print_alg(this, &dst, &len, EXTENDED_SEQUENCE_NUMBERS,
-						 extended_sequence_numbers_names, &first);
-	return written;
-}
-
-/**
- * Implements proposal_t.destroy.
- */
-static void destroy(private_proposal_t *this)
-{
-	this->encryption_algos->destroy_function(this->encryption_algos, free);
-	this->integrity_algos->destroy_function(this->integrity_algos, free);
-	this->prf_algos->destroy_function(this->prf_algos, free);
-	this->dh_groups->destroy_function(this->dh_groups, free);
-	this->esns->destroy_function(this->esns, free);
-	free(this);
-}
-
-/*
- * Describtion in header-file
- */
-proposal_t *proposal_create(protocol_id_t protocol)
-{
-	private_proposal_t *this = malloc_thing(private_proposal_t);
-
-	this->public.add_algorithm = (void (*)(proposal_t*,transform_type_t,u_int16_t,u_int16_t))add_algorithm;
-	this->public.create_enumerator = (enumerator_t* (*)(proposal_t*,transform_type_t))create_enumerator;
-	this->public.get_algorithm = (bool (*)(proposal_t*,transform_type_t,u_int16_t*,u_int16_t*))get_algorithm;
-	this->public.has_dh_group = (bool (*)(proposal_t*,diffie_hellman_group_t))has_dh_group;
-	this->public.strip_dh = (void(*)(proposal_t*))strip_dh;
-	this->public.select = (proposal_t* (*)(proposal_t*,proposal_t*,bool))select_proposal;
-	this->public.get_protocol = (protocol_id_t(*)(proposal_t*))get_protocol;
-	this->public.set_spi = (void(*)(proposal_t*,u_int64_t))set_spi;
-	this->public.get_spi = (u_int64_t(*)(proposal_t*))get_spi;
-	this->public.equals = (bool(*)(proposal_t*, proposal_t *other))equals;
-	this->public.clone = (proposal_t*(*)(proposal_t*))clone_;
-	this->public.destroy = (void(*)(proposal_t*))destroy;
-
-	this->spi = 0;
-	this->protocol = protocol;
-
-	this->encryption_algos = linked_list_create();
-	this->integrity_algos = linked_list_create();
-	this->prf_algos = linked_list_create();
-	this->dh_groups = linked_list_create();
-	this->esns = linked_list_create();
-
-	return &this->public;
-}
-
-/**
- * Add supported IKE algorithms to proposal
- */
-static void proposal_add_supported_ike(private_proposal_t *this)
-{
-	enumerator_t *enumerator;
-	encryption_algorithm_t encryption;
-	integrity_algorithm_t integrity;
-	pseudo_random_function_t prf;
-	diffie_hellman_group_t group;
-
-	enumerator = lib->crypto->create_crypter_enumerator(lib->crypto);
-	while (enumerator->enumerate(enumerator, &encryption))
-	{
-		switch (encryption)
-		{
-			case ENCR_AES_CBC:
-				/* we assume that we support all AES sizes */
-				add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 128);
-				add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 192);
-				add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 256);
-				break;
-			case ENCR_3DES:
-			case ENCR_AES_CTR:
-			case ENCR_AES_CCM_ICV8:
-			case ENCR_AES_CCM_ICV12:
-			case ENCR_AES_CCM_ICV16:
-			case ENCR_AES_GCM_ICV8:
-			case ENCR_AES_GCM_ICV12:
-			case ENCR_AES_GCM_ICV16:
-				add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 0);
-				break;
-			case ENCR_DES:
-				/* no, thanks */
-				break;
-			default:
-				break;
-		}
-	}
-	enumerator->destroy(enumerator);
-
-	enumerator = lib->crypto->create_signer_enumerator(lib->crypto);
-	while (enumerator->enumerate(enumerator, &integrity))
-	{
-		switch (integrity)
-		{
-			case AUTH_HMAC_SHA1_96:
-			case AUTH_HMAC_SHA2_256_128:
-			case AUTH_HMAC_SHA2_384_192:
-			case AUTH_HMAC_SHA2_512_256:
-			case AUTH_HMAC_MD5_96:
-			case AUTH_AES_XCBC_96:
-				add_algorithm(this, INTEGRITY_ALGORITHM, integrity, 0);
-				break;
-			default:
-				break;
-		}
-	}
-	enumerator->destroy(enumerator);
-
-	enumerator = lib->crypto->create_prf_enumerator(lib->crypto);
-	while (enumerator->enumerate(enumerator, &prf))
-	{
-		switch (prf)
-		{
-			case PRF_HMAC_SHA1:
-			case PRF_HMAC_SHA2_256:
-			case PRF_HMAC_SHA2_384:
-			case PRF_HMAC_SHA2_512:
-			case PRF_HMAC_MD5:
-			case PRF_AES128_XCBC:
-				add_algorithm(this, PSEUDO_RANDOM_FUNCTION, prf, 0);
-				break;
-			default:
-				break;
-		}
-	}
-	enumerator->destroy(enumerator);
-
-	enumerator = lib->crypto->create_dh_enumerator(lib->crypto);
-	while (enumerator->enumerate(enumerator, &group))
-	{
-		switch (group)
-		{
-			case MODP_NULL:
-				/* only for testing purposes */
-				break;
-			case MODP_768_BIT:
-				/* weak */
-				break;
-			case MODP_1024_BIT:
-			case MODP_1536_BIT:
-			case MODP_2048_BIT:
-			case MODP_4096_BIT:
-			case MODP_8192_BIT:
-			case ECP_256_BIT:
-			case ECP_384_BIT:
-			case ECP_521_BIT:
-			case ECP_192_BIT:
-			case ECP_224_BIT:
-				add_algorithm(this, DIFFIE_HELLMAN_GROUP, group, 0);
-				break;
-			default:
-				break;
-		}
-	}
-	enumerator->destroy(enumerator);
-}
-
-/*
- * Describtion in header-file
- */
-proposal_t *proposal_create_default(protocol_id_t protocol)
-{
-	private_proposal_t *this = (private_proposal_t*)proposal_create(protocol);
-
-	switch (protocol)
-	{
-		case PROTO_IKE:
-			proposal_add_supported_ike(this);
-			break;
-		case PROTO_ESP:
-			add_algorithm(this, ENCRYPTION_ALGORITHM,   ENCR_AES_CBC,         128);
-			add_algorithm(this, ENCRYPTION_ALGORITHM,   ENCR_AES_CBC,         192);
-			add_algorithm(this, ENCRYPTION_ALGORITHM,   ENCR_AES_CBC,         256);
-			add_algorithm(this, ENCRYPTION_ALGORITHM,   ENCR_3DES,              0);
-			add_algorithm(this, ENCRYPTION_ALGORITHM,   ENCR_BLOWFISH,        256);
-			add_algorithm(this, INTEGRITY_ALGORITHM,    AUTH_HMAC_SHA1_96,      0);
-			add_algorithm(this, INTEGRITY_ALGORITHM,    AUTH_AES_XCBC_96,       0);
-			add_algorithm(this, INTEGRITY_ALGORITHM,    AUTH_HMAC_MD5_96,       0);
-			add_algorithm(this, EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS,  0);
-			break;
-		case PROTO_AH:
-			add_algorithm(this, INTEGRITY_ALGORITHM,    AUTH_HMAC_SHA1_96,      0);
-			add_algorithm(this, INTEGRITY_ALGORITHM,    AUTH_AES_XCBC_96,       0);
-			add_algorithm(this, INTEGRITY_ALGORITHM,    AUTH_HMAC_MD5_96,       0);
-			add_algorithm(this, EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS,  0);
-			break;
-		default:
-			break;
-	}
-	return &this->public;
-}
-
-/*
- * Describtion in header-file
- */
-proposal_t *proposal_create_from_string(protocol_id_t protocol, const char *algs)
-{
-	private_proposal_t *this = (private_proposal_t*)proposal_create(protocol);
-	chunk_t string = {(void*)algs, strlen(algs)};
-	chunk_t alg;
-	status_t status = SUCCESS;
-
-	eat_whitespace(&string);
-	if (string.len < 1)
-	{
-		destroy(this);
-		return NULL;
-	}
-
-	/* get all tokens, separated by '-' */
-	while (extract_token(&alg, '-', &string))
-	{
-		status |= add_string_algo(this, alg);
-	}
-	if (string.len)
-	{
-		status |= add_string_algo(this, string);
-	}
-	if (status != SUCCESS)
-	{
-		destroy(this);
-		return NULL;
-	}
-
-	check_proposal(this);
-
-	if (protocol == PROTO_AH || protocol == PROTO_ESP)
-	{
-		add_algorithm(this, EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS, 0);
-	}
-	return &this->public;
-}
diff --git a/src/charon/config/proposal.h b/src/charon/config/proposal.h
deleted file mode 100644
index 30f63b80d..000000000
--- a/src/charon/config/proposal.h
+++ /dev/null
@@ -1,226 +0,0 @@
-/*
- * Copyright (C) 2006 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup proposal proposal
- * @{ @ingroup config
- */
-
-#ifndef PROPOSAL_H_
-#define PROPOSAL_H_
-
-typedef enum protocol_id_t protocol_id_t;
-typedef enum extended_sequence_numbers_t extended_sequence_numbers_t;
-typedef struct proposal_t proposal_t;
-
-#include <library.h>
-#include <utils/identification.h>
-#include <utils/linked_list.h>
-#include <utils/host.h>
-#include <crypto/transform.h>
-#include <crypto/crypters/crypter.h>
-#include <crypto/signers/signer.h>
-#include <crypto/diffie_hellman.h>
-#include <selectors/traffic_selector.h>
-
-/**
- * Protocol ID of a proposal.
- */
-enum protocol_id_t {
-	PROTO_NONE = 0,
-	PROTO_IKE = 1,
-	PROTO_AH = 2,
-	PROTO_ESP = 3,
-};
-
-/**
- * enum names for protocol_id_t
- */
-extern enum_name_t *protocol_id_names;
-
-/**
- * Extended sequence numbers, as in IKEv2 RFC 3.3.2.
- */
-enum extended_sequence_numbers_t {
-	NO_EXT_SEQ_NUMBERS = 0,
-	EXT_SEQ_NUMBERS = 1
-};
-
-/**
- * enum strings for extended_sequence_numbers_t.
- */
-extern enum_name_t *extended_sequence_numbers_names;
-
-/**
- * Stores a set of algorithms used for an SA.
- *
- * A proposal stores algorithms for a specific
- * protocol. It can store algorithms for one protocol.
- * Proposals with multiple protocols are not supported,
- * as it's not specified in RFC4301 anymore.
- */
-struct proposal_t {
-
-	/**
-	 * Add an algorithm to the proposal.
-	 *
-	 * The algorithms are stored by priority, first added
-	 * is the most preferred.
-	 * Key size is only needed for encryption algorithms
-	 * with variable key size (such as AES). Must be set
-	 * to zero if key size is not specified.
-	 * The alg parameter accepts encryption_algorithm_t,
-	 * integrity_algorithm_t, dh_group_number_t and
-	 * extended_sequence_numbers_t.
-	 *
-	 * @param type			kind of algorithm
-	 * @param alg			identifier for algorithm
-	 * @param key_size		key size to use
-	 */
-	void (*add_algorithm) (proposal_t *this, transform_type_t type,
-						   u_int16_t alg, u_int16_t key_size);
-
-	/**
-	 * Get an enumerator over algorithms for a specifc algo type.
-	 *
-	 * @param type			kind of algorithm
-	 * @return				enumerator over u_int16_t alg, u_int16_t key_size
-	 */
-	enumerator_t *(*create_enumerator) (proposal_t *this, transform_type_t type);
-
-	/**
-	 * Get the algorithm for a type to use.
-	 *
-	 * If there are multiple algorithms, only the first is returned.
-	 *
-	 * @param type			kind of algorithm
-	 * @param alg			pointer which receives algorithm
-	 * @param key_size		pointer which receives the key size
-	 * @return				TRUE if algorithm of this kind available
-	 */
-	bool (*get_algorithm) (proposal_t *this, transform_type_t type,
-						   u_int16_t *alg, u_int16_t *key_size);
-
-	/**
-	 * Check if the proposal has a specific DH group.
-	 *
-	 * @param group			group to check for
-	 * @return				TRUE if algorithm included
-	 */
-	bool (*has_dh_group) (proposal_t *this, diffie_hellman_group_t group);
-
-	/**
-	 * Strip DH groups from proposal to use it without PFS.
-	 */
-	void (*strip_dh)(proposal_t *this);
-
-	/**
-	 * Compare two proposal, and select a matching subset.
-	 *
-	 * If the proposals are for the same protocols (AH/ESP), they are
-	 * compared. If they have at least one algorithm of each type
-	 * in common, a resulting proposal of this kind is created.
-	 *
-	 * @param other			proposal to compair agains
-	 * @param private		accepts algorithms allocated in a private range
-	 * @return				selected proposal, NULL if proposals don't match
-	 */
-	proposal_t *(*select) (proposal_t *this, proposal_t *other, bool private);
-
-	/**
-	 * Get the protocol ID of the proposal.
-	 *
-	 * @return				protocol of the proposal
-	 */
-	protocol_id_t (*get_protocol) (proposal_t *this);
-
-	/**
-	 * Get the SPI of the proposal.
-	 *
-	 * @return				spi for proto
-	 */
-	u_int64_t (*get_spi) (proposal_t *this);
-
-	/**
-	 * Set the SPI of the proposal.
-	 *
-	 * @param spi			spi to set for proto
-	 */
-	void (*set_spi) (proposal_t *this, u_int64_t spi);
-
-	/**
-	 * Check for the eqality of two proposals.
-	 *
-	 * @param other			other proposal to check for equality
-	 * @return				TRUE if other equal to this
-	 */
-	bool (*equals)(proposal_t *this, proposal_t *other);
-
-	/**
-	 * Clone a proposal.
-	 *
-	 * @return				clone of proposal
-	 */
-	proposal_t *(*clone) (proposal_t *this);
-
-	/**
-	 * Destroys the proposal object.
-	 */
-	void (*destroy) (proposal_t *this);
-};
-
-/**
- * Create a child proposal for AH, ESP or IKE.
- *
- * @param protocol			protocol, such as PROTO_ESP
- * @return 					proposal_t object
- */
-proposal_t *proposal_create(protocol_id_t protocol);
-
-/**
- * Create a default proposal if nothing further specified.
- *
- * @param protocol			protocol, such as PROTO_ESP
- * @return 					proposal_t object
- */
-proposal_t *proposal_create_default(protocol_id_t protocol);
-
-/**
- * Create a proposal from a string identifying the algorithms.
- *
- * The string is in the same form as a in the ipsec.conf file.
- * E.g.:	aes128-sha2_256-modp2048
- *		  3des-md5
- * An additional '!' at the end of the string forces this proposal,
- * without it the peer may choose another algorithm we support.
- *
- * @param protocol			protocol, such as PROTO_ESP
- * @param algs				algorithms as string
- * @return 					proposal_t object
- */
-proposal_t *proposal_create_from_string(protocol_id_t protocol, const char *algs);
-
-/**
- * printf hook function for proposal_t.
- *
- * Arguments are:
- *	proposal_t *proposal
- * With the #-specifier, arguments are:
- *	linked_list_t *list containing proposal_t*
- */
-int proposal_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
-						 const void *const *args);
-
-#endif /** PROPOSAL_H_ @}*/
diff --git a/src/charon/control/controller.c b/src/charon/control/controller.c
deleted file mode 100644
index 94c64028c..000000000
--- a/src/charon/control/controller.c
+++ /dev/null
@@ -1,455 +0,0 @@
-/*
- * Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "controller.h"
-
-#include <sys/types.h>
-#include <dirent.h>
-#include <sys/stat.h>
-#include <dlfcn.h>
-
-#include <daemon.h>
-#include <library.h>
-
-
-typedef struct private_controller_t private_controller_t;
-typedef struct interface_listener_t interface_listener_t;
-
-/**
- * Private data of an stroke_t object.
- */
-struct private_controller_t {
-
-	/**
-	 * Public part of stroke_t object.
-	 */
-	controller_t public;
-};
-
-/**
- * helper struct to map listener callbacks to interface callbacks
- */
-struct interface_listener_t {
-
-	/**
-	 * public bus listener interface
-	 */
-	listener_t public;
-
-	/**
-	 * status of the operation, return to method callers
-	 */
-	status_t status;
-
-	/**
-	 *  interface callback (listener gets redirected to here)
-	 */
-	controller_cb_t callback;
-
-	/**
-	 * user parameter to pass to callback
-	 */
-	void *param;
-
-	/**
-	 * child configuration, used for initiate
-	 */
-	child_cfg_t *child_cfg;
-
-	/**
-	 * peer configuration, used for initiate
-	 */
-	peer_cfg_t *peer_cfg;
-
-	/**
-	 * IKE_SA to handle
-	 */
-	ike_sa_t *ike_sa;
-
-	/**
-	 * CHILD_SA to handle
-	 */
-	child_sa_t *child_sa;
-
-	/**
-	 * unique ID, used for various methods
-	 */
-	u_int32_t id;
-};
-
-
-typedef struct interface_job_t interface_job_t;
-
-/**
- * job for asynchronous listen operations
- */
-struct interface_job_t {
-	/**
-	 * job interface
-	 */
-	job_t public;
-
-	/**
-	 * associated listener
-	 */
-	interface_listener_t listener;
-};
-
-/**
- * listener log function
- */
-static bool listener_log(interface_listener_t *this, debug_t group,
-						 level_t level, int thread, ike_sa_t *ike_sa,
-						 char* format, va_list args)
-{
-	if (this->ike_sa == ike_sa)
-	{
-		if (!this->callback(this->param, group, level, ike_sa, format, args))
-		{
-			return FALSE;
-		}
-	}
-	return TRUE;
-}
-
-/**
- * Implementation of listener_t.ike_state_change
- */
-static bool listener_ike_state(interface_listener_t *this, ike_sa_t *ike_sa,
-							   ike_sa_state_t state)
-{
-	if (this->ike_sa == ike_sa)
-	{
-		switch (state)
-		{
-#ifdef ME
-			case IKE_ESTABLISHED:
-			{	/* mediation connections are complete without CHILD_SA */
-				peer_cfg_t *peer_cfg = ike_sa->get_peer_cfg(ike_sa);
-
-				if (peer_cfg->is_mediation(peer_cfg))
-				{
-					this->status = SUCCESS;
-					return FALSE;
-				}
-				break;
-			}
-#endif /* ME */
-			case IKE_DESTROYING:
-				if (ike_sa->get_state(ike_sa) == IKE_DELETING)
-				{	/* proper termination */
-					this->status = SUCCESS;
-				}
-				return FALSE;
-			default:
-				break;
-		}
-	}
-	return TRUE;
-}
-
-/**
- * Implementation of listener_t.child_state_change
- */
-static bool listener_child_state(interface_listener_t *this, ike_sa_t *ike_sa,
-								 child_sa_t *child_sa, child_sa_state_t state)
-{
-	if (this->ike_sa == ike_sa)
-	{
-		switch (state)
-		{
-			case CHILD_INSTALLED:
-				this->status = SUCCESS;
-				return FALSE;
-			case CHILD_DESTROYING:
-				switch (child_sa->get_state(child_sa))
-				{
-					case CHILD_DELETING:
-						/* proper delete */
-						this->status = SUCCESS;
-						break;
-					default:
-						break;
-				}
-				return FALSE;
-			default:
-				break;
-		}
-	}
-	return TRUE;
-}
-
-/**
- * cleanup job if job is never executed
- */
-static void recheckin(interface_job_t *job)
-{
-	if (job->listener.ike_sa)
-	{
-		charon->ike_sa_manager->checkin(charon->ike_sa_manager,
-										job->listener.ike_sa);
-	}
-}
-
-/**
- * Implementation of controller_t.create_ike_sa_iterator.
- */
-static enumerator_t* create_ike_sa_enumerator(controller_t *this)
-{
-	return charon->ike_sa_manager->create_enumerator(charon->ike_sa_manager);
-}
-
-/**
- * execute function for initiate
- */
-static status_t initiate_execute(interface_job_t *job)
-{
-	ike_sa_t *ike_sa;
-	interface_listener_t *listener = &job->listener;
-	peer_cfg_t *peer_cfg = listener->peer_cfg;
-
-	ike_sa = charon->ike_sa_manager->checkout_by_config(charon->ike_sa_manager,
-														peer_cfg);
-	listener->ike_sa = ike_sa;
-
-	if (ike_sa->get_peer_cfg(ike_sa) == NULL)
-	{
-		ike_sa->set_peer_cfg(ike_sa, peer_cfg);
-	}
-	peer_cfg->destroy(peer_cfg);
-
-	if (ike_sa->initiate(ike_sa, listener->child_cfg, 0, NULL, NULL) == SUCCESS)
-	{
-		charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
-		return SUCCESS;
-	}
-	charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, ike_sa);
-	return FAILED;
-}
-
-/**
- * Implementation of controller_t.initiate.
- */
-static status_t initiate(private_controller_t *this,
-						 peer_cfg_t *peer_cfg, child_cfg_t *child_cfg,
-						 controller_cb_t callback, void *param)
-{
-	interface_job_t job = {
-		.listener = {
-			.public = {
-				.log = (void*)listener_log,
-				.ike_state_change = (void*)listener_ike_state,
-				.child_state_change = (void*)listener_child_state,
-			},
-			.callback = callback,
-			.param = param,
-			.status = FAILED,
-			.child_cfg = child_cfg,
-			.peer_cfg = peer_cfg,
-		},
-		.public = {
-			.execute = (void*)initiate_execute,
-			.destroy = (void*)recheckin,
-		},
-	};
-	if (callback == NULL)
-	{
-		return initiate_execute(&job);
-	}
-	charon->bus->listen(charon->bus, &job.listener.public, (job_t*)&job);
-	return job.listener.status;
-}
-
-/**
- * execute function for terminate_ike
- */
-static status_t terminate_ike_execute(interface_job_t *job)
-{
-	interface_listener_t *listener = &job->listener;
-	ike_sa_t *ike_sa = listener->ike_sa;
-
-	charon->bus->set_sa(charon->bus, ike_sa);
-
-	if (ike_sa->delete(ike_sa) != DESTROY_ME)
-	{
-		charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
-		/* delete failed */
-		return FAILED;
-	}
-	charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, ike_sa);
-	return SUCCESS;
-}
-
-/**
- * Implementation of controller_t.terminate_ike.
- */
-static status_t terminate_ike(controller_t *this, u_int32_t unique_id,
-							  controller_cb_t callback, void *param)
-{
-	ike_sa_t *ike_sa;
-	interface_job_t job = {
-		.listener = {
-			.public = {
-				.log = (void*)listener_log,
-				.ike_state_change = (void*)listener_ike_state,
-				.child_state_change = (void*)listener_child_state,
-			},
-			.callback = callback,
-			.param = param,
-			.status = FAILED,
-			.id = unique_id,
-		},
-		.public = {
-			.execute = (void*)terminate_ike_execute,
-			.destroy = (void*)recheckin,
-		},
-	};
-
-	ike_sa = charon->ike_sa_manager->checkout_by_id(charon->ike_sa_manager,
-													unique_id, FALSE);
-	if (ike_sa == NULL)
-	{
-		DBG1(DBG_IKE, "unable to terminate IKE_SA: ID %d not found", unique_id);
-		return NOT_FOUND;
-	}
-	job.listener.ike_sa = ike_sa;
-
-	if (callback == NULL)
-	{
-		return terminate_ike_execute(&job);
-	}
-	charon->bus->listen(charon->bus, &job.listener.public, (job_t*)&job);
-	return job.listener.status;
-}
-
-/**
- * execute function for terminate_child
- */
-static status_t terminate_child_execute(interface_job_t *job)
-{
-	interface_listener_t *listener = &job->listener;
-	ike_sa_t *ike_sa = listener->ike_sa;
-	child_sa_t *child_sa = listener->child_sa;
-
-	charon->bus->set_sa(charon->bus, ike_sa);
-	if (ike_sa->delete_child_sa(ike_sa, child_sa->get_protocol(child_sa),
-								child_sa->get_spi(child_sa, TRUE)) != DESTROY_ME)
-	{
-		charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
-		return SUCCESS;
-	}
-	charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, ike_sa);
-	return FAILED;
-}
-
-/**
- * Implementation of controller_t.terminate_child.
- */
-static status_t terminate_child(controller_t *this, u_int32_t reqid,
-								controller_cb_t callback, void *param)
-{
-	ike_sa_t *ike_sa;
-	child_sa_t *child_sa;
-	iterator_t *iterator;
-	interface_job_t job = {
-		.listener = {
-			.public = {
-				.log = (void*)listener_log,
-				.ike_state_change = (void*)listener_ike_state,
-				.child_state_change = (void*)listener_child_state,
-			},
-			.callback = callback,
-			.param = param,
-			.status = FAILED,
-			.id = reqid,
-		},
-		.public = {
-			.execute = (void*)terminate_child_execute,
-			.destroy = (void*)recheckin,
-		},
-	};
-
-	ike_sa = charon->ike_sa_manager->checkout_by_id(charon->ike_sa_manager,
-													reqid, TRUE);
-	if (ike_sa == NULL)
-	{
-		DBG1(DBG_IKE, "unable to terminate, CHILD_SA with ID %d not found",
-			 reqid);
-		return NOT_FOUND;
-	}
-	job.listener.ike_sa = ike_sa;
-
-	iterator = ike_sa->create_child_sa_iterator(ike_sa);
-	while (iterator->iterate(iterator, (void**)&child_sa))
-	{
-		if (child_sa->get_state(child_sa) != CHILD_ROUTED &&
-			child_sa->get_reqid(child_sa) == reqid)
-		{
-			break;
-		}
-		child_sa = NULL;
-	}
-	iterator->destroy(iterator);
-
-	if (child_sa == NULL)
-	{
-		DBG1(DBG_IKE, "unable to terminate, established "
-			 "CHILD_SA with ID %d not found", reqid);
-		charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
-		return NOT_FOUND;
-	}
-	job.listener.child_sa = child_sa;
-
-	if (callback == NULL)
-	{
-		return terminate_child_execute(&job);
-	}
-	charon->bus->listen(charon->bus, &job.listener.public, (job_t*)&job);
-	return job.listener.status;
-}
-
-/**
- * See header
- */
-bool controller_cb_empty(void *param, debug_t group, level_t level,
-					ike_sa_t *ike_sa, char *format, va_list args)
-{
-	return TRUE;
-}
-
-/**
- * Implementation of stroke_t.destroy.
- */
-static void destroy(private_controller_t *this)
-{
-	free(this);
-}
-
-/*
- * Described in header-file
- */
-controller_t *controller_create(void)
-{
-	private_controller_t *this = malloc_thing(private_controller_t);
-
-	this->public.create_ike_sa_enumerator = (enumerator_t*(*)(controller_t*))create_ike_sa_enumerator;
-	this->public.initiate = (status_t(*)(controller_t*,peer_cfg_t*,child_cfg_t*,controller_cb_t,void*))initiate;
-	this->public.terminate_ike = (status_t(*)(controller_t*,u_int32_t,controller_cb_t, void*))terminate_ike;
-	this->public.terminate_child = (status_t(*)(controller_t*,u_int32_t,controller_cb_t, void *param))terminate_child;
-	this->public.destroy = (void (*)(controller_t*))destroy;
-
-	return &this->public;
-}
-
diff --git a/src/charon/control/controller.h b/src/charon/control/controller.h
deleted file mode 100644
index 31b69c78c..000000000
--- a/src/charon/control/controller.h
+++ /dev/null
@@ -1,140 +0,0 @@
-/*
- * Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup controller_i controller
- * @{ @ingroup control
- */
-
-#ifndef CONTROLLER_H_
-#define CONTROLLER_H_
-
-#include <bus/bus.h>
-
-/**
- * callback to log things triggered by controller.
- *
- * @param param			echoed parameter supplied when function invoked
- * @param group			debugging group
- * @param level			verbosity level if log
- * @param ike_sa		associated IKE_SA, if any
- * @param format		printf like format string
- * @param args			list of arguments to use for format
- * @return				FALSE to return from invoked function
- */
-typedef bool(*controller_cb_t)(void* param, debug_t group, level_t level,
-							   ike_sa_t* ike_sa, char* format, va_list args);
-
-/**
- * Empty callback function for controller_t functions.
- *
- * If you want to do a synchronous call, but don't need a callback, pass
- * this function to the controllers methods.
- */
-bool controller_cb_empty(void *param, debug_t group, level_t level,
-						 ike_sa_t *ike_sa, char *format, va_list args);
-
-typedef struct controller_t controller_t;
-
-/**
- * The controller provides a simple interface to run actions.
- *
- * The controller starts actions by creating jobs. It then tries to
- * evaluate the result of the operation by listening on the bus.
- *
- * Passing NULL as callback to the managers function calls them asynchronously.
- * If a callback is specified, they are called synchronously. There is a default
- * callback "controller_cb_empty" if you wan't to call a function
- * synchronously, but don't need a callback.
- */
-struct controller_t {
-
-	/**
-	 * Create an enumerator for all IKE_SAs.
-	 *
-	 * The enumerator blocks the IKE_SA manager until it gets destroyed. Do
-	 * not call another interface/manager method while the iterator is alive.
-	 *
-	 * @return				enumerator, locks IKE_SA manager until destroyed
-	 */
-	enumerator_t* (*create_ike_sa_enumerator)(controller_t *this);
-
-	/**
-	 * Initiate a CHILD_SA, and if required, an IKE_SA.
-	 *
-	 * The initiate() function is synchronous and thus blocks until the
-	 * IKE_SA is established or failed. Because of this, the initiate() function
-	 * contains a thread cancellation point.
-	 *
-	 * @param peer_cfg		peer_cfg to use for IKE_SA setup
-	 * @param child_cfg		child_cfg to set up CHILD_SA from
-	 * @param cb			logging callback
-	 * @param param			parameter to include in each call of cb
-	 * @return
-	 *						- SUCCESS, if CHILD_SA established
-	 *						- FAILED, if setup failed
-	 *						- NEED_MORE, if callback returned FALSE
-	 */
-	status_t (*initiate)(controller_t *this,
-						 peer_cfg_t *peer_cfg, child_cfg_t *child_cfg,
-						 controller_cb_t callback, void *param);
-
-	/**
-	 * Terminate an IKE_SA and all of its CHILD_SAs.
-	 *
-	 * The terminate() function is synchronous and thus blocks until the
-	 * IKE_SA is properly deleted, or the delete timed out.
-	 * The terminate() function contains a thread cancellation point.
-	 *
-	 * @param unique_id		unique id of the IKE_SA to terminate.
-	 * @param cb			logging callback
-	 * @param param			parameter to include in each call of cb
-	 * @return
-	 *						- SUCCESS, if CHILD_SA terminated
-	 *						- NOT_FOUND, if no such CHILD_SA found
-	 *						- NEED_MORE, if callback returned FALSE
-	 */
-	status_t (*terminate_ike)(controller_t *this, u_int32_t unique_id,
-							  controller_cb_t callback, void *param);
-
-	/**
-	 * Terminate a CHILD_SA.
-	 *
-	 * @param reqid			reqid of the CHILD_SA to terminate
-	 * @param cb			logging callback
-	 * @param param			parameter to include in each call of cb
-	 * @return
-	 *						- SUCCESS, if CHILD_SA terminated
-	 *						- NOT_FOUND, if no such CHILD_SA found
-	 *						- NEED_MORE, if callback returned FALSE
-	 */
-	status_t (*terminate_child)(controller_t *this, u_int32_t reqid,
-								controller_cb_t callback, void *param);
-
-	/**
-	 * Destroy a controller_t instance.
-	 */
-	void (*destroy) (controller_t *this);
-};
-
-
-/**
- * Creates a controller instance.
- *
- * @return 			controller_t object
- */
-controller_t *controller_create(void);
-
-#endif /** CONTROLLER_H_ @}*/
diff --git a/src/charon/credentials/credential_manager.c b/src/charon/credentials/credential_manager.c
deleted file mode 100644
index adea0b4be..000000000
--- a/src/charon/credentials/credential_manager.c
+++ /dev/null
@@ -1,1681 +0,0 @@
-/*
- * Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "credential_manager.h"
-
-#include <daemon.h>
-#include <threading/thread_value.h>
-#include <threading/mutex.h>
-#include <threading/rwlock.h>
-#include <utils/linked_list.h>
-#include <credentials/sets/cert_cache.h>
-#include <credentials/sets/auth_cfg_wrapper.h>
-#include <credentials/sets/ocsp_response_wrapper.h>
-#include <credentials/certificates/x509.h>
-#include <credentials/certificates/crl.h>
-#include <credentials/certificates/ocsp_request.h>
-#include <credentials/certificates/ocsp_response.h>
-
-typedef struct private_credential_manager_t private_credential_manager_t;
-
-/**
- * private data of credential_manager
- */
-struct private_credential_manager_t {
-
-	/**
-	 * public functions
-	 */
-	credential_manager_t public;
-
-	/**
-	 * list of credential sets
-	 */
-	linked_list_t *sets;
-
-	/**
-	 * thread local set of credentials, linked_list_t with credential_set_t's
-	 */
-	thread_value_t *local_sets;
-
-	/**
-	 * trust relationship and certificate cache
-	 */
-	cert_cache_t *cache;
-
-	/**
-	 * certificates queued for persistent caching
-	 */
-	linked_list_t *cache_queue;
-
-	/**
-	 * read-write lock to sets list
-	 */
-	rwlock_t *lock;
-
-	/**
-	 * mutex for cache queue
-	 */
-	mutex_t *queue_mutex;
-};
-
-/** data to pass to create_private_enumerator */
-typedef struct {
-	private_credential_manager_t *this;
-	key_type_t type;
-	identification_t* keyid;
-} private_data_t;
-
-/** data to pass to create_cert_enumerator */
-typedef struct {
-	private_credential_manager_t *this;
-	certificate_type_t cert;
-	key_type_t key;
-	identification_t *id;
-	bool trusted;
-} cert_data_t;
-
-/** data to pass to create_cdp_enumerator */
-typedef struct {
-	private_credential_manager_t *this;
-	certificate_type_t type;
-	identification_t *id;
-} cdp_data_t;
-
-/** data to pass to create_shared_enumerator */
-typedef struct {
-	private_credential_manager_t *this;
-	shared_key_type_t type;
-	identification_t *me;
-	identification_t *other;
-} shared_data_t;
-
-/** enumerator over local and global sets */
-typedef struct {
-	/** implements enumerator_t */
-	enumerator_t public;
-	/** enumerator over global sets */
-	enumerator_t *global;
-	/** enumerator over local sets */
-	enumerator_t *local;
-} sets_enumerator_t;
-
-/**
- * destroy a sets_enumerator_t
- */
-static void sets_enumerator_destroy(sets_enumerator_t *this)
-{
-	DESTROY_IF(this->global);
-	DESTROY_IF(this->local);
-	free(this);
-}
-
-/**
- * sets_enumerator_t.enumerate
- */
-static bool sets_enumerator_enumerate(sets_enumerator_t *this,
-									  credential_set_t **set)
-{
-	if (this->global)
-	{
-		if (this->global->enumerate(this->global, set))
-		{
-			return TRUE;
-		}
-		/* end of global sets, look for local */
-		this->global->destroy(this->global);
-		this->global = NULL;
-	}
-	if (this->local)
-	{
-		return this->local->enumerate(this->local, set);
-	}
-	return FALSE;
-}
-
-/**
- * create an enumerator over both, global and local sets
- */
-static enumerator_t *create_sets_enumerator(private_credential_manager_t *this)
-{
-	linked_list_t *local;
-	sets_enumerator_t *enumerator = malloc_thing(sets_enumerator_t);
-
-	enumerator->public.enumerate = (void*)sets_enumerator_enumerate;
-	enumerator->public.destroy = (void*)sets_enumerator_destroy;
-	enumerator->global = this->sets->create_enumerator(this->sets);
-	enumerator->local = NULL;
-	local = this->local_sets->get(this->local_sets);
-	if (local)
-	{
-		enumerator->local = local->create_enumerator(local);
-	}
-	return &enumerator->public;
-}
-
-/**
- * cleanup function for cert data
- */
-static void destroy_cert_data(cert_data_t *data)
-{
-	data->this->lock->unlock(data->this->lock);
-	free(data);
-}
-
-/**
- * enumerator constructor for certificates
- */
-static enumerator_t *create_cert(credential_set_t *set, cert_data_t *data)
-{
-	return set->create_cert_enumerator(set, data->cert, data->key,
-									   data->id, data->trusted);
-}
-
-/**
- * Implementation of credential_manager_t.create_cert_enumerator.
- */
-static enumerator_t *create_cert_enumerator(private_credential_manager_t *this,
-						certificate_type_t certificate, key_type_t key,
-						identification_t *id, bool trusted)
-{
-	cert_data_t *data = malloc_thing(cert_data_t);
-	data->this = this;
-	data->cert = certificate;
-	data->key = key;
-	data->id = id;
-	data->trusted = trusted;
-
-	this->lock->read_lock(this->lock);
-	return enumerator_create_nested(create_sets_enumerator(this),
-									(void*)create_cert, data,
-									(void*)destroy_cert_data);
-}
-
-/**
- * Implementation of credential_manager_t.get_cert.
- */
-static certificate_t *get_cert(private_credential_manager_t *this,
-						certificate_type_t cert, key_type_t key,
-						identification_t *id, bool trusted)
-{
-	certificate_t *current, *found = NULL;
-	enumerator_t *enumerator;
-
-	enumerator = create_cert_enumerator(this, cert, key, id, trusted);
-	if (enumerator->enumerate(enumerator, &current))
-	{
-		/* TODO: best match? order by keyid, subject, sualtname */
-		found = current->get_ref(current);
-	}
-	enumerator->destroy(enumerator);
-	return found;
-}
-
-
-/**
- * cleanup function for cdp data
- */
-static void destroy_cdp_data(cdp_data_t *data)
-{
-	data->this->lock->unlock(data->this->lock);
-	free(data);
-}
-
-/**
- * enumerator constructor for CDPs
- */
-static enumerator_t *create_cdp(credential_set_t *set, cdp_data_t *data)
-{
-	return set->create_cdp_enumerator(set, data->type, data->id);
-}
-/**
- * Implementation of credential_manager_t.create_cdp_enumerator.
- */
-static enumerator_t * create_cdp_enumerator(private_credential_manager_t *this,
-								certificate_type_t type, identification_t *id)
-{
-	cdp_data_t *data = malloc_thing(cdp_data_t);
-	data->this = this;
-	data->type = type;
-	data->id = id;
-
-	this->lock->read_lock(this->lock);
-	return enumerator_create_nested(create_sets_enumerator(this),
-									(void*)create_cdp, data,
-									(void*)destroy_cdp_data);
-}
-
-/**
- * cleanup function for private data
- */
-static void destroy_private_data(private_data_t *data)
-{
-	data->this->lock->unlock(data->this->lock);
-	free(data);
-}
-
-/**
- * enumerator constructor for private keys
- */
-static enumerator_t *create_private(credential_set_t *set, private_data_t *data)
-{
-	return set->create_private_enumerator(set, data->type, data->keyid);
-}
-
-/**
- * Implementation of credential_manager_t.create_private_enumerator.
- */
-static enumerator_t* create_private_enumerator(
-									private_credential_manager_t *this,
-									key_type_t key, identification_t *keyid)
-{
-	private_data_t *data;
-
-	data = malloc_thing(private_data_t);
-	data->this = this;
-	data->type = key;
-	data->keyid = keyid;
-	this->lock->read_lock(this->lock);
-	return enumerator_create_nested(create_sets_enumerator(this),
-									(void*)create_private, data,
-									(void*)destroy_private_data);
-}
-
-/**
- * Implementation of credential_manager_t.get_private_by_keyid.
- */
-static private_key_t *get_private_by_keyid(private_credential_manager_t *this,
-										key_type_t key, identification_t *keyid)
-{
-	private_key_t *found = NULL;
-	enumerator_t *enumerator;
-
-	enumerator = create_private_enumerator(this, key, keyid);
-	if (enumerator->enumerate(enumerator, &found))
-	{
-		found->get_ref(found);
-	}
-	enumerator->destroy(enumerator);
-	return found;
-}
-
-/**
- * cleanup function for shared data
- */
-static void destroy_shared_data(shared_data_t *data)
-{
-	data->this->lock->unlock(data->this->lock);
-	free(data);
-}
-
-/**
- * enumerator constructor for shared keys
- */
-static enumerator_t *create_shared(credential_set_t *set, shared_data_t *data)
-{
-	return set->create_shared_enumerator(set, data->type, data->me, data->other);
-}
-
-/**
- * Implementation of credential_manager_t.create_shared_enumerator.
- */
-static enumerator_t *create_shared_enumerator(private_credential_manager_t *this,
-						shared_key_type_t type,
-						identification_t *me, identification_t *other)
-{
-	shared_data_t *data = malloc_thing(shared_data_t);
-	data->this = this;
-	data->type = type;
-	data->me = me;
-	data->other = other;
-
-	this->lock->read_lock(this->lock);
-	return enumerator_create_nested(create_sets_enumerator(this),
-									(void*)create_shared, data,
-									(void*)destroy_shared_data);
-}
-
-/**
- * Implementation of credential_manager_t.get_shared.
- */
-static shared_key_t *get_shared(private_credential_manager_t *this,
-								shared_key_type_t type,	identification_t *me,
-								identification_t *other)
-{
-	shared_key_t *current, *found = NULL;
-	id_match_t *best_me = ID_MATCH_NONE, *best_other = ID_MATCH_NONE;
-	id_match_t *match_me, *match_other;
-	enumerator_t *enumerator;
-
-	enumerator = create_shared_enumerator(this, type, me, other);
-	while (enumerator->enumerate(enumerator, &current, &match_me, &match_other))
-	{
-		if (match_other > best_other ||
-			(match_other == best_other && match_me > best_me))
-		{
-			DESTROY_IF(found);
-			found = current->get_ref(current);
-			best_me = match_me;
-			best_other = match_other;
-		}
-	}
-	enumerator->destroy(enumerator);
-	return found;
-}
-
-/**
- * add a credential set to the thread local list
- */
-static void add_local_set(private_credential_manager_t *this,
-						  credential_set_t *set)
-{
-	linked_list_t *sets;
-
-	sets = this->local_sets->get(this->local_sets);
-	if (!sets)
-	{	/* first invocation */
-		sets = linked_list_create();
-		this->local_sets->set(this->local_sets, sets);
-	}
-	sets->insert_last(sets, set);
-}
-
-/**
- * remove a credential set from the thread local list
- */
-static void remove_local_set(private_credential_manager_t *this,
-							 credential_set_t *set)
-{
-	linked_list_t *sets;
-
-	sets = this->local_sets->get(this->local_sets);
-	sets->remove(sets, set, NULL);
-}
-
-/**
- * Implementation of credential_manager_t.cache_cert.
- */
-static void cache_cert(private_credential_manager_t *this, certificate_t *cert)
-{
-	credential_set_t *set;
-	enumerator_t *enumerator;
-
-	if (this->lock->try_write_lock(this->lock))
-	{
-		enumerator = this->sets->create_enumerator(this->sets);
-		while (enumerator->enumerate(enumerator, &set))
-		{
-			set->cache_cert(set, cert);
-		}
-		enumerator->destroy(enumerator);
-		this->lock->unlock(this->lock);
-	}
-	else
-	{	/* we can't cache now as other threads are active, queue for later */
-		this->queue_mutex->lock(this->queue_mutex);
-		this->cache_queue->insert_last(this->cache_queue, cert->get_ref(cert));
-		this->queue_mutex->unlock(this->queue_mutex);
-	}
-}
-
-/**
- * Try to cache certificates queued for caching
- */
-static void cache_queue(private_credential_manager_t *this)
-{
-	credential_set_t *set;
-	certificate_t *cert;
-	enumerator_t *enumerator;
-
-	this->queue_mutex->lock(this->queue_mutex);
-	if (this->cache_queue->get_count(this->cache_queue) > 0 &&
-		this->lock->try_write_lock(this->lock))
-	{
-		while (this->cache_queue->remove_last(this->cache_queue,
-											  (void**)&cert) == SUCCESS)
-		{
-			enumerator = this->sets->create_enumerator(this->sets);
-			while (enumerator->enumerate(enumerator, &set))
-			{
-				set->cache_cert(set, cert);
-			}
-			enumerator->destroy(enumerator);
-			cert->destroy(cert);
-		}
-		this->lock->unlock(this->lock);
-	}
-	this->queue_mutex->unlock(this->queue_mutex);
-}
-
-/**
- * forward declaration
- */
-static enumerator_t *create_trusted_enumerator(private_credential_manager_t *this,
-					key_type_t type, identification_t *id, bool crl, bool ocsp);
-
-/**
- * Do an OCSP request
- */
-static certificate_t *fetch_ocsp(private_credential_manager_t *this, char *url,
-								 certificate_t *subject, certificate_t *issuer)
-{
-	certificate_t *request, *response;
-	chunk_t send, receive;
-
-	/* TODO: requestor name, signature */
-	request = lib->creds->create(lib->creds,
-						CRED_CERTIFICATE, CERT_X509_OCSP_REQUEST,
-						BUILD_CA_CERT, issuer,
-						BUILD_CERT, subject, BUILD_END);
-	if (!request)
-	{
-		DBG1(DBG_CFG, "generating ocsp request failed");
-		return NULL;
-	}
-
-	send = request->get_encoding(request);
-	request->destroy(request);
-
-	DBG1(DBG_CFG, "  requesting ocsp status from '%s' ...", url);
-	if (lib->fetcher->fetch(lib->fetcher, url, &receive,
-							FETCH_REQUEST_DATA, send,
-							FETCH_REQUEST_TYPE, "application/ocsp-request",
-							FETCH_END) != SUCCESS)
-	{
-		DBG1(DBG_CFG, "ocsp request to %s failed", url);
-		chunk_free(&send);
-		return NULL;
-	}
-	chunk_free(&send);
-
-	response = lib->creds->create(lib->creds,
-								  CRED_CERTIFICATE, CERT_X509_OCSP_RESPONSE,
-								  BUILD_BLOB_ASN1_DER, receive, BUILD_END);
-	chunk_free(&receive);
-	if (!response)
-	{
-		DBG1(DBG_CFG, "parsing ocsp response failed");
-		return NULL;
-	}
-	return response;
-}
-
-/**
- * check the signature of an OCSP response
- */
-static bool verify_ocsp(private_credential_manager_t *this,
-						ocsp_response_t *response)
-{
-	certificate_t *issuer, *subject;
-	identification_t *responder;
-	ocsp_response_wrapper_t *wrapper;
-	enumerator_t *enumerator;
-	bool verified = FALSE;
-
-	wrapper = ocsp_response_wrapper_create((ocsp_response_t*)response);
-	add_local_set(this, &wrapper->set);
-
-	subject = &response->certificate;
-	responder = subject->get_issuer(subject);
-	enumerator = create_trusted_enumerator(this, KEY_ANY, responder, FALSE, FALSE);
-	while (enumerator->enumerate(enumerator, &issuer, NULL))
-	{
-		if (this->cache->issued_by(this->cache, subject, issuer))
-		{
-			DBG1(DBG_CFG, "  ocsp response correctly signed by \"%Y\"",
-							 issuer->get_subject(issuer));
-			verified = TRUE;
-			break;
-		}
-	}
-	enumerator->destroy(enumerator);
-
-	remove_local_set(this, &wrapper->set);
-	wrapper->destroy(wrapper);
-	return verified;
-}
-
-/**
- * Get the better of two OCSP responses, and check for usable OCSP info
- */
-static certificate_t *get_better_ocsp(private_credential_manager_t *this,
-									  certificate_t *cand, certificate_t *best,
-									  x509_t *subject, x509_t *issuer,
-									  cert_validation_t *valid, bool cache)
-{
-	ocsp_response_t *response;
-	time_t revocation, this_update, next_update, valid_until;
-	crl_reason_t reason;
-	bool revoked = FALSE;
-
-	response = (ocsp_response_t*)cand;
-
-	/* check ocsp signature */
-	if (!verify_ocsp(this, response))
-	{
-		DBG1(DBG_CFG, "ocsp response verification failed");
-		cand->destroy(cand);
-		return best;
-	}
-	/* check if response contains our certificate */
-	switch (response->get_status(response, subject, issuer, &revocation, &reason,
-								 &this_update, &next_update))
-	{
-		case VALIDATION_REVOKED:
-			/* subject has been revoked by a valid OCSP response */
-			DBG1(DBG_CFG, "certificate was revoked on %T, reason: %N",
-						  &revocation, TRUE, crl_reason_names, reason);
-			revoked = TRUE;
-			break;
-		case VALIDATION_GOOD:
-			/* results in either good or stale */
-			break;
-		default:
-		case VALIDATION_FAILED:
-			/* candidate unusable, does not contain our cert */
-			DBG1(DBG_CFG, "  ocsp response contains no status on our certificate");
-			cand->destroy(cand);
-			return best;
-	}
-
-	/* select the better of the two responses */
-	if (best == NULL || cand->is_newer(cand, best))
-	{
-		DESTROY_IF(best);
-		best = cand;
-		if (best->get_validity(best, NULL, NULL, &valid_until))
-		{
-			DBG1(DBG_CFG, "  ocsp response is valid: until %T",
-							 &valid_until, FALSE);
-			*valid = VALIDATION_GOOD;
-			if (cache)
-			{	/* cache non-stale only, stale certs get refetched */
-				cache_cert(this, best);
-			}
-		}
-		else
-		{
-			DBG1(DBG_CFG, "  ocsp response is stale: since %T",
-							 &valid_until, FALSE);
-			*valid = VALIDATION_STALE;
-		}
-	}
-	else
-	{
-		*valid = VALIDATION_STALE;
-		cand->destroy(cand);
-	}
-	if (revoked)
-	{	/* revoked always counts, even if stale */
-		*valid = VALIDATION_REVOKED;
-	}
-	return best;
-}
-
-/**
- * validate a x509 certificate using OCSP
- */
-static cert_validation_t check_ocsp(private_credential_manager_t *this,
-									x509_t *subject, x509_t *issuer,
-									auth_cfg_t *auth)
-{
-	enumerator_t *enumerator;
-	cert_validation_t valid = VALIDATION_SKIPPED;
-	certificate_t *best = NULL, *current;
-	identification_t *keyid = NULL;
-	public_key_t *public;
-	chunk_t chunk;
-	char *uri = NULL;
-
-	/** lookup cache for valid OCSP responses */
-	enumerator = create_cert_enumerator(this, CERT_X509_OCSP_RESPONSE,
-										KEY_ANY, NULL, FALSE);
-	while (enumerator->enumerate(enumerator, &current))
-	{
-		current->get_ref(current);
-		best = get_better_ocsp(this, current, best, subject, issuer,
-							   &valid, FALSE);
-		if (best && valid != VALIDATION_STALE)
-		{
-			DBG1(DBG_CFG, "  using cached ocsp response");
-			break;
-		}
-	}
-	enumerator->destroy(enumerator);
-
-	/* derive the authorityKeyIdentifier from the issuer's public key */
-	current = &issuer->interface;
-	public = current->get_public_key(current);
-	if (public && public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1, &chunk))
-	{
-		keyid = identification_create_from_encoding(ID_KEY_ID, chunk);
-	}
-	/** fetch from configured OCSP responder URLs */
-	if (keyid && valid != VALIDATION_GOOD && valid != VALIDATION_REVOKED)
-	{
-		enumerator = create_cdp_enumerator(this, CERT_X509_OCSP_RESPONSE, keyid);
-		while (enumerator->enumerate(enumerator, &uri))
-		{
-			current = fetch_ocsp(this, uri, &subject->interface,
-								 &issuer->interface);
-			if (current)
-			{
-				best = get_better_ocsp(this, current, best, subject, issuer,
-									   &valid, TRUE);
-				if (best && valid != VALIDATION_STALE)
-				{
-					break;
-				}
-			}
-		}
-		enumerator->destroy(enumerator);
-	}
-	DESTROY_IF(public);
-	DESTROY_IF(keyid);
-
-	/* fallback to URL fetching from subject certificate's URIs */
-	if (valid != VALIDATION_GOOD && valid != VALIDATION_REVOKED)
-	{
-		enumerator = subject->create_ocsp_uri_enumerator(subject);
-		while (enumerator->enumerate(enumerator, &uri))
-		{
-			current = fetch_ocsp(this, uri, &subject->interface,
-								 &issuer->interface);
-			if (current)
-			{
-				best = get_better_ocsp(this, current, best, subject, issuer,
-									   &valid, TRUE);
-				if (best && valid != VALIDATION_STALE)
-				{
-					break;
-				}
-			}
-		}
-		enumerator->destroy(enumerator);
-	}
-	/* an uri was found, but no result. switch validation state to failed */
-	if (valid == VALIDATION_SKIPPED && uri)
-	{
-		valid = VALIDATION_FAILED;
-	}
-	if (auth)
-	{
-		auth->add(auth, AUTH_RULE_OCSP_VALIDATION, valid);
-		if (valid == VALIDATION_GOOD)
-		{	/* successful OCSP check fulfills also CRL constraint */
-			auth->add(auth, AUTH_RULE_CRL_VALIDATION, VALIDATION_GOOD);
-		}
-	}
-	DESTROY_IF(best);
-	return valid;
-}
-
-/**
- * fetch a CRL from an URL
- */
-static certificate_t* fetch_crl(private_credential_manager_t *this, char *url)
-{
-	certificate_t *crl;
-	chunk_t chunk;
-
-	DBG1(DBG_CFG, "  fetching crl from '%s' ...", url);
-	if (lib->fetcher->fetch(lib->fetcher, url, &chunk, FETCH_END) != SUCCESS)
-	{
-		DBG1(DBG_CFG, "crl fetching failed");
-		return NULL;
-	}
-	crl = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL,
-							 BUILD_BLOB_ASN1_DER, chunk, BUILD_END);
-	chunk_free(&chunk);
-	if (!crl)
-	{
-		DBG1(DBG_CFG, "crl fetched successfully but parsing failed");
-		return NULL;
-	}
-	return crl;
-}
-
-/**
- * check the signature of an CRL
- */
-static bool verify_crl(private_credential_manager_t *this, certificate_t *crl)
-{
-	certificate_t *issuer;
-	enumerator_t *enumerator;
-	bool verified = FALSE;
-
-	enumerator = create_trusted_enumerator(this, KEY_ANY, crl->get_issuer(crl),
-										   FALSE, FALSE);
-	while (enumerator->enumerate(enumerator, &issuer, NULL))
-	{
-		if (this->cache->issued_by(this->cache, crl, issuer))
-		{
-			DBG1(DBG_CFG, "  crl correctly signed by \"%Y\"",
-						   issuer->get_subject(issuer));
-			verified = TRUE;
-			break;
-		}
-	}
-	enumerator->destroy(enumerator);
-
-	return verified;
-}
-
-/**
- * Get the better of two CRLs, and check for usable CRL info
- */
-static certificate_t *get_better_crl(private_credential_manager_t *this,
-									 certificate_t *cand, certificate_t *best,
-									 x509_t *subject, x509_t *issuer,
-									 cert_validation_t *valid, bool cache)
-{
-	enumerator_t *enumerator;
-	time_t revocation, valid_until;
-	crl_reason_t reason;
-	chunk_t serial;
-	crl_t *crl;
-
-	/* check CRL signature */
-	if (!verify_crl(this, cand))
-	{
-		DBG1(DBG_CFG, "crl response verification failed");
-		cand->destroy(cand);
-		return best;
-	}
-
-	crl = (crl_t*)cand;
-	enumerator = crl->create_enumerator(crl);
-	while (enumerator->enumerate(enumerator, &serial, &revocation, &reason))
-	{
-		if (chunk_equals(serial, subject->get_serial(subject)))
-		{
-			DBG1(DBG_CFG, "certificate was revoked on %T, reason: %N",
-				 &revocation, TRUE, crl_reason_names, reason);
-			*valid = VALIDATION_REVOKED;
-			enumerator->destroy(enumerator);
-			DESTROY_IF(best);
-			return cand;
-		}
-	}
-	enumerator->destroy(enumerator);
-
-	/* select the better of the two CRLs */
-	if (best == NULL || cand->is_newer(cand, best))
-	{
-		DESTROY_IF(best);
-		best = cand;
-		if (best->get_validity(best, NULL, NULL, &valid_until))
-		{
-			DBG1(DBG_CFG, "  crl is valid: until %T", &valid_until, FALSE);
-			*valid = VALIDATION_GOOD;
-			if (cache)
-			{	/* we cache non-stale crls only, as a stale crls are refetched */
-				cache_cert(this, best);
-			}
-		}
-		else
-		{
-			DBG1(DBG_CFG, "  crl is stale: since %T", &valid_until, FALSE);
-			*valid = VALIDATION_STALE;
-		}
-	}
-	else
-	{
-		*valid = VALIDATION_STALE;
-		cand->destroy(cand);
-	}
-	return best;
-}
-
-/**
- * validate a x509 certificate using CRL
- */
-static cert_validation_t check_crl(private_credential_manager_t *this,
-								   x509_t *subject, x509_t *issuer,
-								   auth_cfg_t *auth)
-{
-	cert_validation_t valid = VALIDATION_SKIPPED;
-	identification_t *keyid = NULL;
-	certificate_t *best = NULL;
-	certificate_t *current;
-	public_key_t *public;
-	enumerator_t *enumerator;
-	chunk_t chunk;
-	char *uri = NULL;
-
-	/* derive the authorityKeyIdentifier from the issuer's public key */
-	current = &issuer->interface;
-	public = current->get_public_key(current);
-	if (public && public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1, &chunk))
-	{
-		keyid = identification_create_from_encoding(ID_KEY_ID, chunk);
-
-		/* find a cached crl by authorityKeyIdentifier */
-		enumerator = create_cert_enumerator(this, CERT_X509_CRL, KEY_ANY,
-											keyid, FALSE);
-		while (enumerator->enumerate(enumerator, &current))
-		{
-			current->get_ref(current);
-			best = get_better_crl(this, current, best, subject, issuer,
-								  &valid, FALSE);
-			if (best && valid != VALIDATION_STALE)
-			{
-				DBG1(DBG_CFG, "  using cached crl");
-				break;
-			}
-		}
-		enumerator->destroy(enumerator);
-
-		/* fallback to fetching crls from credential sets cdps */
-		if (valid != VALIDATION_GOOD && valid != VALIDATION_REVOKED)
-		{
-			enumerator = create_cdp_enumerator(this, CERT_X509_CRL, keyid);
-
-			while (enumerator->enumerate(enumerator, &uri))
-			{
-				current = fetch_crl(this, uri);
-				if (current)
-				{
-					best = get_better_crl(this, current, best, subject, issuer,
-										  &valid, TRUE);
-					if (best && valid != VALIDATION_STALE)
-					{
-						break;
-					}
-				}
-			}
-			enumerator->destroy(enumerator);
-		}
-		keyid->destroy(keyid);
-	}
-	DESTROY_IF(public);
-
-	/* fallback to fetching crls from cdps from subject's certificate */
-	if (valid != VALIDATION_GOOD && valid != VALIDATION_REVOKED)
-	{
-		enumerator = subject->create_crl_uri_enumerator(subject);
-
-		while (enumerator->enumerate(enumerator, &uri))
-		{
-			current = fetch_crl(this, uri);
-			if (current)
-			{
-				best = get_better_crl(this, current, best, subject, issuer,
-									  &valid, TRUE);
-				if (best && valid != VALIDATION_STALE)
-				{
-					break;
-				}
-			}
-		}
-		enumerator->destroy(enumerator);
-	}
-
-	/* an uri was found, but no result. switch validation state to failed */
-	if (valid == VALIDATION_SKIPPED && uri)
-	{
-		valid = VALIDATION_FAILED;
-	}
-	if (auth)
-	{
-		if (valid == VALIDATION_SKIPPED)
-		{	/* if we skipped CRL validation, we use the result of OCSP for
-			 * constraint checking */
-			auth->add(auth, AUTH_RULE_CRL_VALIDATION,
-					  auth->get(auth, AUTH_RULE_OCSP_VALIDATION));
-		}
-		else
-		{
-			auth->add(auth, AUTH_RULE_CRL_VALIDATION, valid);
-		}
-	}
-	DESTROY_IF(best);
-	return valid;
-}
-
-/**
- * check a certificate for optional IP address block constraints
- */
-static bool check_ip_addr_block_constraints(x509_t *subject, x509_t *issuer)
-{
-	bool subject_constraint = subject->get_flags(subject) & X509_IP_ADDR_BLOCKS;
-	bool issuer_constraint = issuer->get_flags(issuer) & X509_IP_ADDR_BLOCKS;
-	bool contained = TRUE;
-
-	enumerator_t *subject_enumerator, *issuer_enumerator;
-	traffic_selector_t *subject_ts, *issuer_ts;
-
-	if (!subject_constraint && !issuer_constraint)
-	{
-		return TRUE;		
-	}
-	if (!subject_constraint)
-	{
-		DBG1(DBG_CFG, "subject certficate lacks ipAddrBlocks extension");
-		return FALSE;
-	}
-	if (!issuer_constraint)
-	{
-		DBG1(DBG_CFG, "issuer certficate lacks ipAddrBlocks extension");
-		return FALSE;		
-	}
-	subject_enumerator = subject->create_ipAddrBlock_enumerator(subject);
-	while (subject_enumerator->enumerate(subject_enumerator, &subject_ts))
-	{
-		contained = FALSE;
-
-		issuer_enumerator = issuer->create_ipAddrBlock_enumerator(issuer);
-		while (issuer_enumerator->enumerate(issuer_enumerator, &issuer_ts))
-		{
-			if (subject_ts->is_contained_in(subject_ts, issuer_ts))
-			{
-				DBG2(DBG_CFG, "  subject address block %R is contained in "
-							  "issuer address block %R", subject_ts, issuer_ts);
-				contained = TRUE;
-				break;
-			}
-		}
-		issuer_enumerator->destroy(issuer_enumerator);
-		if (!contained)
-		{
-			DBG1(DBG_CFG, "subject address block %R is not contained in any "
-						  "issuer address block", subject_ts);
-			break;
-		}
-	}
-	subject_enumerator->destroy(subject_enumerator);
-	return contained;	
-}
-
-/**
- * check a certificate for its lifetime
- */
-static bool check_certificate(private_credential_manager_t *this,
-							  certificate_t *subject, certificate_t *issuer,
-							  bool crl, bool ocsp, auth_cfg_t *auth)
-{
-	time_t not_before, not_after;
-
-	if (!subject->get_validity(subject, NULL, &not_before, &not_after))
-	{
-		DBG1(DBG_CFG, "subject certificate invalid (valid from %T to %T)",
-			 &not_before, FALSE, &not_after, FALSE);
-		return FALSE;
-	}
-	if (!issuer->get_validity(issuer, NULL, &not_before, &not_after))
-	{
-		DBG1(DBG_CFG, "issuer certificate invalid (valid from %T to %T)",
-			 &not_before, FALSE, &not_after, FALSE);
-		return FALSE;
-	}
-	if (issuer->get_type(issuer) == CERT_X509 &&
-		subject->get_type(subject) == CERT_X509)
-	{
-		if (!check_ip_addr_block_constraints((x509_t*)subject, (x509_t*)issuer))
-		{
-			return FALSE;
-		}
-		if (ocsp || crl)
-		{
-			DBG1(DBG_CFG, "checking certificate status of \"%Y\"",
-						   subject->get_subject(subject));
-		}
-		if (ocsp)
-		{
-			switch (check_ocsp(this, (x509_t*)subject, (x509_t*)issuer, auth))
-			{
-				case VALIDATION_GOOD:
-					DBG1(DBG_CFG, "certificate status is good");
-					return TRUE;
-				case VALIDATION_REVOKED:
-					/* has already been logged */
-					return FALSE;
-				case VALIDATION_SKIPPED:
-					DBG2(DBG_CFG, "ocsp check skipped, no ocsp found");
-					break;
-				case VALIDATION_STALE:
-					DBG1(DBG_CFG, "ocsp information stale, fallback to crl");
-					break;
-				case VALIDATION_FAILED:
-					DBG1(DBG_CFG, "ocsp check failed, fallback to crl");
-					break;
-			}
-		}
-		if (crl)
-		{
-			switch (check_crl(this, (x509_t*)subject, (x509_t*)issuer, auth))
-			{
-				case VALIDATION_GOOD:
-					DBG1(DBG_CFG, "certificate status is good");
-					return TRUE;
-				case VALIDATION_REVOKED:
-					/* has already been logged */
-					return FALSE;
-				case VALIDATION_FAILED:
-				case VALIDATION_SKIPPED:
-					DBG1(DBG_CFG, "certificate status is not available");
-					break;
-				case VALIDATION_STALE:
-					DBG1(DBG_CFG, "certificate status is unknown, crl is stale");
-					break;
-			}
-		}
-	}
-	return TRUE;
-}
-
-/**
- * Get a trusted certificate from a credential set
- */
-static certificate_t *get_pretrusted_cert(private_credential_manager_t *this,
-										  key_type_t type, identification_t *id)
-{
-	certificate_t *subject;
-	public_key_t *public;
-
-	subject = get_cert(this, CERT_ANY, type, id, TRUE);
-	if (!subject)
-	{
-		return NULL;
-	}
-	public = subject->get_public_key(subject);
-	if (!public)
-	{
-		subject->destroy(subject);
-		return NULL;
-	}
-	public->destroy(public);
-	return subject;
-}
-
-/**
- * Get the issuing certificate of a subject certificate
- */
-static certificate_t *get_issuer_cert(private_credential_manager_t *this,
-									  certificate_t *subject, bool trusted)
-{
-	enumerator_t *enumerator;
-	certificate_t *issuer = NULL, *candidate;
-
-	enumerator = create_cert_enumerator(this, subject->get_type(subject), KEY_ANY,
-										subject->get_issuer(subject), trusted);
-	while (enumerator->enumerate(enumerator, &candidate))
-	{
-		if (this->cache->issued_by(this->cache, subject, candidate))
-		{
-			issuer = candidate->get_ref(candidate);
-			break;
-		}
-	}
-	enumerator->destroy(enumerator);
-	return issuer;
-}
-
-/**
- * try to verify the trust chain of subject, return TRUE if trusted
- */
-static bool verify_trust_chain(private_credential_manager_t *this,
-							   certificate_t *subject, auth_cfg_t *result,
-							   bool trusted, bool crl, bool ocsp)
-{
-	certificate_t *current, *issuer;
-	x509_t *x509;
-	auth_cfg_t *auth;
-	int pathlen, pathlen_constraint;
-
-	auth = auth_cfg_create();
-	current = subject->get_ref(subject);
-
-	for (pathlen = 0; pathlen <= X509_MAX_PATH_LEN; pathlen++)
-	{
-		issuer = get_issuer_cert(this, current, TRUE);
-		if (issuer)
-		{
-			/* accept only self-signed CAs as trust anchor */
-			if (this->cache->issued_by(this->cache, issuer, issuer))
-			{
-				auth->add(auth, AUTH_RULE_CA_CERT, issuer->get_ref(issuer));
-				DBG1(DBG_CFG, "  using trusted ca certificate \"%Y\"",
-							  issuer->get_subject(issuer));
-				trusted = TRUE;
-			}
-			else
-			{
-				auth->add(auth, AUTH_RULE_IM_CERT, issuer->get_ref(issuer));
-				DBG1(DBG_CFG, "  using trusted intermediate ca certificate "
-					 "\"%Y\"", issuer->get_subject(issuer));
-			}
-		}
-		else
-		{
-			issuer = get_issuer_cert(this, current, FALSE);
-			if (issuer)
-			{
-				if (current->equals(current, issuer))
-				{
-					DBG1(DBG_CFG, "  self-signed certificate \"%Y\" is not trusted",
-						 current->get_subject(current));
-					issuer->destroy(issuer);
-					break;
-				}
-				auth->add(auth, AUTH_RULE_IM_CERT, issuer->get_ref(issuer));
-				DBG1(DBG_CFG, "  using untrusted intermediate certificate "
-					 "\"%Y\"", issuer->get_subject(issuer));
-			}
-			else
-			{
-				DBG1(DBG_CFG, "no issuer certificate found for \"%Y\"",
-					 current->get_subject(current));
-				break;
-			}
-		}
-		if (!check_certificate(this, current, issuer, crl, ocsp,
-							   current == subject ? auth : NULL))
-		{
-			trusted = FALSE;
-			issuer->destroy(issuer);
-			break;
-		}
-
-		/* check path length constraint */
-		x509 = (x509_t*)issuer;
-		pathlen_constraint = x509->get_pathLenConstraint(x509);
-		if (pathlen_constraint != X509_NO_PATH_LEN_CONSTRAINT &&
-			pathlen > pathlen_constraint)
-		{
-			DBG1(DBG_CFG, "path length of %d violates constraint of %d",
-				 pathlen, pathlen_constraint);
-			trusted = FALSE;
-			issuer->destroy(issuer);
-			break;
-		}
-		current->destroy(current);
-		current = issuer;
-		if (trusted)
-		{
-			DBG1(DBG_CFG, "  reached self-signed root ca with a path length of %d",
-						  pathlen);
-			break;
-		}
-	}
-	current->destroy(current);
-	if (pathlen > X509_MAX_PATH_LEN)
-	{
-		DBG1(DBG_CFG, "maximum path length of %d exceeded", X509_MAX_PATH_LEN);
-	}
-	if (trusted)
-	{
-		result->merge(result, auth, FALSE);
-	}
-	auth->destroy(auth);
-	return trusted;
-}
-
-/**
- * enumerator for trusted certificates
- */
-typedef struct {
-	/** implements enumerator_t interface */
-	enumerator_t public;
-	/** enumerator over candidate peer certificates */
-	enumerator_t *candidates;
-	/** reference to the credential_manager */
-	private_credential_manager_t *this;
-	/** type of the requested key */
-	key_type_t type;
-	/** identity the requested key belongs to */
-	identification_t *id;
-	/** TRUE to do CRL checking */
-	bool crl;
-	/** TRUE to do OCSP checking */
-	bool ocsp;
-	/** pretrusted certificate we have served at first invocation */
-	certificate_t *pretrusted;
-	/** currently enumerating auth config */
-	auth_cfg_t *auth;
-} trusted_enumerator_t;
-
-/**
- * Implements trusted_enumerator_t.enumerate
- */
-static bool trusted_enumerate(trusted_enumerator_t *this,
-							  certificate_t **cert, auth_cfg_t **auth)
-{
-	certificate_t *current;
-
-	DESTROY_IF(this->auth);
-	this->auth = auth_cfg_create();
-
-	if (!this->candidates)
-	{
-		/* first invocation, build enumerator for next one */
-		this->candidates = create_cert_enumerator(this->this, CERT_ANY,
-												  this->type, this->id, FALSE);
-		/* check if we have a trusted certificate for that peer */
-		this->pretrusted = get_pretrusted_cert(this->this, this->type, this->id);
-		if (this->pretrusted)
-		{
-			/* if we find a trusted self signed certificate, we just accept it.
-			 * However, in order to fulfill authorization rules, we try to build
-			 * the trust chain if it is not self signed */
-			if (this->this->cache->issued_by(this->this->cache,
-								   this->pretrusted, this->pretrusted) ||
-				verify_trust_chain(this->this, this->pretrusted, this->auth,
-								   TRUE, this->crl, this->ocsp))
-			{
-				this->auth->add(this->auth, AUTH_RULE_SUBJECT_CERT,
-								this->pretrusted->get_ref(this->pretrusted));
-				DBG1(DBG_CFG, "  using trusted certificate \"%Y\"",
-					 this->pretrusted->get_subject(this->pretrusted));
-				*cert = this->pretrusted;
-				if (auth)
-				{
-					*auth = this->auth;
-				}
-				return TRUE;
-			}
-		}
-	}
-	/* try to verify the trust chain for each certificate found */
-	while (this->candidates->enumerate(this->candidates, &current))
-	{
-		if (this->pretrusted &&
-			this->pretrusted->equals(this->pretrusted, current))
-		{	/* skip pretrusted certificate we already served */
-			continue;
-		}
-
-		DBG1(DBG_CFG, "  using certificate \"%Y\"",
-			 current->get_subject(current));
-		if (verify_trust_chain(this->this, current, this->auth, FALSE,
-							   this->crl, this->ocsp))
-		{
-			*cert = current;
-			if (auth)
-			{
-				*auth = this->auth;
-			}
-			return TRUE;
-		}
-	}
-	return FALSE;
-}
-
-/**
- * Implements trusted_enumerator_t.destroy
- */
-static void trusted_destroy(trusted_enumerator_t *this)
-{
-	DESTROY_IF(this->pretrusted);
-	DESTROY_IF(this->auth);
-	DESTROY_IF(this->candidates);
-	free(this);
-}
-
-/**
- * create an enumerator over trusted certificates and their trustchain
- */
-static enumerator_t *create_trusted_enumerator(private_credential_manager_t *this,
-					key_type_t type, identification_t *id, bool crl, bool ocsp)
-{
-	trusted_enumerator_t *enumerator = malloc_thing(trusted_enumerator_t);
-
-	enumerator->public.enumerate = (void*)trusted_enumerate;
-	enumerator->public.destroy = (void*)trusted_destroy;
-
-	enumerator->candidates = NULL;
-	enumerator->this = this;
-	enumerator->type = type;
-	enumerator->id = id;
-	enumerator->crl = crl;
-	enumerator->ocsp = ocsp;
-	enumerator->pretrusted = NULL;
-	enumerator->auth = NULL;
-
-	return &enumerator->public;
-}
-
-/**
- * enumerator for public keys
- */
-typedef struct {
-	/** implements enumerator_t interface */
-	enumerator_t public;
-	/** enumerator over candidate peer certificates */
-	enumerator_t *inner;
-	/** reference to the credential_manager */
-	private_credential_manager_t *this;
-	/** currently enumerating key */
-	public_key_t *current;
-	/** credset wrapper around auth config */
-	auth_cfg_wrapper_t *wrapper;
-} public_enumerator_t;
-
-/**
- * Implements public_enumerator_t.enumerate
- */
-static bool public_enumerate(public_enumerator_t *this,
-							 public_key_t **key, auth_cfg_t **auth)
-{
-	certificate_t *cert;
-
-	while (this->inner->enumerate(this->inner, &cert, auth))
-	{
-		DESTROY_IF(this->current);
-		this->current = cert->get_public_key(cert);
-		if (this->current)
-		{
-			*key = this->current;
-			return TRUE;
-		}
-	}
-	return FALSE;
-}
-
-/**
- * Implements public_enumerator_t.destroy
- */
-static void public_destroy(public_enumerator_t *this)
-{
-	DESTROY_IF(this->current);
-	this->inner->destroy(this->inner);
-	if (this->wrapper)
-	{
-		remove_local_set(this->this, &this->wrapper->set);
-		this->wrapper->destroy(this->wrapper);
-	}
-	this->this->lock->unlock(this->this->lock);
-
-	/* check for delayed certificate cache queue */
-	cache_queue(this->this);
-	free(this);
-}
-
-/**
- * Implementation of credential_manager_t.create_public_enumerator.
- */
-static enumerator_t* create_public_enumerator(private_credential_manager_t *this,
-						key_type_t type, identification_t *id, auth_cfg_t *auth)
-{
-	public_enumerator_t *enumerator = malloc_thing(public_enumerator_t);
-
-	enumerator->public.enumerate = (void*)public_enumerate;
-	enumerator->public.destroy = (void*)public_destroy;
-	enumerator->inner = create_trusted_enumerator(this, type, id, TRUE, TRUE);
-	enumerator->this = this;
-	enumerator->current = NULL;
-	enumerator->wrapper = NULL;
-	if (auth)
-	{
-		enumerator->wrapper = auth_cfg_wrapper_create(auth);
-		add_local_set(this, &enumerator->wrapper->set);
-	}
-	this->lock->read_lock(this->lock);
-	return &enumerator->public;
-}
-
-/**
- * Check if a certificate's keyid is contained in the auth helper
- */
-static bool auth_contains_cacert(auth_cfg_t *auth, certificate_t *cert)
-{
-	enumerator_t *enumerator;
-	identification_t *value;
-	auth_rule_t type;
-	bool found = FALSE;
-
-	enumerator = auth->create_enumerator(auth);
-	while (enumerator->enumerate(enumerator, &type, &value))
-	{
-		if (type == AUTH_RULE_CA_CERT &&
-			cert->equals(cert, (certificate_t*)value))
-		{
-			found = TRUE;
-			break;
-		}
-	}
-	enumerator->destroy(enumerator);
-	return found;
-}
-
-/**
- * build a trustchain from subject up to a trust anchor in trusted
- */
-static auth_cfg_t *build_trustchain(private_credential_manager_t *this,
-									 certificate_t *subject, auth_cfg_t *auth)
-{
-	certificate_t *issuer, *current;
-	auth_cfg_t *trustchain;
-	int pathlen = 0;
-
-	trustchain = auth_cfg_create();
-
-	current = auth->get(auth, AUTH_RULE_CA_CERT);
-	if (!current)
-	{
-		/* no trust anchor specified, return this cert only */
-		trustchain->add(trustchain, AUTH_RULE_SUBJECT_CERT,
-						subject->get_ref(subject));
-		return trustchain;
-	}
-	current = subject->get_ref(subject);
-	while (TRUE)
-	{
-		if (auth_contains_cacert(auth, current))
-		{
-			trustchain->add(trustchain, AUTH_RULE_CA_CERT, current);
-			return trustchain;
-		}
-		if (subject == current)
-		{
-			trustchain->add(trustchain, AUTH_RULE_SUBJECT_CERT, current);
-		}
-		else
-		{
-			trustchain->add(trustchain, AUTH_RULE_IM_CERT, current);
-		}
-		issuer = get_issuer_cert(this, current, FALSE);
-		if (!issuer || issuer->equals(issuer, current) ||
-			pathlen > X509_MAX_PATH_LEN)
-		{
-			DESTROY_IF(issuer);
-			break;
-		}
-		current = issuer;
-		pathlen++;
-	}
-	trustchain->destroy(trustchain);
-	return NULL;
-}
-
-/**
- * find a private key of a give certificate
- */
-static private_key_t *get_private_by_cert(private_credential_manager_t *this,
-										  certificate_t *cert, key_type_t type)
-{
-	private_key_t *private = NULL;
-	identification_t *keyid;
-	chunk_t chunk;
-	public_key_t *public;
-
-	public = cert->get_public_key(cert);
-	if (public)
-	{
-		if (public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1, &chunk))
-		{
-			keyid = identification_create_from_encoding(ID_KEY_ID, chunk);
-			private = get_private_by_keyid(this, type, keyid);
-			keyid->destroy(keyid);
-		}
-		public->destroy(public);
-	}
-	return private;
-}
-
-/**
- * Implementation of credential_manager_t.get_private.
- */
-static private_key_t *get_private(private_credential_manager_t *this,
-								  key_type_t type, identification_t *id,
-								  auth_cfg_t *auth)
-{
-	enumerator_t *enumerator;
-	certificate_t *cert;
-	private_key_t *private = NULL;
-	auth_cfg_t *trustchain;
-
-	/* check if this is a lookup by key ID, and do it if so */
-	if (id && id->get_type(id) == ID_KEY_ID)
-	{
-		private = get_private_by_keyid(this, type, id);
-		if (private)
-		{
-			return private;
-		}
-	}
-
-	/* if a specific certificate is preferred, check for a matching key */
-	cert = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
-	if (cert)
-	{
-		private = get_private_by_cert(this, cert, type);
-		if (private)
-		{
-			trustchain = build_trustchain(this, cert, auth);
-			if (trustchain)
-			{
-				auth->merge(auth, trustchain, FALSE);
-				trustchain->destroy(trustchain);
-			}
-			return private;
-		}
-	}
-
-	/* try to build a trust chain for each certificate found */
-	enumerator = create_cert_enumerator(this, CERT_ANY, type, id, FALSE);
-	while (enumerator->enumerate(enumerator, &cert))
-	{
-		private = get_private_by_cert(this, cert, type);
-		if (private)
-		{
-			trustchain = build_trustchain(this, cert, auth);
-			if (trustchain)
-			{
-				auth->merge(auth, trustchain, FALSE);
-				trustchain->destroy(trustchain);
-				break;
-			}
-			private->destroy(private);
-			private = NULL;
-		}
-	}
-	enumerator->destroy(enumerator);
-
-	/* if no valid trustchain was found, fall back to the first usable cert */
-	if (!private)
-	{
-		enumerator = create_cert_enumerator(this, CERT_ANY, type, id, FALSE);
-		while (enumerator->enumerate(enumerator, &cert))
-		{
-			private = get_private_by_cert(this, cert, type);
-			if (private)
-			{
-				auth->add(auth, AUTH_RULE_SUBJECT_CERT, cert->get_ref(cert));
-				break;
-			}
-		}
-		enumerator->destroy(enumerator);
-	}
-	return private;
-}
-
-/**
- * Implementation of credential_manager_t.flush_cache.
- */
-static void flush_cache(private_credential_manager_t *this,
-						certificate_type_t type)
-{
-	this->cache->flush(this->cache, type);
-}
-
-/**
- * Implementation of credential_manager_t.add_set.
- */
-static void add_set(private_credential_manager_t *this,
-							   credential_set_t *set)
-{
-	this->lock->write_lock(this->lock);
-	this->sets->insert_last(this->sets, set);
-	this->lock->unlock(this->lock);
-}
-
-/**
- * Implementation of credential_manager_t.remove_set.
- */
-static void remove_set(private_credential_manager_t *this, credential_set_t *set)
-{
-	this->lock->write_lock(this->lock);
-	this->sets->remove(this->sets, set, NULL);
-	this->lock->unlock(this->lock);
-}
-
-/**
- * Implementation of credential_manager_t.destroy
- */
-static void destroy(private_credential_manager_t *this)
-{
-	cache_queue(this);
-	this->cache_queue->destroy(this->cache_queue);
-	this->sets->remove(this->sets, this->cache, NULL);
-	this->sets->destroy(this->sets);
-	this->local_sets->destroy(this->local_sets);
-	this->cache->destroy(this->cache);
-	this->lock->destroy(this->lock);
-	this->queue_mutex->destroy(this->queue_mutex);
-	free(this);
-}
-
-/*
- * see header file
- */
-credential_manager_t *credential_manager_create()
-{
-	private_credential_manager_t *this = malloc_thing(private_credential_manager_t);
-
-	this->public.create_cert_enumerator = (enumerator_t *(*)(credential_manager_t *this,certificate_type_t cert, key_type_t key,identification_t *id,bool))create_cert_enumerator;
-	this->public.create_shared_enumerator = (enumerator_t *(*)(credential_manager_t *this, shared_key_type_t type,identification_t *me, identification_t *other))create_shared_enumerator;
-	this->public.create_cdp_enumerator = (enumerator_t *(*)(credential_manager_t*, certificate_type_t type, identification_t *id))create_cdp_enumerator;
-	this->public.get_cert = (certificate_t *(*)(credential_manager_t *this,certificate_type_t cert, key_type_t key,identification_t *, bool))get_cert;
-	this->public.get_shared = (shared_key_t *(*)(credential_manager_t *this,shared_key_type_t type,identification_t *me, identification_t *other))get_shared;
-	this->public.get_private = (private_key_t*(*)(credential_manager_t*, key_type_t type, identification_t *, auth_cfg_t*))get_private;
-	this->public.create_public_enumerator = (enumerator_t*(*)(credential_manager_t*, key_type_t type, identification_t *id, auth_cfg_t *aut))create_public_enumerator;
-	this->public.flush_cache = (void(*)(credential_manager_t*, certificate_type_t type))flush_cache;
-	this->public.cache_cert = (void(*)(credential_manager_t*, certificate_t *cert))cache_cert;
-	this->public.add_set = (void(*)(credential_manager_t*, credential_set_t *set))add_set;
-	this->public.remove_set = (void(*)(credential_manager_t*, credential_set_t *set))remove_set;
-	this->public.destroy = (void(*)(credential_manager_t*))destroy;
-
-	this->sets = linked_list_create();
-	this->local_sets = thread_value_create((thread_cleanup_t)this->sets->destroy);
-	this->cache = cert_cache_create();
-	this->cache_queue = linked_list_create();
-	this->sets->insert_first(this->sets, this->cache);
-	this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
-	this->queue_mutex = mutex_create(MUTEX_TYPE_DEFAULT);
-
-	return &this->public;
-}
-
diff --git a/src/charon/credentials/credential_manager.h b/src/charon/credentials/credential_manager.h
deleted file mode 100644
index 0448da992..000000000
--- a/src/charon/credentials/credential_manager.h
+++ /dev/null
@@ -1,203 +0,0 @@
-/*
- * Copyright (C) 2007-2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup credential_manager credential_manager
- * @{ @ingroup ccredentials
- */
-
-#ifndef CREDENTIAL_MANAGER_H_
-#define CREDENTIAL_MANAGER_H_
-
-#include <utils/identification.h>
-#include <utils/enumerator.h>
-#include <config/auth_cfg.h>
-#include <credentials/credential_set.h>
-#include <credentials/keys/private_key.h>
-#include <credentials/keys/shared_key.h>
-#include <credentials/certificates/certificate.h>
-
-typedef struct credential_manager_t credential_manager_t;
-
-/**
- * Manages credentials using credential_sets.
- *
- * The credential manager is the entry point of the credential framework. It
- * uses so called "sets" to access credentials in a modular fashion, these
- * are implemented through the credential_set_t interface.
- * The manager additionally does trust chain verification and trust status
- * chaching. A set may call the managers methods if it needs credentials itself,
- * the manager uses recursive locking.
- *
- * @verbatim
-
-  +-------+        +----------------+
-  |   A   |        |                |          +------------------+
-  |   u   | -----> |                | ------>  |  +------------------+
-  |   t   |        |   credential-  |          |  |  +------------------+
-  |   h   | -----> |     manager    | ------>  +--|  |   credential-    | => IPC
-  |   e   |        |                |             +--|       sets       |
-  |   n   |   +--> |                | ------>        +------------------+
-  |   t   |   |    |                |                        |
-  |   i   |   |    |                |                        |
-  |   c   |   |    +----------------+                        |
-  |   a   |   |                                              |
-  |   t   |   +----------------------------------------------+
-  |   o   |                    may be recursive
-  |   r   |
-  +-------+
-
-   @endverbatim
- *
- * The credential manager uses rwlocks for performance reasons, credential
- * sets must be fully thread save.
- */
-struct credential_manager_t {
-
-	/**
-	 * Create an enumerator over all certificates.
-	 *
-	 * @param cert		kind of certificate
-	 * @param key		kind of key in certificate
-	 * @param id		subject this certificate belongs to
-	 * @param trusted	TRUE to list trusted certificates only
-	 * @return			enumerator over the certificates
-	 */
-	enumerator_t *(*create_cert_enumerator)(credential_manager_t *this,
-								certificate_type_t cert, key_type_t key,
-								identification_t *id, bool trusted);
-	/**
-	 * Create an enumerator over all shared keys.
-	 *
-	 * The enumerator enumerates over:
-	 *  shared_key_t*, id_match_t me, id_match_t other
-	 * But must accepts values for the id_matches.
-	 *
-	 * @param type		kind of requested shared key
-	 * @param first		first subject between key is shared
-	 * @param second	second subject between key is shared
-	 * @return			enumerator over shared keys
-	 */
-	enumerator_t *(*create_shared_enumerator)(credential_manager_t *this,
-								shared_key_type_t type,
-								identification_t *first, identification_t *second);
-	/**
-	 * Create an enumerator over all Certificate Distribution Points.
-	 *
-	 * @param type		kind of certificate the point distributes
-	 * @param id		identification of the distributed certificate
-	 * @return			enumerator of CDPs as char*
-	 */
-	enumerator_t *(*create_cdp_enumerator)(credential_manager_t *this,
-								certificate_type_t type, identification_t *id);
-	/**
-	 * Get a trusted or untrusted certificate.
-	 *
-	 * @param cert		kind of certificate
-	 * @param key		kind of key in certificate
-	 * @param id		subject this certificate belongs to
-	 * @param trusted	TRUE to get a trusted certificate only
-	 * @return			certificate, if found, NULL otherwise
-	 */
-	certificate_t *(*get_cert)(credential_manager_t *this,
-							   certificate_type_t cert, key_type_t key,
-							   identification_t *id, bool trusted);
-	/**
-	 * Get the best matching shared key for two IDs.
-	 *
-	 * @param type		kind of requested shared key
-	 * @param me		own identity
-	 * @param other		peers identity
-	 * @return			shared_key_t, NULL if none found
-	 */
-	shared_key_t *(*get_shared)(credential_manager_t *this, shared_key_type_t type,
-								identification_t *me, identification_t *other);
-	/**
-	 * Get a private key to create a signature.
-	 *
-	 * The get_private() method gets a secret private key identified by either
-	 * the keyid itself or an id the key belongs to.
-	 * The auth parameter contains additional information, such as receipients
-	 * trusted CA certs. Auth gets filled with subject and CA certificates
-	 * needed to validate a created signature.
-	 *
-	 * @param type		type of the key to get
-	 * @param id		identification the key belongs to
-	 * @param auth		auth config, including trusted CA certificates
-	 * @return			private_key_t, NULL if none found
-	 */
-	private_key_t* (*get_private)(credential_manager_t *this, key_type_t type,
-								  identification_t *id, auth_cfg_t *auth);
-
-	/**
-	 * Create an enumerator over trusted public keys.
-	 *
-	 * This method gets a an enumerator over trusted public keys to verify a
-	 * signature created by id. The auth parameter contains additional
-	 * authentication infos, e.g. peer and intermediate certificates.
-	 * The resulting enumerator enumerates over public_key_t *, auth_cfg_t *,
-	 * where the auth config helper contains rules for constraint checks.
-	 *
-	 * @param type		type of the key to get
-	 * @param id		owner of the key, signer of the signature
-	 * @param auth		authentication infos
-	 * @return			enumerator
-	 */
-	enumerator_t* (*create_public_enumerator)(credential_manager_t *this,
-					key_type_t type, identification_t *id, auth_cfg_t *auth);
-
-	/**
-	 * Cache a certificate by invoking cache_cert() on all registerd sets.
-	 *
-	 * @param cert		certificate to cache
-	 */
-	void (*cache_cert)(credential_manager_t *this, certificate_t *cert);
-
-	/**
-	 * Flush the certificate cache.
-	 *
-	 * Only the managers local cache is flushed, but not the sets cache filled
-	 * by the cache_cert() method.
-	 *
-	 * @param type		type of certificate to flush, or CERT_ANY
-	 */
-	void (*flush_cache)(credential_manager_t *this, certificate_type_t type);
-
-	/**
-	 * Register a credential set to the manager.
-	 *
-	 * @param set		set to register
-	 */
-	void (*add_set)(credential_manager_t *this, credential_set_t *set);
-
-	/**
-	 * Unregister a credential set from the manager.
-	 *
-	 * @param set		set to unregister
-	 */
-	void (*remove_set)(credential_manager_t *this, credential_set_t *set);
-
-	/**
-	 * Destroy a credential_manager instance.
-	 */
-	void (*destroy)(credential_manager_t *this);
-};
-
-/**
- * Create a credential_manager instance.
- */
-credential_manager_t *credential_manager_create();
-
-#endif /** CREDENTIAL_MANAGER_H_ @}*/
diff --git a/src/charon/credentials/credential_set.h b/src/charon/credentials/credential_set.h
deleted file mode 100644
index 274eb3feb..000000000
--- a/src/charon/credentials/credential_set.h
+++ /dev/null
@@ -1,108 +0,0 @@
-/*
- * Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup credential_set credential_set
- * @{ @ingroup ccredentials
- */
-
-#ifndef CREDENTIAL_SET_H_
-#define CREDENTIAL_SET_H_
-
-#include <credentials/keys/public_key.h>
-#include <credentials/keys/shared_key.h>
-#include <credentials/certificates/certificate.h>
-
-typedef struct credential_set_t credential_set_t;
-
-/**
- * A set of credentials.
- *
- * Contains private keys, shared keys and different kinds of certificates.
- * Enumerators are used because queries might return multiple matches.
- * Filter parameters restrict enumeration over specific items only.
- * See credential_manager_t for an overview of the credential framework.
- *
- * A credential set enumerator may not block the credential set, i.e. multiple
- * threads must be able to hold multiple enumerators, as the credential manager
- * is higly parallelized. The best way to achieve this is by using shared
- * read locks for the enumerators only. Otherwiese deadlocks will occur.
- * The writing cache_cert() routine is called by the manager only if no
- * enumerator is alive, so it is save to use a write lock there.
- */
-struct credential_set_t {
-
-	/**
-	 * Create an enumerator over private keys (private_key_t).
-	 *
-	 * The id is either a key identifier of the requested key, or an identity
-	 * of the key owner.
-	 *
-	 * @param type		type of requested private key
-	 * @param id		key identifier/owner
-	 * @return			enumerator over private_key_t's.
-	 */
-	enumerator_t *(*create_private_enumerator)(credential_set_t *this,
-						key_type_t type, identification_t *id);
-	/**
-	 * Create an enumerator over certificates (certificate_t).
-	 *
-	 * @param cert		kind of certificate
-	 * @param key		kind of key in certificate
-	 * @param id		identity (subject) this certificate belongs to
-	 * @param trusted	whether the certificate must be trustworthy
-	 * @return			enumerator as described above
-	 */
-	enumerator_t *(*create_cert_enumerator)(credential_set_t *this,
-						certificate_type_t cert, key_type_t key,
-						identification_t *id, bool trusted);
-	/**
-	 * Create an enumerator over shared keys (shared_key_t).
-	 *
-	 * The enumerator enumerates over:
-	 *  shared_key_t*, id_match_t me, id_match_t other
-	 * But must accept NULL values for the id_matches.
-	 *
-	 * @param type		kind of requested shared key
-	 * @param me		own identity
-	 * @param other		other identity who owns that secret
-	 * @return			enumerator as described above
-	 */
-	enumerator_t *(*create_shared_enumerator)(credential_set_t *this,
-						shared_key_type_t type,
-						identification_t *me, identification_t *other);
-
-	/**
-	 * Create an enumerator over certificate distribution points.
-	 *
-	 * @param type		type of the certificate to get a CDP
-	 * @param id		identification of the distributed certificate
-	 * @return			an enumerator over CDPs as char*
-	 */
-	enumerator_t *(*create_cdp_enumerator)(credential_set_t *this,
-						certificate_type_t type, identification_t *id);
-
-	/**
-	 * Cache a certificate in the credential set.
-	 *
-	 * The caching policy is implementation dependent, the sets may cache the
-	 * certificate in-memory, persistent on disk or not at all.
-	 *
-	 * @param cert		certificate to cache
-	 */
-	void (*cache_cert)(credential_set_t *this, certificate_t *cert);
-};
-
-#endif /** CREDENTIAL_SET_H_ @}*/
diff --git a/src/charon/credentials/sets/auth_cfg_wrapper.c b/src/charon/credentials/sets/auth_cfg_wrapper.c
deleted file mode 100644
index 82e33d283..000000000
--- a/src/charon/credentials/sets/auth_cfg_wrapper.c
+++ /dev/null
@@ -1,223 +0,0 @@
-/*
- * Copyright (C) 2008-2009 Martin Willi
- * Copyright (C) 2008 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <daemon.h>
-
-#include "auth_cfg_wrapper.h"
-
-typedef struct private_auth_cfg_wrapper_t private_auth_cfg_wrapper_t;
-
-/**
- * private data of auth_cfg_wrapper
- */
-struct private_auth_cfg_wrapper_t {
-
-	/**
-	 * public functions
-	 */
-	auth_cfg_wrapper_t public;
-
-	/**
-	 * wrapped auth info
-	 */
-	auth_cfg_t *auth;
-};
-
-/**
- * enumerator for auth_cfg_wrapper_t.create_cert_enumerator()
- */
-typedef struct {
-	/** implements enumerator_t */
-	enumerator_t public;
-	/** inner enumerator from auth_cfg */
-	enumerator_t *inner;
-	/** wrapped auth round */
-	auth_cfg_t *auth;
-	/** enumerated cert type */
-	certificate_type_t cert;
-	/** enumerated key type */
-	key_type_t key;
-	/** enumerated id */
-	identification_t *id;
-} wrapper_enumerator_t;
-
-/**
- * Tries to fetch a certificate that was supplied as "Hash and URL"
- * (replaces rule type and value in place).
- */
-static bool fetch_cert(wrapper_enumerator_t *enumerator,
-					   auth_rule_t *rule, void **value)
-{
-	char *url = (char*)*value;
-	if (!url)
-	{
-		/* fetching the certificate previously failed */
-		return FALSE;
-	}
-
-	chunk_t data;
-	certificate_t *cert;
-
-	DBG1(DBG_CFG, "  fetching certificate from '%s' ...", url);
-	if (lib->fetcher->fetch(lib->fetcher, url, &data, FETCH_END) != SUCCESS)
-	{
-		DBG1(DBG_CFG, "  fetching certificate failed");
-		/* we set the item to NULL, so we can skip it */
-		enumerator->auth->replace(enumerator->auth, enumerator->inner,
-								  *rule, NULL);
-		return FALSE;
-	}
-
-	cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
-							  BUILD_BLOB_ASN1_DER, data, BUILD_END);
-	free(data.ptr);
-
-	if (!cert)
-	{
-		DBG1(DBG_CFG, "  parsing fetched certificate failed");
-		/* we set the item to NULL, so we can skip it */
-		enumerator->auth->replace(enumerator->auth, enumerator->inner,
-								  *rule, NULL);
-		return FALSE;
-	}
-
-	DBG1(DBG_CFG, "  fetched certificate \"%Y\"", cert->get_subject(cert));
-	charon->credentials->cache_cert(charon->credentials, cert);
-
-	if (*rule == AUTH_HELPER_IM_HASH_URL)
-	{
-		*rule = AUTH_HELPER_IM_CERT;
-	}
-	else
-	{
-		*rule = AUTH_HELPER_SUBJECT_CERT;
-	}
-	*value = cert;
-	enumerator->auth->replace(enumerator->auth, enumerator->inner,
-							  *rule, cert->get_ref(cert));
-	return TRUE;
-}
-
-/**
- * enumerate function for wrapper_enumerator_t
- */
-static bool enumerate(wrapper_enumerator_t *this, certificate_t **cert)
-{
-	auth_rule_t rule;
-	certificate_t *current;
-	public_key_t *public;
-
-	while (this->inner->enumerate(this->inner, &rule, &current))
-	{
-		if (rule == AUTH_HELPER_IM_HASH_URL ||
-			rule == AUTH_HELPER_SUBJECT_HASH_URL)
-		{	/* on-demand fetching of hash and url certificates */
-			if (!fetch_cert(this, &rule, (void**)&current))
-			{
-				continue;
-			}
-		}
-		else if (rule != AUTH_HELPER_SUBJECT_CERT &&
-				 rule != AUTH_HELPER_IM_CERT)
-		{	/* handle only HELPER certificates */
-			continue;
-		}
-		if (this->cert != CERT_ANY && this->cert != current->get_type(current))
-		{	/* CERT type requested, but does not match */
-			continue;
-		}
-		public = current->get_public_key(current);
-		if (this->key != KEY_ANY && !public)
-		{	/* key type requested, but no public key */
-			DESTROY_IF(public);
-			continue;
-		}
-		if (this->key != KEY_ANY && public && this->key != public->get_type(public))
-		{	/* key type requested, but public key has another type */
-			DESTROY_IF(public);
-			continue;
-		}
-		DESTROY_IF(public);
-		if (this->id && !current->has_subject(current, this->id))
-		{	/* subject requested, but does not match */
-			continue;
-		}
-		*cert = current;
-		return TRUE;
-	}
-	return FALSE;
-}
-
-/**
- * destroy function for wrapper_enumerator_t
- */
-static void wrapper_enumerator_destroy(wrapper_enumerator_t *this)
-{
-	this->inner->destroy(this->inner);
-	free(this);
-}
-
-/**
- * implementation of auth_cfg_wrapper_t.set.create_cert_enumerator
- */
-static enumerator_t *create_enumerator(private_auth_cfg_wrapper_t *this,
-									   certificate_type_t cert, key_type_t key,
-									   identification_t *id, bool trusted)
-{
-	wrapper_enumerator_t *enumerator;
-
-	if (trusted)
-	{
-		return NULL;
-	}
-	enumerator = malloc_thing(wrapper_enumerator_t);
-	enumerator->auth = this->auth;
-	enumerator->cert = cert;
-	enumerator->key = key;
-	enumerator->id = id;
-	enumerator->inner = this->auth->create_enumerator(this->auth);
-	enumerator->public.enumerate = (void*)enumerate;
-	enumerator->public.destroy = (void*)wrapper_enumerator_destroy;
-	return &enumerator->public;
-}
-
-/**
- * Implementation of auth_cfg_wrapper_t.destroy
- */
-static void destroy(private_auth_cfg_wrapper_t *this)
-{
-	free(this);
-}
-
-/*
- * see header file
- */
-auth_cfg_wrapper_t *auth_cfg_wrapper_create(auth_cfg_t *auth)
-{
-	private_auth_cfg_wrapper_t *this = malloc_thing(private_auth_cfg_wrapper_t);
-
-	this->public.set.create_private_enumerator = (void*)return_null;
-	this->public.set.create_cert_enumerator = (void*)create_enumerator;
-	this->public.set.create_shared_enumerator = (void*)return_null;
-	this->public.set.create_cdp_enumerator = (void*)return_null;
-	this->public.set.cache_cert = (void*)nop;
-	this->public.destroy = (void(*)(auth_cfg_wrapper_t*))destroy;
-
-	this->auth = auth;
-
-	return &this->public;
-}
-
diff --git a/src/charon/credentials/sets/auth_cfg_wrapper.h b/src/charon/credentials/sets/auth_cfg_wrapper.h
deleted file mode 100644
index 7653fcdbf..000000000
--- a/src/charon/credentials/sets/auth_cfg_wrapper.h
+++ /dev/null
@@ -1,53 +0,0 @@
-/*
- * Copyright (C) 2008-2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup auth_cfg_wrapper auth_cfg_wrapper
- * @{ @ingroup sets
- */
-
-#ifndef AUTH_CFG_WRAPPER_H_
-#define AUTH_CFG_WRAPPER_H_
-
-#include <config/auth_cfg.h>
-#include <credentials/credential_set.h>
-
-typedef struct auth_cfg_wrapper_t auth_cfg_wrapper_t;
-
-/**
- * A wrapper around auth_cfg_t to handle it as a credential set.
- */
-struct auth_cfg_wrapper_t {
-
-	/**
-	 * implements credential_set_t
-	 */
-	credential_set_t set;
-
-	/**
-	 * Destroy a auth_cfg_wrapper instance.
-	 */
-	void (*destroy)(auth_cfg_wrapper_t *this);
-};
-
-/**
- * Create a auth_cfg_wrapper instance.
- *
- * @param auth		the wrapped auth info
- * @return			wrapper around auth
- */
-auth_cfg_wrapper_t *auth_cfg_wrapper_create(auth_cfg_t *auth);
-
-#endif /** AUTH_CFG_WRAPPER_H_ @}*/
diff --git a/src/charon/credentials/sets/cert_cache.c b/src/charon/credentials/sets/cert_cache.c
deleted file mode 100644
index 176accce2..000000000
--- a/src/charon/credentials/sets/cert_cache.c
+++ /dev/null
@@ -1,390 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "cert_cache.h"
-
-#include <time.h>
-#include <sched.h>
-
-#include <daemon.h>
-#include <threading/rwlock.h>
-#include <utils/linked_list.h>
-
-/** cache size, a power of 2 for fast modulo */
-#define CACHE_SIZE 32
-
-/** attempts to acquire a cache lock */
-#define REPLACE_TRIES 5
-
-typedef struct private_cert_cache_t private_cert_cache_t;
-typedef struct relation_t relation_t;
-
-/**
- * A trusted relation between subject and issuer
- */
-struct relation_t {
-
-	/**
-	 * subject of this relation
-	 */
-	certificate_t *subject;
-
-	/**
-	 * issuer of this relation
-	 */
-	certificate_t *issuer;
-
-	/**
-	 * Cache hits
-	 */
-	u_int hits;
-
-	/**
-	 * Lock for this relation
-	 */
-	rwlock_t *lock;
-};
-
-/**
- * private data of cert_cache
- */
-struct private_cert_cache_t {
-
-	/**
-	 * public functions
-	 */
-	cert_cache_t public;
-
-	/**
-	 * array of trusted subject-issuer relations
-	 */
-	relation_t relations[CACHE_SIZE];
-};
-
-/**
- * Cache relation in a free slot/replace an other
- */
-static void cache(private_cert_cache_t *this,
-				  certificate_t *subject, certificate_t *issuer)
-{
-	relation_t *rel;
-	int i, offset, try;
-	u_int total_hits = 0;
-
-	/* check for a unused relation slot first */
-	for (i = 0; i < CACHE_SIZE; i++)
-	{
-		rel = &this->relations[i];
-
-		if (!rel->subject && rel->lock->try_write_lock(rel->lock))
-		{
-			/* double-check having lock */
-			if (!rel->subject)
-			{
-				rel->subject = subject->get_ref(subject);
-				rel->issuer = issuer->get_ref(issuer);
-				return rel->lock->unlock(rel->lock);
-			}
-			rel->lock->unlock(rel->lock);
-		}
-		total_hits += rel->hits;
-	}
-	/* run several attempts to replace a random slot, never block. */
-	for (try = 0; try < REPLACE_TRIES; try++)
-	{
-		/* replace a random relation */
-		offset = random();
-		for (i = 0; i < CACHE_SIZE; i++)
-		{
-			rel = &this->relations[(i + offset) % CACHE_SIZE];
-
-			if (rel->hits > total_hits / CACHE_SIZE)
-			{	/* skip often used slots */
-				continue;
-			}
-			if (rel->lock->try_write_lock(rel->lock))
-			{
-				if (rel->subject)
-				{
-					rel->subject->destroy(rel->subject);
-					rel->issuer->destroy(rel->issuer);
-				}
-				rel->subject = subject->get_ref(subject);
-				rel->issuer = issuer->get_ref(issuer);
-				rel->hits = 0;
-				return rel->lock->unlock(rel->lock);
-			}
-		}
-		/* give other threads a chance to release locks */
-		sched_yield();
-	}
-}
-
-/**
- * Implementation of cert_cache_t.issued_by.
- */
-static bool issued_by(private_cert_cache_t *this,
-					  certificate_t *subject, certificate_t *issuer)
-{
-	relation_t *found = NULL, *current;
-	int i;
-
-	for (i = 0; i < CACHE_SIZE; i++)
-	{
-		current = &this->relations[i];
-
-		current->lock->read_lock(current->lock);
-		if (current->subject)
-		{
-			/* check for equal issuer */
-			if (issuer->equals(issuer, current->issuer))
-			{
-				/* reuse issuer instance in cache() */
-				issuer = current->issuer;
-				if (subject->equals(subject, current->subject))
-				{
-					/* write hit counter is not locked, but not critical */
-					current->hits++;
-					found = current;
-				}
-			}
-		}
-		current->lock->unlock(current->lock);
-		if (found)
-		{
-			return TRUE;
-		}
-	}
-	/* no cache hit, check and cache signature */
-	if (subject->issued_by(subject, issuer))
-	{
-		cache(this, subject, issuer);
-		return TRUE;
-	}
-	return FALSE;
-}
-
-/**
- * certificate enumerator implemenation
- */
-typedef struct {
-	/** implements enumerator_t interface */
-	enumerator_t public;
-	/** type of requested certificate */
-	certificate_type_t cert;
-	/** type of requested key */
-	key_type_t key;
-	/** ID to get a cert for */
-	identification_t *id;
-	/** cache */
-	relation_t *relations;
-	/** current position in array cache */
-	int index;
-	/** currently locked relation */
-	int locked;
-} cert_enumerator_t;
-
-/**
- * filter function for certs enumerator
- */
-static bool cert_enumerate(cert_enumerator_t *this, certificate_t **out)
-{
-	public_key_t *public;
-	relation_t *rel;
-
-	if (this->locked >= 0)
-	{
-		rel = &this->relations[this->locked];
-		rel->lock->unlock(rel->lock);
-		this->locked = -1;
-	}
-
-	while (++this->index < CACHE_SIZE)
-	{
-		rel = &this->relations[this->index];
-		rel->lock->read_lock(rel->lock);
-		this->locked = this->index;
-		if (rel->subject)
-		{
-			/* CRL lookup is done using issuer/authkeyidentifier */
-			if (this->key == KEY_ANY && this->id &&
-				(this->cert == CERT_ANY || this->cert == CERT_X509_CRL) &&
-				rel->subject->get_type(rel->subject) == CERT_X509_CRL &&
-				rel->subject->has_issuer(rel->subject, this->id))
-			{
-				*out = rel->subject;
-				return TRUE;
-			}
-			if ((this->cert == CERT_ANY ||
-				 rel->subject->get_type(rel->subject) == this->cert) &&
-				(!this->id || rel->subject->has_subject(rel->subject, this->id)))
-			{
-				if (this->key == KEY_ANY)
-				{
-					*out = rel->subject;
-					return TRUE;
-				}
-				public = rel->subject->get_public_key(rel->subject);
-				if (public)
-				{
-					if (public->get_type(public) == this->key)
-					{
-						public->destroy(public);
-						*out = rel->subject;
-						return TRUE;
-					}
-					public->destroy(public);
-				}
-			}
-		}
-		this->locked = -1;
-		rel->lock->unlock(rel->lock);
-	}
-	return FALSE;
-}
-
-/**
- * clean up enumeration data
- */
-static void cert_enumerator_destroy(cert_enumerator_t *this)
-{
-	relation_t *rel;
-
-	if (this->locked >= 0)
-	{
-		rel = &this->relations[this->locked];
-		rel->lock->unlock(rel->lock);
-	}
-	free(this);
-}
-
-/**
- * implementation of credential_set_t.create_cert_enumerator
- */
-static enumerator_t *create_enumerator(private_cert_cache_t *this,
-									   certificate_type_t cert, key_type_t key,
-									   identification_t *id, bool trusted)
-{
-	cert_enumerator_t *enumerator;
-
-	if (trusted)
-	{
-		return NULL;
-	}
-	enumerator = malloc_thing(cert_enumerator_t);
-	enumerator->public.enumerate = (void*)cert_enumerate;
-	enumerator->public.destroy = (void*)cert_enumerator_destroy;
-	enumerator->cert = cert;
-	enumerator->key = key;
-	enumerator->id = id;
-	enumerator->relations = this->relations;
-	enumerator->index = -1;
-	enumerator->locked = -1;
-
-	return &enumerator->public;
-}
-
-/**
- * Implementation of cert_cache_t.flush.
- */
-static void flush(private_cert_cache_t *this, certificate_type_t type)
-{
-	relation_t *rel;
-	int i;
-
-	for (i = 0; i < CACHE_SIZE; i++)
-	{
-		rel = &this->relations[i];
-		if (!rel->subject)
-		{
-			continue;
-		}
-		/* check with cheap read lock first */
-		if (type != CERT_ANY)
-		{
-			rel->lock->read_lock(rel->lock);
-			if (!rel->subject || type != rel->subject->get_type(rel->subject))
-			{
-				rel->lock->unlock(rel->lock);
-				continue;
-			}
-			rel->lock->unlock(rel->lock);
-		}
-		/* double check in write lock */
-		rel->lock->write_lock(rel->lock);
-		if (rel->subject)
-		{
-			if (type == CERT_ANY || type == rel->subject->get_type(rel->subject))
-			{
-				rel->subject->destroy(rel->subject);
-				rel->issuer->destroy(rel->issuer);
-				rel->subject = NULL;
-				rel->issuer = NULL;
-				rel->hits = 0;
-			}
-		}
-		rel->lock->unlock(rel->lock);
-	}
-}
-
-/**
- * Implementation of cert_cache_t.destroy
- */
-static void destroy(private_cert_cache_t *this)
-{
-	relation_t *rel;
-	int i;
-
-	for (i = 0; i < CACHE_SIZE; i++)
-	{
-		rel = &this->relations[i];
-		if (rel->subject)
-		{
-			rel->subject->destroy(rel->subject);
-			rel->issuer->destroy(rel->issuer);
-		}
-		rel->lock->destroy(rel->lock);
-	}
-	free(this);
-}
-
-/*
- * see header file
- */
-cert_cache_t *cert_cache_create()
-{
-	private_cert_cache_t *this;
-	int i;
-
-	this = malloc_thing(private_cert_cache_t);
-	this->public.set.create_private_enumerator = (void*)return_null;
-	this->public.set.create_cert_enumerator = (void*)create_enumerator;
-	this->public.set.create_shared_enumerator = (void*)return_null;
-	this->public.set.create_cdp_enumerator = (void*)return_null;
-	this->public.set.cache_cert = (void*)nop;
-	this->public.issued_by = (bool(*)(cert_cache_t*, certificate_t *subject, certificate_t *issuer))issued_by;
-	this->public.flush = (void(*)(cert_cache_t*, certificate_type_t type))flush;
-	this->public.destroy = (void(*)(cert_cache_t*))destroy;
-
-	for (i = 0; i < CACHE_SIZE; i++)
-	{
-		this->relations[i].subject = NULL;
-		this->relations[i].issuer = NULL;
-		this->relations[i].hits = 0;
-		this->relations[i].lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
-	}
-	return &this->public;
-}
-
diff --git a/src/charon/credentials/sets/cert_cache.h b/src/charon/credentials/sets/cert_cache.h
deleted file mode 100644
index d2721866e..000000000
--- a/src/charon/credentials/sets/cert_cache.h
+++ /dev/null
@@ -1,71 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup cert_cache cert_cache
- * @{ @ingroup sets
- */
-
-#ifndef CERT_CACHE_H_
-#define CERT_CACHE_H_
-
-#include <credentials/credential_set.h>
-
-typedef struct cert_cache_t cert_cache_t;
-
-/**
- * Certificate signature verification and certificate cache.
- *
- * This cache serves all certificates seen in its issued_by method
- * and serves them as untrusted through the credential set interface. Further,
- * it caches valid subject-issuer relationships to speed up the issued_by
- * method.
- */
-struct cert_cache_t {
-
-	/**
-	 * Implements credential_set_t.
-	 */
-	credential_set_t set;
-
-	/**
-	 * Caching wrapper around certificate_t.issued_by.
-	 *
-	 * @param subject		certificate to verify
-	 * @param issuer		issuing certificate to verify subject
-	 * @return				TRUE if subject issued by issuer
-	 */
-	bool (*issued_by)(cert_cache_t *this,
-					  certificate_t *subject, certificate_t *issuer);
-
-	/**
-	 * Flush the certificate cache.
-	 *
-	 * @param type			type of certificate to flush, or CERT_ANY
-	 */
-	void (*flush)(cert_cache_t *this, certificate_type_t type);
-
-	/**
-	 * Destroy a cert_cache instance.
-	 */
-	void (*destroy)(cert_cache_t *this);
-};
-
-/**
- * Create a cert_cache instance.
- */
-cert_cache_t *cert_cache_create();
-
-#endif /** CERT_CACHE_H_ @}*/
diff --git a/src/charon/credentials/sets/ocsp_response_wrapper.c b/src/charon/credentials/sets/ocsp_response_wrapper.c
deleted file mode 100644
index 82079209a..000000000
--- a/src/charon/credentials/sets/ocsp_response_wrapper.c
+++ /dev/null
@@ -1,147 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "ocsp_response_wrapper.h"
-
-typedef struct private_ocsp_response_wrapper_t private_ocsp_response_wrapper_t;
-
-/**
- * private data of ocsp_response_wrapper
- */
-struct private_ocsp_response_wrapper_t {
-
-	/**
-	 * public functions
-	 */
-	ocsp_response_wrapper_t public;
-
-	/**
-	 * wrapped OCSP response
-	 */
-	ocsp_response_t *response;
-};
-
-/**
- * enumerator for ocsp_response_wrapper_t.create_cert_enumerator()
- */
-typedef struct {
-	/** implements enumerator_t */
-	enumerator_t public;
-	/** enumerator over ocsp response */
-	enumerator_t *inner;
-	/** type of cert */
-	certificate_type_t cert;
-	/** type of key */
-	key_type_t key;
-	/** filtering identity */
-	identification_t *id;
-} wrapper_enumerator_t;
-
-/**
- * enumerate function wrapper_enumerator_t
- */
-static bool enumerate(wrapper_enumerator_t *this, certificate_t **cert)
-{
-	certificate_t *current;
-	public_key_t *public;
-
-	while (this->inner->enumerate(this->inner, &current))
-	{
-		if (this->cert != CERT_ANY && this->cert != current->get_type(current))
-		{	/* CERT type requested, but does not match */
-			continue;
-		}
-		public = current->get_public_key(current);
-		if (this->key != KEY_ANY && !public)
-		{	/* key type requested, but no public key */
-			DESTROY_IF(public);
-			continue;
-		}
-		if (this->key != KEY_ANY && public && this->key != public->get_type(public))
-		{	/* key type requested, but public key has another type */
-			DESTROY_IF(public);
-			continue;
-		}
-		DESTROY_IF(public);
-		if (this->id && !current->has_subject(current, this->id))
-		{	/* subject requested, but does not match */
-			continue;
-		}
-		*cert = current;
-		return TRUE;
-	}
-	return FALSE;
-}
-
-/**
- * destroy function for wrapper_enumerator_t
- */
-static void enumerator_destroy(wrapper_enumerator_t *this)
-{
-	this->inner->destroy(this->inner);
-	free(this);
-}
-
-/**
- * implementation of ocsp_response_wrapper_t.set.create_cert_enumerator
- */
-static enumerator_t *create_enumerator(private_ocsp_response_wrapper_t *this,
-									   certificate_type_t cert, key_type_t key,
-									   identification_t *id, bool trusted)
-{
-	wrapper_enumerator_t *enumerator;
-
-	if (trusted)
-	{
-		return NULL;
-	}
-
-	enumerator = malloc_thing(wrapper_enumerator_t);
-	enumerator->cert = cert;
-	enumerator->key = key;
-	enumerator->id = id;
-	enumerator->inner = this->response->create_cert_enumerator(this->response);
-	enumerator->public.enumerate = (void*)enumerate;
-	enumerator->public.destroy = (void*)enumerator_destroy;
-	return &enumerator->public;
-}
-
-/**
- * Implementation of ocsp_response_wrapper_t.destroy
- */
-static void destroy(private_ocsp_response_wrapper_t *this)
-{
-	free(this);
-}
-
-/*
- * see header file
- */
-ocsp_response_wrapper_t *ocsp_response_wrapper_create(ocsp_response_t *response)
-{
-	private_ocsp_response_wrapper_t *this = malloc_thing(private_ocsp_response_wrapper_t);
-
-	this->public.set.create_private_enumerator = (void*)return_null;
-	this->public.set.create_cert_enumerator = (void*)create_enumerator;
-	this->public.set.create_shared_enumerator = (void*)return_null;
-	this->public.set.create_cdp_enumerator = (void*)return_null;
-	this->public.set.cache_cert = (void*)nop;
-	this->public.destroy = (void(*)(ocsp_response_wrapper_t*))destroy;
-
-	this->response = response;
-
-	return &this->public;
-}
-
diff --git a/src/charon/credentials/sets/ocsp_response_wrapper.h b/src/charon/credentials/sets/ocsp_response_wrapper.h
deleted file mode 100644
index dc4b451df..000000000
--- a/src/charon/credentials/sets/ocsp_response_wrapper.h
+++ /dev/null
@@ -1,53 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup ocsp_response_wrapper ocsp_response_wrapper
- * @{ @ingroup sets
- */
-
-#ifndef OCSP_RESPONSE_WRAPPER_H_
-#define OCSP_RESPONSE_WRAPPER_H_
-
-#include <credentials/credential_set.h>
-#include <credentials/certificates/ocsp_response.h>
-
-typedef struct ocsp_response_wrapper_t ocsp_response_wrapper_t;
-
-/**
- * A wrapper around ocsp_response_t to handle it like a credential set.
- */
-struct ocsp_response_wrapper_t {
-
-	/**
-	 * implements credential_set_t
-	 */
-	credential_set_t set;
-
-	/**
-	 * Destroy a ocsp_response_wrapper instance.
-	 */
-	void (*destroy)(ocsp_response_wrapper_t *this);
-};
-
-/**
- * Create a ocsp_response_wrapper instance.
- *
- * @param response	the wrapped OCSP response
- * @return			wrapper around response
- */
-ocsp_response_wrapper_t *ocsp_response_wrapper_create(ocsp_response_t *response);
-
-#endif /** OCSP_RESPONSE_WRAPPER_H_ @}*/
diff --git a/src/charon/daemon.c b/src/charon/daemon.c
deleted file mode 100644
index e71225fd1..000000000
--- a/src/charon/daemon.c
+++ /dev/null
@@ -1,807 +0,0 @@
-/*
- * Copyright (C) 2006-2009 Tobias Brunner
- * Copyright (C) 2005-2009 Martin Willi
- * Copyright (C) 2006 Daniel Roethlisberger
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <stdio.h>
-#ifdef HAVE_PRCTL
-#include <sys/prctl.h>
-#endif
-#define _POSIX_PTHREAD_SEMANTICS /* for two param sigwait on OpenSolaris */
-#include <signal.h>
-#undef _POSIX_PTHREAD_SEMANTICS
-#include <pthread.h>
-#include <sys/stat.h>
-#include <sys/types.h>
-#include <unistd.h>
-#include <time.h>
-#include <string.h>
-#include <getopt.h>
-#include <errno.h>
-#include <pwd.h>
-#include <grp.h>
-#ifdef CAPABILITIES
-#include <sys/capability.h>
-#endif /* CAPABILITIES */
-
-#include "daemon.h"
-
-#include <library.h>
-#include <utils/backtrace.h>
-#include <threading/thread.h>
-#include <selectors/traffic_selector.h>
-#include <config/proposal.h>
-
-#ifndef LOG_AUTHPRIV /* not defined on OpenSolaris */
-#define LOG_AUTHPRIV LOG_AUTH
-#endif
-
-typedef struct private_daemon_t private_daemon_t;
-
-/**
- * Private additions to daemon_t, contains threads and internal functions.
- */
-struct private_daemon_t {
-	/**
-	 * Public members of daemon_t.
-	 */
-	daemon_t public;
-
-	/**
-	 * Signal set used for signal handling.
-	 */
-	sigset_t signal_set;
-
-	/**
-	 * Reference to main thread.
-	 */
-	thread_t *main_thread;
-
-#ifdef CAPABILITIES
-	/**
-	 * capabilities to keep
-	 */
-	cap_t caps;
-#endif /* CAPABILITIES */
-};
-
-/**
- * One and only instance of the daemon.
- */
-daemon_t *charon;
-
-/**
- * hook in library for debugging messages
- */
-extern void (*dbg) (int level, char *fmt, ...);
-
-/**
- * Logging hook for library logs, spreads debug message over bus
- */
-static void dbg_bus(int level, char *fmt, ...)
-{
-	va_list args;
-
-	va_start(args, fmt);
-	charon->bus->vlog(charon->bus, DBG_LIB, level, fmt, args);
-	va_end(args);
-}
-
-/**
- * Logging hook for library logs, using stderr output
- */
-static void dbg_stderr(int level, char *fmt, ...)
-{
-	va_list args;
-
-	if (level <= 1)
-	{
-		va_start(args, fmt);
-		fprintf(stderr, "00[LIB] ");
-		vfprintf(stderr, fmt, args);
-		fprintf(stderr, "\n");
-		va_end(args);
-	}
-}
-
-/**
- * Run the daemon and handle unix signals
- */
-static void run(private_daemon_t *this)
-{
-	sigset_t set;
-
-	/* handle SIGINT, SIGHUP ans SIGTERM in this handler */
-	sigemptyset(&set);
-	sigaddset(&set, SIGINT);
-	sigaddset(&set, SIGHUP);
-	sigaddset(&set, SIGTERM);
-	sigprocmask(SIG_BLOCK, &set, NULL);
-
-	while (TRUE)
-	{
-		int sig;
-		int error;
-
-		error = sigwait(&set, &sig);
-		if (error)
-		{
-			DBG1(DBG_DMN, "error %d while waiting for a signal", error);
-			return;
-		}
-		switch (sig)
-		{
-			case SIGHUP:
-			{
-				DBG1(DBG_DMN, "signal of type SIGHUP received. Ignored");
-				break;
-			}
-			case SIGINT:
-			{
-				DBG1(DBG_DMN, "signal of type SIGINT received. Shutting down");
-				charon->bus->alert(charon->bus, ALERT_SHUTDOWN_SIGNAL, sig);
-				return;
-			}
-			case SIGTERM:
-			{
-				DBG1(DBG_DMN, "signal of type SIGTERM received. Shutting down");
-				charon->bus->alert(charon->bus, ALERT_SHUTDOWN_SIGNAL, sig);
-				return;
-			}
-			default:
-			{
-				DBG1(DBG_DMN, "unknown signal %d received. Ignored", sig);
-				break;
-			}
-		}
-	}
-}
-
-/**
- * Clean up all daemon resources
- */
-static void destroy(private_daemon_t *this)
-{
-	/* terminate all idle threads */
-	if (this->public.processor)
-	{
-		this->public.processor->set_threads(this->public.processor, 0);
-	}
-	/* close all IKE_SAs */
-	if (this->public.ike_sa_manager)
-	{
-		this->public.ike_sa_manager->flush(this->public.ike_sa_manager);
-	}
-	/* unload plugins to release threads */
-	lib->plugins->unload(lib->plugins);
-#ifdef CAPABILITIES
-	cap_free(this->caps);
-#endif /* CAPABILITIES */
-	DESTROY_IF(this->public.traps);
-	DESTROY_IF(this->public.ike_sa_manager);
-	DESTROY_IF(this->public.kernel_interface);
-	DESTROY_IF(this->public.scheduler);
-	DESTROY_IF(this->public.controller);
-	DESTROY_IF(this->public.eap);
-	DESTROY_IF(this->public.sim);
-#ifdef ME
-	DESTROY_IF(this->public.connect_manager);
-	DESTROY_IF(this->public.mediation_manager);
-#endif /* ME */
-	DESTROY_IF(this->public.backends);
-	DESTROY_IF(this->public.credentials);
-	DESTROY_IF(this->public.sender);
-	DESTROY_IF(this->public.receiver);
-	DESTROY_IF(this->public.socket);
-	/* wait until all threads are gone */
-	DESTROY_IF(this->public.processor);
-
-	/* rehook library logging, shutdown logging */
-	dbg = dbg_stderr;
-	DESTROY_IF(this->public.bus);
-	this->public.file_loggers->destroy_offset(this->public.file_loggers,
-											offsetof(file_logger_t, destroy));
-	this->public.sys_loggers->destroy_offset(this->public.sys_loggers,
-											offsetof(sys_logger_t, destroy));
-	free(this);
-}
-
-/**
- * Enforce daemon shutdown, with a given reason to do so.
- */
-static void kill_daemon(private_daemon_t *this, char *reason)
-{
-	/* we send SIGTERM, so the daemon can cleanly shut down */
-	if (this->public.bus)
-	{
-		DBG1(DBG_DMN, "killing daemon: %s", reason);
-	}
-	else
-	{
-		fprintf(stderr, "killing daemon: %s\n", reason);
-	}
-	if (this->main_thread == thread_current())
-	{
-		/* initialization failed, terminate daemon */
-		unlink(PID_FILE);
-		exit(-1);
-	}
-	else
-	{
-		DBG1(DBG_DMN, "sending SIGTERM to ourself");
-		this->main_thread->kill(this->main_thread, SIGTERM);
-		/* thread must die, since he produced a ciritcal failure and can't continue */
-		thread_exit(NULL);
-	}
-}
-
-/**
- * drop daemon capabilities
- */
-static void drop_capabilities(private_daemon_t *this)
-{
-#ifdef HAVE_PRCTL
-	prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0);
-#endif
-
-	if (setgid(charon->gid) != 0)
-	{
-		kill_daemon(this, "change to unprivileged group failed");
-	}
-	if (setuid(charon->uid) != 0)
-	{
-		kill_daemon(this, "change to unprivileged user failed");
-	}
-
-#ifdef CAPABILITIES
-	if (cap_set_proc(this->caps) != 0)
-	{
-		kill_daemon(this, "unable to drop daemon capabilities");
-	}
-#endif /* CAPABILITIES */
-}
-
-/**
- * Implementation of daemon_t.keep_cap
- */
-static void keep_cap(private_daemon_t *this, u_int cap)
-{
-#ifdef CAPABILITIES
-	cap_set_flag(this->caps, CAP_EFFECTIVE, 1, &cap, CAP_SET);
-	cap_set_flag(this->caps, CAP_INHERITABLE, 1, &cap, CAP_SET);
-	cap_set_flag(this->caps, CAP_PERMITTED, 1, &cap, CAP_SET);
-#endif /* CAPABILITIES */
-}
-
-/**
- * lookup UID and GID
- */
-static void lookup_uid_gid(private_daemon_t *this)
-{
-#ifdef IPSEC_USER
-	{
-		char buf[1024];
-		struct passwd passwd, *pwp;
-
-		if (getpwnam_r(IPSEC_USER, &passwd, buf, sizeof(buf), &pwp) != 0 ||
-			pwp == NULL)
-		{
-			kill_daemon(this, "resolving user '"IPSEC_USER"' failed");
-		}
-		charon->uid = pwp->pw_uid;
-	}
-#endif
-#ifdef IPSEC_GROUP
-	{
-		char buf[1024];
-		struct group group, *grp;
-
-		if (getgrnam_r(IPSEC_GROUP, &group, buf, sizeof(buf), &grp) != 0 ||
-			grp == NULL)
-		{
-			kill_daemon(this, "resolving group '"IPSEC_GROUP"' failed");
-		}
-		charon->gid = grp->gr_gid;
-	}
-#endif
-}
-
-/**
- * Log loaded plugins
- */
-static void print_plugins()
-{
-	char buf[512], *plugin;
-	int len = 0;
-	enumerator_t *enumerator;
-
-	buf[0] = '\0';
-	enumerator = lib->plugins->create_plugin_enumerator(lib->plugins);
-	while (len < sizeof(buf) && enumerator->enumerate(enumerator, &plugin))
-	{
-		len += snprintf(&buf[len], sizeof(buf)-len, "%s ", plugin);
-	}
-	enumerator->destroy(enumerator);
-	DBG1(DBG_DMN, "loaded plugins: %s", buf);
-}
-
-/**
- * Initialize logging
- */
-static void initialize_loggers(private_daemon_t *this, bool use_stderr,
-							   level_t levels[])
-{
-	sys_logger_t *sys_logger;
-	file_logger_t *file_logger;
-	enumerator_t *enumerator;
-	char *facility, *filename;
-	int loggers_defined = 0;
-	debug_t group;
-	level_t  def;
-	bool append;
-	FILE *file;
-
-	/* setup sysloggers */
-	enumerator = lib->settings->create_section_enumerator(lib->settings,
-														  "charon.syslog");
-	while (enumerator->enumerate(enumerator, &facility))
-	{
-		loggers_defined++;
-		if (streq(facility, "daemon"))
-		{
-			sys_logger = sys_logger_create(LOG_DAEMON);
-		}
-		else if (streq(facility, "auth"))
-		{
-			sys_logger = sys_logger_create(LOG_AUTHPRIV);
-		}
-		else
-		{
-			continue;
-		}
-		def = lib->settings->get_int(lib->settings,
-									 "charon.syslog.%s.default", 1, facility);
-		for (group = 0; group < DBG_MAX; group++)
-		{
-			sys_logger->set_level(sys_logger, group,
-				lib->settings->get_int(lib->settings,
-									   "charon.syslog.%s.%N", def,
-									   facility, debug_lower_names, group));
-		}
-		this->public.sys_loggers->insert_last(this->public.sys_loggers,
-											  sys_logger);
-		this->public.bus->add_listener(this->public.bus, &sys_logger->listener);
-	}
-	enumerator->destroy(enumerator);
-
-	/* and file loggers */
-	enumerator = lib->settings->create_section_enumerator(lib->settings,
-														  "charon.filelog");
-	while (enumerator->enumerate(enumerator, &filename))
-	{
-		loggers_defined++;
-		if (streq(filename, "stderr"))
-		{
-			file = stderr;
-		}
-		else if (streq(filename, "stdout"))
-		{
-			file = stdout;
-		}
-		else
-		{
-			append = lib->settings->get_bool(lib->settings,
-									"charon.filelog.%s.append", TRUE, filename);
-			file = fopen(filename, append ? "a" : "w");
-			if (file == NULL)
-			{
-				DBG1(DBG_DMN, "opening file %s for logging failed: %s",
-					 filename, strerror(errno));
-				continue;
-			}
-		}
-		file_logger = file_logger_create(file);
-		def = lib->settings->get_int(lib->settings,
-									 "charon.filelog.%s.default", 1, filename);
-		for (group = 0; group < DBG_MAX; group++)
-		{
-			file_logger->set_level(file_logger, group,
-				lib->settings->get_int(lib->settings,
-									   "charon.filelog.%s.%N", def,
-									   filename, debug_lower_names, group));
-		}
-		this->public.file_loggers->insert_last(this->public.file_loggers,
-											   file_logger);
-		this->public.bus->add_listener(this->public.bus, &file_logger->listener);
-
-	}
-	enumerator->destroy(enumerator);
-
-	/* set up legacy style default loggers provided via command-line */
-	if (!loggers_defined)
-	{
-		/* set up default stdout file_logger */
-		file_logger = file_logger_create(stdout);
-		this->public.bus->add_listener(this->public.bus, &file_logger->listener);
-		this->public.file_loggers->insert_last(this->public.file_loggers,
-											   file_logger);
-		/* set up default daemon sys_logger */
-		sys_logger = sys_logger_create(LOG_DAEMON);
-		this->public.bus->add_listener(this->public.bus, &sys_logger->listener);
-		this->public.sys_loggers->insert_last(this->public.sys_loggers,
-											  sys_logger);
-		for (group = 0; group < DBG_MAX; group++)
-		{
-			sys_logger->set_level(sys_logger, group, levels[group]);
-			if (use_stderr)
-			{
-				file_logger->set_level(file_logger, group, levels[group]);
-			}
-		}
-
-		/* set up default auth sys_logger */
-		sys_logger = sys_logger_create(LOG_AUTHPRIV);
-		this->public.bus->add_listener(this->public.bus, &sys_logger->listener);
-		this->public.sys_loggers->insert_last(this->public.sys_loggers,
-											  sys_logger);
-		sys_logger->set_level(sys_logger, DBG_ANY, LEVEL_AUDIT);
-	}
-}
-
-/**
- * Initialize the daemon
- */
-static bool initialize(private_daemon_t *this, bool syslog, level_t levels[])
-{
-	/* for uncritical pseudo random numbers */
-	srandom(time(NULL) + getpid());
-
-	/* setup bus and it's listeners first to enable log output */
-	this->public.bus = bus_create();
-	/* set up hook to log dbg message in library via charons message bus */
-	dbg = dbg_bus;
-
-	initialize_loggers(this, !syslog, levels);
-
-	DBG1(DBG_DMN, "Starting IKEv2 charon daemon (strongSwan "VERSION")");
-
-	if (lib->integrity)
-	{
-		DBG1(DBG_DMN, "integrity tests enabled:");
-		DBG1(DBG_DMN, "lib    'libstrongswan': passed file and segment integrity tests");
-		DBG1(DBG_DMN, "daemon 'charon': passed file integrity test");
-	}
-
-	/* load secrets, ca certificates and crls */
-	this->public.processor = processor_create();
-	this->public.scheduler = scheduler_create();
-	this->public.credentials = credential_manager_create();
-	this->public.controller = controller_create();
-	this->public.eap = eap_manager_create();
-	this->public.sim = sim_manager_create();
-	this->public.backends = backend_manager_create();
-	this->public.kernel_interface = kernel_interface_create();
-	this->public.socket = socket_create();
-	this->public.traps = trap_manager_create();
-
-	/* load plugins, further infrastructure may need it */
-	if (!lib->plugins->load(lib->plugins, NULL,
-			lib->settings->get_str(lib->settings, "charon.load", PLUGINS)))
-	{
-		return FALSE;
-	}
-
-	print_plugins();
-
-	this->public.ike_sa_manager = ike_sa_manager_create();
-	if (this->public.ike_sa_manager == NULL)
-	{
-		return FALSE;
-	}
-	this->public.sender = sender_create();
-	this->public.receiver = receiver_create();
-	if (this->public.receiver == NULL)
-	{
-		return FALSE;
-	}
-
-#ifdef ME
-	this->public.connect_manager = connect_manager_create();
-	if (this->public.connect_manager == NULL)
-	{
-		return FALSE;
-	}
-	this->public.mediation_manager = mediation_manager_create();
-#endif /* ME */
-
-	return TRUE;
-}
-
-/**
- * Handle SIGSEGV/SIGILL signals raised by threads
- */
-static void segv_handler(int signal)
-{
-	backtrace_t *backtrace;
-
-	DBG1(DBG_DMN, "thread %u received %d", thread_current_id(), signal);
-	backtrace = backtrace_create(2);
-	backtrace->log(backtrace, stderr);
-	backtrace->destroy(backtrace);
-
-	DBG1(DBG_DMN, "killing ourself, received critical signal");
-	abort();
-}
-
-/**
- * Create the daemon.
- */
-private_daemon_t *daemon_create(void)
-{
-	struct sigaction action;
-	private_daemon_t *this = malloc_thing(private_daemon_t);
-
-	/* assign methods */
-	this->public.kill = (void (*) (daemon_t*,char*))kill_daemon;
-	this->public.keep_cap = (void(*)(daemon_t*, u_int cap))keep_cap;
-
-	/* NULL members for clean destruction */
-	this->public.socket = NULL;
-	this->public.ike_sa_manager = NULL;
-	this->public.traps = NULL;
-	this->public.credentials = NULL;
-	this->public.backends = NULL;
-	this->public.sender= NULL;
-	this->public.receiver = NULL;
-	this->public.scheduler = NULL;
-	this->public.kernel_interface = NULL;
-	this->public.processor = NULL;
-	this->public.controller = NULL;
-	this->public.eap = NULL;
-	this->public.sim = NULL;
-	this->public.bus = NULL;
-	this->public.file_loggers = linked_list_create();
-	this->public.sys_loggers = linked_list_create();
-#ifdef ME
-	this->public.connect_manager = NULL;
-	this->public.mediation_manager = NULL;
-#endif /* ME */
-	this->public.uid = 0;
-	this->public.gid = 0;
-
-	this->main_thread = thread_current();
-#ifdef CAPABILITIES
-	this->caps = cap_init();
-	keep_cap(this, CAP_NET_ADMIN);
-	if (lib->leak_detective)
-	{
-		keep_cap(this, CAP_SYS_NICE);
-	}
-#endif /* CAPABILITIES */
-
-	/* add handler for SEGV and ILL,
-	 * INT, TERM and HUP are handled by sigwait() in run() */
-	action.sa_handler = segv_handler;
-	action.sa_flags = 0;
-	sigemptyset(&action.sa_mask);
-	sigaddset(&action.sa_mask, SIGINT);
-	sigaddset(&action.sa_mask, SIGTERM);
-	sigaddset(&action.sa_mask, SIGHUP);
-	sigaction(SIGSEGV, &action, NULL);
-	sigaction(SIGILL, &action, NULL);
-	sigaction(SIGBUS, &action, NULL);
-	action.sa_handler = SIG_IGN;
-	sigaction(SIGPIPE, &action, NULL);
-
-	pthread_sigmask(SIG_SETMASK, &action.sa_mask, NULL);
-
-	return this;
-}
-
-/**
- * Check/create PID file, return TRUE if already running
- */
-static bool check_pidfile()
-{
-	struct stat stb;
-	FILE *file;
-
-	if (stat(PID_FILE, &stb) == 0)
-	{
-		file = fopen(PID_FILE, "r");
-		if (file)
-		{
-			char buf[64];
-			pid_t pid = 0;
-
-			memset(buf, 0, sizeof(buf));
-			if (fread(buf, 1, sizeof(buf), file))
-			{
-				pid = atoi(buf);
-			}
-			fclose(file);
-			if (pid && kill(pid, 0) == 0)
-			{	/* such a process is running */
-				return TRUE;
-			}
-		}
-		DBG1(DBG_DMN, "removing pidfile '"PID_FILE"', process not running");
-		unlink(PID_FILE);
-	}
-
-	/* create new pidfile */
-	file = fopen(PID_FILE, "w");
-	if (file)
-	{
-		fprintf(file, "%d\n", getpid());
-		ignore_result(fchown(fileno(file), charon->uid, charon->gid));
-		fclose(file);
-	}
-	return FALSE;
-}
-
-/**
- * print command line usage and exit
- */
-static void usage(const char *msg)
-{
-	if (msg != NULL && *msg != '\0')
-	{
-		fprintf(stderr, "%s\n", msg);
-	}
-	fprintf(stderr, "Usage: charon\n"
-					"         [--help]\n"
-					"         [--version]\n"
-					"         [--use-syslog]\n"
-					"         [--debug-<type> <level>]\n"
-					"           <type>:  log context type (dmn|mgr|ike|chd|job|cfg|knl|net|enc|lib)\n"
-					"           <level>: log verbosity (-1 = silent, 0 = audit, 1 = control,\n"
-					"                                    2 = controlmore, 3 = raw, 4 = private)\n"
-					"\n"
-		   );
-	exit(msg == NULL? 0 : 1);
-}
-
-/**
- * Main function, manages the daemon.
- */
-int main(int argc, char *argv[])
-{
-	bool use_syslog = FALSE;
-	private_daemon_t *private_charon;
-	level_t levels[DBG_MAX];
-	int group;
-
-	/* logging for library during initialization, as we have no bus yet */
-	dbg = dbg_stderr;
-
-	/* initialize library */
-	if (!library_init(NULL))
-	{
-		library_deinit();
-		exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
-	}
-
-	if (lib->integrity &&
-		!lib->integrity->check_file(lib->integrity, "charon", argv[0]))
-	{
-		dbg_stderr(1, "integrity check of charon failed");
-		library_deinit();
-		exit(SS_RC_DAEMON_INTEGRITY);
-	}
-
-	lib->printf_hook->add_handler(lib->printf_hook, 'R',
-								  traffic_selector_printf_hook,
-								  PRINTF_HOOK_ARGTYPE_POINTER,
-								  PRINTF_HOOK_ARGTYPE_END);
-	lib->printf_hook->add_handler(lib->printf_hook, 'P',
-								  proposal_printf_hook,
-								  PRINTF_HOOK_ARGTYPE_POINTER,
-								  PRINTF_HOOK_ARGTYPE_END);
-	private_charon = daemon_create();
-	charon = (daemon_t*)private_charon;
-
-	lookup_uid_gid(private_charon);
-
-	/* use CTRL loglevel for default */
-	for (group = 0; group < DBG_MAX; group++)
-	{
-		levels[group] = LEVEL_CTRL;
-	}
-
-	/* handle arguments */
-	for (;;)
-	{
-		struct option long_opts[] = {
-			{ "help", no_argument, NULL, 'h' },
-			{ "version", no_argument, NULL, 'v' },
-			{ "use-syslog", no_argument, NULL, 'l' },
-			/* TODO: handle "debug-all" */
-			{ "debug-dmn", required_argument, &group, DBG_DMN },
-			{ "debug-mgr", required_argument, &group, DBG_MGR },
-			{ "debug-ike", required_argument, &group, DBG_IKE },
-			{ "debug-chd", required_argument, &group, DBG_CHD },
-			{ "debug-job", required_argument, &group, DBG_JOB },
-			{ "debug-cfg", required_argument, &group, DBG_CFG },
-			{ "debug-knl", required_argument, &group, DBG_KNL },
-			{ "debug-net", required_argument, &group, DBG_NET },
-			{ "debug-enc", required_argument, &group, DBG_ENC },
-			{ "debug-lib", required_argument, &group, DBG_LIB },
-			{ 0,0,0,0 }
-		};
-
-		int c = getopt_long(argc, argv, "", long_opts, NULL);
-		switch (c)
-		{
-			case EOF:
-				break;
-			case 'h':
-				usage(NULL);
-				break;
-			case 'v':
-				printf("Linux strongSwan %s\n", VERSION);
-				exit(0);
-			case 'l':
-				use_syslog = TRUE;
-				continue;
-			case 0:
-				/* option is in group */
-				levels[group] = atoi(optarg);
-				continue;
-			default:
-				usage("");
-				break;
-		}
-		break;
-	}
-
-	/* initialize daemon */
-	if (!initialize(private_charon, use_syslog, levels))
-	{
-		DBG1(DBG_DMN, "initialization failed - aborting charon");
-		destroy(private_charon);
-		library_deinit();
-		exit(SS_RC_INITIALIZATION_FAILED);
-	}
-
-	if (check_pidfile())
-	{
-		DBG1(DBG_DMN, "charon already running (\""PID_FILE"\" exists)");
-		destroy(private_charon);
-		library_deinit();
-		exit(-1);
-	}
-
-	/* drop the capabilities we won't need */
-	drop_capabilities(private_charon);
-
-	/* start the engine, go multithreaded */
-	charon->processor->set_threads(charon->processor,
-						lib->settings->get_int(lib->settings, "charon.threads",
-											   DEFAULT_THREADS));
-
-	/* run daemon */
-	run(private_charon);
-
-	/* normal termination, cleanup and exit */
-	destroy(private_charon);
-	unlink(PID_FILE);
-
-	library_deinit();
-
-	return 0;
-}
-
diff --git a/src/charon/daemon.h b/src/charon/daemon.h
deleted file mode 100644
index cb5946d5d..000000000
--- a/src/charon/daemon.h
+++ /dev/null
@@ -1,326 +0,0 @@
-/*
- * Copyright (C) 2006-2007 Tobias Brunner
- * Copyright (C) 2005-2009 Martin Willi
- * Copyright (C) 2006 Daniel Roethlisberger
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup charon charon
- *
- * @defgroup bus bus
- * @ingroup charon
- *
- * @defgroup listeners listeners
- * @ingroup bus
- *
- * @defgroup config config
- * @ingroup charon
- *
- * @defgroup attributes attributes
- * @ingroup config
- *
- * @defgroup control control
- * @ingroup charon
- *
- * @defgroup ccredentials credentials
- * @ingroup charon
- *
- * @defgroup sets sets
- * @ingroup ccredentials
- *
- * @defgroup encoding encoding
- * @ingroup charon
- *
- * @defgroup payloads payloads
- * @ingroup encoding
- *
- * @defgroup kernel kernel
- * @ingroup charon
- *
- * @defgroup network network
- * @ingroup charon
- *
- * @defgroup cplugins plugins
- * @ingroup charon
- *
- * @defgroup processing processing
- * @ingroup charon
- *
- * @defgroup jobs jobs
- * @ingroup processing
- *
- * @defgroup sa sa
- * @ingroup charon
- *
- * @defgroup authenticators authenticators
- * @ingroup sa
- *
- * @defgroup eap eap
- * @ingroup authenticators
- *
- * @defgroup tasks tasks
- * @ingroup sa
- *
- * @addtogroup charon
- * @{
- *
- * IKEv2 keying daemon.
- *
- * All IKEv2 stuff is handled in charon. It uses a newer and more flexible
- * architecture than pluto. Charon uses a thread-pool (called processor),
- * which allows parallel execution SA-management. All threads originate
- * from the processor. Work is delegated to the processor by queueing jobs
- * to it.
-   @verbatim
-
-      +---------------------------------+       +----------------------------+
-      |           controller            |       |          config            |
-      +---------------------------------+       +----------------------------+
-               |      |      |                           ^     ^    ^
-               V      V      V                           |     |    |
-
-       +----------+  +-----------+   +------+            +----------+    +----+
-       | receiver |  |           |   |      |  +------+  | CHILD_SA |    | K  |
-       +---+------+  | Scheduler |   | IKE- |  | IKE- |--+----------+    | e  |
-           |         |           |   | SA   |--| SA   |  | CHILD_SA |    | r  |
-    +------+---+     +-----------+   |      |  +------+  +----------+    | n  |
- <->|  socket  |           |         | Man- |                            | e  |
-    +------+---+     +-----------+   | ager |  +------+  +----------+    | l  |
-           |         |           |   |      |  | IKE- |--| CHILD_SA |    | -  |
-       +---+------+  | Processor |---|      |--| SA   |  +----------+    | I  |
-       |  sender  |  |           |   |      |  +------+                  | f  |
-       +----------+  +-----------+   +------+                            +----+
-
-               |      |      |                        |      |      |
-               V      V      V                        V      V      V
-      +---------------------------------+       +----------------------------+
-      |               Bus               |       |         credentials        |
-      +---------------------------------+       +----------------------------+
-
-   @endverbatim
- * The scheduler is responsible to execute timed events. Jobs may be queued to
- * the scheduler to get executed at a defined time (e.g. rekeying). The
- * scheduler does not execute the jobs itself, it queues them to the processor.
- *
- * The IKE_SA manager managers all IKE_SA. It further handles the
- * synchronization:
- * Each IKE_SA must be checked out strictly and checked in again after use. The
- * manager guarantees that only one thread may check out a single IKE_SA. This
- * allows us to write the (complex) IKE_SAs routines non-threadsave.
- * The IKE_SA contain the state and the logic of each IKE_SA and handle the
- * messages.
- *
- * The CHILD_SA contains state about a IPsec security association and manages
- * them. An IKE_SA may have multiple CHILD_SAs. Communication to the kernel
- * takes place here through the kernel interface.
- *
- * The kernel interface installs IPsec security associations, policies, routes
- * and virtual addresses. It further provides methods to enumerate interfaces
- * and may notify the daemon about state changes at lower layers.
- *
- * The bus receives signals from the different threads and relays them to
- * interested listeners. Debugging signals, but also important state changes or
- * error messages are sent over the bus.
- * Its listeners are not only for logging, but also to track the state of an
- * IKE_SA.
- *
- * The controller, credential_manager, bus and backend_manager (config) are
- * places where a plugin ca register itself to privide information or observe
- * and control the daemon.
- */
-
-#ifndef DAEMON_H_
-#define DAEMON_H_
-
-typedef struct daemon_t daemon_t;
-
-#include <network/sender.h>
-#include <network/receiver.h>
-#include <network/socket.h>
-#include <processing/scheduler.h>
-#include <processing/processor.h>
-#include <kernel/kernel_interface.h>
-#include <control/controller.h>
-#include <bus/bus.h>
-#include <bus/listeners/file_logger.h>
-#include <bus/listeners/sys_logger.h>
-#include <sa/ike_sa_manager.h>
-#include <sa/trap_manager.h>
-#include <config/backend_manager.h>
-#include <credentials/credential_manager.h>
-#include <sa/authenticators/eap/eap_manager.h>
-#include <sa/authenticators/eap/sim_manager.h>
-
-#ifdef ME
-#include <sa/connect_manager.h>
-#include <sa/mediation_manager.h>
-#endif /* ME */
-
-/**
- * Name of the daemon.
- */
-#define DAEMON_NAME "charon"
-
-/**
- * Number of threads in the thread pool, if not specified in config.
- */
-#define DEFAULT_THREADS 16
-
-/**
- * UDP Port on which the daemon will listen for incoming traffic.
- */
-#define IKEV2_UDP_PORT 500
-
-/**
- * UDP Port to which the daemon will float to if NAT is detected.
- */
-#define IKEV2_NATT_PORT 4500
-
-/**
- * PID file, in which charon stores its process id
- */
-#define PID_FILE IPSEC_PIDDIR "/charon.pid"
-
-
-/**
- * Main class of daemon, contains some globals.
- */
-struct daemon_t {
-
-	/**
-	 * A socket_t instance.
-	 */
-	socket_t *socket;
-
-	/**
-	 * A ike_sa_manager_t instance.
-	 */
-	ike_sa_manager_t *ike_sa_manager;
-
-	/**
-	 * Manager for triggering policies, called traps
-	 */
-	trap_manager_t *traps;
-
-	/**
-	 * Manager for the different configuration backends.
-	 */
-	backend_manager_t *backends;
-
-	/**
-	 * Manager for the credential backends
-	 */
-	credential_manager_t *credentials;
-
-	/**
-	 * The Sender-Thread.
-	 */
-	sender_t *sender;
-
-	/**
-	 * The Receiver-Thread.
-	 */
-	receiver_t *receiver;
-
-	/**
-	 * The Scheduler-Thread.
-	 */
-	scheduler_t *scheduler;
-
-	/**
-	 * Job processing using a thread pool.
-	 */
-	processor_t *processor;
-
-	/**
-	 * The signaling bus.
-	 */
-	bus_t *bus;
-
-	/**
-	 * A list of installed file_logger_t's
-	 */
-	linked_list_t *file_loggers;
-
-	/**
-	 * A list of installed sys_logger_t's
-	 */
-	linked_list_t *sys_loggers;
-
-	/**
-	 * Kernel Interface to communicate with kernel
-	 */
-	kernel_interface_t *kernel_interface;
-
-	/**
-	 * Controller to control the daemon
-	 */
-	controller_t *controller;
-
-	/**
-	 * EAP manager to maintain registered EAP methods
-	 */
-	eap_manager_t *eap;
-
-	/**
-	 * SIM manager to maintain (U)SIM cards/providers
-	 */
-	sim_manager_t *sim;
-
-#ifdef ME
-	/**
-	 * Connect manager
-	 */
-	connect_manager_t *connect_manager;
-
-	/**
-	 * Mediation manager
-	 */
-	mediation_manager_t *mediation_manager;
-#endif /* ME */
-
-	/**
-	 * User ID the daemon will user after initialization
-	 */
-	uid_t uid;
-
-	/**
-	 * Group ID the daemon will use after initialization
-	 */
-	gid_t gid;
-
-	/**
-	 * Do not drop a given capability after initialization.
-	 *
-	 * Some plugins might need additional capabilites. They tell the daemon
-	 * during plugin initialization which one they need, the daemon won't
-	 * drop these.
-	 */
-	void (*keep_cap)(daemon_t *this, u_int cap);
-
-	/**
-	 * Shut down the daemon.
-	 *
-	 * @param reason		describtion why it will be killed
-	 */
-	void (*kill) (daemon_t *this, char *reason);
-};
-
-/**
- * The one and only instance of the daemon.
- */
-extern daemon_t *charon;
-
-#endif /** DAEMON_H_ @}*/
diff --git a/src/charon/encoding/generator.c b/src/charon/encoding/generator.c
deleted file mode 100644
index 6485da492..000000000
--- a/src/charon/encoding/generator.c
+++ /dev/null
@@ -1,888 +0,0 @@
-/*
- * Copyright (C) 2005-2009 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <stdlib.h>
-#include <string.h>
-#include <arpa/inet.h>
-#include <stdio.h>
-
-#include "generator.h"
-
-#include <library.h>
-#include <daemon.h>
-#include <utils/linked_list.h>
-#include <encoding/payloads/payload.h>
-#include <encoding/payloads/proposal_substructure.h>
-#include <encoding/payloads/transform_substructure.h>
-#include <encoding/payloads/sa_payload.h>
-#include <encoding/payloads/ke_payload.h>
-#include <encoding/payloads/notify_payload.h>
-#include <encoding/payloads/nonce_payload.h>
-#include <encoding/payloads/id_payload.h>
-#include <encoding/payloads/auth_payload.h>
-#include <encoding/payloads/cert_payload.h>
-#include <encoding/payloads/certreq_payload.h>
-#include <encoding/payloads/ts_payload.h>
-#include <encoding/payloads/delete_payload.h>
-#include <encoding/payloads/vendor_id_payload.h>
-#include <encoding/payloads/cp_payload.h>
-#include <encoding/payloads/configuration_attribute.h>
-#include <encoding/payloads/eap_payload.h>
-
-
-typedef struct private_generator_t private_generator_t;
-
-/**
- * Private part of a generator_t object.
- */
-struct private_generator_t {
-	/**
-	 * Public part of a generator_t object.
-	 */
-	 generator_t public;
-
-	/**
-	 * Buffer used to generate the data into.
-	 */
-	u_int8_t *buffer;
-
-	/**
-	 * Current write position in buffer (one byte aligned).
-	 */
-	u_int8_t *out_position;
-
-	/**
-	 * Position of last byte in buffer.
-	 */
-	u_int8_t *roof_position;
-
-	/**
-	 * Current bit writing to in current byte (between 0 and 7).
-	 */
-	u_int8_t current_bit;
-
-	/**
-	 * Associated data struct to read informations from.
-	 */
-	void *data_struct;
-
-	/*
-	 * Last payload length position offset in the buffer.
-	 */
-	u_int32_t last_payload_length_position_offset;
-
-	/**
-	 * Offset of the header length field in the buffer.
-	 */
-	u_int32_t header_length_position_offset;
-
-	/**
-	 * Last SPI size.
-	 */
-	u_int8_t last_spi_size;
-
-	/**
-	 * Attribute format of the last generated transform attribute.
-	 *
-	 * Used to check if a variable value field is used or not for
-	 * the transform attribute value.
-	 */
-	bool attribute_format;
-
-	/**
-	 * Depending on the value of attribute_format this field is used
-	 * to hold the length of the transform attribute in bytes.
-	 */
-	u_int16_t attribute_length;
-};
-
-/**
- * Get size of current buffer in bytes.
- */
-static int get_size(private_generator_t *this)
-{
-	return this->roof_position - this->buffer;
-}
-
-/**
- * Get free space of current buffer in bytes.
- */
-static int get_space(private_generator_t *this)
-{
-	return this->roof_position - this->out_position;
-}
-
-/**
- * Get length of data in buffer (in bytes).
- */
-static int get_length(private_generator_t *this)
-{
-	return this->out_position - this->buffer;
-}
-
-/**
- * Get current offset in buffer (in bytes).
- */
-static u_int32_t get_offset(private_generator_t *this)
-{
-	return this->out_position - this->buffer;
-}
-
-/**
- * Makes sure enough space is available in buffer to store amount of bits.
- */
-static void make_space_available(private_generator_t *this, int bits)
-{
-	while ((get_space(this) * 8 - this->current_bit) < bits)
-	{
-		int old_buffer_size, new_buffer_size, out_position_offset;
-
-		old_buffer_size = get_size(this);
-		new_buffer_size = old_buffer_size + GENERATOR_DATA_BUFFER_INCREASE_VALUE;
-		out_position_offset = this->out_position - this->buffer;
-
-		DBG2(DBG_ENC, "increasing gen buffer from %d to %d byte",
-			 old_buffer_size, new_buffer_size);
-
-		this->buffer = realloc(this->buffer,new_buffer_size);
-		this->out_position = (this->buffer + out_position_offset);
-		this->roof_position = (this->buffer + new_buffer_size);
-	}
-}
-
-/**
- * Writes a specific amount of byte into the buffer.
- */
-static void write_bytes_to_buffer(private_generator_t *this, void *bytes,
-								  int number_of_bytes)
-{
-	int i;
-	u_int8_t *read_position = (u_int8_t *)bytes;
-
-	make_space_available(this, number_of_bytes * 8);
-
-	for (i = 0; i < number_of_bytes; i++)
-	{
-		*(this->out_position) = *(read_position);
-		read_position++;
-		this->out_position++;
-	}
-}
-
-/**
- * Writes a specific amount of byte into the buffer at a specific offset.
- */
-static void write_bytes_to_buffer_at_offset(private_generator_t *this,
-						void *bytes, int number_of_bytes, u_int32_t offset)
-{
-	int i;
-	u_int8_t *read_position = (u_int8_t *)bytes;
-	u_int8_t *write_position;
-	u_int32_t free_space_after_offset = get_size(this) - offset;
-
-	/* check first if enough space for new data is available */
-	if (number_of_bytes > free_space_after_offset)
-	{
-		make_space_available(this,
-							 (number_of_bytes - free_space_after_offset) * 8);
-	}
-
-	write_position = this->buffer + offset;
-	for (i = 0; i < number_of_bytes; i++)
-	{
-		*write_position = *read_position;
-		read_position++;
-		write_position++;
-	}
-}
-
-/**
- * Generates a U_INT-Field type and writes it to buffer.
- */
-static void generate_u_int_type(private_generator_t *this,
-								encoding_type_t int_type,u_int32_t offset)
-{
-	int number_of_bits = 0;
-
-	/* find out number of bits of each U_INT type to check for enough space */
-	switch (int_type)
-	{
-		case U_INT_4:
-			number_of_bits = 4;
-			break;
-		case TS_TYPE:
-		case U_INT_8:
-			number_of_bits = 8;
-			break;
-		case U_INT_16:
-		case CONFIGURATION_ATTRIBUTE_LENGTH:
-			number_of_bits = 16;
-			break;
-		case U_INT_32:
-			number_of_bits = 32;
-			break;
-		case ATTRIBUTE_TYPE:
-			number_of_bits = 15;
-			break;
-		case IKE_SPI:
-			number_of_bits = 64;
-			break;
-		default:
-			DBG1(DBG_ENC, "U_INT Type %N is not supported",
-				 encoding_type_names, int_type);
-			return;
-	}
-	if ((number_of_bits % 8) == 0 && this->current_bit != 0)
-	{
-		DBG1(DBG_ENC, "U_INT Type %N is not 8 Bit aligned",
-			 encoding_type_names, int_type);
-		return;
-	}
-
-	make_space_available(this, number_of_bits);
-	switch (int_type)
-	{
-		case U_INT_4:
-		{
-			u_int8_t high, low;
-
-			if (this->current_bit == 0)
-			{
-				/* high of current byte in buffer has to be set to the new value*/
-				high = *((u_int8_t *)(this->data_struct + offset)) << 4;
-				/* low in buffer is not changed */
-				low = *(this->out_position) & 0x0F;
-				/* high is set, low_val is not changed */
-				*(this->out_position) = high | low;
-				DBG3(DBG_ENC, "   => %d", *(this->out_position));
-				/* write position is not changed, just bit position is moved */
-				this->current_bit = 4;
-			}
-			else if (this->current_bit == 4)
-			{
-				/* high in buffer is not changed */
-				high = *(this->out_position) & 0xF0;
-				/* low of current byte in buffer has to be set to the new value*/
-				low = *((u_int8_t *)(this->data_struct + offset)) & 0x0F;
-				*(this->out_position) = high | low;
-				DBG3(DBG_ENC, "   => %d", *(this->out_position));
-				this->out_position++;
-				this->current_bit = 0;
-			}
-			else
-			{
-				DBG1(DBG_ENC, "U_INT_4 Type is not 4 Bit aligned");
-				/* 4 Bit integers must have a 4 bit alignment */
-				return;
-			}
-			break;
-		}
-		case TS_TYPE:
-		case U_INT_8:
-		{
-			/* 8 bit values are written as they are */
-			*this->out_position = *((u_int8_t *)(this->data_struct + offset));
-			DBG3(DBG_ENC, "   => %d", *(this->out_position));
-			this->out_position++;
-			break;
-		}
-		case ATTRIBUTE_TYPE:
-		{
-			u_int8_t attribute_format_flag;
-			u_int16_t val;
-
-			/* attribute type must not change first bit of current byte */
-			if (this->current_bit != 1)
-			{
-				DBG1(DBG_ENC, "ATTRIBUTE FORMAT flag is not set");
-				return;
-			}
-			attribute_format_flag = *(this->out_position) & 0x80;
-			/* get attribute type value as 16 bit integer*/
-			val = *((u_int16_t*)(this->data_struct + offset));
-			/* unset most significant bit */
-			val &= 0x7FFF;
-			if (attribute_format_flag)
-			{
-				val |= 0x8000;
-			}
-			val = htons(val);
-			DBG3(DBG_ENC, "   => %d", val);
-			/* write bytes to buffer (set bit is overwritten) */
-			write_bytes_to_buffer(this, &val, sizeof(u_int16_t));
-			this->current_bit = 0;
-			break;
-
-		}
-		case U_INT_16:
-		case CONFIGURATION_ATTRIBUTE_LENGTH:
-		{
-			u_int16_t val = htons(*((u_int16_t*)(this->data_struct + offset)));
-			DBG3(DBG_ENC, "   => %b", &val, sizeof(u_int16_t));
-			write_bytes_to_buffer(this, &val, sizeof(u_int16_t));
-			break;
-		}
-		case U_INT_32:
-		{
-			u_int32_t val = htonl(*((u_int32_t*)(this->data_struct + offset)));
-			DBG3(DBG_ENC, "   => %b", &val, sizeof(u_int32_t));
-			write_bytes_to_buffer(this, &val, sizeof(u_int32_t));
-			break;
-		}
-		case IKE_SPI:
-		{
-			/* 64 bit are written as-is, no host order conversion */
-			write_bytes_to_buffer(this, this->data_struct + offset,
-								  sizeof(u_int64_t));
-			DBG3(DBG_ENC, "   => %b", this->data_struct + offset,
-				 sizeof(u_int64_t));
-			break;
-		}
-		default:
-		{
-			DBG1(DBG_ENC, "U_INT Type %N is not supported",
-				 encoding_type_names, int_type);
-			return;
-		}
-	}
-}
-
-/**
- * Generate a reserved bit or byte
- */
-static void generate_reserved_field(private_generator_t *this, int bits)
-{
-	/* only one bit or 8 bit fields are supported */
-	if (bits != 1 && bits != 8)
-	{
-		DBG1(DBG_ENC, "reserved field of %d bits cannot be generated", bits);
-		return ;
-	}
-	make_space_available(this, bits);
-
-	if (bits == 1)
-	{
-		u_int8_t reserved_bit = ~(1 << (7 - this->current_bit));
-
-		*(this->out_position) = *(this->out_position) & reserved_bit;
-		if (this->current_bit == 0)
-		{
-			/* memory must be zero */
-			*(this->out_position) = 0x00;
-		}
-		this->current_bit++;
-		if (this->current_bit >= 8)
-		{
-			this->current_bit = this->current_bit % 8;
-			this->out_position++;
-		}
-	}
-	else
-	{
-		if (this->current_bit > 0)
-		{
-			DBG1(DBG_ENC, "reserved field cannot be written cause "
-				 "alignement of current bit is %d", this->current_bit);
-			return;
-		}
-		*(this->out_position) = 0x00;
-		this->out_position++;
-	}
-}
-
-/**
- * Generate a FLAG filed
- */
-static void generate_flag(private_generator_t *this, u_int32_t offset)
-{
-	u_int8_t flag_value;
-	u_int8_t flag;
-
-	flag_value = (*((bool *) (this->data_struct + offset))) ? 1 : 0;
-	/* get flag position */
-	flag = (flag_value << (7 - this->current_bit));
-
-	/* make sure one bit is available in buffer */
-	make_space_available(this, 1);
-	if (this->current_bit == 0)
-	{
-		/* memory must be zero */
-		*(this->out_position) = 0x00;
-	}
-
-	*(this->out_position) = *(this->out_position) | flag;
-	DBG3(DBG_ENC, "   => %d", *this->out_position);
-
-	this->current_bit++;
-	if (this->current_bit >= 8)
-	{
-		this->current_bit = this->current_bit % 8;
-		this->out_position++;
-	}
-}
-
-/**
- * Generates a bytestream from a chunk_t.
- */
-static void generate_from_chunk(private_generator_t *this, u_int32_t offset)
-{
-	chunk_t *value;
-
-	if (this->current_bit != 0)
-	{
-		DBG1(DBG_ENC, "can not generate a chunk at Bitpos %d", this->current_bit);
-		return ;
-	}
-
-	value = (chunk_t *)(this->data_struct + offset);
-	DBG3(DBG_ENC, "   => %B", value);
-
-	write_bytes_to_buffer(this, value->ptr, value->len);
-}
-
-/**
- * Implementation of private_generator_t.write_to_chunk.
- */
-static void write_to_chunk(private_generator_t *this,chunk_t *data)
-{
-	int data_length = get_length(this);
-	u_int32_t header_length_field = data_length;
-
-	/* write length into header length field */
-	if (this->header_length_position_offset > 0)
-	{
-		u_int32_t val = htonl(header_length_field);
-		write_bytes_to_buffer_at_offset(this, &val, sizeof(u_int32_t),
-										this->header_length_position_offset);
-	}
-
-	if (this->current_bit > 0)
-	{
-		data_length++;
-	}
-	*data = chunk_alloc(data_length);
-	memcpy(data->ptr, this->buffer, data_length);
-
-	DBG3(DBG_ENC, "generated data of this generator %B", data);
-}
-
-/**
- * Implementation of private_generator_t.generate_payload.
- */
-static void generate_payload (private_generator_t *this,payload_t *payload)
-{
-	int i, offset_start;
-	size_t rule_count;
-	encoding_rule_t *rules;
-	payload_type_t payload_type;
-
-	this->data_struct = payload;
-	payload_type = payload->get_type(payload);
-	/* spi size has to get reseted */
-	this->last_spi_size = 0;
-
-	offset_start = this->out_position - this->buffer;
-
-	DBG2(DBG_ENC, "generating payload of type %N",
-		 payload_type_names, payload_type);
-
-	/* each payload has its own encoding rules */
-	payload->get_encoding_rules(payload, &rules, &rule_count);
-
-	for (i = 0; i < rule_count;i++)
-	{
-		DBG2(DBG_ENC, "  generating rule %d %N",
-			 i, encoding_type_names, rules[i].type);
-		switch (rules[i].type)
-		{
-			case U_INT_4:
-			case U_INT_8:
-			case U_INT_16:
-			case U_INT_32:
-			case IKE_SPI:
-			case TS_TYPE:
-			case ATTRIBUTE_TYPE:
-			case CONFIGURATION_ATTRIBUTE_LENGTH:
-			{
-				generate_u_int_type(this, rules[i].type, rules[i].offset);
-				break;
-			}
-			case RESERVED_BIT:
-			{
-				generate_reserved_field(this, 1);
-				break;
-			}
-			case RESERVED_BYTE:
-			{
-				generate_reserved_field(this, 8);
-				break;
-			}
-			case FLAG:
-			{
-				generate_flag(this, rules[i].offset);
-				break;
-			}
-			case PAYLOAD_LENGTH:
-			{
-				this->last_payload_length_position_offset = get_offset(this);
-				generate_u_int_type(this, U_INT_16,rules[i].offset);
-				break;
-			}
-			case HEADER_LENGTH:
-			{
-				this->header_length_position_offset = get_offset(this);
-				generate_u_int_type(this ,U_INT_32, rules[i].offset);
-				break;
-			}
-			case SPI_SIZE:
-				generate_u_int_type(this, U_INT_8, rules[i].offset);
-				this->last_spi_size = *((u_int8_t *)(this->data_struct +
-													 rules[i].offset));
-				break;
-			case ADDRESS:
-			{
-				generate_from_chunk(this, rules[i].offset);
-				break;
-			}
-			case SPI:
-			{
-				generate_from_chunk(this, rules[i].offset);
-				break;
-			}
-			case KEY_EXCHANGE_DATA:
-			case NOTIFICATION_DATA:
-			case NONCE_DATA:
-			case ID_DATA:
-			case AUTH_DATA:
-			case CERT_DATA:
-			case CERTREQ_DATA:
-			case SPIS:
-			case CONFIGURATION_ATTRIBUTE_VALUE:
-			case VID_DATA:
-			case EAP_DATA:
-			{
-				u_int32_t payload_length_position_offset;
-				u_int16_t length_of_payload;
-				u_int16_t header_length = 0;
-				u_int16_t length_in_network_order;
-
-				switch(rules[i].type)
-				{
-					case KEY_EXCHANGE_DATA:
-						header_length = KE_PAYLOAD_HEADER_LENGTH;
-						break;
-					case NOTIFICATION_DATA:
-						header_length = NOTIFY_PAYLOAD_HEADER_LENGTH +
-														this->last_spi_size;
-						break;
-					case NONCE_DATA:
-						header_length = NONCE_PAYLOAD_HEADER_LENGTH;
-						break;
-					case ID_DATA:
-						header_length = ID_PAYLOAD_HEADER_LENGTH;
-						break;
-					case AUTH_DATA:
-						header_length = AUTH_PAYLOAD_HEADER_LENGTH;
-						break;
-					case CERT_DATA:
-						header_length = CERT_PAYLOAD_HEADER_LENGTH;
-						break;
-					case CERTREQ_DATA:
-						header_length = CERTREQ_PAYLOAD_HEADER_LENGTH;
-						break;
-					case SPIS:
-						header_length = DELETE_PAYLOAD_HEADER_LENGTH;
-						break;
-					case VID_DATA:
-						header_length = VENDOR_ID_PAYLOAD_HEADER_LENGTH;
-						break;
-					case CONFIGURATION_ATTRIBUTE_VALUE:
-						header_length = CONFIGURATION_ATTRIBUTE_HEADER_LENGTH;
-						break;
-					case EAP_DATA:
-						header_length = EAP_PAYLOAD_HEADER_LENGTH;
-						break;
-					default:
-						break;
-				}
-				generate_from_chunk(this, rules[i].offset);
-
-				payload_length_position_offset =
-									this->last_payload_length_position_offset;
-
-				length_of_payload = header_length +
-						((chunk_t *)(this->data_struct + rules[i].offset))->len;
-
-				length_in_network_order = htons(length_of_payload);
-				write_bytes_to_buffer_at_offset(this, &length_in_network_order,
-							sizeof(u_int16_t), payload_length_position_offset);
-				break;
-			}
-			case PROPOSALS:
-			{
-				u_int32_t payload_length_position_offset =
-									this->last_payload_length_position_offset;
-				/* Length of SA_PAYLOAD is calculated */
-				u_int16_t length_of_sa_payload = SA_PAYLOAD_HEADER_LENGTH;
-				u_int16_t int16_val;
-				linked_list_t *proposals = *((linked_list_t **)
-										(this->data_struct + rules[i].offset));
-				iterator_t *iterator;
-				payload_t *current_proposal;
-
-				iterator = proposals->create_iterator(proposals,TRUE);
-				while (iterator->iterate(iterator, (void**)&current_proposal))
-				{
-					u_int32_t before_generate_position_offset;
-					u_int32_t after_generate_position_offset;
-
-					before_generate_position_offset = get_offset(this);
-					generate_payload(this, current_proposal);
-					after_generate_position_offset = get_offset(this);
-					length_of_sa_payload += (after_generate_position_offset -
-											 before_generate_position_offset);
-				}
-				iterator->destroy(iterator);
-
-				int16_val = htons(length_of_sa_payload);
-				write_bytes_to_buffer_at_offset(this, &int16_val,
-							sizeof(u_int16_t),payload_length_position_offset);
-				break;
-			}
-			case TRANSFORMS:
-			{
-				u_int32_t payload_length_position_offset =
-									this->last_payload_length_position_offset;
-				u_int16_t length_of_proposal =
-					PROPOSAL_SUBSTRUCTURE_HEADER_LENGTH + this->last_spi_size;
-				u_int16_t int16_val;
-				linked_list_t *transforms = *((linked_list_t **)
-										(this->data_struct + rules[i].offset));
-				iterator_t *iterator;
-				payload_t *current_transform;
-
-				iterator = transforms->create_iterator(transforms,TRUE);
-				while (iterator->iterate(iterator, (void**)&current_transform))
-				{
-					u_int32_t before_generate_position_offset;
-					u_int32_t after_generate_position_offset;
-
-					before_generate_position_offset = get_offset(this);
-					generate_payload(this, current_transform);
-					after_generate_position_offset = get_offset(this);
-
-					length_of_proposal += (after_generate_position_offset -
-										   before_generate_position_offset);
-				}
-				iterator->destroy(iterator);
-
-				int16_val = htons(length_of_proposal);
-				write_bytes_to_buffer_at_offset(this, &int16_val,
-							sizeof(u_int16_t), payload_length_position_offset);
-				break;
-			}
-			case TRANSFORM_ATTRIBUTES:
-			{
-				u_int32_t transform_length_position_offset =
-									this->last_payload_length_position_offset;
-				u_int16_t length_of_transform =
-									TRANSFORM_SUBSTRUCTURE_HEADER_LENGTH;
-				u_int16_t int16_val;
-				linked_list_t *transform_attributes =*((linked_list_t **)
-									(this->data_struct + rules[i].offset));
-				iterator_t *iterator;
-				payload_t *current_attribute;
-
-				iterator = transform_attributes->create_iterator(
-													transform_attributes, TRUE);
-				while (iterator->iterate(iterator, (void**)&current_attribute))
-				{
-					u_int32_t before_generate_position_offset;
-					u_int32_t after_generate_position_offset;
-
-					before_generate_position_offset = get_offset(this);
-					generate_payload(this, current_attribute);
-					after_generate_position_offset = get_offset(this);
-
-					length_of_transform += (after_generate_position_offset -
-											before_generate_position_offset);
-				}
-
-				iterator->destroy(iterator);
-
-				int16_val = htons(length_of_transform);
-				write_bytes_to_buffer_at_offset(this, &int16_val,
-							sizeof(u_int16_t),transform_length_position_offset);
-				break;
-			}
-			case CONFIGURATION_ATTRIBUTES:
-			{
-				u_int32_t configurations_length_position_offset =
-									this->last_payload_length_position_offset;
-				u_int16_t length_of_configurations = CP_PAYLOAD_HEADER_LENGTH;
-				u_int16_t int16_val;
-				linked_list_t *configuration_attributes = *((linked_list_t **)
-										(this->data_struct + rules[i].offset));
-				iterator_t *iterator;
-				payload_t *current_attribute;
-
-				iterator = configuration_attributes->create_iterator(
-												configuration_attributes,TRUE);
-				while (iterator->iterate(iterator, (void**)&current_attribute))
-				{
-					u_int32_t before_generate_position_offset;
-					u_int32_t after_generate_position_offset;
-
-					before_generate_position_offset = get_offset(this);
-					generate_payload(this, current_attribute);
-					after_generate_position_offset = get_offset(this);
-
-					length_of_configurations += after_generate_position_offset -
-											before_generate_position_offset;
-				}
-
-				iterator->destroy(iterator);
-
-				int16_val = htons(length_of_configurations);
-				write_bytes_to_buffer_at_offset(this, &int16_val,
-					 sizeof(u_int16_t),configurations_length_position_offset);
-				break;
-			}
-			case ATTRIBUTE_FORMAT:
-			{
-				generate_flag(this, rules[i].offset);
-				/* Attribute format is a flag which is stored in context*/
-				this->attribute_format =
-							*((bool *)(this->data_struct + rules[i].offset));
-				break;
-			}
-
-			case ATTRIBUTE_LENGTH_OR_VALUE:
-			{
-				if (this->attribute_format == FALSE)
-				{
-					generate_u_int_type(this, U_INT_16, rules[i].offset);
-					/* this field hold the length of the attribute */
-					this->attribute_length =
-						*((u_int16_t *)(this->data_struct + rules[i].offset));
-				}
-				else
-				{
-					generate_u_int_type(this, U_INT_16, rules[i].offset);
-				}
-				break;
-			}
-			case ATTRIBUTE_VALUE:
-			{
-				if (this->attribute_format == FALSE)
-				{
-					DBG2(DBG_ENC, "attribute value has not fixed size");
-					/* the attribute value is generated */
-					generate_from_chunk(this, rules[i].offset);
-				}
-				break;
-			}
-			case TRAFFIC_SELECTORS:
-			{
-				u_int32_t payload_length_position_offset =
-									this->last_payload_length_position_offset;
-				u_int16_t length_of_ts_payload = TS_PAYLOAD_HEADER_LENGTH;
-				u_int16_t int16_val;
-				linked_list_t *traffic_selectors = *((linked_list_t **)
-										(this->data_struct + rules[i].offset));
-				iterator_t *iterator;
-				payload_t *current_tss;
-
-				iterator = traffic_selectors->create_iterator(
-													traffic_selectors,TRUE);
-				while (iterator->iterate(iterator, (void **)&current_tss))
-				{
-					u_int32_t before_generate_position_offset;
-					u_int32_t after_generate_position_offset;
-
-					before_generate_position_offset = get_offset(this);
-					generate_payload(this, current_tss);
-					after_generate_position_offset = get_offset(this);
-
-					length_of_ts_payload += (after_generate_position_offset -
-											 before_generate_position_offset);
-				}
-				iterator->destroy(iterator);
-
-				int16_val = htons(length_of_ts_payload);
-				write_bytes_to_buffer_at_offset(this, &int16_val,
-							sizeof(u_int16_t),payload_length_position_offset);
-				break;
-			}
-
-			case ENCRYPTED_DATA:
-			{
-				generate_from_chunk(this, rules[i].offset);
-				break;
-			}
-			default:
-				DBG1(DBG_ENC, "field type %N is not supported",
-					 encoding_type_names, rules[i].type);
-				return;
-		}
-	}
-	DBG2(DBG_ENC, "generating %N payload finished",
-		 payload_type_names, payload_type);
-	DBG3(DBG_ENC, "generated data for this payload %b",
-		 this->buffer + offset_start,
-		 this->out_position - this->buffer - offset_start);
-}
-
-/**
- * Implementation of generator_t.destroy.
- */
-static status_t destroy(private_generator_t *this)
-{
-	free(this->buffer);
-	free(this);
-	return SUCCESS;
-}
-
-/*
- * Described in header
- */
-generator_t *generator_create()
-{
-	private_generator_t *this;
-
-	this = malloc_thing(private_generator_t);
-
-	/* initiate public functions */
-	this->public.generate_payload = (void(*)(generator_t*, payload_t *))generate_payload;
-	this->public.destroy = (void(*)(generator_t*)) destroy;
-	this->public.write_to_chunk = (void (*) (generator_t *,chunk_t *))write_to_chunk;
-
-	/* allocate memory for buffer */
-	this->buffer = malloc(GENERATOR_DATA_BUFFER_SIZE);
-
-	/* initiate private variables */
-	this->out_position = this->buffer;
-	this->roof_position = this->buffer + GENERATOR_DATA_BUFFER_SIZE;
-	this->data_struct = NULL;
-	this->current_bit = 0;
-	this->last_payload_length_position_offset = 0;
-	this->header_length_position_offset = 0;
-	this->attribute_format = FALSE;
-	this->attribute_length = 0;
-
-	return &(this->public);
-}
-
diff --git a/src/charon/encoding/generator.h b/src/charon/encoding/generator.h
deleted file mode 100644
index 2221c84af..000000000
--- a/src/charon/encoding/generator.h
+++ /dev/null
@@ -1,85 +0,0 @@
-/*
- * Copyright (C) 2005-2009 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup generator generator
- * @{ @ingroup encoding
- */
-
-#ifndef GENERATOR_H_
-#define GENERATOR_H_
-
-typedef struct generator_t generator_t;
-
-#include <library.h>
-#include <encoding/payloads/encodings.h>
-#include <encoding/payloads/payload.h>
-
-/**
- * Generating is done in a data buffer.
- * This is the start size of this buffer in bytes.
- */
-#define GENERATOR_DATA_BUFFER_SIZE 500
-
-/**
- * Number of bytes to increase the buffer, if it is too small.
- */
-#define GENERATOR_DATA_BUFFER_INCREASE_VALUE 500
-
-
-/**
- * A generator_t class used to generate IKEv2 payloads.
- *
- * After creation, multiple payloads can be generated with the generate_payload
- * method. The generated bytes are appended. After all payloads are added,
- * the write_to_chunk method writes out all generated data since
- * the creation of the generator. After that, the generator must be destroyed.
- * The generater uses a set of encoding rules, which it can get from
- * the supplied payload. With this rules, the generater can generate
- * the payload and all substructures automatically.
- */
-struct generator_t {
-
-	/**
-	 * Generates a specific payload from given payload object.
-	 *
-	 * Remember: Header and substructures are also handled as payloads.
-	 *
-	 * @param payload 		interface payload_t implementing object
-	 */
-	void (*generate_payload) (generator_t *this,payload_t *payload);
-
-	/**
-	 * Writes all generated data of the generator to a chunk.
-	 *
-	 * @param data 		chunk to write the data to
-	 */
-	void (*write_to_chunk) (generator_t *this,chunk_t *data);
-
-	/**
-	 * Destroys a generator_t object.
-	 */
-	void (*destroy) (generator_t *this);
-};
-
-/**
- * Constructor to create a generator.
- *
- * @return generator_t object.
- */
-generator_t *generator_create(void);
-
-#endif /** GENERATOR_H_ @}*/
diff --git a/src/charon/encoding/message.c b/src/charon/encoding/message.c
deleted file mode 100644
index 397a3c609..000000000
--- a/src/charon/encoding/message.c
+++ /dev/null
@@ -1,1726 +0,0 @@
-/*
- * Copyright (C) 2006-2007 Tobias Brunner
- * Copyright (C) 2005-2009 Martin Willi
- * Copyright (C) 2006 Daniel Roethlisberger
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <stdlib.h>
-#include <string.h>
-
-#include "message.h"
-
-#include <library.h>
-#include <daemon.h>
-#include <sa/ike_sa_id.h>
-#include <encoding/generator.h>
-#include <encoding/parser.h>
-#include <utils/linked_list.h>
-#include <encoding/payloads/encodings.h>
-#include <encoding/payloads/payload.h>
-#include <encoding/payloads/encryption_payload.h>
-#include <encoding/payloads/unknown_payload.h>
-
-/**
- * Max number of notify payloads per IKEv2 Message
- */
-#define MAX_NOTIFY_PAYLOADS 20
-
-/**
- * Max number of delete payloads per IKEv2 Message
- */
-#define MAX_DELETE_PAYLOADS 20
-
-
-typedef struct payload_rule_t payload_rule_t;
-
-/**
- * A payload rule defines the rules for a payload
- * in a specific message rule. It defines if and how
- * many times a payload must/can occur in a message
- * and if it must be encrypted.
- */
-struct payload_rule_t {
-	/**
-	 * Payload type.
-	 */
-	 payload_type_t payload_type;
-
-	 /**
-	  * Minimal occurence of this payload.
-	  */
-	 size_t min_occurence;
-
-	 /**
-	  * Max occurence of this payload.
-	  */
-	 size_t max_occurence;
-
-	 /**
-	  * TRUE if payload must be encrypted
-	  */
-	 bool encrypted;
-
-	 /**
-	  * If this payload occurs, the message rule is
-	  * fullfilled in any case. This applies e.g. to
-	  * notify_payloads.
-	  */
-	 bool sufficient;
-};
-
-typedef struct payload_order_t payload_order_t;
-
-/**
- * payload ordering structure allows us to reorder payloads according to RFC.
- */
-struct payload_order_t {
-
-	/**
-	 * payload type
-	 */
-	payload_type_t type;
-
-	/**
-	 * notify type, if payload == NOTIFY
-	 */
-	notify_type_t notify;
-};
-
-
-typedef struct message_rule_t message_rule_t;
-
-/**
- * A message rule defines the kind of a message,
- * if it has encrypted contents and a list
- * of payload ordering rules and payload parsing rules.
- */
-struct message_rule_t {
-	/**
-	 * Type of message.
-	 */
-	exchange_type_t exchange_type;
-
-	/**
-	 * Is message a request or response.
-	 */
-	bool is_request;
-
-	/**
-	 * Message contains encrypted content.
-	 */
-	bool encrypted_content;
-
-	/**
-	 * Number of payload rules which will follow
-	 */
-	int payload_rule_count;
-
-	/**
-	 * Pointer to first payload rule
-	 */
-	payload_rule_t *payload_rules;
-
-	/**
-	 * Number of payload order rules
-	 */
-	int payload_order_count;
-
-	/**
-	 * payload ordering rules
-	 */
-	payload_order_t *payload_order;
-};
-
-/**
- * Message rule for IKE_SA_INIT from initiator.
- */
-static payload_rule_t ike_sa_init_i_payload_rules[] = {
-/*	payload type					min	max						encr	suff */
-	{NOTIFY,						0,	MAX_NOTIFY_PAYLOADS,	FALSE,	FALSE},
-	{SECURITY_ASSOCIATION,			1,	1,						FALSE,	FALSE},
-	{KEY_EXCHANGE,					1,	1,						FALSE,	FALSE},
-	{NONCE,							1,	1,						FALSE,	FALSE},
-	{VENDOR_ID,						0,	10,						FALSE,	FALSE},
-};
-
-/**
- * payload order for IKE_SA_INIT initiator
- */
-static payload_order_t ike_sa_init_i_payload_order[] = {
-/*	payload type					notify type */
-	{NOTIFY,						COOKIE},
-	{SECURITY_ASSOCIATION,			0},
-	{KEY_EXCHANGE,					0},
-	{NONCE,							0},
-	{NOTIFY,						NAT_DETECTION_SOURCE_IP},
-	{NOTIFY,						NAT_DETECTION_DESTINATION_IP},
-	{NOTIFY,						0},
-	{VENDOR_ID,						0},
-};
-
-/**
- * Message rule for IKE_SA_INIT from responder.
- */
-static payload_rule_t ike_sa_init_r_payload_rules[] = {
-/*	payload type					min	max						encr	suff */
-	{NOTIFY,						0,	MAX_NOTIFY_PAYLOADS,	FALSE,	TRUE},
-	{SECURITY_ASSOCIATION,			1,	1,						FALSE,	FALSE},
-	{KEY_EXCHANGE,					1,	1,						FALSE,	FALSE},
-	{NONCE,							1,	1,						FALSE,	FALSE},
-	{VENDOR_ID,						0,	10,						FALSE,	FALSE},
-};
-
-/**
- * payload order for IKE_SA_INIT responder
- */
-static payload_order_t ike_sa_init_r_payload_order[] = {
-/*	payload type					notify type */
-	{SECURITY_ASSOCIATION,			0},
-	{KEY_EXCHANGE,					0},
-	{NONCE,							0},
-	{NOTIFY,						NAT_DETECTION_SOURCE_IP},
-	{NOTIFY,						NAT_DETECTION_DESTINATION_IP},
-	{NOTIFY,						HTTP_CERT_LOOKUP_SUPPORTED},
-	{CERTIFICATE_REQUEST,			0},
-	{NOTIFY,						0},
-	{VENDOR_ID,						0},
-};
-
-/**
- * Message rule for IKE_AUTH from initiator.
- */
-static payload_rule_t ike_auth_i_payload_rules[] = {
-/*	payload type					min	max						encr	suff */
-	{NOTIFY,						0,	MAX_NOTIFY_PAYLOADS,	TRUE,	FALSE},
-	{EXTENSIBLE_AUTHENTICATION,		0,	1,						TRUE,	TRUE},
-	{AUTHENTICATION,				0,	1,						TRUE,	TRUE},
-	{ID_INITIATOR,					0,	1,						TRUE,	FALSE},
-	{CERTIFICATE,					0,	4,						TRUE,	FALSE},
-	{CERTIFICATE_REQUEST,			0,	1,						TRUE,	FALSE},
-	{ID_RESPONDER,					0,	1,						TRUE,	FALSE},
-#ifdef ME
-	{SECURITY_ASSOCIATION,			0,	1,						TRUE,	FALSE},
-	{TRAFFIC_SELECTOR_INITIATOR,	0,	1,						TRUE,	FALSE},
-	{TRAFFIC_SELECTOR_RESPONDER,	0,	1,						TRUE,	FALSE},
-#else
-	{SECURITY_ASSOCIATION,			0,	1,						TRUE,	FALSE},
-	{TRAFFIC_SELECTOR_INITIATOR,	0,	1,						TRUE,	FALSE},
-	{TRAFFIC_SELECTOR_RESPONDER,	0,	1,						TRUE,	FALSE},
-#endif /* ME */
-	{CONFIGURATION,					0,	1,						TRUE,	FALSE},
-	{VENDOR_ID,						0,	10,						TRUE,	FALSE},
-};
-
-/**
- * payload order for IKE_AUTH initiator
- */
-static payload_order_t ike_auth_i_payload_order[] = {
-/*	payload type					notify type */
-	{ID_INITIATOR,					0},
-	{CERTIFICATE,					0},
-	{NOTIFY,						INITIAL_CONTACT},
-	{NOTIFY,						HTTP_CERT_LOOKUP_SUPPORTED},
-	{CERTIFICATE_REQUEST,			0},
-	{ID_RESPONDER,					0},
-	{AUTHENTICATION,				0},
-	{EXTENSIBLE_AUTHENTICATION,		0},
-	{CONFIGURATION,					0},
-	{NOTIFY,						IPCOMP_SUPPORTED},
-	{NOTIFY,						USE_TRANSPORT_MODE},
-	{NOTIFY,						ESP_TFC_PADDING_NOT_SUPPORTED},
-	{NOTIFY,						NON_FIRST_FRAGMENTS_ALSO},
-	{SECURITY_ASSOCIATION,			0},
-	{TRAFFIC_SELECTOR_INITIATOR,	0},
-	{TRAFFIC_SELECTOR_RESPONDER,	0},
-	{NOTIFY,						MOBIKE_SUPPORTED},
-	{NOTIFY,						ADDITIONAL_IP4_ADDRESS},
-	{NOTIFY,						ADDITIONAL_IP6_ADDRESS},
-	{NOTIFY,						NO_ADDITIONAL_ADDRESSES},
-	{NOTIFY,						0},
-	{VENDOR_ID,						0},
-};
-
-/**
- * Message rule for IKE_AUTH from responder.
- */
-static payload_rule_t ike_auth_r_payload_rules[] = {
-/*	payload type					min	max						encr	suff */
-	{NOTIFY,						0,	MAX_NOTIFY_PAYLOADS,	TRUE,	TRUE},
-	{EXTENSIBLE_AUTHENTICATION,		0,	1,						TRUE,	TRUE},
-	{AUTHENTICATION,				0,	1,						TRUE,	TRUE},
-	{CERTIFICATE,					0,	4,						TRUE,	FALSE},
-	{ID_RESPONDER,					0,	1,						TRUE,	FALSE},
-	{SECURITY_ASSOCIATION,			0,	1,						TRUE,	FALSE},
-	{TRAFFIC_SELECTOR_INITIATOR,	0,	1,						TRUE,	FALSE},
-	{TRAFFIC_SELECTOR_RESPONDER,	0,	1,						TRUE,	FALSE},
-	{CONFIGURATION,					0,	1,						TRUE,	FALSE},
-	{VENDOR_ID,						0,	10,						TRUE,	FALSE},
-};
-
-/**
- * payload order for IKE_AUTH responder
- */
-static payload_order_t ike_auth_r_payload_order[] = {
-/*	payload type					notify type */
-	{ID_RESPONDER,					0},
-	{CERTIFICATE,					0},
-	{AUTHENTICATION,				0},
-	{EXTENSIBLE_AUTHENTICATION,		0},
-	{CONFIGURATION,					0},
-	{NOTIFY,						IPCOMP_SUPPORTED},
-	{NOTIFY,						USE_TRANSPORT_MODE},
-	{NOTIFY,						ESP_TFC_PADDING_NOT_SUPPORTED},
-	{NOTIFY,						NON_FIRST_FRAGMENTS_ALSO},
-	{SECURITY_ASSOCIATION,			0},
-	{TRAFFIC_SELECTOR_INITIATOR,	0},
-	{TRAFFIC_SELECTOR_RESPONDER,	0},
-	{NOTIFY,						AUTH_LIFETIME},
-	{NOTIFY,						MOBIKE_SUPPORTED},
-	{NOTIFY,						ADDITIONAL_IP4_ADDRESS},
-	{NOTIFY,						ADDITIONAL_IP6_ADDRESS},
-	{NOTIFY,						NO_ADDITIONAL_ADDRESSES},
-	{NOTIFY,						0},
-	{VENDOR_ID,						0},
-};
-
-/**
- * Message rule for INFORMATIONAL from initiator.
- */
-static payload_rule_t informational_i_payload_rules[] = {
-/*	payload type					min	max						encr	suff */
-	{NOTIFY,						0,	MAX_NOTIFY_PAYLOADS,	TRUE,	FALSE},
-	{CONFIGURATION,					0,	1,						TRUE,	FALSE},
-	{DELETE,						0,	MAX_DELETE_PAYLOADS,	TRUE,	FALSE},
-	{VENDOR_ID,						0,	10,						TRUE,	FALSE},
-};
-
-/**
- * payload order for INFORMATIONAL initiator
- */
-static payload_order_t informational_i_payload_order[] = {
-/*	payload type					notify type */
-	{NOTIFY,						UPDATE_SA_ADDRESSES},
-	{NOTIFY,						NAT_DETECTION_SOURCE_IP},
-	{NOTIFY,						NAT_DETECTION_DESTINATION_IP},
-	{NOTIFY,						COOKIE2},
-	{NOTIFY,						0},
-	{DELETE,						0},
-	{CONFIGURATION,					0},
-};
-
-/**
- * Message rule for INFORMATIONAL from responder.
- */
-static payload_rule_t informational_r_payload_rules[] = {
-/*	payload type					min	max						encr	suff */
-	{NOTIFY,						0,	MAX_NOTIFY_PAYLOADS,	TRUE,	FALSE},
-	{CONFIGURATION,					0,	1,						TRUE,	FALSE},
-	{DELETE,						0,	MAX_DELETE_PAYLOADS,	TRUE,	FALSE},
-	{VENDOR_ID,						0,	10,						TRUE,	FALSE},
-};
-
-/**
- * payload order for INFORMATIONAL responder
- */
-static payload_order_t informational_r_payload_order[] = {
-/*	payload type					notify type */
-	{NOTIFY,						UPDATE_SA_ADDRESSES},
-	{NOTIFY,						NAT_DETECTION_SOURCE_IP},
-	{NOTIFY,						NAT_DETECTION_DESTINATION_IP},
-	{NOTIFY,						COOKIE2},
-	{NOTIFY,						0},
-	{DELETE,						0},
-	{CONFIGURATION,					0},
-};
-
-/**
- * Message rule for CREATE_CHILD_SA from initiator.
- */
-static payload_rule_t create_child_sa_i_payload_rules[] = {
-/*	payload type					min	max						encr	suff */
-	{NOTIFY,						0,	MAX_NOTIFY_PAYLOADS,	TRUE,	FALSE},
-	{SECURITY_ASSOCIATION,			1,	1,						TRUE,	FALSE},
-	{NONCE,							1,	1,						TRUE,	FALSE},
-	{KEY_EXCHANGE,					0,	1,						TRUE,	FALSE},
-	{TRAFFIC_SELECTOR_INITIATOR,	0,	1,						TRUE,	FALSE},
-	{TRAFFIC_SELECTOR_RESPONDER,	0,	1,						TRUE,	FALSE},
-	{CONFIGURATION,					0,	1,						TRUE,	FALSE},
-	{VENDOR_ID,						0,	10,						TRUE,	FALSE},
-};
-
-/**
- * payload order for CREATE_CHILD_SA from initiator.
- */
-static payload_order_t create_child_sa_i_payload_order[] = {
-/*	payload type					notify type */
-	{NOTIFY,						REKEY_SA},
-	{NOTIFY,						IPCOMP_SUPPORTED},
-	{NOTIFY,						USE_TRANSPORT_MODE},
-	{NOTIFY,						ESP_TFC_PADDING_NOT_SUPPORTED},
-	{NOTIFY,						NON_FIRST_FRAGMENTS_ALSO},
-	{SECURITY_ASSOCIATION,			0},
-	{NONCE,							0},
-	{KEY_EXCHANGE,					0},
-	{TRAFFIC_SELECTOR_INITIATOR,	0},
-	{TRAFFIC_SELECTOR_RESPONDER,	0},
-	{NOTIFY,						0},
-};
-
-/**
- * Message rule for CREATE_CHILD_SA from responder.
- */
-static payload_rule_t create_child_sa_r_payload_rules[] = {
-/*	payload type					min	max						encr	suff */
-	{NOTIFY,						0,	MAX_NOTIFY_PAYLOADS,	TRUE,	TRUE},
-	{SECURITY_ASSOCIATION,			1,	1,						TRUE,	FALSE},
-	{NONCE,							1,	1,						TRUE,	FALSE},
-	{KEY_EXCHANGE,					0,	1,						TRUE,	FALSE},
-	{TRAFFIC_SELECTOR_INITIATOR,	0,	1,						TRUE,	FALSE},
-	{TRAFFIC_SELECTOR_RESPONDER,	0,	1,						TRUE,	FALSE},
-	{CONFIGURATION,					0,	1,						TRUE,	FALSE},
-	{VENDOR_ID,						0,	10,						TRUE,	FALSE},
-};
-
-/**
- * payload order for CREATE_CHILD_SA from responder.
- */
-static payload_order_t create_child_sa_r_payload_order[] = {
-/*	payload type					notify type */
-	{NOTIFY,						IPCOMP_SUPPORTED},
-	{NOTIFY,						USE_TRANSPORT_MODE},
-	{NOTIFY,						ESP_TFC_PADDING_NOT_SUPPORTED},
-	{NOTIFY,						NON_FIRST_FRAGMENTS_ALSO},
-	{SECURITY_ASSOCIATION,			0},
-	{NONCE,							0},
-	{KEY_EXCHANGE,					0},
-	{TRAFFIC_SELECTOR_INITIATOR,	0},
-	{TRAFFIC_SELECTOR_RESPONDER,	0},
-	{NOTIFY,						ADDITIONAL_TS_POSSIBLE},
-	{NOTIFY,						0},
-};
-
-#ifdef ME
-/**
- * Message rule for ME_CONNECT from initiator.
- */
-static payload_rule_t me_connect_i_payload_rules[] = {
-/*	payload type					min	max						encr	suff */
-	{NOTIFY,						0,	MAX_NOTIFY_PAYLOADS,	TRUE,	TRUE},
-	{ID_PEER,						1,	1,						TRUE,	FALSE},
-	{VENDOR_ID,						0,	10,						TRUE,	FALSE}
-};
-
-/**
- * payload order for ME_CONNECT from initiator.
- */
-static payload_order_t me_connect_i_payload_order[] = {
-/*	payload type					notify type */
-	{NOTIFY,						0},
-	{ID_PEER,						0},
-	{VENDOR_ID,						0},
-};
-
-/**
- * Message rule for ME_CONNECT from responder.
- */
-static payload_rule_t me_connect_r_payload_rules[] = {
-/*	payload type					min	max						encr	suff */
-	{NOTIFY,						0,	MAX_NOTIFY_PAYLOADS,	TRUE,	TRUE},
-	{VENDOR_ID,						0,	10,						TRUE,	FALSE}
-};
-
-/**
- * payload order for ME_CONNECT from responder.
- */
-static payload_order_t me_connect_r_payload_order[] = {
-/*	payload type					notify type */
-	{NOTIFY,						0},
-	{VENDOR_ID,						0},
-};
-#endif /* ME */
-
-/**
- * Message rules, defines allowed payloads.
- */
-static message_rule_t message_rules[] = {
-	{IKE_SA_INIT,		TRUE,	FALSE,
-		(sizeof(ike_sa_init_i_payload_rules)/sizeof(payload_rule_t)),
-		ike_sa_init_i_payload_rules,
-		(sizeof(ike_sa_init_i_payload_order)/sizeof(payload_order_t)),
-		ike_sa_init_i_payload_order,
-	},
-	{IKE_SA_INIT,		FALSE,	FALSE,
-		(sizeof(ike_sa_init_r_payload_rules)/sizeof(payload_rule_t)),
-		ike_sa_init_r_payload_rules,
-		(sizeof(ike_sa_init_r_payload_order)/sizeof(payload_order_t)),
-		ike_sa_init_r_payload_order,
-	},
-	{IKE_AUTH,			TRUE,	TRUE,
-		(sizeof(ike_auth_i_payload_rules)/sizeof(payload_rule_t)),
-		ike_auth_i_payload_rules,
-		(sizeof(ike_auth_i_payload_order)/sizeof(payload_order_t)),
-		ike_auth_i_payload_order,
-	},
-	{IKE_AUTH,			FALSE,	TRUE,
-		(sizeof(ike_auth_r_payload_rules)/sizeof(payload_rule_t)),
-		ike_auth_r_payload_rules,
-		(sizeof(ike_auth_r_payload_order)/sizeof(payload_order_t)),
-		ike_auth_r_payload_order,
-	},
-	{INFORMATIONAL,		TRUE,	TRUE,
-		(sizeof(informational_i_payload_rules)/sizeof(payload_rule_t)),
-		informational_i_payload_rules,
-		(sizeof(informational_i_payload_order)/sizeof(payload_order_t)),
-		informational_i_payload_order,
-	},
-	{INFORMATIONAL,		FALSE,	TRUE,
-		(sizeof(informational_r_payload_rules)/sizeof(payload_rule_t)),
-		informational_r_payload_rules,
-		(sizeof(informational_r_payload_order)/sizeof(payload_order_t)),
-		informational_r_payload_order,
-	},
-	{CREATE_CHILD_SA,	TRUE,	TRUE,
-		(sizeof(create_child_sa_i_payload_rules)/sizeof(payload_rule_t)),
-		create_child_sa_i_payload_rules,
-		(sizeof(create_child_sa_i_payload_order)/sizeof(payload_order_t)),
-		create_child_sa_i_payload_order,
-	},
-	{CREATE_CHILD_SA,	FALSE,	TRUE,
-		(sizeof(create_child_sa_r_payload_rules)/sizeof(payload_rule_t)),
-		create_child_sa_r_payload_rules,
-		(sizeof(create_child_sa_r_payload_order)/sizeof(payload_order_t)),
-		create_child_sa_r_payload_order,
-	},
-#ifdef ME
-	{ME_CONNECT,		TRUE,	TRUE,
-		(sizeof(me_connect_i_payload_rules)/sizeof(payload_rule_t)),
-		me_connect_i_payload_rules,
-		(sizeof(me_connect_i_payload_order)/sizeof(payload_order_t)),
-		me_connect_i_payload_order,
-	},
-	{ME_CONNECT,		FALSE,	TRUE,
-		(sizeof(me_connect_r_payload_rules)/sizeof(payload_rule_t)),
-		me_connect_r_payload_rules,
-		(sizeof(me_connect_r_payload_order)/sizeof(payload_order_t)),
-		me_connect_r_payload_order,
-	},
-#endif /* ME */
-};
-
-
-typedef struct private_message_t private_message_t;
-
-/**
- * Private data of an message_t object.
- */
-struct private_message_t {
-
-	/**
-	 * Public part of a message_t object.
-	 */
-	message_t public;
-
-	/**
-	 * Minor version of message.
-	 */
-	u_int8_t major_version;
-
-	/**
-	 * Major version of message.
-	 */
-	u_int8_t minor_version;
-
-	/**
-	 * First Payload in message.
-	 */
-	payload_type_t first_payload;
-
-	/**
-	 * Assigned exchange type.
-	 */
-	exchange_type_t exchange_type;
-
-	/**
-	 * TRUE if message is a request, FALSE if a reply.
-	 */
-	bool is_request;
-
-	/**
-	 * Message ID of this message.
-	 */
-	u_int32_t message_id;
-
-	/**
-	 * ID of assigned IKE_SA.
-	 */
-	ike_sa_id_t *ike_sa_id;
-
-	/**
-	 * Assigned UDP packet, stores incoming packet or last generated one.
-	 */
-	packet_t *packet;
-
-	/**
-	 * Linked List where payload data are stored in.
-	 */
-	linked_list_t *payloads;
-
-	 /**
-	  * Assigned parser to parse Header and Body of this message.
-	  */
-	parser_t *parser;
-
-	/**
-	 * The message rule for this message instance
-	 */
-	message_rule_t *message_rule;
-};
-
-/**
- * Implementation of private_message_t.set_message_rule.
- */
-static  status_t set_message_rule(private_message_t *this)
-{
-	int i;
-
-	for (i = 0; i < (sizeof(message_rules) / sizeof(message_rule_t)); i++)
-	{
-		if ((this->exchange_type == message_rules[i].exchange_type) &&
-			(this->is_request == message_rules[i].is_request))
-		{
-			/* found rule for given exchange_type*/
-			this->message_rule = &(message_rules[i]);
-			return SUCCESS;
-		}
-	}
-	this->message_rule = NULL;
-	return NOT_FOUND;
-}
-
-/**
- * Implementation of private_message_t.get_payload_rule.
- */
-static status_t get_payload_rule(private_message_t *this,
-					payload_type_t payload_type, payload_rule_t **payload_rule)
-{
-	int i;
-
-	for (i = 0; i < this->message_rule->payload_rule_count;i++)
-	{
-		if (this->message_rule->payload_rules[i].payload_type == payload_type)
-		{
-			*payload_rule = &(this->message_rule->payload_rules[i]);
-			return SUCCESS;
-		}
-	}
-
-	*payload_rule = NULL;
-	return NOT_FOUND;
-}
-
-/**
- * Implementation of message_t.set_ike_sa_id.
- */
-static void set_ike_sa_id(private_message_t *this,ike_sa_id_t *ike_sa_id)
-{
-	DESTROY_IF(this->ike_sa_id);
-	this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
-}
-
-/**
- * Implementation of message_t.get_ike_sa_id.
- */
-static ike_sa_id_t* get_ike_sa_id(private_message_t *this)
-{
-	return this->ike_sa_id;
-}
-
-/**
- * Implementation of message_t.set_message_id.
- */
-static void set_message_id(private_message_t *this,u_int32_t message_id)
-{
-	this->message_id = message_id;
-}
-
-/**
- * Implementation of message_t.get_message_id.
- */
-static u_int32_t get_message_id(private_message_t *this)
-{
-	return this->message_id;
-}
-
-/**
- * Implementation of message_t.get_initiator_spi.
- */
-static u_int64_t get_initiator_spi(private_message_t *this)
-{
-	return (this->ike_sa_id->get_initiator_spi(this->ike_sa_id));
-}
-
-/**
- * Implementation of message_t.get_responder_spi.
- */
-static u_int64_t get_responder_spi(private_message_t *this)
-{
-	return (this->ike_sa_id->get_responder_spi(this->ike_sa_id));
-}
-
-/**
- * Implementation of message_t.set_major_version.
- */
-static void set_major_version(private_message_t *this,u_int8_t major_version)
-{
-	this->major_version = major_version;
-}
-
-/**
- * Implementation of message_t.set_major_version.
- */
-static u_int8_t get_major_version(private_message_t *this)
-{
-	return this->major_version;
-}
-
-/**
- * Implementation of message_t.set_minor_version.
- */
-static void set_minor_version(private_message_t *this,u_int8_t minor_version)
-{
-	this->minor_version = minor_version;
-}
-
-/**
- * Implementation of message_t.get_minor_version.
- */
-static u_int8_t get_minor_version(private_message_t *this)
-{
-	return this->minor_version;
-}
-
-/**
- * Implementation of message_t.set_exchange_type.
- */
-static void set_exchange_type(private_message_t *this,
-							  exchange_type_t exchange_type)
-{
-	this->exchange_type = exchange_type;
-}
-
-/**
- * Implementation of message_t.get_exchange_type.
- */
-static exchange_type_t get_exchange_type(private_message_t *this)
-{
-	return this->exchange_type;
-}
-
-/**
- * Implementation of message_t.get_first_payload_type.
- */
-static payload_type_t get_first_payload_type(private_message_t *this)
-{
-	return this->first_payload;
-}
-
-/**
- * Implementation of message_t.set_request.
- */
-static void set_request(private_message_t *this, bool request)
-{
-	this->is_request = request;
-}
-
-/**
- * Implementation of message_t.get_request.
- */
-static exchange_type_t get_request(private_message_t *this)
-{
-	return this->is_request;
-}
-
-/**
- * Is this message in an encoded form?
- */
-static bool is_encoded(private_message_t *this)
-{
-	chunk_t data = this->packet->get_data(this->packet);
-
-	if (data.ptr == NULL)
-	{
-		return FALSE;
-	}
-	return TRUE;
-}
-
-/**
- * Implementation of message_t.add_payload.
- */
-static void add_payload(private_message_t *this, payload_t *payload)
-{
-	payload_t *last_payload;
-
-	if (this->payloads->get_count(this->payloads) > 0)
-	{
-		this->payloads->get_last(this->payloads, (void **)&last_payload);
-		last_payload->set_next_type(last_payload, payload->get_type(payload));
-	}
-	else
-	{
-		this->first_payload = payload->get_type(payload);
-	}
-	payload->set_next_type(payload, NO_PAYLOAD);
-	this->payloads->insert_last(this->payloads, payload);
-
-	DBG2(DBG_ENC ,"added payload of type %N to message",
-		 payload_type_names, payload->get_type(payload));
-}
-
-/**
- * Implementation of message_t.add_notify.
- */
-static void add_notify(private_message_t *this, bool flush, notify_type_t type,
-					   chunk_t data)
-{
-	notify_payload_t *notify;
-	payload_t *payload;
-
-	if (flush)
-	{
-		while (this->payloads->remove_last(this->payloads,
-												(void**)&payload) == SUCCESS)
-		{
-			payload->destroy(payload);
-		}
-	}
-	notify = notify_payload_create();
-	notify->set_notify_type(notify, type);
-	notify->set_notification_data(notify, data);
-	add_payload(this, (payload_t*)notify);
-}
-
-/**
- * Implementation of message_t.set_source.
- */
-static void set_source(private_message_t *this, host_t *host)
-{
-	this->packet->set_source(this->packet, host);
-}
-
-/**
- * Implementation of message_t.set_destination.
- */
-static void set_destination(private_message_t *this, host_t *host)
-{
-	this->packet->set_destination(this->packet, host);
-}
-
-/**
- * Implementation of message_t.get_source.
- */
-static host_t* get_source(private_message_t *this)
-{
-	return this->packet->get_source(this->packet);
-}
-
-/**
- * Implementation of message_t.get_destination.
- */
-static host_t * get_destination(private_message_t *this)
-{
-	return this->packet->get_destination(this->packet);
-}
-
-/**
- * Implementation of message_t.create_payload_enumerator.
- */
-static enumerator_t *create_payload_enumerator(private_message_t *this)
-{
-	return this->payloads->create_enumerator(this->payloads);
-}
-
-/**
- * Implementation of message_t.get_payload.
- */
-static payload_t *get_payload(private_message_t *this, payload_type_t type)
-{
-	payload_t *current, *found = NULL;
-	enumerator_t *enumerator;
-
-	enumerator = create_payload_enumerator(this);
-	while (enumerator->enumerate(enumerator, &current))
-	{
-		if (current->get_type(current) == type)
-		{
-			found = current;
-			break;
-		}
-	}
-	enumerator->destroy(enumerator);
-	return found;
-}
-
-/**
- * Implementation of message_t.get_notify
- */
-static notify_payload_t* get_notify(private_message_t *this, notify_type_t type)
-{
-	enumerator_t *enumerator;
-	notify_payload_t *notify = NULL;
-	payload_t *payload;
-
-	enumerator = create_payload_enumerator(this);
-	while (enumerator->enumerate(enumerator, &payload))
-	{
-		if (payload->get_type(payload) == NOTIFY)
-		{
-			notify = (notify_payload_t*)payload;
-			if (notify->get_notify_type(notify) == type)
-			{
-				break;
-			}
-			notify = NULL;
-		}
-	}
-	enumerator->destroy(enumerator);
-	return notify;
-}
-
-/**
- * get a string representation of the message
- */
-static char* get_string(private_message_t *this, char *buf, int len)
-{
-	enumerator_t *enumerator;
-	payload_t *payload;
-	int written;
-	char *pos = buf;
-
-	memset(buf, 0, len);
-	len--;
-
-	written = snprintf(pos, len, "%N %s %d [",
-					   exchange_type_names, this->exchange_type,
-					   this->is_request ? "request" : "response",
-					   this->message_id);
-	if (written >= len || written < 0)
-	{
-		return "";
-	}
-	pos += written;
-	len -= written;
-
-	enumerator = create_payload_enumerator(this);
-	while (enumerator->enumerate(enumerator, &payload))
-	{
-		written = snprintf(pos, len, " %N", payload_type_short_names,
-						   payload->get_type(payload));
-		if (written >= len || written < 0)
-		{
-			return buf;
-		}
-		pos += written;
-		len -= written;
-		if (payload->get_type(payload) == NOTIFY)
-		{
-			notify_payload_t *notify = (notify_payload_t*)payload;
-			written = snprintf(pos, len, "(%N)", notify_type_short_names,
-							   notify->get_notify_type(notify));
-			if (written >= len || written < 0)
-			{
-				return buf;
-			}
-			pos += written;
-			len -= written;
-		}
-		if (payload->get_type(payload) == EXTENSIBLE_AUTHENTICATION)
-		{
-			eap_payload_t *eap = (eap_payload_t*)payload;
-			u_int32_t vendor;
-			eap_type_t type;
-			char method[64] = "";
-
-			type = eap->get_type(eap, &vendor);
-			if (type)
-			{
-				if (vendor)
-				{
-					snprintf(method, sizeof(method), "/%d-%d", type, vendor);
-				}
-				else
-				{
-					snprintf(method, sizeof(method), "/%N",
-							 eap_type_short_names, type);
-				}
-			}
-			written = snprintf(pos, len, "/%N%s", eap_code_short_names,
-							   eap->get_code(eap), method);
-			if (written >= len || written < 0)
-			{
-				return buf;
-			}
-			pos += written;
-			len -= written;
-		}
-	}
-	enumerator->destroy(enumerator);
-
-	/* remove last space */
-	snprintf(pos, len, " ]");
-	return buf;
-}
-
-/**
- * reorder payloads depending on reordering rules
- */
-static void order_payloads(private_message_t *this)
-{
-	linked_list_t *list;
-	payload_t *payload;
-	int i;
-
-	/* move to temp list */
-	list = linked_list_create();
-	while (this->payloads->remove_last(this->payloads,
-									   (void**)&payload) == SUCCESS)
-	{
-		list->insert_first(list, payload);
-	}
-	/* for each rule, ... */
-	for (i = 0; i < this->message_rule->payload_order_count; i++)
-	{
-		enumerator_t *enumerator;
-		notify_payload_t *notify;
-		payload_order_t order = this->message_rule->payload_order[i];
-
-		/* ... find all payload ... */
-		enumerator = list->create_enumerator(list);
-		while (enumerator->enumerate(enumerator, &payload))
-		{
-			/* ... with that type ... */
-			if (payload->get_type(payload) == order.type)
-			{
-				notify = (notify_payload_t*)payload;
-
-				/**... and check notify for type. */
-				if (order.type != NOTIFY || order.notify == 0 ||
-					order.notify == notify->get_notify_type(notify))
-				{
-					list->remove_at(list, enumerator);
-					add_payload(this, payload);
-				}
-			}
-		}
-		enumerator->destroy(enumerator);
-	}
-	/* append all payloads without a rule to the end */
-	while (list->remove_last(list, (void**)&payload) == SUCCESS)
-	{
-		/* do not complain about payloads in private use space */
-		if (payload->get_type(payload) < 128)
-		{
-			DBG1(DBG_ENC, "payload %N has no ordering rule in %N %s",
-				 payload_type_names, payload->get_type(payload),
-				 exchange_type_names, this->message_rule->exchange_type,
-				 this->message_rule->is_request ? "request" : "response");
-		}
-		add_payload(this, payload);
-	}
-	list->destroy(list);
-}
-
-/**
- * Implementation of private_message_t.encrypt_payloads.
- */
-static status_t encrypt_payloads(private_message_t *this,
-								 crypter_t *crypter, signer_t* signer)
-{
-	encryption_payload_t *encryption;
-	linked_list_t *payloads;
-	payload_t *current;
-	status_t status;
-
-	if (!this->message_rule->encrypted_content)
-	{
-		DBG2(DBG_ENC, "message doesn't have to be encrypted");
-		/* message contains no content to encrypt */
-		return SUCCESS;
-	}
-
-	if (!crypter || !signer)
-	{
-		DBG2(DBG_ENC, "no crypter or signer specified, do not encrypt message");
-		/* message contains no content to encrypt */
-		return SUCCESS;
-	}
-
-	DBG2(DBG_ENC, "copy all payloads to a temporary list");
-	payloads = linked_list_create();
-
-	/* first copy all payloads in a temporary list */
-	while (this->payloads->get_count(this->payloads) > 0)
-	{
-		this->payloads->remove_first(this->payloads, (void**)&current);
-		payloads->insert_last(payloads, current);
-	}
-
-	encryption = encryption_payload_create();
-
-	DBG2(DBG_ENC, "check each payloads if they have to get encrypted");
-	while (payloads->get_count(payloads) > 0)
-	{
-		payload_rule_t *rule;
-		payload_type_t type;
-		bool to_encrypt = TRUE;
-
-		payloads->remove_first(payloads, (void**)&current);
-
-		type = current->get_type(current);
-		if (get_payload_rule(this, type, &rule) == SUCCESS)
-		{
-			to_encrypt = rule->encrypted;
-		}
-		if (to_encrypt)
-		{
-			DBG2(DBG_ENC, "insert payload %N to encryption payload",
-				 payload_type_names, current->get_type(current));
-			encryption->add_payload(encryption, current);
-		}
-		else
-		{
-			DBG2(DBG_ENC, "insert payload %N unencrypted",
-				 payload_type_names, current->get_type(current));
-			add_payload(this, (payload_t*)current);
-		}
-	}
-
-	DBG2(DBG_ENC, "encrypting encryption payload");
-	encryption->set_transforms(encryption, crypter, signer);
-	status = encryption->encrypt(encryption);
-	DBG2(DBG_ENC, "add encrypted payload to payload list");
-	add_payload(this, (payload_t*)encryption);
-
-	payloads->destroy(payloads);
-
-	return status;
-}
-
-/**
- * Implementation of message_t.generate.
- */
-static status_t generate(private_message_t *this, crypter_t *crypter,
-						 signer_t* signer, packet_t **packet)
-{
-	generator_t *generator;
-	ike_header_t *ike_header;
-	payload_t *payload, *next_payload;
-	enumerator_t *enumerator;
-	status_t status;
-	chunk_t packet_data;
-	char str[256];
-
-	if (is_encoded(this))
-	{
-		/* already generated, return a new packet clone */
-		*packet = this->packet->clone(this->packet);
-		return SUCCESS;
-	}
-
-	if (this->exchange_type == EXCHANGE_TYPE_UNDEFINED)
-	{
-		DBG1(DBG_ENC, "exchange type is not defined");
-		return INVALID_STATE;
-	}
-
-	if (this->packet->get_source(this->packet) == NULL ||
-		this->packet->get_destination(this->packet) == NULL)
-	{
-		DBG1(DBG_ENC, "%s not defined",
-			 !this->packet->get_source(this->packet) ? "source" : "destination");
-		return INVALID_STATE;
-	}
-
-	/* set the rules for this messge */
-	status = set_message_rule(this);
-	if (status != SUCCESS)
-	{
-		DBG1(DBG_ENC, "no message rules specified for this message type");
-		return NOT_SUPPORTED;
-	}
-
-	order_payloads(this);
-
-	DBG1(DBG_ENC, "generating %s", get_string(this, str, sizeof(str)));
-
-	/* going to encrypt all content which have to be encrypted */
-	status = encrypt_payloads(this, crypter, signer);
-	if (status != SUCCESS)
-	{
-		DBG1(DBG_ENC, "payload encryption failed");
-		return status;
-	}
-
-	/* build ike header */
-	ike_header = ike_header_create();
-
-	ike_header->set_exchange_type(ike_header, this->exchange_type);
-	ike_header->set_message_id(ike_header, this->message_id);
-	ike_header->set_response_flag(ike_header, !this->is_request);
-	ike_header->set_initiator_flag(ike_header,
-						this->ike_sa_id->is_initiator(this->ike_sa_id));
-	ike_header->set_initiator_spi(ike_header,
-						this->ike_sa_id->get_initiator_spi(this->ike_sa_id));
-	ike_header->set_responder_spi(ike_header,
-						this->ike_sa_id->get_responder_spi(this->ike_sa_id));
-
-	generator = generator_create();
-
-	payload = (payload_t*)ike_header;
-
-	/* generate every payload expect last one, this is done later*/
-	enumerator = create_payload_enumerator(this);
-	while (enumerator->enumerate(enumerator, &next_payload))
-	{
-		payload->set_next_type(payload, next_payload->get_type(next_payload));
-		generator->generate_payload(generator, payload);
-		payload = next_payload;
-	}
-	enumerator->destroy(enumerator);
-
-	/* last payload has no next payload*/
-	payload->set_next_type(payload, NO_PAYLOAD);
-
-	generator->generate_payload(generator, payload);
-
-	ike_header->destroy(ike_header);
-
-	/* build packet */
-	generator->write_to_chunk(generator, &packet_data);
-	generator->destroy(generator);
-
-	/* if last payload is of type encrypted, integrity checksum if necessary */
-	if (payload->get_type(payload) == ENCRYPTED)
-	{
-		DBG2(DBG_ENC, "build signature on whole message");
-		encryption_payload_t *encryption_payload = (encryption_payload_t*)payload;
-		status = encryption_payload->build_signature(encryption_payload, packet_data);
-		if (status != SUCCESS)
-		{
-			return status;
-		}
-	}
-
-	this->packet->set_data(this->packet, packet_data);
-
-	/* clone packet for caller */
-	*packet = this->packet->clone(this->packet);
-
-	DBG2(DBG_ENC, "message generated successfully");
-	return SUCCESS;
-}
-
-/**
- * Implementation of message_t.get_packet.
- */
-static packet_t *get_packet(private_message_t *this)
-{
-	if (this->packet == NULL)
-	{
-		return NULL;
-	}
-	return this->packet->clone(this->packet);
-}
-
-/**
- * Implementation of message_t.get_packet_data.
- */
-static chunk_t get_packet_data(private_message_t *this)
-{
-	if (this->packet == NULL)
-	{
-		return chunk_empty;
-	}
-	return chunk_clone(this->packet->get_data(this->packet));
-}
-
-/**
- * Implementation of message_t.parse_header.
- */
-static status_t parse_header(private_message_t *this)
-{
-	ike_header_t *ike_header;
-	status_t status;
-
-	DBG2(DBG_ENC, "parsing header of message");
-
-	this->parser->reset_context(this->parser);
-	status = this->parser->parse_payload(this->parser, HEADER,
-										 (payload_t**)&ike_header);
-	if (status != SUCCESS)
-	{
-		DBG1(DBG_ENC, "header could not be parsed");
-		return status;
-
-	}
-
-	/* verify payload */
-	status = ike_header->payload_interface.verify(
-										&ike_header->payload_interface);
-	if (status != SUCCESS)
-	{
-		DBG1(DBG_ENC, "header verification failed");
-		ike_header->destroy(ike_header);
-		return status;
-	}
-
-	if (this->ike_sa_id != NULL)
-	{
-		this->ike_sa_id->destroy(this->ike_sa_id);
-	}
-
-	this->ike_sa_id = ike_sa_id_create(ike_header->get_initiator_spi(ike_header),
-									ike_header->get_responder_spi(ike_header),
-									ike_header->get_initiator_flag(ike_header));
-
-	this->exchange_type = ike_header->get_exchange_type(ike_header);
-	this->message_id = ike_header->get_message_id(ike_header);
-	this->is_request = (!(ike_header->get_response_flag(ike_header)));
-	this->major_version = ike_header->get_maj_version(ike_header);
-	this->minor_version = ike_header->get_min_version(ike_header);
-	this->first_payload = ike_header->payload_interface.get_next_type(
-												&ike_header->payload_interface);
-
-	DBG2(DBG_ENC, "parsed a %N %s", exchange_type_names, this->exchange_type,
-		 this->is_request ? "request" : "response");
-
-	ike_header->destroy(ike_header);
-
-	/* get the rules for this messge */
-	status = set_message_rule(this);
-	if (status != SUCCESS)
-	{
-		DBG1(DBG_ENC, "no message rules specified for a %N %s",
-			 exchange_type_names, this->exchange_type,
-			 this->is_request ? "request" : "response");
-	}
-
-	return status;
-}
-
-/**
- * Implementation of private_message_t.decrypt_and_verify_payloads.
- */
-static status_t decrypt_payloads(private_message_t *this, crypter_t *crypter,
-								 signer_t* signer)
-{
-	bool current_payload_was_encrypted = FALSE;
-	payload_t *previous_payload = NULL;
-	int payload_number = 1;
-	iterator_t *iterator;
-	payload_t *current_payload;
-	status_t status;
-
-	iterator = this->payloads->create_iterator(this->payloads,TRUE);
-
-	/* process each payload and decrypt a encryption payload */
-	while(iterator->iterate(iterator, (void**)&current_payload))
-	{
-		payload_rule_t *payload_rule;
-		payload_type_t current_payload_type;
-
-		/* needed to check */
-		current_payload_type = current_payload->get_type(current_payload);
-
-		DBG2(DBG_ENC, "process payload of type %N",
-			 payload_type_names, current_payload_type);
-
-		if (current_payload_type == ENCRYPTED)
-		{
-			encryption_payload_t *encryption_payload;
-			payload_t *current_encrypted_payload;
-
-			encryption_payload = (encryption_payload_t*)current_payload;
-
-			DBG2(DBG_ENC, "found an encryption payload");
-
-			if (payload_number != this->payloads->get_count(this->payloads))
-			{
-				/* encrypted payload is not last one */
-				DBG1(DBG_ENC, "encrypted payload is not last payload");
-				iterator->destroy(iterator);
-				return VERIFY_ERROR;
-			}
-			/* decrypt */
-			encryption_payload->set_transforms(encryption_payload,
-											   crypter, signer);
-			DBG2(DBG_ENC, "verify signature of encryption payload");
-			status = encryption_payload->verify_signature(encryption_payload,
-										this->packet->get_data(this->packet));
-			if (status != SUCCESS)
-			{
-				DBG1(DBG_ENC, "encryption payload signature invalid");
-				iterator->destroy(iterator);
-				return FAILED;
-			}
-			DBG2(DBG_ENC, "decrypting content of encryption payload");
-			status = encryption_payload->decrypt(encryption_payload);
-			if (status != SUCCESS)
-			{
-				DBG1(DBG_ENC, "encrypted payload could not be decrypted and parsed");
-				iterator->destroy(iterator);
-				return PARSE_ERROR;
-			}
-
-			/* needed later to find out if a payload was encrypted */
-			current_payload_was_encrypted = TRUE;
-
-			/* check if there are payloads contained in the encryption payload */
-			if (encryption_payload->get_payload_count(encryption_payload) == 0)
-			{
-				DBG2(DBG_ENC, "encrypted payload is empty");
-				/* remove the encryption payload, is not needed anymore */
-				iterator->remove(iterator);
-				/* encrypted payload contains no other payload */
-				current_payload_type = NO_PAYLOAD;
-			}
-			else
-			{
-				/* encryption_payload is replaced with first payload contained
-				 * in encryption_payload */
-				encryption_payload->remove_first_payload(encryption_payload,
-													&current_encrypted_payload);
-				iterator->replace(iterator, NULL,
-								  (void *)current_encrypted_payload);
-				current_payload_type = current_encrypted_payload->get_type(
-													current_encrypted_payload);
-			}
-
-			/* is the current paylad the first in the message? */
-			if (previous_payload == NULL)
-			{
-				/* yes, set the first payload type of the message to the
-				 * current type */
-				this->first_payload = current_payload_type;
-			}
-			else
-			{
-				/* no, set the next_type of the previous payload to the
-				 * current type */
-				previous_payload->set_next_type(previous_payload,
-												current_payload_type);
-			}
-
-			/* all encrypted payloads are added to the payload list */
-			while (encryption_payload->get_payload_count(encryption_payload) > 0)
-			{
-				encryption_payload->remove_first_payload(encryption_payload,
-													&current_encrypted_payload);
-				DBG2(DBG_ENC, "insert unencrypted payload of type "
-					 "%N at end of list", payload_type_names,
-					 current_encrypted_payload->get_type(
-											current_encrypted_payload));
-				this->payloads->insert_last(this->payloads,
-											current_encrypted_payload);
-			}
-
-			/* encryption payload is processed, payloads are moved. Destroy it. */
-			encryption_payload->destroy(encryption_payload);
-		}
-
-		/* we allow unknown payloads of any type and don't bother if it was
-		 * encrypted. Not our problem. */
-		if (current_payload_type != UNKNOWN_PAYLOAD &&
-			current_payload_type != NO_PAYLOAD)
-		{
-			/* get the ruleset for found payload */
-			status = get_payload_rule(this, current_payload_type, &payload_rule);
-			if (status != SUCCESS)
-			{
-				/* payload is not allowed */
-				DBG1(DBG_ENC, "payload type %N not allowed",
-								  payload_type_names, current_payload_type);
-				iterator->destroy(iterator);
-				return VERIFY_ERROR;
-			}
-
-			/* check if the payload was encrypted, and if it should been have
-			 * encrypted */
-			if (payload_rule->encrypted != current_payload_was_encrypted)
-			{
-				/* payload was not encrypted, but should have been.
-				 * or vice-versa */
-				DBG1(DBG_ENC, "payload type %N should be %s!",
-					 payload_type_names, current_payload_type,
-					 (payload_rule->encrypted) ? "encrypted" : "not encrypted");
-				iterator->destroy(iterator);
-				return VERIFY_ERROR;
-			}
-		}
-		/* advance to the next payload */
-		payload_number++;
-		/* is stored to set next payload in case of found encryption payload */
-		previous_payload = current_payload;
-	}
-	iterator->destroy(iterator);
-	return SUCCESS;
-}
-
-/**
- * Implementation of private_message_t.verify.
- */
-static status_t verify(private_message_t *this)
-{
-	int i;
-	enumerator_t *enumerator;
-	payload_t *current_payload;
-	size_t total_found_payloads = 0;
-
-	DBG2(DBG_ENC, "verifying message structure");
-
-	/* check for payloads with wrong count*/
-	for (i = 0; i < this->message_rule->payload_rule_count; i++)
-	{
-		size_t found_payloads = 0;
-		payload_rule_t *rule;
-
-		rule = &this->message_rule->payload_rules[i];
-		enumerator = create_payload_enumerator(this);
-
-		/* check all payloads for specific rule */
-		while (enumerator->enumerate(enumerator, &current_payload))
-		{
-			payload_type_t current_payload_type;
-			unknown_payload_t *unknown_payload;
-
-			current_payload_type = current_payload->get_type(current_payload);
-			if (current_payload_type == UNKNOWN_PAYLOAD)
-			{
-				/* unknown payloads are ignored, IF they are not critical */
-				unknown_payload = (unknown_payload_t*)current_payload;
-				if (unknown_payload->is_critical(unknown_payload))
-				{
-					DBG1(DBG_ENC, "%N is not supported, but its critical!",
-						 payload_type_names, current_payload_type);
-					enumerator->destroy(enumerator);
-					return NOT_SUPPORTED;
-				}
-			}
-			else if (current_payload_type == rule->payload_type)
-			{
-				found_payloads++;
-				total_found_payloads++;
-				DBG2(DBG_ENC, "found payload of type %N", payload_type_names,
-					 rule->payload_type);
-
-				/* as soon as ohe payload occures more then specified,
-				 * the verification fails */
-				if (found_payloads >
-					rule->max_occurence)
-				{
-					DBG1(DBG_ENC, "payload of type %N more than %d times (%d) "
-						 "occured in current message", payload_type_names,
-						 current_payload_type, rule->max_occurence,
-						 found_payloads);
-					enumerator->destroy(enumerator);
-					return VERIFY_ERROR;
-				}
-			}
-		}
-
-		if (found_payloads < rule->min_occurence)
-		{
-			DBG1(DBG_ENC, "payload of type %N not occured %d times (%d)",
-				 payload_type_names, rule->payload_type, rule->min_occurence,
-				 found_payloads);
-			enumerator->destroy(enumerator);
-			return VERIFY_ERROR;
-		}
-		if (rule->sufficient &&
-			this->payloads->get_count(this->payloads) == total_found_payloads)
-		{
-			enumerator->destroy(enumerator);
-			return SUCCESS;
-		}
-		enumerator->destroy(enumerator);
-	}
-	return SUCCESS;
-}
-
-/**
- * Implementation of message_t.parse_body.
- */
-static status_t parse_body(private_message_t *this, crypter_t *crypter,
-						   signer_t *signer)
-{
-	status_t status = SUCCESS;
-	payload_type_t current_payload_type;
-	char str[256];
-
-	current_payload_type = this->first_payload;
-
-	DBG2(DBG_ENC, "parsing body of message, first payload is %N",
-		 payload_type_names, current_payload_type);
-
-	/* parse payload for payload, while there are more available */
-	while ((current_payload_type != NO_PAYLOAD))
-	{
-		payload_t *current_payload;
-
-		DBG2(DBG_ENC, "starting parsing a %N payload",
-			 payload_type_names, current_payload_type);
-
-		/* parse current payload */
-		status = this->parser->parse_payload(this->parser, current_payload_type,
-											 (payload_t**)&current_payload);
-		if (status != SUCCESS)
-		{
-			DBG1(DBG_ENC, "payload type %N could not be parsed",
-				 payload_type_names, current_payload_type);
-			return PARSE_ERROR;
-		}
-
-		DBG2(DBG_ENC, "verifying payload of type %N",
-			 payload_type_names, current_payload_type);
-
-		/* verify it, stop parsig if its invalid */
-		status = current_payload->verify(current_payload);
-		if (status != SUCCESS)
-		{
-			DBG1(DBG_ENC, "%N payload verification failed",
-				 payload_type_names, current_payload_type);
-			current_payload->destroy(current_payload);
-			return VERIFY_ERROR;
-		}
-
-		DBG2(DBG_ENC, "%N payload verified. Adding to payload list",
-			 payload_type_names, current_payload_type);
-		this->payloads->insert_last(this->payloads,current_payload);
-
-		/* an encryption payload is the last one, so STOP here. decryption is
-		 * done later */
-		if (current_payload_type == ENCRYPTED)
-		{
-			DBG2(DBG_ENC, "%N payload found. Stop parsing",
-				 payload_type_names, current_payload_type);
-			break;
-		}
-
-		/* get next payload type */
-		current_payload_type = current_payload->get_next_type(current_payload);
-	}
-
-	if (current_payload_type == ENCRYPTED)
-	{
-		status = decrypt_payloads(this,crypter,signer);
-		if (status != SUCCESS)
-		{
-			DBG1(DBG_ENC, "could not decrypt payloads");
-			return status;
-		}
-	}
-
-	status = verify(this);
-	if (status != SUCCESS)
-	{
-		return status;
-	}
-
-	DBG1(DBG_ENC, "parsed %s", get_string(this, str, sizeof(str)));
-
-	return SUCCESS;
-}
-
-/**
- * Implementation of message_t.destroy.
- */
-static void destroy (private_message_t *this)
-{
-	DESTROY_IF(this->ike_sa_id);
-	this->payloads->destroy_offset(this->payloads, offsetof(payload_t, destroy));
-	this->packet->destroy(this->packet);
-	this->parser->destroy(this->parser);
-	free(this);
-}
-
-/*
- * Described in Header-File
- */
-message_t *message_create_from_packet(packet_t *packet)
-{
-	private_message_t *this = malloc_thing(private_message_t);
-
-	/* public functions */
-	this->public.set_major_version = (void(*)(message_t*, u_int8_t))set_major_version;
-	this->public.get_major_version = (u_int8_t(*)(message_t*))get_major_version;
-	this->public.set_minor_version = (void(*)(message_t*, u_int8_t))set_minor_version;
-	this->public.get_minor_version = (u_int8_t(*)(message_t*))get_minor_version;
-	this->public.set_message_id = (void(*)(message_t*, u_int32_t))set_message_id;
-	this->public.get_message_id = (u_int32_t(*)(message_t*))get_message_id;
-	this->public.get_initiator_spi = (u_int64_t(*)(message_t*))get_initiator_spi;
-	this->public.get_responder_spi = (u_int64_t(*)(message_t*))get_responder_spi;
-	this->public.set_ike_sa_id = (void(*)(message_t*, ike_sa_id_t *))set_ike_sa_id;
-	this->public.get_ike_sa_id = (ike_sa_id_t*(*)(message_t*))get_ike_sa_id;
-	this->public.set_exchange_type = (void(*)(message_t*, exchange_type_t))set_exchange_type;
-	this->public.get_exchange_type = (exchange_type_t(*)(message_t*))get_exchange_type;
-	this->public.get_first_payload_type = (payload_type_t(*)(message_t*))get_first_payload_type;
-	this->public.set_request = (void(*)(message_t*, bool))set_request;
-	this->public.get_request = (bool(*)(message_t*))get_request;
-	this->public.add_payload = (void(*)(message_t*,payload_t*))add_payload;
-	this->public.add_notify = (void(*)(message_t*,bool,notify_type_t,chunk_t))add_notify;
-	this->public.generate = (status_t (*) (message_t *,crypter_t*,signer_t*,packet_t**)) generate;
-	this->public.set_source = (void (*) (message_t*,host_t*)) set_source;
-	this->public.get_source = (host_t * (*) (message_t*)) get_source;
-	this->public.set_destination = (void (*) (message_t*,host_t*)) set_destination;
-	this->public.get_destination = (host_t * (*) (message_t*)) get_destination;
-	this->public.create_payload_enumerator = (enumerator_t * (*) (message_t *)) create_payload_enumerator;
-	this->public.get_payload = (payload_t * (*) (message_t *, payload_type_t)) get_payload;
-	this->public.get_notify = (notify_payload_t*(*)(message_t*, notify_type_t type))get_notify;
-	this->public.parse_header = (status_t (*) (message_t *)) parse_header;
-	this->public.parse_body = (status_t (*) (message_t *,crypter_t*,signer_t*)) parse_body;
-	this->public.get_packet = (packet_t * (*) (message_t*)) get_packet;
-	this->public.get_packet_data = (chunk_t (*) (message_t *this)) get_packet_data;
-	this->public.destroy = (void(*)(message_t*))destroy;
-
-	/* private values */
-	this->exchange_type = EXCHANGE_TYPE_UNDEFINED;
-	this->is_request = TRUE;
-	this->ike_sa_id = NULL;
-	this->first_payload = NO_PAYLOAD;
-	this->message_id = 0;
-
-	/* private values */
-	if (packet == NULL)
-	{
-		packet = packet_create();
-	}
-	this->message_rule = NULL;
-	this->packet = packet;
-	this->payloads = linked_list_create();
-
-	/* parser is created from data of packet */
-	this->parser = parser_create(this->packet->get_data(this->packet));
-
-	return (&this->public);
-}
-
-/*
- * Described in Header.
- */
-message_t *message_create()
-{
-	return message_create_from_packet(NULL);
-}
-
diff --git a/src/charon/encoding/message.h b/src/charon/encoding/message.h
deleted file mode 100644
index 2c7718f49..000000000
--- a/src/charon/encoding/message.h
+++ /dev/null
@@ -1,359 +0,0 @@
-/*
- * Copyright (C) 2006-2007 Tobias Brunner
- * Copyright (C) 2005-2009 Martin Willi
- * Copyright (C) 2006 Daniel Roethlisberger
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup message message
- * @{ @ingroup encoding
- */
-
-#ifndef MESSAGE_H_
-#define MESSAGE_H_
-
-typedef struct message_t message_t;
-
-#include <library.h>
-#include <sa/ike_sa_id.h>
-#include <network/packet.h>
-#include <encoding/payloads/ike_header.h>
-#include <encoding/payloads/notify_payload.h>
-#include <utils/linked_list.h>
-#include <crypto/crypters/crypter.h>
-#include <crypto/signers/signer.h>
-
-/**
- * This class is used to represent an IKEv2-Message.
- *
- * The message handles parsing and generation of payloads
- * via parser_t/generator_t. Encryption is done transparently
- * via the encryption_payload_t. A set of rules for messages
- * and payloads does check parsed messages.
- */
-struct message_t {
-
-	/**
-	 * Sets the IKE major version of the message.
-	 *
-	 * @param major_version	major version to set
-	 */
-	void (*set_major_version) (message_t *this,u_int8_t major_version);
-
-	/**
-	 * Gets the IKE major version of the message.
-	 *
-	 * @return				major version of the message
-	 */
-	u_int8_t (*get_major_version) (message_t *this);
-
-	/**
-	 * Sets the IKE minor version of the message.
-	 *
-	 * @param minor_version	minor version to set
-	 */
-	void (*set_minor_version) (message_t *this,u_int8_t minor_version);
-
-	/**
-	 * Gets the IKE minor version of the message.
-	 *
-	 * @return				minor version of the message
-	 */
-	u_int8_t (*get_minor_version) (message_t *this);
-
-	/**
-	 * Sets the Message ID of the message.
-	 *
-	 * @param message_id	message_id to set
-	 */
-	void (*set_message_id) (message_t *this,u_int32_t message_id);
-
-	/**
-	 * Gets the Message ID of the message.
-	 *
-	 * @return				message_id type of the message
-	 */
-	u_int32_t (*get_message_id) (message_t *this);
-
-	/**
-	 * Gets the initiator SPI of the message.
-	 *
-	 * @return				initiator spi of the message
-	 */
-	u_int64_t (*get_initiator_spi) (message_t *this);
-
-	/**
-	 * Gets the responder SPI of the message.
-	 *
-	 * @return				responder spi of the message
-	 */
-	u_int64_t (*get_responder_spi) (message_t *this);
-
-	/**
-	 * Sets the IKE_SA ID of the message.
-	 *
-	 * ike_sa_id gets cloned.
-	 *
-	 * @param ike_sa_id		ike_sa_id to set
-	 */
-	void (*set_ike_sa_id) (message_t *this, ike_sa_id_t * ike_sa_id);
-
-	/**
-	 * Gets the IKE_SA ID of the message.
-	 *
-	 * The ike_sa_id points to the message internal id, do not modify.
-	 *
-	 * @return				ike_sa_id of message
-	 */
-	ike_sa_id_t *(*get_ike_sa_id) (message_t *this);
-
-	/**
-	 * Sets the exchange type of the message.
-	 *
-	 * @param exchange_type	exchange_type to set
-	 */
-	void (*set_exchange_type) (message_t *this,exchange_type_t exchange_type);
-
-	/**
-	 * Gets the exchange type of the message.
-	 *
-	 * @return				exchange type of the message
-	 */
-	exchange_type_t (*get_exchange_type) (message_t *this);
-
-	/**
-	 * Gets the payload type of the first payload.
-	 *
-	 * @return				payload type of the first payload
-	 */
-	payload_type_t (*get_first_payload_type) (message_t *this);
-
-	/**
-	 * Sets the request flag.
-	 *
-	 * @param request		TRUE if message is a request, FALSE if it is a reply
-	 */
-	void (*set_request) (message_t *this, bool request);
-
-	/**
-	 * Gets request flag.
-	 *
-	 * @return				TRUE if message is a request, FALSE if it is a reply
-	 */
-	bool (*get_request) (message_t *this);
-
-	/**
-	 * Append a payload to the message.
-	 *
-	 * If the payload must be encrypted is not specified here. Encryption
-	 * of payloads is evaluated via internal rules for the messages and
-	 * is done before generation. The order of payloads may change, since
-	 * all payloads to encrypt are added to the encryption payload, which is
-	 * always the last one.
-	 *
-	 * @param payload 		payload to append
-	 */
-	void (*add_payload) (message_t *this, payload_t *payload);
-
-	/**
-	 * Build a notify payload and add it to the message.
-	 *
-	 * This is a helper method to create notify messages or add
-	 * notify payload to messages. The flush parameter specifies if existing
-	 * payloads should get removed before appending the notify.
-	 *
-	 * @param flush			TRUE to remove existing payloads
-	 * @param type			type of the notify
-	 * @param data			a chunk of data to add to the notify, gets cloned
-	 */
-	void (*add_notify) (message_t *this, bool flush, notify_type_t type,
-						chunk_t data);
-
-	/**
-	 * Parses header of message.
-	 *
-	 * Begins parisng of a message created via message_create_from_packet().
-	 * The parsing context is stored, so a subsequent call to parse_body()
-	 * will continue the parsing process.
-	 *
-	 * @return
-	 * 					- SUCCESS if header could be parsed
-	 *					- PARSE_ERROR if corrupted/invalid data found
-	 * 					- FAILED if consistence check of header failed
-	 */
-	status_t (*parse_header) (message_t *this);
-
-	/**
-	 * Parses body of message.
-	 *
-	 * The body gets not only parsed, but rather it gets verified.
-	 * All payloads are verified if they are allowed to exist in the message
-	 * of this type and if their own structure is ok.
-	 * If there are encrypted payloads, they get decrypted via the supplied
-	 * crypter. Also the message integrity gets verified with the supplied
-	 * signer.
-	 * Crypter/signer can be omitted (by passing NULL) when no encryption
-	 * payload is expected.
-	 *
-	 * @param crypter	crypter to decrypt encryption payloads
-	 * @param signer	signer to verifiy a message with an encryption payload
-	 * @return
-	 * 					- SUCCESS if parsing successful
-	 * 					- NOT_SUPPORTED if ciritcal unknown payloads found
-	 * 					- NOT_SUPPORTED if message type is not supported!
-	 *					- PARSE_ERROR if message parsing failed
-	 * 					- VERIFY_ERROR if message verification failed (bad syntax)
-	 * 					- FAILED if integrity check failed
-	 * 					- INVALID_STATE if crypter/signer not supplied, but needed
-	 */
-	status_t (*parse_body) (message_t *this, crypter_t *crypter, signer_t *signer);
-
-	/**
-	 * Generates the UDP packet of specific message.
-	 *
-	 * Payloads which must be encrypted are generated first and added to
-	 * an encryption payload. This encryption payload will get encrypted via
-	 * the supplied crypter. Then all other payloads and the header get generated.
-	 * After that, the checksum is added to the encryption payload over the full
-	 * message.
-	 * Crypter/signer can be omitted (by passing NULL) when no encryption
-	 * payload is expected.
-	 * Generation is only done once, multiple calls will just return a packet copy.
-	 *
-	 * @param crypter	crypter to use when a payload must be encrypted
-	 * @param signer	signer to build a mac
-	 * @param packet	copy of generated packet
-	 * @return
-	 * 					- SUCCESS if packet could be generated
-	 * 					- INVALID_STATE if exchange type is currently not set
-	 * 					- NOT_FOUND if no rules found for message generation
-	 * 					- INVALID_STATE if crypter/signer not supplied but needed.
-	 */
-	status_t (*generate) (message_t *this, crypter_t *crypter, signer_t *signer, packet_t **packet);
-
-	/**
-	 * Gets the source host informations.
-	 *
-	 * @warning Returned host_t object is not getting cloned,
-	 * do not destroy nor modify.
-	 *
-	 * @return			host_t object representing source host
-	 */
-	host_t * (*get_source) (message_t *this);
-
-	/**
-	 * Sets the source host informations.
-	 *
-	 * @warning host_t object is not getting cloned and gets destroyed by
-	 * 			message_t.destroy or next call of message_t.set_source.
-	 *
-	 * @param host		host_t object representing source host
-	 */
-	void (*set_source) (message_t *this, host_t *host);
-
-	/**
-	 * Gets the destination host informations.
-	 *
-	 * @warning Returned host_t object is not getting cloned,
-	 * do not destroy nor modify.
-	 *
-	 * @return			host_t object representing destination host
-	 */
-	host_t * (*get_destination) (message_t *this);
-
-	/**
-	 * Sets the destination host informations.
-	 *
-	 * @warning host_t object is not getting cloned and gets destroyed by
-	 * 			message_t.destroy or next call of message_t.set_destination.
-	 *
-	 * @param host		host_t object representing destination host
-	 */
-	void (*set_destination) (message_t *this, host_t *host);
-
-	/**
-	 * Create an enumerator over all payloads.
-	 *
-	 * @return			enumerator over payload_t
-	 */
-	enumerator_t * (*create_payload_enumerator) (message_t *this);
-
-	/**
-	 * Find a payload of a specific type.
-	 *
-	 * Returns the first occurance.
-	 *
-	 * @param type		type of the payload to find
-	 * @return			payload, or NULL if no such payload found
-	 */
-	payload_t* (*get_payload) (message_t *this, payload_type_t type);
-
-	/**
-	 * Get the first notify payload of a specific type.
-	 *
-	 * @param type		type of notification payload
-	 * @return			notify payload, NULL if no such notify found
-	 */
-	notify_payload_t* (*get_notify)(message_t *this, notify_type_t type);
-
-	/**
-	 * Returns a clone of the internal stored packet_t object.
-	 *
-	 * @return			packet_t object as clone of internal one
-	 */
-	packet_t * (*get_packet) (message_t *this);
-
-	/**
-	 * Returns a clone of the internal stored packet_t data.
-	 *
-	 * @return			clone of the internal stored packet_t data.
-	 */
-	chunk_t (*get_packet_data) (message_t *this);
-
-	/**
-	 * Destroys a message and all including objects.
-	 */
-	void (*destroy) (message_t *this);
-};
-
-/**
- * Creates an message_t object from a incoming UDP Packet.
- *
- * @warning the given packet_t object is not copied and gets
- *			destroyed in message_t's destroy call.
- *
- * - exchange_type is set to NOT_SET
- * - original_initiator is set to TRUE
- * - is_request is set to TRUE
- * Call message_t.parse_header afterwards.
- *
- * @param packet		packet_t object which is assigned to message
- * @return 				message_t object
- */
-message_t * message_create_from_packet(packet_t *packet);
-
-
-/**
- * Creates an empty message_t object.
- *
- * - exchange_type is set to NOT_SET
- * - original_initiator is set to TRUE
- * - is_request is set to TRUE
- *
- * @return message_t object
- */
-message_t * message_create(void);
-
-#endif /** MESSAGE_H_ @}*/
diff --git a/src/charon/encoding/parser.c b/src/charon/encoding/parser.c
deleted file mode 100644
index 9aa34b1bc..000000000
--- a/src/charon/encoding/parser.c
+++ /dev/null
@@ -1,862 +0,0 @@
-/*
- * Copyright (C) 2005-2009 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <stdlib.h>
-#include <arpa/inet.h>
-#include <string.h>
-
-#include "parser.h"
-
-#include <library.h>
-#include <daemon.h>
-#include <utils/linked_list.h>
-#include <encoding/payloads/encodings.h>
-#include <encoding/payloads/payload.h>
-#include <encoding/payloads/sa_payload.h>
-#include <encoding/payloads/proposal_substructure.h>
-#include <encoding/payloads/transform_substructure.h>
-#include <encoding/payloads/transform_attribute.h>
-#include <encoding/payloads/ke_payload.h>
-#include <encoding/payloads/nonce_payload.h>
-#include <encoding/payloads/id_payload.h>
-#include <encoding/payloads/notify_payload.h>
-#include <encoding/payloads/encryption_payload.h>
-#include <encoding/payloads/auth_payload.h>
-#include <encoding/payloads/cert_payload.h>
-#include <encoding/payloads/certreq_payload.h>
-#include <encoding/payloads/ts_payload.h>
-#include <encoding/payloads/delete_payload.h>
-#include <encoding/payloads/vendor_id_payload.h>
-#include <encoding/payloads/cp_payload.h>
-#include <encoding/payloads/configuration_attribute.h>
-#include <encoding/payloads/eap_payload.h>
-#include <encoding/payloads/unknown_payload.h>
-
-
-typedef struct private_parser_t private_parser_t;
-
-/**
- * Private data stored in a context.
- *
- * Contains pointers and counters to store current state.
- */
-struct private_parser_t {
-	/**
-	 * Public members, see parser_t.
-	 */
-	parser_t public;
-
-	/**
-	 * Current bit for reading in input data.
-	 */
-	u_int8_t bit_pos;
-
-	/**
-	 * Current byte for reading in input data.
-	 */
-	u_int8_t *byte_pos;
-
-	/**
-	 * Input data to parse.
-	 */
-	u_int8_t *input;
-
-	/**
-	 * Roof of input, used for length-checking.
-	 */
-	u_int8_t *input_roof;
-
-	/**
-	 * Set of encoding rules for this parsing session.
-	 */
-	encoding_rule_t *rules;
-};
-
-/**
- * Forward declaration
- */
-static status_t parse_payload(private_parser_t *this,
-							  payload_type_t payload_type, payload_t **payload);
-
-/**
- * Log invalid length error
- */
-static bool short_input(private_parser_t *this, int number)
-{
-	DBG1(DBG_ENC, "  not enough input to parse rule %d %N",
-		 number, encoding_type_names, this->rules[number].type);
-	return FALSE;
-}
-
-/**
- * Log unaligned rules
- */
-static bool bad_bitpos(private_parser_t *this, int number)
-{
-	DBG1(DBG_ENC, "  found rule %d %N on bitpos %d",
-		 number, encoding_type_names, this->rules[number].type, this->bit_pos);
-	return FALSE;
-}
-
-/**
- * Parse a 4-Bit unsigned integer from the current parsing position.
- */
-static bool parse_uint4(private_parser_t *this, int rule_number,
-						u_int8_t *output_pos)
-{
-	if (this->byte_pos + sizeof(u_int8_t) > this->input_roof)
-	{
-		return short_input(this, rule_number);
-	}
-	switch (this->bit_pos)
-	{
-		case 0:
-			if (output_pos)
-			{
-				*output_pos = *(this->byte_pos) >> 4;
-			}
-			this->bit_pos = 4;
-			break;
-		case 4:
-			if (output_pos)
-			{
-				*output_pos = *(this->byte_pos) & 0x0F;
-			}
-			this->bit_pos = 0;
-			this->byte_pos++;
-			break;
-		default:
-			return bad_bitpos(this, rule_number);
-	}
-	if (output_pos)
-	{
-		DBG3(DBG_ENC, "   => %d", *output_pos);
-	}
-	return TRUE;
-}
-
-/**
- * Parse a 8-Bit unsigned integer from the current parsing position.
- */
-static bool parse_uint8(private_parser_t *this, int rule_number,
-						u_int8_t *output_pos)
-{
-	if (this->byte_pos + sizeof(u_int8_t) > this->input_roof)
-	{
-		return short_input(this, rule_number);
-	}
-	if (this->bit_pos)
-	{
-		return bad_bitpos(this, rule_number);
-	}
-	if (output_pos)
-	{
-		*output_pos = *(this->byte_pos);
-		DBG3(DBG_ENC, "   => %d", *output_pos);
-	}
-	this->byte_pos++;
-	return TRUE;
-}
-
-/**
- * Parse a 15-Bit unsigned integer from the current parsing position.
- */
-static bool parse_uint15(private_parser_t *this, int rule_number,
-						 u_int16_t *output_pos)
-{
-	if (this->byte_pos + sizeof(u_int16_t) > this->input_roof)
-	{
-		return short_input(this, rule_number);
-	}
-	if (this->bit_pos != 1)
-	{
-		return bad_bitpos(this, rule_number);
-	}
-	if (output_pos)
-	{
-		memcpy(output_pos, this->byte_pos, sizeof(u_int16_t));
-		*output_pos = ntohs(*output_pos) & ~0x8000;
-		DBG3(DBG_ENC, "   => %d", *output_pos);
-	}
-	this->byte_pos += sizeof(u_int16_t);
-	this->bit_pos = 0;
-	return TRUE;
-}
-
-/**
- * Parse a 16-Bit unsigned integer from the current parsing position.
- */
-static bool parse_uint16(private_parser_t *this, int rule_number,
-						 u_int16_t *output_pos)
-{
-	if (this->byte_pos + sizeof(u_int16_t) > this->input_roof)
-	{
-		return short_input(this, rule_number);
-	}
-	if (this->bit_pos)
-	{
-		return bad_bitpos(this, rule_number);
-	}
-	if (output_pos)
-	{
-		memcpy(output_pos, this->byte_pos, sizeof(u_int16_t));
-		*output_pos = ntohs(*output_pos);
-		DBG3(DBG_ENC, "   => %d", *output_pos);
-	}
-	this->byte_pos += sizeof(u_int16_t);
-	return TRUE;
-}
-/**
- * Parse a 32-Bit unsigned integer from the current parsing position.
- */
-static bool parse_uint32(private_parser_t *this, int rule_number,
-						 u_int32_t *output_pos)
-{
-	if (this->byte_pos + sizeof(u_int32_t) > this->input_roof)
-	{
-		return short_input(this, rule_number);
-	}
-	if (this->bit_pos)
-	{
-		return bad_bitpos(this, rule_number);
-	}
-	if (output_pos)
-	{
-		memcpy(output_pos, this->byte_pos, sizeof(u_int32_t));
-		*output_pos = ntohl(*output_pos);
-		DBG3(DBG_ENC, "   => %d", *output_pos);
-	}
-	this->byte_pos += sizeof(u_int32_t);
-	return TRUE;
-}
-
-/**
- * Parse a given amount of bytes and writes them to a specific location
- */
-static bool parse_bytes(private_parser_t *this, int rule_number,
-						u_int8_t *output_pos, int bytes)
-{
-	if (this->byte_pos + bytes > this->input_roof)
-	{
-		return short_input(this, rule_number);
-	}
-	if (this->bit_pos)
-	{
-		return bad_bitpos(this, rule_number);
-	}
-	if (output_pos)
-	{
-		memcpy(output_pos, this->byte_pos, bytes);
-		DBG3(DBG_ENC, "   => %b", output_pos, bytes);
-	}
-	this->byte_pos += bytes;
-	return TRUE;
-}
-
-/**
- * Parse a single Bit from the current parsing position
- */
-static bool parse_bit(private_parser_t *this, int rule_number,
-					  bool *output_pos)
-{
-	if (this->byte_pos + sizeof(u_int8_t) > this->input_roof)
-	{
-		return short_input(this, rule_number);
-	}
-	if (output_pos)
-	{
-		u_int8_t mask;
-		mask = 0x01 << (7 - this->bit_pos);
-		*output_pos = *this->byte_pos & mask;
-
-		if (*output_pos)
-		{	/* set to a "clean", comparable true */
-			*output_pos = TRUE;
-		}
-		DBG3(DBG_ENC, "   => %d", *output_pos);
-	}
-	this->bit_pos = (this->bit_pos + 1) % 8;
-	if (this->bit_pos == 0)
-	{
-		this->byte_pos++;
-	}
-	return TRUE;
-}
-
-/**
- * Parse substructures in a list.
- */
-static bool parse_list(private_parser_t *this, int rule_number,
-			linked_list_t **output_pos, payload_type_t payload_type, int length)
-{
-	linked_list_t *list = *output_pos;
-
-	if (length < 0)
-	{
-		return short_input(this, rule_number);
-	}
-	if (this->bit_pos)
-	{
-		return bad_bitpos(this, rule_number);
-	}
-	while (length > 0)
-	{
-		u_int8_t *pos_before = this->byte_pos;
-		payload_t *payload;
-
-		DBG2(DBG_ENC, "  %d bytes left, parsing recursively %N",
-			 length, payload_type_names, payload_type);
-
-		if (parse_payload(this, payload_type, &payload) != SUCCESS)
-		{
-			DBG1(DBG_ENC, "  parsing of a %N substructure failed",
-				 payload_type_names, payload_type);
-			return FALSE;
-		}
-		list->insert_last(list, payload);
-		length -= this->byte_pos - pos_before;
-	}
-	if (length != 0)
-	{	/* must yield exactly to zero */
-		DBG1(DBG_ENC, "  length of %N substructure list invalid",
-			 payload_type_names, payload_type);
-		return FALSE;
-	}
-	*output_pos = list;
-	return TRUE;
-}
-
-/**
- * Parse data from current parsing position in a chunk.
- */
-static bool parse_chunk(private_parser_t *this, int rule_number,
-						chunk_t *output_pos, int length)
-{
-	if (this->byte_pos + length > this->input_roof)
-	{
-		return short_input(this, rule_number);
-	}
-	if (this->bit_pos)
-	{
-		return bad_bitpos(this, rule_number);
-	}
-	if (output_pos)
-	{
-		*output_pos = chunk_alloc(length);
-		memcpy(output_pos->ptr, this->byte_pos, length);
-		DBG3(DBG_ENC, "   => %b", output_pos->ptr, length);
-	}
-	this->byte_pos += length;
-	return TRUE;
-}
-
-/**
- * Implementation of parser_t.parse_payload.
- */
-static status_t parse_payload(private_parser_t *this,
-							  payload_type_t payload_type, payload_t **payload)
-{
-	payload_t *pld;
-	void *output;
-	size_t rule_count;
-	int payload_length = 0, spi_size = 0, attribute_length = 0;
-	u_int16_t ts_type = 0;
-	bool attribute_format = FALSE;
-	int rule_number;
-	encoding_rule_t *rule;
-
-	/* create instance of the payload to parse */
-	pld = payload_create(payload_type);
-
-	DBG2(DBG_ENC, "parsing %N payload, %d bytes left",
-		 payload_type_names, payload_type, this->input_roof - this->byte_pos);
-
-	DBG3(DBG_ENC, "parsing payload from %b",
-		 this->byte_pos, this->input_roof - this->byte_pos);
-
-	if (pld->get_type(pld) == UNKNOWN_PAYLOAD)
-	{
-		DBG1(DBG_ENC, "  payload type %d is unknown, handling as %N",
-			 payload_type, payload_type_names, UNKNOWN_PAYLOAD);
-	}
-
-	/* base pointer for output, avoids casting in every rule */
-	output = pld;
-
-	/* parse the payload with its own rulse */
-	pld->get_encoding_rules(pld, &this->rules, &rule_count);
-	for (rule_number = 0; rule_number < rule_count; rule_number++)
-	{
-		rule = &(this->rules[rule_number]);
-		DBG2(DBG_ENC, "  parsing rule %d %N",
-			 rule_number, encoding_type_names, rule->type);
-		switch (rule->type)
-		{
-			case U_INT_4:
-			{
-				if (!parse_uint4(this, rule_number, output + rule->offset))
-				{
-					pld->destroy(pld);
-					return PARSE_ERROR;
-				}
-				break;
-			}
-			case U_INT_8:
-			{
-				if (!parse_uint8(this, rule_number, output + rule->offset))
-				{
-					pld->destroy(pld);
-					return PARSE_ERROR;
-				}
-				break;
-			}
-			case U_INT_16:
-			{
-				if (!parse_uint16(this, rule_number, output + rule->offset))
-				{
-					pld->destroy(pld);
-					return PARSE_ERROR;
-				}
-				break;
-			}
-			case U_INT_32:
-			{
-				if (!parse_uint32(this, rule_number, output + rule->offset))
-				{
-					pld->destroy(pld);
-					return PARSE_ERROR;
-				}
-				break;
-			}
-			case IKE_SPI:
-			{
-				if (!parse_bytes(this, rule_number, output + rule->offset, 8))
-				{
-					pld->destroy(pld);
-					return PARSE_ERROR;
-				}
-				break;
-			}
-			case RESERVED_BIT:
-			{
-				if (!parse_bit(this, rule_number, NULL))
-				{
-					pld->destroy(pld);
-					return PARSE_ERROR;
-				}
-				break;
-			}
-			case RESERVED_BYTE:
-			{
-				if (!parse_uint8(this, rule_number, NULL))
-				{
-					pld->destroy(pld);
-					return PARSE_ERROR;
-				}
-				break;
-			}
-			case FLAG:
-			{
-				if (!parse_bit(this, rule_number, output + rule->offset))
-				{
-					pld->destroy(pld);
-					return PARSE_ERROR;
-				}
-				break;
-			}
-			case PAYLOAD_LENGTH:
-			{
-				if (!parse_uint16(this, rule_number, output + rule->offset))
-				{
-					pld->destroy(pld);
-					return PARSE_ERROR;
-				}
-				/* parsed u_int16 should be aligned */
-				payload_length = *(u_int16_t*)(output + rule->offset);
-				if (payload_length < UNKNOWN_PAYLOAD_HEADER_LENGTH)
-				{
-					pld->destroy(pld);
-					return PARSE_ERROR;
-				}
-				break;
-			}
-			case HEADER_LENGTH:
-			{
-				if (!parse_uint32(this, rule_number, output + rule->offset))
-				{
-					pld->destroy(pld);
-					return PARSE_ERROR;
-				}
-				break;
-			}
-			case SPI_SIZE:
-			{
-				if (!parse_uint8(this, rule_number, output + rule->offset))
-				{
-					pld->destroy(pld);
-					return PARSE_ERROR;
-				}
-				spi_size = *(u_int8_t*)(output + rule->offset);
-				break;
-			}
-			case SPI:
-			{
-				if (!parse_chunk(this, rule_number, output + rule->offset,
-								 spi_size))
-				{
-					pld->destroy(pld);
-					return PARSE_ERROR;
-				}
-				break;
-			}
-			case PROPOSALS:
-			{
-				if (payload_length < SA_PAYLOAD_HEADER_LENGTH ||
-					!parse_list(this, rule_number, output + rule->offset,
-								PROPOSAL_SUBSTRUCTURE,
-								payload_length - SA_PAYLOAD_HEADER_LENGTH))
-				{
-					pld->destroy(pld);
-					return PARSE_ERROR;
-				}
-				break;
-			}
-			case TRANSFORMS:
-			{
-				if (payload_length <
-							spi_size + PROPOSAL_SUBSTRUCTURE_HEADER_LENGTH ||
-					!parse_list(this, rule_number, output + rule->offset,
-							TRANSFORM_SUBSTRUCTURE, payload_length - spi_size -
-										PROPOSAL_SUBSTRUCTURE_HEADER_LENGTH))
-				{
-					pld->destroy(pld);
-					return PARSE_ERROR;
-				}
-				break;
-			}
-			case TRANSFORM_ATTRIBUTES:
-			{
-				if (payload_length < TRANSFORM_SUBSTRUCTURE_HEADER_LENGTH ||
-					!parse_list(this, rule_number, output + rule->offset,
-						TRANSFORM_ATTRIBUTE,
-						payload_length - TRANSFORM_SUBSTRUCTURE_HEADER_LENGTH))
-				{
-					pld->destroy(pld);
-					return PARSE_ERROR;
-				}
-				break;
-			}
-			case CONFIGURATION_ATTRIBUTES:
-			{
-				if (payload_length < CP_PAYLOAD_HEADER_LENGTH ||
-					!parse_list(this, rule_number, output + rule->offset,
-								CONFIGURATION_ATTRIBUTE,
-								payload_length - CP_PAYLOAD_HEADER_LENGTH))
-				{
-					pld->destroy(pld);
-					return PARSE_ERROR;
-				}
-				break;
-			}
-			case ATTRIBUTE_FORMAT:
-			{
-				if (!parse_bit(this, rule_number, output + rule->offset))
-				{
-					pld->destroy(pld);
-					return PARSE_ERROR;
-				}
-				attribute_format = *(bool*)(output + rule->offset);
-				break;
-			}
-			case ATTRIBUTE_TYPE:
-			{
-				if (!parse_uint15(this, rule_number, output + rule->offset))
-				{
-					pld->destroy(pld);
-					return PARSE_ERROR;
-				}
-				break;
-			}
-			case CONFIGURATION_ATTRIBUTE_LENGTH:
-			{
-				if (!parse_uint16(this, rule_number, output + rule->offset))
-				{
-					pld->destroy(pld);
-					return PARSE_ERROR;
-				}
-				attribute_length = *(u_int16_t*)(output + rule->offset);
-				break;
-			}
-			case ATTRIBUTE_LENGTH_OR_VALUE:
-			{
-				if (!parse_uint16(this, rule_number, output + rule->offset))
-				{
-					pld->destroy(pld);
-					return PARSE_ERROR;
-				}
-				attribute_length = *(u_int16_t*)(output + rule->offset);
-				break;
-			}
-			case ATTRIBUTE_VALUE:
-			{
-				if (attribute_format == FALSE &&
-					!parse_chunk(this, rule_number, output + rule->offset,
-								 attribute_length))
-				{
-					pld->destroy(pld);
-					return PARSE_ERROR;
-				}
-				break;
-			}
-			case NONCE_DATA:
-			{
-				if (payload_length < NONCE_PAYLOAD_HEADER_LENGTH ||
-					!parse_chunk(this, rule_number, output + rule->offset,
-								 payload_length - NONCE_PAYLOAD_HEADER_LENGTH))
-				{
-					pld->destroy(pld);
-					return PARSE_ERROR;
-				}
-				break;
-			}
-			case ID_DATA:
-			{
-				if (payload_length < ID_PAYLOAD_HEADER_LENGTH ||
-					!parse_chunk(this, rule_number, output + rule->offset,
-								 payload_length - ID_PAYLOAD_HEADER_LENGTH))
-				{
-					pld->destroy(pld);
-					return PARSE_ERROR;
-				}
-				break;
-			}
-			case AUTH_DATA:
-			{
-				if (payload_length < AUTH_PAYLOAD_HEADER_LENGTH ||
-					!parse_chunk(this, rule_number, output + rule->offset,
-								 payload_length - AUTH_PAYLOAD_HEADER_LENGTH))
-				{
-					pld->destroy(pld);
-					return PARSE_ERROR;
-				}
-				break;
-			}
-			case CERT_DATA:
-			{
-				if (payload_length < CERT_PAYLOAD_HEADER_LENGTH ||
-					!parse_chunk(this, rule_number, output + rule->offset,
-								 payload_length - CERT_PAYLOAD_HEADER_LENGTH))
-				{
-					pld->destroy(pld);
-					return PARSE_ERROR;
-				}
-				break;
-			}
-			case CERTREQ_DATA:
-			{
-				if (payload_length < CERTREQ_PAYLOAD_HEADER_LENGTH ||
-					!parse_chunk(this, rule_number, output + rule->offset,
-								 payload_length - CERTREQ_PAYLOAD_HEADER_LENGTH))
-				{
-					pld->destroy(pld);
-					return PARSE_ERROR;
-				}
-				break;
-			}
-			case EAP_DATA:
-			{
-				if (payload_length < EAP_PAYLOAD_HEADER_LENGTH ||
-					!parse_chunk(this, rule_number, output + rule->offset,
-								 payload_length - EAP_PAYLOAD_HEADER_LENGTH))
-				{
-					pld->destroy(pld);
-					return PARSE_ERROR;
-				}
-				break;
-			}
-			case SPIS:
-			{
-				if (payload_length < DELETE_PAYLOAD_HEADER_LENGTH ||
-					!parse_chunk(this, rule_number, output + rule->offset,
-								 payload_length - DELETE_PAYLOAD_HEADER_LENGTH))
-				{
-					pld->destroy(pld);
-					return PARSE_ERROR;
-				}
-				break;
-			}
-			case VID_DATA:
-			{
-				if (payload_length < VENDOR_ID_PAYLOAD_HEADER_LENGTH ||
-					!parse_chunk(this, rule_number, output + rule->offset,
-							payload_length - VENDOR_ID_PAYLOAD_HEADER_LENGTH))
-				{
-					pld->destroy(pld);
-					return PARSE_ERROR;
-				}
-				break;
-			}
-			case CONFIGURATION_ATTRIBUTE_VALUE:
-			{
-				if (!parse_chunk(this, rule_number, output + rule->offset,
-								 attribute_length))
-				{
-					pld->destroy(pld);
-					return PARSE_ERROR;
-				}
-				break;
-			}
-			case KEY_EXCHANGE_DATA:
-			{
-				if (payload_length < KE_PAYLOAD_HEADER_LENGTH ||
-					!parse_chunk(this, rule_number, output + rule->offset,
-								 payload_length - KE_PAYLOAD_HEADER_LENGTH))
-				{
-					pld->destroy(pld);
-					return PARSE_ERROR;
-				}
-				break;
-			}
-			case NOTIFICATION_DATA:
-			{
-				if (payload_length < NOTIFY_PAYLOAD_HEADER_LENGTH + spi_size ||
-					!parse_chunk(this, rule_number, output + rule->offset,
-						payload_length - NOTIFY_PAYLOAD_HEADER_LENGTH - spi_size))
-				{
-					pld->destroy(pld);
-					return PARSE_ERROR;
-				}
-				break;
-			}
-			case ENCRYPTED_DATA:
-			{
-				if (payload_length < ENCRYPTION_PAYLOAD_HEADER_LENGTH ||
-					!parse_chunk(this, rule_number, output + rule->offset,
-							payload_length - ENCRYPTION_PAYLOAD_HEADER_LENGTH))
-				{
-					pld->destroy(pld);
-					return PARSE_ERROR;
-				}
-				break;
-			}
-			case TS_TYPE:
-			{
-				if (!parse_uint8(this, rule_number, output + rule->offset))
-				{
-					pld->destroy(pld);
-					return PARSE_ERROR;
-				}
-				ts_type = *(u_int8_t*)(output + rule->offset);
-				break;
-			}
-			case ADDRESS:
-			{
-				int address_length = (ts_type == TS_IPV4_ADDR_RANGE) ? 4 : 16;
-
-				if (!parse_chunk(this, rule_number, output + rule->offset,
-								 address_length))
-				{
-					pld->destroy(pld);
-					return PARSE_ERROR;
-				}
-				break;
-			}
-			case TRAFFIC_SELECTORS:
-			{
-				if (payload_length < TS_PAYLOAD_HEADER_LENGTH ||
-					!parse_list(this, rule_number, output + rule->offset,
-								TRAFFIC_SELECTOR_SUBSTRUCTURE,
-								payload_length - TS_PAYLOAD_HEADER_LENGTH))
-				{
-					pld->destroy(pld);
-					return PARSE_ERROR;
-				}
-				break;
-			}
-			case UNKNOWN_DATA:
-			{
-				if (payload_length < UNKNOWN_PAYLOAD_HEADER_LENGTH ||
-					!parse_chunk(this, rule_number, output + rule->offset,
-								payload_length - UNKNOWN_PAYLOAD_HEADER_LENGTH))
-				{
-					pld->destroy(pld);
-					return PARSE_ERROR;
-				}
-				break;
-			}
-			default:
-			{
-				DBG1(DBG_ENC, "  no rule to parse rule %d %N",
-					 rule_number, encoding_type_names, rule->type);
-				pld->destroy(pld);
-				return PARSE_ERROR;
-			}
-		}
-		/* process next rulue */
-		rule++;
-	}
-
-	*payload = pld;
-	DBG2(DBG_ENC, "parsing %N payload finished",
-		 payload_type_names, payload_type);
-	return SUCCESS;
-}
-
-/**
- * Implementation of parser_t.get_remaining_byte_count.
- */
-static int get_remaining_byte_count (private_parser_t *this)
-{
-	return this->input_roof - this->byte_pos;
-}
-
-/**
- * Implementation of parser_t.reset_context.
- */
-static void reset_context (private_parser_t *this)
-{
-	this->byte_pos = this->input;
-	this->bit_pos = 0;
-}
-
-/**
- * Implementation of parser_t.destroy.
- */
-static void destroy(private_parser_t *this)
-{
-	free(this);
-}
-
-/*
- * Described in header.
- */
-parser_t *parser_create(chunk_t data)
-{
-	private_parser_t *this = malloc_thing(private_parser_t);
-
-	this->public.parse_payload = (status_t(*)(parser_t*,payload_type_t,payload_t**))parse_payload;
-	this->public.reset_context = (void(*)(parser_t*)) reset_context;
-	this->public.get_remaining_byte_count = (int (*) (parser_t *))get_remaining_byte_count;
-	this->public.destroy = (void(*)(parser_t*)) destroy;
-
-	this->input = data.ptr;
-	this->byte_pos = data.ptr;
-	this->bit_pos = 0;
-	this->input_roof = data.ptr + data.len;
-
-	return &this->public;
-}
-
diff --git a/src/charon/encoding/parser.h b/src/charon/encoding/parser.h
deleted file mode 100644
index 27c5f03fe..000000000
--- a/src/charon/encoding/parser.h
+++ /dev/null
@@ -1,79 +0,0 @@
-/*
- * Copyright (C) 2005-2006 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup parser parser
- * @{ @ingroup encoding
- */
-
-#ifndef PARSER_H_
-#define PARSER_H_
-
-typedef struct parser_t parser_t;
-
-#include <library.h>
-#include <encoding/payloads/encodings.h>
-#include <encoding/payloads/payload.h>
-
-/**
- * A parser_t class to parse IKEv2 payloads.
- *
- * A parser is used for parsing one chunk of data. Multiple
- * payloads can be parsed out of the chunk using parse_payload.
- * The parser remains the state until destroyed.
- */
-struct parser_t {
-
-	/**
-	 * Parses the next payload.
-	 *
-	 * @warning Caller is responsible for freeing allocated payload.
-	 *
-	 * Rules for parsing are described in the payload definition.
-	 *
-	 * @param payload_type	payload type to parse
-	 * @param payload		pointer where parsed payload was allocated
-	 * @return
-	 * 						- SUCCESSFUL if succeeded,
-	 * 						- PARSE_ERROR if corrupted/invalid data found
-	 */
-	status_t (*parse_payload) (parser_t *this, payload_type_t payload_type, payload_t **payload);
-
-	/**
-	 * Gets the remaining byte count which is not currently parsed.
-	 */
-	int (*get_remaining_byte_count) (parser_t *this);
-
-	/**
-	 * Resets the current parser context.
-	 */
-	void (*reset_context) (parser_t *this);
-
-	/**
-	 * Destroys a parser_t object.
-	 */
-	void (*destroy) (parser_t *this);
-};
-
-/**
- * Constructor to create a parser_t object.
- *
- * @param data		chunk of data to parse with this parser_t object
- * @return 			parser_t object
- */
-parser_t *parser_create(chunk_t data);
-
-#endif /** PARSER_H_ @}*/
diff --git a/src/charon/encoding/payloads/auth_payload.c b/src/charon/encoding/payloads/auth_payload.c
deleted file mode 100644
index d31208abb..000000000
--- a/src/charon/encoding/payloads/auth_payload.c
+++ /dev/null
@@ -1,259 +0,0 @@
-/*
- * Copyright (C) 2005-2006 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "auth_payload.h"
-
-#include <encoding/payloads/encodings.h>
-
-
-typedef struct private_auth_payload_t private_auth_payload_t;
-
-/**
- * Private data of an auth_payload_t object.
- *
- */
-struct private_auth_payload_t {
-
-	/**
-	 * Public auth_payload_t interface.
-	 */
-	auth_payload_t public;
-
-	/**
-	 * Next payload type.
-	 */
-	u_int8_t  next_payload;
-
-	/**
-	 * Critical flag.
-	 */
-	bool critical;
-
-	/**
-	 * Length of this payload.
-	 */
-	u_int16_t payload_length;
-
-	/**
-	 * Method of the AUTH Data.
-	 */
-	u_int8_t auth_method;
-
-	/**
-	 * The contained auth data value.
-	 */
-	chunk_t auth_data;
-};
-
-/**
- * Encoding rules to parse or generate a AUTH payload
- *
- * The defined offsets are the positions in a object of type
- * private_auth_payload_t.
- */
-encoding_rule_t auth_payload_encodings[] = {
-	/* 1 Byte next payload type, stored in the field next_payload */
-	{ U_INT_8,			offsetof(private_auth_payload_t, next_payload) 	},
-	/* the critical bit */
-	{ FLAG,				offsetof(private_auth_payload_t, critical) 		},
-	/* 7 Bit reserved bits, nowhere stored */
-	{ RESERVED_BIT,		0 												},
-	{ RESERVED_BIT,		0 												},
-	{ RESERVED_BIT,		0 												},
-	{ RESERVED_BIT,		0 												},
-	{ RESERVED_BIT,		0 												},
-	{ RESERVED_BIT,		0 												},
-	{ RESERVED_BIT,		0 												},
-	/* Length of the whole payload*/
-	{ PAYLOAD_LENGTH,	offsetof(private_auth_payload_t, payload_length)},
-	/* 1 Byte AUTH type*/
-	{ U_INT_8,			offsetof(private_auth_payload_t, auth_method)	},
-	/* 3 reserved bytes */
-	{ RESERVED_BYTE,	0 												},
-	{ RESERVED_BYTE,	0 												},
-	{ RESERVED_BYTE,	0 												},
-	/* some auth data bytes, length is defined in PAYLOAD_LENGTH */
-	{ AUTH_DATA,		offsetof(private_auth_payload_t, auth_data) 	}
-};
-
-/*
-                           1                   2                   3
-       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-      ! Next Payload  !C!  RESERVED   !         Payload Length        !
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-      ! Auth Method   !                RESERVED                       !
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-      !                                                               !
-      ~                      Authentication Data                      ~
-      !                                                               !
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-*/
-
-/**
- * Implementation of payload_t.verify.
- */
-static status_t verify(private_auth_payload_t *this)
-{
-	if (this->auth_method == 0 ||
-		(this->auth_method >= 4 && this->auth_method <= 8) ||
-		(this->auth_method >= 12 && this->auth_method <= 200))
-	{
-		/* reserved IDs */
-		return FAILED;
-	}
-	return SUCCESS;
-}
-
-/**
- * Implementation of auth_payload_t.get_encoding_rules.
- */
-static void get_encoding_rules(private_auth_payload_t *this, encoding_rule_t **rules, size_t *rule_count)
-{
-	*rules = auth_payload_encodings;
-	*rule_count = sizeof(auth_payload_encodings) / sizeof(encoding_rule_t);
-}
-
-/**
- * Implementation of payload_t.get_type.
- */
-static payload_type_t get_payload_type(private_auth_payload_t *this)
-{
-	return AUTHENTICATION;
-}
-
-/**
- * Implementation of payload_t.get_next_type.
- */
-static payload_type_t get_next_type(private_auth_payload_t *this)
-{
-	return (this->next_payload);
-}
-
-/**
- * Implementation of payload_t.set_next_type.
- */
-static void set_next_type(private_auth_payload_t *this,payload_type_t type)
-{
-	this->next_payload = type;
-}
-
-/**
- * Implementation of payload_t.get_length.
- */
-static size_t get_length(private_auth_payload_t *this)
-{
-	return this->payload_length;
-}
-
-/**
- * Implementation of auth_payload_t.set_auth_method.
- */
-static void set_auth_method (private_auth_payload_t *this, auth_method_t method)
-{
-	this->auth_method = method;
-}
-
-/**
- * Implementation of auth_payload_t.get_auth_method.
- */
-static auth_method_t get_auth_method (private_auth_payload_t *this)
-{
-	return (this->auth_method);
-}
-
-/**
- * Implementation of auth_payload_t.set_data.
- */
-static void set_data (private_auth_payload_t *this, chunk_t data)
-{
-	if (this->auth_data.ptr != NULL)
-	{
-		chunk_free(&(this->auth_data));
-	}
-	this->auth_data.ptr = clalloc(data.ptr,data.len);
-	this->auth_data.len = data.len;
-	this->payload_length = AUTH_PAYLOAD_HEADER_LENGTH + this->auth_data.len;
-}
-
-/**
- * Implementation of auth_payload_t.get_data.
- */
-static chunk_t get_data (private_auth_payload_t *this)
-{
-	return (this->auth_data);
-}
-
-/**
- * Implementation of auth_payload_t.get_data_clone.
- */
-static chunk_t get_data_clone (private_auth_payload_t *this)
-{
-	chunk_t cloned_data;
-	if (this->auth_data.ptr == NULL)
-	{
-		return (this->auth_data);
-	}
-	cloned_data.ptr = clalloc(this->auth_data.ptr,this->auth_data.len);
-	cloned_data.len = this->auth_data.len;
-	return cloned_data;
-}
-
-/**
- * Implementation of payload_t.destroy and auth_payload_t.destroy.
- */
-static void destroy(private_auth_payload_t *this)
-{
-	if (this->auth_data.ptr != NULL)
-	{
-		chunk_free(&(this->auth_data));
-	}
-
-	free(this);
-}
-
-/*
- * Described in header
- */
-auth_payload_t *auth_payload_create()
-{
-	private_auth_payload_t *this = malloc_thing(private_auth_payload_t);
-
-	/* interface functions */
-	this->public.payload_interface.verify = (status_t (*) (payload_t *))verify;
-	this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules;
-	this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length;
-	this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type;
-	this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
-	this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_payload_type;
-	this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
-
-	/* public functions */
-	this->public.destroy = (void (*) (auth_payload_t *)) destroy;
-	this->public.set_auth_method = (void (*) (auth_payload_t *,auth_method_t)) set_auth_method;
-	this->public.get_auth_method = (auth_method_t (*) (auth_payload_t *)) get_auth_method;
-	this->public.set_data = (void (*) (auth_payload_t *,chunk_t)) set_data;
-	this->public.get_data_clone = (chunk_t (*) (auth_payload_t *)) get_data_clone;
-	this->public.get_data = (chunk_t (*) (auth_payload_t *)) get_data;
-
-	/* private variables */
-	this->critical = FALSE;
-	this->next_payload = NO_PAYLOAD;
-	this->payload_length =AUTH_PAYLOAD_HEADER_LENGTH;
-	this->auth_data = chunk_empty;
-
-	return (&(this->public));
-}
diff --git a/src/charon/encoding/payloads/auth_payload.h b/src/charon/encoding/payloads/auth_payload.h
deleted file mode 100644
index 37ee149db..000000000
--- a/src/charon/encoding/payloads/auth_payload.h
+++ /dev/null
@@ -1,102 +0,0 @@
-/*
- * Copyright (C) 2005-2006 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup auth_payload auth_payload
- * @{ @ingroup payloads
- */
-
-#ifndef AUTH_PAYLOAD_H_
-#define AUTH_PAYLOAD_H_
-
-typedef struct auth_payload_t auth_payload_t;
-
-#include <library.h>
-#include <encoding/payloads/payload.h>
-#include <sa/authenticators/authenticator.h>
-
-/**
- * Length of a auth payload without the auth data in bytes.
- */
-#define AUTH_PAYLOAD_HEADER_LENGTH 8
-
-/**
- * Class representing an IKEv2 AUTH payload.
- *
- * The AUTH payload format is described in RFC section 3.8.
- */
-struct auth_payload_t {
-
-	/**
-	 * The payload_t interface.
-	 */
-	payload_t payload_interface;
-
-	/**
-	 * Set the AUTH method.
-	 *
-	 * @param method		auth_method_t to use
-	 */
-	void (*set_auth_method) (auth_payload_t *this, auth_method_t method);
-
-	/**
-	 * Get the AUTH method.
-	 *
-	 * @return				auth_method_t used
-	 */
-	auth_method_t (*get_auth_method) (auth_payload_t *this);
-
-	/**
-	 * Set the AUTH data.
-	 *
-	 * Data gets cloned.
-	 *
-	 * @param data			AUTH data as chunk_t
-	 */
-	void (*set_data) (auth_payload_t *this, chunk_t data);
-
-	/**
-	 * Get the AUTH data.
-	 *
-	 * Returned data are a copy of the internal one.
-	 *
-	 * @return				AUTH data as chunk_t
-	 */
-	chunk_t (*get_data_clone) (auth_payload_t *this);
-
-	/**
-	 * Get the AUTH data.
-	 *
-	 * Returned data are NOT copied
-	 *
-	 * @return				AUTH data as chunk_t
-	 */
-	chunk_t (*get_data) (auth_payload_t *this);
-
-	/**
-	 * Destroys an auth_payload_t object.
-	 */
-	void (*destroy) (auth_payload_t *this);
-};
-
-/**
- * Creates an empty auth_payload_t object.
- *
- * @return auth_payload_t object
- */
-auth_payload_t *auth_payload_create(void);
-
-#endif /** AUTH_PAYLOAD_H_ @}*/
diff --git a/src/charon/encoding/payloads/cert_payload.c b/src/charon/encoding/payloads/cert_payload.c
deleted file mode 100644
index 6dd3141f0..000000000
--- a/src/charon/encoding/payloads/cert_payload.c
+++ /dev/null
@@ -1,340 +0,0 @@
-/*
- * Copyright (C) 2008 Tobias Brunner
- * Copyright (C) 2005-2007 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <stddef.h>
-#include <ctype.h>
-
-#include <daemon.h>
-
-#include "cert_payload.h"
-
-ENUM(cert_encoding_names, ENC_PKCS7_WRAPPED_X509, ENC_OCSP_CONTENT,
-	"ENC_PKCS7_WRAPPED_X509",
-	"ENC_PGP",
-	"ENC_DNS_SIGNED_KEY",
-	"ENC_X509_SIGNATURE",
-	"ENC_X509_KEY_EXCHANGE",
-	"ENC_KERBEROS_TOKENS",
-	"ENC_CRL",
-	"ENC_ARL",
-	"ENC_SPKI",
-	"ENC_X509_ATTRIBUTE",
-	"ENC_RAW_RSA_KEY",
-	"ENC_X509_HASH_AND_URL",
-	"ENC_X509_HASH_AND_URL_BUNDLE",
-	"ENC_OCSP_CONTENT",
-);
-
-typedef struct private_cert_payload_t private_cert_payload_t;
-
-/**
- * Private data of an cert_payload_t object.
- *
- */
-struct private_cert_payload_t {
-	/**
-	 * Public cert_payload_t interface.
-	 */
-	cert_payload_t public;
-
-	/**
-	 * Next payload type.
-	 */
-	u_int8_t  next_payload;
-
-	/**
-	 * Critical flag.
-	 */
-	bool critical;
-
-	/**
-	 * Length of this payload.
-	 */
-	u_int16_t payload_length;
-
-	/**
-	 * Encoding of the CERT Data.
-	 */
-	u_int8_t encoding;
-
-	/**
-	 * The contained cert data value.
-	 */
-	chunk_t data;
-
-	/**
-	 * TRUE if the "Hash and URL" data is invalid
-	 */
-	bool invalid_hash_and_url;
-};
-
-/**
- * Encoding rules to parse or generate a CERT payload
- *
- * The defined offsets are the positions in a object of type
- * private_cert_payload_t.
- *
- */
-encoding_rule_t cert_payload_encodings[] = {
-	/* 1 Byte next payload type, stored in the field next_payload */
-	{ U_INT_8,			offsetof(private_cert_payload_t, next_payload) 	},
-	/* the critical bit */
-	{ FLAG,				offsetof(private_cert_payload_t, critical) 		},
-	/* 7 Bit reserved bits, nowhere stored */
-	{ RESERVED_BIT,	0 													},
-	{ RESERVED_BIT,	0 													},
-	{ RESERVED_BIT,	0 													},
-	{ RESERVED_BIT,	0 													},
-	{ RESERVED_BIT,	0 													},
-	{ RESERVED_BIT,	0 													},
-	{ RESERVED_BIT,	0 													},
-	/* Length of the whole payload*/
-	{ PAYLOAD_LENGTH,	offsetof(private_cert_payload_t, payload_length)},
-	/* 1 Byte CERT type*/
-	{ U_INT_8,			offsetof(private_cert_payload_t, encoding)		},
-	/* some cert data bytes, length is defined in PAYLOAD_LENGTH */
-	{ CERT_DATA,		offsetof(private_cert_payload_t, data) 			}
-};
-
-/*
-                           1                   2                   3
-       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-      ! Next Payload  !C!  RESERVED   !         Payload Length        !
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-      ! Cert Encoding !                                               !
-      +-+-+-+-+-+-+-+-+                                               !
-      ~                       Certificate Data                        ~
-      !                                                               !
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-*/
-
-/**
- * Implementation of payload_t.verify.
- */
-static status_t verify(private_cert_payload_t *this)
-{
-	if (this->encoding == ENC_X509_HASH_AND_URL ||
-		this->encoding == ENC_X509_HASH_AND_URL_BUNDLE)
-	{
-		/* coarse verification of "Hash and URL" encoded certificates */
-		if (this->data.len <= 20)
-		{
-			DBG1(DBG_ENC, "invalid payload length for hash-and-url (%d), ignore",
-					this->data.len);
-			this->invalid_hash_and_url = TRUE;
-			return SUCCESS;
-		}
-
-		int i = 20; /* skipping the hash */
-		for (; i < this->data.len; ++i)
-		{
-			if (this->data.ptr[i] == '\0')
-			{
-				/* null terminated, fine */
-				return SUCCESS;
-			}
-			else if (!isprint(this->data.ptr[i]))
-			{
-				DBG1(DBG_ENC, "non printable characters in url of hash-and-url"
-						" encoded certificate payload, ignore");
-				this->invalid_hash_and_url = TRUE;
-				return SUCCESS;
-			}
-		}
-
-		/* URL is not null terminated, correct that */
-		chunk_t data = chunk_alloc(this->data.len + 1);
-		memcpy(data.ptr, this->data.ptr, this->data.len);
-		data.ptr[this->data.len] = '\0';
-		chunk_free(&this->data);
-		this->data = data;
-	}
-	return SUCCESS;
-}
-
-/**
- * Implementation of cert_payload_t.get_encoding_rules.
- */
-static void get_encoding_rules(private_cert_payload_t *this,
-							   encoding_rule_t **rules, size_t *rule_count)
-{
-	*rules = cert_payload_encodings;
-	*rule_count = sizeof(cert_payload_encodings) / sizeof(encoding_rule_t);
-}
-
-/**
- * Implementation of payload_t.get_type.
- */
-static payload_type_t get_payload_type(private_cert_payload_t *this)
-{
-	return CERTIFICATE;
-}
-
-/**
- * Implementation of payload_t.get_next_type.
- */
-static payload_type_t get_next_type(private_cert_payload_t *this)
-{
-	return this->next_payload;
-}
-
-/**
- * Implementation of payload_t.set_next_type.
- */
-static void set_next_type(private_cert_payload_t *this,payload_type_t type)
-{
-	this->next_payload = type;
-}
-
-/**
- * Implementation of payload_t.get_length.
- */
-static size_t get_length(private_cert_payload_t *this)
-{
-	return this->payload_length;
-}
-
-/**
- * Implementation of cert_payload_t.get_cert_encoding.
- */
-static cert_encoding_t get_cert_encoding(private_cert_payload_t *this)
-{
-	return this->encoding;
-}
-
-/**
- * Implementation of cert_payload_t.get_cert.
- */
-static certificate_t *get_cert(private_cert_payload_t *this)
-{
-	if (this->encoding != ENC_X509_SIGNATURE)
-	{
-		return NULL;
-	}
-	return lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
-							  BUILD_BLOB_ASN1_DER, this->data,
-							  BUILD_END);
-}
-
-/**
- * Implementation of cert_payload_t.get_hash.
- */
-static chunk_t get_hash(private_cert_payload_t *this)
-{
-	chunk_t hash = chunk_empty;
-	if ((this->encoding != ENC_X509_HASH_AND_URL &&
-		this->encoding != ENC_X509_HASH_AND_URL_BUNDLE) ||
-		this->invalid_hash_and_url)
-	{
-		return hash;
-	}
-	hash.ptr = this->data.ptr;
-	hash.len = 20;
-	return hash;
-}
-
-/**
- * Implementation of cert_payload_t.get_url.
- */
-static char *get_url(private_cert_payload_t *this)
-{
-	if ((this->encoding != ENC_X509_HASH_AND_URL &&
-		this->encoding != ENC_X509_HASH_AND_URL_BUNDLE) ||
-		this->invalid_hash_and_url)
-	{
-		return NULL;
-	}
-	return (char*)this->data.ptr + 20;
-}
-
-/**
- * Implementation of payload_t.destroy and cert_payload_t.destroy.
- */
-static void destroy(private_cert_payload_t *this)
-{
-	chunk_free(&this->data);
-	free(this);
-}
-
-/*
- * Described in header
- */
-cert_payload_t *cert_payload_create()
-{
-	private_cert_payload_t *this = malloc_thing(private_cert_payload_t);
-
-	this->public.payload_interface.verify = (status_t (*) (payload_t*))verify;
-	this->public.payload_interface.get_encoding_rules = (void (*) (payload_t*,encoding_rule_t**, size_t*))get_encoding_rules;
-	this->public.payload_interface.get_length = (size_t (*) (payload_t*))get_length;
-	this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t*))get_next_type;
-	this->public.payload_interface.set_next_type = (void (*) (payload_t*,payload_type_t))set_next_type;
-	this->public.payload_interface.get_type = (payload_type_t (*) (payload_t*))get_payload_type;
-	this->public.payload_interface.destroy = (void (*) (payload_t*))destroy;
-
-	this->public.destroy = (void (*) (cert_payload_t*))destroy;
-	this->public.get_cert = (certificate_t* (*) (cert_payload_t*))get_cert;
-	this->public.get_cert_encoding = (cert_encoding_t (*) (cert_payload_t*))get_cert_encoding;
-	this->public.get_hash = (chunk_t (*) (cert_payload_t*))get_hash;
-	this->public.get_url = (char* (*) (cert_payload_t*))get_url;
-
-	this->critical = FALSE;
-	this->next_payload = NO_PAYLOAD;
-	this->payload_length = CERT_PAYLOAD_HEADER_LENGTH;
-	this->data = chunk_empty;
-	this->encoding = 0;
-	this->invalid_hash_and_url = FALSE;
-
-	return &this->public;
-}
-
-/*
- * Described in header
- */
-cert_payload_t *cert_payload_create_from_cert(certificate_t *cert)
-{
-	private_cert_payload_t *this = (private_cert_payload_t*)cert_payload_create();
-
-	switch (cert->get_type(cert))
-	{
-		case CERT_X509:
-			this->encoding = ENC_X509_SIGNATURE;
-			break;
-		default:
-			DBG1(DBG_ENC, "embedding %N certificate in payload failed",
-				 certificate_type_names, cert->get_type(cert));
-			free(this);
-			return NULL;
-	}
-	this->data = cert->get_encoding(cert);
-	this->payload_length = CERT_PAYLOAD_HEADER_LENGTH + this->data.len;
-	return &this->public;
-}
-
-/*
- * Described in header
- */
-cert_payload_t *cert_payload_create_from_hash_and_url(chunk_t hash, char *url)
-{
-	private_cert_payload_t *this = (private_cert_payload_t*)cert_payload_create();
-
-	this->encoding = ENC_X509_HASH_AND_URL;
-	this->data = chunk_cat("cc", hash, chunk_create(url, strlen(url)));
-	this->payload_length = CERT_PAYLOAD_HEADER_LENGTH + this->data.len;
-	return &this->public;
-}
-
diff --git a/src/charon/encoding/payloads/cert_payload.h b/src/charon/encoding/payloads/cert_payload.h
deleted file mode 100644
index aa1c7bf5a..000000000
--- a/src/charon/encoding/payloads/cert_payload.h
+++ /dev/null
@@ -1,137 +0,0 @@
-/*
- * Copyright (C) 2008 Tobias Brunner
- * Copyright (C) 2005-2007 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup cert_payload cert_payload
- * @{ @ingroup payloads
- */
-
-#ifndef CERT_PAYLOAD_H_
-#define CERT_PAYLOAD_H_
-
-typedef struct cert_payload_t cert_payload_t;
-typedef enum cert_encoding_t cert_encoding_t;
-
-#include <library.h>
-#include <credentials/certificates/certificate.h>
-#include <encoding/payloads/payload.h>
-
-/**
- * Length of a cert payload without the cert data in bytes.
- */
-#define CERT_PAYLOAD_HEADER_LENGTH 5
-
-/**
- * Certifcate encodings, as in RFC4306
- */
-enum cert_encoding_t {
-	ENC_PKCS7_WRAPPED_X509 =		 1,
-	ENC_PGP =						 2,
-	ENC_DNS_SIGNED_KEY =			 3,
-	ENC_X509_SIGNATURE =			 4,
-	ENC_KERBEROS_TOKEN	=			 6,
-	ENC_CRL =						 7,
-	ENC_ARL =						 8,
-	ENC_SPKI =						 9,
-	ENC_X509_ATTRIBUTE =			10,
-	ENC_RAW_RSA_KEY =				11,
-	ENC_X509_HASH_AND_URL =			12,
-	ENC_X509_HASH_AND_URL_BUNDLE =	13,
-	ENC_OCSP_CONTENT =				14,  /* from RFC 4806 */
-};
-
-/**
- * Enum names for cert_encoding_t
- */
-extern enum_name_t *cert_encoding_names;
-
-/**
- * Class representing an IKEv2 CERT payload.
- *
- * The CERT payload format is described in RFC section 3.6.
- */
-struct cert_payload_t {
-
-	/**
-	 * The payload_t interface.
-	 */
-	payload_t payload_interface;
-
-	/**
-	 * Get the playoads encoded certifcate.
-	 *
-	 * @return				certifcate copy
-	 */
-	certificate_t *(*get_cert)(cert_payload_t *this);
-
-	/**
-	 * Get the encoding of the certificate.
-	 *
-	 * @return				encoding
-	 */
-	cert_encoding_t (*get_cert_encoding)(cert_payload_t *this);
-
-	/**
-	 * Get the hash if this is a hash and URL encoded certificate.
-	 *
-	 * This function returns internal data, do not free.
-	 *
-	 * @return				hash
-	 */
-	chunk_t (*get_hash)(cert_payload_t *this);
-
-	/**
-	 * Get the URL if this is a hash and URL encoded certificate.
-	 *
-	 * This function returns internal data, do not free.
-	 *
-	 * @return				url
-	 */
-	char *(*get_url)(cert_payload_t *this);
-
-
-	/**
-	 * Destroys the cert_payload object.
-	 */
-	void (*destroy) (cert_payload_t *this);
-};
-
-/**
- * Creates an empty certificate payload.
- *
- * @return					cert_payload_t object
- */
-cert_payload_t *cert_payload_create(void);
-
-/**
- * Creates a certificate payload with an embedded certificate.
- *
- * @param cert				certificate to embed
- * @return					cert_payload_t object
- */
-cert_payload_t *cert_payload_create_from_cert(certificate_t *cert);
-
-/**
- * Creates a certificate payload with hash and URL encoding of a certificate.
- *
- * @param hash				hash of the DER encoded certificate (get's cloned)
- * @param url				the URL to locate the certificate (get's cloned)
- * @return					cert_payload_t object
- */
-cert_payload_t *cert_payload_create_from_hash_and_url(chunk_t hash, char *url);
-
-#endif /** CERT_PAYLOAD_H_ @}*/
diff --git a/src/charon/encoding/payloads/certreq_payload.c b/src/charon/encoding/payloads/certreq_payload.c
deleted file mode 100644
index 9ff0bdde0..000000000
--- a/src/charon/encoding/payloads/certreq_payload.c
+++ /dev/null
@@ -1,298 +0,0 @@
-/*
- * Copyright (C) 2005-2006 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <stddef.h>
-
-#include <daemon.h>
-#include <crypto/hashers/hasher.h>
-#include <encoding/payloads/cert_payload.h>
-
-#include "certreq_payload.h"
-
-
-typedef struct private_certreq_payload_t private_certreq_payload_t;
-
-/**
- * Private data of an certreq_payload_t object.
- *
- */
-struct private_certreq_payload_t {
-	/**
-	 * Public certreq_payload_t interface.
-	 */
-	certreq_payload_t public;
-
-	/**
-	 * Next payload type.
-	 */
-	u_int8_t  next_payload;
-
-	/**
-	 * Critical flag.
-	 */
-	bool critical;
-
-	/**
-	 * Length of this payload.
-	 */
-	u_int16_t payload_length;
-
-	/**
-	 * Encoding of the CERT Data.
-	 */
-	u_int8_t encoding;
-
-	/**
-	 * The contained certreq data value.
-	 */
-	chunk_t data;
-};
-
-/**
- * Encoding rules to parse or generate a CERTREQ payload
- *
- * The defined offsets are the positions in a object of type
- * private_certreq_payload_t.
- *
- */
-encoding_rule_t certreq_payload_encodings[] = {
-	/* 1 Byte next payload type, stored in the field next_payload */
-	{ U_INT_8,			offsetof(private_certreq_payload_t, next_payload) 	},
-	/* the critical bit */
-	{ FLAG,				offsetof(private_certreq_payload_t, critical) 		},
-	/* 7 Bit reserved bits, nowhere stored */
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	/* Length of the whole payload*/
-	{ PAYLOAD_LENGTH,	offsetof(private_certreq_payload_t, payload_length)	},
-	/* 1 Byte CERTREQ type*/
-	{ U_INT_8,			offsetof(private_certreq_payload_t, encoding)		},
-	/* some certreq data bytes, length is defined in PAYLOAD_LENGTH */
-	{ CERTREQ_DATA,		offsetof(private_certreq_payload_t, data)			}
-};
-
-/*
-                           1                   2                   3
-       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-      ! Next Payload  !C!  RESERVED   !         Payload Length        !
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-      ! Cert Encoding !                                               !
-      +-+-+-+-+-+-+-+-+                                               !
-      ~                    Certification Authority                    ~
-      !                                                               !
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-*/
-
-/**
- * Implementation of payload_t.verify.
- */
-static status_t verify(private_certreq_payload_t *this)
-{
-	if (this->encoding == ENC_X509_SIGNATURE)
-	{
-		if (this->data.len < HASH_SIZE_SHA1 ||
-			this->data.len % HASH_SIZE_SHA1)
-		{
-			DBG1(DBG_ENC, "invalid X509 hash length (%d) in certreq",
-				 this->data.len);
-			return FAILED;
-		}
-	}
-	return SUCCESS;
-}
-
-/**
- * Implementation of certreq_payload_t.get_encoding_rules.
- */
-static void get_encoding_rules(private_certreq_payload_t *this, encoding_rule_t **rules, size_t *rule_count)
-{
-	*rules = certreq_payload_encodings;
-	*rule_count = sizeof(certreq_payload_encodings) / sizeof(encoding_rule_t);
-}
-
-/**
- * Implementation of payload_t.get_type.
- */
-static payload_type_t get_payload_type(private_certreq_payload_t *this)
-{
-	return CERTIFICATE_REQUEST;
-}
-
-/**
- * Implementation of payload_t.get_next_type.
- */
-static payload_type_t get_next_type(private_certreq_payload_t *this)
-{
-	return (this->next_payload);
-}
-
-/**
- * Implementation of payload_t.set_next_type.
- */
-static void set_next_type(private_certreq_payload_t *this,payload_type_t type)
-{
-	this->next_payload = type;
-}
-
-/**
- * Implementation of payload_t.get_length.
- */
-static size_t get_length(private_certreq_payload_t *this)
-{
-	return this->payload_length;
-}
-
-/**
- * Implementation of certreq_payload_t.add_keyid.
- */
-static void add_keyid(private_certreq_payload_t *this, chunk_t keyid)
-{
-	this->data = chunk_cat("mc", this->data, keyid);
-	this->payload_length += keyid.len;
-}
-
-typedef struct keyid_enumerator_t keyid_enumerator_t;
-
-/**
- * enumerator to enumerate keyids
- */
-struct keyid_enumerator_t  {
-	enumerator_t public;
-	chunk_t full;
-	u_char *pos;
-};
-
-/**
- * enumerate function for keyid_enumerator
- */
-static bool keyid_enumerate(keyid_enumerator_t *this, chunk_t *chunk)
-{
-	if (this->pos == NULL)
-	{
-		this->pos = this->full.ptr;
-	}
-	else
-	{
-		this->pos += HASH_SIZE_SHA1;
-		if (this->pos > (this->full.ptr + this->full.len - HASH_SIZE_SHA1))
-		{
-			this->pos = NULL;
-		}
-	}
-	if (this->pos)
-	{
-		chunk->ptr = this->pos;
-		chunk->len = HASH_SIZE_SHA1;
-		return TRUE;
-	}
-	return FALSE;
-}
-
-/**
- * Implementation of certreq_payload_t.create_keyid_enumerator.
- */
-static enumerator_t* create_keyid_enumerator(private_certreq_payload_t *this)
-{
-	keyid_enumerator_t *enumerator = malloc_thing(keyid_enumerator_t);
-	enumerator->public.enumerate = (void*)keyid_enumerate;
-	enumerator->public.destroy = (void*)free;
-	enumerator->full = this->data;
-	enumerator->pos = NULL;
-	return &enumerator->public;
-}
-
-/**
- * Implementation of certreq_payload_t.get_cert_type.
- */
-static certificate_type_t get_cert_type(private_certreq_payload_t *this)
-{
-	switch (this->encoding)
-	{
-		case ENC_X509_SIGNATURE:
-			return CERT_X509;
-		default:
-			return CERT_ANY;
-	}
-}
-
-/**
- * Implementation of payload_t.destroy and certreq_payload_t.destroy.
- */
-static void destroy(private_certreq_payload_t *this)
-{
-	chunk_free(&this->data);
-	free(this);
-}
-
-/*
- * Described in header
- */
-certreq_payload_t *certreq_payload_create()
-{
-	private_certreq_payload_t *this = malloc_thing(private_certreq_payload_t);
-
-	/* interface functions */
-	this->public.payload_interface.verify = (status_t (*) (payload_t*))verify;
-	this->public.payload_interface.get_encoding_rules = (void (*) (payload_t*,encoding_rule_t**,size_t*))get_encoding_rules;
-	this->public.payload_interface.get_length = (size_t (*) (payload_t*))get_length;
-	this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t*))get_next_type;
-	this->public.payload_interface.set_next_type = (void (*) (payload_t*,payload_type_t))set_next_type;
-	this->public.payload_interface.get_type = (payload_type_t (*) (payload_t*))get_payload_type;
-	this->public.payload_interface.destroy = (void (*) (payload_t*))destroy;
-
-	/* public functions */
-	this->public.destroy = (void (*) (certreq_payload_t*)) destroy;
-	this->public.create_keyid_enumerator = (enumerator_t*(*)(certreq_payload_t*))create_keyid_enumerator;
-		this->public.get_cert_type = (certificate_type_t(*)(certreq_payload_t*))get_cert_type;
-	this->public.add_keyid = (void(*)(certreq_payload_t*, chunk_t keyid))add_keyid;
-
-	/* private variables */
-	this->critical = FALSE;
-	this->next_payload = NO_PAYLOAD;
-	this->payload_length = CERTREQ_PAYLOAD_HEADER_LENGTH;
-	this->data = chunk_empty;
-	this->encoding = 0;
-
-	return &this->public;
-}
-
-/*
- * Described in header
- */
-certreq_payload_t *certreq_payload_create_type(certificate_type_t type)
-{
-	private_certreq_payload_t *this = (private_certreq_payload_t*)certreq_payload_create();
-
-	switch (type)
-	{
-		case CERT_X509:
-			this->encoding = ENC_X509_SIGNATURE;
-			break;
-		default:
-			DBG1(DBG_ENC, "certificate type %N not supported in requests",
-				 certificate_type_names, type);
-			free(this);
-			return NULL;
-	}
-	return &this->public;
-}
-
diff --git a/src/charon/encoding/payloads/certreq_payload.h b/src/charon/encoding/payloads/certreq_payload.h
deleted file mode 100644
index 914063628..000000000
--- a/src/charon/encoding/payloads/certreq_payload.h
+++ /dev/null
@@ -1,90 +0,0 @@
-/*
- * Copyright (C) 2005-2006 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup certreq_payload certreq_payload
- * @{ @ingroup payloads
- */
-
-#ifndef CERTREQ_PAYLOAD_H_
-#define CERTREQ_PAYLOAD_H_
-
-typedef struct certreq_payload_t certreq_payload_t;
-
-#include <library.h>
-#include <encoding/payloads/payload.h>
-#include <encoding/payloads/cert_payload.h>
-
-/**
- * Length of a CERTREQ payload without the CERTREQ data in bytes.
- */
-#define CERTREQ_PAYLOAD_HEADER_LENGTH 5
-
-/**
- * Class representing an IKEv2 CERTREQ payload.
- *
- * The CERTREQ payload format is described in RFC section 3.7.
- */
-struct certreq_payload_t {
-	/**
-	 * The payload_t interface.
-	 */
-	payload_t payload_interface;
-
-	/**
-	 * Create an enumerator over contained keyids.
-	 *
-	 * @return			enumerator over chunk_t's.
-	 */
-	enumerator_t* (*create_keyid_enumerator)(certreq_payload_t *this);
-
-	/**
-	 * Get the type of contained certificate keyids.
-	 *
-	 * @return			certificate keyid type
-	 */
-	certificate_type_t (*get_cert_type)(certreq_payload_t *this);
-
-	/**
-	 * Add a certificates keyid to the payload.
-	 *
-	 * @param keyid		keyid of the trusted certifcate
-	 * @return
-	 */
-	void (*add_keyid)(certreq_payload_t *this, chunk_t keyid);
-
-	/**
-	 * Destroys an certreq_payload_t object.
-	 */
-	void (*destroy) (certreq_payload_t *this);
-};
-
-/**
- * Creates an empty certreq_payload_t object.
- *
- * @return 				certreq payload
- */
-certreq_payload_t *certreq_payload_create(void);
-
-/**
- * Creates an empty certreq_payload_t for a kind of certificates.
- *
- * @param type			type of the added keyids
- * @return 				certreq payload
- */
-certreq_payload_t *certreq_payload_create_type(certificate_type_t type);
-
-#endif /** CERTREQ_PAYLOAD_H_ @}*/
diff --git a/src/charon/encoding/payloads/configuration_attribute.c b/src/charon/encoding/payloads/configuration_attribute.c
deleted file mode 100644
index 9094fd44d..000000000
--- a/src/charon/encoding/payloads/configuration_attribute.c
+++ /dev/null
@@ -1,264 +0,0 @@
-/*
- * Copyright (C) 2005-2009 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <stddef.h>
-
-#include "configuration_attribute.h"
-
-#include <encoding/payloads/encodings.h>
-#include <library.h>
-#include <daemon.h>
-
-
-typedef struct private_configuration_attribute_t private_configuration_attribute_t;
-
-/**
- * Private data of an configuration_attribute_t object.
- *
- */
-struct private_configuration_attribute_t {
-	/**
-	 * Public configuration_attribute_t interface.
-	 */
-	configuration_attribute_t public;
-
-	/**
-	 * Type of the attribute.
-	 */
-	u_int16_t type;
-
-	/**
-	 * Length of the attribute.
-	 */
-	u_int16_t length;
-
-	/**
-	 * Attribute value as chunk.
-	 */
-	chunk_t value;
-};
-
-/**
- * Encoding rules to parse or generate a configuration attribute.
- *
- * The defined offsets are the positions in a object of type
- * private_configuration_attribute_t.
- */
-encoding_rule_t configuration_attribute_encodings[] = {
-
-	{ RESERVED_BIT,						0													},
-	/* type of the attribute as 15 bit unsigned integer */
-	{ ATTRIBUTE_TYPE,					offsetof(private_configuration_attribute_t, type)	},
-	/* Length of attribute value */
-	{ CONFIGURATION_ATTRIBUTE_LENGTH,	offsetof(private_configuration_attribute_t, length)	},
-	/* Value of attribute if attribute format flag is zero */
-	{ CONFIGURATION_ATTRIBUTE_VALUE,	offsetof(private_configuration_attribute_t, value)	}
-};
-
-/*
-                           1                   2                   3
-       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-      !R|         Attribute Type      !            Length             |
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-      |                                                               |
-      ~                             Value                             ~
-      |                                                               |
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-*/
-
-/**
- * Implementation of payload_t.verify.
- */
-static status_t verify(private_configuration_attribute_t *this)
-{
-	bool failed = FALSE;
-
-	if (this->length != this->value.len)
-	{
-		DBG1(DBG_ENC, "invalid attribute length");
-		return FAILED;
-	}
-
-	switch (this->type)
-	{
-		 case INTERNAL_IP4_ADDRESS:
-		 case INTERNAL_IP4_NETMASK:
-		 case INTERNAL_IP4_DNS:
-		 case INTERNAL_IP4_NBNS:
-		 case INTERNAL_ADDRESS_EXPIRY:
-		 case INTERNAL_IP4_DHCP:
-			if (this->length != 0 && this->length != 4)
-			{
-				failed = TRUE;
-			}
-			break;
-		 case INTERNAL_IP4_SUBNET:
-			if (this->length != 0 && this->length != 8)
-			{
-				failed = TRUE;
-			}
-			break;
-		 case INTERNAL_IP6_ADDRESS:
-		 case INTERNAL_IP6_SUBNET:
-			if (this->length != 0 && this->length != 17)
-			{
-				failed = TRUE;
-			}
-			break;
-		 case INTERNAL_IP6_DNS:
-		 case INTERNAL_IP6_NBNS:
-		 case INTERNAL_IP6_DHCP:
-			if (this->length != 0 && this->length != 16)
-			{
-				failed = TRUE;
-			}
-			break;
-		 case SUPPORTED_ATTRIBUTES:
-			if (this->length % 2)
-			{
-				failed = TRUE;
-			}
-			break;
-		 case APPLICATION_VERSION:
-			/* any length acceptable */
-			break;
-		 default:
-			DBG1(DBG_ENC, "unknown attribute type %N",
-				 configuration_attribute_type_names, this->type);
-			break;
-	}
-
-	if (failed)
-	{
-		DBG1(DBG_ENC, "invalid attribute length %d for %N",
-			 this->length, configuration_attribute_type_names, this->type);
-		return FAILED;
-	}
-	return SUCCESS;
-}
-
-/**
- * Implementation of payload_t.get_encoding_rules.
- */
-static void get_encoding_rules(private_configuration_attribute_t *this,
-							   encoding_rule_t **rules, size_t *rule_count)
-{
-	*rules = configuration_attribute_encodings;
-	*rule_count = sizeof(configuration_attribute_encodings) / sizeof(encoding_rule_t);
-}
-
-/**
- * Implementation of payload_t.get_type.
- */
-static payload_type_t get_type(private_configuration_attribute_t *this)
-{
-	return CONFIGURATION_ATTRIBUTE;
-}
-
-/**
- * Implementation of payload_t.get_next_type.
- */
-static payload_type_t get_next_type(private_configuration_attribute_t *this)
-{
-	return NO_PAYLOAD;
-}
-
-/**
- * Implementation of payload_t.set_next_type.
- */
-static void set_next_type(private_configuration_attribute_t *this,
-						  payload_type_t type)
-{
-}
-
-/**
- * Implementation of configuration_attribute_t.get_length.
- */
-static size_t get_length(private_configuration_attribute_t *this)
-{
-	return this->value.len + CONFIGURATION_ATTRIBUTE_HEADER_LENGTH;
-}
-
-/**
- * Implementation of configuration_attribute_t.get_type.
- */
-static configuration_attribute_type_t get_configuration_attribute_type(
-									private_configuration_attribute_t *this)
-{
-	return this->type;
-}
-
-/**
- * Implementation of configuration_attribute_t.get_value.
- */
-static chunk_t get_value(private_configuration_attribute_t *this)
-{
-	return this->value;
-}
-
-/**
- * Implementation of configuration_attribute_t.destroy and payload_t.destroy.
- */
-static void destroy(private_configuration_attribute_t *this)
-{
-	free(this->value.ptr);
-	free(this);
-}
-
-/*
- * Described in header.
- */
-configuration_attribute_t *configuration_attribute_create()
-{
-	private_configuration_attribute_t *this;
-
-	this = malloc_thing(private_configuration_attribute_t);
-	this->public.payload_interface.verify = (status_t(*)(payload_t *))verify;
-	this->public.payload_interface.get_encoding_rules = (void(*)(payload_t *, encoding_rule_t **, size_t *) )get_encoding_rules;
-	this->public.payload_interface.get_length = (size_t(*)(payload_t *))get_length;
-	this->public.payload_interface.get_next_type = (payload_type_t(*)(payload_t *))get_next_type;
-	this->public.payload_interface.set_next_type = (void(*)(payload_t *,payload_type_t))set_next_type;
-	this->public.payload_interface.get_type = (payload_type_t(*)(payload_t *))get_type;
-	this->public.payload_interface.destroy = (void(*)(payload_t*))destroy;
-
-	this->public.get_value = (chunk_t(*)(configuration_attribute_t *))get_value;
-	this->public.get_type = (configuration_attribute_type_t(*)(configuration_attribute_t *))get_configuration_attribute_type;
-	this->public.destroy = (void (*)(configuration_attribute_t*))destroy;
-
-	this->type = 0;
-	this->value = chunk_empty;
-	this->length = 0;
-
-	return &this->public;
-}
-
-/*
- * Described in header.
- */
-configuration_attribute_t *configuration_attribute_create_value(
-							configuration_attribute_type_t type, chunk_t value)
-{
-	private_configuration_attribute_t *this;
-
-	this = (private_configuration_attribute_t*)configuration_attribute_create();
-	this->type = ((u_int16_t)type) & 0x7FFF;
-	this->value = chunk_clone(value);
-	this->length = value.len;
-
-	return &this->public;
-}
-
diff --git a/src/charon/encoding/payloads/configuration_attribute.h b/src/charon/encoding/payloads/configuration_attribute.h
deleted file mode 100644
index 6e4b018bb..000000000
--- a/src/charon/encoding/payloads/configuration_attribute.h
+++ /dev/null
@@ -1,85 +0,0 @@
-/*
- * Copyright (C) 2005-2009 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup configuration_attribute configuration_attribute
- * @{ @ingroup payloads
- */
-
-#ifndef CONFIGURATION_ATTRIBUTE_H_
-#define CONFIGURATION_ATTRIBUTE_H_
-
-typedef struct configuration_attribute_t configuration_attribute_t;
-
-#include <library.h>
-#include <attributes/attributes.h>
-#include <encoding/payloads/payload.h>
-
-/**
- * Configuration attribute header length in bytes.
- */
-#define CONFIGURATION_ATTRIBUTE_HEADER_LENGTH 4
-
-/**
- * Class representing an IKEv2-CONFIGURATION Attribute.
- *
- * The CONFIGURATION ATTRIBUTE format is described in RFC section 3.15.1.
- */
-struct configuration_attribute_t {
-
-	/**
-	 * Implements payload_t interface.
-	 */
-	payload_t payload_interface;
-
-	/**
-	 * Get the type of the attribute.
-	 *
-	 * @return 		type of the configuration attribute
-	 */
-	configuration_attribute_type_t (*get_type)(configuration_attribute_t *this);
-
-	/**
-	 * Returns the value of the attribute.
-	 *
-	 * @return 		chunk_t pointing to the internal value
-	 */
-	chunk_t (*get_value) (configuration_attribute_t *this);
-
-	/**
-	 * Destroys an configuration_attribute_t object.
-	 */
-	void (*destroy) (configuration_attribute_t *this);
-};
-
-/**
- * Creates an empty configuration attribute.
- *
- * @return		created configuration attribute
- */
-configuration_attribute_t *configuration_attribute_create();
-
-/**
- * Creates a configuration attribute with type and value.
- *
- * @param type	type of configuration attribute
- * @param value	value, gets cloned
- * @return		created configuration attribute
- */
-configuration_attribute_t *configuration_attribute_create_value(
-							configuration_attribute_type_t type, chunk_t value);
-
-#endif /** CONFIGURATION_ATTRIBUTE_H_ @}*/
diff --git a/src/charon/encoding/payloads/cp_payload.c b/src/charon/encoding/payloads/cp_payload.c
deleted file mode 100644
index f0a26eee2..000000000
--- a/src/charon/encoding/payloads/cp_payload.c
+++ /dev/null
@@ -1,273 +0,0 @@
-/*
- * Copyright (C) 2005-2009 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <stddef.h>
-
-#include "cp_payload.h"
-
-#include <encoding/payloads/encodings.h>
-#include <utils/linked_list.h>
-
-ENUM(config_type_names, CFG_REQUEST, CFG_ACK,
-	"CFG_REQUEST",
-	"CFG_REPLY",
-	"CFG_SET",
-	"CFG_ACK",
-);
-
-typedef struct private_cp_payload_t private_cp_payload_t;
-
-/**
- * Private data of an cp_payload_t object.
- *
- */
-struct private_cp_payload_t {
-	/**
-	 * Public cp_payload_t interface.
-	 */
-	cp_payload_t public;
-
-	/**
-	 * Next payload type.
-	 */
-	u_int8_t  next_payload;
-
-	/**
-	 * Critical flag.
-	 */
-	bool critical;
-
-	/**
-	 * Length of this payload.
-	 */
-	u_int16_t payload_length;
-
-	/**
-	 * List of attributes, as configuration_attribute_t
-	 */
-	linked_list_t *attributes;
-
-	/**
-	 * Config Type.
-	 */
-	u_int8_t type;
-};
-
-/**
- * Encoding rules to parse or generate a IKEv2-CP Payload
- *
- * The defined offsets are the positions in a object of type
- * private_cp_payload_t.
- *
- */
-encoding_rule_t cp_payload_encodings[] = {
-	/* 1 Byte next payload type, stored in the field next_payload */
-	{ U_INT_8,		offsetof(private_cp_payload_t, next_payload) 			},
-	/* the critical bit */
-	{ FLAG,			offsetof(private_cp_payload_t, critical) 				},
-	/* 7 Bit reserved bits, nowhere stored */
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	/* Length of the whole CP payload*/
-	{ PAYLOAD_LENGTH,		offsetof(private_cp_payload_t, payload_length) 	},
-	/* Proposals are stored in a proposal substructure,
-	   offset points to a linked_list_t pointer */
-	{ U_INT_8,				offsetof(private_cp_payload_t, type)			},
-	{ RESERVED_BYTE,0 														},
-	{ RESERVED_BYTE,0														},
-	{ RESERVED_BYTE,0														},
-	{ CONFIGURATION_ATTRIBUTES,	offsetof(private_cp_payload_t, attributes)	}
-};
-
-/*
-                           1                   2                   3
-       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-      ! Next Payload  !C! RESERVED    !         Payload Length        !
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-      !   CFG Type    !                    RESERVED                   !
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-      !                                                               !
-      ~                   Configuration Attributes                    ~
-      !                                                               !
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-*/
-
-/**
- * Implementation of payload_t.verify.
- */
-static status_t verify(private_cp_payload_t *this)
-{
-	status_t status = SUCCESS;
-	enumerator_t *enumerator;
-	payload_t *attribute;
-
-	enumerator = this->attributes->create_enumerator(this->attributes);
-	while (enumerator->enumerate(enumerator, &attribute))
-	{
-		status = attribute->verify(attribute);
-		if (status != SUCCESS)
-		{
-			break;
-		}
-	}
-	enumerator->destroy(enumerator);
-	return status;
-}
-
-/**
- * Implementation of payload_t.get_encoding_rules.
- */
-static void get_encoding_rules(private_cp_payload_t *this,
-							   encoding_rule_t **rules, size_t *rule_count)
-{
-	*rules = cp_payload_encodings;
-	*rule_count = sizeof(cp_payload_encodings) / sizeof(encoding_rule_t);
-}
-
-/**
- * Implementation of payload_t.get_type.
- */
-static payload_type_t get_type(private_cp_payload_t *this)
-{
-	return CONFIGURATION;
-}
-
-/**
- * Implementation of payload_t.get_next_type.
- */
-static payload_type_t get_next_type(private_cp_payload_t *this)
-{
-	return this->next_payload;
-}
-
-/**
- * Implementation of payload_t.set_next_type.
- */
-static void set_next_type(private_cp_payload_t *this,payload_type_t type)
-{
-	this->next_payload = type;
-}
-
-/**
- * recompute the length of the payload.
- */
-static void compute_length(private_cp_payload_t *this)
-{
-	enumerator_t *enumerator;
-	payload_t *attribute;
-
-	this->payload_length = CP_PAYLOAD_HEADER_LENGTH;
-
-	enumerator = this->attributes->create_enumerator(this->attributes);
-	while (enumerator->enumerate(enumerator, &attribute))
-	{
-		this->payload_length += attribute->get_length(attribute);
-	}
-	enumerator->destroy(enumerator);
-}
-
-/**
- * Implementation of payload_t.get_length.
- */
-static size_t get_length(private_cp_payload_t *this)
-{
-	return this->payload_length;
-}
-
-/**
- * Implementation of cp_payload_t.create_attribute_enumerator.
- */
-static enumerator_t *create_attribute_enumerator(private_cp_payload_t *this)
-{
-	return this->attributes->create_enumerator(this->attributes);
-}
-
-/**
- * Implementation of cp_payload_t.add_attribute.
- */
-static void add_attribute(private_cp_payload_t *this,
-						  configuration_attribute_t *attribute)
-{
-	this->attributes->insert_last(this->attributes, attribute);
-	compute_length(this);
-}
-
-/**
- * Implementation of cp_payload_t.get_type.
- */
-static config_type_t get_config_type(private_cp_payload_t *this)
-{
-	return this->type;
-}
-
-/**
- * Implementation of payload_t.destroy and cp_payload_t.destroy.
- */
-static void destroy(private_cp_payload_t *this)
-{
-	this->attributes->destroy_offset(this->attributes,
-								offsetof(configuration_attribute_t, destroy));
-	free(this);
-}
-
-/*
- * Described in header.
- */
-cp_payload_t *cp_payload_create()
-{
-	private_cp_payload_t *this = malloc_thing(private_cp_payload_t);
-
-	this->public.payload_interface.verify = (status_t (*) (payload_t *))verify;
-	this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules;
-	this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length;
-	this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type;
-	this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
-	this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_type;
-	this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
-
-	this->public.create_attribute_enumerator = (enumerator_t*(*)(cp_payload_t *))create_attribute_enumerator;
-	this->public.add_attribute = (void (*) (cp_payload_t *,configuration_attribute_t*))add_attribute;
-	this->public.get_type = (config_type_t (*) (cp_payload_t *))get_config_type;
-	this->public.destroy = (void (*)(cp_payload_t *))destroy;
-
-	/* set default values of the fields */
-	this->critical = FALSE;
-	this->next_payload = NO_PAYLOAD;
-	this->payload_length = CP_PAYLOAD_HEADER_LENGTH;
-	this->attributes = linked_list_create();
-	this->type = CFG_REQUEST;
-
-	return &this->public;
-}
-
-/*
- * Described in header.
- */
-cp_payload_t *cp_payload_create_type(config_type_t type)
-{
-	private_cp_payload_t *this = (private_cp_payload_t*)cp_payload_create();
-
-	this->type = type;
-
-	return &this->public;
-}
-
diff --git a/src/charon/encoding/payloads/cp_payload.h b/src/charon/encoding/payloads/cp_payload.h
deleted file mode 100644
index c0760885a..000000000
--- a/src/charon/encoding/payloads/cp_payload.h
+++ /dev/null
@@ -1,108 +0,0 @@
-/*
- * Copyright (C) 2005-2009 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup cp_payload cp_payload
- * @{ @ingroup payloads
- */
-
-#ifndef CP_PAYLOAD_H_
-#define CP_PAYLOAD_H_
-
-typedef enum config_type_t config_type_t;
-typedef struct cp_payload_t cp_payload_t;
-
-#include <library.h>
-#include <encoding/payloads/payload.h>
-#include <encoding/payloads/configuration_attribute.h>
-#include <utils/enumerator.h>
-
-/**
- * CP_PAYLOAD length in bytes without any proposal substructure.
- */
-#define CP_PAYLOAD_HEADER_LENGTH 8
-
-/**
- * Config Type of an Configuration Payload.
- */
-enum config_type_t {
-	CFG_REQUEST = 1,
-	CFG_REPLY = 2,
-	CFG_SET = 3,
-	CFG_ACK = 4,
-};
-
-/**
- * enum name for config_type_t.
- */
-extern enum_name_t *config_type_names;
-
-/**
- * Class representing an IKEv2-CP Payload.
- *
- * The CP Payload format is described in RFC section 3.15.
- */
-struct cp_payload_t {
-
-	/**
-	 * The payload_t interface.
-	 */
-	payload_t payload_interface;
-
-	/**
-	 * Creates an iterator of stored configuration_attribute_t objects.
-	 *
-	 * @return			enumerator over configration_attribute_T
-	 */
-	enumerator_t *(*create_attribute_enumerator) (cp_payload_t *this);
-
-	/**
-	 * Adds a configuration attribute to the configuration payload.
-	 *
-	 * @param attribute	attribute to add
-	 */
-	void (*add_attribute)(cp_payload_t *this,
-						  configuration_attribute_t *attribute);
-
-	/**
-	 * Get the configuration payload type.
-	 *
-	 * @return			type of configuration payload
-	 */
-	config_type_t (*get_type) (cp_payload_t *this);
-
-	/**
-	 * Destroys an cp_payload_t object.
-	 */
-	void (*destroy) (cp_payload_t *this);
-};
-
-/**
- * Creates an empty configuration payload
- *
- * @return		empty configuration payload
- */
-cp_payload_t *cp_payload_create();
-
-/**
- * Creates an cp_payload_t with type and value
- *
- * @param type	type of configuration payload to create
- * @return		created configuration payload
- */
-cp_payload_t *cp_payload_create_type(config_type_t config_type);
-
-#endif /** CP_PAYLOAD_H_ @}*/
diff --git a/src/charon/encoding/payloads/delete_payload.c b/src/charon/encoding/payloads/delete_payload.c
deleted file mode 100644
index 97b4743b2..000000000
--- a/src/charon/encoding/payloads/delete_payload.c
+++ /dev/null
@@ -1,292 +0,0 @@
-/*
- * Copyright (C) 2005-2006 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <stddef.h>
-
-#include "delete_payload.h"
-
-
-typedef struct private_delete_payload_t private_delete_payload_t;
-
-/**
- * Private data of an delete_payload_t object.
- *
- */
-struct private_delete_payload_t {
-	/**
-	 * Public delete_payload_t interface.
-	 */
-	delete_payload_t public;
-
-	/**
-	 * Next payload type.
-	 */
-	u_int8_t  next_payload;
-
-	/**
-	 * Critical flag.
-	 */
-	bool critical;
-
-	/**
-	 * Length of this payload.
-	 */
-	u_int16_t payload_length;
-
-	/**
-	 * Protocol ID.
-	 */
-	u_int8_t protocol_id;
-
-	/**
-	 * SPI Size.
-	 */
-	u_int8_t spi_size;
-
-	/**
-	 * Number of SPI's.
-	 */
-	u_int16_t spi_count;
-
-	/**
-	 * The contained SPI's.
-	 */
-	chunk_t spis;
-
-	/**
-	 * List containing u_int32_t spis
-	 */
-	linked_list_t *spi_list;
-};
-
-/**
- * Encoding rules to parse or generate a DELETE payload
- *
- * The defined offsets are the positions in a object of type
- * private_delete_payload_t.
- *
- */
-encoding_rule_t delete_payload_encodings[] = {
-	/* 1 Byte next payload type, stored in the field next_payload */
-	{ U_INT_8,			offsetof(private_delete_payload_t, next_payload) 	},
-	/* the critical bit */
-	{ FLAG,				offsetof(private_delete_payload_t, critical) 		},
-	/* 7 Bit reserved bits, nowhere stored */
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	/* Length of the whole payload*/
-	{ PAYLOAD_LENGTH,	offsetof(private_delete_payload_t, payload_length)},
-	{ U_INT_8,			offsetof(private_delete_payload_t, protocol_id)		},
-	{ U_INT_8,			offsetof(private_delete_payload_t, spi_size)		},
-	{ U_INT_16,			offsetof(private_delete_payload_t, spi_count)		},
-	/* some delete data bytes, length is defined in PAYLOAD_LENGTH */
-	{ SPIS,			offsetof(private_delete_payload_t, spis) 				}
-};
-
-/*
-                           1                   2                   3
-       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-      ! Next Payload  !C!  RESERVED   !         Payload Length        !
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-      ! Protocol ID   !   SPI Size    !           # of SPIs           !
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-      !                                                               !
-      ~               Security Parameter Index(es) (SPI)              ~
-      !                                                               !
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-*/
-
-/**
- * Implementation of payload_t.verify.
- */
-static status_t verify(private_delete_payload_t *this)
-{
-	switch (this->protocol_id)
-	{
-		case PROTO_AH:
-		case PROTO_ESP:
-			if (this->spi_size != 4)
-			{
-				return FAILED;
-			}
-			break;
-		case PROTO_IKE:
-		case 0:
-			/* IKE deletion has no spi assigned! */
-			if (this->spi_size != 0)
-			{
-				return FAILED;
-			}
-			break;
-		default:
-			return FAILED;
-	}
-	if (this->spis.len != (this->spi_count * this->spi_size))
-	{
-		return FAILED;
-	}
-	return SUCCESS;
-}
-
-/**
- * Implementation of delete_payload_t.get_encoding_rules.
- */
-static void get_encoding_rules(private_delete_payload_t *this, encoding_rule_t **rules, size_t *rule_count)
-{
-	*rules = delete_payload_encodings;
-	*rule_count = sizeof(delete_payload_encodings) / sizeof(encoding_rule_t);
-}
-
-/**
- * Implementation of payload_t.get_type.
- */
-static payload_type_t get_payload_type(private_delete_payload_t *this)
-{
-	return DELETE;
-}
-
-/**
- * Implementation of payload_t.get_next_type.
- */
-static payload_type_t get_next_type(private_delete_payload_t *this)
-{
-	return (this->next_payload);
-}
-
-/**
- * Implementation of payload_t.set_next_type.
- */
-static void set_next_type(private_delete_payload_t *this,payload_type_t type)
-{
-	this->next_payload = type;
-}
-
-/**
- * Implementation of payload_t.get_length.
- */
-static size_t get_length(private_delete_payload_t *this)
-{
-	return this->payload_length;
-}
-
-/**
- * Implementation of delete_payload_t.get_protocol_id.
- */
-static protocol_id_t get_protocol_id (private_delete_payload_t *this)
-{
-	return (this->protocol_id);
-}
-
-/**
- * Implementation of delete_payload_t.add_spi.
- */
-static void add_spi(private_delete_payload_t *this, u_int32_t spi)
-{
-	/* only add SPIs if AH|ESP, ignore others */
-	if (this->protocol_id == PROTO_AH || this->protocol_id == PROTO_ESP)
-	{
-		this->spi_count += 1;
-		this->spis.len += this->spi_size;
-		this->spis.ptr = realloc(this->spis.ptr, this->spis.len);
-		*(u_int32_t*)(this->spis.ptr + (this->spis.len / this->spi_size - 1)) = spi;
-		if (this->spi_list)
-		{
-			/* reset SPI iterator list */
-			this->spi_list->destroy(this->spi_list);
-			this->spi_list = NULL;
-		}
-	}
-}
-
-/**
- * Implementation of delete_payload_t.create_spi_iterator.
- */
-static iterator_t* create_spi_iterator(private_delete_payload_t *this)
-{
-	int i;
-
-	if (this->spi_list == NULL)
-	{
-		this->spi_list = linked_list_create();
-		/* only parse SPIs if AH|ESP */
-		if (this->protocol_id == PROTO_AH || this->protocol_id == PROTO_ESP)
-		{
-			for (i = 0; i < this->spi_count; i++)
-			{
-				this->spi_list->insert_last(this->spi_list, this->spis.ptr + i *
-															this->spi_size);
-			}
-		}
-	}
-	return this->spi_list->create_iterator(this->spi_list, TRUE);
-}
-
-/**
- * Implementation of payload_t.destroy and delete_payload_t.destroy.
- */
-static void destroy(private_delete_payload_t *this)
-{
-	if (this->spis.ptr != NULL)
-	{
-		chunk_free(&this->spis);
-	}
-	if (this->spi_list)
-	{
-		this->spi_list->destroy(this->spi_list);
-	}
-	free(this);
-}
-
-/*
- * Described in header
- */
-delete_payload_t *delete_payload_create(protocol_id_t protocol_id)
-{
-	private_delete_payload_t *this = malloc_thing(private_delete_payload_t);
-
-	/* interface functions */
-	this->public.payload_interface.verify = (status_t (*) (payload_t *))verify;
-	this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules;
-	this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length;
-	this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type;
-	this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
-	this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_payload_type;
-	this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
-
-	/* public functions */
-	this->public.destroy = (void (*) (delete_payload_t *)) destroy;
-	this->public.get_protocol_id = (protocol_id_t (*) (delete_payload_t *)) get_protocol_id;
-	this->public.add_spi = (void (*) (delete_payload_t *,u_int32_t))add_spi;
-	this->public.create_spi_iterator = (iterator_t* (*) (delete_payload_t *)) create_spi_iterator;
-
-	/* private variables */
-	this->critical = FALSE;
-	this->next_payload = NO_PAYLOAD;
-	this->payload_length = DELETE_PAYLOAD_HEADER_LENGTH;
-	this->protocol_id = protocol_id;
-	this->spi_size = protocol_id == PROTO_AH || protocol_id == PROTO_ESP ? 4 : 0;
-	this->spi_count = 0;
-	this->spis = chunk_empty;
-	this->spi_list = NULL;
-
-	return (&this->public);
-}
diff --git a/src/charon/encoding/payloads/delete_payload.h b/src/charon/encoding/payloads/delete_payload.h
deleted file mode 100644
index 3b62c1af1..000000000
--- a/src/charon/encoding/payloads/delete_payload.h
+++ /dev/null
@@ -1,84 +0,0 @@
-/*
- * Copyright (C) 2005-2006 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup delete_payload delete_payload
- * @{ @ingroup payloads
- */
-
-#ifndef DELETE_PAYLOAD_H_
-#define DELETE_PAYLOAD_H_
-
-typedef struct delete_payload_t delete_payload_t;
-
-#include <library.h>
-#include <encoding/payloads/payload.h>
-#include <encoding/payloads/proposal_substructure.h>
-
-/**
- * Length of a delete payload without the SPI in bytes.
- */
-#define DELETE_PAYLOAD_HEADER_LENGTH 8
-
-/**
- * Class representing an IKEv2 DELETE payload.
- *
- * The DELETE payload format is described in RFC section 3.11.
- */
-struct delete_payload_t {
-	/**
-	 * The payload_t interface.
-	 */
-	payload_t payload_interface;
-
-	/**
-	 * Get the protocol ID.
-	 *
-	 * @return				protocol ID
-	 */
-	protocol_id_t (*get_protocol_id) (delete_payload_t *this);
-
-	/**
-	 * Add an SPI to the list of deleted SAs.
-	 *
-	 * @param spi			spi to add
-	 */
-	void (*add_spi) (delete_payload_t *this, u_int32_t spi);
-
-	/**
-	 * Get an iterator over the SPIs.
-	 *
-	 * The iterate() function returns a pointer to a u_int32_t SPI.
-	 *
-	 * @return				iterator over SPIs
-	 */
-	iterator_t *(*create_spi_iterator) (delete_payload_t *this);
-
-	/**
-	 * Destroys an delete_payload_t object.
-	 */
-	void (*destroy) (delete_payload_t *this);
-};
-
-/**
- * Creates an empty delete_payload_t object.
- *
- * @param protocol_id	protocol, such as AH|ESP
- * @return 				delete_payload_t object
- */
-delete_payload_t *delete_payload_create(protocol_id_t protocol_id);
-
-#endif /** DELETE_PAYLOAD_H_ @}*/
diff --git a/src/charon/encoding/payloads/eap_payload.c b/src/charon/encoding/payloads/eap_payload.c
deleted file mode 100644
index 21f34a642..000000000
--- a/src/charon/encoding/payloads/eap_payload.c
+++ /dev/null
@@ -1,302 +0,0 @@
-/*
- * Copyright (C) 2005-2010 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <stddef.h>
-
-#include "eap_payload.h"
-
-#include <daemon.h>
-
-typedef struct private_eap_payload_t private_eap_payload_t;
-
-/**
- * Private data of an eap_payload_t object.
- *
- */
-struct private_eap_payload_t {
-	/**
-	 * Public eap_payload_t interface.
-	 */
-	eap_payload_t public;
-
-	/**
-	 * Next payload type.
-	 */
-	u_int8_t  next_payload;
-
-	/**
-	 * Critical flag.
-	 */
-	bool critical;
-
-	/**
-	 * Length of this payload.
-	 */
-	u_int16_t payload_length;
-
-	/**
-	 * EAP message data, if available
-	 */
-	chunk_t data;
-};
-
-/**
- * Encoding rules to parse or generate a EAP payload.
- *
- * The defined offsets are the positions in a object of type
- * private_eap_payload_t.
- *
- */
-static encoding_rule_t eap_payload_encodings[] = {
-	/* 1 Byte next payload type, stored in the field next_payload */
-	{ U_INT_8,			offsetof(private_eap_payload_t, next_payload) 	},
-	/* the critical bit */
-	{ FLAG,				offsetof(private_eap_payload_t, critical) 		},
-	/* 7 Bit reserved bits, nowhere stored */
-	{ RESERVED_BIT,	0 													},
-	{ RESERVED_BIT,	0 													},
-	{ RESERVED_BIT,	0 													},
-	{ RESERVED_BIT,	0 													},
-	{ RESERVED_BIT,	0 													},
-	{ RESERVED_BIT,	0 													},
-	{ RESERVED_BIT,	0 													},
-	/* Length of the whole payload*/
-	{ PAYLOAD_LENGTH,	offsetof(private_eap_payload_t, payload_length)	},
-	/* chunt to data, starting at "code" */
-	{ EAP_DATA,			offsetof(private_eap_payload_t, data)			},
-};
-
-/*
-                            1                   2                   3
-        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
-       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-       ! Next Payload  !C!  RESERVED   !         Payload Length        !
-       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-       !     Code      ! Identifier    !           Length              !
-       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-       !     Type      ! Type_Data...
-       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
-*/
-
-METHOD(payload_t, verify, status_t,
-	private_eap_payload_t *this)
-{
-	u_int16_t length;
-	u_int8_t code;
-
-	if (this->data.len < 4)
-	{
-		DBG1(DBG_ENC, "EAP payloads EAP message too short (%d)", this->data.len);
-		return FAILED;
-	}
-	length = untoh16(this->data.ptr + 2);
-	if (this->data.len != length)
-	{
-		DBG1(DBG_ENC, "EAP payload length (%d) does not match contained "
-			 "message length (%d)", this->data.len, length);
-		return FAILED;
-	}
-	code = this->data.ptr[0];
-	switch (code)
-	{
-		case EAP_REQUEST:
-		case EAP_RESPONSE:
-		{
-			if (this->data.len < 4)
-			{
-				DBG1(DBG_ENC, "EAP Request/Response does not have any data");
-				return FAILED;
-			}
-			break;
-		}
-		case EAP_SUCCESS:
-		case EAP_FAILURE:
-		{
-			if (this->data.len != 4)
-			{
-				DBG1(DBG_ENC, "EAP Success/Failure has data");
-				return FAILED;
-			}
-			break;
-		}
-		default:
-			return FAILED;
-	}
-	return SUCCESS;
-}
-
-METHOD(payload_t, get_encoding_rules, void,
-	private_eap_payload_t *this, encoding_rule_t **rules, size_t *rule_count)
-{
-	*rules = eap_payload_encodings;
-	*rule_count = sizeof(eap_payload_encodings) / sizeof(encoding_rule_t);
-}
-
-METHOD(payload_t, get_payload_type, payload_type_t,
-	private_eap_payload_t *this)
-{
-	return EXTENSIBLE_AUTHENTICATION;
-}
-
-METHOD(payload_t, get_next_type, payload_type_t,
-	private_eap_payload_t *this)
-{
-	return (this->next_payload);
-}
-
-METHOD(payload_t, set_next_type, void,
-	private_eap_payload_t *this, payload_type_t type)
-{
-	this->next_payload = type;
-}
-
-METHOD(payload_t, get_length, size_t,
-	private_eap_payload_t *this)
-{
-	return this->payload_length;
-}
-
-METHOD(eap_payload_t, get_data, chunk_t,
-	private_eap_payload_t *this)
-{
-	return this->data;
-}
-
-METHOD(eap_payload_t, set_data, void,
-	private_eap_payload_t *this, chunk_t data)
-{
-	free(this->data.ptr);
-	this->data = chunk_clone(data);
-	this->payload_length = this->data.len + 4;
-}
-
-METHOD(eap_payload_t, get_code, eap_code_t,
-	private_eap_payload_t *this)
-{
-	if (this->data.len > 0)
-	{
-		return this->data.ptr[0];
-	}
-	/* should not happen, as it is verified */
-	return 0;
-}
-
-METHOD(eap_payload_t, get_identifier, u_int8_t,
-	private_eap_payload_t *this)
-{
-	if (this->data.len > 1)
-	{
-		return this->data.ptr[1];
-	}
-	/* should not happen, as it is verified */
-	return 0;
-}
-
-METHOD(eap_payload_t, get_type, eap_type_t,
-	private_eap_payload_t *this, u_int32_t *vendor)
-{
-	eap_type_t type;
-
-	*vendor = 0;
-	if (this->data.len > 4)
-	{
-		type = this->data.ptr[4];
-		if (type != EAP_EXPANDED)
-		{
-			return type;
-		}
-		if (this->data.len >= 12)
-		{
-			*vendor = untoh32(this->data.ptr + 4) & 0x00FFFFFF;
-			return untoh32(this->data.ptr + 8);
-		}
-	}
-	return 0;
-}
-
-METHOD2(payload_t, eap_payload_t, destroy, void,
-	private_eap_payload_t *this)
-{
-	chunk_free(&this->data);
-	free(this);
-}
-
-/*
- * Described in header
- */
-eap_payload_t *eap_payload_create()
-{
-	private_eap_payload_t *this;
-
-	INIT(this,
-		.public = {
-			.payload_interface = {
-				.verify = _verify,
-				.get_encoding_rules = _get_encoding_rules,
-				.get_length = _get_length,
-				.get_next_type = _get_next_type,
-				.set_next_type = _set_next_type,
-				.get_type = _get_payload_type,
-				.destroy = _destroy,
-			},
-			.get_data = _get_data,
-			.set_data = _set_data,
-			.get_code = _get_code,
-			.get_identifier = _get_identifier,
-			.get_type = _get_type,
-			.destroy = _destroy,
-		},
-		.next_payload = NO_PAYLOAD,
-		.payload_length = EAP_PAYLOAD_HEADER_LENGTH,
-	);
-	return &this->public;
-}
-
-/*
- * Described in header
- */
-eap_payload_t *eap_payload_create_data(chunk_t data)
-{
-	eap_payload_t *this = eap_payload_create();
-
-	this->set_data(this, data);
-	return this;
-}
-
-/*
- * Described in header
- */
-eap_payload_t *eap_payload_create_code(eap_code_t code, u_int8_t identifier)
-{
-	chunk_t data;
-
-	data = chunk_from_chars(code, identifier, 0, 0);
-	htoun16(data.ptr + 2, data.len);
-	return eap_payload_create_data(data);
-}
-
-/*
- * Described in header
- */
-eap_payload_t *eap_payload_create_nak(u_int8_t identifier)
-{
-	chunk_t data;
-
-	data = chunk_from_chars(EAP_RESPONSE, identifier, 0, 0, EAP_NAK);
-	htoun16(data.ptr + 2, data.len);
-	return eap_payload_create_data(data);
-}
-
diff --git a/src/charon/encoding/payloads/eap_payload.h b/src/charon/encoding/payloads/eap_payload.h
deleted file mode 100644
index 0bde4b15e..000000000
--- a/src/charon/encoding/payloads/eap_payload.h
+++ /dev/null
@@ -1,129 +0,0 @@
-/*
- * Copyright (C) 2005-2006 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup eap_payload eap_payload
- * @{ @ingroup payloads
- */
-
-#ifndef EAP_PAYLOAD_H_
-#define EAP_PAYLOAD_H_
-
-typedef struct eap_payload_t eap_payload_t;
-
-#include <library.h>
-#include <encoding/payloads/payload.h>
-#include <sa/authenticators/eap/eap_method.h>
-
-/**
- * Length of a EAP payload without the EAP Message in bytes.
- */
-#define EAP_PAYLOAD_HEADER_LENGTH 4
-
-/**
- * Class representing an IKEv2 EAP payload.
- *
- * The EAP payload format is described in RFC section 3.16.
- */
-struct eap_payload_t {
-
-	/**
-	 * The payload_t interface.
-	 */
-	payload_t payload_interface;
-
-	/**
-	 * Set the contained EAP data.
-	 *
-	 * This contains the FULL EAP message starting with "code".
-	 * Chunk gets cloned.
-	 *
-	 * @param message	EAP data
-	 */
-	void (*set_data) (eap_payload_t *this, chunk_t data);
-
-	/**
-	 * Get the contained EAP data.
-	 *
-	 * This contains the FULL EAP message starting with "code".
-	 *
-	 * @return			EAP data (pointer to internal data)
-	 */
-	chunk_t (*get_data) (eap_payload_t *this);
-
-	/**
-	 * Get the EAP code.
-	 *
-	 * @return			EAP message as chunk_t
-	 */
-	eap_code_t (*get_code) (eap_payload_t *this);
-
-	/**
-	 * Get the EAP identifier.
-	 *
-	 * @return			unique identifier
-	 */
-	u_int8_t (*get_identifier) (eap_payload_t *this);
-
-	/**
-	 * Get the EAP method type.
-	 *
-	 * @param vendor	pointer receiving vendor identifier
-	 * @return			EAP method type, vendor specific if vendor != 0
-	 */
-	eap_type_t (*get_type) (eap_payload_t *this, u_int32_t *vendor);
-
-	/**
-	 * Destroys an eap_payload_t object.
-	 */
-	void (*destroy) (eap_payload_t *this);
-};
-
-/**
- * Creates an empty eap_payload_t object.
- *
- * @return eap_payload_t object
- */
-eap_payload_t *eap_payload_create(void);
-
-/**
- * Creates an eap_payload_t object with data.
- *
- * @return eap_payload_t object
- */
-eap_payload_t *eap_payload_create_data(chunk_t data);
-
-/**
- * Creates an eap_payload_t object with a code.
- *
- * Could should be either EAP_SUCCESS/EAP_FAILURE, use
- * constructor above otherwise.
- *
- * @param code			EAP status code
- * @param identifier	EAP identifier to use in payload
- * @return 				eap_payload_t object
- */
-eap_payload_t *eap_payload_create_code(eap_code_t code, u_int8_t identifier);
-
-/**
- * Creates an eap_payload_t EAP_RESPONSE containing an EAP_NAK.
- *
- * @param identifier	EAP identifier to use in payload
- * @return 				eap_payload_t object
- */
-eap_payload_t *eap_payload_create_nak(u_int8_t identifier);
-
-#endif /** EAP_PAYLOAD_H_ @}*/
diff --git a/src/charon/encoding/payloads/encodings.c b/src/charon/encoding/payloads/encodings.c
deleted file mode 100644
index 85caeda82..000000000
--- a/src/charon/encoding/payloads/encodings.c
+++ /dev/null
@@ -1,58 +0,0 @@
-/*
- * Copyright (C) 2005-2006 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-
-#include "encodings.h"
-
-ENUM(encoding_type_names, U_INT_4, ENCRYPTED_DATA,
-	"U_INT_4",
-	"U_INT_8",
-	"U_INT_16",
-	"U_INT_32",
-	"RESERVED_BIT",
-	"RESERVED_BYTE",
-	"FLAG",
-	"PAYLOAD_LENGTH",
-	"HEADER_LENGTH",
-	"SPI_SIZE",
-	"SPI",
-	"KEY_EXCHANGE_DATA",
-	"NOTIFICATION_DATA",
-	"PROPOSALS",
-	"TRANSFORMS",
-	"TRANSFORM_ATTRIBUTES",
-	"CONFIGURATION_ATTRIBUTES",
-	"CONFIGURATION_ATTRIBUTE_VALUE",
-	"ATTRIBUTE_FORMAT",
-	"ATTRIBUTE_TYPE",
-	"ATTRIBUTE_LENGTH_OR_VALUE",
-	"CONFIGURATION_ATTRIBUTE_LENGTH",
-	"ATTRIBUTE_VALUE",
-	"TRAFFIC_SELECTORS",
-	"TS_TYPE",
-	"ADDRESS",
-	"NONCE_DATA",
-	"ID_DATA",
-	"AUTH_DATA",
-	"CERT_DATA",
-	"CERTREQ_DATA",
-	"EAP_DATA",
-	"SPIS",
-	"VID_DATA",
-	"UNKNOWN_DATA",
-	"IKE_SPI",
-	"ENCRYPTED_DATA",
-);
diff --git a/src/charon/encoding/payloads/encodings.h b/src/charon/encoding/payloads/encodings.h
deleted file mode 100644
index 52af4a984..000000000
--- a/src/charon/encoding/payloads/encodings.h
+++ /dev/null
@@ -1,515 +0,0 @@
-/*
- * Copyright (C) 2005-2006 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup encodings encodings
- * @{ @ingroup payloads
- */
-
-#ifndef ENCODINGS_H_
-#define ENCODINGS_H_
-
-typedef enum encoding_type_t encoding_type_t;
-typedef struct encoding_rule_t encoding_rule_t;
-
-#include <library.h>
-
-/**
- * All different kinds of encoding types.
- *
- * Each field of an IKEv2-Message (in header or payload)
- * which has to be parsed or generated differently has its own
- * type defined here.
- *
- * Header is parsed like a payload and gets its one payload_id
- * from PRIVATE USE space. Also the substructures
- * of specific payload types get their own payload_id
- * from PRIVATE_USE space. See IKEv2-Draft for more informations.
- */
-enum encoding_type_t {
-
-	/**
-	 * Representing a 4 Bit unsigned int value.
-	 *
-	 *
-	 * When generating it must be changed from host to network order.
-	 * The value is read from the associated data struct.
-	 * The current write position is moved 4 bit forward afterwards.
-	 *
-	 * When parsing it must be changed from network to host order.
-	 * The value is written to the associated data struct.
-	 * The current read pointer is moved 4 bit forward afterwards.
-	 */
-	U_INT_4,
-
-	/**
-	 * Representing a 8 Bit unsigned int value.
-	 *
-	 *
-	 * When generating it must be changed from host to network order.
-	 * The value is read from the associated data struct.
-	 * The current write position is moved 8 bit forward afterwards.
-	 *
-	 * When parsing it must be changed from network to host order.
-	 * The value is written to the associated data struct.
-	 * The current read pointer is moved 8 bit forward afterwards.
-	 */
-	U_INT_8,
-
-	/**
-	 * Representing a 16 Bit unsigned int value.
-	 *
-	 *
-	 * When generating it must be changed from host to network order.
-	 * The value is read from the associated data struct.
-	 * The current write position is moved 16 bit forward afterwards.
-	 *
-	 * When parsing it must be changed from network to host order.
-	 * The value is written to the associated data struct.
-	 * The current read pointer is moved 16 bit forward afterwards.
-	 */
-	U_INT_16,
-
-	/**
-	 * Representing a 32 Bit unsigned int value.
-	 *
-	 * When generating it must be changed from host to network order.
-	 * The value is read from the associated data struct.
-	 * The current write position is moved 32 bit forward afterwards.
-	 *
-	 * When parsing it must be changed from network to host order.
-	 * The value is written to the associated data struct.
-	 * The current read pointer is moved 32 bit forward afterwards.
-	 */
-	U_INT_32,
-
-	/**
-	 * represents a RESERVED_BIT used in FLAG-Bytes.
-	 *
-	 * When generating, the next bit is set to zero and the current write
-	 * position is moved one bit forward.
-	 * No value is read from the associated data struct.
-	 * The current write position is moved 1 bit forward afterwards.
-	 *
-	 * When parsing, the current read pointer is moved one bit forward.
-	 * No value is written to the associated data struct.
-	 * The current read pointer is moved 1 bit forward afterwards.
-	 */
-	RESERVED_BIT,
-
-	/**
-	 * represents a RESERVED_BYTE.
-	 *
-	 * When generating, the next byte is set to zero and the current write
-	 * position is moved one byte forward.
-	 * No value is read from the associated data struct.
-	 * The current write position is moved 1 byte forward afterwards.
-	 *
-	 * When parsing, the current read pointer is moved one byte forward.
-	 * No value is written to the associated data struct.
-	 * The current read pointer is moved 1 byte forward afterwards.
-	 */
-	RESERVED_BYTE,
-
-	/**
-	 * Representing a 1 Bit flag.
-	 *
-	 * When generation, the next bit is set to 1 if the associated value
-	 * in the data struct is TRUE, 0 otherwise. The current write position
-	 * is moved 1 bit forward afterwards.
-	 *
-	 * When parsing, the next bit is read and stored in the associated data
-	 * struct. 0 means FALSE, 1 means TRUE, The current read pointer
-	 * is moved 1 bit forward afterwards
-	 */
-	FLAG,
-
-	/**
-	 * Representating a length field of a payload.
-	 *
-	 * When generating it must be changed from host to network order.
-	 * The value is read from the associated data struct.
-	 * The current write position is moved 16 bit forward afterwards.
-	 *
-	 * When parsing it must be changed from network to host order.
-	 * The value is written to the associated data struct.
-	 * The current read pointer is moved 16 bit forward afterwards.
-	 */
-	PAYLOAD_LENGTH,
-
-	/**
-	 * Representating a length field of a header.
-	 *
-	 * When generating it must be changed from host to network order.
-	 * The value is read from the associated data struct.
-	 * The current write position is moved 32 bit forward afterwards.
-	 *
-	 * When parsing it must be changed from network to host order.
-	 * The value is written to the associated data struct.
-	 * The current read pointer is moved 32 bit forward afterwards.
-	 */
-	HEADER_LENGTH,
-
-	/**
-	 * Representating a spi size field.
-	 *
-	 * When generating it must be changed from host to network order.
-	 * The value is read from the associated data struct.
-	 * The current write position is moved 8 bit forward afterwards.
-	 *
-	 * When parsing it must be changed from network to host order.
-	 * The value is written to the associated data struct.
-	 * The current read pointer is moved 8 bit forward afterwards.
-	 */
-	SPI_SIZE,
-
-	/**
-	 * Representating a spi field.
-	 *
-	 * When generating the content of the chunkt pointing to
-	 * is written.
-	 *
-	 * When parsing SPI_SIZE bytes are read and written into the chunk pointing to.
-	 */
-	SPI,
-
-	/**
-	 * Representating a Key Exchange Data field.
-	 *
-	 * When generating the content of the chunkt pointing to
-	 * is written.
-	 *
-	 * When parsing (Payload Length - 8) bytes are read and written into the chunk pointing to.
-	 */
-	KEY_EXCHANGE_DATA,
-
-	/**
-	 * Representating a Notification field.
-	 *
-	 * When generating the content of the chunkt pointing to
-	 * is written.
-	 *
-	 * When parsing (Payload Length - spi size - 8) bytes are read and written into the chunk pointing to.
-	 */
-	NOTIFICATION_DATA,
-
-	/**
-	 * Representating one or more proposal substructures.
-	 *
-	 * The offset points to a linked_list_t pointer.
-	 *
-	 * When generating the proposal_substructure_t objects are stored
-	 * in the pointed linked_list.
-	 *
-	 * When parsing the parsed proposal_substructure_t objects have
-	 * to be stored in the pointed linked_list.
-	 */
-	PROPOSALS,
-
-	/**
-	 * Representating one or more transform substructures.
-	 *
-	 * The offset points to a linked_list_t pointer.
-	 *
-	 * When generating the transform_substructure_t objects are stored
-	 * in the pointed linked_list.
-	 *
-	 * When parsing the parsed transform_substructure_t objects have
-	 * to be stored in the pointed linked_list.
-	 */
-	TRANSFORMS,
-
-	/**
-	 * Representating one or more Attributes of a transform substructure.
-	 *
-	 * The offset points to a linked_list_t pointer.
-	 *
-	 * When generating the transform_attribute_t objects are stored
-	 * in the pointed linked_list.
-	 *
-	 * When parsing the parsed transform_attribute_t objects have
-	 * to be stored in the pointed linked_list.
-	 */
-	TRANSFORM_ATTRIBUTES,
-
-	/**
-	 * Representating one or more Attributes of a configuration payload.
-	 *
-	 * The offset points to a linked_list_t pointer.
-	 *
-	 * When generating the configuration_attribute_t objects are stored
-	 * in the pointed linked_list.
-	 *
-	 * When parsing the parsed configuration_attribute_t objects have
-	 * to be stored in the pointed linked_list.
-	 */
-	CONFIGURATION_ATTRIBUTES,
-
-	/**
-	 *
-	 * When generating the content of the chunkt pointing to
-	 * is written.
-	 *
-	 * When parsing (Payload Length - 4) bytes are read and written into the chunk pointing to.
-	 */
-	CONFIGURATION_ATTRIBUTE_VALUE,
-
-	/**
-	 * Representing a 1 Bit flag specifying the format of a transform attribute.
-	 *
-	 * When generation, the next bit is set to 1 if the associated value
-	 * in the data struct is TRUE, 0 otherwise. The current write position
-	 * is moved 1 bit forward afterwards.
-	 *
-	 * When parsing, the next bit is read and stored in the associated data
-	 * struct. 0 means FALSE, 1 means TRUE, The current read pointer
-	 * is moved 1 bit forward afterwards.
-	 */
-	ATTRIBUTE_FORMAT,
-	/**
-	 * Representing a 15 Bit unsigned int value used as attribute type
-	 * in an attribute transform.
-	 *
-	 *
-	 * When generating it must be changed from host to network order.
-	 * The value is read from the associated data struct.
-	 * The current write position is moved 15 bit forward afterwards.
-	 *
-	 * When parsing it must be changed from network to host order.
-	 * The value is written to the associated data struct.
-	 * The current read pointer is moved 15 bit forward afterwards.
-	 */
-	ATTRIBUTE_TYPE,
-
-	/**
-	 * Depending on the field of type ATTRIBUTE_FORMAT
-	 * this field contains the length or the value of an transform attribute.
-	 * Its stored in a 16 unsigned integer field.
-	 *
-	 * When generating it must be changed from host to network order.
-	 * The value is read from the associated data struct.
-	 * The current write position is moved 16 bit forward afterwards.
-	 *
-	 * When parsing it must be changed from network to host order.
-	 * The value is written to the associated data struct.
-	 * The current read pointer is moved 16 bit forward afterwards.
-	 */
-	ATTRIBUTE_LENGTH_OR_VALUE,
-
-	/**
-	 * This field contains the length or the value of an configuration attribute.
-	 * Its stored in a 16 unsigned integer field.
-	 *
-	 * When generating it must be changed from host to network order.
-	 * The value is read from the associated data struct.
-	 * The current write position is moved 16 bit forward afterwards.
-	 *
-	 * When parsing it must be changed from network to host order.
-	 * The value is written to the associated data struct.
-	 * The current read pointer is moved 16 bit forward afterwards.
-	 */
-	CONFIGURATION_ATTRIBUTE_LENGTH,
-
-	/**
-	 * Depending on the field of type ATTRIBUTE_FORMAT
-	 * this field is available or missing and so parsed/generated
-	 * or not parsed/not generated.
-	 *
-	 * When generating the content of the chunkt pointing to
-	 * is written.
-	 *
-	 * When parsing SPI_SIZE bytes are read and written into the chunk pointing to.
-	 */
-	ATTRIBUTE_VALUE,
-
-	/**
-	 * Representating one or more Traffic selectors of a TS payload.
-	 *
-	 * The offset points to a linked_list_t pointer.
-	 *
-	 * When generating the traffic_selector_substructure_t objects are stored
-	 * in the pointed linked_list.
-	 *
-	 * When parsing the parsed traffic_selector_substructure_t objects have
-	 * to be stored in the pointed linked_list.
-	 */
-	TRAFFIC_SELECTORS,
-
-	/**
-	 * Representating a Traffic selector type field.
-	 *
-	 * When generating it must be changed from host to network order.
-	 * The value is read from the associated data struct.
-	 * The current write position is moved 16 bit forward afterwards.
-	 *
-	 * When parsing it must be changed from network to host order.
-	 * The value is written to the associated data struct.
-	 * The current read pointer is moved 16 bit forward afterwards.
-	 */
-	TS_TYPE,
-
-	/**
-	 * Representating an address field in a traffic selector.
-	 *
-	 * Depending on the last field of type TS_TYPE
-	 * this field is either 4 or 16 byte long.
-	 *
-	 * When generating the content of the chunkt pointing to
-	 * is written.
-	 *
-	 * When parsing 4 or 16 bytes are read and written into the chunk pointing to.
-	 */
-	ADDRESS,
-
-	/**
-	 * Representating a Nonce Data field.
-	 *
-	 * When generating the content of the chunkt pointing to
-	 * is written.
-	 *
-	 * When parsing (Payload Length - 4) bytes are read and written into the chunk pointing to.
-	 */
-	NONCE_DATA,
-
-	/**
-	 * Representating a ID Data field.
-	 *
-	 * When generating the content of the chunkt pointing to
-	 * is written.
-	 *
-	 * When parsing (Payload Length - 8) bytes are read and written into the chunk pointing to.
-	 */
-	ID_DATA,
-
-	/**
-	 * Representating a AUTH Data field.
-	 *
-	 * When generating the content of the chunkt pointing to
-	 * is written.
-	 *
-	 * When parsing (Payload Length - 8) bytes are read and written into the chunk pointing to.
-	 */
-	AUTH_DATA,
-
-	/**
-	 * Representating a CERT Data field.
-	 *
-	 * When generating the content of the chunkt pointing to
-	 * is written.
-	 *
-	 * When parsing (Payload Length - 5) bytes are read and written into the chunk pointing to.
-	 */
-	CERT_DATA,
-
-	/**
-	 * Representating a CERTREQ Data field.
-	 *
-	 * When generating the content of the chunkt pointing to
-	 * is written.
-	 *
-	 * When parsing (Payload Length - 5) bytes are read and written into the chunk pointing to.
-	 */
-	CERTREQ_DATA,
-
-	/**
-	 * Representating an EAP message field.
-	 *
-	 * When generating the content of the chunkt pointing to
-	 * is written.
-	 *
-	 * When parsing (Payload Length - 4) bytes are read and written into the chunk pointing to.
-	 */
-	EAP_DATA,
-
-	/**
-	 * Representating the SPIS field in a DELETE payload.
-	 *
-	 * When generating the content of the chunkt pointing to
-	 * is written.
-	 *
-	 * When parsing (Payload Length - 8) bytes are read and written into the chunk pointing to.
-	 */
-	SPIS,
-
-	/**
-	 * Representating the VID DATA field in a VENDOR ID payload.
-	 *
-	 * When generating the content of the chunkt pointing to
-	 * is written.
-	 *
-	 * When parsing (Payload Length - 4) bytes are read and written into the chunk pointing to.
-	 */
-	VID_DATA,
-
-	/**
-	 * Representating the DATA of an unknown payload.
-	 *
-	 * When generating the content of the chunkt pointing to
-	 * is written.
-	 *
-	 * When parsing (Payload Length - 4) bytes are read and written into the chunk pointing to.
-	 */
-	UNKNOWN_DATA,
-
-	/**
-	 * Representating an IKE_SPI field in an IKEv2 Header.
-	 *
-	 * When generating the value of the u_int64_t pointing to
-	 * is written (host and networ order is not changed).
-	 *
-	 * When parsing 8 bytes are read and written into the u_int64_t pointing to.
-	 */
-	IKE_SPI,
-
-	/**
-	 * Representing the encrypted data body of a encryption payload.
-	 */
-	ENCRYPTED_DATA,
-};
-
-/**
- * enum name for encoding_type_t
- */
-extern enum_name_t *encoding_type_names;
-
-/**
- * Rule how to en-/decode a payload field.
- *
- * An encoding rule is a mapping of a specific encoding type to
- * a location in the data struct where the current field is stored to
- * or read from.
- * This rules are used by parser and generator.
- */
-struct encoding_rule_t {
-
-	/**
-	 * Encoding type.
-	 */
-	encoding_type_t type;
-
-	/**
-	 * Offset in the data struct.
-	 *
-	 * When parsing, data are written to this offset of the
-	 * data struct.
-	 *
-	 * When generating, data are read from this offset in the
-	 * data struct.
-	 */
-	u_int32_t offset;
-};
-
-#endif /** ENCODINGS_H_ @}*/
diff --git a/src/charon/encoding/payloads/encryption_payload.c b/src/charon/encoding/payloads/encryption_payload.c
deleted file mode 100644
index 389ab09d7..000000000
--- a/src/charon/encoding/payloads/encryption_payload.c
+++ /dev/null
@@ -1,619 +0,0 @@
-/*
- * Copyright (C) 2005-2006 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <stddef.h>
-#include <string.h>
-
-#include "encryption_payload.h"
-
-#include <daemon.h>
-#include <encoding/payloads/encodings.h>
-#include <utils/linked_list.h>
-#include <encoding/generator.h>
-#include <encoding/parser.h>
-#include <utils/iterator.h>
-#include <crypto/signers/signer.h>
-
-
-typedef struct private_encryption_payload_t private_encryption_payload_t;
-
-/**
- * Private data of an encryption_payload_t' Object.
- *
- */
-struct private_encryption_payload_t {
-
-	/**
-	 * Public encryption_payload_t interface.
-	 */
-	encryption_payload_t public;
-
-	/**
-	 * There is no next payload for an encryption payload,
-	 * since encryption payload MUST be the last one.
-	 * next_payload means here the first payload of the
-	 * contained, encrypted payload.
-	 */
-	u_int8_t next_payload;
-
-	/**
-	 * Critical flag.
-	 */
-	bool critical;
-
-	/**
-	 * Length of this payload
-	 */
-	u_int16_t payload_length;
-
-	/**
-	 * Chunk containing the iv, data, padding,
-	 * and (an eventually not calculated) signature.
-	 */
-	chunk_t encrypted;
-
-	/**
-	 * Chunk containing the data in decrypted (unpadded) form.
-	 */
-	chunk_t decrypted;
-
-	/**
-	 * Signer set by set_signer.
-	 */
-	signer_t *signer;
-
-	/**
-	 * Crypter, supplied by encrypt/decrypt
-	 */
-	crypter_t *crypter;
-
-	/**
-	 * Contained payloads of this encrpytion_payload.
-	 */
-	linked_list_t *payloads;
-};
-
-/**
- * Encoding rules to parse or generate a IKEv2-Encryption Payload.
- *
- * The defined offsets are the positions in a object of type
- * private_encryption_payload_t.
- *
- */
-encoding_rule_t encryption_payload_encodings[] = {
-	/* 1 Byte next payload type, stored in the field next_payload */
-	{ U_INT_8,			offsetof(private_encryption_payload_t, next_payload) 	},
-	/* the critical bit */
-	{ FLAG,				offsetof(private_encryption_payload_t, critical) 		},
-	/* 7 Bit reserved bits, nowhere stored */
-	{ RESERVED_BIT,		0 														},
-	{ RESERVED_BIT,		0 														},
-	{ RESERVED_BIT,		0 														},
-	{ RESERVED_BIT,		0 														},
-	{ RESERVED_BIT,		0 														},
-	{ RESERVED_BIT,		0 														},
-	{ RESERVED_BIT,		0 														},
-	/* Length of the whole encryption payload*/
-	{ PAYLOAD_LENGTH,	offsetof(private_encryption_payload_t, payload_length) 	},
-	/* encrypted data, stored in a chunk. contains iv, data, padding */
-	{ ENCRYPTED_DATA,	offsetof(private_encryption_payload_t, encrypted)			},
-};
-
-/*
-                           1                   2                   3
-       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-      ! Next Payload  !C!  RESERVED   !         Payload Length        !
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-      !                     Initialization Vector                     !
-      !         (length is block size for encryption algorithm)       !
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-      !                    Encrypted IKE Payloads                     !
-      +               +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-      !               !             Padding (0-255 octets)            !
-      +-+-+-+-+-+-+-+-+                               +-+-+-+-+-+-+-+-+
-      !                                               !  Pad Length   !
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-      ~                    Integrity Checksum Data                    ~
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-*/
-
-/**
- * Implementation of payload_t.verify.
- */
-static status_t verify(private_encryption_payload_t *this)
-{
-	return SUCCESS;
-}
-
-/**
- * Implementation of payload_t.get_encoding_rules.
- */
-static void get_encoding_rules(private_encryption_payload_t *this, encoding_rule_t **rules, size_t *rule_count)
-{
-	*rules = encryption_payload_encodings;
-	*rule_count = sizeof(encryption_payload_encodings) / sizeof(encoding_rule_t);
-}
-
-/**
- * Implementation of payload_t.get_type.
- */
-static payload_type_t get_type(private_encryption_payload_t *this)
-{
-	return ENCRYPTED;
-}
-
-/**
- * Implementation of payload_t.get_next_type.
- */
-static payload_type_t get_next_type(private_encryption_payload_t *this)
-{
-	/* returns first contained payload here */
-	return (this->next_payload);
-}
-
-/**
- * Implementation of payload_t.set_next_type.
- */
-static void set_next_type(private_encryption_payload_t *this, payload_type_t type)
-{
-	/* set next type is not allowed, since this payload MUST be the last one
-	 * and so nothing is done in here*/
-}
-
-/**
- * (re-)compute the lenght of the whole payload
- */
-static void compute_length(private_encryption_payload_t *this)
-{
-	iterator_t *iterator;
-	payload_t *current_payload;
-	size_t block_size, length = 0;
-	iterator = this->payloads->create_iterator(this->payloads, TRUE);
-
-	/* count payload length */
-	while (iterator->iterate(iterator, (void **) &current_payload))
-	{
-		length += current_payload->get_length(current_payload);
-	}
-	iterator->destroy(iterator);
-
-	if (this->crypter && this->signer)
-	{
-		/* append one byte for padding length */
-		length++;
-		/* append padding */
-		block_size = this->crypter->get_block_size(this->crypter);
-		length += block_size - length % block_size;
-		/* add iv */
-		length += block_size;
-		/* add signature */
-		length += this->signer->get_block_size(this->signer);
-	}
-	length += ENCRYPTION_PAYLOAD_HEADER_LENGTH;
-	this->payload_length = length;
-}
-
-/**
- * Implementation of payload_t.get_length.
- */
-static size_t get_length(private_encryption_payload_t *this)
-{
-	compute_length(this);
-	return this->payload_length;
-}
-
-/**
- * Implementation of payload_t.create_payload_iterator.
- */
-static  iterator_t *create_payload_iterator (private_encryption_payload_t *this, bool forward)
-{
-	return (this->payloads->create_iterator(this->payloads, forward));
-}
-
-/**
- * Implementation of payload_t.add_payload.
- */
-static void add_payload(private_encryption_payload_t *this, payload_t *payload)
-{
-	payload_t *last_payload;
-	if (this->payloads->get_count(this->payloads) > 0)
-	{
-		this->payloads->get_last(this->payloads,(void **) &last_payload);
-		last_payload->set_next_type(last_payload, payload->get_type(payload));
-	}
-	else
-	{
-		this->next_payload = payload->get_type(payload);
-	}
-	payload->set_next_type(payload, NO_PAYLOAD);
-	this->payloads->insert_last(this->payloads, (void*)payload);
-	compute_length(this);
-}
-
-/**
- * Implementation of encryption_payload_t.remove_first_payload.
- */
-static status_t remove_first_payload(private_encryption_payload_t *this, payload_t **payload)
-{
-	return this->payloads->remove_first(this->payloads, (void**)payload);
-}
-
-/**
- * Implementation of encryption_payload_t.get_payload_count.
- */
-static size_t get_payload_count(private_encryption_payload_t *this)
-{
-	return this->payloads->get_count(this->payloads);
-}
-
-/**
- * Generate payload before encryption.
- */
-static void generate(private_encryption_payload_t *this)
-{
-	payload_t *current_payload, *next_payload;
-	generator_t *generator;
-	iterator_t *iterator;
-
-	/* recalculate length before generating */
-	compute_length(this);
-
-	/* create iterator */
-	iterator = this->payloads->create_iterator(this->payloads, TRUE);
-
-	/* get first payload */
-	if (iterator->iterate(iterator, (void**)&current_payload))
-	{
-		this->next_payload = current_payload->get_type(current_payload);
-	}
-	else
-	{
-		/* no paylads? */
-		DBG2(DBG_ENC, "generating contained payloads, but none available");
-		free(this->decrypted.ptr);
-		this->decrypted = chunk_empty;
-		iterator->destroy(iterator);
-		return;
-	}
-
-	generator = generator_create();
-
-	/* build all payload, except last */
-	while(iterator->iterate(iterator, (void**)&next_payload))
-	{
-		current_payload->set_next_type(current_payload, next_payload->get_type(next_payload));
-		generator->generate_payload(generator, current_payload);
-		current_payload = next_payload;
-	}
-	iterator->destroy(iterator);
-
-	/* build last payload */
-	current_payload->set_next_type(current_payload, NO_PAYLOAD);
-	generator->generate_payload(generator, current_payload);
-
-	/* free already generated data */
-	free(this->decrypted.ptr);
-
-	generator->write_to_chunk(generator, &(this->decrypted));
-	generator->destroy(generator);
-	DBG2(DBG_ENC, "successfully generated content in encryption payload");
-}
-
-/**
- * Implementation of encryption_payload_t.encrypt.
- */
-static status_t encrypt(private_encryption_payload_t *this)
-{
-	chunk_t iv, padding, to_crypt, result;
-	rng_t *rng;
-	size_t block_size;
-
-	if (this->signer == NULL || this->crypter == NULL)
-	{
-		DBG1(DBG_ENC, "could not encrypt, signer/crypter not set");
-		return INVALID_STATE;
-	}
-
-	/* for random data in iv and padding */
-	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
-	if (!rng)
-	{
-		DBG1(DBG_ENC, "could not encrypt, no RNG found");
-		return FAILED;
-	}
-	/* build payload chunk */
-	generate(this);
-
-	DBG2(DBG_ENC, "encrypting payloads");
-	DBG3(DBG_ENC, "data to encrypt %B", &this->decrypted);
-
-	/* build padding */
-	block_size = this->crypter->get_block_size(this->crypter);
-	padding.len = block_size - ((this->decrypted.len + 1) %  block_size);
-	rng->allocate_bytes(rng, padding.len, &padding);
-
-	/* concatenate payload data, padding, padding len */
-	to_crypt.len = this->decrypted.len + padding.len + 1;
-	to_crypt.ptr = malloc(to_crypt.len);
-
-	memcpy(to_crypt.ptr, this->decrypted.ptr, this->decrypted.len);
-	memcpy(to_crypt.ptr + this->decrypted.len, padding.ptr, padding.len);
-	*(to_crypt.ptr + to_crypt.len - 1) = padding.len;
-
-	/* build iv */
-	iv.len = block_size;
-	rng->allocate_bytes(rng, iv.len, &iv);
-	rng->destroy(rng);
-
-	DBG3(DBG_ENC, "data before encryption with padding %B", &to_crypt);
-
-	/* encrypt to_crypt chunk */
-	free(this->encrypted.ptr);
-	this->crypter->encrypt(this->crypter, to_crypt, iv, &result);
-	free(padding.ptr);
-	free(to_crypt.ptr);
-
-	DBG3(DBG_ENC, "data after encryption %B", &result);
-
-	/* build encrypted result with iv and signature */
-	this->encrypted.len = iv.len + result.len + this->signer->get_block_size(this->signer);
-	free(this->encrypted.ptr);
-	this->encrypted.ptr = malloc(this->encrypted.len);
-
-	/* fill in result, signature is left out */
-	memcpy(this->encrypted.ptr, iv.ptr, iv.len);
-	memcpy(this->encrypted.ptr + iv.len, result.ptr, result.len);
-
-	free(result.ptr);
-	free(iv.ptr);
-	DBG3(DBG_ENC, "data after encryption with IV and (invalid) signature %B",
-		 &this->encrypted);
-
-	return SUCCESS;
-}
-
-/**
- * Parse the payloads after decryption.
- */
-static status_t parse(private_encryption_payload_t *this)
-{
-	parser_t *parser;
-	status_t status;
-	payload_type_t current_payload_type;
-
-	/* build a parser on the decrypted data */
-	parser = parser_create(this->decrypted);
-
-	current_payload_type = this->next_payload;
-	/* parse all payloads */
-	while (current_payload_type != NO_PAYLOAD)
-	{
-		payload_t *current_payload;
-
-		status = parser->parse_payload(parser, current_payload_type, (payload_t**)&current_payload);
-		if (status != SUCCESS)
-		{
-			parser->destroy(parser);
-			return PARSE_ERROR;
-		}
-
-		status = current_payload->verify(current_payload);
-		if (status != SUCCESS)
-		{
-			DBG1(DBG_ENC, "%N verification failed",
-				 payload_type_names, current_payload->get_type(current_payload));
-			current_payload->destroy(current_payload);
-			parser->destroy(parser);
-			return VERIFY_ERROR;
-		}
-
-		/* get next payload type */
-		current_payload_type = current_payload->get_next_type(current_payload);
-
-		this->payloads->insert_last(this->payloads,current_payload);
-	}
-	parser->destroy(parser);
-	DBG2(DBG_ENC, "succesfully parsed content of encryption payload");
-	return SUCCESS;
-}
-
-/**
- * Implementation of encryption_payload_t.encrypt.
- */
-static status_t decrypt(private_encryption_payload_t *this)
-{
-	chunk_t iv, concatenated;
-	u_int8_t padding_length;
-
-	DBG2(DBG_ENC, "decrypting encryption payload");
-	DBG3(DBG_ENC, "data before decryption with IV and (invalid) signature %B",
-		 &this->encrypted);
-
-	if (this->signer == NULL || this->crypter == NULL)
-	{
-		DBG1(DBG_ENC, "could not decrypt, no crypter/signer set");
-		return INVALID_STATE;
-	}
-
-	/* get IV */
-	iv.len = this->crypter->get_block_size(this->crypter);
-
-	iv.ptr = this->encrypted.ptr;
-
-	/* point concatenated to data + padding + padding_length*/
-	concatenated.ptr = this->encrypted.ptr + iv.len;
-	concatenated.len = this->encrypted.len - iv.len -
-								this->signer->get_block_size(this->signer);
-
-	/* concatenated must be a multiple of block_size of crypter */
-	if (concatenated.len < iv.len || concatenated.len % iv.len)
-	{
-		DBG1(DBG_ENC, "could not decrypt, invalid input");
-		return FAILED;
-	}
-
-	/* free previus data, if any */
-	free(this->decrypted.ptr);
-
-	DBG3(DBG_ENC, "data before decryption %B", &concatenated);
-
-	this->crypter->decrypt(this->crypter, concatenated, iv, &this->decrypted);
-
-	DBG3(DBG_ENC, "data after decryption with padding %B", &this->decrypted);
-
-	/* get padding length, sits just bevore signature */
-	padding_length = *(this->decrypted.ptr + this->decrypted.len - 1);
-	/* add one byte to the padding length, since the padding_length field is
-	 * not included */
-	padding_length++;
-	this->decrypted.len -= padding_length;
-
-	/* check size again */
-	if (padding_length > concatenated.len || this->decrypted.len < 0)
-	{
-		DBG1(DBG_ENC, "decryption failed, invalid padding length found. Invalid key?");
-		/* decryption failed :-/ */
-		return FAILED;
-	}
-
-	/* free padding */
-	this->decrypted.ptr = realloc(this->decrypted.ptr, this->decrypted.len);
-	DBG3(DBG_ENC, "data after decryption without padding %B", &this->decrypted);
-	DBG2(DBG_ENC, "decryption successful, trying to parse content");
-	return parse(this);
-}
-
-/**
- * Implementation of encryption_payload_t.set_transforms.
- */
-static void set_transforms(private_encryption_payload_t *this, crypter_t* crypter, signer_t* signer)
-{
-	this->signer = signer;
-	this->crypter = crypter;
-}
-
-/**
- * Implementation of encryption_payload_t.build_signature.
- */
-static status_t build_signature(private_encryption_payload_t *this, chunk_t data)
-{
-	chunk_t data_without_sig = data;
-	chunk_t sig;
-
-	if (this->signer == NULL)
-	{
-		DBG1(DBG_ENC, "unable to build signature, no signer set");
-		return INVALID_STATE;
-	}
-
-	sig.len = this->signer->get_block_size(this->signer);
-	data_without_sig.len -= sig.len;
-	sig.ptr = data.ptr + data_without_sig.len;
-	DBG2(DBG_ENC, "building signature");
-	this->signer->get_signature(this->signer, data_without_sig, sig.ptr);
-	return SUCCESS;
-}
-
-/**
- * Implementation of encryption_payload_t.verify_signature.
- */
-static status_t verify_signature(private_encryption_payload_t *this, chunk_t data)
-{
-	chunk_t sig, data_without_sig;
-	bool valid;
-
-	if (this->signer == NULL)
-	{
-		DBG1(DBG_ENC, "unable to verify signature, no signer set");
-		return INVALID_STATE;
-	}
-	/* find signature in data chunk */
-	sig.len = this->signer->get_block_size(this->signer);
-	if (data.len <= sig.len)
-	{
-		DBG1(DBG_ENC, "unable to verify signature, invalid input");
-		return FAILED;
-	}
-	sig.ptr = data.ptr + data.len - sig.len;
-
-	/* verify it */
-	data_without_sig.len = data.len - sig.len;
-	data_without_sig.ptr = data.ptr;
-	valid = this->signer->verify_signature(this->signer, data_without_sig, sig);
-
-	if (!valid)
-	{
-		DBG1(DBG_ENC, "signature verification failed");
-		return FAILED;
-	}
-
-	DBG2(DBG_ENC, "signature verification successful");
-	return SUCCESS;
-}
-
-/**
- * Implementation of payload_t.destroy.
- */
-static void destroy(private_encryption_payload_t *this)
-{
-	this->payloads->destroy_offset(this->payloads, offsetof(payload_t, destroy));
-	free(this->encrypted.ptr);
-	free(this->decrypted.ptr);
-	free(this);
-}
-
-/*
- * Described in header
- */
-encryption_payload_t *encryption_payload_create()
-{
-	private_encryption_payload_t *this = malloc_thing(private_encryption_payload_t);
-
-	/* payload_t interface functions */
-	this->public.payload_interface.verify = (status_t (*) (payload_t *))verify;
-	this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules;
-	this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length;
-	this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type;
-	this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
-	this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_type;
-	this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
-
-	/* public functions */
-	this->public.create_payload_iterator = (iterator_t * (*) (encryption_payload_t *,bool)) create_payload_iterator;
-	this->public.add_payload = (void (*) (encryption_payload_t *,payload_t *)) add_payload;
-	this->public.remove_first_payload = (status_t (*)(encryption_payload_t*, payload_t **)) remove_first_payload;
-	this->public.get_payload_count = (size_t (*)(encryption_payload_t*)) get_payload_count;
-
-	this->public.encrypt = (status_t (*) (encryption_payload_t *)) encrypt;
-	this->public.decrypt = (status_t (*) (encryption_payload_t *)) decrypt;
-	this->public.set_transforms = (void (*) (encryption_payload_t*,crypter_t*,signer_t*)) set_transforms;
-	this->public.build_signature = (status_t (*) (encryption_payload_t*, chunk_t)) build_signature;
-	this->public.verify_signature = (status_t (*) (encryption_payload_t*, chunk_t)) verify_signature;
-	this->public.destroy = (void (*) (encryption_payload_t *)) destroy;
-
-	/* set default values of the fields */
-	this->critical = FALSE;
-	this->next_payload = NO_PAYLOAD;
-	this->payload_length = ENCRYPTION_PAYLOAD_HEADER_LENGTH;
-	this->encrypted = chunk_empty;
-	this->decrypted = chunk_empty;
-	this->signer = NULL;
-	this->crypter = NULL;
-	this->payloads = linked_list_create();
-
-	return (&(this->public));
-}
diff --git a/src/charon/encoding/payloads/encryption_payload.h b/src/charon/encoding/payloads/encryption_payload.h
deleted file mode 100644
index ac5326b87..000000000
--- a/src/charon/encoding/payloads/encryption_payload.h
+++ /dev/null
@@ -1,173 +0,0 @@
-/*
- * Copyright (C) 2005-2006 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup encryption_payload encryption_payload
- * @{ @ingroup payloads
- */
-
-#ifndef ENCRYPTION_PAYLOAD_H_
-#define ENCRYPTION_PAYLOAD_H_
-
-typedef struct encryption_payload_t encryption_payload_t;
-
-#include <library.h>
-#include <crypto/crypters/crypter.h>
-#include <crypto/signers/signer.h>
-#include <encoding/payloads/payload.h>
-#include <utils/linked_list.h>
-
-/**
- * Encrpytion payload length in bytes without IV and following data.
- */
-#define ENCRYPTION_PAYLOAD_HEADER_LENGTH 4
-
-
-/**
- * The encryption payload as described in RFC section 3.14.
- *
- * Before any crypt/decrypt/sign/verify operation can occur,
- * the transforms must be set. After that, a parsed encryption payload
- * can be decrypted, which also will parse the contained payloads.
- * Encryption is done the same way, added payloads will get generated
- * and then encrypted.
- * For signature building, there is the FULL packet needed. Meaning it
- * must be builded after generation of all payloads and the encryption
- * of the encryption payload.
- * Signature verificatin is done before decryption.
- */
-struct encryption_payload_t {
-	/**
-	 * Implements payload_t interface.
-	 */
-	payload_t payload_interface;
-
-	/**
-	 * Creates an iterator for all contained payloads.
-	 *
-	 * iterator_t object has to get destroyed by the caller.
-	 *
-	 * @param forward 		iterator direction (TRUE: front to end)
-	 * return				created iterator_t object
-	 */
-	 iterator_t *(*create_payload_iterator) (encryption_payload_t *this, bool forward);
-
-	/**
-	 * Adds a payload to this encryption payload.
-	 *
-	 * @param payload		payload_t object to add
-	 */
-	void (*add_payload) (encryption_payload_t *this, payload_t *payload);
-
-	/**
-	 * Reove the last payload in the contained payload list.
-	 *
-	 * @param payload		removed payload
-	 * @return
-	 * 						- SUCCESS, or
-	 * 						- NOT_FOUND if list empty
-	 */
-	status_t (*remove_first_payload) (encryption_payload_t *this, payload_t **payload);
-
-	/**
-	 * Get the number of payloads.
-	 *
-	 * @return				number of contained payloads
-	 */
-	size_t (*get_payload_count) (encryption_payload_t *this);
-
-	/**
-	 * Set transforms to use.
-	 *
-	 * To decryption, encryption, signature building and verifying,
-	 * the payload needs a crypter and a signer object.
-	 *
-	 * @warning Do NOT call this function again after encryption, since
-	 * the signer must be the same while encrypting and signature building!
-	 *
-	 * @param crypter		crypter_t to use for data de-/encryption
-	 * @param signer		signer_t to use for data signing/verifying
-	 */
-	void (*set_transforms) (encryption_payload_t *this, crypter_t *crypter, signer_t *signer);
-
-	/**
-	 * Generate and encrypt contained payloads.
-	 *
-	 * This function generates the content for added payloads
-	 * and encrypts them. Signature is not built, since we need
-	 * additional data (the full message).
-	 *
-	 * @return				SUCCESS, or INVALID_STATE if transforms not set
-	 */
-	status_t (*encrypt) (encryption_payload_t *this);
-
-	/**
-	 * Decrypt and parse contained payloads.
-	 *
-	 * This function decrypts the contained data. After,
-	 * the payloads are parsed internally and are accessible
-	 * via the iterator.
-	 *
-	 * @return
-	 * 						- SUCCESS, or
-	 * 						- INVALID_STATE if transforms not set, or
-	 * 						- FAILED if data is invalid
-	 */
-	status_t (*decrypt) (encryption_payload_t *this);
-
-	/**
-	 * Build the signature.
-	 *
-	 * The signature is built over the FULL message, so the header
-	 * and every payload (inclusive this one) must already be generated.
-	 * The generated message is supplied via the data paramater.
-	 *
-	 * @param data			chunk contains the already generated message
-	 * @return
-	 * 						- SUCCESS, or
-	 * 						- INVALID_STATE if transforms not set
-	 */
-	status_t (*build_signature) (encryption_payload_t *this, chunk_t data);
-
-	/**
-	 * Verify the signature.
-	 *
-	 * Since the signature is built over the full message, we need
-	 * this data to do the verification. The message data
-	 * is supplied via the data argument.
-	 *
-	 * @param data			chunk contains the message
-	 * @return
-	 * 						- SUCCESS, or
-	 * 						- FAILED if signature invalid, or
-	 * 						- INVALID_STATE if transforms not set
-	 */
-	status_t (*verify_signature) (encryption_payload_t *this, chunk_t data);
-
-	/**
-	 * Destroys an encryption_payload_t object.
-	 */
-	void (*destroy) (encryption_payload_t *this);
-};
-
-/**
- * Creates an empty encryption_payload_t object.
- *
- * @return encryption_payload_t object
- */
-encryption_payload_t *encryption_payload_create(void);
-
-#endif /** ENCRYPTION_PAYLOAD_H_ @}*/
diff --git a/src/charon/encoding/payloads/endpoint_notify.c b/src/charon/encoding/payloads/endpoint_notify.c
deleted file mode 100644
index faec1ea71..000000000
--- a/src/charon/encoding/payloads/endpoint_notify.c
+++ /dev/null
@@ -1,422 +0,0 @@
-/*
- * Copyright (C) 2007 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "endpoint_notify.h"
-
-#include <math.h>
-
-#include <daemon.h>
-
-typedef struct private_endpoint_notify_t private_endpoint_notify_t;
-
-/**
- * Private data of an notify_payload_t object.
- */
-struct private_endpoint_notify_t {
-	/**
-	 * Public endpoint_notify_t interface.
-	 */
-	endpoint_notify_t public;
-
-	/**
-	 * Priority
-	 */
-	u_int32_t priority;
-
-	/**
-	 * Family
-	 */
-	me_endpoint_family_t family;
-
-	/**
-	 * Endpoint type
-	 */
-	me_endpoint_type_t type;
-
-	/**
-	 * Endpoint
-	 */
-	host_t *endpoint;
-
-	/**
-	 * Base (used for server reflexive endpoints)
-	 */
-	host_t *base;
-};
-
-/*    Notification data:
-                           1                   2                   3
-       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-      !                           Priority                            !
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-      !     Family    !      Type     !              Port             !
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-      !                       IP Address (variable)                   !
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-*/
-
-ENUM(me_endpoint_type_names, HOST, RELAYED,
-	"HOST",
-	"PEER_REFLEXIVE",
-	"SERVER_REFLEXIVE",
-	"RELAYED"
-);
-
-/**
- * Helper functions to parse integer values
- */
-static status_t parse_uint8(u_int8_t **cur, u_int8_t *top, u_int8_t *val)
-{
-	if (*cur + sizeof(u_int8_t) > top)
-	{
-		return FAILED;
-	}
-	*val =  *(u_int8_t*)*cur;
-	*cur += sizeof(u_int8_t);
-	return SUCCESS;
-}
-
-static status_t parse_uint16(u_int8_t **cur, u_int8_t *top, u_int16_t *val)
-{
-	if (*cur + sizeof(u_int16_t) > top)
-	{
-		return FAILED;
-	}
-	*val =  ntohs(*(u_int16_t*)*cur);
-	*cur += sizeof(u_int16_t);
-	return SUCCESS;
-}
-
-static status_t parse_uint32(u_int8_t **cur, u_int8_t *top, u_int32_t *val)
-{
-	if (*cur + sizeof(u_int32_t) > top)
-	{
-		return FAILED;
-	}
-	*val =  ntohl(*(u_int32_t*)*cur);
-	*cur += sizeof(u_int32_t);
-	return SUCCESS;
-}
-
-/**
- * Parses the notification data of a ME_ENDPOINT notify
- */
-static status_t parse_notification_data(private_endpoint_notify_t *this, chunk_t data)
-{
-	u_int8_t family, type, addr_family;
-	u_int16_t port;
-	chunk_t addr;
-	u_int8_t *cur = data.ptr;
-	u_int8_t *top = data.ptr + data.len;
-
-	DBG3(DBG_IKE, "me_endpoint_data %B", &data);
-
-	if (parse_uint32(&cur, top, &this->priority) != SUCCESS)
-	{
-		DBG1(DBG_IKE, "failed to parse ME_ENDPOINT: invalid priority");
-		return FAILED;
-	}
-
-	if (parse_uint8(&cur, top, &family) != SUCCESS || family >= MAX_FAMILY)
-	{
-		DBG1(DBG_IKE, "failed to parse ME_ENDPOINT: invalid family");
-		return FAILED;
-	}
-	this->family = (me_endpoint_family_t)family;
-
-	if (parse_uint8(&cur, top, &type) != SUCCESS ||
-		type == NO_TYPE || type >= MAX_TYPE)
-	{
-		DBG1(DBG_IKE, "failed to parse ME_ENDPOINT: invalid type");
-		return FAILED;
-	}
-	this->type = (me_endpoint_type_t)type;
-
-	addr_family = AF_INET;
-	addr.len = 4;
-
-	switch(this->family)
-	{
-		case IPv6:
-			addr_family = AF_INET6;
-			addr.len = 16;
-			/* fall-through */
-		case IPv4:
-			if (parse_uint16(&cur, top, &port) != SUCCESS)
-			{
-				DBG1(DBG_IKE, "failed to parse ME_ENDPOINT: invalid port");
-				return FAILED;
-			}
-
-			if (cur + addr.len > top)
-			{
-				DBG1(DBG_IKE, "failed to parse ME_ENDPOINT: invalid IP address");
-				return FAILED;
-			}
-
-			addr.ptr = cur;
-			this->endpoint = host_create_from_chunk(addr_family, addr, port);
-			break;
-		case NO_FAMILY:
-		default:
-			this->endpoint = NULL;
-			break;
-	}
-	return SUCCESS;
-}
-
-
-/**
- * Generates the notification data of a ME_ENDPOINT notify
- */
-static chunk_t build_notification_data(private_endpoint_notify_t *this)
-{
-	chunk_t prio_chunk, family_chunk, type_chunk, port_chunk, addr_chunk;
-	chunk_t data;
-	u_int32_t prio;
-	u_int16_t port;
-	u_int8_t family, type;
-
-	prio = htonl(this->priority);
-	prio_chunk = chunk_from_thing(prio);
-	family = this->family;
-	family_chunk = chunk_from_thing(family);
-	type = this->type;
-	type_chunk = chunk_from_thing(type);
-
-	if (this->endpoint)
-	{
-		port = htons(this->endpoint->get_port(this->endpoint));
-		addr_chunk = this->endpoint->get_address(this->endpoint);
-	}
-	else
-	{
-		port = 0;
-		addr_chunk = chunk_empty;
-	}
-	port_chunk = chunk_from_thing(port);
-
-	/* data = prio | family | type | port | addr */
-	data = chunk_cat("ccccc", prio_chunk, family_chunk, type_chunk,
-					 port_chunk, addr_chunk);
-	DBG3(DBG_IKE, "me_endpoint_data %B", &data);
-	return data;
-}
-
-/**
- * Implementation of endpoint_notify_t.build_notify
- */
-static notify_payload_t *build_notify(private_endpoint_notify_t *this)
-{
-	chunk_t data;
-	notify_payload_t *notify;
-
-	notify = notify_payload_create();
-	notify->set_notify_type(notify, ME_ENDPOINT);
-	data = build_notification_data(this);
-	notify->set_notification_data(notify, data);
-	chunk_free(&data);
-
-	return notify;
-}
-
-/**
- * Implementation of endpoint_notify_t.get_priority.
- */
-static u_int32_t get_priority(private_endpoint_notify_t *this)
-{
-	return this->priority;
-}
-
-/**
- * Implementation of endpoint_notify_t.set_priority.
- */
-static void set_priority(private_endpoint_notify_t *this, u_int32_t priority)
-{
-	this->priority = priority;
-}
-
-/**
- * Implementation of endpoint_notify_t.get_type.
- */
-static me_endpoint_type_t get_type(private_endpoint_notify_t *this)
-{
-	return this->type;
-}
-
-/**
- * Implementation of endpoint_notify_t.get_family.
- */
-static me_endpoint_family_t get_family(private_endpoint_notify_t *this)
-{
-	return this->family;
-}
-
-/**
- * Implementation of endpoint_notify_t.get_host.
- */
-static host_t *get_host(private_endpoint_notify_t *this)
-{
-	return this->endpoint;
-}
-
-/**
- * Implementation of endpoint_notify_t.get_base.
- */
-static host_t *get_base(private_endpoint_notify_t *this)
-{
-	return (!this->base) ? this->endpoint : this->base;
-}
-
-/**
- * Implementation of endpoint_notify_t.clone.
- */
-static endpoint_notify_t *_clone(private_endpoint_notify_t *this)
-{
-	private_endpoint_notify_t *clone = (private_endpoint_notify_t*)endpoint_notify_create();
-
-	clone->priority = this->priority;
-	clone->type = this->type;
-	clone->family = this->family;
-	if (this->endpoint)
-	{
-		clone->endpoint = this->endpoint->clone(this->endpoint);
-	}
-
-	if (this->base)
-	{
-		clone->base = this->base->clone(this->base);
-	}
-
-	return &clone->public;
-}
-
-/**
- * Implementation of endpoint_notify_t.destroy.
- */
-static status_t destroy(private_endpoint_notify_t *this)
-{
-	DESTROY_IF(this->endpoint);
-	DESTROY_IF(this->base);
-	free(this);
-	return SUCCESS;
-}
-
-/*
- * Described in header
- */
-endpoint_notify_t *endpoint_notify_create()
-{
-	private_endpoint_notify_t *this = malloc_thing(private_endpoint_notify_t);
-
-	/* public functions */
-	this->public.get_priority = (u_int32_t (*) (endpoint_notify_t *)) get_priority;
-	this->public.set_priority = (void (*) (endpoint_notify_t *, u_int32_t)) set_priority;
-	this->public.get_type = (me_endpoint_type_t (*) (endpoint_notify_t *)) get_type;
-	this->public.get_family = (me_endpoint_family_t (*) (endpoint_notify_t *)) get_family;
-	this->public.get_host = (host_t *(*) (endpoint_notify_t *)) get_host;
-	this->public.get_base = (host_t *(*) (endpoint_notify_t *)) get_base;
-	this->public.build_notify = (notify_payload_t *(*) (endpoint_notify_t *)) build_notify;
-	this->public.clone = (endpoint_notify_t *(*) (endpoint_notify_t *)) _clone;
-	this->public.destroy = (void (*) (endpoint_notify_t *)) destroy;
-
-	/* set default values of the fields */
-	this->priority = 0;
-	this->family = NO_FAMILY;
-	this->type = NO_TYPE;
-	this->endpoint = NULL;
-	this->base = NULL;
-
-	return &this->public;
-}
-
-/**
- * Described in header
- */
-endpoint_notify_t *endpoint_notify_create_from_host(me_endpoint_type_t type, host_t *host, host_t *base)
-{
-	private_endpoint_notify_t *this = (private_endpoint_notify_t*)endpoint_notify_create();
-
-	this->type = type;
-
-	switch(type)
-	{
-		case HOST:
-			this->priority = pow(2, 16) * ME_PRIO_HOST;
-			break;
-		case PEER_REFLEXIVE:
-			this->priority = pow(2, 16) * ME_PRIO_PEER;
-			break;
-		case SERVER_REFLEXIVE:
-			this->priority = pow(2, 16) * ME_PRIO_SERVER;
-			break;
-		case RELAYED:
-		default:
-			this->priority = pow(2, 16) * ME_PRIO_RELAY;
-			break;
-	}
-
-	/* FIXME: if there is more than one ip address we should vary this priority */
-	this->priority += 65535;
-
-	if (!host)
-	{
-		return &this->public;
-	}
-
-	switch(host->get_family(host))
-	{
-		case AF_INET:
-			this->family = IPv4;
-			break;
-		case AF_INET6:
-			this->family = IPv6;
-			break;
-		default:
-			/* unsupported family type, we do not set the host
-			 * (family is set to NO_FAMILY) */
-			return &this->public;
-	}
-
-	this->endpoint = host->clone(host);
-
-	if (base)
-	{
-		this->base = base->clone(base);
-	}
-
-	return &this->public;
-}
-
-/**
- * Described in header
- */
-endpoint_notify_t *endpoint_notify_create_from_payload(notify_payload_t *notify)
-{
-	if (notify->get_notify_type(notify) != ME_ENDPOINT)
-	{
-		return NULL;
-	}
-
-	private_endpoint_notify_t *this = (private_endpoint_notify_t*)endpoint_notify_create();
-	chunk_t data = notify->get_notification_data(notify);
-	if (parse_notification_data(this, data) != SUCCESS)
-	{
-		destroy(this);
-		return NULL;
-	}
-	return &this->public;
-}
diff --git a/src/charon/encoding/payloads/endpoint_notify.h b/src/charon/encoding/payloads/endpoint_notify.h
deleted file mode 100644
index 120eef49a..000000000
--- a/src/charon/encoding/payloads/endpoint_notify.h
+++ /dev/null
@@ -1,173 +0,0 @@
-/*
- * Copyright (C) 2007 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup endpoint_notify endpoint_notify
- * @{ @ingroup payloads
- */
-
-#ifndef ENDPOINT_NOTIFY_H_
-#define ENDPOINT_NOTIFY_H_
-
-#define ME_PRIO_HOST   255
-#define ME_PRIO_PEER   128
-#define ME_PRIO_SERVER 64
-#define ME_PRIO_RELAY  0
-
-typedef enum me_endpoint_family_t me_endpoint_family_t;
-typedef enum me_endpoint_type_t me_endpoint_type_t;
-typedef struct endpoint_notify_t endpoint_notify_t;
-
-#include <encoding/payloads/notify_payload.h>
-
-/**
- * ME endpoint families.
- */
-enum me_endpoint_family_t {
-
-	NO_FAMILY = 0,
-
-	IPv4 = 1,
-
-	IPv6 = 2,
-
-	MAX_FAMILY = 3
-
-};
-
-/**
- * ME endpoint types.
- */
-enum me_endpoint_type_t {
-
-	NO_TYPE = 0,
-
-	HOST = 1,
-
-	PEER_REFLEXIVE = 2,
-
-	SERVER_REFLEXIVE = 3,
-
-	RELAYED = 4,
-
-	MAX_TYPE = 5
-
-};
-
-/**
- * enum name for me_endpoint_type_t.
- */
-extern enum_name_t *me_endpoint_type_names;
-
-/**
- * Class representing a ME_ENDPOINT Notify payload. In fact it's not
- * the notify per se, but the notification data of that notify that is
- * handled with this class.
- */
-struct endpoint_notify_t {
-	/**
-	 * Returns the priority of this endpoint.
-	 *
-	 * @return			priority
-	 */
-	u_int32_t (*get_priority) (endpoint_notify_t *this);
-
-	/**
-	 * Sets the priority of this endpoint.
-	 *
-	 * @param priority	priority
-	 */
-	void (*set_priority) (endpoint_notify_t *this, u_int32_t priority);
-
-	/**
-	 * Returns the endpoint type of this endpoint.
-	 *
-	 * @return			endpoint type
-	 */
-	me_endpoint_type_t (*get_type) (endpoint_notify_t *this);
-
-	/**
-	 * Returns the endpoint family of this endpoint.
-	 *
-	 * @return			endpoint family
-	 */
-	me_endpoint_family_t (*get_family) (endpoint_notify_t *this);
-
-	/**
-	 * Returns the host of this endpoint.
-	 *
-	 * @return			host
-	 */
-	host_t *(*get_host) (endpoint_notify_t *this);
-
-	/**
-	 * Returns the base of this endpoint.
-	 *
-	 * If this is not a SERVER_REFLEXIVE endpoint, the returned host is the same
-	 * as the one returned by get_host.
-	 *
-	 * @return			host
-	 */
-	host_t *(*get_base) (endpoint_notify_t *this);
-
-	/**
-	 * Generates a notification payload from this endpoint.
-	 *
-	 * @return 			built notify_payload_t
-	 */
-	notify_payload_t *(*build_notify) (endpoint_notify_t *this);
-
-	/**
-	 * Clones an endpoint_notify_t object.
-	 *
-	 * @return			cloned object
-	 */
-	endpoint_notify_t *(*clone) (endpoint_notify_t *this);
-
-	/**
-	 * Destroys an endpoint_notify_t object.
-	 */
-	void (*destroy) (endpoint_notify_t *this);
-};
-
-/**
- * Creates an empty endpoint_notify_t object.
- *
- * @return			created endpoint_notify_t object
- */
-endpoint_notify_t *endpoint_notify_create(void);
-
-
-/**
- * Creates an endpoint_notify_t object from a host.
- *
- * @param type		the endpoint type
- * @param host		host to base the notify on (gets cloned)
- * @param base		base of the endpoint, applies only to reflexive endpoints (gets cloned)
- * @return			created endpoint_notify_t object
- */
-endpoint_notify_t *endpoint_notify_create_from_host(me_endpoint_type_t type,
-													host_t *host, host_t *base);
-
-/**
- * Creates an endpoint_notify_t object from a notify payload.
- *
- * @param notify	the notify payload
- * @return			- created endpoint_notify_t object
- * 					- NULL if invalid payload
- */
-endpoint_notify_t *endpoint_notify_create_from_payload(notify_payload_t *notify);
-
-#endif /** ENDPOINT_NOTIFY_H_ @}*/
diff --git a/src/charon/encoding/payloads/id_payload.c b/src/charon/encoding/payloads/id_payload.c
deleted file mode 100644
index 4158c3e07..000000000
--- a/src/charon/encoding/payloads/id_payload.c
+++ /dev/null
@@ -1,293 +0,0 @@
-/*
- * Copyright (C) 2007 Tobias Brunner
- * Copyright (C) 2005-2006 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- *
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <stddef.h>
-
-#include "id_payload.h"
-
-#include <daemon.h>
-#include <encoding/payloads/encodings.h>
-
-typedef struct private_id_payload_t private_id_payload_t;
-
-/**
- * Private data of an id_payload_t object.
- *
- */
-struct private_id_payload_t {
-	/**
-	 * Public id_payload_t interface.
-	 */
-	id_payload_t public;
-
-	/**
-	 * one of ID_INITIATOR, ID_RESPONDER
-	 */
-	payload_type_t payload_type;
-
-	/**
-	 * Next payload type.
-	 */
-	u_int8_t next_payload;
-
-	/**
-	 * Critical flag.
-	 */
-	bool critical;
-
-	/**
-	 * Length of this payload.
-	 */
-	u_int16_t payload_length;
-
-	/**
-	 * Type of the ID Data.
-	 */
-	u_int8_t id_type;
-
-	/**
-	 * The contained id data value.
-	 */
-	chunk_t id_data;
-};
-
-/**
- * Encoding rules to parse or generate a ID payload
- *
- * The defined offsets are the positions in a object of type
- * private_id_payload_t.
- *
- */
-encoding_rule_t id_payload_encodings[] = {
-	/* 1 Byte next payload type, stored in the field next_payload */
-	{ U_INT_8,			offsetof(private_id_payload_t, next_payload) 	},
-	/* the critical bit */
-	{ FLAG,				offsetof(private_id_payload_t, critical) 		},
-	/* 7 Bit reserved bits, nowhere stored */
-	{ RESERVED_BIT,	0 													},
-	{ RESERVED_BIT,	0 													},
-	{ RESERVED_BIT,	0 													},
-	{ RESERVED_BIT,	0 													},
-	{ RESERVED_BIT,	0 													},
-	{ RESERVED_BIT,	0 													},
-	{ RESERVED_BIT,	0 													},
-	/* Length of the whole payload*/
-	{ PAYLOAD_LENGTH,	offsetof(private_id_payload_t, payload_length) 	},
-	/* 1 Byte ID type*/
-	{ U_INT_8,			offsetof(private_id_payload_t, id_type)			},
-	/* 3 reserved bytes */
-	{ RESERVED_BYTE,	0 												},
-	{ RESERVED_BYTE,	0 												},
-	{ RESERVED_BYTE,	0 												},
-	/* some id data bytes, length is defined in PAYLOAD_LENGTH */
-	{ ID_DATA,			offsetof(private_id_payload_t, id_data) 		}
-};
-
-/*
-                           1                   2                   3
-       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-      ! Next Payload  !C!  RESERVED   !         Payload Length        !
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-      !   ID Type     !                 RESERVED                      |
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-      !                                                               !
-      ~                   Identification Data                         ~
-      !                                                               !
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-*/
-
-/**
- * Implementation of payload_t.verify.
- */
-static status_t verify(private_id_payload_t *this)
-{
-	if ((this->id_type == 0) ||
-		(this->id_type == 4) ||
-		((this->id_type >= 6) && (this->id_type <= 8)) ||
-		((this->id_type >= 12) && (this->id_type <= 200)))
-	{
-		/* reserved IDs */
-		DBG1(DBG_ENC, "received ID with reserved type %d", this->id_type);
-		return FAILED;
-	}
-
-	return SUCCESS;
-}
-
-/**
- * Implementation of id_payload_t.get_encoding_rules.
- */
-static void get_encoding_rules(private_id_payload_t *this, encoding_rule_t **rules, size_t *rule_count)
-{
-	*rules = id_payload_encodings;
-	*rule_count = sizeof(id_payload_encodings) / sizeof(encoding_rule_t);
-}
-
-/**
- * Implementation of payload_t.get_type.
- */
-static payload_type_t get_payload_type(private_id_payload_t *this)
-{
-	return this->payload_type;
-}
-
-/**
- * Implementation of payload_t.get_next_type.
- */
-static payload_type_t get_next_type(private_id_payload_t *this)
-{
-	return this->next_payload;
-}
-
-/**
- * Implementation of payload_t.set_next_type.
- */
-static void set_next_type(private_id_payload_t *this,payload_type_t type)
-{
-	this->next_payload = type;
-}
-
-/**
- * Implementation of payload_t.get_length.
- */
-static size_t get_length(private_id_payload_t *this)
-{
-	return this->payload_length;
-}
-
-/**
- * Implementation of id_payload_t.set_type.
- */
-static void set_id_type (private_id_payload_t *this, id_type_t type)
-{
-	this->id_type = type;
-}
-
-/**
- * Implementation of id_payload_t.get_id_type.
- */
-static id_type_t get_id_type (private_id_payload_t *this)
-{
-	return (this->id_type);
-}
-
-/**
- * Implementation of id_payload_t.set_data.
- */
-static void set_data (private_id_payload_t *this, chunk_t data)
-{
-	if (this->id_data.ptr != NULL)
-	{
-		chunk_free(&(this->id_data));
-	}
-	this->id_data.ptr = clalloc(data.ptr,data.len);
-	this->id_data.len = data.len;
-	this->payload_length = ID_PAYLOAD_HEADER_LENGTH + this->id_data.len;
-}
-
-
-/**
- * Implementation of id_payload_t.get_data_clone.
- */
-static chunk_t get_data (private_id_payload_t *this)
-{
-	return (this->id_data);
-}
-
-/**
- * Implementation of id_payload_t.get_data_clone.
- */
-static chunk_t get_data_clone (private_id_payload_t *this)
-{
-	chunk_t cloned_data;
-	if (this->id_data.ptr == NULL)
-	{
-		return (this->id_data);
-	}
-	cloned_data.ptr = clalloc(this->id_data.ptr,this->id_data.len);
-	cloned_data.len = this->id_data.len;
-	return cloned_data;
-}
-
-/**
- * Implementation of id_payload_t.get_identification.
- */
-static identification_t *get_identification (private_id_payload_t *this)
-{
-	return identification_create_from_encoding(this->id_type,this->id_data);
-}
-
-/**
- * Implementation of payload_t.destroy and id_payload_t.destroy.
- */
-static void destroy(private_id_payload_t *this)
-{
-	if (this->id_data.ptr != NULL)
-	{
-		chunk_free(&(this->id_data));
-	}
-	free(this);
-}
-
-/*
- * Described in header.
- */
-id_payload_t *id_payload_create(payload_type_t payload_type)
-{
-	private_id_payload_t *this = malloc_thing(private_id_payload_t);
-
-	/* interface functions */
-	this->public.payload_interface.verify = (status_t (*) (payload_t *))verify;
-	this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules;
-	this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length;
-	this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type;
-	this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
-	this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_payload_type;
-	this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
-
-	/* public functions */
-	this->public.destroy = (void (*) (id_payload_t *)) destroy;
-	this->public.set_id_type = (void (*) (id_payload_t *,id_type_t)) set_id_type;
-	this->public.get_id_type = (id_type_t (*) (id_payload_t *)) get_id_type;
-	this->public.set_data = (void (*) (id_payload_t *,chunk_t)) set_data;
-	this->public.get_data = (chunk_t (*) (id_payload_t *)) get_data;
-	this->public.get_data_clone = (chunk_t (*) (id_payload_t *)) get_data_clone;
-
-	this->public.get_identification = (identification_t * (*) (id_payload_t *this)) get_identification;
-
-	/* private variables */
-	this->critical = FALSE;
-	this->next_payload = NO_PAYLOAD;
-	this->payload_length =ID_PAYLOAD_HEADER_LENGTH;
-	this->id_data = chunk_empty;
-	this->payload_type = payload_type;
-
-	return (&(this->public));
-}
-
-/*
- * Described in header.
- */
-id_payload_t *id_payload_create_from_identification(payload_type_t payload_type, identification_t *identification)
-{
-	id_payload_t *this= id_payload_create(payload_type);
-	this->set_data(this,identification->get_encoding(identification));
-	this->set_id_type(this,identification->get_type(identification));
-	return this;
-}
diff --git a/src/charon/encoding/payloads/id_payload.h b/src/charon/encoding/payloads/id_payload.h
deleted file mode 100644
index 5502dc961..000000000
--- a/src/charon/encoding/payloads/id_payload.h
+++ /dev/null
@@ -1,122 +0,0 @@
-/*
- * Copyright (C) 2007 Tobias Brunner
- * Copyright (C) 2005-2006 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup id_payload id_payload
- * @{ @ingroup payloads
- */
-
-#ifndef ID_PAYLOAD_H_
-#define ID_PAYLOAD_H_
-
-typedef struct id_payload_t id_payload_t;
-
-#include <library.h>
-#include <utils/identification.h>
-#include <encoding/payloads/payload.h>
-
-/**
- * Length of a id payload without the data in bytes.
- */
-#define ID_PAYLOAD_HEADER_LENGTH 8
-
-/**
- * Object representing an IKEv2 ID payload.
- *
- * The ID payload format is described in RFC section 3.5.
- */
-struct id_payload_t {
-	/**
-	 * The payload_t interface.
-	 */
-	payload_t payload_interface;
-
-	/**
-	 * Set the ID type.
-	 *
-	 * @param type			Type of ID
-	 */
-	void (*set_id_type) (id_payload_t *this, id_type_t type);
-
-	/**
-	 * Get the ID type.
-	 *
-	 * @return				type of the ID
-	 */
-	id_type_t (*get_id_type) (id_payload_t *this);
-
-	/**
-	 * Set the ID data.
-	 *
-	 * Data are getting cloned.
-	 *
-	 * @param data			ID data as chunk_t
-	 */
-	void (*set_data) (id_payload_t *this, chunk_t data);
-
-	/**
-	 * Get the ID data.
-	 *
-	 * Returned data are a copy of the internal one
-	 *
-	 * @return				ID data as chunk_t
-	 */
-	chunk_t (*get_data_clone) (id_payload_t *this);
-
-	/**
-	 * Get the ID data.
-	 *
-	 * Returned data are NOT copied.
-	 *
-	 * @return				ID data as chunk_t
-	 */
-	chunk_t (*get_data) (id_payload_t *this);
-
-	/**
-	 * Creates an identification object of this id payload.
-	 *
-	 * Returned object has to get destroyed by the caller.
-	 *
-	 * @return				identification_t object
-	 */
-	identification_t *(*get_identification) (id_payload_t *this);
-
-	/**
-	 * Destroys an id_payload_t object.
-	 */
-	void (*destroy) (id_payload_t *this);
-};
-
-/**
- * Creates an empty id_payload_t object.
- *
- * @param payload_type	one of ID_INITIATOR, ID_RESPONDER
- * @return				id_payload_t object
- */
-id_payload_t *id_payload_create(payload_type_t payload_type);
-
-/**
- * Creates an id_payload_t from an existing identification_t object.
- *
- * @param payload_type		one of ID_INITIATOR, ID_RESPONDER
- * @param identification	identification_t object
- * @return					id_payload_t object
- */
-id_payload_t *id_payload_create_from_identification(payload_type_t payload_type,
-											identification_t *identification);
-
-#endif /** ID_PAYLOAD_H_ @}*/
diff --git a/src/charon/encoding/payloads/ike_header.c b/src/charon/encoding/payloads/ike_header.c
deleted file mode 100644
index 735f01304..000000000
--- a/src/charon/encoding/payloads/ike_header.c
+++ /dev/null
@@ -1,415 +0,0 @@
-/*
- * Copyright (C) 2007 Tobias Brunner
- * Copyright (C) 2005-2006 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/* offsetof macro */
-#include <stddef.h>
-
-#include "ike_header.h"
-
-#include <encoding/payloads/encodings.h>
-
-
-typedef struct private_ike_header_t private_ike_header_t;
-
-/**
- * Private data of an ike_header_t object.
- */
-struct private_ike_header_t {
-	/**
-	 * Public interface.
-	 */
-	ike_header_t public;
-
-	/**
-	 * SPI of the initiator.
-	 */
-	u_int64_t initiator_spi;
-
-	/**
-	 * SPI of the responder.
-	 */
-	u_int64_t responder_spi;
-
-	/**
-	 * Next payload type.
-	 */
-	u_int8_t  next_payload;
-	/**
-	 * IKE major version.
-	 */
-	u_int8_t  maj_version;
-
-	/**
-	 * IKE minor version.
-	 */
-	u_int8_t  min_version;
-
-	/**
-	 * Exchange type .
-	 */
-	u_int8_t  exchange_type;
-
-	/**
-	 * Flags of the Message.
-	 */
-	struct {
-		/**
-		 * Sender is initiator of the associated IKE_SA_INIT-Exchange.
-		 */
-		bool initiator;
-
-		/**
-		 * Is protocol supporting higher version?
-		 */
-		bool version;
-
-		/**
-		 * TRUE, if this is a response, FALSE if its a Request.
-		 */
-		bool response;
-	} flags;
-
-	/**
-	 * Associated Message-ID.
-	 */
-	u_int32_t message_id;
-
-	/**
-	 * Length of the whole IKEv2-Message (header and all payloads).
-	 */
-	u_int32_t length;
-};
-
-ENUM_BEGIN(exchange_type_names, EXCHANGE_TYPE_UNDEFINED, EXCHANGE_TYPE_UNDEFINED,
-	"EXCHANGE_TYPE_UNDEFINED");
-ENUM_NEXT(exchange_type_names, IKE_SA_INIT, INFORMATIONAL, EXCHANGE_TYPE_UNDEFINED,
-	"IKE_SA_INIT",
-	"IKE_AUTH",
-	"CREATE_CHILD_SA",
-	"INFORMATIONAL");
-#ifdef ME
-ENUM_NEXT(exchange_type_names, ME_CONNECT, ME_CONNECT, INFORMATIONAL,
-	"ME_CONNECT");
-ENUM_END(exchange_type_names, ME_CONNECT);
-#else
-ENUM_END(exchange_type_names, INFORMATIONAL);
-#endif /* ME */
-
-/**
- * Encoding rules to parse or generate a IKEv2-Header.
- *
- * The defined offsets are the positions in a object of type
- * ike_header_t.
- */
-encoding_rule_t ike_header_encodings[] = {
-	/* 8 Byte SPI, stored in the field initiator_spi */
-	{ IKE_SPI,		offsetof(private_ike_header_t, initiator_spi)	},
-	/* 8 Byte SPI, stored in the field responder_spi */
-	{ IKE_SPI,		offsetof(private_ike_header_t, responder_spi) 	},
-	/* 1 Byte next payload type, stored in the field next_payload */
-	{ U_INT_8,		offsetof(private_ike_header_t, next_payload) 	},
-	/* 4 Bit major version, stored in the field maj_version */
-	{ U_INT_4,		offsetof(private_ike_header_t, maj_version) 	},
-	/* 4 Bit minor version, stored in the field min_version */
-	{ U_INT_4,		offsetof(private_ike_header_t, min_version) 	},
-	/* 8 Bit for the exchange type */
-	{ U_INT_8,		offsetof(private_ike_header_t, exchange_type) 	},
-	/* 2 Bit reserved bits, nowhere stored */
-	{ RESERVED_BIT,	0 										},
-	{ RESERVED_BIT,	0 										},
-	/* 3 Bit flags, stored in the fields response, version and initiator */
-	{ FLAG,			offsetof(private_ike_header_t, flags.response) 	},
-	{ FLAG,			offsetof(private_ike_header_t, flags.version) 	},
-	{ FLAG,			offsetof(private_ike_header_t, flags.initiator) },
-	/* 3 Bit reserved bits, nowhere stored */
-	{ RESERVED_BIT,	0 										},
-	{ RESERVED_BIT,	0 										},
-	{ RESERVED_BIT,	0 										},
-	/* 4 Byte message id, stored in the field message_id */
-	{ U_INT_32,		offsetof(private_ike_header_t, message_id) 		},
-	/* 4 Byte length fied, stored in the field length */
-	{ HEADER_LENGTH,	offsetof(private_ike_header_t, length) 			}
-};
-
-
-/*                           1                   2                   3
-       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-      !                       IKE_SA Initiator's SPI                  !
-      !                                                               !
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-      !                       IKE_SA Responder's SPI                  !
-      !                                                               !
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-      !  Next Payload ! MjVer ! MnVer ! Exchange Type !     Flags     !
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-      !                          Message ID                           !
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-      !                            Length                             !
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-*/
-
-
-/**
- * Implementation of payload_t.verify.
- */
-static status_t verify(private_ike_header_t *this)
-{
-	if ((this->exchange_type < IKE_SA_INIT) ||
-		((this->exchange_type > INFORMATIONAL)
-#ifdef ME
-			&& (this->exchange_type != ME_CONNECT)
-#endif /* ME */
-		))
-	{
-		/* unsupported exchange type */
-		return FAILED;
-	}
-
-	if (this->initiator_spi == 0
-#ifdef ME
-		/* we allow zero spi for INFORMATIONAL exchanges,
-		 * to allow connectivity checks */
-		&& this->exchange_type != INFORMATIONAL
-#endif /* ME */
-		)
-	{
-		/* initiator spi not set */
-		return FAILED;
-	}
-
-	/* verification of version is not done in here */
-
-	return SUCCESS;
-}
-
-/**
- * Implementation of payload_t.set_next_type.
- */
-static void set_next_type(payload_t *this,payload_type_t type)
-{
-	((private_ike_header_t *)this)->next_payload = type;
-}
-/**
- * Implementation of ike_header_t.get_initiator_spi.
- */
-static u_int64_t get_initiator_spi(private_ike_header_t *this)
-{
-	return this->initiator_spi;
-}
-
-/**
- * Implementation of ike_header_t.set_initiator_spi.
- */
-static void set_initiator_spi(private_ike_header_t *this, u_int64_t initiator_spi)
-{
-	this->initiator_spi = initiator_spi;
-}
-
-/**
- * Implementation of ike_header_t.get_responder_spi.
- */
-static u_int64_t get_responder_spi(private_ike_header_t *this)
-{
-	return this->responder_spi;
-}
-
-/**
- * Implementation of ike_header_t.set_responder_spi.
- */
-static void set_responder_spi(private_ike_header_t *this, u_int64_t responder_spi)
-{
-	this->responder_spi = responder_spi;
-}
-
-/**
- * Implementation of ike_header_t.get_maj_version.
- */
-static u_int8_t get_maj_version(private_ike_header_t *this)
-{
-	return this->maj_version;
-}
-
-/**
- * Implementation of ike_header_t.get_min_version.
- */
-static u_int8_t get_min_version(private_ike_header_t *this)
-{
-	return this->min_version;
-}
-
-/**
- * Implementation of ike_header_t.get_response_flag.
- */
-static bool get_response_flag(private_ike_header_t *this)
-{
-	return this->flags.response;
-}
-
-/**
- * Implementation of ike_header_t.set_response_flag.
- */
-static void set_response_flag(private_ike_header_t *this, bool response)
-{
-	this->flags.response = response;
-}
-
-/**
- * Implementation of ike_header_t.get_version_flag.
- */
-static bool get_version_flag(private_ike_header_t *this)
-{
-	return this->flags.version;
-}
-
-/**
- * Implementation of ike_header_t.get_initiator_flag.
- */
-static bool get_initiator_flag(private_ike_header_t *this)
-{
-	return this->flags.initiator;
-}
-
-/**
- * Implementation of ike_header_t.set_initiator_flag.
- */
-static void set_initiator_flag(private_ike_header_t *this, bool initiator)
-{
-	this->flags.initiator = initiator;
-}
-
-/**
- * Implementation of ike_header_t.get_exchange_type.
- */
-static u_int8_t get_exchange_type(private_ike_header_t *this)
-{
-	return this->exchange_type;
-}
-
-/**
- * Implementation of ike_header_t.set_exchange_type.
- */
-static void set_exchange_type(private_ike_header_t *this, u_int8_t exchange_type)
-{
-	this->exchange_type = exchange_type;
-}
-
-/**
- * Implements ike_header_t's get_message_id function.
- * See #ike_header_t.get_message_id  for description.
- */
-static u_int32_t get_message_id(private_ike_header_t *this)
-{
-	return this->message_id;
-}
-
-/**
- * Implementation of ike_header_t.set_message_id.
- */
-static void set_message_id(private_ike_header_t *this, u_int32_t message_id)
-{
-	this->message_id = message_id;
-}
-
-/**
- * Implementation of ike_header_t.destroy and payload_t.destroy.
- */
-static void destroy(ike_header_t *this)
-{
-	free(this);
-}
-
-/**
- * Implementation of payload_t.get_encoding_rules.
- */
-static void get_encoding_rules(payload_t *this, encoding_rule_t **rules, size_t *rule_count)
-{
-	*rules = ike_header_encodings;
-	*rule_count = sizeof(ike_header_encodings) / sizeof(encoding_rule_t);
-}
-
-/**
- * Implementation of payload_t.get_type.
- */
-static payload_type_t get_type(payload_t *this)
-{
-	return HEADER;
-}
-
-/**
- * Implementation of payload_t.get_next_type.
- */
-static payload_type_t get_next_type(payload_t *this)
-{
-	return (((private_ike_header_t*)this)->next_payload);
-}
-
-/**
- * Implementation of payload_t.get_length.
- */
-static size_t get_length(payload_t *this)
-{
-	return (((private_ike_header_t*)this)->length);
-}
-
-/*
- * Described in header.
- */
-ike_header_t *ike_header_create()
-{
-	private_ike_header_t *this = malloc_thing(private_ike_header_t);
-
-	this->public.payload_interface.verify = (status_t (*) (payload_t *))verify;
-	this->public.payload_interface.get_encoding_rules = get_encoding_rules;
-	this->public.payload_interface.get_length = get_length;
-	this->public.payload_interface.get_next_type = get_next_type;
-	this->public.payload_interface.set_next_type = set_next_type;
-	this->public.payload_interface.get_type = get_type;
-	this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
-	this->public.destroy = destroy;
-
-	this->public.get_initiator_spi = (u_int64_t (*) (ike_header_t*))get_initiator_spi;
-	this->public.set_initiator_spi = (void (*) (ike_header_t*,u_int64_t))set_initiator_spi;
-	this->public.get_responder_spi = (u_int64_t (*) (ike_header_t*))get_responder_spi;
-	this->public.set_responder_spi = (void (*) (ike_header_t *,u_int64_t))set_responder_spi;
-	this->public.get_maj_version = (u_int8_t (*) (ike_header_t*))get_maj_version;
-	this->public.get_min_version = (u_int8_t (*) (ike_header_t*))get_min_version;
-	this->public.get_response_flag = (bool (*) (ike_header_t*))get_response_flag;
-	this->public.set_response_flag = (void (*) (ike_header_t*,bool))set_response_flag;
-	this->public.get_version_flag = (bool (*) (ike_header_t*))get_version_flag;
-	this->public.get_initiator_flag = (bool (*) (ike_header_t*))get_initiator_flag;
-	this->public.set_initiator_flag = (void (*) (ike_header_t*,bool))set_initiator_flag;
-	this->public.get_exchange_type = (u_int8_t (*) (ike_header_t*))get_exchange_type;
-	this->public.set_exchange_type = (void (*) (ike_header_t*,u_int8_t))set_exchange_type;
-	this->public.get_message_id = (u_int32_t (*) (ike_header_t*))get_message_id;
-	this->public.set_message_id = (void (*) (ike_header_t*,u_int32_t))set_message_id;
-
-	/* set default values of the fields */
-	this->initiator_spi = 0;
-	this->responder_spi = 0;
-	this->next_payload = 0;
-	this->maj_version = IKE_MAJOR_VERSION;
-	this->min_version = IKE_MINOR_VERSION;
-	this->exchange_type = EXCHANGE_TYPE_UNDEFINED;
-	this->flags.initiator = TRUE;
-	this->flags.version = HIGHER_VERSION_SUPPORTED_FLAG;
-	this->flags.response = FALSE;
-	this->message_id = 0;
-	this->length = IKE_HEADER_LENGTH;
-
-	return (ike_header_t*)this;
-}
diff --git a/src/charon/encoding/payloads/ike_header.h b/src/charon/encoding/payloads/ike_header.h
deleted file mode 100644
index e63e8bf06..000000000
--- a/src/charon/encoding/payloads/ike_header.h
+++ /dev/null
@@ -1,227 +0,0 @@
-/*
- * Copyright (C) 2007 Tobias Brunner
- * Copyright (C) 2005-2006 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup ike_header ike_header
- * @{ @ingroup payloads
- */
-
-#ifndef IKE_HEADER_H_
-#define IKE_HEADER_H_
-
-typedef enum exchange_type_t exchange_type_t;
-typedef struct ike_header_t ike_header_t;
-
-#include <library.h>
-#include <encoding/payloads/payload.h>
-
-/**
- * Major Version of IKEv2.
- */
-#define IKE_MAJOR_VERSION 2
-
-/**
- * Minor Version of IKEv2.
- */
-#define IKE_MINOR_VERSION 0
-
-/**
- * Flag in IKEv2-Header. Always 0.
- */
-#define HIGHER_VERSION_SUPPORTED_FLAG 0
-
-/**
- * Length of IKE Header in Bytes.
- */
-#define IKE_HEADER_LENGTH 28
-
-/**
- * Different types of IKE-Exchanges.
- *
- * See RFC for different types.
- */
-enum exchange_type_t{
-
-	/**
-	 * EXCHANGE_TYPE_UNDEFINED. In private space, since not a official message type.
-	 */
-	EXCHANGE_TYPE_UNDEFINED = 255,
-
-	/**
-	 * IKE_SA_INIT.
-	 */
-	IKE_SA_INIT = 34,
-
-	/**
-	 * IKE_AUTH.
-	 */
-	IKE_AUTH = 35,
-
-	/**
-	 * CREATE_CHILD_SA.
-	 */
-	CREATE_CHILD_SA = 36,
-
-	/**
-	 * INFORMATIONAL.
-	 */
-	INFORMATIONAL = 37,
-#ifdef ME
-	/**
-	 * ME_CONNECT
-	 */
-	ME_CONNECT = 240
-#endif /* ME */
-};
-
-/**
- * enum name for exchange_type_t
- */
-extern enum_name_t *exchange_type_names;
-
-/**
- * An object of this type represents an IKEv2 header and is used to
- * generate and parse IKEv2 headers.
- *
- * The header format of an IKEv2-Message is compatible to the
- * ISAKMP-Header format to allow implementations supporting
- * both versions of the IKE-protocol.
- */
-struct ike_header_t {
-	/**
-	 * The payload_t interface.
-	 */
-	payload_t payload_interface;
-
-	/**
-	 * Get the initiator spi.
-	 *
-	 * @return 				initiator_spi
-	 */
-	u_int64_t (*get_initiator_spi) (ike_header_t *this);
-
-	/**
-	 * Set the initiator spi.
-	 *
-	 * @param initiator_spi	initiator_spi
-	 */
-	void (*set_initiator_spi) (ike_header_t *this, u_int64_t initiator_spi);
-
-	/**
-	 * Get the responder spi.
-	 *
-	 * @return 				responder_spi
-	 */
-	u_int64_t (*get_responder_spi) (ike_header_t *this);
-
-	/**
-	 * Set the responder spi.
-	 *
-	 * @param responder_spi	responder_spi
-	 */
-	void (*set_responder_spi) (ike_header_t *this, u_int64_t responder_spi);
-
-	/**
-	 * Get the major version.
-	 *
-	 * @return 				major version
-	 */
-	u_int8_t (*get_maj_version) (ike_header_t *this);
-
-	/**
-	 * Get the minor version.
-	 *
-	 * @return 				minor version
-	 */
-	u_int8_t (*get_min_version) (ike_header_t *this);
-
-	/**
-	 * Get the response flag.
-	 *
-	 * @return 				response flag
-	 */
-	bool (*get_response_flag) (ike_header_t *this);
-
-	/**
-	 * Set the response flag-
-	 *
-	 * @param response		response flag
-	 */
-	void (*set_response_flag) (ike_header_t *this, bool response);
-	/**
-	 * Get "higher version supported"-flag.
-	 *
-	 * @return 				version flag
-	 */
-	bool (*get_version_flag) (ike_header_t *this);
-
-	/**
-	 * Get the initiator flag.
-	 *
-	 * @return 				initiator flag
-	 */
-	bool (*get_initiator_flag) (ike_header_t *this);
-
-	/**
-	 * Set the initiator flag.
-	 *
-	 * @param initiator		initiator flag
-	 */
-	void (*set_initiator_flag) (ike_header_t *this, bool initiator);
-
-	/**
-	 * Get the exchange type.
-	 *
-	 * @return 				exchange type
-	 */
-	u_int8_t (*get_exchange_type) (ike_header_t *this);
-
-	/**
-	 * Set the  exchange type.
-	 *
-	 * @param exchange_type	exchange type
-	 */
-	void (*set_exchange_type) (ike_header_t *this, u_int8_t exchange_type);
-
-	/**
-	 * Get the message id.
-	 *
-	 * @return 				message id
-	 */
-	u_int32_t (*get_message_id) (ike_header_t *this);
-
-	/**
-	 * Set the message id.
-	 *
-	 * @param initiator_spi	message id
-	 */
-	void (*set_message_id) (ike_header_t *this, u_int32_t message_id);
-
-	/**
-	 * Destroys a ike_header_t object.
-	 */
-	void (*destroy) (ike_header_t *this);
-};
-
-/**
- * Create an ike_header_t object
- *
- * @return ike_header_t object
- */
-ike_header_t *ike_header_create(void);
-
-#endif /** IKE_HEADER_H_ @}*/
diff --git a/src/charon/encoding/payloads/ke_payload.c b/src/charon/encoding/payloads/ke_payload.c
deleted file mode 100644
index 1bc79f084..000000000
--- a/src/charon/encoding/payloads/ke_payload.c
+++ /dev/null
@@ -1,270 +0,0 @@
-/*
- * Copyright (C) 2005-2006 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <stddef.h>
-
-#include "ke_payload.h"
-
-#include <encoding/payloads/encodings.h>
-
-
-typedef struct private_ke_payload_t private_ke_payload_t;
-
-/**
- * Private data of an ke_payload_t object.
- *
- */
-struct private_ke_payload_t {
-	/**
-	 * Public ke_payload_t interface.
-	 */
-	ke_payload_t public;
-
-	/**
-	 * Next payload type.
-	 */
-	u_int8_t  next_payload;
-
-	/**
-	 * Critical flag.
-	 */
-	bool critical;
-
-	/**
-	 * Length of this payload.
-	 */
-	u_int16_t payload_length;
-
-	/**
-	 * DH Group Number.
-	 */
-	u_int16_t dh_group_number;
-
-	/**
-	 * Key Exchange Data of this KE payload.
-	 */
-	chunk_t key_exchange_data;
-};
-
-/**
- * Encoding rules to parse or generate a IKEv2-KE Payload.
- *
- * The defined offsets are the positions in a object of type
- * private_ke_payload_t.
- *
- */
-encoding_rule_t ke_payload_encodings[] = {
-	/* 1 Byte next payload type, stored in the field next_payload */
-	{ U_INT_8,			offsetof(private_ke_payload_t, next_payload) 		},
-	/* the critical bit */
-	{ FLAG,				offsetof(private_ke_payload_t, critical) 			},
-	/* 7 Bit reserved bits, nowhere stored */
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	/* Length of the whole payload*/
-	{ PAYLOAD_LENGTH,	offsetof(private_ke_payload_t, payload_length) 		},
-	/* DH Group number as 16 bit field*/
-	{ U_INT_16,			offsetof(private_ke_payload_t, dh_group_number) 	},
-	{ RESERVED_BYTE,	0 													},
-	{ RESERVED_BYTE,	0 													},
-	/* Key Exchange Data is from variable size */
-	{ KEY_EXCHANGE_DATA,	offsetof(private_ke_payload_t, key_exchange_data)}
-};
-
-/*
-                           1                   2                   3
-       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-      ! Next Payload  !C!  RESERVED   !         Payload Length        !
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-      !          DH Group #           !           RESERVED            !
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-      !                                                               !
-      ~                       Key Exchange Data                       ~
-      !                                                               !
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-*/
-
-/**
- * Implementation of payload_t.verify.
- */
-static status_t verify(private_ke_payload_t *this)
-{
-	/* dh group is not verified in here */
-	return SUCCESS;
-}
-
-/**
- * Implementation of payload_t.destroy.
- */
-static void destroy(private_ke_payload_t *this)
-{
-	if (this->key_exchange_data.ptr != NULL)
-	{
-		free(this->key_exchange_data.ptr);
-	}
-	free(this);
-}
-
-/**
- * Implementation of payload_t.get_encoding_rules.
- */
-static void get_encoding_rules(private_ke_payload_t *this, encoding_rule_t **rules, size_t *rule_count)
-{
-	*rules = ke_payload_encodings;
-	*rule_count = sizeof(ke_payload_encodings) / sizeof(encoding_rule_t);
-}
-
-/**
- * Implementation of payload_t.get_type.
- */
-static payload_type_t get_type(private_ke_payload_t *this)
-{
-	return KEY_EXCHANGE;
-}
-
-/**
- * Implementation of payload_t.get_next_type.
- */
-static payload_type_t get_next_type(private_ke_payload_t *this)
-{
-	return (this->next_payload);
-}
-
-/**
- * Implementation of payload_t.set_next_type.
- */
-static void set_next_type(private_ke_payload_t *this,payload_type_t type)
-{
-	this->next_payload = type;
-}
-
-/**
- * recompute the length of the payload.
- */
-static void compute_length(private_ke_payload_t *this)
-{
-	size_t length = KE_PAYLOAD_HEADER_LENGTH;
-	if (this->key_exchange_data.ptr != NULL)
-	{
-		length += this->key_exchange_data.len;
-	}
-	this->payload_length = length;
-}
-
-/**
- * Implementation of payload_t.get_length.
- */
-static size_t get_length(private_ke_payload_t *this)
-{
-	compute_length(this);
-	return this->payload_length;
-}
-
-/**
- * Implementation of ke_payload_t.get_key_exchange_data.
- */
-static chunk_t get_key_exchange_data(private_ke_payload_t *this)
-{
-	return (this->key_exchange_data);
-}
-
-/**
- * Implementation of ke_payload_t.set_key_exchange_data.
- */
-static void set_key_exchange_data(private_ke_payload_t *this, chunk_t key_exchange_data)
-{
-	/* destroy existing data first */
-	if (this->key_exchange_data.ptr != NULL)
-	{
-		/* free existing value */
-		free(this->key_exchange_data.ptr);
-		this->key_exchange_data.ptr = NULL;
-		this->key_exchange_data.len = 0;
-
-	}
-
-	this->key_exchange_data = chunk_clone(key_exchange_data);
-	compute_length(this);
-}
-
-/**
- * Implementation of ke_payload_t.get_dh_group_number.
- */
-static diffie_hellman_group_t get_dh_group_number(private_ke_payload_t *this)
-{
-	return this->dh_group_number;
-}
-
-/**
- * Implementation of ke_payload_t.set_dh_group_number.
- */
-static void set_dh_group_number(private_ke_payload_t *this, diffie_hellman_group_t dh_group_number)
-{
-	this->dh_group_number = dh_group_number;
-}
-
-/*
- * Described in header
- */
-ke_payload_t *ke_payload_create()
-{
-	private_ke_payload_t *this = malloc_thing(private_ke_payload_t);
-
-	/* interface functions */
-	this->public.payload_interface.verify = (status_t (*) (payload_t *))verify;
-	this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules;
-	this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length;
-	this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type;
-	this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
-	this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_type;
-	this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
-
-	/* public functions */
-	this->public.get_key_exchange_data = (chunk_t (*) (ke_payload_t *)) get_key_exchange_data;
-	this->public.set_key_exchange_data = (void (*) (ke_payload_t *,chunk_t)) set_key_exchange_data;
-	this->public.get_dh_group_number = (diffie_hellman_group_t (*) (ke_payload_t *)) get_dh_group_number;
-	this->public.set_dh_group_number =(void (*) (ke_payload_t *,diffie_hellman_group_t)) set_dh_group_number;
-	this->public.destroy = (void (*) (ke_payload_t *)) destroy;
-
-	/* set default values of the fields */
-	this->critical = FALSE;
-	this->next_payload = NO_PAYLOAD;
-	this->payload_length = KE_PAYLOAD_HEADER_LENGTH;
-	this->key_exchange_data = chunk_empty;
-	this->dh_group_number = MODP_NONE;
-
-	return &this->public;
-}
-
-/*
- * Described in header
- */
-ke_payload_t *ke_payload_create_from_diffie_hellman(diffie_hellman_t *dh)
-{
-	private_ke_payload_t *this = (private_ke_payload_t*)ke_payload_create();
-
-	dh->get_my_public_value(dh, &this->key_exchange_data);
-	this->dh_group_number = dh->get_dh_group(dh);
-	compute_length(this);
-
-	return &this->public;
-}
diff --git a/src/charon/encoding/payloads/ke_payload.h b/src/charon/encoding/payloads/ke_payload.h
deleted file mode 100644
index 3ca05009e..000000000
--- a/src/charon/encoding/payloads/ke_payload.h
+++ /dev/null
@@ -1,104 +0,0 @@
-/*
- * Copyright (C) 2005-2006 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup ke_payload ke_payload
- * @{ @ingroup payloads
- */
-
-#ifndef KE_PAYLOAD_H_
-#define KE_PAYLOAD_H_
-
-typedef struct ke_payload_t ke_payload_t;
-
-#include <library.h>
-#include <encoding/payloads/payload.h>
-#include <encoding/payloads/transform_substructure.h>
-#include <utils/linked_list.h>
-#include <crypto/diffie_hellman.h>
-
-/**
- * KE payload length in bytes without any key exchange data.
- */
-#define KE_PAYLOAD_HEADER_LENGTH 8
-
-/**
- * Class representing an IKEv2-KE Payload.
- *
- * The KE Payload format is described in RFC section 3.4.
- */
-struct ke_payload_t {
-	/**
-	 * The payload_t interface.
-	 */
-	payload_t payload_interface;
-
-	/**
-	 * Returns the currently set key exchange data of this KE payload.
-	 *
-	 * @warning Returned data are not copied.
-	 *
-	 * @return 		chunk_t pointing to the value
-	 */
-	chunk_t (*get_key_exchange_data) (ke_payload_t *this);
-
-	/**
-	 * Sets the key exchange data of this KE payload.
-	 *
-	 * Value is getting copied.
-	 *
-	 * @param key_exchange_data chunk_t pointing to the value to set
-	 */
-	void (*set_key_exchange_data) (ke_payload_t *this, chunk_t key_exchange_data);
-
-	/**
-	 * Gets the Diffie-Hellman Group Number of this KE payload.
-	 *
-	 * @return 					DH Group Number of this payload
-	 */
-	diffie_hellman_group_t (*get_dh_group_number) (ke_payload_t *this);
-
-	/**
-	 * Sets the Diffie-Hellman Group Number of this KE payload.
-	 *
-	 * @param dh_group_number	DH Group to set
-	 */
-	void (*set_dh_group_number) (ke_payload_t *this,
-								 diffie_hellman_group_t dh_group_number);
-
-	/**
-	 * Destroys an ke_payload_t object.
-	 */
-	void (*destroy) (ke_payload_t *this);
-};
-
-/**
- * Creates an empty ke_payload_t object
- *
- * @return ke_payload_t object
- */
-ke_payload_t *ke_payload_create(void);
-
-/**
- * Creates a ke_payload_t from a diffie_hellman_t
- *
- * @param diffie_hellman	diffie hellman object containing group and key
- * @return 					ke_payload_t object
- */
-ke_payload_t *ke_payload_create_from_diffie_hellman(
-											diffie_hellman_t *diffie_hellman);
-
-#endif /** KE_PAYLOAD_H_ @}*/
diff --git a/src/charon/encoding/payloads/nonce_payload.c b/src/charon/encoding/payloads/nonce_payload.c
deleted file mode 100644
index 4ad5ce9dd..000000000
--- a/src/charon/encoding/payloads/nonce_payload.c
+++ /dev/null
@@ -1,225 +0,0 @@
-/*
- * Copyright (C) 2005-2006 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/* offsetof macro */
-#include <stddef.h>
-
-#include "nonce_payload.h"
-
-#include <encoding/payloads/encodings.h>
-
-
-typedef struct private_nonce_payload_t private_nonce_payload_t;
-
-/**
- * Private data of an nonce_payload_t object.
- *
- */
-struct private_nonce_payload_t {
-	/**
-	 * Public nonce_payload_t interface.
-	 */
-	nonce_payload_t public;
-
-	/**
-	 * Next payload type.
-	 */
-	u_int8_t  next_payload;
-
-	/**
-	 * Critical flag.
-	 */
-	bool critical;
-
-	/**
-	 * Length of this payload.
-	 */
-	u_int16_t payload_length;
-
-	/**
-	 * The contained nonce value.
-	 */
-	chunk_t nonce;
-};
-
-/**
- * Encoding rules to parse or generate a nonce payload
- *
- * The defined offsets are the positions in a object of type
- * private_nonce_payload_t.
- *
- */
-encoding_rule_t nonce_payload_encodings[] = {
-	/* 1 Byte next payload type, stored in the field next_payload */
-	{ U_INT_8,			offsetof(private_nonce_payload_t, next_payload) 	},
-	/* the critical bit */
-	{ FLAG,				offsetof(private_nonce_payload_t, critical) 		},
-	/* 7 Bit reserved bits, nowhere stored */
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	/* Length of the whole nonce payload*/
-	{ PAYLOAD_LENGTH,	offsetof(private_nonce_payload_t, payload_length) 	},
-	/* some nonce bytes, lenth is defined in PAYLOAD_LENGTH */
-	{ NONCE_DATA,			offsetof(private_nonce_payload_t, nonce) 		}
-};
-
-/*                           1                   2                   3
-       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-      ! Next Payload  !C!  RESERVED   !         Payload Length        !
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-      !                                                               !
-      ~                            Nonce Data                         ~
-      !                                                               !
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-*/
-
-/**
- * Implementation of payload_t.verify.
- */
-static status_t verify(private_nonce_payload_t *this)
-{
-	if ((this->nonce.len < 16) || ((this->nonce.len > 256)))
-	{
-		/* nonce length is wrong */
-		return FAILED;
-	}
-
-	return SUCCESS;
-}
-
-/**
- * Implementation of nonce_payload_t.set_nonce.
- */
-static status_t set_nonce(private_nonce_payload_t *this, chunk_t nonce)
-{
-	this->nonce.ptr = clalloc(nonce.ptr, nonce.len);
-	this->nonce.len = nonce.len;
-	this->payload_length = NONCE_PAYLOAD_HEADER_LENGTH + nonce.len;
-	return SUCCESS;
-}
-
-/**
- * Implementation of nonce_payload_t.get_nonce.
- */
-static chunk_t get_nonce(private_nonce_payload_t *this)
-{
-	chunk_t nonce;
-	nonce.ptr = clalloc(this->nonce.ptr,this->nonce.len);
-	nonce.len = this->nonce.len;
-	return nonce;
-}
-
-/**
- * Implementation of nonce_payload_t.get_encoding_rules.
- */
-static void get_encoding_rules(private_nonce_payload_t *this, encoding_rule_t **rules, size_t *rule_count)
-{
-	*rules = nonce_payload_encodings;
-	*rule_count = sizeof(nonce_payload_encodings) / sizeof(encoding_rule_t);
-}
-
-/**
- * Implementation of payload_t.get_type.
- */
-static payload_type_t get_type(private_nonce_payload_t *this)
-{
-	return NONCE;
-}
-
-/**
- * Implementation of payload_t.get_next_type.
- */
-static payload_type_t get_next_type(private_nonce_payload_t *this)
-{
-	return (this->next_payload);
-}
-
-/**
- * Implementation of payload_t.set_next_type.
- */
-static void set_next_type(private_nonce_payload_t *this,payload_type_t type)
-{
-	this->next_payload = type;
-}
-
-/**
- * recompute the length of the payload.
- */
-static void compute_length(private_nonce_payload_t *this)
-{
-	this->payload_length = NONCE_PAYLOAD_HEADER_LENGTH + this->nonce.len;
-}
-
-/**
- * Implementation of payload_t.get_length.
- */
-static size_t get_length(private_nonce_payload_t *this)
-{
-	compute_length(this);
-	return this->payload_length;
-}
-
-/**
- * Implementation of payload_t.destroy and nonce_payload_t.destroy.
- */
-static void destroy(private_nonce_payload_t *this)
-{
-	if (this->nonce.ptr != NULL)
-	{
-		free(this->nonce.ptr);
-	}
-
-	free(this);
-}
-
-/*
- * Described in header
- */
-nonce_payload_t *nonce_payload_create()
-{
-	private_nonce_payload_t *this = malloc_thing(private_nonce_payload_t);
-
-	/* interface functions */
-	this->public.payload_interface.verify = (status_t (*) (payload_t *))verify;
-	this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules;
-	this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length;
-	this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type;
-	this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
-	this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_type;
-	this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
-
-	/* public functions */
-	this->public.destroy = (void (*) (nonce_payload_t *)) destroy;
-	this->public.set_nonce = (void (*) (nonce_payload_t *,chunk_t)) set_nonce;
-	this->public.get_nonce = (chunk_t (*) (nonce_payload_t *)) get_nonce;
-
-	/* private variables */
-	this->critical = FALSE;
-	this->next_payload = NO_PAYLOAD;
-	this->payload_length = NONCE_PAYLOAD_HEADER_LENGTH;
-	this->nonce.ptr = NULL;
-	this->nonce.len = 0;
-
-	return (&(this->public));
-}
-
-
diff --git a/src/charon/encoding/payloads/nonce_payload.h b/src/charon/encoding/payloads/nonce_payload.h
deleted file mode 100644
index e9212202e..000000000
--- a/src/charon/encoding/payloads/nonce_payload.h
+++ /dev/null
@@ -1,78 +0,0 @@
-/*
- * Copyright (C) 2005-2006 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup nonce_payload nonce_payload
- * @{ @ingroup payloads
- */
-
-#ifndef NONCE_PAYLOAD_H_
-#define NONCE_PAYLOAD_H_
-
-typedef struct nonce_payload_t nonce_payload_t;
-
-#include <library.h>
-#include <encoding/payloads/payload.h>
-
-/**
- * Nonce size in bytes for nonces sending to other peer.
- */
-#define NONCE_SIZE 32
-
-/**
- * Length of a nonce payload without a nonce in bytes.
- */
-#define NONCE_PAYLOAD_HEADER_LENGTH 4
-
-/**
- * Object representing an IKEv2 Nonce payload.
- *
- * The Nonce payload format is described in RFC section 3.3.
- */
-struct nonce_payload_t {
-	/**
-	 * The payload_t interface.
-	 */
-	payload_t payload_interface;
-
-	/**
-	 * Set the nonce value.
-	 *
-	 * @param nonce			chunk containing the nonce, will be cloned
-	 */
-	void (*set_nonce) (nonce_payload_t *this, chunk_t nonce);
-
-	/**
-	 * Get the nonce value.
-	 *
-	 * @return				a chunk containing the cloned nonce
-	 */
-	chunk_t (*get_nonce) (nonce_payload_t *this);
-
-	/**
-	 * Destroys an nonce_payload_t object.
-	 */
-	void (*destroy) (nonce_payload_t *this);
-};
-
-/**
- * Creates an empty nonce_payload_t object
- *
- * @return nonce_payload_t object
- */
-nonce_payload_t *nonce_payload_create(void);
-
-#endif /** NONCE_PAYLOAD_H_ @}*/
diff --git a/src/charon/encoding/payloads/notify_payload.c b/src/charon/encoding/payloads/notify_payload.c
deleted file mode 100644
index 469698ef5..000000000
--- a/src/charon/encoding/payloads/notify_payload.c
+++ /dev/null
@@ -1,617 +0,0 @@
-/*
- * Copyright (C) 2006-2008 Tobias Brunner
- * Copyright (C) 2006 Daniel Roethlisberger
- * Copyright (C) 2005-2006 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <stddef.h>
-
-#include "notify_payload.h"
-
-#include <daemon.h>
-#include <encoding/payloads/encodings.h>
-#include <crypto/hashers/hasher.h>
-
-ENUM_BEGIN(notify_type_names, UNSUPPORTED_CRITICAL_PAYLOAD, UNSUPPORTED_CRITICAL_PAYLOAD,
-	"UNSUPPORTED_CRITICAL_PAYLOAD");
-ENUM_NEXT(notify_type_names, INVALID_IKE_SPI, INVALID_MAJOR_VERSION, UNSUPPORTED_CRITICAL_PAYLOAD,
-	"INVALID_IKE_SPI",
-	"INVALID_MAJOR_VERSION");
-ENUM_NEXT(notify_type_names, INVALID_SYNTAX, INVALID_SYNTAX, INVALID_MAJOR_VERSION,
-	"INVALID_SYNTAX");
-ENUM_NEXT(notify_type_names, INVALID_MESSAGE_ID, INVALID_MESSAGE_ID, INVALID_SYNTAX,
-	"INVALID_MESSAGE_ID");
-ENUM_NEXT(notify_type_names, INVALID_SPI, INVALID_SPI, INVALID_MESSAGE_ID,
-	"INVALID_SPI");
-ENUM_NEXT(notify_type_names, NO_PROPOSAL_CHOSEN, NO_PROPOSAL_CHOSEN, INVALID_SPI,
-	"NO_PROPOSAL_CHOSEN");
-ENUM_NEXT(notify_type_names, INVALID_KE_PAYLOAD, INVALID_KE_PAYLOAD, NO_PROPOSAL_CHOSEN,
-	"INVALID_KE_PAYLOAD");
-ENUM_NEXT(notify_type_names, AUTHENTICATION_FAILED, AUTHENTICATION_FAILED, INVALID_KE_PAYLOAD,
-	"AUTHENTICATION_FAILED");
-ENUM_NEXT(notify_type_names, SINGLE_PAIR_REQUIRED, USE_ASSIGNED_HoA, AUTHENTICATION_FAILED,
-	"SINGLE_PAIR_REQUIRED",
-	"NO_ADDITIONAL_SAS",
-	"INTERNAL_ADDRESS_FAILURE",
-	"FAILED_CP_REQUIRED",
-	"TS_UNACCEPTABLE",
-	"INVALID_SELECTORS",
-	"UNACCEPTABLE_ADDRESSES",
-	"UNEXPECTED_NAT_DETECTED",
-	"USE_ASSIGNED_HoA");
-ENUM_NEXT(notify_type_names, ME_CONNECT_FAILED, ME_CONNECT_FAILED, USE_ASSIGNED_HoA,
-	"ME_CONNECT_FAILED");
-ENUM_NEXT(notify_type_names, INITIAL_CONTACT, LINK_ID, ME_CONNECT_FAILED,
-	"INITIAL_CONTACT",
-	"SET_WINDOW_SIZE",
-	"ADDITIONAL_TS_POSSIBLE",
-	"IPCOMP_SUPPORTED",
-	"NAT_DETECTION_SOURCE_IP",
-	"NAT_DETECTION_DESTINATION_IP",
-	"COOKIE",
-	"USE_TRANSPORT_MODE",
-	"HTTP_CERT_LOOKUP_SUPPORTED",
-	"REKEY_SA",
-	"ESP_TFC_PADDING_NOT_SUPPORTED",
-	"NON_FIRST_FRAGMENTS_ALSO",
-	"MOBIKE_SUPPORTED",
-	"ADDITIONAL_IP4_ADDRESS",
-	"ADDITIONAL_IP6_ADDRESS",
-	"NO_ADDITIONAL_ADDRESSES",
-	"UPDATE_SA_ADDRESSES",
-	"COOKIE2",
-	"NO_NATS_ALLOWED",
-	"AUTH_LIFETIME",
-	"MULTIPLE_AUTH_SUPPORTED",
-	"ANOTHER_AUTH_FOLLOWS",
-	"REDIRECT_SUPPORTED",
-	"REDIRECT",
-	"REDIRECTED_FROM",
-	"TICKET_LT_OPAQUE",
-	"TICKET_REQUEST",
-	"TICKET_ACK",
-	"TICKET_NACK",
-	"TICKET_OPAQUE",
-	"LINK_ID");
-ENUM_NEXT(notify_type_names, EAP_ONLY_AUTHENTICATION, EAP_ONLY_AUTHENTICATION, LINK_ID,
-	"EAP_ONLY_AUTHENTICATION");
-ENUM_NEXT(notify_type_names, USE_BEET_MODE, USE_BEET_MODE, EAP_ONLY_AUTHENTICATION,
-	"USE_BEET_MODE");
-ENUM_NEXT(notify_type_names, ME_MEDIATION, ME_RESPONSE, USE_BEET_MODE,
-	"ME_MEDIATION",
-	"ME_ENDPOINT",
-	"ME_CALLBACK",
-	"ME_CONNECTID",
-	"ME_CONNECTKEY",
-	"ME_CONNECTAUTH",
-	"ME_RESPONSE");
-ENUM_END(notify_type_names, ME_RESPONSE);
-
-
-ENUM_BEGIN(notify_type_short_names, UNSUPPORTED_CRITICAL_PAYLOAD, UNSUPPORTED_CRITICAL_PAYLOAD,
-	"CRIT");
-ENUM_NEXT(notify_type_short_names, INVALID_IKE_SPI, INVALID_MAJOR_VERSION, UNSUPPORTED_CRITICAL_PAYLOAD,
-	"INVAL_IKE_SPI",
-	"INVAL_MAJOR");
-ENUM_NEXT(notify_type_short_names, INVALID_SYNTAX, INVALID_SYNTAX, INVALID_MAJOR_VERSION,
-	"INVAL_SYN");
-ENUM_NEXT(notify_type_short_names, INVALID_MESSAGE_ID, INVALID_MESSAGE_ID, INVALID_SYNTAX,
-	"INVAL_MID");
-ENUM_NEXT(notify_type_short_names, INVALID_SPI, INVALID_SPI, INVALID_MESSAGE_ID,
-	"INVAL_SPI");
-ENUM_NEXT(notify_type_short_names, NO_PROPOSAL_CHOSEN, NO_PROPOSAL_CHOSEN, INVALID_SPI,
-	"NO_PROP");
-ENUM_NEXT(notify_type_short_names, INVALID_KE_PAYLOAD, INVALID_KE_PAYLOAD, NO_PROPOSAL_CHOSEN,
-	"INVAL_KE");
-ENUM_NEXT(notify_type_short_names, AUTHENTICATION_FAILED, AUTHENTICATION_FAILED, INVALID_KE_PAYLOAD,
-	"AUTH_FAILED");
-ENUM_NEXT(notify_type_short_names, SINGLE_PAIR_REQUIRED, USE_ASSIGNED_HoA, AUTHENTICATION_FAILED,
-	"SINGLE_PAIR",
-	"NO_ADD_SAS",
-	"INT_ADDR_FAIL",
-	"FAIL_CP_REQ",
-	"TS_UNACCEPT",
-	"INVAL_SEL",
-	"UNACCEPT_ADDR",
-	"UNEXPECT_NAT",
-	"ASSIGNED_HoA");
-ENUM_NEXT(notify_type_short_names, ME_CONNECT_FAILED, ME_CONNECT_FAILED, USE_ASSIGNED_HoA,
-	"ME_CONN_FAIL");
-ENUM_NEXT(notify_type_short_names, INITIAL_CONTACT, LINK_ID, ME_CONNECT_FAILED,
-	"INIT_CONTACT",
-	"SET_WINSIZE",
-	"ADD_TS_POSS",
-	"IPCOMP_SUPP",
-	"NATD_S_IP",
-	"NATD_D_IP",
-	"COOKIE",
-	"USE_TRANSP",
-	"HTTP_CERT_LOOK",
-	"REKEY_SA",
-	"ESP_TFC_PAD_N",
-	"NON_FIRST_FRAG",
-	"MOBIKE_SUP",
-	"ADD_4_ADDR",
-	"ADD_6_ADDR",
-	"NO_ADD_ADDR",
-	"UPD_SA_ADDR",
-	"COOKIE2",
-	"NO_NATS",
-	"AUTH_LFT",
-	"MULT_AUTH",
-	"AUTH_FOLLOWS",
-	"REDIR_SUP",
-	"REDIR",
-	"REDIR_FROM",
-	"TKT_LT_OPAK",
-	"TKT_REQ",
-	"TKT_ACK",
-	"TKT_NACK",
-	"TKT_OPAK",
-	"LINK_ID");
-ENUM_NEXT(notify_type_short_names, EAP_ONLY_AUTHENTICATION, EAP_ONLY_AUTHENTICATION, LINK_ID,
-	"EAP_ONLY");
-ENUM_NEXT(notify_type_short_names, USE_BEET_MODE, USE_BEET_MODE, EAP_ONLY_AUTHENTICATION,
-	"BEET_MODE");
-ENUM_NEXT(notify_type_short_names, ME_MEDIATION, ME_RESPONSE, USE_BEET_MODE,
-	"ME_MED",
-	"ME_EP",
-	"ME_CB",
-	"ME_CID",
-	"ME_CKEY",
-	"ME_CAUTH",
-	"ME_R");
-ENUM_END(notify_type_short_names, ME_RESPONSE);
-
-
-typedef struct private_notify_payload_t private_notify_payload_t;
-
-/**
- * Private data of an notify_payload_t object.
- *
- */
-struct private_notify_payload_t {
-	/**
-	 * Public notify_payload_t interface.
-	 */
-	notify_payload_t public;
-
-	/**
-	 * Next payload type.
-	 */
-	u_int8_t  next_payload;
-
-	/**
-	 * Critical flag.
-	 */
-	bool critical;
-
-	/**
-	 * Length of this payload.
-	 */
-	u_int16_t payload_length;
-
-	/**
-	 * Protocol id.
-	 */
-	u_int8_t protocol_id;
-
-	/**
-	 * Spi size.
-	 */
-	u_int8_t spi_size;
-
-	/**
-	 * Notify message type.
-	 */
-	u_int16_t notify_type;
-
-	/**
-	 * Security parameter index (spi).
-	 */
-	chunk_t spi;
-
-	/**
-	 * Notification data.
-	 */
-	chunk_t notification_data;
-};
-
-/**
- * Encoding rules to parse or generate a IKEv2-Notify Payload.
- *
- * The defined offsets are the positions in a object of type
- * private_notify_payload_t.
- *
- */
-encoding_rule_t notify_payload_encodings[] = {
-	/* 1 Byte next payload type, stored in the field next_payload */
-	{ U_INT_8,			offsetof(private_notify_payload_t, next_payload) 		},
-	/* the critical bit */
-	{ FLAG,				offsetof(private_notify_payload_t, critical) 			},
-	/* 7 Bit reserved bits, nowhere stored */
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	/* Length of the whole payload*/
-	{ PAYLOAD_LENGTH,	offsetof(private_notify_payload_t, payload_length) 		},
-	/* Protocol ID as 8 bit field*/
-	{ U_INT_8,			offsetof(private_notify_payload_t, protocol_id) 			},
-	/* SPI Size as 8 bit field*/
-	{ SPI_SIZE,			offsetof(private_notify_payload_t, spi_size) 			},
-	/* Notify message type as 16 bit field*/
-	{ U_INT_16,			offsetof(private_notify_payload_t, notify_type)	},
-	/* SPI as variable length field*/
-	{ SPI,				offsetof(private_notify_payload_t, spi)					},
-	/* Key Exchange Data is from variable size */
-	{ NOTIFICATION_DATA,	offsetof(private_notify_payload_t, notification_data) 	}
-};
-
-/*
-                           1                   2                   3
-       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-      ! Next Payload  !C!  RESERVED   !         Payload Length        !
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-      !  Protocol ID  !   SPI Size    !      Notify Message Type      !
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-      !                                                               !
-      ~                Security Parameter Index (SPI)                 ~
-      !                                                               !
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-      !                                                               !
-      ~                       Notification Data                       ~
-      !                                                               !
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-*/
-
-/**
- * Implementation of payload_t.verify.
- */
-static status_t verify(private_notify_payload_t *this)
-{
-	bool bad_length = FALSE;
-
-	switch (this->protocol_id)
-	{
-		case PROTO_NONE:
-		case PROTO_IKE:
-		case PROTO_AH:
-		case PROTO_ESP:
-			break;
-		default:
-			DBG1(DBG_ENC, "Unknown protocol (%d)", this->protocol_id);
-			return FAILED;
-	}
-
-	switch (this->notify_type)
-	{
-		case INVALID_KE_PAYLOAD:
-		{
-			if (this->notification_data.len != 2)
-			{
-				bad_length = TRUE;
-			}
-			break;
-		}
-		case NAT_DETECTION_SOURCE_IP:
-		case NAT_DETECTION_DESTINATION_IP:
-		case ME_CONNECTAUTH:
-		{
-			if (this->notification_data.len != HASH_SIZE_SHA1)
-			{
-				bad_length = TRUE;
-			}
-			break;
-		}
-		case INVALID_SYNTAX:
-		case INVALID_MAJOR_VERSION:
-		case NO_PROPOSAL_CHOSEN:
-		{
-			if (this->notification_data.len != 0)
-			{
-				bad_length = TRUE;
-			}
-			break;
-		}
-		case ADDITIONAL_IP4_ADDRESS:
-		{
-			if (this->notification_data.len != 4)
-			{
-				bad_length = TRUE;
-			}
-			break;
-		}
-		case ADDITIONAL_IP6_ADDRESS:
-		{
-			if (this->notification_data.len != 16)
-			{
-				bad_length = TRUE;
-			}
-			break;
-		}
-		case AUTH_LIFETIME:
-		{
-			if (this->notification_data.len != 4)
-			{
-				bad_length = TRUE;
-			}
-			break;
-		}
-		case IPCOMP_SUPPORTED:
-		{
-			if (this->notification_data.len != 3)
-			{
-				bad_length = TRUE;
-			}
-			break;
-		}
-		case ME_ENDPOINT:
-			if (this->notification_data.len != 8 &&
-				this->notification_data.len != 12 &&
-				this->notification_data.len != 24)
-			{
-				bad_length = TRUE;
-			}
-			break;
-		case ME_CONNECTID:
-			if (this->notification_data.len < 4 ||
-				this->notification_data.len > 16)
-			{
-				bad_length = TRUE;
-			}
-			break;
-		case ME_CONNECTKEY:
-			if (this->notification_data.len < 16 ||
-				this->notification_data.len > 32)
-			{
-				bad_length = TRUE;
-			}
-			break;
-		default:
-			/* TODO: verify */
-			break;
-	}
-	if (bad_length)
-	{
-		DBG1(DBG_ENC, "invalid notify data length for %N (%d)",
-			 notify_type_names, this->notify_type,
-			 this->notification_data.len);
-		return FAILED;
-	}
-	return SUCCESS;
-}
-
-/**
- * Implementation of payload_t.get_encoding_rules.
- */
-static void get_encoding_rules(private_notify_payload_t *this, encoding_rule_t **rules, size_t *rule_count)
-{
-	*rules = notify_payload_encodings;
-	*rule_count = sizeof(notify_payload_encodings) / sizeof(encoding_rule_t);
-}
-
-/**
- * Implementation of payload_t.get_type.
- */
-static payload_type_t get_type(private_notify_payload_t *this)
-{
-	return NOTIFY;
-}
-
-/**
- * Implementation of payload_t.get_next_type.
- */
-static payload_type_t get_next_type(private_notify_payload_t *this)
-{
-	return (this->next_payload);
-}
-
-/**
- * Implementation of payload_t.set_next_type.
- */
-static void set_next_type(private_notify_payload_t *this,payload_type_t type)
-{
-	this->next_payload = type;
-}
-
-/**
- * recompute the payloads length.
- */
-static void compute_length (private_notify_payload_t *this)
-{
-	size_t length = NOTIFY_PAYLOAD_HEADER_LENGTH;
-	if (this->notification_data.ptr != NULL)
-	{
-		length += this->notification_data.len;
-	}
-	if (this->spi.ptr != NULL)
-	{
-		length += this->spi.len;
-	}
-	this->payload_length = length;
-}
-
-/**
- * Implementation of payload_t.get_length.
- */
-static size_t get_length(private_notify_payload_t *this)
-{
-	compute_length(this);
-	return this->payload_length;
-}
-
-/**
- * Implementation of notify_payload_t.get_protocol_id.
- */
-static u_int8_t get_protocol_id(private_notify_payload_t *this)
-{
-	return this->protocol_id;
-}
-
-/**
- * Implementation of notify_payload_t.set_protocol_id.
- */
-static void set_protocol_id(private_notify_payload_t *this, u_int8_t protocol_id)
-{
-	this->protocol_id = protocol_id;
-}
-
-/**
- * Implementation of notify_payload_t.get_notify_type.
- */
-static notify_type_t get_notify_type(private_notify_payload_t *this)
-{
-	return this->notify_type;
-}
-
-/**
- * Implementation of notify_payload_t.set_notify_type.
- */
-static void set_notify_type(private_notify_payload_t *this, u_int16_t notify_type)
-{
-	this->notify_type = notify_type;
-}
-
-/**
- * Implementation of notify_payload_t.get_spi.
- */
-static u_int32_t get_spi(private_notify_payload_t *this)
-{
-	switch (this->protocol_id)
-	{
-		case PROTO_AH:
-		case PROTO_ESP:
-			if (this->spi.len == 4)
-			{
-				return *((u_int32_t*)this->spi.ptr);
-			}
-		default:
-			break;
-	}
-	return 0;
-}
-
-/**
- * Implementation of notify_payload_t.set_spi.
- */
-static void set_spi(private_notify_payload_t *this, u_int32_t spi)
-{
-	chunk_free(&this->spi);
-	switch (this->protocol_id)
-	{
-		case PROTO_AH:
-		case PROTO_ESP:
-			this->spi = chunk_alloc(4);
-			*((u_int32_t*)this->spi.ptr) = spi;
-			break;
-		default:
-			break;
-	}
-	this->spi_size = this->spi.len;
-	compute_length(this);
-}
-
-/**
- * Implementation of notify_payload_t.get_notification_data.
- */
-static chunk_t get_notification_data(private_notify_payload_t *this)
-{
-	return (this->notification_data);
-}
-
-/**
- * Implementation of notify_payload_t.set_notification_data.
- */
-static status_t set_notification_data(private_notify_payload_t *this, chunk_t notification_data)
-{
-	chunk_free(&this->notification_data);
-	if (notification_data.len > 0)
-	{
-		this->notification_data = chunk_clone(notification_data);
-	}
-	compute_length(this);
-	return SUCCESS;
-}
-
-/**
- * Implementation of notify_payload_t.destroy and notify_payload_t.destroy.
- */
-static status_t destroy(private_notify_payload_t *this)
-{
-	chunk_free(&this->notification_data);
-	chunk_free(&this->spi);
-	free(this);
-	return SUCCESS;
-}
-
-/*
- * Described in header
- */
-notify_payload_t *notify_payload_create()
-{
-	private_notify_payload_t *this = malloc_thing(private_notify_payload_t);
-
-	/* interface functions */
-	this->public.payload_interface.verify = (status_t (*) (payload_t *))verify;
-	this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules;
-	this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length;
-	this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type;
-	this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
-	this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_type;
-	this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
-
-	/* public functions */
-	this->public.get_protocol_id = (u_int8_t (*) (notify_payload_t *)) get_protocol_id;
-	this->public.set_protocol_id  = (void (*) (notify_payload_t *,u_int8_t)) set_protocol_id;
-	this->public.get_notify_type = (notify_type_t (*) (notify_payload_t *)) get_notify_type;
-	this->public.set_notify_type = (void (*) (notify_payload_t *,notify_type_t)) set_notify_type;
-	this->public.get_spi = (u_int32_t (*) (notify_payload_t *)) get_spi;
-	this->public.set_spi = (void (*) (notify_payload_t *,u_int32_t)) set_spi;
-	this->public.get_notification_data = (chunk_t (*) (notify_payload_t *)) get_notification_data;
-	this->public.set_notification_data = (void (*) (notify_payload_t *,chunk_t)) set_notification_data;
-	this->public.destroy = (void (*) (notify_payload_t *)) destroy;
-
-	/* set default values of the fields */
-	this->critical = FALSE;
-	this->next_payload = NO_PAYLOAD;
-	this->payload_length = NOTIFY_PAYLOAD_HEADER_LENGTH;
-	this->protocol_id = 0;
-	this->notify_type = 0;
-	this->spi.ptr = NULL;
-	this->spi.len = 0;
-	this->spi_size = 0;
-	this->notification_data.ptr = NULL;
-	this->notification_data.len = 0;
-
-	return &this->public;
-}
-
-/*
- * Described in header.
- */
-notify_payload_t *notify_payload_create_from_protocol_and_type(protocol_id_t protocol_id, notify_type_t notify_type)
-{
-	notify_payload_t *notify = notify_payload_create();
-
-	notify->set_notify_type(notify,notify_type);
-	notify->set_protocol_id(notify,protocol_id);
-
-	return notify;
-}
diff --git a/src/charon/encoding/payloads/notify_payload.h b/src/charon/encoding/payloads/notify_payload.h
deleted file mode 100644
index 0e1bc23b8..000000000
--- a/src/charon/encoding/payloads/notify_payload.h
+++ /dev/null
@@ -1,232 +0,0 @@
-/*
- * Copyright (C) 2006-2008 Tobias Brunner
- * Copyright (C) 2006 Daniel Roethlisberger
- * Copyright (C) 2005-2006 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup notify_payload notify_payload
- * @{ @ingroup payloads
- */
-
-#ifndef NOTIFY_PAYLOAD_H_
-#define NOTIFY_PAYLOAD_H_
-
-typedef enum notify_type_t notify_type_t;
-typedef struct notify_payload_t notify_payload_t;
-
-#include <library.h>
-#include <encoding/payloads/payload.h>
-#include <encoding/payloads/proposal_substructure.h>
-#include <utils/linked_list.h>
-
-/**
- * Notify payload length in bytes without any spi and notification data.
- */
-#define NOTIFY_PAYLOAD_HEADER_LENGTH 8
-
-/**
- * Notify message types.
- *
- * See IKEv2 RFC 3.10.1.
- */
-enum notify_type_t {
-	/* notify error messages */
-	UNSUPPORTED_CRITICAL_PAYLOAD = 1,
-	INVALID_IKE_SPI = 4,
-	INVALID_MAJOR_VERSION = 5,
-	INVALID_SYNTAX = 7,
-	INVALID_MESSAGE_ID = 9,
-	INVALID_SPI = 11,
-	NO_PROPOSAL_CHOSEN = 14,
-	INVALID_KE_PAYLOAD = 17,
-	AUTHENTICATION_FAILED = 24,
-	SINGLE_PAIR_REQUIRED = 34,
-	NO_ADDITIONAL_SAS = 35,
-	INTERNAL_ADDRESS_FAILURE = 36,
-	FAILED_CP_REQUIRED = 37,
-	TS_UNACCEPTABLE = 38,
-	INVALID_SELECTORS = 39,
-	/* mobile extension, RFC 4555 */
-	UNACCEPTABLE_ADDRESSES = 40,
-	UNEXPECTED_NAT_DETECTED = 41,
-	/* mobile IPv6 bootstrapping, RFC 5026 */
-	USE_ASSIGNED_HoA = 42,
-
-	/* IKE-ME, private use */
-	ME_CONNECT_FAILED = 8192,
-
-	/* notify status messages */
-	INITIAL_CONTACT = 16384,
-	SET_WINDOW_SIZE = 16385,
-	ADDITIONAL_TS_POSSIBLE = 16386,
-	IPCOMP_SUPPORTED = 16387,
-	NAT_DETECTION_SOURCE_IP = 16388,
-	NAT_DETECTION_DESTINATION_IP = 16389,
-	COOKIE = 16390,
-	USE_TRANSPORT_MODE = 16391,
-	HTTP_CERT_LOOKUP_SUPPORTED = 16392,
-	REKEY_SA = 16393,
-	ESP_TFC_PADDING_NOT_SUPPORTED = 16394,
-	NON_FIRST_FRAGMENTS_ALSO = 16395,
-	/* mobike extension, RFC4555 */
-	MOBIKE_SUPPORTED = 16396,
-	ADDITIONAL_IP4_ADDRESS = 16397,
-	ADDITIONAL_IP6_ADDRESS = 16398,
-	NO_ADDITIONAL_ADDRESSES = 16399,
-	UPDATE_SA_ADDRESSES = 16400,
-	COOKIE2 = 16401,
-	NO_NATS_ALLOWED = 16402,
-	/* repeated authentication extension, RFC4478 */
-	AUTH_LIFETIME = 16403,
-	/* multiple authentication exchanges, RFC 4739 */
-	MULTIPLE_AUTH_SUPPORTED = 16404,
-	ANOTHER_AUTH_FOLLOWS = 16405,
-	/* redirect mechanism, RFC 5685 */
-	REDIRECT_SUPPORTED = 16406,
-	REDIRECT = 16407,
-	REDIRECTED_FROM = 16408,
-	/* draft-ietf-ipsecme-ikev2-resumption, assigned by IANA */
-	TICKET_LT_OPAQUE = 16409,
-	TICKET_REQUEST = 16410,
-	TICKET_ACK = 16411,
-	TICKET_NACK = 16412,
-	TICKET_OPAQUE = 16413,
-	LINK_ID = 16414,
-
-	/* draft-eronen-ipsec-ikev2-eap-auth, not assigned by IANA yet */
-	EAP_ONLY_AUTHENTICATION = 40960,
-	/* BEET mode, not even a draft yet. private use */
-	USE_BEET_MODE = 40961,
-	/* IKE-ME, private use */
-	ME_MEDIATION = 40962,
-	ME_ENDPOINT = 40963,
-	ME_CALLBACK = 40964,
-	ME_CONNECTID = 40965,
-	ME_CONNECTKEY = 40966,
-	ME_CONNECTAUTH = 40967,
-	ME_RESPONSE = 40968
-};
-
-/**
- * enum name for notify_type_t.
- */
-extern enum_name_t *notify_type_names;
-
-/**
- * enum name for notify_type_t (shorter strings).
- */
-extern enum_name_t *notify_type_short_names;
-
-/**
- * Class representing an IKEv2-Notify Payload.
- *
- * The Notify Payload format is described in Draft section 3.10.
- */
-struct notify_payload_t {
-	/**
-	 * The payload_t interface.
-	 */
-	payload_t payload_interface;
-
-	/**
-	 * Gets the protocol id of this payload.
-	 *
-	 * @return 			protocol id of this payload
-	 */
-	u_int8_t (*get_protocol_id) (notify_payload_t *this);
-
-	/**
-	 * Sets the protocol id of this payload.
-	 *
-	 * @param protocol_id	protocol id to set
-	 */
-	void (*set_protocol_id) (notify_payload_t *this, u_int8_t protocol_id);
-
-	/**
-	 * Gets the notify message type of this payload.
-	 *
-	 * @return 			notify message type of this payload
-	 */
-	notify_type_t (*get_notify_type) (notify_payload_t *this);
-
-	/**
-	 * Sets notify message type of this payload.
-	 *
-	 * @param type		notify message type to set
-	 */
-	void (*set_notify_type) (notify_payload_t *this, notify_type_t type);
-
-	/**
-	 * Returns the currently set spi of this payload.
-	 *
-	 * This is only valid for notifys with protocol AH|ESP
-	 *
-	 * @return 		SPI value
-	 */
-	u_int32_t (*get_spi) (notify_payload_t *this);
-
-	/**
-	 * Sets the spi of this payload.
-	 *
-	 * This is only valid for notifys with protocol AH|ESP
-	 *
-	 * @param spi	SPI value
-	 */
-	void (*set_spi) (notify_payload_t *this, u_int32_t spi);
-
-	/**
-	 * Returns the currently set notification data of payload.
-	 *
-	 * Returned data are not copied.
-	 *
-	 * @return 		chunk_t pointing to the value
-	 */
-	chunk_t (*get_notification_data) (notify_payload_t *this);
-
-	/**
-	 * Sets the notification data of this payload.
-	 *
-	 * @warning Value is getting copied.
-	 *
-	 * @param notification_data 	chunk_t pointing to the value to set
-	 */
-	void (*set_notification_data) (notify_payload_t *this,
-								   chunk_t notification_data);
-
-	/**
-	 * Destroys an notify_payload_t object.
-	 */
-	void (*destroy) (notify_payload_t *this);
-};
-
-/**
- * Creates an empty notify_payload_t object
- *
- * @return			created notify_payload_t object
- */
-notify_payload_t *notify_payload_create(void);
-
-/**
- * Creates an notify_payload_t object of specific type for specific protocol id.
- *
- * @param protocol_id			protocol id (IKE, AH or ESP)
- * @param type					notify type (see notify_type_t)
- * @return						notify_payload_t object
- */
-notify_payload_t *notify_payload_create_from_protocol_and_type(
-								protocol_id_t protocol_id, notify_type_t type);
-
-#endif /** NOTIFY_PAYLOAD_H_ @}*/
diff --git a/src/charon/encoding/payloads/payload.c b/src/charon/encoding/payloads/payload.c
deleted file mode 100644
index 1cee6d2aa..000000000
--- a/src/charon/encoding/payloads/payload.c
+++ /dev/null
@@ -1,184 +0,0 @@
-/*
- * Copyright (C) 2007 Tobias Brunner
- * Copyright (C) 2005-2006 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-
-#include "payload.h"
-
-#include <encoding/payloads/ike_header.h>
-#include <encoding/payloads/sa_payload.h>
-#include <encoding/payloads/nonce_payload.h>
-#include <encoding/payloads/id_payload.h>
-#include <encoding/payloads/ke_payload.h>
-#include <encoding/payloads/notify_payload.h>
-#include <encoding/payloads/auth_payload.h>
-#include <encoding/payloads/cert_payload.h>
-#include <encoding/payloads/certreq_payload.h>
-#include <encoding/payloads/encryption_payload.h>
-#include <encoding/payloads/ts_payload.h>
-#include <encoding/payloads/delete_payload.h>
-#include <encoding/payloads/vendor_id_payload.h>
-#include <encoding/payloads/cp_payload.h>
-#include <encoding/payloads/configuration_attribute.h>
-#include <encoding/payloads/eap_payload.h>
-#include <encoding/payloads/unknown_payload.h>
-
-
-ENUM_BEGIN(payload_type_names, NO_PAYLOAD, NO_PAYLOAD,
-	"NO_PAYLOAD");
-ENUM_NEXT(payload_type_names, SECURITY_ASSOCIATION, EXTENSIBLE_AUTHENTICATION, NO_PAYLOAD,
-	"SECURITY_ASSOCIATION",
-	"KEY_EXCHANGE",
-	"ID_INITIATOR",
-	"ID_RESPONDER",
-	"CERTIFICATE",
-	"CERTIFICATE_REQUEST",
-	"AUTHENTICATION",
-	"NONCE",
-	"NOTIFY",
-	"DELETE",
-	"VENDOR_ID",
-	"TRAFFIC_SELECTOR_INITIATOR",
-	"TRAFFIC_SELECTOR_RESPONDER",
-	"ENCRYPTED",
-	"CONFIGURATION",
-	"EXTENSIBLE_AUTHENTICATION");
-#ifdef ME
-ENUM_NEXT(payload_type_names, ID_PEER, ID_PEER, EXTENSIBLE_AUTHENTICATION,
-	"ID_PEER");
-ENUM_NEXT(payload_type_names, HEADER, UNKNOWN_PAYLOAD, ID_PEER,
-	"HEADER",
-	"PROPOSAL_SUBSTRUCTURE",
-	"TRANSFORM_SUBSTRUCTURE",
-	"TRANSFORM_ATTRIBUTE",
-	"TRAFFIC_SELECTOR_SUBSTRUCTURE",
-	"CONFIGURATION_ATTRIBUTE",
-	"UNKNOWN_PAYLOAD");
-#else
-ENUM_NEXT(payload_type_names, HEADER, UNKNOWN_PAYLOAD, EXTENSIBLE_AUTHENTICATION,
-	"HEADER",
-	"PROPOSAL_SUBSTRUCTURE",
-	"TRANSFORM_SUBSTRUCTURE",
-	"TRANSFORM_ATTRIBUTE",
-	"TRAFFIC_SELECTOR_SUBSTRUCTURE",
-	"CONFIGURATION_ATTRIBUTE",
-	"UNKNOWN_PAYLOAD");
-#endif /* ME */
-ENUM_END(payload_type_names, UNKNOWN_PAYLOAD);
-
-/* short forms of payload names */
-ENUM_BEGIN(payload_type_short_names, NO_PAYLOAD, NO_PAYLOAD,
-	"--");
-ENUM_NEXT(payload_type_short_names, SECURITY_ASSOCIATION, EXTENSIBLE_AUTHENTICATION, NO_PAYLOAD,
-	"SA",
-	"KE",
-	"IDi",
-	"IDr",
-	"CERT",
-	"CERTREQ",
-	"AUTH",
-	"No",
-	"N",
-	"D",
-	"V",
-	"TSi",
-	"TSr",
-	"E",
-	"CP",
-	"EAP");
-#ifdef ME
-ENUM_NEXT(payload_type_short_names, ID_PEER, ID_PEER, EXTENSIBLE_AUTHENTICATION,
-	"IDp");
-ENUM_NEXT(payload_type_short_names, HEADER, UNKNOWN_PAYLOAD, ID_PEER,
-	"HDR",
-	"PROP",
-	"TRANS",
-	"TRANSATTR",
-	"TSSUB",
-	"CPATTR",
-	"??");
-#else
-ENUM_NEXT(payload_type_short_names, HEADER, UNKNOWN_PAYLOAD, EXTENSIBLE_AUTHENTICATION,
-	"HDR",
-	"PROP",
-	"TRANS",
-	"TRANSATTR",
-	"TSSUB",
-	"CPATTR",
-	"??");
-#endif /* ME */
-ENUM_END(payload_type_short_names, UNKNOWN_PAYLOAD);
-
-/*
- * see header
- */
-payload_t *payload_create(payload_type_t type)
-{
-	switch (type)
-	{
-		case HEADER:
-			return (payload_t*)ike_header_create();
-		case SECURITY_ASSOCIATION:
-			return (payload_t*)sa_payload_create();
-		case PROPOSAL_SUBSTRUCTURE:
-			return (payload_t*)proposal_substructure_create();
-		case TRANSFORM_SUBSTRUCTURE:
-			return (payload_t*)transform_substructure_create();
-		case TRANSFORM_ATTRIBUTE:
-			return (payload_t*)transform_attribute_create();
-		case NONCE:
-			return (payload_t*)nonce_payload_create();
-		case ID_INITIATOR:
-			return (payload_t*)id_payload_create(ID_INITIATOR);
-		case ID_RESPONDER:
-			return (payload_t*)id_payload_create(ID_RESPONDER);
-#ifdef ME
-		case ID_PEER:
-			return (payload_t*)id_payload_create(ID_PEER);
-#endif /* ME */
-		case AUTHENTICATION:
-			return (payload_t*)auth_payload_create();
-		case CERTIFICATE:
-			return (payload_t*)cert_payload_create();
-		case CERTIFICATE_REQUEST:
-			return (payload_t*)certreq_payload_create();
-		case TRAFFIC_SELECTOR_SUBSTRUCTURE:
-			return (payload_t*)traffic_selector_substructure_create();
-		case TRAFFIC_SELECTOR_INITIATOR:
-			return (payload_t*)ts_payload_create(TRUE);
-		case TRAFFIC_SELECTOR_RESPONDER:
-			return (payload_t*)ts_payload_create(FALSE);
-		case KEY_EXCHANGE:
-			return (payload_t*)ke_payload_create();
-		case NOTIFY:
-			return (payload_t*)notify_payload_create();
-		case DELETE:
-			return (payload_t*)delete_payload_create(0);
-		case VENDOR_ID:
-			return (payload_t*)vendor_id_payload_create();
-		case CONFIGURATION:
-			return (payload_t*)cp_payload_create();
-		case CONFIGURATION_ATTRIBUTE:
-			return (payload_t*)configuration_attribute_create();
-		case EXTENSIBLE_AUTHENTICATION:
-			return (payload_t*)eap_payload_create();
-		case ENCRYPTED:
-			return (payload_t*)encryption_payload_create();
-		default:
-			return (payload_t*)unknown_payload_create();
-	}
-}
-
diff --git a/src/charon/encoding/payloads/payload.h b/src/charon/encoding/payloads/payload.h
deleted file mode 100644
index 2e783cb30..000000000
--- a/src/charon/encoding/payloads/payload.h
+++ /dev/null
@@ -1,272 +0,0 @@
-/*
- * Copyright (C) 2007 Tobias Brunner
- * Copyright (C) 2005-2006 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup payload payload
- * @{ @ingroup payloads
- */
-
-#ifndef PAYLOAD_H_
-#define PAYLOAD_H_
-
-typedef enum payload_type_t payload_type_t;
-typedef struct payload_t payload_t;
-
-#include <library.h>
-#include <encoding/payloads/encodings.h>
-
-
-/**
- * Payload-Types of a IKEv2-Message.
- *
- * Header and substructures are also defined as
- * payload types with values from PRIVATE USE space.
- */
-enum payload_type_t{
-
-	/**
-	 * End of payload list in next_payload
-	 */
-	NO_PAYLOAD = 0,
-
-	/**
-	 * The security association (SA) payload containing proposals.
-	 */
-	SECURITY_ASSOCIATION = 33,
-
-	/**
-	 * The key exchange (KE) payload containing diffie-hellman values.
-	 */
-	KEY_EXCHANGE = 34,
-
-	/**
-	 * Identification for the original initiator (IDi).
-	 */
-	ID_INITIATOR = 35,
-
-	/**
-	 * Identification for the original responder (IDr).
-	 */
-	ID_RESPONDER = 36,
-
-	/**
-	 * Certificate payload with certificates (CERT).
-	 */
-	CERTIFICATE = 37,
-
-	/**
-	 * Certificate request payload (CERTREQ).
-	 */
-	CERTIFICATE_REQUEST = 38,
-
-	/**
-	 * Authentication payload contains auth data (AUTH).
-	 */
-	AUTHENTICATION = 39,
-
-	/**
-	 * Nonces, for initator and responder (Ni, Nr, N)
-	 */
-	NONCE = 40,
-
-	/**
-	 * Notify paylaod (N).
-	 */
-	NOTIFY = 41,
-
-	/**
-	 * Delete payload (D)
-	 */
-	DELETE = 42,
-
-	/**
-	 * Vendor id paylpoad (V).
-	 */
-	VENDOR_ID = 43,
-
-	/**
-	 * Traffic selector for the original initiator (TSi).
-	 */
-	TRAFFIC_SELECTOR_INITIATOR = 44,
-
-	/**
-	 * Traffic selector for the original responser (TSr).
-	 */
-	TRAFFIC_SELECTOR_RESPONDER = 45,
-
-	/**
-	 * Encryption payload, contains other payloads (E).
-	 */
-	ENCRYPTED = 46,
-
-	/**
-	 * Configuration payload (CP).
-	 */
-	CONFIGURATION = 47,
-
-	/**
-	 * Extensible authentication payload (EAP).
-	 */
-	EXTENSIBLE_AUTHENTICATION = 48,
-
-#ifdef ME
-	/**
-	 * Identification payload for peers has a value from
-	 * the PRIVATE USE space.
-	 */
-	ID_PEER = 128,
-#endif /* ME */
-
-	/**
-	 * Header has a value of PRIVATE USE space.
-	 *
-	 * This payload type is not sent over wire and just
-	 * used internally to handle IKEv2-Header like a payload.
-	 */
-	HEADER = 140,
-
-	/**
-	 * PROPOSAL_SUBSTRUCTURE has a value of PRIVATE USE space.
-	 *
-	 * This payload type is not sent over wire and just
-	 * used internally to handle a proposal substructure like a payload.
-	 */
-	PROPOSAL_SUBSTRUCTURE = 141,
-
-	/**
-	 * TRANSFORM_SUBSTRUCTURE has a value of PRIVATE USE space.
-	 *
-	 * This payload type is not sent over wire and just
-	 * used internally to handle a transform substructure like a payload.
-	 */
-	TRANSFORM_SUBSTRUCTURE = 142,
-
-	/**
-	 * TRANSFORM_ATTRIBUTE has a value of PRIVATE USE space.
-	 *
-	 * This payload type is not sent over wire and just
-	 * used internally to handle a transform attribute like a payload.
-	 */
-	TRANSFORM_ATTRIBUTE = 143,
-
-	/**
-	 * TRAFFIC_SELECTOR_SUBSTRUCTURE has a value of PRIVATE USE space.
-	 *
-	 * This payload type is not sent over wire and just
-	 * used internally to handle a transform selector like a payload.
-	 */
-	TRAFFIC_SELECTOR_SUBSTRUCTURE = 144,
-
-	/**
-	 * CONFIGURATION_ATTRIBUTE has a value of PRIVATE USE space.
-	 *
-	 * This payload type is not sent over wire and just
-	 * used internally to handle a transform attribute like a payload.
-	 */
-	CONFIGURATION_ATTRIBUTE = 145,
-
-	/**
-	 * A unknown payload has a value of PRIVATE USE space.
-	 *
-	 * This payload type is not sent over wire and just
-	 * used internally to handle a unknown payload.
-	 */
-	UNKNOWN_PAYLOAD = 146,
-};
-
-
-/**
- * enum names for payload_type_t.
- */
-extern enum_name_t *payload_type_names;
-
-/**
- * enum names for payload_type_t in a short form.
- */
-extern enum_name_t *payload_type_short_names;
-
-/**
- * Generic interface for all payload types (incl.header and substructures).
- *
- * To handle all kinds of payloads on a generic way, this interface must
- * be implemented by every payload. This allows parser_t/generator_t a simple
- * handling of all payloads.
- */
-struct payload_t {
-
-	/**
-	 * Get encoding rules for this payload.
-	 *
-	 * @param rules			location to store pointer of first rule
-	 * @param rule_count	location to store number of rules
-	 */
-	void (*get_encoding_rules) (payload_t *this, encoding_rule_t **rules, size_t *rule_count);
-
-	/**
-	 * Get type of payload.
-	 *
-	 * @return 				type of this payload
-	 */
-	payload_type_t (*get_type) (payload_t *this);
-
-	/**
-	 * Get type of next payload or NO_PAYLOAD (0) if this is the last one.
-	 *
-	 * @return 				type of next payload
-	 */
-	payload_type_t (*get_next_type) (payload_t *this);
-
-	/**
-	 * Set type of next payload.
-	 *
-	 * @param type 			type of next payload
-	 */
-	void (*set_next_type) (payload_t *this,payload_type_t type);
-
-	/**
-	 * Get length of payload.
-	 *
-	 * @return 				length of this payload
-	 */
-	size_t (*get_length) (payload_t *this);
-
-	/**
-	 * Verifies payload structure and makes consistence check.
-	 *
-	 * @return 				SUCCESS,  FAILED if consistence not given
-	 */
-	status_t (*verify) (payload_t *this);
-
-	/**
-	 * Destroys a payload and all included substructures.
-	 */
-	void (*destroy) (payload_t *this);
-};
-
-/**
- * Create an empty payload.
- *
- * Useful for the parser, who wants a generic constructor for all payloads.
- * It supports all payload_t methods. If a payload type is not known,
- * an unknwon_paylod is created with the chunk of data in it.
- *
- * @param type		type of the payload to create
- * @return			payload_t object
- */
-payload_t *payload_create(payload_type_t type);
-
-#endif /** PAYLOAD_H_ @}*/
diff --git a/src/charon/encoding/payloads/proposal_substructure.c b/src/charon/encoding/payloads/proposal_substructure.c
deleted file mode 100644
index c93f73a68..000000000
--- a/src/charon/encoding/payloads/proposal_substructure.c
+++ /dev/null
@@ -1,598 +0,0 @@
-/*
- * Copyright (C) 2005-2006 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <stddef.h>
-
-#include "proposal_substructure.h"
-
-#include <encoding/payloads/encodings.h>
-#include <encoding/payloads/transform_substructure.h>
-#include <library.h>
-#include <utils/linked_list.h>
-#include <daemon.h>
-
-
-/**
- * IKEv1 Value for a proposal payload.
- */
-#define PROPOSAL_TYPE_VALUE 2
-
-
-typedef struct private_proposal_substructure_t private_proposal_substructure_t;
-
-/**
- * Private data of an proposal_substructure_t object.
- *
- */
-struct private_proposal_substructure_t {
-	/**
-	 * Public proposal_substructure_t interface.
-	 */
-	proposal_substructure_t public;
-
-	/**
-	 * Next payload type.
-	 */
-	u_int8_t  next_payload;
-
-	/**
-	 * Length of this payload.
-	 */
-	u_int16_t proposal_length;
-
-	/**
-	 * Proposal number.
-	 */
-	u_int8_t proposal_number;
-
-	/**
-	 * Protocol ID.
-	 */
-	u_int8_t protocol_id;
-
-	/**
-	 * SPI size of the following SPI.
-	 */
-	u_int8_t  spi_size;
-
-	/**
-	 * Number of transforms.
-	 */
-	u_int8_t  transforms_count;
-
-	/**
-	 * SPI is stored as chunk.
-	 */
-	chunk_t spi;
-
-	/**
-	 * Transforms are stored in a linked_list_t.
-	 */
-	linked_list_t * transforms;
-};
-
-/**
- * Encoding rules to parse or generate a Proposal substructure.
- *
- * The defined offsets are the positions in a object of type
- * private_proposal_substructure_t.
- */
-encoding_rule_t proposal_substructure_encodings[] = {
-	/* 1 Byte next payload type, stored in the field next_payload */
-	{ U_INT_8,			offsetof(private_proposal_substructure_t, next_payload) 		},
-	/* Reserved Byte is skipped */
-	{ RESERVED_BYTE,		0															},
-	/* Length of the whole proposal substructure payload*/
-	{ PAYLOAD_LENGTH,		offsetof(private_proposal_substructure_t, proposal_length) 	},
-	/* proposal number is a number of 8 bit */
-	{ U_INT_8,				offsetof(private_proposal_substructure_t, proposal_number) 	},
-	/* protocol ID is a number of 8 bit */
-	{ U_INT_8,				offsetof(private_proposal_substructure_t, protocol_id)		},
-	/* SPI Size has its own type */
-	{ SPI_SIZE,				offsetof(private_proposal_substructure_t, spi_size)			},
-	/* Number of transforms is a number of 8 bit */
-	{ U_INT_8,				offsetof(private_proposal_substructure_t, transforms_count)	},
-	/* SPI is a chunk of variable size*/
-	{ SPI,					offsetof(private_proposal_substructure_t, spi)				},
-	/* Transforms are stored in a transform substructure,
-	   offset points to a linked_list_t pointer */
-	{ TRANSFORMS,			offsetof(private_proposal_substructure_t, transforms) 		}
-};
-
-/*
-                           1                   2                   3
-       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-      ! 0 (last) or 2 !   RESERVED    !         Proposal Length       !
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-      ! Proposal #    !  Protocol ID  !    SPI Size   !# of Transforms!
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-      ~                        SPI (variable)                         ~
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-      !                                                               !
-      ~                        <Transforms>                           ~
-      !                                                               !
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-*/
-
-/**
- * Implementation of payload_t.verify.
- */
-static status_t verify(private_proposal_substructure_t *this)
-{
-	status_t status = SUCCESS;
-	iterator_t *iterator;
-	payload_t *current_transform;
-
-	if ((this->next_payload != NO_PAYLOAD) && (this->next_payload != 2))
-	{
-		/* must be 0 or 2 */
-		DBG1(DBG_ENC, "inconsistent next payload");
-		return FAILED;
-	}
-	if (this->transforms_count != this->transforms->get_count(this->transforms))
-	{
-		/* must be the same! */
-		DBG1(DBG_ENC, "transform count invalid");
-		return FAILED;
-	}
-
-	switch (this->protocol_id)
-	{
-		case PROTO_AH:
-		case PROTO_ESP:
-			if (this->spi.len != 4)
-			{
-				DBG1(DBG_ENC, "invalid SPI length in %N proposal",
-								  protocol_id_names, this->protocol_id);
-				return FAILED;
-			}
-			break;
-		case PROTO_IKE:
-			if (this->spi.len != 0 && this->spi.len  != 8)
-			{
-				DBG1(DBG_ENC, "invalid SPI length in IKE proposal");
-				return FAILED;
-			}
-			break;
-		default:
-			DBG1(DBG_ENC, "invalid proposal protocol (%d)", this->protocol_id);
-			return FAILED;
-	}
-	if ((this->protocol_id == 0) || (this->protocol_id >= 4))
-	{
-		/* reserved are not supported */
-		DBG1(DBG_ENC, "invalid protocol");
-		return FAILED;
-	}
-
-	iterator = this->transforms->create_iterator(this->transforms,TRUE);
-	while(iterator->iterate(iterator, (void**)&current_transform))
-	{
-		status = current_transform->verify(current_transform);
-		if (status != SUCCESS)
-		{
-			DBG1(DBG_ENC, "TRANSFORM_SUBSTRUCTURE verification failed");
-			break;
-		}
-	}
-	iterator->destroy(iterator);
-
-	/* proposal number is checked in SA payload */
-	return status;
-}
-
-/**
- * Implementation of payload_t.get_encoding_rules.
- */
-static void get_encoding_rules(private_proposal_substructure_t *this, encoding_rule_t **rules, size_t *rule_count)
-{
-	*rules = proposal_substructure_encodings;
-	*rule_count = sizeof(proposal_substructure_encodings) / sizeof(encoding_rule_t);
-}
-
-/**
- * Implementation of payload_t.get_type.
- */
-static payload_type_t get_type(private_proposal_substructure_t *this)
-{
-	return PROPOSAL_SUBSTRUCTURE;
-}
-
-/**
- * Implementation of payload_t.get_next_type.
- */
-static payload_type_t get_next_type(private_proposal_substructure_t *this)
-{
-	return (this->next_payload);
-}
-
-/**
- * Implementation of payload_t.set_next_type.
- */
-static void set_next_type(private_proposal_substructure_t *this,payload_type_t type)
-{
-}
-
-/**
- * (re-)compute the length of the payload.
- */
-static void compute_length(private_proposal_substructure_t *this)
-{
-	iterator_t *iterator;
-	payload_t *current_transform;
-	size_t transforms_count = 0;
-	size_t length = PROPOSAL_SUBSTRUCTURE_HEADER_LENGTH;
-
-	iterator = this->transforms->create_iterator(this->transforms,TRUE);
-	while (iterator->iterate(iterator, (void**)&current_transform))
-	{
-		length += current_transform->get_length(current_transform);
-		transforms_count++;
-	}
-	iterator->destroy(iterator);
-
-	length += this->spi.len;
-	this->transforms_count = transforms_count;
-	this->proposal_length = length;
-}
-
-/**
- * Implementation of payload_t.get_length.
- */
-static size_t get_length(private_proposal_substructure_t *this)
-{
-	compute_length(this);
-	return this->proposal_length;
-}
-
-/**
- * Implementation of proposal_substructure_t.create_transform_substructure_iterator.
- */
-static iterator_t *create_transform_substructure_iterator (private_proposal_substructure_t *this,bool forward)
-{
-	return (this->transforms->create_iterator(this->transforms,forward));
-}
-
-/**
- * Implementation of proposal_substructure_t.add_transform_substructure.
- */
-static void add_transform_substructure (private_proposal_substructure_t *this,transform_substructure_t *transform)
-{
-	status_t status;
-	if (this->transforms->get_count(this->transforms) > 0)
-	{
-		transform_substructure_t *last_transform;
-		status = this->transforms->get_last(this->transforms,(void **) &last_transform);
-		/* last transform is now not anymore last one */
-		last_transform->set_is_last_transform(last_transform,FALSE);
-
-	}
-	transform->set_is_last_transform(transform,TRUE);
-
-	this->transforms->insert_last(this->transforms,(void *) transform);
-	compute_length(this);
-}
-
-/**
- * Implementation of proposal_substructure_t.proposal_substructure_t.
- */
-static void set_is_last_proposal (private_proposal_substructure_t *this, bool is_last)
-{
-	this->next_payload = (is_last) ? 0: PROPOSAL_TYPE_VALUE;
-}
-
-/**
- * Implementation of proposal_substructure_t.set_proposal_number.
- */
-static void set_proposal_number(private_proposal_substructure_t *this,u_int8_t proposal_number)
-{
-	this->proposal_number = proposal_number;
-}
-
-/**
- * Implementation of proposal_substructure_t.get_proposal_number.
- */
-static u_int8_t get_proposal_number (private_proposal_substructure_t *this)
-{
-	return (this->proposal_number);
-}
-
-/**
- * Implementation of proposal_substructure_t.set_protocol_id.
- */
-static void set_protocol_id(private_proposal_substructure_t *this,u_int8_t protocol_id)
-{
-	this->protocol_id = protocol_id;
-}
-
-/**
- * Implementation of proposal_substructure_t.get_protocol_id.
- */
-static u_int8_t get_protocol_id(private_proposal_substructure_t *this)
-{
-	return (this->protocol_id);
-}
-
-/**
- * Implementation of proposal_substructure_t.set_spi.
- */
-static void set_spi(private_proposal_substructure_t *this, chunk_t spi)
-{
-	/* first delete already set spi value */
-	if (this->spi.ptr != NULL)
-	{
-		free(this->spi.ptr);
-		this->spi.ptr = NULL;
-		this->spi.len = 0;
-		compute_length(this);
-	}
-
-	this->spi.ptr = clalloc(spi.ptr,spi.len);
-	this->spi.len = spi.len;
-	this->spi_size = spi.len;
-	compute_length(this);
-}
-
-/**
- * Implementation of proposal_substructure_t.get_spi.
- */
-static chunk_t get_spi(private_proposal_substructure_t *this)
-{
-	chunk_t spi;
-	spi.ptr = this->spi.ptr;
-	spi.len = this->spi.len;
-
-	return spi;
-}
-
-/**
- * Implementation of proposal_substructure_t.get_transform_count.
- */
-static size_t get_transform_count (private_proposal_substructure_t *this)
-{
-	return this->transforms->get_count(this->transforms);
-}
-
-/**
- * Implementation of proposal_substructure_t.get_spi_size.
- */
-static size_t get_spi_size (private_proposal_substructure_t *this)
-{
-	return this->spi.len;
-}
-
-/**
- * Implementation of proposal_substructure_t.get_proposal.
- */
-proposal_t* get_proposal(private_proposal_substructure_t *this)
-{
-	iterator_t *iterator;
-	transform_substructure_t *transform;
-	proposal_t *proposal;
-	u_int64_t spi;
-
-	proposal = proposal_create(this->protocol_id);
-
-	iterator = this->transforms->create_iterator(this->transforms, TRUE);
-	while (iterator->iterate(iterator, (void**)&transform))
-	{
-		transform_type_t transform_type;
-		u_int16_t transform_id;
-		u_int16_t key_length = 0;
-
-		transform_type = transform->get_transform_type(transform);
-		transform_id = transform->get_transform_id(transform);
-		transform->get_key_length(transform, &key_length);
-
-		proposal->add_algorithm(proposal, transform_type, transform_id, key_length);
-	}
-	iterator->destroy(iterator);
-
-	switch (this->spi.len)
-	{
-		case 4:
-			spi = *((u_int32_t*)this->spi.ptr);
-			break;
-		case 8:
-			spi = *((u_int64_t*)this->spi.ptr);
-			break;
-		default:
-			spi = 0;
-	}
-	proposal->set_spi(proposal, spi);
-
-	return proposal;
-}
-
-/**
- * Implementation of proposal_substructure_t.clone.
- */
-static private_proposal_substructure_t* clone_(private_proposal_substructure_t *this)
-{
-	private_proposal_substructure_t *clone;
-	iterator_t *transforms;
-	transform_substructure_t *current_transform;
-
-	clone = (private_proposal_substructure_t *) proposal_substructure_create();
-	clone->next_payload = this->next_payload;
-	clone->proposal_number = this->proposal_number;
-	clone->protocol_id = this->protocol_id;
-	clone->spi_size = this->spi_size;
-	if (this->spi.ptr != NULL)
-	{
-		clone->spi.ptr = clalloc(this->spi.ptr,this->spi.len);
-		clone->spi.len = this->spi.len;
-	}
-
-	transforms = this->transforms->create_iterator(this->transforms,FALSE);
-	while (transforms->iterate(transforms, (void**)&current_transform))
-	{
-		current_transform = current_transform->clone(current_transform);
-		clone->public.add_transform_substructure(&clone->public, current_transform);
-	}
-	transforms->destroy(transforms);
-
-	return clone;
-}
-
-/**
- * Implements payload_t's and proposal_substructure_t's destroy function.
- * See #payload_s.destroy or proposal_substructure_s.destroy for description.
- */
-static void destroy(private_proposal_substructure_t *this)
-{
-	this->transforms->destroy_offset(this->transforms,
-									 offsetof(transform_substructure_t, destroy));
-	chunk_free(&this->spi);
-	free(this);
-}
-
-/*
- * Described in header.
- */
-proposal_substructure_t *proposal_substructure_create()
-{
-	private_proposal_substructure_t *this = malloc_thing(private_proposal_substructure_t);
-
-	/* interface functions */
-	this->public.payload_interface.verify = (status_t (*) (payload_t *))verify;
-	this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules;
-	this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length;
-	this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type;
-	this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
-	this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_type;
-	this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
-
-
-	/* public functions */
-	this->public.create_transform_substructure_iterator = (iterator_t* (*) (proposal_substructure_t *,bool)) create_transform_substructure_iterator;
-	this->public.add_transform_substructure = (void (*) (proposal_substructure_t *,transform_substructure_t *)) add_transform_substructure;
-	this->public.set_proposal_number = (void (*) (proposal_substructure_t *,u_int8_t))set_proposal_number;
-	this->public.get_proposal_number = (u_int8_t (*) (proposal_substructure_t *)) get_proposal_number;
-	this->public.set_protocol_id = (void (*) (proposal_substructure_t *,u_int8_t))set_protocol_id;
-	this->public.get_protocol_id = (u_int8_t (*) (proposal_substructure_t *)) get_protocol_id;
-	this->public.set_is_last_proposal = (void (*) (proposal_substructure_t *,bool)) set_is_last_proposal;
-	this->public.get_proposal = (proposal_t* (*) (proposal_substructure_t*))get_proposal;
-	this->public.set_spi = (void (*) (proposal_substructure_t *,chunk_t))set_spi;
-	this->public.get_spi = (chunk_t (*) (proposal_substructure_t *)) get_spi;
-	this->public.get_transform_count = (size_t (*) (proposal_substructure_t *)) get_transform_count;
-	this->public.get_spi_size = (size_t (*) (proposal_substructure_t *)) get_spi_size;
-	this->public.clone = (proposal_substructure_t * (*) (proposal_substructure_t *)) clone_;
-	this->public.destroy = (void (*) (proposal_substructure_t *)) destroy;
-
-	/* set default values of the fields */
-	this->next_payload = NO_PAYLOAD;
-	this->proposal_length = 0;
-	this->proposal_number = 0;
-	this->protocol_id = 0;
-	this->transforms_count = 0;
-	this->spi_size = 0;
-	this->spi.ptr = NULL;
-	this->spi.len = 0;
-
-	this->transforms = linked_list_create();
-
-	return (&(this->public));
-}
-
-/*
- * Described in header.
- */
-proposal_substructure_t *proposal_substructure_create_from_proposal(proposal_t *proposal)
-{
-	transform_substructure_t *transform;
-	private_proposal_substructure_t *this;
-	u_int16_t alg, key_size;
-	enumerator_t *enumerator;
-
-	this = (private_proposal_substructure_t*)proposal_substructure_create();
-
-	/* encryption algorithm is only availble in ESP */
-	enumerator = proposal->create_enumerator(proposal, ENCRYPTION_ALGORITHM);
-	while (enumerator->enumerate(enumerator, &alg, &key_size))
-	{
-		transform = transform_substructure_create_type(ENCRYPTION_ALGORITHM,
-													   alg, key_size);
-		add_transform_substructure(this, transform);
-	}
-	enumerator->destroy(enumerator);
-
-	/* integrity algorithms */
-	enumerator = proposal->create_enumerator(proposal, INTEGRITY_ALGORITHM);
-	while (enumerator->enumerate(enumerator, &alg, &key_size))
-	{
-		transform = transform_substructure_create_type(INTEGRITY_ALGORITHM,
-													   alg, key_size);
-		add_transform_substructure(this, transform);
-	}
-	enumerator->destroy(enumerator);
-
-	/* prf algorithms */
-	enumerator = proposal->create_enumerator(proposal, PSEUDO_RANDOM_FUNCTION);
-	while (enumerator->enumerate(enumerator, &alg, &key_size))
-	{
-		transform = transform_substructure_create_type(PSEUDO_RANDOM_FUNCTION,
-													   alg, key_size);
-		add_transform_substructure(this, transform);
-	}
-	enumerator->destroy(enumerator);
-
-	/* dh groups */
-	enumerator = proposal->create_enumerator(proposal, DIFFIE_HELLMAN_GROUP);
-	while (enumerator->enumerate(enumerator, &alg, NULL))
-	{
-		transform = transform_substructure_create_type(DIFFIE_HELLMAN_GROUP,
-													   alg, 0);
-		add_transform_substructure(this, transform);
-	}
-	enumerator->destroy(enumerator);
-
-	/* extended sequence numbers */
-	enumerator = proposal->create_enumerator(proposal, EXTENDED_SEQUENCE_NUMBERS);
-	while (enumerator->enumerate(enumerator, &alg, NULL))
-	{
-		transform = transform_substructure_create_type(EXTENDED_SEQUENCE_NUMBERS,
-													   alg, 0);
-		add_transform_substructure(this, transform);
-	}
-	enumerator->destroy(enumerator);
-
-	/* add SPI, if necessary */
-	switch (proposal->get_protocol(proposal))
-	{
-		case PROTO_AH:
-		case PROTO_ESP:
-			this->spi_size = this->spi.len = 4;
-			this->spi.ptr = malloc(this->spi_size);
-			*((u_int32_t*)this->spi.ptr) = proposal->get_spi(proposal);
-			break;
-		case PROTO_IKE:
-			if (proposal->get_spi(proposal))
-			{	/* IKE only uses SPIS when rekeying, but on initial setup */
-				this->spi_size = this->spi.len = 8;
-				this->spi.ptr = malloc(this->spi_size);
-				*((u_int64_t*)this->spi.ptr) = proposal->get_spi(proposal);
-			}
-			break;
-		default:
-			break;
-	}
-	this->proposal_number = 0;
-	this->protocol_id = proposal->get_protocol(proposal);
-
-	return &this->public;
-}
diff --git a/src/charon/encoding/payloads/proposal_substructure.h b/src/charon/encoding/payloads/proposal_substructure.h
deleted file mode 100644
index 4934802af..000000000
--- a/src/charon/encoding/payloads/proposal_substructure.h
+++ /dev/null
@@ -1,173 +0,0 @@
-/*
- * Copyright (C) 2005-2006 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup proposal_substructure proposal_substructure
- * @{ @ingroup payloads
- */
-
-#ifndef PROPOSAL_SUBSTRUCTURE_H_
-#define PROPOSAL_SUBSTRUCTURE_H_
-
-typedef struct proposal_substructure_t proposal_substructure_t;
-
-#include <library.h>
-#include <encoding/payloads/payload.h>
-#include <encoding/payloads/transform_substructure.h>
-#include <config/proposal.h>
-#include <utils/linked_list.h>
-
-
-/**
- * Length of the proposal substructure header (without spi).
- */
-#define PROPOSAL_SUBSTRUCTURE_HEADER_LENGTH 8
-
-/**
- * Class representing an IKEv2-PROPOSAL SUBSTRUCTURE.
- *
- * The PROPOSAL SUBSTRUCTURE format is described in RFC section 3.3.1.
- */
-struct proposal_substructure_t {
-	/**
-	 * The payload_t interface.
-	 */
-	payload_t payload_interface;
-
-	/**
-	 * Creates an iterator of stored transform_substructure_t objects.
-	 *
-	 * @param forward		iterator direction (TRUE: front to end)
-	 * @return				created iterator_t object
-	 */
-	iterator_t *(*create_transform_substructure_iterator) (
-								proposal_substructure_t *this, bool forward);
-
-	/**
-	 * Adds a transform_substructure_t object to this object.
-	 *
-	 * @param transform 	transform_substructure_t object to add
-	 */
-	void (*add_transform_substructure) (proposal_substructure_t *this,
-										transform_substructure_t *transform);
-
-	/**
-	 * Sets the proposal number of current proposal.
-	 *
-	 * @param id			proposal number to set
-	 */
-	void (*set_proposal_number) (proposal_substructure_t *this,
-								 u_int8_t proposal_number);
-
-	/**
-	 * get proposal number of current proposal.
-	 *
-	 * @return 			proposal number of current proposal substructure.
-	 */
-	u_int8_t (*get_proposal_number) (proposal_substructure_t *this);
-
-	/**
-	 * get the number of transforms in current proposal.
-	 *
-	 * @return 			transform count in current proposal
-	 */
-	size_t (*get_transform_count) (proposal_substructure_t *this);
-
-	/**
-	 * get size of the set spi in bytes.
-	 *
-	 * @return 			size of the spi in bytes
-	 */
-	size_t (*get_spi_size) (proposal_substructure_t *this);
-
-	/**
-	 * Sets the protocol id of current proposal.
-	 *
-	 * @param id		protocol id to set
-	 */
-	void (*set_protocol_id) (proposal_substructure_t *this,
-							 u_int8_t protocol_id);
-
-	/**
-	 * get protocol id of current proposal.
-	 *
-	 * @return 			protocol id of current proposal substructure.
-	 */
-	u_int8_t (*get_protocol_id) (proposal_substructure_t *this);
-
-	/**
-	 * Sets the next_payload field of this substructure
-	 *
-	 * If this is the last proposal, next payload field is set to 0,
-	 * otherwise to 2
-	 *
-	 * @param is_last	When TRUE, next payload field is set to 0, otherwise to 2
-	 */
-	void (*set_is_last_proposal) (proposal_substructure_t *this, bool is_last);
-
-	/**
-	 * Returns the currently set SPI of this proposal.
-	 *
-	 * @return 			chunk_t pointing to the value
-	 */
-	chunk_t (*get_spi) (proposal_substructure_t *this);
-
-	/**
-	 * Sets the SPI of the current proposal.
-	 *
-	 * @warning SPI is getting copied
-	 *
-	 * @param spi		chunk_t pointing to the value to set
-	 */
-	void (*set_spi) (proposal_substructure_t *this, chunk_t spi);
-
-	/**
-	 * Get a proposal_t from the propsal_substructure_t.
-	 *
-	 * @return			proposal_t
-	 */
-	proposal_t * (*get_proposal) (proposal_substructure_t *this);
-
-	/**
-	 * Clones an proposal_substructure_t object.
-	 *
-	 * @return		cloned object
-	 */
-	proposal_substructure_t* (*clone) (proposal_substructure_t *this);
-
-	/**
-	 * Destroys an proposal_substructure_t object.
-	 */
-	void (*destroy) (proposal_substructure_t *this);
-};
-
-/**
- * Creates an empty proposal_substructure_t object
- *
- * @return proposal_substructure_t object
- */
-proposal_substructure_t *proposal_substructure_create(void);
-
-/**
- * Creates a proposal_substructure_t from a proposal_t.
- *
- * @param proposal		proposal to build a substruct out of it
- * @return 				proposal_substructure_t object
- */
-proposal_substructure_t *proposal_substructure_create_from_proposal(
-														proposal_t *proposal);
-
-#endif /** PROPOSAL_SUBSTRUCTURE_H_ @}*/
diff --git a/src/charon/encoding/payloads/sa_payload.c b/src/charon/encoding/payloads/sa_payload.c
deleted file mode 100644
index 187a8fee0..000000000
--- a/src/charon/encoding/payloads/sa_payload.c
+++ /dev/null
@@ -1,368 +0,0 @@
-/*
- * Copyright (C) 2005-2006 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <stddef.h>
-
-#include "sa_payload.h"
-
-#include <encoding/payloads/encodings.h>
-#include <utils/linked_list.h>
-#include <daemon.h>
-
-
-typedef struct private_sa_payload_t private_sa_payload_t;
-
-/**
- * Private data of an sa_payload_t object.
- *
- */
-struct private_sa_payload_t {
-	/**
-	 * Public sa_payload_t interface.
-	 */
-	sa_payload_t public;
-
-	/**
-	 * Next payload type.
-	 */
-	u_int8_t  next_payload;
-
-	/**
-	 * Critical flag.
-	 */
-	bool critical;
-
-	/**
-	 * Length of this payload.
-	 */
-	u_int16_t payload_length;
-
-	/**
-	 * Proposals in this payload are stored in a linked_list_t.
-	 */
-	linked_list_t * proposals;
-};
-
-/**
- * Encoding rules to parse or generate a IKEv2-SA Payload
- *
- * The defined offsets are the positions in a object of type
- * private_sa_payload_t.
- *
- */
-encoding_rule_t sa_payload_encodings[] = {
-	/* 1 Byte next payload type, stored in the field next_payload */
-	{ U_INT_8,		offsetof(private_sa_payload_t, next_payload) 			},
-	/* the critical bit */
-	{ FLAG,			offsetof(private_sa_payload_t, critical) 				},
-	/* 7 Bit reserved bits, nowhere stored */
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	/* Length of the whole SA payload*/
-	{ PAYLOAD_LENGTH,		offsetof(private_sa_payload_t, payload_length) 	},
-	/* Proposals are stored in a proposal substructure,
-	   offset points to a linked_list_t pointer */
-	{ PROPOSALS,		offsetof(private_sa_payload_t, proposals) 				}
-};
-
-/*
-                           1                   2                   3
-       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-      ! Next Payload  !C!  RESERVED   !         Payload Length        !
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-      !                                                               !
-      ~                          <Proposals>                          ~
-      !                                                               !
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-*/
-
-/**
- * Implementation of payload_t.verify.
- */
-static status_t verify(private_sa_payload_t *this)
-{
-	int expected_number = 1, current_number;
-	status_t status = SUCCESS;
-	iterator_t *iterator;
-	proposal_substructure_t *current_proposal;
-	bool first = TRUE;
-
-	/* check proposal numbering */
-	iterator = this->proposals->create_iterator(this->proposals,TRUE);
-
-	while(iterator->iterate(iterator, (void**)&current_proposal))
-	{
-		current_number = current_proposal->get_proposal_number(current_proposal);
-		if (current_number < expected_number)
-		{
-			if (current_number != (expected_number + 1))
-			{
-				DBG1(DBG_ENC, "proposal number is %d, expected %d or %d",
-					 current_number, expected_number, expected_number + 1);
-				status = FAILED;
-				break;
-			}
-		}
-		else if (current_number < expected_number)
-		{
-			/* must not be smaller then proceeding one */
-			DBG1(DBG_ENC, "proposal number smaller than that of previous proposal");
-			status = FAILED;
-			break;
-		}
-
-		status = current_proposal->payload_interface.verify(&(current_proposal->payload_interface));
-		if (status != SUCCESS)
-		{
-			DBG1(DBG_ENC, "PROPOSAL_SUBSTRUCTURE verification failed");
-			break;
-		}
-		first = FALSE;
-		expected_number = current_number;
-	}
-
-	iterator->destroy(iterator);
-	return status;
-}
-
-
-/**
- * Implementation of payload_t.destroy and sa_payload_t.destroy.
- */
-static status_t destroy(private_sa_payload_t *this)
-{
-	this->proposals->destroy_offset(this->proposals,
-									offsetof(proposal_substructure_t, destroy));
-	free(this);
-	return SUCCESS;
-}
-
-/**
- * Implementation of payload_t.get_encoding_rules.
- */
-static void get_encoding_rules(private_sa_payload_t *this, encoding_rule_t **rules, size_t *rule_count)
-{
-	*rules = sa_payload_encodings;
-	*rule_count = sizeof(sa_payload_encodings) / sizeof(encoding_rule_t);
-}
-
-/**
- * Implementation of payload_t.get_type.
- */
-static payload_type_t get_type(private_sa_payload_t *this)
-{
-	return SECURITY_ASSOCIATION;
-}
-
-/**
- * Implementation of payload_t.get_next_type.
- */
-static payload_type_t get_next_type(private_sa_payload_t *this)
-{
-	return (this->next_payload);
-}
-
-/**
- * Implementation of payload_t.set_next_type.
- */
-static void set_next_type(private_sa_payload_t *this,payload_type_t type)
-{
-	this->next_payload = type;
-}
-
-/**
- * recompute length of the payload.
- */
-static void compute_length (private_sa_payload_t *this)
-{
-	iterator_t *iterator;
-	payload_t *current_proposal;
-	size_t length = SA_PAYLOAD_HEADER_LENGTH;
-
-	iterator = this->proposals->create_iterator(this->proposals,TRUE);
-	while (iterator->iterate(iterator, (void **)&current_proposal))
-	{
-		length += current_proposal->get_length(current_proposal);
-	}
-	iterator->destroy(iterator);
-
-	this->payload_length = length;
-}
-
-/**
- * Implementation of payload_t.get_length.
- */
-static size_t get_length(private_sa_payload_t *this)
-{
-	compute_length(this);
-	return this->payload_length;
-}
-
-/**
- * Implementation of sa_payload_t.create_proposal_substructure_iterator.
- */
-static iterator_t *create_proposal_substructure_iterator (private_sa_payload_t *this,bool forward)
-{
-	return this->proposals->create_iterator(this->proposals,forward);
-}
-
-/**
- * Implementation of sa_payload_t.add_proposal_substructure.
- */
-static void add_proposal_substructure(private_sa_payload_t *this,proposal_substructure_t *proposal)
-{
-	status_t status;
-	u_int proposal_count = this->proposals->get_count(this->proposals);
-
-	if (proposal_count > 0)
-	{
-		proposal_substructure_t *last_proposal;
-		status = this->proposals->get_last(this->proposals,(void **) &last_proposal);
-		/* last transform is now not anymore last one */
-		last_proposal->set_is_last_proposal(last_proposal, FALSE);
-	}
-	proposal->set_is_last_proposal(proposal, TRUE);
-	proposal->set_proposal_number(proposal, proposal_count + 1);
-	this->proposals->insert_last(this->proposals,(void *) proposal);
-	compute_length(this);
-}
-
-/**
- * Implementation of sa_payload_t.add_proposal.
- */
-static void add_proposal(private_sa_payload_t *this, proposal_t *proposal)
-{
-	proposal_substructure_t *substructure;
-
-	substructure = proposal_substructure_create_from_proposal(proposal);
-	add_proposal_substructure(this, substructure);
-}
-
-/**
- * Implementation of sa_payload_t.get_proposals.
- */
-static linked_list_t *get_proposals(private_sa_payload_t *this)
-{
-	int struct_number = 0;
-	int ignore_struct_number = 0;
-	iterator_t *iterator;
-	proposal_substructure_t *proposal_struct;
-	linked_list_t *proposal_list;
-
-	/* this list will hold our proposals */
-	proposal_list = linked_list_create();
-
-	/* we do not support proposals split up to two proposal substructures, as
-	 * AH+ESP bundles are not supported in RFC4301 anymore.
-	 * To handle such structures safely, we just skip proposals with multiple
-	 * protocols.
-	 */
-	iterator = this->proposals->create_iterator(this->proposals, TRUE);
-	while (iterator->iterate(iterator, (void **)&proposal_struct))
-	{
-		proposal_t *proposal;
-
-		/* check if a proposal has a single protocol */
-		if (proposal_struct->get_proposal_number(proposal_struct) == struct_number)
-		{
-			if (ignore_struct_number < struct_number)
-			{
-				/* remova an already added, if first of series */
-				proposal_list->remove_last(proposal_list, (void**)&proposal);
-				proposal->destroy(proposal);
-				ignore_struct_number = struct_number;
-			}
-			continue;
-		}
-		struct_number++;
-		proposal = proposal_struct->get_proposal(proposal_struct);
-		if (proposal)
-		{
-			proposal_list->insert_last(proposal_list, proposal);
-		}
-	}
-	iterator->destroy(iterator);
-	return proposal_list;
-}
-
-/*
- * Described in header.
- */
-sa_payload_t *sa_payload_create()
-{
-	private_sa_payload_t *this = malloc_thing(private_sa_payload_t);
-
-	/* public interface */
-	this->public.payload_interface.verify = (status_t (*) (payload_t *))verify;
-	this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules;
-	this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length;
-	this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type;
-	this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
-	this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_type;
-	this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
-
-	/* public functions */
-	this->public.create_proposal_substructure_iterator = (iterator_t* (*) (sa_payload_t *,bool)) create_proposal_substructure_iterator;
-	this->public.add_proposal_substructure = (void (*) (sa_payload_t *,proposal_substructure_t *)) add_proposal_substructure;
-	this->public.add_proposal = (void (*) (sa_payload_t*,proposal_t*))add_proposal;
-	this->public.get_proposals = (linked_list_t* (*) (sa_payload_t *)) get_proposals;
-	this->public.destroy = (void (*) (sa_payload_t *)) destroy;
-
-	/* set default values of the fields */
-	this->critical = FALSE;
-	this->next_payload = NO_PAYLOAD;
-	this->payload_length = SA_PAYLOAD_HEADER_LENGTH;
-	this->proposals = linked_list_create();
-	return &this->public;
-}
-
-/*
- * Described in header.
- */
-sa_payload_t *sa_payload_create_from_proposal_list(linked_list_t *proposals)
-{
-	iterator_t *iterator;
-	proposal_t *proposal;
-	sa_payload_t *sa_payload = sa_payload_create();
-
-	/* add every payload from the list */
-	iterator = proposals->create_iterator(proposals, TRUE);
-	while (iterator->iterate(iterator, (void**)&proposal))
-	{
-		add_proposal((private_sa_payload_t*)sa_payload, proposal);
-	}
-	iterator->destroy(iterator);
-
-	return sa_payload;
-}
-
-/*
- * Described in header.
- */
-sa_payload_t *sa_payload_create_from_proposal(proposal_t *proposal)
-{
-	sa_payload_t *sa_payload = sa_payload_create();
-
-	add_proposal((private_sa_payload_t*)sa_payload, proposal);
-
-	return sa_payload;
-}
diff --git a/src/charon/encoding/payloads/sa_payload.h b/src/charon/encoding/payloads/sa_payload.h
deleted file mode 100644
index 25f5a2407..000000000
--- a/src/charon/encoding/payloads/sa_payload.h
+++ /dev/null
@@ -1,115 +0,0 @@
-/*
- * Copyright (C) 2005-2006 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup sa_payload sa_payload
- * @{ @ingroup payloads
- */
-
-#ifndef SA_PAYLOAD_H_
-#define SA_PAYLOAD_H_
-
-typedef struct sa_payload_t sa_payload_t;
-
-#include <library.h>
-#include <encoding/payloads/payload.h>
-#include <encoding/payloads/proposal_substructure.h>
-#include <utils/linked_list.h>
-
-/**
- * SA_PAYLOAD length in bytes without any proposal substructure.
- */
-#define SA_PAYLOAD_HEADER_LENGTH 4
-
-/**
- * Class representing an IKEv2-SA Payload.
- *
- * The SA Payload format is described in RFC section 3.3.
- */
-struct sa_payload_t {
-	/**
-	 * The payload_t interface.
-	 */
-	payload_t payload_interface;
-
-	/**
-	 * Creates an iterator of stored proposal_substructure_t objects.
-	 *
-	 * When deleting an proposal using this iterator,
-	 * the length of this transform substructure has to be refreshed
-	 * by calling get_length()!
-	 *
-	 * @param forward 		iterator direction (TRUE: front to end)
-	 * @return				created iterator_t object
-	 */
-	iterator_t *(*create_proposal_substructure_iterator) (sa_payload_t *this,
-														  bool forward);
-
-	/**
-	 * Adds a proposal_substructure_t object to this object.
-	 *
-	 * @param proposal  		proposal_substructure_t object to add
-	 */
-	void (*add_proposal_substructure) (sa_payload_t *this,
-									   proposal_substructure_t *proposal);
-
-	/**
-	 * Gets the proposals in this payload as a list.
-	 *
-	 * @return					a list containing proposal_t s
-	 */
-	linked_list_t *(*get_proposals) (sa_payload_t *this);
-
-	/**
-	 * Add a child proposal (AH/ESP) to the payload.
-	 *
-	 * @param proposal			child proposal to add to the payload
-	 */
-	void (*add_proposal) (sa_payload_t *this, proposal_t *proposal);
-
-	/**
-	 * Destroys an sa_payload_t object.
-	 */
-	void (*destroy) (sa_payload_t *this);
-};
-
-/**
- * Creates an empty sa_payload_t object
- *
- * @return					created sa_payload_t object
- */
-sa_payload_t *sa_payload_create(void);
-
-/**
- * Creates a sa_payload_t object from a list of proposals.
- *
- * @param proposals			list of proposals to build the payload from
- * @return					sa_payload_t object
- */
-sa_payload_t *sa_payload_create_from_proposal_list(linked_list_t *proposals);
-
-/**
- * Creates a sa_payload_t object from a single proposal.
- *
- * This is only for convenience. Use sa_payload_create_from_proposal_list
- * if you want to add more than one proposal.
- *
- * @param proposal			proposal from which the payload should be built.
- * @return					sa_payload_t object
- */
-sa_payload_t *sa_payload_create_from_proposal(proposal_t *proposal);
-
-#endif /** SA_PAYLOAD_H_ @}*/
diff --git a/src/charon/encoding/payloads/traffic_selector_substructure.c b/src/charon/encoding/payloads/traffic_selector_substructure.c
deleted file mode 100644
index f24857591..000000000
--- a/src/charon/encoding/payloads/traffic_selector_substructure.c
+++ /dev/null
@@ -1,276 +0,0 @@
-/*
- * Copyright (C) 2005-2006 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "traffic_selector_substructure.h"
-
-#include <encoding/payloads/encodings.h>
-#include <utils/linked_list.h>
-
-
-typedef struct private_traffic_selector_substructure_t private_traffic_selector_substructure_t;
-
-/**
- * Private data of an traffic_selector_substructure_t object.
- *
- */
-struct private_traffic_selector_substructure_t {
-	/**
-	 * Public traffic_selector_substructure_t interface.
-	 */
-	traffic_selector_substructure_t public;
-
-	/**
-	 * Type of traffic selector.
-	 */
-	u_int8_t ts_type;
-
-	/**
-	 * IP Protocol ID.
-	 */
-	u_int8_t ip_protocol_id;
-
-	/**
-	 * Length of this payload.
-	 */
-	u_int16_t payload_length;
-
-	/**
-	 * Start port number.
-	 */
-	u_int16_t start_port;
-
-	/**
-	 * End port number.
-	 */
-	u_int16_t end_port;
-
-	/**
-	 * Starting address.
-	 */
-	chunk_t starting_address;
-
-	/**
-	 * Ending address.
-	 */
-	chunk_t ending_address;
-};
-
-/**
- * Encoding rules to parse or generate a TS payload
- *
- * The defined offsets are the positions in a object of type
- * private_traffic_selector_substructure_t.
- *
- */
-encoding_rule_t traffic_selector_substructure_encodings[] = {
-	/* 1 Byte next ts type*/
-	{ TS_TYPE,			offsetof(private_traffic_selector_substructure_t, ts_type) 			},
-	/* 1 Byte IP protocol id*/
-	{ U_INT_8,			offsetof(private_traffic_selector_substructure_t, ip_protocol_id) 	},
-	/* Length of the whole payload*/
-	{ PAYLOAD_LENGTH,	offsetof(private_traffic_selector_substructure_t, payload_length)		},
-	/* 2 Byte start port*/
-	{ U_INT_16,		offsetof(private_traffic_selector_substructure_t, start_port)			},
-	/* 2 Byte end port*/
-	{ U_INT_16,		offsetof(private_traffic_selector_substructure_t, end_port)			},
-	/* starting address is either 4 or 16 byte */
-	{ ADDRESS,			offsetof(private_traffic_selector_substructure_t, starting_address)	},
-	/* ending address is either 4 or 16 byte */
-	{ ADDRESS,			offsetof(private_traffic_selector_substructure_t, ending_address)		}
-
-};
-
-/*
-                           1                   2                   3
-       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-      !   TS Type     !IP Protocol ID*|       Selector Length         |
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-      |           Start Port*         |           End Port*           |
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-      !                                                               !
-      ~                         Starting Address*                     ~
-      !                                                               !
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-      !                                                               !
-      ~                         Ending Address*                       ~
-      !                                                               !
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-*/
-
-/**
- * Implementation of payload_t.verify.
- */
-static status_t verify(private_traffic_selector_substructure_t *this)
-{
-	if (this->start_port > this->end_port)
-	{
-		return FAILED;
-	}
-	switch (this->ts_type)
-	{
-		case TS_IPV4_ADDR_RANGE:
-		{
-			if ((this->starting_address.len != 4) ||
-				(this->ending_address.len != 4))
-			{
-				/* ipv4 address must be 4 bytes long */
-				return FAILED;
-			}
-			break;
-		}
-		case TS_IPV6_ADDR_RANGE:
-		{
-			if ((this->starting_address.len != 16) ||
-				(this->ending_address.len != 16))
-			{
-				/* ipv6 address must be 16 bytes long */
-				return FAILED;
-			}
-			break;
-		}
-		default:
-		{
-			/* not supported ts type */
-			return FAILED;
-		}
-	}
-
-	return SUCCESS;
-}
-
-/**
- * Implementation of traffic_selector_substructure_t.get_encoding_rules.
- */
-static void get_encoding_rules(private_traffic_selector_substructure_t *this, encoding_rule_t **rules, size_t *rule_count)
-{
-	*rules = traffic_selector_substructure_encodings;
-	*rule_count = sizeof(traffic_selector_substructure_encodings) / sizeof(encoding_rule_t);
-}
-
-/**
- * Implementation of payload_t.get_type.
- */
-static payload_type_t get_payload_type(private_traffic_selector_substructure_t *this)
-{
-	return TRAFFIC_SELECTOR_SUBSTRUCTURE;
-}
-
-/**
- * Implementation of payload_t.get_next_type.
- */
-static payload_type_t get_next_type(private_traffic_selector_substructure_t *this)
-{
-	return 0;
-}
-
-/**
- * Implementation of payload_t.set_next_type.
- */
-static void set_next_type(private_traffic_selector_substructure_t *this,payload_type_t type)
-{
-
-}
-
-/**
- * Implementation of payload_t.get_length.
- */
-static size_t get_length(private_traffic_selector_substructure_t *this)
-{
-	return this->payload_length;
-}
-
-/**
- * Implementation of traffic_selector_substructure_t.get_traffic_selector.
- */
-static traffic_selector_t *get_traffic_selector(private_traffic_selector_substructure_t *this)
-{
-	traffic_selector_t *ts;
-	ts = traffic_selector_create_from_bytes(this->ip_protocol_id, this->ts_type,
-											this->starting_address, this->start_port,
-											this->ending_address, this->end_port);
-	return ts;
-}
-
-/**
- * recompute length field of the payload
- */
-void compute_length(private_traffic_selector_substructure_t *this)
-{
-	this->payload_length = TRAFFIC_SELECTOR_HEADER_LENGTH +
-			this->ending_address.len + this->starting_address.len;
-}
-
-/**
- * Implementation of payload_t.destroy and traffic_selector_substructure_t.destroy.
- */
-static void destroy(private_traffic_selector_substructure_t *this)
-{
-	free(this->starting_address.ptr);
-	free(this->ending_address.ptr);
-	free(this);
-}
-
-/*
- * Described in header
- */
-traffic_selector_substructure_t *traffic_selector_substructure_create()
-{
-	private_traffic_selector_substructure_t *this = malloc_thing(private_traffic_selector_substructure_t);
-
-	/* interface functions */
-	this->public.payload_interface.verify = (status_t (*) (payload_t *))verify;
-	this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules;
-	this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length;
-	this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type;
-	this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
-	this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_payload_type;
-	this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
-
-	/* public functions */
-	this->public.get_traffic_selector = (traffic_selector_t* (*)(traffic_selector_substructure_t*))get_traffic_selector;
-	this->public.destroy = (void (*) (traffic_selector_substructure_t *)) destroy;
-
-	/* private variables */
-	this->payload_length = TRAFFIC_SELECTOR_HEADER_LENGTH;
-	this->start_port = 0;
-	this->end_port = 0;
-	this->starting_address = chunk_empty;
-	this->ending_address = chunk_empty;
-	this->ip_protocol_id = 0;
-	/* must be set to be valid */
-	this->ts_type = TS_IPV4_ADDR_RANGE;
-
-	return (&(this->public));
-}
-
-/*
- * Described in header
- */
-traffic_selector_substructure_t *traffic_selector_substructure_create_from_traffic_selector(traffic_selector_t *traffic_selector)
-{
-	private_traffic_selector_substructure_t *this = (private_traffic_selector_substructure_t*)traffic_selector_substructure_create();
-	this->ts_type = traffic_selector->get_type(traffic_selector);
-	this->ip_protocol_id = traffic_selector->get_protocol(traffic_selector);
-	this->start_port = traffic_selector->get_from_port(traffic_selector);
-	this->end_port = traffic_selector->get_to_port(traffic_selector);
-	this->starting_address = chunk_clone(traffic_selector->get_from_address(traffic_selector));
-	this->ending_address = chunk_clone(traffic_selector->get_to_address(traffic_selector));
-
-	compute_length(this);
-
-	return &(this->public);
-}
diff --git a/src/charon/encoding/payloads/traffic_selector_substructure.h b/src/charon/encoding/payloads/traffic_selector_substructure.h
deleted file mode 100644
index 0109fd7f5..000000000
--- a/src/charon/encoding/payloads/traffic_selector_substructure.h
+++ /dev/null
@@ -1,151 +0,0 @@
-/*
- * Copyright (C) 2005-2006 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup traffic_selector_substructure traffic_selector_substructure
- * @{ @ingroup payloads
- */
-
-#ifndef TRAFFIC_SELECTOR_SUBSTRUCTURE_H_
-#define TRAFFIC_SELECTOR_SUBSTRUCTURE_H_
-
-typedef struct traffic_selector_substructure_t traffic_selector_substructure_t;
-
-#include <library.h>
-#include <utils/host.h>
-#include <selectors/traffic_selector.h>
-#include <encoding/payloads/payload.h>
-
-/**
- * Length of a TRAFFIC SELECTOR SUBSTRUCTURE without start and end address.
- */
-#define TRAFFIC_SELECTOR_HEADER_LENGTH 8
-
-/**
- * Class representing an IKEv2 TRAFFIC SELECTOR.
- *
- * The TRAFFIC SELECTOR format is described in RFC section 3.13.1.
- */
-struct traffic_selector_substructure_t {
-	/**
-	 * The payload_t interface.
-	 */
-	payload_t payload_interface;
-
-	/**
-	 * Get the type of Traffic selector.
-	 *
-	 * @return			type of traffic selector
-	 *
-	 */
-	ts_type_t (*get_ts_type) (traffic_selector_substructure_t *this);
-
-	/**
-	 * Set the type of Traffic selector.
-	 *
-	 * @param ts_type	type of traffic selector
-	 */
-	void (*set_ts_type) (traffic_selector_substructure_t *this,
-						 ts_type_t ts_type);
-
-	/**
-	 * Get the IP protocol ID of Traffic selector.
-	 *
-	 * @return			type of traffic selector
-	 *
-	 */
-	u_int8_t (*get_protocol_id) (traffic_selector_substructure_t *this);
-
-	/**
-	 * Set the IP protocol ID of Traffic selector
-	 *
-	 * @param protocol_id	protocol ID of traffic selector
-	 */
-	void (*set_protocol_id) (traffic_selector_substructure_t *this,
-							  u_int8_t protocol_id);
-
-	/**
-	 * Get the start port and address as host_t object.
-	 *
-	 * Returned host_t object has to get destroyed by the caller.
-	 *
-	 * @return			start host as host_t object
-	 *
-	 */
-	host_t *(*get_start_host) (traffic_selector_substructure_t *this);
-
-	/**
-	 * Set the start port and address as host_t object.
-	 *
-	 * @param start_host	start host as host_t object
-	 */
-	void (*set_start_host) (traffic_selector_substructure_t *this,
-							host_t *start_host);
-
-	/**
-	 * Get the end port and address as host_t object.
-	 *
-	 * Returned host_t object has to get destroyed by the caller.
-	 *
-	 * @return			end host as host_t object
-	 *
-	 */
-	host_t *(*get_end_host) (traffic_selector_substructure_t *this);
-
-	/**
-	 * Set the end port and address as host_t object.
-	 *
-	 * @param end_host	end host as host_t object
-	 */
-	void (*set_end_host) (traffic_selector_substructure_t *this,
-						  host_t *end_host);
-
-	/**
-	 * Get a traffic_selector_t from this substructure.
-	 *
-	 * @warning traffic_selector_t must be destroyed after usage.
-	 *
-	 * @return			contained traffic_selector_t
-	 */
-	traffic_selector_t *(*get_traffic_selector) (
-										traffic_selector_substructure_t *this);
-
-	/**
-	 * Destroys an traffic_selector_substructure_t object.
-	 */
-	void (*destroy) (traffic_selector_substructure_t *this);
-};
-
-/**
- * Creates an empty traffic_selector_substructure_t object.
- *
- * TS type is set to default TS_IPV4_ADDR_RANGE!
- *
- * @return 					traffic_selector_substructure_t object
- */
-traffic_selector_substructure_t *traffic_selector_substructure_create(void);
-
-/**
- * Creates an initialized traffif selector substructure using
- * the values from a traffic_selector_t.
- *
- * @param traffic_selector	traffic_selector_t to use for initialization
- * @return					traffic_selector_substructure_t object
- */
-traffic_selector_substructure_t *traffic_selector_substructure_create_from_traffic_selector(
-										traffic_selector_t *traffic_selector);
-
-#endif /** TRAFFIC_SELECTOR_SUBSTRUCTURE_H_ @}*/
diff --git a/src/charon/encoding/payloads/transform_attribute.c b/src/charon/encoding/payloads/transform_attribute.c
deleted file mode 100644
index 8bf2ddef4..000000000
--- a/src/charon/encoding/payloads/transform_attribute.c
+++ /dev/null
@@ -1,325 +0,0 @@
-/*
- * Copyright (C) 2005-2006 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <string.h>
-#include <stddef.h>
-
-#include "transform_attribute.h"
-
-#include <encoding/payloads/encodings.h>
-#include <library.h>
-
-typedef struct private_transform_attribute_t private_transform_attribute_t;
-
-/**
- * Private data of an transform_attribute_t object.
- *
- */
-struct private_transform_attribute_t {
-	/**
-	 * Public transform_attribute_t interface.
-	 */
-	transform_attribute_t public;
-
-	/**
-	 * Attribute Format Flag.
-	 *
-	 * - TRUE means value is stored in attribute_length_or_value
-	 * - FALSE means value is stored in attribute_value
-	 */
-	bool attribute_format;
-
-	/**
-	 * Type of the attribute.
-	 */
-	u_int16_t attribute_type;
-
-	/**
-	 * Attribute Length if attribute_format is 0, attribute Value otherwise.
-	 */
-	u_int16_t attribute_length_or_value;
-
-	/**
-	 * Attribute value as chunk if attribute_format is 0 (FALSE).
-	 */
-	chunk_t attribute_value;
-};
-
-
-ENUM_BEGIN(transform_attribute_type_name, ATTRIBUTE_UNDEFINED, ATTRIBUTE_UNDEFINED,
-	"ATTRIBUTE_UNDEFINED");
-ENUM_NEXT(transform_attribute_type_name, KEY_LENGTH, KEY_LENGTH, ATTRIBUTE_UNDEFINED,
-	"KEY_LENGTH");
-ENUM_END(transform_attribute_type_name, KEY_LENGTH);
-
-/**
- * Encoding rules to parse or generate a Transform attribute.
- *
- * The defined offsets are the positions in a object of type
- * private_transform_attribute_t.
- *
- */
-encoding_rule_t transform_attribute_encodings[] = {
-	/* Flag defining the format of this payload */
-	{ ATTRIBUTE_FORMAT,			offsetof(private_transform_attribute_t, attribute_format) 			},
-	/* type of the attribute as 15 bit unsigned integer */
-	{ ATTRIBUTE_TYPE,			offsetof(private_transform_attribute_t, attribute_type)				},
-	/* Length or value, depending on the attribute format flag */
-	{ ATTRIBUTE_LENGTH_OR_VALUE,	offsetof(private_transform_attribute_t, attribute_length_or_value)	},
-	/* Value of attribute if attribute format flag is zero */
-	{ ATTRIBUTE_VALUE,			offsetof(private_transform_attribute_t, attribute_value) 			}
-};
-
-/*
-                          1                   2                   3
-       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-      !A!       Attribute Type        !    AF=0  Attribute Length     !
-      !F!                             !    AF=1  Attribute Value      !
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-      !                   AF=0  Attribute Value                       !
-      !                   AF=1  Not Transmitted                       !
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-*/
-
-/**
- * Implementation of payload_t.verify.
- */
-static status_t verify(private_transform_attribute_t *this)
-{
-	if (this->attribute_type != KEY_LENGTH)
-	{
-		return FAILED;
-	}
-
-	return SUCCESS;
-}
-
-/**
- * Implementation of payload_t.get_encoding_rules.
- */
-static void get_encoding_rules(private_transform_attribute_t *this, encoding_rule_t **rules, size_t *rule_count)
-{
-	*rules = transform_attribute_encodings;
-	*rule_count = sizeof(transform_attribute_encodings) / sizeof(encoding_rule_t);
-}
-
-/**
- * Implementation of payload_t.get_type.
- */
-static payload_type_t get_type(private_transform_attribute_t *this)
-{
-	return TRANSFORM_ATTRIBUTE;
-}
-
-/**
- * Implementation of payload_t.get_next_type.
- */
-static payload_type_t get_next_type(private_transform_attribute_t *this)
-{
-	return (NO_PAYLOAD);
-}
-
-/**
- * Implementation of payload_t.set_next_type.
- */
-static void set_next_type(private_transform_attribute_t *this,payload_type_t type)
-{
-}
-
-/**
- * Implementation of transform_attribute_t.get_length.
- */
-static size_t get_length(private_transform_attribute_t *this)
-{
-	if (this->attribute_format == TRUE)
-	{
-		/*Attribute size is only 4 byte */
-		return 4;
-	}
-	return (this->attribute_length_or_value + 4);
-}
-
-/**
- * Implementation of transform_attribute_t.set_value_chunk.
- */
-static void set_value_chunk(private_transform_attribute_t *this, chunk_t value)
-{
-	if (this->attribute_value.ptr != NULL)
-	{
-		/* free existing value */
-		free(this->attribute_value.ptr);
-		this->attribute_value.ptr = NULL;
-		this->attribute_value.len = 0;
-
-	}
-
-	if (value.len > 2)
-	{
-		this->attribute_value.ptr = clalloc(value.ptr,value.len);
-		this->attribute_value.len = value.len;
-		this->attribute_length_or_value = value.len;
-		/* attribute has not a fixed length */
-		this->attribute_format = FALSE;
-	}
-	else
-	{
-		memcpy(&(this->attribute_length_or_value),value.ptr,value.len);
-	}
-}
-
-/**
- * Implementation of transform_attribute_t.set_value.
- */
-static void set_value(private_transform_attribute_t *this, u_int16_t value)
-{
-	if (this->attribute_value.ptr != NULL)
-	{
-		/* free existing value */
-		free(this->attribute_value.ptr);
-		this->attribute_value.ptr = NULL;
-		this->attribute_value.len = 0;
-
-	}
-	this->attribute_length_or_value = value;
-}
-
-/**
- * Implementation of transform_attribute_t.get_value_chunk.
- */
-static chunk_t get_value_chunk (private_transform_attribute_t *this)
-{
-	chunk_t value;
-
-	if (this->attribute_format == FALSE)
-	{
-		value.ptr = this->attribute_value.ptr;
-		value.len = this->attribute_value.len;
-	}
-	else
-	{
-		value.ptr = (void *) &(this->attribute_length_or_value);
-		value.len = 2;
-	}
-
-	return value;
-}
-
-/**
- * Implementation of transform_attribute_t.get_value.
- */
-static u_int16_t get_value (private_transform_attribute_t *this)
-{
-	return this->attribute_length_or_value;
-}
-
-
-/**
- * Implementation of transform_attribute_t.set_attribute_type.
- */
-static void set_attribute_type (private_transform_attribute_t *this, u_int16_t type)
-{
-	this->attribute_type = type & 0x7FFF;
-}
-
-/**
- * Implementation of transform_attribute_t.get_attribute_type.
- */
-static u_int16_t get_attribute_type (private_transform_attribute_t *this)
-{
-	return this->attribute_type;
-}
-
-/**
- * Implementation of transform_attribute_t.clone.
- */
-static transform_attribute_t * _clone(private_transform_attribute_t *this)
-{
-	private_transform_attribute_t *new_clone;
-
-	new_clone = (private_transform_attribute_t *) transform_attribute_create();
-
-	new_clone->attribute_format = this->attribute_format;
-	new_clone->attribute_type = this->attribute_type;
-	new_clone->attribute_length_or_value = this->attribute_length_or_value;
-
-	if (!new_clone->attribute_format)
-	{
-		new_clone->attribute_value.ptr = clalloc(this->attribute_value.ptr,this->attribute_value.len);
-		new_clone->attribute_value.len = this->attribute_value.len;
-	}
-
-	return (transform_attribute_t *) new_clone;
-}
-
-/**
- * Implementation of transform_attribute_t.destroy and payload_t.destroy.
- */
-static void destroy(private_transform_attribute_t *this)
-{
-	if (this->attribute_value.ptr != NULL)
-	{
-		free(this->attribute_value.ptr);
-	}
-	free(this);
-}
-
-/*
- * Described in header.
- */
-transform_attribute_t *transform_attribute_create()
-{
-	private_transform_attribute_t *this = malloc_thing(private_transform_attribute_t);
-
-	/* payload interface */
-	this->public.payload_interface.verify = (status_t (*) (payload_t *))verify;
-	this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules;
-	this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length;
-	this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type;
-	this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
-	this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_type;
-	this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
-
-	/* public functions */
-	this->public.set_value_chunk = (void (*) (transform_attribute_t *,chunk_t)) set_value_chunk;
-	this->public.set_value = (void (*) (transform_attribute_t *,u_int16_t)) set_value;
-	this->public.get_value_chunk = (chunk_t (*) (transform_attribute_t *)) get_value_chunk;
-	this->public.get_value = (u_int16_t (*) (transform_attribute_t *)) get_value;
-	this->public.set_attribute_type = (void (*) (transform_attribute_t *,u_int16_t type)) set_attribute_type;
-	this->public.get_attribute_type = (u_int16_t (*) (transform_attribute_t *)) get_attribute_type;
-	this->public.clone = (transform_attribute_t * (*) (transform_attribute_t *)) _clone;
-	this->public.destroy = (void (*) (transform_attribute_t *)) destroy;
-
-	/* set default values of the fields */
-	this->attribute_format = TRUE;
-	this->attribute_type = 0;
-	this->attribute_length_or_value = 0;
-	this->attribute_value.ptr = NULL;
-	this->attribute_value.len = 0;
-
-	return (&(this->public));
-}
-
-/*
- * Described in header.
- */
-transform_attribute_t *transform_attribute_create_key_length(u_int16_t key_length)
-{
-	transform_attribute_t *attribute = transform_attribute_create();
-	attribute->set_attribute_type(attribute,KEY_LENGTH);
-	attribute->set_value(attribute,key_length);
-	return attribute;
-}
diff --git a/src/charon/encoding/payloads/transform_attribute.h b/src/charon/encoding/payloads/transform_attribute.h
deleted file mode 100644
index a5fe0154b..000000000
--- a/src/charon/encoding/payloads/transform_attribute.h
+++ /dev/null
@@ -1,132 +0,0 @@
-/*
- * Copyright (C) 2005-2006 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup transform_attribute transform_attribute
- * @{ @ingroup payloads
- */
-
-#ifndef TRANSFORM_ATTRIBUTE_H_
-#define TRANSFORM_ATTRIBUTE_H_
-
-typedef enum transform_attribute_type_t transform_attribute_type_t;
-typedef struct transform_attribute_t transform_attribute_t;
-
-#include <library.h>
-#include <encoding/payloads/payload.h>
-
-
-/**
- * Type of the attribute, as in IKEv2 RFC 3.3.5.
- */
-enum transform_attribute_type_t {
-	ATTRIBUTE_UNDEFINED = 16384,
-	KEY_LENGTH = 14
-};
-
-/**
- * enum name for transform_attribute_type_t.
- */
-extern enum_name_t *transform_attribute_type_names;
-
-/**
- * Class representing an IKEv2- TRANSFORM Attribute.
- *
- * The TRANSFORM ATTRIBUTE format is described in RFC section 3.3.5.
- */
-struct transform_attribute_t {
-	/**
-	 * The payload_t interface.
-	 */
-	payload_t payload_interface;
-
-	/**
-	 * Returns the currently set value of the attribute.
-	 *
-	 * Returned data are not copied.
-	 *
-	 * @return 		chunk_t pointing to the value
-	 */
-	chunk_t (*get_value_chunk) (transform_attribute_t *this);
-
-	/**
-	 * Returns the currently set value of the attribute.
-	 *
-	 * Returned data are not copied.
-	 *
-	 * @return 		value
-	 */
-	u_int16_t (*get_value) (transform_attribute_t *this);
-
-	/**
-	 * Sets the value of the attribute.
-	 *
-	 * Value is getting copied.
-	 *
-	 * @param value chunk_t pointing to the value to set
-	 */
-	void (*set_value_chunk) (transform_attribute_t *this, chunk_t value);
-
-	/**
-	 * Sets the value of the attribute.
-	 *
-	 * @param value value to set
-	 */
-	void (*set_value) (transform_attribute_t *this, u_int16_t value);
-
-	/**
-	 * Sets the type of the attribute.
-	 *
-	 * @param type	type to set (most significant bit is set to zero)
-	 */
-	void (*set_attribute_type) (transform_attribute_t *this, u_int16_t type);
-
-	/**
-	 * get the type of the attribute.
-	 *
-	 * @return 		type of the value
-	 */
-	u_int16_t (*get_attribute_type) (transform_attribute_t *this);
-
-	/**
-	 * Clones an transform_attribute_t object.
-	 *
-	 * @return		cloned transform_attribute_t object
-	 */
-	transform_attribute_t * (*clone) (transform_attribute_t *this);
-
-	/**
-	 * Destroys an transform_attribute_t object.
-	 */
-	void (*destroy) (transform_attribute_t *this);
-};
-
-/**
- * Creates an empty transform_attribute_t object.
- *
- * @return				transform_attribute_t object
- */
-transform_attribute_t *transform_attribute_create(void);
-
-/**
- * Creates an transform_attribute_t of type KEY_LENGTH.
- *
- * @param key_length	key length in bytes
- * @return				transform_attribute_t object
- */
-transform_attribute_t *transform_attribute_create_key_length(u_int16_t key_length);
-
-#endif /** TRANSFORM_ATTRIBUTE_H_ @}*/
diff --git a/src/charon/encoding/payloads/transform_substructure.c b/src/charon/encoding/payloads/transform_substructure.c
deleted file mode 100644
index c94f6c1a2..000000000
--- a/src/charon/encoding/payloads/transform_substructure.c
+++ /dev/null
@@ -1,402 +0,0 @@
-/*
- * Copyright (C) 2005-2006 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <stddef.h>
-
-#include "transform_substructure.h"
-
-#include <encoding/payloads/transform_attribute.h>
-#include <encoding/payloads/encodings.h>
-#include <library.h>
-#include <utils/linked_list.h>
-#include <daemon.h>
-
-
-typedef struct private_transform_substructure_t private_transform_substructure_t;
-
-/**
- * Private data of an transform_substructure_t object.
- *
- */
-struct private_transform_substructure_t {
-	/**
-	 * Public transform_substructure_t interface.
-	 */
-	transform_substructure_t public;
-
-	/**
-	 * Next payload type.
-	 */
-	u_int8_t  next_payload;
-
-
-	/**
-	 * Length of this payload.
-	 */
-	u_int16_t transform_length;
-
-
-	/**
-	 * Type of the transform.
-	 */
-	u_int8_t transform_type;
-
-	/**
-	 * Transform ID.
-	 */
-	u_int16_t transform_id;
-
-	/**
-	 * Transforms Attributes are stored in a linked_list_t.
-	 */
-	linked_list_t *attributes;
-};
-
-
-/**
- * Encoding rules to parse or generate a Transform substructure.
- *
- * The defined offsets are the positions in a object of type
- * private_transform_substructure_t.
- *
- */
-encoding_rule_t transform_substructure_encodings[] = {
-	/* 1 Byte next payload type, stored in the field next_payload */
-	{ U_INT_8,			offsetof(private_transform_substructure_t, next_payload) 		},
-	/* Reserved Byte is skipped */
-	{ RESERVED_BYTE,		0																},
-	/* Length of the whole transform substructure*/
-	{ PAYLOAD_LENGTH,		offsetof(private_transform_substructure_t, transform_length)	},
-	/* transform type is a number of 8 bit */
-	{ U_INT_8,				offsetof(private_transform_substructure_t, transform_type) 	},
-	/* Reserved Byte is skipped */
-	{ RESERVED_BYTE,		0																},
-	/* tranform ID is a number of 8 bit */
-	{ U_INT_16,				offsetof(private_transform_substructure_t, transform_id)		},
-	/* Attributes are stored in a transform attribute,
-	   offset points to a linked_list_t pointer */
-	{ TRANSFORM_ATTRIBUTES,	offsetof(private_transform_substructure_t, attributes) 		}
-};
-
-/*
-                           1                   2                   3
-       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-      ! 0 (last) or 3 !   RESERVED    !        Transform Length       !
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-      !Transform Type !   RESERVED    !          Transform ID         !
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-      !                                                               !
-      ~                      Transform Attributes                     ~
-      !                                                               !
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-*/
-
-
-/**
- * Implementation of payload_t.verify.
- */
-static status_t verify(private_transform_substructure_t *this)
-{
-	status_t status = SUCCESS;
-	iterator_t *iterator;
-	payload_t *current_attributes;
-
-	if ((this->next_payload != NO_PAYLOAD) && (this->next_payload != 3))
-	{
-		/* must be 0 or 3 */
-		DBG1(DBG_ENC, "inconsistent next payload");
-		return FAILED;
-	}
-
-	switch (this->transform_type)
-	{
-		case ENCRYPTION_ALGORITHM:
-		case PSEUDO_RANDOM_FUNCTION:
-		case INTEGRITY_ALGORITHM:
-		case DIFFIE_HELLMAN_GROUP:
-		case EXTENDED_SEQUENCE_NUMBERS:
-			/* we don't check transform ID, we want to reply
-			 * cleanly with NO_PROPOSAL_CHOSEN or so if we don't support it */
-			break;
-		default:
-		{
-			DBG1(DBG_ENC, "invalid transform type: %d", this->transform_type);
-			return FAILED;
-		}
-	}
-	iterator = this->attributes->create_iterator(this->attributes,TRUE);
-
-	while(iterator->iterate(iterator, (void**)&current_attributes))
-	{
-		status = current_attributes->verify(current_attributes);
-		if (status != SUCCESS)
-		{
-			DBG1(DBG_ENC, "TRANSFORM_ATTRIBUTE verification failed");
-		}
-	}
-	iterator->destroy(iterator);
-
-	/* proposal number is checked in SA payload */
-	return status;
-}
-
-/**
- * Implementation of payload_t.get_encoding_rules.
- */
-static void get_encoding_rules(private_transform_substructure_t *this, encoding_rule_t **rules, size_t *rule_count)
-{
-	*rules = transform_substructure_encodings;
-	*rule_count = sizeof(transform_substructure_encodings) / sizeof(encoding_rule_t);
-}
-
-/**
- * Implementation of payload_t.get_type.
- */
-static payload_type_t get_type(private_transform_substructure_t *this)
-{
-	return TRANSFORM_SUBSTRUCTURE;
-}
-
-/**
- * Implementation of payload_t.get_next_type.
- */
-static payload_type_t get_next_type(private_transform_substructure_t *this)
-{
-	return (this->next_payload);
-}
-
-/**
- * recompute the length of the payload.
- */
-static void compute_length (private_transform_substructure_t *this)
-{
-	iterator_t *iterator;
-	payload_t *current_attribute;
-	size_t length = TRANSFORM_SUBSTRUCTURE_HEADER_LENGTH;
-
-	iterator = this->attributes->create_iterator(this->attributes,TRUE);
-	while (iterator->iterate(iterator, (void**)&current_attribute))
-	{
-		length += current_attribute->get_length(current_attribute);
-	}
-	iterator->destroy(iterator);
-
-	this->transform_length = length;
-}
-
-/**
- * Implementation of payload_t.get_length.
- */
-static size_t get_length(private_transform_substructure_t *this)
-{
-	compute_length(this);
-	return this->transform_length;
-}
-
-/**
- * Implementation of transform_substructure_t.create_transform_attribute_iterator.
- */
-static iterator_t *create_transform_attribute_iterator (private_transform_substructure_t *this,bool forward)
-{
-	return this->attributes->create_iterator(this->attributes,forward);
-}
-
-/**
- * Implementation of transform_substructure_t.add_transform_attribute.
- */
-static void add_transform_attribute (private_transform_substructure_t *this,transform_attribute_t *attribute)
-{
-	this->attributes->insert_last(this->attributes,(void *) attribute);
-	compute_length(this);
-}
-
-/**
- * Implementation of transform_substructure_t.set_is_last_transform.
- */
-static void set_is_last_transform (private_transform_substructure_t *this, bool is_last)
-{
-	this->next_payload = (is_last) ? 0: TRANSFORM_TYPE_VALUE;
-}
-
-/**
- * Implementation of transform_substructure_t.get_is_last_transform.
- */
-static bool get_is_last_transform (private_transform_substructure_t *this)
-{
-	return ((this->next_payload == TRANSFORM_TYPE_VALUE) ? FALSE : TRUE);
-}
-
-/**
- * Implementation of payload_t.set_next_type.
- */
-static void set_next_type(private_transform_substructure_t *this,payload_type_t type)
-{
-}
-
-/**
- * Implementation of transform_substructure_t.set_transform_type.
- */
-static void set_transform_type (private_transform_substructure_t *this,u_int8_t type)
-{
-	this->transform_type = type;
-}
-
-/**
- * Implementation of transform_substructure_t.get_transform_type.
- */
-static u_int8_t get_transform_type (private_transform_substructure_t *this)
-{
-	return this->transform_type;
-}
-
-/**
- * Implementation of transform_substructure_t.set_transform_id.
- */
-static void set_transform_id (private_transform_substructure_t *this,u_int16_t id)
-{
-	this->transform_id = id;
-}
-
-/**
- * Implementation of transform_substructure_t.get_transform_id.
- */
-static u_int16_t get_transform_id (private_transform_substructure_t *this)
-{
-	return this->transform_id;
-}
-
-/**
- * Implementation of transform_substructure_t.clone.
- */
-static transform_substructure_t *clone_(private_transform_substructure_t *this)
-{
-	private_transform_substructure_t *clone;
-	iterator_t *attributes;
-	transform_attribute_t *current_attribute;
-
-	clone = (private_transform_substructure_t *) transform_substructure_create();
-	clone->next_payload = this->next_payload;
-	clone->transform_type = this->transform_type;
-	clone->transform_id = this->transform_id;
-
-	attributes = this->attributes->create_iterator(this->attributes, FALSE);
-	while (attributes->iterate(attributes, (void**)&current_attribute))
-	{
-		current_attribute = current_attribute->clone(current_attribute);
-		clone->public.add_transform_attribute(&clone->public, current_attribute);
-	}
-	attributes->destroy(attributes);
-
-	return &clone->public;
-}
-
-
-/**
- * Implementation of transform_substructure_t.get_key_length.
- */
-static status_t get_key_length(private_transform_substructure_t *this, u_int16_t *key_length)
-{
-	iterator_t *attributes;
-	transform_attribute_t *current_attribute;
-
-	attributes = this->attributes->create_iterator(this->attributes, TRUE);
-	while (attributes->iterate(attributes, (void**)&current_attribute))
-	{
-		if (current_attribute->get_attribute_type(current_attribute) == KEY_LENGTH)
-		{
-			*key_length = current_attribute->get_value(current_attribute);
-			attributes->destroy(attributes);
-			return SUCCESS;
-		}
-	}
-	attributes->destroy(attributes);
-	return FAILED;
-}
-
-
-/**
- * Implementation of transform_substructure_t.destroy and payload_t.destroy.
- */
-static void destroy(private_transform_substructure_t *this)
-{
-	this->attributes->destroy_offset(this->attributes,
-									 offsetof(transform_attribute_t, destroy));
-	free(this);
-}
-
-/*
- * Described in header.
- */
-transform_substructure_t *transform_substructure_create()
-{
-	private_transform_substructure_t *this = malloc_thing(private_transform_substructure_t);
-
-	/* payload interface */
-	this->public.payload_interface.verify = (status_t (*) (payload_t *))verify;
-	this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules;
-	this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length;
-	this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type;
-	this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
-	this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_type;
-	this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
-
-	/* public functions */
-	this->public.create_transform_attribute_iterator = (iterator_t * (*) (transform_substructure_t *,bool)) create_transform_attribute_iterator;
-	this->public.add_transform_attribute = (void (*) (transform_substructure_t *,transform_attribute_t *)) add_transform_attribute;
-	this->public.set_is_last_transform = (void (*) (transform_substructure_t *,bool)) set_is_last_transform;
-	this->public.get_is_last_transform = (bool (*) (transform_substructure_t *)) get_is_last_transform;
-	this->public.set_transform_type = (void (*) (transform_substructure_t *,u_int8_t)) set_transform_type;
-	this->public.get_transform_type = (u_int8_t (*) (transform_substructure_t *)) get_transform_type;
-	this->public.set_transform_id = (void (*) (transform_substructure_t *,u_int16_t)) set_transform_id;
-	this->public.get_transform_id = (u_int16_t (*) (transform_substructure_t *)) get_transform_id;
-	this->public.get_key_length = (status_t (*) (transform_substructure_t *,u_int16_t *)) get_key_length;
-	this->public.clone = (transform_substructure_t* (*) (transform_substructure_t *)) clone_;
-	this->public.destroy = (void (*) (transform_substructure_t *)) destroy;
-
-	/* set default values of the fields */
-	this->next_payload = NO_PAYLOAD;
-	this->transform_length = TRANSFORM_SUBSTRUCTURE_HEADER_LENGTH;
-	this->transform_id = 0;
-	this->transform_type = 0;
-	this->attributes = linked_list_create();
-
-	return (&(this->public));
-}
-
-/*
- * Described in header
- */
-transform_substructure_t *transform_substructure_create_type(
-								transform_type_t transform_type,
-								u_int16_t transform_id, u_int16_t key_length)
-{
-	transform_substructure_t *transform = transform_substructure_create();
-
-	transform->set_transform_type(transform,transform_type);
-	transform->set_transform_id(transform,transform_id);
-
-	if (key_length)
-	{
-		transform_attribute_t *attribute;
-
-		attribute = transform_attribute_create_key_length(key_length);
-		transform->add_transform_attribute(transform, attribute);
-
-	}
-	return transform;
-}
-
diff --git a/src/charon/encoding/payloads/transform_substructure.h b/src/charon/encoding/payloads/transform_substructure.h
deleted file mode 100644
index 5d31f8c0a..000000000
--- a/src/charon/encoding/payloads/transform_substructure.h
+++ /dev/null
@@ -1,174 +0,0 @@
-/*
- * Copyright (C) 2005-2006 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup transform_substructure transform_substructure
- * @{ @ingroup payloads
- */
-
-#ifndef TRANSFORM_SUBSTRUCTURE_H_
-#define TRANSFORM_SUBSTRUCTURE_H_
-
-typedef struct transform_substructure_t transform_substructure_t;
-
-#include <library.h>
-#include <encoding/payloads/payload.h>
-#include <encoding/payloads/transform_attribute.h>
-#include <utils/linked_list.h>
-#include <crypto/diffie_hellman.h>
-#include <crypto/signers/signer.h>
-#include <crypto/prfs/prf.h>
-#include <crypto/crypters/crypter.h>
-#include <config/proposal.h>
-
-
-/**
- * IKEv1 Value for a transform payload.
- */
-#define TRANSFORM_TYPE_VALUE 3
-
-/**
- * Length of the transform substructure header in bytes.
- */
-#define TRANSFORM_SUBSTRUCTURE_HEADER_LENGTH 8
-
-
-/**
- * Class representing an IKEv2- TRANSFORM SUBSTRUCTURE.
- *
- * The TRANSFORM SUBSTRUCTURE format is described in RFC section 3.3.2.
- */
-struct transform_substructure_t {
-	/**
-	 * The payload_t interface.
-	 */
-	payload_t payload_interface;
-
-	/**
-	 * Creates an iterator of stored transform_attribute_t objects.
-	 *
-	 * When deleting an transform attribute using this iterator,
-	 * the length of this transform substructure has to be refreshed
-	 * by calling get_length().
-	 *
-	 * @param forward 		iterator direction (TRUE: front to end)
-	 * @return				created iterator_t object.
-	 */
-	iterator_t * (*create_transform_attribute_iterator) (
-								transform_substructure_t *this, bool forward);
-
-	/**
-	 * Adds a transform_attribute_t object to this object.
-	 *
-	 * @param proposal  transform_attribute_t object to add
-	 */
-	void (*add_transform_attribute) (transform_substructure_t *this,
-									 transform_attribute_t *attribute);
-
-	/**
-	 * Sets the next_payload field of this substructure
-	 *
-	 * If this is the last transform, next payload field is set to 0,
-	 * otherwise to 3
-	 *
-	 * @param is_last	When TRUE, next payload field is set to 0, otherwise to 3
-	 */
-	void (*set_is_last_transform) (transform_substructure_t *this, bool is_last);
-
-	/**
-	 * Checks if this is the last transform.
-	 *
-	 * @return 			TRUE if this is the last Transform, FALSE otherwise
-	 */
-	bool (*get_is_last_transform) (transform_substructure_t *this);
-
-	/**
-	 * Sets transform type of the current transform substructure.
-	 *
-	 * @param type		type value to set
-	 */
-	void (*set_transform_type) (transform_substructure_t *this, u_int8_t type);
-
-	/**
-	 * get transform type of the current transform.
-	 *
-	 * @return 			Transform type of current transform substructure.
-	 */
-	u_int8_t (*get_transform_type) (transform_substructure_t *this);
-
-	/**
-	 * Sets transform id of the current transform substructure.
-	 *
-	 * @param id		transform id to set
-	 */
-	void (*set_transform_id) (transform_substructure_t *this, u_int16_t id);
-
-	/**
-	 * get transform id of the current transform.
-	 *
-	 * @return 			Transform id of current transform substructure.
-	 */
-	u_int16_t (*get_transform_id) (transform_substructure_t *this);
-
-	/**
-	 * get transform id of the current transform.
-	 *
-	 * @param key_length	The key length is written to this location
-	 * @return
-	 * 						- SUCCESS if a key length attribute is contained
-	 * 						- FAILED if no key length attribute is part of this
-	 * 						  transform or key length uses more then 16 bit!
-	 */
-	status_t (*get_key_length) (transform_substructure_t *this,
-								u_int16_t *key_length);
-
-	/**
-	 * Clones an transform_substructure_t object.
-	 *
-	 * @return		cloned transform_substructure_t object
-	 */
-	transform_substructure_t* (*clone) (transform_substructure_t *this);
-
-	/**
-	 * Destroys an transform_substructure_t object.
-	 */
-	void (*destroy) (transform_substructure_t *this);
-};
-
-/**
- * Creates an empty transform_substructure_t object.
- *
- * @return			created transform_substructure_t object
- */
-transform_substructure_t *transform_substructure_create(void);
-
-/**
- * Creates an empty transform_substructure_t object.
- *
- * The key length is used for the transport types ENCRYPTION_ALGORITHM,
- * PSEUDO_RANDOM_FUNCTION, INTEGRITY_ALGORITHM. For all
- * other transport types the key_length parameter is not used
- *
- * @param transform_type	type of transform to create
- * @param transform_id		transform id specifying the specific algorithm of a transform type
- * @param key_length		Key length for key lenght attribute
- * @return					transform_substructure_t object
- */
-transform_substructure_t *transform_substructure_create_type(
-						transform_type_t transform_type, u_int16_t transform_id,
-						u_int16_t key_length);
-
-#endif /** TRANSFORM_SUBSTRUCTURE_H_ @}*/
diff --git a/src/charon/encoding/payloads/ts_payload.c b/src/charon/encoding/payloads/ts_payload.c
deleted file mode 100644
index 6bf3e4293..000000000
--- a/src/charon/encoding/payloads/ts_payload.c
+++ /dev/null
@@ -1,334 +0,0 @@
-/*
- * Copyright (C) 2005-2006 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <stddef.h>
-
-#include "ts_payload.h"
-
-#include <encoding/payloads/encodings.h>
-#include <utils/linked_list.h>
-
-typedef struct private_ts_payload_t private_ts_payload_t;
-
-/**
- * Private data of an ts_payload_t object.
- *
- */
-struct private_ts_payload_t {
-	/**
-	 * Public ts_payload_t interface.
-	 */
-	ts_payload_t public;
-
-	/**
-	 * TRUE if this TS payload is of type TSi, FALSE for TSr.
-	 */
-	bool is_initiator;
-
-	/**
-	 * Next payload type.
-	 */
-	u_int8_t  next_payload;
-
-	/**
-	 * Critical flag.
-	 */
-	bool critical;
-
-	/**
-	 * Length of this payload.
-	 */
-	u_int16_t payload_length;
-
-	/**
-	 * Number of traffic selectors
-	 */
-	u_int8_t number_of_traffic_selectors;
-
-	/**
-	 * Contains the traffic selectors of type traffic_selector_substructure_t.
-	 */
-	linked_list_t *traffic_selectors;
-};
-
-/**
- * Encoding rules to parse or generate a TS payload
- *
- * The defined offsets are the positions in a object of type
- * private_ts_payload_t.
- *
- */
-encoding_rule_t ts_payload_encodings[] = {
-	/* 1 Byte next payload type, stored in the field next_payload */
-	{ U_INT_8,			offsetof(private_ts_payload_t, next_payload) 				},
-	/* the critical bit */
-	{ FLAG,				offsetof(private_ts_payload_t, critical) 					},
-	/* 7 Bit reserved bits, nowhere stored */
-	{ RESERVED_BIT,	0 																},
-	{ RESERVED_BIT,	0 																},
-	{ RESERVED_BIT,	0 																},
-	{ RESERVED_BIT,	0 																},
-	{ RESERVED_BIT,	0 																},
-	{ RESERVED_BIT,	0 																},
-	{ RESERVED_BIT,	0 																},
-	/* Length of the whole payload*/
-	{ PAYLOAD_LENGTH,	offsetof(private_ts_payload_t, payload_length)},
-	/* 1 Byte TS type*/
-	{ U_INT_8,			offsetof(private_ts_payload_t, number_of_traffic_selectors)	},
-	/* 3 reserved bytes */
-	{ RESERVED_BYTE,	0 															},
-	{ RESERVED_BYTE,	0 															},
-	{ RESERVED_BYTE,	0 															},
-	/* some ts data bytes, length is defined in PAYLOAD_LENGTH */
-	{ TRAFFIC_SELECTORS,	offsetof(private_ts_payload_t, traffic_selectors)		}
-};
-
-/*
-                           1                   2                   3
-       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-      ! Next Payload  !C!  RESERVED   !         Payload Length        !
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-      ! Number of TSs !                 RESERVED                      !
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-      !                                                               !
-      ~                       <Traffic Selectors>                     ~
-      !                                                               !
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-*/
-
-/**
- * Implementation of payload_t.verify.
- */
-static status_t verify(private_ts_payload_t *this)
-{
-	iterator_t *iterator;
-	payload_t *current_traffic_selector;
-	status_t status = SUCCESS;
-
-	if (this->number_of_traffic_selectors != (this->traffic_selectors->get_count(this->traffic_selectors)))
-	{
-		/* must be the same */
-		return FAILED;
-	}
-
-	iterator = this->traffic_selectors->create_iterator(this->traffic_selectors,TRUE);
-	while(iterator->iterate(iterator, (void**)&current_traffic_selector))
-	{
-		status = current_traffic_selector->verify(current_traffic_selector);
-		if (status != SUCCESS)
-		{
-			break;
-		}
-	}
-	iterator->destroy(iterator);
-
-	return status;
-}
-
-/**
- * Implementation of ts_payload_t.get_encoding_rules.
- */
-static void get_encoding_rules(private_ts_payload_t *this, encoding_rule_t **rules, size_t *rule_count)
-{
-	*rules = ts_payload_encodings;
-	*rule_count = sizeof(ts_payload_encodings) / sizeof(encoding_rule_t);
-}
-
-/**
- * Implementation of payload_t.get_type.
- */
-static payload_type_t get_payload_type(private_ts_payload_t *this)
-{
-	if (this->is_initiator)
-	{
-		return TRAFFIC_SELECTOR_INITIATOR;
-	}
-	else
-	{
-		return TRAFFIC_SELECTOR_RESPONDER;
-	}
-}
-
-/**
- * Implementation of payload_t.get_next_type.
- */
-static payload_type_t get_next_type(private_ts_payload_t *this)
-{
-	return (this->next_payload);
-}
-
-/**
- * Implementation of payload_t.set_next_type.
- */
-static void set_next_type(private_ts_payload_t *this,payload_type_t type)
-{
-	this->next_payload = type;
-}
-
-/**
- * recompute the length of the payload.
- */
-static void compute_length (private_ts_payload_t *this)
-{
-	iterator_t *iterator;
-	size_t ts_count = 0;
-	size_t length = TS_PAYLOAD_HEADER_LENGTH;
-	payload_t *current_traffic_selector;
-
-	iterator = this->traffic_selectors->create_iterator(this->traffic_selectors,TRUE);
-	while (iterator->iterate(iterator, (void**)&current_traffic_selector))
-	{
-		length += current_traffic_selector->get_length(current_traffic_selector);
-		ts_count++;
-	}
-	iterator->destroy(iterator);
-
-	this->number_of_traffic_selectors= ts_count;
-	this->payload_length = length;
-}
-
-/**
- * Implementation of payload_t.get_length.
- */
-static size_t get_length(private_ts_payload_t *this)
-{
-	compute_length(this);
-	return this->payload_length;
-}
-
-/**
- * Implementation of ts_payload_t.get_initiator.
- */
-static bool get_initiator (private_ts_payload_t *this)
-{
-	return (this->is_initiator);
-}
-
-/**
- * Implementation of ts_payload_t.set_initiator.
- */
-static void set_initiator (private_ts_payload_t *this,bool is_initiator)
-{
-	this->is_initiator = is_initiator;
-}
-
-/**
- * Implementation of ts_payload_t.add_traffic_selector_substructure.
- */
-static void add_traffic_selector_substructure (private_ts_payload_t *this,traffic_selector_substructure_t *traffic_selector)
-{
-	this->traffic_selectors->insert_last(this->traffic_selectors,traffic_selector);
-	this->number_of_traffic_selectors = this->traffic_selectors->get_count(this->traffic_selectors);
-}
-
-/**
- * Implementation of ts_payload_t.create_traffic_selector_substructure_iterator.
- */
-static iterator_t * create_traffic_selector_substructure_iterator (private_ts_payload_t *this, bool forward)
-{
-	return this->traffic_selectors->create_iterator(this->traffic_selectors,forward);
-}
-
-/**
- * Implementation of ts_payload_t.get_traffic_selectors.
- */
-static linked_list_t *get_traffic_selectors(private_ts_payload_t *this)
-{
-	traffic_selector_t *ts;
-	iterator_t *iterator;
-	traffic_selector_substructure_t *ts_substructure;
-	linked_list_t *ts_list = linked_list_create();
-
-	iterator = this->traffic_selectors->create_iterator(this->traffic_selectors, TRUE);
-	while (iterator->iterate(iterator, (void**)&ts_substructure))
-	{
-		ts = ts_substructure->get_traffic_selector(ts_substructure);
-		ts_list->insert_last(ts_list, (void*)ts);
-	}
-	iterator->destroy(iterator);
-
-	return ts_list;
-}
-
-/**
- * Implementation of payload_t.destroy and ts_payload_t.destroy.
- */
-static void destroy(private_ts_payload_t *this)
-{
-	this->traffic_selectors->destroy_offset(this->traffic_selectors,
-											offsetof(payload_t, destroy));
-	free(this);
-}
-
-/*
- * Described in header
- */
-ts_payload_t *ts_payload_create(bool is_initiator)
-{
-	private_ts_payload_t *this = malloc_thing(private_ts_payload_t);
-
-	/* interface functions */
-	this->public.payload_interface.verify = (status_t (*) (payload_t *))verify;
-	this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules;
-	this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length;
-	this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type;
-	this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
-	this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_payload_type;
-	this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
-
-	/* public functions */
-	this->public.destroy = (void (*) (ts_payload_t *)) destroy;
-	this->public.get_initiator = (bool (*) (ts_payload_t *)) get_initiator;
-	this->public.set_initiator = (void (*) (ts_payload_t *,bool)) set_initiator;
-	this->public.add_traffic_selector_substructure = (void (*) (ts_payload_t *,traffic_selector_substructure_t *)) add_traffic_selector_substructure;
-	this->public.create_traffic_selector_substructure_iterator = (iterator_t* (*) (ts_payload_t *,bool)) create_traffic_selector_substructure_iterator;
-	this->public.get_traffic_selectors = (linked_list_t *(*) (ts_payload_t *)) get_traffic_selectors;
-
-	/* private variables */
-	this->critical = FALSE;
-	this->next_payload = NO_PAYLOAD;
-	this->payload_length =TS_PAYLOAD_HEADER_LENGTH;
-	this->is_initiator = is_initiator;
-	this->number_of_traffic_selectors = 0;
-	this->traffic_selectors = linked_list_create();
-
-	return &(this->public);
-}
-
-/*
- * Described in header
- */
-ts_payload_t *ts_payload_create_from_traffic_selectors(bool is_initiator, linked_list_t *traffic_selectors)
-{
-	iterator_t *iterator;
-	traffic_selector_t *ts;
-	traffic_selector_substructure_t *ts_substructure;
-	private_ts_payload_t *this;
-
-	this = (private_ts_payload_t*)ts_payload_create(is_initiator);
-
-	iterator = traffic_selectors->create_iterator(traffic_selectors, TRUE);
-	while (iterator->iterate(iterator, (void**)&ts))
-	{
-		ts_substructure = traffic_selector_substructure_create_from_traffic_selector(ts);
-		this->public.add_traffic_selector_substructure(&(this->public), ts_substructure);
-	}
-	iterator->destroy(iterator);
-
-	return &(this->public);
-}
-
diff --git a/src/charon/encoding/payloads/ts_payload.h b/src/charon/encoding/payloads/ts_payload.h
deleted file mode 100644
index d322ff1a8..000000000
--- a/src/charon/encoding/payloads/ts_payload.h
+++ /dev/null
@@ -1,127 +0,0 @@
-/*
- * Copyright (C) 2005-2006 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup ts_payload ts_payload
- * @{ @ingroup payloads
- */
-
-
-#ifndef TS_PAYLOAD_H_
-#define TS_PAYLOAD_H_
-
-typedef struct ts_payload_t ts_payload_t;
-
-#include <library.h>
-#include <utils/linked_list.h>
-#include <selectors/traffic_selector.h>
-#include <encoding/payloads/payload.h>
-#include <encoding/payloads/traffic_selector_substructure.h>
-
-/**
- * Length of a TS payload without the Traffic selectors.
- */
-#define TS_PAYLOAD_HEADER_LENGTH 8
-
-
-/**
- * Class representing an IKEv2 TS payload.
- *
- * The TS payload format is described in RFC section 3.13.
- */
-struct ts_payload_t {
-	/**
-	 * The payload_t interface.
-	 */
-	payload_t payload_interface;
-
-	/**
-	 * Get the type of TSpayload (TSi or TSr).
-	 *
-	 * @return
-	 * 						- TRUE if this payload is of type TSi
-	 * 						- FALSE if this payload is of type TSr
-	 */
-	bool (*get_initiator) (ts_payload_t *this);
-
-	/**
-	 * Set the type of TS payload (TSi or TSr).
-	 *
-	 * @param is_initiator
-	 * 						- TRUE if this payload is of type TSi
-	 * 						- FALSE if this payload is of type TSr
-	 */
-	void (*set_initiator) (ts_payload_t *this,bool is_initiator);
-
-	/**
-	 * Adds a traffic_selector_substructure_t object to this object.
-	 *
-	 * @param traffic_selector  traffic_selector_substructure_t object to add
-	 */
-	void (*add_traffic_selector_substructure) (ts_payload_t *this,
-							traffic_selector_substructure_t *traffic_selector);
-
-	/**
-	 * Creates an iterator of stored traffic_selector_substructure_t objects.
-	 *
-	 * When removing an traffic_selector_substructure_t object
-	 * using this iterator, the length of this payload
-	 * has to get refreshed by calling payload_t.get_length!
-	 *
-	 * @param forward 		iterator direction (TRUE: front to end)
-	 * @return				created iterator_t object
-	 */
-	iterator_t *(*create_traffic_selector_substructure_iterator) (
-											ts_payload_t *this, bool forward);
-
-	/**
-	 * Get a list of nested traffic selectors as traffic_selector_t.
-	 *
-	 * Resulting list and its traffic selectors must be destroyed after usage
-	 *
-	 * @return				list of traffic selectors
-	 */
-	linked_list_t *(*get_traffic_selectors) (ts_payload_t *this);
-
-	/**
-	 * Destroys an ts_payload_t object.
-	 */
-	void (*destroy) (ts_payload_t *this);
-};
-
-/**
- * Creates an empty ts_payload_t object.
- *
- * @param is_initiator
- * 						- TRUE if this payload is of type TSi
- * 						- FALSE if this payload is of type TSr
- * @return				ts_payload_t object
- */
-ts_payload_t *ts_payload_create(bool is_initiator);
-
-/**
- * Creates ts_payload with a list of traffic_selector_t
- *
- * @param is_initiator
- * 							- TRUE if this payload is of type TSi
- * 							- FALSE if this payload is of type TSr
- * @param traffic_selectors	list of traffic selectors to include
- * @return					ts_payload_t object
- */
-ts_payload_t *ts_payload_create_from_traffic_selectors(bool is_initiator,
-											linked_list_t *traffic_selectors);
-
-#endif /** TS_PAYLOAD_H_ @}*/
diff --git a/src/charon/encoding/payloads/unknown_payload.c b/src/charon/encoding/payloads/unknown_payload.c
deleted file mode 100644
index dd5547dc3..000000000
--- a/src/charon/encoding/payloads/unknown_payload.c
+++ /dev/null
@@ -1,201 +0,0 @@
-/*
- * Copyright (C) 2005-2006 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <stddef.h>
-
-#include "unknown_payload.h"
-
-
-
-typedef struct private_unknown_payload_t private_unknown_payload_t;
-
-/**
- * Private data of an unknown_payload_t object.
- */
-struct private_unknown_payload_t {
-
-	/**
-	 * Public unknown_payload_t interface.
-	 */
-	unknown_payload_t public;
-
-	/**
-	 * Next payload type.
-	 */
-	u_int8_t next_payload;
-
-	/**
-	 * Critical flag.
-	 */
-	bool critical;
-
-	/**
-	 * Length of this payload.
-	 */
-	u_int16_t payload_length;
-
-	/**
-	 * The contained data.
-	 */
-	chunk_t data;
-};
-
-/**
- * Encoding rules to parse an payload which is not further specified.
- *
- * The defined offsets are the positions in a object of type
- * private_unknown_payload_t.
- *
- */
-encoding_rule_t unknown_payload_encodings[] = {
-	/* 1 Byte next payload type, stored in the field next_payload */
-	{ U_INT_8,			offsetof(private_unknown_payload_t, next_payload)},
-	/* the critical bit */
-	{ FLAG,				offsetof(private_unknown_payload_t, critical) 	},
-	/* 7 Bit reserved bits, nowhere stored */
-	{ RESERVED_BIT,	0 													},
-	{ RESERVED_BIT,	0 													},
-	{ RESERVED_BIT,	0 													},
-	{ RESERVED_BIT,	0 													},
-	{ RESERVED_BIT,	0 													},
-	{ RESERVED_BIT,	0 													},
-	{ RESERVED_BIT,	0 													},
-	/* Length of the whole payload*/
-	{ PAYLOAD_LENGTH,	offsetof(private_unknown_payload_t, payload_length)},
-	/* some unknown data bytes, length is defined in PAYLOAD_LENGTH */
-	{ UNKNOWN_DATA,		offsetof(private_unknown_payload_t, data) 		}
-};
-
-/*
-                           1                   2                   3
-        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
-       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-       ! Next Payload  !C!  RESERVED   !         Payload Length        !
-       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-       !                                                               !
-       ~                       Data of any type                        ~
-       !                                                               !
-       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-*/
-
-/**
- * Implementation of payload_t.verify.
- */
-static status_t verify(private_unknown_payload_t *this)
-{
-	/* can't do any checks, so we assume its good */
-	return SUCCESS;
-}
-
-/**
- * Implementation of payload_t.get_encoding_rules.
- */
-static void get_encoding_rules(private_unknown_payload_t *this, encoding_rule_t **rules, size_t *rule_count)
-{
-	*rules = unknown_payload_encodings;
-	*rule_count = sizeof(unknown_payload_encodings) / sizeof(encoding_rule_t);
-}
-
-/**
- * Implementation of payload_t.get_type.
- */
-static payload_type_t get_payload_type(private_unknown_payload_t *this)
-{
-	return UNKNOWN_PAYLOAD;
-}
-
-/**
- * Implementation of payload_t.get_next_type.
- */
-static payload_type_t get_next_type(private_unknown_payload_t *this)
-{
-	return (this->next_payload);
-}
-
-/**
- * Implementation of payload_t.set_next_type.
- */
-static void set_next_type(private_unknown_payload_t *this,payload_type_t type)
-{
-	this->next_payload = type;
-}
-
-/**
- * Implementation of payload_t.get_length.
- */
-static size_t get_length(private_unknown_payload_t *this)
-{
-	return this->payload_length;
-}
-
-/**
- * Implementation of unknown_payload_t.get_data.
- */
-static bool is_critical(private_unknown_payload_t *this)
-{
-	return this->critical;
-}
-
-/**
- * Implementation of unknown_payload_t.get_data.
- */
-static chunk_t get_data (private_unknown_payload_t *this)
-{
-	return (this->data);
-}
-
-/**
- * Implementation of payload_t.destroy and unknown_payload_t.destroy.
- */
-static void destroy(private_unknown_payload_t *this)
-{
-	if (this->data.ptr != NULL)
-	{
-		chunk_free(&(this->data));
-	}
-
-	free(this);
-}
-
-/*
- * Described in header
- */
-unknown_payload_t *unknown_payload_create()
-{
-	private_unknown_payload_t *this = malloc_thing(private_unknown_payload_t);
-
-	/* interface functions */
-	this->public.payload_interface.verify = (status_t (*) (payload_t *))verify;
-	this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules;
-	this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length;
-	this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type;
-	this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
-	this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_payload_type;
-	this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
-
-	/* public functions */
-	this->public.destroy = (void (*) (unknown_payload_t *)) destroy;
-	this->public.is_critical = (bool (*) (unknown_payload_t *)) is_critical;
-	this->public.get_data = (chunk_t (*) (unknown_payload_t *)) get_data;
-
-	/* private variables */
-	this->critical = FALSE;
-	this->next_payload = NO_PAYLOAD;
-	this->payload_length = UNKNOWN_PAYLOAD_HEADER_LENGTH;
-	this->data = chunk_empty;
-
-	return (&(this->public));
-}
diff --git a/src/charon/encoding/payloads/unknown_payload.h b/src/charon/encoding/payloads/unknown_payload.h
deleted file mode 100644
index c761ed2b6..000000000
--- a/src/charon/encoding/payloads/unknown_payload.h
+++ /dev/null
@@ -1,79 +0,0 @@
-/*
- * Copyright (C) 2005-2006 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup unknown_payload unknown_payload
- * @{ @ingroup payloads
- */
-
-#ifndef UNKNOWN_PAYLOAD_H_
-#define UNKNOWN_PAYLOAD_H_
-
-typedef struct unknown_payload_t unknown_payload_t;
-
-#include <library.h>
-#include <encoding/payloads/payload.h>
-
-/**
- * Header length of the unknown payload.
- */
-#define UNKNOWN_PAYLOAD_HEADER_LENGTH 4
-
-/**
- * Payload which can't be processed further.
- *
- * When the parser finds an unknown payload, he builds an instance of
- * this class. This allows further processing of this payload, such as
- * a check for the critical bit in the header.
- */
-struct unknown_payload_t {
-
-	/**
-	 * The payload_t interface.
-	 */
-	payload_t payload_interface;
-
-	/**
-	 * Get the raw data of this payload, without
-	 * the generic payload header.
-	 *
-	 * Returned data are NOT copied and must not be freed.
-	 *
-	 * @return				data as chunk_t
-	 */
-	chunk_t (*get_data) (unknown_payload_t *this);
-
-	/**
-	 * Get the critical flag.
-	 *
-	 * @return				TRUE if payload is critical, FALSE if not
-	 */
-	bool (*is_critical) (unknown_payload_t *this);
-
-	/**
-	 * Destroys an unknown_payload_t object.
-	 */
-	void (*destroy) (unknown_payload_t *this);
-};
-
-/**
- * Creates an empty unknown_payload_t object.
- *
- * @return unknown_payload_t object
- */
-unknown_payload_t *unknown_payload_create(void);
-
-#endif /** UNKNOWN_PAYLOAD_H_ @}*/
diff --git a/src/charon/encoding/payloads/vendor_id_payload.c b/src/charon/encoding/payloads/vendor_id_payload.c
deleted file mode 100644
index bf33d2418..000000000
--- a/src/charon/encoding/payloads/vendor_id_payload.c
+++ /dev/null
@@ -1,195 +0,0 @@
-/*
- * Copyright (C) 2005-2009 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <stddef.h>
-
-#include "vendor_id_payload.h"
-
-typedef struct private_vendor_id_payload_t private_vendor_id_payload_t;
-
-/**
- * Private data of an vendor_id_payload_t object.
- */
-struct private_vendor_id_payload_t {
-
-	/**
-	 * Public vendor_id_payload_t interface.
-	 */
-	vendor_id_payload_t public;
-
-	/**
-	 * Next payload type.
-	 */
-	u_int8_t  next_payload;
-
-	/**
-	 * Critical flag.
-	 */
-	bool critical;
-
-	/**
-	 * Length of this payload.
-	 */
-	u_int16_t payload_length;
-
-	/**
-	 * The contained data.
-	 */
-	chunk_t data;
-};
-
-/**
- * Encoding rules to parse or generate a VENDOR ID payload
- *
- * The defined offsets are the positions in a object of type
- * private_vendor_id_payload_t.
- */
-encoding_rule_t vendor_id_payload_encodings[] = {
-	/* 1 Byte next payload type, stored in the field next_payload */
-	{ U_INT_8,			offsetof(private_vendor_id_payload_t, next_payload) },
-	/* the critical bit */
-	{ FLAG,				offsetof(private_vendor_id_payload_t, critical)		},
-	/* 7 Bit reserved bits, nowhere stored */
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	/* Length of the whole payload*/
-	{ PAYLOAD_LENGTH,	offsetof(private_vendor_id_payload_t, payload_length)},
-	/* some vendor_id data bytes, length is defined in PAYLOAD_LENGTH */
-	{ VID_DATA,			offsetof(private_vendor_id_payload_t, data) }
-};
-
-/*
-                           1                   2                   3
-       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-      ! Next Payload  !C!  RESERVED   !         Payload Length        !
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-      +                                                               !
-      ~                            VID Data                           ~
-      !                                                               !
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-*/
-
-/**
- * Implementation of payload_t.verify.
- */
-static status_t verify(private_vendor_id_payload_t *this)
-{
-	return SUCCESS;
-}
-
-/**
- * Implementation of vendor_id_payload_t.get_encoding_rules.
- */
-static void get_encoding_rules(private_vendor_id_payload_t *this,
-							   encoding_rule_t **rules, size_t *rule_count)
-{
-	*rules = vendor_id_payload_encodings;
-	*rule_count = sizeof(vendor_id_payload_encodings) / sizeof(encoding_rule_t);
-}
-
-/**
- * Implementation of payload_t.get_type.
- */
-static payload_type_t get_payload_type(private_vendor_id_payload_t *this)
-{
-	return VENDOR_ID;
-}
-
-/**
- * Implementation of payload_t.get_next_type.
- */
-static payload_type_t get_next_type(private_vendor_id_payload_t *this)
-{
-	return this->next_payload;
-}
-
-/**
- * Implementation of payload_t.set_next_type.
- */
-static void set_next_type(private_vendor_id_payload_t *this,payload_type_t type)
-{
-	this->next_payload = type;
-}
-
-/**
- * Implementation of payload_t.get_length.
- */
-static size_t get_length(private_vendor_id_payload_t *this)
-{
-	return this->payload_length;
-}
-
-/**
- * Implementation of vendor_id_payload_t.get_data.
- */
-static chunk_t get_data(private_vendor_id_payload_t *this)
-{
-	return this->data;
-}
-
-/**
- * Implementation of payload_t.destroy and vendor_id_payload_t.destroy.
- */
-static void destroy(private_vendor_id_payload_t *this)
-{
-	free(this->data.ptr);
-	free(this);
-}
-
-/*
- * Described in header
- */
-vendor_id_payload_t *vendor_id_payload_create()
-{
-	private_vendor_id_payload_t *this = malloc_thing(private_vendor_id_payload_t);
-
-	this->public.payload_interface.verify = (status_t (*) (payload_t *))verify;
-	this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules;
-	this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length;
-	this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type;
-	this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
-	this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_payload_type;
-	this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
-	this->public.get_data = (chunk_t (*) (vendor_id_payload_t *)) get_data;
-
-	this->critical = FALSE;
-	this->next_payload = NO_PAYLOAD;
-	this->payload_length = VENDOR_ID_PAYLOAD_HEADER_LENGTH;
-	this->data = chunk_empty;
-
-	return &this->public;
-}
-
-/*
- * Described in header
- */
-vendor_id_payload_t *vendor_id_payload_create_data(chunk_t data)
-{
-	private_vendor_id_payload_t *this;
-
-	this = (private_vendor_id_payload_t*)vendor_id_payload_create();
-	this->payload_length += data.len;
-	this->data = data;
-
-	return &this->public;
-}
-
diff --git a/src/charon/encoding/payloads/vendor_id_payload.h b/src/charon/encoding/payloads/vendor_id_payload.h
deleted file mode 100644
index 241535cac..000000000
--- a/src/charon/encoding/payloads/vendor_id_payload.h
+++ /dev/null
@@ -1,70 +0,0 @@
-/*
- * Copyright (C) 2005-2009 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup vendor_id_payload vendor_id_payload
- * @{ @ingroup payloads
- */
-
-#ifndef VENDOR_ID_PAYLOAD_H_
-#define VENDOR_ID_PAYLOAD_H_
-
-typedef struct vendor_id_payload_t vendor_id_payload_t;
-
-#include <library.h>
-#include <encoding/payloads/payload.h>
-
-/**
- * Length of a VENDOR ID payload without the VID data in bytes.
- */
-#define VENDOR_ID_PAYLOAD_HEADER_LENGTH 4
-
-/**
- * Class representing an IKEv2 VENDOR ID payload.
- *
- * The VENDOR ID payload format is described in RFC section 3.12.
- */
-struct vendor_id_payload_t {
-
-	/**
-	 * The payload_t interface.
-	 */
-	payload_t payload_interface;
-
-	/**
-	 * Get the VID data.
-	 *
-	 * @return		VID data, pointing to an internal chunk_t
-	 */
-	chunk_t (*get_data)(vendor_id_payload_t *this);
-};
-
-/**
- * Creates an empty Vendor ID payload.
- *
- * @return			vendor ID payload
- */
-vendor_id_payload_t *vendor_id_payload_create();
-
-/**
- * Creates a vendor ID payload using a chunk of data
- *
- * @param data		data to use in vendor ID payload, gets owned by payload
- * @return			vendor ID payload
- */
-vendor_id_payload_t *vendor_id_payload_create_data(chunk_t data);
-
-#endif /** VENDOR_ID_PAYLOAD_H_ @}*/
diff --git a/src/charon/kernel/kernel_interface.c b/src/charon/kernel/kernel_interface.c
deleted file mode 100644
index 99bf94e9b..000000000
--- a/src/charon/kernel/kernel_interface.c
+++ /dev/null
@@ -1,430 +0,0 @@
-/*
- * Copyright (C) 2008-2009 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "kernel_interface.h"
-
-#include <daemon.h>
-
-typedef struct private_kernel_interface_t private_kernel_interface_t;
-
-/**
- * Private data of a kernel_interface_t object.
- */
-struct private_kernel_interface_t {
-
-	/**
-	 * Public part of kernel_interface_t object.
-	 */
-	kernel_interface_t public;
-
-	/**
-	 * ipsec interface
-	 */
-	kernel_ipsec_t *ipsec;
-
-	/**
-	 * network interface
-	 */
-	kernel_net_t *net;
-};
-
-/**
- * Implementation of kernel_interface_t.get_spi
- */
-static status_t get_spi(private_kernel_interface_t *this, host_t *src, host_t *dst,
-				 protocol_id_t protocol, u_int32_t reqid, u_int32_t *spi)
-{
-	if (!this->ipsec)
-	{
-		return NOT_SUPPORTED;
-	}
-	return this->ipsec->get_spi(this->ipsec, src, dst, protocol, reqid, spi);
-}
-
-/**
- * Implementation of kernel_interface_t.get_cpi
- */
-static status_t get_cpi(private_kernel_interface_t *this, host_t *src, host_t *dst,
-					u_int32_t reqid, u_int16_t *cpi)
-{
-	if (!this->ipsec)
-	{
-		return NOT_SUPPORTED;
-	}
-	return this->ipsec->get_cpi(this->ipsec, src, dst, reqid, cpi);
-}
-
-/**
- * Implementation of kernel_interface_t.add_sa
- */
-static status_t add_sa(private_kernel_interface_t *this, host_t *src, host_t *dst,
-				u_int32_t spi, protocol_id_t protocol, u_int32_t reqid,
-				lifetime_cfg_t *lifetime,
-				u_int16_t enc_alg, chunk_t enc_key,
-				u_int16_t int_alg, chunk_t int_key,
-				ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi, bool encap,
-				bool inbound, traffic_selector_t *src_ts,
-				traffic_selector_t *dst_ts)
-{
-	if (!this->ipsec)
-	{
-		return NOT_SUPPORTED;
-	}
-	return this->ipsec->add_sa(this->ipsec, src, dst, spi, protocol, reqid,
-			lifetime, enc_alg, enc_key, int_alg, int_key, mode, ipcomp, cpi,
-			encap, inbound, src_ts, dst_ts);
-}
-
-/**
- * Implementation of kernel_interface_t.update_sa
- */
-static status_t update_sa(private_kernel_interface_t *this, u_int32_t spi,
-				   protocol_id_t protocol, u_int16_t cpi, host_t *src, host_t *dst,
-				   host_t *new_src, host_t *new_dst, bool encap, bool new_encap)
-{
-	if (!this->ipsec)
-	{
-		return NOT_SUPPORTED;
-	}
-	return this->ipsec->update_sa(this->ipsec, spi, protocol, cpi, src, dst,
-			new_src, new_dst, encap, new_encap);
-}
-
-/**
- * Implementation of kernel_interface_t.query_sa
- */
-static status_t query_sa(private_kernel_interface_t *this, host_t *src, host_t *dst,
-						 u_int32_t spi, protocol_id_t protocol, u_int64_t *bytes)
-{
-	if (!this->ipsec)
-	{
-		return NOT_SUPPORTED;
-	}
-	return this->ipsec->query_sa(this->ipsec, src, dst, spi, protocol, bytes);
-}
-
-/**
- * Implementation of kernel_interface_t.del_sa
- */
-static status_t del_sa(private_kernel_interface_t *this, host_t *src, host_t *dst,
-				u_int32_t spi, protocol_id_t protocol, u_int16_t cpi)
-{
-	if (!this->ipsec)
-	{
-		return NOT_SUPPORTED;
-	}
-	return this->ipsec->del_sa(this->ipsec, src, dst, spi, protocol, cpi);
-}
-
-/**
- * Implementation of kernel_interface_t.add_policy
- */
-static status_t add_policy(private_kernel_interface_t *this, host_t *src, host_t *dst,
-					traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
-					policy_dir_t direction, u_int32_t spi, protocol_id_t protocol,
-					u_int32_t reqid, ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
-					bool routed)
-{
-	if (!this->ipsec)
-	{
-		return NOT_SUPPORTED;
-	}
-	return this->ipsec->add_policy(this->ipsec, src, dst, src_ts, dst_ts,
-			direction, spi, protocol, reqid, mode, ipcomp, cpi, routed);
-}
-
-/**
- * Implementation of kernel_interface_t.query_policy
- */
-static status_t query_policy(private_kernel_interface_t *this,
-					  traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
-					  policy_dir_t direction, u_int32_t *use_time)
-{
-	if (!this->ipsec)
-	{
-		return NOT_SUPPORTED;
-	}
-	return this->ipsec->query_policy(this->ipsec, src_ts, dst_ts, direction, use_time);
-}
-
-/**
- * Implementation of kernel_interface_t.del_policy
- */
-static status_t del_policy(private_kernel_interface_t *this,
-					traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
-					policy_dir_t direction, bool unrouted)
-{
-	if (!this->ipsec)
-	{
-		return NOT_SUPPORTED;
-	}
-	return this->ipsec->del_policy(this->ipsec, src_ts, dst_ts, direction, unrouted);
-}
-
-/**
- * Implementation of kernel_interface_t.get_source_addr
- */
-static host_t *get_source_addr(private_kernel_interface_t *this,
-							   host_t *dest, host_t *src)
-{
-	if (!this->net)
-	{
-		return NULL;
-	}
-	return this->net->get_source_addr(this->net, dest, src);
-}
-
-/**
- * Implementation of kernel_interface_t.get_nexthop
- */
-static host_t *get_nexthop(private_kernel_interface_t *this, host_t *dest)
-{
-	if (!this->net)
-	{
-		return NULL;
-	}
-	return this->net->get_nexthop(this->net, dest);
-}
-
-/**
- * Implementation of kernel_interface_t.get_interface
- */
-static char* get_interface(private_kernel_interface_t *this, host_t *host)
-{
-	if (!this->net)
-	{
-		return NULL;
-	}
-	return this->net->get_interface(this->net, host);
-}
-
-/**
- * Implementation of kernel_interface_t.create_address_enumerator
- */
-static enumerator_t *create_address_enumerator(private_kernel_interface_t *this,
-		bool include_down_ifaces, bool include_virtual_ips)
-{
-	if (!this->net)
-	{
-		return enumerator_create_empty();
-	}
-	return this->net->create_address_enumerator(this->net, include_down_ifaces,
-			include_virtual_ips);
-}
-
-/**
- * Implementation of kernel_interface_t.add_ip
- */
-static status_t add_ip(private_kernel_interface_t *this, host_t *virtual_ip,
-				host_t *iface_ip)
-{
-	if (!this->net)
-	{
-		return NOT_SUPPORTED;
-	}
-	return this->net->add_ip(this->net, virtual_ip, iface_ip);
-}
-
-/**
- * Implementation of kernel_interface_t.del_ip
- */
-static status_t del_ip(private_kernel_interface_t *this, host_t *virtual_ip)
-{
-	if (!this->net)
-	{
-		return NOT_SUPPORTED;
-	}
-	return this->net->del_ip(this->net, virtual_ip);
-}
-
-/**
- * Implementation of kernel_interface_t.add_route
- */
-static status_t add_route(private_kernel_interface_t *this, chunk_t dst_net,
-		u_int8_t prefixlen, host_t *gateway, host_t *src_ip, char *if_name)
-{
-	if (!this->net)
-	{
-		return NOT_SUPPORTED;
-	}
-	return this->net->add_route(this->net, dst_net, prefixlen, gateway, src_ip,
-			if_name);
-}
-
-/**
- * Implementation of kernel_interface_t.del_route
- */
-static status_t del_route(private_kernel_interface_t *this, chunk_t dst_net,
-		u_int8_t prefixlen, host_t *gateway, host_t *src_ip, char *if_name)
-{
-	if (!this->net)
-	{
-		return NOT_SUPPORTED;
-	}
-	return this->net->del_route(this->net, dst_net, prefixlen, gateway, src_ip,
-			if_name);
-}
-
-
-/**
- * Implementation of kernel_interface_t.get_address_by_ts
- */
-static status_t get_address_by_ts(private_kernel_interface_t *this,
-								  traffic_selector_t *ts, host_t **ip)
-{
-	enumerator_t *addrs;
-	host_t *host;
-	int family;
-	bool found = FALSE;
-
-	DBG2(DBG_KNL, "getting a local address in traffic selector %R", ts);
-
-	/* if we have a family which includes localhost, we do not
-	 * search for an IP, we use the default */
-	family = ts->get_type(ts) == TS_IPV4_ADDR_RANGE ? AF_INET : AF_INET6;
-
-	if (family == AF_INET)
-	{
-		host = host_create_from_string("127.0.0.1", 0);
-	}
-	else
-	{
-		host = host_create_from_string("::1", 0);
-	}
-
-	if (ts->includes(ts, host))
-	{
-		*ip = host_create_any(family);
-		host->destroy(host);
-		DBG2(DBG_KNL, "using host %H", *ip);
-		return SUCCESS;
-	}
-	host->destroy(host);
-
-	addrs = create_address_enumerator(this, TRUE, TRUE);
-	while (addrs->enumerate(addrs, (void**)&host))
-	{
-		if (ts->includes(ts, host))
-		{
-			found = TRUE;
-			*ip = host->clone(host);
-			break;
-		}
-	}
-	addrs->destroy(addrs);
-
-	if (!found)
-	{
-		DBG1(DBG_KNL, "no local address found in traffic selector %R", ts);
-		return FAILED;
-	}
-
-	DBG2(DBG_KNL, "using host %H", *ip);
-	return SUCCESS;
-}
-
-
-/**
- * Implementation of kernel_interface_t.add_ipsec_interface.
- */
-static void add_ipsec_interface(private_kernel_interface_t *this,
-		kernel_ipsec_constructor_t constructor)
-{
-	if (!this->ipsec)
-	{
-		this->ipsec = constructor();
-	}
-}
-
-/**
- * Implementation of kernel_interface_t.remove_ipsec_interface.
- */
-static void remove_ipsec_interface(private_kernel_interface_t *this,
-		kernel_ipsec_constructor_t constructor)
-{
-	/* TODO: replace if interface currently in use */
-}
-
-/**
- * Implementation of kernel_interface_t.add_net_interface.
- */
-static void add_net_interface(private_kernel_interface_t *this,
-		kernel_net_constructor_t constructor)
-{
-	if (!this->net)
-	{
-		this->net = constructor();
-	}
-}
-
-/**
- * Implementation of kernel_interface_t.remove_net_interface.
- */
-static void remove_net_interface(private_kernel_interface_t *this,
-		kernel_net_constructor_t constructor)
-{
-	/* TODO: replace if interface currently in use */
-}
-
-/**
- * Implementation of kernel_interface_t.destroy.
- */
-static void destroy(private_kernel_interface_t *this)
-{
-	DESTROY_IF(this->ipsec);
-	DESTROY_IF(this->net);
-	free(this);
-}
-
-/*
- * Described in header-file
- */
-kernel_interface_t *kernel_interface_create()
-{
-	private_kernel_interface_t *this = malloc_thing(private_kernel_interface_t);
-
-	this->public.get_spi = (status_t(*)(kernel_interface_t*,host_t*,host_t*,protocol_id_t,u_int32_t,u_int32_t*))get_spi;
-	this->public.get_cpi = (status_t(*)(kernel_interface_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
-	this->public.add_sa  = (status_t(*)(kernel_interface_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,lifetime_cfg_t*,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool,traffic_selector_t*,traffic_selector_t*))add_sa;
-	this->public.update_sa = (status_t(*)(kernel_interface_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa;
-	this->public.query_sa = (status_t(*)(kernel_interface_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int64_t*))query_sa;
-	this->public.del_sa = (status_t(*)(kernel_interface_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
-	this->public.add_policy = (status_t(*)(kernel_interface_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t,protocol_id_t,u_int32_t,ipsec_mode_t,u_int16_t,u_int16_t,bool))add_policy;
-	this->public.query_policy = (status_t(*)(kernel_interface_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
-	this->public.del_policy = (status_t(*)(kernel_interface_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,bool))del_policy;
-
-	this->public.get_source_addr = (host_t*(*)(kernel_interface_t*, host_t *dest, host_t *src))get_source_addr;
-	this->public.get_nexthop = (host_t*(*)(kernel_interface_t*, host_t *dest))get_nexthop;
-	this->public.get_interface = (char*(*)(kernel_interface_t*,host_t*))get_interface;
-	this->public.create_address_enumerator = (enumerator_t*(*)(kernel_interface_t*,bool,bool))create_address_enumerator;
-	this->public.add_ip = (status_t(*)(kernel_interface_t*,host_t*,host_t*)) add_ip;
-	this->public.del_ip = (status_t(*)(kernel_interface_t*,host_t*)) del_ip;
-	this->public.add_route = (status_t(*)(kernel_interface_t*,chunk_t,u_int8_t,host_t*,host_t*,char*)) add_route;
-	this->public.del_route = (status_t(*)(kernel_interface_t*,chunk_t,u_int8_t,host_t*,host_t*,char*)) del_route;
-
-	this->public.get_address_by_ts = (status_t(*)(kernel_interface_t*,traffic_selector_t*,host_t**))get_address_by_ts;
-
-	this->public.add_ipsec_interface = (void(*)(kernel_interface_t*, kernel_ipsec_constructor_t))add_ipsec_interface;
-	this->public.remove_ipsec_interface = (void(*)(kernel_interface_t*, kernel_ipsec_constructor_t))remove_ipsec_interface;
-	this->public.add_net_interface = (void(*)(kernel_interface_t*, kernel_net_constructor_t))add_net_interface;
-	this->public.remove_net_interface = (void(*)(kernel_interface_t*, kernel_net_constructor_t))remove_net_interface;
-
-	this->public.destroy = (void (*)(kernel_interface_t*))destroy;
-
-	this->ipsec = NULL;
-	this->net = NULL;
-
-	return &this->public;
-}
diff --git a/src/charon/kernel/kernel_interface.h b/src/charon/kernel/kernel_interface.h
deleted file mode 100644
index c39246e72..000000000
--- a/src/charon/kernel/kernel_interface.h
+++ /dev/null
@@ -1,389 +0,0 @@
-/*
- * Copyright (C) 2006-2009 Tobias Brunner
- * Copyright (C) 2006 Daniel Roethlisberger
- * Copyright (C) 2005-2006 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup kernel_interface kernel_interface
- * @{ @ingroup kernel
- */
-
-#ifndef KERNEL_INTERFACE_H_
-#define KERNEL_INTERFACE_H_
-
-typedef struct kernel_interface_t kernel_interface_t;
-
-#include <utils/host.h>
-#include <crypto/prf_plus.h>
-#include <encoding/payloads/proposal_substructure.h>
-
-#include <kernel/kernel_ipsec.h>
-#include <kernel/kernel_net.h>
-
-/**
- * Constructor function for ipsec kernel interface
- */
-typedef kernel_ipsec_t* (*kernel_ipsec_constructor_t)(void);
-
-/**
- * Constructor function for network kernel interface
- */
-typedef kernel_net_t* (*kernel_net_constructor_t)(void);
-
-/**
- * Manager and wrapper for different kernel interfaces.
- *
- * The kernel interface handles the communication with the kernel
- * for SA and policy management and interface and IP address management.
- */
-struct kernel_interface_t {
-
-	/**
-	 * Get a SPI from the kernel.
-	 *
-	 * @param src		source address of SA
-	 * @param dst		destination address of SA
-	 * @param protocol	protocol for SA (ESP/AH)
-	 * @param reqid		unique ID for this SA
-	 * @param spi		allocated spi
-	 * @return				SUCCESS if operation completed
-	 */
-	status_t (*get_spi)(kernel_interface_t *this, host_t *src, host_t *dst,
-						protocol_id_t protocol, u_int32_t reqid, u_int32_t *spi);
-
-	/**
-	 * Get a Compression Parameter Index (CPI) from the kernel.
-	 *
-	 * @param src		source address of SA
-	 * @param dst		destination address of SA
-	 * @param reqid		unique ID for the corresponding SA
-	 * @param cpi		allocated cpi
-	 * @return				SUCCESS if operation completed
-	 */
-	status_t (*get_cpi)(kernel_interface_t *this, host_t *src, host_t *dst,
-						u_int32_t reqid, u_int16_t *cpi);
-
-	/**
-	 * Add an SA to the SAD.
-	 *
-	 * add_sa() may update an already allocated
-	 * SPI (via get_spi). In this case, the replace
-	 * flag must be set.
-	 * This function does install a single SA for a
-	 * single protocol in one direction.
-	 *
-	 * @param src			source address for this SA
-	 * @param dst			destination address for this SA
-	 * @param spi			SPI allocated by us or remote peer
-	 * @param protocol		protocol for this SA (ESP/AH)
-	 * @param reqid			unique ID for this SA
-	 * @param lifetime		lifetime_cfg_t for this SA
-	 * @param enc_alg		Algorithm to use for encryption (ESP only)
-	 * @param enc_key		key to use for encryption
-	 * @param int_alg		Algorithm to use for integrity protection
-	 * @param int_key		key to use for integrity protection
-	 * @param mode			mode of the SA (tunnel, transport)
-	 * @param ipcomp		IPComp transform to use
-	 * @param cpi			CPI for IPComp
-	 * @param encap			enable UDP encapsulation for NAT traversal
-	 * @param inbound		TRUE if this is an inbound SA
-	 * @param src_ts		traffic selector with BEET source address
-	 * @param dst_ts		traffic selector with BEET destination address
-	 * @return				SUCCESS if operation completed
-	 */
-	status_t (*add_sa) (kernel_interface_t *this,
-						host_t *src, host_t *dst, u_int32_t spi,
-						protocol_id_t protocol, u_int32_t reqid,
-						lifetime_cfg_t *lifetime,
-						u_int16_t enc_alg, chunk_t enc_key,
-						u_int16_t int_alg, chunk_t int_key,
-						ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
-						bool encap, bool inbound,
-						traffic_selector_t *src_ts, traffic_selector_t *dst_ts);
-
-	/**
-	 * Update the hosts on an installed SA.
-	 *
-	 * We cannot directly update the destination address as the kernel
-	 * requires the spi, the protocol AND the destination address (and family)
-	 * to identify SAs. Therefore if the destination address changed we
-	 * create a new SA and delete the old one.
-	 *
-	 * @param spi			SPI of the SA
-	 * @param protocol		protocol for this SA (ESP/AH)
-	 * @param cpi			CPI for IPComp, 0 if no IPComp is used
-	 * @param src			current source address
-	 * @param dst			current destination address
-	 * @param new_src		new source address
-	 * @param new_dst		new destination address
-	 * @param encap			current use of UDP encapsulation
-	 * @param new_encap		new use of UDP encapsulation
-	 * @return				SUCCESS if operation completed, NOT_SUPPORTED if
-	 *					  the kernel interface can't update the SA
-	 */
-	status_t (*update_sa)(kernel_interface_t *this,
-						  u_int32_t spi, protocol_id_t protocol, u_int16_t cpi,
-						  host_t *src, host_t *dst,
-						  host_t *new_src, host_t *new_dst,
-						  bool encap, bool new_encap);
-
-	/**
-	 * Query the number of bytes processed by an SA from the SAD.
-	 *
-	 * @param src			source address for this SA
-	 * @param dst			destination address for this SA
-	 * @param spi			SPI allocated by us or remote peer
-	 * @param protocol		protocol for this SA (ESP/AH)
-	 * @param[out] bytes	the number of bytes processed by SA
-	 * @return				SUCCESS if operation completed
-	 */
-	status_t (*query_sa) (kernel_interface_t *this, host_t *src, host_t *dst,
-						  u_int32_t spi, protocol_id_t protocol, u_int64_t *bytes);
-
-	/**
-	 * Delete a previously installed SA from the SAD.
-	 *
-	 * @param src			source address for this SA
-	 * @param dst			destination address for this SA
-	 * @param spi			SPI allocated by us or remote peer
-	 * @param protocol		protocol for this SA (ESP/AH)
-	 * @param cpi			CPI for IPComp or 0
-	 * @return				SUCCESS if operation completed
-	 */
-	status_t (*del_sa) (kernel_interface_t *this, host_t *src, host_t *dst,
-						u_int32_t spi, protocol_id_t protocol, u_int16_t cpi);
-
-	/**
-	 * Add a policy to the SPD.
-	 *
-	 * A policy is always associated to an SA. Traffic which matches a
-	 * policy is handled by the SA with the same reqid.
-	 *
-	 * @param src			source address of SA
-	 * @param dst			dest address of SA
-	 * @param src_ts		traffic selector to match traffic source
-	 * @param dst_ts		traffic selector to match traffic dest
-	 * @param direction		direction of traffic, POLICY_IN, POLICY_OUT, POLICY_FWD
-	 * @param spi			SPI of SA
-	 * @param protocol		protocol to use to protect traffic (AH/ESP)
-	 * @param reqid			unique ID of an SA to use to enforce policy
-	 * @param mode			mode of SA (tunnel, transport)
-	 * @param ipcomp		the IPComp transform used
-	 * @param cpi			CPI for IPComp
-	 * @param routed		TRUE, if this policy is routed in the kernel
-	 * @return				SUCCESS if operation completed
-	 */
-	status_t (*add_policy) (kernel_interface_t *this,
-							host_t *src, host_t *dst,
-							traffic_selector_t *src_ts,
-							traffic_selector_t *dst_ts,
-							policy_dir_t direction, u_int32_t spi,
-							protocol_id_t protocol, u_int32_t reqid,
-							ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
-							bool routed);
-
-	/**
-	 * Query the use time of a policy.
-	 *
-	 * The use time of a policy is the time the policy was used
-	 * for the last time.
-	 *
-	 * @param src_ts		traffic selector to match traffic source
-	 * @param dst_ts		traffic selector to match traffic dest
-	 * @param direction		direction of traffic, POLICY_IN, POLICY_OUT, POLICY_FWD
-	 * @param[out] use_time	the time of this SA's last use
-	 * @return				SUCCESS if operation completed
-	 */
-	status_t (*query_policy) (kernel_interface_t *this,
-							  traffic_selector_t *src_ts,
-							  traffic_selector_t *dst_ts,
-							  policy_dir_t direction, u_int32_t *use_time);
-
-	/**
-	 * Remove a policy from the SPD.
-	 *
-	 * The kernel interface implements reference counting for policies.
-	 * If the same policy is installed multiple times (in the case of rekeying),
-	 * the reference counter is increased. del_policy() decreases the ref counter
-	 * and removes the policy only when no more references are available.
-	 *
-	 * @param src_ts		traffic selector to match traffic source
-	 * @param dst_ts		traffic selector to match traffic dest
-	 * @param direction		direction of traffic, POLICY_IN, POLICY_OUT, POLICY_FWD
-	 * @param unrouted		TRUE, if this policy is unrouted from the kernel
-	 * @return				SUCCESS if operation completed
-	 */
-	status_t (*del_policy) (kernel_interface_t *this,
-							traffic_selector_t *src_ts,
-							traffic_selector_t *dst_ts,
-							policy_dir_t direction,
-							bool unrouted);
-
-	/**
-	 * Get our outgoing source address for a destination.
-	 *
-	 * Does a route lookup to get the source address used to reach dest.
-	 * The returned host is allocated and must be destroyed.
-	 * An optional src address can be used to check if a route is available
-	 * for given source to dest.
-	 *
-	 * @param dest			target destination address
-	 * @param src			source address to check, or NULL
-	 * @return				outgoing source address, NULL if unreachable
-	 */
-	host_t* (*get_source_addr)(kernel_interface_t *this,
-							   host_t *dest, host_t *src);
-
-	/**
-	 * Get the next hop for a destination.
-	 *
-	 * Does a route lookup to get the next hop used to reach dest.
-	 * The returned host is allocated and must be destroyed.
-	 *
-	 * @param dest			target destination address
-	 * @return				next hop address, NULL if unreachable
-	 */
-	host_t* (*get_nexthop)(kernel_interface_t *this, host_t *dest);
-
-	/**
-	 * Get the interface name of a local address.
-	 *
-	 * @param host			address to get interface name from
-	 * @return 				allocated interface name, or NULL if not found
-	 */
-	char* (*get_interface) (kernel_interface_t *this, host_t *host);
-
-	/**
-	 * Creates an enumerator over all local addresses.
-	 *
-	 * This function blocks an internal cached address list until the
-	 * enumerator gets destroyed.
-	 * The hosts are read-only, do not modify of free.
-	 *
-	 * @param include_down_ifaces	TRUE to enumerate addresses from down interfaces
-	 * @param include_virtual_ips	TRUE to enumerate virtual ip addresses
-	 * @return						enumerator over host_t's
-	 */
-	enumerator_t *(*create_address_enumerator) (kernel_interface_t *this,
-						bool include_down_ifaces, bool include_virtual_ips);
-
-	/**
-	 * Add a virtual IP to an interface.
-	 *
-	 * Virtual IPs are attached to an interface. If an IP is added multiple
-	 * times, the IP is refcounted and not removed until del_ip() was called
-	 * as many times as add_ip().
-	 * The virtual IP is attached to the interface where the iface_ip is found.
-	 *
-	 * @param virtual_ip	virtual ip address to assign
-	 * @param iface_ip		IP of an interface to attach virtual IP
-	 * @return				SUCCESS if operation completed
-	 */
-	status_t (*add_ip) (kernel_interface_t *this, host_t *virtual_ip,
-						host_t *iface_ip);
-
-	/**
-	 * Remove a virtual IP from an interface.
-	 *
-	 * The kernel interface uses refcounting, see add_ip().
-	 *
-	 * @param virtual_ip	virtual ip address to assign
-	 * @return				SUCCESS if operation completed
-	 */
-	status_t (*del_ip) (kernel_interface_t *this, host_t *virtual_ip);
-
-	/**
-	 * Add a route.
-	 *
-	 * @param dst_net		destination net
-	 * @param prefixlen		destination net prefix length
-	 * @param gateway		gateway for this route
-	 * @param src_ip		sourc ip of the route
-	 * @param if_name		name of the interface the route is bound to
-	 * @return				SUCCESS if operation completed
-	 * 						ALREADY_DONE if the route already exists
-	 */
-	status_t (*add_route) (kernel_interface_t *this, chunk_t dst_net, u_int8_t prefixlen,
-								host_t *gateway, host_t *src_ip, char *if_name);
-
-	/**
-	 * Delete a route.
-	 *
-	 * @param dst_net		destination net
-	 * @param prefixlen		destination net prefix length
-	 * @param gateway		gateway for this route
-	 * @param src_ip		sourc ip of the route
-	 * @param if_name		name of the interface the route is bound to
-	 * @return				SUCCESS if operation completed
-	 */
-	status_t (*del_route) (kernel_interface_t *this, chunk_t dst_net, u_int8_t prefixlen,
-								host_t *gateway, host_t *src_ip, char *if_name);
-
-	/**
-	 * manager methods
-	 */
-
-	/**
-	 * Tries to find an ip address of a local interface that is included in the
-	 * supplied traffic selector.
-	 *
-	 * @param ts			traffic selector
-	 * @param ip			returned ip (has to be destroyed)
-	 * @return				SUCCESS if address found
-	 */
-	status_t (*get_address_by_ts) (kernel_interface_t *this,
-										traffic_selector_t *ts, host_t **ip);
-
-	/**
-	 * Register an ipsec kernel interface constructor on the manager.
-	 *
-	 * @param create			constructor to register
-	 */
-	void (*add_ipsec_interface)(kernel_interface_t *this, kernel_ipsec_constructor_t create);
-
-	/**
-	 * Unregister an ipsec kernel interface constructor.
-	 *
-	 * @param create			constructor to unregister
-	 */
-	void (*remove_ipsec_interface)(kernel_interface_t *this, kernel_ipsec_constructor_t create);
-
-	/**
-	 * Register a network kernel interface constructor on the manager.
-	 *
-	 * @param create			constructor to register
-	 */
-	void (*add_net_interface)(kernel_interface_t *this, kernel_net_constructor_t create);
-
-	/**
-	 * Unregister a network kernel interface constructor.
-	 *
-	 * @param create			constructor to unregister
-	 */
-	void (*remove_net_interface)(kernel_interface_t *this, kernel_net_constructor_t create);
-
-	/**
-	 * Destroys a kernel_interface_manager_t object.
-	 */
-	void (*destroy) (kernel_interface_t *this);
-};
-
-/**
- * Creates an object of type kernel_interface_t.
- */
-kernel_interface_t *kernel_interface_create(void);
-
-#endif /** KERNEL_INTERFACE_H_ @}*/
diff --git a/src/charon/kernel/kernel_ipsec.c b/src/charon/kernel/kernel_ipsec.c
deleted file mode 100644
index 5b0335b16..000000000
--- a/src/charon/kernel/kernel_ipsec.c
+++ /dev/null
@@ -1,29 +0,0 @@
-/*
- * Copyright (C) 2008 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "kernel_ipsec.h"
-
-ENUM(ipsec_mode_names, MODE_TRANSPORT, MODE_BEET,
-	"TRANSPORT",
-	"TUNNEL",
-	"BEET",
-);
-
-ENUM(policy_dir_names, POLICY_IN, POLICY_FWD,
-	"in",
-	"out",
-	"fwd"
-);
-
diff --git a/src/charon/kernel/kernel_ipsec.h b/src/charon/kernel/kernel_ipsec.h
deleted file mode 100644
index 73ad29b0e..000000000
--- a/src/charon/kernel/kernel_ipsec.h
+++ /dev/null
@@ -1,273 +0,0 @@
-/*
- * Copyright (C) 2006-2009 Tobias Brunner
- * Copyright (C) 2006 Daniel Roethlisberger
- * Copyright (C) 2005-2006 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup kernel_ipsec kernel_ipsec
- * @{ @ingroup kernel
- */
-
-#ifndef KERNEL_IPSEC_H_
-#define KERNEL_IPSEC_H_
-
-typedef enum ipsec_mode_t ipsec_mode_t;
-typedef enum policy_dir_t policy_dir_t;
-typedef struct kernel_ipsec_t kernel_ipsec_t;
-
-#include <utils/host.h>
-#include <crypto/prf_plus.h>
-#include <config/proposal.h>
-#include <config/child_cfg.h>
-
-/**
- * Mode of a CHILD_SA.
- */
-enum ipsec_mode_t {
-	/** transport mode, no inner address */
-	MODE_TRANSPORT = 1,
-	/** tunnel mode, inner and outer addresses */
-	MODE_TUNNEL,
-	/** BEET mode, tunnel mode but fixed, bound inner addresses */
-	MODE_BEET,
-};
-
-/**
- * enum names for ipsec_mode_t.
- */
-extern enum_name_t *ipsec_mode_names;
-
-/**
- * Direction of a policy. These are equal to those
- * defined in xfrm.h, but we want to stay implementation
- * neutral here.
- */
-enum policy_dir_t {
-	/** Policy for inbound traffic */
-	POLICY_IN = 0,
-	/** Policy for outbound traffic */
-	POLICY_OUT = 1,
-	/** Policy for forwarded traffic */
-	POLICY_FWD = 2,
-};
-
-/**
- * enum names for policy_dir_t.
- */
-extern enum_name_t *policy_dir_names;
-
-/**
- * Interface to the ipsec subsystem of the kernel.
- *
- * The kernel ipsec interface handles the communication with the kernel
- * for SA and policy management. It allows setup of these, and provides
- * further the handling of kernel events.
- * Policy information are cached in the interface. This is necessary to do
- * reference counting. The Linux kernel does not allow the same policy
- * installed twice, but we need this as CHILD_SA exist multiple times
- * when rekeying. Thats why we do reference counting of policies.
- */
-struct kernel_ipsec_t {
-
-	/**
-	 * Get a SPI from the kernel.
-	 *
-	 * @param src		source address of SA
-	 * @param dst		destination address of SA
-	 * @param protocol	protocol for SA (ESP/AH)
-	 * @param reqid		unique ID for this SA
-	 * @param spi		allocated spi
-	 * @return				SUCCESS if operation completed
-	 */
-	status_t (*get_spi)(kernel_ipsec_t *this, host_t *src, host_t *dst,
-						protocol_id_t protocol, u_int32_t reqid, u_int32_t *spi);
-
-	/**
-	 * Get a Compression Parameter Index (CPI) from the kernel.
-	 *
-	 * @param src		source address of SA
-	 * @param dst		destination address of SA
-	 * @param reqid		unique ID for the corresponding SA
-	 * @param cpi		allocated cpi
-	 * @return				SUCCESS if operation completed
-	 */
-	status_t (*get_cpi)(kernel_ipsec_t *this, host_t *src, host_t *dst,
-						u_int32_t reqid, u_int16_t *cpi);
-
-	/**
-	 * Add an SA to the SAD.
-	 *
-	 * add_sa() may update an already allocated
-	 * SPI (via get_spi). In this case, the replace
-	 * flag must be set.
-	 * This function does install a single SA for a
-	 * single protocol in one direction.
-	 *
-	 * @param src			source address for this SA
-	 * @param dst			destination address for this SA
-	 * @param spi			SPI allocated by us or remote peer
-	 * @param protocol		protocol for this SA (ESP/AH)
-	 * @param reqid			unique ID for this SA
-	 * @param lifetime		lifetime_cfg_t for this SA
-	 * @param enc_alg		Algorithm to use for encryption (ESP only)
-	 * @param enc_key		key to use for encryption
-	 * @param int_alg		Algorithm to use for integrity protection
-	 * @param int_key		key to use for integrity protection
-	 * @param mode			mode of the SA (tunnel, transport)
-	 * @param ipcomp		IPComp transform to use
-	 * @param cpi			CPI for IPComp
-	 * @param encap			enable UDP encapsulation for NAT traversal
-	 * @param inbound		TRUE if this is an inbound SA
-	 * @param src_ts		traffic selector with BEET source address
-	 * @param dst_ts		traffic selector with BEET destination address
-	 * @return				SUCCESS if operation completed
-	 */
-	status_t (*add_sa) (kernel_ipsec_t *this,
-						host_t *src, host_t *dst, u_int32_t spi,
-						protocol_id_t protocol, u_int32_t reqid,
-						lifetime_cfg_t *lifetime,
-						u_int16_t enc_alg, chunk_t enc_key,
-						u_int16_t int_alg, chunk_t int_key,
-						ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
-						bool encap, bool inbound,
-						traffic_selector_t *src_ts, traffic_selector_t *dst_ts);
-
-	/**
-	 * Update the hosts on an installed SA.
-	 *
-	 * We cannot directly update the destination address as the kernel
-	 * requires the spi, the protocol AND the destination address (and family)
-	 * to identify SAs. Therefore if the destination address changed we
-	 * create a new SA and delete the old one.
-	 *
-	 * @param spi			SPI of the SA
-	 * @param protocol		protocol for this SA (ESP/AH)
-	 * @param cpi			CPI for IPComp, 0 if no IPComp is used
-	 * @param src			current source address
-	 * @param dst			current destination address
-	 * @param new_src		new source address
-	 * @param new_dst		new destination address
-	 * @param encap			current use of UDP encapsulation
-	 * @param new_encap		new use of UDP encapsulation
-	 * @return				SUCCESS if operation completed, NOT_SUPPORTED if
-	 *					  the kernel interface can't update the SA
-	 */
-	status_t (*update_sa)(kernel_ipsec_t *this,
-						  u_int32_t spi, protocol_id_t protocol, u_int16_t cpi,
-						  host_t *src, host_t *dst,
-						  host_t *new_src, host_t *new_dst,
-						  bool encap, bool new_encap);
-
-	/**
-	 * Query the number of bytes processed by an SA from the SAD.
-	 *
-	 * @param src			source address for this SA
-	 * @param dst			destination address for this SA
-	 * @param spi			SPI allocated by us or remote peer
-	 * @param protocol		protocol for this SA (ESP/AH)
-	 * @param[out] bytes	the number of bytes processed by SA
-	 * @return				SUCCESS if operation completed
-	 */
-	status_t (*query_sa) (kernel_ipsec_t *this, host_t *src, host_t *dst,
-						  u_int32_t spi, protocol_id_t protocol, u_int64_t *bytes);
-
-	/**
-	 * Delete a previusly installed SA from the SAD.
-	 *
-	 * @param src			source address for this SA
-	 * @param dst			destination address for this SA
-	 * @param spi			SPI allocated by us or remote peer
-	 * @param protocol		protocol for this SA (ESP/AH)
-	 * @param cpi			CPI for IPComp or 0
-	 * @return				SUCCESS if operation completed
-	 */
-	status_t (*del_sa) (kernel_ipsec_t *this, host_t *src, host_t *dst,
-						u_int32_t spi, protocol_id_t protocol, u_int16_t cpi);
-
-	/**
-	 * Add a policy to the SPD.
-	 *
-	 * A policy is always associated to an SA. Traffic which matches a
-	 * policy is handled by the SA with the same reqid.
-	 *
-	 * @param src			source address of SA
-	 * @param dst			dest address of SA
-	 * @param src_ts		traffic selector to match traffic source
-	 * @param dst_ts		traffic selector to match traffic dest
-	 * @param direction		direction of traffic, POLICY_IN, POLICY_OUT, POLICY_FWD
-	 * @param spi			SPI of SA
-	 * @param protocol		protocol to use to protect traffic (AH/ESP)
-	 * @param reqid			unique ID of an SA to use to enforce policy
-	 * @param mode			mode of SA (tunnel, transport)
-	 * @param ipcomp		the IPComp transform used
-	 * @param cpi			CPI for IPComp
-	 * @param routed		TRUE, if this policy is routed in the kernel
-	 * @return				SUCCESS if operation completed
-	 */
-	status_t (*add_policy) (kernel_ipsec_t *this,
-							host_t *src, host_t *dst,
-							traffic_selector_t *src_ts,
-							traffic_selector_t *dst_ts,
-							policy_dir_t direction, u_int32_t spi,
-							protocol_id_t protocol, u_int32_t reqid,
-							ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
-							bool routed);
-
-	/**
-	 * Query the use time of a policy.
-	 *
-	 * The use time of a policy is the time the policy was used for the last
-	 * time. It is not the system time, but a monotonic timestamp as returned
-	 * by time_monotonic.
-	 *
-	 * @param src_ts		traffic selector to match traffic source
-	 * @param dst_ts		traffic selector to match traffic dest
-	 * @param direction		direction of traffic, POLICY_IN, POLICY_OUT, POLICY_FWD
-	 * @param[out] use_time	the monotonic timestamp of this SA's last use
-	 * @return				SUCCESS if operation completed
-	 */
-	status_t (*query_policy) (kernel_ipsec_t *this,
-							  traffic_selector_t *src_ts,
-							  traffic_selector_t *dst_ts,
-							  policy_dir_t direction, u_int32_t *use_time);
-
-	/**
-	 * Remove a policy from the SPD.
-	 *
-	 * The kernel interface implements reference counting for policies.
-	 * If the same policy is installed multiple times (in the case of rekeying),
-	 * the reference counter is increased. del_policy() decreases the ref counter
-	 * and removes the policy only when no more references are available.
-	 *
-	 * @param src_ts		traffic selector to match traffic source
-	 * @param dst_ts		traffic selector to match traffic dest
-	 * @param direction		direction of traffic, POLICY_IN, POLICY_OUT, POLICY_FWD
-	 * @param unrouted		TRUE, if this policy is unrouted from the kernel
-	 * @return				SUCCESS if operation completed
-	 */
-	status_t (*del_policy) (kernel_ipsec_t *this,
-							traffic_selector_t *src_ts,
-							traffic_selector_t *dst_ts,
-							policy_dir_t direction,
-							bool unrouted);
-
-	/**
-	 * Destroy the implementation.
-	 */
-	void (*destroy) (kernel_ipsec_t *this);
-};
-
-#endif /** KERNEL_IPSEC_H_ @}*/
diff --git a/src/charon/kernel/kernel_net.h b/src/charon/kernel/kernel_net.h
deleted file mode 100644
index efb221f88..000000000
--- a/src/charon/kernel/kernel_net.h
+++ /dev/null
@@ -1,143 +0,0 @@
-/*
- * Copyright (C) 2008 Tobias Brunner
- * Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup kernel_net kernel_net
- * @{ @ingroup kernel
- */
-
-#ifndef KERNEL_NET_H_
-#define KERNEL_NET_H_
-
-typedef struct kernel_net_t kernel_net_t;
-
-#include <utils/enumerator.h>
-#include <utils/host.h>
-
-/**
- * Interface to the network subsystem of the kernel.
- *
- * The kernel network interface handles the communication with the kernel
- * for interface and IP address management.
- */
-struct kernel_net_t {
-
-	/**
-	 * Get our outgoing source address for a destination.
-	 *
-	 * Does a route lookup to get the source address used to reach dest.
-	 * The returned host is allocated and must be destroyed.
-	 * An optional src address can be used to check if a route is available
-	 * for given source to dest.
-	 *
-	 * @param dest			target destination address
-	 * @param src			source address to check, or NULL
-	 * @return				outgoing source address, NULL if unreachable
-	 */
-	host_t* (*get_source_addr)(kernel_net_t *this, host_t *dest, host_t *src);
-
-	/**
-	 * Get the next hop for a destination.
-	 *
-	 * Does a route lookup to get the next hop used to reach dest.
-	 * The returned host is allocated and must be destroyed.
-	 *
-	 * @param dest			target destination address
-	 * @return				next hop address, NULL if unreachable
-	 */
-	host_t* (*get_nexthop)(kernel_net_t *this, host_t *dest);
-
-	/**
-	 * Get the interface name of a local address.
-	 *
-	 * @param host			address to get interface name from
-	 * @return 				allocated interface name, or NULL if not found
-	 */
-	char* (*get_interface) (kernel_net_t *this, host_t *host);
-
-	/**
-	 * Creates an enumerator over all local addresses.
-	 *
-	 * This function blocks an internal cached address list until the
-	 * enumerator gets destroyed.
-	 * The hosts are read-only, do not modify of free.
-	 *
-	 * @param include_down_ifaces	TRUE to enumerate addresses from down interfaces
-	 * @param include_virtual_ips	TRUE to enumerate virtual ip addresses
-	 * @return						enumerator over host_t's
-	 */
-	enumerator_t *(*create_address_enumerator) (kernel_net_t *this,
-						bool include_down_ifaces, bool include_virtual_ips);
-
-	/**
-	 * Add a virtual IP to an interface.
-	 *
-	 * Virtual IPs are attached to an interface. If an IP is added multiple
-	 * times, the IP is refcounted and not removed until del_ip() was called
-	 * as many times as add_ip().
-	 * The virtual IP is attached to the interface where the iface_ip is found.
-	 *
-	 * @param virtual_ip	virtual ip address to assign
-	 * @param iface_ip		IP of an interface to attach virtual IP
-	 * @return				SUCCESS if operation completed
-	 */
-	status_t (*add_ip) (kernel_net_t *this, host_t *virtual_ip,
-						host_t *iface_ip);
-
-	/**
-	 * Remove a virtual IP from an interface.
-	 *
-	 * The kernel interface uses refcounting, see add_ip().
-	 *
-	 * @param virtual_ip	virtual ip address to assign
-	 * @return				SUCCESS if operation completed
-	 */
-	status_t (*del_ip) (kernel_net_t *this, host_t *virtual_ip);
-
-	/**
-	 * Add a route.
-	 *
-	 * @param dst_net		destination net
-	 * @param prefixlen		destination net prefix length
-	 * @param gateway		gateway for this route
-	 * @param src_ip		sourc ip of the route
-	 * @param if_name		name of the interface the route is bound to
-	 * @return				SUCCESS if operation completed
-	 * 						ALREADY_DONE if the route already exists
-	 */
-	status_t (*add_route) (kernel_net_t *this, chunk_t dst_net, u_int8_t prefixlen,
-								host_t *gateway, host_t *src_ip, char *if_name);
-
-	/**
-	 * Delete a route.
-	 *
-	 * @param dst_net		destination net
-	 * @param prefixlen		destination net prefix length
-	 * @param gateway		gateway for this route
-	 * @param src_ip		sourc ip of the route
-	 * @param if_name		name of the interface the route is bound to
-	 * @return				SUCCESS if operation completed
-	 */
-	status_t (*del_route) (kernel_net_t *this, chunk_t dst_net, u_int8_t prefixlen,
-								host_t *gateway, host_t *src_ip, char *if_name);
-
-	/**
-	 * Destroy the implementation.
-	 */
-	void (*destroy) (kernel_net_t *this);
-};
-
-#endif /** KERNEL_NET_H_ @}*/
diff --git a/src/charon/network/packet.c b/src/charon/network/packet.c
deleted file mode 100644
index 19a62603d..000000000
--- a/src/charon/network/packet.c
+++ /dev/null
@@ -1,159 +0,0 @@
-/*
- * Copyright (C) 2005-2006 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "packet.h"
-
-typedef struct private_packet_t private_packet_t;
-
-/**
- * Private data of an packet_t object.
- */
-struct private_packet_t {
-
-	/**
-	 * Public part of a packet_t object.
-	 */
-	packet_t public;
-
-	/**
-	 * source address
-	 */
-	host_t *source;
-
-	/**
-	 * destination address
-	 */
-	host_t *destination;
-
-	 /**
-	  * message data
-	  */
-	chunk_t data;
-};
-
-/**
- * Implements packet_t.get_source
- */
-static void set_source(private_packet_t *this, host_t *source)
-{
-	DESTROY_IF(this->source);
-	this->source = source;
-}
-
-/**
- * Implements packet_t.set_destination
- */
-static void set_destination(private_packet_t *this, host_t *destination)
-{
-	DESTROY_IF(this->destination);
-	this->destination = destination;
-}
-
-/**
- * Implements packet_t.get_source
- */
-static host_t *get_source(private_packet_t *this)
-{
-	return this->source;
-}
-
-/**
- * Implements packet_t.get_destination
- */
-static host_t *get_destination(private_packet_t *this)
-{
-	return this->destination;
-}
-
-/**
- * Implements packet_t.get_data
- */
-static chunk_t get_data(private_packet_t *this)
-{
-	return this->data;
-}
-
-/**
- * Implements packet_t.set_data
- */
-static void set_data(private_packet_t *this, chunk_t data)
-{
-	free(this->data.ptr);
-	this->data = data;
-}
-
-/**
- * Implements packet_t.destroy.
- */
-static void destroy(private_packet_t *this)
-{
-	if (this->source != NULL)
-	{
-		this->source->destroy(this->source);
-	}
-	if (this->destination != NULL)
-	{
-		this->destination->destroy(this->destination);
-	}
-	free(this->data.ptr);
-	free(this);
-}
-
-/**
- * Implements packet_t.clone.
- */
-static packet_t *clone_(private_packet_t *this)
-{
-	private_packet_t *other = (private_packet_t*)packet_create();
-
-	if (this->destination != NULL)
-	{
-		other->destination = this->destination->clone(this->destination);
-	}
-	if (this->source != NULL)
-	{
-		other->source = this->source->clone(this->source);
-	}
-	if (this->data.ptr != NULL)
-	{
-		other->data.ptr = clalloc(this->data.ptr,this->data.len);
-		other->data.len = this->data.len;
-	}
-	return &(other->public);
-}
-
-/*
- * Documented in header
- */
-packet_t *packet_create(void)
-{
-	private_packet_t *this = malloc_thing(private_packet_t);
-
-	this->public.set_data = (void(*) (packet_t *,chunk_t)) set_data;
-	this->public.get_data = (chunk_t(*) (packet_t *)) get_data;
-	this->public.set_source = (void(*) (packet_t *,host_t*)) set_source;
-	this->public.get_source = (host_t*(*) (packet_t *)) get_source;
-	this->public.set_destination = (void(*) (packet_t *,host_t*)) set_destination;
-	this->public.get_destination = (host_t*(*) (packet_t *)) get_destination;
-	this->public.clone = (packet_t*(*) (packet_t *))clone_;
-	this->public.destroy = (void(*) (packet_t *)) destroy;
-
-	this->destination = NULL;
-	this->source = NULL;
-	this->data = chunk_empty;
-
-	return &(this->public);
-}
diff --git a/src/charon/network/packet.h b/src/charon/network/packet.h
deleted file mode 100644
index 18d82c6fc..000000000
--- a/src/charon/network/packet.h
+++ /dev/null
@@ -1,115 +0,0 @@
-/*
- * Copyright (C) 2005-2006 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup packet packet
- * @{ @ingroup network
- */
-
-#ifndef PACKET_H_
-#define PACKET_H_
-
-typedef struct packet_t packet_t;
-
-#include <library.h>
-#include <utils/host.h>
-
-/**
- * Abstraction of an UDP-Packet, contains data, sender and receiver.
- */
-struct packet_t {
-
-	/**
-	 * Set the source address.
-	 *
-	 * Set host_t is now owned by packet_t, it will destroy
-	 * it if necessary.
-	 *
-	 * @param source	address to set as source
-	 */
-	void (*set_source) (packet_t *packet, host_t *source);
-
-	/**
-	 * Set the destination address.
-	 *
-	 * Set host_t is now owned by packet_t, it will destroy
-	 * it if necessary.
-	 *
-	 * @param source	address to set as destination
-	 */
-	void (*set_destination) (packet_t *packet, host_t *destination);
-
-	/**
-	 * Get the source address.
-	 *
-	 * Set host_t is still owned by packet_t, clone it
-	 * if needed.
-	 *
-	 * @return			source address
-	 */
-	host_t *(*get_source) (packet_t *packet);
-
-	/**
-	 * Get the destination address.
-	 *
-	 * Set host_t is still owned by packet_t, clone it
-	 * if needed.
-	 *
-	 * @return			destination address
-	 */
-	host_t *(*get_destination) (packet_t *packet);
-
-	/**
-	 * Get the data from the packet.
-	 *
-	 * The data pointed by the chunk is still owned
-	 * by the packet. Clone it if needed.
-	 *
-	 * @return			chunk containing the data
-	 */
-	chunk_t (*get_data) (packet_t *packet);
-
-	/**
-	 * Set the data in the packet.
-	 *
-	 * Supplied chunk data is now owned by the
-	 * packet. It will free it.
-	 *
-	 * @param data		chunk with data to set
-	 */
-	void (*set_data) (packet_t *packet, chunk_t data);
-
-	/**
-	 * Clones a packet_t object.
-	 *
-	 * @param clone		clone of the packet
-	 */
-	packet_t* (*clone) (packet_t *packet);
-
-	/**
-	 * Destroy the packet, freeing contained data.
-	 */
-	void (*destroy) (packet_t *packet);
-};
-
-/**
- * create an empty packet
- *
- * @return packet_t object
- */
-packet_t *packet_create(void);
-
-#endif /** PACKET_H_ @}*/
diff --git a/src/charon/network/receiver.c b/src/charon/network/receiver.c
deleted file mode 100644
index 6cd99439b..000000000
--- a/src/charon/network/receiver.c
+++ /dev/null
@@ -1,389 +0,0 @@
-/*
- * Copyright (C) 2008 Tobias Brunner
- * Copyright (C) 2005-2006 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <stdlib.h>
-#include <unistd.h>
-
-#include "receiver.h"
-
-#include <daemon.h>
-#include <network/socket.h>
-#include <network/packet.h>
-#include <processing/jobs/job.h>
-#include <processing/jobs/process_message_job.h>
-#include <processing/jobs/callback_job.h>
-#include <crypto/hashers/hasher.h>
-
-/** lifetime of a cookie, in seconds */
-#define COOKIE_LIFETIME 10
-/** how many times to reuse the secret */
-#define COOKIE_REUSE 10000
-/** default value for private_receiver_t.cookie_threshold */
-#define COOKIE_THRESHOLD_DEFAULT 10
-/** default value for private_receiver_t.block_threshold */
-#define BLOCK_THRESHOLD_DEFAULT 5
-/** length of the secret to use for cookie calculation */
-#define SECRET_LENGTH 16
-
-typedef struct private_receiver_t private_receiver_t;
-
-/**
- * Private data of a receiver_t object.
- */
-struct private_receiver_t {
-	/**
-	 * Public part of a receiver_t object.
-	 */
-	receiver_t public;
-
-	/**
-	 * Threads job receiving packets
-	 */
-	callback_job_t *job;
-
-	/**
-	 * current secret to use for cookie calculation
-	 */
-	char secret[SECRET_LENGTH];
-
-	/**
-	 * previous secret used to verify older cookies
-	 */
-	char secret_old[SECRET_LENGTH];
-
-	/**
-	 * how many times we have used "secret" so far
-	 */
-	u_int32_t secret_used;
-
-	/**
-	 * time we did the cookie switch
-	 */
-	u_int32_t secret_switch;
-
-	/**
-	 * time offset to use, hides our system time
-	 */
-	u_int32_t secret_offset;
-
-	/**
-	 * the RNG to use for secret generation
-	 */
-	rng_t *rng;
-
-	/**
-	 * hasher to use for cookie calculation
-	 */
-	hasher_t *hasher;
-
-	/**
-	 * require cookies after this many half open IKE_SAs
-	 */
-	u_int32_t cookie_threshold;
-
-	/**
-	 * how many half open IKE_SAs per peer before blocking
-	 */
-	u_int32_t block_threshold;
-};
-
-/**
- * send a notify back to the sender
- */
-static void send_notify(message_t *request, notify_type_t type, chunk_t data)
-{
-	if (request->get_request(request) &&
-		request->get_exchange_type(request) == IKE_SA_INIT)
-	{
-		message_t *response;
-		host_t *src, *dst;
-		packet_t *packet;
-		ike_sa_id_t *ike_sa_id;
-
-		response = message_create();
-		dst = request->get_source(request);
-		src = request->get_destination(request);
-		response->set_source(response, src->clone(src));
-		response->set_destination(response, dst->clone(dst));
-		response->set_exchange_type(response, request->get_exchange_type(request));
-		response->set_request(response, FALSE);
-		response->set_message_id(response, 0);
-		ike_sa_id = request->get_ike_sa_id(request);
-		ike_sa_id->switch_initiator(ike_sa_id);
-		response->set_ike_sa_id(response, ike_sa_id);
-		response->add_notify(response, FALSE, type, data);
-		if (response->generate(response, NULL, NULL, &packet) == SUCCESS)
-		{
-			charon->sender->send(charon->sender, packet);
-			response->destroy(response);
-		}
-	}
-}
-
-/**
- * build a cookie
- */
-static chunk_t cookie_build(private_receiver_t *this, message_t *message,
-							u_int32_t t, chunk_t secret)
-{
-	u_int64_t spi = message->get_initiator_spi(message);
-	host_t *ip = message->get_source(message);
-	chunk_t input, hash;
-
-	/* COOKIE = t | sha1( IPi | SPIi | t | secret ) */
-	input = chunk_cata("cccc", ip->get_address(ip), chunk_from_thing(spi),
-					  chunk_from_thing(t), secret);
-	hash = chunk_alloca(this->hasher->get_hash_size(this->hasher));
-	this->hasher->get_hash(this->hasher, input, hash.ptr);
-	return chunk_cat("cc", chunk_from_thing(t), hash);
-}
-
-/**
- * verify a received cookie
- */
-static bool cookie_verify(private_receiver_t *this, message_t *message,
-						  chunk_t cookie)
-{
-	u_int32_t t, now;
-	chunk_t reference;
-	chunk_t secret;
-
-	now = time_monotonic(NULL);
-	t = *(u_int32_t*)cookie.ptr;
-
-	if (cookie.len != sizeof(u_int32_t) +
-			this->hasher->get_hash_size(this->hasher) ||
-		t < now - this->secret_offset - COOKIE_LIFETIME)
-	{
-		DBG2(DBG_NET, "received cookie lifetime expired, rejecting");
-		return FALSE;
-	}
-
-	/* check if cookie is derived from old_secret */
-	if (t + this->secret_offset > this->secret_switch)
-	{
-		secret = chunk_from_thing(this->secret);
-	}
-	else
-	{
-		secret = chunk_from_thing(this->secret_old);
-	}
-
-	/* compare own calculation against received */
-	reference = cookie_build(this, message, t, secret);
-	if (chunk_equals(reference, cookie))
-	{
-		chunk_free(&reference);
-		return TRUE;
-	}
-	chunk_free(&reference);
-	return FALSE;
-}
-
-/**
- * check if cookies are required, and if so, a valid cookie is included
- */
-static bool cookie_required(private_receiver_t *this, message_t *message)
-{
-	bool failed = FALSE;
-
-	if (charon->ike_sa_manager->get_half_open_count(charon->ike_sa_manager,
-												NULL) >= this->cookie_threshold)
-	{
-		/* check for a cookie. We don't use our parser here and do it
-		 * quick and dirty for performance reasons.
-		 * we assume the cookie is the first payload (which is a MUST), and
-		 * the cookie's SPI length is zero. */
-		packet_t *packet = message->get_packet(message);
-		chunk_t data = packet->get_data(packet);
-		if (data.len <
-			 IKE_HEADER_LENGTH + NOTIFY_PAYLOAD_HEADER_LENGTH +
-			 sizeof(u_int32_t) + this->hasher->get_hash_size(this->hasher) ||
-			*(data.ptr + 16) != NOTIFY ||
-			*(u_int16_t*)(data.ptr + IKE_HEADER_LENGTH + 6) != htons(COOKIE))
-		{
-			/* no cookie found */
-			failed = TRUE;
-		}
-		else
-		{
-			data.ptr += IKE_HEADER_LENGTH + NOTIFY_PAYLOAD_HEADER_LENGTH;
-			data.len = sizeof(u_int32_t) + this->hasher->get_hash_size(this->hasher);
-			if (!cookie_verify(this, message, data))
-			{
-				DBG2(DBG_NET, "found cookie, but content invalid");
-				failed = TRUE;
-			}
-		}
-		packet->destroy(packet);
-	}
-	return failed;
-}
-
-/**
- * check if peer has to many half open IKE_SAs
- */
-static bool peer_to_aggressive(private_receiver_t *this, message_t *message)
-{
-	if (charon->ike_sa_manager->get_half_open_count(charon->ike_sa_manager,
-						message->get_source(message)) >= this->block_threshold)
-	{
-		return TRUE;
-	}
-	return FALSE;
-}
-
-/**
- * Implementation of receiver_t.receive_packets.
- */
-static job_requeue_t receive_packets(private_receiver_t *this)
-{
-	packet_t *packet;
-	message_t *message;
-	job_t *job;
-
-	/* read in a packet */
-	if (charon->socket->receive(charon->socket, &packet) != SUCCESS)
-	{
-		DBG2(DBG_NET, "receiving from socket failed!");
-		return JOB_REQUEUE_FAIR;
-	}
-
-	/* parse message header */
-	message = message_create_from_packet(packet);
-	if (message->parse_header(message) != SUCCESS)
-	{
-		DBG1(DBG_NET, "received invalid IKE header from %H - ignored",
-			 packet->get_source(packet));
-		message->destroy(message);
-		return JOB_REQUEUE_DIRECT;
-	}
-
-	/* check IKE major version */
-	if (message->get_major_version(message) != IKE_MAJOR_VERSION)
-	{
-		DBG1(DBG_NET, "received unsupported IKE version %d.%d from %H, "
-			 "sending INVALID_MAJOR_VERSION", message->get_major_version(message),
-			 message->get_minor_version(message), packet->get_source(packet));
-		send_notify(message, INVALID_MAJOR_VERSION, chunk_empty);
-		message->destroy(message);
-		return JOB_REQUEUE_DIRECT;
-	}
-
-	if (message->get_request(message) &&
-		message->get_exchange_type(message) == IKE_SA_INIT)
-	{
-		/* check for cookies */
-		if (this->cookie_threshold && cookie_required(this, message))
-		{
-			u_int32_t now = time_monotonic(NULL);
-			chunk_t cookie = cookie_build(this, message, now - this->secret_offset,
-										  chunk_from_thing(this->secret));
-
-			DBG2(DBG_NET, "received packet from: %#H to %#H",
-				 message->get_source(message),
-				 message->get_destination(message));
-			DBG2(DBG_NET, "sending COOKIE notify to %H",
-				 message->get_source(message));
-			send_notify(message, COOKIE, cookie);
-			chunk_free(&cookie);
-			if (++this->secret_used > COOKIE_REUSE)
-			{
-				/* create new cookie */
-				DBG1(DBG_NET, "generating new cookie secret after %d uses",
-					 this->secret_used);
-				memcpy(this->secret_old, this->secret, SECRET_LENGTH);
-				this->rng->get_bytes(this->rng,	SECRET_LENGTH, this->secret);
-				this->secret_switch = now;
-				this->secret_used = 0;
-			}
-			message->destroy(message);
-			return JOB_REQUEUE_DIRECT;
-		}
-
-		/* check if peer has not too many IKE_SAs half open */
-		if (this->block_threshold && peer_to_aggressive(this, message))
-		{
-			DBG1(DBG_NET, "ignoring IKE_SA setup from %H, "
-				 "peer too aggressive", message->get_source(message));
-			message->destroy(message);
-			return JOB_REQUEUE_DIRECT;
-		}
-	}
-	job = (job_t*)process_message_job_create(message);
-	charon->processor->queue_job(charon->processor, job);
-	return JOB_REQUEUE_DIRECT;
-}
-
-/**
- * Implementation of receiver_t.destroy.
- */
-static void destroy(private_receiver_t *this)
-{
-	this->job->cancel(this->job);
-	this->rng->destroy(this->rng);
-	this->hasher->destroy(this->hasher);
-	free(this);
-}
-
-/*
- * Described in header.
- */
-receiver_t *receiver_create()
-{
-	private_receiver_t *this = malloc_thing(private_receiver_t);
-	u_int32_t now = time_monotonic(NULL);
-
-	this->public.destroy = (void(*)(receiver_t*)) destroy;
-
-	this->hasher = lib->crypto->create_hasher(lib->crypto, HASH_PREFERRED);
-	if (this->hasher == NULL)
-	{
-		DBG1(DBG_NET, "creating cookie hasher failed, no hashers supported");
-		free(this);
-		return NULL;
-	}
-	this->rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
-	if (this->rng == NULL)
-	{
-		DBG1(DBG_NET, "creating cookie RNG failed, no RNG supported");
-		this->hasher->destroy(this->hasher);
-		free(this);
-		return NULL;
-	}
-	this->secret_switch = now;
-	this->secret_offset = random() % now;
-	this->secret_used = 0;
-	this->rng->get_bytes(this->rng, SECRET_LENGTH, this->secret);
-	memcpy(this->secret_old, this->secret, SECRET_LENGTH);
-	this->cookie_threshold = lib->settings->get_int(lib->settings,
-									"charon.cookie_threshold", COOKIE_THRESHOLD_DEFAULT);
-	this->block_threshold = lib->settings->get_int(lib->settings,
-									"charon.block_threshold", BLOCK_THRESHOLD_DEFAULT);
-	if (!lib->settings->get_bool(lib->settings, "charon.dos_protection", TRUE))
-	{
-		this->cookie_threshold = 0;
-		this->block_threshold = 0;
-	}
-
-	this->job = callback_job_create((callback_job_cb_t)receive_packets,
-									this, NULL, NULL);
-	charon->processor->queue_job(charon->processor, (job_t*)this->job);
-
-	return &this->public;
-}
-
diff --git a/src/charon/network/receiver.h b/src/charon/network/receiver.h
deleted file mode 100644
index 690d8dbab..000000000
--- a/src/charon/network/receiver.h
+++ /dev/null
@@ -1,70 +0,0 @@
-/*
- * Copyright (C) 2005-2007 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup receiver receiver
- * @{ @ingroup network
- */
-
-#ifndef RECEIVER_H_
-#define RECEIVER_H_
-
-typedef struct receiver_t receiver_t;
-
-#include <library.h>
-#include <utils/host.h>
-
-/**
- * Receives packets from the socket and adds them to the job queue.
- *
- * The receiver starts a thread, wich reads on the blocking socket. A received
- * packet is preparsed and a process_message_job is queued in the job queue.
- *
- * To endure DoS attacks, cookies are enabled when to many IKE_SAs are half
- * open. The calculation of cookies is slightly different from the proposed
- * method in RFC4306. We do not include a nonce, because we think the advantage
- * we gain does not justify the overhead to parse the whole message.
- * Instead of VersionIdOfSecret, we include a timestamp. This allows us to
- * find out wich key was used for cookie creation. Further, we can set a
- * lifetime for the cookie, which allows us to reuse the secret for a longer
- * time.
- *		 COOKIE = time | sha1( IPi | SPIi | time | secret )
- *
- * The secret is changed after a certain amount of cookies sent. The old
- * secret is stored to allow a clean migration between secret changes.
- *
- * Further, the number of half-initiated IKE_SAs is limited per peer. This
- * mades it impossible for a peer to flood the server with its real IP address.
- */
-struct receiver_t {
-
-	/**
-	 * Destroys a receiver_t object.
-	 */
-	void (*destroy) (receiver_t *receiver);
-};
-
-/**
- * Create a receiver_t object.
- *
- * The receiver thread will start working, get data
- * from the socket and add those packets to the job queue.
- *
- * @return	receiver_t object, NULL if initialization fails
- */
-receiver_t * receiver_create(void);
-
-#endif /** RECEIVER_H_ @}*/
diff --git a/src/charon/network/sender.c b/src/charon/network/sender.c
deleted file mode 100644
index 3be5861dd..000000000
--- a/src/charon/network/sender.c
+++ /dev/null
@@ -1,153 +0,0 @@
-/*
- * Copyright (C) 2005-2006 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <stdlib.h>
-
-#include "sender.h"
-
-#include <daemon.h>
-#include <network/socket.h>
-#include <processing/jobs/callback_job.h>
-#include <threading/thread.h>
-#include <threading/condvar.h>
-#include <threading/mutex.h>
-
-
-typedef struct private_sender_t private_sender_t;
-
-/**
- * Private data of a sender_t object.
- */
-struct private_sender_t {
-	/**
-	 * Public part of a sender_t object.
-	 */
-	sender_t public;
-
-	/**
-	 * Sender threads job.
-	 */
-	callback_job_t *job;
-
-	/**
-	 * The packets are stored in a linked list
-	 */
-	linked_list_t *list;
-
-	/**
-	 * mutex to synchronize access to list
-	 */
-	mutex_t *mutex;
-
-	/**
-	 * condvar to signal for packets added to list
-	 */
-	condvar_t *got;
-
-	/**
-	 * condvar to signal for packets sent
-	 */
-	condvar_t *sent;
-};
-
-/**
- * implements sender_t.send
- */
-static void send_(private_sender_t *this, packet_t *packet)
-{
-	host_t *src, *dst;
-
-	src = packet->get_source(packet);
-	dst = packet->get_destination(packet);
-	DBG1(DBG_NET, "sending packet: from %#H to %#H", src, dst);
-
-	this->mutex->lock(this->mutex);
-	this->list->insert_last(this->list, packet);
-	this->got->signal(this->got);
-	this->mutex->unlock(this->mutex);
-}
-
-/**
- * Implementation of private_sender_t.send_packets.
- */
-static job_requeue_t send_packets(private_sender_t * this)
-{
-	packet_t *packet;
-	bool oldstate;
-
-	this->mutex->lock(this->mutex);
-	while (this->list->get_count(this->list) == 0)
-	{
-		/* add cleanup handler, wait for packet, remove cleanup handler */
-		thread_cleanup_push((thread_cleanup_t)this->mutex->unlock, this->mutex);
-		oldstate = thread_cancelability(TRUE);
-
-		this->got->wait(this->got, this->mutex);
-
-		thread_cancelability(oldstate);
-		thread_cleanup_pop(FALSE);
-	}
-	this->list->remove_first(this->list, (void**)&packet);
-	this->sent->signal(this->sent);
-	this->mutex->unlock(this->mutex);
-
-	charon->socket->send(charon->socket, packet);
-	packet->destroy(packet);
-	return JOB_REQUEUE_DIRECT;
-}
-
-/**
- * Implementation of sender_t.destroy.
- */
-static void destroy(private_sender_t *this)
-{
-	/* send all packets in the queue */
-	this->mutex->lock(this->mutex);
-	while (this->list->get_count(this->list))
-	{
-		this->sent->wait(this->sent, this->mutex);
-	}
-	this->mutex->unlock(this->mutex);
-	this->job->cancel(this->job);
-	this->list->destroy(this->list);
-	this->got->destroy(this->got);
-	this->sent->destroy(this->sent);
-	this->mutex->destroy(this->mutex);
-	free(this);
-}
-
-/*
- * Described in header.
- */
-sender_t * sender_create()
-{
-	private_sender_t *this = malloc_thing(private_sender_t);
-
-	this->public.send = (void(*)(sender_t*,packet_t*))send_;
-	this->public.destroy = (void(*)(sender_t*)) destroy;
-
-	this->list = linked_list_create();
-	this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
-	this->got = condvar_create(CONDVAR_TYPE_DEFAULT);
-	this->sent = condvar_create(CONDVAR_TYPE_DEFAULT);
-
-	this->job = callback_job_create((callback_job_cb_t)send_packets,
-									this, NULL, NULL);
-	charon->processor->queue_job(charon->processor, (job_t*)this->job);
-
-	return &this->public;
-}
-
diff --git a/src/charon/network/sender.h b/src/charon/network/sender.h
deleted file mode 100644
index f77fadab2..000000000
--- a/src/charon/network/sender.h
+++ /dev/null
@@ -1,62 +0,0 @@
-/*
- * Copyright (C) 2005-2007 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup sender sender
- * @{ @ingroup network
- */
-
-#ifndef SENDER_H_
-#define SENDER_H_
-
-typedef struct sender_t sender_t;
-
-#include <library.h>
-#include <network/packet.h>
-
-/**
- * Thread responsible for sending packets over the socket.
- */
-struct sender_t {
-
-	/**
-	 * Send a packet over the network.
-	 *
-	 * This function is non blocking and adds the packet to a queue.
-	 * Whenever the sender thread thinks it's good to send the packet,
-	 * it'll do so.
-	 *
-	 * @param packet	packet to send
-	 */
-	void (*send) (sender_t *this, packet_t *packet);
-
-	/**
-	 * Destroys a sender object.
-	 */
-	void (*destroy) (sender_t *this);
-};
-
-/**
- * Create the sender thread.
- *
- * The thread will start to work, getting packets
- * from its queue and sends them out.
- *
- * @return		created sender object
- */
-sender_t * sender_create(void);
-
-#endif /** SENDER_H_ @}*/
diff --git a/src/charon/network/socket-raw.c b/src/charon/network/socket-raw.c
deleted file mode 100644
index 6cc0463b2..000000000
--- a/src/charon/network/socket-raw.c
+++ /dev/null
@@ -1,761 +0,0 @@
-/*
- * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger
- * Copyright (C) 2005-2008 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/* for struct in6_pktinfo */
-#define _GNU_SOURCE
-
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <string.h>
-#include <errno.h>
-#include <unistd.h>
-#include <stdlib.h>
-#include <fcntl.h>
-#include <sys/ioctl.h>
-#include <netinet/in.h>
-#include <netinet/ip.h>
-#include <netinet/ip6.h>
-#include <netinet/udp.h>
-#include <linux/types.h>
-#include <linux/filter.h>
-#include <net/if.h>
-
-#include "socket.h"
-
-#include <daemon.h>
-#include <threading/thread.h>
-
-/* constants for packet handling */
-#define IP_LEN sizeof(struct iphdr)
-#define IP6_LEN sizeof(struct ip6_hdr)
-#define UDP_LEN sizeof(struct udphdr)
-#define MARKER_LEN sizeof(u_int32_t)
-
-/* offsets for packet handling */
-#define IP_PROTO_OFFSET 9
-#define IP6_PROTO_OFFSET 6
-#define IKE_VERSION_OFFSET 17
-#define IKE_LENGTH_OFFSET 24
-
-/* from linux/udp.h */
-#ifndef UDP_ENCAP
-#define UDP_ENCAP 100
-#endif /*UDP_ENCAP*/
-
-#ifndef UDP_ENCAP_ESPINUDP
-#define UDP_ENCAP_ESPINUDP 2
-#endif /*UDP_ENCAP_ESPINUDP*/
-
-/* needed for older kernel headers */
-#ifndef IPV6_2292PKTINFO
-#define IPV6_2292PKTINFO 2
-#endif /*IPV6_2292PKTINFO*/
-
-typedef struct private_socket_t private_socket_t;
-
-/**
- * Private data of an socket_t object
- */
-struct private_socket_t{
-	/**
-	 * public functions
-	 */
-	 socket_t public;
-
-	 /**
-	  * regular port
-	  */
-	 int port;
-
-	 /**
-	  * port used for nat-t
-	  */
-	 int natt_port;
-
-	 /**
-	  * raw receiver socket for IPv4
-	  */
-	 int recv4;
-
-	 /**
-	  * raw receiver socket for IPv6
-	  */
-	 int recv6;
-
-	 /**
-	  * send socket on regular port for IPv4
-	  */
-	 int send4;
-
-	 /**
-	  * send socket on regular port for IPv6
-	  */
-	 int send6;
-
-	 /**
-	  * send socket on nat-t port for IPv4
-	  */
-	 int send4_natt;
-
-	 /**
-	  * send socket on nat-t port for IPv6
-	  */
-	 int send6_natt;
-};
-
-/**
- * implementation of socket_t.receive
- */
-static status_t receiver(private_socket_t *this, packet_t **packet)
-{
-	char buffer[MAX_PACKET];
-	chunk_t data;
-	packet_t *pkt;
-	struct udphdr *udp;
-	host_t *source = NULL, *dest = NULL;
-	int bytes_read = 0, data_offset;
-	bool oldstate;
-	fd_set rfds;
-
-	FD_ZERO(&rfds);
-
-	if (this->recv4)
-	{
-		FD_SET(this->recv4, &rfds);
-	}
-	if (this->recv6)
-	{
-		FD_SET(this->recv6, &rfds);
-	}
-
-	DBG2(DBG_NET, "waiting for data on raw sockets");
-
-	oldstate = thread_cancelability(TRUE);
-	if (select(max(this->recv4, this->recv6) + 1, &rfds, NULL, NULL, NULL) <= 0)
-	{
-		thread_cancelability(oldstate);
-		return FAILED;
-	}
-	thread_cancelability(oldstate);
-
-	if (this->recv4 && FD_ISSET(this->recv4, &rfds))
-	{
-		/* IPv4 raw sockets return the IP header. We read src/dest
-		 * information directly from the raw header */
-		struct iphdr *ip;
-		struct sockaddr_in src, dst;
-
-		bytes_read = recv(this->recv4, buffer, MAX_PACKET, 0);
-		if (bytes_read < 0)
-		{
-			DBG1(DBG_NET, "error reading from IPv4 socket: %s", strerror(errno));
-			return FAILED;
-		}
-		DBG3(DBG_NET, "received IPv4 packet %b", buffer, bytes_read);
-
-		/* read source/dest from raw IP/UDP header */
-		if (bytes_read < IP_LEN + UDP_LEN + MARKER_LEN)
-		{
-			DBG1(DBG_NET, "received IPv4 packet too short (%d bytes)",
-				 bytes_read);
-			return FAILED;
-		}
-		ip = (struct iphdr*) buffer;
-		udp = (struct udphdr*) (buffer + IP_LEN);
-		src.sin_family = AF_INET;
-		src.sin_addr.s_addr = ip->saddr;
-		src.sin_port = udp->source;
-		dst.sin_family = AF_INET;
-		dst.sin_addr.s_addr = ip->daddr;
-		dst.sin_port = udp->dest;
-		source = host_create_from_sockaddr((sockaddr_t*)&src);
-		dest = host_create_from_sockaddr((sockaddr_t*)&dst);
-
-		pkt = packet_create();
-		pkt->set_source(pkt, source);
-		pkt->set_destination(pkt, dest);
-		DBG2(DBG_NET, "received packet: from %#H to %#H", source, dest);
-		data_offset = IP_LEN + UDP_LEN;
-		/* remove non esp marker */
-		if (dest->get_port(dest) == IKEV2_NATT_PORT)
-		{
-			data_offset += MARKER_LEN;
-		}
-		/* fill in packet */
-		data.len = bytes_read - data_offset;
-		data.ptr = malloc(data.len);
-		memcpy(data.ptr, buffer + data_offset, data.len);
-		pkt->set_data(pkt, data);
-	}
-	else if (this->recv6 && FD_ISSET(this->recv6, &rfds))
-	{
-		/* IPv6 raw sockets return no IP header. We must query
-		 * src/dest via socket options/ancillary data */
-		struct msghdr msg;
-		struct cmsghdr *cmsgptr;
-		struct sockaddr_in6 src, dst;
-		struct iovec iov;
-		char ancillary[64];
-
-		msg.msg_name = &src;
-		msg.msg_namelen = sizeof(src);
-		iov.iov_base = buffer;
-		iov.iov_len = sizeof(buffer);
-		msg.msg_iov = &iov;
-		msg.msg_iovlen = 1;
-		msg.msg_control = ancillary;
-		msg.msg_controllen = sizeof(ancillary);
-		msg.msg_flags = 0;
-
-		bytes_read = recvmsg(this->recv6, &msg, 0);
-		if (bytes_read < 0)
-		{
-			DBG1(DBG_NET, "error reading from IPv6 socket: %s", strerror(errno));
-			return FAILED;
-		}
-		DBG3(DBG_NET, "received IPv6 packet %b", buffer, bytes_read);
-
-		if (bytes_read < IP_LEN + UDP_LEN + MARKER_LEN)
-		{
-			DBG3(DBG_NET, "received IPv6 packet too short (%d bytes)",
-				 bytes_read);
-			return FAILED;
-		}
-
-		/* read ancillary data to get destination address */
-		for (cmsgptr = CMSG_FIRSTHDR(&msg); cmsgptr != NULL;
-			 cmsgptr = CMSG_NXTHDR(&msg, cmsgptr))
-		{
-			if (cmsgptr->cmsg_len == 0)
-			{
-				DBG1(DBG_NET, "error reading IPv6 ancillary data");
-				return FAILED;
-			}
-			if (cmsgptr->cmsg_level == SOL_IPV6 &&
-				cmsgptr->cmsg_type == IPV6_2292PKTINFO)
-			{
-				struct in6_pktinfo *pktinfo;
-				pktinfo = (struct in6_pktinfo*)CMSG_DATA(cmsgptr);
-
-				memset(&dst, 0, sizeof(dst));
-				memcpy(&dst.sin6_addr, &pktinfo->ipi6_addr, sizeof(dst.sin6_addr));
-				dst.sin6_family = AF_INET6;
-				udp = (struct udphdr*) (buffer);
-				dst.sin6_port = udp->dest;
-				src.sin6_port = udp->source;
-				dest = host_create_from_sockaddr((sockaddr_t*)&dst);
-			}
-		}
-		/* ancillary data missing? */
-		if (dest == NULL)
-		{
-			DBG1(DBG_NET, "error reading IPv6 packet header");
-			return FAILED;
-		}
-
-		source = host_create_from_sockaddr((sockaddr_t*)&src);
-
-		pkt = packet_create();
-		pkt->set_source(pkt, source);
-		pkt->set_destination(pkt, dest);
-		DBG2(DBG_NET, "received packet: from %#H to %#H", source, dest);
-		data_offset = UDP_LEN;
-		/* remove non esp marker */
-		if (dest->get_port(dest) == IKEV2_NATT_PORT)
-		{
-			data_offset += MARKER_LEN;
-		}
-		/* fill in packet */
-		data.len = bytes_read - data_offset;
-		data.ptr = malloc(data.len);
-		memcpy(data.ptr, buffer + data_offset, data.len);
-		pkt->set_data(pkt, data);
-	}
-	else
-	{
-		/* oops, shouldn't happen */
-		return FAILED;
-	}
-
-	/* return packet */
-	*packet = pkt;
-	return SUCCESS;
-}
-
-/**
- * implementation of socket_t.send
- */
-status_t sender(private_socket_t *this, packet_t *packet)
-{
-	int sport, skt, family;
-	ssize_t bytes_sent;
-	chunk_t data, marked;
-	host_t *src, *dst;
-	struct msghdr msg;
-	struct cmsghdr *cmsg;
-	struct iovec iov;
-
-	src = packet->get_source(packet);
-	dst = packet->get_destination(packet);
-	data = packet->get_data(packet);
-
-	DBG2(DBG_NET, "sending packet: from %#H to %#H", src, dst);
-
-	/* send data */
-	sport = src->get_port(src);
-	family = dst->get_family(dst);
-	if (sport == IKEV2_UDP_PORT)
-	{
-		if (family == AF_INET)
-		{
-			skt = this->send4;
-		}
-		else
-		{
-			skt = this->send6;
-		}
-	}
-	else if (sport == IKEV2_NATT_PORT)
-	{
-		if (family == AF_INET)
-		{
-			skt = this->send4_natt;
-		}
-		else
-		{
-			skt = this->send6_natt;
-		}
-		/* NAT keepalives without marker */
-		if (data.len != 1 || data.ptr[0] != 0xFF)
-		{
-			/* add non esp marker to packet */
-			if (data.len > MAX_PACKET - MARKER_LEN)
-			{
-				DBG1(DBG_NET, "unable to send packet: it's too big (%d bytes)",
-					 data.len);
-				return FAILED;
-			}
-			marked = chunk_alloc(data.len + MARKER_LEN);
-			memset(marked.ptr, 0, MARKER_LEN);
-			memcpy(marked.ptr + MARKER_LEN, data.ptr, data.len);
-			/* let the packet do the clean up for us */
-			packet->set_data(packet, marked);
-			data = marked;
-		}
-	}
-	else
-	{
-		DBG1(DBG_NET, "unable to locate a send socket for port %d", sport);
-		return FAILED;
-	}
-
-	memset(&msg, 0, sizeof(struct msghdr));
-	msg.msg_name = dst->get_sockaddr(dst);;
-	msg.msg_namelen = *dst->get_sockaddr_len(dst);
-	iov.iov_base = data.ptr;
-	iov.iov_len = data.len;
-	msg.msg_iov = &iov;
-	msg.msg_iovlen = 1;
-	msg.msg_flags = 0;
-
-	if (!src->is_anyaddr(src))
-	{
-		if (family == AF_INET)
-		{
-			char buf[CMSG_SPACE(sizeof(struct in_pktinfo))];
-			struct in_pktinfo *pktinfo;
-			struct sockaddr_in *sin;
-
-			msg.msg_control = buf;
-			msg.msg_controllen = sizeof(buf);
-			cmsg = CMSG_FIRSTHDR(&msg);
-			cmsg->cmsg_level = SOL_IP;
-			cmsg->cmsg_type = IP_PKTINFO;
-			cmsg->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo));
-			pktinfo = (struct in_pktinfo*)CMSG_DATA(cmsg);
-			memset(pktinfo, 0, sizeof(struct in_pktinfo));
-			sin = (struct sockaddr_in*)src->get_sockaddr(src);
-			memcpy(&pktinfo->ipi_spec_dst, &sin->sin_addr, sizeof(struct in_addr));
-		}
-		else
-		{
-			char buf[CMSG_SPACE(sizeof(struct in6_pktinfo))];
-			struct in6_pktinfo *pktinfo;
-			struct sockaddr_in6 *sin;
-
-			msg.msg_control = buf;
-			msg.msg_controllen = sizeof(buf);
-			cmsg = CMSG_FIRSTHDR(&msg);
-			cmsg->cmsg_level = SOL_IPV6;
-			cmsg->cmsg_type = IPV6_2292PKTINFO;
-			cmsg->cmsg_len = CMSG_LEN(sizeof(struct in6_pktinfo));
-			pktinfo = (struct in6_pktinfo*)CMSG_DATA(cmsg);
-			memset(pktinfo, 0, sizeof(struct in6_pktinfo));
-			sin = (struct sockaddr_in6*)src->get_sockaddr(src);
-			memcpy(&pktinfo->ipi6_addr, &sin->sin6_addr, sizeof(struct in6_addr));
-		}
-	}
-
-	bytes_sent = sendmsg(skt, &msg, 0);
-
-	if (bytes_sent != data.len)
-	{
-		DBG1(DBG_NET, "error writing to socket: %s", strerror(errno));
-		return FAILED;
-	}
-	return SUCCESS;
-}
-
-/**
- * open a socket to send packets
- */
-static int open_send_socket(private_socket_t *this, int family, u_int16_t port)
-{
-	int on = TRUE;
-	int type = UDP_ENCAP_ESPINUDP;
-	struct sockaddr_storage addr;
-	u_int sol;
-	int skt;
-
-	memset(&addr, 0, sizeof(addr));
-	/* precalculate constants depending on address family */
-	switch (family)
-	{
-		case AF_INET:
-		{
-			struct sockaddr_in *sin = (struct sockaddr_in *)&addr;
-			sin->sin_family = AF_INET;
-			sin->sin_addr.s_addr = INADDR_ANY;
-			sin->sin_port = htons(port);
-			sol = SOL_IP;
-			break;
-		}
-		case AF_INET6:
-		{
-			struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)&addr;
-			sin6->sin6_family = AF_INET6;
-			memcpy(&sin6->sin6_addr, &in6addr_any, sizeof(in6addr_any));
-			sin6->sin6_port = htons(port);
-			sol = SOL_IPV6;
-			break;
-		}
-		default:
-			return 0;
-	}
-
-	skt = socket(family, SOCK_DGRAM, IPPROTO_UDP);
-	if (skt < 0)
-	{
-		DBG1(DBG_NET, "could not open send socket: %s", strerror(errno));
-		return 0;
-	}
-
-	if (setsockopt(skt, SOL_SOCKET, SO_REUSEADDR, (void*)&on, sizeof(on)) < 0)
-	{
-		DBG1(DBG_NET, "unable to set SO_REUSEADDR on send socket: %s",
-			 strerror(errno));
-		close(skt);
-		return 0;
-	}
-
-	/* bind the send socket */
-	if (bind(skt, (struct sockaddr *)&addr, sizeof(addr)) < 0)
-	{
-		DBG1(DBG_NET, "unable to bind send socket: %s",
-			 strerror(errno));
-		close(skt);
-		return 0;
-	}
-
-	if (family == AF_INET)
-	{
-		/* enable UDP decapsulation globally, only for one socket needed */
-		if (setsockopt(skt, SOL_UDP, UDP_ENCAP, &type, sizeof(type)) < 0)
-		{
-			DBG1(DBG_NET, "unable to set UDP_ENCAP: %s; NAT-T may fail",
-				 strerror(errno));
-		}
-	}
-
-	return skt;
-}
-
-/**
- * open a socket to receive packets
- */
-static int open_recv_socket(private_socket_t *this, int family)
-{
-	int skt;
-	int on = TRUE;
-	u_int proto_offset, ip_len, sol, udp_header, ike_header;
-
-	/* precalculate constants depending on address family */
-	switch (family)
-	{
-		case AF_INET:
-			proto_offset = IP_PROTO_OFFSET;
-			ip_len = IP_LEN;
-			sol = SOL_IP;
-			break;
-		case AF_INET6:
-			proto_offset = IP6_PROTO_OFFSET;
-			ip_len = 0; /* IPv6 raw sockets contain no IP header */
-			sol = SOL_IPV6;
-			break;
-		default:
-			return 0;
-	}
-	udp_header = ip_len;
-	ike_header = ip_len + UDP_LEN;
-
-	/* This filter code filters out all non-IKEv2 traffic on
-	 * a SOCK_RAW IP_PROTP_UDP socket. Handling of other
-	 * IKE versions is done in pluto.
-	 */
-	struct sock_filter ikev2_filter_code[] =
-	{
-		/* Destination Port must be either port or natt_port */
-		BPF_STMT(BPF_LD+BPF_H+BPF_ABS, udp_header + 2),
-		BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, IKEV2_UDP_PORT, 1, 0),
-		BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, IKEV2_NATT_PORT, 5, 12),
-		/* port */
-			/* IKE version must be 2.0 */
-			BPF_STMT(BPF_LD+BPF_B+BPF_ABS, ike_header + IKE_VERSION_OFFSET),
-			BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0x20, 0, 10),
-			/* packet length is length in IKEv2 header + ip header + udp header */
-			BPF_STMT(BPF_LD+BPF_W+BPF_ABS, ike_header + IKE_LENGTH_OFFSET),
-			BPF_STMT(BPF_ALU+BPF_ADD+BPF_K, ip_len + UDP_LEN),
-			BPF_STMT(BPF_RET+BPF_A, 0),
-		/* natt_port */
-			/* nat-t: check for marker */
-			BPF_STMT(BPF_LD+BPF_W+BPF_ABS, ike_header),
-			BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0, 0, 5),
-			/* nat-t: IKE version must be 2.0 */
-			BPF_STMT(BPF_LD+BPF_B+BPF_ABS, ike_header + MARKER_LEN + IKE_VERSION_OFFSET),
-			BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0x20, 0, 3),
-			/* nat-t: packet length is length in IKEv2 header + ip header + udp header + non esp marker */
-			BPF_STMT(BPF_LD+BPF_W+BPF_ABS, ike_header + MARKER_LEN + IKE_LENGTH_OFFSET),
-			BPF_STMT(BPF_ALU+BPF_ADD+BPF_K, ip_len + UDP_LEN + MARKER_LEN),
-			BPF_STMT(BPF_RET+BPF_A, 0),
-		/* packet doesn't match, ignore */
-		BPF_STMT(BPF_RET+BPF_K, 0),
-	};
-
-	/* Filter struct to use with setsockopt */
-	struct sock_fprog ikev2_filter = {
-		sizeof(ikev2_filter_code) / sizeof(struct sock_filter),
-		ikev2_filter_code
-	};
-
-	/* set up a raw socket */
-	skt = socket(family, SOCK_RAW, IPPROTO_UDP);
-	if (skt < 0)
-	{
-		DBG1(DBG_NET, "unable to create raw socket: %s", strerror(errno));
-		return 0;
-	}
-
-	if (setsockopt(skt, SOL_SOCKET, SO_ATTACH_FILTER,
-				   &ikev2_filter, sizeof(ikev2_filter)) < 0)
-	{
-		DBG1(DBG_NET, "unable to attach IKEv2 filter to raw socket: %s",
-			 strerror(errno));
-		close(skt);
-		return 0;
-	}
-
-	if (family == AF_INET6 &&
-		/* we use IPV6_2292PKTINFO, as IPV6_PKTINFO is defined as
-		 * 2 or 50 depending on kernel header version */
-		setsockopt(skt, sol, IPV6_2292PKTINFO, &on, sizeof(on)) < 0)
-	{
-		DBG1(DBG_NET, "unable to set IPV6_PKTINFO on raw socket: %s",
-			 strerror(errno));
-		close(skt);
-		return 0;
-	}
-
-	return skt;
-}
-
-/**
- * enumerator for underlying sockets
- */
-typedef struct {
-	/** implements enumerator_t */
-	enumerator_t public;
-	/** sockets we enumerate */
-	private_socket_t *socket;
-	/** counter */
-	int index;
-} socket_enumerator_t;
-
-/**
- * enumerate function for socket_enumerator_t
- */
-static bool enumerate(socket_enumerator_t *this, int *fd, int *family, int *port)
-{
-	static const struct {
-		int fd_offset;
-		int family;
-		int port;
-	} sockets[] = {
-		{ offsetof(private_socket_t, recv4), AF_INET, IKEV2_UDP_PORT },
-		{ offsetof(private_socket_t, recv6), AF_INET6, IKEV2_UDP_PORT },
-		{ offsetof(private_socket_t, send4), AF_INET, IKEV2_UDP_PORT },
-		{ offsetof(private_socket_t, send6), AF_INET6, IKEV2_UDP_PORT },
-		{ offsetof(private_socket_t, send4_natt), AF_INET, IKEV2_NATT_PORT },
-		{ offsetof(private_socket_t, send6_natt), AF_INET6, IKEV2_NATT_PORT }
-	};
-
-	while(++this->index < countof(sockets))
-	{
-		int sock = *(int*)((char*)this->socket + sockets[this->index].fd_offset);
-		if (!sock)
-		{
-			continue;
-		}
-		*fd = sock;
-		*family = sockets[this->index].family;
-		*port = sockets[this->index].port;
-		return TRUE;
-	}
-	return FALSE;
-}
-
-/**
- * implementation of socket_t.create_enumerator
- */
-static enumerator_t *create_enumerator(private_socket_t *this)
-{
-	socket_enumerator_t *enumerator;
-
-	enumerator = malloc_thing(socket_enumerator_t);
-	enumerator->index = -1;
-	enumerator->socket = this;
-	enumerator->public.enumerate = (void*)enumerate;
-	enumerator->public.destroy = (void*)free;
-	return &enumerator->public;
-}
-
-/**
- * implementation of socket_t.destroy
- */
-static void destroy(private_socket_t *this)
-{
-	if (this->recv4)
-	{
-		close(this->recv4);
-	}
-	if (this->recv6)
-	{
-		close(this->recv6);
-	}
-	if (this->send4)
-	{
-		close(this->send4);
-	}
-	if (this->send6)
-	{
-		close(this->send6);
-	}
-	if (this->send4_natt)
-	{
-		close(this->send4_natt);
-	}
-	if (this->send6_natt)
-	{
-		close(this->send6_natt);
-	}
-	free(this);
-}
-
-/*
- * See header for description
- */
-socket_t *socket_create()
-{
-	private_socket_t *this = malloc_thing(private_socket_t);
-
-	/* public functions */
-	this->public.send = (status_t(*)(socket_t*, packet_t*))sender;
-	this->public.receive = (status_t(*)(socket_t*, packet_t**))receiver;
-	this->public.create_enumerator = (enumerator_t*(*)(socket_t*))create_enumerator;
-	this->public.destroy = (void(*)(socket_t*)) destroy;
-
-	this->recv4 = 0;
-	this->recv6 = 0;
-	this->send4 = 0;
-	this->send6 = 0;
-	this->send4_natt = 0;
-	this->send6_natt = 0;
-
-	this->recv4 = open_recv_socket(this, AF_INET);
-	if (this->recv4 == 0)
-	{
-		DBG1(DBG_NET, "could not open IPv4 receive socket, IPv4 disabled");
-	}
-	else
-	{
-		this->send4 = open_send_socket(this, AF_INET, IKEV2_UDP_PORT);
-		if (this->send4 == 0)
-		{
-			DBG1(DBG_NET, "could not open IPv4 send socket, IPv4 disabled");
-			close(this->recv4);
-		}
-		else
-		{
-			this->send4_natt = open_send_socket(this, AF_INET, IKEV2_NATT_PORT);
-			if (this->send4_natt == 0)
-			{
-				DBG1(DBG_NET, "could not open IPv4 NAT-T send socket");
-			}
-		}
-	}
-
-	this->recv6 = open_recv_socket(this, AF_INET6);
-	if (this->recv6 == 0)
-	{
-		DBG1(DBG_NET, "could not open IPv6 receive socket, IPv6 disabled");
-	}
-	else
-	{
-		this->send6 = open_send_socket(this, AF_INET6, IKEV2_UDP_PORT);
-		if (this->send6 == 0)
-		{
-			DBG1(DBG_NET, "could not open IPv6 send socket, IPv6 disabled");
-			close(this->recv6);
-		}
-		else
-		{
-			this->send6_natt = open_send_socket(this, AF_INET6, IKEV2_NATT_PORT);
-			if (this->send6_natt == 0)
-			{
-				DBG1(DBG_NET, "could not open IPv6 NAT-T send socket");
-			}
-		}
-	}
-
-	if (!(this->send4 || this->send6) || !(this->recv4 || this->recv6))
-	{
-		DBG1(DBG_NET, "could not create any sockets");
-		destroy(this);
-		charon->kill(charon, "socket initialization failed");
-	}
-
-	return (socket_t*)this;
-}
diff --git a/src/charon/network/socket.c b/src/charon/network/socket.c
deleted file mode 100644
index 81f860b15..000000000
--- a/src/charon/network/socket.c
+++ /dev/null
@@ -1,685 +0,0 @@
-/*
- * Copyright (C) 2006-2009 Tobias Brunner
- * Copyright (C) 2006 Daniel Roethlisberger
- * Copyright (C) 2005-2007 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/* for struct in6_pktinfo */
-#define _GNU_SOURCE
-#ifdef __sun
-#define _XPG4_2
-#define __EXTENSIONS__
-#endif
-
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <string.h>
-#include <errno.h>
-#include <unistd.h>
-#include <stdlib.h>
-#include <fcntl.h>
-#include <sys/ioctl.h>
-#include <netinet/in_systm.h>
-#include <netinet/in.h>
-#include <netinet/ip.h>
-#include <netinet/udp.h>
-#include <net/if.h>
-#ifdef __APPLE__
-#include <sys/sysctl.h>
-#endif
-
-#include "socket.h"
-
-#include <daemon.h>
-#include <threading/thread.h>
-
-/* length of non-esp marker */
-#define MARKER_LEN sizeof(u_int32_t)
-
-/* from linux/udp.h */
-#ifndef UDP_ENCAP
-#define UDP_ENCAP 100
-#endif /*UDP_ENCAP*/
-
-#ifndef UDP_ENCAP_ESPINUDP
-#define UDP_ENCAP_ESPINUDP 2
-#endif /*UDP_ENCAP_ESPINUDP*/
-
-/* these are not defined on some platforms */
-#ifndef SOL_IP
-#define SOL_IP IPPROTO_IP
-#endif
-#ifndef SOL_IPV6
-#define SOL_IPV6 IPPROTO_IPV6
-#endif
-#ifndef SOL_UDP
-#define SOL_UDP IPPROTO_UDP
-#endif
-
-/* IPV6_RECVPKTINFO is defined in RFC 3542 which obsoletes RFC 2292 that
- * previously defined IPV6_PKTINFO */
-#ifndef IPV6_RECVPKTINFO
-#define IPV6_RECVPKTINFO IPV6_PKTINFO
-#endif
-
-#ifndef IN6ADDR_ANY_INIT
-#define IN6ADDR_ANY_INIT {{{0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}}}
-#endif
-
-#ifndef HAVE_IN6ADDR_ANY
-static const struct in6_addr in6addr_any = IN6ADDR_ANY_INIT;
-#endif
-
-typedef struct private_socket_t private_socket_t;
-
-/**
- * Private data of an socket_t object
- */
-struct private_socket_t {
-	/**
-	 * public functions
-	 */
-	socket_t public;
-
-	/**
-	 * IPv4 socket (500)
-	 */
-	int ipv4;
-
-	/**
-	 * IPv4 socket for NATT (4500)
-	 */
-	int ipv4_natt;
-
-	/**
-	 * IPv6 socket (500)
-	 */
-	int ipv6;
-
-	/**
-	 * IPv6 socket for NATT (4500)
-	 */
-	int ipv6_natt;
-};
-
-/**
- * implementation of socket_t.receive
- */
-static status_t receiver(private_socket_t *this, packet_t **packet)
-{
-	char buffer[MAX_PACKET];
-	chunk_t data;
-	packet_t *pkt;
-	host_t *source = NULL, *dest = NULL;
-	int bytes_read = 0, data_offset;
-	bool oldstate;
-
-	fd_set rfds;
-	int max_fd = 0, selected = 0;
-	u_int16_t port = 0;
-
-	FD_ZERO(&rfds);
-
-	if (this->ipv4)
-	{
-		FD_SET(this->ipv4, &rfds);
-	}
-	if (this->ipv4_natt)
-	{
-		FD_SET(this->ipv4_natt, &rfds);
-	}
-	if (this->ipv6)
-	{
-		FD_SET(this->ipv6, &rfds);
-	}
-	if (this->ipv6_natt)
-	{
-		FD_SET(this->ipv6_natt, &rfds);
-	}
-	max_fd = max(max(this->ipv4, this->ipv4_natt), max(this->ipv6, this->ipv6_natt));
-
-	DBG2(DBG_NET, "waiting for data on sockets");
-	oldstate = thread_cancelability(TRUE);
-	if (select(max_fd + 1, &rfds, NULL, NULL, NULL) <= 0)
-	{
-		thread_cancelability(oldstate);
-		return FAILED;
-	}
-	thread_cancelability(oldstate);
-
-	if (FD_ISSET(this->ipv4, &rfds))
-	{
-		port = IKEV2_UDP_PORT;
-		selected = this->ipv4;
-	}
-	if (FD_ISSET(this->ipv4_natt, &rfds))
-	{
-		port = IKEV2_NATT_PORT;
-		selected = this->ipv4_natt;
-	}
-	if (FD_ISSET(this->ipv6, &rfds))
-	{
-		port = IKEV2_UDP_PORT;
-		selected = this->ipv6;
-	}
-	if (FD_ISSET(this->ipv6_natt, &rfds))
-	{
-		port = IKEV2_NATT_PORT;
-		selected = this->ipv6_natt;
-	}
-	if (selected)
-	{
-		struct msghdr msg;
-		struct cmsghdr *cmsgptr;
-		struct iovec iov;
-		char ancillary[64];
-		union {
-			struct sockaddr_in in4;
-			struct sockaddr_in6 in6;
-		} src;
-
-		msg.msg_name = &src;
-		msg.msg_namelen = sizeof(src);
-		iov.iov_base = buffer;
-		iov.iov_len = sizeof(buffer);
-		msg.msg_iov = &iov;
-		msg.msg_iovlen = 1;
-		msg.msg_control = ancillary;
-		msg.msg_controllen = sizeof(ancillary);
-		msg.msg_flags = 0;
-		bytes_read = recvmsg(selected, &msg, 0);
-		if (bytes_read < 0)
-		{
-			DBG1(DBG_NET, "error reading socket: %s", strerror(errno));
-			return FAILED;
-		}
-		DBG3(DBG_NET, "received packet %b", buffer, bytes_read);
-
-		if (bytes_read < MARKER_LEN)
-		{
-			DBG3(DBG_NET, "received packet too short (%d bytes)",
-				 bytes_read);
-			return FAILED;
-		}
-
-		/* read ancillary data to get destination address */
-		for (cmsgptr = CMSG_FIRSTHDR(&msg); cmsgptr != NULL;
-			 cmsgptr = CMSG_NXTHDR(&msg, cmsgptr))
-		{
-			if (cmsgptr->cmsg_len == 0)
-			{
-				DBG1(DBG_NET, "error reading ancillary data");
-				return FAILED;
-			}
-
-#ifdef HAVE_IN6_PKTINFO
-			if (cmsgptr->cmsg_level == SOL_IPV6 &&
-				cmsgptr->cmsg_type == IPV6_PKTINFO)
-			{
-				struct in6_pktinfo *pktinfo;
-				pktinfo = (struct in6_pktinfo*)CMSG_DATA(cmsgptr);
-				struct sockaddr_in6 dst;
-
-				memset(&dst, 0, sizeof(dst));
-				memcpy(&dst.sin6_addr, &pktinfo->ipi6_addr, sizeof(dst.sin6_addr));
-				dst.sin6_family = AF_INET6;
-				dst.sin6_port = htons(port);
-				dest = host_create_from_sockaddr((sockaddr_t*)&dst);
-			}
-#endif /* HAVE_IN6_PKTINFO */
-			if (cmsgptr->cmsg_level == SOL_IP &&
-#ifdef IP_PKTINFO
-				cmsgptr->cmsg_type == IP_PKTINFO
-#elif defined(IP_RECVDSTADDR)
-				cmsgptr->cmsg_type == IP_RECVDSTADDR
-#else
-				FALSE
-#endif
-				)
-			{
-				struct in_addr *addr;
-				struct sockaddr_in dst;
-
-#ifdef IP_PKTINFO
-				struct in_pktinfo *pktinfo;
-				pktinfo = (struct in_pktinfo*)CMSG_DATA(cmsgptr);
-				addr = &pktinfo->ipi_addr;
-#elif defined(IP_RECVDSTADDR)
-				addr = (struct in_addr*)CMSG_DATA(cmsgptr);
-#endif
-				memset(&dst, 0, sizeof(dst));
-				memcpy(&dst.sin_addr, addr, sizeof(dst.sin_addr));
-
-				dst.sin_family = AF_INET;
-				dst.sin_port = htons(port);
-				dest = host_create_from_sockaddr((sockaddr_t*)&dst);
-			}
-			if (dest)
-			{
-				break;
-			}
-		}
-		if (dest == NULL)
-		{
-			DBG1(DBG_NET, "error reading IP header");
-			return FAILED;
-		}
-		source = host_create_from_sockaddr((sockaddr_t*)&src);
-
-		pkt = packet_create();
-		pkt->set_source(pkt, source);
-		pkt->set_destination(pkt, dest);
-		DBG2(DBG_NET, "received packet: from %#H to %#H", source, dest);
-		data_offset = 0;
-		/* remove non esp marker */
-		if (dest->get_port(dest) == IKEV2_NATT_PORT)
-		{
-			data_offset += MARKER_LEN;
-		}
-		/* fill in packet */
-		data.len = bytes_read - data_offset;
-		data.ptr = malloc(data.len);
-		memcpy(data.ptr, buffer + data_offset, data.len);
-		pkt->set_data(pkt, data);
-	}
-	else
-	{
-		/* oops, shouldn't happen */
-		return FAILED;
-	}
-	/* return packet */
-	*packet = pkt;
-	return SUCCESS;
-}
-
-/**
- * implementation of socket_t.send
- */
-status_t sender(private_socket_t *this, packet_t *packet)
-{
-	int sport, skt, family;
-	ssize_t bytes_sent;
-	chunk_t data, marked;
-	host_t *src, *dst;
-	struct msghdr msg;
-	struct cmsghdr *cmsg;
-	struct iovec iov;
-
-	src = packet->get_source(packet);
-	dst = packet->get_destination(packet);
-	data = packet->get_data(packet);
-
-	DBG2(DBG_NET, "sending packet: from %#H to %#H", src, dst);
-
-	/* send data */
-	sport = src->get_port(src);
-	family = dst->get_family(dst);
-	if (sport == IKEV2_UDP_PORT)
-	{
-		if (family == AF_INET)
-		{
-			skt = this->ipv4;
-		}
-		else
-		{
-			skt = this->ipv6;
-		}
-	}
-	else if (sport == IKEV2_NATT_PORT)
-	{
-		if (family == AF_INET)
-		{
-			skt = this->ipv4_natt;
-		}
-		else
-		{
-			skt = this->ipv6_natt;
-		}
-		/* NAT keepalives without marker */
-		if (data.len != 1 || data.ptr[0] != 0xFF)
-		{
-			/* add non esp marker to packet */
-			if (data.len > MAX_PACKET - MARKER_LEN)
-			{
-				DBG1(DBG_NET, "unable to send packet: it's too big (%d bytes)",
-					 data.len);
-				return FAILED;
-			}
-			marked = chunk_alloc(data.len + MARKER_LEN);
-			memset(marked.ptr, 0, MARKER_LEN);
-			memcpy(marked.ptr + MARKER_LEN, data.ptr, data.len);
-			/* let the packet do the clean up for us */
-			packet->set_data(packet, marked);
-			data = marked;
-		}
-	}
-	else
-	{
-		DBG1(DBG_NET, "unable to locate a send socket for port %d", sport);
-		return FAILED;
-	}
-
-	memset(&msg, 0, sizeof(struct msghdr));
-	msg.msg_name = dst->get_sockaddr(dst);;
-	msg.msg_namelen = *dst->get_sockaddr_len(dst);
-	iov.iov_base = data.ptr;
-	iov.iov_len = data.len;
-	msg.msg_iov = &iov;
-	msg.msg_iovlen = 1;
-	msg.msg_flags = 0;
-
-	if (!src->is_anyaddr(src))
-	{
-		if (family == AF_INET)
-		{
-#if defined(IP_PKTINFO) || defined(IP_SENDSRCADDR)
-			struct in_addr *addr;
-			struct sockaddr_in *sin;
-#ifdef IP_PKTINFO
-			char buf[CMSG_SPACE(sizeof(struct in_pktinfo))];
-			struct in_pktinfo *pktinfo;
-#elif defined(IP_SENDSRCADDR)
-			char buf[CMSG_SPACE(sizeof(struct in_addr))];
-#endif
-			msg.msg_control = buf;
-			msg.msg_controllen = sizeof(buf);
-			cmsg = CMSG_FIRSTHDR(&msg);
-			cmsg->cmsg_level = SOL_IP;
-#ifdef IP_PKTINFO
-			cmsg->cmsg_type = IP_PKTINFO;
-			cmsg->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo));
-			pktinfo = (struct in_pktinfo*)CMSG_DATA(cmsg);
-			memset(pktinfo, 0, sizeof(struct in_pktinfo));
-			addr = &pktinfo->ipi_spec_dst;
-#elif defined(IP_SENDSRCADDR)
-			cmsg->cmsg_type = IP_SENDSRCADDR;
-			cmsg->cmsg_len = CMSG_LEN(sizeof(struct in_addr));
-			addr = (struct in_addr*)CMSG_DATA(cmsg);
-#endif
-			sin = (struct sockaddr_in*)src->get_sockaddr(src);
-			memcpy(addr, &sin->sin_addr, sizeof(struct in_addr));
-#endif /* IP_PKTINFO || IP_SENDSRCADDR */
-		}
-#ifdef HAVE_IN6_PKTINFO
-		else
-		{
-			char buf[CMSG_SPACE(sizeof(struct in6_pktinfo))];
-			struct in6_pktinfo *pktinfo;
-			struct sockaddr_in6 *sin;
-
-			msg.msg_control = buf;
-			msg.msg_controllen = sizeof(buf);
-			cmsg = CMSG_FIRSTHDR(&msg);
-			cmsg->cmsg_level = SOL_IPV6;
-			cmsg->cmsg_type = IPV6_PKTINFO;
-			cmsg->cmsg_len = CMSG_LEN(sizeof(struct in6_pktinfo));
-			pktinfo = (struct in6_pktinfo*)CMSG_DATA(cmsg);
-			memset(pktinfo, 0, sizeof(struct in6_pktinfo));
-			sin = (struct sockaddr_in6*)src->get_sockaddr(src);
-			memcpy(&pktinfo->ipi6_addr, &sin->sin6_addr, sizeof(struct in6_addr));
-		}
-#endif /* HAVE_IN6_PKTINFO */
-	}
-
-	bytes_sent = sendmsg(skt, &msg, 0);
-
-	if (bytes_sent != data.len)
-	{
-		DBG1(DBG_NET, "error writing to socket: %s", strerror(errno));
-		return FAILED;
-	}
-	return SUCCESS;
-}
-
-/**
- * open a socket to send and receive packets
- */
-static int open_socket(private_socket_t *this, int family, u_int16_t port)
-{
-	int on = TRUE;
-	struct sockaddr_storage addr;
-	socklen_t addrlen;
-	u_int sol, pktinfo = 0;
-	int skt;
-
-	memset(&addr, 0, sizeof(addr));
-	/* precalculate constants depending on address family */
-	switch (family)
-	{
-		case AF_INET:
-		{
-			struct sockaddr_in *sin = (struct sockaddr_in *)&addr;
-			sin->sin_family = AF_INET;
-			sin->sin_addr.s_addr = INADDR_ANY;
-			sin->sin_port = htons(port);
-			addrlen = sizeof(struct sockaddr_in);
-			sol = SOL_IP;
-#ifdef IP_PKTINFO
-			pktinfo = IP_PKTINFO;
-#elif defined(IP_RECVDSTADDR)
-			pktinfo = IP_RECVDSTADDR;
-#endif
-			break;
-		}
-		case AF_INET6:
-		{
-			struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)&addr;
-			sin6->sin6_family = AF_INET6;
-			memcpy(&sin6->sin6_addr, &in6addr_any, sizeof(in6addr_any));
-			sin6->sin6_port = htons(port);
-			addrlen = sizeof(struct sockaddr_in6);
-			sol = SOL_IPV6;
-			pktinfo = IPV6_RECVPKTINFO;
-			break;
-		}
-		default:
-			return 0;
-	}
-
-	skt = socket(family, SOCK_DGRAM, IPPROTO_UDP);
-	if (skt < 0)
-	{
-		DBG1(DBG_NET, "could not open socket: %s", strerror(errno));
-		return 0;
-	}
-	if (setsockopt(skt, SOL_SOCKET, SO_REUSEADDR, (void*)&on, sizeof(on)) < 0)
-	{
-		DBG1(DBG_NET, "unable to set SO_REUSEADDR on socket: %s", strerror(errno));
-		close(skt);
-		return 0;
-	}
-
-	/* bind the socket */
-	if (bind(skt, (struct sockaddr *)&addr, addrlen) < 0)
-	{
-		DBG1(DBG_NET, "unable to bind socket: %s", strerror(errno));
-		close(skt);
-		return 0;
-	}
-
-	/* get additional packet info on receive */
-	if (pktinfo > 0)
-	{
-		if (setsockopt(skt, sol, pktinfo, &on, sizeof(on)) < 0)
-		{
-			DBG1(DBG_NET, "unable to set IP_PKTINFO on socket: %s", strerror(errno));
-			close(skt);
-			return 0;
-		}
-	}
-
-#ifndef __APPLE__
-	{
-		/* enable UDP decapsulation globally, only for one socket needed */
-		int type = UDP_ENCAP_ESPINUDP;
-		if (family == AF_INET && port == IKEV2_NATT_PORT &&
-			setsockopt(skt, SOL_UDP, UDP_ENCAP, &type, sizeof(type)) < 0)
-		{
-			DBG1(DBG_NET, "unable to set UDP_ENCAP: %s", strerror(errno));
-		}
-	}
-#endif
-	return skt;
-}
-
-/**
- * enumerator for underlying sockets
- */
-typedef struct {
-	/** implements enumerator_t */
-	enumerator_t public;
-	/** sockets we enumerate */
-	private_socket_t *socket;
-	/** counter */
-	int index;
-} socket_enumerator_t;
-
-/**
- * enumerate function for socket_enumerator_t
- */
-static bool enumerate(socket_enumerator_t *this, int *fd, int *family, int *port)
-{
-	static const struct {
-		int fd_offset;
-		int family;
-		int port;
-	} sockets[] = {
-		{ offsetof(private_socket_t, ipv4), AF_INET, IKEV2_UDP_PORT },
-		{ offsetof(private_socket_t, ipv6), AF_INET6, IKEV2_UDP_PORT },
-		{ offsetof(private_socket_t, ipv4_natt), AF_INET, IKEV2_NATT_PORT },
-		{ offsetof(private_socket_t, ipv6_natt), AF_INET6, IKEV2_NATT_PORT }
-	};
-
-	while(++this->index < countof(sockets))
-	{
-		int sock = *(int*)((char*)this->socket + sockets[this->index].fd_offset);
-		if (!sock)
-		{
-			continue;
-		}
-		*fd = sock;
-		*family = sockets[this->index].family;
-		*port = sockets[this->index].port;
-		return TRUE;
-	}
-	return FALSE;
-}
-
-/**
- * implementation of socket_t.create_enumerator
- */
-static enumerator_t *create_enumerator(private_socket_t *this)
-{
-	socket_enumerator_t *enumerator;
-
-	enumerator = malloc_thing(socket_enumerator_t);
-	enumerator->index = -1;
-	enumerator->socket = this;
-	enumerator->public.enumerate = (void*)enumerate;
-	enumerator->public.destroy = (void*)free;
-	return &enumerator->public;
-}
-
-/**
- * implementation of socket_t.destroy
- */
-static void destroy(private_socket_t *this)
-{
-	if (this->ipv4)
-	{
-		close(this->ipv4);
-	}
-	if (this->ipv4_natt)
-	{
-		close(this->ipv4_natt);
-	}
-	if (this->ipv6)
-	{
-		close(this->ipv6);
-	}
-	if (this->ipv6_natt)
-	{
-		close(this->ipv6_natt);
-	}
-	free(this);
-}
-
-/*
- * See header for description
- */
-socket_t *socket_create()
-{
-	private_socket_t *this = malloc_thing(private_socket_t);
-
-	/* public functions */
-	this->public.send = (status_t(*)(socket_t*, packet_t*))sender;
-	this->public.receive = (status_t(*)(socket_t*, packet_t**))receiver;
-	this->public.create_enumerator = (enumerator_t*(*)(socket_t*))create_enumerator;
-	this->public.destroy = (void(*)(socket_t*)) destroy;
-
-	this->ipv4 = 0;
-	this->ipv6 = 0;
-	this->ipv4_natt = 0;
-	this->ipv6_natt = 0;
-
-#ifdef __APPLE__
-	{
-		int natt_port = IKEV2_NATT_PORT;
-		if (sysctlbyname("net.inet.ipsec.esp_port", NULL, NULL, &natt_port,
-						 sizeof(natt_port)) != 0)
-		{
-			DBG1(DBG_NET, "could not set net.inet.ipsec.esp_port to %d: %s",
-				 natt_port, strerror(errno));
-		}
-	}
-#endif
-
-	this->ipv4 = open_socket(this, AF_INET, IKEV2_UDP_PORT);
-	if (this->ipv4 == 0)
-	{
-		DBG1(DBG_NET, "could not open IPv4 socket, IPv4 disabled");
-	}
-	else
-	{
-		this->ipv4_natt = open_socket(this, AF_INET, IKEV2_NATT_PORT);
-		if (this->ipv4_natt == 0)
-		{
-			DBG1(DBG_NET, "could not open IPv4 NAT-T socket");
-		}
-	}
-
-	this->ipv6 = open_socket(this, AF_INET6, IKEV2_UDP_PORT);
-	if (this->ipv6 == 0)
-	{
-		DBG1(DBG_NET, "could not open IPv6 socket, IPv6 disabled");
-	}
-	else
-	{
-		this->ipv6_natt = open_socket(this, AF_INET6, IKEV2_NATT_PORT);
-		if (this->ipv6_natt == 0)
-		{
-			DBG1(DBG_NET, "could not open IPv6 NAT-T socket");
-		}
-	}
-
-	if (!this->ipv4 && !this->ipv6)
-	{
-		DBG1(DBG_NET, "could not create any sockets");
-		destroy(this);
-		charon->kill(charon, "socket initialization failed");
-	}
-	return (socket_t*)this;
-}
-
diff --git a/src/charon/network/socket.h b/src/charon/network/socket.h
deleted file mode 100644
index 83bb9d4c9..000000000
--- a/src/charon/network/socket.h
+++ /dev/null
@@ -1,102 +0,0 @@
-/*
- * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger
- * Copyright (C) 2005-2008 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup socket socket
- * @{ @ingroup network
- */
-
-#ifndef SOCKET_H_
-#define SOCKET_H_
-
-typedef struct socket_t socket_t;
-
-#include <library.h>
-#include <network/packet.h>
-#include <utils/host.h>
-#include <utils/enumerator.h>
-
-/**
- * Maximum size of a packet.
- *
- * 3000 Bytes should be sufficient, see IKEv2 RFC. However, to run our
- * multi-CA test with 2 intermediate CAs, we increase that to 5000 bytes.
- */
-#define MAX_PACKET 5000
-
-/**
- * Abstraction of all sockets (IPv4/IPv6 send/receive).
- *
- * All available sockets are bound and the receive function
- * reads from them. There are actually two implementations:
- * The first uses raw sockets to allow binding of other daemons (pluto) to
- * UDP/500. An installed "Linux socket filter" filters out all non-IKEv2
- * traffic and handles just IKEv2 messages. An other daemon (pluto) must
- * handle all traffic separately, e.g. ignore IKEv2 traffic, since charon
- * handles that.
- * The other implementation uses normal sockets and is built if
- * --disable-pluto is given to the configure script.
- */
-struct socket_t {
-
-	/**
-	 * Receive a packet.
-	 *
-	 * Reads a packet from the socket and sets source/dest
-	 * appropriately.
-	 *
-	 * @param packet		pinter gets address from allocated packet_t
-	 * @return
-	 * 						- SUCCESS when packet successfully received
-	 * 						- FAILED when unable to receive
-	 */
-	status_t (*receive) (socket_t *this, packet_t **packet);
-
-	/**
-	 * Send a packet.
-	 *
-	 * Sends a packet to the net using source and destination addresses of
-	 * the packet.
-	 *
-	 * @param packet		packet_t to send
-	 * @return
-	 * 						- SUCCESS when packet successfully sent
-	 * 						- FAILED when unable to send
-	 */
-	status_t (*send) (socket_t *this, packet_t *packet);
-
-	/**
-	 * Enumerate all underlying socket file descriptors.
-	 *
-	 * @return				enumerator over (int fd, int family, int port)
-	 */
-	enumerator_t *(*create_enumerator) (socket_t *this);
-
-	/**
-	 * Destroy socket.
-	 */
-	void (*destroy) (socket_t *this);
-};
-
-/**
- * Create a socket_t, which binds multiple sockets.
- *
- * @return  				socket_t object
- */
-socket_t *socket_create();
-
-#endif /** SOCKET_H_ @}*/
diff --git a/src/charon/plugins/attr/Makefile.am b/src/charon/plugins/attr/Makefile.am
deleted file mode 100644
index b4b3b7da6..000000000
--- a/src/charon/plugins/attr/Makefile.am
+++ /dev/null
@@ -1,9 +0,0 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
-
-AM_CFLAGS = -rdynamic
-
-plugin_LTLIBRARIES = libstrongswan-attr.la
-libstrongswan_attr_la_SOURCES = attr_plugin.h attr_plugin.c \
-  attr_provider.h attr_provider.c
-libstrongswan_attr_la_LDFLAGS = -module -avoid-version
diff --git a/src/charon/plugins/attr/Makefile.in b/src/charon/plugins/attr/Makefile.in
deleted file mode 100644
index 689bb3244..000000000
--- a/src/charon/plugins/attr/Makefile.in
+++ /dev/null
@@ -1,569 +0,0 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
-# @configure_input@
-
-# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
-# This Makefile.in is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
-# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
-# PARTICULAR PURPOSE.
-
-@SET_MAKE@
-
-VPATH = @srcdir@
-pkgdatadir = $(datadir)/@PACKAGE@
-pkgincludedir = $(includedir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
-pkglibexecdir = $(libexecdir)/@PACKAGE@
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-install_sh_DATA = $(install_sh) -c -m 644
-install_sh_PROGRAM = $(install_sh) -c
-install_sh_SCRIPT = $(install_sh) -c
-INSTALL_HEADER = $(INSTALL_DATA)
-transform = $(program_transform_name)
-NORMAL_INSTALL = :
-PRE_INSTALL = :
-POST_INSTALL = :
-NORMAL_UNINSTALL = :
-PRE_UNINSTALL = :
-POST_UNINSTALL = :
-build_triplet = @build@
-host_triplet = @host@
-subdir = src/charon/plugins/attr
-DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
-ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
-	$(top_srcdir)/m4/config/ltoptions.m4 \
-	$(top_srcdir)/m4/config/ltsugar.m4 \
-	$(top_srcdir)/m4/config/ltversion.m4 \
-	$(top_srcdir)/m4/config/lt~obsolete.m4 \
-	$(top_srcdir)/m4/macros/with.m4 \
-	$(top_srcdir)/m4/macros/enable-disable.m4 \
-	$(top_srcdir)/configure.in
-am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
-	$(ACLOCAL_M4)
-mkinstalldirs = $(install_sh) -d
-CONFIG_CLEAN_FILES =
-CONFIG_CLEAN_VPATH_FILES =
-am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
-am__vpath_adj = case $$p in \
-    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
-    *) f=$$p;; \
-  esac;
-am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
-am__install_max = 40
-am__nobase_strip_setup = \
-  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
-am__nobase_strip = \
-  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
-am__nobase_list = $(am__nobase_strip_setup); \
-  for p in $$list; do echo "$$p $$p"; done | \
-  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
-  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
-    if (++n[$$2] == $(am__install_max)) \
-      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
-    END { for (dir in files) print dir, files[dir] }'
-am__base_list = \
-  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
-  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
-am__installdirs = "$(DESTDIR)$(plugindir)"
-LTLIBRARIES = $(plugin_LTLIBRARIES)
-libstrongswan_attr_la_LIBADD =
-am_libstrongswan_attr_la_OBJECTS = attr_plugin.lo attr_provider.lo
-libstrongswan_attr_la_OBJECTS = $(am_libstrongswan_attr_la_OBJECTS)
-libstrongswan_attr_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_attr_la_LDFLAGS) $(LDFLAGS) -o $@
-DEFAULT_INCLUDES = -I.@am__isrc@
-depcomp = $(SHELL) $(top_srcdir)/depcomp
-am__depfiles_maybe = depfiles
-am__mv = mv -f
-COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
-	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
-SOURCES = $(libstrongswan_attr_la_SOURCES)
-DIST_SOURCES = $(libstrongswan_attr_la_SOURCES)
-ETAGS = etags
-CTAGS = ctags
-DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
-ACLOCAL = @ACLOCAL@
-ALLOCA = @ALLOCA@
-AMTAR = @AMTAR@
-AR = @AR@
-AUTOCONF = @AUTOCONF@
-AUTOHEADER = @AUTOHEADER@
-AUTOMAKE = @AUTOMAKE@
-AWK = @AWK@
-BTLIB = @BTLIB@
-CC = @CC@
-CCDEPMODE = @CCDEPMODE@
-CFLAGS = @CFLAGS@
-CPP = @CPP@
-CPPFLAGS = @CPPFLAGS@
-CYGPATH_W = @CYGPATH_W@
-DEFS = @DEFS@
-DEPDIR = @DEPDIR@
-DLLIB = @DLLIB@
-DSYMUTIL = @DSYMUTIL@
-DUMPBIN = @DUMPBIN@
-ECHO_C = @ECHO_C@
-ECHO_N = @ECHO_N@
-ECHO_T = @ECHO_T@
-EGREP = @EGREP@
-EXEEXT = @EXEEXT@
-FGREP = @FGREP@
-GPERF = @GPERF@
-GREP = @GREP@
-INSTALL = @INSTALL@
-INSTALL_DATA = @INSTALL_DATA@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@
-INSTALL_SCRIPT = @INSTALL_SCRIPT@
-INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-LD = @LD@
-LDFLAGS = @LDFLAGS@
-LEX = @LEX@
-LEXLIB = @LEXLIB@
-LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBOBJS = @LIBOBJS@
-LIBS = @LIBS@
-LIBTOOL = @LIBTOOL@
-LIPO = @LIPO@
-LN_S = @LN_S@
-LTLIBOBJS = @LTLIBOBJS@
-MAKEINFO = @MAKEINFO@
-MKDIR_P = @MKDIR_P@
-MYSQLCFLAG = @MYSQLCFLAG@
-MYSQLCONFIG = @MYSQLCONFIG@
-MYSQLLIB = @MYSQLLIB@
-NM = @NM@
-NMEDIT = @NMEDIT@
-OBJDUMP = @OBJDUMP@
-OBJEXT = @OBJEXT@
-OTOOL = @OTOOL@
-OTOOL64 = @OTOOL64@
-PACKAGE = @PACKAGE@
-PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
-PACKAGE_NAME = @PACKAGE_NAME@
-PACKAGE_STRING = @PACKAGE_STRING@
-PACKAGE_TARNAME = @PACKAGE_TARNAME@
-PACKAGE_URL = @PACKAGE_URL@
-PACKAGE_VERSION = @PACKAGE_VERSION@
-PATH_SEPARATOR = @PATH_SEPARATOR@
-PERL = @PERL@
-PKG_CONFIG = @PKG_CONFIG@
-PTHREADLIB = @PTHREADLIB@
-RANLIB = @RANLIB@
-RTLIB = @RTLIB@
-RUBY = @RUBY@
-RUBYINCLUDE = @RUBYINCLUDE@
-SED = @SED@
-SET_MAKE = @SET_MAKE@
-SHELL = @SHELL@
-SOCKLIB = @SOCKLIB@
-STRIP = @STRIP@
-VERSION = @VERSION@
-YACC = @YACC@
-YFLAGS = @YFLAGS@
-abs_builddir = @abs_builddir@
-abs_srcdir = @abs_srcdir@
-abs_top_builddir = @abs_top_builddir@
-abs_top_srcdir = @abs_top_srcdir@
-ac_ct_CC = @ac_ct_CC@
-ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
-am__include = @am__include@
-am__leading_dot = @am__leading_dot@
-am__quote = @am__quote@
-am__tar = @am__tar@
-am__untar = @am__untar@
-bindir = @bindir@
-build = @build@
-build_alias = @build_alias@
-build_cpu = @build_cpu@
-build_os = @build_os@
-build_vendor = @build_vendor@
-builddir = @builddir@
-datadir = @datadir@
-datarootdir = @datarootdir@
-default_pkcs11 = @default_pkcs11@
-docdir = @docdir@
-dvidir = @dvidir@
-exec_prefix = @exec_prefix@
-gtk_CFLAGS = @gtk_CFLAGS@
-gtk_LIBS = @gtk_LIBS@
-host = @host@
-host_alias = @host_alias@
-host_cpu = @host_cpu@
-host_os = @host_os@
-host_vendor = @host_vendor@
-htmldir = @htmldir@
-includedir = @includedir@
-infodir = @infodir@
-install_sh = @install_sh@
-ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
-ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
-ipsecuser = @ipsecuser@
-libdir = @libdir@
-libexecdir = @libexecdir@
-libstrongswan_plugins = @libstrongswan_plugins@
-linux_headers = @linux_headers@
-localedir = @localedir@
-localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
-mandir = @mandir@
-mkdir_p = @mkdir_p@
-nm_CFLAGS = @nm_CFLAGS@
-nm_LIBS = @nm_LIBS@
-nm_ca_dir = @nm_ca_dir@
-oldincludedir = @oldincludedir@
-pdfdir = @pdfdir@
-piddir = @piddir@
-plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
-prefix = @prefix@
-program_transform_name = @program_transform_name@
-psdir = @psdir@
-random_device = @random_device@
-resolv_conf = @resolv_conf@
-routing_table = @routing_table@
-routing_table_prio = @routing_table_prio@
-sbindir = @sbindir@
-sharedstatedir = @sharedstatedir@
-srcdir = @srcdir@
-strongswan_conf = @strongswan_conf@
-sysconfdir = @sysconfdir@
-target_alias = @target_alias@
-top_build_prefix = @top_build_prefix@
-top_builddir = @top_builddir@
-top_srcdir = @top_srcdir@
-urandom_device = @urandom_device@
-xml_CFLAGS = @xml_CFLAGS@
-xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
-AM_CFLAGS = -rdynamic
-plugin_LTLIBRARIES = libstrongswan-attr.la
-libstrongswan_attr_la_SOURCES = attr_plugin.h attr_plugin.c \
-  attr_provider.h attr_provider.c
-
-libstrongswan_attr_la_LDFLAGS = -module -avoid-version
-all: all-am
-
-.SUFFIXES:
-.SUFFIXES: .c .lo .o .obj
-$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
-	@for dep in $?; do \
-	  case '$(am__configure_deps)' in \
-	    *$$dep*) \
-	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
-	        && { if test -f $@; then exit 0; else break; fi; }; \
-	      exit 1;; \
-	  esac; \
-	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/charon/plugins/attr/Makefile'; \
-	$(am__cd) $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu src/charon/plugins/attr/Makefile
-.PRECIOUS: Makefile
-Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
-	@case '$?' in \
-	  *config.status*) \
-	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
-	  *) \
-	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
-	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
-	esac;
-
-$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-
-$(top_srcdir)/configure:  $(am__configure_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(am__aclocal_m4_deps):
-install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
-	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
-	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
-	list2=; for p in $$list; do \
-	  if test -f $$p; then \
-	    list2="$$list2 $$p"; \
-	  else :; fi; \
-	done; \
-	test -z "$$list2" || { \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
-	}
-
-uninstall-pluginLTLIBRARIES:
-	@$(NORMAL_UNINSTALL)
-	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
-	for p in $$list; do \
-	  $(am__strip_dir) \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
-	done
-
-clean-pluginLTLIBRARIES:
-	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
-	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
-	  test "$$dir" != "$$p" || dir=.; \
-	  echo "rm -f \"$${dir}/so_locations\""; \
-	  rm -f "$${dir}/so_locations"; \
-	done
-libstrongswan-attr.la: $(libstrongswan_attr_la_OBJECTS) $(libstrongswan_attr_la_DEPENDENCIES) 
-	$(libstrongswan_attr_la_LINK) -rpath $(plugindir) $(libstrongswan_attr_la_OBJECTS) $(libstrongswan_attr_la_LIBADD) $(LIBS)
-
-mostlyclean-compile:
-	-rm -f *.$(OBJEXT)
-
-distclean-compile:
-	-rm -f *.tab.c
-
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/attr_plugin.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/attr_provider.Plo@am__quote@
-
-.c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
-
-.c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
-
-.c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
-
-mostlyclean-libtool:
-	-rm -f *.lo
-
-clean-libtool:
-	-rm -rf .libs _libs
-
-ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
-	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	mkid -fID $$unique
-tags: TAGS
-
-TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	set x; \
-	here=`pwd`; \
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	shift; \
-	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
-	  test -n "$$unique" || unique=$$empty_fix; \
-	  if test $$# -gt 0; then \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      "$$@" $$unique; \
-	  else \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      $$unique; \
-	  fi; \
-	fi
-ctags: CTAGS
-CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$unique" \
-	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$unique
-
-GTAGS:
-	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && $(am__cd) $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) "$$here"
-
-distclean-tags:
-	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
-
-distdir: $(DISTFILES)
-	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	list='$(DISTFILES)'; \
-	  dist_files=`for file in $$list; do echo $$file; done | \
-	  sed -e "s|^$$srcdirstrip/||;t" \
-	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
-	case $$dist_files in \
-	  */*) $(MKDIR_P) `echo "$$dist_files" | \
-			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
-			   sort -u` ;; \
-	esac; \
-	for file in $$dist_files; do \
-	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  if test -d $$d/$$file; then \
-	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
-	    if test -d "$(distdir)/$$file"; then \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
-	  else \
-	    test -f "$(distdir)/$$file" \
-	    || cp -p $$d/$$file "$(distdir)/$$file" \
-	    || exit 1; \
-	  fi; \
-	done
-check-am: all-am
-check: check-am
-all-am: Makefile $(LTLIBRARIES)
-installdirs:
-	for dir in "$(DESTDIR)$(plugindir)"; do \
-	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
-	done
-install: install-am
-install-exec: install-exec-am
-install-data: install-data-am
-uninstall: uninstall-am
-
-install-am: all-am
-	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
-
-installcheck: installcheck-am
-install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
-mostlyclean-generic:
-
-clean-generic:
-
-distclean-generic:
-	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
-
-maintainer-clean-generic:
-	@echo "This command is intended for maintainers to use"
-	@echo "it deletes files that may require special tools to rebuild."
-clean: clean-am
-
-clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
-	mostlyclean-am
-
-distclean: distclean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-distclean-am: clean-am distclean-compile distclean-generic \
-	distclean-tags
-
-dvi: dvi-am
-
-dvi-am:
-
-html: html-am
-
-html-am:
-
-info: info-am
-
-info-am:
-
-install-data-am: install-pluginLTLIBRARIES
-
-install-dvi: install-dvi-am
-
-install-dvi-am:
-
-install-exec-am:
-
-install-html: install-html-am
-
-install-html-am:
-
-install-info: install-info-am
-
-install-info-am:
-
-install-man:
-
-install-pdf: install-pdf-am
-
-install-pdf-am:
-
-install-ps: install-ps-am
-
-install-ps-am:
-
-installcheck-am:
-
-maintainer-clean: maintainer-clean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-maintainer-clean-am: distclean-am maintainer-clean-generic
-
-mostlyclean: mostlyclean-am
-
-mostlyclean-am: mostlyclean-compile mostlyclean-generic \
-	mostlyclean-libtool
-
-pdf: pdf-am
-
-pdf-am:
-
-ps: ps-am
-
-ps-am:
-
-uninstall-am: uninstall-pluginLTLIBRARIES
-
-.MAKE: install-am install-strip
-
-.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
-	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
-	distclean-compile distclean-generic distclean-libtool \
-	distclean-tags distdir dvi dvi-am html html-am info info-am \
-	install install-am install-data install-data-am install-dvi \
-	install-dvi-am install-exec install-exec-am install-html \
-	install-html-am install-info install-info-am install-man \
-	install-pdf install-pdf-am install-pluginLTLIBRARIES \
-	install-ps install-ps-am install-strip installcheck \
-	installcheck-am installdirs maintainer-clean \
-	maintainer-clean-generic mostlyclean mostlyclean-compile \
-	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
-
-
-# Tell versions [3.59,3.63) of GNU make to not export all variables.
-# Otherwise a system limit (for SysV at least) may be exceeded.
-.NOEXPORT:
diff --git a/src/charon/plugins/attr/attr_plugin.c b/src/charon/plugins/attr/attr_plugin.c
deleted file mode 100644
index 6dfb10271..000000000
--- a/src/charon/plugins/attr/attr_plugin.c
+++ /dev/null
@@ -1,63 +0,0 @@
-/*
- * Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "attr_plugin.h"
-#include "attr_provider.h"
-
-#include <daemon.h>
-
-typedef struct private_attr_plugin_t private_attr_plugin_t;
-
-/**
- * private data of attr plugin
- */
-struct private_attr_plugin_t {
-
-	/**
-	 * implements plugin interface
-	 */
-	attr_plugin_t public;
-
-	/**
-	 * CFG attributes provider
-	 */
-	attr_provider_t *provider;
-};
-
-/**
- * Implementation of plugin_t.destroy
- */
-static void destroy(private_attr_plugin_t *this)
-{
-	lib->attributes->remove_provider(lib->attributes, &this->provider->provider);
-	this->provider->destroy(this->provider);
-	free(this);
-}
-
-/*
- * see header file
- */
-plugin_t *plugin_create()
-{
-	private_attr_plugin_t *this = malloc_thing(private_attr_plugin_t);
-
-	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-
-	this->provider = attr_provider_create();
-	lib->attributes->add_provider(lib->attributes, &this->provider->provider);
-
-	return &this->public.plugin;
-}
-
diff --git a/src/charon/plugins/attr/attr_plugin.h b/src/charon/plugins/attr/attr_plugin.h
deleted file mode 100644
index 9f31b60e1..000000000
--- a/src/charon/plugins/attr/attr_plugin.h
+++ /dev/null
@@ -1,47 +0,0 @@
-/*
- * Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup attr attr
- * @ingroup cplugins
- *
- * @defgroup attr_plugin attr_plugin
- * @{ @ingroup attr
- */
-
-#ifndef ATTR_PLUGIN_H_
-#define ATTR_PLUGIN_H_
-
-#include <plugins/plugin.h>
-
-typedef struct attr_plugin_t attr_plugin_t;
-
-/**
- * Plugin providing configuration attribute through strongswan.conf.
- */
-struct attr_plugin_t {
-
-	/**
-	 * implements plugin interface
-	 */
-	plugin_t plugin;
-};
-
-/**
- * Create a attr_plugin instance.
- */
-plugin_t *plugin_create();
-
-#endif /** ATTR_PLUGIN_H_ @}*/
diff --git a/src/charon/plugins/attr/attr_provider.c b/src/charon/plugins/attr/attr_provider.c
deleted file mode 100644
index 548896f56..000000000
--- a/src/charon/plugins/attr/attr_provider.c
+++ /dev/null
@@ -1,236 +0,0 @@
-/*
- * Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "attr_provider.h"
-
-#include <time.h>
-
-#include <daemon.h>
-
-#define SERVER_MAX		2
-
-typedef struct private_attr_provider_t private_attr_provider_t;
-typedef struct attribute_entry_t attribute_entry_t;
-
-/**
- * private data of attr_provider
- */
-struct private_attr_provider_t {
-
-	/**
-	 * public functions
-	 */
-	attr_provider_t public;
-
-	/**
-	 * List of attributes, attribute_entry_t
-	 */
-	linked_list_t *attributes;
-};
-
-struct attribute_entry_t {
-	/** type of attribute */
-	configuration_attribute_type_t type;
-	/** attribute value */
-	chunk_t value;
-};
-
-/**
- * convert enumerator value from attribute_entry
- */
-static bool attr_enum_filter(void *null, attribute_entry_t **in,
-			configuration_attribute_type_t *type, void* none, chunk_t *value)
-{
-	*type = (*in)->type;
-	*value = (*in)->value;
-	return TRUE;
-}
-
-/**
- * Implementation of attribute_provider_t.create_attribute_enumerator
- */
-static enumerator_t* create_attribute_enumerator(private_attr_provider_t *this,
-											identification_t *id, host_t *vip)
-{
-	if (vip)
-	{
-		return enumerator_create_filter(
-						this->attributes->create_enumerator(this->attributes),
-						(void*)attr_enum_filter, NULL, NULL);
-	}
-	return enumerator_create_empty();
-}
-
-/**
- * Implementation of attr_provider_t.destroy
- */
-static void destroy(private_attr_provider_t *this)
-{
-	attribute_entry_t *entry;
-
-	while (this->attributes->remove_last(this->attributes,
-										 (void**)&entry) == SUCCESS)
-	{
-		free(entry->value.ptr);
-		free(entry);
-	}
-	this->attributes->destroy(this->attributes);
-	free(this);
-}
-
-/**
- * Add an attribute entry to the list
- */
-static void add_legacy_entry(private_attr_provider_t *this, char *key, int nr,
-							 configuration_attribute_type_t type)
-{
-	attribute_entry_t *entry;
-	host_t *host;
-	char *str;
-
-	str = lib->settings->get_str(lib->settings, "charon.%s%d", NULL, key, nr);
-	if (str)
-	{
-		host = host_create_from_string(str, 0);
-		if (host)
-		{
-			entry = malloc_thing(attribute_entry_t);
-
-			if (host->get_family(host) == AF_INET6)
-			{
-				switch (type)
-				{
-					case INTERNAL_IP4_DNS:
-						type = INTERNAL_IP6_DNS;
-						break;
-					case INTERNAL_IP4_NBNS:
-						type = INTERNAL_IP6_NBNS;
-						break;
-					default:
-						break;
-				}
-			}
-			entry->type = type;
-			entry->value = chunk_clone(host->get_address(host));
-			host->destroy(host);
-			this->attributes->insert_last(this->attributes, entry);
-		}
-	}
-}
-
-/**
- * Key to attribute type mappings, for v4 and v6 attributes
- */
-static struct {
-	char *name;
-	configuration_attribute_type_t v4;
-	configuration_attribute_type_t v6;
-} keys[] = {
-	{"address",		INTERNAL_IP4_ADDRESS,	INTERNAL_IP6_ADDRESS},
-	{"dns",			INTERNAL_IP4_DNS,		INTERNAL_IP6_DNS},
-	{"nbns",		INTERNAL_IP4_NBNS,		INTERNAL_IP6_NBNS},
-	{"dhcp",		INTERNAL_IP4_DHCP,		INTERNAL_IP6_DHCP},
-	{"netmask",		INTERNAL_IP4_NETMASK,	INTERNAL_IP6_NETMASK},
-	{"server",		INTERNAL_IP4_SERVER,	INTERNAL_IP6_SERVER},
-};
-
-/**
- * Load (numerical) entries from the plugins.attr namespace
- */
-static void load_entries(private_attr_provider_t *this)
-{
-	enumerator_t *enumerator, *tokens;
-	char *key, *value, *token;
-
-	enumerator = lib->settings->create_key_value_enumerator(lib->settings,
-														"charon.plugins.attr");
-	while (enumerator->enumerate(enumerator, &key, &value))
-	{
-		configuration_attribute_type_t type;
-		attribute_entry_t *entry;
-		host_t *host;
-		int i;
-
-		type = atoi(key);
-		tokens = enumerator_create_token(value, ",", " ");
-		while (tokens->enumerate(tokens, &token))
-		{
-			host = host_create_from_string(token, 0);
-			if (!host)
-			{
-				DBG1(DBG_CFG, "invalid host in key %s: %s", key, token);
-				continue;
-			}
-			if (!type)
-			{
-				for (i = 0; i < countof(keys); i++)
-				{
-					if (streq(key, keys[i].name))
-					{
-						if (host->get_family(host) == AF_INET)
-						{
-							type = keys[i].v4;
-						}
-						else
-						{
-							type = keys[i].v6;
-						}
-					}
-				}
-				if (!type)
-				{
-					DBG1(DBG_CFG, "mapping attribute type %s failed", key);
-					break;
-				}
-			}
-			entry = malloc_thing(attribute_entry_t);
-			entry->type = type;
-			entry->value = chunk_clone(host->get_address(host));
-			host->destroy(host);
-			this->attributes->insert_last(this->attributes, entry);
-		}
-		tokens->destroy(tokens);
-	}
-	enumerator->destroy(enumerator);
-}
-
-/*
- * see header file
- */
-attr_provider_t *attr_provider_create(database_t *db)
-{
-	private_attr_provider_t *this;
-	int i;
-
-	this = malloc_thing(private_attr_provider_t);
-
-	this->public.provider.acquire_address = (host_t*(*)(attribute_provider_t *this, char*, identification_t *, host_t *))return_null;
-	this->public.provider.release_address = (bool(*)(attribute_provider_t *this, char*,host_t *, identification_t*))return_false;
-	this->public.provider.create_attribute_enumerator = (enumerator_t*(*)(attribute_provider_t*, identification_t *id, host_t *vip))create_attribute_enumerator;
-	this->public.destroy = (void(*)(attr_provider_t*))destroy;
-
-	this->attributes = linked_list_create();
-
-	for (i = 1; i <= SERVER_MAX; i++)
-	{
-		add_legacy_entry(this, "dns", i, INTERNAL_IP4_DNS);
-		add_legacy_entry(this, "nbns", i, INTERNAL_IP4_NBNS);
-	}
-
-	load_entries(this);
-
-	return &this->public;
-}
-
diff --git a/src/charon/plugins/attr/attr_provider.h b/src/charon/plugins/attr/attr_provider.h
deleted file mode 100644
index a41466718..000000000
--- a/src/charon/plugins/attr/attr_provider.h
+++ /dev/null
@@ -1,49 +0,0 @@
-/*
- * Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup attr_provider attr_provider
- * @{ @ingroup attr
- */
-
-#ifndef ATTR_PROVIDER_H_
-#define ATTR_PROVIDER_H_
-
-#include <attributes/attribute_provider.h>
-
-typedef struct attr_provider_t attr_provider_t;
-
-/**
- * Provide configuration attributes through static strongswan.conf definition.
- */
-struct attr_provider_t {
-
-	/**
-	 * Implements attribute provider interface
-	 */
-	attribute_provider_t provider;
-
-	/**
-	 * Destroy a attr_provider instance.
-	 */
-	void (*destroy)(attr_provider_t *this);
-};
-
-/**
- * Create a attr_provider instance.
- */
-attr_provider_t *attr_provider_create();
-
-#endif /** ATTR_PROVIDER @}*/
diff --git a/src/charon/plugins/eap_aka/Makefile.am b/src/charon/plugins/eap_aka/Makefile.am
deleted file mode 100644
index e007f5f00..000000000
--- a/src/charon/plugins/eap_aka/Makefile.am
+++ /dev/null
@@ -1,14 +0,0 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon \
-  -I$(top_srcdir)/src/libsimaka
-
-AM_CFLAGS = -rdynamic
-
-plugin_LTLIBRARIES = libstrongswan-eap-aka.la
-
-libstrongswan_eap_aka_la_SOURCES = eap_aka_plugin.h eap_aka_plugin.c \
-  eap_aka_peer.h eap_aka_peer.c \
-  eap_aka_server.h eap_aka_server.c
-libstrongswan_eap_aka_la_LIBADD = $(top_builddir)/src/libsimaka/libsimaka.la
-libstrongswan_eap_aka_la_LDFLAGS = -module -avoid-version
-
diff --git a/src/charon/plugins/eap_aka/Makefile.in b/src/charon/plugins/eap_aka/Makefile.in
deleted file mode 100644
index d241e1ad0..000000000
--- a/src/charon/plugins/eap_aka/Makefile.in
+++ /dev/null
@@ -1,577 +0,0 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
-# @configure_input@
-
-# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
-# This Makefile.in is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
-# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
-# PARTICULAR PURPOSE.
-
-@SET_MAKE@
-
-VPATH = @srcdir@
-pkgdatadir = $(datadir)/@PACKAGE@
-pkgincludedir = $(includedir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
-pkglibexecdir = $(libexecdir)/@PACKAGE@
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-install_sh_DATA = $(install_sh) -c -m 644
-install_sh_PROGRAM = $(install_sh) -c
-install_sh_SCRIPT = $(install_sh) -c
-INSTALL_HEADER = $(INSTALL_DATA)
-transform = $(program_transform_name)
-NORMAL_INSTALL = :
-PRE_INSTALL = :
-POST_INSTALL = :
-NORMAL_UNINSTALL = :
-PRE_UNINSTALL = :
-POST_UNINSTALL = :
-build_triplet = @build@
-host_triplet = @host@
-subdir = src/charon/plugins/eap_aka
-DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
-ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
-	$(top_srcdir)/m4/config/ltoptions.m4 \
-	$(top_srcdir)/m4/config/ltsugar.m4 \
-	$(top_srcdir)/m4/config/ltversion.m4 \
-	$(top_srcdir)/m4/config/lt~obsolete.m4 \
-	$(top_srcdir)/m4/macros/with.m4 \
-	$(top_srcdir)/m4/macros/enable-disable.m4 \
-	$(top_srcdir)/configure.in
-am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
-	$(ACLOCAL_M4)
-mkinstalldirs = $(install_sh) -d
-CONFIG_CLEAN_FILES =
-CONFIG_CLEAN_VPATH_FILES =
-am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
-am__vpath_adj = case $$p in \
-    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
-    *) f=$$p;; \
-  esac;
-am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
-am__install_max = 40
-am__nobase_strip_setup = \
-  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
-am__nobase_strip = \
-  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
-am__nobase_list = $(am__nobase_strip_setup); \
-  for p in $$list; do echo "$$p $$p"; done | \
-  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
-  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
-    if (++n[$$2] == $(am__install_max)) \
-      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
-    END { for (dir in files) print dir, files[dir] }'
-am__base_list = \
-  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
-  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
-am__installdirs = "$(DESTDIR)$(plugindir)"
-LTLIBRARIES = $(plugin_LTLIBRARIES)
-libstrongswan_eap_aka_la_DEPENDENCIES =  \
-	$(top_builddir)/src/libsimaka/libsimaka.la
-am_libstrongswan_eap_aka_la_OBJECTS = eap_aka_plugin.lo \
-	eap_aka_peer.lo eap_aka_server.lo
-libstrongswan_eap_aka_la_OBJECTS =  \
-	$(am_libstrongswan_eap_aka_la_OBJECTS)
-libstrongswan_eap_aka_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_eap_aka_la_LDFLAGS) $(LDFLAGS) -o $@
-DEFAULT_INCLUDES = -I.@am__isrc@
-depcomp = $(SHELL) $(top_srcdir)/depcomp
-am__depfiles_maybe = depfiles
-am__mv = mv -f
-COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
-	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
-SOURCES = $(libstrongswan_eap_aka_la_SOURCES)
-DIST_SOURCES = $(libstrongswan_eap_aka_la_SOURCES)
-ETAGS = etags
-CTAGS = ctags
-DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
-ACLOCAL = @ACLOCAL@
-ALLOCA = @ALLOCA@
-AMTAR = @AMTAR@
-AR = @AR@
-AUTOCONF = @AUTOCONF@
-AUTOHEADER = @AUTOHEADER@
-AUTOMAKE = @AUTOMAKE@
-AWK = @AWK@
-BTLIB = @BTLIB@
-CC = @CC@
-CCDEPMODE = @CCDEPMODE@
-CFLAGS = @CFLAGS@
-CPP = @CPP@
-CPPFLAGS = @CPPFLAGS@
-CYGPATH_W = @CYGPATH_W@
-DEFS = @DEFS@
-DEPDIR = @DEPDIR@
-DLLIB = @DLLIB@
-DSYMUTIL = @DSYMUTIL@
-DUMPBIN = @DUMPBIN@
-ECHO_C = @ECHO_C@
-ECHO_N = @ECHO_N@
-ECHO_T = @ECHO_T@
-EGREP = @EGREP@
-EXEEXT = @EXEEXT@
-FGREP = @FGREP@
-GPERF = @GPERF@
-GREP = @GREP@
-INSTALL = @INSTALL@
-INSTALL_DATA = @INSTALL_DATA@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@
-INSTALL_SCRIPT = @INSTALL_SCRIPT@
-INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-LD = @LD@
-LDFLAGS = @LDFLAGS@
-LEX = @LEX@
-LEXLIB = @LEXLIB@
-LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBOBJS = @LIBOBJS@
-LIBS = @LIBS@
-LIBTOOL = @LIBTOOL@
-LIPO = @LIPO@
-LN_S = @LN_S@
-LTLIBOBJS = @LTLIBOBJS@
-MAKEINFO = @MAKEINFO@
-MKDIR_P = @MKDIR_P@
-MYSQLCFLAG = @MYSQLCFLAG@
-MYSQLCONFIG = @MYSQLCONFIG@
-MYSQLLIB = @MYSQLLIB@
-NM = @NM@
-NMEDIT = @NMEDIT@
-OBJDUMP = @OBJDUMP@
-OBJEXT = @OBJEXT@
-OTOOL = @OTOOL@
-OTOOL64 = @OTOOL64@
-PACKAGE = @PACKAGE@
-PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
-PACKAGE_NAME = @PACKAGE_NAME@
-PACKAGE_STRING = @PACKAGE_STRING@
-PACKAGE_TARNAME = @PACKAGE_TARNAME@
-PACKAGE_URL = @PACKAGE_URL@
-PACKAGE_VERSION = @PACKAGE_VERSION@
-PATH_SEPARATOR = @PATH_SEPARATOR@
-PERL = @PERL@
-PKG_CONFIG = @PKG_CONFIG@
-PTHREADLIB = @PTHREADLIB@
-RANLIB = @RANLIB@
-RTLIB = @RTLIB@
-RUBY = @RUBY@
-RUBYINCLUDE = @RUBYINCLUDE@
-SED = @SED@
-SET_MAKE = @SET_MAKE@
-SHELL = @SHELL@
-SOCKLIB = @SOCKLIB@
-STRIP = @STRIP@
-VERSION = @VERSION@
-YACC = @YACC@
-YFLAGS = @YFLAGS@
-abs_builddir = @abs_builddir@
-abs_srcdir = @abs_srcdir@
-abs_top_builddir = @abs_top_builddir@
-abs_top_srcdir = @abs_top_srcdir@
-ac_ct_CC = @ac_ct_CC@
-ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
-am__include = @am__include@
-am__leading_dot = @am__leading_dot@
-am__quote = @am__quote@
-am__tar = @am__tar@
-am__untar = @am__untar@
-bindir = @bindir@
-build = @build@
-build_alias = @build_alias@
-build_cpu = @build_cpu@
-build_os = @build_os@
-build_vendor = @build_vendor@
-builddir = @builddir@
-datadir = @datadir@
-datarootdir = @datarootdir@
-default_pkcs11 = @default_pkcs11@
-docdir = @docdir@
-dvidir = @dvidir@
-exec_prefix = @exec_prefix@
-gtk_CFLAGS = @gtk_CFLAGS@
-gtk_LIBS = @gtk_LIBS@
-host = @host@
-host_alias = @host_alias@
-host_cpu = @host_cpu@
-host_os = @host_os@
-host_vendor = @host_vendor@
-htmldir = @htmldir@
-includedir = @includedir@
-infodir = @infodir@
-install_sh = @install_sh@
-ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
-ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
-ipsecuser = @ipsecuser@
-libdir = @libdir@
-libexecdir = @libexecdir@
-libstrongswan_plugins = @libstrongswan_plugins@
-linux_headers = @linux_headers@
-localedir = @localedir@
-localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
-mandir = @mandir@
-mkdir_p = @mkdir_p@
-nm_CFLAGS = @nm_CFLAGS@
-nm_LIBS = @nm_LIBS@
-nm_ca_dir = @nm_ca_dir@
-oldincludedir = @oldincludedir@
-pdfdir = @pdfdir@
-piddir = @piddir@
-plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
-prefix = @prefix@
-program_transform_name = @program_transform_name@
-psdir = @psdir@
-random_device = @random_device@
-resolv_conf = @resolv_conf@
-routing_table = @routing_table@
-routing_table_prio = @routing_table_prio@
-sbindir = @sbindir@
-sharedstatedir = @sharedstatedir@
-srcdir = @srcdir@
-strongswan_conf = @strongswan_conf@
-sysconfdir = @sysconfdir@
-target_alias = @target_alias@
-top_build_prefix = @top_build_prefix@
-top_builddir = @top_builddir@
-top_srcdir = @top_srcdir@
-urandom_device = @urandom_device@
-xml_CFLAGS = @xml_CFLAGS@
-xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon \
-  -I$(top_srcdir)/src/libsimaka
-
-AM_CFLAGS = -rdynamic
-plugin_LTLIBRARIES = libstrongswan-eap-aka.la
-libstrongswan_eap_aka_la_SOURCES = eap_aka_plugin.h eap_aka_plugin.c \
-  eap_aka_peer.h eap_aka_peer.c \
-  eap_aka_server.h eap_aka_server.c
-
-libstrongswan_eap_aka_la_LIBADD = $(top_builddir)/src/libsimaka/libsimaka.la
-libstrongswan_eap_aka_la_LDFLAGS = -module -avoid-version
-all: all-am
-
-.SUFFIXES:
-.SUFFIXES: .c .lo .o .obj
-$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
-	@for dep in $?; do \
-	  case '$(am__configure_deps)' in \
-	    *$$dep*) \
-	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
-	        && { if test -f $@; then exit 0; else break; fi; }; \
-	      exit 1;; \
-	  esac; \
-	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/charon/plugins/eap_aka/Makefile'; \
-	$(am__cd) $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu src/charon/plugins/eap_aka/Makefile
-.PRECIOUS: Makefile
-Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
-	@case '$?' in \
-	  *config.status*) \
-	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
-	  *) \
-	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
-	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
-	esac;
-
-$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-
-$(top_srcdir)/configure:  $(am__configure_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(am__aclocal_m4_deps):
-install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
-	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
-	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
-	list2=; for p in $$list; do \
-	  if test -f $$p; then \
-	    list2="$$list2 $$p"; \
-	  else :; fi; \
-	done; \
-	test -z "$$list2" || { \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
-	}
-
-uninstall-pluginLTLIBRARIES:
-	@$(NORMAL_UNINSTALL)
-	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
-	for p in $$list; do \
-	  $(am__strip_dir) \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
-	done
-
-clean-pluginLTLIBRARIES:
-	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
-	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
-	  test "$$dir" != "$$p" || dir=.; \
-	  echo "rm -f \"$${dir}/so_locations\""; \
-	  rm -f "$${dir}/so_locations"; \
-	done
-libstrongswan-eap-aka.la: $(libstrongswan_eap_aka_la_OBJECTS) $(libstrongswan_eap_aka_la_DEPENDENCIES) 
-	$(libstrongswan_eap_aka_la_LINK) -rpath $(plugindir) $(libstrongswan_eap_aka_la_OBJECTS) $(libstrongswan_eap_aka_la_LIBADD) $(LIBS)
-
-mostlyclean-compile:
-	-rm -f *.$(OBJEXT)
-
-distclean-compile:
-	-rm -f *.tab.c
-
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_aka_peer.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_aka_plugin.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_aka_server.Plo@am__quote@
-
-.c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
-
-.c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
-
-.c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
-
-mostlyclean-libtool:
-	-rm -f *.lo
-
-clean-libtool:
-	-rm -rf .libs _libs
-
-ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
-	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	mkid -fID $$unique
-tags: TAGS
-
-TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	set x; \
-	here=`pwd`; \
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	shift; \
-	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
-	  test -n "$$unique" || unique=$$empty_fix; \
-	  if test $$# -gt 0; then \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      "$$@" $$unique; \
-	  else \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      $$unique; \
-	  fi; \
-	fi
-ctags: CTAGS
-CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$unique" \
-	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$unique
-
-GTAGS:
-	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && $(am__cd) $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) "$$here"
-
-distclean-tags:
-	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
-
-distdir: $(DISTFILES)
-	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	list='$(DISTFILES)'; \
-	  dist_files=`for file in $$list; do echo $$file; done | \
-	  sed -e "s|^$$srcdirstrip/||;t" \
-	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
-	case $$dist_files in \
-	  */*) $(MKDIR_P) `echo "$$dist_files" | \
-			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
-			   sort -u` ;; \
-	esac; \
-	for file in $$dist_files; do \
-	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  if test -d $$d/$$file; then \
-	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
-	    if test -d "$(distdir)/$$file"; then \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
-	  else \
-	    test -f "$(distdir)/$$file" \
-	    || cp -p $$d/$$file "$(distdir)/$$file" \
-	    || exit 1; \
-	  fi; \
-	done
-check-am: all-am
-check: check-am
-all-am: Makefile $(LTLIBRARIES)
-installdirs:
-	for dir in "$(DESTDIR)$(plugindir)"; do \
-	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
-	done
-install: install-am
-install-exec: install-exec-am
-install-data: install-data-am
-uninstall: uninstall-am
-
-install-am: all-am
-	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
-
-installcheck: installcheck-am
-install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
-mostlyclean-generic:
-
-clean-generic:
-
-distclean-generic:
-	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
-
-maintainer-clean-generic:
-	@echo "This command is intended for maintainers to use"
-	@echo "it deletes files that may require special tools to rebuild."
-clean: clean-am
-
-clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
-	mostlyclean-am
-
-distclean: distclean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-distclean-am: clean-am distclean-compile distclean-generic \
-	distclean-tags
-
-dvi: dvi-am
-
-dvi-am:
-
-html: html-am
-
-html-am:
-
-info: info-am
-
-info-am:
-
-install-data-am: install-pluginLTLIBRARIES
-
-install-dvi: install-dvi-am
-
-install-dvi-am:
-
-install-exec-am:
-
-install-html: install-html-am
-
-install-html-am:
-
-install-info: install-info-am
-
-install-info-am:
-
-install-man:
-
-install-pdf: install-pdf-am
-
-install-pdf-am:
-
-install-ps: install-ps-am
-
-install-ps-am:
-
-installcheck-am:
-
-maintainer-clean: maintainer-clean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-maintainer-clean-am: distclean-am maintainer-clean-generic
-
-mostlyclean: mostlyclean-am
-
-mostlyclean-am: mostlyclean-compile mostlyclean-generic \
-	mostlyclean-libtool
-
-pdf: pdf-am
-
-pdf-am:
-
-ps: ps-am
-
-ps-am:
-
-uninstall-am: uninstall-pluginLTLIBRARIES
-
-.MAKE: install-am install-strip
-
-.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
-	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
-	distclean-compile distclean-generic distclean-libtool \
-	distclean-tags distdir dvi dvi-am html html-am info info-am \
-	install install-am install-data install-data-am install-dvi \
-	install-dvi-am install-exec install-exec-am install-html \
-	install-html-am install-info install-info-am install-man \
-	install-pdf install-pdf-am install-pluginLTLIBRARIES \
-	install-ps install-ps-am install-strip installcheck \
-	installcheck-am installdirs maintainer-clean \
-	maintainer-clean-generic mostlyclean mostlyclean-compile \
-	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
-
-
-# Tell versions [3.59,3.63) of GNU make to not export all variables.
-# Otherwise a system limit (for SysV at least) may be exceeded.
-.NOEXPORT:
diff --git a/src/charon/plugins/eap_aka/eap_aka_peer.c b/src/charon/plugins/eap_aka/eap_aka_peer.c
deleted file mode 100644
index 26546809d..000000000
--- a/src/charon/plugins/eap_aka/eap_aka_peer.c
+++ /dev/null
@@ -1,583 +0,0 @@
-/*
- * Copyright (C) 2006-2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "eap_aka_peer.h"
-
-#include <library.h>
-#include <daemon.h>
-
-#include <simaka_message.h>
-#include <simaka_crypto.h>
-
-typedef struct private_eap_aka_peer_t private_eap_aka_peer_t;
-
-/**
- * Private data of an eap_aka_peer_t object.
- */
-struct private_eap_aka_peer_t {
-
-	/**
-	 * Public authenticator_t interface.
-	 */
-	eap_aka_peer_t public;
-
-	/**
-	 * EAP-AKA crypto helper
-	 */
-	simaka_crypto_t *crypto;
-
-	/**
-	 * permanent ID of peer
-	 */
-	identification_t *permanent;
-
-	/**
-	 * Pseudonym identity the peer uses
-	 */
-	identification_t *pseudonym;
-
-	/**
-	 * Reauthentication identity the peer uses
-	 */
-	identification_t *reauth;
-
-	/**
-	 * MSK
-	 */
-	chunk_t msk;
-
-	/**
-	 * Master key, if reauthentication is used
-	 */
-	char mk[HASH_SIZE_SHA1];
-
-	/**
-	 * Counter value if reauthentication is used
-	 */
-	u_int16_t counter;
-};
-
-/**
- * Create a AKA_CLIENT_ERROR: "Unable to process"
- */
-static eap_payload_t* create_client_error(private_eap_aka_peer_t *this,
-										  u_int8_t identifier)
-{
-	simaka_message_t *message;
-	eap_payload_t *out;
-	u_int16_t encoded;
-
-	DBG1(DBG_IKE, "sending client error '%N'",
-		 simaka_client_error_names, AKA_UNABLE_TO_PROCESS);
-
-	message = simaka_message_create(FALSE, identifier, EAP_AKA,
-									AKA_CLIENT_ERROR, this->crypto);
-	encoded = htons(AKA_UNABLE_TO_PROCESS);
-	message->add_attribute(message, AT_CLIENT_ERROR_CODE,
-						   chunk_create((char*)&encoded, sizeof(encoded)));
-	out = message->generate(message, chunk_empty);
-	message->destroy(message);
-	return out;
-}
-
-/**
- * process an EAP-AKA/Request/Identity message
- */
-static status_t process_identity(private_eap_aka_peer_t *this,
-								 simaka_message_t *in, eap_payload_t **out)
-{
-	simaka_message_t *message;
-	enumerator_t *enumerator;
-	simaka_attribute_t type;
-	chunk_t data, id = chunk_empty;
-	simaka_attribute_t id_req = 0;
-
-	/* reset previously uses reauthentication/pseudonym data */
-	this->crypto->clear_keys(this->crypto);
-	DESTROY_IF(this->pseudonym);
-	this->pseudonym = NULL;
-	DESTROY_IF(this->reauth);
-	this->reauth = NULL;
-
-	enumerator = in->create_attribute_enumerator(in);
-	while (enumerator->enumerate(enumerator, &type, &data))
-	{
-		switch (type)
-		{
-			case AT_ANY_ID_REQ:
-			case AT_FULLAUTH_ID_REQ:
-			case AT_PERMANENT_ID_REQ:
-				id_req = type;
-				break;
-			default:
-				if (!simaka_attribute_skippable(type))
-				{
-					*out = create_client_error(this, in->get_identifier(in));
-					enumerator->destroy(enumerator);
-					return NEED_MORE;
-				}
-				break;
-		}
-	}
-	enumerator->destroy(enumerator);
-
-	switch (id_req)
-	{
-		case AT_ANY_ID_REQ:
-			this->reauth = charon->sim->card_get_reauth(charon->sim,
-									this->permanent, this->mk, &this->counter);
-			if (this->reauth)
-			{
-				id = this->reauth->get_encoding(this->reauth);
-				break;
-			}
-			/* FALL */
-		case AT_FULLAUTH_ID_REQ:
-			this->pseudonym = charon->sim->card_get_pseudonym(charon->sim,
-															  this->permanent);
-			if (this->pseudonym)
-			{
-				id = this->pseudonym->get_encoding(this->pseudonym);
-				break;
-			}
-			/* FALL */
-		case AT_PERMANENT_ID_REQ:
-			id = this->permanent->get_encoding(this->permanent);
-			break;
-		default:
-			break;
-	}
-	message = simaka_message_create(FALSE, in->get_identifier(in), EAP_AKA,
-									AKA_IDENTITY, this->crypto);
-	if (id.len)
-	{
-		message->add_attribute(message, AT_IDENTITY, id);
-	}
-	*out = message->generate(message, chunk_empty);
-	message->destroy(message);
-
-	return NEED_MORE;
-}
-
-/**
- * Process an EAP-AKA/Request/Challenge message
- */
-static status_t process_challenge(private_eap_aka_peer_t *this,
-								  simaka_message_t *in, eap_payload_t **out)
-{
-	simaka_message_t *message;
-	enumerator_t *enumerator;
-	simaka_attribute_t type;
-	chunk_t data, rand = chunk_empty, autn = chunk_empty, mk;
-	u_char res[AKA_RES_MAX], ck[AKA_CK_LEN], ik[AKA_IK_LEN], auts[AKA_AUTS_LEN];
-	int res_len;
-	identification_t *id;
-	status_t status;
-
-	enumerator = in->create_attribute_enumerator(in);
-	while (enumerator->enumerate(enumerator, &type, &data))
-	{
-		switch (type)
-		{
-			case AT_RAND:
-				rand = data;
-				break;
-			case AT_AUTN:
-				autn = data;
-				break;
-			default:
-				if (!simaka_attribute_skippable(type))
-				{
-					*out = create_client_error(this, in->get_identifier(in));
-					enumerator->destroy(enumerator);
-					return NEED_MORE;
-				}
-				break;
-		}
-	}
-	enumerator->destroy(enumerator);
-
-	if (!rand.len || !autn.len)
-	{
-		DBG1(DBG_IKE, "received invalid EAP-AKA challenge message");
-		*out = create_client_error(this, in->get_identifier(in));
-		return NEED_MORE;
-	}
-
-	status = charon->sim->card_get_quintuplet(charon->sim, this->permanent,
-									rand.ptr, autn.ptr, ck, ik, res, &res_len);
-	if (status == INVALID_STATE &&
-		charon->sim->card_resync(charon->sim, this->permanent, rand.ptr, auts))
-	{
-		DBG1(DBG_IKE, "received SQN invalid, sending %N",
-			 simaka_subtype_names, AKA_SYNCHRONIZATION_FAILURE);
-		message = simaka_message_create(FALSE, in->get_identifier(in), EAP_AKA,
-									AKA_SYNCHRONIZATION_FAILURE, this->crypto);
-		message->add_attribute(message, AT_AUTS,
-							   chunk_create(auts, AKA_AUTS_LEN));
-		*out = message->generate(message, chunk_empty);
-		message->destroy(message);
-		return NEED_MORE;
-	}
-	if (status != SUCCESS)
-	{
-		DBG1(DBG_IKE, "no USIM found with quintuplets for '%Y', sending %N",
-			 this->permanent, simaka_subtype_names, AKA_AUTHENTICATION_REJECT);
-		message = simaka_message_create(FALSE, in->get_identifier(in), EAP_AKA,
-										AKA_AUTHENTICATION_REJECT, this->crypto);
-		*out = message->generate(message, chunk_empty);
-		message->destroy(message);
-		return NEED_MORE;
-	}
-
-	id = this->permanent;
-	if (this->pseudonym)
-	{
-		id = this->pseudonym;
-	}
-	data = chunk_cata("cc", chunk_create(ik, AKA_IK_LEN),
-					  chunk_create(ck, AKA_CK_LEN));
-	free(this->msk.ptr);
-	this->msk = this->crypto->derive_keys_full(this->crypto, id, data, &mk);
-	memcpy(this->mk, mk.ptr, mk.len);
-	free(mk.ptr);
-
-	/* Verify AT_MAC attribute and parse() again after key derivation,
-	 * reading encrypted attributes */
-	if (!in->verify(in, chunk_empty) || !in->parse(in))
-	{
-		*out = create_client_error(this, in->get_identifier(in));
-		return NEED_MORE;
-	}
-
-	enumerator = in->create_attribute_enumerator(in);
-	while (enumerator->enumerate(enumerator, &type, &data))
-	{
-		switch (type)
-		{
-			case AT_NEXT_REAUTH_ID:
-				this->counter = 0;
-				id = identification_create_from_data(data);
-				charon->sim->card_set_reauth(charon->sim, this->permanent, id,
-											 this->mk, this->counter);
-				id->destroy(id);
-				break;
-			case AT_NEXT_PSEUDONYM:
-				id = identification_create_from_data(data);
-				charon->sim->card_set_pseudonym(charon->sim, this->permanent, id);
-				id->destroy(id);
-				break;
-			default:
-				break;
-		}
-	}
-	enumerator->destroy(enumerator);
-
-	message = simaka_message_create(FALSE, in->get_identifier(in), EAP_AKA,
-									AKA_CHALLENGE, this->crypto);
-	message->add_attribute(message, AT_RES, chunk_create(res, res_len));
-	*out = message->generate(message, chunk_empty);
-	message->destroy(message);
-	return NEED_MORE;
-}
-
-/**
- * Check if a received counter value is acceptable
- */
-static bool counter_too_small(private_eap_aka_peer_t *this, chunk_t chunk)
-{
-	u_int16_t counter;
-
-	memcpy(&counter, chunk.ptr, sizeof(counter));
-	counter = htons(counter);
-	return counter < this->counter;
-}
-
-/**
- * process an EAP-AKA/Request/Reauthentication message
- */
-static status_t process_reauthentication(private_eap_aka_peer_t *this,
-									simaka_message_t *in, eap_payload_t **out)
-{
-	simaka_message_t *message;
-	enumerator_t *enumerator;
-	simaka_attribute_t type;
-	chunk_t data, counter = chunk_empty, nonce = chunk_empty, id = chunk_empty;
-
-	if (!this->reauth)
-	{
-		DBG1(DBG_IKE, "received %N, but not expected",
-			 simaka_subtype_names, AKA_REAUTHENTICATION);
-		*out = create_client_error(this, in->get_identifier(in));
-		return NEED_MORE;
-	}
-
-	this->crypto->derive_keys_reauth(this->crypto,
-									 chunk_create(this->mk, HASH_SIZE_SHA1));
-
-	/* verify MAC and parse again with decryption key */
-	if (!in->verify(in, chunk_empty) || !in->parse(in))
-	{
-		*out = create_client_error(this, in->get_identifier(in));
-		return NEED_MORE;
-	}
-
-	enumerator = in->create_attribute_enumerator(in);
-	while (enumerator->enumerate(enumerator, &type, &data))
-	{
-		switch (type)
-		{
-			case AT_COUNTER:
-				counter = data;
-				break;
-			case AT_NONCE_S:
-				nonce = data;
-				break;
-			case AT_NEXT_REAUTH_ID:
-				id = data;
-				break;
-			default:
-				if (!simaka_attribute_skippable(type))
-				{
-					*out = create_client_error(this, in->get_identifier(in));
-					enumerator->destroy(enumerator);
-					return NEED_MORE;
-				}
-				break;
-		}
-	}
-	enumerator->destroy(enumerator);
-
-	if (!nonce.len || !counter.len)
-	{
-		DBG1(DBG_IKE, "EAP-AKA/Request/Reauthentication message incomplete");
-		*out = create_client_error(this, in->get_identifier(in));
-		return NEED_MORE;
-	}
-
-	message = simaka_message_create(FALSE, in->get_identifier(in), EAP_AKA,
-									AKA_REAUTHENTICATION, this->crypto);
-	if (counter_too_small(this, counter))
-	{
-		DBG1(DBG_IKE, "reauthentication counter too small");
-		message->add_attribute(message, AT_COUNTER_TOO_SMALL, chunk_empty);
-	}
-	else
-	{
-		free(this->msk.ptr);
-		this->msk = this->crypto->derive_keys_reauth_msk(this->crypto,
-										this->reauth, counter, nonce,
-										chunk_create(this->mk, HASH_SIZE_SHA1));
-		if (id.len)
-		{
-			identification_t *reauth;
-
-			reauth = identification_create_from_data(data);
-			charon->sim->card_set_reauth(charon->sim, this->permanent, reauth,
-							 this->mk, this->counter);
-			reauth->destroy(reauth);
-		}
-	}
-	message->add_attribute(message, AT_COUNTER, counter);
-	*out = message->generate(message, nonce);
-	message->destroy(message);
-	return NEED_MORE;
-}
-
-/**
- * Process an EAP-AKA/Request/Notification message
- */
-static status_t process_notification(private_eap_aka_peer_t *this,
-									 simaka_message_t *in, eap_payload_t **out)
-{
-	simaka_message_t *message;
-	enumerator_t *enumerator;
-	simaka_attribute_t type;
-	chunk_t data;
-	bool success = TRUE;
-
-	enumerator = in->create_attribute_enumerator(in);
-	while (enumerator->enumerate(enumerator, &type, &data))
-	{
-		if (type == AT_NOTIFICATION)
-		{
-			u_int16_t code;
-
-			memcpy(&code, data.ptr, sizeof(code));
-			code = ntohs(code);
-
-			/* test success bit */
-			if (!(data.ptr[0] & 0x80))
-			{
-				success = FALSE;
-				DBG1(DBG_IKE, "received EAP-AKA notification error '%N'",
-					 simaka_notification_names, code);
-			}
-			else
-			{
-				DBG1(DBG_IKE, "received EAP-AKA notification '%N'",
-					 simaka_notification_names, code);
-			}
-		}
-		else if (!simaka_attribute_skippable(type))
-		{
-			success = FALSE;
-			break;
-		}
-	}
-	enumerator->destroy(enumerator);
-
-	if (success)
-	{	/* empty notification reply */
-		message = simaka_message_create(FALSE, in->get_identifier(in), EAP_AKA,
-										AKA_NOTIFICATION, this->crypto);
-		*out = message->generate(message, chunk_empty);
-		message->destroy(message);
-	}
-	else
-	{
-		*out = create_client_error(this, in->get_identifier(in));
-	}
-	return NEED_MORE;
-}
-
-
-/**
- * Implementation of eap_method_t.process
- */
-static status_t process(private_eap_aka_peer_t *this,
-						eap_payload_t *in, eap_payload_t **out)
-{
-	simaka_message_t *message;
-	status_t status;
-
-	message = simaka_message_create_from_payload(in, this->crypto);
-	if (!message)
-	{
-		*out = create_client_error(this, in->get_identifier(in));
-		return NEED_MORE;
-	}
-	if (!message->parse(message))
-	{
-		message->destroy(message);
-		*out = create_client_error(this, in->get_identifier(in));
-		return NEED_MORE;
-	}
-	switch (message->get_subtype(message))
-	{
-		case AKA_IDENTITY:
-			status = process_identity(this, message, out);
-			break;
-		case AKA_CHALLENGE:
-			status = process_challenge(this, message, out);
-			break;
-		case AKA_REAUTHENTICATION:
-			status = process_reauthentication(this, message, out);
-			break;
-		case AKA_NOTIFICATION:
-			status = process_notification(this, message, out);
-			break;
-		default:
-			DBG1(DBG_IKE, "unable to process EAP-AKA subtype %N",
-				 simaka_subtype_names, message->get_subtype(message));
-			*out = create_client_error(this, in->get_identifier(in));
-			status = NEED_MORE;
-			break;
-	}
-	message->destroy(message);
-	return status;
-}
-
-/**
- * Implementation of eap_method_t.initiate
- */
-static status_t initiate(private_eap_aka_peer_t *this, eap_payload_t **out)
-{
-	/* peer never initiates */
-	return FAILED;
-}
-
-/**
- * Implementation of eap_method_t.get_type.
- */
-static eap_type_t get_type(private_eap_aka_peer_t *this, u_int32_t *vendor)
-{
-	*vendor = 0;
-	return EAP_AKA;
-}
-
-/**
- * Implementation of eap_method_t.get_msk.
- */
-static status_t get_msk(private_eap_aka_peer_t *this, chunk_t *msk)
-{
-	if (this->msk.ptr)
-	{
-		*msk = this->msk;
-		return SUCCESS;
-	}
-	return FAILED;
-}
-
-/**
- * Implementation of eap_method_t.is_mutual.
- */
-static bool is_mutual(private_eap_aka_peer_t *this)
-{
-	return TRUE;
-}
-
-/**
- * Implementation of eap_method_t.destroy.
- */
-static void destroy(private_eap_aka_peer_t *this)
-{
-	this->crypto->destroy(this->crypto);
-	this->permanent->destroy(this->permanent);
-	DESTROY_IF(this->pseudonym);
-	DESTROY_IF(this->reauth);
-	free(this->msk.ptr);
-	free(this);
-}
-
-/*
- * Described in header.
- */
-eap_aka_peer_t *eap_aka_peer_create(identification_t *server,
-									identification_t *peer)
-{
-	private_eap_aka_peer_t *this = malloc_thing(private_eap_aka_peer_t);
-
-	this->public.interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate;
-	this->public.interface.process = (status_t(*)(eap_method_t*,eap_payload_t*,eap_payload_t**))process;
-	this->public.interface.get_type = (eap_type_t(*)(eap_method_t*,u_int32_t*))get_type;
-	this->public.interface.is_mutual = (bool(*)(eap_method_t*))is_mutual;
-	this->public.interface.get_msk = (status_t(*)(eap_method_t*,chunk_t*))get_msk;
-	this->public.interface.destroy = (void(*)(eap_method_t*))destroy;
-
-	this->crypto = simaka_crypto_create();
-	if (!this->crypto)
-	{
-		free(this);
-		return NULL;
-	}
-	this->permanent = peer->clone(peer);
-	this->pseudonym = NULL;
-	this->reauth = NULL;
-	this->msk = chunk_empty;
-
-	return &this->public;
-}
-
diff --git a/src/charon/plugins/eap_aka/eap_aka_peer.h b/src/charon/plugins/eap_aka/eap_aka_peer.h
deleted file mode 100644
index 65a210406..000000000
--- a/src/charon/plugins/eap_aka/eap_aka_peer.h
+++ /dev/null
@@ -1,49 +0,0 @@
-/*
- * Copyright (C) 2008-2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup eap_aka_peer eap_aka_peer
- * @{ @ingroup eap_aka
- */
-
-#ifndef EAP_AKA_PEER_H_
-#define EAP_AKA_PEER_H_
-
-typedef struct eap_aka_peer_t eap_aka_peer_t;
-
-#include <sa/authenticators/eap/eap_method.h>
-
-/**
- * Implementation of the eap_method_t interface using EAP-AKA as a client.
- */
-struct eap_aka_peer_t {
-
-	/**
-	 * Implemented eap_method_t interface.
-	 */
-	eap_method_t interface;
-};
-
-/**
- * Creates the peer implementation of the EAP method EAP-AKA.
- *
- * @param server	ID of the EAP server
- * @param peer		ID of the EAP client
- * @return			eap_aka_peer_t object
- */
-eap_aka_peer_t *eap_aka_peer_create(identification_t *server,
-									identification_t *peer);
-
-#endif /** EAP_AKA_PEER_H_ @}*/
diff --git a/src/charon/plugins/eap_aka/eap_aka_plugin.c b/src/charon/plugins/eap_aka/eap_aka_plugin.c
deleted file mode 100644
index c44a08966..000000000
--- a/src/charon/plugins/eap_aka/eap_aka_plugin.c
+++ /dev/null
@@ -1,51 +0,0 @@
-/*
- * Copyright (C) 2008-2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "eap_aka_plugin.h"
-
-#include "eap_aka_peer.h"
-#include "eap_aka_server.h"
-
-#include <daemon.h>
-
-/**
- * Implementation of plugin_t.destroy
- */
-static void destroy(eap_aka_plugin_t *this)
-{
-	charon->eap->remove_method(charon->eap,
-							   (eap_constructor_t)eap_aka_server_create);
-	charon->eap->remove_method(charon->eap,
-							   (eap_constructor_t)eap_aka_peer_create);
-	free(this);
-}
-
-/*
- * see header file
- */
-plugin_t *plugin_create()
-{
-	eap_aka_plugin_t *this = malloc_thing(eap_aka_plugin_t);
-
-	this->plugin.destroy = (void(*)(plugin_t*))destroy;
-
-	charon->eap->add_method(charon->eap, EAP_AKA, 0, EAP_SERVER,
-							(eap_constructor_t)eap_aka_server_create);
-	charon->eap->add_method(charon->eap, EAP_AKA, 0, EAP_PEER,
-							(eap_constructor_t)eap_aka_peer_create);
-
-	return &this->plugin;
-}
-
diff --git a/src/charon/plugins/eap_aka/eap_aka_plugin.h b/src/charon/plugins/eap_aka/eap_aka_plugin.h
deleted file mode 100644
index 938e5ecbd..000000000
--- a/src/charon/plugins/eap_aka/eap_aka_plugin.h
+++ /dev/null
@@ -1,50 +0,0 @@
-/*
- * Copyright (C) 2008-2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup eap_aka eap_aka
- * @ingroup cplugins
- *
- * @defgroup eap_aka_plugin eap_aka_plugin
- * @{ @ingroup eap_aka
- */
-
-#ifndef EAP_AKA_PLUGIN_H_
-#define EAP_AKA_PLUGIN_H_
-
-#include <plugins/plugin.h>
-
-typedef struct eap_aka_plugin_t eap_aka_plugin_t;
-
-/**
- * EAP-AKA plugin.
- *
- * EAP-AKA uses 3rd generation mobile phone standard authentication
- * mechanism for authentication, as defined RFC4187.
- */
-struct eap_aka_plugin_t {
-
-	/**
-	 * implements plugin interface
-	 */
-	plugin_t plugin;
-};
-
-/**
- * Create a eap_aka_plugin instance.
- */
-plugin_t *plugin_create();
-
-#endif /** EAP_AKA_PLUGIN_H_ @}*/
diff --git a/src/charon/plugins/eap_aka/eap_aka_server.c b/src/charon/plugins/eap_aka/eap_aka_server.c
deleted file mode 100644
index 9baff3e23..000000000
--- a/src/charon/plugins/eap_aka/eap_aka_server.c
+++ /dev/null
@@ -1,700 +0,0 @@
-/*
- * Copyright (C) 2006-2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "eap_aka_server.h"
-
-#include <daemon.h>
-#include <library.h>
-
-#include <simaka_message.h>
-#include <simaka_crypto.h>
-
-/** length of the AT_NONCE_S value */
-#define NONCE_LEN 16
-
-typedef struct private_eap_aka_server_t private_eap_aka_server_t;
-
-/**
- * Private data of an eap_aka_server_t object.
- */
-struct private_eap_aka_server_t {
-
-	/**
-	 * Public authenticator_t interface.
-	 */
-	eap_aka_server_t public;
-
-	/**
-	 * EAP-AKA crypto helper
-	 */
-	simaka_crypto_t *crypto;
-
-	/**
-	 * permanent ID of the peer
-	 */
-	identification_t *permanent;
-
-	/**
-	 * pseudonym ID of peer
-	 */
-	identification_t *pseudonym;
-
-	/**
-	 * reauthentication ID of peer
-	 */
-	identification_t *reauth;
-
-	/**
-	 * EAP identifier value
-	 */
-	u_int8_t identifier;
-
-	/**
-	 * Expected Result XRES
-	 */
-	chunk_t xres;
-
-	/**
-	 * Random value RAND
-	 */
-	chunk_t rand;
-
-	/**
-	 * MSK
-	 */
-	chunk_t msk;
-
-	/**
-	 * Nonce value used in AT_NONCE_S
-	 */
-	chunk_t nonce;
-
-	/**
-	 * Counter value negotiated, network order
-	 */
-	chunk_t counter;
-
-	/**
-	 * Do we request fast reauthentication?
-	 */
-	bool use_reauth;
-
-	/**
-	 * Do we request pseudonym identities?
-	 */
-	bool use_pseudonym;
-
-	/**
-	 * Do we request permanent identities?
-	 */
-	bool use_permanent;
-
-	/**
-	 * EAP-AKA message we have initiated
-	 */
-	simaka_subtype_t pending;
-
-	/**
-	 * Did the client send a synchronize request?
-	 */
-	bool synchronized;
-};
-
-/**
- * Create EAP-AKA/Request/Identity message
- */
-static status_t identity(private_eap_aka_server_t *this, eap_payload_t **out)
-{
-	simaka_message_t *message;
-
-	message = simaka_message_create(TRUE, this->identifier++, EAP_AKA,
-									AKA_IDENTITY, this->crypto);
-	if (this->use_reauth)
-	{
-		message->add_attribute(message, AT_ANY_ID_REQ, chunk_empty);
-	}
-	else if (this->use_pseudonym)
-	{
-		message->add_attribute(message, AT_FULLAUTH_ID_REQ, chunk_empty);
-	}
-	else if (this->use_permanent)
-	{
-		message->add_attribute(message, AT_PERMANENT_ID_REQ, chunk_empty);
-	}
-	*out = message->generate(message, chunk_empty);
-	message->destroy(message);
-
-	this->pending = AKA_IDENTITY;
-	return NEED_MORE;
-}
-
-/**
- * Create EAP-AKA/Request/Challenge message
- */
-static status_t challenge(private_eap_aka_server_t *this, eap_payload_t **out)
-{
-	simaka_message_t *message;
-	char rand[AKA_RAND_LEN], xres[AKA_RES_MAX];
-	char ck[AKA_CK_LEN], ik[AKA_IK_LEN], autn[AKA_AUTN_LEN];
-	int xres_len;
-	chunk_t data, mk;
-	identification_t *id;
-
-	if (!charon->sim->provider_get_quintuplet(charon->sim, this->permanent,
-										rand, xres, &xres_len, ck, ik, autn))
-	{
-		if (this->use_pseudonym)
-		{
-			/* probably received a pseudonym/reauth id we couldn't map */
-			DBG1(DBG_IKE, "failed to map pseudonym/reauth identity '%Y', "
-				 "fallback to permanent identity request", this->permanent);
-			this->use_pseudonym = FALSE;
-			DESTROY_IF(this->pseudonym);
-			this->pseudonym = NULL;
-			return identity(this, out);
-		}
-		return FAILED;
-	}
-	id = this->permanent;
-	if (this->pseudonym)
-	{
-		id = this->pseudonym;
-	}
-	data = chunk_cata("cc", chunk_create(ik, AKA_IK_LEN),
-					  chunk_create(ck, AKA_CK_LEN));
-	free(this->msk.ptr);
-	this->msk = this->crypto->derive_keys_full(this->crypto, id, data, &mk);
-	this->rand = chunk_clone(chunk_create(rand, AKA_RAND_LEN));
-	this->xres = chunk_clone(chunk_create(xres, xres_len));
-
-	message = simaka_message_create(TRUE, this->identifier++, EAP_AKA,
-									AKA_CHALLENGE, this->crypto);
-	message->add_attribute(message, AT_RAND, this->rand);
-	message->add_attribute(message, AT_AUTN, chunk_create(autn, AKA_AUTN_LEN));
-	id = charon->sim->provider_gen_reauth(charon->sim, this->permanent, mk.ptr);
-	if (id)
-	{
-		message->add_attribute(message, AT_NEXT_REAUTH_ID,
-							   id->get_encoding(id));
-		id->destroy(id);
-	}
-	else
-	{
-		id = charon->sim->provider_gen_pseudonym(charon->sim, this->permanent);
-		if (id)
-		{
-			message->add_attribute(message, AT_NEXT_PSEUDONYM,
-								   id->get_encoding(id));
-			id->destroy(id);
-		}
-	}
-	*out = message->generate(message, chunk_empty);
-	message->destroy(message);
-
-	free(mk.ptr);
-	this->pending = AKA_CHALLENGE;
-	return NEED_MORE;
-}
-
-/**
- * Initiate  EAP-AKA/Request/Re-authentication message
- */
-static status_t reauthenticate(private_eap_aka_server_t *this,
-							   char mk[HASH_SIZE_SHA1], u_int16_t counter,
-							   eap_payload_t **out)
-{
-	simaka_message_t *message;
-	identification_t *next;
-	chunk_t mkc;
-	rng_t *rng;
-
-	DBG1(DBG_IKE, "initiating EAP-AKA reauthentication");
-
-	rng = this->crypto->get_rng(this->crypto);
-	rng->allocate_bytes(rng, NONCE_LEN, &this->nonce);
-
-	mkc = chunk_create(mk, HASH_SIZE_SHA1);
-	counter = htons(counter);
-	this->counter = chunk_clone(chunk_create((char*)&counter, sizeof(counter)));
-
-	this->crypto->derive_keys_reauth(this->crypto, mkc);
-	this->msk = this->crypto->derive_keys_reauth_msk(this->crypto,
-								this->reauth, this->counter, this->nonce, mkc);
-
-	message = simaka_message_create(TRUE, this->identifier++, EAP_AKA,
-									AKA_REAUTHENTICATION, this->crypto);
-	message->add_attribute(message, AT_COUNTER, this->counter);
-	message->add_attribute(message, AT_NONCE_S, this->nonce);
-	next = charon->sim->provider_gen_reauth(charon->sim, this->permanent, mk);
-	if (next)
-	{
-		message->add_attribute(message, AT_NEXT_REAUTH_ID,
-							   next->get_encoding(next));
-		next->destroy(next);
-	}
-	*out = message->generate(message, chunk_empty);
-	message->destroy(message);
-
-	this->pending = SIM_REAUTHENTICATION;
-	return NEED_MORE;
-}
-
-/**
- * Implementation of eap_method_t.initiate
- */
-static status_t initiate(private_eap_aka_server_t *this, eap_payload_t **out)
-{
-	if (this->use_permanent || this->use_pseudonym || this->use_reauth)
-	{
-		return identity(this, out);
-	}
-	return challenge(this, out);
-}
-
-/**
- * Process EAP-AKA/Response/Identity message
- */
-static status_t process_identity(private_eap_aka_server_t *this,
-								 simaka_message_t *in, eap_payload_t **out)
-{
-	identification_t *permanent, *id;
-	enumerator_t *enumerator;
-	simaka_attribute_t type;
-	chunk_t data, identity = chunk_empty;
-
-	if (this->pending != AKA_IDENTITY)
-	{
-		DBG1(DBG_IKE, "received %N, but not expected",
-			 simaka_subtype_names, AKA_IDENTITY);
-		return FAILED;
-	}
-
-	enumerator = in->create_attribute_enumerator(in);
-	while (enumerator->enumerate(enumerator, &type, &data))
-	{
-		switch (type)
-		{
-			case AT_IDENTITY:
-				identity = data;
-				break;
-			default:
-				if (!simaka_attribute_skippable(type))
-				{
-					enumerator->destroy(enumerator);
-					return FAILED;
-				}
-				break;
-		}
-	}
-	enumerator->destroy(enumerator);
-
-	if (!identity.len)
-	{
-		DBG1(DBG_IKE, "received incomplete Identity response");
-		return FAILED;
-	}
-
-	id = identification_create_from_data(identity);
-	if (this->use_reauth)
-	{
-		char mk[HASH_SIZE_SHA1];
-		u_int16_t counter;
-
-		permanent = charon->sim->provider_is_reauth(charon->sim, id,
-													mk, &counter);
-		if (permanent)
-		{
-			this->permanent->destroy(this->permanent);
-			this->permanent = permanent;
-			this->reauth = id;
-			return reauthenticate(this, mk, counter, out);
-		}
-		/* unable to map, maybe a pseudonym? */
-		DBG1(DBG_IKE, "'%Y' is not a reauth identity", id);
-		this->use_reauth = FALSE;
-	}
-	if (this->use_pseudonym)
-	{
-		permanent = charon->sim->provider_is_pseudonym(charon->sim, id);
-		if (permanent)
-		{
-			this->permanent->destroy(this->permanent);
-			this->permanent = permanent;
-			this->pseudonym = id->clone(id);
-			/* we already have a new permanent identity now */
-			this->use_permanent = FALSE;
-		}
-		else
-		{
-			DBG1(DBG_IKE, "'%Y' is not a pseudonym", id);
-		}
-	}
-	if (!this->pseudonym && this->use_permanent)
-	{
-		/* got a permanent identity or a pseudonym reauth id wou couldn't map,
-		 * try to get quintuplets */
-		DBG1(DBG_IKE, "received identity '%Y'", id);
-		this->permanent->destroy(this->permanent);
-		this->permanent = id->clone(id);
-	}
-	id->destroy(id);
-
-	return challenge(this, out);
-}
-
-/**
- * Process EAP-AKA/Response/Challenge message
- */
-static status_t process_challenge(private_eap_aka_server_t *this,
-								  simaka_message_t *in)
-{
-	enumerator_t *enumerator;
-	simaka_attribute_t type;
-	chunk_t data, res = chunk_empty;
-
-	if (this->pending != AKA_CHALLENGE)
-	{
-		DBG1(DBG_IKE, "received %N, but not expected",
-			 simaka_subtype_names, AKA_CHALLENGE);
-		return FAILED;
-	}
-	/* verify MAC of EAP message, AT_MAC */
-	if (!in->verify(in, chunk_empty))
-	{
-		return FAILED;
-	}
-	enumerator = in->create_attribute_enumerator(in);
-	while (enumerator->enumerate(enumerator, &type, &data))
-	{
-		switch (type)
-		{
-			case AT_RES:
-				res = data;
-				break;
-			default:
-				if (!simaka_attribute_skippable(type))
-				{
-					enumerator->destroy(enumerator);
-					return FAILED;
-				}
-				break;
-		}
-	}
-	enumerator->destroy(enumerator);
-
-	/* compare received RES against stored XRES */
-	if (!chunk_equals(res, this->xres))
-	{
-		DBG1(DBG_IKE, "received RES does not match XRES");
-		return FAILED;
-	}
-	return SUCCESS;
-}
-
-/**
- * process an EAP-AKA/Response/Reauthentication message
- */
-static status_t process_reauthentication(private_eap_aka_server_t *this,
-									simaka_message_t *in, eap_payload_t **out)
-{
-	enumerator_t *enumerator;
-	simaka_attribute_t type;
-	chunk_t data, counter = chunk_empty;
-	bool too_small = FALSE;
-
-	if (this->pending != AKA_REAUTHENTICATION)
-	{
-		DBG1(DBG_IKE, "received %N, but not expected",
-			 simaka_subtype_names, AKA_REAUTHENTICATION);
-		return FAILED;
-	}
-	/* verify AT_MAC attribute, signature is over "EAP packet | NONCE_S"  */
-	if (!in->verify(in, this->nonce))
-	{
-		return FAILED;
-	}
-
-	enumerator = in->create_attribute_enumerator(in);
-	while (enumerator->enumerate(enumerator, &type, &data))
-	{
-		switch (type)
-		{
-			case AT_COUNTER:
-				counter = data;
-				break;
-			case AT_COUNTER_TOO_SMALL:
-				too_small = TRUE;
-				break;
-			default:
-				if (!simaka_attribute_skippable(type))
-				{
-					enumerator->destroy(enumerator);
-					return FAILED;
-				}
-				break;
-		}
-	}
-	enumerator->destroy(enumerator);
-
-	if (too_small)
-	{
-		DBG1(DBG_IKE, "received %N, initiating full authentication",
-			 simaka_attribute_names, AT_COUNTER_TOO_SMALL);
-		this->use_reauth = FALSE;
-		this->crypto->clear_keys(this->crypto);
-		return challenge(this, out);
-	}
-	if (!chunk_equals(counter, this->counter))
-	{
-		DBG1(DBG_IKE, "received counter does not match");
-		return FAILED;
-	}
-	return SUCCESS;
-}
-
-/**
- * Process EAP-AKA/Response/SynchronizationFailure message
- */
-static status_t process_synchronize(private_eap_aka_server_t *this,
-									simaka_message_t *in, eap_payload_t **out)
-{
-	enumerator_t *enumerator;
-	simaka_attribute_t type;
-	chunk_t data, auts = chunk_empty;
-
-	if (this->synchronized)
-	{
-		DBG1(DBG_IKE, "received %N, but peer did already resynchronize",
-			 simaka_subtype_names, AKA_SYNCHRONIZATION_FAILURE);
-		return FAILED;
-	}
-
-	DBG1(DBG_IKE, "received synchronization request, retrying...");
-
-	enumerator = in->create_attribute_enumerator(in);
-	while (enumerator->enumerate(enumerator, &type, &data))
-	{
-		switch (type)
-		{
-			case AT_AUTS:
-				auts = data;
-				break;
-			default:
-				if (!simaka_attribute_skippable(type))
-				{
-					enumerator->destroy(enumerator);
-					return FAILED;
-				}
-				break;
-		}
-	}
-	enumerator->destroy(enumerator);
-
-	if (!auts.len)
-	{
-		DBG1(DBG_IKE, "synchronization request didn't contain usable AUTS");
-		return FAILED;
-	}
-
-	if (!charon->sim->provider_resync(charon->sim, this->permanent,
-									  this->rand.ptr, auts.ptr))
-	{
-		DBG1(DBG_IKE, "no AKA provider found supporting "
-			 "resynchronization for '%Y'", this->permanent);
-		return FAILED;
-	}
-	this->synchronized = TRUE;
-	return challenge(this, out);
-}
-
-/**
- * Process EAP-AKA/Response/ClientErrorCode message
- */
-static status_t process_client_error(private_eap_aka_server_t *this,
-									 simaka_message_t *in)
-{
-	enumerator_t *enumerator;
-	simaka_attribute_t type;
-	chunk_t data;
-
-	enumerator = in->create_attribute_enumerator(in);
-	while (enumerator->enumerate(enumerator, &type, &data))
-	{
-		if (type == AT_CLIENT_ERROR_CODE)
-		{
-			u_int16_t code;
-
-			memcpy(&code, data.ptr, sizeof(code));
-			DBG1(DBG_IKE, "received EAP-AKA client error '%N'",
-				 simaka_client_error_names, ntohs(code));
-		}
-		else if (!simaka_attribute_skippable(type))
-		{
-			break;
-		}
-	}
-	enumerator->destroy(enumerator);
-	return FAILED;
-}
-
-/**
- * Process EAP-AKA/Response/AuthenticationReject message
- */
-static status_t process_authentication_reject(private_eap_aka_server_t *this,
-											  simaka_message_t *in)
-{
-	DBG1(DBG_IKE, "received %N, authentication failed",
-		 simaka_subtype_names, in->get_subtype(in));
-	return FAILED;
-}
-
-/**
- * Implementation of eap_method_t.process
- */
-static status_t process(private_eap_aka_server_t *this,
-						eap_payload_t *in, eap_payload_t **out)
-{
-	simaka_message_t *message;
-	status_t status;
-
-	message = simaka_message_create_from_payload(in, this->crypto);
-	if (!message)
-	{
-		return FAILED;
-	}
-	if (!message->parse(message))
-	{
-		message->destroy(message);
-		return FAILED;
-	}
-	switch (message->get_subtype(message))
-	{
-		case AKA_IDENTITY:
-			status = process_identity(this, message, out);
-			break;
-		case AKA_CHALLENGE:
-			status = process_challenge(this, message);
-			break;
-		case AKA_REAUTHENTICATION:
-			status = process_reauthentication(this, message, out);
-			break;
-		case AKA_SYNCHRONIZATION_FAILURE:
-			status = process_synchronize(this, message, out);
-			break;
-		case AKA_CLIENT_ERROR:
-			status = process_client_error(this, message);
-			break;
-		case AKA_AUTHENTICATION_REJECT:
-			status = process_authentication_reject(this, message);
-			break;
-		default:
-			DBG1(DBG_IKE, "unable to process EAP-AKA subtype %N",
-				 simaka_subtype_names, message->get_subtype(message));
-			status = FAILED;
-			break;
-	}
-	message->destroy(message);
-	return status;
-}
-
-/**
- * Implementation of eap_method_t.get_type.
- */
-static eap_type_t get_type(private_eap_aka_server_t *this, u_int32_t *vendor)
-{
-	*vendor = 0;
-	return EAP_AKA;
-}
-
-/**
- * Implementation of eap_method_t.get_msk.
- */
-static status_t get_msk(private_eap_aka_server_t *this, chunk_t *msk)
-{
-	if (this->msk.ptr)
-	{
-		*msk = this->msk;
-		return SUCCESS;
-	}
-	return FAILED;
-}
-
-/**
- * Implementation of eap_method_t.is_mutual.
- */
-static bool is_mutual(private_eap_aka_server_t *this)
-{
-	return TRUE;
-}
-
-/**
- * Implementation of eap_method_t.destroy.
- */
-static void destroy(private_eap_aka_server_t *this)
-{
-	this->crypto->destroy(this->crypto);
-	this->permanent->destroy(this->permanent);
-	DESTROY_IF(this->pseudonym);
-	DESTROY_IF(this->reauth);
-	free(this->xres.ptr);
-	free(this->rand.ptr);
-	free(this->nonce.ptr);
-	free(this->msk.ptr);
-	free(this->counter.ptr);
-	free(this);
-}
-
-/*
- * Described in header.
- */
-eap_aka_server_t *eap_aka_server_create(identification_t *server,
-										identification_t *peer)
-{
-	private_eap_aka_server_t *this = malloc_thing(private_eap_aka_server_t);
-
-	this->public.interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate;
-	this->public.interface.process = (status_t(*)(eap_method_t*,eap_payload_t*,eap_payload_t**))process;
-	this->public.interface.get_type = (eap_type_t(*)(eap_method_t*,u_int32_t*))get_type;
-	this->public.interface.is_mutual = (bool(*)(eap_method_t*))is_mutual;
-	this->public.interface.get_msk = (status_t(*)(eap_method_t*,chunk_t*))get_msk;
-	this->public.interface.destroy = (void(*)(eap_method_t*))destroy;
-
-	this->crypto = simaka_crypto_create();
-	if (!this->crypto)
-	{
-		free(this);
-		return NULL;
-	}
-	this->permanent = peer->clone(peer);
-	this->pseudonym = NULL;
-	this->reauth = NULL;
-	this->xres = chunk_empty;
-	this->rand = chunk_empty;
-	this->nonce = chunk_empty;
-	this->msk = chunk_empty;
-	this->counter = chunk_empty;
-	this->pending = 0;
-	this->synchronized = FALSE;
-	this->use_reauth = this->use_pseudonym = this->use_permanent =
-		lib->settings->get_bool(lib->settings,
-								"charon.plugins.eap-aka.request_identity", TRUE);
-	/* generate a non-zero identifier */
-	do {
-		this->identifier = random();
-	} while (!this->identifier);
-
-	return &this->public;
-}
-
diff --git a/src/charon/plugins/eap_aka/eap_aka_server.h b/src/charon/plugins/eap_aka/eap_aka_server.h
deleted file mode 100644
index d48fc4c34..000000000
--- a/src/charon/plugins/eap_aka/eap_aka_server.h
+++ /dev/null
@@ -1,49 +0,0 @@
-/*
- * Copyright (C) 2008-2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup eap_aka_server eap_aka_server
- * @{ @ingroup eap_aka
- */
-
-#ifndef EAP_AKA_SERVER_H_
-#define EAP_AKA_SERVER_H_
-
-typedef struct eap_aka_server_t eap_aka_server_t;
-
-#include <sa/authenticators/eap/eap_method.h>
-
-/**
- * Implementation of the eap_method_t interface using EAP-AKA as server.
- */
-struct eap_aka_server_t {
-
-	/**
-	 * Implemented eap_method_t interface.
-	 */
-	eap_method_t interface;
-};
-
-/**
- * Creates the server implementation of the EAP method EAP-AKA.
- *
- * @param server	ID of the EAP server
- * @param peer		ID of the EAP client
- * @return			eap_aka_server_t object
- */
-eap_aka_server_t *eap_aka_server_create(identification_t *server,
-										identification_t *peer);
-
-#endif /** EAP_AKA_SERVER_H_ @}*/
diff --git a/src/charon/plugins/eap_aka_3gpp2/Makefile.am b/src/charon/plugins/eap_aka_3gpp2/Makefile.am
deleted file mode 100644
index 1a4a3765b..000000000
--- a/src/charon/plugins/eap_aka_3gpp2/Makefile.am
+++ /dev/null
@@ -1,15 +0,0 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
-
-AM_CFLAGS = -rdynamic
-
-plugin_LTLIBRARIES = libstrongswan-eap-aka-3gpp2.la
-
-libstrongswan_eap_aka_3gpp2_la_SOURCES = \
-  eap_aka_3gpp2_plugin.h eap_aka_3gpp2_plugin.c \
-  eap_aka_3gpp2_card.h eap_aka_3gpp2_card.c \
-  eap_aka_3gpp2_provider.h eap_aka_3gpp2_provider.c \
-  eap_aka_3gpp2_functions.h eap_aka_3gpp2_functions.c
-libstrongswan_eap_aka_3gpp2_la_LDFLAGS = -module -avoid-version
-libstrongswan_eap_aka_3gpp2_la_LIBADD = -lgmp
-
diff --git a/src/charon/plugins/eap_aka_3gpp2/Makefile.in b/src/charon/plugins/eap_aka_3gpp2/Makefile.in
deleted file mode 100644
index b80f97f95..000000000
--- a/src/charon/plugins/eap_aka_3gpp2/Makefile.in
+++ /dev/null
@@ -1,579 +0,0 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
-# @configure_input@
-
-# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
-# This Makefile.in is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
-# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
-# PARTICULAR PURPOSE.
-
-@SET_MAKE@
-
-VPATH = @srcdir@
-pkgdatadir = $(datadir)/@PACKAGE@
-pkgincludedir = $(includedir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
-pkglibexecdir = $(libexecdir)/@PACKAGE@
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-install_sh_DATA = $(install_sh) -c -m 644
-install_sh_PROGRAM = $(install_sh) -c
-install_sh_SCRIPT = $(install_sh) -c
-INSTALL_HEADER = $(INSTALL_DATA)
-transform = $(program_transform_name)
-NORMAL_INSTALL = :
-PRE_INSTALL = :
-POST_INSTALL = :
-NORMAL_UNINSTALL = :
-PRE_UNINSTALL = :
-POST_UNINSTALL = :
-build_triplet = @build@
-host_triplet = @host@
-subdir = src/charon/plugins/eap_aka_3gpp2
-DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
-ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
-	$(top_srcdir)/m4/config/ltoptions.m4 \
-	$(top_srcdir)/m4/config/ltsugar.m4 \
-	$(top_srcdir)/m4/config/ltversion.m4 \
-	$(top_srcdir)/m4/config/lt~obsolete.m4 \
-	$(top_srcdir)/m4/macros/with.m4 \
-	$(top_srcdir)/m4/macros/enable-disable.m4 \
-	$(top_srcdir)/configure.in
-am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
-	$(ACLOCAL_M4)
-mkinstalldirs = $(install_sh) -d
-CONFIG_CLEAN_FILES =
-CONFIG_CLEAN_VPATH_FILES =
-am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
-am__vpath_adj = case $$p in \
-    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
-    *) f=$$p;; \
-  esac;
-am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
-am__install_max = 40
-am__nobase_strip_setup = \
-  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
-am__nobase_strip = \
-  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
-am__nobase_list = $(am__nobase_strip_setup); \
-  for p in $$list; do echo "$$p $$p"; done | \
-  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
-  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
-    if (++n[$$2] == $(am__install_max)) \
-      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
-    END { for (dir in files) print dir, files[dir] }'
-am__base_list = \
-  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
-  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
-am__installdirs = "$(DESTDIR)$(plugindir)"
-LTLIBRARIES = $(plugin_LTLIBRARIES)
-libstrongswan_eap_aka_3gpp2_la_DEPENDENCIES =
-am_libstrongswan_eap_aka_3gpp2_la_OBJECTS = eap_aka_3gpp2_plugin.lo \
-	eap_aka_3gpp2_card.lo eap_aka_3gpp2_provider.lo \
-	eap_aka_3gpp2_functions.lo
-libstrongswan_eap_aka_3gpp2_la_OBJECTS =  \
-	$(am_libstrongswan_eap_aka_3gpp2_la_OBJECTS)
-libstrongswan_eap_aka_3gpp2_la_LINK = $(LIBTOOL) --tag=CC \
-	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
-	$(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_eap_aka_3gpp2_la_LDFLAGS) $(LDFLAGS) -o $@
-DEFAULT_INCLUDES = -I.@am__isrc@
-depcomp = $(SHELL) $(top_srcdir)/depcomp
-am__depfiles_maybe = depfiles
-am__mv = mv -f
-COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
-	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
-SOURCES = $(libstrongswan_eap_aka_3gpp2_la_SOURCES)
-DIST_SOURCES = $(libstrongswan_eap_aka_3gpp2_la_SOURCES)
-ETAGS = etags
-CTAGS = ctags
-DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
-ACLOCAL = @ACLOCAL@
-ALLOCA = @ALLOCA@
-AMTAR = @AMTAR@
-AR = @AR@
-AUTOCONF = @AUTOCONF@
-AUTOHEADER = @AUTOHEADER@
-AUTOMAKE = @AUTOMAKE@
-AWK = @AWK@
-BTLIB = @BTLIB@
-CC = @CC@
-CCDEPMODE = @CCDEPMODE@
-CFLAGS = @CFLAGS@
-CPP = @CPP@
-CPPFLAGS = @CPPFLAGS@
-CYGPATH_W = @CYGPATH_W@
-DEFS = @DEFS@
-DEPDIR = @DEPDIR@
-DLLIB = @DLLIB@
-DSYMUTIL = @DSYMUTIL@
-DUMPBIN = @DUMPBIN@
-ECHO_C = @ECHO_C@
-ECHO_N = @ECHO_N@
-ECHO_T = @ECHO_T@
-EGREP = @EGREP@
-EXEEXT = @EXEEXT@
-FGREP = @FGREP@
-GPERF = @GPERF@
-GREP = @GREP@
-INSTALL = @INSTALL@
-INSTALL_DATA = @INSTALL_DATA@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@
-INSTALL_SCRIPT = @INSTALL_SCRIPT@
-INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-LD = @LD@
-LDFLAGS = @LDFLAGS@
-LEX = @LEX@
-LEXLIB = @LEXLIB@
-LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBOBJS = @LIBOBJS@
-LIBS = @LIBS@
-LIBTOOL = @LIBTOOL@
-LIPO = @LIPO@
-LN_S = @LN_S@
-LTLIBOBJS = @LTLIBOBJS@
-MAKEINFO = @MAKEINFO@
-MKDIR_P = @MKDIR_P@
-MYSQLCFLAG = @MYSQLCFLAG@
-MYSQLCONFIG = @MYSQLCONFIG@
-MYSQLLIB = @MYSQLLIB@
-NM = @NM@
-NMEDIT = @NMEDIT@
-OBJDUMP = @OBJDUMP@
-OBJEXT = @OBJEXT@
-OTOOL = @OTOOL@
-OTOOL64 = @OTOOL64@
-PACKAGE = @PACKAGE@
-PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
-PACKAGE_NAME = @PACKAGE_NAME@
-PACKAGE_STRING = @PACKAGE_STRING@
-PACKAGE_TARNAME = @PACKAGE_TARNAME@
-PACKAGE_URL = @PACKAGE_URL@
-PACKAGE_VERSION = @PACKAGE_VERSION@
-PATH_SEPARATOR = @PATH_SEPARATOR@
-PERL = @PERL@
-PKG_CONFIG = @PKG_CONFIG@
-PTHREADLIB = @PTHREADLIB@
-RANLIB = @RANLIB@
-RTLIB = @RTLIB@
-RUBY = @RUBY@
-RUBYINCLUDE = @RUBYINCLUDE@
-SED = @SED@
-SET_MAKE = @SET_MAKE@
-SHELL = @SHELL@
-SOCKLIB = @SOCKLIB@
-STRIP = @STRIP@
-VERSION = @VERSION@
-YACC = @YACC@
-YFLAGS = @YFLAGS@
-abs_builddir = @abs_builddir@
-abs_srcdir = @abs_srcdir@
-abs_top_builddir = @abs_top_builddir@
-abs_top_srcdir = @abs_top_srcdir@
-ac_ct_CC = @ac_ct_CC@
-ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
-am__include = @am__include@
-am__leading_dot = @am__leading_dot@
-am__quote = @am__quote@
-am__tar = @am__tar@
-am__untar = @am__untar@
-bindir = @bindir@
-build = @build@
-build_alias = @build_alias@
-build_cpu = @build_cpu@
-build_os = @build_os@
-build_vendor = @build_vendor@
-builddir = @builddir@
-datadir = @datadir@
-datarootdir = @datarootdir@
-default_pkcs11 = @default_pkcs11@
-docdir = @docdir@
-dvidir = @dvidir@
-exec_prefix = @exec_prefix@
-gtk_CFLAGS = @gtk_CFLAGS@
-gtk_LIBS = @gtk_LIBS@
-host = @host@
-host_alias = @host_alias@
-host_cpu = @host_cpu@
-host_os = @host_os@
-host_vendor = @host_vendor@
-htmldir = @htmldir@
-includedir = @includedir@
-infodir = @infodir@
-install_sh = @install_sh@
-ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
-ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
-ipsecuser = @ipsecuser@
-libdir = @libdir@
-libexecdir = @libexecdir@
-libstrongswan_plugins = @libstrongswan_plugins@
-linux_headers = @linux_headers@
-localedir = @localedir@
-localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
-mandir = @mandir@
-mkdir_p = @mkdir_p@
-nm_CFLAGS = @nm_CFLAGS@
-nm_LIBS = @nm_LIBS@
-nm_ca_dir = @nm_ca_dir@
-oldincludedir = @oldincludedir@
-pdfdir = @pdfdir@
-piddir = @piddir@
-plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
-prefix = @prefix@
-program_transform_name = @program_transform_name@
-psdir = @psdir@
-random_device = @random_device@
-resolv_conf = @resolv_conf@
-routing_table = @routing_table@
-routing_table_prio = @routing_table_prio@
-sbindir = @sbindir@
-sharedstatedir = @sharedstatedir@
-srcdir = @srcdir@
-strongswan_conf = @strongswan_conf@
-sysconfdir = @sysconfdir@
-target_alias = @target_alias@
-top_build_prefix = @top_build_prefix@
-top_builddir = @top_builddir@
-top_srcdir = @top_srcdir@
-urandom_device = @urandom_device@
-xml_CFLAGS = @xml_CFLAGS@
-xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
-AM_CFLAGS = -rdynamic
-plugin_LTLIBRARIES = libstrongswan-eap-aka-3gpp2.la
-libstrongswan_eap_aka_3gpp2_la_SOURCES = \
-  eap_aka_3gpp2_plugin.h eap_aka_3gpp2_plugin.c \
-  eap_aka_3gpp2_card.h eap_aka_3gpp2_card.c \
-  eap_aka_3gpp2_provider.h eap_aka_3gpp2_provider.c \
-  eap_aka_3gpp2_functions.h eap_aka_3gpp2_functions.c
-
-libstrongswan_eap_aka_3gpp2_la_LDFLAGS = -module -avoid-version
-libstrongswan_eap_aka_3gpp2_la_LIBADD = -lgmp
-all: all-am
-
-.SUFFIXES:
-.SUFFIXES: .c .lo .o .obj
-$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
-	@for dep in $?; do \
-	  case '$(am__configure_deps)' in \
-	    *$$dep*) \
-	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
-	        && { if test -f $@; then exit 0; else break; fi; }; \
-	      exit 1;; \
-	  esac; \
-	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/charon/plugins/eap_aka_3gpp2/Makefile'; \
-	$(am__cd) $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu src/charon/plugins/eap_aka_3gpp2/Makefile
-.PRECIOUS: Makefile
-Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
-	@case '$?' in \
-	  *config.status*) \
-	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
-	  *) \
-	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
-	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
-	esac;
-
-$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-
-$(top_srcdir)/configure:  $(am__configure_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(am__aclocal_m4_deps):
-install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
-	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
-	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
-	list2=; for p in $$list; do \
-	  if test -f $$p; then \
-	    list2="$$list2 $$p"; \
-	  else :; fi; \
-	done; \
-	test -z "$$list2" || { \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
-	}
-
-uninstall-pluginLTLIBRARIES:
-	@$(NORMAL_UNINSTALL)
-	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
-	for p in $$list; do \
-	  $(am__strip_dir) \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
-	done
-
-clean-pluginLTLIBRARIES:
-	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
-	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
-	  test "$$dir" != "$$p" || dir=.; \
-	  echo "rm -f \"$${dir}/so_locations\""; \
-	  rm -f "$${dir}/so_locations"; \
-	done
-libstrongswan-eap-aka-3gpp2.la: $(libstrongswan_eap_aka_3gpp2_la_OBJECTS) $(libstrongswan_eap_aka_3gpp2_la_DEPENDENCIES) 
-	$(libstrongswan_eap_aka_3gpp2_la_LINK) -rpath $(plugindir) $(libstrongswan_eap_aka_3gpp2_la_OBJECTS) $(libstrongswan_eap_aka_3gpp2_la_LIBADD) $(LIBS)
-
-mostlyclean-compile:
-	-rm -f *.$(OBJEXT)
-
-distclean-compile:
-	-rm -f *.tab.c
-
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_aka_3gpp2_card.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_aka_3gpp2_functions.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_aka_3gpp2_plugin.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_aka_3gpp2_provider.Plo@am__quote@
-
-.c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
-
-.c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
-
-.c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
-
-mostlyclean-libtool:
-	-rm -f *.lo
-
-clean-libtool:
-	-rm -rf .libs _libs
-
-ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
-	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	mkid -fID $$unique
-tags: TAGS
-
-TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	set x; \
-	here=`pwd`; \
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	shift; \
-	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
-	  test -n "$$unique" || unique=$$empty_fix; \
-	  if test $$# -gt 0; then \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      "$$@" $$unique; \
-	  else \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      $$unique; \
-	  fi; \
-	fi
-ctags: CTAGS
-CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$unique" \
-	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$unique
-
-GTAGS:
-	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && $(am__cd) $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) "$$here"
-
-distclean-tags:
-	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
-
-distdir: $(DISTFILES)
-	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	list='$(DISTFILES)'; \
-	  dist_files=`for file in $$list; do echo $$file; done | \
-	  sed -e "s|^$$srcdirstrip/||;t" \
-	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
-	case $$dist_files in \
-	  */*) $(MKDIR_P) `echo "$$dist_files" | \
-			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
-			   sort -u` ;; \
-	esac; \
-	for file in $$dist_files; do \
-	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  if test -d $$d/$$file; then \
-	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
-	    if test -d "$(distdir)/$$file"; then \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
-	  else \
-	    test -f "$(distdir)/$$file" \
-	    || cp -p $$d/$$file "$(distdir)/$$file" \
-	    || exit 1; \
-	  fi; \
-	done
-check-am: all-am
-check: check-am
-all-am: Makefile $(LTLIBRARIES)
-installdirs:
-	for dir in "$(DESTDIR)$(plugindir)"; do \
-	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
-	done
-install: install-am
-install-exec: install-exec-am
-install-data: install-data-am
-uninstall: uninstall-am
-
-install-am: all-am
-	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
-
-installcheck: installcheck-am
-install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
-mostlyclean-generic:
-
-clean-generic:
-
-distclean-generic:
-	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
-
-maintainer-clean-generic:
-	@echo "This command is intended for maintainers to use"
-	@echo "it deletes files that may require special tools to rebuild."
-clean: clean-am
-
-clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
-	mostlyclean-am
-
-distclean: distclean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-distclean-am: clean-am distclean-compile distclean-generic \
-	distclean-tags
-
-dvi: dvi-am
-
-dvi-am:
-
-html: html-am
-
-html-am:
-
-info: info-am
-
-info-am:
-
-install-data-am: install-pluginLTLIBRARIES
-
-install-dvi: install-dvi-am
-
-install-dvi-am:
-
-install-exec-am:
-
-install-html: install-html-am
-
-install-html-am:
-
-install-info: install-info-am
-
-install-info-am:
-
-install-man:
-
-install-pdf: install-pdf-am
-
-install-pdf-am:
-
-install-ps: install-ps-am
-
-install-ps-am:
-
-installcheck-am:
-
-maintainer-clean: maintainer-clean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-maintainer-clean-am: distclean-am maintainer-clean-generic
-
-mostlyclean: mostlyclean-am
-
-mostlyclean-am: mostlyclean-compile mostlyclean-generic \
-	mostlyclean-libtool
-
-pdf: pdf-am
-
-pdf-am:
-
-ps: ps-am
-
-ps-am:
-
-uninstall-am: uninstall-pluginLTLIBRARIES
-
-.MAKE: install-am install-strip
-
-.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
-	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
-	distclean-compile distclean-generic distclean-libtool \
-	distclean-tags distdir dvi dvi-am html html-am info info-am \
-	install install-am install-data install-data-am install-dvi \
-	install-dvi-am install-exec install-exec-am install-html \
-	install-html-am install-info install-info-am install-man \
-	install-pdf install-pdf-am install-pluginLTLIBRARIES \
-	install-ps install-ps-am install-strip installcheck \
-	installcheck-am installdirs maintainer-clean \
-	maintainer-clean-generic mostlyclean mostlyclean-compile \
-	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
-
-
-# Tell versions [3.59,3.63) of GNU make to not export all variables.
-# Otherwise a system limit (for SysV at least) may be exceeded.
-.NOEXPORT:
diff --git a/src/charon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_card.c b/src/charon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_card.c
deleted file mode 100644
index 5c0fe38ad..000000000
--- a/src/charon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_card.c
+++ /dev/null
@@ -1,178 +0,0 @@
-/*
- * Copyright (C) 2008-2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "eap_aka_3gpp2_card.h"
-
-#include <daemon.h>
-
-typedef struct private_eap_aka_3gpp2_card_t private_eap_aka_3gpp2_card_t;
-
-/**
- * Private data of an eap_aka_3gpp2_card_t object.
- */
-struct private_eap_aka_3gpp2_card_t {
-
-	/**
-	 * Public eap_aka_3gpp2_card_t interface.
-	 */
-	eap_aka_3gpp2_card_t public;
-
-	/**
-	 * AKA functions
-	 */
-	eap_aka_3gpp2_functions_t *f;
-
-	/**
-	 * do sequence number checking?
-	 */
-	bool seq_check;
-
-	/**
-	 * SQN stored in this pseudo-USIM
-	 */
-	char sqn[AKA_SQN_LEN];
-};
-
-/**
- * Functions from eap_aka_3gpp2_provider.c
- */
-bool eap_aka_3gpp2_get_k(identification_t *id, char k[AKA_K_LEN]);
-void eap_aka_3gpp2_get_sqn(char sqn[AKA_SQN_LEN], int offset);
-
-/**
- * Implementation of sim_card_t.get_quintuplet
- */
-static status_t get_quintuplet(private_eap_aka_3gpp2_card_t *this,
-							   identification_t *id, char rand[AKA_RAND_LEN],
-							   char autn[AKA_AUTN_LEN], char ck[AKA_CK_LEN],
-							   char ik[AKA_IK_LEN], char res[AKA_RES_MAX],
-							   int *res_len)
-{
-	char *amf, *mac;
-	char k[AKA_K_LEN], ak[AKA_AK_LEN], sqn[AKA_SQN_LEN], xmac[AKA_MAC_LEN];
-
-	if (!eap_aka_3gpp2_get_k(id, k))
-	{
-		DBG1(DBG_IKE, "no EAP key found for %Y to authenticate with AKA", id);
-		return FAILED;
-	}
-
-	/* AUTN = SQN xor AK | AMF | MAC */
-	DBG3(DBG_IKE, "received autn %b", autn, AKA_AUTN_LEN);
-	DBG3(DBG_IKE, "using K %b", k, AKA_K_LEN);
-	DBG3(DBG_IKE, "using rand %b", rand, AKA_RAND_LEN);
-	memcpy(sqn, autn, AKA_SQN_LEN);
-	amf = autn + AKA_SQN_LEN;
-	mac = autn + AKA_SQN_LEN + AKA_AMF_LEN;
-
-	/* XOR anonymity key AK into SQN to decrypt it */
-	this->f->f5(this->f, k, rand, ak);
-	DBG3(DBG_IKE, "using ak %b", ak, AKA_AK_LEN);
-	memxor(sqn, ak, AKA_SQN_LEN);
-	DBG3(DBG_IKE, "using sqn %b", sqn, AKA_SQN_LEN);
-
-	/* calculate expected MAC and compare against received one */
-	this->f->f1(this->f, k, rand, sqn, amf, xmac);
-	if (!memeq(mac, xmac, AKA_MAC_LEN))
-	{
-		DBG1(DBG_IKE, "received MAC does not match XMAC");
-		DBG3(DBG_IKE, "MAC %b\nXMAC %b", mac, AKA_MAC_LEN, xmac, AKA_MAC_LEN);
-		return FAILED;
-	}
-
-	if (this->seq_check && memcmp(this->sqn, sqn, AKA_SQN_LEN) >= 0)
-	{
-		DBG3(DBG_IKE, "received SQN %b\ncurrent SQN %b",
-			 sqn, AKA_SQN_LEN, this->sqn, AKA_SQN_LEN);
-		return INVALID_STATE;
-	}
-
-	/* update stored SQN to the received one */
-	memcpy(this->sqn, sqn, AKA_SQN_LEN);
-
-	/* CK/IK */
-	this->f->f3(this->f, k, rand, ck);
-	this->f->f4(this->f, k, rand, ik);
-	/* calculate RES */
-	this->f->f2(this->f, k, rand, res);
-	*res_len = AKA_RES_MAX;
-
-	return SUCCESS;
-}
-
-/**
- * Implementation of sim_card_t.resync
- */
-static bool resync(private_eap_aka_3gpp2_card_t *this, identification_t *id,
-				   char rand[AKA_RAND_LEN], char auts[AKA_AUTS_LEN])
-{
-	char amf[AKA_AMF_LEN], k[AKA_K_LEN], aks[AKA_AK_LEN], macs[AKA_MAC_LEN];
-
-	if (!eap_aka_3gpp2_get_k(id, k))
-	{
-		DBG1(DBG_IKE, "no EAP key found for %Y to resync AKA", id);
-		return FALSE;
-	}
-
-	/* AMF is set to zero in resync */
-	memset(amf, 0, AKA_AMF_LEN);
-	this->f->f5star(this->f, k, rand, aks);
-	this->f->f1star(this->f, k, rand, this->sqn, amf, macs);
-	/* AUTS = SQN xor AKS | MACS */
-	memcpy(auts, this->sqn, AKA_SQN_LEN);
-	memxor(auts, aks, AKA_AK_LEN);
-	memcpy(auts + AKA_AK_LEN, macs, AKA_MAC_LEN);
-
-	return TRUE;
-}
-
-/**
- * Implementation of eap_aka_3gpp2_card_t.destroy.
- */
-static void destroy(private_eap_aka_3gpp2_card_t *this)
-{
-	free(this);
-}
-
-/**
- * See header
- */
-eap_aka_3gpp2_card_t *eap_aka_3gpp2_card_create(eap_aka_3gpp2_functions_t *f)
-{
-	private_eap_aka_3gpp2_card_t *this = malloc_thing(private_eap_aka_3gpp2_card_t);
-
-	this->public.card.get_triplet = (bool(*)(sim_card_t*, identification_t *id, char rand[SIM_RAND_LEN], char sres[SIM_SRES_LEN], char kc[SIM_KC_LEN]))return_false;
-	this->public.card.get_quintuplet = (status_t(*)(sim_card_t*, identification_t *id, char rand[AKA_RAND_LEN], char autn[AKA_AUTN_LEN], char ck[AKA_CK_LEN], char ik[AKA_IK_LEN], char res[AKA_RES_MAX], int *res_len))get_quintuplet;
-	this->public.card.resync = (bool(*)(sim_card_t*, identification_t *id, char rand[AKA_RAND_LEN], char auts[AKA_AUTS_LEN]))resync;
-	this->public.card.get_pseudonym = (identification_t*(*)(sim_card_t*, identification_t *id))return_null;
-	this->public.card.set_pseudonym = (void(*)(sim_card_t*, identification_t *id, identification_t *pseudonym))nop;
-	this->public.card.get_reauth = (identification_t*(*)(sim_card_t*, identification_t *id, char mk[HASH_SIZE_SHA1], u_int16_t *counter))return_null;
-	this->public.card.set_reauth = (void(*)(sim_card_t*, identification_t *id, identification_t* next, char mk[HASH_SIZE_SHA1], u_int16_t counter))nop;
-	this->public.destroy = (void(*)(eap_aka_3gpp2_card_t*))destroy;
-
-	this->f = f;
-	this->seq_check = lib->settings->get_bool(lib->settings,
-									"charon.plugins.eap-aka-3gpp2.seq_check",
-#ifdef SEQ_CHECK /* handle legacy compile time configuration as default */
-									TRUE);
-#else /* !SEQ_CHECK */
-									FALSE);
-#endif /* SEQ_CHECK */
-
-	eap_aka_3gpp2_get_sqn(this->sqn, 0);
-
-	return &this->public;
-}
-
diff --git a/src/charon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_card.h b/src/charon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_card.h
deleted file mode 100644
index b95bc52af..000000000
--- a/src/charon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_card.h
+++ /dev/null
@@ -1,53 +0,0 @@
-/*
- * Copyright (C) 2008-2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup eap_aka_3gpp2_card eap_aka_3gpp2_card
- * @{ @ingroup eap_aka_3gpp2
- */
-
-#ifndef EAP_AKA_3GPP2_CARD_H_
-#define EAP_AKA_3GPP2_CARD_H_
-
-#include "eap_aka_3gpp2_functions.h"
-
-#include <sa/authenticators/eap/sim_manager.h>
-
-typedef struct eap_aka_3gpp2_card_t eap_aka_3gpp2_card_t;
-
-/**
- * SIM card implementation using a set of AKA functions.
- */
-struct eap_aka_3gpp2_card_t {
-
-	/**
-	 * Implements sim_card_t interface
-	 */
-	sim_card_t card;
-
-	/**
-	 * Destroy a eap_aka_3gpp2_card_t.
-	 */
-	void (*destroy)(eap_aka_3gpp2_card_t *this);
-};
-
-/**
- * Create a eap_aka_3gpp2_card instance.
- *
- * @param f		AKA functions
- */
-eap_aka_3gpp2_card_t *eap_aka_3gpp2_card_create(eap_aka_3gpp2_functions_t *f);
-
-#endif /** EAP_AKA_3GPP2_CARD_H_ @}*/
diff --git a/src/charon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_functions.c b/src/charon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_functions.c
deleted file mode 100644
index 1d3d246d1..000000000
--- a/src/charon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_functions.c
+++ /dev/null
@@ -1,394 +0,0 @@
-/*
- * Copyright (C) 2008-2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "eap_aka_3gpp2_functions.h"
-
-#include <gmp.h>
-#include <limits.h>
-
-#include <daemon.h>
-
-typedef struct private_eap_aka_3gpp2_functions_t private_eap_aka_3gpp2_functions_t;
-
-/**
- * Private data of an eap_aka_3gpp2_functions_t object.
- */
-struct private_eap_aka_3gpp2_functions_t {
-
-	/**
-	 * Public eap_aka_3gpp2_functions_t interface.
-	 */
-	eap_aka_3gpp2_functions_t public;
-
-	/**
-	 * Used keyed SHA1 function, as PRF
-	 */
-	prf_t *prf;
-};
-
-#define AKA_PAYLOAD_LEN 64
-
-#define F1			  0x42
-#define F1STAR		  0x43
-#define F2			  0x44
-#define F3			  0x45
-#define F4			  0x46
-#define F5			  0x47
-#define F5STAR		  0x48
-
-/** Family key, as proposed in S.S0055 */
-static chunk_t fmk = chunk_from_chars(0x41, 0x48, 0x41, 0x47);
-
-/**
- * Binary represnation of the polynom T^160 + T^5 + T^3 + T^2 + 1
- */
-static u_int8_t g[] = {
-	0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-	0x00, 0x00, 0x00, 0x00, 0x2d
-};
-
-/**
- * Predefined random bits from the RAND Corporation book
- */
-static u_int8_t a[] = {
-	0x9d, 0xe9, 0xc9, 0xc8, 0xef, 0xd5, 0x78, 0x11,
-	0x48, 0x23, 0x14, 0x01, 0x90, 0x1f, 0x2d, 0x49,
-	0x3f, 0x4c, 0x63, 0x65
-};
-
-/**
- * Predefined random bits from the RAND Corporation book
- */
-static u_int8_t b[] = {
-	0x75, 0xef, 0xd1, 0x5c, 0x4b, 0x8f, 0x8f, 0x51,
-	0x4e, 0xf3, 0xbc, 0xc3, 0x79, 0x4a, 0x76, 0x5e,
-	0x7e, 0xec, 0x45, 0xe0
-};
-
-/**
- * Multiplicate two mpz_t with bits interpreted as polynoms.
- */
-static void mpz_mul_poly(mpz_t r, mpz_t a, mpz_t b)
-{
-	mpz_t bm, rm;
-	int current = 0, shifted = 0, shift;
-
-	mpz_init_set(bm, b);
-	mpz_init_set_ui(rm, 0);
-	/* scan through a, for each found bit: */
-	while ((current = mpz_scan1(a, current)) != ULONG_MAX)
-	{
-		/* XOR shifted b into r */
-		shift = current - shifted;
-		mpz_mul_2exp(bm, bm, shift);
-		shifted += shift;
-		mpz_xor(rm, rm, bm);
-		current++;
-	}
-
-	mpz_swap(r, rm);
-	mpz_clear(rm);
-	mpz_clear(bm);
-}
-
-/**
- * Calculate the sum of a + b interpreted as polynoms.
- */
-static void mpz_add_poly(mpz_t res, mpz_t a, mpz_t b)
-{
-	/* addition of polynominals is just the XOR */
-	mpz_xor(res, a, b);
-}
-
-/**
- * Calculate the remainder of a/b interpreted as polynoms.
- */
-static void mpz_mod_poly(mpz_t r, mpz_t a, mpz_t b)
-{
-	/* Example:
-	 * a = 10001010
-	 * b = 00000101
-	 */
-	int a_bit, b_bit, diff;
-	mpz_t bm, am;
-
-	mpz_init_set(am, a);
-	mpz_init(bm);
-
-	a_bit = mpz_sizeinbase(a, 2);
-	b_bit = mpz_sizeinbase(b, 2);
-
-	/* don't do anything if b > a */
-	if (a_bit >= b_bit)
-	{
-		/* shift b left to align up most signaficant "1" to a:
-		 * a = 10001010
-		 * b = 10100000
-		 */
-		mpz_mul_2exp(bm, b, a_bit - b_bit);
-		do
-		{
-			/* XOR b into a, this kills the most significant "1":
-			 * a = 00101010
-			 */
-			mpz_xor(am, am, bm);
-			/* find the next most significant "1" in a, and align up b:
-			 * a = 00101010
-			 * b = 00101000
-			 */
-			diff = a_bit - mpz_sizeinbase(am, 2);
-			mpz_div_2exp(bm, bm, diff);
-			a_bit -= diff;
-		}
-		while (b_bit <= mpz_sizeinbase(bm, 2));
-		/* While b is not shifted to its original value */
-	}
-	/* after another iteration:
-	 * a = 00000010
-	 * which is the polynomial modulo
-	 */
-
-	mpz_swap(r, am);
-	mpz_clear(am);
-	mpz_clear(bm);
-}
-
-/**
- * Step 3 of the various fx() functions:
- * XOR the key into the SHA1 IV
- */
-static void step3(prf_t *prf, u_char k[AKA_K_LEN],
-				  u_char payload[AKA_PAYLOAD_LEN], u_int8_t h[HASH_SIZE_SHA1])
-{
-	/* use the keyed hasher to build the hash */
-	prf->set_key(prf, chunk_create(k, AKA_K_LEN));
-	prf->get_bytes(prf, chunk_create(payload, AKA_PAYLOAD_LEN), h);
-}
-
-/**
- * Step 4 of the various fx() functions:
- * Polynomial whiten calculations
- */
-static void step4(u_char x[HASH_SIZE_SHA1])
-{
-	mpz_t xm, am, bm, gm;
-
-	mpz_init(xm);
-	mpz_init(am);
-	mpz_init(bm);
-	mpz_init(gm);
-
-	mpz_import(xm, HASH_SIZE_SHA1, 1, 1, 1, 0, x);
-	mpz_import(am, sizeof(a), 1, 1, 1, 0, a);
-	mpz_import(bm, sizeof(b), 1, 1, 1, 0, b);
-	mpz_import(gm, sizeof(g), 1, 1, 1, 0, g);
-
-	mpz_mul_poly(xm, am, xm);
-	mpz_add_poly(xm, bm, xm);
-	mpz_mod_poly(xm, xm, gm);
-
-	mpz_export(x, NULL, 1, HASH_SIZE_SHA1, 1, 0, xm);
-
-	mpz_clear(xm);
-	mpz_clear(am);
-	mpz_clear(bm);
-	mpz_clear(gm);
-}
-
-/**
- * Calculation function for f2(), f3(), f4()
- */
-static void fx(prf_t *prf, u_char f, u_char k[AKA_K_LEN],
-			   u_char rand[AKA_RAND_LEN], u_char out[AKA_MAC_LEN])
-{
-	u_char payload[AKA_PAYLOAD_LEN];
-	u_char h[HASH_SIZE_SHA1];
-	u_char i;
-
-	for (i = 0; i < 2; i++)
-	{
-		memset(payload, 0x5c, AKA_PAYLOAD_LEN);
-		payload[11] ^= f;
-		memxor(payload + 12, fmk.ptr, fmk.len);
-		memxor(payload + 24, rand, AKA_RAND_LEN);
-
-		payload[3]  ^= i;
-		payload[19] ^= i;
-		payload[35] ^= i;
-		payload[51] ^= i;
-
-		step3(prf, k, payload, h);
-		step4(h);
-		memcpy(out + i * 8, h, 8);
-	}
-}
-
-/**
- * Calculation function of f1() and f1star()
- */
-static void f1x(prf_t *prf, u_int8_t f, u_char k[AKA_K_LEN],
-				u_char rand[AKA_RAND_LEN], u_char sqn[AKA_SQN_LEN],
-				u_char amf[AKA_AMF_LEN], u_char mac[AKA_MAC_LEN])
-{
-	/* generate MAC = f1(FMK, SQN, RAND, AMF)
-	 * K is loaded into hashers IV; FMK, RAND, SQN, AMF are XORed in a 512-bit
-	 * payload which gets hashed
-	 */
-	u_char payload[AKA_PAYLOAD_LEN];
-	u_char h[HASH_SIZE_SHA1];
-
-	memset(payload, 0x5c, AKA_PAYLOAD_LEN);
-	payload[11] ^= f;
-	memxor(payload + 12, fmk.ptr, fmk.len);
-	memxor(payload + 16, rand, AKA_RAND_LEN);
-	memxor(payload + 34, sqn, AKA_SQN_LEN);
-	memxor(payload + 42, amf, AKA_AMF_LEN);
-
-	step3(prf, k, payload, h);
-	step4(h);
-	memcpy(mac, h, AKA_MAC_LEN);
-}
-
-/**
- * Calculation function of f5() and f5star()
- */
-static void f5x(prf_t *prf, u_char f, u_char k[AKA_K_LEN],
-				u_char rand[AKA_RAND_LEN], u_char ak[AKA_AK_LEN])
-{
-	u_char payload[AKA_PAYLOAD_LEN];
-	u_char h[HASH_SIZE_SHA1];
-
-	memset(payload, 0x5c, AKA_PAYLOAD_LEN);
-	payload[11] ^= f;
-	memxor(payload + 12, fmk.ptr, fmk.len);
-	memxor(payload + 16, rand, AKA_RAND_LEN);
-
-	step3(prf, k, payload, h);
-	step4(h);
-	memcpy(ak, h, AKA_AK_LEN);
-}
-
-/**
- * Calculate MAC from RAND, SQN, AMF using K
- */
-static void f1(private_eap_aka_3gpp2_functions_t *this, u_char k[AKA_K_LEN],
-			   u_char rand[AKA_RAND_LEN], u_char sqn[AKA_SQN_LEN],
-			   u_char amf[AKA_AMF_LEN], u_char mac[AKA_MAC_LEN])
-{
-	f1x(this->prf, F1, k, rand, sqn, amf, mac);
-	DBG3(DBG_IKE, "MAC %b", mac, AKA_MAC_LEN);
-}
-
-/**
- * Calculate MACS from RAND, SQN, AMF using K
- */
-static void f1star(private_eap_aka_3gpp2_functions_t *this, u_char k[AKA_K_LEN],
-				   u_char rand[AKA_RAND_LEN], u_char sqn[AKA_SQN_LEN],
-				   u_char amf[AKA_AMF_LEN], u_char macs[AKA_MAC_LEN])
-{
-	f1x(this->prf, F1STAR, k, rand, sqn, amf, macs);
-	DBG3(DBG_IKE, "MACS %b", macs, AKA_MAC_LEN);
-}
-
-/**
- * Calculate RES from RAND using K
- */
-static void f2(private_eap_aka_3gpp2_functions_t *this, u_char k[AKA_K_LEN],
-			   u_char rand[AKA_RAND_LEN], u_char res[AKA_RES_MAX])
-{
-	fx(this->prf, F2, k, rand, res);
-	DBG3(DBG_IKE, "RES %b", res, AKA_RES_MAX);
-}
-
-/**
- * Calculate CK from RAND using K
- */
-static void f3(private_eap_aka_3gpp2_functions_t *this, u_char k[AKA_K_LEN],
-			   u_char rand[AKA_RAND_LEN], u_char ck[AKA_CK_LEN])
-{
-	fx(this->prf, F3, k, rand, ck);
-	DBG3(DBG_IKE, "CK %b", ck, AKA_CK_LEN);
-}
-
-/**
- * Calculate IK from RAND using K
- */
-static void f4(private_eap_aka_3gpp2_functions_t *this, u_char k[AKA_K_LEN],
-			   u_char rand[AKA_RAND_LEN], u_char ik[AKA_IK_LEN])
-{
-	fx(this->prf, F4, k, rand, ik);
-	DBG3(DBG_IKE, "IK %b", ik, AKA_IK_LEN);
-}
-
-/**
- * Calculate AK from a RAND using K
- */
-static void f5(private_eap_aka_3gpp2_functions_t *this, u_char k[AKA_K_LEN],
-			   u_char rand[AKA_RAND_LEN], u_char ak[AKA_AK_LEN])
-{
-	f5x(this->prf, F5, k, rand, ak);
-	DBG3(DBG_IKE, "AK %b", ak, AKA_AK_LEN);
-}
-
-/**
- * Calculate AKS from a RAND using K
- */
-static void f5star(private_eap_aka_3gpp2_functions_t *this, u_char k[AKA_K_LEN],
-			   u_char rand[AKA_RAND_LEN], u_char aks[AKA_AK_LEN])
-{
-	f5x(this->prf, F5STAR, k, rand, aks);
-	DBG3(DBG_IKE, "AKS %b", aks, AKA_AK_LEN);
-}
-
-
-/**
- * Implementation of eap_aka_3gpp2_functions_t.destroy.
- */
-static void destroy(private_eap_aka_3gpp2_functions_t *this)
-{
-	this->prf->destroy(this->prf);
-	free(this);
-}
-
-/**
- * See header
- */
-eap_aka_3gpp2_functions_t *eap_aka_3gpp2_functions_create()
-{
-	private_eap_aka_3gpp2_functions_t *this;
-
-	this = malloc_thing(private_eap_aka_3gpp2_functions_t);
-
-	this->public.f1 = (void(*)(eap_aka_3gpp2_functions_t *this, u_char k[AKA_K_LEN], u_char rand[AKA_RAND_LEN], u_char sqn[AKA_SQN_LEN], u_char amf[AKA_AMF_LEN], u_char mac[AKA_MAC_LEN]))f1;
-	this->public.f1star = (void(*)(eap_aka_3gpp2_functions_t *this, u_char k[AKA_K_LEN], u_char rand[AKA_RAND_LEN], u_char sqn[AKA_SQN_LEN], u_char amf[AKA_AMF_LEN], u_char macs[AKA_MAC_LEN]))f1star;
-	this->public.f2 = (void(*)(eap_aka_3gpp2_functions_t *this, u_char k[AKA_K_LEN], u_char rand[AKA_RAND_LEN], u_char res[AKA_RES_MAX]))f2;
-	this->public.f3 = (void(*)(eap_aka_3gpp2_functions_t *this, u_char k[AKA_K_LEN], u_char rand[AKA_RAND_LEN], u_char ck[AKA_CK_LEN]))f3;
-	this->public.f4 = (void(*)(eap_aka_3gpp2_functions_t *this, u_char k[AKA_K_LEN], u_char rand[AKA_RAND_LEN], u_char ik[AKA_IK_LEN]))f4;
-	this->public.f5 = (void(*)(eap_aka_3gpp2_functions_t *this, u_char k[AKA_K_LEN], u_char rand[AKA_RAND_LEN], u_char ak[AKA_AK_LEN]))f5;
-	this->public.f5star = (void(*)(eap_aka_3gpp2_functions_t *this, u_char k[AKA_K_LEN], u_char rand[AKA_RAND_LEN], u_char aks[AKA_AK_LEN]))f5star;
-	this->public.destroy = (void(*)(eap_aka_3gpp2_functions_t*))destroy;
-
-	this->prf = lib->crypto->create_prf(lib->crypto, PRF_KEYED_SHA1);
-	if (!this->prf)
-	{
-		DBG1(DBG_CFG, "%N not supported, unable to use 3GPP2 algorithm",
-			 pseudo_random_function_names, PRF_KEYED_SHA1);
-		free(this);
-		return NULL;
-	}
-	return &this->public;
-}
-
diff --git a/src/charon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_functions.h b/src/charon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_functions.h
deleted file mode 100644
index 95c6da6a9..000000000
--- a/src/charon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_functions.h
+++ /dev/null
@@ -1,125 +0,0 @@
-/*
- * Copyright (C) 2008-2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup eap_aka_3gpp2_functions eap_aka_3gpp2_functions
- * @{ @ingroup eap_aka_3gpp2
- */
-
-#ifndef EAP_AKA_3GPP2_FUNCTIONS_H_
-#define EAP_AKA_3GPP2_FUNCTIONS_H_
-
-#include <sa/authenticators/eap/sim_manager.h>
-
-#define AKA_SQN_LEN		 6
-#define AKA_K_LEN		16
-#define AKA_MAC_LEN 	 8
-#define AKA_AK_LEN		 6
-#define AKA_AMF_LEN		 2
-#define AKA_FMK_LEN		 4
-
-typedef struct eap_aka_3gpp2_functions_t eap_aka_3gpp2_functions_t;
-
-/**
- * f1-f5(), f1*() and f5*() functions from the 3GPP2 (S.S0055) standard.
- */
-struct eap_aka_3gpp2_functions_t {
-
-	/**
-	 * Calculate MAC from RAND, SQN, AMF using K.
-	 *
-	 * @param k		secret key K
-	 * @param rand	random value rand
-	 * @param sqn	sequence number
-	 * @param amf	authentication management field
-	 * @param mac	buffer receiving mac MAC
-	 */
-	void (*f1)(eap_aka_3gpp2_functions_t *this, u_char k[AKA_K_LEN],
-				u_char rand[AKA_RAND_LEN], u_char sqn[AKA_SQN_LEN],
-				u_char amf[AKA_AMF_LEN], u_char mac[AKA_MAC_LEN]);
-
-	/**
-	 * Calculate MACS from RAND, SQN, AMF using K
-	 *
-	 * @param k		secret key K
-	 * @param rand	random value RAND
-	 * @param sqn	sequence number
-	 * @param amf	authentication management field
-	 * @param macs	buffer receiving resynchronization mac MACS
-	 */
-	void (*f1star)(eap_aka_3gpp2_functions_t *this, u_char k[AKA_K_LEN],
-				u_char rand[AKA_RAND_LEN], u_char sqn[AKA_SQN_LEN],
-				u_char amf[AKA_AMF_LEN], u_char macs[AKA_MAC_LEN]);
-
-	/**
-	 * Calculate RES from RAND using K
-	 *
-	 * @param k		secret key K
-	 * @param rand	random value RAND
-	 * @param res	buffer receiving result RES, uses full 128 bit
-	 */
-	void (*f2)(eap_aka_3gpp2_functions_t *this, u_char k[AKA_K_LEN],
-				u_char rand[AKA_RAND_LEN], u_char res[AKA_RES_MAX]);
-	/**
-	 * Calculate CK from RAND using K
-	 *
-	 * @param k		secret key K
-	 * @param rand	random value RAND
-	 * @param macs	buffer receiving encryption key CK
-	 */
-	void (*f3)(eap_aka_3gpp2_functions_t *this, u_char k[AKA_K_LEN],
-				u_char rand[AKA_RAND_LEN], u_char ck[AKA_CK_LEN]);
-	/**
-	 * Calculate IK from RAND using K
-	 *
-	 * @param k		secret key K
-	 * @param rand	random value RAND
-	 * @param macs	buffer receiving integrity key IK
-	 */
-	void (*f4)(eap_aka_3gpp2_functions_t *this, u_char k[AKA_K_LEN],
-				u_char rand[AKA_RAND_LEN], u_char ik[AKA_IK_LEN]);
-	/**
-	 * Calculate AK from a RAND using K
-	 *
-	 * @param k		secret key K
-	 * @param rand	random value RAND
-	 * @param macs	buffer receiving anonymity key AK
-	 */
-	void (*f5)(eap_aka_3gpp2_functions_t *this, u_char k[AKA_K_LEN],
-				u_char rand[AKA_RAND_LEN], u_char ak[AKA_AK_LEN]);
-	/**
-	 * Calculate AKS from a RAND using K
-	 *
-	 * @param k		secret key K
-	 * @param rand	random value RAND
-	 * @param macs	buffer receiving resynchronization anonymity key AKS
-	 */
-	void (*f5star)(eap_aka_3gpp2_functions_t *this, u_char k[AKA_K_LEN],
-				u_char rand[AKA_RAND_LEN], u_char aks[AKA_AK_LEN]);
-
-	/**
-	 * Destroy a eap_aka_3gpp2_functions_t.
-	 */
-	void (*destroy)(eap_aka_3gpp2_functions_t *this);
-};
-
-/**
- * Create a eap_aka_3gpp2_functions instance.
- *
- * @return			function set, NULL on error
- */
-eap_aka_3gpp2_functions_t *eap_aka_3gpp2_functions_create();
-
-#endif /** EAP_AKA_3GPP2_FUNCTIONS_H_ @}*/
diff --git a/src/charon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_plugin.c b/src/charon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_plugin.c
deleted file mode 100644
index 5286e0986..000000000
--- a/src/charon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_plugin.c
+++ /dev/null
@@ -1,87 +0,0 @@
-/*
- * Copyright (C) 2008-2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "eap_aka_3gpp2_plugin.h"
-#include "eap_aka_3gpp2_card.h"
-#include "eap_aka_3gpp2_provider.h"
-#include "eap_aka_3gpp2_functions.h"
-
-#include <daemon.h>
-
-typedef struct private_eap_aka_3gpp2_t private_eap_aka_3gpp2_t;
-
-/**
- * Private data of an eap_aka_3gpp2_t object.
- */
-struct private_eap_aka_3gpp2_t {
-
-	/**
-	 * Public eap_aka_3gpp2_plugin_t interface.
-	 */
-	eap_aka_3gpp2_plugin_t public;
-
-	/**
-	 * SIM card
-	 */
-	eap_aka_3gpp2_card_t *card;
-
-	/**
-	 * SIM provider
-	 */
-	eap_aka_3gpp2_provider_t *provider;
-
-	/**
-	 * AKA functions
-	 */
-	eap_aka_3gpp2_functions_t *functions;
-};
-
-/**
- * Implementation of eap_aka_3gpp2_t.destroy.
- */
-static void destroy(private_eap_aka_3gpp2_t *this)
-{
-	charon->sim->remove_card(charon->sim, &this->card->card);
-	charon->sim->remove_provider(charon->sim, &this->provider->provider);
-	this->card->destroy(this->card);
-	this->provider->destroy(this->provider);
-	this->functions->destroy(this->functions);
-	free(this);
-}
-
-/**
- * See header
- */
-plugin_t *plugin_create()
-{
-	private_eap_aka_3gpp2_t *this = malloc_thing(private_eap_aka_3gpp2_t);
-
-	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-
-	this->functions = eap_aka_3gpp2_functions_create();
-	if (!this->functions)
-	{
-		free(this);
-		return NULL;
-	}
-	this->card = eap_aka_3gpp2_card_create(this->functions);
-	this->provider = eap_aka_3gpp2_provider_create(this->functions);
-
-	charon->sim->add_card(charon->sim, &this->card->card);
-	charon->sim->add_provider(charon->sim, &this->provider->provider);
-
-	return &this->public.plugin;
-}
-
diff --git a/src/charon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_plugin.h b/src/charon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_plugin.h
deleted file mode 100644
index ed5c4cf3e..000000000
--- a/src/charon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_plugin.h
+++ /dev/null
@@ -1,62 +0,0 @@
-/*
- * Copyright (C) 2008-2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup eap_aka_3gpp2 eap_aka_3gpp2
- * @ingroup cplugins
- *
- * @defgroup eap_aka_3gpp2_plugin eap_aka_3gpp2_plugin
- * @{ @ingroup eap_aka_3gpp2
- */
-
-#ifndef EAP_AKA_3GPP2_PLUGIN_H_
-#define EAP_AKA_3GPP2_PLUGIN_H_
-
-#include <plugins/plugin.h>
-
-typedef struct eap_aka_3gpp2_plugin_t eap_aka_3gpp2_plugin_t;
-
-/**
- * Plugin to provide a SIM card/provider using the 3GPP2 (S.S0055) standard.
- *
- * This plugin implements the standard of the 3GPP2 (S.S0055) and not the one
- * of 3GGP, completely in software using the libgmp library..
- * The shared key used for authentication is from ipsec.secrets. The
- * peers ID is used to query it.
- * The AKA mechanism uses sequence numbers to detect replay attacks. The
- * peer stores the sequence number normally in a USIM and accepts
- * incremental sequence numbers (incremental for lifetime of the USIM). To
- * prevent a complex sequence number management, this implementation uses
- * a sequence number derived from time. It is initialized to the startup
- * time of the daemon.
- * To enable time based SEQs, define SEQ_CHECK as 1. Default is to accept
- * any SEQ numbers. This allows an attacker to do replay attacks. But since
- * the server has proven his identity via IKE, such an attack is only
- * possible between server and AAA (if any).
- */
-struct eap_aka_3gpp2_plugin_t {
-
-	/**
-	 * implements plugin interface
-	 */
-	plugin_t plugin;
-};
-
-/**
- * Create a eap_aka_3gpp2_plugin instance.
- */
-plugin_t *plugin_create();
-
-#endif /** EAP_AKA_3GPP2_PLUGIN_H_ @}*/
diff --git a/src/charon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_provider.c b/src/charon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_provider.c
deleted file mode 100644
index 9817fff8f..000000000
--- a/src/charon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_provider.c
+++ /dev/null
@@ -1,204 +0,0 @@
-/*
- * Copyright (C) 2008-2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "eap_aka_3gpp2_provider.h"
-
-#include <daemon.h>
-#include <credentials/keys/shared_key.h>
-
-typedef struct private_eap_aka_3gpp2_provider_t private_eap_aka_3gpp2_provider_t;
-
-/**
- * Private data of an eap_aka_3gpp2_provider_t object.
- */
-struct private_eap_aka_3gpp2_provider_t {
-
-	/**
-	 * Public eap_aka_3gpp2_provider_t interface.
-	 */
-	eap_aka_3gpp2_provider_t public;
-
-	/**
-	 * AKA functions
-	 */
-	eap_aka_3gpp2_functions_t *f;
-
-	/**
-	 * time based SQN, we use the same for all peers
-	 */
-	char sqn[AKA_SQN_LEN];
-};
-
-/** Authentication management field */
-static char amf[AKA_AMF_LEN] = {0x00, 0x01};
-
-/**
- * Get a shared key K from the credential database
- */
-bool eap_aka_3gpp2_get_k(identification_t *id, char k[AKA_K_LEN])
-{
-	shared_key_t *shared;
-	chunk_t key;
-
-	shared = charon->credentials->get_shared(charon->credentials,
-											 SHARED_EAP, id, NULL);
-	if (shared == NULL)
-	{
-		return FALSE;
-	}
-	key = shared->get_key(shared);
-	memset(k, '\0', AKA_K_LEN);
-	memcpy(k, key.ptr, min(key.len, AKA_K_LEN));
-	shared->destroy(shared);
-	return TRUE;
-}
-
-/**
- * get SQN using current time
- */
-void eap_aka_3gpp2_get_sqn(char sqn[AKA_SQN_LEN], int offset)
-{
-	timeval_t time;
-
-	gettimeofday(&time, NULL);
-	/* set sqn to an integer containing 4 bytes seconds + 2 bytes usecs */
-	time.tv_sec = htonl(time.tv_sec + offset);
-	/* usec's are never larger than 0x000f423f, so we shift the 12 first bits */
-	time.tv_usec = htonl(time.tv_usec << 12);
-	memcpy(sqn, (char*)&time.tv_sec + sizeof(time_t) - 4, 4);
-	memcpy(sqn + 4, &time.tv_usec, 2);
-}
-
-/**
- * Implementation of usim_provider_t.get_quintuplet
- */
-static bool get_quintuplet(private_eap_aka_3gpp2_provider_t *this,
-						   identification_t *id, char rand[AKA_RAND_LEN],
-						   char xres[AKA_RES_MAX], int *xres_len,
-						   char ck[AKA_CK_LEN], char ik[AKA_IK_LEN],
-						   char autn[AKA_AUTN_LEN])
-{
-	rng_t *rng;
-	char mac[AKA_MAC_LEN], ak[AKA_AK_LEN], k[AKA_K_LEN];
-
-	/* generate RAND: we use a registered RNG, not f0() proposed in S.S0055 */
-	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
-	if (!rng)
-	{
-		DBG1(DBG_IKE, "generating RAND for AKA failed");
-		return FALSE;
-	}
-	rng->get_bytes(rng, AKA_RAND_LEN, rand);
-	rng->destroy(rng);
-
-	if (!eap_aka_3gpp2_get_k(id, k))
-	{
-		DBG1(DBG_IKE, "no EAP key found for %Y to authenticate with AKA", id);
-		return FALSE;
-	}
-
-	DBG3(DBG_IKE, "generated rand %b", rand, AKA_RAND_LEN);
-	DBG3(DBG_IKE, "using K %b", k, AKA_K_LEN);
-
-	/* MAC */
-	this->f->f1(this->f, k, rand, this->sqn, amf, mac);
-	/* AK */
-	this->f->f5(this->f, k, rand, ak);
-	/* XRES as expected from client */
-	this->f->f2(this->f, k, rand, xres);
-	*xres_len = AKA_RES_MAX;
-	/* AUTN = (SQN xor AK) || AMF || MAC */
-	memcpy(autn, this->sqn, AKA_SQN_LEN);
-	memxor(autn, ak, AKA_AK_LEN);
-	memcpy(autn + AKA_SQN_LEN, amf, AKA_AMF_LEN);
-	memcpy(autn + AKA_SQN_LEN + AKA_AMF_LEN, mac, AKA_MAC_LEN);
-	DBG3(DBG_IKE, "AUTN %b", autn, AKA_AUTN_LEN);
-	/* CK/IK */
-	this->f->f3(this->f, k, rand, ck);
-	this->f->f4(this->f, k, rand, ik);
-
-	return TRUE;
-}
-
-/**
- * Implementation of usim_provider_t.resync
- */
-static bool resync(private_eap_aka_3gpp2_provider_t *this,
-				   identification_t *id, char rand[AKA_RAND_LEN],
-				   char auts[AKA_AUTS_LEN])
-{
-	char *sqn, *macs;
-	char aks[AKA_AK_LEN], k[AKA_K_LEN], amf[AKA_AMF_LEN], xmacs[AKA_MAC_LEN];
-
-	if (!eap_aka_3gpp2_get_k(id, k))
-	{
-		DBG1(DBG_IKE, "no EAP key found for %Y to authenticate with AKA", id);
-		return FALSE;
-	}
-
-	/* AUTHS = (AK xor SQN) | MAC */
-	sqn = auts;
-	macs = auts + AKA_SQN_LEN;
-	this->f->f5star(this->f, k, rand, aks);
-	memxor(sqn, aks, AKA_AK_LEN);
-
-	/* verify XMACS, AMF of zero is used in resynchronization */
-	memset(amf, 0, AKA_AMF_LEN);
-	this->f->f1star(this->f, k, rand, sqn, amf, xmacs);
-	if (!memeq(macs, xmacs, AKA_MAC_LEN))
-	{
-		DBG1(DBG_IKE, "received MACS does not match XMACS");
-		DBG3(DBG_IKE, "MACS %b XMACS %b",
-			 macs, AKA_MAC_LEN, xmacs, AKA_MAC_LEN);
-		return FALSE;
-	}
-	/* update stored SQN to received SQN + 1 */
-	memcpy(this->sqn, sqn, AKA_SQN_LEN);
-	chunk_increment(chunk_create(this->sqn, AKA_SQN_LEN));
-	return TRUE;
-}
-
-/**
- * Implementation of eap_aka_3gpp2_provider_t.destroy.
- */
-static void destroy(private_eap_aka_3gpp2_provider_t *this)
-{
-	free(this);
-}
-
-/**
- * See header
- */
-eap_aka_3gpp2_provider_t *eap_aka_3gpp2_provider_create(
-												eap_aka_3gpp2_functions_t *f)
-{
-	private_eap_aka_3gpp2_provider_t *this = malloc_thing(private_eap_aka_3gpp2_provider_t);
-
-	this->public.provider.get_triplet = (bool(*)(sim_provider_t*, identification_t *id, char rand[SIM_RAND_LEN], char sres[SIM_SRES_LEN], char kc[SIM_KC_LEN]))return_false;
-	this->public.provider.get_quintuplet = (bool(*)(sim_provider_t*, identification_t *id, char rand[AKA_RAND_LEN], char xres[AKA_RES_MAX], int *xres_len, char ck[AKA_CK_LEN], char ik[AKA_IK_LEN], char autn[AKA_AUTN_LEN]))get_quintuplet;
-	this->public.provider.resync = (bool(*)(sim_provider_t*, identification_t *id, char rand[AKA_RAND_LEN], char auts[AKA_AUTS_LEN]))resync;
-	this->public.provider.is_pseudonym = (identification_t*(*)(sim_provider_t*, identification_t *id))return_null;
-	this->public.provider.gen_pseudonym = (identification_t*(*)(sim_provider_t*, identification_t *id))return_null;
-	this->public.provider.is_reauth = (identification_t*(*)(sim_provider_t*, identification_t *id, char [HASH_SIZE_SHA1], u_int16_t *counter))return_null;
-	this->public.provider.gen_reauth = (identification_t*(*)(sim_provider_t*, identification_t *id, char mk[HASH_SIZE_SHA1]))return_null;
-	this->public.destroy = (void(*)(eap_aka_3gpp2_provider_t*))destroy;
-
-	this->f = f;
-	/* use an offset to accept clock skew between client/server without resync */
-	eap_aka_3gpp2_get_sqn(this->sqn, 180);
-
-	return &this->public;
-}
-
diff --git a/src/charon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_provider.h b/src/charon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_provider.h
deleted file mode 100644
index 22ac0a96e..000000000
--- a/src/charon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_provider.h
+++ /dev/null
@@ -1,52 +0,0 @@
-/*
- * Copyright (C) 2008-2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup eap_aka_3gpp2_provider eap_aka_3gpp2_provider
- * @{ @ingroup eap_aka_3gpp2
- */
-
-#ifndef EAP_AKA_3GPP2_PROVIDER_H_
-#define EAP_AKA_3GPP2_PROVIDER_H_
-
-#include "eap_aka_3gpp2_functions.h"
-
-#include <sa/authenticators/eap/sim_manager.h>
-
-typedef struct eap_aka_3gpp2_provider_t eap_aka_3gpp2_provider_t;
-
-/**
- * SIM provider implementation using a set of AKA functions.
- */
-struct eap_aka_3gpp2_provider_t {
-
-	/**
-	 * Implements sim_provider_t interface.
-	 */
-	sim_provider_t provider;
-
-	/**
-	 * Destroy a eap_aka_3gpp2_provider_t.
-	 */
-	void (*destroy)(eap_aka_3gpp2_provider_t *this);
-};
-
-/**
- * Create a eap_aka_3gpp2_provider instance.
- */
-eap_aka_3gpp2_provider_t *eap_aka_3gpp2_provider_create(
-												eap_aka_3gpp2_functions_t *f);
-
-#endif /** EAP_AKA_3GPP2_PROVIDER_H_ @}*/
diff --git a/src/charon/plugins/eap_gtc/Makefile.am b/src/charon/plugins/eap_gtc/Makefile.am
deleted file mode 100644
index 0d938cacd..000000000
--- a/src/charon/plugins/eap_gtc/Makefile.am
+++ /dev/null
@@ -1,10 +0,0 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
-
-AM_CFLAGS = -rdynamic
-
-plugin_LTLIBRARIES = libstrongswan-eap-gtc.la
-
-libstrongswan_eap_gtc_la_SOURCES = eap_gtc_plugin.h eap_gtc_plugin.c eap_gtc.h eap_gtc.c
-libstrongswan_eap_gtc_la_LDFLAGS = -module -avoid-version -lpam
-
diff --git a/src/charon/plugins/eap_gtc/Makefile.in b/src/charon/plugins/eap_gtc/Makefile.in
deleted file mode 100644
index f3662e1cd..000000000
--- a/src/charon/plugins/eap_gtc/Makefile.in
+++ /dev/null
@@ -1,568 +0,0 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
-# @configure_input@
-
-# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
-# This Makefile.in is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
-# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
-# PARTICULAR PURPOSE.
-
-@SET_MAKE@
-
-VPATH = @srcdir@
-pkgdatadir = $(datadir)/@PACKAGE@
-pkgincludedir = $(includedir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
-pkglibexecdir = $(libexecdir)/@PACKAGE@
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-install_sh_DATA = $(install_sh) -c -m 644
-install_sh_PROGRAM = $(install_sh) -c
-install_sh_SCRIPT = $(install_sh) -c
-INSTALL_HEADER = $(INSTALL_DATA)
-transform = $(program_transform_name)
-NORMAL_INSTALL = :
-PRE_INSTALL = :
-POST_INSTALL = :
-NORMAL_UNINSTALL = :
-PRE_UNINSTALL = :
-POST_UNINSTALL = :
-build_triplet = @build@
-host_triplet = @host@
-subdir = src/charon/plugins/eap_gtc
-DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
-ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
-	$(top_srcdir)/m4/config/ltoptions.m4 \
-	$(top_srcdir)/m4/config/ltsugar.m4 \
-	$(top_srcdir)/m4/config/ltversion.m4 \
-	$(top_srcdir)/m4/config/lt~obsolete.m4 \
-	$(top_srcdir)/m4/macros/with.m4 \
-	$(top_srcdir)/m4/macros/enable-disable.m4 \
-	$(top_srcdir)/configure.in
-am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
-	$(ACLOCAL_M4)
-mkinstalldirs = $(install_sh) -d
-CONFIG_CLEAN_FILES =
-CONFIG_CLEAN_VPATH_FILES =
-am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
-am__vpath_adj = case $$p in \
-    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
-    *) f=$$p;; \
-  esac;
-am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
-am__install_max = 40
-am__nobase_strip_setup = \
-  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
-am__nobase_strip = \
-  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
-am__nobase_list = $(am__nobase_strip_setup); \
-  for p in $$list; do echo "$$p $$p"; done | \
-  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
-  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
-    if (++n[$$2] == $(am__install_max)) \
-      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
-    END { for (dir in files) print dir, files[dir] }'
-am__base_list = \
-  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
-  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
-am__installdirs = "$(DESTDIR)$(plugindir)"
-LTLIBRARIES = $(plugin_LTLIBRARIES)
-libstrongswan_eap_gtc_la_LIBADD =
-am_libstrongswan_eap_gtc_la_OBJECTS = eap_gtc_plugin.lo eap_gtc.lo
-libstrongswan_eap_gtc_la_OBJECTS =  \
-	$(am_libstrongswan_eap_gtc_la_OBJECTS)
-libstrongswan_eap_gtc_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_eap_gtc_la_LDFLAGS) $(LDFLAGS) -o $@
-DEFAULT_INCLUDES = -I.@am__isrc@
-depcomp = $(SHELL) $(top_srcdir)/depcomp
-am__depfiles_maybe = depfiles
-am__mv = mv -f
-COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
-	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
-SOURCES = $(libstrongswan_eap_gtc_la_SOURCES)
-DIST_SOURCES = $(libstrongswan_eap_gtc_la_SOURCES)
-ETAGS = etags
-CTAGS = ctags
-DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
-ACLOCAL = @ACLOCAL@
-ALLOCA = @ALLOCA@
-AMTAR = @AMTAR@
-AR = @AR@
-AUTOCONF = @AUTOCONF@
-AUTOHEADER = @AUTOHEADER@
-AUTOMAKE = @AUTOMAKE@
-AWK = @AWK@
-BTLIB = @BTLIB@
-CC = @CC@
-CCDEPMODE = @CCDEPMODE@
-CFLAGS = @CFLAGS@
-CPP = @CPP@
-CPPFLAGS = @CPPFLAGS@
-CYGPATH_W = @CYGPATH_W@
-DEFS = @DEFS@
-DEPDIR = @DEPDIR@
-DLLIB = @DLLIB@
-DSYMUTIL = @DSYMUTIL@
-DUMPBIN = @DUMPBIN@
-ECHO_C = @ECHO_C@
-ECHO_N = @ECHO_N@
-ECHO_T = @ECHO_T@
-EGREP = @EGREP@
-EXEEXT = @EXEEXT@
-FGREP = @FGREP@
-GPERF = @GPERF@
-GREP = @GREP@
-INSTALL = @INSTALL@
-INSTALL_DATA = @INSTALL_DATA@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@
-INSTALL_SCRIPT = @INSTALL_SCRIPT@
-INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-LD = @LD@
-LDFLAGS = @LDFLAGS@
-LEX = @LEX@
-LEXLIB = @LEXLIB@
-LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBOBJS = @LIBOBJS@
-LIBS = @LIBS@
-LIBTOOL = @LIBTOOL@
-LIPO = @LIPO@
-LN_S = @LN_S@
-LTLIBOBJS = @LTLIBOBJS@
-MAKEINFO = @MAKEINFO@
-MKDIR_P = @MKDIR_P@
-MYSQLCFLAG = @MYSQLCFLAG@
-MYSQLCONFIG = @MYSQLCONFIG@
-MYSQLLIB = @MYSQLLIB@
-NM = @NM@
-NMEDIT = @NMEDIT@
-OBJDUMP = @OBJDUMP@
-OBJEXT = @OBJEXT@
-OTOOL = @OTOOL@
-OTOOL64 = @OTOOL64@
-PACKAGE = @PACKAGE@
-PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
-PACKAGE_NAME = @PACKAGE_NAME@
-PACKAGE_STRING = @PACKAGE_STRING@
-PACKAGE_TARNAME = @PACKAGE_TARNAME@
-PACKAGE_URL = @PACKAGE_URL@
-PACKAGE_VERSION = @PACKAGE_VERSION@
-PATH_SEPARATOR = @PATH_SEPARATOR@
-PERL = @PERL@
-PKG_CONFIG = @PKG_CONFIG@
-PTHREADLIB = @PTHREADLIB@
-RANLIB = @RANLIB@
-RTLIB = @RTLIB@
-RUBY = @RUBY@
-RUBYINCLUDE = @RUBYINCLUDE@
-SED = @SED@
-SET_MAKE = @SET_MAKE@
-SHELL = @SHELL@
-SOCKLIB = @SOCKLIB@
-STRIP = @STRIP@
-VERSION = @VERSION@
-YACC = @YACC@
-YFLAGS = @YFLAGS@
-abs_builddir = @abs_builddir@
-abs_srcdir = @abs_srcdir@
-abs_top_builddir = @abs_top_builddir@
-abs_top_srcdir = @abs_top_srcdir@
-ac_ct_CC = @ac_ct_CC@
-ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
-am__include = @am__include@
-am__leading_dot = @am__leading_dot@
-am__quote = @am__quote@
-am__tar = @am__tar@
-am__untar = @am__untar@
-bindir = @bindir@
-build = @build@
-build_alias = @build_alias@
-build_cpu = @build_cpu@
-build_os = @build_os@
-build_vendor = @build_vendor@
-builddir = @builddir@
-datadir = @datadir@
-datarootdir = @datarootdir@
-default_pkcs11 = @default_pkcs11@
-docdir = @docdir@
-dvidir = @dvidir@
-exec_prefix = @exec_prefix@
-gtk_CFLAGS = @gtk_CFLAGS@
-gtk_LIBS = @gtk_LIBS@
-host = @host@
-host_alias = @host_alias@
-host_cpu = @host_cpu@
-host_os = @host_os@
-host_vendor = @host_vendor@
-htmldir = @htmldir@
-includedir = @includedir@
-infodir = @infodir@
-install_sh = @install_sh@
-ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
-ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
-ipsecuser = @ipsecuser@
-libdir = @libdir@
-libexecdir = @libexecdir@
-libstrongswan_plugins = @libstrongswan_plugins@
-linux_headers = @linux_headers@
-localedir = @localedir@
-localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
-mandir = @mandir@
-mkdir_p = @mkdir_p@
-nm_CFLAGS = @nm_CFLAGS@
-nm_LIBS = @nm_LIBS@
-nm_ca_dir = @nm_ca_dir@
-oldincludedir = @oldincludedir@
-pdfdir = @pdfdir@
-piddir = @piddir@
-plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
-prefix = @prefix@
-program_transform_name = @program_transform_name@
-psdir = @psdir@
-random_device = @random_device@
-resolv_conf = @resolv_conf@
-routing_table = @routing_table@
-routing_table_prio = @routing_table_prio@
-sbindir = @sbindir@
-sharedstatedir = @sharedstatedir@
-srcdir = @srcdir@
-strongswan_conf = @strongswan_conf@
-sysconfdir = @sysconfdir@
-target_alias = @target_alias@
-top_build_prefix = @top_build_prefix@
-top_builddir = @top_builddir@
-top_srcdir = @top_srcdir@
-urandom_device = @urandom_device@
-xml_CFLAGS = @xml_CFLAGS@
-xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
-AM_CFLAGS = -rdynamic
-plugin_LTLIBRARIES = libstrongswan-eap-gtc.la
-libstrongswan_eap_gtc_la_SOURCES = eap_gtc_plugin.h eap_gtc_plugin.c eap_gtc.h eap_gtc.c
-libstrongswan_eap_gtc_la_LDFLAGS = -module -avoid-version -lpam
-all: all-am
-
-.SUFFIXES:
-.SUFFIXES: .c .lo .o .obj
-$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
-	@for dep in $?; do \
-	  case '$(am__configure_deps)' in \
-	    *$$dep*) \
-	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
-	        && { if test -f $@; then exit 0; else break; fi; }; \
-	      exit 1;; \
-	  esac; \
-	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/charon/plugins/eap_gtc/Makefile'; \
-	$(am__cd) $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu src/charon/plugins/eap_gtc/Makefile
-.PRECIOUS: Makefile
-Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
-	@case '$?' in \
-	  *config.status*) \
-	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
-	  *) \
-	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
-	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
-	esac;
-
-$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-
-$(top_srcdir)/configure:  $(am__configure_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(am__aclocal_m4_deps):
-install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
-	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
-	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
-	list2=; for p in $$list; do \
-	  if test -f $$p; then \
-	    list2="$$list2 $$p"; \
-	  else :; fi; \
-	done; \
-	test -z "$$list2" || { \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
-	}
-
-uninstall-pluginLTLIBRARIES:
-	@$(NORMAL_UNINSTALL)
-	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
-	for p in $$list; do \
-	  $(am__strip_dir) \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
-	done
-
-clean-pluginLTLIBRARIES:
-	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
-	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
-	  test "$$dir" != "$$p" || dir=.; \
-	  echo "rm -f \"$${dir}/so_locations\""; \
-	  rm -f "$${dir}/so_locations"; \
-	done
-libstrongswan-eap-gtc.la: $(libstrongswan_eap_gtc_la_OBJECTS) $(libstrongswan_eap_gtc_la_DEPENDENCIES) 
-	$(libstrongswan_eap_gtc_la_LINK) -rpath $(plugindir) $(libstrongswan_eap_gtc_la_OBJECTS) $(libstrongswan_eap_gtc_la_LIBADD) $(LIBS)
-
-mostlyclean-compile:
-	-rm -f *.$(OBJEXT)
-
-distclean-compile:
-	-rm -f *.tab.c
-
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_gtc.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_gtc_plugin.Plo@am__quote@
-
-.c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
-
-.c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
-
-.c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
-
-mostlyclean-libtool:
-	-rm -f *.lo
-
-clean-libtool:
-	-rm -rf .libs _libs
-
-ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
-	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	mkid -fID $$unique
-tags: TAGS
-
-TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	set x; \
-	here=`pwd`; \
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	shift; \
-	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
-	  test -n "$$unique" || unique=$$empty_fix; \
-	  if test $$# -gt 0; then \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      "$$@" $$unique; \
-	  else \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      $$unique; \
-	  fi; \
-	fi
-ctags: CTAGS
-CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$unique" \
-	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$unique
-
-GTAGS:
-	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && $(am__cd) $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) "$$here"
-
-distclean-tags:
-	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
-
-distdir: $(DISTFILES)
-	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	list='$(DISTFILES)'; \
-	  dist_files=`for file in $$list; do echo $$file; done | \
-	  sed -e "s|^$$srcdirstrip/||;t" \
-	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
-	case $$dist_files in \
-	  */*) $(MKDIR_P) `echo "$$dist_files" | \
-			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
-			   sort -u` ;; \
-	esac; \
-	for file in $$dist_files; do \
-	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  if test -d $$d/$$file; then \
-	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
-	    if test -d "$(distdir)/$$file"; then \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
-	  else \
-	    test -f "$(distdir)/$$file" \
-	    || cp -p $$d/$$file "$(distdir)/$$file" \
-	    || exit 1; \
-	  fi; \
-	done
-check-am: all-am
-check: check-am
-all-am: Makefile $(LTLIBRARIES)
-installdirs:
-	for dir in "$(DESTDIR)$(plugindir)"; do \
-	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
-	done
-install: install-am
-install-exec: install-exec-am
-install-data: install-data-am
-uninstall: uninstall-am
-
-install-am: all-am
-	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
-
-installcheck: installcheck-am
-install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
-mostlyclean-generic:
-
-clean-generic:
-
-distclean-generic:
-	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
-
-maintainer-clean-generic:
-	@echo "This command is intended for maintainers to use"
-	@echo "it deletes files that may require special tools to rebuild."
-clean: clean-am
-
-clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
-	mostlyclean-am
-
-distclean: distclean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-distclean-am: clean-am distclean-compile distclean-generic \
-	distclean-tags
-
-dvi: dvi-am
-
-dvi-am:
-
-html: html-am
-
-html-am:
-
-info: info-am
-
-info-am:
-
-install-data-am: install-pluginLTLIBRARIES
-
-install-dvi: install-dvi-am
-
-install-dvi-am:
-
-install-exec-am:
-
-install-html: install-html-am
-
-install-html-am:
-
-install-info: install-info-am
-
-install-info-am:
-
-install-man:
-
-install-pdf: install-pdf-am
-
-install-pdf-am:
-
-install-ps: install-ps-am
-
-install-ps-am:
-
-installcheck-am:
-
-maintainer-clean: maintainer-clean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-maintainer-clean-am: distclean-am maintainer-clean-generic
-
-mostlyclean: mostlyclean-am
-
-mostlyclean-am: mostlyclean-compile mostlyclean-generic \
-	mostlyclean-libtool
-
-pdf: pdf-am
-
-pdf-am:
-
-ps: ps-am
-
-ps-am:
-
-uninstall-am: uninstall-pluginLTLIBRARIES
-
-.MAKE: install-am install-strip
-
-.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
-	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
-	distclean-compile distclean-generic distclean-libtool \
-	distclean-tags distdir dvi dvi-am html html-am info info-am \
-	install install-am install-data install-data-am install-dvi \
-	install-dvi-am install-exec install-exec-am install-html \
-	install-html-am install-info install-info-am install-man \
-	install-pdf install-pdf-am install-pluginLTLIBRARIES \
-	install-ps install-ps-am install-strip installcheck \
-	installcheck-am installdirs maintainer-clean \
-	maintainer-clean-generic mostlyclean mostlyclean-compile \
-	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
-
-
-# Tell versions [3.59,3.63) of GNU make to not export all variables.
-# Otherwise a system limit (for SysV at least) may be exceeded.
-.NOEXPORT:
diff --git a/src/charon/plugins/eap_gtc/eap_gtc.c b/src/charon/plugins/eap_gtc/eap_gtc.c
deleted file mode 100644
index c7f55fa70..000000000
--- a/src/charon/plugins/eap_gtc/eap_gtc.c
+++ /dev/null
@@ -1,327 +0,0 @@
-/*
- * Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "eap_gtc.h"
-
-#include <daemon.h>
-#include <library.h>
-#include <crypto/hashers/hasher.h>
-
-#include <security/pam_appl.h>
-
-#define GTC_REQUEST_MSG "password"
-#define GTC_PAM_SERVICE "login"
-
-typedef struct private_eap_gtc_t private_eap_gtc_t;
-
-/**
- * Private data of an eap_gtc_t object.
- */
-struct private_eap_gtc_t {
-
-	/**
-	 * Public authenticator_t interface.
-	 */
-	eap_gtc_t public;
-
-	/**
-	 * ID of the server
-	 */
-	identification_t *server;
-
-	/**
-	 * ID of the peer
-	 */
-	identification_t *peer;
-
-	/**
-	 * EAP message identififier
-	 */
-	u_int8_t identifier;
-};
-
-typedef struct eap_gtc_header_t eap_gtc_header_t;
-
-/**
- * packed eap GTC header struct
- */
-struct eap_gtc_header_t {
-	/** EAP code (REQUEST/RESPONSE) */
-	u_int8_t code;
-	/** unique message identifier */
-	u_int8_t identifier;
-	/** length of whole message */
-	u_int16_t length;
-	/** EAP type */
-	u_int8_t type;
-	/** type data */
-	u_int8_t data[];
-} __attribute__((__packed__));
-
-/**
- * Implementation of eap_method_t.initiate for the peer
- */
-static status_t initiate_peer(private_eap_gtc_t *this, eap_payload_t **out)
-{
-	/* peer never initiates */
-	return FAILED;
-}
-
-/**
- * PAM conv callback function
- */
-static int auth_conv(int num_msg, const struct pam_message **msg,
-					 struct pam_response **resp, char *password)
-{
-	struct pam_response *response;
-
-	if (num_msg != 1)
-	{
-		return PAM_CONV_ERR;
-	}
-	response = malloc(sizeof(struct pam_response));
-	response->resp = strdup(password);
-	response->resp_retcode = 0;
-	*resp = response;
-	return PAM_SUCCESS;
-}
-
-/**
- * Authenticate a username/password using PAM
- */
-static bool authenticate(char *service, char *user, char *password)
-{
-	pam_handle_t *pamh = NULL;
-	static struct pam_conv conv;
-	int ret;
-
-	conv.conv = (void*)auth_conv;
-	conv.appdata_ptr = password;
-
-	ret = pam_start(service, user, &conv, &pamh);
-	if (ret != PAM_SUCCESS)
-	{
-		DBG1(DBG_IKE, "EAP-GTC pam_start failed: %s",
-			 pam_strerror(pamh, ret));
-		return FALSE;
-	}
-	ret = pam_authenticate(pamh, 0);
-	if (ret == PAM_SUCCESS)
-	{
-		ret = pam_acct_mgmt(pamh, 0);
-		if (ret != PAM_SUCCESS)
-		{
-			DBG1(DBG_IKE, "EAP-GTC pam_acct_mgmt failed: %s",
-				 pam_strerror(pamh, ret));
-		}
-	}
-	else
-	{
-		DBG1(DBG_IKE, "EAP-GTC pam_authenticate failed: %s",
-			 pam_strerror(pamh, ret));
-	}
-	pam_end(pamh, ret);
-	return ret == PAM_SUCCESS;
-}
-
-/**
- * Implementation of eap_method_t.initiate for the server
- */
-static status_t initiate_server(private_eap_gtc_t *this, eap_payload_t **out)
-{
-	eap_gtc_header_t *req;
-	size_t len;
-
-	len = strlen(GTC_REQUEST_MSG);
-	req = alloca(sizeof(eap_gtc_header_t) + len);
-	req->length = htons(sizeof(eap_gtc_header_t) + len);
-	req->code = EAP_REQUEST;
-	req->identifier = this->identifier;
-	req->type = EAP_GTC;
-	memcpy(req->data, GTC_REQUEST_MSG, len);
-
-	*out = eap_payload_create_data(chunk_create((void*)req,
-								   sizeof(eap_gtc_header_t) + len));
-	return NEED_MORE;
-}
-
-/**
- * Implementation of eap_method_t.process for the peer
- */
-static status_t process_peer(private_eap_gtc_t *this,
-							 eap_payload_t *in, eap_payload_t **out)
-{
-	eap_gtc_header_t *res;
-	shared_key_t *shared;
-	chunk_t key;
-	size_t len;
-
-	shared = charon->credentials->get_shared(charon->credentials, SHARED_EAP,
-											 this->peer, this->server);
-	if (shared == NULL)
-	{
-		DBG1(DBG_IKE, "no EAP key found for '%Y' - '%Y'",
-			 this->peer, this->server);
-		return FAILED;
-	}
-	key = shared->get_key(shared);
-	len = key.len;
-
-	/* TODO: According to the draft we should "SASLprep" password, RFC4013. */
-
-	res = alloca(sizeof(eap_gtc_header_t) + len);
-	res->length = htons(sizeof(eap_gtc_header_t) + len);
-	res->code = EAP_RESPONSE;
-	res->identifier = in->get_identifier(in);
-	res->type = EAP_GTC;
-	memcpy(res->data, key.ptr, len);
-
-	shared->destroy(shared);
-
-	*out = eap_payload_create_data(chunk_create((void*)res,
-								   sizeof(eap_gtc_header_t) + len));
-	return NEED_MORE;
-}
-
-/**
- * Implementation of eap_method_t.process for the server
- */
-static status_t process_server(private_eap_gtc_t *this,
-							   eap_payload_t *in, eap_payload_t **out)
-{
-	chunk_t data, encoding;
-	char *user, *password, *service, *pos;
-
-	data = chunk_skip(in->get_data(in), 5);
-	if (this->identifier != in->get_identifier(in) || !data.len)
-	{
-		DBG1(DBG_IKE, "received invalid EAP-GTC message");
-		return FAILED;
-	}
-
-	encoding = this->peer->get_encoding(this->peer);
-	/* if a RFC822_ADDR id is provided, we use the username part only */
-	pos = memchr(encoding.ptr, '@', encoding.len);
-	if (pos)
-	{
-		encoding.len = (u_char*)pos - encoding.ptr;
-	}
-	user = alloca(encoding.len + 1);
-	memcpy(user, encoding.ptr, encoding.len);
-	user[encoding.len] = '\0';
-
-	password = alloca(data.len + 1);
-	memcpy(password, data.ptr, data.len);
-	password[data.len] = '\0';
-
-	service = lib->settings->get_str(lib->settings,
-						"charon.plugins.eap-gtc.pam_service", GTC_PAM_SERVICE);
-
-	if (!authenticate(service, user, password))
-	{
-		return FAILED;
-	}
-	return SUCCESS;
-}
-
-/**
- * Implementation of eap_method_t.get_type.
- */
-static eap_type_t get_type(private_eap_gtc_t *this, u_int32_t *vendor)
-{
-	*vendor = 0;
-	return EAP_GTC;
-}
-
-/**
- * Implementation of eap_method_t.get_msk.
- */
-static status_t get_msk(private_eap_gtc_t *this, chunk_t *msk)
-{
-	return FAILED;
-}
-
-/**
- * Implementation of eap_method_t.is_mutual.
- */
-static bool is_mutual(private_eap_gtc_t *this)
-{
-	return FALSE;
-}
-
-/**
- * Implementation of eap_method_t.destroy.
- */
-static void destroy(private_eap_gtc_t *this)
-{
-	this->peer->destroy(this->peer);
-	this->server->destroy(this->server);
-	free(this);
-}
-
-/**
- * Generic constructor
- */
-static private_eap_gtc_t *eap_gtc_create_generic(identification_t *server,
-												 identification_t *peer)
-{
-	private_eap_gtc_t *this = malloc_thing(private_eap_gtc_t);
-
-	this->public.eap_method_interface.initiate = NULL;
-	this->public.eap_method_interface.process = NULL;
-	this->public.eap_method_interface.get_type = (eap_type_t(*)(eap_method_t*,u_int32_t*))get_type;
-	this->public.eap_method_interface.is_mutual = (bool(*)(eap_method_t*))is_mutual;
-	this->public.eap_method_interface.get_msk = (status_t(*)(eap_method_t*,chunk_t*))get_msk;
-	this->public.eap_method_interface.destroy = (void(*)(eap_method_t*))destroy;
-
-	/* private data */
-	this->peer = peer->clone(peer);
-	this->server = server->clone(server);
-	this->identifier = 0;
-
-	return this;
-}
-
-/*
- * see header
- */
-eap_gtc_t *eap_gtc_create_server(identification_t *server, identification_t *peer)
-{
-	private_eap_gtc_t *this = eap_gtc_create_generic(server, peer);
-
-	this->public.eap_method_interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate_server;
-	this->public.eap_method_interface.process = (status_t(*)(eap_method_t*,eap_payload_t*,eap_payload_t**))process_server;
-
-	/* generate a non-zero identifier */
-	do {
-		this->identifier = random();
-	} while (!this->identifier);
-
-	return &this->public;
-}
-
-/*
- * see header
- */
-eap_gtc_t *eap_gtc_create_peer(identification_t *server, identification_t *peer)
-{
-	private_eap_gtc_t *this = eap_gtc_create_generic(server, peer);
-
-	this->public.eap_method_interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate_peer;
-	this->public.eap_method_interface.process = (status_t(*)(eap_method_t*,eap_payload_t*,eap_payload_t**))process_peer;
-
-	return &this->public;
-}
-
diff --git a/src/charon/plugins/eap_gtc/eap_gtc.h b/src/charon/plugins/eap_gtc/eap_gtc.h
deleted file mode 100644
index 2eb8482f8..000000000
--- a/src/charon/plugins/eap_gtc/eap_gtc.h
+++ /dev/null
@@ -1,60 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup eap_gtc_i eap_gtc
- * @{ @ingroup eap_gtc
- */
-
-#ifndef EAP_GTC_H_
-#define EAP_GTC_H_
-
-typedef struct eap_gtc_t eap_gtc_t;
-
-#include <sa/authenticators/eap/eap_method.h>
-
-/**
- * Implementation of the eap_method_t interface using EAP-GTC.
- *
- * This implementation of draft-sheffer-ikev2-gtc-00.txt uses PAM to
- * verify user credentials.
- */
-struct eap_gtc_t {
-
-	/**
-	 * Implemented eap_method_t interface.
-	 */
-	eap_method_t eap_method_interface;
-};
-
-/**
- * Creates the EAP method EAP-GTC acting as server.
- *
- * @param server	ID of the EAP server
- * @param peer		ID of the EAP client
- * @return			eap_gtc_t object
- */
-eap_gtc_t *eap_gtc_create_server(identification_t *server, identification_t *peer);
-
-/**
- * Creates the EAP method EAP-GTC acting as peer.
- *
- * @param server	ID of the EAP server
- * @param peer		ID of the EAP client
- * @return			eap_gtc_t object
- */
-eap_gtc_t *eap_gtc_create_peer(identification_t *server, identification_t *peer);
-
-#endif /** EAP_GTC_H_ @}*/
diff --git a/src/charon/plugins/eap_gtc/eap_gtc_plugin.c b/src/charon/plugins/eap_gtc/eap_gtc_plugin.c
deleted file mode 100644
index 8550c254c..000000000
--- a/src/charon/plugins/eap_gtc/eap_gtc_plugin.c
+++ /dev/null
@@ -1,56 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "eap_gtc_plugin.h"
-
-#include "eap_gtc.h"
-
-#include <daemon.h>
-
-/* missing in cababilities.h */
-#define CAP_AUDIT_WRITE 29
-
-/**
- * Implementation of plugin_t.destroy
- */
-static void destroy(eap_gtc_plugin_t *this)
-{
-	charon->eap->remove_method(charon->eap,
-							   (eap_constructor_t)eap_gtc_create_server);
-	charon->eap->remove_method(charon->eap,
-							   (eap_constructor_t)eap_gtc_create_peer);
-	free(this);
-}
-
-/*
- * see header file
- */
-plugin_t *plugin_create()
-{
-	eap_gtc_plugin_t *this = malloc_thing(eap_gtc_plugin_t);
-
-	this->plugin.destroy = (void(*)(plugin_t*))destroy;
-
-	/* required for PAM authentication */
-	charon->keep_cap(charon, CAP_AUDIT_WRITE);
-
-	charon->eap->add_method(charon->eap, EAP_GTC, 0, EAP_SERVER,
-							(eap_constructor_t)eap_gtc_create_server);
-	charon->eap->add_method(charon->eap, EAP_GTC, 0, EAP_PEER,
-							(eap_constructor_t)eap_gtc_create_peer);
-
-	return &this->plugin;
-}
-
diff --git a/src/charon/plugins/eap_gtc/eap_gtc_plugin.h b/src/charon/plugins/eap_gtc/eap_gtc_plugin.h
deleted file mode 100644
index abb6bdcb6..000000000
--- a/src/charon/plugins/eap_gtc/eap_gtc_plugin.h
+++ /dev/null
@@ -1,47 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup eap_gtc eap_gtc
- * @ingroup cplugins
- *
- * @defgroup eap_gtc_plugin eap_gtc_plugin
- * @{ @ingroup eap_gtc
- */
-
-#ifndef EAP_GTC_PLUGIN_H_
-#define EAP_GTC_PLUGIN_H_
-
-#include <plugins/plugin.h>
-
-typedef struct eap_gtc_plugin_t eap_gtc_plugin_t;
-
-/**
- * EAP-GTC plugin
- */
-struct eap_gtc_plugin_t {
-
-	/**
-	 * implements plugin interface
-	 */
-	plugin_t plugin;
-};
-
-/**
- * Create a eap_gtc_plugin instance.
- */
-plugin_t *plugin_create();
-
-#endif /** EAP_GTC_PLUGIN_H_ @}*/
diff --git a/src/charon/plugins/eap_identity/Makefile.am b/src/charon/plugins/eap_identity/Makefile.am
deleted file mode 100644
index 992eb43f7..000000000
--- a/src/charon/plugins/eap_identity/Makefile.am
+++ /dev/null
@@ -1,10 +0,0 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
-
-AM_CFLAGS = -rdynamic
-
-plugin_LTLIBRARIES = libstrongswan-eap-identity.la
-libstrongswan_eap_identity_la_SOURCES = \
-  eap_identity_plugin.h eap_identity_plugin.c eap_identity.h eap_identity.c
-libstrongswan_eap_identity_la_LDFLAGS = -module -avoid-version
-
diff --git a/src/charon/plugins/eap_identity/Makefile.in b/src/charon/plugins/eap_identity/Makefile.in
deleted file mode 100644
index 80709246f..000000000
--- a/src/charon/plugins/eap_identity/Makefile.in
+++ /dev/null
@@ -1,572 +0,0 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
-# @configure_input@
-
-# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
-# This Makefile.in is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
-# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
-# PARTICULAR PURPOSE.
-
-@SET_MAKE@
-
-VPATH = @srcdir@
-pkgdatadir = $(datadir)/@PACKAGE@
-pkgincludedir = $(includedir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
-pkglibexecdir = $(libexecdir)/@PACKAGE@
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-install_sh_DATA = $(install_sh) -c -m 644
-install_sh_PROGRAM = $(install_sh) -c
-install_sh_SCRIPT = $(install_sh) -c
-INSTALL_HEADER = $(INSTALL_DATA)
-transform = $(program_transform_name)
-NORMAL_INSTALL = :
-PRE_INSTALL = :
-POST_INSTALL = :
-NORMAL_UNINSTALL = :
-PRE_UNINSTALL = :
-POST_UNINSTALL = :
-build_triplet = @build@
-host_triplet = @host@
-subdir = src/charon/plugins/eap_identity
-DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
-ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
-	$(top_srcdir)/m4/config/ltoptions.m4 \
-	$(top_srcdir)/m4/config/ltsugar.m4 \
-	$(top_srcdir)/m4/config/ltversion.m4 \
-	$(top_srcdir)/m4/config/lt~obsolete.m4 \
-	$(top_srcdir)/m4/macros/with.m4 \
-	$(top_srcdir)/m4/macros/enable-disable.m4 \
-	$(top_srcdir)/configure.in
-am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
-	$(ACLOCAL_M4)
-mkinstalldirs = $(install_sh) -d
-CONFIG_CLEAN_FILES =
-CONFIG_CLEAN_VPATH_FILES =
-am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
-am__vpath_adj = case $$p in \
-    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
-    *) f=$$p;; \
-  esac;
-am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
-am__install_max = 40
-am__nobase_strip_setup = \
-  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
-am__nobase_strip = \
-  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
-am__nobase_list = $(am__nobase_strip_setup); \
-  for p in $$list; do echo "$$p $$p"; done | \
-  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
-  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
-    if (++n[$$2] == $(am__install_max)) \
-      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
-    END { for (dir in files) print dir, files[dir] }'
-am__base_list = \
-  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
-  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
-am__installdirs = "$(DESTDIR)$(plugindir)"
-LTLIBRARIES = $(plugin_LTLIBRARIES)
-libstrongswan_eap_identity_la_LIBADD =
-am_libstrongswan_eap_identity_la_OBJECTS = eap_identity_plugin.lo \
-	eap_identity.lo
-libstrongswan_eap_identity_la_OBJECTS =  \
-	$(am_libstrongswan_eap_identity_la_OBJECTS)
-libstrongswan_eap_identity_la_LINK = $(LIBTOOL) --tag=CC \
-	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
-	$(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_eap_identity_la_LDFLAGS) $(LDFLAGS) -o $@
-DEFAULT_INCLUDES = -I.@am__isrc@
-depcomp = $(SHELL) $(top_srcdir)/depcomp
-am__depfiles_maybe = depfiles
-am__mv = mv -f
-COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
-	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
-SOURCES = $(libstrongswan_eap_identity_la_SOURCES)
-DIST_SOURCES = $(libstrongswan_eap_identity_la_SOURCES)
-ETAGS = etags
-CTAGS = ctags
-DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
-ACLOCAL = @ACLOCAL@
-ALLOCA = @ALLOCA@
-AMTAR = @AMTAR@
-AR = @AR@
-AUTOCONF = @AUTOCONF@
-AUTOHEADER = @AUTOHEADER@
-AUTOMAKE = @AUTOMAKE@
-AWK = @AWK@
-BTLIB = @BTLIB@
-CC = @CC@
-CCDEPMODE = @CCDEPMODE@
-CFLAGS = @CFLAGS@
-CPP = @CPP@
-CPPFLAGS = @CPPFLAGS@
-CYGPATH_W = @CYGPATH_W@
-DEFS = @DEFS@
-DEPDIR = @DEPDIR@
-DLLIB = @DLLIB@
-DSYMUTIL = @DSYMUTIL@
-DUMPBIN = @DUMPBIN@
-ECHO_C = @ECHO_C@
-ECHO_N = @ECHO_N@
-ECHO_T = @ECHO_T@
-EGREP = @EGREP@
-EXEEXT = @EXEEXT@
-FGREP = @FGREP@
-GPERF = @GPERF@
-GREP = @GREP@
-INSTALL = @INSTALL@
-INSTALL_DATA = @INSTALL_DATA@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@
-INSTALL_SCRIPT = @INSTALL_SCRIPT@
-INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-LD = @LD@
-LDFLAGS = @LDFLAGS@
-LEX = @LEX@
-LEXLIB = @LEXLIB@
-LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBOBJS = @LIBOBJS@
-LIBS = @LIBS@
-LIBTOOL = @LIBTOOL@
-LIPO = @LIPO@
-LN_S = @LN_S@
-LTLIBOBJS = @LTLIBOBJS@
-MAKEINFO = @MAKEINFO@
-MKDIR_P = @MKDIR_P@
-MYSQLCFLAG = @MYSQLCFLAG@
-MYSQLCONFIG = @MYSQLCONFIG@
-MYSQLLIB = @MYSQLLIB@
-NM = @NM@
-NMEDIT = @NMEDIT@
-OBJDUMP = @OBJDUMP@
-OBJEXT = @OBJEXT@
-OTOOL = @OTOOL@
-OTOOL64 = @OTOOL64@
-PACKAGE = @PACKAGE@
-PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
-PACKAGE_NAME = @PACKAGE_NAME@
-PACKAGE_STRING = @PACKAGE_STRING@
-PACKAGE_TARNAME = @PACKAGE_TARNAME@
-PACKAGE_URL = @PACKAGE_URL@
-PACKAGE_VERSION = @PACKAGE_VERSION@
-PATH_SEPARATOR = @PATH_SEPARATOR@
-PERL = @PERL@
-PKG_CONFIG = @PKG_CONFIG@
-PTHREADLIB = @PTHREADLIB@
-RANLIB = @RANLIB@
-RTLIB = @RTLIB@
-RUBY = @RUBY@
-RUBYINCLUDE = @RUBYINCLUDE@
-SED = @SED@
-SET_MAKE = @SET_MAKE@
-SHELL = @SHELL@
-SOCKLIB = @SOCKLIB@
-STRIP = @STRIP@
-VERSION = @VERSION@
-YACC = @YACC@
-YFLAGS = @YFLAGS@
-abs_builddir = @abs_builddir@
-abs_srcdir = @abs_srcdir@
-abs_top_builddir = @abs_top_builddir@
-abs_top_srcdir = @abs_top_srcdir@
-ac_ct_CC = @ac_ct_CC@
-ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
-am__include = @am__include@
-am__leading_dot = @am__leading_dot@
-am__quote = @am__quote@
-am__tar = @am__tar@
-am__untar = @am__untar@
-bindir = @bindir@
-build = @build@
-build_alias = @build_alias@
-build_cpu = @build_cpu@
-build_os = @build_os@
-build_vendor = @build_vendor@
-builddir = @builddir@
-datadir = @datadir@
-datarootdir = @datarootdir@
-default_pkcs11 = @default_pkcs11@
-docdir = @docdir@
-dvidir = @dvidir@
-exec_prefix = @exec_prefix@
-gtk_CFLAGS = @gtk_CFLAGS@
-gtk_LIBS = @gtk_LIBS@
-host = @host@
-host_alias = @host_alias@
-host_cpu = @host_cpu@
-host_os = @host_os@
-host_vendor = @host_vendor@
-htmldir = @htmldir@
-includedir = @includedir@
-infodir = @infodir@
-install_sh = @install_sh@
-ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
-ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
-ipsecuser = @ipsecuser@
-libdir = @libdir@
-libexecdir = @libexecdir@
-libstrongswan_plugins = @libstrongswan_plugins@
-linux_headers = @linux_headers@
-localedir = @localedir@
-localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
-mandir = @mandir@
-mkdir_p = @mkdir_p@
-nm_CFLAGS = @nm_CFLAGS@
-nm_LIBS = @nm_LIBS@
-nm_ca_dir = @nm_ca_dir@
-oldincludedir = @oldincludedir@
-pdfdir = @pdfdir@
-piddir = @piddir@
-plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
-prefix = @prefix@
-program_transform_name = @program_transform_name@
-psdir = @psdir@
-random_device = @random_device@
-resolv_conf = @resolv_conf@
-routing_table = @routing_table@
-routing_table_prio = @routing_table_prio@
-sbindir = @sbindir@
-sharedstatedir = @sharedstatedir@
-srcdir = @srcdir@
-strongswan_conf = @strongswan_conf@
-sysconfdir = @sysconfdir@
-target_alias = @target_alias@
-top_build_prefix = @top_build_prefix@
-top_builddir = @top_builddir@
-top_srcdir = @top_srcdir@
-urandom_device = @urandom_device@
-xml_CFLAGS = @xml_CFLAGS@
-xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
-AM_CFLAGS = -rdynamic
-plugin_LTLIBRARIES = libstrongswan-eap-identity.la
-libstrongswan_eap_identity_la_SOURCES = \
-  eap_identity_plugin.h eap_identity_plugin.c eap_identity.h eap_identity.c
-
-libstrongswan_eap_identity_la_LDFLAGS = -module -avoid-version
-all: all-am
-
-.SUFFIXES:
-.SUFFIXES: .c .lo .o .obj
-$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
-	@for dep in $?; do \
-	  case '$(am__configure_deps)' in \
-	    *$$dep*) \
-	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
-	        && { if test -f $@; then exit 0; else break; fi; }; \
-	      exit 1;; \
-	  esac; \
-	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/charon/plugins/eap_identity/Makefile'; \
-	$(am__cd) $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu src/charon/plugins/eap_identity/Makefile
-.PRECIOUS: Makefile
-Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
-	@case '$?' in \
-	  *config.status*) \
-	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
-	  *) \
-	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
-	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
-	esac;
-
-$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-
-$(top_srcdir)/configure:  $(am__configure_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(am__aclocal_m4_deps):
-install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
-	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
-	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
-	list2=; for p in $$list; do \
-	  if test -f $$p; then \
-	    list2="$$list2 $$p"; \
-	  else :; fi; \
-	done; \
-	test -z "$$list2" || { \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
-	}
-
-uninstall-pluginLTLIBRARIES:
-	@$(NORMAL_UNINSTALL)
-	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
-	for p in $$list; do \
-	  $(am__strip_dir) \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
-	done
-
-clean-pluginLTLIBRARIES:
-	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
-	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
-	  test "$$dir" != "$$p" || dir=.; \
-	  echo "rm -f \"$${dir}/so_locations\""; \
-	  rm -f "$${dir}/so_locations"; \
-	done
-libstrongswan-eap-identity.la: $(libstrongswan_eap_identity_la_OBJECTS) $(libstrongswan_eap_identity_la_DEPENDENCIES) 
-	$(libstrongswan_eap_identity_la_LINK) -rpath $(plugindir) $(libstrongswan_eap_identity_la_OBJECTS) $(libstrongswan_eap_identity_la_LIBADD) $(LIBS)
-
-mostlyclean-compile:
-	-rm -f *.$(OBJEXT)
-
-distclean-compile:
-	-rm -f *.tab.c
-
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_identity.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_identity_plugin.Plo@am__quote@
-
-.c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
-
-.c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
-
-.c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
-
-mostlyclean-libtool:
-	-rm -f *.lo
-
-clean-libtool:
-	-rm -rf .libs _libs
-
-ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
-	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	mkid -fID $$unique
-tags: TAGS
-
-TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	set x; \
-	here=`pwd`; \
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	shift; \
-	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
-	  test -n "$$unique" || unique=$$empty_fix; \
-	  if test $$# -gt 0; then \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      "$$@" $$unique; \
-	  else \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      $$unique; \
-	  fi; \
-	fi
-ctags: CTAGS
-CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$unique" \
-	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$unique
-
-GTAGS:
-	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && $(am__cd) $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) "$$here"
-
-distclean-tags:
-	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
-
-distdir: $(DISTFILES)
-	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	list='$(DISTFILES)'; \
-	  dist_files=`for file in $$list; do echo $$file; done | \
-	  sed -e "s|^$$srcdirstrip/||;t" \
-	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
-	case $$dist_files in \
-	  */*) $(MKDIR_P) `echo "$$dist_files" | \
-			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
-			   sort -u` ;; \
-	esac; \
-	for file in $$dist_files; do \
-	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  if test -d $$d/$$file; then \
-	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
-	    if test -d "$(distdir)/$$file"; then \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
-	  else \
-	    test -f "$(distdir)/$$file" \
-	    || cp -p $$d/$$file "$(distdir)/$$file" \
-	    || exit 1; \
-	  fi; \
-	done
-check-am: all-am
-check: check-am
-all-am: Makefile $(LTLIBRARIES)
-installdirs:
-	for dir in "$(DESTDIR)$(plugindir)"; do \
-	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
-	done
-install: install-am
-install-exec: install-exec-am
-install-data: install-data-am
-uninstall: uninstall-am
-
-install-am: all-am
-	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
-
-installcheck: installcheck-am
-install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
-mostlyclean-generic:
-
-clean-generic:
-
-distclean-generic:
-	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
-
-maintainer-clean-generic:
-	@echo "This command is intended for maintainers to use"
-	@echo "it deletes files that may require special tools to rebuild."
-clean: clean-am
-
-clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
-	mostlyclean-am
-
-distclean: distclean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-distclean-am: clean-am distclean-compile distclean-generic \
-	distclean-tags
-
-dvi: dvi-am
-
-dvi-am:
-
-html: html-am
-
-html-am:
-
-info: info-am
-
-info-am:
-
-install-data-am: install-pluginLTLIBRARIES
-
-install-dvi: install-dvi-am
-
-install-dvi-am:
-
-install-exec-am:
-
-install-html: install-html-am
-
-install-html-am:
-
-install-info: install-info-am
-
-install-info-am:
-
-install-man:
-
-install-pdf: install-pdf-am
-
-install-pdf-am:
-
-install-ps: install-ps-am
-
-install-ps-am:
-
-installcheck-am:
-
-maintainer-clean: maintainer-clean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-maintainer-clean-am: distclean-am maintainer-clean-generic
-
-mostlyclean: mostlyclean-am
-
-mostlyclean-am: mostlyclean-compile mostlyclean-generic \
-	mostlyclean-libtool
-
-pdf: pdf-am
-
-pdf-am:
-
-ps: ps-am
-
-ps-am:
-
-uninstall-am: uninstall-pluginLTLIBRARIES
-
-.MAKE: install-am install-strip
-
-.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
-	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
-	distclean-compile distclean-generic distclean-libtool \
-	distclean-tags distdir dvi dvi-am html html-am info info-am \
-	install install-am install-data install-data-am install-dvi \
-	install-dvi-am install-exec install-exec-am install-html \
-	install-html-am install-info install-info-am install-man \
-	install-pdf install-pdf-am install-pluginLTLIBRARIES \
-	install-ps install-ps-am install-strip installcheck \
-	installcheck-am installdirs maintainer-clean \
-	maintainer-clean-generic mostlyclean mostlyclean-compile \
-	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
-
-
-# Tell versions [3.59,3.63) of GNU make to not export all variables.
-# Otherwise a system limit (for SysV at least) may be exceeded.
-.NOEXPORT:
diff --git a/src/charon/plugins/eap_identity/eap_identity.c b/src/charon/plugins/eap_identity/eap_identity.c
deleted file mode 100644
index ab082a955..000000000
--- a/src/charon/plugins/eap_identity/eap_identity.c
+++ /dev/null
@@ -1,218 +0,0 @@
-/*
- * Copyright (C) 2007-2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "eap_identity.h"
-
-#include <daemon.h>
-#include <library.h>
-
-typedef struct private_eap_identity_t private_eap_identity_t;
-
-/**
- * Private data of an eap_identity_t object.
- */
-struct private_eap_identity_t {
-
-	/**
-	 * Public authenticator_t interface.
-	 */
-	eap_identity_t public;
-
-	/**
-	 * ID of the peer
-	 */
-	identification_t *peer;
-
-	/**
-	 * received identity chunk
-	 */
-	chunk_t identity;
-};
-
-typedef struct eap_identity_header_t eap_identity_header_t;
-
-/**
- * packed EAP Identity header struct
- */
-struct eap_identity_header_t {
-	/** EAP code (REQUEST/RESPONSE) */
-	u_int8_t code;
-	/** unique message identifier */
-	u_int8_t identifier;
-	/** length of whole message */
-	u_int16_t length;
-	/** EAP type */
-	u_int8_t type;
-	/** identity data */
-	u_int8_t data[];
-} __attribute__((__packed__));
-
-/**
- * Implementation of eap_method_t.process for the peer
- */
-static status_t process_peer(private_eap_identity_t *this,
-							 eap_payload_t *in, eap_payload_t **out)
-{
-	chunk_t id;
-	eap_identity_header_t *hdr;
-	size_t len;
-
-	id = this->peer->get_encoding(this->peer);
-	len = sizeof(eap_identity_header_t) + id.len;
-
-	hdr = alloca(len);
-	hdr->code = EAP_RESPONSE;
-	hdr->identifier = in->get_identifier(in);
-	hdr->length = htons(len);
-	hdr->type = EAP_IDENTITY;
-	memcpy(hdr->data, id.ptr, id.len);
-
-	*out = eap_payload_create_data(chunk_create((u_char*)hdr, len));
-	return SUCCESS;
-}
-
-/**
- * Implementation of eap_method_t.initiate for the peer
- */
-static status_t initiate_peer(private_eap_identity_t *this, eap_payload_t **out)
-{
-	/* peer never initiates */
-	return FAILED;
-}
-
-/**
- * Implementation of eap_method_t.process for the server
- */
-static status_t process_server(private_eap_identity_t *this,
-							   eap_payload_t *in, eap_payload_t **out)
-{
-	chunk_t data;
-
-	data = chunk_skip(in->get_data(in), 5);
-	if (data.len)
-	{
-		this->identity = chunk_clone(data);
-	}
-	return SUCCESS;
-}
-
-/**
- * Implementation of eap_method_t.initiate for the server
- */
-static status_t initiate_server(private_eap_identity_t *this, eap_payload_t **out)
-{
-	eap_identity_header_t hdr;
-
-	hdr.code = EAP_REQUEST;
-	hdr.identifier = 0;
-	hdr.length = htons(sizeof(eap_identity_header_t));
-	hdr.type = EAP_IDENTITY;
-
-	*out = eap_payload_create_data(chunk_create((u_char*)&hdr,
-												sizeof(eap_identity_header_t)));
-	return NEED_MORE;
-}
-
-/**
- * Implementation of eap_method_t.get_type.
- */
-static eap_type_t get_type(private_eap_identity_t *this, u_int32_t *vendor)
-{
-	*vendor = 0;
-	return EAP_IDENTITY;
-}
-
-/**
- * Implementation of eap_method_t.get_msk.
- */
-static status_t get_msk(private_eap_identity_t *this, chunk_t *msk)
-{
-	if (this->identity.ptr)
-	{
-		*msk = this->identity;
-		return SUCCESS;
-	}
-	return FAILED;
-}
-
-/**
- * Implementation of eap_method_t.is_mutual.
- */
-static bool is_mutual(private_eap_identity_t *this)
-{
-	return FALSE;
-}
-
-/**
- * Implementation of eap_method_t.destroy.
- */
-static void destroy(private_eap_identity_t *this)
-{
-	this->peer->destroy(this->peer);
-	free(this->identity.ptr);
-	free(this);
-}
-
-/**
- * Generic constructor
- */
-static private_eap_identity_t *eap_identity_create(identification_t *server,
-												   identification_t *peer)
-{
-	private_eap_identity_t *this = malloc_thing(private_eap_identity_t);
-
-	this->public.eap_method_interface.initiate = NULL;
-	this->public.eap_method_interface.process = NULL;
-	this->public.eap_method_interface.get_type = (eap_type_t(*)(eap_method_t*,u_int32_t*))get_type;
-	this->public.eap_method_interface.is_mutual = (bool(*)(eap_method_t*))is_mutual;
-	this->public.eap_method_interface.get_msk = (status_t(*)(eap_method_t*,chunk_t*))get_msk;
-	this->public.eap_method_interface.destroy = (void(*)(eap_method_t*))destroy;
-
-	this->peer = peer->clone(peer);
-	this->identity = chunk_empty;
-
-	return this;
-}
-
-/*
- * Described in header.
- */
-eap_identity_t *eap_identity_create_peer(identification_t *server,
-										 identification_t *peer)
-{
-	private_eap_identity_t *this = eap_identity_create(server, peer);
-
-	/* public functions */
-	this->public.eap_method_interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate_peer;
-	this->public.eap_method_interface.process = (status_t(*)(eap_method_t*,eap_payload_t*,eap_payload_t**))process_peer;
-
-	return &this->public;
-}
-
-/*
- * Described in header.
- */
-eap_identity_t *eap_identity_create_server(identification_t *server,
-										   identification_t *peer)
-{
-	private_eap_identity_t *this = eap_identity_create(server, peer);
-
-	/* public functions */
-	this->public.eap_method_interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate_server;
-	this->public.eap_method_interface.process = (status_t(*)(eap_method_t*,eap_payload_t*,eap_payload_t**))process_server;
-
-	return &this->public;
-}
-
diff --git a/src/charon/plugins/eap_identity/eap_identity.h b/src/charon/plugins/eap_identity/eap_identity.h
deleted file mode 100644
index 7364a8bda..000000000
--- a/src/charon/plugins/eap_identity/eap_identity.h
+++ /dev/null
@@ -1,59 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup eap_identity_i eap_identity
- * @{ @ingroup eap_identity
- */
-
-#ifndef EAP_IDENTITY_H_
-#define EAP_IDENTITY_H_
-
-typedef struct eap_identity_t eap_identity_t;
-
-#include <sa/authenticators/eap/eap_method.h>
-
-/**
- * Implementation of the eap_method_t interface using EAP Identity.
- */
-struct eap_identity_t {
-
-	/**
-	 * Implemented eap_method_t interface.
-	 */
-	eap_method_t eap_method_interface;
-};
-
-/**
- * Creates the EAP method EAP Identity, acting as server.
- *
- * @param server	ID of the EAP server
- * @param peer		ID of the EAP client
- * @return			eap_identity_t object
- */
-eap_identity_t *eap_identity_create_server(identification_t *server,
-										   identification_t *peer);
-
-/**
- * Creates the EAP method EAP Identity, acting as peer.
- *
- * @param server	ID of the EAP server
- * @param peer		ID of the EAP client
- * @return			eap_identity_t object
- */
-eap_identity_t *eap_identity_create_peer(identification_t *server,
-										 identification_t *peer);
-
-#endif /** EAP_IDENTITY_H_ @}*/
diff --git a/src/charon/plugins/eap_identity/eap_identity_plugin.c b/src/charon/plugins/eap_identity/eap_identity_plugin.c
deleted file mode 100644
index a623e1951..000000000
--- a/src/charon/plugins/eap_identity/eap_identity_plugin.c
+++ /dev/null
@@ -1,50 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "eap_identity_plugin.h"
-
-#include "eap_identity.h"
-
-#include <daemon.h>
-
-/**
- * Implementation of plugin_t.destroy
- */
-static void destroy(eap_identity_plugin_t *this)
-{
-	charon->eap->remove_method(charon->eap,
-							   (eap_constructor_t)eap_identity_create_server);
-	charon->eap->remove_method(charon->eap,
-							   (eap_constructor_t)eap_identity_create_peer);
-	free(this);
-}
-
-/*
- * see header file
- */
-plugin_t *plugin_create()
-{
-	eap_identity_plugin_t *this = malloc_thing(eap_identity_plugin_t);
-
-	this->plugin.destroy = (void(*)(plugin_t*))destroy;
-
-	charon->eap->add_method(charon->eap, EAP_IDENTITY, 0, EAP_SERVER,
-							(eap_constructor_t)eap_identity_create_server);
-	charon->eap->add_method(charon->eap, EAP_IDENTITY, 0, EAP_PEER,
-							(eap_constructor_t)eap_identity_create_peer);
-
-	return &this->plugin;
-}
-
diff --git a/src/charon/plugins/eap_identity/eap_identity_plugin.h b/src/charon/plugins/eap_identity/eap_identity_plugin.h
deleted file mode 100644
index 0a7fb8228..000000000
--- a/src/charon/plugins/eap_identity/eap_identity_plugin.h
+++ /dev/null
@@ -1,47 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup eap_identity eap_identity
- * @ingroup cplugins
- *
- * @defgroup eap_identity_plugin eap_identity_plugin
- * @{ @ingroup eap_identity
- */
-
-#ifndef EAP_IDENTITY_PLUGIN_H_
-#define EAP_IDENTITY_PLUGIN_H_
-
-#include <plugins/plugin.h>
-
-typedef struct eap_identity_plugin_t eap_identity_plugin_t;
-
-/**
- * EAP-IDENTITY plugin.
- */
-struct eap_identity_plugin_t {
-
-	/**
-	 * implements plugin interface
-	 */
-	plugin_t plugin;
-};
-
-/**
- * Create a eap_identity_plugin instance.
- */
-plugin_t *plugin_create();
-
-#endif /** EAP_IDENTITY_PLUGIN_H_ @}*/
diff --git a/src/charon/plugins/eap_md5/Makefile.am b/src/charon/plugins/eap_md5/Makefile.am
deleted file mode 100644
index f49928cd2..000000000
--- a/src/charon/plugins/eap_md5/Makefile.am
+++ /dev/null
@@ -1,10 +0,0 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
-
-AM_CFLAGS = -rdynamic
-
-plugin_LTLIBRARIES = libstrongswan-eap-md5.la
-
-libstrongswan_eap_md5_la_SOURCES = eap_md5_plugin.h eap_md5_plugin.c eap_md5.h eap_md5.c
-libstrongswan_eap_md5_la_LDFLAGS = -module -avoid-version
-
diff --git a/src/charon/plugins/eap_md5/Makefile.in b/src/charon/plugins/eap_md5/Makefile.in
deleted file mode 100644
index 21ac7fa92..000000000
--- a/src/charon/plugins/eap_md5/Makefile.in
+++ /dev/null
@@ -1,568 +0,0 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
-# @configure_input@
-
-# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
-# This Makefile.in is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
-# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
-# PARTICULAR PURPOSE.
-
-@SET_MAKE@
-
-VPATH = @srcdir@
-pkgdatadir = $(datadir)/@PACKAGE@
-pkgincludedir = $(includedir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
-pkglibexecdir = $(libexecdir)/@PACKAGE@
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-install_sh_DATA = $(install_sh) -c -m 644
-install_sh_PROGRAM = $(install_sh) -c
-install_sh_SCRIPT = $(install_sh) -c
-INSTALL_HEADER = $(INSTALL_DATA)
-transform = $(program_transform_name)
-NORMAL_INSTALL = :
-PRE_INSTALL = :
-POST_INSTALL = :
-NORMAL_UNINSTALL = :
-PRE_UNINSTALL = :
-POST_UNINSTALL = :
-build_triplet = @build@
-host_triplet = @host@
-subdir = src/charon/plugins/eap_md5
-DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
-ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
-	$(top_srcdir)/m4/config/ltoptions.m4 \
-	$(top_srcdir)/m4/config/ltsugar.m4 \
-	$(top_srcdir)/m4/config/ltversion.m4 \
-	$(top_srcdir)/m4/config/lt~obsolete.m4 \
-	$(top_srcdir)/m4/macros/with.m4 \
-	$(top_srcdir)/m4/macros/enable-disable.m4 \
-	$(top_srcdir)/configure.in
-am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
-	$(ACLOCAL_M4)
-mkinstalldirs = $(install_sh) -d
-CONFIG_CLEAN_FILES =
-CONFIG_CLEAN_VPATH_FILES =
-am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
-am__vpath_adj = case $$p in \
-    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
-    *) f=$$p;; \
-  esac;
-am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
-am__install_max = 40
-am__nobase_strip_setup = \
-  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
-am__nobase_strip = \
-  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
-am__nobase_list = $(am__nobase_strip_setup); \
-  for p in $$list; do echo "$$p $$p"; done | \
-  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
-  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
-    if (++n[$$2] == $(am__install_max)) \
-      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
-    END { for (dir in files) print dir, files[dir] }'
-am__base_list = \
-  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
-  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
-am__installdirs = "$(DESTDIR)$(plugindir)"
-LTLIBRARIES = $(plugin_LTLIBRARIES)
-libstrongswan_eap_md5_la_LIBADD =
-am_libstrongswan_eap_md5_la_OBJECTS = eap_md5_plugin.lo eap_md5.lo
-libstrongswan_eap_md5_la_OBJECTS =  \
-	$(am_libstrongswan_eap_md5_la_OBJECTS)
-libstrongswan_eap_md5_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_eap_md5_la_LDFLAGS) $(LDFLAGS) -o $@
-DEFAULT_INCLUDES = -I.@am__isrc@
-depcomp = $(SHELL) $(top_srcdir)/depcomp
-am__depfiles_maybe = depfiles
-am__mv = mv -f
-COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
-	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
-SOURCES = $(libstrongswan_eap_md5_la_SOURCES)
-DIST_SOURCES = $(libstrongswan_eap_md5_la_SOURCES)
-ETAGS = etags
-CTAGS = ctags
-DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
-ACLOCAL = @ACLOCAL@
-ALLOCA = @ALLOCA@
-AMTAR = @AMTAR@
-AR = @AR@
-AUTOCONF = @AUTOCONF@
-AUTOHEADER = @AUTOHEADER@
-AUTOMAKE = @AUTOMAKE@
-AWK = @AWK@
-BTLIB = @BTLIB@
-CC = @CC@
-CCDEPMODE = @CCDEPMODE@
-CFLAGS = @CFLAGS@
-CPP = @CPP@
-CPPFLAGS = @CPPFLAGS@
-CYGPATH_W = @CYGPATH_W@
-DEFS = @DEFS@
-DEPDIR = @DEPDIR@
-DLLIB = @DLLIB@
-DSYMUTIL = @DSYMUTIL@
-DUMPBIN = @DUMPBIN@
-ECHO_C = @ECHO_C@
-ECHO_N = @ECHO_N@
-ECHO_T = @ECHO_T@
-EGREP = @EGREP@
-EXEEXT = @EXEEXT@
-FGREP = @FGREP@
-GPERF = @GPERF@
-GREP = @GREP@
-INSTALL = @INSTALL@
-INSTALL_DATA = @INSTALL_DATA@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@
-INSTALL_SCRIPT = @INSTALL_SCRIPT@
-INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-LD = @LD@
-LDFLAGS = @LDFLAGS@
-LEX = @LEX@
-LEXLIB = @LEXLIB@
-LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBOBJS = @LIBOBJS@
-LIBS = @LIBS@
-LIBTOOL = @LIBTOOL@
-LIPO = @LIPO@
-LN_S = @LN_S@
-LTLIBOBJS = @LTLIBOBJS@
-MAKEINFO = @MAKEINFO@
-MKDIR_P = @MKDIR_P@
-MYSQLCFLAG = @MYSQLCFLAG@
-MYSQLCONFIG = @MYSQLCONFIG@
-MYSQLLIB = @MYSQLLIB@
-NM = @NM@
-NMEDIT = @NMEDIT@
-OBJDUMP = @OBJDUMP@
-OBJEXT = @OBJEXT@
-OTOOL = @OTOOL@
-OTOOL64 = @OTOOL64@
-PACKAGE = @PACKAGE@
-PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
-PACKAGE_NAME = @PACKAGE_NAME@
-PACKAGE_STRING = @PACKAGE_STRING@
-PACKAGE_TARNAME = @PACKAGE_TARNAME@
-PACKAGE_URL = @PACKAGE_URL@
-PACKAGE_VERSION = @PACKAGE_VERSION@
-PATH_SEPARATOR = @PATH_SEPARATOR@
-PERL = @PERL@
-PKG_CONFIG = @PKG_CONFIG@
-PTHREADLIB = @PTHREADLIB@
-RANLIB = @RANLIB@
-RTLIB = @RTLIB@
-RUBY = @RUBY@
-RUBYINCLUDE = @RUBYINCLUDE@
-SED = @SED@
-SET_MAKE = @SET_MAKE@
-SHELL = @SHELL@
-SOCKLIB = @SOCKLIB@
-STRIP = @STRIP@
-VERSION = @VERSION@
-YACC = @YACC@
-YFLAGS = @YFLAGS@
-abs_builddir = @abs_builddir@
-abs_srcdir = @abs_srcdir@
-abs_top_builddir = @abs_top_builddir@
-abs_top_srcdir = @abs_top_srcdir@
-ac_ct_CC = @ac_ct_CC@
-ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
-am__include = @am__include@
-am__leading_dot = @am__leading_dot@
-am__quote = @am__quote@
-am__tar = @am__tar@
-am__untar = @am__untar@
-bindir = @bindir@
-build = @build@
-build_alias = @build_alias@
-build_cpu = @build_cpu@
-build_os = @build_os@
-build_vendor = @build_vendor@
-builddir = @builddir@
-datadir = @datadir@
-datarootdir = @datarootdir@
-default_pkcs11 = @default_pkcs11@
-docdir = @docdir@
-dvidir = @dvidir@
-exec_prefix = @exec_prefix@
-gtk_CFLAGS = @gtk_CFLAGS@
-gtk_LIBS = @gtk_LIBS@
-host = @host@
-host_alias = @host_alias@
-host_cpu = @host_cpu@
-host_os = @host_os@
-host_vendor = @host_vendor@
-htmldir = @htmldir@
-includedir = @includedir@
-infodir = @infodir@
-install_sh = @install_sh@
-ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
-ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
-ipsecuser = @ipsecuser@
-libdir = @libdir@
-libexecdir = @libexecdir@
-libstrongswan_plugins = @libstrongswan_plugins@
-linux_headers = @linux_headers@
-localedir = @localedir@
-localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
-mandir = @mandir@
-mkdir_p = @mkdir_p@
-nm_CFLAGS = @nm_CFLAGS@
-nm_LIBS = @nm_LIBS@
-nm_ca_dir = @nm_ca_dir@
-oldincludedir = @oldincludedir@
-pdfdir = @pdfdir@
-piddir = @piddir@
-plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
-prefix = @prefix@
-program_transform_name = @program_transform_name@
-psdir = @psdir@
-random_device = @random_device@
-resolv_conf = @resolv_conf@
-routing_table = @routing_table@
-routing_table_prio = @routing_table_prio@
-sbindir = @sbindir@
-sharedstatedir = @sharedstatedir@
-srcdir = @srcdir@
-strongswan_conf = @strongswan_conf@
-sysconfdir = @sysconfdir@
-target_alias = @target_alias@
-top_build_prefix = @top_build_prefix@
-top_builddir = @top_builddir@
-top_srcdir = @top_srcdir@
-urandom_device = @urandom_device@
-xml_CFLAGS = @xml_CFLAGS@
-xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
-AM_CFLAGS = -rdynamic
-plugin_LTLIBRARIES = libstrongswan-eap-md5.la
-libstrongswan_eap_md5_la_SOURCES = eap_md5_plugin.h eap_md5_plugin.c eap_md5.h eap_md5.c
-libstrongswan_eap_md5_la_LDFLAGS = -module -avoid-version
-all: all-am
-
-.SUFFIXES:
-.SUFFIXES: .c .lo .o .obj
-$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
-	@for dep in $?; do \
-	  case '$(am__configure_deps)' in \
-	    *$$dep*) \
-	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
-	        && { if test -f $@; then exit 0; else break; fi; }; \
-	      exit 1;; \
-	  esac; \
-	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/charon/plugins/eap_md5/Makefile'; \
-	$(am__cd) $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu src/charon/plugins/eap_md5/Makefile
-.PRECIOUS: Makefile
-Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
-	@case '$?' in \
-	  *config.status*) \
-	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
-	  *) \
-	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
-	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
-	esac;
-
-$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-
-$(top_srcdir)/configure:  $(am__configure_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(am__aclocal_m4_deps):
-install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
-	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
-	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
-	list2=; for p in $$list; do \
-	  if test -f $$p; then \
-	    list2="$$list2 $$p"; \
-	  else :; fi; \
-	done; \
-	test -z "$$list2" || { \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
-	}
-
-uninstall-pluginLTLIBRARIES:
-	@$(NORMAL_UNINSTALL)
-	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
-	for p in $$list; do \
-	  $(am__strip_dir) \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
-	done
-
-clean-pluginLTLIBRARIES:
-	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
-	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
-	  test "$$dir" != "$$p" || dir=.; \
-	  echo "rm -f \"$${dir}/so_locations\""; \
-	  rm -f "$${dir}/so_locations"; \
-	done
-libstrongswan-eap-md5.la: $(libstrongswan_eap_md5_la_OBJECTS) $(libstrongswan_eap_md5_la_DEPENDENCIES) 
-	$(libstrongswan_eap_md5_la_LINK) -rpath $(plugindir) $(libstrongswan_eap_md5_la_OBJECTS) $(libstrongswan_eap_md5_la_LIBADD) $(LIBS)
-
-mostlyclean-compile:
-	-rm -f *.$(OBJEXT)
-
-distclean-compile:
-	-rm -f *.tab.c
-
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_md5.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_md5_plugin.Plo@am__quote@
-
-.c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
-
-.c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
-
-.c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
-
-mostlyclean-libtool:
-	-rm -f *.lo
-
-clean-libtool:
-	-rm -rf .libs _libs
-
-ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
-	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	mkid -fID $$unique
-tags: TAGS
-
-TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	set x; \
-	here=`pwd`; \
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	shift; \
-	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
-	  test -n "$$unique" || unique=$$empty_fix; \
-	  if test $$# -gt 0; then \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      "$$@" $$unique; \
-	  else \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      $$unique; \
-	  fi; \
-	fi
-ctags: CTAGS
-CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$unique" \
-	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$unique
-
-GTAGS:
-	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && $(am__cd) $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) "$$here"
-
-distclean-tags:
-	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
-
-distdir: $(DISTFILES)
-	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	list='$(DISTFILES)'; \
-	  dist_files=`for file in $$list; do echo $$file; done | \
-	  sed -e "s|^$$srcdirstrip/||;t" \
-	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
-	case $$dist_files in \
-	  */*) $(MKDIR_P) `echo "$$dist_files" | \
-			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
-			   sort -u` ;; \
-	esac; \
-	for file in $$dist_files; do \
-	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  if test -d $$d/$$file; then \
-	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
-	    if test -d "$(distdir)/$$file"; then \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
-	  else \
-	    test -f "$(distdir)/$$file" \
-	    || cp -p $$d/$$file "$(distdir)/$$file" \
-	    || exit 1; \
-	  fi; \
-	done
-check-am: all-am
-check: check-am
-all-am: Makefile $(LTLIBRARIES)
-installdirs:
-	for dir in "$(DESTDIR)$(plugindir)"; do \
-	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
-	done
-install: install-am
-install-exec: install-exec-am
-install-data: install-data-am
-uninstall: uninstall-am
-
-install-am: all-am
-	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
-
-installcheck: installcheck-am
-install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
-mostlyclean-generic:
-
-clean-generic:
-
-distclean-generic:
-	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
-
-maintainer-clean-generic:
-	@echo "This command is intended for maintainers to use"
-	@echo "it deletes files that may require special tools to rebuild."
-clean: clean-am
-
-clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
-	mostlyclean-am
-
-distclean: distclean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-distclean-am: clean-am distclean-compile distclean-generic \
-	distclean-tags
-
-dvi: dvi-am
-
-dvi-am:
-
-html: html-am
-
-html-am:
-
-info: info-am
-
-info-am:
-
-install-data-am: install-pluginLTLIBRARIES
-
-install-dvi: install-dvi-am
-
-install-dvi-am:
-
-install-exec-am:
-
-install-html: install-html-am
-
-install-html-am:
-
-install-info: install-info-am
-
-install-info-am:
-
-install-man:
-
-install-pdf: install-pdf-am
-
-install-pdf-am:
-
-install-ps: install-ps-am
-
-install-ps-am:
-
-installcheck-am:
-
-maintainer-clean: maintainer-clean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-maintainer-clean-am: distclean-am maintainer-clean-generic
-
-mostlyclean: mostlyclean-am
-
-mostlyclean-am: mostlyclean-compile mostlyclean-generic \
-	mostlyclean-libtool
-
-pdf: pdf-am
-
-pdf-am:
-
-ps: ps-am
-
-ps-am:
-
-uninstall-am: uninstall-pluginLTLIBRARIES
-
-.MAKE: install-am install-strip
-
-.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
-	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
-	distclean-compile distclean-generic distclean-libtool \
-	distclean-tags distdir dvi dvi-am html html-am info info-am \
-	install install-am install-data install-data-am install-dvi \
-	install-dvi-am install-exec install-exec-am install-html \
-	install-html-am install-info install-info-am install-man \
-	install-pdf install-pdf-am install-pluginLTLIBRARIES \
-	install-ps install-ps-am install-strip installcheck \
-	installcheck-am installdirs maintainer-clean \
-	maintainer-clean-generic mostlyclean mostlyclean-compile \
-	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
-
-
-# Tell versions [3.59,3.63) of GNU make to not export all variables.
-# Otherwise a system limit (for SysV at least) may be exceeded.
-.NOEXPORT:
diff --git a/src/charon/plugins/eap_md5/eap_md5.c b/src/charon/plugins/eap_md5/eap_md5.c
deleted file mode 100644
index 0eda8f755..000000000
--- a/src/charon/plugins/eap_md5/eap_md5.c
+++ /dev/null
@@ -1,303 +0,0 @@
-/*
- * Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "eap_md5.h"
-
-#include <daemon.h>
-#include <library.h>
-#include <crypto/hashers/hasher.h>
-
-typedef struct private_eap_md5_t private_eap_md5_t;
-
-/**
- * Private data of an eap_md5_t object.
- */
-struct private_eap_md5_t {
-
-	/**
-	 * Public authenticator_t interface.
-	 */
-	eap_md5_t public;
-
-	/**
-	 * ID of the server
-	 */
-	identification_t *server;
-
-	/**
-	 * ID of the peer
-	 */
-	identification_t *peer;
-
-	/**
-	 * challenge sent by the server
-	 */
-	chunk_t challenge;
-
-	/**
-	 * EAP message identififier
-	 */
-	u_int8_t identifier;
-};
-
-typedef struct eap_md5_header_t eap_md5_header_t;
-
-/**
- * packed eap MD5 header struct
- */
-struct eap_md5_header_t {
-	/** EAP code (REQUEST/RESPONSE) */
-	u_int8_t code;
-	/** unique message identifier */
-	u_int8_t identifier;
-	/** length of whole message */
-	u_int16_t length;
-	/** EAP type */
-	u_int8_t type;
-	/** length of value (challenge) */
-	u_int8_t value_size;
-	/** actual value */
-	u_int8_t value[];
-} __attribute__((__packed__));
-
-#define CHALLENGE_LEN 16
-#define PAYLOAD_LEN (CHALLENGE_LEN + sizeof(eap_md5_header_t))
-
-/**
- * Hash the challenge string, create response
- */
-static status_t hash_challenge(private_eap_md5_t *this, chunk_t *response,
-							   identification_t *me, identification_t *other)
-{
-	shared_key_t *shared;
-	chunk_t concat;
-	hasher_t *hasher;
-
-	shared = charon->credentials->get_shared(charon->credentials, SHARED_EAP,
-											 me, other);
-	if (shared == NULL)
-	{
-		DBG1(DBG_IKE, "no EAP key found for hosts '%Y' - '%Y'", me, other);
-		return NOT_FOUND;
-	}
-	concat = chunk_cata("ccc", chunk_from_thing(this->identifier),
-						shared->get_key(shared), this->challenge);
-	shared->destroy(shared);
-	hasher = lib->crypto->create_hasher(lib->crypto, HASH_MD5);
-	if (hasher == NULL)
-	{
-		DBG1(DBG_IKE, "EAP-MD5 failed, MD5 not supported");
-		return FAILED;
-	}
-	hasher->allocate_hash(hasher, concat, response);
-	hasher->destroy(hasher);
-	return SUCCESS;
-}
-
-/**
- * Implementation of eap_method_t.initiate for the peer
- */
-static status_t initiate_peer(private_eap_md5_t *this, eap_payload_t **out)
-{
-	/* peer never initiates */
-	return FAILED;
-}
-
-/**
- * Implementation of eap_method_t.initiate for the server
- */
-static status_t initiate_server(private_eap_md5_t *this, eap_payload_t **out)
-{
-	rng_t *rng;
-	eap_md5_header_t *req;
-
-	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
-	if (!rng)
-	{
-		return FAILED;
-	}
-	rng->allocate_bytes(rng, CHALLENGE_LEN, &this->challenge);
-	rng->destroy(rng);
-
-	req = alloca(PAYLOAD_LEN);
-	req->length = htons(PAYLOAD_LEN);
-	req->code = EAP_REQUEST;
-	req->identifier = this->identifier;
-	req->type = EAP_MD5;
-	req->value_size = this->challenge.len;
-	memcpy(req->value, this->challenge.ptr, this->challenge.len);
-
-	*out = eap_payload_create_data(chunk_create((void*)req, PAYLOAD_LEN));
-	return NEED_MORE;
-}
-
-/**
- * Implementation of eap_method_t.process for the peer
- */
-static status_t process_peer(private_eap_md5_t *this,
-							 eap_payload_t *in, eap_payload_t **out)
-{
-	chunk_t response;
-	chunk_t data;
-	eap_md5_header_t *req;
-
-	this->identifier = in->get_identifier(in);
-	data = in->get_data(in);
-	this->challenge = chunk_clone(chunk_skip(data, 6));
-	if (data.len < 6 || this->challenge.len < *(data.ptr + 5))
-	{
-		DBG1(DBG_IKE, "received invalid EAP-MD5 message");
-		return FAILED;
-	}
-	if (hash_challenge(this, &response, this->peer, this->server) != SUCCESS)
-	{
-		return FAILED;
-	}
-	req = alloca(PAYLOAD_LEN);
-	req->length = htons(PAYLOAD_LEN);
-	req->code = EAP_RESPONSE;
-	req->identifier = this->identifier;
-	req->type = EAP_MD5;
-	req->value_size = response.len;
-	memcpy(req->value, response.ptr, response.len);
-	chunk_free(&response);
-
-	*out = eap_payload_create_data(chunk_create((void*)req, PAYLOAD_LEN));
-	return NEED_MORE;
-}
-
-/**
- * Implementation of eap_method_t.process for the server
- */
-static status_t process_server(private_eap_md5_t *this,
-							   eap_payload_t *in, eap_payload_t **out)
-{
-	chunk_t response, expected;
-	chunk_t data;
-
-	if (this->identifier != in->get_identifier(in))
-	{
-		DBG1(DBG_IKE, "received invalid EAP-MD5 message");
-		return FAILED;
-	}
-	if (hash_challenge(this, &expected, this->server, this->peer) != SUCCESS)
-	{
-		return FAILED;
-	}
-	data = in->get_data(in);
-	response = chunk_skip(data, 6);
-
-	if (response.len < expected.len ||
-		!memeq(response.ptr, expected.ptr, expected.len))
-	{
-		chunk_free(&expected);
-		DBG1(DBG_IKE, "EAP-MD5 verification failed");
-		return FAILED;
-	}
-	chunk_free(&expected);
-	return SUCCESS;
-}
-
-/**
- * Implementation of eap_method_t.get_type.
- */
-static eap_type_t get_type(private_eap_md5_t *this, u_int32_t *vendor)
-{
-	*vendor = 0;
-	return EAP_MD5;
-}
-
-/**
- * Implementation of eap_method_t.get_msk.
- */
-static status_t get_msk(private_eap_md5_t *this, chunk_t *msk)
-{
-	return FAILED;
-}
-
-/**
- * Implementation of eap_method_t.is_mutual.
- */
-static bool is_mutual(private_eap_md5_t *this)
-{
-	return FALSE;
-}
-
-/**
- * Implementation of eap_method_t.destroy.
- */
-static void destroy(private_eap_md5_t *this)
-{
-	this->peer->destroy(this->peer);
-	this->server->destroy(this->server);
-	chunk_free(&this->challenge);
-	free(this);
-}
-
-/**
- * Generic constructor
- */
-static private_eap_md5_t *eap_md5_create_generic(identification_t *server,
-												 identification_t *peer)
-{
-	private_eap_md5_t *this = malloc_thing(private_eap_md5_t);
-
-	this->public.eap_method_interface.initiate = NULL;
-	this->public.eap_method_interface.process = NULL;
-	this->public.eap_method_interface.get_type = (eap_type_t(*)(eap_method_t*,u_int32_t*))get_type;
-	this->public.eap_method_interface.is_mutual = (bool(*)(eap_method_t*))is_mutual;
-	this->public.eap_method_interface.get_msk = (status_t(*)(eap_method_t*,chunk_t*))get_msk;
-	this->public.eap_method_interface.destroy = (void(*)(eap_method_t*))destroy;
-
-	/* private data */
-	this->peer = peer->clone(peer);
-	this->server = server->clone(server);
-	this->challenge = chunk_empty;
-	this->identifier = 0;
-
-	return this;
-}
-
-/*
- * see header
- */
-eap_md5_t *eap_md5_create_server(identification_t *server, identification_t *peer)
-{
-	private_eap_md5_t *this = eap_md5_create_generic(server, peer);
-
-	this->public.eap_method_interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate_server;
-	this->public.eap_method_interface.process = (status_t(*)(eap_method_t*,eap_payload_t*,eap_payload_t**))process_server;
-
-	/* generate a non-zero identifier */
-	do {
-		this->identifier = random();
-	} while (!this->identifier);
-
-	return &this->public;
-}
-
-/*
- * see header
- */
-eap_md5_t *eap_md5_create_peer(identification_t *server, identification_t *peer)
-{
-	private_eap_md5_t *this = eap_md5_create_generic(server, peer);
-
-	this->public.eap_method_interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate_peer;
-	this->public.eap_method_interface.process = (status_t(*)(eap_method_t*,eap_payload_t*,eap_payload_t**))process_peer;
-
-	return &this->public;
-}
-
diff --git a/src/charon/plugins/eap_md5/eap_md5.h b/src/charon/plugins/eap_md5/eap_md5.h
deleted file mode 100644
index 3cff0dd79..000000000
--- a/src/charon/plugins/eap_md5/eap_md5.h
+++ /dev/null
@@ -1,57 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup eap_md5_i eap_md5
- * @{ @ingroup eap_md5
- */
-
-#ifndef EAP_MD5_H_
-#define EAP_MD5_H_
-
-typedef struct eap_md5_t eap_md5_t;
-
-#include <sa/authenticators/eap/eap_method.h>
-
-/**
- * Implementation of the eap_method_t interface using EAP-MD5 (CHAP).
- */
-struct eap_md5_t {
-
-	/**
-	 * Implemented eap_method_t interface.
-	 */
-	eap_method_t eap_method_interface;
-};
-
-/**
- * Creates the EAP method EAP-MD5 acting as server.
- *
- * @param server	ID of the EAP server
- * @param peer		ID of the EAP client
- * @return			eap_md5_t object
- */
-eap_md5_t *eap_md5_create_server(identification_t *server, identification_t *peer);
-
-/**
- * Creates the EAP method EAP-MD5 acting as peer.
- *
- * @param server	ID of the EAP server
- * @param peer		ID of the EAP client
- * @return			eap_md5_t object
- */
-eap_md5_t *eap_md5_create_peer(identification_t *server, identification_t *peer);
-
-#endif /** EAP_MD5_H_ @}*/
diff --git a/src/charon/plugins/eap_md5/eap_md5_plugin.c b/src/charon/plugins/eap_md5/eap_md5_plugin.c
deleted file mode 100644
index 629255ebf..000000000
--- a/src/charon/plugins/eap_md5/eap_md5_plugin.c
+++ /dev/null
@@ -1,50 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "eap_md5_plugin.h"
-
-#include "eap_md5.h"
-
-#include <daemon.h>
-
-/**
- * Implementation of plugin_t.destroy
- */
-static void destroy(eap_md5_plugin_t *this)
-{
-	charon->eap->remove_method(charon->eap,
-							   (eap_constructor_t)eap_md5_create_server);
-	charon->eap->remove_method(charon->eap,
-							   (eap_constructor_t)eap_md5_create_peer);
-	free(this);
-}
-
-/*
- * see header file
- */
-plugin_t *plugin_create()
-{
-	eap_md5_plugin_t *this = malloc_thing(eap_md5_plugin_t);
-
-	this->plugin.destroy = (void(*)(plugin_t*))destroy;
-
-	charon->eap->add_method(charon->eap, EAP_MD5, 0, EAP_SERVER,
-							(eap_constructor_t)eap_md5_create_server);
-	charon->eap->add_method(charon->eap, EAP_MD5, 0, EAP_PEER,
-							(eap_constructor_t)eap_md5_create_peer);
-
-	return &this->plugin;
-}
-
diff --git a/src/charon/plugins/eap_md5/eap_md5_plugin.h b/src/charon/plugins/eap_md5/eap_md5_plugin.h
deleted file mode 100644
index eb5b38e94..000000000
--- a/src/charon/plugins/eap_md5/eap_md5_plugin.h
+++ /dev/null
@@ -1,47 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup eap_md5 eap_md5
- * @ingroup cplugins
- *
- * @defgroup eap_md5_plugin eap_md5_plugin
- * @{ @ingroup eap_md5
- */
-
-#ifndef EAP_MD5_PLUGIN_H_
-#define EAP_MD5_PLUGIN_H_
-
-#include <plugins/plugin.h>
-
-typedef struct eap_md5_plugin_t eap_md5_plugin_t;
-
-/**
- * EAP-MD5 plugin
- */
-struct eap_md5_plugin_t {
-
-	/**
-	 * implements plugin interface
-	 */
-	plugin_t plugin;
-};
-
-/**
- * Create a eap_md5_plugin instance.
- */
-plugin_t *plugin_create();
-
-#endif /** EAP_MD5_PLUGIN_H_ @}*/
diff --git a/src/charon/plugins/eap_mschapv2/Makefile.am b/src/charon/plugins/eap_mschapv2/Makefile.am
deleted file mode 100644
index 4758ad5f3..000000000
--- a/src/charon/plugins/eap_mschapv2/Makefile.am
+++ /dev/null
@@ -1,12 +0,0 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
-
-AM_CFLAGS = -rdynamic
-
-plugin_LTLIBRARIES = libstrongswan-eap-mschapv2.la
-
-libstrongswan_eap_mschapv2_la_SOURCES = \
-	eap_mschapv2_plugin.h eap_mschapv2_plugin.c \
-	eap_mschapv2.h eap_mschapv2.c
-libstrongswan_eap_mschapv2_la_LDFLAGS = -module -avoid-version
-
diff --git a/src/charon/plugins/eap_mschapv2/Makefile.in b/src/charon/plugins/eap_mschapv2/Makefile.in
deleted file mode 100644
index 001818481..000000000
--- a/src/charon/plugins/eap_mschapv2/Makefile.in
+++ /dev/null
@@ -1,573 +0,0 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
-# @configure_input@
-
-# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
-# This Makefile.in is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
-# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
-# PARTICULAR PURPOSE.
-
-@SET_MAKE@
-
-VPATH = @srcdir@
-pkgdatadir = $(datadir)/@PACKAGE@
-pkgincludedir = $(includedir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
-pkglibexecdir = $(libexecdir)/@PACKAGE@
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-install_sh_DATA = $(install_sh) -c -m 644
-install_sh_PROGRAM = $(install_sh) -c
-install_sh_SCRIPT = $(install_sh) -c
-INSTALL_HEADER = $(INSTALL_DATA)
-transform = $(program_transform_name)
-NORMAL_INSTALL = :
-PRE_INSTALL = :
-POST_INSTALL = :
-NORMAL_UNINSTALL = :
-PRE_UNINSTALL = :
-POST_UNINSTALL = :
-build_triplet = @build@
-host_triplet = @host@
-subdir = src/charon/plugins/eap_mschapv2
-DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
-ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
-	$(top_srcdir)/m4/config/ltoptions.m4 \
-	$(top_srcdir)/m4/config/ltsugar.m4 \
-	$(top_srcdir)/m4/config/ltversion.m4 \
-	$(top_srcdir)/m4/config/lt~obsolete.m4 \
-	$(top_srcdir)/m4/macros/with.m4 \
-	$(top_srcdir)/m4/macros/enable-disable.m4 \
-	$(top_srcdir)/configure.in
-am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
-	$(ACLOCAL_M4)
-mkinstalldirs = $(install_sh) -d
-CONFIG_CLEAN_FILES =
-CONFIG_CLEAN_VPATH_FILES =
-am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
-am__vpath_adj = case $$p in \
-    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
-    *) f=$$p;; \
-  esac;
-am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
-am__install_max = 40
-am__nobase_strip_setup = \
-  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
-am__nobase_strip = \
-  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
-am__nobase_list = $(am__nobase_strip_setup); \
-  for p in $$list; do echo "$$p $$p"; done | \
-  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
-  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
-    if (++n[$$2] == $(am__install_max)) \
-      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
-    END { for (dir in files) print dir, files[dir] }'
-am__base_list = \
-  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
-  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
-am__installdirs = "$(DESTDIR)$(plugindir)"
-LTLIBRARIES = $(plugin_LTLIBRARIES)
-libstrongswan_eap_mschapv2_la_LIBADD =
-am_libstrongswan_eap_mschapv2_la_OBJECTS = eap_mschapv2_plugin.lo \
-	eap_mschapv2.lo
-libstrongswan_eap_mschapv2_la_OBJECTS =  \
-	$(am_libstrongswan_eap_mschapv2_la_OBJECTS)
-libstrongswan_eap_mschapv2_la_LINK = $(LIBTOOL) --tag=CC \
-	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
-	$(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_eap_mschapv2_la_LDFLAGS) $(LDFLAGS) -o $@
-DEFAULT_INCLUDES = -I.@am__isrc@
-depcomp = $(SHELL) $(top_srcdir)/depcomp
-am__depfiles_maybe = depfiles
-am__mv = mv -f
-COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
-	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
-SOURCES = $(libstrongswan_eap_mschapv2_la_SOURCES)
-DIST_SOURCES = $(libstrongswan_eap_mschapv2_la_SOURCES)
-ETAGS = etags
-CTAGS = ctags
-DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
-ACLOCAL = @ACLOCAL@
-ALLOCA = @ALLOCA@
-AMTAR = @AMTAR@
-AR = @AR@
-AUTOCONF = @AUTOCONF@
-AUTOHEADER = @AUTOHEADER@
-AUTOMAKE = @AUTOMAKE@
-AWK = @AWK@
-BTLIB = @BTLIB@
-CC = @CC@
-CCDEPMODE = @CCDEPMODE@
-CFLAGS = @CFLAGS@
-CPP = @CPP@
-CPPFLAGS = @CPPFLAGS@
-CYGPATH_W = @CYGPATH_W@
-DEFS = @DEFS@
-DEPDIR = @DEPDIR@
-DLLIB = @DLLIB@
-DSYMUTIL = @DSYMUTIL@
-DUMPBIN = @DUMPBIN@
-ECHO_C = @ECHO_C@
-ECHO_N = @ECHO_N@
-ECHO_T = @ECHO_T@
-EGREP = @EGREP@
-EXEEXT = @EXEEXT@
-FGREP = @FGREP@
-GPERF = @GPERF@
-GREP = @GREP@
-INSTALL = @INSTALL@
-INSTALL_DATA = @INSTALL_DATA@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@
-INSTALL_SCRIPT = @INSTALL_SCRIPT@
-INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-LD = @LD@
-LDFLAGS = @LDFLAGS@
-LEX = @LEX@
-LEXLIB = @LEXLIB@
-LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBOBJS = @LIBOBJS@
-LIBS = @LIBS@
-LIBTOOL = @LIBTOOL@
-LIPO = @LIPO@
-LN_S = @LN_S@
-LTLIBOBJS = @LTLIBOBJS@
-MAKEINFO = @MAKEINFO@
-MKDIR_P = @MKDIR_P@
-MYSQLCFLAG = @MYSQLCFLAG@
-MYSQLCONFIG = @MYSQLCONFIG@
-MYSQLLIB = @MYSQLLIB@
-NM = @NM@
-NMEDIT = @NMEDIT@
-OBJDUMP = @OBJDUMP@
-OBJEXT = @OBJEXT@
-OTOOL = @OTOOL@
-OTOOL64 = @OTOOL64@
-PACKAGE = @PACKAGE@
-PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
-PACKAGE_NAME = @PACKAGE_NAME@
-PACKAGE_STRING = @PACKAGE_STRING@
-PACKAGE_TARNAME = @PACKAGE_TARNAME@
-PACKAGE_URL = @PACKAGE_URL@
-PACKAGE_VERSION = @PACKAGE_VERSION@
-PATH_SEPARATOR = @PATH_SEPARATOR@
-PERL = @PERL@
-PKG_CONFIG = @PKG_CONFIG@
-PTHREADLIB = @PTHREADLIB@
-RANLIB = @RANLIB@
-RTLIB = @RTLIB@
-RUBY = @RUBY@
-RUBYINCLUDE = @RUBYINCLUDE@
-SED = @SED@
-SET_MAKE = @SET_MAKE@
-SHELL = @SHELL@
-SOCKLIB = @SOCKLIB@
-STRIP = @STRIP@
-VERSION = @VERSION@
-YACC = @YACC@
-YFLAGS = @YFLAGS@
-abs_builddir = @abs_builddir@
-abs_srcdir = @abs_srcdir@
-abs_top_builddir = @abs_top_builddir@
-abs_top_srcdir = @abs_top_srcdir@
-ac_ct_CC = @ac_ct_CC@
-ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
-am__include = @am__include@
-am__leading_dot = @am__leading_dot@
-am__quote = @am__quote@
-am__tar = @am__tar@
-am__untar = @am__untar@
-bindir = @bindir@
-build = @build@
-build_alias = @build_alias@
-build_cpu = @build_cpu@
-build_os = @build_os@
-build_vendor = @build_vendor@
-builddir = @builddir@
-datadir = @datadir@
-datarootdir = @datarootdir@
-default_pkcs11 = @default_pkcs11@
-docdir = @docdir@
-dvidir = @dvidir@
-exec_prefix = @exec_prefix@
-gtk_CFLAGS = @gtk_CFLAGS@
-gtk_LIBS = @gtk_LIBS@
-host = @host@
-host_alias = @host_alias@
-host_cpu = @host_cpu@
-host_os = @host_os@
-host_vendor = @host_vendor@
-htmldir = @htmldir@
-includedir = @includedir@
-infodir = @infodir@
-install_sh = @install_sh@
-ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
-ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
-ipsecuser = @ipsecuser@
-libdir = @libdir@
-libexecdir = @libexecdir@
-libstrongswan_plugins = @libstrongswan_plugins@
-linux_headers = @linux_headers@
-localedir = @localedir@
-localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
-mandir = @mandir@
-mkdir_p = @mkdir_p@
-nm_CFLAGS = @nm_CFLAGS@
-nm_LIBS = @nm_LIBS@
-nm_ca_dir = @nm_ca_dir@
-oldincludedir = @oldincludedir@
-pdfdir = @pdfdir@
-piddir = @piddir@
-plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
-prefix = @prefix@
-program_transform_name = @program_transform_name@
-psdir = @psdir@
-random_device = @random_device@
-resolv_conf = @resolv_conf@
-routing_table = @routing_table@
-routing_table_prio = @routing_table_prio@
-sbindir = @sbindir@
-sharedstatedir = @sharedstatedir@
-srcdir = @srcdir@
-strongswan_conf = @strongswan_conf@
-sysconfdir = @sysconfdir@
-target_alias = @target_alias@
-top_build_prefix = @top_build_prefix@
-top_builddir = @top_builddir@
-top_srcdir = @top_srcdir@
-urandom_device = @urandom_device@
-xml_CFLAGS = @xml_CFLAGS@
-xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
-AM_CFLAGS = -rdynamic
-plugin_LTLIBRARIES = libstrongswan-eap-mschapv2.la
-libstrongswan_eap_mschapv2_la_SOURCES = \
-	eap_mschapv2_plugin.h eap_mschapv2_plugin.c \
-	eap_mschapv2.h eap_mschapv2.c
-
-libstrongswan_eap_mschapv2_la_LDFLAGS = -module -avoid-version
-all: all-am
-
-.SUFFIXES:
-.SUFFIXES: .c .lo .o .obj
-$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
-	@for dep in $?; do \
-	  case '$(am__configure_deps)' in \
-	    *$$dep*) \
-	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
-	        && { if test -f $@; then exit 0; else break; fi; }; \
-	      exit 1;; \
-	  esac; \
-	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/charon/plugins/eap_mschapv2/Makefile'; \
-	$(am__cd) $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu src/charon/plugins/eap_mschapv2/Makefile
-.PRECIOUS: Makefile
-Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
-	@case '$?' in \
-	  *config.status*) \
-	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
-	  *) \
-	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
-	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
-	esac;
-
-$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-
-$(top_srcdir)/configure:  $(am__configure_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(am__aclocal_m4_deps):
-install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
-	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
-	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
-	list2=; for p in $$list; do \
-	  if test -f $$p; then \
-	    list2="$$list2 $$p"; \
-	  else :; fi; \
-	done; \
-	test -z "$$list2" || { \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
-	}
-
-uninstall-pluginLTLIBRARIES:
-	@$(NORMAL_UNINSTALL)
-	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
-	for p in $$list; do \
-	  $(am__strip_dir) \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
-	done
-
-clean-pluginLTLIBRARIES:
-	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
-	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
-	  test "$$dir" != "$$p" || dir=.; \
-	  echo "rm -f \"$${dir}/so_locations\""; \
-	  rm -f "$${dir}/so_locations"; \
-	done
-libstrongswan-eap-mschapv2.la: $(libstrongswan_eap_mschapv2_la_OBJECTS) $(libstrongswan_eap_mschapv2_la_DEPENDENCIES) 
-	$(libstrongswan_eap_mschapv2_la_LINK) -rpath $(plugindir) $(libstrongswan_eap_mschapv2_la_OBJECTS) $(libstrongswan_eap_mschapv2_la_LIBADD) $(LIBS)
-
-mostlyclean-compile:
-	-rm -f *.$(OBJEXT)
-
-distclean-compile:
-	-rm -f *.tab.c
-
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_mschapv2.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_mschapv2_plugin.Plo@am__quote@
-
-.c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
-
-.c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
-
-.c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
-
-mostlyclean-libtool:
-	-rm -f *.lo
-
-clean-libtool:
-	-rm -rf .libs _libs
-
-ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
-	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	mkid -fID $$unique
-tags: TAGS
-
-TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	set x; \
-	here=`pwd`; \
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	shift; \
-	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
-	  test -n "$$unique" || unique=$$empty_fix; \
-	  if test $$# -gt 0; then \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      "$$@" $$unique; \
-	  else \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      $$unique; \
-	  fi; \
-	fi
-ctags: CTAGS
-CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$unique" \
-	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$unique
-
-GTAGS:
-	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && $(am__cd) $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) "$$here"
-
-distclean-tags:
-	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
-
-distdir: $(DISTFILES)
-	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	list='$(DISTFILES)'; \
-	  dist_files=`for file in $$list; do echo $$file; done | \
-	  sed -e "s|^$$srcdirstrip/||;t" \
-	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
-	case $$dist_files in \
-	  */*) $(MKDIR_P) `echo "$$dist_files" | \
-			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
-			   sort -u` ;; \
-	esac; \
-	for file in $$dist_files; do \
-	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  if test -d $$d/$$file; then \
-	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
-	    if test -d "$(distdir)/$$file"; then \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
-	  else \
-	    test -f "$(distdir)/$$file" \
-	    || cp -p $$d/$$file "$(distdir)/$$file" \
-	    || exit 1; \
-	  fi; \
-	done
-check-am: all-am
-check: check-am
-all-am: Makefile $(LTLIBRARIES)
-installdirs:
-	for dir in "$(DESTDIR)$(plugindir)"; do \
-	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
-	done
-install: install-am
-install-exec: install-exec-am
-install-data: install-data-am
-uninstall: uninstall-am
-
-install-am: all-am
-	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
-
-installcheck: installcheck-am
-install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
-mostlyclean-generic:
-
-clean-generic:
-
-distclean-generic:
-	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
-
-maintainer-clean-generic:
-	@echo "This command is intended for maintainers to use"
-	@echo "it deletes files that may require special tools to rebuild."
-clean: clean-am
-
-clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
-	mostlyclean-am
-
-distclean: distclean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-distclean-am: clean-am distclean-compile distclean-generic \
-	distclean-tags
-
-dvi: dvi-am
-
-dvi-am:
-
-html: html-am
-
-html-am:
-
-info: info-am
-
-info-am:
-
-install-data-am: install-pluginLTLIBRARIES
-
-install-dvi: install-dvi-am
-
-install-dvi-am:
-
-install-exec-am:
-
-install-html: install-html-am
-
-install-html-am:
-
-install-info: install-info-am
-
-install-info-am:
-
-install-man:
-
-install-pdf: install-pdf-am
-
-install-pdf-am:
-
-install-ps: install-ps-am
-
-install-ps-am:
-
-installcheck-am:
-
-maintainer-clean: maintainer-clean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-maintainer-clean-am: distclean-am maintainer-clean-generic
-
-mostlyclean: mostlyclean-am
-
-mostlyclean-am: mostlyclean-compile mostlyclean-generic \
-	mostlyclean-libtool
-
-pdf: pdf-am
-
-pdf-am:
-
-ps: ps-am
-
-ps-am:
-
-uninstall-am: uninstall-pluginLTLIBRARIES
-
-.MAKE: install-am install-strip
-
-.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
-	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
-	distclean-compile distclean-generic distclean-libtool \
-	distclean-tags distdir dvi dvi-am html html-am info info-am \
-	install install-am install-data install-data-am install-dvi \
-	install-dvi-am install-exec install-exec-am install-html \
-	install-html-am install-info install-info-am install-man \
-	install-pdf install-pdf-am install-pluginLTLIBRARIES \
-	install-ps install-ps-am install-strip installcheck \
-	installcheck-am installdirs maintainer-clean \
-	maintainer-clean-generic mostlyclean mostlyclean-compile \
-	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
-
-
-# Tell versions [3.59,3.63) of GNU make to not export all variables.
-# Otherwise a system limit (for SysV at least) may be exceeded.
-.NOEXPORT:
diff --git a/src/charon/plugins/eap_mschapv2/eap_mschapv2.c b/src/charon/plugins/eap_mschapv2/eap_mschapv2.c
deleted file mode 100644
index f0222840d..000000000
--- a/src/charon/plugins/eap_mschapv2/eap_mschapv2.c
+++ /dev/null
@@ -1,1233 +0,0 @@
-/*
- * Copyright (C) 2009 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "eap_mschapv2.h"
-
-#include <ctype.h>
-#include <unistd.h>
-
-#include <daemon.h>
-#include <library.h>
-#include <utils/enumerator.h>
-#include <crypto/crypters/crypter.h>
-#include <crypto/hashers/hasher.h>
-
-typedef struct private_eap_mschapv2_t private_eap_mschapv2_t;
-
-/**
- * Private data of an eap_mschapv2_t object.
- */
-struct private_eap_mschapv2_t
-{
-	/**
-	 * Public authenticator_t interface.
-	 */
-	eap_mschapv2_t public;
-
-	/**
-	 * ID of the server
-	 */
-	identification_t *server;
-
-	/**
-	 * ID of the peer
-	 */
-	identification_t *peer;
-
-	/**
-	 * challenge sent by the server
-	 */
-	chunk_t challenge;
-
-	/**
-	 * generated NT-Response
-	 */
-	chunk_t nt_response;
-
-	/**
-	 * generated Authenticator Response
-	 */
-	chunk_t auth_response;
-
-	/**
-	 * generated MSK
-	 */
-	chunk_t msk;
-
-	/**
-	 * EAP message identifier
-	 */
-	u_int8_t identifier;
-
-	/**
-	 * MS-CHAPv2-ID (session ID, increases with each retry)
-	 */
-	u_int8_t mschapv2id;
-
-	/**
-	 * Number of retries
-	 */
-	int retries;
-};
-
-/**
- * OpCodes
- */
-enum mschapv2_opcode_t
-{
-	MSCHAPV2_CHALLENGE = 1,
-	MSCHAPV2_RESPONSE = 2,
-	MSCHAPV2_SUCCESS = 3,
-	MSCHAPV2_FAILURE = 4,
-	MSCHAPV2_CHANGE_PASSWORD = 7,
-};
-
-/**
- * Names for OpCodes
- */
-ENUM_BEGIN(mschapv2_opcode_names, MSCHAPV2_CHALLENGE, MSCHAPV2_FAILURE,
-		"CHALLENGE",
-		"RESPONSE",
-		"SUCCESS",
-		"FAILURE");
-ENUM_NEXT(mschapv2_opcode_names, MSCHAPV2_CHANGE_PASSWORD, MSCHAPV2_CHANGE_PASSWORD, MSCHAPV2_FAILURE,
-		"CHANGE_PASSWORD");
-ENUM_END(mschapv2_opcode_names, MSCHAPV2_CHANGE_PASSWORD);
-
-/**
- * Error codes
- */
-enum mschapv2_error_t
-{
-	ERROR_RESTRICTED_LOGON_HOURS	= 646,
-	ERROR_ACCT_DISABLED				= 647,
-	ERROR_PASSWD_EXPIRED			= 648,
-	ERROR_NO_DIALIN_PERMISSION		= 649,
-	ERROR_AUTHENTICATION_FAILURE	= 691,
-	ERROR_CHANGING_PASSWORD			= 709,
-};
-
-/**
- * Names for error codes
- */
-ENUM_BEGIN(mschapv2_error_names, ERROR_RESTRICTED_LOGON_HOURS, ERROR_NO_DIALIN_PERMISSION,
-		"ERROR_RESTRICTED_LOGON_HOURS",
-		"ERROR_ACCT_DISABLED",
-		"ERROR_PASSWD_EXPIRED",
-		"ERROR_NO_DIALIN_PERMISSION");
-ENUM_NEXT(mschapv2_error_names, ERROR_AUTHENTICATION_FAILURE, ERROR_AUTHENTICATION_FAILURE, ERROR_NO_DIALIN_PERMISSION,
-		"ERROR_AUTHENTICATION_FAILURE");
-ENUM_NEXT(mschapv2_error_names, ERROR_CHANGING_PASSWORD, ERROR_CHANGING_PASSWORD, ERROR_AUTHENTICATION_FAILURE,
-		"ERROR_CHANGING_PASSWORD");
-ENUM_END(mschapv2_error_names, ERROR_CHANGING_PASSWORD);
-
-/* Length of the challenge */
-#define CHALLENGE_LEN 16
-/* Length of the response (see eap_mschapv2_response_t) */
-#define RESPONSE_LEN 49
-/* Length of the authenticator response string ("S=<...>") */
-#define AUTH_RESPONSE_LEN 42
-/* Name we send as authenticator */
-#define MSCHAPV2_HOST_NAME "strongSwan"
-/* Message sent on success */
-#define SUCCESS_MESSAGE " M=Welcome2strongSwan"
-/* Message sent on failure */
-#define FAILURE_MESSAGE "E=691 R=1 C="
-/* Length of the complete failure message */
-#define FAILURE_MESSAGE_LEN (sizeof(FAILURE_MESSAGE) + CHALLENGE_LEN * 2)
-
-/* Number of seconds to delay retries */
-#define RETRY_DELAY 2
-/* Maximum number of retries */
-#define MAX_RETRIES 2
-
-typedef struct eap_mschapv2_header_t eap_mschapv2_header_t;
-typedef struct eap_mschapv2_challenge_t eap_mschapv2_challenge_t;
-typedef struct eap_mschapv2_response_t eap_mschapv2_response_t;
-
-/**
- * packed EAP-MS-CHAPv2 header struct
- */
-struct eap_mschapv2_header_t
-{
-	/** EAP code (REQUEST/RESPONSE) */
-	u_int8_t code;
-	/** unique message identifier */
-	u_int8_t identifier;
-	/** length of whole message */
-	u_int16_t length;
-	/** EAP type */
-	u_int8_t type;
-	/** MS-CHAPv2 OpCode */
-	u_int8_t opcode;
-	/** MS-CHAPv2-ID (equals identifier) */
-	u_int8_t ms_chapv2_id;
-	/** MS-Length (defined as length - 5) */
-	u_int16_t ms_length;
-	/** packet data (determined by OpCode) */
-	u_int8_t data[];
-}__attribute__((__packed__));
-
-/**
- * packed data for a MS-CHAPv2 Challenge packet
- */
-struct eap_mschapv2_challenge_t
-{
-	/** Value-Size */
-	u_int8_t value_size;
-	/** Challenge */
-	u_int8_t challenge[CHALLENGE_LEN];
-	/** Name */
-	u_int8_t name[];
-}__attribute__((__packed__));
-
-/**
- * packed data for a MS-CHAPv2 Response packet
- */
-struct eap_mschapv2_response_t
-{
-	/** Value-Size */
-	u_int8_t value_size;
-	/** Response */
-	struct
-	{
-		/* Peer-Challenge*/
-		u_int8_t peer_challenge[CHALLENGE_LEN];
-		/* Reserved (=zero) */
-		u_int8_t peer_reserved[8];
-		/* NT-Response */
-		u_int8_t nt_response[24];
-		/* Flags (=zero) */
-		u_int8_t flags;
-	} response;
-	/** Name */
-	u_int8_t name[];
-}__attribute__((__packed__));
-
-/**
- * Length of the MS-CHAPv2 header
- */
-#define HEADER_LEN (sizeof(eap_mschapv2_header_t))
-
-/**
- * Length of the header for MS-CHAPv2 success/failure packets (does not include
- * MS-CHAPv2-ID and MS-Length, i.e. 3 octets)
- */
-#define SHORT_HEADER_LEN (HEADER_LEN - 3)
-
-/**
- * The minimum length of an MS-CHAPv2 Challenge packet (the name MUST be
- * at least one octet)
- */
-#define CHALLENGE_PAYLOAD_LEN (HEADER_LEN + sizeof(eap_mschapv2_challenge_t))
-
-/**
- * The minimum length of an MS-CHAPv2 Response packet
- */
-#define RESPONSE_PAYLOAD_LEN (HEADER_LEN + sizeof(eap_mschapv2_response_t))
-
-
-/**
- * Expand a 56-bit key to a 64-bit DES key by adding parity bits (odd parity)
- */
-static chunk_t ExpandDESKey(chunk_t key)
-{
-	static const u_char bitmask[] =	{ 0xfe, 0xfc, 0xf8, 0xf0, 0xe0, 0xc0, 0x80 };
-	int i;
-	u_char carry = 0;
-	chunk_t expanded;
-
-	/* expand the 7 octets to 8 octets */
-	expanded = chunk_alloc(8);
-	for (i = 0; i < 7; i++)
-	{
-		expanded.ptr[i] = ((key.ptr[i] & bitmask[i]) >> i) | (carry << (8 - i));
-		carry = key.ptr[i] & ~bitmask[i];
-	}
-	expanded.ptr[7] = carry << 1;
-
-	/* add parity bits to each octet */
-	for (i = 0; i < 8; i++)
-	{
-		u_char val = expanded.ptr[i];
-		val = (val ^ (val >> 4)) & 0x0f;
-		expanded.ptr[i] |= (0x9669 >> val) & 1;
-	}
-	return expanded;
-}
-
-/**
- * Calculate the NT password hash (i.e. hash the (unicode) password with MD4)
- */
-static status_t NtPasswordHash(chunk_t password, chunk_t *password_hash)
-{
-	hasher_t *hasher;
-	hasher = lib->crypto->create_hasher(lib->crypto, HASH_MD4);
-	if (hasher == NULL)
-	{
-		DBG1(DBG_IKE, "EAP-MS-CHAPv2 failed, no MD4 hasher available");
-		return FAILED;
-	}
-	hasher->allocate_hash(hasher, password, password_hash);
-	hasher->destroy(hasher);
-	return SUCCESS;
-}
-
-/**
- * Calculate the challenge hash (i.e. hash [peer_challenge | server_challenge |
- * username (without domain part)] with SHA1)
- */
-static status_t ChallengeHash(chunk_t peer_challenge, chunk_t server_challenge,
-							  chunk_t username, chunk_t *challenge_hash)
-{
-	chunk_t concat;
-	hasher_t *hasher;
-	hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
-	if (hasher == NULL)
-	{
-		DBG1(DBG_IKE, "EAP-MS-CHAPv2 failed, SHA1 not supported");
-		return FAILED;
-	}
-	concat = chunk_cata("ccc", peer_challenge, server_challenge, username);
-	hasher->allocate_hash(hasher, concat, challenge_hash);
-	hasher->destroy(hasher);
-	/* we need only the first 8 octets */
-	challenge_hash->len = 8;
-	return SUCCESS;
-}
-
-/**
- * Calculate the challenge response (i.e. expand password_hash to three DES keys
- * and then encrypt the 8-octet challenge_hash with these keys and concatenate
- * the results).
- */
-static status_t ChallengeResponse(chunk_t challenge_hash, chunk_t password_hash,
-								  chunk_t *response)
-{
-	int i;
-	crypter_t *crypter;
-	chunk_t keys[3], z_password_hash;
-	crypter = lib->crypto->create_crypter(lib->crypto, ENCR_DES_ECB, 8);
-	if (crypter == NULL)
-	{
-		DBG1(DBG_IKE, "EAP-MS-CHAPv2 failed, DES-ECB not supported");
-		return FAILED;
-	}
-	/* prepare keys: first pad password_hash to 21 octets, these get then split
-	 * into 7-octet chunks, which then get expanded into 8-octet DES keys */
-	z_password_hash = chunk_alloca(21);
-	memset(z_password_hash.ptr, 0, z_password_hash.len);
-	memcpy(z_password_hash.ptr, password_hash.ptr, password_hash.len);
-	chunk_split(z_password_hash, "mmm", 7, &keys[0], 7, &keys[1], 7, &keys[2]);
-
-	*response = chunk_alloc(24);
-	for (i = 0; i < 3; i++)
-	{
-		chunk_t expanded, encrypted;
-		expanded = ExpandDESKey(keys[i]);
-		crypter->set_key(crypter, expanded);
-		crypter->encrypt(crypter, challenge_hash, chunk_empty, &encrypted);
-		memcpy(&response->ptr[i * 8], encrypted.ptr, encrypted.len);
-		chunk_clear(&encrypted);
-		chunk_clear(&expanded);
-	}
-	crypter->destroy(crypter);
-	return SUCCESS;
-}
-
-/**
- * Computes the authenticator response
- */
-static status_t AuthenticatorResponse(chunk_t password_hash_hash,
-		chunk_t challenge_hash, chunk_t nt_response, chunk_t *response)
-{
-	chunk_t magic1 = chunk_from_chars(
-		0x4D, 0x61, 0x67, 0x69, 0x63, 0x20, 0x73, 0x65, 0x72, 0x76,
-		0x65, 0x72, 0x20, 0x74, 0x6F, 0x20, 0x63, 0x6C, 0x69, 0x65,
-		0x6E, 0x74, 0x20, 0x73, 0x69, 0x67, 0x6E, 0x69, 0x6E, 0x67,
-		0x20, 0x63, 0x6F, 0x6E, 0x73, 0x74, 0x61, 0x6E, 0x74);
-	chunk_t magic2 = chunk_from_chars(
-		0x50, 0x61, 0x64, 0x20, 0x74, 0x6F, 0x20, 0x6D, 0x61, 0x6B,
-		0x65, 0x20, 0x69, 0x74, 0x20, 0x64, 0x6F, 0x20, 0x6D, 0x6F,
-		0x72, 0x65, 0x20, 0x74, 0x68, 0x61, 0x6E, 0x20, 0x6F, 0x6E,
-		0x65, 0x20, 0x69, 0x74, 0x65, 0x72, 0x61, 0x74, 0x69, 0x6F,
-		0x6E);
-	chunk_t digest = chunk_empty, concat;
-	hasher_t *hasher;
-
-	hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
-	if (hasher == NULL)
-	{
-		DBG1(DBG_IKE, "EAP-MS-CHAPv2 failed, SHA1 not supported");
-		return FAILED;
-	}
-
-	concat = chunk_cata("ccc", password_hash_hash, nt_response, magic1);
-	hasher->allocate_hash(hasher, concat, &digest);
-	concat = chunk_cata("ccc", digest, challenge_hash, magic2);
-	hasher->allocate_hash(hasher, concat, response);
-
-	hasher->destroy(hasher);
-	chunk_free(&digest);
-	return SUCCESS;
-}
-
-/**
- * Generate the master session key according to RFC3079
- */
-static status_t GenerateMSK(chunk_t password_hash_hash,
-							chunk_t nt_response, chunk_t *msk)
-{
-	chunk_t magic1 = chunk_from_chars(
-		0x54, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20, 0x74,
-		0x68, 0x65, 0x20, 0x4d, 0x50, 0x50, 0x45, 0x20, 0x4d,
-		0x61, 0x73, 0x74, 0x65, 0x72, 0x20, 0x4b, 0x65, 0x79);
-	chunk_t magic2 = chunk_from_chars(
-		0x4f, 0x6e, 0x20, 0x74, 0x68, 0x65, 0x20, 0x63, 0x6c, 0x69,
-		0x65, 0x6e, 0x74, 0x20, 0x73, 0x69, 0x64, 0x65, 0x2c, 0x20,
-		0x74, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20, 0x74, 0x68,
-		0x65, 0x20, 0x73, 0x65, 0x6e, 0x64, 0x20, 0x6b, 0x65, 0x79,
-		0x3b, 0x20, 0x6f, 0x6e, 0x20, 0x74, 0x68, 0x65, 0x20, 0x73,
-		0x65, 0x72, 0x76, 0x65, 0x72, 0x20, 0x73, 0x69, 0x64, 0x65,
-		0x2c, 0x20, 0x69, 0x74, 0x20, 0x69, 0x73, 0x20, 0x74, 0x68,
-		0x65, 0x20, 0x72, 0x65, 0x63, 0x65, 0x69, 0x76, 0x65, 0x20,
-		0x6b, 0x65, 0x79, 0x2e);
-	chunk_t magic3 = chunk_from_chars(
-		0x4f, 0x6e, 0x20, 0x74, 0x68, 0x65, 0x20, 0x63, 0x6c, 0x69,
-		0x65, 0x6e, 0x74, 0x20, 0x73, 0x69, 0x64, 0x65, 0x2c, 0x20,
-		0x74, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20, 0x74, 0x68,
-		0x65, 0x20, 0x72, 0x65, 0x63, 0x65, 0x69, 0x76, 0x65, 0x20,
-		0x6b, 0x65, 0x79, 0x3b, 0x20, 0x6f, 0x6e, 0x20, 0x74, 0x68,
-		0x65, 0x20, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x20, 0x73,
-		0x69, 0x64, 0x65, 0x2c, 0x20, 0x69, 0x74, 0x20, 0x69, 0x73,
-		0x20, 0x74, 0x68, 0x65, 0x20, 0x73, 0x65, 0x6e, 0x64, 0x20,
-		0x6b, 0x65, 0x79, 0x2e);
-	chunk_t shapad1 = chunk_from_chars(
-		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00);
-	chunk_t shapad2 = chunk_from_chars(
-		0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2,
-		0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2,
-		0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2,
-		0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2);
-	chunk_t keypad = chunk_from_chars(
-		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-		0x00, 0x00, 0x00, 0x00, 0x00, 0x00);
-	chunk_t concat, master_key, master_receive_key, master_send_key;
-	hasher_t *hasher;
-
-	hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
-	if (hasher == NULL)
-	{
-		DBG1(DBG_IKE, "EAP-MS-CHAPv2 failed, SHA1 not supported");
-		return FAILED;
-	}
-
-	concat = chunk_cata("ccc", password_hash_hash, nt_response, magic1);
-	hasher->allocate_hash(hasher, concat, &master_key);
-	master_key.len = 16;
-
-	concat = chunk_cata("cccc", master_key, shapad1, magic2, shapad2);
-	hasher->allocate_hash(hasher, concat, &master_receive_key);
-	master_receive_key.len = 16;
-
-	concat = chunk_cata("cccc", master_key, shapad1, magic3, shapad2);
-	hasher->allocate_hash(hasher, concat, &master_send_key);
-	master_send_key.len = 16;
-
-	*msk = chunk_cat("cccc", master_receive_key, master_send_key, keypad, keypad);
-
-	hasher->destroy(hasher);
-	chunk_free(&master_key);
-	chunk_free(&master_receive_key);
-	chunk_free(&master_send_key);
-	return SUCCESS;
-}
-
-static status_t GenerateStuff(private_eap_mschapv2_t *this,
-							  chunk_t server_challenge, chunk_t peer_challenge,
-							  chunk_t username, chunk_t password)
-{
-	status_t status = FAILED;
-	chunk_t password_hash = chunk_empty, password_hash_hash = chunk_empty,
-			challenge_hash = chunk_empty;
-
-	if (NtPasswordHash(password, &password_hash) != SUCCESS)
-	{
-		goto error;
-	}
-	if (NtPasswordHash(password_hash, &password_hash_hash) != SUCCESS)
-	{
-		goto error;
-	}
-	if (ChallengeHash(peer_challenge, server_challenge, username,
-					  &challenge_hash) != SUCCESS)
-	{
-		goto error;
-	}
-
-	if (ChallengeResponse(challenge_hash, password_hash,
-						  &this->nt_response) != SUCCESS)
-	{
-		goto error;
-	}
-	if (AuthenticatorResponse(password_hash_hash, challenge_hash,
-							  this->nt_response, &this->auth_response) != SUCCESS)
-	{
-		goto error;
-	}
-	if (GenerateMSK(password_hash_hash, this->nt_response, &this->msk) != SUCCESS)
-	{
-		goto error;
-	}
-
-	status = SUCCESS;
-
-error:
-	chunk_free(&password_hash);
-	chunk_free(&password_hash_hash);
-	chunk_free(&challenge_hash);
-	return status;
-}
-
-/**
- * Converts an ASCII string into a UTF-16 (little-endian) string
- */
-static chunk_t ascii_to_unicode(chunk_t ascii)
-{
-	int i;
-	chunk_t unicode = chunk_alloc(ascii.len * 2);
-	for (i = 0; i < ascii.len; i++)
-	{
-		unicode.ptr[i * 2] = ascii.ptr[i];
-		unicode.ptr[i * 2 + 1] = 0;
-	}
-	return unicode;
-}
-
-/**
- * sanitize a string for printing
- */
-static char* sanitize(char *str)
-{
-	char *pos = str;
-
-	while (pos && *pos)
-	{
-		if (!isprint(*pos))
-		{
-			*pos = '?';
-		}
-		pos++;
-	}
-	return str;
-}
-
-/**
- * Returns a chunk of just the username part of the given user identity.
- * Note: the chunk points to internal data of the identification.
- */
-static chunk_t extract_username(identification_t* identification)
-{
-	char *has_domain;
-	chunk_t id;
-	id = identification->get_encoding(identification);
-	has_domain = (char*)memchr(id.ptr, '\\', id.len);
-	if (has_domain)
-	{
-		int len;
-		has_domain++; /* skip the backslash */
-		len = id.len - ((u_char*)has_domain - id.ptr);
-		return len > 0 ? chunk_create(has_domain, len) : chunk_empty;
-	}
-	return id;
-}
-
-/**
- * Set the ms_length field using aligned write
- */
-static void set_ms_length(eap_mschapv2_header_t *eap, u_int16_t len)
-{
-	len = htons(len - 5);
-	memcpy(&eap->ms_length, &len, sizeof(u_int16_t));
-}
-
-/**
- * Implementation of eap_method_t.initiate for the peer
- */
-static status_t initiate_peer(private_eap_mschapv2_t *this, eap_payload_t **out)
-{
-	/* peer never initiates */
-	return FAILED;
-}
-
-/**
- * Implementation of eap_method_t.initiate for the server
- */
-static status_t initiate_server(private_eap_mschapv2_t *this, eap_payload_t **out)
-{
-	rng_t *rng;
-	eap_mschapv2_header_t *eap;
-	eap_mschapv2_challenge_t *cha;
-	const char *name = MSCHAPV2_HOST_NAME;
-	u_int16_t len = CHALLENGE_PAYLOAD_LEN + sizeof(MSCHAPV2_HOST_NAME) - 1;
-
-	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
-	if (!rng)
-	{
-		DBG1(DBG_IKE, "EAP-MS-CHAPv2 failed, no RNG");
-		return FAILED;
-	}
-	rng->allocate_bytes(rng, CHALLENGE_LEN, &this->challenge);
-	rng->destroy(rng);
-
-	eap = alloca(len);
-	eap->code = EAP_REQUEST;
-	eap->identifier = this->identifier;
-	eap->length = htons(len);
-	eap->type = EAP_MSCHAPV2;
-	eap->opcode = MSCHAPV2_CHALLENGE;
-	eap->ms_chapv2_id = this->mschapv2id;
-	set_ms_length(eap, len);
-
-	cha = (eap_mschapv2_challenge_t*)eap->data;
-	cha->value_size = CHALLENGE_LEN;
-	memcpy(cha->challenge, this->challenge.ptr, this->challenge.len);
-	memcpy(cha->name, name, sizeof(MSCHAPV2_HOST_NAME) - 1);
-
-	*out = eap_payload_create_data(chunk_create((void*) eap, len));
-	return NEED_MORE;
-}
-
-
-/**
- * Process MS-CHAPv2 Challenge Requests
- */
-static status_t process_peer_challenge(private_eap_mschapv2_t *this,
-									   eap_payload_t *in, eap_payload_t **out)
-{
-	rng_t *rng;
-	eap_mschapv2_header_t *eap;
-	eap_mschapv2_challenge_t *cha;
-	eap_mschapv2_response_t *res;
-	shared_key_t *shared;
-	chunk_t data, peer_challenge, username, password;
-	u_int16_t len = RESPONSE_PAYLOAD_LEN;
-
-	data = in->get_data(in);
-	eap = (eap_mschapv2_header_t*)data.ptr;
-
-	/* the name MUST be at least one octet long */
-	if (data.len < CHALLENGE_PAYLOAD_LEN + 1)
-	{
-		DBG1(DBG_IKE, "received invalid EAP-MS-CHAPv2 message: too short");
-		return FAILED;
-	}
-
-	cha = (eap_mschapv2_challenge_t*)eap->data;
-
-	if (cha->value_size != CHALLENGE_LEN)
-	{
-		DBG1(DBG_IKE, "received invalid EAP-MS-CHAPv2 message: "
-			 "invalid challenge size");
-		return FAILED;
-	}
-
-	this->mschapv2id = eap->ms_chapv2_id;
-	this->challenge = chunk_clone(chunk_create(cha->challenge, CHALLENGE_LEN));
-
-	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
-	if (!rng)
-	{
-		DBG1(DBG_IKE, "EAP-MS-CHAPv2 failed, no RNG");
-		return FAILED;
-	}
-	peer_challenge = chunk_alloca(CHALLENGE_LEN);
-	rng->get_bytes(rng, CHALLENGE_LEN, peer_challenge.ptr);
-	rng->destroy(rng);
-
-	shared = charon->credentials->get_shared(charon->credentials,
-										SHARED_EAP, this->peer, this->server);
-	if (shared == NULL)
-	{
-		DBG1(DBG_IKE, "no EAP key found for hosts '%Y' - '%Y'",
-			 this->server, this->peer);
-		return NOT_FOUND;
-	}
-
-	password = ascii_to_unicode(shared->get_key(shared));
-	shared->destroy(shared);
-
-	username = extract_username(this->peer);
-	len += username.len;
-
-	if (GenerateStuff(this, this->challenge, peer_challenge, username, password) != SUCCESS)
-	{
-		DBG1(DBG_IKE, "EAP-MS-CHAPv2 generating NT-Response failed");
-		chunk_clear(&password);
-		return FAILED;
-	}
-	chunk_clear(&password);
-
-	eap = alloca(len);
-	eap->code = EAP_RESPONSE;
-	eap->identifier = this->identifier;
-	eap->length = htons(len);
-	eap->type = EAP_MSCHAPV2;
-	eap->opcode = MSCHAPV2_RESPONSE;
-	eap->ms_chapv2_id = this->mschapv2id;
-	set_ms_length(eap, len);
-
-	res = (eap_mschapv2_response_t*)eap->data;
-	res->value_size = RESPONSE_LEN;
-	memset(&res->response, 0, RESPONSE_LEN);
-	memcpy(res->response.peer_challenge, peer_challenge.ptr, peer_challenge.len);
-	memcpy(res->response.nt_response, this->nt_response.ptr, this->nt_response.len);
-
-	username = this->peer->get_encoding(this->peer);
-	memcpy(res->name, username.ptr, username.len);
-
-	*out = eap_payload_create_data(chunk_create((void*) eap, len));
-	return NEED_MORE;
-}
-
-/**
- * Process MS-CHAPv2 Success Requests
- */
-static status_t process_peer_success(private_eap_mschapv2_t *this,
-									  eap_payload_t *in, eap_payload_t **out)
-{
-	status_t status = FAILED;
-	enumerator_t *enumerator;
-	eap_mschapv2_header_t *eap;
-	chunk_t data, auth_string = chunk_empty;
-	char *message, *token, *msg = NULL;
-	int message_len;
-	u_int16_t len = SHORT_HEADER_LEN;
-
-	data = in->get_data(in);
-	eap = (eap_mschapv2_header_t*)data.ptr;
-
-	if (data.len < AUTH_RESPONSE_LEN)
-	{
-		DBG1(DBG_IKE, "received invalid EAP-MS-CHAPv2 message: too short");
-		return FAILED;
-	}
-
-	message_len = data.len - HEADER_LEN;
-	message = malloc(message_len + 1);
-	memcpy(message, eap->data, message_len);
-	message[message_len] = '\0';
-
-	/* S=<auth_string> M=<msg> */
-	enumerator = enumerator_create_token(message, " ", " ");
-	while (enumerator->enumerate(enumerator, &token))
-	{
-		if (strneq(token, "S=", 2))
-		{
-			chunk_t hex;
-			token += 2;
-			if (strlen(token) != AUTH_RESPONSE_LEN - 2)
-			{
-				DBG1(DBG_IKE, "received invalid EAP-MS-CHAPv2 message: "
-					 "invalid auth string");
-				goto error;
-			}
-			hex = chunk_create(token, AUTH_RESPONSE_LEN - 2);
-			auth_string = chunk_from_hex(hex, NULL);
-		}
-		else if (strneq(token, "M=", 2))
-		{
-			token += 2;
-			msg = strdup(token);
-		}
-	}
-	enumerator->destroy(enumerator);
-
-	if (auth_string.ptr == NULL)
-	{
-		DBG1(DBG_IKE, "received invalid EAP-MS-CHAPv2 message: "
-			 "auth string missing");
-		goto error;
-	}
-
-	if (!chunk_equals(this->auth_response, auth_string))
-	{
-		DBG1(DBG_IKE, "EAP-MS-CHAPv2 verification failed");
-		goto error;
-	}
-
-	DBG1(DBG_IKE, "EAP-MS-CHAPv2 succeeded: '%s'", sanitize(msg));
-
-	eap = alloca(len);
-	eap->code = EAP_RESPONSE;
-	eap->identifier = this->identifier;
-	eap->length = htons(len);
-	eap->type = EAP_MSCHAPV2;
-	eap->opcode = MSCHAPV2_SUCCESS;
-
-	*out = eap_payload_create_data(chunk_create((void*) eap, len));
-	status = NEED_MORE;
-
-error:
-	chunk_free(&auth_string);
-	free(message);
-	free(msg);
-	return status;
-}
-
-static status_t process_peer_failure(private_eap_mschapv2_t *this,
-									 eap_payload_t *in, eap_payload_t **out)
-{
-	status_t status = FAILED;
-	enumerator_t *enumerator;
-	eap_mschapv2_header_t *eap;
-	chunk_t data;
-	char *message, *token, *msg = NULL;
-	int message_len, error, retryable;
-	chunk_t challenge = chunk_empty;
-
-	data = in->get_data(in);
-	eap = (eap_mschapv2_header_t*)data.ptr;
-
-	if (data.len < 3) /* we want at least an error code: E=e */
-	{
-		DBG1(DBG_IKE, "received invalid EAP-MS-CHAPv2 message: too short");
-		return FAILED;
-	}
-
-	message_len = data.len - HEADER_LEN;
-	message = malloc(message_len + 1);
-	memcpy(message, eap->data, message_len);
-	message[message_len] = '\0';
-
-	/* E=eeeeeeeeee R=r C=cccccccccccccccccccccccccccccccc V=vvvvvvvvvv M=<msg> */
-	enumerator = enumerator_create_token(message, " ", " ");
-	while (enumerator->enumerate(enumerator, &token))
-	{
-		if (strneq(token, "E=", 2))
-		{
-			token += 2;
-			error = atoi(token);
-		}
-		else if (strneq(token, "R=", 2))
-		{
-			token += 2;
-			retryable = atoi(token);
-		}
-		else if (strneq(token, "C=", 2))
-		{
-			chunk_t hex;
-			token += 2;
-			if (strlen(token) != 2 * CHALLENGE_LEN)
-			{
-				DBG1(DBG_IKE, "received invalid EAP-MS-CHAPv2 message:"
-					 "invalid challenge");
-				goto error;
-			}
-			hex = chunk_create(token, 2 * CHALLENGE_LEN);
-			challenge = chunk_from_hex(hex, NULL);
-		}
-		else if (strneq(token, "V=", 2))
-		{
-			int version;
-			token += 2;
-			version = atoi(token);
-		}
-		else if (strneq(token, "M=", 2))
-		{
-			token += 2;
-			msg = strdup(token);
-		}
-	}
-	enumerator->destroy(enumerator);
-
-	DBG1(DBG_IKE, "EAP-MS-CHAPv2 failed with error %N: '%s'",
-		 mschapv2_error_names, error, sanitize(msg));
-
-	/**
-	 * at this point, if the error is retryable, we MAY retry the authentication
-	 * or MAY send a Change Password packet.
-	 *
-	 * if the error is not retryable (or if we do neither of the above), we
-	 * SHOULD send a Failure Response packet.
-	 * windows clients don't do that, and since windows server 2008 r2 behaves
-	 * pretty odd if we do send a Failure Response, we just don't send one
-	 * either. windows 7 actually sends a delete notify (which, according to the
-	 * logs, results in an error on windows server 2008 r2).
-	 *
-	 * btw, windows server 2008 r2 does not send non-retryable errors for e.g.
-	 * a disabled account but returns the windows error code in a notify payload
-	 * of type 12345.
-	 */
-
-	status = FAILED;
-
-error:
-	chunk_free(&challenge);
-	free(message);
-	free(msg);
-	return status;
-}
-
-/**
- * Implementation of eap_method_t.process for the peer
- */
-static status_t process_peer(private_eap_mschapv2_t *this, eap_payload_t *in,
-		eap_payload_t **out)
-{
-	chunk_t data;
-	eap_mschapv2_header_t *eap;
-
-	this->identifier = in->get_identifier(in);
-	data = in->get_data(in);
-	if (data.len < SHORT_HEADER_LEN)
-	{
-		DBG1(DBG_IKE, "received invalid EAP-MS-CHAPv2 message");
-		return FAILED;
-	}
-
-	eap = (eap_mschapv2_header_t*)data.ptr;
-
-	switch (eap->opcode)
-	{
-		case MSCHAPV2_CHALLENGE:
-		{
-			return process_peer_challenge(this, in, out);
-		}
-		case MSCHAPV2_SUCCESS:
-		{
-			return process_peer_success(this, in, out);
-		}
-		case MSCHAPV2_FAILURE:
-		{
-			return process_peer_failure(this, in, out);
-		}
-		default:
-		{
-			DBG1(DBG_IKE, "EAP-MS-CHAPv2 received packet with unsupported "
-				 "OpCode (%N)!", mschapv2_opcode_names, eap->opcode);
-			break;
-		}
-	}
-	return FAILED;
-}
-
-/**
- * Handles retries on the server
- */
-static status_t process_server_retry(private_eap_mschapv2_t *this,
-									 eap_payload_t **out)
-{
-	eap_mschapv2_header_t *eap;
-	rng_t *rng;
-	chunk_t hex;
-	char msg[FAILURE_MESSAGE_LEN];
-	u_int16_t len = HEADER_LEN + FAILURE_MESSAGE_LEN - 1; /* no null byte */
-
-	if (++this->retries > MAX_RETRIES)
-	{
-		/* we MAY send a Failure Request with R=0, but windows 7 does not
-		 * really like that and does not respond with a Failure Response.
-		 * so, to clean up our state we just fail with an EAP-Failure.
-		 * this gives an unknown error on the windows side, but is also fine
-		 * with the standard. */
-		DBG1(DBG_IKE, "EAP-MS-CHAPv2 verification failed: "
-			 "maximum number of retries reached");
-		return FAILED;
-	}
-
-	DBG1(DBG_IKE, "EAP-MS-CHAPv2 verification failed, retry (%d)", this->retries);
-
-	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
-	if (!rng)
-	{
-		DBG1(DBG_IKE, "EAP-MS-CHAPv2 failed, no RNG");
-		return FAILED;
-	}
-	rng->get_bytes(rng, CHALLENGE_LEN, this->challenge.ptr);
-	rng->destroy(rng);
-
-	chunk_free(&this->nt_response);
-	chunk_free(&this->auth_response);
-	chunk_free(&this->msk);
-
-	eap = alloca(len);
-	eap->code = EAP_REQUEST;
-	eap->identifier = ++this->identifier;
-	eap->length = htons(len);
-	eap->type = EAP_MSCHAPV2;
-	eap->opcode = MSCHAPV2_FAILURE;
-	eap->ms_chapv2_id = this->mschapv2id++; /* increase for each retry */
-	set_ms_length(eap, len);
-
-	hex = chunk_to_hex(this->challenge, NULL, TRUE);
-	snprintf(msg, FAILURE_MESSAGE_LEN, "%s%s", FAILURE_MESSAGE, hex.ptr);
-	chunk_free(&hex);
-	memcpy(eap->data, msg, FAILURE_MESSAGE_LEN - 1); /* no null byte */
-	*out = eap_payload_create_data(chunk_create((void*) eap, len));
-
-	/* delay the response for some time to make brute-force attacks harder */
-	sleep(RETRY_DELAY);
-
-	return NEED_MORE;
-}
-
-/**
- * Process MS-CHAPv2 Response response packets
- */
-static status_t process_server_response(private_eap_mschapv2_t *this,
-										eap_payload_t *in, eap_payload_t **out)
-{
-	eap_mschapv2_header_t *eap;
-	eap_mschapv2_response_t *res;
-	chunk_t data, peer_challenge, username, password;
-	identification_t *userid;
-	shared_key_t *shared;
-	int name_len;
-	char buf[256];
-
-	data = in->get_data(in);
-	eap = (eap_mschapv2_header_t*)data.ptr;
-
-	if (data.len < RESPONSE_PAYLOAD_LEN)
-	{
-		DBG1(DBG_IKE, "received invalid EAP-MS-CHAPv2 message: too short");
-		return FAILED;
-	}
-
-	res = (eap_mschapv2_response_t*)eap->data;
-	peer_challenge = chunk_create(res->response.peer_challenge, CHALLENGE_LEN);
-
-	name_len = min(data.len - RESPONSE_PAYLOAD_LEN, 255);
-	snprintf(buf, sizeof(buf), "%.*s", name_len, res->name);
-	userid = identification_create_from_string(buf);
-	DBG2(DBG_IKE, "EAP-MS-CHAPv2 username: '%Y'", userid);
-	username = extract_username(userid);
-
-	shared = charon->credentials->get_shared(charon->credentials,
-											 SHARED_EAP, this->server, userid);
-	if (shared == NULL)
-	{
-		DBG1(DBG_IKE, "no EAP key found for hosts '%Y' - '%Y'",
-					  this->server, userid);
-		/* FIXME: windows 7 always sends the username that is first entered in
-		 * the username box, even, if the user changes it during retries (probably
-		 * to keep consistent with the EAP-Identity).
-		 * thus, we could actually fail here, because retries do not make much
-		 * sense. on the other hand, an attacker could guess usernames, if the
-		 * error messages were different. */
-		userid->destroy(userid);
-		return process_server_retry(this, out);
-	}
-
-	password = ascii_to_unicode(shared->get_key(shared));
-	shared->destroy(shared);
-
-	if (GenerateStuff(this, this->challenge, peer_challenge,
-					  username, password) != SUCCESS)
-	{
-		DBG1(DBG_IKE, "EAP-MS-CHAPv2 verification failed");
-		userid->destroy(userid);
-		chunk_clear(&password);
-		return FAILED;
-	}
-	userid->destroy(userid);
-	chunk_clear(&password);
-
-	if (memeq(res->response.nt_response, this->nt_response.ptr, this->nt_response.len))
-	{
-		chunk_t hex;
-		char msg[AUTH_RESPONSE_LEN + sizeof(SUCCESS_MESSAGE)];
-		u_int16_t len = HEADER_LEN + AUTH_RESPONSE_LEN + sizeof(SUCCESS_MESSAGE);
-
-		eap = alloca(len);
-		eap->code = EAP_REQUEST;
-		eap->identifier = ++this->identifier;
-		eap->length = htons(len);
-		eap->type = EAP_MSCHAPV2;
-		eap->opcode = MSCHAPV2_SUCCESS;
-		eap->ms_chapv2_id = this->mschapv2id;
-		set_ms_length(eap, len);
-
-		hex = chunk_to_hex(this->auth_response, NULL, TRUE);
-		snprintf(msg, AUTH_RESPONSE_LEN + sizeof(SUCCESS_MESSAGE),
-					  "S=%s%s", hex.ptr, SUCCESS_MESSAGE);
-		chunk_free(&hex);
-		memcpy(eap->data, msg, AUTH_RESPONSE_LEN + sizeof(SUCCESS_MESSAGE));
-		*out = eap_payload_create_data(chunk_create((void*) eap, len));
-		return NEED_MORE;
-	}
-
-	return process_server_retry(this, out);
-}
-
-/**
- * Implementation of eap_method_t.process for the server
- */
-static status_t process_server(private_eap_mschapv2_t *this, eap_payload_t *in,
-		eap_payload_t **out)
-{
-	eap_mschapv2_header_t *eap;
-	chunk_t data;
-
-	if (this->identifier != in->get_identifier(in))
-	{
-		DBG1(DBG_IKE, "received invalid EAP-MS-CHAPv2 message: "
-			 "unexpected identifier");
-		return FAILED;
-	}
-
-	data = in->get_data(in);
-	if (data.len < SHORT_HEADER_LEN)
-	{
-		DBG1(DBG_IKE, "received invalid EAP-MS-CHAPv2 message: too short");
-		return FAILED;
-	}
-
-	eap = (eap_mschapv2_header_t*)data.ptr;
-
-	switch (eap->opcode)
-	{
-		case MSCHAPV2_RESPONSE:
-		{
-			return process_server_response(this, in, out);
-		}
-		case MSCHAPV2_SUCCESS:
-		{
-			return SUCCESS;
-		}
-		case MSCHAPV2_FAILURE:
-		{
-			return FAILED;
-		}
-		default:
-		{
-			DBG1(DBG_IKE, "EAP-MS-CHAPv2 received packet with unsupported "
-				 "OpCode (%N)!", mschapv2_opcode_names, eap->opcode);
-			break;
-		}
-	}
-	return FAILED;
-}
-
-/**
- * Implementation of eap_method_t.get_type.
- */
-static eap_type_t get_type(private_eap_mschapv2_t *this, u_int32_t *vendor)
-{
-	*vendor = 0;
-	return EAP_MSCHAPV2;
-}
-
-/**
- * Implementation of eap_method_t.get_msk.
- */
-static status_t get_msk(private_eap_mschapv2_t *this, chunk_t *msk)
-{
-	if (this->msk.ptr)
-	{
-		*msk = this->msk;
-		return SUCCESS;
-	}
-	return FAILED;
-}
-
-/**
- * Implementation of eap_method_t.is_mutual.
- */
-static bool is_mutual(private_eap_mschapv2_t *this)
-{
-	return FALSE;
-}
-
-/**
- * Implementation of eap_method_t.destroy.
- */
-static void destroy(private_eap_mschapv2_t *this)
-{
-	this->peer->destroy(this->peer);
-	this->server->destroy(this->server);
-	chunk_free(&this->challenge);
-	chunk_free(&this->nt_response);
-	chunk_free(&this->auth_response);
-	chunk_free(&this->msk);
-	free(this);
-}
-
-/**
- * Generic constructor
- */
-static private_eap_mschapv2_t *eap_mschapv2_create_generic(identification_t *server, identification_t *peer)
-{
-	private_eap_mschapv2_t *this = malloc_thing(private_eap_mschapv2_t);
-
-	this->public.eap_method_interface.initiate = NULL;
-	this->public.eap_method_interface.process = NULL;
-	this->public.eap_method_interface.get_type = (eap_type_t(*)(eap_method_t*,u_int32_t*))get_type;
-	this->public.eap_method_interface.is_mutual = (bool(*)(eap_method_t*))is_mutual;
-	this->public.eap_method_interface.get_msk = (status_t(*)(eap_method_t*,chunk_t*))get_msk;
-	this->public.eap_method_interface.destroy = (void(*)(eap_method_t*))destroy;
-
-	/* private data */
-	this->peer = peer->clone(peer);
-	this->server = server->clone(server);
-	this->challenge = chunk_empty;
-	this->nt_response = chunk_empty;
-	this->auth_response = chunk_empty;
-	this->msk = chunk_empty;
-	this->identifier = 0;
-	this->mschapv2id = 0;
-	this->retries = 0;
-
-	return this;
-}
-
-/*
- * see header
- */
-eap_mschapv2_t *eap_mschapv2_create_server(identification_t *server, identification_t *peer)
-{
-	private_eap_mschapv2_t *this = eap_mschapv2_create_generic(server, peer);
-
-	this->public.eap_method_interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate_server;
-	this->public.eap_method_interface.process = (status_t(*)(eap_method_t*,eap_payload_t*, eap_payload_t**))process_server;
-
-	/* generate a non-zero identifier */
-	do
-	{
-		this->identifier = random();
-	} while (!this->identifier);
-
-	this->mschapv2id = this->identifier;
-
-	return &this->public;
-}
-
-/*
- * see header
- */
-eap_mschapv2_t *eap_mschapv2_create_peer(identification_t *server, identification_t *peer)
-{
-	private_eap_mschapv2_t *this = eap_mschapv2_create_generic(server, peer);
-
-	this->public.eap_method_interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate_peer;
-	this->public.eap_method_interface.process = (status_t(*)(eap_method_t*,eap_payload_t*, eap_payload_t**))process_peer;
-
-	return &this->public;
-}
-
diff --git a/src/charon/plugins/eap_mschapv2/eap_mschapv2.h b/src/charon/plugins/eap_mschapv2/eap_mschapv2.h
deleted file mode 100644
index 34cc1141e..000000000
--- a/src/charon/plugins/eap_mschapv2/eap_mschapv2.h
+++ /dev/null
@@ -1,57 +0,0 @@
-/*
- * Copyright (C) 2009 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup eap_mschapv2_i eap_mschapv2
- * @{ @ingroup eap_mschapv2
- */
-
-#ifndef EAP_MSCHAPV2_H_
-#define EAP_MSCHAPV2_H_
-
-typedef struct eap_mschapv2_t eap_mschapv2_t;
-
-#include <sa/authenticators/eap/eap_method.h>
-
-/**
- * Implementation of the eap_method_t interface using EAP-MS-CHAPv2.
- */
-struct eap_mschapv2_t {
-
-	/**
-	 * Implemented eap_method_t interface.
-	 */
-	eap_method_t eap_method_interface;
-};
-
-/**
- * Creates the EAP method EAP-MS-CHAPv2 acting as server.
- *
- * @param server	ID of the EAP server
- * @param peer		ID of the EAP client
- * @return			eap_mschapv2_t object
- */
-eap_mschapv2_t *eap_mschapv2_create_server(identification_t *server, identification_t *peer);
-
-/**
- * Creates the EAP method EAP-MS-CHAPv2 acting as peer.
- *
- * @param server	ID of the EAP server
- * @param peer		ID of the EAP client
- * @return			eap_mschapv2_t object
- */
-eap_mschapv2_t *eap_mschapv2_create_peer(identification_t *server, identification_t *peer);
-
-#endif /** EAP_MSCHAPV2_H_ @}*/
diff --git a/src/charon/plugins/eap_mschapv2/eap_mschapv2_plugin.c b/src/charon/plugins/eap_mschapv2/eap_mschapv2_plugin.c
deleted file mode 100644
index 404cecb20..000000000
--- a/src/charon/plugins/eap_mschapv2/eap_mschapv2_plugin.c
+++ /dev/null
@@ -1,50 +0,0 @@
-/*
- * Copyright (C) 2009 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "eap_mschapv2_plugin.h"
-
-#include "eap_mschapv2.h"
-
-#include <daemon.h>
-
-/**
- * Implementation of plugin_t.destroy
- */
-static void destroy(eap_mschapv2_plugin_t *this)
-{
-	charon->eap->remove_method(charon->eap,
-							   (eap_constructor_t)eap_mschapv2_create_server);
-	charon->eap->remove_method(charon->eap,
-							   (eap_constructor_t)eap_mschapv2_create_peer);
-	free(this);
-}
-
-/*
- * see header file
- */
-plugin_t *plugin_create()
-{
-	eap_mschapv2_plugin_t *this = malloc_thing(eap_mschapv2_plugin_t);
-
-	this->plugin.destroy = (void(*)(plugin_t*))destroy;
-
-	charon->eap->add_method(charon->eap, EAP_MSCHAPV2, 0, EAP_SERVER,
-							(eap_constructor_t)eap_mschapv2_create_server);
-	charon->eap->add_method(charon->eap, EAP_MSCHAPV2, 0, EAP_PEER,
-							(eap_constructor_t)eap_mschapv2_create_peer);
-
-	return &this->plugin;
-}
-
diff --git a/src/charon/plugins/eap_mschapv2/eap_mschapv2_plugin.h b/src/charon/plugins/eap_mschapv2/eap_mschapv2_plugin.h
deleted file mode 100644
index 9048fc64e..000000000
--- a/src/charon/plugins/eap_mschapv2/eap_mschapv2_plugin.h
+++ /dev/null
@@ -1,47 +0,0 @@
-/*
- * Copyright (C) 2009 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup eap_mschapv2 eap_mschapv2
- * @ingroup cplugins
- *
- * @defgroup eap_mschapv2_plugin eap_mschapv2_plugin
- * @{ @ingroup eap_mschapv2
- */
-
-#ifndef EAP_MSCHAPV2_PLUGIN_H_
-#define EAP_MSCHAPV2_PLUGIN_H_
-
-#include <plugins/plugin.h>
-
-typedef struct eap_mschapv2_plugin_t eap_mschapv2_plugin_t;
-
-/**
- * EAP-MS-CHAPv2 plugin
- */
-struct eap_mschapv2_plugin_t {
-
-	/**
-	 * implements plugin interface
-	 */
-	plugin_t plugin;
-};
-
-/**
- * Create a eap_mschapv2_plugin instance.
- */
-plugin_t *plugin_create();
-
-#endif /** EAP_MSCHAPV2_PLUGIN_H_ @}*/
diff --git a/src/charon/plugins/eap_radius/Makefile.am b/src/charon/plugins/eap_radius/Makefile.am
deleted file mode 100644
index e476fbed6..000000000
--- a/src/charon/plugins/eap_radius/Makefile.am
+++ /dev/null
@@ -1,14 +0,0 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
-
-AM_CFLAGS = -rdynamic
-
-plugin_LTLIBRARIES = libstrongswan-eap-radius.la
-
-libstrongswan_eap_radius_la_SOURCES = \
-  eap_radius_plugin.h eap_radius_plugin.c \
-  eap_radius.h eap_radius.c \
-  radius_client.h radius_client.c \
-  radius_message.h radius_message.c
-libstrongswan_eap_radius_la_LDFLAGS = -module -avoid-version
-
diff --git a/src/charon/plugins/eap_radius/Makefile.in b/src/charon/plugins/eap_radius/Makefile.in
deleted file mode 100644
index eb135e750..000000000
--- a/src/charon/plugins/eap_radius/Makefile.in
+++ /dev/null
@@ -1,577 +0,0 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
-# @configure_input@
-
-# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
-# This Makefile.in is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
-# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
-# PARTICULAR PURPOSE.
-
-@SET_MAKE@
-
-VPATH = @srcdir@
-pkgdatadir = $(datadir)/@PACKAGE@
-pkgincludedir = $(includedir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
-pkglibexecdir = $(libexecdir)/@PACKAGE@
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-install_sh_DATA = $(install_sh) -c -m 644
-install_sh_PROGRAM = $(install_sh) -c
-install_sh_SCRIPT = $(install_sh) -c
-INSTALL_HEADER = $(INSTALL_DATA)
-transform = $(program_transform_name)
-NORMAL_INSTALL = :
-PRE_INSTALL = :
-POST_INSTALL = :
-NORMAL_UNINSTALL = :
-PRE_UNINSTALL = :
-POST_UNINSTALL = :
-build_triplet = @build@
-host_triplet = @host@
-subdir = src/charon/plugins/eap_radius
-DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
-ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
-	$(top_srcdir)/m4/config/ltoptions.m4 \
-	$(top_srcdir)/m4/config/ltsugar.m4 \
-	$(top_srcdir)/m4/config/ltversion.m4 \
-	$(top_srcdir)/m4/config/lt~obsolete.m4 \
-	$(top_srcdir)/m4/macros/with.m4 \
-	$(top_srcdir)/m4/macros/enable-disable.m4 \
-	$(top_srcdir)/configure.in
-am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
-	$(ACLOCAL_M4)
-mkinstalldirs = $(install_sh) -d
-CONFIG_CLEAN_FILES =
-CONFIG_CLEAN_VPATH_FILES =
-am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
-am__vpath_adj = case $$p in \
-    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
-    *) f=$$p;; \
-  esac;
-am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
-am__install_max = 40
-am__nobase_strip_setup = \
-  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
-am__nobase_strip = \
-  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
-am__nobase_list = $(am__nobase_strip_setup); \
-  for p in $$list; do echo "$$p $$p"; done | \
-  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
-  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
-    if (++n[$$2] == $(am__install_max)) \
-      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
-    END { for (dir in files) print dir, files[dir] }'
-am__base_list = \
-  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
-  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
-am__installdirs = "$(DESTDIR)$(plugindir)"
-LTLIBRARIES = $(plugin_LTLIBRARIES)
-libstrongswan_eap_radius_la_LIBADD =
-am_libstrongswan_eap_radius_la_OBJECTS = eap_radius_plugin.lo \
-	eap_radius.lo radius_client.lo radius_message.lo
-libstrongswan_eap_radius_la_OBJECTS =  \
-	$(am_libstrongswan_eap_radius_la_OBJECTS)
-libstrongswan_eap_radius_la_LINK = $(LIBTOOL) --tag=CC \
-	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
-	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_eap_radius_la_LDFLAGS) \
-	$(LDFLAGS) -o $@
-DEFAULT_INCLUDES = -I.@am__isrc@
-depcomp = $(SHELL) $(top_srcdir)/depcomp
-am__depfiles_maybe = depfiles
-am__mv = mv -f
-COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
-	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
-SOURCES = $(libstrongswan_eap_radius_la_SOURCES)
-DIST_SOURCES = $(libstrongswan_eap_radius_la_SOURCES)
-ETAGS = etags
-CTAGS = ctags
-DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
-ACLOCAL = @ACLOCAL@
-ALLOCA = @ALLOCA@
-AMTAR = @AMTAR@
-AR = @AR@
-AUTOCONF = @AUTOCONF@
-AUTOHEADER = @AUTOHEADER@
-AUTOMAKE = @AUTOMAKE@
-AWK = @AWK@
-BTLIB = @BTLIB@
-CC = @CC@
-CCDEPMODE = @CCDEPMODE@
-CFLAGS = @CFLAGS@
-CPP = @CPP@
-CPPFLAGS = @CPPFLAGS@
-CYGPATH_W = @CYGPATH_W@
-DEFS = @DEFS@
-DEPDIR = @DEPDIR@
-DLLIB = @DLLIB@
-DSYMUTIL = @DSYMUTIL@
-DUMPBIN = @DUMPBIN@
-ECHO_C = @ECHO_C@
-ECHO_N = @ECHO_N@
-ECHO_T = @ECHO_T@
-EGREP = @EGREP@
-EXEEXT = @EXEEXT@
-FGREP = @FGREP@
-GPERF = @GPERF@
-GREP = @GREP@
-INSTALL = @INSTALL@
-INSTALL_DATA = @INSTALL_DATA@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@
-INSTALL_SCRIPT = @INSTALL_SCRIPT@
-INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-LD = @LD@
-LDFLAGS = @LDFLAGS@
-LEX = @LEX@
-LEXLIB = @LEXLIB@
-LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBOBJS = @LIBOBJS@
-LIBS = @LIBS@
-LIBTOOL = @LIBTOOL@
-LIPO = @LIPO@
-LN_S = @LN_S@
-LTLIBOBJS = @LTLIBOBJS@
-MAKEINFO = @MAKEINFO@
-MKDIR_P = @MKDIR_P@
-MYSQLCFLAG = @MYSQLCFLAG@
-MYSQLCONFIG = @MYSQLCONFIG@
-MYSQLLIB = @MYSQLLIB@
-NM = @NM@
-NMEDIT = @NMEDIT@
-OBJDUMP = @OBJDUMP@
-OBJEXT = @OBJEXT@
-OTOOL = @OTOOL@
-OTOOL64 = @OTOOL64@
-PACKAGE = @PACKAGE@
-PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
-PACKAGE_NAME = @PACKAGE_NAME@
-PACKAGE_STRING = @PACKAGE_STRING@
-PACKAGE_TARNAME = @PACKAGE_TARNAME@
-PACKAGE_URL = @PACKAGE_URL@
-PACKAGE_VERSION = @PACKAGE_VERSION@
-PATH_SEPARATOR = @PATH_SEPARATOR@
-PERL = @PERL@
-PKG_CONFIG = @PKG_CONFIG@
-PTHREADLIB = @PTHREADLIB@
-RANLIB = @RANLIB@
-RTLIB = @RTLIB@
-RUBY = @RUBY@
-RUBYINCLUDE = @RUBYINCLUDE@
-SED = @SED@
-SET_MAKE = @SET_MAKE@
-SHELL = @SHELL@
-SOCKLIB = @SOCKLIB@
-STRIP = @STRIP@
-VERSION = @VERSION@
-YACC = @YACC@
-YFLAGS = @YFLAGS@
-abs_builddir = @abs_builddir@
-abs_srcdir = @abs_srcdir@
-abs_top_builddir = @abs_top_builddir@
-abs_top_srcdir = @abs_top_srcdir@
-ac_ct_CC = @ac_ct_CC@
-ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
-am__include = @am__include@
-am__leading_dot = @am__leading_dot@
-am__quote = @am__quote@
-am__tar = @am__tar@
-am__untar = @am__untar@
-bindir = @bindir@
-build = @build@
-build_alias = @build_alias@
-build_cpu = @build_cpu@
-build_os = @build_os@
-build_vendor = @build_vendor@
-builddir = @builddir@
-datadir = @datadir@
-datarootdir = @datarootdir@
-default_pkcs11 = @default_pkcs11@
-docdir = @docdir@
-dvidir = @dvidir@
-exec_prefix = @exec_prefix@
-gtk_CFLAGS = @gtk_CFLAGS@
-gtk_LIBS = @gtk_LIBS@
-host = @host@
-host_alias = @host_alias@
-host_cpu = @host_cpu@
-host_os = @host_os@
-host_vendor = @host_vendor@
-htmldir = @htmldir@
-includedir = @includedir@
-infodir = @infodir@
-install_sh = @install_sh@
-ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
-ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
-ipsecuser = @ipsecuser@
-libdir = @libdir@
-libexecdir = @libexecdir@
-libstrongswan_plugins = @libstrongswan_plugins@
-linux_headers = @linux_headers@
-localedir = @localedir@
-localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
-mandir = @mandir@
-mkdir_p = @mkdir_p@
-nm_CFLAGS = @nm_CFLAGS@
-nm_LIBS = @nm_LIBS@
-nm_ca_dir = @nm_ca_dir@
-oldincludedir = @oldincludedir@
-pdfdir = @pdfdir@
-piddir = @piddir@
-plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
-prefix = @prefix@
-program_transform_name = @program_transform_name@
-psdir = @psdir@
-random_device = @random_device@
-resolv_conf = @resolv_conf@
-routing_table = @routing_table@
-routing_table_prio = @routing_table_prio@
-sbindir = @sbindir@
-sharedstatedir = @sharedstatedir@
-srcdir = @srcdir@
-strongswan_conf = @strongswan_conf@
-sysconfdir = @sysconfdir@
-target_alias = @target_alias@
-top_build_prefix = @top_build_prefix@
-top_builddir = @top_builddir@
-top_srcdir = @top_srcdir@
-urandom_device = @urandom_device@
-xml_CFLAGS = @xml_CFLAGS@
-xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
-AM_CFLAGS = -rdynamic
-plugin_LTLIBRARIES = libstrongswan-eap-radius.la
-libstrongswan_eap_radius_la_SOURCES = \
-  eap_radius_plugin.h eap_radius_plugin.c \
-  eap_radius.h eap_radius.c \
-  radius_client.h radius_client.c \
-  radius_message.h radius_message.c
-
-libstrongswan_eap_radius_la_LDFLAGS = -module -avoid-version
-all: all-am
-
-.SUFFIXES:
-.SUFFIXES: .c .lo .o .obj
-$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
-	@for dep in $?; do \
-	  case '$(am__configure_deps)' in \
-	    *$$dep*) \
-	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
-	        && { if test -f $@; then exit 0; else break; fi; }; \
-	      exit 1;; \
-	  esac; \
-	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/charon/plugins/eap_radius/Makefile'; \
-	$(am__cd) $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu src/charon/plugins/eap_radius/Makefile
-.PRECIOUS: Makefile
-Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
-	@case '$?' in \
-	  *config.status*) \
-	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
-	  *) \
-	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
-	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
-	esac;
-
-$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-
-$(top_srcdir)/configure:  $(am__configure_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(am__aclocal_m4_deps):
-install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
-	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
-	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
-	list2=; for p in $$list; do \
-	  if test -f $$p; then \
-	    list2="$$list2 $$p"; \
-	  else :; fi; \
-	done; \
-	test -z "$$list2" || { \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
-	}
-
-uninstall-pluginLTLIBRARIES:
-	@$(NORMAL_UNINSTALL)
-	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
-	for p in $$list; do \
-	  $(am__strip_dir) \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
-	done
-
-clean-pluginLTLIBRARIES:
-	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
-	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
-	  test "$$dir" != "$$p" || dir=.; \
-	  echo "rm -f \"$${dir}/so_locations\""; \
-	  rm -f "$${dir}/so_locations"; \
-	done
-libstrongswan-eap-radius.la: $(libstrongswan_eap_radius_la_OBJECTS) $(libstrongswan_eap_radius_la_DEPENDENCIES) 
-	$(libstrongswan_eap_radius_la_LINK) -rpath $(plugindir) $(libstrongswan_eap_radius_la_OBJECTS) $(libstrongswan_eap_radius_la_LIBADD) $(LIBS)
-
-mostlyclean-compile:
-	-rm -f *.$(OBJEXT)
-
-distclean-compile:
-	-rm -f *.tab.c
-
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_radius.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_radius_plugin.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/radius_client.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/radius_message.Plo@am__quote@
-
-.c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
-
-.c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
-
-.c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
-
-mostlyclean-libtool:
-	-rm -f *.lo
-
-clean-libtool:
-	-rm -rf .libs _libs
-
-ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
-	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	mkid -fID $$unique
-tags: TAGS
-
-TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	set x; \
-	here=`pwd`; \
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	shift; \
-	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
-	  test -n "$$unique" || unique=$$empty_fix; \
-	  if test $$# -gt 0; then \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      "$$@" $$unique; \
-	  else \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      $$unique; \
-	  fi; \
-	fi
-ctags: CTAGS
-CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$unique" \
-	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$unique
-
-GTAGS:
-	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && $(am__cd) $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) "$$here"
-
-distclean-tags:
-	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
-
-distdir: $(DISTFILES)
-	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	list='$(DISTFILES)'; \
-	  dist_files=`for file in $$list; do echo $$file; done | \
-	  sed -e "s|^$$srcdirstrip/||;t" \
-	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
-	case $$dist_files in \
-	  */*) $(MKDIR_P) `echo "$$dist_files" | \
-			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
-			   sort -u` ;; \
-	esac; \
-	for file in $$dist_files; do \
-	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  if test -d $$d/$$file; then \
-	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
-	    if test -d "$(distdir)/$$file"; then \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
-	  else \
-	    test -f "$(distdir)/$$file" \
-	    || cp -p $$d/$$file "$(distdir)/$$file" \
-	    || exit 1; \
-	  fi; \
-	done
-check-am: all-am
-check: check-am
-all-am: Makefile $(LTLIBRARIES)
-installdirs:
-	for dir in "$(DESTDIR)$(plugindir)"; do \
-	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
-	done
-install: install-am
-install-exec: install-exec-am
-install-data: install-data-am
-uninstall: uninstall-am
-
-install-am: all-am
-	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
-
-installcheck: installcheck-am
-install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
-mostlyclean-generic:
-
-clean-generic:
-
-distclean-generic:
-	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
-
-maintainer-clean-generic:
-	@echo "This command is intended for maintainers to use"
-	@echo "it deletes files that may require special tools to rebuild."
-clean: clean-am
-
-clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
-	mostlyclean-am
-
-distclean: distclean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-distclean-am: clean-am distclean-compile distclean-generic \
-	distclean-tags
-
-dvi: dvi-am
-
-dvi-am:
-
-html: html-am
-
-html-am:
-
-info: info-am
-
-info-am:
-
-install-data-am: install-pluginLTLIBRARIES
-
-install-dvi: install-dvi-am
-
-install-dvi-am:
-
-install-exec-am:
-
-install-html: install-html-am
-
-install-html-am:
-
-install-info: install-info-am
-
-install-info-am:
-
-install-man:
-
-install-pdf: install-pdf-am
-
-install-pdf-am:
-
-install-ps: install-ps-am
-
-install-ps-am:
-
-installcheck-am:
-
-maintainer-clean: maintainer-clean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-maintainer-clean-am: distclean-am maintainer-clean-generic
-
-mostlyclean: mostlyclean-am
-
-mostlyclean-am: mostlyclean-compile mostlyclean-generic \
-	mostlyclean-libtool
-
-pdf: pdf-am
-
-pdf-am:
-
-ps: ps-am
-
-ps-am:
-
-uninstall-am: uninstall-pluginLTLIBRARIES
-
-.MAKE: install-am install-strip
-
-.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
-	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
-	distclean-compile distclean-generic distclean-libtool \
-	distclean-tags distdir dvi dvi-am html html-am info info-am \
-	install install-am install-data install-data-am install-dvi \
-	install-dvi-am install-exec install-exec-am install-html \
-	install-html-am install-info install-info-am install-man \
-	install-pdf install-pdf-am install-pluginLTLIBRARIES \
-	install-ps install-ps-am install-strip installcheck \
-	installcheck-am installdirs maintainer-clean \
-	maintainer-clean-generic mostlyclean mostlyclean-compile \
-	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
-
-
-# Tell versions [3.59,3.63) of GNU make to not export all variables.
-# Otherwise a system limit (for SysV at least) may be exceeded.
-.NOEXPORT:
diff --git a/src/charon/plugins/eap_radius/eap_radius.c b/src/charon/plugins/eap_radius/eap_radius.c
deleted file mode 100644
index f041fda54..000000000
--- a/src/charon/plugins/eap_radius/eap_radius.c
+++ /dev/null
@@ -1,312 +0,0 @@
-/*
- * Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "eap_radius.h"
-
-#include "radius_message.h"
-#include "radius_client.h"
-
-#include <daemon.h>
-
-typedef struct private_eap_radius_t private_eap_radius_t;
-
-/**
- * Private data of an eap_radius_t object.
- */
-struct private_eap_radius_t {
-
-	/**
-	 * Public authenticator_t interface.
-	 */
-	eap_radius_t public;
-
-	/**
-	 * ID of the server
-	 */
-	identification_t *server;
-
-	/**
-	 * ID of the peer
-	 */
-	identification_t *peer;
-
-	/**
-	 * EAP method type we are proxying
-	 */
-	eap_type_t type;
-
-	/**
-	 * EAP vendor, if any
-	 */
-	u_int32_t vendor;
-
-	/**
-	 * EAP MSK, if method established one
-	 */
-	chunk_t msk;
-
-	/**
-	 * RADIUS client instance
-	 */
-	radius_client_t *client;
-
-	/**
-	 * TRUE to use EAP-Start, FALSE to send EAP-Identity Response directly
-	 */
-	bool eap_start;
-
-	/**
-	 * Prefix to prepend to EAP identity
-	 */
-	char *id_prefix;
-};
-
-/**
- * Add EAP-Identity to RADIUS message
- */
-static void add_eap_identity(private_eap_radius_t *this,
-							 radius_message_t *request)
-{
-	struct {
-		/** EAP code (REQUEST/RESPONSE) */
-		u_int8_t code;
-		/** unique message identifier */
-		u_int8_t identifier;
-		/** length of whole message */
-		u_int16_t length;
-		/** EAP type */
-		u_int8_t type;
-		/** identity data */
-		u_int8_t data[];
-	} __attribute__((__packed__)) *hdr;
-	chunk_t id, prefix;
-	size_t len;
-
-	id = this->peer->get_encoding(this->peer);
-	prefix = chunk_create(this->id_prefix, strlen(this->id_prefix));
-	len = sizeof(*hdr) + prefix.len + id.len;
-
-	hdr = alloca(len);
-	hdr->code = EAP_RESPONSE;
-	hdr->identifier = 0;
-	hdr->length = htons(len);
-	hdr->type = EAP_IDENTITY;
-	memcpy(hdr->data, prefix.ptr, prefix.len);
-	memcpy(hdr->data + prefix.len, id.ptr, id.len);
-
-	request->add(request, RAT_EAP_MESSAGE, chunk_create((u_char*)hdr, len));
-}
-
-/**
- * Copy EAP-Message attribute from RADIUS message to an new EAP payload
- */
-static bool radius2ike(private_eap_radius_t *this,
-					   radius_message_t *msg, eap_payload_t **out)
-{
-	enumerator_t *enumerator;
-	eap_payload_t *payload;
-	chunk_t data, message = chunk_empty;
-	int type;
-
-	enumerator = msg->create_enumerator(msg);
-	while (enumerator->enumerate(enumerator, &type, &data))
-	{
-		if (type == RAT_EAP_MESSAGE && data.len)
-		{
-			message = chunk_cat("mc", message, data);
-		}
-	}
-	enumerator->destroy(enumerator);
-	if (message.len)
-	{
-		*out = payload = eap_payload_create_data(message);
-		free(message.ptr);
-		/* apply EAP method selected by RADIUS server */
-		this->type = payload->get_type(payload, &this->vendor);
-		return TRUE;
-	}
-	return FALSE;
-}
-
-/**
- * Implementation of eap_method_t.initiate
- */
-static status_t initiate(private_eap_radius_t *this, eap_payload_t **out)
-{
-	radius_message_t *request, *response;
-	status_t status = FAILED;
-	chunk_t username;
-
-	request = radius_message_create_request();
-	username = chunk_create(this->id_prefix, strlen(this->id_prefix));
-	username = chunk_cata("cc", username, this->peer->get_encoding(this->peer));
-	request->add(request, RAT_USER_NAME, username);
-
-	if (this->eap_start)
-	{
-		request->add(request, RAT_EAP_MESSAGE, chunk_empty);
-	}
-	else
-	{
-		add_eap_identity(this, request);
-	}
-
-	response = this->client->request(this->client, request);
-	if (response)
-	{
-		if (radius2ike(this, response, out))
-		{
-			status = NEED_MORE;
-		}
-		response->destroy(response);
-	}
-	request->destroy(request);
-	return status;
-}
-
-/**
- * Implementation of eap_method_t.process
- */
-static status_t process(private_eap_radius_t *this,
-						eap_payload_t *in, eap_payload_t **out)
-{
-	radius_message_t *request, *response;
-	status_t status = FAILED;
-	chunk_t data;
-
-	request = radius_message_create_request();
-	request->add(request, RAT_USER_NAME, this->peer->get_encoding(this->peer));
-	data = in->get_data(in);
-	/* fragment data suitable for RADIUS (not more than 253 bytes) */
-	while (data.len > 253)
-	{
-		request->add(request, RAT_EAP_MESSAGE, chunk_create(data.ptr, 253));
-		data = chunk_skip(data, 253);
-	}
-	request->add(request, RAT_EAP_MESSAGE, data);
-
-	response = this->client->request(this->client, request);
-	if (response)
-	{
-		switch (response->get_code(response))
-		{
-			case RMC_ACCESS_CHALLENGE:
-				if (radius2ike(this, response, out))
-				{
-					status = NEED_MORE;
-					break;
-				}
-				status = FAILED;
-				break;
-			case RMC_ACCESS_ACCEPT:
-				this->msk = this->client->decrypt_msk(this->client,
-													  response, request);
-				status = SUCCESS;
-				break;
-			case RMC_ACCESS_REJECT:
-			default:
-				DBG1(DBG_CFG, "received %N from RADIUS server",
-					 radius_message_code_names, response->get_code(response));
-				status = FAILED;
-				break;
-		}
-		response->destroy(response);
-	}
-	request->destroy(request);
-	return status;
-}
-
-/**
- * Implementation of eap_method_t.get_type.
- */
-static eap_type_t get_type(private_eap_radius_t *this, u_int32_t *vendor)
-{
-	*vendor = this->vendor;
-	return this->type;
-}
-
-/**
- * Implementation of eap_method_t.get_msk.
- */
-static status_t get_msk(private_eap_radius_t *this, chunk_t *msk)
-{
-	if (this->msk.ptr)
-	{
-		*msk = this->msk;
-		return SUCCESS;
-	}
-	return FAILED;
-}
-
-/**
- * Implementation of eap_method_t.is_mutual.
- */
-static bool is_mutual(private_eap_radius_t *this)
-{
-	switch (this->type)
-	{
-		case EAP_AKA:
-		case EAP_SIM:
-			return TRUE;
-		default:
-			return FALSE;
-	}
-}
-
-/**
- * Implementation of eap_method_t.destroy.
- */
-static void destroy(private_eap_radius_t *this)
-{
-	this->peer->destroy(this->peer);
-	this->server->destroy(this->server);
-	this->client->destroy(this->client);
-	chunk_clear(&this->msk);
-	free(this);
-}
-
-/**
- * Generic constructor
- */
-eap_radius_t *eap_radius_create(identification_t *server, identification_t *peer)
-{
-	private_eap_radius_t *this = malloc_thing(private_eap_radius_t);
-
-	this->public.eap_method_interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate;
-	this->public.eap_method_interface.process = (status_t(*)(eap_method_t*,eap_payload_t*,eap_payload_t**))process;
-	this->public.eap_method_interface.get_type = (eap_type_t(*)(eap_method_t*,u_int32_t*))get_type;
-	this->public.eap_method_interface.is_mutual = (bool(*)(eap_method_t*))is_mutual;
-	this->public.eap_method_interface.get_msk = (status_t(*)(eap_method_t*,chunk_t*))get_msk;
-	this->public.eap_method_interface.destroy = (void(*)(eap_method_t*))destroy;
-
-	this->client = radius_client_create();
-	if (!this->client)
-	{
-		free(this);
-		return NULL;
-	}
-	this->peer = peer->clone(peer);
-	this->server = server->clone(server);
-	/* initially EAP_RADIUS, but is set to the method selected by RADIUS */
-	this->type = EAP_RADIUS;
-	this->vendor = 0;
-	this->msk = chunk_empty;
-	this->eap_start = lib->settings->get_bool(lib->settings,
-								"charon.plugins.eap-radius.eap_start", FALSE);
-	this->id_prefix = lib->settings->get_str(lib->settings,
-								"charon.plugins.eap-radius.id_prefix", "");
-	return &this->public;
-}
-
diff --git a/src/charon/plugins/eap_radius/eap_radius.h b/src/charon/plugins/eap_radius/eap_radius.h
deleted file mode 100644
index 8eb9e8c2d..000000000
--- a/src/charon/plugins/eap_radius/eap_radius.h
+++ /dev/null
@@ -1,48 +0,0 @@
-/*
- * Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup eap_radius_i eap_radius
- * @{ @ingroup eap_radius
- */
-
-#ifndef EAP_RADIUS_H_
-#define EAP_RADIUS_H_
-
-typedef struct eap_radius_t eap_radius_t;
-
-#include <sa/authenticators/eap/eap_method.h>
-
-/**
- * Implementation of the eap_method_t interface using a RADIUS server.
- */
-struct eap_radius_t {
-
-	/**
-	 * Implemented eap_method_t interface.
-	 */
-	eap_method_t eap_method_interface;
-};
-
-/**
- * Create a EAP RADIUS proxy.
- *
- * @param server	ID of the EAP server
- * @param peer		ID of the EAP client
- * @return			eap_radius_t object
- */
-eap_radius_t *eap_radius_create(identification_t *server, identification_t *peer);
-
-#endif /** EAP_RADIUS_H_ @}*/
diff --git a/src/charon/plugins/eap_radius/eap_radius_plugin.c b/src/charon/plugins/eap_radius/eap_radius_plugin.c
deleted file mode 100644
index 51e6a69c8..000000000
--- a/src/charon/plugins/eap_radius/eap_radius_plugin.c
+++ /dev/null
@@ -1,54 +0,0 @@
-/*
- * Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "eap_radius_plugin.h"
-
-#include "eap_radius.h"
-#include "radius_client.h"
-
-#include <daemon.h>
-
-/**
- * Implementation of plugin_t.destroy
- */
-static void destroy(eap_radius_plugin_t *this)
-{
-	charon->eap->remove_method(charon->eap, (eap_constructor_t)eap_radius_create);
-	radius_client_cleanup();
-	free(this);
-}
-
-/*
- * see header file
- */
-plugin_t *plugin_create()
-{
-	eap_radius_plugin_t *this;
-
-	if (!radius_client_init())
-	{
-		DBG1(DBG_CFG, "RADIUS plugin initialization failed");
-		return NULL;
-	}
-
-	this = malloc_thing(eap_radius_plugin_t);
-	this->plugin.destroy = (void(*)(plugin_t*))destroy;
-
-	charon->eap->add_method(charon->eap, EAP_RADIUS, 0,
-							EAP_SERVER, (eap_constructor_t)eap_radius_create);
-
-	return &this->plugin;
-}
-
diff --git a/src/charon/plugins/eap_radius/eap_radius_plugin.h b/src/charon/plugins/eap_radius/eap_radius_plugin.h
deleted file mode 100644
index a79640796..000000000
--- a/src/charon/plugins/eap_radius/eap_radius_plugin.h
+++ /dev/null
@@ -1,50 +0,0 @@
-/*
- * Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup eap_radius eap_radius
- * @ingroup cplugins
- *
- * @defgroup eap_radius_plugin eap_radius_plugin
- * @{ @ingroup eap_radius
- */
-
-#ifndef EAP_RADIUS_PLUGIN_H_
-#define EAP_RADIUS_PLUGIN_H_
-
-#include <plugins/plugin.h>
-
-typedef struct eap_radius_plugin_t eap_radius_plugin_t;
-
-/**
- * EAP RADIUS proxy plugin.
- *
- * This plugin provides not a single EAP method, but a proxy to forwared
- * EAP packets to a RADIUS server. It only provides server implementations.
- */
-struct eap_radius_plugin_t {
-
-	/**
-	 * implements plugin interface
-	 */
-	plugin_t plugin;
-};
-
-/**
- * Create a eap_radius_plugin instance.
- */
-plugin_t *plugin_create();
-
-#endif /** EAP_RADIUS_PLUGIN_H_ @}*/
diff --git a/src/charon/plugins/eap_radius/radius_client.c b/src/charon/plugins/eap_radius/radius_client.c
deleted file mode 100644
index 1d1f21742..000000000
--- a/src/charon/plugins/eap_radius/radius_client.c
+++ /dev/null
@@ -1,495 +0,0 @@
-/*
- * Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "radius_client.h"
-
-#include <unistd.h>
-#include <errno.h>
-
-#include <daemon.h>
-#include <utils/host.h>
-#include <utils/linked_list.h>
-#include <threading/condvar.h>
-#include <threading/mutex.h>
-
-/**
- * Default RADIUS server port, when not configured
- */
-#define RADIUS_PORT 1812
-
-/**
- * Vendor-Id of Microsoft specific attributes
- */
-#define VENDOR_ID_MICROSOFT 311
-
-/**
- * Microsoft specific vendor attributes
- */
-#define MS_MPPE_SEND_KEY 16
-#define MS_MPPE_RECV_KEY 17
-
-typedef struct private_radius_client_t private_radius_client_t;
-
-typedef struct entry_t entry_t;
-
-/**
- * A socket pool entry.
- */
-struct entry_t {
-	/** socket file descriptor */
-	int fd;
-	/** current RADIUS identifier */
-	u_int8_t identifier;
-	/** hasher to use for response verification */
-	hasher_t *hasher;
-	/** HMAC-MD5 signer to build Message-Authenticator attribute */
-	signer_t *signer;
-	/** random number generator for RADIUS request authenticator */
-	rng_t *rng;
-};
-
-/**
- * Private data of an radius_client_t object.
- */
-struct private_radius_client_t {
-
-	/**
-	 * Public radius_client_t interface.
-	 */
-	radius_client_t public;
-
-	/**
-	 * RADIUS servers State attribute
-	 */
-	chunk_t state;
-};
-
-/**
- * Global list of radius sockets, contains entry_t's
- */
-static linked_list_t *sockets;
-
-/**
- * mutex to lock sockets list
- */
-static mutex_t *mutex;
-
-/**
- * condvar to wait for sockets
- */
-static condvar_t *condvar;
-
-/**
- * RADIUS secret
- */
-static chunk_t secret;
-
-/**
- * NAS-Identifier
- */
-static chunk_t nas_identifier;
-
-/**
- * Clean up socket list
- */
-void radius_client_cleanup()
-{
-	entry_t *entry;
-
-	mutex->destroy(mutex);
-	condvar->destroy(condvar);
-	while (sockets->remove_last(sockets, (void**)&entry) == SUCCESS)
-	{
-		entry->rng->destroy(entry->rng);
-		entry->hasher->destroy(entry->hasher);
-		entry->signer->destroy(entry->signer);
-		close(entry->fd);
-		free(entry);
-	}
-	sockets->destroy(sockets);
-}
-
-/**
- * Initialize the socket list
- */
-bool radius_client_init()
-{
-	int i, count, fd;
-	u_int16_t port;
-	entry_t *entry;
-	host_t *host;
-	char *server;
-
-	nas_identifier.ptr = lib->settings->get_str(lib->settings,
-					"charon.plugins.eap-radius.nas_identifier", "strongSwan");
-	nas_identifier.len = strlen(nas_identifier.ptr);
-
-	secret.ptr = lib->settings->get_str(lib->settings,
-					"charon.plugins.eap-radius.secret", NULL);
-	if (!secret.ptr)
-	{
-		DBG1(DBG_CFG, "no RADUIS secret defined");
-		return FALSE;
-	}
-	secret.len = strlen(secret.ptr);
-	server = lib->settings->get_str(lib->settings,
-					"charon.plugins.eap-radius.server", NULL);
-	if (!server)
-	{
-		DBG1(DBG_CFG, "no RADUIS server defined");
-		return FALSE;
-	}
-	port = lib->settings->get_int(lib->settings,
-					"charon.plugins.eap-radius.port", RADIUS_PORT);
-	host = host_create_from_dns(server, 0, port);
-	if (!host)
-	{
-		return FALSE;
-	}
-	count = lib->settings->get_int(lib->settings,
-					"charon.plugins.eap-radius.sockets", 1);
-
-	sockets = linked_list_create();
-	mutex = mutex_create(MUTEX_TYPE_DEFAULT);
-	condvar = condvar_create(CONDVAR_TYPE_DEFAULT);
-	for (i = 0; i < count; i++)
-	{
-		fd = socket(host->get_family(host), SOCK_DGRAM, IPPROTO_UDP);
-		if (fd < 0)
-		{
-			DBG1(DBG_CFG, "opening RADIUS socket failed");
-			host->destroy(host);
-			radius_client_cleanup();
-			return FALSE;
-		}
-		if (connect(fd, host->get_sockaddr(host),
-					*host->get_sockaddr_len(host)) < 0)
-		{
-			DBG1(DBG_CFG, "connecting RADIUS socket failed");
-			host->destroy(host);
-			radius_client_cleanup();
-			return FALSE;
-		}
-		entry = malloc_thing(entry_t);
-		entry->fd = fd;
-		/* we use per-socket crypto elements: this reduces overhead, but
-		 * is still thread-save. */
-		entry->hasher = lib->crypto->create_hasher(lib->crypto, HASH_MD5);
-		entry->signer = lib->crypto->create_signer(lib->crypto, AUTH_HMAC_MD5_128);
-		entry->rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
-		if (!entry->hasher || !entry->signer || !entry->rng)
-		{
-			DBG1(DBG_CFG, "RADIUS initialization failed, HMAC/MD5/RNG required");
-			DESTROY_IF(entry->hasher);
-			DESTROY_IF(entry->signer);
-			DESTROY_IF(entry->rng);
-			free(entry);
-			host->destroy(host);
-			radius_client_cleanup();
-			return FALSE;
-		}
-		entry->signer->set_key(entry->signer, secret);
-		/* we use a random identifier, helps if we restart often (testing) */
-		entry->identifier = random();
-		sockets->insert_last(sockets, entry);
-	}
-	host->destroy(host);
-	return TRUE;
-}
-
-/**
- * Get a socket from the pool, block if none available
- */
-static entry_t* get_socket()
-{
-	entry_t *entry;
-
-	mutex->lock(mutex);
-	while (sockets->remove_first(sockets, (void**)&entry) != SUCCESS)
-	{
-		condvar->wait(condvar, mutex);
-	}
-	mutex->unlock(mutex);
-	return entry;
-}
-
-/**
- * Release a socket to the pool
- */
-static void put_socket(entry_t *entry)
-{
-	mutex->lock(mutex);
-	sockets->insert_last(sockets, entry);
-	mutex->unlock(mutex);
-	condvar->signal(condvar);
-}
-
-/**
- * Save the state attribute to include in further request
- */
-static void save_state(private_radius_client_t *this, radius_message_t *msg)
-{
-	enumerator_t *enumerator;
-	int type;
-	chunk_t data;
-
-	enumerator = msg->create_enumerator(msg);
-	while (enumerator->enumerate(enumerator, &type, &data))
-	{
-		if (type == RAT_STATE)
-		{
-			free(this->state.ptr);
-			this->state = chunk_clone(data);
-			enumerator->destroy(enumerator);
-			return;
-		}
-	}
-	enumerator->destroy(enumerator);
-	/* no state attribute found, remove state */
-	chunk_free(&this->state);
-}
-
-/**
- * Implementation of radius_client_t.request
- */
-static radius_message_t* request(private_radius_client_t *this,
-								 radius_message_t *req)
-{
-	char virtual[] = {0x00,0x00,0x00,0x05};
-	entry_t *socket;
-	chunk_t data;
-	int i;
-
-	socket = get_socket();
-
-	/* set Message Identifier */
-	req->set_identifier(req, socket->identifier++);
-	/* we add the "Virtual" NAS-Port-Type, as we SHOULD include one */
-	req->add(req, RAT_NAS_PORT_TYPE, chunk_create(virtual, sizeof(virtual)));
-	/* add our NAS-Identifier */
-	req->add(req, RAT_NAS_IDENTIFIER, nas_identifier);
-	/* add State attribute, if server sent one */
-	if (this->state.ptr)
-	{
-		req->add(req, RAT_STATE, this->state);
-	}
-	/* sign the request */
-	req->sign(req, socket->rng, socket->signer);
-
-	data = req->get_encoding(req);
-	/* timeout after 2, 3, 4, 5 seconds */
-	for (i = 2; i <= 5; i++)
-	{
-		radius_message_t *response;
-		bool retransmit = FALSE;
-		struct timeval tv;
-		char buf[4096];
-		fd_set fds;
-		int res;
-
-		if (send(socket->fd, data.ptr, data.len, 0) != data.len)
-		{
-			DBG1(DBG_CFG, "sending RADIUS message failed: %s", strerror(errno));
-			put_socket(socket);
-			return NULL;
-		}
-		tv.tv_sec = i;
-		tv.tv_usec = 0;
-
-		while (TRUE)
-		{
-			FD_ZERO(&fds);
-			FD_SET(socket->fd, &fds);
-			res = select(socket->fd + 1, &fds, NULL, NULL, &tv);
-			/* TODO: updated tv to time not waited. Linux does this for us. */
-			if (res < 0)
-			{	/* failed */
-				DBG1(DBG_CFG, "waiting for RADIUS message failed: %s",
-					 strerror(errno));
-				break;
-			}
-			if (res == 0)
-			{	/* timeout */
-				DBG1(DBG_CFG, "retransmitting RADIUS message");
-				retransmit = TRUE;
-				break;
-			}
-			res = recv(socket->fd, buf, sizeof(buf), MSG_DONTWAIT);
-			if (res <= 0)
-			{
-				DBG1(DBG_CFG, "receiving RADIUS message failed: %s",
-					 strerror(errno));
-				break;
-			}
-			response = radius_message_parse_response(chunk_create(buf, res));
-			if (response)
-			{
-				if (response->verify(response, req->get_authenticator(req),
-							secret, socket->hasher, socket->signer))
-				{
-					save_state(this, response);
-					put_socket(socket);
-					return response;
-				}
-				response->destroy(response);
-			}
-			DBG1(DBG_CFG, "received invalid RADIUS message, ignored");
-		}
-		if (!retransmit)
-		{
-			break;
-		}
-	}
-	DBG1(DBG_CFG, "RADIUS server is not responding");
-	put_socket(socket);
-	charon->bus->alert(charon->bus, ALERT_RADIUS_NOT_RESPONDING);
-	return NULL;
-}
-
-/**
- * Decrypt a MS-MPPE-Send/Recv-Key
- */
-static chunk_t decrypt_mppe_key(private_radius_client_t *this, u_int16_t salt,
-								chunk_t C, radius_message_t *request)
-{
-	chunk_t A, R, P, seed;
-	u_char *c, *p;
-	hasher_t *hasher;
-
-	/**
-	 * From RFC2548 (encryption):
-	 * b(1) = MD5(S + R + A)    c(1) = p(1) xor b(1)   C = c(1)
-	 * b(2) = MD5(S + c(1))     c(2) = p(2) xor b(2)   C = C + c(2)
-	 *      . . .
-	 * b(i) = MD5(S + c(i-1))   c(i) = p(i) xor b(i)   C = C + c(i)
-	 */
-
-	if (C.len % HASH_SIZE_MD5 || C.len < HASH_SIZE_MD5)
-	{
-		return chunk_empty;
-	}
-
-	hasher = lib->crypto->create_hasher(lib->crypto, HASH_MD5);
-	if (!hasher)
-	{
-		return chunk_empty;
-	}
-
-	A = chunk_create((u_char*)&salt, sizeof(salt));
-	R = chunk_create(request->get_authenticator(request), HASH_SIZE_MD5);
-	P = chunk_alloca(C.len);
-	p = P.ptr;
-	c = C.ptr;
-
-	seed = chunk_cata("cc", R, A);
-
-	while (c < C.ptr + C.len)
-	{
-		/* b(i) = MD5(S + c(i-1)) */
-		hasher->get_hash(hasher, secret, NULL);
-		hasher->get_hash(hasher, seed, p);
-
-		/* p(i) = b(i) xor c(1) */
-		memxor(p, c, HASH_SIZE_MD5);
-
-		/* prepare next round */
-		seed = chunk_create(c, HASH_SIZE_MD5);
-		c += HASH_SIZE_MD5;
-		p += HASH_SIZE_MD5;
-	}
-	hasher->destroy(hasher);
-
-	/* remove truncation, first byte is key length */
-	if (*P.ptr >= P.len)
-	{	/* decryption failed? */
-		return chunk_empty;
-	}
-	return chunk_clone(chunk_create(P.ptr + 1, *P.ptr));
-}
-
-/**
- * Implementation of radius_client_t.decrypt_msk
- */
-static chunk_t decrypt_msk(private_radius_client_t *this,
-						   radius_message_t *response, radius_message_t *request)
-{
-	struct {
-		u_int32_t id;
-		u_int8_t type;
-		u_int8_t length;
-		u_int16_t salt;
-		u_int8_t key[];
-	} __attribute__((packed)) *mppe_key;
-	enumerator_t *enumerator;
-	chunk_t data, send = chunk_empty, recv = chunk_empty;
-	int type;
-
-	enumerator = response->create_enumerator(response);
-	while (enumerator->enumerate(enumerator, &type, &data))
-	{
-		if (type == RAT_VENDOR_SPECIFIC &&
-			data.len > sizeof(*mppe_key))
-		{
-			mppe_key = (void*)data.ptr;
-			if (ntohl(mppe_key->id) == VENDOR_ID_MICROSOFT &&
-				mppe_key->length == data.len - sizeof(mppe_key->id))
-			{
-				data = chunk_create(mppe_key->key, data.len - sizeof(*mppe_key));
-				if (mppe_key->type == MS_MPPE_SEND_KEY)
-				{
-					send = decrypt_mppe_key(this, mppe_key->salt, data, request);
-				}
-				if (mppe_key->type == MS_MPPE_RECV_KEY)
-				{
-					recv = decrypt_mppe_key(this, mppe_key->salt, data, request);
-				}
-			}
-		}
-	}
-	enumerator->destroy(enumerator);
-	if (send.ptr && recv.ptr)
-	{
-		return chunk_cat("mm", recv, send);
-	}
-	chunk_clear(&send);
-	chunk_clear(&recv);
-	return chunk_empty;
-}
-
-/**
- * Implementation of radius_client_t.destroy.
- */
-static void destroy(private_radius_client_t *this)
-{
-	free(this->state.ptr);
-	free(this);
-}
-
-/**
- * See header
- */
-radius_client_t *radius_client_create()
-{
-	private_radius_client_t *this = malloc_thing(private_radius_client_t);
-
-	this->public.request = (radius_message_t*(*)(radius_client_t*, radius_message_t *msg))request;
-	this->public.decrypt_msk = (chunk_t(*)(radius_client_t*, radius_message_t *, radius_message_t *))decrypt_msk;
-	this->public.destroy = (void(*)(radius_client_t*))destroy;
-
-	this->state = chunk_empty;
-
-	return &this->public;
-}
-
diff --git a/src/charon/plugins/eap_radius/radius_client.h b/src/charon/plugins/eap_radius/radius_client.h
deleted file mode 100644
index 77ba94807..000000000
--- a/src/charon/plugins/eap_radius/radius_client.h
+++ /dev/null
@@ -1,88 +0,0 @@
-/*
- * Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup radius_client radius_client
- * @{ @ingroup eap_radius
- */
-
-#ifndef RADIUS_CLIENT_H_
-#define RADIUS_CLIENT_H_
-
-#include "radius_message.h"
-
-typedef struct radius_client_t radius_client_t;
-
-/**
- * RADIUS client functionality.
- *
- * To communicate with a RADIUS server, create a client and send messages over
- * it. All instances share a fixed size pool of sockets. The client reserves
- * a socket during request() and releases it afterwards.
- */
-struct radius_client_t {
-
-	/**
-	 * Send a RADIUS request and wait for the response.
-	 *
-	 * The client fills in RADIUS Message identifier, NAS-Identifier,
-	 * NAS-Port-Type, builds a Request-Authenticator and calculates the
-	 * Message-Authenticator attribute.
-	 * The received response gets verified using the Response-Identifier
-	 * and the Message-Authenticator attribute.
-	 *
-	 * @param msg			RADIUS request message to send
-	 * @return				response, NULL if timed out/verification failed
-	 */
-	radius_message_t* (*request)(radius_client_t *this, radius_message_t *msg);
-
-	/**
-	 * Decrypt the MSK encoded in a messages MS-MPPE-Send/Recv-Key.
-	 *
-	 * @param response		RADIUS response message containing attributes
-	 * @param request		associated RADIUS request message
-	 * @return				allocated MSK, empty chunk if none found
-	 */
-	chunk_t (*decrypt_msk)(radius_client_t *this, radius_message_t *response,
-						   radius_message_t *request);
-
-	/**
-	 * Destroy the client, release the socket.
-	 */
-	void (*destroy)(radius_client_t *this);
-};
-
-/**
- * Create a RADIUS client, acquire a socket.
- *
- * This call might block if the socket pool is empty.
- *
- * @return			radius_client_t object
- */
-radius_client_t *radius_client_create();
-
-/**
- * Initialize the socket pool.
- *
- * @return 			TRUE if initialization successful
- */
-bool radius_client_init();
-
-/**
- * Cleanup the socket pool.
- */
-void radius_client_cleanup();
-
-#endif /** RADIUS_CLIENT_H_ @}*/
diff --git a/src/charon/plugins/eap_radius/radius_message.c b/src/charon/plugins/eap_radius/radius_message.c
deleted file mode 100644
index 11a1d8dfc..000000000
--- a/src/charon/plugins/eap_radius/radius_message.c
+++ /dev/null
@@ -1,476 +0,0 @@
-/*
- * Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "radius_message.h"
-
-#include <daemon.h>
-#include <crypto/hashers/hasher.h>
-
-typedef struct private_radius_message_t private_radius_message_t;
-typedef struct rmsg_t rmsg_t;
-typedef struct rattr_t rattr_t;
-
-/**
- * RADIUS message header
- */
-struct rmsg_t {
-	/** message code, radius_message_code_t */
-	u_int8_t code;
-	/** message identifier */
-	u_int8_t identifier;
-	/** length of Code, Identifier, Length, Authenticator and Attributes */
-	u_int16_t length;
-	/** message authenticator, MD5 hash */
-	u_int8_t authenticator[HASH_SIZE_MD5];
-	/** variable list of packed attributes */
-	u_int8_t attributes[];
-} __attribute__((packed));
-
-/**
- * RADIUS message attribute.
- */
-struct rattr_t {
-	/** attribute type, radius_attribute_type_t */
-	u_int8_t type;
-	/** length of the attriubte, including the Type, Length and Value fields */
-	u_int8_t length;
-	/** variable length attribute value */
-	u_int8_t value[];
-} __attribute__((packed));
-
-/**
- * Private data of an radius_message_t object.
- */
-struct private_radius_message_t {
-
-	/**
-	 * Public radius_message_t interface.
-	 */
-	radius_message_t public;
-
-	/**
-	 * message data, allocated
-	 */
-	rmsg_t *msg;
-};
-
-ENUM_BEGIN(radius_message_code_names, RMC_ACCESS_REQUEST, RMC_ACCOUNTING_RESPONSE,
-	"Access-Request",
-	"Access-Accept",
-	"Access-Reject",
-	"Accounting-Request",
-	"Accounting-Response");
-ENUM_NEXT(radius_message_code_names, RMC_ACCESS_CHALLENGE, RMC_ACCESS_CHALLENGE, RMC_ACCOUNTING_RESPONSE,
-	"Access-Challenge");
-ENUM_END(radius_message_code_names, RMC_ACCESS_CHALLENGE);
-
-ENUM(radius_attribute_type_names, RAT_USER_NAME, RAT_MIP6_HOME_LINK_PREFIX,
-	"User-Name",
-	"User-Password",
-	"CHAP-Password",
-	"NAS-IP-Address",
-	"NAS-Port",
-	"Service-Type",
-	"Framed-Protocol",
-	"Framed-IP-Address",
-	"Framed-IP-Netmask",
-	"Framed-Routing",
-	"Filter-Id",
-	"Framed-MTU",
-	"Framed-Compression",
-	"Login-IP-Host",
-	"Login-Service",
-	"Login-TCP-Port",
-	"Unassigned",
-	"Reply-Message",
-	"Callback-Number",
-	"Callback-Id",
-	"Unassigned",
-	"Framed-Route",
-	"Framed-IPX-Network",
-	"State",
-	"Class",
-	"Vendor-Specific",
-	"Session-Timeout",
-	"Idle-Timeout",
-	"Termination-Action",
-	"Called-Station-Id",
-	"Calling-Station-Id",
-	"NAS-Identifier",
-	"Proxy-State",
-	"Login-LAT-Service",
-	"Login-LAT-Node",
-	"Login-LAT-Group",
-	"Framed-AppleTalk-Link",
-	"Framed-AppleTalk-Network",
-	"Framed-AppleTalk-Zone",
-	"Acct-Status-Type",
-	"Acct-Delay-Time",
-	"Acct-Input-Octets",
-	"Acct-Output-Octets",
-	"Acct-Session-Id",
-	"Acct-Authentic",
-	"Acct-Session-Time",
-	"Acct-Input-Packets",
-	"Acct-Output-Packets",
-	"Acct-Terminate-Cause",
-	"Acct-Multi-Session-Id",
-	"Acct-Link-Count",
-	"Acct-Input-Gigawords",
-	"Acct-Output-Gigawords",
-	"Unassigned",
-	"Event-Timestamp",
-	"Egress-VLANID",
-	"Ingress-Filters",
-	"Egress-VLAN-Name",
-	"User-Priority-Table",
-	"CHAP-Challenge",
-	"NAS-Port-Type",
-	"Port-Limit",
-	"Login-LAT-Port",
-	"Tunnel-Type",
-	"Tunnel-Medium-Type",
-	"Tunnel-Client-Endpoint",
-	"Tunnel-Server-Endpoint",
-	"Acct-Tunnel-Connection",
-	"Tunnel-Password",
-	"ARAP-Password",
-	"ARAP-Features",
-	"ARAP-Zone-Access",
-	"ARAP-Security",
-	"ARAP-Security-Data",
-	"Password-Retry",
-	"Prompt",
-	"Connect-Info",
-	"Configuration-Token",
-	"EAP-Message",
-	"Message-Authenticator",
-	"Tunnel-Private-Group-ID",
-	"Tunnel-Assignment-ID",
-	"Tunnel-Preference",
-	"ARAP-Challenge-Response",
-	"Acct-Interim-Interval",
-	"Acct-Tunnel-Packets-Lost",
-	"NAS-Port-Id",
-	"Framed-Pool",
-	"CUI",
-	"Tunnel-Client-Auth-ID",
-	"Tunnel-Server-Auth-ID",
-	"NAS-Filter-Rule",
-	"Unassigned",
-	"Originating-Line-Info",
-	"NAS-IPv6-Address",
-	"Framed-Interface-Id",
-	"Framed-IPv6-Prefix",
-	"Login-IPv6-Host",
-	"Framed-IPv6-Route",
-	"Framed-IPv6-Pool",
-	"Error-Cause",
-	"EAP-Key-Name",
-	"Digest-Response",
-	"Digest-Realm",
-	"Digest-Nonce",
-	"Digest-Response-Auth",
-	"Digest-Nextnonce",
-	"Digest-Method",
-	"Digest-URI",
-	"Digest-Qop",
-	"Digest-Algorithm",
-	"Digest-Entity-Body-Hash",
-	"Digest-CNonce",
-	"Digest-Nonce-Count",
-	"Digest-Username",
-	"Digest-Opaque",
-	"Digest-Auth-Param",
-	"Digest-AKA-Auts",
-	"Digest-Domain",
-	"Digest-Stale",
-	"Digest-HA1",
-	"SIP-AOR",
-	"Delegated-IPv6-Prefix",
-	"MIP6-Feature-Vector",
-	"MIP6-Home-Link-Prefix");
-
-/**
- * Attribute enumerator implementation
- */
-typedef struct {
-	/** implements enumerator interface */
-	enumerator_t public;
-	/** currently pointing attribute */
-	rattr_t *next;
-	/** bytes left */
-	int left;
-} attribute_enumerator_t;
-
-
-/**
- * Implementation of attribute_enumerator_t.enumerate
- */
-static bool attribute_enumerate(attribute_enumerator_t *this,
-								int *type, chunk_t *data)
-
-{
-	if (this->left == 0)
-	{
-		return FALSE;
-	}
-	if (this->left < sizeof(rattr_t) ||
-		this->left < this->next->length)
-	{
-		DBG1(DBG_IKE, "RADIUS message truncated");
-		return FALSE;
-	}
-	*type = this->next->type;
-	data->ptr = this->next->value;
-	data->len = this->next->length - sizeof(rattr_t);
-	this->left -= this->next->length;
-	this->next = ((void*)this->next) + this->next->length;
-	return TRUE;
-}
-
-/**
- * Implementation of radius_message_t.create_enumerator
- */
-static enumerator_t* create_enumerator(private_radius_message_t *this)
-{
-	attribute_enumerator_t *e;
-
-	if (ntohs(this->msg->length) < sizeof(rmsg_t) + sizeof(rattr_t))
-	{
-		return enumerator_create_empty();
-	}
-
-	e = malloc_thing(attribute_enumerator_t);
-	e->public.enumerate = (void*)attribute_enumerate;
-	e->public.destroy = (void*)free;
-	e->next = (rattr_t*)this->msg->attributes;
-	e->left = ntohs(this->msg->length) - sizeof(rmsg_t);
-	return &e->public;
-}
-
-/**
- * Implementation of radius_message_t.add
- */
-static void add(private_radius_message_t *this, radius_attribute_type_t type,
-				chunk_t data)
-{
-	rattr_t *attribute;
-
-	data.len = min(data.len, 253);
-	this->msg = realloc(this->msg,
-						ntohs(this->msg->length) + sizeof(rattr_t) + data.len);
-	attribute = ((void*)this->msg) + ntohs(this->msg->length);
-	attribute->type = type;
-	attribute->length = data.len + sizeof(rattr_t);
-	memcpy(attribute->value, data.ptr, data.len);
-	this->msg->length = htons(ntohs(this->msg->length) + attribute->length);
-}
-
-/**
- * Implementation of radius_message_t.sign
- */
-static void sign(private_radius_message_t *this, rng_t *rng, signer_t *signer)
-{
-	char buf[HASH_SIZE_MD5];
-
-	/* build Request-Authenticator */
-	rng->get_bytes(rng, HASH_SIZE_MD5, this->msg->authenticator);
-
-	/* build Message-Authenticator attribute, using 16 null bytes */
-	memset(buf, 0, sizeof(buf));
-	add(this, RAT_MESSAGE_AUTHENTICATOR, chunk_create(buf, sizeof(buf)));
-	signer->get_signature(signer,
-				chunk_create((u_char*)this->msg, ntohs(this->msg->length)),
-				((u_char*)this->msg) + ntohs(this->msg->length) - HASH_SIZE_MD5);
-}
-
-/**
- * Implementation of radius_message_t.verify
- */
-static bool verify(private_radius_message_t *this, u_int8_t *req_auth,
-				   chunk_t secret, hasher_t *hasher, signer_t *signer)
-{
-	char buf[HASH_SIZE_MD5], res_auth[HASH_SIZE_MD5];
-	enumerator_t *enumerator;
-	int type;
-	chunk_t data, msg;
-	bool has_eap = FALSE, has_auth = FALSE;
-
-	/* replace Response by Request Authenticator for verification */
-	memcpy(res_auth, this->msg->authenticator, HASH_SIZE_MD5);
-	memcpy(this->msg->authenticator, req_auth, HASH_SIZE_MD5);
-	msg = chunk_create((u_char*)this->msg, ntohs(this->msg->length));
-
-	/* verify Response-Authenticator */
-	hasher->get_hash(hasher, msg, NULL);
-	hasher->get_hash(hasher, secret, buf);
-	if (!memeq(buf, res_auth, HASH_SIZE_MD5))
-	{
-		DBG1(DBG_CFG, "RADIUS Response-Authenticator verification failed");
-		return FALSE;
-	}
-
-	/* verify Message-Authenticator attribute */
-	enumerator = create_enumerator(this);
-	while (enumerator->enumerate(enumerator, &type, &data))
-	{
-		if (type == RAT_MESSAGE_AUTHENTICATOR)
-		{
-			if (data.len != HASH_SIZE_MD5)
-			{
-				DBG1(DBG_CFG, "RADIUS Message-Authenticator invalid length");
-				enumerator->destroy(enumerator);
-				return FALSE;
-			}
-			memcpy(buf, data.ptr, data.len);
-			memset(data.ptr, 0, data.len);
-			if (signer->verify_signature(signer, msg,
-										 chunk_create(buf, sizeof(buf))))
-			{
-				/* restore Message-Authenticator */
-				memcpy(data.ptr, buf, data.len);
-				has_auth = TRUE;
-				break;
-			}
-			else
-			{
-				DBG1(DBG_CFG, "RADIUS Message-Authenticator verification failed");
-				enumerator->destroy(enumerator);
-				return FALSE;
-			}
-		}
-		else if (type == RAT_EAP_MESSAGE)
-		{
-			has_eap = TRUE;
-		}
-	}
-	enumerator->destroy(enumerator);
-	/* restore Response-Authenticator */
-	memcpy(this->msg->authenticator, res_auth, HASH_SIZE_MD5);
-
-	if (has_eap && !has_auth)
-	{	/* Message-Authenticator is required if we have an EAP-Message */
-		DBG1(DBG_CFG, "RADIUS Message-Authenticator attribute missing");
-		return FALSE;
-	}
-	return TRUE;
-}
-
-/**
- * Implementation of radius_message_t.get_code
- */
-static radius_message_code_t get_code(private_radius_message_t *this)
-{
-	return this->msg->code;
-}
-
-/**
- * Implementation of radius_message_t.get_identifier
- */
-static u_int8_t get_identifier(private_radius_message_t *this)
-{
-	return this->msg->identifier;
-}
-
-/**
- * Implementation of radius_message_t.set_identifier
- */
-static void set_identifier(private_radius_message_t *this, u_int8_t identifier)
-{
-	this->msg->identifier = identifier;
-}
-
-/**
- * Implementation of radius_message_t.get_authenticator
- */
-static u_int8_t* get_authenticator(private_radius_message_t *this)
-{
-	return this->msg->authenticator;
-}
-
-
-/**
- * Implementation of radius_message_t.get_encoding
- */
-static chunk_t get_encoding(private_radius_message_t *this)
-{
-	return chunk_create((u_char*)this->msg, ntohs(this->msg->length));
-}
-
-/**
- * Implementation of radius_message_t.destroy.
- */
-static void destroy(private_radius_message_t *this)
-{
-	free(this->msg);
-	free(this);
-}
-
-/**
- * Generic constructor
- */
-static private_radius_message_t *radius_message_create()
-{
-	private_radius_message_t *this = malloc_thing(private_radius_message_t);
-
-	this->public.create_enumerator = (enumerator_t*(*)(radius_message_t*))create_enumerator;
-	this->public.add = (void(*)(radius_message_t*, radius_attribute_type_t,chunk_t))add;
-	this->public.get_code = (radius_message_code_t(*)(radius_message_t*))get_code;
-	this->public.get_identifier = (u_int8_t(*)(radius_message_t*))get_identifier;
-	this->public.set_identifier = (void(*)(radius_message_t*, u_int8_t identifier))set_identifier;
-	this->public.get_authenticator = (u_int8_t*(*)(radius_message_t*))get_authenticator;
-	this->public.get_encoding = (chunk_t(*)(radius_message_t*))get_encoding;
-	this->public.sign = (void(*)(radius_message_t*, rng_t *rng, signer_t *signer))sign;
-	this->public.verify = (bool(*)(radius_message_t*, u_int8_t *req_auth, chunk_t secret, hasher_t *hasher, signer_t *signer))verify;
-	this->public.destroy = (void(*)(radius_message_t*))destroy;
-
-	return this;
-}
-
-/**
- * See header
- */
-radius_message_t *radius_message_create_request()
-{
-	private_radius_message_t *this = radius_message_create();
-
-	this->msg = malloc_thing(rmsg_t);
-	this->msg->code = RMC_ACCESS_REQUEST;
-	this->msg->identifier = 0;
-	this->msg->length = htons(sizeof(rmsg_t));
-
-	return &this->public;
-}
-
-/**
- * See header
- */
-radius_message_t *radius_message_parse_response(chunk_t data)
-{
-	private_radius_message_t *this = radius_message_create();
-
-	this->msg = malloc(data.len);
-	memcpy(this->msg, data.ptr, data.len);
-	if (data.len < sizeof(rmsg_t) ||
-		ntohs(this->msg->length) != data.len)
-	{
-		DBG1(DBG_IKE, "RADIUS message has invalid length");
-		destroy(this);
-		return NULL;
-	}
-	return &this->public;
-}
-
diff --git a/src/charon/plugins/eap_radius/radius_message.h b/src/charon/plugins/eap_radius/radius_message.h
deleted file mode 100644
index 266839d3b..000000000
--- a/src/charon/plugins/eap_radius/radius_message.h
+++ /dev/null
@@ -1,276 +0,0 @@
-/*
- * Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup radius_message radius_message
- * @{ @ingroup eap_radius
- */
-
-#ifndef RADIUS_MESSAGE_H_
-#define RADIUS_MESSAGE_H_
-
-#include <library.h>
-
-typedef struct radius_message_t radius_message_t;
-typedef enum radius_message_code_t radius_message_code_t;
-typedef enum radius_attribute_type_t radius_attribute_type_t;
-
-/**
- * RADIUS Message Codes.
- */
-enum radius_message_code_t {
-	RMC_ACCESS_REQUEST = 1,
-	RMC_ACCESS_ACCEPT = 2,
-	RMC_ACCESS_REJECT = 3,
-	RMC_ACCOUNTING_REQUEST = 4,
-	RMC_ACCOUNTING_RESPONSE = 5,
-	RMC_ACCESS_CHALLENGE = 11,
-};
-
-/**
- * Enum names for radius_attribute_type_t.
- */
-extern enum_name_t *radius_message_code_names;
-
-/**
- * RADIUS Attribute Types.
- */
-enum radius_attribute_type_t {
-	RAT_USER_NAME = 1,
-	RAT_USER_PASSWORD = 2,
-	RAT_CHAP_PASSWORD = 3,
-	RAT_NAS_IP_ADDRESS = 4,
-	RAT_NAS_PORT = 5,
-	RAT_SERVICE_TYPE = 6,
-	RAT_FRAMED_PROTOCOL = 7,
-	RAT_FRAMED_IP_ADDRESS = 8,
-	RAT_FRAMED_IP_NETMASK = 9,
-	RAT_FRAMED_ROUTING = 10,
-	RAT_FILTER_ID = 11,
-	RAT_FRAMED_MTU = 12,
-	RAT_FRAMED_COMPRESSION = 13,
-	RAT_LOGIN_IP_HOST = 14,
-	RAT_LOGIN_SERVICE = 15,
-	RAT_LOGIN_TCP_PORT = 16,
-	RAT_REPLY_MESSAGE = 18,
-	RAT_CALLBACK_NUMBER = 19,
-	RAT_CALLBACK_ID = 20,
-	RAT_FRAMED_ROUTE = 22,
-	RAT_FRAMED_IPX_NETWORK = 23,
-	RAT_STATE = 24,
-	RAT_CLASS = 25,
-	RAT_VENDOR_SPECIFIC = 26,
-	RAT_SESSION_TIMEOUT = 27,
-	RAT_IDLE_TIMEOUT = 28,
-	RAT_TERMINATION_ACTION = 29,
-	RAT_CALLED_STATION_ID = 30,
-	RAT_CALLING_STATION_ID = 31,
-	RAT_NAS_IDENTIFIER = 32,
-	RAT_PROXY_STATE = 33,
-	RAT_LOGIN_LAT_SERVICE = 34,
-	RAT_LOGIN_LAT_NODE = 35,
-	RAT_LOGIN_LAT_GROUP = 36,
-	RAT_FRAMED_APPLETALK_LINK = 37,
-	RAT_FRAMED_APPLETALK_NETWORK = 38,
-	RAT_FRAMED_APPLETALK_ZONE = 39,
-	RAT_ACCT_STATUS_TYPE = 40,
-	RAT_ACCT_DELAY_TIME = 41,
-	RAT_ACCT_INPUT_OCTETS = 42,
-	RAT_ACCT_OUTPUT_OCTETS = 43,
-	RAT_ACCT_SESSION_ID = 44,
-	RAT_ACCT_AUTHENTIC = 45,
-	RAT_ACCT_SESSION_TIME = 46,
-	RAT_ACCT_INPUT_PACKETS = 47,
-	RAT_ACCT_OUTPUT_PACKETS = 48,
-	RAT_ACCT_TERMINATE_CAUSE = 49,
-	RAT_ACCT_MULTI_SESSION_ID = 50,
-	RAT_ACCT_LINK_COUNT = 51,
-	RAT_ACCT_INPUT_GIGAWORDS = 52,
-	RAT_ACCT_OUTPUT_GIGAWORDS = 53,
-	RAT_EVENT_TIMESTAMP = 55,
-	RAT_EGRESS_VLANID = 56,
-	RAT_INGRESS_FILTERS = 57,
-	RAT_EGRESS_VLAN_NAME = 58,
-	RAT_USER_PRIORITY_TABLE = 59,
-	RAT_CHAP_CHALLENGE = 60,
-	RAT_NAS_PORT_TYPE = 61,
-	RAT_PORT_LIMIT = 62,
-	RAT_LOGIN_LAT_PORT = 63,
-	RAT_TUNNEL_TYPE = 64,
-	RAT_TUNNEL_MEDIUM_TYPE = 65,
-	RAT_TUNNEL_CLIENT_ENDPOINT = 66,
-	RAT_TUNNEL_SERVER_ENDPOINT = 67,
-	RAT_ACCT_TUNNEL_CONNECTION = 68,
-	RAT_TUNNEL_PASSWORD = 69,
-	RAT_ARAP_PASSWORD = 70,
-	RAT_ARAP_FEATURES = 71,
-	RAT_ARAP_ZONE_ACCESS = 72,
-	RAT_ARAP_SECURITY = 73,
-	RAT_ARAP_SECURITY_DATA = 74,
-	RAT_PASSWORD_RETRY = 75,
-	RAT_PROMPT = 76,
-	RAT_CONNECT_INFO = 77,
-	RAT_CONFIGURATION_TOKEN = 78,
-	RAT_EAP_MESSAGE = 79,
-	RAT_MESSAGE_AUTHENTICATOR = 80,
-	RAT_TUNNEL_PRIVATE_GROUP_ID = 81,
-	RAT_TUNNEL_ASSIGNMENT_ID = 82,
-	RAT_TUNNEL_PREFERENCE = 83,
-	RAT_ARAP_CHALLENGE_RESPONSE = 84,
-	RAT_ACCT_INTERIM_INTERVAL = 85,
-	RAT_ACCT_TUNNEL_PACKETS_LOST = 86,
-	RAT_NAS_PORT_ID = 87,
-	RAT_FRAMED_POOL = 88,
-	RAT_CUI = 89,
-	RAT_TUNNEL_CLIENT_AUTH_ID = 90,
-	RAT_TUNNEL_SERVER_AUTH_ID = 91,
-	RAT_NAS_FILTER_RULE = 92,
-	RAT_UNASSIGNED = 93,
-	RAT_ORIGINATING_LINE_INFO = 94,
-	RAT_NAS_IPV6_ADDRESS = 95,
-	RAT_FRAMED_INTERFACE_ID = 96,
-	RAT_FRAMED_IPV6_PREFIX = 97,
-	RAT_LOGIN_IPV6_HOST = 98,
-	RAT_FRAMED_IPV6_ROUTE = 99,
-	RAT_FRAMED_IPV6_POOL = 100,
-	RAT_ERROR_CAUSE = 101,
-	RAT_EAP_KEY_NAME = 102,
-	RAT_DIGEST_RESPONSE = 103,
-	RAT_DIGEST_REALM = 104,
-	RAT_DIGEST_NONCE = 105,
-	RAT_DIGEST_RESPONSE_AUTH = 106,
-	RAT_DIGEST_NEXTNONCE = 107,
-	RAT_DIGEST_METHOD = 108,
-	RAT_DIGEST_URI = 109,
-	RAT_DIGEST_QOP = 110,
-	RAT_DIGEST_ALGORITHM = 111,
-	RAT_DIGEST_ENTITY_BODY_HASH = 112,
-	RAT_DIGEST_CNONCE = 113,
-	RAT_DIGEST_NONCE_COUNT = 114,
-	RAT_DIGEST_USERNAME = 115,
-	RAT_DIGEST_OPAQUE = 116,
-	RAT_DIGEST_AUTH_PARAM = 117,
-	RAT_DIGEST_AKA_AUTS = 118,
-	RAT_DIGEST_DOMAIN = 119,
-	RAT_DIGEST_STALE = 120,
-	RAT_DIGEST_HA1 = 121,
-	RAT_SIP_AOR = 122,
-	RAT_DELEGATED_IPV6_PREFIX = 123,
-	RAT_MIP6_FEATURE_VECTOR = 124,
-	RAT_MIP6_HOME_LINK_PREFIX = 125,
-};
-
-/**
- * Enum names for radius_attribute_type_t.
- */
-extern enum_name_t *radius_attribute_type_names;
-
-/**
- * A RADIUS message, contains attributes.
- */
-struct radius_message_t {
-
-	/**
-	 * Create an enumerator over contained RADIUS attributes.
-	 *
-	 * @return				enumerator over (int type, chunk_t data)
-	 */
-	enumerator_t* (*create_enumerator)(radius_message_t *this);
-
-	/**
-	 * Add a RADIUS attribute to the message.
-	 *
-	 * @param type			type of attribute to add
-	 * @param				attribute data, gets cloned
-	 */
-	void (*add)(radius_message_t *this, radius_attribute_type_t type,
-				chunk_t data);
-
-	/**
-	 * Get the message type (code).
-	 *
-	 * @return				message code
-	 */
-	radius_message_code_t (*get_code)(radius_message_t *this);
-
-	/**
-	 * Get the message identifier.
-	 *
-	 * @return				message identifier
-	 */
-	u_int8_t (*get_identifier)(radius_message_t *this);
-
-	/**
-	 * Set the message identifier.
-	 *
-	 * @param identifier	message identifier
-	 */
-	void (*set_identifier)(radius_message_t *this, u_int8_t identifier);
-
-	/**
-	 * Get the 16 byte authenticator.
-	 *
-	 * @return				pointer to the Authenticator field
-	 */
-	u_int8_t* (*get_authenticator)(radius_message_t *this);
-
-	/**
-	 * Get the RADIUS message in its encoded form.
-	 *
-	 * @return				chunk pointing to internal RADIUS message.
-	 */
-	chunk_t (*get_encoding)(radius_message_t *this);
-
-	/**
-	 * Calculate and add the Message-Authenticator attribute to the message.
-	 *
-	 * @param rng			RNG to create Request-Authenticator
-	 * @param signer		HMAC-MD5 signer with secret set
-	 */
-	void (*sign)(radius_message_t *this, rng_t *rng, signer_t *signer);
-
-	/**
-	 * Verify the integrity of a received RADIUS response.
-	 *
-	 * @param req_auth		16 byte Authenticator of the corresponding request
-	 * @param secret		shared RADIUS secret
-	 * @param hasher		hasher to verify Response-Authenticator
-	 * @param signer		signer to verify Message-Authenticator attribute
-	 */
-	bool (*verify)(radius_message_t *this, u_int8_t *req_auth, chunk_t secret,
-				   hasher_t *hasher, signer_t *signer);
-
-	/**
-	 * Destroy the message.
-	 */
-	void (*destroy)(radius_message_t *this);
-};
-
-/**
- * Create an empty RADIUS request message (RMT_ACCESS_REQUEST).
- *
- * @return				radius_message_t object
- */
-radius_message_t *radius_message_create_request();
-
-/**
- * Parse and verify a recevied RADIUS response.
- *
- * @param data			received message data
- * @return				radius_message_t object, NULL if length invalid
- */
-radius_message_t *radius_message_parse_response(chunk_t data);
-
-#endif /** RADIUS_MESSAGE_H_ @}*/
diff --git a/src/charon/plugins/eap_sim/Makefile.am b/src/charon/plugins/eap_sim/Makefile.am
deleted file mode 100644
index 74b9bb4e8..000000000
--- a/src/charon/plugins/eap_sim/Makefile.am
+++ /dev/null
@@ -1,14 +0,0 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon \
-  -I$(top_srcdir)/src/libsimaka
-
-AM_CFLAGS = -rdynamic
-
-plugin_LTLIBRARIES = libstrongswan-eap-sim.la
-
-libstrongswan_eap_sim_la_SOURCES = eap_sim_plugin.h eap_sim_plugin.c \
-  eap_sim_peer.h eap_sim_peer.c \
-  eap_sim_server.h eap_sim_server.c
-libstrongswan_eap_sim_la_LIBADD = $(top_builddir)/src/libsimaka/libsimaka.la
-libstrongswan_eap_sim_la_LDFLAGS = -module -avoid-version
-
diff --git a/src/charon/plugins/eap_sim/Makefile.in b/src/charon/plugins/eap_sim/Makefile.in
deleted file mode 100644
index d9b568a42..000000000
--- a/src/charon/plugins/eap_sim/Makefile.in
+++ /dev/null
@@ -1,577 +0,0 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
-# @configure_input@
-
-# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
-# This Makefile.in is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
-# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
-# PARTICULAR PURPOSE.
-
-@SET_MAKE@
-
-VPATH = @srcdir@
-pkgdatadir = $(datadir)/@PACKAGE@
-pkgincludedir = $(includedir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
-pkglibexecdir = $(libexecdir)/@PACKAGE@
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-install_sh_DATA = $(install_sh) -c -m 644
-install_sh_PROGRAM = $(install_sh) -c
-install_sh_SCRIPT = $(install_sh) -c
-INSTALL_HEADER = $(INSTALL_DATA)
-transform = $(program_transform_name)
-NORMAL_INSTALL = :
-PRE_INSTALL = :
-POST_INSTALL = :
-NORMAL_UNINSTALL = :
-PRE_UNINSTALL = :
-POST_UNINSTALL = :
-build_triplet = @build@
-host_triplet = @host@
-subdir = src/charon/plugins/eap_sim
-DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
-ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
-	$(top_srcdir)/m4/config/ltoptions.m4 \
-	$(top_srcdir)/m4/config/ltsugar.m4 \
-	$(top_srcdir)/m4/config/ltversion.m4 \
-	$(top_srcdir)/m4/config/lt~obsolete.m4 \
-	$(top_srcdir)/m4/macros/with.m4 \
-	$(top_srcdir)/m4/macros/enable-disable.m4 \
-	$(top_srcdir)/configure.in
-am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
-	$(ACLOCAL_M4)
-mkinstalldirs = $(install_sh) -d
-CONFIG_CLEAN_FILES =
-CONFIG_CLEAN_VPATH_FILES =
-am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
-am__vpath_adj = case $$p in \
-    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
-    *) f=$$p;; \
-  esac;
-am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
-am__install_max = 40
-am__nobase_strip_setup = \
-  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
-am__nobase_strip = \
-  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
-am__nobase_list = $(am__nobase_strip_setup); \
-  for p in $$list; do echo "$$p $$p"; done | \
-  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
-  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
-    if (++n[$$2] == $(am__install_max)) \
-      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
-    END { for (dir in files) print dir, files[dir] }'
-am__base_list = \
-  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
-  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
-am__installdirs = "$(DESTDIR)$(plugindir)"
-LTLIBRARIES = $(plugin_LTLIBRARIES)
-libstrongswan_eap_sim_la_DEPENDENCIES =  \
-	$(top_builddir)/src/libsimaka/libsimaka.la
-am_libstrongswan_eap_sim_la_OBJECTS = eap_sim_plugin.lo \
-	eap_sim_peer.lo eap_sim_server.lo
-libstrongswan_eap_sim_la_OBJECTS =  \
-	$(am_libstrongswan_eap_sim_la_OBJECTS)
-libstrongswan_eap_sim_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_eap_sim_la_LDFLAGS) $(LDFLAGS) -o $@
-DEFAULT_INCLUDES = -I.@am__isrc@
-depcomp = $(SHELL) $(top_srcdir)/depcomp
-am__depfiles_maybe = depfiles
-am__mv = mv -f
-COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
-	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
-SOURCES = $(libstrongswan_eap_sim_la_SOURCES)
-DIST_SOURCES = $(libstrongswan_eap_sim_la_SOURCES)
-ETAGS = etags
-CTAGS = ctags
-DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
-ACLOCAL = @ACLOCAL@
-ALLOCA = @ALLOCA@
-AMTAR = @AMTAR@
-AR = @AR@
-AUTOCONF = @AUTOCONF@
-AUTOHEADER = @AUTOHEADER@
-AUTOMAKE = @AUTOMAKE@
-AWK = @AWK@
-BTLIB = @BTLIB@
-CC = @CC@
-CCDEPMODE = @CCDEPMODE@
-CFLAGS = @CFLAGS@
-CPP = @CPP@
-CPPFLAGS = @CPPFLAGS@
-CYGPATH_W = @CYGPATH_W@
-DEFS = @DEFS@
-DEPDIR = @DEPDIR@
-DLLIB = @DLLIB@
-DSYMUTIL = @DSYMUTIL@
-DUMPBIN = @DUMPBIN@
-ECHO_C = @ECHO_C@
-ECHO_N = @ECHO_N@
-ECHO_T = @ECHO_T@
-EGREP = @EGREP@
-EXEEXT = @EXEEXT@
-FGREP = @FGREP@
-GPERF = @GPERF@
-GREP = @GREP@
-INSTALL = @INSTALL@
-INSTALL_DATA = @INSTALL_DATA@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@
-INSTALL_SCRIPT = @INSTALL_SCRIPT@
-INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-LD = @LD@
-LDFLAGS = @LDFLAGS@
-LEX = @LEX@
-LEXLIB = @LEXLIB@
-LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBOBJS = @LIBOBJS@
-LIBS = @LIBS@
-LIBTOOL = @LIBTOOL@
-LIPO = @LIPO@
-LN_S = @LN_S@
-LTLIBOBJS = @LTLIBOBJS@
-MAKEINFO = @MAKEINFO@
-MKDIR_P = @MKDIR_P@
-MYSQLCFLAG = @MYSQLCFLAG@
-MYSQLCONFIG = @MYSQLCONFIG@
-MYSQLLIB = @MYSQLLIB@
-NM = @NM@
-NMEDIT = @NMEDIT@
-OBJDUMP = @OBJDUMP@
-OBJEXT = @OBJEXT@
-OTOOL = @OTOOL@
-OTOOL64 = @OTOOL64@
-PACKAGE = @PACKAGE@
-PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
-PACKAGE_NAME = @PACKAGE_NAME@
-PACKAGE_STRING = @PACKAGE_STRING@
-PACKAGE_TARNAME = @PACKAGE_TARNAME@
-PACKAGE_URL = @PACKAGE_URL@
-PACKAGE_VERSION = @PACKAGE_VERSION@
-PATH_SEPARATOR = @PATH_SEPARATOR@
-PERL = @PERL@
-PKG_CONFIG = @PKG_CONFIG@
-PTHREADLIB = @PTHREADLIB@
-RANLIB = @RANLIB@
-RTLIB = @RTLIB@
-RUBY = @RUBY@
-RUBYINCLUDE = @RUBYINCLUDE@
-SED = @SED@
-SET_MAKE = @SET_MAKE@
-SHELL = @SHELL@
-SOCKLIB = @SOCKLIB@
-STRIP = @STRIP@
-VERSION = @VERSION@
-YACC = @YACC@
-YFLAGS = @YFLAGS@
-abs_builddir = @abs_builddir@
-abs_srcdir = @abs_srcdir@
-abs_top_builddir = @abs_top_builddir@
-abs_top_srcdir = @abs_top_srcdir@
-ac_ct_CC = @ac_ct_CC@
-ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
-am__include = @am__include@
-am__leading_dot = @am__leading_dot@
-am__quote = @am__quote@
-am__tar = @am__tar@
-am__untar = @am__untar@
-bindir = @bindir@
-build = @build@
-build_alias = @build_alias@
-build_cpu = @build_cpu@
-build_os = @build_os@
-build_vendor = @build_vendor@
-builddir = @builddir@
-datadir = @datadir@
-datarootdir = @datarootdir@
-default_pkcs11 = @default_pkcs11@
-docdir = @docdir@
-dvidir = @dvidir@
-exec_prefix = @exec_prefix@
-gtk_CFLAGS = @gtk_CFLAGS@
-gtk_LIBS = @gtk_LIBS@
-host = @host@
-host_alias = @host_alias@
-host_cpu = @host_cpu@
-host_os = @host_os@
-host_vendor = @host_vendor@
-htmldir = @htmldir@
-includedir = @includedir@
-infodir = @infodir@
-install_sh = @install_sh@
-ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
-ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
-ipsecuser = @ipsecuser@
-libdir = @libdir@
-libexecdir = @libexecdir@
-libstrongswan_plugins = @libstrongswan_plugins@
-linux_headers = @linux_headers@
-localedir = @localedir@
-localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
-mandir = @mandir@
-mkdir_p = @mkdir_p@
-nm_CFLAGS = @nm_CFLAGS@
-nm_LIBS = @nm_LIBS@
-nm_ca_dir = @nm_ca_dir@
-oldincludedir = @oldincludedir@
-pdfdir = @pdfdir@
-piddir = @piddir@
-plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
-prefix = @prefix@
-program_transform_name = @program_transform_name@
-psdir = @psdir@
-random_device = @random_device@
-resolv_conf = @resolv_conf@
-routing_table = @routing_table@
-routing_table_prio = @routing_table_prio@
-sbindir = @sbindir@
-sharedstatedir = @sharedstatedir@
-srcdir = @srcdir@
-strongswan_conf = @strongswan_conf@
-sysconfdir = @sysconfdir@
-target_alias = @target_alias@
-top_build_prefix = @top_build_prefix@
-top_builddir = @top_builddir@
-top_srcdir = @top_srcdir@
-urandom_device = @urandom_device@
-xml_CFLAGS = @xml_CFLAGS@
-xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon \
-  -I$(top_srcdir)/src/libsimaka
-
-AM_CFLAGS = -rdynamic
-plugin_LTLIBRARIES = libstrongswan-eap-sim.la
-libstrongswan_eap_sim_la_SOURCES = eap_sim_plugin.h eap_sim_plugin.c \
-  eap_sim_peer.h eap_sim_peer.c \
-  eap_sim_server.h eap_sim_server.c
-
-libstrongswan_eap_sim_la_LIBADD = $(top_builddir)/src/libsimaka/libsimaka.la
-libstrongswan_eap_sim_la_LDFLAGS = -module -avoid-version
-all: all-am
-
-.SUFFIXES:
-.SUFFIXES: .c .lo .o .obj
-$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
-	@for dep in $?; do \
-	  case '$(am__configure_deps)' in \
-	    *$$dep*) \
-	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
-	        && { if test -f $@; then exit 0; else break; fi; }; \
-	      exit 1;; \
-	  esac; \
-	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/charon/plugins/eap_sim/Makefile'; \
-	$(am__cd) $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu src/charon/plugins/eap_sim/Makefile
-.PRECIOUS: Makefile
-Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
-	@case '$?' in \
-	  *config.status*) \
-	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
-	  *) \
-	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
-	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
-	esac;
-
-$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-
-$(top_srcdir)/configure:  $(am__configure_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(am__aclocal_m4_deps):
-install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
-	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
-	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
-	list2=; for p in $$list; do \
-	  if test -f $$p; then \
-	    list2="$$list2 $$p"; \
-	  else :; fi; \
-	done; \
-	test -z "$$list2" || { \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
-	}
-
-uninstall-pluginLTLIBRARIES:
-	@$(NORMAL_UNINSTALL)
-	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
-	for p in $$list; do \
-	  $(am__strip_dir) \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
-	done
-
-clean-pluginLTLIBRARIES:
-	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
-	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
-	  test "$$dir" != "$$p" || dir=.; \
-	  echo "rm -f \"$${dir}/so_locations\""; \
-	  rm -f "$${dir}/so_locations"; \
-	done
-libstrongswan-eap-sim.la: $(libstrongswan_eap_sim_la_OBJECTS) $(libstrongswan_eap_sim_la_DEPENDENCIES) 
-	$(libstrongswan_eap_sim_la_LINK) -rpath $(plugindir) $(libstrongswan_eap_sim_la_OBJECTS) $(libstrongswan_eap_sim_la_LIBADD) $(LIBS)
-
-mostlyclean-compile:
-	-rm -f *.$(OBJEXT)
-
-distclean-compile:
-	-rm -f *.tab.c
-
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_sim_peer.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_sim_plugin.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_sim_server.Plo@am__quote@
-
-.c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
-
-.c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
-
-.c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
-
-mostlyclean-libtool:
-	-rm -f *.lo
-
-clean-libtool:
-	-rm -rf .libs _libs
-
-ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
-	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	mkid -fID $$unique
-tags: TAGS
-
-TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	set x; \
-	here=`pwd`; \
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	shift; \
-	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
-	  test -n "$$unique" || unique=$$empty_fix; \
-	  if test $$# -gt 0; then \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      "$$@" $$unique; \
-	  else \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      $$unique; \
-	  fi; \
-	fi
-ctags: CTAGS
-CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$unique" \
-	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$unique
-
-GTAGS:
-	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && $(am__cd) $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) "$$here"
-
-distclean-tags:
-	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
-
-distdir: $(DISTFILES)
-	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	list='$(DISTFILES)'; \
-	  dist_files=`for file in $$list; do echo $$file; done | \
-	  sed -e "s|^$$srcdirstrip/||;t" \
-	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
-	case $$dist_files in \
-	  */*) $(MKDIR_P) `echo "$$dist_files" | \
-			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
-			   sort -u` ;; \
-	esac; \
-	for file in $$dist_files; do \
-	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  if test -d $$d/$$file; then \
-	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
-	    if test -d "$(distdir)/$$file"; then \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
-	  else \
-	    test -f "$(distdir)/$$file" \
-	    || cp -p $$d/$$file "$(distdir)/$$file" \
-	    || exit 1; \
-	  fi; \
-	done
-check-am: all-am
-check: check-am
-all-am: Makefile $(LTLIBRARIES)
-installdirs:
-	for dir in "$(DESTDIR)$(plugindir)"; do \
-	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
-	done
-install: install-am
-install-exec: install-exec-am
-install-data: install-data-am
-uninstall: uninstall-am
-
-install-am: all-am
-	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
-
-installcheck: installcheck-am
-install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
-mostlyclean-generic:
-
-clean-generic:
-
-distclean-generic:
-	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
-
-maintainer-clean-generic:
-	@echo "This command is intended for maintainers to use"
-	@echo "it deletes files that may require special tools to rebuild."
-clean: clean-am
-
-clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
-	mostlyclean-am
-
-distclean: distclean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-distclean-am: clean-am distclean-compile distclean-generic \
-	distclean-tags
-
-dvi: dvi-am
-
-dvi-am:
-
-html: html-am
-
-html-am:
-
-info: info-am
-
-info-am:
-
-install-data-am: install-pluginLTLIBRARIES
-
-install-dvi: install-dvi-am
-
-install-dvi-am:
-
-install-exec-am:
-
-install-html: install-html-am
-
-install-html-am:
-
-install-info: install-info-am
-
-install-info-am:
-
-install-man:
-
-install-pdf: install-pdf-am
-
-install-pdf-am:
-
-install-ps: install-ps-am
-
-install-ps-am:
-
-installcheck-am:
-
-maintainer-clean: maintainer-clean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-maintainer-clean-am: distclean-am maintainer-clean-generic
-
-mostlyclean: mostlyclean-am
-
-mostlyclean-am: mostlyclean-compile mostlyclean-generic \
-	mostlyclean-libtool
-
-pdf: pdf-am
-
-pdf-am:
-
-ps: ps-am
-
-ps-am:
-
-uninstall-am: uninstall-pluginLTLIBRARIES
-
-.MAKE: install-am install-strip
-
-.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
-	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
-	distclean-compile distclean-generic distclean-libtool \
-	distclean-tags distdir dvi dvi-am html html-am info info-am \
-	install install-am install-data install-data-am install-dvi \
-	install-dvi-am install-exec install-exec-am install-html \
-	install-html-am install-info install-info-am install-man \
-	install-pdf install-pdf-am install-pluginLTLIBRARIES \
-	install-ps install-ps-am install-strip installcheck \
-	installcheck-am installdirs maintainer-clean \
-	maintainer-clean-generic mostlyclean mostlyclean-compile \
-	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
-
-
-# Tell versions [3.59,3.63) of GNU make to not export all variables.
-# Otherwise a system limit (for SysV at least) may be exceeded.
-.NOEXPORT:
diff --git a/src/charon/plugins/eap_sim/eap_sim_peer.c b/src/charon/plugins/eap_sim/eap_sim_peer.c
deleted file mode 100644
index 961cfd30d..000000000
--- a/src/charon/plugins/eap_sim/eap_sim_peer.c
+++ /dev/null
@@ -1,654 +0,0 @@
-/*
- * Copyright (C) 2007-2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "eap_sim_peer.h"
-
-#include <daemon.h>
-
-#include <simaka_message.h>
-
-/* number of tries we do authenticate */
-#define MAX_TRIES 3
-
-/* number of triplets for one authentication */
-#define TRIPLET_COUNT 3
-
-/** length of the AT_NONCE_MT nonce value */
-#define NONCE_LEN 16
-
-typedef struct private_eap_sim_peer_t private_eap_sim_peer_t;
-
-/**
- * Private data of an eap_sim_peer_t object.
- */
-struct private_eap_sim_peer_t {
-
-	/**
-	 * Public authenticator_t interface.
-	 */
-	eap_sim_peer_t public;
-
-	/**
-	 * permanent ID of peer
-	 */
-	identification_t *permanent;
-
-	/**
-	 * Pseudonym identity the peer uses
-	 */
-	identification_t *pseudonym;
-
-	/**
-	 * Reauthentication identity the peer uses
-	 */
-	identification_t *reauth;
-
-	/**
-	 * EAP-SIM crypto helper
-	 */
-	simaka_crypto_t *crypto;
-
-	/**
-	 * how many times we try to authenticate
-	 */
-	int tries;
-
-	/**
-	 * version list received from server
-	 */
-	chunk_t version_list;
-
-	/**
-	 * Nonce value used in AT_NONCE_MT/AT_NONCE_S
-	 */
-	chunk_t nonce;
-
-	/**
-	 * MSK, used for EAP-SIM based IKEv2 authentication
-	 */
-	chunk_t msk;
-
-	/**
-	 * Master key, if reauthentication is used
-	 */
-	char mk[HASH_SIZE_SHA1];
-
-	/**
-	 * Counter value if reauthentication is used
-	 */
-	u_int16_t counter;
-};
-
-/* version of SIM protocol we speak */
-static chunk_t version = chunk_from_chars(0x00,0x01);
-
-/**
- * Create a SIM_CLIENT_ERROR
- */
-static eap_payload_t* create_client_error(private_eap_sim_peer_t *this,
-							u_int8_t identifier, simaka_client_error_t code)
-{
-	simaka_message_t *message;
-	eap_payload_t *out;
-	u_int16_t encoded;
-
-	DBG1(DBG_IKE, "sending client error '%N'", simaka_client_error_names, code);
-
-	message = simaka_message_create(FALSE, identifier, EAP_SIM,
-									SIM_CLIENT_ERROR, this->crypto);
-	encoded = htons(code);
-	message->add_attribute(message, AT_CLIENT_ERROR_CODE,
-						   chunk_create((char*)&encoded, sizeof(encoded)));
-	out = message->generate(message, chunk_empty);
-	message->destroy(message);
-	return out;
-}
-
-/**
- * process an EAP-SIM/Request/Start message
- */
-static status_t process_start(private_eap_sim_peer_t *this,
-							  simaka_message_t *in, eap_payload_t **out)
-{
-	simaka_message_t *message;
-	enumerator_t *enumerator;
-	simaka_attribute_t type;
-	chunk_t data, id = chunk_empty;
-	rng_t *rng;
-	bool supported = FALSE;
-	simaka_attribute_t id_req = 0;
-
-	/* reset previously uses reauthentication/pseudonym data */
-	this->crypto->clear_keys(this->crypto);
-	DESTROY_IF(this->pseudonym);
-	this->pseudonym = NULL;
-	DESTROY_IF(this->reauth);
-	this->reauth = NULL;
-
-	enumerator = in->create_attribute_enumerator(in);
-	while (enumerator->enumerate(enumerator, &type, &data))
-	{
-		switch (type)
-		{
-			case AT_VERSION_LIST:
-			{
-				free(this->version_list.ptr);
-				this->version_list = chunk_clone(data);
-				while (data.len >= version.len)
-				{
-					if (memeq(data.ptr, version.ptr, version.len))
-					{
-						supported = TRUE;
-						break;
-					}
-				}
-				break;
-			}
-			case AT_ANY_ID_REQ:
-			case AT_FULLAUTH_ID_REQ:
-			case AT_PERMANENT_ID_REQ:
-				id_req = type;
-				break;
-			default:
-				if (!simaka_attribute_skippable(type))
-				{
-					*out = create_client_error(this, in->get_identifier(in),
-											   SIM_UNABLE_TO_PROCESS);
-					enumerator->destroy(enumerator);
-					return NEED_MORE;
-				}
-				break;
-		}
-	}
-	enumerator->destroy(enumerator);
-
-	if (!supported)
-	{
-		DBG1(DBG_IKE, "server does not support EAP-SIM version number 1");
-		*out = create_client_error(this, in->get_identifier(in),
-								   SIM_UNSUPPORTED_VERSION);
-		return NEED_MORE;
-	}
-
-	switch (id_req)
-	{
-		case AT_ANY_ID_REQ:
-			this->reauth = charon->sim->card_get_reauth(charon->sim,
-									this->permanent, this->mk, &this->counter);
-			if (this->reauth)
-			{
-				id = this->reauth->get_encoding(this->reauth);
-				break;
-			}
-			/* FALL */
-		case AT_FULLAUTH_ID_REQ:
-			this->pseudonym = charon->sim->card_get_pseudonym(charon->sim,
-															  this->permanent);
-			if (this->pseudonym)
-			{
-				id = this->pseudonym->get_encoding(this->pseudonym);
-				break;
-			}
-			/* FALL */
-		case AT_PERMANENT_ID_REQ:
-			id = this->permanent->get_encoding(this->permanent);
-			break;
-		default:
-			break;
-	}
-
-	/* generate AT_NONCE_MT value */
-	rng = this->crypto->get_rng(this->crypto);
-	free(this->nonce.ptr);
-	rng->allocate_bytes(rng, NONCE_LEN, &this->nonce);
-
-	message = simaka_message_create(FALSE, in->get_identifier(in), EAP_SIM,
-									SIM_START, this->crypto);
-	if (!this->reauth)
-	{
-		message->add_attribute(message, AT_SELECTED_VERSION, version);
-		message->add_attribute(message, AT_NONCE_MT, this->nonce);
-	}
-	if (id.len)
-	{
-		message->add_attribute(message, AT_IDENTITY, id);
-	}
-	*out = message->generate(message, chunk_empty);
-	message->destroy(message);
-
-	return NEED_MORE;
-}
-
-/**
- * process an EAP-SIM/Request/Challenge message
- */
-static status_t process_challenge(private_eap_sim_peer_t *this,
-								  simaka_message_t *in, eap_payload_t **out)
-{
-	simaka_message_t *message;
-	enumerator_t *enumerator;
-	simaka_attribute_t type;
-	chunk_t data, rands = chunk_empty, kcs, kc, sreses, sres, mk;
-	identification_t *id;
-
-	if (this->tries-- <= 0)
-	{
-		/* give up without notification. This hack is required as some buggy
-		 * server implementations won't respect our client-error. */
-		return FAILED;
-	}
-
-	enumerator = in->create_attribute_enumerator(in);
-	while (enumerator->enumerate(enumerator, &type, &data))
-	{
-		switch (type)
-		{
-			case AT_RAND:
-				rands = data;
-				break;
-			default:
-				if (!simaka_attribute_skippable(type))
-				{
-					*out = create_client_error(this, in->get_identifier(in),
-											   SIM_UNABLE_TO_PROCESS);
-					enumerator->destroy(enumerator);
-					return NEED_MORE;
-				}
-				break;
-		}
-	}
-	enumerator->destroy(enumerator);
-
-	/* excepting two or three RAND, each 16 bytes. We require two valid
-	 * and different RANDs */
-	if ((rands.len != 2 * SIM_RAND_LEN && rands.len != 3 * SIM_RAND_LEN) ||
-		memeq(rands.ptr, rands.ptr + SIM_RAND_LEN, SIM_RAND_LEN))
-	{
-		DBG1(DBG_IKE, "no valid AT_RAND received");
-		*out = create_client_error(this, in->get_identifier(in),
-								   SIM_INSUFFICIENT_CHALLENGES);
-		return NEED_MORE;
-	}
-	/* get two or three KCs/SRESes from SIM using RANDs */
-	kcs = kc = chunk_alloca(rands.len / 2);
-	sreses = sres = chunk_alloca(rands.len / 4);
-	while (rands.len >= SIM_RAND_LEN)
-	{
-		if (!charon->sim->card_get_triplet(charon->sim, this->permanent,
-										   rands.ptr, sres.ptr, kc.ptr))
-		{
-			DBG1(DBG_IKE, "unable to get EAP-SIM triplet");
-			*out = create_client_error(this, in->get_identifier(in),
-									   SIM_UNABLE_TO_PROCESS);
-			return NEED_MORE;
-		}
-		DBG3(DBG_IKE, "got triplet for RAND %b\n  Kc %b\n  SRES %b",
-			 rands.ptr, SIM_RAND_LEN, sres.ptr, SIM_SRES_LEN, kc.ptr, SIM_KC_LEN);
-		kc = chunk_skip(kc, SIM_KC_LEN);
-		sres = chunk_skip(sres, SIM_SRES_LEN);
-		rands = chunk_skip(rands, SIM_RAND_LEN);
-	}
-
-	id = this->permanent;
-	if (this->pseudonym)
-	{
-		id = this->pseudonym;
-	}
-	data = chunk_cata("cccc", kcs, this->nonce, this->version_list, version);
-	free(this->msk.ptr);
-	this->msk = this->crypto->derive_keys_full(this->crypto, id, data, &mk);
-	memcpy(this->mk, mk.ptr, mk.len);
-	free(mk.ptr);
-
-	/* Verify AT_MAC attribute, signature is over "EAP packet | NONCE_MT", and
-	 * parse() again after key derivation, reading encrypted attributes */
-	if (!in->verify(in, this->nonce) || !in->parse(in))
-	{
-		*out = create_client_error(this, in->get_identifier(in),
-								   SIM_UNABLE_TO_PROCESS);
-		return NEED_MORE;
-	}
-
-	enumerator = in->create_attribute_enumerator(in);
-	while (enumerator->enumerate(enumerator, &type, &data))
-	{
-		switch (type)
-		{
-			case AT_NEXT_REAUTH_ID:
-				this->counter = 0;
-				id = identification_create_from_data(data);
-				charon->sim->card_set_reauth(charon->sim, this->permanent, id,
-											 this->mk, this->counter);
-				id->destroy(id);
-				break;
-			case AT_NEXT_PSEUDONYM:
-				id = identification_create_from_data(data);
-				charon->sim->card_set_pseudonym(charon->sim, this->permanent, id);
-				id->destroy(id);
-				break;
-			default:
-				break;
-		}
-	}
-	enumerator->destroy(enumerator);
-
-	/* build response with AT_MAC, built over "EAP packet | n*SRES" */
-	message = simaka_message_create(FALSE, in->get_identifier(in), EAP_SIM,
-									SIM_CHALLENGE, this->crypto);
-	*out = message->generate(message, sreses);
-	message->destroy(message);
-	return NEED_MORE;
-}
-
-/**
- * Check if a received counter value is acceptable
- */
-static bool counter_too_small(private_eap_sim_peer_t *this, chunk_t chunk)
-{
-	u_int16_t counter;
-
-	memcpy(&counter, chunk.ptr, sizeof(counter));
-	counter = htons(counter);
-	return counter < this->counter;
-}
-
-/**
- * process an EAP-SIM/Request/Re-Authentication message
- */
-static status_t process_reauthentication(private_eap_sim_peer_t *this,
-									simaka_message_t *in, eap_payload_t **out)
-{
-	simaka_message_t *message;
-	enumerator_t *enumerator;
-	simaka_attribute_t type;
-	chunk_t data, counter = chunk_empty, nonce = chunk_empty, id = chunk_empty;
-
-	if (!this->reauth)
-	{
-		DBG1(DBG_IKE, "received %N, but not expected",
-			 simaka_subtype_names, SIM_REAUTHENTICATION);
-		*out = create_client_error(this, in->get_identifier(in),
-								   SIM_UNABLE_TO_PROCESS);
-		return NEED_MORE;
-	}
-
-	this->crypto->derive_keys_reauth(this->crypto,
-									 chunk_create(this->mk, HASH_SIZE_SHA1));
-
-	/* verify MAC and parse again with decryption key */
-	if (!in->verify(in, chunk_empty) || !in->parse(in))
-	{
-		*out = create_client_error(this, in->get_identifier(in),
-								   SIM_UNABLE_TO_PROCESS);
-		return NEED_MORE;
-	}
-
-	enumerator = in->create_attribute_enumerator(in);
-	while (enumerator->enumerate(enumerator, &type, &data))
-	{
-		switch (type)
-		{
-			case AT_COUNTER:
-				counter = data;
-				break;
-			case AT_NONCE_S:
-				nonce = data;
-				break;
-			case AT_NEXT_REAUTH_ID:
-				id = data;
-				break;
-			default:
-				if (!simaka_attribute_skippable(type))
-				{
-					*out = create_client_error(this, in->get_identifier(in),
-											   SIM_UNABLE_TO_PROCESS);
-					enumerator->destroy(enumerator);
-					return NEED_MORE;
-				}
-				break;
-		}
-	}
-	enumerator->destroy(enumerator);
-
-	if (!nonce.len || !counter.len)
-	{
-		DBG1(DBG_IKE, "EAP-SIM/Request/Re-Authentication message incomplete");
-		*out = create_client_error(this, in->get_identifier(in),
-								   SIM_UNABLE_TO_PROCESS);
-		return NEED_MORE;
-	}
-
-	message = simaka_message_create(FALSE, in->get_identifier(in), EAP_SIM,
-									SIM_REAUTHENTICATION, this->crypto);
-	if (counter_too_small(this, counter))
-	{
-		DBG1(DBG_IKE, "reauthentication counter too small");
-		message->add_attribute(message, AT_COUNTER_TOO_SMALL, chunk_empty);
-	}
-	else
-	{
-		free(this->msk.ptr);
-		this->msk = this->crypto->derive_keys_reauth_msk(this->crypto,
-										this->reauth, counter, nonce,
-										chunk_create(this->mk, HASH_SIZE_SHA1));
-		if (id.len)
-		{
-			identification_t *reauth;
-
-			reauth = identification_create_from_data(data);
-			charon->sim->card_set_reauth(charon->sim, this->permanent, reauth,
-							 this->mk, this->counter);
-			reauth->destroy(reauth);
-		}
-	}
-	message->add_attribute(message, AT_COUNTER, counter);
-	*out = message->generate(message, nonce);
-	message->destroy(message);
-	return NEED_MORE;
-}
-
-/**
- * process an EAP-SIM/Request/Notification message
- */
-static status_t process_notification(private_eap_sim_peer_t *this,
-									 simaka_message_t *in, eap_payload_t **out)
-{
-	simaka_message_t *message;
-	enumerator_t *enumerator;
-	simaka_attribute_t type;
-	chunk_t data;
-	bool success = TRUE;
-
-	enumerator = in->create_attribute_enumerator(in);
-	while (enumerator->enumerate(enumerator, &type, &data))
-	{
-		if (type == AT_NOTIFICATION)
-		{
-			u_int16_t code;
-
-			memcpy(&code, data.ptr, sizeof(code));
-			code = ntohs(code);
-
-			/* test success bit */
-			if (!(data.ptr[0] & 0x80))
-			{
-				success = FALSE;
-				DBG1(DBG_IKE, "received EAP-SIM notification error '%N'",
-					 simaka_notification_names, code);
-			}
-			else
-			{
-				DBG1(DBG_IKE, "received EAP-SIM notification '%N'",
-					 simaka_notification_names, code);
-			}
-		}
-		else if (!simaka_attribute_skippable(type))
-		{
-			success = FALSE;
-			break;
-		}
-	}
-	enumerator->destroy(enumerator);
-
-	if (success)
-	{	/* empty notification reply */
-		message = simaka_message_create(FALSE, in->get_identifier(in), EAP_SIM,
-										SIM_NOTIFICATION, this->crypto);
-		*out = message->generate(message, chunk_empty);
-		message->destroy(message);
-	}
-	else
-	{
-		*out = create_client_error(this, in->get_identifier(in),
-								   SIM_UNABLE_TO_PROCESS);
-	}
-	return NEED_MORE;
-}
-
-/**
- * Implementation of eap_method_t.process
- */
-static status_t process(private_eap_sim_peer_t *this,
-						eap_payload_t *in, eap_payload_t **out)
-{
-	simaka_message_t *message;
-	status_t status;
-
-	message = simaka_message_create_from_payload(in, this->crypto);
-	if (!message)
-	{
-		*out = create_client_error(this, in->get_identifier(in),
-								   SIM_UNABLE_TO_PROCESS);
-		return NEED_MORE;
-	}
-	if (!message->parse(message))
-	{
-		message->destroy(message);
-		*out = create_client_error(this, in->get_identifier(in),
-								   SIM_UNABLE_TO_PROCESS);
-		return NEED_MORE;
-	}
-	switch (message->get_subtype(message))
-	{
-		case SIM_START:
-			status = process_start(this, message, out);
-			break;
-		case SIM_CHALLENGE:
-			status = process_challenge(this, message, out);
-			break;
-		case SIM_REAUTHENTICATION:
-			status = process_reauthentication(this, message, out);
-			break;
-		case SIM_NOTIFICATION:
-			status = process_notification(this, message, out);
-			break;
-		default:
-			DBG1(DBG_IKE, "unable to process EAP-SIM subtype %N",
-				 simaka_subtype_names, message->get_subtype(message));
-			*out = create_client_error(this, in->get_identifier(in),
-									   SIM_UNABLE_TO_PROCESS);
-			status = NEED_MORE;
-			break;
-	}
-	message->destroy(message);
-	return status;
-}
-
-/**
- * Implementation of eap_method_t.initiate
- */
-static status_t initiate(private_eap_sim_peer_t *this, eap_payload_t **out)
-{
-	/* peer never initiates */
-	return FAILED;
-}
-
-/**
- * Implementation of eap_method_t.get_type.
- */
-static eap_type_t get_type(private_eap_sim_peer_t *this, u_int32_t *vendor)
-{
-	*vendor = 0;
-	return EAP_SIM;
-}
-
-/**
- * Implementation of eap_method_t.get_msk.
- */
-static status_t get_msk(private_eap_sim_peer_t *this, chunk_t *msk)
-{
-	if (this->msk.ptr)
-	{
-		*msk = this->msk;
-		return SUCCESS;
-	}
-	return FAILED;
-}
-
-/**
- * Implementation of eap_method_t.is_mutual.
- */
-static bool is_mutual(private_eap_sim_peer_t *this)
-{
-	return TRUE;
-}
-
-/**
- * Implementation of eap_method_t.destroy.
- */
-static void destroy(private_eap_sim_peer_t *this)
-{
-	this->permanent->destroy(this->permanent);
-	DESTROY_IF(this->pseudonym);
-	DESTROY_IF(this->reauth);
-	this->crypto->destroy(this->crypto);
-	free(this->version_list.ptr);
-	free(this->nonce.ptr);
-	free(this->msk.ptr);
-	free(this);
-}
-
-/*
- * Described in header.
- */
-eap_sim_peer_t *eap_sim_peer_create(identification_t *server,
-									identification_t *peer)
-{
-	private_eap_sim_peer_t *this = malloc_thing(private_eap_sim_peer_t);
-
-	this->public.interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate;
-	this->public.interface.process = (status_t(*)(eap_method_t*,eap_payload_t*,eap_payload_t**))process;
-	this->public.interface.get_type = (eap_type_t(*)(eap_method_t*,u_int32_t*))get_type;
-	this->public.interface.is_mutual = (bool(*)(eap_method_t*))is_mutual;
-	this->public.interface.get_msk = (status_t(*)(eap_method_t*,chunk_t*))get_msk;
-	this->public.interface.destroy = (void(*)(eap_method_t*))destroy;
-
-	this->crypto = simaka_crypto_create();
-	if (!this->crypto)
-	{
-		free(this);
-		return NULL;
-	}
-	this->permanent = peer->clone(peer);
-	this->pseudonym = NULL;
-	this->reauth = NULL;
-	this->tries = MAX_TRIES;
-	this->version_list = chunk_empty;
-	this->nonce = chunk_empty;
-	this->msk = chunk_empty;
-
-	return &this->public;
-}
-
diff --git a/src/charon/plugins/eap_sim/eap_sim_peer.h b/src/charon/plugins/eap_sim/eap_sim_peer.h
deleted file mode 100644
index 89f81301e..000000000
--- a/src/charon/plugins/eap_sim/eap_sim_peer.h
+++ /dev/null
@@ -1,57 +0,0 @@
-/*
- * Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup eap_sim_peer eap_sim_peer
- * @{ @ingroup eap_sim
- */
-
-#ifndef EAP_SIM_PEER_H_
-#define EAP_SIM_PEER_H_
-
-#include <sa/authenticators/eap/eap_method.h>
-
-typedef struct eap_sim_peer_t eap_sim_peer_t;
-
-/**
- * EAP-SIM peer implementation.
- *
- * This EAP-SIM module uses sim_card_t implementations for triplet calculation,
- * found via the eap_sim_manager_t.
- */
-struct eap_sim_peer_t {
-
-	/**
-	 * Implemented eap_method_t interface.
-	 */
-	eap_method_t interface;
-
-	/**
-	 * Destroy a eap_sim_peer_t.
-	 */
-	void (*destroy)(eap_sim_peer_t *this);
-};
-
-/**
- * Creates the EAP method EAP-SIM acting as peer.
- *
- * @param server	ID of the EAP server
- * @param peer		ID of the EAP peer
- * @return			eap_sim_t object
- */
-eap_sim_peer_t *eap_sim_peer_create(identification_t *server,
-									identification_t *peer);
-
-#endif /** EAP_SIM_PEER_H_ @}*/
diff --git a/src/charon/plugins/eap_sim/eap_sim_plugin.c b/src/charon/plugins/eap_sim/eap_sim_plugin.c
deleted file mode 100644
index 1d2b9cf4f..000000000
--- a/src/charon/plugins/eap_sim/eap_sim_plugin.c
+++ /dev/null
@@ -1,51 +0,0 @@
-/*
- * Copyright (C) 2008-2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "eap_sim_plugin.h"
-
-#include "eap_sim_server.h"
-#include "eap_sim_peer.h"
-
-#include <daemon.h>
-
-/**
- * Implementation of plugin_t.destroy
- */
-static void destroy(eap_sim_plugin_t *this)
-{
-	charon->eap->remove_method(charon->eap,
-							   (eap_constructor_t)eap_sim_server_create);
-	charon->eap->remove_method(charon->eap,
-							   (eap_constructor_t)eap_sim_peer_create);
-	free(this);
-}
-
-/*
- * see header file
- */
-plugin_t *plugin_create()
-{
-	eap_sim_plugin_t *this = malloc_thing(eap_sim_plugin_t);
-
-	this->plugin.destroy = (void(*)(plugin_t*))destroy;
-
-	charon->eap->add_method(charon->eap, EAP_SIM, 0, EAP_SERVER,
-							(eap_constructor_t)eap_sim_server_create);
-	charon->eap->add_method(charon->eap, EAP_SIM, 0, EAP_PEER,
-							(eap_constructor_t)eap_sim_peer_create);
-
-	return &this->plugin;
-}
-
diff --git a/src/charon/plugins/eap_sim/eap_sim_plugin.h b/src/charon/plugins/eap_sim/eap_sim_plugin.h
deleted file mode 100644
index 767eb65a5..000000000
--- a/src/charon/plugins/eap_sim/eap_sim_plugin.h
+++ /dev/null
@@ -1,47 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup eap_sim eap_sim
- * @ingroup cplugins
- *
- * @defgroup eap_sim_plugin eap_sim_plugin
- * @{ @ingroup eap_sim
- */
-
-#ifndef EAP_SIM_PLUGIN_H_
-#define EAP_SIM_PLUGIN_H_
-
-#include <plugins/plugin.h>
-
-typedef struct eap_sim_plugin_t eap_sim_plugin_t;
-
-/**
- * EAP-SIM plugin.
- */
-struct eap_sim_plugin_t {
-
-	/**
-	 * implements plugin interface
-	 */
-	plugin_t plugin;
-};
-
-/**
- * Create a eap_sim_plugin instance.
- */
-plugin_t *plugin_create();
-
-#endif /** EAP_SIM_PLUGIN_H_ @}*/
diff --git a/src/charon/plugins/eap_sim/eap_sim_server.c b/src/charon/plugins/eap_sim/eap_sim_server.c
deleted file mode 100644
index f6d5df09b..000000000
--- a/src/charon/plugins/eap_sim/eap_sim_server.c
+++ /dev/null
@@ -1,611 +0,0 @@
-/*
- * Copyright (C) 2007-2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "eap_sim_server.h"
-
-#include <daemon.h>
-
-#include <simaka_message.h>
-#include <simaka_crypto.h>
-
-/* number of triplets for one authentication */
-#define TRIPLET_COUNT 3
-
-/** length of the AT_NONCE_S value */
-#define NONCE_LEN 16
-
-typedef struct private_eap_sim_server_t private_eap_sim_server_t;
-
-/**
- * Private data of an eap_sim_server_t object.
- */
-struct private_eap_sim_server_t {
-
-	/**
-	 * Public authenticator_t interface.
-	 */
-	eap_sim_server_t public;
-
-	/**
-	 * permanent ID of peer
-	 */
-	identification_t *permanent;
-
-	/**
-	 * pseudonym ID of peer
-	 */
-	identification_t *pseudonym;
-
-	/**
-	 * reauthentication ID of peer
-	 */
-	identification_t *reauth;
-
-	/**
-	 * EAP-SIM/AKA crypto helper
-	 */
-	simaka_crypto_t *crypto;
-
-	/**
-	 * unique EAP identifier
-	 */
-	u_int8_t identifier;
-
-	/**
-	 * concatenated SRES values
-	 */
-	chunk_t sreses;
-
-	/**
-	 * Nonce value used in AT_NONCE_S
-	 */
-	chunk_t nonce;
-
-	/**
-	 * Counter value negotiated, network order
-	 */
-	chunk_t counter;
-
-	/**
-	 * MSK, used for EAP-SIM based IKEv2 authentication
-	 */
-	chunk_t msk;
-
-	/**
-	 * Do we request fast reauthentication?
-	 */
-	bool use_reauth;
-
-	/**
-	 * Do we request pseudonym identities?
-	 */
-	bool use_pseudonym;
-
-	/**
-	 * Do we request permanent identities?
-	 */
-	bool use_permanent;
-
-	/**
-	 * EAP-SIM message we have initiated
-	 */
-	simaka_subtype_t pending;
-};
-
-/* version of SIM protocol we speak */
-static chunk_t version = chunk_from_chars(0x00,0x01);
-
-/**
- * Implementation of eap_method_t.initiate
- */
-static status_t initiate(private_eap_sim_server_t *this, eap_payload_t **out)
-{
-	simaka_message_t *message;
-
-	message = simaka_message_create(TRUE, this->identifier++, EAP_SIM,
-									SIM_START, this->crypto);
-	message->add_attribute(message, AT_VERSION_LIST, version);
-	if (this->use_reauth)
-	{
-		message->add_attribute(message, AT_ANY_ID_REQ, chunk_empty);
-	}
-	else if (this->use_pseudonym)
-	{
-		message->add_attribute(message, AT_FULLAUTH_ID_REQ, chunk_empty);
-	}
-	else if (this->use_permanent)
-	{
-		message->add_attribute(message, AT_PERMANENT_ID_REQ, chunk_empty);
-	}
-	*out = message->generate(message, chunk_empty);
-	message->destroy(message);
-
-	this->pending = SIM_START;
-	return NEED_MORE;
-}
-
-/**
- * Initiate  EAP-SIM/Request/Re-authentication message
- */
-static status_t reauthenticate(private_eap_sim_server_t *this,
-							   char mk[HASH_SIZE_SHA1], u_int16_t counter,
-							   eap_payload_t **out)
-{
-	simaka_message_t *message;
-	identification_t *next;
-	chunk_t mkc;
-	rng_t *rng;
-
-	DBG1(DBG_IKE, "initiating EAP-SIM reauthentication");
-
-	rng = this->crypto->get_rng(this->crypto);
-	rng->allocate_bytes(rng, NONCE_LEN, &this->nonce);
-
-	mkc = chunk_create(mk, HASH_SIZE_SHA1);
-	counter = htons(counter);
-	this->counter = chunk_clone(chunk_create((char*)&counter, sizeof(counter)));
-
-	this->crypto->derive_keys_reauth(this->crypto, mkc);
-	this->msk = this->crypto->derive_keys_reauth_msk(this->crypto,
-								this->reauth, this->counter, this->nonce, mkc);
-
-	message = simaka_message_create(TRUE, this->identifier++, EAP_SIM,
-									SIM_REAUTHENTICATION, this->crypto);
-	message->add_attribute(message, AT_COUNTER, this->counter);
-	message->add_attribute(message, AT_NONCE_S, this->nonce);
-	next = charon->sim->provider_gen_reauth(charon->sim, this->permanent, mk);
-	if (next)
-	{
-		message->add_attribute(message, AT_NEXT_REAUTH_ID,
-							   next->get_encoding(next));
-		next->destroy(next);
-	}
-	*out = message->generate(message, chunk_empty);
-	message->destroy(message);
-
-	this->pending = SIM_REAUTHENTICATION;
-	return NEED_MORE;
-}
-
-/**
- * process an EAP-SIM/Response/Reauthentication message
- */
-static status_t process_reauthentication(private_eap_sim_server_t *this,
-									simaka_message_t *in, eap_payload_t **out)
-{
-	enumerator_t *enumerator;
-	simaka_attribute_t type;
-	chunk_t data, counter = chunk_empty;
-	bool too_small = FALSE;
-
-	if (this->pending != SIM_REAUTHENTICATION)
-	{
-		DBG1(DBG_IKE, "received %N, but not expected",
-			 simaka_subtype_names, SIM_REAUTHENTICATION);
-		return FAILED;
-	}
-	/* verify AT_MAC attribute, signature is over "EAP packet | NONCE_S"  */
-	if (!in->verify(in, this->nonce))
-	{
-		return FAILED;
-	}
-
-	enumerator = in->create_attribute_enumerator(in);
-	while (enumerator->enumerate(enumerator, &type, &data))
-	{
-		switch (type)
-		{
-			case AT_COUNTER:
-				counter = data;
-				break;
-			case AT_COUNTER_TOO_SMALL:
-				too_small = TRUE;
-				break;
-			default:
-				if (!simaka_attribute_skippable(type))
-				{
-					enumerator->destroy(enumerator);
-					return FAILED;
-				}
-				break;
-		}
-	}
-	enumerator->destroy(enumerator);
-
-	if (too_small)
-	{
-		DBG1(DBG_IKE, "received %N, initiating full authentication",
-			 simaka_attribute_names, AT_COUNTER_TOO_SMALL);
-		this->use_reauth = FALSE;
-		this->crypto->clear_keys(this->crypto);
-		return initiate(this, out);
-	}
-	if (!chunk_equals(counter, this->counter))
-	{
-		DBG1(DBG_IKE, "received counter does not match");
-		return FAILED;
-	}
-	return SUCCESS;
-}
-
-/**
- * process an EAP-SIM/Response/Start message
- */
-static status_t process_start(private_eap_sim_server_t *this,
-							  simaka_message_t *in, eap_payload_t **out)
-{
-	simaka_message_t *message;
-	enumerator_t *enumerator;
-	simaka_attribute_t type;
-	chunk_t data, identity = chunk_empty, nonce = chunk_empty, mk;
-	chunk_t rands, rand, kcs, kc, sreses, sres;
-	bool supported = FALSE;
-	identification_t *id;
-	int i;
-
-	if (this->pending != SIM_START)
-	{
-		DBG1(DBG_IKE, "received %N, but not expected",
-			 simaka_subtype_names, SIM_START);
-		return FAILED;
-	}
-
-	enumerator = in->create_attribute_enumerator(in);
-	while (enumerator->enumerate(enumerator, &type, &data))
-	{
-		switch (type)
-		{
-			case AT_NONCE_MT:
-				nonce = data;
-				break;
-			case AT_SELECTED_VERSION:
-				if (chunk_equals(data, version))
-				{
-					supported = TRUE;
-				}
-				break;
-			case AT_IDENTITY:
-				identity = data;
-				break;
-			default:
-				if (!simaka_attribute_skippable(type))
-				{
-					enumerator->destroy(enumerator);
-					return FAILED;
-				}
-				break;
-		}
-	}
-	enumerator->destroy(enumerator);
-
-	if (identity.len)
-	{
-		identification_t *permanent;
-
-		id = identification_create_from_data(identity);
-		if (this->use_reauth && !nonce.len)
-		{
-			char mk[HASH_SIZE_SHA1];
-			u_int16_t counter;
-
-			permanent = charon->sim->provider_is_reauth(charon->sim, id,
-														mk, &counter);
-			if (permanent)
-			{
-				this->permanent->destroy(this->permanent);
-				this->permanent = permanent;
-				this->reauth = id;
-				return reauthenticate(this, mk, counter, out);
-			}
-			DBG1(DBG_IKE, "received unknown reauthentication identity '%Y', "
-				 "initiating full authentication", id);
-			this->use_reauth = FALSE;
-			id->destroy(id);
-			return initiate(this, out);
-		}
-		if (this->use_pseudonym)
-		{
-			permanent = charon->sim->provider_is_pseudonym(charon->sim, id);
-			if (permanent)
-			{
-				this->permanent->destroy(this->permanent);
-				this->permanent = permanent;
-				this->pseudonym = id->clone(id);
-				/* we already have a new permanent identity now */
-				this->use_permanent = FALSE;
-			}
-		}
-		if (!this->pseudonym && this->use_permanent)
-		{
-			DBG1(DBG_IKE, "received %spermanent identity '%Y'",
-				 this->use_pseudonym ? "pseudonym or " : "", id);
-			this->permanent->destroy(this->permanent);
-			this->permanent = id->clone(id);
-		}
-		id->destroy(id);
-	}
-
-	if (!supported || !nonce.len)
-	{
-		DBG1(DBG_IKE, "received incomplete EAP-SIM/Response/Start");
-		return FAILED;
-	}
-
-	/* read triplets from provider */
-	rand = rands = chunk_alloca(SIM_RAND_LEN * TRIPLET_COUNT);
-	kc = kcs = chunk_alloca(SIM_KC_LEN * TRIPLET_COUNT);
-	sres = sreses = chunk_alloca(SIM_SRES_LEN * TRIPLET_COUNT);
-	rands.len = kcs.len = sreses.len = 0;
-	for (i = 0; i < TRIPLET_COUNT; i++)
-	{
-		if (!charon->sim->provider_get_triplet(charon->sim, this->permanent,
-											   rand.ptr, sres.ptr, kc.ptr))
-		{
-			if (this->use_pseudonym)
-			{
-				/* probably received a pseudonym we couldn't map */
-				DBG1(DBG_IKE, "failed to map pseudonym identity '%Y', "
-					 "fallback to permanent identity request", this->permanent);
-				this->use_pseudonym = FALSE;
-				DESTROY_IF(this->pseudonym);
-				this->pseudonym = NULL;
-				return initiate(this, out);
-			}
-			return FAILED;
-		}
-		rands.len += SIM_RAND_LEN;
-		sreses.len += SIM_SRES_LEN;
-		kcs.len += SIM_KC_LEN;
-		rand = chunk_skip(rand, SIM_RAND_LEN);
-		sres = chunk_skip(sres, SIM_SRES_LEN);
-		kc = chunk_skip(kc, SIM_KC_LEN);
-	}
-	free(this->sreses.ptr);
-	this->sreses = chunk_clone(sreses);
-
-	data = chunk_cata("cccc", kcs, nonce, version, version);
-	free(this->msk.ptr);
-	id = this->permanent;
-	if (this->pseudonym)
-	{
-		id = this->pseudonym;
-	}
-	this->msk = this->crypto->derive_keys_full(this->crypto, id, data, &mk);
-
-	/* build response with AT_MAC, built over "EAP packet | NONCE_MT" */
-	message = simaka_message_create(TRUE, this->identifier++, EAP_SIM,
-									SIM_CHALLENGE, this->crypto);
-	message->add_attribute(message, AT_RAND, rands);
-	id = charon->sim->provider_gen_reauth(charon->sim, this->permanent, mk.ptr);
-	if (id)
-	{
-		message->add_attribute(message, AT_NEXT_REAUTH_ID,
-							   id->get_encoding(id));
-		id->destroy(id);
-	}
-	else
-	{
-		id = charon->sim->provider_gen_pseudonym(charon->sim, this->permanent);
-		if (id)
-		{
-			message->add_attribute(message, AT_NEXT_PSEUDONYM,
-								   id->get_encoding(id));
-			id->destroy(id);
-		}
-	}
-	*out = message->generate(message, nonce);
-	message->destroy(message);
-
-	free(mk.ptr);
-	this->pending = SIM_CHALLENGE;
-	return NEED_MORE;
-}
-
-/**
- * process an EAP-SIM/Response/Challenge message
- */
-static status_t process_challenge(private_eap_sim_server_t *this,
-								  simaka_message_t *in, eap_payload_t **out)
-{
-	enumerator_t *enumerator;
-	simaka_attribute_t type;
-	chunk_t data;
-
-	if (this->pending != SIM_CHALLENGE)
-	{
-		DBG1(DBG_IKE, "received %N, but not expected",
-			 simaka_subtype_names, SIM_CHALLENGE);
-		return FAILED;
-	}
-	/* verify AT_MAC attribute, signature is over "EAP packet | n*SRES"  */
-	if (!in->verify(in, this->sreses))
-	{
-		return FAILED;
-	}
-
-	enumerator = in->create_attribute_enumerator(in);
-	while (enumerator->enumerate(enumerator, &type, &data))
-	{
-		if (!simaka_attribute_skippable(type))
-		{
-			enumerator->destroy(enumerator);
-			return FAILED;
-		}
-	}
-	enumerator->destroy(enumerator);
-
-	return SUCCESS;
-}
-
-/**
- * EAP-SIM/Response/ClientErrorCode message
- */
-static status_t process_client_error(private_eap_sim_server_t *this,
-									 simaka_message_t *in)
-{
-	enumerator_t *enumerator;
-	simaka_attribute_t type;
-	chunk_t data;
-
-	enumerator = in->create_attribute_enumerator(in);
-	while (enumerator->enumerate(enumerator, &type, &data))
-	{
-		if (type == AT_CLIENT_ERROR_CODE)
-		{
-			u_int16_t code;
-
-			memcpy(&code, data.ptr, sizeof(code));
-			DBG1(DBG_IKE, "received EAP-SIM client error '%N'",
-				 simaka_client_error_names, ntohs(code));
-		}
-		else if (!simaka_attribute_skippable(type))
-		{
-			break;
-		}
-	}
-	enumerator->destroy(enumerator);
-	return FAILED;
-}
-
-/**
- * Implementation of eap_method_t.process
- */
-static status_t process(private_eap_sim_server_t *this,
-						eap_payload_t *in, eap_payload_t **out)
-{
-	simaka_message_t *message;
-	status_t status;
-
-	message = simaka_message_create_from_payload(in, this->crypto);
-	if (!message)
-	{
-		return FAILED;
-	}
-	if (!message->parse(message))
-	{
-		message->destroy(message);
-		return FAILED;
-	}
-	switch (message->get_subtype(message))
-	{
-		case SIM_START:
-			status = process_start(this, message, out);
-			break;
-		case SIM_CHALLENGE:
-			status = process_challenge(this, message, out);
-			break;
-		case SIM_REAUTHENTICATION:
-			status = process_reauthentication(this, message, out);
-			break;
-		case SIM_CLIENT_ERROR:
-			status = process_client_error(this, message);
-			break;
-		default:
-			DBG1(DBG_IKE, "unable to process EAP-SIM subtype %N",
-				 simaka_subtype_names, message->get_subtype(message));
-			status = FAILED;
-			break;
-	}
-	message->destroy(message);
-	return status;
-}
-
-/**
- * Implementation of eap_method_t.get_type.
- */
-static eap_type_t get_type(private_eap_sim_server_t *this, u_int32_t *vendor)
-{
-	*vendor = 0;
-	return EAP_SIM;
-}
-
-/**
- * Implementation of eap_method_t.get_msk.
- */
-static status_t get_msk(private_eap_sim_server_t *this, chunk_t *msk)
-{
-	if (this->msk.ptr)
-	{
-		*msk = this->msk;
-		return SUCCESS;
-	}
-	return FAILED;
-}
-
-/**
- * Implementation of eap_method_t.is_mutual.
- */
-static bool is_mutual(private_eap_sim_server_t *this)
-{
-	return TRUE;
-}
-
-/**
- * Implementation of eap_method_t.destroy.
- */
-static void destroy(private_eap_sim_server_t *this)
-{
-	this->crypto->destroy(this->crypto);
-	this->permanent->destroy(this->permanent);
-	DESTROY_IF(this->pseudonym);
-	DESTROY_IF(this->reauth);
-	free(this->sreses.ptr);
-	free(this->nonce.ptr);
-	free(this->msk.ptr);
-	free(this->counter.ptr);
-	free(this);
-}
-
-/*
- * Described in header.
- */
-eap_sim_server_t *eap_sim_server_create(identification_t *server,
-										identification_t *peer)
-{
-	private_eap_sim_server_t *this = malloc_thing(private_eap_sim_server_t);
-
-	this->public.interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate;
-	this->public.interface.process = (status_t(*)(eap_method_t*,eap_payload_t*,eap_payload_t**))process;
-	this->public.interface.get_type = (eap_type_t(*)(eap_method_t*,u_int32_t*))get_type;
-	this->public.interface.is_mutual = (bool(*)(eap_method_t*))is_mutual;
-	this->public.interface.get_msk = (status_t(*)(eap_method_t*,chunk_t*))get_msk;
-	this->public.interface.destroy = (void(*)(eap_method_t*))destroy;
-
-	this->crypto = simaka_crypto_create();
-	if (!this->crypto)
-	{
-		free(this);
-		return NULL;
-	}
-	this->permanent = peer->clone(peer);
-	this->pseudonym = NULL;
-	this->reauth = NULL;
-	this->sreses = chunk_empty;
-	this->nonce = chunk_empty;
-	this->msk = chunk_empty;
-	this->counter = chunk_empty;
-	this->pending = 0;
-	this->use_reauth = this->use_pseudonym = this->use_permanent =
-		lib->settings->get_bool(lib->settings,
-								"charon.plugins.eap-sim.request_identity", TRUE);
-
-	/* generate a non-zero identifier */
-	do {
-		this->identifier = random();
-	} while (!this->identifier);
-
-	return &this->public;
-}
-
diff --git a/src/charon/plugins/eap_sim/eap_sim_server.h b/src/charon/plugins/eap_sim/eap_sim_server.h
deleted file mode 100644
index 978e1e1e9..000000000
--- a/src/charon/plugins/eap_sim/eap_sim_server.h
+++ /dev/null
@@ -1,57 +0,0 @@
-/*
- * Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup eap_sim_server eap_sim_server
- * @{ @ingroup eap_sim
- */
-
-#ifndef EAP_SIM_SERVER_H_
-#define EAP_SIM_SERVER_H_
-
-#include <sa/authenticators/eap/eap_method.h>
-
-typedef struct eap_sim_server_t eap_sim_server_t;
-
-/**
- * EAP-SIM server implementation.
- *
- * This EAP-SIM module uses sim_provider_t implementations for triplet
- * calculation, found via the eap_sim_manager_t.
- */
-struct eap_sim_server_t {
-
-	/**
-	 * Implemented eap_method_t interface.
-	 */
-	eap_method_t interface;
-
-	/**
-	 * Destroy a eap_sim_server_t.
-	 */
-	void (*destroy)(eap_sim_server_t *this);
-};
-
-/**
- * Creates the EAP method EAP-SIM acting as server.
- *
- * @param server	ID of the EAP server
- * @param peer		ID of the EAP peer
- * @return			eap_sim_t object
- */
-eap_sim_server_t *eap_sim_server_create(identification_t *server,
-										identification_t *peer);
-
-#endif /** EAP_SIM_SERVER_H_ @}*/
diff --git a/src/charon/plugins/eap_sim_file/Makefile.am b/src/charon/plugins/eap_sim_file/Makefile.am
deleted file mode 100644
index 350d4244f..000000000
--- a/src/charon/plugins/eap_sim_file/Makefile.am
+++ /dev/null
@@ -1,14 +0,0 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
-
-AM_CFLAGS = -rdynamic -DIPSEC_CONFDIR=\"${sysconfdir}\"
-
-plugin_LTLIBRARIES = libstrongswan-eap-sim-file.la
-
-libstrongswan_eap_sim_file_la_SOURCES = \
-  eap_sim_file_plugin.h eap_sim_file_plugin.c \
-  eap_sim_file_card.h eap_sim_file_card.c \
-  eap_sim_file_provider.h eap_sim_file_provider.c \
-  eap_sim_file_triplets.h eap_sim_file_triplets.c
-libstrongswan_eap_sim_file_la_LDFLAGS = -module -avoid-version
-
diff --git a/src/charon/plugins/eap_sim_file/Makefile.in b/src/charon/plugins/eap_sim_file/Makefile.in
deleted file mode 100644
index 232c2a133..000000000
--- a/src/charon/plugins/eap_sim_file/Makefile.in
+++ /dev/null
@@ -1,578 +0,0 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
-# @configure_input@
-
-# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
-# This Makefile.in is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
-# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
-# PARTICULAR PURPOSE.
-
-@SET_MAKE@
-
-VPATH = @srcdir@
-pkgdatadir = $(datadir)/@PACKAGE@
-pkgincludedir = $(includedir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
-pkglibexecdir = $(libexecdir)/@PACKAGE@
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-install_sh_DATA = $(install_sh) -c -m 644
-install_sh_PROGRAM = $(install_sh) -c
-install_sh_SCRIPT = $(install_sh) -c
-INSTALL_HEADER = $(INSTALL_DATA)
-transform = $(program_transform_name)
-NORMAL_INSTALL = :
-PRE_INSTALL = :
-POST_INSTALL = :
-NORMAL_UNINSTALL = :
-PRE_UNINSTALL = :
-POST_UNINSTALL = :
-build_triplet = @build@
-host_triplet = @host@
-subdir = src/charon/plugins/eap_sim_file
-DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
-ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
-	$(top_srcdir)/m4/config/ltoptions.m4 \
-	$(top_srcdir)/m4/config/ltsugar.m4 \
-	$(top_srcdir)/m4/config/ltversion.m4 \
-	$(top_srcdir)/m4/config/lt~obsolete.m4 \
-	$(top_srcdir)/m4/macros/with.m4 \
-	$(top_srcdir)/m4/macros/enable-disable.m4 \
-	$(top_srcdir)/configure.in
-am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
-	$(ACLOCAL_M4)
-mkinstalldirs = $(install_sh) -d
-CONFIG_CLEAN_FILES =
-CONFIG_CLEAN_VPATH_FILES =
-am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
-am__vpath_adj = case $$p in \
-    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
-    *) f=$$p;; \
-  esac;
-am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
-am__install_max = 40
-am__nobase_strip_setup = \
-  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
-am__nobase_strip = \
-  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
-am__nobase_list = $(am__nobase_strip_setup); \
-  for p in $$list; do echo "$$p $$p"; done | \
-  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
-  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
-    if (++n[$$2] == $(am__install_max)) \
-      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
-    END { for (dir in files) print dir, files[dir] }'
-am__base_list = \
-  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
-  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
-am__installdirs = "$(DESTDIR)$(plugindir)"
-LTLIBRARIES = $(plugin_LTLIBRARIES)
-libstrongswan_eap_sim_file_la_LIBADD =
-am_libstrongswan_eap_sim_file_la_OBJECTS = eap_sim_file_plugin.lo \
-	eap_sim_file_card.lo eap_sim_file_provider.lo \
-	eap_sim_file_triplets.lo
-libstrongswan_eap_sim_file_la_OBJECTS =  \
-	$(am_libstrongswan_eap_sim_file_la_OBJECTS)
-libstrongswan_eap_sim_file_la_LINK = $(LIBTOOL) --tag=CC \
-	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
-	$(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_eap_sim_file_la_LDFLAGS) $(LDFLAGS) -o $@
-DEFAULT_INCLUDES = -I.@am__isrc@
-depcomp = $(SHELL) $(top_srcdir)/depcomp
-am__depfiles_maybe = depfiles
-am__mv = mv -f
-COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
-	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
-SOURCES = $(libstrongswan_eap_sim_file_la_SOURCES)
-DIST_SOURCES = $(libstrongswan_eap_sim_file_la_SOURCES)
-ETAGS = etags
-CTAGS = ctags
-DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
-ACLOCAL = @ACLOCAL@
-ALLOCA = @ALLOCA@
-AMTAR = @AMTAR@
-AR = @AR@
-AUTOCONF = @AUTOCONF@
-AUTOHEADER = @AUTOHEADER@
-AUTOMAKE = @AUTOMAKE@
-AWK = @AWK@
-BTLIB = @BTLIB@
-CC = @CC@
-CCDEPMODE = @CCDEPMODE@
-CFLAGS = @CFLAGS@
-CPP = @CPP@
-CPPFLAGS = @CPPFLAGS@
-CYGPATH_W = @CYGPATH_W@
-DEFS = @DEFS@
-DEPDIR = @DEPDIR@
-DLLIB = @DLLIB@
-DSYMUTIL = @DSYMUTIL@
-DUMPBIN = @DUMPBIN@
-ECHO_C = @ECHO_C@
-ECHO_N = @ECHO_N@
-ECHO_T = @ECHO_T@
-EGREP = @EGREP@
-EXEEXT = @EXEEXT@
-FGREP = @FGREP@
-GPERF = @GPERF@
-GREP = @GREP@
-INSTALL = @INSTALL@
-INSTALL_DATA = @INSTALL_DATA@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@
-INSTALL_SCRIPT = @INSTALL_SCRIPT@
-INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-LD = @LD@
-LDFLAGS = @LDFLAGS@
-LEX = @LEX@
-LEXLIB = @LEXLIB@
-LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBOBJS = @LIBOBJS@
-LIBS = @LIBS@
-LIBTOOL = @LIBTOOL@
-LIPO = @LIPO@
-LN_S = @LN_S@
-LTLIBOBJS = @LTLIBOBJS@
-MAKEINFO = @MAKEINFO@
-MKDIR_P = @MKDIR_P@
-MYSQLCFLAG = @MYSQLCFLAG@
-MYSQLCONFIG = @MYSQLCONFIG@
-MYSQLLIB = @MYSQLLIB@
-NM = @NM@
-NMEDIT = @NMEDIT@
-OBJDUMP = @OBJDUMP@
-OBJEXT = @OBJEXT@
-OTOOL = @OTOOL@
-OTOOL64 = @OTOOL64@
-PACKAGE = @PACKAGE@
-PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
-PACKAGE_NAME = @PACKAGE_NAME@
-PACKAGE_STRING = @PACKAGE_STRING@
-PACKAGE_TARNAME = @PACKAGE_TARNAME@
-PACKAGE_URL = @PACKAGE_URL@
-PACKAGE_VERSION = @PACKAGE_VERSION@
-PATH_SEPARATOR = @PATH_SEPARATOR@
-PERL = @PERL@
-PKG_CONFIG = @PKG_CONFIG@
-PTHREADLIB = @PTHREADLIB@
-RANLIB = @RANLIB@
-RTLIB = @RTLIB@
-RUBY = @RUBY@
-RUBYINCLUDE = @RUBYINCLUDE@
-SED = @SED@
-SET_MAKE = @SET_MAKE@
-SHELL = @SHELL@
-SOCKLIB = @SOCKLIB@
-STRIP = @STRIP@
-VERSION = @VERSION@
-YACC = @YACC@
-YFLAGS = @YFLAGS@
-abs_builddir = @abs_builddir@
-abs_srcdir = @abs_srcdir@
-abs_top_builddir = @abs_top_builddir@
-abs_top_srcdir = @abs_top_srcdir@
-ac_ct_CC = @ac_ct_CC@
-ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
-am__include = @am__include@
-am__leading_dot = @am__leading_dot@
-am__quote = @am__quote@
-am__tar = @am__tar@
-am__untar = @am__untar@
-bindir = @bindir@
-build = @build@
-build_alias = @build_alias@
-build_cpu = @build_cpu@
-build_os = @build_os@
-build_vendor = @build_vendor@
-builddir = @builddir@
-datadir = @datadir@
-datarootdir = @datarootdir@
-default_pkcs11 = @default_pkcs11@
-docdir = @docdir@
-dvidir = @dvidir@
-exec_prefix = @exec_prefix@
-gtk_CFLAGS = @gtk_CFLAGS@
-gtk_LIBS = @gtk_LIBS@
-host = @host@
-host_alias = @host_alias@
-host_cpu = @host_cpu@
-host_os = @host_os@
-host_vendor = @host_vendor@
-htmldir = @htmldir@
-includedir = @includedir@
-infodir = @infodir@
-install_sh = @install_sh@
-ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
-ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
-ipsecuser = @ipsecuser@
-libdir = @libdir@
-libexecdir = @libexecdir@
-libstrongswan_plugins = @libstrongswan_plugins@
-linux_headers = @linux_headers@
-localedir = @localedir@
-localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
-mandir = @mandir@
-mkdir_p = @mkdir_p@
-nm_CFLAGS = @nm_CFLAGS@
-nm_LIBS = @nm_LIBS@
-nm_ca_dir = @nm_ca_dir@
-oldincludedir = @oldincludedir@
-pdfdir = @pdfdir@
-piddir = @piddir@
-plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
-prefix = @prefix@
-program_transform_name = @program_transform_name@
-psdir = @psdir@
-random_device = @random_device@
-resolv_conf = @resolv_conf@
-routing_table = @routing_table@
-routing_table_prio = @routing_table_prio@
-sbindir = @sbindir@
-sharedstatedir = @sharedstatedir@
-srcdir = @srcdir@
-strongswan_conf = @strongswan_conf@
-sysconfdir = @sysconfdir@
-target_alias = @target_alias@
-top_build_prefix = @top_build_prefix@
-top_builddir = @top_builddir@
-top_srcdir = @top_srcdir@
-urandom_device = @urandom_device@
-xml_CFLAGS = @xml_CFLAGS@
-xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
-AM_CFLAGS = -rdynamic -DIPSEC_CONFDIR=\"${sysconfdir}\"
-plugin_LTLIBRARIES = libstrongswan-eap-sim-file.la
-libstrongswan_eap_sim_file_la_SOURCES = \
-  eap_sim_file_plugin.h eap_sim_file_plugin.c \
-  eap_sim_file_card.h eap_sim_file_card.c \
-  eap_sim_file_provider.h eap_sim_file_provider.c \
-  eap_sim_file_triplets.h eap_sim_file_triplets.c
-
-libstrongswan_eap_sim_file_la_LDFLAGS = -module -avoid-version
-all: all-am
-
-.SUFFIXES:
-.SUFFIXES: .c .lo .o .obj
-$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
-	@for dep in $?; do \
-	  case '$(am__configure_deps)' in \
-	    *$$dep*) \
-	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
-	        && { if test -f $@; then exit 0; else break; fi; }; \
-	      exit 1;; \
-	  esac; \
-	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/charon/plugins/eap_sim_file/Makefile'; \
-	$(am__cd) $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu src/charon/plugins/eap_sim_file/Makefile
-.PRECIOUS: Makefile
-Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
-	@case '$?' in \
-	  *config.status*) \
-	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
-	  *) \
-	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
-	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
-	esac;
-
-$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-
-$(top_srcdir)/configure:  $(am__configure_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(am__aclocal_m4_deps):
-install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
-	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
-	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
-	list2=; for p in $$list; do \
-	  if test -f $$p; then \
-	    list2="$$list2 $$p"; \
-	  else :; fi; \
-	done; \
-	test -z "$$list2" || { \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
-	}
-
-uninstall-pluginLTLIBRARIES:
-	@$(NORMAL_UNINSTALL)
-	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
-	for p in $$list; do \
-	  $(am__strip_dir) \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
-	done
-
-clean-pluginLTLIBRARIES:
-	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
-	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
-	  test "$$dir" != "$$p" || dir=.; \
-	  echo "rm -f \"$${dir}/so_locations\""; \
-	  rm -f "$${dir}/so_locations"; \
-	done
-libstrongswan-eap-sim-file.la: $(libstrongswan_eap_sim_file_la_OBJECTS) $(libstrongswan_eap_sim_file_la_DEPENDENCIES) 
-	$(libstrongswan_eap_sim_file_la_LINK) -rpath $(plugindir) $(libstrongswan_eap_sim_file_la_OBJECTS) $(libstrongswan_eap_sim_file_la_LIBADD) $(LIBS)
-
-mostlyclean-compile:
-	-rm -f *.$(OBJEXT)
-
-distclean-compile:
-	-rm -f *.tab.c
-
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_sim_file_card.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_sim_file_plugin.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_sim_file_provider.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_sim_file_triplets.Plo@am__quote@
-
-.c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
-
-.c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
-
-.c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
-
-mostlyclean-libtool:
-	-rm -f *.lo
-
-clean-libtool:
-	-rm -rf .libs _libs
-
-ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
-	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	mkid -fID $$unique
-tags: TAGS
-
-TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	set x; \
-	here=`pwd`; \
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	shift; \
-	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
-	  test -n "$$unique" || unique=$$empty_fix; \
-	  if test $$# -gt 0; then \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      "$$@" $$unique; \
-	  else \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      $$unique; \
-	  fi; \
-	fi
-ctags: CTAGS
-CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$unique" \
-	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$unique
-
-GTAGS:
-	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && $(am__cd) $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) "$$here"
-
-distclean-tags:
-	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
-
-distdir: $(DISTFILES)
-	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	list='$(DISTFILES)'; \
-	  dist_files=`for file in $$list; do echo $$file; done | \
-	  sed -e "s|^$$srcdirstrip/||;t" \
-	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
-	case $$dist_files in \
-	  */*) $(MKDIR_P) `echo "$$dist_files" | \
-			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
-			   sort -u` ;; \
-	esac; \
-	for file in $$dist_files; do \
-	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  if test -d $$d/$$file; then \
-	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
-	    if test -d "$(distdir)/$$file"; then \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
-	  else \
-	    test -f "$(distdir)/$$file" \
-	    || cp -p $$d/$$file "$(distdir)/$$file" \
-	    || exit 1; \
-	  fi; \
-	done
-check-am: all-am
-check: check-am
-all-am: Makefile $(LTLIBRARIES)
-installdirs:
-	for dir in "$(DESTDIR)$(plugindir)"; do \
-	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
-	done
-install: install-am
-install-exec: install-exec-am
-install-data: install-data-am
-uninstall: uninstall-am
-
-install-am: all-am
-	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
-
-installcheck: installcheck-am
-install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
-mostlyclean-generic:
-
-clean-generic:
-
-distclean-generic:
-	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
-
-maintainer-clean-generic:
-	@echo "This command is intended for maintainers to use"
-	@echo "it deletes files that may require special tools to rebuild."
-clean: clean-am
-
-clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
-	mostlyclean-am
-
-distclean: distclean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-distclean-am: clean-am distclean-compile distclean-generic \
-	distclean-tags
-
-dvi: dvi-am
-
-dvi-am:
-
-html: html-am
-
-html-am:
-
-info: info-am
-
-info-am:
-
-install-data-am: install-pluginLTLIBRARIES
-
-install-dvi: install-dvi-am
-
-install-dvi-am:
-
-install-exec-am:
-
-install-html: install-html-am
-
-install-html-am:
-
-install-info: install-info-am
-
-install-info-am:
-
-install-man:
-
-install-pdf: install-pdf-am
-
-install-pdf-am:
-
-install-ps: install-ps-am
-
-install-ps-am:
-
-installcheck-am:
-
-maintainer-clean: maintainer-clean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-maintainer-clean-am: distclean-am maintainer-clean-generic
-
-mostlyclean: mostlyclean-am
-
-mostlyclean-am: mostlyclean-compile mostlyclean-generic \
-	mostlyclean-libtool
-
-pdf: pdf-am
-
-pdf-am:
-
-ps: ps-am
-
-ps-am:
-
-uninstall-am: uninstall-pluginLTLIBRARIES
-
-.MAKE: install-am install-strip
-
-.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
-	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
-	distclean-compile distclean-generic distclean-libtool \
-	distclean-tags distdir dvi dvi-am html html-am info info-am \
-	install install-am install-data install-data-am install-dvi \
-	install-dvi-am install-exec install-exec-am install-html \
-	install-html-am install-info install-info-am install-man \
-	install-pdf install-pdf-am install-pluginLTLIBRARIES \
-	install-ps install-ps-am install-strip installcheck \
-	installcheck-am installdirs maintainer-clean \
-	maintainer-clean-generic mostlyclean mostlyclean-compile \
-	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
-
-
-# Tell versions [3.59,3.63) of GNU make to not export all variables.
-# Otherwise a system limit (for SysV at least) may be exceeded.
-.NOEXPORT:
diff --git a/src/charon/plugins/eap_sim_file/eap_sim_file_card.c b/src/charon/plugins/eap_sim_file/eap_sim_file_card.c
deleted file mode 100644
index d132a38f6..000000000
--- a/src/charon/plugins/eap_sim_file/eap_sim_file_card.c
+++ /dev/null
@@ -1,107 +0,0 @@
-/*
- * Copyright (C) 2008-2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "eap_sim_file_card.h"
-
-#include <daemon.h>
-
-typedef struct private_eap_sim_file_card_t private_eap_sim_file_card_t;
-
-/**
- * Private data of an eap_sim_file_card_t object.
- */
-struct private_eap_sim_file_card_t {
-
-	/**
-	 * Public eap_sim_file_card_t interface.
-	 */
-	eap_sim_file_card_t public;
-
-	/**
-	 * source of triplets
-	 */
-	eap_sim_file_triplets_t *triplets;
-};
-
-/**
- * Implementation of sim_card_t.get_triplet
- */
-static bool get_triplet(private_eap_sim_file_card_t *this,
-						identification_t *id, char *rand, char *sres, char *kc)
-{
-	enumerator_t *enumerator;
-	identification_t *cand;
-	char *c_rand, *c_sres, *c_kc;
-
-	DBG2(DBG_CFG, "looking for triplet: %Y rand %b", id, rand, SIM_RAND_LEN);
-
-	enumerator = this->triplets->create_enumerator(this->triplets);
-	while (enumerator->enumerate(enumerator, &cand, &c_rand, &c_sres, &c_kc))
-	{
-		DBG2(DBG_CFG, "got a triplet: %Y rand %b\nsres %b\n kc %b", cand,
-			 c_rand, SIM_RAND_LEN, c_sres, SIM_SRES_LEN, c_kc, SIM_KC_LEN);
-		if (id->matches(id, cand))
-		{
-			if (memeq(c_rand, rand, SIM_RAND_LEN))
-			{
-				DBG2(DBG_CFG, "  => triplet matches");
-				memcpy(sres, c_sres, SIM_SRES_LEN);
-				memcpy(kc, c_kc, SIM_KC_LEN);
-				enumerator->destroy(enumerator);
-				return TRUE;
-			}
-		}
-	}
-	enumerator->destroy(enumerator);
-	return FALSE;
-}
-
-/**
- * Implementation of sim_card_t.get_quintuplet
- */
-static status_t get_quintuplet()
-{
-	return NOT_SUPPORTED;
-}
-
-/**
- * Implementation of eap_sim_file_card_t.destroy.
- */
-static void destroy(private_eap_sim_file_card_t *this)
-{
-	free(this);
-}
-
-/**
- * See header
- */
-eap_sim_file_card_t *eap_sim_file_card_create(eap_sim_file_triplets_t *triplets)
-{
-	private_eap_sim_file_card_t *this = malloc_thing(private_eap_sim_file_card_t);
-
-	this->public.card.get_triplet = (bool(*)(sim_card_t*, identification_t *id, char rand[SIM_RAND_LEN], char sres[SIM_SRES_LEN], char kc[SIM_KC_LEN]))get_triplet;
-	this->public.card.get_quintuplet = (status_t(*)(sim_card_t*, identification_t *id, char rand[AKA_RAND_LEN], char autn[AKA_AUTN_LEN], char ck[AKA_CK_LEN], char ik[AKA_IK_LEN], char res[AKA_RES_MAX], int *res_len))get_quintuplet;
-	this->public.card.resync = (bool(*)(sim_card_t*, identification_t *id, char rand[AKA_RAND_LEN], char auts[AKA_AUTS_LEN]))return_false;
-	this->public.card.get_pseudonym = (identification_t*(*)(sim_card_t*, identification_t *perm))return_null;
-	this->public.card.set_pseudonym = (void(*)(sim_card_t*, identification_t *id, identification_t *pseudonym))nop;
-	this->public.card.get_reauth = (identification_t*(*)(sim_card_t*, identification_t *id, char mk[HASH_SIZE_SHA1], u_int16_t *counter))return_null;
-	this->public.card.set_reauth = (void(*)(sim_card_t*, identification_t *id, identification_t* next, char mk[HASH_SIZE_SHA1], u_int16_t counter))nop;
-	this->public.destroy = (void(*)(eap_sim_file_card_t*))destroy;
-
-	this->triplets = triplets;
-
-	return &this->public;
-}
-
diff --git a/src/charon/plugins/eap_sim_file/eap_sim_file_card.h b/src/charon/plugins/eap_sim_file/eap_sim_file_card.h
deleted file mode 100644
index 1a5470968..000000000
--- a/src/charon/plugins/eap_sim_file/eap_sim_file_card.h
+++ /dev/null
@@ -1,53 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup eap_sim_file_card eap_sim_file_card
- * @{ @ingroup eap_sim_file
- */
-
-#ifndef EAP_SIM_FILE_CARD_H_
-#define EAP_SIM_FILE_CARD_H_
-
-#include "eap_sim_file_triplets.h"
-
-#include <sa/authenticators/eap/sim_manager.h>
-
-typedef struct eap_sim_file_card_t eap_sim_file_card_t;
-
-/**
- * SIM card implementation on top of a triplet file.
- */
-struct eap_sim_file_card_t {
-
-	/**
-	 * Implements sim_card_t interface
-	 */
-	sim_card_t card;
-
-	/**
-	 * Destroy a eap_sim_file_card_t.
-	 */
-	void (*destroy)(eap_sim_file_card_t *this);
-};
-
-/**
- * Create a eap_sim_file_card instance.
- *
- * @param triplets		source of triplets
- */
-eap_sim_file_card_t *eap_sim_file_card_create(eap_sim_file_triplets_t *triplets);
-
-#endif /** EAP_SIM_FILE_CARD_H_ @}*/
diff --git a/src/charon/plugins/eap_sim_file/eap_sim_file_plugin.c b/src/charon/plugins/eap_sim_file/eap_sim_file_plugin.c
deleted file mode 100644
index 22ad31703..000000000
--- a/src/charon/plugins/eap_sim_file/eap_sim_file_plugin.c
+++ /dev/null
@@ -1,90 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "eap_sim_file_plugin.h"
-#include "eap_sim_file_card.h"
-#include "eap_sim_file_provider.h"
-#include "eap_sim_file_triplets.h"
-
-#include <daemon.h>
-
-#define TRIPLET_FILE IPSEC_CONFDIR "/ipsec.d/triplets.dat"
-
-typedef struct private_eap_sim_file_t private_eap_sim_file_t;
-
-/**
- * Private data of an eap_sim_file_t object.
- */
-struct private_eap_sim_file_t {
-
-	/**
-	 * Public eap_sim_file_plugin_t interface.
-	 */
-	eap_sim_file_plugin_t public;
-
-	/**
-	 * SIM card
-	 */
-	eap_sim_file_card_t *card;
-
-	/**
-	 * SIM provider
-	 */
-	eap_sim_file_provider_t *provider;
-
-	/**
-	 * Triplet source
-	 */
-	eap_sim_file_triplets_t *triplets;
-};
-
-/**
- * Implementation of eap_sim_file_t.destroy.
- */
-static void destroy(private_eap_sim_file_t *this)
-{
-	charon->sim->remove_card(charon->sim, &this->card->card);
-	charon->sim->remove_provider(charon->sim, &this->provider->provider);
-	this->card->destroy(this->card);
-	this->provider->destroy(this->provider);
-	this->triplets->destroy(this->triplets);
-	free(this);
-}
-
-/**
- * See header
- */
-plugin_t *plugin_create()
-{
-	private_eap_sim_file_t *this = malloc_thing(private_eap_sim_file_t);
-
-	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-
-	this->triplets = eap_sim_file_triplets_create(TRIPLET_FILE);
-	this->provider = eap_sim_file_provider_create(this->triplets);
-	if (!this->provider)
-	{
-		this->triplets->destroy(this->triplets);
-		free(this);
-		return NULL;
-	}
-	this->card = eap_sim_file_card_create(this->triplets);
-
-	charon->sim->add_card(charon->sim, &this->card->card);
-	charon->sim->add_provider(charon->sim, &this->provider->provider);
-
-	return &this->public.plugin;
-}
-
diff --git a/src/charon/plugins/eap_sim_file/eap_sim_file_plugin.h b/src/charon/plugins/eap_sim_file/eap_sim_file_plugin.h
deleted file mode 100644
index 24857d0b0..000000000
--- a/src/charon/plugins/eap_sim_file/eap_sim_file_plugin.h
+++ /dev/null
@@ -1,47 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup eap_sim_file eap_sim_file
- * @ingroup cplugins
- *
- * @defgroup eap_sim_file_plugin eap_sim_file_plugin
- * @{ @ingroup eap_sim_file
- */
-
-#ifndef EAP_SIM_FILE_PLUGIN_H_
-#define EAP_SIM_FILE_PLUGIN_H_
-
-#include <plugins/plugin.h>
-
-typedef struct eap_sim_file_plugin_t eap_sim_file_plugin_t;
-
-/**
- * Plugin to provide a SIM card/provider on top of a triplet file.
- */
-struct eap_sim_file_plugin_t {
-
-	/**
-	 * implements plugin interface
-	 */
-	plugin_t plugin;
-};
-
-/**
- * Create a eap_sim_file_plugin instance.
- */
-plugin_t *plugin_create();
-
-#endif /** EAP_SIM_FILE_PLUGIN_H_ @}*/
diff --git a/src/charon/plugins/eap_sim_file/eap_sim_file_provider.c b/src/charon/plugins/eap_sim_file/eap_sim_file_provider.c
deleted file mode 100644
index 9bee31fc3..000000000
--- a/src/charon/plugins/eap_sim_file/eap_sim_file_provider.c
+++ /dev/null
@@ -1,93 +0,0 @@
-/*
- * Copyright (C) 2008-2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "eap_sim_file_provider.h"
-
-#include <daemon.h>
-
-typedef struct private_eap_sim_file_provider_t private_eap_sim_file_provider_t;
-
-/**
- * Private data of an eap_sim_file_provider_t object.
- */
-struct private_eap_sim_file_provider_t {
-
-	/**
-	 * Public eap_sim_file_provider_t interface.
-	 */
-	eap_sim_file_provider_t public;
-
-	/**
-	 * source of triplets
-	 */
-	eap_sim_file_triplets_t *triplets;
-};
-
-/**
- * Implementation of sim_provider_t.get_triplet
- */
-static bool get_triplet(private_eap_sim_file_provider_t *this,
-						identification_t *id, char *rand, char *sres, char *kc)
-{
-	enumerator_t *enumerator;
-	identification_t *cand;
-	char *c_rand, *c_sres, *c_kc;
-
-	enumerator = this->triplets->create_enumerator(this->triplets);
-	while (enumerator->enumerate(enumerator, &cand, &c_rand, &c_sres, &c_kc))
-	{
-		if (id->matches(id, cand))
-		{
-			memcpy(rand, c_rand, SIM_RAND_LEN);
-			memcpy(sres, c_sres, SIM_SRES_LEN);
-			memcpy(kc, c_kc, SIM_KC_LEN);
-			enumerator->destroy(enumerator);
-			return TRUE;
-		}
-	}
-	enumerator->destroy(enumerator);
-	return FALSE;
-}
-
-/**
- * Implementation of eap_sim_file_provider_t.destroy.
- */
-static void destroy(private_eap_sim_file_provider_t *this)
-{
-	free(this);
-}
-
-/**
- * See header
- */
-eap_sim_file_provider_t *eap_sim_file_provider_create(
-											eap_sim_file_triplets_t *triplets)
-{
-	private_eap_sim_file_provider_t *this = malloc_thing(private_eap_sim_file_provider_t);
-
-	this->public.provider.get_triplet = (bool(*)(sim_provider_t*, identification_t *id, char rand[SIM_RAND_LEN], char sres[SIM_SRES_LEN], char kc[SIM_KC_LEN]))get_triplet;
-	this->public.provider.get_quintuplet = (bool(*)(sim_provider_t*, identification_t *id, char rand[AKA_RAND_LEN], char xres[AKA_RES_MAX], int *xres_len, char ck[AKA_CK_LEN], char ik[AKA_IK_LEN], char autn[AKA_AUTN_LEN]))return_false;
-	this->public.provider.resync = (bool(*)(sim_provider_t*, identification_t *id, char rand[AKA_RAND_LEN], char auts[AKA_AUTS_LEN]))return_false;
-	this->public.provider.is_pseudonym = (identification_t*(*)(sim_provider_t*, identification_t *id))return_null;
-	this->public.provider.gen_pseudonym = (identification_t*(*)(sim_provider_t*, identification_t *id))return_null;
-	this->public.provider.is_reauth = (identification_t*(*)(sim_provider_t*, identification_t *id, char [HASH_SIZE_SHA1], u_int16_t *counter))return_null;
-	this->public.provider.gen_reauth = (identification_t*(*)(sim_provider_t*, identification_t *id, char mk[HASH_SIZE_SHA1]))return_null;
-	this->public.destroy = (void(*)(eap_sim_file_provider_t*))destroy;
-
-	this->triplets = triplets;
-
-	return &this->public;
-}
-
diff --git a/src/charon/plugins/eap_sim_file/eap_sim_file_provider.h b/src/charon/plugins/eap_sim_file/eap_sim_file_provider.h
deleted file mode 100644
index 10fda282a..000000000
--- a/src/charon/plugins/eap_sim_file/eap_sim_file_provider.h
+++ /dev/null
@@ -1,50 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup eap_sim_file_provider eap_sim_file_provider
- * @{ @ingroup eap_sim_file
- */
-
-#ifndef EAP_SIM_FILE_PROVIDER_H_
-#define EAP_SIM_FILE_PROVIDER_H_
-
-#include "eap_sim_file_triplets.h"
-
-typedef struct eap_sim_file_provider_t eap_sim_file_provider_t;
-
-/**
- * SIM provider implementation on top of triplets file.
- */
-struct eap_sim_file_provider_t {
-
-	/**
-	 * Implements sim_provider_t interface.
-	 */
-	sim_provider_t provider;
-
-	/**
-	 * Destroy a eap_sim_file_provider_t.
-	 */
-	void (*destroy)(eap_sim_file_provider_t *this);
-};
-
-/**
- * Create a eap_sim_file_provider instance.
- */
-eap_sim_file_provider_t *eap_sim_file_provider_create(
-											eap_sim_file_triplets_t *triplets);
-
-#endif /** EAP_SIM_FILE_PROVIDER_H_ @}*/
diff --git a/src/charon/plugins/eap_sim_file/eap_sim_file_triplets.c b/src/charon/plugins/eap_sim_file/eap_sim_file_triplets.c
deleted file mode 100644
index 6b7d99fb7..000000000
--- a/src/charon/plugins/eap_sim_file/eap_sim_file_triplets.c
+++ /dev/null
@@ -1,260 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "eap_sim_file_triplets.h"
-
-#include <stdio.h>
-#include <errno.h>
-
-#include <daemon.h>
-#include <utils/linked_list.h>
-#include <threading/mutex.h>
-
-typedef struct private_eap_sim_file_triplets_t private_eap_sim_file_triplets_t;
-
-/**
- * Private data of an eap_sim_file_triplets_t object.
- */
-struct private_eap_sim_file_triplets_t {
-
-	/**
-	 * Public eap_sim_file_triplets_t interface.
-	 */
-	eap_sim_file_triplets_t public;
-
-	/**
-	 * List of triplets, as triplet_t
-	 */
-	linked_list_t *triplets;
-
-	/**
-	 * mutex to lock triplets list
-	 */
-	mutex_t *mutex;
-};
-
-/**
- * A single triplet
- */
-typedef struct  {
-	identification_t *imsi;
-	char rand[SIM_RAND_LEN];
-	char sres[SIM_SRES_LEN];
-	char kc[SIM_KC_LEN];
-} triplet_t;
-
-/**
- * Destroy a triplet
- */
-static void triplet_destroy(triplet_t *this)
-{
-	DESTROY_IF(this->imsi);
-	free(this);
-}
-
-/**
- * triplet enumerator
- */
-typedef struct {
-	/** implements enumerator */
-	enumerator_t public;
-	/** inner enumerator */
-	enumerator_t *inner;
-	/** current enumerating triplet */
-	triplet_t *current;
-	/** back ptr */
-	private_eap_sim_file_triplets_t *this;
-} triplet_enumerator_t;
-
-/**
- * destroy a triplet enumerator
- */
-static void enumerator_destroy(triplet_enumerator_t *e)
-{
-	if (e->current)
-	{
-		/* We assume that the current element is used on invocation if destroy.
-		 * We move that triplet to the end to avoid handout of the same triplet
-		 * next time. */
-		e->this->triplets->remove_at(e->this->triplets, e->inner);
-		e->this->triplets->insert_last(e->this->triplets, e->current);
-	}
-	e->inner->destroy(e->inner);
-	e->this->mutex->unlock(e->this->mutex);
-	free(e);
-}
-
-/**
- * enumerate through triplets
- */
-static bool enumerator_enumerate(triplet_enumerator_t *e, identification_t **imsi,
-								 char **rand, char **sres, char **kc)
-{
-	triplet_t *triplet;
-
-	if (e->inner->enumerate(e->inner, &triplet))
-	{
-		e->current = triplet;
-		*imsi = triplet->imsi;
-		*rand = triplet->rand;
-		*sres = triplet->sres;
-		*kc = triplet->kc;
-		return TRUE;
-	}
-	e->current = NULL;
-	return FALSE;
-}
-
-/**
- * Implementation of eap_sim_file_triplets_t.create_enumerator
- */
-static enumerator_t* create_enumerator(private_eap_sim_file_triplets_t *this)
-{
-	triplet_enumerator_t *enumerator = malloc_thing(triplet_enumerator_t);
-
-	this->mutex->lock(this->mutex);
-	enumerator->public.enumerate = (void*)enumerator_enumerate;
-	enumerator->public.destroy = (void*)enumerator_destroy;
-	enumerator->inner = this->triplets->create_enumerator(this->triplets);
-	enumerator->current = NULL;
-	enumerator->this = this;
-
-	return &enumerator->public;
-}
-
-/**
- * convert to token into the array
- */
-static void parse_token(char *to, char *from, size_t len)
-{
-	chunk_t chunk;
-
-	chunk = chunk_create(from, min(strlen(from), len * 2));
-	chunk = chunk_from_hex(chunk, NULL);
-	memset(to, 0, len);
-	memcpy(to + len - chunk.len, chunk.ptr, chunk.len);
-	free(chunk.ptr);
-}
-
-/**
- * Read the triplets from the file
- */
-static void read_triplets(private_eap_sim_file_triplets_t *this, char *path)
-{
-	char line[512];
-	FILE *file;
-	int i, nr = 0;
-
-	file = fopen(path, "r");
-	if (file == NULL)
-	{
-		DBG1(DBG_CFG, "opening triplet file %s failed: %s",
-			 path, strerror(errno));
-		return;
-	}
-
-	/* read line by line */
-	while (fgets(line, sizeof(line), file))
-	{
-		triplet_t *triplet;
-		enumerator_t *enumerator;
-		char *token;
-
-		nr++;
-		/* skip comments, empty lines */
-		switch (line[0])
-		{
-			case '\n':
-			case '\r':
-			case '#':
-			case '\0':
-				continue;
-			default:
-				break;
-		}
-		triplet = malloc_thing(triplet_t);
-		memset(triplet, 0, sizeof(triplet_t));
-
-		i = 0;
-		enumerator = enumerator_create_token(line, ",", " \n\r#");
-		while (enumerator->enumerate(enumerator, &token))
-		{
-			switch (i++)
-			{
-				case 0: /* IMSI */
-					triplet->imsi = identification_create_from_string(token);
-					continue;
-				case 1: /* rand */
-					parse_token(triplet->rand, token, SIM_RAND_LEN);
-					continue;
-				case 2: /* sres */
-					parse_token(triplet->sres, token, SIM_SRES_LEN);
-					continue;
-				case 3: /* kc */
-					parse_token(triplet->kc, token, SIM_KC_LEN);
-					continue;
-				default:
-					break;;
-			}
-			break;
-		}
-		enumerator->destroy(enumerator);
-		if (i < 4)
-		{
-			DBG1(DBG_CFG, "error in triplet file, line %d", nr);
-			triplet_destroy(triplet);
-			continue;
-		}
-
-		DBG2(DBG_CFG, "triplet: imsi %Y\nrand %b\nsres %b\nkc %b",
-			 triplet->imsi, triplet->rand, SIM_RAND_LEN,
-			 triplet->sres, SIM_SRES_LEN, triplet->kc, SIM_KC_LEN);
-
-		this->triplets->insert_last(this->triplets, triplet);
-	}
-	fclose(file);
-
-	DBG1(DBG_CFG, "read %d triplets from %s",
-		 this->triplets->get_count(this->triplets), path);
-}
-
-/**
- * Implementation of eap_sim_file_triplets_t.destroy.
- */
-static void destroy(private_eap_sim_file_triplets_t *this)
-{
-	this->triplets->destroy_function(this->triplets, (void*)triplet_destroy);
-	this->mutex->destroy(this->mutex);
-	free(this);
-}
-
-/**
- * See header
- */
-eap_sim_file_triplets_t *eap_sim_file_triplets_create(char *file)
-{
-	private_eap_sim_file_triplets_t *this = malloc_thing(private_eap_sim_file_triplets_t);
-
-	this->public.create_enumerator = (enumerator_t*(*)(eap_sim_file_triplets_t*))create_enumerator;
-	this->public.destroy = (void(*)(eap_sim_file_triplets_t*))destroy;
-
-	this->triplets = linked_list_create();
-	this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
-
-	read_triplets(this, file);
-
-	return &this->public;
-}
-
diff --git a/src/charon/plugins/eap_sim_file/eap_sim_file_triplets.h b/src/charon/plugins/eap_sim_file/eap_sim_file_triplets.h
deleted file mode 100644
index 8f8130810..000000000
--- a/src/charon/plugins/eap_sim_file/eap_sim_file_triplets.h
+++ /dev/null
@@ -1,56 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup eap_sim_file_triplets eap_sim_file_triplets
- * @{ @ingroup eap_sim_file
- */
-
-#ifndef EAP_SIM_FILE_TRIPLETS_H_
-#define EAP_SIM_FILE_TRIPLETS_H_
-
-#include <sa/authenticators/eap/sim_manager.h>
-
-typedef struct eap_sim_file_triplets_t eap_sim_file_triplets_t;
-
-/**
- * Reads triplets from a triplets.dat file.
- *
- * The file is in freeradius triplet file syntax:
- * http://www.freeradius.org/radiusd/doc/rlm_sim_triplets
- */
-struct eap_sim_file_triplets_t {
-
-	/**
-	 * Create an enumerator over the file's triplets.
-	 *
-	 * @return			enumerator over (identity, rand, sres, kc)
-	 */
-	enumerator_t* (*create_enumerator)(eap_sim_file_triplets_t *this);
-
-	/**
-	 * Destroy a eap_sim_file_triplets_t.
-	 */
-	void (*destroy)(eap_sim_file_triplets_t *this);
-};
-
-/**
- * Create a eap_sim_file_triplets instance.
- *
- * @param file		triplet file to read from
- */
-eap_sim_file_triplets_t *eap_sim_file_triplets_create(char *file);
-
-#endif /** EAP_SIM_FILE_TRIPLETS_H_ @}*/
diff --git a/src/charon/plugins/eap_simaka_pseudonym/Makefile.am b/src/charon/plugins/eap_simaka_pseudonym/Makefile.am
deleted file mode 100644
index fe87d6d62..000000000
--- a/src/charon/plugins/eap_simaka_pseudonym/Makefile.am
+++ /dev/null
@@ -1,13 +0,0 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
-
-AM_CFLAGS = -rdynamic
-
-plugin_LTLIBRARIES = libstrongswan-eap-simaka-pseudonym.la
-
-libstrongswan_eap_simaka_pseudonym_la_SOURCES = \
-  eap_simaka_pseudonym_plugin.h eap_simaka_pseudonym_plugin.c \
-  eap_simaka_pseudonym_card.h eap_simaka_pseudonym_card.c \
-  eap_simaka_pseudonym_provider.h eap_simaka_pseudonym_provider.c
-libstrongswan_eap_simaka_pseudonym_la_LDFLAGS = -module -avoid-version
-
diff --git a/src/charon/plugins/eap_simaka_pseudonym/Makefile.in b/src/charon/plugins/eap_simaka_pseudonym/Makefile.in
deleted file mode 100644
index 392331fb1..000000000
--- a/src/charon/plugins/eap_simaka_pseudonym/Makefile.in
+++ /dev/null
@@ -1,577 +0,0 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
-# @configure_input@
-
-# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
-# This Makefile.in is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
-# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
-# PARTICULAR PURPOSE.
-
-@SET_MAKE@
-
-VPATH = @srcdir@
-pkgdatadir = $(datadir)/@PACKAGE@
-pkgincludedir = $(includedir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
-pkglibexecdir = $(libexecdir)/@PACKAGE@
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-install_sh_DATA = $(install_sh) -c -m 644
-install_sh_PROGRAM = $(install_sh) -c
-install_sh_SCRIPT = $(install_sh) -c
-INSTALL_HEADER = $(INSTALL_DATA)
-transform = $(program_transform_name)
-NORMAL_INSTALL = :
-PRE_INSTALL = :
-POST_INSTALL = :
-NORMAL_UNINSTALL = :
-PRE_UNINSTALL = :
-POST_UNINSTALL = :
-build_triplet = @build@
-host_triplet = @host@
-subdir = src/charon/plugins/eap_simaka_pseudonym
-DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
-ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
-	$(top_srcdir)/m4/config/ltoptions.m4 \
-	$(top_srcdir)/m4/config/ltsugar.m4 \
-	$(top_srcdir)/m4/config/ltversion.m4 \
-	$(top_srcdir)/m4/config/lt~obsolete.m4 \
-	$(top_srcdir)/m4/macros/with.m4 \
-	$(top_srcdir)/m4/macros/enable-disable.m4 \
-	$(top_srcdir)/configure.in
-am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
-	$(ACLOCAL_M4)
-mkinstalldirs = $(install_sh) -d
-CONFIG_CLEAN_FILES =
-CONFIG_CLEAN_VPATH_FILES =
-am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
-am__vpath_adj = case $$p in \
-    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
-    *) f=$$p;; \
-  esac;
-am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
-am__install_max = 40
-am__nobase_strip_setup = \
-  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
-am__nobase_strip = \
-  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
-am__nobase_list = $(am__nobase_strip_setup); \
-  for p in $$list; do echo "$$p $$p"; done | \
-  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
-  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
-    if (++n[$$2] == $(am__install_max)) \
-      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
-    END { for (dir in files) print dir, files[dir] }'
-am__base_list = \
-  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
-  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
-am__installdirs = "$(DESTDIR)$(plugindir)"
-LTLIBRARIES = $(plugin_LTLIBRARIES)
-libstrongswan_eap_simaka_pseudonym_la_LIBADD =
-am_libstrongswan_eap_simaka_pseudonym_la_OBJECTS =  \
-	eap_simaka_pseudonym_plugin.lo eap_simaka_pseudonym_card.lo \
-	eap_simaka_pseudonym_provider.lo
-libstrongswan_eap_simaka_pseudonym_la_OBJECTS =  \
-	$(am_libstrongswan_eap_simaka_pseudonym_la_OBJECTS)
-libstrongswan_eap_simaka_pseudonym_la_LINK = $(LIBTOOL) --tag=CC \
-	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
-	$(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_eap_simaka_pseudonym_la_LDFLAGS) $(LDFLAGS) -o \
-	$@
-DEFAULT_INCLUDES = -I.@am__isrc@
-depcomp = $(SHELL) $(top_srcdir)/depcomp
-am__depfiles_maybe = depfiles
-am__mv = mv -f
-COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
-	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
-SOURCES = $(libstrongswan_eap_simaka_pseudonym_la_SOURCES)
-DIST_SOURCES = $(libstrongswan_eap_simaka_pseudonym_la_SOURCES)
-ETAGS = etags
-CTAGS = ctags
-DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
-ACLOCAL = @ACLOCAL@
-ALLOCA = @ALLOCA@
-AMTAR = @AMTAR@
-AR = @AR@
-AUTOCONF = @AUTOCONF@
-AUTOHEADER = @AUTOHEADER@
-AUTOMAKE = @AUTOMAKE@
-AWK = @AWK@
-BTLIB = @BTLIB@
-CC = @CC@
-CCDEPMODE = @CCDEPMODE@
-CFLAGS = @CFLAGS@
-CPP = @CPP@
-CPPFLAGS = @CPPFLAGS@
-CYGPATH_W = @CYGPATH_W@
-DEFS = @DEFS@
-DEPDIR = @DEPDIR@
-DLLIB = @DLLIB@
-DSYMUTIL = @DSYMUTIL@
-DUMPBIN = @DUMPBIN@
-ECHO_C = @ECHO_C@
-ECHO_N = @ECHO_N@
-ECHO_T = @ECHO_T@
-EGREP = @EGREP@
-EXEEXT = @EXEEXT@
-FGREP = @FGREP@
-GPERF = @GPERF@
-GREP = @GREP@
-INSTALL = @INSTALL@
-INSTALL_DATA = @INSTALL_DATA@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@
-INSTALL_SCRIPT = @INSTALL_SCRIPT@
-INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-LD = @LD@
-LDFLAGS = @LDFLAGS@
-LEX = @LEX@
-LEXLIB = @LEXLIB@
-LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBOBJS = @LIBOBJS@
-LIBS = @LIBS@
-LIBTOOL = @LIBTOOL@
-LIPO = @LIPO@
-LN_S = @LN_S@
-LTLIBOBJS = @LTLIBOBJS@
-MAKEINFO = @MAKEINFO@
-MKDIR_P = @MKDIR_P@
-MYSQLCFLAG = @MYSQLCFLAG@
-MYSQLCONFIG = @MYSQLCONFIG@
-MYSQLLIB = @MYSQLLIB@
-NM = @NM@
-NMEDIT = @NMEDIT@
-OBJDUMP = @OBJDUMP@
-OBJEXT = @OBJEXT@
-OTOOL = @OTOOL@
-OTOOL64 = @OTOOL64@
-PACKAGE = @PACKAGE@
-PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
-PACKAGE_NAME = @PACKAGE_NAME@
-PACKAGE_STRING = @PACKAGE_STRING@
-PACKAGE_TARNAME = @PACKAGE_TARNAME@
-PACKAGE_URL = @PACKAGE_URL@
-PACKAGE_VERSION = @PACKAGE_VERSION@
-PATH_SEPARATOR = @PATH_SEPARATOR@
-PERL = @PERL@
-PKG_CONFIG = @PKG_CONFIG@
-PTHREADLIB = @PTHREADLIB@
-RANLIB = @RANLIB@
-RTLIB = @RTLIB@
-RUBY = @RUBY@
-RUBYINCLUDE = @RUBYINCLUDE@
-SED = @SED@
-SET_MAKE = @SET_MAKE@
-SHELL = @SHELL@
-SOCKLIB = @SOCKLIB@
-STRIP = @STRIP@
-VERSION = @VERSION@
-YACC = @YACC@
-YFLAGS = @YFLAGS@
-abs_builddir = @abs_builddir@
-abs_srcdir = @abs_srcdir@
-abs_top_builddir = @abs_top_builddir@
-abs_top_srcdir = @abs_top_srcdir@
-ac_ct_CC = @ac_ct_CC@
-ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
-am__include = @am__include@
-am__leading_dot = @am__leading_dot@
-am__quote = @am__quote@
-am__tar = @am__tar@
-am__untar = @am__untar@
-bindir = @bindir@
-build = @build@
-build_alias = @build_alias@
-build_cpu = @build_cpu@
-build_os = @build_os@
-build_vendor = @build_vendor@
-builddir = @builddir@
-datadir = @datadir@
-datarootdir = @datarootdir@
-default_pkcs11 = @default_pkcs11@
-docdir = @docdir@
-dvidir = @dvidir@
-exec_prefix = @exec_prefix@
-gtk_CFLAGS = @gtk_CFLAGS@
-gtk_LIBS = @gtk_LIBS@
-host = @host@
-host_alias = @host_alias@
-host_cpu = @host_cpu@
-host_os = @host_os@
-host_vendor = @host_vendor@
-htmldir = @htmldir@
-includedir = @includedir@
-infodir = @infodir@
-install_sh = @install_sh@
-ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
-ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
-ipsecuser = @ipsecuser@
-libdir = @libdir@
-libexecdir = @libexecdir@
-libstrongswan_plugins = @libstrongswan_plugins@
-linux_headers = @linux_headers@
-localedir = @localedir@
-localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
-mandir = @mandir@
-mkdir_p = @mkdir_p@
-nm_CFLAGS = @nm_CFLAGS@
-nm_LIBS = @nm_LIBS@
-nm_ca_dir = @nm_ca_dir@
-oldincludedir = @oldincludedir@
-pdfdir = @pdfdir@
-piddir = @piddir@
-plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
-prefix = @prefix@
-program_transform_name = @program_transform_name@
-psdir = @psdir@
-random_device = @random_device@
-resolv_conf = @resolv_conf@
-routing_table = @routing_table@
-routing_table_prio = @routing_table_prio@
-sbindir = @sbindir@
-sharedstatedir = @sharedstatedir@
-srcdir = @srcdir@
-strongswan_conf = @strongswan_conf@
-sysconfdir = @sysconfdir@
-target_alias = @target_alias@
-top_build_prefix = @top_build_prefix@
-top_builddir = @top_builddir@
-top_srcdir = @top_srcdir@
-urandom_device = @urandom_device@
-xml_CFLAGS = @xml_CFLAGS@
-xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
-AM_CFLAGS = -rdynamic
-plugin_LTLIBRARIES = libstrongswan-eap-simaka-pseudonym.la
-libstrongswan_eap_simaka_pseudonym_la_SOURCES = \
-  eap_simaka_pseudonym_plugin.h eap_simaka_pseudonym_plugin.c \
-  eap_simaka_pseudonym_card.h eap_simaka_pseudonym_card.c \
-  eap_simaka_pseudonym_provider.h eap_simaka_pseudonym_provider.c
-
-libstrongswan_eap_simaka_pseudonym_la_LDFLAGS = -module -avoid-version
-all: all-am
-
-.SUFFIXES:
-.SUFFIXES: .c .lo .o .obj
-$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
-	@for dep in $?; do \
-	  case '$(am__configure_deps)' in \
-	    *$$dep*) \
-	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
-	        && { if test -f $@; then exit 0; else break; fi; }; \
-	      exit 1;; \
-	  esac; \
-	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/charon/plugins/eap_simaka_pseudonym/Makefile'; \
-	$(am__cd) $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu src/charon/plugins/eap_simaka_pseudonym/Makefile
-.PRECIOUS: Makefile
-Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
-	@case '$?' in \
-	  *config.status*) \
-	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
-	  *) \
-	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
-	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
-	esac;
-
-$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-
-$(top_srcdir)/configure:  $(am__configure_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(am__aclocal_m4_deps):
-install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
-	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
-	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
-	list2=; for p in $$list; do \
-	  if test -f $$p; then \
-	    list2="$$list2 $$p"; \
-	  else :; fi; \
-	done; \
-	test -z "$$list2" || { \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
-	}
-
-uninstall-pluginLTLIBRARIES:
-	@$(NORMAL_UNINSTALL)
-	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
-	for p in $$list; do \
-	  $(am__strip_dir) \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
-	done
-
-clean-pluginLTLIBRARIES:
-	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
-	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
-	  test "$$dir" != "$$p" || dir=.; \
-	  echo "rm -f \"$${dir}/so_locations\""; \
-	  rm -f "$${dir}/so_locations"; \
-	done
-libstrongswan-eap-simaka-pseudonym.la: $(libstrongswan_eap_simaka_pseudonym_la_OBJECTS) $(libstrongswan_eap_simaka_pseudonym_la_DEPENDENCIES) 
-	$(libstrongswan_eap_simaka_pseudonym_la_LINK) -rpath $(plugindir) $(libstrongswan_eap_simaka_pseudonym_la_OBJECTS) $(libstrongswan_eap_simaka_pseudonym_la_LIBADD) $(LIBS)
-
-mostlyclean-compile:
-	-rm -f *.$(OBJEXT)
-
-distclean-compile:
-	-rm -f *.tab.c
-
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_simaka_pseudonym_card.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_simaka_pseudonym_plugin.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_simaka_pseudonym_provider.Plo@am__quote@
-
-.c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
-
-.c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
-
-.c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
-
-mostlyclean-libtool:
-	-rm -f *.lo
-
-clean-libtool:
-	-rm -rf .libs _libs
-
-ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
-	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	mkid -fID $$unique
-tags: TAGS
-
-TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	set x; \
-	here=`pwd`; \
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	shift; \
-	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
-	  test -n "$$unique" || unique=$$empty_fix; \
-	  if test $$# -gt 0; then \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      "$$@" $$unique; \
-	  else \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      $$unique; \
-	  fi; \
-	fi
-ctags: CTAGS
-CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$unique" \
-	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$unique
-
-GTAGS:
-	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && $(am__cd) $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) "$$here"
-
-distclean-tags:
-	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
-
-distdir: $(DISTFILES)
-	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	list='$(DISTFILES)'; \
-	  dist_files=`for file in $$list; do echo $$file; done | \
-	  sed -e "s|^$$srcdirstrip/||;t" \
-	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
-	case $$dist_files in \
-	  */*) $(MKDIR_P) `echo "$$dist_files" | \
-			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
-			   sort -u` ;; \
-	esac; \
-	for file in $$dist_files; do \
-	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  if test -d $$d/$$file; then \
-	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
-	    if test -d "$(distdir)/$$file"; then \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
-	  else \
-	    test -f "$(distdir)/$$file" \
-	    || cp -p $$d/$$file "$(distdir)/$$file" \
-	    || exit 1; \
-	  fi; \
-	done
-check-am: all-am
-check: check-am
-all-am: Makefile $(LTLIBRARIES)
-installdirs:
-	for dir in "$(DESTDIR)$(plugindir)"; do \
-	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
-	done
-install: install-am
-install-exec: install-exec-am
-install-data: install-data-am
-uninstall: uninstall-am
-
-install-am: all-am
-	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
-
-installcheck: installcheck-am
-install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
-mostlyclean-generic:
-
-clean-generic:
-
-distclean-generic:
-	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
-
-maintainer-clean-generic:
-	@echo "This command is intended for maintainers to use"
-	@echo "it deletes files that may require special tools to rebuild."
-clean: clean-am
-
-clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
-	mostlyclean-am
-
-distclean: distclean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-distclean-am: clean-am distclean-compile distclean-generic \
-	distclean-tags
-
-dvi: dvi-am
-
-dvi-am:
-
-html: html-am
-
-html-am:
-
-info: info-am
-
-info-am:
-
-install-data-am: install-pluginLTLIBRARIES
-
-install-dvi: install-dvi-am
-
-install-dvi-am:
-
-install-exec-am:
-
-install-html: install-html-am
-
-install-html-am:
-
-install-info: install-info-am
-
-install-info-am:
-
-install-man:
-
-install-pdf: install-pdf-am
-
-install-pdf-am:
-
-install-ps: install-ps-am
-
-install-ps-am:
-
-installcheck-am:
-
-maintainer-clean: maintainer-clean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-maintainer-clean-am: distclean-am maintainer-clean-generic
-
-mostlyclean: mostlyclean-am
-
-mostlyclean-am: mostlyclean-compile mostlyclean-generic \
-	mostlyclean-libtool
-
-pdf: pdf-am
-
-pdf-am:
-
-ps: ps-am
-
-ps-am:
-
-uninstall-am: uninstall-pluginLTLIBRARIES
-
-.MAKE: install-am install-strip
-
-.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
-	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
-	distclean-compile distclean-generic distclean-libtool \
-	distclean-tags distdir dvi dvi-am html html-am info info-am \
-	install install-am install-data install-data-am install-dvi \
-	install-dvi-am install-exec install-exec-am install-html \
-	install-html-am install-info install-info-am install-man \
-	install-pdf install-pdf-am install-pluginLTLIBRARIES \
-	install-ps install-ps-am install-strip installcheck \
-	installcheck-am installdirs maintainer-clean \
-	maintainer-clean-generic mostlyclean mostlyclean-compile \
-	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
-
-
-# Tell versions [3.59,3.63) of GNU make to not export all variables.
-# Otherwise a system limit (for SysV at least) may be exceeded.
-.NOEXPORT:
diff --git a/src/charon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_card.c b/src/charon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_card.c
deleted file mode 100644
index 9b0f1bc71..000000000
--- a/src/charon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_card.c
+++ /dev/null
@@ -1,154 +0,0 @@
-/*
- * Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "eap_simaka_pseudonym_card.h"
-
-#include <daemon.h>
-#include <utils/hashtable.h>
-
-typedef struct private_eap_simaka_pseudonym_card_t private_eap_simaka_pseudonym_card_t;
-
-/**
- * Private data of an eap_simaka_pseudonym_card_t object.
- */
-struct private_eap_simaka_pseudonym_card_t {
-
-	/**
-	 * Public eap_simaka_pseudonym_card_t interface.
-	 */
-	eap_simaka_pseudonym_card_t public;
-
-	/**
-	 * Permanent -> pseudonym mappings
-	 */
-	hashtable_t *pseudonym;
-
-	/**
-	 * Reverse pseudonym -> permanent mappings
-	 */
-	hashtable_t *permanent;
-};
-
-/**
- * hashtable hash function
- */
-static u_int hash(identification_t *key)
-{
-	return chunk_hash(key->get_encoding(key));
-}
-
-/**
- * hashtable equals function
- */
-static bool equals(identification_t *key1, identification_t *key2)
-{
-	return key1->equals(key1, key2);
-}
-
-/**
- * Implementation of sim_card_t.get_pseudonym
- */
-static identification_t *get_pseudonym(private_eap_simaka_pseudonym_card_t *this,
-									   identification_t *id)
-{
-	identification_t *pseudonym;
-
-	pseudonym = this->pseudonym->get(this->pseudonym, id);
-	if (pseudonym)
-	{
-		return pseudonym->clone(pseudonym);
-	}
-	return NULL;
-}
-
-/**
- * Implementation of sim_card_t.set_pseudonym
- */
-static void set_pseudonym(private_eap_simaka_pseudonym_card_t *this,
-						  identification_t *id, identification_t *pseudonym)
-{
-	identification_t *permanent;
-
-	/* create new entries */
-	id = id->clone(id);
-	pseudonym = pseudonym->clone(pseudonym);
-	permanent = this->permanent->put(this->permanent, pseudonym, id);
-	pseudonym = this->pseudonym->put(this->pseudonym, id, pseudonym);
-
-	/* delete old entries */
-	DESTROY_IF(permanent);
-	DESTROY_IF(pseudonym);
-}
-
-/**
- * Implementation of sim_card_t.get_quintuplet
- */
-static status_t get_quintuplet()
-{
-	return NOT_SUPPORTED;
-}
-
-/**
- * Implementation of eap_simaka_pseudonym_card_t.destroy.
- */
-static void destroy(private_eap_simaka_pseudonym_card_t *this)
-{
-	enumerator_t *enumerator;
-	identification_t *id;
-	void *key;
-
-	enumerator = this->pseudonym->create_enumerator(this->pseudonym);
-	while (enumerator->enumerate(enumerator, &key, &id))
-	{
-		id->destroy(id);
-	}
-	enumerator->destroy(enumerator);
-
-	enumerator = this->permanent->create_enumerator(this->permanent);
-	while (enumerator->enumerate(enumerator, &key, &id))
-	{
-		id->destroy(id);
-	}
-	enumerator->destroy(enumerator);
-
-	this->pseudonym->destroy(this->pseudonym);
-	this->permanent->destroy(this->permanent);
-	free(this);
-}
-
-/**
- * See header
- */
-eap_simaka_pseudonym_card_t *eap_simaka_pseudonym_card_create()
-{
-	private_eap_simaka_pseudonym_card_t *this;
-
-	this = malloc_thing(private_eap_simaka_pseudonym_card_t);
-
-	this->public.card.get_triplet = (bool(*)(sim_card_t*, identification_t *id, char rand[SIM_RAND_LEN], char sres[SIM_SRES_LEN], char kc[SIM_KC_LEN]))return_false;
-	this->public.card.get_quintuplet = (status_t(*)(sim_card_t*, identification_t *id, char rand[AKA_RAND_LEN], char autn[AKA_AUTN_LEN], char ck[AKA_CK_LEN], char ik[AKA_IK_LEN], char res[AKA_RES_MAX], int *res_len))get_quintuplet;
-	this->public.card.resync = (bool(*)(sim_card_t*, identification_t *id, char rand[AKA_RAND_LEN], char auts[AKA_AUTS_LEN]))return_false;
-	this->public.card.get_pseudonym = (identification_t*(*)(sim_card_t*, identification_t *perm))get_pseudonym;
-	this->public.card.set_pseudonym = (void(*)(sim_card_t*, identification_t *id, identification_t *pseudonym))set_pseudonym;
-	this->public.card.get_reauth = (identification_t*(*)(sim_card_t*, identification_t *id, char mk[HASH_SIZE_SHA1], u_int16_t *counter))return_null;
-	this->public.card.set_reauth = (void(*)(sim_card_t*, identification_t *id, identification_t* next, char mk[HASH_SIZE_SHA1], u_int16_t counter))nop;
-	this->public.destroy = (void(*)(eap_simaka_pseudonym_card_t*))destroy;
-
-	this->pseudonym = hashtable_create((void*)hash, (void*)equals, 0);
-	this->permanent = hashtable_create((void*)hash, (void*)equals, 0);
-
-	return &this->public;
-}
-
diff --git a/src/charon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_card.h b/src/charon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_card.h
deleted file mode 100644
index 1b5940fdc..000000000
--- a/src/charon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_card.h
+++ /dev/null
@@ -1,49 +0,0 @@
-/*
- * Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup eap_simaka_pseudonym_card eap_simaka_pseudonym_card
- * @{ @ingroup eap_simaka_pseudonym
- */
-
-#ifndef EAP_SIMAKA_PSEUDONYM_CARD_H_
-#define EAP_SIMAKA_PSEUDONYM_CARD_H_
-
-#include <sa/authenticators/eap/sim_manager.h>
-
-typedef struct eap_simaka_pseudonym_card_t eap_simaka_pseudonym_card_t;
-
-/**
- * SIM card implementing volatile in-memory pseudonym storage.
- */
-struct eap_simaka_pseudonym_card_t {
-
-	/**
-	 * Implements sim_card_t interface
-	 */
-	sim_card_t card;
-
-	/**
-	 * Destroy a eap_simaka_pseudonym_card_t.
-	 */
-	void (*destroy)(eap_simaka_pseudonym_card_t *this);
-};
-
-/**
- * Create a eap_simaka_pseudonym_card instance.
- */
-eap_simaka_pseudonym_card_t *eap_simaka_pseudonym_card_create();
-
-#endif /** EAP_SIMAKA_PSEUDONYM_CARD_H_ @}*/
diff --git a/src/charon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_plugin.c b/src/charon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_plugin.c
deleted file mode 100644
index e4e179a7d..000000000
--- a/src/charon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_plugin.c
+++ /dev/null
@@ -1,81 +0,0 @@
-/*
- * Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "eap_simaka_pseudonym_plugin.h"
-#include "eap_simaka_pseudonym_card.h"
-#include "eap_simaka_pseudonym_provider.h"
-
-#include <daemon.h>
-
-typedef struct private_eap_simaka_pseudonym_t private_eap_simaka_pseudonym_t;
-
-/**
- * Private data of an eap_simaka_pseudonym_t object.
- */
-struct private_eap_simaka_pseudonym_t {
-
-	/**
-	 * Public eap_simaka_pseudonym_plugin_t interface.
-	 */
-	eap_simaka_pseudonym_plugin_t public;
-
-	/**
-	 * SIM card
-	 */
-	eap_simaka_pseudonym_card_t *card;
-
-	/**
-	 * SIM provider
-	 */
-	eap_simaka_pseudonym_provider_t *provider;
-};
-
-/**
- * Implementation of eap_simaka_pseudonym_t.destroy.
- */
-static void destroy(private_eap_simaka_pseudonym_t *this)
-{
-	charon->sim->remove_card(charon->sim, &this->card->card);
-	charon->sim->remove_provider(charon->sim, &this->provider->provider);
-	this->card->destroy(this->card);
-	this->provider->destroy(this->provider);
-	free(this);
-}
-
-/**
- * See header
- */
-plugin_t *plugin_create()
-{
-	private_eap_simaka_pseudonym_t *this;
-
-	this = malloc_thing(private_eap_simaka_pseudonym_t);
-
-	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-
-	this->provider = eap_simaka_pseudonym_provider_create();
-	if (!this->provider)
-	{
-		free(this);
-		return NULL;
-	}
-	this->card = eap_simaka_pseudonym_card_create();
-
-	charon->sim->add_card(charon->sim, &this->card->card);
-	charon->sim->add_provider(charon->sim, &this->provider->provider);
-
-	return &this->public.plugin;
-}
-
diff --git a/src/charon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_plugin.h b/src/charon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_plugin.h
deleted file mode 100644
index 032604eb1..000000000
--- a/src/charon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_plugin.h
+++ /dev/null
@@ -1,47 +0,0 @@
-/*
- * Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup eap_simaka_pseudonym eap_simaka_pseudonym
- * @ingroup cplugins
- *
- * @defgroup eap_simaka_pseudonym_plugin eap_simaka_pseudonym_plugin
- * @{ @ingroup eap_simaka_pseudonym
- */
-
-#ifndef EAP_SIMAKA_PSEUDONYM_PLUGIN_H_
-#define EAP_SIMAKA_PSEUDONYM_PLUGIN_H_
-
-#include <plugins/plugin.h>
-
-typedef struct eap_simaka_pseudonym_plugin_t eap_simaka_pseudonym_plugin_t;
-
-/**
- * Plugin to provide in-memory storage of EAP-SIM/AKA pseudonyms.
- */
-struct eap_simaka_pseudonym_plugin_t {
-
-	/**
-	 * implements plugin interface
-	 */
-	plugin_t plugin;
-};
-
-/**
- * Create a eap_simaka_pseudonym_plugin instance.
- */
-plugin_t *plugin_create();
-
-#endif /** EAP_SIMAKA_PSEUDONYM_PLUGIN_H_ @}*/
diff --git a/src/charon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_provider.c b/src/charon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_provider.c
deleted file mode 100644
index 0613b8807..000000000
--- a/src/charon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_provider.c
+++ /dev/null
@@ -1,182 +0,0 @@
-/*
- * Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "eap_simaka_pseudonym_provider.h"
-
-#include <utils/hashtable.h>
-
-typedef struct private_eap_simaka_pseudonym_provider_t private_eap_simaka_pseudonym_provider_t;
-
-/**
- * Private data of an eap_simaka_pseudonym_provider_t object.
- */
-struct private_eap_simaka_pseudonym_provider_t {
-
-	/**
-	 * Public eap_simaka_pseudonym_provider_t interface.
-	 */
-	eap_simaka_pseudonym_provider_t public;
-
-	/**
-	 * Permanent -> pseudonym mappings
-	 */
-	hashtable_t *pseudonym;
-
-	/**
-	 * Reverse pseudonym -> permanent mappings
-	 */
-	hashtable_t *permanent;
-
-	/**
-	 * RNG for pseudonyms/reauth identities
-	 */
-	rng_t *rng;
-};
-
-/**
- * hashtable hash function
- */
-static u_int hash(identification_t *key)
-{
-	return chunk_hash(key->get_encoding(key));
-}
-
-/**
- * hashtable equals function
- */
-static bool equals(identification_t *key1, identification_t *key2)
-{
-	return key1->equals(key1, key2);
-}
-
-/**
- * Implementation of sim_provider_t.is_pseudonym
- */
-static identification_t* is_pseudonym(
-			private_eap_simaka_pseudonym_provider_t *this, identification_t *id)
-{
-	identification_t *permanent;
-
-	permanent = this->permanent->get(this->permanent, id);
-	if (permanent)
-	{
-		return permanent->clone(permanent);
-	}
-	return NULL;
-}
-
-/**
- * Generate a random identity
- */
-static identification_t *gen_identity(
-								private_eap_simaka_pseudonym_provider_t *this)
-{
-	char buf[8], hex[sizeof(buf) * 2 + 1];
-
-	this->rng->get_bytes(this->rng, sizeof(buf), buf);
-	chunk_to_hex(chunk_create(buf, sizeof(buf)), hex, FALSE);
-
-	return identification_create_from_string(hex);
-}
-
-/**
- * Implementation of sim_provider_t.get_pseudonym
- */
-static identification_t* gen_pseudonym(
-			private_eap_simaka_pseudonym_provider_t *this, identification_t *id)
-{
-	identification_t *pseudonym, *permanent;
-
-	/* remove old entry */
-	pseudonym = this->pseudonym->remove(this->pseudonym, id);
-	if (pseudonym)
-	{
-		permanent = this->permanent->remove(this->permanent, pseudonym);
-		if (permanent)
-		{
-			permanent->destroy(permanent);
-		}
-		pseudonym->destroy(pseudonym);
-	}
-
-	pseudonym = gen_identity(this);
-
-	/* create new entries */
-	id = id->clone(id);
-	this->pseudonym->put(this->pseudonym, id, pseudonym);
-	this->permanent->put(this->permanent, pseudonym, id);
-
-	return pseudonym->clone(pseudonym);
-}
-
-/**
- * Implementation of eap_simaka_pseudonym_provider_t.destroy.
- */
-static void destroy(private_eap_simaka_pseudonym_provider_t *this)
-{
-	enumerator_t *enumerator;
-	identification_t *id;
-	void *key;
-
-	enumerator = this->pseudonym->create_enumerator(this->pseudonym);
-	while (enumerator->enumerate(enumerator, &key, &id))
-	{
-		id->destroy(id);
-	}
-	enumerator->destroy(enumerator);
-
-	enumerator = this->permanent->create_enumerator(this->permanent);
-	while (enumerator->enumerate(enumerator, &key, &id))
-	{
-		id->destroy(id);
-	}
-	enumerator->destroy(enumerator);
-
-	this->pseudonym->destroy(this->pseudonym);
-	this->permanent->destroy(this->permanent);
-	this->rng->destroy(this->rng);
-	free(this);
-}
-
-/**
- * See header
- */
-eap_simaka_pseudonym_provider_t *eap_simaka_pseudonym_provider_create()
-{
-	private_eap_simaka_pseudonym_provider_t *this;
-
-	this = malloc_thing(private_eap_simaka_pseudonym_provider_t);
-
-	this->public.provider.get_triplet = (bool(*)(sim_provider_t*, identification_t *id, char rand[SIM_RAND_LEN], char sres[SIM_SRES_LEN], char kc[SIM_KC_LEN]))return_false;
-	this->public.provider.get_quintuplet = (bool(*)(sim_provider_t*, identification_t *id, char rand[AKA_RAND_LEN], char xres[AKA_RES_MAX], int *xres_len, char ck[AKA_CK_LEN], char ik[AKA_IK_LEN], char autn[AKA_AUTN_LEN]))return_false;
-	this->public.provider.resync = (bool(*)(sim_provider_t*, identification_t *id, char rand[AKA_RAND_LEN], char auts[AKA_AUTS_LEN]))return_false;
-	this->public.provider.is_pseudonym = (identification_t*(*)(sim_provider_t*, identification_t *id))is_pseudonym;
-	this->public.provider.gen_pseudonym = (identification_t*(*)(sim_provider_t*, identification_t *id))gen_pseudonym;
-	this->public.provider.is_reauth = (identification_t*(*)(sim_provider_t*, identification_t *id, char [HASH_SIZE_SHA1], u_int16_t *counter))return_null;
-	this->public.provider.gen_reauth = (identification_t*(*)(sim_provider_t*, identification_t *id, char mk[HASH_SIZE_SHA1]))return_null;
-	this->public.destroy = (void(*)(eap_simaka_pseudonym_provider_t*))destroy;
-
-	this->rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
-	if (!this->rng)
-	{
-		free(this);
-		return NULL;
-	}
-	this->pseudonym = hashtable_create((void*)hash, (void*)equals, 0);
-	this->permanent = hashtable_create((void*)hash, (void*)equals, 0);
-
-	return &this->public;
-}
-
diff --git a/src/charon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_provider.h b/src/charon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_provider.h
deleted file mode 100644
index 5d8e6d221..000000000
--- a/src/charon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_provider.h
+++ /dev/null
@@ -1,49 +0,0 @@
-/*
- * Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup eap_simaka_pseudonym_provider eap_simaka_pseudonym_provider
- * @{ @ingroup eap_simaka_pseudonym
- */
-
-#ifndef EAP_SIMAKA_PSEDUONYM_PROVIDER_H_
-#define EAP_SIMAKA_PSEDUONYM_PROVIDER_H_
-
-#include <sa/authenticators/eap/sim_manager.h>
-
-typedef struct eap_simaka_pseudonym_provider_t eap_simaka_pseudonym_provider_t;
-
-/**
- * SIM provider implementing volatile in-memory pseudonym storage.
- */
-struct eap_simaka_pseudonym_provider_t {
-
-	/**
-	 * Implements sim_provider_t interface.
-	 */
-	sim_provider_t provider;
-
-	/**
-	 * Destroy a eap_simaka_pseudonym_provider_t.
-	 */
-	void (*destroy)(eap_simaka_pseudonym_provider_t *this);
-};
-
-/**
- * Create a eap_simaka_pseudonym_provider instance.
- */
-eap_simaka_pseudonym_provider_t *eap_simaka_pseudonym_provider_create();
-
-#endif /** EAP_SIMAKA_PSEDUONYM_PROVIDER_H_ @}*/
diff --git a/src/charon/plugins/eap_simaka_reauth/Makefile.am b/src/charon/plugins/eap_simaka_reauth/Makefile.am
deleted file mode 100644
index 0ba727136..000000000
--- a/src/charon/plugins/eap_simaka_reauth/Makefile.am
+++ /dev/null
@@ -1,13 +0,0 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
-
-AM_CFLAGS = -rdynamic
-
-plugin_LTLIBRARIES = libstrongswan-eap-simaka-reauth.la
-
-libstrongswan_eap_simaka_reauth_la_SOURCES = \
-  eap_simaka_reauth_plugin.h eap_simaka_reauth_plugin.c \
-  eap_simaka_reauth_card.h eap_simaka_reauth_card.c \
-  eap_simaka_reauth_provider.h eap_simaka_reauth_provider.c
-libstrongswan_eap_simaka_reauth_la_LDFLAGS = -module -avoid-version
-
diff --git a/src/charon/plugins/eap_simaka_reauth/Makefile.in b/src/charon/plugins/eap_simaka_reauth/Makefile.in
deleted file mode 100644
index d709acb70..000000000
--- a/src/charon/plugins/eap_simaka_reauth/Makefile.in
+++ /dev/null
@@ -1,576 +0,0 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
-# @configure_input@
-
-# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
-# This Makefile.in is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
-# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
-# PARTICULAR PURPOSE.
-
-@SET_MAKE@
-
-VPATH = @srcdir@
-pkgdatadir = $(datadir)/@PACKAGE@
-pkgincludedir = $(includedir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
-pkglibexecdir = $(libexecdir)/@PACKAGE@
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-install_sh_DATA = $(install_sh) -c -m 644
-install_sh_PROGRAM = $(install_sh) -c
-install_sh_SCRIPT = $(install_sh) -c
-INSTALL_HEADER = $(INSTALL_DATA)
-transform = $(program_transform_name)
-NORMAL_INSTALL = :
-PRE_INSTALL = :
-POST_INSTALL = :
-NORMAL_UNINSTALL = :
-PRE_UNINSTALL = :
-POST_UNINSTALL = :
-build_triplet = @build@
-host_triplet = @host@
-subdir = src/charon/plugins/eap_simaka_reauth
-DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
-ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
-	$(top_srcdir)/m4/config/ltoptions.m4 \
-	$(top_srcdir)/m4/config/ltsugar.m4 \
-	$(top_srcdir)/m4/config/ltversion.m4 \
-	$(top_srcdir)/m4/config/lt~obsolete.m4 \
-	$(top_srcdir)/m4/macros/with.m4 \
-	$(top_srcdir)/m4/macros/enable-disable.m4 \
-	$(top_srcdir)/configure.in
-am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
-	$(ACLOCAL_M4)
-mkinstalldirs = $(install_sh) -d
-CONFIG_CLEAN_FILES =
-CONFIG_CLEAN_VPATH_FILES =
-am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
-am__vpath_adj = case $$p in \
-    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
-    *) f=$$p;; \
-  esac;
-am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
-am__install_max = 40
-am__nobase_strip_setup = \
-  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
-am__nobase_strip = \
-  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
-am__nobase_list = $(am__nobase_strip_setup); \
-  for p in $$list; do echo "$$p $$p"; done | \
-  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
-  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
-    if (++n[$$2] == $(am__install_max)) \
-      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
-    END { for (dir in files) print dir, files[dir] }'
-am__base_list = \
-  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
-  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
-am__installdirs = "$(DESTDIR)$(plugindir)"
-LTLIBRARIES = $(plugin_LTLIBRARIES)
-libstrongswan_eap_simaka_reauth_la_LIBADD =
-am_libstrongswan_eap_simaka_reauth_la_OBJECTS =  \
-	eap_simaka_reauth_plugin.lo eap_simaka_reauth_card.lo \
-	eap_simaka_reauth_provider.lo
-libstrongswan_eap_simaka_reauth_la_OBJECTS =  \
-	$(am_libstrongswan_eap_simaka_reauth_la_OBJECTS)
-libstrongswan_eap_simaka_reauth_la_LINK = $(LIBTOOL) --tag=CC \
-	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
-	$(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_eap_simaka_reauth_la_LDFLAGS) $(LDFLAGS) -o $@
-DEFAULT_INCLUDES = -I.@am__isrc@
-depcomp = $(SHELL) $(top_srcdir)/depcomp
-am__depfiles_maybe = depfiles
-am__mv = mv -f
-COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
-	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
-SOURCES = $(libstrongswan_eap_simaka_reauth_la_SOURCES)
-DIST_SOURCES = $(libstrongswan_eap_simaka_reauth_la_SOURCES)
-ETAGS = etags
-CTAGS = ctags
-DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
-ACLOCAL = @ACLOCAL@
-ALLOCA = @ALLOCA@
-AMTAR = @AMTAR@
-AR = @AR@
-AUTOCONF = @AUTOCONF@
-AUTOHEADER = @AUTOHEADER@
-AUTOMAKE = @AUTOMAKE@
-AWK = @AWK@
-BTLIB = @BTLIB@
-CC = @CC@
-CCDEPMODE = @CCDEPMODE@
-CFLAGS = @CFLAGS@
-CPP = @CPP@
-CPPFLAGS = @CPPFLAGS@
-CYGPATH_W = @CYGPATH_W@
-DEFS = @DEFS@
-DEPDIR = @DEPDIR@
-DLLIB = @DLLIB@
-DSYMUTIL = @DSYMUTIL@
-DUMPBIN = @DUMPBIN@
-ECHO_C = @ECHO_C@
-ECHO_N = @ECHO_N@
-ECHO_T = @ECHO_T@
-EGREP = @EGREP@
-EXEEXT = @EXEEXT@
-FGREP = @FGREP@
-GPERF = @GPERF@
-GREP = @GREP@
-INSTALL = @INSTALL@
-INSTALL_DATA = @INSTALL_DATA@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@
-INSTALL_SCRIPT = @INSTALL_SCRIPT@
-INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-LD = @LD@
-LDFLAGS = @LDFLAGS@
-LEX = @LEX@
-LEXLIB = @LEXLIB@
-LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBOBJS = @LIBOBJS@
-LIBS = @LIBS@
-LIBTOOL = @LIBTOOL@
-LIPO = @LIPO@
-LN_S = @LN_S@
-LTLIBOBJS = @LTLIBOBJS@
-MAKEINFO = @MAKEINFO@
-MKDIR_P = @MKDIR_P@
-MYSQLCFLAG = @MYSQLCFLAG@
-MYSQLCONFIG = @MYSQLCONFIG@
-MYSQLLIB = @MYSQLLIB@
-NM = @NM@
-NMEDIT = @NMEDIT@
-OBJDUMP = @OBJDUMP@
-OBJEXT = @OBJEXT@
-OTOOL = @OTOOL@
-OTOOL64 = @OTOOL64@
-PACKAGE = @PACKAGE@
-PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
-PACKAGE_NAME = @PACKAGE_NAME@
-PACKAGE_STRING = @PACKAGE_STRING@
-PACKAGE_TARNAME = @PACKAGE_TARNAME@
-PACKAGE_URL = @PACKAGE_URL@
-PACKAGE_VERSION = @PACKAGE_VERSION@
-PATH_SEPARATOR = @PATH_SEPARATOR@
-PERL = @PERL@
-PKG_CONFIG = @PKG_CONFIG@
-PTHREADLIB = @PTHREADLIB@
-RANLIB = @RANLIB@
-RTLIB = @RTLIB@
-RUBY = @RUBY@
-RUBYINCLUDE = @RUBYINCLUDE@
-SED = @SED@
-SET_MAKE = @SET_MAKE@
-SHELL = @SHELL@
-SOCKLIB = @SOCKLIB@
-STRIP = @STRIP@
-VERSION = @VERSION@
-YACC = @YACC@
-YFLAGS = @YFLAGS@
-abs_builddir = @abs_builddir@
-abs_srcdir = @abs_srcdir@
-abs_top_builddir = @abs_top_builddir@
-abs_top_srcdir = @abs_top_srcdir@
-ac_ct_CC = @ac_ct_CC@
-ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
-am__include = @am__include@
-am__leading_dot = @am__leading_dot@
-am__quote = @am__quote@
-am__tar = @am__tar@
-am__untar = @am__untar@
-bindir = @bindir@
-build = @build@
-build_alias = @build_alias@
-build_cpu = @build_cpu@
-build_os = @build_os@
-build_vendor = @build_vendor@
-builddir = @builddir@
-datadir = @datadir@
-datarootdir = @datarootdir@
-default_pkcs11 = @default_pkcs11@
-docdir = @docdir@
-dvidir = @dvidir@
-exec_prefix = @exec_prefix@
-gtk_CFLAGS = @gtk_CFLAGS@
-gtk_LIBS = @gtk_LIBS@
-host = @host@
-host_alias = @host_alias@
-host_cpu = @host_cpu@
-host_os = @host_os@
-host_vendor = @host_vendor@
-htmldir = @htmldir@
-includedir = @includedir@
-infodir = @infodir@
-install_sh = @install_sh@
-ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
-ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
-ipsecuser = @ipsecuser@
-libdir = @libdir@
-libexecdir = @libexecdir@
-libstrongswan_plugins = @libstrongswan_plugins@
-linux_headers = @linux_headers@
-localedir = @localedir@
-localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
-mandir = @mandir@
-mkdir_p = @mkdir_p@
-nm_CFLAGS = @nm_CFLAGS@
-nm_LIBS = @nm_LIBS@
-nm_ca_dir = @nm_ca_dir@
-oldincludedir = @oldincludedir@
-pdfdir = @pdfdir@
-piddir = @piddir@
-plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
-prefix = @prefix@
-program_transform_name = @program_transform_name@
-psdir = @psdir@
-random_device = @random_device@
-resolv_conf = @resolv_conf@
-routing_table = @routing_table@
-routing_table_prio = @routing_table_prio@
-sbindir = @sbindir@
-sharedstatedir = @sharedstatedir@
-srcdir = @srcdir@
-strongswan_conf = @strongswan_conf@
-sysconfdir = @sysconfdir@
-target_alias = @target_alias@
-top_build_prefix = @top_build_prefix@
-top_builddir = @top_builddir@
-top_srcdir = @top_srcdir@
-urandom_device = @urandom_device@
-xml_CFLAGS = @xml_CFLAGS@
-xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
-AM_CFLAGS = -rdynamic
-plugin_LTLIBRARIES = libstrongswan-eap-simaka-reauth.la
-libstrongswan_eap_simaka_reauth_la_SOURCES = \
-  eap_simaka_reauth_plugin.h eap_simaka_reauth_plugin.c \
-  eap_simaka_reauth_card.h eap_simaka_reauth_card.c \
-  eap_simaka_reauth_provider.h eap_simaka_reauth_provider.c
-
-libstrongswan_eap_simaka_reauth_la_LDFLAGS = -module -avoid-version
-all: all-am
-
-.SUFFIXES:
-.SUFFIXES: .c .lo .o .obj
-$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
-	@for dep in $?; do \
-	  case '$(am__configure_deps)' in \
-	    *$$dep*) \
-	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
-	        && { if test -f $@; then exit 0; else break; fi; }; \
-	      exit 1;; \
-	  esac; \
-	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/charon/plugins/eap_simaka_reauth/Makefile'; \
-	$(am__cd) $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu src/charon/plugins/eap_simaka_reauth/Makefile
-.PRECIOUS: Makefile
-Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
-	@case '$?' in \
-	  *config.status*) \
-	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
-	  *) \
-	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
-	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
-	esac;
-
-$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-
-$(top_srcdir)/configure:  $(am__configure_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(am__aclocal_m4_deps):
-install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
-	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
-	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
-	list2=; for p in $$list; do \
-	  if test -f $$p; then \
-	    list2="$$list2 $$p"; \
-	  else :; fi; \
-	done; \
-	test -z "$$list2" || { \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
-	}
-
-uninstall-pluginLTLIBRARIES:
-	@$(NORMAL_UNINSTALL)
-	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
-	for p in $$list; do \
-	  $(am__strip_dir) \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
-	done
-
-clean-pluginLTLIBRARIES:
-	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
-	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
-	  test "$$dir" != "$$p" || dir=.; \
-	  echo "rm -f \"$${dir}/so_locations\""; \
-	  rm -f "$${dir}/so_locations"; \
-	done
-libstrongswan-eap-simaka-reauth.la: $(libstrongswan_eap_simaka_reauth_la_OBJECTS) $(libstrongswan_eap_simaka_reauth_la_DEPENDENCIES) 
-	$(libstrongswan_eap_simaka_reauth_la_LINK) -rpath $(plugindir) $(libstrongswan_eap_simaka_reauth_la_OBJECTS) $(libstrongswan_eap_simaka_reauth_la_LIBADD) $(LIBS)
-
-mostlyclean-compile:
-	-rm -f *.$(OBJEXT)
-
-distclean-compile:
-	-rm -f *.tab.c
-
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_simaka_reauth_card.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_simaka_reauth_plugin.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_simaka_reauth_provider.Plo@am__quote@
-
-.c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
-
-.c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
-
-.c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
-
-mostlyclean-libtool:
-	-rm -f *.lo
-
-clean-libtool:
-	-rm -rf .libs _libs
-
-ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
-	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	mkid -fID $$unique
-tags: TAGS
-
-TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	set x; \
-	here=`pwd`; \
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	shift; \
-	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
-	  test -n "$$unique" || unique=$$empty_fix; \
-	  if test $$# -gt 0; then \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      "$$@" $$unique; \
-	  else \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      $$unique; \
-	  fi; \
-	fi
-ctags: CTAGS
-CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$unique" \
-	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$unique
-
-GTAGS:
-	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && $(am__cd) $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) "$$here"
-
-distclean-tags:
-	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
-
-distdir: $(DISTFILES)
-	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	list='$(DISTFILES)'; \
-	  dist_files=`for file in $$list; do echo $$file; done | \
-	  sed -e "s|^$$srcdirstrip/||;t" \
-	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
-	case $$dist_files in \
-	  */*) $(MKDIR_P) `echo "$$dist_files" | \
-			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
-			   sort -u` ;; \
-	esac; \
-	for file in $$dist_files; do \
-	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  if test -d $$d/$$file; then \
-	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
-	    if test -d "$(distdir)/$$file"; then \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
-	  else \
-	    test -f "$(distdir)/$$file" \
-	    || cp -p $$d/$$file "$(distdir)/$$file" \
-	    || exit 1; \
-	  fi; \
-	done
-check-am: all-am
-check: check-am
-all-am: Makefile $(LTLIBRARIES)
-installdirs:
-	for dir in "$(DESTDIR)$(plugindir)"; do \
-	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
-	done
-install: install-am
-install-exec: install-exec-am
-install-data: install-data-am
-uninstall: uninstall-am
-
-install-am: all-am
-	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
-
-installcheck: installcheck-am
-install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
-mostlyclean-generic:
-
-clean-generic:
-
-distclean-generic:
-	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
-
-maintainer-clean-generic:
-	@echo "This command is intended for maintainers to use"
-	@echo "it deletes files that may require special tools to rebuild."
-clean: clean-am
-
-clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
-	mostlyclean-am
-
-distclean: distclean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-distclean-am: clean-am distclean-compile distclean-generic \
-	distclean-tags
-
-dvi: dvi-am
-
-dvi-am:
-
-html: html-am
-
-html-am:
-
-info: info-am
-
-info-am:
-
-install-data-am: install-pluginLTLIBRARIES
-
-install-dvi: install-dvi-am
-
-install-dvi-am:
-
-install-exec-am:
-
-install-html: install-html-am
-
-install-html-am:
-
-install-info: install-info-am
-
-install-info-am:
-
-install-man:
-
-install-pdf: install-pdf-am
-
-install-pdf-am:
-
-install-ps: install-ps-am
-
-install-ps-am:
-
-installcheck-am:
-
-maintainer-clean: maintainer-clean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-maintainer-clean-am: distclean-am maintainer-clean-generic
-
-mostlyclean: mostlyclean-am
-
-mostlyclean-am: mostlyclean-compile mostlyclean-generic \
-	mostlyclean-libtool
-
-pdf: pdf-am
-
-pdf-am:
-
-ps: ps-am
-
-ps-am:
-
-uninstall-am: uninstall-pluginLTLIBRARIES
-
-.MAKE: install-am install-strip
-
-.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
-	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
-	distclean-compile distclean-generic distclean-libtool \
-	distclean-tags distdir dvi dvi-am html html-am info info-am \
-	install install-am install-data install-data-am install-dvi \
-	install-dvi-am install-exec install-exec-am install-html \
-	install-html-am install-info install-info-am install-man \
-	install-pdf install-pdf-am install-pluginLTLIBRARIES \
-	install-ps install-ps-am install-strip installcheck \
-	installcheck-am installdirs maintainer-clean \
-	maintainer-clean-generic mostlyclean mostlyclean-compile \
-	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
-
-
-# Tell versions [3.59,3.63) of GNU make to not export all variables.
-# Otherwise a system limit (for SysV at least) may be exceeded.
-.NOEXPORT:
diff --git a/src/charon/plugins/eap_simaka_reauth/eap_simaka_reauth_card.c b/src/charon/plugins/eap_simaka_reauth/eap_simaka_reauth_card.c
deleted file mode 100644
index 14d0416d9..000000000
--- a/src/charon/plugins/eap_simaka_reauth/eap_simaka_reauth_card.c
+++ /dev/null
@@ -1,170 +0,0 @@
-/*
- * Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "eap_simaka_reauth_card.h"
-
-#include <daemon.h>
-#include <utils/hashtable.h>
-
-typedef struct private_eap_simaka_reauth_card_t private_eap_simaka_reauth_card_t;
-
-/**
- * Private data of an eap_simaka_reauth_card_t object.
- */
-struct private_eap_simaka_reauth_card_t {
-
-	/**
-	 * Public eap_simaka_reauth_card_t interface.
-	 */
-	eap_simaka_reauth_card_t public;
-
-	/**
-	 * Permanent -> reauth_data_t mappings
-	 */
-	hashtable_t *reauth;
-};
-
-/**
- * Data associated to a reauthentication identity
- */
-typedef struct {
-	/** currently used reauthentication identity */
-	identification_t *id;
-	/** associated permanent identity */
-	identification_t *permanent;
-	/** counter value */
-	u_int16_t counter;
-	/** master key */
-	char mk[HASH_SIZE_SHA1];
-} reauth_data_t;
-
-/**
- * hashtable hash function
- */
-static u_int hash(identification_t *key)
-{
-	return chunk_hash(key->get_encoding(key));
-}
-
-/**
- * hashtable equals function
- */
-static bool equals(identification_t *key1, identification_t *key2)
-{
-	return key1->equals(key1, key2);
-}
-
-/**
- * Implementation of sim_card_t.get_reauth
- */
-static identification_t *get_reauth(private_eap_simaka_reauth_card_t *this,
-								identification_t *id, char mk[HASH_SIZE_SHA1],
-								u_int16_t *counter)
-{
-	reauth_data_t *data;
-	identification_t *reauth;
-
-	/* look up reauthentication data */
-	data = this->reauth->remove(this->reauth, id);
-	if (!data)
-	{
-		return NULL;
-	}
-	*counter = ++data->counter;
-	memcpy(mk, data->mk, HASH_SIZE_SHA1);
-	reauth = data->id;
-	data->permanent->destroy(data->permanent);
-	free(data);
-	return reauth;
-}
-
-/**
- * Implementation of sim_card_t.set_reauth
- */
-static void set_reauth(private_eap_simaka_reauth_card_t *this,
-					   identification_t *id, identification_t* next,
-					   char mk[HASH_SIZE_SHA1], u_int16_t counter)
-{
-	reauth_data_t *data;
-
-	data = this->reauth->get(this->reauth, id);
-	if (data)
-	{
-		data->id->destroy(data->id);
-	}
-	else
-	{
-		data = malloc_thing(reauth_data_t);
-		data->permanent = id->clone(id);
-		this->reauth->put(this->reauth, data->permanent, data);
-	}
-	data->counter = counter;
-	data->id = next->clone(next);
-	memcpy(data->mk, mk, HASH_SIZE_SHA1);
-}
-
-/**
- * Implementation of sim_card_t.get_quintuplet
- */
-static status_t get_quintuplet()
-{
-	return NOT_SUPPORTED;
-}
-
-/**
- * Implementation of eap_simaka_reauth_card_t.destroy.
- */
-static void destroy(private_eap_simaka_reauth_card_t *this)
-{
-	enumerator_t *enumerator;
-	reauth_data_t *data;
-	void *key;
-
-	enumerator = this->reauth->create_enumerator(this->reauth);
-	while (enumerator->enumerate(enumerator, &key, &data))
-	{
-		data->id->destroy(data->id);
-		data->permanent->destroy(data->permanent);
-		free(data);
-	}
-	enumerator->destroy(enumerator);
-
-	this->reauth->destroy(this->reauth);
-	free(this);
-}
-
-/**
- * See header
- */
-eap_simaka_reauth_card_t *eap_simaka_reauth_card_create()
-{
-	private_eap_simaka_reauth_card_t *this;
-
-	this = malloc_thing(private_eap_simaka_reauth_card_t);
-
-	this->public.card.get_triplet = (bool(*)(sim_card_t*, identification_t *id, char rand[SIM_RAND_LEN], char sres[SIM_SRES_LEN], char kc[SIM_KC_LEN]))return_null;
-	this->public.card.get_quintuplet = (status_t(*)(sim_card_t*, identification_t *id, char rand[AKA_RAND_LEN], char autn[AKA_AUTN_LEN], char ck[AKA_CK_LEN], char ik[AKA_IK_LEN], char res[AKA_RES_MAX], int *res_len))get_quintuplet;
-	this->public.card.resync = (bool(*)(sim_card_t*, identification_t *id, char rand[AKA_RAND_LEN], char auts[AKA_AUTS_LEN]))return_false;
-	this->public.card.get_pseudonym = (identification_t*(*)(sim_card_t*, identification_t *perm))return_null;
-	this->public.card.set_pseudonym = (void(*)(sim_card_t*, identification_t *id, identification_t *pseudonym))nop;
-	this->public.card.get_reauth = (identification_t*(*)(sim_card_t*, identification_t *id, char mk[HASH_SIZE_SHA1], u_int16_t *counter))get_reauth;
-	this->public.card.set_reauth = (void(*)(sim_card_t*, identification_t *id, identification_t* next, char mk[HASH_SIZE_SHA1], u_int16_t counter))set_reauth;
-	this->public.destroy = (void(*)(eap_simaka_reauth_card_t*))destroy;
-
-	this->reauth = hashtable_create((void*)hash, (void*)equals, 0);
-
-	return &this->public;
-}
-
diff --git a/src/charon/plugins/eap_simaka_reauth/eap_simaka_reauth_card.h b/src/charon/plugins/eap_simaka_reauth/eap_simaka_reauth_card.h
deleted file mode 100644
index f24dc8a15..000000000
--- a/src/charon/plugins/eap_simaka_reauth/eap_simaka_reauth_card.h
+++ /dev/null
@@ -1,49 +0,0 @@
-/*
- * Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup eap_simaka_reauth_card eap_simaka_reauth_card
- * @{ @ingroup eap_simaka_reauth
- */
-
-#ifndef EAP_SIMAKA_REAUTH_CARD_H_
-#define EAP_SIMAKA_REAUTH_CARD_H_
-
-#include <sa/authenticators/eap/sim_manager.h>
-
-typedef struct eap_simaka_reauth_card_t eap_simaka_reauth_card_t;
-
-/**
- * SIM card implementing volatile in-memory reauthentication data storage.
- */
-struct eap_simaka_reauth_card_t {
-
-	/**
-	 * Implements sim_card_t interface
-	 */
-	sim_card_t card;
-
-	/**
-	 * Destroy a eap_simaka_reauth_card_t.
-	 */
-	void (*destroy)(eap_simaka_reauth_card_t *this);
-};
-
-/**
- * Create a eap_simaka_reauth_card instance.
- */
-eap_simaka_reauth_card_t *eap_simaka_reauth_card_create();
-
-#endif /** EAP_SIMAKA_REAUTH_CARD_H_ @}*/
diff --git a/src/charon/plugins/eap_simaka_reauth/eap_simaka_reauth_plugin.c b/src/charon/plugins/eap_simaka_reauth/eap_simaka_reauth_plugin.c
deleted file mode 100644
index b2e853e21..000000000
--- a/src/charon/plugins/eap_simaka_reauth/eap_simaka_reauth_plugin.c
+++ /dev/null
@@ -1,79 +0,0 @@
-/*
- * Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "eap_simaka_reauth_plugin.h"
-#include "eap_simaka_reauth_card.h"
-#include "eap_simaka_reauth_provider.h"
-
-#include <daemon.h>
-
-typedef struct private_eap_simaka_reauth_t private_eap_simaka_reauth_t;
-
-/**
- * Private data of an eap_simaka_reauth_t object.
- */
-struct private_eap_simaka_reauth_t {
-
-	/**
-	 * Public eap_simaka_reauth_plugin_t interface.
-	 */
-	eap_simaka_reauth_plugin_t public;
-
-	/**
-	 * SIM card
-	 */
-	eap_simaka_reauth_card_t *card;
-
-	/**
-	 * SIM provider
-	 */
-	eap_simaka_reauth_provider_t *provider;
-};
-
-/**
- * Implementation of eap_simaka_reauth_t.destroy.
- */
-static void destroy(private_eap_simaka_reauth_t *this)
-{
-	charon->sim->remove_card(charon->sim, &this->card->card);
-	charon->sim->remove_provider(charon->sim, &this->provider->provider);
-	this->card->destroy(this->card);
-	this->provider->destroy(this->provider);
-	free(this);
-}
-
-/**
- * See header
- */
-plugin_t *plugin_create()
-{
-	private_eap_simaka_reauth_t *this = malloc_thing(private_eap_simaka_reauth_t);
-
-	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-
-	this->provider = eap_simaka_reauth_provider_create();
-	if (!this->provider)
-	{
-		free(this);
-		return NULL;
-	}
-	this->card = eap_simaka_reauth_card_create();
-
-	charon->sim->add_card(charon->sim, &this->card->card);
-	charon->sim->add_provider(charon->sim, &this->provider->provider);
-
-	return &this->public.plugin;
-}
-
diff --git a/src/charon/plugins/eap_simaka_reauth/eap_simaka_reauth_plugin.h b/src/charon/plugins/eap_simaka_reauth/eap_simaka_reauth_plugin.h
deleted file mode 100644
index e86832c0e..000000000
--- a/src/charon/plugins/eap_simaka_reauth/eap_simaka_reauth_plugin.h
+++ /dev/null
@@ -1,47 +0,0 @@
-/*
- * Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup eap_simaka_reauth eap_simaka_reauth
- * @ingroup cplugins
- *
- * @defgroup eap_simaka_reauth_plugin eap_simaka_reauth_plugin
- * @{ @ingroup eap_simaka_reauth
- */
-
-#ifndef EAP_SIMAKA_REAUTH_PLUGIN_H_
-#define EAP_SIMAKA_REAUTH_PLUGIN_H_
-
-#include <plugins/plugin.h>
-
-typedef struct eap_simaka_reauth_plugin_t eap_simaka_reauth_plugin_t;
-
-/**
- * Plugin to provide in-memory EAP-SIM/AKA reauthentication data storage.
- */
-struct eap_simaka_reauth_plugin_t {
-
-	/**
-	 * implements plugin interface
-	 */
-	plugin_t plugin;
-};
-
-/**
- * Create a eap_simaka_reauth_plugin instance.
- */
-plugin_t *plugin_create();
-
-#endif /** EAP_SIMAKA_REAUTH_PLUGIN_H_ @}*/
diff --git a/src/charon/plugins/eap_simaka_reauth/eap_simaka_reauth_provider.c b/src/charon/plugins/eap_simaka_reauth/eap_simaka_reauth_provider.c
deleted file mode 100644
index f962b2d84..000000000
--- a/src/charon/plugins/eap_simaka_reauth/eap_simaka_reauth_provider.c
+++ /dev/null
@@ -1,209 +0,0 @@
-/*
- * Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "eap_simaka_reauth_provider.h"
-
-#include <daemon.h>
-#include <utils/hashtable.h>
-
-typedef struct private_eap_simaka_reauth_provider_t private_eap_simaka_reauth_provider_t;
-
-/**
- * Private data of an eap_simaka_reauth_provider_t object.
- */
-struct private_eap_simaka_reauth_provider_t {
-
-	/**
-	 * Public eap_simaka_reauth_provider_t interface.
-	 */
-	eap_simaka_reauth_provider_t public;
-
-	/**
-	 * Permanent -> reauth_data_t mappings
-	 */
-	hashtable_t *reauth;
-
-	/**
-	 * Reverse reauth -> permanent mappings
-	 */
-	hashtable_t *permanent;
-
-	/**
-	 * RNG for pseudonyms/reauth identities
-	 */
-	rng_t *rng;
-};
-
-/**
- * Data associated to a reauthentication identity
- */
-typedef struct {
-	/** currently used reauthentication identity */
-	identification_t *id;
-	/** counter value */
-	u_int16_t counter;
-	/** master key */
-	char mk[HASH_SIZE_SHA1];
-} reauth_data_t;
-
-/**
- * hashtable hash function
- */
-static u_int hash(identification_t *key)
-{
-	return chunk_hash(key->get_encoding(key));
-}
-
-/**
- * hashtable equals function
- */
-static bool equals(identification_t *key1, identification_t *key2)
-{
-	return key1->equals(key1, key2);
-}
-
-/**
- * Generate a random identity
- */
-static identification_t *gen_identity(private_eap_simaka_reauth_provider_t *this)
-{
-	char buf[8], hex[sizeof(buf) * 2 + 1];
-
-	this->rng->get_bytes(this->rng, sizeof(buf), buf);
-	chunk_to_hex(chunk_create(buf, sizeof(buf)), hex, FALSE);
-
-	return identification_create_from_string(hex);
-}
-
-/**
- * Implementation of sim_provider_t.is_reauth
- */
-static identification_t *is_reauth(private_eap_simaka_reauth_provider_t *this,
-								identification_t *id, char mk[HASH_SIZE_SHA1],
-								u_int16_t *counter)
-{
-	identification_t *permanent;
-	reauth_data_t *data;
-
-	/* look up permanent identity */
-	permanent = this->permanent->get(this->permanent, id);
-	if (!permanent)
-	{
-		return NULL;
-	}
-	/* look up reauthentication data */
-	data = this->reauth->get(this->reauth, permanent);
-	if (!data)
-	{
-		return NULL;
-	}
-	*counter = ++data->counter;
-	memcpy(mk, data->mk, HASH_SIZE_SHA1);
-	return permanent->clone(permanent);
-}
-
-/**
- * Implementation of sim_provider_t.gen_reauth
- */
-static identification_t *gen_reauth(private_eap_simaka_reauth_provider_t *this,
-								identification_t *id, char mk[HASH_SIZE_SHA1])
-{
-	reauth_data_t *data;
-	identification_t *permanent;
-
-	data = this->reauth->get(this->reauth, id);
-	if (data)
-	{	/* update existing entry */
-		permanent = this->permanent->remove(this->permanent, data->id);
-		if (permanent)
-		{
-			data->id->destroy(data->id);
-			data->id = gen_identity(this);
-			this->permanent->put(this->permanent, data->id, permanent);
-		}
-	}
-	else
-	{	/* generate new entry */
-		data = malloc_thing(reauth_data_t);
-		data->counter = 0;
-		data->id = gen_identity(this);
-		id = id->clone(id);
-		this->reauth->put(this->reauth, id, data);
-		this->permanent->put(this->permanent, data->id, id);
-	}
-	memcpy(data->mk, mk, HASH_SIZE_SHA1);
-
-	return data->id->clone(data->id);
-}
-
-/**
- * Implementation of eap_simaka_reauth_provider_t.destroy.
- */
-static void destroy(private_eap_simaka_reauth_provider_t *this)
-{
-	enumerator_t *enumerator;
-	identification_t *id;
-	reauth_data_t *data;
-	void *key;
-
-	enumerator = this->permanent->create_enumerator(this->permanent);
-	while (enumerator->enumerate(enumerator, &key, &id))
-	{
-		id->destroy(id);
-	}
-	enumerator->destroy(enumerator);
-
-	enumerator = this->reauth->create_enumerator(this->reauth);
-	while (enumerator->enumerate(enumerator, &key, &data))
-	{
-		data->id->destroy(data->id);
-		free(data);
-	}
-	enumerator->destroy(enumerator);
-
-	this->permanent->destroy(this->permanent);
-	this->reauth->destroy(this->reauth);
-	this->rng->destroy(this->rng);
-	free(this);
-}
-
-/**
- * See header
- */
-eap_simaka_reauth_provider_t *eap_simaka_reauth_provider_create()
-{
-	private_eap_simaka_reauth_provider_t *this = malloc_thing(private_eap_simaka_reauth_provider_t);
-
-	this->public.provider.get_triplet = (bool(*)(sim_provider_t*, identification_t *id, char rand[SIM_RAND_LEN], char sres[SIM_SRES_LEN], char kc[SIM_KC_LEN]))return_false;
-	this->public.provider.get_quintuplet = (bool(*)(sim_provider_t*, identification_t *id, char rand[AKA_RAND_LEN], char xres[AKA_RES_MAX], int *xres_len, char ck[AKA_CK_LEN], char ik[AKA_IK_LEN], char autn[AKA_AUTN_LEN]))return_false;
-	this->public.provider.resync = (bool(*)(sim_provider_t*, identification_t *id, char rand[AKA_RAND_LEN], char auts[AKA_AUTS_LEN]))return_false;
-	this->public.provider.is_pseudonym = (identification_t*(*)(sim_provider_t*, identification_t *id))return_null;
-	this->public.provider.gen_pseudonym = (identification_t*(*)(sim_provider_t*, identification_t *id))return_null;
-	this->public.provider.is_reauth = (identification_t*(*)(sim_provider_t*, identification_t *id, char [HASH_SIZE_SHA1], u_int16_t *counter))is_reauth;
-	this->public.provider.gen_reauth = (identification_t*(*)(sim_provider_t*, identification_t *id, char mk[HASH_SIZE_SHA1]))gen_reauth;
-	this->public.destroy = (void(*)(eap_simaka_reauth_provider_t*))destroy;
-
-	this->rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
-	if (!this->rng)
-	{
-		free(this);
-		return NULL;
-	}
-	this->permanent = hashtable_create((void*)hash, (void*)equals, 0);
-	this->reauth = hashtable_create((void*)hash, (void*)equals, 0);
-
-	return &this->public;
-}
-
diff --git a/src/charon/plugins/eap_simaka_reauth/eap_simaka_reauth_provider.h b/src/charon/plugins/eap_simaka_reauth/eap_simaka_reauth_provider.h
deleted file mode 100644
index 7ae151a27..000000000
--- a/src/charon/plugins/eap_simaka_reauth/eap_simaka_reauth_provider.h
+++ /dev/null
@@ -1,49 +0,0 @@
-/*
- * Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup eap_simaka_reauth_provider eap_simaka_reauth_provider
- * @{ @ingroup eap_simaka_reauth
- */
-
-#ifndef EAP_SIMAKA_REAUTH_PROVIDER_H_
-#define EAP_SIMAKA_REAUTH_PROVIDER_H_
-
-#include <sa/authenticators/eap/sim_manager.h>
-
-typedef struct eap_simaka_reauth_provider_t eap_simaka_reauth_provider_t;
-
-/**
- * SIM provider implementing volatile in-memory reauthentication data storage.
- */
-struct eap_simaka_reauth_provider_t {
-
-	/**
-	 * Implements sim_provider_t interface.
-	 */
-	sim_provider_t provider;
-
-	/**
-	 * Destroy a eap_simaka_reauth_provider_t.
-	 */
-	void (*destroy)(eap_simaka_reauth_provider_t *this);
-};
-
-/**
- * Create a eap_simaka_reauth_provider instance.
- */
-eap_simaka_reauth_provider_t *eap_simaka_reauth_provider_create();
-
-#endif /** EAP_SIMAKA_REAUTH_PROVIDER_H_ @}*/
diff --git a/src/charon/plugins/kernel_klips/Makefile.am b/src/charon/plugins/kernel_klips/Makefile.am
deleted file mode 100644
index a7ae06df1..000000000
--- a/src/charon/plugins/kernel_klips/Makefile.am
+++ /dev/null
@@ -1,10 +0,0 @@
-
-INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
-
-AM_CFLAGS = -rdynamic
-
-plugin_LTLIBRARIES = libstrongswan-kernel-klips.la
-
-libstrongswan_kernel_klips_la_SOURCES = kernel_klips_plugin.h kernel_klips_plugin.c \
-	kernel_klips_ipsec.h kernel_klips_ipsec.c pfkeyv2.h
-libstrongswan_kernel_klips_la_LDFLAGS = -module -avoid-version
diff --git a/src/charon/plugins/kernel_klips/Makefile.in b/src/charon/plugins/kernel_klips/Makefile.in
deleted file mode 100644
index bf194ae16..000000000
--- a/src/charon/plugins/kernel_klips/Makefile.in
+++ /dev/null
@@ -1,572 +0,0 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
-# @configure_input@
-
-# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
-# This Makefile.in is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
-# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
-# PARTICULAR PURPOSE.
-
-@SET_MAKE@
-
-VPATH = @srcdir@
-pkgdatadir = $(datadir)/@PACKAGE@
-pkgincludedir = $(includedir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
-pkglibexecdir = $(libexecdir)/@PACKAGE@
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-install_sh_DATA = $(install_sh) -c -m 644
-install_sh_PROGRAM = $(install_sh) -c
-install_sh_SCRIPT = $(install_sh) -c
-INSTALL_HEADER = $(INSTALL_DATA)
-transform = $(program_transform_name)
-NORMAL_INSTALL = :
-PRE_INSTALL = :
-POST_INSTALL = :
-NORMAL_UNINSTALL = :
-PRE_UNINSTALL = :
-POST_UNINSTALL = :
-build_triplet = @build@
-host_triplet = @host@
-subdir = src/charon/plugins/kernel_klips
-DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
-ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
-	$(top_srcdir)/m4/config/ltoptions.m4 \
-	$(top_srcdir)/m4/config/ltsugar.m4 \
-	$(top_srcdir)/m4/config/ltversion.m4 \
-	$(top_srcdir)/m4/config/lt~obsolete.m4 \
-	$(top_srcdir)/m4/macros/with.m4 \
-	$(top_srcdir)/m4/macros/enable-disable.m4 \
-	$(top_srcdir)/configure.in
-am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
-	$(ACLOCAL_M4)
-mkinstalldirs = $(install_sh) -d
-CONFIG_CLEAN_FILES =
-CONFIG_CLEAN_VPATH_FILES =
-am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
-am__vpath_adj = case $$p in \
-    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
-    *) f=$$p;; \
-  esac;
-am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
-am__install_max = 40
-am__nobase_strip_setup = \
-  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
-am__nobase_strip = \
-  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
-am__nobase_list = $(am__nobase_strip_setup); \
-  for p in $$list; do echo "$$p $$p"; done | \
-  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
-  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
-    if (++n[$$2] == $(am__install_max)) \
-      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
-    END { for (dir in files) print dir, files[dir] }'
-am__base_list = \
-  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
-  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
-am__installdirs = "$(DESTDIR)$(plugindir)"
-LTLIBRARIES = $(plugin_LTLIBRARIES)
-libstrongswan_kernel_klips_la_LIBADD =
-am_libstrongswan_kernel_klips_la_OBJECTS = kernel_klips_plugin.lo \
-	kernel_klips_ipsec.lo
-libstrongswan_kernel_klips_la_OBJECTS =  \
-	$(am_libstrongswan_kernel_klips_la_OBJECTS)
-libstrongswan_kernel_klips_la_LINK = $(LIBTOOL) --tag=CC \
-	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
-	$(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_kernel_klips_la_LDFLAGS) $(LDFLAGS) -o $@
-DEFAULT_INCLUDES = -I.@am__isrc@
-depcomp = $(SHELL) $(top_srcdir)/depcomp
-am__depfiles_maybe = depfiles
-am__mv = mv -f
-COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
-	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
-SOURCES = $(libstrongswan_kernel_klips_la_SOURCES)
-DIST_SOURCES = $(libstrongswan_kernel_klips_la_SOURCES)
-ETAGS = etags
-CTAGS = ctags
-DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
-ACLOCAL = @ACLOCAL@
-ALLOCA = @ALLOCA@
-AMTAR = @AMTAR@
-AR = @AR@
-AUTOCONF = @AUTOCONF@
-AUTOHEADER = @AUTOHEADER@
-AUTOMAKE = @AUTOMAKE@
-AWK = @AWK@
-BTLIB = @BTLIB@
-CC = @CC@
-CCDEPMODE = @CCDEPMODE@
-CFLAGS = @CFLAGS@
-CPP = @CPP@
-CPPFLAGS = @CPPFLAGS@
-CYGPATH_W = @CYGPATH_W@
-DEFS = @DEFS@
-DEPDIR = @DEPDIR@
-DLLIB = @DLLIB@
-DSYMUTIL = @DSYMUTIL@
-DUMPBIN = @DUMPBIN@
-ECHO_C = @ECHO_C@
-ECHO_N = @ECHO_N@
-ECHO_T = @ECHO_T@
-EGREP = @EGREP@
-EXEEXT = @EXEEXT@
-FGREP = @FGREP@
-GPERF = @GPERF@
-GREP = @GREP@
-INSTALL = @INSTALL@
-INSTALL_DATA = @INSTALL_DATA@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@
-INSTALL_SCRIPT = @INSTALL_SCRIPT@
-INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-LD = @LD@
-LDFLAGS = @LDFLAGS@
-LEX = @LEX@
-LEXLIB = @LEXLIB@
-LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBOBJS = @LIBOBJS@
-LIBS = @LIBS@
-LIBTOOL = @LIBTOOL@
-LIPO = @LIPO@
-LN_S = @LN_S@
-LTLIBOBJS = @LTLIBOBJS@
-MAKEINFO = @MAKEINFO@
-MKDIR_P = @MKDIR_P@
-MYSQLCFLAG = @MYSQLCFLAG@
-MYSQLCONFIG = @MYSQLCONFIG@
-MYSQLLIB = @MYSQLLIB@
-NM = @NM@
-NMEDIT = @NMEDIT@
-OBJDUMP = @OBJDUMP@
-OBJEXT = @OBJEXT@
-OTOOL = @OTOOL@
-OTOOL64 = @OTOOL64@
-PACKAGE = @PACKAGE@
-PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
-PACKAGE_NAME = @PACKAGE_NAME@
-PACKAGE_STRING = @PACKAGE_STRING@
-PACKAGE_TARNAME = @PACKAGE_TARNAME@
-PACKAGE_URL = @PACKAGE_URL@
-PACKAGE_VERSION = @PACKAGE_VERSION@
-PATH_SEPARATOR = @PATH_SEPARATOR@
-PERL = @PERL@
-PKG_CONFIG = @PKG_CONFIG@
-PTHREADLIB = @PTHREADLIB@
-RANLIB = @RANLIB@
-RTLIB = @RTLIB@
-RUBY = @RUBY@
-RUBYINCLUDE = @RUBYINCLUDE@
-SED = @SED@
-SET_MAKE = @SET_MAKE@
-SHELL = @SHELL@
-SOCKLIB = @SOCKLIB@
-STRIP = @STRIP@
-VERSION = @VERSION@
-YACC = @YACC@
-YFLAGS = @YFLAGS@
-abs_builddir = @abs_builddir@
-abs_srcdir = @abs_srcdir@
-abs_top_builddir = @abs_top_builddir@
-abs_top_srcdir = @abs_top_srcdir@
-ac_ct_CC = @ac_ct_CC@
-ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
-am__include = @am__include@
-am__leading_dot = @am__leading_dot@
-am__quote = @am__quote@
-am__tar = @am__tar@
-am__untar = @am__untar@
-bindir = @bindir@
-build = @build@
-build_alias = @build_alias@
-build_cpu = @build_cpu@
-build_os = @build_os@
-build_vendor = @build_vendor@
-builddir = @builddir@
-datadir = @datadir@
-datarootdir = @datarootdir@
-default_pkcs11 = @default_pkcs11@
-docdir = @docdir@
-dvidir = @dvidir@
-exec_prefix = @exec_prefix@
-gtk_CFLAGS = @gtk_CFLAGS@
-gtk_LIBS = @gtk_LIBS@
-host = @host@
-host_alias = @host_alias@
-host_cpu = @host_cpu@
-host_os = @host_os@
-host_vendor = @host_vendor@
-htmldir = @htmldir@
-includedir = @includedir@
-infodir = @infodir@
-install_sh = @install_sh@
-ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
-ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
-ipsecuser = @ipsecuser@
-libdir = @libdir@
-libexecdir = @libexecdir@
-libstrongswan_plugins = @libstrongswan_plugins@
-linux_headers = @linux_headers@
-localedir = @localedir@
-localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
-mandir = @mandir@
-mkdir_p = @mkdir_p@
-nm_CFLAGS = @nm_CFLAGS@
-nm_LIBS = @nm_LIBS@
-nm_ca_dir = @nm_ca_dir@
-oldincludedir = @oldincludedir@
-pdfdir = @pdfdir@
-piddir = @piddir@
-plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
-prefix = @prefix@
-program_transform_name = @program_transform_name@
-psdir = @psdir@
-random_device = @random_device@
-resolv_conf = @resolv_conf@
-routing_table = @routing_table@
-routing_table_prio = @routing_table_prio@
-sbindir = @sbindir@
-sharedstatedir = @sharedstatedir@
-srcdir = @srcdir@
-strongswan_conf = @strongswan_conf@
-sysconfdir = @sysconfdir@
-target_alias = @target_alias@
-top_build_prefix = @top_build_prefix@
-top_builddir = @top_builddir@
-top_srcdir = @top_srcdir@
-urandom_device = @urandom_device@
-xml_CFLAGS = @xml_CFLAGS@
-xml_LIBS = @xml_LIBS@
-INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
-AM_CFLAGS = -rdynamic
-plugin_LTLIBRARIES = libstrongswan-kernel-klips.la
-libstrongswan_kernel_klips_la_SOURCES = kernel_klips_plugin.h kernel_klips_plugin.c \
-	kernel_klips_ipsec.h kernel_klips_ipsec.c pfkeyv2.h
-
-libstrongswan_kernel_klips_la_LDFLAGS = -module -avoid-version
-all: all-am
-
-.SUFFIXES:
-.SUFFIXES: .c .lo .o .obj
-$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
-	@for dep in $?; do \
-	  case '$(am__configure_deps)' in \
-	    *$$dep*) \
-	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
-	        && { if test -f $@; then exit 0; else break; fi; }; \
-	      exit 1;; \
-	  esac; \
-	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/charon/plugins/kernel_klips/Makefile'; \
-	$(am__cd) $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu src/charon/plugins/kernel_klips/Makefile
-.PRECIOUS: Makefile
-Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
-	@case '$?' in \
-	  *config.status*) \
-	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
-	  *) \
-	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
-	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
-	esac;
-
-$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-
-$(top_srcdir)/configure:  $(am__configure_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(am__aclocal_m4_deps):
-install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
-	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
-	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
-	list2=; for p in $$list; do \
-	  if test -f $$p; then \
-	    list2="$$list2 $$p"; \
-	  else :; fi; \
-	done; \
-	test -z "$$list2" || { \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
-	}
-
-uninstall-pluginLTLIBRARIES:
-	@$(NORMAL_UNINSTALL)
-	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
-	for p in $$list; do \
-	  $(am__strip_dir) \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
-	done
-
-clean-pluginLTLIBRARIES:
-	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
-	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
-	  test "$$dir" != "$$p" || dir=.; \
-	  echo "rm -f \"$${dir}/so_locations\""; \
-	  rm -f "$${dir}/so_locations"; \
-	done
-libstrongswan-kernel-klips.la: $(libstrongswan_kernel_klips_la_OBJECTS) $(libstrongswan_kernel_klips_la_DEPENDENCIES) 
-	$(libstrongswan_kernel_klips_la_LINK) -rpath $(plugindir) $(libstrongswan_kernel_klips_la_OBJECTS) $(libstrongswan_kernel_klips_la_LIBADD) $(LIBS)
-
-mostlyclean-compile:
-	-rm -f *.$(OBJEXT)
-
-distclean-compile:
-	-rm -f *.tab.c
-
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_klips_ipsec.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_klips_plugin.Plo@am__quote@
-
-.c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
-
-.c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
-
-.c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
-
-mostlyclean-libtool:
-	-rm -f *.lo
-
-clean-libtool:
-	-rm -rf .libs _libs
-
-ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
-	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	mkid -fID $$unique
-tags: TAGS
-
-TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	set x; \
-	here=`pwd`; \
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	shift; \
-	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
-	  test -n "$$unique" || unique=$$empty_fix; \
-	  if test $$# -gt 0; then \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      "$$@" $$unique; \
-	  else \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      $$unique; \
-	  fi; \
-	fi
-ctags: CTAGS
-CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$unique" \
-	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$unique
-
-GTAGS:
-	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && $(am__cd) $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) "$$here"
-
-distclean-tags:
-	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
-
-distdir: $(DISTFILES)
-	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	list='$(DISTFILES)'; \
-	  dist_files=`for file in $$list; do echo $$file; done | \
-	  sed -e "s|^$$srcdirstrip/||;t" \
-	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
-	case $$dist_files in \
-	  */*) $(MKDIR_P) `echo "$$dist_files" | \
-			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
-			   sort -u` ;; \
-	esac; \
-	for file in $$dist_files; do \
-	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  if test -d $$d/$$file; then \
-	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
-	    if test -d "$(distdir)/$$file"; then \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
-	  else \
-	    test -f "$(distdir)/$$file" \
-	    || cp -p $$d/$$file "$(distdir)/$$file" \
-	    || exit 1; \
-	  fi; \
-	done
-check-am: all-am
-check: check-am
-all-am: Makefile $(LTLIBRARIES)
-installdirs:
-	for dir in "$(DESTDIR)$(plugindir)"; do \
-	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
-	done
-install: install-am
-install-exec: install-exec-am
-install-data: install-data-am
-uninstall: uninstall-am
-
-install-am: all-am
-	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
-
-installcheck: installcheck-am
-install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
-mostlyclean-generic:
-
-clean-generic:
-
-distclean-generic:
-	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
-
-maintainer-clean-generic:
-	@echo "This command is intended for maintainers to use"
-	@echo "it deletes files that may require special tools to rebuild."
-clean: clean-am
-
-clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
-	mostlyclean-am
-
-distclean: distclean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-distclean-am: clean-am distclean-compile distclean-generic \
-	distclean-tags
-
-dvi: dvi-am
-
-dvi-am:
-
-html: html-am
-
-html-am:
-
-info: info-am
-
-info-am:
-
-install-data-am: install-pluginLTLIBRARIES
-
-install-dvi: install-dvi-am
-
-install-dvi-am:
-
-install-exec-am:
-
-install-html: install-html-am
-
-install-html-am:
-
-install-info: install-info-am
-
-install-info-am:
-
-install-man:
-
-install-pdf: install-pdf-am
-
-install-pdf-am:
-
-install-ps: install-ps-am
-
-install-ps-am:
-
-installcheck-am:
-
-maintainer-clean: maintainer-clean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-maintainer-clean-am: distclean-am maintainer-clean-generic
-
-mostlyclean: mostlyclean-am
-
-mostlyclean-am: mostlyclean-compile mostlyclean-generic \
-	mostlyclean-libtool
-
-pdf: pdf-am
-
-pdf-am:
-
-ps: ps-am
-
-ps-am:
-
-uninstall-am: uninstall-pluginLTLIBRARIES
-
-.MAKE: install-am install-strip
-
-.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
-	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
-	distclean-compile distclean-generic distclean-libtool \
-	distclean-tags distdir dvi dvi-am html html-am info info-am \
-	install install-am install-data install-data-am install-dvi \
-	install-dvi-am install-exec install-exec-am install-html \
-	install-html-am install-info install-info-am install-man \
-	install-pdf install-pdf-am install-pluginLTLIBRARIES \
-	install-ps install-ps-am install-strip installcheck \
-	installcheck-am installdirs maintainer-clean \
-	maintainer-clean-generic mostlyclean mostlyclean-compile \
-	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
-
-
-# Tell versions [3.59,3.63) of GNU make to not export all variables.
-# Otherwise a system limit (for SysV at least) may be exceeded.
-.NOEXPORT:
diff --git a/src/charon/plugins/kernel_klips/kernel_klips_ipsec.c b/src/charon/plugins/kernel_klips/kernel_klips_ipsec.c
deleted file mode 100644
index fea1b83a1..000000000
--- a/src/charon/plugins/kernel_klips/kernel_klips_ipsec.c
+++ /dev/null
@@ -1,2671 +0,0 @@
-/*
- * Copyright (C) 2008 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <sys/ioctl.h>
-#include <stdint.h>
-#include "pfkeyv2.h"
-#include <linux/udp.h>
-#include <net/if.h>
-#include <unistd.h>
-#include <stdio.h>
-#include <string.h>
-#include <time.h>
-#include <errno.h>
-
-#include "kernel_klips_ipsec.h"
-
-#include <daemon.h>
-#include <threading/thread.h>
-#include <threading/mutex.h>
-#include <processing/jobs/callback_job.h>
-#include <processing/jobs/acquire_job.h>
-#include <processing/jobs/rekey_child_sa_job.h>
-#include <processing/jobs/delete_child_sa_job.h>
-#include <processing/jobs/update_sa_job.h>
-
-/** default timeout for generated SPIs (in seconds) */
-#define SPI_TIMEOUT 30
-
-/** buffer size for PF_KEY messages */
-#define PFKEY_BUFFER_SIZE 2048
-
-/** PF_KEY messages are 64 bit aligned */
-#define PFKEY_ALIGNMENT 8
-/** aligns len to 64 bits */
-#define PFKEY_ALIGN(len) (((len) + PFKEY_ALIGNMENT - 1) & ~(PFKEY_ALIGNMENT - 1))
-/** calculates the properly padded length in 64 bit chunks */
-#define PFKEY_LEN(len) ((PFKEY_ALIGN(len) / PFKEY_ALIGNMENT))
-/** calculates user mode length i.e. in bytes */
-#define PFKEY_USER_LEN(len) ((len) * PFKEY_ALIGNMENT)
-
-/** given a PF_KEY message header and an extension this updates the length in the header */
-#define PFKEY_EXT_ADD(msg, ext) ((msg)->sadb_msg_len += ((struct sadb_ext*)ext)->sadb_ext_len)
-/** given a PF_KEY message header this returns a pointer to the next extension */
-#define PFKEY_EXT_ADD_NEXT(msg) ((struct sadb_ext*)(((char*)(msg)) + PFKEY_USER_LEN((msg)->sadb_msg_len)))
-/** copy an extension and append it to a PF_KEY message */
-#define PFKEY_EXT_COPY(msg, ext) (PFKEY_EXT_ADD(msg, memcpy(PFKEY_EXT_ADD_NEXT(msg), ext, PFKEY_USER_LEN(((struct sadb_ext*)ext)->sadb_ext_len))))
-/** given a PF_KEY extension this returns a pointer to the next extension */
-#define PFKEY_EXT_NEXT(ext) ((struct sadb_ext*)(((char*)(ext)) + PFKEY_USER_LEN(((struct sadb_ext*)ext)->sadb_ext_len)))
-/** given a PF_KEY extension this returns a pointer to the next extension also updates len (len in 64 bit words) */
-#define PFKEY_EXT_NEXT_LEN(ext,len) ((len) -= (ext)->sadb_ext_len, PFKEY_EXT_NEXT(ext))
-/** true if ext has a valid length and len is large enough to contain ext (assuming len in 64 bit words) */
-#define PFKEY_EXT_OK(ext,len) ((len) >= PFKEY_LEN(sizeof(struct sadb_ext)) && \
-				(ext)->sadb_ext_len >= PFKEY_LEN(sizeof(struct sadb_ext)) && \
-				(ext)->sadb_ext_len <= (len))
-
-/** special SPI values used for policies in KLIPS */
-#define SPI_PASS 256
-#define SPI_DROP 257
-#define SPI_REJECT 258
-#define SPI_HOLD 259
-#define SPI_TRAP 260
-#define SPI_TRAPSUBNET 261
-
-/** the prefix of the name of KLIPS ipsec devices */
-#define IPSEC_DEV_PREFIX "ipsec"
-/** this is the default number of ipsec devices */
-#define DEFAULT_IPSEC_DEV_COUNT 4
-/** TRUE if the given name matches an ipsec device */
-#define IS_IPSEC_DEV(name) (strneq((name), IPSEC_DEV_PREFIX, sizeof(IPSEC_DEV_PREFIX) - 1))
-
-/** the following stuff is from ipsec_tunnel.h */
-struct ipsectunnelconf
-{
-	__u32	cf_cmd;
-	union
-	{
-		char	cfu_name[12];
-	} cf_u;
-#define cf_name cf_u.cfu_name
-};
-
-#define IPSEC_SET_DEV (SIOCDEVPRIVATE)
-#define IPSEC_DEL_DEV (SIOCDEVPRIVATE + 1)
-#define IPSEC_CLR_DEV (SIOCDEVPRIVATE + 2)
-
-typedef struct private_kernel_klips_ipsec_t private_kernel_klips_ipsec_t;
-
-/**
- * Private variables and functions of kernel_klips class.
- */
-struct private_kernel_klips_ipsec_t
-{
-	/**
-	 * Public part of the kernel_klips_t object.
-	 */
-	kernel_klips_ipsec_t public;
-
-	/**
-	 * mutex to lock access to various lists
-	 */
-	mutex_t *mutex;
-
-	/**
-	 * List of installed policies (policy_entry_t)
-	 */
-	linked_list_t *policies;
-
-	/**
-	 * List of allocated SPIs without installed SA (sa_entry_t)
-	 */
-	linked_list_t *allocated_spis;
-
-	/**
-	 * List of installed SAs (sa_entry_t)
-	 */
-	linked_list_t *installed_sas;
-
-	/**
-	 * whether to install routes along policies
-	 */
-	bool install_routes;
-
-	/**
-	 * List of ipsec devices (ipsec_dev_t)
-	 */
-	linked_list_t *ipsec_devices;
-
-	/**
-	 * job receiving PF_KEY events
-	 */
-	callback_job_t *job;
-
-	/**
-	 * mutex to lock access to the PF_KEY socket
-	 */
-	mutex_t *mutex_pfkey;
-
-	/**
-	 * PF_KEY socket to communicate with the kernel
-	 */
-	int socket;
-
-	/**
-	 * PF_KEY socket to receive acquire and expire events
-	 */
-	int socket_events;
-
-	/**
-	 * sequence number for messages sent to the kernel
-	 */
-	int seq;
-
-};
-
-
-typedef struct ipsec_dev_t ipsec_dev_t;
-
-/**
- * ipsec device
- */
-struct ipsec_dev_t {
-	/** name of the virtual ipsec interface */
-	char name[IFNAMSIZ];
-
-	/** name of the physical interface */
-	char phys_name[IFNAMSIZ];
-
-	/** by how many CHILD_SA's this ipsec device is used */
-	u_int refcount;
-};
-
-/**
- * compare the given name with the virtual device name
- */
-static inline bool ipsec_dev_match_byname(ipsec_dev_t *current, char *name)
-{
-	return name && streq(current->name, name);
-}
-
-/**
- * compare the given name with the physical device name
- */
-static inline bool ipsec_dev_match_byphys(ipsec_dev_t *current, char *name)
-{
-	return name && streq(current->phys_name, name);
-}
-
-/**
- * matches free ipsec devices
- */
-static inline bool ipsec_dev_match_free(ipsec_dev_t *current)
-{
-	return current->refcount == 0;
-}
-
-/**
- * tries to find an ipsec_dev_t object by name
- */
-static status_t find_ipsec_dev(private_kernel_klips_ipsec_t *this, char *name,
-							   ipsec_dev_t **dev)
-{
-	linked_list_match_t match = (linked_list_match_t)(IS_IPSEC_DEV(name) ?
-								ipsec_dev_match_byname : ipsec_dev_match_byphys);
-	return this->ipsec_devices->find_first(this->ipsec_devices, match,
-												(void**)dev, name);
-}
-
-/**
- * attach an ipsec device to a physical interface
- */
-static status_t attach_ipsec_dev(char* name, char *phys_name)
-{
-	int sock;
-	struct ifreq req;
-	struct ipsectunnelconf *itc = (struct ipsectunnelconf*)&req.ifr_data;
-	short phys_flags;
-	int mtu;
-
-	DBG2(DBG_KNL, "attaching virtual interface %s to %s", name, phys_name);
-
-	if ((sock = socket(AF_INET, SOCK_DGRAM, 0)) <= 0)
-	{
-		return FAILED;
-	}
-
-	strncpy(req.ifr_name, phys_name, IFNAMSIZ);
-	if (ioctl(sock, SIOCGIFFLAGS, &req) < 0)
-	{
-		close(sock);
-		return FAILED;
-	}
-	phys_flags = req.ifr_flags;
-
-	strncpy(req.ifr_name, name, IFNAMSIZ);
-	if (ioctl(sock, SIOCGIFFLAGS, &req) < 0)
-	{
-		close(sock);
-		return FAILED;
-	}
-
-	if (req.ifr_flags & IFF_UP)
-	{
-		/* if it's already up, it is already attached, detach it first */
-		ioctl(sock, IPSEC_DEL_DEV, &req);
-	}
-
-	/* attach it */
-	strncpy(req.ifr_name, name, IFNAMSIZ);
-	strncpy(itc->cf_name, phys_name, sizeof(itc->cf_name));
-	ioctl(sock, IPSEC_SET_DEV, &req);
-
-	/* copy address from physical to virtual */
-	strncpy(req.ifr_name, phys_name, IFNAMSIZ);
-	if (ioctl(sock, SIOCGIFADDR, &req) == 0)
-	{
-		strncpy(req.ifr_name, name, IFNAMSIZ);
-		ioctl(sock, SIOCSIFADDR, &req);
-	}
-
-	/* copy net mask from physical to virtual */
-	strncpy(req.ifr_name, phys_name, IFNAMSIZ);
-	if (ioctl(sock, SIOCGIFNETMASK, &req) == 0)
-	{
-		strncpy(req.ifr_name, name, IFNAMSIZ);
-		ioctl(sock, SIOCSIFNETMASK, &req);
-	}
-
-	/* copy other flags and addresses */
-	strncpy(req.ifr_name, name, IFNAMSIZ);
-	if (ioctl(sock, SIOCGIFFLAGS, &req) == 0)
-	{
-		if (phys_flags & IFF_POINTOPOINT)
-		{
-			req.ifr_flags |= IFF_POINTOPOINT;
-			req.ifr_flags &= ~IFF_BROADCAST;
-			ioctl(sock, SIOCSIFFLAGS, &req);
-
-			strncpy(req.ifr_name, phys_name, IFNAMSIZ);
-			if (ioctl(sock, SIOCGIFDSTADDR, &req) == 0)
-			{
-				strncpy(req.ifr_name, name, IFNAMSIZ);
-				ioctl(sock, SIOCSIFDSTADDR, &req);
-			}
-		}
-		else if (phys_flags & IFF_BROADCAST)
-		{
-			req.ifr_flags &= ~IFF_POINTOPOINT;
-			req.ifr_flags |= IFF_BROADCAST;
-			ioctl(sock, SIOCSIFFLAGS, &req);
-
-			strncpy(req.ifr_name, phys_name, IFNAMSIZ);
-			if (ioctl(sock, SIOCGIFBRDADDR, &req)==0)
-			{
-				strncpy(req.ifr_name, name, IFNAMSIZ);
-				ioctl(sock, SIOCSIFBRDADDR, &req);
-			}
-		}
-		else
-		{
-			req.ifr_flags &= ~IFF_POINTOPOINT;
-			req.ifr_flags &= ~IFF_BROADCAST;
-			ioctl(sock, SIOCSIFFLAGS, &req);
-		}
-	}
-
-	mtu = lib->settings->get_int(lib->settings,
-						"charon.plugins.kernel-klips.ipsec_dev_mtu", 0);
-	if (mtu <= 0)
-	{
-		/* guess MTU as physical MTU - ESP overhead [- NAT-T overhead]
-		 * ESP overhead      : 73 bytes
-		 * NAT-T overhead    :  8 bytes ==> 81 bytes
-		 *
-		 * assuming tunnel mode with AES encryption and integrity
-		 * outer IP header  : 20 bytes
-		 * (NAT-T UDP header:  8 bytes)
-		 * ESP header       :  8 bytes
-		 * IV               : 16 bytes
-		 * padding          : 15 bytes (worst-case)
-		 * pad len / NH     :  2 bytes
-		 * auth data        : 12 bytes
-		 */
-		strncpy(req.ifr_name, phys_name, IFNAMSIZ);
-		ioctl(sock, SIOCGIFMTU, &req);
-		mtu = req.ifr_mtu - 81;
-	}
-
-	/* set MTU */
-	strncpy(req.ifr_name, name, IFNAMSIZ);
-	req.ifr_mtu = mtu;
-	ioctl(sock, SIOCSIFMTU, &req);
-
-	/* bring ipsec device UP */
-	if (ioctl(sock, SIOCGIFFLAGS, &req) == 0)
-	{
-		req.ifr_flags |= IFF_UP;
-		ioctl(sock, SIOCSIFFLAGS, &req);
-	}
-
-	close(sock);
-	return SUCCESS;
-}
-
-/**
- * detach an ipsec device from a physical interface
- */
-static status_t detach_ipsec_dev(char* name, char *phys_name)
-{
-	int sock;
-	struct ifreq req;
-
-	DBG2(DBG_KNL, "detaching virtual interface %s from %s", name,
-			strlen(phys_name) ? phys_name : "any physical interface");
-
-	if ((sock = socket(AF_INET, SOCK_DGRAM, 0)) <= 0)
-	{
-		return FAILED;
-	}
-
-	strncpy(req.ifr_name, name, IFNAMSIZ);
-	if (ioctl(sock, SIOCGIFFLAGS, &req) < 0)
-	{
-		close(sock);
-		return FAILED;
-	}
-
-	/* shutting interface down */
-	if (req.ifr_flags & IFF_UP)
-	{
-		req.ifr_flags &= ~IFF_UP;
-		ioctl(sock, SIOCSIFFLAGS, &req);
-	}
-
-	/* unset address */
-	memset(&req.ifr_addr, 0, sizeof(req.ifr_addr));
-	req.ifr_addr.sa_family = AF_INET;
-	ioctl(sock, SIOCSIFADDR, &req);
-
-	/* detach interface */
-	ioctl(sock, IPSEC_DEL_DEV, &req);
-
-	close(sock);
-	return SUCCESS;
-}
-
-/**
- * destroy an ipsec_dev_t object
- */
-static void ipsec_dev_destroy(ipsec_dev_t *this)
-{
-	detach_ipsec_dev(this->name, this->phys_name);
-	free(this);
-}
-
-
-typedef struct route_entry_t route_entry_t;
-
-/**
- * installed routing entry
- */
-struct route_entry_t {
-	/** Name of the interface the route is bound to */
-	char *if_name;
-
-	/** Source ip of the route */
-	host_t *src_ip;
-
-	/** Gateway for this route */
-	host_t *gateway;
-
-	/** Destination net */
-	chunk_t dst_net;
-
-	/** Destination net prefixlen */
-	u_int8_t prefixlen;
-};
-
-/**
- * destroy an route_entry_t object
- */
-static void route_entry_destroy(route_entry_t *this)
-{
-	free(this->if_name);
-	this->src_ip->destroy(this->src_ip);
-	this->gateway->destroy(this->gateway);
-	chunk_free(&this->dst_net);
-	free(this);
-}
-
-typedef struct policy_entry_t policy_entry_t;
-
-/**
- * installed kernel policy.
- */
-struct policy_entry_t {
-
-	/** reqid of this policy, if setup as trap */
-	u_int32_t reqid;
-
-	/** direction of this policy: in, out, forward */
-	u_int8_t direction;
-
-	/** parameters of installed policy */
-	struct {
-		/** subnet and port */
-		host_t *net;
-		/** subnet mask */
-		u_int8_t mask;
-		/** protocol */
-		u_int8_t proto;
-	} src, dst;
-
-	/** associated route installed for this policy */
-	route_entry_t *route;
-
-	/** by how many CHILD_SA's this policy is actively used */
-	u_int activecount;
-
-	/** by how many CHILD_SA's this policy is trapped */
-	u_int trapcount;
-};
-
-/**
- * convert a numerical netmask to a host_t
- */
-static host_t *mask2host(int family, u_int8_t mask)
-{
-	static const u_char bitmask[] = { 0x00, 0x80, 0xc0, 0xe0, 0xf0, 0xf8, 0xfc, 0xfe };
-	chunk_t chunk = chunk_alloca(family == AF_INET ? 4 : 16);
-	int bytes = mask / 8, bits = mask % 8;
-	memset(chunk.ptr, 0xFF, bytes);
-	memset(chunk.ptr + bytes, 0, chunk.len - bytes);
-	if (bits)
-	{
-		chunk.ptr[bytes] =  bitmask[bits];
-	}
-	return host_create_from_chunk(family, chunk, 0);
-}
-
-/**
- * check if a host is in a subnet (host with netmask in bits)
- */
-static bool is_host_in_net(host_t *host, host_t *net, u_int8_t mask)
-{
-	static const u_char bitmask[] = { 0x00, 0x80, 0xc0, 0xe0, 0xf0, 0xf8, 0xfc, 0xfe };
-	chunk_t host_chunk, net_chunk;
-	int bytes = mask / 8, bits = mask % 8;
-
-	host_chunk = host->get_address(host);
-	net_chunk = net->get_address(net);
-
-	if (host_chunk.len != net_chunk.len)
-	{
-		return FALSE;
-	}
-
-	if (memeq(host_chunk.ptr, net_chunk.ptr, bytes))
-	{
-		return (bits == 0) ||
-			   (host_chunk.ptr[bytes] & bitmask[bits]) ==
-				   (net_chunk.ptr[bytes] & bitmask[bits]);
-	}
-
-	return FALSE;
-}
-
-/**
- * create a policy_entry_t object
- */
-static policy_entry_t *create_policy_entry(traffic_selector_t *src_ts,
-		traffic_selector_t *dst_ts, policy_dir_t dir)
-{
-	policy_entry_t *policy = malloc_thing(policy_entry_t);
-	policy->reqid = 0;
-	policy->direction = dir;
-	policy->route = NULL;
-	policy->activecount = 0;
-	policy->trapcount = 0;
-
-	src_ts->to_subnet(src_ts, &policy->src.net, &policy->src.mask);
-	dst_ts->to_subnet(dst_ts, &policy->dst.net, &policy->dst.mask);
-
-	/* src or dest proto may be "any" (0), use more restrictive one */
-	policy->src.proto = max(src_ts->get_protocol(src_ts), dst_ts->get_protocol(dst_ts));
-	policy->src.proto = policy->src.proto ? policy->src.proto : 0;
-	policy->dst.proto = policy->src.proto;
-
-	return policy;
-}
-
-/**
- * destroy a policy_entry_t object
- */
-static void policy_entry_destroy(policy_entry_t *this)
-{
-	DESTROY_IF(this->src.net);
-	DESTROY_IF(this->dst.net);
-	if (this->route)
-	{
-		route_entry_destroy(this->route);
-	}
-	free(this);
-}
-
-/**
- * compares two policy_entry_t
- */
-static inline bool policy_entry_equals(policy_entry_t *current, policy_entry_t *policy)
-{
-	return current->direction == policy->direction &&
-		   current->src.proto == policy->src.proto &&
-		   current->dst.proto == policy->dst.proto &&
-		   current->src.mask == policy->src.mask &&
-		   current->dst.mask == policy->dst.mask &&
-		   current->src.net->equals(current->src.net, policy->src.net) &&
-		   current->dst.net->equals(current->dst.net, policy->dst.net);
-}
-
-static inline bool policy_entry_match_byaddrs(policy_entry_t *current, host_t *src,
-		host_t *dst)
-{
-	return is_host_in_net(src, current->src.net, current->src.mask) &&
-			is_host_in_net(dst, current->dst.net, current->dst.mask);
-}
-
-typedef struct sa_entry_t sa_entry_t;
-
-/**
- * used for two things:
- * - allocated SPIs that have not yet resulted in an installed SA
- * - installed inbound SAs with enabled UDP encapsulation
- */
-struct sa_entry_t {
-
-	/** protocol of this SA */
-	protocol_id_t protocol;
-
-	/** reqid of this SA */
-	u_int32_t reqid;
-
-	/** SPI of this SA */
-	u_int32_t spi;
-
-	/** src address of this SA */
-	host_t *src;
-
-	/** dst address of this SA */
-	host_t *dst;
-
-	/** TRUE if this SA uses UDP encapsulation */
-	bool encap;
-
-	/** TRUE if this SA is inbound */
-	bool inbound;
-};
-
-/**
- * create an sa_entry_t object
- */
-static sa_entry_t *create_sa_entry(protocol_id_t protocol, u_int32_t spi,
-								   u_int32_t reqid, host_t *src, host_t *dst,
-								   bool encap, bool inbound)
-{
-	sa_entry_t *sa = malloc_thing(sa_entry_t);
-	sa->protocol = protocol;
-	sa->reqid = reqid;
-	sa->spi = spi;
-	sa->src = src ? src->clone(src) : NULL;
-	sa->dst = dst ? dst->clone(dst) : NULL;
-	sa->encap = encap;
-	sa->inbound = inbound;
-	return sa;
-}
-
-/**
- * destroy an sa_entry_t object
- */
-static void sa_entry_destroy(sa_entry_t *this)
-{
-	DESTROY_IF(this->src);
-	DESTROY_IF(this->dst);
-	free(this);
-}
-
-/**
- * match an sa_entry_t for an inbound SA that uses UDP encapsulation by spi and src (remote) address
- */
-static inline bool sa_entry_match_encapbysrc(sa_entry_t *current, u_int32_t *spi,
-		host_t *src)
-{
-	return current->encap && current->inbound &&
-		   current->spi == *spi && src->ip_equals(src, current->src);
-}
-
-/**
- * match an sa_entry_t by protocol, spi and dst address (as the kernel does it)
- */
-static inline bool sa_entry_match_bydst(sa_entry_t *current, protocol_id_t *protocol,
-		u_int32_t *spi, host_t *dst)
-{
-	return current->protocol == *protocol && current->spi == *spi && dst->ip_equals(dst, current->dst);
-}
-
-/**
- * match an sa_entry_t by protocol, reqid and spi
- */
-static inline bool sa_entry_match_byid(sa_entry_t *current, protocol_id_t *protocol,
-		u_int32_t *spi, u_int32_t *reqid)
-{
-	return current->protocol == *protocol && current->spi == *spi && current->reqid == *reqid;
-}
-
-typedef struct pfkey_msg_t pfkey_msg_t;
-
-struct pfkey_msg_t
-{
-	/**
-	 * PF_KEY message base
-	 */
-	struct sadb_msg *msg;
-
-
-	/**
-	 * PF_KEY message extensions
-	 */
-	union {
-		struct sadb_ext *ext[SADB_EXT_MAX + 1];
-		struct {
-			struct sadb_ext *reserved;				/* SADB_EXT_RESERVED */
-			struct sadb_sa *sa;						/* SADB_EXT_SA */
-			struct sadb_lifetime *lft_current;		/* SADB_EXT_LIFETIME_CURRENT */
-			struct sadb_lifetime *lft_hard;			/* SADB_EXT_LIFETIME_HARD */
-			struct sadb_lifetime *lft_soft;			/* SADB_EXT_LIFETIME_SOFT */
-			struct sadb_address *src;				/* SADB_EXT_ADDRESS_SRC */
-			struct sadb_address *dst;				/* SADB_EXT_ADDRESS_DST */
-			struct sadb_address *proxy;				/* SADB_EXT_ADDRESS_PROXY */
-			struct sadb_key *key_auth;				/* SADB_EXT_KEY_AUTH */
-			struct sadb_key *key_encr;				/* SADB_EXT_KEY_ENCRYPT */
-			struct sadb_ident *id_src;				/* SADB_EXT_IDENTITY_SRC */
-			struct sadb_ident *id_dst;				/* SADB_EXT_IDENTITY_DST */
-			struct sadb_sens *sensitivity;			/* SADB_EXT_SENSITIVITY */
-			struct sadb_prop *proposal;				/* SADB_EXT_PROPOSAL */
-			struct sadb_supported *supported_auth;	/* SADB_EXT_SUPPORTED_AUTH */
-			struct sadb_supported *supported_encr;	/* SADB_EXT_SUPPORTED_ENCRYPT */
-			struct sadb_spirange *spirange;			/* SADB_EXT_SPIRANGE */
-			struct sadb_x_kmprivate *x_kmprivate;	/* SADB_X_EXT_KMPRIVATE */
-			struct sadb_ext *x_policy;				/* SADB_X_EXT_SATYPE2 */
-			struct sadb_ext *x_sa2;					/* SADB_X_EXT_SA2 */
-			struct sadb_address *x_dst2;			/* SADB_X_EXT_ADDRESS_DST2 */
-			struct sadb_address *x_src_flow;		/* SADB_X_EXT_ADDRESS_SRC_FLOW */
-			struct sadb_address *x_dst_flow;		/* SADB_X_EXT_ADDRESS_DST_FLOW */
-			struct sadb_address *x_src_mask;		/* SADB_X_EXT_ADDRESS_SRC_MASK */
-			struct sadb_address *x_dst_mask;		/* SADB_X_EXT_ADDRESS_DST_MASK */
-			struct sadb_x_debug *x_debug;			/* SADB_X_EXT_DEBUG */
-			struct sadb_protocol *x_protocol;		/* SADB_X_EXT_PROTOCOL */
-			struct sadb_x_nat_t_type *x_natt_type;	/* SADB_X_EXT_NAT_T_TYPE */
-			struct sadb_x_nat_t_port *x_natt_sport;	/* SADB_X_EXT_NAT_T_SPORT */
-			struct sadb_x_nat_t_port *x_natt_dport;	/* SADB_X_EXT_NAT_T_DPORT */
-			struct sadb_address *x_natt_oa;			/* SADB_X_EXT_NAT_T_OA */
-		} __attribute__((__packed__));
-	};
-};
-
-/**
- * convert a IKEv2 specific protocol identifier to the PF_KEY sa type
- */
-static u_int8_t proto_ike2satype(protocol_id_t proto)
-{
-	switch (proto)
-	{
-		case PROTO_ESP:
-			return SADB_SATYPE_ESP;
-		case PROTO_AH:
-			return SADB_SATYPE_AH;
-		case IPPROTO_COMP:
-			return SADB_X_SATYPE_COMP;
-		default:
-			return proto;
-	}
-}
-
-/**
- * convert a PF_KEY sa type to a IKEv2 specific protocol identifier
- */
-static protocol_id_t proto_satype2ike(u_int8_t proto)
-{
-	switch (proto)
-	{
-		case SADB_SATYPE_ESP:
-			return PROTO_ESP;
-		case SADB_SATYPE_AH:
-			return PROTO_AH;
-		case SADB_X_SATYPE_COMP:
-			return IPPROTO_COMP;
-		default:
-			return proto;
-	}
-}
-
-typedef struct kernel_algorithm_t kernel_algorithm_t;
-
-/**
- * Mapping of IKEv2 algorithms to PF_KEY algorithms
- */
-struct kernel_algorithm_t {
-	/**
-	 * Identifier specified in IKEv2
-	 */
-	int ikev2;
-
-	/**
-	 * Identifier as defined in pfkeyv2.h
-	 */
-	int kernel;
-};
-
-#define END_OF_LIST -1
-
-/**
- * Algorithms for encryption
- */
-static kernel_algorithm_t encryption_algs[] = {
-/*	{ENCR_DES_IV64,				0							}, */
-	{ENCR_DES,					SADB_EALG_DESCBC			},
-	{ENCR_3DES,					SADB_EALG_3DESCBC			},
-/*	{ENCR_RC5,					0							}, */
-/*	{ENCR_IDEA,					0							}, */
-/*	{ENCR_CAST,					0							}, */
-	{ENCR_BLOWFISH,				SADB_EALG_BFCBC				},
-/*	{ENCR_3IDEA,				0							}, */
-/*	{ENCR_DES_IV32,				0							}, */
-	{ENCR_NULL,					SADB_EALG_NULL				},
-	{ENCR_AES_CBC,				SADB_EALG_AESCBC			},
-/*	{ENCR_AES_CTR,				0							}, */
-/*	{ENCR_AES_CCM_ICV8,			0							}, */
-/*	{ENCR_AES_CCM_ICV12,		0							}, */
-/*	{ENCR_AES_CCM_ICV16,		0							}, */
-/*	{ENCR_AES_GCM_ICV8,			0							}, */
-/*	{ENCR_AES_GCM_ICV12,		0							}, */
-/*	{ENCR_AES_GCM_ICV16,		0							}, */
-	{END_OF_LIST,				0							},
-};
-
-/**
- * Algorithms for integrity protection
- */
-static kernel_algorithm_t integrity_algs[] = {
-	{AUTH_HMAC_MD5_96,			SADB_AALG_MD5HMAC			},
-	{AUTH_HMAC_SHA1_96,			SADB_AALG_SHA1HMAC			},
-	{AUTH_HMAC_SHA2_256_128,	SADB_AALG_SHA256_HMAC		},
-	{AUTH_HMAC_SHA2_384_192,	SADB_AALG_SHA384_HMAC		},
-	{AUTH_HMAC_SHA2_512_256,	SADB_AALG_SHA512_HMAC		},
-/*	{AUTH_DES_MAC,				0,							}, */
-/*	{AUTH_KPDK_MD5,				0,							}, */
-/*	{AUTH_AES_XCBC_96,			0,							}, */
-	{END_OF_LIST,				0,							},
-};
-
-#if 0
-/**
- * Algorithms for IPComp, unused yet
- */
-static kernel_algorithm_t compression_algs[] = {
-/*	{IPCOMP_OUI,				0							}, */
-	{IPCOMP_DEFLATE,			SADB_X_CALG_DEFLATE			},
-	{IPCOMP_LZS,				SADB_X_CALG_LZS				},
-/*	{IPCOMP_LZJH,				0							}, */
-	{END_OF_LIST,				0							},
-};
-#endif
-
-/**
- * Look up a kernel algorithm ID and its key size
- */
-static int lookup_algorithm(kernel_algorithm_t *list, int ikev2)
-{
-	while (list->ikev2 != END_OF_LIST)
-	{
-		if (ikev2 == list->ikev2)
-		{
-			return list->kernel;
-		}
-		list++;
-	}
-	return 0;
-}
-
-/**
- * add a host behind a sadb_address extension
- */
-static void host2ext(host_t *host, struct sadb_address *ext)
-{
-	sockaddr_t *host_addr = host->get_sockaddr(host);
-	socklen_t *len = host->get_sockaddr_len(host);
-	memcpy((char*)(ext + 1), host_addr, *len);
-	ext->sadb_address_len = PFKEY_LEN(sizeof(*ext) + *len);
-}
-
-/**
- * add a host to the given sadb_msg
- */
-static void add_addr_ext(struct sadb_msg *msg, host_t *host, u_int16_t type)
-{
-	struct sadb_address *addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
-	addr->sadb_address_exttype = type;
-	host2ext(host, addr);
-	PFKEY_EXT_ADD(msg, addr);
-}
-
-/**
- * adds an empty address extension to the given sadb_msg
- */
-static void add_anyaddr_ext(struct sadb_msg *msg, int family, u_int8_t type)
-{
-	socklen_t len = (family == AF_INET) ? sizeof(struct sockaddr_in) :
-										  sizeof(struct sockaddr_in6);
-	struct sadb_address *addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
-	addr->sadb_address_exttype = type;
-	sockaddr_t *saddr = (sockaddr_t*)(addr + 1);
-	saddr->sa_family = family;
-	addr->sadb_address_len = PFKEY_LEN(sizeof(*addr) + len);
-	PFKEY_EXT_ADD(msg, addr);
-}
-
-/**
- * add udp encap extensions to a sadb_msg
- */
-static void add_encap_ext(struct sadb_msg *msg, host_t *src, host_t *dst,
-							bool ports_only)
-{
-	struct sadb_x_nat_t_type* nat_type;
-	struct sadb_x_nat_t_port* nat_port;
-
-	if (!ports_only)
-	{
-		nat_type = (struct sadb_x_nat_t_type*)PFKEY_EXT_ADD_NEXT(msg);
-		nat_type->sadb_x_nat_t_type_exttype = SADB_X_EXT_NAT_T_TYPE;
-		nat_type->sadb_x_nat_t_type_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_type));
-		nat_type->sadb_x_nat_t_type_type = UDP_ENCAP_ESPINUDP;
-		PFKEY_EXT_ADD(msg, nat_type);
-	}
-
-	nat_port = (struct sadb_x_nat_t_port*)PFKEY_EXT_ADD_NEXT(msg);
-	nat_port->sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_SPORT;
-	nat_port->sadb_x_nat_t_port_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_port));
-	nat_port->sadb_x_nat_t_port_port = src->get_port(src);
-	PFKEY_EXT_ADD(msg, nat_port);
-
-	nat_port = (struct sadb_x_nat_t_port*)PFKEY_EXT_ADD_NEXT(msg);
-	nat_port->sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_DPORT;
-	nat_port->sadb_x_nat_t_port_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_port));
-	nat_port->sadb_x_nat_t_port_port = dst->get_port(dst);
-	PFKEY_EXT_ADD(msg, nat_port);
-}
-
-/**
- * build an SADB_X_ADDFLOW msg
- */
-static void build_addflow(struct sadb_msg *msg, u_int8_t satype, u_int32_t spi,
-		host_t *src, host_t *dst, host_t *src_net, u_int8_t src_mask,
-		host_t *dst_net, u_int8_t dst_mask, u_int8_t protocol, bool replace)
-{
-	struct sadb_sa *sa;
-	struct sadb_protocol *proto;
-	host_t *host;
-
-	msg->sadb_msg_version = PF_KEY_V2;
-	msg->sadb_msg_type = SADB_X_ADDFLOW;
-	msg->sadb_msg_satype = satype;
-	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
-
-	sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
-	sa->sadb_sa_exttype = SADB_EXT_SA;
-	sa->sadb_sa_spi = spi;
-	sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
-	sa->sadb_sa_flags = replace ? SADB_X_SAFLAGS_REPLACEFLOW : 0;
-	PFKEY_EXT_ADD(msg, sa);
-
-	if (!src)
-	{
-		add_anyaddr_ext(msg, src_net->get_family(src_net), SADB_EXT_ADDRESS_SRC);
-	}
-	else
-	{
-		add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC);
-	}
-
-	if (!dst)
-	{
-		add_anyaddr_ext(msg, dst_net->get_family(dst_net), SADB_EXT_ADDRESS_DST);
-	}
-	else
-	{
-		add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST);
-	}
-
-	add_addr_ext(msg, src_net, SADB_X_EXT_ADDRESS_SRC_FLOW);
-	add_addr_ext(msg, dst_net, SADB_X_EXT_ADDRESS_DST_FLOW);
-
-	host = mask2host(src_net->get_family(src_net), src_mask);
-	add_addr_ext(msg, host, SADB_X_EXT_ADDRESS_SRC_MASK);
-	host->destroy(host);
-
-	host = mask2host(dst_net->get_family(dst_net), dst_mask);
-	add_addr_ext(msg, host, SADB_X_EXT_ADDRESS_DST_MASK);
-	host->destroy(host);
-
-	proto = (struct sadb_protocol*)PFKEY_EXT_ADD_NEXT(msg);
-	proto->sadb_protocol_exttype = SADB_X_EXT_PROTOCOL;
-	proto->sadb_protocol_len = PFKEY_LEN(sizeof(struct sadb_protocol));
-	proto->sadb_protocol_proto = protocol;
-	PFKEY_EXT_ADD(msg, proto);
-}
-
-/**
- * build an SADB_X_DELFLOW msg
- */
-static void build_delflow(struct sadb_msg *msg, u_int8_t satype,
-		host_t *src_net, u_int8_t src_mask, host_t *dst_net, u_int8_t dst_mask,
-		u_int8_t protocol)
-{
-	struct sadb_protocol *proto;
-	host_t *host;
-
-	msg->sadb_msg_version = PF_KEY_V2;
-	msg->sadb_msg_type = SADB_X_DELFLOW;
-	msg->sadb_msg_satype = satype;
-	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
-
-	add_addr_ext(msg, src_net, SADB_X_EXT_ADDRESS_SRC_FLOW);
-	add_addr_ext(msg, dst_net, SADB_X_EXT_ADDRESS_DST_FLOW);
-
-	host = mask2host(src_net->get_family(src_net),
-					 src_mask);
-	add_addr_ext(msg, host, SADB_X_EXT_ADDRESS_SRC_MASK);
-	host->destroy(host);
-
-	host = mask2host(dst_net->get_family(dst_net),
-					 dst_mask);
-	add_addr_ext(msg, host, SADB_X_EXT_ADDRESS_DST_MASK);
-	host->destroy(host);
-
-	proto = (struct sadb_protocol*)PFKEY_EXT_ADD_NEXT(msg);
-	proto->sadb_protocol_exttype = SADB_X_EXT_PROTOCOL;
-	proto->sadb_protocol_len = PFKEY_LEN(sizeof(struct sadb_protocol));
-	proto->sadb_protocol_proto = protocol;
-	PFKEY_EXT_ADD(msg, proto);
-}
-
-/**
- * Parses a pfkey message received from the kernel
- */
-static status_t parse_pfkey_message(struct sadb_msg *msg, pfkey_msg_t *out)
-{
-	struct sadb_ext* ext;
-	size_t len;
-
-	memset(out, 0, sizeof(pfkey_msg_t));
-	out->msg = msg;
-
-	len = msg->sadb_msg_len;
-	len -= PFKEY_LEN(sizeof(struct sadb_msg));
-
-	ext = (struct sadb_ext*)(((char*)msg) + sizeof(struct sadb_msg));
-
-	while (len >= PFKEY_LEN(sizeof(struct sadb_ext)))
-	{
-		if (ext->sadb_ext_len < PFKEY_LEN(sizeof(struct sadb_ext)) ||
-			ext->sadb_ext_len > len)
-		{
-			DBG1(DBG_KNL, "length of PF_KEY extension (%d) is invalid", ext->sadb_ext_type);
-			break;
-		}
-
-		if ((ext->sadb_ext_type > SADB_EXT_MAX) || (!ext->sadb_ext_type))
-		{
-			DBG1(DBG_KNL, "type of PF_KEY extension (%d) is invalid", ext->sadb_ext_type);
-			break;
-		}
-
-		if (out->ext[ext->sadb_ext_type])
-		{
-			DBG1(DBG_KNL, "duplicate PF_KEY extension of type (%d)", ext->sadb_ext_type);
-			break;
-		}
-
-		out->ext[ext->sadb_ext_type] = ext;
-		ext = PFKEY_EXT_NEXT_LEN(ext, len);
-	}
-
-	if (len)
-	{
-		DBG1(DBG_KNL, "PF_KEY message length is invalid");
-		return FAILED;
-	}
-
-	return SUCCESS;
-}
-
-/**
- * Send a message to a specific PF_KEY socket and handle the response.
- */
-static status_t pfkey_send_socket(private_kernel_klips_ipsec_t *this, int socket,
-					struct sadb_msg *in, struct sadb_msg **out, size_t *out_len)
-{
-	unsigned char buf[PFKEY_BUFFER_SIZE];
-	struct sadb_msg *msg;
-	int in_len, len;
-
-	this->mutex_pfkey->lock(this->mutex_pfkey);
-
-	in->sadb_msg_seq = ++this->seq;
-	in->sadb_msg_pid = getpid();
-
-	in_len = PFKEY_USER_LEN(in->sadb_msg_len);
-
-	while (TRUE)
-	{
-		len = send(socket, in, in_len, 0);
-
-		if (len != in_len)
-		{
-			switch (errno)
-			{
-				case EINTR:
-					/* interrupted, try again */
-					continue;
-				case EINVAL:
-				case EEXIST:
-				case ESRCH:
-					/* we should also get a response for these from KLIPS */
-					break;
-				default:
-					this->mutex_pfkey->unlock(this->mutex_pfkey);
-					DBG1(DBG_KNL, "error sending to PF_KEY socket: %s (%d)",
-							strerror(errno), errno);
-					return FAILED;
-			}
-		}
-		break;
-	}
-
-	while (TRUE)
-	{
-		msg = (struct sadb_msg*)buf;
-
-		len = recv(socket, buf, sizeof(buf), 0);
-
-		if (len < 0)
-		{
-			if (errno == EINTR)
-			{
-				DBG1(DBG_KNL, "got interrupted");
-				/* interrupted, try again */
-				continue;
-			}
-			this->mutex_pfkey->unlock(this->mutex_pfkey);
-			DBG1(DBG_KNL, "error reading from PF_KEY socket: %s", strerror(errno));
-			return FAILED;
-		}
-		if (len < sizeof(struct sadb_msg) ||
-			msg->sadb_msg_len < PFKEY_LEN(sizeof(struct sadb_msg)))
-		{
-			this->mutex_pfkey->unlock(this->mutex_pfkey);
-			DBG1(DBG_KNL, "received corrupted PF_KEY message");
-			return FAILED;
-		}
-		if (msg->sadb_msg_len > len / PFKEY_ALIGNMENT)
-		{
-			this->mutex_pfkey->unlock(this->mutex_pfkey);
-			DBG1(DBG_KNL, "buffer was too small to receive the complete PF_KEY message");
-			return FAILED;
-		}
-		if (msg->sadb_msg_pid != in->sadb_msg_pid)
-		{
-			DBG2(DBG_KNL, "received PF_KEY message is not intended for us");
-			continue;
-		}
-		if (msg->sadb_msg_seq != this->seq)
-		{
-			DBG1(DBG_KNL, "received PF_KEY message with invalid sequence number,"
-					" was %d expected %d", msg->sadb_msg_seq, this->seq);
-			if (msg->sadb_msg_seq < this->seq)
-			{
-				continue;
-			}
-			this->mutex_pfkey->unlock(this->mutex_pfkey);
-			return FAILED;
-		}
-		if (msg->sadb_msg_type != in->sadb_msg_type)
-		{
-			DBG2(DBG_KNL, "received PF_KEY message of wrong type,"
-					" was %d expected %d, ignoring",
-					msg->sadb_msg_type, in->sadb_msg_type);
-		}
-		break;
-	}
-
-	*out_len = len;
-	*out = (struct sadb_msg*)malloc(len);
-	memcpy(*out, buf, len);
-
-	this->mutex_pfkey->unlock(this->mutex_pfkey);
-
-	return SUCCESS;
-}
-
-/**
- * Send a message to the default PF_KEY socket.
- */
-static status_t pfkey_send(private_kernel_klips_ipsec_t *this,
-					struct sadb_msg *in, struct sadb_msg **out, size_t *out_len)
-{
-	return pfkey_send_socket(this, this->socket, in, out, out_len);
-}
-
-/**
- * Send a message to the default PF_KEY socket and handle the response.
- */
-static status_t pfkey_send_ack(private_kernel_klips_ipsec_t *this, struct sadb_msg *in)
-{
-	struct sadb_msg *out;
-	size_t len;
-
-	if (pfkey_send(this, in, &out, &len) != SUCCESS)
-	{
-		return FAILED;
-	}
-	else if (out->sadb_msg_errno)
-	{
-		DBG1(DBG_KNL, "PF_KEY error: %s (%d)",
-					   strerror(out->sadb_msg_errno), out->sadb_msg_errno);
-		free(out);
-		return FAILED;
-	}
-	free(out);
-	return SUCCESS;
-}
-
-/**
- * Add an eroute to KLIPS
- */
-static status_t add_eroute(private_kernel_klips_ipsec_t *this, u_int8_t satype,
-		u_int32_t spi, host_t *src, host_t *dst, host_t *src_net, u_int8_t src_mask,
-		host_t *dst_net, u_int8_t dst_mask, u_int8_t protocol, bool replace)
-{
-	unsigned char request[PFKEY_BUFFER_SIZE];
-	struct sadb_msg *msg = (struct sadb_msg*)request;
-
-	memset(&request, 0, sizeof(request));
-
-	build_addflow(msg, satype, spi, src, dst, src_net, src_mask,
-			dst_net, dst_mask, protocol, replace);
-
-	return pfkey_send_ack(this, msg);
-}
-
-/**
- * Delete an eroute fom KLIPS
- */
-static status_t del_eroute(private_kernel_klips_ipsec_t *this, u_int8_t satype,
-		host_t *src_net, u_int8_t src_mask, host_t *dst_net, u_int8_t dst_mask,
-		u_int8_t protocol)
-{
-	unsigned char request[PFKEY_BUFFER_SIZE];
-	struct sadb_msg *msg = (struct sadb_msg*)request;
-
-	memset(&request, 0, sizeof(request));
-
-	build_delflow(msg, satype, src_net, src_mask, dst_net, dst_mask, protocol);
-
-	return pfkey_send_ack(this, msg);
-}
-
-/**
- * Process a SADB_ACQUIRE message from the kernel
- */
-static void process_acquire(private_kernel_klips_ipsec_t *this, struct sadb_msg* msg)
-{
-	pfkey_msg_t response;
-	host_t *src, *dst;
-	u_int32_t reqid;
-	u_int8_t proto;
-	policy_entry_t *policy;
-	job_t *job;
-
-	switch (msg->sadb_msg_satype)
-	{
-		case SADB_SATYPE_UNSPEC:
-		case SADB_SATYPE_ESP:
-		case SADB_SATYPE_AH:
-			break;
-		default:
-			/* acquire for AH/ESP only */
-			return;
-	}
-
-	if (parse_pfkey_message(msg, &response) != SUCCESS)
-	{
-		DBG1(DBG_KNL, "parsing SADB_ACQUIRE from kernel failed");
-		return;
-	}
-
-	/* KLIPS provides us only with the source and destination address,
-	 * and the transport protocol of the packet that triggered the policy.
-	 * we use this information to find a matching policy in our cache.
-	 * because KLIPS installs a narrow %hold eroute covering only this information,
-	 * we replace both the %trap and this %hold eroutes with a broader %hold
-	 * eroute covering the whole policy */
-	src = host_create_from_sockaddr((sockaddr_t*)(response.src + 1));
-	dst = host_create_from_sockaddr((sockaddr_t*)(response.dst + 1));
-	proto = response.src->sadb_address_proto;
-	if (!src || !dst || src->get_family(src) != dst->get_family(dst))
-	{
-		DBG1(DBG_KNL, "received an SADB_ACQUIRE with invalid hosts");
-		return;
-	}
-
-	DBG2(DBG_KNL, "received an SADB_ACQUIRE for %H == %H : %d", src, dst, proto);
-	this->mutex->lock(this->mutex);
-	if (this->policies->find_first(this->policies,
-			(linked_list_match_t)policy_entry_match_byaddrs,
-				(void**)&policy, src, dst) != SUCCESS)
-	{
-		this->mutex->unlock(this->mutex);
-		DBG1(DBG_KNL, "received an SADB_ACQUIRE, but found no matching policy");
-		return;
-	}
-	if ((reqid = policy->reqid) == 0)
-	{
-		this->mutex->unlock(this->mutex);
-		DBG1(DBG_KNL, "received an SADB_ACQUIRE, but policy is not routed anymore");
-		return;
-	}
-
-	/* add a broad %hold eroute that replaces the %trap eroute */
-	add_eroute(this, SADB_X_SATYPE_INT, htonl(SPI_HOLD), NULL, NULL,
-			policy->src.net, policy->src.mask, policy->dst.net, policy->dst.mask,
-			policy->src.proto, TRUE);
-
-	/* remove the narrow %hold eroute installed by KLIPS */
-	del_eroute(this, SADB_X_SATYPE_INT, src, 32, dst, 32, proto);
-
-	this->mutex->unlock(this->mutex);
-
-	DBG2(DBG_KNL, "received an SADB_ACQUIRE");
-	DBG1(DBG_KNL, "creating acquire job for CHILD_SA with reqid {%d}", reqid);
-	job = (job_t*)acquire_job_create(reqid, NULL, NULL);
-	charon->processor->queue_job(charon->processor, job);
-}
-
-/**
- * Process a SADB_X_NAT_T_NEW_MAPPING message from the kernel
- */
-static void process_mapping(private_kernel_klips_ipsec_t *this, struct sadb_msg* msg)
-{
-	pfkey_msg_t response;
-	u_int32_t spi, reqid;
-	host_t *old_src, *new_src;
-	job_t *job;
-
-	DBG2(DBG_KNL, "received an SADB_X_NAT_T_NEW_MAPPING");
-
-	if (parse_pfkey_message(msg, &response) != SUCCESS)
-	{
-		DBG1(DBG_KNL, "parsing SADB_X_NAT_T_NEW_MAPPING from kernel failed");
-		return;
-	}
-
-	spi = response.sa->sadb_sa_spi;
-
-	if (proto_satype2ike(msg->sadb_msg_satype) == PROTO_ESP)
-	{
-		sa_entry_t *sa;
-		sockaddr_t *addr = (sockaddr_t*)(response.src + 1);
-		old_src = host_create_from_sockaddr(addr);
-
-		this->mutex->lock(this->mutex);
-		if (!old_src || this->installed_sas->find_first(this->installed_sas,
-				(linked_list_match_t)sa_entry_match_encapbysrc,
-					(void**)&sa, &spi, old_src) != SUCCESS)
-		{
-			this->mutex->unlock(this->mutex);
-			DBG1(DBG_KNL, "received an SADB_X_NAT_T_NEW_MAPPING, but found no matching SA");
-			return;
-		}
-		reqid = sa->reqid;
-		this->mutex->unlock(this->mutex);
-
-		addr = (sockaddr_t*)(response.dst + 1);
-		switch (addr->sa_family)
-		{
-			case AF_INET:
-			{
-				struct sockaddr_in *sin = (struct sockaddr_in*)addr;
-				sin->sin_port = htons(response.x_natt_dport->sadb_x_nat_t_port_port);
-			}
-			case AF_INET6:
-			{
-				struct sockaddr_in6 *sin6 = (struct sockaddr_in6*)addr;
-				sin6->sin6_port = htons(response.x_natt_dport->sadb_x_nat_t_port_port);
-			}
-			default:
-				break;
-		}
-		new_src = host_create_from_sockaddr(addr);
-		if (new_src)
-		{
-			DBG1(DBG_KNL, "NAT mappings of ESP CHILD_SA with SPI %.8x and"
-				" reqid {%d} changed, queuing update job", ntohl(spi), reqid);
-			job = (job_t*)update_sa_job_create(reqid, new_src);
-			charon->processor->queue_job(charon->processor, job);
-		}
-	}
-}
-
-/**
- * Receives events from kernel
- */
-static job_requeue_t receive_events(private_kernel_klips_ipsec_t *this)
-{
-	unsigned char buf[PFKEY_BUFFER_SIZE];
-	struct sadb_msg *msg = (struct sadb_msg*)buf;
-	int len;
-	bool oldstate;
-
-	oldstate = thread_cancelability(TRUE);
-	len = recv(this->socket_events, buf, sizeof(buf), 0);
-	thread_cancelability(oldstate);
-
-	if (len < 0)
-	{
-		switch (errno)
-		{
-			case EINTR:
-				/* interrupted, try again */
-				return JOB_REQUEUE_DIRECT;
-			case EAGAIN:
-				/* no data ready, select again */
-				return JOB_REQUEUE_DIRECT;
-			default:
-				DBG1(DBG_KNL, "unable to receive from PF_KEY event socket");
-				sleep(1);
-				return JOB_REQUEUE_FAIR;
-		}
-	}
-
-	if (len < sizeof(struct sadb_msg) ||
-		msg->sadb_msg_len < PFKEY_LEN(sizeof(struct sadb_msg)))
-	{
-		DBG2(DBG_KNL, "received corrupted PF_KEY message");
-		return JOB_REQUEUE_DIRECT;
-	}
-	if (msg->sadb_msg_pid != 0)
-	{	/* not from kernel. not interested, try another one */
-		return JOB_REQUEUE_DIRECT;
-	}
-	if (msg->sadb_msg_len > len / PFKEY_ALIGNMENT)
-	{
-		DBG1(DBG_KNL, "buffer was too small to receive the complete PF_KEY message");
-		return JOB_REQUEUE_DIRECT;
-	}
-
-	switch (msg->sadb_msg_type)
-	{
-		case SADB_ACQUIRE:
-			process_acquire(this, msg);
-			break;
-		case SADB_EXPIRE:
-			/* SADB_EXPIRE events in KLIPS are only triggered by traffic (even for
-			 * the time based limits). So if there is no traffic for a longer
-			 * period than configured as hard limit, we wouldn't be able to rekey
-			 * the SA and just receive the hard expire and thus delete the SA.
-			 * To avoid this behavior and to make charon behave as with the other
-			 * kernel plugins, we implement the expiration of SAs ourselves. */
-			break;
-		case SADB_X_NAT_T_NEW_MAPPING:
-			process_mapping(this, msg);
-			break;
-		default:
-			break;
-	}
-
-	return JOB_REQUEUE_DIRECT;
-}
-
-typedef enum {
-	/** an SPI has expired */
-	EXPIRE_TYPE_SPI,
-	/** a CHILD_SA has to be rekeyed */
-	EXPIRE_TYPE_SOFT,
-	/** a CHILD_SA has to be deleted */
-	EXPIRE_TYPE_HARD
-} expire_type_t;
-
-typedef struct sa_expire_t sa_expire_t;
-
-struct sa_expire_t {
-	/** kernel interface */
-	private_kernel_klips_ipsec_t *this;
-	/** the SPI of the expiring SA */
-	u_int32_t spi;
-	/** the protocol of the expiring SA */
-	protocol_id_t protocol;
-	/** the reqid of the expiring SA*/
-	u_int32_t reqid;
-	/** what type of expire this is */
-	expire_type_t type;
-};
-
-/**
- * Called when an SA expires
- */
-static job_requeue_t sa_expires(sa_expire_t *expire)
-{
-	private_kernel_klips_ipsec_t *this = expire->this;
-	protocol_id_t protocol = expire->protocol;
-	u_int32_t spi = expire->spi, reqid = expire->reqid;
-	bool hard = expire->type != EXPIRE_TYPE_SOFT;
-	sa_entry_t *cached_sa;
-	linked_list_t *list;
-	job_t *job;
-
-	/* for an expired SPI we first check whether the CHILD_SA got installed
-	 * in the meantime, for expired SAs we check whether they are still installed */
-	list = expire->type == EXPIRE_TYPE_SPI ? this->allocated_spis : this->installed_sas;
-
-	this->mutex->lock(this->mutex);
-	if (list->find_first(list, (linked_list_match_t)sa_entry_match_byid,
-			(void**)&cached_sa, &protocol, &spi, &reqid) != SUCCESS)
-	{
-		/* we found no entry:
-		 * - for SPIs, a CHILD_SA has been installed
-		 * - for SAs, the CHILD_SA has already been deleted */
-		this->mutex->unlock(this->mutex);
-		return JOB_REQUEUE_NONE;
-	}
-	else
-	{
-		list->remove(list, cached_sa, NULL);
-		sa_entry_destroy(cached_sa);
-	}
-	this->mutex->unlock(this->mutex);
-
-	DBG2(DBG_KNL, "%N CHILD_SA with SPI %.8x and reqid {%d} expired",
-			protocol_id_names, protocol, ntohl(spi), reqid);
-
-	DBG1(DBG_KNL, "creating %s job for %N CHILD_SA with SPI %.8x and reqid {%d}",
-		 hard ? "delete" : "rekey",  protocol_id_names,
-		 protocol, ntohl(spi), reqid);
-	if (hard)
-	{
-		job = (job_t*)delete_child_sa_job_create(reqid, protocol, spi);
-	}
-	else
-	{
-		job = (job_t*)rekey_child_sa_job_create(reqid, protocol, spi);
-	}
-	charon->processor->queue_job(charon->processor, job);
-	return JOB_REQUEUE_NONE;
-}
-
-/**
- * Schedule an expire job for an SA. Time is in seconds.
- */
-static void schedule_expire(private_kernel_klips_ipsec_t *this,
-							protocol_id_t protocol, u_int32_t spi,
-							u_int32_t reqid, expire_type_t type, u_int32_t time)
-{
-	callback_job_t *job;
-	sa_expire_t *expire = malloc_thing(sa_expire_t);
-	expire->this = this;
-	expire->protocol = protocol;
-	expire->spi = spi;
-	expire->reqid = reqid;
-	expire->type = type;
-	job = callback_job_create((callback_job_cb_t)sa_expires, expire, free, NULL);
-	charon->scheduler->schedule_job(charon->scheduler, (job_t*)job, time);
-}
-
-/**
- * Implementation of kernel_interface_t.get_spi.
- */
-static status_t get_spi(private_kernel_klips_ipsec_t *this,
-						host_t *src, host_t *dst,
-						protocol_id_t protocol, u_int32_t reqid,
-						u_int32_t *spi)
-{
-	/* we cannot use SADB_GETSPI because KLIPS does not allow us to set the
-	 * NAT-T type in an SADB_UPDATE which we would have to use to update the
-	 * implicitly created SA.
-	 */
-	rng_t *rng;
-	u_int32_t spi_gen;
-
-	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
-	if (!rng)
-	{
-		DBG1(DBG_KNL, "allocating SPI failed: no RNG");
-		return FAILED;
-	}
-	rng->get_bytes(rng, sizeof(spi_gen), (void*)&spi_gen);
-	rng->destroy(rng);
-
-	/* charon's SPIs lie within the range from 0xc0000000 to 0xcFFFFFFF */
-	spi_gen = 0xc0000000 | (spi_gen & 0x0FFFFFFF);
-
-	DBG2(DBG_KNL, "allocated SPI %.8x for %N SA between %#H..%#H",
-			spi_gen, protocol_id_names, protocol, src, dst);
-
-	*spi = htonl(spi_gen);
-
-	this->mutex->lock(this->mutex);
-	this->allocated_spis->insert_last(this->allocated_spis,
-			create_sa_entry(protocol, *spi, reqid, NULL, NULL, FALSE, TRUE));
-	this->mutex->unlock(this->mutex);
-	schedule_expire(this, protocol, *spi, reqid, EXPIRE_TYPE_SPI, SPI_TIMEOUT);
-
-	return SUCCESS;
-}
-
-/**
- * Implementation of kernel_interface_t.get_cpi.
- */
-static status_t get_cpi(private_kernel_klips_ipsec_t *this,
-						host_t *src, host_t *dst,
-						u_int32_t reqid, u_int16_t *cpi)
-{
-	return FAILED;
-}
-
-/**
- * Add a pseudo IPIP SA for tunnel mode with KLIPS.
- */
-static status_t add_ipip_sa(private_kernel_klips_ipsec_t *this,
-					   host_t *src, host_t *dst, u_int32_t spi, u_int32_t reqid)
-{
-	unsigned char request[PFKEY_BUFFER_SIZE];
-	struct sadb_msg *msg, *out;
-	struct sadb_sa *sa;
-	size_t len;
-
-	memset(&request, 0, sizeof(request));
-
-	DBG2(DBG_KNL, "adding pseudo IPIP SA with SPI %.8x and reqid {%d}", ntohl(spi), reqid);
-
-	msg = (struct sadb_msg*)request;
-	msg->sadb_msg_version = PF_KEY_V2;
-	msg->sadb_msg_type = SADB_ADD;
-	msg->sadb_msg_satype = SADB_X_SATYPE_IPIP;
-	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
-
-	sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
-	sa->sadb_sa_exttype = SADB_EXT_SA;
-	sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
-	sa->sadb_sa_spi = spi;
-	sa->sadb_sa_state = SADB_SASTATE_MATURE;
-	PFKEY_EXT_ADD(msg, sa);
-
-	add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC);
-	add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST);
-
-	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
-	{
-		DBG1(DBG_KNL, "unable to add pseudo IPIP SA with SPI %.8x", ntohl(spi));
-		return FAILED;
-	}
-	else if (out->sadb_msg_errno)
-	{
-		DBG1(DBG_KNL, "unable to add pseudo IPIP SA with SPI %.8x: %s (%d)",
-				ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
-		free(out);
-		return FAILED;
-	}
-
-	free(out);
-	return SUCCESS;
-}
-
-/**
- * group the IPIP SA required for tunnel mode with the outer SA
- */
-static status_t group_ipip_sa(private_kernel_klips_ipsec_t *this,
-					   host_t *src, host_t *dst, u_int32_t spi,
-					   protocol_id_t protocol, u_int32_t reqid)
-{
-	unsigned char request[PFKEY_BUFFER_SIZE];
-	struct sadb_msg *msg, *out;
-	struct sadb_sa *sa;
-	struct sadb_x_satype *satype;
-	size_t len;
-
-	memset(&request, 0, sizeof(request));
-
-	DBG2(DBG_KNL, "grouping SAs with SPI %.8x and reqid {%d}", ntohl(spi), reqid);
-
-	msg = (struct sadb_msg*)request;
-	msg->sadb_msg_version = PF_KEY_V2;
-	msg->sadb_msg_type = SADB_X_GRPSA;
-	msg->sadb_msg_satype = SADB_X_SATYPE_IPIP;
-	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
-
-	sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
-	sa->sadb_sa_exttype = SADB_EXT_SA;
-	sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
-	sa->sadb_sa_spi = spi;
-	sa->sadb_sa_state = SADB_SASTATE_MATURE;
-	PFKEY_EXT_ADD(msg, sa);
-
-	add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST);
-
-	satype = (struct sadb_x_satype*)PFKEY_EXT_ADD_NEXT(msg);
-	satype->sadb_x_satype_exttype = SADB_X_EXT_SATYPE2;
-	satype->sadb_x_satype_len = PFKEY_LEN(sizeof(struct sadb_x_satype));
-	satype->sadb_x_satype_satype = proto_ike2satype(protocol);
-	PFKEY_EXT_ADD(msg, satype);
-
-	sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
-	sa->sadb_sa_exttype = SADB_X_EXT_SA2;
-	sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
-	sa->sadb_sa_spi = spi;
-	sa->sadb_sa_state = SADB_SASTATE_MATURE;
-	PFKEY_EXT_ADD(msg, sa);
-
-	add_addr_ext(msg, dst, SADB_X_EXT_ADDRESS_DST2);
-
-	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
-	{
-		DBG1(DBG_KNL, "unable to group SAs with SPI %.8x", ntohl(spi));
-		return FAILED;
-	}
-	else if (out->sadb_msg_errno)
-	{
-		DBG1(DBG_KNL, "unable to group SAs with SPI %.8x: %s (%d)",
-				ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
-		free(out);
-		return FAILED;
-	}
-
-	free(out);
-	return SUCCESS;
-}
-
-/**
- * Implementation of kernel_interface_t.add_sa.
- */
-static status_t add_sa(private_kernel_klips_ipsec_t *this,
-					   host_t *src, host_t *dst, u_int32_t spi,
-					   protocol_id_t protocol, u_int32_t reqid,
-					   lifetime_cfg_t *lifetime,
-					   u_int16_t enc_alg, chunk_t enc_key,
-					   u_int16_t int_alg, chunk_t int_key,
-					   ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
-					   bool encap, bool inbound, traffic_selector_t *src_ts,
-					   traffic_selector_t *dst_ts)
-{
-	unsigned char request[PFKEY_BUFFER_SIZE];
-	struct sadb_msg *msg, *out;
-	struct sadb_sa *sa;
-	struct sadb_key *key;
-	size_t len;
-
-	if (inbound)
-	{
-		/* for inbound SAs we allocated an SPI via get_spi, so we first check
-		 * whether that SPI has already expired (race condition) */
-		sa_entry_t *alloc_spi;
-		this->mutex->lock(this->mutex);
-		if (this->allocated_spis->find_first(this->allocated_spis,
-				(linked_list_match_t)sa_entry_match_byid, (void**)&alloc_spi,
-					&protocol, &spi, &reqid) != SUCCESS)
-		{
-			this->mutex->unlock(this->mutex);
-			DBG1(DBG_KNL, "allocated SPI %.8x has already expired", ntohl(spi));
-			return FAILED;
-		}
-		else
-		{
-			this->allocated_spis->remove(this->allocated_spis, alloc_spi, NULL);
-			sa_entry_destroy(alloc_spi);
-		}
-		this->mutex->unlock(this->mutex);
-	}
-
-	memset(&request, 0, sizeof(request));
-
-	DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%d}", ntohl(spi), reqid);
-
-	msg = (struct sadb_msg*)request;
-	msg->sadb_msg_version = PF_KEY_V2;
-	msg->sadb_msg_type = SADB_ADD;
-	msg->sadb_msg_satype = proto_ike2satype(protocol);
-	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
-
-	sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
-	sa->sadb_sa_exttype = SADB_EXT_SA;
-	sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
-	sa->sadb_sa_spi = spi;
-	sa->sadb_sa_state = SADB_SASTATE_MATURE;
-	sa->sadb_sa_replay = (protocol == IPPROTO_COMP) ? 0 : 32;
-	sa->sadb_sa_auth = lookup_algorithm(integrity_algs, int_alg);
-	sa->sadb_sa_encrypt = lookup_algorithm(encryption_algs, enc_alg);
-	PFKEY_EXT_ADD(msg, sa);
-
-	add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC);
-	add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST);
-
-	if (enc_alg != ENCR_UNDEFINED)
-	{
-		if (!sa->sadb_sa_encrypt)
-		{
-			DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
-				 encryption_algorithm_names, enc_alg);
-			return FAILED;
-		}
-		DBG2(DBG_KNL, "  using encryption algorithm %N with key size %d",
-			 encryption_algorithm_names, enc_alg, enc_key.len * 8);
-
-		key = (struct sadb_key*)PFKEY_EXT_ADD_NEXT(msg);
-		key->sadb_key_exttype = SADB_EXT_KEY_ENCRYPT;
-		key->sadb_key_bits = enc_key.len * 8;
-		key->sadb_key_len = PFKEY_LEN(sizeof(struct sadb_key) + enc_key.len);
-		memcpy(key + 1, enc_key.ptr, enc_key.len);
-
-		PFKEY_EXT_ADD(msg, key);
-	}
-
-	if (int_alg != AUTH_UNDEFINED)
-	{
-		if (!sa->sadb_sa_auth)
-		{
-			DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
-					 integrity_algorithm_names, int_alg);
-			return FAILED;
-		}
-		DBG2(DBG_KNL, "  using integrity algorithm %N with key size %d",
-			 integrity_algorithm_names, int_alg, int_key.len * 8);
-
-		key = (struct sadb_key*)PFKEY_EXT_ADD_NEXT(msg);
-		key->sadb_key_exttype = SADB_EXT_KEY_AUTH;
-		key->sadb_key_bits = int_key.len * 8;
-		key->sadb_key_len = PFKEY_LEN(sizeof(struct sadb_key) + int_key.len);
-		memcpy(key + 1, int_key.ptr, int_key.len);
-
-		PFKEY_EXT_ADD(msg, key);
-	}
-
-	if (ipcomp != IPCOMP_NONE)
-	{
-		/*TODO*/
-	}
-
-	if (encap)
-	{
-		add_encap_ext(msg, src, dst, FALSE);
-	}
-
-	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
-	{
-		DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x", ntohl(spi));
-		return FAILED;
-	}
-	else if (out->sadb_msg_errno)
-	{
-		DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x: %s (%d)",
-				ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
-		free(out);
-		return FAILED;
-	}
-	free(out);
-
-	/* for tunnel mode SAs we have to install an additional IPIP SA and
-	 * group the two SAs together */
-	if (mode == MODE_TUNNEL)
-	{
-		if (add_ipip_sa(this, src, dst, spi, reqid) != SUCCESS ||
-			group_ipip_sa(this, src, dst, spi, protocol, reqid) != SUCCESS)
-		{
-			DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x", ntohl(spi));
-			return FAILED;
-		}
-	}
-
-	this->mutex->lock(this->mutex);
-	/* we cache this SA for two reasons:
-	 * - in case an SADB_X_NAT_T_MAPPING_NEW event occurs (we need to find the reqid then)
-	 * - to decide if an expired SA is still installed */
-	this->installed_sas->insert_last(this->installed_sas,
-				create_sa_entry(protocol, spi, reqid, src, dst, encap, inbound));
-	this->mutex->unlock(this->mutex);
-
-	/* Although KLIPS supports SADB_EXT_LIFETIME_SOFT/HARD, we handle the lifetime
-	 * of SAs manually in the plugin. Refer to the comments in receive_events()
-	 * for details. */
-	if (lifetime->time.rekey)
-	{
-		schedule_expire(this, protocol, spi, reqid, EXPIRE_TYPE_SOFT, lifetime->time.rekey);
-	}
-
-	if (lifetime->time.life)
-	{
-		schedule_expire(this, protocol, spi, reqid, EXPIRE_TYPE_HARD, lifetime->time.life);
-	}
-
-	return SUCCESS;
-}
-
-/**
- * Implementation of kernel_interface_t.update_sa.
- */
-static status_t update_sa(private_kernel_klips_ipsec_t *this,
-						  u_int32_t spi, protocol_id_t protocol, u_int16_t cpi,
-						  host_t *src, host_t *dst,
-						  host_t *new_src, host_t *new_dst,
-						  bool encap, bool new_encap)
-{
-	unsigned char request[PFKEY_BUFFER_SIZE];
-	struct sadb_msg *msg, *out;
-	struct sadb_sa *sa;
-	size_t len;
-
-	/* we can't update the SA if any of the ip addresses have changed.
-	 * that's because we can't use SADB_UPDATE and by deleting and readding the
-	 * SA the sequence numbers would get lost */
-	if (!src->ip_equals(src, new_src) ||
-		!dst->ip_equals(dst, new_dst))
-	{
-		DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x: address changes"
-				" are not supported", ntohl(spi));
-		return NOT_SUPPORTED;
-	}
-
-	/* because KLIPS does not allow us to change the NAT-T type in an SADB_UPDATE,
-	 * we can't update the SA if the encap flag has changed since installing it */
-	if (encap != new_encap)
-	{
-		DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x: change of UDP"
-				" encapsulation is not supported", ntohl(spi));
-		return NOT_SUPPORTED;
-	}
-
-	DBG2(DBG_KNL, "updating SAD entry with SPI %.8x from %#H..%#H to %#H..%#H",
-		 ntohl(spi), src, dst, new_src, new_dst);
-
-	memset(&request, 0, sizeof(request));
-
-	msg = (struct sadb_msg*)request;
-	msg->sadb_msg_version = PF_KEY_V2;
-	msg->sadb_msg_type = SADB_UPDATE;
-	msg->sadb_msg_satype = proto_ike2satype(protocol);
-	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
-
-	sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
-	sa->sadb_sa_exttype = SADB_EXT_SA;
-	sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
-	sa->sadb_sa_spi = spi;
-	sa->sadb_sa_encrypt = SADB_EALG_AESCBC; /* ignored */
-	sa->sadb_sa_auth = SADB_AALG_SHA1HMAC; /* ignored */
-	sa->sadb_sa_state = SADB_SASTATE_MATURE;
-	PFKEY_EXT_ADD(msg, sa);
-
-	add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC);
-	add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST);
-
-	add_encap_ext(msg, new_src, new_dst, TRUE);
-
-	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
-	{
-		DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi));
-		return FAILED;
-	}
-	else if (out->sadb_msg_errno)
-	{
-		DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x: %s (%d)",
-				ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
-		free(out);
-		return FAILED;
-	}
-	free(out);
-
-	return SUCCESS;
-}
-
-/**
- * Implementation of kernel_interface_t.query_sa.
- */
-static status_t query_sa(private_kernel_klips_ipsec_t *this, host_t *src,
-						 host_t *dst, u_int32_t spi, protocol_id_t protocol,
-						 u_int64_t *bytes)
-{
-	return NOT_SUPPORTED;  /* TODO */
-}
-
-/**
- * Implementation of kernel_interface_t.del_sa.
- */
-static status_t del_sa(private_kernel_klips_ipsec_t *this, host_t *src,
-					   host_t *dst, u_int32_t spi, protocol_id_t protocol,
-					   u_int16_t cpi)
-{
-	unsigned char request[PFKEY_BUFFER_SIZE];
-	struct sadb_msg *msg, *out;
-	struct sadb_sa *sa;
-	sa_entry_t *cached_sa;
-	size_t len;
-
-	memset(&request, 0, sizeof(request));
-
-	/* all grouped SAs are automatically deleted by KLIPS as soon as
-	 * one of them is deleted, therefore we delete only the main one */
-	DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x", ntohl(spi));
-
-	this->mutex->lock(this->mutex);
-	/* this should not fail, but we don't care if it does, let the kernel decide
-	 * whether this SA exists or not */
-	if (this->installed_sas->find_first(this->installed_sas,
-			(linked_list_match_t)sa_entry_match_bydst, (void**)&cached_sa,
-			&protocol, &spi, dst) == SUCCESS)
-	{
-		this->installed_sas->remove(this->installed_sas, cached_sa, NULL);
-		sa_entry_destroy(cached_sa);
-	}
-	this->mutex->unlock(this->mutex);
-
-	msg = (struct sadb_msg*)request;
-	msg->sadb_msg_version = PF_KEY_V2;
-	msg->sadb_msg_type = SADB_DELETE;
-	msg->sadb_msg_satype = proto_ike2satype(protocol);
-	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
-
-	sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
-	sa->sadb_sa_exttype = SADB_EXT_SA;
-	sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
-	sa->sadb_sa_spi = spi;
-	PFKEY_EXT_ADD(msg, sa);
-
-	/* the kernel wants an SADB_EXT_ADDRESS_SRC to be present even though
-	 * it is not used for anything. */
-	add_anyaddr_ext(msg, dst->get_family(dst), SADB_EXT_ADDRESS_SRC);
-	add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST);
-
-	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
-	{
-		DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x", ntohl(spi));
-		return FAILED;
-	}
-	else if (out->sadb_msg_errno)
-	{
-		DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x: %s (%d)",
-				ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
-		free(out);
-		return FAILED;
-	}
-
-	DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x", ntohl(spi));
-	free(out);
-	return SUCCESS;
-}
-
-/**
- * Implementation of kernel_interface_t.add_policy.
- */
-static status_t add_policy(private_kernel_klips_ipsec_t *this,
-						   host_t *src, host_t *dst,
-						   traffic_selector_t *src_ts,
-						   traffic_selector_t *dst_ts,
-						   policy_dir_t direction, u_int32_t spi,
-						   protocol_id_t protocol, u_int32_t reqid,
-						   ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
-						   bool routed)
-{
-	unsigned char request[PFKEY_BUFFER_SIZE];
-	struct sadb_msg *msg, *out;
-	policy_entry_t *policy, *found = NULL;
-	u_int8_t satype;
-	size_t len;
-
-	if (direction == POLICY_FWD)
-	{
-		/* no forward policies for KLIPS */
-		return SUCCESS;
-	}
-
-	/* tunnel mode policies direct the packets into the pseudo IPIP SA */
-	satype = (mode == MODE_TUNNEL) ? SADB_X_SATYPE_IPIP :
-									 proto_ike2satype(protocol);
-
-	/* create a policy */
-	policy = create_policy_entry(src_ts, dst_ts, direction);
-
-	/* find a matching policy */
-	this->mutex->lock(this->mutex);
-	if (this->policies->find_first(this->policies,
-			(linked_list_match_t)policy_entry_equals, (void**)&found, policy) == SUCCESS)
-	{
-		/* use existing policy */
-		DBG2(DBG_KNL, "policy %R === %R %N already exists, increasing"
-					  " refcount", src_ts, dst_ts,
-					   policy_dir_names, direction);
-		policy_entry_destroy(policy);
-		policy = found;
-	}
-	else
-	{
-		/* apply the new one, if we have no such policy */
-		this->policies->insert_last(this->policies, policy);
-	}
-
-	if (routed)
-	{
-		/* we install this as a %trap eroute in the kernel, later to be
-		 * triggered by packets matching the policy (-> ACQUIRE). */
-		spi = htonl(SPI_TRAP);
-		satype = SADB_X_SATYPE_INT;
-
-		/* the reqid is always set to the latest child SA that trapped this
-		 * policy. we will need this reqid upon receiving an acquire. */
-		policy->reqid = reqid;
-
-		/* increase the trap counter */
-		policy->trapcount++;
-
-		if (policy->activecount)
-		{
-			/* we do not replace the current policy in the kernel while a
-			 * policy is actively used */
-			this->mutex->unlock(this->mutex);
-			return SUCCESS;
-		}
-	}
-	else
-	{
-		/* increase the reference counter */
-		policy->activecount++;
-	}
-
-	DBG2(DBG_KNL, "adding policy %R === %R %N", src_ts, dst_ts,
-				   policy_dir_names, direction);
-
-	memset(&request, 0, sizeof(request));
-
-	msg = (struct sadb_msg*)request;
-
-	/* FIXME: SADB_X_SAFLAGS_INFLOW may be required, if we add an inbound policy for an IPIP SA */
-	build_addflow(msg, satype, spi, routed ? NULL : src, routed ? NULL : dst,
-			policy->src.net, policy->src.mask, policy->dst.net, policy->dst.mask,
-			policy->src.proto, found != NULL);
-
-	this->mutex->unlock(this->mutex);
-
-	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
-	{
-		DBG1(DBG_KNL, "unable to add policy %R === %R %N", src_ts, dst_ts,
-					   policy_dir_names, direction);
-		return FAILED;
-	}
-	else if (out->sadb_msg_errno)
-	{
-		DBG1(DBG_KNL, "unable to add policy %R === %R %N: %s (%d)", src_ts, dst_ts,
-					   policy_dir_names, direction,
-					   strerror(out->sadb_msg_errno), out->sadb_msg_errno);
-		free(out);
-		return FAILED;
-	}
-	free(out);
-
-	this->mutex->lock(this->mutex);
-
-	/* we try to find the policy again and install the route if needed */
-	if (this->policies->find_last(this->policies, NULL, (void**)&policy) != SUCCESS)
-	{
-		this->mutex->unlock(this->mutex);
-		DBG2(DBG_KNL, "the policy %R === %R %N is already gone, ignoring",
-				src_ts, dst_ts, policy_dir_names, direction);
-		return SUCCESS;
-	}
-
-	/* KLIPS requires a special route that directs traffic that matches this
-	 * policy to one of the virtual ipsec interfaces. The virtual interface
-	 * has to be attached to the physical one the traffic runs over.
-	 * This is a special case of the source route we install in other kernel
-	 * interfaces.
-	 * In the following cases we do NOT install a source route (but just a
-	 * regular route):
-	 * - we are not in tunnel mode
-	 * - we are using IPv6 (does not work correctly yet!)
-	 * - routing is disabled via strongswan.conf
-	 */
-	if (policy->route == NULL && direction == POLICY_OUT)
-	{
-		char *iface;
-		ipsec_dev_t *dev;
-		route_entry_t *route = malloc_thing(route_entry_t);
-		route->src_ip = NULL;
-
-		if (mode != MODE_TRANSPORT && src->get_family(src) != AF_INET6 &&
-			this->install_routes)
-		{
-			charon->kernel_interface->get_address_by_ts(charon->kernel_interface,
-						src_ts, &route->src_ip);
-		}
-
-		if (!route->src_ip)
-		{
-			route->src_ip = host_create_any(src->get_family(src));
-		}
-
-		/* find the virtual interface */
-		iface = charon->kernel_interface->get_interface(charon->kernel_interface,
-														src);
-		if (find_ipsec_dev(this, iface, &dev) == SUCCESS)
-		{
-			/* above, we got either the name of a virtual or a physical
-			 * interface. for both cases it means we already have the devices
-			 * properly attached (assuming that we are exclusively attaching
-			 * ipsec devices). */
-			dev->refcount++;
-		}
-		else
-		{
-			/* there is no record of a mapping with the returned interface.
-			 * thus, we attach the first free virtual interface we find to
-			 * it. As above we assume we are the only client fiddling with
-			 * ipsec devices. */
-			if (this->ipsec_devices->find_first(this->ipsec_devices,
-					(linked_list_match_t)ipsec_dev_match_free,
-						(void**)&dev) == SUCCESS)
-			{
-				if (attach_ipsec_dev(dev->name, iface) == SUCCESS)
-				{
-					strncpy(dev->phys_name, iface, IFNAMSIZ);
-					dev->refcount = 1;
-				}
-				else
-				{
-					DBG1(DBG_KNL, "failed to attach virtual interface %s"
-							" to %s", dev->name, iface);
-					this->mutex->unlock(this->mutex);
-					free(iface);
-					return FAILED;
-				}
-			}
-			else
-			{
-				this->mutex->unlock(this->mutex);
-				DBG1(DBG_KNL, "failed to attach a virtual interface to %s: no"
-						" virtual interfaces left", iface);
-				free(iface);
-				return FAILED;
-			}
-		}
-		free(iface);
-		route->if_name = strdup(dev->name);
-
-		/* get the nexthop to dst */
-		route->gateway = charon->kernel_interface->get_nexthop(
-										charon->kernel_interface, dst);
-		route->dst_net = chunk_clone(policy->dst.net->get_address(policy->dst.net));
-		route->prefixlen = policy->dst.mask;
-
-		switch (charon->kernel_interface->add_route(charon->kernel_interface,
-				route->dst_net, route->prefixlen, route->gateway,
-				route->src_ip, route->if_name))
-		{
-			default:
-				DBG1(DBG_KNL, "unable to install route for policy %R === %R",
-					 src_ts, dst_ts);
-				/* FALL */
-			case ALREADY_DONE:
-				/* route exists, do not uninstall */
-				route_entry_destroy(route);
-				break;
-			case SUCCESS:
-				/* cache the installed route */
-				policy->route = route;
-				break;
-		}
-	}
-
-	this->mutex->unlock(this->mutex);
-
-	return SUCCESS;
-}
-
-/**
- * Implementation of kernel_interface_t.query_policy.
- */
-static status_t query_policy(private_kernel_klips_ipsec_t *this,
-							 traffic_selector_t *src_ts,
-							 traffic_selector_t *dst_ts,
-							 policy_dir_t direction, u_int32_t *use_time)
-{
-	#define IDLE_PREFIX "idle="
-	static const char *path_eroute = "/proc/net/ipsec_eroute";
-	static const char *path_spi = "/proc/net/ipsec_spi";
-	FILE *file;
-	char line[1024], src[INET6_ADDRSTRLEN + 9], dst[INET6_ADDRSTRLEN + 9];
-	char *said = NULL, *pos;
-	policy_entry_t *policy, *found = NULL;
-	status_t status = FAILED;
-
-	if (direction == POLICY_FWD)
-	{
-		/* we do not install forward policies */
-		return FAILED;
-	}
-
-	DBG2(DBG_KNL, "querying policy %R === %R %N", src_ts, dst_ts,
-				   policy_dir_names, direction);
-
-	/* create a policy */
-	policy = create_policy_entry(src_ts, dst_ts, direction);
-
-	/* find a matching policy */
-	this->mutex->lock(this->mutex);
-	if (this->policies->find_first(this->policies,
-			(linked_list_match_t)policy_entry_equals, (void**)&found, policy) != SUCCESS)
-	{
-		this->mutex->unlock(this->mutex);
-		DBG1(DBG_KNL, "querying policy %R === %R %N failed, not found", src_ts,
-					   dst_ts, policy_dir_names, direction);
-		policy_entry_destroy(policy);
-		return NOT_FOUND;
-	}
-	policy_entry_destroy(policy);
-	policy = found;
-
-	/* src and dst selectors in KLIPS are of the form NET_ADDR/NETBITS:PROTO */
-	snprintf(src, sizeof(src), "%H/%d:%d", policy->src.net, policy->src.mask,
-			policy->src.proto);
-	src[sizeof(src) - 1] = '\0';
-	snprintf(dst, sizeof(dst), "%H/%d:%d", policy->dst.net, policy->dst.mask,
-			policy->dst.proto);
-	dst[sizeof(dst) - 1] = '\0';
-
-	this->mutex->unlock(this->mutex);
-
-	/* we try to find the matching eroute first */
-	file = fopen(path_eroute, "r");
-	if (file == NULL)
-	{
-		DBG1(DBG_KNL, "unable to query policy %R === %R %N: %s (%d)", src_ts,
-				dst_ts, policy_dir_names, direction, strerror(errno), errno);
-		return FAILED;
-	}
-
-	/* read line by line where each line looks like:
-	 * packets  src  ->  dst  =>  said */
-	while (fgets(line, sizeof(line), file))
-	{
-		enumerator_t *enumerator;
-		char *token;
-		int i = 0;
-
-		enumerator = enumerator_create_token(line, " \t", " \t\n");
-		while (enumerator->enumerate(enumerator, &token))
-		{
-			switch (i++)
-			{
-				case 0: /* packets */
-					continue;
-				case 1: /* src */
-					if (streq(token, src))
-					{
-						continue;
-					}
-					break;
-				case 2: /* -> */
-					continue;
-				case 3: /* dst */
-					if (streq(token, dst))
-					{
-						continue;
-					}
-					break;
-				case 4: /* => */
-					continue;
-				case 5: /* said */
-					said = strdup(token);
-					break;
-			}
-			break;
-		}
-		enumerator->destroy(enumerator);
-
-		if (i == 5)
-		{
-			/* eroute matched */
-			break;
-		}
-	}
-	fclose(file);
-
-	if (said == NULL)
-	{
-		DBG1(DBG_KNL, "unable to query policy %R === %R %N: found no matching"
-				" eroute", src_ts, dst_ts, policy_dir_names, direction);
-		return FAILED;
-	}
-
-	/* compared with the one in the spi entry the SA ID from the eroute entry
-	 * has an additional ":PROTO" appended, which we need to cut off */
-	pos = strrchr(said, ':');
-	*pos = '\0';
-
-	/* now we try to find the matching spi entry */
-	file = fopen(path_spi, "r");
-	if (file == NULL)
-	{
-		DBG1(DBG_KNL, "unable to query policy %R === %R %N: %s (%d)", src_ts,
-				dst_ts, policy_dir_names, direction, strerror(errno), errno);
-		return FAILED;
-	}
-
-	while (fgets(line, sizeof(line), file))
-	{
-		if (strneq(line, said, strlen(said)))
-		{
-			/* fine we found the correct line, now find the idle time */
-			u_int32_t idle_time;
-			pos = strstr(line, IDLE_PREFIX);
-			if (pos == NULL)
-			{
-				/* no idle time, i.e. this SA has not been used yet */
-				break;
-			}
-			if (sscanf(pos, IDLE_PREFIX"%u", &idle_time) <= 0)
-			{
-				/* idle time not valid */
-				break;
-			}
-
-			*use_time = time_monotonic(NULL) - idle_time;
-			status = SUCCESS;
-			break;
-		}
-	}
-	fclose(file);
-	free(said);
-
-	return status;
-}
-
-/**
- * Implementation of kernel_interface_t.del_policy.
- */
-static status_t del_policy(private_kernel_klips_ipsec_t *this,
-						   traffic_selector_t *src_ts,
-						   traffic_selector_t *dst_ts,
-						   policy_dir_t direction, bool unrouted)
-{
-	unsigned char request[PFKEY_BUFFER_SIZE];
-	struct sadb_msg *msg = (struct sadb_msg*)request, *out;
-	policy_entry_t *policy, *found = NULL;
-	route_entry_t *route;
-	size_t len;
-
-	if (direction == POLICY_FWD)
-	{
-		/* no forward policies for KLIPS */
-		return SUCCESS;
-	}
-
-	DBG2(DBG_KNL, "deleting policy %R === %R %N", src_ts, dst_ts,
-				   policy_dir_names, direction);
-
-	/* create a policy */
-	policy = create_policy_entry(src_ts, dst_ts, direction);
-
-	/* find a matching policy */
-	this->mutex->lock(this->mutex);
-	if (this->policies->find_first(this->policies,
-			(linked_list_match_t)policy_entry_equals, (void**)&found, policy) != SUCCESS)
-	{
-		this->mutex->unlock(this->mutex);
-		DBG1(DBG_KNL, "deleting policy %R === %R %N failed, not found", src_ts,
-					   dst_ts, policy_dir_names, direction);
-		policy_entry_destroy(policy);
-		return NOT_FOUND;
-	}
-	policy_entry_destroy(policy);
-
-	/* decrease appropriate counter */
-	unrouted ? found->trapcount-- : found->activecount--;
-
-	if (found->trapcount == 0)
-	{
-		/* if this policy is finally unrouted, we reset the reqid because it
-		 * may still be actively used and there might be a pending acquire for
-		 * this policy. */
-		found->reqid = 0;
-	}
-
-	if (found->activecount > 0)
-	{
-		/* is still used by SAs, keep in kernel */
-		this->mutex->unlock(this->mutex);
-		DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed");
-		return SUCCESS;
-	}
-	else if (found->activecount == 0 && found->trapcount > 0)
-	{
-		/* for a policy that is not used actively anymore, but is still trapped
-		 * by another child SA we replace the current eroute with a %trap eroute */
-		DBG2(DBG_KNL, "policy still routed by another CHILD_SA, not removed");
-		memset(&request, 0, sizeof(request));
-		build_addflow(msg, SADB_X_SATYPE_INT, htonl(SPI_TRAP), NULL, NULL,
-				found->src.net, found->src.mask, found->dst.net,
-				found->dst.mask, found->src.proto, TRUE);
-		this->mutex->unlock(this->mutex);
-		return pfkey_send_ack(this, msg);
-	}
-
-	/* remove if last reference */
-	this->policies->remove(this->policies, found, NULL);
-	policy = found;
-
-	this->mutex->unlock(this->mutex);
-
-	memset(&request, 0, sizeof(request));
-
-	build_delflow(msg, 0, policy->src.net, policy->src.mask, policy->dst.net,
-			policy->dst.mask, policy->src.proto);
-
-	route = policy->route;
-	policy->route = NULL;
-	policy_entry_destroy(policy);
-
-	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
-	{
-		DBG1(DBG_KNL, "unable to delete policy %R === %R %N", src_ts, dst_ts,
-					   policy_dir_names, direction);
-		return FAILED;
-	}
-	else if (out->sadb_msg_errno)
-	{
-		DBG1(DBG_KNL, "unable to delete policy %R === %R %N: %s (%d)", src_ts,
-					   dst_ts, policy_dir_names, direction,
-					   strerror(out->sadb_msg_errno), out->sadb_msg_errno);
-		free(out);
-		return FAILED;
-	}
-	free(out);
-
-	if (route)
-	{
-		ipsec_dev_t *dev;
-
-		if (charon->kernel_interface->del_route(charon->kernel_interface,
-				route->dst_net, route->prefixlen, route->gateway,
-				route->src_ip, route->if_name) != SUCCESS)
-		{
-			DBG1(DBG_KNL, "error uninstalling route installed with"
-						  " policy %R === %R %N", src_ts, dst_ts,
-						   policy_dir_names, direction);
-		}
-
-		/* we have to detach the ipsec interface from the physical one over which
-		 * this SA ran (if it is not used by any other) */
-		this->mutex->lock(this->mutex);
-
-		if (find_ipsec_dev(this, route->if_name, &dev) == SUCCESS)
-		{
-			/* fine, we found a matching device object, let's check if we have
-			 * to detach it. */
-			if (--dev->refcount == 0)
-			{
-				if (detach_ipsec_dev(dev->name, dev->phys_name) != SUCCESS)
-				{
-					DBG1(DBG_KNL, "failed to detach virtual interface %s"
-							" from %s", dev->name, dev->phys_name);
-				}
-				dev->phys_name[0] = '\0';
-			}
-		}
-
-		this->mutex->unlock(this->mutex);
-
-		route_entry_destroy(route);
-	}
-
-	return SUCCESS;
-}
-
-/**
- * Initialize the list of ipsec devices
- */
-static void init_ipsec_devices(private_kernel_klips_ipsec_t *this)
-{
-	int i, count = lib->settings->get_int(lib->settings,
-						"charon.plugins.kernel-klips.ipsec_dev_count",
-						DEFAULT_IPSEC_DEV_COUNT);
-
-	for (i = 0; i < count; ++i)
-	{
-		ipsec_dev_t *dev = malloc_thing(ipsec_dev_t);
-		snprintf(dev->name, IFNAMSIZ, IPSEC_DEV_PREFIX"%d", i);
-		dev->name[IFNAMSIZ - 1] = '\0';
-		dev->phys_name[0] = '\0';
-		dev->refcount = 0;
-		this->ipsec_devices->insert_last(this->ipsec_devices, dev);
-
-		/* detach any previously attached ipsec device */
-		detach_ipsec_dev(dev->name, dev->phys_name);
-	}
-}
-
-/**
- * Register a socket for AQUIRE/EXPIRE messages
- */
-static status_t register_pfkey_socket(private_kernel_klips_ipsec_t *this, u_int8_t satype)
-{
-	unsigned char request[PFKEY_BUFFER_SIZE];
-	struct sadb_msg *msg, *out;
-	size_t len;
-
-	memset(&request, 0, sizeof(request));
-
-	msg = (struct sadb_msg*)request;
-	msg->sadb_msg_version = PF_KEY_V2;
-	msg->sadb_msg_type = SADB_REGISTER;
-	msg->sadb_msg_satype = satype;
-	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
-
-	if (pfkey_send_socket(this, this->socket_events, msg, &out, &len) != SUCCESS)
-	{
-		DBG1(DBG_KNL, "unable to register PF_KEY socket");
-		return FAILED;
-	}
-	else if (out->sadb_msg_errno)
-	{
-		DBG1(DBG_KNL, "unable to register PF_KEY socket: %s (%d)",
-					   strerror(out->sadb_msg_errno), out->sadb_msg_errno);
-		free(out);
-		return FAILED;
-	}
-	free(out);
-	return SUCCESS;
-}
-
-/**
- * Implementation of kernel_interface_t.destroy.
- */
-static void destroy(private_kernel_klips_ipsec_t *this)
-{
-	this->job->cancel(this->job);
-	close(this->socket);
-	close(this->socket_events);
-	this->mutex_pfkey->destroy(this->mutex_pfkey);
-	this->mutex->destroy(this->mutex);
-	this->ipsec_devices->destroy_function(this->ipsec_devices, (void*)ipsec_dev_destroy);
-	this->installed_sas->destroy_function(this->installed_sas, (void*)sa_entry_destroy);
-	this->allocated_spis->destroy_function(this->allocated_spis, (void*)sa_entry_destroy);
-	this->policies->destroy_function(this->policies, (void*)policy_entry_destroy);
-	free(this);
-}
-
-/*
- * Described in header.
- */
-kernel_klips_ipsec_t *kernel_klips_ipsec_create()
-{
-	private_kernel_klips_ipsec_t *this = malloc_thing(private_kernel_klips_ipsec_t);
-
-	/* public functions */
-	this->public.interface.get_spi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,protocol_id_t,u_int32_t,u_int32_t*))get_spi;
-	this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
-	this->public.interface.add_sa  = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,lifetime_cfg_t*,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool,traffic_selector_t*,traffic_selector_t*))add_sa;
-	this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa;
-	this->public.interface.query_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int64_t*))query_sa;
-	this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
-	this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t,protocol_id_t,u_int32_t,ipsec_mode_t,u_int16_t,u_int16_t,bool))add_policy;
-	this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
-	this->public.interface.del_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,bool))del_policy;
-
-	this->public.interface.destroy = (void(*)(kernel_ipsec_t*)) destroy;
-
-	/* private members */
-	this->policies = linked_list_create();
-	this->allocated_spis = linked_list_create();
-	this->installed_sas = linked_list_create();
-	this->ipsec_devices = linked_list_create();
-	this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
-	this->mutex_pfkey = mutex_create(MUTEX_TYPE_DEFAULT);
-	this->install_routes = lib->settings->get_bool(lib->settings, "charon.install_routes", TRUE);
-	this->seq = 0;
-
-	/* initialize ipsec devices */
-	init_ipsec_devices(this);
-
-	/* create a PF_KEY socket to communicate with the kernel */
-	this->socket = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
-	if (this->socket <= 0)
-	{
-		charon->kill(charon, "unable to create PF_KEY socket");
-	}
-
-	/* create a PF_KEY socket for ACQUIRE & EXPIRE */
-	this->socket_events = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
-	if (this->socket_events <= 0)
-	{
-		charon->kill(charon, "unable to create PF_KEY event socket");
-	}
-
-	/* register the event socket */
-	if (register_pfkey_socket(this, SADB_SATYPE_ESP) != SUCCESS ||
-		register_pfkey_socket(this, SADB_SATYPE_AH) != SUCCESS)
-	{
-		charon->kill(charon, "unable to register PF_KEY event socket");
-	}
-
-	this->job = callback_job_create((callback_job_cb_t)receive_events,
-									this, NULL, NULL);
-	charon->processor->queue_job(charon->processor, (job_t*)this->job);
-
-	return &this->public;
-}
diff --git a/src/charon/plugins/kernel_klips/kernel_klips_ipsec.h b/src/charon/plugins/kernel_klips/kernel_klips_ipsec.h
deleted file mode 100644
index 306ec0ada..000000000
--- a/src/charon/plugins/kernel_klips/kernel_klips_ipsec.h
+++ /dev/null
@@ -1,46 +0,0 @@
-/*
- * Copyright (C) 2008 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup kernel_klips_ipsec_i kernel_klips_ipsec
- * @{ @ingroup kernel_klips
- */
-
-#ifndef KERNEL_KLIPS_IPSEC_H_
-#define KERNEL_KLIPS_IPSEC_H_
-
-#include <kernel/kernel_ipsec.h>
-
-typedef struct kernel_klips_ipsec_t kernel_klips_ipsec_t;
-
-/**
- * Implementation of the kernel ipsec interface using PF_KEY.
- */
-struct kernel_klips_ipsec_t {
-
-	/**
-	 * Implements kernel_ipsec_t interface
-	 */
-	kernel_ipsec_t interface;
-};
-
-/**
- * Create a PF_KEY kernel ipsec interface instance.
- *
- * @return			kernel_klips_ipsec_t instance
- */
-kernel_klips_ipsec_t *kernel_klips_ipsec_create();
-
-#endif /** KERNEL_KLIPS_IPSEC_H_ @}*/
diff --git a/src/charon/plugins/kernel_klips/kernel_klips_plugin.c b/src/charon/plugins/kernel_klips/kernel_klips_plugin.c
deleted file mode 100644
index b0117c10c..000000000
--- a/src/charon/plugins/kernel_klips/kernel_klips_plugin.c
+++ /dev/null
@@ -1,56 +0,0 @@
-/*
- * Copyright (C) 2008 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-
-#include "kernel_klips_plugin.h"
-
-#include "kernel_klips_ipsec.h"
-
-#include <daemon.h>
-
-typedef struct private_kernel_klips_plugin_t private_kernel_klips_plugin_t;
-
-/**
- * private data of kernel PF_KEY plugin
- */
-struct private_kernel_klips_plugin_t {
-	/**
-	 * implements plugin interface
-	 */
-	kernel_klips_plugin_t public;
-};
-
-/**
- * Implementation of plugin_t.destroy
- */
-static void destroy(private_kernel_klips_plugin_t *this)
-{
-	charon->kernel_interface->remove_ipsec_interface(charon->kernel_interface, (kernel_ipsec_constructor_t)kernel_klips_ipsec_create);
-	free(this);
-}
-
-/*
- * see header file
- */
-plugin_t *plugin_create()
-{
-	private_kernel_klips_plugin_t *this = malloc_thing(private_kernel_klips_plugin_t);
-
-	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-
-	charon->kernel_interface->add_ipsec_interface(charon->kernel_interface, (kernel_ipsec_constructor_t)kernel_klips_ipsec_create);
-
-	return &this->public.plugin;
-}
diff --git a/src/charon/plugins/kernel_klips/kernel_klips_plugin.h b/src/charon/plugins/kernel_klips/kernel_klips_plugin.h
deleted file mode 100644
index 123550bf5..000000000
--- a/src/charon/plugins/kernel_klips/kernel_klips_plugin.h
+++ /dev/null
@@ -1,47 +0,0 @@
-/*
- * Copyright (C) 2008 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup kernel_klips kernel_klips
- * @ingroup cplugins
- *
- * @defgroup kernel_klips_plugin kernel_klips_plugin
- * @{ @ingroup kernel_klips
- */
-
-#ifndef KERNEL_KLIPS_PLUGIN_H_
-#define KERNEL_KLIPS_PLUGIN_H_
-
-#include <plugins/plugin.h>
-
-typedef struct kernel_klips_plugin_t kernel_klips_plugin_t;
-
-/**
- * PF_KEY kernel interface plugin
- */
-struct kernel_klips_plugin_t {
-
-	/**
-	 * implements plugin interface
-	 */
-	plugin_t plugin;
-};
-
-/**
- * Create a kernel_klips_plugin instance.
- */
-plugin_t *plugin_create();
-
-#endif /** KERNEL_KLIPS_PLUGIN_H_ @}*/
diff --git a/src/charon/plugins/kernel_klips/pfkeyv2.h b/src/charon/plugins/kernel_klips/pfkeyv2.h
deleted file mode 100644
index 20d1c298d..000000000
--- a/src/charon/plugins/kernel_klips/pfkeyv2.h
+++ /dev/null
@@ -1,322 +0,0 @@
-/*
-RFC 2367               PF_KEY Key Management API               July 1998
-
-
-Appendix D: Sample Header File
-
-This file defines structures and symbols for the PF_KEY Version 2
-key management interface. It was written at the U.S. Naval Research
-Laboratory. This file is in the public domain. The authors ask that
-you leave this credit intact on any copies of this file.
-*/
-#ifndef __PFKEY_V2_H
-#define __PFKEY_V2_H 1
-
-#define PF_KEY_V2 2
-#define PFKEYV2_REVISION        199806L
-
-#define SADB_RESERVED    0
-#define SADB_GETSPI      1
-#define SADB_UPDATE      2
-#define SADB_ADD         3
-#define SADB_DELETE      4
-#define SADB_GET         5
-#define SADB_ACQUIRE     6
-#define SADB_REGISTER    7
-#define SADB_EXPIRE      8
-#define SADB_FLUSH       9
-#define SADB_DUMP       10
-#define SADB_X_PROMISC  11
-#define SADB_X_PCHANGE  12
-#define SADB_X_GRPSA    13
-#define SADB_X_ADDFLOW	14
-#define SADB_X_DELFLOW	15
-#define SADB_X_DEBUG	16
-#define SADB_X_NAT_T_NEW_MAPPING  17
-#define SADB_MAX                  17
-
-struct sadb_msg {
-  uint8_t sadb_msg_version;
-  uint8_t sadb_msg_type;
-  uint8_t sadb_msg_errno;
-  uint8_t sadb_msg_satype;
-  uint16_t sadb_msg_len;
-  uint16_t sadb_msg_reserved;
-  uint32_t sadb_msg_seq;
-  uint32_t sadb_msg_pid;
-};
-
-struct sadb_ext {
-  uint16_t sadb_ext_len;
-  uint16_t sadb_ext_type;
-};
-
-struct sadb_sa {
-  uint16_t sadb_sa_len;
-  uint16_t sadb_sa_exttype;
-  uint32_t sadb_sa_spi;
-  uint8_t sadb_sa_replay;
-  uint8_t sadb_sa_state;
-  uint8_t sadb_sa_auth;
-  uint8_t sadb_sa_encrypt;
-  uint32_t sadb_sa_flags;
-};
-
-struct sadb_lifetime {
-  uint16_t sadb_lifetime_len;
-  uint16_t sadb_lifetime_exttype;
-  uint32_t sadb_lifetime_allocations;
-  uint64_t sadb_lifetime_bytes;
-  uint64_t sadb_lifetime_addtime;
-  uint64_t sadb_lifetime_usetime;
-  uint32_t sadb_x_lifetime_packets;
-  uint32_t sadb_x_lifetime_reserved;
-};
-
-struct sadb_address {
-  uint16_t sadb_address_len;
-  uint16_t sadb_address_exttype;
-  uint8_t sadb_address_proto;
-  uint8_t sadb_address_prefixlen;
-  uint16_t sadb_address_reserved;
-};
-
-struct sadb_key {
-  uint16_t sadb_key_len;
-  uint16_t sadb_key_exttype;
-  uint16_t sadb_key_bits;
-  uint16_t sadb_key_reserved;
-};
-
-struct sadb_ident {
-  uint16_t sadb_ident_len;
-  uint16_t sadb_ident_exttype;
-  uint16_t sadb_ident_type;
-  uint16_t sadb_ident_reserved;
-  uint64_t sadb_ident_id;
-};
-
-struct sadb_sens {
-  uint16_t sadb_sens_len;
-  uint16_t sadb_sens_exttype;
-  uint32_t sadb_sens_dpd;
-  uint8_t sadb_sens_sens_level;
-  uint8_t sadb_sens_sens_len;
-  uint8_t sadb_sens_integ_level;
-  uint8_t sadb_sens_integ_len;
-  uint32_t sadb_sens_reserved;
-};
-
-struct sadb_prop {
-  uint16_t sadb_prop_len;
-  uint16_t sadb_prop_exttype;
-  uint8_t sadb_prop_replay;
-  uint8_t sadb_prop_reserved[3];
-};
-
-struct sadb_comb {
-  uint8_t sadb_comb_auth;
-  uint8_t sadb_comb_encrypt;
-  uint16_t sadb_comb_flags;
-  uint16_t sadb_comb_auth_minbits;
-  uint16_t sadb_comb_auth_maxbits;
-  uint16_t sadb_comb_encrypt_minbits;
-  uint16_t sadb_comb_encrypt_maxbits;
-  uint32_t sadb_comb_reserved;
-  uint32_t sadb_comb_soft_allocations;
-  uint32_t sadb_comb_hard_allocations;
-  uint64_t sadb_comb_soft_bytes;
-  uint64_t sadb_comb_hard_bytes;
-  uint64_t sadb_comb_soft_addtime;
-  uint64_t sadb_comb_hard_addtime;
-  uint64_t sadb_comb_soft_usetime;
-  uint64_t sadb_comb_hard_usetime;
-  uint32_t sadb_x_comb_soft_packets;
-  uint32_t sadb_x_comb_hard_packets;
-};
-
-struct sadb_supported {
-  uint16_t sadb_supported_len;
-  uint16_t sadb_supported_exttype;
-  uint32_t sadb_supported_reserved;
-};
-
-struct sadb_alg {
-  uint8_t sadb_alg_id;
-  uint8_t sadb_alg_ivlen;
-  uint16_t sadb_alg_minbits;
-  uint16_t sadb_alg_maxbits;
-  uint16_t sadb_alg_reserved;
-};
-
-struct sadb_spirange {
-  uint16_t sadb_spirange_len;
-  uint16_t sadb_spirange_exttype;
-  uint32_t sadb_spirange_min;
-  uint32_t sadb_spirange_max;
-  uint32_t sadb_spirange_reserved;
-};
-
-struct sadb_x_kmprivate {
-  uint16_t sadb_x_kmprivate_len;
-  uint16_t sadb_x_kmprivate_exttype;
-  uint32_t sadb_x_kmprivate_reserved;
-};
-
-struct sadb_x_satype {
-  uint16_t sadb_x_satype_len;
-  uint16_t sadb_x_satype_exttype;
-  uint8_t sadb_x_satype_satype;
-  uint8_t sadb_x_satype_reserved[3];
-};
-
-struct sadb_x_debug {
-  uint16_t sadb_x_debug_len;
-  uint16_t sadb_x_debug_exttype;
-  uint32_t sadb_x_debug_tunnel;
-  uint32_t sadb_x_debug_netlink;
-  uint32_t sadb_x_debug_xform;
-  uint32_t sadb_x_debug_eroute;
-  uint32_t sadb_x_debug_spi;
-  uint32_t sadb_x_debug_radij;
-  uint32_t sadb_x_debug_esp;
-  uint32_t sadb_x_debug_ah;
-  uint32_t sadb_x_debug_rcv;
-  uint32_t sadb_x_debug_pfkey;
-  uint32_t sadb_x_debug_ipcomp;
-  uint32_t sadb_x_debug_verbose;
-  uint8_t sadb_x_debug_reserved[4];
-};
-
-struct sadb_x_nat_t_type {
-  uint16_t sadb_x_nat_t_type_len;
-  uint16_t sadb_x_nat_t_type_exttype;
-  uint8_t sadb_x_nat_t_type_type;
-  uint8_t sadb_x_nat_t_type_reserved[3];
-};
-struct sadb_x_nat_t_port {
-  uint16_t sadb_x_nat_t_port_len;
-  uint16_t sadb_x_nat_t_port_exttype;
-  uint16_t sadb_x_nat_t_port_port;
-  uint16_t sadb_x_nat_t_port_reserved;
-};
-
-/*
- * A protocol structure for passing through the transport level
- * protocol.  It contains more fields than are actually used/needed
- * but it is this way to be compatible with the structure used in
- * OpenBSD (http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/pfkeyv2.h)
- */
-struct sadb_protocol {
-  uint16_t sadb_protocol_len;
-  uint16_t sadb_protocol_exttype;
-  uint8_t  sadb_protocol_proto;
-  uint8_t  sadb_protocol_direction;
-  uint8_t  sadb_protocol_flags;
-  uint8_t  sadb_protocol_reserved2;
-};
-
-#define SADB_EXT_RESERVED             0
-#define SADB_EXT_SA                   1
-#define SADB_EXT_LIFETIME_CURRENT     2
-#define SADB_EXT_LIFETIME_HARD        3
-#define SADB_EXT_LIFETIME_SOFT        4
-#define SADB_EXT_ADDRESS_SRC          5
-#define SADB_EXT_ADDRESS_DST          6
-#define SADB_EXT_ADDRESS_PROXY        7
-#define SADB_EXT_KEY_AUTH             8
-#define SADB_EXT_KEY_ENCRYPT          9
-#define SADB_EXT_IDENTITY_SRC         10
-#define SADB_EXT_IDENTITY_DST         11
-#define SADB_EXT_SENSITIVITY          12
-#define SADB_EXT_PROPOSAL             13
-#define SADB_EXT_SUPPORTED_AUTH       14
-#define SADB_EXT_SUPPORTED_ENCRYPT    15
-#define SADB_EXT_SPIRANGE             16
-#define SADB_X_EXT_KMPRIVATE          17
-#define SADB_X_EXT_SATYPE2            18
-#define SADB_X_EXT_SA2                19
-#define SADB_X_EXT_ADDRESS_DST2       20
-#define SADB_X_EXT_ADDRESS_SRC_FLOW   21
-#define SADB_X_EXT_ADDRESS_DST_FLOW   22
-#define SADB_X_EXT_ADDRESS_SRC_MASK   23
-#define SADB_X_EXT_ADDRESS_DST_MASK   24
-#define SADB_X_EXT_DEBUG              25
-#define SADB_X_EXT_PROTOCOL           26
-#define SADB_X_EXT_NAT_T_TYPE         27
-#define SADB_X_EXT_NAT_T_SPORT        28
-#define SADB_X_EXT_NAT_T_DPORT        29
-#define SADB_X_EXT_NAT_T_OA           30
-#define SADB_EXT_MAX                  30
-
-/* SADB_X_DELFLOW required over and above SADB_X_SAFLAGS_CLEARFLOW */
-#define SADB_X_EXT_ADDRESS_DELFLOW \
-	( (1<<SADB_X_EXT_ADDRESS_SRC_FLOW) \
-	| (1<<SADB_X_EXT_ADDRESS_DST_FLOW) \
-	| (1<<SADB_X_EXT_ADDRESS_SRC_MASK) \
-	| (1<<SADB_X_EXT_ADDRESS_DST_MASK))
-
-#define SADB_SATYPE_UNSPEC    0
-#define SADB_SATYPE_AH        2
-#define SADB_SATYPE_ESP       3
-#define SADB_SATYPE_RSVP      5
-#define SADB_SATYPE_OSPFV2    6
-#define SADB_SATYPE_RIPV2     7
-#define SADB_SATYPE_MIP       8
-#define SADB_X_SATYPE_IPIP    9
-#define SADB_X_SATYPE_COMP    10
-#define SADB_X_SATYPE_INT     11
-#define SADB_SATYPE_MAX       11
-
-#define SADB_SASTATE_LARVAL   0
-#define SADB_SASTATE_MATURE   1
-#define SADB_SASTATE_DYING    2
-#define SADB_SASTATE_DEAD     3
-#define SADB_SASTATE_MAX      3
-
-#define SADB_SAFLAGS_PFS		1
-#define SADB_X_SAFLAGS_REPLACEFLOW	2
-#define SADB_X_SAFLAGS_CLEARFLOW	4
-#define SADB_X_SAFLAGS_INFLOW		8
-
-#define SADB_AALG_NONE        0
-#define SADB_AALG_MD5HMAC     2
-#define SADB_AALG_SHA1HMAC    3
-#define	SADB_AALG_SHA256_HMAC    5
-#define	SADB_AALG_SHA384_HMAC    6
-#define	SADB_AALG_SHA512_HMAC    7
-#define	SADB_AALG_RIPEMD160HMAC      8
-#define	SADB_AALG_MAX         15
-
-#define SADB_EALG_NONE        0
-#define SADB_EALG_DESCBC      2
-#define SADB_EALG_3DESCBC     3
-#define SADB_EALG_BFCBC	      7
-#define SADB_EALG_NULL        11
-#define SADB_EALG_AESCBC      12
-#define SADB_EALG_MAX         255
-
-#define SADB_X_CALG_NONE          0
-#define SADB_X_CALG_OUI           1
-#define SADB_X_CALG_DEFLATE       2
-#define SADB_X_CALG_LZS           3
-#define SADB_X_CALG_V42BIS        4
-#define SADB_X_CALG_MAX           4
-
-#define SADB_X_TALG_NONE          0
-#define SADB_X_TALG_IPv4_in_IPv4  1
-#define SADB_X_TALG_IPv6_in_IPv4  2
-#define SADB_X_TALG_IPv4_in_IPv6  3
-#define SADB_X_TALG_IPv6_in_IPv6  4
-#define SADB_X_TALG_MAX           4
-
-
-#define SADB_IDENTTYPE_RESERVED   0
-#define SADB_IDENTTYPE_PREFIX     1
-#define SADB_IDENTTYPE_FQDN       2
-#define SADB_IDENTTYPE_USERFQDN   3
-#define SADB_X_IDENTTYPE_CONNECTION 4
-#define SADB_IDENTTYPE_MAX        4
-
-#define SADB_KEY_FLAGS_MAX     0
-#endif /* __PFKEY_V2_H */
diff --git a/src/charon/plugins/kernel_netlink/Makefile.am b/src/charon/plugins/kernel_netlink/Makefile.am
deleted file mode 100644
index 31d9c6d5c..000000000
--- a/src/charon/plugins/kernel_netlink/Makefile.am
+++ /dev/null
@@ -1,13 +0,0 @@
-
-INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
-
-AM_CFLAGS = -rdynamic \
--DROUTING_TABLE=${routing_table} \
--DROUTING_TABLE_PRIO=${routing_table_prio}
-
-plugin_LTLIBRARIES = libstrongswan-kernel-netlink.la
-
-libstrongswan_kernel_netlink_la_SOURCES = kernel_netlink_plugin.h kernel_netlink_plugin.c \
-	kernel_netlink_ipsec.h kernel_netlink_ipsec.c kernel_netlink_net.h kernel_netlink_net.c \
-	kernel_netlink_shared.h kernel_netlink_shared.c
-libstrongswan_kernel_netlink_la_LDFLAGS = -module -avoid-version
diff --git a/src/charon/plugins/kernel_netlink/Makefile.in b/src/charon/plugins/kernel_netlink/Makefile.in
deleted file mode 100644
index 09be50587..000000000
--- a/src/charon/plugins/kernel_netlink/Makefile.in
+++ /dev/null
@@ -1,579 +0,0 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
-# @configure_input@
-
-# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
-# This Makefile.in is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
-# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
-# PARTICULAR PURPOSE.
-
-@SET_MAKE@
-
-VPATH = @srcdir@
-pkgdatadir = $(datadir)/@PACKAGE@
-pkgincludedir = $(includedir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
-pkglibexecdir = $(libexecdir)/@PACKAGE@
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-install_sh_DATA = $(install_sh) -c -m 644
-install_sh_PROGRAM = $(install_sh) -c
-install_sh_SCRIPT = $(install_sh) -c
-INSTALL_HEADER = $(INSTALL_DATA)
-transform = $(program_transform_name)
-NORMAL_INSTALL = :
-PRE_INSTALL = :
-POST_INSTALL = :
-NORMAL_UNINSTALL = :
-PRE_UNINSTALL = :
-POST_UNINSTALL = :
-build_triplet = @build@
-host_triplet = @host@
-subdir = src/charon/plugins/kernel_netlink
-DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
-ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
-	$(top_srcdir)/m4/config/ltoptions.m4 \
-	$(top_srcdir)/m4/config/ltsugar.m4 \
-	$(top_srcdir)/m4/config/ltversion.m4 \
-	$(top_srcdir)/m4/config/lt~obsolete.m4 \
-	$(top_srcdir)/m4/macros/with.m4 \
-	$(top_srcdir)/m4/macros/enable-disable.m4 \
-	$(top_srcdir)/configure.in
-am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
-	$(ACLOCAL_M4)
-mkinstalldirs = $(install_sh) -d
-CONFIG_CLEAN_FILES =
-CONFIG_CLEAN_VPATH_FILES =
-am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
-am__vpath_adj = case $$p in \
-    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
-    *) f=$$p;; \
-  esac;
-am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
-am__install_max = 40
-am__nobase_strip_setup = \
-  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
-am__nobase_strip = \
-  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
-am__nobase_list = $(am__nobase_strip_setup); \
-  for p in $$list; do echo "$$p $$p"; done | \
-  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
-  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
-    if (++n[$$2] == $(am__install_max)) \
-      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
-    END { for (dir in files) print dir, files[dir] }'
-am__base_list = \
-  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
-  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
-am__installdirs = "$(DESTDIR)$(plugindir)"
-LTLIBRARIES = $(plugin_LTLIBRARIES)
-libstrongswan_kernel_netlink_la_LIBADD =
-am_libstrongswan_kernel_netlink_la_OBJECTS = kernel_netlink_plugin.lo \
-	kernel_netlink_ipsec.lo kernel_netlink_net.lo \
-	kernel_netlink_shared.lo
-libstrongswan_kernel_netlink_la_OBJECTS =  \
-	$(am_libstrongswan_kernel_netlink_la_OBJECTS)
-libstrongswan_kernel_netlink_la_LINK = $(LIBTOOL) --tag=CC \
-	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
-	$(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_kernel_netlink_la_LDFLAGS) $(LDFLAGS) -o $@
-DEFAULT_INCLUDES = -I.@am__isrc@
-depcomp = $(SHELL) $(top_srcdir)/depcomp
-am__depfiles_maybe = depfiles
-am__mv = mv -f
-COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
-	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
-SOURCES = $(libstrongswan_kernel_netlink_la_SOURCES)
-DIST_SOURCES = $(libstrongswan_kernel_netlink_la_SOURCES)
-ETAGS = etags
-CTAGS = ctags
-DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
-ACLOCAL = @ACLOCAL@
-ALLOCA = @ALLOCA@
-AMTAR = @AMTAR@
-AR = @AR@
-AUTOCONF = @AUTOCONF@
-AUTOHEADER = @AUTOHEADER@
-AUTOMAKE = @AUTOMAKE@
-AWK = @AWK@
-BTLIB = @BTLIB@
-CC = @CC@
-CCDEPMODE = @CCDEPMODE@
-CFLAGS = @CFLAGS@
-CPP = @CPP@
-CPPFLAGS = @CPPFLAGS@
-CYGPATH_W = @CYGPATH_W@
-DEFS = @DEFS@
-DEPDIR = @DEPDIR@
-DLLIB = @DLLIB@
-DSYMUTIL = @DSYMUTIL@
-DUMPBIN = @DUMPBIN@
-ECHO_C = @ECHO_C@
-ECHO_N = @ECHO_N@
-ECHO_T = @ECHO_T@
-EGREP = @EGREP@
-EXEEXT = @EXEEXT@
-FGREP = @FGREP@
-GPERF = @GPERF@
-GREP = @GREP@
-INSTALL = @INSTALL@
-INSTALL_DATA = @INSTALL_DATA@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@
-INSTALL_SCRIPT = @INSTALL_SCRIPT@
-INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-LD = @LD@
-LDFLAGS = @LDFLAGS@
-LEX = @LEX@
-LEXLIB = @LEXLIB@
-LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBOBJS = @LIBOBJS@
-LIBS = @LIBS@
-LIBTOOL = @LIBTOOL@
-LIPO = @LIPO@
-LN_S = @LN_S@
-LTLIBOBJS = @LTLIBOBJS@
-MAKEINFO = @MAKEINFO@
-MKDIR_P = @MKDIR_P@
-MYSQLCFLAG = @MYSQLCFLAG@
-MYSQLCONFIG = @MYSQLCONFIG@
-MYSQLLIB = @MYSQLLIB@
-NM = @NM@
-NMEDIT = @NMEDIT@
-OBJDUMP = @OBJDUMP@
-OBJEXT = @OBJEXT@
-OTOOL = @OTOOL@
-OTOOL64 = @OTOOL64@
-PACKAGE = @PACKAGE@
-PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
-PACKAGE_NAME = @PACKAGE_NAME@
-PACKAGE_STRING = @PACKAGE_STRING@
-PACKAGE_TARNAME = @PACKAGE_TARNAME@
-PACKAGE_URL = @PACKAGE_URL@
-PACKAGE_VERSION = @PACKAGE_VERSION@
-PATH_SEPARATOR = @PATH_SEPARATOR@
-PERL = @PERL@
-PKG_CONFIG = @PKG_CONFIG@
-PTHREADLIB = @PTHREADLIB@
-RANLIB = @RANLIB@
-RTLIB = @RTLIB@
-RUBY = @RUBY@
-RUBYINCLUDE = @RUBYINCLUDE@
-SED = @SED@
-SET_MAKE = @SET_MAKE@
-SHELL = @SHELL@
-SOCKLIB = @SOCKLIB@
-STRIP = @STRIP@
-VERSION = @VERSION@
-YACC = @YACC@
-YFLAGS = @YFLAGS@
-abs_builddir = @abs_builddir@
-abs_srcdir = @abs_srcdir@
-abs_top_builddir = @abs_top_builddir@
-abs_top_srcdir = @abs_top_srcdir@
-ac_ct_CC = @ac_ct_CC@
-ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
-am__include = @am__include@
-am__leading_dot = @am__leading_dot@
-am__quote = @am__quote@
-am__tar = @am__tar@
-am__untar = @am__untar@
-bindir = @bindir@
-build = @build@
-build_alias = @build_alias@
-build_cpu = @build_cpu@
-build_os = @build_os@
-build_vendor = @build_vendor@
-builddir = @builddir@
-datadir = @datadir@
-datarootdir = @datarootdir@
-default_pkcs11 = @default_pkcs11@
-docdir = @docdir@
-dvidir = @dvidir@
-exec_prefix = @exec_prefix@
-gtk_CFLAGS = @gtk_CFLAGS@
-gtk_LIBS = @gtk_LIBS@
-host = @host@
-host_alias = @host_alias@
-host_cpu = @host_cpu@
-host_os = @host_os@
-host_vendor = @host_vendor@
-htmldir = @htmldir@
-includedir = @includedir@
-infodir = @infodir@
-install_sh = @install_sh@
-ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
-ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
-ipsecuser = @ipsecuser@
-libdir = @libdir@
-libexecdir = @libexecdir@
-libstrongswan_plugins = @libstrongswan_plugins@
-linux_headers = @linux_headers@
-localedir = @localedir@
-localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
-mandir = @mandir@
-mkdir_p = @mkdir_p@
-nm_CFLAGS = @nm_CFLAGS@
-nm_LIBS = @nm_LIBS@
-nm_ca_dir = @nm_ca_dir@
-oldincludedir = @oldincludedir@
-pdfdir = @pdfdir@
-piddir = @piddir@
-plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
-prefix = @prefix@
-program_transform_name = @program_transform_name@
-psdir = @psdir@
-random_device = @random_device@
-resolv_conf = @resolv_conf@
-routing_table = @routing_table@
-routing_table_prio = @routing_table_prio@
-sbindir = @sbindir@
-sharedstatedir = @sharedstatedir@
-srcdir = @srcdir@
-strongswan_conf = @strongswan_conf@
-sysconfdir = @sysconfdir@
-target_alias = @target_alias@
-top_build_prefix = @top_build_prefix@
-top_builddir = @top_builddir@
-top_srcdir = @top_srcdir@
-urandom_device = @urandom_device@
-xml_CFLAGS = @xml_CFLAGS@
-xml_LIBS = @xml_LIBS@
-INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
-AM_CFLAGS = -rdynamic \
--DROUTING_TABLE=${routing_table} \
--DROUTING_TABLE_PRIO=${routing_table_prio}
-
-plugin_LTLIBRARIES = libstrongswan-kernel-netlink.la
-libstrongswan_kernel_netlink_la_SOURCES = kernel_netlink_plugin.h kernel_netlink_plugin.c \
-	kernel_netlink_ipsec.h kernel_netlink_ipsec.c kernel_netlink_net.h kernel_netlink_net.c \
-	kernel_netlink_shared.h kernel_netlink_shared.c
-
-libstrongswan_kernel_netlink_la_LDFLAGS = -module -avoid-version
-all: all-am
-
-.SUFFIXES:
-.SUFFIXES: .c .lo .o .obj
-$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
-	@for dep in $?; do \
-	  case '$(am__configure_deps)' in \
-	    *$$dep*) \
-	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
-	        && { if test -f $@; then exit 0; else break; fi; }; \
-	      exit 1;; \
-	  esac; \
-	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/charon/plugins/kernel_netlink/Makefile'; \
-	$(am__cd) $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu src/charon/plugins/kernel_netlink/Makefile
-.PRECIOUS: Makefile
-Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
-	@case '$?' in \
-	  *config.status*) \
-	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
-	  *) \
-	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
-	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
-	esac;
-
-$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-
-$(top_srcdir)/configure:  $(am__configure_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(am__aclocal_m4_deps):
-install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
-	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
-	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
-	list2=; for p in $$list; do \
-	  if test -f $$p; then \
-	    list2="$$list2 $$p"; \
-	  else :; fi; \
-	done; \
-	test -z "$$list2" || { \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
-	}
-
-uninstall-pluginLTLIBRARIES:
-	@$(NORMAL_UNINSTALL)
-	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
-	for p in $$list; do \
-	  $(am__strip_dir) \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
-	done
-
-clean-pluginLTLIBRARIES:
-	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
-	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
-	  test "$$dir" != "$$p" || dir=.; \
-	  echo "rm -f \"$${dir}/so_locations\""; \
-	  rm -f "$${dir}/so_locations"; \
-	done
-libstrongswan-kernel-netlink.la: $(libstrongswan_kernel_netlink_la_OBJECTS) $(libstrongswan_kernel_netlink_la_DEPENDENCIES) 
-	$(libstrongswan_kernel_netlink_la_LINK) -rpath $(plugindir) $(libstrongswan_kernel_netlink_la_OBJECTS) $(libstrongswan_kernel_netlink_la_LIBADD) $(LIBS)
-
-mostlyclean-compile:
-	-rm -f *.$(OBJEXT)
-
-distclean-compile:
-	-rm -f *.tab.c
-
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_netlink_ipsec.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_netlink_net.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_netlink_plugin.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_netlink_shared.Plo@am__quote@
-
-.c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
-
-.c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
-
-.c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
-
-mostlyclean-libtool:
-	-rm -f *.lo
-
-clean-libtool:
-	-rm -rf .libs _libs
-
-ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
-	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	mkid -fID $$unique
-tags: TAGS
-
-TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	set x; \
-	here=`pwd`; \
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	shift; \
-	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
-	  test -n "$$unique" || unique=$$empty_fix; \
-	  if test $$# -gt 0; then \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      "$$@" $$unique; \
-	  else \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      $$unique; \
-	  fi; \
-	fi
-ctags: CTAGS
-CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$unique" \
-	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$unique
-
-GTAGS:
-	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && $(am__cd) $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) "$$here"
-
-distclean-tags:
-	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
-
-distdir: $(DISTFILES)
-	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	list='$(DISTFILES)'; \
-	  dist_files=`for file in $$list; do echo $$file; done | \
-	  sed -e "s|^$$srcdirstrip/||;t" \
-	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
-	case $$dist_files in \
-	  */*) $(MKDIR_P) `echo "$$dist_files" | \
-			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
-			   sort -u` ;; \
-	esac; \
-	for file in $$dist_files; do \
-	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  if test -d $$d/$$file; then \
-	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
-	    if test -d "$(distdir)/$$file"; then \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
-	  else \
-	    test -f "$(distdir)/$$file" \
-	    || cp -p $$d/$$file "$(distdir)/$$file" \
-	    || exit 1; \
-	  fi; \
-	done
-check-am: all-am
-check: check-am
-all-am: Makefile $(LTLIBRARIES)
-installdirs:
-	for dir in "$(DESTDIR)$(plugindir)"; do \
-	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
-	done
-install: install-am
-install-exec: install-exec-am
-install-data: install-data-am
-uninstall: uninstall-am
-
-install-am: all-am
-	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
-
-installcheck: installcheck-am
-install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
-mostlyclean-generic:
-
-clean-generic:
-
-distclean-generic:
-	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
-
-maintainer-clean-generic:
-	@echo "This command is intended for maintainers to use"
-	@echo "it deletes files that may require special tools to rebuild."
-clean: clean-am
-
-clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
-	mostlyclean-am
-
-distclean: distclean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-distclean-am: clean-am distclean-compile distclean-generic \
-	distclean-tags
-
-dvi: dvi-am
-
-dvi-am:
-
-html: html-am
-
-html-am:
-
-info: info-am
-
-info-am:
-
-install-data-am: install-pluginLTLIBRARIES
-
-install-dvi: install-dvi-am
-
-install-dvi-am:
-
-install-exec-am:
-
-install-html: install-html-am
-
-install-html-am:
-
-install-info: install-info-am
-
-install-info-am:
-
-install-man:
-
-install-pdf: install-pdf-am
-
-install-pdf-am:
-
-install-ps: install-ps-am
-
-install-ps-am:
-
-installcheck-am:
-
-maintainer-clean: maintainer-clean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-maintainer-clean-am: distclean-am maintainer-clean-generic
-
-mostlyclean: mostlyclean-am
-
-mostlyclean-am: mostlyclean-compile mostlyclean-generic \
-	mostlyclean-libtool
-
-pdf: pdf-am
-
-pdf-am:
-
-ps: ps-am
-
-ps-am:
-
-uninstall-am: uninstall-pluginLTLIBRARIES
-
-.MAKE: install-am install-strip
-
-.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
-	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
-	distclean-compile distclean-generic distclean-libtool \
-	distclean-tags distdir dvi dvi-am html html-am info info-am \
-	install install-am install-data install-data-am install-dvi \
-	install-dvi-am install-exec install-exec-am install-html \
-	install-html-am install-info install-info-am install-man \
-	install-pdf install-pdf-am install-pluginLTLIBRARIES \
-	install-ps install-ps-am install-strip installcheck \
-	installcheck-am installdirs maintainer-clean \
-	maintainer-clean-generic mostlyclean mostlyclean-compile \
-	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
-
-
-# Tell versions [3.59,3.63) of GNU make to not export all variables.
-# Otherwise a system limit (for SysV at least) may be exceeded.
-.NOEXPORT:
diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c
deleted file mode 100644
index 850876b9d..000000000
--- a/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ /dev/null
@@ -1,2069 +0,0 @@
-/*
- * Copyright (C) 2006-2009 Tobias Brunner
- * Copyright (C) 2005-2009 Martin Willi
- * Copyright (C) 2008 Andreas Steffen
- * Copyright (C) 2006-2007 Fabian Hartmann, Noah Heusser
- * Copyright (C) 2006 Daniel Roethlisberger
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <stdint.h>
-#include <linux/ipsec.h>
-#include <linux/netlink.h>
-#include <linux/rtnetlink.h>
-#include <linux/xfrm.h>
-#include <linux/udp.h>
-#include <unistd.h>
-#include <time.h>
-#include <errno.h>
-#include <string.h>
-#include <fcntl.h>
-
-#include "kernel_netlink_ipsec.h"
-#include "kernel_netlink_shared.h"
-
-#include <daemon.h>
-#include <threading/thread.h>
-#include <threading/mutex.h>
-#include <utils/hashtable.h>
-#include <processing/jobs/callback_job.h>
-#include <processing/jobs/acquire_job.h>
-#include <processing/jobs/migrate_job.h>
-#include <processing/jobs/rekey_child_sa_job.h>
-#include <processing/jobs/delete_child_sa_job.h>
-#include <processing/jobs/update_sa_job.h>
-
-/** required for Linux 2.6.26 kernel and later */
-#ifndef XFRM_STATE_AF_UNSPEC
-#define XFRM_STATE_AF_UNSPEC	32
-#endif
-
-/** from linux/in.h */
-#ifndef IP_XFRM_POLICY
-#define IP_XFRM_POLICY 17
-#endif
-
-/* missing on uclibc */
-#ifndef IPV6_XFRM_POLICY
-#define IPV6_XFRM_POLICY 34
-#endif /*IPV6_XFRM_POLICY*/
-
-/** default priority of installed policies */
-#define PRIO_LOW 3000
-#define PRIO_HIGH 2000
-
-/**
- * map the limit for bytes and packets to XFRM_INF per default
- */
-#define XFRM_LIMIT(x) ((x) == 0 ? XFRM_INF : (x))
-
-/**
- * Create ORable bitfield of XFRM NL groups
- */
-#define XFRMNLGRP(x) (1<<(XFRMNLGRP_##x-1))
-
-/**
- * returns a pointer to the first rtattr following the nlmsghdr *nlh and the
- * 'usual' netlink data x like 'struct xfrm_usersa_info'
- */
-#define XFRM_RTA(nlh, x) ((struct rtattr*)(NLMSG_DATA(nlh) + NLMSG_ALIGN(sizeof(x))))
-/**
- * returns a pointer to the next rtattr following rta.
- * !!! do not use this to parse messages. use RTA_NEXT and RTA_OK instead !!!
- */
-#define XFRM_RTA_NEXT(rta) ((struct rtattr*)(((char*)(rta)) + RTA_ALIGN((rta)->rta_len)))
-/**
- * returns the total size of attached rta data
- * (after 'usual' netlink data x like 'struct xfrm_usersa_info')
- */
-#define XFRM_PAYLOAD(nlh, x) NLMSG_PAYLOAD(nlh, sizeof(x))
-
-typedef struct kernel_algorithm_t kernel_algorithm_t;
-
-/**
- * Mapping of IKEv2 kernel identifier to linux crypto API names
- */
-struct kernel_algorithm_t {
-	/**
-	 * Identifier specified in IKEv2
-	 */
-	int ikev2;
-
-	/**
-	 * Name of the algorithm in linux crypto API
-	 */
-	char *name;
-};
-
-ENUM(xfrm_msg_names, XFRM_MSG_NEWSA, XFRM_MSG_MAPPING,
-	"XFRM_MSG_NEWSA",
-	"XFRM_MSG_DELSA",
-	"XFRM_MSG_GETSA",
-	"XFRM_MSG_NEWPOLICY",
-	"XFRM_MSG_DELPOLICY",
-	"XFRM_MSG_GETPOLICY",
-	"XFRM_MSG_ALLOCSPI",
-	"XFRM_MSG_ACQUIRE",
-	"XFRM_MSG_EXPIRE",
-	"XFRM_MSG_UPDPOLICY",
-	"XFRM_MSG_UPDSA",
-	"XFRM_MSG_POLEXPIRE",
-	"XFRM_MSG_FLUSHSA",
-	"XFRM_MSG_FLUSHPOLICY",
-	"XFRM_MSG_NEWAE",
-	"XFRM_MSG_GETAE",
-	"XFRM_MSG_REPORT",
-	"XFRM_MSG_MIGRATE",
-	"XFRM_MSG_NEWSADINFO",
-	"XFRM_MSG_GETSADINFO",
-	"XFRM_MSG_NEWSPDINFO",
-	"XFRM_MSG_GETSPDINFO",
-	"XFRM_MSG_MAPPING"
-);
-
-ENUM(xfrm_attr_type_names, XFRMA_UNSPEC, XFRMA_KMADDRESS,
-	"XFRMA_UNSPEC",
-	"XFRMA_ALG_AUTH",
-	"XFRMA_ALG_CRYPT",
-	"XFRMA_ALG_COMP",
-	"XFRMA_ENCAP",
-	"XFRMA_TMPL",
-	"XFRMA_SA",
-	"XFRMA_POLICY",
-	"XFRMA_SEC_CTX",
-	"XFRMA_LTIME_VAL",
-	"XFRMA_REPLAY_VAL",
-	"XFRMA_REPLAY_THRESH",
-	"XFRMA_ETIMER_THRESH",
-	"XFRMA_SRCADDR",
-	"XFRMA_COADDR",
-	"XFRMA_LASTUSED",
-	"XFRMA_POLICY_TYPE",
-	"XFRMA_MIGRATE",
-	"XFRMA_ALG_AEAD",
-	"XFRMA_KMADDRESS"
-);
-
-#define END_OF_LIST -1
-
-/**
- * Algorithms for encryption
- */
-static kernel_algorithm_t encryption_algs[] = {
-/*	{ENCR_DES_IV64,				"***"				}, */
-	{ENCR_DES,					"des"				},
-	{ENCR_3DES,					"des3_ede"			},
-/*	{ENCR_RC5,					"***"				}, */
-/*	{ENCR_IDEA,					"***"				}, */
-	{ENCR_CAST,					"cast128"			},
-	{ENCR_BLOWFISH,				"blowfish"			},
-/*	{ENCR_3IDEA,				"***"				}, */
-/*	{ENCR_DES_IV32,				"***"				}, */
-	{ENCR_NULL,					"cipher_null"		},
-	{ENCR_AES_CBC,				"aes"				},
-	{ENCR_AES_CTR,				"rfc3686(ctr(aes))"	},
-	{ENCR_AES_CCM_ICV8,			"rfc4309(ccm(aes))"	},
-	{ENCR_AES_CCM_ICV12,		"rfc4309(ccm(aes))"	},
-	{ENCR_AES_CCM_ICV16,		"rfc4309(ccm(aes))"	},
-	{ENCR_AES_GCM_ICV8,			"rfc4106(gcm(aes))"	},
-	{ENCR_AES_GCM_ICV12,		"rfc4106(gcm(aes))"	},
-	{ENCR_AES_GCM_ICV16,		"rfc4106(gcm(aes))"	},
-/*	{ENCR_NULL_AUTH_AES_GMAC,	"***"				}, */
-	{ENCR_CAMELLIA_CBC,			"cbc(camellia)"		},
-/*	{ENCR_CAMELLIA_CTR,			"***"				}, */
-/*	{ENCR_CAMELLIA_CCM_ICV8,	"***"				}, */
-/*	{ENCR_CAMELLIA_CCM_ICV12,	"***"				}, */
-/*	{ENCR_CAMELLIA_CCM_ICV16,	"***"				}, */
-	{END_OF_LIST,				NULL				}
-};
-
-/**
- * Algorithms for integrity protection
- */
-static kernel_algorithm_t integrity_algs[] = {
-	{AUTH_HMAC_MD5_96,			"md5"				},
-	{AUTH_HMAC_SHA1_96,			"sha1"				},
-	{AUTH_HMAC_SHA2_256_96,		"sha256"			},
-	{AUTH_HMAC_SHA2_256_128,	"hmac(sha256)"		},
-	{AUTH_HMAC_SHA2_384_192,	"hmac(sha384)"		},
-	{AUTH_HMAC_SHA2_512_256,	"hmac(sha512)"		},
-/*	{AUTH_DES_MAC,				"***"				}, */
-/*	{AUTH_KPDK_MD5,				"***"				}, */
-	{AUTH_AES_XCBC_96,			"xcbc(aes)"			},
-	{END_OF_LIST,				NULL				}
-};
-
-/**
- * Algorithms for IPComp
- */
-static kernel_algorithm_t compression_algs[] = {
-/*	{IPCOMP_OUI,				"***"				}, */
-	{IPCOMP_DEFLATE,			"deflate"			},
-	{IPCOMP_LZS,				"lzs"				},
-	{IPCOMP_LZJH,				"lzjh"				},
-	{END_OF_LIST,				NULL				}
-};
-
-/**
- * Look up a kernel algorithm name and its key size
- */
-static char* lookup_algorithm(kernel_algorithm_t *list, int ikev2)
-{
-	while (list->ikev2 != END_OF_LIST)
-	{
-		if (list->ikev2 == ikev2)
-		{
-			return list->name;
-		}
-		list++;
-	}
-	return NULL;
-}
-
-typedef struct route_entry_t route_entry_t;
-
-/**
- * installed routing entry
- */
-struct route_entry_t {
-	/** Name of the interface the route is bound to */
-	char *if_name;
-
-	/** Source ip of the route */
-	host_t *src_ip;
-
-	/** gateway for this route */
-	host_t *gateway;
-
-	/** Destination net */
-	chunk_t dst_net;
-
-	/** Destination net prefixlen */
-	u_int8_t prefixlen;
-};
-
-/**
- * destroy an route_entry_t object
- */
-static void route_entry_destroy(route_entry_t *this)
-{
-	free(this->if_name);
-	this->src_ip->destroy(this->src_ip);
-	DESTROY_IF(this->gateway);
-	chunk_free(&this->dst_net);
-	free(this);
-}
-
-typedef struct policy_entry_t policy_entry_t;
-
-/**
- * installed kernel policy.
- */
-struct policy_entry_t {
-
-	/** direction of this policy: in, out, forward */
-	u_int8_t direction;
-
-	/** parameters of installed policy */
-	struct xfrm_selector sel;
-
-	/** associated route installed for this policy */
-	route_entry_t *route;
-
-	/** by how many CHILD_SA's this policy is used */
-	u_int refcount;
-};
-
-/**
- * Hash function for policy_entry_t objects
- */
-static u_int policy_hash(policy_entry_t *key)
-{
-	chunk_t chunk = chunk_create((void*)&key->sel, sizeof(struct xfrm_selector));
-	return chunk_hash(chunk);
-}
-
-/**
- * Equality function for policy_entry_t objects
- */
-static bool policy_equals(policy_entry_t *key, policy_entry_t *other_key)
-{
-	return memeq(&key->sel, &other_key->sel, sizeof(struct xfrm_selector)) &&
-		   key->direction == other_key->direction;
-}
-
-typedef struct private_kernel_netlink_ipsec_t private_kernel_netlink_ipsec_t;
-
-/**
- * Private variables and functions of kernel_netlink class.
- */
-struct private_kernel_netlink_ipsec_t {
-	/**
-	 * Public part of the kernel_netlink_t object.
-	 */
-	kernel_netlink_ipsec_t public;
-
-	/**
-	 * mutex to lock access to various lists
-	 */
-	mutex_t *mutex;
-
-	/**
-	 * Hash table of installed policies (policy_entry_t)
-	 */
-	hashtable_t *policies;
-
-	/**
-	 * job receiving netlink events
-	 */
-	callback_job_t *job;
-
-	/**
-	 * Netlink xfrm socket (IPsec)
-	 */
-	netlink_socket_t *socket_xfrm;
-
-	/**
-	 * netlink xfrm socket to receive acquire and expire events
-	 */
-	int socket_xfrm_events;
-
-	/**
-	 * whether to install routes along policies
-	 */
-	bool install_routes;
-};
-
-/**
- * convert a IKEv2 specific protocol identifier to the kernel one
- */
-static u_int8_t proto_ike2kernel(protocol_id_t proto)
-{
-	switch (proto)
-	{
-		case PROTO_ESP:
-			return IPPROTO_ESP;
-		case PROTO_AH:
-			return IPPROTO_AH;
-		default:
-			return proto;
-	}
-}
-
-/**
- * reverse of ike2kernel
- */
-static protocol_id_t proto_kernel2ike(u_int8_t proto)
-{
-	switch (proto)
-	{
-		case IPPROTO_ESP:
-			return PROTO_ESP;
-		case IPPROTO_AH:
-			return PROTO_AH;
-		default:
-			return proto;
-	}
-}
-
-/**
- * convert the general ipsec mode to the one defined in xfrm.h
- */
-static u_int8_t mode2kernel(ipsec_mode_t mode)
-{
-	switch (mode)
-	{
-		case MODE_TRANSPORT:
-			return XFRM_MODE_TRANSPORT;
-		case MODE_TUNNEL:
-			return XFRM_MODE_TUNNEL;
-		case MODE_BEET:
-			return XFRM_MODE_BEET;
-		default:
-			return mode;
-	}
-}
-
-/**
- * convert a host_t to a struct xfrm_address
- */
-static void host2xfrm(host_t *host, xfrm_address_t *xfrm)
-{
-	chunk_t chunk = host->get_address(host);
-	memcpy(xfrm, chunk.ptr, min(chunk.len, sizeof(xfrm_address_t)));
-}
-
-/**
- * convert a struct xfrm_address to a host_t
- */
-static host_t* xfrm2host(int family, xfrm_address_t *xfrm, u_int16_t port)
-{
-	chunk_t chunk;
-
-	switch (family)
-	{
-		case AF_INET:
-			chunk = chunk_create((u_char*)&xfrm->a4, sizeof(xfrm->a4));
-			break;
-		case AF_INET6:
-			chunk = chunk_create((u_char*)&xfrm->a6, sizeof(xfrm->a6));
-			break;
-		default:
-			return NULL;
-	}
-	return host_create_from_chunk(family, chunk, ntohs(port));
-}
-
-/**
- * convert a traffic selector address range to subnet and its mask.
- */
-static void ts2subnet(traffic_selector_t* ts,
-					  xfrm_address_t *net, u_int8_t *mask)
-{
-	host_t *net_host;
-	chunk_t net_chunk;
-
-	ts->to_subnet(ts, &net_host, mask);
-	net_chunk = net_host->get_address(net_host);
-	memcpy(net, net_chunk.ptr, net_chunk.len);
-	net_host->destroy(net_host);
-}
-
-/**
- * convert a traffic selector port range to port/portmask
- */
-static void ts2ports(traffic_selector_t* ts,
-					 u_int16_t *port, u_int16_t *mask)
-{
-	/* linux does not seem to accept complex portmasks. Only
-	 * any or a specific port is allowed. We set to any, if we have
-	 * a port range, or to a specific, if we have one port only.
-	 */
-	u_int16_t from, to;
-
-	from = ts->get_from_port(ts);
-	to = ts->get_to_port(ts);
-
-	if (from == to)
-	{
-		*port = htons(from);
-		*mask = ~0;
-	}
-	else
-	{
-		*port = 0;
-		*mask = 0;
-	}
-}
-
-/**
- * convert a pair of traffic_selectors to a xfrm_selector
- */
-static struct xfrm_selector ts2selector(traffic_selector_t *src,
-										traffic_selector_t *dst)
-{
-	struct xfrm_selector sel;
-
-	memset(&sel, 0, sizeof(sel));
-	sel.family = (src->get_type(src) == TS_IPV4_ADDR_RANGE) ? AF_INET : AF_INET6;
-	/* src or dest proto may be "any" (0), use more restrictive one */
-	sel.proto = max(src->get_protocol(src), dst->get_protocol(dst));
-	ts2subnet(dst, &sel.daddr, &sel.prefixlen_d);
-	ts2subnet(src, &sel.saddr, &sel.prefixlen_s);
-	ts2ports(dst, &sel.dport, &sel.dport_mask);
-	ts2ports(src, &sel.sport, &sel.sport_mask);
-	sel.ifindex = 0;
-	sel.user = 0;
-
-	return sel;
-}
-
-/**
- * convert a xfrm_selector to a src|dst traffic_selector
- */
-static traffic_selector_t* selector2ts(struct xfrm_selector *sel, bool src)
-{
-	u_char *addr;
-	u_int8_t prefixlen;
-	u_int16_t port = 0;
-	host_t *host = NULL;
-
-	if (src)
-	{
-		addr = (u_char*)&sel->saddr;
-		prefixlen = sel->prefixlen_s;
-		if (sel->sport_mask)
-		{
-			port = htons(sel->sport);
-		}
-	}
-	else
-	{
-		addr = (u_char*)&sel->daddr;
-		prefixlen = sel->prefixlen_d;
-		if (sel->dport_mask)
-		{
-			port = htons(sel->dport);
-		}
-	}
-
-	/* The Linux 2.6 kernel does not set the selector's family field,
-	 * so as a kludge we additionally test the prefix length.
-	 */
-	if (sel->family == AF_INET || sel->prefixlen_s == 32)
-	{
-		host = host_create_from_chunk(AF_INET, chunk_create(addr, 4), 0);
-	}
-	else if (sel->family == AF_INET6 || sel->prefixlen_s == 128)
-	{
-		host = host_create_from_chunk(AF_INET6, chunk_create(addr, 16), 0);
-	}
-
-	if (host)
-	{
-		return traffic_selector_create_from_subnet(host, prefixlen,
-												   sel->proto, port);
-	}
-	return NULL;
-}
-
-/**
- * process a XFRM_MSG_ACQUIRE from kernel
- */
-static void process_acquire(private_kernel_netlink_ipsec_t *this, struct nlmsghdr *hdr)
-{
-	u_int32_t reqid = 0;
-	int proto = 0;
-	traffic_selector_t *src_ts, *dst_ts;
-	struct xfrm_user_acquire *acquire;
-	struct rtattr *rta;
-	size_t rtasize;
-	job_t *job;
-
-	acquire = (struct xfrm_user_acquire*)NLMSG_DATA(hdr);
-	rta = XFRM_RTA(hdr, struct xfrm_user_acquire);
-	rtasize = XFRM_PAYLOAD(hdr, struct xfrm_user_acquire);
-
-	DBG2(DBG_KNL, "received a XFRM_MSG_ACQUIRE");
-
-	while (RTA_OK(rta, rtasize))
-	{
-		DBG2(DBG_KNL, "  %N", xfrm_attr_type_names, rta->rta_type);
-
-		if (rta->rta_type == XFRMA_TMPL)
-		{
-			struct xfrm_user_tmpl* tmpl;
-
-			tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rta);
-			reqid = tmpl->reqid;
-			proto = tmpl->id.proto;
-		}
-		rta = RTA_NEXT(rta, rtasize);
-	}
-	switch (proto)
-	{
-		case 0:
-		case IPPROTO_ESP:
-		case IPPROTO_AH:
-			break;
-		default:
-			/* acquire for AH/ESP only, not for IPCOMP */
-			return;
-	}
-	src_ts = selector2ts(&acquire->sel, TRUE);
-	dst_ts = selector2ts(&acquire->sel, FALSE);
-	DBG1(DBG_KNL, "creating acquire job for policy %R === %R with reqid {%u}",
-					src_ts, dst_ts, reqid);
-	job = (job_t*)acquire_job_create(reqid, src_ts, dst_ts);
-	charon->processor->queue_job(charon->processor, job);
-}
-
-/**
- * process a XFRM_MSG_EXPIRE from kernel
- */
-static void process_expire(private_kernel_netlink_ipsec_t *this, struct nlmsghdr *hdr)
-{
-	job_t *job;
-	protocol_id_t protocol;
-	u_int32_t spi, reqid;
-	struct xfrm_user_expire *expire;
-
-	expire = (struct xfrm_user_expire*)NLMSG_DATA(hdr);
-	protocol = proto_kernel2ike(expire->state.id.proto);
-	spi = expire->state.id.spi;
-	reqid = expire->state.reqid;
-
-	DBG2(DBG_KNL, "received a XFRM_MSG_EXPIRE");
-
-	if (protocol != PROTO_ESP && protocol != PROTO_AH)
-	{
-		DBG2(DBG_KNL, "ignoring XFRM_MSG_EXPIRE for SA with SPI %.8x and reqid {%u} "
-					  "which is not a CHILD_SA", ntohl(spi), reqid);
-		return;
-	}
-
-	DBG1(DBG_KNL, "creating %s job for %N CHILD_SA with SPI %.8x and reqid {%d}",
-		 expire->hard ? "delete" : "rekey",  protocol_id_names,
-		 protocol, ntohl(spi), reqid);
-	if (expire->hard)
-	{
-		job = (job_t*)delete_child_sa_job_create(reqid, protocol, spi);
-	}
-	else
-	{
-		job = (job_t*)rekey_child_sa_job_create(reqid, protocol, spi);
-	}
-	charon->processor->queue_job(charon->processor, job);
-}
-
-/**
- * process a XFRM_MSG_MIGRATE from kernel
- */
-static void process_migrate(private_kernel_netlink_ipsec_t *this, struct nlmsghdr *hdr)
-{
-	traffic_selector_t *src_ts, *dst_ts;
-	host_t *local = NULL, *remote = NULL;
-	host_t *old_src = NULL, *old_dst = NULL;
-	host_t *new_src = NULL, *new_dst = NULL;
-	struct xfrm_userpolicy_id *policy_id;
-	struct rtattr *rta;
-	size_t rtasize;
-	u_int32_t reqid = 0;
-	policy_dir_t dir;
-	job_t *job;
-
-	policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
-	rta     = XFRM_RTA(hdr, struct xfrm_userpolicy_id);
-	rtasize = XFRM_PAYLOAD(hdr, struct xfrm_userpolicy_id);
-
-	DBG2(DBG_KNL, "received a XFRM_MSG_MIGRATE");
-
-	src_ts = selector2ts(&policy_id->sel, TRUE);
-	dst_ts = selector2ts(&policy_id->sel, FALSE);
-	dir = (policy_dir_t)policy_id->dir;
-
-	DBG2(DBG_KNL, "  policy: %R === %R %N", src_ts, dst_ts, policy_dir_names);
-
-	while (RTA_OK(rta, rtasize))
-	{
-		DBG2(DBG_KNL, "  %N", xfrm_attr_type_names, rta->rta_type);
-		if (rta->rta_type == XFRMA_KMADDRESS)
-		{
-			struct xfrm_user_kmaddress *kmaddress;
-
-			kmaddress = (struct xfrm_user_kmaddress*)RTA_DATA(rta);
-			local  = xfrm2host(kmaddress->family, &kmaddress->local, 0);
-			remote = xfrm2host(kmaddress->family, &kmaddress->remote, 0);
-			DBG2(DBG_KNL, "  kmaddress: %H...%H", local, remote);
-		}
-		else if (rta->rta_type == XFRMA_MIGRATE)
-		{
-			struct xfrm_user_migrate *migrate;
-			protocol_id_t proto;
-
-			migrate = (struct xfrm_user_migrate*)RTA_DATA(rta);
-			old_src = xfrm2host(migrate->old_family, &migrate->old_saddr, 0);
-			old_dst = xfrm2host(migrate->old_family, &migrate->old_daddr, 0);
-			new_src = xfrm2host(migrate->new_family, &migrate->new_saddr, 0);
-			new_dst = xfrm2host(migrate->new_family, &migrate->new_daddr, 0);
-			proto = proto_kernel2ike(migrate->proto);
-			reqid = migrate->reqid;
-			DBG2(DBG_KNL, "  migrate %N %H...%H to %H...%H, reqid {%u}",
-							 protocol_id_names, proto, old_src, old_dst,
-							 new_src, new_dst, reqid);
-			DESTROY_IF(old_src);
-			DESTROY_IF(old_dst);
-			DESTROY_IF(new_src);
-			DESTROY_IF(new_dst);
-		}
-		rta = RTA_NEXT(rta, rtasize);
-	}
-
-	if (src_ts && dst_ts && local && remote)
-	{
-		DBG1(DBG_KNL, "creating migrate job for policy %R === %R %N with reqid {%u}",
-					   src_ts, dst_ts, policy_dir_names, dir, reqid, local);
-		job = (job_t*)migrate_job_create(reqid, src_ts, dst_ts, dir,
-										 local, remote);
-		charon->processor->queue_job(charon->processor, job);
-	}
-	else
-	{
-		DESTROY_IF(src_ts);
-		DESTROY_IF(dst_ts);
-		DESTROY_IF(local);
-		DESTROY_IF(remote);
-	}
-}
-
-/**
- * process a XFRM_MSG_MAPPING from kernel
- */
-static void process_mapping(private_kernel_netlink_ipsec_t *this,
-							struct nlmsghdr *hdr)
-{
-	job_t *job;
-	u_int32_t spi, reqid;
-	struct xfrm_user_mapping *mapping;
-	host_t *host;
-
-	mapping = (struct xfrm_user_mapping*)NLMSG_DATA(hdr);
-	spi = mapping->id.spi;
-	reqid = mapping->reqid;
-
-	DBG2(DBG_KNL, "received a XFRM_MSG_MAPPING");
-
-	if (proto_kernel2ike(mapping->id.proto) == PROTO_ESP)
-	{
-		host = xfrm2host(mapping->id.family, &mapping->new_saddr,
-						 mapping->new_sport);
-		if (host)
-		{
-			DBG1(DBG_KNL, "NAT mappings of ESP CHILD_SA with SPI %.8x and "
-				"reqid {%u} changed, queuing update job", ntohl(spi), reqid);
-			job = (job_t*)update_sa_job_create(reqid, host);
-			charon->processor->queue_job(charon->processor, job);
-		}
-	}
-}
-
-/**
- * Receives events from kernel
- */
-static job_requeue_t receive_events(private_kernel_netlink_ipsec_t *this)
-{
-	char response[1024];
-	struct nlmsghdr *hdr = (struct nlmsghdr*)response;
-	struct sockaddr_nl addr;
-	socklen_t addr_len = sizeof(addr);
-	int len;
-	bool oldstate;
-
-	oldstate = thread_cancelability(TRUE);
-	len = recvfrom(this->socket_xfrm_events, response, sizeof(response), 0,
-				   (struct sockaddr*)&addr, &addr_len);
-	thread_cancelability(oldstate);
-
-	if (len < 0)
-	{
-		switch (errno)
-		{
-			case EINTR:
-				/* interrupted, try again */
-				return JOB_REQUEUE_DIRECT;
-			case EAGAIN:
-				/* no data ready, select again */
-				return JOB_REQUEUE_DIRECT;
-			default:
-				DBG1(DBG_KNL, "unable to receive from xfrm event socket");
-				sleep(1);
-				return JOB_REQUEUE_FAIR;
-		}
-	}
-
-	if (addr.nl_pid != 0)
-	{	/* not from kernel. not interested, try another one */
-		return JOB_REQUEUE_DIRECT;
-	}
-
-	while (NLMSG_OK(hdr, len))
-	{
-		switch (hdr->nlmsg_type)
-		{
-			case XFRM_MSG_ACQUIRE:
-				process_acquire(this, hdr);
-				break;
-			case XFRM_MSG_EXPIRE:
-				process_expire(this, hdr);
-				break;
-			case XFRM_MSG_MIGRATE:
-				process_migrate(this, hdr);
-				break;
-			case XFRM_MSG_MAPPING:
-				process_mapping(this, hdr);
-				break;
-			default:
-				DBG1(DBG_KNL, "received unknown event from xfrm event socket: %d", hdr->nlmsg_type);
-				break;
-		}
-		hdr = NLMSG_NEXT(hdr, len);
-	}
-	return JOB_REQUEUE_DIRECT;
-}
-
-/**
- * Get an SPI for a specific protocol from the kernel.
- */
-static status_t get_spi_internal(private_kernel_netlink_ipsec_t *this,
-		host_t *src, host_t *dst, u_int8_t proto, u_int32_t min, u_int32_t max,
-		u_int32_t reqid, u_int32_t *spi)
-{
-	netlink_buf_t request;
-	struct nlmsghdr *hdr, *out;
-	struct xfrm_userspi_info *userspi;
-	u_int32_t received_spi = 0;
-	size_t len;
-
-	memset(&request, 0, sizeof(request));
-
-	hdr = (struct nlmsghdr*)request;
-	hdr->nlmsg_flags = NLM_F_REQUEST;
-	hdr->nlmsg_type = XFRM_MSG_ALLOCSPI;
-	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userspi_info));
-
-	userspi = (struct xfrm_userspi_info*)NLMSG_DATA(hdr);
-	host2xfrm(src, &userspi->info.saddr);
-	host2xfrm(dst, &userspi->info.id.daddr);
-	userspi->info.id.proto = proto;
-	userspi->info.mode = XFRM_MODE_TUNNEL;
-	userspi->info.reqid = reqid;
-	userspi->info.family = src->get_family(src);
-	userspi->min = min;
-	userspi->max = max;
-
-	if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
-	{
-		hdr = out;
-		while (NLMSG_OK(hdr, len))
-		{
-			switch (hdr->nlmsg_type)
-			{
-				case XFRM_MSG_NEWSA:
-				{
-					struct xfrm_usersa_info* usersa = NLMSG_DATA(hdr);
-					received_spi = usersa->id.spi;
-					break;
-				}
-				case NLMSG_ERROR:
-				{
-					struct nlmsgerr *err = NLMSG_DATA(hdr);
-
-					DBG1(DBG_KNL, "allocating SPI failed: %s (%d)",
-						 strerror(-err->error), -err->error);
-					break;
-				}
-				default:
-					hdr = NLMSG_NEXT(hdr, len);
-					continue;
-				case NLMSG_DONE:
-					break;
-			}
-			break;
-		}
-		free(out);
-	}
-
-	if (received_spi == 0)
-	{
-		return FAILED;
-	}
-
-	*spi = received_spi;
-	return SUCCESS;
-}
-
-/**
- * Implementation of kernel_interface_t.get_spi.
- */
-static status_t get_spi(private_kernel_netlink_ipsec_t *this,
-						host_t *src, host_t *dst,
-						protocol_id_t protocol, u_int32_t reqid,
-						u_int32_t *spi)
-{
-	DBG2(DBG_KNL, "getting SPI for reqid {%u}", reqid);
-
-	if (get_spi_internal(this, src, dst, proto_ike2kernel(protocol),
-			0xc0000000, 0xcFFFFFFF, reqid, spi) != SUCCESS)
-	{
-		DBG1(DBG_KNL, "unable to get SPI for reqid {%u}", reqid);
-		return FAILED;
-	}
-
-	DBG2(DBG_KNL, "got SPI %.8x for reqid {%u}", ntohl(*spi), reqid);
-
-	return SUCCESS;
-}
-
-/**
- * Implementation of kernel_interface_t.get_cpi.
- */
-static status_t get_cpi(private_kernel_netlink_ipsec_t *this,
-						host_t *src, host_t *dst,
-						u_int32_t reqid, u_int16_t *cpi)
-{
-	u_int32_t received_spi = 0;
-
-	DBG2(DBG_KNL, "getting CPI for reqid {%u}", reqid);
-
-	if (get_spi_internal(this, src, dst,
-			IPPROTO_COMP, 0x100, 0xEFFF, reqid, &received_spi) != SUCCESS)
-	{
-		DBG1(DBG_KNL, "unable to get CPI for reqid {%u}", reqid);
-		return FAILED;
-	}
-
-	*cpi = htons((u_int16_t)ntohl(received_spi));
-
-	DBG2(DBG_KNL, "got CPI %.4x for reqid {%u}", ntohs(*cpi), reqid);
-
-	return SUCCESS;
-}
-
-/**
- * Implementation of kernel_interface_t.add_sa.
- */
-static status_t add_sa(private_kernel_netlink_ipsec_t *this,
-					   host_t *src, host_t *dst, u_int32_t spi,
-					   protocol_id_t protocol, u_int32_t reqid,
-					   lifetime_cfg_t *lifetime,
-					   u_int16_t enc_alg, chunk_t enc_key,
-					   u_int16_t int_alg, chunk_t int_key,
-					   ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
-					   bool encap, bool inbound,
-					   traffic_selector_t* src_ts, traffic_selector_t* dst_ts)
-{
-	netlink_buf_t request;
-	char *alg_name;
-	struct nlmsghdr *hdr;
-	struct xfrm_usersa_info *sa;
-	u_int16_t icv_size = 64;
-
-	/* if IPComp is used, we install an additional IPComp SA. if the cpi is 0
-	 * we are in the recursive call below */
-	if (ipcomp != IPCOMP_NONE && cpi != 0)
-	{
-		lifetime_cfg_t lft = {{0,0,0},{0,0,0},{0,0,0}};
-		add_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, reqid, &lft,
-			   ENCR_UNDEFINED, chunk_empty, AUTH_UNDEFINED, chunk_empty,
-			   mode, ipcomp, 0, FALSE, inbound, NULL, NULL);
-		ipcomp = IPCOMP_NONE;
-		/* use transport mode ESP SA, IPComp uses tunnel mode */
-		mode = MODE_TRANSPORT;
-	}
-
-	memset(&request, 0, sizeof(request));
-
-	DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%u}",
-		 ntohl(spi), reqid);
-
-	hdr = (struct nlmsghdr*)request;
-	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
-	hdr->nlmsg_type = inbound ? XFRM_MSG_UPDSA : XFRM_MSG_NEWSA;
-	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
-
-	sa = (struct xfrm_usersa_info*)NLMSG_DATA(hdr);
-	host2xfrm(src, &sa->saddr);
-	host2xfrm(dst, &sa->id.daddr);
-	sa->id.spi = spi;
-	sa->id.proto = proto_ike2kernel(protocol);
-	sa->family = src->get_family(src);
-	sa->mode = mode2kernel(mode);
-	switch (mode)
-	{
-		case MODE_TUNNEL:
-			sa->flags |= XFRM_STATE_AF_UNSPEC;
-			break;
-		case MODE_BEET:
-			if(src_ts && dst_ts)
-			{
-				sa->sel = ts2selector(src_ts, dst_ts);
-			}
-			break;
-		default:
-			break;
-	}
-
-	sa->replay_window = (protocol == IPPROTO_COMP) ? 0 : 32;
-	sa->reqid = reqid;
-	sa->lft.soft_byte_limit = XFRM_LIMIT(lifetime->bytes.rekey);
-	sa->lft.hard_byte_limit = XFRM_LIMIT(lifetime->bytes.life);
-	sa->lft.soft_packet_limit = XFRM_LIMIT(lifetime->packets.rekey);
-	sa->lft.hard_packet_limit = XFRM_LIMIT(lifetime->packets.life);
-	/* we use lifetimes since added, not since used */
-	sa->lft.soft_add_expires_seconds = lifetime->time.rekey;
-	sa->lft.hard_add_expires_seconds = lifetime->time.life;
-	sa->lft.soft_use_expires_seconds = 0;
-	sa->lft.hard_use_expires_seconds = 0;
-
-	struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_usersa_info);
-
-	switch (enc_alg)
-	{
-		case ENCR_UNDEFINED:
-			/* no encryption */
-			break;
-		case ENCR_AES_CCM_ICV16:
-		case ENCR_AES_GCM_ICV16:
-		case ENCR_CAMELLIA_CCM_ICV16:
-			icv_size += 32;
-			/* FALL */
-		case ENCR_AES_CCM_ICV12:
-		case ENCR_AES_GCM_ICV12:
-		case ENCR_CAMELLIA_CCM_ICV12:
-			icv_size += 32;
-			/* FALL */
-		case ENCR_AES_CCM_ICV8:
-		case ENCR_AES_GCM_ICV8:
-		case ENCR_CAMELLIA_CCM_ICV8:
-		{
-			struct xfrm_algo_aead *algo;
-
-			alg_name = lookup_algorithm(encryption_algs, enc_alg);
-			if (alg_name == NULL)
-			{
-				DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
-					 encryption_algorithm_names, enc_alg);
-				return FAILED;
-			}
-			DBG2(DBG_KNL, "  using encryption algorithm %N with key size %d",
-				 encryption_algorithm_names, enc_alg, enc_key.len * 8);
-
-			rthdr->rta_type = XFRMA_ALG_AEAD;
-			rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo_aead) + enc_key.len);
-			hdr->nlmsg_len += rthdr->rta_len;
-			if (hdr->nlmsg_len > sizeof(request))
-			{
-				return FAILED;
-			}
-
-			algo = (struct xfrm_algo_aead*)RTA_DATA(rthdr);
-			algo->alg_key_len = enc_key.len * 8;
-			algo->alg_icv_len = icv_size;
-			strcpy(algo->alg_name, alg_name);
-			memcpy(algo->alg_key, enc_key.ptr, enc_key.len);
-
-			rthdr = XFRM_RTA_NEXT(rthdr);
-			break;
-		}
-		default:
-		{
-			struct xfrm_algo *algo;
-
-			alg_name = lookup_algorithm(encryption_algs, enc_alg);
-			if (alg_name == NULL)
-			{
-				DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
-					 encryption_algorithm_names, enc_alg);
-				return FAILED;
-			}
-			DBG2(DBG_KNL, "  using encryption algorithm %N with key size %d",
-				 encryption_algorithm_names, enc_alg, enc_key.len * 8);
-
-			rthdr->rta_type = XFRMA_ALG_CRYPT;
-			rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + enc_key.len);
-			hdr->nlmsg_len += rthdr->rta_len;
-			if (hdr->nlmsg_len > sizeof(request))
-			{
-				return FAILED;
-			}
-
-			algo = (struct xfrm_algo*)RTA_DATA(rthdr);
-			algo->alg_key_len = enc_key.len * 8;
-			strcpy(algo->alg_name, alg_name);
-			memcpy(algo->alg_key, enc_key.ptr, enc_key.len);
-
-			rthdr = XFRM_RTA_NEXT(rthdr);
-		}
-	}
-
-	if (int_alg  != AUTH_UNDEFINED)
-	{
-		alg_name = lookup_algorithm(integrity_algs, int_alg);
-		if (alg_name == NULL)
-		{
-			DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
-				 integrity_algorithm_names, int_alg);
-			return FAILED;
-		}
-		DBG2(DBG_KNL, "  using integrity algorithm %N with key size %d",
-			 integrity_algorithm_names, int_alg, int_key.len * 8);
-
-		if (int_alg == AUTH_HMAC_SHA2_256_128)
-		{
-			struct xfrm_algo_auth* algo;
-
-			/* the kernel uses SHA256 with 96 bit truncation by default,
-			 * use specified truncation size supported by newer kernels */
-			rthdr->rta_type = XFRMA_ALG_AUTH_TRUNC;
-			rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo_auth) + int_key.len);
-
-			hdr->nlmsg_len += rthdr->rta_len;
-			if (hdr->nlmsg_len > sizeof(request))
-			{
-				return FAILED;
-			}
-
-			algo = (struct xfrm_algo_auth*)RTA_DATA(rthdr);
-			algo->alg_key_len = int_key.len * 8;
-			algo->alg_trunc_len = 128;
-			strcpy(algo->alg_name, alg_name);
-			memcpy(algo->alg_key, int_key.ptr, int_key.len);
-		}
-		else
-		{
-			struct xfrm_algo* algo;
-
-			rthdr->rta_type = XFRMA_ALG_AUTH;
-			rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + int_key.len);
-
-			hdr->nlmsg_len += rthdr->rta_len;
-			if (hdr->nlmsg_len > sizeof(request))
-			{
-				return FAILED;
-			}
-
-			algo = (struct xfrm_algo*)RTA_DATA(rthdr);
-			algo->alg_key_len = int_key.len * 8;
-			strcpy(algo->alg_name, alg_name);
-			memcpy(algo->alg_key, int_key.ptr, int_key.len);
-		}
-		rthdr = XFRM_RTA_NEXT(rthdr);
-	}
-
-	if (ipcomp != IPCOMP_NONE)
-	{
-		rthdr->rta_type = XFRMA_ALG_COMP;
-		alg_name = lookup_algorithm(compression_algs, ipcomp);
-		if (alg_name == NULL)
-		{
-			DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
-				 ipcomp_transform_names, ipcomp);
-			return FAILED;
-		}
-		DBG2(DBG_KNL, "  using compression algorithm %N",
-			 ipcomp_transform_names, ipcomp);
-
-		rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo));
-		hdr->nlmsg_len += rthdr->rta_len;
-		if (hdr->nlmsg_len > sizeof(request))
-		{
-			return FAILED;
-		}
-
-		struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
-		algo->alg_key_len = 0;
-		strcpy(algo->alg_name, alg_name);
-
-		rthdr = XFRM_RTA_NEXT(rthdr);
-	}
-
-	if (encap)
-	{
-		rthdr->rta_type = XFRMA_ENCAP;
-		rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_encap_tmpl));
-
-		hdr->nlmsg_len += rthdr->rta_len;
-		if (hdr->nlmsg_len > sizeof(request))
-		{
-			return FAILED;
-		}
-
-		struct xfrm_encap_tmpl* tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rthdr);
-		tmpl->encap_type = UDP_ENCAP_ESPINUDP;
-		tmpl->encap_sport = htons(src->get_port(src));
-		tmpl->encap_dport = htons(dst->get_port(dst));
-		memset(&tmpl->encap_oa, 0, sizeof (xfrm_address_t));
-		/* encap_oa could probably be derived from the
-		 * traffic selectors [rfc4306, p39]. In the netlink kernel implementation
-		 * pluto does the same as we do here but it uses encap_oa in the
-		 * pfkey implementation. BUT as /usr/src/linux/net/key/af_key.c indicates
-		 * the kernel ignores it anyway
-		 *   -> does that mean that NAT-T encap doesn't work in transport mode?
-		 * No. The reason the kernel ignores NAT-OA is that it recomputes
-		 * (or, rather, just ignores) the checksum. If packets pass
-		 * the IPsec checks it marks them "checksum ok" so OA isn't needed. */
-		rthdr = XFRM_RTA_NEXT(rthdr);
-	}
-
-	if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
-	{
-		DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x", ntohl(spi));
-		return FAILED;
-	}
-	return SUCCESS;
-}
-
-/**
- * Get the replay state (i.e. sequence numbers) of an SA.
- */
-static status_t get_replay_state(private_kernel_netlink_ipsec_t *this,
-						  u_int32_t spi, protocol_id_t protocol, host_t *dst,
-						  struct xfrm_replay_state *replay)
-{
-	netlink_buf_t request;
-	struct nlmsghdr *hdr, *out = NULL;
-	struct xfrm_aevent_id *out_aevent = NULL, *aevent_id;
-	size_t len;
-	struct rtattr *rta;
-	size_t rtasize;
-
-	memset(&request, 0, sizeof(request));
-
-	DBG2(DBG_KNL, "querying replay state from SAD entry with SPI %.8x", ntohl(spi));
-
-	hdr = (struct nlmsghdr*)request;
-	hdr->nlmsg_flags = NLM_F_REQUEST;
-	hdr->nlmsg_type = XFRM_MSG_GETAE;
-	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_aevent_id));
-
-	aevent_id = (struct xfrm_aevent_id*)NLMSG_DATA(hdr);
-	aevent_id->flags = XFRM_AE_RVAL;
-
-	host2xfrm(dst, &aevent_id->sa_id.daddr);
-	aevent_id->sa_id.spi = spi;
-	aevent_id->sa_id.proto = proto_ike2kernel(protocol);
-	aevent_id->sa_id.family = dst->get_family(dst);
-
-	if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
-	{
-		hdr = out;
-		while (NLMSG_OK(hdr, len))
-		{
-			switch (hdr->nlmsg_type)
-			{
-				case XFRM_MSG_NEWAE:
-				{
-					out_aevent = NLMSG_DATA(hdr);
-					break;
-				}
-				case NLMSG_ERROR:
-				{
-					struct nlmsgerr *err = NLMSG_DATA(hdr);
-					DBG1(DBG_KNL, "querying replay state from SAD entry failed: %s (%d)",
-						 strerror(-err->error), -err->error);
-					break;
-				}
-				default:
-					hdr = NLMSG_NEXT(hdr, len);
-					continue;
-				case NLMSG_DONE:
-					break;
-			}
-			break;
-		}
-	}
-
-	if (out_aevent == NULL)
-	{
-		DBG1(DBG_KNL, "unable to query replay state from SAD entry with SPI %.8x",
-					  ntohl(spi));
-		free(out);
-		return FAILED;
-	}
-
-	rta = XFRM_RTA(out, struct xfrm_aevent_id);
-	rtasize = XFRM_PAYLOAD(out, struct xfrm_aevent_id);
-	while(RTA_OK(rta, rtasize))
-	{
-		if (rta->rta_type == XFRMA_REPLAY_VAL &&
-			RTA_PAYLOAD(rta) == sizeof(struct xfrm_replay_state))
-		{
-			memcpy(replay, RTA_DATA(rta), RTA_PAYLOAD(rta));
-			free(out);
-			return SUCCESS;
-		}
-		rta = RTA_NEXT(rta, rtasize);
-	}
-
-	DBG1(DBG_KNL, "unable to query replay state from SAD entry with SPI %.8x",
-				  ntohl(spi));
-	free(out);
-	return FAILED;
-}
-
-/**
- * Implementation of kernel_interface_t.query_sa.
- */
-static status_t query_sa(private_kernel_netlink_ipsec_t *this, host_t *src,
-						 host_t *dst, u_int32_t spi, protocol_id_t protocol,
-						 u_int64_t *bytes)
-{
-	netlink_buf_t request;
-	struct nlmsghdr *out = NULL, *hdr;
-	struct xfrm_usersa_id *sa_id;
-	struct xfrm_usersa_info *sa = NULL;
-	size_t len;
-
-	memset(&request, 0, sizeof(request));
-
-	DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi));
-
-	hdr = (struct nlmsghdr*)request;
-	hdr->nlmsg_flags = NLM_F_REQUEST;
-	hdr->nlmsg_type = XFRM_MSG_GETSA;
-	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
-
-	sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
-	host2xfrm(dst, &sa_id->daddr);
-	sa_id->spi = spi;
-	sa_id->proto = proto_ike2kernel(protocol);
-	sa_id->family = dst->get_family(dst);
-
-	if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
-	{
-		hdr = out;
-		while (NLMSG_OK(hdr, len))
-		{
-			switch (hdr->nlmsg_type)
-			{
-				case XFRM_MSG_NEWSA:
-				{
-					sa = (struct xfrm_usersa_info*)NLMSG_DATA(hdr);
-					break;
-				}
-				case NLMSG_ERROR:
-				{
-					struct nlmsgerr *err = NLMSG_DATA(hdr);
-					DBG1(DBG_KNL, "querying SAD entry with SPI %.8x failed: %s (%d)",
-						 ntohl(spi), strerror(-err->error), -err->error);
-					break;
-				}
-				default:
-					hdr = NLMSG_NEXT(hdr, len);
-					continue;
-				case NLMSG_DONE:
-					break;
-			}
-			break;
-		}
-	}
-
-	if (sa == NULL)
-	{
-		DBG2(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi));
-		free(out);
-		return FAILED;
-	}
-	*bytes = sa->curlft.bytes;
-
-	free(out);
-	return SUCCESS;
-}
-/**
- * Implementation of kernel_interface_t.del_sa.
- */
-static status_t del_sa(private_kernel_netlink_ipsec_t *this, host_t *src,
-					   host_t *dst, u_int32_t spi, protocol_id_t protocol,
-					   u_int16_t cpi)
-{
-	netlink_buf_t request;
-	struct nlmsghdr *hdr;
-	struct xfrm_usersa_id *sa_id;
-
-	/* if IPComp was used, we first delete the additional IPComp SA */
-	if (cpi)
-	{
-		del_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, 0);
-	}
-
-	memset(&request, 0, sizeof(request));
-
-	DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x", ntohl(spi));
-
-	hdr = (struct nlmsghdr*)request;
-	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
-	hdr->nlmsg_type = XFRM_MSG_DELSA;
-	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
-
-	sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
-	host2xfrm(dst, &sa_id->daddr);
-	sa_id->spi = spi;
-	sa_id->proto = proto_ike2kernel(protocol);
-	sa_id->family = dst->get_family(dst);
-
-	if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
-	{
-		DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x", ntohl(spi));
-		return FAILED;
-	}
-	DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x", ntohl(spi));
-	return SUCCESS;
-}
-
-/**
- * Implementation of kernel_interface_t.update_sa.
- */
-static status_t update_sa(private_kernel_netlink_ipsec_t *this,
-						  u_int32_t spi, protocol_id_t protocol, u_int16_t cpi,
-						  host_t *src, host_t *dst,
-						  host_t *new_src, host_t *new_dst,
-						  bool old_encap, bool new_encap)
-{
-	netlink_buf_t request;
-	u_char *pos;
-	struct nlmsghdr *hdr, *out = NULL;
-	struct xfrm_usersa_id *sa_id;
-	struct xfrm_usersa_info *out_sa = NULL, *sa;
-	size_t len;
-	struct rtattr *rta;
-	size_t rtasize;
-	struct xfrm_encap_tmpl* tmpl = NULL;
-	bool got_replay_state = FALSE;
-	struct xfrm_replay_state replay;
-
-	/* if IPComp is used, we first update the IPComp SA */
-	if (cpi)
-	{
-		update_sa(this, htonl(ntohs(cpi)), IPPROTO_COMP, 0,
-				  src, dst, new_src, new_dst, FALSE, FALSE);
-	}
-
-	memset(&request, 0, sizeof(request));
-
-	DBG2(DBG_KNL, "querying SAD entry with SPI %.8x for update", ntohl(spi));
-
-	/* query the existing SA first */
-	hdr = (struct nlmsghdr*)request;
-	hdr->nlmsg_flags = NLM_F_REQUEST;
-	hdr->nlmsg_type = XFRM_MSG_GETSA;
-	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
-
-	sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
-	host2xfrm(dst, &sa_id->daddr);
-	sa_id->spi = spi;
-	sa_id->proto = proto_ike2kernel(protocol);
-	sa_id->family = dst->get_family(dst);
-
-	if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
-	{
-		hdr = out;
-		while (NLMSG_OK(hdr, len))
-		{
-			switch (hdr->nlmsg_type)
-			{
-				case XFRM_MSG_NEWSA:
-				{
-					out_sa = NLMSG_DATA(hdr);
-					break;
-				}
-				case NLMSG_ERROR:
-				{
-					struct nlmsgerr *err = NLMSG_DATA(hdr);
-					DBG1(DBG_KNL, "querying SAD entry failed: %s (%d)",
-						 strerror(-err->error), -err->error);
-					break;
-				}
-				default:
-					hdr = NLMSG_NEXT(hdr, len);
-					continue;
-				case NLMSG_DONE:
-					break;
-			}
-			break;
-		}
-	}
-	if (out_sa == NULL)
-	{
-		DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi));
-		free(out);
-		return FAILED;
-	}
-
-	/* try to get the replay state */
-	if (get_replay_state(this, spi, protocol, dst, &replay) == SUCCESS)
-	{
-		got_replay_state = TRUE;
-	}
-
-	/* delete the old SA (without affecting the IPComp SA) */
-	if (del_sa(this, src, dst, spi, protocol, 0) != SUCCESS)
-	{
-		DBG1(DBG_KNL, "unable to delete old SAD entry with SPI %.8x", ntohl(spi));
-		free(out);
-		return FAILED;
-	}
-
-	DBG2(DBG_KNL, "updating SAD entry with SPI %.8x from %#H..%#H to %#H..%#H",
-		 ntohl(spi), src, dst, new_src, new_dst);
-	/* copy over the SA from out to request */
-	hdr = (struct nlmsghdr*)request;
-	memcpy(hdr, out, min(out->nlmsg_len, sizeof(request)));
-	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
-	hdr->nlmsg_type = XFRM_MSG_NEWSA;
-	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
-	sa = NLMSG_DATA(hdr);
-	sa->family = new_dst->get_family(new_dst);
-
-	if (!src->ip_equals(src, new_src))
-	{
-		host2xfrm(new_src, &sa->saddr);
-	}
-	if (!dst->ip_equals(dst, new_dst))
-	{
-		host2xfrm(new_dst, &sa->id.daddr);
-	}
-
-	rta = XFRM_RTA(out, struct xfrm_usersa_info);
-	rtasize = XFRM_PAYLOAD(out, struct xfrm_usersa_info);
-	pos = (u_char*)XFRM_RTA(hdr, struct xfrm_usersa_info);
-	while(RTA_OK(rta, rtasize))
-	{
-		/* copy all attributes, but not XFRMA_ENCAP if we are disabling it */
-		if (rta->rta_type != XFRMA_ENCAP || new_encap)
-		{
-			if (rta->rta_type == XFRMA_ENCAP)
-			{	/* update encap tmpl */
-				tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rta);
-				tmpl->encap_sport = ntohs(new_src->get_port(new_src));
-				tmpl->encap_dport = ntohs(new_dst->get_port(new_dst));
-			}
-			memcpy(pos, rta, rta->rta_len);
-			pos += RTA_ALIGN(rta->rta_len);
-			hdr->nlmsg_len += RTA_ALIGN(rta->rta_len);
-		}
-		rta = RTA_NEXT(rta, rtasize);
-	}
-
-	rta = (struct rtattr*)pos;
-	if (tmpl == NULL && new_encap)
-	{	/* add tmpl if we are enabling it */
-		rta->rta_type = XFRMA_ENCAP;
-		rta->rta_len = RTA_LENGTH(sizeof(struct xfrm_encap_tmpl));
-
-		hdr->nlmsg_len += rta->rta_len;
-		if (hdr->nlmsg_len > sizeof(request))
-		{
-			return FAILED;
-		}
-
-		tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rta);
-		tmpl->encap_type = UDP_ENCAP_ESPINUDP;
-		tmpl->encap_sport = ntohs(new_src->get_port(new_src));
-		tmpl->encap_dport = ntohs(new_dst->get_port(new_dst));
-		memset(&tmpl->encap_oa, 0, sizeof (xfrm_address_t));
-
-		rta = XFRM_RTA_NEXT(rta);
-	}
-
-	if (got_replay_state)
-	{	/* copy the replay data if available */
-		rta->rta_type = XFRMA_REPLAY_VAL;
-		rta->rta_len = RTA_LENGTH(sizeof(struct xfrm_replay_state));
-
-		hdr->nlmsg_len += rta->rta_len;
-		if (hdr->nlmsg_len > sizeof(request))
-		{
-			return FAILED;
-		}
-		memcpy(RTA_DATA(rta), &replay, sizeof(replay));
-
-		rta = XFRM_RTA_NEXT(rta);
-	}
-
-	if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
-	{
-		DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi));
-		free(out);
-		return FAILED;
-	}
-	free(out);
-
-	return SUCCESS;
-}
-
-/**
- * Implementation of kernel_interface_t.add_policy.
- */
-static status_t add_policy(private_kernel_netlink_ipsec_t *this,
-						   host_t *src, host_t *dst,
-						   traffic_selector_t *src_ts,
-						   traffic_selector_t *dst_ts,
-						   policy_dir_t direction, u_int32_t spi,
-						   protocol_id_t protocol, u_int32_t reqid,
-						   ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
-						   bool routed)
-{
-	policy_entry_t *current, *policy;
-	bool found = FALSE;
-	netlink_buf_t request;
-	struct xfrm_userpolicy_info *policy_info;
-	struct nlmsghdr *hdr;
-
-	/* create a policy */
-	policy = malloc_thing(policy_entry_t);
-	memset(policy, 0, sizeof(policy_entry_t));
-	policy->sel = ts2selector(src_ts, dst_ts);
-	policy->direction = direction;
-
-	/* find the policy, which matches EXACTLY */
-	this->mutex->lock(this->mutex);
-	current = this->policies->get(this->policies, policy);
-	if (current)
-	{
-		/* use existing policy */
-		current->refcount++;
-		DBG2(DBG_KNL, "policy %R === %R %N already exists, increasing "
-					  "refcount", src_ts, dst_ts,
-					   policy_dir_names, direction);
-		free(policy);
-		policy = current;
-		found = TRUE;
-	}
-	else
-	{	/* apply the new one, if we have no such policy */
-		this->policies->put(this->policies, policy, policy);
-		policy->refcount = 1;
-	}
-
-	DBG2(DBG_KNL, "adding policy %R === %R %N", src_ts, dst_ts,
-				   policy_dir_names, direction);
-
-	memset(&request, 0, sizeof(request));
-	hdr = (struct nlmsghdr*)request;
-	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
-	hdr->nlmsg_type = found ? XFRM_MSG_UPDPOLICY : XFRM_MSG_NEWPOLICY;
-	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_info));
-
-	policy_info = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr);
-	policy_info->sel = policy->sel;
-	policy_info->dir = policy->direction;
-	/* calculate priority based on source selector size, small size = high prio */
-	policy_info->priority = routed ? PRIO_LOW : PRIO_HIGH;
-	policy_info->priority -= policy->sel.prefixlen_s * 10;
-	policy_info->priority -= policy->sel.proto ? 2 : 0;
-	policy_info->priority -= policy->sel.sport_mask ? 1 : 0;
-	policy_info->action = XFRM_POLICY_ALLOW;
-	policy_info->share = XFRM_SHARE_ANY;
-	this->mutex->unlock(this->mutex);
-
-	/* policies don't expire */
-	policy_info->lft.soft_byte_limit = XFRM_INF;
-	policy_info->lft.soft_packet_limit = XFRM_INF;
-	policy_info->lft.hard_byte_limit = XFRM_INF;
-	policy_info->lft.hard_packet_limit = XFRM_INF;
-	policy_info->lft.soft_add_expires_seconds = 0;
-	policy_info->lft.hard_add_expires_seconds = 0;
-	policy_info->lft.soft_use_expires_seconds = 0;
-	policy_info->lft.hard_use_expires_seconds = 0;
-
-	struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_userpolicy_info);
-	rthdr->rta_type = XFRMA_TMPL;
-	rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_user_tmpl));
-
-	hdr->nlmsg_len += rthdr->rta_len;
-	if (hdr->nlmsg_len > sizeof(request))
-	{
-		return FAILED;
-	}
-
-	struct xfrm_user_tmpl *tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rthdr);
-
-	if (ipcomp != IPCOMP_NONE)
-	{
-		tmpl->reqid = reqid;
-		tmpl->id.proto = IPPROTO_COMP;
-		tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
-		tmpl->mode = mode2kernel(mode);
-		tmpl->optional = direction != POLICY_OUT;
-		tmpl->family = src->get_family(src);
-
-		host2xfrm(src, &tmpl->saddr);
-		host2xfrm(dst, &tmpl->id.daddr);
-
-		/* add an additional xfrm_user_tmpl */
-		rthdr->rta_len += RTA_LENGTH(sizeof(struct xfrm_user_tmpl));
-		hdr->nlmsg_len += RTA_LENGTH(sizeof(struct xfrm_user_tmpl));
-		if (hdr->nlmsg_len > sizeof(request))
-		{
-			return FAILED;
-		}
-
-		tmpl++;
-
-		/* use transport mode for ESP if we have a tunnel mode IPcomp SA */
-		mode = MODE_TRANSPORT;
-	}
-	else
-	{
-		/* when using IPcomp, only the IPcomp SA uses tmp src/dst addresses */
-		host2xfrm(src, &tmpl->saddr);
-		host2xfrm(dst, &tmpl->id.daddr);
-	}
-
-	tmpl->reqid = reqid;
-	tmpl->id.proto = proto_ike2kernel(protocol);
-	tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
-	tmpl->mode = mode2kernel(mode);
-	tmpl->family = src->get_family(src);
-
-	if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
-	{
-		DBG1(DBG_KNL, "unable to add policy %R === %R %N", src_ts, dst_ts,
-					   policy_dir_names, direction);
-		return FAILED;
-	}
-
-	/* install a route, if:
-	 * - we are NOT updating a policy
-	 * - this is a forward policy (to just get one for each child)
-	 * - we are in tunnel/BEET mode
-	 * - routing is not disabled via strongswan.conf
-	 */
-	if (policy->route == NULL && direction == POLICY_FWD &&
-		mode != MODE_TRANSPORT && this->install_routes)
-	{
-		route_entry_t *route = malloc_thing(route_entry_t);
-
-		if (charon->kernel_interface->get_address_by_ts(charon->kernel_interface,
-				dst_ts, &route->src_ip) == SUCCESS)
-		{
-			/* get the nexthop to src (src as we are in POLICY_FWD).*/
-			route->gateway = charon->kernel_interface->get_nexthop(
-												charon->kernel_interface, src);
-			/* install route via outgoing interface */
-			route->if_name = charon->kernel_interface->get_interface(
-												charon->kernel_interface, dst);
-			route->dst_net = chunk_alloc(policy->sel.family == AF_INET ? 4 : 16);
-			memcpy(route->dst_net.ptr, &policy->sel.saddr, route->dst_net.len);
-			route->prefixlen = policy->sel.prefixlen_s;
-
-			if (route->if_name)
-			{
-				switch (charon->kernel_interface->add_route(
-									charon->kernel_interface, route->dst_net,
-									route->prefixlen, route->gateway,
-									route->src_ip, route->if_name))
-				{
-					default:
-						DBG1(DBG_KNL, "unable to install source route for %H",
-							 route->src_ip);
-						/* FALL */
-					case ALREADY_DONE:
-						/* route exists, do not uninstall */
-						route_entry_destroy(route);
-						break;
-					case SUCCESS:
-						/* cache the installed route */
-						policy->route = route;
-						break;
-				}
-			}
-			else
-			{
-				route_entry_destroy(route);
-			}
-		}
-		else
-		{
-			free(route);
-		}
-	}
-	return SUCCESS;
-}
-
-/**
- * Implementation of kernel_interface_t.query_policy.
- */
-static status_t query_policy(private_kernel_netlink_ipsec_t *this,
-							 traffic_selector_t *src_ts,
-							 traffic_selector_t *dst_ts,
-							 policy_dir_t direction, u_int32_t *use_time)
-{
-	netlink_buf_t request;
-	struct nlmsghdr *out = NULL, *hdr;
-	struct xfrm_userpolicy_id *policy_id;
-	struct xfrm_userpolicy_info *policy = NULL;
-	size_t len;
-
-	memset(&request, 0, sizeof(request));
-
-	DBG2(DBG_KNL, "querying policy %R === %R %N", src_ts, dst_ts,
-				   policy_dir_names, direction);
-
-	hdr = (struct nlmsghdr*)request;
-	hdr->nlmsg_flags = NLM_F_REQUEST;
-	hdr->nlmsg_type = XFRM_MSG_GETPOLICY;
-	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
-
-	policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
-	policy_id->sel = ts2selector(src_ts, dst_ts);
-	policy_id->dir = direction;
-
-	if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
-	{
-		hdr = out;
-		while (NLMSG_OK(hdr, len))
-		{
-			switch (hdr->nlmsg_type)
-			{
-				case XFRM_MSG_NEWPOLICY:
-				{
-					policy = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr);
-					break;
-				}
-				case NLMSG_ERROR:
-				{
-					struct nlmsgerr *err = NLMSG_DATA(hdr);
-					DBG1(DBG_KNL, "querying policy failed: %s (%d)",
-						 strerror(-err->error), -err->error);
-					break;
-				}
-				default:
-					hdr = NLMSG_NEXT(hdr, len);
-					continue;
-				case NLMSG_DONE:
-					break;
-			}
-			break;
-		}
-	}
-
-	if (policy == NULL)
-	{
-		DBG2(DBG_KNL, "unable to query policy %R === %R %N", src_ts, dst_ts,
-					   policy_dir_names, direction);
-		free(out);
-		return FAILED;
-	}
-
-	if (policy->curlft.use_time)
-	{
-		/* we need the monotonic time, but the kernel returns system time. */
-		*use_time = time_monotonic(NULL) - (time(NULL) - policy->curlft.use_time);
-	}
-	else
-	{
-		*use_time = 0;
-	}
-
-	free(out);
-	return SUCCESS;
-}
-
-/**
- * Implementation of kernel_interface_t.del_policy.
- */
-static status_t del_policy(private_kernel_netlink_ipsec_t *this,
-						   traffic_selector_t *src_ts,
-						   traffic_selector_t *dst_ts,
-						   policy_dir_t direction, bool unrouted)
-{
-	policy_entry_t *current, policy, *to_delete = NULL;
-	route_entry_t *route;
-	netlink_buf_t request;
-	struct nlmsghdr *hdr;
-	struct xfrm_userpolicy_id *policy_id;
-
-	DBG2(DBG_KNL, "deleting policy %R === %R %N", src_ts, dst_ts,
-				   policy_dir_names, direction);
-
-	/* create a policy */
-	memset(&policy, 0, sizeof(policy_entry_t));
-	policy.sel = ts2selector(src_ts, dst_ts);
-	policy.direction = direction;
-
-	/* find the policy */
-	this->mutex->lock(this->mutex);
-	current = this->policies->get(this->policies, &policy);
-	if (current)
-	{
-		to_delete = current;
-		if (--to_delete->refcount > 0)
-		{
-			/* is used by more SAs, keep in kernel */
-			DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed");
-			this->mutex->unlock(this->mutex);
-			return SUCCESS;
-		}
-		/* remove if last reference */
-		this->policies->remove(this->policies, to_delete);
-	}
-	this->mutex->unlock(this->mutex);
-	if (!to_delete)
-	{
-		DBG1(DBG_KNL, "deleting policy %R === %R %N failed, not found", src_ts,
-					   dst_ts, policy_dir_names, direction);
-		return NOT_FOUND;
-	}
-
-	memset(&request, 0, sizeof(request));
-
-	hdr = (struct nlmsghdr*)request;
-	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
-	hdr->nlmsg_type = XFRM_MSG_DELPOLICY;
-	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
-
-	policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
-	policy_id->sel = to_delete->sel;
-	policy_id->dir = direction;
-
-	route = to_delete->route;
-	free(to_delete);
-
-	if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
-	{
-		DBG1(DBG_KNL, "unable to delete policy %R === %R %N", src_ts, dst_ts,
-					   policy_dir_names, direction);
-		return FAILED;
-	}
-
-	if (route)
-	{
-		if (charon->kernel_interface->del_route(charon->kernel_interface,
-				route->dst_net, route->prefixlen, route->gateway,
-				route->src_ip, route->if_name) != SUCCESS)
-		{
-			DBG1(DBG_KNL, "error uninstalling route installed with "
-						  "policy %R === %R %N", src_ts, dst_ts,
-						   policy_dir_names, direction);
-		}
-		route_entry_destroy(route);
-	}
-	return SUCCESS;
-}
-
-/**
- * Implementation of kernel_interface_t.destroy.
- */
-static void destroy(private_kernel_netlink_ipsec_t *this)
-{
-	enumerator_t *enumerator;
-	policy_entry_t *policy;
-
-	this->job->cancel(this->job);
-	close(this->socket_xfrm_events);
-	this->socket_xfrm->destroy(this->socket_xfrm);
-	enumerator = this->policies->create_enumerator(this->policies);
-	while (enumerator->enumerate(enumerator, &policy, &policy))
-	{
-		free(policy);
-	}
-	enumerator->destroy(enumerator);
-	this->policies->destroy(this->policies);
-	this->mutex->destroy(this->mutex);
-	free(this);
-}
-
-/**
- * Add bypass policies for IKE on the sockets used by charon
- */
-static bool add_bypass_policies()
-{
-	int fd, family, port;
-	enumerator_t *sockets;
-	bool status = TRUE;
-
-	sockets = charon->socket->create_enumerator(charon->socket);
-	while (sockets->enumerate(sockets, &fd, &family, &port))
-	{
-		struct xfrm_userpolicy_info policy;
-		u_int sol, ipsec_policy;
-
-		switch (family)
-		{
-			case AF_INET:
-				sol = SOL_IP;
-				ipsec_policy = IP_XFRM_POLICY;
-				break;
-			case AF_INET6:
-				sol = SOL_IPV6;
-				ipsec_policy = IPV6_XFRM_POLICY;
-				break;
-			default:
-				continue;
-		}
-
-		memset(&policy, 0, sizeof(policy));
-		policy.action = XFRM_POLICY_ALLOW;
-		policy.sel.family = family;
-
-		policy.dir = XFRM_POLICY_OUT;
-		if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
-		{
-			DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
-				 strerror(errno));
-			status = FALSE;
-			break;
-		}
-		policy.dir = XFRM_POLICY_IN;
-		if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
-		{
-			DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
-				 strerror(errno));
-			status = FALSE;
-			break;
-		}
-	}
-	sockets->destroy(sockets);
-	return status;
-}
-
-/*
- * Described in header.
- */
-kernel_netlink_ipsec_t *kernel_netlink_ipsec_create()
-{
-	private_kernel_netlink_ipsec_t *this = malloc_thing(private_kernel_netlink_ipsec_t);
-	struct sockaddr_nl addr;
-	int fd;
-
-	/* public functions */
-	this->public.interface.get_spi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,protocol_id_t,u_int32_t,u_int32_t*))get_spi;
-	this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
-	this->public.interface.add_sa  = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,lifetime_cfg_t*,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool,traffic_selector_t*,traffic_selector_t*))add_sa;
-	this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa;
-	this->public.interface.query_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int64_t*))query_sa;
-	this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
-	this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t,protocol_id_t,u_int32_t,ipsec_mode_t,u_int16_t,u_int16_t,bool))add_policy;
-	this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
-	this->public.interface.del_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,bool))del_policy;
-	this->public.interface.destroy = (void(*)(kernel_ipsec_t*)) destroy;
-
-	/* private members */
-	this->policies = hashtable_create((hashtable_hash_t)policy_hash,
-									  (hashtable_equals_t)policy_equals, 32);
-	this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
-	this->install_routes = lib->settings->get_bool(lib->settings,
-					"charon.install_routes", TRUE);
-
-	/* disable lifetimes for allocated SPIs in kernel */
-	fd = open("/proc/sys/net/core/xfrm_acq_expires", O_WRONLY);
-	if (fd)
-	{
-		ignore_result(write(fd, "165", 3));
-		close(fd);
-	}
-
-	this->socket_xfrm = netlink_socket_create(NETLINK_XFRM);
-
-	memset(&addr, 0, sizeof(addr));
-	addr.nl_family = AF_NETLINK;
-
-	/* create and bind XFRM socket for ACQUIRE, EXPIRE, MIGRATE & MAPPING */
-	this->socket_xfrm_events = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);
-	if (this->socket_xfrm_events <= 0)
-	{
-		charon->kill(charon, "unable to create XFRM event socket");
-	}
-	addr.nl_groups = XFRMNLGRP(ACQUIRE) | XFRMNLGRP(EXPIRE) |
-					 XFRMNLGRP(MIGRATE) | XFRMNLGRP(MAPPING);
-	if (bind(this->socket_xfrm_events, (struct sockaddr*)&addr, sizeof(addr)))
-	{
-		charon->kill(charon, "unable to bind XFRM event socket");
-	}
-
-	/* add bypass policies on the sockets used by charon */
-	if (!add_bypass_policies())
-	{
-		charon->kill(charon, "unable to add bypass policies on sockets");
-	}
-
-	this->job = callback_job_create((callback_job_cb_t)receive_events,
-									this, NULL, NULL);
-	charon->processor->queue_job(charon->processor, (job_t*)this->job);
-
-	return &this->public;
-}
diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.h b/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.h
deleted file mode 100644
index 3a45cce06..000000000
--- a/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.h
+++ /dev/null
@@ -1,46 +0,0 @@
-/*
- * Copyright (C) 2008 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup kernel_netlink_ipsec_i kernel_netlink_ipsec
- * @{ @ingroup kernel_netlink
- */
-
-#ifndef KERNEL_NETLINK_IPSEC_H_
-#define KERNEL_NETLINK_IPSEC_H_
-
-#include <kernel/kernel_ipsec.h>
-
-typedef struct kernel_netlink_ipsec_t kernel_netlink_ipsec_t;
-
-/**
- * Implementation of the kernel ipsec interface using Netlink.
- */
-struct kernel_netlink_ipsec_t {
-
-	/**
-	 * Implements kernel_ipsec_t interface
-	 */
-	kernel_ipsec_t interface;
-};
-
-/**
- * Create a netlink kernel ipsec interface instance.
- *
- * @return			kernel_netlink_ipsec_t instance
- */
-kernel_netlink_ipsec_t *kernel_netlink_ipsec_create();
-
-#endif /** KERNEL_NETLINK_IPSEC_H_ @}*/
diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_net.c b/src/charon/plugins/kernel_netlink/kernel_netlink_net.c
deleted file mode 100644
index 4a9fdf69a..000000000
--- a/src/charon/plugins/kernel_netlink/kernel_netlink_net.c
+++ /dev/null
@@ -1,1424 +0,0 @@
-/*
- * Copyright (C) 2008 Tobias Brunner
- * Copyright (C) 2005-2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <sys/socket.h>
-#include <linux/netlink.h>
-#include <linux/rtnetlink.h>
-#include <unistd.h>
-#include <errno.h>
-#include <net/if.h>
-
-#include "kernel_netlink_net.h"
-#include "kernel_netlink_shared.h"
-
-#include <daemon.h>
-#include <threading/thread.h>
-#include <threading/condvar.h>
-#include <threading/mutex.h>
-#include <utils/linked_list.h>
-#include <processing/jobs/callback_job.h>
-#include <processing/jobs/roam_job.h>
-
-/** delay before firing roam jobs (ms) */
-#define ROAM_DELAY 100
-
-typedef struct addr_entry_t addr_entry_t;
-
-/**
- * IP address in an inface_entry_t
- */
-struct addr_entry_t {
-
-	/** The ip address */
-	host_t *ip;
-
-	/** virtual IP managed by us */
-	bool virtual;
-
-	/** scope of the address */
-	u_char scope;
-
-	/** Number of times this IP is used, if virtual */
-	u_int refcount;
-};
-
-/**
- * destroy a addr_entry_t object
- */
-static void addr_entry_destroy(addr_entry_t *this)
-{
-	this->ip->destroy(this->ip);
-	free(this);
-}
-
-typedef struct iface_entry_t iface_entry_t;
-
-/**
- * A network interface on this system, containing addr_entry_t's
- */
-struct iface_entry_t {
-
-	/** interface index */
-	int ifindex;
-
-	/** name of the interface */
-	char ifname[IFNAMSIZ];
-
-	/** interface flags, as in netdevice(7) SIOCGIFFLAGS */
-	u_int flags;
-
-	/** list of addresses as host_t */
-	linked_list_t *addrs;
-};
-
-/**
- * destroy an interface entry
- */
-static void iface_entry_destroy(iface_entry_t *this)
-{
-	this->addrs->destroy_function(this->addrs, (void*)addr_entry_destroy);
-	free(this);
-}
-
-typedef struct private_kernel_netlink_net_t private_kernel_netlink_net_t;
-
-/**
- * Private variables and functions of kernel_netlink_net class.
- */
-struct private_kernel_netlink_net_t {
-	/**
-	 * Public part of the kernel_netlink_net_t object.
-	 */
-	kernel_netlink_net_t public;
-
-	/**
-	 * mutex to lock access to various lists
-	 */
-	mutex_t *mutex;
-
-	/**
-	 * condition variable to signal virtual IP add/removal
-	 */
-	condvar_t *condvar;
-
-	/**
-	 * Cached list of interfaces and its addresses (iface_entry_t)
-	 */
-	linked_list_t *ifaces;
-
-	/**
-	 * job receiving netlink events
-	 */
-	callback_job_t *job;
-
-	/**
-	 * netlink rt socket (routing)
-	 */
-	netlink_socket_t *socket;
-
-	/**
-	 * Netlink rt socket to receive address change events
-	 */
-	int socket_events;
-
-	/**
-	 * time of the last roam_job
-	 */
-	timeval_t last_roam;
-
-	/**
-	 * routing table to install routes
-	 */
-	int routing_table;
-
-	/**
-	 * priority of used routing table
-	 */
-	int routing_table_prio;
-
-	/**
-	 * whether to react to RTM_NEWROUTE or RTM_DELROUTE events
-	 */
-	bool process_route;
-
-	/**
-	 * whether to actually install virtual IPs
-	 */
-	bool install_virtual_ip;
-};
-
-/**
- * get the refcount of a virtual ip
- */
-static int get_vip_refcount(private_kernel_netlink_net_t *this, host_t* ip)
-{
-	iterator_t *ifaces, *addrs;
-	iface_entry_t *iface;
-	addr_entry_t *addr;
-	int refcount = 0;
-
-	ifaces = this->ifaces->create_iterator(this->ifaces, TRUE);
-	while (ifaces->iterate(ifaces, (void**)&iface))
-	{
-		addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
-		while (addrs->iterate(addrs, (void**)&addr))
-		{
-			if (addr->virtual && (iface->flags & IFF_UP) &&
-				ip->ip_equals(ip, addr->ip))
-			{
-				refcount = addr->refcount;
-				break;
-			}
-		}
-		addrs->destroy(addrs);
-		if (refcount)
-		{
-			break;
-		}
-	}
-	ifaces->destroy(ifaces);
-
-	return refcount;
-}
-
-/**
- * start a roaming job. We delay it for a second and fire only one job
- * for multiple events. Otherwise we would create two many jobs.
- */
-static void fire_roam_job(private_kernel_netlink_net_t *this, bool address)
-{
-	timeval_t now;
-
-	time_monotonic(&now);
-	if (timercmp(&now, &this->last_roam, >))
-	{
-		now.tv_usec += ROAM_DELAY * 1000;
-		while (now.tv_usec > 1000000)
-		{
-			now.tv_sec++;
-			now.tv_usec -= 1000000;
-		}
-		this->last_roam = now;
-		charon->scheduler->schedule_job_ms(charon->scheduler,
-				(job_t*)roam_job_create(address), ROAM_DELAY);
-	}
-}
-
-/**
- * process RTM_NEWLINK/RTM_DELLINK from kernel
- */
-static void process_link(private_kernel_netlink_net_t *this,
-						 struct nlmsghdr *hdr, bool event)
-{
-	struct ifinfomsg* msg = (struct ifinfomsg*)(NLMSG_DATA(hdr));
-	struct rtattr *rta = IFLA_RTA(msg);
-	size_t rtasize = IFLA_PAYLOAD (hdr);
-	enumerator_t *enumerator;
-	iface_entry_t *current, *entry = NULL;
-	char *name = NULL;
-	bool update = FALSE;
-
-	while(RTA_OK(rta, rtasize))
-	{
-		switch (rta->rta_type)
-		{
-			case IFLA_IFNAME:
-				name = RTA_DATA(rta);
-				break;
-		}
-		rta = RTA_NEXT(rta, rtasize);
-	}
-	if (!name)
-	{
-		name = "(unknown)";
-	}
-
-	this->mutex->lock(this->mutex);
-	switch (hdr->nlmsg_type)
-	{
-		case RTM_NEWLINK:
-		{
-			if (msg->ifi_flags & IFF_LOOPBACK)
-			{	/* ignore loopback interfaces */
-				break;
-			}
-			enumerator = this->ifaces->create_enumerator(this->ifaces);
-			while (enumerator->enumerate(enumerator, &current))
-			{
-				if (current->ifindex == msg->ifi_index)
-				{
-					entry = current;
-					break;
-				}
-			}
-			enumerator->destroy(enumerator);
-			if (!entry)
-			{
-				entry = malloc_thing(iface_entry_t);
-				entry->ifindex = msg->ifi_index;
-				entry->flags = 0;
-				entry->addrs = linked_list_create();
-				this->ifaces->insert_last(this->ifaces, entry);
-			}
-			memcpy(entry->ifname, name, IFNAMSIZ);
-			entry->ifname[IFNAMSIZ-1] = '\0';
-			if (event)
-			{
-				if (!(entry->flags & IFF_UP) && (msg->ifi_flags & IFF_UP))
-				{
-					update = TRUE;
-					DBG1(DBG_KNL, "interface %s activated", name);
-				}
-				if ((entry->flags & IFF_UP) && !(msg->ifi_flags & IFF_UP))
-				{
-					update = TRUE;
-					DBG1(DBG_KNL, "interface %s deactivated", name);
-				}
-			}
-			entry->flags = msg->ifi_flags;
-			break;
-		}
-		case RTM_DELLINK:
-		{
-			enumerator = this->ifaces->create_enumerator(this->ifaces);
-			while (enumerator->enumerate(enumerator, &current))
-			{
-				if (current->ifindex == msg->ifi_index)
-				{
-					/* we do not remove it, as an address may be added to a
-					 * "down" interface and we wan't to know that. */
-					current->flags = msg->ifi_flags;
-					break;
-				}
-			}
-			enumerator->destroy(enumerator);
-			break;
-		}
-	}
-	this->mutex->unlock(this->mutex);
-
-	/* send an update to all IKE_SAs */
-	if (update && event)
-	{
-		fire_roam_job(this, TRUE);
-	}
-}
-
-/**
- * process RTM_NEWADDR/RTM_DELADDR from kernel
- */
-static void process_addr(private_kernel_netlink_net_t *this,
-						 struct nlmsghdr *hdr, bool event)
-{
-	struct ifaddrmsg* msg = (struct ifaddrmsg*)(NLMSG_DATA(hdr));
-	struct rtattr *rta = IFA_RTA(msg);
-	size_t rtasize = IFA_PAYLOAD (hdr);
-	host_t *host = NULL;
-	enumerator_t *ifaces, *addrs;
-	iface_entry_t *iface;
-	addr_entry_t *addr;
-	chunk_t local = chunk_empty, address = chunk_empty;
-	bool update = FALSE, found = FALSE, changed = FALSE;
-
-	while(RTA_OK(rta, rtasize))
-	{
-		switch (rta->rta_type)
-		{
-			case IFA_LOCAL:
-				local.ptr = RTA_DATA(rta);
-				local.len = RTA_PAYLOAD(rta);
-				break;
-			case IFA_ADDRESS:
-				address.ptr = RTA_DATA(rta);
-				address.len = RTA_PAYLOAD(rta);
-				break;
-		}
-		rta = RTA_NEXT(rta, rtasize);
-	}
-
-	/* For PPP interfaces, we need the IFA_LOCAL address,
-	 * IFA_ADDRESS is the peers address. But IFA_LOCAL is
-	 * not included in all cases (IPv6?), so fallback to IFA_ADDRESS. */
-	if (local.ptr)
-	{
-		host = host_create_from_chunk(msg->ifa_family, local, 0);
-	}
-	else if (address.ptr)
-	{
-		host = host_create_from_chunk(msg->ifa_family, address, 0);
-	}
-
-	if (host == NULL)
-	{	/* bad family? */
-		return;
-	}
-
-	this->mutex->lock(this->mutex);
-	ifaces = this->ifaces->create_enumerator(this->ifaces);
-	while (ifaces->enumerate(ifaces, &iface))
-	{
-		if (iface->ifindex == msg->ifa_index)
-		{
-			addrs = iface->addrs->create_enumerator(iface->addrs);
-			while (addrs->enumerate(addrs, &addr))
-			{
-				if (host->ip_equals(host, addr->ip))
-				{
-					found = TRUE;
-					if (hdr->nlmsg_type == RTM_DELADDR)
-					{
-						iface->addrs->remove_at(iface->addrs, addrs);
-						if (!addr->virtual)
-						{
-							changed = TRUE;
-							DBG1(DBG_KNL, "%H disappeared from %s",
-								 host, iface->ifname);
-						}
-						addr_entry_destroy(addr);
-					}
-					else if (hdr->nlmsg_type == RTM_NEWADDR && addr->virtual)
-					{
-						addr->refcount = 1;
-					}
-				}
-			}
-			addrs->destroy(addrs);
-
-			if (hdr->nlmsg_type == RTM_NEWADDR)
-			{
-				if (!found)
-				{
-					found = TRUE;
-					changed = TRUE;
-					addr = malloc_thing(addr_entry_t);
-					addr->ip = host->clone(host);
-					addr->virtual = FALSE;
-					addr->refcount = 1;
-					addr->scope = msg->ifa_scope;
-
-					iface->addrs->insert_last(iface->addrs, addr);
-					if (event)
-					{
-						DBG1(DBG_KNL, "%H appeared on %s", host, iface->ifname);
-					}
-				}
-			}
-			if (found && (iface->flags & IFF_UP))
-			{
-				update = TRUE;
-			}
-			break;
-		}
-	}
-	ifaces->destroy(ifaces);
-	this->mutex->unlock(this->mutex);
-	host->destroy(host);
-
-	/* send an update to all IKE_SAs */
-	if (update && event && changed)
-	{
-		fire_roam_job(this, TRUE);
-	}
-}
-
-/**
- * process RTM_NEWROUTE and RTM_DELROUTE from kernel
- */
-static void process_route(private_kernel_netlink_net_t *this, struct nlmsghdr *hdr)
-{
-	struct rtmsg* msg = (struct rtmsg*)(NLMSG_DATA(hdr));
-	struct rtattr *rta = RTM_RTA(msg);
-	size_t rtasize = RTM_PAYLOAD(hdr);
-	host_t *host = NULL;
-
-	/* ignore routes added by us */
-	if (msg->rtm_table && msg->rtm_table == this->routing_table)
-	{
-		return;
-	}
-
-	while (RTA_OK(rta, rtasize))
-	{
-		switch (rta->rta_type)
-		{
-			case RTA_PREFSRC:
-				host = host_create_from_chunk(msg->rtm_family,
-							chunk_create(RTA_DATA(rta), RTA_PAYLOAD(rta)), 0);
-				break;
-		}
-		rta = RTA_NEXT(rta, rtasize);
-	}
-	if (host)
-	{
-		this->mutex->lock(this->mutex);
-		if (!get_vip_refcount(this, host))
-		{	/* ignore routes added for virtual IPs */
-			fire_roam_job(this, FALSE);
-		}
-		this->mutex->unlock(this->mutex);
-		host->destroy(host);
-	}
-}
-
-/**
- * Receives events from kernel
- */
-static job_requeue_t receive_events(private_kernel_netlink_net_t *this)
-{
-	char response[1024];
-	struct nlmsghdr *hdr = (struct nlmsghdr*)response;
-	struct sockaddr_nl addr;
-	socklen_t addr_len = sizeof(addr);
-	int len;
-	bool oldstate;
-
-	oldstate = thread_cancelability(TRUE);
-	len = recvfrom(this->socket_events, response, sizeof(response), 0,
-				   (struct sockaddr*)&addr, &addr_len);
-	thread_cancelability(oldstate);
-
-	if (len < 0)
-	{
-		switch (errno)
-		{
-			case EINTR:
-				/* interrupted, try again */
-				return JOB_REQUEUE_DIRECT;
-			case EAGAIN:
-				/* no data ready, select again */
-				return JOB_REQUEUE_DIRECT;
-			default:
-				DBG1(DBG_KNL, "unable to receive from rt event socket");
-				sleep(1);
-				return JOB_REQUEUE_FAIR;
-		}
-	}
-
-	if (addr.nl_pid != 0)
-	{	/* not from kernel. not interested, try another one */
-		return JOB_REQUEUE_DIRECT;
-	}
-
-	while (NLMSG_OK(hdr, len))
-	{
-		/* looks good so far, dispatch netlink message */
-		switch (hdr->nlmsg_type)
-		{
-			case RTM_NEWADDR:
-			case RTM_DELADDR:
-				process_addr(this, hdr, TRUE);
-				this->condvar->broadcast(this->condvar);
-				break;
-			case RTM_NEWLINK:
-			case RTM_DELLINK:
-				process_link(this, hdr, TRUE);
-				this->condvar->broadcast(this->condvar);
-				break;
-			case RTM_NEWROUTE:
-			case RTM_DELROUTE:
-				if (this->process_route)
-				{
-					process_route(this, hdr);
-				}
-				break;
-			default:
-				break;
-		}
-		hdr = NLMSG_NEXT(hdr, len);
-	}
-	return JOB_REQUEUE_DIRECT;
-}
-
-/** enumerator over addresses */
-typedef struct {
-	private_kernel_netlink_net_t* this;
-	/** whether to enumerate down interfaces */
-	bool include_down_ifaces;
-	/** whether to enumerate virtual ip addresses */
-	bool include_virtual_ips;
-} address_enumerator_t;
-
-/**
- * cleanup function for address enumerator
- */
-static void address_enumerator_destroy(address_enumerator_t *data)
-{
-	data->this->mutex->unlock(data->this->mutex);
-	free(data);
-}
-
-/**
- * filter for addresses
- */
-static bool filter_addresses(address_enumerator_t *data, addr_entry_t** in, host_t** out)
-{
-	if (!data->include_virtual_ips && (*in)->virtual)
-	{	/* skip virtual interfaces added by us */
-		return FALSE;
-	}
-	if ((*in)->scope >= RT_SCOPE_LINK)
-	{	/* skip addresses with a unusable scope */
-		return FALSE;
-	}
-	*out = (*in)->ip;
-	return TRUE;
-}
-
-/**
- * enumerator constructor for interfaces
- */
-static enumerator_t *create_iface_enumerator(iface_entry_t *iface, address_enumerator_t *data)
-{
-	return enumerator_create_filter(iface->addrs->create_enumerator(iface->addrs),
-				(void*)filter_addresses, data, NULL);
-}
-
-/**
- * filter for interfaces
- */
-static bool filter_interfaces(address_enumerator_t *data, iface_entry_t** in, iface_entry_t** out)
-{
-	if (!data->include_down_ifaces && !((*in)->flags & IFF_UP))
-	{	/* skip interfaces not up */
-		return FALSE;
-	}
-	*out = *in;
-	return TRUE;
-}
-
-/**
- * implementation of kernel_net_t.create_address_enumerator
- */
-static enumerator_t *create_address_enumerator(private_kernel_netlink_net_t *this,
-		bool include_down_ifaces, bool include_virtual_ips)
-{
-	address_enumerator_t *data = malloc_thing(address_enumerator_t);
-	data->this = this;
-	data->include_down_ifaces = include_down_ifaces;
-	data->include_virtual_ips = include_virtual_ips;
-
-	this->mutex->lock(this->mutex);
-	return enumerator_create_nested(
-				enumerator_create_filter(this->ifaces->create_enumerator(this->ifaces),
-							(void*)filter_interfaces, data, NULL),
-				(void*)create_iface_enumerator, data, (void*)address_enumerator_destroy);
-}
-
-/**
- * implementation of kernel_net_t.get_interface_name
- */
-static char *get_interface_name(private_kernel_netlink_net_t *this, host_t* ip)
-{
-	enumerator_t *ifaces, *addrs;
-	iface_entry_t *iface;
-	addr_entry_t *addr;
-	char *name = NULL;
-
-	DBG2(DBG_KNL, "getting interface name for %H", ip);
-
-	this->mutex->lock(this->mutex);
-	ifaces = this->ifaces->create_enumerator(this->ifaces);
-	while (ifaces->enumerate(ifaces, &iface))
-	{
-		addrs = iface->addrs->create_enumerator(iface->addrs);
-		while (addrs->enumerate(addrs, &addr))
-		{
-			if (ip->ip_equals(ip, addr->ip))
-			{
-				name = strdup(iface->ifname);
-				break;
-			}
-		}
-		addrs->destroy(addrs);
-		if (name)
-		{
-			break;
-		}
-	}
-	ifaces->destroy(ifaces);
-	this->mutex->unlock(this->mutex);
-
-	if (name)
-	{
-		DBG2(DBG_KNL, "%H is on interface %s", ip, name);
-	}
-	else
-	{
-		DBG2(DBG_KNL, "%H is not a local address", ip);
-	}
-	return name;
-}
-
-/**
- * get the index of an interface by name
- */
-static int get_interface_index(private_kernel_netlink_net_t *this, char* name)
-{
-	enumerator_t *ifaces;
-	iface_entry_t *iface;
-	int ifindex = 0;
-
-	DBG2(DBG_KNL, "getting iface index for %s", name);
-
-	this->mutex->lock(this->mutex);
-	ifaces = this->ifaces->create_enumerator(this->ifaces);
-	while (ifaces->enumerate(ifaces, &iface))
-	{
-		if (streq(name, iface->ifname))
-		{
-			ifindex = iface->ifindex;
-			break;
-		}
-	}
-	ifaces->destroy(ifaces);
-	this->mutex->unlock(this->mutex);
-
-	if (ifindex == 0)
-	{
-		DBG1(DBG_KNL, "unable to get interface index for %s", name);
-	}
-	return ifindex;
-}
-
-/**
- * Check if an interface with a given index is up
- */
-static bool is_interface_up(private_kernel_netlink_net_t *this, int index)
-{
-	enumerator_t *ifaces;
-	iface_entry_t *iface;
-	/* default to TRUE for interface we do not monitor (e.g. lo) */
-	bool up = TRUE;
-
-	ifaces = this->ifaces->create_enumerator(this->ifaces);
-	while (ifaces->enumerate(ifaces, &iface))
-	{
-		if (iface->ifindex == index)
-		{
-			up = iface->flags & IFF_UP;
-			break;
-		}
-	}
-	ifaces->destroy(ifaces);
-	return up;
-}
-
-/**
- * check if an address (chunk) addr is in subnet (net with net_len net bits)
- */
-static bool addr_in_subnet(chunk_t addr, chunk_t net, int net_len)
-{
-	static const u_char mask[] = { 0x00, 0x80, 0xc0, 0xe0, 0xf0, 0xf8, 0xfc, 0xfe };
-	int byte = 0;
-
-	if (net_len == 0)
-	{	/* any address matches a /0 network */
-		return TRUE;
-	}
-	if (addr.len != net.len || net_len > 8 * net.len )
-	{
-		return FALSE;
-	}
-	/* scan through all bytes in network order */
-	while (net_len > 0)
-	{
-		if (net_len < 8)
-		{
-			return (mask[net_len] & addr.ptr[byte]) == (mask[net_len] & net.ptr[byte]);
-		}
-		else
-		{
-			if (addr.ptr[byte] != net.ptr[byte])
-			{
-				return FALSE;
-			}
-			byte++;
-			net_len -= 8;
-		}
-	}
-	return TRUE;
-}
-
-/**
- * Get a route: If "nexthop", the nexthop is returned. source addr otherwise.
- */
-static host_t *get_route(private_kernel_netlink_net_t *this, host_t *dest,
-						 bool nexthop, host_t *candidate)
-{
-	netlink_buf_t request;
-	struct nlmsghdr *hdr, *out, *current;
-	struct rtmsg *msg;
-	chunk_t chunk;
-	size_t len;
-	int best = -1;
-	host_t *src = NULL, *gtw = NULL;
-
-	DBG2(DBG_KNL, "getting address to reach %H", dest);
-
-	memset(&request, 0, sizeof(request));
-
-	hdr = (struct nlmsghdr*)request;
-	hdr->nlmsg_flags = NLM_F_REQUEST;
-	if (dest->get_family(dest) == AF_INET)
-	{
-		/* We dump all addresses for IPv4, as we want to ignore IPsec specific
-		 * routes installed by us. But the kernel does not return source
-		 * addresses in a IPv6 dump, so fall back to get() for v6 routes. */
-		hdr->nlmsg_flags |= NLM_F_ROOT | NLM_F_DUMP;
-	}
-	hdr->nlmsg_type = RTM_GETROUTE;
-	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg));
-
-	msg = (struct rtmsg*)NLMSG_DATA(hdr);
-	msg->rtm_family = dest->get_family(dest);
-	if (candidate)
-	{
-		chunk = candidate->get_address(candidate);
-		netlink_add_attribute(hdr, RTA_PREFSRC, chunk, sizeof(request));
-	}
-	chunk = dest->get_address(dest);
-	netlink_add_attribute(hdr, RTA_DST, chunk, sizeof(request));
-
-	if (this->socket->send(this->socket, hdr, &out, &len) != SUCCESS)
-	{
-		DBG1(DBG_KNL, "getting address to %H failed", dest);
-		return NULL;
-	}
-	this->mutex->lock(this->mutex);
-
-	for (current = out; NLMSG_OK(current, len);
-		 current = NLMSG_NEXT(current, len))
-	{
-		switch (current->nlmsg_type)
-		{
-			case NLMSG_DONE:
-				break;
-			case RTM_NEWROUTE:
-			{
-				struct rtattr *rta;
-				size_t rtasize;
-				chunk_t rta_gtw, rta_src, rta_dst;
-				u_int32_t rta_oif = 0;
-				host_t *new_src, *new_gtw;
-
-				rta_gtw = rta_src = rta_dst = chunk_empty;
-				msg = (struct rtmsg*)(NLMSG_DATA(current));
-				rta = RTM_RTA(msg);
-				rtasize = RTM_PAYLOAD(current);
-				while (RTA_OK(rta, rtasize))
-				{
-					switch (rta->rta_type)
-					{
-						case RTA_PREFSRC:
-							rta_src = chunk_create(RTA_DATA(rta), RTA_PAYLOAD(rta));
-							break;
-						case RTA_GATEWAY:
-							rta_gtw = chunk_create(RTA_DATA(rta), RTA_PAYLOAD(rta));
-							break;
-						case RTA_DST:
-							rta_dst = chunk_create(RTA_DATA(rta), RTA_PAYLOAD(rta));
-							break;
-						case RTA_OIF:
-							if (RTA_PAYLOAD(rta) == sizeof(rta_oif))
-							{
-								rta_oif = *(u_int32_t*)RTA_DATA(rta);
-							}
-							break;
-					}
-					rta = RTA_NEXT(rta, rtasize);
-				}
-				if (msg->rtm_dst_len <= best)
-				{	/* not better than a previous one */
-					continue;
-				}
-				if (this->routing_table != 0 &&
-					msg->rtm_table == this->routing_table)
-				{	/* route is from our own ipsec routing table */
-					continue;
-				}
-				if (rta_oif && !is_interface_up(this, rta_oif))
-				{	/* interface is down */
-					continue;
-				}
-				if (!addr_in_subnet(chunk, rta_dst, msg->rtm_dst_len))
-				{	/* route destination does not contain dest */
-					continue;
-				}
-
-				if (nexthop)
-				{
-					/* nexthop lookup, return gateway if any */
-					DESTROY_IF(gtw);
-					gtw = host_create_from_chunk(msg->rtm_family, rta_gtw, 0);
-					best = msg->rtm_dst_len;
-					continue;
-				}
-				if (rta_src.ptr)
-				{
-					/* got a source address */
-					new_src = host_create_from_chunk(msg->rtm_family, rta_src, 0);
-					if (new_src)
-					{
-						if (get_vip_refcount(this, new_src))
-						{	/* skip source address if it is installed by us */
-							new_src->destroy(new_src);
-						}
-						else
-						{
-							DESTROY_IF(src);
-							src = new_src;
-							best = msg->rtm_dst_len;
-						}
-					}
-					continue;
-				}
-				if (rta_gtw.ptr)
-				{	/* no source, but a gateway. Lookup source to reach gtw. */
-					new_gtw = host_create_from_chunk(msg->rtm_family, rta_gtw, 0);
-					new_src = get_route(this, new_gtw, FALSE, candidate);
-					new_gtw->destroy(new_gtw);
-					if (new_src)
-					{
-						DESTROY_IF(src);
-						src = new_src;
-						best = msg->rtm_dst_len;
-					}
-					continue;
-				}
-				continue;
-			}
-			default:
-				continue;
-		}
-		break;
-	}
-	free(out);
-	this->mutex->unlock(this->mutex);
-
-	if (nexthop)
-	{
-		if (gtw)
-		{
-			return gtw;
-		}
-		return dest->clone(dest);
-	}
-	return src;
-}
-
-/**
- * Implementation of kernel_net_t.get_source_addr.
- */
-static host_t* get_source_addr(private_kernel_netlink_net_t *this,
-							   host_t *dest, host_t *src)
-{
-	return get_route(this, dest, FALSE, src);
-}
-
-/**
- * Implementation of kernel_net_t.get_nexthop.
- */
-static host_t* get_nexthop(private_kernel_netlink_net_t *this, host_t *dest)
-{
-	return get_route(this, dest, TRUE, NULL);
-}
-
-/**
- * Manages the creation and deletion of ip addresses on an interface.
- * By setting the appropriate nlmsg_type, the ip will be set or unset.
- */
-static status_t manage_ipaddr(private_kernel_netlink_net_t *this, int nlmsg_type,
-							  int flags, int if_index, host_t *ip)
-{
-	netlink_buf_t request;
-	struct nlmsghdr *hdr;
-	struct ifaddrmsg *msg;
-	chunk_t chunk;
-
-	memset(&request, 0, sizeof(request));
-
-	chunk = ip->get_address(ip);
-
-	hdr = (struct nlmsghdr*)request;
-	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags;
-	hdr->nlmsg_type = nlmsg_type;
-	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct ifaddrmsg));
-
-	msg = (struct ifaddrmsg*)NLMSG_DATA(hdr);
-	msg->ifa_family = ip->get_family(ip);
-	msg->ifa_flags = 0;
-	msg->ifa_prefixlen = 8 * chunk.len;
-	msg->ifa_scope = RT_SCOPE_UNIVERSE;
-	msg->ifa_index = if_index;
-
-	netlink_add_attribute(hdr, IFA_LOCAL, chunk, sizeof(request));
-
-	return this->socket->send_ack(this->socket, hdr);
-}
-
-/**
- * Implementation of kernel_net_t.add_ip.
- */
-static status_t add_ip(private_kernel_netlink_net_t *this,
-						host_t *virtual_ip, host_t *iface_ip)
-{
-	iface_entry_t *iface;
-	addr_entry_t *addr;
-	enumerator_t *addrs, *ifaces;
-	int ifindex;
-
-	if (!this->install_virtual_ip)
-	{	/* disabled by config */
-		return SUCCESS;
-	}
-
-	DBG2(DBG_KNL, "adding virtual IP %H", virtual_ip);
-
-	this->mutex->lock(this->mutex);
-	ifaces = this->ifaces->create_enumerator(this->ifaces);
-	while (ifaces->enumerate(ifaces, &iface))
-	{
-		bool iface_found = FALSE;
-
-		addrs = iface->addrs->create_enumerator(iface->addrs);
-		while (addrs->enumerate(addrs, &addr))
-		{
-			if (iface_ip->ip_equals(iface_ip, addr->ip))
-			{
-				iface_found = TRUE;
-			}
-			else if (virtual_ip->ip_equals(virtual_ip, addr->ip))
-			{
-				addr->refcount++;
-				DBG2(DBG_KNL, "virtual IP %H already installed on %s",
-					 virtual_ip, iface->ifname);
-				addrs->destroy(addrs);
-				ifaces->destroy(ifaces);
-				this->mutex->unlock(this->mutex);
-				return SUCCESS;
-			}
-		}
-		addrs->destroy(addrs);
-
-		if (iface_found)
-		{
-			ifindex = iface->ifindex;
-			addr = malloc_thing(addr_entry_t);
-			addr->ip = virtual_ip->clone(virtual_ip);
-			addr->refcount = 0;
-			addr->virtual = TRUE;
-			addr->scope = RT_SCOPE_UNIVERSE;
-			iface->addrs->insert_last(iface->addrs, addr);
-
-			if (manage_ipaddr(this, RTM_NEWADDR, NLM_F_CREATE | NLM_F_EXCL,
-							  ifindex, virtual_ip) == SUCCESS)
-			{
-				while (get_vip_refcount(this, virtual_ip) == 0)
-				{	/* wait until address appears */
-					this->condvar->wait(this->condvar, this->mutex);
-				}
-				ifaces->destroy(ifaces);
-				this->mutex->unlock(this->mutex);
-				return SUCCESS;
-			}
-			ifaces->destroy(ifaces);
-			this->mutex->unlock(this->mutex);
-			DBG1(DBG_KNL, "adding virtual IP %H failed", virtual_ip);
-			return FAILED;
-		}
-	}
-	ifaces->destroy(ifaces);
-	this->mutex->unlock(this->mutex);
-
-	DBG1(DBG_KNL, "interface address %H not found, unable to install"
-		 "virtual IP %H", iface_ip, virtual_ip);
-	return FAILED;
-}
-
-/**
- * Implementation of kernel_net_t.del_ip.
- */
-static status_t del_ip(private_kernel_netlink_net_t *this, host_t *virtual_ip)
-{
-	iface_entry_t *iface;
-	addr_entry_t *addr;
-	enumerator_t *addrs, *ifaces;
-	status_t status;
-	int ifindex;
-
-	if (!this->install_virtual_ip)
-	{	/* disabled by config */
-		return SUCCESS;
-	}
-
-	DBG2(DBG_KNL, "deleting virtual IP %H", virtual_ip);
-
-	this->mutex->lock(this->mutex);
-	ifaces = this->ifaces->create_enumerator(this->ifaces);
-	while (ifaces->enumerate(ifaces, &iface))
-	{
-		addrs = iface->addrs->create_enumerator(iface->addrs);
-		while (addrs->enumerate(addrs, &addr))
-		{
-			if (virtual_ip->ip_equals(virtual_ip, addr->ip))
-			{
-				ifindex = iface->ifindex;
-				if (addr->refcount == 1)
-				{
-					status = manage_ipaddr(this, RTM_DELADDR, 0,
-										   ifindex, virtual_ip);
-					if (status == SUCCESS)
-					{	/* wait until the address is really gone */
-						while (get_vip_refcount(this, virtual_ip) > 0)
-						{
-							this->condvar->wait(this->condvar, this->mutex);
-						}
-					}
-					addrs->destroy(addrs);
-					ifaces->destroy(ifaces);
-					this->mutex->unlock(this->mutex);
-					return status;
-				}
-				else
-				{
-					addr->refcount--;
-				}
-				DBG2(DBG_KNL, "virtual IP %H used by other SAs, not deleting",
-					 virtual_ip);
-				addrs->destroy(addrs);
-				ifaces->destroy(ifaces);
-				this->mutex->unlock(this->mutex);
-				return SUCCESS;
-			}
-		}
-		addrs->destroy(addrs);
-	}
-	ifaces->destroy(ifaces);
-	this->mutex->unlock(this->mutex);
-
-	DBG2(DBG_KNL, "virtual IP %H not cached, unable to delete", virtual_ip);
-	return FAILED;
-}
-
-/**
- * Manages source routes in the routing table.
- * By setting the appropriate nlmsg_type, the route gets added or removed.
- */
-static status_t manage_srcroute(private_kernel_netlink_net_t *this, int nlmsg_type,
-								int flags, chunk_t dst_net, u_int8_t prefixlen,
-								host_t *gateway, host_t *src_ip, char *if_name)
-{
-	netlink_buf_t request;
-	struct nlmsghdr *hdr;
-	struct rtmsg *msg;
-	int ifindex;
-	chunk_t chunk;
-
-	/* if route is 0.0.0.0/0, we can't install it, as it would
-	 * overwrite the default route. Instead, we add two routes:
-	 * 0.0.0.0/1 and 128.0.0.0/1 */
-	if (this->routing_table == 0 && prefixlen == 0)
-	{
-		chunk_t half_net;
-		u_int8_t half_prefixlen;
-		status_t status;
-
-		half_net = chunk_alloca(dst_net.len);
-		memset(half_net.ptr, 0, half_net.len);
-		half_prefixlen = 1;
-
-		status = manage_srcroute(this, nlmsg_type, flags, half_net, half_prefixlen,
-					gateway, src_ip, if_name);
-		half_net.ptr[0] |= 0x80;
-		status = manage_srcroute(this, nlmsg_type, flags, half_net, half_prefixlen,
-					gateway, src_ip, if_name);
-		return status;
-	}
-
-	memset(&request, 0, sizeof(request));
-
-	hdr = (struct nlmsghdr*)request;
-	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags;
-	hdr->nlmsg_type = nlmsg_type;
-	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg));
-
-	msg = (struct rtmsg*)NLMSG_DATA(hdr);
-	msg->rtm_family = src_ip->get_family(src_ip);
-	msg->rtm_dst_len = prefixlen;
-	msg->rtm_table = this->routing_table;
-	msg->rtm_protocol = RTPROT_STATIC;
-	msg->rtm_type = RTN_UNICAST;
-	msg->rtm_scope = RT_SCOPE_UNIVERSE;
-
-	netlink_add_attribute(hdr, RTA_DST, dst_net, sizeof(request));
-	chunk = src_ip->get_address(src_ip);
-	netlink_add_attribute(hdr, RTA_PREFSRC, chunk, sizeof(request));
-	if (gateway && gateway->get_family(gateway) == src_ip->get_family(src_ip))
-	{
-		chunk = gateway->get_address(gateway);
-		netlink_add_attribute(hdr, RTA_GATEWAY, chunk, sizeof(request));
-	}
-	ifindex = get_interface_index(this, if_name);
-	chunk.ptr = (char*)&ifindex;
-	chunk.len = sizeof(ifindex);
-	netlink_add_attribute(hdr, RTA_OIF, chunk, sizeof(request));
-
-	return this->socket->send_ack(this->socket, hdr);
-}
-
-/**
- * Implementation of kernel_net_t.add_route.
- */
-static status_t add_route(private_kernel_netlink_net_t *this, chunk_t dst_net,
-		u_int8_t prefixlen, host_t *gateway, host_t *src_ip, char *if_name)
-{
-	return manage_srcroute(this, RTM_NEWROUTE, NLM_F_CREATE | NLM_F_EXCL,
-				dst_net, prefixlen, gateway, src_ip, if_name);
-}
-
-/**
- * Implementation of kernel_net_t.del_route.
- */
-static status_t del_route(private_kernel_netlink_net_t *this, chunk_t dst_net,
-		u_int8_t prefixlen, host_t *gateway, host_t *src_ip, char *if_name)
-{
-	return manage_srcroute(this, RTM_DELROUTE, 0, dst_net, prefixlen,
-				gateway, src_ip, if_name);
-}
-
-/**
- * Initialize a list of local addresses.
- */
-static status_t init_address_list(private_kernel_netlink_net_t *this)
-{
-	netlink_buf_t request;
-	struct nlmsghdr *out, *current, *in;
-	struct rtgenmsg *msg;
-	size_t len;
-	enumerator_t *ifaces, *addrs;
-	iface_entry_t *iface;
-	addr_entry_t *addr;
-
-	DBG1(DBG_KNL, "listening on interfaces:");
-
-	memset(&request, 0, sizeof(request));
-
-	in = (struct nlmsghdr*)&request;
-	in->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtgenmsg));
-	in->nlmsg_flags = NLM_F_REQUEST | NLM_F_MATCH | NLM_F_ROOT;
-	msg = (struct rtgenmsg*)NLMSG_DATA(in);
-	msg->rtgen_family = AF_UNSPEC;
-
-	/* get all links */
-	in->nlmsg_type = RTM_GETLINK;
-	if (this->socket->send(this->socket, in, &out, &len) != SUCCESS)
-	{
-		return FAILED;
-	}
-	current = out;
-	while (NLMSG_OK(current, len))
-	{
-		switch (current->nlmsg_type)
-		{
-			case NLMSG_DONE:
-				break;
-			case RTM_NEWLINK:
-				process_link(this, current, FALSE);
-				/* fall through */
-			default:
-				current = NLMSG_NEXT(current, len);
-				continue;
-		}
-		break;
-	}
-	free(out);
-
-	/* get all interface addresses */
-	in->nlmsg_type = RTM_GETADDR;
-	if (this->socket->send(this->socket, in, &out, &len) != SUCCESS)
-	{
-		return FAILED;
-	}
-	current = out;
-	while (NLMSG_OK(current, len))
-	{
-		switch (current->nlmsg_type)
-		{
-			case NLMSG_DONE:
-				break;
-			case RTM_NEWADDR:
-				process_addr(this, current, FALSE);
-				/* fall through */
-			default:
-				current = NLMSG_NEXT(current, len);
-				continue;
-		}
-		break;
-	}
-	free(out);
-
-	this->mutex->lock(this->mutex);
-	ifaces = this->ifaces->create_enumerator(this->ifaces);
-	while (ifaces->enumerate(ifaces, &iface))
-	{
-		if (iface->flags & IFF_UP)
-		{
-			DBG1(DBG_KNL, "  %s", iface->ifname);
-			addrs = iface->addrs->create_enumerator(iface->addrs);
-			while (addrs->enumerate(addrs, (void**)&addr))
-			{
-				DBG1(DBG_KNL, "    %H", addr->ip);
-			}
-			addrs->destroy(addrs);
-		}
-	}
-	ifaces->destroy(ifaces);
-	this->mutex->unlock(this->mutex);
-	return SUCCESS;
-}
-
-/**
- * create or delete a rule to use our routing table
- */
-static status_t manage_rule(private_kernel_netlink_net_t *this, int nlmsg_type,
-							int family, u_int32_t table, u_int32_t prio)
-{
-	netlink_buf_t request;
-	struct nlmsghdr *hdr;
-	struct rtmsg *msg;
-	chunk_t chunk;
-
-	memset(&request, 0, sizeof(request));
-	hdr = (struct nlmsghdr*)request;
-	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
-	hdr->nlmsg_type = nlmsg_type;
-	if (nlmsg_type == RTM_NEWRULE)
-	{
-		hdr->nlmsg_flags |= NLM_F_CREATE | NLM_F_EXCL;
-	}
-	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg));
-
-	msg = (struct rtmsg*)NLMSG_DATA(hdr);
-	msg->rtm_table = table;
-	msg->rtm_family = family;
-	msg->rtm_protocol = RTPROT_BOOT;
-	msg->rtm_scope = RT_SCOPE_UNIVERSE;
-	msg->rtm_type = RTN_UNICAST;
-
-	chunk = chunk_from_thing(prio);
-	netlink_add_attribute(hdr, RTA_PRIORITY, chunk, sizeof(request));
-
-	return this->socket->send_ack(this->socket, hdr);
-}
-
-/**
- * Implementation of kernel_netlink_net_t.destroy.
- */
-static void destroy(private_kernel_netlink_net_t *this)
-{
-	if (this->routing_table)
-	{
-		manage_rule(this, RTM_DELRULE, AF_INET, this->routing_table,
-					this->routing_table_prio);
-		manage_rule(this, RTM_DELRULE, AF_INET6, this->routing_table,
-					this->routing_table_prio);
-	}
-
-	this->job->cancel(this->job);
-	close(this->socket_events);
-	this->socket->destroy(this->socket);
-	this->ifaces->destroy_function(this->ifaces, (void*)iface_entry_destroy);
-	this->condvar->destroy(this->condvar);
-	this->mutex->destroy(this->mutex);
-	free(this);
-}
-
-/*
- * Described in header.
- */
-kernel_netlink_net_t *kernel_netlink_net_create()
-{
-	private_kernel_netlink_net_t *this = malloc_thing(private_kernel_netlink_net_t);
-	struct sockaddr_nl addr;
-
-	/* public functions */
-	this->public.interface.get_interface = (char*(*)(kernel_net_t*,host_t*))get_interface_name;
-	this->public.interface.create_address_enumerator = (enumerator_t*(*)(kernel_net_t*,bool,bool))create_address_enumerator;
-	this->public.interface.get_source_addr = (host_t*(*)(kernel_net_t*, host_t *dest, host_t *src))get_source_addr;
-	this->public.interface.get_nexthop = (host_t*(*)(kernel_net_t*, host_t *dest))get_nexthop;
-	this->public.interface.add_ip = (status_t(*)(kernel_net_t*,host_t*,host_t*)) add_ip;
-	this->public.interface.del_ip = (status_t(*)(kernel_net_t*,host_t*)) del_ip;
-	this->public.interface.add_route = (status_t(*)(kernel_net_t*,chunk_t,u_int8_t,host_t*,host_t*,char*)) add_route;
-	this->public.interface.del_route = (status_t(*)(kernel_net_t*,chunk_t,u_int8_t,host_t*,host_t*,char*)) del_route;
-	this->public.interface.destroy = (void(*)(kernel_net_t*)) destroy;
-
-	/* private members */
-	this->ifaces = linked_list_create();
-	this->mutex = mutex_create(MUTEX_TYPE_RECURSIVE);
-	this->condvar = condvar_create(CONDVAR_TYPE_DEFAULT);
-	timerclear(&this->last_roam);
-	this->routing_table = lib->settings->get_int(lib->settings,
-					"charon.routing_table", ROUTING_TABLE);
-	this->routing_table_prio = lib->settings->get_int(lib->settings,
-					"charon.routing_table_prio", ROUTING_TABLE_PRIO);
-	this->process_route = lib->settings->get_bool(lib->settings,
-					"charon.process_route", TRUE);
-	this->install_virtual_ip = lib->settings->get_bool(lib->settings,
-					"charon.install_virtual_ip", TRUE);
-
-	this->socket = netlink_socket_create(NETLINK_ROUTE);
-
-	memset(&addr, 0, sizeof(addr));
-	addr.nl_family = AF_NETLINK;
-
-	/* create and bind RT socket for events (address/interface/route changes) */
-	this->socket_events = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
-	if (this->socket_events <= 0)
-	{
-		charon->kill(charon, "unable to create RT event socket");
-	}
-	addr.nl_groups = RTMGRP_IPV4_IFADDR | RTMGRP_IPV6_IFADDR |
-					 RTMGRP_IPV4_ROUTE | RTMGRP_IPV4_ROUTE | RTMGRP_LINK;
-	if (bind(this->socket_events, (struct sockaddr*)&addr, sizeof(addr)))
-	{
-		charon->kill(charon, "unable to bind RT event socket");
-	}
-
-	this->job = callback_job_create((callback_job_cb_t)receive_events,
-									this, NULL, NULL);
-	charon->processor->queue_job(charon->processor, (job_t*)this->job);
-
-	if (init_address_list(this) != SUCCESS)
-	{
-		charon->kill(charon, "unable to get interface list");
-	}
-
-	if (this->routing_table)
-	{
-		if (manage_rule(this, RTM_NEWRULE, AF_INET, this->routing_table,
-						this->routing_table_prio) != SUCCESS)
-		{
-			DBG1(DBG_KNL, "unable to create IPv4 routing table rule");
-		}
-		if (manage_rule(this, RTM_NEWRULE, AF_INET6, this->routing_table,
-						this->routing_table_prio) != SUCCESS)
-		{
-			DBG1(DBG_KNL, "unable to create IPv6 routing table rule");
-		}
-	}
-
-	return &this->public;
-}
diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_net.h b/src/charon/plugins/kernel_netlink/kernel_netlink_net.h
deleted file mode 100644
index ff9831d3c..000000000
--- a/src/charon/plugins/kernel_netlink/kernel_netlink_net.h
+++ /dev/null
@@ -1,46 +0,0 @@
-/*
- * Copyright (C) 2008 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup kernel_netlink_net_i kernel_netlink_net
- * @{ @ingroup kernel_netlink
- */
-
-#ifndef KERNEL_NETLINK_NET_H_
-#define KERNEL_NETLINK_NET_H_
-
-#include <kernel/kernel_net.h>
-
-typedef struct kernel_netlink_net_t kernel_netlink_net_t;
-
-/**
- * Implementation of the kernel network interface using Netlink.
- */
-struct kernel_netlink_net_t {
-
-	/**
-	 * Implements kernel_net_t interface
-	 */
-	kernel_net_t interface;
-};
-
-/**
- * Create a netlink kernel network interface instance.
- *
- * @return			kernel_netlink_net_t instance
- */
-kernel_netlink_net_t *kernel_netlink_net_create();
-
-#endif /** KERNEL_NETLINK_NET_H_ @}*/
diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_plugin.c b/src/charon/plugins/kernel_netlink/kernel_netlink_plugin.c
deleted file mode 100644
index cdf20f14a..000000000
--- a/src/charon/plugins/kernel_netlink/kernel_netlink_plugin.c
+++ /dev/null
@@ -1,59 +0,0 @@
-/*
- * Copyright (C) 2008 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-
-#include "kernel_netlink_plugin.h"
-
-#include "kernel_netlink_ipsec.h"
-#include "kernel_netlink_net.h"
-
-#include <daemon.h>
-
-typedef struct private_kernel_netlink_plugin_t private_kernel_netlink_plugin_t;
-
-/**
- * private data of kernel netlink plugin
- */
-struct private_kernel_netlink_plugin_t {
-	/**
-	 * implements plugin interface
-	 */
-	kernel_netlink_plugin_t public;
-};
-
-/**
- * Implementation of plugin_t.destroy
- */
-static void destroy(private_kernel_netlink_plugin_t *this)
-{
-	charon->kernel_interface->remove_ipsec_interface(charon->kernel_interface, (kernel_ipsec_constructor_t)kernel_netlink_ipsec_create);
-	charon->kernel_interface->remove_net_interface(charon->kernel_interface, (kernel_net_constructor_t)kernel_netlink_net_create);
-	free(this);
-}
-
-/*
- * see header file
- */
-plugin_t *plugin_create()
-{
-	private_kernel_netlink_plugin_t *this = malloc_thing(private_kernel_netlink_plugin_t);
-
-	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-
-	charon->kernel_interface->add_ipsec_interface(charon->kernel_interface, (kernel_ipsec_constructor_t)kernel_netlink_ipsec_create);
-	charon->kernel_interface->add_net_interface(charon->kernel_interface, (kernel_net_constructor_t)kernel_netlink_net_create);
-
-	return &this->public.plugin;
-}
diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_plugin.h b/src/charon/plugins/kernel_netlink/kernel_netlink_plugin.h
deleted file mode 100644
index ec6036b98..000000000
--- a/src/charon/plugins/kernel_netlink/kernel_netlink_plugin.h
+++ /dev/null
@@ -1,47 +0,0 @@
-/*
- * Copyright (C) 2008 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup kernel_netlink kernel_netlink
- * @ingroup cplugins
- *
- * @defgroup kernel_netlink_plugin kernel_netlink_plugin
- * @{ @ingroup kernel_netlink
- */
-
-#ifndef KERNEL_NETLINK_PLUGIN_H_
-#define KERNEL_NETLINK_PLUGIN_H_
-
-#include <plugins/plugin.h>
-
-typedef struct kernel_netlink_plugin_t kernel_netlink_plugin_t;
-
-/**
- * netlink kernel interface plugin
- */
-struct kernel_netlink_plugin_t {
-
-	/**
-	 * implements plugin interface
-	 */
-	plugin_t plugin;
-};
-
-/**
- * Create a kernel_netlink_plugin instance.
- */
-plugin_t *plugin_create();
-
-#endif /** KERNEL_NETLINK_PLUGIN_H_ @}*/
diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_shared.c b/src/charon/plugins/kernel_netlink/kernel_netlink_shared.c
deleted file mode 100644
index b96186a3a..000000000
--- a/src/charon/plugins/kernel_netlink/kernel_netlink_shared.c
+++ /dev/null
@@ -1,298 +0,0 @@
-/*
- * Copyright (C) 2008 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <sys/socket.h>
-#include <linux/netlink.h>
-#include <linux/rtnetlink.h>
-#include <errno.h>
-#include <unistd.h>
-
-#include "kernel_netlink_shared.h"
-
-#include <daemon.h>
-#include <threading/mutex.h>
-
-typedef struct private_netlink_socket_t private_netlink_socket_t;
-
-/**
- * Private variables and functions of netlink_socket_t class.
- */
-struct private_netlink_socket_t {
-	/**
-	 * public part of the netlink_socket_t object.
-	 */
-	netlink_socket_t public;
-
-	/**
-	 * mutex to lock access to netlink socket
-	 */
-	mutex_t *mutex;
-
-	/**
-	 * current sequence number for netlink request
-	 */
-	int seq;
-
-	/**
-	 * netlink socket protocol
-	 */
-	int protocol;
-
-	/**
-	 * netlink socket
-	 */
-	int socket;
-};
-
-/**
- * Imported from kernel_netlink_ipsec.c
- */
-extern enum_name_t *xfrm_msg_names;
-
-/**
- * Implementation of netlink_socket_t.send
- */
-static status_t netlink_send(private_netlink_socket_t *this, struct nlmsghdr *in,
-			  struct nlmsghdr **out, size_t *out_len)
-{
-	int len, addr_len;
-	struct sockaddr_nl addr;
-	chunk_t result = chunk_empty, tmp;
-	struct nlmsghdr *msg, peek;
-
-	this->mutex->lock(this->mutex);
-
-	in->nlmsg_seq = ++this->seq;
-	in->nlmsg_pid = getpid();
-
-	memset(&addr, 0, sizeof(addr));
-	addr.nl_family = AF_NETLINK;
-	addr.nl_pid = 0;
-	addr.nl_groups = 0;
-
-	if (this->protocol == NETLINK_XFRM)
-	{
-		chunk_t in_chunk = { (u_char*)in, in->nlmsg_len };
-
-		DBG3(DBG_KNL, "sending %N: %B", xfrm_msg_names, in->nlmsg_type, &in_chunk);
-	}
-
-	while (TRUE)
-	{
-		len = sendto(this->socket, in, in->nlmsg_len, 0,
-					 (struct sockaddr*)&addr, sizeof(addr));
-
-		if (len != in->nlmsg_len)
-		{
-			if (errno == EINTR)
-			{
-				/* interrupted, try again */
-				continue;
-			}
-			this->mutex->unlock(this->mutex);
-			DBG1(DBG_KNL, "error sending to netlink socket: %s", strerror(errno));
-			return FAILED;
-		}
-		break;
-	}
-
-	while (TRUE)
-	{
-		char buf[4096];
-		tmp.len = sizeof(buf);
-		tmp.ptr = buf;
-		msg = (struct nlmsghdr*)tmp.ptr;
-
-		memset(&addr, 0, sizeof(addr));
-		addr.nl_family = AF_NETLINK;
-		addr.nl_pid = getpid();
-		addr.nl_groups = 0;
-		addr_len = sizeof(addr);
-
-		len = recvfrom(this->socket, tmp.ptr, tmp.len, 0,
-					   (struct sockaddr*)&addr, &addr_len);
-
-		if (len < 0)
-		{
-			if (errno == EINTR)
-			{
-				DBG1(DBG_KNL, "got interrupted");
-				/* interrupted, try again */
-				continue;
-			}
-			DBG1(DBG_KNL, "error reading from netlink socket: %s", strerror(errno));
-			this->mutex->unlock(this->mutex);
-			free(result.ptr);
-			return FAILED;
-		}
-		if (!NLMSG_OK(msg, len))
-		{
-			DBG1(DBG_KNL, "received corrupted netlink message");
-			this->mutex->unlock(this->mutex);
-			free(result.ptr);
-			return FAILED;
-		}
-		if (msg->nlmsg_seq != this->seq)
-		{
-			DBG1(DBG_KNL, "received invalid netlink sequence number");
-			if (msg->nlmsg_seq < this->seq)
-			{
-				continue;
-			}
-			this->mutex->unlock(this->mutex);
-			free(result.ptr);
-			return FAILED;
-		}
-
-		tmp.len = len;
-		result.ptr = realloc(result.ptr, result.len + tmp.len);
-		memcpy(result.ptr + result.len, tmp.ptr, tmp.len);
-		result.len += tmp.len;
-
-		/* NLM_F_MULTI flag does not seem to be set correctly, we use sequence
-		 * numbers to detect multi header messages */
-		len = recvfrom(this->socket, &peek, sizeof(peek), MSG_PEEK | MSG_DONTWAIT,
-					   (struct sockaddr*)&addr, &addr_len);
-
-		if (len == sizeof(peek) && peek.nlmsg_seq == this->seq)
-		{
-			/* seems to be multipart */
-			continue;
-		}
-		break;
-	}
-
-	*out_len = result.len;
-	*out = (struct nlmsghdr*)result.ptr;
-
-	this->mutex->unlock(this->mutex);
-
-	return SUCCESS;
-}
-
-/**
- * Implementation of netlink_socket_t.send_ack.
- */
-static status_t netlink_send_ack(private_netlink_socket_t *this, struct nlmsghdr *in)
-{
-	struct nlmsghdr *out, *hdr;
-	size_t len;
-
-	if (netlink_send(this, in, &out, &len) != SUCCESS)
-	{
-		return FAILED;
-	}
-	hdr = out;
-	while (NLMSG_OK(hdr, len))
-	{
-		switch (hdr->nlmsg_type)
-		{
-			case NLMSG_ERROR:
-			{
-				struct nlmsgerr* err = (struct nlmsgerr*)NLMSG_DATA(hdr);
-
-				if (err->error)
-				{
-					if (-err->error == EEXIST)
-					{	/* do not report existing routes */
-						free(out);
-						return ALREADY_DONE;
-					}
-					DBG1(DBG_KNL, "received netlink error: %s (%d)",
-						 strerror(-err->error), -err->error);
-					free(out);
-					return FAILED;
-				}
-				free(out);
-				return SUCCESS;
-			}
-			default:
-				hdr = NLMSG_NEXT(hdr, len);
-				continue;
-			case NLMSG_DONE:
-				break;
-		}
-		break;
-	}
-	DBG1(DBG_KNL, "netlink request not acknowledged");
-	free(out);
-	return FAILED;
-}
-
-/**
- * Implementation of netlink_socket_t.destroy.
- */
-static void destroy(private_netlink_socket_t *this)
-{
-	close(this->socket);
-	this->mutex->destroy(this->mutex);
-	free(this);
-}
-
-/**
- * Described in header.
- */
-netlink_socket_t *netlink_socket_create(int protocol) {
-	private_netlink_socket_t *this = malloc_thing(private_netlink_socket_t);
-	struct sockaddr_nl addr;
-
-	/* public functions */
-	this->public.send = (status_t(*)(netlink_socket_t*,struct nlmsghdr*, struct nlmsghdr**, size_t*))netlink_send;
-	this->public.send_ack = (status_t(*)(netlink_socket_t*,struct nlmsghdr*))netlink_send_ack;
-	this->public.destroy = (void(*)(netlink_socket_t*))destroy;
-
-	/* private members */
-	this->seq = 200;
-	this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
-
-	memset(&addr, 0, sizeof(addr));
-	addr.nl_family = AF_NETLINK;
-
-	this->protocol = protocol;
-	this->socket = socket(AF_NETLINK, SOCK_RAW, protocol);
-	if (this->socket <= 0)
-	{
-		charon->kill(charon, "unable to create netlink socket");
-	}
-
-	addr.nl_groups = 0;
-	if (bind(this->socket, (struct sockaddr*)&addr, sizeof(addr)))
-	{
-		charon->kill(charon, "unable to bind netlink socket");
-	}
-
-	return &this->public;
-}
-
-/**
- * Described in header.
- */
-void netlink_add_attribute(struct nlmsghdr *hdr, int rta_type, chunk_t data,
-						  size_t buflen)
-{
-	struct rtattr *rta;
-
-	if (NLMSG_ALIGN(hdr->nlmsg_len) + RTA_ALIGN(data.len) > buflen)
-	{
-		DBG1(DBG_KNL, "unable to add attribute, buffer too small");
-		return;
-	}
-
-	rta = (struct rtattr*)(((char*)hdr) + NLMSG_ALIGN(hdr->nlmsg_len));
-	rta->rta_type = rta_type;
-	rta->rta_len = RTA_LENGTH(data.len);
-	memcpy(RTA_DATA(rta), data.ptr, data.len);
-	hdr->nlmsg_len = NLMSG_ALIGN(hdr->nlmsg_len) + rta->rta_len;
-}
diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_shared.h b/src/charon/plugins/kernel_netlink/kernel_netlink_shared.h
deleted file mode 100644
index dfd27a21a..000000000
--- a/src/charon/plugins/kernel_netlink/kernel_netlink_shared.h
+++ /dev/null
@@ -1,77 +0,0 @@
-/*
- * Copyright (C) 2008 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#ifndef KERNEL_NETLINK_SHARED_H_
-#define KERNEL_NETLINK_SHARED_H_
-
-#include <library.h>
-
-#include <linux/rtnetlink.h>
-
-/**
- * General purpose netlink buffer.
- *
- * 1024 byte is currently sufficient for all operations. Some platform
- * require an enforced aligment to four bytes (e.g. ARM).
- */
-typedef u_char netlink_buf_t[1024] __attribute__((aligned(RTA_ALIGNTO)));
-
-typedef struct netlink_socket_t netlink_socket_t;
-
-/**
- * Wrapper around a netlink socket.
- */
-struct netlink_socket_t {
-
-	/**
-	 * Send a netlink message and wait for a reply.
-	 *
-	 * @param	in		netlink message to send
-	 * @param	out 	received netlink message
-	 * @param	out_len	length of the received message
-	 */
-	status_t (*send)(netlink_socket_t *this, struct nlmsghdr *in, struct nlmsghdr **out, size_t *out_len);
-
-	/**
-	 * Send a netlink message and wait for its acknowledge.
-	 *
-	 * @param	in		netlink message to send
-	 */
-	status_t (*send_ack)(netlink_socket_t *this, struct nlmsghdr *in);
-
-	/**
-	 * Destroy the socket.
-	 */
-	void (*destroy)(netlink_socket_t *this);
-};
-
-/**
- * Create a netlink_socket_t object.
- *
- * @param	protocol	protocol type (e.g. NETLINK_XFRM or NETLINK_ROUTE)
- */
-netlink_socket_t *netlink_socket_create(int protocol);
-
-/**
- * Creates an rtattr and adds it to the given netlink message.
- *
- * @param	hdr			netlink message
- * @param	rta_type	type of the rtattr
- * @param	data		data to add to the rtattr
- * @param	buflen		length of the netlink message buffer
- */
-void netlink_add_attribute(struct nlmsghdr *hdr, int rta_type, chunk_t data, size_t buflen);
-
-#endif /* KERNEL_NETLINK_SHARED_H_ */
diff --git a/src/charon/plugins/kernel_pfkey/Makefile.am b/src/charon/plugins/kernel_pfkey/Makefile.am
deleted file mode 100644
index a72c6a999..000000000
--- a/src/charon/plugins/kernel_pfkey/Makefile.am
+++ /dev/null
@@ -1,10 +0,0 @@
-
-INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
-
-AM_CFLAGS = -rdynamic
-
-plugin_LTLIBRARIES = libstrongswan-kernel-pfkey.la
-
-libstrongswan_kernel_pfkey_la_SOURCES = kernel_pfkey_plugin.h kernel_pfkey_plugin.c \
-	kernel_pfkey_ipsec.h kernel_pfkey_ipsec.c
-libstrongswan_kernel_pfkey_la_LDFLAGS = -module -avoid-version
diff --git a/src/charon/plugins/kernel_pfkey/Makefile.in b/src/charon/plugins/kernel_pfkey/Makefile.in
deleted file mode 100644
index 8a0961a7d..000000000
--- a/src/charon/plugins/kernel_pfkey/Makefile.in
+++ /dev/null
@@ -1,572 +0,0 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
-# @configure_input@
-
-# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
-# This Makefile.in is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
-# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
-# PARTICULAR PURPOSE.
-
-@SET_MAKE@
-
-VPATH = @srcdir@
-pkgdatadir = $(datadir)/@PACKAGE@
-pkgincludedir = $(includedir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
-pkglibexecdir = $(libexecdir)/@PACKAGE@
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-install_sh_DATA = $(install_sh) -c -m 644
-install_sh_PROGRAM = $(install_sh) -c
-install_sh_SCRIPT = $(install_sh) -c
-INSTALL_HEADER = $(INSTALL_DATA)
-transform = $(program_transform_name)
-NORMAL_INSTALL = :
-PRE_INSTALL = :
-POST_INSTALL = :
-NORMAL_UNINSTALL = :
-PRE_UNINSTALL = :
-POST_UNINSTALL = :
-build_triplet = @build@
-host_triplet = @host@
-subdir = src/charon/plugins/kernel_pfkey
-DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
-ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
-	$(top_srcdir)/m4/config/ltoptions.m4 \
-	$(top_srcdir)/m4/config/ltsugar.m4 \
-	$(top_srcdir)/m4/config/ltversion.m4 \
-	$(top_srcdir)/m4/config/lt~obsolete.m4 \
-	$(top_srcdir)/m4/macros/with.m4 \
-	$(top_srcdir)/m4/macros/enable-disable.m4 \
-	$(top_srcdir)/configure.in
-am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
-	$(ACLOCAL_M4)
-mkinstalldirs = $(install_sh) -d
-CONFIG_CLEAN_FILES =
-CONFIG_CLEAN_VPATH_FILES =
-am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
-am__vpath_adj = case $$p in \
-    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
-    *) f=$$p;; \
-  esac;
-am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
-am__install_max = 40
-am__nobase_strip_setup = \
-  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
-am__nobase_strip = \
-  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
-am__nobase_list = $(am__nobase_strip_setup); \
-  for p in $$list; do echo "$$p $$p"; done | \
-  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
-  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
-    if (++n[$$2] == $(am__install_max)) \
-      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
-    END { for (dir in files) print dir, files[dir] }'
-am__base_list = \
-  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
-  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
-am__installdirs = "$(DESTDIR)$(plugindir)"
-LTLIBRARIES = $(plugin_LTLIBRARIES)
-libstrongswan_kernel_pfkey_la_LIBADD =
-am_libstrongswan_kernel_pfkey_la_OBJECTS = kernel_pfkey_plugin.lo \
-	kernel_pfkey_ipsec.lo
-libstrongswan_kernel_pfkey_la_OBJECTS =  \
-	$(am_libstrongswan_kernel_pfkey_la_OBJECTS)
-libstrongswan_kernel_pfkey_la_LINK = $(LIBTOOL) --tag=CC \
-	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
-	$(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_kernel_pfkey_la_LDFLAGS) $(LDFLAGS) -o $@
-DEFAULT_INCLUDES = -I.@am__isrc@
-depcomp = $(SHELL) $(top_srcdir)/depcomp
-am__depfiles_maybe = depfiles
-am__mv = mv -f
-COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
-	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
-SOURCES = $(libstrongswan_kernel_pfkey_la_SOURCES)
-DIST_SOURCES = $(libstrongswan_kernel_pfkey_la_SOURCES)
-ETAGS = etags
-CTAGS = ctags
-DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
-ACLOCAL = @ACLOCAL@
-ALLOCA = @ALLOCA@
-AMTAR = @AMTAR@
-AR = @AR@
-AUTOCONF = @AUTOCONF@
-AUTOHEADER = @AUTOHEADER@
-AUTOMAKE = @AUTOMAKE@
-AWK = @AWK@
-BTLIB = @BTLIB@
-CC = @CC@
-CCDEPMODE = @CCDEPMODE@
-CFLAGS = @CFLAGS@
-CPP = @CPP@
-CPPFLAGS = @CPPFLAGS@
-CYGPATH_W = @CYGPATH_W@
-DEFS = @DEFS@
-DEPDIR = @DEPDIR@
-DLLIB = @DLLIB@
-DSYMUTIL = @DSYMUTIL@
-DUMPBIN = @DUMPBIN@
-ECHO_C = @ECHO_C@
-ECHO_N = @ECHO_N@
-ECHO_T = @ECHO_T@
-EGREP = @EGREP@
-EXEEXT = @EXEEXT@
-FGREP = @FGREP@
-GPERF = @GPERF@
-GREP = @GREP@
-INSTALL = @INSTALL@
-INSTALL_DATA = @INSTALL_DATA@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@
-INSTALL_SCRIPT = @INSTALL_SCRIPT@
-INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-LD = @LD@
-LDFLAGS = @LDFLAGS@
-LEX = @LEX@
-LEXLIB = @LEXLIB@
-LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBOBJS = @LIBOBJS@
-LIBS = @LIBS@
-LIBTOOL = @LIBTOOL@
-LIPO = @LIPO@
-LN_S = @LN_S@
-LTLIBOBJS = @LTLIBOBJS@
-MAKEINFO = @MAKEINFO@
-MKDIR_P = @MKDIR_P@
-MYSQLCFLAG = @MYSQLCFLAG@
-MYSQLCONFIG = @MYSQLCONFIG@
-MYSQLLIB = @MYSQLLIB@
-NM = @NM@
-NMEDIT = @NMEDIT@
-OBJDUMP = @OBJDUMP@
-OBJEXT = @OBJEXT@
-OTOOL = @OTOOL@
-OTOOL64 = @OTOOL64@
-PACKAGE = @PACKAGE@
-PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
-PACKAGE_NAME = @PACKAGE_NAME@
-PACKAGE_STRING = @PACKAGE_STRING@
-PACKAGE_TARNAME = @PACKAGE_TARNAME@
-PACKAGE_URL = @PACKAGE_URL@
-PACKAGE_VERSION = @PACKAGE_VERSION@
-PATH_SEPARATOR = @PATH_SEPARATOR@
-PERL = @PERL@
-PKG_CONFIG = @PKG_CONFIG@
-PTHREADLIB = @PTHREADLIB@
-RANLIB = @RANLIB@
-RTLIB = @RTLIB@
-RUBY = @RUBY@
-RUBYINCLUDE = @RUBYINCLUDE@
-SED = @SED@
-SET_MAKE = @SET_MAKE@
-SHELL = @SHELL@
-SOCKLIB = @SOCKLIB@
-STRIP = @STRIP@
-VERSION = @VERSION@
-YACC = @YACC@
-YFLAGS = @YFLAGS@
-abs_builddir = @abs_builddir@
-abs_srcdir = @abs_srcdir@
-abs_top_builddir = @abs_top_builddir@
-abs_top_srcdir = @abs_top_srcdir@
-ac_ct_CC = @ac_ct_CC@
-ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
-am__include = @am__include@
-am__leading_dot = @am__leading_dot@
-am__quote = @am__quote@
-am__tar = @am__tar@
-am__untar = @am__untar@
-bindir = @bindir@
-build = @build@
-build_alias = @build_alias@
-build_cpu = @build_cpu@
-build_os = @build_os@
-build_vendor = @build_vendor@
-builddir = @builddir@
-datadir = @datadir@
-datarootdir = @datarootdir@
-default_pkcs11 = @default_pkcs11@
-docdir = @docdir@
-dvidir = @dvidir@
-exec_prefix = @exec_prefix@
-gtk_CFLAGS = @gtk_CFLAGS@
-gtk_LIBS = @gtk_LIBS@
-host = @host@
-host_alias = @host_alias@
-host_cpu = @host_cpu@
-host_os = @host_os@
-host_vendor = @host_vendor@
-htmldir = @htmldir@
-includedir = @includedir@
-infodir = @infodir@
-install_sh = @install_sh@
-ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
-ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
-ipsecuser = @ipsecuser@
-libdir = @libdir@
-libexecdir = @libexecdir@
-libstrongswan_plugins = @libstrongswan_plugins@
-linux_headers = @linux_headers@
-localedir = @localedir@
-localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
-mandir = @mandir@
-mkdir_p = @mkdir_p@
-nm_CFLAGS = @nm_CFLAGS@
-nm_LIBS = @nm_LIBS@
-nm_ca_dir = @nm_ca_dir@
-oldincludedir = @oldincludedir@
-pdfdir = @pdfdir@
-piddir = @piddir@
-plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
-prefix = @prefix@
-program_transform_name = @program_transform_name@
-psdir = @psdir@
-random_device = @random_device@
-resolv_conf = @resolv_conf@
-routing_table = @routing_table@
-routing_table_prio = @routing_table_prio@
-sbindir = @sbindir@
-sharedstatedir = @sharedstatedir@
-srcdir = @srcdir@
-strongswan_conf = @strongswan_conf@
-sysconfdir = @sysconfdir@
-target_alias = @target_alias@
-top_build_prefix = @top_build_prefix@
-top_builddir = @top_builddir@
-top_srcdir = @top_srcdir@
-urandom_device = @urandom_device@
-xml_CFLAGS = @xml_CFLAGS@
-xml_LIBS = @xml_LIBS@
-INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
-AM_CFLAGS = -rdynamic
-plugin_LTLIBRARIES = libstrongswan-kernel-pfkey.la
-libstrongswan_kernel_pfkey_la_SOURCES = kernel_pfkey_plugin.h kernel_pfkey_plugin.c \
-	kernel_pfkey_ipsec.h kernel_pfkey_ipsec.c
-
-libstrongswan_kernel_pfkey_la_LDFLAGS = -module -avoid-version
-all: all-am
-
-.SUFFIXES:
-.SUFFIXES: .c .lo .o .obj
-$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
-	@for dep in $?; do \
-	  case '$(am__configure_deps)' in \
-	    *$$dep*) \
-	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
-	        && { if test -f $@; then exit 0; else break; fi; }; \
-	      exit 1;; \
-	  esac; \
-	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/charon/plugins/kernel_pfkey/Makefile'; \
-	$(am__cd) $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu src/charon/plugins/kernel_pfkey/Makefile
-.PRECIOUS: Makefile
-Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
-	@case '$?' in \
-	  *config.status*) \
-	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
-	  *) \
-	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
-	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
-	esac;
-
-$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-
-$(top_srcdir)/configure:  $(am__configure_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(am__aclocal_m4_deps):
-install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
-	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
-	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
-	list2=; for p in $$list; do \
-	  if test -f $$p; then \
-	    list2="$$list2 $$p"; \
-	  else :; fi; \
-	done; \
-	test -z "$$list2" || { \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
-	}
-
-uninstall-pluginLTLIBRARIES:
-	@$(NORMAL_UNINSTALL)
-	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
-	for p in $$list; do \
-	  $(am__strip_dir) \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
-	done
-
-clean-pluginLTLIBRARIES:
-	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
-	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
-	  test "$$dir" != "$$p" || dir=.; \
-	  echo "rm -f \"$${dir}/so_locations\""; \
-	  rm -f "$${dir}/so_locations"; \
-	done
-libstrongswan-kernel-pfkey.la: $(libstrongswan_kernel_pfkey_la_OBJECTS) $(libstrongswan_kernel_pfkey_la_DEPENDENCIES) 
-	$(libstrongswan_kernel_pfkey_la_LINK) -rpath $(plugindir) $(libstrongswan_kernel_pfkey_la_OBJECTS) $(libstrongswan_kernel_pfkey_la_LIBADD) $(LIBS)
-
-mostlyclean-compile:
-	-rm -f *.$(OBJEXT)
-
-distclean-compile:
-	-rm -f *.tab.c
-
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_pfkey_ipsec.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_pfkey_plugin.Plo@am__quote@
-
-.c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
-
-.c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
-
-.c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
-
-mostlyclean-libtool:
-	-rm -f *.lo
-
-clean-libtool:
-	-rm -rf .libs _libs
-
-ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
-	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	mkid -fID $$unique
-tags: TAGS
-
-TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	set x; \
-	here=`pwd`; \
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	shift; \
-	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
-	  test -n "$$unique" || unique=$$empty_fix; \
-	  if test $$# -gt 0; then \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      "$$@" $$unique; \
-	  else \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      $$unique; \
-	  fi; \
-	fi
-ctags: CTAGS
-CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$unique" \
-	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$unique
-
-GTAGS:
-	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && $(am__cd) $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) "$$here"
-
-distclean-tags:
-	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
-
-distdir: $(DISTFILES)
-	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	list='$(DISTFILES)'; \
-	  dist_files=`for file in $$list; do echo $$file; done | \
-	  sed -e "s|^$$srcdirstrip/||;t" \
-	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
-	case $$dist_files in \
-	  */*) $(MKDIR_P) `echo "$$dist_files" | \
-			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
-			   sort -u` ;; \
-	esac; \
-	for file in $$dist_files; do \
-	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  if test -d $$d/$$file; then \
-	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
-	    if test -d "$(distdir)/$$file"; then \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
-	  else \
-	    test -f "$(distdir)/$$file" \
-	    || cp -p $$d/$$file "$(distdir)/$$file" \
-	    || exit 1; \
-	  fi; \
-	done
-check-am: all-am
-check: check-am
-all-am: Makefile $(LTLIBRARIES)
-installdirs:
-	for dir in "$(DESTDIR)$(plugindir)"; do \
-	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
-	done
-install: install-am
-install-exec: install-exec-am
-install-data: install-data-am
-uninstall: uninstall-am
-
-install-am: all-am
-	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
-
-installcheck: installcheck-am
-install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
-mostlyclean-generic:
-
-clean-generic:
-
-distclean-generic:
-	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
-
-maintainer-clean-generic:
-	@echo "This command is intended for maintainers to use"
-	@echo "it deletes files that may require special tools to rebuild."
-clean: clean-am
-
-clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
-	mostlyclean-am
-
-distclean: distclean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-distclean-am: clean-am distclean-compile distclean-generic \
-	distclean-tags
-
-dvi: dvi-am
-
-dvi-am:
-
-html: html-am
-
-html-am:
-
-info: info-am
-
-info-am:
-
-install-data-am: install-pluginLTLIBRARIES
-
-install-dvi: install-dvi-am
-
-install-dvi-am:
-
-install-exec-am:
-
-install-html: install-html-am
-
-install-html-am:
-
-install-info: install-info-am
-
-install-info-am:
-
-install-man:
-
-install-pdf: install-pdf-am
-
-install-pdf-am:
-
-install-ps: install-ps-am
-
-install-ps-am:
-
-installcheck-am:
-
-maintainer-clean: maintainer-clean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-maintainer-clean-am: distclean-am maintainer-clean-generic
-
-mostlyclean: mostlyclean-am
-
-mostlyclean-am: mostlyclean-compile mostlyclean-generic \
-	mostlyclean-libtool
-
-pdf: pdf-am
-
-pdf-am:
-
-ps: ps-am
-
-ps-am:
-
-uninstall-am: uninstall-pluginLTLIBRARIES
-
-.MAKE: install-am install-strip
-
-.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
-	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
-	distclean-compile distclean-generic distclean-libtool \
-	distclean-tags distdir dvi dvi-am html html-am info info-am \
-	install install-am install-data install-data-am install-dvi \
-	install-dvi-am install-exec install-exec-am install-html \
-	install-html-am install-info install-info-am install-man \
-	install-pdf install-pdf-am install-pluginLTLIBRARIES \
-	install-ps install-ps-am install-strip installcheck \
-	installcheck-am installdirs maintainer-clean \
-	maintainer-clean-generic mostlyclean mostlyclean-compile \
-	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
-
-
-# Tell versions [3.59,3.63) of GNU make to not export all variables.
-# Otherwise a system limit (for SysV at least) may be exceeded.
-.NOEXPORT:
diff --git a/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
deleted file mode 100644
index 9c50746ac..000000000
--- a/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
+++ /dev/null
@@ -1,2215 +0,0 @@
-/*
- * Copyright (C) 2008-2009 Tobias Brunner
- * Copyright (C) 2008 Andreas Steffen
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <sys/types.h>
-#include <sys/socket.h>
-
-#ifdef __FreeBSD__
-#include <limits.h> /* for LONG_MAX */
-#endif
-
-#ifdef HAVE_NET_PFKEYV2_H
-#include <net/pfkeyv2.h>
-#else
-#include <stdint.h>
-#include <linux/pfkeyv2.h>
-#endif
-
-#ifdef SADB_X_EXT_NAT_T_TYPE
-#define HAVE_NATT
-#endif
-
-#ifdef HAVE_NETIPSEC_IPSEC_H
-#include <netipsec/ipsec.h>
-#elif defined(HAVE_NETINET6_IPSEC_H)
-#include <netinet6/ipsec.h>
-#else
-#include <linux/ipsec.h>
-#endif
-
-#ifdef HAVE_NATT
-#ifdef HAVE_LINUX_UDP_H
-#include <linux/udp.h>
-#else
-#include <netinet/udp.h>
-#endif /*HAVE_LINUX_UDP_H*/
-#endif /*HAVE_NATT*/
-
-#include <unistd.h>
-#include <time.h>
-#include <errno.h>
-
-#include "kernel_pfkey_ipsec.h"
-
-#include <daemon.h>
-#include <utils/host.h>
-#include <threading/thread.h>
-#include <threading/mutex.h>
-#include <processing/jobs/callback_job.h>
-#include <processing/jobs/acquire_job.h>
-#include <processing/jobs/migrate_job.h>
-#include <processing/jobs/rekey_child_sa_job.h>
-#include <processing/jobs/delete_child_sa_job.h>
-#include <processing/jobs/update_sa_job.h>
-
-/** non linux specific */
-#ifndef IPPROTO_COMP
-#define IPPROTO_COMP IPPROTO_IPCOMP
-#endif
-
-#ifndef SADB_X_AALG_SHA2_256HMAC
-#define SADB_X_AALG_SHA2_256HMAC SADB_X_AALG_SHA2_256
-#define SADB_X_AALG_SHA2_384HMAC SADB_X_AALG_SHA2_384
-#define SADB_X_AALG_SHA2_512HMAC SADB_X_AALG_SHA2_512
-#endif
-
-#ifndef SADB_X_EALG_AESCBC
-#define SADB_X_EALG_AESCBC SADB_X_EALG_AES
-#endif
-
-#ifndef SADB_X_EALG_CASTCBC
-#define SADB_X_EALG_CASTCBC SADB_X_EALG_CAST128CBC
-#endif
-
-#ifndef SOL_IP
-#define SOL_IP IPPROTO_IP
-#define SOL_IPV6 IPPROTO_IPV6
-#endif
-
-/** from linux/in.h */
-#ifndef IP_IPSEC_POLICY
-#define IP_IPSEC_POLICY 16
-#endif
-
-/** missing on uclibc */
-#ifndef IPV6_IPSEC_POLICY
-#define IPV6_IPSEC_POLICY 34
-#endif
-
-/** default priority of installed policies */
-#define PRIO_LOW 3000
-#define PRIO_HIGH 2000
-
-#ifdef __APPLE__
-/** from xnu/bsd/net/pfkeyv2.h */
-#define SADB_X_EXT_NATT 0x002
-	struct sadb_sa_2 {
-		struct sadb_sa	sa;
-		u_int16_t		sadb_sa_natt_port;
-		u_int16_t		sadb_reserved0;
-		u_int32_t		sadb_reserved1;
-	};
-#endif
-
-/** buffer size for PF_KEY messages */
-#define PFKEY_BUFFER_SIZE 4096
-
-/** PF_KEY messages are 64 bit aligned */
-#define PFKEY_ALIGNMENT 8
-/** aligns len to 64 bits */
-#define PFKEY_ALIGN(len) (((len) + PFKEY_ALIGNMENT - 1) & ~(PFKEY_ALIGNMENT - 1))
-/** calculates the properly padded length in 64 bit chunks */
-#define PFKEY_LEN(len) ((PFKEY_ALIGN(len) / PFKEY_ALIGNMENT))
-/** calculates user mode length i.e. in bytes */
-#define PFKEY_USER_LEN(len) ((len) * PFKEY_ALIGNMENT)
-
-/** given a PF_KEY message header and an extension this updates the length in the header */
-#define PFKEY_EXT_ADD(msg, ext) ((msg)->sadb_msg_len += ((struct sadb_ext*)ext)->sadb_ext_len)
-/** given a PF_KEY message header this returns a pointer to the next extension */
-#define PFKEY_EXT_ADD_NEXT(msg) ((struct sadb_ext*)(((char*)(msg)) + PFKEY_USER_LEN((msg)->sadb_msg_len)))
-/** copy an extension and append it to a PF_KEY message */
-#define PFKEY_EXT_COPY(msg, ext) (PFKEY_EXT_ADD(msg, memcpy(PFKEY_EXT_ADD_NEXT(msg), ext, PFKEY_USER_LEN(((struct sadb_ext*)ext)->sadb_ext_len))))
-/** given a PF_KEY extension this returns a pointer to the next extension */
-#define PFKEY_EXT_NEXT(ext) ((struct sadb_ext*)(((char*)(ext)) + PFKEY_USER_LEN(((struct sadb_ext*)ext)->sadb_ext_len)))
-/** given a PF_KEY extension this returns a pointer to the next extension also updates len (len in 64 bit words) */
-#define PFKEY_EXT_NEXT_LEN(ext,len) ((len) -= (ext)->sadb_ext_len, PFKEY_EXT_NEXT(ext))
-/** true if ext has a valid length and len is large enough to contain ext (assuming len in 64 bit words) */
-#define PFKEY_EXT_OK(ext,len) ((len) >= PFKEY_LEN(sizeof(struct sadb_ext)) && \
-				(ext)->sadb_ext_len >= PFKEY_LEN(sizeof(struct sadb_ext)) && \
-				(ext)->sadb_ext_len <= (len))
-
-typedef struct private_kernel_pfkey_ipsec_t private_kernel_pfkey_ipsec_t;
-
-/**
- * Private variables and functions of kernel_pfkey class.
- */
-struct private_kernel_pfkey_ipsec_t
-{
-	/**
-	 * Public part of the kernel_pfkey_t object.
-	 */
-	kernel_pfkey_ipsec_t public;
-
-	/**
-	 * mutex to lock access to various lists
-	 */
-	mutex_t *mutex;
-
-	/**
-	 * List of installed policies (policy_entry_t)
-	 */
-	linked_list_t *policies;
-
-	/**
-	 * whether to install routes along policies
-	 */
-	bool install_routes;
-
-	/**
-	 * job receiving PF_KEY events
-	 */
-	callback_job_t *job;
-
-	/**
-	 * mutex to lock access to the PF_KEY socket
-	 */
-	mutex_t *mutex_pfkey;
-
-	/**
-	 * PF_KEY socket to communicate with the kernel
-	 */
-	int socket;
-
-	/**
-	 * PF_KEY socket to receive acquire and expire events
-	 */
-	int socket_events;
-
-	/**
-	 * sequence number for messages sent to the kernel
-	 */
-	int seq;
-};
-
-typedef struct route_entry_t route_entry_t;
-
-/**
- * installed routing entry
- */
-struct route_entry_t {
-	/** Name of the interface the route is bound to */
-	char *if_name;
-
-	/** Source ip of the route */
-	host_t *src_ip;
-
-	/** gateway for this route */
-	host_t *gateway;
-
-	/** Destination net */
-	chunk_t dst_net;
-
-	/** Destination net prefixlen */
-	u_int8_t prefixlen;
-};
-
-/**
- * destroy an route_entry_t object
- */
-static void route_entry_destroy(route_entry_t *this)
-{
-	free(this->if_name);
-	DESTROY_IF(this->src_ip);
-	DESTROY_IF(this->gateway);
-	chunk_free(&this->dst_net);
-	free(this);
-}
-
-typedef struct policy_entry_t policy_entry_t;
-
-/**
- * installed kernel policy.
- */
-struct policy_entry_t {
-
-	/** reqid of this policy */
-	u_int32_t reqid;
-
-	/** index assigned by the kernel */
-	u_int32_t index;
-
-	/** direction of this policy: in, out, forward */
-	u_int8_t direction;
-
-	/** parameters of installed policy */
-	struct {
-		/** subnet and port */
-		host_t *net;
-		/** subnet mask */
-		u_int8_t mask;
-		/** protocol */
-		u_int8_t proto;
-	} src, dst;
-
-	/** associated route installed for this policy */
-	route_entry_t *route;
-
-	/** by how many CHILD_SA's this policy is used */
-	u_int refcount;
-};
-
-/**
- * create a policy_entry_t object
- */
-static policy_entry_t *create_policy_entry(traffic_selector_t *src_ts,
-		traffic_selector_t *dst_ts, policy_dir_t dir, u_int32_t reqid)
-{
-	policy_entry_t *policy = malloc_thing(policy_entry_t);
-	policy->reqid = reqid;
-	policy->index = 0;
-	policy->direction = dir;
-	policy->route = NULL;
-	policy->refcount = 0;
-
-	src_ts->to_subnet(src_ts, &policy->src.net, &policy->src.mask);
-	dst_ts->to_subnet(dst_ts, &policy->dst.net, &policy->dst.mask);
-
-	/* src or dest proto may be "any" (0), use more restrictive one */
-	policy->src.proto = max(src_ts->get_protocol(src_ts), dst_ts->get_protocol(dst_ts));
-	policy->src.proto = policy->src.proto ? policy->src.proto : IPSEC_PROTO_ANY;
-	policy->dst.proto = policy->src.proto;
-
-	return policy;
-}
-
-/**
- * destroy a policy_entry_t object
- */
-static void policy_entry_destroy(policy_entry_t *this)
-{
-	DESTROY_IF(this->src.net);
-	DESTROY_IF(this->dst.net);
-	if (this->route)
-	{
-		route_entry_destroy(this->route);
-	}
-	free(this);
-}
-
-/**
- * compares two policy_entry_t
- */
-static inline bool policy_entry_equals(policy_entry_t *current, policy_entry_t *policy)
-{
-	return current->direction == policy->direction &&
-		   current->src.proto == policy->src.proto &&
-		   current->dst.proto == policy->dst.proto &&
-		   current->src.mask == policy->src.mask &&
-		   current->dst.mask == policy->dst.mask &&
-		   current->src.net->equals(current->src.net, policy->src.net) &&
-		   current->dst.net->equals(current->dst.net, policy->dst.net);
-}
-
-/**
- * compare the given kernel index with that of a policy
- */
-static inline bool policy_entry_match_byindex(policy_entry_t *current, u_int32_t *index)
-{
-	return current->index == *index;
-}
-
-typedef struct pfkey_msg_t pfkey_msg_t;
-
-struct pfkey_msg_t
-{
-	/**
-	 * PF_KEY message base
-	 */
-	struct sadb_msg *msg;
-
-	/**
-	 * PF_KEY message extensions
-	 */
-	union {
-		struct sadb_ext *ext[SADB_EXT_MAX + 1];
-		struct {
-			struct sadb_ext *reserved;				/* SADB_EXT_RESERVED */
-			struct sadb_sa *sa;						/* SADB_EXT_SA */
-			struct sadb_lifetime *lft_current;		/* SADB_EXT_LIFETIME_CURRENT */
-			struct sadb_lifetime *lft_hard;			/* SADB_EXT_LIFETIME_HARD */
-			struct sadb_lifetime *lft_soft;			/* SADB_EXT_LIFETIME_SOFT */
-			struct sadb_address *src;				/* SADB_EXT_ADDRESS_SRC */
-			struct sadb_address *dst;				/* SADB_EXT_ADDRESS_DST */
-			struct sadb_address *proxy;				/* SADB_EXT_ADDRESS_PROXY */
-			struct sadb_key *key_auth;				/* SADB_EXT_KEY_AUTH */
-			struct sadb_key *key_encr;				/* SADB_EXT_KEY_ENCRYPT */
-			struct sadb_ident *id_src;				/* SADB_EXT_IDENTITY_SRC */
-			struct sadb_ident *id_dst;				/* SADB_EXT_IDENTITY_DST */
-			struct sadb_sens *sensitivity;			/* SADB_EXT_SENSITIVITY */
-			struct sadb_prop *proposal;				/* SADB_EXT_PROPOSAL */
-			struct sadb_supported *supported_auth;	/* SADB_EXT_SUPPORTED_AUTH */
-			struct sadb_supported *supported_encr;	/* SADB_EXT_SUPPORTED_ENCRYPT */
-			struct sadb_spirange *spirange;			/* SADB_EXT_SPIRANGE */
-			struct sadb_x_kmprivate *x_kmprivate;	/* SADB_X_EXT_KMPRIVATE */
-			struct sadb_x_policy *x_policy;			/* SADB_X_EXT_POLICY */
-			struct sadb_x_sa2 *x_sa2;				/* SADB_X_EXT_SA2 */
-			struct sadb_x_nat_t_type *x_natt_type;	/* SADB_X_EXT_NAT_T_TYPE */
-			struct sadb_x_nat_t_port *x_natt_sport;	/* SADB_X_EXT_NAT_T_SPORT */
-			struct sadb_x_nat_t_port *x_natt_dport;	/* SADB_X_EXT_NAT_T_DPORT */
-			struct sadb_address *x_natt_oa;			/* SADB_X_EXT_NAT_T_OA */
-			struct sadb_x_sec_ctx *x_sec_ctx;		/* SADB_X_EXT_SEC_CTX */
-			struct sadb_x_kmaddress *x_kmaddress;	/* SADB_X_EXT_KMADDRESS */
-		} __attribute__((__packed__));
-	};
-};
-
-ENUM(sadb_ext_type_names, SADB_EXT_RESERVED, SADB_EXT_MAX,
-	"SADB_EXT_RESERVED",
-	"SADB_EXT_SA",
-	"SADB_EXT_LIFETIME_CURRENT",
-	"SADB_EXT_LIFETIME_HARD",
-	"SADB_EXT_LIFETIME_SOFT",
-	"SADB_EXT_ADDRESS_SRC",
-	"SADB_EXT_ADDRESS_DST",
-	"SADB_EXT_ADDRESS_PROXY",
-	"SADB_EXT_KEY_AUTH",
-	"SADB_EXT_KEY_ENCRYPT",
-	"SADB_EXT_IDENTITY_SRC",
-	"SADB_EXT_IDENTITY_DST",
-	"SADB_EXT_SENSITIVITY",
-	"SADB_EXT_PROPOSAL",
-	"SADB_EXT_SUPPORTED_AUTH",
-	"SADB_EXT_SUPPORTED_ENCRYPT",
-	"SADB_EXT_SPIRANGE",
-	"SADB_X_EXT_KMPRIVATE",
-	"SADB_X_EXT_POLICY",
-	"SADB_X_EXT_SA2",
-	"SADB_X_EXT_NAT_T_TYPE",
-	"SADB_X_EXT_NAT_T_SPORT",
-	"SADB_X_EXT_NAT_T_DPORT",
-	"SADB_X_EXT_NAT_T_OA",
-	"SADB_X_EXT_SEC_CTX",
-	"SADB_X_EXT_KMADDRESS"
-);
-
-/**
- * convert a IKEv2 specific protocol identifier to the PF_KEY sa type
- */
-static u_int8_t proto_ike2satype(protocol_id_t proto)
-{
-	switch (proto)
-	{
-		case PROTO_ESP:
-			return SADB_SATYPE_ESP;
-		case PROTO_AH:
-			return SADB_SATYPE_AH;
-		case IPPROTO_COMP:
-			return SADB_X_SATYPE_IPCOMP;
-		default:
-			return proto;
-	}
-}
-
-/**
- * convert a PF_KEY sa type to a IKEv2 specific protocol identifier
- */
-static protocol_id_t proto_satype2ike(u_int8_t proto)
-{
-	switch (proto)
-	{
-		case SADB_SATYPE_ESP:
-			return PROTO_ESP;
-		case SADB_SATYPE_AH:
-			return PROTO_AH;
-		case SADB_X_SATYPE_IPCOMP:
-			return IPPROTO_COMP;
-		default:
-			return proto;
-	}
-}
-
-/**
- * convert a IKEv2 specific protocol identifier to the IP protocol identifier
- */
-static u_int8_t proto_ike2ip(protocol_id_t proto)
-{
-	switch (proto)
-	{
-		case PROTO_ESP:
-			return IPPROTO_ESP;
-		case PROTO_AH:
-			return IPPROTO_AH;
-		default:
-			return proto;
-	}
-}
-
-/**
- * convert the general ipsec mode to the one defined in ipsec.h
- */
-static u_int8_t mode2kernel(ipsec_mode_t mode)
-{
-	switch (mode)
-	{
-		case MODE_TRANSPORT:
-			return IPSEC_MODE_TRANSPORT;
-		case MODE_TUNNEL:
-			return IPSEC_MODE_TUNNEL;
-#ifdef HAVE_IPSEC_MODE_BEET
-		case MODE_BEET:
-			return IPSEC_MODE_BEET;
-#endif
-		default:
-			return mode;
-	}
-}
-
-/**
- * convert the general policy direction to the one defined in ipsec.h
- */
-static u_int8_t dir2kernel(policy_dir_t dir)
-{
-	switch (dir)
-	{
-		case POLICY_IN:
-			return IPSEC_DIR_INBOUND;
-		case POLICY_OUT:
-			return IPSEC_DIR_OUTBOUND;
-#ifdef HAVE_IPSEC_DIR_FWD
-		case POLICY_FWD:
-			return IPSEC_DIR_FWD;
-#endif
-		default:
-			return IPSEC_DIR_INVALID;
-	}
-}
-
-#ifdef SADB_X_MIGRATE
-/**
- * convert the policy direction in ipsec.h to the general one.
- */
-static policy_dir_t kernel2dir(u_int8_t  dir)
-{
-	switch (dir)
-	{
-		case IPSEC_DIR_INBOUND:
-			return POLICY_IN;
-		case IPSEC_DIR_OUTBOUND:
-			return POLICY_OUT;
-#ifdef HAVE_IPSEC_DIR_FWD
-		case IPSEC_DIR_FWD:
-			return POLICY_FWD;
-#endif
-		default:
-			return dir;
-	}
-}
-#endif /*SADB_X_MIGRATE*/
-
-typedef struct kernel_algorithm_t kernel_algorithm_t;
-
-/**
- * Mapping of IKEv2 algorithms to PF_KEY algorithms
- */
-struct kernel_algorithm_t {
-	/**
-	 * Identifier specified in IKEv2
-	 */
-	int ikev2;
-
-	/**
-	 * Identifier as defined in pfkeyv2.h
-	 */
-	int kernel;
-};
-
-#define END_OF_LIST -1
-
-/**
- * Algorithms for encryption
- */
-static kernel_algorithm_t encryption_algs[] = {
-/*	{ENCR_DES_IV64,				0							}, */
-	{ENCR_DES,					SADB_EALG_DESCBC			},
-	{ENCR_3DES,					SADB_EALG_3DESCBC			},
-/*	{ENCR_RC5,					0							}, */
-/*	{ENCR_IDEA,					0							}, */
-	{ENCR_CAST,					SADB_X_EALG_CASTCBC			},
-	{ENCR_BLOWFISH,				SADB_X_EALG_BLOWFISHCBC		},
-/*	{ENCR_3IDEA,				0							}, */
-/*	{ENCR_DES_IV32,				0							}, */
-	{ENCR_NULL,					SADB_EALG_NULL				},
-	{ENCR_AES_CBC,				SADB_X_EALG_AESCBC			},
-/*	{ENCR_AES_CTR,				SADB_X_EALG_AESCTR			}, */
-/*  {ENCR_AES_CCM_ICV8,			SADB_X_EALG_AES_CCM_ICV8	}, */
-/*	{ENCR_AES_CCM_ICV12,		SADB_X_EALG_AES_CCM_ICV12	}, */
-/*	{ENCR_AES_CCM_ICV16,		SADB_X_EALG_AES_CCM_ICV16	}, */
-/*	{ENCR_AES_GCM_ICV8,			SADB_X_EALG_AES_GCM_ICV8	}, */
-/*	{ENCR_AES_GCM_ICV12,		SADB_X_EALG_AES_GCM_ICV12	}, */
-/*	{ENCR_AES_GCM_ICV16,		SADB_X_EALG_AES_GCM_ICV16	}, */
-	{END_OF_LIST,				0							},
-};
-
-/**
- * Algorithms for integrity protection
- */
-static kernel_algorithm_t integrity_algs[] = {
-	{AUTH_HMAC_MD5_96,			SADB_AALG_MD5HMAC			},
-	{AUTH_HMAC_SHA1_96,			SADB_AALG_SHA1HMAC			},
-	{AUTH_HMAC_SHA2_256_128,	SADB_X_AALG_SHA2_256HMAC	},
-	{AUTH_HMAC_SHA2_384_192,	SADB_X_AALG_SHA2_384HMAC	},
-	{AUTH_HMAC_SHA2_512_256,	SADB_X_AALG_SHA2_512HMAC	},
-/*	{AUTH_DES_MAC,				0,							}, */
-/*	{AUTH_KPDK_MD5,				0,							}, */
-#ifdef SADB_X_AALG_AES_XCBC_MAC
-	{AUTH_AES_XCBC_96,			SADB_X_AALG_AES_XCBC_MAC,	},
-#endif
-	{END_OF_LIST,				0,							},
-};
-
-#if 0
-/**
- * Algorithms for IPComp, unused yet
- */
-static kernel_algorithm_t compression_algs[] = {
-/*	{IPCOMP_OUI,				0							}, */
-	{IPCOMP_DEFLATE,			SADB_X_CALG_DEFLATE			},
-	{IPCOMP_LZS,				SADB_X_CALG_LZS				},
-	{IPCOMP_LZJH,				SADB_X_CALG_LZJH			},
-	{END_OF_LIST,				0							},
-};
-#endif
-
-/**
- * Look up a kernel algorithm ID and its key size
- */
-static int lookup_algorithm(kernel_algorithm_t *list, int ikev2)
-{
-	while (list->ikev2 != END_OF_LIST)
-	{
-		if (ikev2 == list->ikev2)
-		{
-			return list->kernel;
-		}
-		list++;
-	}
-	return 0;
-}
-
-/**
- * add a host behind a sadb_address extension
- */
-static void host2ext(host_t *host, struct sadb_address *ext)
-{
-	sockaddr_t *host_addr = host->get_sockaddr(host);
-	socklen_t *len = host->get_sockaddr_len(host);
-#ifdef HAVE_STRUCT_SOCKADDR_SA_LEN
-	host_addr->sa_len = *len;
-#endif
-	memcpy((char*)(ext + 1), host_addr, *len);
-	ext->sadb_address_len = PFKEY_LEN(sizeof(*ext) + *len);
-}
-
-/**
- * add a host to the given sadb_msg
- */
-static void add_addr_ext(struct sadb_msg *msg, host_t *host, u_int16_t type,
-						 u_int8_t proto, u_int8_t prefixlen)
-{
-	struct sadb_address *addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
-	addr->sadb_address_exttype = type;
-	addr->sadb_address_proto = proto;
-	addr->sadb_address_prefixlen = prefixlen;
-	host2ext(host, addr);
-	PFKEY_EXT_ADD(msg, addr);
-}
-
-/**
- * adds an empty address extension to the given sadb_msg
- */
-static void add_anyaddr_ext(struct sadb_msg *msg, int family, u_int8_t type)
-{
-	socklen_t len = (family == AF_INET) ? sizeof(struct sockaddr_in) :
-										  sizeof(struct sockaddr_in6);
-	struct sadb_address *addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
-	addr->sadb_address_exttype = type;
-	sockaddr_t *saddr = (sockaddr_t*)(addr + 1);
-	saddr->sa_family = family;
-#ifdef HAVE_STRUCT_SOCKADDR_SA_LEN
-	saddr->sa_len = len;
-#endif
-	addr->sadb_address_len = PFKEY_LEN(sizeof(*addr) + len);
-	PFKEY_EXT_ADD(msg, addr);
-}
-
-#ifdef HAVE_NATT
-/**
- * add udp encap extensions to a sadb_msg
- */
-static void add_encap_ext(struct sadb_msg *msg, host_t *src, host_t *dst)
-{
-	struct sadb_x_nat_t_type* nat_type;
-	struct sadb_x_nat_t_port* nat_port;
-
-	nat_type = (struct sadb_x_nat_t_type*)PFKEY_EXT_ADD_NEXT(msg);
-	nat_type->sadb_x_nat_t_type_exttype = SADB_X_EXT_NAT_T_TYPE;
-	nat_type->sadb_x_nat_t_type_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_type));
-	nat_type->sadb_x_nat_t_type_type = UDP_ENCAP_ESPINUDP;
-	PFKEY_EXT_ADD(msg, nat_type);
-
-	nat_port = (struct sadb_x_nat_t_port*)PFKEY_EXT_ADD_NEXT(msg);
-	nat_port->sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_SPORT;
-	nat_port->sadb_x_nat_t_port_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_port));
-	nat_port->sadb_x_nat_t_port_port = htons(src->get_port(src));
-	PFKEY_EXT_ADD(msg, nat_port);
-
-	nat_port = (struct sadb_x_nat_t_port*)PFKEY_EXT_ADD_NEXT(msg);
-	nat_port->sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_DPORT;
-	nat_port->sadb_x_nat_t_port_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_port));
-	nat_port->sadb_x_nat_t_port_port = htons(dst->get_port(dst));
-	PFKEY_EXT_ADD(msg, nat_port);
-}
-#endif /*HAVE_NATT*/
-
-/**
- * Convert a sadb_address to a traffic_selector
- */
-static traffic_selector_t* sadb_address2ts(struct sadb_address *address)
-{
-	traffic_selector_t *ts;
-	host_t *host;
-
-	/* The Linux 2.6 kernel does not set the protocol and port information
-	 * in the src and dst sadb_address extensions of the SADB_ACQUIRE message.
-	 */
-	host = host_create_from_sockaddr((sockaddr_t*)&address[1])	;
-	ts = traffic_selector_create_from_subnet(host, address->sadb_address_prefixlen,
-				address->sadb_address_proto, host->get_port(host));
-	return ts;
-}
-
-/**
- * Parses a pfkey message received from the kernel
- */
-static status_t parse_pfkey_message(struct sadb_msg *msg, pfkey_msg_t *out)
-{
-	struct sadb_ext* ext;
-	size_t len;
-
-	memset(out, 0, sizeof(pfkey_msg_t));
-	out->msg = msg;
-
-	len = msg->sadb_msg_len;
-	len -= PFKEY_LEN(sizeof(struct sadb_msg));
-
-	ext = (struct sadb_ext*)(((char*)msg) + sizeof(struct sadb_msg));
-
-	while (len >= PFKEY_LEN(sizeof(struct sadb_ext)))
-	{
-		DBG3(DBG_KNL, "  %N", sadb_ext_type_names, ext->sadb_ext_type);
-		if (ext->sadb_ext_len < PFKEY_LEN(sizeof(struct sadb_ext)) ||
-			ext->sadb_ext_len > len)
-		{
-			DBG1(DBG_KNL, "length of %N extension is invalid",
-						   sadb_ext_type_names, ext->sadb_ext_type);
-			break;
-		}
-
-		if ((ext->sadb_ext_type > SADB_EXT_MAX) || (!ext->sadb_ext_type))
-		{
-			DBG1(DBG_KNL, "type of PF_KEY extension (%d) is invalid", ext->sadb_ext_type);
-			break;
-		}
-
-		if (out->ext[ext->sadb_ext_type])
-		{
-			DBG1(DBG_KNL, "duplicate %N extension",
-						   sadb_ext_type_names, ext->sadb_ext_type);
-			break;
-		}
-
-		out->ext[ext->sadb_ext_type] = ext;
-		ext = PFKEY_EXT_NEXT_LEN(ext, len);
-	}
-
-	if (len)
-	{
-		DBG1(DBG_KNL, "PF_KEY message length is invalid");
-		return FAILED;
-	}
-
-	return SUCCESS;
-}
-
-/**
- * Send a message to a specific PF_KEY socket and handle the response.
- */
-static status_t pfkey_send_socket(private_kernel_pfkey_ipsec_t *this, int socket,
-					struct sadb_msg *in, struct sadb_msg **out, size_t *out_len)
-{
-	unsigned char buf[PFKEY_BUFFER_SIZE];
-	struct sadb_msg *msg;
-	int in_len, len;
-
-	this->mutex_pfkey->lock(this->mutex_pfkey);
-
-	/* FIXME: our usage of sequence numbers is probably wrong. check RFC 2367,
-	 * in particular the behavior in response to an SADB_ACQUIRE. */
-	in->sadb_msg_seq = ++this->seq;
-	in->sadb_msg_pid = getpid();
-
-	in_len = PFKEY_USER_LEN(in->sadb_msg_len);
-
-	while (TRUE)
-	{
-		len = send(socket, in, in_len, 0);
-
-		if (len != in_len)
-		{
-			if (errno == EINTR)
-			{
-				/* interrupted, try again */
-				continue;
-			}
-			this->mutex_pfkey->unlock(this->mutex_pfkey);
-			DBG1(DBG_KNL, "error sending to PF_KEY socket: %s", strerror(errno));
-			return FAILED;
-		}
-		break;
-	}
-
-	while (TRUE)
-	{
-		msg = (struct sadb_msg*)buf;
-
-		len = recv(socket, buf, sizeof(buf), 0);
-
-		if (len < 0)
-		{
-			if (errno == EINTR)
-			{
-				DBG1(DBG_KNL, "got interrupted");
-				/* interrupted, try again */
-				continue;
-			}
-			DBG1(DBG_KNL, "error reading from PF_KEY socket: %s", strerror(errno));
-			this->mutex_pfkey->unlock(this->mutex_pfkey);
-			return FAILED;
-		}
-		if (len < sizeof(struct sadb_msg) ||
-			msg->sadb_msg_len < PFKEY_LEN(sizeof(struct sadb_msg)))
-		{
-			DBG1(DBG_KNL, "received corrupted PF_KEY message");
-			this->mutex_pfkey->unlock(this->mutex_pfkey);
-			return FAILED;
-		}
-		if (msg->sadb_msg_len > len / PFKEY_ALIGNMENT)
-		{
-			DBG1(DBG_KNL, "buffer was too small to receive the complete PF_KEY message");
-			this->mutex_pfkey->unlock(this->mutex_pfkey);
-			return FAILED;
-		}
-		if (msg->sadb_msg_pid != in->sadb_msg_pid)
-		{
-			DBG2(DBG_KNL, "received PF_KEY message is not intended for us");
-			continue;
-		}
-		if (msg->sadb_msg_seq != this->seq)
-		{
-			DBG1(DBG_KNL, "received PF_KEY message with unexpected sequence "
-				 "number, was %d expected %d", msg->sadb_msg_seq, this->seq);
-			if (msg->sadb_msg_seq == 0)
-			{
-				/* FreeBSD and Mac OS X do this for the response to
-				 * SADB_X_SPDGET (but not for the response to SADB_GET).
-				 * FreeBSD: 'key_spdget' in /usr/src/sys/netipsec/key.c. */
-			}
-			else if (msg->sadb_msg_seq < this->seq)
-			{
-				continue;
-			}
-			else
-			{
-				this->mutex_pfkey->unlock(this->mutex_pfkey);
-				return FAILED;
-			}
-		}
-		if (msg->sadb_msg_type != in->sadb_msg_type)
-		{
-			DBG2(DBG_KNL, "received PF_KEY message of wrong type, "
-					"was %d expected %d, ignoring",
-					msg->sadb_msg_type, in->sadb_msg_type);
-		}
-		break;
-	}
-
-	*out_len = len;
-	*out = (struct sadb_msg*)malloc(len);
-	memcpy(*out, buf, len);
-
-	this->mutex_pfkey->unlock(this->mutex_pfkey);
-
-	return SUCCESS;
-}
-
-/**
- * Send a message to the default PF_KEY socket and handle the response.
- */
-static status_t pfkey_send(private_kernel_pfkey_ipsec_t *this,
-					struct sadb_msg *in, struct sadb_msg **out, size_t *out_len)
-{
-	return pfkey_send_socket(this, this->socket, in, out, out_len);
-}
-
-/**
- * Process a SADB_ACQUIRE message from the kernel
- */
-static void process_acquire(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg)
-{
-	pfkey_msg_t response;
-	u_int32_t index, reqid = 0;
-	traffic_selector_t *src_ts, *dst_ts;
-	policy_entry_t *policy;
-	job_t *job;
-
-	switch (msg->sadb_msg_satype)
-	{
-		case SADB_SATYPE_UNSPEC:
-		case SADB_SATYPE_ESP:
-		case SADB_SATYPE_AH:
-			break;
-		default:
-			/* acquire for AH/ESP only */
-			return;
-	}
-	DBG2(DBG_KNL, "received an SADB_ACQUIRE");
-
-	if (parse_pfkey_message(msg, &response) != SUCCESS)
-	{
-		DBG1(DBG_KNL, "parsing SADB_ACQUIRE from kernel failed");
-		return;
-	}
-
-	index = response.x_policy->sadb_x_policy_id;
-	this->mutex->lock(this->mutex);
-	if (this->policies->find_first(this->policies,
-			(linked_list_match_t)policy_entry_match_byindex, (void**)&policy, &index) == SUCCESS)
-	{
-		reqid = policy->reqid;
-	}
-	else
-	{
-		DBG1(DBG_KNL, "received an SADB_ACQUIRE with policy id %d but no matching policy found",
-					   index);
-	}
-	src_ts = sadb_address2ts(response.src);
-	dst_ts = sadb_address2ts(response.dst);
-	this->mutex->unlock(this->mutex);
-
-	DBG1(DBG_KNL, "creating acquire job for policy %R === %R with reqid {%u}",
-				   src_ts, dst_ts, reqid);
-	job = (job_t*)acquire_job_create(reqid, src_ts, dst_ts);
-	charon->processor->queue_job(charon->processor, job);
-}
-
-/**
- * Process a SADB_EXPIRE message from the kernel
- */
-static void process_expire(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg)
-{
-	pfkey_msg_t response;
-	protocol_id_t protocol;
-	u_int32_t spi, reqid;
-	bool hard;
-	job_t *job;
-
-	DBG2(DBG_KNL, "received an SADB_EXPIRE");
-
-	if (parse_pfkey_message(msg, &response) != SUCCESS)
-	{
-		DBG1(DBG_KNL, "parsing SADB_EXPIRE from kernel failed");
-		return;
-	}
-
-	protocol = proto_satype2ike(msg->sadb_msg_satype);
-	spi = response.sa->sadb_sa_spi;
-	reqid = response.x_sa2->sadb_x_sa2_reqid;
-	hard = response.lft_hard != NULL;
-
-	if (protocol != PROTO_ESP && protocol != PROTO_AH)
-	{
-		DBG2(DBG_KNL, "ignoring SADB_EXPIRE for SA with SPI %.8x and reqid {%u} "
-					  "which is not a CHILD_SA", ntohl(spi), reqid);
-		return;
-	}
-
-	DBG1(DBG_KNL, "creating %s job for %N CHILD_SA with SPI %.8x and reqid {%u}",
-		 hard ? "delete" : "rekey",  protocol_id_names,
-		 protocol, ntohl(spi), reqid);
-	if (hard)
-	{
-		job = (job_t*)delete_child_sa_job_create(reqid, protocol, spi);
-	}
-	else
-	{
-		job = (job_t*)rekey_child_sa_job_create(reqid, protocol, spi);
-	}
-	charon->processor->queue_job(charon->processor, job);
-}
-
-#ifdef SADB_X_MIGRATE
-/**
- * Process a SADB_X_MIGRATE message from the kernel
- */
-static void process_migrate(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg)
-{
-	pfkey_msg_t response;
-	traffic_selector_t *src_ts, *dst_ts;
-	policy_dir_t dir;
-	u_int32_t reqid = 0;
-	host_t *local = NULL, *remote = NULL;
-	job_t *job;
-
-	DBG2(DBG_KNL, "received an SADB_X_MIGRATE");
-
-	if (parse_pfkey_message(msg, &response) != SUCCESS)
-	{
-		DBG1(DBG_KNL, "parsing SADB_X_MIGRATE from kernel failed");
-		return;
-	}
-	src_ts = sadb_address2ts(response.src);
-	dst_ts = sadb_address2ts(response.dst);
-	dir = kernel2dir(response.x_policy->sadb_x_policy_dir);
-	DBG2(DBG_KNL, "  policy %R === %R %N, id %u", src_ts, dst_ts,
-					 policy_dir_names, dir);
-
-	/* SADB_X_EXT_KMADDRESS is not present in unpatched kernels < 2.6.28 */
-	if (response.x_kmaddress)
-	{
-		sockaddr_t *local_addr, *remote_addr;
-		u_int32_t local_len;
-
-		local_addr  = (sockaddr_t*)&response.x_kmaddress[1];
-		local = host_create_from_sockaddr(local_addr);
-		local_len = (local_addr->sa_family == AF_INET6)?
-					sizeof(struct sockaddr_in6) : sizeof(struct sockaddr_in);
-		remote_addr = (sockaddr_t*)((u_int8_t*)local_addr + local_len);
-		remote = host_create_from_sockaddr(remote_addr);
-		DBG2(DBG_KNL, "  kmaddress: %H...%H", local, remote);
-	}
-
-	if (src_ts && dst_ts && local && remote)
-	{
-		DBG1(DBG_KNL, "creating migrate job for policy %R === %R %N with reqid {%u}",
-					   src_ts, dst_ts, policy_dir_names, dir, reqid, local);
-		job = (job_t*)migrate_job_create(reqid, src_ts, dst_ts, dir,
-										 local, remote);
-		charon->processor->queue_job(charon->processor, job);
-	}
-	else
-	{
-		DESTROY_IF(src_ts);
-		DESTROY_IF(dst_ts);
-		DESTROY_IF(local);
-		DESTROY_IF(remote);
-	}
-}
-#endif /*SADB_X_MIGRATE*/
-
-#ifdef HAVE_NATT
-/**
- * Process a SADB_X_NAT_T_NEW_MAPPING message from the kernel
- */
-static void process_mapping(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg)
-{
-	pfkey_msg_t response;
-	u_int32_t spi, reqid;
-	host_t *host;
-	job_t *job;
-
-	DBG2(DBG_KNL, "received an SADB_X_NAT_T_NEW_MAPPING");
-
-	if (parse_pfkey_message(msg, &response) != SUCCESS)
-	{
-		DBG1(DBG_KNL, "parsing SADB_X_NAT_T_NEW_MAPPING from kernel failed");
-		return;
-	}
-
-	if (!response.x_sa2)
-	{
-		DBG1(DBG_KNL, "received SADB_X_NAT_T_NEW_MAPPING is missing required information");
-		return;
-	}
-
-	spi = response.sa->sadb_sa_spi;
-	reqid = response.x_sa2->sadb_x_sa2_reqid;
-
-	if (proto_satype2ike(msg->sadb_msg_satype) == PROTO_ESP)
-	{
-		sockaddr_t *sa = (sockaddr_t*)(response.dst + 1);
-		switch (sa->sa_family)
-		{
-			case AF_INET:
-			{
-				struct sockaddr_in *sin = (struct sockaddr_in*)sa;
-				sin->sin_port = htons(response.x_natt_dport->sadb_x_nat_t_port_port);
-			}
-			case AF_INET6:
-			{
-				struct sockaddr_in6 *sin6 = (struct sockaddr_in6*)sa;
-				sin6->sin6_port = htons(response.x_natt_dport->sadb_x_nat_t_port_port);
-			}
-			default:
-				break;
-		}
-		host = host_create_from_sockaddr(sa);
-		if (host)
-		{
-			DBG1(DBG_KNL, "NAT mappings of ESP CHILD_SA with SPI %.8x and "
-				"reqid {%u} changed, queuing update job", ntohl(spi), reqid);
-			job = (job_t*)update_sa_job_create(reqid, host);
-			charon->processor->queue_job(charon->processor, job);
-		}
-	}
-}
-#endif /*HAVE_NATT*/
-
-/**
- * Receives events from kernel
- */
-static job_requeue_t receive_events(private_kernel_pfkey_ipsec_t *this)
-{
-	unsigned char buf[PFKEY_BUFFER_SIZE];
-	struct sadb_msg *msg = (struct sadb_msg*)buf;
-	int len;
-	bool oldstate;
-
-	oldstate = thread_cancelability(TRUE);
-	len = recvfrom(this->socket_events, buf, sizeof(buf), 0, NULL, 0);
-	thread_cancelability(oldstate);
-
-	if (len < 0)
-	{
-		switch (errno)
-		{
-			case EINTR:
-				/* interrupted, try again */
-				return JOB_REQUEUE_DIRECT;
-			case EAGAIN:
-				/* no data ready, select again */
-				return JOB_REQUEUE_DIRECT;
-			default:
-				DBG1(DBG_KNL, "unable to receive from PF_KEY event socket");
-				sleep(1);
-				return JOB_REQUEUE_FAIR;
-		}
-	}
-
-	if (len < sizeof(struct sadb_msg) ||
-		msg->sadb_msg_len < PFKEY_LEN(sizeof(struct sadb_msg)))
-	{
-		DBG2(DBG_KNL, "received corrupted PF_KEY message");
-		return JOB_REQUEUE_DIRECT;
-	}
-	if (msg->sadb_msg_pid != 0)
-	{	/* not from kernel. not interested, try another one */
-		return JOB_REQUEUE_DIRECT;
-	}
-	if (msg->sadb_msg_len > len / PFKEY_ALIGNMENT)
-	{
-		DBG1(DBG_KNL, "buffer was too small to receive the complete PF_KEY message");
-		return JOB_REQUEUE_DIRECT;
-	}
-
-	switch (msg->sadb_msg_type)
-	{
-		case SADB_ACQUIRE:
-			process_acquire(this, msg);
-			break;
-		case SADB_EXPIRE:
-			process_expire(this, msg);
-			break;
-#ifdef SADB_X_MIGRATE
-		case SADB_X_MIGRATE:
-			process_migrate(this, msg);
-			break;
-#endif /*SADB_X_MIGRATE*/
-#ifdef HAVE_NATT
-		case SADB_X_NAT_T_NEW_MAPPING:
-			process_mapping(this, msg);
-			break;
-#endif /*HAVE_NATT*/
-		default:
-			break;
-	}
-
-	return JOB_REQUEUE_DIRECT;
-}
-
-/**
- * Implementation of kernel_interface_t.get_spi.
- */
-static status_t get_spi(private_kernel_pfkey_ipsec_t *this,
-						host_t *src, host_t *dst,
-						protocol_id_t protocol, u_int32_t reqid,
-						u_int32_t *spi)
-{
-	unsigned char request[PFKEY_BUFFER_SIZE];
-	struct sadb_msg *msg, *out;
-	struct sadb_x_sa2 *sa2;
-	struct sadb_spirange *range;
-	pfkey_msg_t response;
-	u_int32_t received_spi = 0;
-	size_t len;
-
-	memset(&request, 0, sizeof(request));
-
-	msg = (struct sadb_msg*)request;
-	msg->sadb_msg_version = PF_KEY_V2;
-	msg->sadb_msg_type = SADB_GETSPI;
-	msg->sadb_msg_satype = proto_ike2satype(protocol);
-	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
-
-	sa2 = (struct sadb_x_sa2*)PFKEY_EXT_ADD_NEXT(msg);
-	sa2->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
-	sa2->sadb_x_sa2_len = PFKEY_LEN(sizeof(struct sadb_spirange));
-	sa2->sadb_x_sa2_reqid = reqid;
-	PFKEY_EXT_ADD(msg, sa2);
-
-	add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0);
-	add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
-
-	range = (struct sadb_spirange*)PFKEY_EXT_ADD_NEXT(msg);
-	range->sadb_spirange_exttype = SADB_EXT_SPIRANGE;
-	range->sadb_spirange_len = PFKEY_LEN(sizeof(struct sadb_spirange));
-	range->sadb_spirange_min = 0xc0000000;
-	range->sadb_spirange_max = 0xcFFFFFFF;
-	PFKEY_EXT_ADD(msg, range);
-
-	if (pfkey_send(this, msg, &out, &len) == SUCCESS)
-	{
-		if (out->sadb_msg_errno)
-		{
-			DBG1(DBG_KNL, "allocating SPI failed: %s (%d)",
-					strerror(out->sadb_msg_errno), out->sadb_msg_errno);
-		}
-		else if (parse_pfkey_message(out, &response) == SUCCESS)
-		{
-			received_spi = response.sa->sadb_sa_spi;
-		}
-		free(out);
-	}
-
-	if (received_spi == 0)
-	{
-		return FAILED;
-	}
-
-	*spi = received_spi;
-	return SUCCESS;
-}
-
-/**
- * Implementation of kernel_interface_t.get_cpi.
- */
-static status_t get_cpi(private_kernel_pfkey_ipsec_t *this,
-						host_t *src, host_t *dst,
-						u_int32_t reqid, u_int16_t *cpi)
-{
-	return FAILED;
-}
-
-/**
- * Implementation of kernel_interface_t.add_sa.
- */
-static status_t add_sa(private_kernel_pfkey_ipsec_t *this,
-					   host_t *src, host_t *dst, u_int32_t spi,
-					   protocol_id_t protocol, u_int32_t reqid,
-					   lifetime_cfg_t *lifetime,
-					   u_int16_t enc_alg, chunk_t enc_key,
-					   u_int16_t int_alg, chunk_t int_key,
-					   ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
-					   bool encap, bool inbound, traffic_selector_t *src_ts,
-					   traffic_selector_t *dst_ts)
-{
-	unsigned char request[PFKEY_BUFFER_SIZE];
-	struct sadb_msg *msg, *out;
-	struct sadb_sa *sa;
-	struct sadb_x_sa2 *sa2;
-	struct sadb_lifetime *lft;
-	struct sadb_key *key;
-	size_t len;
-
-	memset(&request, 0, sizeof(request));
-
-	DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%u}", ntohl(spi), reqid);
-
-	msg = (struct sadb_msg*)request;
-	msg->sadb_msg_version = PF_KEY_V2;
-	msg->sadb_msg_type = inbound ? SADB_UPDATE : SADB_ADD;
-	msg->sadb_msg_satype = proto_ike2satype(protocol);
-	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
-
-#ifdef __APPLE__
-	if (encap)
-	{
-		struct sadb_sa_2 *sa_2;
-		sa_2 = (struct sadb_sa_2*)PFKEY_EXT_ADD_NEXT(msg);
-		sa_2->sadb_sa_natt_port = dst->get_port(dst);
-		sa = &sa_2->sa;
-		sa->sadb_sa_flags |= SADB_X_EXT_NATT;
-		len = sizeof(struct sadb_sa_2);
-	}
-	else
-#endif
-	{
-		sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
-		len = sizeof(struct sadb_sa);
-	}
-	sa->sadb_sa_exttype = SADB_EXT_SA;
-	sa->sadb_sa_len = PFKEY_LEN(len);
-	sa->sadb_sa_spi = spi;
-	sa->sadb_sa_replay = (protocol == IPPROTO_COMP) ? 0 : 32;
-	sa->sadb_sa_auth = lookup_algorithm(integrity_algs, int_alg);
-	sa->sadb_sa_encrypt = lookup_algorithm(encryption_algs, enc_alg);
-	PFKEY_EXT_ADD(msg, sa);
-
-	sa2 = (struct sadb_x_sa2*)PFKEY_EXT_ADD_NEXT(msg);
-	sa2->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
-	sa2->sadb_x_sa2_len = PFKEY_LEN(sizeof(struct sadb_spirange));
-	sa2->sadb_x_sa2_mode = mode2kernel(mode);
-	sa2->sadb_x_sa2_reqid = reqid;
-	PFKEY_EXT_ADD(msg, sa2);
-
-	add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0);
-	add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
-
-	lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
-	lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT;
-	lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
-	lft->sadb_lifetime_allocations = lifetime->packets.rekey;
-	lft->sadb_lifetime_bytes = lifetime->bytes.rekey;
-	lft->sadb_lifetime_addtime = lifetime->time.rekey;
-	lft->sadb_lifetime_usetime = 0; /* we only use addtime */
-	PFKEY_EXT_ADD(msg, lft);
-
-	lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
-	lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
-	lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
-	lft->sadb_lifetime_allocations = lifetime->packets.life;
-	lft->sadb_lifetime_bytes = lifetime->bytes.life;
-	lft->sadb_lifetime_addtime = lifetime->time.life;
-	lft->sadb_lifetime_usetime = 0; /* we only use addtime */
-	PFKEY_EXT_ADD(msg, lft);
-
-	if (enc_alg != ENCR_UNDEFINED)
-	{
-		if (!sa->sadb_sa_encrypt)
-		{
-			DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
-				 encryption_algorithm_names, enc_alg);
-			return FAILED;
-		}
-		DBG2(DBG_KNL, "  using encryption algorithm %N with key size %d",
-			 encryption_algorithm_names, enc_alg, enc_key.len * 8);
-
-		key = (struct sadb_key*)PFKEY_EXT_ADD_NEXT(msg);
-		key->sadb_key_exttype = SADB_EXT_KEY_ENCRYPT;
-		key->sadb_key_bits = enc_key.len * 8;
-		key->sadb_key_len = PFKEY_LEN(sizeof(struct sadb_key) + enc_key.len);
-		memcpy(key + 1, enc_key.ptr, enc_key.len);
-
-		PFKEY_EXT_ADD(msg, key);
-	}
-
-	if (int_alg != AUTH_UNDEFINED)
-	{
-		if (!sa->sadb_sa_auth)
-		{
-			DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
-					 integrity_algorithm_names, int_alg);
-			return FAILED;
-		}
-		DBG2(DBG_KNL, "  using integrity algorithm %N with key size %d",
-			 integrity_algorithm_names, int_alg, int_key.len * 8);
-
-		key = (struct sadb_key*)PFKEY_EXT_ADD_NEXT(msg);
-		key->sadb_key_exttype = SADB_EXT_KEY_AUTH;
-		key->sadb_key_bits = int_key.len * 8;
-		key->sadb_key_len = PFKEY_LEN(sizeof(struct sadb_key) + int_key.len);
-		memcpy(key + 1, int_key.ptr, int_key.len);
-
-		PFKEY_EXT_ADD(msg, key);
-	}
-
-	if (ipcomp != IPCOMP_NONE)
-	{
-		/*TODO*/
-	}
-
-#ifdef HAVE_NATT
-	if (encap)
-	{
-		add_encap_ext(msg, src, dst);
-	}
-#endif /*HAVE_NATT*/
-
-	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
-	{
-		DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x", ntohl(spi));
-		return FAILED;
-	}
-	else if (out->sadb_msg_errno)
-	{
-		DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x: %s (%d)",
-				ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
-		free(out);
-		return FAILED;
-	}
-
-	free(out);
-	return SUCCESS;
-}
-
-/**
- * Implementation of kernel_interface_t.update_sa.
- */
-static status_t update_sa(private_kernel_pfkey_ipsec_t *this,
-						  u_int32_t spi, protocol_id_t protocol, u_int16_t cpi,
-						  host_t *src, host_t *dst,
-						  host_t *new_src, host_t *new_dst,
-						  bool encap, bool new_encap)
-{
-	unsigned char request[PFKEY_BUFFER_SIZE];
-	struct sadb_msg *msg, *out;
-	struct sadb_sa *sa;
-	pfkey_msg_t response;
-	size_t len;
-
-	/* we can't update the SA if any of the ip addresses have changed.
-	 * that's because we can't use SADB_UPDATE and by deleting and readding the
-	 * SA the sequence numbers would get lost */
-	if (!src->ip_equals(src, new_src) ||
-		!dst->ip_equals(dst, new_dst))
-	{
-		DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x: address changes"
-				" are not supported", ntohl(spi));
-		return NOT_SUPPORTED;
-	}
-
-	memset(&request, 0, sizeof(request));
-
-	DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi));
-
-	msg = (struct sadb_msg*)request;
-	msg->sadb_msg_version = PF_KEY_V2;
-	msg->sadb_msg_type = SADB_GET;
-	msg->sadb_msg_satype = proto_ike2satype(protocol);
-	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
-
-	sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
-	sa->sadb_sa_exttype = SADB_EXT_SA;
-	sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
-	sa->sadb_sa_spi = spi;
-	PFKEY_EXT_ADD(msg, sa);
-
-	/* the kernel wants a SADB_EXT_ADDRESS_SRC to be present even though
-	 * it is not used for anything. */
-	add_anyaddr_ext(msg, dst->get_family(dst), SADB_EXT_ADDRESS_SRC);
-	add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
-
-	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
-	{
-		DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x",
-				ntohl(spi));
-		return FAILED;
-	}
-	else if (out->sadb_msg_errno)
-	{
-		DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x: %s (%d)",
-			ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
-		free(out);
-		return FAILED;
-	}
-	else if (parse_pfkey_message(out, &response) != SUCCESS)
-	{
-		DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x: parsing response "
-				"from kernel failed", ntohl(spi));
-		free(out);
-		return FAILED;
-	}
-
-	DBG2(DBG_KNL, "updating SAD entry with SPI %.8x from %#H..%#H to %#H..%#H",
-		 ntohl(spi), src, dst, new_src, new_dst);
-
-	memset(&request, 0, sizeof(request));
-
-	msg = (struct sadb_msg*)request;
-	msg->sadb_msg_version = PF_KEY_V2;
-	msg->sadb_msg_type = SADB_UPDATE;
-	msg->sadb_msg_satype = proto_ike2satype(protocol);
-	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
-
-#ifdef __APPLE__
-	{
-		struct sadb_sa_2 *sa_2;
-		sa_2 = (struct sadb_sa_2*)PFKEY_EXT_ADD_NEXT(msg);
-		sa_2->sa.sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa_2));
-		memcpy(&sa_2->sa, response.sa, sizeof(struct sadb_sa));
-		if (encap)
-		{
-			sa_2->sadb_sa_natt_port = new_dst->get_port(new_dst);
-			sa_2->sa.sadb_sa_flags |= SADB_X_EXT_NATT;
-		}
-	}
-#else
-	PFKEY_EXT_COPY(msg, response.sa);
-#endif
-	PFKEY_EXT_COPY(msg, response.x_sa2);
-
-	PFKEY_EXT_COPY(msg, response.src);
-	PFKEY_EXT_COPY(msg, response.dst);
-
-	PFKEY_EXT_COPY(msg, response.lft_soft);
-	PFKEY_EXT_COPY(msg, response.lft_hard);
-
-	if (response.key_encr)
-	{
-		PFKEY_EXT_COPY(msg, response.key_encr);
-	}
-
-	if (response.key_auth)
-	{
-		PFKEY_EXT_COPY(msg, response.key_auth);
-	}
-
-#ifdef HAVE_NATT
-	if (new_encap)
-	{
-		add_encap_ext(msg, new_src, new_dst);
-	}
-#endif /*HAVE_NATT*/
-
-	free(out);
-
-	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
-	{
-		DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi));
-		return FAILED;
-	}
-	else if (out->sadb_msg_errno)
-	{
-		DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x: %s (%d)",
-				ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
-		free(out);
-		return FAILED;
-	}
-	free(out);
-
-	return SUCCESS;
-}
-
-/**
- * Implementation of kernel_interface_t.query_sa.
- */
-static status_t query_sa(private_kernel_pfkey_ipsec_t *this, host_t *src,
-						 host_t *dst, u_int32_t spi, protocol_id_t protocol,
-						 u_int64_t *bytes)
-{
-	unsigned char request[PFKEY_BUFFER_SIZE];
-	struct sadb_msg *msg, *out;
-	struct sadb_sa *sa;
-	pfkey_msg_t response;
-	size_t len;
-
-	memset(&request, 0, sizeof(request));
-
-	DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi));
-
-	msg = (struct sadb_msg*)request;
-	msg->sadb_msg_version = PF_KEY_V2;
-	msg->sadb_msg_type = SADB_GET;
-	msg->sadb_msg_satype = proto_ike2satype(protocol);
-	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
-
-	sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
-	sa->sadb_sa_exttype = SADB_EXT_SA;
-	sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
-	sa->sadb_sa_spi = spi;
-	PFKEY_EXT_ADD(msg, sa);
-
-	/* the Linux Kernel doesn't care for the src address, but other systems do
-	 * (e.g. FreeBSD)
-	 */
-	add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0);
-	add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
-
-	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
-	{
-		DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi));
-		return FAILED;
-	}
-	else if (out->sadb_msg_errno)
-	{
-		DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x: %s (%d)",
-				ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
-		free(out);
-		return FAILED;
-	}
-	else if (parse_pfkey_message(out, &response) != SUCCESS)
-	{
-		DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi));
-		free(out);
-		return FAILED;
-	}
-	*bytes = response.lft_current->sadb_lifetime_bytes;
-
-	free(out);
-	return SUCCESS;
-}
-
-/**
- * Implementation of kernel_interface_t.del_sa.
- */
-static status_t del_sa(private_kernel_pfkey_ipsec_t *this, host_t *src,
-					   host_t *dst, u_int32_t spi, protocol_id_t protocol,
-					   u_int16_t cpi)
-{
-	unsigned char request[PFKEY_BUFFER_SIZE];
-	struct sadb_msg *msg, *out;
-	struct sadb_sa *sa;
-	size_t len;
-
-	memset(&request, 0, sizeof(request));
-
-	DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x", ntohl(spi));
-
-	msg = (struct sadb_msg*)request;
-	msg->sadb_msg_version = PF_KEY_V2;
-	msg->sadb_msg_type = SADB_DELETE;
-	msg->sadb_msg_satype = proto_ike2satype(protocol);
-	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
-
-	sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
-	sa->sadb_sa_exttype = SADB_EXT_SA;
-	sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
-	sa->sadb_sa_spi = spi;
-	PFKEY_EXT_ADD(msg, sa);
-
-	/* the Linux Kernel doesn't care for the src address, but other systems do
-	 * (e.g. FreeBSD)
-	 */
-	add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0);
-	add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
-
-	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
-	{
-		DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x", ntohl(spi));
-		return FAILED;
-	}
-	else if (out->sadb_msg_errno)
-	{
-		DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x: %s (%d)",
-				ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
-		free(out);
-		return FAILED;
-	}
-
-	DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x", ntohl(spi));
-	free(out);
-	return SUCCESS;
-}
-
-/**
- * Implementation of kernel_interface_t.add_policy.
- */
-static status_t add_policy(private_kernel_pfkey_ipsec_t *this,
-						   host_t *src, host_t *dst,
-						   traffic_selector_t *src_ts,
-						   traffic_selector_t *dst_ts,
-						   policy_dir_t direction, u_int32_t spi,
-						   protocol_id_t protocol, u_int32_t reqid,
-						   ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
-						   bool routed)
-{
-	unsigned char request[PFKEY_BUFFER_SIZE];
-	struct sadb_msg *msg, *out;
-	struct sadb_x_policy *pol;
-	struct sadb_x_ipsecrequest *req;
-	policy_entry_t *policy, *found = NULL;
-	pfkey_msg_t response;
-	size_t len;
-
-	if (dir2kernel(direction) == IPSEC_DIR_INVALID)
-	{
-		/* FWD policies are not supported on all platforms */
-		return SUCCESS;
-	}
-
-	/* create a policy */
-	policy = create_policy_entry(src_ts, dst_ts, direction, reqid);
-
-	/* find a matching policy */
-	this->mutex->lock(this->mutex);
-	if (this->policies->find_first(this->policies,
-			(linked_list_match_t)policy_entry_equals, (void**)&found, policy) == SUCCESS)
-	{
-		/* use existing policy */
-		found->refcount++;
-		DBG2(DBG_KNL, "policy %R === %R %N already exists, increasing "
-					  "refcount", src_ts, dst_ts,
-					   policy_dir_names, direction);
-		policy_entry_destroy(policy);
-		policy = found;
-	}
-	else
-	{
-		/* apply the new one, if we have no such policy */
-		this->policies->insert_last(this->policies, policy);
-		policy->refcount = 1;
-	}
-
-	memset(&request, 0, sizeof(request));
-
-	DBG2(DBG_KNL, "adding policy %R === %R %N", src_ts, dst_ts,
-				   policy_dir_names, direction);
-
-	msg = (struct sadb_msg*)request;
-	msg->sadb_msg_version = PF_KEY_V2;
-	msg->sadb_msg_type = found ? SADB_X_SPDUPDATE : SADB_X_SPDADD;
-	msg->sadb_msg_satype = 0;
-	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
-
-	pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
-	pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
-	pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
-	pol->sadb_x_policy_id = 0;
-	pol->sadb_x_policy_dir = dir2kernel(direction);
-	pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
-#ifdef HAVE_STRUCT_SADB_X_POLICY_SADB_X_POLICY_PRIORITY
-	/* calculate priority based on source selector size, small size = high prio */
-	pol->sadb_x_policy_priority = routed ? PRIO_LOW : PRIO_HIGH;
-	pol->sadb_x_policy_priority -= policy->src.mask * 10;
-	pol->sadb_x_policy_priority -= policy->src.proto != IPSEC_PROTO_ANY ? 2 : 0;
-	pol->sadb_x_policy_priority -= policy->src.net->get_port(policy->src.net) ? 1 : 0;
-#endif
-
-	/* one or more sadb_x_ipsecrequest extensions are added to the sadb_x_policy extension */
-	req = (struct sadb_x_ipsecrequest*)(pol + 1);
-	req->sadb_x_ipsecrequest_proto = proto_ike2ip(protocol);
-	/* !!! the length of this struct MUST be in octets instead of 64 bit words */
-	req->sadb_x_ipsecrequest_len = sizeof(struct sadb_x_ipsecrequest);
-	req->sadb_x_ipsecrequest_mode = mode2kernel(mode);
-	req->sadb_x_ipsecrequest_reqid = reqid;
-	req->sadb_x_ipsecrequest_level = IPSEC_LEVEL_UNIQUE;
-	if (mode == MODE_TUNNEL)
-	{
-		sockaddr_t *sa;
-		socklen_t sl;
-		sa = src->get_sockaddr(src);
-		sl = *src->get_sockaddr_len(src);
-		memcpy(req + 1, sa, sl);
-		sa = dst->get_sockaddr(dst);
-		memcpy((u_int8_t*)(req + 1) + sl, sa, sl);
-		req->sadb_x_ipsecrequest_len += sl * 2;
-	}
-
-	pol->sadb_x_policy_len += PFKEY_LEN(req->sadb_x_ipsecrequest_len);
-	PFKEY_EXT_ADD(msg, pol);
-
-	add_addr_ext(msg, policy->src.net, SADB_EXT_ADDRESS_SRC, policy->src.proto,
-				 policy->src.mask);
-	add_addr_ext(msg, policy->dst.net, SADB_EXT_ADDRESS_DST, policy->dst.proto,
-				 policy->dst.mask);
-
-#ifdef __FreeBSD__
-	{	/* on FreeBSD a lifetime has to be defined to be able to later query
-		 * the current use time. */
-		struct sadb_lifetime *lft;
-		lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
-		lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
-		lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
-		lft->sadb_lifetime_addtime = LONG_MAX;
-		PFKEY_EXT_ADD(msg, lft);
-	}
-#endif
-
-	this->mutex->unlock(this->mutex);
-
-	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
-	{
-		DBG1(DBG_KNL, "unable to add policy %R === %R %N", src_ts, dst_ts,
-					   policy_dir_names, direction);
-		return FAILED;
-	}
-	else if (out->sadb_msg_errno)
-	{
-		DBG1(DBG_KNL, "unable to add policy %R === %R %N: %s (%d)", src_ts, dst_ts,
-					   policy_dir_names, direction,
-					   strerror(out->sadb_msg_errno), out->sadb_msg_errno);
-		free(out);
-		return FAILED;
-	}
-	else if (parse_pfkey_message(out, &response) != SUCCESS)
-	{
-		DBG1(DBG_KNL, "unable to add policy %R === %R %N: parsing response "
-				"from kernel failed", src_ts, dst_ts, policy_dir_names, direction);
-		free(out);
-		return FAILED;
-	}
-
-	this->mutex->lock(this->mutex);
-
-	/* we try to find the policy again and update the kernel index */
-	if (this->policies->find_last(this->policies, NULL, (void**)&policy) != SUCCESS)
-	{
-		DBG2(DBG_KNL, "unable to update index, the policy %R === %R %N is "
-				"already gone, ignoring", src_ts, dst_ts, policy_dir_names, direction);
-		this->mutex->unlock(this->mutex);
-		free(out);
-		return SUCCESS;
-	}
-	policy->index = response.x_policy->sadb_x_policy_id;
-	free(out);
-
-	/* install a route, if:
-	 * - we are NOT updating a policy
-	 * - this is a forward policy (to just get one for each child)
-	 * - we are in tunnel mode
-	 * - we are not using IPv6 (does not work correctly yet!)
-	 * - routing is not disabled via strongswan.conf
-	 */
-	if (policy->route == NULL && direction == POLICY_FWD &&
-		mode != MODE_TRANSPORT && src->get_family(src) != AF_INET6 &&
-		this->install_routes)
-	{
-		route_entry_t *route = malloc_thing(route_entry_t);
-
-		if (charon->kernel_interface->get_address_by_ts(charon->kernel_interface,
-				dst_ts, &route->src_ip) == SUCCESS)
-		{
-			/* get the nexthop to src (src as we are in POLICY_FWD).*/
-			route->gateway = charon->kernel_interface->get_nexthop(
-									charon->kernel_interface, src);
-			route->if_name = charon->kernel_interface->get_interface(
-									charon->kernel_interface, dst);
-			route->dst_net = chunk_clone(policy->src.net->get_address(policy->src.net));
-			route->prefixlen = policy->src.mask;
-
-			switch (charon->kernel_interface->add_route(charon->kernel_interface,
-					route->dst_net, route->prefixlen, route->gateway,
-					route->src_ip, route->if_name))
-			{
-				default:
-					DBG1(DBG_KNL, "unable to install source route for %H",
-						 route->src_ip);
-					/* FALL */
-				case ALREADY_DONE:
-					/* route exists, do not uninstall */
-					route_entry_destroy(route);
-					break;
-				case SUCCESS:
-					/* cache the installed route */
-					policy->route = route;
-					break;
-			}
-		}
-		else
-		{
-			free(route);
-		}
-	}
-
-	this->mutex->unlock(this->mutex);
-
-	return SUCCESS;
-}
-
-/**
- * Implementation of kernel_interface_t.query_policy.
- */
-static status_t query_policy(private_kernel_pfkey_ipsec_t *this,
-							 traffic_selector_t *src_ts,
-							 traffic_selector_t *dst_ts,
-							 policy_dir_t direction, u_int32_t *use_time)
-{
-	unsigned char request[PFKEY_BUFFER_SIZE];
-	struct sadb_msg *msg, *out;
-	struct sadb_x_policy *pol;
-	policy_entry_t *policy, *found = NULL;
-	pfkey_msg_t response;
-	size_t len;
-
-	if (dir2kernel(direction) == IPSEC_DIR_INVALID)
-	{
-		/* FWD policies are not supported on all platforms */
-		return NOT_FOUND;
-	}
-
-	DBG2(DBG_KNL, "querying policy %R === %R %N", src_ts, dst_ts,
-				   policy_dir_names, direction);
-
-	/* create a policy */
-	policy = create_policy_entry(src_ts, dst_ts, direction, 0);
-
-	/* find a matching policy */
-	this->mutex->lock(this->mutex);
-	if (this->policies->find_first(this->policies,
-			(linked_list_match_t)policy_entry_equals, (void**)&found, policy) != SUCCESS)
-	{
-		DBG1(DBG_KNL, "querying policy %R === %R %N failed, not found", src_ts,
-					   dst_ts, policy_dir_names, direction);
-		policy_entry_destroy(policy);
-		this->mutex->unlock(this->mutex);
-		return NOT_FOUND;
-	}
-	policy_entry_destroy(policy);
-	policy = found;
-
-	memset(&request, 0, sizeof(request));
-
-	msg = (struct sadb_msg*)request;
-	msg->sadb_msg_version = PF_KEY_V2;
-	msg->sadb_msg_type = SADB_X_SPDGET;
-	msg->sadb_msg_satype = 0;
-	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
-
-	pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
-	pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
-	pol->sadb_x_policy_id = policy->index;
-	pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
-	pol->sadb_x_policy_dir = dir2kernel(direction);
-	pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
-	PFKEY_EXT_ADD(msg, pol);
-
-	add_addr_ext(msg, policy->src.net, SADB_EXT_ADDRESS_SRC, policy->src.proto,
-				 policy->src.mask);
-	add_addr_ext(msg, policy->dst.net, SADB_EXT_ADDRESS_DST, policy->dst.proto,
-				 policy->dst.mask);
-
-	this->mutex->unlock(this->mutex);
-
-	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
-	{
-		DBG1(DBG_KNL, "unable to query policy %R === %R %N", src_ts, dst_ts,
-					   policy_dir_names, direction);
-		return FAILED;
-	}
-	else if (out->sadb_msg_errno)
-	{
-		DBG1(DBG_KNL, "unable to query policy %R === %R %N: %s (%d)", src_ts,
-					   dst_ts, policy_dir_names, direction,
-					   strerror(out->sadb_msg_errno), out->sadb_msg_errno);
-		free(out);
-		return FAILED;
-	}
-	else if (parse_pfkey_message(out, &response) != SUCCESS)
-	{
-		DBG1(DBG_KNL, "unable to query policy %R === %R %N: parsing response "
-				"from kernel failed", src_ts, dst_ts, policy_dir_names, direction);
-		free(out);
-		return FAILED;
-	}
-	else if (response.lft_current == NULL)
-	{
-		DBG1(DBG_KNL, "unable to query policy %R === %R %N: kernel reports no "
-			 "use time", src_ts, dst_ts, policy_dir_names, direction);
-		free(out);
-		return FAILED;
-	}
-	/* we need the monotonic time, but the kernel returns system time. */
-	if (response.lft_current->sadb_lifetime_usetime)
-	{
-		*use_time = time_monotonic(NULL) -
-					(time(NULL) - response.lft_current->sadb_lifetime_usetime);
-	}
-	else
-	{
-		*use_time = 0;
-	}
-	free(out);
-
-	return SUCCESS;
-}
-
-/**
- * Implementation of kernel_interface_t.del_policy.
- */
-static status_t del_policy(private_kernel_pfkey_ipsec_t *this,
-						   traffic_selector_t *src_ts,
-						   traffic_selector_t *dst_ts,
-						   policy_dir_t direction, bool unrouted)
-{
-	unsigned char request[PFKEY_BUFFER_SIZE];
-	struct sadb_msg *msg, *out;
-	struct sadb_x_policy *pol;
-	policy_entry_t *policy, *found = NULL;
-	route_entry_t *route;
-	size_t len;
-
-	if (dir2kernel(direction) == IPSEC_DIR_INVALID)
-	{
-		/* FWD policies are not supported on all platforms */
-		return SUCCESS;
-	}
-
-	DBG2(DBG_KNL, "deleting policy %R === %R %N", src_ts, dst_ts,
-				   policy_dir_names, direction);
-
-	/* create a policy */
-	policy = create_policy_entry(src_ts, dst_ts, direction, 0);
-
-	/* find a matching policy */
-	this->mutex->lock(this->mutex);
-	if (this->policies->find_first(this->policies,
-			(linked_list_match_t)policy_entry_equals, (void**)&found, policy) == SUCCESS)
-	{
-		if (--found->refcount > 0)
-		{
-			/* is used by more SAs, keep in kernel */
-			DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed");
-			policy_entry_destroy(policy);
-			this->mutex->unlock(this->mutex);
-			return SUCCESS;
-		}
-		/* remove if last reference */
-		this->policies->remove(this->policies, found, NULL);
-		policy_entry_destroy(policy);
-		policy = found;
-	}
-	else
-	{
-		DBG1(DBG_KNL, "deleting policy %R === %R %N failed, not found", src_ts,
-					   dst_ts, policy_dir_names, direction);
-		policy_entry_destroy(policy);
-		this->mutex->unlock(this->mutex);
-		return NOT_FOUND;
-	}
-	this->mutex->unlock(this->mutex);
-
-	memset(&request, 0, sizeof(request));
-
-	msg = (struct sadb_msg*)request;
-	msg->sadb_msg_version = PF_KEY_V2;
-	msg->sadb_msg_type = SADB_X_SPDDELETE;
-	msg->sadb_msg_satype = 0;
-	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
-
-	pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
-	pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
-	pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
-	pol->sadb_x_policy_dir = dir2kernel(direction);
-	pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
-	PFKEY_EXT_ADD(msg, pol);
-
-	add_addr_ext(msg, policy->src.net, SADB_EXT_ADDRESS_SRC, policy->src.proto,
-				 policy->src.mask);
-	add_addr_ext(msg, policy->dst.net, SADB_EXT_ADDRESS_DST, policy->dst.proto,
-				 policy->dst.mask);
-
-	route = policy->route;
-	policy->route = NULL;
-	policy_entry_destroy(policy);
-
-	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
-	{
-		DBG1(DBG_KNL, "unable to delete policy %R === %R %N", src_ts, dst_ts,
-					   policy_dir_names, direction);
-		return FAILED;
-	}
-	else if (out->sadb_msg_errno)
-	{
-		DBG1(DBG_KNL, "unable to delete policy %R === %R %N: %s (%d)", src_ts,
-					   dst_ts, policy_dir_names, direction,
-					   strerror(out->sadb_msg_errno), out->sadb_msg_errno);
-		free(out);
-		return FAILED;
-	}
-	free(out);
-
-	if (route)
-	{
-		if (charon->kernel_interface->del_route(charon->kernel_interface,
-				route->dst_net, route->prefixlen, route->gateway,
-				route->src_ip, route->if_name) != SUCCESS)
-		{
-			DBG1(DBG_KNL, "error uninstalling route installed with "
-						  "policy %R === %R %N", src_ts, dst_ts,
-						   policy_dir_names, direction);
-		}
-		route_entry_destroy(route);
-	}
-
-	return SUCCESS;
-}
-
-/**
- * Register a socket for AQUIRE/EXPIRE messages
- */
-static status_t register_pfkey_socket(private_kernel_pfkey_ipsec_t *this, u_int8_t satype)
-{
-	unsigned char request[PFKEY_BUFFER_SIZE];
-	struct sadb_msg *msg, *out;
-	size_t len;
-
-	memset(&request, 0, sizeof(request));
-
-	msg = (struct sadb_msg*)request;
-	msg->sadb_msg_version = PF_KEY_V2;
-	msg->sadb_msg_type = SADB_REGISTER;
-	msg->sadb_msg_satype = satype;
-	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
-
-	if (pfkey_send_socket(this, this->socket_events, msg, &out, &len) != SUCCESS)
-	{
-		DBG1(DBG_KNL, "unable to register PF_KEY socket");
-		return FAILED;
-	}
-	else if (out->sadb_msg_errno)
-	{
-		DBG1(DBG_KNL, "unable to register PF_KEY socket: %s (%d)",
-					   strerror(out->sadb_msg_errno), out->sadb_msg_errno);
-		free(out);
-		return FAILED;
-	}
-	free(out);
-	return SUCCESS;
-}
-
-/**
- * Implementation of kernel_interface_t.destroy.
- */
-static void destroy(private_kernel_pfkey_ipsec_t *this)
-{
-	this->job->cancel(this->job);
-	close(this->socket);
-	close(this->socket_events);
-	this->policies->destroy_function(this->policies, (void*)policy_entry_destroy);
-	this->mutex->destroy(this->mutex);
-	this->mutex_pfkey->destroy(this->mutex_pfkey);
-	free(this);
-}
-
-/**
- * Add bypass policies for IKE on the sockets of charon
- */
-static bool add_bypass_policies(private_kernel_pfkey_ipsec_t *this)
-{
-	int fd, family, port;
-	enumerator_t *sockets;
-	bool status = TRUE;
-
-	sockets = charon->socket->create_enumerator(charon->socket);
-	while (sockets->enumerate(sockets, &fd, &family, &port))
-	{
-		struct sadb_x_policy policy;
-		u_int sol, ipsec_policy;
-
-		switch (family)
-		{
-			case AF_INET:
-			{
-				sol = SOL_IP;
-				ipsec_policy = IP_IPSEC_POLICY;
-				break;
-			}
-			case AF_INET6:
-			{
-				sol = SOL_IPV6;
-				ipsec_policy = IPV6_IPSEC_POLICY;
-				break;
-			}
-			default:
-				continue;
-		}
-
-		memset(&policy, 0, sizeof(policy));
-		policy.sadb_x_policy_len = sizeof(policy) / sizeof(u_int64_t);
-		policy.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
-		policy.sadb_x_policy_type = IPSEC_POLICY_BYPASS;
-
-		policy.sadb_x_policy_dir = IPSEC_DIR_OUTBOUND;
-		if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
-		{
-			DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
-				 strerror(errno));
-			status = FALSE;
-			break;
-		}
-		policy.sadb_x_policy_dir = IPSEC_DIR_INBOUND;
-		if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
-		{
-			DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
-				 strerror(errno));
-			status = FALSE;
-			break;
-		}
-	}
-	sockets->destroy(sockets);
-	return status;
-}
-
-/*
- * Described in header.
- */
-kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create()
-{
-	private_kernel_pfkey_ipsec_t *this = malloc_thing(private_kernel_pfkey_ipsec_t);
-
-	/* public functions */
-	this->public.interface.get_spi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,protocol_id_t,u_int32_t,u_int32_t*))get_spi;
-	this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
-	this->public.interface.add_sa  = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,lifetime_cfg_t*,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool,traffic_selector_t*,traffic_selector_t*))add_sa;
-	this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa;
-	this->public.interface.query_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int64_t*))query_sa;
-	this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
-	this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t,protocol_id_t,u_int32_t,ipsec_mode_t,u_int16_t,u_int16_t,bool))add_policy;
-	this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
-	this->public.interface.del_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,bool))del_policy;
-
-	this->public.interface.destroy = (void(*)(kernel_ipsec_t*)) destroy;
-
-	/* private members */
-	this->policies = linked_list_create();
-	this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
-	this->mutex_pfkey = mutex_create(MUTEX_TYPE_DEFAULT);
-	this->install_routes = lib->settings->get_bool(lib->settings,
-												"charon.install_routes", TRUE);
-	this->seq = 0;
-
-	/* create a PF_KEY socket to communicate with the kernel */
-	this->socket = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
-	if (this->socket <= 0)
-	{
-		charon->kill(charon, "unable to create PF_KEY socket");
-	}
-
-	/* create a PF_KEY socket for ACQUIRE & EXPIRE */
-	this->socket_events = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
-	if (this->socket_events <= 0)
-	{
-		charon->kill(charon, "unable to create PF_KEY event socket");
-	}
-
-	/* add bypass policies on the sockets used by charon */
-	if (!add_bypass_policies(this))
-	{
-		charon->kill(charon, "unable to add bypass policies on sockets");
-	}
-
-	/* register the event socket */
-	if (register_pfkey_socket(this, SADB_SATYPE_ESP) != SUCCESS ||
-		register_pfkey_socket(this, SADB_SATYPE_AH) != SUCCESS)
-	{
-		charon->kill(charon, "unable to register PF_KEY event socket");
-	}
-
-	this->job = callback_job_create((callback_job_cb_t)receive_events,
-									this, NULL, NULL);
-	charon->processor->queue_job(charon->processor, (job_t*)this->job);
-
-	return &this->public;
-}
diff --git a/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.h b/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.h
deleted file mode 100644
index 649f93733..000000000
--- a/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.h
+++ /dev/null
@@ -1,46 +0,0 @@
-/*
- * Copyright (C) 2008 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup kernel_pfkey_ipsec_i kernel_pfkey_ipsec
- * @{ @ingroup kernel_pfkey
- */
-
-#ifndef KERNEL_PFKEY_IPSEC_H_
-#define KERNEL_PFKEY_IPSEC_H_
-
-#include <kernel/kernel_ipsec.h>
-
-typedef struct kernel_pfkey_ipsec_t kernel_pfkey_ipsec_t;
-
-/**
- * Implementation of the kernel ipsec interface using PF_KEY.
- */
-struct kernel_pfkey_ipsec_t {
-
-	/**
-	 * Implements kernel_ipsec_t interface
-	 */
-	kernel_ipsec_t interface;
-};
-
-/**
- * Create a PF_KEY kernel ipsec interface instance.
- *
- * @return			kernel_pfkey_ipsec_t instance
- */
-kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create();
-
-#endif /** KERNEL_PFKEY_IPSEC_H_ @}*/
diff --git a/src/charon/plugins/kernel_pfkey/kernel_pfkey_plugin.c b/src/charon/plugins/kernel_pfkey/kernel_pfkey_plugin.c
deleted file mode 100644
index 3380c328c..000000000
--- a/src/charon/plugins/kernel_pfkey/kernel_pfkey_plugin.c
+++ /dev/null
@@ -1,56 +0,0 @@
-/*
- * Copyright (C) 2008 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-
-#include "kernel_pfkey_plugin.h"
-
-#include "kernel_pfkey_ipsec.h"
-
-#include <daemon.h>
-
-typedef struct private_kernel_pfkey_plugin_t private_kernel_pfkey_plugin_t;
-
-/**
- * private data of kernel PF_KEY plugin
- */
-struct private_kernel_pfkey_plugin_t {
-	/**
-	 * implements plugin interface
-	 */
-	kernel_pfkey_plugin_t public;
-};
-
-/**
- * Implementation of plugin_t.destroy
- */
-static void destroy(private_kernel_pfkey_plugin_t *this)
-{
-	charon->kernel_interface->remove_ipsec_interface(charon->kernel_interface, (kernel_ipsec_constructor_t)kernel_pfkey_ipsec_create);
-	free(this);
-}
-
-/*
- * see header file
- */
-plugin_t *plugin_create()
-{
-	private_kernel_pfkey_plugin_t *this = malloc_thing(private_kernel_pfkey_plugin_t);
-
-	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-
-	charon->kernel_interface->add_ipsec_interface(charon->kernel_interface, (kernel_ipsec_constructor_t)kernel_pfkey_ipsec_create);
-
-	return &this->public.plugin;
-}
diff --git a/src/charon/plugins/kernel_pfkey/kernel_pfkey_plugin.h b/src/charon/plugins/kernel_pfkey/kernel_pfkey_plugin.h
deleted file mode 100644
index 2f168aa9c..000000000
--- a/src/charon/plugins/kernel_pfkey/kernel_pfkey_plugin.h
+++ /dev/null
@@ -1,47 +0,0 @@
-/*
- * Copyright (C) 2008 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup kernel_pfkey kernel_pfkey
- * @ingroup cplugins
- *
- * @defgroup kernel_pfkey_plugin kernel_pfkey_plugin
- * @{ @ingroup kernel_pfkey
- */
-
-#ifndef KERNEL_PFKEY_PLUGIN_H_
-#define KERNEL_PFKEY_PLUGIN_H_
-
-#include <plugins/plugin.h>
-
-typedef struct kernel_pfkey_plugin_t kernel_pfkey_plugin_t;
-
-/**
- * PF_KEY kernel interface plugin
- */
-struct kernel_pfkey_plugin_t {
-
-	/**
-	 * implements plugin interface
-	 */
-	plugin_t plugin;
-};
-
-/**
- * Create a kernel_pfkey_plugin instance.
- */
-plugin_t *plugin_create();
-
-#endif /** KERNEL_PFKEY_PLUGIN_H_ @}*/
diff --git a/src/charon/plugins/kernel_pfroute/Makefile.am b/src/charon/plugins/kernel_pfroute/Makefile.am
deleted file mode 100644
index 0065d9b0a..000000000
--- a/src/charon/plugins/kernel_pfroute/Makefile.am
+++ /dev/null
@@ -1,10 +0,0 @@
-
-INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
-
-AM_CFLAGS = -rdynamic
-
-plugin_LTLIBRARIES = libstrongswan-kernel-pfroute.la
-
-libstrongswan_kernel_pfroute_la_SOURCES = kernel_pfroute_plugin.h kernel_pfroute_plugin.c \
-	kernel_pfroute_net.h kernel_pfroute_net.c
-libstrongswan_kernel_pfroute_la_LDFLAGS = -module -avoid-version
diff --git a/src/charon/plugins/kernel_pfroute/Makefile.in b/src/charon/plugins/kernel_pfroute/Makefile.in
deleted file mode 100644
index da8c7585f..000000000
--- a/src/charon/plugins/kernel_pfroute/Makefile.in
+++ /dev/null
@@ -1,572 +0,0 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
-# @configure_input@
-
-# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
-# This Makefile.in is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
-# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
-# PARTICULAR PURPOSE.
-
-@SET_MAKE@
-
-VPATH = @srcdir@
-pkgdatadir = $(datadir)/@PACKAGE@
-pkgincludedir = $(includedir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
-pkglibexecdir = $(libexecdir)/@PACKAGE@
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-install_sh_DATA = $(install_sh) -c -m 644
-install_sh_PROGRAM = $(install_sh) -c
-install_sh_SCRIPT = $(install_sh) -c
-INSTALL_HEADER = $(INSTALL_DATA)
-transform = $(program_transform_name)
-NORMAL_INSTALL = :
-PRE_INSTALL = :
-POST_INSTALL = :
-NORMAL_UNINSTALL = :
-PRE_UNINSTALL = :
-POST_UNINSTALL = :
-build_triplet = @build@
-host_triplet = @host@
-subdir = src/charon/plugins/kernel_pfroute
-DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
-ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
-	$(top_srcdir)/m4/config/ltoptions.m4 \
-	$(top_srcdir)/m4/config/ltsugar.m4 \
-	$(top_srcdir)/m4/config/ltversion.m4 \
-	$(top_srcdir)/m4/config/lt~obsolete.m4 \
-	$(top_srcdir)/m4/macros/with.m4 \
-	$(top_srcdir)/m4/macros/enable-disable.m4 \
-	$(top_srcdir)/configure.in
-am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
-	$(ACLOCAL_M4)
-mkinstalldirs = $(install_sh) -d
-CONFIG_CLEAN_FILES =
-CONFIG_CLEAN_VPATH_FILES =
-am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
-am__vpath_adj = case $$p in \
-    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
-    *) f=$$p;; \
-  esac;
-am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
-am__install_max = 40
-am__nobase_strip_setup = \
-  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
-am__nobase_strip = \
-  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
-am__nobase_list = $(am__nobase_strip_setup); \
-  for p in $$list; do echo "$$p $$p"; done | \
-  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
-  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
-    if (++n[$$2] == $(am__install_max)) \
-      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
-    END { for (dir in files) print dir, files[dir] }'
-am__base_list = \
-  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
-  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
-am__installdirs = "$(DESTDIR)$(plugindir)"
-LTLIBRARIES = $(plugin_LTLIBRARIES)
-libstrongswan_kernel_pfroute_la_LIBADD =
-am_libstrongswan_kernel_pfroute_la_OBJECTS = kernel_pfroute_plugin.lo \
-	kernel_pfroute_net.lo
-libstrongswan_kernel_pfroute_la_OBJECTS =  \
-	$(am_libstrongswan_kernel_pfroute_la_OBJECTS)
-libstrongswan_kernel_pfroute_la_LINK = $(LIBTOOL) --tag=CC \
-	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
-	$(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_kernel_pfroute_la_LDFLAGS) $(LDFLAGS) -o $@
-DEFAULT_INCLUDES = -I.@am__isrc@
-depcomp = $(SHELL) $(top_srcdir)/depcomp
-am__depfiles_maybe = depfiles
-am__mv = mv -f
-COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
-	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
-SOURCES = $(libstrongswan_kernel_pfroute_la_SOURCES)
-DIST_SOURCES = $(libstrongswan_kernel_pfroute_la_SOURCES)
-ETAGS = etags
-CTAGS = ctags
-DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
-ACLOCAL = @ACLOCAL@
-ALLOCA = @ALLOCA@
-AMTAR = @AMTAR@
-AR = @AR@
-AUTOCONF = @AUTOCONF@
-AUTOHEADER = @AUTOHEADER@
-AUTOMAKE = @AUTOMAKE@
-AWK = @AWK@
-BTLIB = @BTLIB@
-CC = @CC@
-CCDEPMODE = @CCDEPMODE@
-CFLAGS = @CFLAGS@
-CPP = @CPP@
-CPPFLAGS = @CPPFLAGS@
-CYGPATH_W = @CYGPATH_W@
-DEFS = @DEFS@
-DEPDIR = @DEPDIR@
-DLLIB = @DLLIB@
-DSYMUTIL = @DSYMUTIL@
-DUMPBIN = @DUMPBIN@
-ECHO_C = @ECHO_C@
-ECHO_N = @ECHO_N@
-ECHO_T = @ECHO_T@
-EGREP = @EGREP@
-EXEEXT = @EXEEXT@
-FGREP = @FGREP@
-GPERF = @GPERF@
-GREP = @GREP@
-INSTALL = @INSTALL@
-INSTALL_DATA = @INSTALL_DATA@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@
-INSTALL_SCRIPT = @INSTALL_SCRIPT@
-INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-LD = @LD@
-LDFLAGS = @LDFLAGS@
-LEX = @LEX@
-LEXLIB = @LEXLIB@
-LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBOBJS = @LIBOBJS@
-LIBS = @LIBS@
-LIBTOOL = @LIBTOOL@
-LIPO = @LIPO@
-LN_S = @LN_S@
-LTLIBOBJS = @LTLIBOBJS@
-MAKEINFO = @MAKEINFO@
-MKDIR_P = @MKDIR_P@
-MYSQLCFLAG = @MYSQLCFLAG@
-MYSQLCONFIG = @MYSQLCONFIG@
-MYSQLLIB = @MYSQLLIB@
-NM = @NM@
-NMEDIT = @NMEDIT@
-OBJDUMP = @OBJDUMP@
-OBJEXT = @OBJEXT@
-OTOOL = @OTOOL@
-OTOOL64 = @OTOOL64@
-PACKAGE = @PACKAGE@
-PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
-PACKAGE_NAME = @PACKAGE_NAME@
-PACKAGE_STRING = @PACKAGE_STRING@
-PACKAGE_TARNAME = @PACKAGE_TARNAME@
-PACKAGE_URL = @PACKAGE_URL@
-PACKAGE_VERSION = @PACKAGE_VERSION@
-PATH_SEPARATOR = @PATH_SEPARATOR@
-PERL = @PERL@
-PKG_CONFIG = @PKG_CONFIG@
-PTHREADLIB = @PTHREADLIB@
-RANLIB = @RANLIB@
-RTLIB = @RTLIB@
-RUBY = @RUBY@
-RUBYINCLUDE = @RUBYINCLUDE@
-SED = @SED@
-SET_MAKE = @SET_MAKE@
-SHELL = @SHELL@
-SOCKLIB = @SOCKLIB@
-STRIP = @STRIP@
-VERSION = @VERSION@
-YACC = @YACC@
-YFLAGS = @YFLAGS@
-abs_builddir = @abs_builddir@
-abs_srcdir = @abs_srcdir@
-abs_top_builddir = @abs_top_builddir@
-abs_top_srcdir = @abs_top_srcdir@
-ac_ct_CC = @ac_ct_CC@
-ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
-am__include = @am__include@
-am__leading_dot = @am__leading_dot@
-am__quote = @am__quote@
-am__tar = @am__tar@
-am__untar = @am__untar@
-bindir = @bindir@
-build = @build@
-build_alias = @build_alias@
-build_cpu = @build_cpu@
-build_os = @build_os@
-build_vendor = @build_vendor@
-builddir = @builddir@
-datadir = @datadir@
-datarootdir = @datarootdir@
-default_pkcs11 = @default_pkcs11@
-docdir = @docdir@
-dvidir = @dvidir@
-exec_prefix = @exec_prefix@
-gtk_CFLAGS = @gtk_CFLAGS@
-gtk_LIBS = @gtk_LIBS@
-host = @host@
-host_alias = @host_alias@
-host_cpu = @host_cpu@
-host_os = @host_os@
-host_vendor = @host_vendor@
-htmldir = @htmldir@
-includedir = @includedir@
-infodir = @infodir@
-install_sh = @install_sh@
-ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
-ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
-ipsecuser = @ipsecuser@
-libdir = @libdir@
-libexecdir = @libexecdir@
-libstrongswan_plugins = @libstrongswan_plugins@
-linux_headers = @linux_headers@
-localedir = @localedir@
-localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
-mandir = @mandir@
-mkdir_p = @mkdir_p@
-nm_CFLAGS = @nm_CFLAGS@
-nm_LIBS = @nm_LIBS@
-nm_ca_dir = @nm_ca_dir@
-oldincludedir = @oldincludedir@
-pdfdir = @pdfdir@
-piddir = @piddir@
-plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
-prefix = @prefix@
-program_transform_name = @program_transform_name@
-psdir = @psdir@
-random_device = @random_device@
-resolv_conf = @resolv_conf@
-routing_table = @routing_table@
-routing_table_prio = @routing_table_prio@
-sbindir = @sbindir@
-sharedstatedir = @sharedstatedir@
-srcdir = @srcdir@
-strongswan_conf = @strongswan_conf@
-sysconfdir = @sysconfdir@
-target_alias = @target_alias@
-top_build_prefix = @top_build_prefix@
-top_builddir = @top_builddir@
-top_srcdir = @top_srcdir@
-urandom_device = @urandom_device@
-xml_CFLAGS = @xml_CFLAGS@
-xml_LIBS = @xml_LIBS@
-INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
-AM_CFLAGS = -rdynamic
-plugin_LTLIBRARIES = libstrongswan-kernel-pfroute.la
-libstrongswan_kernel_pfroute_la_SOURCES = kernel_pfroute_plugin.h kernel_pfroute_plugin.c \
-	kernel_pfroute_net.h kernel_pfroute_net.c
-
-libstrongswan_kernel_pfroute_la_LDFLAGS = -module -avoid-version
-all: all-am
-
-.SUFFIXES:
-.SUFFIXES: .c .lo .o .obj
-$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
-	@for dep in $?; do \
-	  case '$(am__configure_deps)' in \
-	    *$$dep*) \
-	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
-	        && { if test -f $@; then exit 0; else break; fi; }; \
-	      exit 1;; \
-	  esac; \
-	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/charon/plugins/kernel_pfroute/Makefile'; \
-	$(am__cd) $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu src/charon/plugins/kernel_pfroute/Makefile
-.PRECIOUS: Makefile
-Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
-	@case '$?' in \
-	  *config.status*) \
-	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
-	  *) \
-	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
-	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
-	esac;
-
-$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-
-$(top_srcdir)/configure:  $(am__configure_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(am__aclocal_m4_deps):
-install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
-	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
-	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
-	list2=; for p in $$list; do \
-	  if test -f $$p; then \
-	    list2="$$list2 $$p"; \
-	  else :; fi; \
-	done; \
-	test -z "$$list2" || { \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
-	}
-
-uninstall-pluginLTLIBRARIES:
-	@$(NORMAL_UNINSTALL)
-	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
-	for p in $$list; do \
-	  $(am__strip_dir) \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
-	done
-
-clean-pluginLTLIBRARIES:
-	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
-	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
-	  test "$$dir" != "$$p" || dir=.; \
-	  echo "rm -f \"$${dir}/so_locations\""; \
-	  rm -f "$${dir}/so_locations"; \
-	done
-libstrongswan-kernel-pfroute.la: $(libstrongswan_kernel_pfroute_la_OBJECTS) $(libstrongswan_kernel_pfroute_la_DEPENDENCIES) 
-	$(libstrongswan_kernel_pfroute_la_LINK) -rpath $(plugindir) $(libstrongswan_kernel_pfroute_la_OBJECTS) $(libstrongswan_kernel_pfroute_la_LIBADD) $(LIBS)
-
-mostlyclean-compile:
-	-rm -f *.$(OBJEXT)
-
-distclean-compile:
-	-rm -f *.tab.c
-
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_pfroute_net.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_pfroute_plugin.Plo@am__quote@
-
-.c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
-
-.c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
-
-.c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
-
-mostlyclean-libtool:
-	-rm -f *.lo
-
-clean-libtool:
-	-rm -rf .libs _libs
-
-ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
-	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	mkid -fID $$unique
-tags: TAGS
-
-TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	set x; \
-	here=`pwd`; \
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	shift; \
-	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
-	  test -n "$$unique" || unique=$$empty_fix; \
-	  if test $$# -gt 0; then \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      "$$@" $$unique; \
-	  else \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      $$unique; \
-	  fi; \
-	fi
-ctags: CTAGS
-CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$unique" \
-	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$unique
-
-GTAGS:
-	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && $(am__cd) $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) "$$here"
-
-distclean-tags:
-	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
-
-distdir: $(DISTFILES)
-	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	list='$(DISTFILES)'; \
-	  dist_files=`for file in $$list; do echo $$file; done | \
-	  sed -e "s|^$$srcdirstrip/||;t" \
-	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
-	case $$dist_files in \
-	  */*) $(MKDIR_P) `echo "$$dist_files" | \
-			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
-			   sort -u` ;; \
-	esac; \
-	for file in $$dist_files; do \
-	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  if test -d $$d/$$file; then \
-	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
-	    if test -d "$(distdir)/$$file"; then \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
-	  else \
-	    test -f "$(distdir)/$$file" \
-	    || cp -p $$d/$$file "$(distdir)/$$file" \
-	    || exit 1; \
-	  fi; \
-	done
-check-am: all-am
-check: check-am
-all-am: Makefile $(LTLIBRARIES)
-installdirs:
-	for dir in "$(DESTDIR)$(plugindir)"; do \
-	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
-	done
-install: install-am
-install-exec: install-exec-am
-install-data: install-data-am
-uninstall: uninstall-am
-
-install-am: all-am
-	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
-
-installcheck: installcheck-am
-install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
-mostlyclean-generic:
-
-clean-generic:
-
-distclean-generic:
-	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
-
-maintainer-clean-generic:
-	@echo "This command is intended for maintainers to use"
-	@echo "it deletes files that may require special tools to rebuild."
-clean: clean-am
-
-clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
-	mostlyclean-am
-
-distclean: distclean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-distclean-am: clean-am distclean-compile distclean-generic \
-	distclean-tags
-
-dvi: dvi-am
-
-dvi-am:
-
-html: html-am
-
-html-am:
-
-info: info-am
-
-info-am:
-
-install-data-am: install-pluginLTLIBRARIES
-
-install-dvi: install-dvi-am
-
-install-dvi-am:
-
-install-exec-am:
-
-install-html: install-html-am
-
-install-html-am:
-
-install-info: install-info-am
-
-install-info-am:
-
-install-man:
-
-install-pdf: install-pdf-am
-
-install-pdf-am:
-
-install-ps: install-ps-am
-
-install-ps-am:
-
-installcheck-am:
-
-maintainer-clean: maintainer-clean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-maintainer-clean-am: distclean-am maintainer-clean-generic
-
-mostlyclean: mostlyclean-am
-
-mostlyclean-am: mostlyclean-compile mostlyclean-generic \
-	mostlyclean-libtool
-
-pdf: pdf-am
-
-pdf-am:
-
-ps: ps-am
-
-ps-am:
-
-uninstall-am: uninstall-pluginLTLIBRARIES
-
-.MAKE: install-am install-strip
-
-.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
-	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
-	distclean-compile distclean-generic distclean-libtool \
-	distclean-tags distdir dvi dvi-am html html-am info info-am \
-	install install-am install-data install-data-am install-dvi \
-	install-dvi-am install-exec install-exec-am install-html \
-	install-html-am install-info install-info-am install-man \
-	install-pdf install-pdf-am install-pluginLTLIBRARIES \
-	install-ps install-ps-am install-strip installcheck \
-	installcheck-am installdirs maintainer-clean \
-	maintainer-clean-generic mostlyclean mostlyclean-compile \
-	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
-
-
-# Tell versions [3.59,3.63) of GNU make to not export all variables.
-# Otherwise a system limit (for SysV at least) may be exceeded.
-.NOEXPORT:
diff --git a/src/charon/plugins/kernel_pfroute/kernel_pfroute_net.c b/src/charon/plugins/kernel_pfroute/kernel_pfroute_net.c
deleted file mode 100644
index 9f1baf5b5..000000000
--- a/src/charon/plugins/kernel_pfroute/kernel_pfroute_net.c
+++ /dev/null
@@ -1,712 +0,0 @@
-/*
- * Copyright (C) 2009 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <net/if.h>
-#include <ifaddrs.h>
-#include <net/route.h>
-#include <unistd.h>
-#include <errno.h>
-
-#include "kernel_pfroute_net.h"
-
-#include <daemon.h>
-#include <utils/host.h>
-#include <threading/thread.h>
-#include <threading/mutex.h>
-#include <utils/linked_list.h>
-#include <processing/jobs/callback_job.h>
-#include <processing/jobs/roam_job.h>
-
-#ifndef HAVE_STRUCT_SOCKADDR_SA_LEN
-#error Cannot compile this plugin on systems where 'struct sockaddr' has no sa_len member.
-#endif
-
-/** delay before firing roam jobs (ms) */
-#define ROAM_DELAY 100
-
-/** buffer size for PF_ROUTE messages */
-#define PFROUTE_BUFFER_SIZE 4096
-
-typedef struct addr_entry_t addr_entry_t;
-
-/**
- * IP address in an inface_entry_t
- */
-struct addr_entry_t {
-
-	/** The ip address */
-	host_t *ip;
-
-	/** virtual IP managed by us */
-	bool virtual;
-
-	/** Number of times this IP is used, if virtual */
-	u_int refcount;
-};
-
-/**
- * destroy a addr_entry_t object
- */
-static void addr_entry_destroy(addr_entry_t *this)
-{
-	this->ip->destroy(this->ip);
-	free(this);
-}
-
-typedef struct iface_entry_t iface_entry_t;
-
-/**
- * A network interface on this system, containing addr_entry_t's
- */
-struct iface_entry_t {
-
-	/** interface index */
-	int ifindex;
-
-	/** name of the interface */
-	char ifname[IFNAMSIZ];
-
-	/** interface flags, as in netdevice(7) SIOCGIFFLAGS */
-	u_int flags;
-
-	/** list of addresses as host_t */
-	linked_list_t *addrs;
-};
-
-/**
- * destroy an interface entry
- */
-static void iface_entry_destroy(iface_entry_t *this)
-{
-	this->addrs->destroy_function(this->addrs, (void*)addr_entry_destroy);
-	free(this);
-}
-
-
-typedef struct private_kernel_pfroute_net_t private_kernel_pfroute_net_t;
-
-/**
- * Private variables and functions of kernel_pfroute class.
- */
-struct private_kernel_pfroute_net_t
-{
-	/**
-	 * Public part of the kernel_pfroute_t object.
-	 */
-	kernel_pfroute_net_t public;
-
-	/**
-	 * mutex to lock access to various lists
-	 */
-	mutex_t *mutex;
-
-	/**
-	 * Cached list of interfaces and their addresses (iface_entry_t)
-	 */
-	linked_list_t *ifaces;
-
-	/**
-	 * job receiving PF_ROUTE events
-	 */
-	callback_job_t *job;
-
-	/**
-	 * mutex to lock access to the PF_ROUTE socket
-	 */
-	mutex_t *mutex_pfroute;
-
-	/**
-	 * PF_ROUTE socket to communicate with the kernel
-	 */
-	int socket;
-
-	/**
-	 * PF_ROUTE socket to receive events
-	 */
-	int socket_events;
-
-	/**
-	 * sequence number for messages sent to the kernel
-	 */
-	int seq;
-
-	/**
-	 * time of last roam job
-	 */
-	timeval_t last_roam;
-};
-
-/**
- * Start a roaming job. We delay it a bit and fire only one job
- * for multiple events. Otherwise we would create too many jobs.
- */
-static void fire_roam_job(private_kernel_pfroute_net_t *this, bool address)
-{
-	timeval_t now;
-
-	time_monotonic(&now);
-	if (timercmp(&now, &this->last_roam, >))
-	{
-		now.tv_usec += ROAM_DELAY * 1000;
-		while (now.tv_usec > 1000000)
-		{
-			now.tv_sec++;
-			now.tv_usec -= 1000000;
-		}
-		this->last_roam = now;
-		charon->scheduler->schedule_job_ms(charon->scheduler,
-			(job_t*)roam_job_create(address), ROAM_DELAY);
-	}
-}
-
-/**
- * Process an RTM_*ADDR message from the kernel
- */
-static void process_addr(private_kernel_pfroute_net_t *this,
-						 struct rt_msghdr *msg)
-{
-	struct ifa_msghdr *ifa = (struct ifa_msghdr*)msg;
-	sockaddr_t *sockaddr = (sockaddr_t*)(ifa + 1);
-	host_t *host = NULL;
-	enumerator_t *ifaces, *addrs;
-	iface_entry_t *iface;
-	addr_entry_t *addr;
-	bool found = FALSE, changed = FALSE, roam = FALSE;
-	int i;
-
-	for (i = 1; i < (1 << RTAX_MAX); i <<= 1)
-	{
-		if (ifa->ifam_addrs & i)
-		{
-			if (RTA_IFA & i)
-			{
-				host = host_create_from_sockaddr(sockaddr);
-				break;
-			}
-			sockaddr = (sockaddr_t*)((char*)sockaddr + sockaddr->sa_len);
-		}
-	}
-
-	if (!host)
-	{
-		return;
-	}
-
-	this->mutex->lock(this->mutex);
-	ifaces = this->ifaces->create_enumerator(this->ifaces);
-	while (ifaces->enumerate(ifaces, &iface))
-	{
-		if (iface->ifindex == ifa->ifam_index)
-		{
-			addrs = iface->addrs->create_enumerator(iface->addrs);
-			while (addrs->enumerate(addrs, &addr))
-			{
-				if (host->ip_equals(host, addr->ip))
-				{
-					found = TRUE;
-					if (ifa->ifam_type == RTM_DELADDR)
-					{
-						iface->addrs->remove_at(iface->addrs, addrs);
-						if (!addr->virtual)
-						{
-							changed = TRUE;
-							DBG1(DBG_KNL, "%H disappeared from %s",
-								 host, iface->ifname);
-						}
-						addr_entry_destroy(addr);
-					}
-					else if (ifa->ifam_type == RTM_NEWADDR && addr->virtual)
-					{
-						addr->refcount = 1;
-					}
-				}
-			}
-			addrs->destroy(addrs);
-
-			if (!found && ifa->ifam_type == RTM_NEWADDR)
-			{
-				changed = TRUE;
-				addr = malloc_thing(addr_entry_t);
-				addr->ip = host->clone(host);
-				addr->virtual = FALSE;
-				addr->refcount = 1;
-				iface->addrs->insert_last(iface->addrs, addr);
-				DBG1(DBG_KNL, "%H appeared on %s", host, iface->ifname);
-			}
-
-			if (changed && (iface->flags & IFF_UP))
-			{
-				roam = TRUE;
-			}
-			break;
-		}
-	}
-	ifaces->destroy(ifaces);
-	this->mutex->unlock(this->mutex);
-	host->destroy(host);
-
-	if (roam)
-	{
-		fire_roam_job(this, TRUE);
-	}
-}
-
-/**
- * Process an RTM_IFINFO message from the kernel
- */
-static void process_link(private_kernel_pfroute_net_t *this,
-						 struct rt_msghdr *hdr)
-{
-	struct if_msghdr *msg = (struct if_msghdr*)hdr;
-	enumerator_t *enumerator;
-	iface_entry_t *iface;
-	bool roam = FALSE;
-
-	if (msg->ifm_flags & IFF_LOOPBACK)
-	{	/* ignore loopback interfaces */
-		return;
-	}
-
-	this->mutex->lock(this->mutex);
-	enumerator = this->ifaces->create_enumerator(this->ifaces);
-	while (enumerator->enumerate(enumerator, &iface))
-	{
-		if (iface->ifindex == msg->ifm_index)
-		{
-			if (!(iface->flags & IFF_UP) && (msg->ifm_flags & IFF_UP))
-			{
-				roam = TRUE;
-				DBG1(DBG_KNL, "interface %s activated", iface->ifname);
-			}
-			else if ((iface->flags & IFF_UP) && !(msg->ifm_flags & IFF_UP))
-			{
-				roam = TRUE;
-				DBG1(DBG_KNL, "interface %s deactivated", iface->ifname);
-			}
-			iface->flags = msg->ifm_flags;
-			break;
-		}
-	}
-	enumerator->destroy(enumerator);
-	this->mutex->unlock(this->mutex);
-
-	if (roam)
-	{
-		fire_roam_job(this, TRUE);
-	}
-}
-
-/**
- * Process an RTM_*ROUTE message from the kernel
- */
-static void process_route(private_kernel_pfroute_net_t *this,
-						  struct rt_msghdr *msg)
-{
-
-}
-
-/**
- * Receives events from kernel
- */
-static job_requeue_t receive_events(private_kernel_pfroute_net_t *this)
-{
-	unsigned char buf[PFROUTE_BUFFER_SIZE];
-	struct rt_msghdr *msg = (struct rt_msghdr*)buf;
-	int len;
-	bool oldstate;
-
-	oldstate = thread_cancelability(TRUE);
-	len = recvfrom(this->socket_events, buf, sizeof(buf), 0, NULL, 0);
-	thread_cancelability(oldstate);
-
-	if (len < 0)
-	{
-		switch (errno)
-		{
-			case EINTR:
-				/* interrupted, try again */
-				return JOB_REQUEUE_DIRECT;
-			case EAGAIN:
-				/* no data ready, select again */
-				return JOB_REQUEUE_DIRECT;
-			default:
-				DBG1(DBG_KNL, "unable to receive from PF_ROUTE event socket");
-				sleep(1);
-				return JOB_REQUEUE_FAIR;
-		}
-	}
-
-	if (len < sizeof(msg->rtm_msglen) || len < msg->rtm_msglen ||
-		msg->rtm_version != RTM_VERSION)
-	{
-		DBG2(DBG_KNL, "received corrupted PF_ROUTE message");
-		return JOB_REQUEUE_DIRECT;
-	}
-
-	switch (msg->rtm_type)
-	{
-		case RTM_NEWADDR:
-		case RTM_DELADDR:
-			process_addr(this, msg);
-			break;
-		case RTM_IFINFO:
-		/*case RTM_IFANNOUNCE <- what about this*/
-			process_link(this, msg);
-			break;
-		case RTM_ADD:
-		case RTM_DELETE:
-			process_route(this, msg);
-		default:
-			break;
-	}
-
-	return JOB_REQUEUE_DIRECT;
-}
-
-
-/** enumerator over addresses */
-typedef struct {
-	private_kernel_pfroute_net_t* this;
-	/** whether to enumerate down interfaces */
-	bool include_down_ifaces;
-	/** whether to enumerate virtual ip addresses */
-	bool include_virtual_ips;
-} address_enumerator_t;
-
-/**
- * cleanup function for address enumerator
- */
-static void address_enumerator_destroy(address_enumerator_t *data)
-{
-	data->this->mutex->unlock(data->this->mutex);
-	free(data);
-}
-
-/**
- * filter for addresses
- */
-static bool filter_addresses(address_enumerator_t *data, addr_entry_t** in, host_t** out)
-{
-	host_t *ip;
-	if (!data->include_virtual_ips && (*in)->virtual)
-	{   /* skip virtual interfaces added by us */
-		return FALSE;
-	}
-	ip = (*in)->ip;
-	if (ip->get_family(ip) == AF_INET6)
-	{
-		struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)ip->get_sockaddr(ip);
-		if (IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr))
-		{   /* skip addresses with a unusable scope */
-			return FALSE;
-		}
-	}
-	*out = ip;
-	return TRUE;
-}
-
-/**
- * enumerator constructor for interfaces
- */
-static enumerator_t *create_iface_enumerator(iface_entry_t *iface, address_enumerator_t *data)
-{
-	return enumerator_create_filter(iface->addrs->create_enumerator(iface->addrs),
-									(void*)filter_addresses, data, NULL);
-}
-
-/**
- * filter for interfaces
- */
-static bool filter_interfaces(address_enumerator_t *data, iface_entry_t** in, iface_entry_t** out)
-{
-	if (!data->include_down_ifaces && !((*in)->flags & IFF_UP))
-	{   /* skip interfaces not up */
-		return FALSE;
-	}
-	*out = *in;
-	return TRUE;
-}
-
-/**
- * implementation of kernel_net_t.create_address_enumerator
- */
-static enumerator_t *create_address_enumerator(private_kernel_pfroute_net_t *this,
-		bool include_down_ifaces, bool include_virtual_ips)
-{
-	address_enumerator_t *data = malloc_thing(address_enumerator_t);
-	data->this = this;
-	data->include_down_ifaces = include_down_ifaces;
-	data->include_virtual_ips = include_virtual_ips;
-
-	this->mutex->lock(this->mutex);
-	return enumerator_create_nested(
-				enumerator_create_filter(this->ifaces->create_enumerator(this->ifaces),
-						(void*)filter_interfaces, data, NULL),
-				(void*)create_iface_enumerator, data, (void*)address_enumerator_destroy);
-}
-
-/**
- * implementation of kernel_net_t.get_interface_name
- */
-static char *get_interface_name(private_kernel_pfroute_net_t *this, host_t* ip)
-{
-	enumerator_t *ifaces, *addrs;
-	iface_entry_t *iface;
-	addr_entry_t *addr;
-	char *name = NULL;
-
-	DBG2(DBG_KNL, "getting interface name for %H", ip);
-
-	this->mutex->lock(this->mutex);
-	ifaces = this->ifaces->create_enumerator(this->ifaces);
-	while (ifaces->enumerate(ifaces, &iface))
-	{
-		addrs = iface->addrs->create_enumerator(iface->addrs);
-		while (addrs->enumerate(addrs, &addr))
-		{
-			if (ip->ip_equals(ip, addr->ip))
-			{
-				name = strdup(iface->ifname);
-				break;
-			}
-		}
-		addrs->destroy(addrs);
-		if (name)
-		{
-			break;
-		}
-	}
-	ifaces->destroy(ifaces);
-	this->mutex->unlock(this->mutex);
-
-	if (name)
-	{
-		DBG2(DBG_KNL, "%H is on interface %s", ip, name);
-	}
-	else
-	{
-		DBG2(DBG_KNL, "%H is not a local address", ip);
-	}
-	return name;
-}
-
-/**
- * Implementation of kernel_net_t.get_source_addr.
- */
-static host_t* get_source_addr(private_kernel_pfroute_net_t *this,
-							   host_t *dest, host_t *src)
-{
-	return NULL;
-}
-
-/**
- * Implementation of kernel_net_t.get_nexthop.
- */
-static host_t* get_nexthop(private_kernel_pfroute_net_t *this, host_t *dest)
-{
-	return NULL;
-}
-
-/**
- * Implementation of kernel_net_t.add_ip.
- */
-static status_t add_ip(private_kernel_pfroute_net_t *this,
-						host_t *virtual_ip, host_t *iface_ip)
-{
-	return FAILED;
-}
-
-/**
- * Implementation of kernel_net_t.del_ip.
- */
-static status_t del_ip(private_kernel_pfroute_net_t *this, host_t *virtual_ip)
-{
-	return FAILED;
-}
-
-/**
- * Implementation of kernel_net_t.add_route.
- */
-static status_t add_route(private_kernel_pfroute_net_t *this, chunk_t dst_net,
-		u_int8_t prefixlen, host_t *gateway, host_t *src_ip, char *if_name)
-{
-	return FAILED;
-}
-
-/**
- * Implementation of kernel_net_t.del_route.
- */
-static status_t del_route(private_kernel_pfroute_net_t *this, chunk_t dst_net,
-		u_int8_t prefixlen, host_t *gateway, host_t *src_ip, char *if_name)
-{
-	return FAILED;
-}
-
-/**
- * Initialize a list of local addresses.
- */
-static status_t init_address_list(private_kernel_pfroute_net_t *this)
-{
-	struct ifaddrs *ifap, *ifa;
-	iface_entry_t *iface, *current;
-	addr_entry_t *addr;
-	enumerator_t *ifaces, *addrs;
-
-	DBG1(DBG_KNL, "listening on interfaces:");
-
-	if (getifaddrs(&ifap) < 0)
-	{
-		DBG1(DBG_KNL, "  failed to get interfaces!");
-		return FAILED;
-	}
-
-	for (ifa = ifap; ifa != NULL; ifa = ifa->ifa_next)
-	{
-		if (ifa->ifa_addr == NULL)
-		{
-			continue;
-		}
-		switch(ifa->ifa_addr->sa_family)
-		{
-			case AF_LINK:
-			case AF_INET:
-			case AF_INET6:
-			{
-				if (ifa->ifa_flags & IFF_LOOPBACK)
-				{	/* ignore loopback interfaces */
-					continue;
-				}
-
-				iface = NULL;
-				ifaces = this->ifaces->create_enumerator(this->ifaces);
-				while (ifaces->enumerate(ifaces, &current))
-				{
-					if (streq(current->ifname, ifa->ifa_name))
-					{
-						iface = current;
-						break;
-					}
-				}
-				ifaces->destroy(ifaces);
-
-				if (!iface)
-				{
-					iface = malloc_thing(iface_entry_t);
-					memcpy(iface->ifname, ifa->ifa_name, IFNAMSIZ);
-					iface->ifindex = if_nametoindex(ifa->ifa_name);
-					iface->flags = ifa->ifa_flags;
-					iface->addrs = linked_list_create();
-					this->ifaces->insert_last(this->ifaces, iface);
-				}
-
-				if (ifa->ifa_addr->sa_family != AF_LINK)
-				{
-					addr = malloc_thing(addr_entry_t);
-					addr->ip = host_create_from_sockaddr(ifa->ifa_addr);
-					addr->virtual = FALSE;
-					addr->refcount = 1;
-					iface->addrs->insert_last(iface->addrs, addr);
-				}
-			}
-		}
-	}
-	freeifaddrs(ifap);
-
-	ifaces = this->ifaces->create_enumerator(this->ifaces);
-	while (ifaces->enumerate(ifaces, &iface))
-	{
-		if (iface->flags & IFF_UP)
-		{
-			DBG1(DBG_KNL, "  %s", iface->ifname);
-			addrs = iface->addrs->create_enumerator(iface->addrs);
-			while (addrs->enumerate(addrs, (void**)&addr))
-			{
-				DBG1(DBG_KNL, "    %H", addr->ip);
-			}
-			addrs->destroy(addrs);
-		}
-	}
-	ifaces->destroy(ifaces);
-
-	return SUCCESS;
-}
-
-/**
- * Implementation of kernel_netlink_net_t.destroy.
- */
-static void destroy(private_kernel_pfroute_net_t *this)
-{
-	this->job->cancel(this->job);
-	close(this->socket);
-	close(this->socket_events);
-	this->ifaces->destroy_function(this->ifaces, (void*)iface_entry_destroy);
-	this->mutex->destroy(this->mutex);
-	this->mutex_pfroute->destroy(this->mutex_pfroute);
-	free(this);
-}
-
-/*
- * Described in header.
- */
-kernel_pfroute_net_t *kernel_pfroute_net_create()
-{
-	private_kernel_pfroute_net_t *this = malloc_thing(private_kernel_pfroute_net_t);
-
-	/* public functions */
-	this->public.interface.get_interface = (char*(*)(kernel_net_t*,host_t*))get_interface_name;
-	this->public.interface.create_address_enumerator = (enumerator_t*(*)(kernel_net_t*,bool,bool))create_address_enumerator;
-	this->public.interface.get_source_addr = (host_t*(*)(kernel_net_t*, host_t *dest, host_t *src))get_source_addr;
-	this->public.interface.get_nexthop = (host_t*(*)(kernel_net_t*, host_t *dest))get_nexthop;
-	this->public.interface.add_ip = (status_t(*)(kernel_net_t*,host_t*,host_t*)) add_ip;
-	this->public.interface.del_ip = (status_t(*)(kernel_net_t*,host_t*)) del_ip;
-	this->public.interface.add_route = (status_t(*)(kernel_net_t*,chunk_t,u_int8_t,host_t*,host_t*,char*)) add_route;
-	this->public.interface.del_route = (status_t(*)(kernel_net_t*,chunk_t,u_int8_t,host_t*,host_t*,char*)) del_route;
-
-	this->public.interface.destroy = (void(*)(kernel_net_t*)) destroy;
-
-	/* private members */
-	this->ifaces = linked_list_create();
-	this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
-	this->mutex_pfroute = mutex_create(MUTEX_TYPE_DEFAULT);
-
-	this->seq = 0;
-
-	/* create a PF_ROUTE socket to communicate with the kernel */
-	this->socket = socket(PF_ROUTE, SOCK_RAW, AF_UNSPEC);
-	if (this->socket <= 0)
-	{
-		charon->kill(charon, "unable to create PF_ROUTE socket");
-	}
-
-	/* create a PF_ROUTE socket to receive events */
-	this->socket_events = socket(PF_ROUTE, SOCK_RAW, AF_UNSPEC);
-	if (this->socket_events <= 0)
-	{
-		charon->kill(charon, "unable to create PF_ROUTE event socket");
-	}
-
-	this->job = callback_job_create((callback_job_cb_t)receive_events,
-									this, NULL, NULL);
-	charon->processor->queue_job(charon->processor, (job_t*)this->job);
-
-	if (init_address_list(this) != SUCCESS)
-	{
-		charon->kill(charon, "unable to get interface list");
-	}
-
-	return &this->public;
-}
diff --git a/src/charon/plugins/kernel_pfroute/kernel_pfroute_net.h b/src/charon/plugins/kernel_pfroute/kernel_pfroute_net.h
deleted file mode 100644
index 10c3c9eb7..000000000
--- a/src/charon/plugins/kernel_pfroute/kernel_pfroute_net.h
+++ /dev/null
@@ -1,46 +0,0 @@
-/*
- * Copyright (C) 2009 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup kernel_pfroute_net_i kernel_pfroute_net
- * @{ @ingroup kernel_pfroute
- */
-
-#ifndef KERNEL_PFROUTE_NET_H_
-#define KERNEL_PFROUTE_NET_H_
-
-#include <kernel/kernel_net.h>
-
-typedef struct kernel_pfroute_net_t kernel_pfroute_net_t;
-
-/**
- * Implementation of the kernel net interface using PF_ROUTE.
- */
-struct kernel_pfroute_net_t {
-
-	/**
-	 * Implements kernel_net_t interface
-	 */
-	kernel_net_t interface;
-};
-
-/**
- * Create a PF_ROUTE kernel net interface instance.
- *
- * @return			kernel_pfroute_net_t instance
- */
-kernel_pfroute_net_t *kernel_pfroute_net_create();
-
-#endif /** KERNEL_PFROUTE_NET_H_ @}*/
diff --git a/src/charon/plugins/kernel_pfroute/kernel_pfroute_plugin.c b/src/charon/plugins/kernel_pfroute/kernel_pfroute_plugin.c
deleted file mode 100644
index e73cbeafb..000000000
--- a/src/charon/plugins/kernel_pfroute/kernel_pfroute_plugin.c
+++ /dev/null
@@ -1,58 +0,0 @@
-/*
- * Copyright (C) 2009 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-
-#include "kernel_pfroute_plugin.h"
-
-#include "kernel_pfroute_net.h"
-
-#include <daemon.h>
-
-typedef struct private_kernel_pfroute_plugin_t private_kernel_pfroute_plugin_t;
-
-/**
- * private data of kernel PF_ROUTE plugin
- */
-struct private_kernel_pfroute_plugin_t {
-	/**
-	 * implements plugin interface
-	 */
-	kernel_pfroute_plugin_t public;
-};
-
-/**
- * Implementation of plugin_t.destroy
- */
-static void destroy(private_kernel_pfroute_plugin_t *this)
-{
-	charon->kernel_interface->remove_net_interface(charon->kernel_interface,
-						(kernel_net_constructor_t)kernel_pfroute_net_create);
-	free(this);
-}
-
-/*
- * see header file
- */
-plugin_t *plugin_create()
-{
-	private_kernel_pfroute_plugin_t *this = malloc_thing(private_kernel_pfroute_plugin_t);
-
-	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-
-	charon->kernel_interface->add_net_interface(charon->kernel_interface,
-						(kernel_net_constructor_t)kernel_pfroute_net_create);
-
-	return &this->public.plugin;
-}
diff --git a/src/charon/plugins/kernel_pfroute/kernel_pfroute_plugin.h b/src/charon/plugins/kernel_pfroute/kernel_pfroute_plugin.h
deleted file mode 100644
index 6caf097c6..000000000
--- a/src/charon/plugins/kernel_pfroute/kernel_pfroute_plugin.h
+++ /dev/null
@@ -1,47 +0,0 @@
-/*
- * Copyright (C) 2009 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup kernel_pfroute kernel_pfroute
- * @ingroup cplugins
- *
- * @defgroup kernel_pfroute_plugin kernel_pfroute_plugin
- * @{ @ingroup kernel_pfroute
- */
-
-#ifndef KERNEL_PFROUTE_PLUGIN_H_
-#define KERNEL_PFROUTE_PLUGIN_H_
-
-#include <plugins/plugin.h>
-
-typedef struct kernel_pfroute_plugin_t kernel_pfroute_plugin_t;
-
-/**
- * PF_ROUTE kernel interface plugin
- */
-struct kernel_pfroute_plugin_t {
-
-	/**
-	 * implements plugin interface
-	 */
-	plugin_t plugin;
-};
-
-/**
- * Create a kernel_pfroute_plugin instance.
- */
-plugin_t *plugin_create();
-
-#endif /** KERNEL_PFROUTE_PLUGIN_H_ @}*/
diff --git a/src/charon/plugins/load_tester/Makefile.am b/src/charon/plugins/load_tester/Makefile.am
deleted file mode 100644
index e6e04229a..000000000
--- a/src/charon/plugins/load_tester/Makefile.am
+++ /dev/null
@@ -1,17 +0,0 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
-
-AM_CFLAGS = -rdynamic
-
-plugin_LTLIBRARIES = libstrongswan-load-tester.la
-
-libstrongswan_load_tester_la_SOURCES = \
-  load_tester_plugin.c load_tester_plugin.h \
-  load_tester_config.c load_tester_config.h \
-  load_tester_creds.c load_tester_creds.h \
-  load_tester_ipsec.c load_tester_ipsec.h \
-  load_tester_listener.c load_tester_listener.h \
-  load_tester_diffie_hellman.c load_tester_diffie_hellman.h
-
-libstrongswan_load_tester_la_LDFLAGS = -module -avoid-version
-
diff --git a/src/charon/plugins/load_tester/Makefile.in b/src/charon/plugins/load_tester/Makefile.in
deleted file mode 100644
index 70c7d3c99..000000000
--- a/src/charon/plugins/load_tester/Makefile.in
+++ /dev/null
@@ -1,583 +0,0 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
-# @configure_input@
-
-# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
-# This Makefile.in is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
-# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
-# PARTICULAR PURPOSE.
-
-@SET_MAKE@
-
-VPATH = @srcdir@
-pkgdatadir = $(datadir)/@PACKAGE@
-pkgincludedir = $(includedir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
-pkglibexecdir = $(libexecdir)/@PACKAGE@
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-install_sh_DATA = $(install_sh) -c -m 644
-install_sh_PROGRAM = $(install_sh) -c
-install_sh_SCRIPT = $(install_sh) -c
-INSTALL_HEADER = $(INSTALL_DATA)
-transform = $(program_transform_name)
-NORMAL_INSTALL = :
-PRE_INSTALL = :
-POST_INSTALL = :
-NORMAL_UNINSTALL = :
-PRE_UNINSTALL = :
-POST_UNINSTALL = :
-build_triplet = @build@
-host_triplet = @host@
-subdir = src/charon/plugins/load_tester
-DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
-ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
-	$(top_srcdir)/m4/config/ltoptions.m4 \
-	$(top_srcdir)/m4/config/ltsugar.m4 \
-	$(top_srcdir)/m4/config/ltversion.m4 \
-	$(top_srcdir)/m4/config/lt~obsolete.m4 \
-	$(top_srcdir)/m4/macros/with.m4 \
-	$(top_srcdir)/m4/macros/enable-disable.m4 \
-	$(top_srcdir)/configure.in
-am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
-	$(ACLOCAL_M4)
-mkinstalldirs = $(install_sh) -d
-CONFIG_CLEAN_FILES =
-CONFIG_CLEAN_VPATH_FILES =
-am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
-am__vpath_adj = case $$p in \
-    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
-    *) f=$$p;; \
-  esac;
-am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
-am__install_max = 40
-am__nobase_strip_setup = \
-  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
-am__nobase_strip = \
-  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
-am__nobase_list = $(am__nobase_strip_setup); \
-  for p in $$list; do echo "$$p $$p"; done | \
-  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
-  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
-    if (++n[$$2] == $(am__install_max)) \
-      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
-    END { for (dir in files) print dir, files[dir] }'
-am__base_list = \
-  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
-  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
-am__installdirs = "$(DESTDIR)$(plugindir)"
-LTLIBRARIES = $(plugin_LTLIBRARIES)
-libstrongswan_load_tester_la_LIBADD =
-am_libstrongswan_load_tester_la_OBJECTS = load_tester_plugin.lo \
-	load_tester_config.lo load_tester_creds.lo \
-	load_tester_ipsec.lo load_tester_listener.lo \
-	load_tester_diffie_hellman.lo
-libstrongswan_load_tester_la_OBJECTS =  \
-	$(am_libstrongswan_load_tester_la_OBJECTS)
-libstrongswan_load_tester_la_LINK = $(LIBTOOL) --tag=CC \
-	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
-	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_load_tester_la_LDFLAGS) \
-	$(LDFLAGS) -o $@
-DEFAULT_INCLUDES = -I.@am__isrc@
-depcomp = $(SHELL) $(top_srcdir)/depcomp
-am__depfiles_maybe = depfiles
-am__mv = mv -f
-COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
-	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
-SOURCES = $(libstrongswan_load_tester_la_SOURCES)
-DIST_SOURCES = $(libstrongswan_load_tester_la_SOURCES)
-ETAGS = etags
-CTAGS = ctags
-DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
-ACLOCAL = @ACLOCAL@
-ALLOCA = @ALLOCA@
-AMTAR = @AMTAR@
-AR = @AR@
-AUTOCONF = @AUTOCONF@
-AUTOHEADER = @AUTOHEADER@
-AUTOMAKE = @AUTOMAKE@
-AWK = @AWK@
-BTLIB = @BTLIB@
-CC = @CC@
-CCDEPMODE = @CCDEPMODE@
-CFLAGS = @CFLAGS@
-CPP = @CPP@
-CPPFLAGS = @CPPFLAGS@
-CYGPATH_W = @CYGPATH_W@
-DEFS = @DEFS@
-DEPDIR = @DEPDIR@
-DLLIB = @DLLIB@
-DSYMUTIL = @DSYMUTIL@
-DUMPBIN = @DUMPBIN@
-ECHO_C = @ECHO_C@
-ECHO_N = @ECHO_N@
-ECHO_T = @ECHO_T@
-EGREP = @EGREP@
-EXEEXT = @EXEEXT@
-FGREP = @FGREP@
-GPERF = @GPERF@
-GREP = @GREP@
-INSTALL = @INSTALL@
-INSTALL_DATA = @INSTALL_DATA@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@
-INSTALL_SCRIPT = @INSTALL_SCRIPT@
-INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-LD = @LD@
-LDFLAGS = @LDFLAGS@
-LEX = @LEX@
-LEXLIB = @LEXLIB@
-LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBOBJS = @LIBOBJS@
-LIBS = @LIBS@
-LIBTOOL = @LIBTOOL@
-LIPO = @LIPO@
-LN_S = @LN_S@
-LTLIBOBJS = @LTLIBOBJS@
-MAKEINFO = @MAKEINFO@
-MKDIR_P = @MKDIR_P@
-MYSQLCFLAG = @MYSQLCFLAG@
-MYSQLCONFIG = @MYSQLCONFIG@
-MYSQLLIB = @MYSQLLIB@
-NM = @NM@
-NMEDIT = @NMEDIT@
-OBJDUMP = @OBJDUMP@
-OBJEXT = @OBJEXT@
-OTOOL = @OTOOL@
-OTOOL64 = @OTOOL64@
-PACKAGE = @PACKAGE@
-PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
-PACKAGE_NAME = @PACKAGE_NAME@
-PACKAGE_STRING = @PACKAGE_STRING@
-PACKAGE_TARNAME = @PACKAGE_TARNAME@
-PACKAGE_URL = @PACKAGE_URL@
-PACKAGE_VERSION = @PACKAGE_VERSION@
-PATH_SEPARATOR = @PATH_SEPARATOR@
-PERL = @PERL@
-PKG_CONFIG = @PKG_CONFIG@
-PTHREADLIB = @PTHREADLIB@
-RANLIB = @RANLIB@
-RTLIB = @RTLIB@
-RUBY = @RUBY@
-RUBYINCLUDE = @RUBYINCLUDE@
-SED = @SED@
-SET_MAKE = @SET_MAKE@
-SHELL = @SHELL@
-SOCKLIB = @SOCKLIB@
-STRIP = @STRIP@
-VERSION = @VERSION@
-YACC = @YACC@
-YFLAGS = @YFLAGS@
-abs_builddir = @abs_builddir@
-abs_srcdir = @abs_srcdir@
-abs_top_builddir = @abs_top_builddir@
-abs_top_srcdir = @abs_top_srcdir@
-ac_ct_CC = @ac_ct_CC@
-ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
-am__include = @am__include@
-am__leading_dot = @am__leading_dot@
-am__quote = @am__quote@
-am__tar = @am__tar@
-am__untar = @am__untar@
-bindir = @bindir@
-build = @build@
-build_alias = @build_alias@
-build_cpu = @build_cpu@
-build_os = @build_os@
-build_vendor = @build_vendor@
-builddir = @builddir@
-datadir = @datadir@
-datarootdir = @datarootdir@
-default_pkcs11 = @default_pkcs11@
-docdir = @docdir@
-dvidir = @dvidir@
-exec_prefix = @exec_prefix@
-gtk_CFLAGS = @gtk_CFLAGS@
-gtk_LIBS = @gtk_LIBS@
-host = @host@
-host_alias = @host_alias@
-host_cpu = @host_cpu@
-host_os = @host_os@
-host_vendor = @host_vendor@
-htmldir = @htmldir@
-includedir = @includedir@
-infodir = @infodir@
-install_sh = @install_sh@
-ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
-ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
-ipsecuser = @ipsecuser@
-libdir = @libdir@
-libexecdir = @libexecdir@
-libstrongswan_plugins = @libstrongswan_plugins@
-linux_headers = @linux_headers@
-localedir = @localedir@
-localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
-mandir = @mandir@
-mkdir_p = @mkdir_p@
-nm_CFLAGS = @nm_CFLAGS@
-nm_LIBS = @nm_LIBS@
-nm_ca_dir = @nm_ca_dir@
-oldincludedir = @oldincludedir@
-pdfdir = @pdfdir@
-piddir = @piddir@
-plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
-prefix = @prefix@
-program_transform_name = @program_transform_name@
-psdir = @psdir@
-random_device = @random_device@
-resolv_conf = @resolv_conf@
-routing_table = @routing_table@
-routing_table_prio = @routing_table_prio@
-sbindir = @sbindir@
-sharedstatedir = @sharedstatedir@
-srcdir = @srcdir@
-strongswan_conf = @strongswan_conf@
-sysconfdir = @sysconfdir@
-target_alias = @target_alias@
-top_build_prefix = @top_build_prefix@
-top_builddir = @top_builddir@
-top_srcdir = @top_srcdir@
-urandom_device = @urandom_device@
-xml_CFLAGS = @xml_CFLAGS@
-xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
-AM_CFLAGS = -rdynamic
-plugin_LTLIBRARIES = libstrongswan-load-tester.la
-libstrongswan_load_tester_la_SOURCES = \
-  load_tester_plugin.c load_tester_plugin.h \
-  load_tester_config.c load_tester_config.h \
-  load_tester_creds.c load_tester_creds.h \
-  load_tester_ipsec.c load_tester_ipsec.h \
-  load_tester_listener.c load_tester_listener.h \
-  load_tester_diffie_hellman.c load_tester_diffie_hellman.h
-
-libstrongswan_load_tester_la_LDFLAGS = -module -avoid-version
-all: all-am
-
-.SUFFIXES:
-.SUFFIXES: .c .lo .o .obj
-$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
-	@for dep in $?; do \
-	  case '$(am__configure_deps)' in \
-	    *$$dep*) \
-	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
-	        && { if test -f $@; then exit 0; else break; fi; }; \
-	      exit 1;; \
-	  esac; \
-	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/charon/plugins/load_tester/Makefile'; \
-	$(am__cd) $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu src/charon/plugins/load_tester/Makefile
-.PRECIOUS: Makefile
-Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
-	@case '$?' in \
-	  *config.status*) \
-	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
-	  *) \
-	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
-	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
-	esac;
-
-$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-
-$(top_srcdir)/configure:  $(am__configure_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(am__aclocal_m4_deps):
-install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
-	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
-	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
-	list2=; for p in $$list; do \
-	  if test -f $$p; then \
-	    list2="$$list2 $$p"; \
-	  else :; fi; \
-	done; \
-	test -z "$$list2" || { \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
-	}
-
-uninstall-pluginLTLIBRARIES:
-	@$(NORMAL_UNINSTALL)
-	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
-	for p in $$list; do \
-	  $(am__strip_dir) \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
-	done
-
-clean-pluginLTLIBRARIES:
-	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
-	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
-	  test "$$dir" != "$$p" || dir=.; \
-	  echo "rm -f \"$${dir}/so_locations\""; \
-	  rm -f "$${dir}/so_locations"; \
-	done
-libstrongswan-load-tester.la: $(libstrongswan_load_tester_la_OBJECTS) $(libstrongswan_load_tester_la_DEPENDENCIES) 
-	$(libstrongswan_load_tester_la_LINK) -rpath $(plugindir) $(libstrongswan_load_tester_la_OBJECTS) $(libstrongswan_load_tester_la_LIBADD) $(LIBS)
-
-mostlyclean-compile:
-	-rm -f *.$(OBJEXT)
-
-distclean-compile:
-	-rm -f *.tab.c
-
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/load_tester_config.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/load_tester_creds.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/load_tester_diffie_hellman.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/load_tester_ipsec.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/load_tester_listener.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/load_tester_plugin.Plo@am__quote@
-
-.c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
-
-.c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
-
-.c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
-
-mostlyclean-libtool:
-	-rm -f *.lo
-
-clean-libtool:
-	-rm -rf .libs _libs
-
-ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
-	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	mkid -fID $$unique
-tags: TAGS
-
-TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	set x; \
-	here=`pwd`; \
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	shift; \
-	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
-	  test -n "$$unique" || unique=$$empty_fix; \
-	  if test $$# -gt 0; then \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      "$$@" $$unique; \
-	  else \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      $$unique; \
-	  fi; \
-	fi
-ctags: CTAGS
-CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$unique" \
-	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$unique
-
-GTAGS:
-	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && $(am__cd) $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) "$$here"
-
-distclean-tags:
-	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
-
-distdir: $(DISTFILES)
-	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	list='$(DISTFILES)'; \
-	  dist_files=`for file in $$list; do echo $$file; done | \
-	  sed -e "s|^$$srcdirstrip/||;t" \
-	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
-	case $$dist_files in \
-	  */*) $(MKDIR_P) `echo "$$dist_files" | \
-			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
-			   sort -u` ;; \
-	esac; \
-	for file in $$dist_files; do \
-	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  if test -d $$d/$$file; then \
-	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
-	    if test -d "$(distdir)/$$file"; then \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
-	  else \
-	    test -f "$(distdir)/$$file" \
-	    || cp -p $$d/$$file "$(distdir)/$$file" \
-	    || exit 1; \
-	  fi; \
-	done
-check-am: all-am
-check: check-am
-all-am: Makefile $(LTLIBRARIES)
-installdirs:
-	for dir in "$(DESTDIR)$(plugindir)"; do \
-	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
-	done
-install: install-am
-install-exec: install-exec-am
-install-data: install-data-am
-uninstall: uninstall-am
-
-install-am: all-am
-	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
-
-installcheck: installcheck-am
-install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
-mostlyclean-generic:
-
-clean-generic:
-
-distclean-generic:
-	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
-
-maintainer-clean-generic:
-	@echo "This command is intended for maintainers to use"
-	@echo "it deletes files that may require special tools to rebuild."
-clean: clean-am
-
-clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
-	mostlyclean-am
-
-distclean: distclean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-distclean-am: clean-am distclean-compile distclean-generic \
-	distclean-tags
-
-dvi: dvi-am
-
-dvi-am:
-
-html: html-am
-
-html-am:
-
-info: info-am
-
-info-am:
-
-install-data-am: install-pluginLTLIBRARIES
-
-install-dvi: install-dvi-am
-
-install-dvi-am:
-
-install-exec-am:
-
-install-html: install-html-am
-
-install-html-am:
-
-install-info: install-info-am
-
-install-info-am:
-
-install-man:
-
-install-pdf: install-pdf-am
-
-install-pdf-am:
-
-install-ps: install-ps-am
-
-install-ps-am:
-
-installcheck-am:
-
-maintainer-clean: maintainer-clean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-maintainer-clean-am: distclean-am maintainer-clean-generic
-
-mostlyclean: mostlyclean-am
-
-mostlyclean-am: mostlyclean-compile mostlyclean-generic \
-	mostlyclean-libtool
-
-pdf: pdf-am
-
-pdf-am:
-
-ps: ps-am
-
-ps-am:
-
-uninstall-am: uninstall-pluginLTLIBRARIES
-
-.MAKE: install-am install-strip
-
-.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
-	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
-	distclean-compile distclean-generic distclean-libtool \
-	distclean-tags distdir dvi dvi-am html html-am info info-am \
-	install install-am install-data install-data-am install-dvi \
-	install-dvi-am install-exec install-exec-am install-html \
-	install-html-am install-info install-info-am install-man \
-	install-pdf install-pdf-am install-pluginLTLIBRARIES \
-	install-ps install-ps-am install-strip installcheck \
-	installcheck-am installdirs maintainer-clean \
-	maintainer-clean-generic mostlyclean mostlyclean-compile \
-	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
-
-
-# Tell versions [3.59,3.63) of GNU make to not export all variables.
-# Otherwise a system limit (for SysV at least) may be exceeded.
-.NOEXPORT:
diff --git a/src/charon/plugins/load_tester/load_tester_config.c b/src/charon/plugins/load_tester/load_tester_config.c
deleted file mode 100644
index 82f408d45..000000000
--- a/src/charon/plugins/load_tester/load_tester_config.c
+++ /dev/null
@@ -1,316 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "load_tester_config.h"
-
-#include <daemon.h>
-
-typedef struct private_load_tester_config_t private_load_tester_config_t;
-
-/**
- * Private data of an load_tester_config_t object
- */
-struct private_load_tester_config_t {
-
-	/**
-	 * Public part
-	 */
-	load_tester_config_t public;
-
-	/**
-	 * peer config
-	 */
-	peer_cfg_t *peer_cfg;
-
-	/**
-	 * virtual IP, if any
-	 */
-	host_t *vip;
-
-	/**
-	 * Remote address
-	 */
-	char *remote;
-
-	/**
-	 * IP address pool
-	 */
-	char *pool;
-
-	/**
-	 * IKE proposal
-	 */
-	proposal_t *proposal;
-
-	/**
-	 * Authentication method(s) to use/expect from initiator
-	 */
-	char *initiator_auth;
-
-	/**
-	 * Authentication method(s) use/expected from responder
-	 */
-	char *responder_auth;
-
-	/**
-	 * IKE_SA rekeying delay
-	 */
-	u_int ike_rekey;
-
-	/**
-	 * CHILD_SA rekeying delay
-	 */
-	u_int child_rekey;
-
-	/**
-	 * incremental numbering of generated configs
-	 */
-	u_int num;
-};
-
-/**
- * Generate auth config from string
- */
-static void generate_auth_cfg(private_load_tester_config_t *this, char *str,
-							  peer_cfg_t *peer_cfg, bool local, int num)
-{
-	enumerator_t *enumerator;
-	auth_cfg_t *auth;
-	identification_t *id;
-	auth_class_t class;
-	eap_type_t type;
-	char buf[128];
-	int rnd = 0;
-
-	enumerator = enumerator_create_token(str, "|", " ");
-	while (enumerator->enumerate(enumerator, &str))
-	{
-		auth = auth_cfg_create();
-		rnd++;
-
-		if (streq(str, "psk"))
-		{	/* PSK authentication, use FQDNs */
-			class = AUTH_CLASS_PSK;
-			if ((local && !num) || (!local && num))
-			{
-				id = identification_create_from_string("srv.strongswan.org");
-			}
-			else if (local)
-			{
-				snprintf(buf, sizeof(buf), "c%d-r%d.strongswan.org", num, rnd);
-				id = identification_create_from_string(buf);
-			}
-			else
-			{
-				id = identification_create_from_string("*.strongswan.org");
-			}
-		}
-		else if (strneq(str, "eap", strlen("eap")))
-		{	/* EAP authentication, use a NAI */
-			class = AUTH_CLASS_EAP;
-			if (*(str + strlen("eap")) == '-')
-			{
-				type = eap_type_from_string(str + strlen("eap-"));
-				if (type)
-				{
-					auth->add(auth, AUTH_RULE_EAP_TYPE, type);
-				}
-			}
-			if (local && num)
-			{
-				snprintf(buf, sizeof(buf), "1%.10d%.4d@strongswan.org", num, rnd);
-				id = identification_create_from_string(buf);
-			}
-			else
-			{
-				id = identification_create_from_encoding(ID_ANY, chunk_empty);
-			}
-		}
-		else
-		{
-			if (!streq(str, "pubkey"))
-			{
-				DBG1(DBG_CFG, "invalid authentication: '%s', fallback to pubkey",
-					 str);
-			}
-			/* certificate authentication, use distinguished names */
-			class = AUTH_CLASS_PUBKEY;
-			if ((local && !num) || (!local && num))
-			{
-				id = identification_create_from_string(
-							"CN=srv, OU=load-test, O=strongSwan");
-			}
-			else if (local)
-			{
-				snprintf(buf, sizeof(buf),
-						 "CN=c%d-r%d, OU=load-test, O=strongSwan", num, rnd);
-				id = identification_create_from_string(buf);
-			}
-			else
-			{
-				id = identification_create_from_string(
-								"CN=*, OU=load-test, O=strongSwan");
-			}
-		}
-		auth->add(auth, AUTH_RULE_AUTH_CLASS, class);
-		auth->add(auth, AUTH_RULE_IDENTITY, id);
-		peer_cfg->add_auth_cfg(peer_cfg, auth, local);
-	}
-	enumerator->destroy(enumerator);
-}
-
-/**
- * Generate a new initiator config, num = 0 for responder config
- */
-static peer_cfg_t* generate_config(private_load_tester_config_t *this, uint num)
-{
-	ike_cfg_t *ike_cfg;
-	child_cfg_t *child_cfg;
-	peer_cfg_t *peer_cfg;
-	traffic_selector_t *ts;
-	proposal_t *proposal;
-	lifetime_cfg_t lifetime = {
-		.time = {
-			.life = this->child_rekey * 2,
-			.rekey = this->child_rekey,
-			.jitter = 0
-		}
-	};
-
-	ike_cfg = ike_cfg_create(FALSE, FALSE, "0.0.0.0", this->remote);
-	ike_cfg->add_proposal(ike_cfg, this->proposal->clone(this->proposal));
-	peer_cfg = peer_cfg_create("load-test", 2, ike_cfg,
-							   CERT_SEND_IF_ASKED, UNIQUE_NO, 1, /* keytries */
-							   this->ike_rekey, 0, /* rekey, reauth */
-							   0, this->ike_rekey, /* jitter, overtime */
-							   FALSE, 0, /* mobike, dpddelay */
-							   this->vip ? this->vip->clone(this->vip) : NULL,
-							   this->pool, FALSE, NULL, NULL);
-	if (num)
-	{	/* initiator */
-		generate_auth_cfg(this, this->initiator_auth, peer_cfg, TRUE, num);
-		generate_auth_cfg(this, this->responder_auth, peer_cfg, FALSE, num);
-	}
-	else
-	{	/* responder */
-		generate_auth_cfg(this, this->responder_auth, peer_cfg, TRUE, num);
-		generate_auth_cfg(this, this->initiator_auth, peer_cfg, FALSE, num);
-	}
-
-	child_cfg = child_cfg_create("load-test", &lifetime, NULL, TRUE,
-								 MODE_TUNNEL, ACTION_NONE, ACTION_NONE, FALSE, 0);
-	proposal = proposal_create_from_string(PROTO_ESP, "aes128-sha1");
-	child_cfg->add_proposal(child_cfg, proposal);
-	ts = traffic_selector_create_dynamic(0, 0, 65535);
-	child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
-	ts = traffic_selector_create_dynamic(0, 0, 65535);
-	child_cfg->add_traffic_selector(child_cfg, FALSE, ts);
-	peer_cfg->add_child_cfg(peer_cfg, child_cfg);
-	return peer_cfg;
-}
-
-/**
- * Implementation of backend_t.create_peer_cfg_enumerator.
- */
-static enumerator_t* create_peer_cfg_enumerator(private_load_tester_config_t *this,
-												identification_t *me,
-												identification_t *other)
-{
-	return enumerator_create_single(this->peer_cfg, NULL);
-}
-
-/**
- * Implementation of backend_t.create_ike_cfg_enumerator.
- */
-static enumerator_t* create_ike_cfg_enumerator(private_load_tester_config_t *this,
-											   host_t *me, host_t *other)
-{
-	ike_cfg_t *ike_cfg;
-
-	ike_cfg = this->peer_cfg->get_ike_cfg(this->peer_cfg);
-	return enumerator_create_single(ike_cfg, NULL);
-}
-
-/**
- * implements backend_t.get_peer_cfg_by_name.
- */
-static peer_cfg_t *get_peer_cfg_by_name(private_load_tester_config_t *this,
-										char *name)
-{
-	if (streq(name, "load-test"))
-	{
-		return generate_config(this, this->num++);
-	}
-	return NULL;
-}
-
-/**
- * Implementation of load_tester_config_t.destroy.
- */
-static void destroy(private_load_tester_config_t *this)
-{
-	this->peer_cfg->destroy(this->peer_cfg);
-	DESTROY_IF(this->proposal);
-	DESTROY_IF(this->vip);
-	free(this);
-}
-
-/**
- * Described in header.
- */
-load_tester_config_t *load_tester_config_create()
-{
-	private_load_tester_config_t *this = malloc_thing(private_load_tester_config_t);
-
-	this->public.backend.create_peer_cfg_enumerator = (enumerator_t*(*)(backend_t*, identification_t *me, identification_t *other))create_peer_cfg_enumerator;
-	this->public.backend.create_ike_cfg_enumerator = (enumerator_t*(*)(backend_t*, host_t *me, host_t *other))create_ike_cfg_enumerator;
-	this->public.backend.get_peer_cfg_by_name = (peer_cfg_t* (*)(backend_t*,char*))get_peer_cfg_by_name;
-	this->public.destroy = (void(*)(load_tester_config_t*))destroy;
-
-	this->vip = NULL;
-	if (lib->settings->get_bool(lib->settings,
-				"charon.plugins.load-tester.request_virtual_ip", FALSE))
-	{
-		this->vip = host_create_from_string("0.0.0.0", 0);
-	}
-	this->pool = lib->settings->get_str(lib->settings,
-				"charon.plugins.load-tester.pool", NULL);
-	this->remote = lib->settings->get_str(lib->settings,
-				"charon.plugins.load-tester.remote", "127.0.0.1");
-
-	this->proposal = proposal_create_from_string(PROTO_IKE,
-			lib->settings->get_str(lib->settings,
-				"charon.plugins.load-tester.proposal", "aes128-sha1-modp768"));
-	if (!this->proposal)
-	{	/* fallback */
-		this->proposal = proposal_create_from_string(PROTO_IKE,
-													 "aes128-sha1-modp768");
-	}
-	this->ike_rekey = lib->settings->get_int(lib->settings,
-				"charon.plugins.load-tester.ike_rekey", 0);
-	this->child_rekey = lib->settings->get_int(lib->settings,
-				"charon.plugins.load-tester.child_rekey", 600);
-
-	this->initiator_auth = lib->settings->get_str(lib->settings,
-				"charon.plugins.load-tester.initiator_auth", "pubkey");
-	this->responder_auth = lib->settings->get_str(lib->settings,
-				"charon.plugins.load-tester.responder_auth", "pubkey");
-
-	this->num = 1;
-	this->peer_cfg = generate_config(this, 0);
-
-	return &this->public;
-}
-
diff --git a/src/charon/plugins/load_tester/load_tester_config.h b/src/charon/plugins/load_tester/load_tester_config.h
deleted file mode 100644
index c22387743..000000000
--- a/src/charon/plugins/load_tester/load_tester_config.h
+++ /dev/null
@@ -1,51 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup load_tester_config_t load_tester_config
- * @{ @ingroup load_tester
- */
-
-#ifndef LOAD_TESTER_CONFIG_H_
-#define LOAD_TESTER_CONFIG_H_
-
-#include <config/backend.h>
-
-typedef struct load_tester_config_t load_tester_config_t;
-
-/**
- * Provide configurations for load testing.
- */
-struct load_tester_config_t {
-
-	/**
-	 * Implements backend_t interface
-	 */
-	backend_t backend;
-
-	/**
-	 * Destroy the backend.
-	 */
-	void (*destroy)(load_tester_config_t *this);
-};
-
-/**
- * Create a configuration backend for load testing.
- *
- * @return			configuration backend
- */
-load_tester_config_t *load_tester_config_create();
-
-#endif /** LOAD_TESTER_CONFIG_H_ @}*/
diff --git a/src/charon/plugins/load_tester/load_tester_creds.c b/src/charon/plugins/load_tester/load_tester_creds.c
deleted file mode 100644
index 890703c1a..000000000
--- a/src/charon/plugins/load_tester/load_tester_creds.c
+++ /dev/null
@@ -1,313 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "load_tester_creds.h"
-
-#include <time.h>
-
-#include <daemon.h>
-#include <credentials/keys/shared_key.h>
-#include <credentials/certificates/x509.h>
-#include <utils/identification.h>
-
-typedef struct private_load_tester_creds_t private_load_tester_creds_t;
-
-/**
- * Private data of an load_tester_creds_t object
- */
-struct private_load_tester_creds_t {
-	/**
-	 * Public part
-	 */
-	load_tester_creds_t public;
-
-	/**
-	 * Private key to create signatures
-	 */
-	private_key_t *private;
-
-	/**
-	 * CA certificate, to issue/verify peer certificates
-	 */
-	certificate_t *ca;
-
-	/**
-	 * serial number to issue certificates
-	 */
-	u_int32_t serial;
-
-	/**
-	 * Preshared key
-	 */
-	shared_key_t *shared;
-};
-
-/**
- * 1024-bit RSA key:
------BEGIN RSA PRIVATE KEY-----
-MIICXQIBAAKBgQDQXr7poAPYZLxmTCqR51STGRuk9Hc5SWtTcs6b2RzpnP8EVRLx
-JEVxOKE9Mw6n7mD1pNrupCpnpGRdLAV5VznTPhSQ6k7ppJJrxosRYg0pHTZqBUEC
-7nQFwAe10g8q0UnM1wa4lJzGxDH78d21cVweJgbkxAeyriS0jhNs7gO5nQIDAQAB
-AoGACVACtkxJf7VY2jWTPXwaQoy/uIqYfX3zhwI9i6eTbDlxCE+JDi/xzpKaWjLa
-99RmjvP0OPArWQB239ck03x7gAm2obutosGbqbKzJZS5cyIayzyW9djZDHBdt9Ho
-quKB39aspWit3xPzkrr+QeIkiggtmBKALTBxTwxAU+P6euECQQD4IPdrzKbCrO79
-LKvoPrQQtTjL6ogag9rI9n2ZuoK3/XVybh2byOXT8tA5G5jSz9Ac8XeVOsnH9gT5
-3WXeaLOFAkEA1vrm/hVSEasp5eATgQ7ig9CF+GGKqhTwXp/uOSl/h3IRmStu5J0C
-9AkYyx0bn3j5R8iUEX/C00KSE1kQNh4NOQJAVOsLYlRG2idPH0xThQc4nuM2jes1
-K0Xm8ZISSDNhm1BeCoyPC4rExTW7d1/vfG5svgsRrvvQpOOYrl7MB0Lz9QJBALhg
-AWJiyLsskEd90Vx7dpvUaEHo7jMGuEx/X6GYzK5Oj3dNP9NEMfc4IhJ5SWqRJ0KA
-bTVA3MexLXT4iqXPSkkCQQDSjLhBwvEnSuW4ElIMzBwLbu7573z2gzU82Mj6trrw
-Osoox/vmcepT1Wjy4AvPZHgxp7vEXNSeS+M5L29QNTp8
------END RSA PRIVATE KEY-----
- */
-static char private[] = {
-  0x30,0x82,0x02,0x5d,0x02,0x01,0x00,0x02,0x81,0x81,0x00,0xd0,0x5e,0xbe,0xe9,0xa0,
-  0x03,0xd8,0x64,0xbc,0x66,0x4c,0x2a,0x91,0xe7,0x54,0x93,0x19,0x1b,0xa4,0xf4,0x77,
-  0x39,0x49,0x6b,0x53,0x72,0xce,0x9b,0xd9,0x1c,0xe9,0x9c,0xff,0x04,0x55,0x12,0xf1,
-  0x24,0x45,0x71,0x38,0xa1,0x3d,0x33,0x0e,0xa7,0xee,0x60,0xf5,0xa4,0xda,0xee,0xa4,
-  0x2a,0x67,0xa4,0x64,0x5d,0x2c,0x05,0x79,0x57,0x39,0xd3,0x3e,0x14,0x90,0xea,0x4e,
-  0xe9,0xa4,0x92,0x6b,0xc6,0x8b,0x11,0x62,0x0d,0x29,0x1d,0x36,0x6a,0x05,0x41,0x02,
-  0xee,0x74,0x05,0xc0,0x07,0xb5,0xd2,0x0f,0x2a,0xd1,0x49,0xcc,0xd7,0x06,0xb8,0x94,
-  0x9c,0xc6,0xc4,0x31,0xfb,0xf1,0xdd,0xb5,0x71,0x5c,0x1e,0x26,0x06,0xe4,0xc4,0x07,
-  0xb2,0xae,0x24,0xb4,0x8e,0x13,0x6c,0xee,0x03,0xb9,0x9d,0x02,0x03,0x01,0x00,0x01,
-  0x02,0x81,0x80,0x09,0x50,0x02,0xb6,0x4c,0x49,0x7f,0xb5,0x58,0xda,0x35,0x93,0x3d,
-  0x7c,0x1a,0x42,0x8c,0xbf,0xb8,0x8a,0x98,0x7d,0x7d,0xf3,0x87,0x02,0x3d,0x8b,0xa7,
-  0x93,0x6c,0x39,0x71,0x08,0x4f,0x89,0x0e,0x2f,0xf1,0xce,0x92,0x9a,0x5a,0x32,0xda,
-  0xf7,0xd4,0x66,0x8e,0xf3,0xf4,0x38,0xf0,0x2b,0x59,0x00,0x76,0xdf,0xd7,0x24,0xd3,
-  0x7c,0x7b,0x80,0x09,0xb6,0xa1,0xbb,0xad,0xa2,0xc1,0x9b,0xa9,0xb2,0xb3,0x25,0x94,
-  0xb9,0x73,0x22,0x1a,0xcb,0x3c,0x96,0xf5,0xd8,0xd9,0x0c,0x70,0x5d,0xb7,0xd1,0xe8,
-  0xaa,0xe2,0x81,0xdf,0xd6,0xac,0xa5,0x68,0xad,0xdf,0x13,0xf3,0x92,0xba,0xfe,0x41,
-  0xe2,0x24,0x8a,0x08,0x2d,0x98,0x12,0x80,0x2d,0x30,0x71,0x4f,0x0c,0x40,0x53,0xe3,
-  0xfa,0x7a,0xe1,0x02,0x41,0x00,0xf8,0x20,0xf7,0x6b,0xcc,0xa6,0xc2,0xac,0xee,0xfd,
-  0x2c,0xab,0xe8,0x3e,0xb4,0x10,0xb5,0x38,0xcb,0xea,0x88,0x1a,0x83,0xda,0xc8,0xf6,
-  0x7d,0x99,0xba,0x82,0xb7,0xfd,0x75,0x72,0x6e,0x1d,0x9b,0xc8,0xe5,0xd3,0xf2,0xd0,
-  0x39,0x1b,0x98,0xd2,0xcf,0xd0,0x1c,0xf1,0x77,0x95,0x3a,0xc9,0xc7,0xf6,0x04,0xf9,
-  0xdd,0x65,0xde,0x68,0xb3,0x85,0x02,0x41,0x00,0xd6,0xfa,0xe6,0xfe,0x15,0x52,0x11,
-  0xab,0x29,0xe5,0xe0,0x13,0x81,0x0e,0xe2,0x83,0xd0,0x85,0xf8,0x61,0x8a,0xaa,0x14,
-  0xf0,0x5e,0x9f,0xee,0x39,0x29,0x7f,0x87,0x72,0x11,0x99,0x2b,0x6e,0xe4,0x9d,0x02,
-  0xf4,0x09,0x18,0xcb,0x1d,0x1b,0x9f,0x78,0xf9,0x47,0xc8,0x94,0x11,0x7f,0xc2,0xd3,
-  0x42,0x92,0x13,0x59,0x10,0x36,0x1e,0x0d,0x39,0x02,0x40,0x54,0xeb,0x0b,0x62,0x54,
-  0x46,0xda,0x27,0x4f,0x1f,0x4c,0x53,0x85,0x07,0x38,0x9e,0xe3,0x36,0x8d,0xeb,0x35,
-  0x2b,0x45,0xe6,0xf1,0x92,0x12,0x48,0x33,0x61,0x9b,0x50,0x5e,0x0a,0x8c,0x8f,0x0b,
-  0x8a,0xc4,0xc5,0x35,0xbb,0x77,0x5f,0xef,0x7c,0x6e,0x6c,0xbe,0x0b,0x11,0xae,0xfb,
-  0xd0,0xa4,0xe3,0x98,0xae,0x5e,0xcc,0x07,0x42,0xf3,0xf5,0x02,0x41,0x00,0xb8,0x60,
-  0x01,0x62,0x62,0xc8,0xbb,0x2c,0x90,0x47,0x7d,0xd1,0x5c,0x7b,0x76,0x9b,0xd4,0x68,
-  0x41,0xe8,0xee,0x33,0x06,0xb8,0x4c,0x7f,0x5f,0xa1,0x98,0xcc,0xae,0x4e,0x8f,0x77,
-  0x4d,0x3f,0xd3,0x44,0x31,0xf7,0x38,0x22,0x12,0x79,0x49,0x6a,0x91,0x27,0x42,0x80,
-  0x6d,0x35,0x40,0xdc,0xc7,0xb1,0x2d,0x74,0xf8,0x8a,0xa5,0xcf,0x4a,0x49,0x02,0x41,
-  0x00,0xd2,0x8c,0xb8,0x41,0xc2,0xf1,0x27,0x4a,0xe5,0xb8,0x12,0x52,0x0c,0xcc,0x1c,
-  0x0b,0x6e,0xee,0xf9,0xef,0x7c,0xf6,0x83,0x35,0x3c,0xd8,0xc8,0xfa,0xb6,0xba,0xf0,
-  0x3a,0xca,0x28,0xc7,0xfb,0xe6,0x71,0xea,0x53,0xd5,0x68,0xf2,0xe0,0x0b,0xcf,0x64,
-  0x78,0x31,0xa7,0xbb,0xc4,0x5c,0xd4,0x9e,0x4b,0xe3,0x39,0x2f,0x6f,0x50,0x35,0x3a,
-  0x7c,
-};
-
-/**
- * And an associated self-signed certificate
------BEGIN CERTIFICATE-----
-MIIB9DCCAV2gAwIBAgIBADANBgkqhkiG9w0BAQUFADA3MQwwCgYDVQQDEwNzcnYx
-EjAQBgNVBAsTCWxvYWQtdGVzdDETMBEGA1UEChMKc3Ryb25nU3dhbjAeFw0wODEy
-MDgxODU4NDhaFw0xODEyMDYxODU4NDhaMDcxDDAKBgNVBAMTA3NydjESMBAGA1UE
-CxMJbG9hZC10ZXN0MRMwEQYDVQQKEwpzdHJvbmdTd2FuMIGfMA0GCSqGSIb3DQEB
-AQUAA4GNADCBiQKBgQDQXr7poAPYZLxmTCqR51STGRuk9Hc5SWtTcs6b2RzpnP8E
-VRLxJEVxOKE9Mw6n7mD1pNrupCpnpGRdLAV5VznTPhSQ6k7ppJJrxosRYg0pHTZq
-BUEC7nQFwAe10g8q0UnM1wa4lJzGxDH78d21cVweJgbkxAeyriS0jhNs7gO5nQID
-AQABoxAwDjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAF39Xedyk2wj
-qOcaaZ7ypb8RDlLvS0uaJMVtLtIhtb2weMMlgdmOnKXEYrJL2/mbp14Fhe+XYME9
-nZLAnmUnX8bQWCsQlajb7YGE8w6QDMwXUVgSXTMhRl+PRX2CMIUzU21h1EIx65Po
-CwMLbJ7vQqwPHXRitDmNkEOK9H+vRnDf
------END CERTIFICATE-----
-
- */
-char cert[] = {
-  0x30,0x82,0x01,0xf4,0x30,0x82,0x01,0x5d,0xa0,0x03,0x02,0x01,0x02,0x02,0x01,0x00,
-  0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x05,0x05,0x00,0x30,
-  0x37,0x31,0x0c,0x30,0x0a,0x06,0x03,0x55,0x04,0x03,0x13,0x03,0x73,0x72,0x76,0x31,
-  0x12,0x30,0x10,0x06,0x03,0x55,0x04,0x0b,0x13,0x09,0x6c,0x6f,0x61,0x64,0x2d,0x74,
-  0x65,0x73,0x74,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0a,0x13,0x0a,0x73,0x74,
-  0x72,0x6f,0x6e,0x67,0x53,0x77,0x61,0x6e,0x30,0x1e,0x17,0x0d,0x30,0x38,0x31,0x32,
-  0x30,0x38,0x31,0x38,0x35,0x38,0x34,0x38,0x5a,0x17,0x0d,0x31,0x38,0x31,0x32,0x30,
-  0x36,0x31,0x38,0x35,0x38,0x34,0x38,0x5a,0x30,0x37,0x31,0x0c,0x30,0x0a,0x06,0x03,
-  0x55,0x04,0x03,0x13,0x03,0x73,0x72,0x76,0x31,0x12,0x30,0x10,0x06,0x03,0x55,0x04,
-  0x0b,0x13,0x09,0x6c,0x6f,0x61,0x64,0x2d,0x74,0x65,0x73,0x74,0x31,0x13,0x30,0x11,
-  0x06,0x03,0x55,0x04,0x0a,0x13,0x0a,0x73,0x74,0x72,0x6f,0x6e,0x67,0x53,0x77,0x61,
-  0x6e,0x30,0x81,0x9f,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,
-  0x01,0x05,0x00,0x03,0x81,0x8d,0x00,0x30,0x81,0x89,0x02,0x81,0x81,0x00,0xd0,0x5e,
-  0xbe,0xe9,0xa0,0x03,0xd8,0x64,0xbc,0x66,0x4c,0x2a,0x91,0xe7,0x54,0x93,0x19,0x1b,
-  0xa4,0xf4,0x77,0x39,0x49,0x6b,0x53,0x72,0xce,0x9b,0xd9,0x1c,0xe9,0x9c,0xff,0x04,
-  0x55,0x12,0xf1,0x24,0x45,0x71,0x38,0xa1,0x3d,0x33,0x0e,0xa7,0xee,0x60,0xf5,0xa4,
-  0xda,0xee,0xa4,0x2a,0x67,0xa4,0x64,0x5d,0x2c,0x05,0x79,0x57,0x39,0xd3,0x3e,0x14,
-  0x90,0xea,0x4e,0xe9,0xa4,0x92,0x6b,0xc6,0x8b,0x11,0x62,0x0d,0x29,0x1d,0x36,0x6a,
-  0x05,0x41,0x02,0xee,0x74,0x05,0xc0,0x07,0xb5,0xd2,0x0f,0x2a,0xd1,0x49,0xcc,0xd7,
-  0x06,0xb8,0x94,0x9c,0xc6,0xc4,0x31,0xfb,0xf1,0xdd,0xb5,0x71,0x5c,0x1e,0x26,0x06,
-  0xe4,0xc4,0x07,0xb2,0xae,0x24,0xb4,0x8e,0x13,0x6c,0xee,0x03,0xb9,0x9d,0x02,0x03,
-  0x01,0x00,0x01,0xa3,0x10,0x30,0x0e,0x30,0x0c,0x06,0x03,0x55,0x1d,0x13,0x04,0x05,
-  0x30,0x03,0x01,0x01,0xff,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,
-  0x01,0x05,0x05,0x00,0x03,0x81,0x81,0x00,0x5d,0xfd,0x5d,0xe7,0x72,0x93,0x6c,0x23,
-  0xa8,0xe7,0x1a,0x69,0x9e,0xf2,0xa5,0xbf,0x11,0x0e,0x52,0xef,0x4b,0x4b,0x9a,0x24,
-  0xc5,0x6d,0x2e,0xd2,0x21,0xb5,0xbd,0xb0,0x78,0xc3,0x25,0x81,0xd9,0x8e,0x9c,0xa5,
-  0xc4,0x62,0xb2,0x4b,0xdb,0xf9,0x9b,0xa7,0x5e,0x05,0x85,0xef,0x97,0x60,0xc1,0x3d,
-  0x9d,0x92,0xc0,0x9e,0x65,0x27,0x5f,0xc6,0xd0,0x58,0x2b,0x10,0x95,0xa8,0xdb,0xed,
-  0x81,0x84,0xf3,0x0e,0x90,0x0c,0xcc,0x17,0x51,0x58,0x12,0x5d,0x33,0x21,0x46,0x5f,
-  0x8f,0x45,0x7d,0x82,0x30,0x85,0x33,0x53,0x6d,0x61,0xd4,0x42,0x31,0xeb,0x93,0xe8,
-  0x0b,0x03,0x0b,0x6c,0x9e,0xef,0x42,0xac,0x0f,0x1d,0x74,0x62,0xb4,0x39,0x8d,0x90,
-  0x43,0x8a,0xf4,0x7f,0xaf,0x46,0x70,0xdf,
-};
-
-
-/**
- * A preshared key
- */
-static char psk[] = {
-  0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08
-};
-
-/**
- * Implements credential_set_t.create_private_enumerator
- */
-static enumerator_t* create_private_enumerator(private_load_tester_creds_t *this,
-							key_type_t type, identification_t *id)
-{
-	if (this->private == NULL)
-	{
-		return NULL;
-	}
-	if (type != KEY_ANY && type != KEY_RSA)
-	{
-		return NULL;
-	}
-	if (id)
-	{
-		if (!this->private->has_fingerprint(this->private, id->get_encoding(id)))
-		{
-			return NULL;
-		}
-	}
-	return enumerator_create_single(this->private, NULL);
-}
-
-/**
- * Implements credential_set_t.create_cert_enumerator
- */
-static enumerator_t* create_cert_enumerator(private_load_tester_creds_t *this,
-							certificate_type_t cert, key_type_t key,
-							identification_t *id, bool trusted)
-{
-	certificate_t *peer_cert;
-	public_key_t *peer_key, *ca_key;
-	u_int32_t serial;
-	time_t now;
-
-	if (this->ca == NULL)
-	{
-		return NULL;
-	}
-	if (cert != CERT_ANY && cert != CERT_X509)
-	{
-		return NULL;
-	}
-	if (key != KEY_ANY && key != KEY_RSA)
-	{
-		return NULL;
-	}
-	if (!id)
-	{
-		return enumerator_create_single(this->ca, NULL);
-	}
-	ca_key = this->ca->get_public_key(this->ca);
-	if (ca_key)
-	{
-		if (ca_key->has_fingerprint(ca_key, id->get_encoding(id)))
-		{
-			ca_key->destroy(ca_key);
-			return enumerator_create_single(this->ca, NULL);
-		}
-		ca_key->destroy(ca_key);
-	}
-	if (this->ca->has_subject(this->ca, id))
-	{
-		return enumerator_create_single(this->ca, NULL);
-	}
-	if (!trusted)
-	{
-		/* peer certificate, generate on demand */
-		serial = htonl(++this->serial);
-		now = time(NULL);
-		peer_key = this->private->get_public_key(this->private);
-		peer_cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
-									BUILD_SIGNING_KEY, this->private,
-									BUILD_SIGNING_CERT, this->ca,
-									BUILD_PUBLIC_KEY, peer_key,
-									BUILD_SUBJECT, id,
-									BUILD_NOT_BEFORE_TIME, now - 60 * 60 * 24,
-									BUILD_NOT_AFTER_TIME, now + 60 * 60 * 24,
-									BUILD_SERIAL, chunk_from_thing(serial),
-									BUILD_END);
-		peer_key->destroy(peer_key);
-		if (peer_cert)
-		{
-			return enumerator_create_single(peer_cert, (void*)peer_cert->destroy);
-		}
-	}
-	return NULL;
-}
-
-/**
- * Implements credential_set_t.create_shared_enumerator
- */
-static enumerator_t* create_shared_enumerator(private_load_tester_creds_t *this,
-							shared_key_type_t type,	identification_t *me,
-							identification_t *other)
-{
-	return enumerator_create_single(this->shared, NULL);
-}
-
-/**
- * Implementation of load_tester_creds_t.destroy
- */
-static void destroy(private_load_tester_creds_t *this)
-{
-	DESTROY_IF(this->private);
-	DESTROY_IF(this->ca);
-	this->shared->destroy(this->shared);
-	free(this);
-}
-
-load_tester_creds_t *load_tester_creds_create()
-{
-	private_load_tester_creds_t *this = malloc_thing(private_load_tester_creds_t);
-
-	this->public.credential_set.create_shared_enumerator = (enumerator_t*(*)(credential_set_t*, shared_key_type_t, identification_t*, identification_t*))create_shared_enumerator;
-	this->public.credential_set.create_private_enumerator = (enumerator_t*(*) (credential_set_t*, key_type_t, identification_t*))create_private_enumerator;
-	this->public.credential_set.create_cert_enumerator = (enumerator_t*(*) (credential_set_t*,	certificate_type_t, key_type_t,identification_t *, bool))create_cert_enumerator;
-	this->public.credential_set.create_cdp_enumerator  = (enumerator_t*(*) (credential_set_t *,certificate_type_t, identification_t *))return_null;
-	this->public.credential_set.cache_cert = (void (*)(credential_set_t *, certificate_t *))nop;
-	this->public.destroy = (void(*) (load_tester_creds_t*))destroy;
-
-	this->private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
-				BUILD_BLOB_ASN1_DER, chunk_create(private, sizeof(private)),
-				BUILD_END);
-
-	this->ca = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
-				BUILD_BLOB_ASN1_DER, chunk_create(cert, sizeof(cert)),
-				BUILD_X509_FLAG, X509_CA,
-				BUILD_END);
-
-	this->shared = shared_key_create(SHARED_IKE,
-									 chunk_clone(chunk_create(psk, sizeof(psk))));
-	this->serial = 0;
-	return &this->public;
-}
-
diff --git a/src/charon/plugins/load_tester/load_tester_creds.h b/src/charon/plugins/load_tester/load_tester_creds.h
deleted file mode 100644
index fb3541164..000000000
--- a/src/charon/plugins/load_tester/load_tester_creds.h
+++ /dev/null
@@ -1,51 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup load_tester_creds_t load_tester_creds
- * @{ @ingroup load_tester
- */
-
-#ifndef LOAD_TESTER_CREDS_H_
-#define LOAD_TESTER_CREDS_H_
-
-#include <credentials/credential_set.h>
-
-typedef struct load_tester_creds_t load_tester_creds_t;
-
-/**
- * Provide hard-coded credentials for load testing.
- */
-struct load_tester_creds_t {
-
-	/**
-	 * Implements credential set interface.
-	 */
-	credential_set_t credential_set;
-
-	/**
-	 * Destroy the backend.
-	 */
-	void (*destroy)(load_tester_creds_t *this);
-};
-
-/**
- * Create a credential set for load testing.
- *
- * @return			credential set
- */
-load_tester_creds_t *load_tester_creds_create();
-
-#endif /** LOAD_TESTER_CREDS_H_ @}*/
diff --git a/src/charon/plugins/load_tester/load_tester_diffie_hellman.c b/src/charon/plugins/load_tester/load_tester_diffie_hellman.c
deleted file mode 100644
index d5ec3599b..000000000
--- a/src/charon/plugins/load_tester/load_tester_diffie_hellman.c
+++ /dev/null
@@ -1,67 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "load_tester_diffie_hellman.h"
-
-/**
- * Implementation of gmp_diffie_hellman_t.get_my_public_value.
- */
-static void get_my_public_value(load_tester_diffie_hellman_t *this,
-								chunk_t *value)
-{
-	*value = chunk_empty;
-}
-
-/**
- * Implementation of gmp_diffie_hellman_t.get_shared_secret.
- */
-static status_t get_shared_secret(load_tester_diffie_hellman_t *this,
-								  chunk_t *secret)
-{
-	*secret = chunk_empty;
-	return SUCCESS;
-}
-
-/**
- * Implementation of gmp_diffie_hellman_t.get_dh_group.
- */
-static diffie_hellman_group_t get_dh_group(load_tester_diffie_hellman_t *this)
-{
-	return MODP_NULL;
-}
-
-/**
- * See header
- */
-load_tester_diffie_hellman_t *load_tester_diffie_hellman_create(
-												diffie_hellman_group_t group)
-{
-	load_tester_diffie_hellman_t *this;
-
-	if (group != MODP_NULL)
-	{
-		return NULL;
-	}
-
-	this = malloc_thing(load_tester_diffie_hellman_t);
-
-	this->dh.get_shared_secret = (status_t (*)(diffie_hellman_t *, chunk_t *))get_shared_secret;
-	this->dh.set_other_public_value = (void (*)(diffie_hellman_t *, chunk_t ))nop;
-	this->dh.get_my_public_value = (void (*)(diffie_hellman_t *, chunk_t *))get_my_public_value;
-	this->dh.get_dh_group = (diffie_hellman_group_t (*)(diffie_hellman_t *))get_dh_group;
-	this->dh.destroy = (void (*)(diffie_hellman_t *))free;
-
-	return this;
-}
diff --git a/src/charon/plugins/load_tester/load_tester_diffie_hellman.h b/src/charon/plugins/load_tester/load_tester_diffie_hellman.h
deleted file mode 100644
index 672157fb8..000000000
--- a/src/charon/plugins/load_tester/load_tester_diffie_hellman.h
+++ /dev/null
@@ -1,48 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup load_tester_diffie_hellman load_tester_diffie_hellman
- * @{ @ingroup load_tester
- */
-
-#ifndef LOAD_TESTER_DIFFIE_HELLMAN_H_
-#define LOAD_TESTER_DIFFIE_HELLMAN_H_
-
-#include <crypto/diffie_hellman.h>
-
-typedef struct load_tester_diffie_hellman_t load_tester_diffie_hellman_t;
-
-/**
- * A NULL Diffie Hellman implementation to avoid calculation overhead in tests.
- */
-struct load_tester_diffie_hellman_t {
-
-	/**
-	 * Implements diffie_hellman_t interface.
-	 */
-	diffie_hellman_t dh;
-};
-
-/**
- * Creates a new gmp_diffie_hellman_t object.
- *
- * @param group			Diffie Hellman group, supports MODP_NULL only
- * @return				gmp_diffie_hellman_t object
- */
-load_tester_diffie_hellman_t *load_tester_diffie_hellman_create(
-												diffie_hellman_group_t group);
-
-#endif /** LOAD_TESTER_DIFFIE_HELLMAN_H_ @}*/
diff --git a/src/charon/plugins/load_tester/load_tester_ipsec.c b/src/charon/plugins/load_tester/load_tester_ipsec.c
deleted file mode 100644
index 1218443cc..000000000
--- a/src/charon/plugins/load_tester/load_tester_ipsec.c
+++ /dev/null
@@ -1,176 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "load_tester_ipsec.h"
-
-#include <time.h>
-
-typedef struct private_load_tester_ipsec_t private_load_tester_ipsec_t;
-
-/**
- * Private variables and functions of kernel_pfkey class.
- */
-struct private_load_tester_ipsec_t {
-	/**
-	 * Public interface.
-	 */
-	load_tester_ipsec_t public;
-
-	/**
-	 * faked SPI counter
-	 */
-	u_int32_t spi;
-};
-
-/**
- * Implementation of kernel_interface_t.get_spi.
- */
-static status_t get_spi(private_load_tester_ipsec_t *this,
-						host_t *src, host_t *dst,
-						protocol_id_t protocol, u_int32_t reqid,
-						u_int32_t *spi)
-{
-	*spi = ++this->spi;
-	return SUCCESS;
-}
-
-/**
- * Implementation of kernel_interface_t.get_cpi.
- */
-static status_t get_cpi(private_load_tester_ipsec_t *this,
-						host_t *src, host_t *dst,
-						u_int32_t reqid, u_int16_t *cpi)
-{
-	return FAILED;
-}
-
-/**
- * Implementation of kernel_interface_t.add_sa.
- */
-static status_t add_sa(private_load_tester_ipsec_t *this,
-					   host_t *src, host_t *dst, u_int32_t spi,
-					   protocol_id_t protocol, u_int32_t reqid,
-					   lifetime_cfg_t *lifetime,
-					   u_int16_t enc_alg, chunk_t enc_key,
-					   u_int16_t int_alg, chunk_t int_key,
-					   ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
-					   bool encap, bool inbound, traffic_selector_t *src_ts,
-					   traffic_selector_t *dst_ts)
-{
-	return SUCCESS;
-}
-
-/**
- * Implementation of kernel_interface_t.update_sa.
- */
-static status_t update_sa(private_load_tester_ipsec_t *this,
-						  u_int32_t spi, protocol_id_t protocol, u_int16_t cpi,
-						  host_t *src, host_t *dst,
-						  host_t *new_src, host_t *new_dst,
-						  bool encap, bool new_encap)
-{
-	return SUCCESS;
-}
-
-/**
- * Implementation of kernel_interface_t.query_sa.
- */
-static status_t query_sa(private_load_tester_ipsec_t *this, host_t *src,
-						 host_t *dst, u_int32_t spi, protocol_id_t protocol,
-						 u_int64_t *bytes)
-{
-	return NOT_SUPPORTED;
-}
-
-/**
- * Implementation of kernel_interface_t.del_sa.
- */
-static status_t del_sa(private_load_tester_ipsec_t *this, host_t *src,
-					   host_t *dst, u_int32_t spi, protocol_id_t protocol,
-					   u_int16_t cpi)
-{
-	return SUCCESS;
-}
-
-/**
- * Implementation of kernel_interface_t.add_policy.
- */
-static status_t add_policy(private_load_tester_ipsec_t *this,
-						   host_t *src, host_t *dst,
-						   traffic_selector_t *src_ts,
-						   traffic_selector_t *dst_ts,
-						   policy_dir_t direction, u_int32_t spi,
-						   protocol_id_t protocol, u_int32_t reqid,
-						   ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
-						   bool routed)
-{
-	return SUCCESS;
-}
-
-/**
- * Implementation of kernel_interface_t.query_policy.
- */
-static status_t query_policy(private_load_tester_ipsec_t *this,
-							 traffic_selector_t *src_ts,
-							 traffic_selector_t *dst_ts,
-							 policy_dir_t direction, u_int32_t *use_time)
-{
-	*use_time = time_monotonic(NULL);
-	return SUCCESS;
-}
-
-/**
- * Implementation of kernel_interface_t.del_policy.
- */
-static status_t del_policy(private_load_tester_ipsec_t *this,
-						   traffic_selector_t *src_ts,
-						   traffic_selector_t *dst_ts,
-						   policy_dir_t direction, bool unrouted)
-{
-	return SUCCESS;
-}
-
-/**
- * Implementation of kernel_interface_t.destroy.
- */
-static void destroy(private_load_tester_ipsec_t *this)
-{
-	free(this);
-}
-
-/*
- * Described in header.
- */
-load_tester_ipsec_t *load_tester_ipsec_create()
-{
-	private_load_tester_ipsec_t *this = malloc_thing(private_load_tester_ipsec_t);
-
-	/* public functions */
-	this->public.interface.get_spi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,protocol_id_t,u_int32_t,u_int32_t*))get_spi;
-	this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
-	this->public.interface.add_sa  = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,lifetime_cfg_t*,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool,traffic_selector_t*,traffic_selector_t*))add_sa;
-	this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa;
-	this->public.interface.query_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int64_t*))query_sa;
-	this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
-	this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t *this,host_t *, host_t *,traffic_selector_t *,traffic_selector_t *,policy_dir_t, u_int32_t,protocol_id_t, u_int32_t,ipsec_mode_t, u_int16_t, u_int16_t,bool))add_policy;
-	this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
-	this->public.interface.del_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,bool))del_policy;
-	this->public.interface.destroy = (void(*)(kernel_ipsec_t*)) destroy;
-
-	this->spi = 0;
-
-	return &this->public;
-}
-
diff --git a/src/charon/plugins/load_tester/load_tester_ipsec.h b/src/charon/plugins/load_tester/load_tester_ipsec.h
deleted file mode 100644
index 1e1bff84a..000000000
--- a/src/charon/plugins/load_tester/load_tester_ipsec.h
+++ /dev/null
@@ -1,46 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup load_tester_ipsec_i load_tester_ipsec
- * @{ @ingroup load_tester
- */
-
-#ifndef LOAD_TESTER_IPSEC_H_
-#define LOAD_TESTER_IPSEC_H_
-
-#include <kernel/kernel_ipsec.h>
-
-typedef struct load_tester_ipsec_t load_tester_ipsec_t;
-
-/**
- * Implementation of a fake kernel ipsec interface for load testing.
- */
-struct load_tester_ipsec_t {
-
-	/**
-	 * Implements kernel_ipsec_t interface
-	 */
-	kernel_ipsec_t interface;
-};
-
-/**
- * Create a faked kernel ipsec interface instance.
- *
- * @return			kernel_load_tester_ipsec_t instance
- */
-load_tester_ipsec_t *load_tester_ipsec_create();
-
-#endif /** LOAD_TESTER_IPSEC_H_ @}*/
diff --git a/src/charon/plugins/load_tester/load_tester_listener.c b/src/charon/plugins/load_tester/load_tester_listener.c
deleted file mode 100644
index 96b0cf1ec..000000000
--- a/src/charon/plugins/load_tester/load_tester_listener.c
+++ /dev/null
@@ -1,102 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "load_tester_listener.h"
-
-#include <signal.h>
-
-#include <daemon.h>
-#include <processing/jobs/delete_ike_sa_job.h>
-
-typedef struct private_load_tester_listener_t private_load_tester_listener_t;
-
-/**
- * Private data of an load_tester_listener_t object
- */
-struct private_load_tester_listener_t {
-	/**
-	 * Public part
-	 */
-	load_tester_listener_t public;
-
-	/**
-	 * Delete IKE_SA after it has been established
-	 */
-	bool delete_after_established;
-
-	/**
-	 * Number of established SAs
-	 */
-	u_int established;
-
-	/**
-	 * Shutdown the daemon if we have established this SA count
-	 */
-	u_int shutdown_on;
-};
-
-/**
- * Implementation of listener_t.ike_state_change
- */
-static bool ike_state_change(private_load_tester_listener_t *this,
-							 ike_sa_t *ike_sa, ike_sa_state_t state)
-{
-	if (state == IKE_ESTABLISHED)
-	{
-		ike_sa_id_t *id = ike_sa->get_id(ike_sa);
-
-		if (this->delete_after_established)
-		{
-			charon->processor->queue_job(charon->processor,
-									(job_t*)delete_ike_sa_job_create(id, TRUE));
-		}
-
-		if (id->is_initiator(id))
-		{
-			if (this->shutdown_on == ++this->established)
-			{
-				DBG1(DBG_CFG, "load-test complete, raising SIGTERM");
-				kill(0, SIGTERM);
-			}
-		}
-	}
-	return TRUE;
-}
-
-/**
- * Implementation of load_tester_listener_t.destroy
- */
-static void destroy(private_load_tester_listener_t *this)
-{
-	free(this);
-}
-
-load_tester_listener_t *load_tester_listener_create(u_int shutdown_on)
-{
-	private_load_tester_listener_t *this = malloc_thing(private_load_tester_listener_t);
-
-	memset(&this->public.listener, 0, sizeof(listener_t));
-	this->public.listener.ike_state_change = (void*)ike_state_change;
-	this->public.destroy = (void(*) (load_tester_listener_t*))destroy;
-
-	this->delete_after_established = lib->settings->get_bool(lib->settings,
-				"charon.plugins.load-tester.delete_after_established", FALSE);
-
-	this->shutdown_on = shutdown_on;
-	this->established = 0;
-
-	return &this->public;
-}
-
diff --git a/src/charon/plugins/load_tester/load_tester_listener.h b/src/charon/plugins/load_tester/load_tester_listener.h
deleted file mode 100644
index b9599294c..000000000
--- a/src/charon/plugins/load_tester/load_tester_listener.h
+++ /dev/null
@@ -1,52 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup load_tester_listener_t load_tester_listener
- * @{ @ingroup load_tester
- */
-
-#ifndef LOAD_TESTER_LISTENER_H_
-#define LOAD_TESTER_LISTENER_H_
-
-#include <bus/bus.h>
-
-typedef struct load_tester_listener_t load_tester_listener_t;
-
-/**
- * Provide hard-coded credentials for load testing.
- */
-struct load_tester_listener_t {
-
-	/**
-	 * Implements listener set interface.
-	 */
-	listener_t listener;
-
-	/**
-	 * Destroy the backend.
-	 */
-	void (*destroy)(load_tester_listener_t *this);
-};
-
-/**
- * Create a listener to handle special events during load test
- *
- * @param shutdown_on	shut down the daemon after this many SAs are established
- * @return				listener
- */
-load_tester_listener_t *load_tester_listener_create(u_int shutdown_on);
-
-#endif /** LOAD_TESTER_LISTENER_H_ @}*/
diff --git a/src/charon/plugins/load_tester/load_tester_plugin.c b/src/charon/plugins/load_tester/load_tester_plugin.c
deleted file mode 100644
index e25f97423..000000000
--- a/src/charon/plugins/load_tester/load_tester_plugin.c
+++ /dev/null
@@ -1,230 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "load_tester_plugin.h"
-#include "load_tester_config.h"
-#include "load_tester_creds.h"
-#include "load_tester_ipsec.h"
-#include "load_tester_listener.h"
-#include "load_tester_diffie_hellman.h"
-
-#include <unistd.h>
-
-#include <daemon.h>
-#include <processing/jobs/callback_job.h>
-#include <threading/condvar.h>
-#include <threading/mutex.h>
-
-typedef struct private_load_tester_plugin_t private_load_tester_plugin_t;
-
-/**
- * private data of load_tester plugin
- */
-struct private_load_tester_plugin_t {
-
-	/**
-	 * implements plugin interface
-	 */
-	load_tester_plugin_t public;
-
-	/**
-	 * load_tester configuration backend
-	 */
-	load_tester_config_t *config;
-
-	/**
-	 * load_tester credential set implementation
-	 */
-	load_tester_creds_t *creds;
-
-	/**
-	 * event handler, listens on bus
-	 */
-	load_tester_listener_t *listener;
-
-	/**
-	 * number of iterations per thread
-	 */
-	int iterations;
-
-	/**
-	 * number desired initiator threads
-	 */
-	int initiators;
-
-	/**
-	 * currenly running initiators
-	 */
-	int running;
-
-	/**
-	 * delay between initiations, in ms
-	 */
-	int delay;
-
-	/**
-	 * mutex to lock running field
-	 */
-	mutex_t *mutex;
-
-	/**
-	 * condvar to wait for initiators
-	 */
-	condvar_t *condvar;
-};
-
-/**
- * Begin the load test
- */
-static job_requeue_t do_load_test(private_load_tester_plugin_t *this)
-{
-	int i, s = 0, ms = 0;
-
-	this->mutex->lock(this->mutex);
-	if (!this->running)
-	{
-		this->running = this->initiators;
-	}
-	this->mutex->unlock(this->mutex);
-	if (this->delay)
-	{
-		s = this->delay / 1000;
-		ms = this->delay % 1000;
-	}
-
-	for (i = 0; this->iterations == 0 || i < this->iterations; i++)
-	{
-		peer_cfg_t *peer_cfg;
-		child_cfg_t *child_cfg = NULL;
-		enumerator_t *enumerator;
-
-		peer_cfg = charon->backends->get_peer_cfg_by_name(charon->backends,
-														  "load-test");
-		if (!peer_cfg)
-		{
-			break;
-		}
-		enumerator = peer_cfg->create_child_cfg_enumerator(peer_cfg);
-		if (!enumerator->enumerate(enumerator, &child_cfg))
-		{
-			enumerator->destroy(enumerator);
-			break;
-		}
-		enumerator->destroy(enumerator);
-
-		charon->controller->initiate(charon->controller,
-					peer_cfg, child_cfg->get_ref(child_cfg),
-					NULL, NULL);
-		if (s)
-		{
-			sleep(s);
-		}
-		if (ms)
-		{
-			usleep(ms * 1000);
-		}
-	}
-	this->mutex->lock(this->mutex);
-	this->running--;
-	this->mutex->unlock(this->mutex);
-	this->condvar->signal(this->condvar);
-	return JOB_REQUEUE_NONE;
-}
-
-/**
- * Implementation of plugin_t.destroy
- */
-static void destroy(private_load_tester_plugin_t *this)
-{
-	this->iterations = -1;
-	this->mutex->lock(this->mutex);
-	while (this->running)
-	{
-		this->condvar->wait(this->condvar, this->mutex);
-	}
-	this->mutex->unlock(this->mutex);
-	charon->kernel_interface->remove_ipsec_interface(charon->kernel_interface,
-						(kernel_ipsec_constructor_t)load_tester_ipsec_create);
-	charon->backends->remove_backend(charon->backends, &this->config->backend);
-	charon->credentials->remove_set(charon->credentials, &this->creds->credential_set);
-	charon->bus->remove_listener(charon->bus, &this->listener->listener);
-	this->config->destroy(this->config);
-	this->creds->destroy(this->creds);
-	this->listener->destroy(this->listener);
-	lib->crypto->remove_dh(lib->crypto,
-						(dh_constructor_t)load_tester_diffie_hellman_create);
-	this->mutex->destroy(this->mutex);
-	this->condvar->destroy(this->condvar);
-	free(this);
-}
-
-/*
- * see header file
- */
-plugin_t *plugin_create()
-{
-	private_load_tester_plugin_t *this;
-	u_int i, shutdown_on = 0;
-
-	if (!lib->settings->get_bool(lib->settings,
-								 "charon.plugins.load-tester.enable", FALSE))
-	{
-		DBG1(DBG_CFG, "disabling load-tester plugin, not configured");
-		return NULL;
-	}
-
-	this = malloc_thing(private_load_tester_plugin_t);
-	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-
-	lib->crypto->add_dh(lib->crypto, MODP_NULL,
-						(dh_constructor_t)load_tester_diffie_hellman_create);
-
-	this->delay = lib->settings->get_int(lib->settings,
-					"charon.plugins.load-tester.delay", 0);
-	this->iterations = lib->settings->get_int(lib->settings,
-					"charon.plugins.load-tester.iterations", 1);
-	this->initiators = lib->settings->get_int(lib->settings,
-					"charon.plugins.load-tester.initiators", 0);
-	if (lib->settings->get_bool(lib->settings,
-					"charon.plugins.load-tester.shutdown_when_complete", 0))
-	{
-		shutdown_on = this->iterations * this->initiators;
-	}
-
-	this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
-	this->condvar = condvar_create(CONDVAR_TYPE_DEFAULT);
-	this->config = load_tester_config_create();
-	this->creds = load_tester_creds_create();
-	this->listener = load_tester_listener_create(shutdown_on);
-	charon->backends->add_backend(charon->backends, &this->config->backend);
-	charon->credentials->add_set(charon->credentials, &this->creds->credential_set);
-	charon->bus->add_listener(charon->bus, &this->listener->listener);
-
-	if (lib->settings->get_bool(lib->settings,
-					"charon.plugins.load-tester.fake_kernel", FALSE))
-	{
-		charon->kernel_interface->add_ipsec_interface(charon->kernel_interface,
-						(kernel_ipsec_constructor_t)load_tester_ipsec_create);
-	}
-	this->running = 0;
-	for (i = 0; i < this->initiators; i++)
-	{
-		charon->processor->queue_job(charon->processor,
-					(job_t*)callback_job_create((callback_job_cb_t)do_load_test,
-												this, NULL, NULL));
-	}
-	return &this->public.plugin;
-}
-
diff --git a/src/charon/plugins/load_tester/load_tester_plugin.h b/src/charon/plugins/load_tester/load_tester_plugin.h
deleted file mode 100644
index e33f06ac7..000000000
--- a/src/charon/plugins/load_tester/load_tester_plugin.h
+++ /dev/null
@@ -1,49 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup load_tester load_tester
- * @ingroup cplugins
- *
- * @defgroup load_tester_plugin load_tester_plugin
- * @{ @ingroup load_tester
- */
-
-#ifndef LOAD_TESTER_PLUGIN_H_
-#define LOAD_TESTER_PLUGIN_H_
-
-#include <plugins/plugin.h>
-
-typedef struct load_tester_plugin_t load_tester_plugin_t;
-
-/**
- * Load tester plugin to inspect system core under high load.
- *
- * This plugin
- */
-struct load_tester_plugin_t {
-
-	/**
-	 * implements plugin interface
-	 */
-	plugin_t plugin;
-};
-
-/**
- * Create a load_tester_plugin instance.
- */
-plugin_t *plugin_create();
-
-#endif /** LOAD_TESTER_PLUGIN_H_ @}*/
diff --git a/src/charon/plugins/medcli/Makefile.am b/src/charon/plugins/medcli/Makefile.am
deleted file mode 100644
index a5f018f82..000000000
--- a/src/charon/plugins/medcli/Makefile.am
+++ /dev/null
@@ -1,12 +0,0 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
-
-AM_CFLAGS = -rdynamic
-
-plugin_LTLIBRARIES = libstrongswan-medcli.la
-libstrongswan_medcli_la_SOURCES = medcli_plugin.h medcli_plugin.c \
-			      medcli_creds.h medcli_creds.c \
-			      medcli_config.h medcli_config.c \
-			      medcli_listener.h medcli_listener.c
-libstrongswan_medcli_la_LDFLAGS = -module -avoid-version
-
diff --git a/src/charon/plugins/medcli/Makefile.in b/src/charon/plugins/medcli/Makefile.in
deleted file mode 100644
index 47eeecd5b..000000000
--- a/src/charon/plugins/medcli/Makefile.in
+++ /dev/null
@@ -1,575 +0,0 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
-# @configure_input@
-
-# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
-# This Makefile.in is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
-# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
-# PARTICULAR PURPOSE.
-
-@SET_MAKE@
-
-VPATH = @srcdir@
-pkgdatadir = $(datadir)/@PACKAGE@
-pkgincludedir = $(includedir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
-pkglibexecdir = $(libexecdir)/@PACKAGE@
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-install_sh_DATA = $(install_sh) -c -m 644
-install_sh_PROGRAM = $(install_sh) -c
-install_sh_SCRIPT = $(install_sh) -c
-INSTALL_HEADER = $(INSTALL_DATA)
-transform = $(program_transform_name)
-NORMAL_INSTALL = :
-PRE_INSTALL = :
-POST_INSTALL = :
-NORMAL_UNINSTALL = :
-PRE_UNINSTALL = :
-POST_UNINSTALL = :
-build_triplet = @build@
-host_triplet = @host@
-subdir = src/charon/plugins/medcli
-DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
-ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
-	$(top_srcdir)/m4/config/ltoptions.m4 \
-	$(top_srcdir)/m4/config/ltsugar.m4 \
-	$(top_srcdir)/m4/config/ltversion.m4 \
-	$(top_srcdir)/m4/config/lt~obsolete.m4 \
-	$(top_srcdir)/m4/macros/with.m4 \
-	$(top_srcdir)/m4/macros/enable-disable.m4 \
-	$(top_srcdir)/configure.in
-am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
-	$(ACLOCAL_M4)
-mkinstalldirs = $(install_sh) -d
-CONFIG_CLEAN_FILES =
-CONFIG_CLEAN_VPATH_FILES =
-am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
-am__vpath_adj = case $$p in \
-    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
-    *) f=$$p;; \
-  esac;
-am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
-am__install_max = 40
-am__nobase_strip_setup = \
-  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
-am__nobase_strip = \
-  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
-am__nobase_list = $(am__nobase_strip_setup); \
-  for p in $$list; do echo "$$p $$p"; done | \
-  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
-  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
-    if (++n[$$2] == $(am__install_max)) \
-      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
-    END { for (dir in files) print dir, files[dir] }'
-am__base_list = \
-  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
-  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
-am__installdirs = "$(DESTDIR)$(plugindir)"
-LTLIBRARIES = $(plugin_LTLIBRARIES)
-libstrongswan_medcli_la_LIBADD =
-am_libstrongswan_medcli_la_OBJECTS = medcli_plugin.lo medcli_creds.lo \
-	medcli_config.lo medcli_listener.lo
-libstrongswan_medcli_la_OBJECTS =  \
-	$(am_libstrongswan_medcli_la_OBJECTS)
-libstrongswan_medcli_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_medcli_la_LDFLAGS) $(LDFLAGS) -o $@
-DEFAULT_INCLUDES = -I.@am__isrc@
-depcomp = $(SHELL) $(top_srcdir)/depcomp
-am__depfiles_maybe = depfiles
-am__mv = mv -f
-COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
-	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
-SOURCES = $(libstrongswan_medcli_la_SOURCES)
-DIST_SOURCES = $(libstrongswan_medcli_la_SOURCES)
-ETAGS = etags
-CTAGS = ctags
-DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
-ACLOCAL = @ACLOCAL@
-ALLOCA = @ALLOCA@
-AMTAR = @AMTAR@
-AR = @AR@
-AUTOCONF = @AUTOCONF@
-AUTOHEADER = @AUTOHEADER@
-AUTOMAKE = @AUTOMAKE@
-AWK = @AWK@
-BTLIB = @BTLIB@
-CC = @CC@
-CCDEPMODE = @CCDEPMODE@
-CFLAGS = @CFLAGS@
-CPP = @CPP@
-CPPFLAGS = @CPPFLAGS@
-CYGPATH_W = @CYGPATH_W@
-DEFS = @DEFS@
-DEPDIR = @DEPDIR@
-DLLIB = @DLLIB@
-DSYMUTIL = @DSYMUTIL@
-DUMPBIN = @DUMPBIN@
-ECHO_C = @ECHO_C@
-ECHO_N = @ECHO_N@
-ECHO_T = @ECHO_T@
-EGREP = @EGREP@
-EXEEXT = @EXEEXT@
-FGREP = @FGREP@
-GPERF = @GPERF@
-GREP = @GREP@
-INSTALL = @INSTALL@
-INSTALL_DATA = @INSTALL_DATA@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@
-INSTALL_SCRIPT = @INSTALL_SCRIPT@
-INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-LD = @LD@
-LDFLAGS = @LDFLAGS@
-LEX = @LEX@
-LEXLIB = @LEXLIB@
-LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBOBJS = @LIBOBJS@
-LIBS = @LIBS@
-LIBTOOL = @LIBTOOL@
-LIPO = @LIPO@
-LN_S = @LN_S@
-LTLIBOBJS = @LTLIBOBJS@
-MAKEINFO = @MAKEINFO@
-MKDIR_P = @MKDIR_P@
-MYSQLCFLAG = @MYSQLCFLAG@
-MYSQLCONFIG = @MYSQLCONFIG@
-MYSQLLIB = @MYSQLLIB@
-NM = @NM@
-NMEDIT = @NMEDIT@
-OBJDUMP = @OBJDUMP@
-OBJEXT = @OBJEXT@
-OTOOL = @OTOOL@
-OTOOL64 = @OTOOL64@
-PACKAGE = @PACKAGE@
-PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
-PACKAGE_NAME = @PACKAGE_NAME@
-PACKAGE_STRING = @PACKAGE_STRING@
-PACKAGE_TARNAME = @PACKAGE_TARNAME@
-PACKAGE_URL = @PACKAGE_URL@
-PACKAGE_VERSION = @PACKAGE_VERSION@
-PATH_SEPARATOR = @PATH_SEPARATOR@
-PERL = @PERL@
-PKG_CONFIG = @PKG_CONFIG@
-PTHREADLIB = @PTHREADLIB@
-RANLIB = @RANLIB@
-RTLIB = @RTLIB@
-RUBY = @RUBY@
-RUBYINCLUDE = @RUBYINCLUDE@
-SED = @SED@
-SET_MAKE = @SET_MAKE@
-SHELL = @SHELL@
-SOCKLIB = @SOCKLIB@
-STRIP = @STRIP@
-VERSION = @VERSION@
-YACC = @YACC@
-YFLAGS = @YFLAGS@
-abs_builddir = @abs_builddir@
-abs_srcdir = @abs_srcdir@
-abs_top_builddir = @abs_top_builddir@
-abs_top_srcdir = @abs_top_srcdir@
-ac_ct_CC = @ac_ct_CC@
-ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
-am__include = @am__include@
-am__leading_dot = @am__leading_dot@
-am__quote = @am__quote@
-am__tar = @am__tar@
-am__untar = @am__untar@
-bindir = @bindir@
-build = @build@
-build_alias = @build_alias@
-build_cpu = @build_cpu@
-build_os = @build_os@
-build_vendor = @build_vendor@
-builddir = @builddir@
-datadir = @datadir@
-datarootdir = @datarootdir@
-default_pkcs11 = @default_pkcs11@
-docdir = @docdir@
-dvidir = @dvidir@
-exec_prefix = @exec_prefix@
-gtk_CFLAGS = @gtk_CFLAGS@
-gtk_LIBS = @gtk_LIBS@
-host = @host@
-host_alias = @host_alias@
-host_cpu = @host_cpu@
-host_os = @host_os@
-host_vendor = @host_vendor@
-htmldir = @htmldir@
-includedir = @includedir@
-infodir = @infodir@
-install_sh = @install_sh@
-ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
-ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
-ipsecuser = @ipsecuser@
-libdir = @libdir@
-libexecdir = @libexecdir@
-libstrongswan_plugins = @libstrongswan_plugins@
-linux_headers = @linux_headers@
-localedir = @localedir@
-localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
-mandir = @mandir@
-mkdir_p = @mkdir_p@
-nm_CFLAGS = @nm_CFLAGS@
-nm_LIBS = @nm_LIBS@
-nm_ca_dir = @nm_ca_dir@
-oldincludedir = @oldincludedir@
-pdfdir = @pdfdir@
-piddir = @piddir@
-plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
-prefix = @prefix@
-program_transform_name = @program_transform_name@
-psdir = @psdir@
-random_device = @random_device@
-resolv_conf = @resolv_conf@
-routing_table = @routing_table@
-routing_table_prio = @routing_table_prio@
-sbindir = @sbindir@
-sharedstatedir = @sharedstatedir@
-srcdir = @srcdir@
-strongswan_conf = @strongswan_conf@
-sysconfdir = @sysconfdir@
-target_alias = @target_alias@
-top_build_prefix = @top_build_prefix@
-top_builddir = @top_builddir@
-top_srcdir = @top_srcdir@
-urandom_device = @urandom_device@
-xml_CFLAGS = @xml_CFLAGS@
-xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
-AM_CFLAGS = -rdynamic
-plugin_LTLIBRARIES = libstrongswan-medcli.la
-libstrongswan_medcli_la_SOURCES = medcli_plugin.h medcli_plugin.c \
-			      medcli_creds.h medcli_creds.c \
-			      medcli_config.h medcli_config.c \
-			      medcli_listener.h medcli_listener.c
-
-libstrongswan_medcli_la_LDFLAGS = -module -avoid-version
-all: all-am
-
-.SUFFIXES:
-.SUFFIXES: .c .lo .o .obj
-$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
-	@for dep in $?; do \
-	  case '$(am__configure_deps)' in \
-	    *$$dep*) \
-	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
-	        && { if test -f $@; then exit 0; else break; fi; }; \
-	      exit 1;; \
-	  esac; \
-	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/charon/plugins/medcli/Makefile'; \
-	$(am__cd) $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu src/charon/plugins/medcli/Makefile
-.PRECIOUS: Makefile
-Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
-	@case '$?' in \
-	  *config.status*) \
-	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
-	  *) \
-	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
-	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
-	esac;
-
-$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-
-$(top_srcdir)/configure:  $(am__configure_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(am__aclocal_m4_deps):
-install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
-	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
-	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
-	list2=; for p in $$list; do \
-	  if test -f $$p; then \
-	    list2="$$list2 $$p"; \
-	  else :; fi; \
-	done; \
-	test -z "$$list2" || { \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
-	}
-
-uninstall-pluginLTLIBRARIES:
-	@$(NORMAL_UNINSTALL)
-	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
-	for p in $$list; do \
-	  $(am__strip_dir) \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
-	done
-
-clean-pluginLTLIBRARIES:
-	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
-	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
-	  test "$$dir" != "$$p" || dir=.; \
-	  echo "rm -f \"$${dir}/so_locations\""; \
-	  rm -f "$${dir}/so_locations"; \
-	done
-libstrongswan-medcli.la: $(libstrongswan_medcli_la_OBJECTS) $(libstrongswan_medcli_la_DEPENDENCIES) 
-	$(libstrongswan_medcli_la_LINK) -rpath $(plugindir) $(libstrongswan_medcli_la_OBJECTS) $(libstrongswan_medcli_la_LIBADD) $(LIBS)
-
-mostlyclean-compile:
-	-rm -f *.$(OBJEXT)
-
-distclean-compile:
-	-rm -f *.tab.c
-
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/medcli_config.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/medcli_creds.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/medcli_listener.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/medcli_plugin.Plo@am__quote@
-
-.c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
-
-.c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
-
-.c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
-
-mostlyclean-libtool:
-	-rm -f *.lo
-
-clean-libtool:
-	-rm -rf .libs _libs
-
-ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
-	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	mkid -fID $$unique
-tags: TAGS
-
-TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	set x; \
-	here=`pwd`; \
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	shift; \
-	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
-	  test -n "$$unique" || unique=$$empty_fix; \
-	  if test $$# -gt 0; then \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      "$$@" $$unique; \
-	  else \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      $$unique; \
-	  fi; \
-	fi
-ctags: CTAGS
-CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$unique" \
-	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$unique
-
-GTAGS:
-	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && $(am__cd) $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) "$$here"
-
-distclean-tags:
-	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
-
-distdir: $(DISTFILES)
-	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	list='$(DISTFILES)'; \
-	  dist_files=`for file in $$list; do echo $$file; done | \
-	  sed -e "s|^$$srcdirstrip/||;t" \
-	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
-	case $$dist_files in \
-	  */*) $(MKDIR_P) `echo "$$dist_files" | \
-			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
-			   sort -u` ;; \
-	esac; \
-	for file in $$dist_files; do \
-	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  if test -d $$d/$$file; then \
-	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
-	    if test -d "$(distdir)/$$file"; then \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
-	  else \
-	    test -f "$(distdir)/$$file" \
-	    || cp -p $$d/$$file "$(distdir)/$$file" \
-	    || exit 1; \
-	  fi; \
-	done
-check-am: all-am
-check: check-am
-all-am: Makefile $(LTLIBRARIES)
-installdirs:
-	for dir in "$(DESTDIR)$(plugindir)"; do \
-	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
-	done
-install: install-am
-install-exec: install-exec-am
-install-data: install-data-am
-uninstall: uninstall-am
-
-install-am: all-am
-	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
-
-installcheck: installcheck-am
-install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
-mostlyclean-generic:
-
-clean-generic:
-
-distclean-generic:
-	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
-
-maintainer-clean-generic:
-	@echo "This command is intended for maintainers to use"
-	@echo "it deletes files that may require special tools to rebuild."
-clean: clean-am
-
-clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
-	mostlyclean-am
-
-distclean: distclean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-distclean-am: clean-am distclean-compile distclean-generic \
-	distclean-tags
-
-dvi: dvi-am
-
-dvi-am:
-
-html: html-am
-
-html-am:
-
-info: info-am
-
-info-am:
-
-install-data-am: install-pluginLTLIBRARIES
-
-install-dvi: install-dvi-am
-
-install-dvi-am:
-
-install-exec-am:
-
-install-html: install-html-am
-
-install-html-am:
-
-install-info: install-info-am
-
-install-info-am:
-
-install-man:
-
-install-pdf: install-pdf-am
-
-install-pdf-am:
-
-install-ps: install-ps-am
-
-install-ps-am:
-
-installcheck-am:
-
-maintainer-clean: maintainer-clean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-maintainer-clean-am: distclean-am maintainer-clean-generic
-
-mostlyclean: mostlyclean-am
-
-mostlyclean-am: mostlyclean-compile mostlyclean-generic \
-	mostlyclean-libtool
-
-pdf: pdf-am
-
-pdf-am:
-
-ps: ps-am
-
-ps-am:
-
-uninstall-am: uninstall-pluginLTLIBRARIES
-
-.MAKE: install-am install-strip
-
-.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
-	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
-	distclean-compile distclean-generic distclean-libtool \
-	distclean-tags distdir dvi dvi-am html html-am info info-am \
-	install install-am install-data install-data-am install-dvi \
-	install-dvi-am install-exec install-exec-am install-html \
-	install-html-am install-info install-info-am install-man \
-	install-pdf install-pdf-am install-pluginLTLIBRARIES \
-	install-ps install-ps-am install-strip installcheck \
-	installcheck-am installdirs maintainer-clean \
-	maintainer-clean-generic mostlyclean mostlyclean-compile \
-	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
-
-
-# Tell versions [3.59,3.63) of GNU make to not export all variables.
-# Otherwise a system limit (for SysV at least) may be exceeded.
-.NOEXPORT:
diff --git a/src/charon/plugins/medcli/medcli_config.c b/src/charon/plugins/medcli/medcli_config.c
deleted file mode 100644
index 2e49ebbf7..000000000
--- a/src/charon/plugins/medcli/medcli_config.c
+++ /dev/null
@@ -1,405 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#define _GNU_SOURCE
-#include <string.h>
-
-#include "medcli_config.h"
-
-#include <daemon.h>
-#include <processing/jobs/callback_job.h>
-
-typedef struct private_medcli_config_t private_medcli_config_t;
-
-/**
- * Private data of an medcli_config_t object
- */
-struct private_medcli_config_t {
-
-	/**
-	 * Public part
-	 */
-	medcli_config_t public;
-
-	/**
-	 * database connection
-	 */
-	database_t *db;
-
-	/**
-	 * rekey time
-	 */
-	int rekey;
-
-	/**
-	 * dpd delay
-	 */
-	int dpd;
-
-	/**
-	 * default ike config
-	 */
-	ike_cfg_t *ike;
-};
-
-/**
- * create a traffic selector from a CIDR notation string
- */
-static traffic_selector_t *ts_from_string(char *str)
-{
-	if (str)
-	{
-		int netbits = 32;
-		host_t *net;
-		char *pos;
-
-		str = strdupa(str);
-		pos = strchr(str, '/');
-		if (pos)
-		{
-			*pos++ = '\0';
-			netbits = atoi(pos);
-		}
-		else
-		{
-			if (strchr(str, ':'))
-			{
-				netbits = 128;
-			}
-		}
-		net = host_create_from_string(str, 0);
-		if (net)
-		{
-			return traffic_selector_create_from_subnet(net, netbits, 0, 0);
-		}
-	}
-	return traffic_selector_create_dynamic(0, 0, 65535);
-}
-
-/**
- * implements backend_t.get_peer_cfg_by_name.
- */
-static peer_cfg_t *get_peer_cfg_by_name(private_medcli_config_t *this, char *name)
-{
-	enumerator_t *e;
-	peer_cfg_t *peer_cfg, *med_cfg;
-	auth_cfg_t *auth;
-	ike_cfg_t *ike_cfg;
-	child_cfg_t *child_cfg;
-	chunk_t me, other;
-	char *address, *local_net, *remote_net;
-	lifetime_cfg_t lifetime = {
-		.time = {
-			.life = this->rekey * 60 + this->rekey,
-			.rekey = this->rekey,
-			.jitter = this->rekey
-		}
-	};
-
-	/* query mediation server config:
-	 * - build ike_cfg/peer_cfg for mediation connection on-the-fly
-	 */
-	e = this->db->query(this->db,
-			"SELECT Address, ClientConfig.KeyId, MediationServerConfig.KeyId "
-			"FROM MediationServerConfig JOIN ClientConfig",
-			DB_TEXT, DB_BLOB, DB_BLOB);
-	if (!e || !e->enumerate(e, &address, &me, &other))
-	{
-		DESTROY_IF(e);
-		return NULL;
-	}
-	ike_cfg = ike_cfg_create(FALSE, FALSE, "0.0.0.0", address);
-	ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
-	med_cfg = peer_cfg_create(
-		"mediation", 2, ike_cfg,
-		CERT_NEVER_SEND, UNIQUE_REPLACE,
-		1, this->rekey*60, 0,  			/* keytries, rekey, reauth */
-		this->rekey*5, this->rekey*3, 	/* jitter, overtime */
-		TRUE, this->dpd, 				/* mobike, dpddelay */
-		NULL, NULL, 					/* vip, pool */
-		TRUE, NULL, NULL); 				/* mediation, med by, peer id */
-	e->destroy(e);
-
-	auth = auth_cfg_create();
-	auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
-	auth->add(auth, AUTH_RULE_IDENTITY,
-			  identification_create_from_encoding(ID_KEY_ID, me));
-	med_cfg->add_auth_cfg(med_cfg, auth, TRUE);
-	auth = auth_cfg_create();
-	auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
-	auth->add(auth, AUTH_RULE_IDENTITY,
-			  identification_create_from_encoding(ID_KEY_ID, other));
-	med_cfg->add_auth_cfg(med_cfg, auth, FALSE);
-
-	/* query mediated config:
-	 * - use any-any ike_cfg
-	 * - build peer_cfg on-the-fly using med_cfg
-	 * - add a child_cfg
-	 */
-	e = this->db->query(this->db,
-			"SELECT ClientConfig.KeyId, Connection.KeyId, "
-			"Connection.LocalSubnet, Connection.RemoteSubnet "
-			"FROM ClientConfig JOIN Connection "
-			"WHERE Active AND Alias = ?", DB_TEXT, name,
-			DB_BLOB, DB_BLOB, DB_TEXT, DB_TEXT);
-	if (!e || !e->enumerate(e, &me, &other, &local_net, &remote_net))
-	{
-		DESTROY_IF(e);
-		return NULL;
-	}
-	peer_cfg = peer_cfg_create(
-		name, 2, this->ike->get_ref(this->ike),
-		CERT_NEVER_SEND, UNIQUE_REPLACE,
-		1, this->rekey*60, 0,  			/* keytries, rekey, reauth */
-		this->rekey*5, this->rekey*3, 	/* jitter, overtime */
-		TRUE, this->dpd, 				/* mobike, dpddelay */
-		NULL, NULL, 					/* vip, pool */
-		FALSE, med_cfg,					/* mediation, med by */
-		identification_create_from_encoding(ID_KEY_ID, other));
-
-	auth = auth_cfg_create();
-	auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
-	auth->add(auth, AUTH_RULE_IDENTITY,
-			  identification_create_from_encoding(ID_KEY_ID, me));
-	peer_cfg->add_auth_cfg(peer_cfg, auth, TRUE);
-	auth = auth_cfg_create();
-	auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
-	auth->add(auth, AUTH_RULE_IDENTITY,
-			  identification_create_from_encoding(ID_KEY_ID, other));
-	peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);
-
-	child_cfg = child_cfg_create(name, &lifetime, NULL, TRUE,
-							  MODE_TUNNEL, ACTION_NONE, ACTION_NONE, FALSE, 0);
-	child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
-	child_cfg->add_traffic_selector(child_cfg, TRUE, ts_from_string(local_net));
-	child_cfg->add_traffic_selector(child_cfg, FALSE, ts_from_string(remote_net));
-	peer_cfg->add_child_cfg(peer_cfg, child_cfg);
-	e->destroy(e);
-	return peer_cfg;
-}
-
-/**
- * Implementation of backend_t.create_ike_cfg_enumerator.
- */
-static enumerator_t* create_ike_cfg_enumerator(private_medcli_config_t *this,
-											   host_t *me, host_t *other)
-{
-	return enumerator_create_single(this->ike, NULL);
-}
-
-typedef struct {
-	/** implements enumerator */
-	enumerator_t public;
-	/** inner SQL enumerator */
-	enumerator_t *inner;
-	/** currently enumerated peer config */
-	peer_cfg_t *current;
-	/** ike cfg to use in peer cfg */
-	ike_cfg_t *ike;
-	/** rekey time */
-	int rekey;
-	/** dpd time */
-	int dpd;
-} peer_enumerator_t;
-
-/**
- * Implementation of peer_enumerator_t.public.enumerate
- */
-static bool peer_enumerator_enumerate(peer_enumerator_t *this, peer_cfg_t **cfg)
-{
-	char *name, *local_net, *remote_net;
-	chunk_t me, other;
-	child_cfg_t *child_cfg;
-	auth_cfg_t *auth;
-	lifetime_cfg_t lifetime = {
-		.time = {
-			.life = this->rekey * 60 + this->rekey,
-			.rekey = this->rekey,
-			.jitter = this->rekey
-		}
-	};
-
-	DESTROY_IF(this->current);
-	if (!this->inner->enumerate(this->inner, &name, &me, &other,
-								&local_net, &remote_net))
-	{
-		this->current = NULL;
-		return FALSE;
-	}
-	this->current = peer_cfg_create(
-				name, 2, this->ike->get_ref(this->ike),
-				CERT_NEVER_SEND, UNIQUE_REPLACE,
-				1, this->rekey*60, 0,  			/* keytries, rekey, reauth */
-				this->rekey*5, this->rekey*3, 	/* jitter, overtime */
-				TRUE, this->dpd, 				/* mobike, dpddelay */
-				NULL, NULL, 					/* vip, pool */
-				FALSE, NULL, NULL); 			/* mediation, med by, peer id */
-
-	auth = auth_cfg_create();
-	auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
-	auth->add(auth, AUTH_RULE_IDENTITY,
-			  identification_create_from_encoding(ID_KEY_ID, me));
-	this->current->add_auth_cfg(this->current, auth, TRUE);
-	auth = auth_cfg_create();
-	auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
-	auth->add(auth, AUTH_RULE_IDENTITY,
-			  identification_create_from_encoding(ID_KEY_ID, other));
-	this->current->add_auth_cfg(this->current, auth, FALSE);
-
-	child_cfg = child_cfg_create(name, &lifetime, NULL, TRUE, MODE_TUNNEL,
-								 ACTION_NONE, ACTION_NONE, FALSE, 0);
-	child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
-	child_cfg->add_traffic_selector(child_cfg, TRUE, ts_from_string(local_net));
-	child_cfg->add_traffic_selector(child_cfg, FALSE, ts_from_string(remote_net));
-	this->current->add_child_cfg(this->current, child_cfg);
-	*cfg = this->current;
-	return TRUE;
-}
-
-/**
- * Implementation of peer_enumerator_t.public.destroy
- */
-static void peer_enumerator_destroy(peer_enumerator_t *this)
-{
-	DESTROY_IF(this->current);
-	this->inner->destroy(this->inner);
-	free(this);
-}
-
-/**
- * Implementation of backend_t.create_peer_cfg_enumerator.
- */
-static enumerator_t* create_peer_cfg_enumerator(private_medcli_config_t *this,
-												identification_t *me,
-												identification_t *other)
-{
-	peer_enumerator_t *e = malloc_thing(peer_enumerator_t);
-
-	e->current = NULL;
-	e->ike = this->ike;
-	e->rekey = this->rekey;
-	e->dpd = this->dpd;
-	e->public.enumerate = (void*)peer_enumerator_enumerate;
-	e->public.destroy = (void*)peer_enumerator_destroy;
-
-	/* filter on IDs: NULL or ANY or matching KEY_ID */
-	e->inner = this->db->query(this->db,
-			"SELECT Alias, ClientConfig.KeyId, Connection.KeyId, "
-			"Connection.LocalSubnet, Connection.RemoteSubnet "
-			"FROM ClientConfig JOIN Connection "
-			"WHERE Active AND "
-			"(? OR ClientConfig.KeyId = ?) AND (? OR Connection.KeyId = ?)",
-			DB_INT, me == NULL || me->get_type(me) == ID_ANY,
-			DB_BLOB, me && me->get_type(me) == ID_KEY_ID ?
-				me->get_encoding(me) : chunk_empty,
-			DB_INT, other == NULL || other->get_type(other) == ID_ANY,
-			DB_BLOB, other && other->get_type(other) == ID_KEY_ID ?
-				other->get_encoding(other) : chunk_empty,
-			DB_TEXT, DB_BLOB, DB_BLOB, DB_TEXT, DB_TEXT);
-	if (!e->inner)
-	{
-		free(e);
-		return NULL;
-	}
-	return &e->public;
-}
-
-/**
- * initiate a peer config
- */
-static job_requeue_t initiate_config(peer_cfg_t *peer_cfg)
-{
-	enumerator_t *enumerator;
-	child_cfg_t *child_cfg = NULL;;
-
-	enumerator = peer_cfg->create_child_cfg_enumerator(peer_cfg);
-	enumerator->enumerate(enumerator, &child_cfg);
-	if (child_cfg)
-	{
-		child_cfg->get_ref(child_cfg);
-		peer_cfg->get_ref(peer_cfg);
-		enumerator->destroy(enumerator);
-		charon->controller->initiate(charon->controller,
-									 peer_cfg, child_cfg, NULL, NULL);
-	}
-	else
-	{
-		enumerator->destroy(enumerator);
-	}
-	return JOB_REQUEUE_NONE;
-}
-
-/**
- * schedule initation of all "active" connections
- */
-static void schedule_autoinit(private_medcli_config_t *this)
-{
-	enumerator_t *e;
-	char *name;
-
-	e = this->db->query(this->db, "SELECT Alias FROM Connection WHERE Active",
-						DB_TEXT);
-	if (e)
-	{
-		while (e->enumerate(e, &name))
-		{
-			peer_cfg_t *peer_cfg;
-
-			peer_cfg = get_peer_cfg_by_name(this, name);
-			if (peer_cfg)
-			{
-				/* schedule asynchronous initiation job */
-				charon->processor->queue_job(charon->processor,
-						(job_t*)callback_job_create(
-									(callback_job_cb_t)initiate_config,
-									peer_cfg, (void*)peer_cfg->destroy, NULL));
-			}
-		}
-		e->destroy(e);
-	}
-}
-
-/**
- * Implementation of medcli_config_t.destroy.
- */
-static void destroy(private_medcli_config_t *this)
-{
-	this->ike->destroy(this->ike);
-	free(this);
-}
-
-/**
- * Described in header.
- */
-medcli_config_t *medcli_config_create(database_t *db)
-{
-	private_medcli_config_t *this = malloc_thing(private_medcli_config_t);
-
-	this->public.backend.create_peer_cfg_enumerator = (enumerator_t*(*)(backend_t*, identification_t *me, identification_t *other))create_peer_cfg_enumerator;
-	this->public.backend.create_ike_cfg_enumerator = (enumerator_t*(*)(backend_t*, host_t *me, host_t *other))create_ike_cfg_enumerator;
-	this->public.backend.get_peer_cfg_by_name = (peer_cfg_t* (*)(backend_t*,char*))get_peer_cfg_by_name;
-	this->public.destroy = (void(*)(medcli_config_t*))destroy;
-
-	this->db = db;
-	this->rekey = lib->settings->get_time(lib->settings, "medcli.rekey", 1200);
-	this->dpd = lib->settings->get_time(lib->settings, "medcli.dpd", 300);
-	this->ike = ike_cfg_create(FALSE, FALSE, "0.0.0.0", "0.0.0.0");
-	this->ike->add_proposal(this->ike, proposal_create_default(PROTO_IKE));
-
-	schedule_autoinit(this);
-
-	return &this->public;
-}
-
diff --git a/src/charon/plugins/medcli/medcli_config.h b/src/charon/plugins/medcli/medcli_config.h
deleted file mode 100644
index 36c20adf7..000000000
--- a/src/charon/plugins/medcli/medcli_config.h
+++ /dev/null
@@ -1,53 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup medcli_config_i medcli_config
- * @{ @ingroup medcli
- */
-
-#ifndef MEDCLI_CONFIG_H_
-#define MEDCLI_CONFIG_H_
-
-#include <config/backend.h>
-#include <database/database.h>
-
-typedef struct medcli_config_t medcli_config_t;
-
-/**
- * Mediation client configuration backend.
- */
-struct medcli_config_t {
-
-	/**
-	 * Implements backend_t interface
-	 */
-	backend_t backend;
-
-	/**
-	 * Destroy the backend.
-	 */
-	void (*destroy)(medcli_config_t *this);
-};
-
-/**
- * Create a medcli_config backend instance.
- *
- * @param db		underlying database
- * @return			backend instance
- */
-medcli_config_t *medcli_config_create(database_t *db);
-
-#endif /** MEDCLI_CONFIG_H_ @}*/
diff --git a/src/charon/plugins/medcli/medcli_creds.c b/src/charon/plugins/medcli/medcli_creds.c
deleted file mode 100644
index 9729df3f5..000000000
--- a/src/charon/plugins/medcli/medcli_creds.c
+++ /dev/null
@@ -1,243 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "medcli_creds.h"
-
-#include <daemon.h>
-#include <library.h>
-#include <utils/enumerator.h>
-
-typedef struct private_medcli_creds_t private_medcli_creds_t;
-
-/**
- * Private data of an medcli_creds_t object
- */
-struct private_medcli_creds_t {
-
-	/**
-	 * Public part
-	 */
-	medcli_creds_t public;
-
-	/**
-	 * underlying database handle
-	 */
-	database_t *db;
-};
-
-/**
- * enumerator over private keys
- */
-typedef struct {
-	/** implements enumerator */
-	enumerator_t public;
-	/** inner SQL enumerator */
-	enumerator_t *inner;
-	/** currently enumerated private key */
-	private_key_t *current;
-} private_enumerator_t;
-
-/**
- * Implementation of private_enumerator_t.public.enumerate
- */
-static bool private_enumerator_enumerate(private_enumerator_t *this,
-										 private_key_t **key)
-{
-	chunk_t chunk;
-
-	DESTROY_IF(this->current);
-	while (this->inner->enumerate(this->inner, &chunk))
-	{
-		this->current = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
-										   BUILD_BLOB_ASN1_DER, chunk,
-										   BUILD_END);
-		if (this->current)
-		{
-			*key = this->current;
-			return TRUE;
-		}
-	}
-	this->current = NULL;
-	return FALSE;
-}
-
-/**
- * Implementation of private_enumerator_t.public.destroy
- */
-static void private_enumerator_destroy(private_enumerator_t *this)
-{
-	DESTROY_IF(this->current);
-	this->inner->destroy(this->inner);
-	free(this);
-}
-
-/**
- * Implementation of credential_set_t.create_private_enumerator.
- */
-static enumerator_t* create_private_enumerator(private_medcli_creds_t *this,
-										key_type_t type, identification_t *id)
-{
-	private_enumerator_t *e;
-
-	if ((type != KEY_RSA && type != KEY_ANY) ||
-		id == NULL || id->get_type(id) != ID_KEY_ID)
-	{
-		DBG1(DBG_CFG, "%N - %Y", key_type_names, type, id);
-		return NULL;
-	}
-
-	e = malloc_thing(private_enumerator_t);
-	e->current = NULL;
-	e->public.enumerate = (void*)private_enumerator_enumerate;
-	e->public.destroy = (void*)private_enumerator_destroy;
-	e->inner = this->db->query(this->db,
-						"SELECT PrivateKey FROM ClientConfig WHERE KeyId = ?",
-						DB_BLOB, id->get_encoding(id),
-						DB_BLOB);
-	if (!e->inner)
-	{
-		free(e);
-		return NULL;
-	}
-	return &e->public;
-}
-
-/**
- * enumerator over certificates
- */
-typedef struct {
-	/** implements enumerator */
-	enumerator_t public;
-	/** inner SQL enumerator */
-	enumerator_t *inner;
-	/** currently enumerated cert */
-	certificate_t *current;
-	/** type of requested key */
-	key_type_t type;
-} cert_enumerator_t;
-
-/**
- * Implementation of cert_enumerator_t.public.enumerate
- */
-static bool cert_enumerator_enumerate(cert_enumerator_t *this,
-									  certificate_t **cert)
-{
-	public_key_t *public;
-	chunk_t chunk;
-
-	DESTROY_IF(this->current);
-	while (this->inner->enumerate(this->inner, &chunk))
-	{
-		public = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ANY,
-									BUILD_BLOB_ASN1_DER, chunk,
-									BUILD_END);
-		if (public)
-		{
-			if (this->type == KEY_ANY || this->type == public->get_type(public))
-			{
-				this->current = lib->creds->create(lib->creds,
-										CRED_CERTIFICATE, CERT_TRUSTED_PUBKEY,
-										BUILD_PUBLIC_KEY, public, BUILD_END);
-				public->destroy(public);
-				if (this->current)
-				{
-					*cert = this->current;
-					return TRUE;
-				}
-			}
-			else
-			{
-				public->destroy(public);
-			}
-		}
-	}
-	this->current = NULL;
-	return FALSE;
-}
-
-/**
- * Implementation of cert_enumerator_t.public.destroy
- */
-static void cert_enumerator_destroy(cert_enumerator_t *this)
-{
-	DESTROY_IF(this->current);
-	this->inner->destroy(this->inner);
-	free(this);
-}
-
-/**
- * Implementation of credential_set_t.create_cert_enumerator.
- */
-static enumerator_t* create_cert_enumerator(private_medcli_creds_t *this,
-										certificate_type_t cert, key_type_t key,
-										identification_t *id, bool trusted)
-{
-	cert_enumerator_t *e;
-
-	if ((cert != CERT_TRUSTED_PUBKEY && cert != CERT_ANY) ||
-		id == NULL || id->get_type(id) != ID_KEY_ID)
-	{
-		return NULL;
-	}
-
-	e = malloc_thing(cert_enumerator_t);
-	e->current = NULL;
-	e->type = key;
-	e->public.enumerate = (void*)cert_enumerator_enumerate;
-	e->public.destroy = (void*)cert_enumerator_destroy;
-	e->inner = this->db->query(this->db,
-			"SELECT PublicKey FROM ClientConfig WHERE KeyId = ? UNION "
-			"SELECT PublicKey FROM MediationServerConfig WHERE KeyId = ? UNION "
-			"SELECT PublicKey FROM Connection WHERE KeyId = ?",
-			DB_BLOB, id->get_encoding(id),
-			DB_BLOB, id->get_encoding(id),
-			DB_BLOB, id->get_encoding(id),
-			DB_BLOB);
-	if (!e->inner)
-	{
-		free(e);
-		return NULL;
-	}
-	return &e->public;
-}
-
-/**
- * Implementation of backend_t.destroy.
- */
-static void destroy(private_medcli_creds_t *this)
-{
-	free(this);
-}
-
-/**
- * Described in header.
- */
-medcli_creds_t *medcli_creds_create(database_t *db)
-{
-	private_medcli_creds_t *this = malloc_thing(private_medcli_creds_t);
-
-	this->public.set.create_private_enumerator = (void*)create_private_enumerator;
-	this->public.set.create_cert_enumerator = (void*)create_cert_enumerator;
-	this->public.set.create_shared_enumerator = (void*)return_null;
-	this->public.set.create_cdp_enumerator = (void*)return_null;
-	this->public.set.cache_cert = (void*)nop;
-
-	this->public.destroy = (void (*)(medcli_creds_t*))destroy;
-
-	this->db = db;
-
-	return &this->public;
-}
-
diff --git a/src/charon/plugins/medcli/medcli_creds.h b/src/charon/plugins/medcli/medcli_creds.h
deleted file mode 100644
index 4b5402653..000000000
--- a/src/charon/plugins/medcli/medcli_creds.h
+++ /dev/null
@@ -1,53 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup medcli_creds_i medcli_creds
- * @{ @ingroup medcli
- */
-
-#ifndef MEDCLI_CREDS_H_
-#define MEDCLI_CREDS_H_
-
-#include <credentials/credential_set.h>
-#include <database/database.h>
-
-typedef struct medcli_creds_t medcli_creds_t;
-
-/**
- * Mediation client credentials database.
- */
-struct medcli_creds_t {
-
-	/**
-	 * Implements credential_set_t interface
-	 */
-	credential_set_t set;
-
-	/**
-	 * Destroy the credentials databse.
-	 */
-	void (*destroy)(medcli_creds_t *this);
-};
-
-/**
- * Create the medcli credential set.
- *
- * @param database		underlying database
- * @return				credential set implementation on that database
- */
-medcli_creds_t *medcli_creds_create(database_t *database);
-
-#endif /** MEDCLI_CREDS_H_ @}*/
diff --git a/src/charon/plugins/medcli/medcli_listener.c b/src/charon/plugins/medcli/medcli_listener.c
deleted file mode 100644
index 142f02e6c..000000000
--- a/src/charon/plugins/medcli/medcli_listener.c
+++ /dev/null
@@ -1,133 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "medcli_listener.h"
-
-#include <daemon.h>
-#include <library.h>
-
-typedef struct private_medcli_listener_t private_medcli_listener_t;
-typedef enum mediated_state_t mediated_state_t;
-
-/**
- * state of a mediated connection
- */
-enum mediated_state_t {
-	STATE_DOWN = 1,
-	STATE_CONNECTING = 2,
-	STATE_UP = 3,
-};
-
-/**
- * Private data of an medcli_listener_t object
- */
-struct private_medcli_listener_t {
-
-	/**
-	 * Public part
-	 */
-	medcli_listener_t public;
-
-	/**
-	 * underlying database handle
-	 */
-	database_t *db;
-};
-
-/**
- * Implementation of bus_listener_t.signal.
- */
-static void set_state(private_medcli_listener_t *this, char *alias,
-					  mediated_state_t state)
-{
-	this->db->execute(this->db, NULL,
-					  "UPDATE Connection SET Status = ? WHERE Alias = ?",
-					  DB_UINT, state, DB_TEXT, alias);
-}
-/**
- * Implementation of listener_t.ike_state_change
- */
-static bool ike_state_change(private_medcli_listener_t *this,
-							 ike_sa_t *ike_sa, ike_sa_state_t state)
-{
-	if (ike_sa)
-	{
-		switch (state)
-		{
-			case IKE_CONNECTING:
-				set_state(this, ike_sa->get_name(ike_sa), STATE_CONNECTING);
-				break;
-			case IKE_DESTROYING:
-				set_state(this, ike_sa->get_name(ike_sa), STATE_DOWN);
-			default:
-				break;
-		}
-	}
-	return TRUE;
-}
-
-/**
- * Implementation of listener_t.child_state_change
- */
-static bool child_state_change(private_medcli_listener_t *this,
-				ike_sa_t *ike_sa, child_sa_t *child_sa, child_sa_state_t state)
-{
-	if (ike_sa && child_sa)
-	{
-		switch (state)
-		{
-			case CHILD_INSTALLED:
-				set_state(this, child_sa->get_name(child_sa), STATE_UP);
-				break;
-			case CHILD_DESTROYING:
-				set_state(this, child_sa->get_name(child_sa), STATE_DOWN);
-				break;
-			default:
-				break;
-		}
-	}
-	return TRUE;
-}
-
-/**
- * Implementation of backend_t.destroy.
- */
-static void destroy(private_medcli_listener_t *this)
-{
-	this->db->execute(this->db, NULL, "UPDATE Connection SET Status = ?",
-					  DB_UINT, STATE_DOWN);
-	free(this);
-}
-
-/**
- * Described in header.
- */
-medcli_listener_t *medcli_listener_create(database_t *db)
-{
-	private_medcli_listener_t *this = malloc_thing(private_medcli_listener_t);
-
-	memset(&this->public.listener, 0, sizeof(listener_t));
-
-	this->public.listener.ike_state_change = (void*)ike_state_change;
-	this->public.listener.child_state_change = (void*)child_state_change;
-	this->public.destroy = (void (*)(medcli_listener_t*))destroy;
-
-	this->db = db;
-	db->execute(db, NULL, "UPDATE Connection SET Status = ?",
-				DB_UINT, STATE_DOWN);
-
-	return &this->public;
-}
-
diff --git a/src/charon/plugins/medcli/medcli_listener.h b/src/charon/plugins/medcli/medcli_listener.h
deleted file mode 100644
index 4768beccd..000000000
--- a/src/charon/plugins/medcli/medcli_listener.h
+++ /dev/null
@@ -1,53 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup medcli_listener_i medcli_listener
- * @{ @ingroup medcli
- */
-
-#ifndef MEDCLI_LISTENER_H_
-#define MEDCLI_LISTENER_H_
-
-#include <bus/bus.h>
-#include <database/database.h>
-
-typedef struct medcli_listener_t medcli_listener_t;
-
-/**
- * Mediation client listener, writes connection status to database
- */
-struct medcli_listener_t {
-
-	/**
-	 * Implements bus_listener_t interface
-	 */
-	listener_t listener;
-
-	/**
-	 * Destroy the credentials databse.
-	 */
-	void (*destroy)(medcli_listener_t *this);
-};
-
-/**
- * Create the medcli credential set.
- *
- * @param database		underlying database
- * @return				listener
- */
-medcli_listener_t *medcli_listener_create(database_t *database);
-
-#endif /** MEDCLI_LISTENER_H_ @}*/
diff --git a/src/charon/plugins/medcli/medcli_plugin.c b/src/charon/plugins/medcli/medcli_plugin.c
deleted file mode 100644
index 148eded61..000000000
--- a/src/charon/plugins/medcli/medcli_plugin.c
+++ /dev/null
@@ -1,109 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "medcli_plugin.h"
-
-#include "medcli_creds.h"
-#include "medcli_config.h"
-#include "medcli_listener.h"
-
-#include <daemon.h>
-
-typedef struct private_medcli_plugin_t private_medcli_plugin_t;
-
-/**
- * private data of medcli plugin
- */
-struct private_medcli_plugin_t {
-
-	/**
-	 * implements plugin interface
-	 */
-	medcli_plugin_t public;
-
-	/**
-	 * database connection instance
-	 */
-	database_t *db;
-
-	/**
-	 * medcli credential set instance
-	 */
-	medcli_creds_t *creds;
-
-	/**
-	 * medcli config database
-	 */
-	medcli_config_t *config;
-
-	/**
-	 * Listener to update database connection state
-	 */
-	medcli_listener_t *listener;
-};
-
-/**
- * Implementation of plugin_t.destroy
- */
-static void destroy(private_medcli_plugin_t *this)
-{
-	charon->bus->remove_listener(charon->bus, &this->listener->listener);
-	charon->backends->remove_backend(charon->backends, &this->config->backend);
-	charon->credentials->remove_set(charon->credentials, &this->creds->set);
-	this->listener->destroy(this->listener);
-	this->config->destroy(this->config);
-	this->creds->destroy(this->creds);
-	this->db->destroy(this->db);
-	free(this);
-}
-
-/*
- * see header file
- */
-plugin_t *plugin_create()
-{
-	char *uri;
-	private_medcli_plugin_t *this = malloc_thing(private_medcli_plugin_t);
-
-	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-
-	uri = lib->settings->get_str(lib->settings,
-								 "medcli.database", NULL);
-	if (!uri)
-	{
-		DBG1(DBG_CFG, "mediation client database URI not defined, skipped");
-		free(this);
-		return NULL;
-	}
-
-	this->db = lib->db->create(lib->db, uri);
-	if (this->db == NULL)
-	{
-		DBG1(DBG_CFG, "opening mediation client database failed");
-		free(this);
-		return NULL;
-	}
-
-	this->creds = medcli_creds_create(this->db);
-	this->config = medcli_config_create(this->db);
-	this->listener = medcli_listener_create(this->db);
-
-	charon->credentials->add_set(charon->credentials, &this->creds->set);
-	charon->backends->add_backend(charon->backends, &this->config->backend);
-	charon->bus->add_listener(charon->bus, &this->listener->listener);
-
-	return &this->public.plugin;
-}
-
diff --git a/src/charon/plugins/medcli/medcli_plugin.h b/src/charon/plugins/medcli/medcli_plugin.h
deleted file mode 100644
index 06f674b37..000000000
--- a/src/charon/plugins/medcli/medcli_plugin.h
+++ /dev/null
@@ -1,47 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup medcli medcli
- * @ingroup cplugins
- *
- * @defgroup medcli_plugin medcli_plugin
- * @{ @ingroup medcli
- */
-
-#ifndef MEDCLI_PLUGIN_H_
-#define MEDCLI_PLUGIN_H_
-
-#include <plugins/plugin.h>
-
-typedef struct medcli_plugin_t medcli_plugin_t;
-
-/**
- * Mediation client database plugin.
- */
-struct medcli_plugin_t {
-
-	/**
-	 * implements plugin interface
-	 */
-	plugin_t plugin;
-};
-
-/**
- * Create a medcli_plugin instance.
- */
-plugin_t *plugin_create();
-
-#endif /** MEDCLI_PLUGIN_H_ @}*/
diff --git a/src/charon/plugins/medsrv/Makefile.am b/src/charon/plugins/medsrv/Makefile.am
deleted file mode 100644
index f3611a79e..000000000
--- a/src/charon/plugins/medsrv/Makefile.am
+++ /dev/null
@@ -1,11 +0,0 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
-
-AM_CFLAGS = -rdynamic
-
-plugin_LTLIBRARIES = libstrongswan-medsrv.la
-libstrongswan_medsrv_la_SOURCES = medsrv_plugin.h medsrv_plugin.c \
-			      medsrv_creds.h medsrv_creds.c \
-			      medsrv_config.h medsrv_config.c
-libstrongswan_medsrv_la_LDFLAGS = -module -avoid-version
-
diff --git a/src/charon/plugins/medsrv/Makefile.in b/src/charon/plugins/medsrv/Makefile.in
deleted file mode 100644
index c72887889..000000000
--- a/src/charon/plugins/medsrv/Makefile.in
+++ /dev/null
@@ -1,573 +0,0 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
-# @configure_input@
-
-# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
-# This Makefile.in is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
-# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
-# PARTICULAR PURPOSE.
-
-@SET_MAKE@
-
-VPATH = @srcdir@
-pkgdatadir = $(datadir)/@PACKAGE@
-pkgincludedir = $(includedir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
-pkglibexecdir = $(libexecdir)/@PACKAGE@
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-install_sh_DATA = $(install_sh) -c -m 644
-install_sh_PROGRAM = $(install_sh) -c
-install_sh_SCRIPT = $(install_sh) -c
-INSTALL_HEADER = $(INSTALL_DATA)
-transform = $(program_transform_name)
-NORMAL_INSTALL = :
-PRE_INSTALL = :
-POST_INSTALL = :
-NORMAL_UNINSTALL = :
-PRE_UNINSTALL = :
-POST_UNINSTALL = :
-build_triplet = @build@
-host_triplet = @host@
-subdir = src/charon/plugins/medsrv
-DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
-ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
-	$(top_srcdir)/m4/config/ltoptions.m4 \
-	$(top_srcdir)/m4/config/ltsugar.m4 \
-	$(top_srcdir)/m4/config/ltversion.m4 \
-	$(top_srcdir)/m4/config/lt~obsolete.m4 \
-	$(top_srcdir)/m4/macros/with.m4 \
-	$(top_srcdir)/m4/macros/enable-disable.m4 \
-	$(top_srcdir)/configure.in
-am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
-	$(ACLOCAL_M4)
-mkinstalldirs = $(install_sh) -d
-CONFIG_CLEAN_FILES =
-CONFIG_CLEAN_VPATH_FILES =
-am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
-am__vpath_adj = case $$p in \
-    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
-    *) f=$$p;; \
-  esac;
-am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
-am__install_max = 40
-am__nobase_strip_setup = \
-  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
-am__nobase_strip = \
-  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
-am__nobase_list = $(am__nobase_strip_setup); \
-  for p in $$list; do echo "$$p $$p"; done | \
-  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
-  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
-    if (++n[$$2] == $(am__install_max)) \
-      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
-    END { for (dir in files) print dir, files[dir] }'
-am__base_list = \
-  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
-  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
-am__installdirs = "$(DESTDIR)$(plugindir)"
-LTLIBRARIES = $(plugin_LTLIBRARIES)
-libstrongswan_medsrv_la_LIBADD =
-am_libstrongswan_medsrv_la_OBJECTS = medsrv_plugin.lo medsrv_creds.lo \
-	medsrv_config.lo
-libstrongswan_medsrv_la_OBJECTS =  \
-	$(am_libstrongswan_medsrv_la_OBJECTS)
-libstrongswan_medsrv_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_medsrv_la_LDFLAGS) $(LDFLAGS) -o $@
-DEFAULT_INCLUDES = -I.@am__isrc@
-depcomp = $(SHELL) $(top_srcdir)/depcomp
-am__depfiles_maybe = depfiles
-am__mv = mv -f
-COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
-	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
-SOURCES = $(libstrongswan_medsrv_la_SOURCES)
-DIST_SOURCES = $(libstrongswan_medsrv_la_SOURCES)
-ETAGS = etags
-CTAGS = ctags
-DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
-ACLOCAL = @ACLOCAL@
-ALLOCA = @ALLOCA@
-AMTAR = @AMTAR@
-AR = @AR@
-AUTOCONF = @AUTOCONF@
-AUTOHEADER = @AUTOHEADER@
-AUTOMAKE = @AUTOMAKE@
-AWK = @AWK@
-BTLIB = @BTLIB@
-CC = @CC@
-CCDEPMODE = @CCDEPMODE@
-CFLAGS = @CFLAGS@
-CPP = @CPP@
-CPPFLAGS = @CPPFLAGS@
-CYGPATH_W = @CYGPATH_W@
-DEFS = @DEFS@
-DEPDIR = @DEPDIR@
-DLLIB = @DLLIB@
-DSYMUTIL = @DSYMUTIL@
-DUMPBIN = @DUMPBIN@
-ECHO_C = @ECHO_C@
-ECHO_N = @ECHO_N@
-ECHO_T = @ECHO_T@
-EGREP = @EGREP@
-EXEEXT = @EXEEXT@
-FGREP = @FGREP@
-GPERF = @GPERF@
-GREP = @GREP@
-INSTALL = @INSTALL@
-INSTALL_DATA = @INSTALL_DATA@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@
-INSTALL_SCRIPT = @INSTALL_SCRIPT@
-INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-LD = @LD@
-LDFLAGS = @LDFLAGS@
-LEX = @LEX@
-LEXLIB = @LEXLIB@
-LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBOBJS = @LIBOBJS@
-LIBS = @LIBS@
-LIBTOOL = @LIBTOOL@
-LIPO = @LIPO@
-LN_S = @LN_S@
-LTLIBOBJS = @LTLIBOBJS@
-MAKEINFO = @MAKEINFO@
-MKDIR_P = @MKDIR_P@
-MYSQLCFLAG = @MYSQLCFLAG@
-MYSQLCONFIG = @MYSQLCONFIG@
-MYSQLLIB = @MYSQLLIB@
-NM = @NM@
-NMEDIT = @NMEDIT@
-OBJDUMP = @OBJDUMP@
-OBJEXT = @OBJEXT@
-OTOOL = @OTOOL@
-OTOOL64 = @OTOOL64@
-PACKAGE = @PACKAGE@
-PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
-PACKAGE_NAME = @PACKAGE_NAME@
-PACKAGE_STRING = @PACKAGE_STRING@
-PACKAGE_TARNAME = @PACKAGE_TARNAME@
-PACKAGE_URL = @PACKAGE_URL@
-PACKAGE_VERSION = @PACKAGE_VERSION@
-PATH_SEPARATOR = @PATH_SEPARATOR@
-PERL = @PERL@
-PKG_CONFIG = @PKG_CONFIG@
-PTHREADLIB = @PTHREADLIB@
-RANLIB = @RANLIB@
-RTLIB = @RTLIB@
-RUBY = @RUBY@
-RUBYINCLUDE = @RUBYINCLUDE@
-SED = @SED@
-SET_MAKE = @SET_MAKE@
-SHELL = @SHELL@
-SOCKLIB = @SOCKLIB@
-STRIP = @STRIP@
-VERSION = @VERSION@
-YACC = @YACC@
-YFLAGS = @YFLAGS@
-abs_builddir = @abs_builddir@
-abs_srcdir = @abs_srcdir@
-abs_top_builddir = @abs_top_builddir@
-abs_top_srcdir = @abs_top_srcdir@
-ac_ct_CC = @ac_ct_CC@
-ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
-am__include = @am__include@
-am__leading_dot = @am__leading_dot@
-am__quote = @am__quote@
-am__tar = @am__tar@
-am__untar = @am__untar@
-bindir = @bindir@
-build = @build@
-build_alias = @build_alias@
-build_cpu = @build_cpu@
-build_os = @build_os@
-build_vendor = @build_vendor@
-builddir = @builddir@
-datadir = @datadir@
-datarootdir = @datarootdir@
-default_pkcs11 = @default_pkcs11@
-docdir = @docdir@
-dvidir = @dvidir@
-exec_prefix = @exec_prefix@
-gtk_CFLAGS = @gtk_CFLAGS@
-gtk_LIBS = @gtk_LIBS@
-host = @host@
-host_alias = @host_alias@
-host_cpu = @host_cpu@
-host_os = @host_os@
-host_vendor = @host_vendor@
-htmldir = @htmldir@
-includedir = @includedir@
-infodir = @infodir@
-install_sh = @install_sh@
-ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
-ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
-ipsecuser = @ipsecuser@
-libdir = @libdir@
-libexecdir = @libexecdir@
-libstrongswan_plugins = @libstrongswan_plugins@
-linux_headers = @linux_headers@
-localedir = @localedir@
-localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
-mandir = @mandir@
-mkdir_p = @mkdir_p@
-nm_CFLAGS = @nm_CFLAGS@
-nm_LIBS = @nm_LIBS@
-nm_ca_dir = @nm_ca_dir@
-oldincludedir = @oldincludedir@
-pdfdir = @pdfdir@
-piddir = @piddir@
-plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
-prefix = @prefix@
-program_transform_name = @program_transform_name@
-psdir = @psdir@
-random_device = @random_device@
-resolv_conf = @resolv_conf@
-routing_table = @routing_table@
-routing_table_prio = @routing_table_prio@
-sbindir = @sbindir@
-sharedstatedir = @sharedstatedir@
-srcdir = @srcdir@
-strongswan_conf = @strongswan_conf@
-sysconfdir = @sysconfdir@
-target_alias = @target_alias@
-top_build_prefix = @top_build_prefix@
-top_builddir = @top_builddir@
-top_srcdir = @top_srcdir@
-urandom_device = @urandom_device@
-xml_CFLAGS = @xml_CFLAGS@
-xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
-AM_CFLAGS = -rdynamic
-plugin_LTLIBRARIES = libstrongswan-medsrv.la
-libstrongswan_medsrv_la_SOURCES = medsrv_plugin.h medsrv_plugin.c \
-			      medsrv_creds.h medsrv_creds.c \
-			      medsrv_config.h medsrv_config.c
-
-libstrongswan_medsrv_la_LDFLAGS = -module -avoid-version
-all: all-am
-
-.SUFFIXES:
-.SUFFIXES: .c .lo .o .obj
-$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
-	@for dep in $?; do \
-	  case '$(am__configure_deps)' in \
-	    *$$dep*) \
-	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
-	        && { if test -f $@; then exit 0; else break; fi; }; \
-	      exit 1;; \
-	  esac; \
-	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/charon/plugins/medsrv/Makefile'; \
-	$(am__cd) $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu src/charon/plugins/medsrv/Makefile
-.PRECIOUS: Makefile
-Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
-	@case '$?' in \
-	  *config.status*) \
-	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
-	  *) \
-	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
-	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
-	esac;
-
-$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-
-$(top_srcdir)/configure:  $(am__configure_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(am__aclocal_m4_deps):
-install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
-	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
-	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
-	list2=; for p in $$list; do \
-	  if test -f $$p; then \
-	    list2="$$list2 $$p"; \
-	  else :; fi; \
-	done; \
-	test -z "$$list2" || { \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
-	}
-
-uninstall-pluginLTLIBRARIES:
-	@$(NORMAL_UNINSTALL)
-	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
-	for p in $$list; do \
-	  $(am__strip_dir) \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
-	done
-
-clean-pluginLTLIBRARIES:
-	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
-	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
-	  test "$$dir" != "$$p" || dir=.; \
-	  echo "rm -f \"$${dir}/so_locations\""; \
-	  rm -f "$${dir}/so_locations"; \
-	done
-libstrongswan-medsrv.la: $(libstrongswan_medsrv_la_OBJECTS) $(libstrongswan_medsrv_la_DEPENDENCIES) 
-	$(libstrongswan_medsrv_la_LINK) -rpath $(plugindir) $(libstrongswan_medsrv_la_OBJECTS) $(libstrongswan_medsrv_la_LIBADD) $(LIBS)
-
-mostlyclean-compile:
-	-rm -f *.$(OBJEXT)
-
-distclean-compile:
-	-rm -f *.tab.c
-
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/medsrv_config.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/medsrv_creds.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/medsrv_plugin.Plo@am__quote@
-
-.c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
-
-.c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
-
-.c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
-
-mostlyclean-libtool:
-	-rm -f *.lo
-
-clean-libtool:
-	-rm -rf .libs _libs
-
-ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
-	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	mkid -fID $$unique
-tags: TAGS
-
-TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	set x; \
-	here=`pwd`; \
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	shift; \
-	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
-	  test -n "$$unique" || unique=$$empty_fix; \
-	  if test $$# -gt 0; then \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      "$$@" $$unique; \
-	  else \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      $$unique; \
-	  fi; \
-	fi
-ctags: CTAGS
-CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$unique" \
-	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$unique
-
-GTAGS:
-	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && $(am__cd) $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) "$$here"
-
-distclean-tags:
-	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
-
-distdir: $(DISTFILES)
-	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	list='$(DISTFILES)'; \
-	  dist_files=`for file in $$list; do echo $$file; done | \
-	  sed -e "s|^$$srcdirstrip/||;t" \
-	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
-	case $$dist_files in \
-	  */*) $(MKDIR_P) `echo "$$dist_files" | \
-			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
-			   sort -u` ;; \
-	esac; \
-	for file in $$dist_files; do \
-	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  if test -d $$d/$$file; then \
-	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
-	    if test -d "$(distdir)/$$file"; then \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
-	  else \
-	    test -f "$(distdir)/$$file" \
-	    || cp -p $$d/$$file "$(distdir)/$$file" \
-	    || exit 1; \
-	  fi; \
-	done
-check-am: all-am
-check: check-am
-all-am: Makefile $(LTLIBRARIES)
-installdirs:
-	for dir in "$(DESTDIR)$(plugindir)"; do \
-	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
-	done
-install: install-am
-install-exec: install-exec-am
-install-data: install-data-am
-uninstall: uninstall-am
-
-install-am: all-am
-	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
-
-installcheck: installcheck-am
-install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
-mostlyclean-generic:
-
-clean-generic:
-
-distclean-generic:
-	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
-
-maintainer-clean-generic:
-	@echo "This command is intended for maintainers to use"
-	@echo "it deletes files that may require special tools to rebuild."
-clean: clean-am
-
-clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
-	mostlyclean-am
-
-distclean: distclean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-distclean-am: clean-am distclean-compile distclean-generic \
-	distclean-tags
-
-dvi: dvi-am
-
-dvi-am:
-
-html: html-am
-
-html-am:
-
-info: info-am
-
-info-am:
-
-install-data-am: install-pluginLTLIBRARIES
-
-install-dvi: install-dvi-am
-
-install-dvi-am:
-
-install-exec-am:
-
-install-html: install-html-am
-
-install-html-am:
-
-install-info: install-info-am
-
-install-info-am:
-
-install-man:
-
-install-pdf: install-pdf-am
-
-install-pdf-am:
-
-install-ps: install-ps-am
-
-install-ps-am:
-
-installcheck-am:
-
-maintainer-clean: maintainer-clean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-maintainer-clean-am: distclean-am maintainer-clean-generic
-
-mostlyclean: mostlyclean-am
-
-mostlyclean-am: mostlyclean-compile mostlyclean-generic \
-	mostlyclean-libtool
-
-pdf: pdf-am
-
-pdf-am:
-
-ps: ps-am
-
-ps-am:
-
-uninstall-am: uninstall-pluginLTLIBRARIES
-
-.MAKE: install-am install-strip
-
-.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
-	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
-	distclean-compile distclean-generic distclean-libtool \
-	distclean-tags distdir dvi dvi-am html html-am info info-am \
-	install install-am install-data install-data-am install-dvi \
-	install-dvi-am install-exec install-exec-am install-html \
-	install-html-am install-info install-info-am install-man \
-	install-pdf install-pdf-am install-pluginLTLIBRARIES \
-	install-ps install-ps-am install-strip installcheck \
-	installcheck-am installdirs maintainer-clean \
-	maintainer-clean-generic mostlyclean mostlyclean-compile \
-	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
-
-
-# Tell versions [3.59,3.63) of GNU make to not export all variables.
-# Otherwise a system limit (for SysV at least) may be exceeded.
-.NOEXPORT:
diff --git a/src/charon/plugins/medsrv/medsrv_config.c b/src/charon/plugins/medsrv/medsrv_config.c
deleted file mode 100644
index 3df720967..000000000
--- a/src/charon/plugins/medsrv/medsrv_config.c
+++ /dev/null
@@ -1,153 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <string.h>
-
-#include "medsrv_config.h"
-
-#include <daemon.h>
-
-typedef struct private_medsrv_config_t private_medsrv_config_t;
-
-/**
- * Private data of an medsrv_config_t object
- */
-struct private_medsrv_config_t {
-
-	/**
-	 * Public part
-	 */
-	medsrv_config_t public;
-
-	/**
-	 * database connection
-	 */
-	database_t *db;
-
-	/**
-	 * rekey time
-	 */
-	int rekey;
-
-	/**
-	 * dpd delay
-	 */
-	int dpd;
-
-	/**
-	 * default ike config
-	 */
-	ike_cfg_t *ike;
-};
-
-/**
- * implements backend_t.get_peer_cfg_by_name.
- */
-static peer_cfg_t *get_peer_cfg_by_name(private_medsrv_config_t *this, char *name)
-{
-	return NULL;
-}
-
-/**
- * Implementation of backend_t.create_ike_cfg_enumerator.
- */
-static enumerator_t* create_ike_cfg_enumerator(private_medsrv_config_t *this,
-											   host_t *me, host_t *other)
-{
-	return enumerator_create_single(this->ike, NULL);
-}
-
-/**
- * Implementation of backend_t.create_peer_cfg_enumerator.
- */
-static enumerator_t* create_peer_cfg_enumerator(private_medsrv_config_t *this,
-												identification_t *me,
-												identification_t *other)
-{
-	enumerator_t *e;
-
-	if (!me || !other || other->get_type(other) != ID_KEY_ID)
-	{
-		return NULL;
-	}
-	e = this->db->query(this->db,
-			"SELECT CONCAT(peer.alias, CONCAT('@', user.login)) FROM "
-			"peer JOIN user ON peer.user = user.id "
-			"WHERE peer.keyid = ?", DB_BLOB, other->get_encoding(other),
-			DB_TEXT);
-	if (e)
-	{
-		peer_cfg_t *peer_cfg;
-		auth_cfg_t *auth;
-		char *name;
-
-		if (e->enumerate(e, &name))
-		{
-			peer_cfg = peer_cfg_create(
-				name, 2, this->ike->get_ref(this->ike),
-				CERT_NEVER_SEND, UNIQUE_REPLACE,
-				1, this->rekey*60, 0,  			/* keytries, rekey, reauth */
-				this->rekey*5, this->rekey*3, 	/* jitter, overtime */
-				TRUE, this->dpd, 				/* mobike, dpddelay */
-				NULL, NULL, 					/* vip, pool */
-				TRUE, NULL, NULL); 				/* mediation, med by, peer id */
-			e->destroy(e);
-
-			auth = auth_cfg_create();
-			auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
-			auth->add(auth, AUTH_RULE_IDENTITY, me->clone(me));
-			peer_cfg->add_auth_cfg(peer_cfg, auth, TRUE);
-			auth = auth_cfg_create();
-			auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
-			auth->add(auth, AUTH_RULE_IDENTITY, other->clone(other));
-			peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);
-
-			return enumerator_create_single(peer_cfg, (void*)peer_cfg->destroy);
-		}
-		e->destroy(e);
-	}
-	return NULL;
-}
-
-/**
- * Implementation of medsrv_config_t.destroy.
- */
-static void destroy(private_medsrv_config_t *this)
-{
-	this->ike->destroy(this->ike);
-	free(this);
-}
-
-/**
- * Described in header.
- */
-medsrv_config_t *medsrv_config_create(database_t *db)
-{
-	private_medsrv_config_t *this = malloc_thing(private_medsrv_config_t);
-
-	this->public.backend.create_peer_cfg_enumerator = (enumerator_t*(*)(backend_t*, identification_t *me, identification_t *other))create_peer_cfg_enumerator;
-	this->public.backend.create_ike_cfg_enumerator = (enumerator_t*(*)(backend_t*, host_t *me, host_t *other))create_ike_cfg_enumerator;
-	this->public.backend.get_peer_cfg_by_name = (peer_cfg_t* (*)(backend_t*,char*))get_peer_cfg_by_name;
-	this->public.destroy = (void(*)(medsrv_config_t*))destroy;
-
-	this->db = db;
-	this->rekey = lib->settings->get_time(lib->settings, "medsrv.rekey", 1200);
-	this->dpd = lib->settings->get_time(lib->settings, "medsrv.dpd", 300);
-	this->ike = ike_cfg_create(FALSE, FALSE, "0.0.0.0", "0.0.0.0");
-	this->ike->add_proposal(this->ike, proposal_create_default(PROTO_IKE));
-
-	return &this->public;
-}
-
diff --git a/src/charon/plugins/medsrv/medsrv_config.h b/src/charon/plugins/medsrv/medsrv_config.h
deleted file mode 100644
index fc8b0e972..000000000
--- a/src/charon/plugins/medsrv/medsrv_config.h
+++ /dev/null
@@ -1,53 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup medsrv_config_i medsrv_config
- * @{ @ingroup medsrv
- */
-
-#ifndef MEDSRV_CONFIG_H_
-#define MEDSRV_CONFIG_H_
-
-#include <config/backend.h>
-#include <database/database.h>
-
-typedef struct medsrv_config_t medsrv_config_t;
-
-/**
- * Mediation server configuration backend.
- */
-struct medsrv_config_t {
-
-	/**
-	 * Implements backend_t interface
-	 */
-	backend_t backend;
-
-	/**
-	 * Destroy the backend.
-	 */
-	void (*destroy)(medsrv_config_t *this);
-};
-
-/**
- * Create a medsrv_config backend instance.
- *
- * @param db		underlying database
- * @return			backend instance
- */
-medsrv_config_t *medsrv_config_create(database_t *db);
-
-#endif /** MEDSRV_CONFIG_H_ @}*/
diff --git a/src/charon/plugins/medsrv/medsrv_creds.c b/src/charon/plugins/medsrv/medsrv_creds.c
deleted file mode 100644
index 8d1643908..000000000
--- a/src/charon/plugins/medsrv/medsrv_creds.c
+++ /dev/null
@@ -1,163 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "medsrv_creds.h"
-
-#include <daemon.h>
-#include <library.h>
-#include <utils/enumerator.h>
-
-typedef struct private_medsrv_creds_t private_medsrv_creds_t;
-
-/**
- * Private data of an medsrv_creds_t object
- */
-struct private_medsrv_creds_t {
-
-	/**
-	 * Public part
-	 */
-	medsrv_creds_t public;
-
-	/**
-	 * underlying database handle
-	 */
-	database_t *db;
-};
-
-/**
- * enumerator over certificates
- */
-typedef struct {
-	/** implements enumerator */
-	enumerator_t public;
-	/** inner SQL enumerator */
-	enumerator_t *inner;
-	/** currently enumerated cert */
-	certificate_t *current;
-	/** type of requested key */
-	key_type_t type;
-} cert_enumerator_t;
-
-/**
- * Implementation of cert_enumerator_t.public.enumerate
- */
-static bool cert_enumerator_enumerate(cert_enumerator_t *this,
-									  certificate_t **cert)
-{
-	certificate_t *trusted;
-	public_key_t *public;
-	chunk_t chunk;
-
-	DESTROY_IF(this->current);
-	while (this->inner->enumerate(this->inner, &chunk))
-	{
-		public = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ANY,
-									BUILD_BLOB_ASN1_DER, chunk,
-									BUILD_END);
-		if (public)
-		{
-			if (this->type == KEY_ANY || this->type == public->get_type(public))
-			{
-				trusted = lib->creds->create(lib->creds,
-										CRED_CERTIFICATE, CERT_TRUSTED_PUBKEY,
-										BUILD_PUBLIC_KEY, public, BUILD_END);
-				public->destroy(public);
-				if (trusted)
-				{
-					*cert = this->current = trusted;
-					return TRUE;
-				}
-			}
-			else
-			{
-				public->destroy(public);
-			}
-		}
-	}
-	this->current = NULL;
-	return FALSE;
-}
-
-/**
- * Implementation of cert_enumerator_t.public.destroy
- */
-static void cert_enumerator_destroy(cert_enumerator_t *this)
-{
-	DESTROY_IF(this->current);
-	this->inner->destroy(this->inner);
-	free(this);
-}
-
-/**
- * Implementation of credential_set_t.create_cert_enumerator.
- */
-static enumerator_t* create_cert_enumerator(private_medsrv_creds_t *this,
-										certificate_type_t cert, key_type_t key,
-										identification_t *id, bool trusted)
-{
-	cert_enumerator_t *e;
-
-	if ((cert != CERT_TRUSTED_PUBKEY && cert != CERT_ANY) ||
-		id == NULL || id->get_type(id) != ID_KEY_ID)
-	{
-		return NULL;
-	}
-
-	e = malloc_thing(cert_enumerator_t);
-	e->current = NULL;
-	e->type = key;
-	e->public.enumerate = (void*)cert_enumerator_enumerate;
-	e->public.destroy = (void*)cert_enumerator_destroy;
-	e->inner = this->db->query(this->db,
-							   "SELECT public_key FROM peer WHERE keyid = ?",
-							   DB_BLOB, id->get_encoding(id),
-							   DB_BLOB);
-	if (!e->inner)
-	{
-		free(e);
-		return NULL;
-	}
-	return &e->public;
-}
-
-/**
- * Implementation of backend_t.destroy.
- */
-static void destroy(private_medsrv_creds_t *this)
-{
-	free(this);
-}
-
-/**
- * Described in header.
- */
-medsrv_creds_t *medsrv_creds_create(database_t *db)
-{
-	private_medsrv_creds_t *this = malloc_thing(private_medsrv_creds_t);
-
-	this->public.set.create_private_enumerator = (void*)return_null;
-	this->public.set.create_cert_enumerator = (void*)create_cert_enumerator;
-	this->public.set.create_shared_enumerator = (void*)return_null;
-	this->public.set.create_cdp_enumerator = (void*)return_null;
-	this->public.set.cache_cert = (void*)nop;
-
-	this->public.destroy = (void (*)(medsrv_creds_t*))destroy;
-
-	this->db = db;
-
-	return &this->public;
-}
-
diff --git a/src/charon/plugins/medsrv/medsrv_creds.h b/src/charon/plugins/medsrv/medsrv_creds.h
deleted file mode 100644
index d08adf3bf..000000000
--- a/src/charon/plugins/medsrv/medsrv_creds.h
+++ /dev/null
@@ -1,53 +0,0 @@
-/*
- * Copyright (C) 2007-2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup medsrv_creds_i medsrv_creds
- * @{ @ingroup medsrv
- */
-
-#ifndef MEDSRV_CREDS_H_
-#define MEDSRV_CREDS_H_
-
-#include <credentials/credential_set.h>
-#include <database/database.h>
-
-typedef struct medsrv_creds_t medsrv_creds_t;
-
-/**
- * Mediation credentials database.
- */
-struct medsrv_creds_t {
-
-	/**
-	 * Implements credential_set_t interface
-	 */
-	credential_set_t set;
-
-	/**
-	 * Destroy the credentials databse.
-	 */
-	void (*destroy)(medsrv_creds_t *this);
-};
-
-/**
- * Create the medsrv credentials db.
- *
- * @param database		underlying database
- * @return				credential set implementation on that database
- */
-medsrv_creds_t *medsrv_creds_create(database_t *database);
-
-#endif /** MEDSRV_CREDS_H_ @}*/
diff --git a/src/charon/plugins/medsrv/medsrv_plugin.c b/src/charon/plugins/medsrv/medsrv_plugin.c
deleted file mode 100644
index 7c533f10e..000000000
--- a/src/charon/plugins/medsrv/medsrv_plugin.c
+++ /dev/null
@@ -1,99 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "medsrv_plugin.h"
-
-#include "medsrv_creds.h"
-#include "medsrv_config.h"
-
-#include <daemon.h>
-
-typedef struct private_medsrv_plugin_t private_medsrv_plugin_t;
-
-/**
- * private data of medsrv plugin
- */
-struct private_medsrv_plugin_t {
-
-	/**
-	 * implements plugin interface
-	 */
-	medsrv_plugin_t public;
-
-	/**
-	 * database connection instance
-	 */
-	database_t *db;
-
-	/**
-	 * medsrv credential set instance
-	 */
-	medsrv_creds_t *creds;
-
-	/**
-	 * medsrv config database
-	 */
-	medsrv_config_t *config;
-};
-
-/**
- * Implementation of plugin_t.destroy
- */
-static void destroy(private_medsrv_plugin_t *this)
-{
-	charon->backends->remove_backend(charon->backends, &this->config->backend);
-	charon->credentials->remove_set(charon->credentials, &this->creds->set);
-	this->config->destroy(this->config);
-	this->creds->destroy(this->creds);
-	this->db->destroy(this->db);
-	free(this);
-}
-
-/*
- * see header file
- */
-plugin_t *plugin_create()
-{
-	char *uri;
-	private_medsrv_plugin_t *this = malloc_thing(private_medsrv_plugin_t);
-
-	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-
-	uri = lib->settings->get_str(lib->settings,
-								 "medsrv.database", NULL);
-	if (!uri)
-	{
-		DBG1(DBG_CFG, "mediation database URI not defined, skipped");
-		free(this);
-		return NULL;
-	}
-
-	this->db = lib->db->create(lib->db, uri);
-	if (this->db == NULL)
-	{
-		DBG1(DBG_CFG, "opening mediation server database failed");
-		free(this);
-		return NULL;
-	}
-
-	this->creds = medsrv_creds_create(this->db);
-	this->config = medsrv_config_create(this->db);
-
-	charon->credentials->add_set(charon->credentials, &this->creds->set);
-	charon->backends->add_backend(charon->backends, &this->config->backend);
-
-	return &this->public.plugin;
-}
-
diff --git a/src/charon/plugins/medsrv/medsrv_plugin.h b/src/charon/plugins/medsrv/medsrv_plugin.h
deleted file mode 100644
index 4b183994f..000000000
--- a/src/charon/plugins/medsrv/medsrv_plugin.h
+++ /dev/null
@@ -1,47 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup medsrv medsrv
- * @ingroup cplugins
- *
- * @defgroup medsrv_plugin medsrv_plugin
- * @{ @ingroup medsrv
- */
-
-#ifndef MEDSRV_PLUGIN_H_
-#define MEDSRV_PLUGIN_H_
-
-#include <plugins/plugin.h>
-
-typedef struct medsrv_plugin_t medsrv_plugin_t;
-
-/**
- * Mediation server database plugin.
- */
-struct medsrv_plugin_t {
-
-	/**
-	 * implements plugin interface
-	 */
-	plugin_t plugin;
-};
-
-/**
- * Create a medsrv_plugin instance.
- */
-plugin_t *plugin_create();
-
-#endif /** MEDSRV_PLUGIN_H_ @}*/
diff --git a/src/charon/plugins/nm/Makefile.am b/src/charon/plugins/nm/Makefile.am
deleted file mode 100644
index 56eae6e00..000000000
--- a/src/charon/plugins/nm/Makefile.am
+++ /dev/null
@@ -1,14 +0,0 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon ${nm_CFLAGS}
-
-AM_CFLAGS = -rdynamic \
-  -DNM_CA_DIR=\"${nm_ca_dir}\"
-
-plugin_LTLIBRARIES = libstrongswan-nm.la
-libstrongswan_nm_la_SOURCES = \
-  nm_plugin.h nm_plugin.c \
-  nm_service.h nm_service.c \
-  nm_creds.h nm_creds.c \
-  nm_handler.h nm_handler.c
-libstrongswan_nm_la_LDFLAGS = -module -avoid-version
-libstrongswan_nm_la_LIBADD = ${nm_LIBS}
diff --git a/src/charon/plugins/nm/Makefile.in b/src/charon/plugins/nm/Makefile.in
deleted file mode 100644
index 90a50cfae..000000000
--- a/src/charon/plugins/nm/Makefile.in
+++ /dev/null
@@ -1,579 +0,0 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
-# @configure_input@
-
-# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
-# This Makefile.in is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
-# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
-# PARTICULAR PURPOSE.
-
-@SET_MAKE@
-
-VPATH = @srcdir@
-pkgdatadir = $(datadir)/@PACKAGE@
-pkgincludedir = $(includedir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
-pkglibexecdir = $(libexecdir)/@PACKAGE@
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-install_sh_DATA = $(install_sh) -c -m 644
-install_sh_PROGRAM = $(install_sh) -c
-install_sh_SCRIPT = $(install_sh) -c
-INSTALL_HEADER = $(INSTALL_DATA)
-transform = $(program_transform_name)
-NORMAL_INSTALL = :
-PRE_INSTALL = :
-POST_INSTALL = :
-NORMAL_UNINSTALL = :
-PRE_UNINSTALL = :
-POST_UNINSTALL = :
-build_triplet = @build@
-host_triplet = @host@
-subdir = src/charon/plugins/nm
-DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
-ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
-	$(top_srcdir)/m4/config/ltoptions.m4 \
-	$(top_srcdir)/m4/config/ltsugar.m4 \
-	$(top_srcdir)/m4/config/ltversion.m4 \
-	$(top_srcdir)/m4/config/lt~obsolete.m4 \
-	$(top_srcdir)/m4/macros/with.m4 \
-	$(top_srcdir)/m4/macros/enable-disable.m4 \
-	$(top_srcdir)/configure.in
-am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
-	$(ACLOCAL_M4)
-mkinstalldirs = $(install_sh) -d
-CONFIG_CLEAN_FILES =
-CONFIG_CLEAN_VPATH_FILES =
-am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
-am__vpath_adj = case $$p in \
-    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
-    *) f=$$p;; \
-  esac;
-am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
-am__install_max = 40
-am__nobase_strip_setup = \
-  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
-am__nobase_strip = \
-  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
-am__nobase_list = $(am__nobase_strip_setup); \
-  for p in $$list; do echo "$$p $$p"; done | \
-  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
-  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
-    if (++n[$$2] == $(am__install_max)) \
-      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
-    END { for (dir in files) print dir, files[dir] }'
-am__base_list = \
-  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
-  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
-am__installdirs = "$(DESTDIR)$(plugindir)"
-LTLIBRARIES = $(plugin_LTLIBRARIES)
-am__DEPENDENCIES_1 =
-libstrongswan_nm_la_DEPENDENCIES = $(am__DEPENDENCIES_1)
-am_libstrongswan_nm_la_OBJECTS = nm_plugin.lo nm_service.lo \
-	nm_creds.lo nm_handler.lo
-libstrongswan_nm_la_OBJECTS = $(am_libstrongswan_nm_la_OBJECTS)
-libstrongswan_nm_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_nm_la_LDFLAGS) $(LDFLAGS) -o $@
-DEFAULT_INCLUDES = -I.@am__isrc@
-depcomp = $(SHELL) $(top_srcdir)/depcomp
-am__depfiles_maybe = depfiles
-am__mv = mv -f
-COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
-	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
-SOURCES = $(libstrongswan_nm_la_SOURCES)
-DIST_SOURCES = $(libstrongswan_nm_la_SOURCES)
-ETAGS = etags
-CTAGS = ctags
-DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
-ACLOCAL = @ACLOCAL@
-ALLOCA = @ALLOCA@
-AMTAR = @AMTAR@
-AR = @AR@
-AUTOCONF = @AUTOCONF@
-AUTOHEADER = @AUTOHEADER@
-AUTOMAKE = @AUTOMAKE@
-AWK = @AWK@
-BTLIB = @BTLIB@
-CC = @CC@
-CCDEPMODE = @CCDEPMODE@
-CFLAGS = @CFLAGS@
-CPP = @CPP@
-CPPFLAGS = @CPPFLAGS@
-CYGPATH_W = @CYGPATH_W@
-DEFS = @DEFS@
-DEPDIR = @DEPDIR@
-DLLIB = @DLLIB@
-DSYMUTIL = @DSYMUTIL@
-DUMPBIN = @DUMPBIN@
-ECHO_C = @ECHO_C@
-ECHO_N = @ECHO_N@
-ECHO_T = @ECHO_T@
-EGREP = @EGREP@
-EXEEXT = @EXEEXT@
-FGREP = @FGREP@
-GPERF = @GPERF@
-GREP = @GREP@
-INSTALL = @INSTALL@
-INSTALL_DATA = @INSTALL_DATA@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@
-INSTALL_SCRIPT = @INSTALL_SCRIPT@
-INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-LD = @LD@
-LDFLAGS = @LDFLAGS@
-LEX = @LEX@
-LEXLIB = @LEXLIB@
-LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBOBJS = @LIBOBJS@
-LIBS = @LIBS@
-LIBTOOL = @LIBTOOL@
-LIPO = @LIPO@
-LN_S = @LN_S@
-LTLIBOBJS = @LTLIBOBJS@
-MAKEINFO = @MAKEINFO@
-MKDIR_P = @MKDIR_P@
-MYSQLCFLAG = @MYSQLCFLAG@
-MYSQLCONFIG = @MYSQLCONFIG@
-MYSQLLIB = @MYSQLLIB@
-NM = @NM@
-NMEDIT = @NMEDIT@
-OBJDUMP = @OBJDUMP@
-OBJEXT = @OBJEXT@
-OTOOL = @OTOOL@
-OTOOL64 = @OTOOL64@
-PACKAGE = @PACKAGE@
-PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
-PACKAGE_NAME = @PACKAGE_NAME@
-PACKAGE_STRING = @PACKAGE_STRING@
-PACKAGE_TARNAME = @PACKAGE_TARNAME@
-PACKAGE_URL = @PACKAGE_URL@
-PACKAGE_VERSION = @PACKAGE_VERSION@
-PATH_SEPARATOR = @PATH_SEPARATOR@
-PERL = @PERL@
-PKG_CONFIG = @PKG_CONFIG@
-PTHREADLIB = @PTHREADLIB@
-RANLIB = @RANLIB@
-RTLIB = @RTLIB@
-RUBY = @RUBY@
-RUBYINCLUDE = @RUBYINCLUDE@
-SED = @SED@
-SET_MAKE = @SET_MAKE@
-SHELL = @SHELL@
-SOCKLIB = @SOCKLIB@
-STRIP = @STRIP@
-VERSION = @VERSION@
-YACC = @YACC@
-YFLAGS = @YFLAGS@
-abs_builddir = @abs_builddir@
-abs_srcdir = @abs_srcdir@
-abs_top_builddir = @abs_top_builddir@
-abs_top_srcdir = @abs_top_srcdir@
-ac_ct_CC = @ac_ct_CC@
-ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
-am__include = @am__include@
-am__leading_dot = @am__leading_dot@
-am__quote = @am__quote@
-am__tar = @am__tar@
-am__untar = @am__untar@
-bindir = @bindir@
-build = @build@
-build_alias = @build_alias@
-build_cpu = @build_cpu@
-build_os = @build_os@
-build_vendor = @build_vendor@
-builddir = @builddir@
-datadir = @datadir@
-datarootdir = @datarootdir@
-default_pkcs11 = @default_pkcs11@
-docdir = @docdir@
-dvidir = @dvidir@
-exec_prefix = @exec_prefix@
-gtk_CFLAGS = @gtk_CFLAGS@
-gtk_LIBS = @gtk_LIBS@
-host = @host@
-host_alias = @host_alias@
-host_cpu = @host_cpu@
-host_os = @host_os@
-host_vendor = @host_vendor@
-htmldir = @htmldir@
-includedir = @includedir@
-infodir = @infodir@
-install_sh = @install_sh@
-ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
-ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
-ipsecuser = @ipsecuser@
-libdir = @libdir@
-libexecdir = @libexecdir@
-libstrongswan_plugins = @libstrongswan_plugins@
-linux_headers = @linux_headers@
-localedir = @localedir@
-localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
-mandir = @mandir@
-mkdir_p = @mkdir_p@
-nm_CFLAGS = @nm_CFLAGS@
-nm_LIBS = @nm_LIBS@
-nm_ca_dir = @nm_ca_dir@
-oldincludedir = @oldincludedir@
-pdfdir = @pdfdir@
-piddir = @piddir@
-plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
-prefix = @prefix@
-program_transform_name = @program_transform_name@
-psdir = @psdir@
-random_device = @random_device@
-resolv_conf = @resolv_conf@
-routing_table = @routing_table@
-routing_table_prio = @routing_table_prio@
-sbindir = @sbindir@
-sharedstatedir = @sharedstatedir@
-srcdir = @srcdir@
-strongswan_conf = @strongswan_conf@
-sysconfdir = @sysconfdir@
-target_alias = @target_alias@
-top_build_prefix = @top_build_prefix@
-top_builddir = @top_builddir@
-top_srcdir = @top_srcdir@
-urandom_device = @urandom_device@
-xml_CFLAGS = @xml_CFLAGS@
-xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon ${nm_CFLAGS}
-AM_CFLAGS = -rdynamic \
-  -DNM_CA_DIR=\"${nm_ca_dir}\"
-
-plugin_LTLIBRARIES = libstrongswan-nm.la
-libstrongswan_nm_la_SOURCES = \
-  nm_plugin.h nm_plugin.c \
-  nm_service.h nm_service.c \
-  nm_creds.h nm_creds.c \
-  nm_handler.h nm_handler.c
-
-libstrongswan_nm_la_LDFLAGS = -module -avoid-version
-libstrongswan_nm_la_LIBADD = ${nm_LIBS}
-all: all-am
-
-.SUFFIXES:
-.SUFFIXES: .c .lo .o .obj
-$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
-	@for dep in $?; do \
-	  case '$(am__configure_deps)' in \
-	    *$$dep*) \
-	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
-	        && { if test -f $@; then exit 0; else break; fi; }; \
-	      exit 1;; \
-	  esac; \
-	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/charon/plugins/nm/Makefile'; \
-	$(am__cd) $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu src/charon/plugins/nm/Makefile
-.PRECIOUS: Makefile
-Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
-	@case '$?' in \
-	  *config.status*) \
-	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
-	  *) \
-	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
-	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
-	esac;
-
-$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-
-$(top_srcdir)/configure:  $(am__configure_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(am__aclocal_m4_deps):
-install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
-	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
-	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
-	list2=; for p in $$list; do \
-	  if test -f $$p; then \
-	    list2="$$list2 $$p"; \
-	  else :; fi; \
-	done; \
-	test -z "$$list2" || { \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
-	}
-
-uninstall-pluginLTLIBRARIES:
-	@$(NORMAL_UNINSTALL)
-	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
-	for p in $$list; do \
-	  $(am__strip_dir) \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
-	done
-
-clean-pluginLTLIBRARIES:
-	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
-	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
-	  test "$$dir" != "$$p" || dir=.; \
-	  echo "rm -f \"$${dir}/so_locations\""; \
-	  rm -f "$${dir}/so_locations"; \
-	done
-libstrongswan-nm.la: $(libstrongswan_nm_la_OBJECTS) $(libstrongswan_nm_la_DEPENDENCIES) 
-	$(libstrongswan_nm_la_LINK) -rpath $(plugindir) $(libstrongswan_nm_la_OBJECTS) $(libstrongswan_nm_la_LIBADD) $(LIBS)
-
-mostlyclean-compile:
-	-rm -f *.$(OBJEXT)
-
-distclean-compile:
-	-rm -f *.tab.c
-
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/nm_creds.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/nm_handler.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/nm_plugin.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/nm_service.Plo@am__quote@
-
-.c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
-
-.c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
-
-.c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
-
-mostlyclean-libtool:
-	-rm -f *.lo
-
-clean-libtool:
-	-rm -rf .libs _libs
-
-ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
-	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	mkid -fID $$unique
-tags: TAGS
-
-TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	set x; \
-	here=`pwd`; \
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	shift; \
-	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
-	  test -n "$$unique" || unique=$$empty_fix; \
-	  if test $$# -gt 0; then \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      "$$@" $$unique; \
-	  else \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      $$unique; \
-	  fi; \
-	fi
-ctags: CTAGS
-CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$unique" \
-	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$unique
-
-GTAGS:
-	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && $(am__cd) $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) "$$here"
-
-distclean-tags:
-	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
-
-distdir: $(DISTFILES)
-	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	list='$(DISTFILES)'; \
-	  dist_files=`for file in $$list; do echo $$file; done | \
-	  sed -e "s|^$$srcdirstrip/||;t" \
-	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
-	case $$dist_files in \
-	  */*) $(MKDIR_P) `echo "$$dist_files" | \
-			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
-			   sort -u` ;; \
-	esac; \
-	for file in $$dist_files; do \
-	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  if test -d $$d/$$file; then \
-	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
-	    if test -d "$(distdir)/$$file"; then \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
-	  else \
-	    test -f "$(distdir)/$$file" \
-	    || cp -p $$d/$$file "$(distdir)/$$file" \
-	    || exit 1; \
-	  fi; \
-	done
-check-am: all-am
-check: check-am
-all-am: Makefile $(LTLIBRARIES)
-installdirs:
-	for dir in "$(DESTDIR)$(plugindir)"; do \
-	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
-	done
-install: install-am
-install-exec: install-exec-am
-install-data: install-data-am
-uninstall: uninstall-am
-
-install-am: all-am
-	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
-
-installcheck: installcheck-am
-install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
-mostlyclean-generic:
-
-clean-generic:
-
-distclean-generic:
-	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
-
-maintainer-clean-generic:
-	@echo "This command is intended for maintainers to use"
-	@echo "it deletes files that may require special tools to rebuild."
-clean: clean-am
-
-clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
-	mostlyclean-am
-
-distclean: distclean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-distclean-am: clean-am distclean-compile distclean-generic \
-	distclean-tags
-
-dvi: dvi-am
-
-dvi-am:
-
-html: html-am
-
-html-am:
-
-info: info-am
-
-info-am:
-
-install-data-am: install-pluginLTLIBRARIES
-
-install-dvi: install-dvi-am
-
-install-dvi-am:
-
-install-exec-am:
-
-install-html: install-html-am
-
-install-html-am:
-
-install-info: install-info-am
-
-install-info-am:
-
-install-man:
-
-install-pdf: install-pdf-am
-
-install-pdf-am:
-
-install-ps: install-ps-am
-
-install-ps-am:
-
-installcheck-am:
-
-maintainer-clean: maintainer-clean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-maintainer-clean-am: distclean-am maintainer-clean-generic
-
-mostlyclean: mostlyclean-am
-
-mostlyclean-am: mostlyclean-compile mostlyclean-generic \
-	mostlyclean-libtool
-
-pdf: pdf-am
-
-pdf-am:
-
-ps: ps-am
-
-ps-am:
-
-uninstall-am: uninstall-pluginLTLIBRARIES
-
-.MAKE: install-am install-strip
-
-.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
-	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
-	distclean-compile distclean-generic distclean-libtool \
-	distclean-tags distdir dvi dvi-am html html-am info info-am \
-	install install-am install-data install-data-am install-dvi \
-	install-dvi-am install-exec install-exec-am install-html \
-	install-html-am install-info install-info-am install-man \
-	install-pdf install-pdf-am install-pluginLTLIBRARIES \
-	install-ps install-ps-am install-strip installcheck \
-	installcheck-am installdirs maintainer-clean \
-	maintainer-clean-generic mostlyclean mostlyclean-compile \
-	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
-
-
-# Tell versions [3.59,3.63) of GNU make to not export all variables.
-# Otherwise a system limit (for SysV at least) may be exceeded.
-.NOEXPORT:
diff --git a/src/charon/plugins/nm/nm_creds.c b/src/charon/plugins/nm/nm_creds.c
deleted file mode 100644
index 193838e6b..000000000
--- a/src/charon/plugins/nm/nm_creds.c
+++ /dev/null
@@ -1,447 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "nm_creds.h"
-
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <unistd.h>
-
-#include <daemon.h>
-#include <threading/rwlock.h>
-#include <credentials/certificates/x509.h>
-
-typedef struct private_nm_creds_t private_nm_creds_t;
-
-/**
- * private data of nm_creds
- */
-struct private_nm_creds_t {
-
-	/**
-	 * public functions
-	 */
-	nm_creds_t public;
-
-	/**
-	 * List of trusted certificates, certificate_t*
-	 */
-	linked_list_t *certs;
-
-	/**
-	 * User name
-	 */
-	identification_t *user;
-
-	/**
-	 * User password
-	 */
-	char *pass;
-
-	/**
-	 * users certificate
-	 */
-	certificate_t *usercert;
-
-	/**
-	 * users private key
-	 */
-	private_key_t *key;
-
-	/**
-	 * read/write lock
-	 */
-	rwlock_t *lock;
-};
-
-/**
- * Enumerator for user certificate
- */
-static enumerator_t *create_usercert_enumerator(private_nm_creds_t *this,
-							certificate_type_t cert, key_type_t key)
-{
-	public_key_t *public;
-
-	if (cert != CERT_ANY && cert != this->usercert->get_type(this->usercert))
-	{
-		return NULL;
-	}
-	if (key != KEY_ANY)
-	{
-		public = this->usercert->get_public_key(this->usercert);
-		if (!public)
-		{
-			return NULL;
-		}
-		if (public->get_type(public) != key)
-		{
-			public->destroy(public);
-			return NULL;
-		}
-		public->destroy(public);
-	}
-	this->lock->read_lock(this->lock);
-	return enumerator_create_cleaner(
-								enumerator_create_single(this->usercert, NULL),
-								(void*)this->lock->unlock, this->lock);
-}
-
-/**
- * CA certificate enumerator data
- */
-typedef struct {
-	/** ref to credential credential store */
-	private_nm_creds_t *this;
-	/** type of key we are looking for */
-	key_type_t key;
-	/** CA certificate ID */
-	identification_t *id;
-} cert_data_t;
-
-/**
- * Destroy CA certificate enumerator data
- */
-static void cert_data_destroy(cert_data_t *data)
-{
-	data->this->lock->unlock(data->this->lock);
-	free(data);
-}
-
-/**
- * Filter function for certificates enumerator
- */
-static bool cert_filter(cert_data_t *data, certificate_t **in,
-						 certificate_t **out)
-{
-	certificate_t *cert = *in;
-	public_key_t *public;
-
-	public = cert->get_public_key(cert);
-	if (!public)
-	{
-		return FALSE;
-	}
-	if (data->key != KEY_ANY && public->get_type(public) != data->key)
-	{
-		public->destroy(public);
-		return FALSE;
-	}
-	if (data->id && data->id->get_type(data->id) == ID_KEY_ID &&
-		public->has_fingerprint(public, data->id->get_encoding(data->id)))
-	{
-		public->destroy(public);
-		*out = cert;
-		return TRUE;
-	}
-	public->destroy(public);
-	if (data->id && !cert->has_subject(cert, data->id))
-	{
-		return FALSE;
-	}
-	*out = cert;
-	return TRUE;
-}
-
-/**
- * Create enumerator for trusted certificates
- */
-static enumerator_t *create_trusted_cert_enumerator(private_nm_creds_t *this,
-										key_type_t key, identification_t *id)
-{
-	cert_data_t *data = malloc_thing(cert_data_t);
-
-	data->this = this;
-	data->id = id;
-	data->key = key;
-
-	this->lock->read_lock(this->lock);
-	return enumerator_create_filter(
-					this->certs->create_enumerator(this->certs),
-					(void*)cert_filter, data, (void*)cert_data_destroy);
-}
-
-/**
- * Implements credential_set_t.create_cert_enumerator
- */
-static enumerator_t* create_cert_enumerator(private_nm_creds_t *this,
-							certificate_type_t cert, key_type_t key,
-							identification_t *id, bool trusted)
-{
-	if (id && this->usercert &&
-		id->equals(id, this->usercert->get_subject(this->usercert)))
-	{
-		return create_usercert_enumerator(this, cert, key);
-	}
-	if (cert == CERT_X509 || cert == CERT_ANY)
-	{
-		return create_trusted_cert_enumerator(this, key, id);
-	}
-	return NULL;
-}
-
-/**
- * Implements credential_set_t.create_cert_enumerator
- */
-static enumerator_t* create_private_enumerator(private_nm_creds_t *this,
-										key_type_t type, identification_t *id)
-{
-	if (this->key == NULL)
-	{
-		return NULL;
-	}
-	if (type != KEY_ANY && type != this->key->get_type(this->key))
-	{
-		return NULL;
-	}
-	if (id && id->get_type(id) != ID_ANY)
-	{
-		if (id->get_type(id) != ID_KEY_ID ||
-			!this->key->has_fingerprint(this->key, id->get_encoding(id)))
-		{
-			return NULL;
-		}
-	}
-	this->lock->read_lock(this->lock);
-	return enumerator_create_cleaner(enumerator_create_single(this->key, NULL),
-									 (void*)this->lock->unlock, this->lock);
-}
-
-/**
- * shared key enumerator implementation
- */
-typedef struct {
-	enumerator_t public;
-	private_nm_creds_t *this;
-	shared_key_t *key;
-	bool done;
-} shared_enumerator_t;
-
-/**
- * enumerate function for shared enumerator
- */
-static bool shared_enumerate(shared_enumerator_t *this, shared_key_t **key,
-							 id_match_t *me, id_match_t *other)
-{
-	if (this->done)
-	{
-		return FALSE;
-	}
-	*key = this->key;
-	*me = ID_MATCH_PERFECT;
-	*other = ID_MATCH_ANY;
-	this->done = TRUE;
-	return TRUE;
-}
-
-/**
- * Destroy function for shared enumerator
- */
-static void shared_destroy(shared_enumerator_t *this)
-{
-	this->key->destroy(this->key);
-	this->this->lock->unlock(this->this->lock);
-	free(this);
-}
-/**
- * Implements credential_set_t.create_cert_enumerator
- */
-static enumerator_t* create_shared_enumerator(private_nm_creds_t *this,
-							shared_key_type_t type,	identification_t *me,
-							identification_t *other)
-{
-	shared_enumerator_t *enumerator;
-
-	if (!this->pass || !this->user)
-	{
-		return NULL;
-	}
-	if (type != SHARED_EAP && type != SHARED_IKE)
-	{
-		return NULL;
-	}
-	if (me && !me->equals(me, this->user))
-	{
-		return NULL;
-	}
-
-	enumerator = malloc_thing(shared_enumerator_t);
-	enumerator->public.enumerate = (void*)shared_enumerate;
-	enumerator->public.destroy = (void*)shared_destroy;
-	enumerator->this = this;
-	enumerator->done = FALSE;
-	this->lock->read_lock(this->lock);
-	enumerator->key = shared_key_create(type,
-										chunk_clone(chunk_create(this->pass,
-													strlen(this->pass))));
-	return &enumerator->public;
-}
-
-/**
- * Implementation of nm_creds_t.add_certificate
- */
-static void add_certificate(private_nm_creds_t *this, certificate_t *cert)
-{
-	this->lock->write_lock(this->lock);
-	this->certs->insert_last(this->certs, cert);
-	this->lock->unlock(this->lock);
-}
-
-/**
- * Load a certificate file
- */
-static void load_ca_file(private_nm_creds_t *this, char *file)
-{
-	certificate_t *cert;
-
-	/* We add the CA constraint, as many CAs miss it */
-	cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
-							  BUILD_FROM_FILE, file, BUILD_END);
-	if (!cert)
-	{
-		DBG1(DBG_CFG, "loading CA certificate '%s' failed", file);
-	}
-	else
-	{
-		DBG2(DBG_CFG, "loaded CA certificate '%Y'", cert->get_subject(cert));
-		x509_t *x509 = (x509_t*)cert;
-		if (!(x509->get_flags(x509) & X509_SELF_SIGNED))
-		{
-			DBG1(DBG_CFG, "%Y is not self signed", cert->get_subject(cert));
-		}
-		this->certs->insert_last(this->certs, cert);
-	}
-}
-
-/**
- * Implementation of nm_creds_t.load_ca_dir
- */
-static void load_ca_dir(private_nm_creds_t *this, char *dir)
-{
-	enumerator_t *enumerator;
-	char *rel, *abs;
-	struct stat st;
-
-	enumerator = enumerator_create_directory(dir);
-	if (enumerator)
-	{
-		while (enumerator->enumerate(enumerator, &rel, &abs, &st))
-		{
-			/* skip '.', '..' and hidden files */
-			if (rel[0] != '.')
-			{
-				if (S_ISDIR(st.st_mode))
-				{
-					load_ca_dir(this, abs);
-				}
-				else if (S_ISREG(st.st_mode))
-				{
-					load_ca_file(this, abs);
-				}
-			}
-		}
-		enumerator->destroy(enumerator);
-	}
-}
-
-/**
- * Implementation of nm_creds_t.set_password
- */
-static void set_username_password(private_nm_creds_t *this, identification_t *id,
-						 char *password)
-{
-	this->lock->write_lock(this->lock);
-	DESTROY_IF(this->user);
-	this->user = id->clone(id);
-	free(this->pass);
-	this->pass = password ? strdup(password) : NULL;
-	this->lock->unlock(this->lock);
-}
-
-/**
- * Implementation of nm_creds_t.set_cert_and_key
- */
-static void set_cert_and_key(private_nm_creds_t *this, certificate_t *cert,
-							 private_key_t *key)
-{
-	this->lock->write_lock(this->lock);
-	DESTROY_IF(this->key);
-	DESTROY_IF(this->usercert);
-	this->key = key;
-	this->usercert = cert;
-	this->lock->unlock(this->lock);
-}
-
-/**
- * Implementation of nm_creds_t.clear
- */
-static void clear(private_nm_creds_t *this)
-{
-	certificate_t *cert;
-
-	while (this->certs->remove_last(this->certs, (void**)&cert) == SUCCESS)
-	{
-		cert->destroy(cert);
-	}
-	DESTROY_IF(this->user);
-	free(this->pass);
-	DESTROY_IF(this->usercert);
-	DESTROY_IF(this->key);
-	this->key = NULL;
-	this->usercert = NULL;
-	this->pass = NULL;
-	this->user = NULL;
-}
-
-/**
- * Implementation of nm_creds_t.destroy
- */
-static void destroy(private_nm_creds_t *this)
-{
-	clear(this);
-	this->certs->destroy(this->certs);
-	this->lock->destroy(this->lock);
-	free(this);
-}
-
-/*
- * see header file
- */
-nm_creds_t *nm_creds_create()
-{
-	private_nm_creds_t *this = malloc_thing(private_nm_creds_t);
-
-	this->public.set.create_private_enumerator = (void*)create_private_enumerator;
-	this->public.set.create_cert_enumerator = (void*)create_cert_enumerator;
-	this->public.set.create_shared_enumerator = (void*)create_shared_enumerator;
-	this->public.set.create_cdp_enumerator = (void*)return_null;
-	this->public.set.cache_cert = (void*)nop;
-	this->public.add_certificate = (void(*)(nm_creds_t*, certificate_t *cert))add_certificate;
-	this->public.load_ca_dir = (void(*)(nm_creds_t*, char *dir))load_ca_dir;
-	this->public.set_username_password = (void(*)(nm_creds_t*, identification_t *id, char *password))set_username_password;
-	this->public.set_cert_and_key = (void(*)(nm_creds_t*, certificate_t *cert, private_key_t *key))set_cert_and_key;
-	this->public.clear = (void(*)(nm_creds_t*))clear;
-	this->public.destroy = (void(*)(nm_creds_t*))destroy;
-
-	this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
-
-	this->certs = linked_list_create();
-	this->user = NULL;
-	this->pass = NULL;
-	this->usercert = NULL;
-	this->key = NULL;
-
-	return &this->public;
-}
-
diff --git a/src/charon/plugins/nm/nm_creds.h b/src/charon/plugins/nm/nm_creds.h
deleted file mode 100644
index b55cff31e..000000000
--- a/src/charon/plugins/nm/nm_creds.h
+++ /dev/null
@@ -1,85 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup nm_creds nm_creds
- * @{ @ingroup nm
- */
-
-#ifndef NM_CREDS_H_
-#define NM_CREDS_H_
-
-#include <credentials/keys/private_key.h>
-#include <credentials/credential_set.h>
-
-typedef struct nm_creds_t nm_creds_t;
-
-/**
- * NetworkManager credentials helper.
- */
-struct nm_creds_t {
-
-	/**
-	 * Implements credential_set_t
-	 */
-	credential_set_t set;
-
-	/**
-	 * Add a trusted gateway certificate to serve by this set.
-	 *
-	 * @param cert		certificate to serve
-	 */
-	void (*add_certificate)(nm_creds_t *this, certificate_t *cert);
-
-	/**
-	 * Load CA certificates recursively from a directory.
-	 *
-	 * @param dir		directory to PEM encoded CA certificates
-	 */
-	void (*load_ca_dir)(nm_creds_t *this, char *dir);
-
-	/**
-	 * Set the username/password for authentication.
-	 *
-	 * @param id		ID of the user
-	 * @param password	password to use for authentication
-	 */
-	void (*set_username_password)(nm_creds_t *this, identification_t *id,
-								  char *password);
-	/**
-	 * Set the certificate and private key to use for client authentication.
-	 *
-	 * @param cert		client certificate
-	 * @param key		associated private key
-	 */
-	void (*set_cert_and_key)(nm_creds_t *this, certificate_t *cert,
-							 private_key_t *key);
-	/**
-	 * Clear the stored credentials.
-	 */
-	void (*clear)(nm_creds_t *this);
-
-	/**
-	 * Destroy a nm_creds instance.
-	 */
-	void (*destroy)(nm_creds_t *this);
-};
-
-/**
- * Create a nm_creds instance.
- */
-nm_creds_t *nm_creds_create();
-
-#endif /** NM_CREDS_H_ @}*/
diff --git a/src/charon/plugins/nm/nm_handler.c b/src/charon/plugins/nm/nm_handler.c
deleted file mode 100644
index eacb54dda..000000000
--- a/src/charon/plugins/nm/nm_handler.c
+++ /dev/null
@@ -1,193 +0,0 @@
-/*
- * Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "nm_handler.h"
-
-#include <daemon.h>
-
-typedef struct private_nm_handler_t private_nm_handler_t;
-
-/**
- * Private data of an nm_handler_t object.
- */
-struct private_nm_handler_t {
-
-	/**
-	 * Public nm_handler_t interface.
-	 */
-	nm_handler_t public;
-
-	/**
-	 * list of received DNS server attributes, pointer to 4 byte data
-	 */
-	linked_list_t *dns;
-
-	/**
-	 * list of received NBNS server attributes, pointer to 4 byte data
-	 */
-	linked_list_t *nbns;
-};
-
-/**
- * Implementation of attribute_handler_t.handle
- */
-static bool handle(private_nm_handler_t *this, identification_t *server,
-				   configuration_attribute_type_t type, chunk_t data)
-{
-	linked_list_t *list;
-
-	switch (type)
-	{
-		case INTERNAL_IP4_DNS:
-			list = this->dns;
-			break;
-		case INTERNAL_IP4_NBNS:
-			list = this->nbns;
-			break;
-		default:
-			return FALSE;
-	}
-	if (data.len != 4)
-	{
-		return FALSE;
-	}
-	list->insert_last(list, chunk_clone(data).ptr);
-	return TRUE;
-}
-
-/**
- * Implementation of create_attribute_enumerator().enumerate() for WINS
- */
-static bool enumerate_nbns(enumerator_t *this,
-						   configuration_attribute_type_t *type, chunk_t *data)
-{
-	*type = INTERNAL_IP4_NBNS;
-	*data = chunk_empty;
-	/* done */
-	this->enumerate = (void*)return_false;
-	return TRUE;
-}
-
-/**
- * Implementation of create_attribute_enumerator().enumerate() for DNS
- */
-static bool enumerate_dns(enumerator_t *this,
-						  configuration_attribute_type_t *type, chunk_t *data)
-{
-	*type = INTERNAL_IP4_DNS;
-	*data = chunk_empty;
-	/* enumerate WINS server as next attribute ... */
-	this->enumerate = (void*)enumerate_nbns;
-	return TRUE;
-}
-
-/**
- * Implementation of attribute_handler_t.create_attribute_enumerator
- */
-static enumerator_t* create_attribute_enumerator(private_nm_handler_t *this,
-										identification_t *server, host_t *vip)
-{
-	if (vip && vip->get_family(vip) == AF_INET)
-	{	/* no IPv6 attributes yet */
-		enumerator_t *enumerator = malloc_thing(enumerator_t);
-		/* enumerate DNS attribute first ... */
-		enumerator->enumerate = (void*)enumerate_dns;
-		enumerator->destroy = (void*)free;
-
-		return enumerator;
-	}
-	return enumerator_create_empty();
-}
-
-/**
- * convert plain byte ptrs to handy chunk during enumeration
- */
-static bool filter_chunks(void* null, char **in, chunk_t *out)
-{
-	*out = chunk_create(*in, 4);
-	return TRUE;
-}
-
-/**
- * Implementation of nm_handler_t.create_enumerator
- */
-static enumerator_t* create_enumerator(private_nm_handler_t *this,
-									   configuration_attribute_type_t type)
-{
-	linked_list_t *list;
-
-	switch (type)
-	{
-		case INTERNAL_IP4_DNS:
-			list = this->dns;
-			break;
-		case INTERNAL_IP4_NBNS:
-			list = this->nbns;
-			break;
-		default:
-			return enumerator_create_empty();
-	}
-	return enumerator_create_filter(list->create_enumerator(list),
-						(void*)filter_chunks, NULL, NULL);
-}
-
-/**
- * Implementation of nm_handler_t.reset
- */
-static void reset(private_nm_handler_t *this)
-{
-	void *data;
-
-	while (this->dns->remove_last(this->dns, (void**)&data) == SUCCESS)
-	{
-		free(data);
-	}
-	while (this->nbns->remove_last(this->nbns, (void**)&data) == SUCCESS)
-	{
-		free(data);
-	}
-}
-
-/**
- * Implementation of nm_handler_t.destroy.
- */
-static void destroy(private_nm_handler_t *this)
-{
-	reset(this);
-	this->dns->destroy(this->dns);
-	this->nbns->destroy(this->nbns);
-	free(this);
-}
-
-/**
- * See header
- */
-nm_handler_t *nm_handler_create()
-{
-	private_nm_handler_t *this = malloc_thing(private_nm_handler_t);
-
-	this->public.handler.handle = (bool(*)(attribute_handler_t*, identification_t*, configuration_attribute_type_t, chunk_t))handle;
-	this->public.handler.release = (void(*)(attribute_handler_t*, identification_t*, configuration_attribute_type_t, chunk_t))nop;
-	this->public.handler.create_attribute_enumerator = (enumerator_t*(*)(attribute_handler_t*, identification_t *server, host_t *vip))create_attribute_enumerator;
-	this->public.create_enumerator = (enumerator_t*(*)(nm_handler_t*, configuration_attribute_type_t type))create_enumerator;
-	this->public.reset = (void(*)(nm_handler_t*))reset;
-	this->public.destroy = (void(*)(nm_handler_t*))destroy;
-
-	this->dns = linked_list_create();
-	this->nbns = linked_list_create();
-
-	return &this->public;
-}
-
diff --git a/src/charon/plugins/nm/nm_handler.h b/src/charon/plugins/nm/nm_handler.h
deleted file mode 100644
index bb35ce767..000000000
--- a/src/charon/plugins/nm/nm_handler.h
+++ /dev/null
@@ -1,62 +0,0 @@
-/*
- * Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup nm_handler nm_handler
- * @{ @ingroup nm
- */
-
-#ifndef NM_HANDLER_H_
-#define NM_HANDLER_H_
-
-#include <attributes/attribute_handler.h>
-
-typedef struct nm_handler_t nm_handler_t;
-
-/**
- * Handles DNS/NBNS attributes to pass to NM.
- */
-struct nm_handler_t {
-
-	/**
-	 * Implements attribute handler interface
-	 */
-	attribute_handler_t handler;
-
-	/**
-	 * Create an enumerator over received attributes of a given kind.
-	 *
-	 * @param type		type of attributes to enumerate
-	 * @return			enumerator over attribute data (chunk_t)
-	 */
-	enumerator_t* (*create_enumerator)(nm_handler_t *this,
-									   configuration_attribute_type_t type);
-	/**
-	 * Reset state, flush all received attributes.
-	 */
-	void (*reset)(nm_handler_t *this);
-
-	/**
-	 * Destroy a nm_handler_t.
-	 */
-	void (*destroy)(nm_handler_t *this);
-};
-
-/**
- * Create a nm_handler instance.
- */
-nm_handler_t *nm_handler_create();
-
-#endif /** NM_HANDLER_H_ @}*/
diff --git a/src/charon/plugins/nm/nm_plugin.c b/src/charon/plugins/nm/nm_plugin.c
deleted file mode 100644
index daf2cc660..000000000
--- a/src/charon/plugins/nm/nm_plugin.c
+++ /dev/null
@@ -1,129 +0,0 @@
-/*
- * Copyright (C) 2008-2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "nm_plugin.h"
-#include "nm_service.h"
-#include "nm_creds.h"
-#include "nm_handler.h"
-
-#include <daemon.h>
-#include <processing/jobs/callback_job.h>
-
-#define CAP_DAC_OVERRIDE 1
-
-typedef struct private_nm_plugin_t private_nm_plugin_t;
-
-/**
- * private data of nm plugin
- */
-struct private_nm_plugin_t {
-
-	/**
-	 * implements plugin interface
-	 */
-	nm_plugin_t public;
-
-	/**
-	 * NetworkManager service (VPNPlugin)
-	 */
-	NMStrongswanPlugin *plugin;
-
-	/**
-	 * Glib main loop for a thread, handles DBUS calls
-	 */
-	GMainLoop *loop;
-
-	/**
-	 * credential set registered at the daemon
-	 */
-	nm_creds_t *creds;
-
-	/**
-	 * attribute handler regeisterd at the daemon
-	 */
-	nm_handler_t *handler;
-};
-
-/**
- * NM plugin processing routine, creates and handles NMVPNPlugin
- */
-static job_requeue_t run(private_nm_plugin_t *this)
-{
-	this->loop = g_main_loop_new(NULL, FALSE);
-	g_main_loop_run(this->loop);
-	return JOB_REQUEUE_NONE;
-}
-
-/**
- * Implementation of plugin_t.destroy
- */
-static void destroy(private_nm_plugin_t *this)
-{
-	if (this->loop)
-	{
-		if (g_main_loop_is_running(this->loop))
-		{
-			g_main_loop_quit(this->loop);
-		}
-		g_main_loop_unref(this->loop);
-	}
-	if (this->plugin)
-	{
-		g_object_unref(this->plugin);
-	}
-	charon->credentials->remove_set(charon->credentials, &this->creds->set);
-	lib->attributes->remove_handler(lib->attributes, &this->handler->handler);
-	this->creds->destroy(this->creds);
-	this->handler->destroy(this->handler);
-	free(this);
-}
-
-/*
- * see header file
- */
-plugin_t *plugin_create()
-{
-	private_nm_plugin_t *this = malloc_thing(private_nm_plugin_t);
-
-	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-
-	this->loop = NULL;
-	g_type_init ();
-	if (!g_thread_supported())
-	{
-		g_thread_init(NULL);
-	}
-
-	this->creds = nm_creds_create();
-	this->handler = nm_handler_create();
-	lib->attributes->add_handler(lib->attributes, &this->handler->handler);
-	charon->credentials->add_set(charon->credentials, &this->creds->set);
-	this->plugin = nm_strongswan_plugin_new(this->creds, this->handler);
-	if (!this->plugin)
-	{
-		DBG1(DBG_CFG, "DBUS binding failed");
-		destroy(this);
-		return NULL;
-	}
-
-	/* bypass file permissions to read from users ssh-agent */
-	charon->keep_cap(charon, CAP_DAC_OVERRIDE);
-
-	charon->processor->queue_job(charon->processor,
-		 (job_t*)callback_job_create((callback_job_cb_t)run, this, NULL, NULL));
-
-	return &this->public.plugin;
-}
-
diff --git a/src/charon/plugins/nm/nm_plugin.h b/src/charon/plugins/nm/nm_plugin.h
deleted file mode 100644
index 18d053e11..000000000
--- a/src/charon/plugins/nm/nm_plugin.h
+++ /dev/null
@@ -1,47 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup nm nm
- * @ingroup cplugins
- *
- * @defgroup nm_plugin nm_plugin
- * @{ @ingroup nm
- */
-
-#ifndef NM_PLUGIN_H_
-#define NM_PLUGIN_H_
-
-#include <plugins/plugin.h>
-
-typedef struct nm_plugin_t nm_plugin_t;
-
-/**
- * NetworkManager integration plugin.
- */
-struct nm_plugin_t {
-
-	/**
-	 * implements plugin interface
-	 */
-	plugin_t plugin;
-};
-
-/**
- * Create a nm_plugin instance.
- */
-plugin_t *plugin_create();
-
-#endif /** NM_PLUGIN_H_ @}*/
diff --git a/src/charon/plugins/nm/nm_service.c b/src/charon/plugins/nm/nm_service.c
deleted file mode 100644
index b05383c2b..000000000
--- a/src/charon/plugins/nm/nm_service.c
+++ /dev/null
@@ -1,628 +0,0 @@
-/*
- * Copyright (C) 2008-2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <nm-setting-vpn.h>
-#include <nm-setting-connection.h>
-#include "nm_service.h"
-
-#include <daemon.h>
-#include <utils/host.h>
-#include <utils/identification.h>
-#include <config/peer_cfg.h>
-#include <credentials/certificates/x509.h>
-
-#include <stdio.h>
-
-G_DEFINE_TYPE(NMStrongswanPlugin, nm_strongswan_plugin, NM_TYPE_VPN_PLUGIN)
-
-/**
- * Private data of NMStrongswanPlugin
- */
-typedef struct {
-	/* implements bus listener interface */
-	listener_t listener;
-	/* IKE_SA we are listening on */
-	ike_sa_t *ike_sa;
-	/* backref to public plugin */
-	NMVPNPlugin *plugin;
-	/* credentials to use for authentication */
-	nm_creds_t *creds;
-	/* attribute handler for DNS/NBNS server information */
-	nm_handler_t *handler;
-	/* name of the connection */
-	char *name;
-} NMStrongswanPluginPrivate;
-
-#define NM_STRONGSWAN_PLUGIN_GET_PRIVATE(o) \
-			(G_TYPE_INSTANCE_GET_PRIVATE ((o), \
-				NM_TYPE_STRONGSWAN_PLUGIN, NMStrongswanPluginPrivate))
-
-/**
- * convert enumerated handler chunks to a UINT_ARRAY GValue
- */
-static GValue* handler_to_val(nm_handler_t *handler,
-							 configuration_attribute_type_t type)
-{
-	GValue *val;
-	GArray *array;
-	enumerator_t *enumerator;
-	chunk_t chunk;
-
-	enumerator = handler->create_enumerator(handler, type);
-	array = g_array_new (FALSE, TRUE, sizeof (guint32));
-	while (enumerator->enumerate(enumerator, &chunk))
-	{
-		g_array_append_val (array, *(u_int32_t*)chunk.ptr);
-	}
-	enumerator->destroy(enumerator);
-	val = g_slice_new0 (GValue);
-	g_value_init (val, DBUS_TYPE_G_UINT_ARRAY);
-	g_value_set_boxed (val, array);
-
-	return val;
-}
-
-/**
- * signal IPv4 config to NM, set connection as established
- */
-static void signal_ipv4_config(NMVPNPlugin *plugin,
-							   ike_sa_t *ike_sa, child_sa_t *child_sa)
-{
-	GValue *val;
-	GHashTable *config;
-	host_t *me, *other;
-	nm_handler_t *handler;
-
-	config = g_hash_table_new(g_str_hash, g_str_equal);
-	me = ike_sa->get_my_host(ike_sa);
-	other = ike_sa->get_other_host(ike_sa);
-	handler = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin)->handler;
-
-	/* NM requires a tundev, but netkey does not use one. Passing an invalid
-	 * iface makes NM complain, but it accepts it without fiddling on eth0. */
-	val = g_slice_new0 (GValue);
-	g_value_init (val, G_TYPE_STRING);
-	g_value_set_string (val, "none");
-	g_hash_table_insert (config, NM_VPN_PLUGIN_IP4_CONFIG_TUNDEV, val);
-
-	val = g_slice_new0(GValue);
-	g_value_init(val, G_TYPE_UINT);
-	g_value_set_uint(val, *(u_int32_t*)me->get_address(me).ptr);
-	g_hash_table_insert(config, NM_VPN_PLUGIN_IP4_CONFIG_ADDRESS, val);
-
-	val = g_slice_new0(GValue);
-	g_value_init(val, G_TYPE_UINT);
-	g_value_set_uint(val, me->get_address(me).len * 8);
-	g_hash_table_insert(config, NM_VPN_PLUGIN_IP4_CONFIG_PREFIX, val);
-
-	val = handler_to_val(handler, INTERNAL_IP4_DNS);
-	g_hash_table_insert(config, NM_VPN_PLUGIN_IP4_CONFIG_DNS, val);
-
-	val = handler_to_val(handler, INTERNAL_IP4_NBNS);
-	g_hash_table_insert(config, NM_VPN_PLUGIN_IP4_CONFIG_NBNS, val);
-
-	handler->reset(handler);
-
-	nm_vpn_plugin_set_ip4_config(plugin, config);
-}
-
-/**
- * signal failure to NM, connecting failed
- */
-static void signal_failure(NMVPNPlugin *plugin, NMVPNPluginFailure failure)
-{
-	nm_handler_t *handler = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin)->handler;
-
-	handler->reset(handler);
-
-	/* TODO: NM does not handle this failure!? */
-	nm_vpn_plugin_failure(plugin, failure);
-	nm_vpn_plugin_set_state(plugin, NM_VPN_SERVICE_STATE_STOPPED);
-}
-
-/**
- * Implementation of listener_t.ike_state_change
- */
-static bool ike_state_change(listener_t *listener, ike_sa_t *ike_sa,
-							 ike_sa_state_t state)
-{
-	NMStrongswanPluginPrivate *private = (NMStrongswanPluginPrivate*)listener;
-
-	if (private->ike_sa == ike_sa && state == IKE_DESTROYING)
-	{
-		signal_failure(private->plugin, NM_VPN_PLUGIN_FAILURE_LOGIN_FAILED);
-		return FALSE;
-	}
-	return TRUE;
-}
-
-/**
- * Implementation of listener_t.child_state_change
- */
-static bool child_state_change(listener_t *listener, ike_sa_t *ike_sa,
-							   child_sa_t *child_sa, child_sa_state_t state)
-{
-	NMStrongswanPluginPrivate *private = (NMStrongswanPluginPrivate*)listener;
-
-	if (private->ike_sa == ike_sa && state == CHILD_DESTROYING)
-	{
-		signal_failure(private->plugin, NM_VPN_PLUGIN_FAILURE_CONNECT_FAILED);
-		return FALSE;
-	}
-	return TRUE;
-}
-
-/**
- * Implementation of listener_t.child_updown
- */
-static bool child_updown(listener_t *listener, ike_sa_t *ike_sa,
-						 child_sa_t *child_sa, bool up)
-{
-	NMStrongswanPluginPrivate *private = (NMStrongswanPluginPrivate*)listener;
-
-	if (private->ike_sa == ike_sa)
-	{
-		if (up)
-		{	/* disable initiate-failure-detection hooks */
-			private->listener.ike_state_change = NULL;
-			private->listener.child_state_change = NULL;
-			signal_ipv4_config(private->plugin, ike_sa, child_sa);
-		}
-		else
-		{
-			signal_failure(private->plugin, NM_VPN_PLUGIN_FAILURE_CONNECT_FAILED);
-			return FALSE;
-		}
-	}
-	return TRUE;
-}
-
-/**
- * Implementation of listener_t.ike_rekey
- */
-static bool ike_rekey(listener_t *listener, ike_sa_t *old, ike_sa_t *new)
-{
-	NMStrongswanPluginPrivate *private = (NMStrongswanPluginPrivate*)listener;
-
-	if (private->ike_sa == old)
-	{	/* follow a rekeyed IKE_SA */
-		private->ike_sa = new;
-	}
-	return TRUE;
-}
-
-/**
- * Connect function called from NM via DBUS
- */
-static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
-						 GError **err)
-{
-	NMStrongswanPluginPrivate *priv;
-	NMSettingConnection *conn;
-	NMSettingVPN *vpn;
-	identification_t *user = NULL, *gateway = NULL;
-	const char *address, *str;
-	bool virtual, encap, ipcomp;
-	ike_cfg_t *ike_cfg;
-	peer_cfg_t *peer_cfg;
-	child_cfg_t *child_cfg;
-	traffic_selector_t *ts;
-	ike_sa_t *ike_sa;
-	auth_cfg_t *auth;
-	auth_class_t auth_class = AUTH_CLASS_EAP;
-	certificate_t *cert = NULL;
-	x509_t *x509;
-	bool agent = FALSE;
-	lifetime_cfg_t lifetime = {
-		.time = {
-			.life = 10800 /* 3h */,
-			.rekey = 10200 /* 2h50min */,
-			.jitter = 300 /* 5min */
-		}
-	};
-
-	/**
-	 * Read parameters
-	 */
-	priv = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin);
-	conn = NM_SETTING_CONNECTION(nm_connection_get_setting(connection,
-												NM_TYPE_SETTING_CONNECTION));
-	vpn = NM_SETTING_VPN(nm_connection_get_setting(connection,
-												NM_TYPE_SETTING_VPN));
-	if (priv->name)
-	{
-		free(priv->name);
-	}
-	priv->name = strdup(nm_setting_connection_get_id(conn));
-	DBG1(DBG_CFG, "received initiate for NetworkManager connection %s",
-		 priv->name);
-	DBG4(DBG_CFG, "%s",
-		 nm_setting_to_string(NM_SETTING(vpn)));
-	address = nm_setting_vpn_get_data_item(vpn, "address");
-	if (!address || !*address)
-	{
-		g_set_error(err, NM_VPN_PLUGIN_ERROR, NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
-					"Gateway address missing.");
-		return FALSE;
-	}
-	str = nm_setting_vpn_get_data_item(vpn, "virtual");
-	virtual = str && streq(str, "yes");
-	str = nm_setting_vpn_get_data_item(vpn, "encap");
-	encap = str && streq(str, "yes");
-	str = nm_setting_vpn_get_data_item(vpn, "ipcomp");
-	ipcomp = str && streq(str, "yes");
-	str = nm_setting_vpn_get_data_item(vpn, "method");
-	if (str)
-	{
-		if (streq(str, "psk"))
-		{
-			auth_class = AUTH_CLASS_PSK;
-		}
-		else if (streq(str, "agent"))
-		{
-			auth_class = AUTH_CLASS_PUBKEY;
-			agent = TRUE;
-		}
-		else if (streq(str, "key"))
-		{
-			auth_class = AUTH_CLASS_PUBKEY;
-		}
-	}
-
-	/**
-	 * Register credentials
-	 */
-	priv->creds->clear(priv->creds);
-
-	/* gateway/CA cert */
-	str = nm_setting_vpn_get_data_item(vpn, "certificate");
-	if (str)
-	{
-		cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
-								  BUILD_FROM_FILE, str, BUILD_END);
-		if (!cert)
-		{
-			g_set_error(err, NM_VPN_PLUGIN_ERROR,
-						NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
-						"Loading gateway certificate failed.");
-			return FALSE;
-		}
-		priv->creds->add_certificate(priv->creds, cert);
-
-		x509 = (x509_t*)cert;
-		if (!(x509->get_flags(x509) & X509_CA))
-		{	/* For a gateway certificate, we use the cert subject as identity. */
-			gateway = cert->get_subject(cert);
-			gateway = gateway->clone(gateway);
-			DBG1(DBG_CFG, "using gateway certificate, identity '%Y'", gateway);
-		}
-	}
-	else
-	{
-		/* no certificate defined, fall back to system-wide CA certificates */
-		priv->creds->load_ca_dir(priv->creds, NM_CA_DIR);
-	}
-	if (!gateway)
-	{
-		/* If the user configured a CA certificate, we use the IP/DNS
-		 * of the gateway as its identity. This identity will be used for
-		 * certificate lookup and requires the configured IP/DNS to be
-		 * included in the gateway certificate. */
-		gateway = identification_create_from_string((char*)address);
-		DBG1(DBG_CFG, "using CA certificate, gateway identity '%Y'", gateway);
-	}
-
-	if (auth_class == AUTH_CLASS_EAP)
-	{
-		/* username/password authentication ... */
-		str = nm_setting_vpn_get_data_item(vpn, "user");
-		if (str)
-		{
-			user = identification_create_from_string((char*)str);
-			str = nm_setting_vpn_get_secret(vpn, "password");
-			priv->creds->set_username_password(priv->creds, user, (char*)str);
-		}
-	}
-
-	if (auth_class == AUTH_CLASS_PUBKEY)
-	{
-		/* ... or certificate/private key authenitcation */
-		str = nm_setting_vpn_get_data_item(vpn, "usercert");
-		if (str)
-		{
-			public_key_t *public;
-			private_key_t *private = NULL;
-
-			cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
-									  BUILD_FROM_FILE, str, BUILD_END);
-			if (!cert)
-			{
-				g_set_error(err, NM_VPN_PLUGIN_ERROR,
-							NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
-							"Loading peer certificate failed.");
-				gateway->destroy(gateway);
-				return FALSE;
-			}
-			/* try agent */
-			str = nm_setting_vpn_get_secret(vpn, "agent");
-			if (agent && str)
-			{
-				public = cert->get_public_key(cert);
-				if (public)
-				{
-					private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY,
-												 public->get_type(public),
-												 BUILD_AGENT_SOCKET, str,
-												 BUILD_PUBLIC_KEY, public,
-												 BUILD_END);
-					public->destroy(public);
-				}
-				if (!private)
-				{
-					g_set_error(err, NM_VPN_PLUGIN_ERROR,
-								NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
-								"Connecting to SSH agent failed.");
-				}
-			}
-			/* ... or key file */
-			str = nm_setting_vpn_get_data_item(vpn, "userkey");
-			if (!agent && str)
-			{
-				chunk_t secret;
-
-				secret.ptr = (char*)nm_setting_vpn_get_secret(vpn, "password");
-				if (secret.ptr)
-				{
-					secret.len = strlen(secret.ptr);
-				}
-				private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY,
-								KEY_RSA, BUILD_FROM_FILE, str,
-								BUILD_PASSPHRASE, secret, BUILD_END);
-				if (!private)
-				{
-					g_set_error(err, NM_VPN_PLUGIN_ERROR,
-								NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
-								"Loading private key failed.");
-				}
-			}
-			if (private)
-			{
-				user = cert->get_subject(cert);
-				user = user->clone(user);
-				priv->creds->set_cert_and_key(priv->creds, cert, private);
-			}
-			else
-			{
-				DESTROY_IF(cert);
-				gateway->destroy(gateway);
-				return FALSE;
-			}
-		}
-	}
-
-	if (!user)
-	{
-		g_set_error(err, NM_VPN_PLUGIN_ERROR, NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
-					"Configuration parameters missing.");
-		gateway->destroy(gateway);
-		return FALSE;
-	}
-
-	/**
-	 * Set up configurations
-	 */
-	ike_cfg = ike_cfg_create(TRUE, encap, "0.0.0.0", (char*)address);
-	ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
-	peer_cfg = peer_cfg_create(priv->name, 2, ike_cfg,
-					CERT_SEND_IF_ASKED, UNIQUE_REPLACE, 1, /* keyingtries */
-					36000, 0, /* rekey 10h, reauth none */
-					600, 600, /* jitter, over 10min */
-					TRUE, 0, /* mobike, DPD */
-					virtual ? host_create_from_string("0.0.0.0", 0) : NULL,
-					NULL, FALSE, NULL, NULL); /* pool, mediation */
-	auth = auth_cfg_create();
-	auth->add(auth, AUTH_RULE_AUTH_CLASS, auth_class);
-	auth->add(auth, AUTH_RULE_IDENTITY, user);
-	peer_cfg->add_auth_cfg(peer_cfg, auth, TRUE);
-	auth = auth_cfg_create();
-	auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
-	auth->add(auth, AUTH_RULE_IDENTITY, gateway);
-	peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);
-
-	child_cfg = child_cfg_create(priv->name, &lifetime,
-								 NULL, TRUE, MODE_TUNNEL, /* updown, hostaccess */
-								 ACTION_NONE, ACTION_NONE, ipcomp, 0);
-	child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
-	ts = traffic_selector_create_dynamic(0, 0, 65535);
-	child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
-	ts = traffic_selector_create_from_string(0, TS_IPV4_ADDR_RANGE,
-											 "0.0.0.0", 0,
-											 "255.255.255.255", 65535);
-	child_cfg->add_traffic_selector(child_cfg, FALSE, ts);
-	peer_cfg->add_child_cfg(peer_cfg, child_cfg);
-
-	/**
-	 * Prepare IKE_SA
-	 */
-	ike_sa = charon->ike_sa_manager->checkout_by_config(charon->ike_sa_manager,
-														peer_cfg);
-	if (!ike_sa->get_peer_cfg(ike_sa))
-	{
-		ike_sa->set_peer_cfg(ike_sa, peer_cfg);
-	}
-	peer_cfg->destroy(peer_cfg);
-
-	/**
-	 * Register listener, enable  initiate-failure-detection hooks
-	 */
-	priv->ike_sa = ike_sa;
-	priv->listener.ike_state_change = ike_state_change;
-	priv->listener.child_state_change = child_state_change;
-	charon->bus->add_listener(charon->bus, &priv->listener);
-
-	/**
-	 * Initiate
-	 */
-	if (ike_sa->initiate(ike_sa, child_cfg, 0, NULL, NULL) != SUCCESS)
-	{
-		charon->bus->remove_listener(charon->bus, &priv->listener);
-		charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, ike_sa);
-
-		g_set_error(err, NM_VPN_PLUGIN_ERROR, NM_VPN_PLUGIN_ERROR_LAUNCH_FAILED,
-					"Initiating failed.");
-		return FALSE;
-	}
-	charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
-	return TRUE;
-}
-
-/**
- * NeedSecrets called from NM via DBUS
- */
-static gboolean need_secrets(NMVPNPlugin *plugin, NMConnection *connection,
-							 char **setting_name, GError **error)
-{
-	NMSettingVPN *settings;
-	const char *method, *path;
-
-	settings = NM_SETTING_VPN(nm_connection_get_setting(connection,
-														NM_TYPE_SETTING_VPN));
-	method = nm_setting_vpn_get_data_item(settings, "method");
-	if (method)
-	{
-		if (streq(method, "eap"))
-		{
-			if (nm_setting_vpn_get_secret(settings, "password"))
-			{
-				return FALSE;
-			}
-		}
-		else if (streq(method, "agent"))
-		{
-			if (nm_setting_vpn_get_secret(settings, "agent"))
-			{
-				return FALSE;
-			}
-		}
-		else if (streq(method, "key"))
-		{
-			path = nm_setting_vpn_get_data_item(settings, "userkey");
-			if (path)
-			{
-				private_key_t *key;
-				chunk_t secret;
-
-				secret.ptr = (char*)nm_setting_vpn_get_secret(settings, "password");
-				if (secret.ptr)
-				{
-					secret.len = strlen(secret.ptr);
-				}
-				/* try to load/decrypt the private key */
-				key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY,
-								KEY_RSA, BUILD_FROM_FILE, path,
-								BUILD_PASSPHRASE, secret, BUILD_END);
-				if (key)
-				{
-					key->destroy(key);
-					return FALSE;
-				}
-			}
-		}
-	}
-	*setting_name = NM_SETTING_VPN_SETTING_NAME;
-	return TRUE;
-}
-
-/**
- * Disconnect called from NM via DBUS
- */
-static gboolean disconnect(NMVPNPlugin *plugin, GError **err)
-{
-	NMStrongswanPluginPrivate *priv = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin);
-	enumerator_t *enumerator;
-	ike_sa_t *ike_sa;
-	u_int id;
-
-	/* our ike_sa pointer might be invalid, lookup sa */
-	enumerator = charon->controller->create_ike_sa_enumerator(charon->controller);
-	while (enumerator->enumerate(enumerator, &ike_sa))
-	{
-		if (priv->ike_sa == ike_sa)
-		{
-			id = ike_sa->get_unique_id(ike_sa);
-			enumerator->destroy(enumerator);
-			charon->controller->terminate_ike(charon->controller, id,
-											  controller_cb_empty, NULL);
-			return TRUE;
-		}
-	}
-	enumerator->destroy(enumerator);
-
-	g_set_error(err, NM_VPN_PLUGIN_ERROR, NM_VPN_PLUGIN_ERROR_GENERAL,
-				"Connection not found.");
-	return FALSE;
-}
-
-/**
- * Initializer
- */
-static void nm_strongswan_plugin_init(NMStrongswanPlugin *plugin)
-{
-	NMStrongswanPluginPrivate *priv;
-
-	priv = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin);
-	priv->plugin = NM_VPN_PLUGIN(plugin);
-	memset(&priv->listener.log, 0, sizeof(listener_t));
-	priv->listener.child_updown = child_updown;
-	priv->listener.ike_rekey = ike_rekey;
-}
-
-/**
- * Class constructor
- */
-static void nm_strongswan_plugin_class_init(
-									NMStrongswanPluginClass *strongswan_class)
-{
-	NMVPNPluginClass *parent_class = NM_VPN_PLUGIN_CLASS(strongswan_class);
-
-	g_type_class_add_private(G_OBJECT_CLASS(strongswan_class),
-							 sizeof(NMStrongswanPluginPrivate));
-	parent_class->connect = connect_;
-	parent_class->need_secrets = need_secrets;
-	parent_class->disconnect = disconnect;
-}
-
-/**
- * Object constructor
- */
-NMStrongswanPlugin *nm_strongswan_plugin_new(nm_creds_t *creds,
-											 nm_handler_t *handler)
-{
-	NMStrongswanPlugin *plugin = (NMStrongswanPlugin *)g_object_new (
-					NM_TYPE_STRONGSWAN_PLUGIN,
-					NM_VPN_PLUGIN_DBUS_SERVICE_NAME, NM_DBUS_SERVICE_STRONGSWAN,
-					NULL);
-	if (plugin)
-	{
-		NMStrongswanPluginPrivate *priv;
-
-		priv = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin);
-		priv->creds = creds;
-		priv->handler = handler;
-		priv->name = NULL;
-	}
-	return plugin;
-}
-
diff --git a/src/charon/plugins/nm/nm_service.h b/src/charon/plugins/nm/nm_service.h
deleted file mode 100644
index b00000b6f..000000000
--- a/src/charon/plugins/nm/nm_service.h
+++ /dev/null
@@ -1,55 +0,0 @@
-/*
- * Copyright (C) 2008-2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup nm_service nm_service
- * @{ @ingroup nm
- */
-
-#ifndef NM_SERVICE_H_
-#define NM_SERVICE_H_
-
-#include <glib/gtypes.h>
-#include <glib-object.h>
-#include <nm-vpn-plugin.h>
-
-#include "nm_creds.h"
-#include "nm_handler.h"
-
-#define NM_TYPE_STRONGSWAN_PLUGIN            (nm_strongswan_plugin_get_type ())
-#define NM_STRONGSWAN_PLUGIN(obj)            (G_TYPE_CHECK_INSTANCE_CAST ((obj), NM_TYPE_STRONGSWAN_PLUGIN, NMSTRONGSWANPlugin))
-#define NM_STRONGSWAN_PLUGIN_CLASS(klass)    (G_TYPE_CHECK_CLASS_CAST ((klass), NM_TYPE_STRONGSWAN_PLUGIN, NMSTRONGSWANPluginClass))
-#define NM_IS_STRONGSWAN_PLUGIN(obj)         (G_TYPE_CHECK_INSTANCE_TYPE ((obj), NM_TYPE_STRONGSWAN_PLUGIN))
-#define NM_IS_STRONGSWAN_PLUGIN_CLASS(klass) (G_TYPE_CHECK_CLASS_TYPE ((obj), NM_TYPE_STRONGSWAN_PLUGIN))
-#define NM_STRONGSWAN_PLUGIN_GET_CLASS(obj)  (G_TYPE_INSTANCE_GET_CLASS ((obj), NM_TYPE_STRONGSWAN_PLUGIN, NMSTRONGSWANPluginClass))
-
-#define NM_DBUS_SERVICE_STRONGSWAN    "org.freedesktop.NetworkManager.strongswan"
-#define NM_DBUS_INTERFACE_STRONGSWAN  "org.freedesktop.NetworkManager.strongswan"
-#define NM_DBUS_PATH_STRONGSWAN       "/org/freedesktop/NetworkManager/strongswan"
-
-typedef struct {
-	NMVPNPlugin parent;
-} NMStrongswanPlugin;
-
-typedef struct {
-	NMVPNPluginClass parent;
-} NMStrongswanPluginClass;
-
-GType nm_strongswan_plugin_get_type(void);
-
-NMStrongswanPlugin *nm_strongswan_plugin_new(nm_creds_t *creds,
-											 nm_handler_t *handler);
-
-#endif /** NM_SERVICE_H_ @}*/
diff --git a/src/charon/plugins/resolve/Makefile.am b/src/charon/plugins/resolve/Makefile.am
deleted file mode 100644
index 9d18b00b4..000000000
--- a/src/charon/plugins/resolve/Makefile.am
+++ /dev/null
@@ -1,13 +0,0 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
-
-AM_CFLAGS = -rdynamic \
-  -DRESOLV_CONF=\"${resolv_conf}\"
-
-plugin_LTLIBRARIES = libstrongswan-resolve.la
-libstrongswan_resolve_la_SOURCES = \
-  resolve_plugin.h resolve_plugin.c \
-  resolve_handler.h resolve_handler.c
-libstrongswan_resolve_la_LDFLAGS = -module -avoid-version
-
-
diff --git a/src/charon/plugins/resolve/Makefile.in b/src/charon/plugins/resolve/Makefile.in
deleted file mode 100644
index 478935752..000000000
--- a/src/charon/plugins/resolve/Makefile.in
+++ /dev/null
@@ -1,574 +0,0 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
-# @configure_input@
-
-# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
-# This Makefile.in is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
-# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
-# PARTICULAR PURPOSE.
-
-@SET_MAKE@
-
-VPATH = @srcdir@
-pkgdatadir = $(datadir)/@PACKAGE@
-pkgincludedir = $(includedir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
-pkglibexecdir = $(libexecdir)/@PACKAGE@
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-install_sh_DATA = $(install_sh) -c -m 644
-install_sh_PROGRAM = $(install_sh) -c
-install_sh_SCRIPT = $(install_sh) -c
-INSTALL_HEADER = $(INSTALL_DATA)
-transform = $(program_transform_name)
-NORMAL_INSTALL = :
-PRE_INSTALL = :
-POST_INSTALL = :
-NORMAL_UNINSTALL = :
-PRE_UNINSTALL = :
-POST_UNINSTALL = :
-build_triplet = @build@
-host_triplet = @host@
-subdir = src/charon/plugins/resolve
-DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
-ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
-	$(top_srcdir)/m4/config/ltoptions.m4 \
-	$(top_srcdir)/m4/config/ltsugar.m4 \
-	$(top_srcdir)/m4/config/ltversion.m4 \
-	$(top_srcdir)/m4/config/lt~obsolete.m4 \
-	$(top_srcdir)/m4/macros/with.m4 \
-	$(top_srcdir)/m4/macros/enable-disable.m4 \
-	$(top_srcdir)/configure.in
-am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
-	$(ACLOCAL_M4)
-mkinstalldirs = $(install_sh) -d
-CONFIG_CLEAN_FILES =
-CONFIG_CLEAN_VPATH_FILES =
-am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
-am__vpath_adj = case $$p in \
-    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
-    *) f=$$p;; \
-  esac;
-am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
-am__install_max = 40
-am__nobase_strip_setup = \
-  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
-am__nobase_strip = \
-  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
-am__nobase_list = $(am__nobase_strip_setup); \
-  for p in $$list; do echo "$$p $$p"; done | \
-  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
-  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
-    if (++n[$$2] == $(am__install_max)) \
-      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
-    END { for (dir in files) print dir, files[dir] }'
-am__base_list = \
-  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
-  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
-am__installdirs = "$(DESTDIR)$(plugindir)"
-LTLIBRARIES = $(plugin_LTLIBRARIES)
-libstrongswan_resolve_la_LIBADD =
-am_libstrongswan_resolve_la_OBJECTS = resolve_plugin.lo \
-	resolve_handler.lo
-libstrongswan_resolve_la_OBJECTS =  \
-	$(am_libstrongswan_resolve_la_OBJECTS)
-libstrongswan_resolve_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_resolve_la_LDFLAGS) $(LDFLAGS) -o $@
-DEFAULT_INCLUDES = -I.@am__isrc@
-depcomp = $(SHELL) $(top_srcdir)/depcomp
-am__depfiles_maybe = depfiles
-am__mv = mv -f
-COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
-	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
-SOURCES = $(libstrongswan_resolve_la_SOURCES)
-DIST_SOURCES = $(libstrongswan_resolve_la_SOURCES)
-ETAGS = etags
-CTAGS = ctags
-DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
-ACLOCAL = @ACLOCAL@
-ALLOCA = @ALLOCA@
-AMTAR = @AMTAR@
-AR = @AR@
-AUTOCONF = @AUTOCONF@
-AUTOHEADER = @AUTOHEADER@
-AUTOMAKE = @AUTOMAKE@
-AWK = @AWK@
-BTLIB = @BTLIB@
-CC = @CC@
-CCDEPMODE = @CCDEPMODE@
-CFLAGS = @CFLAGS@
-CPP = @CPP@
-CPPFLAGS = @CPPFLAGS@
-CYGPATH_W = @CYGPATH_W@
-DEFS = @DEFS@
-DEPDIR = @DEPDIR@
-DLLIB = @DLLIB@
-DSYMUTIL = @DSYMUTIL@
-DUMPBIN = @DUMPBIN@
-ECHO_C = @ECHO_C@
-ECHO_N = @ECHO_N@
-ECHO_T = @ECHO_T@
-EGREP = @EGREP@
-EXEEXT = @EXEEXT@
-FGREP = @FGREP@
-GPERF = @GPERF@
-GREP = @GREP@
-INSTALL = @INSTALL@
-INSTALL_DATA = @INSTALL_DATA@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@
-INSTALL_SCRIPT = @INSTALL_SCRIPT@
-INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-LD = @LD@
-LDFLAGS = @LDFLAGS@
-LEX = @LEX@
-LEXLIB = @LEXLIB@
-LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBOBJS = @LIBOBJS@
-LIBS = @LIBS@
-LIBTOOL = @LIBTOOL@
-LIPO = @LIPO@
-LN_S = @LN_S@
-LTLIBOBJS = @LTLIBOBJS@
-MAKEINFO = @MAKEINFO@
-MKDIR_P = @MKDIR_P@
-MYSQLCFLAG = @MYSQLCFLAG@
-MYSQLCONFIG = @MYSQLCONFIG@
-MYSQLLIB = @MYSQLLIB@
-NM = @NM@
-NMEDIT = @NMEDIT@
-OBJDUMP = @OBJDUMP@
-OBJEXT = @OBJEXT@
-OTOOL = @OTOOL@
-OTOOL64 = @OTOOL64@
-PACKAGE = @PACKAGE@
-PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
-PACKAGE_NAME = @PACKAGE_NAME@
-PACKAGE_STRING = @PACKAGE_STRING@
-PACKAGE_TARNAME = @PACKAGE_TARNAME@
-PACKAGE_URL = @PACKAGE_URL@
-PACKAGE_VERSION = @PACKAGE_VERSION@
-PATH_SEPARATOR = @PATH_SEPARATOR@
-PERL = @PERL@
-PKG_CONFIG = @PKG_CONFIG@
-PTHREADLIB = @PTHREADLIB@
-RANLIB = @RANLIB@
-RTLIB = @RTLIB@
-RUBY = @RUBY@
-RUBYINCLUDE = @RUBYINCLUDE@
-SED = @SED@
-SET_MAKE = @SET_MAKE@
-SHELL = @SHELL@
-SOCKLIB = @SOCKLIB@
-STRIP = @STRIP@
-VERSION = @VERSION@
-YACC = @YACC@
-YFLAGS = @YFLAGS@
-abs_builddir = @abs_builddir@
-abs_srcdir = @abs_srcdir@
-abs_top_builddir = @abs_top_builddir@
-abs_top_srcdir = @abs_top_srcdir@
-ac_ct_CC = @ac_ct_CC@
-ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
-am__include = @am__include@
-am__leading_dot = @am__leading_dot@
-am__quote = @am__quote@
-am__tar = @am__tar@
-am__untar = @am__untar@
-bindir = @bindir@
-build = @build@
-build_alias = @build_alias@
-build_cpu = @build_cpu@
-build_os = @build_os@
-build_vendor = @build_vendor@
-builddir = @builddir@
-datadir = @datadir@
-datarootdir = @datarootdir@
-default_pkcs11 = @default_pkcs11@
-docdir = @docdir@
-dvidir = @dvidir@
-exec_prefix = @exec_prefix@
-gtk_CFLAGS = @gtk_CFLAGS@
-gtk_LIBS = @gtk_LIBS@
-host = @host@
-host_alias = @host_alias@
-host_cpu = @host_cpu@
-host_os = @host_os@
-host_vendor = @host_vendor@
-htmldir = @htmldir@
-includedir = @includedir@
-infodir = @infodir@
-install_sh = @install_sh@
-ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
-ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
-ipsecuser = @ipsecuser@
-libdir = @libdir@
-libexecdir = @libexecdir@
-libstrongswan_plugins = @libstrongswan_plugins@
-linux_headers = @linux_headers@
-localedir = @localedir@
-localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
-mandir = @mandir@
-mkdir_p = @mkdir_p@
-nm_CFLAGS = @nm_CFLAGS@
-nm_LIBS = @nm_LIBS@
-nm_ca_dir = @nm_ca_dir@
-oldincludedir = @oldincludedir@
-pdfdir = @pdfdir@
-piddir = @piddir@
-plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
-prefix = @prefix@
-program_transform_name = @program_transform_name@
-psdir = @psdir@
-random_device = @random_device@
-resolv_conf = @resolv_conf@
-routing_table = @routing_table@
-routing_table_prio = @routing_table_prio@
-sbindir = @sbindir@
-sharedstatedir = @sharedstatedir@
-srcdir = @srcdir@
-strongswan_conf = @strongswan_conf@
-sysconfdir = @sysconfdir@
-target_alias = @target_alias@
-top_build_prefix = @top_build_prefix@
-top_builddir = @top_builddir@
-top_srcdir = @top_srcdir@
-urandom_device = @urandom_device@
-xml_CFLAGS = @xml_CFLAGS@
-xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
-AM_CFLAGS = -rdynamic \
-  -DRESOLV_CONF=\"${resolv_conf}\"
-
-plugin_LTLIBRARIES = libstrongswan-resolve.la
-libstrongswan_resolve_la_SOURCES = \
-  resolve_plugin.h resolve_plugin.c \
-  resolve_handler.h resolve_handler.c
-
-libstrongswan_resolve_la_LDFLAGS = -module -avoid-version
-all: all-am
-
-.SUFFIXES:
-.SUFFIXES: .c .lo .o .obj
-$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
-	@for dep in $?; do \
-	  case '$(am__configure_deps)' in \
-	    *$$dep*) \
-	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
-	        && { if test -f $@; then exit 0; else break; fi; }; \
-	      exit 1;; \
-	  esac; \
-	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/charon/plugins/resolve/Makefile'; \
-	$(am__cd) $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu src/charon/plugins/resolve/Makefile
-.PRECIOUS: Makefile
-Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
-	@case '$?' in \
-	  *config.status*) \
-	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
-	  *) \
-	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
-	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
-	esac;
-
-$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-
-$(top_srcdir)/configure:  $(am__configure_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(am__aclocal_m4_deps):
-install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
-	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
-	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
-	list2=; for p in $$list; do \
-	  if test -f $$p; then \
-	    list2="$$list2 $$p"; \
-	  else :; fi; \
-	done; \
-	test -z "$$list2" || { \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
-	}
-
-uninstall-pluginLTLIBRARIES:
-	@$(NORMAL_UNINSTALL)
-	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
-	for p in $$list; do \
-	  $(am__strip_dir) \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
-	done
-
-clean-pluginLTLIBRARIES:
-	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
-	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
-	  test "$$dir" != "$$p" || dir=.; \
-	  echo "rm -f \"$${dir}/so_locations\""; \
-	  rm -f "$${dir}/so_locations"; \
-	done
-libstrongswan-resolve.la: $(libstrongswan_resolve_la_OBJECTS) $(libstrongswan_resolve_la_DEPENDENCIES) 
-	$(libstrongswan_resolve_la_LINK) -rpath $(plugindir) $(libstrongswan_resolve_la_OBJECTS) $(libstrongswan_resolve_la_LIBADD) $(LIBS)
-
-mostlyclean-compile:
-	-rm -f *.$(OBJEXT)
-
-distclean-compile:
-	-rm -f *.tab.c
-
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/resolve_handler.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/resolve_plugin.Plo@am__quote@
-
-.c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
-
-.c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
-
-.c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
-
-mostlyclean-libtool:
-	-rm -f *.lo
-
-clean-libtool:
-	-rm -rf .libs _libs
-
-ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
-	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	mkid -fID $$unique
-tags: TAGS
-
-TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	set x; \
-	here=`pwd`; \
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	shift; \
-	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
-	  test -n "$$unique" || unique=$$empty_fix; \
-	  if test $$# -gt 0; then \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      "$$@" $$unique; \
-	  else \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      $$unique; \
-	  fi; \
-	fi
-ctags: CTAGS
-CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$unique" \
-	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$unique
-
-GTAGS:
-	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && $(am__cd) $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) "$$here"
-
-distclean-tags:
-	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
-
-distdir: $(DISTFILES)
-	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	list='$(DISTFILES)'; \
-	  dist_files=`for file in $$list; do echo $$file; done | \
-	  sed -e "s|^$$srcdirstrip/||;t" \
-	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
-	case $$dist_files in \
-	  */*) $(MKDIR_P) `echo "$$dist_files" | \
-			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
-			   sort -u` ;; \
-	esac; \
-	for file in $$dist_files; do \
-	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  if test -d $$d/$$file; then \
-	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
-	    if test -d "$(distdir)/$$file"; then \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
-	  else \
-	    test -f "$(distdir)/$$file" \
-	    || cp -p $$d/$$file "$(distdir)/$$file" \
-	    || exit 1; \
-	  fi; \
-	done
-check-am: all-am
-check: check-am
-all-am: Makefile $(LTLIBRARIES)
-installdirs:
-	for dir in "$(DESTDIR)$(plugindir)"; do \
-	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
-	done
-install: install-am
-install-exec: install-exec-am
-install-data: install-data-am
-uninstall: uninstall-am
-
-install-am: all-am
-	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
-
-installcheck: installcheck-am
-install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
-mostlyclean-generic:
-
-clean-generic:
-
-distclean-generic:
-	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
-
-maintainer-clean-generic:
-	@echo "This command is intended for maintainers to use"
-	@echo "it deletes files that may require special tools to rebuild."
-clean: clean-am
-
-clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
-	mostlyclean-am
-
-distclean: distclean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-distclean-am: clean-am distclean-compile distclean-generic \
-	distclean-tags
-
-dvi: dvi-am
-
-dvi-am:
-
-html: html-am
-
-html-am:
-
-info: info-am
-
-info-am:
-
-install-data-am: install-pluginLTLIBRARIES
-
-install-dvi: install-dvi-am
-
-install-dvi-am:
-
-install-exec-am:
-
-install-html: install-html-am
-
-install-html-am:
-
-install-info: install-info-am
-
-install-info-am:
-
-install-man:
-
-install-pdf: install-pdf-am
-
-install-pdf-am:
-
-install-ps: install-ps-am
-
-install-ps-am:
-
-installcheck-am:
-
-maintainer-clean: maintainer-clean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-maintainer-clean-am: distclean-am maintainer-clean-generic
-
-mostlyclean: mostlyclean-am
-
-mostlyclean-am: mostlyclean-compile mostlyclean-generic \
-	mostlyclean-libtool
-
-pdf: pdf-am
-
-pdf-am:
-
-ps: ps-am
-
-ps-am:
-
-uninstall-am: uninstall-pluginLTLIBRARIES
-
-.MAKE: install-am install-strip
-
-.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
-	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
-	distclean-compile distclean-generic distclean-libtool \
-	distclean-tags distdir dvi dvi-am html html-am info info-am \
-	install install-am install-data install-data-am install-dvi \
-	install-dvi-am install-exec install-exec-am install-html \
-	install-html-am install-info install-info-am install-man \
-	install-pdf install-pdf-am install-pluginLTLIBRARIES \
-	install-ps install-ps-am install-strip installcheck \
-	installcheck-am installdirs maintainer-clean \
-	maintainer-clean-generic mostlyclean mostlyclean-compile \
-	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
-
-
-# Tell versions [3.59,3.63) of GNU make to not export all variables.
-# Otherwise a system limit (for SysV at least) may be exceeded.
-.NOEXPORT:
diff --git a/src/charon/plugins/resolve/resolve_handler.c b/src/charon/plugins/resolve/resolve_handler.c
deleted file mode 100644
index 714c751a6..000000000
--- a/src/charon/plugins/resolve/resolve_handler.c
+++ /dev/null
@@ -1,251 +0,0 @@
-/*
- * Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "resolve_handler.h"
-
-#include <unistd.h>
-
-#include <daemon.h>
-#include <threading/mutex.h>
-
-typedef struct private_resolve_handler_t private_resolve_handler_t;
-
-/**
- * Private data of an resolve_handler_t object.
- */
-struct private_resolve_handler_t {
-
-	/**
-	 * Public resolve_handler_t interface.
-	 */
-	resolve_handler_t public;
-
-	/**
-	 * resolv.conf file to use
-	 */
-	char *file;
-
-	/**
-	 * Mutex to access file exclusively
-	 */
-	mutex_t *mutex;
-};
-
-/**
- * Implementation of attribute_handler_t.handle
- */
-static bool handle(private_resolve_handler_t *this, identification_t *server,
-				   configuration_attribute_type_t type, chunk_t data)
-{
-	FILE *in, *out;
-	char buf[1024];
-	host_t *addr;
-	size_t len;
-	bool handled = FALSE;
-
-	switch (type)
-	{
-		case INTERNAL_IP4_DNS:
-			addr = host_create_from_chunk(AF_INET, data, 0);
-			break;
-		case INTERNAL_IP6_DNS:
-			addr = host_create_from_chunk(AF_INET6, data, 0);
-			break;
-		default:
-			return FALSE;
-	}
-
-	if (!addr || addr->is_anyaddr(addr))
-	{
-		DESTROY_IF(addr);
-		return FALSE;
-	}
-	this->mutex->lock(this->mutex);
-
-	in = fopen(this->file, "r");
-	/* allows us to stream from in to out */
-	unlink(this->file);
-	out = fopen(this->file, "w");
-	if (out)
-	{
-		fprintf(out, "nameserver %H   # by strongSwan, from %Y\n", addr, server);
-		DBG1(DBG_IKE, "installing DNS server %H to %s", addr, this->file);
-		handled = TRUE;
-
-		/* copy rest of the file */
-		if (in)
-		{
-			while ((len = fread(buf, 1, sizeof(buf), in)))
-			{
-				ignore_result(fwrite(buf, 1, len, out));
-			}
-		}
-		fclose(out);
-	}
-	if (in)
-	{
-		fclose(in);
-	}
-	this->mutex->unlock(this->mutex);
-	addr->destroy(addr);
-
-	if (!handled)
-	{
-		DBG1(DBG_IKE, "adding DNS server failed", this->file);
-	}
-	return handled;
-}
-
-/**
- * Implementation of attribute_handler_t.release
- */
-static void release(private_resolve_handler_t *this, identification_t *server,
-					configuration_attribute_type_t type, chunk_t data)
-{
-	FILE *in, *out;
-	char line[1024], matcher[512], *pos;
-	host_t *addr;
-	int family;
-
-	switch (type)
-	{
-		case INTERNAL_IP4_DNS:
-			family = AF_INET;
-			break;
-		case INTERNAL_IP6_DNS:
-			family = AF_INET6;
-			break;
-		default:
-			return;
-	}
-
-	this->mutex->lock(this->mutex);
-
-	in = fopen(this->file, "r");
-	if (in)
-	{
-		/* allows us to stream from in to out */
-		unlink(this->file);
-		out = fopen(this->file, "w");
-		if (out)
-		{
-			addr = host_create_from_chunk(family, data, 0);
-			snprintf(matcher, sizeof(matcher),
-					 "nameserver %H   # by strongSwan, from %Y\n",
-					 addr, server);
-
-			/* copy all, but matching line */
-			while ((pos = fgets(line, sizeof(line), in)))
-			{
-				if (strneq(line, matcher, strlen(matcher)))
-				{
-					DBG1(DBG_IKE, "removing DNS server %H from %s",
-						 addr, this->file);
-				}
-				else
-				{
-					fputs(line, out);
-				}
-			}
-			addr->destroy(addr);
-			fclose(out);
-		}
-		fclose(in);
-	}
-
-	this->mutex->unlock(this->mutex);
-}
-
-/**
- * Attribute enumerator implementation
- */
-typedef struct {
-	/** implements enumerator_t interface */
-	enumerator_t public;
-	/** virtual IP we are requesting */
-	host_t *vip;
-} attribute_enumerator_t;
-
-/**
- * Implementation of create_attribute_enumerator().enumerate()
- */
-static bool attribute_enumerate(attribute_enumerator_t *this,
-						configuration_attribute_type_t *type, chunk_t *data)
-{
-	switch (this->vip->get_family(this->vip))
-	{
-		case AF_INET:
-			*type = INTERNAL_IP4_DNS;
-			break;
-		case AF_INET6:
-			*type = INTERNAL_IP6_DNS;
-			break;
-		default:
-			return FALSE;
-	}
-	*data = chunk_empty;
-	/* enumerate only once */
-	this->public.enumerate = (void*)return_false;
-	return TRUE;
-}
-
-/**
- * Implementation of attribute_handler_t.create_attribute_enumerator
- */
-static enumerator_t* create_attribute_enumerator(private_resolve_handler_t *this,
-										identification_t *server, host_t *vip)
-{
-	if (vip)
-	{
-		attribute_enumerator_t *enumerator;
-
-		enumerator = malloc_thing(attribute_enumerator_t);
-		enumerator->public.enumerate = (void*)attribute_enumerate;
-		enumerator->public.destroy = (void*)free;
-		enumerator->vip = vip;
-
-		return &enumerator->public;
-	}
-	return enumerator_create_empty();
-}
-
-/**
- * Implementation of resolve_handler_t.destroy.
- */
-static void destroy(private_resolve_handler_t *this)
-{
-	this->mutex->destroy(this->mutex);
-	free(this);
-}
-
-/**
- * See header
- */
-resolve_handler_t *resolve_handler_create()
-{
-	private_resolve_handler_t *this = malloc_thing(private_resolve_handler_t);
-
-	this->public.handler.handle = (bool(*)(attribute_handler_t*, identification_t*, configuration_attribute_type_t, chunk_t))handle;
-	this->public.handler.release = (void(*)(attribute_handler_t*, identification_t*, configuration_attribute_type_t, chunk_t))release;
-	this->public.handler.create_attribute_enumerator = (enumerator_t*(*)(attribute_handler_t*, identification_t *server, host_t *vip))create_attribute_enumerator;
-	this->public.destroy = (void(*)(resolve_handler_t*))destroy;
-
-	this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
-	this->file = lib->settings->get_str(lib->settings,
-								"charon.plugins.resolve.file", RESOLV_CONF);
-
-	return &this->public;
-}
-
diff --git a/src/charon/plugins/resolve/resolve_handler.h b/src/charon/plugins/resolve/resolve_handler.h
deleted file mode 100644
index 77bf9781c..000000000
--- a/src/charon/plugins/resolve/resolve_handler.h
+++ /dev/null
@@ -1,49 +0,0 @@
-/*
- * Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup resolve_handler resolve_handler
- * @{ @ingroup resolve
- */
-
-#ifndef RESOLVE_HANDLER_H_
-#define RESOLVE_HANDLER_H_
-
-#include <attributes/attribute_handler.h>
-
-typedef struct resolve_handler_t resolve_handler_t;
-
-/**
- * Handle DNS configuration attributes by mangling a resolv.conf file.
- */
-struct resolve_handler_t {
-
-	/**
-	 * Implements the attribute_handler_t interface
-	 */
-	attribute_handler_t handler;
-
-	/**
-	 * Destroy a resolve_handler_t.
-	 */
-	void (*destroy)(resolve_handler_t *this);
-};
-
-/**
- * Create a resolve_handler instance.
- */
-resolve_handler_t *resolve_handler_create();
-
-#endif /** RESOLVE_HANDLER_H_ @}*/
diff --git a/src/charon/plugins/resolve/resolve_plugin.c b/src/charon/plugins/resolve/resolve_plugin.c
deleted file mode 100644
index c564981ef..000000000
--- a/src/charon/plugins/resolve/resolve_plugin.c
+++ /dev/null
@@ -1,62 +0,0 @@
-/*
- * Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "resolve_plugin.h"
-#include "resolve_handler.h"
-
-#include <daemon.h>
-
-typedef struct private_resolve_plugin_t private_resolve_plugin_t;
-
-/**
- * private data of resolve plugin
- */
-struct private_resolve_plugin_t {
-
-	/**
-	 * implements plugin interface
-	 */
-	resolve_plugin_t public;
-
-	/**
-	 * The registerd DNS attribute handler
-	 */
-	resolve_handler_t *handler;
-};
-
-/**
- * Implementation of plugin_t.destroy
- */
-static void destroy(private_resolve_plugin_t *this)
-{
-	lib->attributes->remove_handler(lib->attributes, &this->handler->handler);
-	this->handler->destroy(this->handler);
-	free(this);
-}
-
-/*
- * see header file
- */
-plugin_t *plugin_create()
-{
-	private_resolve_plugin_t *this = malloc_thing(private_resolve_plugin_t);
-
-	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-	this->handler = resolve_handler_create();
-	lib->attributes->add_handler(lib->attributes, &this->handler->handler);
-
-	return &this->public.plugin;
-}
-
diff --git a/src/charon/plugins/resolve/resolve_plugin.h b/src/charon/plugins/resolve/resolve_plugin.h
deleted file mode 100644
index d7e09f284..000000000
--- a/src/charon/plugins/resolve/resolve_plugin.h
+++ /dev/null
@@ -1,47 +0,0 @@
-/*
- * Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup resolve resolve
- * @ingroup cplugins
- *
- * @defgroup resolve_plugin resolve_plugin
- * @{ @ingroup resolve
- */
-
-#ifndef RESOLVE_PLUGIN_H_
-#define RESOLVE_PLUGIN_H_
-
-#include <plugins/plugin.h>
-
-typedef struct resolve_plugin_t resolve_plugin_t;
-
-/**
- * Plugin that writes received DNS servers in a resolv.conf file.
- */
-struct resolve_plugin_t {
-
-	/**
-	 * implements plugin interface
-	 */
-	plugin_t plugin;
-};
-
-/**
- * Create a resolve_plugin instance.
- */
-plugin_t *plugin_create();
-
-#endif /** RESOLVE_PLUGIN_H_ @}*/
diff --git a/src/charon/plugins/smp/Makefile.am b/src/charon/plugins/smp/Makefile.am
deleted file mode 100644
index a434b388b..000000000
--- a/src/charon/plugins/smp/Makefile.am
+++ /dev/null
@@ -1,10 +0,0 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon ${xml_CFLAGS}
-
-AM_CFLAGS = -rdynamic -DIPSEC_PIDDIR=\"${piddir}\"
-
-plugin_LTLIBRARIES = libstrongswan-smp.la
-libstrongswan_smp_la_SOURCES = smp.h smp.c
-libstrongswan_smp_la_LDFLAGS = -module -avoid-version
-libstrongswan_smp_la_LIBADD = ${xml_LIBS}
-
diff --git a/src/charon/plugins/smp/Makefile.in b/src/charon/plugins/smp/Makefile.in
deleted file mode 100644
index 7512cd2f7..000000000
--- a/src/charon/plugins/smp/Makefile.in
+++ /dev/null
@@ -1,568 +0,0 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
-# @configure_input@
-
-# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
-# This Makefile.in is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
-# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
-# PARTICULAR PURPOSE.
-
-@SET_MAKE@
-
-VPATH = @srcdir@
-pkgdatadir = $(datadir)/@PACKAGE@
-pkgincludedir = $(includedir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
-pkglibexecdir = $(libexecdir)/@PACKAGE@
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-install_sh_DATA = $(install_sh) -c -m 644
-install_sh_PROGRAM = $(install_sh) -c
-install_sh_SCRIPT = $(install_sh) -c
-INSTALL_HEADER = $(INSTALL_DATA)
-transform = $(program_transform_name)
-NORMAL_INSTALL = :
-PRE_INSTALL = :
-POST_INSTALL = :
-NORMAL_UNINSTALL = :
-PRE_UNINSTALL = :
-POST_UNINSTALL = :
-build_triplet = @build@
-host_triplet = @host@
-subdir = src/charon/plugins/smp
-DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
-ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
-	$(top_srcdir)/m4/config/ltoptions.m4 \
-	$(top_srcdir)/m4/config/ltsugar.m4 \
-	$(top_srcdir)/m4/config/ltversion.m4 \
-	$(top_srcdir)/m4/config/lt~obsolete.m4 \
-	$(top_srcdir)/m4/macros/with.m4 \
-	$(top_srcdir)/m4/macros/enable-disable.m4 \
-	$(top_srcdir)/configure.in
-am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
-	$(ACLOCAL_M4)
-mkinstalldirs = $(install_sh) -d
-CONFIG_CLEAN_FILES =
-CONFIG_CLEAN_VPATH_FILES =
-am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
-am__vpath_adj = case $$p in \
-    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
-    *) f=$$p;; \
-  esac;
-am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
-am__install_max = 40
-am__nobase_strip_setup = \
-  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
-am__nobase_strip = \
-  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
-am__nobase_list = $(am__nobase_strip_setup); \
-  for p in $$list; do echo "$$p $$p"; done | \
-  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
-  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
-    if (++n[$$2] == $(am__install_max)) \
-      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
-    END { for (dir in files) print dir, files[dir] }'
-am__base_list = \
-  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
-  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
-am__installdirs = "$(DESTDIR)$(plugindir)"
-LTLIBRARIES = $(plugin_LTLIBRARIES)
-am__DEPENDENCIES_1 =
-libstrongswan_smp_la_DEPENDENCIES = $(am__DEPENDENCIES_1)
-am_libstrongswan_smp_la_OBJECTS = smp.lo
-libstrongswan_smp_la_OBJECTS = $(am_libstrongswan_smp_la_OBJECTS)
-libstrongswan_smp_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_smp_la_LDFLAGS) $(LDFLAGS) -o $@
-DEFAULT_INCLUDES = -I.@am__isrc@
-depcomp = $(SHELL) $(top_srcdir)/depcomp
-am__depfiles_maybe = depfiles
-am__mv = mv -f
-COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
-	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
-SOURCES = $(libstrongswan_smp_la_SOURCES)
-DIST_SOURCES = $(libstrongswan_smp_la_SOURCES)
-ETAGS = etags
-CTAGS = ctags
-DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
-ACLOCAL = @ACLOCAL@
-ALLOCA = @ALLOCA@
-AMTAR = @AMTAR@
-AR = @AR@
-AUTOCONF = @AUTOCONF@
-AUTOHEADER = @AUTOHEADER@
-AUTOMAKE = @AUTOMAKE@
-AWK = @AWK@
-BTLIB = @BTLIB@
-CC = @CC@
-CCDEPMODE = @CCDEPMODE@
-CFLAGS = @CFLAGS@
-CPP = @CPP@
-CPPFLAGS = @CPPFLAGS@
-CYGPATH_W = @CYGPATH_W@
-DEFS = @DEFS@
-DEPDIR = @DEPDIR@
-DLLIB = @DLLIB@
-DSYMUTIL = @DSYMUTIL@
-DUMPBIN = @DUMPBIN@
-ECHO_C = @ECHO_C@
-ECHO_N = @ECHO_N@
-ECHO_T = @ECHO_T@
-EGREP = @EGREP@
-EXEEXT = @EXEEXT@
-FGREP = @FGREP@
-GPERF = @GPERF@
-GREP = @GREP@
-INSTALL = @INSTALL@
-INSTALL_DATA = @INSTALL_DATA@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@
-INSTALL_SCRIPT = @INSTALL_SCRIPT@
-INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-LD = @LD@
-LDFLAGS = @LDFLAGS@
-LEX = @LEX@
-LEXLIB = @LEXLIB@
-LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBOBJS = @LIBOBJS@
-LIBS = @LIBS@
-LIBTOOL = @LIBTOOL@
-LIPO = @LIPO@
-LN_S = @LN_S@
-LTLIBOBJS = @LTLIBOBJS@
-MAKEINFO = @MAKEINFO@
-MKDIR_P = @MKDIR_P@
-MYSQLCFLAG = @MYSQLCFLAG@
-MYSQLCONFIG = @MYSQLCONFIG@
-MYSQLLIB = @MYSQLLIB@
-NM = @NM@
-NMEDIT = @NMEDIT@
-OBJDUMP = @OBJDUMP@
-OBJEXT = @OBJEXT@
-OTOOL = @OTOOL@
-OTOOL64 = @OTOOL64@
-PACKAGE = @PACKAGE@
-PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
-PACKAGE_NAME = @PACKAGE_NAME@
-PACKAGE_STRING = @PACKAGE_STRING@
-PACKAGE_TARNAME = @PACKAGE_TARNAME@
-PACKAGE_URL = @PACKAGE_URL@
-PACKAGE_VERSION = @PACKAGE_VERSION@
-PATH_SEPARATOR = @PATH_SEPARATOR@
-PERL = @PERL@
-PKG_CONFIG = @PKG_CONFIG@
-PTHREADLIB = @PTHREADLIB@
-RANLIB = @RANLIB@
-RTLIB = @RTLIB@
-RUBY = @RUBY@
-RUBYINCLUDE = @RUBYINCLUDE@
-SED = @SED@
-SET_MAKE = @SET_MAKE@
-SHELL = @SHELL@
-SOCKLIB = @SOCKLIB@
-STRIP = @STRIP@
-VERSION = @VERSION@
-YACC = @YACC@
-YFLAGS = @YFLAGS@
-abs_builddir = @abs_builddir@
-abs_srcdir = @abs_srcdir@
-abs_top_builddir = @abs_top_builddir@
-abs_top_srcdir = @abs_top_srcdir@
-ac_ct_CC = @ac_ct_CC@
-ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
-am__include = @am__include@
-am__leading_dot = @am__leading_dot@
-am__quote = @am__quote@
-am__tar = @am__tar@
-am__untar = @am__untar@
-bindir = @bindir@
-build = @build@
-build_alias = @build_alias@
-build_cpu = @build_cpu@
-build_os = @build_os@
-build_vendor = @build_vendor@
-builddir = @builddir@
-datadir = @datadir@
-datarootdir = @datarootdir@
-default_pkcs11 = @default_pkcs11@
-docdir = @docdir@
-dvidir = @dvidir@
-exec_prefix = @exec_prefix@
-gtk_CFLAGS = @gtk_CFLAGS@
-gtk_LIBS = @gtk_LIBS@
-host = @host@
-host_alias = @host_alias@
-host_cpu = @host_cpu@
-host_os = @host_os@
-host_vendor = @host_vendor@
-htmldir = @htmldir@
-includedir = @includedir@
-infodir = @infodir@
-install_sh = @install_sh@
-ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
-ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
-ipsecuser = @ipsecuser@
-libdir = @libdir@
-libexecdir = @libexecdir@
-libstrongswan_plugins = @libstrongswan_plugins@
-linux_headers = @linux_headers@
-localedir = @localedir@
-localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
-mandir = @mandir@
-mkdir_p = @mkdir_p@
-nm_CFLAGS = @nm_CFLAGS@
-nm_LIBS = @nm_LIBS@
-nm_ca_dir = @nm_ca_dir@
-oldincludedir = @oldincludedir@
-pdfdir = @pdfdir@
-piddir = @piddir@
-plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
-prefix = @prefix@
-program_transform_name = @program_transform_name@
-psdir = @psdir@
-random_device = @random_device@
-resolv_conf = @resolv_conf@
-routing_table = @routing_table@
-routing_table_prio = @routing_table_prio@
-sbindir = @sbindir@
-sharedstatedir = @sharedstatedir@
-srcdir = @srcdir@
-strongswan_conf = @strongswan_conf@
-sysconfdir = @sysconfdir@
-target_alias = @target_alias@
-top_build_prefix = @top_build_prefix@
-top_builddir = @top_builddir@
-top_srcdir = @top_srcdir@
-urandom_device = @urandom_device@
-xml_CFLAGS = @xml_CFLAGS@
-xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon ${xml_CFLAGS}
-AM_CFLAGS = -rdynamic -DIPSEC_PIDDIR=\"${piddir}\"
-plugin_LTLIBRARIES = libstrongswan-smp.la
-libstrongswan_smp_la_SOURCES = smp.h smp.c
-libstrongswan_smp_la_LDFLAGS = -module -avoid-version
-libstrongswan_smp_la_LIBADD = ${xml_LIBS}
-all: all-am
-
-.SUFFIXES:
-.SUFFIXES: .c .lo .o .obj
-$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
-	@for dep in $?; do \
-	  case '$(am__configure_deps)' in \
-	    *$$dep*) \
-	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
-	        && { if test -f $@; then exit 0; else break; fi; }; \
-	      exit 1;; \
-	  esac; \
-	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/charon/plugins/smp/Makefile'; \
-	$(am__cd) $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu src/charon/plugins/smp/Makefile
-.PRECIOUS: Makefile
-Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
-	@case '$?' in \
-	  *config.status*) \
-	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
-	  *) \
-	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
-	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
-	esac;
-
-$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-
-$(top_srcdir)/configure:  $(am__configure_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(am__aclocal_m4_deps):
-install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
-	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
-	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
-	list2=; for p in $$list; do \
-	  if test -f $$p; then \
-	    list2="$$list2 $$p"; \
-	  else :; fi; \
-	done; \
-	test -z "$$list2" || { \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
-	}
-
-uninstall-pluginLTLIBRARIES:
-	@$(NORMAL_UNINSTALL)
-	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
-	for p in $$list; do \
-	  $(am__strip_dir) \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
-	done
-
-clean-pluginLTLIBRARIES:
-	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
-	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
-	  test "$$dir" != "$$p" || dir=.; \
-	  echo "rm -f \"$${dir}/so_locations\""; \
-	  rm -f "$${dir}/so_locations"; \
-	done
-libstrongswan-smp.la: $(libstrongswan_smp_la_OBJECTS) $(libstrongswan_smp_la_DEPENDENCIES) 
-	$(libstrongswan_smp_la_LINK) -rpath $(plugindir) $(libstrongswan_smp_la_OBJECTS) $(libstrongswan_smp_la_LIBADD) $(LIBS)
-
-mostlyclean-compile:
-	-rm -f *.$(OBJEXT)
-
-distclean-compile:
-	-rm -f *.tab.c
-
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/smp.Plo@am__quote@
-
-.c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
-
-.c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
-
-.c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
-
-mostlyclean-libtool:
-	-rm -f *.lo
-
-clean-libtool:
-	-rm -rf .libs _libs
-
-ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
-	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	mkid -fID $$unique
-tags: TAGS
-
-TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	set x; \
-	here=`pwd`; \
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	shift; \
-	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
-	  test -n "$$unique" || unique=$$empty_fix; \
-	  if test $$# -gt 0; then \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      "$$@" $$unique; \
-	  else \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      $$unique; \
-	  fi; \
-	fi
-ctags: CTAGS
-CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$unique" \
-	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$unique
-
-GTAGS:
-	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && $(am__cd) $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) "$$here"
-
-distclean-tags:
-	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
-
-distdir: $(DISTFILES)
-	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	list='$(DISTFILES)'; \
-	  dist_files=`for file in $$list; do echo $$file; done | \
-	  sed -e "s|^$$srcdirstrip/||;t" \
-	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
-	case $$dist_files in \
-	  */*) $(MKDIR_P) `echo "$$dist_files" | \
-			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
-			   sort -u` ;; \
-	esac; \
-	for file in $$dist_files; do \
-	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  if test -d $$d/$$file; then \
-	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
-	    if test -d "$(distdir)/$$file"; then \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
-	  else \
-	    test -f "$(distdir)/$$file" \
-	    || cp -p $$d/$$file "$(distdir)/$$file" \
-	    || exit 1; \
-	  fi; \
-	done
-check-am: all-am
-check: check-am
-all-am: Makefile $(LTLIBRARIES)
-installdirs:
-	for dir in "$(DESTDIR)$(plugindir)"; do \
-	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
-	done
-install: install-am
-install-exec: install-exec-am
-install-data: install-data-am
-uninstall: uninstall-am
-
-install-am: all-am
-	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
-
-installcheck: installcheck-am
-install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
-mostlyclean-generic:
-
-clean-generic:
-
-distclean-generic:
-	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
-
-maintainer-clean-generic:
-	@echo "This command is intended for maintainers to use"
-	@echo "it deletes files that may require special tools to rebuild."
-clean: clean-am
-
-clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
-	mostlyclean-am
-
-distclean: distclean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-distclean-am: clean-am distclean-compile distclean-generic \
-	distclean-tags
-
-dvi: dvi-am
-
-dvi-am:
-
-html: html-am
-
-html-am:
-
-info: info-am
-
-info-am:
-
-install-data-am: install-pluginLTLIBRARIES
-
-install-dvi: install-dvi-am
-
-install-dvi-am:
-
-install-exec-am:
-
-install-html: install-html-am
-
-install-html-am:
-
-install-info: install-info-am
-
-install-info-am:
-
-install-man:
-
-install-pdf: install-pdf-am
-
-install-pdf-am:
-
-install-ps: install-ps-am
-
-install-ps-am:
-
-installcheck-am:
-
-maintainer-clean: maintainer-clean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-maintainer-clean-am: distclean-am maintainer-clean-generic
-
-mostlyclean: mostlyclean-am
-
-mostlyclean-am: mostlyclean-compile mostlyclean-generic \
-	mostlyclean-libtool
-
-pdf: pdf-am
-
-pdf-am:
-
-ps: ps-am
-
-ps-am:
-
-uninstall-am: uninstall-pluginLTLIBRARIES
-
-.MAKE: install-am install-strip
-
-.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
-	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
-	distclean-compile distclean-generic distclean-libtool \
-	distclean-tags distdir dvi dvi-am html html-am info info-am \
-	install install-am install-data install-data-am install-dvi \
-	install-dvi-am install-exec install-exec-am install-html \
-	install-html-am install-info install-info-am install-man \
-	install-pdf install-pdf-am install-pluginLTLIBRARIES \
-	install-ps install-ps-am install-strip installcheck \
-	installcheck-am installdirs maintainer-clean \
-	maintainer-clean-generic mostlyclean mostlyclean-compile \
-	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
-
-
-# Tell versions [3.59,3.63) of GNU make to not export all variables.
-# Otherwise a system limit (for SysV at least) may be exceeded.
-.NOEXPORT:
diff --git a/src/charon/plugins/smp/smp.c b/src/charon/plugins/smp/smp.c
deleted file mode 100644
index 21e682a0a..000000000
--- a/src/charon/plugins/smp/smp.c
+++ /dev/null
@@ -1,768 +0,0 @@
-/*
- * Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <stdlib.h>
-
-#include "smp.h"
-
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <sys/socket.h>
-#include <sys/un.h>
-#include <unistd.h>
-#include <errno.h>
-#include <signal.h>
-#include <libxml/xmlreader.h>
-#include <libxml/xmlwriter.h>
-
-#include <library.h>
-#include <daemon.h>
-#include <threading/thread.h>
-#include <processing/jobs/callback_job.h>
-
-
-typedef struct private_smp_t private_smp_t;
-
-/**
- * Private data of an smp_t object.
- */
-struct private_smp_t {
-
-	/**
-	 * Public part of smp_t object.
-	 */
-	smp_t public;
-
-	/**
-	 * XML unix socket fd
-	 */
-	int socket;
-
-	/**
-	 * job accepting stroke messages
-	 */
-	callback_job_t *job;
-};
-
-ENUM(ike_sa_state_lower_names, IKE_CREATED, IKE_DELETING,
-	"created",
-	"connecting",
-	"established",
-	"rekeying",
-	"deleting",
-);
-
-/**
- * write a bool into element
- */
-static void write_bool(xmlTextWriterPtr writer, char *element, bool val)
-{
-	xmlTextWriterWriteElement(writer, element, val ? "true" : "false");
-}
-
-/**
- * write a identification_t into element
- */
-static void write_id(xmlTextWriterPtr writer, char *element, identification_t *id)
-{
-	xmlTextWriterStartElement(writer, element);
-	switch (id->get_type(id))
-	{
-		{
-			char *type = "";
-			while (TRUE)
-			{
-				case ID_ANY:
-					type = "any";
-					break;
-				case ID_IPV4_ADDR:
-					type = "ipv4";
-					break;
-				case ID_IPV6_ADDR:
-					type = "ipv6";
-					break;
-				case ID_FQDN:
-					type = "fqdn";
-					break;
-				case ID_RFC822_ADDR:
-					type = "email";
-					break;
-				case ID_DER_ASN1_DN:
-					type = "asn1dn";
-					break;
-				case ID_DER_ASN1_GN:
-					type = "asn1gn";
-					break;
-			}
-			xmlTextWriterWriteAttribute(writer, "type", type);
-			xmlTextWriterWriteFormatString(writer, "%Y", id);
-			break;
-		}
-		default:
-			/* TODO: base64 keyid */
-			xmlTextWriterWriteAttribute(writer, "type", "keyid");
-			break;
-	}
-	xmlTextWriterEndElement(writer);
-}
-
-/**
- * write a host_t address into an element
- */
-static void write_address(xmlTextWriterPtr writer, char *element, host_t *host)
-{
-	xmlTextWriterStartElement(writer, element);
-	xmlTextWriterWriteAttribute(writer, "type",
-						host->get_family(host) == AF_INET ? "ipv4" : "ipv6");
-	if (host->is_anyaddr(host))
-	{	/* do not use %any for XML */
-		xmlTextWriterWriteFormatString(writer, "%s",
-						host->get_family(host) == AF_INET ? "0.0.0.0" : "::");
-	}
-	else
-	{
-		xmlTextWriterWriteFormatString(writer, "%H", host);
-	}
-	xmlTextWriterEndElement(writer);
-}
-
-/**
- * write networks element
- */
-static void write_networks(xmlTextWriterPtr writer, char *element,
-						   linked_list_t *list)
-{
-	enumerator_t *enumerator;
-	traffic_selector_t *ts;
-
-	xmlTextWriterStartElement(writer, element);
-	enumerator = list->create_enumerator(list);
-	while (enumerator->enumerate(enumerator, (void**)&ts))
-	{
-		xmlTextWriterStartElement(writer, "network");
-		xmlTextWriterWriteAttribute(writer, "type",
-						ts->get_type(ts) == TS_IPV4_ADDR_RANGE ? "ipv4" : "ipv6");
-		xmlTextWriterWriteFormatString(writer, "%R", ts);
-		xmlTextWriterEndElement(writer);
-	}
-	enumerator->destroy(enumerator);
-	xmlTextWriterEndElement(writer);
-}
-
-/**
- * write a childEnd
- */
-static void write_childend(xmlTextWriterPtr writer, child_sa_t *child, bool local)
-{
-	linked_list_t *list;
-
-	xmlTextWriterWriteFormatElement(writer, "spi", "%lx",
-									htonl(child->get_spi(child, local)));
-	list = child->get_traffic_selectors(child, local);
-	write_networks(writer, "networks", list);
-}
-
-/**
- * write a child_sa_t
- */
-static void write_child(xmlTextWriterPtr writer, child_sa_t *child)
-{
-	child_cfg_t *config;
-
-	config = child->get_config(child);
-
-	xmlTextWriterStartElement(writer, "childsa");
-	xmlTextWriterWriteFormatElement(writer, "reqid", "%d",
-									child->get_reqid(child));
-	xmlTextWriterWriteFormatElement(writer, "childconfig", "%s",
-									config->get_name(config));
-	xmlTextWriterStartElement(writer, "local");
-	write_childend(writer, child, TRUE);
-	xmlTextWriterEndElement(writer);
-	xmlTextWriterStartElement(writer, "remote");
-	write_childend(writer, child, FALSE);
-	xmlTextWriterEndElement(writer);
-	xmlTextWriterEndElement(writer);
-}
-
-/**
- * process a ikesalist query request message
- */
-static void request_query_ikesa(xmlTextReaderPtr reader, xmlTextWriterPtr writer)
-{
-	enumerator_t *enumerator;
-	ike_sa_t *ike_sa;
-
-	/* <ikesalist> */
-	xmlTextWriterStartElement(writer, "ikesalist");
-
-	enumerator = charon->controller->create_ike_sa_enumerator(charon->controller);
-	while (enumerator->enumerate(enumerator, &ike_sa))
-	{
-		ike_sa_id_t *id;
-		host_t *local, *remote;
-		iterator_t *children;
-		child_sa_t *child_sa;
-
-		id = ike_sa->get_id(ike_sa);
-
-		xmlTextWriterStartElement(writer, "ikesa");
-		xmlTextWriterWriteFormatElement(writer, "id", "%d",
-							ike_sa->get_unique_id(ike_sa));
-		xmlTextWriterWriteFormatElement(writer, "status", "%N",
-							ike_sa_state_lower_names, ike_sa->get_state(ike_sa));
-		xmlTextWriterWriteElement(writer, "role",
-							id->is_initiator(id) ? "initiator" : "responder");
-		xmlTextWriterWriteElement(writer, "peerconfig", ike_sa->get_name(ike_sa));
-
-		/* <local> */
-		local = ike_sa->get_my_host(ike_sa);
-		xmlTextWriterStartElement(writer, "local");
-		xmlTextWriterWriteFormatElement(writer, "spi", "%.16llx",
-							id->is_initiator(id) ? id->get_initiator_spi(id)
-												 : id->get_responder_spi(id));
-		write_id(writer, "identification", ike_sa->get_my_id(ike_sa));
-		write_address(writer, "address", local);
-		xmlTextWriterWriteFormatElement(writer, "port", "%d",
-							local->get_port(local));
-		if (ike_sa->supports_extension(ike_sa, EXT_NATT))
-		{
-			write_bool(writer, "nat", ike_sa->has_condition(ike_sa, COND_NAT_HERE));
-		}
-		xmlTextWriterEndElement(writer);
-		/* </local> */
-
-		/* <remote> */
-		remote = ike_sa->get_other_host(ike_sa);
-		xmlTextWriterStartElement(writer, "remote");
-		xmlTextWriterWriteFormatElement(writer, "spi", "%.16llx",
-							id->is_initiator(id) ? id->get_responder_spi(id)
-												 : id->get_initiator_spi(id));
-		write_id(writer, "identification", ike_sa->get_other_id(ike_sa));
-		write_address(writer, "address", remote);
-		xmlTextWriterWriteFormatElement(writer, "port", "%d",
-							remote->get_port(remote));
-		if (ike_sa->supports_extension(ike_sa, EXT_NATT))
-		{
-			write_bool(writer, "nat", ike_sa->has_condition(ike_sa, COND_NAT_THERE));
-		}
-		xmlTextWriterEndElement(writer);
-		/* </remote> */
-
-		/* <childsalist> */
-		xmlTextWriterStartElement(writer, "childsalist");
-		children = ike_sa->create_child_sa_iterator(ike_sa);
-		while (children->iterate(children, (void**)&child_sa))
-		{
-			write_child(writer, child_sa);
-		}
-		children->destroy(children);
-		/* </childsalist> */
-		xmlTextWriterEndElement(writer);
-
-		/* </ikesa> */
-		xmlTextWriterEndElement(writer);
-	}
-	enumerator->destroy(enumerator);
-
-	/* </ikesalist> */
-	xmlTextWriterEndElement(writer);
-}
-
-/**
- * process a configlist query request message
- */
-static void request_query_config(xmlTextReaderPtr reader, xmlTextWriterPtr writer)
-{
-	enumerator_t *enumerator;
-	peer_cfg_t *peer_cfg;
-
-	/* <configlist> */
-	xmlTextWriterStartElement(writer, "configlist");
-
-	enumerator = charon->backends->create_peer_cfg_enumerator(charon->backends,
-														NULL, NULL, NULL, NULL);
-	while (enumerator->enumerate(enumerator, &peer_cfg))
-	{
-		enumerator_t *children;
-		child_cfg_t *child_cfg;
-		ike_cfg_t *ike_cfg;
-		linked_list_t *list;
-
-		if (peer_cfg->get_ike_version(peer_cfg) != 2)
-		{	/* only IKEv2 connections yet */
-			continue;
-		}
-
-		/* <peerconfig> */
-		xmlTextWriterStartElement(writer, "peerconfig");
-		xmlTextWriterWriteElement(writer, "name", peer_cfg->get_name(peer_cfg));
-
-		/* TODO: write auth_cfgs */
-
-		/* <ikeconfig> */
-		ike_cfg = peer_cfg->get_ike_cfg(peer_cfg);
-		xmlTextWriterStartElement(writer, "ikeconfig");
-		xmlTextWriterWriteElement(writer, "local", ike_cfg->get_my_addr(ike_cfg));
-		xmlTextWriterWriteElement(writer, "remote", ike_cfg->get_other_addr(ike_cfg));
-		xmlTextWriterEndElement(writer);
-		/* </ikeconfig> */
-
-		/* <childconfiglist> */
-		xmlTextWriterStartElement(writer, "childconfiglist");
-		children = peer_cfg->create_child_cfg_enumerator(peer_cfg);
-		while (children->enumerate(children, &child_cfg))
-		{
-			/* <childconfig> */
-			xmlTextWriterStartElement(writer, "childconfig");
-			xmlTextWriterWriteElement(writer, "name",
-									  child_cfg->get_name(child_cfg));
-			list = child_cfg->get_traffic_selectors(child_cfg, TRUE, NULL, NULL);
-			write_networks(writer, "local", list);
-			list->destroy_offset(list, offsetof(traffic_selector_t, destroy));
-			list = child_cfg->get_traffic_selectors(child_cfg, FALSE, NULL, NULL);
-			write_networks(writer, "remote", list);
-			list->destroy_offset(list, offsetof(traffic_selector_t, destroy));
-			xmlTextWriterEndElement(writer);
-			/* </childconfig> */
-		}
-		children->destroy(children);
-		/* </childconfiglist> */
-		xmlTextWriterEndElement(writer);
-		/* </peerconfig> */
-		xmlTextWriterEndElement(writer);
-	}
-	enumerator->destroy(enumerator);
-	/* </configlist> */
-	xmlTextWriterEndElement(writer);
-}
-
-/**
- * callback which logs to a XML writer
- */
-static bool xml_callback(xmlTextWriterPtr writer, debug_t group, level_t level,
-						 ike_sa_t* ike_sa, char* format, va_list args)
-{
-	if (level <= 1)
-	{
-		/* <item> */
-		xmlTextWriterStartElement(writer, "item");
-		xmlTextWriterWriteFormatAttribute(writer, "level", "%d", level);
-		xmlTextWriterWriteFormatAttribute(writer, "source", "%N", debug_names, group);
-		xmlTextWriterWriteFormatAttribute(writer, "thread", "%u", thread_current_id());
-		xmlTextWriterWriteVFormatString(writer, format, args);
-		xmlTextWriterEndElement(writer);
-		/* </item> */
-	}
-	return TRUE;
-}
-
-/**
- * process a *terminate control request message
- */
-static void request_control_terminate(xmlTextReaderPtr reader,
-									  xmlTextWriterPtr writer, bool ike)
-{
-	if (xmlTextReaderRead(reader) &&
-		xmlTextReaderNodeType(reader) == XML_READER_TYPE_TEXT)
-	{
-		const char *str;
-		u_int32_t id;
-		status_t status;
-
-		str = xmlTextReaderConstValue(reader);
-		if (str == NULL)
-		{
-			DBG1(DBG_CFG, "error parsing XML id string");
-			return;
-		}
-		id = atoi(str);
-		if (!id)
-		{
-			enumerator_t *enumerator;
-			ike_sa_t *ike_sa;
-
-			enumerator = charon->controller->create_ike_sa_enumerator(charon->controller);
-			while (enumerator->enumerate(enumerator, &ike_sa))
-			{
-				if (streq(str, ike_sa->get_name(ike_sa)))
-				{
-					ike = TRUE;
-					id = ike_sa->get_unique_id(ike_sa);
-					break;
-				}
-			}
-			enumerator->destroy(enumerator);
-		}
-		if (!id)
-		{
-			DBG1(DBG_CFG, "error parsing XML id string");
-			return;
-		}
-
-		DBG1(DBG_CFG, "terminating %s_SA %d", ike ? "IKE" : "CHILD", id);
-
-		/* <log> */
-		xmlTextWriterStartElement(writer, "log");
-		if (ike)
-		{
-			status = charon->controller->terminate_ike(
-					charon->controller,	id,
-					(controller_cb_t)xml_callback, writer);
-		}
-		else
-		{
-			status = charon->controller->terminate_child(
-					charon->controller,	id,
-					(controller_cb_t)xml_callback, writer);
-		}
-		/* </log> */
-		xmlTextWriterEndElement(writer);
-		xmlTextWriterWriteFormatElement(writer, "status", "%d", status);
-	}
-}
-
-/**
- * process a *initiate control request message
- */
-static void request_control_initiate(xmlTextReaderPtr reader,
-									  xmlTextWriterPtr writer, bool ike)
-{
-	if (xmlTextReaderRead(reader) &&
-		xmlTextReaderNodeType(reader) == XML_READER_TYPE_TEXT)
-	{
-		const char *str;
-		status_t status = FAILED;
-		peer_cfg_t *peer;
-		child_cfg_t *child = NULL;
-		enumerator_t *enumerator;
-
-		str = xmlTextReaderConstValue(reader);
-		if (str == NULL)
-		{
-			DBG1(DBG_CFG, "error parsing XML config name string");
-			return;
-		}
-		DBG1(DBG_CFG, "initiating %s_SA %s", ike ? "IKE" : "CHILD", str);
-
-		/* <log> */
-		xmlTextWriterStartElement(writer, "log");
-		peer = charon->backends->get_peer_cfg_by_name(charon->backends, (char*)str);
-		if (peer)
-		{
-			enumerator = peer->create_child_cfg_enumerator(peer);
-			if (ike)
-			{
-				if (!enumerator->enumerate(enumerator, &child))
-				{
-					child = NULL;
-				}
-				child->get_ref(child);
-			}
-			else
-			{
-				while (enumerator->enumerate(enumerator, &child))
-				{
-					if (streq(child->get_name(child), str))
-					{
-						child->get_ref(child);
-						break;
-					}
-					child = NULL;
-				}
-			}
-			enumerator->destroy(enumerator);
-			if (child)
-			{
-				status = charon->controller->initiate(charon->controller,
-							peer, child, (controller_cb_t)xml_callback,
-							writer);
-			}
-			else
-			{
-				peer->destroy(peer);
-			}
-		}
-		/* </log> */
-		xmlTextWriterEndElement(writer);
-		xmlTextWriterWriteFormatElement(writer, "status", "%d", status);
-	}
-}
-
-/**
- * process a query request
- */
-static void request_query(xmlTextReaderPtr reader, xmlTextWriterPtr writer)
-{
-	/* <query> */
-	xmlTextWriterStartElement(writer, "query");
-	while (xmlTextReaderRead(reader))
-	{
-		if (xmlTextReaderNodeType(reader) == XML_READER_TYPE_ELEMENT)
-		{
-			if (streq(xmlTextReaderConstName(reader), "ikesalist"))
-			{
-				request_query_ikesa(reader, writer);
-				break;
-			}
-			if (streq(xmlTextReaderConstName(reader), "configlist"))
-			{
-				request_query_config(reader, writer);
-				break;
-			}
-		}
-	}
-	/* </query> */
-	xmlTextWriterEndElement(writer);
-}
-
-/**
- * process a control request
- */
-static void request_control(xmlTextReaderPtr reader, xmlTextWriterPtr writer)
-{
-	/* <control> */
-	xmlTextWriterStartElement(writer, "control");
-	while (xmlTextReaderRead(reader))
-	{
-		if (xmlTextReaderNodeType(reader) == XML_READER_TYPE_ELEMENT)
-		{
-			if (streq(xmlTextReaderConstName(reader), "ikesaterminate"))
-			{
-				request_control_terminate(reader, writer, TRUE);
-				break;
-			}
-			if (streq(xmlTextReaderConstName(reader), "childsaterminate"))
-			{
-				request_control_terminate(reader, writer, FALSE);
-				break;
-			}
-			if (streq(xmlTextReaderConstName(reader), "ikesainitiate"))
-			{
-				request_control_initiate(reader, writer, TRUE);
-				break;
-			}
-			if (streq(xmlTextReaderConstName(reader), "childsainitiate"))
-			{
-				request_control_initiate(reader, writer, FALSE);
-				break;
-			}
-		}
-	}
-	/* </control> */
-	xmlTextWriterEndElement(writer);
-}
-
-/**
- * process a request message
- */
-static void request(xmlTextReaderPtr reader, char *id, int fd)
-{
-	xmlTextWriterPtr writer;
-
-	writer = xmlNewTextWriter(xmlOutputBufferCreateFd(fd, NULL));
-	if (writer == NULL)
-	{
-		DBG1(DBG_CFG, "opening SMP XML writer failed");
-		return;
-	}
-
-	xmlTextWriterStartDocument(writer, NULL, NULL, NULL);
-	/* <message xmlns="http://www.strongswan.org/smp/1.0"
-		id="id" type="response"> */
-	xmlTextWriterStartElement(writer, "message");
-	xmlTextWriterWriteAttribute(writer, "xmlns",
-								"http://www.strongswan.org/smp/1.0");
-	xmlTextWriterWriteAttribute(writer, "id", id);
-	xmlTextWriterWriteAttribute(writer, "type", "response");
-
-	while (xmlTextReaderRead(reader))
-	{
-		if (xmlTextReaderNodeType(reader) == XML_READER_TYPE_ELEMENT)
-		{
-			if (streq(xmlTextReaderConstName(reader), "query"))
-			{
-				request_query(reader, writer);
-				break;
-			}
-			if (streq(xmlTextReaderConstName(reader), "control"))
-			{
-				request_control(reader, writer);
-				break;
-			}
-		}
-	}
-	/*   </message> and close document */
-	xmlTextWriterEndDocument(writer);
-	xmlFreeTextWriter(writer);
-}
-
-/**
- * cleanup helper function for open file descriptors
- */
-static void closefdp(int *fd)
-{
-	close(*fd);
-}
-
-/**
- * read from a opened connection and process it
- */
-static job_requeue_t process(int *fdp)
-{
-	int fd = *fdp;
-	bool oldstate;
-	char buffer[4096];
-	size_t len;
-	xmlTextReaderPtr reader;
-	char *id = NULL, *type = NULL;
-
-	thread_cleanup_push((thread_cleanup_t)closefdp, (void*)&fd);
-	oldstate = thread_cancelability(TRUE);
-	len = read(fd, buffer, sizeof(buffer));
-	thread_cancelability(oldstate);
-	thread_cleanup_pop(FALSE);
-	if (len <= 0)
-	{
-		close(fd);
-		DBG2(DBG_CFG, "SMP XML connection closed");
-		return JOB_REQUEUE_NONE;
-	}
-	DBG3(DBG_CFG, "got XML request: %b", buffer, len);
-
-	reader = xmlReaderForMemory(buffer, len, NULL, NULL, 0);
-	if (reader == NULL)
-	{
-		DBG1(DBG_CFG, "opening SMP XML reader failed");
-		return JOB_REQUEUE_FAIR;;
-	}
-
-	/* read message type and id */
-	while (xmlTextReaderRead(reader))
-	{
-		if (xmlTextReaderNodeType(reader) == XML_READER_TYPE_ELEMENT &&
-			streq(xmlTextReaderConstName(reader), "message"))
-		{
-			id = xmlTextReaderGetAttribute(reader, "id");
-			type = xmlTextReaderGetAttribute(reader, "type");
-			break;
-		}
-	}
-
-	/* process message */
-	if (id && type)
-	{
-		if (streq(type, "request"))
-		{
-			request(reader, id, fd);
-		}
-		else
-		{
-			/* response(reader, id) */
-		}
-	}
-	xmlFreeTextReader(reader);
-	return JOB_REQUEUE_FAIR;;
-}
-
-/**
- * accept from XML socket and create jobs to process connections
- */
-static job_requeue_t dispatch(private_smp_t *this)
-{
-	struct sockaddr_un strokeaddr;
-	int fd, *fdp, strokeaddrlen = sizeof(strokeaddr);
-	callback_job_t *job;
-	bool oldstate;
-
-	/* wait for connections, but allow thread to terminate */
-	oldstate = thread_cancelability(TRUE);
-	fd = accept(this->socket, (struct sockaddr *)&strokeaddr, &strokeaddrlen);
-	thread_cancelability(oldstate);
-
-	if (fd < 0)
-	{
-		DBG1(DBG_CFG, "accepting SMP XML socket failed: %s", strerror(errno));
-		sleep(1);
-		return JOB_REQUEUE_FAIR;;
-	}
-
-	fdp = malloc_thing(int);
-	*fdp = fd;
-	job = callback_job_create((callback_job_cb_t)process, fdp, free, this->job);
-	charon->processor->queue_job(charon->processor, (job_t*)job);
-
-	return JOB_REQUEUE_DIRECT;
-}
-
-/**
- * Implementation of itnerface_t.destroy.
- */
-static void destroy(private_smp_t *this)
-{
-	this->job->cancel(this->job);
-	close(this->socket);
-	free(this);
-}
-
-/*
- * Described in header file
- */
-plugin_t *plugin_create()
-{
-	struct sockaddr_un unix_addr = { AF_UNIX, IPSEC_PIDDIR "/charon.xml"};
-	private_smp_t *this = malloc_thing(private_smp_t);
-	mode_t old;
-
-	this->public.plugin.destroy = (void (*)(plugin_t*))destroy;
-
-	/* set up unix socket */
-	this->socket = socket(AF_UNIX, SOCK_STREAM, 0);
-	if (this->socket == -1)
-	{
-		DBG1(DBG_CFG, "could not create XML socket");
-		free(this);
-		return NULL;
-	}
-
-	unlink(unix_addr.sun_path);
-	old = umask(~(S_IRWXU | S_IRWXG));
-	if (bind(this->socket, (struct sockaddr *)&unix_addr, sizeof(unix_addr)) < 0)
-	{
-		DBG1(DBG_CFG, "could not bind XML socket: %s", strerror(errno));
-		close(this->socket);
-		free(this);
-		return NULL;
-	}
-	umask(old);
-	if (chown(unix_addr.sun_path, charon->uid, charon->gid) != 0)
-	{
-		DBG1(DBG_CFG, "changing XML socket permissions failed: %s", strerror(errno));
-	}
-
-	if (listen(this->socket, 5) < 0)
-	{
-		DBG1(DBG_CFG, "could not listen on XML socket: %s", strerror(errno));
-		close(this->socket);
-		free(this);
-		return NULL;
-	}
-
-	this->job = callback_job_create((callback_job_cb_t)dispatch, this, NULL, NULL);
-	charon->processor->queue_job(charon->processor, (job_t*)this->job);
-
-	return &this->public.plugin;
-}
-
diff --git a/src/charon/plugins/smp/smp.h b/src/charon/plugins/smp/smp.h
deleted file mode 100644
index 5ec9f3bf8..000000000
--- a/src/charon/plugins/smp/smp.h
+++ /dev/null
@@ -1,50 +0,0 @@
-/*
- * Copyright (C) 2007-2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup smp smp
- * @ingroup cplugins
- *
- * @defgroup smp_i smp
- * @{ @ingroup smp
- */
-
-#ifndef SMP_H_
-#define SMP_H_
-
-#include <plugins/plugin.h>
-
-typedef struct smp_t smp_t;
-
-/**
- * SMP configuration and control interface.
- *
- * The SMP interface uses a socket and a to communicate. The syntax is strict
- * XML, defined in the schema.xml specification.
- */
-struct smp_t {
-
-	/**
-	 * implements the plugin interface.
-	 */
-	plugin_t plugin;
-};
-
-/**
- * Create a smp plugin instance.
- */
-plugin_t *plugin_create();
-
-#endif /** XML_H_ @}*/
diff --git a/src/charon/plugins/sql/Makefile.am b/src/charon/plugins/sql/Makefile.am
deleted file mode 100644
index 60135bf08..000000000
--- a/src/charon/plugins/sql/Makefile.am
+++ /dev/null
@@ -1,12 +0,0 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
-
-AM_CFLAGS = -rdynamic \
-  -DPLUGINS=\""${libstrongswan_plugins}\""
-
-plugin_LTLIBRARIES = libstrongswan-sql.la
-libstrongswan_sql_la_SOURCES = \
-  sql_plugin.h sql_plugin.c sql_config.h sql_config.c \
-  sql_cred.h sql_cred.c sql_logger.h sql_logger.c
-libstrongswan_sql_la_LDFLAGS = -module -avoid-version
-
diff --git a/src/charon/plugins/sql/Makefile.in b/src/charon/plugins/sql/Makefile.in
deleted file mode 100644
index ef9c33a1c..000000000
--- a/src/charon/plugins/sql/Makefile.in
+++ /dev/null
@@ -1,575 +0,0 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
-# @configure_input@
-
-# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
-# This Makefile.in is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
-# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
-# PARTICULAR PURPOSE.
-
-@SET_MAKE@
-
-VPATH = @srcdir@
-pkgdatadir = $(datadir)/@PACKAGE@
-pkgincludedir = $(includedir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
-pkglibexecdir = $(libexecdir)/@PACKAGE@
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-install_sh_DATA = $(install_sh) -c -m 644
-install_sh_PROGRAM = $(install_sh) -c
-install_sh_SCRIPT = $(install_sh) -c
-INSTALL_HEADER = $(INSTALL_DATA)
-transform = $(program_transform_name)
-NORMAL_INSTALL = :
-PRE_INSTALL = :
-POST_INSTALL = :
-NORMAL_UNINSTALL = :
-PRE_UNINSTALL = :
-POST_UNINSTALL = :
-build_triplet = @build@
-host_triplet = @host@
-subdir = src/charon/plugins/sql
-DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
-ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
-	$(top_srcdir)/m4/config/ltoptions.m4 \
-	$(top_srcdir)/m4/config/ltsugar.m4 \
-	$(top_srcdir)/m4/config/ltversion.m4 \
-	$(top_srcdir)/m4/config/lt~obsolete.m4 \
-	$(top_srcdir)/m4/macros/with.m4 \
-	$(top_srcdir)/m4/macros/enable-disable.m4 \
-	$(top_srcdir)/configure.in
-am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
-	$(ACLOCAL_M4)
-mkinstalldirs = $(install_sh) -d
-CONFIG_CLEAN_FILES =
-CONFIG_CLEAN_VPATH_FILES =
-am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
-am__vpath_adj = case $$p in \
-    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
-    *) f=$$p;; \
-  esac;
-am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
-am__install_max = 40
-am__nobase_strip_setup = \
-  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
-am__nobase_strip = \
-  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
-am__nobase_list = $(am__nobase_strip_setup); \
-  for p in $$list; do echo "$$p $$p"; done | \
-  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
-  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
-    if (++n[$$2] == $(am__install_max)) \
-      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
-    END { for (dir in files) print dir, files[dir] }'
-am__base_list = \
-  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
-  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
-am__installdirs = "$(DESTDIR)$(plugindir)"
-LTLIBRARIES = $(plugin_LTLIBRARIES)
-libstrongswan_sql_la_LIBADD =
-am_libstrongswan_sql_la_OBJECTS = sql_plugin.lo sql_config.lo \
-	sql_cred.lo sql_logger.lo
-libstrongswan_sql_la_OBJECTS = $(am_libstrongswan_sql_la_OBJECTS)
-libstrongswan_sql_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_sql_la_LDFLAGS) $(LDFLAGS) -o $@
-DEFAULT_INCLUDES = -I.@am__isrc@
-depcomp = $(SHELL) $(top_srcdir)/depcomp
-am__depfiles_maybe = depfiles
-am__mv = mv -f
-COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
-	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
-SOURCES = $(libstrongswan_sql_la_SOURCES)
-DIST_SOURCES = $(libstrongswan_sql_la_SOURCES)
-ETAGS = etags
-CTAGS = ctags
-DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
-ACLOCAL = @ACLOCAL@
-ALLOCA = @ALLOCA@
-AMTAR = @AMTAR@
-AR = @AR@
-AUTOCONF = @AUTOCONF@
-AUTOHEADER = @AUTOHEADER@
-AUTOMAKE = @AUTOMAKE@
-AWK = @AWK@
-BTLIB = @BTLIB@
-CC = @CC@
-CCDEPMODE = @CCDEPMODE@
-CFLAGS = @CFLAGS@
-CPP = @CPP@
-CPPFLAGS = @CPPFLAGS@
-CYGPATH_W = @CYGPATH_W@
-DEFS = @DEFS@
-DEPDIR = @DEPDIR@
-DLLIB = @DLLIB@
-DSYMUTIL = @DSYMUTIL@
-DUMPBIN = @DUMPBIN@
-ECHO_C = @ECHO_C@
-ECHO_N = @ECHO_N@
-ECHO_T = @ECHO_T@
-EGREP = @EGREP@
-EXEEXT = @EXEEXT@
-FGREP = @FGREP@
-GPERF = @GPERF@
-GREP = @GREP@
-INSTALL = @INSTALL@
-INSTALL_DATA = @INSTALL_DATA@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@
-INSTALL_SCRIPT = @INSTALL_SCRIPT@
-INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-LD = @LD@
-LDFLAGS = @LDFLAGS@
-LEX = @LEX@
-LEXLIB = @LEXLIB@
-LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBOBJS = @LIBOBJS@
-LIBS = @LIBS@
-LIBTOOL = @LIBTOOL@
-LIPO = @LIPO@
-LN_S = @LN_S@
-LTLIBOBJS = @LTLIBOBJS@
-MAKEINFO = @MAKEINFO@
-MKDIR_P = @MKDIR_P@
-MYSQLCFLAG = @MYSQLCFLAG@
-MYSQLCONFIG = @MYSQLCONFIG@
-MYSQLLIB = @MYSQLLIB@
-NM = @NM@
-NMEDIT = @NMEDIT@
-OBJDUMP = @OBJDUMP@
-OBJEXT = @OBJEXT@
-OTOOL = @OTOOL@
-OTOOL64 = @OTOOL64@
-PACKAGE = @PACKAGE@
-PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
-PACKAGE_NAME = @PACKAGE_NAME@
-PACKAGE_STRING = @PACKAGE_STRING@
-PACKAGE_TARNAME = @PACKAGE_TARNAME@
-PACKAGE_URL = @PACKAGE_URL@
-PACKAGE_VERSION = @PACKAGE_VERSION@
-PATH_SEPARATOR = @PATH_SEPARATOR@
-PERL = @PERL@
-PKG_CONFIG = @PKG_CONFIG@
-PTHREADLIB = @PTHREADLIB@
-RANLIB = @RANLIB@
-RTLIB = @RTLIB@
-RUBY = @RUBY@
-RUBYINCLUDE = @RUBYINCLUDE@
-SED = @SED@
-SET_MAKE = @SET_MAKE@
-SHELL = @SHELL@
-SOCKLIB = @SOCKLIB@
-STRIP = @STRIP@
-VERSION = @VERSION@
-YACC = @YACC@
-YFLAGS = @YFLAGS@
-abs_builddir = @abs_builddir@
-abs_srcdir = @abs_srcdir@
-abs_top_builddir = @abs_top_builddir@
-abs_top_srcdir = @abs_top_srcdir@
-ac_ct_CC = @ac_ct_CC@
-ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
-am__include = @am__include@
-am__leading_dot = @am__leading_dot@
-am__quote = @am__quote@
-am__tar = @am__tar@
-am__untar = @am__untar@
-bindir = @bindir@
-build = @build@
-build_alias = @build_alias@
-build_cpu = @build_cpu@
-build_os = @build_os@
-build_vendor = @build_vendor@
-builddir = @builddir@
-datadir = @datadir@
-datarootdir = @datarootdir@
-default_pkcs11 = @default_pkcs11@
-docdir = @docdir@
-dvidir = @dvidir@
-exec_prefix = @exec_prefix@
-gtk_CFLAGS = @gtk_CFLAGS@
-gtk_LIBS = @gtk_LIBS@
-host = @host@
-host_alias = @host_alias@
-host_cpu = @host_cpu@
-host_os = @host_os@
-host_vendor = @host_vendor@
-htmldir = @htmldir@
-includedir = @includedir@
-infodir = @infodir@
-install_sh = @install_sh@
-ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
-ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
-ipsecuser = @ipsecuser@
-libdir = @libdir@
-libexecdir = @libexecdir@
-libstrongswan_plugins = @libstrongswan_plugins@
-linux_headers = @linux_headers@
-localedir = @localedir@
-localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
-mandir = @mandir@
-mkdir_p = @mkdir_p@
-nm_CFLAGS = @nm_CFLAGS@
-nm_LIBS = @nm_LIBS@
-nm_ca_dir = @nm_ca_dir@
-oldincludedir = @oldincludedir@
-pdfdir = @pdfdir@
-piddir = @piddir@
-plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
-prefix = @prefix@
-program_transform_name = @program_transform_name@
-psdir = @psdir@
-random_device = @random_device@
-resolv_conf = @resolv_conf@
-routing_table = @routing_table@
-routing_table_prio = @routing_table_prio@
-sbindir = @sbindir@
-sharedstatedir = @sharedstatedir@
-srcdir = @srcdir@
-strongswan_conf = @strongswan_conf@
-sysconfdir = @sysconfdir@
-target_alias = @target_alias@
-top_build_prefix = @top_build_prefix@
-top_builddir = @top_builddir@
-top_srcdir = @top_srcdir@
-urandom_device = @urandom_device@
-xml_CFLAGS = @xml_CFLAGS@
-xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
-AM_CFLAGS = -rdynamic \
-  -DPLUGINS=\""${libstrongswan_plugins}\""
-
-plugin_LTLIBRARIES = libstrongswan-sql.la
-libstrongswan_sql_la_SOURCES = \
-  sql_plugin.h sql_plugin.c sql_config.h sql_config.c \
-  sql_cred.h sql_cred.c sql_logger.h sql_logger.c
-
-libstrongswan_sql_la_LDFLAGS = -module -avoid-version
-all: all-am
-
-.SUFFIXES:
-.SUFFIXES: .c .lo .o .obj
-$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
-	@for dep in $?; do \
-	  case '$(am__configure_deps)' in \
-	    *$$dep*) \
-	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
-	        && { if test -f $@; then exit 0; else break; fi; }; \
-	      exit 1;; \
-	  esac; \
-	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/charon/plugins/sql/Makefile'; \
-	$(am__cd) $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu src/charon/plugins/sql/Makefile
-.PRECIOUS: Makefile
-Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
-	@case '$?' in \
-	  *config.status*) \
-	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
-	  *) \
-	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
-	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
-	esac;
-
-$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-
-$(top_srcdir)/configure:  $(am__configure_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(am__aclocal_m4_deps):
-install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
-	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
-	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
-	list2=; for p in $$list; do \
-	  if test -f $$p; then \
-	    list2="$$list2 $$p"; \
-	  else :; fi; \
-	done; \
-	test -z "$$list2" || { \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
-	}
-
-uninstall-pluginLTLIBRARIES:
-	@$(NORMAL_UNINSTALL)
-	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
-	for p in $$list; do \
-	  $(am__strip_dir) \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
-	done
-
-clean-pluginLTLIBRARIES:
-	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
-	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
-	  test "$$dir" != "$$p" || dir=.; \
-	  echo "rm -f \"$${dir}/so_locations\""; \
-	  rm -f "$${dir}/so_locations"; \
-	done
-libstrongswan-sql.la: $(libstrongswan_sql_la_OBJECTS) $(libstrongswan_sql_la_DEPENDENCIES) 
-	$(libstrongswan_sql_la_LINK) -rpath $(plugindir) $(libstrongswan_sql_la_OBJECTS) $(libstrongswan_sql_la_LIBADD) $(LIBS)
-
-mostlyclean-compile:
-	-rm -f *.$(OBJEXT)
-
-distclean-compile:
-	-rm -f *.tab.c
-
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sql_config.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sql_cred.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sql_logger.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sql_plugin.Plo@am__quote@
-
-.c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
-
-.c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
-
-.c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
-
-mostlyclean-libtool:
-	-rm -f *.lo
-
-clean-libtool:
-	-rm -rf .libs _libs
-
-ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
-	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	mkid -fID $$unique
-tags: TAGS
-
-TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	set x; \
-	here=`pwd`; \
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	shift; \
-	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
-	  test -n "$$unique" || unique=$$empty_fix; \
-	  if test $$# -gt 0; then \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      "$$@" $$unique; \
-	  else \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      $$unique; \
-	  fi; \
-	fi
-ctags: CTAGS
-CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$unique" \
-	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$unique
-
-GTAGS:
-	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && $(am__cd) $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) "$$here"
-
-distclean-tags:
-	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
-
-distdir: $(DISTFILES)
-	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	list='$(DISTFILES)'; \
-	  dist_files=`for file in $$list; do echo $$file; done | \
-	  sed -e "s|^$$srcdirstrip/||;t" \
-	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
-	case $$dist_files in \
-	  */*) $(MKDIR_P) `echo "$$dist_files" | \
-			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
-			   sort -u` ;; \
-	esac; \
-	for file in $$dist_files; do \
-	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  if test -d $$d/$$file; then \
-	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
-	    if test -d "$(distdir)/$$file"; then \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
-	  else \
-	    test -f "$(distdir)/$$file" \
-	    || cp -p $$d/$$file "$(distdir)/$$file" \
-	    || exit 1; \
-	  fi; \
-	done
-check-am: all-am
-check: check-am
-all-am: Makefile $(LTLIBRARIES)
-installdirs:
-	for dir in "$(DESTDIR)$(plugindir)"; do \
-	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
-	done
-install: install-am
-install-exec: install-exec-am
-install-data: install-data-am
-uninstall: uninstall-am
-
-install-am: all-am
-	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
-
-installcheck: installcheck-am
-install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
-mostlyclean-generic:
-
-clean-generic:
-
-distclean-generic:
-	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
-
-maintainer-clean-generic:
-	@echo "This command is intended for maintainers to use"
-	@echo "it deletes files that may require special tools to rebuild."
-clean: clean-am
-
-clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
-	mostlyclean-am
-
-distclean: distclean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-distclean-am: clean-am distclean-compile distclean-generic \
-	distclean-tags
-
-dvi: dvi-am
-
-dvi-am:
-
-html: html-am
-
-html-am:
-
-info: info-am
-
-info-am:
-
-install-data-am: install-pluginLTLIBRARIES
-
-install-dvi: install-dvi-am
-
-install-dvi-am:
-
-install-exec-am:
-
-install-html: install-html-am
-
-install-html-am:
-
-install-info: install-info-am
-
-install-info-am:
-
-install-man:
-
-install-pdf: install-pdf-am
-
-install-pdf-am:
-
-install-ps: install-ps-am
-
-install-ps-am:
-
-installcheck-am:
-
-maintainer-clean: maintainer-clean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-maintainer-clean-am: distclean-am maintainer-clean-generic
-
-mostlyclean: mostlyclean-am
-
-mostlyclean-am: mostlyclean-compile mostlyclean-generic \
-	mostlyclean-libtool
-
-pdf: pdf-am
-
-pdf-am:
-
-ps: ps-am
-
-ps-am:
-
-uninstall-am: uninstall-pluginLTLIBRARIES
-
-.MAKE: install-am install-strip
-
-.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
-	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
-	distclean-compile distclean-generic distclean-libtool \
-	distclean-tags distdir dvi dvi-am html html-am info info-am \
-	install install-am install-data install-data-am install-dvi \
-	install-dvi-am install-exec install-exec-am install-html \
-	install-html-am install-info install-info-am install-man \
-	install-pdf install-pdf-am install-pluginLTLIBRARIES \
-	install-ps install-ps-am install-strip installcheck \
-	installcheck-am installdirs maintainer-clean \
-	maintainer-clean-generic mostlyclean mostlyclean-compile \
-	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
-
-
-# Tell versions [3.59,3.63) of GNU make to not export all variables.
-# Otherwise a system limit (for SysV at least) may be exceeded.
-.NOEXPORT:
diff --git a/src/charon/plugins/sql/sql_config.c b/src/charon/plugins/sql/sql_config.c
deleted file mode 100644
index afee0896c..000000000
--- a/src/charon/plugins/sql/sql_config.c
+++ /dev/null
@@ -1,534 +0,0 @@
-/*
- * Copyright (C) 2006-2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <string.h>
-
-#include "sql_config.h"
-
-#include <daemon.h>
-
-typedef struct private_sql_config_t private_sql_config_t;
-
-/**
- * Private data of an sql_config_t object
- */
-struct private_sql_config_t {
-
-	/**
-	 * Public part
-	 */
-	sql_config_t public;
-
-	/**
-	 * database connection
-	 */
-	database_t *db;
-};
-
-/**
- * forward declaration
- */
-static peer_cfg_t *build_peer_cfg(private_sql_config_t *this, enumerator_t *e,
-								  identification_t *me, identification_t *other);
-
-/**
- * build a traffic selector from a SQL query
- */
-static traffic_selector_t *build_traffic_selector(private_sql_config_t *this,
-												  enumerator_t *e, bool *local)
-{
-	int type, protocol, start_port, end_port;
-	chunk_t start_addr, end_addr;
-	traffic_selector_t *ts;
-	enum {
-		TS_LOCAL = 0,
-		TS_REMOTE = 1,
-		TS_LOCAL_DYNAMIC = 2,
-		TS_REMOTE_DYNAMIC = 3,
-	} kind;
-
-	while (e->enumerate(e, &kind, &type, &protocol,
-						&start_addr, &end_addr, &start_port, &end_port))
-	{
-		*local = FALSE;
-		switch (kind)
-		{
-			case TS_LOCAL:
-				*local = TRUE;
-				/* FALL */
-			case TS_REMOTE:
-				ts = traffic_selector_create_from_bytes(protocol, type,
-								start_addr, start_port,	end_addr, end_port);
-				break;
-			case TS_LOCAL_DYNAMIC:
-				*local = TRUE;
-				/* FALL */
-			case TS_REMOTE_DYNAMIC:
-				ts = traffic_selector_create_dynamic(protocol,
-								start_port, end_port);
-				break;
-			default:
-				continue;
-		}
-		if (ts)
-		{
-			return ts;
-		}
-	}
-	return NULL;
-}
-
-/**
- * Add traffic selectors to a child config
- */
-static void add_traffic_selectors(private_sql_config_t *this,
-								  child_cfg_t *child, int id)
-{
-	enumerator_t *e;
-	traffic_selector_t *ts;
-	bool local;
-
-	e = this->db->query(this->db,
-			"SELECT kind, type, protocol, "
-			"start_addr, end_addr, start_port, end_port "
-			"FROM traffic_selectors JOIN child_config_traffic_selector "
-			"ON id = traffic_selector WHERE child_cfg = ?",
-			DB_INT, id,
-			DB_INT, DB_INT, DB_INT,
-			DB_BLOB, DB_BLOB, DB_INT, DB_INT);
-	if (e)
-	{
-		while ((ts = build_traffic_selector(this, e, &local)))
-		{
-			child->add_traffic_selector(child, local, ts);
-		}
-		e->destroy(e);
-	}
-}
-
-/**
- * build a Child configuration from a SQL query
- */
-static child_cfg_t *build_child_cfg(private_sql_config_t *this, enumerator_t *e)
-{
-	int id, lifetime, rekeytime, jitter, hostaccess, mode, dpd, close, ipcomp;
-	char *name, *updown;
-	child_cfg_t *child_cfg;
-
-	if (e->enumerate(e, &id, &name, &lifetime, &rekeytime, &jitter,
-						&updown, &hostaccess, &mode, &dpd, &close, &ipcomp))
-	{
-		lifetime_cfg_t lft = {
-			.time = { .life = lifetime, .rekey = rekeytime, .jitter = jitter }
-		};
-		child_cfg = child_cfg_create(name, &lft, updown, hostaccess, mode,
-									 dpd, close, ipcomp, 0);
-		/* TODO: read proposal from db */
-		child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
-		add_traffic_selectors(this, child_cfg, id);
-		return child_cfg;
-	}
-	return NULL;
-}
-
-/**
- * Add child configs to peer config
- */
-static void add_child_cfgs(private_sql_config_t *this, peer_cfg_t *peer, int id)
-{
-	enumerator_t *e;
-	child_cfg_t *child_cfg;
-
-	e = this->db->query(this->db,
-			"SELECT id, name, lifetime, rekeytime, jitter, "
-			"updown, hostaccess, mode, dpd_action, close_action, ipcomp "
-			"FROM child_configs JOIN peer_config_child_config ON id = child_cfg "
-			"WHERE peer_cfg = ?",
-			DB_INT, id,
-			DB_INT, DB_TEXT, DB_INT, DB_INT, DB_INT,
-			DB_TEXT, DB_INT, DB_INT, DB_INT, DB_INT, DB_INT);
-	if (e)
-	{
-		while ((child_cfg = build_child_cfg(this, e)))
-		{
-			peer->add_child_cfg(peer, child_cfg);
-		}
-		e->destroy(e);
-	}
-}
-
-/**
- * build a ike configuration from a SQL query
- */
-static ike_cfg_t *build_ike_cfg(private_sql_config_t *this, enumerator_t *e,
-								host_t *my_host, host_t *other_host)
-{
-	int certreq, force_encap;
-	char *local, *remote;
-
-	while (e->enumerate(e, &certreq, &force_encap, &local, &remote))
-	{
-		ike_cfg_t *ike_cfg;
-
-		ike_cfg = ike_cfg_create(certreq, force_encap, local, remote);
-		/* TODO: read proposal from db */
-		ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
-		return ike_cfg;
-	}
-	return NULL;
-}
-
-/**
- * Query a IKE config by its id
- */
-static ike_cfg_t* get_ike_cfg_by_id(private_sql_config_t *this, int id)
-{
-	enumerator_t *e;
-	ike_cfg_t *ike_cfg = NULL;
-
-	e = this->db->query(this->db,
-			"SELECT certreq, force_encap, local, remote "
-			"FROM ike_configs WHERE id = ?",
-			DB_INT, id,
-			DB_INT, DB_INT, DB_TEXT, DB_TEXT);
-	if (e)
-	{
-		ike_cfg = build_ike_cfg(this, e, NULL, NULL);
-		e->destroy(e);
-	}
-	return ike_cfg;
-}
-
-/**
- * Query a peer config by its id
- */
-static peer_cfg_t *get_peer_cfg_by_id(private_sql_config_t *this, int id)
-{
-	enumerator_t *e;
-	peer_cfg_t *peer_cfg = NULL;
-
-	e = this->db->query(this->db,
-			"SELECT c.id, name, ike_cfg, l.type, l.data, r.type, r.data, "
-			"cert_policy, uniqueid, auth_method, eap_type, eap_vendor, "
-			"keyingtries, rekeytime, reauthtime, jitter, overtime, mobike, "
-			"dpd_delay, virtual, pool, "
-			"mediation, mediated_by, COALESCE(p.type, 0), p.data "
-			"FROM peer_configs AS c "
-			"JOIN identities AS l ON local_id = l.id "
-			"JOIN identities AS r ON remote_id = r.id "
-			"LEFT JOIN identities AS p ON peer_id = p.id "
-			"WHERE id = ?",
-			DB_INT, id,
-			DB_INT, DB_TEXT, DB_INT, DB_INT, DB_BLOB, DB_INT, DB_BLOB,
-			DB_INT, DB_INT, DB_INT, DB_INT, DB_INT,
-			DB_INT, DB_INT, DB_INT, DB_INT, DB_INT, DB_INT,
-			DB_INT, DB_TEXT, DB_TEXT,
-			DB_INT, DB_INT, DB_INT, DB_BLOB);
-	if (e)
-	{
-		peer_cfg = build_peer_cfg(this, e, NULL, NULL);
-		e->destroy(e);
-	}
-	return peer_cfg;
-}
-
-/**
- * build a peer configuration from a SQL query
- */
-static peer_cfg_t *build_peer_cfg(private_sql_config_t *this, enumerator_t *e,
-								  identification_t *me, identification_t *other)
-{
-	int id, ike_cfg, l_type, r_type,
-		cert_policy, uniqueid, auth_method, eap_type, eap_vendor, keyingtries,
-		rekeytime, reauthtime, jitter, overtime, mobike, dpd_delay,
-		mediation, mediated_by, p_type;
-	chunk_t l_data, r_data, p_data;
-	char *name, *virtual, *pool;
-
-	while (e->enumerate(e,
-			&id, &name, &ike_cfg, &l_type, &l_data, &r_type, &r_data,
-			&cert_policy, &uniqueid, &auth_method, &eap_type, &eap_vendor,
-			&keyingtries, &rekeytime, &reauthtime, &jitter, &overtime, &mobike,
-			&dpd_delay,	&virtual, &pool,
-			&mediation, &mediated_by, &p_type, &p_data))
-	{
-		identification_t *local_id, *remote_id, *peer_id = NULL;
-		peer_cfg_t *peer_cfg, *mediated_cfg;
-		ike_cfg_t *ike;
-		host_t *vip = NULL;
-		auth_cfg_t *auth;
-
-		local_id = identification_create_from_encoding(l_type, l_data);
-		remote_id = identification_create_from_encoding(r_type, r_data);
-		if ((me && !me->matches(me, local_id)) ||
-			(other && !other->matches(other, remote_id)))
-		{
-			local_id->destroy(local_id);
-			remote_id->destroy(remote_id);
-			continue;
-		}
-		ike = get_ike_cfg_by_id(this, ike_cfg);
-		mediated_cfg = mediated_by ? get_peer_cfg_by_id(this, mediated_by) : NULL;
-		if (p_type)
-		{
-			peer_id = identification_create_from_encoding(p_type, p_data);
-		}
-		if (virtual)
-		{
-			vip = host_create_from_string(virtual, 0);
-		}
-		if (ike)
-		{
-			peer_cfg = peer_cfg_create(
-					name, 2, ike, cert_policy, uniqueid,
-					keyingtries, rekeytime, reauthtime, jitter, overtime,
-					mobike,	dpd_delay, vip, pool,
-					mediation, mediated_cfg, peer_id);
-			auth = auth_cfg_create();
-			auth->add(auth, AUTH_RULE_AUTH_CLASS, auth_method);
-			auth->add(auth, AUTH_RULE_IDENTITY, local_id);
-			peer_cfg->add_auth_cfg(peer_cfg, auth, TRUE);
-			auth = auth_cfg_create();
-			auth->add(auth, AUTH_RULE_IDENTITY, remote_id);
-			if (eap_type)
-			{
-				auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_EAP);
-				auth->add(auth, AUTH_RULE_EAP_TYPE, eap_type);
-				if (eap_vendor)
-				{
-					auth->add(auth, AUTH_RULE_EAP_VENDOR, eap_vendor);
-				}
-			}
-			peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);
-			add_child_cfgs(this, peer_cfg, id);
-			return peer_cfg;
-		}
-		DESTROY_IF(ike);
-		DESTROY_IF(mediated_cfg);
-		DESTROY_IF(peer_id);
-		DESTROY_IF(local_id);
-		DESTROY_IF(remote_id);
-	}
-	return NULL;
-}
-
-/**
- * implements backend_t.get_peer_cfg_by_name.
- */
-static peer_cfg_t *get_peer_cfg_by_name(private_sql_config_t *this, char *name)
-{
-	enumerator_t *e;
-	peer_cfg_t *peer_cfg = NULL;
-
-	e = this->db->query(this->db,
-			"SELECT c.id, name, ike_cfg, l.type, l.data, r.type, r.data, "
-			"cert_policy, uniqueid, auth_method, eap_type, eap_vendor, "
-			"keyingtries, rekeytime, reauthtime, jitter, overtime, mobike, "
-			"dpd_delay, virtual, pool, "
-			"mediation, mediated_by, COALESCE(p.type, 0), p.data "
-			"FROM peer_configs AS c "
-			"JOIN identities AS l ON local_id = l.id "
-			"JOIN identities AS r ON remote_id = r.id "
-			"LEFT JOIN identities AS p ON peer_id = p.id "
-			"WHERE ike_version = ? AND name = ?",
-			DB_INT, 2, DB_TEXT, name,
-			DB_INT, DB_TEXT, DB_INT, DB_INT, DB_BLOB, DB_INT, DB_BLOB,
-			DB_INT, DB_INT, DB_INT, DB_INT, DB_INT,
-			DB_INT, DB_INT, DB_INT, DB_INT, DB_INT, DB_INT,
-			DB_INT, DB_TEXT, DB_TEXT,
-			DB_INT, DB_INT,	DB_INT, DB_BLOB);
-	if (e)
-	{
-		peer_cfg = build_peer_cfg(this, e, NULL, NULL);
-		e->destroy(e);
-	}
-	return peer_cfg;
-}
-
-typedef struct {
-	/** implements enumerator */
-	enumerator_t public;
-	/** reference to context */
-	private_sql_config_t *this;
-	/** filtering own host */
-	host_t *me;
-	/** filtering remote host */
-	host_t *other;
-	/** inner SQL enumerator */
-	enumerator_t *inner;
-	/** currently enumerated peer config */
-	ike_cfg_t *current;
-} ike_enumerator_t;
-
-/**
- * Implementation of ike_enumerator_t.public.enumerate
- */
-static bool ike_enumerator_enumerate(ike_enumerator_t *this, ike_cfg_t **cfg)
-{
-	DESTROY_IF(this->current);
-	this->current = build_ike_cfg(this->this, this->inner, this->me, this->other);
-	if (this->current)
-	{
-		*cfg = this->current;
-		return TRUE;
-	}
-	return FALSE;
-}
-
-/**
- * Implementation of ike_enumerator_t.public.destroy
- */
-static void ike_enumerator_destroy(ike_enumerator_t *this)
-{
-	DESTROY_IF(this->current);
-	this->inner->destroy(this->inner);
-	free(this);
-}
-
-/**
- * Implementation of backend_t.create_ike_cfg_enumerator.
- */
-static enumerator_t* create_ike_cfg_enumerator(private_sql_config_t *this,
-											   host_t *me, host_t *other)
-{
-	ike_enumerator_t *e = malloc_thing(ike_enumerator_t);
-
-	e->this = this;
-	e->me = me;
-	e->other = other;
-	e->current = NULL;
-	e->public.enumerate = (void*)ike_enumerator_enumerate;
-	e->public.destroy = (void*)ike_enumerator_destroy;
-
-	e->inner = this->db->query(this->db,
-			"SELECT certreq, force_encap, local, remote "
-			"FROM ike_configs",
-			DB_INT, DB_INT, DB_TEXT, DB_TEXT);
-	if (!e->inner)
-	{
-		free(e);
-		return NULL;
-	}
-	return &e->public;
-}
-
-
-typedef struct {
-	/** implements enumerator */
-	enumerator_t public;
-	/** reference to context */
-	private_sql_config_t *this;
-	/** filtering own identity */
-	identification_t *me;
-	/** filtering remote identity */
-	identification_t *other;
-	/** inner SQL enumerator */
-	enumerator_t *inner;
-	/** currently enumerated peer config */
-	peer_cfg_t *current;
-} peer_enumerator_t;
-
-/**
- * Implementation of peer_enumerator_t.public.enumerate
- */
-static bool peer_enumerator_enumerate(peer_enumerator_t *this, peer_cfg_t **cfg)
-{
-	DESTROY_IF(this->current);
-	this->current = build_peer_cfg(this->this, this->inner, this->me, this->other);
-	if (this->current)
-	{
-		*cfg = this->current;
-		return TRUE;
-	}
-	return FALSE;
-}
-
-/**
- * Implementation of peer_enumerator_t.public.destroy
- */
-static void peer_enumerator_destroy(peer_enumerator_t *this)
-{
-	DESTROY_IF(this->current);
-	this->inner->destroy(this->inner);
-	free(this);
-}
-
-/**
- * Implementation of backend_t.create_peer_cfg_enumerator.
- */
-static enumerator_t* create_peer_cfg_enumerator(private_sql_config_t *this,
-												identification_t *me,
-												identification_t *other)
-{
-	peer_enumerator_t *e = malloc_thing(peer_enumerator_t);
-
-	e->this = this;
-	e->me = me;
-	e->other = other;
-	e->current = NULL;
-	e->public.enumerate = (void*)peer_enumerator_enumerate;
-	e->public.destroy = (void*)peer_enumerator_destroy;
-
-	/* TODO: only get configs whose IDs match exactly or contain wildcards */
-	e->inner = this->db->query(this->db,
-			"SELECT c.id, name, ike_cfg, l.type, l.data, r.type, r.data, "
-			"cert_policy, uniqueid, auth_method, eap_type, eap_vendor, "
-			"keyingtries, rekeytime, reauthtime, jitter, overtime, mobike, "
-			"dpd_delay, virtual, pool, "
-			"mediation, mediated_by, COALESCE(p.type, 0), p.data "
-			"FROM peer_configs AS c "
-			"JOIN identities AS l ON local_id = l.id "
-			"JOIN identities AS r ON remote_id = r.id "
-			"LEFT JOIN identities AS p ON peer_id = p.id "
-			"WHERE ike_version = ?",
-			DB_INT, 2,
-			DB_INT, DB_TEXT, DB_INT, DB_INT, DB_BLOB, DB_INT, DB_BLOB,
-			DB_INT, DB_INT, DB_INT, DB_INT, DB_INT,
-			DB_INT, DB_INT, DB_INT, DB_INT, DB_INT, DB_INT,
-			DB_INT,	DB_TEXT, DB_TEXT,
-			DB_INT, DB_INT, DB_INT, DB_BLOB);
-	if (!e->inner)
-	{
-		free(e);
-		return NULL;
-	}
-	return &e->public;
-}
-
-/**
- * Implementation of sql_config_t.destroy.
- */
-static void destroy(private_sql_config_t *this)
-{
-	free(this);
-}
-
-/**
- * Described in header.
- */
-sql_config_t *sql_config_create(database_t *db)
-{
-	private_sql_config_t *this = malloc_thing(private_sql_config_t);
-
-	this->public.backend.create_peer_cfg_enumerator = (enumerator_t*(*)(backend_t*, identification_t *me, identification_t *other))create_peer_cfg_enumerator;
-	this->public.backend.create_ike_cfg_enumerator = (enumerator_t*(*)(backend_t*, host_t *me, host_t *other))create_ike_cfg_enumerator;
-	this->public.backend.get_peer_cfg_by_name = (peer_cfg_t* (*)(backend_t*,char*))get_peer_cfg_by_name;
-	this->public.destroy = (void(*)(sql_config_t*))destroy;
-
-	this->db = db;
-
-	return &this->public;
-}
-
diff --git a/src/charon/plugins/sql/sql_config.h b/src/charon/plugins/sql/sql_config.h
deleted file mode 100644
index 700d00a97..000000000
--- a/src/charon/plugins/sql/sql_config.h
+++ /dev/null
@@ -1,53 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup sql_config_i sql_config
- * @{ @ingroup sql
- */
-
-#ifndef SQL_CONFIG_H_
-#define SQL_CONFIG_H_
-
-#include <config/backend.h>
-#include <database/database.h>
-
-typedef struct sql_config_t sql_config_t;
-
-/**
- * SQL database configuration backend.
- */
-struct sql_config_t {
-
-	/**
-	 * Implements backend_t interface
-	 */
-	backend_t backend;
-
-	/**
-	 * Destry the backend.
-	 */
-	void (*destroy)(sql_config_t *this);
-};
-
-/**
- * Create a sql_config backend instance.
- *
- * @param db		underlying database
- * @return			backend instance
- */
-sql_config_t *sql_config_create(database_t *db);
-
-#endif /** SQL_CONFIG_H_ @}*/
diff --git a/src/charon/plugins/sql/sql_cred.c b/src/charon/plugins/sql/sql_cred.c
deleted file mode 100644
index 12f4ab045..000000000
--- a/src/charon/plugins/sql/sql_cred.c
+++ /dev/null
@@ -1,365 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <string.h>
-
-#include "sql_cred.h"
-
-#include <daemon.h>
-
-typedef struct private_sql_cred_t private_sql_cred_t;
-
-/**
- * Private data of an sql_cred_t object
- */
-struct private_sql_cred_t {
-
-	/**
-	 * Public part
-	 */
-	sql_cred_t public;
-
-	/**
-	 * database connection
-	 */
-	database_t *db;
-};
-
-/**
- * enumerator over private keys
- */
-typedef struct {
-	/** implements enumerator */
-	enumerator_t public;
-	/** inner SQL enumerator */
-	enumerator_t *inner;
-	/** currently enumerated private key */
-	private_key_t *current;
-} private_enumerator_t;
-
-/**
- * Implementation of private_enumerator_t.public.enumerate
- */
-static bool private_enumerator_enumerate(private_enumerator_t *this,
-										 private_key_t **key)
-{
-	chunk_t blob;
-	int type;
-
-	DESTROY_IF(this->current);
-	while (this->inner->enumerate(this->inner, &type, &blob))
-	{
-		this->current = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type,
-										   BUILD_BLOB_ASN1_DER, blob,
-										   BUILD_END);
-		if (this->current)
-		{
-			*key = this->current;
-			return TRUE;
-		}
-	}
-	this->current = NULL;
-	return FALSE;
-}
-
-/**
- * Implementation of private_enumerator_t.public.destroy
- */
-static void private_enumerator_destroy(private_enumerator_t *this)
-{
-	DESTROY_IF(this->current);
-	this->inner->destroy(this->inner);
-	free(this);
-}
-
-/**
- * Implementation of credential_set_t.create_private_enumerator.
- */
-static enumerator_t* create_private_enumerator(private_sql_cred_t *this,
-											   key_type_t type,
-											   identification_t *id)
-{
-	private_enumerator_t *e;
-
-	e = malloc_thing(private_enumerator_t);
-	e->current = NULL;
-	e->public.enumerate = (void*)private_enumerator_enumerate;
-	e->public.destroy = (void*)private_enumerator_destroy;
-	if (id && id->get_type(id) != ID_ANY)
-	{
-		e->inner = this->db->query(this->db,
-				"SELECT p.type, p.data FROM private_keys AS p "
-				"JOIN private_key_identity AS pi ON p.id = pi.private_key "
-				"JOIN identities AS i ON pi.identity = i.id "
-				"WHERE i.type = ? AND i.data = ? AND (? OR p.type = ?)",
-				DB_INT, id->get_type(id), DB_BLOB, id->get_encoding(id),
-				DB_INT, type == KEY_ANY, DB_INT, type,
-				DB_INT, DB_BLOB);
-	}
-	else
-	{
-		e->inner = this->db->query(this->db,
-				"SELECT type, data FROM private_keys WHERE (? OR type = ?)",
-				DB_INT, type == KEY_ANY, DB_INT, type,
-				DB_INT, DB_BLOB);
-	}
-	if (!e->inner)
-	{
-		free(e);
-		return NULL;
-	}
-	return &e->public;
-}
-
-/**
- * enumerator over certificates
- */
-typedef struct {
-	/** implements enumerator */
-	enumerator_t public;
-	/** inner SQL enumerator */
-	enumerator_t *inner;
-	/** currently enumerated cert */
-	certificate_t *current;
-} cert_enumerator_t;
-
-/**
- * Implementation of cert_enumerator_t.public.enumerate
- */
-static bool cert_enumerator_enumerate(cert_enumerator_t *this,
-									  certificate_t **cert)
-{
-	chunk_t blob;
-	int type;
-
-	DESTROY_IF(this->current);
-	while (this->inner->enumerate(this->inner, &type, &blob))
-	{
-		this->current = lib->creds->create(lib->creds, CRED_CERTIFICATE, type,
-										   BUILD_BLOB_ASN1_DER, blob,
-										   BUILD_END);
-		if (this->current)
-		{
-			*cert = this->current;
-			return TRUE;
-		}
-	}
-	this->current = NULL;
-	return FALSE;
-}
-
-/**
- * Implementation of cert_enumerator_t.public.destroy
- */
-static void cert_enumerator_destroy(cert_enumerator_t *this)
-{
-	DESTROY_IF(this->current);
-	this->inner->destroy(this->inner);
-	free(this);
-}
-
-/**
- * Implementation of credential_set_t.create_cert_enumerator.
- */
-static enumerator_t* create_cert_enumerator(private_sql_cred_t *this,
-										certificate_type_t cert, key_type_t key,
-										identification_t *id, bool trusted)
-{
-	cert_enumerator_t *e;
-
-	e = malloc_thing(cert_enumerator_t);
-	e->current = NULL;
-	e->public.enumerate = (void*)cert_enumerator_enumerate;
-	e->public.destroy = (void*)cert_enumerator_destroy;
-	if (id && id->get_type(id) != ID_ANY)
-	{
-		e->inner = this->db->query(this->db,
-				"SELECT c.type, c.data FROM certificates AS c "
-				"JOIN certificate_identity AS ci ON c.id = ci.certificate "
-				"JOIN identities AS i ON ci.identity = i.id "
-				"WHERE i.type = ? AND i.data = ? AND "
-				"(? OR c.type = ?) AND (? OR c.keytype = ?)",
-				DB_INT, id->get_type(id), DB_BLOB, id->get_encoding(id),
-				DB_INT, cert == CERT_ANY, DB_INT, cert,
-				DB_INT, key == KEY_ANY, DB_INT, key,
-				DB_INT, DB_BLOB);
-	}
-	else
-	{
-		e->inner = this->db->query(this->db,
-				"SELECT type, data FROM certificates WHERE "
-				"(? OR type = ?) AND (? OR keytype = ?)",
-				DB_INT, cert == CERT_ANY, DB_INT, cert,
-				DB_INT, key == KEY_ANY, DB_INT, key,
-				DB_INT, DB_BLOB);
-	}
-	if (!e->inner)
-	{
-		free(e);
-		return NULL;
-	}
-	return &e->public;
-}
-
-/**
- * enumerator over shared keys
- */
-typedef struct {
-	/** implements enumerator */
-	enumerator_t public;
-	/** inner SQL enumerator */
-	enumerator_t *inner;
-	/** own identity */
-	identification_t *me;
-	/** remote identity */
-	identification_t *other;
-	/** currently enumerated private key */
-	shared_key_t *current;
-} shared_enumerator_t;
-
-/**
- * Implementation of shared_enumerator_t.public.enumerate
- */
-static bool shared_enumerator_enumerate(shared_enumerator_t *this,
-										shared_key_t **shared,
-										id_match_t *me, id_match_t *other)
-{
-	chunk_t blob;
-	int type;
-
-	DESTROY_IF(this->current);
-	while (this->inner->enumerate(this->inner, &type, &blob))
-	{
-		this->current = shared_key_create(type, chunk_clone(blob));
-		if (this->current)
-		{
-			*shared = this->current;
-			if (me)
-			{
-				*me = this->me ? ID_MATCH_PERFECT : ID_MATCH_ANY;
-			}
-			if (other)
-			{
-				*other = this->other ? ID_MATCH_PERFECT : ID_MATCH_ANY;
-			}
-			return TRUE;
-		}
-	}
-	this->current = NULL;
-	return FALSE;
-}
-
-/**
- * Implementation of shared_enumerator_t.public.destroy
- */
-static void shared_enumerator_destroy(shared_enumerator_t *this)
-{
-	DESTROY_IF(this->current);
-	this->inner->destroy(this->inner);
-	free(this);
-}
-
-/**
- * Implementation of credential_set_t.create_shared_enumerator.
- */
-static enumerator_t* create_shared_enumerator(private_sql_cred_t *this,
-								  shared_key_type_t type,
-								  identification_t *me, identification_t *other)
-{
-	shared_enumerator_t *e;
-
-	e = malloc_thing(shared_enumerator_t);
-	e->me = me;
-	e->other = other;
-	e->current = NULL;
-	e->public.enumerate = (void*)shared_enumerator_enumerate;
-	e->public.destroy = (void*)shared_enumerator_destroy;
-	if (!me && !other)
-	{
-		e->inner = this->db->query(this->db,
-				"SELECT type, data FROM shared_secrets WHERE  (? OR type = ?)",
-				DB_INT, type == SHARED_ANY, DB_INT, type,
-				DB_INT, DB_BLOB);
-	}
-	else if (me && other)
-	{
-		e->inner = this->db->query(this->db,
-				"SELECT s.type, s.data FROM shared_secrets AS s "
-				"JOIN shared_secret_identity AS sm ON s.id = sm.shared_secret "
-				"JOIN identities AS m ON sm.identity = m.id "
-				"JOIN shared_secret_identity AS so ON s.id = so.shared_secret "
-				"JOIN identities AS o ON so.identity = o.id "
-				"WHERE m.type = ? AND m.data = ? AND o.type = ? AND o.data = ? "
-				"AND (? OR s.type = ?)",
-				DB_INT, me->get_type(me), DB_BLOB, me->get_encoding(me),
-				DB_INT, other->get_type(other), DB_BLOB, other->get_encoding(other),
-				DB_INT, type == SHARED_ANY, DB_INT, type,
-				DB_INT, DB_BLOB);
-	}
-	else
-	{
-		identification_t *id = me ? me : other;
-
-		e->inner = this->db->query(this->db,
-				"SELECT s.type, s.data FROM shared_secrets AS s "
-				"JOIN shared_secret_identity AS si ON s.id = si.shared_secret "
-				"JOIN identities AS i ON si.identity = i.id "
-				"WHERE i.type = ? AND i.data = ? AND (? OR s.type = ?)",
-				DB_INT, id->get_type(id), DB_BLOB, id->get_encoding(id),
-				DB_INT, type == SHARED_ANY, DB_INT, type,
-				DB_INT, DB_BLOB);
-	}
-	if (!e->inner)
-	{
-		free(e);
-		return NULL;
-	}
-	return &e->public;
-}
-
-/**
- * Implementation of credential_set_t.cache_cert.
- */
-static void cache_cert(private_sql_cred_t *this, certificate_t *cert)
-{
-	/* TODO: implement CRL caching to database */
-}
-
-/**
- * Implementation of sql_cred_t.destroy.
- */
-static void destroy(private_sql_cred_t *this)
-{
-	free(this);
-}
-/**
- * Described in header.
- */
-sql_cred_t *sql_cred_create(database_t *db)
-{
-	private_sql_cred_t *this = malloc_thing(private_sql_cred_t);
-
-	this->public.set.create_private_enumerator = (void*)create_private_enumerator;
-	this->public.set.create_cert_enumerator = (void*)create_cert_enumerator;
-	this->public.set.create_shared_enumerator = (void*)create_shared_enumerator;
-	this->public.set.create_cdp_enumerator = (void*)return_null;
-	this->public.set.cache_cert = (void*)cache_cert;
-	this->public.destroy = (void(*)(sql_cred_t*))destroy;
-
-	this->db = db;
-
-	return &this->public;
-}
-
diff --git a/src/charon/plugins/sql/sql_cred.h b/src/charon/plugins/sql/sql_cred.h
deleted file mode 100644
index 7f387398e..000000000
--- a/src/charon/plugins/sql/sql_cred.h
+++ /dev/null
@@ -1,53 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup sql_cred_i sql_cred
- * @{ @ingroup sql
- */
-
-#ifndef SQL_CRED_H_
-#define SQL_CRED_H_
-
-#include <credentials/credential_set.h>
-#include <database/database.h>
-
-typedef struct sql_cred_t sql_cred_t;
-
-/**
- * SQL database credential set.
- */
-struct sql_cred_t {
-
-	/**
-	 * Implements credential_set_t interface
-	 */
-	credential_set_t set;
-
-	/**
-	 * Destry the backend.
-	 */
-	void (*destroy)(sql_cred_t *this);
-};
-
-/**
- * Create a sql_cred backend instance.
- *
- * @param db		underlying database
- * @return			credential set
- */
-sql_cred_t *sql_cred_create(database_t *db);
-
-#endif /** SQL_CRED_H_ @}*/
diff --git a/src/charon/plugins/sql/sql_logger.c b/src/charon/plugins/sql/sql_logger.c
deleted file mode 100644
index d350c4c3d..000000000
--- a/src/charon/plugins/sql/sql_logger.c
+++ /dev/null
@@ -1,145 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <string.h>
-
-#include "sql_logger.h"
-
-#include <daemon.h>
-
-typedef struct private_sql_logger_t private_sql_logger_t;
-
-/**
- * Private data of an sql_logger_t object
- */
-struct private_sql_logger_t {
-
-	/**
-	 * Public part
-	 */
-	sql_logger_t public;
-
-	/**
-	 * database connection
-	 */
-	database_t *db;
-
-	/**
-	 * logging level
-	 */
-	int level;
-
-	/**
-	 * avoid recursive logging
-	 */
-	bool recursive;
-};
-
-/**
- * Implementation of bus_listener_t.log.
- */
-static bool log_(private_sql_logger_t *this, debug_t group, level_t level,
-				 int thread, ike_sa_t* ike_sa, char *format, va_list args)
-{
-	if (this->recursive)
-	{
-		return TRUE;
-	}
-	this->recursive = TRUE;
-
-	if (ike_sa && level <= this->level)
-	{
-		char buffer[8192];
-		chunk_t local_spi, remote_spi;
-		host_t *local_host, *remote_host;
-		identification_t *local_id, *remote_id;
-		u_int64_t ispi, rspi;
-		ike_sa_id_t *id;
-
-		id = ike_sa->get_id(ike_sa);
-		ispi = id->get_initiator_spi(id);
-		rspi = id->get_responder_spi(id);
-		if (id->is_initiator(id))
-		{
-			local_spi.ptr = (char*)&ispi;
-			remote_spi.ptr = (char*)&rspi;
-		}
-		else
-		{
-			local_spi.ptr = (char*)&rspi;
-			remote_spi.ptr = (char*)&ispi;
-		}
-		local_spi.len = remote_spi.len = sizeof(ispi);
-		local_id = ike_sa->get_my_id(ike_sa);
-		remote_id = ike_sa->get_other_id(ike_sa);
-		local_host = ike_sa->get_my_host(ike_sa);
-		remote_host = ike_sa->get_other_host(ike_sa);
-
-		vsnprintf(buffer, sizeof(buffer), format, args);
-
-		this->db->execute(this->db, NULL, "REPLACE INTO ike_sas ("
-						  "local_spi, remote_spi, id, initiator, "
-						  "local_id_type, local_id_data, "
-						  "remote_id_type, remote_id_data, "
-						  "host_family, local_host_data, remote_host_data) "
-						  "VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)",
-						  DB_BLOB, local_spi, DB_BLOB, remote_spi,
-						  DB_INT, ike_sa->get_unique_id(ike_sa),
-						  DB_INT, id->is_initiator(id),
-						  DB_INT, local_id->get_type(local_id),
-						  DB_BLOB, local_id->get_encoding(local_id),
-						  DB_INT, remote_id->get_type(remote_id),
-						  DB_BLOB, remote_id->get_encoding(remote_id),
-						  DB_INT, local_host->get_family(local_host),
-						  DB_BLOB, local_host->get_address(local_host),
-						  DB_BLOB, remote_host->get_address(remote_host));
-		this->db->execute(this->db, NULL, "INSERT INTO logs ("
-						  "local_spi, signal, level, msg) VALUES (?, ?, ?, ?)",
-						  DB_BLOB, local_spi, DB_INT, group, DB_INT, level,
-						  DB_TEXT, buffer);
-	}
-	this->recursive = FALSE;
-	/* always stay registered */
-	return TRUE;
-}
-
-/**
- * Implementation of sql_logger_t.destroy.
- */
-static void destroy(private_sql_logger_t *this)
-{
-	free(this);
-}
-
-/**
- * Described in header.
- */
-sql_logger_t *sql_logger_create(database_t *db)
-{
-	private_sql_logger_t *this = malloc_thing(private_sql_logger_t);
-
-	memset(&this->public.listener, 0, sizeof(listener_t));
-	this->public.listener.log = (bool(*)(listener_t*,debug_t,level_t,int,ike_sa_t*,char*,va_list))log_;
-	this->public.destroy = (void(*)(sql_logger_t*))destroy;
-
-	this->db = db;
-	this->recursive = FALSE;
-
-	this->level = lib->settings->get_int(lib->settings,
-										 "charon.plugins.sql.loglevel", -1);
-
-	return &this->public;
-}
-
diff --git a/src/charon/plugins/sql/sql_logger.h b/src/charon/plugins/sql/sql_logger.h
deleted file mode 100644
index a933705da..000000000
--- a/src/charon/plugins/sql/sql_logger.h
+++ /dev/null
@@ -1,53 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup sql_logger_i sql_logger
- * @{ @ingroup sql
- */
-
-#ifndef SQL_LOGGER_H_
-#define SQL_LOGGER_H_
-
-#include <bus/bus.h>
-#include <database/database.h>
-
-typedef struct sql_logger_t sql_logger_t;
-
-/**
- * SQL database logger.
- */
-struct sql_logger_t {
-
-	/**
-	 * Implements bus_listener_t interface
-	 */
-	listener_t listener;
-
-	/**
-	 * Destry the backend.
-	 */
-	void (*destroy)(sql_logger_t *this);
-};
-
-/**
- * Create a sql_logger instance.
- *
- * @param db		underlying database
- * @return			logger instance
- */
-sql_logger_t *sql_logger_create(database_t *db);
-
-#endif /** SQL_LOGGER_H_ @}*/
diff --git a/src/charon/plugins/sql/sql_plugin.c b/src/charon/plugins/sql/sql_plugin.c
deleted file mode 100644
index e2e410a8a..000000000
--- a/src/charon/plugins/sql/sql_plugin.c
+++ /dev/null
@@ -1,107 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "sql_plugin.h"
-
-#include <daemon.h>
-#include "sql_config.h"
-#include "sql_cred.h"
-#include "sql_logger.h"
-
-typedef struct private_sql_plugin_t private_sql_plugin_t;
-
-/**
- * private data of sql plugin
- */
-struct private_sql_plugin_t {
-
-	/**
-	 * implements plugin interface
-	 */
-	sql_plugin_t public;
-
-	/**
-	 * database connection instance
-	 */
-	database_t *db;
-
-	/**
-	 * configuration backend
-	 */
-	sql_config_t *config;
-
-	/**
-	 * credential set
-	 */
-	sql_cred_t *cred;
-
-	/**
-	 * bus listener/logger
-	 */
-	sql_logger_t *logger;
-};
-
-/**
- * Implementation of plugin_t.destroy
- */
-static void destroy(private_sql_plugin_t *this)
-{
-	charon->backends->remove_backend(charon->backends, &this->config->backend);
-	charon->credentials->remove_set(charon->credentials, &this->cred->set);
-	charon->bus->remove_listener(charon->bus, &this->logger->listener);
-	this->config->destroy(this->config);
-	this->cred->destroy(this->cred);
-	this->logger->destroy(this->logger);
-	this->db->destroy(this->db);
-	free(this);
-}
-
-/*
- * see header file
- */
-plugin_t *plugin_create()
-{
-	char *uri;
-	private_sql_plugin_t *this;
-
-	uri = lib->settings->get_str(lib->settings, "charon.plugins.sql.database", NULL);
-	if (!uri)
-	{
-		DBG1(DBG_CFG, "sql plugin: database URI not set");
-		return NULL;
-	}
-
-	this = malloc_thing(private_sql_plugin_t);
-
-	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-
-	this->db = lib->db->create(lib->db, uri);
-	if (!this->db)
-	{
-		DBG1(DBG_CFG, "sql plugin failed to connect to database");
-		free(this);
-		return NULL;
-	}
-	this->config = sql_config_create(this->db);
-	this->cred = sql_cred_create(this->db);
-	this->logger = sql_logger_create(this->db);
-
-	charon->backends->add_backend(charon->backends, &this->config->backend);
-	charon->credentials->add_set(charon->credentials, &this->cred->set);
-	charon->bus->add_listener(charon->bus, &this->logger->listener);
-
-	return &this->public.plugin;
-}
-
diff --git a/src/charon/plugins/sql/sql_plugin.h b/src/charon/plugins/sql/sql_plugin.h
deleted file mode 100644
index 8de04a891..000000000
--- a/src/charon/plugins/sql/sql_plugin.h
+++ /dev/null
@@ -1,47 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup sql sql
- * @ingroup cplugins
- *
- * @defgroup sql_plugin sql_plugin
- * @{ @ingroup sql
- */
-
-#ifndef SQL_PLUGIN_H_
-#define SQL_PLUGIN_H_
-
-#include <plugins/plugin.h>
-
-typedef struct sql_plugin_t sql_plugin_t;
-
-/**
- * SQL database configuration plugin
- */
-struct sql_plugin_t {
-
-	/**
-	 * implements plugin interface
-	 */
-	plugin_t plugin;
-};
-
-/**
- * Create a sql_plugin instance.
- */
-plugin_t *plugin_create();
-
-#endif /** SQL_PLUGIN_H_ @}*/
diff --git a/src/charon/plugins/stroke/Makefile.am b/src/charon/plugins/stroke/Makefile.am
deleted file mode 100644
index 94d311609..000000000
--- a/src/charon/plugins/stroke/Makefile.am
+++ /dev/null
@@ -1,22 +0,0 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon -I$(top_srcdir)/src/stroke
-
-AM_CFLAGS = \
--rdynamic \
--DIPSEC_CONFDIR=\"${sysconfdir}\" \
--DIPSEC_PIDDIR=\"${piddir}\"
-
-plugin_LTLIBRARIES = libstrongswan-stroke.la
-
-libstrongswan_stroke_la_SOURCES = stroke_plugin.h stroke_plugin.c \
-  stroke_socket.h stroke_socket.c \
-  stroke_config.h stroke_config.c \
-  stroke_control.h stroke_control.c \
-  stroke_cred.h stroke_cred.c \
-  stroke_ca.h stroke_ca.c \
-  stroke_attribute.h stroke_attribute.c \
-  stroke_list.h stroke_list.c \
-  stroke_shared_key.h stroke_shared_key.c
-
-libstrongswan_stroke_la_LDFLAGS = -module -avoid-version
-
diff --git a/src/charon/plugins/stroke/Makefile.in b/src/charon/plugins/stroke/Makefile.in
deleted file mode 100644
index 6e6b3b813..000000000
--- a/src/charon/plugins/stroke/Makefile.in
+++ /dev/null
@@ -1,590 +0,0 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
-# @configure_input@
-
-# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
-# This Makefile.in is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
-# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
-# PARTICULAR PURPOSE.
-
-@SET_MAKE@
-
-VPATH = @srcdir@
-pkgdatadir = $(datadir)/@PACKAGE@
-pkgincludedir = $(includedir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
-pkglibexecdir = $(libexecdir)/@PACKAGE@
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-install_sh_DATA = $(install_sh) -c -m 644
-install_sh_PROGRAM = $(install_sh) -c
-install_sh_SCRIPT = $(install_sh) -c
-INSTALL_HEADER = $(INSTALL_DATA)
-transform = $(program_transform_name)
-NORMAL_INSTALL = :
-PRE_INSTALL = :
-POST_INSTALL = :
-NORMAL_UNINSTALL = :
-PRE_UNINSTALL = :
-POST_UNINSTALL = :
-build_triplet = @build@
-host_triplet = @host@
-subdir = src/charon/plugins/stroke
-DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
-ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
-	$(top_srcdir)/m4/config/ltoptions.m4 \
-	$(top_srcdir)/m4/config/ltsugar.m4 \
-	$(top_srcdir)/m4/config/ltversion.m4 \
-	$(top_srcdir)/m4/config/lt~obsolete.m4 \
-	$(top_srcdir)/m4/macros/with.m4 \
-	$(top_srcdir)/m4/macros/enable-disable.m4 \
-	$(top_srcdir)/configure.in
-am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
-	$(ACLOCAL_M4)
-mkinstalldirs = $(install_sh) -d
-CONFIG_CLEAN_FILES =
-CONFIG_CLEAN_VPATH_FILES =
-am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
-am__vpath_adj = case $$p in \
-    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
-    *) f=$$p;; \
-  esac;
-am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
-am__install_max = 40
-am__nobase_strip_setup = \
-  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
-am__nobase_strip = \
-  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
-am__nobase_list = $(am__nobase_strip_setup); \
-  for p in $$list; do echo "$$p $$p"; done | \
-  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
-  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
-    if (++n[$$2] == $(am__install_max)) \
-      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
-    END { for (dir in files) print dir, files[dir] }'
-am__base_list = \
-  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
-  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
-am__installdirs = "$(DESTDIR)$(plugindir)"
-LTLIBRARIES = $(plugin_LTLIBRARIES)
-libstrongswan_stroke_la_LIBADD =
-am_libstrongswan_stroke_la_OBJECTS = stroke_plugin.lo stroke_socket.lo \
-	stroke_config.lo stroke_control.lo stroke_cred.lo stroke_ca.lo \
-	stroke_attribute.lo stroke_list.lo stroke_shared_key.lo
-libstrongswan_stroke_la_OBJECTS =  \
-	$(am_libstrongswan_stroke_la_OBJECTS)
-libstrongswan_stroke_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_stroke_la_LDFLAGS) $(LDFLAGS) -o $@
-DEFAULT_INCLUDES = -I.@am__isrc@
-depcomp = $(SHELL) $(top_srcdir)/depcomp
-am__depfiles_maybe = depfiles
-am__mv = mv -f
-COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
-	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
-SOURCES = $(libstrongswan_stroke_la_SOURCES)
-DIST_SOURCES = $(libstrongswan_stroke_la_SOURCES)
-ETAGS = etags
-CTAGS = ctags
-DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
-ACLOCAL = @ACLOCAL@
-ALLOCA = @ALLOCA@
-AMTAR = @AMTAR@
-AR = @AR@
-AUTOCONF = @AUTOCONF@
-AUTOHEADER = @AUTOHEADER@
-AUTOMAKE = @AUTOMAKE@
-AWK = @AWK@
-BTLIB = @BTLIB@
-CC = @CC@
-CCDEPMODE = @CCDEPMODE@
-CFLAGS = @CFLAGS@
-CPP = @CPP@
-CPPFLAGS = @CPPFLAGS@
-CYGPATH_W = @CYGPATH_W@
-DEFS = @DEFS@
-DEPDIR = @DEPDIR@
-DLLIB = @DLLIB@
-DSYMUTIL = @DSYMUTIL@
-DUMPBIN = @DUMPBIN@
-ECHO_C = @ECHO_C@
-ECHO_N = @ECHO_N@
-ECHO_T = @ECHO_T@
-EGREP = @EGREP@
-EXEEXT = @EXEEXT@
-FGREP = @FGREP@
-GPERF = @GPERF@
-GREP = @GREP@
-INSTALL = @INSTALL@
-INSTALL_DATA = @INSTALL_DATA@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@
-INSTALL_SCRIPT = @INSTALL_SCRIPT@
-INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-LD = @LD@
-LDFLAGS = @LDFLAGS@
-LEX = @LEX@
-LEXLIB = @LEXLIB@
-LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBOBJS = @LIBOBJS@
-LIBS = @LIBS@
-LIBTOOL = @LIBTOOL@
-LIPO = @LIPO@
-LN_S = @LN_S@
-LTLIBOBJS = @LTLIBOBJS@
-MAKEINFO = @MAKEINFO@
-MKDIR_P = @MKDIR_P@
-MYSQLCFLAG = @MYSQLCFLAG@
-MYSQLCONFIG = @MYSQLCONFIG@
-MYSQLLIB = @MYSQLLIB@
-NM = @NM@
-NMEDIT = @NMEDIT@
-OBJDUMP = @OBJDUMP@
-OBJEXT = @OBJEXT@
-OTOOL = @OTOOL@
-OTOOL64 = @OTOOL64@
-PACKAGE = @PACKAGE@
-PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
-PACKAGE_NAME = @PACKAGE_NAME@
-PACKAGE_STRING = @PACKAGE_STRING@
-PACKAGE_TARNAME = @PACKAGE_TARNAME@
-PACKAGE_URL = @PACKAGE_URL@
-PACKAGE_VERSION = @PACKAGE_VERSION@
-PATH_SEPARATOR = @PATH_SEPARATOR@
-PERL = @PERL@
-PKG_CONFIG = @PKG_CONFIG@
-PTHREADLIB = @PTHREADLIB@
-RANLIB = @RANLIB@
-RTLIB = @RTLIB@
-RUBY = @RUBY@
-RUBYINCLUDE = @RUBYINCLUDE@
-SED = @SED@
-SET_MAKE = @SET_MAKE@
-SHELL = @SHELL@
-SOCKLIB = @SOCKLIB@
-STRIP = @STRIP@
-VERSION = @VERSION@
-YACC = @YACC@
-YFLAGS = @YFLAGS@
-abs_builddir = @abs_builddir@
-abs_srcdir = @abs_srcdir@
-abs_top_builddir = @abs_top_builddir@
-abs_top_srcdir = @abs_top_srcdir@
-ac_ct_CC = @ac_ct_CC@
-ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
-am__include = @am__include@
-am__leading_dot = @am__leading_dot@
-am__quote = @am__quote@
-am__tar = @am__tar@
-am__untar = @am__untar@
-bindir = @bindir@
-build = @build@
-build_alias = @build_alias@
-build_cpu = @build_cpu@
-build_os = @build_os@
-build_vendor = @build_vendor@
-builddir = @builddir@
-datadir = @datadir@
-datarootdir = @datarootdir@
-default_pkcs11 = @default_pkcs11@
-docdir = @docdir@
-dvidir = @dvidir@
-exec_prefix = @exec_prefix@
-gtk_CFLAGS = @gtk_CFLAGS@
-gtk_LIBS = @gtk_LIBS@
-host = @host@
-host_alias = @host_alias@
-host_cpu = @host_cpu@
-host_os = @host_os@
-host_vendor = @host_vendor@
-htmldir = @htmldir@
-includedir = @includedir@
-infodir = @infodir@
-install_sh = @install_sh@
-ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
-ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
-ipsecuser = @ipsecuser@
-libdir = @libdir@
-libexecdir = @libexecdir@
-libstrongswan_plugins = @libstrongswan_plugins@
-linux_headers = @linux_headers@
-localedir = @localedir@
-localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
-mandir = @mandir@
-mkdir_p = @mkdir_p@
-nm_CFLAGS = @nm_CFLAGS@
-nm_LIBS = @nm_LIBS@
-nm_ca_dir = @nm_ca_dir@
-oldincludedir = @oldincludedir@
-pdfdir = @pdfdir@
-piddir = @piddir@
-plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
-prefix = @prefix@
-program_transform_name = @program_transform_name@
-psdir = @psdir@
-random_device = @random_device@
-resolv_conf = @resolv_conf@
-routing_table = @routing_table@
-routing_table_prio = @routing_table_prio@
-sbindir = @sbindir@
-sharedstatedir = @sharedstatedir@
-srcdir = @srcdir@
-strongswan_conf = @strongswan_conf@
-sysconfdir = @sysconfdir@
-target_alias = @target_alias@
-top_build_prefix = @top_build_prefix@
-top_builddir = @top_builddir@
-top_srcdir = @top_srcdir@
-urandom_device = @urandom_device@
-xml_CFLAGS = @xml_CFLAGS@
-xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon -I$(top_srcdir)/src/stroke
-AM_CFLAGS = \
--rdynamic \
--DIPSEC_CONFDIR=\"${sysconfdir}\" \
--DIPSEC_PIDDIR=\"${piddir}\"
-
-plugin_LTLIBRARIES = libstrongswan-stroke.la
-libstrongswan_stroke_la_SOURCES = stroke_plugin.h stroke_plugin.c \
-  stroke_socket.h stroke_socket.c \
-  stroke_config.h stroke_config.c \
-  stroke_control.h stroke_control.c \
-  stroke_cred.h stroke_cred.c \
-  stroke_ca.h stroke_ca.c \
-  stroke_attribute.h stroke_attribute.c \
-  stroke_list.h stroke_list.c \
-  stroke_shared_key.h stroke_shared_key.c
-
-libstrongswan_stroke_la_LDFLAGS = -module -avoid-version
-all: all-am
-
-.SUFFIXES:
-.SUFFIXES: .c .lo .o .obj
-$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
-	@for dep in $?; do \
-	  case '$(am__configure_deps)' in \
-	    *$$dep*) \
-	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
-	        && { if test -f $@; then exit 0; else break; fi; }; \
-	      exit 1;; \
-	  esac; \
-	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/charon/plugins/stroke/Makefile'; \
-	$(am__cd) $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu src/charon/plugins/stroke/Makefile
-.PRECIOUS: Makefile
-Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
-	@case '$?' in \
-	  *config.status*) \
-	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
-	  *) \
-	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
-	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
-	esac;
-
-$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-
-$(top_srcdir)/configure:  $(am__configure_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(am__aclocal_m4_deps):
-install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
-	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
-	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
-	list2=; for p in $$list; do \
-	  if test -f $$p; then \
-	    list2="$$list2 $$p"; \
-	  else :; fi; \
-	done; \
-	test -z "$$list2" || { \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
-	}
-
-uninstall-pluginLTLIBRARIES:
-	@$(NORMAL_UNINSTALL)
-	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
-	for p in $$list; do \
-	  $(am__strip_dir) \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
-	done
-
-clean-pluginLTLIBRARIES:
-	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
-	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
-	  test "$$dir" != "$$p" || dir=.; \
-	  echo "rm -f \"$${dir}/so_locations\""; \
-	  rm -f "$${dir}/so_locations"; \
-	done
-libstrongswan-stroke.la: $(libstrongswan_stroke_la_OBJECTS) $(libstrongswan_stroke_la_DEPENDENCIES) 
-	$(libstrongswan_stroke_la_LINK) -rpath $(plugindir) $(libstrongswan_stroke_la_OBJECTS) $(libstrongswan_stroke_la_LIBADD) $(LIBS)
-
-mostlyclean-compile:
-	-rm -f *.$(OBJEXT)
-
-distclean-compile:
-	-rm -f *.tab.c
-
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stroke_attribute.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stroke_ca.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stroke_config.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stroke_control.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stroke_cred.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stroke_list.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stroke_plugin.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stroke_shared_key.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stroke_socket.Plo@am__quote@
-
-.c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
-
-.c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
-
-.c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
-
-mostlyclean-libtool:
-	-rm -f *.lo
-
-clean-libtool:
-	-rm -rf .libs _libs
-
-ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
-	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	mkid -fID $$unique
-tags: TAGS
-
-TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	set x; \
-	here=`pwd`; \
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	shift; \
-	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
-	  test -n "$$unique" || unique=$$empty_fix; \
-	  if test $$# -gt 0; then \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      "$$@" $$unique; \
-	  else \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      $$unique; \
-	  fi; \
-	fi
-ctags: CTAGS
-CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$unique" \
-	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$unique
-
-GTAGS:
-	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && $(am__cd) $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) "$$here"
-
-distclean-tags:
-	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
-
-distdir: $(DISTFILES)
-	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	list='$(DISTFILES)'; \
-	  dist_files=`for file in $$list; do echo $$file; done | \
-	  sed -e "s|^$$srcdirstrip/||;t" \
-	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
-	case $$dist_files in \
-	  */*) $(MKDIR_P) `echo "$$dist_files" | \
-			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
-			   sort -u` ;; \
-	esac; \
-	for file in $$dist_files; do \
-	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  if test -d $$d/$$file; then \
-	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
-	    if test -d "$(distdir)/$$file"; then \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
-	  else \
-	    test -f "$(distdir)/$$file" \
-	    || cp -p $$d/$$file "$(distdir)/$$file" \
-	    || exit 1; \
-	  fi; \
-	done
-check-am: all-am
-check: check-am
-all-am: Makefile $(LTLIBRARIES)
-installdirs:
-	for dir in "$(DESTDIR)$(plugindir)"; do \
-	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
-	done
-install: install-am
-install-exec: install-exec-am
-install-data: install-data-am
-uninstall: uninstall-am
-
-install-am: all-am
-	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
-
-installcheck: installcheck-am
-install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
-mostlyclean-generic:
-
-clean-generic:
-
-distclean-generic:
-	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
-
-maintainer-clean-generic:
-	@echo "This command is intended for maintainers to use"
-	@echo "it deletes files that may require special tools to rebuild."
-clean: clean-am
-
-clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
-	mostlyclean-am
-
-distclean: distclean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-distclean-am: clean-am distclean-compile distclean-generic \
-	distclean-tags
-
-dvi: dvi-am
-
-dvi-am:
-
-html: html-am
-
-html-am:
-
-info: info-am
-
-info-am:
-
-install-data-am: install-pluginLTLIBRARIES
-
-install-dvi: install-dvi-am
-
-install-dvi-am:
-
-install-exec-am:
-
-install-html: install-html-am
-
-install-html-am:
-
-install-info: install-info-am
-
-install-info-am:
-
-install-man:
-
-install-pdf: install-pdf-am
-
-install-pdf-am:
-
-install-ps: install-ps-am
-
-install-ps-am:
-
-installcheck-am:
-
-maintainer-clean: maintainer-clean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-maintainer-clean-am: distclean-am maintainer-clean-generic
-
-mostlyclean: mostlyclean-am
-
-mostlyclean-am: mostlyclean-compile mostlyclean-generic \
-	mostlyclean-libtool
-
-pdf: pdf-am
-
-pdf-am:
-
-ps: ps-am
-
-ps-am:
-
-uninstall-am: uninstall-pluginLTLIBRARIES
-
-.MAKE: install-am install-strip
-
-.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
-	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
-	distclean-compile distclean-generic distclean-libtool \
-	distclean-tags distdir dvi dvi-am html html-am info info-am \
-	install install-am install-data install-data-am install-dvi \
-	install-dvi-am install-exec install-exec-am install-html \
-	install-html-am install-info install-info-am install-man \
-	install-pdf install-pdf-am install-pluginLTLIBRARIES \
-	install-ps install-ps-am install-strip installcheck \
-	installcheck-am installdirs maintainer-clean \
-	maintainer-clean-generic mostlyclean mostlyclean-compile \
-	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
-
-
-# Tell versions [3.59,3.63) of GNU make to not export all variables.
-# Otherwise a system limit (for SysV at least) may be exceeded.
-.NOEXPORT:
diff --git a/src/charon/plugins/stroke/stroke_attribute.c b/src/charon/plugins/stroke/stroke_attribute.c
deleted file mode 100644
index 7a5ce683e..000000000
--- a/src/charon/plugins/stroke/stroke_attribute.c
+++ /dev/null
@@ -1,546 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "stroke_attribute.h"
-
-#include <daemon.h>
-#include <utils/linked_list.h>
-#include <utils/hashtable.h>
-#include <threading/mutex.h>
-
-#define POOL_LIMIT (sizeof(uintptr_t)*8)
-
-typedef struct private_stroke_attribute_t private_stroke_attribute_t;
-
-/**
- * private data of stroke_attribute
- */
-struct private_stroke_attribute_t {
-
-	/**
-	 * public functions
-	 */
-	stroke_attribute_t public;
-
-	/**
-	 * list of pools, contains pool_t
-	 */
-	linked_list_t *pools;
-
-	/**
-	 * mutex to lock access to pools
-	 */
-	mutex_t *mutex;
-};
-
-typedef struct {
-	/** name of the pool */
-	char *name;
-	/** base address of the pool */
-	host_t *base;
-	/** size of the pool */
-	int size;
-	/** next unused address */
-	int unused;
-	/** hashtable [identity => offset], for online leases */
-	hashtable_t *online;
-	/** hashtable [identity => offset], for offline leases */
-	hashtable_t *offline;
-	/** hashtable [identity => identity], handles identity references */
-	hashtable_t *ids;
-} pool_t;
-
-/**
- * hashtable hash function for identities
- */
-static u_int id_hash(identification_t *id)
-{
-	return chunk_hash(id->get_encoding(id));
-}
-
-/**
- * hashtable equals function for identities
- */
-static bool id_equals(identification_t *a, identification_t *b)
-{
-	return a->equals(a, b);
-}
-
-/**
- * destroy a pool_t
- */
-static void pool_destroy(pool_t *this)
-{
-	enumerator_t *enumerator;
-	identification_t *id;
-
-	enumerator = this->ids->create_enumerator(this->ids);
-	while (enumerator->enumerate(enumerator, &id, NULL))
-	{
-		id->destroy(id);
-	}
-	enumerator->destroy(enumerator);
-	this->ids->destroy(this->ids);
-	this->online->destroy(this->online);
-	this->offline->destroy(this->offline);
-	DESTROY_IF(this->base);
-	free(this->name);
-	free(this);
-}
-
-/**
- * find a pool by name
- */
-static pool_t *find_pool(private_stroke_attribute_t *this, char *name)
-{
-	enumerator_t *enumerator;
-	pool_t *current, *found = NULL;
-
-	enumerator = this->pools->create_enumerator(this->pools);
-	while (enumerator->enumerate(enumerator, &current))
-	{
-		if (streq(name, current->name))
-		{
-			found = current;
-			break;
-		}
-	}
-	enumerator->destroy(enumerator);
-	return found;
-}
-
-/**
- * convert an pool offset to an address
- */
-host_t* offset2host(pool_t *pool, int offset)
-{
-	chunk_t addr;
-	host_t *host;
-	u_int32_t *pos;
-
-	offset--;
-	if (offset > pool->size)
-	{
-		return NULL;
-	}
-
-	addr = chunk_clone(pool->base->get_address(pool->base));
-	if (pool->base->get_family(pool->base) == AF_INET6)
-	{
-		pos = (u_int32_t*)(addr.ptr + 12);
-	}
-	else
-	{
-		pos = (u_int32_t*)addr.ptr;
-	}
-	*pos = htonl(offset + ntohl(*pos));
-	host = host_create_from_chunk(pool->base->get_family(pool->base), addr, 0);
-	free(addr.ptr);
-	return host;
-}
-
-/**
- * convert a host to a pool offset
- */
-int host2offset(pool_t *pool, host_t *addr)
-{
-	chunk_t host, base;
-	u_int32_t hosti, basei;
-
-	if (addr->get_family(addr) != pool->base->get_family(pool->base))
-	{
-		return -1;
-	}
-	host = addr->get_address(addr);
-	base = pool->base->get_address(pool->base);
-	if (addr->get_family(addr) == AF_INET6)
-	{
-		/* only look at last /32 block */
-		if (!memeq(host.ptr, base.ptr, 12))
-		{
-			return -1;
-		}
-		host = chunk_skip(host, 12);
-		base = chunk_skip(base, 12);
-	}
-	hosti = ntohl(*(u_int32_t*)(host.ptr));
-	basei = ntohl(*(u_int32_t*)(base.ptr));
-	if (hosti > basei + pool->size)
-	{
-		return -1;
-	}
-	return hosti - basei + 1;
-}
-
-/**
- * Implementation of attribute_provider_t.acquire_address
- */
-static host_t* acquire_address(private_stroke_attribute_t *this,
-							   char *name, identification_t *id,
-							   host_t *requested)
-{
-	pool_t *pool;
-	uintptr_t offset = 0;
-	enumerator_t *enumerator;
-	identification_t *old_id;
-
-	this->mutex->lock(this->mutex);
-	pool = find_pool(this, name);
-	while (pool)
-	{
-		/* handle %config case by mirroring requested address */
-		if (pool->size == 0)
-		{
-			this->mutex->unlock(this->mutex);
-			return requested->clone(requested);
-		}
-
-		if (!requested->is_anyaddr(requested) &&
-			requested->get_family(requested) !=
-			pool->base->get_family(pool->base))
-		{
-			DBG1(DBG_CFG, "IP pool address family mismatch");
-			break;
-		}
-
-		/* check for a valid offline lease, refresh */
-		offset = (uintptr_t)pool->offline->remove(pool->offline, id);
-		if (offset)
-		{
-			id = pool->ids->get(pool->ids, id);
-			if (id)
-			{
-				DBG1(DBG_CFG, "reassigning offline lease to '%Y'", id);
-				pool->online->put(pool->online, id, (void*)offset);
-				break;
-			}
-		}
-
-		/* check for a valid online lease, reassign */
-		offset = (uintptr_t)pool->online->get(pool->online, id);
-		if (offset && offset == host2offset(pool, requested))
-		{
-			DBG1(DBG_CFG, "reassigning online lease to '%Y'", id);
-			break;
-		}
-
-		if (pool->unused < pool->size)
-		{
-			/* assigning offset, starting by 1. Handling 0 in hashtable
-			 * is difficult. */
-			offset = ++pool->unused;
-			id = id->clone(id);
-			pool->ids->put(pool->ids, id, id);
-			pool->online->put(pool->online, id, (void*)offset);
-			DBG1(DBG_CFG, "assigning new lease to '%Y'", id);
-			break;
-		}
-		/* no more addresses, replace the first found offline lease */
-		enumerator = pool->offline->create_enumerator(pool->offline);
-		if (enumerator->enumerate(enumerator, &old_id, &offset))
-		{
-			offset = (uintptr_t)pool->offline->remove(pool->offline, old_id);
-			if (offset)
-			{
-				/* destroy reference to old ID */
-				old_id = pool->ids->remove(pool->ids, old_id);
-				DBG1(DBG_CFG, "reassigning existing offline lease by '%Y' to '%Y'",
-					 old_id, id);
-				if (old_id)
-				{
-					old_id->destroy(old_id);
-				}
-				id = id->clone(id);
-				pool->ids->put(pool->ids, id, id);
-				pool->online->put(pool->online, id, (void*)offset);
-				enumerator->destroy(enumerator);
-				break;
-			}
-		}
-		enumerator->destroy(enumerator);
-
-		DBG1(DBG_CFG, "pool '%s' is full, unable to assign address", name);
-		break;
-	}
-	this->mutex->unlock(this->mutex);
-	if (offset)
-	{
-		return offset2host(pool, offset);
-	}
-	return NULL;
-}
-
-/**
- * Implementation of attribute_provider_t.release_address
- */
-static bool release_address(private_stroke_attribute_t *this,
-							char *name, host_t *address, identification_t *id)
-{
-	pool_t *pool;
-	bool found = FALSE;
-	uintptr_t offset;
-
-	this->mutex->lock(this->mutex);
-	pool = find_pool(this, name);
-	if (pool)
-	{
-		if (pool->size != 0)
-		{
-			offset = (uintptr_t)pool->online->remove(pool->online, id);
-			if (offset)
-			{
-				id = pool->ids->get(pool->ids, id);
-				if (id)
-				{
-					DBG1(DBG_CFG, "lease %H by '%Y' went offline", address, id);
-					pool->offline->put(pool->offline, id, (void*)offset);
-					found = TRUE;
-				}
-			}
-		}
-	}
-	this->mutex->unlock(this->mutex);
-	return found;
-}
-
-/**
- * Implementation of stroke_attribute_t.add_pool.
- */
-static void add_pool(private_stroke_attribute_t *this, stroke_msg_t *msg)
-{
-	if (msg->add_conn.other.sourceip_mask)
-	{
-		pool_t *pool;
-
-		pool = malloc_thing(pool_t);
-		pool->base = NULL;
-		pool->size = 0;
-		pool->unused = 0;
-		pool->name = strdup(msg->add_conn.name);
-		pool->online = hashtable_create((hashtable_hash_t)id_hash,
-										(hashtable_equals_t)id_equals, 16);
-		pool->offline = hashtable_create((hashtable_hash_t)id_hash,
-										(hashtable_equals_t)id_equals, 16);
-		pool->ids = hashtable_create((hashtable_hash_t)id_hash,
-										(hashtable_equals_t)id_equals, 16);
-
-		/* if %config, add an empty pool, otherwise */
-		if (msg->add_conn.other.sourceip)
-		{
-			u_int32_t bits;
-			int family;
-
-			DBG1(DBG_CFG, "adding virtual IP address pool '%s': %s/%d",
-				 msg->add_conn.name, msg->add_conn.other.sourceip,
-				 msg->add_conn.other.sourceip_mask);
-
-			pool->base = host_create_from_string(msg->add_conn.other.sourceip, 0);
-			if (!pool->base)
-			{
-				pool_destroy(pool);
-				DBG1(DBG_CFG, "virtual IP address invalid, discarded");
-				return;
-			}
-			family = pool->base->get_family(pool->base);
-			bits = (family == AF_INET ? 32 : 128) - msg->add_conn.other.sourceip_mask;
-			if (bits > POOL_LIMIT)
-			{
-				bits = POOL_LIMIT;
-				DBG1(DBG_CFG, "virtual IP pool to large, limiting to %s/%d",
-					 msg->add_conn.other.sourceip,
-					 (family == AF_INET ? 32 : 128) - bits);
-			}
-			pool->size = 1 << (bits);
-
-			if (pool->size > 2)
-			{	/* do not use first and last addresses of a block */
-				pool->unused++;
-				pool->size--;
-			}
-		}
-		this->mutex->lock(this->mutex);
-		this->pools->insert_last(this->pools, pool);
-		this->mutex->unlock(this->mutex);
-	}
-}
-
-/**
- * Implementation of stroke_attribute_t.del_pool.
- */
-static void del_pool(private_stroke_attribute_t *this, stroke_msg_t *msg)
-{
-	enumerator_t *enumerator;
-	pool_t *pool;
-
-	this->mutex->lock(this->mutex);
-	enumerator = this->pools->create_enumerator(this->pools);
-	while (enumerator->enumerate(enumerator, &pool))
-	{
-		if (streq(msg->del_conn.name, pool->name))
-		{
-			this->pools->remove_at(this->pools, enumerator);
-			pool_destroy(pool);
-			break;
-		}
-	}
-	enumerator->destroy(enumerator);
-	this->mutex->unlock(this->mutex);
-}
-
-/**
- * Pool enumerator filter function, converts pool_t to name, size, ...
- */
-static bool pool_filter(void *mutex, pool_t **poolp, char **name,
-						void *d1, u_int *size, void *d2, u_int *online,
-						void *d3, u_int *offline)
-{
-	pool_t *pool = *poolp;
-
-	*name = pool->name;
-	*size = pool->size;
-	*online = pool->online->get_count(pool->online);
-	*offline = pool->offline->get_count(pool->offline);
-	return TRUE;
-}
-
-/**
- * Implementation of stroke_attribute_t.create_pool_enumerator
- */
-static enumerator_t* create_pool_enumerator(private_stroke_attribute_t *this)
-{
-	this->mutex->lock(this->mutex);
-	return enumerator_create_filter(this->pools->create_enumerator(this->pools),
-									(void*)pool_filter,
-									this->mutex, (void*)this->mutex->unlock);
-}
-
-/**
- * lease enumerator
- */
-typedef struct {
-	/** implemented enumerator interface */
-	enumerator_t public;
-	/** inner hash-table enumerator */
-	enumerator_t *inner;
-	/** enumerated pool */
-	pool_t *pool;
-	/** mutex to unlock on destruction */
-	mutex_t *mutex;
-	/** currently enumerated lease address */
-	host_t *current;
-} lease_enumerator_t;
-
-/**
- * Implementation of lease_enumerator_t.enumerate
- */
-static bool lease_enumerate(lease_enumerator_t *this, identification_t **id_out,
-							host_t **addr_out, bool *online)
-{
-	identification_t *id;
-	uintptr_t offset;
-
-	DESTROY_IF(this->current);
-	this->current = NULL;
-
-	if (this->inner->enumerate(this->inner, &id, NULL))
-	{
-		offset = (uintptr_t)this->pool->online->get(this->pool->online, id);
-		if (offset)
-		{
-			*id_out = id;
-			*addr_out = this->current = offset2host(this->pool, offset);
-			*online = TRUE;
-			return TRUE;
-		}
-		offset = (uintptr_t)this->pool->offline->get(this->pool->offline, id);
-		if (offset)
-		{
-			*id_out = id;
-			*addr_out = this->current = offset2host(this->pool, offset);
-			*online = FALSE;
-			return TRUE;
-		}
-	}
-	return FALSE;
-}
-
-/**
- * Implementation of lease_enumerator_t.destroy
- */
-static void lease_enumerator_destroy(lease_enumerator_t *this)
-{
-	DESTROY_IF(this->current);
-	this->inner->destroy(this->inner);
-	this->mutex->unlock(this->mutex);
-	free(this);
-}
-
-/**
- * Implementation of stroke_attribute_t.create_lease_enumerator
- */
-static enumerator_t* create_lease_enumerator(private_stroke_attribute_t *this,
-											 char *pool)
-{
-	lease_enumerator_t *enumerator;
-
-	this->mutex->lock(this->mutex);
-	enumerator = malloc_thing(lease_enumerator_t);
-	enumerator->pool = find_pool(this, pool);
-	if (!enumerator->pool)
-	{
-		this->mutex->unlock(this->mutex);
-		free(enumerator);
-		return NULL;
-	}
-	enumerator->public.enumerate = (void*)lease_enumerate;
-	enumerator->public.destroy = (void*)lease_enumerator_destroy;
-	enumerator->inner = enumerator->pool->ids->create_enumerator(enumerator->pool->ids);
-	enumerator->mutex = this->mutex;
-	enumerator->current = NULL;
-	return &enumerator->public;
-}
-
-/**
- * Implementation of stroke_attribute_t.destroy
- */
-static void destroy(private_stroke_attribute_t *this)
-{
-	this->mutex->destroy(this->mutex);
-	this->pools->destroy_function(this->pools, (void*)pool_destroy);
-	free(this);
-}
-
-/*
- * see header file
- */
-stroke_attribute_t *stroke_attribute_create()
-{
-	private_stroke_attribute_t *this = malloc_thing(private_stroke_attribute_t);
-
-	this->public.provider.acquire_address = (host_t*(*)(attribute_provider_t *this, char*, identification_t *,host_t *))acquire_address;
-	this->public.provider.release_address = (bool(*)(attribute_provider_t *this, char*,host_t *, identification_t*))release_address;
-	this->public.provider.create_attribute_enumerator = (enumerator_t*(*)(attribute_provider_t*, identification_t *id, host_t *vip))enumerator_create_empty;
-	this->public.add_pool = (void(*)(stroke_attribute_t*, stroke_msg_t *msg))add_pool;
-	this->public.del_pool = (void(*)(stroke_attribute_t*, stroke_msg_t *msg))del_pool;
-	this->public.create_pool_enumerator = (enumerator_t*(*)(stroke_attribute_t*))create_pool_enumerator;
-	this->public.create_lease_enumerator = (enumerator_t*(*)(stroke_attribute_t*, char *pool))create_lease_enumerator;
-	this->public.destroy = (void(*)(stroke_attribute_t*))destroy;
-
-	this->pools = linked_list_create();
-	this->mutex = mutex_create(MUTEX_TYPE_RECURSIVE);
-
-	return &this->public;
-}
-
diff --git a/src/charon/plugins/stroke/stroke_attribute.h b/src/charon/plugins/stroke/stroke_attribute.h
deleted file mode 100644
index cf6c950a6..000000000
--- a/src/charon/plugins/stroke/stroke_attribute.h
+++ /dev/null
@@ -1,86 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup stroke_attribute stroke_attribute
- * @{ @ingroup stroke
- */
-
-#ifndef STROKE_ATTRIBUTE_H_
-#define STROKE_ATTRIBUTE_H_
-
-#include <stroke_msg.h>
-#include <attributes/attribute_provider.h>
-
-typedef struct stroke_attribute_t stroke_attribute_t;
-
-/**
- * Stroke IKEv2 cfg attribute provider
- */
-struct stroke_attribute_t {
-
-	/**
-	 * Implements attribute provider interface
-	 */
-	attribute_provider_t provider;
-
-	/**
-	 * Add a virtual IP address.
-	 *
-	 * @param msg		stroke message
-	 * @param end		end of stroke message that contains virtual IP.
-	 */
-	void (*add_pool)(stroke_attribute_t *this, stroke_msg_t *msg);
-
-	/**
-	 * Remove a virtual IP address.
-	 *
-	 * @param msg		stroke message
-	 */
-	void (*del_pool)(stroke_attribute_t *this, stroke_msg_t *msg);
-
-	/**
-	 * Create an enumerator over installed pools.
-	 *
-	 * Enumerator enumerates over
-	 * char *pool, u_int size, u_int offline, u_int online.
-	 *
-	 * @return			enumerator
-	 */
-	enumerator_t* (*create_pool_enumerator)(stroke_attribute_t *this);
-
-	/**
-	 * Create an enumerator over the leases of a pool.
-	 *
-	 * Enumerator enumerates over
-	 * identification_t *id, host_t *address, bool online
-	 *
-	 * @param pool		name of the pool to enumerate
-	 * @return 			enumerator, NULL if pool not found
-	 */
-	enumerator_t* (*create_lease_enumerator)(stroke_attribute_t *this,
-											 char *pool);
-	/**
-	 * Destroy a stroke_attribute instance.
-	 */
-	void (*destroy)(stroke_attribute_t *this);
-};
-
-/**
- * Create a stroke_attribute instance.
- */
-stroke_attribute_t *stroke_attribute_create();
-
-#endif /** STROKE_ATTRIBUTE_H_ @}*/
diff --git a/src/charon/plugins/stroke/stroke_ca.c b/src/charon/plugins/stroke/stroke_ca.c
deleted file mode 100644
index 49146f18b..000000000
--- a/src/charon/plugins/stroke/stroke_ca.c
+++ /dev/null
@@ -1,458 +0,0 @@
-/*
- * Copyright (C) 2008 Tobias Brunner
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "stroke_ca.h"
-#include "stroke_cred.h"
-
-#include <threading/rwlock.h>
-#include <utils/linked_list.h>
-#include <crypto/hashers/hasher.h>
-
-#include <daemon.h>
-
-typedef struct private_stroke_ca_t private_stroke_ca_t;
-
-/**
- * private data of stroke_ca
- */
-struct private_stroke_ca_t {
-
-	/**
-	 * public functions
-	 */
-	stroke_ca_t public;
-
-	/**
-	 * read-write lock to lists
-	 */
-	rwlock_t *lock;
-
-	/**
-	 * list of starters CA sections and its certificates (ca_section_t)
-	 */
-	linked_list_t *sections;
-
-	/**
-	 * stroke credentials, stores our CA certificates
-	 */
-	stroke_cred_t *cred;
-};
-
-typedef struct ca_section_t ca_section_t;
-
-/**
- * loaded ipsec.conf CA sections
- */
-struct ca_section_t {
-
-	/**
-	 * name of the CA section
-	 */
-	char *name;
-
-	/**
-	 * reference to cert in trusted_credential_t
-	 */
-	certificate_t *cert;
-
-	/**
-	 * CRL URIs
-	 */
-	linked_list_t *crl;
-
-	/**
-	 * OCSP URIs
-	 */
-	linked_list_t *ocsp;
-
-	/**
-	 * Hashes of certificates issued by this CA
-	 */
-	linked_list_t *hashes;
-
-	/**
-	 * Base URI used for certificates from this CA
-	 */
-	char *certuribase;
-};
-
-/**
- * create a new CA section
- */
-static ca_section_t *ca_section_create(char *name, certificate_t *cert)
-{
-	ca_section_t *ca = malloc_thing(ca_section_t);
-
-	ca->name = strdup(name);
-	ca->crl = linked_list_create();
-	ca->ocsp = linked_list_create();
-	ca->cert = cert;
-	ca->hashes = linked_list_create();
-	ca->certuribase = NULL;
-	return ca;
-}
-
-/**
- * destroy a ca section entry
- */
-static void ca_section_destroy(ca_section_t *this)
-{
-	this->crl->destroy_function(this->crl, free);
-	this->ocsp->destroy_function(this->ocsp, free);
-	this->hashes->destroy_offset(this->hashes, offsetof(identification_t, destroy));
-	free(this->certuribase);
-	free(this->name);
-	free(this);
-}
-
-/**
- * data to pass to create_inner_cdp
- */
-typedef struct {
-	private_stroke_ca_t *this;
-	certificate_type_t type;
-	identification_t *id;
-} cdp_data_t;
-
-/**
- * destroy cdp enumerator data and unlock list
- */
-static void cdp_data_destroy(cdp_data_t *data)
-{
-	data->this->lock->unlock(data->this->lock);
-	free(data);
-}
-
-/**
- * inner enumerator constructor for CDP URIs
- */
-static enumerator_t *create_inner_cdp(ca_section_t *section, cdp_data_t *data)
-{
-	public_key_t *public;
-	enumerator_t *enumerator = NULL;
-	linked_list_t *list;
-
-	if (data->type == CERT_X509_OCSP_RESPONSE)
-	{
-		list = section->ocsp;
-	}
-	else
-	{
-		list = section->crl;
-	}
-
-	public = section->cert->get_public_key(section->cert);
-	if (public)
-	{
-		if (!data->id)
-		{
-			enumerator = list->create_enumerator(list);
-		}
-		else
-		{
-			if (public->has_fingerprint(public, data->id->get_encoding(data->id)))
-			{
-				enumerator = list->create_enumerator(list);
-			}
-		}
-		public->destroy(public);
-	}
-	return enumerator;
-}
-
-/**
- * inner enumerator constructor for "Hash and URL"
- */
-static enumerator_t *create_inner_cdp_hashandurl(ca_section_t *section, cdp_data_t *data)
-{
-	enumerator_t *enumerator = NULL, *hash_enum;
-	identification_t *current;
-
-	if (!data->id || !section->certuribase)
-	{
-		return NULL;
-	}
-
-	hash_enum = section->hashes->create_enumerator(section->hashes);
-	while (hash_enum->enumerate(hash_enum, &current))
-	{
-		if (current->matches(current, data->id))
-		{
-			char *url, *hash;
-
-			url = malloc(strlen(section->certuribase) + 40 + 1);
-			strcpy(url, section->certuribase);
-			hash = chunk_to_hex(current->get_encoding(current), NULL, FALSE).ptr;
-			strncat(url, hash, 40);
-			free(hash);
-
-			enumerator = enumerator_create_single(url, free);
-			break;
-		}
-	}
-	hash_enum->destroy(hash_enum);
-	return enumerator;
-}
-
-/**
- * Implementation of credential_set_t.create_cdp_enumerator.
- */
-static enumerator_t *create_cdp_enumerator(private_stroke_ca_t *this,
-								certificate_type_t type, identification_t *id)
-{
-	cdp_data_t *data;
-
-	switch (type)
-	{	/* we serve CRLs, OCSP responders and URLs for "Hash and URL" */
-		case CERT_X509:
-		case CERT_X509_CRL:
-		case CERT_X509_OCSP_RESPONSE:
-		case CERT_ANY:
-			break;
-		default:
-			return NULL;
-	}
-	data = malloc_thing(cdp_data_t);
-	data->this = this;
-	data->type = type;
-	data->id = id;
-
-	this->lock->read_lock(this->lock);
-	return enumerator_create_nested(this->sections->create_enumerator(this->sections),
-			(type == CERT_X509) ? (void*)create_inner_cdp_hashandurl : (void*)create_inner_cdp,
-			data, (void*)cdp_data_destroy);
-}
-/**
- * Implementation of stroke_ca_t.add.
- */
-static void add(private_stroke_ca_t *this, stroke_msg_t *msg)
-{
-	certificate_t *cert;
-	ca_section_t *ca;
-
-	if (msg->add_ca.cacert == NULL)
-	{
-		DBG1(DBG_CFG, "missing cacert parameter");
-		return;
-	}
-	cert = this->cred->load_ca(this->cred, msg->add_ca.cacert);
-	if (cert)
-	{
-		ca = ca_section_create(msg->add_ca.name, cert);
-		if (msg->add_ca.crluri)
-		{
-			ca->crl->insert_last(ca->crl, strdup(msg->add_ca.crluri));
-		}
-		if (msg->add_ca.crluri2)
-		{
-			ca->crl->insert_last(ca->crl, strdup(msg->add_ca.crluri2));
-		}
-		if (msg->add_ca.ocspuri)
-		{
-			ca->ocsp->insert_last(ca->ocsp, strdup(msg->add_ca.ocspuri));
-		}
-		if (msg->add_ca.ocspuri2)
-		{
-			ca->ocsp->insert_last(ca->ocsp, strdup(msg->add_ca.ocspuri2));
-		}
-		if (msg->add_ca.certuribase)
-		{
-			ca->certuribase = strdup(msg->add_ca.certuribase);
-		}
-		this->lock->write_lock(this->lock);
-		this->sections->insert_last(this->sections, ca);
-		this->lock->unlock(this->lock);
-		DBG1(DBG_CFG, "added ca '%s'", msg->add_ca.name);
-	}
-}
-
-/**
- * Implementation of stroke_ca_t.del.
- */
-static void del(private_stroke_ca_t *this, stroke_msg_t *msg)
-{
-	enumerator_t *enumerator;
-	ca_section_t *ca = NULL;
-
-	this->lock->write_lock(this->lock);
-	enumerator = this->sections->create_enumerator(this->sections);
-	while (enumerator->enumerate(enumerator, &ca))
-	{
-		if (streq(ca->name, msg->del_ca.name))
-		{
-			this->sections->remove_at(this->sections, enumerator);
-			break;
-		}
-		ca = NULL;
-	}
-	enumerator->destroy(enumerator);
-	this->lock->unlock(this->lock);
-	if (ca == NULL)
-	{
-		DBG1(DBG_CFG, "no ca named '%s' found\n", msg->del_ca.name);
-		return;
-	}
-	ca_section_destroy(ca);
-	/* TODO: flush cached certs */
-}
-
-/**
- * list crl or ocsp URIs
- */
-static void list_uris(linked_list_t *list, char *label, FILE *out)
-{
-	bool first = TRUE;
-	char *uri;
-	enumerator_t *enumerator;
-
-	enumerator = list->create_enumerator(list);
-	while (enumerator->enumerate(enumerator, (void**)&uri))
-	{
-		if (first)
-		{
-			fprintf(out, label);
-			first = FALSE;
-		}
-		else
-		{
-			fprintf(out, "            ");
-		}
-		fprintf(out, "'%s'\n", uri);
-	}
-	enumerator->destroy(enumerator);
-}
-
-/**
- * Implementation of stroke_ca_t.check_for_hash_and_url.
- */
-static void check_for_hash_and_url(private_stroke_ca_t *this, certificate_t* cert)
-{
-	ca_section_t *section;
-	enumerator_t *enumerator;
-
-	hasher_t *hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
-	if (hasher == NULL)
-	{
-		DBG1(DBG_IKE, "unable to use hash-and-url: sha1 not supported");
-		return;
-	}
-
-	this->lock->write_lock(this->lock);
-	enumerator = this->sections->create_enumerator(this->sections);
-	while (enumerator->enumerate(enumerator, (void**)&section))
-	{
-		if (section->certuribase && cert->issued_by(cert, section->cert))
-		{
-			chunk_t hash, encoded = cert->get_encoding(cert);
-			hasher->allocate_hash(hasher, encoded, &hash);
-			section->hashes->insert_last(section->hashes,
-					identification_create_from_encoding(ID_KEY_ID, hash));
-			chunk_free(&hash);
-			chunk_free(&encoded);
-			break;
-		}
-	}
-	enumerator->destroy(enumerator);
-	this->lock->unlock(this->lock);
-
-	hasher->destroy(hasher);
-}
-
-/**
- * Implementation of stroke_ca_t.list.
- */
-static void list(private_stroke_ca_t *this, stroke_msg_t *msg, FILE *out)
-{
-	bool first = TRUE;
-	ca_section_t *section;
-	enumerator_t *enumerator;
-
-	this->lock->read_lock(this->lock);
-	enumerator = this->sections->create_enumerator(this->sections);
-	while (enumerator->enumerate(enumerator, (void**)&section))
-	{
-		certificate_t *cert = section->cert;
-		public_key_t *public = cert->get_public_key(cert);
-		chunk_t chunk;
-
-		if (first)
-		{
-			fprintf(out, "\n");
-			fprintf(out, "List of CA Information Sections:\n");
-			first = FALSE;
-		}
-		fprintf(out, "\n");
-		fprintf(out, "  authname:    \"%Y\"\n", cert->get_subject(cert));
-
-		/* list authkey and keyid */
-		if (public)
-		{
-			if (public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1, &chunk))
-			{
-				fprintf(out, "  authkey:      %#B\n", &chunk);
-			}
-			if (public->get_fingerprint(public, KEY_ID_PUBKEY_INFO_SHA1, &chunk))
-			{
-				fprintf(out, "  keyid:        %#B\n", &chunk);
-			}
-			public->destroy(public);
-		}
-		list_uris(section->crl, "  crluris:     ", out);
-		list_uris(section->ocsp, "  ocspuris:    ", out);
-		if (section->certuribase)
-		{
-			fprintf(out, "  certuribase: '%s'\n", section->certuribase);
-		}
-	}
-	enumerator->destroy(enumerator);
-	this->lock->unlock(this->lock);
-}
-
-/**
- * Implementation of stroke_ca_t.destroy
- */
-static void destroy(private_stroke_ca_t *this)
-{
-	this->sections->destroy_function(this->sections, (void*)ca_section_destroy);
-	this->lock->destroy(this->lock);
-	free(this);
-}
-
-/*
- * see header file
- */
-stroke_ca_t *stroke_ca_create(stroke_cred_t *cred)
-{
-	private_stroke_ca_t *this = malloc_thing(private_stroke_ca_t);
-
-	this->public.set.create_private_enumerator = (void*)return_null;
-	this->public.set.create_cert_enumerator = (void*)return_null;
-	this->public.set.create_shared_enumerator = (void*)return_null;
-	this->public.set.create_cdp_enumerator = (void*)create_cdp_enumerator;
-	this->public.set.cache_cert = (void*)nop;
-	this->public.add = (void(*)(stroke_ca_t*, stroke_msg_t *msg))add;
-	this->public.del = (void(*)(stroke_ca_t*, stroke_msg_t *msg))del;
-	this->public.list = (void(*)(stroke_ca_t*, stroke_msg_t *msg, FILE *out))list;
-	this->public.check_for_hash_and_url = (void(*)(stroke_ca_t*, certificate_t*))check_for_hash_and_url;
-	this->public.destroy = (void(*)(stroke_ca_t*))destroy;
-
-	this->sections = linked_list_create();
-	this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
-	this->cred = cred;
-
-	return &this->public;
-}
-
diff --git a/src/charon/plugins/stroke/stroke_ca.h b/src/charon/plugins/stroke/stroke_ca.h
deleted file mode 100644
index 21af912ea..000000000
--- a/src/charon/plugins/stroke/stroke_ca.h
+++ /dev/null
@@ -1,80 +0,0 @@
-/*
- * Copyright (C) 2008 Tobias Brunner
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup stroke_ca stroke_ca
- * @{ @ingroup stroke
- */
-
-#ifndef STROKE_CA_H_
-#define STROKE_CA_H_
-
-#include <stroke_msg.h>
-
-#include "stroke_cred.h"
-
-typedef struct stroke_ca_t stroke_ca_t;
-
-/**
- * ipsec.conf ca section handling.
- */
-struct stroke_ca_t {
-
-	/**
-	 * Implements credential_set_t
-	 */
-	credential_set_t set;
-
-	/**
-	 * Add a CA to the set using a stroke_msg_t.
-	 *
-	 * @param msg		stroke message containing CA info
-	 */
-	void (*add)(stroke_ca_t *this, stroke_msg_t *msg);
-
-	/**
-	 * Remove a CA from the set using a stroke_msg_t.
-	 *
-	 * @param msg		stroke message containing CA info
-	 */
-	void (*del)(stroke_ca_t *this, stroke_msg_t *msg);
-
-	/**
-	 * List CA sections to stroke console.
-	 *
-	 * @param msg		stroke message
-	 */
-	void (*list)(stroke_ca_t *this, stroke_msg_t *msg, FILE *out);
-
-	/**
-	 * Check if a certificate can be made available through hash and URL.
-	 *
-	 * @param cert		peer certificate
-	 */
-	void (*check_for_hash_and_url)(stroke_ca_t *this, certificate_t* cert);
-
-	/**
-	 * Destroy a stroke_ca instance.
-	 */
-	void (*destroy)(stroke_ca_t *this);
-};
-
-/**
- * Create a stroke_ca instance.
- */
-stroke_ca_t *stroke_ca_create(stroke_cred_t *cred);
-
-#endif /** STROKE_CA_H_ @}*/
diff --git a/src/charon/plugins/stroke/stroke_config.c b/src/charon/plugins/stroke/stroke_config.c
deleted file mode 100644
index 0752f3c93..000000000
--- a/src/charon/plugins/stroke/stroke_config.c
+++ /dev/null
@@ -1,949 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "stroke_config.h"
-
-#include <daemon.h>
-#include <threading/mutex.h>
-#include <utils/lexparser.h>
-
-typedef struct private_stroke_config_t private_stroke_config_t;
-
-/**
- * private data of stroke_config
- */
-struct private_stroke_config_t {
-
-	/**
-	 * public functions
-	 */
-	stroke_config_t public;
-
-	/**
-	 * list of peer_cfg_t
-	 */
-	linked_list_t *list;
-
-	/**
-	 * mutex to lock config list
-	 */
-	mutex_t *mutex;
-
-	/**
-	 * ca sections
-	 */
-	stroke_ca_t *ca;
-
-	/**
-	 * credentials
-	 */
-	stroke_cred_t *cred;
-};
-
-/**
- * Implementation of backend_t.create_peer_cfg_enumerator.
- */
-static enumerator_t* create_peer_cfg_enumerator(private_stroke_config_t *this,
-												identification_t *me,
-												identification_t *other)
-{
-	this->mutex->lock(this->mutex);
-	return enumerator_create_cleaner(this->list->create_enumerator(this->list),
-									 (void*)this->mutex->unlock, this->mutex);
-}
-
-/**
- * filter function for ike configs
- */
-static bool ike_filter(void *data, peer_cfg_t **in, ike_cfg_t **out)
-{
-	*out = (*in)->get_ike_cfg(*in);
-	return TRUE;
-}
-
-/**
- * Implementation of backend_t.create_ike_cfg_enumerator.
- */
-static enumerator_t* create_ike_cfg_enumerator(private_stroke_config_t *this,
-											   host_t *me, host_t *other)
-{
-	this->mutex->lock(this->mutex);
-	return enumerator_create_filter(this->list->create_enumerator(this->list),
-									(void*)ike_filter, this->mutex,
-									(void*)this->mutex->unlock);
-}
-
-/**
- * implements backend_t.get_peer_cfg_by_name.
- */
-static peer_cfg_t *get_peer_cfg_by_name(private_stroke_config_t *this, char *name)
-{
-	enumerator_t *e1, *e2;
-	peer_cfg_t *current, *found = NULL;
-	child_cfg_t *child;
-
-	this->mutex->lock(this->mutex);
-	e1 = this->list->create_enumerator(this->list);
-	while (e1->enumerate(e1, &current))
-	{
-		/* compare peer_cfgs name first */
-		if (streq(current->get_name(current), name))
-		{
-			found = current;
-			found->get_ref(found);
-			break;
-		}
-		/* compare all child_cfg names otherwise */
-		e2 = current->create_child_cfg_enumerator(current);
-		while (e2->enumerate(e2, &child))
-		{
-			if (streq(child->get_name(child), name))
-			{
-				found = current;
-				found->get_ref(found);
-				break;
-			}
-		}
-		e2->destroy(e2);
-		if (found)
-		{
-			break;
-		}
-	}
-	e1->destroy(e1);
-	this->mutex->unlock(this->mutex);
-	return found;
-}
-
-/**
- * parse a proposal string, either into ike_cfg or child_cfg
- */
-static void add_proposals(private_stroke_config_t *this, char *string,
-						  ike_cfg_t *ike_cfg, child_cfg_t *child_cfg)
-{
-	if (string)
-	{
-		char *single;
-		char *strict;
-		proposal_t *proposal;
-		protocol_id_t proto = PROTO_ESP;
-
-		if (ike_cfg)
-		{
-			proto = PROTO_IKE;
-		}
-		strict = string + strlen(string) - 1;
-		if (*strict == '!')
-		{
-			*strict = '\0';
-		}
-		else
-		{
-			strict = NULL;
-		}
-		while ((single = strsep(&string, ",")))
-		{
-			proposal = proposal_create_from_string(proto, single);
-			if (proposal)
-			{
-				if (ike_cfg)
-				{
-					ike_cfg->add_proposal(ike_cfg, proposal);
-				}
-				else
-				{
-					child_cfg->add_proposal(child_cfg, proposal);
-				}
-				continue;
-			}
-			DBG1(DBG_CFG, "skipped invalid proposal string: %s", single);
-		}
-		if (strict)
-		{
-			return;
-		}
-		/* add default porposal to the end if not strict */
-	}
-	if (ike_cfg)
-	{
-		ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
-	}
-	else
-	{
-		child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
-	}
-}
-
-/**
- * Build an IKE config from a stroke message
- */
-static ike_cfg_t *build_ike_cfg(private_stroke_config_t *this, stroke_msg_t *msg)
-{
-	stroke_end_t tmp_end;
-	ike_cfg_t *ike_cfg;
-	char *interface;
-	host_t *host;
-
-	host = host_create_from_dns(msg->add_conn.other.address, 0, 0);
-	if (host)
-	{
-		interface = charon->kernel_interface->get_interface(
-												charon->kernel_interface, host);
-		host->destroy(host);
-		if (interface)
-		{
-			DBG2(DBG_CFG, "left is other host, swapping ends");
-			tmp_end = msg->add_conn.me;
-			msg->add_conn.me = msg->add_conn.other;
-			msg->add_conn.other = tmp_end;
-			free(interface);
-		}
-		else
-		{
-			host = host_create_from_dns(msg->add_conn.me.address, 0, 0);
-			if (host)
-			{
-				interface = charon->kernel_interface->get_interface(
-												charon->kernel_interface, host);
-				host->destroy(host);
-				if (!interface)
-				{
-					DBG1(DBG_CFG, "left nor right host is our side, "
-						 "assuming left=local");
-				}
-				else
-				{
-					free(interface);
-				}
-
-			}
-		}
-	}
-	ike_cfg = ike_cfg_create(msg->add_conn.other.sendcert != CERT_NEVER_SEND,
-							 msg->add_conn.force_encap,
-							 msg->add_conn.me.address,
-							 msg->add_conn.other.address);
-	add_proposals(this, msg->add_conn.algorithms.ike, ike_cfg, NULL);
-	return ike_cfg;
-}
-
-/**
- * Add CRL constraint to config
- */
-static void build_crl_policy(auth_cfg_t *cfg, bool local, int policy)
-{
-	/* CRL/OCSP policy, for remote config only */
-	if (!local)
-	{
-		switch (policy)
-		{
-			case CRL_STRICT_YES:
-				/* if yes, we require a GOOD validation */
-				cfg->add(cfg, AUTH_RULE_CRL_VALIDATION, VALIDATION_GOOD);
-				break;
-			case CRL_STRICT_IFURI:
-				/* for ifuri, a SKIPPED validation is sufficient */
-				cfg->add(cfg, AUTH_RULE_CRL_VALIDATION, VALIDATION_SKIPPED);
-				break;
-			default:
-				break;
-		}
-	}
-}
-
-/**
- * build authentication config
- */
-static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
-								  stroke_msg_t *msg, bool local, bool primary)
-{
-	identification_t *identity;
-	certificate_t *certificate;
-	char *auth, *id, *cert, *ca;
-	stroke_end_t *end, *other_end;
-	auth_cfg_t *cfg;
-	char eap_buf[32];
-
-	/* select strings */
-	if (local)
-	{
-		end = &msg->add_conn.me;
-		other_end = &msg->add_conn.other;
-	}
-	else
-	{
-		end = &msg->add_conn.other;
-		other_end = &msg->add_conn.me;
-	}
-	if (primary)
-	{
-		auth = end->auth;
-		id = end->id;
-		if (!id)
-		{	/* leftid/rightid fallback to address */
-			id = end->address;
-		}
-		cert = end->cert;
-		ca = end->ca;
-		if (ca && streq(ca, "%same"))
-		{
-			ca = other_end->ca;
-		}
-	}
-	else
-	{
-		auth = end->auth2;
-		id = end->id2;
-		if (local && !id)
-		{	/* leftid2 falls back to leftid */
-			id = end->id;
-		}
-		cert = end->cert2;
-		ca = end->ca2;
-		if (ca && streq(ca, "%same"))
-		{
-			ca = other_end->ca2;
-		}
-	}
-
-	if (!auth)
-	{
-		if (primary)
-		{
-			if (local)
-			{	/* "leftauth" not defined, fall back to deprecated "authby" */
-				switch (msg->add_conn.auth_method)
-				{
-					default:
-					case AUTH_CLASS_PUBKEY:
-						auth = "pubkey";
-						break;
-					case AUTH_CLASS_PSK:
-						auth = "psk";
-						break;
-					case AUTH_CLASS_EAP:
-						auth = "eap";
-						break;
-				}
-			}
-			else
-			{	/* "rightauth" not defined, fall back to deprecated "eap" */
-				if (msg->add_conn.eap_type)
-				{
-					if (msg->add_conn.eap_vendor)
-					{
-						snprintf(eap_buf, sizeof(eap_buf), "eap-%d-%d",
-								 msg->add_conn.eap_type,
-								 msg->add_conn.eap_vendor);
-					}
-					else
-					{
-						snprintf(eap_buf, sizeof(eap_buf), "eap-%d",
-								 msg->add_conn.eap_type);
-					}
-					auth = eap_buf;
-				}
-				else
-				{	/* not EAP => no constraints for this peer */
-					auth = "any";
-				}
-			}
-		}
-		else
-		{	/* no second authentication round, fine */
-			return NULL;
-		}
-	}
-
-	cfg = auth_cfg_create();
-
-	/* add identity and peer certifcate */
-	identity = identification_create_from_string(id);
-	if (cert)
-	{
-		certificate = this->cred->load_peer(this->cred, cert);
-		if (certificate)
-		{
-			if (local)
-			{
-				this->ca->check_for_hash_and_url(this->ca, certificate);
-			}
-			cfg->add(cfg, AUTH_RULE_SUBJECT_CERT, certificate);
-			if (identity->get_type(identity) == ID_ANY ||
-				!certificate->has_subject(certificate, identity))
-			{
-				DBG1(DBG_CFG, "  id '%Y' not confirmed by certificate, "
-					 "defaulting to '%Y'", identity,
-					 certificate->get_subject(certificate));
-				identity->destroy(identity);
-				identity = certificate->get_subject(certificate);
-				identity = identity->clone(identity);
-			}
-		}
-	}
-	cfg->add(cfg, AUTH_RULE_IDENTITY, identity);
-
-	/* CA constraint */
-	if (ca)
-	{
-		identity = identification_create_from_string(ca);
-		certificate = charon->credentials->get_cert(charon->credentials,
-											CERT_X509, KEY_ANY, identity, TRUE);
-		identity->destroy(identity);
-		if (certificate)
-		{
-			cfg->add(cfg, AUTH_RULE_CA_CERT, certificate);
-		}
-		else
-		{
-			DBG1(DBG_CFG, "CA certificate %s not found, discarding CA "
-				 "constraint", ca);
-		}
-	}
-
-	/* AC groups */
-	if (end->groups)
-	{
-		enumerator_t *enumerator;
-		char *group;
-
-		enumerator = enumerator_create_token(end->groups, ",", " ");
-		while (enumerator->enumerate(enumerator, &group))
-		{
-			identity = identification_create_from_encoding(ID_IETF_ATTR_STRING,
-											chunk_create(group, strlen(group)));
-			cfg->add(cfg, AUTH_RULE_AC_GROUP, identity);
-		}
-		enumerator->destroy(enumerator);
-	}
-
-	/* authentication metod (class, actually) */
-	if (streq(auth, "pubkey") ||
-		streq(auth, "rsasig") || streq(auth, "rsa") ||
-		streq(auth, "ecdsasig") || streq(auth, "ecdsa"))
-	{
-		cfg->add(cfg, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
-		build_crl_policy(cfg, local, msg->add_conn.crl_policy);
-	}
-	else if (streq(auth, "psk") || streq(auth, "secret"))
-	{
-		cfg->add(cfg, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PSK);
-	}
-	else if (strneq(auth, "eap", 3))
-	{
-		enumerator_t *enumerator;
-		char *str;
-		int i = 0, type = 0, vendor;
-
-		cfg->add(cfg, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_EAP);
-
-		/* parse EAP string, format: eap[-type[-vendor]] */
-		enumerator = enumerator_create_token(auth, "-", " ");
-		while (enumerator->enumerate(enumerator, &str))
-		{
-			switch (i)
-			{
-				case 1:
-					type = eap_type_from_string(str);
-					if (!type)
-					{
-						type = atoi(str);
-						if (!type)
-						{
-							DBG1(DBG_CFG, "unknown EAP method: %s", str);
-							break;
-						}
-					}
-					cfg->add(cfg, AUTH_RULE_EAP_TYPE, type);
-					break;
-				case 2:
-					if (type)
-					{
-						vendor = atoi(str);
-						if (vendor)
-						{
-							cfg->add(cfg, AUTH_RULE_EAP_VENDOR, vendor);
-						}
-						else
-						{
-							DBG1(DBG_CFG, "unknown EAP vendor: %s", str);
-						}
-					}
-					break;
-				default:
-					break;
-			}
-			i++;
-		}
-		enumerator->destroy(enumerator);
-
-		if (msg->add_conn.eap_identity)
-		{
-			if (streq(msg->add_conn.eap_identity, "%identity"))
-			{
-				identity = identification_create_from_encoding(ID_ANY,
-															   chunk_empty);
-			}
-			else
-			{
-				identity = identification_create_from_string(
-													msg->add_conn.eap_identity);
-			}
-			cfg->add(cfg, AUTH_RULE_EAP_IDENTITY, identity);
-		}
-	}
-	else
-	{
-		if (!streq(auth, "any"))
-		{
-			DBG1(DBG_CFG, "authentication method %s unknown, fallback to any",
-				 auth);
-		}
-		build_crl_policy(cfg, local, msg->add_conn.crl_policy);
-	}
-	return cfg;
-}
-
-/**
- * build a peer_cfg from a stroke msg
- */
-static peer_cfg_t *build_peer_cfg(private_stroke_config_t *this,
-								  stroke_msg_t *msg, ike_cfg_t *ike_cfg)
-{
-	identification_t *peer_id = NULL;
-	peer_cfg_t *mediated_by = NULL;
-	host_t *vip = NULL;
-	unique_policy_t unique;
-	u_int32_t rekey = 0, reauth = 0, over, jitter;
-	peer_cfg_t *peer_cfg;
-	auth_cfg_t *auth_cfg;
-
-#ifdef ME
-	if (msg->add_conn.ikeme.mediation && msg->add_conn.ikeme.mediated_by)
-	{
-		DBG1(DBG_CFG, "a mediation connection cannot be a mediated connection "
-			 "at the same time, aborting");
-		return NULL;
-	}
-
-	if (msg->add_conn.ikeme.mediation)
-	{
-		/* force unique connections for mediation connections */
-		msg->add_conn.unique = 1;
-	}
-
-	if (msg->add_conn.ikeme.mediated_by)
-	{
-		mediated_by = charon->backends->get_peer_cfg_by_name(charon->backends,
-											msg->add_conn.ikeme.mediated_by);
-		if (!mediated_by)
-		{
-			DBG1(DBG_CFG, "mediation connection '%s' not found, aborting",
-				 msg->add_conn.ikeme.mediated_by);
-			return NULL;
-		}
-		if (!mediated_by->is_mediation(mediated_by))
-		{
-			DBG1(DBG_CFG, "connection '%s' as referred to by '%s' is "
-				 "no mediation connection, aborting",
-				 msg->add_conn.ikeme.mediated_by, msg->add_conn.name);
-			mediated_by->destroy(mediated_by);
-			return NULL;
-		}
-		if (msg->add_conn.ikeme.peerid)
-		{
-			peer_id = identification_create_from_string(msg->add_conn.ikeme.peerid);
-		}
-		else if (msg->add_conn.other.id)
-		{
-			peer_id = identification_create_from_string(msg->add_conn.other.id);
-		}
-	}
-#endif /* ME */
-
-	jitter = msg->add_conn.rekey.margin * msg->add_conn.rekey.fuzz / 100;
-	over = msg->add_conn.rekey.margin;
-	if (msg->add_conn.rekey.reauth)
-	{
-		reauth = msg->add_conn.rekey.ike_lifetime - over;
-	}
-	else
-	{
-		rekey = msg->add_conn.rekey.ike_lifetime - over;
-	}
-	if (msg->add_conn.me.sourceip_mask)
-	{
-		if (msg->add_conn.me.sourceip)
-		{
-			vip = host_create_from_string(msg->add_conn.me.sourceip, 0);
-		}
-		if (!vip)
-		{	/* if it is set to something like %poolname, request an address */
-			if (msg->add_conn.me.subnets)
-			{	/* use the same address as in subnet, if any */
-				if (strchr(msg->add_conn.me.subnets, '.'))
-				{
-					vip = host_create_any(AF_INET);
-				}
-				else
-				{
-					vip = host_create_any(AF_INET6);
-				}
-			}
-			else
-			{
-				if (strchr(ike_cfg->get_my_addr(ike_cfg), ':'))
-				{
-					vip = host_create_any(AF_INET6);
-				}
-				else
-				{
-					vip = host_create_any(AF_INET);
-				}
-			}
-		}
-	}
-	switch (msg->add_conn.unique)
-	{
-		case 1: /* yes */
-		case 2: /* replace */
-			unique = UNIQUE_REPLACE;
-			break;
-		case 3: /* keep */
-			unique = UNIQUE_KEEP;
-			break;
-		default: /* no */
-			unique = UNIQUE_NO;
-			break;
-	}
-	if (msg->add_conn.dpd.action == 0)
-	{	/* dpdaction=none disables DPD */
-		msg->add_conn.dpd.delay = 0;
-	}
-
-	/* other.sourceip is managed in stroke_attributes. If it is set, we define
-	 * the pool name as the connection name, which the attribute provider
-	 * uses to serve pool addresses. */
-	peer_cfg = peer_cfg_create(msg->add_conn.name,
-		msg->add_conn.ikev2 ? 2 : 1, ike_cfg,
-		msg->add_conn.me.sendcert, unique,
-		msg->add_conn.rekey.tries, rekey, reauth, jitter, over,
-		msg->add_conn.mobike, msg->add_conn.dpd.delay,
-		vip, msg->add_conn.other.sourceip_mask ?
-							msg->add_conn.name : msg->add_conn.other.sourceip,
-		msg->add_conn.ikeme.mediation, mediated_by, peer_id);
-
-	/* build leftauth= */
-	auth_cfg = build_auth_cfg(this, msg, TRUE, TRUE);
-	if (auth_cfg)
-	{
-		peer_cfg->add_auth_cfg(peer_cfg, auth_cfg, TRUE);
-	}
-	else
-	{	/* we require at least one config on our side */
-		peer_cfg->destroy(peer_cfg);
-		return NULL;
-	}
-	/* build leftauth2= */
-	auth_cfg = build_auth_cfg(this, msg, TRUE, FALSE);
-	if (auth_cfg)
-	{
-		peer_cfg->add_auth_cfg(peer_cfg, auth_cfg, TRUE);
-	}
-	/* build rightauth= */
-	auth_cfg = build_auth_cfg(this, msg, FALSE, TRUE);
-	if (auth_cfg)
-	{
-		peer_cfg->add_auth_cfg(peer_cfg, auth_cfg, FALSE);
-	}
-	/* build rightauth2= */
-	auth_cfg = build_auth_cfg(this, msg, FALSE, FALSE);
-	if (auth_cfg)
-	{
-		peer_cfg->add_auth_cfg(peer_cfg, auth_cfg, FALSE);
-	}
-	return peer_cfg;
-}
-
-/**
- * build a traffic selector from a stroke_end
- */
-static void add_ts(private_stroke_config_t *this,
-				   stroke_end_t *end, child_cfg_t *child_cfg, bool local)
-{
-	traffic_selector_t *ts;
-
-	if (end->tohost)
-	{
-		ts = traffic_selector_create_dynamic(end->protocol,
-					end->port ? end->port : 0, end->port ? end->port : 65535);
-		child_cfg->add_traffic_selector(child_cfg, local, ts);
-	}
-	else
-	{
-		host_t *net;
-
-		if (!end->subnets)
-		{
-			net = host_create_from_string(end->address, IKEV2_UDP_PORT);
-			if (net)
-			{
-				ts = traffic_selector_create_from_subnet(net, 0, end->protocol,
-														 end->port);
-				child_cfg->add_traffic_selector(child_cfg, local, ts);
-			}
-		}
-		else
-		{
-			char *del, *start, *bits;
-
-			start = end->subnets;
-			do
-			{
-				int intbits = 0;
-
-				del = strchr(start, ',');
-				if (del)
-				{
-					*del = '\0';
-				}
-				bits = strchr(start, '/');
-				if (bits)
-				{
-					*bits = '\0';
-					intbits = atoi(bits + 1);
-				}
-
-				net = host_create_from_string(start, IKEV2_UDP_PORT);
-				if (net)
-				{
-					ts = traffic_selector_create_from_subnet(net, intbits,
-												end->protocol, end->port);
-					child_cfg->add_traffic_selector(child_cfg, local, ts);
-				}
-				else
-				{
-					DBG1(DBG_CFG, "invalid subnet: %s, skipped", start);
-				}
-				start = del + 1;
-			}
-			while (del);
-		}
-	}
-}
-
-/**
- * build a child config from the stroke message
- */
-static child_cfg_t *build_child_cfg(private_stroke_config_t *this,
-									stroke_msg_t *msg)
-{
-	child_cfg_t *child_cfg;
-	action_t dpd;
-	lifetime_cfg_t lifetime = {
-		.time = {
-			.life = msg->add_conn.rekey.ipsec_lifetime,
-			.rekey = msg->add_conn.rekey.ipsec_lifetime - msg->add_conn.rekey.margin,
-			.jitter = msg->add_conn.rekey.margin * msg->add_conn.rekey.fuzz / 100
-		},
-		.bytes = {
-			.life = msg->add_conn.rekey.life_bytes,
-			.rekey = msg->add_conn.rekey.life_bytes - msg->add_conn.rekey.margin_bytes,
-			.jitter = msg->add_conn.rekey.margin_bytes * msg->add_conn.rekey.fuzz / 100
-		},
-		.packets = {
-			.life = msg->add_conn.rekey.life_packets,
-			.rekey = msg->add_conn.rekey.life_packets - msg->add_conn.rekey.margin_packets,
-			.jitter = msg->add_conn.rekey.margin_packets * msg->add_conn.rekey.fuzz / 100
-		}
-	};
-
-	switch (msg->add_conn.dpd.action)
-	{	/* map startes magic values to our action type */
-		case 2: /* =hold */
-			dpd = ACTION_ROUTE;
-			break;
-		case 3: /* =restart */
-			dpd = ACTION_RESTART;
-			break;
-		default:
-			dpd = ACTION_NONE;
-			break;
-	}
-
-	child_cfg = child_cfg_create(
-				msg->add_conn.name, &lifetime,
-				msg->add_conn.me.updown, msg->add_conn.me.hostaccess,
-				msg->add_conn.mode, dpd, dpd, msg->add_conn.ipcomp,
-				msg->add_conn.inactivity);
-	child_cfg->set_mipv6_options(child_cfg, msg->add_conn.proxy_mode,
-											msg->add_conn.install_policy);
-	add_ts(this, &msg->add_conn.me, child_cfg, TRUE);
-	add_ts(this, &msg->add_conn.other, child_cfg, FALSE);
-
-	add_proposals(this, msg->add_conn.algorithms.esp, NULL, child_cfg);
-
-	return child_cfg;
-}
-
-/**
- * Implementation of stroke_config_t.add.
- */
-static void add(private_stroke_config_t *this, stroke_msg_t *msg)
-{
-	ike_cfg_t *ike_cfg, *existing_ike;
-	peer_cfg_t *peer_cfg, *existing;
-	child_cfg_t *child_cfg;
-	enumerator_t *enumerator;
-	bool use_existing = FALSE;
-
-	ike_cfg = build_ike_cfg(this, msg);
-	if (!ike_cfg)
-	{
-		return;
-	}
-	peer_cfg = build_peer_cfg(this, msg, ike_cfg);
-	if (!peer_cfg)
-	{
-		ike_cfg->destroy(ike_cfg);
-		return;
-	}
-
-	enumerator = create_peer_cfg_enumerator(this, NULL, NULL);
-	while (enumerator->enumerate(enumerator, &existing))
-	{
-		existing_ike = existing->get_ike_cfg(existing);
-		if (existing->equals(existing, peer_cfg) &&
-			existing_ike->equals(existing_ike, peer_cfg->get_ike_cfg(peer_cfg)))
-		{
-			use_existing = TRUE;
-			peer_cfg->destroy(peer_cfg);
-			peer_cfg = existing;
-			peer_cfg->get_ref(peer_cfg);
-			DBG1(DBG_CFG, "added child to existing configuration '%s'",
-				 peer_cfg->get_name(peer_cfg));
-			break;
-		}
-	}
-	enumerator->destroy(enumerator);
-
-	child_cfg = build_child_cfg(this, msg);
-	if (!child_cfg)
-	{
-		peer_cfg->destroy(peer_cfg);
-		return;
-	}
-	peer_cfg->add_child_cfg(peer_cfg, child_cfg);
-
-	if (use_existing)
-	{
-		peer_cfg->destroy(peer_cfg);
-	}
-	else
-	{
-		/* add config to backend */
-		DBG1(DBG_CFG, "added configuration '%s'", msg->add_conn.name);
-		this->mutex->lock(this->mutex);
-		this->list->insert_last(this->list, peer_cfg);
-		this->mutex->unlock(this->mutex);
-	}
-}
-
-/**
- * Implementation of stroke_config_t.del.
- */
-static void del(private_stroke_config_t *this, stroke_msg_t *msg)
-{
-	enumerator_t *enumerator, *children;
-	peer_cfg_t *peer;
-	child_cfg_t *child;
-	bool deleted = FALSE;
-
-	this->mutex->lock(this->mutex);
-	enumerator = this->list->create_enumerator(this->list);
-	while (enumerator->enumerate(enumerator, (void**)&peer))
-	{
-		bool keep = FALSE;
-
-		/* remove any child with such a name */
-		children = peer->create_child_cfg_enumerator(peer);
-		while (children->enumerate(children, &child))
-		{
-			if (streq(child->get_name(child), msg->del_conn.name))
-			{
-				peer->remove_child_cfg(peer, children);
-				child->destroy(child);
-				deleted = TRUE;
-			}
-			else
-			{
-				keep = TRUE;
-			}
-		}
-		children->destroy(children);
-
-		/* if peer config matches, or has no children anymore, remove it */
-		if (!keep || streq(peer->get_name(peer), msg->del_conn.name))
-		{
-			this->list->remove_at(this->list, enumerator);
-			peer->destroy(peer);
-			deleted = TRUE;
-		}
-	}
-	enumerator->destroy(enumerator);
-	this->mutex->unlock(this->mutex);
-
-	if (deleted)
-	{
-		DBG1(DBG_CFG, "deleted connection '%s'", msg->del_conn.name);
-	}
-	else
-	{
-		DBG1(DBG_CFG, "connection '%s' not found", msg->del_conn.name);
-	}
-}
-
-/**
- * Implementation of stroke_config_t.destroy
- */
-static void destroy(private_stroke_config_t *this)
-{
-	this->list->destroy_offset(this->list, offsetof(peer_cfg_t, destroy));
-	this->mutex->destroy(this->mutex);
-	free(this);
-}
-
-/*
- * see header file
- */
-stroke_config_t *stroke_config_create(stroke_ca_t *ca, stroke_cred_t *cred)
-{
-	private_stroke_config_t *this = malloc_thing(private_stroke_config_t);
-
-	this->public.backend.create_peer_cfg_enumerator = (enumerator_t*(*)(backend_t*, identification_t *me, identification_t *other))create_peer_cfg_enumerator;
-	this->public.backend.create_ike_cfg_enumerator = (enumerator_t*(*)(backend_t*, host_t *me, host_t *other))create_ike_cfg_enumerator;
-	this->public.backend.get_peer_cfg_by_name = (peer_cfg_t* (*)(backend_t*,char*))get_peer_cfg_by_name;
-	this->public.add = (void(*)(stroke_config_t*, stroke_msg_t *msg))add;
-	this->public.del = (void(*)(stroke_config_t*, stroke_msg_t *msg))del;
-	this->public.destroy = (void(*)(stroke_config_t*))destroy;
-
-	this->list = linked_list_create();
-	this->mutex = mutex_create(MUTEX_TYPE_RECURSIVE);
-	this->ca = ca;
-	this->cred = cred;
-
-	return &this->public;
-}
-
diff --git a/src/charon/plugins/stroke/stroke_config.h b/src/charon/plugins/stroke/stroke_config.h
deleted file mode 100644
index 05e4665ca..000000000
--- a/src/charon/plugins/stroke/stroke_config.h
+++ /dev/null
@@ -1,66 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup stroke_config stroke_config
- * @{ @ingroup stroke
- */
-
-#ifndef STROKE_CONFIG_H_
-#define STROKE_CONFIG_H_
-
-#include <config/backend.h>
-#include <stroke_msg.h>
-#include "stroke_ca.h"
-#include "stroke_cred.h"
-
-typedef struct stroke_config_t stroke_config_t;
-
-/**
- * Stroke in-memory configuration backend
- */
-struct stroke_config_t {
-
-	/**
-	 * Implements the backend_t interface
-	 */
-	backend_t backend;
-
-	/**
-	 * Add a configuration to the backend.
-	 *
-	 * @param msg		received stroke message containing config
-	 */
-	void (*add)(stroke_config_t *this, stroke_msg_t *msg);
-
-	/**
-	 * Remove a configuration from the backend.
-	 *
-	 * @param msg		received stroke message containing config name
-	 */
-	void (*del)(stroke_config_t *this, stroke_msg_t *msg);
-
-	/**
-	 * Destroy a stroke_config instance.
-	 */
-	void (*destroy)(stroke_config_t *this);
-};
-
-/**
- * Create a stroke_config instance.
- */
-stroke_config_t *stroke_config_create(stroke_ca_t *ca, stroke_cred_t *cred);
-
-#endif /** STROKE_CONFIG_H_ @}*/
diff --git a/src/charon/plugins/stroke/stroke_control.c b/src/charon/plugins/stroke/stroke_control.c
deleted file mode 100644
index a03aef697..000000000
--- a/src/charon/plugins/stroke/stroke_control.c
+++ /dev/null
@@ -1,491 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "stroke_control.h"
-
-#include <daemon.h>
-#include <processing/jobs/delete_ike_sa_job.h>
-
-typedef struct private_stroke_control_t private_stroke_control_t;
-
-/**
- * private data of stroke_control
- */
-struct private_stroke_control_t {
-
-	/**
-	 * public functions
-	 */
-	stroke_control_t public;
-};
-
-
-typedef struct stroke_log_info_t stroke_log_info_t;
-
-/**
- * helper struct to say what and where to log when using controller callback
- */
-struct stroke_log_info_t {
-
-	/**
-	 * level to log up to
-	 */
-	level_t level;
-
-	/**
-	 * where to write log
-	 */
-	FILE* out;
-};
-
-/**
- * logging to the stroke interface
- */
-static bool stroke_log(stroke_log_info_t *info, debug_t group, level_t level,
-					   ike_sa_t *ike_sa, char *format, va_list args)
-{
-	if (level <= info->level)
-	{
-		if (vfprintf(info->out, format, args) < 0 ||
-			fprintf(info->out, "\n") < 0 ||
-			fflush(info->out) != 0)
-		{
-			return FALSE;
-		}
-	}
-	return TRUE;
-}
-
-/**
- * get the child_cfg with the same name as the peer cfg
- */
-static child_cfg_t* get_child_from_peer(peer_cfg_t *peer_cfg, char *name)
-{
-	child_cfg_t *current, *found = NULL;
-	enumerator_t *enumerator;
-
-	enumerator = peer_cfg->create_child_cfg_enumerator(peer_cfg);
-	while (enumerator->enumerate(enumerator, &current))
-	{
-		if (streq(current->get_name(current), name))
-		{
-			found = current;
-			found->get_ref(found);
-			break;
-		}
-	}
-	enumerator->destroy(enumerator);
-	return found;
-}
-
-/**
- * Implementation of stroke_control_t.initiate.
- */
-static void initiate(private_stroke_control_t *this, stroke_msg_t *msg, FILE *out)
-{
-	peer_cfg_t *peer_cfg;
-	child_cfg_t *child_cfg;
-	stroke_log_info_t info;
-
-	peer_cfg = charon->backends->get_peer_cfg_by_name(charon->backends,
-													  msg->initiate.name);
-	if (peer_cfg == NULL)
-	{
-		DBG1(DBG_CFG, "no config named '%s'\n", msg->initiate.name);
-		return;
-	}
-	if (peer_cfg->get_ike_version(peer_cfg) != 2)
-	{
-		DBG1(DBG_CFG, "ignoring initiation request for IKEv%d config",
-			 peer_cfg->get_ike_version(peer_cfg));
-		peer_cfg->destroy(peer_cfg);
-		return;
-	}
-
-	child_cfg = get_child_from_peer(peer_cfg, msg->initiate.name);
-	if (child_cfg == NULL)
-	{
-		DBG1(DBG_CFG, "no child config named '%s'\n", msg->initiate.name);
-		peer_cfg->destroy(peer_cfg);
-		return;
-	}
-
-	if (msg->output_verbosity < 0)
-	{
-		charon->controller->initiate(charon->controller, peer_cfg, child_cfg,
-									 NULL, NULL);
-	}
-	else
-	{
-		info.out = out;
-		info.level = msg->output_verbosity;
-		charon->controller->initiate(charon->controller, peer_cfg, child_cfg,
-									 (controller_cb_t)stroke_log, &info);
-	}
-}
-
-/**
- * Implementation of stroke_control_t.terminate.
- */
-static void terminate(private_stroke_control_t *this, stroke_msg_t *msg, FILE *out)
-{
-	char *string, *pos = NULL, *name = NULL;
-	u_int32_t id = 0;
-	bool child, all = FALSE;
-	int len;
-	ike_sa_t *ike_sa;
-	enumerator_t *enumerator;
-	linked_list_t *ike_list, *child_list;
-	stroke_log_info_t info;
-	uintptr_t del;
-
-	string = msg->terminate.name;
-
-	len = strlen(string);
-	if (len < 1)
-	{
-		DBG1(DBG_CFG, "error parsing string");
-		return;
-	}
-	switch (string[len-1])
-	{
-		case '}':
-			child = TRUE;
-			pos = strchr(string, '{');
-			break;
-		case ']':
-			child = FALSE;
-			pos = strchr(string, '[');
-			break;
-		default:
-			name = string;
-			child = FALSE;
-			break;
-	}
-
-	if (name)
-	{
-		/* is a single name */
-	}
-	else if (pos == string + len - 2)
-	{	/* is name[] or name{} */
-		string[len-2] = '\0';
-		name = string;
-	}
-	else
-	{
-		if (*(pos + 1) == '*')
-		{	/* is name[*] */
-			all = TRUE;
-			*pos = '\0';
-			name = string;
-		}
-		else
-		{	/* is name[123] or name{23} */
-			id = atoi(pos + 1);
-			if (id == 0)
-			{
-				DBG1(DBG_CFG, "error parsing string");
-				return;
-			}
-		}
-	}
-
-	info.out = out;
-	info.level = msg->output_verbosity;
-
-	if (id)
-	{
-		if (child)
-		{
-			charon->controller->terminate_child(charon->controller, id,
-									(controller_cb_t)stroke_log, &info);
-		}
-		else
-		{
-			charon->controller->terminate_ike(charon->controller, id,
-									(controller_cb_t)stroke_log, &info);
-		}
-		return;
-	}
-
-	ike_list = linked_list_create();
-	child_list = linked_list_create();
-	enumerator = charon->controller->create_ike_sa_enumerator(charon->controller);
-	while (enumerator->enumerate(enumerator, &ike_sa))
-	{
-		child_sa_t *child_sa;
-		iterator_t *children;
-
-		if (child)
-		{
-			children = ike_sa->create_child_sa_iterator(ike_sa);
-			while (children->iterate(children, (void**)&child_sa))
-			{
-				if (streq(name, child_sa->get_name(child_sa)))
-				{
-					child_list->insert_last(child_list,
-							(void*)(uintptr_t)child_sa->get_reqid(child_sa));
-					if (!all)
-					{
-						break;
-					}
-				}
-			}
-			children->destroy(children);
-			if (child_list->get_count(child_list) && !all)
-			{
-				break;
-			}
-		}
-		else if (streq(name, ike_sa->get_name(ike_sa)))
-		{
-			ike_list->insert_last(ike_list,
-						(void*)(uintptr_t)ike_sa->get_unique_id(ike_sa));
-			if (!all)
-			{
-				break;
-			}
-		}
-	}
-	enumerator->destroy(enumerator);
-
-	enumerator = child_list->create_enumerator(child_list);
-	while (enumerator->enumerate(enumerator, &del))
-	{
-		charon->controller->terminate_child(charon->controller, del,
-									(controller_cb_t)stroke_log, &info);
-	}
-	enumerator->destroy(enumerator);
-
-	enumerator = ike_list->create_enumerator(ike_list);
-	while (enumerator->enumerate(enumerator, &del))
-	{
-		charon->controller->terminate_ike(charon->controller, del,
-									(controller_cb_t)stroke_log, &info);
-	}
-	enumerator->destroy(enumerator);
-
-	if (child_list->get_count(child_list) == 0 &&
-		ike_list->get_count(ike_list) == 0)
-	{
-		DBG1(DBG_CFG, "no %s_SA named '%s' found",
-			 child ? "CHILD" : "IKE", name);
-	}
-	ike_list->destroy(ike_list);
-	child_list->destroy(child_list);
-}
-
-/**
- * Implementation of stroke_control_t.terminate_srcip.
- */
-static void terminate_srcip(private_stroke_control_t *this,
-							stroke_msg_t *msg, FILE *out)
-{
-	enumerator_t *enumerator;
-	ike_sa_t *ike_sa;
-	host_t *start = NULL, *end = NULL, *vip;
-	chunk_t chunk_start, chunk_end = chunk_empty, chunk_vip;
-
-	if (msg->terminate_srcip.start)
-	{
-		start = host_create_from_string(msg->terminate_srcip.start, 0);
-	}
-	if (!start)
-	{
-		DBG1(DBG_CFG, "invalid start address: %s", msg->terminate_srcip.start);
-		return;
-	}
-	chunk_start = start->get_address(start);
-	if (msg->terminate_srcip.end)
-	{
-		end = host_create_from_string(msg->terminate_srcip.end, 0);
-		if (!end)
-		{
-			DBG1(DBG_CFG, "invalid end address: %s", msg->terminate_srcip.end);
-			start->destroy(start);
-			return;
-		}
-		chunk_end = end->get_address(end);
-	}
-
-	enumerator = charon->controller->create_ike_sa_enumerator(charon->controller);
-	while (enumerator->enumerate(enumerator, &ike_sa))
-	{
-		vip = ike_sa->get_virtual_ip(ike_sa, FALSE);
-		if (!vip)
-		{
-			continue;
-		}
-		if (!end)
-		{
-			if (!vip->ip_equals(vip, start))
-			{
-				continue;
-			}
-		}
-		else
-		{
-			chunk_vip = vip->get_address(vip);
-			if (chunk_vip.len != chunk_start.len ||
-				chunk_vip.len != chunk_end.len ||
-				memcmp(chunk_vip.ptr, chunk_start.ptr, chunk_vip.len) < 0 ||
-				memcmp(chunk_vip.ptr, chunk_end.ptr, chunk_vip.len) > 0)
-			{
-				continue;
-			}
-		}
-
-		/* schedule delete asynchronously */
-		charon->processor->queue_job(charon->processor, (job_t*)
-						delete_ike_sa_job_create(ike_sa->get_id(ike_sa), TRUE));
-	}
-	enumerator->destroy(enumerator);
-	start->destroy(start);
-	DESTROY_IF(end);
-}
-
-/**
- * Implementation of stroke_control_t.purge_ike
- */
-static void purge_ike(private_stroke_control_t *this, stroke_msg_t *msg, FILE *out)
-{
-	enumerator_t *enumerator;
-	iterator_t *iterator;
-	ike_sa_t *ike_sa;
-	child_sa_t *child_sa;
-	linked_list_t *list;
-	uintptr_t del;
-	stroke_log_info_t info;
-
-	info.out = out;
-	info.level = msg->output_verbosity;
-
-	list = linked_list_create();
-	enumerator = charon->controller->create_ike_sa_enumerator(charon->controller);
-	while (enumerator->enumerate(enumerator, &ike_sa))
-	{
-		iterator = ike_sa->create_child_sa_iterator(ike_sa);
-		if (!iterator->iterate(iterator, (void**)&child_sa))
-		{
-			list->insert_last(list,
-						(void*)(uintptr_t)ike_sa->get_unique_id(ike_sa));
-		}
-		iterator->destroy(iterator);
-	}
-	enumerator->destroy(enumerator);
-
-	enumerator = list->create_enumerator(list);
-	while (enumerator->enumerate(enumerator, &del))
-	{
-		charon->controller->terminate_ike(charon->controller, del,
-									(controller_cb_t)stroke_log, &info);
-	}
-	enumerator->destroy(enumerator);
-	list->destroy(list);
-}
-
-/**
- * Implementation of stroke_control_t.route.
- */
-static void route(private_stroke_control_t *this, stroke_msg_t *msg, FILE *out)
-{
-	peer_cfg_t *peer_cfg;
-	child_cfg_t *child_cfg;
-
-	peer_cfg = charon->backends->get_peer_cfg_by_name(charon->backends,
-													  msg->route.name);
-	if (peer_cfg == NULL)
-	{
-		fprintf(out, "no config named '%s'\n", msg->route.name);
-		return;
-	}
-	if (peer_cfg->get_ike_version(peer_cfg) != 2)
-	{
-		peer_cfg->destroy(peer_cfg);
-		return;
-	}
-
-	child_cfg = get_child_from_peer(peer_cfg, msg->route.name);
-	if (child_cfg == NULL)
-	{
-		fprintf(out, "no child config named '%s'\n", msg->route.name);
-		peer_cfg->destroy(peer_cfg);
-		return;
-	}
-
-	if (charon->traps->install(charon->traps, peer_cfg, child_cfg))
-	{
-		fprintf(out, "configuration '%s' routed\n", msg->route.name);
-	}
-	else
-	{
-		fprintf(out, "routing configuration '%s' failed\n", msg->route.name);
-	}
-	peer_cfg->destroy(peer_cfg);
-	child_cfg->destroy(child_cfg);
-}
-
-/**
- * Implementation of stroke_control_t.unroute.
- */
-static void unroute(private_stroke_control_t *this, stroke_msg_t *msg, FILE *out)
-{
-	child_sa_t *child_sa;
-	enumerator_t *enumerator;
-	u_int32_t id;
-
-	enumerator = charon->traps->create_enumerator(charon->traps);
-	while (enumerator->enumerate(enumerator, NULL, &child_sa))
-	{
-		if (streq(msg->unroute.name, child_sa->get_name(child_sa)))
-		{
-			id = child_sa->get_reqid(child_sa);
-			enumerator->destroy(enumerator);
-			charon->traps->uninstall(charon->traps, id);
-			fprintf(out, "configuration '%s' unrouted\n", msg->unroute.name);
-			return;
-		}
-	}
-	enumerator->destroy(enumerator);
-	fprintf(out, "configuration '%s' not found\n", msg->unroute.name);
-}
-
-/**
- * Implementation of stroke_control_t.destroy
- */
-static void destroy(private_stroke_control_t *this)
-{
-	free(this);
-}
-
-/*
- * see header file
- */
-stroke_control_t *stroke_control_create()
-{
-	private_stroke_control_t *this = malloc_thing(private_stroke_control_t);
-
-	this->public.initiate = (void(*)(stroke_control_t*, stroke_msg_t *msg, FILE *out))initiate;
-	this->public.terminate = (void(*)(stroke_control_t*, stroke_msg_t *msg, FILE *out))terminate;
-	this->public.terminate_srcip = (void(*)(stroke_control_t*, stroke_msg_t *msg, FILE *out))terminate_srcip;
-	this->public.purge_ike = (void(*)(stroke_control_t*, stroke_msg_t *msg, FILE *out))purge_ike;
-	this->public.route = (void(*)(stroke_control_t*, stroke_msg_t *msg, FILE *out))route;
-	this->public.unroute = (void(*)(stroke_control_t*, stroke_msg_t *msg, FILE *out))unroute;
-	this->public.destroy = (void(*)(stroke_control_t*))destroy;
-
-	return &this->public;
-}
-
diff --git a/src/charon/plugins/stroke/stroke_control.h b/src/charon/plugins/stroke/stroke_control.h
deleted file mode 100644
index 9b49bdc31..000000000
--- a/src/charon/plugins/stroke/stroke_control.h
+++ /dev/null
@@ -1,88 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup stroke_control stroke_control
- * @{ @ingroup stroke
- */
-
-#ifndef STROKE_CONTROL_H_
-#define STROKE_CONTROL_H_
-
-#include <stroke_msg.h>
-#include <library.h>
-#include <stdio.h>
-
-typedef struct stroke_control_t stroke_control_t;
-
-/**
- * Process stroke control messages
- */
-struct stroke_control_t {
-
-	/**
-	 * Initiate a connection.
-	 *
-	 * @param msg		stroke message
-	 */
-	void (*initiate)(stroke_control_t *this, stroke_msg_t *msg, FILE *out);
-
-	/**
-	 * Terminate a connection.
-	 *
-	 * @param msg		stroke message
-	 */
-	void (*terminate)(stroke_control_t *this, stroke_msg_t *msg, FILE *out);
-
-	/**
-	 * Terminate a connection by peers virtual IP.
-	 *
-	 * @param msg		stroke message
-	 */
-	void (*terminate_srcip)(stroke_control_t *this, stroke_msg_t *msg, FILE *out);
-
-	/**
-	 * Delete IKE_SAs without a CHILD_SA.
-	 *
-	 * @param msg		stroke message
-	 */
-	void (*purge_ike)(stroke_control_t *this, stroke_msg_t *msg, FILE *out);
-
-	/**
-	 * Route a connection.
-	 *
-	 * @param msg		stroke message
-	 */
-	void (*route)(stroke_control_t *this, stroke_msg_t *msg, FILE *out);
-
-	/**
-	 * Unroute a connection.
-	 *
-	 * @param msg		stroke message
-	 */
-	void (*unroute)(stroke_control_t *this, stroke_msg_t *msg, FILE *out);
-
-	/**
-	 * Destroy a stroke_control instance.
-	 */
-	void (*destroy)(stroke_control_t *this);
-};
-
-/**
- * Create a stroke_control instance.
- */
-stroke_control_t *stroke_control_create();
-
-#endif /** STROKE_CONTROL_H_ @}*/
diff --git a/src/charon/plugins/stroke/stroke_cred.c b/src/charon/plugins/stroke/stroke_cred.c
deleted file mode 100644
index bc0b2f6fc..000000000
--- a/src/charon/plugins/stroke/stroke_cred.c
+++ /dev/null
@@ -1,1174 +0,0 @@
-/*
- * Copyright (C) 2008 Tobias Brunner
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <sys/stat.h>
-#include <limits.h>
-#include <glob.h>
-#include <libgen.h>
-
-#include "stroke_cred.h"
-#include "stroke_shared_key.h"
-
-#include <credentials/certificates/x509.h>
-#include <credentials/certificates/crl.h>
-#include <credentials/certificates/ac.h>
-#include <utils/linked_list.h>
-#include <utils/lexparser.h>
-#include <threading/rwlock.h>
-#include <daemon.h>
-
-/* configuration directories and files */
-#define CONFIG_DIR IPSEC_CONFDIR
-#define IPSEC_D_DIR CONFIG_DIR "/ipsec.d"
-#define PRIVATE_KEY_DIR IPSEC_D_DIR "/private"
-#define CERTIFICATE_DIR IPSEC_D_DIR "/certs"
-#define CA_CERTIFICATE_DIR IPSEC_D_DIR "/cacerts"
-#define AA_CERTIFICATE_DIR IPSEC_D_DIR "/aacerts"
-#define ATTR_CERTIFICATE_DIR IPSEC_D_DIR "/acerts"
-#define OCSP_CERTIFICATE_DIR IPSEC_D_DIR "/ocspcerts"
-#define CRL_DIR IPSEC_D_DIR "/crls"
-#define SECRETS_FILE CONFIG_DIR "/ipsec.secrets"
-
-#define MAX_SECRETS_RECURSION 10
-
-typedef struct private_stroke_cred_t private_stroke_cred_t;
-
-/**
- * private data of stroke_cred
- */
-struct private_stroke_cred_t {
-
-	/**
-	 * public functions
-	 */
-	stroke_cred_t public;
-
-	/**
-	 * list of trusted peer/signer/CA certificates (certificate_t)
-	 */
-	linked_list_t *certs;
-
-	/**
-	 * list of shared secrets (private_shared_key_t)
-	 */
-	linked_list_t *shared;
-
-	/**
-	 * list of private keys (private_key_t)
-	 */
-	linked_list_t *private;
-
-	/**
-	 * read-write lock to lists
-	 */
-	rwlock_t *lock;
-
-	/**
-	 * cache CRLs to disk?
-	 */
-	bool cachecrl;
-};
-
-/**
- * data to pass to various filters
- */
-typedef struct {
-	private_stroke_cred_t *this;
-	identification_t *id;
-	certificate_type_t type;
-} id_data_t;
-
-/**
- * destroy id enumerator data and unlock list
- */
-static void id_data_destroy(id_data_t *data)
-{
-	data->this->lock->unlock(data->this->lock);
-	free(data);
-}
-
-/**
- * filter function for private key enumerator
- */
-static bool private_filter(id_data_t *data,
-						   private_key_t **in, private_key_t **out)
-{
-	private_key_t *key;
-
-	key = *in;
-	if (data->id == NULL)
-	{
-		*out = key;
-		return TRUE;
-	}
-	if (key->has_fingerprint(key, data->id->get_encoding(data->id)))
-	{
-		*out = key;
-		return TRUE;
-	}
-	return FALSE;
-}
-
-/**
- * Implements credential_set_t.create_private_enumerator
- */
-static enumerator_t* create_private_enumerator(private_stroke_cred_t *this,
-							key_type_t type, identification_t *id)
-{
-	id_data_t *data;
-
-	data = malloc_thing(id_data_t);
-	data->this = this;
-	data->id = id;
-
-	this->lock->read_lock(this->lock);
-	return enumerator_create_filter(this->private->create_enumerator(this->private),
-									(void*)private_filter, data,
-									(void*)id_data_destroy);
-}
-
-/**
- * filter function for certs enumerator
- */
-static bool certs_filter(id_data_t *data, certificate_t **in, certificate_t **out)
-{
-	public_key_t *public;
-	certificate_t *cert = *in;
-
-	if (data->type != CERT_ANY && data->type != cert->get_type(cert))
-	{
-		return FALSE;
-	}
-	if (data->id == NULL || cert->has_subject(cert, data->id))
-	{
-		*out = *in;
-		return TRUE;
-	}
-
-	public = cert->get_public_key(cert);
-	if (public)
-	{
-		if (public->has_fingerprint(public, data->id->get_encoding(data->id)))
-		{
-			public->destroy(public);
-			*out = *in;
-			return TRUE;
-		}
-		public->destroy(public);
-	}
-	return FALSE;
-}
-
-/**
- * Implements credential_set_t.create_cert_enumerator
- */
-static enumerator_t* create_cert_enumerator(private_stroke_cred_t *this,
-							certificate_type_t cert, key_type_t key,
-							identification_t *id, bool trusted)
-{
-	id_data_t *data;
-
-	if (trusted && (cert == CERT_X509_CRL || cert == CERT_X509_AC))
-	{
-		return NULL;
-	}
-	data = malloc_thing(id_data_t);
-	data->this = this;
-	data->id = id;
-	data->type = cert;
-
-	this->lock->read_lock(this->lock);
-	return enumerator_create_filter(this->certs->create_enumerator(this->certs),
-									(void*)certs_filter, data,
-									(void*)id_data_destroy);
-}
-
-typedef struct {
-	private_stroke_cred_t *this;
-	identification_t *me;
-	identification_t *other;
-	shared_key_type_t type;
-} shared_data_t;
-
-/**
- * free shared key enumerator data and unlock list
- */
-static void shared_data_destroy(shared_data_t *data)
-{
-	data->this->lock->unlock(data->this->lock);
-	free(data);
-}
-
-/**
- * filter function for certs enumerator
- */
-static bool shared_filter(shared_data_t *data,
-						  stroke_shared_key_t **in, shared_key_t **out,
-						  void **unused1, id_match_t *me,
-						  void **unused2, id_match_t *other)
-{
-	id_match_t my_match = ID_MATCH_NONE, other_match = ID_MATCH_NONE;
-	stroke_shared_key_t *stroke = *in;
-	shared_key_t *shared = &stroke->shared;
-
-	if (data->type != SHARED_ANY && shared->get_type(shared) != data->type)
-	{
-		return FALSE;
-	}
-
-	if (data->me)
-	{
-		my_match = stroke->has_owner(stroke, data->me);
-	}
-	if (data->other)
-	{
-		other_match = stroke->has_owner(stroke, data->other);
-	}
-	if ((data->me || data->other) && (!my_match && !other_match))
-	{
-		return FALSE;
-	}
-	*out = shared;
-	if (me)
-	{
-		*me = my_match;
-	}
-	if (other)
-	{
-		*other = other_match;
-	}
-	return TRUE;
-}
-
-/**
- * Implements credential_set_t.create_shared_enumerator
- */
-static enumerator_t* create_shared_enumerator(private_stroke_cred_t *this,
-							shared_key_type_t type,	identification_t *me,
-							identification_t *other)
-{
-	shared_data_t *data = malloc_thing(shared_data_t);
-
-	data->this = this;
-	data->me = me;
-	data->other = other;
-	data->type = type;
-	this->lock->read_lock(this->lock);
-	return enumerator_create_filter(this->shared->create_enumerator(this->shared),
-									(void*)shared_filter, data,
-									(void*)shared_data_destroy);
-}
-
-/**
- * Add a certificate to chain
- */
-static certificate_t* add_cert(private_stroke_cred_t *this, certificate_t *cert)
-{
-	certificate_t *current;
-	enumerator_t *enumerator;
-	bool new = TRUE;
-
-	this->lock->read_lock(this->lock);
-	enumerator = this->certs->create_enumerator(this->certs);
-	while (enumerator->enumerate(enumerator, (void**)&current))
-	{
-		if (current->equals(current, cert))
-		{
-			/* cert already in queue */
-			cert->destroy(cert);
-			cert = current;
-			new = FALSE;
-			break;
-		}
-	}
-	enumerator->destroy(enumerator);
-
-	if (new)
-	{
-		this->certs->insert_last(this->certs, cert);
-	}
-	this->lock->unlock(this->lock);
-	return cert;
-}
-
-/**
- * Implementation of stroke_cred_t.load_ca.
- */
-static certificate_t* load_ca(private_stroke_cred_t *this, char *filename)
-{
-	certificate_t *cert;
-	char path[PATH_MAX];
-
-	if (*filename == '/')
-	{
-		snprintf(path, sizeof(path), "%s", filename);
-	}
-	else
-	{
-		snprintf(path, sizeof(path), "%s/%s", CA_CERTIFICATE_DIR, filename);
-	}
-
-	cert = lib->creds->create(lib->creds,
-							  CRED_CERTIFICATE, CERT_X509,
-							  BUILD_FROM_FILE, path,
-							  BUILD_END);
-	if (cert)
-	{
-		x509_t *x509 = (x509_t*)cert;
-
-		if (!(x509->get_flags(x509) & X509_CA))
-		{
-			DBG1(DBG_CFG, "  ca certificate \"%Y\" misses ca basic constraint, "
-				 "discarded", cert->get_subject(cert));
-			cert->destroy(cert);
-			return NULL;
-		}
-		return (certificate_t*)add_cert(this, cert);
-	}
-	return NULL;
-}
-
-/**
- * Add X.509 CRL to chain
- */
-static bool add_crl(private_stroke_cred_t *this, crl_t* crl)
-{
-	certificate_t *current, *cert = &crl->certificate;
-	enumerator_t *enumerator;
-	bool new = TRUE, found = FALSE;
-
-	this->lock->write_lock(this->lock);
-	enumerator = this->certs->create_enumerator(this->certs);
-	while (enumerator->enumerate(enumerator, (void**)&current))
-	{
-		if (current->get_type(current) == CERT_X509_CRL)
-		{
-			crl_t *crl_c = (crl_t*)current;
-			chunk_t authkey = crl->get_authKeyIdentifier(crl);
-			chunk_t authkey_c = crl_c->get_authKeyIdentifier(crl_c);
-
-			/* if compare authorityKeyIdentifiers if available */
-			if (authkey.ptr && authkey_c.ptr && chunk_equals(authkey, authkey_c))
-			{
-				found = TRUE;
-			}
-			else
-			{
-				identification_t *issuer = cert->get_issuer(cert);
-				identification_t *issuer_c = current->get_issuer(current);
-
-				/* otherwise compare issuer distinguished names */
-				if (issuer->equals(issuer, issuer_c))
-				{
-					found = TRUE;
-				}
-			}
-			if (found)
-			{
-				new = cert->is_newer(cert, current);
-				if (new)
-				{
-					this->certs->remove_at(this->certs, enumerator);
-				}
-				else
-				{
-					cert->destroy(cert);
-				}
-				break;
-			}
-		}
-	}
-	enumerator->destroy(enumerator);
-
-	if (new)
-	{
-		this->certs->insert_last(this->certs, cert);
-	}
-	this->lock->unlock(this->lock);
-	return new;
-}
-
-/**
- * Add X.509 attribute certificate to chain
- */
-static bool add_ac(private_stroke_cred_t *this, ac_t* ac)
-{
-	certificate_t *cert = &ac->certificate;
-
-	this->lock->write_lock(this->lock);
-	this->certs->insert_last(this->certs, cert);
-	this->lock->unlock(this->lock);
-	return TRUE;
-}
-
-/**
- * Implementation of stroke_cred_t.load_peer.
- */
-static certificate_t* load_peer(private_stroke_cred_t *this, char *filename)
-{
-	certificate_t *cert;
-	char path[PATH_MAX];
-
-	if (*filename == '/')
-	{
-		snprintf(path, sizeof(path), "%s", filename);
-	}
-	else
-	{
-		snprintf(path, sizeof(path), "%s/%s", CERTIFICATE_DIR, filename);
-	}
-
-	cert = lib->creds->create(lib->creds,
-							  CRED_CERTIFICATE, CERT_ANY,
-							  BUILD_FROM_FILE, path,
-							  BUILD_END);
-	if (cert)
-	{
-		cert = add_cert(this, cert);
-		DBG1(DBG_CFG, "  loaded certificate \"%Y\" from '%s'",
-					  cert->get_subject(cert), filename);
-		return cert->get_ref(cert);
-	}
-	DBG1(DBG_CFG, "  loading certificate from '%s' failed", filename);
-	return NULL;
-}
-
-/**
- * load trusted certificates from a directory
- */
-static void load_certdir(private_stroke_cred_t *this, char *path,
-						 certificate_type_t type, x509_flag_t flag)
-{
-	struct stat st;
-	char *file;
-
-	enumerator_t *enumerator = enumerator_create_directory(path);
-
-	if (!enumerator)
-	{
-		DBG1(DBG_CFG, "  reading directory failed");
-		return;
-	}
-
-	while (enumerator->enumerate(enumerator, NULL, &file, &st))
-	{
-		certificate_t *cert;
-
-		if (!S_ISREG(st.st_mode))
-		{
-			/* skip special file */
-			continue;
-		}
-		switch (type)
-		{
-			case CERT_X509:
-				if (flag & X509_CA)
-				{	/* for CA certificates, we strictly require
-					 * the CA basic constraint to be set */
-					cert = lib->creds->create(lib->creds,
-										CRED_CERTIFICATE, CERT_X509,
-										BUILD_FROM_FILE, file, BUILD_END);
-					if (cert)
-					{
-						x509_t *x509 = (x509_t*)cert;
-
-						if (!(x509->get_flags(x509) & X509_CA))
-						{
-							DBG1(DBG_CFG, "  ca certificate \"%Y\" lacks "
-								 "ca basic constraint, discarded",
-								 cert->get_subject(cert));
-							cert->destroy(cert);
-							cert = NULL;
-						}
-						else
-						{
-							DBG1(DBG_CFG, "  loaded ca certificate \"%Y\" from '%s'",
-										  cert->get_subject(cert), file);
-						}
-					}
-					else
-					{
-						DBG1(DBG_CFG, "  loading ca certificate from '%s' "
-									  "failed", file);
-					}
-				}
-				else
-				{	/* for all other flags, we add them to the certificate. */
-					cert = lib->creds->create(lib->creds,
-										CRED_CERTIFICATE, CERT_X509,
-										BUILD_FROM_FILE, file,
-										BUILD_X509_FLAG, flag, BUILD_END);
-					if (cert)
-					{
-						DBG1(DBG_CFG, "  loaded certificate \"%Y\" from '%s'",
-									  cert->get_subject(cert), file);
-					}
-					else
-					{
-						DBG1(DBG_CFG, "  loading certificate from '%s' "
-									  "failed", file);
-					}
-				}
-				if (cert)
-				{
-					add_cert(this, cert);
-				}
-				break;
-			case CERT_X509_CRL:
-				cert = lib->creds->create(lib->creds,
-										  CRED_CERTIFICATE, CERT_X509_CRL,
-										  BUILD_FROM_FILE, file,
-										  BUILD_END);
-				if (cert)
-				{
-					add_crl(this, (crl_t*)cert);
-					DBG1(DBG_CFG, "  loaded crl from '%s'",  file);
-				}
-				else
-				{
-					DBG1(DBG_CFG, "  loading crl from '%s' failed", file);
-				}
-				break;
-			case CERT_X509_AC:
-				cert = lib->creds->create(lib->creds,
-										  CRED_CERTIFICATE, CERT_X509_AC,
-										  BUILD_FROM_FILE, file,
-										  BUILD_END);
-				if (cert)
-				{
-					add_ac(this, (ac_t*)cert);
-					DBG1(DBG_CFG, "  loaded attribute certificate from '%s'",
-								  file);
-				}
-				else
-				{
-					DBG1(DBG_CFG, "  loading attribute certificate from '%s' "
-								  "failed", file);
-				}
-				break;
-			default:
-				break;
-		}
-	}
-	enumerator->destroy(enumerator);
-}
-
-/**
- * Implementation of credential_set_t.cache_cert.
- */
-static void cache_cert(private_stroke_cred_t *this, certificate_t *cert)
-{
-	if (cert->get_type(cert) == CERT_X509_CRL && this->cachecrl)
-	{
-		/* CRLs get written to /etc/ipsec.d/crls/<authkeyId>.crl */
-		crl_t *crl = (crl_t*)cert;
-
-		cert->get_ref(cert);
-		if (add_crl(this, crl))
-		{
-			char buf[BUF_LEN];
-			chunk_t chunk, hex;
-
-			chunk = crl->get_authKeyIdentifier(crl);
-			hex = chunk_to_hex(chunk, NULL, FALSE);
-			snprintf(buf, sizeof(buf), "%s/%s.crl", CRL_DIR, hex);
-			free(hex.ptr);
-
-			chunk = cert->get_encoding(cert);
-			chunk_write(chunk, buf, "crl", 022, TRUE);
-			free(chunk.ptr);
-		}
-	}
-}
-
-/**
- * Implementation of stroke_cred_t.cachecrl.
- */
-static void cachecrl(private_stroke_cred_t *this, bool enabled)
-{
-	DBG1(DBG_CFG, "crl caching to %s %s",
-		 CRL_DIR, enabled ? "enabled" : "disabled");
-	this->cachecrl = enabled;
-}
-
-
-/**
- * Convert a string of characters into a binary secret
- * A string between single or double quotes is treated as ASCII characters
- * A string prepended by 0x is treated as HEX and prepended by 0s as Base64
- */
-static err_t extract_secret(chunk_t *secret, chunk_t *line)
-{
-	chunk_t raw_secret;
-	char delimiter = ' ';
-	bool quotes = FALSE;
-
-	if (!eat_whitespace(line))
-	{
-		return "missing secret";
-	}
-
-	if (*line->ptr == '\'' || *line->ptr == '"')
-	{
-		quotes = TRUE;
-		delimiter = *line->ptr;
-		line->ptr++;  line->len--;
-	}
-
-	if (!extract_token(&raw_secret, delimiter, line))
-	{
-		if (delimiter == ' ')
-		{
-			raw_secret = *line;
-		}
-		else
-		{
-			return "missing second delimiter";
-		}
-	}
-
-	if (quotes)
-	{
-		/* treat as an ASCII string */
-		*secret = chunk_clone(raw_secret);
-		return NULL;
-	}
-	/* treat 0x as hex, 0s as base64 */
-	if (raw_secret.len > 2)
-	{
-		if (strncasecmp("0x", raw_secret.ptr, 2) == 0)
-		{
-			*secret = chunk_from_hex(chunk_skip(raw_secret, 2), NULL);
-			return NULL;
-		}
-		if (strncasecmp("0s", raw_secret.ptr, 2) == 0)
-		{
-			*secret = chunk_from_base64(chunk_skip(raw_secret, 2), NULL);
-			return NULL;
-		}
-	}
-	*secret = chunk_clone(raw_secret);
-	return NULL;
-}
-
-/**
- * Data to pass to passphrase_cb
- */
-typedef struct {
-	/** socket we use for prompting */
-	FILE *prompt;
-	/** private key file */
-	char *file;
-	/** buffer for passphrase */
-	char buf[256];
-} passphrase_cb_data_t;
-
-/**
- * Passphrase callback to read from whack fd
- */
-chunk_t passphrase_cb(passphrase_cb_data_t *data, int try)
-{
-	chunk_t secret = chunk_empty;;
-
-	if (try > 5)
-	{
-		fprintf(data->prompt, "invalid passphrase, too many trials\n");
-		return chunk_empty;
-	}
-	if (try == 1)
-	{
-		fprintf(data->prompt, "Private key '%s' is encrypted\n", data->file);
-	}
-	else
-	{
-		fprintf(data->prompt, "invalid passphrase\n");
-	}
-	fprintf(data->prompt, "Passphrase:\n");
-	if (fgets(data->buf, sizeof(data->buf), data->prompt))
-	{
-		secret = chunk_create(data->buf, strlen(data->buf));
-		if (secret.len)
-		{	/* trim appended \n */
-			secret.len--;
-		}
-	}
-	return secret;
-}
-
-/**
- * reload ipsec.secrets
- */
-static void load_secrets(private_stroke_cred_t *this, char *file, int level,
-						 FILE *prompt)
-{
-	size_t bytes;
-	int line_nr = 0;
-	chunk_t chunk, src, line;
-	FILE *fd;
-	private_key_t *private;
-	shared_key_t *shared;
-
-	DBG1(DBG_CFG, "loading secrets from '%s'", file);
-
-	fd = fopen(file, "r");
-	if (fd == NULL)
-	{
-		DBG1(DBG_CFG, "opening secrets file '%s' failed", file);
-		return;
-	}
-
-	/* TODO: do error checks */
-	fseek(fd, 0, SEEK_END);
-	chunk.len = ftell(fd);
-	rewind(fd);
-	chunk.ptr = malloc(chunk.len);
-	bytes = fread(chunk.ptr, 1, chunk.len, fd);
-	fclose(fd);
-	src = chunk;
-
-	if (level == 0)
-	{
-		this->lock->write_lock(this->lock);
-
-		/* flush secrets on non-recursive invocation */
-		while (this->shared->remove_last(this->shared,
-										 (void**)&shared) == SUCCESS)
-		{
-			shared->destroy(shared);
-		}
-		while (this->private->remove_last(this->private,
-										  (void**)&private) == SUCCESS)
-		{
-			private->destroy(private);
-		}
-	}
-
-	while (fetchline(&src, &line))
-	{
-		chunk_t ids, token;
-		shared_key_type_t type;
-
-		line_nr++;
-
-		if (!eat_whitespace(&line))
-		{
-			continue;
-		}
-		if (line.len > strlen("include ") &&
-			strneq(line.ptr, "include ", strlen("include ")))
-		{
-			glob_t buf;
-			char **expanded, *dir, pattern[PATH_MAX];
-			u_char *pos;
-
-			if (level > MAX_SECRETS_RECURSION)
-			{
-				DBG1(DBG_CFG, "maximum level of %d includes reached, ignored",
-					 MAX_SECRETS_RECURSION);
-				continue;
-			}
-			/* terminate filename by space */
-			line = chunk_skip(line, strlen("include "));
-			pos = memchr(line.ptr, ' ', line.len);
-			if (pos)
-			{
-				line.len = pos - line.ptr;
-			}
-			if (line.len && line.ptr[0] == '/')
-			{
-				if (line.len + 1 > sizeof(pattern))
-				{
-					DBG1(DBG_CFG, "include pattern too long, ignored");
-					continue;
-				}
-				snprintf(pattern, sizeof(pattern), "%.*s", line.len, line.ptr);
-			}
-			else
-			{	/* use directory of current file if relative */
-				dir = strdup(file);
-				dir = dirname(dir);
-
-				if (line.len + 1 + strlen(dir) + 1 > sizeof(pattern))
-				{
-					DBG1(DBG_CFG, "include pattern too long, ignored");
-					free(dir);
-					continue;
-				}
-				snprintf(pattern, sizeof(pattern), "%s/%.*s",
-						 dir, line.len, line.ptr);
-				free(dir);
-			}
-			if (glob(pattern, GLOB_ERR, NULL, &buf) != 0)
-			{
-				DBG1(DBG_CFG, "expanding file expression '%s' failed", pattern);
-				globfree(&buf);
-			}
-			else
-			{
-				for (expanded = buf.gl_pathv; *expanded != NULL; expanded++)
-				{
-					load_secrets(this, *expanded, level + 1, prompt);
-				}
-			}
-			globfree(&buf);
-			continue;
-		}
-
-		if (line.len > 2 && strneq(": ", line.ptr, 2))
-		{
-			/* no ids, skip the ':' */
-			ids = chunk_empty;
-			line.ptr++;
-			line.len--;
-		}
-		else if (extract_token_str(&ids, " : ", &line))
-		{
-			/* NULL terminate the extracted id string */
-			*(ids.ptr + ids.len) = '\0';
-		}
-		else
-		{
-			DBG1(DBG_CFG, "line %d: missing ' : ' separator", line_nr);
-			goto error;
-		}
-
-		if (!eat_whitespace(&line) || !extract_token(&token, ' ', &line))
-		{
-			DBG1(DBG_CFG, "line %d: missing token", line_nr);
-			goto error;
-		}
-		if (match("RSA", &token) || match("ECDSA", &token))
-		{
-			char path[PATH_MAX];
-			chunk_t filename;
-			chunk_t secret = chunk_empty;
-			private_key_t *key = NULL;
-			key_type_t key_type = match("RSA", &token) ? KEY_RSA : KEY_ECDSA;
-
-			err_t ugh = extract_value(&filename, &line);
-
-			if (ugh != NULL)
-			{
-				DBG1(DBG_CFG, "line %d: %s", line_nr, ugh);
-				goto error;
-			}
-			if (filename.len == 0)
-			{
-				DBG1(DBG_CFG, "line %d: empty filename", line_nr);
-				goto error;
-			}
-			if (*filename.ptr == '/')
-			{
-				/* absolute path name */
-				snprintf(path, sizeof(path), "%.*s", filename.len, filename.ptr);
-			}
-			else
-			{
-				/* relative path name */
-				snprintf(path, sizeof(path), "%s/%.*s", PRIVATE_KEY_DIR,
-						 filename.len, filename.ptr);
-			}
-
-			/* check for optional passphrase */
-			if (eat_whitespace(&line))
-			{
-				ugh = extract_secret(&secret, &line);
-				if (ugh != NULL)
-				{
-					DBG1(DBG_CFG, "line %d: malformed passphrase: %s", line_nr, ugh);
-					goto error;
-				}
-			}
-			if (secret.len == 7 && strneq(secret.ptr, "%prompt", 7))
-			{
-				if (prompt)
-				{
-					passphrase_cb_data_t data;
-
-					data.prompt = prompt;
-					data.file = path;
-					key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY,
-											 key_type, BUILD_FROM_FILE, path,
-											 BUILD_PASSPHRASE_CALLBACK,
-											 passphrase_cb, &data, BUILD_END);
-				}
-			}
-			else
-			{
-				key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, key_type,
-										 BUILD_FROM_FILE, path,
-										 BUILD_PASSPHRASE, secret, BUILD_END);
-			}
-			if (key)
-			{
-				DBG1(DBG_CFG, "  loaded %N private key from '%s'",
-					 key_type_names, key->get_type(key), path);
-				this->private->insert_last(this->private, key);
-			}
-			else
-			{
-				DBG1(DBG_CFG, "  loading private key from '%s' failed", path);
-			}
-			chunk_clear(&secret);
-		}
-		else if (match("PIN", &token))
-		{
-			chunk_t sc = chunk_empty, secret = chunk_empty;
-			char smartcard[32], keyid[22], pin[32];
-			private_key_t *key;
-			u_int slot;
-
-			err_t ugh = extract_value(&sc, &line);
-
-			if (ugh != NULL)
-			{
-				DBG1(DBG_CFG, "line %d: %s", line_nr, ugh);
-				goto error;
-			}
-			if (sc.len == 0)
-			{
-				DBG1(DBG_CFG, "line %d: expected %%smartcard specifier", line_nr);
-				goto error;
-			}
-			snprintf(smartcard, sizeof(smartcard), "%.*s", sc.len, sc.ptr);
-			smartcard[sizeof(smartcard) - 1] = '\0';
-
-			/* parse slot and key id. only two formats are supported.
-			 * first try %smartcard<slot>:<keyid> */
-			if (sscanf(smartcard, "%%smartcard%u:%s", &slot, keyid) == 2)
-			{
-				snprintf(smartcard, sizeof(smartcard), "%u:%s", slot, keyid);
-			}
-			/* then try %smartcard:<keyid> */
-			else if (sscanf(smartcard, "%%smartcard:%s", keyid) == 1)
-			{
-				snprintf(smartcard, sizeof(smartcard), "%s", keyid);
-			}
-			else
-			{
-				DBG1(DBG_CFG, "line %d: the given %%smartcard specifier is not"
-						" supported or invalid", line_nr);
-				goto error;
-			}
-
-			if (!eat_whitespace(&line))
-			{
-				DBG1(DBG_CFG, "line %d: expected PIN", line_nr);
-				goto error;
-			}
-			ugh = extract_secret(&secret, &line);
-			if (ugh != NULL)
-			{
-				DBG1(DBG_CFG, "line %d: malformed PIN: %s", line_nr, ugh);
-				goto error;
-			}
-			snprintf(pin, sizeof(pin), "%.*s", secret.len, secret.ptr);
-			pin[sizeof(pin) - 1] = '\0';
-
-			/* we assume an RSA key */
-			key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
-									 BUILD_SMARTCARD_KEYID, smartcard,
-									 BUILD_SMARTCARD_PIN, pin, BUILD_END);
-
-			if (key)
-			{
-				DBG1(DBG_CFG, "  loaded private key from %.*s", sc.len, sc.ptr);
-				this->private->insert_last(this->private, key);
-			}
-			memset(pin, 0, sizeof(pin));
-			chunk_clear(&secret);
-		}
-		else if ((match("PSK", &token) && (type = SHARED_IKE)) ||
-				 (match("EAP", &token) && (type = SHARED_EAP)) ||
-				 (match("XAUTH", &token) && (type = SHARED_EAP)))
-		{
-			stroke_shared_key_t *shared_key;
-			chunk_t secret = chunk_empty;
-			bool any = TRUE;
-
-			err_t ugh = extract_secret(&secret, &line);
-			if (ugh != NULL)
-			{
-				DBG1(DBG_CFG, "line %d: malformed secret: %s", line_nr, ugh);
-				goto error;
-			}
-			shared_key = stroke_shared_key_create(type, secret);
-			DBG1(DBG_CFG, "  loaded %N secret for %s", shared_key_type_names, type,
-				 ids.len > 0 ? (char*)ids.ptr : "%any");
-			DBG4(DBG_CFG, "  secret: %#B", &secret);
-
-			this->shared->insert_last(this->shared, shared_key);
-			while (ids.len > 0)
-			{
-				chunk_t id;
-				identification_t *peer_id;
-
-				ugh = extract_value(&id, &ids);
-				if (ugh != NULL)
-				{
-					DBG1(DBG_CFG, "line %d: %s", line_nr, ugh);
-					goto error;
-				}
-				if (id.len == 0)
-				{
-					continue;
-				}
-
-				/* NULL terminate the ID string */
-				*(id.ptr + id.len) = '\0';
-				peer_id = identification_create_from_string(id.ptr);
-				if (peer_id->get_type(peer_id) == ID_ANY)
-				{
-					peer_id->destroy(peer_id);
-					continue;
-				}
-
-				shared_key->add_owner(shared_key, peer_id);
-				any = FALSE;
-			}
-			if (any)
-			{
-				shared_key->add_owner(shared_key,
-					identification_create_from_encoding(ID_ANY, chunk_empty));
-			}
-		}
-		else
-		{
-			DBG1(DBG_CFG, "line %d: token must be either "
-				 "RSA, ECDSA, PSK, EAP, XAUTH or PIN", line_nr);
-			goto error;
-		}
-	}
-error:
-	if (level == 0)
-	{
-		this->lock->unlock(this->lock);
-	}
-	chunk_clear(&chunk);
-}
-
-/**
- * load all certificates from ipsec.d
- */
-static void load_certs(private_stroke_cred_t *this)
-{
-	DBG1(DBG_CFG, "loading ca certificates from '%s'",
-		 CA_CERTIFICATE_DIR);
-	load_certdir(this, CA_CERTIFICATE_DIR, CERT_X509, X509_CA);
-
-	DBG1(DBG_CFG, "loading aa certificates from '%s'",
-		 AA_CERTIFICATE_DIR);
-	load_certdir(this, AA_CERTIFICATE_DIR, CERT_X509, X509_AA);
-
-	DBG1(DBG_CFG, "loading ocsp signer certificates from '%s'",
-		 OCSP_CERTIFICATE_DIR);
-	load_certdir(this, OCSP_CERTIFICATE_DIR, CERT_X509, X509_OCSP_SIGNER);
-
-	DBG1(DBG_CFG, "loading attribute certificates from '%s'",
-		 ATTR_CERTIFICATE_DIR);
-	load_certdir(this, ATTR_CERTIFICATE_DIR, CERT_X509_AC, 0);
-
-	DBG1(DBG_CFG, "loading crls from '%s'",
-		 CRL_DIR);
-	load_certdir(this, CRL_DIR, CERT_X509_CRL, 0);
-}
-
-/**
- * Implementation of stroke_cred_t.reread.
- */
-static void reread(private_stroke_cred_t *this, stroke_msg_t *msg, FILE *prompt)
-{
-	if (msg->reread.flags & REREAD_SECRETS)
-	{
-		DBG1(DBG_CFG, "rereading secrets");
-		load_secrets(this, SECRETS_FILE, 0, prompt);
-	}
-	if (msg->reread.flags & REREAD_CACERTS)
-	{
-		DBG1(DBG_CFG, "rereading ca certificates from '%s'",
-			 CA_CERTIFICATE_DIR);
-		load_certdir(this, CA_CERTIFICATE_DIR, CERT_X509, X509_CA);
-	}
-	if (msg->reread.flags & REREAD_OCSPCERTS)
-	{
-		DBG1(DBG_CFG, "rereading ocsp signer certificates from '%s'",
-			 OCSP_CERTIFICATE_DIR);
-		load_certdir(this, OCSP_CERTIFICATE_DIR, CERT_X509,
-			 X509_OCSP_SIGNER);
-	}
-	if (msg->reread.flags & REREAD_AACERTS)
-	{
-		DBG1(DBG_CFG, "rereading aa certificates from '%s'",
-			 AA_CERTIFICATE_DIR);
-		load_certdir(this, AA_CERTIFICATE_DIR, CERT_X509, X509_AA);
-	}
-	if (msg->reread.flags & REREAD_ACERTS)
-	{
-		DBG1(DBG_CFG, "rereading attribute certificates from '%s'",
-			 ATTR_CERTIFICATE_DIR);
-		load_certdir(this, ATTR_CERTIFICATE_DIR, CERT_X509_AC, 0);
-	}
-	if (msg->reread.flags & REREAD_CRLS)
-	{
-		DBG1(DBG_CFG, "rereading crls from '%s'",
-			 CRL_DIR);
-		load_certdir(this, CRL_DIR, CERT_X509_CRL, 0);
-	}
-}
-
-/**
- * Implementation of stroke_cred_t.destroy
- */
-static void destroy(private_stroke_cred_t *this)
-{
-	this->certs->destroy_offset(this->certs, offsetof(certificate_t, destroy));
-	this->shared->destroy_offset(this->shared, offsetof(shared_key_t, destroy));
-	this->private->destroy_offset(this->private, offsetof(private_key_t, destroy));
-	this->lock->destroy(this->lock);
-	free(this);
-}
-
-/*
- * see header file
- */
-stroke_cred_t *stroke_cred_create()
-{
-	private_stroke_cred_t *this = malloc_thing(private_stroke_cred_t);
-
-	this->public.set.create_private_enumerator = (void*)create_private_enumerator;
-	this->public.set.create_cert_enumerator = (void*)create_cert_enumerator;
-	this->public.set.create_shared_enumerator = (void*)create_shared_enumerator;
-	this->public.set.create_cdp_enumerator = (void*)return_null;
-	this->public.set.cache_cert = (void*)cache_cert;
-	this->public.reread = (void(*)(stroke_cred_t*, stroke_msg_t *msg, FILE*))reread;
-	this->public.load_ca = (certificate_t*(*)(stroke_cred_t*, char *filename))load_ca;
-	this->public.load_peer = (certificate_t*(*)(stroke_cred_t*, char *filename))load_peer;
-	this->public.cachecrl = (void(*)(stroke_cred_t*, bool enabled))cachecrl;
-	this->public.destroy = (void(*)(stroke_cred_t*))destroy;
-
-	this->certs = linked_list_create();
-	this->shared = linked_list_create();
-	this->private = linked_list_create();
-	this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
-
-	load_certs(this);
-	load_secrets(this, SECRETS_FILE, 0, NULL);
-
-	this->cachecrl = FALSE;
-
-	return &this->public;
-}
-
diff --git a/src/charon/plugins/stroke/stroke_cred.h b/src/charon/plugins/stroke/stroke_cred.h
deleted file mode 100644
index ccee7d87c..000000000
--- a/src/charon/plugins/stroke/stroke_cred.h
+++ /dev/null
@@ -1,84 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup stroke_cred stroke_cred
- * @{ @ingroup stroke
- */
-
-#ifndef STROKE_CRED_H_
-#define STROKE_CRED_H_
-
-#include <stdio.h>
-
-#include <stroke_msg.h>
-#include <credentials/credential_set.h>
-#include <credentials/certificates/certificate.h>
-
-typedef struct stroke_cred_t stroke_cred_t;
-
-/**
- * Stroke in-memory credential storage.
- */
-struct stroke_cred_t {
-
-	/**
-	 * Implements credential_set_t
-	 */
-	credential_set_t set;
-
-	/**
-	 * Reread secrets from config files.
-	 *
-	 * @param msg		stroke message
-	 * @param prompt	I/O channel to prompt for private key passhprase
-	 */
-	void (*reread)(stroke_cred_t *this, stroke_msg_t *msg, FILE *prompt);
-
-	/**
-	 * Load a CA certificate, and serve it through the credential_set.
-	 *
-	 * @param filename		file to load CA cert from
-	 * @return				reference to loaded certificate, or NULL
-	 */
-	certificate_t* (*load_ca)(stroke_cred_t *this, char *filename);
-
-	/**
-	 * Load a peer certificate and serve it rhrough the credential_set.
-	 *
-	 * @param filename		file to load peer cert from
-	 * @return				reference to loaded certificate, or NULL
-	 */
-	certificate_t* (*load_peer)(stroke_cred_t *this, char *filename);
-
-	/**
-	 * Enable/Disable CRL caching to disk.
-	 *
-	 * @param enabled		TRUE to enable, FALSE to disable
-	 */
-	void (*cachecrl)(stroke_cred_t *this, bool enabled);
-
-	/**
-	 * Destroy a stroke_cred instance.
-	 */
-	void (*destroy)(stroke_cred_t *this);
-};
-
-/**
- * Create a stroke_cred instance.
- */
-stroke_cred_t *stroke_cred_create();
-
-#endif /** STROKE_CRED_H_ @}*/
diff --git a/src/charon/plugins/stroke/stroke_list.c b/src/charon/plugins/stroke/stroke_list.c
deleted file mode 100644
index c2a98da33..000000000
--- a/src/charon/plugins/stroke/stroke_list.c
+++ /dev/null
@@ -1,1230 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "stroke_list.h"
-
-#include <time.h>
-
-#include <daemon.h>
-#include <utils/linked_list.h>
-#include <credentials/certificates/x509.h>
-#include <credentials/certificates/ac.h>
-#include <credentials/certificates/crl.h>
-#include <credentials/certificates/pgp_certificate.h>
-#include <credentials/ietf_attributes/ietf_attributes.h>
-#include <config/peer_cfg.h>
-
-/* warning intervals for list functions */
-#define CERT_WARNING_INTERVAL  30	/* days */
-#define CRL_WARNING_INTERVAL	7	/* days */
-#define AC_WARNING_INTERVAL		1	/* day */
-
-typedef struct private_stroke_list_t private_stroke_list_t;
-
-/**
- * private data of stroke_list
- */
-struct private_stroke_list_t {
-
-	/**
-	 * public functions
-	 */
-	stroke_list_t public;
-
-	/**
-	 * timestamp of daemon start
-	 */
-	time_t uptime;
-
-	/**
-	 * strokes attribute provider
-	 */
-	stroke_attribute_t *attribute;
-};
-
-/**
- * log an IKE_SA to out
- */
-static void log_ike_sa(FILE *out, ike_sa_t *ike_sa, bool all)
-{
-	ike_sa_id_t *id = ike_sa->get_id(ike_sa);
-	time_t now = time_monotonic(NULL);
-
-	fprintf(out, "%12s[%d]: %N",
-			ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa),
-			ike_sa_state_names, ike_sa->get_state(ike_sa));
-
-	if (ike_sa->get_state(ike_sa) == IKE_ESTABLISHED)
-	{
-		time_t established;
-
-		established = ike_sa->get_statistic(ike_sa, STAT_ESTABLISHED);
-		fprintf(out, " %V ago", &now, &established);
-	}
-
-	fprintf(out, ", %H[%Y]...%H[%Y]\n",
-			ike_sa->get_my_host(ike_sa), ike_sa->get_my_id(ike_sa),
-			ike_sa->get_other_host(ike_sa), ike_sa->get_other_id(ike_sa));
-
-	if (all)
-	{
-		proposal_t *ike_proposal;
-
-		ike_proposal = ike_sa->get_proposal(ike_sa);
-
-		fprintf(out, "%12s[%d]: IKE SPIs: %.16llx_i%s %.16llx_r%s",
-				ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa),
-				id->get_initiator_spi(id), id->is_initiator(id) ? "*" : "",
-				id->get_responder_spi(id), id->is_initiator(id) ? "" : "*");
-
-
-		if (ike_sa->get_state(ike_sa) == IKE_ESTABLISHED)
-		{
-			time_t rekey, reauth;
-			peer_cfg_t *peer_cfg;
-
-			rekey = ike_sa->get_statistic(ike_sa, STAT_REKEY);
-			reauth = ike_sa->get_statistic(ike_sa, STAT_REAUTH);
-			peer_cfg = ike_sa->get_peer_cfg(ike_sa);
-
-			if (rekey)
-			{
-				fprintf(out, ", rekeying in %V", &rekey, &now);
-			}
-			if (reauth)
-			{
-				bool first = TRUE;
-				enumerator_t *enumerator;
-				auth_cfg_t *auth;
-
-				fprintf(out, ", ");
-				enumerator = peer_cfg->create_auth_cfg_enumerator(peer_cfg, TRUE);
-				while (enumerator->enumerate(enumerator, &auth))
-				{
-					if (!first)
-					{
-						fprintf(out, "+");
-					}
-					first = FALSE;
-					fprintf(out, "%N", auth_class_names,
-							auth->get(auth, AUTH_RULE_AUTH_CLASS));
-				}
-				enumerator->destroy(enumerator);
-				fprintf(out, " reauthentication in %V", &reauth, &now);
-			}
-			if (!rekey && !reauth)
-			{
-				fprintf(out, ", rekeying disabled");
-			}
-		}
-		fprintf(out, "\n");
-
-		if (ike_proposal)
-		{
-			char buf[BUF_LEN];
-
-			snprintf(buf, BUF_LEN, "%P", ike_proposal);
-			fprintf(out, "%12s[%d]: IKE proposal: %s\n",
-					ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa),
-					buf+4);
-		}
-	}
-}
-
-/**
- * log an CHILD_SA to out
- */
-static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all)
-{
-	time_t use_in, use_out, rekey, now;
-	u_int64_t bytes_in, bytes_out;
-	proposal_t *proposal;
-	child_cfg_t *config = child_sa->get_config(child_sa);
-
-
-	fprintf(out, "%12s{%d}:  %N, %N%s",
-			child_sa->get_name(child_sa), child_sa->get_reqid(child_sa),
-			child_sa_state_names, child_sa->get_state(child_sa),
-			ipsec_mode_names, child_sa->get_mode(child_sa),
-			config->use_proxy_mode(config) ? "_PROXY" : "");
-
-	if (child_sa->get_state(child_sa) == CHILD_INSTALLED)
-	{
-		fprintf(out, ", %N%s SPIs: %.8x_i %.8x_o",
-				protocol_id_names, child_sa->get_protocol(child_sa),
-				child_sa->has_encap(child_sa) ? " in UDP" : "",
-				ntohl(child_sa->get_spi(child_sa, TRUE)),
-				ntohl(child_sa->get_spi(child_sa, FALSE)));
-
-		if (child_sa->get_ipcomp(child_sa) != IPCOMP_NONE)
-		{
-			fprintf(out, ", IPCOMP CPIs: %.4x_i %.4x_o",
-					ntohs(child_sa->get_cpi(child_sa, TRUE)),
-					ntohs(child_sa->get_cpi(child_sa, FALSE)));
-		}
-
-		if (all)
-		{
-			fprintf(out, "\n%12s{%d}:  ", child_sa->get_name(child_sa),
-					child_sa->get_reqid(child_sa));
-
-			proposal = child_sa->get_proposal(child_sa);
-			if (proposal)
-			{
-				u_int16_t encr_alg = ENCR_UNDEFINED, int_alg = AUTH_UNDEFINED;
-				u_int16_t encr_size = 0, int_size = 0;
-
-				proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM,
-										&encr_alg, &encr_size);
-				proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM,
-										&int_alg, &int_size);
-
-				if (encr_alg != ENCR_UNDEFINED)
-				{
-					fprintf(out, "%N", encryption_algorithm_names, encr_alg);
-					if (encr_size)
-					{
-						fprintf(out, "_%u", encr_size);
-					}
-				}
-				if (int_alg != AUTH_UNDEFINED)
-				{
-					fprintf(out, "/%N", integrity_algorithm_names, int_alg);
-					if (int_size)
-					{
-						fprintf(out, "_%u", int_size);
-					}
-				}
-			}
-
-			now = time_monotonic(NULL);
-			child_sa->get_usestats(child_sa, TRUE, &use_in, &bytes_in);
-			fprintf(out, ", %llu bytes_i", bytes_in);
-			if (use_in)
-			{
-				fprintf(out, " (%ds ago)", now - use_in);
-			}
-
-			child_sa->get_usestats(child_sa, FALSE, &use_out, &bytes_out);
-			fprintf(out, ", %llu bytes_o", bytes_out);
-			if (use_out)
-			{
-				fprintf(out, " (%ds ago)", now - use_out);
-			}
-			fprintf(out, ", rekeying ");
-
-			rekey = child_sa->get_lifetime(child_sa, FALSE);
-			if (rekey)
-			{
-				if (now > rekey)
-				{
-					fprintf(out, "active");
-				}
-				else
-				{
-					fprintf(out, "in %V", &now, &rekey);
-				}
-			}
-			else
-			{
-				fprintf(out, "disabled");
-			}
-
-		}
-	}
-
-	fprintf(out, "\n%12s{%d}:   %#R=== %#R\n",
-			child_sa->get_name(child_sa), child_sa->get_reqid(child_sa),
-			child_sa->get_traffic_selectors(child_sa, TRUE),
-			child_sa->get_traffic_selectors(child_sa, FALSE));
-}
-
-/**
- * Log a configs local or remote authentication config to out
- */
-static void log_auth_cfgs(FILE *out, peer_cfg_t *peer_cfg, bool local)
-{
-	enumerator_t *enumerator, *rules;
-	auth_rule_t rule;
-	auth_cfg_t *auth;
-	auth_class_t auth_class;
-	identification_t *id;
-	certificate_t *cert;
-	cert_validation_t valid;
-	char *name;
-
-	name = peer_cfg->get_name(peer_cfg);
-
-	enumerator = peer_cfg->create_auth_cfg_enumerator(peer_cfg, local);
-	while (enumerator->enumerate(enumerator, &auth))
-	{
-		fprintf(out, "%12s:   %s [%Y] uses ", name,	local ? "local: " : "remote:",
-				auth->get(auth, AUTH_RULE_IDENTITY));
-
-		auth_class = (uintptr_t)auth->get(auth, AUTH_RULE_AUTH_CLASS);
-		if (auth_class != AUTH_CLASS_EAP)
-		{
-			fprintf(out, "%N authentication\n", auth_class_names, auth_class);
-		}
-		else
-		{
-			if ((uintptr_t)auth->get(auth, AUTH_RULE_EAP_TYPE) == EAP_NAK)
-			{
-				fprintf(out, "EAP authentication");
-			}
-			else
-			{
-				if ((uintptr_t)auth->get(auth, AUTH_RULE_EAP_VENDOR))
-				{
-					fprintf(out, "EAP_%d-%d authentication",
-						(uintptr_t)auth->get(auth, AUTH_RULE_EAP_TYPE),
-						(uintptr_t)auth->get(auth, AUTH_RULE_EAP_VENDOR));
-				}
-				else
-				{
-					fprintf(out, "%N authentication", eap_type_names,
-						(uintptr_t)auth->get(auth, AUTH_RULE_EAP_TYPE));
-				}
-			}
-			id = auth->get(auth, AUTH_RULE_EAP_IDENTITY);
-			if (id)
-			{
-				fprintf(out, " with EAP identity '%Y'", id);
-			}
-			fprintf(out, "\n");
-		}
-
-		cert = auth->get(auth, AUTH_RULE_CA_CERT);
-		if (cert)
-		{
-			fprintf(out, "%12s:    ca:    \"%Y\"\n", name, cert->get_subject(cert));
-		}
-
-		cert = auth->get(auth, AUTH_RULE_IM_CERT);
-		if (cert)
-		{
-			fprintf(out, "%12s:    im-ca: \"%Y\"\n", name, cert->get_subject(cert));
-		}
-
-		cert = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
-		if (cert)
-		{
-			fprintf(out, "%12s:    cert:  \"%Y\"\n", name,
-					cert->get_subject(cert));
-		}
-
-		valid = (uintptr_t)auth->get(auth, AUTH_RULE_OCSP_VALIDATION);
-		if (valid != VALIDATION_FAILED)
-		{
-			fprintf(out, "%12s:    ocsp:  status must be GOOD%s\n", name,
-					(valid == VALIDATION_SKIPPED) ? " or SKIPPED" : "");
-		}
-
-		valid = (uintptr_t)auth->get(auth, AUTH_RULE_CRL_VALIDATION);
-		if (valid != VALIDATION_FAILED)
-		{
-			fprintf(out, "%12s:    crl:   status must be GOOD%s\n", name,
-					(valid == VALIDATION_SKIPPED) ? " or SKIPPED" : "");
-		}
-
-		rules = auth->create_enumerator(auth);
-		while (rules->enumerate(rules, &rule, &id))
-		{
-			if (rule == AUTH_RULE_AC_GROUP)
-			{
-				fprintf(out, "%12s:    group: %Y\n", name, id);
-			}
-		}
-		rules->destroy(rules);
-	}
-	enumerator->destroy(enumerator);
-}
-
-/**
- * Implementation of stroke_list_t.status.
- */
-static void status(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out, bool all)
-{
-	enumerator_t *enumerator, *children;
-	ike_cfg_t *ike_cfg;
-	child_cfg_t *child_cfg;
-	child_sa_t *child_sa;
-	ike_sa_t *ike_sa;
-	bool first, found = FALSE;
-	char *name = msg->status.name;
-
-	if (all)
-	{
-		peer_cfg_t *peer_cfg;
-		char *plugin, *pool;
-		host_t *host;
-		u_int32_t dpd;
-		time_t since, now;
-		u_int size, online, offline;
-
-		now = time_monotonic(NULL);
-		since = time(NULL) - (now - this->uptime);
-
-		fprintf(out, "Status of IKEv2 charon daemon (strongSwan "VERSION"):\n");
-		fprintf(out, "  uptime: %V, since %T\n", &now, &this->uptime, &since, FALSE);
-		fprintf(out, "  worker threads: %d idle of %d,",
-				charon->processor->get_idle_threads(charon->processor),
-				charon->processor->get_total_threads(charon->processor));
-		fprintf(out, " job queue load: %d,",
-				charon->processor->get_job_load(charon->processor));
-		fprintf(out, " scheduled events: %d\n",
-				charon->scheduler->get_job_load(charon->scheduler));
-		fprintf(out, "  loaded plugins: ");
-		enumerator = lib->plugins->create_plugin_enumerator(lib->plugins);
-		while (enumerator->enumerate(enumerator, &plugin))
-		{
-			fprintf(out, "%s ", plugin);
-		}
-		enumerator->destroy(enumerator);
-		fprintf(out, "\n");
-
-		first = TRUE;
-		enumerator = this->attribute->create_pool_enumerator(this->attribute);
-		while (enumerator->enumerate(enumerator, &pool, &size, &online, &offline))
-		{
-			if (name && !streq(name, pool))
-			{
-				continue;
-			}
-			if (first)
-			{
-				first = FALSE;
-				fprintf(out, "Virtual IP pools (size/online/offline):\n");
-			}
-			fprintf(out, "  %s: %u/%u/%u\n", pool, size, online, offline);
-		}
-		enumerator->destroy(enumerator);
-
-		enumerator = charon->kernel_interface->create_address_enumerator(
-								charon->kernel_interface, FALSE, FALSE);
-		fprintf(out, "Listening IP addresses:\n");
-		while (enumerator->enumerate(enumerator, (void**)&host))
-		{
-			fprintf(out, "  %H\n", host);
-		}
-		enumerator->destroy(enumerator);
-
-		fprintf(out, "Connections:\n");
-		enumerator = charon->backends->create_peer_cfg_enumerator(
-									charon->backends, NULL, NULL, NULL, NULL);
-		while (enumerator->enumerate(enumerator, &peer_cfg))
-		{
-			if (peer_cfg->get_ike_version(peer_cfg) != 2 ||
-				(name && !streq(name, peer_cfg->get_name(peer_cfg))))
-			{
-				continue;
-			}
-
-			ike_cfg = peer_cfg->get_ike_cfg(peer_cfg);
-			fprintf(out, "%12s:  %s...%s", peer_cfg->get_name(peer_cfg),
-				ike_cfg->get_my_addr(ike_cfg), ike_cfg->get_other_addr(ike_cfg));
-
-			dpd = peer_cfg->get_dpd(peer_cfg);
-			if (dpd)
-			{
-				fprintf(out, ", dpddelay=%us", dpd);
-			}
-			fprintf(out, "\n");
-
-			log_auth_cfgs(out, peer_cfg, TRUE);
-			log_auth_cfgs(out, peer_cfg, FALSE);
-
-			children = peer_cfg->create_child_cfg_enumerator(peer_cfg);
-			while (children->enumerate(children, &child_cfg))
-			{
-				linked_list_t *my_ts, *other_ts;
-
-				my_ts = child_cfg->get_traffic_selectors(child_cfg, TRUE, NULL, NULL);
-				other_ts = child_cfg->get_traffic_selectors(child_cfg, FALSE, NULL, NULL);
-				fprintf(out, "%12s:   child:  %#R=== %#R", child_cfg->get_name(child_cfg),
-						my_ts, other_ts);
-				my_ts->destroy_offset(my_ts, offsetof(traffic_selector_t, destroy));
-				other_ts->destroy_offset(other_ts, offsetof(traffic_selector_t, destroy));
-
-				if (dpd)
-				{
-					fprintf(out, ", dpdaction=%N", action_names,
-							child_cfg->get_dpd_action(child_cfg));
-				}
-				fprintf(out, "\n");
-			}
-			children->destroy(children);
-		}
-		enumerator->destroy(enumerator);
-	}
-
-	first = TRUE;
-	enumerator = charon->traps->create_enumerator(charon->traps);
-	while (enumerator->enumerate(enumerator, NULL, &child_sa))
-	{
-		if (first)
-		{
-			fprintf(out, "Routed Connections:\n");
-			first = FALSE;
-		}
-		log_child_sa(out, child_sa, all);
-	}
-	enumerator->destroy(enumerator);
-
-	fprintf(out, "Security Associations:\n");
-	enumerator = charon->controller->create_ike_sa_enumerator(charon->controller);
-	while (enumerator->enumerate(enumerator, &ike_sa))
-	{
-		bool ike_printed = FALSE;
-		iterator_t *children = ike_sa->create_child_sa_iterator(ike_sa);
-
-		if (name == NULL || streq(name, ike_sa->get_name(ike_sa)))
-		{
-			log_ike_sa(out, ike_sa, all);
-			found = TRUE;
-			ike_printed = TRUE;
-		}
-
-		while (children->iterate(children, (void**)&child_sa))
-		{
-			if (name == NULL || streq(name, child_sa->get_name(child_sa)))
-			{
-				if (!ike_printed)
-				{
-					log_ike_sa(out, ike_sa, all);
-					found = TRUE;
-					ike_printed = TRUE;
-				}
-				log_child_sa(out, child_sa, all);
-			}
-		}
-		children->destroy(children);
-	}
-	enumerator->destroy(enumerator);
-
-	if (!found)
-	{
-		if (name)
-		{
-			fprintf(out, "  no match\n");
-		}
-		else
-		{
-			fprintf(out, "  none\n");
-		}
-	}
-}
-
-/**
- * create a unique certificate list without duplicates
- * certicates having the same issuer are grouped together.
- */
-static linked_list_t* create_unique_cert_list(certificate_type_t type)
-{
-	linked_list_t *list = linked_list_create();
-	enumerator_t *enumerator = charon->credentials->create_cert_enumerator(
-									charon->credentials, type, KEY_ANY,
-									NULL, FALSE);
-	certificate_t *cert;
-
-	while (enumerator->enumerate(enumerator, (void**)&cert))
-	{
-		iterator_t *iterator = list->create_iterator(list, TRUE);
-		identification_t *issuer = cert->get_issuer(cert);
-		bool previous_same, same = FALSE, last = TRUE;
-		certificate_t *list_cert;
-
-		while (iterator->iterate(iterator, (void**)&list_cert))
-		{
-			/* exit if we have a duplicate? */
-			if (list_cert->equals(list_cert, cert))
-			{
-				last = FALSE;
-				break;
-			}
-			/* group certificates with same issuer */
-			previous_same = same;
-			same = list_cert->has_issuer(list_cert, issuer);
-			if (previous_same && !same)
-			{
-				iterator->insert_before(iterator, (void *)cert->get_ref(cert));
-				last = FALSE;
-				break;
-			}
-		}
-		iterator->destroy(iterator);
-
-		if (last)
-		{
-			list->insert_last(list, (void *)cert->get_ref(cert));
-		}
-	}
-	enumerator->destroy(enumerator);
-	return list;
-}
-
-/**
- * Print a single public key.
- */
-static void list_public_key(public_key_t *public, FILE *out)
-{
-	private_key_t *private = NULL;
-	chunk_t keyid;
-	identification_t *id;
-	auth_cfg_t *auth;
-
-	if (public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1, &keyid))
-	{
-		id = identification_create_from_encoding(ID_KEY_ID, keyid);
-		auth = auth_cfg_create();
-		private = charon->credentials->get_private(charon->credentials,
-									public->get_type(public), id, auth);
-		auth->destroy(auth);
-		id->destroy(id);
-	}
-
-	fprintf(out, "  pubkey:    %N %d bits%s\n",
-			key_type_names, public->get_type(public),
-			public->get_keysize(public) * 8,
-			private ? ", has private key" : "");
-	if (public->get_fingerprint(public, KEY_ID_PUBKEY_INFO_SHA1, &keyid))
-	{
-		fprintf(out, "  keyid:     %#B\n", &keyid);
-	}
-	if (public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1, &keyid))
-	{
-		fprintf(out, "  subjkey:   %#B\n", &keyid);
-	}
-	DESTROY_IF(private);
-}
-
-/**
- * list all raw public keys
- */
-static void stroke_list_pubkeys(linked_list_t *list, bool utc, FILE *out)
-{
-	bool first = TRUE;
-
-	enumerator_t *enumerator = list->create_enumerator(list);
-	certificate_t *cert;
-
-	while (enumerator->enumerate(enumerator, (void**)&cert))
-	{
-		public_key_t *public = cert->get_public_key(cert);
-
-		if (public)
-		{
-			if (first)
-			{
-				fprintf(out, "\n");
-				fprintf(out, "List of Raw Public Keys:\n");
-				first = FALSE;
-			}
-			fprintf(out, "\n");
-
-			list_public_key(public, out);
-			public->destroy(public);
-		}
-	}
-	enumerator->destroy(enumerator);
-}
-
-/**
- * list OpenPGP certificates
- */
-static void stroke_list_pgp(linked_list_t *list,bool utc, FILE *out)
-{
-	bool first = TRUE;
-	time_t now = time(NULL);
-	enumerator_t *enumerator = list->create_enumerator(list);
-	certificate_t *cert;
-
-	while (enumerator->enumerate(enumerator, (void**)&cert))
-	{
-		time_t created, until;
-		public_key_t *public;
-		pgp_certificate_t *pgp_cert = (pgp_certificate_t*)cert;
-		chunk_t fingerprint = pgp_cert->get_fingerprint(pgp_cert);
-
-		if (first)
-		{
-
-			fprintf(out, "\n");
-				fprintf(out, "List of PGP End Entity Certificates:\n");
-				first = FALSE;
-		}
-		fprintf(out, "\n");
-		fprintf(out, "  userid:   '%Y'\n", cert->get_subject(cert));
-
-		fprintf(out, "  digest:    %#B\n", &fingerprint);
-
-		/* list validity */
-		cert->get_validity(cert, &now, &created, &until);
-		fprintf(out, "  created:   %T\n", &created, utc);
-		fprintf(out, "  until:     %T%s\n", &until, utc,
-			(until == TIME_32_BIT_SIGNED_MAX) ? " (expires never)":"");
-
-		public = cert->get_public_key(cert);
-		if (public)
-		{
-			list_public_key(public, out);
-			public->destroy(public);
-		}
-	}
-	enumerator->destroy(enumerator);
-}
-
-/**
- * list all X.509 certificates matching the flags
- */
-static void stroke_list_certs(linked_list_t *list, char *label,
-							  x509_flag_t flags, bool utc, FILE *out)
-{
-	bool first = TRUE;
-	time_t now = time(NULL);
-	enumerator_t *enumerator;
-	certificate_t *cert;
-	x509_flag_t flag_mask;
-
-	/* mask all auxiliary flags */
-	flag_mask = ~(X509_SERVER_AUTH | X509_CLIENT_AUTH |
-				  X509_SELF_SIGNED | X509_IP_ADDR_BLOCKS );
-
-	enumerator = list->create_enumerator(list);
-	while (enumerator->enumerate(enumerator, (void**)&cert))
-	{
-		x509_t *x509 = (x509_t*)cert;
-		x509_flag_t x509_flags = x509->get_flags(x509) & flag_mask;
-
-		/* list only if flag is set or flag == 0 */
-		if ((x509_flags & flags) || (x509_flags == flags))
-		{
-			enumerator_t *enumerator;
-			identification_t *altName;
-			bool first_altName = TRUE;
-			int pathlen;
-			chunk_t serial, authkey;
-			time_t notBefore, notAfter;
-			public_key_t *public;
-
-			if (first)
-			{
-				fprintf(out, "\n");
-				fprintf(out, "List of %s:\n", label);
-				first = FALSE;
-			}
-			fprintf(out, "\n");
-
-			/* list subjectAltNames */
-			enumerator = x509->create_subjectAltName_enumerator(x509);
-			while (enumerator->enumerate(enumerator, (void**)&altName))
-			{
-				if (first_altName)
-				{
-					fprintf(out, "  altNames:  ");
-					first_altName = FALSE;
-				}
-				else
-				{
-					fprintf(out, ", ");
-				}
-				fprintf(out, "%Y", altName);
-			}
-			if (!first_altName)
-			{
-				fprintf(out, "\n");
-			}
-			enumerator->destroy(enumerator);
-
-			fprintf(out, "  subject:  \"%Y\"\n", cert->get_subject(cert));
-			fprintf(out, "  issuer:   \"%Y\"\n", cert->get_issuer(cert));
-			serial = x509->get_serial(x509);
-			fprintf(out, "  serial:    %#B\n", &serial);
-
-			/* list validity */
-			cert->get_validity(cert, &now, &notBefore, &notAfter);
-			fprintf(out, "  validity:  not before %T, ", &notBefore, utc);
-			if (now < notBefore)
-			{
-				fprintf(out, "not valid yet (valid in %V)\n", &now, &notBefore);
-			}
-			else
-			{
-				fprintf(out, "ok\n");
-			}
-			fprintf(out, "             not after  %T, ", &notAfter, utc);
-			if (now > notAfter)
-			{
-				fprintf(out, "expired (%V ago)\n", &now, &notAfter);
-			}
-			else
-			{
-				fprintf(out, "ok");
-				if (now > notAfter - CERT_WARNING_INTERVAL * 60 * 60 * 24)
-				{
-					fprintf(out, " (expires in %V)", &now, &notAfter);
-				}
-				fprintf(out, " \n");
-			}
-
-			public = cert->get_public_key(cert);
-			if (public)
-			{
-				list_public_key(public, out);
-				public->destroy(public);
-			}
-
-			/* list optional authorityKeyIdentifier */
-			authkey = x509->get_authKeyIdentifier(x509);
-			if (authkey.ptr)
-			{
-				fprintf(out, "  authkey:   %#B\n", &authkey);
-			}
-
-			/* list optional pathLenConstraint */
-			pathlen = x509->get_pathLenConstraint(x509);
-			if (pathlen != X509_NO_PATH_LEN_CONSTRAINT)
-			{
-				fprintf(out, "  pathlen:   %d\n", pathlen);
-			}
-
-			/* list optional ipAddrBlocks */
-			if (x509->get_flags(x509) & X509_IP_ADDR_BLOCKS)
-			{
-				traffic_selector_t *ipAddrBlock;
-				bool first_ipAddrBlock = TRUE;
-
-				fprintf(out, "  addresses: ");
-				enumerator = x509->create_ipAddrBlock_enumerator(x509);
-				while (enumerator->enumerate(enumerator, &ipAddrBlock))
-				{
-					if (first_ipAddrBlock)
-					{
-						first_ipAddrBlock = FALSE;
-					}
-					else
-					{
-						fprintf(out, ", ");
-					}
-					fprintf(out, "%R", ipAddrBlock);
-				}
-				enumerator->destroy(enumerator);
-				fprintf(out, "\n");
-			}
-		}
-	}
-	enumerator->destroy(enumerator);
-}
-
-/**
- * list all X.509 attribute certificates
- */
-static void stroke_list_acerts(linked_list_t *list, bool utc, FILE *out)
-{
-	bool first = TRUE;
-	time_t thisUpdate, nextUpdate, now = time(NULL);
-	enumerator_t *enumerator = list->create_enumerator(list);
-	certificate_t *cert;
-
-	while (enumerator->enumerate(enumerator, (void**)&cert))
-	{
-		ac_t *ac = (ac_t*)cert;
-		identification_t *id;
-		ietf_attributes_t *groups;
-		chunk_t chunk;
-
-		if (first)
-		{
-			fprintf(out, "\n");
-			fprintf(out, "List of X.509 Attribute Certificates:\n");
-			first = FALSE;
-		}
-		fprintf(out, "\n");
-
-		id = cert->get_subject(cert);
-		if (id)
-		{
-			fprintf(out, "  holder:   \"%Y\"\n", id);
-		}
-		id = ac->get_holderIssuer(ac);
-		if (id)
-		{
-			fprintf(out, "  hissuer:  \"%Y\"\n", id);
-		}
-		chunk = ac->get_holderSerial(ac);
-		if (chunk.ptr)
-		{
-			fprintf(out, "  hserial:   %#B\n", &chunk);
-		}
-		groups = ac->get_groups(ac);
-		if (groups)
-		{
-			fprintf(out, "  groups:    %s\n", groups->get_string(groups));
-			groups->destroy(groups);
-		}
-		fprintf(out, "  issuer:   \"%Y\"\n", cert->get_issuer(cert));
-		chunk  = ac->get_serial(ac);
-		fprintf(out, "  serial:    %#B\n", &chunk);
-
-		/* list validity */
-		cert->get_validity(cert, &now, &thisUpdate, &nextUpdate);
-		fprintf(out, "  updates:   this %T\n",  &thisUpdate, utc);
-		fprintf(out, "             next %T, ", &nextUpdate, utc);
-		if (now > nextUpdate)
-		{
-			fprintf(out, "expired (%V ago)\n", &now, &nextUpdate);
-		}
-		else
-		{
-			fprintf(out, "ok");
-			if (now > nextUpdate - AC_WARNING_INTERVAL * 60 * 60 * 24)
-			{
-				fprintf(out, " (expires in %V)", &now, &nextUpdate);
-			}
-			fprintf(out, " \n");
-		}
-
-		/* list optional authorityKeyIdentifier */
-		chunk = ac->get_authKeyIdentifier(ac);
-		if (chunk.ptr)
-		{
-			fprintf(out, "  authkey:   %#B\n", &chunk);
-		}
-	}
-	enumerator->destroy(enumerator);
-}
-
-/**
- * list all X.509 CRLs
- */
-static void stroke_list_crls(linked_list_t *list, bool utc, FILE *out)
-{
-	bool first = TRUE;
-	time_t thisUpdate, nextUpdate, now = time(NULL);
-	enumerator_t *enumerator = list->create_enumerator(list);
-	certificate_t *cert;
-
-	while (enumerator->enumerate(enumerator, (void**)&cert))
-	{
-		crl_t *crl = (crl_t*)cert;
-		chunk_t chunk;
-
-		if (first)
-		{
-			fprintf(out, "\n");
-			fprintf(out, "List of X.509 CRLs:\n");
-			first = FALSE;
-		}
-		fprintf(out, "\n");
-
-		fprintf(out, "  issuer:   \"%Y\"\n", cert->get_issuer(cert));
-
-		/* list optional crlNumber */
-		chunk = crl->get_serial(crl);
-		if (chunk.ptr)
-		{
-			fprintf(out, "  serial:    %#B\n", &chunk);
-		}
-
-		/* count the number of revoked certificates */
-		{
-			int count = 0;
-			enumerator_t *enumerator = crl->create_enumerator(crl);
-
-			while (enumerator->enumerate(enumerator, NULL, NULL, NULL))
-			{
-				count++;
-			}
-			fprintf(out, "  revoked:   %d certificate%s\n", count,
-							(count == 1)? "" : "s");
-			enumerator->destroy(enumerator);
-		}
-
-		/* list validity */
-		cert->get_validity(cert, &now, &thisUpdate, &nextUpdate);
-		fprintf(out, "  updates:   this %T\n",  &thisUpdate, utc);
-		fprintf(out, "             next %T, ", &nextUpdate, utc);
-		if (now > nextUpdate)
-		{
-			fprintf(out, "expired (%V ago)\n", &now, &nextUpdate);
-		}
-		else
-		{
-			fprintf(out, "ok");
-			if (now > nextUpdate - CRL_WARNING_INTERVAL * 60 * 60 * 24)
-			{
-				fprintf(out, " (expires in %V)", &now, &nextUpdate);
-			}
-			fprintf(out, " \n");
-		}
-
-		/* list optional authorityKeyIdentifier */
-		chunk = crl->get_authKeyIdentifier(crl);
-		if (chunk.ptr)
-		{
-			fprintf(out, "  authkey:   %#B\n", &chunk);
-		}
-	}
-	enumerator->destroy(enumerator);
-}
-
-/**
- * list all OCSP responses
- */
-static void stroke_list_ocsp(linked_list_t* list, bool utc, FILE *out)
-{
-	bool first = TRUE;
-	enumerator_t *enumerator = list->create_enumerator(list);
-	certificate_t *cert;
-
-	while (enumerator->enumerate(enumerator, (void**)&cert))
-	{
-		if (first)
-		{
-			fprintf(out, "\n");
-			fprintf(out, "List of OCSP responses:\n");
-			fprintf(out, "\n");
-			first = FALSE;
-		}
-
-		fprintf(out, "  signer:   \"%Y\"\n", cert->get_issuer(cert));
-	}
-	enumerator->destroy(enumerator);
-}
-
-/**
- * List of registered cryptographical algorithms
- */
-static void list_algs(FILE *out)
-{
-	enumerator_t *enumerator;
-	encryption_algorithm_t encryption;
-	integrity_algorithm_t integrity;
-	hash_algorithm_t hash;
-	pseudo_random_function_t prf;
-	diffie_hellman_group_t group;
-
-	fprintf(out, "\n");
-	fprintf(out, "List of registered IKEv2 Algorithms:\n");
-	fprintf(out, "\n  encryption: ");
-	enumerator = lib->crypto->create_crypter_enumerator(lib->crypto);
-	while (enumerator->enumerate(enumerator, &encryption))
-	{
-		fprintf(out, "%N ", encryption_algorithm_names, encryption);
-	}
-	enumerator->destroy(enumerator);
-	fprintf(out, "\n  integrity:  ");
-	enumerator = lib->crypto->create_signer_enumerator(lib->crypto);
-	while (enumerator->enumerate(enumerator, &integrity))
-	{
-		fprintf(out, "%N ", integrity_algorithm_names, integrity);
-	}
-	enumerator->destroy(enumerator);
-	fprintf(out, "\n  hasher:     ");
-	enumerator = lib->crypto->create_hasher_enumerator(lib->crypto);
-	while (enumerator->enumerate(enumerator, &hash))
-	{
-		fprintf(out, "%N ", hash_algorithm_names, hash);
-	}
-	enumerator->destroy(enumerator);
-	fprintf(out, "\n  prf:        ");
-	enumerator = lib->crypto->create_prf_enumerator(lib->crypto);
-	while (enumerator->enumerate(enumerator, &prf))
-	{
-		fprintf(out, "%N ", pseudo_random_function_names, prf);
-	}
-	enumerator->destroy(enumerator);
-	fprintf(out, "\n  dh-group:   ");
-	enumerator = lib->crypto->create_dh_enumerator(lib->crypto);
-	while (enumerator->enumerate(enumerator, &group))
-	{
-		fprintf(out, "%N ", diffie_hellman_group_names, group);
-	}
-	enumerator->destroy(enumerator);
-	fprintf(out, "\n");
-}
-
-/**
- * Implementation of stroke_list_t.list.
- */
-static void list(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out)
-{
-	linked_list_t *cert_list = NULL;
-
-	if (msg->list.flags & LIST_PUBKEYS)
-	{
-		linked_list_t *pubkey_list = create_unique_cert_list(CERT_TRUSTED_PUBKEY);
-
-		stroke_list_pubkeys(pubkey_list, msg->list.utc, out);
-		pubkey_list->destroy_offset(pubkey_list, offsetof(certificate_t, destroy));
-	}
-	if (msg->list.flags & LIST_CERTS)
-	{
-		linked_list_t *pgp_list = create_unique_cert_list(CERT_GPG);
-
-		stroke_list_pgp(pgp_list, msg->list.utc, out);
-		pgp_list->destroy_offset(pgp_list, offsetof(certificate_t, destroy));
-	}
-	if (msg->list.flags & (LIST_CERTS | LIST_CACERTS | LIST_OCSPCERTS | LIST_AACERTS))
-	{
-		cert_list = create_unique_cert_list(CERT_X509);
-	}
-	if (msg->list.flags & LIST_CERTS)
-	{
-		stroke_list_certs(cert_list, "X.509 End Entity Certificates",
-						  X509_NONE, msg->list.utc, out);
-	}
-	if (msg->list.flags & LIST_CACERTS)
-	{
-		stroke_list_certs(cert_list, "X.509 CA Certificates",
-						  X509_CA, msg->list.utc, out);
-	}
-	if (msg->list.flags & LIST_OCSPCERTS)
-	{
-		stroke_list_certs(cert_list, "X.509 OCSP Signer Certificates",
-						  X509_OCSP_SIGNER, msg->list.utc, out);
-	}
-	if (msg->list.flags & LIST_AACERTS)
-	{
-		stroke_list_certs(cert_list, "X.509 AA Certificates",
-						  X509_AA, msg->list.utc, out);
-	}
-	DESTROY_OFFSET_IF(cert_list, offsetof(certificate_t, destroy));
-
-	if (msg->list.flags & LIST_ACERTS)
-	{
-		linked_list_t *ac_list = create_unique_cert_list(CERT_X509_AC);
-
-		stroke_list_acerts(ac_list, msg->list.utc, out);
-		ac_list->destroy_offset(ac_list, offsetof(certificate_t, destroy));
-	}
-	if (msg->list.flags & LIST_CRLS)
-	{
-		linked_list_t *crl_list = create_unique_cert_list(CERT_X509_CRL);
-
-		stroke_list_crls(crl_list, msg->list.utc, out);
-		crl_list->destroy_offset(crl_list, offsetof(certificate_t, destroy));
-	}
-	if (msg->list.flags & LIST_OCSP)
-	{
-		linked_list_t *ocsp_list = create_unique_cert_list(CERT_X509_OCSP_RESPONSE);
-
-		stroke_list_ocsp(ocsp_list, msg->list.utc, out);
-
-		ocsp_list->destroy_offset(ocsp_list, offsetof(certificate_t, destroy));
-	}
-	if (msg->list.flags & LIST_ALGS)
-	{
-		list_algs(out);
-	}
-}
-
-/**
- * Print leases of a single pool
- */
-static void pool_leases(private_stroke_list_t *this, FILE *out, char *pool,
-						host_t *address, u_int size, u_int online, u_int offline)
-{
-	enumerator_t *enumerator;
-	identification_t *id;
-	host_t *lease;
-	bool on;
-	int found = 0;
-
-	fprintf(out, "Leases in pool '%s', usage: %lu/%lu, %lu online\n",
-			pool, online + offline, size, online);
-	enumerator = this->attribute->create_lease_enumerator(this->attribute, pool);
-	while (enumerator && enumerator->enumerate(enumerator, &id, &lease, &on))
-	{
-		if (!address || address->ip_equals(address, lease))
-		{
-			fprintf(out, "  %15H   %s   '%Y'\n",
-					lease, on ? "online" : "offline", id);
-			found++;
-		}
-	}
-	enumerator->destroy(enumerator);
-	if (!found)
-	{
-		fprintf(out, "  no matching leases found\n");
-	}
-}
-
-/**
- * Implementation of stroke_list_t.leases
- */
-static void leases(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out)
-{
-	enumerator_t *enumerator;
-	u_int size, offline, online;
-	host_t *address = NULL;
-	char *pool;
-	int found = 0;
-
-	if (msg->leases.address)
-	{
-		address = host_create_from_string(msg->leases.address, 0);
-	}
-
-	enumerator = this->attribute->create_pool_enumerator(this->attribute);
-	while (enumerator->enumerate(enumerator, &pool, &size, &online, &offline))
-	{
-		if (!msg->leases.pool || streq(msg->leases.pool, pool))
-		{
-			pool_leases(this, out, pool, address, size, online, offline);
-			found++;
-		}
-	}
-	enumerator->destroy(enumerator);
-	if (!found)
-	{
-		if (msg->leases.pool)
-		{
-			fprintf(out, "pool '%s' not found\n", msg->leases.pool);
-		}
-		else
-		{
-			fprintf(out, "no pools found\n");
-		}
-	}
-	DESTROY_IF(address);
-}
-
-/**
- * Implementation of stroke_list_t.destroy
- */
-static void destroy(private_stroke_list_t *this)
-{
-	free(this);
-}
-
-/*
- * see header file
- */
-stroke_list_t *stroke_list_create(stroke_attribute_t *attribute)
-{
-	private_stroke_list_t *this = malloc_thing(private_stroke_list_t);
-
-	this->public.list = (void(*)(stroke_list_t*, stroke_msg_t *msg, FILE *out))list;
-	this->public.status = (void(*)(stroke_list_t*, stroke_msg_t *msg, FILE *out,bool))status;
-	this->public.leases = (void(*)(stroke_list_t*, stroke_msg_t *msg, FILE *out))leases;
-	this->public.destroy = (void(*)(stroke_list_t*))destroy;
-
-	this->uptime = time_monotonic(NULL);
-	this->attribute = attribute;
-
-	return &this->public;
-}
-
diff --git a/src/charon/plugins/stroke/stroke_list.h b/src/charon/plugins/stroke/stroke_list.h
deleted file mode 100644
index b5bedc6c2..000000000
--- a/src/charon/plugins/stroke/stroke_list.h
+++ /dev/null
@@ -1,74 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup stroke_list stroke_list
- * @{ @ingroup stroke
- */
-
-#ifndef STROKE_LIST_H_
-#define STROKE_LIST_H_
-
-#include "stroke_attribute.h"
-
-#include <stroke_msg.h>
-#include <library.h>
-
-typedef struct stroke_list_t stroke_list_t;
-
-/**
- * Log status information to stroke console
- */
-struct stroke_list_t {
-
-	/**
-	 * List certificate information to stroke console.
-	 *
-	 * @param msg		stroke message
-	 * @param out		stroke console stream
-	 */
-	void (*list)(stroke_list_t *this, stroke_msg_t *msg, FILE *out);
-
-	/**
-	 * Log status information to stroke console.
-	 *
-	 * @param msg		stroke message
-	 * @param out		stroke console stream
-	 * @param all		TRUE for "statusall"
-	 */
-	void (*status)(stroke_list_t *this, stroke_msg_t *msg, FILE *out, bool all);
-
-	/**
-	 * Log pool leases to stroke console.
-	 *
-	 * @param msg		stroke message
-	 * @param out		stroke console stream
-	 */
-	void (*leases)(stroke_list_t *this, stroke_msg_t *msg, FILE *out);
-
-	/**
-	 * Destroy a stroke_list instance.
-	 */
-	void (*destroy)(stroke_list_t *this);
-};
-
-/**
- * Create a stroke_list instance.
- *
- * @param attribute		strokes attribute provider
- */
-stroke_list_t *stroke_list_create(stroke_attribute_t *attribute);
-
-#endif /** STROKE_LIST_H_ @}*/
diff --git a/src/charon/plugins/stroke/stroke_plugin.c b/src/charon/plugins/stroke/stroke_plugin.c
deleted file mode 100644
index 61ae10953..000000000
--- a/src/charon/plugins/stroke/stroke_plugin.c
+++ /dev/null
@@ -1,65 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "stroke_plugin.h"
-
-#include <library.h>
-#include "stroke_socket.h"
-
-typedef struct private_stroke_plugin_t private_stroke_plugin_t;
-
-/**
- * private data of stroke_plugin
- */
-struct private_stroke_plugin_t {
-
-	/**
-	 * public functions
-	 */
-	stroke_plugin_t public;
-
-	/**
-	 * stroke socket, receives strokes
-	 */
-	stroke_socket_t *socket;
-};
-
-/**
- * Implementation of stroke_plugin_t.destroy
- */
-static void destroy(private_stroke_plugin_t *this)
-{
-	this->socket->destroy(this->socket);
-	free(this);
-}
-
-/*
- * see header file
- */
-plugin_t *plugin_create()
-{
-	private_stroke_plugin_t *this = malloc_thing(private_stroke_plugin_t);
-
-	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-
-	this->socket = stroke_socket_create();
-	if (this->socket == NULL)
-	{
-		free(this);
-		return NULL;
-	}
-	return &this->public.plugin;
-}
-
diff --git a/src/charon/plugins/stroke/stroke_plugin.h b/src/charon/plugins/stroke/stroke_plugin.h
deleted file mode 100644
index 3a1e81df6..000000000
--- a/src/charon/plugins/stroke/stroke_plugin.h
+++ /dev/null
@@ -1,50 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup stroke stroke
- * @ingroup cplugins
- *
- * @defgroup stroke_plugin stroke_plugin
- * @{ @ingroup stroke
- */
-
-#ifndef STROKE_PLUGIN_H_
-#define STROKE_PLUGIN_H_
-
-#include <plugins/plugin.h>
-
-typedef struct stroke_plugin_t stroke_plugin_t;
-
-/**
- * strongSwan 2.x style configuration and control interface.
- *
- * Stroke is a home-brewed communication interface inspired by whack. It
- * uses a unix socket (/var/run/charon.ctl).
- */
-struct stroke_plugin_t {
-
-	/**
-	 * implements plugin interface
-	 */
-	plugin_t plugin;
-};
-
-/**
- * Instanciate stroke plugin.
- */
-plugin_t *plugin_create();
-
-#endif /** STROKE_PLUGIN_H_ @}*/
diff --git a/src/charon/plugins/stroke/stroke_shared_key.c b/src/charon/plugins/stroke/stroke_shared_key.c
deleted file mode 100644
index 4f716e83a..000000000
--- a/src/charon/plugins/stroke/stroke_shared_key.c
+++ /dev/null
@@ -1,140 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "stroke_shared_key.h"
-
-#include <utils/linked_list.h>
-
-typedef struct private_stroke_shared_key_t private_stroke_shared_key_t;
-
-/**
- * private data of shared_key
- */
-struct private_stroke_shared_key_t {
-
-	/**
-	 * implements shared_key_t
-	 */
-	stroke_shared_key_t public;
-
-	/**
-	 * type of this key
-	 */
-	shared_key_type_t type;
-
-	/**
-	 * data of the key
-	 */
-	chunk_t key;
-
-	/**
-	 * list of key owners, as identification_t
-	 */
-	linked_list_t *owners;
-
-	/**
-	 * reference counter
-	 */
-	refcount_t ref;
-};
-
-/**
- * Implementation of shared_key_t.get_type.
- */
-static shared_key_type_t get_type(private_stroke_shared_key_t *this)
-{
-	return this->type;
-}
-
-/**
- * Implementation of shared_key_t.get_ref.
- */
-static private_stroke_shared_key_t* get_ref(private_stroke_shared_key_t *this)
-{
-	ref_get(&this->ref);
-	return this;
-}
-
-/**
- * Implementation of shared_key_t.get_key.
- */
-static chunk_t get_key(private_stroke_shared_key_t *this)
-{
-	return this->key;
-}
-
-/**
- * Implementation of stroke_shared_key_t.has_owner.
- */
-static id_match_t has_owner(private_stroke_shared_key_t *this, identification_t *owner)
-{
-	enumerator_t *enumerator;
-	id_match_t match, best = ID_MATCH_NONE;
-	identification_t *current;
-
-	enumerator = this->owners->create_enumerator(this->owners);
-	while (enumerator->enumerate(enumerator, &current))
-	{
-		match  = owner->matches(owner, current);
-		if (match > best)
-		{
-			best = match;
-		}
-	}
-	enumerator->destroy(enumerator);
-	return best;
-}
-/**
- * Implementation of stroke_shared_key_t.add_owner.
- */
-static void add_owner(private_stroke_shared_key_t *this, identification_t *owner)
-{
-	this->owners->insert_last(this->owners, owner);
-}
-
-/**
- * Implementation of stroke_shared_key_t.destroy
- */
-static void destroy(private_stroke_shared_key_t *this)
-{
-	if (ref_put(&this->ref))
-	{
-		this->owners->destroy_offset(this->owners, offsetof(identification_t, destroy));
-		chunk_free(&this->key);
-		free(this);
-	}
-}
-
-/**
- * create a shared key
- */
-stroke_shared_key_t *stroke_shared_key_create(shared_key_type_t type, chunk_t key)
-{
-	private_stroke_shared_key_t *this = malloc_thing(private_stroke_shared_key_t);
-
-	this->public.shared.get_type = (shared_key_type_t(*)(shared_key_t*))get_type;
-	this->public.shared.get_key = (chunk_t(*)(shared_key_t*))get_key;
-	this->public.shared.get_ref = (shared_key_t*(*)(shared_key_t*))get_ref;
-	this->public.shared.destroy = (void(*)(shared_key_t*))destroy;
-	this->public.add_owner = (void(*)(stroke_shared_key_t*, identification_t *owner))add_owner;
-	this->public.has_owner = (id_match_t(*)(stroke_shared_key_t*, identification_t *owner))has_owner;
-
-	this->owners = linked_list_create();
-	this->type = type;
-	this->key = key;
-	this->ref = 1;
-
-	return &this->public;
-}
diff --git a/src/charon/plugins/stroke/stroke_shared_key.h b/src/charon/plugins/stroke/stroke_shared_key.h
deleted file mode 100644
index 05ad55083..000000000
--- a/src/charon/plugins/stroke/stroke_shared_key.h
+++ /dev/null
@@ -1,60 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup stroke_shared_key stroke_shared_key
- * @{ @ingroup stroke
- */
-
-#ifndef STROKE_SHARED_KEY_H_
-#define STROKE_SHARED_KEY_H_
-
-#include <utils/identification.h>
-#include <credentials/keys/shared_key.h>
-
-typedef struct stroke_shared_key_t stroke_shared_key_t;
-
-/**
- * Shared key implementation for keys read from ipsec.secrets
- */
-struct stroke_shared_key_t {
-
-	/**
-	 * Implements the shared_key_t interface.
-	 */
-	shared_key_t shared;
-
-	/**
-	 * Add an owner to the key.
-	 *
-	 * @param owner		owner to add
-	 */
-	void (*add_owner)(stroke_shared_key_t *this, identification_t *owner);
-
-	/**
-	 * Check if a key has a specific owner.
-	 *
-	 * @param owner		owner to check
-	 * @return			best match found
-	 */
-	id_match_t (*has_owner)(stroke_shared_key_t *this, identification_t *owner);
-};
-
-/**
- * Create a stroke_shared_key instance.
- */
-stroke_shared_key_t *stroke_shared_key_create(shared_key_type_t type, chunk_t key);
-
-#endif /** STROKE_SHARED_KEY_H_ @}*/
diff --git a/src/charon/plugins/stroke/stroke_socket.c b/src/charon/plugins/stroke/stroke_socket.c
deleted file mode 100644
index 820e097f1..000000000
--- a/src/charon/plugins/stroke/stroke_socket.c
+++ /dev/null
@@ -1,670 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "stroke_socket.h"
-
-#include <stdlib.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <sys/socket.h>
-#include <sys/un.h>
-#include <sys/fcntl.h>
-#include <unistd.h>
-#include <errno.h>
-
-#include <processing/jobs/callback_job.h>
-#include <daemon.h>
-#include <threading/thread.h>
-
-#include "stroke_config.h"
-#include "stroke_control.h"
-#include "stroke_cred.h"
-#include "stroke_ca.h"
-#include "stroke_attribute.h"
-#include "stroke_list.h"
-
-typedef struct stroke_job_context_t stroke_job_context_t;
-typedef struct private_stroke_socket_t private_stroke_socket_t;
-
-/**
- * private data of stroke_socket
- */
-struct private_stroke_socket_t {
-
-	/**
-	 * public functions
-	 */
-	stroke_socket_t public;
-
-	/**
-	 * Unix socket to listen for strokes
-	 */
-	int socket;
-
-	/**
-	 * job accepting stroke messages
-	 */
-	callback_job_t *job;
-
-	/**
-	 * configuration backend
-	 */
-	stroke_config_t *config;
-
-	/**
-	 * attribute provider
-	 */
-	stroke_attribute_t *attribute;
-
-	/**
-	 * controller to control daemon
-	 */
-	stroke_control_t *control;
-
-	/**
-	 * credential set
-	 */
-	stroke_cred_t *cred;
-
-	/**
-	 * CA sections
-	 */
-	stroke_ca_t *ca;
-
-	/**
-	 * Status information logging
-	 */
-	stroke_list_t *list;
-};
-
-/**
- * job context to pass to processing thread
- */
-struct stroke_job_context_t {
-
-	/**
-	 * file descriptor to read from
-	 */
-	int fd;
-
-	/**
-	 * global stroke interface
-	 */
-	private_stroke_socket_t *this;
-};
-
-/**
- * Helper function which corrects the string pointers
- * in a stroke_msg_t. Strings in a stroke_msg sent over "wire"
- * contains RELATIVE addresses (relative to the beginning of the
- * stroke_msg). They must be corrected if they reach our address
- * space...
- */
-static void pop_string(stroke_msg_t *msg, char **string)
-{
-	if (*string == NULL)
-	{
-		return;
-	}
-
-	/* check for sanity of string pointer and string */
-	if (string < (char**)msg ||
-		string > (char**)msg + sizeof(stroke_msg_t) ||
-		(unsigned long)*string < (unsigned long)((char*)msg->buffer - (char*)msg) ||
-		(unsigned long)*string > msg->length)
-	{
-		*string = "(invalid pointer in stroke msg)";
-	}
-	else
-	{
-		*string = (char*)msg + (unsigned long)*string;
-	}
-}
-
-/**
- * Pop the strings of a stroke_end_t struct and log them for debugging purposes
- */
-static void pop_end(stroke_msg_t *msg, const char* label, stroke_end_t *end)
-{
-	pop_string(msg, &end->address);
-	pop_string(msg, &end->subnets);
-	pop_string(msg, &end->sourceip);
-	pop_string(msg, &end->auth);
-	pop_string(msg, &end->auth2);
-	pop_string(msg, &end->id);
-	pop_string(msg, &end->id2);
-	pop_string(msg, &end->cert);
-	pop_string(msg, &end->cert2);
-	pop_string(msg, &end->ca);
-	pop_string(msg, &end->ca2);
-	pop_string(msg, &end->groups);
-	pop_string(msg, &end->updown);
-
-	DBG2(DBG_CFG, "  %s=%s", label, end->address);
-	DBG2(DBG_CFG, "  %ssubnet=%s", label, end->subnets);
-	DBG2(DBG_CFG, "  %ssourceip=%s", label, end->sourceip);
-	DBG2(DBG_CFG, "  %sauth=%s", label, end->auth);
-	DBG2(DBG_CFG, "  %sauth2=%s", label, end->auth2);
-	DBG2(DBG_CFG, "  %sid=%s", label, end->id);
-	DBG2(DBG_CFG, "  %sid2=%s", label, end->id2);
-	DBG2(DBG_CFG, "  %scert=%s", label, end->cert);
-	DBG2(DBG_CFG, "  %scert2=%s", label, end->cert2);
-	DBG2(DBG_CFG, "  %sca=%s", label, end->ca);
-	DBG2(DBG_CFG, "  %sca2=%s", label, end->ca2);
-	DBG2(DBG_CFG, "  %sgroups=%s", label, end->groups);
-	DBG2(DBG_CFG, "  %supdown=%s", label, end->updown);
-}
-
-/**
- * Add a connection to the configuration list
- */
-static void stroke_add_conn(private_stroke_socket_t *this, stroke_msg_t *msg)
-{
-	pop_string(msg, &msg->add_conn.name);
-	DBG1(DBG_CFG, "received stroke: add connection '%s'", msg->add_conn.name);
-
-	DBG2(DBG_CFG, "conn %s", msg->add_conn.name);
-	pop_end(msg, "left", &msg->add_conn.me);
-	pop_end(msg, "right", &msg->add_conn.other);
-	pop_string(msg, &msg->add_conn.eap_identity);
-	pop_string(msg, &msg->add_conn.algorithms.ike);
-	pop_string(msg, &msg->add_conn.algorithms.esp);
-	pop_string(msg, &msg->add_conn.ikeme.mediated_by);
-	pop_string(msg, &msg->add_conn.ikeme.peerid);
-	DBG2(DBG_CFG, "  eap_identity=%s", msg->add_conn.eap_identity);
-	DBG2(DBG_CFG, "  ike=%s", msg->add_conn.algorithms.ike);
-	DBG2(DBG_CFG, "  esp=%s", msg->add_conn.algorithms.esp);
-	DBG2(DBG_CFG, "  mediation=%s", msg->add_conn.ikeme.mediation ? "yes" : "no");
-	DBG2(DBG_CFG, "  mediated_by=%s", msg->add_conn.ikeme.mediated_by);
-	DBG2(DBG_CFG, "  me_peerid=%s", msg->add_conn.ikeme.peerid);
-
-	this->config->add(this->config, msg);
-	this->attribute->add_pool(this->attribute, msg);
-}
-
-/**
- * Delete a connection from the list
- */
-static void stroke_del_conn(private_stroke_socket_t *this, stroke_msg_t *msg)
-{
-	pop_string(msg, &msg->del_conn.name);
-	DBG1(DBG_CFG, "received stroke: delete connection '%s'", msg->del_conn.name);
-
-	this->config->del(this->config, msg);
-	this->attribute->del_pool(this->attribute, msg);
-}
-
-/**
- * initiate a connection by name
- */
-static void stroke_initiate(private_stroke_socket_t *this, stroke_msg_t *msg, FILE *out)
-{
-	pop_string(msg, &msg->initiate.name);
-	DBG1(DBG_CFG, "received stroke: initiate '%s'", msg->initiate.name);
-
-	this->control->initiate(this->control, msg, out);
-}
-
-/**
- * terminate a connection by name
- */
-static void stroke_terminate(private_stroke_socket_t *this, stroke_msg_t *msg, FILE *out)
-{
-	pop_string(msg, &msg->terminate.name);
-	DBG1(DBG_CFG, "received stroke: terminate '%s'", msg->terminate.name);
-
-	this->control->terminate(this->control, msg, out);
-}
-
-/**
- * terminate a connection by peers virtual IP
- */
-static void stroke_terminate_srcip(private_stroke_socket_t *this,
-								   stroke_msg_t *msg, FILE *out)
-{
-	pop_string(msg, &msg->terminate_srcip.start);
-	pop_string(msg, &msg->terminate_srcip.end);
-	DBG1(DBG_CFG, "received stroke: terminate-srcip %s-%s",
-		 msg->terminate_srcip.start, msg->terminate_srcip.end);
-
-	this->control->terminate_srcip(this->control, msg, out);
-}
-
-/**
- * route a policy (install SPD entries)
- */
-static void stroke_route(private_stroke_socket_t *this, stroke_msg_t *msg, FILE *out)
-{
-	pop_string(msg, &msg->route.name);
-	DBG1(DBG_CFG, "received stroke: route '%s'", msg->route.name);
-
-	this->control->route(this->control, msg, out);
-}
-
-/**
- * unroute a policy
- */
-static void stroke_unroute(private_stroke_socket_t *this, stroke_msg_t *msg, FILE *out)
-{
-	pop_string(msg, &msg->terminate.name);
-	DBG1(DBG_CFG, "received stroke: unroute '%s'", msg->route.name);
-
-	this->control->unroute(this->control, msg, out);
-}
-
-/**
- * Add a ca information record to the cainfo list
- */
-static void stroke_add_ca(private_stroke_socket_t *this,
-						  stroke_msg_t *msg, FILE *out)
-{
-	pop_string(msg, &msg->add_ca.name);
-	DBG1(DBG_CFG, "received stroke: add ca '%s'", msg->add_ca.name);
-
-	pop_string(msg, &msg->add_ca.cacert);
-	pop_string(msg, &msg->add_ca.crluri);
-	pop_string(msg, &msg->add_ca.crluri2);
-	pop_string(msg, &msg->add_ca.ocspuri);
-	pop_string(msg, &msg->add_ca.ocspuri2);
-	pop_string(msg, &msg->add_ca.certuribase);
-	DBG2(DBG_CFG, "ca %s",            msg->add_ca.name);
-	DBG2(DBG_CFG, "  cacert=%s",      msg->add_ca.cacert);
-	DBG2(DBG_CFG, "  crluri=%s",      msg->add_ca.crluri);
-	DBG2(DBG_CFG, "  crluri2=%s",     msg->add_ca.crluri2);
-	DBG2(DBG_CFG, "  ocspuri=%s",     msg->add_ca.ocspuri);
-	DBG2(DBG_CFG, "  ocspuri2=%s",    msg->add_ca.ocspuri2);
-	DBG2(DBG_CFG, "  certuribase=%s", msg->add_ca.certuribase);
-
-	this->ca->add(this->ca, msg);
-}
-
-/**
- * Delete a ca information record from the cainfo list
- */
-static void stroke_del_ca(private_stroke_socket_t *this,
-						  stroke_msg_t *msg, FILE *out)
-{
-	pop_string(msg, &msg->del_ca.name);
-	DBG1(DBG_CFG, "received stroke: delete ca '%s'", msg->del_ca.name);
-
-	this->ca->del(this->ca, msg);
-}
-
-
-/**
- * show status of daemon
- */
-static void stroke_status(private_stroke_socket_t *this,
-						  stroke_msg_t *msg, FILE *out, bool all)
-{
-	pop_string(msg, &(msg->status.name));
-
-	this->list->status(this->list, msg, out, all);
-}
-
-/**
- * list various information
- */
-static void stroke_list(private_stroke_socket_t *this, stroke_msg_t *msg, FILE *out)
-{
-	if (msg->list.flags & LIST_CAINFOS)
-	{
-		this->ca->list(this->ca, msg, out);
-	}
-	this->list->list(this->list, msg, out);
-}
-
-/**
- * reread various information
- */
-static void stroke_reread(private_stroke_socket_t *this,
-						  stroke_msg_t *msg, FILE *out)
-{
-	this->cred->reread(this->cred, msg, out);
-}
-
-/**
- * purge various information
- */
-static void stroke_purge(private_stroke_socket_t *this,
-						 stroke_msg_t *msg, FILE *out)
-{
-	if (msg->purge.flags & PURGE_OCSP)
-	{
-		charon->credentials->flush_cache(charon->credentials,
-										 CERT_X509_OCSP_RESPONSE);
-	}
-	if (msg->purge.flags & PURGE_IKE)
-	{
-		this->control->purge_ike(this->control, msg, out);
-	}
-}
-
-/**
- * list pool leases
- */
-static void stroke_leases(private_stroke_socket_t *this,
-						  stroke_msg_t *msg, FILE *out)
-{
-	pop_string(msg, &msg->leases.pool);
-	pop_string(msg, &msg->leases.address);
-
-	this->list->leases(this->list, msg, out);
-}
-
-debug_t get_group_from_name(char *type)
-{
-	if (strcaseeq(type, "any")) return DBG_ANY;
-	else if (strcaseeq(type, "mgr")) return DBG_MGR;
-	else if (strcaseeq(type, "ike")) return DBG_IKE;
-	else if (strcaseeq(type, "chd")) return DBG_CHD;
-	else if (strcaseeq(type, "job")) return DBG_JOB;
-	else if (strcaseeq(type, "cfg")) return DBG_CFG;
-	else if (strcaseeq(type, "knl")) return DBG_KNL;
-	else if (strcaseeq(type, "net")) return DBG_NET;
-	else if (strcaseeq(type, "enc")) return DBG_ENC;
-	else if (strcaseeq(type, "lib")) return DBG_LIB;
-	else return -1;
-}
-
-/**
- * set the verbosity debug output
- */
-static void stroke_loglevel(private_stroke_socket_t *this,
-							stroke_msg_t *msg, FILE *out)
-{
-	enumerator_t *enumerator;
-	sys_logger_t *sys_logger;
-	file_logger_t *file_logger;
-	debug_t group;
-
-	pop_string(msg, &(msg->loglevel.type));
-	DBG1(DBG_CFG, "received stroke: loglevel %d for %s",
-		 msg->loglevel.level, msg->loglevel.type);
-
-	group = get_group_from_name(msg->loglevel.type);
-	if (group < 0)
-	{
-		fprintf(out, "invalid type (%s)!\n", msg->loglevel.type);
-		return;
-	}
-	/* we set the loglevel on ALL sys- and file-loggers */
-	enumerator = charon->sys_loggers->create_enumerator(charon->sys_loggers);
-	while (enumerator->enumerate(enumerator, &sys_logger))
-	{
-		sys_logger->set_level(sys_logger, group, msg->loglevel.level);
-	}
-	enumerator->destroy(enumerator);
-	enumerator = charon->file_loggers->create_enumerator(charon->file_loggers);
-	while (enumerator->enumerate(enumerator, &file_logger))
-	{
-		file_logger->set_level(file_logger, group, msg->loglevel.level);
-	}
-	enumerator->destroy(enumerator);
-}
-
-/**
- * set various config options
- */
-static void stroke_config(private_stroke_socket_t *this,
-						  stroke_msg_t *msg, FILE *out)
-{
-	this->cred->cachecrl(this->cred, msg->config.cachecrl);
-}
-
-/**
- * destroy a job context
- */
-static void stroke_job_context_destroy(stroke_job_context_t *this)
-{
-	if (this->fd)
-	{
-		close(this->fd);
-	}
-	free(this);
-}
-
-/**
- * process a stroke request from the socket pointed by "fd"
- */
-static job_requeue_t process(stroke_job_context_t *ctx)
-{
-	stroke_msg_t *msg;
-	u_int16_t msg_length;
-	ssize_t bytes_read;
-	FILE *out;
-	private_stroke_socket_t *this = ctx->this;
-	int strokefd = ctx->fd;
-
-	/* peek the length */
-	bytes_read = recv(strokefd, &msg_length, sizeof(msg_length), MSG_PEEK);
-	if (bytes_read != sizeof(msg_length))
-	{
-		DBG1(DBG_CFG, "reading length of stroke message failed: %s",
-			 strerror(errno));
-		return JOB_REQUEUE_NONE;
-	}
-
-	/* read message */
-	msg = alloca(msg_length);
-	bytes_read = recv(strokefd, msg, msg_length, 0);
-	if (bytes_read != msg_length)
-	{
-		DBG1(DBG_CFG, "reading stroke message failed: %s", strerror(errno));
-		return JOB_REQUEUE_NONE;
-	}
-
-	out = fdopen(strokefd, "w+");
-	if (out == NULL)
-	{
-		DBG1(DBG_CFG, "opening stroke output channel failed: %s", strerror(errno));
-		return JOB_REQUEUE_NONE;
-	}
-
-	DBG3(DBG_CFG, "stroke message %b", (void*)msg, msg_length);
-
-	switch (msg->type)
-	{
-		case STR_INITIATE:
-			stroke_initiate(this, msg, out);
-			break;
-		case STR_ROUTE:
-			stroke_route(this, msg, out);
-			break;
-		case STR_UNROUTE:
-			stroke_unroute(this, msg, out);
-			break;
-		case STR_TERMINATE:
-			stroke_terminate(this, msg, out);
-			break;
-		case STR_TERMINATE_SRCIP:
-			stroke_terminate_srcip(this, msg, out);
-			break;
-		case STR_STATUS:
-			stroke_status(this, msg, out, FALSE);
-			break;
-		case STR_STATUS_ALL:
-			stroke_status(this, msg, out, TRUE);
-			break;
-		case STR_ADD_CONN:
-			stroke_add_conn(this, msg);
-			break;
-		case STR_DEL_CONN:
-			stroke_del_conn(this, msg);
-			break;
-		case STR_ADD_CA:
-			stroke_add_ca(this, msg, out);
-			break;
-		case STR_DEL_CA:
-			stroke_del_ca(this, msg, out);
-			break;
-		case STR_LOGLEVEL:
-			stroke_loglevel(this, msg, out);
-			break;
-		case STR_CONFIG:
-			stroke_config(this, msg, out);
-			break;
-		case STR_LIST:
-			stroke_list(this, msg, out);
-			break;
-		case STR_REREAD:
-			stroke_reread(this, msg, out);
-			break;
-		case STR_PURGE:
-			stroke_purge(this, msg, out);
-			break;
-		case STR_LEASES:
-			stroke_leases(this, msg, out);
-			break;
-		default:
-			DBG1(DBG_CFG, "received unknown stroke");
-			break;
-	}
-	fclose(out);
-	/* fclose() closes underlying FD */
-	ctx->fd = 0;
-	return JOB_REQUEUE_NONE;
-}
-
-/**
- * Implementation of private_stroke_socket_t.stroke_receive.
- */
-static job_requeue_t receive(private_stroke_socket_t *this)
-{
-	struct sockaddr_un strokeaddr;
-	int strokeaddrlen = sizeof(strokeaddr);
-	int strokefd;
-	bool oldstate;
-	callback_job_t *job;
-	stroke_job_context_t *ctx;
-
-	oldstate = thread_cancelability(TRUE);
-	strokefd = accept(this->socket, (struct sockaddr *)&strokeaddr, &strokeaddrlen);
-	thread_cancelability(oldstate);
-
-	if (strokefd < 0)
-	{
-		DBG1(DBG_CFG, "accepting stroke connection failed: %s", strerror(errno));
-		return JOB_REQUEUE_FAIR;
-	}
-
-	ctx = malloc_thing(stroke_job_context_t);
-	ctx->fd = strokefd;
-	ctx->this = this;
-	job = callback_job_create((callback_job_cb_t)process,
-							  ctx, (void*)stroke_job_context_destroy, this->job);
-	charon->processor->queue_job(charon->processor, (job_t*)job);
-
-	return JOB_REQUEUE_FAIR;
-}
-
-
-/**
- * initialize and open stroke socket
- */
-static bool open_socket(private_stroke_socket_t *this)
-{
-	struct sockaddr_un socket_addr;
-	mode_t old;
-
-	socket_addr.sun_family = AF_UNIX;
-	strcpy(socket_addr.sun_path, STROKE_SOCKET);
-
-	/* set up unix socket */
-	this->socket = socket(AF_UNIX, SOCK_STREAM, 0);
-	if (this->socket == -1)
-	{
-		DBG1(DBG_CFG, "could not create stroke socket");
-		return FALSE;
-	}
-
-	unlink(socket_addr.sun_path);
-	old = umask(~(S_IRWXU | S_IRWXG));
-	if (bind(this->socket, (struct sockaddr *)&socket_addr, sizeof(socket_addr)) < 0)
-	{
-		DBG1(DBG_CFG, "could not bind stroke socket: %s", strerror(errno));
-		close(this->socket);
-		return FALSE;
-	}
-	umask(old);
-	if (chown(socket_addr.sun_path, charon->uid, charon->gid) != 0)
-	{
-		DBG1(DBG_CFG, "changing stroke socket permissions failed: %s",
-			 strerror(errno));
-	}
-
-	if (listen(this->socket, 10) < 0)
-	{
-		DBG1(DBG_CFG, "could not listen on stroke socket: %s", strerror(errno));
-		close(this->socket);
-		unlink(socket_addr.sun_path);
-		return FALSE;
-	}
-	return TRUE;
-}
-
-/**
- * Implementation of stroke_socket_t.destroy
- */
-static void destroy(private_stroke_socket_t *this)
-{
-	this->job->cancel(this->job);
-	charon->credentials->remove_set(charon->credentials, &this->ca->set);
-	charon->credentials->remove_set(charon->credentials, &this->cred->set);
-	charon->backends->remove_backend(charon->backends, &this->config->backend);
-	lib->attributes->remove_provider(lib->attributes, &this->attribute->provider);
-	this->cred->destroy(this->cred);
-	this->ca->destroy(this->ca);
-	this->config->destroy(this->config);
-	this->attribute->destroy(this->attribute);
-	this->control->destroy(this->control);
-	this->list->destroy(this->list);
-	free(this);
-}
-
-/*
- * see header file
- */
-stroke_socket_t *stroke_socket_create()
-{
-	private_stroke_socket_t *this = malloc_thing(private_stroke_socket_t);
-
-	this->public.destroy = (void(*)(stroke_socket_t*))destroy;
-
-	if (!open_socket(this))
-	{
-		free(this);
-		return NULL;
-	}
-
-	this->cred = stroke_cred_create();
-	this->attribute = stroke_attribute_create();
-	this->ca = stroke_ca_create(this->cred);
-	this->config = stroke_config_create(this->ca, this->cred);
-	this->control = stroke_control_create();
-	this->list = stroke_list_create(this->attribute);
-
-	charon->credentials->add_set(charon->credentials, &this->ca->set);
-	charon->credentials->add_set(charon->credentials, &this->cred->set);
-	charon->backends->add_backend(charon->backends, &this->config->backend);
-	lib->attributes->add_provider(lib->attributes, &this->attribute->provider);
-
-	this->job = callback_job_create((callback_job_cb_t)receive,
-									this, NULL, NULL);
-	charon->processor->queue_job(charon->processor, (job_t*)this->job);
-
-	return &this->public;
-}
-
diff --git a/src/charon/plugins/stroke/stroke_socket.h b/src/charon/plugins/stroke/stroke_socket.h
deleted file mode 100644
index 2aac8be9b..000000000
--- a/src/charon/plugins/stroke/stroke_socket.h
+++ /dev/null
@@ -1,42 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup stroke_socket stroke_socket
- * @{ @ingroup stroke
- */
-
-#ifndef STROKE_SOCKET_H_
-#define STROKE_SOCKET_H_
-
-typedef struct stroke_socket_t stroke_socket_t;
-
-/**
- * Stroke socket, opens UNIX communication socket, reads and dispatches.
- */
-struct stroke_socket_t {
-
-	/**
-	 * Destroy a stroke_socket instance.
-	 */
-	void (*destroy)(stroke_socket_t *this);
-};
-
-/**
- * Create a stroke_socket instance.
- */
-stroke_socket_t *stroke_socket_create();
-
-#endif /** STROKE_SOCKET_H_ @}*/
diff --git a/src/charon/plugins/uci/Makefile.am b/src/charon/plugins/uci/Makefile.am
deleted file mode 100644
index 9fdbfb709..000000000
--- a/src/charon/plugins/uci/Makefile.am
+++ /dev/null
@@ -1,14 +0,0 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
-
-AM_CFLAGS = -rdynamic
-
-plugin_LTLIBRARIES = libstrongswan-uci.la
-libstrongswan_uci_la_SOURCES = \
-  uci_plugin.h uci_plugin.c uci_parser.h uci_parser.c \
-  uci_config.h uci_config.c uci_creds.h uci_creds.c \
-  uci_control.h uci_control.c
-libstrongswan_uci_la_LDFLAGS = -module -avoid-version
-libstrongswan_uci_la_LIBADD = -luci
-
-
diff --git a/src/charon/plugins/uci/Makefile.in b/src/charon/plugins/uci/Makefile.in
deleted file mode 100644
index 00436f509..000000000
--- a/src/charon/plugins/uci/Makefile.in
+++ /dev/null
@@ -1,576 +0,0 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
-# @configure_input@
-
-# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
-# This Makefile.in is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
-# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
-# PARTICULAR PURPOSE.
-
-@SET_MAKE@
-
-VPATH = @srcdir@
-pkgdatadir = $(datadir)/@PACKAGE@
-pkgincludedir = $(includedir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
-pkglibexecdir = $(libexecdir)/@PACKAGE@
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-install_sh_DATA = $(install_sh) -c -m 644
-install_sh_PROGRAM = $(install_sh) -c
-install_sh_SCRIPT = $(install_sh) -c
-INSTALL_HEADER = $(INSTALL_DATA)
-transform = $(program_transform_name)
-NORMAL_INSTALL = :
-PRE_INSTALL = :
-POST_INSTALL = :
-NORMAL_UNINSTALL = :
-PRE_UNINSTALL = :
-POST_UNINSTALL = :
-build_triplet = @build@
-host_triplet = @host@
-subdir = src/charon/plugins/uci
-DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
-ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
-	$(top_srcdir)/m4/config/ltoptions.m4 \
-	$(top_srcdir)/m4/config/ltsugar.m4 \
-	$(top_srcdir)/m4/config/ltversion.m4 \
-	$(top_srcdir)/m4/config/lt~obsolete.m4 \
-	$(top_srcdir)/m4/macros/with.m4 \
-	$(top_srcdir)/m4/macros/enable-disable.m4 \
-	$(top_srcdir)/configure.in
-am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
-	$(ACLOCAL_M4)
-mkinstalldirs = $(install_sh) -d
-CONFIG_CLEAN_FILES =
-CONFIG_CLEAN_VPATH_FILES =
-am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
-am__vpath_adj = case $$p in \
-    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
-    *) f=$$p;; \
-  esac;
-am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
-am__install_max = 40
-am__nobase_strip_setup = \
-  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
-am__nobase_strip = \
-  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
-am__nobase_list = $(am__nobase_strip_setup); \
-  for p in $$list; do echo "$$p $$p"; done | \
-  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
-  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
-    if (++n[$$2] == $(am__install_max)) \
-      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
-    END { for (dir in files) print dir, files[dir] }'
-am__base_list = \
-  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
-  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
-am__installdirs = "$(DESTDIR)$(plugindir)"
-LTLIBRARIES = $(plugin_LTLIBRARIES)
-libstrongswan_uci_la_DEPENDENCIES =
-am_libstrongswan_uci_la_OBJECTS = uci_plugin.lo uci_parser.lo \
-	uci_config.lo uci_creds.lo uci_control.lo
-libstrongswan_uci_la_OBJECTS = $(am_libstrongswan_uci_la_OBJECTS)
-libstrongswan_uci_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_uci_la_LDFLAGS) $(LDFLAGS) -o $@
-DEFAULT_INCLUDES = -I.@am__isrc@
-depcomp = $(SHELL) $(top_srcdir)/depcomp
-am__depfiles_maybe = depfiles
-am__mv = mv -f
-COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
-	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
-SOURCES = $(libstrongswan_uci_la_SOURCES)
-DIST_SOURCES = $(libstrongswan_uci_la_SOURCES)
-ETAGS = etags
-CTAGS = ctags
-DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
-ACLOCAL = @ACLOCAL@
-ALLOCA = @ALLOCA@
-AMTAR = @AMTAR@
-AR = @AR@
-AUTOCONF = @AUTOCONF@
-AUTOHEADER = @AUTOHEADER@
-AUTOMAKE = @AUTOMAKE@
-AWK = @AWK@
-BTLIB = @BTLIB@
-CC = @CC@
-CCDEPMODE = @CCDEPMODE@
-CFLAGS = @CFLAGS@
-CPP = @CPP@
-CPPFLAGS = @CPPFLAGS@
-CYGPATH_W = @CYGPATH_W@
-DEFS = @DEFS@
-DEPDIR = @DEPDIR@
-DLLIB = @DLLIB@
-DSYMUTIL = @DSYMUTIL@
-DUMPBIN = @DUMPBIN@
-ECHO_C = @ECHO_C@
-ECHO_N = @ECHO_N@
-ECHO_T = @ECHO_T@
-EGREP = @EGREP@
-EXEEXT = @EXEEXT@
-FGREP = @FGREP@
-GPERF = @GPERF@
-GREP = @GREP@
-INSTALL = @INSTALL@
-INSTALL_DATA = @INSTALL_DATA@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@
-INSTALL_SCRIPT = @INSTALL_SCRIPT@
-INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-LD = @LD@
-LDFLAGS = @LDFLAGS@
-LEX = @LEX@
-LEXLIB = @LEXLIB@
-LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBOBJS = @LIBOBJS@
-LIBS = @LIBS@
-LIBTOOL = @LIBTOOL@
-LIPO = @LIPO@
-LN_S = @LN_S@
-LTLIBOBJS = @LTLIBOBJS@
-MAKEINFO = @MAKEINFO@
-MKDIR_P = @MKDIR_P@
-MYSQLCFLAG = @MYSQLCFLAG@
-MYSQLCONFIG = @MYSQLCONFIG@
-MYSQLLIB = @MYSQLLIB@
-NM = @NM@
-NMEDIT = @NMEDIT@
-OBJDUMP = @OBJDUMP@
-OBJEXT = @OBJEXT@
-OTOOL = @OTOOL@
-OTOOL64 = @OTOOL64@
-PACKAGE = @PACKAGE@
-PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
-PACKAGE_NAME = @PACKAGE_NAME@
-PACKAGE_STRING = @PACKAGE_STRING@
-PACKAGE_TARNAME = @PACKAGE_TARNAME@
-PACKAGE_URL = @PACKAGE_URL@
-PACKAGE_VERSION = @PACKAGE_VERSION@
-PATH_SEPARATOR = @PATH_SEPARATOR@
-PERL = @PERL@
-PKG_CONFIG = @PKG_CONFIG@
-PTHREADLIB = @PTHREADLIB@
-RANLIB = @RANLIB@
-RTLIB = @RTLIB@
-RUBY = @RUBY@
-RUBYINCLUDE = @RUBYINCLUDE@
-SED = @SED@
-SET_MAKE = @SET_MAKE@
-SHELL = @SHELL@
-SOCKLIB = @SOCKLIB@
-STRIP = @STRIP@
-VERSION = @VERSION@
-YACC = @YACC@
-YFLAGS = @YFLAGS@
-abs_builddir = @abs_builddir@
-abs_srcdir = @abs_srcdir@
-abs_top_builddir = @abs_top_builddir@
-abs_top_srcdir = @abs_top_srcdir@
-ac_ct_CC = @ac_ct_CC@
-ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
-am__include = @am__include@
-am__leading_dot = @am__leading_dot@
-am__quote = @am__quote@
-am__tar = @am__tar@
-am__untar = @am__untar@
-bindir = @bindir@
-build = @build@
-build_alias = @build_alias@
-build_cpu = @build_cpu@
-build_os = @build_os@
-build_vendor = @build_vendor@
-builddir = @builddir@
-datadir = @datadir@
-datarootdir = @datarootdir@
-default_pkcs11 = @default_pkcs11@
-docdir = @docdir@
-dvidir = @dvidir@
-exec_prefix = @exec_prefix@
-gtk_CFLAGS = @gtk_CFLAGS@
-gtk_LIBS = @gtk_LIBS@
-host = @host@
-host_alias = @host_alias@
-host_cpu = @host_cpu@
-host_os = @host_os@
-host_vendor = @host_vendor@
-htmldir = @htmldir@
-includedir = @includedir@
-infodir = @infodir@
-install_sh = @install_sh@
-ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
-ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
-ipsecuser = @ipsecuser@
-libdir = @libdir@
-libexecdir = @libexecdir@
-libstrongswan_plugins = @libstrongswan_plugins@
-linux_headers = @linux_headers@
-localedir = @localedir@
-localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
-mandir = @mandir@
-mkdir_p = @mkdir_p@
-nm_CFLAGS = @nm_CFLAGS@
-nm_LIBS = @nm_LIBS@
-nm_ca_dir = @nm_ca_dir@
-oldincludedir = @oldincludedir@
-pdfdir = @pdfdir@
-piddir = @piddir@
-plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
-prefix = @prefix@
-program_transform_name = @program_transform_name@
-psdir = @psdir@
-random_device = @random_device@
-resolv_conf = @resolv_conf@
-routing_table = @routing_table@
-routing_table_prio = @routing_table_prio@
-sbindir = @sbindir@
-sharedstatedir = @sharedstatedir@
-srcdir = @srcdir@
-strongswan_conf = @strongswan_conf@
-sysconfdir = @sysconfdir@
-target_alias = @target_alias@
-top_build_prefix = @top_build_prefix@
-top_builddir = @top_builddir@
-top_srcdir = @top_srcdir@
-urandom_device = @urandom_device@
-xml_CFLAGS = @xml_CFLAGS@
-xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
-AM_CFLAGS = -rdynamic
-plugin_LTLIBRARIES = libstrongswan-uci.la
-libstrongswan_uci_la_SOURCES = \
-  uci_plugin.h uci_plugin.c uci_parser.h uci_parser.c \
-  uci_config.h uci_config.c uci_creds.h uci_creds.c \
-  uci_control.h uci_control.c
-
-libstrongswan_uci_la_LDFLAGS = -module -avoid-version
-libstrongswan_uci_la_LIBADD = -luci
-all: all-am
-
-.SUFFIXES:
-.SUFFIXES: .c .lo .o .obj
-$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
-	@for dep in $?; do \
-	  case '$(am__configure_deps)' in \
-	    *$$dep*) \
-	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
-	        && { if test -f $@; then exit 0; else break; fi; }; \
-	      exit 1;; \
-	  esac; \
-	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/charon/plugins/uci/Makefile'; \
-	$(am__cd) $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu src/charon/plugins/uci/Makefile
-.PRECIOUS: Makefile
-Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
-	@case '$?' in \
-	  *config.status*) \
-	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
-	  *) \
-	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
-	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
-	esac;
-
-$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-
-$(top_srcdir)/configure:  $(am__configure_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(am__aclocal_m4_deps):
-install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
-	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
-	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
-	list2=; for p in $$list; do \
-	  if test -f $$p; then \
-	    list2="$$list2 $$p"; \
-	  else :; fi; \
-	done; \
-	test -z "$$list2" || { \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
-	}
-
-uninstall-pluginLTLIBRARIES:
-	@$(NORMAL_UNINSTALL)
-	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
-	for p in $$list; do \
-	  $(am__strip_dir) \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
-	done
-
-clean-pluginLTLIBRARIES:
-	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
-	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
-	  test "$$dir" != "$$p" || dir=.; \
-	  echo "rm -f \"$${dir}/so_locations\""; \
-	  rm -f "$${dir}/so_locations"; \
-	done
-libstrongswan-uci.la: $(libstrongswan_uci_la_OBJECTS) $(libstrongswan_uci_la_DEPENDENCIES) 
-	$(libstrongswan_uci_la_LINK) -rpath $(plugindir) $(libstrongswan_uci_la_OBJECTS) $(libstrongswan_uci_la_LIBADD) $(LIBS)
-
-mostlyclean-compile:
-	-rm -f *.$(OBJEXT)
-
-distclean-compile:
-	-rm -f *.tab.c
-
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/uci_config.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/uci_control.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/uci_creds.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/uci_parser.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/uci_plugin.Plo@am__quote@
-
-.c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
-
-.c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
-
-.c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
-
-mostlyclean-libtool:
-	-rm -f *.lo
-
-clean-libtool:
-	-rm -rf .libs _libs
-
-ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
-	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	mkid -fID $$unique
-tags: TAGS
-
-TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	set x; \
-	here=`pwd`; \
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	shift; \
-	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
-	  test -n "$$unique" || unique=$$empty_fix; \
-	  if test $$# -gt 0; then \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      "$$@" $$unique; \
-	  else \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      $$unique; \
-	  fi; \
-	fi
-ctags: CTAGS
-CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$unique" \
-	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$unique
-
-GTAGS:
-	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && $(am__cd) $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) "$$here"
-
-distclean-tags:
-	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
-
-distdir: $(DISTFILES)
-	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	list='$(DISTFILES)'; \
-	  dist_files=`for file in $$list; do echo $$file; done | \
-	  sed -e "s|^$$srcdirstrip/||;t" \
-	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
-	case $$dist_files in \
-	  */*) $(MKDIR_P) `echo "$$dist_files" | \
-			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
-			   sort -u` ;; \
-	esac; \
-	for file in $$dist_files; do \
-	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  if test -d $$d/$$file; then \
-	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
-	    if test -d "$(distdir)/$$file"; then \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
-	  else \
-	    test -f "$(distdir)/$$file" \
-	    || cp -p $$d/$$file "$(distdir)/$$file" \
-	    || exit 1; \
-	  fi; \
-	done
-check-am: all-am
-check: check-am
-all-am: Makefile $(LTLIBRARIES)
-installdirs:
-	for dir in "$(DESTDIR)$(plugindir)"; do \
-	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
-	done
-install: install-am
-install-exec: install-exec-am
-install-data: install-data-am
-uninstall: uninstall-am
-
-install-am: all-am
-	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
-
-installcheck: installcheck-am
-install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
-mostlyclean-generic:
-
-clean-generic:
-
-distclean-generic:
-	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
-
-maintainer-clean-generic:
-	@echo "This command is intended for maintainers to use"
-	@echo "it deletes files that may require special tools to rebuild."
-clean: clean-am
-
-clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
-	mostlyclean-am
-
-distclean: distclean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-distclean-am: clean-am distclean-compile distclean-generic \
-	distclean-tags
-
-dvi: dvi-am
-
-dvi-am:
-
-html: html-am
-
-html-am:
-
-info: info-am
-
-info-am:
-
-install-data-am: install-pluginLTLIBRARIES
-
-install-dvi: install-dvi-am
-
-install-dvi-am:
-
-install-exec-am:
-
-install-html: install-html-am
-
-install-html-am:
-
-install-info: install-info-am
-
-install-info-am:
-
-install-man:
-
-install-pdf: install-pdf-am
-
-install-pdf-am:
-
-install-ps: install-ps-am
-
-install-ps-am:
-
-installcheck-am:
-
-maintainer-clean: maintainer-clean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-maintainer-clean-am: distclean-am maintainer-clean-generic
-
-mostlyclean: mostlyclean-am
-
-mostlyclean-am: mostlyclean-compile mostlyclean-generic \
-	mostlyclean-libtool
-
-pdf: pdf-am
-
-pdf-am:
-
-ps: ps-am
-
-ps-am:
-
-uninstall-am: uninstall-pluginLTLIBRARIES
-
-.MAKE: install-am install-strip
-
-.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
-	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
-	distclean-compile distclean-generic distclean-libtool \
-	distclean-tags distdir dvi dvi-am html html-am info info-am \
-	install install-am install-data install-data-am install-dvi \
-	install-dvi-am install-exec install-exec-am install-html \
-	install-html-am install-info install-info-am install-man \
-	install-pdf install-pdf-am install-pluginLTLIBRARIES \
-	install-ps install-ps-am install-strip installcheck \
-	installcheck-am installdirs maintainer-clean \
-	maintainer-clean-generic mostlyclean mostlyclean-compile \
-	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
-
-
-# Tell versions [3.59,3.63) of GNU make to not export all variables.
-# Otherwise a system limit (for SysV at least) may be exceeded.
-.NOEXPORT:
diff --git a/src/charon/plugins/uci/uci_config.c b/src/charon/plugins/uci/uci_config.c
deleted file mode 100644
index a6ee970ad..000000000
--- a/src/charon/plugins/uci/uci_config.c
+++ /dev/null
@@ -1,359 +0,0 @@
-/*
- * Copyright (C) 2008 Thomas Kallenberg
- * Copyright (C) 2008 Tobias Brunner
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#define _GNU_SOURCE
-#include <string.h>
-
-#include "uci_config.h"
-#include "uci_parser.h"
-
-#include <daemon.h>
-
-typedef struct private_uci_config_t private_uci_config_t;
-
-/**
- * Private data of an uci_config_t object
- */
-struct private_uci_config_t {
-
-	/**
-	 * Public part
-	 */
-	uci_config_t public;
-
-	/**
-	 * UCI parser context
-	 */
-	uci_parser_t *parser;
-};
-
-/**
- * enumerator implementation for create_peer_cfg_enumerator
- */
-typedef struct {
-	/** implements enumerator */
-	enumerator_t public;
-	/** currently enumerated peer config */
-	peer_cfg_t *peer_cfg;
-	/** inner uci_parser section enumerator */
-	enumerator_t *inner;
-} peer_enumerator_t;
-
-/**
- * create a proposal from a string, with fallback to default
- */
-static proposal_t *create_proposal(char *string, protocol_id_t proto)
-{
-	proposal_t *proposal = NULL;
-
-	if (string)
-	{
-		proposal = proposal_create_from_string(proto, string);
-	}
-	if (!proposal)
-	{	/* UCI default is aes/sha1 only */
-		if (proto == PROTO_IKE)
-		{
-			proposal = proposal_create_from_string(proto,
-								"aes128-aes192-aes256-sha1-modp1536-modp2048");
-		}
-		else
-		{
-			proposal = proposal_create_from_string(proto,
-								"aes128-aes192-aes256-sha1");
-		}
-	}
-	return proposal;
-}
-
-/**
- * create an traffic selector, fallback to dynamic
- */
-static traffic_selector_t *create_ts(char *string)
-{
-	if (string)
-	{
-		int netbits = 32;
-		host_t *net;
-		char *pos;
-
-		string = strdupa(string);
-		pos = strchr(string, '/');
-		if (pos)
-		{
-			*pos++ = '\0';
-			netbits = atoi(pos);
-		}
-		else
-		{
-			if (strchr(string, ':'))
-			{
-				netbits = 128;
-			}
-		}
-		net = host_create_from_string(string, 0);
-		if (net)
-		{
-			return traffic_selector_create_from_subnet(net, netbits, 0, 0);
-		}
-	}
-	return traffic_selector_create_dynamic(0, 0, 65535);
-}
-
-/**
- * create a rekey time from a string with hours, with fallback
- */
-static u_int create_rekey(char *string)
-{
-	u_int rekey = 0;
-
-	if (string)
-	{
-		rekey = atoi(string);
-		if (rekey)
-		{
-			return rekey * 3600;
-		}
-	}
-	/* every 12 hours */
-	return 12 * 3600;
-}
-
-/**
- * Implementation of peer_enumerator_t.public.enumerate
- */
-static bool peer_enumerator_enumerate(peer_enumerator_t *this, peer_cfg_t **cfg)
-{
-	char *name, *ike_proposal, *esp_proposal, *ike_rekey, *esp_rekey;
-	char *local_id, *local_addr, *local_net;
-	char *remote_id, *remote_addr, *remote_net;
-	child_cfg_t *child_cfg;
-	ike_cfg_t *ike_cfg;
-	auth_cfg_t *auth;
-	lifetime_cfg_t lifetime = {
-		.time = {
-			.life = create_rekey(esp_rekey) + 300,
-			.rekey = create_rekey(esp_rekey),
-			.jitter = 300
-		}
-	};
-
-	/* defaults */
-	name = "unnamed";
-	local_id = NULL;
-	remote_id = NULL;
-	local_addr = "0.0.0.0";
-	remote_addr = "0.0.0.0";
-	local_net = NULL;
-	remote_net = NULL;
-	ike_proposal = NULL;
-	esp_proposal = NULL;
-	ike_rekey = NULL;
-	esp_rekey = NULL;
-
-	if (this->inner->enumerate(this->inner, &name, &local_id, &remote_id,
-			&local_addr, &remote_addr, &local_net, &remote_net,
-			&ike_proposal, &esp_proposal, &ike_rekey, &esp_rekey))
-	{
-		DESTROY_IF(this->peer_cfg);
-		ike_cfg = ike_cfg_create(FALSE, FALSE, local_addr, remote_addr);
-		ike_cfg->add_proposal(ike_cfg, create_proposal(ike_proposal, PROTO_IKE));
-		this->peer_cfg = peer_cfg_create(
-					name, 2, ike_cfg, CERT_SEND_IF_ASKED, UNIQUE_NO,
-					1, create_rekey(ike_rekey), 0,  /* keytries, rekey, reauth */
-					1800, 900,						/* jitter, overtime */
-					TRUE, 60, 						/* mobike, dpddelay */
-					NULL, NULL, 					/* vip, pool */
-					FALSE, NULL, NULL); 			/* mediation, med by, peer id */
-		auth = auth_cfg_create();
-		auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PSK);
-		auth->add(auth, AUTH_RULE_IDENTITY,
-				  identification_create_from_string(local_id));
-		this->peer_cfg->add_auth_cfg(this->peer_cfg, auth, TRUE);
-
-		auth = auth_cfg_create();
-		auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PSK);
-		if (remote_id)
-		{
-			auth->add(auth, AUTH_RULE_IDENTITY,
-					  identification_create_from_string(remote_id));
-		}
-		this->peer_cfg->add_auth_cfg(this->peer_cfg, auth, FALSE);
-
-		child_cfg = child_cfg_create(name, &lifetime, NULL, TRUE, MODE_TUNNEL,
-									 ACTION_NONE, ACTION_NONE, FALSE, 0);
-		child_cfg->add_proposal(child_cfg, create_proposal(esp_proposal, PROTO_ESP));
-		child_cfg->add_traffic_selector(child_cfg, TRUE, create_ts(local_net));
-		child_cfg->add_traffic_selector(child_cfg, FALSE, create_ts(remote_net));
-		this->peer_cfg->add_child_cfg(this->peer_cfg, child_cfg);
-		*cfg = this->peer_cfg;
-		return TRUE;
-	}
-	return FALSE;
-}
-
-/**
- * Implementation of peer_enumerator_t.public.destroy
- */
-static void peer_enumerator_destroy(peer_enumerator_t *this)
-{
-	DESTROY_IF(this->peer_cfg);
-	this->inner->destroy(this->inner);
-	free(this);
-}
-
-/**
- * Implementation of backend_t.create_peer_cfg_enumerator.
- */
-static enumerator_t* create_peer_cfg_enumerator(private_uci_config_t *this,
-												identification_t *me,
-												identification_t *other)
-{
-	peer_enumerator_t *e = malloc_thing(peer_enumerator_t);
-
-	e->public.enumerate = (void*)peer_enumerator_enumerate;
-	e->public.destroy = (void*)peer_enumerator_destroy;
-	e->peer_cfg = NULL;
-	e->inner = this->parser->create_section_enumerator(this->parser,
-					"local_id", "remote_id", "local_addr", "remote_addr",
-					"local_net", "remote_net", "ike_proposal", "esp_proposal",
-					"ike_rekey", "esp_rekey", NULL);
-	if (!e->inner)
-	{
-		free(e);
-		return NULL;
-	}
-	return &e->public;
-}
-
-/**
- * enumerator implementation for create_ike_cfg_enumerator
- */
-typedef struct {
-	/** implements enumerator */
-	enumerator_t public;
-	/** currently enumerated ike config */
-	ike_cfg_t *ike_cfg;
-	/** inner uci_parser section enumerator */
-	enumerator_t *inner;
-} ike_enumerator_t;
-
-/**
- * Implementation of peer_enumerator_t.public.enumerate
- */
-static bool ike_enumerator_enumerate(ike_enumerator_t *this, ike_cfg_t **cfg)
-{
-	char *local_addr, *remote_addr, *ike_proposal;
-
-	/* defaults */
-	local_addr = "0.0.0.0";
-	remote_addr = "0.0.0.0";
-	ike_proposal = NULL;
-
-	if (this->inner->enumerate(this->inner, NULL,
-							   &local_addr, &remote_addr, &ike_proposal))
-	{
-		DESTROY_IF(this->ike_cfg);
-		this->ike_cfg = ike_cfg_create(FALSE, FALSE, local_addr, remote_addr);
-		this->ike_cfg->add_proposal(this->ike_cfg,
-									create_proposal(ike_proposal, PROTO_IKE));
-
-		*cfg = this->ike_cfg;
-		return TRUE;
-	}
-	return FALSE;
-}
-
-/**
- * Implementation of ike_enumerator_t.public.destroy
- */
-static void ike_enumerator_destroy(ike_enumerator_t *this)
-{
-	DESTROY_IF(this->ike_cfg);
-	this->inner->destroy(this->inner);
-	free(this);
-}
-
-/**
- * Implementation of backend_t.create_ike_cfg_enumerator.
- */
-static enumerator_t* create_ike_cfg_enumerator(private_uci_config_t *this,
-											   host_t *me, host_t *other)
-{
-	ike_enumerator_t *e = malloc_thing(ike_enumerator_t);
-
-	e->public.enumerate = (void*)ike_enumerator_enumerate;
-	e->public.destroy = (void*)ike_enumerator_destroy;
-	e->ike_cfg = NULL;
-	e->inner = this->parser->create_section_enumerator(this->parser,
-							"local_addr", "remote_addr", "ike_proposal", NULL);
-	if (!e->inner)
-	{
-		free(e);
-		return NULL;
-	}
-	return &e->public;
-}
-
-/**
- * implements backend_t.get_peer_cfg_by_name.
- */
-static peer_cfg_t *get_peer_cfg_by_name(private_uci_config_t *this, char *name)
-{
-	enumerator_t *enumerator;
-	peer_cfg_t *current, *found = NULL;
-
-	enumerator = create_peer_cfg_enumerator(this, NULL, NULL);
-	if (enumerator)
-	{
-		while (enumerator->enumerate(enumerator, &current))
-		{
-			if (streq(name, current->get_name(current)))
-			{
-				found = current->get_ref(current);
-				break;
-			}
-		}
-		enumerator->destroy(enumerator);
-	}
-	return found;
-}
-
-/**
- * Implementation of uci_config_t.destroy.
- */
-static void destroy(private_uci_config_t *this)
-{
-	free(this);
-}
-
-/**
- * Described in header.
- */
-uci_config_t *uci_config_create(uci_parser_t *parser)
-{
-	private_uci_config_t *this = malloc_thing(private_uci_config_t);
-
-	this->public.backend.create_peer_cfg_enumerator = (enumerator_t*(*)(backend_t*, identification_t *me, identification_t *other))create_peer_cfg_enumerator;
-	this->public.backend.create_ike_cfg_enumerator = (enumerator_t*(*)(backend_t*, host_t *me, host_t *other))create_ike_cfg_enumerator;
-	this->public.backend.get_peer_cfg_by_name = (peer_cfg_t* (*)(backend_t*,char*))get_peer_cfg_by_name;
-	this->public.destroy = (void(*)(uci_config_t*))destroy;
-	this->parser = parser;
-
-	return &this->public;
-}
-
diff --git a/src/charon/plugins/uci/uci_config.h b/src/charon/plugins/uci/uci_config.h
deleted file mode 100644
index 130f15d85..000000000
--- a/src/charon/plugins/uci/uci_config.h
+++ /dev/null
@@ -1,55 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Copyright (C) 2008 Thomas Kallenberg
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup uci_config_t uci_config
- * @{ @ingroup uci
- */
-
-#ifndef UCI_CONFIG_H_
-#define UCI_CONFIG_H_
-
-#include "uci_parser.h"
-
-#include <config/backend.h>
-
-typedef struct uci_config_t uci_config_t;
-
-/**
- * OpenWRT UCI configuration backend.
- */
-struct uci_config_t {
-
-	/**
-	 * Implements backend_t interface
-	 */
-	backend_t backend;
-
-	/**
-	 * Destroy the backend.
-	 */
-	void (*destroy)(uci_config_t *this);
-};
-
-/**
- * Create a UCI based configuration backend.
- *
- * @param parser	UCI parser to use
- * @return			configuration backend
- */
-uci_config_t *uci_config_create(uci_parser_t *parser);
-
-#endif /** UCI_CONFIG_H_ @}*/
diff --git a/src/charon/plugins/uci/uci_control.c b/src/charon/plugins/uci/uci_control.c
deleted file mode 100644
index 3c4928be4..000000000
--- a/src/charon/plugins/uci/uci_control.c
+++ /dev/null
@@ -1,301 +0,0 @@
-/*
- * Copyright (C) 2008 Thomas Kallenberg
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#define _GNU_SOURCE
-#include <string.h>
-#include <stdio.h>
-#include <unistd.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <errno.h>
-
-#include "uci_control.h"
-
-#include <daemon.h>
-#include <threading/thread.h>
-#include <processing/jobs/callback_job.h>
-
-#define FIFO_FILE "/var/run/charon.fifo"
-
-
-typedef struct private_uci_control_t private_uci_control_t;
-
-/**
- * private data of uci_control_t
- */
-struct private_uci_control_t {
-
-	/**
-	 * Public part
-	 */
-	uci_control_t public;
-
-	/**
-	 * Job
-	 */
-	callback_job_t *job;
-};
-
-/**
- * write answer to fifo
- */
-static void write_fifo(private_uci_control_t *this, char *format, ...)
-{
-	va_list args;
-	FILE *out;
-
-	out = fopen(FIFO_FILE, "w");
-	if (out)
-	{
-		va_start(args, format);
-		vfprintf(out, format, args);
-		va_end(args);
-		fclose(out);
-	}
-	else
-	{
-		DBG1(DBG_CFG, "writing to UCI fifo failed: %s", strerror(errno));
-	}
-}
-
-/**
- * print IKE_SA status information
- */
-static void status(private_uci_control_t *this, char *name)
-{
-	enumerator_t *configs, *sas;
-	iterator_t *children;
-	ike_sa_t *ike_sa;
-	child_sa_t *child_sa;
-	peer_cfg_t *peer_cfg;
-	char buf[2048];
-	FILE *out = NULL;
-
-	configs = charon->backends->create_peer_cfg_enumerator(charon->backends,
-														NULL, NULL, NULL, NULL);
-	while (configs->enumerate(configs, &peer_cfg))
-	{
-		if (name && !streq(name, peer_cfg->get_name(peer_cfg)))
-		{
-			continue;
-		}
-		sas = charon->controller->create_ike_sa_enumerator(charon->controller);
-		while (sas->enumerate(sas, &ike_sa))
-		{
-			if (!streq(ike_sa->get_name(ike_sa), peer_cfg->get_name(peer_cfg)))
-			{
-				continue;
-			}
-			if (!out)
-			{
-				out = fmemopen(buf, sizeof(buf), "w");
-				if (!out)
-				{
-					continue;
-				}
-			}
-			fprintf(out, "%-8s %-20D %-16H ", ike_sa->get_name(ike_sa),
-				ike_sa->get_other_id(ike_sa), ike_sa->get_other_host(ike_sa));
-
-			children = ike_sa->create_child_sa_iterator(ike_sa);
-			while (children->iterate(children, (void**)&child_sa))
-			{
-				fprintf(out, "%#R",
-						child_sa->get_traffic_selectors(child_sa, FALSE));
-			}
-			children->destroy(children);
-			fprintf(out, "\n");
-		}
-		sas->destroy(sas);
-	}
-	configs->destroy(configs);
-	if (out)
-	{
-		fclose(out);
-		write_fifo(this, "%s", buf);
-	}
-	else
-	{
-		write_fifo(this, "");
-	}
-}
-
-/**
- * Initiate an IKE_SA
- */
-static void initiate(private_uci_control_t *this, char *name)
-{
-	peer_cfg_t *peer_cfg;
-	child_cfg_t *child_cfg;
-	enumerator_t *enumerator;
-
-	peer_cfg = charon->backends->get_peer_cfg_by_name(charon->backends, name);
-	if (peer_cfg)
-	{
-		enumerator = peer_cfg->create_child_cfg_enumerator(peer_cfg);
-		if (enumerator->enumerate(enumerator, &child_cfg) &&
-			charon->controller->initiate(charon->controller, peer_cfg,
-										 child_cfg->get_ref(child_cfg),
-										 controller_cb_empty, NULL) == SUCCESS)
-		{
-			write_fifo(this, "connection '%s' established\n", name);
-		}
-		else
-		{
-			write_fifo(this, "establishing connection '%s' failed\n", name);
-		}
-		enumerator->destroy(enumerator);
-	}
-	else
-	{
-		write_fifo(this, "no connection named '%s' found\n", name);
-	}
-}
-
-/**
- * terminate an IKE_SA
- */
-static void terminate(private_uci_control_t *this, char *name)
-{
-	enumerator_t *enumerator;
-	ike_sa_t *ike_sa;
-	u_int id;
-
-	enumerator = charon->controller->create_ike_sa_enumerator(charon->controller);
-	while (enumerator->enumerate(enumerator, &ike_sa))
-	{
-		if (streq(name, ike_sa->get_name(ike_sa)))
-		{
-			id = ike_sa->get_unique_id(ike_sa);
-			enumerator->destroy(enumerator);
-			charon->controller->terminate_ike(charon->controller, id,
-											  controller_cb_empty, NULL);
-			write_fifo(this, "connection '%s' terminated\n", name);
-			return;
-		}
-	}
-	enumerator->destroy(enumerator);
-	write_fifo(this, "no active connection named '%s'\n", name);
-}
-
-/**
- * dispatch control request
- */
-static void process(private_uci_control_t *this, char *message)
-{
-	enumerator_t* enumerator;
-
-	enumerator = enumerator_create_token(message, " \n", "");
-	if (enumerator->enumerate(enumerator, &message))
-	{
-		if (streq(message, "status"))
-		{
-			if (enumerator->enumerate(enumerator, &message))
-			{
-				status(this, message);
-			}
-			else
-			{
-				status(this, NULL);
-			}
-		}
-		else if (streq(message, "up") &&
-				 enumerator->enumerate(enumerator, &message))
-		{
-			initiate(this, message);
-		}
-		else if (streq(message, "down") &&
-				 enumerator->enumerate(enumerator, &message))
-		{
-			terminate(this, message);
-		}
-		else
-		{
-			write_fifo(this, "usage: status [<name>] | up <name> | down <name>\n"
-					   "  status format: name peer-id peer-addr tunnel(s)\n");
-		}
-	}
-	enumerator->destroy(enumerator);
-}
-
-/**
- * read from fifo
- */
-static job_requeue_t receive(private_uci_control_t *this)
-{
-	char message[128];
-	int len;
-	bool oldstate;
-	FILE *in;
-
-	memset(message, 0, sizeof(message));
-	oldstate = thread_cancelability(TRUE);
-	in = fopen(FIFO_FILE, "r");
-	thread_cancelability(oldstate);
-	if (in)
-	{
-		len = fread(message, 1, sizeof(message) - 1, in);
-		fclose(in);
-		if (len > 0)
-		{
-			process(this, message);
-		}
-		else
-		{
-			DBG1(DBG_DMN, "reading from UCI fifo failed: %s", strerror(errno));
-		}
-	}
-	else
-	{
-		DBG1(DBG_DMN, "opening UCI fifo failed: %s", strerror(errno));
-	}
-	return JOB_REQUEUE_FAIR;
-}
-
-/**
- * Implementation of uci_control_t.destroy
- */
-static void destroy(private_uci_control_t *this)
-{
-	this->job->cancel(this->job);
-	unlink(FIFO_FILE);
-	free(this);
-}
-
-/**
- * Described in header.
- */
-uci_control_t *uci_control_create()
-{
-	private_uci_control_t *this = malloc_thing(private_uci_control_t);
-
-	this->public.destroy = (void(*)(uci_control_t*))destroy;
-
-	unlink(FIFO_FILE);
-	if (mkfifo(FIFO_FILE, S_IRUSR|S_IWUSR) != 0)
-	{
-		DBG1(DBG_CFG, "creating UCI control fifo '%s' failed: %s",
-			 FIFO_FILE, strerror(errno));
-	}
-	else
-	{
-		this->job = callback_job_create((callback_job_cb_t)receive,
-										this, NULL, NULL);
-		charon->processor->queue_job(charon->processor, (job_t*)this->job);
-	}
-	return &this->public;
-}
-
diff --git a/src/charon/plugins/uci/uci_control.h b/src/charon/plugins/uci/uci_control.h
deleted file mode 100644
index 794220aa1..000000000
--- a/src/charon/plugins/uci/uci_control.h
+++ /dev/null
@@ -1,42 +0,0 @@
-/*
- * Copyright (C) 2008 Thomas Kallenberg
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup uci_control_t uci_control
- * @{ @ingroup uci
- */
-
-#ifndef UCI_CONTROL_H_
-#define UCI_CONTROL_H_
-
-typedef struct uci_control_t uci_control_t;
-
-/**
- * UCI control interface, uses a simple FIFO file
- */
-struct uci_control_t {
-
-	/**
-	 * Destroy the controller
-	 */
-	void (*destroy)(uci_control_t *this);
-};
-
-/**
- * Create a UCI based configuration backend.
- */
-uci_control_t *uci_control_create();
-
-#endif /** UCI_CONTROL_H_ @}*/
diff --git a/src/charon/plugins/uci/uci_creds.c b/src/charon/plugins/uci/uci_creds.c
deleted file mode 100644
index 4d664feb2..000000000
--- a/src/charon/plugins/uci/uci_creds.c
+++ /dev/null
@@ -1,174 +0,0 @@
-/*
- * Copyright (C) 2008 Thomas Kallenberg
- * Copyright (C) 2008 Martin Willi
- * Copyright (C) 2008 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "uci_creds.h"
-
-#include <daemon.h>
-#include <credentials/keys/shared_key.h>
-#include <utils/identification.h>
-
-typedef struct private_uci_creds_t private_uci_creds_t;
-
-/**
- * Private data of an uci_creds_t object
- */
-struct private_uci_creds_t {
-	/**
-	 * Public part
-	 */
-	uci_creds_t public;
-
-	/**
-	 * UCI parser context
-	 */
-	uci_parser_t *parser;
-};
-
-typedef struct {
-	/** implements enumerator */
-	enumerator_t public;
-	/** inneer UCI enumerator */
-	enumerator_t *inner;
-	/** currently enumerated shared shared */
-	shared_key_t *current;
-	/** local ID to match */
-	identification_t *me;
-	/** remote ID to match */
-	identification_t *other;
-} shared_enumerator_t;
-
-/**
- * Implementation of shared_enumerator_t.public.enumerate
- */
-static bool shared_enumerator_enumerate(shared_enumerator_t *this,
-						shared_key_t **key, id_match_t *me, id_match_t *other)
-{
-	char *local_id, *remote_id, *psk;
-	identification_t *local, *remote;
-
-	while (TRUE)
-	{
-		/* defaults */
-		local_id = "%any";
-		remote_id = "%any";
-		psk = NULL;
-
-		if (!this->inner->enumerate(this->inner, NULL,
-									&local_id, &remote_id, &psk))
-		{
-			return FALSE;
-		}
-		if (psk == NULL)
-		{
-			continue;
-		}
-		if (me)
-		{
-			local = identification_create_from_string(local_id);
-			*me = this->me ? this->me->matches(this->me, local)
-						   : ID_MATCH_ANY;
-			local->destroy(local);
-			if (!*me)
-			{
-				continue;
-			}
-		}
-		if (other)
-		{
-			remote = identification_create_from_string(remote_id);
-			*other = this->other ? this->other->matches(this->other, remote)
-								 : ID_MATCH_ANY;
-			remote->destroy(remote);
-			if (!*other)
-			{
-				continue;
-			}
-		}
-		break;
-	}
-	DESTROY_IF(this->current);
-	this->current = shared_key_create(SHARED_IKE,
-								chunk_clone(chunk_create(psk, strlen(psk))));
-	*key = this->current;
-	return TRUE;
-}
-
-/**
- * Implementation of shared_enumerator_t.public.destroy
- */
-static void shared_enumerator_destroy(shared_enumerator_t *this)
-{
-	this->inner->destroy(this->inner);
-	DESTROY_IF(this->current);
-	free(this);
-}
-
-/**
- * Implementation of backend_t.create_shared_cfg_enumerator.
- */
-static enumerator_t* create_shared_enumerator(private_uci_creds_t *this,
-											  shared_key_type_t type,
-											  identification_t *me,
-											  identification_t *other)
-{
-	shared_enumerator_t *e;
-
-	if (type != SHARED_IKE)
-	{
-		return NULL;
-	}
-
-	e = malloc_thing(shared_enumerator_t);
-	e->current = NULL;
-	e->public.enumerate = (void*)shared_enumerator_enumerate;
-	e->public.destroy = (void*)shared_enumerator_destroy;
-	e->me = me;
-	e->other = other;
-	e->inner = this->parser->create_section_enumerator(this->parser,
-								"local_id", "remote_id", "psk", NULL);
-	if (!e->inner)
-	{
-		free(e);
-		return NULL;
-	}
-	return &e->public;
-}
-
-/**
- * Implementation of uci_creds_t.destroy
- */
-static void destroy(private_uci_creds_t *this)
-{
-	free(this);
-}
-
-uci_creds_t *uci_creds_create(uci_parser_t *parser)
-{
-	private_uci_creds_t *this = malloc_thing(private_uci_creds_t);
-
-	this->public.credential_set.create_shared_enumerator = (enumerator_t*(*)(credential_set_t*, shared_key_type_t, identification_t*, identification_t*))create_shared_enumerator;
-	this->public.credential_set.create_private_enumerator = (enumerator_t*(*) (credential_set_t*, key_type_t, identification_t*))return_null;
-	this->public.credential_set.create_cert_enumerator = (enumerator_t*(*) (credential_set_t*,	certificate_type_t, key_type_t,identification_t *, bool))return_null;
-	this->public.credential_set.create_cdp_enumerator  = (enumerator_t*(*) (credential_set_t *,certificate_type_t, identification_t *))return_null;
-	this->public.credential_set.cache_cert = (void (*)(credential_set_t *, certificate_t *))nop;
-	this->public.destroy = (void(*) (uci_creds_t*))destroy;
-
-	this->parser = parser;
-
-	return &this->public;
-}
-
diff --git a/src/charon/plugins/uci/uci_creds.h b/src/charon/plugins/uci/uci_creds.h
deleted file mode 100644
index a283ed9f5..000000000
--- a/src/charon/plugins/uci/uci_creds.h
+++ /dev/null
@@ -1,55 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Copyright (C) 2008 Thomas Kallenberg
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup uci_creds_t uci_creds
- * @{ @ingroup uci
- */
-
-#ifndef UCI_CREDS_H_
-#define UCI_CREDS_H_
-
-#include "uci_parser.h"
-
-#include <credentials/credential_set.h>
-
-typedef struct uci_creds_t uci_creds_t;
-
-/**
- * OpenWRT UCI credential set implementation.
- */
-struct uci_creds_t {
-
-	/**
-	 * Implements credential set interface.
-	 */
-	credential_set_t credential_set;
-
-	/**
-	 * Destroy the backend.
-	 */
-	void (*destroy)(uci_creds_t *this);
-};
-
-/**
- * Create a UCI based credential set.
- *
- * @param parser	UCI parser to use
- * @return			credential set
- */
-uci_creds_t *uci_creds_create(uci_parser_t *parser);
-
-#endif /** UCI_CREDS_H_ @}*/
diff --git a/src/charon/plugins/uci/uci_parser.c b/src/charon/plugins/uci/uci_parser.c
deleted file mode 100644
index 6de55d218..000000000
--- a/src/charon/plugins/uci/uci_parser.c
+++ /dev/null
@@ -1,186 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Copyright (C) 2008 Thomas Kallenberg
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "uci_parser.h"
-
-#include <stdarg.h>
-
-#include <library.h>
-#include <uci.h>
-
-typedef struct private_uci_parser_t private_uci_parser_t;
-
-/**
- * Private data of an uci_parser_t object
- */
-struct private_uci_parser_t {
-
-	/**
-	 * Public part
-	 */
-	uci_parser_t public;
-
-	/**
-	 * UCI package name this parser reads
-	 */
-	char *package;
-};
-
-/**
- * enumerator implementation create_section_enumerator
- */
-typedef struct {
-	/** implements enumerator */
-	enumerator_t public;
-	/** currently enumerated uci section */
-	struct uci_element *current;
-	/** all uci ipsec config sections */
-	struct uci_list *list;
-	/** uci conntext */
-	struct uci_context *ctx;
-	/** ipsec uci package */
-	struct uci_package *package;
-	/** NULL terminated list of keywords */
-	char *keywords[];
-} section_enumerator_t;
-
-/**
- * Implementation of section_enumerator_t.enumerate
- */
-static bool section_enumerator_enumerate(section_enumerator_t *this, ...)
-{
-	struct uci_element *element;
-	char **value;
-	va_list args;
-	int i;
-
-	if (&this->current->list == this->list)
-	{
-		return FALSE;
-	}
-
-	va_start(args, this);
-
-	value = va_arg(args, char**);
-	if (value)
-	{
-		if (uci_lookup(this->ctx, &element, this->package,
-					   this->current->name, "name") == UCI_OK)
-		{	/* use "name" attribute as config name if available ... */
-			*value = uci_to_option(element)->value;
-		}
-		else
-		{	/* ... or the section name becomes config name */
-			*value = uci_to_section(this->current)->type;
-		}
-	}
-
-	/* followed by keyword parameters */
-	for (i = 0; this->keywords[i]; i++)
-	{
-		value = va_arg(args, char**);
-		if (value && uci_lookup(this->ctx, &element, this->package,
-						  this->current->name, this->keywords[i]) == UCI_OK)
-		{
-			*value = uci_to_option(element)->value;
-		}
-	}
-	va_end(args);
-
-	this->current = list_to_element(this->current->list.next);
-	return TRUE;
-}
-
-/**
- * Implementation of section_enumerator_t.public.destroy
- */
-static void section_enumerator_destroy(section_enumerator_t *this)
-{
-	uci_free_context(this->ctx);
-	free(this);
-}
-
-/**
- * Implementation of backend_t.create_section_enumerator.
- */
-static enumerator_t* create_section_enumerator(private_uci_parser_t *this, ...)
-{
-	section_enumerator_t *e;
-	va_list args;
-	int i;
-
-	/* allocate enumerator large enought to hold keyword pointers */
-	i = 1;
-	va_start(args, this);
-	while (va_arg(args, char*))
-	{
-		i++;
-	}
-	va_end(args);
-	e = malloc(sizeof(section_enumerator_t) + sizeof(char*) * i);
-	i = 0;
-	va_start(args, this);
-	do
-	{
-		e->keywords[i] = va_arg(args, char*);
-	}
-	while (e->keywords[i++]);
-	va_end(args);
-
-	e->public.enumerate = (void*)section_enumerator_enumerate;
-	e->public.destroy = (void*)section_enumerator_destroy;
-
-	/* load uci context */
-	e->ctx = uci_alloc_context();
-	if (uci_load(e->ctx, this->package, &e->package) != UCI_OK)
-	{
-		section_enumerator_destroy(e);
-		return NULL;
-	}
-	e->list = &e->package->sections;
-	e->current = list_to_element(e->list->next);
-	if (e->current->type != UCI_TYPE_SECTION)
-	{
-		section_enumerator_destroy(e);
-		return NULL;
-	}
-	return &e->public;
-}
-
-/**
- * Implementation of uci_parser_t.destroy.
- */
-static void destroy(private_uci_parser_t *this)
-{
-	free(this->package);
-	free(this);
-}
-
-/**
- * Described in header.
- */
-uci_parser_t *uci_parser_create(char *package)
-{
-	private_uci_parser_t *this = malloc_thing(private_uci_parser_t);
-
-	this->public.create_section_enumerator = (enumerator_t*(*)(uci_parser_t*, ...))create_section_enumerator;
-	this->public.destroy = (void(*)(uci_parser_t*))destroy;
-
-	this->package = strdup(package);
-
-	return &this->public;
-}
-
diff --git a/src/charon/plugins/uci/uci_parser.h b/src/charon/plugins/uci/uci_parser.h
deleted file mode 100644
index 7217e507a..000000000
--- a/src/charon/plugins/uci/uci_parser.h
+++ /dev/null
@@ -1,59 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Copyright (C) 2008 Thomas Kallenberg
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup uci_parser_t uci_parser
- * @{ @ingroup uci
- */
-
-#ifndef UCI_PARSER_H_
-#define UCI_PARSER_H_
-
-#include <utils/enumerator.h>
-
-typedef struct uci_parser_t uci_parser_t;
-
-/**
- * Wrapper to parse UCI sections with an enumerator.
- */
-struct uci_parser_t {
-
-	/**
-	 * Create an enumerator over a section.
-	 *
-	 * The enumerator returns a section name followed by values for the keywords
-	 * specified in the variable argument list of this function.
-	 *
-	 * @param ...		variable argument list with keywords, NULL terminated
-	 * @return			enumerator over sections
-	 */
-	enumerator_t* (*create_section_enumerator)(uci_parser_t *this, ...);
-
-	/**
-	 * Destroy the parser.
-	 */
-	void (*destroy)(uci_parser_t *this);
-};
-
-/**
- * Create a UCI parser.
- *
- * @param package	UCI package this parser should read
- * @return			parser context
- */
-uci_parser_t *uci_parser_create(char *package);
-
-#endif /** UCI_PARSER_H_ @}*/
diff --git a/src/charon/plugins/uci/uci_plugin.c b/src/charon/plugins/uci/uci_plugin.c
deleted file mode 100644
index 2a79b9109..000000000
--- a/src/charon/plugins/uci/uci_plugin.c
+++ /dev/null
@@ -1,93 +0,0 @@
-/*
- * Copyright (C) 2008 Thomas Kallenberg
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "uci_plugin.h"
-#include "uci_config.h"
-#include "uci_creds.h"
-#include "uci_control.h"
-
-#include <daemon.h>
-
-/**
- * UCI package name to use for lookups
- */
-#define UCI_PACKAGE "strongswan"
-
-typedef struct private_uci_plugin_t private_uci_plugin_t;
-
-/**
- * private data of uci plugin
- */
-struct private_uci_plugin_t {
-
-	/**
-	 * implements plugin interface
-	 */
-	uci_plugin_t public;
-
-	/**
-	 * UCI configuration backend
-	 */
-	uci_config_t *config;
-
-	/**
-	 * UCI credential set implementation
-	 */
-	uci_creds_t *creds;
-
-	/**
-	 * UCI parser wrapper
-	 */
-	uci_parser_t *parser;
-
-	/**
-	 * UCI control interface
-	 */
-	uci_control_t *control;
-};
-
-/**
- * Implementation of plugin_t.destroy
- */
-static void destroy(private_uci_plugin_t *this)
-{
-	charon->backends->remove_backend(charon->backends, &this->config->backend);
-	charon->credentials->remove_set(charon->credentials, &this->creds->credential_set);
-	this->config->destroy(this->config);
-	this->creds->destroy(this->creds);
-	this->parser->destroy(this->parser);
-	this->control->destroy(this->control);
-	free(this);
-}
-
-/*
- * see header file
- */
-plugin_t *plugin_create()
-{
-	private_uci_plugin_t *this = malloc_thing(private_uci_plugin_t);
-
-	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-
-	this->parser = uci_parser_create(UCI_PACKAGE);
-	this->config = uci_config_create(this->parser);
-	this->creds = uci_creds_create(this->parser);
-	this->control = uci_control_create();
-	charon->backends->add_backend(charon->backends, &this->config->backend);
-	charon->credentials->add_set(charon->credentials, &this->creds->credential_set);
-
-	return &this->public.plugin;
-}
-
diff --git a/src/charon/plugins/uci/uci_plugin.h b/src/charon/plugins/uci/uci_plugin.h
deleted file mode 100644
index e7743227c..000000000
--- a/src/charon/plugins/uci/uci_plugin.h
+++ /dev/null
@@ -1,48 +0,0 @@
-/*
- * Copyright (C) 2008 Thomas Kallenberg
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup uci uci
- * @ingroup cplugins
- *
- * @defgroup uci_plugin uci_plugin
- * @{ @ingroup uci
- */
-
-#ifndef UCI_PLUGIN_H_
-#define UCI_PLUGIN_H_
-
-#include <plugins/plugin.h>
-
-typedef struct uci_plugin_t uci_plugin_t;
-
-/**
- * OpenWRT UCI (Unified Configuration Interface) configuration plugin.
- */
-struct uci_plugin_t {
-
-	/**
-	 * implements plugin interface
-	 */
-	plugin_t plugin;
-};
-
-/**
- * Create a uci_plugin instance.
- */
-plugin_t *plugin_create();
-
-#endif /** UCI_PLUGIN_H_ @}*/
diff --git a/src/charon/plugins/unit_tester/Makefile.am b/src/charon/plugins/unit_tester/Makefile.am
deleted file mode 100644
index 64846f995..000000000
--- a/src/charon/plugins/unit_tester/Makefile.am
+++ /dev/null
@@ -1,24 +0,0 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
-
-AM_CFLAGS = -rdynamic
-
-plugin_LTLIBRARIES = libstrongswan-unit-tester.la
-
-libstrongswan_unit_tester_la_SOURCES = unit_tester.c unit_tester.h tests.h \
-  tests/test_enumerator.c \
-  tests/test_auth_info.c \
-  tests/test_curl.c \
-  tests/test_mysql.c \
-  tests/test_sqlite.c \
-  tests/test_mutex.c \
-  tests/test_rsa_gen.c \
-  tests/test_cert.c \
-  tests/test_med_db.c \
-  tests/test_chunk.c \
-  tests/test_pool.c \
-  tests/test_agent.c \
-  tests/test_id.c
-
-libstrongswan_unit_tester_la_LDFLAGS = -module -avoid-version
-
diff --git a/src/charon/plugins/unit_tester/Makefile.in b/src/charon/plugins/unit_tester/Makefile.in
deleted file mode 100644
index 9926c43e8..000000000
--- a/src/charon/plugins/unit_tester/Makefile.in
+++ /dev/null
@@ -1,690 +0,0 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
-# @configure_input@
-
-# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
-# This Makefile.in is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
-# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
-# PARTICULAR PURPOSE.
-
-@SET_MAKE@
-
-VPATH = @srcdir@
-pkgdatadir = $(datadir)/@PACKAGE@
-pkgincludedir = $(includedir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
-pkglibexecdir = $(libexecdir)/@PACKAGE@
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-install_sh_DATA = $(install_sh) -c -m 644
-install_sh_PROGRAM = $(install_sh) -c
-install_sh_SCRIPT = $(install_sh) -c
-INSTALL_HEADER = $(INSTALL_DATA)
-transform = $(program_transform_name)
-NORMAL_INSTALL = :
-PRE_INSTALL = :
-POST_INSTALL = :
-NORMAL_UNINSTALL = :
-PRE_UNINSTALL = :
-POST_UNINSTALL = :
-build_triplet = @build@
-host_triplet = @host@
-subdir = src/charon/plugins/unit_tester
-DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
-ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
-	$(top_srcdir)/m4/config/ltoptions.m4 \
-	$(top_srcdir)/m4/config/ltsugar.m4 \
-	$(top_srcdir)/m4/config/ltversion.m4 \
-	$(top_srcdir)/m4/config/lt~obsolete.m4 \
-	$(top_srcdir)/m4/macros/with.m4 \
-	$(top_srcdir)/m4/macros/enable-disable.m4 \
-	$(top_srcdir)/configure.in
-am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
-	$(ACLOCAL_M4)
-mkinstalldirs = $(install_sh) -d
-CONFIG_CLEAN_FILES =
-CONFIG_CLEAN_VPATH_FILES =
-am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
-am__vpath_adj = case $$p in \
-    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
-    *) f=$$p;; \
-  esac;
-am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
-am__install_max = 40
-am__nobase_strip_setup = \
-  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
-am__nobase_strip = \
-  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
-am__nobase_list = $(am__nobase_strip_setup); \
-  for p in $$list; do echo "$$p $$p"; done | \
-  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
-  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
-    if (++n[$$2] == $(am__install_max)) \
-      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
-    END { for (dir in files) print dir, files[dir] }'
-am__base_list = \
-  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
-  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
-am__installdirs = "$(DESTDIR)$(plugindir)"
-LTLIBRARIES = $(plugin_LTLIBRARIES)
-libstrongswan_unit_tester_la_LIBADD =
-am_libstrongswan_unit_tester_la_OBJECTS = unit_tester.lo \
-	test_enumerator.lo test_auth_info.lo test_curl.lo \
-	test_mysql.lo test_sqlite.lo test_mutex.lo test_rsa_gen.lo \
-	test_cert.lo test_med_db.lo test_chunk.lo test_pool.lo \
-	test_agent.lo test_id.lo
-libstrongswan_unit_tester_la_OBJECTS =  \
-	$(am_libstrongswan_unit_tester_la_OBJECTS)
-libstrongswan_unit_tester_la_LINK = $(LIBTOOL) --tag=CC \
-	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
-	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_unit_tester_la_LDFLAGS) \
-	$(LDFLAGS) -o $@
-DEFAULT_INCLUDES = -I.@am__isrc@
-depcomp = $(SHELL) $(top_srcdir)/depcomp
-am__depfiles_maybe = depfiles
-am__mv = mv -f
-COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
-	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
-SOURCES = $(libstrongswan_unit_tester_la_SOURCES)
-DIST_SOURCES = $(libstrongswan_unit_tester_la_SOURCES)
-ETAGS = etags
-CTAGS = ctags
-DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
-ACLOCAL = @ACLOCAL@
-ALLOCA = @ALLOCA@
-AMTAR = @AMTAR@
-AR = @AR@
-AUTOCONF = @AUTOCONF@
-AUTOHEADER = @AUTOHEADER@
-AUTOMAKE = @AUTOMAKE@
-AWK = @AWK@
-BTLIB = @BTLIB@
-CC = @CC@
-CCDEPMODE = @CCDEPMODE@
-CFLAGS = @CFLAGS@
-CPP = @CPP@
-CPPFLAGS = @CPPFLAGS@
-CYGPATH_W = @CYGPATH_W@
-DEFS = @DEFS@
-DEPDIR = @DEPDIR@
-DLLIB = @DLLIB@
-DSYMUTIL = @DSYMUTIL@
-DUMPBIN = @DUMPBIN@
-ECHO_C = @ECHO_C@
-ECHO_N = @ECHO_N@
-ECHO_T = @ECHO_T@
-EGREP = @EGREP@
-EXEEXT = @EXEEXT@
-FGREP = @FGREP@
-GPERF = @GPERF@
-GREP = @GREP@
-INSTALL = @INSTALL@
-INSTALL_DATA = @INSTALL_DATA@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@
-INSTALL_SCRIPT = @INSTALL_SCRIPT@
-INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-LD = @LD@
-LDFLAGS = @LDFLAGS@
-LEX = @LEX@
-LEXLIB = @LEXLIB@
-LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBOBJS = @LIBOBJS@
-LIBS = @LIBS@
-LIBTOOL = @LIBTOOL@
-LIPO = @LIPO@
-LN_S = @LN_S@
-LTLIBOBJS = @LTLIBOBJS@
-MAKEINFO = @MAKEINFO@
-MKDIR_P = @MKDIR_P@
-MYSQLCFLAG = @MYSQLCFLAG@
-MYSQLCONFIG = @MYSQLCONFIG@
-MYSQLLIB = @MYSQLLIB@
-NM = @NM@
-NMEDIT = @NMEDIT@
-OBJDUMP = @OBJDUMP@
-OBJEXT = @OBJEXT@
-OTOOL = @OTOOL@
-OTOOL64 = @OTOOL64@
-PACKAGE = @PACKAGE@
-PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
-PACKAGE_NAME = @PACKAGE_NAME@
-PACKAGE_STRING = @PACKAGE_STRING@
-PACKAGE_TARNAME = @PACKAGE_TARNAME@
-PACKAGE_URL = @PACKAGE_URL@
-PACKAGE_VERSION = @PACKAGE_VERSION@
-PATH_SEPARATOR = @PATH_SEPARATOR@
-PERL = @PERL@
-PKG_CONFIG = @PKG_CONFIG@
-PTHREADLIB = @PTHREADLIB@
-RANLIB = @RANLIB@
-RTLIB = @RTLIB@
-RUBY = @RUBY@
-RUBYINCLUDE = @RUBYINCLUDE@
-SED = @SED@
-SET_MAKE = @SET_MAKE@
-SHELL = @SHELL@
-SOCKLIB = @SOCKLIB@
-STRIP = @STRIP@
-VERSION = @VERSION@
-YACC = @YACC@
-YFLAGS = @YFLAGS@
-abs_builddir = @abs_builddir@
-abs_srcdir = @abs_srcdir@
-abs_top_builddir = @abs_top_builddir@
-abs_top_srcdir = @abs_top_srcdir@
-ac_ct_CC = @ac_ct_CC@
-ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
-am__include = @am__include@
-am__leading_dot = @am__leading_dot@
-am__quote = @am__quote@
-am__tar = @am__tar@
-am__untar = @am__untar@
-bindir = @bindir@
-build = @build@
-build_alias = @build_alias@
-build_cpu = @build_cpu@
-build_os = @build_os@
-build_vendor = @build_vendor@
-builddir = @builddir@
-datadir = @datadir@
-datarootdir = @datarootdir@
-default_pkcs11 = @default_pkcs11@
-docdir = @docdir@
-dvidir = @dvidir@
-exec_prefix = @exec_prefix@
-gtk_CFLAGS = @gtk_CFLAGS@
-gtk_LIBS = @gtk_LIBS@
-host = @host@
-host_alias = @host_alias@
-host_cpu = @host_cpu@
-host_os = @host_os@
-host_vendor = @host_vendor@
-htmldir = @htmldir@
-includedir = @includedir@
-infodir = @infodir@
-install_sh = @install_sh@
-ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
-ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
-ipsecuser = @ipsecuser@
-libdir = @libdir@
-libexecdir = @libexecdir@
-libstrongswan_plugins = @libstrongswan_plugins@
-linux_headers = @linux_headers@
-localedir = @localedir@
-localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
-mandir = @mandir@
-mkdir_p = @mkdir_p@
-nm_CFLAGS = @nm_CFLAGS@
-nm_LIBS = @nm_LIBS@
-nm_ca_dir = @nm_ca_dir@
-oldincludedir = @oldincludedir@
-pdfdir = @pdfdir@
-piddir = @piddir@
-plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
-prefix = @prefix@
-program_transform_name = @program_transform_name@
-psdir = @psdir@
-random_device = @random_device@
-resolv_conf = @resolv_conf@
-routing_table = @routing_table@
-routing_table_prio = @routing_table_prio@
-sbindir = @sbindir@
-sharedstatedir = @sharedstatedir@
-srcdir = @srcdir@
-strongswan_conf = @strongswan_conf@
-sysconfdir = @sysconfdir@
-target_alias = @target_alias@
-top_build_prefix = @top_build_prefix@
-top_builddir = @top_builddir@
-top_srcdir = @top_srcdir@
-urandom_device = @urandom_device@
-xml_CFLAGS = @xml_CFLAGS@
-xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
-AM_CFLAGS = -rdynamic
-plugin_LTLIBRARIES = libstrongswan-unit-tester.la
-libstrongswan_unit_tester_la_SOURCES = unit_tester.c unit_tester.h tests.h \
-  tests/test_enumerator.c \
-  tests/test_auth_info.c \
-  tests/test_curl.c \
-  tests/test_mysql.c \
-  tests/test_sqlite.c \
-  tests/test_mutex.c \
-  tests/test_rsa_gen.c \
-  tests/test_cert.c \
-  tests/test_med_db.c \
-  tests/test_chunk.c \
-  tests/test_pool.c \
-  tests/test_agent.c \
-  tests/test_id.c
-
-libstrongswan_unit_tester_la_LDFLAGS = -module -avoid-version
-all: all-am
-
-.SUFFIXES:
-.SUFFIXES: .c .lo .o .obj
-$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
-	@for dep in $?; do \
-	  case '$(am__configure_deps)' in \
-	    *$$dep*) \
-	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
-	        && { if test -f $@; then exit 0; else break; fi; }; \
-	      exit 1;; \
-	  esac; \
-	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/charon/plugins/unit_tester/Makefile'; \
-	$(am__cd) $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu src/charon/plugins/unit_tester/Makefile
-.PRECIOUS: Makefile
-Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
-	@case '$?' in \
-	  *config.status*) \
-	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
-	  *) \
-	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
-	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
-	esac;
-
-$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-
-$(top_srcdir)/configure:  $(am__configure_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(am__aclocal_m4_deps):
-install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
-	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
-	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
-	list2=; for p in $$list; do \
-	  if test -f $$p; then \
-	    list2="$$list2 $$p"; \
-	  else :; fi; \
-	done; \
-	test -z "$$list2" || { \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
-	}
-
-uninstall-pluginLTLIBRARIES:
-	@$(NORMAL_UNINSTALL)
-	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
-	for p in $$list; do \
-	  $(am__strip_dir) \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
-	done
-
-clean-pluginLTLIBRARIES:
-	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
-	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
-	  test "$$dir" != "$$p" || dir=.; \
-	  echo "rm -f \"$${dir}/so_locations\""; \
-	  rm -f "$${dir}/so_locations"; \
-	done
-libstrongswan-unit-tester.la: $(libstrongswan_unit_tester_la_OBJECTS) $(libstrongswan_unit_tester_la_DEPENDENCIES) 
-	$(libstrongswan_unit_tester_la_LINK) -rpath $(plugindir) $(libstrongswan_unit_tester_la_OBJECTS) $(libstrongswan_unit_tester_la_LIBADD) $(LIBS)
-
-mostlyclean-compile:
-	-rm -f *.$(OBJEXT)
-
-distclean-compile:
-	-rm -f *.tab.c
-
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_agent.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_auth_info.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_cert.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_chunk.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_curl.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_enumerator.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_id.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_med_db.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_mutex.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_mysql.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_pool.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_rsa_gen.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_sqlite.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/unit_tester.Plo@am__quote@
-
-.c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
-
-.c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
-
-.c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
-
-test_enumerator.lo: tests/test_enumerator.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_enumerator.lo -MD -MP -MF $(DEPDIR)/test_enumerator.Tpo -c -o test_enumerator.lo `test -f 'tests/test_enumerator.c' || echo '$(srcdir)/'`tests/test_enumerator.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/test_enumerator.Tpo $(DEPDIR)/test_enumerator.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tests/test_enumerator.c' object='test_enumerator.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_enumerator.lo `test -f 'tests/test_enumerator.c' || echo '$(srcdir)/'`tests/test_enumerator.c
-
-test_auth_info.lo: tests/test_auth_info.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_auth_info.lo -MD -MP -MF $(DEPDIR)/test_auth_info.Tpo -c -o test_auth_info.lo `test -f 'tests/test_auth_info.c' || echo '$(srcdir)/'`tests/test_auth_info.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/test_auth_info.Tpo $(DEPDIR)/test_auth_info.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tests/test_auth_info.c' object='test_auth_info.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_auth_info.lo `test -f 'tests/test_auth_info.c' || echo '$(srcdir)/'`tests/test_auth_info.c
-
-test_curl.lo: tests/test_curl.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_curl.lo -MD -MP -MF $(DEPDIR)/test_curl.Tpo -c -o test_curl.lo `test -f 'tests/test_curl.c' || echo '$(srcdir)/'`tests/test_curl.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/test_curl.Tpo $(DEPDIR)/test_curl.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tests/test_curl.c' object='test_curl.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_curl.lo `test -f 'tests/test_curl.c' || echo '$(srcdir)/'`tests/test_curl.c
-
-test_mysql.lo: tests/test_mysql.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_mysql.lo -MD -MP -MF $(DEPDIR)/test_mysql.Tpo -c -o test_mysql.lo `test -f 'tests/test_mysql.c' || echo '$(srcdir)/'`tests/test_mysql.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/test_mysql.Tpo $(DEPDIR)/test_mysql.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tests/test_mysql.c' object='test_mysql.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_mysql.lo `test -f 'tests/test_mysql.c' || echo '$(srcdir)/'`tests/test_mysql.c
-
-test_sqlite.lo: tests/test_sqlite.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_sqlite.lo -MD -MP -MF $(DEPDIR)/test_sqlite.Tpo -c -o test_sqlite.lo `test -f 'tests/test_sqlite.c' || echo '$(srcdir)/'`tests/test_sqlite.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/test_sqlite.Tpo $(DEPDIR)/test_sqlite.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tests/test_sqlite.c' object='test_sqlite.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_sqlite.lo `test -f 'tests/test_sqlite.c' || echo '$(srcdir)/'`tests/test_sqlite.c
-
-test_mutex.lo: tests/test_mutex.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_mutex.lo -MD -MP -MF $(DEPDIR)/test_mutex.Tpo -c -o test_mutex.lo `test -f 'tests/test_mutex.c' || echo '$(srcdir)/'`tests/test_mutex.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/test_mutex.Tpo $(DEPDIR)/test_mutex.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tests/test_mutex.c' object='test_mutex.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_mutex.lo `test -f 'tests/test_mutex.c' || echo '$(srcdir)/'`tests/test_mutex.c
-
-test_rsa_gen.lo: tests/test_rsa_gen.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_rsa_gen.lo -MD -MP -MF $(DEPDIR)/test_rsa_gen.Tpo -c -o test_rsa_gen.lo `test -f 'tests/test_rsa_gen.c' || echo '$(srcdir)/'`tests/test_rsa_gen.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/test_rsa_gen.Tpo $(DEPDIR)/test_rsa_gen.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tests/test_rsa_gen.c' object='test_rsa_gen.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_rsa_gen.lo `test -f 'tests/test_rsa_gen.c' || echo '$(srcdir)/'`tests/test_rsa_gen.c
-
-test_cert.lo: tests/test_cert.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_cert.lo -MD -MP -MF $(DEPDIR)/test_cert.Tpo -c -o test_cert.lo `test -f 'tests/test_cert.c' || echo '$(srcdir)/'`tests/test_cert.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/test_cert.Tpo $(DEPDIR)/test_cert.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tests/test_cert.c' object='test_cert.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_cert.lo `test -f 'tests/test_cert.c' || echo '$(srcdir)/'`tests/test_cert.c
-
-test_med_db.lo: tests/test_med_db.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_med_db.lo -MD -MP -MF $(DEPDIR)/test_med_db.Tpo -c -o test_med_db.lo `test -f 'tests/test_med_db.c' || echo '$(srcdir)/'`tests/test_med_db.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/test_med_db.Tpo $(DEPDIR)/test_med_db.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tests/test_med_db.c' object='test_med_db.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_med_db.lo `test -f 'tests/test_med_db.c' || echo '$(srcdir)/'`tests/test_med_db.c
-
-test_chunk.lo: tests/test_chunk.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_chunk.lo -MD -MP -MF $(DEPDIR)/test_chunk.Tpo -c -o test_chunk.lo `test -f 'tests/test_chunk.c' || echo '$(srcdir)/'`tests/test_chunk.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/test_chunk.Tpo $(DEPDIR)/test_chunk.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tests/test_chunk.c' object='test_chunk.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_chunk.lo `test -f 'tests/test_chunk.c' || echo '$(srcdir)/'`tests/test_chunk.c
-
-test_pool.lo: tests/test_pool.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_pool.lo -MD -MP -MF $(DEPDIR)/test_pool.Tpo -c -o test_pool.lo `test -f 'tests/test_pool.c' || echo '$(srcdir)/'`tests/test_pool.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/test_pool.Tpo $(DEPDIR)/test_pool.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tests/test_pool.c' object='test_pool.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_pool.lo `test -f 'tests/test_pool.c' || echo '$(srcdir)/'`tests/test_pool.c
-
-test_agent.lo: tests/test_agent.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_agent.lo -MD -MP -MF $(DEPDIR)/test_agent.Tpo -c -o test_agent.lo `test -f 'tests/test_agent.c' || echo '$(srcdir)/'`tests/test_agent.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/test_agent.Tpo $(DEPDIR)/test_agent.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tests/test_agent.c' object='test_agent.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_agent.lo `test -f 'tests/test_agent.c' || echo '$(srcdir)/'`tests/test_agent.c
-
-test_id.lo: tests/test_id.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_id.lo -MD -MP -MF $(DEPDIR)/test_id.Tpo -c -o test_id.lo `test -f 'tests/test_id.c' || echo '$(srcdir)/'`tests/test_id.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/test_id.Tpo $(DEPDIR)/test_id.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tests/test_id.c' object='test_id.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_id.lo `test -f 'tests/test_id.c' || echo '$(srcdir)/'`tests/test_id.c
-
-mostlyclean-libtool:
-	-rm -f *.lo
-
-clean-libtool:
-	-rm -rf .libs _libs
-
-ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
-	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	mkid -fID $$unique
-tags: TAGS
-
-TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	set x; \
-	here=`pwd`; \
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	shift; \
-	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
-	  test -n "$$unique" || unique=$$empty_fix; \
-	  if test $$# -gt 0; then \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      "$$@" $$unique; \
-	  else \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      $$unique; \
-	  fi; \
-	fi
-ctags: CTAGS
-CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$unique" \
-	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$unique
-
-GTAGS:
-	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && $(am__cd) $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) "$$here"
-
-distclean-tags:
-	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
-
-distdir: $(DISTFILES)
-	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	list='$(DISTFILES)'; \
-	  dist_files=`for file in $$list; do echo $$file; done | \
-	  sed -e "s|^$$srcdirstrip/||;t" \
-	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
-	case $$dist_files in \
-	  */*) $(MKDIR_P) `echo "$$dist_files" | \
-			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
-			   sort -u` ;; \
-	esac; \
-	for file in $$dist_files; do \
-	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  if test -d $$d/$$file; then \
-	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
-	    if test -d "$(distdir)/$$file"; then \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
-	  else \
-	    test -f "$(distdir)/$$file" \
-	    || cp -p $$d/$$file "$(distdir)/$$file" \
-	    || exit 1; \
-	  fi; \
-	done
-check-am: all-am
-check: check-am
-all-am: Makefile $(LTLIBRARIES)
-installdirs:
-	for dir in "$(DESTDIR)$(plugindir)"; do \
-	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
-	done
-install: install-am
-install-exec: install-exec-am
-install-data: install-data-am
-uninstall: uninstall-am
-
-install-am: all-am
-	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
-
-installcheck: installcheck-am
-install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
-mostlyclean-generic:
-
-clean-generic:
-
-distclean-generic:
-	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
-
-maintainer-clean-generic:
-	@echo "This command is intended for maintainers to use"
-	@echo "it deletes files that may require special tools to rebuild."
-clean: clean-am
-
-clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
-	mostlyclean-am
-
-distclean: distclean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-distclean-am: clean-am distclean-compile distclean-generic \
-	distclean-tags
-
-dvi: dvi-am
-
-dvi-am:
-
-html: html-am
-
-html-am:
-
-info: info-am
-
-info-am:
-
-install-data-am: install-pluginLTLIBRARIES
-
-install-dvi: install-dvi-am
-
-install-dvi-am:
-
-install-exec-am:
-
-install-html: install-html-am
-
-install-html-am:
-
-install-info: install-info-am
-
-install-info-am:
-
-install-man:
-
-install-pdf: install-pdf-am
-
-install-pdf-am:
-
-install-ps: install-ps-am
-
-install-ps-am:
-
-installcheck-am:
-
-maintainer-clean: maintainer-clean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-maintainer-clean-am: distclean-am maintainer-clean-generic
-
-mostlyclean: mostlyclean-am
-
-mostlyclean-am: mostlyclean-compile mostlyclean-generic \
-	mostlyclean-libtool
-
-pdf: pdf-am
-
-pdf-am:
-
-ps: ps-am
-
-ps-am:
-
-uninstall-am: uninstall-pluginLTLIBRARIES
-
-.MAKE: install-am install-strip
-
-.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
-	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
-	distclean-compile distclean-generic distclean-libtool \
-	distclean-tags distdir dvi dvi-am html html-am info info-am \
-	install install-am install-data install-data-am install-dvi \
-	install-dvi-am install-exec install-exec-am install-html \
-	install-html-am install-info install-info-am install-man \
-	install-pdf install-pdf-am install-pluginLTLIBRARIES \
-	install-ps install-ps-am install-strip installcheck \
-	installcheck-am installdirs maintainer-clean \
-	maintainer-clean-generic mostlyclean mostlyclean-compile \
-	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
-
-
-# Tell versions [3.59,3.63) of GNU make to not export all variables.
-# Otherwise a system limit (for SysV at least) may be exceeded.
-.NOEXPORT:
diff --git a/src/charon/plugins/unit_tester/tests.h b/src/charon/plugins/unit_tester/tests.h
deleted file mode 100644
index 96313d390..000000000
--- a/src/charon/plugins/unit_tester/tests.h
+++ /dev/null
@@ -1,43 +0,0 @@
-/*
- * Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup tests tests
- * @{ @ingroup unit_tester
- */
-
-DEFINE_TEST("linked_list_t->remove()", test_list_remove, FALSE)
-DEFINE_TEST("simple enumerator", test_enumerate, FALSE)
-DEFINE_TEST("nested enumerator", test_enumerate_nested, FALSE)
-DEFINE_TEST("filtered enumerator", test_enumerate_filtered, FALSE)
-DEFINE_TEST("token enumerator", test_enumerate_token, FALSE)
-DEFINE_TEST("auth cfg", test_auth_cfg, FALSE)
-DEFINE_TEST("CURL get", test_curl_get, FALSE)
-DEFINE_TEST("MySQL operations", test_mysql, FALSE)
-DEFINE_TEST("SQLite operations", test_sqlite, FALSE)
-DEFINE_TEST("mutex primitive", test_mutex, FALSE)
-DEFINE_TEST("RSA key generation", test_rsa_gen, FALSE)
-DEFINE_TEST("RSA subjectPublicKeyInfo loading", test_rsa_load_any, FALSE)
-DEFINE_TEST("X509 certificate", test_cert_x509, FALSE)
-DEFINE_TEST("Mediation database key fetch", test_med_db, FALSE)
-DEFINE_TEST("Base64 converter", test_chunk_base64, FALSE)
-DEFINE_TEST("IP pool", test_pool, FALSE)
-DEFINE_TEST("SSH agent", test_agent, FALSE)
-DEFINE_TEST("ID parts", test_id_parts, FALSE)
-DEFINE_TEST("ID wildcards", test_id_wildcards, FALSE)
-DEFINE_TEST("ID equals", test_id_equals, FALSE)
-DEFINE_TEST("ID matches", test_id_matches, FALSE)
-
-/** @}*/
diff --git a/src/charon/plugins/unit_tester/tests/test_agent.c b/src/charon/plugins/unit_tester/tests/test_agent.c
deleted file mode 100644
index baab629be..000000000
--- a/src/charon/plugins/unit_tester/tests/test_agent.c
+++ /dev/null
@@ -1,67 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <library.h>
-#include <daemon.h>
-
-/*******************************************************************************
- * SSH agent signature creation and verification
- ******************************************************************************/
-bool test_agent()
-{
-	char *path;
-	chunk_t sig, data = chunk_from_chars(0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08);
-	private_key_t *private;
-	public_key_t *public;
-
-	path = getenv("SSH_AUTH_SOCK");
-	if (!path)
-	{
-		DBG1(DBG_CFG, "ssh-agent not found.");
-		return FALSE;
-	}
-
-	private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
-								 BUILD_AGENT_SOCKET, path, BUILD_END);
-	if (!private)
-	{
-		return FALSE;
-	}
-	if (!private->sign(private, SIGN_RSA_EMSA_PKCS1_SHA1, data, &sig))
-	{
-		return FALSE;
-	}
-	public = private->get_public_key(private);
-	if (!public)
-	{
-		return FALSE;;
-	}
-	if (!public->verify(public, SIGN_RSA_EMSA_PKCS1_SHA1, data, sig))
-	{
-		return FALSE;
-	}
-	free(sig.ptr);
-	data.ptr[1] = 0x01; /* fake it */
-	if (public->verify(public, SIGN_RSA_EMSA_PKCS1_SHA1, data, sig))
-	{
-		return FALSE;
-	}
-
-	private->destroy(private);
-	public->destroy(public);
-
-	return TRUE;
-}
-
diff --git a/src/charon/plugins/unit_tester/tests/test_auth_info.c b/src/charon/plugins/unit_tester/tests/test_auth_info.c
deleted file mode 100644
index d6abe7a05..000000000
--- a/src/charon/plugins/unit_tester/tests/test_auth_info.c
+++ /dev/null
@@ -1,140 +0,0 @@
-/*
- * Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <daemon.h>
-#include <library.h>
-#include <config/auth_cfg.h>
-
-
-static chunk_t certchunk = chunk_from_chars(
-	0x30,0x82,0x02,0xfa,0x30,0x82,0x01,0xe2,0xa0,0x03,0x02,0x01,0x02,0x02,0x10,0x5a,
-	0xf2,0x65,0xae,0x78,0xff,0x23,0xde,0xf7,0xa6,0xa3,0x94,0x8c,0x3f,0xa0,0xc1,0x30,
-	0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x05,0x05,0x00,0x30,0x39,
-	0x31,0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x48,0x31,0x19,0x30,
-	0x17,0x06,0x03,0x55,0x04,0x0a,0x13,0x10,0x4c,0x69,0x6e,0x75,0x78,0x20,0x73,0x74,
-	0x72,0x6f,0x6e,0x67,0x53,0x77,0x61,0x6e,0x31,0x0f,0x30,0x0d,0x06,0x03,0x55,0x04,
-	0x03,0x13,0x06,0x6d,0x61,0x72,0x74,0x69,0x6e,0x30,0x1e,0x17,0x0d,0x30,0x37,0x30,
-	0x34,0x32,0x37,0x30,0x37,0x31,0x34,0x32,0x36,0x5a,0x17,0x0d,0x31,0x32,0x30,0x34,
-	0x32,0x35,0x30,0x37,0x31,0x34,0x32,0x36,0x5a,0x30,0x39,0x31,0x0b,0x30,0x09,0x06,
-	0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x48,0x31,0x19,0x30,0x17,0x06,0x03,0x55,0x04,
-	0x0a,0x13,0x10,0x4c,0x69,0x6e,0x75,0x78,0x20,0x73,0x74,0x72,0x6f,0x6e,0x67,0x53,
-	0x77,0x61,0x6e,0x31,0x0f,0x30,0x0d,0x06,0x03,0x55,0x04,0x03,0x13,0x06,0x6d,0x61,
-	0x72,0x74,0x69,0x6e,0x30,0x82,0x01,0x22,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,
-	0xf7,0x0d,0x01,0x01,0x01,0x05,0x00,0x03,0x82,0x01,0x0f,0x00,0x30,0x82,0x01,0x0a,
-	0x02,0x82,0x01,0x01,0x00,0xd7,0xb9,0xba,0x4d,0xe2,0x3b,0x3d,0x35,0x7a,0x3f,0x88,
-	0x67,0x95,0xe7,0xfd,0x9f,0xe9,0x0a,0x0d,0x79,0x3a,0x9e,0x21,0x8f,0xcb,0xe4,0x67,
-	0x24,0xae,0x0c,0xda,0xb3,0xcc,0xec,0x36,0xb4,0xa8,0x4d,0xf1,0x3d,0xad,0xe4,0x8c,
-	0x63,0x92,0x54,0xb7,0xb2,0x02,0xa2,0x00,0x62,0x8b,0x04,0xac,0xa0,0x17,0xad,0x17,
-	0x9a,0x05,0x0d,0xd7,0xb3,0x08,0x02,0xc5,0x26,0xcf,0xdd,0x05,0x42,0xfc,0x13,0x6d,
-	0x9f,0xb1,0xf3,0x4f,0x82,0x1d,0xef,0x01,0xc9,0x91,0xea,0x37,0x1b,0x79,0x28,0xfa,
-	0xbf,0x9f,0xb3,0xeb,0x82,0x4f,0x10,0xc6,0x4b,0xa4,0x08,0xf7,0x8e,0xf2,0x00,0xea,
-	0x04,0x97,0x80,0x9f,0x65,0x86,0xde,0x6b,0xc7,0xda,0x83,0xfc,0xad,0x4a,0xaf,0x52,
-	0x8b,0x4d,0x33,0xee,0x49,0x87,0x2f,0x3b,0x60,0x45,0x66,0x8f,0xe6,0x89,0xcc,0xb1,
-	0x92,0x02,0x17,0x2b,0x7b,0x8e,0x90,0x47,0x84,0x84,0x59,0x95,0x81,0xd8,0xe0,0xf3,
-	0x87,0xe0,0x04,0x09,0xfd,0xcc,0x3a,0x21,0x34,0xfa,0xec,0xbe,0xf5,0x9c,0xcf,0x55,
-	0x80,0x7b,0xe3,0x75,0x9d,0x36,0x68,0xab,0x83,0xe3,0xad,0x01,0x53,0x0d,0x8a,0x9a,
-	0xa6,0xb0,0x15,0xc9,0xc5,0xf8,0x9b,0x51,0x32,0xcf,0x97,0x6c,0xfe,0x4a,0x56,0x3c,
-	0xc8,0x8f,0x4a,0x70,0x23,0x4f,0xf6,0xf7,0xe6,0x9f,0x09,0xcd,0x8f,0xea,0x20,0x7d,
-	0x34,0xc0,0xc5,0xc0,0x34,0x06,0x6f,0x8b,0xeb,0x04,0x54,0x3f,0x0e,0xcd,0xe2,0x85,
-	0xab,0x94,0x3e,0x91,0x6c,0x18,0x6f,0x96,0x5d,0xf2,0x8b,0x10,0xe9,0x90,0x43,0xb0,
-	0x61,0x52,0xac,0xcf,0x75,0x02,0x03,0x01,0x00,0x01,0x30,0x0d,0x06,0x09,0x2a,0x86,
-	0x48,0x86,0xf7,0x0d,0x01,0x01,0x05,0x05,0x00,0x03,0x82,0x01,0x01,0x00,0x09,0x63,
-	0x42,0xad,0xe5,0xa3,0xf6,0xc9,0x5d,0x08,0xf2,0x78,0x7b,0xeb,0x8a,0xef,0x50,0x00,
-	0xc8,0xeb,0xe9,0x26,0x94,0xcb,0x84,0x10,0x7e,0x42,0x6b,0x86,0x38,0x57,0xa6,0x02,
-	0x98,0x5a,0x2c,0x8f,0x44,0x32,0x1b,0x97,0x8c,0x7e,0x4b,0xd8,0xe8,0xe8,0x0f,0x4a,
-	0xb9,0x31,0x9f,0xf6,0x9f,0x0e,0x67,0x26,0x05,0x2a,0x99,0x14,0x35,0x41,0x47,0x9a,
-	0xfa,0x12,0x94,0x0b,0xe9,0x27,0x7c,0x71,0x20,0xd7,0x8d,0x3b,0x97,0x19,0x2d,0x15,
-	0xff,0xa4,0xf3,0x89,0x8d,0x29,0x5f,0xf6,0x3f,0x93,0xaf,0x78,0x61,0xe4,0xe1,0x2e,
-	0x75,0xc1,0x2c,0xc4,0x76,0x95,0x19,0xf8,0x37,0xdc,0xd8,0x00,0x7a,0x3c,0x0f,0x49,
-	0x2e,0x88,0x09,0x16,0xb3,0x92,0x33,0xdf,0x77,0x83,0x4f,0xb5,0x9e,0x30,0x8c,0x48,
-	0x1d,0xd8,0x84,0xfb,0xf1,0xb9,0xa0,0xbe,0x25,0xff,0x4c,0xeb,0xef,0x2b,0xcd,0xfa,
-	0x0b,0x94,0x66,0x3b,0x28,0x08,0x3f,0x3a,0xda,0x41,0xd0,0x6b,0xab,0x5e,0xbb,0x8a,
-	0x9f,0xdc,0x98,0x3e,0x59,0x37,0x48,0xbe,0x69,0xde,0x85,0x82,0xf2,0x53,0x8b,0xe4,
-	0x44,0xe4,0x71,0x91,0x14,0x85,0x0e,0x1e,0x79,0xdd,0x62,0xf5,0xdc,0x25,0x89,0xab,
-	0x50,0x5b,0xaa,0xae,0xe3,0x64,0x6a,0x23,0x34,0xd7,0x30,0xe2,0x2a,0xc8,0x81,0x0c,
-	0xec,0xd2,0x31,0xc6,0x1e,0xb6,0xc0,0x57,0xd9,0xe1,0x14,0x06,0x9b,0xf8,0x51,0x69,
-	0x47,0xf0,0x9c,0xcd,0x69,0xef,0x8e,0x5f,0x62,0xda,0x10,0xf7,0x3c,0x6d,0x0f,0x33,
-	0xec,0x6f,0xfd,0x94,0x07,0x16,0x41,0x32,0x06,0xa4,0xe1,0x08,0x31,0x87,
-);
-
-/*******************************************************************************
- * auth info test
- ******************************************************************************/
-bool test_auth_cfg()
-{
-	auth_cfg_t *auth = auth_cfg_create(), *auth2;
-	certificate_t *c1, *c2;
-	enumerator_t *enumerator;
-	int round = 0;
-	void *value;
-	auth_rule_t type;
-
-	c1 = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
-							BUILD_BLOB_ASN1_DER, certchunk,
-							BUILD_END);
-	if (!c1)
-	{
-		return FALSE;
-	}
-
-	auth->add(auth, AUTH_RULE_SUBJECT_CERT, c1->get_ref(c1));
-	c2 = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
-	if (!c2)
-	{
-		return FALSE;
-	}
-	if (!c1->equals(c1, c2))
-	{
-		return FALSE;
-	}
-
-	enumerator = auth->create_enumerator(auth);
-	while (enumerator->enumerate(enumerator, &type, &value))
-	{
-		round++;
-		if (round == 1 && type == AUTH_RULE_SUBJECT_CERT && value == c1)
-		{
-			continue;
-		}
-		return FALSE;
-	}
-	enumerator->destroy(enumerator);
-
-	auth2 = auth_cfg_create();
-	auth2->add(auth2, AUTH_RULE_CA_CERT, c1->get_ref(c1));
-	auth2->merge(auth2, auth, FALSE);
-
-	round = 0;
-	enumerator = auth2->create_enumerator(auth2);
-	while (enumerator->enumerate(enumerator, &type, &value))
-	{
-		round++;
-		if (round == 1 && type == AUTH_RULE_CA_CERT && value == c1)
-		{
-			continue;
-		}
-		if (round == 2 && type == AUTH_RULE_SUBJECT_CERT && value == c1)
-		{
-			continue;
-		}
-		return FALSE;
-	}
-	enumerator->destroy(enumerator);
-	auth->destroy(auth);
-	auth2->destroy(auth2);
-	c1->destroy(c1);
-	return TRUE;
-}
-
diff --git a/src/charon/plugins/unit_tester/tests/test_cert.c b/src/charon/plugins/unit_tester/tests/test_cert.c
deleted file mode 100644
index 3b00421f8..000000000
--- a/src/charon/plugins/unit_tester/tests/test_cert.c
+++ /dev/null
@@ -1,108 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <library.h>
-#include <daemon.h>
-#include <credentials/certificates/x509.h>
-
-/*******************************************************************************
- * X509 certificate generation and parsing
- ******************************************************************************/
-bool test_cert_x509()
-{
-	private_key_t *ca_key, *peer_key;
-	public_key_t *public;
-	certificate_t *ca_cert, *peer_cert, *parsed;
-	identification_t *issuer, *subject;
-	u_int32_t serial = htonl(0);
-	chunk_t encoding;
-
-	issuer = identification_create_from_string("CN=CA, OU=Test, O=strongSwan");
-	subject = identification_create_from_string("CN=Peer, OU=Test, O=strongSwan");
-
-	ca_key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
-						BUILD_KEY_SIZE, 1024, BUILD_END);
-	peer_key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
-						BUILD_KEY_SIZE, 1024, BUILD_END);
-	if (!ca_key)
-	{
-		return FALSE;
-	}
-	ca_cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
-						BUILD_SIGNING_KEY, ca_key,
-						BUILD_SUBJECT, issuer,
-						BUILD_SERIAL, chunk_from_thing(serial),
-						BUILD_X509_FLAG, X509_CA,
-						BUILD_END);
-	if (!ca_cert)
-	{
-		return FALSE;
-	}
-
-	encoding = ca_cert->get_encoding(ca_cert);
-	parsed = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
-						BUILD_BLOB_ASN1_DER, encoding,
-						BUILD_END);
-	chunk_free(&encoding);
-	if (!parsed)
-	{
-		return FALSE;
-	}
-	if (!parsed->issued_by(parsed, ca_cert))
-	{
-		return FALSE;
-	}
-	parsed->destroy(parsed);
-
-	serial = htonl(ntohl(serial) + 1);
-	public = peer_key->get_public_key(peer_key);
-	peer_cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
-						BUILD_SIGNING_KEY, ca_key,
-						BUILD_SIGNING_CERT, ca_cert,
-						BUILD_PUBLIC_KEY, public,
-						BUILD_SUBJECT, subject,
-						BUILD_SERIAL, chunk_from_thing(serial),
-						BUILD_END);
-	public->destroy(public);
-	if (!peer_cert)
-	{
-		return FALSE;
-	}
-
-	encoding = peer_cert->get_encoding(peer_cert);
-	parsed = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
-						BUILD_BLOB_ASN1_DER, encoding,
-						BUILD_END);
-	chunk_free(&encoding);
-	if (!parsed)
-	{
-		return FALSE;
-	}
-	if (!parsed->issued_by(parsed, ca_cert))
-	{
-		return FALSE;
-	}
-	parsed->destroy(parsed);
-
-	ca_cert->destroy(ca_cert);
-	ca_key->destroy(ca_key);
-	peer_cert->destroy(peer_cert);
-	peer_key->destroy(peer_key);
-	issuer->destroy(issuer);
-	subject->destroy(subject);
-	return TRUE;
-}
-
-
diff --git a/src/charon/plugins/unit_tester/tests/test_chunk.c b/src/charon/plugins/unit_tester/tests/test_chunk.c
deleted file mode 100644
index 2e0905b2c..000000000
--- a/src/charon/plugins/unit_tester/tests/test_chunk.c
+++ /dev/null
@@ -1,82 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <library.h>
-#include <daemon.h>
-
-/*******************************************************************************
- * Base64 encoding/decoding test
- ******************************************************************************/
-bool test_chunk_base64()
-{
-	/* test vectors from RFC4648:
-	 *
-	 * BASE64("") = ""
-	 * BASE64("f") = "Zg=="
-	 * BASE64("fo") = "Zm8="
-	 * BASE64("foo") = "Zm9v"
-	 * BASE64("foob") = "Zm9vYg=="
-	 * BASE64("fooba") = "Zm9vYmE="
-	 * BASE64("foobar") = "Zm9vYmFy"
-	 */
-
-	typedef struct {
-		char *in;
-		char *out;
-	} testdata_t;
-
-	testdata_t test[] = {
-		{"", ""},
-		{"f", "Zg=="},
-		{"fo", "Zm8="},
-		{"foo", "Zm9v"},
-		{"foob", "Zm9vYg=="},
-		{"fooba", "Zm9vYmE="},
-		{"foobar", "Zm9vYmFy"},
-	};
-	int i;
-
-	for (i = 0; i < countof(test); i++)
-	{
-		chunk_t out;
-
-		out = chunk_to_base64(chunk_create(test[i].in, strlen(test[i].in)), NULL);
-
-		if (!streq(out.ptr, test[i].out))
-		{
-			DBG1(DBG_CFG, "base64 conversion error - should %s, is %s",
-				test[i].out, out.ptr);
-			return FALSE;
-		}
-		free(out.ptr);
-	}
-
-	for (i = 0; i < countof(test); i++)
-	{
-		chunk_t out;
-
-		out = chunk_from_base64(chunk_create(test[i].out, strlen(test[i].out)), NULL);
-
-		if (!strneq(out.ptr, test[i].in, out.len))
-		{
-			DBG1(DBG_CFG, "base64 conversion error - should %s, is %#B",
-				test[i].in, &out);
-			return FALSE;
-		}
-		free(out.ptr);
-	}
-	return TRUE;
-}
-
diff --git a/src/charon/plugins/unit_tester/tests/test_curl.c b/src/charon/plugins/unit_tester/tests/test_curl.c
deleted file mode 100644
index 21656a94e..000000000
--- a/src/charon/plugins/unit_tester/tests/test_curl.c
+++ /dev/null
@@ -1,44 +0,0 @@
-/*
- * Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <daemon.h>
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netdb.h>
-
-/*******************************************************************************
- * curl get test
- ******************************************************************************/
-
-bool test_curl_get()
-{
-	chunk_t chunk;
-
-	if (lib->fetcher->fetch(lib->fetcher, "http://www.strongswan.org",
-							&chunk, FETCH_END) != SUCCESS)
-	{
-		return FALSE;
-	}
-	free(chunk.ptr);
-
-	if (lib->fetcher->fetch(lib->fetcher, "http://www.google.com",
-							&chunk, FETCH_END) != SUCCESS)
-	{
-		return FALSE;
-	}
-	free(chunk.ptr);
-	return TRUE;
-}
-
diff --git a/src/charon/plugins/unit_tester/tests/test_enumerator.c b/src/charon/plugins/unit_tester/tests/test_enumerator.c
deleted file mode 100644
index edbf0f5bb..000000000
--- a/src/charon/plugins/unit_tester/tests/test_enumerator.c
+++ /dev/null
@@ -1,306 +0,0 @@
-/*
- * Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <utils/linked_list.h>
-
-
-/*******************************************************************************
- * linked list remove test
- ******************************************************************************/
-bool test_list_remove()
-{
-	void *a = (void*)1, *b = (void*)2;
-	linked_list_t *list;
-
-	list = linked_list_create();
-	list->insert_last(list, a);
-	if (list->remove(list, a, NULL) != 1)
-	{
-		return FALSE;
-	}
-	list->insert_last(list, a);
-	list->insert_first(list, a);
-	list->insert_last(list, a);
-	list->insert_last(list, b);
-	if (list->remove(list, a, NULL) != 3)
-	{
-		return FALSE;
-	}
-	if (list->remove(list, a, NULL) != 0)
-	{
-		return FALSE;
-	}
-	if (list->get_count(list) != 1)
-	{
-		return FALSE;
-	}
-	if (list->remove(list, b, NULL) != 1)
-	{
-		return FALSE;
-	}
-	if (list->remove(list, b, NULL) != 0)
-	{
-		return FALSE;
-	}
-	list->destroy(list);
-	return TRUE;
-}
-
-/*******************************************************************************
- * Simple insert first/last and enumerate test
- ******************************************************************************/
-bool test_enumerate()
-{
-	int round, x;
-	void *a = (void*)4, *b = (void*)3, *c = (void*)2, *d = (void*)5, *e = (void*)1;
-	linked_list_t *list;
-	enumerator_t *enumerator;
-
-	list = linked_list_create();
-
-	list->insert_last(list, a);
-	list->insert_first(list, b);
-	list->insert_first(list, c);
-	list->insert_last(list, d);
-	list->insert_first(list, e);
-
-	round = 1;
-	enumerator = list->create_enumerator(list);
-	while (enumerator->enumerate(enumerator, &x))
-	{
-		if (round != x)
-		{
-			return FALSE;
-		}
-		round++;
-	}
-	enumerator->destroy(enumerator);
-
-	list->destroy(list);
-	return TRUE;
-}
-
-/*******************************************************************************
- * nested enumerator test
- ******************************************************************************/
-
-static bool bad_data;
-
-static enumerator_t* create_inner(linked_list_t *outer, void *data)
-{
-	if (data != (void*)101)
-	{
-		bad_data = TRUE;
-	}
-	return outer->create_enumerator(outer);
-}
-
-
-static void destroy_data(void *data)
-{
-	if (data != (void*)101)
-	{
-		bad_data = TRUE;
-	}
-}
-
-bool test_enumerate_nested()
-{
-	int round, x;
-	void *a = (void*)1, *b = (void*)2, *c = (void*)3, *d = (void*)4, *e = (void*)5;
-	linked_list_t *list, *l1, *l2, *l3;
-	enumerator_t *enumerator;
-
-	bad_data = FALSE;
-	list = linked_list_create();
-	l1 = linked_list_create();
-	l2 = linked_list_create();
-	l3 = linked_list_create();
-	list->insert_last(list, l1);
-	list->insert_last(list, l2);
-	list->insert_last(list, l3);
-
-	l1->insert_last(l1, a);
-	l1->insert_last(l1, b);
-	l3->insert_last(l3, c);
-	l3->insert_last(l3, d);
-	l3->insert_last(l3, e);
-
-	round = 1;
-	enumerator = enumerator_create_nested(list->create_enumerator(list),
-					(void*)create_inner, (void*)101, destroy_data);
-	while (enumerator->enumerate(enumerator, &x))
-	{
-		if (round != x)
-		{
-			return FALSE;
-		}
-		round++;
-	}
-	enumerator->destroy(enumerator);
-
-	list->destroy(list);
-	l1->destroy(l1);
-	l2->destroy(l2);
-	l3->destroy(l3);
-	return !bad_data;
-}
-
-
-/*******************************************************************************
- * filtered enumerator test
- ******************************************************************************/
-static bool filter(void *data, int *v, int *vo, int *w, int *wo,
-				   int *x, int *xo, int *y, int *yo, int *z, int *zo)
-{
-	int val = *v;
-
-	*vo = val++;
-	*wo = val++;
-	*xo = val++;
-	*yo = val++;
-	*zo = val++;
-	if (data != (void*)101)
-	{
-		return FALSE;
-	}
-	return TRUE;
-}
-
-bool test_enumerate_filtered()
-{
-	int round, v, w, x, y, z;
-	void *a = (void*)1, *b = (void*)2, *c = (void*)3, *d = (void*)4, *e = (void*)5;
-	linked_list_t *list;
-	enumerator_t *enumerator;
-
-	bad_data = FALSE;
-	list = linked_list_create();
-
-	list->insert_last(list, a);
-	list->insert_last(list, b);
-	list->insert_last(list, c);
-	list->insert_last(list, d);
-	list->insert_last(list, e);
-
-	round = 1;
-	enumerator = enumerator_create_filter(list->create_enumerator(list),
-									(void*)filter, (void*)101, destroy_data);
-	while (enumerator->enumerate(enumerator, &v, &w, &x, &y, &z))
-	{
-		if (v != round || w != round + 1 || x != round + 2 ||
-			y != round + 3 || z != round + 4)
-		{
-			return FALSE;
-		}
-		round++;
-	}
-	enumerator->destroy(enumerator);
-
-	list->destroy(list);
-	return !bad_data;
-}
-
-/*******************************************************************************
- * token parser test
- ******************************************************************************/
-
-bool test_enumerate_token()
-{
-	enumerator_t *enumerator;
-	char *token;
-	int i, num;
-	struct {
-		char *string;
-		char *sep;
-		char *trim;
-	} tests1[] = {
-		{"abc, cde, efg", ",", " "},
-		{" abc 1:2 cde;3  4efg5.  ", ":;.,", " 12345"},
-		{"abc.cde,efg", ",.", ""},
-		{"  abc   cde  efg  ", " ", " "},
-		{"a'abc' c 'cde' cefg", " ", " abcd"},
-		{"'abc' abc 'cde'd 'efg'", " ", " abcd"},
-	}, tests2[] = {
-		{"a, b, c", ",", " "},
-		{"a,b,c", ",", " "},
-		{" a 1:2 b;3  4c5.  ", ":;.,", " 12345"},
-		{"a.b,c", ",.", ""},
-		{"  a   b  c  ", " ", " "},
-	};
-
-	for (num = 0; num < countof(tests1); num++)
-	{
-		i = 0;
-		enumerator = enumerator_create_token(tests1[num].string,
-											 tests1[num].sep, tests1[num].trim);
-		while (enumerator->enumerate(enumerator, &token))
-		{
-			switch (i)
-			{
-				case 0:
-					if (!streq(token, "abc")) return FALSE;
-					break;
-				case 1:
-					if (!streq(token, "cde")) return FALSE;
-					break;
-				case 2:
-					if (!streq(token, "efg")) return FALSE;
-					break;
-				default:
-					return FALSE;
-			}
-			i++;
-		}
-		if (i != 3)
-		{
-			return FALSE;
-		}
-		enumerator->destroy(enumerator);
-	}
-
-	for (num = 0; num < countof(tests2); num++)
-	{
-		i = 0;
-		enumerator = enumerator_create_token(tests2[num].string,
-											 tests2[num].sep, tests2[num].trim);
-		while (enumerator->enumerate(enumerator, &token))
-		{
-			switch (i)
-			{
-				case 0:
-					if (!streq(token, "a")) return FALSE;
-					break;
-				case 1:
-					if (!streq(token, "b")) return FALSE;
-					break;
-				case 2:
-					if (!streq(token, "c")) return FALSE;
-					break;
-				default:
-					return FALSE;
-			}
-			i++;
-		}
-		if (i != 3)
-		{
-			return FALSE;
-		}
-		enumerator->destroy(enumerator);
-	}
-
-	return TRUE;
-}
-
diff --git a/src/charon/plugins/unit_tester/tests/test_id.c b/src/charon/plugins/unit_tester/tests/test_id.c
deleted file mode 100644
index 868a2ca8b..000000000
--- a/src/charon/plugins/unit_tester/tests/test_id.c
+++ /dev/null
@@ -1,249 +0,0 @@
-/*
- * Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <daemon.h>
-
-/*******************************************************************************
- * identification part enumeration test
- ******************************************************************************/
-bool test_id_parts()
-{
-	identification_t *id;
-	enumerator_t *enumerator;
-	id_part_t part;
-	chunk_t data;
-	int i = 0;
-
-	id = identification_create_from_string("C=CH, O=strongSwan, CN=tester");
-
-	enumerator = id->create_part_enumerator(id);
-	while (enumerator->enumerate(enumerator, &part, &data))
-	{
-		switch (i++)
-		{
-			case 0:
-				if (part != ID_PART_RDN_C ||
-					!chunk_equals(data, chunk_create("CH", 2)))
-				{
-					return FALSE;
-				}
-				break;
-			case 1:
-				if (part != ID_PART_RDN_O ||
-					!chunk_equals(data, chunk_create("strongSwan", 10)))
-				{
-					return FALSE;
-				}
-				break;
-			case 2:
-				if (part != ID_PART_RDN_CN ||
-					!chunk_equals(data, chunk_create("tester", 6)))
-				{
-					return FALSE;
-				}
-				break;
-			default:
-				return FALSE;
-		}
-	}
-	if (i < 3)
-	{
-		return FALSE;
-	}
-	enumerator->destroy(enumerator);
-	id->destroy(id);
-	return TRUE;
-}
-
-/*******************************************************************************
- * identification contains_wildcards() test
- ******************************************************************************/
-
-static bool test_id_wildcards_has(char *string)
-{
-	identification_t *id;
-	bool contains;
-
-	id = identification_create_from_string(string);
-	contains = id->contains_wildcards(id);
-	id->destroy(id);
-	return contains;
-}
-
-bool test_id_wildcards()
-{
-	if (!test_id_wildcards_has("C=*, O=strongSwan, CN=gw"))
-	{
-		return FALSE;
-	}
-	if (!test_id_wildcards_has("C=CH, O=strongSwan, CN=*"))
-	{
-		return FALSE;
-	}
-	if (test_id_wildcards_has("C=**, O=a*, CN=*a"))
-	{
-		return FALSE;
-	}
-	if (!test_id_wildcards_has("*@strongswan.org"))
-	{
-		return FALSE;
-	}
-	if (!test_id_wildcards_has("*.strongswan.org"))
-	{
-		return FALSE;
-	}
-	return TRUE;
-}
-
-/*******************************************************************************
- * identification equals test
- ******************************************************************************/
-
-static bool test_id_equals_one(identification_t *a, char *b_str)
-{
-	identification_t *b;
-	bool equals;
-
-	b = identification_create_from_string(b_str);
-	equals = a->equals(a, b);
-	b->destroy(b);
-	return equals;
-}
-
-bool test_id_equals()
-{
-	identification_t *a;
-	chunk_t encoding, fuzzed;
-	int i;
-
-	a = identification_create_from_string(
-							   "C=CH, E=martin@strongswan.org, CN=martin");
-
-	if (!test_id_equals_one(a, "C=CH, E=martin@strongswan.org, CN=martin"))
-	{
-		return FALSE;
-	}
-	if (!test_id_equals_one(a, "C=ch, E=martin@STRONGSWAN.ORG, CN=Martin"))
-	{
-		return FALSE;
-	}
-	if (test_id_equals_one(a, "C=CN, E=martin@strongswan.org, CN=martin"))
-	{
-		return FALSE;
-	}
-	if (test_id_equals_one(a, "E=martin@strongswan.org, C=CH, CN=martin"))
-	{
-		return FALSE;
-	}
-	if (test_id_equals_one(a, "E=martin@strongswan.org, C=CH, CN=martin"))
-	{
-		return FALSE;
-	}
-	encoding = chunk_clone(a->get_encoding(a));
-	a->destroy(a);
-
-	/* simple fuzzing, increment each byte of encoding */
-	for (i = 0; i < encoding.len; i++)
-	{
-		if (i == 11 || i == 30 || i == 62)
-		{	/* skip ASN.1 type fields, as equals() handles them graceful */
-			continue;
-		}
-		fuzzed = chunk_clone(encoding);
-		fuzzed.ptr[i]++;
-		a = identification_create_from_encoding(ID_DER_ASN1_DN, fuzzed);
-		if (test_id_equals_one(a, "C=CH, E=martin@strongswan.org, CN=martin"))
-		{
-			return FALSE;
-		}
-		a->destroy(a);
-		free(fuzzed.ptr);
-	}
-
-	/* and decrement each byte of encoding */
-	for (i = 0; i < encoding.len; i++)
-	{
-		if (i == 11 || i == 30 || i == 62)
-		{
-			continue;
-		}
-		fuzzed = chunk_clone(encoding);
-		fuzzed.ptr[i]--;
-		a = identification_create_from_encoding(ID_DER_ASN1_DN, fuzzed);
-		if (test_id_equals_one(a, "C=CH, E=martin@strongswan.org, CN=martin"))
-		{
-			return FALSE;
-		}
-		a->destroy(a);
-		free(fuzzed.ptr);
-	}
-	free(encoding.ptr);
-	return TRUE;
-}
-
-/*******************************************************************************
- * identification matches test
- ******************************************************************************/
-
-static id_match_t test_id_matches_one(identification_t *a, char *b_str)
-{
-	identification_t *b;
-	id_match_t match;
-
-	b = identification_create_from_string(b_str);
-	match = a->matches(a, b);
-	b->destroy(b);
-	return match;
-}
-
-bool test_id_matches()
-{
-	identification_t *a;
-
-	a = identification_create_from_string(
-							   "C=CH, E=martin@strongswan.org, CN=martin");
-
-	if (test_id_matches_one(a, "C=CH, E=martin@strongswan.org, CN=martin")
-															!= ID_MATCH_PERFECT)
-	{
-		return FALSE;
-	}
-	if (test_id_matches_one(a, "C=CH, E=*, CN=martin") != ID_MATCH_ONE_WILDCARD)
-	{
-		return FALSE;
-	}
-	if (test_id_matches_one(a, "C=CH, E=*, CN=*") != ID_MATCH_ONE_WILDCARD - 1)
-	{
-		return FALSE;
-	}
-	if (test_id_matches_one(a, "C=*, E=*, CN=*") != ID_MATCH_ONE_WILDCARD - 2)
-	{
-		return FALSE;
-	}
-	if (test_id_matches_one(a, "C=*, E=*, CN=*, O=BADInc") != ID_MATCH_NONE)
-	{
-		return FALSE;
-	}
-	if (test_id_matches_one(a, "C=*, E=*") != ID_MATCH_NONE)
-	{
-		return FALSE;
-	}
-	if (test_id_matches_one(a, "C=*, E=a@b.c, CN=*") != ID_MATCH_NONE)
-	{
-		return FALSE;
-	}
-	a->destroy(a);
-	return TRUE;
-}
diff --git a/src/charon/plugins/unit_tester/tests/test_med_db.c b/src/charon/plugins/unit_tester/tests/test_med_db.c
deleted file mode 100644
index 7fd78b0bc..000000000
--- a/src/charon/plugins/unit_tester/tests/test_med_db.c
+++ /dev/null
@@ -1,54 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <library.h>
-#include <daemon.h>
-#include <utils/enumerator.h>
-
-#include <unistd.h>
-
-/*******************************************************************************
- * fetch public key from mediation database
- ******************************************************************************/
-
-bool test_med_db()
-{
-	chunk_t found, keyid = chunk_from_chars(
-		0xed,0x90,0xe6,0x4f,0xec,0xa2,0x1f,0x4b,
-		0x68,0x97,0x99,0x24,0x22,0xe0,0xde,0x21,
-		0xb9,0xd6,0x26,0x29
-	);
-	identification_t *id;
-	enumerator_t *enumerator;
-	public_key_t *public;
-	auth_cfg_t *auth;
-	bool good = FALSE;
-
-	id = identification_create_from_encoding(ID_KEY_ID, keyid);
-	enumerator = charon->credentials->create_public_enumerator(
-									charon->credentials, KEY_ANY, id, NULL);
-	while (enumerator->enumerate(enumerator, &public, &auth))
-	{
-		good = public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1, &found);
-		if (good)
-		{
-			good = chunk_equals(id->get_encoding(id), found);
-		}
-	}
-	enumerator->destroy(enumerator);
-	id->destroy(id);
-	return good;
-}
-
diff --git a/src/charon/plugins/unit_tester/tests/test_mutex.c b/src/charon/plugins/unit_tester/tests/test_mutex.c
deleted file mode 100644
index 77085cb2f..000000000
--- a/src/charon/plugins/unit_tester/tests/test_mutex.c
+++ /dev/null
@@ -1,100 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <library.h>
-#include <threading/mutex.h>
-
-#include <unistd.h>
-#include <sched.h>
-#include <pthread.h>
-
-
-static mutex_t *mutex;
-
-static int locked = 0;
-
-static bool failed = FALSE;
-
-static pthread_barrier_t barrier;
-
-static void* run(void* null)
-{
-	int i;
-
-	/* wait for all threads before getting in action */
-	pthread_barrier_wait(&barrier);
-
-	for (i = 0; i < 100; i++)
-	{
-		mutex->lock(mutex);
-		mutex->lock(mutex);
-		mutex->lock(mutex);
-		locked++;
-		sched_yield();
-		if (locked > 1)
-		{
-			failed = TRUE;
-		}
-		locked--;
-		mutex->unlock(mutex);
-		mutex->unlock(mutex);
-		mutex->unlock(mutex);
-	}
-	return NULL;
-}
-
-#define THREADS 20
-
-/*******************************************************************************
- * mutex test
- ******************************************************************************/
-bool test_mutex()
-{
-	int i;
-	pthread_t threads[THREADS];
-
-	mutex = mutex_create(MUTEX_TYPE_RECURSIVE);
-
-	for (i = 0; i < 10; i++)
-	{
-		mutex->lock(mutex);
-		mutex->unlock(mutex);
-	}
-	for (i = 0; i < 10; i++)
-	{
-		mutex->lock(mutex);
-	}
-	for (i = 0; i < 10; i++)
-	{
-		mutex->unlock(mutex);
-	}
-
-	pthread_barrier_init(&barrier, NULL, THREADS);
-
-	for (i = 0; i < THREADS; i++)
-	{
-		pthread_create(&threads[i], NULL, run, NULL);
-	}
-	for (i = 0; i < THREADS; i++)
-	{
-		pthread_join(threads[i], NULL);
-	}
-	pthread_barrier_destroy(&barrier);
-
-	mutex->destroy(mutex);
-
-	return !failed;
-}
-
diff --git a/src/charon/plugins/unit_tester/tests/test_mysql.c b/src/charon/plugins/unit_tester/tests/test_mysql.c
deleted file mode 100644
index 252441ef8..000000000
--- a/src/charon/plugins/unit_tester/tests/test_mysql.c
+++ /dev/null
@@ -1,89 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <library.h>
-#include <daemon.h>
-#include <utils/enumerator.h>
-
-/*******************************************************************************
- * mysql simple test
- ******************************************************************************/
-bool test_mysql()
-{
-	database_t *db;
-	char *txt = "I'm a superduper test";
-	chunk_t data = chunk_from_chars(0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08);
-	int row;
-	chunk_t qdata;
-	char *qtxt;
-	bool good = FALSE;
-	enumerator_t *enumerator;
-
-	db = lib->db->create(lib->db, "mysql://testuser:testpass@localhost/test");
-	if (!db)
-	{
-		return FALSE;
-	}
-	if (db->execute(db, NULL, "CREATE TABLE test ("
-								"id INT NOT NULL AUTO_INCREMENT PRIMARY KEY, "
-								"txt TEXT, data BLOB)") < 0)
-	{
-		return FALSE;
-	}
-	if (db->execute(db, &row, "INSERT INTO test (txt, data) VALUES (?,?)",
-					DB_TEXT, txt, DB_BLOB, data) < 0)
-	{
-		return FALSE;
-	}
-	if (row != 1)
-	{
-		return FALSE;
-	}
-	enumerator = db->query(db, "SELECT txt, data FROM test WHERE id = ?",
-						   DB_INT, row,
-						   DB_TEXT, DB_BLOB);
-	if (!enumerator)
-	{
-		return FALSE;
-	}
-	while (enumerator->enumerate(enumerator, &qtxt, &qdata))
-	{
-		if (good)
-		{	/* only one row */
-			good = FALSE;
-			break;
-		}
-		if (streq(qtxt, txt) && chunk_equals(data, qdata))
-		{
-			good = TRUE;
-		}
-	}
-	enumerator->destroy(enumerator);
-	if (!good)
-	{
-		return FALSE;
-	}
-	if (db->execute(db, NULL, "DELETE FROM test WHERE id = ?", DB_INT, row) != 1)
-	{
-		return FALSE;
-	}
-	if (db->execute(db, NULL, "DROP TABLE test") < 0)
-	{
-		return FALSE;
-	}
-	db->destroy(db);
-	return TRUE;
-}
-
diff --git a/src/charon/plugins/unit_tester/tests/test_pool.c b/src/charon/plugins/unit_tester/tests/test_pool.c
deleted file mode 100644
index 109c06fda..000000000
--- a/src/charon/plugins/unit_tester/tests/test_pool.c
+++ /dev/null
@@ -1,93 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <time.h>
-#include <pthread.h>
-
-#include <library.h>
-
-#define ALLOCS 1000
-#define THREADS 20
-
-static void* testing(void *thread)
-{
-	int i;
-	host_t *addr[ALLOCS];
-	identification_t *id[ALLOCS];
-
-	/* prepare identities */
-	for (i = 0; i < ALLOCS; i++)
-	{
-		char buf[256];
-
-		snprintf(buf, sizeof(buf), "%d-%d@strongswan.org", (uintptr_t)thread, i);
-		id[i] = identification_create_from_string(buf);
-	}
-
-	/* allocate addresses */
-	for (i = 0; i < ALLOCS; i++)
-	{
-		addr[i] = lib->attributes->acquire_address(lib->attributes,
-												   "test", id[i], NULL);
-		if (!addr[i])
-		{
-			return (void*)FALSE;
-		}
-	}
-
-	/* release addresses */
-	for (i = 0; i < ALLOCS; i++)
-	{
-		lib->attributes->release_address(lib->attributes,
-										 "test", addr[i], id[i]);
-	}
-
-	/* cleanup */
-	for (i = 0; i < ALLOCS; i++)
-	{
-		addr[i]->destroy(addr[i]);
-		id[i]->destroy(id[i]);
-	}
-	return (void*)TRUE;
-}
-
-
-/*******************************************************************************
- * SQL pool performance test
- ******************************************************************************/
-bool test_pool()
-{
-	uintptr_t i;
-	void *res;
-	pthread_t thread[THREADS];
-
-	for (i = 0; i < THREADS; i++)
-	{
-		if (pthread_create(&thread[i], NULL, (void*)testing, (void*)i) < 0)
-		{
-			return FALSE;
-		}
-	}
-	for (i = 0; i < THREADS; i++)
-	{
-		pthread_join(thread[i], &res);
-		if (res == NULL)
-		{
-			return FALSE;
-		}
-	}
-	return TRUE;
-}
-
diff --git a/src/charon/plugins/unit_tester/tests/test_rsa_gen.c b/src/charon/plugins/unit_tester/tests/test_rsa_gen.c
deleted file mode 100644
index 59da15644..000000000
--- a/src/charon/plugins/unit_tester/tests/test_rsa_gen.c
+++ /dev/null
@@ -1,120 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <library.h>
-#include <daemon.h>
-
-/*******************************************************************************
- * RSA key generation and signature
- ******************************************************************************/
-bool test_rsa_gen()
-{
-	chunk_t data = chunk_from_chars(0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08);
-	chunk_t sig, crypt, plain;
-	private_key_t *private;
-	public_key_t *public;
-	u_int key_size;
-
-	for (key_size = 512; key_size <= 2048; key_size *= 2)
-	{
-		private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
-									 BUILD_KEY_SIZE, key_size, BUILD_END);
-		if (!private)
-		{
-			DBG1(DBG_CFG, "generating %d bit RSA key failed");
-			return FALSE;
-		}
-		public = private->get_public_key(private);
-		if (!public)
-		{
-			DBG1(DBG_CFG, "generating public from private key failed");
-			return FALSE;
-		}
-		if (!private->sign(private, SIGN_RSA_EMSA_PKCS1_SHA1, data, &sig))
-		{
-			DBG1(DBG_CFG, "creating RSA signature failed");
-			return FALSE;
-		}
-		if (!public->verify(public, SIGN_RSA_EMSA_PKCS1_SHA1, data, sig))
-		{
-			DBG1(DBG_CFG, "verifying RSA signature failed");
-			return FALSE;
-		}
-		sig.ptr[sig.len-1]++;
-		if (public->verify(public, SIGN_RSA_EMSA_PKCS1_SHA1, data, sig))
-		{
-			DBG1(DBG_CFG, "verifying faked RSA signature succeeded!");
-			return FALSE;
-		}
-		free(sig.ptr);
-		if (!public->encrypt(public, data, &crypt))
-		{
-			DBG1(DBG_CFG, "encrypting data with RSA failed");
-			return FALSE;
-		}
-		if (!private->decrypt(private, crypt, &plain))
-		{
-			DBG1(DBG_CFG, "decrypting data with RSA failed");
-			return FALSE;
-		}
-		if (!chunk_equals(data, plain))
-		{
-			DBG1(DBG_CFG, "decrpyted data invalid, expected %B, got %B", &
-				 data, &plain);
-			return FALSE;
-		}
-		chunk_clear(&crypt);
-		chunk_clear(&plain);
-		public->destroy(public);
-		private->destroy(private);
-	}
-	return TRUE;
-}
-
-bool test_rsa_load_any()
-{
-	chunk_t chunk = chunk_from_chars(
-		0x30,0x82,0x01,0x20,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,
-		0x01,0x05,0x00,0x03,0x82,0x01,0x0d,0x00,0x30,0x82,0x01,0x08,0x02,0x82,0x01,0x01,
-		0x00,0xc6,0x68,0x99,0x1d,0xc8,0x06,0xdb,0xcf,0x1c,0x66,0xbb,0x91,0xc3,0xd4,0x10,
-		0xb2,0x08,0xa9,0xc5,0x71,0x39,0x1c,0xbe,0x5b,0x1d,0xce,0xfd,0x1b,0xfa,0xec,0x04,
-		0x89,0x9f,0x79,0xc8,0x46,0x00,0xd2,0x71,0xfb,0x22,0x16,0x52,0x2f,0xda,0xbf,0x0f,
-		0xe7,0x16,0xb1,0xd7,0x6a,0xa5,0xa5,0xfc,0xee,0xff,0x84,0x4c,0x81,0x3f,0xab,0x84,
-		0x0e,0xed,0x4a,0x26,0x59,0xd0,0x9b,0xb5,0xe1,0xec,0x61,0xc4,0xd3,0x15,0x4c,0x29,
-		0x51,0xa0,0xde,0x33,0x07,0x58,0x6c,0x36,0x1b,0x18,0x61,0xd9,0x56,0x18,0x39,0x54,
-		0x8b,0xd2,0xea,0x4e,0x87,0x28,0x58,0xb9,0x88,0x3d,0x30,0xbc,0xfc,0x6d,0xad,0xab,
-		0x43,0x26,0x09,0x48,0x4e,0x6e,0x8a,0x8b,0x88,0xb3,0xf0,0x29,0x25,0x79,0xb6,0xb6,
-		0x71,0x3c,0x93,0x59,0xd2,0x36,0x94,0xd5,0xfc,0xf3,0x62,0x2b,0x69,0xa3,0x7a,0x47,
-		0x4e,0x53,0xa2,0x35,0x1b,0x26,0x89,0xaa,0x09,0xfd,0x56,0xd7,0x75,0x2a,0xd4,0x91,
-		0xc0,0xf2,0x78,0xd7,0x05,0xca,0x12,0x1d,0xd9,0xd4,0x81,0x23,0xb2,0x3c,0x38,0xd9,
-		0xb4,0xdc,0x21,0xe0,0xe5,0x2d,0xd4,0xbe,0x61,0x39,0x8a,0x46,0x90,0x46,0x73,0x31,
-		0xba,0x48,0xbb,0x51,0xbb,0x91,0xd5,0x62,0xad,0xd1,0x53,0x5b,0x85,0xc9,0x1d,0xa7,
-		0xf6,0xa0,0xe1,0x0e,0x6c,0x22,0x5d,0x29,0x9a,0xe7,0x0f,0xe8,0x0a,0x50,0xa7,0x19,
-		0x11,0xc2,0x8b,0xe0,0x8a,0xfd,0x2b,0x94,0x31,0x7a,0x78,0x9c,0x9b,0x75,0x63,0x49,
-		0xa9,0xe5,0x58,0xe6,0x3a,0x99,0xcb,0x2b,0xdd,0x0e,0xdc,0x7d,0x1b,0x98,0x80,0xc3,
-		0x9f,0x02,0x01,0x23);
-	public_key_t *public;
-
-	public = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ANY,
-								BUILD_BLOB_ASN1_DER, chunk,
-								BUILD_END);
-	if (!public || public->get_keysize(public) != 256)
-	{
-		return FALSE;
-	}
-	public->destroy(public);
-	return TRUE;
-}
-
diff --git a/src/charon/plugins/unit_tester/tests/test_sqlite.c b/src/charon/plugins/unit_tester/tests/test_sqlite.c
deleted file mode 100644
index dd8d1955e..000000000
--- a/src/charon/plugins/unit_tester/tests/test_sqlite.c
+++ /dev/null
@@ -1,93 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <library.h>
-#include <daemon.h>
-#include <utils/enumerator.h>
-
-#include <unistd.h>
-
-
-#define DBFILE "/tmp/strongswan-test.db"
-
-/*******************************************************************************
- * sqlite simple test
- ******************************************************************************/
-bool test_sqlite()
-{
-	database_t *db;
-	char *txt = "I'm a superduper test";
-	chunk_t data = chunk_from_chars(0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08);
-	int row;
-	chunk_t qdata;
-	char *qtxt;
-	bool good = FALSE;
-	enumerator_t *enumerator;
-
-	db = lib->db->create(lib->db, "sqlite://" DBFILE);
-	if (!db)
-	{
-		return FALSE;
-	}
-	if (db->execute(db, NULL, "CREATE TABLE test (txt TEXT, data BLOB)") < 0)
-	{
-		return FALSE;
-	}
-	if (db->execute(db, &row, "INSERT INTO test (txt, data) VALUES (?,?)",
-					DB_TEXT, txt, DB_BLOB, data) < 0)
-	{
-		return FALSE;
-	}
-	if (row != 1)
-	{
-		return FALSE;
-	}
-	enumerator = db->query(db, "SELECT txt, data FROM test WHERE oid = ?",
-						   DB_INT, row,
-						   DB_TEXT, DB_BLOB);
-	if (!enumerator)
-	{
-		return FALSE;
-	}
-	while (enumerator->enumerate(enumerator, &qtxt, &qdata))
-	{
-		if (good)
-		{	/* only one row */
-			good = FALSE;
-			break;
-		}
-		if (streq(qtxt, txt) && chunk_equals(data, qdata))
-		{
-			good = TRUE;
-		}
-	}
-	enumerator->destroy(enumerator);
-	if (!good)
-	{
-		return FALSE;
-	}
-	if (db->execute(db, NULL, "DELETE FROM test WHERE oid = ?", DB_INT, row) != 1)
-	{
-		return FALSE;
-	}
-	if (db->execute(db, NULL, "DROP TABLE test") < 0)
-	{
-		return FALSE;
-	}
-	db->destroy(db);
-	unlink(DBFILE);
-	return TRUE;
-}
-
diff --git a/src/charon/plugins/unit_tester/unit_tester.c b/src/charon/plugins/unit_tester/unit_tester.c
deleted file mode 100644
index 3c39688c6..000000000
--- a/src/charon/plugins/unit_tester/unit_tester.c
+++ /dev/null
@@ -1,116 +0,0 @@
-/*
- * Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "unit_tester.h"
-
-#include <daemon.h>
-
-typedef struct private_unit_tester_t private_unit_tester_t;
-typedef struct unit_test_t unit_test_t;
-typedef enum test_status_t test_status_t;
-
-/**
- * private data of unit_tester
- */
-struct private_unit_tester_t {
-
-	/**
-	 * public functions
-	 */
-	unit_tester_t public;
-};
-
-struct unit_test_t {
-
-	/**
-	 * name of the test
-	 */
-	char *name;
-
-	/**
-	 * test function
-	 */
-	bool (*test)(void);
-
-	/**
-	 * run the test?
-	 */
-	bool enabled;
-};
-
-#undef DEFINE_TEST
-#define DEFINE_TEST(name, function, enabled) bool function();
-#include <plugins/unit_tester/tests.h>
-#undef DEFINE_TEST
-#define DEFINE_TEST(name, function, enabled) {name, function, enabled},
-static unit_test_t tests[] = {
-#include <plugins/unit_tester/tests.h>
-};
-
-static void run_tests(private_unit_tester_t *this)
-{
-	int i, run = 0, failed = 0, success = 0, skipped = 0;
-
-	DBG1(DBG_CFG, "running unit tests, %d tests registered",
-		 sizeof(tests)/sizeof(unit_test_t));
-
-	for (i = 0; i < sizeof(tests)/sizeof(unit_test_t); i++)
-	{
-		if (tests[i].enabled)
-		{
-			run++;
-			if (tests[i].test())
-			{
-				DBG1(DBG_CFG, "test '%s' successful", tests[i].name);
-				success++;
-			}
-			else
-			{
-				DBG1(DBG_CFG, "test '%s' failed", tests[i].name);
-				failed++;
-			}
-		}
-		else
-		{
-			DBG1(DBG_CFG, "test '%s' disabled", tests[i].name);
-			skipped++;
-		}
-	}
-	DBG1(DBG_CFG, "%d/%d tests successful (%d failed, %d disabled)",
-		 success, run, failed, skipped);
-}
-
-/**
- * Implementation of 2007_t.destroy
- */
-static void destroy(private_unit_tester_t *this)
-{
-	free(this);
-}
-
-/*
- * see header file
- */
-plugin_t *plugin_create()
-{
-	private_unit_tester_t *this = malloc_thing(private_unit_tester_t);
-
-	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-
-	run_tests(this);
-
-	return &this->public.plugin;
-}
-
diff --git a/src/charon/plugins/unit_tester/unit_tester.h b/src/charon/plugins/unit_tester/unit_tester.h
deleted file mode 100644
index 79d5bc021..000000000
--- a/src/charon/plugins/unit_tester/unit_tester.h
+++ /dev/null
@@ -1,49 +0,0 @@
-/*
- * Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup unit_tester unit_tester
- * @{ @ingroup cplugins
- */
-
-#ifndef UNIT_TESTER_H_
-#define UNIT_TESTER_H_
-
-#include <plugins/plugin.h>
-
-typedef struct unit_tester_t unit_tester_t;
-
-/**
- * Unit testing plugin.
- *
- * The unit testing plugin runs tests on plugin initialization. Tests are
- * defined in tests.h using the DEFINE_TEST macro. Implementation of the
- * tests is done in the tests folder. Each test has uses a function which
- * returns TRUE for success or FALSE for failure.
- */
-struct unit_tester_t {
-
-	/**
-	 * Implements the plugin interface.
-	 */
-	plugin_t plugin;
-};
-
-/**
- * Create a unit_tester plugin.
- */
-plugin_t *plugin_create();
-
-#endif /** UNIT_TESTER_H_ @}*/
diff --git a/src/charon/plugins/updown/Makefile.am b/src/charon/plugins/updown/Makefile.am
deleted file mode 100644
index 6cad02a96..000000000
--- a/src/charon/plugins/updown/Makefile.am
+++ /dev/null
@@ -1,12 +0,0 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
-
-AM_CFLAGS = -rdynamic
-
-plugin_LTLIBRARIES = libstrongswan-updown.la
-libstrongswan_updown_la_SOURCES = \
-  updown_plugin.h updown_plugin.c \
-  updown_listener.h updown_listener.c
-libstrongswan_updown_la_LDFLAGS = -module -avoid-version
-
-
diff --git a/src/charon/plugins/updown/Makefile.in b/src/charon/plugins/updown/Makefile.in
deleted file mode 100644
index 78ba19d65..000000000
--- a/src/charon/plugins/updown/Makefile.in
+++ /dev/null
@@ -1,572 +0,0 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
-# @configure_input@
-
-# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
-# This Makefile.in is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
-# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
-# PARTICULAR PURPOSE.
-
-@SET_MAKE@
-
-VPATH = @srcdir@
-pkgdatadir = $(datadir)/@PACKAGE@
-pkgincludedir = $(includedir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
-pkglibexecdir = $(libexecdir)/@PACKAGE@
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-install_sh_DATA = $(install_sh) -c -m 644
-install_sh_PROGRAM = $(install_sh) -c
-install_sh_SCRIPT = $(install_sh) -c
-INSTALL_HEADER = $(INSTALL_DATA)
-transform = $(program_transform_name)
-NORMAL_INSTALL = :
-PRE_INSTALL = :
-POST_INSTALL = :
-NORMAL_UNINSTALL = :
-PRE_UNINSTALL = :
-POST_UNINSTALL = :
-build_triplet = @build@
-host_triplet = @host@
-subdir = src/charon/plugins/updown
-DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
-ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
-	$(top_srcdir)/m4/config/ltoptions.m4 \
-	$(top_srcdir)/m4/config/ltsugar.m4 \
-	$(top_srcdir)/m4/config/ltversion.m4 \
-	$(top_srcdir)/m4/config/lt~obsolete.m4 \
-	$(top_srcdir)/m4/macros/with.m4 \
-	$(top_srcdir)/m4/macros/enable-disable.m4 \
-	$(top_srcdir)/configure.in
-am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
-	$(ACLOCAL_M4)
-mkinstalldirs = $(install_sh) -d
-CONFIG_CLEAN_FILES =
-CONFIG_CLEAN_VPATH_FILES =
-am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
-am__vpath_adj = case $$p in \
-    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
-    *) f=$$p;; \
-  esac;
-am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
-am__install_max = 40
-am__nobase_strip_setup = \
-  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
-am__nobase_strip = \
-  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
-am__nobase_list = $(am__nobase_strip_setup); \
-  for p in $$list; do echo "$$p $$p"; done | \
-  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
-  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
-    if (++n[$$2] == $(am__install_max)) \
-      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
-    END { for (dir in files) print dir, files[dir] }'
-am__base_list = \
-  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
-  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
-am__installdirs = "$(DESTDIR)$(plugindir)"
-LTLIBRARIES = $(plugin_LTLIBRARIES)
-libstrongswan_updown_la_LIBADD =
-am_libstrongswan_updown_la_OBJECTS = updown_plugin.lo \
-	updown_listener.lo
-libstrongswan_updown_la_OBJECTS =  \
-	$(am_libstrongswan_updown_la_OBJECTS)
-libstrongswan_updown_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_updown_la_LDFLAGS) $(LDFLAGS) -o $@
-DEFAULT_INCLUDES = -I.@am__isrc@
-depcomp = $(SHELL) $(top_srcdir)/depcomp
-am__depfiles_maybe = depfiles
-am__mv = mv -f
-COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
-	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
-SOURCES = $(libstrongswan_updown_la_SOURCES)
-DIST_SOURCES = $(libstrongswan_updown_la_SOURCES)
-ETAGS = etags
-CTAGS = ctags
-DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
-ACLOCAL = @ACLOCAL@
-ALLOCA = @ALLOCA@
-AMTAR = @AMTAR@
-AR = @AR@
-AUTOCONF = @AUTOCONF@
-AUTOHEADER = @AUTOHEADER@
-AUTOMAKE = @AUTOMAKE@
-AWK = @AWK@
-BTLIB = @BTLIB@
-CC = @CC@
-CCDEPMODE = @CCDEPMODE@
-CFLAGS = @CFLAGS@
-CPP = @CPP@
-CPPFLAGS = @CPPFLAGS@
-CYGPATH_W = @CYGPATH_W@
-DEFS = @DEFS@
-DEPDIR = @DEPDIR@
-DLLIB = @DLLIB@
-DSYMUTIL = @DSYMUTIL@
-DUMPBIN = @DUMPBIN@
-ECHO_C = @ECHO_C@
-ECHO_N = @ECHO_N@
-ECHO_T = @ECHO_T@
-EGREP = @EGREP@
-EXEEXT = @EXEEXT@
-FGREP = @FGREP@
-GPERF = @GPERF@
-GREP = @GREP@
-INSTALL = @INSTALL@
-INSTALL_DATA = @INSTALL_DATA@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@
-INSTALL_SCRIPT = @INSTALL_SCRIPT@
-INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-LD = @LD@
-LDFLAGS = @LDFLAGS@
-LEX = @LEX@
-LEXLIB = @LEXLIB@
-LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBOBJS = @LIBOBJS@
-LIBS = @LIBS@
-LIBTOOL = @LIBTOOL@
-LIPO = @LIPO@
-LN_S = @LN_S@
-LTLIBOBJS = @LTLIBOBJS@
-MAKEINFO = @MAKEINFO@
-MKDIR_P = @MKDIR_P@
-MYSQLCFLAG = @MYSQLCFLAG@
-MYSQLCONFIG = @MYSQLCONFIG@
-MYSQLLIB = @MYSQLLIB@
-NM = @NM@
-NMEDIT = @NMEDIT@
-OBJDUMP = @OBJDUMP@
-OBJEXT = @OBJEXT@
-OTOOL = @OTOOL@
-OTOOL64 = @OTOOL64@
-PACKAGE = @PACKAGE@
-PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
-PACKAGE_NAME = @PACKAGE_NAME@
-PACKAGE_STRING = @PACKAGE_STRING@
-PACKAGE_TARNAME = @PACKAGE_TARNAME@
-PACKAGE_URL = @PACKAGE_URL@
-PACKAGE_VERSION = @PACKAGE_VERSION@
-PATH_SEPARATOR = @PATH_SEPARATOR@
-PERL = @PERL@
-PKG_CONFIG = @PKG_CONFIG@
-PTHREADLIB = @PTHREADLIB@
-RANLIB = @RANLIB@
-RTLIB = @RTLIB@
-RUBY = @RUBY@
-RUBYINCLUDE = @RUBYINCLUDE@
-SED = @SED@
-SET_MAKE = @SET_MAKE@
-SHELL = @SHELL@
-SOCKLIB = @SOCKLIB@
-STRIP = @STRIP@
-VERSION = @VERSION@
-YACC = @YACC@
-YFLAGS = @YFLAGS@
-abs_builddir = @abs_builddir@
-abs_srcdir = @abs_srcdir@
-abs_top_builddir = @abs_top_builddir@
-abs_top_srcdir = @abs_top_srcdir@
-ac_ct_CC = @ac_ct_CC@
-ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
-am__include = @am__include@
-am__leading_dot = @am__leading_dot@
-am__quote = @am__quote@
-am__tar = @am__tar@
-am__untar = @am__untar@
-bindir = @bindir@
-build = @build@
-build_alias = @build_alias@
-build_cpu = @build_cpu@
-build_os = @build_os@
-build_vendor = @build_vendor@
-builddir = @builddir@
-datadir = @datadir@
-datarootdir = @datarootdir@
-default_pkcs11 = @default_pkcs11@
-docdir = @docdir@
-dvidir = @dvidir@
-exec_prefix = @exec_prefix@
-gtk_CFLAGS = @gtk_CFLAGS@
-gtk_LIBS = @gtk_LIBS@
-host = @host@
-host_alias = @host_alias@
-host_cpu = @host_cpu@
-host_os = @host_os@
-host_vendor = @host_vendor@
-htmldir = @htmldir@
-includedir = @includedir@
-infodir = @infodir@
-install_sh = @install_sh@
-ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
-ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
-ipsecuser = @ipsecuser@
-libdir = @libdir@
-libexecdir = @libexecdir@
-libstrongswan_plugins = @libstrongswan_plugins@
-linux_headers = @linux_headers@
-localedir = @localedir@
-localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
-mandir = @mandir@
-mkdir_p = @mkdir_p@
-nm_CFLAGS = @nm_CFLAGS@
-nm_LIBS = @nm_LIBS@
-nm_ca_dir = @nm_ca_dir@
-oldincludedir = @oldincludedir@
-pdfdir = @pdfdir@
-piddir = @piddir@
-plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
-prefix = @prefix@
-program_transform_name = @program_transform_name@
-psdir = @psdir@
-random_device = @random_device@
-resolv_conf = @resolv_conf@
-routing_table = @routing_table@
-routing_table_prio = @routing_table_prio@
-sbindir = @sbindir@
-sharedstatedir = @sharedstatedir@
-srcdir = @srcdir@
-strongswan_conf = @strongswan_conf@
-sysconfdir = @sysconfdir@
-target_alias = @target_alias@
-top_build_prefix = @top_build_prefix@
-top_builddir = @top_builddir@
-top_srcdir = @top_srcdir@
-urandom_device = @urandom_device@
-xml_CFLAGS = @xml_CFLAGS@
-xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
-AM_CFLAGS = -rdynamic
-plugin_LTLIBRARIES = libstrongswan-updown.la
-libstrongswan_updown_la_SOURCES = \
-  updown_plugin.h updown_plugin.c \
-  updown_listener.h updown_listener.c
-
-libstrongswan_updown_la_LDFLAGS = -module -avoid-version
-all: all-am
-
-.SUFFIXES:
-.SUFFIXES: .c .lo .o .obj
-$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
-	@for dep in $?; do \
-	  case '$(am__configure_deps)' in \
-	    *$$dep*) \
-	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
-	        && { if test -f $@; then exit 0; else break; fi; }; \
-	      exit 1;; \
-	  esac; \
-	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/charon/plugins/updown/Makefile'; \
-	$(am__cd) $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu src/charon/plugins/updown/Makefile
-.PRECIOUS: Makefile
-Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
-	@case '$?' in \
-	  *config.status*) \
-	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
-	  *) \
-	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
-	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
-	esac;
-
-$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-
-$(top_srcdir)/configure:  $(am__configure_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(am__aclocal_m4_deps):
-install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
-	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
-	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
-	list2=; for p in $$list; do \
-	  if test -f $$p; then \
-	    list2="$$list2 $$p"; \
-	  else :; fi; \
-	done; \
-	test -z "$$list2" || { \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
-	}
-
-uninstall-pluginLTLIBRARIES:
-	@$(NORMAL_UNINSTALL)
-	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
-	for p in $$list; do \
-	  $(am__strip_dir) \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
-	done
-
-clean-pluginLTLIBRARIES:
-	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
-	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
-	  test "$$dir" != "$$p" || dir=.; \
-	  echo "rm -f \"$${dir}/so_locations\""; \
-	  rm -f "$${dir}/so_locations"; \
-	done
-libstrongswan-updown.la: $(libstrongswan_updown_la_OBJECTS) $(libstrongswan_updown_la_DEPENDENCIES) 
-	$(libstrongswan_updown_la_LINK) -rpath $(plugindir) $(libstrongswan_updown_la_OBJECTS) $(libstrongswan_updown_la_LIBADD) $(LIBS)
-
-mostlyclean-compile:
-	-rm -f *.$(OBJEXT)
-
-distclean-compile:
-	-rm -f *.tab.c
-
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/updown_listener.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/updown_plugin.Plo@am__quote@
-
-.c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
-
-.c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
-
-.c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
-
-mostlyclean-libtool:
-	-rm -f *.lo
-
-clean-libtool:
-	-rm -rf .libs _libs
-
-ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
-	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	mkid -fID $$unique
-tags: TAGS
-
-TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	set x; \
-	here=`pwd`; \
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	shift; \
-	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
-	  test -n "$$unique" || unique=$$empty_fix; \
-	  if test $$# -gt 0; then \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      "$$@" $$unique; \
-	  else \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      $$unique; \
-	  fi; \
-	fi
-ctags: CTAGS
-CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$unique" \
-	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$unique
-
-GTAGS:
-	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && $(am__cd) $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) "$$here"
-
-distclean-tags:
-	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
-
-distdir: $(DISTFILES)
-	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	list='$(DISTFILES)'; \
-	  dist_files=`for file in $$list; do echo $$file; done | \
-	  sed -e "s|^$$srcdirstrip/||;t" \
-	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
-	case $$dist_files in \
-	  */*) $(MKDIR_P) `echo "$$dist_files" | \
-			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
-			   sort -u` ;; \
-	esac; \
-	for file in $$dist_files; do \
-	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  if test -d $$d/$$file; then \
-	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
-	    if test -d "$(distdir)/$$file"; then \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
-	  else \
-	    test -f "$(distdir)/$$file" \
-	    || cp -p $$d/$$file "$(distdir)/$$file" \
-	    || exit 1; \
-	  fi; \
-	done
-check-am: all-am
-check: check-am
-all-am: Makefile $(LTLIBRARIES)
-installdirs:
-	for dir in "$(DESTDIR)$(plugindir)"; do \
-	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
-	done
-install: install-am
-install-exec: install-exec-am
-install-data: install-data-am
-uninstall: uninstall-am
-
-install-am: all-am
-	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
-
-installcheck: installcheck-am
-install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
-mostlyclean-generic:
-
-clean-generic:
-
-distclean-generic:
-	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
-
-maintainer-clean-generic:
-	@echo "This command is intended for maintainers to use"
-	@echo "it deletes files that may require special tools to rebuild."
-clean: clean-am
-
-clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
-	mostlyclean-am
-
-distclean: distclean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-distclean-am: clean-am distclean-compile distclean-generic \
-	distclean-tags
-
-dvi: dvi-am
-
-dvi-am:
-
-html: html-am
-
-html-am:
-
-info: info-am
-
-info-am:
-
-install-data-am: install-pluginLTLIBRARIES
-
-install-dvi: install-dvi-am
-
-install-dvi-am:
-
-install-exec-am:
-
-install-html: install-html-am
-
-install-html-am:
-
-install-info: install-info-am
-
-install-info-am:
-
-install-man:
-
-install-pdf: install-pdf-am
-
-install-pdf-am:
-
-install-ps: install-ps-am
-
-install-ps-am:
-
-installcheck-am:
-
-maintainer-clean: maintainer-clean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-maintainer-clean-am: distclean-am maintainer-clean-generic
-
-mostlyclean: mostlyclean-am
-
-mostlyclean-am: mostlyclean-compile mostlyclean-generic \
-	mostlyclean-libtool
-
-pdf: pdf-am
-
-pdf-am:
-
-ps: ps-am
-
-ps-am:
-
-uninstall-am: uninstall-pluginLTLIBRARIES
-
-.MAKE: install-am install-strip
-
-.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
-	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
-	distclean-compile distclean-generic distclean-libtool \
-	distclean-tags distdir dvi dvi-am html html-am info info-am \
-	install install-am install-data install-data-am install-dvi \
-	install-dvi-am install-exec install-exec-am install-html \
-	install-html-am install-info install-info-am install-man \
-	install-pdf install-pdf-am install-pluginLTLIBRARIES \
-	install-ps install-ps-am install-strip installcheck \
-	installcheck-am installdirs maintainer-clean \
-	maintainer-clean-generic mostlyclean mostlyclean-compile \
-	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
-
-
-# Tell versions [3.59,3.63) of GNU make to not export all variables.
-# Otherwise a system limit (for SysV at least) may be exceeded.
-.NOEXPORT:
diff --git a/src/charon/plugins/updown/updown_listener.c b/src/charon/plugins/updown/updown_listener.c
deleted file mode 100644
index 5a6746f92..000000000
--- a/src/charon/plugins/updown/updown_listener.c
+++ /dev/null
@@ -1,294 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#define _GNU_SOURCE
-#include <stdio.h>
-
-#include "updown_listener.h"
-
-#include <daemon.h>
-#include <config/child_cfg.h>
-
-typedef struct private_updown_listener_t private_updown_listener_t;
-
-/**
- * Private data of an updown_listener_t object.
- */
-struct private_updown_listener_t {
-
-	/**
-	 * Public updown_listener_t interface.
-	 */
-	updown_listener_t public;
-
-	/**
-	 * List of cached interface names
-	 */
-	linked_list_t *iface_cache;
-};
-
-typedef struct cache_entry_t cache_entry_t;
-
-/**
- * Cache line in the interface name cache.
- */
-struct cache_entry_t {
-	/** requid of the CHILD_SA */
-	u_int32_t reqid;
-	/** cached interface name */
-	char *iface;
-};
-
-/**
- * Insert an interface name to the cache
- */
-static void cache_iface(private_updown_listener_t *this, u_int32_t reqid,
-						char *iface)
-{
-	cache_entry_t *entry = malloc_thing(cache_entry_t);
-
-	entry->reqid = reqid;
-	entry->iface = strdup(iface);
-
-	this->iface_cache->insert_first(this->iface_cache, entry);
-}
-
-/**
- * Remove a cached interface name and return it.
- */
-static char* uncache_iface(private_updown_listener_t *this, u_int32_t reqid)
-{
-	enumerator_t *enumerator;
-	cache_entry_t *entry;
-	char *iface = NULL;
-
-	enumerator = this->iface_cache->create_enumerator(this->iface_cache);
-	while (enumerator->enumerate(enumerator, &entry))
-	{
-		if (entry->reqid == reqid)
-		{
-			this->iface_cache->remove_at(this->iface_cache, enumerator);
-			iface = entry->iface;
-			free(entry);
-			break;
-		}
-	}
-	enumerator->destroy(enumerator);
-	return iface;
-}
-
-METHOD(listener_t, child_updown, bool,
-	private_updown_listener_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa,
-	bool up)
-{
-	traffic_selector_t *my_ts, *other_ts;
-	enumerator_t *enumerator;
-	child_cfg_t *config;
-	host_t *vip, *me, *other;
-	char *script;
-
-	config = child_sa->get_config(child_sa);
-	vip = ike_sa->get_virtual_ip(ike_sa, TRUE);
-	script = config->get_updown(config);
-	me = ike_sa->get_my_host(ike_sa);
-	other = ike_sa->get_other_host(ike_sa);
-
-	if (script == NULL)
-	{
-		return TRUE;
-	}
-
-	enumerator = child_sa->create_policy_enumerator(child_sa);
-	while (enumerator->enumerate(enumerator, &my_ts, &other_ts))
-	{
-		char command[1024];
-		char *my_client, *other_client, *my_client_mask, *other_client_mask;
-		char *pos, *virtual_ip, *iface;
-		bool is_host, is_ipv6;
-		FILE *shell;
-
-		/* get subnet/bits from string */
-		if (asprintf(&my_client, "%R", my_ts) < 0)
-		{
-			my_client = NULL;
-		}
-		pos = strchr(my_client, '/');
-		*pos = '\0';
-		my_client_mask = pos + 1;
-		pos = strchr(my_client_mask, '[');
-		if (pos)
-		{
-			*pos = '\0';
-		}
-		if (asprintf(&other_client, "%R", other_ts) < 0)
-		{
-			other_client = NULL;
-		}
-		pos = strchr(other_client, '/');
-		*pos = '\0';
-		other_client_mask = pos + 1;
-		pos = strchr(other_client_mask, '[');
-		if (pos)
-		{
-			*pos = '\0';
-		}
-
-		if (vip)
-		{
-			if (asprintf(&virtual_ip, "PLUTO_MY_SOURCEIP='%H' ", vip) < 0)
-			{
-				virtual_ip = NULL;
-			}
-		}
-		else
-		{
-			if (asprintf(&virtual_ip, "") < 0)
-			{
-				virtual_ip = NULL;
-			}
-		}
-
-		if (up)
-		{
-			iface = charon->kernel_interface->get_interface(
-												charon->kernel_interface, me);
-			if (iface)
-			{
-				cache_iface(this, child_sa->get_reqid(child_sa), iface);
-			}
-		}
-		else
-		{
-			iface = uncache_iface(this, child_sa->get_reqid(child_sa));
-		}
-
-		/* determine IPv4/IPv6 and client/host situation */
-		is_host = my_ts->is_host(my_ts, me);
-		is_ipv6 = is_host ? (me->get_family(me) == AF_INET6) :
-							(my_ts->get_type(my_ts) == TS_IPV6_ADDR_RANGE);
-
-		/* build the command with all env variables.
-		 * TODO: PLUTO_PEER_CA and PLUTO_NEXT_HOP are currently missing
-		 */
-		snprintf(command, sizeof(command),
-				 "2>&1 "
-				"PLUTO_VERSION='1.1' "
-				"PLUTO_VERB='%s%s%s' "
-				"PLUTO_CONNECTION='%s' "
-				"PLUTO_INTERFACE='%s' "
-				"PLUTO_REQID='%u' "
-				"PLUTO_ME='%H' "
-				"PLUTO_MY_ID='%Y' "
-				"PLUTO_MY_CLIENT='%s/%s' "
-				"PLUTO_MY_CLIENT_NET='%s' "
-				"PLUTO_MY_CLIENT_MASK='%s' "
-				"PLUTO_MY_PORT='%u' "
-				"PLUTO_MY_PROTOCOL='%u' "
-				"PLUTO_PEER='%H' "
-				"PLUTO_PEER_ID='%Y' "
-				"PLUTO_PEER_CLIENT='%s/%s' "
-				"PLUTO_PEER_CLIENT_NET='%s' "
-				"PLUTO_PEER_CLIENT_MASK='%s' "
-				"PLUTO_PEER_PORT='%u' "
-				"PLUTO_PEER_PROTOCOL='%u' "
-				"%s"
-				"%s"
-				"%s",
-				 up ? "up" : "down",
-				 is_host ? "-host" : "-client",
-				 is_ipv6 ? "-v6" : "",
-				 config->get_name(config),
-				 iface ? iface : "unknown",
-				 child_sa->get_reqid(child_sa),
-				 me, ike_sa->get_my_id(ike_sa),
-				 my_client, my_client_mask,
-				 my_client, my_client_mask,
-				 my_ts->get_from_port(my_ts),
-				 my_ts->get_protocol(my_ts),
-				 other, ike_sa->get_other_id(ike_sa),
-				 other_client, other_client_mask,
-				 other_client, other_client_mask,
-				 other_ts->get_from_port(other_ts),
-				 other_ts->get_protocol(other_ts),
-				 virtual_ip,
-				 config->get_hostaccess(config) ? "PLUTO_HOST_ACCESS='1' " : "",
-				 script);
-		free(my_client);
-		free(other_client);
-		free(virtual_ip);
-		free(iface);
-
-		DBG3(DBG_CHD, "running updown script: %s", command);
-		shell = popen(command, "r");
-
-		if (shell == NULL)
-		{
-			DBG1(DBG_CHD, "could not execute updown script '%s'", script);
-			return TRUE;
-		}
-
-		while (TRUE)
-		{
-			char resp[128];
-
-			if (fgets(resp, sizeof(resp), shell) == NULL)
-			{
-				if (ferror(shell))
-				{
-					DBG1(DBG_CHD, "error reading output from updown script");
-				}
-				break;
-			}
-			else
-			{
-				char *e = resp + strlen(resp);
-				if (e > resp && e[-1] == '\n')
-				{	/* trim trailing '\n' */
-					e[-1] = '\0';
-				}
-				DBG1(DBG_CHD, "updown: %s", resp);
-			}
-		}
-		pclose(shell);
-	}
-	enumerator->destroy(enumerator);
-	return TRUE;
-}
-
-METHOD(updown_listener_t, destroy, void,
-	private_updown_listener_t *this)
-{
-	this->iface_cache->destroy(this->iface_cache);
-	free(this);
-}
-
-/**
- * See header
- */
-updown_listener_t *updown_listener_create()
-{
-	private_updown_listener_t *this;
-
-	INIT(this,
-		.public = {
-			.listener.child_updown = _child_updown,
-			.destroy = _destroy,
-		},
-		.iface_cache = linked_list_create(),
-	);
-
-	return &this->public;
-}
-
diff --git a/src/charon/plugins/updown/updown_listener.h b/src/charon/plugins/updown/updown_listener.h
deleted file mode 100644
index 5b866c4e5..000000000
--- a/src/charon/plugins/updown/updown_listener.h
+++ /dev/null
@@ -1,49 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup updown_listener updown_listener
- * @{ @ingroup updown
- */
-
-#ifndef UPDOWN_LISTENER_H_
-#define UPDOWN_LISTENER_H_
-
-#include <bus/bus.h>
-
-typedef struct updown_listener_t updown_listener_t;
-
-/**
- * Listener which invokes the scripts on CHILD_SA up/down.
- */
-struct updown_listener_t {
-
-	/**
-	 * Implements listener_t.
-	 */
-	listener_t listener;
-
-	/**
-	 * Destroy a updown_listener_t.
-	 */
-	void (*destroy)(updown_listener_t *this);
-};
-
-/**
- * Create a updown_listener instance.
- */
-updown_listener_t *updown_listener_create();
-
-#endif /** UPDOWN_LISTENER_H_ @}*/
diff --git a/src/charon/plugins/updown/updown_plugin.c b/src/charon/plugins/updown/updown_plugin.c
deleted file mode 100644
index 6cb0efdcd..000000000
--- a/src/charon/plugins/updown/updown_plugin.c
+++ /dev/null
@@ -1,63 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "updown_plugin.h"
-#include "updown_listener.h"
-
-#include <daemon.h>
-
-typedef struct private_updown_plugin_t private_updown_plugin_t;
-
-/**
- * private data of updown plugin
- */
-struct private_updown_plugin_t {
-
-	/**
-	 * implements plugin interface
-	 */
-	updown_plugin_t public;
-
-	/**
-	 * Listener interface, listens to CHILD_SA state changes
-	 */
-	updown_listener_t *listener;
-};
-
-/**
- * Implementation of plugin_t.destroy
- */
-static void destroy(private_updown_plugin_t *this)
-{
-	charon->bus->remove_listener(charon->bus, &this->listener->listener);
-	this->listener->destroy(this->listener);
-	free(this);
-}
-
-/*
- * see header file
- */
-plugin_t *plugin_create()
-{
-	private_updown_plugin_t *this = malloc_thing(private_updown_plugin_t);
-
-	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-
-	this->listener = updown_listener_create();
-	charon->bus->add_listener(charon->bus, &this->listener->listener);
-
-	return &this->public.plugin;
-}
-
diff --git a/src/charon/plugins/updown/updown_plugin.h b/src/charon/plugins/updown/updown_plugin.h
deleted file mode 100644
index 2873b499d..000000000
--- a/src/charon/plugins/updown/updown_plugin.h
+++ /dev/null
@@ -1,47 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup updown updown
- * @ingroup cplugins
- *
- * @defgroup updown_plugin updown_plugin
- * @{ @ingroup updown
- */
-
-#ifndef UPDOWN_PLUGIN_H_
-#define UPDOWN_PLUGIN_H_
-
-#include <plugins/plugin.h>
-
-typedef struct updown_plugin_t updown_plugin_t;
-
-/**
- * Updown firewall script invocation plugin, compatible to pluto ones.
- */
-struct updown_plugin_t {
-
-	/**
-	 * implements plugin interface
-	 */
-	plugin_t plugin;
-};
-
-/**
- * Create a updown_plugin instance.
- */
-plugin_t *plugin_create();
-
-#endif /** UPDOWN_PLUGIN_H_ @}*/
diff --git a/src/charon/processing/jobs/acquire_job.c b/src/charon/processing/jobs/acquire_job.c
deleted file mode 100644
index 45ace9312..000000000
--- a/src/charon/processing/jobs/acquire_job.c
+++ /dev/null
@@ -1,86 +0,0 @@
-/*
- * Copyright (C) 2006-2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "acquire_job.h"
-
-#include <daemon.h>
-
-
-typedef struct private_acquire_job_t private_acquire_job_t;
-
-/**
- * Private data of an acquire_job_t object.
- */
-struct private_acquire_job_t {
-	/**
-	 * Public acquire_job_t interface.
-	 */
-	acquire_job_t public;
-
-	/**
-	 * reqid of the child to rekey
-	 */
-	u_int32_t reqid;
-
-	/**
-	 * acquired source traffic selector
-	 */
-	traffic_selector_t *src_ts;
-
-	/**
-	 * acquired destination traffic selector
-	 */
-	traffic_selector_t *dst_ts;
-};
-
-/**
- * Implementation of job_t.destroy.
- */
-static void destroy(private_acquire_job_t *this)
-{
-	DESTROY_IF(this->src_ts);
-	DESTROY_IF(this->dst_ts);
-	free(this);
-}
-
-/**
- * Implementation of job_t.execute.
- */
-static void execute(private_acquire_job_t *this)
-{
-	charon->traps->acquire(charon->traps, this->reqid,
-						   this->src_ts, this->dst_ts);
-	destroy(this);
-}
-
-/*
- * Described in header
- */
-acquire_job_t *acquire_job_create(u_int32_t reqid,
-								  traffic_selector_t *src_ts,
-								  traffic_selector_t *dst_ts)
-{
-	private_acquire_job_t *this = malloc_thing(private_acquire_job_t);
-
-	this->public.job_interface.execute = (void (*) (job_t *)) execute;
-	this->public.job_interface.destroy = (void (*)(job_t*)) destroy;
-
-	this->reqid = reqid;
-	this->src_ts = src_ts;
-	this->dst_ts = dst_ts;
-
-	return &this->public;
-}
-
diff --git a/src/charon/processing/jobs/acquire_job.h b/src/charon/processing/jobs/acquire_job.h
deleted file mode 100644
index eff79a9b0..000000000
--- a/src/charon/processing/jobs/acquire_job.h
+++ /dev/null
@@ -1,54 +0,0 @@
-/*
- * Copyright (C) 2006 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup acquire_job acquire_job
- * @{ @ingroup jobs
- */
-
-#ifndef ACQUIRE_JOB_H_
-#define ACQUIRE_JOB_H_
-
-typedef struct acquire_job_t acquire_job_t;
-
-#include <library.h>
-#include <selectors/traffic_selector.h>
-#include <processing/jobs/job.h>
-
-/**
- * Class representing an ACQUIRE Job.
- *
- * This job initiates a CHILD SA on kernel request.
- */
-struct acquire_job_t {
-	/**
-	 * The job_t interface.
-	 */
-	job_t job_interface;
-};
-
-/**
- * Creates a job of type ACQUIRE.
- *
- * @param reqid		reqid of the trapped CHILD_SA to acquire
- * @param src_ts	source traffic selector
- * @param dst_ts	destination traffic selector
- * @return			acquire_job_t object
- */
-acquire_job_t *acquire_job_create(u_int32_t reqid,
-								  traffic_selector_t *src_ts,
-								  traffic_selector_t *dst_ts);
-
-#endif /** REKEY_CHILD_SA_JOB_H_ @}*/
diff --git a/src/charon/processing/jobs/callback_job.c b/src/charon/processing/jobs/callback_job.c
deleted file mode 100644
index 7e35dcdcb..000000000
--- a/src/charon/processing/jobs/callback_job.c
+++ /dev/null
@@ -1,267 +0,0 @@
-/*
- * Copyright (C) 2009 Tobias Brunner
- * Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "callback_job.h"
-
-#include <semaphore.h>
-
-#include <daemon.h>
-#include <threading/thread.h>
-#include <threading/condvar.h>
-#include <threading/mutex.h>
-
-typedef struct private_callback_job_t private_callback_job_t;
-
-/**
- * Private data of an callback_job_t Object.
- */
-struct private_callback_job_t {
-	/**
-	 * Public callback_job_t interface.
-	 */
-	callback_job_t public;
-
-	/**
-	 * Callback to call on execution
-	 */
-	callback_job_cb_t callback;
-
-	/**
-	 * parameter to supply to callback
-	 */
-	void *data;
-
-	/**
-	 * cleanup function for data
-	 */
-	callback_job_cleanup_t cleanup;
-
-	/**
-	 * thread of the job, if running
-	 */
-	thread_t *thread;
-
-	/**
-	 * mutex to access jobs interna
-	 */
-	mutex_t *mutex;
-
-	/**
-	 * list of asociated child jobs
-	 */
-	linked_list_t *children;
-
-	/**
-	 * parent of this job, or NULL
-	 */
-	private_callback_job_t *parent;
-
-	/**
-	 * TRUE if the job got cancelled
-	 */
-	bool cancelled;
-
-	/**
-	 * condvar to synchronize the cancellation/destruction of the job
-	 */
-	condvar_t *destroyable;
-
-	/**
-	 * semaphore to synchronize the termination of the assigned thread.
-	 *
-	 * separately allocated during cancellation, so that we can wait on it
-	 * without risking that it gets freed too early during destruction.
-	 */
-	sem_t *terminated;
-};
-
-/**
- * unregister a child from its parent, if any.
- * note: this->mutex has to be locked
- */
-static void unregister(private_callback_job_t *this)
-{
-	if (this->parent)
-	{
-		this->parent->mutex->lock(this->parent->mutex);
-		if (this->parent->cancelled && !this->cancelled)
-		{
-			/* if the parent has been cancelled but we have not yet, we do not
-			 * unregister until we got cancelled by the parent. */
-			this->parent->mutex->unlock(this->parent->mutex);
-			this->destroyable->wait(this->destroyable, this->mutex);
-			this->parent->mutex->lock(this->parent->mutex);
-		}
-		this->parent->children->remove(this->parent->children, this, NULL);
-		this->parent->mutex->unlock(this->parent->mutex);
-		this->parent = NULL;
-	}
-}
-
-/**
- * Implements job_t.destroy.
- */
-static void destroy(private_callback_job_t *this)
-{
-	this->mutex->lock(this->mutex);
-	unregister(this);
-	if (this->cleanup)
-	{
-		this->cleanup(this->data);
-	}
-	if (this->terminated)
-	{
-		sem_post(this->terminated);
-	}
-	this->children->destroy(this->children);
-	this->destroyable->destroy(this->destroyable);
-	this->mutex->unlock(this->mutex);
-	this->mutex->destroy(this->mutex);
-	free(this);
-}
-
-/**
- * Implementation of callback_job_t.cancel.
- */
-static void cancel(private_callback_job_t *this)
-{
-	callback_job_t *child;
-	sem_t *terminated = NULL;
-
-	this->mutex->lock(this->mutex);
-	this->cancelled = TRUE;
-	/* terminate children */
-	while (this->children->get_first(this->children, (void**)&child) == SUCCESS)
-	{
-		this->mutex->unlock(this->mutex);
-		child->cancel(child);
-		this->mutex->lock(this->mutex);
-	}
-	if (this->thread)
-	{
-		/* terminate the thread, if there is currently one executing the job.
-		 * we wait for its termination using a semaphore */
-		this->thread->cancel(this->thread);
-		terminated = this->terminated = malloc_thing(sem_t);
-		sem_init(terminated, 0, 0);
-	}
-	else
-	{
-		/* if the job is currently queued, it gets terminated later.
-		 * we can't wait, because it might not get executed at all.
-		 * we also unregister the queued job manually from its parent (the
-		 * others get unregistered during destruction) */
-		unregister(this);
-	}
-	this->destroyable->signal(this->destroyable);
-	this->mutex->unlock(this->mutex);
-
-	if (terminated)
-	{
-		sem_wait(terminated);
-		sem_destroy(terminated);
-		free(terminated);
-	}
-}
-
-/**
- * Implementation of job_t.execute.
- */
-static void execute(private_callback_job_t *this)
-{
-	bool cleanup = FALSE;
-
-	thread_cleanup_push((thread_cleanup_t)destroy, this);
-
-	this->mutex->lock(this->mutex);
-	this->thread = thread_current();
-	this->mutex->unlock(this->mutex);
-
-	while (TRUE)
-	{
-		this->mutex->lock(this->mutex);
-		if (this->cancelled)
-		{
-			this->mutex->unlock(this->mutex);
-			cleanup = TRUE;
-			break;
-		}
-		this->mutex->unlock(this->mutex);
-		switch (this->callback(this->data))
-		{
-			case JOB_REQUEUE_DIRECT:
-				continue;
-			case JOB_REQUEUE_FAIR:
-			{
-				charon->processor->queue_job(charon->processor,
-											 &this->public.job_interface);
-				break;
-			}
-			case JOB_REQUEUE_NONE:
-			default:
-			{
-				cleanup = TRUE;
-				break;
-			}
-		}
-		break;
-	}
-	this->mutex->lock(this->mutex);
-	this->thread = NULL;
-	this->mutex->unlock(this->mutex);
-	/* manually create a cancellation point to avoid that a cancelled thread
-	 * goes back into the thread pool */
-	thread_cancellation_point();
-	thread_cleanup_pop(cleanup);
-}
-
-/*
- * Described in header.
- */
-callback_job_t *callback_job_create(callback_job_cb_t cb, void *data,
-									callback_job_cleanup_t cleanup,
-									callback_job_t *parent)
-{
-	private_callback_job_t *this = malloc_thing(private_callback_job_t);
-
-	/* interface functions */
-	this->public.job_interface.execute = (void (*) (job_t *)) execute;
-	this->public.job_interface.destroy = (void (*) (job_t *)) destroy;
-	this->public.cancel = (void(*)(callback_job_t*))cancel;
-
-	/* private variables */
-	this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
-	this->callback = cb;
-	this->data = data;
-	this->cleanup = cleanup;
-	this->thread = 0;
-	this->children = linked_list_create();
-	this->parent = (private_callback_job_t*)parent;
-	this->cancelled = FALSE;
-	this->destroyable = condvar_create(CONDVAR_TYPE_DEFAULT);
-	this->terminated = NULL;
-
-	/* register us at parent */
-	if (parent)
-	{
-		this->parent->mutex->lock(this->parent->mutex);
-		this->parent->children->insert_last(this->parent->children, this);
-		this->parent->mutex->unlock(this->parent->mutex);
-	}
-
-	return &this->public;
-}
-
diff --git a/src/charon/processing/jobs/callback_job.h b/src/charon/processing/jobs/callback_job.h
deleted file mode 100644
index 62da1edd1..000000000
--- a/src/charon/processing/jobs/callback_job.h
+++ /dev/null
@@ -1,118 +0,0 @@
-/*
- * Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup callback_job callback_job
- * @{ @ingroup jobs
- */
-
-#ifndef CALLBACK_JOB_H_
-#define CALLBACK_JOB_H_
-
-typedef struct callback_job_t callback_job_t;
-
-#include <library.h>
-#include <processing/jobs/job.h>
-
-
-typedef enum job_requeue_t job_requeue_t;
-
-/**
- * Job requeueing policy
- *
- * The job requeueing policy defines how a job is handled when the callback
- * function returns.
- */
-enum job_requeue_t {
-
-	/**
-	 * Do not requeue job, destroy it
-	 */
-	JOB_REQUEUE_NONE,
-
-	/**
-	 * Reque the job fairly, meaning it has to requeue as any other job
-	 */
-	JOB_REQUEUE_FAIR,
-
-	/**
-	 * Reexecute the job directly, without the need of requeueing it
-	 */
-	JOB_REQUEUE_DIRECT,
-};
-
-/**
- * The callback function to use for the callback job.
- *
- * This is the function to use as callback for a callback job. It receives
- * a parameter supplied to the callback jobs constructor.
- *
- * @param data			param supplied to job
- * @return				requeing policy how to requeue the job
- */
-typedef job_requeue_t (*callback_job_cb_t)(void *data);
-
-/**
- * Cleanup function to use for data cleanup.
- *
- * The callback has an optional user argument which receives data. However,
- * this data may be cleaned up if it is allocated. This is the function
- * to supply to the constructor.
- *
- * @param data			param supplied to job
- * @return				requeing policy how to requeue the job
- */
-typedef void (*callback_job_cleanup_t)(void *data);
-
-/**
- * Class representing an callback Job.
- *
- * This is a special job which allows a simple callback function to
- * be executed by a thread of the thread pool. This allows simple execution
- * of asynchronous methods, without to manage threads.
- */
-struct callback_job_t {
-	/**
-	 * The job_t interface.
-	 */
-	job_t job_interface;
-
-	/**
-	 * Cancel the job's thread and wait for its termination. This only works
-	 * reliably for jobs that always use JOB_REQUEUE_FAIR or JOB_REQUEUE_DIRECT,
-	 * otherwise the job may already be destroyed when cancel is called. */
-	void (*cancel)(callback_job_t *this);
-};
-
-/**
- * Creates a callback job.
- *
- * The cleanup function is called when the job gets destroyed to destroy
- * the associated data.
- * If parent is not NULL, the specified job gets an association. Whenever
- * the parent gets cancelled (or runs out), all of its children are cancelled,
- * too.
- *
- * @param cb				callback to call from the processor
- * @param data				user data to supply to callback
- * @param cleanup			destructor for data on destruction, or NULL
- * @param parent			parent of this job
- * @return					callback_job_t object
- */
-callback_job_t *callback_job_create(callback_job_cb_t cb, void *data,
-									callback_job_cleanup_t cleanup,
-									callback_job_t *parent);
-
-#endif /** CALLBACK_JOB_H_ @}*/
diff --git a/src/charon/processing/jobs/delete_child_sa_job.c b/src/charon/processing/jobs/delete_child_sa_job.c
deleted file mode 100644
index ca55721f2..000000000
--- a/src/charon/processing/jobs/delete_child_sa_job.c
+++ /dev/null
@@ -1,100 +0,0 @@
-/*
- * Copyright (C) 2006 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "delete_child_sa_job.h"
-
-#include <daemon.h>
-
-
-typedef struct private_delete_child_sa_job_t private_delete_child_sa_job_t;
-
-/**
- * Private data of an delete_child_sa_job_t object.
- */
-struct private_delete_child_sa_job_t {
-	/**
-
-	 * Public delete_child_sa_job_t interface.
-	 */
-	delete_child_sa_job_t public;
-
-	/**
-	 * reqid of the CHILD_SA
-	 */
-	u_int32_t reqid;
-
-	/**
-	 * protocol of the CHILD_SA (ESP/AH)
-	 */
-	protocol_id_t protocol;
-
-	/**
-	 * inbound SPI of the CHILD_SA
-	 */
-	u_int32_t spi;
-};
-
-/**
- * Implementation of job_t.destroy.
- */
-static void destroy(private_delete_child_sa_job_t *this)
-{
-	free(this);
-}
-
-/**
- * Implementation of job_t.execute.
- */
-static void execute(private_delete_child_sa_job_t *this)
-{
-	ike_sa_t *ike_sa;
-
-	ike_sa = charon->ike_sa_manager->checkout_by_id(charon->ike_sa_manager,
-													this->reqid, TRUE);
-	if (ike_sa == NULL)
-	{
-		DBG1(DBG_JOB, "CHILD_SA with reqid %d not found for delete",
-			 this->reqid);
-	}
-	else
-	{
-		ike_sa->delete_child_sa(ike_sa, this->protocol, this->spi);
-
-		charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
-	}
-	destroy(this);
-}
-
-/*
- * Described in header
- */
-delete_child_sa_job_t *delete_child_sa_job_create(u_int32_t reqid,
-												  protocol_id_t protocol,
-												  u_int32_t spi)
-{
-	private_delete_child_sa_job_t *this = malloc_thing(private_delete_child_sa_job_t);
-
-	/* interface functions */
-	this->public.job_interface.execute = (void (*) (job_t *)) execute;
-	this->public.job_interface.destroy = (void (*)(job_t*)) destroy;
-
-	/* private variables */
-	this->reqid = reqid;
-	this->protocol = protocol;
-	this->spi = spi;
-
-	return &this->public;
-}
-
diff --git a/src/charon/processing/jobs/delete_child_sa_job.h b/src/charon/processing/jobs/delete_child_sa_job.h
deleted file mode 100644
index 662a7b7c7..000000000
--- a/src/charon/processing/jobs/delete_child_sa_job.h
+++ /dev/null
@@ -1,59 +0,0 @@
-/*
- * Copyright (C) 2006 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup delete_child_sa_job delete_child_sa_job
- * @{ @ingroup jobs
- */
-
-#ifndef DELETE_CHILD_SA_JOB_H_
-#define DELETE_CHILD_SA_JOB_H_
-
-typedef struct delete_child_sa_job_t delete_child_sa_job_t;
-
-#include <library.h>
-#include <sa/ike_sa_id.h>
-#include <processing/jobs/job.h>
-#include <config/proposal.h>
-
-
-/**
- * Class representing an DELETE_CHILD_SA Job.
- *
- * This job initiates the delete of a CHILD SA.
- */
-struct delete_child_sa_job_t {
-	/**
-	 * The job_t interface.
-	 */
-	job_t job_interface;
-};
-
-/**
- * Creates a job of type DELETE_CHILD_SA.
- *
- * The CHILD_SA is identified by its reqid, protocol (AH/ESP) and its
- * inbound SPI.
- *
- * @param reqid		reqid of the CHILD_SA, as used in kernel
- * @param protocol	protocol of the CHILD_SA
- * @param spi		security parameter index of the CHILD_SA
- * @return			delete_child_sa_job_t object
- */
-delete_child_sa_job_t *delete_child_sa_job_create(u_int32_t reqid,
-												  protocol_id_t protocol,
-												  u_int32_t spi);
-
-#endif /** DELETE_CHILD_SA_JOB_H_ @}*/
diff --git a/src/charon/processing/jobs/delete_ike_sa_job.c b/src/charon/processing/jobs/delete_ike_sa_job.c
deleted file mode 100644
index dffd08ba3..000000000
--- a/src/charon/processing/jobs/delete_ike_sa_job.c
+++ /dev/null
@@ -1,116 +0,0 @@
-/*
- * Copyright (C) 2005-2006 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "delete_ike_sa_job.h"
-
-#include <daemon.h>
-
-typedef struct private_delete_ike_sa_job_t private_delete_ike_sa_job_t;
-
-/**
- * Private data of an delete_ike_sa_job_t Object
- */
-struct private_delete_ike_sa_job_t {
-	/**
-	 * public delete_ike_sa_job_t interface
-	 */
-	delete_ike_sa_job_t public;
-
-	/**
-	 * ID of the ike_sa to delete
-	 */
-	ike_sa_id_t *ike_sa_id;
-
-	/**
-	 * Should the IKE_SA be deleted if it is in ESTABLISHED state?
-	 */
-	bool delete_if_established;
-};
-
-
-/**
- * Implements job_t.destroy.
- */
-static void destroy(private_delete_ike_sa_job_t *this)
-{
-	this->ike_sa_id->destroy(this->ike_sa_id);
-	free(this);
-}
-
-/**
- * Implementation of job_t.execute.
- */
-static void execute(private_delete_ike_sa_job_t *this)
-{
-	ike_sa_t *ike_sa;
-
-	ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager,
-											  this->ike_sa_id);
-	if (ike_sa)
-	{
-		if (ike_sa->get_state(ike_sa) == IKE_PASSIVE)
-		{
-			charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
-			return destroy(this);
-		}
-		if (this->delete_if_established)
-		{
-			if (ike_sa->delete(ike_sa) == DESTROY_ME)
-			{
-				charon->ike_sa_manager->checkin_and_destroy(
-												charon->ike_sa_manager, ike_sa);
-			}
-			else
-			{
-				charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
-			}
-		}
-		else
-		{
-			/* destroy only if not ESTABLISHED */
-			if (ike_sa->get_state(ike_sa) == IKE_ESTABLISHED)
-			{
-				charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
-			}
-			else
-			{
-				DBG1(DBG_JOB, "deleting half open IKE_SA after timeout");
-				charon->ike_sa_manager->checkin_and_destroy(
-												charon->ike_sa_manager, ike_sa);
-			}
-		}
-	}
-	destroy(this);
-}
-
-/*
- * Described in header
- */
-delete_ike_sa_job_t *delete_ike_sa_job_create(ike_sa_id_t *ike_sa_id,
-											  bool delete_if_established)
-{
-	private_delete_ike_sa_job_t *this = malloc_thing(private_delete_ike_sa_job_t);
-
-	/* interface functions */
-	this->public.job_interface.execute = (void (*) (job_t *)) execute;
-	this->public.job_interface.destroy = (void (*)(job_t *)) destroy;;
-
-	/* private variables */
-	this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
-	this->delete_if_established = delete_if_established;
-
-	return &(this->public);
-}
diff --git a/src/charon/processing/jobs/delete_ike_sa_job.h b/src/charon/processing/jobs/delete_ike_sa_job.h
deleted file mode 100644
index f641deea3..000000000
--- a/src/charon/processing/jobs/delete_ike_sa_job.h
+++ /dev/null
@@ -1,57 +0,0 @@
-/*
- * Copyright (C) 2005-2006 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup delete_child_sa_job delete_child_sa_job
- * @{ @ingroup jobs
- */
-
-#ifndef DELETE_IKE_SA_JOB_H_
-#define DELETE_IKE_SA_JOB_H_
-
-typedef struct delete_ike_sa_job_t delete_ike_sa_job_t;
-
-#include <library.h>
-#include <sa/ike_sa_id.h>
-#include <processing/jobs/job.h>
-
-
-/**
- * Class representing an DELETE_IKE_SA Job.
- *
- * This job is responsible for deleting established or half open IKE_SAs.
- * A half open IKE_SA is every IKE_SA which hasn't reache the SA_ESTABLISHED
- * state.
- */
-struct delete_ike_sa_job_t {
-
-	/**
-	 * The job_t interface.
-	 */
-	job_t job_interface;
-};
-
-/**
- * Creates a job of type DELETE_IKE_SA.
- *
- * @param ike_sa_id				id of the IKE_SA to delete
- * @param delete_if_established	should the IKE_SA be deleted if it is established?
- * @return						created delete_ike_sa_job_t object
- */
-delete_ike_sa_job_t *delete_ike_sa_job_create(ike_sa_id_t *ike_sa_id,
-											  bool delete_if_established);
-
-#endif /** DELETE_IKE_SA_JOB_H_ @}*/
diff --git a/src/charon/processing/jobs/inactivity_job.c b/src/charon/processing/jobs/inactivity_job.c
deleted file mode 100644
index 13fc5e3d0..000000000
--- a/src/charon/processing/jobs/inactivity_job.c
+++ /dev/null
@@ -1,150 +0,0 @@
-/*
- * Copyright (C) 2010 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "inactivity_job.h"
-
-#include <daemon.h>
-
-typedef struct private_inactivity_job_t private_inactivity_job_t;
-
-/**
- * Private data of an inactivity_job_t object.
- */
-struct private_inactivity_job_t {
-
-	/**
-	 * Public inactivity_job_t interface.
-	 */
-	inactivity_job_t public;
-
-	/**
-	 * Reqid of CHILD_SA to check
-	 */
-	u_int32_t reqid;
-
-	/**
-	 * Inactivity timeout
-	 */
-	u_int32_t timeout;
-
-	/**
-	 * Close IKE_SA if last remaining CHILD inactive?
-	 */
-	bool close_ike;
-};
-
-METHOD(job_t, destroy, void,
-	private_inactivity_job_t *this)
-{
-	free(this);
-}
-
-METHOD(job_t, execute, void,
-	private_inactivity_job_t *this)
-{
-	ike_sa_t *ike_sa;
-	bool rescheduled = FALSE;
-
-	ike_sa = charon->ike_sa_manager->checkout_by_id(charon->ike_sa_manager,
-													this->reqid, TRUE);
-	if (ike_sa)
-	{
-		iterator_t *iterator;
-		child_sa_t *child_sa;
-		u_int32_t delete = 0;
-		protocol_id_t proto = 0;
-		int children = 0;
-		status_t status = SUCCESS;
-
-		iterator = ike_sa->create_child_sa_iterator(ike_sa);
-		while (iterator->iterate(iterator, (void**)&child_sa))
-		{
-			if (child_sa->get_reqid(child_sa) == this->reqid)
-			{
-				time_t in, out, diff;
-
-				child_sa->get_usestats(child_sa, TRUE, &in, NULL);
-				child_sa->get_usestats(child_sa, FALSE, &out, NULL);
-
-				diff = time_monotonic(NULL) - max(in, out);
-
-				if (diff >= this->timeout)
-				{
-					delete = child_sa->get_spi(child_sa, TRUE);
-					proto = child_sa->get_protocol(child_sa);
-				}
-				else
-				{
-					charon->scheduler->schedule_job(charon->scheduler,
-							&this->public.job_interface, this->timeout - diff);
-					rescheduled = TRUE;
-				}
-			}
-			children++;
-		}
-		iterator->destroy(iterator);
-
-		if (delete)
-		{
-			if (children == 1 && this->close_ike)
-			{
-				DBG1(DBG_JOB, "deleting IKE_SA after %d seconds "
-					 "of CHILD_SA inactivity", this->timeout);
-				status = ike_sa->delete(ike_sa);
-			}
-			else
-			{
-				DBG1(DBG_JOB, "deleting CHILD_SA after %d seconds "
-					 "of inactivity", this->timeout);
-				status = ike_sa->delete_child_sa(ike_sa, proto, delete);
-			}
-		}
-		if (status == DESTROY_ME)
-		{
-			charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager,
-														ike_sa);
-		}
-		else
-		{
-			charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
-		}
-	}
-	if (!rescheduled)
-	{
-		destroy(this);
-	}
-}
-
-/**
- * See header
- */
-inactivity_job_t *inactivity_job_create(u_int32_t reqid, u_int32_t timeout,
-										bool close_ike)
-{
-	private_inactivity_job_t *this;
-
-	INIT(this,
-		.public.job_interface = {
-			.execute = _execute,
-			.destroy = _destroy,
-		},
-		.reqid = reqid,
-		.timeout = timeout,
-		.close_ike = close_ike,
-	);
-
-	return &this->public;
-}
-
diff --git a/src/charon/processing/jobs/inactivity_job.h b/src/charon/processing/jobs/inactivity_job.h
deleted file mode 100644
index 9c9daced8..000000000
--- a/src/charon/processing/jobs/inactivity_job.h
+++ /dev/null
@@ -1,53 +0,0 @@
-/*
- * Copyright (C) 2010 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup inactivity_job inactivity_job
- * @{ @ingroup jobs
- */
-
-#ifndef INACTIVITY_JOB_H_
-#define INACTIVITY_JOB_H_
-
-#include <library.h>
-#include <processing/jobs/job.h>
-
-typedef struct inactivity_job_t inactivity_job_t;
-
-/**
- * Job checking for inactivity of CHILD_SA to close them.
- *
- * The inactivity job reschedules itself to check CHILD_SAs prediodically.
- */
-struct inactivity_job_t {
-
-	/**
-	 * Implements job_t.
-	 */
-	job_t job_interface;
-};
-
-/**
- * Create a inactivity_job instance.
- *
- * @param reqid		reqid of CHILD_SA to check for inactivity
- * @param timeout	inactivity timeout in s
- * @param close_ike	close IKE_SA if the last remaining CHILD_SA is inactive?
- * @return			inactivity checking job
- */
-inactivity_job_t *inactivity_job_create(u_int32_t reqid, u_int32_t timeout,
-										bool close_ike);
-
-#endif /** INACTIVITY_JOB_H_ @}*/
diff --git a/src/charon/processing/jobs/initiate_mediation_job.c b/src/charon/processing/jobs/initiate_mediation_job.c
deleted file mode 100644
index ffe8755e2..000000000
--- a/src/charon/processing/jobs/initiate_mediation_job.c
+++ /dev/null
@@ -1,271 +0,0 @@
-/*
- * Copyright (C) 2007-2008 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "initiate_mediation_job.h"
-
-#include <sa/ike_sa.h>
-#include <daemon.h>
-
-
-typedef struct private_initiate_mediation_job_t private_initiate_mediation_job_t;
-
-/**
- * Private data of an initiate_mediation_job_t Object
- */
-struct private_initiate_mediation_job_t {
-	/**
-	 * public initiate_mediation_job_t interface
-	 */
-	initiate_mediation_job_t public;
-
-	/**
-	 * ID of the IKE_SA of the mediated connection.
-	 */
-	ike_sa_id_t *mediated_sa_id;
-
-	/**
-	 * ID of the IKE_SA of the mediation connection.
-	 */
-	ike_sa_id_t *mediation_sa_id;
-};
-
-/**
- * Implements job_t.destroy.
- */
-static void destroy(private_initiate_mediation_job_t *this)
-{
-	DESTROY_IF(this->mediation_sa_id);
-	DESTROY_IF(this->mediated_sa_id);
-	free(this);
-}
-
-/**
- * Callback to handle initiation of mediation connection
- */
-static bool initiate_callback(private_initiate_mediation_job_t *this,
-			debug_t group, level_t level, ike_sa_t *ike_sa,
-			char *format, va_list args)
-{
-	if (ike_sa && !this->mediation_sa_id)
-	{
-		this->mediation_sa_id = ike_sa->get_id(ike_sa);
-		this->mediation_sa_id = this->mediation_sa_id->clone(this->mediation_sa_id);
-	}
-	return TRUE;
-}
-
-/**
- * Implementation of job_t.execute.
- */
-static void initiate(private_initiate_mediation_job_t *this)
-{
-	ike_sa_t *mediated_sa, *mediation_sa;
-	peer_cfg_t *mediated_cfg, *mediation_cfg;
-	enumerator_t *enumerator;
-	auth_cfg_t *auth_cfg;
-
-	mediated_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager,
-												   this->mediated_sa_id);
-	if (mediated_sa)
-	{
-		DBG1(DBG_IKE, "initiating mediation connection");
-		mediated_cfg = mediated_sa->get_peer_cfg(mediated_sa);
-		mediated_cfg->get_ref(mediated_cfg);
-
-		charon->ike_sa_manager->checkin(charon->ike_sa_manager, mediated_sa);
-
-		mediation_cfg = mediated_cfg->get_mediated_by(mediated_cfg);
-		mediation_cfg->get_ref(mediation_cfg);
-
-		enumerator = mediation_cfg->create_auth_cfg_enumerator(mediation_cfg,
-															   TRUE);
-		if (!enumerator->enumerate(enumerator, &auth_cfg) ||
-			auth_cfg->get(auth_cfg, AUTH_RULE_IDENTITY) == NULL)
-		{
-			mediated_cfg->destroy(mediated_cfg);
-			mediation_cfg->destroy(mediation_cfg);
-			enumerator->destroy(enumerator);
-			destroy(this);
-			return;
-		}
-		enumerator->destroy(enumerator);
-
-		if (charon->connect_manager->check_and_register(charon->connect_manager,
-				auth_cfg->get(auth_cfg, AUTH_RULE_IDENTITY),
-				mediated_cfg->get_peer_id(mediated_cfg),
-				this->mediated_sa_id))
-		{
-			mediated_cfg->destroy(mediated_cfg);
-			mediation_cfg->destroy(mediation_cfg);
-
-			mediated_sa = charon->ike_sa_manager->checkout(
-								charon->ike_sa_manager, this->mediated_sa_id);
-			if (mediated_sa)
-			{
-				DBG1(DBG_IKE, "mediation with the same peer is already in "
-					 "progress, queued");
-				charon->ike_sa_manager->checkin(
-								charon->ike_sa_manager, mediated_sa);
-			}
-			destroy(this);
-			return;
-		}
-		/* we need an additional reference because initiate consumes one */
-		mediation_cfg->get_ref(mediation_cfg);
-
-		if (charon->controller->initiate(charon->controller, mediation_cfg,
-					NULL, (controller_cb_t)initiate_callback, this) != SUCCESS)
-		{
-			mediation_cfg->destroy(mediation_cfg);
-			mediated_cfg->destroy(mediated_cfg);
-			mediated_sa = charon->ike_sa_manager->checkout(
-								charon->ike_sa_manager, this->mediated_sa_id);
-			if (mediated_sa)
-			{
-				DBG1(DBG_IKE, "initiating mediation connection failed");
-				charon->ike_sa_manager->checkin_and_destroy(
-									charon->ike_sa_manager, mediated_sa);
-			}
-			destroy(this);
-			return;
-		}
-		mediation_cfg->destroy(mediation_cfg);
-
-		mediation_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager,
-														this->mediation_sa_id);
-		if (mediation_sa)
-		{
-			if (mediation_sa->initiate_mediation(mediation_sa,
-												 mediated_cfg) != SUCCESS)
-			{
-				mediated_cfg->destroy(mediated_cfg);
-				charon->ike_sa_manager->checkin_and_destroy(
-								charon->ike_sa_manager, mediation_sa);
-				mediated_sa = charon->ike_sa_manager->checkout(
-								charon->ike_sa_manager, this->mediated_sa_id);
-				if (mediated_sa)
-				{
-					DBG1(DBG_IKE, "establishing mediation connection failed");
-					charon->ike_sa_manager->checkin_and_destroy(
-										charon->ike_sa_manager, mediated_sa);
-				}
-				destroy(this);
-				return;
-			}
-			charon->ike_sa_manager->checkin(charon->ike_sa_manager,
-											mediation_sa);
-		}
-		mediated_cfg->destroy(mediated_cfg);
-	}
-	destroy(this);
-}
-
-/**
- * Implementation of job_t.execute.
- */
-static void reinitiate(private_initiate_mediation_job_t *this)
-{
-	ike_sa_t *mediated_sa, *mediation_sa;
-	peer_cfg_t *mediated_cfg;
-
-	mediated_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager,
-												   this->mediated_sa_id);
-	if (mediated_sa)
-	{
-		mediated_cfg = mediated_sa->get_peer_cfg(mediated_sa);
-		mediated_cfg->get_ref(mediated_cfg);
-		charon->ike_sa_manager->checkin(charon->ike_sa_manager, mediated_sa);
-
-		mediation_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager,
-														this->mediation_sa_id);
-		if (mediation_sa)
-		{
-			if (mediation_sa->initiate_mediation(mediation_sa,
-												 mediated_cfg) != SUCCESS)
-			{
-				DBG1(DBG_JOB, "initiating mediated connection '%s' failed",
-					 mediated_cfg->get_name(mediated_cfg));
-				mediated_cfg->destroy(mediated_cfg);
-				charon->ike_sa_manager->checkin_and_destroy(
-										charon->ike_sa_manager,
-										mediation_sa);
-				mediated_sa = charon->ike_sa_manager->checkout(
-										charon->ike_sa_manager,
-										this->mediated_sa_id);
-				if (mediated_sa)
-				{
-					DBG1(DBG_IKE, "establishing mediation connection failed");
-					charon->ike_sa_manager->checkin_and_destroy(
-										charon->ike_sa_manager,
-										mediated_sa);
-				}
-				destroy(this);
-				return;
-			}
-			charon->ike_sa_manager->checkin(charon->ike_sa_manager,
-											mediation_sa);
-		}
-
-		mediated_cfg->destroy(mediated_cfg);
-	}
-	destroy(this);
-}
-
-/**
- * Creates an empty job
- */
-static private_initiate_mediation_job_t *initiate_mediation_job_create_empty()
-{
-	private_initiate_mediation_job_t *this = malloc_thing(private_initiate_mediation_job_t);
-
-	/* interface functions */
-	this->public.job_interface.destroy = (void (*) (job_t *)) destroy;
-
-	/* private variables */
-	this->mediation_sa_id = NULL;
-	this->mediated_sa_id = NULL;
-
-	return this;
-}
-
-/*
- * Described in header
- */
-initiate_mediation_job_t *initiate_mediation_job_create(ike_sa_id_t *ike_sa_id)
-{
-	private_initiate_mediation_job_t *this = initiate_mediation_job_create_empty();
-
-	this->public.job_interface.execute = (void (*) (job_t *)) initiate;
-
-	this->mediated_sa_id = ike_sa_id->clone(ike_sa_id);
-
-	return &this->public;
-}
-
-/*
- * Described in header
- */
-initiate_mediation_job_t *reinitiate_mediation_job_create(ike_sa_id_t *mediation_sa_id,
-		ike_sa_id_t *mediated_sa_id)
-{
-	private_initiate_mediation_job_t *this = initiate_mediation_job_create_empty();
-
-	this->public.job_interface.execute = (void (*) (job_t *)) reinitiate;
-
-	this->mediation_sa_id = mediation_sa_id->clone(mediation_sa_id);
-	this->mediated_sa_id = mediated_sa_id->clone(mediated_sa_id);
-
-	return &this->public;
-}
diff --git a/src/charon/processing/jobs/initiate_mediation_job.h b/src/charon/processing/jobs/initiate_mediation_job.h
deleted file mode 100644
index fddb1dd7b..000000000
--- a/src/charon/processing/jobs/initiate_mediation_job.h
+++ /dev/null
@@ -1,62 +0,0 @@
-/*
- * Copyright (C) 2007-2008 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup initiate_mediation_job initiate_mediation_job
- * @{ @ingroup jobs
- */
-
-#ifndef INITIATE_MEDIATION_JOB_H_
-#define INITIATE_MEDIATION_JOB_H_
-
-typedef struct initiate_mediation_job_t initiate_mediation_job_t;
-
-#include <processing/jobs/job.h>
-#include <sa/ike_sa_id.h>
-
-/**
- * Class representing a INITIATE_MEDIATION Job.
- *
- * This job will initiate a mediation on behalf of a mediated connection.
- * If required the mediation connection is established.
- */
-struct initiate_mediation_job_t {
-	/**
-	 * implements job_t interface
-	 */
-	job_t job_interface;
-};
-
-/**
- * Creates a job of type INITIATE_MEDIATION.
- *
- * @param ike_sa_id		identification of the ike_sa as ike_sa_id_t object (gets cloned)
- * @return				job object
- */
-initiate_mediation_job_t *initiate_mediation_job_create(ike_sa_id_t *ike_sa_id);
-
-/**
- * Creates a special job of type INITIATE_MEDIATION that reinitiates a
- * specific connection.
- *
- * @param mediation_sa_id		identification of the mediation sa (gets cloned)
- * @param mediated_sa_id		identification of the mediated sa (gets cloned)
- * @return						job object
- */
-initiate_mediation_job_t *reinitiate_mediation_job_create(
-												ike_sa_id_t *mediation_sa_id,
-												ike_sa_id_t *mediated_sa_id);
-
-#endif /** INITIATE_MEDIATION_JOB_H_ @}*/
diff --git a/src/charon/processing/jobs/job.h b/src/charon/processing/jobs/job.h
deleted file mode 100644
index 0f1c16ebe..000000000
--- a/src/charon/processing/jobs/job.h
+++ /dev/null
@@ -1,52 +0,0 @@
-/*
- * Copyright (C) 2005-2006 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup job job
- * @{ @ingroup jobs
- */
-
-#ifndef JOB_H_
-#define JOB_H_
-
-typedef struct job_t job_t;
-
-#include <library.h>
-
-/**
- * Job-Interface as it is stored in the job queue.
- */
-struct job_t {
-
-	/**
-	 * Execute a job.
-	 *
-	 * The processing facility executes a job using this method. Jobs are
-	 * one-shot, they destroy themself after execution, so don't use a job
-	 * once it has been executed.
-	 */
-	void (*execute) (job_t *this);
-
-	/**
-	 * Destroy a job.
-	 *
-	 * Is only called whenever a job was not executed (e.g. due daemon shutdown).
-	 * After execution, jobs destroy themself.
-	 */
-	void (*destroy) (job_t *job);
-};
-
-#endif /** JOB_H_ @}*/
diff --git a/src/charon/processing/jobs/mediation_job.c b/src/charon/processing/jobs/mediation_job.c
deleted file mode 100644
index b5b8af3b3..000000000
--- a/src/charon/processing/jobs/mediation_job.c
+++ /dev/null
@@ -1,195 +0,0 @@
-/*
- * Copyright (C) 2007 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "mediation_job.h"
-
-#include <encoding/payloads/endpoint_notify.h>
-#include <daemon.h>
-
-
-typedef struct private_mediation_job_t private_mediation_job_t;
-
-/**
- * Private data of an mediation_job_t Object
- */
-struct private_mediation_job_t {
-	/**
-	 * public mediation_job_t interface
-	 */
-	mediation_job_t public;
-
-	/**
-	 * ID of target peer.
-	 */
-	identification_t *target;
-
-	/**
-	 * ID of the source peer.
-	 */
-	identification_t *source;
-
-	/**
-	 * ME_CONNECTID
-	 */
-	chunk_t connect_id;
-
-	/**
-	 * ME_CONNECTKEY
-	 */
-	chunk_t connect_key;
-
-	/**
-	 * Submitted endpoints
-	 */
-	linked_list_t *endpoints;
-
-	/**
-	 * Is this a callback job?
-	 */
-	bool callback;
-
-	/**
-	 * Is this a response?
-	 */
-	bool response;
-};
-
-/**
- * Implements job_t.destroy.
- */
-static void destroy(private_mediation_job_t *this)
-{
-	DESTROY_IF(this->target);
-	DESTROY_IF(this->source);
-	chunk_free(&this->connect_id);
-	chunk_free(&this->connect_key);
-	DESTROY_OFFSET_IF(this->endpoints, offsetof(endpoint_notify_t, destroy));
-	free(this);
-}
-
-/**
- * Implementation of job_t.execute.
- */
-static void execute(private_mediation_job_t *this)
-{
-	ike_sa_id_t *target_sa_id;
-
-	target_sa_id = charon->mediation_manager->check(charon->mediation_manager, this->target);
-
-	if (target_sa_id)
-	{
-		ike_sa_t *target_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager,
-											  target_sa_id);
-		if (target_sa)
-		{
-			if (this->callback)
-			{
-				/* send callback to a peer */
-				if (target_sa->callback(target_sa, this->source) != SUCCESS)
-				{
-					DBG1(DBG_JOB, "callback for '%Y' to '%Y' failed",
-							this->source, this->target);
-					charon->ike_sa_manager->checkin(charon->ike_sa_manager, target_sa);
-					destroy(this);
-					return;
-				}
-			}
-			else
-			{
-				/* normal mediation between two peers */
-				if (target_sa->relay(target_sa, this->source, this->connect_id,
-						this->connect_key, this->endpoints, this->response) != SUCCESS)
-				{
-					DBG1(DBG_JOB, "mediation between '%Y' and '%Y' failed",
-							this->source, this->target);
-					charon->ike_sa_manager->checkin(charon->ike_sa_manager, target_sa);
-					/* FIXME: notify the initiator */
-					destroy(this);
-					return;
-				}
-			}
-
-			charon->ike_sa_manager->checkin(charon->ike_sa_manager, target_sa);
-		}
-		else
-		{
-			DBG1(DBG_JOB, "mediation between '%Y' and '%Y' failed: "
-					"SA not found", this->source, this->target);
-		}
-	}
-	else
-	{
-		DBG1(DBG_JOB, "mediation between '%Y' and '%Y' failed: "
-				"peer is not online anymore", this->source, this->target);
-	}
-	destroy(this);
-}
-
-/**
- * Creates an empty mediation job
- */
-static private_mediation_job_t *mediation_job_create_empty()
-{
-	private_mediation_job_t *this = malloc_thing(private_mediation_job_t);
-
-	/* interface functions */
-	this->public.job_interface.execute = (void (*) (job_t *)) execute;
-	this->public.job_interface.destroy = (void (*) (job_t *)) destroy;
-
-	/* private variables */
-	this->target = NULL;
-	this->source = NULL;
-	this->callback = FALSE;
-	this->connect_id = chunk_empty;
-	this->connect_key = chunk_empty;
-	this->endpoints = NULL;
-	this->response = FALSE;
-
-	return this;
-}
-
-/*
- * Described in header
- */
-mediation_job_t *mediation_job_create(identification_t *peer_id,
-		identification_t *requester, chunk_t connect_id, chunk_t connect_key,
-		linked_list_t *endpoints, bool response)
-{
-	private_mediation_job_t *this = mediation_job_create_empty();
-
-	this->target = peer_id->clone(peer_id);
-	this->source = requester->clone(requester);
-	this->connect_id = chunk_clone(connect_id);
-	this->connect_key = chunk_clone(connect_key);
-	this->endpoints = endpoints->clone_offset(endpoints, offsetof(endpoint_notify_t, clone));
-	this->response = response;
-
-	return &this->public;
-}
-
-/*
- * Described in header
- */
-mediation_job_t *mediation_callback_job_create(identification_t *requester,
-		identification_t *peer_id)
-{
-	private_mediation_job_t *this = mediation_job_create_empty();
-
-	this->target = requester->clone(requester);
-	this->source = peer_id->clone(peer_id);
-	this->callback = TRUE;
-
-	return &this->public;
-}
diff --git a/src/charon/processing/jobs/mediation_job.h b/src/charon/processing/jobs/mediation_job.h
deleted file mode 100644
index 0574c65eb..000000000
--- a/src/charon/processing/jobs/mediation_job.h
+++ /dev/null
@@ -1,74 +0,0 @@
-/*
- * Copyright (C) 2007 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup mediation_job mediation_job
- * @{ @ingroup jobs
- */
-
-#ifndef MEDIATION_JOB_H_
-#define MEDIATION_JOB_H_
-
-typedef struct mediation_job_t mediation_job_t;
-
-#include <library.h>
-#include <processing/jobs/job.h>
-#include <utils/identification.h>
-#include <utils/linked_list.h>
-
-/**
- * Class representing a MEDIATION Job.
- *
- * This job handles the mediation on the mediation server.
- */
-struct mediation_job_t {
-	/**
-	 * implements job_t interface
-	 */
-	job_t job_interface;
-};
-
-/**
- * Creates a job of type MEDIATION.
- *
- * Parameters get cloned.
- *
- * @param peer_id		ID of the requested peer
- * @param requester		ID of the requesting peer
- * @param connect_id	content of ME_CONNECTID (could be NULL)
- * @param connect_key	content of ME_CONNECTKEY
- * @param endpoints		list of submitted endpoints
- * @param response		TRUE if this is a response
- * @return				job object
- */
-mediation_job_t *mediation_job_create(identification_t *peer_id,
-		identification_t *requester, chunk_t connect_id, chunk_t connect_key,
-		linked_list_t *endpoints, bool response);
-
-
-/**
- * Creates a special job of type MEDIATION that is used to send a callback
- * notification to a peer.
- *
- * Parameters get cloned.
- *
- * @param requester		ID of the waiting peer
- * @param peer_id		ID of the requested peer
- * @return				job object
- */
-mediation_job_t *mediation_callback_job_create(identification_t *requester,
-		identification_t *peer_id);
-
-#endif /** MEDIATION_JOB_H_ @}*/
diff --git a/src/charon/processing/jobs/migrate_job.c b/src/charon/processing/jobs/migrate_job.c
deleted file mode 100644
index 05f47340c..000000000
--- a/src/charon/processing/jobs/migrate_job.c
+++ /dev/null
@@ -1,150 +0,0 @@
-/*
- * Copyright (C) 2008 Andreas Steffen
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "migrate_job.h"
-
-#include <daemon.h>
-
-#include <config/child_cfg.h>
-
-
-typedef struct private_migrate_job_t private_migrate_job_t;
-
-/**
- * Private data of a migrate_job_t object.
- */
-struct private_migrate_job_t {
-	/**
-	 * Public migrate_job_t interface.
-	 */
-	migrate_job_t public;
-
-	/**
-	 * reqid of the CHILD_SA if it already exists
-	 */
-	u_int32_t reqid;
-
-	/**
-	 * source traffic selector
-	 */
-	traffic_selector_t *src_ts;
-
-	/**
-	 * destination traffic selector
-	 */
-	traffic_selector_t *dst_ts;
-
-	/**
-	 * local host address to be used for IKE
-	 */
-	host_t *local;
-
-	/**
-	 * remote host address to be used for IKE
-	 */
-	host_t *remote;
-};
-
-/**
- * Implementation of job_t.destroy.
- */
-static void destroy(private_migrate_job_t *this)
-{
-	DESTROY_IF(this->src_ts);
-	DESTROY_IF(this->dst_ts);
-	DESTROY_IF(this->local);
-	DESTROY_IF(this->remote);
-	free(this);
-}
-
-/**
- * Implementation of job_t.execute.
- */
-static void execute(private_migrate_job_t *this)
-{
-	ike_sa_t *ike_sa = NULL;
-
-	if (this->reqid)
-	{
-		ike_sa = charon->ike_sa_manager->checkout_by_id(charon->ike_sa_manager,
-														this->reqid, TRUE);
-	}
-	if (ike_sa)
-	{
-		iterator_t *children;
-		child_sa_t *child_sa;
-		host_t *host;
-
-		children = ike_sa->create_child_sa_iterator(ike_sa);
-		while (children->iterate(children, (void**)&child_sa))
-		{
-			if (child_sa->get_reqid(child_sa) == this->reqid)
-			{
-				break;
-			}
-		}
-		children->destroy(children);
-		DBG2(DBG_JOB, "found CHILD_SA with reqid {%d}", this->reqid);
-
-		ike_sa->set_kmaddress(ike_sa, this->local, this->remote);
-
-		host = this->local->clone(this->local);
-		host->set_port(host, IKEV2_UDP_PORT);
-		ike_sa->set_my_host(ike_sa, host);
-
-		host = this->remote->clone(this->remote);
-		host->set_port(host, IKEV2_UDP_PORT);
-		ike_sa->set_other_host(ike_sa, host);
-
-		if (child_sa->update(child_sa, this->local, this->remote,
-				ike_sa->get_virtual_ip(ike_sa, TRUE),
-				ike_sa->has_condition(ike_sa, COND_NAT_ANY)) == NOT_SUPPORTED)
-		{
-			ike_sa->rekey_child_sa(ike_sa, child_sa->get_protocol(child_sa),
-								   child_sa->get_spi(child_sa, TRUE));
-		}
-		charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
-	}
-	else
-	{
-		DBG1(DBG_JOB, "no CHILD_SA found with reqid {%d}", this->reqid);
-	}
-	destroy(this);
-}
-
-/*
- * Described in header
- */
-migrate_job_t *migrate_job_create(u_int32_t reqid,
-								  traffic_selector_t *src_ts,
-								  traffic_selector_t *dst_ts,
-								  policy_dir_t dir,
-								  host_t *local, host_t *remote)
-{
-	private_migrate_job_t *this = malloc_thing(private_migrate_job_t);
-
-	/* interface functions */
-	this->public.job_interface.execute = (void (*) (job_t *)) execute;
-	this->public.job_interface.destroy = (void (*)(job_t*)) destroy;
-
-	/* private variables */
-	this->reqid = reqid;
-	this->src_ts = (dir == POLICY_OUT) ? src_ts : dst_ts;
-	this->dst_ts = (dir == POLICY_OUT) ? dst_ts : src_ts;
-	this->local = local;
-	this->remote = remote;
-
-	return &this->public;
-}
diff --git a/src/charon/processing/jobs/migrate_job.h b/src/charon/processing/jobs/migrate_job.h
deleted file mode 100644
index de313d517..000000000
--- a/src/charon/processing/jobs/migrate_job.h
+++ /dev/null
@@ -1,61 +0,0 @@
-/*
- * Copyright (C) 2008 Andreas Steffen
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup migrate_job migrate_job
- * @{ @ingroup jobs
- */
-
-#ifndef MIGRATE_JOB_H_
-#define MIGRATE_JOB_H_
-
-typedef struct migrate_job_t migrate_job_t;
-
-#include <library.h>
-#include <utils/host.h>
-#include <selectors/traffic_selector.h>
-#include <kernel/kernel_ipsec.h>
-#include <processing/jobs/job.h>
-
-/**
- * Class representing a MIGRATE Job.
- *
- * This job sets a routed CHILD_SA for an existing IPsec policy.
- */
-struct migrate_job_t {
-	/**
-	 * The job_t interface.
-	 */
-	job_t job_interface;
-};
-
-/**
- * Creates a job of type MIGRATE.
- *
- * We use the reqid or the traffic selectors to find a matching CHILD_SA.
- *
- * @param reqid		reqid of the CHILD_SA to acquire
- * @param src_ts	source traffic selector to be used in the policy
- * @param dst_ts	destination traffic selector to be used in the policy
- * @param dir		direction of the policy (in|out)
- * @param local		local host address to be used in the IKE_SA
- * @param remote	remote host address to be used in the IKE_SA
- * @return			migrate_job_t object
- */
-migrate_job_t *migrate_job_create(u_int32_t reqid,
-						traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
-						policy_dir_t dir, host_t *local, host_t *remote);
-
-#endif /** MIGRATE_JOB_H_ @}*/
diff --git a/src/charon/processing/jobs/process_message_job.c b/src/charon/processing/jobs/process_message_job.c
deleted file mode 100644
index a47d48e38..000000000
--- a/src/charon/processing/jobs/process_message_job.c
+++ /dev/null
@@ -1,106 +0,0 @@
-/*
- * Copyright (C) 2005-2007 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "process_message_job.h"
-
-#include <daemon.h>
-
-typedef struct private_process_message_job_t private_process_message_job_t;
-
-/**
- * Private data of an process_message_job_t Object
- */
-struct private_process_message_job_t {
-	/**
-	 * public process_message_job_t interface
-	 */
-	process_message_job_t public;
-
-	/**
-	 * Message associated with this job
-	 */
-	message_t *message;
-};
-
-/**
- * Implements job_t.destroy.
- */
-static void destroy(private_process_message_job_t *this)
-{
-	this->message->destroy(this->message);
-	free(this);
-}
-
-/**
- * Implementation of job_t.execute.
- */
-static void execute(private_process_message_job_t *this)
-{
-	ike_sa_t *ike_sa;
-
-#ifdef ME
-	/* if this is an unencrypted INFORMATIONAL exchange it is likely a
-	 * connectivity check. */
-	if (this->message->get_exchange_type(this->message) == INFORMATIONAL &&
-		this->message->get_first_payload_type(this->message) != ENCRYPTED)
-	{
-		/* theoretically this could also be an error message
-		 * see RFC 4306, section 1.5. */
-		DBG1(DBG_NET, "received unencrypted informational: from %#H to %#H",
-			 this->message->get_source(this->message),
-			 this->message->get_destination(this->message));
-		charon->connect_manager->process_check(charon->connect_manager, this->message);
-		destroy(this);
-		return;
-	}
-#endif /* ME */
-
-	ike_sa = charon->ike_sa_manager->checkout_by_message(charon->ike_sa_manager,
-														 this->message);
-	if (ike_sa)
-	{
-		DBG1(DBG_NET, "received packet: from %#H to %#H",
-			 this->message->get_source(this->message),
-			 this->message->get_destination(this->message));
-		if (ike_sa->process_message(ike_sa, this->message) == DESTROY_ME)
-		{
-			charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager,
-														ike_sa);
-		}
-		else
-		{
-			charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
-		}
-	}
-	destroy(this);
-}
-
-/*
- * Described in header
- */
-process_message_job_t *process_message_job_create(message_t *message)
-{
-	private_process_message_job_t *this = malloc_thing(private_process_message_job_t);
-
-	/* interface functions */
-	this->public.job_interface.execute = (void (*) (job_t *)) execute;
-	this->public.job_interface.destroy = (void(*)(job_t*))destroy;
-
-	/* private variables */
-	this->message = message;
-
-	return &(this->public);
-}
diff --git a/src/charon/processing/jobs/process_message_job.h b/src/charon/processing/jobs/process_message_job.h
deleted file mode 100644
index 5e3f44d1f..000000000
--- a/src/charon/processing/jobs/process_message_job.h
+++ /dev/null
@@ -1,49 +0,0 @@
-/*
- * Copyright (C) 2005-2007 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup process_message_job process_message_job
- * @{ @ingroup jobs
- */
-
-#ifndef PROCESS_MESSAGE_JOB_H_
-#define PROCESS_MESSAGE_JOB_H_
-
-typedef struct process_message_job_t process_message_job_t;
-
-#include <library.h>
-#include <encoding/message.h>
-#include <processing/jobs/job.h>
-
-/**
- * Class representing an PROCESS_MESSAGE job.
- */
-struct process_message_job_t {
-	/**
-	 * implements job_t interface
-	 */
-	job_t job_interface;
-};
-
-/**
- * Creates a job of type PROCESS_MESSAGE.
- *
- * @param message		message to process
- * @return				created process_message_job_t object
- */
-process_message_job_t *process_message_job_create(message_t *message);
-
-#endif /** PROCESS_MESSAGE_JOB_H_ @}*/
diff --git a/src/charon/processing/jobs/rekey_child_sa_job.c b/src/charon/processing/jobs/rekey_child_sa_job.c
deleted file mode 100644
index b797d181e..000000000
--- a/src/charon/processing/jobs/rekey_child_sa_job.c
+++ /dev/null
@@ -1,97 +0,0 @@
-/*
- * Copyright (C) 2006 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "rekey_child_sa_job.h"
-
-#include <daemon.h>
-
-
-typedef struct private_rekey_child_sa_job_t private_rekey_child_sa_job_t;
-
-/**
- * Private data of an rekey_child_sa_job_t object.
- */
-struct private_rekey_child_sa_job_t {
-	/**
-	 * Public rekey_child_sa_job_t interface.
-	 */
-	rekey_child_sa_job_t public;
-
-	/**
-	 * reqid of the child to rekey
-	 */
-	u_int32_t reqid;
-
-	/**
-	 * protocol of the CHILD_SA (ESP/AH)
-	 */
-	protocol_id_t protocol;
-
-	/**
-	 * inbound SPI of the CHILD_SA
-	 */
-	u_int32_t spi;
-};
-
-/**
- * Implementation of job_t.destroy.
- */
-static void destroy(private_rekey_child_sa_job_t *this)
-{
-	free(this);
-}
-
-/**
- * Implementation of job_t.execute.
- */
-static void execute(private_rekey_child_sa_job_t *this)
-{
-	ike_sa_t *ike_sa;
-
-	ike_sa = charon->ike_sa_manager->checkout_by_id(charon->ike_sa_manager,
-													this->reqid, TRUE);
-	if (ike_sa == NULL)
-	{
-		DBG2(DBG_JOB, "CHILD_SA with reqid %d not found for rekeying",
-			 this->reqid);
-	}
-	else
-	{
-		ike_sa->rekey_child_sa(ike_sa, this->protocol, this->spi);
-		charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
-	}
-	destroy(this);
-}
-
-/*
- * Described in header
- */
-rekey_child_sa_job_t *rekey_child_sa_job_create(u_int32_t reqid,
-												protocol_id_t protocol,
-												u_int32_t spi)
-{
-	private_rekey_child_sa_job_t *this = malloc_thing(private_rekey_child_sa_job_t);
-
-	/* interface functions */
-	this->public.job_interface.execute = (void (*) (job_t *)) execute;
-	this->public.job_interface.destroy = (void (*)(job_t*)) destroy;
-
-	/* private variables */
-	this->reqid = reqid;
-	this->protocol = protocol;
-	this->spi = spi;
-
-	return &this->public;
-}
diff --git a/src/charon/processing/jobs/rekey_child_sa_job.h b/src/charon/processing/jobs/rekey_child_sa_job.h
deleted file mode 100644
index 62887d6b9..000000000
--- a/src/charon/processing/jobs/rekey_child_sa_job.h
+++ /dev/null
@@ -1,57 +0,0 @@
-/*
- * Copyright (C) 2006 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup rekey_child_sa_job rekey_child_sa_job
- * @{ @ingroup jobs
- */
-
-#ifndef REKEY_CHILD_SA_JOB_H_
-#define REKEY_CHILD_SA_JOB_H_
-
-typedef struct rekey_child_sa_job_t rekey_child_sa_job_t;
-
-#include <library.h>
-#include <sa/ike_sa_id.h>
-#include <processing/jobs/job.h>
-#include <config/proposal.h>
-
-/**
- * Class representing an REKEY_CHILD_SA Job.
- *
- * This job initiates the rekeying of a CHILD SA.
- */
-struct rekey_child_sa_job_t {
-	/**
-	 * The job_t interface.
-	 */
-	job_t job_interface;
-};
-
-/**
- * Creates a job of type REKEY_CHILD_SA.
- *
- * The CHILD_SA is identified by its protocol (AH/ESP) and its
- * inbound SPI.
- *
- * @param reqid		reqid of the CHILD_SA to rekey
- * @param protocol	protocol of the CHILD_SA
- * @param spi		security parameter index of the CHILD_SA
- * @return			rekey_child_sa_job_t object
- */
-rekey_child_sa_job_t *rekey_child_sa_job_create(u_int32_t reqid,
-												protocol_id_t protocol,
-												u_int32_t spi);
-#endif /** REKEY_CHILD_SA_JOB_H_ @}*/
diff --git a/src/charon/processing/jobs/rekey_ike_sa_job.c b/src/charon/processing/jobs/rekey_ike_sa_job.c
deleted file mode 100644
index 5ec0b1b88..000000000
--- a/src/charon/processing/jobs/rekey_ike_sa_job.c
+++ /dev/null
@@ -1,104 +0,0 @@
-/*
- * Copyright (C) 2006 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "rekey_ike_sa_job.h"
-
-#include <daemon.h>
-
-typedef struct private_rekey_ike_sa_job_t private_rekey_ike_sa_job_t;
-
-/**
- * Private data of an rekey_ike_sa_job_t object.
- */
-struct private_rekey_ike_sa_job_t {
-	/**
-	 * Public rekey_ike_sa_job_t interface.
-	 */
-	rekey_ike_sa_job_t public;
-
-	/**
-	 * ID of the IKE_SA to rekey
-	 */
-	ike_sa_id_t *ike_sa_id;
-
-	/**
-	 * force reauthentication of the peer (full IKE_SA setup)
-	 */
-	bool reauth;
-};
-
-/**
- * Implementation of job_t.destroy.
- */
-static void destroy(private_rekey_ike_sa_job_t *this)
-{
-	this->ike_sa_id->destroy(this->ike_sa_id);
-	free(this);
-}
-
-/**
- * Implementation of job_t.execute.
- */
-static void execute(private_rekey_ike_sa_job_t *this)
-{
-	ike_sa_t *ike_sa;
-	status_t status = SUCCESS;
-
-	ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager,
-											  this->ike_sa_id);
-	if (ike_sa == NULL)
-	{
-		DBG2(DBG_JOB, "IKE_SA to rekey not found");
-	}
-	else
-	{
-		if (this->reauth)
-		{
-			status = ike_sa->reauth(ike_sa);
-		}
-		else
-		{
-			status = ike_sa->rekey(ike_sa);
-		}
-
-		if (status == DESTROY_ME)
-		{
-			charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, ike_sa);
-		}
-		else
-		{
-			charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
-		}
-	}
-	destroy(this);
-}
-
-/*
- * Described in header
- */
-rekey_ike_sa_job_t *rekey_ike_sa_job_create(ike_sa_id_t *ike_sa_id, bool reauth)
-{
-	private_rekey_ike_sa_job_t *this = malloc_thing(private_rekey_ike_sa_job_t);
-
-	/* interface functions */
-	this->public.job_interface.execute = (void (*) (job_t *)) execute;
-	this->public.job_interface.destroy = (void (*)(job_t*)) destroy;
-
-	/* private variables */
-	this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
-	this->reauth = reauth;
-
-	return &(this->public);
-}
diff --git a/src/charon/processing/jobs/rekey_ike_sa_job.h b/src/charon/processing/jobs/rekey_ike_sa_job.h
deleted file mode 100644
index a5c1028aa..000000000
--- a/src/charon/processing/jobs/rekey_ike_sa_job.h
+++ /dev/null
@@ -1,51 +0,0 @@
-/*
- * Copyright (C) 2006 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup rekey_ike_sa_job rekey_ike_sa_job
- * @{ @ingroup jobs
- */
-
-#ifndef REKEY_IKE_SA_JOB_H_
-#define REKEY_IKE_SA_JOB_H_
-
-typedef struct rekey_ike_sa_job_t rekey_ike_sa_job_t;
-
-#include <library.h>
-#include <sa/ike_sa_id.h>
-#include <processing/jobs/job.h>
-
-/**
- * Class representing an REKEY_IKE_SA Job.
- *
- * This job initiates the rekeying of an IKE_SA.
- */
-struct rekey_ike_sa_job_t {
-	/**
-	 * The job_t interface.
-	 */
-	job_t job_interface;
-};
-
-/**
- * Creates a job of type REKEY_IKE_SA.
- *
- * @param ike_sa_id		ID of the IKE_SA to rekey
- * @param reauth		TRUE to reauthenticate peer, FALSE for rekeying only
- * @return				rekey_ike_sa_job_t object
- */
-rekey_ike_sa_job_t *rekey_ike_sa_job_create(ike_sa_id_t *ike_sa_id, bool reauth);
-
-#endif /** REKEY_IKE_SA_JOB_H_ @}*/
diff --git a/src/charon/processing/jobs/retransmit_job.c b/src/charon/processing/jobs/retransmit_job.c
deleted file mode 100644
index fc787f208..000000000
--- a/src/charon/processing/jobs/retransmit_job.c
+++ /dev/null
@@ -1,93 +0,0 @@
-/*
- * Copyright (C) 2005-2007 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "retransmit_job.h"
-
-#include <daemon.h>
-
-typedef struct private_retransmit_job_t private_retransmit_job_t;
-
-/**
- * Private data of an retransmit_job_t Object.
- */
-struct private_retransmit_job_t {
-	/**
-	 * Public retransmit_job_t interface.
-	 */
-	retransmit_job_t public;
-
-	/**
-	 * Message ID of the request to resend.
-	 */
-	u_int32_t message_id;
-
-	/**
-	 * ID of the IKE_SA which the message belongs to.
-	 */
-	ike_sa_id_t *ike_sa_id;
-};
-
-/**
- * Implements job_t.destroy.
- */
-static void destroy(private_retransmit_job_t *this)
-{
-	this->ike_sa_id->destroy(this->ike_sa_id);
-	free(this);
-}
-
-/**
- * Implementation of job_t.execute.
- */
-static void execute(private_retransmit_job_t *this)
-{
-	ike_sa_t *ike_sa;
-
-	ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager,
-											  this->ike_sa_id);
-	if (ike_sa)
-	{
-		if (ike_sa->retransmit(ike_sa, this->message_id) == DESTROY_ME)
-		{
-			/* retransmitted to many times, giving up */
-			charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager,
-														ike_sa);
-		}
-		else
-		{
-			charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
-		}
-	}
-	destroy(this);
-}
-
-/*
- * Described in header.
- */
-retransmit_job_t *retransmit_job_create(u_int32_t message_id,ike_sa_id_t *ike_sa_id)
-{
-	private_retransmit_job_t *this = malloc_thing(private_retransmit_job_t);
-
-	/* interface functions */
-	this->public.job_interface.execute = (void (*) (job_t *)) execute;
-	this->public.job_interface.destroy = (void (*) (job_t *)) destroy;
-
-	/* private variables */
-	this->message_id = message_id;
-	this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
-
-	return &this->public;
-}
diff --git a/src/charon/processing/jobs/retransmit_job.h b/src/charon/processing/jobs/retransmit_job.h
deleted file mode 100644
index c8c13479b..000000000
--- a/src/charon/processing/jobs/retransmit_job.h
+++ /dev/null
@@ -1,55 +0,0 @@
-/*
- * Copyright (C) 2005-2007 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup retransmit_job retransmit_job
- * @{ @ingroup jobs
- */
-
-#ifndef RETRANSMIT_JOB_H_
-#define RETRANSMIT_JOB_H_
-
-typedef struct retransmit_job_t retransmit_job_t;
-
-#include <library.h>
-#include <processing/jobs/job.h>
-#include <sa/ike_sa_id.h>
-
-/**
- * Class representing an retransmit Job.
- *
- * This job is scheduled every time a request is sent over the
- * wire. If the response to the request is not received at schedule
- * time, the retransmission will be initiated.
- */
-struct retransmit_job_t {
-	/**
-	 * The job_t interface.
-	 */
-	job_t job_interface;
-};
-
-/**
- * Creates a job of type retransmit.
- *
- * @param message_id		message_id of the request to resend
- * @param ike_sa_id			identification of the ike_sa as ike_sa_id_t
- * @return					retransmit_job_t object
- */
-retransmit_job_t *retransmit_job_create(u_int32_t message_id,
-										ike_sa_id_t *ike_sa_id);
-
-#endif /** RETRANSMIT_JOB_H_ @}*/
diff --git a/src/charon/processing/jobs/roam_job.c b/src/charon/processing/jobs/roam_job.c
deleted file mode 100644
index adc884a8a..000000000
--- a/src/charon/processing/jobs/roam_job.c
+++ /dev/null
@@ -1,106 +0,0 @@
-/*
- * Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <stdlib.h>
-
-#include "roam_job.h"
-
-#include <sa/ike_sa.h>
-#include <daemon.h>
-
-
-typedef struct private_roam_job_t private_roam_job_t;
-
-/**
- * Private data of an roam_job_t Object
- */
-struct private_roam_job_t {
-	/**
-	 * public roam_job_t interface
-	 */
-	roam_job_t public;
-
-	/**
-	 * has the address list changed, or the routing only?
-	 */
-	bool address;
-};
-
-/**
- * Implements job_t.destroy.
- */
-static void destroy(private_roam_job_t *this)
-{
-	free(this);
-}
-
-/**
- * Implementation of job_t.execute.
- */
-static void execute(private_roam_job_t *this)
-{
-	ike_sa_t *ike_sa;
-	linked_list_t *list;
-	ike_sa_id_t *id;
-	enumerator_t *enumerator;
-
-	/* enumerator over all IKE_SAs gives us no way to checkin_and_destroy
-	 * after a DESTROY_ME, so we check out each available IKE_SA by hand. */
-	list = linked_list_create();
-	enumerator = charon->ike_sa_manager->create_enumerator(charon->ike_sa_manager);
-	while (enumerator->enumerate(enumerator, &ike_sa))
-	{
-		id = ike_sa->get_id(ike_sa);
-		list->insert_last(list, id->clone(id));
-	}
-	enumerator->destroy(enumerator);
-
-	while (list->remove_last(list, (void**)&id) == SUCCESS)
-	{
-		ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager, id);
-		if (ike_sa)
-		{
-			if (ike_sa->roam(ike_sa, this->address) == DESTROY_ME)
-			{
-				charon->ike_sa_manager->checkin_and_destroy(
-											charon->ike_sa_manager, ike_sa);
-			}
-			else
-			{
-				charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
-			}
-		}
-		id->destroy(id);
-	}
-	list->destroy(list);
-
-	destroy(this);
-}
-
-/*
- * Described in header
- */
-roam_job_t *roam_job_create(bool address)
-{
-	private_roam_job_t *this = malloc_thing(private_roam_job_t);
-
-	this->public.job_interface.execute = (void (*) (job_t *)) execute;
-	this->public.job_interface.destroy = (void (*) (job_t *)) destroy;
-
-	this->address = address;
-
-	return &this->public;
-}
-
diff --git a/src/charon/processing/jobs/roam_job.h b/src/charon/processing/jobs/roam_job.h
deleted file mode 100644
index 55bdf2b28..000000000
--- a/src/charon/processing/jobs/roam_job.h
+++ /dev/null
@@ -1,52 +0,0 @@
-/*
- * Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup roam_job roam_job
- * @{ @ingroup jobs
- */
-
-#ifndef ROAM_JOB_H_
-#define ROAM_JOB_H_
-
-typedef struct roam_job_t roam_job_t;
-
-#include <library.h>
-#include <sa/ike_sa_id.h>
-#include <processing/jobs/job.h>
-
-/**
- * A job to inform IKE_SAs about changed local address setup.
- *
- * If a local address appears or disappears, the kernel fires this job to
- * update all IKE_SAs.
- */
-struct roam_job_t {
-
-	/**
-	 * implements job_t interface
-	 */
-	job_t job_interface;
-};
-
-/**
- * Creates a job to inform IKE_SAs about an updated address list.
- *
- * @param address		TRUE if address list changed, FALSE if routing changed
- * @return				initiate_ike_sa_job_t object
- */
-roam_job_t *roam_job_create(bool address);
-
-#endif /** ROAM_JOB_H_ @}*/
diff --git a/src/charon/processing/jobs/send_dpd_job.c b/src/charon/processing/jobs/send_dpd_job.c
deleted file mode 100644
index 1c2da52b8..000000000
--- a/src/charon/processing/jobs/send_dpd_job.c
+++ /dev/null
@@ -1,88 +0,0 @@
-/*
- * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <stdlib.h>
-
-#include "send_dpd_job.h"
-
-#include <sa/ike_sa.h>
-#include <daemon.h>
-
-
-typedef struct private_send_dpd_job_t private_send_dpd_job_t;
-
-/**
- * Private data of an send_dpd_job_t Object
- */
-struct private_send_dpd_job_t {
-	/**
-	 * public send_dpd_job_t interface
-	 */
-	send_dpd_job_t public;
-
-	/**
-	 * ID of the IKE_SA which the message belongs to.
-	 */
-	ike_sa_id_t *ike_sa_id;
-};
-
-/**
- * Implements job_t.destroy.
- */
-static void destroy(private_send_dpd_job_t *this)
-{
-	this->ike_sa_id->destroy(this->ike_sa_id);
-	free(this);
-}
-
-/**
- * Implementation of job_t.execute.
- */
-static void execute(private_send_dpd_job_t *this)
-{
-	ike_sa_t *ike_sa;
-
-	ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager,
-											  this->ike_sa_id);
-	if (ike_sa)
-	{
-		if (ike_sa->send_dpd(ike_sa) == DESTROY_ME)
-		{
-			charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, ike_sa);
-		}
-		else
-		{
-			charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
-		}
-	}
-	destroy(this);
-}
-
-/*
- * Described in header
- */
-send_dpd_job_t *send_dpd_job_create(ike_sa_id_t *ike_sa_id)
-{
-	private_send_dpd_job_t *this = malloc_thing(private_send_dpd_job_t);
-
-	/* interface functions */
-	this->public.job_interface.execute = (void (*) (job_t *)) execute;
-	this->public.job_interface.destroy = (void (*) (job_t *)) destroy;
-
-	/* private variables */
-	this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
-
-	return &this->public;
-}
diff --git a/src/charon/processing/jobs/send_dpd_job.h b/src/charon/processing/jobs/send_dpd_job.h
deleted file mode 100644
index 8078a38bc..000000000
--- a/src/charon/processing/jobs/send_dpd_job.h
+++ /dev/null
@@ -1,52 +0,0 @@
-/*
- * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup send_dpd_job send_dpd_job
- * @{ @ingroup jobs
- */
-
-#ifndef SEND_DPD_JOB_H_
-#define SEND_DPD_JOB_H_
-
-typedef struct send_dpd_job_t send_dpd_job_t;
-
-#include <library.h>
-#include <processing/jobs/job.h>
-#include <sa/ike_sa_id.h>
-
-/**
- * Class representing a SEND_DPD Job.
- *
- * Job to periodically send a Dead Peer Detection (DPD) request,
- * ie. an IKE request with no payloads other than the encrypted payload
- * required by the syntax.
- */
-struct send_dpd_job_t {
-	/**
-	 * implements job_t interface
-	 */
-	job_t job_interface;
-};
-
-/**
- * Creates a job of type SEND_DPD.
- *
- * @param ike_sa_id		identification of the ike_sa as ike_sa_id_t object (gets cloned)
- * @return				initiate_ike_sa_job_t object
- */
-send_dpd_job_t *send_dpd_job_create(ike_sa_id_t *ike_sa_id);
-
-#endif /** SEND_DPD_JOB_H_ @}*/
diff --git a/src/charon/processing/jobs/send_keepalive_job.c b/src/charon/processing/jobs/send_keepalive_job.c
deleted file mode 100644
index 3d02cea2e..000000000
--- a/src/charon/processing/jobs/send_keepalive_job.c
+++ /dev/null
@@ -1,82 +0,0 @@
-/*
- * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <stdlib.h>
-
-#include "send_keepalive_job.h"
-
-#include <sa/ike_sa.h>
-#include <daemon.h>
-
-
-typedef struct private_send_keepalive_job_t private_send_keepalive_job_t;
-
-/**
- * Private data of an send_keepalive_job_t Object
- */
-struct private_send_keepalive_job_t {
-	/**
-	 * public send_keepalive_job_t interface
-	 */
-	send_keepalive_job_t public;
-
-	/**
-	 * ID of the IKE_SA which the message belongs to.
-	 */
-	ike_sa_id_t *ike_sa_id;
-};
-
-/**
- * Implements job_t.destroy.
- */
-static void destroy(private_send_keepalive_job_t *this)
-{
-	this->ike_sa_id->destroy(this->ike_sa_id);
-	free(this);
-}
-
-/**
- * Implementation of job_t.execute.
- */
-static void execute(private_send_keepalive_job_t *this)
-{
-	ike_sa_t *ike_sa;
-
-	ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager,
-											  this->ike_sa_id);
-	if (ike_sa)
-	{
-		ike_sa->send_keepalive(ike_sa);
-		charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
-	}
-	destroy(this);
-}
-
-/*
- * Described in header
- */
-send_keepalive_job_t *send_keepalive_job_create(ike_sa_id_t *ike_sa_id)
-{
-	private_send_keepalive_job_t *this = malloc_thing(private_send_keepalive_job_t);
-
-	/* interface functions */
-	this->public.job_interface.execute = (void (*) (job_t *)) execute;
-	this->public.job_interface.destroy = (void (*) (job_t *)) destroy;
-
-	/* private variables */
-	this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
-
-	return &this->public;
-}
diff --git a/src/charon/processing/jobs/send_keepalive_job.h b/src/charon/processing/jobs/send_keepalive_job.h
deleted file mode 100644
index cda83cd7e..000000000
--- a/src/charon/processing/jobs/send_keepalive_job.h
+++ /dev/null
@@ -1,51 +0,0 @@
-/*
- * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup send_keepalive_job send_keepalive_job
- * @{ @ingroup jobs
- */
-
-#ifndef SEND_KEEPALIVE_JOB_H_
-#define SEND_KEEPALIVE_JOB_H_
-
-typedef struct send_keepalive_job_t send_keepalive_job_t;
-
-#include <library.h>
-#include <processing/jobs/job.h>
-#include <sa/ike_sa_id.h>
-
-/**
- * Class representing a SEND_KEEPALIVE Job.
- *
- * This job will send a NAT keepalive packet if the IKE SA is still alive,
- * and reinsert itself into the event queue.
- */
-struct send_keepalive_job_t {
-	/**
-	 * implements job_t interface
-	 */
-	job_t job_interface;
-};
-
-/**
- * Creates a job of type SEND_KEEPALIVE.
- *
- * @param ike_sa_id		identification of the ike_sa as ike_sa_id_t object (gets cloned)
- * @return				initiate_ike_sa_job_t object
- */
-send_keepalive_job_t *send_keepalive_job_create(ike_sa_id_t *ike_sa_id);
-
-#endif /** SEND_KEEPALIVE_JOB_H_ @}*/
diff --git a/src/charon/processing/jobs/update_sa_job.c b/src/charon/processing/jobs/update_sa_job.c
deleted file mode 100644
index 17dce2548..000000000
--- a/src/charon/processing/jobs/update_sa_job.c
+++ /dev/null
@@ -1,96 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <stdlib.h>
-
-#include "update_sa_job.h"
-
-#include <sa/ike_sa.h>
-#include <daemon.h>
-
-
-typedef struct private_update_sa_job_t private_update_sa_job_t;
-
-/**
- * Private data of an update_sa_job_t Object
- */
-struct private_update_sa_job_t {
-	/**
-	 * public update_sa_job_t interface
-	 */
-	update_sa_job_t public;
-
-	/**
-	 * reqid of the CHILD_SA
-	 */
-	u_int32_t reqid;
-
-	/**
-	 * New SA address and port
-	 */
-	host_t *new;
-};
-
-/**
- * Implements job_t.destroy.
- */
-static void destroy(private_update_sa_job_t *this)
-{
-	this->new->destroy(this->new);
-	free(this);
-}
-
-/**
- * Implementation of job_t.execute.
- */
-static void execute(private_update_sa_job_t *this)
-{
-	ike_sa_t *ike_sa;
-
-	ike_sa = charon->ike_sa_manager->checkout_by_id(charon->ike_sa_manager,
-													this->reqid, TRUE);
-	if (ike_sa == NULL)
-	{
-		DBG1(DBG_JOB, "CHILD_SA with reqid %d not found for update", this->reqid);
-	}
-	else
-	{
-		/* we update only if other host is NATed, but not our */
-		if (ike_sa->has_condition(ike_sa, COND_NAT_THERE) &&
-			!ike_sa->has_condition(ike_sa, COND_NAT_HERE))
-		{
-			ike_sa->update_hosts(ike_sa, NULL, this->new);
-		}
-		charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
-	}
-	destroy(this);
-}
-
-/*
- * Described in header
- */
-update_sa_job_t *update_sa_job_create(u_int32_t reqid, host_t *new)
-{
-	private_update_sa_job_t *this = malloc_thing(private_update_sa_job_t);
-
-	this->public.job_interface.execute = (void (*) (job_t *)) execute;
-	this->public.job_interface.destroy = (void (*) (job_t *)) destroy;
-
-	this->reqid = reqid;
-	this->new = new;
-
-	return &this->public;
-}
-
diff --git a/src/charon/processing/jobs/update_sa_job.h b/src/charon/processing/jobs/update_sa_job.h
deleted file mode 100644
index 11d1ac9b6..000000000
--- a/src/charon/processing/jobs/update_sa_job.h
+++ /dev/null
@@ -1,50 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup update_sa_job update_sa_job
- * @{ @ingroup jobs
- */
-
-#ifndef UPDATE_SA_JOB_H_
-#define UPDATE_SA_JOB_H_
-
-typedef struct update_sa_job_t update_sa_job_t;
-
-#include <library.h>
-#include <utils/host.h>
-#include <processing/jobs/job.h>
-
-/**
- * Update the addresses of an IKE and its CHILD_SAs.
- */
-struct update_sa_job_t {
-
-	/**
-	 * implements job_t interface
-	 */
-	job_t job_interface;
-};
-
-/**
- * Creates a job to update IKE and CHILD_SA addresses.
- *
- * @param reqid			reqid of the CHILD_SA
- * @param new			new address and port
- * @return				update_sa_job_t object
- */
-update_sa_job_t *update_sa_job_create(u_int32_t reqid, host_t *new);
-
-#endif /** UPDATE_SA_JOB_H_ @}*/
diff --git a/src/charon/processing/processor.c b/src/charon/processing/processor.c
deleted file mode 100644
index d5774af26..000000000
--- a/src/charon/processing/processor.c
+++ /dev/null
@@ -1,273 +0,0 @@
-/*
- * Copyright (C) 2005-2007 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <stdlib.h>
-#include <string.h>
-#include <errno.h>
-
-#include "processor.h"
-
-#include <daemon.h>
-#include <threading/thread.h>
-#include <threading/condvar.h>
-#include <threading/mutex.h>
-#include <utils/linked_list.h>
-
-
-typedef struct private_processor_t private_processor_t;
-
-/**
- * Private data of processor_t class.
- */
-struct private_processor_t {
-	/**
-	 * Public processor_t interface.
-	 */
-	processor_t public;
-
-	/**
-	 * Number of running threads
-	 */
-	u_int total_threads;
-
-	/**
-	 * Desired number of threads
-	 */
-	u_int desired_threads;
-
-	/**
-	 * Number of threads waiting for work
-	 */
-	u_int idle_threads;
-
-	/**
-	 * All threads managed in the pool (including threads that have been
-	 * cancelled, this allows to join them during destruction)
-	 */
-	linked_list_t *threads;
-
-	/**
-	 * The jobs are stored in a linked list
-	 */
-	linked_list_t *list;
-
-	/**
-	 * access to linked_list is locked through this mutex
-	 */
-	mutex_t *mutex;
-
-	/**
-	 * Condvar to wait for new jobs
-	 */
-	condvar_t *job_added;
-
-	/**
-	 * Condvar to wait for terminated threads
-	 */
-	condvar_t *thread_terminated;
-};
-
-static void process_jobs(private_processor_t *this);
-
-/**
- * restart a terminated thread
- */
-static void restart(private_processor_t *this)
-{
-	thread_t *thread;
-
-	DBG2(DBG_JOB, "terminated worker thread, ID: %u", thread_current_id());
-
-	/* respawn thread if required */
-	this->mutex->lock(this->mutex);
-	if (this->desired_threads < this->total_threads ||
-		(thread = thread_create((thread_main_t)process_jobs, this)) == NULL)
-	{
-		this->total_threads--;
-		this->thread_terminated->signal(this->thread_terminated);
-	}
-	else
-	{
-		this->threads->insert_last(this->threads, thread);
-	}
-	this->mutex->unlock(this->mutex);
-}
-
-/**
- * Process queued jobs, called by the worker threads
- */
-static void process_jobs(private_processor_t *this)
-{
-	/* worker threads are not cancellable by default */
-	thread_cancelability(FALSE);
-
-	DBG2(DBG_JOB, "started worker thread, ID: %u", thread_current_id());
-
-	this->mutex->lock(this->mutex);
-	while (this->desired_threads >= this->total_threads)
-	{
-		job_t *job;
-
-		if (this->list->get_count(this->list) == 0)
-		{
-			this->idle_threads++;
-			this->job_added->wait(this->job_added, this->mutex);
-			this->idle_threads--;
-			continue;
-		}
-		this->list->remove_first(this->list, (void**)&job);
-		this->mutex->unlock(this->mutex);
-		/* terminated threads are restarted, so we have a constant pool */
-		thread_cleanup_push((thread_cleanup_t)restart, this);
-		job->execute(job);
-		thread_cleanup_pop(FALSE);
-		this->mutex->lock(this->mutex);
-	}
-	this->mutex->unlock(this->mutex);
-	restart(this);
-}
-
-/**
- * Implementation of processor_t.get_total_threads.
- */
-static u_int get_total_threads(private_processor_t *this)
-{
-	u_int count;
-	this->mutex->lock(this->mutex);
-	count = this->total_threads;
-	this->mutex->unlock(this->mutex);
-	return count;
-}
-
-/**
- * Implementation of processor_t.get_idle_threads.
- */
-static u_int get_idle_threads(private_processor_t *this)
-{
-	u_int count;
-	this->mutex->lock(this->mutex);
-	count = this->idle_threads;
-	this->mutex->unlock(this->mutex);
-	return count;
-}
-
-/**
- * implements processor_t.get_job_load
- */
-static u_int get_job_load(private_processor_t *this)
-{
-	u_int load;
-	this->mutex->lock(this->mutex);
-	load = this->list->get_count(this->list);
-	this->mutex->unlock(this->mutex);
-	return load;
-}
-
-/**
- * implements function processor_t.queue_job
- */
-static void queue_job(private_processor_t *this, job_t *job)
-{
-	this->mutex->lock(this->mutex);
-	this->list->insert_last(this->list, job);
-	this->job_added->signal(this->job_added);
-	this->mutex->unlock(this->mutex);
-}
-
-/**
- * Implementation of processor_t.set_threads.
- */
-static void set_threads(private_processor_t *this, u_int count)
-{
-	this->mutex->lock(this->mutex);
-	if (count > this->total_threads)
-	{	/* increase thread count */
-		int i;
-		thread_t *current;
-
-		this->desired_threads = count;
-		DBG1(DBG_JOB, "spawning %d worker threads", count - this->total_threads);
-		for (i = this->total_threads; i < count; i++)
-		{
-			current = thread_create((thread_main_t)process_jobs, this);
-			if (current)
-			{
-				this->threads->insert_last(this->threads, current);
-				this->total_threads++;
-			}
-		}
-	}
-	else if (count < this->total_threads)
-	{	/* decrease thread count */
-		this->desired_threads = count;
-	}
-	this->job_added->broadcast(this->job_added);
-	this->mutex->unlock(this->mutex);
-}
-
-/**
- * Implementation of processor_t.destroy.
- */
-static void destroy(private_processor_t *this)
-{
-	thread_t *current;
-	set_threads(this, 0);
-	this->mutex->lock(this->mutex);
-	while (this->total_threads > 0)
-	{
-		this->job_added->broadcast(this->job_added);
-		this->thread_terminated->wait(this->thread_terminated, this->mutex);
-	}
-	while (this->threads->remove_first(this->threads,
-									   (void**)&current) == SUCCESS)
-	{
-		current->join(current);
-	}
-	this->mutex->unlock(this->mutex);
-	this->thread_terminated->destroy(this->thread_terminated);
-	this->job_added->destroy(this->job_added);
-	this->mutex->destroy(this->mutex);
-	this->list->destroy_offset(this->list, offsetof(job_t, destroy));
-	this->threads->destroy(this->threads);
-	free(this);
-}
-
-/*
- * Described in header.
- */
-processor_t *processor_create(size_t pool_size)
-{
-	private_processor_t *this = malloc_thing(private_processor_t);
-
-	this->public.get_total_threads = (u_int(*)(processor_t*))get_total_threads;
-	this->public.get_idle_threads = (u_int(*)(processor_t*))get_idle_threads;
-	this->public.get_job_load = (u_int(*)(processor_t*))get_job_load;
-	this->public.queue_job = (void(*)(processor_t*, job_t*))queue_job;
-	this->public.set_threads = (void(*)(processor_t*, u_int))set_threads;
-	this->public.destroy = (void(*)(processor_t*))destroy;
-
-	this->list = linked_list_create();
-	this->threads = linked_list_create();
-	this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
-	this->job_added = condvar_create(CONDVAR_TYPE_DEFAULT);
-	this->thread_terminated = condvar_create(CONDVAR_TYPE_DEFAULT);
-	this->total_threads = 0;
-	this->desired_threads = 0;
-	this->idle_threads = 0;
-
-	return &this->public;
-}
-
diff --git a/src/charon/processing/processor.h b/src/charon/processing/processor.h
deleted file mode 100644
index 5bf8cf573..000000000
--- a/src/charon/processing/processor.h
+++ /dev/null
@@ -1,94 +0,0 @@
-/*
- * Copyright (C) 2005-2007 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup processor processor
- * @{ @ingroup processing
- */
-
-#ifndef PROCESSOR_H_
-#define PROCESSOR_H_
-
-typedef struct processor_t processor_t;
-
-#include <stdlib.h>
-
-#include <library.h>
-#include <processing/jobs/job.h>
-
-/**
- * The processor uses threads to process queued jobs.
- */
-struct processor_t {
-
-	/**
-	 * Get the total number of threads used by the processor.
-	 *
-	 * @return				size of thread pool
-	 */
-	u_int (*get_total_threads) (processor_t *this);
-
-	/**
-	 * Get the number of threads currently waiting.
-	 *
-	 * @return				number of idle threads
-	 */
-	u_int (*get_idle_threads) (processor_t *this);
-
-	/**
-	 * Get the number of queued jobs.
-	 *
-	 * @returns 			number of items in queue
-	 */
-	u_int (*get_job_load) (processor_t *this);
-
-	/**
-	 * Adds a job to the queue.
-	 *
-	 * This function is non blocking and adds a job_t to the queue.
-	 *
-	 * @param job 			job to add to the queue
-	 */
-	void (*queue_job) (processor_t *this, job_t *job);
-
-	/**
-	 * Set the number of threads to use in the processor.
-	 *
-	 * If the number of threads is smaller than number of currently running
-	 * threads, thread count is decreased. Use 0 to disable the processor.
-	 * This call blocks if it decreases thread count until threads have
-	 * terminated, so make sure there are not too many blocking jobs.
-	 *
-	 * @param count			number of threads to allocate
-	 */
-	void (*set_threads)(processor_t *this, u_int count);
-
-	/**
-	 * Destroy a processor object.
-	 */
-	void (*destroy) (processor_t *processor);
-};
-
-/**
- * Create the thread pool without any threads.
- *
- * Use the set_threads method to start processing jobs.
- *
- * @return					processor_t object
- */
-processor_t *processor_create();
-
-#endif /** PROCESSOR_H_ @}*/
diff --git a/src/charon/processing/scheduler.c b/src/charon/processing/scheduler.c
deleted file mode 100644
index 345af502a..000000000
--- a/src/charon/processing/scheduler.c
+++ /dev/null
@@ -1,358 +0,0 @@
-/*
- * Copyright (C) 2008 Tobias Brunner
- * Copyright (C) 2005-2006 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <stdlib.h>
-
-#include "scheduler.h"
-
-#include <daemon.h>
-#include <processing/processor.h>
-#include <processing/jobs/callback_job.h>
-#include <threading/thread.h>
-#include <threading/condvar.h>
-#include <threading/mutex.h>
-
-/* the initial size of the heap */
-#define HEAP_SIZE_DEFAULT 64
-
-typedef struct event_t event_t;
-
-/**
- * Event containing a job and a schedule time
- */
-struct event_t {
-	/**
-	 * Time to fire the event.
-	 */
-	timeval_t time;
-
-	/**
-	 * Every event has its assigned job.
-	 */
-	job_t *job;
-};
-
-/**
- * destroy an event and its job
- */
-static void event_destroy(event_t *event)
-{
-	event->job->destroy(event->job);
-	free(event);
-}
-
-typedef struct private_scheduler_t private_scheduler_t;
-
-/**
- * Private data of a scheduler_t object.
- */
-struct private_scheduler_t {
-
-	/**
-	 * Public part of a scheduler_t object.
-	 */
-	 scheduler_t public;
-
-	/**
-	 * Job which queues scheduled jobs to the processor.
-	 */
-	callback_job_t *job;
-
-	/**
-	 * The heap in which the events are stored.
-	 */
-	event_t **heap;
-
-	/**
-	 * The size of the heap.
-	 */
-	u_int heap_size;
-
-	/**
-	 * The number of scheduled events.
-	 */
-	u_int event_count;
-
-	/**
-	 * Exclusive access to list
-	 */
-	mutex_t *mutex;
-
-	/**
-	 * Condvar to wait for next job.
-	 */
-	condvar_t *condvar;
-};
-
-/**
- * Comparse two timevals, return >0 if a > b, <0 if a < b and =0 if equal
- */
-static int timeval_cmp(timeval_t *a, timeval_t *b)
-{
-	if (a->tv_sec > b->tv_sec)
-	{
-		return 1;
-	}
-	if (a->tv_sec < b->tv_sec)
-	{
-		return -1;
-	}
-	if (a->tv_usec > b->tv_usec)
-	{
-		return 1;
-	}
-	if (a->tv_usec < b->tv_usec)
-	{
-		return -1;
-	}
-	return 0;
-}
-
-/**
- * Returns the top event without removing it. Returns NULL if the heap is empty.
- */
-static event_t *peek_event(private_scheduler_t *this)
-{
-	return this->event_count > 0 ? this->heap[1] : NULL;
-}
-
-/**
- * Removes the top event from the heap and returns it. Returns NULL if the heap
- * is empty.
- */
-static event_t *remove_event(private_scheduler_t *this)
-{
-	event_t *event, *top;
-	if (!this->event_count)
-	{
-		return NULL;
-	}
-
-	/* store the value to return */
-	event = this->heap[1];
-	/* move the bottom event to the top */
-	top = this->heap[1] = this->heap[this->event_count];
-
-	if (--this->event_count > 1)
-	{
-		/* seep down the top event */
-		u_int position = 1;
-		while ((position << 1) <= this->event_count)
-		{
-			u_int child = position << 1;
-
-			if ((child + 1) <= this->event_count &&
-				timeval_cmp(&this->heap[child + 1]->time,
-							&this->heap[child]->time) < 0)
-			{
-				/* the "right" child is smaller */
-				child++;
-			}
-
-			if (timeval_cmp(&top->time, &this->heap[child]->time) <= 0)
-			{
-				/* the top event fires before the smaller of the two children,
-				 * stop */
-				break;
-			}
-
-			/* swap with the smaller child */
-			this->heap[position] = this->heap[child];
-			position = child;
-		}
-		this->heap[position] = top;
-	}
-	return event;
-}
-
-/**
- * Get events from the queue and pass it to the processor
- */
-static job_requeue_t schedule(private_scheduler_t * this)
-{
-	timeval_t now;
-	event_t *event;
-	bool timed = FALSE, oldstate;
-
-	this->mutex->lock(this->mutex);
-
-	time_monotonic(&now);
-
-	if ((event = peek_event(this)) != NULL)
-	{
-		if (timeval_cmp(&now, &event->time) >= 0)
-		{
-			remove_event(this);
-			this->mutex->unlock(this->mutex);
-			DBG2(DBG_JOB, "got event, queuing job for execution");
-			charon->processor->queue_job(charon->processor, event->job);
-			free(event);
-			return JOB_REQUEUE_DIRECT;
-		}
-		timersub(&event->time, &now, &now);
-		if (now.tv_sec)
-		{
-			DBG2(DBG_JOB, "next event in %ds %dms, waiting",
-				 now.tv_sec, now.tv_usec/1000);
-		}
-		else
-		{
-			DBG2(DBG_JOB, "next event in %dms, waiting", now.tv_usec/1000);
-		}
-		timed = TRUE;
-	}
-	thread_cleanup_push((thread_cleanup_t)this->mutex->unlock, this->mutex);
-	oldstate = thread_cancelability(TRUE);
-
-	if (timed)
-	{
-		this->condvar->timed_wait_abs(this->condvar, this->mutex, event->time);
-	}
-	else
-	{
-		DBG2(DBG_JOB, "no events, waiting");
-		this->condvar->wait(this->condvar, this->mutex);
-	}
-	thread_cancelability(oldstate);
-	thread_cleanup_pop(TRUE);
-	return JOB_REQUEUE_DIRECT;
-}
-
-/**
- * Implements scheduler_t.get_job_load
- */
-static u_int get_job_load(private_scheduler_t *this)
-{
-	int count;
-	this->mutex->lock(this->mutex);
-	count = this->event_count;
-	this->mutex->unlock(this->mutex);
-	return count;
-}
-
-/**
- * Implements scheduler_t.schedule_job_tv.
- */
-static void schedule_job_tv(private_scheduler_t *this, job_t *job, timeval_t tv)
-{
-	event_t *event;
-	u_int position;
-
-	event = malloc_thing(event_t);
-	event->job = job;
-	event->time = tv;
-
-	this->mutex->lock(this->mutex);
-
-	this->event_count++;
-	if (this->event_count > this->heap_size)
-	{
-		/* double the size of the heap */
-		this->heap_size <<= 1;
-		this->heap = (event_t**)realloc(this->heap,
-									(this->heap_size + 1) * sizeof(event_t*));
-	}
-	/* "put" the event to the bottom */
-	position = this->event_count;
-
-	/* then bubble it up */
-	while (position > 1 && timeval_cmp(&this->heap[position >> 1]->time,
-									   &event->time) > 0)
-	{
-		/* parent has to be fired after the new event, move up */
-		this->heap[position] = this->heap[position >> 1];
-		position >>= 1;
-	}
-	this->heap[position] = event;
-
-	this->condvar->signal(this->condvar);
-	this->mutex->unlock(this->mutex);
-}
-
-/**
- * Implements scheduler_t.schedule_job.
- */
-static void schedule_job(private_scheduler_t *this, job_t *job, u_int32_t s)
-{
-	timeval_t tv;
-
-	time_monotonic(&tv);
-	tv.tv_sec += s;
-
-	schedule_job_tv(this, job, tv);
-}
-
-/**
- * Implements scheduler_t.schedule_job_ms.
- */
-static void schedule_job_ms(private_scheduler_t *this, job_t *job, u_int32_t ms)
-{
-	timeval_t tv, add;
-
-	time_monotonic(&tv);
-	add.tv_sec = ms / 1000;
-	add.tv_usec = (ms % 1000) * 1000;
-
-	timeradd(&tv, &add, &tv);
-
-	schedule_job_tv(this, job, tv);
-}
-
-/**
- * Implementation of scheduler_t.destroy.
- */
-static void destroy(private_scheduler_t *this)
-{
-	event_t *event;
-	this->job->cancel(this->job);
-	this->condvar->destroy(this->condvar);
-	this->mutex->destroy(this->mutex);
-	while ((event = remove_event(this)) != NULL)
-	{
-		event_destroy(event);
-	}
-	free(this->heap);
-	free(this);
-}
-
-/*
- * Described in header.
- */
-scheduler_t * scheduler_create()
-{
-	private_scheduler_t *this = malloc_thing(private_scheduler_t);
-
-	this->public.get_job_load = (u_int (*) (scheduler_t *this)) get_job_load;
-	this->public.schedule_job = (void (*) (scheduler_t *this, job_t *job, u_int32_t s)) schedule_job;
-	this->public.schedule_job_ms = (void (*) (scheduler_t *this, job_t *job, u_int32_t ms)) schedule_job_ms;
-	this->public.schedule_job_tv = (void (*) (scheduler_t *this, job_t *job, timeval_t tv)) schedule_job_tv;
-	this->public.destroy = (void(*)(scheduler_t*)) destroy;
-
-	/* Note: the root of the heap is at index 1 */
-	this->event_count = 0;
-	this->heap_size = HEAP_SIZE_DEFAULT;
-	this->heap = (event_t**)calloc(this->heap_size + 1, sizeof(event_t*));
-
-	this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
-	this->condvar = condvar_create(CONDVAR_TYPE_DEFAULT);
-
-	this->job = callback_job_create((callback_job_cb_t)schedule, this, NULL, NULL);
-	charon->processor->queue_job(charon->processor, (job_t*)this->job);
-
-	return &this->public;
-}
-
diff --git a/src/charon/processing/scheduler.h b/src/charon/processing/scheduler.h
deleted file mode 100644
index 5f5d2a563..000000000
--- a/src/charon/processing/scheduler.h
+++ /dev/null
@@ -1,130 +0,0 @@
-/*
- * Copyright (C) 2009 Tobias Brunner
- * Copyright (C) 2005-2007 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup scheduler scheduler
- * @{ @ingroup processing
- */
-
-#ifndef SCHEDULER_H_
-#define SCHEDULER_H_
-
-typedef struct scheduler_t scheduler_t;
-
-#include <library.h>
-#include <processing/jobs/job.h>
-
-/**
- * The scheduler queues timed events which are then passed to the processor.
- *
- * The scheduler is implemented as a heap. A heap is a special kind of tree-
- * based data structure that satisfies the following property: if B is a child
- * node of A, then key(A) >= (or <=) key(B). So either the element with the
- * greatest (max-heap) or the smallest (min-heap) key is the root of the heap.
- * We use a min-heap whith the key being the absolute unix time at which an
- * event is scheduled. So the root is always the event that will fire next.
- *
- * An earlier implementation of the scheduler used a sorted linked list to store
- * the events. That had the advantage that removing the next event was extremely
- * fast, also, adding an event scheduled before or after all other events was
- * equally fast (all in O(1)). The problem was, though, that adding an event
- * in-between got slower, as the number of events grew larger (O(n)).
- * For each connection there could be several events: IKE-rekey, NAT-keepalive,
- * retransmissions, expire (half-open), and others. So a gateway that probably
- * has to handle thousands of concurrent connnections has to be able to queue a
- * large number of events as fast as possible. Locking makes this even worse, to
- * provide thread-safety, no events can be processed, while an event is queued,
- * so making the insertion fast is even more important.
- *
- * That's the advantage of the heap. Adding an element to the heap can be
- * achieved in O(log n) - on the other hand, removing the root node also
- * requires O(log n) operations. Consider 10000 queued events. Inserting a new
- * event in the list implementation required up to 10000 comparisons. In the
- * heap implementation, the worst case is about 13.3 comparisons. That's a
- * drastic improvement.
- *
- * The implementation itself uses a binary tree mapped to a one-based array to
- * store the elements. This reduces storage overhead and simplifies navigation:
- * the children of the node at position n are at position 2n and 2n+1 (likewise
- * the parent node of the node at position n is at position [n/2]). Thus,
- * navigating up and down the tree is reduced to simple index computations.
- *
- * Adding an element to the heap works as follows: The heap is always filled
- * from left to right, until a row is full, then the next row is filled. Mapped
- * to an array this gets as simple as putting the new element to the first free
- * position. In a one-based array that position equals the number of elements
- * currently stored in the heap. Then the heap property has to be restored, i.e.
- * the new element has to be "bubbled up" the tree until the parent node's key
- * is smaller or the element got the new root of the tree.
- *
- * Removing the next event from the heap works similarly. The event itself is
- * the root node and stored at position 1 of the array. After removing it, the
- * root has to be replaced and the heap property has to be restored. This is
- * done by moving the bottom element (last row, rightmost element) to the root
- * and then "seep it down" by swapping it with child nodes until none of the
- * children has a smaller key or it is again a leaf node.
- */
-struct scheduler_t {
-
-	/**
-	 * Adds a event to the queue, using a relative time offset in s.
-	 *
-	 * @param job 			job to schedule
-	 * @param time 			relative time to schedule job, in s
-	 */
-	void (*schedule_job) (scheduler_t *this, job_t *job, u_int32_t s);
-
-	/**
-	 * Adds a event to the queue, using a relative time offset in ms.
-	 *
-	 * @param job 			job to schedule
-	 * @param time 			relative time to schedule job, in ms
-	 */
-	void (*schedule_job_ms) (scheduler_t *this, job_t *job, u_int32_t ms);
-
-	/**
-	 * Adds a event to the queue, using an absolut time.
-	 *
-	 * The passed timeval should be calculated based on the time_monotonic()
-	 * function.
-	 *
-	 * @param job 			job to schedule
-	 * @param time 			absolut time to schedule job
-	 */
-	void (*schedule_job_tv) (scheduler_t *this, job_t *job, timeval_t tv);
-
-	/**
-	 * Returns number of jobs scheduled.
-	 *
-	 * @return 				number of scheduled jobs
-	 */
-	u_int (*get_job_load) (scheduler_t *this);
-
-	/**
-	 * Destroys a scheduler object.
-	 */
-	void (*destroy) (scheduler_t *this);
-};
-
-/**
- * Create a scheduler.
- *
- * @return 		scheduler_t object
- */
-scheduler_t *scheduler_create(void);
-
-#endif /** SCHEDULER_H_ @}*/
diff --git a/src/charon/sa/authenticators/authenticator.c b/src/charon/sa/authenticators/authenticator.c
deleted file mode 100644
index 13586a23e..000000000
--- a/src/charon/sa/authenticators/authenticator.c
+++ /dev/null
@@ -1,100 +0,0 @@
-/*
- * Copyright (C) 2006-2009 Martin Willi
- * Copyright (C) 2008 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <string.h>
-
-#include "authenticator.h"
-
-#include <sa/authenticators/pubkey_authenticator.h>
-#include <sa/authenticators/psk_authenticator.h>
-#include <sa/authenticators/eap_authenticator.h>
-#include <encoding/payloads/auth_payload.h>
-
-
-ENUM_BEGIN(auth_method_names, AUTH_RSA, AUTH_DSS,
-	"RSA signature",
-	"pre-shared key",
-	"DSS signature");
-ENUM_NEXT(auth_method_names, AUTH_ECDSA_256, AUTH_ECDSA_521, AUTH_DSS,
-	"ECDSA-256 signature",
-	"ECDSA-384 signature",
-	"ECDSA-521 signature");
-ENUM_END(auth_method_names, AUTH_ECDSA_521);
-
-ENUM(auth_class_names, AUTH_CLASS_ANY, AUTH_CLASS_EAP,
-	"any",
-	"public key",
-	"pre-shared key",
-	"EAP",
-);
-
-/**
- * Described in header.
- */
-authenticator_t *authenticator_create_builder(ike_sa_t *ike_sa, auth_cfg_t *cfg,
-									chunk_t received_nonce, chunk_t sent_nonce,
-									chunk_t received_init, chunk_t sent_init)
-{
-	switch ((uintptr_t)cfg->get(cfg, AUTH_RULE_AUTH_CLASS))
-	{
-		case AUTH_CLASS_ANY:
-			/* defaults to PUBKEY */
-		case AUTH_CLASS_PUBKEY:
-			return (authenticator_t*)pubkey_authenticator_create_builder(ike_sa,
-											received_nonce, sent_init);
-		case AUTH_CLASS_PSK:
-			return (authenticator_t*)psk_authenticator_create_builder(ike_sa,
-											received_nonce, sent_init);
-		case AUTH_CLASS_EAP:
-			return (authenticator_t*)eap_authenticator_create_builder(ike_sa,
-						received_nonce, sent_nonce, received_init, sent_init);
-		default:
-			return NULL;
-	}
-}
-
-/**
- * Described in header.
- */
-authenticator_t *authenticator_create_verifier(
-									ike_sa_t *ike_sa, message_t *message,
-									chunk_t received_nonce, chunk_t sent_nonce,
-									chunk_t received_init, chunk_t sent_init)
-{
-	auth_payload_t *auth_payload;
-
-	auth_payload = (auth_payload_t*)message->get_payload(message, AUTHENTICATION);
-	if (auth_payload == NULL)
-	{
-		return (authenticator_t*)eap_authenticator_create_verifier(ike_sa,
-						received_nonce, sent_nonce, received_init, sent_init);
-	}
-	switch (auth_payload->get_auth_method(auth_payload))
-	{
-		case AUTH_RSA:
-		case AUTH_ECDSA_256:
-		case AUTH_ECDSA_384:
-		case AUTH_ECDSA_521:
-			return (authenticator_t*)pubkey_authenticator_create_verifier(ike_sa,
-													sent_nonce, received_init);
-		case AUTH_PSK:
-			return (authenticator_t*)psk_authenticator_create_verifier(ike_sa,
-													sent_nonce, received_init);
-		default:
-			return NULL;
-	}
-}
-
diff --git a/src/charon/sa/authenticators/authenticator.h b/src/charon/sa/authenticators/authenticator.h
deleted file mode 100644
index fff91ed34..000000000
--- a/src/charon/sa/authenticators/authenticator.h
+++ /dev/null
@@ -1,178 +0,0 @@
-/*
- * Copyright (C) 2005-2009 Martin Willi
- * Copyright (C) 2008 Tobias Brunner
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup authenticator authenticator
- * @{ @ingroup authenticators
- */
-
-#ifndef AUTHENTICATOR_H_
-#define AUTHENTICATOR_H_
-
-typedef enum auth_method_t auth_method_t;
-typedef enum auth_class_t auth_class_t;
-typedef struct authenticator_t authenticator_t;
-
-#include <library.h>
-#include <config/auth_cfg.h>
-#include <sa/ike_sa.h>
-
-/**
- * Method to use for authentication, as defined in IKEv2.
- */
-enum auth_method_t {
-	/**
-	 * Computed as specified in section 2.15 of RFC using
-	 * an RSA private key over a PKCS#1 padded hash.
-	 */
-	AUTH_RSA = 1,
-
-	/**
-	 * Computed as specified in section 2.15 of RFC using the
-	 * shared key associated with the identity in the ID payload
-	 * and the negotiated prf function
-	 */
-	AUTH_PSK = 2,
-
-	/**
-	 * Computed as specified in section 2.15 of RFC using a
-	 * DSS private key over a SHA-1 hash.
-	 */
-	AUTH_DSS = 3,
-
-	/**
-	 * ECDSA with SHA-256 on the P-256 curve as specified in RFC 4754
-	 */
-	AUTH_ECDSA_256 = 9,
-
-	/**
-	 * ECDSA with SHA-384 on the P-384 curve as specified in RFC 4754
-	 */
-	AUTH_ECDSA_384 = 10,
-
-	/**
-	 * ECDSA with SHA-512 on the P-521 curve as specified in RFC 4754
-	 */
-	AUTH_ECDSA_521 = 11,
-};
-
-/**
- * enum names for auth_method_t.
- */
-extern enum_name_t *auth_method_names;
-
-/**
- * Class of authentication to use. This is different to auth_method_t in that
- * it does not specify a method, but a class of acceptable methods. The found
- * certificate finally dictates wich method is used.
- */
-enum auth_class_t {
-	/** any class acceptable */
-	AUTH_CLASS_ANY = 0,
-	/** authentication using public keys (RSA, ECDSA) */
-	AUTH_CLASS_PUBKEY = 1,
-	/** authentication using a pre-shared secrets */
-	AUTH_CLASS_PSK = 2,
-	/** authentication using EAP */
-	AUTH_CLASS_EAP = 3,
-};
-
-/**
- * enum strings for auth_class_t
- */
-extern enum_name_t *auth_class_names;
-
-/**
- * Authenticator interface implemented by the various authenticators.
- *
- * An authenticator implementation handles AUTH and EAP payloads. Received
- * messages are passed to the process() method, to send authentication data
- * the message is passed to the build() method.
- */
-struct authenticator_t {
-
-	/**
-	 * Process an incoming message using the authenticator.
-	 *
-	 * @param message		message containing authentication payloads
-	 * @return
-	 *						- SUCCESS if authentication successful
-	 *						- FAILED if authentication failed
-	 *						- NEED_MORE if another exchange required
-	 */
-	status_t (*process)(authenticator_t *this, message_t *message);
-
-	/**
-	 * Attach authentication data to an outgoing message.
-	 *
-	 * @param message		message to add authentication data to
-	 * @return
-	 *						- SUCCESS if authentication successful
-	 *						- FAILED if authentication failed
-	 *						- NEED_MORE if another exchange required
-	 */
-	status_t (*build)(authenticator_t *this, message_t *message);
-
-	/**
-	 * Check if the authenticator is capable of mutual authentication.
-	 *
-	 * Some authenticator authenticate both peers, e.g. EAP. To support
-	 * mutual authentication with only a single authenticator (EAP-only
-	 * authentication), it must be mutual. This method is invoked in ike_auth
-	 * to check if the given authenticator is capable of doing so.
-	 */
-	bool (*is_mutual)(authenticator_t *this);
-
-	/**
-	 * Destroy authenticator instance.
-	 */
-	void (*destroy) (authenticator_t *this);
-};
-
-/**
- * Create an authenticator to build signatures.
- *
- * @param ike_sa			associated ike_sa
- * @param cfg				authentication configuration
- * @param received_nonce	nonce received in IKE_SA_INIT
- * @param sent_nonce		nonce sent in IKE_SA_INIT
- * @param received_init		received IKE_SA_INIT message data
- * @param sent_init			sent IKE_SA_INIT message data
- * @return					authenticator, NULL if not supported
- */
-authenticator_t *authenticator_create_builder(
-									ike_sa_t *ike_sa, auth_cfg_t *cfg,
-									chunk_t received_nonce, chunk_t sent_nonce,
-									chunk_t received_init, chunk_t sent_init);
-
-/**
- * Create an authenticator to verify signatures.
- *
- * @param ike_sa			associated ike_sa
- * @param message			message containing authentication data
- * @param received_nonce	nonce received in IKE_SA_INIT
- * @param sent_nonce		nonce sent in IKE_SA_INIT
- * @param received_init		received IKE_SA_INIT message data
- * @param sent_init			sent IKE_SA_INIT message data
- * @return					authenticator, NULL if not supported
- */
-authenticator_t *authenticator_create_verifier(
-									ike_sa_t *ike_sa, message_t *message,
-									chunk_t received_nonce, chunk_t sent_nonce,
-									chunk_t received_init, chunk_t sent_init);
-
-#endif /** AUTHENTICATOR_H_ @}*/
diff --git a/src/charon/sa/authenticators/eap/eap_manager.c b/src/charon/sa/authenticators/eap/eap_manager.c
deleted file mode 100644
index f795183f0..000000000
--- a/src/charon/sa/authenticators/eap/eap_manager.c
+++ /dev/null
@@ -1,170 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "eap_manager.h"
-
-#include <utils/linked_list.h>
-#include <threading/rwlock.h>
-
-typedef struct private_eap_manager_t private_eap_manager_t;
-typedef struct eap_entry_t eap_entry_t;
-
-/**
- * EAP constructor entry
- */
-struct eap_entry_t {
-
-	/**
-	 * EAP method type, vendor specific if vendor is set
-	 */
-	eap_type_t type;
-
-	/**
-	 * vendor ID, 0 for default EAP methods
-	 */
-	u_int32_t vendor;
-
-	/**
-	 * Role of the method returned by the constructor, EAP_SERVER or EAP_PEER
-	 */
-	eap_role_t role;
-
-	/**
-	 * constructor function to create instance
-	 */
-	eap_constructor_t constructor;
-};
-
-/**
- * private data of eap_manager
- */
-struct private_eap_manager_t {
-
-	/**
-	 * public functions
-	 */
-	eap_manager_t public;
-
-	/**
-	 * list of eap_entry_t's
-	 */
-	linked_list_t *methods;
-
-	/**
-	 * rwlock to lock methods
-	 */
-	rwlock_t *lock;
-};
-
-/**
- * Implementation of eap_manager_t.add_method.
- */
-static void add_method(private_eap_manager_t *this, eap_type_t type,
-					   u_int32_t vendor, eap_role_t role,
-					   eap_constructor_t constructor)
-{
-	eap_entry_t *entry = malloc_thing(eap_entry_t);
-
-	entry->type = type;
-	entry->vendor = vendor;
-	entry->role = role;
-	entry->constructor = constructor;
-
-	this->lock->write_lock(this->lock);
-	this->methods->insert_last(this->methods, entry);
-	this->lock->unlock(this->lock);
-}
-
-/**
- * Implementation of eap_manager_t.remove_method.
- */
-static void remove_method(private_eap_manager_t *this, eap_constructor_t constructor)
-{
-	enumerator_t *enumerator;
-	eap_entry_t *entry;
-
-	this->lock->write_lock(this->lock);
-	enumerator = this->methods->create_enumerator(this->methods);
-	while (enumerator->enumerate(enumerator, &entry))
-	{
-		if (constructor == entry->constructor)
-		{
-			this->methods->remove_at(this->methods, enumerator);
-			free(entry);
-		}
-	}
-	enumerator->destroy(enumerator);
-	this->lock->unlock(this->lock);
-}
-
-/**
- * Implementation of eap_manager_t.create_instance.
- */
-static eap_method_t* create_instance(private_eap_manager_t *this,
-									 eap_type_t type, u_int32_t vendor,
-									 eap_role_t role, identification_t *server,
-									 identification_t *peer)
-{
-	enumerator_t *enumerator;
-	eap_entry_t *entry;
-	eap_method_t *method = NULL;
-
-	this->lock->read_lock(this->lock);
-	enumerator = this->methods->create_enumerator(this->methods);
-	while (enumerator->enumerate(enumerator, &entry))
-	{
-		if (type == entry->type && vendor == entry->vendor &&
-			role == entry->role)
-		{
-			method = entry->constructor(server, peer);
-			if (method)
-			{
-				break;
-			}
-		}
-	}
-	enumerator->destroy(enumerator);
-	this->lock->unlock(this->lock);
-	return method;
-}
-
-/**
- * Implementation of 2008_t.destroy
- */
-static void destroy(private_eap_manager_t *this)
-{
-	this->methods->destroy_function(this->methods, free);
-	this->lock->destroy(this->lock);
-	free(this);
-}
-
-/*
- * see header file
- */
-eap_manager_t *eap_manager_create()
-{
-	private_eap_manager_t *this = malloc_thing(private_eap_manager_t);
-
-	this->public.add_method = (void(*)(eap_manager_t*, eap_type_t type, u_int32_t vendor, eap_role_t role, eap_constructor_t constructor))add_method;
-	this->public.remove_method = (void(*)(eap_manager_t*, eap_constructor_t constructor))remove_method;
-	this->public.create_instance = (eap_method_t*(*)(eap_manager_t*, eap_type_t type, u_int32_t vendor, eap_role_t role, identification_t*,identification_t*))create_instance;
-	this->public.destroy = (void(*)(eap_manager_t*))destroy;
-
-	this->methods = linked_list_create();
-	this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
-
-	return &this->public;
-}
-
diff --git a/src/charon/sa/authenticators/eap/eap_manager.h b/src/charon/sa/authenticators/eap/eap_manager.h
deleted file mode 100644
index 0333fb6da..000000000
--- a/src/charon/sa/authenticators/eap/eap_manager.h
+++ /dev/null
@@ -1,82 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup eap_manager eap_manager
- * @{ @ingroup eap
- */
-
-#ifndef EAP_MANAGER_H_
-#define EAP_MANAGER_H_
-
-#include <sa/authenticators/eap/eap_method.h>
-
-typedef struct eap_manager_t eap_manager_t;
-
-/**
- * The EAP manager manages all EAP implementations and creates instances.
- *
- * A plugin registers it's implemented EAP method at the manager by
- * providing type and a contructor function. The manager then instanciates
- * eap_method_t instances through the provided constructor to handle
- * EAP authentication.
- */
-struct eap_manager_t {
-
-	/**
-	 * Register a EAP method implementation.
-	 *
-	 * @param method		vendor specific method, if vendor != 0
-	 * @param vendor		vendor ID, 0 for non-vendor (default) EAP methods
-	 * @param role			EAP role of the registered method
-	 * @param constructor	constructor function, returns an eap_method_t
-	 */
-	void (*add_method)(eap_manager_t *this, eap_type_t type, u_int32_t vendor,
-					   eap_role_t role, eap_constructor_t constructor);
-
-	/**
-	 * Unregister a EAP method implementation using it's constructor.
-	 *
-	 * @param constructor	constructor function to remove, as added in add_method
-	 */
-	void (*remove_method)(eap_manager_t *this, eap_constructor_t constructor);
-
-	/**
-	 * Create a new EAP method instance.
-	 *
-	 * @param type			type of the EAP method
-	 * @param vendor		vendor ID, 0 for non-vendor (default) EAP methods
-	 * @param role			role of EAP method, either EAP_SERVER or EAP_PEER
-	 * @param server		identity of the server
-	 * @param peer			identity of the peer (client)
-	 * @return				EAP method instance, NULL if no constructor found
-	 */
-	eap_method_t* (*create_instance)(eap_manager_t *this, eap_type_t type,
-									 u_int32_t vendor, eap_role_t role,
-									 identification_t *server,
-									 identification_t *peer);
-
-	/**
-	 * Destroy a eap_manager instance.
-	 */
-	void (*destroy)(eap_manager_t *this);
-};
-
-/**
- * Create a eap_manager instance.
- */
-eap_manager_t *eap_manager_create();
-
-#endif /** EAP_MANAGER_H_ @}*/
diff --git a/src/charon/sa/authenticators/eap/eap_method.c b/src/charon/sa/authenticators/eap/eap_method.c
deleted file mode 100644
index 91fa5305f..000000000
--- a/src/charon/sa/authenticators/eap/eap_method.c
+++ /dev/null
@@ -1,107 +0,0 @@
-/*
- * Copyright (C) 2006 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "eap_method.h"
-
-ENUM_BEGIN(eap_type_names, EAP_IDENTITY, EAP_GTC,
-	"EAP_IDENTITY",
-	"EAP_NOTIFICATION",
-	"EAP_NAK",
-	"EAP_MD5",
-	"EAP_OTP",
-	"EAP_GTC");
-ENUM_NEXT(eap_type_names, EAP_SIM, EAP_SIM, EAP_GTC,
-	"EAP_SIM");
-ENUM_NEXT(eap_type_names, EAP_AKA, EAP_AKA, EAP_SIM,
-	"EAP_AKA");
-ENUM_NEXT(eap_type_names, EAP_MSCHAPV2, EAP_MSCHAPV2, EAP_AKA,
-	"EAP_MSCHAPV2");
-ENUM_NEXT(eap_type_names, EAP_RADIUS, EAP_EXPERIMENTAL, EAP_MSCHAPV2,
-	"EAP_RADIUS",
-	"EAP_EXPANDED",
-	"EAP_EXPERIMENTAL");
-ENUM_END(eap_type_names, EAP_EXPERIMENTAL);
-
-ENUM_BEGIN(eap_type_short_names, EAP_IDENTITY, EAP_GTC,
-	"ID",
-	"NTF",
-	"NAK",
-	"MD5",
-	"OTP",
-	"GTC");
-ENUM_NEXT(eap_type_short_names, EAP_SIM, EAP_SIM, EAP_GTC,
-	"SIM");
-ENUM_NEXT(eap_type_short_names, EAP_AKA, EAP_AKA, EAP_SIM,
-	"AKA");
-ENUM_NEXT(eap_type_short_names, EAP_MSCHAPV2, EAP_MSCHAPV2, EAP_AKA,
-	"MSCHAPV2");
-ENUM_NEXT(eap_type_short_names, EAP_RADIUS, EAP_EXPERIMENTAL, EAP_MSCHAPV2,
-	"RAD",
-	"EXP",
-	"XP");
-ENUM_END(eap_type_short_names, EAP_EXPERIMENTAL);
-
-/*
- * See header
- */
-eap_type_t eap_type_from_string(char *name)
-{
-	int i;
-	static struct {
-		char *name;
-		eap_type_t type;
-	} types[] = {
-		{"identity",	EAP_IDENTITY},
-		{"md5",			EAP_MD5},
-		{"otp",			EAP_OTP},
-		{"gtc",			EAP_GTC},
-		{"sim",			EAP_SIM},
-		{"aka",			EAP_AKA},
-		{"mschapv2",	EAP_MSCHAPV2},
-		{"radius",		EAP_RADIUS},
-	};
-
-	for (i = 0; i < countof(types); i++)
-	{
-		if (strcaseeq(name, types[i].name))
-		{
-			return types[i].type;
-		}
-	}
-	return 0;
-}
-
-ENUM(eap_code_names, EAP_REQUEST, EAP_FAILURE,
-	"EAP_REQUEST",
-	"EAP_RESPONSE",
-	"EAP_SUCCESS",
-	"EAP_FAILURE",
-);
-
-ENUM(eap_code_short_names, EAP_REQUEST, EAP_FAILURE,
-	"REQ",
-	"RES",
-	"SUCC",
-	"FAIL",
-);
-
-ENUM(eap_role_names, EAP_SERVER, EAP_PEER,
-	"EAP_SERVER",
-	"EAP_PEER",
-);
-
-
-
-
diff --git a/src/charon/sa/authenticators/eap/eap_method.h b/src/charon/sa/authenticators/eap/eap_method.h
deleted file mode 100644
index 4cab84535..000000000
--- a/src/charon/sa/authenticators/eap/eap_method.h
+++ /dev/null
@@ -1,205 +0,0 @@
-/*
- * Copyright (C) 2006 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup eap_method eap_method
- * @{ @ingroup eap
- */
-
-#ifndef EAP_METHOD_H_
-#define EAP_METHOD_H_
-
-typedef struct eap_method_t eap_method_t;
-typedef enum eap_role_t eap_role_t;
-typedef enum eap_type_t eap_type_t;
-typedef enum eap_code_t eap_code_t;
-
-#include <library.h>
-#include <utils/identification.h>
-#include <encoding/payloads/eap_payload.h>
-
-/**
- * Role of an eap_method, SERVER or PEER (client)
- */
-enum eap_role_t {
-	EAP_SERVER,
-	EAP_PEER,
-};
-/**
- * enum names for eap_role_t.
- */
-extern enum_name_t *eap_role_names;
-
-/**
- * EAP types, defines the EAP method implementation
- */
-enum eap_type_t {
-	EAP_IDENTITY = 1,
-	EAP_NOTIFICATION = 2,
-	EAP_NAK = 3,
-	EAP_MD5 = 4,
-	EAP_OTP = 5,
-	EAP_GTC = 6,
-	EAP_SIM = 18,
-	EAP_AKA = 23,
-	EAP_MSCHAPV2 = 26,
-	/** not a method, but an implementation providing different methods */
-	EAP_RADIUS = 253,
-	EAP_EXPANDED = 254,
-	EAP_EXPERIMENTAL = 255,
-};
-
-/**
- * enum names for eap_type_t.
- */
-extern enum_name_t *eap_type_names;
-
-/**
- * short string enum names for eap_type_t.
- */
-extern enum_name_t *eap_type_short_names;
-
-/**
- * Lookup the EAP method type from a string.
- *
- * @param name		EAP method name (such as "md5", "aka")
- * @return			method type, 0 if unkown
- */
-eap_type_t eap_type_from_string(char *name);
-
-/**
- * EAP code, type of an EAP message
- */
-enum eap_code_t {
-	EAP_REQUEST = 1,
-	EAP_RESPONSE = 2,
-	EAP_SUCCESS = 3,
-	EAP_FAILURE = 4,
-};
-
-/**
- * enum names for eap_code_t.
- */
-extern enum_name_t *eap_code_names;
-
-/**
- * short string enum names for eap_code_t.
- */
-extern enum_name_t *eap_code_short_names;
-
-/**
- * Interface of an EAP method for server and client side.
- *
- * An EAP method initiates an EAP exchange and processes requests and
- * responses. An EAP method may need multiple exchanges before succeeding, and
- * the eap_authentication may use multiple EAP methods to authenticate a peer.
- * To accomplish these requirements, all EAP methods have their own
- * implementation while the eap_authenticatior uses one or more of these
- * EAP methods. Sending of EAP(SUCCESS/FAILURE) message is not the job
- * of the method, the eap_authenticator does this.
- * An EAP method may establish a MSK, this is used the complete the
- * authentication. Even if a mutual EAP method is used, the traditional
- * AUTH payloads are required. Only these include the nonces and messages from
- * ike_sa_init and therefore prevent man in the middle attacks.
- * The EAP method must use an initial EAP identifier value != 0, as a preceding
- * EAP-Identity exchange always uses identifier 0.
- */
-struct eap_method_t {
-
-	/**
-	 * Initiate the EAP exchange.
-	 *
-	 * initiate() is only useable for server implementations, as clients only
-	 * reply to server requests.
-	 * A eap_payload is created in "out" if result is NEED_MORE.
-	 *
-	 * @param out		eap_payload to send to the client
-	 * @return
-	 * 					- NEED_MORE, if an other exchange is required
-	 * 					- FAILED, if unable to create eap request payload
-	 */
-	status_t (*initiate) (eap_method_t *this, eap_payload_t **out);
-
-	/**
-	 * Process a received EAP message.
-	 *
-	 * A eap_payload is created in "out" if result is NEED_MORE.
-	 *
-	 * @param in		eap_payload response received
-	 * @param out		created eap_payload to send
-	 * @return
-	 * 					- NEED_MORE, if an other exchange is required
-	 * 					- FAILED, if EAP method failed
-	 * 					- SUCCESS, if EAP method succeeded
-	 */
-	status_t (*process) (eap_method_t *this, eap_payload_t *in,
-						 eap_payload_t **out);
-
-	/**
-	 * Get the EAP type implemented in this method.
-	 *
-	 * @param vendor	pointer receiving vendor identifier for type, 0 for none
-	 * @return			type of the EAP method
-	 */
-	eap_type_t (*get_type) (eap_method_t *this, u_int32_t *vendor);
-
-	/**
-	 * Check if this EAP method authenticates the server.
-	 *
-	 * Some EAP methods provide mutual authentication and
-	 * allow authentication using only EAP, if the peer supports it.
-	 *
-	 * @return			TRUE if methods provides mutual authentication
-	 */
-	bool (*is_mutual) (eap_method_t *this);
-
-	/**
-	 * Get the MSK established by this EAP method.
-	 *
-	 * Not all EAP methods establish a shared secret. For implementations of
-	 * the EAP-Identity method, get_msk() returns the received identity.
-	 *
-	 * @param msk		chunk receiving internal stored MSK
-	 * @return
-	 *					- SUCCESS, or
-	 * 					- FAILED, if MSK not established (yet)
-	 */
-	status_t (*get_msk) (eap_method_t *this, chunk_t *msk);
-
-	/**
-	 * Destroys a eap_method_t object.
-	 */
-	void (*destroy) (eap_method_t *this);
-};
-
-/**
- * Constructor definition for a pluggable EAP method.
- *
- * Each EAP module must define a constructor function which will return
- * an initialized object with the methods defined in eap_method_t.
- * Constructors for server and peers are identical, to support both roles
- * of a EAP method, a plugin needs register two constructors in the
- * eap_manager_t.
- * The passed identites are of type ID_EAP and valid only during the
- * constructor invocation.
- *
- * @param server		ID of the server to use for credential lookup
- * @param peer			ID of the peer to use for credential lookup
- * @return				implementation of the eap_method_t interface
- */
-typedef eap_method_t *(*eap_constructor_t)(identification_t *server,
-										   identification_t *peer);
-
-#endif /** EAP_METHOD_H_ @}*/
diff --git a/src/charon/sa/authenticators/eap/sim_manager.c b/src/charon/sa/authenticators/eap/sim_manager.c
deleted file mode 100644
index 5060a3147..000000000
--- a/src/charon/sa/authenticators/eap/sim_manager.c
+++ /dev/null
@@ -1,541 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "sim_manager.h"
-
-#include <daemon.h>
-#include <utils/linked_list.h>
-
-typedef struct private_sim_manager_t private_sim_manager_t;
-
-/**
- * Private data of an sim_manager_t object.
- */
-struct private_sim_manager_t {
-
-	/**
-	 * Public sim_manager_t interface.
-	 */
-	sim_manager_t public;
-
-	/**
-	 * list of added cards
-	 */
-	linked_list_t *cards;
-
-	/**
-	 * list of added provider
-	 */
-	linked_list_t *providers;
-
-	/**
-	 * list of added hooks
-	 */
-	linked_list_t *hooks;
-};
-
-/**
- * Implementation of sim_manager_t.add_card
- */
-static void add_card(private_sim_manager_t *this, sim_card_t *card)
-{
-	this->cards->insert_last(this->cards, card);
-}
-
-/**
- * Implementation of sim_manager_t.remove_card
- */
-static void remove_card(private_sim_manager_t *this, sim_card_t *card)
-{
-	this->cards->remove(this->cards, card, NULL);
-}
-
-/**
- * Implementation of sim_manager_t.card_get_triplet
- */
-static bool card_get_triplet(private_sim_manager_t *this, identification_t *id,
-							 char rand[SIM_RAND_LEN], char sres[SIM_SRES_LEN],
-							 char kc[SIM_KC_LEN])
-{
-	enumerator_t *enumerator;
-	sim_card_t *card;
-	int tried = 0;
-
-	enumerator = this->cards->create_enumerator(this->cards);
-	while (enumerator->enumerate(enumerator, &card))
-	{
-		if (card->get_triplet(card, id, rand, sres, kc))
-		{
-			enumerator->destroy(enumerator);
-			return TRUE;
-		}
-		tried++;
-	}
-	enumerator->destroy(enumerator);
-	DBG1(DBG_IKE, "tried %d SIM cards, but none has triplets for '%Y'",
-		 tried, id);
-	return FALSE;
-}
-
-/**
- * Implementation of sim_manager_t.card_get_quintuplet
- */
-static status_t card_get_quintuplet(private_sim_manager_t *this,
-								identification_t *id, char rand[AKA_RAND_LEN],
-								char autn[AKA_AUTN_LEN], char ck[AKA_CK_LEN],
-								char ik[AKA_IK_LEN], char res[AKA_RES_MAX],
-								int *res_len)
-{
-	enumerator_t *enumerator;
-	sim_card_t *card;
-	status_t status = NOT_FOUND;
-	int tried = 0;
-
-	enumerator = this->cards->create_enumerator(this->cards);
-	while (enumerator->enumerate(enumerator, &card))
-	{
-		status = card->get_quintuplet(card, id, rand, autn, ck, ik, res, res_len);
-		switch (status)
-		{	/* try next on error, but not on INVALID_STATE */
-			case SUCCESS:
-			case INVALID_STATE:
-				enumerator->destroy(enumerator);
-				return status;
-			case NOT_SUPPORTED:
-			case FAILED:
-			default:
-				tried++;
-				continue;
-		}
-	}
-	enumerator->destroy(enumerator);
-	DBG1(DBG_IKE, "tried %d SIM cards, but none has quintuplets for '%Y'",
-		 tried, id);
-	return status;
-}
-
-/**
- * Implementation of sim_manager_t.card_resync
- */
-static bool card_resync(private_sim_manager_t *this, identification_t *id,
-						char rand[AKA_RAND_LEN], char auts[AKA_AUTS_LEN])
-{
-	enumerator_t *enumerator;
-	sim_card_t *card;
-
-	enumerator = this->cards->create_enumerator(this->cards);
-	while (enumerator->enumerate(enumerator, &card))
-	{
-		if (card->resync(card, id, rand, auts))
-		{
-			enumerator->destroy(enumerator);
-			return TRUE;
-		}
-	}
-	enumerator->destroy(enumerator);
-	return FALSE;
-}
-
-/**
- * Implementation of sim_manager_t.card_set_pseudonym
- */
-static void card_set_pseudonym(private_sim_manager_t *this,
-							identification_t *id, identification_t *pseudonym)
-{
-	enumerator_t *enumerator;
-	sim_card_t *card;
-
-	DBG1(DBG_IKE, "storing pseudonym '%Y' for '%Y'", pseudonym, id);
-
-	enumerator = this->cards->create_enumerator(this->cards);
-	while (enumerator->enumerate(enumerator, &card))
-	{
-		card->set_pseudonym(card, id, pseudonym);
-	}
-	enumerator->destroy(enumerator);
-}
-
-/**
- * Implementation of sim_manager_t.card_get_pseudonym
- */
-static identification_t* card_get_pseudonym(private_sim_manager_t *this,
-											identification_t *id)
-{
-	enumerator_t *enumerator;
-	sim_card_t *card;
-	identification_t *pseudonym = NULL;
-
-	enumerator = this->cards->create_enumerator(this->cards);
-	while (enumerator->enumerate(enumerator, &card))
-	{
-		pseudonym = card->get_pseudonym(card, id);
-		if (pseudonym)
-		{
-			DBG1(DBG_IKE, "using stored pseudonym identity '%Y' "
-				 "instead of '%Y'", pseudonym, id);
-			break;
-		}
-	}
-	enumerator->destroy(enumerator);
-	return pseudonym;
-}
-
-/**
- * Implementation of sim_manager_t.card_set_reauth
- */
-static void card_set_reauth(private_sim_manager_t *this, identification_t *id,
-							identification_t *next, char mk[HASH_SIZE_SHA1],
-							u_int16_t counter)
-{
-	enumerator_t *enumerator;
-	sim_card_t *card;
-
-	DBG1(DBG_IKE, "storing next reauthentication identity '%Y' for '%Y'",
-		 next, id);
-
-	enumerator = this->cards->create_enumerator(this->cards);
-	while (enumerator->enumerate(enumerator, &card))
-	{
-		card->set_reauth(card, id, next, mk, counter);
-	}
-	enumerator->destroy(enumerator);
-}
-
-/**
- * Implementation of sim_manager_t.card_get_reauth
- */
-static identification_t* card_get_reauth(private_sim_manager_t *this,
-								identification_t *id, char mk[HASH_SIZE_SHA1],
-								u_int16_t *counter)
-{
-	enumerator_t *enumerator;
-	sim_card_t *card;
-	identification_t *reauth = NULL;
-
-	enumerator = this->cards->create_enumerator(this->cards);
-	while (enumerator->enumerate(enumerator, &card))
-	{
-		reauth = card->get_reauth(card, id, mk, counter);
-		if (reauth)
-		{
-			DBG1(DBG_IKE, "using stored reauthentication identity '%Y' "
-				 "instead of '%Y'", reauth, id);
-			break;
-		}
-	}
-	enumerator->destroy(enumerator);
-	return reauth;
-}
-
-/**
- * Implementation of sim_manager_t.add_provider
- */
-static void add_provider(private_sim_manager_t *this, sim_provider_t *provider)
-{
-	this->providers->insert_last(this->providers, provider);
-}
-
-/**
- * Implementation of sim_manager_t.remove_provider
- */
-static void remove_provider(private_sim_manager_t *this,
-							sim_provider_t *provider)
-{
-	this->providers->remove(this->providers, provider, NULL);
-}
-
-/**
- * Implementation of sim_manager_t.provider_get_triplet
- */
-static bool provider_get_triplet(private_sim_manager_t *this,
-								 identification_t *id, char rand[SIM_RAND_LEN],
-								 char sres[SIM_SRES_LEN], char kc[SIM_KC_LEN])
-{
-	enumerator_t *enumerator;
-	sim_provider_t *provider;
-	int tried = 0;
-
-	enumerator = this->providers->create_enumerator(this->providers);
-	while (enumerator->enumerate(enumerator, &provider))
-	{
-		if (provider->get_triplet(provider, id, rand, sres, kc))
-		{
-			enumerator->destroy(enumerator);
-			return TRUE;
-		}
-		tried++;
-	}
-	enumerator->destroy(enumerator);
-	DBG1(DBG_IKE, "tried %d SIM providers, but none had a triplet for '%Y'",
-		 tried, id);
-	return FALSE;
-}
-
-/**
- * Implementation of sim_manager_t.provider_get_quintuplet
- */
-static bool provider_get_quintuplet(private_sim_manager_t *this,
-								identification_t *id, char rand[AKA_RAND_LEN],
-								char xres[AKA_RES_MAX], int *xres_len,
-								char ck[AKA_CK_LEN], char ik[AKA_IK_LEN],
-								char autn[AKA_AUTN_LEN])
-{
-	enumerator_t *enumerator;
-	sim_provider_t *provider;
-	int tried = 0;
-
-	enumerator = this->providers->create_enumerator(this->providers);
-	while (enumerator->enumerate(enumerator, &provider))
-	{
-		if (provider->get_quintuplet(provider, id, rand, xres, xres_len,
-									 ck, ik, autn))
-		{
-			enumerator->destroy(enumerator);
-			return TRUE;
-		}
-	}
-	enumerator->destroy(enumerator);
-	DBG1(DBG_IKE, "tried %d SIM providers, but none had a quintuplet for '%Y'",
-		 tried, id);
-	return FALSE;
-}
-
-/**
- * Implementation of sim_manager_t.provider_resync
- */
-static bool provider_resync(private_sim_manager_t *this, identification_t *id,
-							char rand[AKA_RAND_LEN], char auts[AKA_AUTS_LEN])
-{
-	enumerator_t *enumerator;
-	sim_provider_t *provider;
-
-	enumerator = this->providers->create_enumerator(this->providers);
-	while (enumerator->enumerate(enumerator, &provider))
-	{
-		if (provider->resync(provider, id, rand, auts))
-		{
-			enumerator->destroy(enumerator);
-			return TRUE;
-		}
-	}
-	enumerator->destroy(enumerator);
-	return FALSE;
-}
-
-/**
- * Implementation of sim_manager_t.provider_is_pseudonym
- */
-static identification_t* provider_is_pseudonym(private_sim_manager_t *this,
-											   identification_t *id)
-{
-	enumerator_t *enumerator;
-	sim_provider_t *provider;
-	identification_t *permanent = NULL;
-
-	enumerator = this->providers->create_enumerator(this->providers);
-	while (enumerator->enumerate(enumerator, &provider))
-	{
-		permanent = provider->is_pseudonym(provider, id);
-		if (permanent)
-		{
-			DBG1(DBG_IKE, "received pseudonym identity '%Y' "
-				 "mapping to '%Y'", id, permanent);
-			break;
-		}
-	}
-	enumerator->destroy(enumerator);
-	return permanent;
-}
-
-/**
- * Implementation of sim_manager_t.provider_gen_pseudonym
- */
-static identification_t* provider_gen_pseudonym(private_sim_manager_t *this,
-												identification_t *id)
-{
-	enumerator_t *enumerator;
-	sim_provider_t *provider;
-	identification_t *pseudonym = NULL;
-
-	enumerator = this->providers->create_enumerator(this->providers);
-	while (enumerator->enumerate(enumerator, &provider))
-	{
-		pseudonym = provider->gen_pseudonym(provider, id);
-		if (pseudonym)
-		{
-			DBG1(DBG_IKE, "proposing new pseudonym '%Y'", pseudonym);
-			break;
-		}
-	}
-	enumerator->destroy(enumerator);
-	return pseudonym;
-}
-
-/**
- * Implementation of sim_manager_t.provider_is_reauth
- */
-static identification_t* provider_is_reauth(private_sim_manager_t *this,
-								identification_t *id, char mk[HASH_SIZE_SHA1],
-								u_int16_t *counter)
-{
-	enumerator_t *enumerator;
-	sim_provider_t *provider;
-	identification_t *permanent = NULL;
-
-	enumerator = this->providers->create_enumerator(this->providers);
-	while (enumerator->enumerate(enumerator, &provider))
-	{
-		permanent = provider->is_reauth(provider, id, mk, counter);
-		if (permanent)
-		{
-			DBG1(DBG_IKE, "received reauthentication identity '%Y' "
-				 "mapping to '%Y'", id, permanent);
-			break;
-		}
-	}
-	enumerator->destroy(enumerator);
-	return permanent;
-}
-
-/**
- * Implementation of sim_manager_t.provider_gen_reauth
- */
-static identification_t* provider_gen_reauth(private_sim_manager_t *this,
-								identification_t *id, char mk[HASH_SIZE_SHA1])
-{
-	enumerator_t *enumerator;
-	sim_provider_t *provider;
-	identification_t *reauth = NULL;
-
-	enumerator = this->providers->create_enumerator(this->providers);
-	while (enumerator->enumerate(enumerator, &provider))
-	{
-		reauth = provider->gen_reauth(provider, id, mk);
-		if (reauth)
-		{
-			DBG1(DBG_IKE, "proposing new reauthentication identity '%Y'", reauth);
-			break;
-		}
-	}
-	enumerator->destroy(enumerator);
-	return reauth;
-}
-
-/**
- * Implementation of sim_manager_t.add_hooks
- */
-static void add_hooks(private_sim_manager_t *this, sim_hooks_t *hooks)
-{
-	this->hooks->insert_last(this->hooks, hooks);
-}
-
-/**
- * Implementation of sim_manager_t.remove_hooks
- */
-static void remove_hooks(private_sim_manager_t *this, sim_hooks_t *hooks)
-{
-	this->hooks->remove(this->hooks, hooks, NULL);
-}
-
-/**
- * Implementation of sim_manager_t.attribute_hook
- */
-static bool attribute_hook(private_sim_manager_t *this, eap_code_t code,
-						   eap_type_t type, u_int8_t subtype,
-						   u_int8_t attribute, chunk_t data)
-{
-	enumerator_t *enumerator;
-	sim_hooks_t *hooks;
-	bool filter = FALSE;
-
-	enumerator = this->hooks->create_enumerator(this->hooks);
-	while (enumerator->enumerate(enumerator, &hooks))
-	{
-		if (hooks->attribute(hooks, code, type, subtype, attribute, data))
-		{
-			filter = TRUE;
-			break;
-		}
-	}
-	enumerator->destroy(enumerator);
-	return filter;
-}
-
-/**
- * Implementation of sim_manager_t.key_hook
- */
-static void key_hook(private_sim_manager_t *this,
-					 chunk_t k_encr, chunk_t k_auth)
-{
-	enumerator_t *enumerator;
-	sim_hooks_t *hooks;
-
-	enumerator = this->hooks->create_enumerator(this->hooks);
-	while (enumerator->enumerate(enumerator, &hooks))
-	{
-		hooks->keys(hooks, k_encr, k_auth);
-	}
-	enumerator->destroy(enumerator);
-}
-
-/**
- * Implementation of sim_manager_t.destroy.
- */
-static void destroy(private_sim_manager_t *this)
-{
-	this->cards->destroy(this->cards);
-	this->providers->destroy(this->providers);
-	this->hooks->destroy(this->hooks);
-	free(this);
-}
-
-/**
- * See header
- */
-sim_manager_t *sim_manager_create()
-{
-	private_sim_manager_t *this = malloc_thing(private_sim_manager_t);
-
-	this->public.add_card = (void(*)(sim_manager_t*, sim_card_t *card))add_card;
-	this->public.remove_card = (void(*)(sim_manager_t*, sim_card_t *card))remove_card;
-	this->public.card_get_triplet = (bool(*)(sim_manager_t*, identification_t *id, char rand[SIM_RAND_LEN], char sres[SIM_SRES_LEN], char kc[SIM_KC_LEN]))card_get_triplet;
-	this->public.card_get_quintuplet = (status_t(*)(sim_manager_t*, identification_t *id, char rand[AKA_RAND_LEN], char autn[AKA_AUTN_LEN], char ck[AKA_CK_LEN], char ik[AKA_IK_LEN], char res[AKA_RES_MAX], int *res_len))card_get_quintuplet;
-	this->public.card_resync = (bool(*)(sim_manager_t*, identification_t *id, char rand[AKA_RAND_LEN], char auts[AKA_AUTS_LEN]))card_resync;
-	this->public.card_set_pseudonym = (void(*)(sim_manager_t*, identification_t *id, identification_t *pseudonym))card_set_pseudonym;
-	this->public.card_get_pseudonym = (identification_t*(*)(sim_manager_t*, identification_t *id))card_get_pseudonym;
-	this->public.card_set_reauth = (void(*)(sim_manager_t*, identification_t *id, identification_t *next, char mk[HASH_SIZE_SHA1], u_int16_t counter))card_set_reauth;
-	this->public.card_get_reauth = (identification_t*(*)(sim_manager_t*, identification_t *id, char mk[HASH_SIZE_SHA1], u_int16_t *counter))card_get_reauth;
-	this->public.add_provider = (void(*)(sim_manager_t*, sim_provider_t *provider))add_provider;
-	this->public.remove_provider = (void(*)(sim_manager_t*, sim_provider_t *provider))remove_provider;
-	this->public.provider_get_triplet = (bool(*)(sim_manager_t*, identification_t *id, char rand[SIM_RAND_LEN], char sres[SIM_SRES_LEN], char kc[SIM_KC_LEN]))provider_get_triplet;
-	this->public.provider_get_quintuplet = (bool(*)(sim_manager_t*, identification_t *id, char rand[AKA_RAND_LEN], char xres[AKA_RES_MAX], int *xres_len, char ck[AKA_CK_LEN], char ik[AKA_IK_LEN], char autn[AKA_AUTN_LEN]))provider_get_quintuplet;
-	this->public.provider_resync = (bool(*)(sim_manager_t*, identification_t *id, char rand[AKA_RAND_LEN], char auts[AKA_AUTS_LEN]))provider_resync;
-	this->public.provider_is_pseudonym = (identification_t*(*)(sim_manager_t*, identification_t *id))provider_is_pseudonym;
-	this->public.provider_gen_pseudonym = (identification_t*(*)(sim_manager_t*, identification_t *id))provider_gen_pseudonym;
-	this->public.provider_is_reauth = (identification_t*(*)(sim_manager_t*, identification_t *id, char mk[HASH_SIZE_SHA1], u_int16_t *counter))provider_is_reauth;
-	this->public.provider_gen_reauth = (identification_t*(*)(sim_manager_t*, identification_t *id, char mk[HASH_SIZE_SHA1]))provider_gen_reauth;
-	this->public.add_hooks = (void(*)(sim_manager_t*, sim_hooks_t *hooks))add_hooks;
-	this->public.remove_hooks = (void(*)(sim_manager_t*, sim_hooks_t *hooks))remove_hooks;
-	this->public.attribute_hook = (bool(*)(sim_manager_t*, eap_code_t code, eap_type_t type, u_int8_t subtype, u_int8_t attribute, chunk_t data))attribute_hook;
-	this->public.key_hook = (void(*)(sim_manager_t*, chunk_t k_encr, chunk_t k_auth))key_hook;
-	this->public.destroy = (void(*)(sim_manager_t*))destroy;
-
-	this->cards = linked_list_create();
-	this->providers = linked_list_create();
-	this->hooks = linked_list_create();
-
-	return &this->public;
-}
-
diff --git a/src/charon/sa/authenticators/eap/sim_manager.h b/src/charon/sa/authenticators/eap/sim_manager.h
deleted file mode 100644
index 49d27cbaa..000000000
--- a/src/charon/sa/authenticators/eap/sim_manager.h
+++ /dev/null
@@ -1,515 +0,0 @@
-/*
- * Copyright (C) 2008-2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup sim_manager sim_manager
- * @{ @ingroup eap
- */
-
-#ifndef SIM_MANAGER_H_
-#define SIM_MANAGER_H_
-
-#include <crypto/hashers/hasher.h>
-#include <utils/identification.h>
-#include <utils/enumerator.h>
-#include <sa/authenticators/eap/eap_method.h>
-
-typedef struct sim_manager_t sim_manager_t;
-typedef struct sim_card_t sim_card_t;
-typedef struct sim_provider_t sim_provider_t;
-typedef struct sim_hooks_t sim_hooks_t;
-
-#define SIM_RAND_LEN	16
-#define SIM_SRES_LEN	 4
-#define SIM_KC_LEN		 8
-
-#define AKA_RAND_LEN	16
-#define AKA_RES_MAX		16
-#define AKA_CK_LEN		16
-#define AKA_IK_LEN		16
-#define AKA_AUTN_LEN	16
-#define AKA_AUTS_LEN	14
-
-/**
- * Interface for a (U)SIM card (used as EAP client).
- *
- * The SIM card completes triplets/quintuplets requested in a challenge
- * received from the server.
- * An implementation supporting only one of SIM/AKA authentication may
- * implement the other methods with return_false()/return NOT_SUPPORTED/NULL.
- */
-struct sim_card_t {
-
-	/**
-	 * Calculate SRES/KC from a RAND for SIM authentication.
-	 *
-	 * @param id		permanent identity to get a triplet for
-	 * @param rand		RAND input buffer, fixed size 16 bytes
-	 * @param sres		SRES output buffer, fixed size 4 byte
-	 * @param kc		KC output buffer, fixed size 8 bytes
-	 * @return			TRUE if SRES/KC calculated, FALSE on error/wrong identity
-	 */
-	bool (*get_triplet)(sim_card_t *this, identification_t *id,
-						char rand[SIM_RAND_LEN], char sres[SIM_SRES_LEN],
-						char kc[SIM_KC_LEN]);
-
-	/**
-	 * Calculate CK/IK/RES from RAND/AUTN for AKA authentication.
-	 *
-	 * If the received sequence number (in autn) is out of sync, INVALID_STATE
-	 * is returned.
-	 * The RES value is the only one with variable length. Pass a buffer
-	 * of at least AKA_RES_MAX, the actual number of bytes is written to the
-	 * res_len value. While the standard would allow any bit length between
-	 * 32 and 128 bits, we support only full bytes for now.
-	 *
-	 * @param id		permanent identity to request quintuplet for
-	 * @param rand		random value rand
-	 * @param autn		authentication token autn
-	 * @param ck		buffer receiving encryption key ck
-	 * @param ik		buffer receiving integrity key ik
-	 * @param res		buffer receiving authentication result res
-	 * @param res_len	nubmer of bytes written to res buffer
-	 * @return			SUCCESS, FAILED, or INVALID_STATE if out of sync
-	 */
-	status_t (*get_quintuplet)(sim_card_t *this, identification_t *id,
-							   char rand[AKA_RAND_LEN], char autn[AKA_AUTN_LEN],
-							   char ck[AKA_CK_LEN], char ik[AKA_IK_LEN],
-							   char res[AKA_RES_MAX], int *res_len);
-
-	/**
-	 * Calculate AUTS from RAND for AKA resynchronization.
-	 *
-	 * @param id		permanent identity to request quintuplet for
-	 * @param rand		random value rand
-	 * @param auts		resynchronization parameter auts
-	 * @return			TRUE if parameter generated successfully
-	 */
-	bool (*resync)(sim_card_t *this, identification_t *id,
-				   char rand[AKA_RAND_LEN], char auts[AKA_AUTS_LEN]);
-
-	/**
-	 * Set the pseudonym to use for next authentication.
-	 *
-	 * @param id		permanent identity of the peer
-	 * @param pseudonym	pseudonym identity received from the server
-	 */
-	void (*set_pseudonym)(sim_card_t *this, identification_t *id,
-						  identification_t *pseudonym);
-
-	/**
-	 * Get the pseudonym previously stored via set_pseudonym().
-	 *
-	 * @param id		permanent identity of the peer
-	 * @return			associated pseudonym identity, NULL if none stored
-	 */
-	identification_t* (*get_pseudonym)(sim_card_t *this, identification_t *id);
-
-	/**
-	 * Store parameters to use for the next fast reauthentication.
-	 *
-	 * @param id		permanent identity of the peer
-	 * @param next		next fast reauthentication identity to use
-	 * @param mk		master key MK to store for reauthentication
-	 * @param counter	counter value to store, host order
-	 */
-	void (*set_reauth)(sim_card_t *this, identification_t *id,
-					   identification_t *next, char mk[HASH_SIZE_SHA1],
-					   u_int16_t counter);
-
-	/**
-	 * Retrieve parameters for fast reauthentication stored via set_reauth().
-	 *
-	 * @param id		permanent identity of the peer
-	 * @param mk		buffer receiving master key MK
-	 * @param counter	pointer receiving counter value, in host order
-	 * @return			fast reauthentication identity, NULL if not found
-	 */
-	identification_t* (*get_reauth)(sim_card_t *this, identification_t *id,
-									char mk[HASH_SIZE_SHA1], u_int16_t *counter);
-};
-
-/**
- * Interface for a triplet/quintuplet provider (used as EAP server).
- *
- * A SIM provider hands out triplets for SIM authentication and quintuplets
- * for AKA authentication. Multiple SIM provider instances can serve as
- * authentication backend to authenticate clients using SIM/AKA.
- * An implementation supporting only one of SIM/AKA authentication may
- * implement the other methods with return_false().
- */
-struct sim_provider_t {
-
-	/**
-	 * Create a challenge for SIM authentication.
-	 *
-	 * @param id		permanent identity of peer to gen triplet for
-	 * @param rand		RAND output buffer, fixed size 16 bytes
-	 * @param sres		SRES output buffer, fixed size 4 byte
-	 * @param kc		KC output buffer, fixed size 8 bytes
-	 * @return			TRUE if triplet received, FALSE otherwise
-	 */
-	bool (*get_triplet)(sim_provider_t *this, identification_t *id,
-						char rand[SIM_RAND_LEN], char sres[SIM_SRES_LEN],
-						char kc[SIM_KC_LEN]);
-
-	/**
-	 * Create a challenge for AKA authentication.
-	 *
-	 * The XRES value is the only one with variable length. Pass a buffer
-	 * of at least AKA_RES_MAX, the actual number of bytes is written to the
-	 * xres_len value. While the standard would allow any bit length between
-	 * 32 and 128 bits, we support only full bytes for now.
-	 *
-	 * @param id		permanent identity of peer to create challenge for
-	 * @param rand		buffer receiving random value rand
-	 * @param xres		buffer receiving expected authentication result xres
-	 * @param xres_len	nubmer of bytes written to xres buffer
-	 * @param ck		buffer receiving encryption key ck
-	 * @param ik		buffer receiving integrity key ik
-	 * @param autn		authentication token autn
-	 * @return			TRUE if quintuplet generated successfully
-	 */
-	bool (*get_quintuplet)(sim_provider_t *this, identification_t *id,
-						   char rand[AKA_RAND_LEN],
-						   char xres[AKA_RES_MAX], int *xres_len,
-						   char ck[AKA_CK_LEN], char ik[AKA_IK_LEN],
-						   char autn[AKA_AUTN_LEN]);
-
-	/**
-	 * Process AKA resynchroniusation request of a peer.
-	 *
-	 * @param id		permanent identity of peer requesting resynchronisation
-	 * @param rand		random value rand
-	 * @param auts		synchronization parameter auts
-	 * @return			TRUE if resynchronized successfully
-	 */
-	bool (*resync)(sim_provider_t *this, identification_t *id,
-				   char rand[AKA_RAND_LEN], char auts[AKA_AUTS_LEN]);
-
-	/**
-	 * Check if peer uses a pseudonym, get permanent identity.
-	 *
-	 * @param id		pseudonym identity candidate
-	 * @return			permanent identity, NULL if id not a pseudonym
-	 */
-	identification_t* (*is_pseudonym)(sim_provider_t *this,
-									  identification_t *id);
-
-	/**
-	 * Generate a pseudonym identitiy for a given peer identity.
-	 *
-	 * @param id		permanent identity to generate a pseudonym for
-	 * @return			generated pseudonym, NULL to not use a pseudonym identity
-	 */
-	identification_t* (*gen_pseudonym)(sim_provider_t *this,
-									   identification_t *id);
-
-	/**
-	 * Check if peer uses reauthentication, retrieve reauth parameters.
-	 *
-	 * @param id		reauthentication identity (candidate)
-	 * @param mk		buffer receiving master key MK
-	 * @param counter	pointer receiving current counter value, host order
-	 * @return			permanent identity, NULL if id not a reauth identity
-	 */
-	identification_t* (*is_reauth)(sim_provider_t *this, identification_t *id,
-								   char mk[HASH_SIZE_SHA1], u_int16_t *counter);
-
-	/**
-	 * Generate a fast reauthentication identity, associated to a master key.
-	 *
-	 * @param id		permanent peer identity
-	 * @param mk		master key to store along with generated identity
-	 * @return			fast reauthentication identity, NULL to not use reauth
-	 */
-	identification_t* (*gen_reauth)(sim_provider_t *this, identification_t *id,
-									char mk[HASH_SIZE_SHA1]);
-};
-
-/**
- * Additional hooks invoked during EAP-SIM/AKA message processing.
- */
-struct sim_hooks_t {
-
-	/**
-	 * SIM/AKA attribute parsing hook.
-	 *
-	 * @param code		code of EAP message the attribute was parsed from
-	 * @param type		EAP method, SIM or AKA
-	 * @param subtye	method specific subtype
-	 * @param attribute	parsed SIM/AKA attribute type
-	 * @param data		attribute data
-	 * @return			TRUE to filter out attribute from further processing
-	 */
-	bool (*attribute)(sim_hooks_t *this, eap_code_t code, eap_type_t type,
-					  u_int8_t subtype, u_int8_t attribute, chunk_t data);
-
-	/**
-	 * SIM/AKA encryption/authentication key hooks.
-	 *
-	 * @param k_encr	derived SIM/AKA encryption key k_encr
-	 * @param k_auth	derived SIM/AKA authentication key k_auth
-	 */
-	void (*keys)(sim_hooks_t *this, chunk_t k_encr, chunk_t k_auth);
-};
-
-/**
- * The SIM manager handles multiple (U)SIM cards/providers and hooks.
- */
-struct sim_manager_t {
-
-	/**
-	 * Register a SIM card (client) at the manager.
-	 *
-	 * @param card		sim card to register
-	 */
-	void (*add_card)(sim_manager_t *this, sim_card_t *card);
-
-	/**
-	 * Unregister a previously registered card from the manager.
-	 *
-	 * @param card		sim card to unregister
-	 */
-	void (*remove_card)(sim_manager_t *this, sim_card_t *card);
-
-	/**
-	 * Calculate SIM triplets on one of the registered SIM cards.
-	 *
-	 * @param id		permanent identity to get a triplet for
-	 * @param rand		RAND input buffer, fixed size 16 bytes
-	 * @param sres		SRES output buffer, fixed size 4 byte
-	 * @param kc		KC output buffer, fixed size 8 bytes
-	 * @return			TRUE if calculated, FALSE if no matching card found
-	 */
-	bool (*card_get_triplet)(sim_manager_t *this, identification_t *id,
-							 char rand[SIM_RAND_LEN], char sres[SIM_SRES_LEN],
-							 char kc[SIM_KC_LEN]);
-
-	/**
-	 * Calculate AKA quitpulets on one of the registered SIM cards.
-	 *
-	 * @param id		permanent identity to request quintuplet for
-	 * @param rand		random value rand
-	 * @param autn		authentication token autn
-	 * @param ck		buffer receiving encryption key ck
-	 * @param ik		buffer receiving integrity key ik
-	 * @param res		buffer receiving authentication result res
-	 * @param res_len	nubmer of bytes written to res buffer
-	 * @return			SUCCESS, FAILED, or INVALID_STATE if out of sync
-	 */
-	status_t (*card_get_quintuplet)(sim_manager_t *this, identification_t *id,
-								char rand[AKA_RAND_LEN], char autn[AKA_AUTN_LEN],
-								char ck[AKA_CK_LEN], char ik[AKA_IK_LEN],
-								char res[AKA_RES_MAX], int *res_len);
-
-	/**
-	 * Calculate resynchronization data on one of the registered SIM cards.
-	 *
-	 * @param id		permanent identity to request quintuplet for
-	 * @param rand		random value rand
-	 * @param auts		resynchronization parameter auts
-	 * @return			TRUE if calculated, FALSE if no matcing card found
-	 */
-	bool (*card_resync)(sim_manager_t *this, identification_t *id,
-						char rand[AKA_RAND_LEN], char auts[AKA_AUTS_LEN]);
-
-	/**
-	 * Store a received pseudonym on one of the registered SIM cards.
-	 *
-	 * @param id		permanent identity of the peer
-	 * @param pseudonym	pseudonym identity received from the server
-	 */
-	void (*card_set_pseudonym)(sim_manager_t *this, identification_t *id,
-							   identification_t *pseudonym);
-
-	/**
-	 * Get a stored pseudonym from one of the registerd SIM cards.
-	 *
-	 * @param id		permanent identity of the peer
-	 * @return			associated pseudonym identity, NULL if none found
-	 */
-	identification_t* (*card_get_pseudonym)(sim_manager_t *this,
-											identification_t *id);
-
-	/**
-	 * Store fast reauthentication parameters on one of the registered cards.
-	 *
-	 * @param id		permanent identity of the peer
-	 * @param next		next fast reauthentication identity to use
-	 * @param mk		master key MK to store for reauthentication
-	 * @param counter	counter value to store, host order
-	 */
-	void (*card_set_reauth)(sim_manager_t *this, identification_t *id,
-							identification_t *next, char mk[HASH_SIZE_SHA1],
-							u_int16_t counter);
-
-	/**
-	 * Retrieve fast reauthentication parameters from one of the registerd cards.
-	 *
-	 * @param id		permanent identity of the peer
-	 * @param mk		buffer receiving master key MK
-	 * @param counter	pointer receiving counter value, in host order
-	 * @return			fast reauthentication identity, NULL if none found
-	 */
-	identification_t* (*card_get_reauth)(sim_manager_t *this,
-								identification_t *id, char mk[HASH_SIZE_SHA1],
-								u_int16_t *counter);
-
-	/**
-	 * Register a triplet provider (server) at the manager.
-	 *
-	 * @param card		sim card to register
-	 */
-	void (*add_provider)(sim_manager_t *this, sim_provider_t *provider);
-
-	/**
-	 * Unregister a previously registered provider from the manager.
-	 *
-	 * @param card		sim card to unregister
-	 */
-	void (*remove_provider)(sim_manager_t *this, sim_provider_t *provider);
-
-	/**
-	 * Get a SIM triplet from one of the registered providers.
-	 *
-	 * @param id		permanent identity of peer to gen triplet for
-	 * @param rand		RAND output buffer, fixed size 16 bytes
-	 * @param sres		SRES output buffer, fixed size 4 byte
-	 * @param kc		KC output buffer, fixed size 8 bytes
-	 * @return			TRUE if triplet received, FALSE if no match found
-	 */
-	bool (*provider_get_triplet)(sim_manager_t *this, identification_t *id,
-							char rand[SIM_RAND_LEN], char sres[SIM_SRES_LEN],
-							char kc[SIM_KC_LEN]);
-
-	/**
-	 * Get a AKA quintuplet from one of the registered providers.
-	 *
-	 * @param id		permanent identity of peer to create challenge for
-	 * @param rand		buffer receiving random value rand
-	 * @param xres		buffer receiving expected authentication result xres
-	 * @param ck		buffer receiving encryption key ck
-	 * @param ik		buffer receiving integrity key ik
-	 * @param autn		authentication token autn
-	 * @return			TRUE if quintuplet received, FALSE if no match found
-	 */
-	bool (*provider_get_quintuplet)(sim_manager_t *this, identification_t *id,
-							char rand[AKA_RAND_LEN],
-							char xres[AKA_RES_MAX], int *xres_len,
-							char ck[AKA_CK_LEN], char ik[AKA_IK_LEN],
-							char autn[AKA_AUTN_LEN]);
-
-	/**
-	 * Pass AKA resynchronization data to one of the registered providers.
-	 *
-	 * @param id		permanent identity of peer requesting resynchronisation
-	 * @param rand		random value rand
-	 * @param auts		synchronization parameter auts
-	 * @return			TRUE if resynchronized, FALSE if not handled
-	 */
-	bool (*provider_resync)(sim_manager_t *this, identification_t *id,
-							char rand[AKA_RAND_LEN], char auts[AKA_AUTS_LEN]);
-
-	/**
-	 * Check if a peer uses a pseudonym using one of the registered providers.
-	 *
-	 * @param id		pseudonym identity candidate
-	 * @return			permanent identity, NULL if id not a pseudonym
-	 */
-	identification_t* (*provider_is_pseudonym)(sim_manager_t *this,
-											   identification_t *id);
-
-	/**
-	 * Generate a new pseudonym using one of the registered providers.
-	 *
-	 * @param id		permanent identity to generate a pseudonym for
-	 * @return			generated pseudonym, NULL to not use a pseudonym identity
-	 */
-	identification_t* (*provider_gen_pseudonym)(sim_manager_t *this,
-												identification_t *id);
-
-	/**
-	 * Check if a peer uses a reauth id using one of the registered providers.
-	 *
-	 * @param id		reauthentication identity (candidate)
-	 * @param mk		buffer receiving master key MK
-	 * @param counter	pointer receiving current counter value, host order
-	 * @return			permanent identity, NULL if not a known reauth identity
-	 */
-	identification_t* (*provider_is_reauth)(sim_manager_t *this,
-								identification_t *id, char mk[HASH_SIZE_SHA1],
-								u_int16_t *counter);
-
-	/**
-	 * Generate a fast reauth id using one of the registered providers.
-	 *
-	 * @param id		permanent peer identity
-	 * @param mk		master key to store along with generated identity
-	 * @return			fast reauthentication identity, NULL to not use reauth
-	 */
-	identification_t* (*provider_gen_reauth)(sim_manager_t *this,
-								identification_t *id, char mk[HASH_SIZE_SHA1]);
-
-	/**
-	 * Register a set of hooks to the manager.
-	 *
-	 * @param hooks		hook interface implementation to register
-	 */
-	void (*add_hooks)(sim_manager_t *this, sim_hooks_t *hooks);
-
-	/**
-	 * Unregister a set of hooks from the manager.
-	 *
-	 * @param hooks		hook interface implementation to unregister
-	 */
-	void (*remove_hooks)(sim_manager_t *this, sim_hooks_t *hooks);
-
-	/**
-	 * Invoke SIM/AKA attribute hook.
-	 *
-	 * @param code		EAP message code (Request/response/success/failed)
-	 * @param type		EAP method type, EAP-SIM or AKA
-	 * @param subtype	method specific message subtype
-	 * @param attribute	SIM/AKA attribute type
-	 * @param data		attribute data
-	 * @return			TRUE to filter out attribute from further processing
-	 */
-	bool (*attribute_hook)(sim_manager_t *this, eap_code_t code,
-						   eap_type_t type, u_int8_t subtype,
-						   u_int8_t attribute, chunk_t data);
-
-	/**
-	 * Invoke SIM/AKA key hook.
-	 *
-	 * @param k_encr	SIM/AKA encryption key k_encr
-	 * @param k_auth	SIM/AKA authentication key k_auth
-	 */
-	void (*key_hook)(sim_manager_t *this, chunk_t k_encr, chunk_t k_auth);
-
-	/**
-	 * Destroy a manager instance.
-	 */
-	void (*destroy)(sim_manager_t *this);
-};
-
-/**
- * Create an SIM manager to handle multiple (U)SIM cards/providers.
- *
- * @return			sim_t object
- */
-sim_manager_t *sim_manager_create();
-
-#endif /** SIM_MANAGER_H_ @}*/
diff --git a/src/charon/sa/authenticators/eap_authenticator.c b/src/charon/sa/authenticators/eap_authenticator.c
deleted file mode 100644
index 16911050a..000000000
--- a/src/charon/sa/authenticators/eap_authenticator.c
+++ /dev/null
@@ -1,705 +0,0 @@
-/*
- * Copyright (C) 2006-2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "eap_authenticator.h"
-
-#include <daemon.h>
-#include <sa/authenticators/eap/eap_method.h>
-#include <encoding/payloads/auth_payload.h>
-#include <encoding/payloads/eap_payload.h>
-
-typedef struct private_eap_authenticator_t private_eap_authenticator_t;
-
-/**
- * Private data of an eap_authenticator_t object.
- */
-struct private_eap_authenticator_t {
-
-	/**
-	 * Public authenticator_t interface.
-	 */
-	eap_authenticator_t public;
-
-	/**
-	 * Assigned IKE_SA
-	 */
-	ike_sa_t *ike_sa;
-
-	/**
-	 * others nonce to include in AUTH calculation
-	 */
-	chunk_t received_nonce;
-
-	/**
-	 * our nonce to include in AUTH calculation
-	 */
-	chunk_t sent_nonce;
-
-	/**
-	 * others IKE_SA_INIT message data to include in AUTH calculation
-	 */
-	chunk_t received_init;
-
-	/**
-	 * our IKE_SA_INIT message data to include in AUTH calculation
-	 */
-	chunk_t sent_init;
-
-	/**
-	 * Current EAP method processing
-	 */
-	eap_method_t *method;
-
-	/**
-	 * MSK used to build and verify auth payload
-	 */
-	chunk_t msk;
-
-	/**
-	 * EAP authentication method completed successfully
-	 */
-	bool eap_complete;
-
-	/**
-	 * Set if we require mutual EAP due EAP-only authentication
-	 */
-	bool require_mutual;
-
-	/**
-	 * authentication payload verified successfully
-	 */
-	bool auth_complete;
-
-	/**
-	 * generated EAP payload
-	 */
-	eap_payload_t *eap_payload;
-
-	/**
-	 * EAP identity of peer
-	 */
-	identification_t *eap_identity;
-};
-
-/**
- * load an EAP method
- */
-static eap_method_t *load_method(private_eap_authenticator_t *this,
-							eap_type_t type, u_int32_t vendor, eap_role_t role)
-{
-	identification_t *server, *peer;
-
-	if (role == EAP_SERVER)
-	{
-		server = this->ike_sa->get_my_id(this->ike_sa);
-		peer = this->ike_sa->get_other_id(this->ike_sa);
-	}
-	else
-	{
-		server = this->ike_sa->get_other_id(this->ike_sa);
-		peer = this->ike_sa->get_my_id(this->ike_sa);
-	}
-	if (this->eap_identity)
-	{
-		peer = this->eap_identity;
-	}
-	return charon->eap->create_instance(charon->eap, type, vendor,
-										role, server, peer);
-}
-
-/**
- * Initiate EAP conversation as server
- */
-static eap_payload_t* server_initiate_eap(private_eap_authenticator_t *this,
-										  bool do_identity)
-{
-	auth_cfg_t *auth;
-	eap_type_t type;
-	identification_t *id;
-	u_int32_t vendor;
-	eap_payload_t *out;
-	char *action;
-
-	auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
-
-	/* initiate EAP-Identity exchange if required */
-	if (!this->eap_identity && do_identity)
-	{
-		id = auth->get(auth, AUTH_RULE_EAP_IDENTITY);
-		if (id)
-		{
-			this->method = load_method(this, EAP_IDENTITY, 0, EAP_SERVER);
-			if (this->method)
-			{
-				if (this->method->initiate(this->method, &out) == NEED_MORE)
-				{
-					DBG1(DBG_IKE, "initiating EAP-Identity request");
-					return out;
-				}
-				this->method->destroy(this->method);
-			}
-			DBG1(DBG_IKE, "EAP-Identity request configured, but not supported");
-		}
-	}
-	/* invoke real EAP method */
-	type = (uintptr_t)auth->get(auth, AUTH_RULE_EAP_TYPE);
-	vendor = (uintptr_t)auth->get(auth, AUTH_RULE_EAP_VENDOR);
-	action = "loading";
-	this->method = load_method(this, type, vendor, EAP_SERVER);
-	if (this->method)
-	{
-		action = "initiating";
-		if (this->method->initiate(this->method, &out) == NEED_MORE)
-		{
-			if (vendor)
-			{
-				DBG1(DBG_IKE, "initiating EAP vendor type %d-%d method",
-							  type, vendor);
-			}
-			else
-			{
-				DBG1(DBG_IKE, "initiating %N method", eap_type_names, type);
-			}
-			return out;
-		}
-	}
-	if (vendor)
-	{
-		DBG1(DBG_IKE, "%s EAP vendor type %d-%d method failed",
-					  action, type,	vendor);
-	}
-	else
-	{
-		DBG1(DBG_IKE, "%s %N method failed", action, eap_type_names, type);
-	}
-	return eap_payload_create_code(EAP_FAILURE, 0);
-}
-
-/**
- * Replace the existing EAP-Identity in other auth config
- */
-static void replace_eap_identity(private_eap_authenticator_t *this)
-{
-	enumerator_t *enumerator;
-	auth_rule_t rule;
-	auth_cfg_t *cfg;
-	void *ptr;
-
-	cfg = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
-	enumerator = cfg->create_enumerator(cfg);
-	while (enumerator->enumerate(enumerator, &rule, &ptr))
-	{
-		if (rule == AUTH_RULE_EAP_IDENTITY)
-		{
-			cfg->replace(cfg, enumerator, AUTH_RULE_EAP_IDENTITY,
-						 this->eap_identity->clone(this->eap_identity));
-			break;
-		}
-	}
-	enumerator->destroy(enumerator);
-}
-
-/**
- * Handle EAP exchange as server
- */
-static eap_payload_t* server_process_eap(private_eap_authenticator_t *this,
-										 eap_payload_t *in)
-{
-	eap_type_t type, received_type;
-	u_int32_t vendor, received_vendor;
-	eap_payload_t *out;
-	auth_cfg_t *cfg;
-
-	if (in->get_code(in) != EAP_RESPONSE)
-	{
-		DBG1(DBG_IKE, "received %N, sending %N",
-			 eap_code_names, in->get_code(in), eap_code_names, EAP_FAILURE);
-		return eap_payload_create_code(EAP_FAILURE, in->get_identifier(in));
-	}
-
-	type = this->method->get_type(this->method, &vendor);
-	received_type = in->get_type(in, &received_vendor);
-	if (type != received_type || vendor != received_vendor)
-	{
-		if (received_vendor == 0 && received_type == EAP_NAK)
-		{
-			DBG1(DBG_IKE, "received %N, sending %N",
-				 eap_type_names, EAP_NAK, eap_code_names, EAP_FAILURE);
-		}
-		else
-		{
-			DBG1(DBG_IKE, "received invalid EAP response, sending %N",
-				 eap_code_names, EAP_FAILURE);
-		}
-		return eap_payload_create_code(EAP_FAILURE, in->get_identifier(in));
-	}
-
-	switch (this->method->process(this->method, in, &out))
-	{
-		case NEED_MORE:
-			return out;
-		case SUCCESS:
-			if (type == EAP_IDENTITY)
-			{
-				chunk_t data;
-
-				if (this->method->get_msk(this->method, &data) == SUCCESS)
-				{
-					this->eap_identity = identification_create_from_data(data);
-					DBG1(DBG_IKE, "received EAP identity '%Y'",
-						 this->eap_identity);
-					replace_eap_identity(this);
-				}
-				/* restart EAP exchange, but with real method */
-				this->method->destroy(this->method);
-				return server_initiate_eap(this, FALSE);
-			}
-			if (this->method->get_msk(this->method, &this->msk) == SUCCESS)
-			{
-				this->msk = chunk_clone(this->msk);
-			}
-			if (vendor)
-			{
-				DBG1(DBG_IKE, "EAP vendor specific method %d-%d succeeded, "
-					 "%sMSK established", type, vendor,
-					 this->msk.ptr ? "" : "no ");
-			}
-			else
-			{
-				DBG1(DBG_IKE, "EAP method %N succeeded, %sMSK established",
-					 eap_type_names, type, this->msk.ptr ? "" : "no ");
-			}
-			this->ike_sa->set_condition(this->ike_sa, COND_EAP_AUTHENTICATED,
-										TRUE);
-			cfg = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
-			cfg->add(cfg, AUTH_RULE_EAP_TYPE, type);
-			if (vendor)
-			{
-				cfg->add(cfg, AUTH_RULE_EAP_VENDOR, vendor);
-			}
-			this->eap_complete = TRUE;
-			return eap_payload_create_code(EAP_SUCCESS, in->get_identifier(in));
-		case FAILED:
-		default:
-			if (vendor)
-			{
-				DBG1(DBG_IKE, "EAP vendor specific method %d-%d failed for "
-					 "peer %Y", type, vendor,
-					 this->ike_sa->get_other_id(this->ike_sa));
-			}
-			else
-			{
-				DBG1(DBG_IKE, "EAP method %N failed for peer %Y",
-					 eap_type_names, type,
-					 this->ike_sa->get_other_id(this->ike_sa));
-			}
-			return eap_payload_create_code(EAP_FAILURE, in->get_identifier(in));
-	}
-}
-
-/**
- * Processing method for a peer
- */
-static eap_payload_t* client_process_eap(private_eap_authenticator_t *this,
-										 eap_payload_t *in)
-{
-	eap_type_t type;
-	u_int32_t vendor;
-	auth_cfg_t *auth;
-	eap_payload_t *out;
-	identification_t *id;
-
-	type = in->get_type(in, &vendor);
-
-	if (!vendor && type == EAP_IDENTITY)
-	{
-		DESTROY_IF(this->eap_identity);
-		auth = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
-		id = auth->get(auth, AUTH_RULE_EAP_IDENTITY);
-		if (!id || id->get_type(id) == ID_ANY)
-		{
-			id = this->ike_sa->get_my_id(this->ike_sa);
-		}
-		DBG1(DBG_IKE, "server requested %N, sending '%Y'",
-			 eap_type_names, type, id);
-		this->eap_identity = id->clone(id);
-
-		this->method = load_method(this, type, vendor, EAP_PEER);
-		if (this->method)
-		{
-			if (this->method->process(this->method, in, &out) == SUCCESS)
-			{
-				this->method->destroy(this->method);
-				this->method = NULL;
-				return out;
-			}
-			this->method->destroy(this->method);
-			this->method = NULL;
-		}
-		DBG1(DBG_IKE, "%N not supported, sending EAP_NAK",
-			 eap_type_names, type);
-		return eap_payload_create_nak(in->get_identifier(in));
-	}
-	if (this->method == NULL)
-	{
-		if (vendor)
-		{
-			DBG1(DBG_IKE, "server requested vendor specific EAP method %d-%d",
-				 type, vendor);
-		}
-		else
-		{
-			DBG1(DBG_IKE, "server requested %N authentication",
-				 eap_type_names, type);
-		}
-		this->method = load_method(this, type, vendor, EAP_PEER);
-		if (!this->method)
-		{
-			DBG1(DBG_IKE, "EAP method not supported, sending EAP_NAK");
-			return eap_payload_create_nak(in->get_identifier(in));
-		}
-	}
-
-	type = this->method->get_type(this->method, &vendor);
-
-	if (this->method->process(this->method, in, &out) == NEED_MORE)
-	{	/* client methods should never return SUCCESS */
-		return out;
-	}
-
-	if (vendor)
-	{
-		DBG1(DBG_IKE, "vendor specific EAP method %d-%d failed", type, vendor);
-	}
-	else
-	{
-		DBG1(DBG_IKE, "%N method failed", eap_type_names, type);
-	}
-	return NULL;
-}
-
-/**
- * Verify AUTH payload
- */
-static bool verify_auth(private_eap_authenticator_t *this, message_t *message,
-						chunk_t nonce, chunk_t init)
-{
-	auth_payload_t *auth_payload;
-	chunk_t auth_data, recv_auth_data;
-	identification_t *other_id;
-	auth_cfg_t *auth;
-	keymat_t *keymat;
-
-	auth_payload = (auth_payload_t*)message->get_payload(message,
-														 AUTHENTICATION);
-	if (!auth_payload)
-	{
-		DBG1(DBG_IKE, "AUTH payload missing");
-		return FALSE;
-	}
-	other_id = this->ike_sa->get_other_id(this->ike_sa);
-	keymat = this->ike_sa->get_keymat(this->ike_sa);
-	auth_data = keymat->get_psk_sig(keymat, TRUE, init, nonce,
-									this->msk, other_id);
-	recv_auth_data = auth_payload->get_data(auth_payload);
-	if (!auth_data.len || !chunk_equals(auth_data, recv_auth_data))
-	{
-		DBG1(DBG_IKE, "verification of AUTH payload with%s EAP MSK failed",
-			 this->msk.ptr ? "" : "out");
-		chunk_free(&auth_data);
-		return FALSE;
-	}
-	chunk_free(&auth_data);
-
-	DBG1(DBG_IKE, "authentication of '%Y' with %N successful",
-		 other_id, auth_class_names, AUTH_CLASS_EAP);
-	this->auth_complete = TRUE;
-	auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
-	auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_EAP);
-	return TRUE;
-}
-
-/**
- * Build AUTH payload
- */
-static void build_auth(private_eap_authenticator_t *this, message_t *message,
-					   chunk_t nonce, chunk_t init)
-{
-	auth_payload_t *auth_payload;
-	identification_t *my_id;
-	chunk_t auth_data;
-	keymat_t *keymat;
-
-	my_id = this->ike_sa->get_my_id(this->ike_sa);
-	keymat = this->ike_sa->get_keymat(this->ike_sa);
-
-	DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N",
-		 my_id, auth_class_names, AUTH_CLASS_EAP);
-
-	auth_data = keymat->get_psk_sig(keymat, FALSE, init, nonce, this->msk, my_id);
-	auth_payload = auth_payload_create();
-	auth_payload->set_auth_method(auth_payload, AUTH_PSK);
-	auth_payload->set_data(auth_payload, auth_data);
-	message->add_payload(message, (payload_t*)auth_payload);
-	chunk_free(&auth_data);
-}
-
-/**
- * Implementation of authenticator_t.process for a server
- */
-static status_t process_server(private_eap_authenticator_t *this,
-							   message_t *message)
-{
-	eap_payload_t *eap_payload;
-
-	if (this->eap_complete)
-	{
-		if (!verify_auth(this, message, this->sent_nonce, this->received_init))
-		{
-			return FAILED;
-		}
-		return NEED_MORE;
-	}
-
-	if (!this->method)
-	{
-		this->eap_payload = server_initiate_eap(this, TRUE);
-	}
-	else
-	{
-		eap_payload = (eap_payload_t*)message->get_payload(message,
-													EXTENSIBLE_AUTHENTICATION);
-		if (!eap_payload)
-		{
-			return FAILED;
-		}
-		this->eap_payload = server_process_eap(this, eap_payload);
-	}
-	return NEED_MORE;
-}
-
-/**
- * Implementation of authenticator_t.build for a server
- */
-static status_t build_server(private_eap_authenticator_t *this,
-							 message_t *message)
-{
-	if (this->eap_payload)
-	{
-		eap_code_t code;
-
-		code = this->eap_payload->get_code(this->eap_payload);
-		message->add_payload(message, (payload_t*)this->eap_payload);
-		this->eap_payload = NULL;
-		if (code == EAP_FAILURE)
-		{
-			return FAILED;
-		}
-		return NEED_MORE;
-	}
-	if (this->eap_complete && this->auth_complete)
-	{
-		build_auth(this, message, this->received_nonce, this->sent_init);
-		return SUCCESS;
-	}
-	return FAILED;
-}
-
-/**
- * Implementation of authenticator_t.process for a client
- */
-static status_t process_client(private_eap_authenticator_t *this,
-							   message_t *message)
-{
-	eap_payload_t *eap_payload;
-
-	if (this->eap_complete)
-	{
-		if (!verify_auth(this, message, this->sent_nonce, this->received_init))
-		{
-			return FAILED;
-		}
-		if (this->require_mutual && !this->method->is_mutual(this->method))
-		{	/* we require mutual authentication due to EAP-only */
-			u_int32_t vendor;
-
-			DBG1(DBG_IKE, "EAP-only authentication requires a mutual and "
-				 "MSK deriving EAP method, but %N is not",
-				 eap_type_names, this->method->get_type(this->method, &vendor));
-			return FAILED;
-		}
-		return SUCCESS;
-	}
-
-	eap_payload = (eap_payload_t*)message->get_payload(message,
-													EXTENSIBLE_AUTHENTICATION);
-	if (eap_payload)
-	{
-		switch (eap_payload->get_code(eap_payload))
-		{
-			case EAP_REQUEST:
-			{
-				this->eap_payload = client_process_eap(this, eap_payload);
-				if (this->eap_payload)
-				{
-					return NEED_MORE;
-				}
-				return FAILED;
-			}
-			case EAP_SUCCESS:
-			{
-				eap_type_t type;
-				u_int32_t vendor;
-				auth_cfg_t *cfg;
-
-				if (this->method->get_msk(this->method, &this->msk) == SUCCESS)
-				{
-					this->msk = chunk_clone(this->msk);
-				}
-				type = this->method->get_type(this->method, &vendor);
-				if (vendor)
-				{
-					DBG1(DBG_IKE, "EAP vendor specific method %d-%d succeeded, "
-						 "%sMSK established", type, vendor,
-						 this->msk.ptr ? "" : "no ");
-				}
-				else
-				{
-					DBG1(DBG_IKE, "EAP method %N succeeded, %sMSK established",
-						 eap_type_names, type, this->msk.ptr ? "" : "no ");
-				}
-				cfg = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
-				cfg->add(cfg, AUTH_RULE_EAP_TYPE, type);
-				if (vendor)
-				{
-					cfg->add(cfg, AUTH_RULE_EAP_VENDOR, vendor);
-				}
-				this->eap_complete = TRUE;
-				return NEED_MORE;
-			}
-			case EAP_FAILURE:
-			default:
-			{
-				DBG1(DBG_IKE, "received %N, EAP authentication failed",
-					 eap_code_names, eap_payload->get_code(eap_payload));
-				return FAILED;
-			}
-		}
-	}
-	return FAILED;
-}
-
-/**
- * Implementation of authenticator_t.build for a client
- */
-static status_t build_client(private_eap_authenticator_t *this,
-							 message_t *message)
-{
-	if (this->eap_payload)
-	{
-		message->add_payload(message, (payload_t*)this->eap_payload);
-		this->eap_payload = NULL;
-		return NEED_MORE;
-	}
-	if (this->eap_complete)
-	{
-		build_auth(this, message, this->received_nonce, this->sent_init);
-		return NEED_MORE;
-	}
-	return NEED_MORE;
-}
-
-/**
- * Implementation of authenticator_t.is_mutual.
- */
-static bool is_mutual(private_eap_authenticator_t *this)
-{
-	/* we don't know yet, but insist on it after EAP is complete */
-	this->require_mutual = TRUE;
-	return TRUE;
-}
-
-/**
- * Implementation of authenticator_t.destroy.
- */
-static void destroy(private_eap_authenticator_t *this)
-{
-	DESTROY_IF(this->method);
-	DESTROY_IF(this->eap_payload);
-	DESTROY_IF(this->eap_identity);
-	chunk_free(&this->msk);
-	free(this);
-}
-
-/*
- * Described in header.
- */
-eap_authenticator_t *eap_authenticator_create_builder(ike_sa_t *ike_sa,
-									chunk_t received_nonce, chunk_t sent_nonce,
-									chunk_t received_init, chunk_t sent_init)
-{
-	private_eap_authenticator_t *this = malloc_thing(private_eap_authenticator_t);
-
-	this->public.authenticator.build = (status_t(*)(authenticator_t*, message_t *message))build_client;
-	this->public.authenticator.process = (status_t(*)(authenticator_t*, message_t *message))process_client;
-	this->public.authenticator.is_mutual = (bool(*)(authenticator_t*))is_mutual;
-	this->public.authenticator.destroy = (void(*)(authenticator_t*))destroy;
-
-	this->ike_sa = ike_sa;
-	this->received_init = received_init;
-	this->received_nonce = received_nonce;
-	this->sent_init = sent_init;
-	this->sent_nonce = sent_nonce;
-	this->msk = chunk_empty;
-	this->method = NULL;
-	this->eap_payload = NULL;
-	this->eap_complete = FALSE;
-	this->auth_complete = FALSE;
-	this->eap_identity = NULL;
-	this->require_mutual = FALSE;
-
-	return &this->public;
-}
-
-/*
- * Described in header.
- */
-eap_authenticator_t *eap_authenticator_create_verifier(ike_sa_t *ike_sa,
-									chunk_t received_nonce, chunk_t sent_nonce,
-									chunk_t received_init, chunk_t sent_init)
-{
-	private_eap_authenticator_t *this = malloc_thing(private_eap_authenticator_t);
-
-	this->public.authenticator.build = (status_t(*)(authenticator_t*, message_t *messageh))build_server;
-	this->public.authenticator.process = (status_t(*)(authenticator_t*, message_t *message))process_server;
-	this->public.authenticator.is_mutual = (bool(*)(authenticator_t*))is_mutual;
-	this->public.authenticator.destroy = (void(*)(authenticator_t*))destroy;
-
-	this->ike_sa = ike_sa;
-	this->received_init = received_init;
-	this->received_nonce = received_nonce;
-	this->sent_init = sent_init;
-	this->sent_nonce = sent_nonce;
-	this->msk = chunk_empty;
-	this->method = NULL;
-	this->eap_payload = NULL;
-	this->eap_complete = FALSE;
-	this->auth_complete = FALSE;
-	this->eap_identity = NULL;
-	this->require_mutual = FALSE;
-
-	return &this->public;
-}
-
diff --git a/src/charon/sa/authenticators/eap_authenticator.h b/src/charon/sa/authenticators/eap_authenticator.h
deleted file mode 100644
index 41eb6a8c9..000000000
--- a/src/charon/sa/authenticators/eap_authenticator.h
+++ /dev/null
@@ -1,98 +0,0 @@
-/*
- * Copyright (C) 2006-2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup eap_authenticator eap_authenticator
- * @{ @ingroup authenticators
- */
-
-#ifndef EAP_AUTHENTICATOR_H_
-#define EAP_AUTHENTICATOR_H_
-
-typedef struct eap_authenticator_t eap_authenticator_t;
-
-#include <sa/authenticators/authenticator.h>
-
-/**
- * Implementation of authenticator_t using EAP authentication.
- *
- * Authentication using EAP involves the most complex authenticator. It stays
- * alive over multiple ike_auth transactions and handles multiple EAP
- * messages.
- *
- * @verbatim
-                          ike_sa_init
-                   ------------------------->
-                   <-------------------------
-                 followed by multiple ike_auth:
-
-     +--------+                                +--------+
-     |  EAP   |       IDi, [IDr,] SA, TS       |  EAP   |
-     | client |  --------------------------->  | server |
-     |        |          ID, AUTH, EAP         |        |
-     |        |  <---------------------------  |        |
-     |        |              EAP               |        |
-     |        |  --------------------------->  |        |
-     |        |              EAP               |        |
-     |        |  <---------------------------  |        |
-     |        |              EAP               |        |
-     |        |  --------------------------->  |        |
-     |        |           EAP(SUCCESS)         |        |
-     |        |  <---------------------------  |        |
-     |        |              AUTH              |        |  If EAP establishes
-     |        |  --------------------------->  |        |  a session key, AUTH
-     |        |          AUTH, SA, TS          |        |  payloads use this
-     |        |  <---------------------------  |        |  key, not SK_pi/pr
-     +--------+                                +--------+
-
-   @endverbatim
- */
-struct eap_authenticator_t {
-
-	/**
-	 * Implemented authenticator_t interface.
-	 */
-	authenticator_t authenticator;
-};
-
-/**
- * Create an authenticator to authenticate against an EAP server.
- *
- * @param ike_sa			associated ike_sa
- * @param received_nonce	nonce received in IKE_SA_INIT
- * @param sent_nonce		nonce sent in IKE_SA_INIT
- * @param received_init		received IKE_SA_INIT message data
- * @param sent_init			sent IKE_SA_INIT message data
- * @return					EAP authenticator
- */
-eap_authenticator_t *eap_authenticator_create_builder(ike_sa_t *ike_sa,
-									chunk_t received_nonce, chunk_t sent_nonce,
-									chunk_t received_init, chunk_t sent_init);
-
-/**
- * Create an authenticator to authenticate EAP clients.
- *
- * @param ike_sa			associated ike_sa
- * @param received_nonce	nonce received in IKE_SA_INIT
- * @param sent_nonce		nonce sent in IKE_SA_INIT
- * @param received_init		received IKE_SA_INIT message data
- * @param sent_init			sent IKE_SA_INIT message data
- * @return					EAP authenticator
- */
-eap_authenticator_t *eap_authenticator_create_verifier(ike_sa_t *ike_sa,
-									chunk_t received_nonce, chunk_t sent_nonce,
-									chunk_t received_init, chunk_t sent_init);
-
-#endif /** EAP_AUTHENTICATOR_H_ @}*/
diff --git a/src/charon/sa/authenticators/psk_authenticator.c b/src/charon/sa/authenticators/psk_authenticator.c
deleted file mode 100644
index 67197d690..000000000
--- a/src/charon/sa/authenticators/psk_authenticator.c
+++ /dev/null
@@ -1,201 +0,0 @@
-/*
- * Copyright (C) 2005-2009 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "psk_authenticator.h"
-
-#include <daemon.h>
-#include <encoding/payloads/auth_payload.h>
-
-typedef struct private_psk_authenticator_t private_psk_authenticator_t;
-
-/**
- * Private data of an psk_authenticator_t object.
- */
-struct private_psk_authenticator_t {
-
-	/**
-	 * Public authenticator_t interface.
-	 */
-	psk_authenticator_t public;
-
-	/**
-	 * Assigned IKE_SA
-	 */
-	ike_sa_t *ike_sa;
-
-	/**
-	 * nonce to include in AUTH calculation
-	 */
-	chunk_t nonce;
-
-	/**
-	 * IKE_SA_INIT message data to include in AUTH calculation
-	 */
-	chunk_t ike_sa_init;
-};
-
-/*
- * Implementation of authenticator_t.build for builder
- */
-static status_t build(private_psk_authenticator_t *this, message_t *message)
-{
-	identification_t *my_id, *other_id;
-	auth_payload_t *auth_payload;
-	shared_key_t *key;
-	chunk_t auth_data;
-	keymat_t *keymat;
-
-	keymat = this->ike_sa->get_keymat(this->ike_sa);
-	my_id = this->ike_sa->get_my_id(this->ike_sa);
-	other_id = this->ike_sa->get_other_id(this->ike_sa);
-	DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N",
-		 my_id, auth_method_names, AUTH_PSK);
-	key = charon->credentials->get_shared(charon->credentials, SHARED_IKE,
-										  my_id, other_id);
-	if (key == NULL)
-	{
-		DBG1(DBG_IKE, "no shared key found for '%Y' - '%Y'", my_id, other_id);
-		return NOT_FOUND;
-	}
-	auth_data = keymat->get_psk_sig(keymat, FALSE, this->ike_sa_init,
-									this->nonce, key->get_key(key), my_id);
-	key->destroy(key);
-	DBG2(DBG_IKE, "successfully created shared key MAC");
-	auth_payload = auth_payload_create();
-	auth_payload->set_auth_method(auth_payload, AUTH_PSK);
-	auth_payload->set_data(auth_payload, auth_data);
-	chunk_free(&auth_data);
-	message->add_payload(message, (payload_t*)auth_payload);
-
-	return SUCCESS;
-}
-
-/**
- * Implementation of authenticator_t.process for verifier
- */
-static status_t process(private_psk_authenticator_t *this, message_t *message)
-{
-	chunk_t auth_data, recv_auth_data;
-	identification_t *my_id, *other_id;
-	auth_payload_t *auth_payload;
-	auth_cfg_t *auth;
-	shared_key_t *key;
-	enumerator_t *enumerator;
-	bool authenticated = FALSE;
-	int keys_found = 0;
-	keymat_t *keymat;
-
-	auth_payload = (auth_payload_t*)message->get_payload(message, AUTHENTICATION);
-	if (!auth_payload)
-	{
-		return FAILED;
-	}
-	keymat = this->ike_sa->get_keymat(this->ike_sa);
-	recv_auth_data = auth_payload->get_data(auth_payload);
-	my_id = this->ike_sa->get_my_id(this->ike_sa);
-	other_id = this->ike_sa->get_other_id(this->ike_sa);
-	enumerator = charon->credentials->create_shared_enumerator(
-							charon->credentials, SHARED_IKE, my_id, other_id);
-	while (!authenticated && enumerator->enumerate(enumerator, &key, NULL, NULL))
-	{
-		keys_found++;
-
-		auth_data = keymat->get_psk_sig(keymat, TRUE, this->ike_sa_init,
-									this->nonce, key->get_key(key), other_id);
-		if (auth_data.len && chunk_equals(auth_data, recv_auth_data))
-		{
-			DBG1(DBG_IKE, "authentication of '%Y' with %N successful",
-				 other_id, auth_method_names, AUTH_PSK);
-			authenticated = TRUE;
-		}
-		chunk_free(&auth_data);
-	}
-	enumerator->destroy(enumerator);
-
-	if (!authenticated)
-	{
-		if (keys_found == 0)
-		{
-			DBG1(DBG_IKE, "no shared key found for '%Y' - '%Y'", my_id, other_id);
-			return NOT_FOUND;
-		}
-		DBG1(DBG_IKE, "tried %d shared key%s for '%Y' - '%Y', but MAC mismatched",
-			 keys_found, keys_found == 1 ? "" : "s", my_id, other_id);
-		return FAILED;
-	}
-
-	auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
-	auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PSK);
-	return SUCCESS;
-}
-
-/**
- * Implementation of authenticator_t.process for builder
- * Implementation of authenticator_t.build for verifier
- */
-static status_t return_failed()
-{
-	return FAILED;
-}
-
-/**
- * Implementation of authenticator_t.destroy.
- */
-static void destroy(private_psk_authenticator_t *this)
-{
-	free(this);
-}
-
-/*
- * Described in header.
- */
-psk_authenticator_t *psk_authenticator_create_builder(ike_sa_t *ike_sa,
-									chunk_t received_nonce, chunk_t sent_init)
-{
-	private_psk_authenticator_t *this = malloc_thing(private_psk_authenticator_t);
-
-	this->public.authenticator.build = (status_t(*)(authenticator_t*, message_t *message))build;
-	this->public.authenticator.process = (status_t(*)(authenticator_t*, message_t *message))return_failed;
-	this->public.authenticator.is_mutual = (bool(*)(authenticator_t*))return_false;
-	this->public.authenticator.destroy = (void(*)(authenticator_t*))destroy;
-
-	this->ike_sa = ike_sa;
-	this->ike_sa_init = sent_init;
-	this->nonce = received_nonce;
-
-	return &this->public;
-}
-
-/*
- * Described in header.
- */
-psk_authenticator_t *psk_authenticator_create_verifier(ike_sa_t *ike_sa,
-									chunk_t sent_nonce, chunk_t received_init)
-{
-	private_psk_authenticator_t *this = malloc_thing(private_psk_authenticator_t);
-
-	this->public.authenticator.build = (status_t(*)(authenticator_t*, message_t *messageh))return_failed;
-	this->public.authenticator.process = (status_t(*)(authenticator_t*, message_t *message))process;
-	this->public.authenticator.is_mutual = (bool(*)(authenticator_t*))return_false;
-	this->public.authenticator.destroy = (void(*)(authenticator_t*))destroy;
-
-	this->ike_sa = ike_sa;
-	this->ike_sa_init = received_init;
-	this->nonce = sent_nonce;
-
-	return &this->public;
-}
-
diff --git a/src/charon/sa/authenticators/psk_authenticator.h b/src/charon/sa/authenticators/psk_authenticator.h
deleted file mode 100644
index 0fab11095..000000000
--- a/src/charon/sa/authenticators/psk_authenticator.h
+++ /dev/null
@@ -1,61 +0,0 @@
-/*
- * Copyright (C) 2006-2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup psk_authenticator psk_authenticator
- * @{ @ingroup authenticators
- */
-
-#ifndef PSK_AUTHENTICATOR_H_
-#define PSK_AUTHENTICATOR_H_
-
-typedef struct psk_authenticator_t psk_authenticator_t;
-
-#include <sa/authenticators/authenticator.h>
-
-/**
- * Implementation of authenticator_t using pre-shared keys.
- */
-struct psk_authenticator_t {
-
-	/**
-	 * Implemented authenticator_t interface.
-	 */
-	authenticator_t authenticator;
-};
-
-/**
- * Create an authenticator to build PSK signatures.
- *
- * @param ike_sa			associated ike_sa
- * @param received_nonce	nonce received in IKE_SA_INIT
- * @param sent_init			sent IKE_SA_INIT message data
- * @return					PSK authenticator
- */
-psk_authenticator_t *psk_authenticator_create_builder(ike_sa_t *ike_sa,
-									chunk_t received_nonce, chunk_t sent_init);
-
-/**
- * Create an authenticator to verify PSK signatures.
- *
- * @param ike_sa			associated ike_sa
- * @param sent_nonce		nonce sent in IKE_SA_INIT
- * @param received_init		received IKE_SA_INIT message data
- * @return					PSK authenticator
- */
-psk_authenticator_t *psk_authenticator_create_verifier(ike_sa_t *ike_sa,
-									chunk_t sent_nonce, chunk_t received_init);
-
-#endif /** PSK_AUTHENTICATOR_H_ @}*/
diff --git a/src/charon/sa/authenticators/pubkey_authenticator.c b/src/charon/sa/authenticators/pubkey_authenticator.c
deleted file mode 100644
index f1dca2702..000000000
--- a/src/charon/sa/authenticators/pubkey_authenticator.c
+++ /dev/null
@@ -1,265 +0,0 @@
-/*
- * Copyright (C) 2008 Tobias Brunner
- * Copyright (C) 2005-2009 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "pubkey_authenticator.h"
-
-#include <daemon.h>
-#include <encoding/payloads/auth_payload.h>
-
-typedef struct private_pubkey_authenticator_t private_pubkey_authenticator_t;
-
-/**
- * Private data of an pubkey_authenticator_t object.
- */
-struct private_pubkey_authenticator_t {
-
-	/**
-	 * Public authenticator_t interface.
-	 */
-	pubkey_authenticator_t public;
-
-	/**
-	 * Assigned IKE_SA
-	 */
-	ike_sa_t *ike_sa;
-
-	/**
-	 * nonce to include in AUTH calculation
-	 */
-	chunk_t nonce;
-
-	/**
-	 * IKE_SA_INIT message data to include in AUTH calculation
-	 */
-	chunk_t ike_sa_init;
-};
-
-/**
- * Implementation of authenticator_t.build for builder
- */
-static status_t build(private_pubkey_authenticator_t *this, message_t *message)
-{
-	chunk_t octets, auth_data;
-	status_t status = FAILED;
-	private_key_t *private;
-	identification_t *id;
-	auth_cfg_t *auth;
-	auth_payload_t *auth_payload;
-	auth_method_t auth_method;
-	signature_scheme_t scheme;
-	keymat_t *keymat;
-
-	id = this->ike_sa->get_my_id(this->ike_sa);
-	auth = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
-	private = charon->credentials->get_private(charon->credentials, KEY_ANY,
-											   id, auth);
-	if (private == NULL)
-	{
-		DBG1(DBG_IKE, "no private key found for '%Y'", id);
-		return NOT_FOUND;
-	}
-
-	switch (private->get_type(private))
-	{
-		case KEY_RSA:
-			/* we currently use always SHA1 for signatures,
-			 * TODO: support other hashes depending on configuration/auth */
-			scheme = SIGN_RSA_EMSA_PKCS1_SHA1;
-			auth_method = AUTH_RSA;
-			break;
-		case KEY_ECDSA:
-			/* we try to deduct the signature scheme from the keysize */
-			switch (private->get_keysize(private))
-			{
-				case 32:
-					scheme = SIGN_ECDSA_256;
-					auth_method = AUTH_ECDSA_256;
-					break;
-				case 48:
-					scheme = SIGN_ECDSA_384;
-					auth_method = AUTH_ECDSA_384;
-					break;
-				case 66:
-					scheme = SIGN_ECDSA_521;
-					auth_method = AUTH_ECDSA_521;
-					break;
-				default:
-					DBG1(DBG_IKE, "%d bit ECDSA private key size not supported",
-							private->get_keysize(private));
-					return status;
-			}
-			break;
-		default:
-			DBG1(DBG_IKE, "private key of type %N not supported",
-					key_type_names, private->get_type(private));
-			return status;
-	}
-	keymat = this->ike_sa->get_keymat(this->ike_sa);
-	octets = keymat->get_auth_octets(keymat, FALSE, this->ike_sa_init,
-									 this->nonce, id);
-	if (private->sign(private, scheme, octets, &auth_data))
-	{
-		auth_payload = auth_payload_create();
-		auth_payload->set_auth_method(auth_payload, auth_method);
-		auth_payload->set_data(auth_payload, auth_data);
-		chunk_free(&auth_data);
-		message->add_payload(message, (payload_t*)auth_payload);
-		status = SUCCESS;
-	}
-	DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N %s", id,
-		 auth_method_names, auth_method,
-		 (status == SUCCESS)? "successful":"failed");
-	chunk_free(&octets);
-	private->destroy(private);
-
-	return status;
-}
-
-/**
- * Implementation of authenticator_t.process for verifier
- */
-static status_t process(private_pubkey_authenticator_t *this, message_t *message)
-{
-	public_key_t *public;
-	auth_method_t auth_method;
-	auth_payload_t *auth_payload;
-	chunk_t auth_data, octets;
-	identification_t *id;
-	auth_cfg_t *auth, *current_auth;
-	enumerator_t *enumerator;
-	key_type_t key_type = KEY_ECDSA;
-	signature_scheme_t scheme;
-	status_t status = NOT_FOUND;
-	keymat_t *keymat;
-
-	auth_payload = (auth_payload_t*)message->get_payload(message, AUTHENTICATION);
-	if (!auth_payload)
-	{
-		return FAILED;
-	}
-	auth_method = auth_payload->get_auth_method(auth_payload);
-	switch (auth_method)
-	{
-		case AUTH_RSA:
-			/* We currently accept SHA1 signatures only
-			 * TODO: allow other hash algorithms and note it in "auth" */
-			key_type = KEY_RSA;
-			scheme = SIGN_RSA_EMSA_PKCS1_SHA1;
-			break;
-		case AUTH_ECDSA_256:
-			scheme = SIGN_ECDSA_256;
-			break;
-		case AUTH_ECDSA_384:
-			scheme = SIGN_ECDSA_384;
-			break;
-		case AUTH_ECDSA_521:
-			scheme = SIGN_ECDSA_521;
-			break;
-		default:
-			return INVALID_ARG;
-	}
-	auth_data = auth_payload->get_data(auth_payload);
-	id = this->ike_sa->get_other_id(this->ike_sa);
-	keymat = this->ike_sa->get_keymat(this->ike_sa);
-	octets = keymat->get_auth_octets(keymat, TRUE, this->ike_sa_init,
-									 this->nonce, id);
-	auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
-	enumerator = charon->credentials->create_public_enumerator(
-										charon->credentials, key_type, id, auth);
-	while (enumerator->enumerate(enumerator, &public, &current_auth))
-	{
-		if (public->verify(public, scheme, octets, auth_data))
-		{
-			DBG1(DBG_IKE, "authentication of '%Y' with %N successful",
-						   id, auth_method_names, auth_method);
-			status = SUCCESS;
-			auth->merge(auth, current_auth, FALSE);
-			auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
-			break;
-		}
-		else
-		{
-			status = FAILED;
-			DBG1(DBG_IKE, "signature validation failed, looking for another key");
-		}
-	}
-	enumerator->destroy(enumerator);
-	chunk_free(&octets);
-	if (status == NOT_FOUND)
-	{
-		DBG1(DBG_IKE, "no trusted %N public key found for '%Y'",
-			 key_type_names, key_type, id);
-	}
-	return status;
-}
-
-/**
- * Implementation of authenticator_t.process for builder
- * Implementation of authenticator_t.build for verifier
- */
-static status_t return_failed()
-{
-	return FAILED;
-}
-
-/**
- * Implementation of authenticator_t.destroy.
- */
-static void destroy(private_pubkey_authenticator_t *this)
-{
-	free(this);
-}
-
-/*
- * Described in header.
- */
-pubkey_authenticator_t *pubkey_authenticator_create_builder(ike_sa_t *ike_sa,
-									chunk_t received_nonce, chunk_t sent_init)
-{
-	private_pubkey_authenticator_t *this = malloc_thing(private_pubkey_authenticator_t);
-
-	this->public.authenticator.build = (status_t(*)(authenticator_t*, message_t *message))build;
-	this->public.authenticator.process = (status_t(*)(authenticator_t*, message_t *message))return_failed;
-	this->public.authenticator.is_mutual = (bool(*)(authenticator_t*))return_false;
-	this->public.authenticator.destroy = (void(*)(authenticator_t*))destroy;
-
-	this->ike_sa = ike_sa;
-	this->ike_sa_init = sent_init;
-	this->nonce = received_nonce;
-
-	return &this->public;
-}
-
-/*
- * Described in header.
- */
-pubkey_authenticator_t *pubkey_authenticator_create_verifier(ike_sa_t *ike_sa,
-									chunk_t sent_nonce, chunk_t received_init)
-{
-	private_pubkey_authenticator_t *this = malloc_thing(private_pubkey_authenticator_t);
-
-	this->public.authenticator.build = (status_t(*)(authenticator_t*, message_t *message))return_failed;
-	this->public.authenticator.process = (status_t(*)(authenticator_t*, message_t *message))process;
-	this->public.authenticator.is_mutual = (bool(*)(authenticator_t*))return_false;
-	this->public.authenticator.destroy = (void(*)(authenticator_t*))destroy;
-
-	this->ike_sa = ike_sa;
-	this->ike_sa_init = received_init;
-	this->nonce = sent_nonce;
-
-	return &this->public;
-}
diff --git a/src/charon/sa/authenticators/pubkey_authenticator.h b/src/charon/sa/authenticators/pubkey_authenticator.h
deleted file mode 100644
index be369cb89..000000000
--- a/src/charon/sa/authenticators/pubkey_authenticator.h
+++ /dev/null
@@ -1,62 +0,0 @@
-/*
- * Copyright (C) 2008 Tobias Brunner
- * Copyright (C) 2006-2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup pubkey_authenticator pubkey_authenticator
- * @{ @ingroup authenticators
- */
-
-#ifndef PUBKEY_AUTHENTICATOR_H_
-#define PUBKEY_AUTHENTICATOR_H_
-
-typedef struct pubkey_authenticator_t pubkey_authenticator_t;
-
-#include <sa/authenticators/authenticator.h>
-
-/**
- * Implementation of authenticator_t using public key authenitcation.
- */
-struct pubkey_authenticator_t {
-
-	/**
-	 * Implemented authenticator_t interface.
-	 */
-	authenticator_t authenticator;
-};
-
-/**
- * Create an authenticator to build public key signatures.
- *
- * @param ike_sa			associated ike_sa
- * @param received_nonce	nonce received in IKE_SA_INIT
- * @param sent_init			sent IKE_SA_INIT message data
- * @return					public key authenticator
- */
-pubkey_authenticator_t *pubkey_authenticator_create_builder(ike_sa_t *ike_sa,
-									chunk_t received_nonce, chunk_t sent_init);
-
-/**
- * Create an authenticator to verify public key signatures.
- *
- * @param ike_sa			associated ike_sa
- * @param sent_nonce		nonce sent in IKE_SA_INIT
- * @param received_init		received IKE_SA_INIT message data
- * @return					public key authenticator
- */
-pubkey_authenticator_t *pubkey_authenticator_create_verifier(ike_sa_t *ike_sa,
-									chunk_t sent_nonce, chunk_t received_init);
-
-#endif /** PUBKEY_AUTHENTICATOR_H_ @}*/
diff --git a/src/charon/sa/child_sa.c b/src/charon/sa/child_sa.c
deleted file mode 100644
index 3fdfb51ad..000000000
--- a/src/charon/sa/child_sa.c
+++ /dev/null
@@ -1,1015 +0,0 @@
-/*
- * Copyright (C) 2006-2009 Tobias Brunner
- * Copyright (C) 2005-2008 Martin Willi
- * Copyright (C) 2006 Daniel Roethlisberger
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#define _GNU_SOURCE
-#include "child_sa.h"
-
-#include <stdio.h>
-#include <string.h>
-#include <time.h>
-
-#include <daemon.h>
-
-ENUM(child_sa_state_names, CHILD_CREATED, CHILD_DESTROYING,
-	"CREATED",
-	"ROUTED",
-	"INSTALLING",
-	"INSTALLED",
-	"UPDATING",
-	"REKEYING",
-	"DELETING",
-	"DESTROYING",
-);
-
-typedef struct private_child_sa_t private_child_sa_t;
-
-/**
- * Private data of a child_sa_t object.
- */
-struct private_child_sa_t {
-	/**
-	 * Public interface of child_sa_t.
-	 */
-	child_sa_t public;
-
-	/**
-	 * address of us
-	 */
-	host_t *my_addr;
-
-	/**
-	 * address of remote
-	 */
-	host_t *other_addr;
-
-	/**
-	 * our actually used SPI, 0 if unused
-	 */
-	u_int32_t my_spi;
-
-	/**
-	 * others used SPI, 0 if unused
-	 */
-	u_int32_t other_spi;
-
-	/**
-	 * our Compression Parameter Index (CPI) used, 0 if unused
-	 */
-	u_int16_t my_cpi;
-
-	/**
-	 * others Compression Parameter Index (CPI) used, 0 if unused
-	 */
-	u_int16_t other_cpi;
-
-	/**
-	 * List for local traffic selectors
-	 */
-	linked_list_t *my_ts;
-
-	/**
-	 * List for remote traffic selectors
-	 */
-	linked_list_t *other_ts;
-
-	/**
-	 * Protocol used to protect this SA, ESP|AH
-	 */
-	protocol_id_t protocol;
-
-	/**
-	 * reqid used for this child_sa
-	 */
-	u_int32_t reqid;
-
-	/**
-	 * absolute time when rekeying is scheduled
-	 */
-	time_t rekey_time;
-
-	/**
-	 * absolute time when the SA expires
-	 */
-	time_t expire_time;
-
-	/**
-	 * state of the CHILD_SA
-	 */
-	child_sa_state_t state;
-
-	/**
-	 * Specifies if UDP encapsulation is enabled (NAT traversal)
-	 */
-	bool encap;
-
-	/**
-	 * Specifies the IPComp transform used (IPCOMP_NONE if disabled)
-	 */
-	ipcomp_transform_t ipcomp;
-
-	/**
-	 * mode this SA uses, tunnel/transport
-	 */
-	ipsec_mode_t mode;
-
-	/**
-	 * selected proposal
-	 */
-	proposal_t *proposal;
-
-	/**
-	 * config used to create this child
-	 */
-	child_cfg_t *config;
-
-	/**
-	 * time of last use in seconds (inbound)
-	 */
-	u_int32_t my_usetime;
-
-	/**
-	 * time of last use in seconds (outbound)
-	 */
-	u_int32_t other_usetime;
-
-	/**
-	 * last number of inbound bytes
-	 */
-	u_int64_t my_usebytes;
-
-	/**
-	 * last number of outbound bytes
-	 */
-	u_int64_t other_usebytes;
-};
-
-/**
- * Implementation of child_sa_t.get_name
- */
-static char *get_name(private_child_sa_t *this)
-{
-	return this->config->get_name(this->config);
-}
-
-/**
- * Implements child_sa_t.get_reqid
- */
-static u_int32_t get_reqid(private_child_sa_t *this)
-{
-	return this->reqid;
-}
-
-/**
- * Implements child_sa_t.get_config
- */
-static child_cfg_t* get_config(private_child_sa_t *this)
-{
-	return this->config;
-}
-
-/**
- * Implements child_sa_t.set_state
- */
-static void set_state(private_child_sa_t *this, child_sa_state_t state)
-{
-	charon->bus->child_state_change(charon->bus, &this->public, state);
-	this->state = state;
-}
-
-/**
- * Implements child_sa_t.get_state
- */
-static child_sa_state_t get_state(private_child_sa_t *this)
-{
-	return this->state;
-}
-
-/**
- * Implements child_sa_t.get_spi
- */
-u_int32_t get_spi(private_child_sa_t *this, bool inbound)
-{
-	return inbound ? this->my_spi : this->other_spi;
-}
-
-/**
- * Implements child_sa_t.get_cpi
- */
-u_int16_t get_cpi(private_child_sa_t *this, bool inbound)
-{
-	return inbound ? this->my_cpi : this->other_cpi;
-}
-
-/**
- * Implements child_sa_t.get_protocol
- */
-protocol_id_t get_protocol(private_child_sa_t *this)
-{
-	return this->protocol;
-}
-
-/**
- * Implementation of child_sa_t.set_protocol
- */
-static void set_protocol(private_child_sa_t *this, protocol_id_t protocol)
-{
-	this->protocol = protocol;
-}
-
-/**
- * Implementation of child_sa_t.get_mode
- */
-static ipsec_mode_t get_mode(private_child_sa_t *this)
-{
-	return this->mode;
-}
-
-/**
- * Implementation of child_sa_t.set_mode
- */
-static void set_mode(private_child_sa_t *this, ipsec_mode_t mode)
-{
-	this->mode = mode;
-}
-
-/**
- * Implementation of child_sa_t.has_encap
- */
-static bool has_encap(private_child_sa_t *this)
-{
-	return this->encap;
-}
-
-/**
- * Implementation of child_sa_t.get_ipcomp
- */
-static ipcomp_transform_t get_ipcomp(private_child_sa_t *this)
-{
-	return this->ipcomp;
-}
-
-/**
- * Implementation of child_sa_t.set_ipcomp.
- */
-static void set_ipcomp(private_child_sa_t *this, ipcomp_transform_t ipcomp)
-{
-	this->ipcomp = ipcomp;
-}
-
-/**
- * Implementation of child_sa_t.get_proposal
- */
-static proposal_t* get_proposal(private_child_sa_t *this)
-{
-	return this->proposal;
-}
-
-/**
- * Implementation of child_sa_t.set_proposal
- */
-static void set_proposal(private_child_sa_t *this, proposal_t *proposal)
-{
-	this->proposal = proposal->clone(proposal);
-}
-
-/**
- * Implementation of child_sa_t.get_traffic_selectors.
- */
-static linked_list_t *get_traffic_selectors(private_child_sa_t *this, bool local)
-{
-	return local ? this->my_ts : this->other_ts;
-}
-
-typedef struct policy_enumerator_t policy_enumerator_t;
-
-/**
- * Private policy enumerator
- */
-struct policy_enumerator_t {
-	/** implements enumerator_t */
-	enumerator_t public;
-	/** enumerator over own TS */
-	enumerator_t *mine;
-	/** enumerator over others TS */
-	enumerator_t *other;
-	/** list of others TS, to recreate enumerator */
-	linked_list_t *list;
-	/** currently enumerating TS for "me" side */
-	traffic_selector_t *ts;
-};
-
-/**
- * enumerator function of create_policy_enumerator()
- */
-static bool policy_enumerate(policy_enumerator_t *this,
-				 traffic_selector_t **my_out, traffic_selector_t **other_out)
-{
-	traffic_selector_t *other_ts;
-
-	while (this->ts || this->mine->enumerate(this->mine, &this->ts))
-	{
-		if (!this->other->enumerate(this->other, &other_ts))
-		{	/* end of others list, restart with new of mine */
-			this->other->destroy(this->other);
-			this->other = this->list->create_enumerator(this->list);
-			this->ts = NULL;
-			continue;
-		}
-		if (this->ts->get_type(this->ts) != other_ts->get_type(other_ts))
-		{	/* family mismatch */
-			continue;
-		}
-		if (this->ts->get_protocol(this->ts) &&
-			other_ts->get_protocol(other_ts) &&
-			this->ts->get_protocol(this->ts) != other_ts->get_protocol(other_ts))
-		{	/* protocol mismatch */
-			continue;
-		}
-		*my_out = this->ts;
-		*other_out = other_ts;
-		return TRUE;
-	}
-	return FALSE;
-}
-
-/**
- * destroy function of create_policy_enumerator()
- */
-static void policy_destroy(policy_enumerator_t *this)
-{
-	this->mine->destroy(this->mine);
-	this->other->destroy(this->other);
-	free(this);
-}
-
-/**
- * Implementation of child_sa_t.create_policy_enumerator
- */
-static enumerator_t* create_policy_enumerator(private_child_sa_t *this)
-{
-	policy_enumerator_t *e = malloc_thing(policy_enumerator_t);
-
-	e->public.enumerate = (void*)policy_enumerate;
-	e->public.destroy = (void*)policy_destroy;
-	e->mine = this->my_ts->create_enumerator(this->my_ts);
-	e->other = this->other_ts->create_enumerator(this->other_ts);
-	e->list = this->other_ts;
-	e->ts = NULL;
-
-	return &e->public;
-}
-
-/**
- * update the cached usebytes
- * returns SUCCESS if the usebytes have changed, FAILED if not or no SPIs
- * are available, and NOT_SUPPORTED if the kernel interface does not support
- * querying the usebytes.
- */
-static status_t update_usebytes(private_child_sa_t *this, bool inbound)
-{
-	status_t status = FAILED;
-	u_int64_t bytes;
-
-	if (inbound)
-	{
-		if (this->my_spi)
-		{
-			status = charon->kernel_interface->query_sa(
-									charon->kernel_interface,
-									this->other_addr, this->my_addr,
-									this->my_spi, this->protocol, &bytes);
-			if (status == SUCCESS)
-			{
-				if (bytes > this->my_usebytes)
-				{
-					this->my_usebytes = bytes;
-					return SUCCESS;
-				}
-				return FAILED;
-			}
-		}
-	}
-	else
-	{
-		if (this->other_spi)
-		{
-			status = charon->kernel_interface->query_sa(
-									charon->kernel_interface,
-									this->my_addr, this->other_addr,
-									this->other_spi, this->protocol, &bytes);
-			if (status == SUCCESS)
-			{
-				if (bytes > this->other_usebytes)
-				{
-					this->other_usebytes = bytes;
-					return SUCCESS;
-				}
-				return FAILED;
-			}
-		}
-	}
-	return status;
-}
-
-/**
- * updates the cached usetime
- */
-static void update_usetime(private_child_sa_t *this, bool inbound)
-{
-	enumerator_t *enumerator;
-	traffic_selector_t *my_ts, *other_ts;
-	u_int32_t last_use = 0;
-
-	enumerator = create_policy_enumerator(this);
-	while (enumerator->enumerate(enumerator, &my_ts, &other_ts))
-	{
-		u_int32_t in, out, fwd;
-
-		if (inbound)
-		{
-			if (charon->kernel_interface->query_policy(charon->kernel_interface,
-								other_ts, my_ts, POLICY_IN, &in) == SUCCESS)
-			{
-				last_use = max(last_use, in);
-			}
-			if (this->mode != MODE_TRANSPORT)
-			{
-				if (charon->kernel_interface->query_policy(charon->kernel_interface,
-								other_ts, my_ts, POLICY_FWD, &fwd) == SUCCESS)
-				{
-					last_use = max(last_use, fwd);
-				}
-			}
-		}
-		else
-		{
-			if (charon->kernel_interface->query_policy(charon->kernel_interface,
-								my_ts, other_ts, POLICY_OUT, &out) == SUCCESS)
-			{
-				last_use = max(last_use, out);
-			}
-		}
-	}
-	enumerator->destroy(enumerator);
-
-	if (last_use == 0)
-	{
-		return;
-	}
-	if (inbound)
-	{
-		this->my_usetime = last_use;
-	}
-	else
-	{
-		this->other_usetime = last_use;
-	}
-}
-
-/**
- * Implementation of child_sa_t.get_usestats
- */
-static void get_usestats(private_child_sa_t *this, bool inbound,
-						 time_t *time, u_int64_t *bytes)
-{
-	if (update_usebytes(this, inbound) != FAILED)
-	{
-		/* there was traffic since last update or the kernel interface
-		 * does not support querying the number of usebytes.
-		 */
-		update_usetime(this, inbound);
-	}
-	if (time)
-	{
-		*time = inbound ? this->my_usetime : this->other_usetime;
-	}
-	if (bytes)
-	{
-		*bytes = inbound ? this->my_usebytes : this->other_usebytes;
-	}
-}
-
-/**
- * Implementation of child_sa_t.get_lifetime
- */
-static time_t get_lifetime(private_child_sa_t *this, bool hard)
-{
-	return hard ? this->expire_time : this->rekey_time;
-}
-
-/**
- * Implementation of child_sa_t.alloc_spi
- */
-static u_int32_t alloc_spi(private_child_sa_t *this, protocol_id_t protocol)
-{
-	if (charon->kernel_interface->get_spi(charon->kernel_interface,
-							this->other_addr, this->my_addr, protocol,
-							this->reqid, &this->my_spi) == SUCCESS)
-	{
-		return this->my_spi;
-	}
-	return 0;
-}
-
-/**
- * Implementation of child_sa_t.alloc_cpi
- */
-static u_int16_t alloc_cpi(private_child_sa_t *this)
-{
-	if (charon->kernel_interface->get_cpi(charon->kernel_interface,
-					this->other_addr, this->my_addr, this->reqid,
-					&this->my_cpi) == SUCCESS)
-	{
-		return this->my_cpi;
-	}
-	return 0;
-}
-
-/**
- * Implementation of child_sa_t.install
- */
-static status_t install(private_child_sa_t *this, chunk_t encr, chunk_t integ,
-						u_int32_t spi, u_int16_t cpi, bool inbound,
-						linked_list_t *my_ts, linked_list_t *other_ts)
-{
-	u_int16_t enc_alg = ENCR_UNDEFINED, int_alg = AUTH_UNDEFINED, size;
-	traffic_selector_t *src_ts = NULL, *dst_ts = NULL;
-	time_t now;
-	lifetime_cfg_t *lifetime;
-	host_t *src, *dst;
-	status_t status;
-	bool update = FALSE;
-
-	/* now we have to decide which spi to use. Use self allocated, if "in",
-	 * or the one in the proposal, if not "in" (others). Additionally,
-	 * source and dest host switch depending on the role */
-	if (inbound)
-	{
-		dst = this->my_addr;
-		src = this->other_addr;
-		if (this->my_spi == spi)
-		{	/* alloc_spi has been called, do an SA update */
-			update = TRUE;
-		}
-		this->my_spi = spi;
-		this->my_cpi = cpi;
-	}
-	else
-	{
-		src = this->my_addr;
-		dst = this->other_addr;
-		this->other_spi = spi;
-		this->other_cpi = cpi;
-	}
-
-	DBG2(DBG_CHD, "adding %s %N SA", inbound ? "inbound" : "outbound",
-		 protocol_id_names, this->protocol);
-
-	/* send SA down to the kernel */
-	DBG2(DBG_CHD, "  SPI 0x%.8x, src %H dst %H", ntohl(spi), src, dst);
-
-	this->proposal->get_algorithm(this->proposal, ENCRYPTION_ALGORITHM,
-								  &enc_alg, &size);
-	this->proposal->get_algorithm(this->proposal, INTEGRITY_ALGORITHM,
-								  &int_alg, &size);
-
-	lifetime = this->config->get_lifetime(this->config);
-
-	now = time_monotonic(NULL);
-	if (lifetime->time.rekey)
-	{
-		this->rekey_time = now + lifetime->time.rekey;
-	}
-	if (lifetime->time.life)
-	{
-		this->expire_time = now + lifetime->time.life;
-	}
-
-	if (!lifetime->time.jitter && !inbound)
-	{	/* avoid triggering multiple rekey events */
-		lifetime->time.rekey = 0;
-	}
-
-	if (this->mode == MODE_BEET)
-	{
-		/* BEET requires the bound address from the traffic selectors.
-		 * TODO: We add just the first traffic selector for now, as the
-		 * kernel accepts a single TS per SA only */
-		if (inbound)
-		{
-			my_ts->get_first(my_ts, (void**)&dst_ts);
-			other_ts->get_first(other_ts, (void**)&src_ts);
-		}
-		else
-		{
-			my_ts->get_first(my_ts, (void**)&src_ts);
-			other_ts->get_first(other_ts, (void**)&dst_ts);
-		}
-	}
-
-	status = charon->kernel_interface->add_sa(charon->kernel_interface,
-				src, dst, spi, this->protocol, this->reqid, lifetime,
-				enc_alg, encr, int_alg, integ, this->mode, this->ipcomp, cpi,
-				this->encap, update, src_ts, dst_ts);
-
-	free(lifetime);
-
-	return status;
-}
-
-/**
- * Implementation of child_sa_t.add_policies
- */
-static status_t add_policies(private_child_sa_t *this,
-					linked_list_t *my_ts_list, linked_list_t *other_ts_list)
-{
-	enumerator_t *enumerator;
-	traffic_selector_t *my_ts, *other_ts;
-	status_t status = SUCCESS;
-	bool routed = (this->state == CHILD_CREATED);
-
-	/* apply traffic selectors */
-	enumerator = my_ts_list->create_enumerator(my_ts_list);
-	while (enumerator->enumerate(enumerator, &my_ts))
-	{
-		this->my_ts->insert_last(this->my_ts, my_ts->clone(my_ts));
-	}
-	enumerator->destroy(enumerator);
-	enumerator = other_ts_list->create_enumerator(other_ts_list);
-	while (enumerator->enumerate(enumerator, &other_ts))
-	{
-		this->other_ts->insert_last(this->other_ts, other_ts->clone(other_ts));
-	}
-	enumerator->destroy(enumerator);
-
-	if (this->config->install_policy(this->config))
-	{
-		/* enumerate pairs of traffic selectors */
-		enumerator = create_policy_enumerator(this);
-		while (enumerator->enumerate(enumerator, &my_ts, &other_ts))
-		{
-			/* install 3 policies: out, in and forward */
-			status |= charon->kernel_interface->add_policy(charon->kernel_interface,
-					this->my_addr, this->other_addr, my_ts, other_ts, POLICY_OUT,
-					this->other_spi, this->protocol, this->reqid, this->mode,
-					this->ipcomp, this->other_cpi, routed);
-
-			status |= charon->kernel_interface->add_policy(charon->kernel_interface,
-					this->other_addr, this->my_addr, other_ts, my_ts, POLICY_IN,
-					this->my_spi, this->protocol, this->reqid, this->mode,
-					this->ipcomp, this->my_cpi, routed);
-			if (this->mode != MODE_TRANSPORT)
-			{
-				status |= charon->kernel_interface->add_policy(charon->kernel_interface,
-					this->other_addr, this->my_addr, other_ts, my_ts, POLICY_FWD,
-					this->my_spi, this->protocol, this->reqid, this->mode,
-					this->ipcomp, this->my_cpi, routed);
-			}
-
-			if (status != SUCCESS)
-			{
-				break;
-			}
-		}
-		enumerator->destroy(enumerator);
-	}
-
-	if (status == SUCCESS && this->state == CHILD_CREATED)
-	{	/* switch to routed state if no SAD entry set up */
-		set_state(this, CHILD_ROUTED);
-	}
-	return status;
-}
-
-/**
- * Implementation of child_sa_t.update.
- */
-static status_t update(private_child_sa_t *this,  host_t *me, host_t *other,
-					   host_t *vip, bool encap)
-{
-	child_sa_state_t old;
-	bool transport_proxy_mode;
-
-	/* anything changed at all? */
-	if (me->equals(me, this->my_addr) &&
-		other->equals(other, this->other_addr) && this->encap == encap)
-	{
-		return SUCCESS;
-	}
-
-	old = this->state;
-	set_state(this, CHILD_UPDATING);
-	transport_proxy_mode = this->config->use_proxy_mode(this->config) &&
-						   this->mode == MODE_TRANSPORT;
-
-	if (!transport_proxy_mode)
-	{
-		/* update our (initator) SA */
-		if (this->my_spi)
-		{
-			if (charon->kernel_interface->update_sa(charon->kernel_interface,
-							this->my_spi, this->protocol,
-							this->ipcomp != IPCOMP_NONE ? this->my_cpi : 0,
-							this->other_addr, this->my_addr, other, me,
-							this->encap, encap) == NOT_SUPPORTED)
-			{
-				return NOT_SUPPORTED;
-			}
-		}
-
-		/* update his (responder) SA */
-		if (this->other_spi)
-		{
-			if (charon->kernel_interface->update_sa(charon->kernel_interface,
-							this->other_spi, this->protocol,
-							this->ipcomp != IPCOMP_NONE ? this->other_cpi : 0,
-							this->my_addr, this->other_addr, me, other,
-							this->encap, encap) == NOT_SUPPORTED)
-			{
-				return NOT_SUPPORTED;
-			}
-		}
-	}
-
-	if (this->config->install_policy(this->config))
-	{
-		/* update policies */
-		if (!me->ip_equals(me, this->my_addr) ||
-			!other->ip_equals(other, this->other_addr))
-		{
-			enumerator_t *enumerator;
-			traffic_selector_t *my_ts, *other_ts;
-
-			/* always use high priorities, as hosts getting updated are INSTALLED */
-			enumerator = create_policy_enumerator(this);
-			while (enumerator->enumerate(enumerator, &my_ts, &other_ts))
-			{
-				/* remove old policies first */
-				charon->kernel_interface->del_policy(charon->kernel_interface,
-											my_ts, other_ts, POLICY_OUT, FALSE);
-				charon->kernel_interface->del_policy(charon->kernel_interface,
-											other_ts, my_ts,  POLICY_IN, FALSE);
-				if (this->mode != MODE_TRANSPORT)
-				{
-					charon->kernel_interface->del_policy(charon->kernel_interface,
-											other_ts, my_ts, POLICY_FWD, FALSE);
-				}
-
-				/* check whether we have to update a "dynamic" traffic selector */
-				if (!me->ip_equals(me, this->my_addr) &&
-					my_ts->is_host(my_ts, this->my_addr))
-				{
-					my_ts->set_address(my_ts, me);
-				}
-				if (!other->ip_equals(other, this->other_addr) &&
-					other_ts->is_host(other_ts, this->other_addr))
-				{
-					other_ts->set_address(other_ts, other);
-				}
-
-				/* we reinstall the virtual IP to handle interface roaming
-				 * correctly */
-				if (vip)
-				{
-					charon->kernel_interface->del_ip(charon->kernel_interface, vip);
-					charon->kernel_interface->add_ip(charon->kernel_interface, vip, me);
-				}
-
-				/* reinstall updated policies */
-				charon->kernel_interface->add_policy(charon->kernel_interface,
-						me, other, my_ts, other_ts, POLICY_OUT, this->other_spi,
-						this->protocol, this->reqid, this->mode, this->ipcomp,
-						this->other_cpi, FALSE);
-				charon->kernel_interface->add_policy(charon->kernel_interface,
-						other, me, other_ts, my_ts, POLICY_IN, this->my_spi,
-						this->protocol, this->reqid, this->mode, this->ipcomp,
-						this->my_cpi, FALSE);
-				if (this->mode != MODE_TRANSPORT)
-				{
-					charon->kernel_interface->add_policy(charon->kernel_interface,
-						other, me, other_ts, my_ts, POLICY_FWD, this->my_spi,
-						this->protocol, this->reqid, this->mode, this->ipcomp,
-						this->my_cpi, FALSE);
-				}
-			}
-			enumerator->destroy(enumerator);
-		}
-	}
-
-	if (!transport_proxy_mode)
-	{
-		/* apply hosts */
-		if (!me->equals(me, this->my_addr))
-		{
-			this->my_addr->destroy(this->my_addr);
-			this->my_addr = me->clone(me);
-		}
-		if (!other->equals(other, this->other_addr))
-		{
-			this->other_addr->destroy(this->other_addr);
-			this->other_addr = other->clone(other);
-		}
-	}
-
-	this->encap = encap;
-	set_state(this, old);
-
-	return SUCCESS;
-}
-
-/**
- * Implementation of child_sa_t.destroy.
- */
-static void destroy(private_child_sa_t *this)
-{
-	enumerator_t *enumerator;
-	traffic_selector_t *my_ts, *other_ts;
-	bool unrouted = (this->state == CHILD_ROUTED);
-
-	set_state(this, CHILD_DESTROYING);
-
-	/* delete SAs in the kernel, if they are set up */
-	if (this->my_spi)
-	{
-		/* if CHILD was not established, use PROTO_ESP used during alloc_spi().
-		 * TODO: For AH support, we have to store protocol specific SPI.s */
-		if (this->protocol == PROTO_NONE)
-		{
-			this->protocol = PROTO_ESP;
-		}
-		charon->kernel_interface->del_sa(charon->kernel_interface,
-					this->other_addr, this->my_addr, this->my_spi,
-					this->protocol, this->my_cpi);
-	}
-	if (this->other_spi)
-	{
-		charon->kernel_interface->del_sa(charon->kernel_interface,
-					this->my_addr, this->other_addr, this->other_spi,
-					this->protocol, this->other_cpi);
-	}
-
-	if (this->config->install_policy(this->config))
-	{
-		/* delete all policies in the kernel */
-		enumerator = create_policy_enumerator(this);
-		while (enumerator->enumerate(enumerator, &my_ts, &other_ts))
-		{
-			charon->kernel_interface->del_policy(charon->kernel_interface,
-										my_ts, other_ts, POLICY_OUT, unrouted);
-			charon->kernel_interface->del_policy(charon->kernel_interface,
-										other_ts, my_ts, POLICY_IN, unrouted);
-			if (this->mode != MODE_TRANSPORT)
-			{
-				charon->kernel_interface->del_policy(charon->kernel_interface,
-										other_ts, my_ts, POLICY_FWD, unrouted);
-			}
-		}
-		enumerator->destroy(enumerator);
-	}
-
-	this->my_ts->destroy_offset(this->my_ts, offsetof(traffic_selector_t, destroy));
-	this->other_ts->destroy_offset(this->other_ts, offsetof(traffic_selector_t, destroy));
-	this->my_addr->destroy(this->my_addr);
-	this->other_addr->destroy(this->other_addr);
-	DESTROY_IF(this->proposal);
-	this->config->destroy(this->config);
-	free(this);
-}
-
-/*
- * Described in header.
- */
-child_sa_t * child_sa_create(host_t *me, host_t* other,
-							 child_cfg_t *config, u_int32_t rekey, bool encap)
-{
-	static u_int32_t reqid = 0;
-	private_child_sa_t *this = malloc_thing(private_child_sa_t);
-
-	/* public functions */
-	this->public.get_name = (char*(*)(child_sa_t*))get_name;
-	this->public.get_reqid = (u_int32_t(*)(child_sa_t*))get_reqid;
-	this->public.get_config = (child_cfg_t*(*)(child_sa_t*))get_config;
-	this->public.get_state = (child_sa_state_t(*)(child_sa_t*))get_state;
-	this->public.set_state = (void(*)(child_sa_t*,child_sa_state_t))set_state;
-	this->public.get_spi = (u_int32_t(*)(child_sa_t*, bool))get_spi;
-	this->public.get_cpi = (u_int16_t(*)(child_sa_t*, bool))get_cpi;
-	this->public.get_protocol = (protocol_id_t(*)(child_sa_t*))get_protocol;
-	this->public.set_protocol = (void(*)(child_sa_t*, protocol_id_t protocol))set_protocol;
-	this->public.get_mode = (ipsec_mode_t(*)(child_sa_t*))get_mode;
-	this->public.set_mode = (void(*)(child_sa_t*, ipsec_mode_t mode))set_mode;
-	this->public.get_proposal = (proposal_t*(*)(child_sa_t*))get_proposal;
-	this->public.set_proposal = (void(*)(child_sa_t*, proposal_t *proposal))set_proposal;
-	this->public.get_lifetime = (time_t(*)(child_sa_t*, bool))get_lifetime;
-	this->public.get_usestats = (void(*)(child_sa_t*,bool,time_t*,u_int64_t*))get_usestats;
-	this->public.has_encap = (bool(*)(child_sa_t*))has_encap;
-	this->public.get_ipcomp = (ipcomp_transform_t(*)(child_sa_t*))get_ipcomp;
-	this->public.set_ipcomp = (void(*)(child_sa_t*,ipcomp_transform_t))set_ipcomp;
-	this->public.alloc_spi = (u_int32_t(*)(child_sa_t*, protocol_id_t protocol))alloc_spi;
-	this->public.alloc_cpi = (u_int16_t(*)(child_sa_t*))alloc_cpi;
-	this->public.install = (status_t(*)(child_sa_t*, chunk_t encr, chunk_t integ, u_int32_t spi, u_int16_t cpi, bool inbound, linked_list_t *my_ts_list, linked_list_t *other_ts_list))install;
-	this->public.update = (status_t (*)(child_sa_t*,host_t*,host_t*,host_t*,bool))update;
-	this->public.add_policies = (status_t (*)(child_sa_t*, linked_list_t*,linked_list_t*))add_policies;
-	this->public.get_traffic_selectors = (linked_list_t*(*)(child_sa_t*,bool))get_traffic_selectors;
-	this->public.create_policy_enumerator = (enumerator_t*(*)(child_sa_t*))create_policy_enumerator;
-	this->public.destroy = (void(*)(child_sa_t*))destroy;
-
-	/* private data */
-	this->my_addr = me->clone(me);
-	this->other_addr = other->clone(other);
-	this->my_spi = 0;
-	this->other_spi = 0;
-	this->my_cpi = 0;
-	this->other_cpi = 0;
-	this->encap = encap;
-	this->ipcomp = IPCOMP_NONE;
-	this->state = CHILD_CREATED;
-	this->my_usetime = 0;
-	this->other_usetime = 0;
-	this->my_usebytes = 0;
-	this->other_usebytes = 0;
-	/* reuse old reqid if we are rekeying an existing CHILD_SA */
-	this->reqid = rekey ? rekey : ++reqid;
-	this->my_ts = linked_list_create();
-	this->other_ts = linked_list_create();
-	this->protocol = PROTO_NONE;
-	this->mode = MODE_TUNNEL;
-	this->proposal = NULL;
-	this->rekey_time = 0;
-	this->expire_time = 0;
-	this->config = config;
-	config->get_ref(config);
-
-	/* MIPv6 proxy transport mode sets SA endpoints to TS hosts */
-	if (config->get_mode(config) == MODE_TRANSPORT &&
-		config->use_proxy_mode(config))
-	{
-		ts_type_t type;
-		int family;
-		chunk_t addr;
-		host_t *host;
-		enumerator_t *enumerator;
-		linked_list_t *my_ts_list, *other_ts_list;
-		traffic_selector_t *my_ts, *other_ts;
-
-		this->mode = MODE_TRANSPORT;
-
-		my_ts_list = config->get_traffic_selectors(config, TRUE, NULL, me);
-		enumerator = my_ts_list->create_enumerator(my_ts_list);
-		if (enumerator->enumerate(enumerator, &my_ts))
-		{
-			if (my_ts->is_host(my_ts, NULL) &&
-			   !my_ts->is_host(my_ts, this->my_addr))
-			{
-				type = my_ts->get_type(my_ts);
-				family = (type == TS_IPV4_ADDR_RANGE) ? AF_INET : AF_INET6;
-				addr = my_ts->get_from_address(my_ts);
-				host = host_create_from_chunk(family, addr, 0);
-				free(addr.ptr);
-				DBG1(DBG_CHD, "my address: %H is a transport mode proxy for %H",
-							   this->my_addr, host);
-				this->my_addr->destroy(this->my_addr);
-				this->my_addr = host;
-			}
-		}
-		enumerator->destroy(enumerator);
-		my_ts_list->destroy_offset(my_ts_list, offsetof(traffic_selector_t, destroy));
-
-		other_ts_list = config->get_traffic_selectors(config, FALSE, NULL, other);
-		enumerator = other_ts_list->create_enumerator(other_ts_list);
-		if (enumerator->enumerate(enumerator, &other_ts))
-		{
-			if (other_ts->is_host(other_ts, NULL) &&
-			   !other_ts->is_host(other_ts, this->other_addr))
-			{
-				type = other_ts->get_type(other_ts);
-				family = (type == TS_IPV4_ADDR_RANGE) ? AF_INET : AF_INET6;
-				addr = other_ts->get_from_address(other_ts);
-				host = host_create_from_chunk(family, addr, 0);
-				free(addr.ptr);
-				DBG1(DBG_CHD, "other address: %H is a transport mode proxy for %H",
-							   this->other_addr, host);
-				this->other_addr->destroy(this->other_addr);
-				this->other_addr = host;
-			}
-		}
-		enumerator->destroy(enumerator);
-		other_ts_list->destroy_offset(other_ts_list, offsetof(traffic_selector_t, destroy));
-	}
-
-	return &this->public;
-}
diff --git a/src/charon/sa/child_sa.h b/src/charon/sa/child_sa.h
deleted file mode 100644
index d70bed664..000000000
--- a/src/charon/sa/child_sa.h
+++ /dev/null
@@ -1,337 +0,0 @@
-/*
- * Copyright (C) 2006-2008 Tobias Brunner
- * Copyright (C) 2006-2008 Martin Willi
- * Copyright (C) 2006 Daniel Roethlisberger
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup child_sa child_sa
- * @{ @ingroup sa
- */
-
-#ifndef CHILD_SA_H_
-#define CHILD_SA_H_
-
-typedef enum child_sa_state_t child_sa_state_t;
-typedef struct child_sa_t child_sa_t;
-
-#include <library.h>
-#include <crypto/prf_plus.h>
-#include <encoding/payloads/proposal_substructure.h>
-#include <config/proposal.h>
-#include <config/child_cfg.h>
-
-/**
- * States of a CHILD_SA
- */
-enum child_sa_state_t {
-
-	/**
-	 * Just created, uninstalled CHILD_SA
-	 */
-	CHILD_CREATED,
-
-	/**
-	 * Installed SPD, but no SAD entries
-	 */
-	CHILD_ROUTED,
-
-	/**
-	 * Installing an in-use CHILD_SA
-	 */
-	CHILD_INSTALLING,
-
-	/**
-	 * Installed an in-use CHILD_SA
-	 */
-	CHILD_INSTALLED,
-
-	/**
-	 * While updating hosts, in update_hosts()
-	 */
-	CHILD_UPDATING,
-
-	/**
-	 * CHILD_SA which is rekeying
-	 */
-	CHILD_REKEYING,
-
-	/**
-	 * CHILD_SA in progress of delete
-	 */
-	CHILD_DELETING,
-
-	/**
-	 * CHILD_SA object gets destroyed
-	 */
-	CHILD_DESTROYING,
-};
-
-/**
- * enum strings for child_sa_state_t.
- */
-extern enum_name_t *child_sa_state_names;
-
-/**
- * Represents an IPsec SAs between two hosts.
- *
- * A child_sa_t contains two SAs. SAs for both
- * directions are managed in one child_sa_t object. Both
- * SAs and the policies have the same reqid.
- *
- * The procedure for child sa setup is as follows:
- * - A gets SPIs for a all protocols in its proposals via child_sa_t.alloc
- * - A send the proposals with the allocated SPIs to B
- * - B selects a suitable proposal
- * - B allocates an SPI for the selected protocol
- * - B calls child_sa_t.install for both, the allocated and received SPI
- * - B sends the proposal with the allocated SPI to A
- * - A calls child_sa_t.install for both, the allocated and recevied SPI
- *
- * Once SAs are set up, policies can be added using add_policies.
- */
-struct child_sa_t {
-
-	/**
-	 * Get the name of the config this CHILD_SA uses.
-	 *
-	 * @return			name
-	 */
-	char* (*get_name) (child_sa_t *this);
-
-	/**
-	 * Get the reqid of the CHILD SA.
-	 *
-	 * Every CHILD_SA has a reqid. The kernel uses this ID to
-	 * identify it.
-	 *
-	 * @return 			reqid of the CHILD SA
-	 */
-	u_int32_t (*get_reqid)(child_sa_t *this);
-
-	/**
-	 * Get the config used to set up this child sa.
-	 *
-	 * @return			child_cfg
-	 */
-	child_cfg_t* (*get_config) (child_sa_t *this);
-
-	/**
-	 * Get the state of the CHILD_SA.
-	 *
-	 * @return 			CHILD_SA state
-	 */
-	child_sa_state_t (*get_state) (child_sa_t *this);
-
-	/**
-	 * Set the state of the CHILD_SA.
-	 *
-	 * @param state		state to set on CHILD_SA
-	 */
-	void (*set_state) (child_sa_t *this, child_sa_state_t state);
-
-	/**
-	 * Get the SPI of this CHILD_SA.
-	 *
-	 * Set the boolean parameter inbound to TRUE to
-	 * get the SPI for which we receive packets, use
-	 * FALSE to get those we use for sending packets.
-	 *
-	 * @param inbound	TRUE to get inbound SPI, FALSE for outbound.
-	 * @return 			SPI of the CHILD SA
-	 */
-	u_int32_t (*get_spi) (child_sa_t *this, bool inbound);
-
-	/**
-	 * Get the CPI of this CHILD_SA.
-	 *
-	 * Set the boolean parameter inbound to TRUE to
-	 * get the CPI for which we receive packets, use
-	 * FALSE to get those we use for sending packets.
-	 *
-	 * @param inbound	TRUE to get inbound CPI, FALSE for outbound.
-	 * @return 			CPI of the CHILD SA
-	 */
-	u_int16_t (*get_cpi) (child_sa_t *this, bool inbound);
-
-	/**
-	 * Get the protocol which this CHILD_SA uses to protect traffic.
-	 *
-	 * @return 			AH | ESP
-	 */
-	protocol_id_t (*get_protocol) (child_sa_t *this);
-
-	/**
-	 * Set the negotiated protocol to use for this CHILD_SA.
-	 *
-	 * @param protocol	AH | ESP
-	 */
-	void (*set_protocol)(child_sa_t *this, protocol_id_t protocol);
-
-	/**
-	 * Get the IPsec mode of this CHILD_SA.
-	 *
-	 * @return			TUNNEL | TRANSPORT | BEET
-	 */
-	ipsec_mode_t (*get_mode)(child_sa_t *this);
-
-	/**
-	 * Set the negotiated IPsec mode to use.
-	 *
-	 * @param mode		TUNNEL | TRANPORT | BEET
-	 */
-	void (*set_mode)(child_sa_t *this, ipsec_mode_t mode);
-
-	/**
-	 * Get the used IPComp algorithm.
-	 *
-	 * @return			IPComp compression algorithm.
-	 */
-	ipcomp_transform_t (*get_ipcomp)(child_sa_t *this);
-
-	/**
-	 * Set the IPComp algorithm to use.
-	 *
-	 * @param ipcomp	the IPComp transform to use
-	 */
-	void (*set_ipcomp)(child_sa_t *this, ipcomp_transform_t ipcomp);
-
-	/**
-	 * Get the selected proposal.
-	 *
-	 * @return			selected proposal
-	 */
-	proposal_t* (*get_proposal)(child_sa_t *this);
-
-	/**
-	 * Set the negotiated proposal.
-	 *
-	 * @param proposal	selected proposal
-	 */
-	void (*set_proposal)(child_sa_t *this, proposal_t *proposal);
-
-	/**
-	 * Check if this CHILD_SA uses UDP encapsulation.
-	 *
-	 * @return			TRUE if SA encapsulates ESP packets
-	 */
-	bool (*has_encap)(child_sa_t *this);
-
-	/**
-	 * Get the absolute time when the CHILD_SA expires or gets rekeyed.
-	 *
-	 * @param hard		TRUE for hard lifetime, FALSE for soft (rekey) lifetime
-	 * @return			absolute time
-	 */
-	time_t (*get_lifetime)(child_sa_t *this, bool hard);
-
-	/**
-	 * Get last use time and the number of bytes processed.
-	 *
-	 * @param inbound		TRUE for inbound traffic, FALSE for outbound
-	 * @param[out] time		time of last use in seconds (NULL to ignore)
-	 * @param[out] bytes	number of processed bytes (NULL to ignore)
-	 */
-	void (*get_usestats)(child_sa_t *this, bool inbound, time_t *time,
-						 u_int64_t *bytes);
-
-	/**
-	 * Get the traffic selectors list added for one side.
-	 *
-	 * @param local		TRUE for own traffic selectors, FALSE for remote
-	 * @return			list of traffic selectors
-	 */
-	linked_list_t* (*get_traffic_selectors) (child_sa_t *this, bool local);
-
-	/**
-	 * Create an enumerator over installed policies.
-	 *
-	 * @return			enumerator over pairs of traffic selectors.
-	 */
-	enumerator_t* (*create_policy_enumerator)(child_sa_t *this);
-
-	/**
-	 * Allocate an SPI to include in a proposal.
-	 *
-	 * @param protocol	protocol to allocate SPI for (ESP|AH)
-	 * @param spi		SPI output pointer
-	 * @return			SPI, 0 on failure
-	 */
-	u_int32_t (*alloc_spi)(child_sa_t *this, protocol_id_t protocol);
-
-	/**
-	 * Allocate a CPI to use for IPComp.
-	 *
-	 * @return			CPI, 0 on failure
-	 */
-	u_int16_t (*alloc_cpi)(child_sa_t *this);
-
-	/**
-	 * Install an IPsec SA for one direction.
-	 *
-	 * @param encr		encryption key, if any
-	 * @param integ		integrity key
-	 * @param spi		SPI to use, allocated for inbound
-	 * @param cpi		CPI to use, allocated for outbound
-	 * @param inbound	TRUE to install an inbound SA, FALSE for outbound
-	 * @param my_ts		negotiated local traffic selector list
-	 * @param other_ts	negotiated remote traffic selector list
-	 * @return			SUCCESS or FAILED
-	 */
-	status_t (*install)(child_sa_t *this, chunk_t encr, chunk_t integ,
-						u_int32_t spi, u_int16_t cpi, bool inbound,
-						linked_list_t *my_ts, linked_list_t *other_ts);
-	/**
-	 * Install the policies using some traffic selectors.
-	 *
-	 * Supplied lists of traffic_selector_t's specify the policies
-	 * to use for this child sa.
-	 *
-	 * @param my_ts		traffic selectors for local site
-	 * @param other_ts	traffic selectors for remote site
-	 * @return			SUCCESS or FAILED
-	 */
-	status_t (*add_policies)(child_sa_t *this, linked_list_t *my_ts_list,
-							 linked_list_t *other_ts_list);
-	/**
-	 * Update hosts and ecapulation mode in the kernel SAs and policies.
-	 *
-	 * @param me		the new local host
-	 * @param other		the new remote host
-	 * @param vip		virtual IP, if any
-	 * @param			TRUE to use UDP encapsulation for NAT traversal
-	 * @return			SUCCESS or FAILED
-	 */
-	status_t (*update)(child_sa_t *this, host_t *me, host_t *other,
-					   host_t *vip, bool encap);
-	/**
-	 * Destroys a child_sa.
-	 */
-	void (*destroy) (child_sa_t *this);
-};
-
-/**
- * Constructor to create a new child_sa_t.
- *
- * @param me				own address
- * @param other				remote address
- * @param config			config to use for this CHILD_SA
- * @param reqid				reqid of old CHILD_SA when rekeying, 0 otherwise
- * @param encap				TRUE to enable UDP encapsulation (NAT traversal)
- * @return					child_sa_t object
- */
-child_sa_t * child_sa_create(host_t *me, host_t *other, child_cfg_t *config,
-							 u_int32_t reqid, bool encap);
-
-#endif /** CHILD_SA_H_ @}*/
diff --git a/src/charon/sa/connect_manager.c b/src/charon/sa/connect_manager.c
deleted file mode 100644
index b78ba070d..000000000
--- a/src/charon/sa/connect_manager.c
+++ /dev/null
@@ -1,1623 +0,0 @@
-/*
- * Copyright (C) 2007-2008 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "connect_manager.h"
-
-#include <math.h>
-
-#include <daemon.h>
-#include <threading/mutex.h>
-#include <utils/linked_list.h>
-#include <crypto/hashers/hasher.h>
-
-#include <processing/jobs/callback_job.h>
-#include <processing/jobs/initiate_mediation_job.h>
-#include <encoding/payloads/endpoint_notify.h>
-
-/* base timeout
- * the check interval is ME_INTERVAL */
-#define ME_INTERVAL 25 /* ms */
-/* retransmission timeout is first ME_INTERVAL for ME_BOOST retransmissions
- * then gets reduced to ME_INTERVAL * ME_RETRANS_BASE ^ (sent retransmissions - ME_BOOST). */
-/* number of initial retransmissions sent in short interval */
-#define ME_BOOST 2
-/* base for retransmissions */
-#define ME_RETRANS_BASE 1.8
-/* max number of retransmissions */
-#define ME_MAX_RETRANS 13
-
-/* time to wait before the initiator finishes the connectivity checks after
- * the first check has succeeded */
-#define ME_WAIT_TO_FINISH 1000 /* ms */
-
-typedef struct private_connect_manager_t private_connect_manager_t;
-
-/**
- * Additional private members of connect_manager_t.
- */
-struct private_connect_manager_t {
-	/**
-	 * Public interface of connect_manager_t.
-	 */
-	 connect_manager_t public;
-
-	 /**
-	  * Lock for exclusivly accessing the manager.
-	  */
-	 mutex_t *mutex;
-
-	 /**
-	  * Hasher to generate signatures
-	  */
-	 hasher_t *hasher;
-
-	 /**
-	  * Linked list with initiated mediated connections
-	  */
-	 linked_list_t *initiated;
-
-	 /**
-	  * Linked list with checklists (hash table with connect ID as key would
-	  * be better).
-	  */
-	 linked_list_t *checklists;
-};
-
-typedef enum check_state_t check_state_t;
-
-enum check_state_t {
-	CHECK_NONE,
-	CHECK_WAITING,
-	CHECK_IN_PROGRESS,
-	CHECK_SUCCEEDED,
-	CHECK_FAILED
-};
-
-typedef struct endpoint_pair_t endpoint_pair_t;
-
-/**
- * An entry in the check list.
- */
-struct endpoint_pair_t {
-	/** pair id */
-	u_int32_t id;
-
-	/** priority */
-	u_int64_t priority;
-
-	/** local endpoint */
-	host_t *local;
-
-	/** remote endpoint */
-	host_t *remote;
-
-	/** state */
-	check_state_t state;
-
-	/** number of retransmissions */
-	u_int32_t retransmitted;
-
-	/** the generated packet */
-	packet_t *packet;
-};
-
-/**
- * Destroys an endpoint pair
- */
-static void endpoint_pair_destroy(endpoint_pair_t *this)
-{
-	DESTROY_IF(this->local);
-	DESTROY_IF(this->remote);
-	DESTROY_IF(this->packet);
-	free(this);
-}
-
-/**
- * Creates a new entry for the list.
- */
-static endpoint_pair_t *endpoint_pair_create(endpoint_notify_t *initiator,
-		endpoint_notify_t *responder, bool initiator_is_local)
-{
-	endpoint_pair_t *this = malloc_thing(endpoint_pair_t);
-
-	this->id = 0;
-
-	u_int32_t pi = initiator->get_priority(initiator);
-	u_int32_t pr = responder->get_priority(responder);
-	this->priority = pow(2, 32) * min(pi, pr) + 2 * max(pi, pr) + (pi > pr ? 1 : 0);
-
-	this->local = initiator_is_local ? initiator->get_base(initiator)
-									 : responder->get_base(responder);
-	this->local = this->local->clone(this->local);
-	this->remote = initiator_is_local ? responder->get_host(responder)
-									  : initiator->get_host(initiator);
-	this->remote = this->remote->clone(this->remote);
-
-	this->state = CHECK_WAITING;
-	this->retransmitted = 0;
-	this->packet = NULL;
-
-	return this;
-}
-
-
-typedef struct check_list_t check_list_t;
-
-/**
- * An entry in the linked list.
- */
-struct check_list_t {
-
-	struct {
-		/** initiator's id */
-		identification_t *id;
-
-		/** initiator's key */
-		chunk_t key;
-
-		/** initiator's endpoints */
-		linked_list_t *endpoints;
-	} initiator;
-
-	struct {
-		/** responder's id */
-		identification_t *id;
-
-		/** responder's key */
-		chunk_t key;
-
-		/** responder's endpoints */
-		linked_list_t *endpoints;
-	} responder;
-
-	/** connect id */
-	chunk_t connect_id;
-
-	/** list of endpoint pairs */
-	linked_list_t *pairs;
-
-	/** pairs queued for triggered checks */
-	linked_list_t *triggered;
-
-	/** state */
-	check_state_t state;
-
-	/** TRUE if this is the initiator */
-	bool is_initiator;
-
-	/** TRUE if the initiator is finishing the checks */
-	bool is_finishing;
-
-	/** the current sender job */
-	job_t *sender;
-
-};
-
-/**
- * Destroys a checklist
- */
-static void check_list_destroy(check_list_t *this)
-{
-	DESTROY_IF(this->initiator.id);
-	DESTROY_IF(this->responder.id);
-
-	chunk_free(&this->connect_id);
-	chunk_free(&this->initiator.key);
-	chunk_free(&this->responder.key);
-
-	DESTROY_OFFSET_IF(this->initiator.endpoints,
-					  offsetof(endpoint_notify_t, destroy));
-	DESTROY_OFFSET_IF(this->responder.endpoints,
-					  offsetof(endpoint_notify_t, destroy));
-
-	DESTROY_FUNCTION_IF(this->pairs, (void*)endpoint_pair_destroy);
-	/* this list contains some of the elements contained in this->pairs */
-	DESTROY_IF(this->triggered);
-
-	free(this);
-}
-
-/**
- * Creates a new checklist
- */
-static check_list_t *check_list_create(identification_t *initiator,
-									   identification_t *responder,
-									   chunk_t connect_id,
-									   chunk_t initiator_key,
-									   linked_list_t *initiator_endpoints,
-									   bool is_initiator)
-{
-	check_list_t *this = malloc_thing(check_list_t);
-
-	this->connect_id = chunk_clone(connect_id);
-
-	this->initiator.id = initiator->clone(initiator);
-	this->initiator.key = chunk_clone(initiator_key);
-	this->initiator.endpoints = initiator_endpoints->clone_offset(initiator_endpoints, offsetof(endpoint_notify_t, clone));
-
-	this->responder.id = responder->clone(responder);
-	this->responder.key = chunk_empty;
-	this->responder.endpoints = NULL;
-
-	this->pairs = linked_list_create();
-	this->triggered = linked_list_create();
-	this->state = CHECK_NONE;
-	this->is_initiator = is_initiator;
-	this->is_finishing = FALSE;
-
-	return this;
-}
-
-typedef struct initiated_t initiated_t;
-
-/**
- * For an initiator, the data stored about initiated mediation connections
- */
-struct initiated_t {
-	/** my id */
-	identification_t *id;
-
-	/** peer id */
-	identification_t *peer_id;
-
-	/** list of mediated sas */
-	linked_list_t *mediated;
-};
-
-/**
- * Destroys a queued initiation
- */
-static void initiated_destroy(initiated_t *this)
-{
-	DESTROY_IF(this->id);
-	DESTROY_IF(this->peer_id);
-	this->mediated->destroy_offset(this->mediated,
-								   offsetof(ike_sa_id_t, destroy));
-	free(this);
-}
-
-/**
- * Creates a queued initiation
- */
-static initiated_t *initiated_create(identification_t *id,
-									 identification_t *peer_id)
-{
-	initiated_t *this = malloc_thing(initiated_t);
-
-	this->id = id->clone(id);
-	this->peer_id = peer_id->clone(peer_id);
-	this->mediated = linked_list_create();
-
-	return this;
-}
-
-
-typedef struct check_t check_t;
-
-/**
- * Data exchanged in a connectivity check
- */
-struct check_t {
-	/** message id */
-	u_int32_t mid;
-
-	/** source of the connectivity check */
-	host_t *src;
-
-	/** destination of the connectivity check */
-	host_t *dst;
-
-	/** connect id */
-	chunk_t connect_id;
-
-	/** endpoint */
-	endpoint_notify_t *endpoint;
-
-	/** raw endpoint payload (to verify the signature) */
-	chunk_t endpoint_raw;
-
-	/** connect auth */
-	chunk_t auth;
-};
-
-/**
- * Destroys a connectivity check
- */
-static void check_destroy(check_t *this)
-{
-	chunk_free(&this->connect_id);
-	chunk_free(&this->endpoint_raw);
-	chunk_free(&this->auth);
-	DESTROY_IF(this->src);
-	DESTROY_IF(this->dst);
-	DESTROY_IF(this->endpoint);
-	free(this);
-}
-
-/**
- * Creates a new connectivity check
- */
-static check_t *check_create()
-{
-	check_t *this = malloc_thing(check_t);
-
-	this->connect_id = chunk_empty;
-	this->auth = chunk_empty;
-	this->endpoint_raw = chunk_empty;
-	this->src = NULL;
-	this->dst = NULL;
-	this->endpoint = NULL;
-
-	this->mid = 0;
-
-	return this;
-}
-
-typedef struct callback_data_t callback_data_t;
-
-/**
- * Data required by several callback jobs used in this file
- */
-struct callback_data_t {
-	/** connect manager */
-	private_connect_manager_t *connect_manager;
-
-	/** connect id */
-	chunk_t connect_id;
-
-	/** message (pair) id */
-	u_int32_t mid;
-};
-
-/**
- * Destroys a callback data object
- */
-static void callback_data_destroy(callback_data_t *this)
-{
-	chunk_free(&this->connect_id);
-	free(this);
-}
-
-/**
- * Creates a new callback data object
- */
-static callback_data_t *callback_data_create(private_connect_manager_t *connect_manager,
-											 chunk_t connect_id)
-{
-	callback_data_t *this = malloc_thing(callback_data_t);
-	this->connect_manager = connect_manager;
-	this->connect_id = chunk_clone(connect_id);
-	this->mid = 0;
-	return this;
-}
-
-/**
- * Creates a new retransmission data object
- */
-static callback_data_t *retransmit_data_create(private_connect_manager_t *connect_manager,
-											   chunk_t connect_id, u_int32_t mid)
-{
-	callback_data_t *this = callback_data_create(connect_manager, connect_id);
-	this->mid = mid;
-	return this;
-}
-
-typedef struct initiate_data_t initiate_data_t;
-
-/**
- * Data required by the initiate mediated
- */
-struct initiate_data_t {
-	/** checklist */
-	check_list_t *checklist;
-
-	/** waiting mediated connections */
-	initiated_t *initiated;
-};
-
-/**
- * Destroys a initiate data object
- */
-static void initiate_data_destroy(initiate_data_t *this)
-{
-	check_list_destroy(this->checklist);
-	initiated_destroy(this->initiated);
-	free(this);
-}
-
-/**
- * Creates a new initiate data object
- */
-static initiate_data_t *initiate_data_create(check_list_t *checklist,
-											 initiated_t *initiated)
-{
-	initiate_data_t *this = malloc_thing(initiate_data_t);
-
-	this->checklist = checklist;
-	this->initiated = initiated;
-
-	return this;
-}
-
-/**
- * Find an initiated connection by the peers' ids
- */
-static bool match_initiated_by_ids(initiated_t *current, identification_t *id,
-								   identification_t *peer_id)
-{
-	return id->equals(id, current->id) && peer_id->equals(peer_id, current->peer_id);
-}
-
-static status_t get_initiated_by_ids(private_connect_manager_t *this,
-									 identification_t *id,
-									 identification_t *peer_id,
-									 initiated_t **initiated)
-{
-	return this->initiated->find_first(this->initiated,
-								(linked_list_match_t)match_initiated_by_ids,
-								(void**)initiated, id, peer_id);
-}
-
-/**
- * Removes data about initiated connections
- */
-static void remove_initiated(private_connect_manager_t *this,
-							 initiated_t *initiated)
-{
-	iterator_t *iterator;
-	initiated_t *current;
-
-	iterator = this->initiated->create_iterator(this->initiated, TRUE);
-	while (iterator->iterate(iterator, (void**)&current))
-	{
-		if (current == initiated)
-		{
-			iterator->remove(iterator);
-			break;
-		}
-	}
-	iterator->destroy(iterator);
-}
-
-/**
- * Find the checklist with a specific connect ID
- */
-static bool match_checklist_by_id(check_list_t *current, chunk_t *connect_id)
-{
-	return chunk_equals(*connect_id, current->connect_id);
-}
-
-static status_t get_checklist_by_id(private_connect_manager_t *this,
-									chunk_t connect_id,
-									check_list_t **check_list)
-{
-	return this->checklists->find_first(this->checklists,
-								(linked_list_match_t)match_checklist_by_id,
-								(void**)check_list, &connect_id);
-}
-
-/**
- * Removes a checklist
- */
-static void remove_checklist(private_connect_manager_t *this,
-							 check_list_t *checklist)
-{
-	iterator_t *iterator;
-	check_list_t *current;
-
-	iterator = this->checklists->create_iterator(this->checklists, TRUE);
-	while (iterator->iterate(iterator, (void**)&current))
-	{
-		if (current == checklist)
-		{
-			iterator->remove(iterator);
-			break;
-		}
-	}
-	iterator->destroy(iterator);
-}
-
-/**
- * Checks if a list of endpoint_notify_t contains a certain host_t
- */
-static bool match_endpoint_by_host(endpoint_notify_t *current, host_t *host)
-{
-	return host->equals(host, current->get_host(current));
-}
-
-static status_t endpoints_contain(linked_list_t *endpoints, host_t *host,
-								  endpoint_notify_t **endpoint)
-{
-	return endpoints->find_first(endpoints,
-								 (linked_list_match_t)match_endpoint_by_host,
-								 (void**)endpoint, host);
-}
-
-/**
- * Inserts an endpoint pair into a list of pairs ordered by priority (high to low)
- */
-static void insert_pair_by_priority(linked_list_t *pairs, endpoint_pair_t *pair)
-{
-	iterator_t *iterator;
-	endpoint_pair_t *current;
-	bool inserted = FALSE;
-
-	iterator = pairs->create_iterator(pairs, TRUE);
-	while (iterator->iterate(iterator, (void**)&current))
-	{
-		if (current->priority < pair->priority)
-		{
-			iterator->insert_before(iterator, pair);
-			inserted = TRUE;
-			break;
-		}
-	}
-	iterator->destroy(iterator);
-
-	if (!inserted)
-	{
-		pairs->insert_last(pairs, pair);
-	}
-}
-
-/**
- * Searches a list of endpoint_pair_t for a pair with specific host_ts
- */
-static bool match_pair_by_hosts(endpoint_pair_t *current, host_t *local,
-								host_t *remote)
-{
-	return local->equals(local, current->local) && remote->equals(remote, current->remote);
-}
-
-static status_t get_pair_by_hosts(linked_list_t *pairs, host_t *local,
-								  host_t *remote, endpoint_pair_t **pair)
-{
-	return pairs->find_first(pairs, (linked_list_match_t)match_pair_by_hosts,
-							 (void**)pair, local, remote);
-}
-
-static bool match_pair_by_id(endpoint_pair_t *current, u_int32_t *id)
-{
-	return current->id == *id;
-}
-
-/**
- * Searches for a pair with a specific id
- */
-static status_t get_pair_by_id(check_list_t *checklist, u_int32_t id,
-							   endpoint_pair_t **pair)
-{
-	return checklist->pairs->find_first(checklist->pairs,
-										(linked_list_match_t)match_pair_by_id,
-										(void**)pair, &id);
-}
-
-static bool match_succeeded_pair(endpoint_pair_t *current)
-{
-	return current->state == CHECK_SUCCEEDED;
-}
-
-/**
- * Returns the best pair of state CHECK_SUCCEEDED from a checklist.
- */
-static status_t get_best_valid_pair(check_list_t *checklist,
-									endpoint_pair_t **pair)
-{
-	return checklist->pairs->find_first(checklist->pairs,
-									(linked_list_match_t)match_succeeded_pair,
-									(void**)pair);
-}
-
-static bool match_waiting_pair(endpoint_pair_t *current)
-{
-	return current->state == CHECK_WAITING;
-}
-
-/**
- * Returns and *removes* the first triggered pair in state CHECK_WAITING.
- */
-static status_t get_triggered_pair(check_list_t *checklist,
-								   endpoint_pair_t **pair)
-{
-	iterator_t *iterator;
-	endpoint_pair_t *current;
-	status_t status = NOT_FOUND;
-
-	iterator = checklist->triggered->create_iterator(checklist->triggered, TRUE);
-	while (iterator->iterate(iterator, (void**)&current))
-	{
-		iterator->remove(iterator);
-
-		if (current->state == CHECK_WAITING)
-		{
-			if (pair)
-			{
-				*pair = current;
-			}
-			status = SUCCESS;
-			break;
-		}
-	}
-	iterator->destroy(iterator);
-
-	return status;
-}
-
-/**
- * Prints all the pairs on a checklist
- */
-static void print_checklist(check_list_t *checklist)
-{
-	iterator_t *iterator;
-	endpoint_pair_t *current;
-
-	DBG1(DBG_IKE, "pairs on checklist %#B:", &checklist->connect_id);
-	iterator = checklist->pairs->create_iterator(checklist->pairs, TRUE);
-	while (iterator->iterate(iterator, (void**)&current))
-	{
-		DBG1(DBG_IKE, " * %#H - %#H (%d)", current->local, current->remote,
-			 current->priority);
-	}
-	iterator->destroy(iterator);
-}
-
-/**
- * Prunes identical pairs with lower priority from the list
- * Note: this function also numbers the remaining pairs serially
- */
-static void prune_pairs(linked_list_t *pairs)
-{
-	iterator_t *iterator, *search;
-	endpoint_pair_t *current, *other;
-	u_int32_t id = 0;
-
-	iterator = pairs->create_iterator(pairs, TRUE);
-	search = pairs->create_iterator(pairs, TRUE);
-	while (iterator->iterate(iterator, (void**)&current))
-	{
-		current->id = ++id;
-
-		while (search->iterate(search, (void**)&other))
-		{
-			if (current == other)
-			{
-				continue;
-			}
-
-			if (current->local->equals(current->local, other->local) &&
-				current->remote->equals(current->remote, other->remote))
-			{
-				/* since the list of pairs is sorted by priority in descending
-				 * order, and we iterate the list from the beginning, we are
-				 * sure that the priority of 'other' is lower than that of
-				 * 'current', remove it */
-				DBG1(DBG_IKE, "pruning endpoint pair %#H - %#H with priority %d",
-					 other->local, other->remote, other->priority);
-				search->remove(search);
-				endpoint_pair_destroy(other);
-			}
-		}
-		search->reset(search);
-	}
-	search->destroy(search);
-	iterator->destroy(iterator);
-}
-
-/**
- * Builds a list of endpoint pairs
- */
-static void build_pairs(check_list_t *checklist)
-{
-	/* FIXME: limit endpoints and pairs */
-	iterator_t *iterator_i, *iterator_r;
-	endpoint_notify_t *initiator, *responder;
-
-	iterator_i = checklist->initiator.endpoints->create_iterator(
-										checklist->initiator.endpoints, TRUE);
-	while (iterator_i->iterate(iterator_i, (void**)&initiator))
-	{
-		iterator_r = checklist->responder.endpoints->create_iterator(
-										checklist->responder.endpoints, TRUE);
-		while (iterator_r->iterate(iterator_r, (void**)&responder))
-		{
-			if (initiator->get_family(initiator) != responder->get_family(responder))
-			{
-				continue;
-			}
-
-			insert_pair_by_priority(checklist->pairs, endpoint_pair_create(
-							initiator, responder, checklist->is_initiator));
-		}
-		iterator_r->destroy(iterator_r);
-	}
-	iterator_i->destroy(iterator_i);
-
-	print_checklist(checklist);
-
-	prune_pairs(checklist->pairs);
-}
-
-/**
- * Processes the payloads of a connectivity check and returns the extracted data
- */
-static status_t process_payloads(message_t *message, check_t *check)
-{
-	enumerator_t *enumerator;
-	payload_t *payload;
-
-	enumerator = message->create_payload_enumerator(message);
-	while (enumerator->enumerate(enumerator, &payload))
-	{
-		if (payload->get_type(payload) != NOTIFY)
-		{
-			DBG1(DBG_IKE, "ignoring payload of type '%N' while processing "
-				 "connectivity check", payload_type_names,
-				 payload->get_type(payload));
-			continue;
-		}
-
-		notify_payload_t *notify = (notify_payload_t*)payload;
-
-		switch (notify->get_notify_type(notify))
-		{
-			case ME_ENDPOINT:
-			{
-				if (check->endpoint)
-				{
-					DBG1(DBG_IKE, "connectivity check contains multiple "
-						 "ME_ENDPOINT notifies");
-					break;
-				}
-
-				endpoint_notify_t *endpoint = endpoint_notify_create_from_payload(notify);
-				if (!endpoint)
-				{
-					DBG1(DBG_IKE, "received invalid ME_ENDPOINT notify");
-					break;
-				}
-				check->endpoint = endpoint;
-				check->endpoint_raw = chunk_clone(notify->get_notification_data(notify));
-				DBG2(DBG_IKE, "received ME_ENDPOINT notify");
-				break;
-			}
-			case ME_CONNECTID:
-			{
-				if (check->connect_id.ptr)
-				{
-					DBG1(DBG_IKE, "connectivity check contains multiple "
-						 "ME_CONNECTID notifies");
-					break;
-				}
-				check->connect_id = chunk_clone(notify->get_notification_data(notify));
-				DBG2(DBG_IKE, "received ME_CONNECTID %#B", &check->connect_id);
-				break;
-			}
-			case ME_CONNECTAUTH:
-			{
-				if (check->auth.ptr)
-				{
-					DBG1(DBG_IKE, "connectivity check contains multiple "
-						 "ME_CONNECTAUTH notifies");
-					break;
-				}
-				check->auth = chunk_clone(notify->get_notification_data(notify));
-				DBG2(DBG_IKE, "received ME_CONNECTAUTH %#B", &check->auth);
-				break;
-			}
-			default:
-				break;
-		}
-	}
-	enumerator->destroy(enumerator);
-
-	if (!check->connect_id.ptr || !check->endpoint || !check->auth.ptr)
-	{
-		DBG1(DBG_IKE, "at least one required payload was missing from the "
-			 "connectivity check");
-		return FAILED;
-	}
-
-	return SUCCESS;
-}
-
-/**
- * Builds the signature for a connectivity check
- */
-static chunk_t build_signature(private_connect_manager_t *this,
-		check_list_t *checklist, check_t *check, bool outbound)
-{
-	u_int32_t mid;
-	chunk_t mid_chunk, key_chunk, sig_chunk;
-	chunk_t sig_hash;
-
-	mid = htonl(check->mid);
-	mid_chunk = chunk_from_thing(mid);
-
-	key_chunk = (checklist->is_initiator && outbound) || (!checklist->is_initiator && !outbound)
-					? checklist->initiator.key : checklist->responder.key;
-
-	/* signature = SHA1( MID | ME_CONNECTID | ME_ENDPOINT | ME_CONNECTKEY ) */
-	sig_chunk = chunk_cat("cccc", mid_chunk, check->connect_id,
-						  check->endpoint_raw, key_chunk);
-	this->hasher->allocate_hash(this->hasher, sig_chunk, &sig_hash);
-	DBG3(DBG_IKE, "sig_chunk %#B", &sig_chunk);
-	DBG3(DBG_IKE, "sig_hash %#B", &sig_hash);
-
-	chunk_free(&sig_chunk);
-	return sig_hash;
-}
-
-static void queue_retransmission(private_connect_manager_t *this, check_list_t *checklist, endpoint_pair_t *pair);
-static void schedule_checks(private_connect_manager_t *this, check_list_t *checklist, u_int32_t time);
-static void finish_checks(private_connect_manager_t *this, check_list_t *checklist);
-
-/**
- * After one of the initiator's pairs has succeeded we finish the checks without
- * waiting for all the timeouts
- */
-static job_requeue_t initiator_finish(callback_data_t *data)
-{
-	private_connect_manager_t *this = data->connect_manager;
-
-	this->mutex->lock(this->mutex);
-
-	check_list_t *checklist;
-	if (get_checklist_by_id(this, data->connect_id, &checklist) != SUCCESS)
-	{
-		DBG1(DBG_IKE, "checklist with id '%#B' not found, can't finish "
-			 "connectivity checks", &data->connect_id);
-		this->mutex->unlock(this->mutex);
-		return JOB_REQUEUE_NONE;
-	}
-
-	finish_checks(this, checklist);
-
-	this->mutex->unlock(this->mutex);
-
-	return JOB_REQUEUE_NONE;
-}
-
-/**
- * Updates the state of the whole checklist
- */
-static void update_checklist_state(private_connect_manager_t *this,
-								   check_list_t *checklist)
-{
-	iterator_t *iterator;
-	endpoint_pair_t *current;
-	bool in_progress = FALSE, succeeded = FALSE;
-
-	iterator = checklist->pairs->create_iterator(checklist->pairs, TRUE);
-	while (iterator->iterate(iterator, (void**)&current))
-	{
-		switch(current->state)
-		{
-			case CHECK_WAITING:
-				/* at least one is still waiting -> checklist remains
-				 * in waiting state */
-				iterator->destroy(iterator);
-				return;
-			case CHECK_IN_PROGRESS:
-				in_progress = TRUE;
-				break;
-			case CHECK_SUCCEEDED:
-				succeeded = TRUE;
-				break;
-			default:
-				break;
-		}
-	}
-	iterator->destroy(iterator);
-
-	if (checklist->is_initiator && succeeded && !checklist->is_finishing)
-	{
-		/* instead of waiting until all checks have finished (i.e. all
-		 * retransmissions have failed) the initiator finishes the checks
-		 * right after the first check has succeeded. to allow a probably
-		 * better pair to succeed, we still wait a certain time */
-		DBG2(DBG_IKE, "fast finishing checks for checklist '%#B'",
-			 &checklist->connect_id);
-
-		callback_data_t *data = callback_data_create(this, checklist->connect_id);
-		job_t *job = (job_t*)callback_job_create((callback_job_cb_t)initiator_finish, data, (callback_job_cleanup_t)callback_data_destroy, NULL);
-		charon->scheduler->schedule_job_ms(charon->scheduler, job, ME_WAIT_TO_FINISH);
-		checklist->is_finishing = TRUE;
-	}
-
-	if (in_progress)
-	{
-		checklist->state = CHECK_IN_PROGRESS;
-	}
-	else if (succeeded)
-	{
-		checklist->state = CHECK_SUCCEEDED;
-	}
-	else
-	{
-		checklist->state = CHECK_FAILED;
-	}
-}
-
-/**
- * This function is triggered for each sent check after a specific timeout
- */
-static job_requeue_t retransmit(callback_data_t *data)
-{
-	private_connect_manager_t *this = data->connect_manager;
-
-	this->mutex->lock(this->mutex);
-
-	check_list_t *checklist;
-	if (get_checklist_by_id(this, data->connect_id, &checklist) != SUCCESS)
-	{
-		DBG1(DBG_IKE, "checklist with id '%#B' not found, can't retransmit "
-			 "connectivity check", &data->connect_id);
-		this->mutex->unlock(this->mutex);
-		return JOB_REQUEUE_NONE;
-	}
-
-	endpoint_pair_t *pair;
-	if (get_pair_by_id(checklist, data->mid, &pair) != SUCCESS)
-	{
-		DBG1(DBG_IKE, "pair with id '%d' not found, can't retransmit "
-			 "connectivity check", data->mid);
-		goto retransmit_end;
-	}
-
-	if (pair->state != CHECK_IN_PROGRESS)
-	{
-		DBG2(DBG_IKE, "pair with id '%d' is in wrong state [%d], don't "
-			 "retransmit the connectivity check", data->mid, pair->state);
-		goto retransmit_end;
-	}
-
-	if (++pair->retransmitted > ME_MAX_RETRANS)
-	{
-		DBG2(DBG_IKE, "pair with id '%d' failed after %d retransmissions",
-			 data->mid, ME_MAX_RETRANS);
-		pair->state = CHECK_FAILED;
-		goto retransmit_end;
-	}
-
-	charon->sender->send(charon->sender, pair->packet->clone(pair->packet));
-
-	queue_retransmission(this, checklist, pair);
-
-retransmit_end:
-	update_checklist_state(this, checklist);
-
-	switch(checklist->state)
-	{
-		case CHECK_SUCCEEDED:
-		case CHECK_FAILED:
-			finish_checks(this, checklist);
-			break;
-		default:
-			break;
-	}
-
-	this->mutex->unlock(this->mutex);
-
-	/* we reschedule it manually */
-	return JOB_REQUEUE_NONE;
-}
-
-/**
- * Queues a retransmission job
- */
-static void queue_retransmission(private_connect_manager_t *this, check_list_t *checklist, endpoint_pair_t *pair)
-{
-	callback_data_t *data = retransmit_data_create(this, checklist->connect_id, pair->id);
-	job_t *job = (job_t*)callback_job_create((callback_job_cb_t)retransmit, data, (callback_job_cleanup_t)callback_data_destroy, NULL);
-
-	u_int32_t retransmission = pair->retransmitted + 1;
-	u_int32_t rto = ME_INTERVAL;
-	if (retransmission > ME_BOOST)
-	{
-		rto = (u_int32_t)(ME_INTERVAL * pow(ME_RETRANS_BASE, retransmission - ME_BOOST));
-	}
-	DBG2(DBG_IKE, "scheduling retransmission %d of pair '%d' in %dms",
-		 retransmission, pair->id, rto);
-
-	charon->scheduler->schedule_job_ms(charon->scheduler, (job_t*)job, rto);
-}
-
-/**
- * Sends a check
- */
-static void send_check(private_connect_manager_t *this, check_list_t *checklist,
-		check_t *check, endpoint_pair_t *pair, bool request)
-{
-	message_t *message = message_create();
-	message->set_message_id(message, check->mid);
-	message->set_exchange_type(message, INFORMATIONAL);
-	message->set_request(message, request);
-	message->set_destination(message, check->dst->clone(check->dst));
-	message->set_source(message, check->src->clone(check->src));
-
-	ike_sa_id_t *ike_sa_id = ike_sa_id_create(0, 0, request);
-	message->set_ike_sa_id(message, ike_sa_id);
-	ike_sa_id->destroy(ike_sa_id);
-
-	message->add_notify(message, FALSE, ME_CONNECTID, check->connect_id);
-	DBG2(DBG_IKE, "send ME_CONNECTID %#B", &check->connect_id);
-
-	notify_payload_t *endpoint = check->endpoint->build_notify(check->endpoint);
-	check->endpoint_raw = chunk_clone(endpoint->get_notification_data(endpoint));
-	message->add_payload(message, (payload_t*)endpoint);
-	DBG2(DBG_IKE, "send ME_ENDPOINT notify");
-
-	check->auth = build_signature(this, checklist, check, TRUE);
-	message->add_notify(message, FALSE, ME_CONNECTAUTH, check->auth);
-	DBG2(DBG_IKE, "send ME_CONNECTAUTH %#B", &check->auth);
-
-	packet_t *packet;
-	if (message->generate(message, NULL, NULL, &packet) == SUCCESS)
-	{
-		charon->sender->send(charon->sender, packet->clone(packet));
-
-		if (request)
-		{
-			DESTROY_IF(pair->packet);
-			pair->packet = packet;
-			pair->retransmitted = 0;
-			queue_retransmission(this, checklist, pair);
-		}
-		else
-		{
-			packet->destroy(packet);
-		}
-	}
-	message->destroy(message);
-}
-
-/**
- * Queues a triggered check
- */
-static void queue_triggered_check(private_connect_manager_t *this,
-		check_list_t *checklist, endpoint_pair_t *pair)
-{
-	DBG2(DBG_IKE, "queueing triggered check for pair '%d'", pair->id);
-	pair->state = CHECK_WAITING;
-	checklist->triggered->insert_last(checklist->triggered, pair);
-
-	if (!checklist->sender)
-	{
-		/* if the sender is not running we restart it */
-		schedule_checks(this, checklist, ME_INTERVAL);
-	}
-}
-
-/**
- * This function is triggered for each checklist at a specific interval
- */
-static job_requeue_t sender(callback_data_t *data)
-{
-	private_connect_manager_t *this = data->connect_manager;
-
-	this->mutex->lock(this->mutex);
-
-	check_list_t *checklist;
-	if (get_checklist_by_id(this, data->connect_id, &checklist) != SUCCESS)
-	{
-		DBG1(DBG_IKE, "checklist with id '%#B' not found, can't send "
-			 "connectivity check", &data->connect_id);
-		this->mutex->unlock(this->mutex);
-		return JOB_REQUEUE_NONE;
-	}
-
-	/* reset the sender */
-	checklist->sender = NULL;
-
-	endpoint_pair_t *pair;
-	if (get_triggered_pair(checklist, &pair) != SUCCESS)
-	{
-		DBG1(DBG_IKE, "no triggered check queued, sending an ordinary check");
-
-		if (checklist->pairs->find_first(checklist->pairs,
-									(linked_list_match_t)match_waiting_pair,
-									(void**)&pair) != SUCCESS)
-		{
-			this->mutex->unlock(this->mutex);
-			DBG1(DBG_IKE, "no pairs in waiting state, aborting");
-			return JOB_REQUEUE_NONE;
-		}
-	}
-	else
-	{
-		DBG1(DBG_IKE, "triggered check found");
-	}
-
-	check_t *check = check_create();
-	check->mid = pair->id;
-	check->src = pair->local->clone(pair->local);
-	check->dst = pair->remote->clone(pair->remote);
-	check->connect_id = chunk_clone(checklist->connect_id);
-	check->endpoint = endpoint_notify_create_from_host(PEER_REFLEXIVE, NULL,
-													   NULL);
-
-	pair->state = CHECK_IN_PROGRESS;
-
-	send_check(this, checklist, check, pair, TRUE);
-
-	check_destroy(check);
-
-	/* schedule this job again */
-	schedule_checks(this, checklist, ME_INTERVAL);
-
-	this->mutex->unlock(this->mutex);
-
-	/* we reschedule it manually */
-	return JOB_REQUEUE_NONE;
-}
-
-/**
- * Schedules checks for a checklist (time in ms)
- */
-static void schedule_checks(private_connect_manager_t *this, check_list_t *checklist, u_int32_t time)
-{
-	callback_data_t *data = callback_data_create(this, checklist->connect_id);
-	checklist->sender = (job_t*)callback_job_create((callback_job_cb_t)sender, data, (callback_job_cleanup_t)callback_data_destroy, NULL);
-	charon->scheduler->schedule_job_ms(charon->scheduler, checklist->sender, time);
-}
-
-/**
- * Initiates waiting mediated connections
- */
-static job_requeue_t initiate_mediated(initiate_data_t *data)
-{
-	check_list_t *checklist = data->checklist;
-	initiated_t *initiated = data->initiated;
-
-	endpoint_pair_t *pair;
-	if (get_best_valid_pair(checklist, &pair) == SUCCESS)
-	{
-		ike_sa_id_t *waiting_sa;
-		iterator_t *iterator = initiated->mediated->create_iterator(initiated->mediated, TRUE);
-		while (iterator->iterate(iterator, (void**)&waiting_sa))
-		{
-			ike_sa_t *sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager, waiting_sa);
-			if (sa->initiate_mediated(sa, pair->local, pair->remote, checklist->connect_id) != SUCCESS)
-			{
-				DBG1(DBG_IKE, "establishing mediated connection failed");
-				charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, sa);
-			}
-			charon->ike_sa_manager->checkin(charon->ike_sa_manager, sa);
-		}
-		iterator->destroy(iterator);
-	}
-	else
-	{
-		/* this should (can?) not happen */
-	}
-
-	return JOB_REQUEUE_NONE;
-}
-
-/**
- * Finishes checks for a checklist
- */
-static void finish_checks(private_connect_manager_t *this, check_list_t *checklist)
-{
-	if (checklist->is_initiator)
-	{
-		initiated_t *initiated;
-		if (get_initiated_by_ids(this, checklist->initiator.id,
-				checklist->responder.id, &initiated) == SUCCESS)
-		{
-			remove_checklist(this, checklist);
-			remove_initiated(this, initiated);
-
-			initiate_data_t *data = initiate_data_create(checklist, initiated);
-			job_t *job = (job_t*)callback_job_create((callback_job_cb_t)initiate_mediated, data, (callback_job_cleanup_t)initiate_data_destroy, NULL);
-			charon->processor->queue_job(charon->processor, job);
-			return;
-		}
-		else
-		{
-			DBG1(DBG_IKE, "there is no mediated connection waiting between '%Y'"
-				 " and '%Y'", checklist->initiator.id, checklist->responder.id);
-		}
-	}
-}
-
-/**
- * Process the response to one of our requests
- */
-static void process_response(private_connect_manager_t *this, check_t *check,
-		check_list_t *checklist)
-{
-	endpoint_pair_t *pair;
-	if (get_pair_by_id(checklist, check->mid, &pair) == SUCCESS)
-	{
-		if (pair->local->equals(pair->local, check->dst) &&
-			pair->remote->equals(pair->remote, check->src))
-		{
-			DBG1(DBG_IKE, "endpoint pair '%d' is valid: '%#H' - '%#H'",
-				 pair->id, pair->local, pair->remote);
-			pair->state = CHECK_SUCCEEDED;
-		}
-
-		linked_list_t *local_endpoints = checklist->is_initiator ?
-			checklist->initiator.endpoints : checklist->responder.endpoints;
-
-		endpoint_notify_t *local_endpoint;
-		if (endpoints_contain(local_endpoints,
-							  check->endpoint->get_host(check->endpoint),
-							  &local_endpoint) != SUCCESS)
-		{
-			local_endpoint = endpoint_notify_create_from_host(PEER_REFLEXIVE,
-					check->endpoint->get_host(check->endpoint), pair->local);
-			local_endpoint->set_priority(local_endpoint,
-								check->endpoint->get_priority(check->endpoint));
-			local_endpoints->insert_last(local_endpoints, local_endpoint);
-		}
-
-		update_checklist_state(this, checklist);
-
-		switch(checklist->state)
-		{
-			case CHECK_SUCCEEDED:
-			case CHECK_FAILED:
-				finish_checks(this, checklist);
-				break;
-			default:
-				break;
-		}
-	}
-	else
-	{
-		DBG1(DBG_IKE, "pair with id '%d' not found", check->mid);
-	}
-}
-
-static void process_request(private_connect_manager_t *this, check_t *check,
-							check_list_t *checklist)
-{
-	linked_list_t *remote_endpoints = checklist->is_initiator ?
-				checklist->responder.endpoints : checklist->initiator.endpoints;
-
-	endpoint_notify_t *peer_reflexive, *remote_endpoint;
-	peer_reflexive = endpoint_notify_create_from_host(PEER_REFLEXIVE,
-													  check->src, NULL);
-	peer_reflexive->set_priority(peer_reflexive,
-							check->endpoint->get_priority(check->endpoint));
-
-	if (endpoints_contain(remote_endpoints, check->src, &remote_endpoint) != SUCCESS)
-	{
-		remote_endpoint = peer_reflexive->clone(peer_reflexive);
-		remote_endpoints->insert_last(remote_endpoints, remote_endpoint);
-	}
-
-	endpoint_pair_t *pair;
-	if (get_pair_by_hosts(checklist->pairs, check->dst, check->src,
-						  &pair) == SUCCESS)
-	{
-		switch(pair->state)
-		{
-			case CHECK_IN_PROGRESS:
-				/* prevent retransmissions */
-				pair->retransmitted = ME_MAX_RETRANS;
-				/* FIXME: we should wait to the next rto to send the triggered
-				 * check */
-				/* fall-through */
-			case CHECK_WAITING:
-			case CHECK_FAILED:
-				queue_triggered_check(this, checklist, pair);
-				break;
-			case CHECK_SUCCEEDED:
-			default:
-				break;
-		}
-	}
-	else
-	{
-		endpoint_notify_t *local_endpoint = endpoint_notify_create_from_host(HOST, check->dst, NULL);
-
-		endpoint_notify_t *initiator = checklist->is_initiator ? local_endpoint : remote_endpoint;
-		endpoint_notify_t *responder = checklist->is_initiator ? remote_endpoint : local_endpoint;
-
-		pair = endpoint_pair_create(initiator, responder, checklist->is_initiator);
-		pair->id = checklist->pairs->get_count(checklist->pairs) + 1;
-
-		insert_pair_by_priority(checklist->pairs, pair);
-
-		queue_triggered_check(this, checklist, pair);
-
-		local_endpoint->destroy(local_endpoint);
-	}
-
-	check_t *response = check_create();
-
-	response->mid = check->mid;
-	response->src = check->dst->clone(check->dst);
-	response->dst = check->src->clone(check->src);
-	response->connect_id = chunk_clone(check->connect_id);
-	response->endpoint = peer_reflexive;
-
-	send_check(this, checklist, response, pair, FALSE);
-
-	check_destroy(response);
-}
-
-/**
- * Implementation of connect_manager_t.process_check.
- */
-static void process_check(private_connect_manager_t *this, message_t *message)
-{
-	if (message->parse_body(message, NULL, NULL) != SUCCESS)
-	{
-		DBG1(DBG_IKE, "%N %s with message ID %d processing failed",
-			 exchange_type_names, message->get_exchange_type(message),
-			 message->get_request(message) ? "request" : "response",
-			 message->get_message_id(message));
-		return;
-	}
-
-	check_t *check = check_create();
-	check->mid = message->get_message_id(message);
-	check->src = message->get_source(message);
-	check->src = check->src->clone(check->src);
-	check->dst = message->get_destination(message);
-	check->dst = check->dst->clone(check->dst);
-
-	if (process_payloads(message, check) != SUCCESS)
-	{
-		DBG1(DBG_IKE, "invalid connectivity check %s received",
-			 message->get_request(message) ? "request" : "response");
-		check_destroy(check);
-		return;
-	}
-
-	this->mutex->lock(this->mutex);
-
-	check_list_t *checklist;
-	if (get_checklist_by_id(this, check->connect_id, &checklist) != SUCCESS)
-	{
-		DBG1(DBG_IKE, "checklist with id '%#B' not found",
-			 &check->connect_id);
-		check_destroy(check);
-		this->mutex->unlock(this->mutex);
-		return;
-	}
-
-	chunk_t sig = build_signature(this, checklist, check, FALSE);
-	if (!chunk_equals(sig, check->auth))
-	{
-		DBG1(DBG_IKE, "connectivity check verification failed");
-		check_destroy(check);
-		chunk_free(&sig);
-		this->mutex->unlock(this->mutex);
-		return;
-	}
-	chunk_free(&sig);
-
-	if (message->get_request(message))
-	{
-		process_request(this, check, checklist);
-	}
-	else
-	{
-		process_response(this, check, checklist);
-	}
-
-	this->mutex->unlock(this->mutex);
-
-	check_destroy(check);
-}
-
-/**
- * Implementation of connect_manager_t.check_and_register.
- */
-static bool check_and_register(private_connect_manager_t *this,
-			identification_t *id, identification_t *peer_id,
-			ike_sa_id_t *mediated_sa)
-{
-	initiated_t *initiated;
-	bool already_there = TRUE;
-
-	this->mutex->lock(this->mutex);
-
-	if (get_initiated_by_ids(this, id, peer_id, &initiated) != SUCCESS)
-	{
-		DBG2(DBG_IKE, "registered waiting mediated connection with '%Y'",
-			 peer_id);
-		initiated = initiated_create(id, peer_id);
-		this->initiated->insert_last(this->initiated, initiated);
-		already_there = FALSE;
-	}
-
-	if (initiated->mediated->find_first(initiated->mediated,
-								(linked_list_match_t)mediated_sa->equals,
-								NULL, mediated_sa) != SUCCESS)
-	{
-		initiated->mediated->insert_last(initiated->mediated,
-										 mediated_sa->clone(mediated_sa));
-	}
-
-	this->mutex->unlock(this->mutex);
-
-	return already_there;
-}
-
-/**
- * Implementation of connect_manager_t.check_and_initiate.
- */
-static void check_and_initiate(private_connect_manager_t *this,
-							   ike_sa_id_t *mediation_sa, identification_t *id,
-							   identification_t *peer_id)
-{
-	initiated_t *initiated;
-
-	this->mutex->lock(this->mutex);
-
-	if (get_initiated_by_ids(this, id, peer_id, &initiated) != SUCCESS)
-	{
-		DBG2(DBG_IKE, "no waiting mediated connections with '%Y'", peer_id);
-		this->mutex->unlock(this->mutex);
-		return;
-	}
-
-	ike_sa_id_t *waiting_sa;
-	iterator_t *iterator = initiated->mediated->create_iterator(
-													initiated->mediated, TRUE);
-	while (iterator->iterate(iterator, (void**)&waiting_sa))
-	{
-		job_t *job = (job_t*)reinitiate_mediation_job_create(mediation_sa,
-															 waiting_sa);
-		charon->processor->queue_job(charon->processor, job);
-	}
-	iterator->destroy(iterator);
-
-	this->mutex->unlock(this->mutex);
-}
-
-/**
- * Implementation of connect_manager_t.set_initiator_data.
- */
-static status_t set_initiator_data(private_connect_manager_t *this,
-								   identification_t *initiator,
-								   identification_t *responder,
-								   chunk_t connect_id, chunk_t key,
-								   linked_list_t *endpoints, bool is_initiator)
-{
-	check_list_t *checklist;
-
-	this->mutex->lock(this->mutex);
-
-	if (get_checklist_by_id(this, connect_id, NULL) == SUCCESS)
-	{
-		DBG1(DBG_IKE, "checklist with id '%#B' already exists, aborting",
-			 &connect_id);
-		this->mutex->unlock(this->mutex);
-		return FAILED;
-	}
-
-	checklist = check_list_create(initiator, responder, connect_id, key,
-								  endpoints, is_initiator);
-	this->checklists->insert_last(this->checklists, checklist);
-
-	this->mutex->unlock(this->mutex);
-
-	return SUCCESS;
-}
-
-/**
- * Implementation of connect_manager_t.set_responder_data.
- */
-static status_t set_responder_data(private_connect_manager_t *this,
-								   chunk_t connect_id, chunk_t key,
-								   linked_list_t *endpoints)
-{
-	check_list_t *checklist;
-
-	this->mutex->lock(this->mutex);
-
-	if (get_checklist_by_id(this, connect_id, &checklist) != SUCCESS)
-	{
-		DBG1(DBG_IKE, "checklist with id '%#B' not found",
-			 &connect_id);
-		this->mutex->unlock(this->mutex);
-		return NOT_FOUND;
-	}
-
-	checklist->responder.key = chunk_clone(key);
-	checklist->responder.endpoints = endpoints->clone_offset(endpoints,
-											offsetof(endpoint_notify_t, clone));
-	checklist->state = CHECK_WAITING;
-
-	build_pairs(checklist);
-
-	/* send the first check immediately */
-	schedule_checks(this, checklist, 0);
-
-	this->mutex->unlock(this->mutex);
-
-	return SUCCESS;
-}
-
-/**
- * Implementation of connect_manager_t.stop_checks.
- */
-static status_t stop_checks(private_connect_manager_t *this, chunk_t connect_id)
-{
-	check_list_t *checklist;
-
-	this->mutex->lock(this->mutex);
-
-	if (get_checklist_by_id(this, connect_id, &checklist) != SUCCESS)
-	{
-		DBG1(DBG_IKE, "checklist with id '%#B' not found",
-			 &connect_id);
-		this->mutex->unlock(this->mutex);
-		return NOT_FOUND;
-	}
-
-	DBG1(DBG_IKE, "removing checklist with id '%#B'", &connect_id);
-
-	remove_checklist(this, checklist);
-	check_list_destroy(checklist);
-
-	this->mutex->unlock(this->mutex);
-
-	return SUCCESS;
-}
-
-/**
- * Implementation of connect_manager_t.destroy.
- */
-static void destroy(private_connect_manager_t *this)
-{
-	this->mutex->lock(this->mutex);
-
-	this->hasher->destroy(this->hasher);
-	this->checklists->destroy_function(this->checklists, (void*)check_list_destroy);
-	this->initiated->destroy_function(this->initiated, (void*)initiated_destroy);
-
-	this->mutex->unlock(this->mutex);
-	this->mutex->destroy(this->mutex);
-	free(this);
-}
-
-/*
- * Described in header.
- */
-connect_manager_t *connect_manager_create()
-{
-	private_connect_manager_t *this = malloc_thing(private_connect_manager_t);
-
-	this->public.destroy = (void(*)(connect_manager_t*))destroy;
-	this->public.check_and_register = (bool(*)(connect_manager_t*,identification_t*,identification_t*,ike_sa_id_t*))check_and_register;
-	this->public.check_and_initiate = (void(*)(connect_manager_t*,ike_sa_id_t*,identification_t*,identification_t*))check_and_initiate;
-	this->public.set_initiator_data = (status_t(*)(connect_manager_t*,identification_t*,identification_t*,chunk_t,chunk_t,linked_list_t*,bool))set_initiator_data;
-	this->public.set_responder_data = (status_t(*)(connect_manager_t*,chunk_t,chunk_t,linked_list_t*))set_responder_data;
-	this->public.process_check = (void(*)(connect_manager_t*,message_t*))process_check;
-	this->public.stop_checks = (status_t(*)(connect_manager_t*,chunk_t))stop_checks;
-
-	this->hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
-	if (this->hasher == NULL)
-	{
-		DBG1(DBG_IKE, "unable to create connect manager, SHA1 not supported");
-		free(this);
-		return NULL;
-	}
-
-	this->checklists = linked_list_create();
-	this->initiated = linked_list_create();
-
-	this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
-
-	return (connect_manager_t*)this;
-}
diff --git a/src/charon/sa/connect_manager.h b/src/charon/sa/connect_manager.h
deleted file mode 100644
index 8fa8ff697..000000000
--- a/src/charon/sa/connect_manager.h
+++ /dev/null
@@ -1,126 +0,0 @@
-/*
- * Copyright (C) 2007-2008 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup connect_manager connect_manager
- * @{ @ingroup sa
- */
-
-#ifndef CONNECT_MANAGER_H_
-#define CONNECT_MANAGER_H_
-
-typedef struct connect_manager_t connect_manager_t;
-
-#include <encoding/message.h>
-#include <sa/ike_sa_id.h>
-#include <utils/identification.h>
-
-/**
- * The connection manager is responsible for establishing a direct
- * connection with another peer.
- */
-struct connect_manager_t {
-
-	/**
-	 * Checks if a there is already a mediated connection registered
-	 * between two peers.
-	 *
-	 * @param id			my id
-	 * @param peer_id		the other peer's id
-	 * @param mediated_sa	the IKE_SA ID of the mediated connection
-	 * @returns
-	 *						- TRUE, if a mediated connection is registered
-	 *						- FALSE, otherwise
-	 */
-	bool (*check_and_register) (connect_manager_t *this, identification_t *id,
-								identification_t *peer_id,
-								ike_sa_id_t *mediated_sa);
-
-	/**
-	 * Checks if there are waiting connections with a specific peer.
-	 * If so, reinitiate them.
-	 *
-	 * @param id			my id
-	 * @param peer_id		the other peer's id
-	 */
-	void (*check_and_initiate) (connect_manager_t *this,
-								ike_sa_id_t *mediation_sa, identification_t *id,
-								identification_t *peer_id);
-
-	/**
-	 * Creates a checklist and sets the initiator's data.
-	 *
-	 * @param initiator		ID of the initiator
-	 * @param responder		ID of the responder
-	 * @param connect_id	the connect ID provided by the initiator
-	 * @param key			the initiator's key
-	 * @param endpoints		the initiator's endpoints
-	 * @param is_initiator	TRUE, if the caller of this method is the initiator
-	 * @returns				SUCCESS
-	 */
-	status_t (*set_initiator_data) (connect_manager_t *this,
-									identification_t *initiator,
-									identification_t *responder,
-									chunk_t connect_id, chunk_t key,
-									linked_list_t *endpoints,
-									bool is_initiator);
-
-	/**
-	 * Updates a checklist and sets the responder's data. The checklist's
-	 * state is advanced to WAITING which means that checks will be sent.
-	 *
-	 * @param connect_id	the connect ID
-	 * @param chunk_t		the responder's key
-	 * @param endpoints		the responder's endpoints
-	 * @returns
-	 *						- NOT_FOUND, if the checklist has not been found
-	 *						- SUCCESS, otherwise
-	 */
-	status_t (*set_responder_data) (connect_manager_t *this,
-									chunk_t connect_id, chunk_t key,
-									linked_list_t *endpoints);
-
-	/**
-	 * Stops checks for a checklist. Called after the responder received an
-	 * IKE_SA_INIT request which contains a ME_CONNECTID payload.
-	 *
-	 * @param connect_id	the connect ID
-	 * @returns
-	 *						- NOT_FOUND, if the checklist has not been found
-	 *						- SUCCESS, otherwise
-	 */
-	status_t (*stop_checks) (connect_manager_t *this, chunk_t connect_id);
-
-	/**
-	 * Processes a connectivity check
-	 *
-	 * @param message		the received message
-	 */
-	void (*process_check) (connect_manager_t *this, message_t *message);
-
-	/**
-	 * Destroys the manager with all data.
-	 */
-	void (*destroy) (connect_manager_t *this);
-};
-
-/**
- * Create a manager.
- *
- * @returns	connect_manager_t object
- */
-connect_manager_t *connect_manager_create(void);
-
-#endif /** CONNECT_MANAGER_H_ @}*/
diff --git a/src/charon/sa/ike_sa.c b/src/charon/sa/ike_sa.c
deleted file mode 100644
index 975a0904a..000000000
--- a/src/charon/sa/ike_sa.c
+++ /dev/null
@@ -1,2192 +0,0 @@
-/*
- * Copyright (C) 2006-2008 Tobias Brunner
- * Copyright (C) 2006 Daniel Roethlisberger
- * Copyright (C) 2005-2009 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <string.h>
-#include <sys/stat.h>
-#include <errno.h>
-#include <time.h>
-
-#include "ike_sa.h"
-
-#include <library.h>
-#include <daemon.h>
-#include <utils/linked_list.h>
-#include <utils/lexparser.h>
-#include <sa/task_manager.h>
-#include <sa/tasks/ike_init.h>
-#include <sa/tasks/ike_natd.h>
-#include <sa/tasks/ike_mobike.h>
-#include <sa/tasks/ike_auth.h>
-#include <sa/tasks/ike_auth_lifetime.h>
-#include <sa/tasks/ike_config.h>
-#include <sa/tasks/ike_cert_pre.h>
-#include <sa/tasks/ike_cert_post.h>
-#include <sa/tasks/ike_rekey.h>
-#include <sa/tasks/ike_reauth.h>
-#include <sa/tasks/ike_delete.h>
-#include <sa/tasks/ike_dpd.h>
-#include <sa/tasks/ike_vendor.h>
-#include <sa/tasks/child_create.h>
-#include <sa/tasks/child_delete.h>
-#include <sa/tasks/child_rekey.h>
-#include <processing/jobs/retransmit_job.h>
-#include <processing/jobs/delete_ike_sa_job.h>
-#include <processing/jobs/send_dpd_job.h>
-#include <processing/jobs/send_keepalive_job.h>
-#include <processing/jobs/rekey_ike_sa_job.h>
-
-#ifdef ME
-#include <sa/tasks/ike_me.h>
-#include <processing/jobs/initiate_mediation_job.h>
-#endif
-
-ENUM(ike_sa_state_names, IKE_CREATED, IKE_DESTROYING,
-	"CREATED",
-	"CONNECTING",
-	"ESTABLISHED",
-	"PASSIVE",
-	"REKEYING",
-	"DELETING",
-	"DESTROYING",
-);
-
-typedef struct private_ike_sa_t private_ike_sa_t;
-typedef struct attribute_entry_t attribute_entry_t;
-
-/**
- * Private data of an ike_sa_t object.
- */
-struct private_ike_sa_t {
-
-	/**
-	 * Public members
-	 */
-	ike_sa_t public;
-
-	/**
-	 * Identifier for the current IKE_SA.
-	 */
-	ike_sa_id_t *ike_sa_id;
-
-	/**
-	 * unique numerical ID for this IKE_SA.
-	 */
-	u_int32_t unique_id;
-
-	/**
-	 * Current state of the IKE_SA
-	 */
-	ike_sa_state_t state;
-
-	/**
-	 * IKE configuration used to set up this IKE_SA
-	 */
-	ike_cfg_t *ike_cfg;
-
-	/**
-	 * Peer and authentication information to establish IKE_SA.
-	 */
-	peer_cfg_t *peer_cfg;
-
-	/**
-	 * currently used authentication ruleset, local (as auth_cfg_t)
-	 */
-	auth_cfg_t *my_auth;
-
-	/**
-	 * list of completed local authentication rounds
-	 */
-	linked_list_t *my_auths;
-
-	/**
-	 * list of completed remote authentication rounds
-	 */
-	linked_list_t *other_auths;
-
-	/**
-	 * currently used authentication constraints, remote (as auth_cfg_t)
-	 */
-	auth_cfg_t *other_auth;
-
-	/**
-	 * Selected IKE proposal
-	 */
-	proposal_t *proposal;
-
-	/**
-	 * Juggles tasks to process messages
-	 */
-	task_manager_t *task_manager;
-
-	/**
-	 * Address of local host
-	 */
-	host_t *my_host;
-
-	/**
-	 * Address of remote host
-	 */
-	host_t *other_host;
-
-#ifdef ME
-	/**
-	 * Are we mediation server
-	 */
-	bool is_mediation_server;
-
-	/**
-	 * Server reflexive host
-	 */
-	host_t *server_reflexive_host;
-
-	/**
-	 * Connect ID
-	 */
-	chunk_t connect_id;
-#endif /* ME */
-
-	/**
-	 * Identification used for us
-	 */
-	identification_t *my_id;
-
-	/**
-	 * Identification used for other
-	 */
-	identification_t *other_id;
-
-	/**
-	 * set of extensions the peer supports
-	 */
-	ike_extension_t extensions;
-
-	/**
-	 * set of condition flags currently enabled for this IKE_SA
-	 */
-	ike_condition_t conditions;
-
-	/**
-	 * Linked List containing the child sa's of the current IKE_SA.
-	 */
-	linked_list_t *child_sas;
-
-	/**
-	 * keymat of this IKE_SA
-	 */
-	keymat_t *keymat;
-
-	/**
-	 * Virtual IP on local host, if any
-	 */
-	host_t *my_virtual_ip;
-
-	/**
-	 * Virtual IP on remote host, if any
-	 */
-	host_t *other_virtual_ip;
-
-	/**
-	 * List of configuration attributes (attribute_entry_t)
-	 */
-	linked_list_t *attributes;
-
-	/**
-	 * list of peers additional addresses, transmitted via MOBIKE
-	 */
-	linked_list_t *additional_addresses;
-
-	/**
-	 * previously value of received DESTINATION_IP hash
-	 */
-	chunk_t nat_detection_dest;
-
-	/**
-	 * number pending UPDATE_SA_ADDRESS (MOBIKE)
-	 */
-	u_int32_t pending_updates;
-
-	/**
-	 * NAT keep alive interval
-	 */
-	u_int32_t keepalive_interval;
-
-	/**
-	 * Timestamps for this IKE_SA
-	 */
-	u_int32_t stats[STAT_MAX];
-
-	/**
-	 * how many times we have retried so far (keyingtries)
-	 */
-	u_int32_t keyingtry;
-
-	/**
-	 * local host address to be used for IKE, set via MIGRATE kernel message
-	 */
-	host_t *local_host;
-
-	/**
-	 * remote host address to be used for IKE, set via MIGRATE kernel message
-	 */
-	host_t *remote_host;
-};
-
-/**
- * Entry to maintain install configuration attributes during IKE_SA lifetime
- */
-struct attribute_entry_t {
-	/** handler used to install this attribute */
-	attribute_handler_t *handler;
-	/** attribute type */
-	configuration_attribute_type_t type;
-	/** attribute data */
-	chunk_t data;
-};
-
-/**
- * get the time of the latest traffic processed by the kernel
- */
-static time_t get_use_time(private_ike_sa_t* this, bool inbound)
-{
-	enumerator_t *enumerator;
-	child_sa_t *child_sa;
-	time_t use_time, current;
-
-	if (inbound)
-	{
-		use_time = this->stats[STAT_INBOUND];
-	}
-	else
-	{
-		use_time = this->stats[STAT_OUTBOUND];
-	}
-	enumerator = this->child_sas->create_enumerator(this->child_sas);
-	while (enumerator->enumerate(enumerator, &child_sa))
-	{
-		child_sa->get_usestats(child_sa, inbound, &current, NULL);
-		use_time = max(use_time, current);
-	}
-	enumerator->destroy(enumerator);
-
-	return use_time;
-}
-
-/**
- * Implementation of ike_sa_t.get_unique_id
- */
-static u_int32_t get_unique_id(private_ike_sa_t *this)
-{
-	return this->unique_id;
-}
-
-/**
- * Implementation of ike_sa_t.get_name.
- */
-static char *get_name(private_ike_sa_t *this)
-{
-	if (this->peer_cfg)
-	{
-		return this->peer_cfg->get_name(this->peer_cfg);
-	}
-	return "(unnamed)";
-}
-
-/**
- * Implementation of ike_sa_t.get_statistic.
- */
-static u_int32_t get_statistic(private_ike_sa_t *this, statistic_t kind)
-{
-	if (kind < STAT_MAX)
-	{
-		return this->stats[kind];
-	}
-	return 0;
-}
-
-/**
- * Implementation of ike_sa_t.get_my_host.
- */
-static host_t *get_my_host(private_ike_sa_t *this)
-{
-	return this->my_host;
-}
-
-/**
- * Implementation of ike_sa_t.set_my_host.
- */
-static void set_my_host(private_ike_sa_t *this, host_t *me)
-{
-	DESTROY_IF(this->my_host);
-	this->my_host = me;
-}
-
-/**
- * Implementation of ike_sa_t.get_other_host.
- */
-static host_t *get_other_host(private_ike_sa_t *this)
-{
-	return this->other_host;
-}
-
-/**
- * Implementation of ike_sa_t.set_other_host.
- */
-static void set_other_host(private_ike_sa_t *this, host_t *other)
-{
-	DESTROY_IF(this->other_host);
-	this->other_host = other;
-}
-
-/**
- * Implementation of ike_sa_t.get_peer_cfg
- */
-static peer_cfg_t* get_peer_cfg(private_ike_sa_t *this)
-{
-	return this->peer_cfg;
-}
-
-/**
- * Implementation of ike_sa_t.set_peer_cfg
- */
-static void set_peer_cfg(private_ike_sa_t *this, peer_cfg_t *peer_cfg)
-{
-	DESTROY_IF(this->peer_cfg);
-	peer_cfg->get_ref(peer_cfg);
-	this->peer_cfg = peer_cfg;
-
-	if (this->ike_cfg == NULL)
-	{
-		this->ike_cfg = peer_cfg->get_ike_cfg(peer_cfg);
-		this->ike_cfg->get_ref(this->ike_cfg);
-	}
-}
-
-/**
- * Implementation of ike_sa_t.get_auth_cfg
- */
-static auth_cfg_t* get_auth_cfg(private_ike_sa_t *this, bool local)
-{
-	if (local)
-	{
-		return this->my_auth;
-	}
-	return this->other_auth;
-}
-
-/**
- * Implementation of ike_sa_t.add_auth_cfg
- */
-static void add_auth_cfg(private_ike_sa_t *this, bool local, auth_cfg_t *cfg)
-{
-	if (local)
-	{
-		this->my_auths->insert_last(this->my_auths, cfg);
-	}
-	else
-	{
-		this->other_auths->insert_last(this->other_auths, cfg);
-	}
-}
-
-/**
- * Implementation of ike_sa_t.create_auth_cfg_enumerator
- */
-static enumerator_t* create_auth_cfg_enumerator(private_ike_sa_t *this,
-												bool local)
-{
-	if (local)
-	{
-		return this->my_auths->create_enumerator(this->my_auths);
-	}
-	return this->other_auths->create_enumerator(this->other_auths);
-}
-
-/**
- * Flush the stored authentication round information
- */
-static void flush_auth_cfgs(private_ike_sa_t *this)
-{
-	auth_cfg_t *cfg;
-
-	if (lib->settings->get_bool(lib->settings, "charon.flush_auth_cfg", TRUE))
-	{
-		while (this->my_auths->remove_last(this->my_auths,
-										   (void**)&cfg) == SUCCESS)
-		{
-			cfg->destroy(cfg);
-		}
-		while (this->other_auths->remove_last(this->other_auths,
-											  (void**)&cfg) == SUCCESS)
-		{
-			cfg->destroy(cfg);
-		}
-	}
-}
-
-/**
- * Implementation of ike_sa_t.get_proposal
- */
-static proposal_t* get_proposal(private_ike_sa_t *this)
-{
-	return this->proposal;
-}
-
-/**
- * Implementation of ike_sa_t.set_proposal
- */
-static void set_proposal(private_ike_sa_t *this, proposal_t *proposal)
-{
-	DESTROY_IF(this->proposal);
-	this->proposal = proposal->clone(proposal);
-}
-
-/**
- * Implementation of ike_sa_t.set_message_id
- */
-static void set_message_id(private_ike_sa_t *this, bool initiate, u_int32_t mid)
-{
-	if (initiate)
-	{
-		this->task_manager->reset(this->task_manager, mid, UINT_MAX);
-	}
-	else
-	{
-		this->task_manager->reset(this->task_manager, UINT_MAX, mid);
-	}
-}
-
-/**
- * Implementation of ike_sa_t.send_keepalive
- */
-static void send_keepalive(private_ike_sa_t *this)
-{
-	send_keepalive_job_t *job;
-	time_t last_out, now, diff;
-
-	if (!(this->conditions & COND_NAT_HERE) || this->keepalive_interval == 0)
-	{	/* disable keep alives if we are not NATed anymore */
-		return;
-	}
-
-	last_out = get_use_time(this, FALSE);
-	now = time_monotonic(NULL);
-
-	diff = now - last_out;
-
-	if (diff >= this->keepalive_interval)
-	{
-		packet_t *packet;
-		chunk_t data;
-
-		packet = packet_create();
-		packet->set_source(packet, this->my_host->clone(this->my_host));
-		packet->set_destination(packet, this->other_host->clone(this->other_host));
-		data.ptr = malloc(1);
-		data.ptr[0] = 0xFF;
-		data.len = 1;
-		packet->set_data(packet, data);
-		DBG1(DBG_IKE, "sending keep alive");
-		charon->sender->send(charon->sender, packet);
-		diff = 0;
-	}
-	job = send_keepalive_job_create(this->ike_sa_id);
-	charon->scheduler->schedule_job(charon->scheduler, (job_t*)job,
-									this->keepalive_interval - diff);
-}
-
-/**
- * Implementation of ike_sa_t.get_ike_cfg
- */
-static ike_cfg_t *get_ike_cfg(private_ike_sa_t *this)
-{
-	return this->ike_cfg;
-}
-
-/**
- * Implementation of ike_sa_t.set_ike_cfg
- */
-static void set_ike_cfg(private_ike_sa_t *this, ike_cfg_t *ike_cfg)
-{
-	ike_cfg->get_ref(ike_cfg);
-	this->ike_cfg = ike_cfg;
-}
-
-/**
- * Implementation of ike_sa_t.enable_extension.
- */
-static void enable_extension(private_ike_sa_t *this, ike_extension_t extension)
-{
-	this->extensions |= extension;
-}
-
-/**
- * Implementation of ike_sa_t.has_extension.
- */
-static bool supports_extension(private_ike_sa_t *this, ike_extension_t extension)
-{
-	return (this->extensions & extension) != FALSE;
-}
-
-/**
- * Implementation of ike_sa_t.has_condition.
- */
-static bool has_condition(private_ike_sa_t *this, ike_condition_t condition)
-{
-	return (this->conditions & condition) != FALSE;
-}
-
-/**
- * Implementation of ike_sa_t.enable_condition.
- */
-static void set_condition(private_ike_sa_t *this, ike_condition_t condition,
-						  bool enable)
-{
-	if (has_condition(this, condition) != enable)
-	{
-		if (enable)
-		{
-			this->conditions |= condition;
-			switch (condition)
-			{
-				case COND_NAT_HERE:
-					DBG1(DBG_IKE, "local host is behind NAT, sending keep alives");
-					this->conditions |= COND_NAT_ANY;
-					send_keepalive(this);
-					break;
-				case COND_NAT_THERE:
-					DBG1(DBG_IKE, "remote host is behind NAT");
-					this->conditions |= COND_NAT_ANY;
-					break;
-				case COND_NAT_FAKE:
-					DBG1(DBG_IKE, "faking NAT situation to enforce UDP encapsulation");
-					this->conditions |= COND_NAT_ANY;
-					break;
-				default:
-					break;
-			}
-		}
-		else
-		{
-			this->conditions &= ~condition;
-			switch (condition)
-			{
-				case COND_NAT_HERE:
-				case COND_NAT_FAKE:
-				case COND_NAT_THERE:
-					set_condition(this, COND_NAT_ANY,
-								  has_condition(this, COND_NAT_HERE) ||
-								  has_condition(this, COND_NAT_THERE) ||
-								  has_condition(this, COND_NAT_FAKE));
-					break;
-				default:
-					break;
-			}
-		}
-	}
-}
-
-/**
- * Implementation of ike_sa_t.send_dpd
- */
-static status_t send_dpd(private_ike_sa_t *this)
-{
-	job_t *job;
-	time_t diff, delay;
-
-	delay = this->peer_cfg->get_dpd(this->peer_cfg);
-
-	if (delay == 0)
-	{
-		/* DPD disabled */
-		return SUCCESS;
-	}
-
-	if (this->task_manager->busy(this->task_manager))
-	{
-		/* an exchange is in the air, no need to start a DPD check */
-		diff = 0;
-	}
-	else
-	{
-		/* check if there was any inbound traffic */
-		time_t last_in, now;
-		last_in = get_use_time(this, TRUE);
-		now = time_monotonic(NULL);
-		diff = now - last_in;
-		if (diff >= delay)
-		{
-			/* to long ago, initiate dead peer detection */
-			task_t *task;
-			ike_mobike_t *mobike;
-
-			if (supports_extension(this, EXT_MOBIKE) &&
-				has_condition(this, COND_NAT_HERE))
-			{
-				/* use mobike enabled DPD to detect NAT mapping changes */
-				mobike = ike_mobike_create(&this->public, TRUE);
-				mobike->dpd(mobike);
-				task = &mobike->task;
-			}
-			else
-			{
-				task = (task_t*)ike_dpd_create(TRUE);
-			}
-			diff = 0;
-			DBG1(DBG_IKE, "sending DPD request");
-
-			this->task_manager->queue_task(this->task_manager, task);
-			this->task_manager->initiate(this->task_manager);
-		}
-	}
-	/* recheck in "interval" seconds */
-	job = (job_t*)send_dpd_job_create(this->ike_sa_id);
-	charon->scheduler->schedule_job(charon->scheduler, job, delay - diff);
-	return SUCCESS;
-}
-
-/**
- * Implementation of ike_sa_t.get_state.
- */
-static ike_sa_state_t get_state(private_ike_sa_t *this)
-{
-	return this->state;
-}
-
-/**
- * Implementation of ike_sa_t.set_state.
- */
-static void set_state(private_ike_sa_t *this, ike_sa_state_t state)
-{
-	DBG2(DBG_IKE, "IKE_SA %s[%d] state change: %N => %N",
-		 get_name(this), this->unique_id,
-		 ike_sa_state_names, this->state,
-		 ike_sa_state_names, state);
-
-	switch (state)
-	{
-		case IKE_ESTABLISHED:
-		{
-			if (this->state == IKE_CONNECTING ||
-				this->state == IKE_PASSIVE)
-			{
-				job_t *job;
-				u_int32_t t;
-
-				/* calculate rekey, reauth and lifetime */
-				this->stats[STAT_ESTABLISHED] = time_monotonic(NULL);
-
-				/* schedule rekeying if we have a time which is smaller than
-				 * an already scheduled rekeying */
-				t = this->peer_cfg->get_rekey_time(this->peer_cfg);
-				if (t && (this->stats[STAT_REKEY] == 0 ||
-					(this->stats[STAT_REKEY] > t + this->stats[STAT_ESTABLISHED])))
-				{
-					this->stats[STAT_REKEY] = t + this->stats[STAT_ESTABLISHED];
-					job = (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, FALSE);
-					charon->scheduler->schedule_job(charon->scheduler, job, t);
-					DBG1(DBG_IKE, "scheduling rekeying in %ds", t);
-				}
-				t = this->peer_cfg->get_reauth_time(this->peer_cfg);
-				if (t && (this->stats[STAT_REAUTH] == 0 ||
-					(this->stats[STAT_REAUTH] > t + this->stats[STAT_ESTABLISHED])))
-				{
-					this->stats[STAT_REAUTH] = t + this->stats[STAT_ESTABLISHED];
-					job = (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE);
-					charon->scheduler->schedule_job(charon->scheduler, job, t);
-					DBG1(DBG_IKE, "scheduling reauthentication in %ds", t);
-				}
-				t = this->peer_cfg->get_over_time(this->peer_cfg);
-				if (this->stats[STAT_REKEY] || this->stats[STAT_REAUTH])
-				{
-					if (this->stats[STAT_REAUTH] == 0)
-					{
-						this->stats[STAT_DELETE] = this->stats[STAT_REKEY];
-					}
-					else if (this->stats[STAT_REKEY] == 0)
-					{
-						this->stats[STAT_DELETE] = this->stats[STAT_REAUTH];
-					}
-					else
-					{
-						this->stats[STAT_DELETE] = min(this->stats[STAT_REKEY],
-													   this->stats[STAT_REAUTH]);
-					}
-					this->stats[STAT_DELETE] += t;
-					t = this->stats[STAT_DELETE] - this->stats[STAT_ESTABLISHED];
-					job = (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE);
-					charon->scheduler->schedule_job(charon->scheduler, job, t);
-					DBG1(DBG_IKE, "maximum IKE_SA lifetime %ds", t);
-				}
-
-				/* start DPD checks */
-				send_dpd(this);
-			}
-			break;
-		}
-		case IKE_DELETING:
-		{
-			/* delete may fail if a packet gets lost, so set a timeout */
-			job_t *job = (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE);
-			charon->scheduler->schedule_job(charon->scheduler, job,
-											HALF_OPEN_IKE_SA_TIMEOUT);
-			break;
-		}
-		default:
-			break;
-	}
-	charon->bus->ike_state_change(charon->bus, &this->public, state);
-	this->state = state;
-}
-
-/**
- * Implementation of ike_sa_t.reset
- */
-static void reset(private_ike_sa_t *this)
-{
-	/*  the responder ID is reset, as peer may choose another one */
-	if (this->ike_sa_id->is_initiator(this->ike_sa_id))
-	{
-		this->ike_sa_id->set_responder_spi(this->ike_sa_id, 0);
-	}
-
-	set_state(this, IKE_CREATED);
-
-	this->task_manager->reset(this->task_manager, 0, 0);
-}
-
-/**
- * Implementation of ike_sa_t.get_keymat
- */
-static keymat_t* get_keymat(private_ike_sa_t *this)
-{
-	return this->keymat;
-}
-
-/**
- * Implementation of ike_sa_t.set_virtual_ip
- */
-static void set_virtual_ip(private_ike_sa_t *this, bool local, host_t *ip)
-{
-	if (local)
-	{
-		DBG1(DBG_IKE, "installing new virtual IP %H", ip);
-		if (charon->kernel_interface->add_ip(charon->kernel_interface, ip,
-											 this->my_host) == SUCCESS)
-		{
-			if (this->my_virtual_ip)
-			{
-				DBG1(DBG_IKE, "removing old virtual IP %H", this->my_virtual_ip);
-				charon->kernel_interface->del_ip(charon->kernel_interface,
-												 this->my_virtual_ip);
-			}
-			DESTROY_IF(this->my_virtual_ip);
-			this->my_virtual_ip = ip->clone(ip);
-		}
-		else
-		{
-			DBG1(DBG_IKE, "installing virtual IP %H failed", ip);
-			this->my_virtual_ip = NULL;
-		}
-	}
-	else
-	{
-		DESTROY_IF(this->other_virtual_ip);
-		this->other_virtual_ip = ip->clone(ip);
-	}
-}
-
-/**
- * Implementation of ike_sa_t.get_virtual_ip
- */
-static host_t* get_virtual_ip(private_ike_sa_t *this, bool local)
-{
-	if (local)
-	{
-		return this->my_virtual_ip;
-	}
-	else
-	{
-		return this->other_virtual_ip;
-	}
-}
-
-/**
- * Implementation of ike_sa_t.add_additional_address.
- */
-static void add_additional_address(private_ike_sa_t *this, host_t *host)
-{
-	this->additional_addresses->insert_last(this->additional_addresses, host);
-}
-
-/**
- * Implementation of ike_sa_t.create_additional_address_iterator.
- */
-static iterator_t* create_additional_address_iterator(private_ike_sa_t *this)
-{
-	return this->additional_addresses->create_iterator(
-											this->additional_addresses, TRUE);
-}
-
-/**
- * Implementation of ike_sa_t.has_mapping_changed
- */
-static bool has_mapping_changed(private_ike_sa_t *this, chunk_t hash)
-{
-	if (this->nat_detection_dest.ptr == NULL)
-	{
-		this->nat_detection_dest = chunk_clone(hash);
-		return FALSE;
-	}
-	if (chunk_equals(hash, this->nat_detection_dest))
-	{
-		return FALSE;
-	}
-	free(this->nat_detection_dest.ptr);
-	this->nat_detection_dest = chunk_clone(hash);
-	return TRUE;
-}
-
-/**
- * Implementation of ike_sa_t.set_pending_updates.
- */
-static void set_pending_updates(private_ike_sa_t *this, u_int32_t updates)
-{
-	this->pending_updates = updates;
-}
-
-/**
- * Implementation of ike_sa_t.get_pending_updates.
- */
-static u_int32_t get_pending_updates(private_ike_sa_t *this)
-{
-	return this->pending_updates;
-}
-
-/**
- * Update hosts, as addresses may change (NAT)
- */
-static void update_hosts(private_ike_sa_t *this, host_t *me, host_t *other)
-{
-	bool update = FALSE;
-
-	if (me == NULL)
-	{
-		me = this->my_host;
-	}
-	if (other == NULL)
-	{
-		other = this->other_host;
-	}
-
-	/* apply hosts on first received message */
-	if (this->my_host->is_anyaddr(this->my_host) ||
-		this->other_host->is_anyaddr(this->other_host))
-	{
-		set_my_host(this, me->clone(me));
-		set_other_host(this, other->clone(other));
-		update = TRUE;
-	}
-	else
-	{
-		/* update our address in any case */
-		if (!me->equals(me, this->my_host))
-		{
-			set_my_host(this, me->clone(me));
-			update = TRUE;
-		}
-
-		if (!other->equals(other, this->other_host))
-		{
-			/* update others adress if we are NOT NATed,
-			 * and allow port changes if we are NATed */
-			if (!has_condition(this, COND_NAT_HERE) ||
-				other->ip_equals(other, this->other_host))
-			{
-				set_other_host(this, other->clone(other));
-				update = TRUE;
-			}
-		}
-	}
-
-	/* update all associated CHILD_SAs, if required */
-	if (update)
-	{
-		iterator_t *iterator;
-		child_sa_t *child_sa;
-
-		iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
-		while (iterator->iterate(iterator, (void**)&child_sa))
-		{
-			if (child_sa->update(child_sa, this->my_host,
-						this->other_host, this->my_virtual_ip,
-						has_condition(this, COND_NAT_ANY)) == NOT_SUPPORTED)
-			{
-				this->public.rekey_child_sa(&this->public,
-						child_sa->get_protocol(child_sa),
-						child_sa->get_spi(child_sa, TRUE));
-			}
-		}
-		iterator->destroy(iterator);
-	}
-}
-
-/**
- * Implementation of ike_sa_t.generate
- */
-static status_t generate_message(private_ike_sa_t *this, message_t *message,
-								 packet_t **packet)
-{
-	this->stats[STAT_OUTBOUND] = time_monotonic(NULL);
-	message->set_ike_sa_id(message, this->ike_sa_id);
-	return message->generate(message,
-				this->keymat->get_crypter(this->keymat, FALSE),
-				this->keymat->get_signer(this->keymat, FALSE), packet);
-}
-
-/**
- * send a notify back to the sender
- */
-static void send_notify_response(private_ike_sa_t *this, message_t *request,
-								 notify_type_t type)
-{
-	message_t *response;
-	packet_t *packet;
-
-	response = message_create();
-	response->set_exchange_type(response, request->get_exchange_type(request));
-	response->set_request(response, FALSE);
-	response->set_message_id(response, request->get_message_id(request));
-	response->add_notify(response, FALSE, type, chunk_empty);
-	if (this->my_host->is_anyaddr(this->my_host))
-	{
-		this->my_host->destroy(this->my_host);
-		this->my_host = request->get_destination(request);
-		this->my_host = this->my_host->clone(this->my_host);
-	}
-	if (this->other_host->is_anyaddr(this->other_host))
-	{
-		this->other_host->destroy(this->other_host);
-		this->other_host = request->get_source(request);
-		this->other_host = this->other_host->clone(this->other_host);
-	}
-	response->set_source(response, this->my_host->clone(this->my_host));
-	response->set_destination(response, this->other_host->clone(this->other_host));
-	if (generate_message(this, response, &packet) == SUCCESS)
-	{
-		charon->sender->send(charon->sender, packet);
-	}
-	response->destroy(response);
-}
-
-/**
- * Implementation of ike_sa_t.set_kmaddress.
- */
-static void set_kmaddress(private_ike_sa_t *this, host_t *local, host_t *remote)
-{
-	DESTROY_IF(this->local_host);
-	DESTROY_IF(this->remote_host);
-	this->local_host = local->clone(local);
-	this->remote_host = remote->clone(remote);
-}
-
-#ifdef ME
-/**
- * Implementation of ike_sa_t.act_as_mediation_server.
- */
-static void act_as_mediation_server(private_ike_sa_t *this)
-{
-	charon->mediation_manager->update_sa_id(charon->mediation_manager,
-			this->other_id, this->ike_sa_id);
-	this->is_mediation_server = TRUE;
-}
-
-/**
- * Implementation of ike_sa_t.get_server_reflexive_host.
- */
-static host_t *get_server_reflexive_host(private_ike_sa_t *this)
-{
-	return this->server_reflexive_host;
-}
-
-/**
- * Implementation of ike_sa_t.set_server_reflexive_host.
- */
-static void set_server_reflexive_host(private_ike_sa_t *this, host_t *host)
-{
-	DESTROY_IF(this->server_reflexive_host);
-	this->server_reflexive_host = host;
-}
-
-/**
- * Implementation of ike_sa_t.get_connect_id.
- */
-static chunk_t get_connect_id(private_ike_sa_t *this)
-{
-	return this->connect_id;
-}
-
-/**
- * Implementation of ike_sa_t.respond
- */
-static status_t respond(private_ike_sa_t *this, identification_t *peer_id,
-						chunk_t connect_id)
-{
-	ike_me_t *task = ike_me_create(&this->public, TRUE);
-	task->respond(task, peer_id, connect_id);
-	this->task_manager->queue_task(this->task_manager, (task_t*)task);
-	return this->task_manager->initiate(this->task_manager);
-}
-
-/**
- * Implementation of ike_sa_t.callback
- */
-static status_t callback(private_ike_sa_t *this, identification_t *peer_id)
-{
-	ike_me_t *task = ike_me_create(&this->public, TRUE);
-	task->callback(task, peer_id);
-	this->task_manager->queue_task(this->task_manager, (task_t*)task);
-	return this->task_manager->initiate(this->task_manager);
-}
-
-/**
- * Implementation of ike_sa_t.relay
- */
-static status_t relay(private_ike_sa_t *this, identification_t *requester,
-					  chunk_t connect_id, chunk_t connect_key,
-					  linked_list_t *endpoints, bool response)
-{
-	ike_me_t *task = ike_me_create(&this->public, TRUE);
-	task->relay(task, requester, connect_id, connect_key, endpoints, response);
-	this->task_manager->queue_task(this->task_manager, (task_t*)task);
-	return this->task_manager->initiate(this->task_manager);
-}
-
-/**
- * Implementation of ike_sa_t.initiate_mediation
- */
-static status_t initiate_mediation(private_ike_sa_t *this,
-								   peer_cfg_t *mediated_cfg)
-{
-	ike_me_t *task = ike_me_create(&this->public, TRUE);
-	task->connect(task, mediated_cfg->get_peer_id(mediated_cfg));
-	this->task_manager->queue_task(this->task_manager, (task_t*)task);
-	return this->task_manager->initiate(this->task_manager);
-}
-
-/**
- * Implementation of ike_sa_t.initiate_mediated
- */
-static status_t initiate_mediated(private_ike_sa_t *this, host_t *me,
-								  host_t *other, chunk_t connect_id)
-{
-	set_my_host(this, me->clone(me));
-	set_other_host(this, other->clone(other));
-	chunk_free(&this->connect_id);
-	this->connect_id = chunk_clone(connect_id);
-	return this->task_manager->initiate(this->task_manager);
-}
-#endif /* ME */
-
-/**
- * Resolve DNS host in configuration
- */
-static void resolve_hosts(private_ike_sa_t *this)
-{
-	host_t *host;
-
-	if (this->remote_host)
-	{
-		host = this->remote_host->clone(this->remote_host);
-		host->set_port(host, IKEV2_UDP_PORT);
-	}
-	else
-	{
-		host = host_create_from_dns(this->ike_cfg->get_other_addr(this->ike_cfg),
-									0, IKEV2_UDP_PORT);
-	}
-	if (host)
-	{
-		set_other_host(this, host);
-	}
-
-	if (this->local_host)
-	{
-		host = this->local_host->clone(this->local_host);
-		host->set_port(host, IKEV2_UDP_PORT);
-	}
-	else
-	{
-		int family = 0;
-
-		/* use same address family as for other */
-		if (!this->other_host->is_anyaddr(this->other_host))
-		{
-			family = this->other_host->get_family(this->other_host);
-		}
-		host = host_create_from_dns(this->ike_cfg->get_my_addr(this->ike_cfg),
-									family, IKEV2_UDP_PORT);
-
-		if (host && host->is_anyaddr(host) &&
-			!this->other_host->is_anyaddr(this->other_host))
-		{
-			host->destroy(host);
-			host = charon->kernel_interface->get_source_addr(
-							charon->kernel_interface, this->other_host, NULL);
-			if (host)
-			{
-				host->set_port(host, IKEV2_UDP_PORT);
-			}
-			else
-			{	/* fallback to address family specific %any(6), if configured */
-				host = host_create_from_dns(
-									this->ike_cfg->get_my_addr(this->ike_cfg),
-									0, IKEV2_UDP_PORT);
-			}
-		}
-	}
-	if (host)
-	{
-		set_my_host(this, host);
-	}
-}
-
-/**
- * Implementation of ike_sa_t.initiate
- */
-static status_t initiate(private_ike_sa_t *this,
-						 child_cfg_t *child_cfg, u_int32_t reqid,
-						 traffic_selector_t *tsi, traffic_selector_t *tsr)
-{
-	task_t *task;
-
-	if (this->state == IKE_CREATED)
-	{
-		resolve_hosts(this);
-
-		if (this->other_host->is_anyaddr(this->other_host)
-#ifdef ME
-			&& !this->peer_cfg->get_mediated_by(this->peer_cfg)
-#endif /* ME */
-			)
-		{
-			child_cfg->destroy(child_cfg);
-			DBG1(DBG_IKE, "unable to initiate to %%any");
-			return DESTROY_ME;
-		}
-
-		set_condition(this, COND_ORIGINAL_INITIATOR, TRUE);
-
-		task = (task_t*)ike_init_create(&this->public, TRUE, NULL);
-		this->task_manager->queue_task(this->task_manager, task);
-		task = (task_t*)ike_vendor_create(&this->public, TRUE);
-		this->task_manager->queue_task(this->task_manager, task);
-		task = (task_t*)ike_natd_create(&this->public, TRUE);
-		this->task_manager->queue_task(this->task_manager, task);
-		task = (task_t*)ike_cert_pre_create(&this->public, TRUE);
-		this->task_manager->queue_task(this->task_manager, task);
-		task = (task_t*)ike_auth_create(&this->public, TRUE);
-		this->task_manager->queue_task(this->task_manager, task);
-		task = (task_t*)ike_cert_post_create(&this->public, TRUE);
-		this->task_manager->queue_task(this->task_manager, task);
-		task = (task_t*)ike_config_create(&this->public, TRUE);
-		this->task_manager->queue_task(this->task_manager, task);
-		task = (task_t*)ike_auth_lifetime_create(&this->public, TRUE);
-		this->task_manager->queue_task(this->task_manager, task);
-		if (this->peer_cfg->use_mobike(this->peer_cfg))
-		{
-			task = (task_t*)ike_mobike_create(&this->public, TRUE);
-			this->task_manager->queue_task(this->task_manager, task);
-		}
-#ifdef ME
-		task = (task_t*)ike_me_create(&this->public, TRUE);
-		this->task_manager->queue_task(this->task_manager, task);
-#endif /* ME */
-	}
-
-#ifdef ME
-	if (this->peer_cfg->is_mediation(this->peer_cfg))
-	{
-		if (this->state == IKE_ESTABLISHED)
-		{
-			/* mediation connection is already established, retrigger state
-			 * change to notify bus listeners */
-			DBG1(DBG_IKE, "mediation connection is already up");
-			set_state(this, IKE_ESTABLISHED);
-		}
-		DESTROY_IF(child_cfg);
-	}
-	else
-#endif /* ME */
-	{
-		/* normal IKE_SA with CHILD_SA */
-		task = (task_t*)child_create_create(&this->public, child_cfg, FALSE,
-											tsi, tsr);
-		child_cfg->destroy(child_cfg);
-		if (reqid)
-		{
-			child_create_t *child_create = (child_create_t*)task;
-			child_create->use_reqid(child_create, reqid);
-		}
-		this->task_manager->queue_task(this->task_manager, task);
-
-#ifdef ME
-		if (this->peer_cfg->get_mediated_by(this->peer_cfg))
-		{
-			/* mediated connection, initiate mediation process */
-			job_t *job = (job_t*)initiate_mediation_job_create(this->ike_sa_id);
-			charon->processor->queue_job(charon->processor, job);
-			return SUCCESS;
-		}
-#endif /* ME */
-	}
-
-	return this->task_manager->initiate(this->task_manager);
-}
-
-/**
- * Implementation of ike_sa_t.process_message.
- */
-static status_t process_message(private_ike_sa_t *this, message_t *message)
-{
-	status_t status;
-	bool is_request;
-
-	if (this->state == IKE_PASSIVE)
-	{	/* do not handle messages in passive state */
-		return FAILED;
-	}
-
-	is_request = message->get_request(message);
-
-	status = message->parse_body(message,
-								 this->keymat->get_crypter(this->keymat, TRUE),
-								 this->keymat->get_signer(this->keymat, TRUE));
-	if (status != SUCCESS)
-	{
-
-		if (is_request)
-		{
-			switch (status)
-			{
-				case NOT_SUPPORTED:
-					DBG1(DBG_IKE, "critical unknown payloads found");
-					if (is_request)
-					{
-						send_notify_response(this, message, UNSUPPORTED_CRITICAL_PAYLOAD);
-					}
-					break;
-				case PARSE_ERROR:
-					DBG1(DBG_IKE, "message parsing failed");
-					if (is_request)
-					{
-						send_notify_response(this, message, INVALID_SYNTAX);
-					}
-					break;
-				case VERIFY_ERROR:
-					DBG1(DBG_IKE, "message verification failed");
-					if (is_request)
-					{
-						send_notify_response(this, message, INVALID_SYNTAX);
-					}
-					break;
-				case FAILED:
-					DBG1(DBG_IKE, "integrity check failed");
-					/* ignored */
-					break;
-				case INVALID_STATE:
-					DBG1(DBG_IKE, "found encrypted message, but no keys available");
-					if (is_request)
-					{
-						send_notify_response(this, message, INVALID_SYNTAX);
-					}
-				default:
-					break;
-			}
-		}
-		DBG1(DBG_IKE, "%N %s with message ID %d processing failed",
-			 exchange_type_names, message->get_exchange_type(message),
-			 message->get_request(message) ? "request" : "response",
-			 message->get_message_id(message));
-
-		if (this->state == IKE_CREATED)
-		{	/* invalid initiation attempt, close SA */
-			return DESTROY_ME;
-		}
-	}
-	else
-	{
-		host_t *me, *other;
-
-		me = message->get_destination(message);
-		other = message->get_source(message);
-
-		/* if this IKE_SA is virgin, we check for a config */
-		if (this->ike_cfg == NULL)
-		{
-			job_t *job;
-			this->ike_cfg = charon->backends->get_ike_cfg(charon->backends,
-														  me, other);
-			if (this->ike_cfg == NULL)
-			{
-				/* no config found for these hosts, destroy */
-				DBG1(DBG_IKE, "no IKE config found for %H...%H, sending %N",
-					 me, other, notify_type_names, NO_PROPOSAL_CHOSEN);
-				send_notify_response(this, message, NO_PROPOSAL_CHOSEN);
-				return DESTROY_ME;
-			}
-			/* add a timeout if peer does not establish it completely */
-			job = (job_t*)delete_ike_sa_job_create(this->ike_sa_id, FALSE);
-			charon->scheduler->schedule_job(charon->scheduler, job,
-											HALF_OPEN_IKE_SA_TIMEOUT);
-		}
-		this->stats[STAT_INBOUND] = time_monotonic(NULL);
-		/* check if message is trustworthy, and update host information */
-		if (this->state == IKE_CREATED || this->state == IKE_CONNECTING ||
-			message->get_exchange_type(message) != IKE_SA_INIT)
-		{
-			if (!supports_extension(this, EXT_MOBIKE))
-			{	/* with MOBIKE, we do no implicit updates */
-				update_hosts(this, me, other);
-			}
-		}
-		status = this->task_manager->process_message(this->task_manager, message);
-		if (message->get_exchange_type(message) == IKE_AUTH &&
-			this->state == IKE_ESTABLISHED)
-		{	/* authentication completed */
-			flush_auth_cfgs(this);
-		}
-	}
-	return status;
-}
-
-/**
- * Implementation of ike_sa_t.get_id.
- */
-static ike_sa_id_t* get_id(private_ike_sa_t *this)
-{
-	return this->ike_sa_id;
-}
-
-/**
- * Implementation of ike_sa_t.get_my_id.
- */
-static identification_t* get_my_id(private_ike_sa_t *this)
-{
-	return this->my_id;
-}
-
-/**
- * Implementation of ike_sa_t.set_my_id.
- */
-static void set_my_id(private_ike_sa_t *this, identification_t *me)
-{
-	DESTROY_IF(this->my_id);
-	this->my_id = me;
-}
-
-/**
- * Implementation of ike_sa_t.get_other_id.
- */
-static identification_t* get_other_id(private_ike_sa_t *this)
-{
-	return this->other_id;
-}
-
-/**
- * Implementation of ike_sa_t.set_other_id.
- */
-static void set_other_id(private_ike_sa_t *this, identification_t *other)
-{
-	DESTROY_IF(this->other_id);
-	this->other_id = other;
-}
-
-/**
- * Implementation of ike_sa_t.add_child_sa.
- */
-static void add_child_sa(private_ike_sa_t *this, child_sa_t *child_sa)
-{
-	this->child_sas->insert_last(this->child_sas, child_sa);
-}
-
-/**
- * Implementation of ike_sa_t.get_child_sa.
- */
-static child_sa_t* get_child_sa(private_ike_sa_t *this, protocol_id_t protocol,
-								u_int32_t spi, bool inbound)
-{
-	iterator_t *iterator;
-	child_sa_t *current, *found = NULL;
-
-	iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
-	while (iterator->iterate(iterator, (void**)&current))
-	{
-		if (current->get_spi(current, inbound) == spi &&
-			current->get_protocol(current) == protocol)
-		{
-			found = current;
-		}
-	}
-	iterator->destroy(iterator);
-	return found;
-}
-
-/**
- * Implementation of ike_sa_t.create_child_sa_iterator.
- */
-static iterator_t* create_child_sa_iterator(private_ike_sa_t *this)
-{
-	return this->child_sas->create_iterator(this->child_sas, TRUE);
-}
-
-/**
- * Implementation of ike_sa_t.rekey_child_sa.
- */
-static status_t rekey_child_sa(private_ike_sa_t *this, protocol_id_t protocol,
-							   u_int32_t spi)
-{
-	child_rekey_t *child_rekey;
-
-	child_rekey = child_rekey_create(&this->public, protocol, spi);
-	this->task_manager->queue_task(this->task_manager, &child_rekey->task);
-	return this->task_manager->initiate(this->task_manager);
-}
-
-/**
- * Implementation of ike_sa_t.delete_child_sa.
- */
-static status_t delete_child_sa(private_ike_sa_t *this, protocol_id_t protocol,
-								u_int32_t spi)
-{
-	child_delete_t *child_delete;
-
-	child_delete = child_delete_create(&this->public, protocol, spi);
-	this->task_manager->queue_task(this->task_manager, &child_delete->task);
-	return this->task_manager->initiate(this->task_manager);
-}
-
-/**
- * Implementation of ike_sa_t.destroy_child_sa.
- */
-static status_t destroy_child_sa(private_ike_sa_t *this, protocol_id_t protocol,
-								 u_int32_t spi)
-{
-	iterator_t *iterator;
-	child_sa_t *child_sa;
-	status_t status = NOT_FOUND;
-
-	iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
-	while (iterator->iterate(iterator, (void**)&child_sa))
-	{
-		if (child_sa->get_protocol(child_sa) == protocol &&
-			child_sa->get_spi(child_sa, TRUE) == spi)
-		{
-			child_sa->destroy(child_sa);
-			iterator->remove(iterator);
-			status = SUCCESS;
-			break;
-		}
-	}
-	iterator->destroy(iterator);
-	return status;
-}
-
-/**
- * Implementation of public_ike_sa_t.delete.
- */
-static status_t delete_(private_ike_sa_t *this)
-{
-	ike_delete_t *ike_delete;
-
-	switch (this->state)
-	{
-		case IKE_ESTABLISHED:
-		case IKE_REKEYING:
-			ike_delete = ike_delete_create(&this->public, TRUE);
-			this->task_manager->queue_task(this->task_manager, &ike_delete->task);
-			return this->task_manager->initiate(this->task_manager);
-		case IKE_CREATED:
-			DBG1(DBG_IKE, "deleting unestablished IKE_SA");
-			break;
-		case IKE_PASSIVE:
-			break;
-		default:
-			DBG1(DBG_IKE, "destroying IKE_SA in state %N "
-				"without notification", ike_sa_state_names, this->state);
-			break;
-	}
-	return DESTROY_ME;
-}
-
-/**
- * Implementation of ike_sa_t.rekey.
- */
-static status_t rekey(private_ike_sa_t *this)
-{
-	ike_rekey_t *ike_rekey;
-
-	ike_rekey = ike_rekey_create(&this->public, TRUE);
-
-	this->task_manager->queue_task(this->task_manager, &ike_rekey->task);
-	return this->task_manager->initiate(this->task_manager);
-}
-
-/**
- * Implementation of ike_sa_t.reauth
- */
-static status_t reauth(private_ike_sa_t *this)
-{
-	task_t *task;
-
-	/* we can't reauthenticate as responder when we use EAP or virtual IPs.
-	 * If the peer does not support RFC4478, there is no way to keep the
-	 * IKE_SA up. */
-	if (!has_condition(this, COND_ORIGINAL_INITIATOR))
-	{
-		DBG1(DBG_IKE, "initiator did not reauthenticate as requested");
-		if (this->other_virtual_ip != NULL ||
-			has_condition(this, COND_EAP_AUTHENTICATED)
-#ifdef ME
-			/* as mediation server we too cannot reauth the IKE_SA */
-			|| this->is_mediation_server
-#endif /* ME */
-			)
-		{
-			time_t now = time_monotonic(NULL);
-
-			DBG1(DBG_IKE, "IKE_SA will timeout in %V",
-				 &now, &this->stats[STAT_DELETE]);
-			return FAILED;
-		}
-		else
-		{
-			DBG1(DBG_IKE, "reauthenticating actively");
-		}
-	}
-	task = (task_t*)ike_reauth_create(&this->public);
-	this->task_manager->queue_task(this->task_manager, task);
-
-	return this->task_manager->initiate(this->task_manager);
-}
-
-/**
- * Implementation of ike_sa_t.reestablish
- */
-static status_t reestablish(private_ike_sa_t *this)
-{
-	ike_sa_t *new;
-	host_t *host;
-	action_t action;
-	iterator_t *iterator;
-	child_sa_t *child_sa;
-	child_cfg_t *child_cfg;
-	bool restart = FALSE;
-	status_t status = FAILED;
-
-	/* check if we have children to keep up at all */
-	iterator = create_child_sa_iterator(this);
-	while (iterator->iterate(iterator, (void**)&child_sa))
-	{
-		child_cfg = child_sa->get_config(child_sa);
-		if (this->state == IKE_DELETING)
-		{
-			action = child_cfg->get_close_action(child_cfg);
-		}
-		else
-		{
-			action = child_cfg->get_dpd_action(child_cfg);
-		}
-		switch (action)
-		{
-			case ACTION_RESTART:
-				restart = TRUE;
-				break;
-			case ACTION_ROUTE:
-				charon->traps->install(charon->traps, this->peer_cfg, child_cfg);
-				break;
-			default:
-				break;
-		}
-	}
-	iterator->destroy(iterator);
-#ifdef ME
-	/* mediation connections have no children, keep them up anyway */
-	if (this->peer_cfg->is_mediation(this->peer_cfg))
-	{
-		restart = TRUE;
-	}
-#endif /* ME */
-	if (!restart)
-	{
-		return FAILED;
-	}
-
-	/* check if we are able to reestablish this IKE_SA */
-	if (!has_condition(this, COND_ORIGINAL_INITIATOR) &&
-		(this->other_virtual_ip != NULL ||
-		 has_condition(this, COND_EAP_AUTHENTICATED)
-#ifdef ME
-		 || this->is_mediation_server
-#endif /* ME */
-		))
-	{
-		DBG1(DBG_IKE, "unable to reestablish IKE_SA due asymetric setup");
-		return FAILED;
-	}
-
-	new = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager, TRUE);
-	new->set_peer_cfg(new, this->peer_cfg);
-	host = this->other_host;
-	new->set_other_host(new, host->clone(host));
-	host = this->my_host;
-	new->set_my_host(new, host->clone(host));
-	/* if we already have a virtual IP, we reuse it */
-	host = this->my_virtual_ip;
-	if (host)
-	{
-		new->set_virtual_ip(new, TRUE, host);
-	}
-
-#ifdef ME
-	if (this->peer_cfg->is_mediation(this->peer_cfg))
-	{
-		status = new->initiate(new, NULL, 0, NULL, NULL);
-	}
-	else
-#endif /* ME */
-	{
-		iterator = create_child_sa_iterator(this);
-		while (iterator->iterate(iterator, (void**)&child_sa))
-		{
-			child_cfg = child_sa->get_config(child_sa);
-			if (this->state == IKE_DELETING)
-			{
-				action = child_cfg->get_close_action(child_cfg);
-			}
-			else
-			{
-				action = child_cfg->get_dpd_action(child_cfg);
-			}
-			switch (action)
-			{
-				case ACTION_RESTART:
-					DBG1(DBG_IKE, "restarting CHILD_SA %s",
-						 child_cfg->get_name(child_cfg));
-					child_cfg->get_ref(child_cfg);
-					status = new->initiate(new, child_cfg, 0, NULL, NULL);
-					break;
-				default:
-					continue;
-			}
-			if (status == DESTROY_ME)
-			{
-				break;
-			}
-		}
-		iterator->destroy(iterator);
-	}
-
-	if (status == DESTROY_ME)
-	{
-		charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, new);
-		status = FAILED;
-	}
-	else
-	{
-		charon->ike_sa_manager->checkin(charon->ike_sa_manager, new);
-		status = SUCCESS;
-	}
-	charon->bus->set_sa(charon->bus, &this->public);
-	return status;
-}
-
-/**
- * Implementation of ike_sa_t.retransmit.
- */
-static status_t retransmit(private_ike_sa_t *this, u_int32_t message_id)
-{
-	this->stats[STAT_OUTBOUND] = time_monotonic(NULL);
-	if (this->task_manager->retransmit(this->task_manager, message_id) != SUCCESS)
-	{
-		/* send a proper signal to brief interested bus listeners */
-		switch (this->state)
-		{
-			case IKE_CONNECTING:
-			{
-				/* retry IKE_SA_INIT if we have multiple keyingtries */
-				u_int32_t tries = this->peer_cfg->get_keyingtries(this->peer_cfg);
-				this->keyingtry++;
-				if (tries == 0 || tries > this->keyingtry)
-				{
-					DBG1(DBG_IKE, "peer not responding, trying again (%d/%d)",
-						 this->keyingtry + 1, tries);
-					reset(this);
-					return this->task_manager->initiate(this->task_manager);
-				}
-				DBG1(DBG_IKE, "establishing IKE_SA failed, peer not responding");
-				break;
-			}
-			case IKE_DELETING:
-				DBG1(DBG_IKE, "proper IKE_SA delete failed, peer not responding");
-				break;
-			case IKE_REKEYING:
-				DBG1(DBG_IKE, "rekeying IKE_SA failed, peer not responding");
-				/* FALL */
-			default:
-				reestablish(this);
-				break;
-		}
-		return DESTROY_ME;
-	}
-	return SUCCESS;
-}
-
-/**
- * Implementation of ike_sa_t.set_auth_lifetime.
- */
-static void set_auth_lifetime(private_ike_sa_t *this, u_int32_t lifetime)
-{
-	u_int32_t reduction = this->peer_cfg->get_over_time(this->peer_cfg);
-	u_int32_t reauth_time = time_monotonic(NULL) + lifetime - reduction;
-
-	if (lifetime < reduction)
-	{
-		DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, starting reauthentication",
-			 lifetime);
-		charon->processor->queue_job(charon->processor,
-					(job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE));
-	}
-	else if (this->stats[STAT_REAUTH] == 0 ||
-			 this->stats[STAT_REAUTH] > reauth_time)
-	{
-		this->stats[STAT_REAUTH] = reauth_time;
-		DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, scheduling reauthentication"
-			 " in %ds", lifetime, lifetime - reduction);
-		charon->scheduler->schedule_job(charon->scheduler,
-						(job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE),
-						lifetime - reduction);
-	}
-	else
-	{
-		DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, "
-			 "reauthentication already scheduled in %ds", lifetime,
-			 this->stats[STAT_REAUTH] - time_monotonic(NULL));
-	}
-}
-
-/**
- * Implementation of ike_sa_t.roam.
- */
-static status_t roam(private_ike_sa_t *this, bool address)
-{
-	host_t *src;
-	ike_mobike_t *mobike;
-
-	switch (this->state)
-	{
-		case IKE_CREATED:
-		case IKE_DELETING:
-		case IKE_DESTROYING:
-		case IKE_PASSIVE:
-			return SUCCESS;
-		default:
-			break;
-	}
-	/* responder just updates the peer about changed address config */
-	if (!this->ike_sa_id->is_initiator(this->ike_sa_id))
-	{
-		if (supports_extension(this, EXT_MOBIKE) && address)
-		{
-			DBG1(DBG_IKE, "sending address list update using MOBIKE");
-			mobike = ike_mobike_create(&this->public, TRUE);
-			this->task_manager->queue_task(this->task_manager, (task_t*)mobike);
-			return this->task_manager->initiate(this->task_manager);
-		}
-		return SUCCESS;
-	}
-
-	/* keep existing path if possible */
-	src = charon->kernel_interface->get_source_addr(charon->kernel_interface,
-											this->other_host, this->my_host);
-	if (src)
-	{
-		if (src->ip_equals(src, this->my_host))
-		{
-			DBG2(DBG_IKE, "keeping connection path %H - %H",
-				 src, this->other_host);
-			src->destroy(src);
-			set_condition(this, COND_STALE, FALSE);
-			return SUCCESS;
-		}
-		src->destroy(src);
-
-	}
-	else
-	{
-		/* check if we find a route at all */
-		enumerator_t *enumerator;
-		host_t *addr;
-
-		src = charon->kernel_interface->get_source_addr(charon->kernel_interface,
-														this->other_host, NULL);
-		if (!src)
-		{
-			enumerator = this->additional_addresses->create_enumerator(
-													this->additional_addresses);
-			while (enumerator->enumerate(enumerator, &addr))
-			{
-				DBG1(DBG_IKE, "looking for a route to %H ...", addr);
-				src = charon->kernel_interface->get_source_addr(
-										charon->kernel_interface, addr, NULL);
-				if (src)
-				{
-					break;
-				}
-			}
-			enumerator->destroy(enumerator);
-		}
-		if (!src)
-		{
-			DBG1(DBG_IKE, "no route found to reach %H, MOBIKE update deferred",
-				 this->other_host);
-			set_condition(this, COND_STALE, TRUE);
-			return SUCCESS;
-		}
-		src->destroy(src);
-	}
-	set_condition(this, COND_STALE, FALSE);
-
-	/* update addresses with mobike, if supported ... */
-	if (supports_extension(this, EXT_MOBIKE))
-	{
-		DBG1(DBG_IKE, "requesting address change using MOBIKE");
-		mobike = ike_mobike_create(&this->public, TRUE);
-		mobike->roam(mobike, address);
-		this->task_manager->queue_task(this->task_manager, (task_t*)mobike);
-		return this->task_manager->initiate(this->task_manager);
-	}
-	DBG1(DBG_IKE, "reauthenticating IKE_SA due to address change");
-	/* ... reauth if not */
-	return reauth(this);
-}
-
-/**
- * Implementation of ike_sa_t.add_configuration_attribute
- */
-static void add_configuration_attribute(private_ike_sa_t *this,
-							attribute_handler_t *handler,
-							configuration_attribute_type_t type, chunk_t data)
-{
-	attribute_entry_t *entry = malloc_thing(attribute_entry_t);
-
-	entry->handler = handler;
-	entry->type = type;
-	entry->data = chunk_clone(data);
-
-	this->attributes->insert_last(this->attributes, entry);
-}
-
-/**
- * Implementation of ike_sa_t.inherit.
- */
-static status_t inherit(private_ike_sa_t *this, private_ike_sa_t *other)
-{
-	child_sa_t *child_sa;
-	attribute_entry_t *entry;
-
-	/* apply hosts and ids */
-	this->my_host->destroy(this->my_host);
-	this->other_host->destroy(this->other_host);
-	this->my_id->destroy(this->my_id);
-	this->other_id->destroy(this->other_id);
-	this->my_host = other->my_host->clone(other->my_host);
-	this->other_host = other->other_host->clone(other->other_host);
-	this->my_id = other->my_id->clone(other->my_id);
-	this->other_id = other->other_id->clone(other->other_id);
-
-	/* apply virtual assigned IPs... */
-	if (other->my_virtual_ip)
-	{
-		this->my_virtual_ip = other->my_virtual_ip;
-		other->my_virtual_ip = NULL;
-	}
-	if (other->other_virtual_ip)
-	{
-		this->other_virtual_ip = other->other_virtual_ip;
-		other->other_virtual_ip = NULL;
-	}
-
-	/* ... and configuration attributes */
-	while (other->attributes->remove_last(other->attributes,
-										  (void**)&entry) == SUCCESS)
-	{
-		this->attributes->insert_first(this->attributes, entry);
-	}
-
-	/* inherit all conditions */
-	this->conditions = other->conditions;
-	if (this->conditions & COND_NAT_HERE)
-	{
-		send_keepalive(this);
-	}
-
-#ifdef ME
-	if (other->is_mediation_server)
-	{
-		act_as_mediation_server(this);
-	}
-	else if (other->server_reflexive_host)
-	{
-		this->server_reflexive_host = other->server_reflexive_host->clone(
-				other->server_reflexive_host);
-	}
-#endif /* ME */
-
-	/* adopt all children */
-	while (other->child_sas->remove_last(other->child_sas,
-										 (void**)&child_sa) == SUCCESS)
-	{
-		this->child_sas->insert_first(this->child_sas, (void*)child_sa);
-	}
-
-	/* move pending tasks to the new IKE_SA */
-	this->task_manager->adopt_tasks(this->task_manager, other->task_manager);
-
-	/* reauthentication timeout survives a rekeying */
-	if (other->stats[STAT_REAUTH])
-	{
-		time_t reauth, delete, now = time_monotonic(NULL);
-
-		this->stats[STAT_REAUTH] = other->stats[STAT_REAUTH];
-		reauth = this->stats[STAT_REAUTH] - now;
-		delete = reauth + this->peer_cfg->get_over_time(this->peer_cfg);
-		this->stats[STAT_DELETE] = this->stats[STAT_REAUTH] + delete;
-		DBG1(DBG_IKE, "rescheduling reauthentication in %ds after rekeying, "
-			 "lifetime reduced to %ds", reauth, delete);
-		charon->scheduler->schedule_job(charon->scheduler,
-				(job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE), reauth);
-		charon->scheduler->schedule_job(charon->scheduler,
-				(job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE), delete);
-	}
-	/* we have to initate here, there may be new tasks to handle */
-	return this->task_manager->initiate(this->task_manager);
-}
-
-/**
- * Implementation of ike_sa_t.destroy.
- */
-static void destroy(private_ike_sa_t *this)
-{
-	attribute_entry_t *entry;
-
-	charon->bus->set_sa(charon->bus, &this->public);
-
-	set_state(this, IKE_DESTROYING);
-
-	/* remove attributes first, as we pass the IKE_SA to the handler */
-	while (this->attributes->remove_last(this->attributes,
-										 (void**)&entry) == SUCCESS)
-	{
-		lib->attributes->release(lib->attributes, entry->handler,
-								 this->other_id, entry->type, entry->data);
-		free(entry->data.ptr);
-		free(entry);
-	}
-	this->attributes->destroy(this->attributes);
-
-	this->child_sas->destroy_offset(this->child_sas, offsetof(child_sa_t, destroy));
-
-	/* unset SA after here to avoid usage by the listeners */
-	charon->bus->set_sa(charon->bus, NULL);
-
-	this->task_manager->destroy(this->task_manager);
-	this->keymat->destroy(this->keymat);
-
-	if (this->my_virtual_ip)
-	{
-		charon->kernel_interface->del_ip(charon->kernel_interface,
-										 this->my_virtual_ip);
-		this->my_virtual_ip->destroy(this->my_virtual_ip);
-	}
-	if (this->other_virtual_ip)
-	{
-		if (this->peer_cfg && this->peer_cfg->get_pool(this->peer_cfg))
-		{
-			lib->attributes->release_address(lib->attributes,
-									this->peer_cfg->get_pool(this->peer_cfg),
-									this->other_virtual_ip, this->other_id);
-		}
-		this->other_virtual_ip->destroy(this->other_virtual_ip);
-	}
-	this->additional_addresses->destroy_offset(this->additional_addresses,
-													offsetof(host_t, destroy));
-#ifdef ME
-	if (this->is_mediation_server)
-	{
-		charon->mediation_manager->remove(charon->mediation_manager,
-										  this->ike_sa_id);
-	}
-	DESTROY_IF(this->server_reflexive_host);
-	chunk_free(&this->connect_id);
-#endif /* ME */
-	free(this->nat_detection_dest.ptr);
-
-	DESTROY_IF(this->my_host);
-	DESTROY_IF(this->other_host);
-	DESTROY_IF(this->my_id);
-	DESTROY_IF(this->other_id);
-	DESTROY_IF(this->local_host);
-	DESTROY_IF(this->remote_host);
-
-	DESTROY_IF(this->ike_cfg);
-	DESTROY_IF(this->peer_cfg);
-	DESTROY_IF(this->proposal);
-	this->my_auth->destroy(this->my_auth);
-	this->other_auth->destroy(this->other_auth);
-	this->my_auths->destroy_offset(this->my_auths,
-								   offsetof(auth_cfg_t, destroy));
-	this->other_auths->destroy_offset(this->other_auths,
-									  offsetof(auth_cfg_t, destroy));
-
-	this->ike_sa_id->destroy(this->ike_sa_id);
-	free(this);
-}
-
-/*
- * Described in header.
- */
-ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
-{
-	private_ike_sa_t *this = malloc_thing(private_ike_sa_t);
-	static u_int32_t unique_id = 0;
-
-	/* Public functions */
-	this->public.get_state = (ike_sa_state_t (*)(ike_sa_t*)) get_state;
-	this->public.set_state = (void (*)(ike_sa_t*,ike_sa_state_t)) set_state;
-	this->public.get_name = (char* (*)(ike_sa_t*))get_name;
-	this->public.get_statistic = (u_int32_t(*)(ike_sa_t*, statistic_t kind))get_statistic;
-	this->public.process_message = (status_t (*)(ike_sa_t*, message_t*)) process_message;
-	this->public.initiate = (status_t (*)(ike_sa_t*,child_cfg_t*,u_int32_t,traffic_selector_t*,traffic_selector_t*)) initiate;
-	this->public.get_ike_cfg = (ike_cfg_t* (*)(ike_sa_t*))get_ike_cfg;
-	this->public.set_ike_cfg = (void (*)(ike_sa_t*,ike_cfg_t*))set_ike_cfg;
-	this->public.get_peer_cfg = (peer_cfg_t* (*)(ike_sa_t*))get_peer_cfg;
-	this->public.set_peer_cfg = (void (*)(ike_sa_t*,peer_cfg_t*))set_peer_cfg;
-	this->public.get_auth_cfg = (auth_cfg_t*(*)(ike_sa_t*, bool local))get_auth_cfg;
-	this->public.create_auth_cfg_enumerator = (enumerator_t*(*)(ike_sa_t*, bool local))create_auth_cfg_enumerator;
-	this->public.add_auth_cfg = (void(*)(ike_sa_t*, bool local, auth_cfg_t *cfg))add_auth_cfg;
-	this->public.get_proposal = (proposal_t*(*)(ike_sa_t*))get_proposal;
-	this->public.set_proposal = (void(*)(ike_sa_t*, proposal_t *proposal))set_proposal;
-	this->public.get_id = (ike_sa_id_t* (*)(ike_sa_t*)) get_id;
-	this->public.get_my_host = (host_t* (*)(ike_sa_t*)) get_my_host;
-	this->public.set_my_host = (void (*)(ike_sa_t*,host_t*)) set_my_host;
-	this->public.get_other_host = (host_t* (*)(ike_sa_t*)) get_other_host;
-	this->public.set_other_host = (void (*)(ike_sa_t*,host_t*)) set_other_host;
-	this->public.set_message_id = (void(*)(ike_sa_t*, bool inbound, u_int32_t mid))set_message_id;
-	this->public.update_hosts = (void(*)(ike_sa_t*, host_t *me, host_t *other))update_hosts;
-	this->public.get_my_id = (identification_t* (*)(ike_sa_t*)) get_my_id;
-	this->public.set_my_id = (void (*)(ike_sa_t*,identification_t*)) set_my_id;
-	this->public.get_other_id = (identification_t* (*)(ike_sa_t*)) get_other_id;
-	this->public.set_other_id = (void (*)(ike_sa_t*,identification_t*)) set_other_id;
-	this->public.enable_extension = (void(*)(ike_sa_t*, ike_extension_t extension))enable_extension;
-	this->public.supports_extension = (bool(*)(ike_sa_t*, ike_extension_t extension))supports_extension;
-	this->public.set_condition = (void (*)(ike_sa_t*, ike_condition_t,bool)) set_condition;
-	this->public.has_condition = (bool (*)(ike_sa_t*,ike_condition_t)) has_condition;
-	this->public.set_pending_updates = (void(*)(ike_sa_t*, u_int32_t updates))set_pending_updates;
-	this->public.get_pending_updates = (u_int32_t(*)(ike_sa_t*))get_pending_updates;
-	this->public.create_additional_address_iterator = (iterator_t*(*)(ike_sa_t*))create_additional_address_iterator;
-	this->public.add_additional_address = (void(*)(ike_sa_t*, host_t *host))add_additional_address;
-	this->public.has_mapping_changed = (bool(*)(ike_sa_t*, chunk_t hash))has_mapping_changed;
-	this->public.retransmit = (status_t (*)(ike_sa_t *, u_int32_t)) retransmit;
-	this->public.delete = (status_t (*)(ike_sa_t*))delete_;
-	this->public.destroy = (void (*)(ike_sa_t*))destroy;
-	this->public.send_dpd = (status_t (*)(ike_sa_t*)) send_dpd;
-	this->public.send_keepalive = (void (*)(ike_sa_t*)) send_keepalive;
-	this->public.get_keymat = (keymat_t*(*)(ike_sa_t*))get_keymat;
-	this->public.add_child_sa = (void (*)(ike_sa_t*,child_sa_t*)) add_child_sa;
-	this->public.get_child_sa = (child_sa_t* (*)(ike_sa_t*,protocol_id_t,u_int32_t,bool)) get_child_sa;
-	this->public.create_child_sa_iterator = (iterator_t* (*)(ike_sa_t*)) create_child_sa_iterator;
-	this->public.rekey_child_sa = (status_t (*)(ike_sa_t*,protocol_id_t,u_int32_t)) rekey_child_sa;
-	this->public.delete_child_sa = (status_t (*)(ike_sa_t*,protocol_id_t,u_int32_t)) delete_child_sa;
-	this->public.destroy_child_sa = (status_t (*)(ike_sa_t*,protocol_id_t,u_int32_t))destroy_child_sa;
-	this->public.rekey = (status_t (*)(ike_sa_t*))rekey;
-	this->public.reauth = (status_t (*)(ike_sa_t*))reauth;
-	this->public.reestablish = (status_t (*)(ike_sa_t*))reestablish;
-	this->public.set_auth_lifetime = (void(*)(ike_sa_t*, u_int32_t lifetime))set_auth_lifetime;
-	this->public.roam = (status_t(*)(ike_sa_t*,bool))roam;
-	this->public.inherit = (status_t (*)(ike_sa_t*,ike_sa_t*))inherit;
-	this->public.generate_message = (status_t (*)(ike_sa_t*,message_t*,packet_t**))generate_message;
-	this->public.reset = (void (*)(ike_sa_t*))reset;
-	this->public.get_unique_id = (u_int32_t (*)(ike_sa_t*))get_unique_id;
-	this->public.set_virtual_ip = (void (*)(ike_sa_t*,bool,host_t*))set_virtual_ip;
-	this->public.get_virtual_ip = (host_t* (*)(ike_sa_t*,bool))get_virtual_ip;
-	this->public.add_configuration_attribute = (void(*)(ike_sa_t*, attribute_handler_t *handler,configuration_attribute_type_t type, chunk_t data))add_configuration_attribute;
-	this->public.set_kmaddress = (void (*)(ike_sa_t*,host_t*,host_t*))set_kmaddress;
-#ifdef ME
-	this->public.act_as_mediation_server = (void (*)(ike_sa_t*)) act_as_mediation_server;
-	this->public.get_server_reflexive_host = (host_t* (*)(ike_sa_t*)) get_server_reflexive_host;
-	this->public.set_server_reflexive_host = (void (*)(ike_sa_t*,host_t*)) set_server_reflexive_host;
-	this->public.get_connect_id = (chunk_t (*)(ike_sa_t*)) get_connect_id;
-	this->public.initiate_mediation = (status_t (*)(ike_sa_t*,peer_cfg_t*)) initiate_mediation;
-	this->public.initiate_mediated = (status_t (*)(ike_sa_t*,host_t*,host_t*,chunk_t)) initiate_mediated;
-	this->public.relay = (status_t (*)(ike_sa_t*,identification_t*,chunk_t,chunk_t,linked_list_t*,bool)) relay;
-	this->public.callback = (status_t (*)(ike_sa_t*,identification_t*)) callback;
-	this->public.respond = (status_t (*)(ike_sa_t*,identification_t*,chunk_t)) respond;
-#endif /* ME */
-
-	/* initialize private fields */
-	this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
-	this->child_sas = linked_list_create();
-	this->my_host = host_create_any(AF_INET);
-	this->my_host->set_port(this->my_host, IKEV2_UDP_PORT);
-	this->other_host = host_create_any(AF_INET);
-	this->my_id = identification_create_from_encoding(ID_ANY, chunk_empty);
-	this->other_id = identification_create_from_encoding(ID_ANY, chunk_empty);
-	this->extensions = 0;
-	this->conditions = 0;
-	this->keymat = keymat_create(ike_sa_id->is_initiator(ike_sa_id));
-	this->state = IKE_CREATED;
-	this->keepalive_interval = lib->settings->get_time(lib->settings,
-									"charon.keep_alive", KEEPALIVE_INTERVAL);
-	memset(this->stats, 0, sizeof(this->stats));
-	this->stats[STAT_INBOUND] = this->stats[STAT_OUTBOUND] = time_monotonic(NULL);
-	this->ike_cfg = NULL;
-	this->peer_cfg = NULL;
-	this->my_auth = auth_cfg_create();
-	this->other_auth = auth_cfg_create();
-	this->my_auths = linked_list_create();
-	this->other_auths = linked_list_create();
-	this->proposal = NULL;
-	this->task_manager = task_manager_create(&this->public);
-	this->unique_id = ++unique_id;
-	this->my_virtual_ip = NULL;
-	this->other_virtual_ip = NULL;
-	this->additional_addresses = linked_list_create();
-	this->attributes = linked_list_create();
-	this->nat_detection_dest = chunk_empty;
-	this->pending_updates = 0;
-	this->keyingtry = 0;
-	this->local_host = NULL;
-	this->remote_host = NULL;
-#ifdef ME
-	this->is_mediation_server = FALSE;
-	this->server_reflexive_host = NULL;
-	this->connect_id = chunk_empty;
-#endif /* ME */
-
-	return &this->public;
-}
diff --git a/src/charon/sa/ike_sa.h b/src/charon/sa/ike_sa.h
deleted file mode 100644
index 4dce1937c..000000000
--- a/src/charon/sa/ike_sa.h
+++ /dev/null
@@ -1,913 +0,0 @@
-/*
- * Copyright (C) 2006-2008 Tobias Brunner
- * Copyright (C) 2006 Daniel Roethlisberger
- * Copyright (C) 2005-2009 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup ike_sa ike_sa
- * @{ @ingroup sa
- */
-
-#ifndef IKE_SA_H_
-#define IKE_SA_H_
-
-typedef enum ike_extension_t ike_extension_t;
-typedef enum ike_condition_t ike_condition_t;
-typedef enum ike_sa_state_t ike_sa_state_t;
-typedef enum statistic_t statistic_t;
-typedef struct ike_sa_t ike_sa_t;
-
-#include <library.h>
-#include <encoding/message.h>
-#include <encoding/payloads/proposal_substructure.h>
-#include <encoding/payloads/configuration_attribute.h>
-#include <sa/ike_sa_id.h>
-#include <sa/child_sa.h>
-#include <sa/tasks/task.h>
-#include <sa/keymat.h>
-#include <config/peer_cfg.h>
-#include <config/ike_cfg.h>
-#include <config/auth_cfg.h>
-
-/**
- * Timeout in seconds after that a half open IKE_SA gets deleted.
- */
-#define HALF_OPEN_IKE_SA_TIMEOUT 30
-
-/**
- * Interval to send keepalives when NATed, in seconds.
- */
-#define KEEPALIVE_INTERVAL 20
-
-/**
- * After which time rekeying should be retried if it failed, in seconds.
- */
-#define RETRY_INTERVAL 30
-
-/**
- * Jitter to subtract from RETRY_INTERVAL to randomize rekey retry.
- */
-#define RETRY_JITTER 20
-
-/**
- * Extensions (or optional features) the peer supports
- */
-enum ike_extension_t {
-
-	/**
-	 * peer supports NAT traversal as specified in RFC4306
-	 */
-	EXT_NATT = (1<<0),
-
-	/**
-	 * peer supports MOBIKE (RFC4555)
-	 */
-	EXT_MOBIKE = (1<<1),
-
-	/**
-	 * peer supports HTTP cert lookups as specified in RFC4306
-	 */
-	EXT_HASH_AND_URL = (1<<2),
-
-	/**
-	 * peer supports multiple authentication exchanges, RFC4739
-	 */
-	EXT_MULTIPLE_AUTH = (1<<3),
-
-	/**
-	 * peer uses strongSwan, accept private use extensions
-	 */
-	EXT_STRONGSWAN = (1<<4),
-
-	/**
-	 * peer supports EAP-only authentication, draft-eronen-ipsec-ikev2-eap-auth
-	 */
-	EXT_EAP_ONLY_AUTHENTICATION = (1<<5),
-};
-
-/**
- * Conditions of an IKE_SA, change during its lifetime
- */
-enum ike_condition_t {
-
-	/**
-	 * Connection is natted (or faked) somewhere
-	 */
-	COND_NAT_ANY = (1<<0),
-
-	/**
-	 * we are behind NAT
-	 */
-	COND_NAT_HERE = (1<<1),
-
-	/**
-	 * other is behind NAT
-	 */
-	COND_NAT_THERE = (1<<2),
-
-	/**
-	 * Faking NAT to enforce UDP encapsulation
-	 */
-	COND_NAT_FAKE = (1<<3),
-
-	/**
-	 * peer has been authenticated using EAP at least once
-	 */
-	COND_EAP_AUTHENTICATED = (1<<4),
-
-	/**
-	 * received a certificate request from the peer
-	 */
-	COND_CERTREQ_SEEN = (1<<5),
-
-	/**
-	 * Local peer is the "original" IKE initiator. Unaffected from rekeying.
-	 */
-	COND_ORIGINAL_INITIATOR = (1<<6),
-
-	/**
-	 * IKE_SA is stale, the peer is currently unreachable (MOBIKE)
-	 */
-	COND_STALE = (1<<7),
-};
-
-/**
- * Timing information and statistics to query from an SA
- */
-enum statistic_t {
-	/** Timestamp of SA establishement */
-	STAT_ESTABLISHED = 0,
-	/** Timestamp of scheudled rekeying */
-	STAT_REKEY,
-	/** Timestamp of scheudled reauthentication */
-	STAT_REAUTH,
-	/** Timestamp of scheudled delete */
-	STAT_DELETE,
-	/** Timestamp of last inbound IKE packet */
-	STAT_INBOUND,
-	/** Timestamp of last outbound IKE packet */
-	STAT_OUTBOUND,
-
-	STAT_MAX
-};
-
-/**
- * State of an IKE_SA.
- *
- * An IKE_SA passes various states in its lifetime. A newly created
- * SA is in the state CREATED.
- * @verbatim
-                 +----------------+
-                 ¦   SA_CREATED   ¦
-                 +----------------+
-                         ¦
-    on initiate()--->    ¦   <----- on IKE_SA_INIT received
-                         V
-                 +----------------+
-                 ¦ SA_CONNECTING  ¦
-                 +----------------+
-                         ¦
-                         ¦   <----- on IKE_AUTH successfully completed
-                         V
-                 +----------------+
-                 ¦ SA_ESTABLISHED ¦-------------------------+ <-- on rekeying
-                 +----------------+                         ¦
-                         ¦                                  V
-    on delete()--->      ¦   <----- on IKE_SA        +-------------+
-                         ¦          delete request   ¦ SA_REKEYING ¦
-                         ¦          received         +-------------+
-                         V                                  ¦
-                 +----------------+                         ¦
-                 ¦  SA_DELETING   ¦<------------------------+ <-- after rekeying
-                 +----------------+
-                         ¦
-                         ¦   <----- after delete() acknowledged
-                         ¦
-                        \V/
-                         X
-                        / \
-   @endverbatim
- */
-enum ike_sa_state_t {
-
-	/**
-	 * IKE_SA just got created, but is not initiating nor responding yet.
-	 */
-	IKE_CREATED,
-
-	/**
-	 * IKE_SA gets initiated actively or passively
-	 */
-	IKE_CONNECTING,
-
-	/**
-	 * IKE_SA is fully established
-	 */
-	IKE_ESTABLISHED,
-
-	/**
-	 * IKE_SA is managed externally and does not process messages
-	 */
-	IKE_PASSIVE,
-
-	/**
-	 * IKE_SA rekeying in progress
-	 */
-	IKE_REKEYING,
-
-	/**
-	 * IKE_SA is in progress of deletion
-	 */
-	IKE_DELETING,
-
-	/**
-	 * IKE_SA object gets destroyed
-	 */
-	IKE_DESTROYING,
-};
-
-/**
- * enum names for ike_sa_state_t.
- */
-extern enum_name_t *ike_sa_state_names;
-
-/**
- * Class ike_sa_t representing an IKE_SA.
- *
- * An IKE_SA contains crypto information related to a connection
- * with a peer. It contains multiple IPsec CHILD_SA, for which
- * it is responsible. All traffic is handled by an IKE_SA, using
- * the task manager and its tasks.
- */
-struct ike_sa_t {
-
-	/**
-	 * Get the id of the SA.
-	 *
-	 * Returned ike_sa_id_t object is not getting cloned!
-	 *
-	 * @return 				ike_sa's ike_sa_id_t
-	 */
-	ike_sa_id_t* (*get_id) (ike_sa_t *this);
-
-	/**
-	 * Get the numerical ID uniquely defining this IKE_SA.
-	 *
-	 * @return 				unique ID
-	 */
-	u_int32_t (*get_unique_id) (ike_sa_t *this);
-
-	/**
-	 * Get the state of the IKE_SA.
-	 *
-	 * @return				state of the IKE_SA
-	 */
-	ike_sa_state_t (*get_state) (ike_sa_t *this);
-
-	/**
-	 * Set the state of the IKE_SA.
-	 *
-	 * @param state			state to set for the IKE_SA
-	 */
-	void (*set_state) (ike_sa_t *this, ike_sa_state_t ike_sa);
-
-	/**
-	 * Get the name of the connection this IKE_SA uses.
-	 *
-	 * @return				name
-	 */
-	char* (*get_name) (ike_sa_t *this);
-
-	/**
-	 * Get statistic values from the IKE_SA.
-	 *
-	 * @param kind			kind of requested value
-	 * @return				value as integer
-	 */
-	u_int32_t (*get_statistic)(ike_sa_t *this, statistic_t kind);
-
-	/**
-	 * Get the own host address.
-	 *
-	 * @return				host address
-	 */
-	host_t* (*get_my_host) (ike_sa_t *this);
-
-	/**
-	 * Set the own host address.
-	 *
-	 * @param me			host address
-	 */
-	void (*set_my_host) (ike_sa_t *this, host_t *me);
-
-	/**
-	 * Get the other peers host address.
-	 *
-	 * @return				host address
-	 */
-	host_t* (*get_other_host) (ike_sa_t *this);
-
-	/**
-	 * Set the others host address.
-	 *
-	 * @param other			host address
-	 */
-	void (*set_other_host) (ike_sa_t *this, host_t *other);
-
-	/**
-	 * Update the IKE_SAs host.
-	 *
-	 * Hosts may be NULL to use current host.
-	 *
-	 * @param me			new local host address, or NULL
-	 * @param other			new remote host address, or NULL
-	 */
-	void (*update_hosts)(ike_sa_t *this, host_t *me, host_t *other);
-
-	/**
-	 * Get the own identification.
-	 *
-	 * @return				identification
-	 */
-	identification_t* (*get_my_id) (ike_sa_t *this);
-
-	/**
-	 * Set the own identification.
-	 *
-	 * @param me			identification
-	 */
-	void (*set_my_id) (ike_sa_t *this, identification_t *me);
-
-	/**
-	 * Get the other peer's identification.
-	 *
-	 * @return				identification
-	 */
-	identification_t* (*get_other_id) (ike_sa_t *this);
-
-	/**
-	 * Set the other peer's identification.
-	 *
-	 * @param other			identification
-	 */
-	void (*set_other_id) (ike_sa_t *this, identification_t *other);
-
-	/**
-	 * Get the config used to setup this IKE_SA.
-	 *
-	 * @return				ike_config
-	 */
-	ike_cfg_t* (*get_ike_cfg) (ike_sa_t *this);
-
-	/**
-	 * Set the config to setup this IKE_SA.
-	 *
-	 * @param config		ike_config to use
-	 */
-	void (*set_ike_cfg) (ike_sa_t *this, ike_cfg_t* config);
-
-	/**
-	 * Get the peer config used by this IKE_SA.
-	 *
-	 * @return				peer_config
-	 */
-	peer_cfg_t* (*get_peer_cfg) (ike_sa_t *this);
-
-	/**
-	 * Set the peer config to use with this IKE_SA.
-	 *
-	 * @param config		peer_config to use
-	 */
-	void (*set_peer_cfg) (ike_sa_t *this, peer_cfg_t *config);
-
-	/**
-	 * Get the authentication config with rules of the current auth round.
-	 *
-	 * @param local			TRUE for local rules, FALSE for remote constraints
-	 * @return				current cfg
-	 */
-	auth_cfg_t* (*get_auth_cfg)(ike_sa_t *this, bool local);
-
-	/**
-	 * Insert a completed authentication round.
-	 *
-	 * @param local			TRUE for own rules, FALSE for others constraints
-	 * @param cfg			auth config to append
-	 */
-	void (*add_auth_cfg)(ike_sa_t *this, bool local, auth_cfg_t *cfg);
-
-	/**
-	 * Create an enumerator over added authentication rounds.
-	 *
-	 * @param local			TRUE for own rules, FALSE for others constraints
-	 * @return				enumerator over auth_cfg_t
-	 */
-	enumerator_t* (*create_auth_cfg_enumerator)(ike_sa_t *this, bool local);
-
-	/**
-	 * Get the selected proposal of this IKE_SA.
-	 *
-	 * @return				selected proposal
-	 */
-	proposal_t* (*get_proposal)(ike_sa_t *this);
-
-	/**
-	 * Set the proposal selected for this IKE_SA.
-	 *
-	 * @param				selected proposal
-	 */
-	void (*set_proposal)(ike_sa_t *this, proposal_t *proposal);
-
-	/**
-	 * Set the message id of the IKE_SA.
-	 *
-	 * The IKE_SA stores two message IDs, one for initiating exchanges (send)
-	 * and one to respond to exchanges (expect).
-	 *
-	 * @param initiate		TRUE to set message ID for initiating
-	 * @param mid			message id to set
-	 */
-	void (*set_message_id)(ike_sa_t *this, bool initiate, u_int32_t mid);
-
-	/**
-	 * Add an additional address for the peer.
-	 *
-	 * In MOBIKE, a peer may transmit additional addresses where it is
-	 * reachable. These are stored in the IKE_SA.
-	 * The own list of addresses is not stored, they are queried from
-	 * the kernel when required.
-	 *
-	 * @param host			host to add to list
-	 */
-	void (*add_additional_address)(ike_sa_t *this, host_t *host);
-
-	/**
-	 * Create an iterator over all additional addresses of the peer.
-	 *
-	 * @return 				iterator over addresses
-	 */
-	iterator_t* (*create_additional_address_iterator)(ike_sa_t *this);
-
-	/**
-	 * Check if mappings have changed on a NAT for our source address.
-	 *
-	 * @param hash			received DESTINATION_IP hash
-	 * @return				TRUE if mappings have changed
-	 */
-	bool (*has_mapping_changed)(ike_sa_t *this, chunk_t hash);
-
-	/**
-	 * Enable an extension the peer supports.
-	 *
-	 * If support for an IKE extension is detected, this method is called
-	 * to enable that extension and behave accordingly.
-	 *
-	 * @param extension		extension to enable
-	 */
-	void (*enable_extension)(ike_sa_t *this, ike_extension_t extension);
-
-	/**
-	 * Check if the peer supports an extension.
-	 *
-	 * @param extension		extension to check for support
-	 * @return				TRUE if peer supports it, FALSE otherwise
-	 */
-	bool (*supports_extension)(ike_sa_t *this, ike_extension_t extension);
-
-	/**
-	 * Enable/disable a condition flag for this IKE_SA.
-	 *
-	 * @param condition		condition to enable/disable
-	 * @param enable		TRUE to enable condition, FALSE to disable
-	 */
-	void (*set_condition) (ike_sa_t *this, ike_condition_t condition, bool enable);
-
-	/**
-	 * Check if a condition flag is set.
-	 *
-	 * @param condition		condition to check
-	 * @return				TRUE if condition flag set, FALSE otherwise
-	 */
-	bool (*has_condition) (ike_sa_t *this, ike_condition_t condition);
-
-	/**
-	 * Get the number of queued MOBIKE address updates.
-	 *
-	 * @return				number of pending updates
-	 */
-	u_int32_t (*get_pending_updates)(ike_sa_t *this);
-
-	/**
-	 * Set the number of queued MOBIKE address updates.
-	 *
-	 * @param updates		number of pending updates
-	 */
-	void (*set_pending_updates)(ike_sa_t *this, u_int32_t updates);
-
-#ifdef ME
-	/**
-	 * Activate mediation server functionality for this IKE_SA.
-	 */
-	void (*act_as_mediation_server) (ike_sa_t *this);
-
-	/**
-	 * Get the server reflexive host.
-	 *
-	 * @return				server reflexive host
-	 */
-	host_t* (*get_server_reflexive_host) (ike_sa_t *this);
-
-	/**
-	 * Set the server reflexive host.
-	 *
-	 * @param host			server reflexive host
-	 */
-	void (*set_server_reflexive_host) (ike_sa_t *this, host_t *host);
-
-	/**
-	 * Get the connect ID.
-	 *
-	 * @return				connect ID
-	 */
-	chunk_t (*get_connect_id) (ike_sa_t *this);
-
-	/**
-	 * Initiate the mediation of a mediated connection (i.e. initiate a
-	 * ME_CONNECT exchange to a mediation server).
-	 *
-	 * @param mediated_cfg	peer_cfg of the mediated connection
-	 * @return
-	 * 						- SUCCESS if initialization started
-	 * 						- DESTROY_ME if initialization failed
-	 */
-	status_t (*initiate_mediation) (ike_sa_t *this, peer_cfg_t *mediated_cfg);
-
-	/**
-	 * Initiate the mediated connection
-	 *
-	 * @param me			local endpoint (gets cloned)
-	 * @param other			remote endpoint (gets cloned)
-	 * @param connect_id	connect ID (gets cloned)
-	 * @return
-	 * 						- SUCCESS if initialization started
-	 * 						- DESTROY_ME if initialization failed
-	 */
-	status_t (*initiate_mediated) (ike_sa_t *this, host_t *me, host_t *other,
-								   chunk_t connect_id);
-
-	/**
-	 * Relay data from one peer to another (i.e. initiate a ME_CONNECT exchange
-	 * to a peer).
-	 *
-	 * Data is cloned.
-	 *
-	 * @param requester		ID of the requesting peer
-	 * @param connect_id	data of the ME_CONNECTID payload
-	 * @param connect_key	data of the ME_CONNECTKEY payload
-	 * @param endpoints		endpoints
-	 * @param response		TRUE if this is a response
-	 * @return
-	 * 						- SUCCESS if relay started
-	 * 						- DESTROY_ME if relay failed
-	 */
-	status_t (*relay) (ike_sa_t *this, identification_t *requester,
-					   chunk_t connect_id, chunk_t connect_key,
-					   linked_list_t *endpoints, bool response);
-
-	/**
-	 * Send a callback to a peer.
-	 *
-	 * Data is cloned.
-	 *
-	 * @param peer_id		ID of the other peer
-	 * @return
-	 * 						- SUCCESS if response started
-	 * 						- DESTROY_ME if response failed
-	 */
-	status_t (*callback) (ike_sa_t *this, identification_t *peer_id);
-
-	/**
-	 * Respond to a ME_CONNECT request.
-	 *
-	 * Data is cloned.
-	 *
-	 * @param peer_id		ID of the other peer
-	 * @param connect_id	the connect ID supplied by the initiator
-	 * @return
-	 * 						- SUCCESS if response started
-	 * 						- DESTROY_ME if response failed
-	 */
-	status_t (*respond) (ike_sa_t *this, identification_t *peer_id,
-						 chunk_t connect_id);
-#endif /* ME */
-
-	/**
-	 * Initiate a new connection.
-	 *
-	 * The configs are owned by the IKE_SA after the call. If the initiate
-	 * is triggered by a packet, traffic selectors of the packet can be added
-	 * to the CHILD_SA.
-	 *
-	 * @param child_cfg		child config to create CHILD from
-	 * @param reqid			reqid to use for CHILD_SA, 0 assigne uniquely
-	 * @param tsi			source of triggering packet
-	 * @param tsr			destination of triggering packet.
-	 * @return
-	 * 						- SUCCESS if initialization started
-	 * 						- DESTROY_ME if initialization failed
-	 */
-	status_t (*initiate) (ike_sa_t *this, child_cfg_t *child_cfg,
-						  u_int32_t reqid, traffic_selector_t *tsi,
-						  traffic_selector_t *tsr);
-
-	/**
-	 * Initiates the deletion of an IKE_SA.
-	 *
-	 * Sends a delete message to the remote peer and waits for
-	 * its response. If the response comes in, or a timeout occurs,
-	 * the IKE SA gets deleted.
-	 *
-	 * @return
-	 * 						- SUCCESS if deletion is initialized
-	 * 						- DESTROY_ME, if the IKE_SA is not in
-	 * 						  an established state and can not be
-	 * 						  deleted (but destroyed).
-	 */
-	status_t (*delete) (ike_sa_t *this);
-
-	/**
-	 * Update IKE_SAs after network interfaces have changed.
-	 *
-	 * Whenever the network interface configuration changes, the kernel
-	 * interface calls roam() on each IKE_SA. The IKE_SA then checks if
-	 * the new network config requires changes, and handles appropriate.
-	 * If MOBIKE is supported, addresses are updated; If not, the tunnel is
-	 * restarted.
-	 *
-	 * @param address		TRUE if address list changed, FALSE otherwise
-	 * @return				SUCCESS, FAILED, DESTROY_ME
-	 */
-	status_t (*roam)(ike_sa_t *this, bool address);
-
-	/**
-	 * Processes a incoming IKEv2-Message.
-	 *
-	 * Message processing may fail. If a critical failure occurs,
-	 * process_message() return DESTROY_ME. Then the caller must
-	 * destroy the IKE_SA immediatly, as it is unusable.
-	 *
-	 * @param message 		message to process
-	 * @return
-	 * 						- SUCCESS
-	 * 						- FAILED
-	 * 						- DESTROY_ME if this IKE_SA MUST be deleted
-	 */
-	status_t (*process_message) (ike_sa_t *this, message_t *message);
-
-	/**
-	 * Generate a IKE message to send it to the peer.
-	 *
-	 * This method generates all payloads in the message and encrypts/signs
-	 * the packet.
-	 *
-	 * @param message 		message to generate
-	 * @param packet		generated output packet
-	 * @return
-	 * 						- SUCCESS
-	 * 						- FAILED
-	 * 						- DESTROY_ME if this IKE_SA MUST be deleted
-	 */
-	status_t (*generate_message) (ike_sa_t *this, message_t *message,
-								  packet_t **packet);
-
-	/**
-	 * Retransmits a request.
-	 *
-	 * @param message_id	ID of the request to retransmit
-	 * @return
-	 * 						- SUCCESS
-	 * 						- NOT_FOUND if request doesn't have to be retransmited
-	 */
-	status_t (*retransmit) (ike_sa_t *this, u_int32_t message_id);
-
-	/**
-	 * Sends a DPD request to the peer.
-	 *
-	 * To check if a peer is still alive, periodic
-	 * empty INFORMATIONAL messages are sent if no
-	 * other traffic was received.
-	 *
-	 * @return
-	 * 						- SUCCESS
-	 * 						- DESTROY_ME, if peer did not respond
-	 */
-	status_t (*send_dpd) (ike_sa_t *this);
-
-	/**
-	 * Sends a keep alive packet.
-	 *
-	 * To refresh NAT tables in a NAT router
-	 * between the peers, periodic empty
-	 * UDP packets are sent if no other traffic
-	 * was sent.
-	 */
-	void (*send_keepalive) (ike_sa_t *this);
-
-	/**
-	 * Get the keying material of this IKE_SA.
-	 *
-	 * @return				per IKE_SA keymat instance
-	 */
-	keymat_t* (*get_keymat)(ike_sa_t *this);
-
-	/**
-	 * Associates a child SA to this IKE SA
-	 *
-	 * @param child_sa		child_sa to add
-	 */
-	void (*add_child_sa) (ike_sa_t *this, child_sa_t *child_sa);
-
-	/**
-	 * Get a CHILD_SA identified by protocol and SPI.
-	 *
-	 * @param protocol		protocol of the SA
-	 * @param spi			SPI of the CHILD_SA
-	 * @param inbound		TRUE if SPI is inbound, FALSE if outbound
-	 * @return				child_sa, or NULL if none found
-	 */
-	child_sa_t* (*get_child_sa) (ike_sa_t *this, protocol_id_t protocol,
-								 u_int32_t spi, bool inbound);
-
-	/**
-	 * Create an iterator over all CHILD_SAs.
-	 *
-	 * @return				iterator
-	 */
-	iterator_t* (*create_child_sa_iterator) (ike_sa_t *this);
-
-	/**
-	 * Rekey the CHILD SA with the specified reqid.
-	 *
-	 * Looks for a CHILD SA owned by this IKE_SA, and start the rekeing.
-	 *
-	 * @param protocol		protocol of the SA
-	 * @param spi			inbound SPI of the CHILD_SA
-	 * @return
-	 * 						- NOT_FOUND, if IKE_SA has no such CHILD_SA
-	 * 						- SUCCESS, if rekeying initiated
-	 */
-	status_t (*rekey_child_sa) (ike_sa_t *this, protocol_id_t protocol, u_int32_t spi);
-
-	/**
-	 * Close the CHILD SA with the specified protocol/SPI.
-	 *
-	 * Looks for a CHILD SA owned by this IKE_SA, deletes it and
-	 * notify's the remote peer about the delete. The associated
-	 * states and policies in the kernel get deleted, if they exist.
-	 *
-	 * @param protocol		protocol of the SA
-	 * @param spi			inbound SPI of the CHILD_SA
-	 * @return
-	 * 						- NOT_FOUND, if IKE_SA has no such CHILD_SA
-	 * 						- SUCCESS, if delete message sent
-	 */
-	status_t (*delete_child_sa) (ike_sa_t *this, protocol_id_t protocol, u_int32_t spi);
-
-	/**
-	 * Destroy a CHILD SA with the specified protocol/SPI.
-	 *
-	 * Looks for a CHILD SA owned by this IKE_SA and destroys it.
-	 *
-	 * @param protocol		protocol of the SA
-	 * @param spi			inbound SPI of the CHILD_SA
-	 * @return
-	 * 						- NOT_FOUND, if IKE_SA has no such CHILD_SA
-	 * 						- SUCCESS
-	 */
-	status_t (*destroy_child_sa) (ike_sa_t *this, protocol_id_t protocol, u_int32_t spi);
-
-	/**
-	 * Rekey the IKE_SA.
-	 *
-	 * Sets up a new IKE_SA, moves all CHILDs to it and deletes this IKE_SA.
-	 *
-	 * @return				- SUCCESS, if IKE_SA rekeying initiated
-	 */
-	status_t (*rekey) (ike_sa_t *this);
-
-	/**
-	 * Reauthenticate the IKE_SA.
-	 *
-	 * Create a completely new IKE_SA with authentication, recreates all children
-	 * within the IKE_SA, closes this IKE_SA.
-	 *
-	 * @return				DESTROY_ME to destroy the IKE_SA
-	 */
-	status_t (*reauth) (ike_sa_t *this);
-
-	/**
-	 * Restablish the IKE_SA.
-	 *
-	 * Reestablish an IKE_SA after it has been closed.
-	 *
-	 * @return				DESTROY_ME to destroy the IKE_SA
-	 */
-	status_t (*reestablish) (ike_sa_t *this);
-
-	/**
-	 * Set the lifetime limit received from a AUTH_LIFETIME notify.
-	 *
-	 * @param lifetime		lifetime in seconds
-	 */
-	void (*set_auth_lifetime)(ike_sa_t *this, u_int32_t lifetime);
-
-	/**
-	 * Set the virtual IP to use for this IKE_SA and its children.
-	 *
-	 * The virtual IP is assigned per IKE_SA, not per CHILD_SA. It has the same
-	 * lifetime as the IKE_SA.
-	 *
-	 * @param local			TRUE to set local address, FALSE for remote
-	 * @param ip			IP to set as virtual IP
-	 */
-	void (*set_virtual_ip) (ike_sa_t *this, bool local, host_t *ip);
-
-	/**
-	 * Get the virtual IP configured.
-	 *
-	 * @param local			TRUE to get local virtual IP, FALSE for remote
-	 * @return				host_t *virtual IP
-	 */
-	host_t* (*get_virtual_ip) (ike_sa_t *this, bool local);
-
-	/**
-	 * Register a configuration attribute to the IKE_SA.
-	 *
-	 * If an IRAS sends a configuration attribute it is installed and
-	 * registered at the IKE_SA. Attributes are inherit()ed and get released
-	 * when the IKE_SA is closed.
-	 *
-	 * @param handler		handler installed the attribute, use for release()
-	 * @param type			configuration attribute type
-	 * @param data			associated attribute data
-	 */
-	void (*add_configuration_attribute)(ike_sa_t *this,
-							attribute_handler_t *handler,
-							configuration_attribute_type_t type, chunk_t data);
-
-	/**
-	 * Set local and remote host addresses to be used for IKE.
-	 *
-	 * These addresses are communicated via the KMADDRESS field of a MIGRATE
-	 * message sent via the NETLINK or PF _KEY kernel socket interface.
-	 *
-	 * @param local			local kmaddress
-	 * @param remote		remote kmaddress
-	 */
-	void (*set_kmaddress) (ike_sa_t *this, host_t *local, host_t *remote);
-
-	/**
-	 * Inherit all attributes of other to this after rekeying.
-	 *
-	 * When rekeying is completed, all CHILD_SAs, the virtual IP and all
-	 * outstanding tasks are moved from other to this.
-	 * As this call may initiate inherited tasks, a status is returned.
-	 *
-	 * @param other			other task to inherit from
-	 * @return				DESTROY_ME if initiation of inherited task failed
-	 */
-	status_t (*inherit) (ike_sa_t *this, ike_sa_t *other);
-
-	/**
-	 * Reset the IKE_SA, useable when initiating fails
-	 */
-	void (*reset) (ike_sa_t *this);
-
-	/**
-	 * Destroys a ike_sa_t object.
-	 */
-	void (*destroy) (ike_sa_t *this);
-};
-
-/**
- * Creates an ike_sa_t object with a specific ID.
- *
- * @param ike_sa_id 	ike_sa_id_t object to associate with new IKE_SA
- * @return 				ike_sa_t object
- */
-ike_sa_t *ike_sa_create(ike_sa_id_t *ike_sa_id);
-
-#endif /** IKE_SA_H_ @}*/
diff --git a/src/charon/sa/ike_sa_id.c b/src/charon/sa/ike_sa_id.c
deleted file mode 100644
index 94c5405f2..000000000
--- a/src/charon/sa/ike_sa_id.c
+++ /dev/null
@@ -1,179 +0,0 @@
-/*
- * Copyright (C) 2005-2006 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "ike_sa_id.h"
-
-#include <stdio.h>
-
-
-typedef struct private_ike_sa_id_t private_ike_sa_id_t;
-
-/**
- * Private data of an ike_sa_id_t object.
- */
-struct private_ike_sa_id_t {
-	/**
-	 * Public interface of ike_sa_id_t.
-	 */
-	ike_sa_id_t public;
-
-	 /**
-	  * SPI of Initiator.
-	  */
-	u_int64_t initiator_spi;
-
-	 /**
-	  * SPI of Responder.
-	  */
-	u_int64_t responder_spi;
-
-	/**
-	 * Role for specific IKE_SA.
-	 */
-	bool is_initiator_flag;
-};
-
-/**
- * Implementation of ike_sa_id_t.set_responder_spi.
- */
-static void set_responder_spi (private_ike_sa_id_t *this, u_int64_t responder_spi)
-{
-	this->responder_spi = responder_spi;
-}
-
-/**
- * Implementation of ike_sa_id_t.set_initiator_spi.
- */
-static void set_initiator_spi(private_ike_sa_id_t *this, u_int64_t initiator_spi)
-{
-	this->initiator_spi = initiator_spi;
-}
-
-/**
- * Implementation of ike_sa_id_t.get_initiator_spi.
- */
-static u_int64_t get_initiator_spi (private_ike_sa_id_t *this)
-{
-	return this->initiator_spi;
-}
-
-/**
- * Implementation of ike_sa_id_t.get_responder_spi.
- */
-static u_int64_t get_responder_spi (private_ike_sa_id_t *this)
-{
-	return this->responder_spi;
-}
-
-/**
- * Implementation of ike_sa_id_t.equals.
- */
-static bool equals (private_ike_sa_id_t *this, private_ike_sa_id_t *other)
-{
-	if (other == NULL)
-	{
-		return FALSE;
-	}
-	if ((this->is_initiator_flag == other->is_initiator_flag) &&
-		(this->initiator_spi == other->initiator_spi) &&
-		(this->responder_spi == other->responder_spi))
-	{
-		/* private_ike_sa_id's are equal */
-		return TRUE;
-	}
-	else
-	{
-		/* private_ike_sa_id's are not equal */
-		return FALSE;
-	}
-}
-
-/**
- * Implementation of ike_sa_id_t.replace_values.
- */
-static void replace_values(private_ike_sa_id_t *this, private_ike_sa_id_t *other)
-{
-	this->initiator_spi = other->initiator_spi;
-	this->responder_spi = other->responder_spi;
-	this->is_initiator_flag = other->is_initiator_flag;
-}
-
-/**
- * Implementation of ike_sa_id_t.is_initiator.
- */
-static bool is_initiator(private_ike_sa_id_t *this)
-{
-	return this->is_initiator_flag;
-}
-
-/**
- * Implementation of ike_sa_id_t.switch_initiator.
- */
-static bool switch_initiator(private_ike_sa_id_t *this)
-{
-	if (this->is_initiator_flag)
-	{
-		this->is_initiator_flag = FALSE;
-	}
-	else
-	{
-		this->is_initiator_flag = TRUE;
-	}
-	return this->is_initiator_flag;
-}
-
-/**
- * Implementation of ike_sa_id_t.clone.
- */
-static ike_sa_id_t* clone_(private_ike_sa_id_t *this)
-{
-	return ike_sa_id_create(this->initiator_spi, this->responder_spi, this->is_initiator_flag);
-}
-
-/**
- * Implementation of ike_sa_id_t.destroy.
- */
-static void destroy(private_ike_sa_id_t *this)
-{
-	free(this);
-}
-
-/*
- * Described in header.
- */
-ike_sa_id_t * ike_sa_id_create(u_int64_t initiator_spi, u_int64_t responder_spi, bool is_initiator_flag)
-{
-	private_ike_sa_id_t *this = malloc_thing(private_ike_sa_id_t);
-
-	/* public functions */
-	this->public.set_responder_spi = (void(*)(ike_sa_id_t*,u_int64_t)) set_responder_spi;
-	this->public.set_initiator_spi = (void(*)(ike_sa_id_t*,u_int64_t)) set_initiator_spi;
-	this->public.get_responder_spi = (u_int64_t(*)(ike_sa_id_t*)) get_responder_spi;
-	this->public.get_initiator_spi = (u_int64_t(*)(ike_sa_id_t*)) get_initiator_spi;
-	this->public.equals = (bool(*)(ike_sa_id_t*,ike_sa_id_t*)) equals;
-	this->public.replace_values = (void(*)(ike_sa_id_t*,ike_sa_id_t*)) replace_values;
-	this->public.is_initiator = (bool(*)(ike_sa_id_t*)) is_initiator;
-	this->public.switch_initiator = (bool(*)(ike_sa_id_t*)) switch_initiator;
-	this->public.clone = (ike_sa_id_t*(*)(ike_sa_id_t*)) clone_;
-	this->public.destroy = (void(*)(ike_sa_id_t*))destroy;
-
-	/* private data */
-	this->initiator_spi = initiator_spi;
-	this->responder_spi = responder_spi;
-	this->is_initiator_flag = is_initiator_flag;
-
-	return &this->public;
-}
diff --git a/src/charon/sa/ike_sa_id.h b/src/charon/sa/ike_sa_id.h
deleted file mode 100644
index a833aa9d6..000000000
--- a/src/charon/sa/ike_sa_id.h
+++ /dev/null
@@ -1,126 +0,0 @@
-/*
- * Copyright (C) 2005-2006 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup ike_sa_id ike_sa_id
- * @{ @ingroup sa
- */
-
-#ifndef IKE_SA_ID_H_
-#define IKE_SA_ID_H_
-
-typedef struct ike_sa_id_t ike_sa_id_t;
-
-#include <library.h>
-
-/**
- * An object of type ike_sa_id_t is used to identify an IKE_SA.
- *
- * An IKE_SA is identified by its initiator and responder spi's.
- * Additionaly it contains the role of the actual running IKEv2-Daemon
- * for the specific IKE_SA (original initiator or responder).
- */
-struct ike_sa_id_t {
-
-	/**
-	 * Set the SPI of the responder.
-	 *
-	 * This function is called when a request or reply of a IKE_SA_INIT is received.
-	 *
-	 * @param responder_spi 	SPI of responder to set
-	 */
-	void (*set_responder_spi) (ike_sa_id_t *this, u_int64_t responder_spi);
-
-	/**
-	 * Set the SPI of the initiator.
-	 *
-	 * @param initiator_spi 	SPI to set
-	 */
-	void (*set_initiator_spi) (ike_sa_id_t *this, u_int64_t initiator_spi);
-
-	/**
-	 * Get the initiator SPI.
-	 *
-	 * @return 					SPI of the initiator
-	 */
-	u_int64_t (*get_initiator_spi) (ike_sa_id_t *this);
-
-	/**
-	 * Get the responder SPI.
-	 *
-	 * @return 					SPI of the responder
-	 */
-	u_int64_t (*get_responder_spi) (ike_sa_id_t *this);
-
-	/**
-	 * Check if two ike_sa_id_t objects are equal.
-	 *
-	 * Two ike_sa_id_t objects are equal if both SPI values and the role matches.
-	 *
-	 * @param other 			ike_sa_id_t object to check if equal
-	 * @return 					TRUE if given ike_sa_id_t are equal, FALSE otherwise
-	 */
-	bool (*equals) (ike_sa_id_t *this, ike_sa_id_t *other);
-
-	/**
-	 * Replace all values of a given ike_sa_id_t object with values.
-	 * from another ike_sa_id_t object.
-	 *
-	 * After calling this function, both objects are equal.
-	 *
-	 * @param other 			ike_sa_id_t object from which values will be taken
-	 */
-	void (*replace_values) (ike_sa_id_t *this, ike_sa_id_t *other);
-
-	/**
-	 * Get the initiator flag.
-	 *
-	 * @return 					TRUE if we are the original initator
-	 */
-	bool (*is_initiator) (ike_sa_id_t *this);
-
-	/**
-	 * Switche the original initiator flag.
-	 *
-	 * @return 					TRUE if we are the original initator after switch, FALSE otherwise
-	 */
-	bool (*switch_initiator) (ike_sa_id_t *this);
-
-	/**
-	 * Clones a given ike_sa_id_t object.
-	 *
-	 * @return 					cloned ike_sa_id_t object
-	 */
-	ike_sa_id_t *(*clone) (ike_sa_id_t *this);
-
-	/**
-	 * Destroys an ike_sa_id_t object.
-	 */
-	void (*destroy) (ike_sa_id_t *this);
-};
-
-/**
- * Creates an ike_sa_id_t object with specific SPI's and defined role.
- *
- * @param initiator_spi			initiators SPI
- * @param responder_spi			responders SPI
- * @param is_initiaor			TRUE if we are the original initiator
- * @return						ike_sa_id_t object
- */
-ike_sa_id_t * ike_sa_id_create(u_int64_t initiator_spi, u_int64_t responder_spi,
-							   bool is_initiaor);
-
-#endif /** IKE_SA_ID_H_ @}*/
diff --git a/src/charon/sa/ike_sa_manager.c b/src/charon/sa/ike_sa_manager.c
deleted file mode 100644
index 3ef0f3bb0..000000000
--- a/src/charon/sa/ike_sa_manager.c
+++ /dev/null
@@ -1,1741 +0,0 @@
-/*
- * Copyright (C) 2008 Tobias Brunner
- * Copyright (C) 2005-2008 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <string.h>
-
-#include "ike_sa_manager.h"
-
-#include <daemon.h>
-#include <sa/ike_sa_id.h>
-#include <bus/bus.h>
-#include <threading/condvar.h>
-#include <threading/mutex.h>
-#include <threading/rwlock.h>
-#include <utils/linked_list.h>
-#include <crypto/hashers/hasher.h>
-
-/* the default size of the hash table (MUST be a power of 2) */
-#define DEFAULT_HASHTABLE_SIZE 1
-
-/* the maximum size of the hash table (MUST be a power of 2) */
-#define MAX_HASHTABLE_SIZE (1 << 30)
-
-/* the default number of segments (MUST be a power of 2) */
-#define DEFAULT_SEGMENT_COUNT 1
-
-typedef struct entry_t entry_t;
-
-/**
- * An entry in the linked list, contains IKE_SA, locking and lookup data.
- */
-struct entry_t {
-
-	/**
-	 * Number of threads waiting for this ike_sa_t object.
-	 */
-	int waiting_threads;
-
-	/**
-	 * Condvar where threads can wait until ike_sa_t object is free for use again.
-	 */
-	condvar_t *condvar;
-
-	/**
-	 * Is this ike_sa currently checked out?
-	 */
-	bool checked_out;
-
-	/**
-	 * Does this SA drives out new threads?
-	 */
-	bool driveout_new_threads;
-
-	/**
-	 * Does this SA drives out waiting threads?
-	 */
-	bool driveout_waiting_threads;
-
-	/**
-	 * Identification of an IKE_SA (SPIs).
-	 */
-	ike_sa_id_t *ike_sa_id;
-
-	/**
-	 * The contained ike_sa_t object.
-	 */
-	ike_sa_t *ike_sa;
-
-	/**
-	 * hash of the IKE_SA_INIT message, used to detect retransmissions
-	 */
-	chunk_t init_hash;
-
-	/**
-	 * remote host address, required for DoS detection
-	 */
-	host_t *other;
-
-	/**
-	 * As responder: Is this SA half-open?
-	 */
-	bool half_open;
-
-	/**
-	 * own identity, required for duplicate checking
-	 */
-	identification_t *my_id;
-
-	/**
-	 * remote identity, required for duplicate checking
-	 */
-	identification_t *other_id;
-
-	/**
-	 * message ID currently processing, if any
-	 */
-	u_int32_t message_id;
-};
-
-/**
- * Implementation of entry_t.destroy.
- */
-static status_t entry_destroy(entry_t *this)
-{
-	/* also destroy IKE SA */
-	this->ike_sa->destroy(this->ike_sa);
-	this->ike_sa_id->destroy(this->ike_sa_id);
-	chunk_free(&this->init_hash);
-	DESTROY_IF(this->other);
-	DESTROY_IF(this->my_id);
-	DESTROY_IF(this->other_id);
-	this->condvar->destroy(this->condvar);
-	free(this);
-	return SUCCESS;
-}
-
-/**
- * Creates a new entry for the ike_sa_t list.
- */
-static entry_t *entry_create()
-{
-	entry_t *this = malloc_thing(entry_t);
-
-	this->waiting_threads = 0;
-	this->condvar = condvar_create(CONDVAR_TYPE_DEFAULT);
-
-	/* we set checkout flag when we really give it out */
-	this->checked_out = FALSE;
-	this->driveout_new_threads = FALSE;
-	this->driveout_waiting_threads = FALSE;
-	this->message_id = -1;
-	this->init_hash = chunk_empty;
-	this->other = NULL;
-	this->half_open = FALSE;
-	this->my_id = NULL;
-	this->other_id = NULL;
-	this->ike_sa_id = NULL;
-	this->ike_sa = NULL;
-
-	return this;
-}
-
-/**
- * Function that matches entry_t objects by initiator SPI and the hash of the
- * IKE_SA_INIT message.
- */
-static bool entry_match_by_hash(entry_t *entry, ike_sa_id_t *id, chunk_t *hash)
-{
-	return id->get_responder_spi(id) == 0 &&
-		id->is_initiator(id) == entry->ike_sa_id->is_initiator(entry->ike_sa_id) &&
-		id->get_initiator_spi(id) == entry->ike_sa_id->get_initiator_spi(entry->ike_sa_id) &&
-		chunk_equals(*hash, entry->init_hash);
-}
-
-/**
- * Function that matches entry_t objects by ike_sa_id_t.
- */
-static bool entry_match_by_id(entry_t *entry, ike_sa_id_t *id)
-{
-	if (id->equals(id, entry->ike_sa_id))
-	{
-		return TRUE;
-	}
-	if ((id->get_responder_spi(id) == 0 ||
-		 entry->ike_sa_id->get_responder_spi(entry->ike_sa_id) == 0) &&
-		id->is_initiator(id) == entry->ike_sa_id->is_initiator(entry->ike_sa_id) &&
-		id->get_initiator_spi(id) == entry->ike_sa_id->get_initiator_spi(entry->ike_sa_id))
-	{
-		/* this is TRUE for IKE_SAs that we initiated but have not yet received a response */
-		return TRUE;
-	}
-	return FALSE;
-}
-
-/**
- * Function that matches entry_t objects by ike_sa_t pointers.
- */
-static bool entry_match_by_sa(entry_t *entry, ike_sa_t *ike_sa)
-{
-	return entry->ike_sa == ike_sa;
-}
-
-/**
- * Hash function for ike_sa_id_t objects.
- */
-static u_int ike_sa_id_hash(ike_sa_id_t *ike_sa_id)
-{
-	/* we always use initiator spi as key */
-	return ike_sa_id->get_initiator_spi(ike_sa_id);
-}
-
-typedef struct half_open_t half_open_t;
-
-/**
- * Struct to manage half-open IKE_SAs per peer.
- */
-struct half_open_t {
-	/** chunk of remote host address */
-	chunk_t other;
-
-	/** the number of half-open IKE_SAs with that host */
-	u_int count;
-};
-
-/**
- * Destroys a half_open_t object.
- */
-static void half_open_destroy(half_open_t *this)
-{
-	chunk_free(&this->other);
-	free(this);
-}
-
-/**
- * Function that matches half_open_t objects by the given IP address chunk.
- */
-static bool half_open_match(half_open_t *half_open, chunk_t *addr)
-{
-	return chunk_equals(*addr, half_open->other);
-}
-
-typedef struct connected_peers_t connected_peers_t;
-
-struct connected_peers_t {
-	/** own identity */
-	identification_t *my_id;
-
-	/** remote identity */
-	identification_t *other_id;
-
-	/** list of ike_sa_id_t objects of IKE_SAs between the two identities */
-	linked_list_t *sas;
-};
-
-static void connected_peers_destroy(connected_peers_t *this)
-{
-	this->my_id->destroy(this->my_id);
-	this->other_id->destroy(this->other_id);
-	this->sas->destroy(this->sas);
-	free(this);
-}
-
-/**
- * Function that matches connected_peers_t objects by the given ids.
- */
-static bool connected_peers_match(connected_peers_t *connected_peers,
-							identification_t *my_id, identification_t *other_id)
-{
-	return my_id->equals(my_id, connected_peers->my_id) &&
-		   other_id->equals(other_id, connected_peers->other_id);
-}
-
-typedef struct segment_t segment_t;
-
-/**
- * Struct to manage segments of the hash table.
- */
-struct segment_t {
-	/** mutex to access a segment exclusively */
-	mutex_t *mutex;
-
-	/** the number of entries in this segment */
-	u_int count;
-};
-
-typedef struct shareable_segment_t shareable_segment_t;
-
-/**
- * Struct to manage segments of the "half-open" and "connected peers" hash tables.
- */
-struct shareable_segment_t {
-	/** rwlock to access a segment non-/exclusively */
-	rwlock_t *lock;
-
-	/** the number of entries in this segment - in case of the "half-open table"
-	 * it's the sum of all half_open_t.count in a segment. */
-	u_int count;
-};
-
-typedef struct private_ike_sa_manager_t private_ike_sa_manager_t;
-
-/**
- * Additional private members of ike_sa_manager_t.
- */
-struct private_ike_sa_manager_t {
-	/**
-	 * Public interface of ike_sa_manager_t.
-	 */
-	 ike_sa_manager_t public;
-
-	 /**
-	  * Hash table with entries for the ike_sa_t objects.
-	  */
-	 linked_list_t **ike_sa_table;
-
-	 /**
-	  * The size of the hash table.
-	  */
-	 u_int table_size;
-
-	 /**
-	  * Mask to map the hashes to table rows.
-	  */
-	 u_int table_mask;
-
-	 /**
-	  * Segments of the hash table.
-	  */
-	 segment_t *segments;
-
-	 /**
-	  * The number of segments.
-	  */
-	 u_int segment_count;
-
-	 /**
-	  * Mask to map a table row to a segment.
-	  */
-	 u_int segment_mask;
-
-	 /**
-	  * Hash table with half_open_t objects.
-	  */
-	 linked_list_t **half_open_table;
-
-	 /**
-	  * Segments of the "half-open" hash table.
-	  */
-	 shareable_segment_t *half_open_segments;
-
-	 /**
-	  * Hash table with connected_peers_t objects.
-	  */
-	 linked_list_t **connected_peers_table;
-
-	 /**
-	  * Segments of the "connected peers" hash table.
-	  */
-	 shareable_segment_t *connected_peers_segments;
-
-	 /**
-	  * RNG to get random SPIs for our side
-	  */
-	 rng_t *rng;
-
-	 /**
-	  * SHA1 hasher for IKE_SA_INIT retransmit detection
-	  */
-	 hasher_t *hasher;
-
-	/**
-	 * reuse existing IKE_SAs in checkout_by_config
-	 */
-	 bool reuse_ikesa;
-};
-
-/**
- * Acquire a lock to access the segment of the table row with the given index.
- * It also works with the segment index directly.
- */
-static void lock_single_segment(private_ike_sa_manager_t *this, u_int index)
-{
-	mutex_t *lock = this->segments[index & this->segment_mask].mutex;
-
-	lock->lock(lock);
-}
-
-/**
- * Release the lock required to access the segment of the table row with the given index.
- * It also works with the segment index directly.
- */
-static void unlock_single_segment(private_ike_sa_manager_t *this, u_int index)
-{
-	mutex_t *lock = this->segments[index & this->segment_mask].mutex;
-
-	lock->unlock(lock);
-}
-
-/**
- * Lock all segments
- */
-static void lock_all_segments(private_ike_sa_manager_t *this)
-{
-	u_int i;
-
-	for (i = 0; i < this->segment_count; ++i)
-	{
-		this->segments[i].mutex->lock(this->segments[i].mutex);
-	}
-}
-
-/**
- * Unlock all segments
- */
-static void unlock_all_segments(private_ike_sa_manager_t *this)
-{
-	u_int i;
-
-	for (i = 0; i < this->segment_count; ++i)
-	{
-		this->segments[i].mutex->unlock(this->segments[i].mutex);
-	}
-}
-
-typedef struct private_enumerator_t private_enumerator_t;
-
-/**
- * hash table enumerator implementation
- */
-struct private_enumerator_t {
-
-	/**
-	 * implements enumerator interface
-	 */
-	enumerator_t enumerator;
-
-	/**
-	 * associated ike_sa_manager_t
-	 */
-	private_ike_sa_manager_t *manager;
-
-	/**
-	 * current segment index
-	 */
-	u_int segment;
-
-	/**
-	 * currently enumerating entry
-	 */
-	entry_t *entry;
-
-	/**
-	 * current table row index
-	 */
-	u_int row;
-
-	/**
-	 * enumerator for the current table row
-	 */
-	enumerator_t *current;
-};
-
-/**
- * Implementation of private_enumerator_t.enumerator.enumerate.
- */
-static bool enumerate(private_enumerator_t *this, entry_t **entry, u_int *segment)
-{
-	if (this->entry)
-	{
-		this->entry->condvar->signal(this->entry->condvar);
-		this->entry = NULL;
-	}
-	while (this->segment < this->manager->segment_count)
-	{
-		while (this->row < this->manager->table_size)
-		{
-			if (this->current)
-			{
-				entry_t *item;
-
-				if (this->current->enumerate(this->current, &item))
-				{
-					*entry = this->entry = item;
-					*segment = this->segment;
-					return TRUE;
-				}
-				this->current->destroy(this->current);
-				this->current = NULL;
-				unlock_single_segment(this->manager, this->segment);
-			}
-			else
-			{
-				linked_list_t *list;
-
-				lock_single_segment(this->manager, this->segment);
-				if ((list = this->manager->ike_sa_table[this->row]) != NULL &&
-					 list->get_count(list))
-				{
-					this->current = list->create_enumerator(list);
-					continue;
-				}
-				unlock_single_segment(this->manager, this->segment);
-			}
-			this->row += this->manager->segment_count;
-		}
-		this->segment++;
-		this->row = this->segment;
-	}
-	return FALSE;
-}
-
-/**
- * Implementation of private_enumerator_t.enumerator.destroy.
- */
-static void enumerator_destroy(private_enumerator_t *this)
-{
-	if (this->entry)
-	{
-		this->entry->condvar->signal(this->entry->condvar);
-	}
-	if (this->current)
-	{
-		this->current->destroy(this->current);
-		unlock_single_segment(this->manager, this->segment);
-	}
-	free(this);
-}
-
-/**
- * Creates an enumerator to enumerate the entries in the hash table.
- */
-static enumerator_t* create_table_enumerator(private_ike_sa_manager_t *this)
-{
-	private_enumerator_t *enumerator = malloc_thing(private_enumerator_t);
-
-	enumerator->enumerator.enumerate = (void*)enumerate;
-	enumerator->enumerator.destroy = (void*)enumerator_destroy;
-	enumerator->manager = this;
-	enumerator->segment = 0;
-	enumerator->entry = NULL;
-	enumerator->row = 0;
-	enumerator->current = NULL;
-
-	return &enumerator->enumerator;
-}
-
-/**
- * Put an entry into the hash table.
- * Note: The caller has to unlock the returned segment.
- */
-static u_int put_entry(private_ike_sa_manager_t *this, entry_t *entry)
-{
-	linked_list_t *list;
-	u_int row = ike_sa_id_hash(entry->ike_sa_id) & this->table_mask;
-	u_int segment = row & this->segment_mask;
-
-	lock_single_segment(this, segment);
-	if ((list = this->ike_sa_table[row]) == NULL)
-	{
-		list = this->ike_sa_table[row] = linked_list_create();
-	}
-	list->insert_last(list, entry);
-	this->segments[segment].count++;
-	return segment;
-}
-
-/**
- * Remove an entry from the hash table.
- * Note: The caller MUST have a lock on the segment of this entry.
- */
-static void remove_entry(private_ike_sa_manager_t *this, entry_t *entry)
-{
-	linked_list_t *list;
-	u_int row = ike_sa_id_hash(entry->ike_sa_id) & this->table_mask;
-	u_int segment = row & this->segment_mask;
-
-	if ((list = this->ike_sa_table[row]) != NULL)
-	{
-		entry_t *current;
-
-		enumerator_t *enumerator = list->create_enumerator(list);
-		while (enumerator->enumerate(enumerator, &current))
-		{
-			if (current == entry)
-			{
-				list->remove_at(list, enumerator);
-				this->segments[segment].count--;
-				break;
-			}
-		}
-		enumerator->destroy(enumerator);
-	}
-}
-
-/**
- * Remove the entry at the current enumerator position.
- */
-static void remove_entry_at(private_enumerator_t *this)
-{
-	this->entry = NULL;
-	if (this->current)
-	{
-		linked_list_t *list = this->manager->ike_sa_table[this->row];
-		list->remove_at(list, this->current);
-		this->manager->segments[this->segment].count--;
-	}
-}
-
-/**
- * Find an entry using the provided match function to compare the entries for
- * equality.
- */
-static status_t get_entry_by_match_function(private_ike_sa_manager_t *this,
-					ike_sa_id_t *ike_sa_id, entry_t **entry, u_int *segment,
-					linked_list_match_t match, void *p1, void *p2)
-{
-	entry_t *current;
-	linked_list_t *list;
-	u_int row = ike_sa_id_hash(ike_sa_id) & this->table_mask;
-	u_int seg = row & this->segment_mask;
-
-	lock_single_segment(this, seg);
-	if ((list = this->ike_sa_table[row]) != NULL)
-	{
-		if (list->find_first(list, match, (void**)&current, p1, p2) == SUCCESS)
-		{
-			*entry = current;
-			*segment = seg;
-			/* the locked segment has to be unlocked by the caller */
-			return SUCCESS;
-		}
-	}
-	unlock_single_segment(this, seg);
-	return NOT_FOUND;
-}
-
-/**
- * Find an entry by ike_sa_id_t.
- * Note: On SUCCESS, the caller has to unlock the segment.
- */
-static status_t get_entry_by_id(private_ike_sa_manager_t *this,
-						ike_sa_id_t *ike_sa_id, entry_t **entry, u_int *segment)
-{
-	return get_entry_by_match_function(this, ike_sa_id, entry, segment,
-				(linked_list_match_t)entry_match_by_id, ike_sa_id, NULL);
-}
-
-/**
- * Find an entry by initiator SPI and IKE_SA_INIT hash.
- * Note: On SUCCESS, the caller has to unlock the segment.
- */
-static status_t get_entry_by_hash(private_ike_sa_manager_t *this,
-			ike_sa_id_t *ike_sa_id, chunk_t hash, entry_t **entry, u_int *segment)
-{
-	return get_entry_by_match_function(this, ike_sa_id, entry, segment,
-				(linked_list_match_t)entry_match_by_hash, ike_sa_id, &hash);
-}
-
-/**
- * Find an entry by IKE_SA pointer.
- * Note: On SUCCESS, the caller has to unlock the segment.
- */
-static status_t get_entry_by_sa(private_ike_sa_manager_t *this,
-			ike_sa_id_t *ike_sa_id, ike_sa_t *ike_sa, entry_t **entry, u_int *segment)
-{
-	return get_entry_by_match_function(this, ike_sa_id, entry, segment,
-				(linked_list_match_t)entry_match_by_sa, ike_sa, NULL);
-}
-
-/**
- * Wait until no other thread is using an IKE_SA, return FALSE if entry not
- * acquirable.
- */
-static bool wait_for_entry(private_ike_sa_manager_t *this, entry_t *entry,
-						   u_int segment)
-{
-	if (entry->driveout_new_threads)
-	{
-		/* we are not allowed to get this */
-		return FALSE;
-	}
-	while (entry->checked_out && !entry->driveout_waiting_threads)
-	{
-		/* so wait until we can get it for us.
-		 * we register us as waiting. */
-		entry->waiting_threads++;
-		entry->condvar->wait(entry->condvar, this->segments[segment].mutex);
-		entry->waiting_threads--;
-	}
-	/* hm, a deletion request forbids us to get this SA, get next one */
-	if (entry->driveout_waiting_threads)
-	{
-		/* we must signal here, others may be waiting on it, too */
-		entry->condvar->signal(entry->condvar);
-		return FALSE;
-	}
-	return TRUE;
-}
-
-/**
- * Put a half-open SA into the hash table.
- */
-static void put_half_open(private_ike_sa_manager_t *this, entry_t *entry)
-{
-	half_open_t *half_open = NULL;
-	linked_list_t *list;
-	chunk_t addr = entry->other->get_address(entry->other);
-	u_int row = chunk_hash(addr) & this->table_mask;
-	u_int segment = row & this->segment_mask;
-
-	rwlock_t *lock = this->half_open_segments[segment].lock;
-	lock->write_lock(lock);
-	if ((list = this->half_open_table[row]) == NULL)
-	{
-		list = this->half_open_table[row] = linked_list_create();
-	}
-	else
-	{
-		half_open_t *current;
-		if (list->find_first(list, (linked_list_match_t)half_open_match,
-							 (void**)&current, &addr) == SUCCESS)
-		{
-			half_open = current;
-			half_open->count++;
-			this->half_open_segments[segment].count++;
-		}
-	}
-
-	if (!half_open)
-	{
-		half_open = malloc_thing(half_open_t);
-		half_open->other = chunk_clone(addr);
-		half_open->count = 1;
-		list->insert_last(list, half_open);
-		this->half_open_segments[segment].count++;
-	}
-	lock->unlock(lock);
-}
-
-/**
- * Remove a half-open SA from the hash table.
- */
-static void remove_half_open(private_ike_sa_manager_t *this, entry_t *entry)
-{
-	linked_list_t *list;
-	chunk_t addr = entry->other->get_address(entry->other);
-	u_int row = chunk_hash(addr) & this->table_mask;
-	u_int segment = row & this->segment_mask;
-
-	rwlock_t *lock = this->half_open_segments[segment].lock;
-	lock->write_lock(lock);
-	if ((list = this->half_open_table[row]) != NULL)
-	{
-		half_open_t *current;
-		enumerator_t *enumerator = list->create_enumerator(list);
-		while (enumerator->enumerate(enumerator, &current))
-		{
-			if (half_open_match(current, &addr))
-			{
-				if (--current->count == 0)
-				{
-					list->remove_at(list, enumerator);
-					half_open_destroy(current);
-				}
-				this->half_open_segments[segment].count--;
-				break;
-			}
-		}
-		enumerator->destroy(enumerator);
-	}
-	lock->unlock(lock);
-}
-
-/**
- * Put an SA between two peers into the hash table.
- */
-static void put_connected_peers(private_ike_sa_manager_t *this, entry_t *entry)
-{
-	linked_list_t *list;
-	connected_peers_t *connected_peers = NULL;
-	chunk_t my_id = entry->my_id->get_encoding(entry->my_id),
-			other_id = entry->other_id->get_encoding(entry->other_id);
-	u_int row = chunk_hash_inc(other_id, chunk_hash(my_id)) & this->table_mask;
-	u_int segment = row & this->segment_mask;
-
-	rwlock_t *lock = this->connected_peers_segments[segment].lock;
-	lock->write_lock(lock);
-	if ((list = this->connected_peers_table[row]) == NULL)
-	{
-		list = this->connected_peers_table[row] = linked_list_create();
-	}
-	else
-	{
-		connected_peers_t *current;
-		if (list->find_first(list, (linked_list_match_t)connected_peers_match,
-					(void**)&current, entry->my_id, entry->other_id) == SUCCESS)
-		{
-			connected_peers = current;
-			if (connected_peers->sas->find_first(connected_peers->sas,
-					(linked_list_match_t)entry->ike_sa_id->equals,
-					NULL, entry->ike_sa_id) == SUCCESS)
-			{
-				lock->unlock(lock);
-				return;
-			}
-		}
-	}
-
-	if (!connected_peers)
-	{
-		connected_peers = malloc_thing(connected_peers_t);
-		connected_peers->my_id = entry->my_id->clone(entry->my_id);
-		connected_peers->other_id = entry->other_id->clone(entry->other_id);
-		connected_peers->sas = linked_list_create();
-		list->insert_last(list, connected_peers);
-	}
-	connected_peers->sas->insert_last(connected_peers->sas,
-									  entry->ike_sa_id->clone(entry->ike_sa_id));
-	this->connected_peers_segments[segment].count++;
-	lock->unlock(lock);
-}
-
-/**
- * Remove an SA between two peers from the hash table.
- */
-static void remove_connected_peers(private_ike_sa_manager_t *this, entry_t *entry)
-{
-	linked_list_t *list;
-	chunk_t my_id = entry->my_id->get_encoding(entry->my_id),
-			other_id = entry->other_id->get_encoding(entry->other_id);
-	u_int row = chunk_hash_inc(other_id, chunk_hash(my_id)) & this->table_mask;
-	u_int segment = row & this->segment_mask;
-
-	rwlock_t *lock = this->connected_peers_segments[segment].lock;
-	lock->write_lock(lock);
-	if ((list = this->connected_peers_table[row]) != NULL)
-	{
-		connected_peers_t *current;
-		enumerator_t *enumerator = list->create_enumerator(list);
-		while (enumerator->enumerate(enumerator, &current))
-		{
-			if (connected_peers_match(current, entry->my_id, entry->other_id))
-			{
-				ike_sa_id_t *ike_sa_id;
-				enumerator_t *inner = current->sas->create_enumerator(current->sas);
-				while (inner->enumerate(inner, &ike_sa_id))
-				{
-					if (ike_sa_id->equals(ike_sa_id, entry->ike_sa_id))
-					{
-						current->sas->remove_at(current->sas, inner);
-						ike_sa_id->destroy(ike_sa_id);
-						this->connected_peers_segments[segment].count--;
-						break;
-					}
-				}
-				inner->destroy(inner);
-				if (current->sas->get_count(current->sas) == 0)
-				{
-					list->remove_at(list, enumerator);
-					connected_peers_destroy(current);
-				}
-				break;
-			}
-		}
-		enumerator->destroy(enumerator);
-	}
-	lock->unlock(lock);
-}
-
-/**
- * Implementation of private_ike_sa_manager_t.get_next_spi.
- */
-static u_int64_t get_next_spi(private_ike_sa_manager_t *this)
-{
-	u_int64_t spi;
-
-	this->rng->get_bytes(this->rng, sizeof(spi), (u_int8_t*)&spi);
-	return spi;
-}
-
-/**
- * Implementation of of ike_sa_manager.checkout.
- */
-static ike_sa_t* checkout(private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id)
-{
-	ike_sa_t *ike_sa = NULL;
-	entry_t *entry;
-	u_int segment;
-
-	DBG2(DBG_MGR, "checkout IKE_SA");
-
-	if (get_entry_by_id(this, ike_sa_id, &entry, &segment) == SUCCESS)
-	{
-		if (wait_for_entry(this, entry, segment))
-		{
-			DBG2(DBG_MGR, "IKE_SA successfully checked out");
-			entry->checked_out = TRUE;
-			ike_sa = entry->ike_sa;
-		}
-		unlock_single_segment(this, segment);
-	}
-	charon->bus->set_sa(charon->bus, ike_sa);
-	return ike_sa;
-}
-
-/**
- * Implementation of of ike_sa_manager.checkout_new.
- */
-static ike_sa_t *checkout_new(private_ike_sa_manager_t* this, bool initiator)
-{
-	ike_sa_id_t *ike_sa_id;
-	ike_sa_t *ike_sa;
-	entry_t *entry;
-	u_int segment;
-
-	if (initiator)
-	{
-		ike_sa_id = ike_sa_id_create(get_next_spi(this), 0, TRUE);
-	}
-	else
-	{
-		ike_sa_id = ike_sa_id_create(0, get_next_spi(this), FALSE);
-	}
-	ike_sa = ike_sa_create(ike_sa_id);
-
-	DBG2(DBG_MGR, "created IKE_SA");
-
-	if (!initiator)
-	{
-		ike_sa_id->destroy(ike_sa_id);
-		return ike_sa;
-	}
-
-	entry = entry_create();
-	entry->ike_sa_id = ike_sa_id;
-	entry->ike_sa = ike_sa;
-	segment = put_entry(this, entry);
-	entry->checked_out = TRUE;
-	unlock_single_segment(this, segment);
-	return entry->ike_sa;
-}
-
-/**
- * Implementation of of ike_sa_manager.checkout_by_message.
- */
-static ike_sa_t* checkout_by_message(private_ike_sa_manager_t* this,
-									 message_t *message)
-{
-	u_int segment;
-	entry_t *entry;
-	ike_sa_t *ike_sa = NULL;
-	ike_sa_id_t *id = message->get_ike_sa_id(message);
-
-	id = id->clone(id);
-	id->switch_initiator(id);
-
-	DBG2(DBG_MGR, "checkout IKE_SA by message");
-
-	if (message->get_request(message) &&
-		message->get_exchange_type(message) == IKE_SA_INIT)
-	{
-		/* IKE_SA_INIT request. Check for an IKE_SA with such a message hash. */
-		chunk_t data, hash;
-
-		data = message->get_packet_data(message);
-		this->hasher->allocate_hash(this->hasher, data, &hash);
-		chunk_free(&data);
-
-		if (get_entry_by_hash(this, id, hash, &entry, &segment) == SUCCESS)
-		{
-			if (entry->message_id == 0)
-			{
-				unlock_single_segment(this, segment);
-				chunk_free(&hash);
-				id->destroy(id);
-				DBG1(DBG_MGR, "ignoring IKE_SA_INIT, already processing");
-				return NULL;
-			}
-			else if (wait_for_entry(this, entry, segment))
-			{
-				DBG2(DBG_MGR, "IKE_SA checked out by hash");
-				entry->checked_out = TRUE;
-				entry->message_id = message->get_message_id(message);
-				ike_sa = entry->ike_sa;
-			}
-			unlock_single_segment(this, segment);
-		}
-
-		if (ike_sa == NULL)
-		{
-			if (id->get_responder_spi(id) == 0 &&
-				message->get_exchange_type(message) == IKE_SA_INIT)
-			{
-				/* no IKE_SA found, create a new one */
-				id->set_responder_spi(id, get_next_spi(this));
-				entry = entry_create();
-				entry->ike_sa = ike_sa_create(id);
-				entry->ike_sa_id = id->clone(id);
-
-				segment = put_entry(this, entry);
-				entry->checked_out = TRUE;
-				unlock_single_segment(this, segment);
-
-				entry->message_id = message->get_message_id(message);
-				entry->init_hash = hash;
-				ike_sa = entry->ike_sa;
-
-				DBG2(DBG_MGR, "created IKE_SA");
-			}
-			else
-			{
-				chunk_free(&hash);
-				DBG1(DBG_MGR, "ignoring message, no such IKE_SA");
-			}
-		}
-		else
-		{
-			chunk_free(&hash);
-		}
-		id->destroy(id);
-		charon->bus->set_sa(charon->bus, ike_sa);
-		return ike_sa;
-	}
-
-	if (get_entry_by_id(this, id, &entry, &segment) == SUCCESS)
-	{
-		/* only check out if we are not processing this request */
-		if (message->get_request(message) &&
-			message->get_message_id(message) == entry->message_id)
-		{
-			DBG1(DBG_MGR, "ignoring request with ID %d, already processing",
-				 entry->message_id);
-		}
-		else if (wait_for_entry(this, entry, segment))
-		{
-			ike_sa_id_t *ike_id = entry->ike_sa->get_id(entry->ike_sa);
-			DBG2(DBG_MGR, "IKE_SA successfully checked out");
-			entry->checked_out = TRUE;
-			entry->message_id = message->get_message_id(message);
-			if (ike_id->get_responder_spi(ike_id) == 0)
-			{
-				ike_id->set_responder_spi(ike_id, id->get_responder_spi(id));
-			}
-			ike_sa = entry->ike_sa;
-		}
-		unlock_single_segment(this, segment);
-	}
-	id->destroy(id);
-	charon->bus->set_sa(charon->bus, ike_sa);
-	return ike_sa;
-}
-
-/**
- * Implementation of of ike_sa_manager.checkout_by_config.
- */
-static ike_sa_t* checkout_by_config(private_ike_sa_manager_t *this,
-									peer_cfg_t *peer_cfg)
-{
-	enumerator_t *enumerator;
-	entry_t *entry;
-	ike_sa_t *ike_sa = NULL;
-	peer_cfg_t *current_peer;
-	ike_cfg_t *current_ike;
-	u_int segment;
-
-	if (!this->reuse_ikesa)
-	{	/* IKE_SA reuse disable by config */
-		ike_sa = checkout_new(this, TRUE);
-		charon->bus->set_sa(charon->bus, ike_sa);
-		return ike_sa;
-	}
-
-	enumerator = create_table_enumerator(this);
-	while (enumerator->enumerate(enumerator, &entry, &segment))
-	{
-		if (!wait_for_entry(this, entry, segment))
-		{
-			continue;
-		}
-		if (entry->ike_sa->get_state(entry->ike_sa) == IKE_DELETING)
-		{	/* skip IKE_SAs which are not usable */
-			continue;
-		}
-
-		current_peer = entry->ike_sa->get_peer_cfg(entry->ike_sa);
-		if (current_peer && current_peer->equals(current_peer, peer_cfg))
-		{
-			current_ike = current_peer->get_ike_cfg(current_peer);
-			if (current_ike->equals(current_ike, peer_cfg->get_ike_cfg(peer_cfg)))
-			{
-				DBG2(DBG_MGR, "found an existing IKE_SA with a '%s' config",
-					 current_peer->get_name(current_peer));
-				entry->checked_out = TRUE;
-				ike_sa = entry->ike_sa;
-				break;
-			}
-		}
-	}
-	enumerator->destroy(enumerator);
-
-	if (!ike_sa)
-	{	/* no IKE_SA using such a config, hand out a new */
-		ike_sa = checkout_new(this, TRUE);
-	}
-	charon->bus->set_sa(charon->bus, ike_sa);
-	return ike_sa;
-}
-
-/**
- * Implementation of of ike_sa_manager.checkout_by_id.
- */
-static ike_sa_t* checkout_by_id(private_ike_sa_manager_t *this, u_int32_t id,
-								bool child)
-{
-	enumerator_t *enumerator;
-	iterator_t *children;
-	entry_t *entry;
-	ike_sa_t *ike_sa = NULL;
-	child_sa_t *child_sa;
-	u_int segment;
-
-	enumerator = create_table_enumerator(this);
-	while (enumerator->enumerate(enumerator, &entry, &segment))
-	{
-		if (wait_for_entry(this, entry, segment))
-		{
-			/* look for a child with such a reqid ... */
-			if (child)
-			{
-				children = entry->ike_sa->create_child_sa_iterator(entry->ike_sa);
-				while (children->iterate(children, (void**)&child_sa))
-				{
-					if (child_sa->get_reqid(child_sa) == id)
-					{
-						ike_sa = entry->ike_sa;
-						break;
-					}
-				}
-				children->destroy(children);
-			}
-			else /* ... or for a IKE_SA with such a unique id */
-			{
-				if (entry->ike_sa->get_unique_id(entry->ike_sa) == id)
-				{
-					ike_sa = entry->ike_sa;
-				}
-			}
-			/* got one, return */
-			if (ike_sa)
-			{
-				entry->checked_out = TRUE;
-				break;
-			}
-		}
-	}
-	enumerator->destroy(enumerator);
-
-	charon->bus->set_sa(charon->bus, ike_sa);
-	return ike_sa;
-}
-
-/**
- * Implementation of of ike_sa_manager.checkout_by_name.
- */
-static ike_sa_t* checkout_by_name(private_ike_sa_manager_t *this, char *name,
-								  bool child)
-{
-	enumerator_t *enumerator;
-	iterator_t *children;
-	entry_t *entry;
-	ike_sa_t *ike_sa = NULL;
-	child_sa_t *child_sa;
-	u_int segment;
-
-	enumerator = create_table_enumerator(this);
-	while (enumerator->enumerate(enumerator, &entry, &segment))
-	{
-		if (wait_for_entry(this, entry, segment))
-		{
-			/* look for a child with such a policy name ... */
-			if (child)
-			{
-				children = entry->ike_sa->create_child_sa_iterator(entry->ike_sa);
-				while (children->iterate(children, (void**)&child_sa))
-				{
-					if (streq(child_sa->get_name(child_sa), name))
-					{
-						ike_sa = entry->ike_sa;
-						break;
-					}
-				}
-				children->destroy(children);
-			}
-			else /* ... or for a IKE_SA with such a connection name */
-			{
-				if (streq(entry->ike_sa->get_name(entry->ike_sa), name))
-				{
-					ike_sa = entry->ike_sa;
-				}
-			}
-			/* got one, return */
-			if (ike_sa)
-			{
-				entry->checked_out = TRUE;
-				break;
-			}
-		}
-	}
-	enumerator->destroy(enumerator);
-
-	charon->bus->set_sa(charon->bus, ike_sa);
-	return ike_sa;
-}
-
-/**
- * enumerator filter function
- */
-static bool enumerator_filter(private_ike_sa_manager_t *this,
-							  entry_t **in, ike_sa_t **out, u_int *segment)
-{
-	if (wait_for_entry(this, *in, *segment))
-	{
-		*out = (*in)->ike_sa;
-		return TRUE;
-	}
-	return FALSE;
-}
-
-/**
- * Implementation of ike_sa_manager_t.create_enumerator.
- */
-static enumerator_t *create_enumerator(private_ike_sa_manager_t* this)
-{
-	return enumerator_create_filter(
-						create_table_enumerator(this),
-						(void*)enumerator_filter, this, NULL);
-}
-
-/**
- * Implementation of ike_sa_manager_t.checkin.
- */
-static void checkin(private_ike_sa_manager_t *this, ike_sa_t *ike_sa)
-{
-	/* to check the SA back in, we look for the pointer of the ike_sa
-	 * in all entries.
-	 * The lookup is done by initiator SPI, so even if the SPI has changed (e.g.
-	 * on reception of a IKE_SA_INIT response) the lookup will work but
-	 * updating of the SPI MAY be necessary...
-	 */
-	entry_t *entry;
-	ike_sa_id_t *ike_sa_id;
-	host_t *other;
-	identification_t *my_id, *other_id;
-	u_int segment;
-
-	ike_sa_id = ike_sa->get_id(ike_sa);
-	my_id = ike_sa->get_my_id(ike_sa);
-	other_id = ike_sa->get_other_id(ike_sa);
-	other = ike_sa->get_other_host(ike_sa);
-
-	DBG2(DBG_MGR, "checkin IKE_SA");
-
-	/* look for the entry */
-	if (get_entry_by_sa(this, ike_sa_id, ike_sa, &entry, &segment) == SUCCESS)
-	{
-		/* ike_sa_id must be updated */
-		entry->ike_sa_id->replace_values(entry->ike_sa_id, ike_sa->get_id(ike_sa));
-		/* signal waiting threads */
-		entry->checked_out = FALSE;
-		entry->message_id = -1;
-		/* check if this SA is half-open */
-		if (entry->half_open && ike_sa->get_state(ike_sa) != IKE_CONNECTING)
-		{
-			/* not half open anymore */
-			entry->half_open = FALSE;
-			remove_half_open(this, entry);
-		}
-		else if (entry->half_open && !other->ip_equals(other, entry->other))
-		{
-			/* the other host's IP has changed, we must update the hash table */
-			remove_half_open(this, entry);
-			DESTROY_IF(entry->other);
-			entry->other = other->clone(other);
-			put_half_open(this, entry);
-		}
-		else if (!entry->half_open &&
-				 !entry->ike_sa_id->is_initiator(entry->ike_sa_id) &&
-				 ike_sa->get_state(ike_sa) == IKE_CONNECTING)
-		{
-			/* this is a new half-open SA */
-			entry->half_open = TRUE;
-			entry->other = other->clone(other);
-			put_half_open(this, entry);
-		}
-		DBG2(DBG_MGR, "check-in of IKE_SA successful.");
-		entry->condvar->signal(entry->condvar);
-	}
-	else
-	{
-		entry = entry_create();
-		entry->ike_sa_id = ike_sa_id->clone(ike_sa_id);
-		entry->ike_sa = ike_sa;
-		segment = put_entry(this, entry);
-	}
-
-	/* apply identities for duplicate test (only as responder) */
-	if (!entry->ike_sa_id->is_initiator(entry->ike_sa_id) &&
-		ike_sa->get_state(ike_sa) == IKE_ESTABLISHED &&
-		entry->my_id == NULL && entry->other_id == NULL)
-	{
-		entry->my_id = my_id->clone(my_id);
-		entry->other_id = other_id->clone(other_id);
-		put_connected_peers(this, entry);
-	}
-
-	unlock_single_segment(this, segment);
-
-	charon->bus->set_sa(charon->bus, NULL);
-}
-
-/**
- * Implementation of ike_sa_manager_t.checkin_and_destroy.
- */
-static void checkin_and_destroy(private_ike_sa_manager_t *this, ike_sa_t *ike_sa)
-{
-	/* deletion is a bit complex, we must ensure that no thread is waiting for
-	 * this SA.
-	 * We take this SA from the table, and start signaling while threads
-	 * are in the condvar.
-	 */
-	entry_t *entry;
-	ike_sa_id_t *ike_sa_id;
-	u_int segment;
-
-	ike_sa_id = ike_sa->get_id(ike_sa);
-
-	DBG2(DBG_MGR, "checkin and destroy IKE_SA");
-
-	if (get_entry_by_sa(this, ike_sa_id, ike_sa, &entry, &segment) == SUCCESS)
-	{
-		/* drive out waiting threads, as we are in hurry */
-		entry->driveout_waiting_threads = TRUE;
-		/* mark it, so no new threads can get this entry */
-		entry->driveout_new_threads = TRUE;
-		/* wait until all workers have done their work */
-		while (entry->waiting_threads)
-		{
-			/* wake up all */
-			entry->condvar->broadcast(entry->condvar);
-			/* they will wake us again when their work is done */
-			entry->condvar->wait(entry->condvar, this->segments[segment].mutex);
-		}
-		remove_entry(this, entry);
-		unlock_single_segment(this, segment);
-
-		if (entry->half_open)
-		{
-			remove_half_open(this, entry);
-		}
-		if (!entry->ike_sa_id->is_initiator(entry->ike_sa_id) &&
-			entry->my_id && entry->other_id)
-		{
-			remove_connected_peers(this, entry);
-		}
-
-		entry_destroy(entry);
-
-		DBG2(DBG_MGR, "check-in and destroy of IKE_SA successful");
-	}
-	else
-	{
-		DBG1(DBG_MGR, "tried to check-in and delete nonexisting IKE_SA");
-		ike_sa->destroy(ike_sa);
-	}
-	charon->bus->set_sa(charon->bus, NULL);
-}
-
-
-/**
- * Implementation of ike_sa_manager_t.check_uniqueness.
- */
-static bool check_uniqueness(private_ike_sa_manager_t *this, ike_sa_t *ike_sa)
-{
-	bool cancel = FALSE;
-	peer_cfg_t *peer_cfg;
-	unique_policy_t policy;
-	linked_list_t *list, *duplicate_ids = NULL;
-	enumerator_t *enumerator;
-	ike_sa_id_t *duplicate_id = NULL;
-	identification_t *me, *other;
-	u_int row, segment;
-	rwlock_t *lock;
-
-	peer_cfg = ike_sa->get_peer_cfg(ike_sa);
-	policy = peer_cfg->get_unique_policy(peer_cfg);
-	if (policy == UNIQUE_NO)
-	{
-		return FALSE;
-	}
-
-	me = ike_sa->get_my_id(ike_sa);
-	other = ike_sa->get_other_id(ike_sa);
-
-	row = chunk_hash_inc(other->get_encoding(other),
-						 chunk_hash(me->get_encoding(me))) & this->table_mask;
-	segment = row & this->segment_mask;
-
-	lock = this->connected_peers_segments[segment & this->segment_mask].lock;
-	lock->read_lock(lock);
-	if ((list = this->connected_peers_table[row]) != NULL)
-	{
-		connected_peers_t *current;
-
-		if (list->find_first(list, (linked_list_match_t)connected_peers_match,
-							 (void**)&current, me, other) == SUCCESS)
-		{
-			/* clone the list, so we can release the lock */
-			duplicate_ids = current->sas->clone_offset(current->sas,
-												offsetof(ike_sa_id_t, clone));
-		}
-	}
-	lock->unlock(lock);
-
-	if (!duplicate_ids)
-	{
-		return FALSE;
-	}
-
-	enumerator = duplicate_ids->create_enumerator(duplicate_ids);
-	while (enumerator->enumerate(enumerator, &duplicate_id))
-	{
-		status_t status = SUCCESS;
-		ike_sa_t *duplicate;
-
-		duplicate = checkout(this, duplicate_id);
-		if (!duplicate)
-		{
-			continue;
-		}
-		peer_cfg = duplicate->get_peer_cfg(duplicate);
-		if (peer_cfg && peer_cfg->equals(peer_cfg, ike_sa->get_peer_cfg(ike_sa)))
-		{
-			switch (duplicate->get_state(duplicate))
-			{
-				case IKE_ESTABLISHED:
-				case IKE_REKEYING:
-					switch (policy)
-					{
-						case UNIQUE_REPLACE:
-							DBG1(DBG_IKE, "deleting duplicate IKE_SA for peer "
-									"'%Y' due to uniqueness policy", other);
-							status = duplicate->delete(duplicate);
-							break;
-						case UNIQUE_KEEP:
-							cancel = TRUE;
-							/* we keep the first IKE_SA and delete all
-							 * other duplicates that might exist */
-							policy = UNIQUE_REPLACE;
-							break;
-						default:
-							break;
-					}
-					break;
-				default:
-					break;
-			}
-		}
-		if (status == DESTROY_ME)
-		{
-			checkin_and_destroy(this, duplicate);
-		}
-		else
-		{
-			checkin(this, duplicate);
-		}
-	}
-	enumerator->destroy(enumerator);
-	duplicate_ids->destroy_offset(duplicate_ids, offsetof(ike_sa_id_t, destroy));
-	/* reset thread's current IKE_SA after checkin */
-	charon->bus->set_sa(charon->bus, ike_sa);
-	return cancel;
-}
-
-/**
- * Implementation of ike_sa_manager_t.get_half_open_count.
- */
-static int get_half_open_count(private_ike_sa_manager_t *this, host_t *ip)
-{
-	int count = 0;
-
-	if (ip)
-	{
-		linked_list_t *list;
-		chunk_t addr = ip->get_address(ip);
-		u_int row = chunk_hash(addr) & this->table_mask;
-		u_int segment = row & this->segment_mask;
-
-		rwlock_t *lock = this->half_open_segments[segment & this->segment_mask].lock;
-		lock->read_lock(lock);
-		if ((list = this->half_open_table[row]) != NULL)
-		{
-			half_open_t *current;
-
-			if (list->find_first(list, (linked_list_match_t)half_open_match,
-								 (void**)&current, &addr) == SUCCESS)
-			{
-				count = current->count;
-			}
-		}
-		lock->unlock(lock);
-	}
-	else
-	{
-		u_int segment;
-
-		for (segment = 0; segment < this->segment_count; ++segment)
-		{
-			rwlock_t *lock;
-			lock = this->half_open_segments[segment & this->segment_mask].lock;
-			lock->read_lock(lock);
-			count += this->half_open_segments[segment].count;
-			lock->unlock(lock);
-		}
-	}
-
-	return count;
-}
-
-/**
- * Implementation of ike_sa_manager_t.flush.
- */
-static void flush(private_ike_sa_manager_t *this)
-{
-	/* destroy all list entries */
-	enumerator_t *enumerator;
-	entry_t *entry;
-	u_int segment;
-
-	lock_all_segments(this);
-	DBG2(DBG_MGR, "going to destroy IKE_SA manager and all managed IKE_SA's");
-	/* Step 1: drive out all waiting threads  */
-	DBG2(DBG_MGR, "set driveout flags for all stored IKE_SA's");
-	enumerator = create_table_enumerator(this);
-	while (enumerator->enumerate(enumerator, &entry, &segment))
-	{
-		/* do not accept new threads, drive out waiting threads */
-		entry->driveout_new_threads = TRUE;
-		entry->driveout_waiting_threads = TRUE;
-	}
-	enumerator->destroy(enumerator);
-	DBG2(DBG_MGR, "wait for all threads to leave IKE_SA's");
-	/* Step 2: wait until all are gone */
-	enumerator = create_table_enumerator(this);
-	while (enumerator->enumerate(enumerator, &entry, &segment))
-	{
-		while (entry->waiting_threads || entry->checked_out)
-		{
-			/* wake up all */
-			entry->condvar->broadcast(entry->condvar);
-			/* go sleeping until they are gone */
-			entry->condvar->wait(entry->condvar, this->segments[segment].mutex);
-		}
-	}
-	enumerator->destroy(enumerator);
-	DBG2(DBG_MGR, "delete all IKE_SA's");
-	/* Step 3: initiate deletion of all IKE_SAs */
-	enumerator = create_table_enumerator(this);
-	while (enumerator->enumerate(enumerator, &entry, &segment))
-	{
-		charon->bus->set_sa(charon->bus, entry->ike_sa);
-		/* as the delete never gets processed, fire down events */
-		switch (entry->ike_sa->get_state(entry->ike_sa))
-		{
-			case IKE_ESTABLISHED:
-			case IKE_REKEYING:
-			case IKE_DELETING:
-				charon->bus->ike_updown(charon->bus, entry->ike_sa, FALSE);
-				break;
-			default:
-				break;
-		}
-		entry->ike_sa->delete(entry->ike_sa);
-	}
-	enumerator->destroy(enumerator);
-
-	DBG2(DBG_MGR, "destroy all entries");
-	/* Step 4: destroy all entries */
-	enumerator = create_table_enumerator(this);
-	while (enumerator->enumerate(enumerator, &entry, &segment))
-	{
-		charon->bus->set_sa(charon->bus, entry->ike_sa);
-		if (entry->half_open)
-		{
-			remove_half_open(this, entry);
-		}
-		if (!entry->ike_sa_id->is_initiator(entry->ike_sa_id) &&
-			entry->my_id && entry->other_id)
-		{
-			remove_connected_peers(this, entry);
-		}
-		remove_entry_at((private_enumerator_t*)enumerator);
-		entry_destroy(entry);
-	}
-	enumerator->destroy(enumerator);
-	charon->bus->set_sa(charon->bus, NULL);
-	unlock_all_segments(this);
-}
-
-/**
- * Implementation of ike_sa_manager_t.destroy.
- */
-static void destroy(private_ike_sa_manager_t *this)
-{
-	u_int i;
-
-	for (i = 0; i < this->table_size; ++i)
-	{
-		linked_list_t *list;
-
-		if ((list = this->ike_sa_table[i]) != NULL)
-		{
-			list->destroy(list);
-		}
-		if ((list = this->half_open_table[i]) != NULL)
-		{
-			list->destroy(list);
-		}
-		if ((list = this->connected_peers_table[i]) != NULL)
-		{
-			list->destroy(list);
-		}
-	}
-	free(this->ike_sa_table);
-	free(this->half_open_table);
-	free(this->connected_peers_table);
-	for (i = 0; i < this->segment_count; ++i)
-	{
-		this->segments[i].mutex->destroy(this->segments[i].mutex);
-		this->half_open_segments[i].lock->destroy(this->half_open_segments[i].lock);
-		this->connected_peers_segments[i].lock->destroy(this->connected_peers_segments[i].lock);
-	}
-	free(this->segments);
-	free(this->half_open_segments);
-	free(this->connected_peers_segments);
-
-	this->rng->destroy(this->rng);
-	this->hasher->destroy(this->hasher);
-	free(this);
-}
-
-/**
- * This function returns the next-highest power of two for the given number.
- * The algorithm works by setting all bits on the right-hand side of the most
- * significant 1 to 1 and then increments the whole number so it rolls over
- * to the nearest power of two. Note: returns 0 for n == 0
- */
-static u_int get_nearest_powerof2(u_int n)
-{
-	u_int i;
-
-	--n;
-	for (i = 1; i < sizeof(u_int) * 8; i <<= 1)
-	{
-		n |= n >> i;
-	}
-	return ++n;
-}
-
-/*
- * Described in header.
- */
-ike_sa_manager_t *ike_sa_manager_create()
-{
-	u_int i;
-	private_ike_sa_manager_t *this = malloc_thing(private_ike_sa_manager_t);
-
-	/* assign public functions */
-	this->public.flush = (void(*)(ike_sa_manager_t*))flush;
-	this->public.destroy = (void(*)(ike_sa_manager_t*))destroy;
-	this->public.checkout = (ike_sa_t*(*)(ike_sa_manager_t*, ike_sa_id_t*))checkout;
-	this->public.checkout_new = (ike_sa_t*(*)(ike_sa_manager_t*,bool))checkout_new;
-	this->public.checkout_by_message = (ike_sa_t*(*)(ike_sa_manager_t*,message_t*))checkout_by_message;
-	this->public.checkout_by_config = (ike_sa_t*(*)(ike_sa_manager_t*,peer_cfg_t*))checkout_by_config;
-	this->public.checkout_by_id = (ike_sa_t*(*)(ike_sa_manager_t*,u_int32_t,bool))checkout_by_id;
-	this->public.checkout_by_name = (ike_sa_t*(*)(ike_sa_manager_t*,char*,bool))checkout_by_name;
-	this->public.check_uniqueness = (bool(*)(ike_sa_manager_t*, ike_sa_t *ike_sa))check_uniqueness;
-	this->public.create_enumerator = (enumerator_t*(*)(ike_sa_manager_t*))create_enumerator;
-	this->public.checkin = (void(*)(ike_sa_manager_t*,ike_sa_t*))checkin;
-	this->public.checkin_and_destroy = (void(*)(ike_sa_manager_t*,ike_sa_t*))checkin_and_destroy;
-	this->public.get_half_open_count = (int(*)(ike_sa_manager_t*,host_t*))get_half_open_count;
-
-	/* initialize private variables */
-	this->hasher = lib->crypto->create_hasher(lib->crypto, HASH_PREFERRED);
-	if (this->hasher == NULL)
-	{
-		DBG1(DBG_MGR, "manager initialization failed, no hasher supported");
-		free(this);
-		return NULL;
-	}
-	this->rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
-	if (this->rng == NULL)
-	{
-		DBG1(DBG_MGR, "manager initialization failed, no RNG supported");
-		this->hasher->destroy(this->hasher);
-		free(this);
-		return NULL;
-	}
-	this->table_size = get_nearest_powerof2(lib->settings->get_int(lib->settings,
-						"charon.ikesa_table_size", DEFAULT_HASHTABLE_SIZE));
-	this->table_size = max(1, min(this->table_size, MAX_HASHTABLE_SIZE));
-	this->table_mask = this->table_size - 1;
-
-	this->segment_count = get_nearest_powerof2(lib->settings->get_int(lib->settings,
-						"charon.ikesa_table_segments", DEFAULT_SEGMENT_COUNT));
-	this->segment_count = max(1, min(this->segment_count, this->table_size));
-	this->segment_mask = this->segment_count - 1;
-
-	this->ike_sa_table = calloc(this->table_size, sizeof(linked_list_t*));
-
-	this->segments = (segment_t*)calloc(this->segment_count, sizeof(segment_t));
-	for (i = 0; i < this->segment_count; ++i)
-	{
-		this->segments[i].mutex = mutex_create(MUTEX_TYPE_RECURSIVE);
-		this->segments[i].count = 0;
-	}
-
-	/* we use the same table parameters for the table to track half-open SAs */
-	this->half_open_table = calloc(this->table_size, sizeof(linked_list_t*));
-	this->half_open_segments = calloc(this->segment_count, sizeof(shareable_segment_t));
-	for (i = 0; i < this->segment_count; ++i)
-	{
-		this->half_open_segments[i].lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
-		this->half_open_segments[i].count = 0;
-	}
-
-	/* also for the hash table used for duplicate tests */
-	this->connected_peers_table = calloc(this->table_size, sizeof(linked_list_t*));
-	this->connected_peers_segments = calloc(this->segment_count, sizeof(shareable_segment_t));
-	for (i = 0; i < this->segment_count; ++i)
-	{
-		this->connected_peers_segments[i].lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
-		this->connected_peers_segments[i].count = 0;
-	}
-
-	this->reuse_ikesa = lib->settings->get_bool(lib->settings,
-												"charon.reuse_ikesa", TRUE);
-	return &this->public;
-}
diff --git a/src/charon/sa/ike_sa_manager.h b/src/charon/sa/ike_sa_manager.h
deleted file mode 100644
index 38f5454e1..000000000
--- a/src/charon/sa/ike_sa_manager.h
+++ /dev/null
@@ -1,220 +0,0 @@
-/*
- * Copyright (C) 2008 Tobias Brunner
- * Copyright (C) 2005-2008 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup ike_sa_manager ike_sa_manager
- * @{ @ingroup sa
- */
-
-#ifndef IKE_SA_MANAGER_H_
-#define IKE_SA_MANAGER_H_
-
-typedef struct ike_sa_manager_t ike_sa_manager_t;
-
-#include <library.h>
-#include <sa/ike_sa.h>
-#include <encoding/message.h>
-#include <config/peer_cfg.h>
-
-/**
- * Manages and synchronizes access to all IKE_SAs.
- *
- * To synchronize access to thread-unsave IKE_SAs, they are checked out for
- * use and checked in afterwards. A checked out SA is exclusively accessible
- * by the owning thread.
- */
-struct ike_sa_manager_t {
-
-	/**
-	 * Checkout an existing IKE_SA.
-	 *
-	 * @param ike_sa_id			the SA identifier, will be updated
-	 * @returns
-	 * 							- checked out IKE_SA if found
-	 * 							- NULL, if specified IKE_SA is not found.
-	 */
-	ike_sa_t* (*checkout) (ike_sa_manager_t* this, ike_sa_id_t *sa_id);
-
-	/**
-	 * Create and check out a new IKE_SA.
-	 *
-	 * @note If initiator equals FALSE, the returned IKE_SA is not registered
-	 * in the manager.
-	 *
-	 * @param initiator			TRUE for initiator, FALSE otherwise
-	 * @returns 				created and checked out IKE_SA
-	 */
-	ike_sa_t* (*checkout_new) (ike_sa_manager_t* this, bool initiator);
-
-	/**
-	 * Checkout an IKE_SA by a message.
-	 *
-	 * In some situations, it is necessary that the manager knows the
-	 * message to use for the checkout. This has the following reasons:
-	 *
-	 * 1. If the targeted IKE_SA is already processing a message, we do not
-	 *    check it out if the message ID is the same.
-	 * 2. If it is an IKE_SA_INIT request, we have to check if it is a
-	 *    retransmission. If so, we have to drop the message, we would
-	 *    create another unneeded IKE_SA for each retransmitted packet.
-	 *
-	 * A call to checkout_by_message() returns a (maybe new created) IKE_SA.
-	 * If processing the message does not make sense (for the reasons above),
-	 * NULL is returned.
-	 *
-	 * @param ike_sa_id			the SA identifier, will be updated
-	 * @returns
-	 * 							- checked out/created IKE_SA
-	 * 							- NULL to not process message further
-	 */
-	ike_sa_t* (*checkout_by_message) (ike_sa_manager_t* this, message_t *message);
-
-	/**
-	 * Checkout an IKE_SA for initiation by a peer_config.
-	 *
-	 * To initiate, a CHILD_SA may be established within an existing IKE_SA.
-	 * This call checks for an existing IKE_SA by comparing the configuration.
-	 * If the CHILD_SA can be created in an existing IKE_SA, the matching SA
-	 * is returned.
-	 * If no IKE_SA is found, a new one is created. This is also the case when
-	 * the found IKE_SA is in the DELETING state.
-	 *
-	 * @param peer_cfg			configuration used to find an existing IKE_SA
-	 * @return					checked out/created IKE_SA
-	 */
-	ike_sa_t* (*checkout_by_config) (ike_sa_manager_t* this,
-									 peer_cfg_t *peer_cfg);
-
-	/**
-	 * Check for duplicates of the given IKE_SA.
-	 *
-	 * Measures are taken according to the uniqueness policy of the IKE_SA.
-	 * The return value indicates whether duplicates have been found and if
-	 * further measures should be taken (e.g. cancelling an IKE_AUTH exchange).
-	 * check_uniqueness() must be called before the IKE_SA is complete,
-	 * deadlocks occur otherwise.
-	 *
-	 * @param ike_sa			ike_sa to check
-	 * @return					TRUE, if the given IKE_SA has duplicates and
-	 * 							should be deleted
-	 */
-	bool (*check_uniqueness)(ike_sa_manager_t *this, ike_sa_t *ike_sa);
-
-	/**
-	 * Check out an IKE_SA a unique ID.
-	 *
-	 * Every IKE_SA and every CHILD_SA is uniquely identified by an ID.
-	 * These checkout function uses, depending
-	 * on the child parameter, the unique ID of the IKE_SA or the reqid
-	 * of one of a IKE_SAs CHILD_SA.
-	 *
-	 * @param id				unique ID of the object
-	 * @param child				TRUE to use CHILD, FALSE to use IKE_SA
-	 * @return
-	 * 							- checked out IKE_SA, if found
-	 * 							- NULL, if not found
-	 */
-	ike_sa_t* (*checkout_by_id) (ike_sa_manager_t* this, u_int32_t id,
-								 bool child);
-
-	/**
-	 * Check out an IKE_SA by the policy/connection name.
-	 *
-	 * Check out the IKE_SA by the configuration name, either from the IKE- or
-	 * one of its CHILD_SAs.
-	 *
-	 * @param name				name of the connection/policy
-	 * @param child				TRUE to use policy name, FALSE to use conn name
-	 * @return
-	 * 							- checked out IKE_SA, if found
-	 * 							- NULL, if not found
-	 */
-	ike_sa_t* (*checkout_by_name) (ike_sa_manager_t* this, char *name,
-								   bool child);
-
-	/**
-	 * Create an enumerator over all stored IKE_SAs.
-	 *
-	 * While enumerating an IKE_SA, it is temporarily checked out and
-	 * automatically checked in after the current enumeration step.
-	 *
-	 * @return					enumerator over all IKE_SAs.
-	 */
-	enumerator_t *(*create_enumerator) (ike_sa_manager_t* this);
-
-	/**
-	 * Checkin the SA after usage.
-	 *
-	 * If the IKE_SA is not registered in the manager, a new entry is created.
-	 *
-	 * @param ike_sa_id			the SA identifier, will be updated
-	 * @param ike_sa			checked out SA
-	 */
-	void (*checkin) (ike_sa_manager_t* this, ike_sa_t *ike_sa);
-
-	/**
-	 * Destroy a checked out SA.
-	 *
-	 * The IKE SA is destroyed without notification of the remote peer.
-	 * Use this only if the other peer doesn't respond or behaves not
-	 * as predicted.
-	 * Checking in and destruction is an atomic operation (for the IKE_SA),
-	 * so this can be called if the SA is in a "unclean" state, without the
-	 * risk that another thread can get the SA.
-	 *
-	 * @param ike_sa			SA to delete
-	 */
-	void (*checkin_and_destroy) (ike_sa_manager_t* this, ike_sa_t *ike_sa);
-
-	/**
-	 * Get the number of IKE_SAs which are in the connecting state.
-	 *
-	 * To prevent the server from resource exhaustion, cookies and other
-	 * mechanisms are used. The number of half open IKE_SAs is a good
-	 * indicator to see if a peer is flooding the server.
-	 * If a host is supplied, only the number of half open IKE_SAs initiated
-	 * from this IP are counted.
-	 * Only SAs for which we are the responder are counted.
-	 *
-	 * @param ip				NULL for all, IP for half open IKE_SAs with IP
-	 * @return					number of half open IKE_SAs
-	 */
-	int (*get_half_open_count) (ike_sa_manager_t *this, host_t *ip);
-
-	/**
-	 * Delete all existing IKE_SAs and destroy them immediately.
-	 *
-	 * Threads will be driven out, so all SAs can be deleted cleanly.
-	 */
-	void (*flush)(ike_sa_manager_t *this);
-
-	/**
-	 * Destroys the manager with all associated SAs.
-	 *
-	 * A call to flush() is required before calling destroy.
-	 */
-	void (*destroy) (ike_sa_manager_t *this);
-};
-
-/**
- * Create the IKE_SA manager.
- *
- * @returns 	ike_sa_manager_t object, NULL if initialization fails
- */
-ike_sa_manager_t *ike_sa_manager_create(void);
-
-#endif /** IKE_SA_MANAGER_H_ @}*/
diff --git a/src/charon/sa/keymat.c b/src/charon/sa/keymat.c
deleted file mode 100644
index e49626354..000000000
--- a/src/charon/sa/keymat.c
+++ /dev/null
@@ -1,616 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "keymat.h"
-
-#include <daemon.h>
-#include <crypto/prf_plus.h>
-
-typedef struct private_keymat_t private_keymat_t;
-
-/**
- * Private data of an keymat_t object.
- */
-struct private_keymat_t {
-
-	/**
-	 * Public keymat_t interface.
-	 */
-	keymat_t public;
-
-	/**
-	 * IKE_SA Role, initiator or responder
-	 */
-	bool initiator;
-
-	/**
-	 * inbound signer (verify)
-	 */
-	signer_t *signer_in;
-
-	/**
-	 * outbound signer (sign)
-	 */
-	signer_t *signer_out;
-
-	/**
-	 * inbound crypter (decrypt)
-	 */
-	crypter_t *crypter_in;
-
-	/**
-	 * outbound crypter (encrypt)
-	 */
-	crypter_t *crypter_out;
-
-	/**
-	 * General purpose PRF
-	 */
-	prf_t *prf;
-
-	/**
-	 * Negotiated PRF algorithm
-	 */
-	pseudo_random_function_t prf_alg;
-
-	/**
-	 * Key to derive key material from for CHILD_SAs, rekeying
-	 */
-	chunk_t skd;
-
-	/**
-	 * Key to build outging authentication data (SKp)
-	 */
-	chunk_t skp_build;
-
-	/**
-	 * Key to verify incoming authentication data (SKp)
-	 */
-	chunk_t skp_verify;
-};
-
-typedef struct keylen_entry_t keylen_entry_t;
-
-/**
- * Implicit key length for an algorithm
- */
-struct keylen_entry_t {
-	/** IKEv2 algorithm identifier */
-	int algo;
-	/** key length in bits */
-	int len;
-};
-
-#define END_OF_LIST -1
-
-/**
- * Keylen for encryption algos
- */
-keylen_entry_t keylen_enc[] = {
-	{ENCR_DES, 					 64},
-	{ENCR_3DES, 				192},
-	{END_OF_LIST,				  0}
-};
-
-/**
- * Keylen for integrity algos
- */
-keylen_entry_t keylen_int[] = {
-	{AUTH_HMAC_MD5_96, 			128},
-	{AUTH_HMAC_SHA1_96,			160},
-	{AUTH_HMAC_SHA2_256_96,		256},
-	{AUTH_HMAC_SHA2_256_128,	256},
-	{AUTH_HMAC_SHA2_384_192,	384},
-	{AUTH_HMAC_SHA2_512_256,	512},
-	{AUTH_AES_XCBC_96,			128},
-	{END_OF_LIST,				  0}
-};
-
-/**
- * Lookup key length of an algorithm
- */
-static int lookup_keylen(keylen_entry_t *list, int algo)
-{
-	while (list->algo != END_OF_LIST)
-	{
-		if (algo == list->algo)
-		{
-			return list->len;
-		}
-		list++;
-	}
-	return 0;
-}
-
-/**
- * Implementation of keymat_t.create_dh
- */
-static diffie_hellman_t* create_dh(private_keymat_t *this,
-								   diffie_hellman_group_t group)
-{
-	return lib->crypto->create_dh(lib->crypto, group);;
-}
-
-/**
- * Implementation of keymat_t.derive_keys
- */
-static bool derive_ike_keys(private_keymat_t *this, proposal_t *proposal,
-							diffie_hellman_t *dh, chunk_t nonce_i,
-							chunk_t nonce_r, ike_sa_id_t *id,
-							pseudo_random_function_t rekey_function,
-							chunk_t rekey_skd)
-{
-	chunk_t skeyseed, key, secret, full_nonce, fixed_nonce, prf_plus_seed;
-	chunk_t spi_i, spi_r;
-	crypter_t *crypter_i, *crypter_r;
-	signer_t *signer_i, *signer_r;
-	prf_plus_t *prf_plus;
-	u_int16_t alg, key_size;
-	prf_t *rekey_prf = NULL;
-
-	spi_i = chunk_alloca(sizeof(u_int64_t));
-	spi_r = chunk_alloca(sizeof(u_int64_t));
-
-	if (dh->get_shared_secret(dh, &secret) != SUCCESS)
-	{
-		return FALSE;
-	}
-
-	/* Create SAs general purpose PRF first, we may use it here */
-	if (!proposal->get_algorithm(proposal, PSEUDO_RANDOM_FUNCTION, &alg, NULL))
-	{
-		DBG1(DBG_IKE, "no %N selected",
-			 transform_type_names, PSEUDO_RANDOM_FUNCTION);
-		return FALSE;
-	}
-	this->prf_alg = alg;
-	this->prf = lib->crypto->create_prf(lib->crypto, alg);
-	if (this->prf == NULL)
-	{
-		DBG1(DBG_IKE, "%N %N not supported!",
-			 transform_type_names, PSEUDO_RANDOM_FUNCTION,
-			 pseudo_random_function_names, alg);
-		return FALSE;
-	}
-	DBG4(DBG_IKE, "shared Diffie Hellman secret %B", &secret);
-	/* full nonce is used as seed for PRF+ ... */
-	full_nonce = chunk_cat("cc", nonce_i, nonce_r);
-	/* but the PRF may need a fixed key which only uses the first bytes of
-	 * the nonces. */
-	switch (alg)
-	{
-		case PRF_AES128_XCBC:
-			/* while rfc4434 defines variable keys for AES-XCBC, rfc3664 does
-			 * not and therefore fixed key semantics apply to XCBC for key
-			 * derivation. */
-			key_size = this->prf->get_key_size(this->prf)/2;
-			nonce_i.len = min(nonce_i.len, key_size);
-			nonce_r.len = min(nonce_r.len, key_size);
-			break;
-		default:
-			/* all other algorithms use variable key length, full nonce */
-			break;
-	}
-	fixed_nonce = chunk_cat("cc", nonce_i, nonce_r);
-	*((u_int64_t*)spi_i.ptr) = id->get_initiator_spi(id);
-	*((u_int64_t*)spi_r.ptr) = id->get_responder_spi(id);
-	prf_plus_seed = chunk_cat("ccc", full_nonce, spi_i, spi_r);
-
-	/* KEYMAT = prf+ (SKEYSEED, Ni | Nr | SPIi | SPIr)
-	 *
-	 * if we are rekeying, SKEYSEED is built on another way
-	 */
-	if (rekey_function == PRF_UNDEFINED) /* not rekeying */
-	{
-		/* SKEYSEED = prf(Ni | Nr, g^ir) */
-		this->prf->set_key(this->prf, fixed_nonce);
-		this->prf->allocate_bytes(this->prf, secret, &skeyseed);
-		this->prf->set_key(this->prf, skeyseed);
-		prf_plus = prf_plus_create(this->prf, prf_plus_seed);
-	}
-	else
-	{
-		/* SKEYSEED = prf(SK_d (old), [g^ir (new)] | Ni | Nr)
-		 * use OLD SAs PRF functions for both prf_plus and prf */
-		rekey_prf = lib->crypto->create_prf(lib->crypto, rekey_function);
-		if (!rekey_prf)
-		{
-			DBG1(DBG_IKE, "PRF of old SA %N not supported!",
-				 pseudo_random_function_names, rekey_function);
-			chunk_free(&full_nonce);
-			chunk_free(&fixed_nonce);
-			chunk_clear(&prf_plus_seed);
-			return FALSE;
-		}
-		secret = chunk_cat("mc", secret, full_nonce);
-		rekey_prf->set_key(rekey_prf, rekey_skd);
-		rekey_prf->allocate_bytes(rekey_prf, secret, &skeyseed);
-		rekey_prf->set_key(rekey_prf, skeyseed);
-		prf_plus = prf_plus_create(rekey_prf, prf_plus_seed);
-	}
-	DBG4(DBG_IKE, "SKEYSEED %B", &skeyseed);
-
-	chunk_clear(&skeyseed);
-	chunk_clear(&secret);
-	chunk_free(&full_nonce);
-	chunk_free(&fixed_nonce);
-	chunk_clear(&prf_plus_seed);
-
-	/* KEYMAT = SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr */
-
-	/* SK_d is used for generating CHILD_SA key mat => store for later use */
-	key_size = this->prf->get_key_size(this->prf);
-	prf_plus->allocate_bytes(prf_plus, key_size, &this->skd);
-	DBG4(DBG_IKE, "Sk_d secret %B", &this->skd);
-
-	/* SK_ai/SK_ar used for integrity protection => signer_in/signer_out */
-	if (!proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM, &alg, NULL))
-	{
-		DBG1(DBG_IKE, "no %N selected",
-			 transform_type_names, INTEGRITY_ALGORITHM);
-		prf_plus->destroy(prf_plus);
-		DESTROY_IF(rekey_prf);
-		return FALSE;
-	}
-	signer_i = lib->crypto->create_signer(lib->crypto, alg);
-	signer_r = lib->crypto->create_signer(lib->crypto, alg);
-	if (signer_i == NULL || signer_r == NULL)
-	{
-		DBG1(DBG_IKE, "%N %N not supported!",
-			 transform_type_names, INTEGRITY_ALGORITHM,
-			 integrity_algorithm_names ,alg);
-		prf_plus->destroy(prf_plus);
-		DESTROY_IF(rekey_prf);
-		return FALSE;
-	}
-	key_size = signer_i->get_key_size(signer_i);
-
-	prf_plus->allocate_bytes(prf_plus, key_size, &key);
-	DBG4(DBG_IKE, "Sk_ai secret %B", &key);
-	signer_i->set_key(signer_i, key);
-	chunk_clear(&key);
-
-	prf_plus->allocate_bytes(prf_plus, key_size, &key);
-	DBG4(DBG_IKE, "Sk_ar secret %B", &key);
-	signer_r->set_key(signer_r, key);
-	chunk_clear(&key);
-
-	if (this->initiator)
-	{
-		this->signer_in = signer_r;
-		this->signer_out = signer_i;
-	}
-	else
-	{
-		this->signer_in = signer_i;
-		this->signer_out = signer_r;
-	}
-
-	/* SK_ei/SK_er used for encryption => crypter_in/crypter_out */
-	if (!proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, &alg, &key_size))
-	{
-		DBG1(DBG_IKE, "no %N selected",
-			 transform_type_names, ENCRYPTION_ALGORITHM);
-		prf_plus->destroy(prf_plus);
-		DESTROY_IF(rekey_prf);
-		return FALSE;
-	}
-	crypter_i = lib->crypto->create_crypter(lib->crypto, alg, key_size / 8);
-	crypter_r = lib->crypto->create_crypter(lib->crypto, alg, key_size / 8);
-	if (crypter_i == NULL || crypter_r == NULL)
-	{
-		DBG1(DBG_IKE, "%N %N (key size %d) not supported!",
-			 transform_type_names, ENCRYPTION_ALGORITHM,
-			 encryption_algorithm_names, alg, key_size);
-		prf_plus->destroy(prf_plus);
-		DESTROY_IF(rekey_prf);
-		return FALSE;
-	}
-	key_size = crypter_i->get_key_size(crypter_i);
-
-	prf_plus->allocate_bytes(prf_plus, key_size, &key);
-	DBG4(DBG_IKE, "Sk_ei secret %B", &key);
-	crypter_i->set_key(crypter_i, key);
-	chunk_clear(&key);
-
-	prf_plus->allocate_bytes(prf_plus, key_size, &key);
-	DBG4(DBG_IKE, "Sk_er secret %B", &key);
-	crypter_r->set_key(crypter_r, key);
-	chunk_clear(&key);
-
-	if (this->initiator)
-	{
-		this->crypter_in = crypter_r;
-		this->crypter_out = crypter_i;
-	}
-	else
-	{
-		this->crypter_in = crypter_i;
-		this->crypter_out = crypter_r;
-	}
-
-	/* SK_pi/SK_pr used for authentication => stored for later */
-	key_size = this->prf->get_key_size(this->prf);
-	prf_plus->allocate_bytes(prf_plus, key_size, &key);
-	DBG4(DBG_IKE, "Sk_pi secret %B", &key);
-	if (this->initiator)
-	{
-		this->skp_build = key;
-	}
-	else
-	{
-		this->skp_verify = key;
-	}
-	prf_plus->allocate_bytes(prf_plus, key_size, &key);
-	DBG4(DBG_IKE, "Sk_pr secret %B", &key);
-	if (this->initiator)
-	{
-		this->skp_verify = key;
-	}
-	else
-	{
-		this->skp_build = key;
-	}
-
-	/* all done, prf_plus not needed anymore */
-	prf_plus->destroy(prf_plus);
-	DESTROY_IF(rekey_prf);
-
-	return TRUE;
-}
-
-/**
- * Implementation of keymat_t.derive_child_keys
- */
-static bool derive_child_keys(private_keymat_t *this,
-							  proposal_t *proposal, diffie_hellman_t *dh,
-							  chunk_t nonce_i, chunk_t nonce_r,
-							  chunk_t *encr_i, chunk_t *integ_i,
-							  chunk_t *encr_r, chunk_t *integ_r)
-{
-	u_int16_t enc_alg, int_alg, enc_size = 0, int_size = 0;
-	chunk_t seed, secret = chunk_empty;
-	prf_plus_t *prf_plus;
-
-	if (dh)
-	{
-		if (dh->get_shared_secret(dh, &secret) != SUCCESS)
-		{
-			return FALSE;
-		}
-		DBG4(DBG_CHD, "DH secret %B", &secret);
-	}
-	seed = chunk_cata("mcc", secret, nonce_i, nonce_r);
-	DBG4(DBG_CHD, "seed %B", &seed);
-
-	if (proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM,
-								&enc_alg, &enc_size))
-	{
-		DBG2(DBG_CHD, "  using %N for encryption",
-			 encryption_algorithm_names, enc_alg);
-
-		if (!enc_size)
-		{
-			enc_size = lookup_keylen(keylen_enc, enc_alg);
-		}
-		if (enc_alg != ENCR_NULL && !enc_size)
-		{
-			DBG1(DBG_CHD, "no keylength defined for %N",
-				 encryption_algorithm_names, enc_alg);
-			return FALSE;
-		}
-		/* to bytes */
-		enc_size /= 8;
-
-		/* CCM/GCM/CTR needs additional bytes */
-		switch (enc_alg)
-		{
-			case ENCR_AES_CCM_ICV8:
-			case ENCR_AES_CCM_ICV12:
-			case ENCR_AES_CCM_ICV16:
-			case ENCR_CAMELLIA_CCM_ICV8:
-			case ENCR_CAMELLIA_CCM_ICV12:
-			case ENCR_CAMELLIA_CCM_ICV16:
-				enc_size += 3;
-				break;
-			case ENCR_AES_GCM_ICV8:
-			case ENCR_AES_GCM_ICV12:
-			case ENCR_AES_GCM_ICV16:
-			case ENCR_AES_CTR:
-				enc_size += 4;
-				break;
-			default:
-				break;
-		}
-	}
-
-	if (proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM,
-								&int_alg, &int_size))
-	{
-		DBG2(DBG_CHD, "  using %N for integrity",
-			 integrity_algorithm_names, int_alg);
-
-		if (!int_size)
-		{
-			int_size = lookup_keylen(keylen_int, int_alg);
-		}
-		if (!int_size)
-		{
-			DBG1(DBG_CHD, "no keylength defined for %N",
-				 integrity_algorithm_names, int_alg);
-			return FALSE;
-		}
-		/* to bytes */
-		int_size /= 8;
-	}
-
-	this->prf->set_key(this->prf, this->skd);
-	prf_plus = prf_plus_create(this->prf, seed);
-
-	prf_plus->allocate_bytes(prf_plus, enc_size, encr_i);
-	prf_plus->allocate_bytes(prf_plus, int_size, integ_i);
-	prf_plus->allocate_bytes(prf_plus, enc_size, encr_r);
-	prf_plus->allocate_bytes(prf_plus, int_size, integ_r);
-
-	prf_plus->destroy(prf_plus);
-
-	if (enc_size)
-	{
-		DBG4(DBG_CHD, "encryption initiator key %B", encr_i);
-		DBG4(DBG_CHD, "encryption responder key %B", encr_r);
-	}
-	if (int_size)
-	{
-		DBG4(DBG_CHD, "integrity initiator key %B", integ_i);
-		DBG4(DBG_CHD, "integrity responder key %B", integ_r);
-	}
-	return TRUE;
-}
-
-/**
- * Implementation of keymat_t.get_skd
- */
-static pseudo_random_function_t get_skd(private_keymat_t *this, chunk_t *skd)
-{
-	*skd = this->skd;
-	return this->prf_alg;
-}
-
-/**
- * Implementation of keymat_t.get_signer
- */
-static signer_t* get_signer(private_keymat_t *this, bool in)
-{
-	return in ? this->signer_in : this->signer_out;
-}
-
-/**
- * Implementation of keymat_t.get_crypter
- */
-static crypter_t* get_crypter(private_keymat_t *this, bool in)
-{
-	return in ? this->crypter_in : this->crypter_out;
-}
-
-/**
- * Implementation of keymat_t.get_auth_octets
- */
-static chunk_t get_auth_octets(private_keymat_t *this, bool verify,
-							   chunk_t ike_sa_init, chunk_t nonce,
-							   identification_t *id)
-{
-	chunk_t chunk, idx, octets;
-	chunk_t skp;
-
-	skp = verify ? this->skp_verify : this->skp_build;
-
-	chunk = chunk_alloca(4);
-	memset(chunk.ptr, 0, chunk.len);
-	chunk.ptr[0] = id->get_type(id);
-	idx = chunk_cata("cc", chunk, id->get_encoding(id));
-
-	DBG3(DBG_IKE, "IDx' %B", &idx);
-	DBG3(DBG_IKE, "SK_p %B", &skp);
-	this->prf->set_key(this->prf, skp);
-	this->prf->allocate_bytes(this->prf, idx, &chunk);
-
-	octets = chunk_cat("ccm", ike_sa_init, nonce, chunk);
-	DBG3(DBG_IKE, "octets = message + nonce + prf(Sk_px, IDx') %B", &octets);
-	return octets;
-}
-
-/**
- * Key pad for the AUTH method SHARED_KEY_MESSAGE_INTEGRITY_CODE.
- */
-#define IKEV2_KEY_PAD "Key Pad for IKEv2"
-#define IKEV2_KEY_PAD_LENGTH 17
-
-/**
- * Implementation of keymat_t.get_psk_sig
- */
-static chunk_t get_psk_sig(private_keymat_t *this, bool verify,
-						   chunk_t ike_sa_init, chunk_t nonce, chunk_t secret,
-						   identification_t *id)
-{
-	chunk_t key_pad, key, sig, octets;
-
-	if (!secret.len)
-	{	/* EAP uses SK_p if no MSK has been established */
-		secret = verify ? this->skp_verify : this->skp_build;
-	}
-	octets = get_auth_octets(this, verify, ike_sa_init, nonce, id);
-	/* AUTH = prf(prf(Shared Secret,"Key Pad for IKEv2"), <msg octets>) */
-	key_pad = chunk_create(IKEV2_KEY_PAD, IKEV2_KEY_PAD_LENGTH);
-	this->prf->set_key(this->prf, secret);
-	this->prf->allocate_bytes(this->prf, key_pad, &key);
-	this->prf->set_key(this->prf, key);
-	this->prf->allocate_bytes(this->prf, octets, &sig);
-	DBG4(DBG_IKE, "secret %B", &secret);
-	DBG4(DBG_IKE, "prf(secret, keypad) %B", &key);
-	DBG3(DBG_IKE, "AUTH = prf(prf(secret, keypad), octets) %B", &sig);
-	chunk_free(&octets);
-	chunk_free(&key);
-
-	return sig;
-}
-
-/**
- * Implementation of keymat_t.destroy.
- */
-static void destroy(private_keymat_t *this)
-{
-	DESTROY_IF(this->signer_in);
-	DESTROY_IF(this->signer_out);
-	DESTROY_IF(this->crypter_in);
-	DESTROY_IF(this->crypter_out);
-	DESTROY_IF(this->prf);
-	chunk_clear(&this->skd);
-	chunk_clear(&this->skp_verify);
-	chunk_clear(&this->skp_build);
-	free(this);
-}
-
-/**
- * See header
- */
-keymat_t *keymat_create(bool initiator)
-{
-	private_keymat_t *this = malloc_thing(private_keymat_t);
-
-	this->public.create_dh = (diffie_hellman_t*(*)(keymat_t*, diffie_hellman_group_t group))create_dh;
-	this->public.derive_ike_keys = (bool(*)(keymat_t*, proposal_t *proposal, diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r, ike_sa_id_t *id, pseudo_random_function_t,chunk_t))derive_ike_keys;
-	this->public.derive_child_keys = (bool(*)(keymat_t*, proposal_t *proposal, diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r, chunk_t *encr_i, chunk_t *integ_i, chunk_t *encr_r, chunk_t *integ_r))derive_child_keys;
-	this->public.get_skd = (pseudo_random_function_t(*)(keymat_t*, chunk_t *skd))get_skd;
-	this->public.get_signer = (signer_t*(*)(keymat_t*, bool in))get_signer;
-	this->public.get_crypter = (crypter_t*(*)(keymat_t*, bool in))get_crypter;
-	this->public.get_auth_octets = (chunk_t(*)(keymat_t *, bool verify, chunk_t ike_sa_init, chunk_t nonce, identification_t *id))get_auth_octets;
-	this->public.get_psk_sig = (chunk_t(*)(keymat_t*, bool verify, chunk_t ike_sa_init, chunk_t nonce, chunk_t secret, identification_t *id))get_psk_sig;
-	this->public.destroy = (void(*)(keymat_t*))destroy;
-
-	this->initiator = initiator;
-
-	this->signer_in = NULL;
-	this->signer_out = NULL;
-	this->crypter_in = NULL;
-	this->crypter_out = NULL;
-	this->prf = NULL;
-	this->prf_alg = PRF_UNDEFINED;
-	this->skd = chunk_empty;
-	this->skp_verify = chunk_empty;
-	this->skp_build = chunk_empty;
-
-	return &this->public;
-}
-
diff --git a/src/charon/sa/keymat.h b/src/charon/sa/keymat.h
deleted file mode 100644
index e51709e8d..000000000
--- a/src/charon/sa/keymat.h
+++ /dev/null
@@ -1,163 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup keymat keymat
- * @{ @ingroup sa
- */
-
-#ifndef KEYMAT_H_
-#define KEYMAT_H_
-
-#include <library.h>
-#include <utils/identification.h>
-#include <crypto/prfs/prf.h>
-#include <crypto/crypters/crypter.h>
-#include <crypto/signers/signer.h>
-#include <config/proposal.h>
-#include <sa/ike_sa_id.h>
-
-typedef struct keymat_t keymat_t;
-
-/**
- * Derivation an management of sensitive keying material.
- */
-struct keymat_t {
-
-	/**
-	 * Create a diffie hellman object for key agreement.
-	 *
-	 * The diffie hellman is either for IKE negotiation/rekeying or
-	 * CHILD_SA rekeying (using PFS). The resulting DH object must be passed
-	 * to derive_keys or to derive_child_keys and destroyed after use
-	 *
-	 * @param group			diffie hellman group
-	 * @return				DH object, NULL if group not supported
-	 */
-	diffie_hellman_t* (*create_dh)(keymat_t *this, diffie_hellman_group_t group);
-
-	/**
-	 * Derive keys for the IKE_SA.
-	 *
-	 * These keys are not handed out, but are used by the associated signers,
-	 * crypters and authentication functions.
-	 *
-	 * @param proposal	selected algorithms
-	 * @param dh		diffie hellman key allocated by create_dh()
-	 * @param nonce_i	initiators nonce value
-	 * @param nonce_r	responders nonce value
-	 * @param id		IKE_SA identifier
-	 * @param rekey_prf	PRF of old SA if rekeying, PRF_UNDEFINED otherwise
-	 * @param rekey_sdk	SKd of old SA if rekeying
-	 * @return			TRUE on success
-	 */
-	bool (*derive_ike_keys)(keymat_t *this, proposal_t *proposal,
-							diffie_hellman_t *dh, chunk_t nonce_i,
-							chunk_t nonce_r, ike_sa_id_t *id,
-							pseudo_random_function_t rekey_function,
-							chunk_t rekey_skd);
-	/**
-	 * Derive keys for a CHILD_SA.
-	 *
-	 * The keys for the CHILD_SA are allocated in the integ and encr chunks.
-	 * An implementation might hand out encrypted keys only, which are
-	 * decrypted in the kernel before use.
-	 * If no PFS is used for the CHILD_SA, dh can be NULL.
-	 *
-	 * @param proposal	selected algorithms
-	 * @param dh		diffie hellman key allocated by create_dh(), or NULL
-	 * @param nonce_i	initiators nonce value
-	 * @param nonce_r	responders nonce value
-	 * @param encr_i	chunk to write initiators encryption key to
-	 * @param integ_i	chunk to write initiators integrity key to
-	 * @param encr_r	chunk to write responders encryption key to
-	 * @param integ_r	chunk to write responders integrity key to
-	 * @return			TRUE on success
-	 */
-	bool (*derive_child_keys)(keymat_t *this,
-							  proposal_t *proposal, diffie_hellman_t *dh,
-							  chunk_t nonce_i, chunk_t nonce_r,
-							  chunk_t *encr_i, chunk_t *integ_i,
-							  chunk_t *encr_r, chunk_t *integ_r);
-	/**
-	 * Get SKd to pass to derive_ikey_keys() during rekeying.
-	 *
-	 * @param skd		chunk to write SKd to (internal data)
-	 * @return			PRF function to derive keymat
-	 */
-	pseudo_random_function_t (*get_skd)(keymat_t *this, chunk_t *skd);
-
-	/**
-	 * Get a signer to sign/verify IKE messages.
-	 *
-	 * @param in		TRUE for inbound (verify), FALSE for outbound (sign)
-	 * @return			signer
-	 */
-	signer_t* (*get_signer)(keymat_t *this, bool in);
-
-	/*
-	 * Get a crypter to en-/decrypt IKE messages.
-	 *
-	 * @param in		TRUE for inbound (decrypt), FALSE for outbound (encrypt)
-	 * @return			crypter
-	 */
-	crypter_t* (*get_crypter)(keymat_t *this, bool in);
-
-	/**
-	 * Generate octets to use for authentication procedure (RFC4306 2.15).
-	 *
-	 * This method creates the plain octets and is usually signed by a private
-	 * key. PSK and EAP authentication include a secret into the data, use
-	 * the get_psk_sig() method instead.
-	 *
-	 * @param verify		TRUE to create for verfification, FALSE to sign
-	 * @param ike_sa_init	encoded ike_sa_init message
-	 * @param nonce			nonce value
-	 * @param id			identity
-	 * @return				authentication octets
-	 */
-	chunk_t (*get_auth_octets)(keymat_t *this, bool verify, chunk_t ike_sa_init,
-							   chunk_t nonce, identification_t *id);
-	/**
-	 * Build the shared secret signature used for PSK and EAP authentication.
-	 *
-	 * This method wraps the get_auth_octets() method and additionally
-	 * includes the secret into the signature. If no secret is given, SK_p is
-	 * used as secret (used for EAP methods without MSK).
-	 *
-	 * @param verify		TRUE to create for verfification, FALSE to sign
-	 * @param ike_sa_init	encoded ike_sa_init message
-	 * @param nonce			nonce value
-	 * @param secret		optional secret to include into signature
-	 * @param id			identity
-	 * @return				signature octets
-	 */
-	chunk_t (*get_psk_sig)(keymat_t *this, bool verify, chunk_t ike_sa_init,
-						   chunk_t nonce, chunk_t secret, identification_t *id);
-	/**
-	 * Destroy a keymat_t.
-	 */
-	void (*destroy)(keymat_t *this);
-};
-
-/**
- * Create a keymat instance.
- *
- * @param initiator		TRUE if we are the initiator
- * @return				keymat instance
- */
-keymat_t *keymat_create(bool initiator);
-
-#endif /** KEYMAT_H_ @}*/
diff --git a/src/charon/sa/mediation_manager.c b/src/charon/sa/mediation_manager.c
deleted file mode 100644
index 035f49053..000000000
--- a/src/charon/sa/mediation_manager.c
+++ /dev/null
@@ -1,341 +0,0 @@
-/*
- * Copyright (C) 2007 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "mediation_manager.h"
-
-#include <daemon.h>
-#include <threading/mutex.h>
-#include <utils/linked_list.h>
-#include <processing/jobs/mediation_job.h>
-
-typedef struct peer_t peer_t;
-
-/**
- * An entry in the linked list.
- */
-struct peer_t {
-	/** id of the peer */
-	identification_t *id;
-
-	/** sa id of the peer, NULL if offline */
-	ike_sa_id_t *ike_sa_id;
-
-	/** list of peer ids that reuested this peer */
-	linked_list_t *requested_by;
-};
-
-/**
- * Implementation of peer_t.destroy.
- */
-static void peer_destroy(peer_t *this)
-{
-	DESTROY_IF(this->id);
-	DESTROY_IF(this->ike_sa_id);
-	this->requested_by->destroy_offset(this->requested_by,
-									   offsetof(identification_t, destroy));
-	free(this);
-}
-
-/**
- * Creates a new entry for the list.
- */
-static peer_t *peer_create(identification_t *id, ike_sa_id_t* ike_sa_id)
-{
-	peer_t *this = malloc_thing(peer_t);
-
-	/* clone everything */
-	this->id = id->clone(id);
-	this->ike_sa_id = ike_sa_id ? ike_sa_id->clone(ike_sa_id) : NULL;
-	this->requested_by = linked_list_create();
-
-	return this;
-}
-
-typedef struct private_mediation_manager_t private_mediation_manager_t;
-
-/**
- * Additional private members of mediation_manager_t.
- */
-struct private_mediation_manager_t {
-	/**
-	 * Public interface of mediation_manager_t.
-	 */
-	 mediation_manager_t public;
-
-	 /**
-	  * Lock for exclusivly accessing the manager.
-	  */
-	 mutex_t *mutex;
-
-	 /**
-	  * Linked list with state entries.
-	  */
-	 linked_list_t *peers;
-};
-
-/**
- * Registers a peer's ID at another peer, if it is not yet registered
- */
-static void register_peer(peer_t *peer, identification_t *peer_id)
-{
-	iterator_t *iterator;
-	identification_t *current;
-
-	iterator = peer->requested_by->create_iterator(peer->requested_by, TRUE);
-	while (iterator->iterate(iterator, (void**)&current))
-	{
-		if (peer_id->equals(peer_id, current))
-		{
-			iterator->destroy(iterator);
-			return;
-		}
-	}
-	iterator->destroy(iterator);
-
-	peer->requested_by->insert_last(peer->requested_by,
-									peer_id->clone(peer_id));
-}
-
-/**
- * Get a peer_t object by a peer's id
- */
-static status_t get_peer_by_id(private_mediation_manager_t *this,
-							   identification_t *id, peer_t **peer)
-{
-	iterator_t *iterator;
-	peer_t *current;
-	status_t status = NOT_FOUND;
-
-	iterator = this->peers->create_iterator(this->peers, TRUE);
-	while (iterator->iterate(iterator, (void**)&current))
-	{
-		if (id->equals(id, current->id))
-		{
-			if (peer)
-			{
-				*peer = current;
-			}
-			status = SUCCESS;
-			break;
-		}
-	}
-	iterator->destroy(iterator);
-
-	return status;
-}
-
-/**
- * Check if a given peer is registered at other peers. If so, remove it there
- * and then remove peers completely that are not online and have no registered
- * peers.
- */
-static void unregister_peer(private_mediation_manager_t *this,
-							identification_t *peer_id)
-{
-	iterator_t *iterator, *iterator_r;
-	peer_t *peer;
-	identification_t *registered;
-
-	iterator = this->peers->create_iterator(this->peers, TRUE);
-	while (iterator->iterate(iterator, (void**)&peer))
-	{
-		iterator_r = peer->requested_by->create_iterator(peer->requested_by,
-														 TRUE);
-		while (iterator_r->iterate(iterator_r, (void**)&registered))
-		{
-			if (peer_id->equals(peer_id, registered))
-			{
-				iterator_r->remove(iterator_r);
-				registered->destroy(registered);
-				break;
-			}
-		}
-		iterator_r->destroy(iterator_r);
-
-		if (!peer->ike_sa_id && !peer->requested_by->get_count(peer->requested_by))
-		{
-			iterator->remove(iterator);
-			peer_destroy(peer);
-			break;
-		}
-	}
-	iterator->destroy(iterator);
-}
-
-/**
- * Implementation of mediation_manager_t.remove
- */
-static void remove_sa(private_mediation_manager_t *this, ike_sa_id_t *ike_sa_id)
-{
-	iterator_t *iterator;
-	peer_t *peer;
-
-	this->mutex->lock(this->mutex);
-
-	iterator = this->peers->create_iterator(this->peers, TRUE);
-	while (iterator->iterate(iterator, (void**)&peer))
-	{
-		if (ike_sa_id->equals(ike_sa_id, peer->ike_sa_id))
-		{
-			iterator->remove(iterator);
-
-			unregister_peer(this, peer->id);
-
-			peer_destroy(peer);
-			break;
-		}
-	}
-	iterator->destroy(iterator);
-
-	this->mutex->unlock(this->mutex);
-}
-
-/**
- * Implementation of mediation_manager_t.update_sa_id
- */
-static void update_sa_id(private_mediation_manager_t *this, identification_t *peer_id, ike_sa_id_t *ike_sa_id)
-{
-	iterator_t *iterator;
-	peer_t *peer;
-	bool found = FALSE;
-
-	this->mutex->lock(this->mutex);
-
-	iterator = this->peers->create_iterator(this->peers, TRUE);
-	while (iterator->iterate(iterator, (void**)&peer))
-	{
-		if (peer_id->equals(peer_id, peer->id))
-		{
-			DESTROY_IF(peer->ike_sa_id);
-			found = TRUE;
-			break;
-		}
-	}
-	iterator->destroy(iterator);
-
-	if (!found)
-	{
-		DBG2(DBG_IKE, "adding peer '%Y'", peer_id);
-		peer = peer_create(peer_id, NULL);
-		this->peers->insert_last(this->peers, peer);
-	}
-
-	DBG2(DBG_IKE, "changing registered IKE_SA ID of peer '%Y'", peer_id);
-	peer->ike_sa_id = ike_sa_id ? ike_sa_id->clone(ike_sa_id) : NULL;
-
-	/* send callbacks to registered peers */
-	identification_t *requester;
-	while(peer->requested_by->remove_last(peer->requested_by,
-										  (void**)&requester) == SUCCESS)
-	{
-		job_t *job = (job_t*)mediation_callback_job_create(requester, peer_id);
-		charon->processor->queue_job(charon->processor, job);
-		requester->destroy(requester);
-	}
-
-	this->mutex->unlock(this->mutex);
-}
-
-/**
- * Implementation of mediation_manager_t.check.
- */
-static ike_sa_id_t *check(private_mediation_manager_t *this,
-			identification_t *peer_id)
-{
-	peer_t *peer;
-	ike_sa_id_t *ike_sa_id;
-
-	this->mutex->lock(this->mutex);
-
-	if (get_peer_by_id(this, peer_id, &peer) != SUCCESS)
-	{
-		this->mutex->unlock(this->mutex);
-		return NULL;
-	}
-
-	ike_sa_id = peer->ike_sa_id;
-
-	this->mutex->unlock(this->mutex);
-
-	return ike_sa_id;
-}
-
-/**
- * Implementation of mediation_manager_t.check_and_register.
- */
-static ike_sa_id_t *check_and_register(private_mediation_manager_t *this,
-			identification_t *peer_id, identification_t *requester)
-{
-	peer_t *peer;
-	ike_sa_id_t *ike_sa_id;
-
-	this->mutex->lock(this->mutex);
-
-	if (get_peer_by_id(this, peer_id, &peer) != SUCCESS)
-	{
-		DBG2(DBG_IKE, "adding peer %Y", peer_id);
-		peer = peer_create(peer_id, NULL);
-		this->peers->insert_last(this->peers, peer);
-	}
-
-	if (!peer->ike_sa_id)
-	{
-		/* the peer is not online */
-		DBG2(DBG_IKE, "requested peer '%Y' is offline, registering peer '%Y'",
-			 peer_id, requester);
-		register_peer(peer, requester);
-		this->mutex->unlock(this->mutex);
-		return NULL;
-	}
-
-	ike_sa_id = peer->ike_sa_id;
-
-	this->mutex->unlock(this->mutex);
-
-	return ike_sa_id;
-}
-
-/**
- * Implementation of mediation_manager_t.destroy.
- */
-static void destroy(private_mediation_manager_t *this)
-{
-	this->mutex->lock(this->mutex);
-
-	this->peers->destroy_function(this->peers, (void*)peer_destroy);
-
-	this->mutex->unlock(this->mutex);
-	this->mutex->destroy(this->mutex);
-	free(this);
-}
-
-/*
- * Described in header.
- */
-mediation_manager_t *mediation_manager_create()
-{
-	private_mediation_manager_t *this = malloc_thing(private_mediation_manager_t);
-
-	this->public.destroy = (void(*)(mediation_manager_t*))destroy;
-	this->public.remove = (void(*)(mediation_manager_t*,ike_sa_id_t*))remove_sa;
-	this->public.update_sa_id = (void(*)(mediation_manager_t*,identification_t*,ike_sa_id_t*))update_sa_id;
-	this->public.check = (ike_sa_id_t*(*)(mediation_manager_t*,identification_t*))check;
-	this->public.check_and_register = (ike_sa_id_t*(*)(mediation_manager_t*,identification_t*,identification_t*))check_and_register;
-
-	this->peers = linked_list_create();
-	this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
-
-	return (mediation_manager_t*)this;
-}
diff --git a/src/charon/sa/mediation_manager.h b/src/charon/sa/mediation_manager.h
deleted file mode 100644
index 31a16f69c..000000000
--- a/src/charon/sa/mediation_manager.h
+++ /dev/null
@@ -1,90 +0,0 @@
-/*
- * Copyright (C) 2007 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup mediation_manager mediation_manager
- * @{ @ingroup sa
- */
-
-#ifndef MEDIATION_MANAGER_H_
-#define MEDIATION_MANAGER_H_
-
-typedef struct mediation_manager_t mediation_manager_t;
-
-#include <sa/ike_sa_id.h>
-#include <utils/identification.h>
-
-/**
- * The mediation manager is responsible for managing currently online
- * peers and registered requests for offline peers on the mediation server.
- */
-struct mediation_manager_t {
-
-	/**
-	 * Remove the IKE_SA of a peer.
-	 *
-	 * @param ike_sa_id			the IKE_SA ID of the peer's SA
-	 */
-	void (*remove) (mediation_manager_t* this, ike_sa_id_t *ike_sa_id);
-
-	/**
-	 * Update the ike_sa_id that is assigned to a peer's ID. If the peer
-	 * is new, it gets a new record assigned.
-	 *
-	 * @param peer_id			the peer's ID
-	 * @param ike_sa_id			the IKE_SA ID of the peer's SA
-	 */
-	void (*update_sa_id) (mediation_manager_t* this, identification_t *peer_id,
-						  ike_sa_id_t *ike_sa_id);
-
-	/**
-	 * Checks if a specific peer is online.
-	 *
-	 * @param peer_id			the peer's ID
-	 * @returns
-	 *							- IKE_SA ID of the peer's SA.
-	 *							- NULL, if the peer is not online.
-	 */
-	ike_sa_id_t* (*check) (mediation_manager_t* this,
-						   identification_t *peer_id);
-
-	/**
-	 * Checks if a specific peer is online and registers the requesting
-	 * peer if it is not.
-	 *
-	 * @param peer_id			the peer's ID
-	 * @param requester			the requesters ID
-	 * @returns
-	 *							- IKE_SA ID of the peer's SA.
-	 *							- NULL, if the peer is not online.
-	 */
-	ike_sa_id_t* (*check_and_register) (mediation_manager_t* this,
-										identification_t *peer_id,
-										identification_t *requester);
-
-	/**
-	 * Destroys the manager with all data.
-	 */
-	void (*destroy) (mediation_manager_t *this);
-};
-
-/**
- * Create a manager.
- *
- * @returns	mediation_manager_t object
- */
-mediation_manager_t *mediation_manager_create(void);
-
-#endif /** MEDIATION_MANAGER_H_ @}*/
diff --git a/src/charon/sa/task_manager.c b/src/charon/sa/task_manager.c
deleted file mode 100644
index 1de0c06f0..000000000
--- a/src/charon/sa/task_manager.c
+++ /dev/null
@@ -1,1082 +0,0 @@
-/*
- * Copyright (C) 2007 Tobias Brunner
- * Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "task_manager.h"
-
-#include <math.h>
-
-#include <daemon.h>
-#include <sa/tasks/ike_init.h>
-#include <sa/tasks/ike_natd.h>
-#include <sa/tasks/ike_mobike.h>
-#include <sa/tasks/ike_auth.h>
-#include <sa/tasks/ike_auth_lifetime.h>
-#include <sa/tasks/ike_cert_pre.h>
-#include <sa/tasks/ike_cert_post.h>
-#include <sa/tasks/ike_rekey.h>
-#include <sa/tasks/ike_delete.h>
-#include <sa/tasks/ike_config.h>
-#include <sa/tasks/ike_dpd.h>
-#include <sa/tasks/ike_vendor.h>
-#include <sa/tasks/child_create.h>
-#include <sa/tasks/child_rekey.h>
-#include <sa/tasks/child_delete.h>
-#include <encoding/payloads/delete_payload.h>
-#include <processing/jobs/retransmit_job.h>
-
-#ifdef ME
-#include <sa/tasks/ike_me.h>
-#endif
-
-typedef struct exchange_t exchange_t;
-
-/**
- * An exchange in the air, used do detect and handle retransmission
- */
-struct exchange_t {
-
-	/**
-	 * Message ID used for this transaction
-	 */
-	u_int32_t mid;
-
-	/**
-	 * generated packet for retransmission
-	 */
-	packet_t *packet;
-};
-
-typedef struct private_task_manager_t private_task_manager_t;
-
-/**
- * private data of the task manager
- */
-struct private_task_manager_t {
-
-	/**
-	 * public functions
-	 */
-	task_manager_t public;
-
-	/**
-	 * associated IKE_SA we are serving
-	 */
-	ike_sa_t *ike_sa;
-
-	/**
-	 * Exchange we are currently handling as responder
-	 */
-	struct {
-		/**
-		 * Message ID of the exchange
-		 */
-		u_int32_t mid;
-
-		/**
-		 * packet for retransmission
-		 */
-		packet_t *packet;
-
-	} responding;
-
-	/**
-	 * Exchange we are currently handling as initiator
-	 */
-	struct {
-		/**
-		 * Message ID of the exchange
-		 */
-		u_int32_t mid;
-
-		/**
-		 * how many times we have retransmitted so far
-		 */
-		u_int retransmitted;
-
-		/**
-		 * packet for retransmission
-		 */
-		packet_t *packet;
-
-		/**
-		 * type of the initated exchange
-		 */
-		exchange_type_t type;
-
-	} initiating;
-
-	/**
-	 * List of queued tasks not yet in action
-	 */
-	linked_list_t *queued_tasks;
-
-	/**
-	 * List of active tasks, initiated by ourselve
-	 */
-	linked_list_t *active_tasks;
-
-	/**
-	 * List of tasks initiated by peer
-	 */
-	linked_list_t *passive_tasks;
-
-	/**
-	 * the task manager has been reset
-	 */
-	bool reset;
-
-	/**
-	 * Number of times we retransmit messages before giving up
-	 */
-	u_int retransmit_tries;
-
-	/**
-	 * Retransmission timeout
-	 */
-	double retransmit_timeout;
-
-	/**
-	 * Base to calculate retransmission timeout
-	 */
-	double retransmit_base;
-};
-
-/**
- * flush all tasks in the task manager
- */
-static void flush(private_task_manager_t *this)
-{
-	this->queued_tasks->destroy_offset(this->queued_tasks,
-										offsetof(task_t, destroy));
-	this->passive_tasks->destroy_offset(this->passive_tasks,
-										offsetof(task_t, destroy));
-	this->active_tasks->destroy_offset(this->active_tasks,
-										offsetof(task_t, destroy));
-	this->queued_tasks = linked_list_create();
-	this->passive_tasks = linked_list_create();
-	this->active_tasks = linked_list_create();
-}
-
-/**
- * move a task of a specific type from the queue to the active list
- */
-static bool activate_task(private_task_manager_t *this, task_type_t type)
-{
-	iterator_t *iterator;
-	task_t *task;
-	bool found = FALSE;
-
-	iterator = this->queued_tasks->create_iterator(this->queued_tasks, TRUE);
-	while (iterator->iterate(iterator, (void**)&task))
-	{
-		if (task->get_type(task) == type)
-		{
-			DBG2(DBG_IKE, "  activating %N task", task_type_names, type);
-			iterator->remove(iterator);
-			this->active_tasks->insert_last(this->active_tasks, task);
-			found = TRUE;
-			break;
-		}
-	}
-	iterator->destroy(iterator);
-	return found;
-}
-
-/**
- * Implementation of task_manager_t.retransmit
- */
-static status_t retransmit(private_task_manager_t *this, u_int32_t message_id)
-{
-	if (message_id == this->initiating.mid)
-	{
-		u_int32_t timeout;
-		job_t *job;
-		iterator_t *iterator;
-		packet_t *packet;
-		task_t *task;
-		ike_mobike_t *mobike = NULL;
-
-		/* check if we are retransmitting a MOBIKE routability check */
-		iterator = this->active_tasks->create_iterator(this->active_tasks, TRUE);
-		while (iterator->iterate(iterator, (void*)&task))
-		{
-			if (task->get_type(task) == IKE_MOBIKE)
-			{
-				mobike = (ike_mobike_t*)task;
-				if (!mobike->is_probing(mobike))
-				{
-					mobike = NULL;
-				}
-				break;
-			}
-		}
-		iterator->destroy(iterator);
-
-		if (mobike == NULL)
-		{
-			if (this->initiating.retransmitted <= this->retransmit_tries)
-			{
-				timeout = (u_int32_t)(this->retransmit_timeout * 1000.0 *
-					pow(this->retransmit_base, this->initiating.retransmitted));
-			}
-			else
-			{
-				DBG1(DBG_IKE, "giving up after %d retransmits",
-					 this->initiating.retransmitted - 1);
-				if (this->ike_sa->get_state(this->ike_sa) != IKE_CONNECTING)
-				{
-					charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
-				}
-				return DESTROY_ME;
-			}
-
-			if (this->initiating.retransmitted)
-			{
-				DBG1(DBG_IKE, "retransmit %d of request with message ID %d",
-					 this->initiating.retransmitted, message_id);
-			}
-			packet = this->initiating.packet->clone(this->initiating.packet);
-			charon->sender->send(charon->sender, packet);
-		}
-		else
-		{	/* for routeability checks, we use a more aggressive behavior */
-			if (this->initiating.retransmitted <= ROUTEABILITY_CHECK_TRIES)
-			{
-				timeout = ROUTEABILITY_CHECK_INTERVAL;
-			}
-			else
-			{
-				DBG1(DBG_IKE, "giving up after %d path probings",
-					 this->initiating.retransmitted - 1);
-				charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
-				return DESTROY_ME;
-			}
-
-			if (this->initiating.retransmitted)
-			{
-				DBG1(DBG_IKE, "path probing attempt %d",
-					 this->initiating.retransmitted);
-			}
-			mobike->transmit(mobike, this->initiating.packet);
-		}
-
-		this->initiating.retransmitted++;
-		job = (job_t*)retransmit_job_create(this->initiating.mid,
-											this->ike_sa->get_id(this->ike_sa));
-		charon->scheduler->schedule_job_ms(charon->scheduler, job, timeout);
-	}
-	return SUCCESS;
-}
-
-/**
- * build a request using the active task list
- * Implementation of task_manager_t.initiate
- */
-static status_t build_request(private_task_manager_t *this)
-{
-	iterator_t *iterator;
-	task_t *task;
-	message_t *message;
-	host_t *me, *other;
-	status_t status;
-	exchange_type_t exchange = 0;
-
-	if (this->initiating.type != EXCHANGE_TYPE_UNDEFINED)
-	{
-		DBG2(DBG_IKE, "delaying task initiation, exchange in progress");
-		/* do not initiate if we already have a message in the air */
-		return SUCCESS;
-	}
-
-	if (this->active_tasks->get_count(this->active_tasks) == 0)
-	{
-		DBG2(DBG_IKE, "activating new tasks");
-		switch (this->ike_sa->get_state(this->ike_sa))
-		{
-			case IKE_CREATED:
-				if (activate_task(this, IKE_INIT))
-				{
-					this->initiating.mid = 0;
-					exchange = IKE_SA_INIT;
-					activate_task(this, IKE_VENDOR);
-					activate_task(this, IKE_NATD);
-					activate_task(this, IKE_CERT_PRE);
-#ifdef ME
-					/* this task has to be activated before the IKE_AUTHENTICATE
-					 * task, because that task pregenerates the packet after
-					 * which no payloads can be added to the message anymore.
-					 */
-					activate_task(this, IKE_ME);
-#endif /* ME */
-					activate_task(this, IKE_AUTHENTICATE);
-					activate_task(this, IKE_CERT_POST);
-					activate_task(this, IKE_CONFIG);
-					activate_task(this, CHILD_CREATE);
-					activate_task(this, IKE_AUTH_LIFETIME);
-					activate_task(this, IKE_MOBIKE);
-				}
-				break;
-			case IKE_ESTABLISHED:
-				if (activate_task(this, CHILD_CREATE))
-				{
-					exchange = CREATE_CHILD_SA;
-					break;
-				}
-				if (activate_task(this, CHILD_DELETE))
-				{
-					exchange = INFORMATIONAL;
-					break;
-				}
-				if (activate_task(this, CHILD_REKEY))
-				{
-					exchange = CREATE_CHILD_SA;
-					break;
-				}
-				if (activate_task(this, IKE_DELETE))
-				{
-					exchange = INFORMATIONAL;
-					break;
-				}
-				if (activate_task(this, IKE_REKEY))
-				{
-					exchange = CREATE_CHILD_SA;
-					break;
-				}
-				if (activate_task(this, IKE_REAUTH))
-				{
-					exchange = INFORMATIONAL;
-					break;
-				}
-				if (activate_task(this, IKE_MOBIKE))
-				{
-					exchange = INFORMATIONAL;
-					break;
-				}
-				if (activate_task(this, IKE_DPD))
-				{
-					exchange = INFORMATIONAL;
-					break;
-				}
-#ifdef ME
-				if (activate_task(this, IKE_ME))
-				{
-					exchange = ME_CONNECT;
-					break;
-				}
-#endif /* ME */
-			case IKE_REKEYING:
-				if (activate_task(this, IKE_DELETE))
-				{
-					exchange = INFORMATIONAL;
-					break;
-				}
-			case IKE_DELETING:
-			default:
-				break;
-		}
-	}
-	else
-	{
-		DBG2(DBG_IKE, "reinitiating already active tasks");
-		iterator = this->active_tasks->create_iterator(this->active_tasks, TRUE);
-		while (iterator->iterate(iterator, (void**)&task))
-		{
-			DBG2(DBG_IKE, "  %N task", task_type_names, task->get_type(task));
-			switch (task->get_type(task))
-			{
-				case IKE_INIT:
-					exchange = IKE_SA_INIT;
-					break;
-				case IKE_AUTHENTICATE:
-					exchange = IKE_AUTH;
-					break;
-				case CHILD_CREATE:
-				case CHILD_REKEY:
-				case IKE_REKEY:
-					exchange = CREATE_CHILD_SA;
-					break;
-				case IKE_MOBIKE:
-					exchange = INFORMATIONAL;
-				default:
-					continue;
-			}
-			break;
-		}
-		iterator->destroy(iterator);
-	}
-
-	if (exchange == 0)
-	{
-		DBG2(DBG_IKE, "nothing to initiate");
-		/* nothing to do yet... */
-		return SUCCESS;
-	}
-
-	me = this->ike_sa->get_my_host(this->ike_sa);
-	other = this->ike_sa->get_other_host(this->ike_sa);
-
-	message = message_create();
-	message->set_message_id(message, this->initiating.mid);
-	message->set_source(message, me->clone(me));
-	message->set_destination(message, other->clone(other));
-	message->set_exchange_type(message, exchange);
-	this->initiating.type = exchange;
-	this->initiating.retransmitted = 0;
-
-	iterator = this->active_tasks->create_iterator(this->active_tasks, TRUE);
-	while (iterator->iterate(iterator, (void*)&task))
-	{
-		switch (task->build(task, message))
-		{
-			case SUCCESS:
-				/* task completed, remove it */
-				iterator->remove(iterator);
-				task->destroy(task);
-				break;
-			case NEED_MORE:
-				/* processed, but task needs another exchange */
-				break;
-			case FAILED:
-			default:
-				if (this->ike_sa->get_state(this->ike_sa) != IKE_CONNECTING)
-				{
-					charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
-				}
-				/* FALL */
-			case DESTROY_ME:
-				/* critical failure, destroy IKE_SA */
-				iterator->destroy(iterator);
-				message->destroy(message);
-				flush(this);
-				return DESTROY_ME;
-		}
-	}
-	iterator->destroy(iterator);
-
-	/* update exchange type if a task changed it */
-	this->initiating.type = message->get_exchange_type(message);
-
-	charon->bus->message(charon->bus, message, FALSE);
-	status = this->ike_sa->generate_message(this->ike_sa, message,
-											&this->initiating.packet);
-	if (status != SUCCESS)
-	{
-		/* message generation failed. There is nothing more to do than to
-		 * close the SA */
-		message->destroy(message);
-		flush(this);
-		charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
-		return DESTROY_ME;
-	}
-	message->destroy(message);
-
-	return retransmit(this, this->initiating.mid);
-}
-
-/**
- * handle an incoming response message
- */
-static status_t process_response(private_task_manager_t *this,
-								 message_t *message)
-{
-	iterator_t *iterator;
-	task_t *task;
-
-	if (message->get_exchange_type(message) != this->initiating.type)
-	{
-		DBG1(DBG_IKE, "received %N response, but expected %N",
-			 exchange_type_names, message->get_exchange_type(message),
-			 exchange_type_names, this->initiating.type);
-		charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
-		return DESTROY_ME;
-	}
-
-	/* catch if we get resetted while processing */
-	this->reset = FALSE;
-	iterator = this->active_tasks->create_iterator(this->active_tasks, TRUE);
-	while (iterator->iterate(iterator, (void*)&task))
-	{
-		switch (task->process(task, message))
-		{
-			case SUCCESS:
-				/* task completed, remove it */
-				iterator->remove(iterator);
-				task->destroy(task);
-				break;
-			case NEED_MORE:
-				/* processed, but task needs another exchange */
-				break;
-			case FAILED:
-			default:
-				charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
-				/* FALL */
-			case DESTROY_ME:
-				/* critical failure, destroy IKE_SA */
-				iterator->remove(iterator);
-				iterator->destroy(iterator);
-				task->destroy(task);
-				return DESTROY_ME;
-		}
-		if (this->reset)
-		{	/* start all over again if we were reset */
-			this->reset = FALSE;
-			iterator->destroy(iterator);
-			return build_request(this);
-		}
-	}
-	iterator->destroy(iterator);
-
-	this->initiating.mid++;
-	this->initiating.type = EXCHANGE_TYPE_UNDEFINED;
-	this->initiating.packet->destroy(this->initiating.packet);
-	this->initiating.packet = NULL;
-
-	return build_request(this);
-}
-
-/**
- * handle exchange collisions
- */
-static void handle_collisions(private_task_manager_t *this, task_t *task)
-{
-	iterator_t *iterator;
-	task_t *active;
-	task_type_t type;
-
-	type = task->get_type(task);
-
-	/* do we have to check  */
-	if (type == IKE_REKEY || type == CHILD_REKEY ||
-		type == CHILD_DELETE || type == IKE_DELETE || type == IKE_REAUTH)
-	{
-		/* find an exchange collision, and notify these tasks */
-		iterator = this->active_tasks->create_iterator(this->active_tasks, TRUE);
-		while (iterator->iterate(iterator, (void**)&active))
-		{
-			switch (active->get_type(active))
-			{
-				case IKE_REKEY:
-					if (type == IKE_REKEY || type == IKE_DELETE ||
-						type == IKE_REAUTH)
-					{
-						ike_rekey_t *rekey = (ike_rekey_t*)active;
-						rekey->collide(rekey, task);
-						break;
-					}
-					continue;
-				case CHILD_REKEY:
-					if (type == CHILD_REKEY || type == CHILD_DELETE)
-					{
-						child_rekey_t *rekey = (child_rekey_t*)active;
-						rekey->collide(rekey, task);
-						break;
-					}
-					continue;
-				default:
-					continue;
-			}
-			iterator->destroy(iterator);
-			return;
-		}
-		iterator->destroy(iterator);
-	}
-	/* destroy task if not registered in any active task */
-	task->destroy(task);
-}
-
-/**
- * build a response depending on the "passive" task list
- */
-static status_t build_response(private_task_manager_t *this, message_t *request)
-{
-	iterator_t *iterator;
-	task_t *task;
-	message_t *message;
-	host_t *me, *other;
-	bool delete = FALSE;
-	status_t status;
-
-	me = request->get_destination(request);
-	other = request->get_source(request);
-
-	message = message_create();
-	message->set_exchange_type(message, request->get_exchange_type(request));
-	/* send response along the path the request came in */
-	message->set_source(message, me->clone(me));
-	message->set_destination(message, other->clone(other));
-	message->set_message_id(message, this->responding.mid);
-	message->set_request(message, FALSE);
-
-	iterator = this->passive_tasks->create_iterator(this->passive_tasks, TRUE);
-	while (iterator->iterate(iterator, (void*)&task))
-	{
-		switch (task->build(task, message))
-		{
-			case SUCCESS:
-				/* task completed, remove it */
-				iterator->remove(iterator);
-				handle_collisions(this, task);
-			case NEED_MORE:
-				/* processed, but task needs another exchange */
-				break;
-			case FAILED:
-			default:
-				charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
-				/* FALL */
-			case DESTROY_ME:
-				/* destroy IKE_SA, but SEND response first */
-				delete = TRUE;
-				break;
-		}
-		if (delete)
-		{
-			break;
-		}
-	}
-	iterator->destroy(iterator);
-
-	/* remove resonder SPI if IKE_SA_INIT failed */
-	if (delete && request->get_exchange_type(request) == IKE_SA_INIT)
-	{
-		ike_sa_id_t *id = this->ike_sa->get_id(this->ike_sa);
-		id->set_responder_spi(id, 0);
-	}
-
-	/* message complete, send it */
-	DESTROY_IF(this->responding.packet);
-	this->responding.packet = NULL;
-	charon->bus->message(charon->bus, message, FALSE);
-	status = this->ike_sa->generate_message(this->ike_sa, message,
-											&this->responding.packet);
-	message->destroy(message);
-	if (status != SUCCESS)
-	{
-		charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
-		return DESTROY_ME;
-	}
-
-	charon->sender->send(charon->sender,
-						 this->responding.packet->clone(this->responding.packet));
-	if (delete)
-	{
-		return DESTROY_ME;
-	}
-	return SUCCESS;
-}
-
-/**
- * handle an incoming request message
- */
-static status_t process_request(private_task_manager_t *this,
-								message_t *message)
-{
-	enumerator_t *enumerator;
-	iterator_t *iterator;
-	task_t *task = NULL;
-	payload_t *payload;
-	notify_payload_t *notify;
-	delete_payload_t *delete;
-
-	if (this->passive_tasks->get_count(this->passive_tasks) == 0)
-	{	/* create tasks depending on request type, if not already some queued */
-		switch (message->get_exchange_type(message))
-		{
-			case IKE_SA_INIT:
-			{
-				task = (task_t*)ike_init_create(this->ike_sa, FALSE, NULL);
-				this->passive_tasks->insert_last(this->passive_tasks, task);
-				task = (task_t*)ike_vendor_create(this->ike_sa, FALSE);
-				this->passive_tasks->insert_last(this->passive_tasks, task);
-				task = (task_t*)ike_natd_create(this->ike_sa, FALSE);
-				this->passive_tasks->insert_last(this->passive_tasks, task);
-				task = (task_t*)ike_cert_pre_create(this->ike_sa, FALSE);
-				this->passive_tasks->insert_last(this->passive_tasks, task);
-#ifdef ME
-				task = (task_t*)ike_me_create(this->ike_sa, FALSE);
-				this->passive_tasks->insert_last(this->passive_tasks, task);
-#endif /* ME */
-				task = (task_t*)ike_auth_create(this->ike_sa, FALSE);
-				this->passive_tasks->insert_last(this->passive_tasks, task);
-				task = (task_t*)ike_cert_post_create(this->ike_sa, FALSE);
-				this->passive_tasks->insert_last(this->passive_tasks, task);
-				task = (task_t*)ike_config_create(this->ike_sa, FALSE);
-				this->passive_tasks->insert_last(this->passive_tasks, task);
-				task = (task_t*)child_create_create(this->ike_sa, NULL, FALSE,
-													NULL, NULL);
-				this->passive_tasks->insert_last(this->passive_tasks, task);
-				task = (task_t*)ike_auth_lifetime_create(this->ike_sa, FALSE);
-				this->passive_tasks->insert_last(this->passive_tasks, task);
-				task = (task_t*)ike_mobike_create(this->ike_sa, FALSE);
-				this->passive_tasks->insert_last(this->passive_tasks, task);
-				break;
-			}
-			case CREATE_CHILD_SA:
-			{	/* FIXME: we should prevent this on mediation connections */
-				bool notify_found = FALSE, ts_found = FALSE;
-				enumerator = message->create_payload_enumerator(message);
-				while (enumerator->enumerate(enumerator, &payload))
-				{
-					switch (payload->get_type(payload))
-					{
-						case NOTIFY:
-						{	/* if we find a rekey notify, its CHILD_SA rekeying */
-							notify = (notify_payload_t*)payload;
-							if (notify->get_notify_type(notify) == REKEY_SA &&
-								(notify->get_protocol_id(notify) == PROTO_AH ||
-								 notify->get_protocol_id(notify) == PROTO_ESP))
-							{
-								notify_found = TRUE;
-							}
-							break;
-						}
-						case TRAFFIC_SELECTOR_INITIATOR:
-						case TRAFFIC_SELECTOR_RESPONDER:
-						{	/* if we don't find a TS, its IKE rekeying */
-							ts_found = TRUE;
-							break;
-						}
-						default:
-							break;
-					}
-				}
-				enumerator->destroy(enumerator);
-
-				if (ts_found)
-				{
-					if (notify_found)
-					{
-						task = (task_t*)child_rekey_create(this->ike_sa,
-														   PROTO_NONE, 0);
-					}
-					else
-					{
-						task = (task_t*)child_create_create(this->ike_sa, NULL,
-															FALSE, NULL, NULL);
-					}
-				}
-				else
-				{
-					task = (task_t*)ike_rekey_create(this->ike_sa, FALSE);
-				}
-				this->passive_tasks->insert_last(this->passive_tasks, task);
-				break;
-			}
-			case INFORMATIONAL:
-			{
-				enumerator = message->create_payload_enumerator(message);
-				while (enumerator->enumerate(enumerator, &payload))
-				{
-					switch (payload->get_type(payload))
-					{
-						case NOTIFY:
-						{
-							notify = (notify_payload_t*)payload;
-							switch (notify->get_notify_type(notify))
-							{
-								case ADDITIONAL_IP4_ADDRESS:
-								case ADDITIONAL_IP6_ADDRESS:
-								case NO_ADDITIONAL_ADDRESSES:
-								case UPDATE_SA_ADDRESSES:
-								case NO_NATS_ALLOWED:
-								case UNACCEPTABLE_ADDRESSES:
-								case UNEXPECTED_NAT_DETECTED:
-								case COOKIE2:
-								case NAT_DETECTION_SOURCE_IP:
-								case NAT_DETECTION_DESTINATION_IP:
-									task = (task_t*)ike_mobike_create(
-															this->ike_sa, FALSE);
-									break;
-								case AUTH_LIFETIME:
-									task = (task_t*)ike_auth_lifetime_create(
-															this->ike_sa, FALSE);
-									break;
-								default:
-									break;
-							}
-							break;
-						}
-						case DELETE:
-						{
-							delete = (delete_payload_t*)payload;
-							if (delete->get_protocol_id(delete) == PROTO_IKE)
-							{
-								task = (task_t*)ike_delete_create(this->ike_sa,
-																FALSE);
-							}
-							else
-							{
-								task = (task_t*)child_delete_create(this->ike_sa,
-																PROTO_NONE, 0);
-							}
-							break;
-						}
-						default:
-							break;
-					}
-					if (task)
-					{
-						break;
-					}
-				}
-				enumerator->destroy(enumerator);
-
-				if (task == NULL)
-				{
-					task = (task_t*)ike_dpd_create(FALSE);
-				}
-				this->passive_tasks->insert_last(this->passive_tasks, task);
-				break;
-			}
-#ifdef ME
-			case ME_CONNECT:
-			{
-				task = (task_t*)ike_me_create(this->ike_sa, FALSE);
-				this->passive_tasks->insert_last(this->passive_tasks, task);
-			}
-#endif /* ME */
-			default:
-				break;
-		}
-	}
-
-	/* let the tasks process the message */
-	iterator = this->passive_tasks->create_iterator(this->passive_tasks, TRUE);
-	while (iterator->iterate(iterator, (void*)&task))
-	{
-		switch (task->process(task, message))
-		{
-			case SUCCESS:
-				/* task completed, remove it */
-				iterator->remove(iterator);
-				task->destroy(task);
-				break;
-			case NEED_MORE:
-				/* processed, but task needs at least another call to build() */
-				break;
-			case FAILED:
-			default:
-				charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
-				/* FALL */
-			case DESTROY_ME:
-				/* critical failure, destroy IKE_SA */
-				iterator->remove(iterator);
-				iterator->destroy(iterator);
-				task->destroy(task);
-				return DESTROY_ME;
-		}
-	}
-	iterator->destroy(iterator);
-
-	return build_response(this, message);
-}
-
-/**
- * Implementation of task_manager_t.process_message
- */
-static status_t process_message(private_task_manager_t *this, message_t *msg)
-{
-	u_int32_t mid = msg->get_message_id(msg);
-
-	if (msg->get_request(msg))
-	{
-		if (mid == this->responding.mid)
-		{
-			charon->bus->message(charon->bus, msg, TRUE);
-			if (process_request(this, msg) != SUCCESS)
-			{
-				flush(this);
-				return DESTROY_ME;
-			}
-			this->responding.mid++;
-		}
-		else if ((mid == this->responding.mid - 1) && this->responding.packet)
-		{
-			packet_t *clone;
-			host_t *me, *other;
-
-			DBG1(DBG_IKE, "received retransmit of request with ID %d, "
-				 "retransmitting response", mid);
-			clone = this->responding.packet->clone(this->responding.packet);
-			me = msg->get_destination(msg);
-			other = msg->get_source(msg);
-			clone->set_source(clone, me->clone(me));
-			clone->set_destination(clone, other->clone(other));
-			charon->sender->send(charon->sender, clone);
-		}
-		else
-		{
-			DBG1(DBG_IKE, "received message ID %d, expected %d. Ignored",
-				 mid, this->responding.mid);
-		}
-	}
-	else
-	{
-		if (mid == this->initiating.mid)
-		{
-			if (process_response(this, msg) != SUCCESS)
-			{
-				flush(this);
-				return DESTROY_ME;
-			}
-		}
-		else
-		{
-			DBG1(DBG_IKE, "received message ID %d, expected %d. Ignored",
-				 mid, this->initiating.mid);
-			return SUCCESS;
-		}
-	}
-	return SUCCESS;
-}
-
-/**
- * Implementation of task_manager_t.queue_task
- */
-static void queue_task(private_task_manager_t *this, task_t *task)
-{
-	if (task->get_type(task) == IKE_MOBIKE)
-	{	/*  there is no need to queue more than one mobike task */
-		iterator_t *iterator;
-		task_t *current;
-
-		iterator = this->queued_tasks->create_iterator(this->queued_tasks, TRUE);
-		while (iterator->iterate(iterator, (void**)&current))
-		{
-			if (current->get_type(current) == IKE_MOBIKE)
-			{
-				iterator->destroy(iterator);
-				task->destroy(task);
-				return;
-			}
-		}
-		iterator->destroy(iterator);
-	}
-	DBG2(DBG_IKE, "queueing %N task", task_type_names, task->get_type(task));
-	this->queued_tasks->insert_last(this->queued_tasks, task);
-}
-
-/**
- * Implementation of task_manager_t.adopt_tasks
- */
-static void adopt_tasks(private_task_manager_t *this, private_task_manager_t *other)
-{
-	task_t *task;
-
-	/* move queued tasks from other to this */
-	while (other->queued_tasks->remove_last(other->queued_tasks,
-												(void**)&task) == SUCCESS)
-	{
-		DBG2(DBG_IKE, "migrating %N task", task_type_names, task->get_type(task));
-		task->migrate(task, this->ike_sa);
-		this->queued_tasks->insert_first(this->queued_tasks, task);
-	}
-}
-
-/**
- * Implementation of task_manager_t.busy
- */
-static bool busy(private_task_manager_t *this)
-{
-	return (this->active_tasks->get_count(this->active_tasks) > 0);
-}
-
-/**
- * Implementation of task_manager_t.reset
- */
-static void reset(private_task_manager_t *this,
-				  u_int32_t initiate, u_int32_t respond)
-{
-	task_t *task;
-
-	/* reset message counters and retransmit packets */
-	DESTROY_IF(this->responding.packet);
-	DESTROY_IF(this->initiating.packet);
-	this->responding.packet = NULL;
-	this->initiating.packet = NULL;
-	if (initiate != UINT_MAX)
-	{
-		this->initiating.mid = initiate;
-	}
-	if (respond != UINT_MAX)
-	{
-		this->responding.mid = respond;
-	}
-	this->initiating.type = EXCHANGE_TYPE_UNDEFINED;
-
-	/* reset active tasks */
-	while (this->active_tasks->remove_last(this->active_tasks,
-										   (void**)&task) == SUCCESS)
-	{
-		task->migrate(task, this->ike_sa);
-		this->queued_tasks->insert_first(this->queued_tasks, task);
-	}
-
-	this->reset = TRUE;
-}
-
-/**
- * Implementation of task_manager_t.destroy
- */
-static void destroy(private_task_manager_t *this)
-{
-	flush(this);
-
-	this->active_tasks->destroy(this->active_tasks);
-	this->queued_tasks->destroy(this->queued_tasks);
-	this->passive_tasks->destroy(this->passive_tasks);
-
-	DESTROY_IF(this->responding.packet);
-	DESTROY_IF(this->initiating.packet);
-	free(this);
-}
-
-/*
- * see header file
- */
-task_manager_t *task_manager_create(ike_sa_t *ike_sa)
-{
-	private_task_manager_t *this = malloc_thing(private_task_manager_t);
-
-	this->public.process_message = (status_t(*)(task_manager_t*,message_t*))process_message;
-	this->public.queue_task = (void(*)(task_manager_t*,task_t*))queue_task;
-	this->public.initiate = (status_t(*)(task_manager_t*))build_request;
-	this->public.retransmit = (status_t(*)(task_manager_t*,u_int32_t))retransmit;
-	this->public.reset = (void(*)(task_manager_t*,u_int32_t,u_int32_t))reset;
-	this->public.adopt_tasks = (void(*)(task_manager_t*,task_manager_t*))adopt_tasks;
-	this->public.busy = (bool(*)(task_manager_t*))busy;
-	this->public.destroy = (void(*)(task_manager_t*))destroy;
-
-	this->ike_sa = ike_sa;
-	this->responding.packet = NULL;
-	this->initiating.packet = NULL;
-	this->responding.mid = 0;
-	this->initiating.mid = 0;
-	this->initiating.type = EXCHANGE_TYPE_UNDEFINED;
-	this->queued_tasks = linked_list_create();
-	this->active_tasks = linked_list_create();
-	this->passive_tasks = linked_list_create();
-	this->reset = FALSE;
-
-	this->retransmit_tries = lib->settings->get_int(lib->settings,
-								"charon.retransmit_tries", RETRANSMIT_TRIES);
-	this->retransmit_timeout = lib->settings->get_double(lib->settings,
-								"charon.retransmit_timeout", RETRANSMIT_TIMEOUT);
-	this->retransmit_base = lib->settings->get_double(lib->settings,
-								"charon.retransmit_base", RETRANSMIT_BASE);
-
-	return &this->public;
-}
-
diff --git a/src/charon/sa/task_manager.h b/src/charon/sa/task_manager.h
deleted file mode 100644
index 731ed4898..000000000
--- a/src/charon/sa/task_manager.h
+++ /dev/null
@@ -1,173 +0,0 @@
-/*
- * Copyright (C) 2006 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup task_manager task_manager
- * @{ @ingroup sa
- */
-
-#ifndef TASK_MANAGER_H_
-#define TASK_MANAGER_H_
-
-typedef struct task_manager_t task_manager_t;
-
-#include <limits.h>
-
-#include <library.h>
-#include <encoding/message.h>
-#include <sa/ike_sa.h>
-#include <sa/tasks/task.h>
-
-/**
- * First retransmit timeout in seconds.
- */
-#define RETRANSMIT_TIMEOUT 4.0
-
-/**
- * Base which is raised to the power of the retransmission try.
- */
-#define RETRANSMIT_BASE 1.8
-
-/**
- * Number of retransmits done before giving up.
- */
-#define RETRANSMIT_TRIES 5
-
-/**
- * Interval for mobike routability checks in ms.
- */
-#define ROUTEABILITY_CHECK_INTERVAL 2500
-
-/**
- * Number of routability checks before giving up
- */
-#define ROUTEABILITY_CHECK_TRIES 10
-
-
-/**
- * The task manager, juggles task and handles message exchanges.
- *
- * On incoming requests, the task manager creates new tasks on demand and
- * juggles the request through all available tasks. Each task inspects the
- * request and adds payloads as necessary to the response.
- * On outgoing requests, the task manager delivers the request through the tasks
- * to build it, the response gets processed by each task to complete.
- * The task manager has an internal Queue to store task which should get
- * completed.
- * For the initial IKE_SA setup, several tasks are queued: One for the
- * unauthenticated IKE_SA setup, one for authentication, one for CHILD_SA setup
- * and maybe one for virtual IP assignement.
- * The task manager is also responsible for retransmission. It uses a backoff
- * algorithm. The timeout is calculated using
- * RETRANSMIT_TIMEOUT * (RETRANSMIT_BASE ** try).
- * When try reaches RETRANSMIT_TRIES, retransmission is given up.
- *
- * Using an initial TIMEOUT of 4s, a BASE of 1.8, and 5 TRIES gives us:
- * @verbatim
-                   | relative | absolute
-   ---------------------------------------------------------
-   4s * (1.8 ** 0) =    4s         4s
-   4s * (1.8 ** 1) =    7s        11s
-   4s * (1.8 ** 2) =   13s        24s
-   4s * (1.8 ** 3) =   23s        47s
-   4s * (1.8 ** 4) =   42s        89s
-   4s * (1.8 ** 5) =   76s       165s
-
-   @endverbatim
- * The peer is considered dead after 2min 45s when no reply comes in.
- */
-struct task_manager_t {
-
-	/**
-	 * Process an incoming message.
-	 *
-	 * @param message		message to add payloads to
-	 * @return
-	 *						- DESTROY_ME if IKE_SA must be closed
-	 *						- SUCCESS otherwise
-	 */
-	status_t (*process_message) (task_manager_t *this, message_t *message);
-
-	/**
-	 * Initiate an exchange with the currently queued tasks.
-	 */
-	status_t (*initiate) (task_manager_t *this);
-
-	/**
-	 * Queue a task in the manager.
-	 *
-	 * @param task			task to queue
-	 */
-	void (*queue_task) (task_manager_t *this, task_t *task);
-
-	/**
-	 * Retransmit a request if it hasn't been acknowledged yet.
-	 *
-	 * A return value of INVALID_STATE means that the message was already
-	 * acknowledged and has not to be retransmitted. A return value of SUCCESS
-	 * means retransmission was required and the message has been resent.
-	 *
-	 * @param message_id	ID of the message to retransmit
-	 * @return
-	 *						- INVALID_STATE if retransmission not required
-	 *						- SUCCESS if retransmission sent
-	 */
-	status_t (*retransmit) (task_manager_t *this, u_int32_t message_id);
-
-	/**
-	 * Migrate all tasks from other to this.
-	 *
-	 * To rekey or reestablish an IKE_SA completely, all queued or active
-	 * tasks should get migrated to the new IKE_SA.
-	 *
-	 * @param other			manager which gives away its tasks
-	 */
-	void (*adopt_tasks) (task_manager_t *this, task_manager_t *other);
-
-	/**
-	 * Reset message ID counters of the task manager.
-	 *
-	 * The IKEv2 protocol requires to restart exchanges with message IDs
-	 * reset to zero (INVALID_KE_PAYLOAD, COOKIES, ...). The reset() method
-	 * resets the message IDs and resets all active tasks using the migrate()
-	 * method.
-	 * Use a value of UINT_MAX to keep the current message ID.
-	 *
-	 * @param initiate		message ID to initiate exchanges (send)
-	 * @param respond		message ID to respond to exchanges (expect)
-	 */
-	void (*reset) (task_manager_t *this, u_int32_t initiate, u_int32_t respond);
-
-	/**
-	 * Check if we are currently waiting for a reply.
-	 *
-	 * @return				TRUE if we are waiting, FALSE otherwise
-	 */
-	bool (*busy) (task_manager_t *this);
-
-	/**
-	 * Destroy the task_manager_t.
-	 */
-	void (*destroy) (task_manager_t *this);
-};
-
-/**
- * Create an instance of the task manager.
- *
- * @param ike_sa		IKE_SA to manage.
- */
-task_manager_t *task_manager_create(ike_sa_t *ike_sa);
-
-#endif /** TASK_MANAGER_H_ @}*/
diff --git a/src/charon/sa/tasks/child_create.c b/src/charon/sa/tasks/child_create.c
deleted file mode 100644
index 3f002f263..000000000
--- a/src/charon/sa/tasks/child_create.c
+++ /dev/null
@@ -1,1351 +0,0 @@
-/*
- * Copyright (C) 2008 Tobias Brunner
- * Copyright (C) 2005-2008 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "child_create.h"
-
-#include <daemon.h>
-#include <crypto/diffie_hellman.h>
-#include <credentials/certificates/x509.h>
-#include <encoding/payloads/sa_payload.h>
-#include <encoding/payloads/ke_payload.h>
-#include <encoding/payloads/ts_payload.h>
-#include <encoding/payloads/nonce_payload.h>
-#include <encoding/payloads/notify_payload.h>
-#include <processing/jobs/delete_ike_sa_job.h>
-#include <processing/jobs/inactivity_job.h>
-
-
-typedef struct private_child_create_t private_child_create_t;
-
-/**
- * Private members of a child_create_t task.
- */
-struct private_child_create_t {
-
-	/**
-	 * Public methods and task_t interface.
-	 */
-	child_create_t public;
-
-	/**
-	 * Assigned IKE_SA.
-	 */
-	ike_sa_t *ike_sa;
-
-	/**
-	 * Are we the initiator?
-	 */
-	bool initiator;
-
-	/**
-	 * nonce chosen by us
-	 */
-	chunk_t my_nonce;
-
-	/**
-	 * nonce chosen by peer
-	 */
-	chunk_t other_nonce;
-
-	/**
-	 * config to create the CHILD_SA from
-	 */
-	child_cfg_t *config;
-
-	/**
-	 * list of proposal candidates
-	 */
-	linked_list_t *proposals;
-
-	/**
-	 * selected proposal to use for CHILD_SA
-	 */
-	proposal_t *proposal;
-
-	/**
-	 * traffic selectors for initiators side
-	 */
-	linked_list_t *tsi;
-
-	/**
-	 * traffic selectors for responders side
-	 */
-	linked_list_t *tsr;
-
-	/**
-	 * source of triggering packet
-	 */
-	traffic_selector_t *packet_tsi;
-
-	/**
-	 * destination of triggering packet
-	 */
-	traffic_selector_t *packet_tsr;
-
-	/**
-	 * optional diffie hellman exchange
-	 */
-	diffie_hellman_t *dh;
-
-	/**
-	 * group used for DH exchange
-	 */
-	diffie_hellman_group_t dh_group;
-
-	/**
-	 * IKE_SAs keymat
-	 */
-	keymat_t *keymat;
-
-	/**
-	 * mode the new CHILD_SA uses (transport/tunnel/beet)
-	 */
-	ipsec_mode_t mode;
-
-	/**
-	 * IPComp transform to use
-	 */
-	ipcomp_transform_t ipcomp;
-
-	/**
-	 * IPComp transform proposed or accepted by the other peer
-	 */
-	ipcomp_transform_t ipcomp_received;
-
-	/**
-	 * Own allocated SPI
-	 */
-	u_int32_t my_spi;
-
-	/**
-	 * SPI received in proposal
-	 */
-	u_int32_t other_spi;
-
-	/**
-	 * Own allocated Compression Parameter Index (CPI)
-	 */
-	u_int16_t my_cpi;
-
-	/**
-	 * Other Compression Parameter Index (CPI), received via IPCOMP_SUPPORTED
-	 */
-	u_int16_t other_cpi;
-
-	/**
-	 * reqid to use if we are rekeying
-	 */
-	u_int32_t reqid;
-
-	/**
-	 * CHILD_SA which gets established
-	 */
-	child_sa_t *child_sa;
-
-	/**
-	 * successfully established the CHILD?
-	 */
-	bool established;
-
-	/**
-	 * whether the CHILD_SA rekeys an existing one
-	 */
-	bool rekey;
-};
-
-/**
- * get the nonce from a message
- */
-static status_t get_nonce(message_t *message, chunk_t *nonce)
-{
-	nonce_payload_t *payload;
-
-	payload = (nonce_payload_t*)message->get_payload(message, NONCE);
-	if (payload == NULL)
-	{
-		return FAILED;
-	}
-	*nonce = payload->get_nonce(payload);
-	return NEED_MORE;
-}
-
-/**
- * generate a new nonce to include in a CREATE_CHILD_SA message
- */
-static status_t generate_nonce(chunk_t *nonce)
-{
-	rng_t *rng;
-
-	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
-	if (!rng)
-	{
-		DBG1(DBG_IKE, "error generating nonce value, no RNG found");
-		return FAILED;
-	}
-	rng->allocate_bytes(rng, NONCE_SIZE, nonce);
-	rng->destroy(rng);
-	return SUCCESS;
-}
-
-/**
- * Check a list of traffic selectors if any selector belongs to host
- */
-static bool ts_list_is_host(linked_list_t *list, host_t *host)
-{
-	traffic_selector_t *ts;
-	bool is_host = TRUE;
-	iterator_t *iterator = list->create_iterator(list, TRUE);
-
-	while (is_host && iterator->iterate(iterator, (void**)&ts))
-	{
-		is_host = is_host && ts->is_host(ts, host);
-	}
-	iterator->destroy(iterator);
-	return is_host;
-}
-
-/**
- * Allocate SPIs and update proposals
- */
-static bool allocate_spi(private_child_create_t *this)
-{
-	enumerator_t *enumerator;
-	proposal_t *proposal;
-
-	/* TODO: allocate additional SPI for AH if we have such proposals */
-	this->my_spi = this->child_sa->alloc_spi(this->child_sa, PROTO_ESP);
-	if (this->my_spi)
-	{
-		if (this->initiator)
-		{
-			enumerator = this->proposals->create_enumerator(this->proposals);
-			while (enumerator->enumerate(enumerator, &proposal))
-			{
-				proposal->set_spi(proposal, this->my_spi);
-			}
-			enumerator->destroy(enumerator);
-		}
-		else
-		{
-			this->proposal->set_spi(this->proposal, this->my_spi);
-		}
-		return TRUE;
-	}
-	return FALSE;
-}
-
-/**
- * Schedule inactivity timeout for CHILD_SA with reqid, if enabled
- */
-static void schedule_inactivity_timeout(private_child_create_t *this)
-{
-	u_int32_t timeout;
-	bool close_ike;
-
-	timeout = this->config->get_inactivity(this->config);
-	if (timeout)
-	{
-		close_ike = lib->settings->get_bool(lib->settings,
-										"charon.inactivity_close_ike", FALSE);
-		charon->scheduler->schedule_job(charon->scheduler, (job_t*)
-				inactivity_job_create(this->child_sa->get_reqid(this->child_sa),
-									  timeout, close_ike), timeout);
-	}
-}
-
-/**
- * Install a CHILD_SA for usage, return value:
- * - FAILED: no acceptable proposal
- * - INVALID_ARG: diffie hellman group inacceptable
- * - NOT_FOUND: TS inacceptable
- */
-static status_t select_and_install(private_child_create_t *this, bool no_dh)
-{
-	status_t status, status_i, status_o;
-	chunk_t nonce_i, nonce_r;
-	chunk_t encr_i = chunk_empty, encr_r = chunk_empty;
-	chunk_t integ_i = chunk_empty, integ_r = chunk_empty;
-	linked_list_t *my_ts, *other_ts;
-	host_t *me, *other, *other_vip, *my_vip;
-	bool private;
-
-	if (this->proposals == NULL)
-	{
-		DBG1(DBG_IKE, "SA payload missing in message");
-		return FAILED;
-	}
-	if (this->tsi == NULL || this->tsr == NULL)
-	{
-		DBG1(DBG_IKE, "TS payloads missing in message");
-		return NOT_FOUND;
-	}
-
-	me = this->ike_sa->get_my_host(this->ike_sa);
-	other = this->ike_sa->get_other_host(this->ike_sa);
-	my_vip = this->ike_sa->get_virtual_ip(this->ike_sa, TRUE);
-	other_vip = this->ike_sa->get_virtual_ip(this->ike_sa, FALSE);
-
-	private = this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN);
-	this->proposal = this->config->select_proposal(this->config,
-											this->proposals, no_dh, private);
-	if (this->proposal == NULL)
-	{
-		DBG1(DBG_IKE, "no acceptable proposal found");
-		return FAILED;
-	}
-	this->other_spi = this->proposal->get_spi(this->proposal);
-
-	if (!this->initiator && !allocate_spi(this))
-	{	/* responder has no SPI allocated yet */
-		DBG1(DBG_IKE, "allocating SPI failed");
-		return FAILED;
-	}
-	this->child_sa->set_proposal(this->child_sa, this->proposal);
-
-	if (!this->proposal->has_dh_group(this->proposal, this->dh_group))
-	{
-		u_int16_t group;
-
-		if (this->proposal->get_algorithm(this->proposal, DIFFIE_HELLMAN_GROUP,
-										  &group, NULL))
-		{
-			DBG1(DBG_IKE, "DH group %N inacceptable, requesting %N",
-				 diffie_hellman_group_names, this->dh_group,
-				 diffie_hellman_group_names, group);
-			this->dh_group = group;
-			return INVALID_ARG;
-		}
-		else
-		{
-			DBG1(DBG_IKE, "no acceptable proposal found");
-			return FAILED;
-		}
-	}
-
-	if (my_vip == NULL)
-	{
-		my_vip = me;
-	}
-	if (other_vip == NULL)
-	{
-		other_vip = other;
-	}
-
-	if (this->initiator)
-	{
-		nonce_i = this->my_nonce;
-		nonce_r = this->other_nonce;
-		my_ts = this->tsi;
-		other_ts = this->tsr;
-	}
-	else
-	{
-		nonce_r = this->my_nonce;
-		nonce_i = this->other_nonce;
-		my_ts = this->tsr;
-		other_ts = this->tsi;
-	}
-	my_ts = this->config->get_traffic_selectors(this->config, TRUE, my_ts,
-												my_vip);
-	other_ts = this->config->get_traffic_selectors(this->config, FALSE, other_ts,
-												   other_vip);
-
-	if (my_ts->get_count(my_ts) == 0 || other_ts->get_count(other_ts) == 0)
-	{
-		my_ts->destroy_offset(my_ts, offsetof(traffic_selector_t, destroy));
-		other_ts->destroy_offset(other_ts, offsetof(traffic_selector_t, destroy));
-		DBG1(DBG_IKE, "no acceptable traffic selectors found");
-		return NOT_FOUND;
-	}
-
-	this->tsr->destroy_offset(this->tsr, offsetof(traffic_selector_t, destroy));
-	this->tsi->destroy_offset(this->tsi, offsetof(traffic_selector_t, destroy));
-	if (this->initiator)
-	{
-		this->tsi = my_ts;
-		this->tsr = other_ts;
-	}
-	else
-	{
-		this->tsr = my_ts;
-		this->tsi = other_ts;
-	}
-
-	if (!this->initiator)
-	{
-		/* check if requested mode is acceptable, downgrade if required */
-		switch (this->mode)
-		{
-			case MODE_TRANSPORT:
-				if (!this->config->use_proxy_mode(this->config) &&
-					   (!ts_list_is_host(this->tsi, other) ||
-						!ts_list_is_host(this->tsr, me))
-				   )
-				{
-					this->mode = MODE_TUNNEL;
-					DBG1(DBG_IKE, "not using transport mode, not host-to-host");
-				}
-				else if (this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY))
-				{
-					this->mode = MODE_TUNNEL;
-					DBG1(DBG_IKE, "not using transport mode, connection NATed");
-				}
-				break;
-			case MODE_BEET:
-				if (!ts_list_is_host(this->tsi, NULL) ||
-					!ts_list_is_host(this->tsr, NULL))
-				{
-					this->mode = MODE_TUNNEL;
-					DBG1(DBG_IKE, "not using BEET mode, not host-to-host");
-				}
-				break;
-			default:
-				break;
-		}
-	}
-
-	/* check for any certificate-based IP address block constraints */
-	if (this->mode == MODE_BEET || this->mode == MODE_TUNNEL)
-	{
-		auth_cfg_t *auth;
-		enumerator_t *auth_enum;
-		certificate_t *cert = NULL;
-
-		auth_enum = this->ike_sa->create_auth_cfg_enumerator(this->ike_sa, FALSE);
-		while (auth_enum->enumerate(auth_enum, &auth))
-		{
-			cert = auth->get(auth, AUTH_HELPER_SUBJECT_CERT);
-			if (cert)
-			{
-				break;
-			}
-		}
-		auth_enum->destroy(auth_enum);
-
-		if (cert && cert->get_type(cert) == CERT_X509)
-		{
-			x509_t *x509 = (x509_t*)cert;
-
-			if (x509->get_flags(x509) & X509_IP_ADDR_BLOCKS)
-			{
-				enumerator_t *enumerator, *block_enum;
-				traffic_selector_t *ts, *block_ts;
-
-				DBG1(DBG_IKE, "checking certificate-based traffic selector "
-							  "constraints [RFC 3779]");
-				enumerator = other_ts->create_enumerator(other_ts);
-				while (enumerator->enumerate(enumerator, &ts))
-				{
-					bool contained = FALSE;
-
-					block_enum = x509->create_ipAddrBlock_enumerator(x509);
-					while (block_enum->enumerate(block_enum, &block_ts))
-					{
-						if (ts->is_contained_in(ts, block_ts))
-						{
-							DBG1(DBG_IKE, "  TS %R is contained in address block"
-										  " constraint %R", ts, block_ts);
-							contained = TRUE;
-							break;
-						}
-					}
-					block_enum->destroy(block_enum);
-
-					if (!contained)
-					{
-						DBG1(DBG_IKE, "  TS %R is not contained in any"
-									  " address block constraint", ts);
-						enumerator->destroy(enumerator);
-						return FAILED;
-					}
-				}
-				enumerator->destroy(enumerator);
-			}
-		}
-	}
-
-	this->child_sa->set_state(this->child_sa, CHILD_INSTALLING);
-	this->child_sa->set_ipcomp(this->child_sa, this->ipcomp);
-	this->child_sa->set_mode(this->child_sa, this->mode);
-	this->child_sa->set_protocol(this->child_sa,
-								 this->proposal->get_protocol(this->proposal));
-
-	if (this->my_cpi == 0 || this->other_cpi == 0 || this->ipcomp == IPCOMP_NONE)
-	{
-		this->my_cpi = this->other_cpi = 0;
-		this->ipcomp = IPCOMP_NONE;
-	}
-	status_i = status_o = FAILED;
-	if (this->keymat->derive_child_keys(this->keymat, this->proposal,
-			this->dh, nonce_i, nonce_r, &encr_i, &integ_i, &encr_r, &integ_r))
-	{
-		if (this->initiator)
-		{
-			status_i = this->child_sa->install(this->child_sa, encr_r, integ_r,
-					this->my_spi, this->my_cpi, TRUE, my_ts, other_ts);
-			status_o = this->child_sa->install(this->child_sa, encr_i, integ_i,
-					this->other_spi, this->other_cpi, FALSE, my_ts, other_ts);
-		}
-		else
-		{
-			status_i = this->child_sa->install(this->child_sa, encr_i, integ_i,
-					this->my_spi, this->my_cpi, TRUE, my_ts, other_ts);
-			status_o = this->child_sa->install(this->child_sa, encr_r, integ_r,
-					this->other_spi, this->other_cpi, FALSE, my_ts, other_ts);
-		}
-	}
-	chunk_clear(&integ_i);
-	chunk_clear(&integ_r);
-	chunk_clear(&encr_i);
-	chunk_clear(&encr_r);
-
-	if (status_i != SUCCESS || status_o != SUCCESS)
-	{
-		DBG1(DBG_IKE, "unable to install %s%s%sIPsec SA (SAD) in kernel",
-			(status_i != SUCCESS) ? "inbound " : "",
-			(status_i != SUCCESS && status_o != SUCCESS) ? "and ": "",
-			(status_o != SUCCESS) ? "outbound " : "");
-		return FAILED;
-	}
-
-	status = this->child_sa->add_policies(this->child_sa, my_ts, other_ts);
-	if (status != SUCCESS)
-	{
-		DBG1(DBG_IKE, "unable to install IPsec policies (SPD) in kernel");
-		return NOT_FOUND;
-	}
-
-	charon->bus->child_keys(charon->bus, this->child_sa, this->dh,
-							nonce_i, nonce_r);
-
-	/* add to IKE_SA, and remove from task */
-	this->child_sa->set_state(this->child_sa, CHILD_INSTALLED);
-	this->ike_sa->add_child_sa(this->ike_sa, this->child_sa);
-	this->established = TRUE;
-
-	if (!this->rekey)
-	{	/* a rekeyed SA uses the same reqid, no need for a new job */
-		schedule_inactivity_timeout(this);
-	}
-	return SUCCESS;
-}
-
-/**
- * build the payloads for the message
- */
-static void build_payloads(private_child_create_t *this, message_t *message)
-{
-	sa_payload_t *sa_payload;
-	nonce_payload_t *nonce_payload;
-	ke_payload_t *ke_payload;
-	ts_payload_t *ts_payload;
-
-	/* add SA payload */
-	if (this->initiator)
-	{
-		sa_payload = sa_payload_create_from_proposal_list(this->proposals);
-	}
-	else
-	{
-		sa_payload = sa_payload_create_from_proposal(this->proposal);
-	}
-	message->add_payload(message, (payload_t*)sa_payload);
-
-	/* add nonce payload if not in IKE_AUTH */
-	if (message->get_exchange_type(message) == CREATE_CHILD_SA)
-	{
-		nonce_payload = nonce_payload_create();
-		nonce_payload->set_nonce(nonce_payload, this->my_nonce);
-		message->add_payload(message, (payload_t*)nonce_payload);
-	}
-
-	/* diffie hellman exchange, if PFS enabled */
-	if (this->dh)
-	{
-		ke_payload = ke_payload_create_from_diffie_hellman(this->dh);
-		message->add_payload(message, (payload_t*)ke_payload);
-	}
-
-	/* add TSi/TSr payloads */
-	ts_payload = ts_payload_create_from_traffic_selectors(TRUE, this->tsi);
-	message->add_payload(message, (payload_t*)ts_payload);
-	ts_payload = ts_payload_create_from_traffic_selectors(FALSE, this->tsr);
-	message->add_payload(message, (payload_t*)ts_payload);
-
-	/* add a notify if we are not in tunnel mode */
-	switch (this->mode)
-	{
-		case MODE_TRANSPORT:
-			message->add_notify(message, FALSE, USE_TRANSPORT_MODE, chunk_empty);
-			break;
-		case MODE_BEET:
-			message->add_notify(message, FALSE, USE_BEET_MODE, chunk_empty);
-			break;
-		default:
-			break;
-	}
-}
-
-/**
- * Adds an IPCOMP_SUPPORTED notify to the message, allocating a CPI
- */
-static void add_ipcomp_notify(private_child_create_t *this,
-								  message_t *message, u_int8_t ipcomp)
-{
-	if (this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY))
-	{
-		DBG1(DBG_IKE, "IPComp is not supported if either peer is natted, "
-			 "IPComp disabled");
-		return;
-	}
-
-	this->my_cpi = this->child_sa->alloc_cpi(this->child_sa);
-	if (this->my_cpi)
-	{
-		this->ipcomp = ipcomp;
-		message->add_notify(message, FALSE, IPCOMP_SUPPORTED,
-							chunk_cata("cc", chunk_from_thing(this->my_cpi),
-									   chunk_from_thing(ipcomp)));
-	}
-	else
-	{
-		DBG1(DBG_IKE, "unable to allocate a CPI from kernel, IPComp disabled");
-	}
-}
-
-/**
- * handle a received notify payload
- */
-static void handle_notify(private_child_create_t *this, notify_payload_t *notify)
-{
-	switch (notify->get_notify_type(notify))
-	{
-		case USE_TRANSPORT_MODE:
-			this->mode = MODE_TRANSPORT;
-			break;
-		case USE_BEET_MODE:
-			if (this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN))
-			{	/* handle private use notify only if we know its meaning */
-				this->mode = MODE_BEET;
-			}
-			else
-			{
-				DBG1(DBG_IKE, "received a notify strongSwan uses for BEET "
-					 "mode, but peer implementation unknown, skipped");
-			}
-			break;
-		case IPCOMP_SUPPORTED:
-		{
-			ipcomp_transform_t ipcomp;
-			u_int16_t cpi;
-			chunk_t data;
-
-			data = notify->get_notification_data(notify);
-			cpi = *(u_int16_t*)data.ptr;
-			ipcomp = (ipcomp_transform_t)(*(data.ptr + 2));
-			switch (ipcomp)
-			{
-				case IPCOMP_DEFLATE:
-					this->other_cpi = cpi;
-					this->ipcomp_received = ipcomp;
-					break;
-				case IPCOMP_LZS:
-				case IPCOMP_LZJH:
-				default:
-					DBG1(DBG_IKE, "received IPCOMP_SUPPORTED notify with a "
-						 "transform ID we don't support %N",
-						 ipcomp_transform_names, ipcomp);
-					break;
-			}
-		}
-		default:
-			break;
-	}
-}
-
-/**
- * Read payloads from message
- */
-static void process_payloads(private_child_create_t *this, message_t *message)
-{
-	enumerator_t *enumerator;
-	payload_t *payload;
-	sa_payload_t *sa_payload;
-	ke_payload_t *ke_payload;
-	ts_payload_t *ts_payload;
-
-	/* defaults to TUNNEL mode */
-	this->mode = MODE_TUNNEL;
-
-	enumerator = message->create_payload_enumerator(message);
-	while (enumerator->enumerate(enumerator, &payload))
-	{
-		switch (payload->get_type(payload))
-		{
-			case SECURITY_ASSOCIATION:
-				sa_payload = (sa_payload_t*)payload;
-				this->proposals = sa_payload->get_proposals(sa_payload);
-				break;
-			case KEY_EXCHANGE:
-				ke_payload = (ke_payload_t*)payload;
-				if (!this->initiator)
-				{
-					this->dh_group = ke_payload->get_dh_group_number(ke_payload);
-					this->dh = this->keymat->create_dh(this->keymat, this->dh_group);
-				}
-				if (this->dh)
-				{
-					this->dh->set_other_public_value(this->dh,
-								ke_payload->get_key_exchange_data(ke_payload));
-				}
-				break;
-			case TRAFFIC_SELECTOR_INITIATOR:
-				ts_payload = (ts_payload_t*)payload;
-				this->tsi = ts_payload->get_traffic_selectors(ts_payload);
-				break;
-			case TRAFFIC_SELECTOR_RESPONDER:
-				ts_payload = (ts_payload_t*)payload;
-				this->tsr = ts_payload->get_traffic_selectors(ts_payload);
-				break;
-			case NOTIFY:
-				handle_notify(this, (notify_payload_t*)payload);
-				break;
-			default:
-				break;
-		}
-	}
-	enumerator->destroy(enumerator);
-}
-
-/**
- * Implementation of task_t.build for initiator
- */
-static status_t build_i(private_child_create_t *this, message_t *message)
-{
-	host_t *me, *other, *vip;
-	peer_cfg_t *peer_cfg;
-
-	switch (message->get_exchange_type(message))
-	{
-		case IKE_SA_INIT:
-			return get_nonce(message, &this->my_nonce);
-		case CREATE_CHILD_SA:
-			if (generate_nonce(&this->my_nonce) != SUCCESS)
-			{
-				message->add_notify(message, FALSE, NO_PROPOSAL_CHOSEN, chunk_empty);
-				return SUCCESS;
-			}
-			if (this->dh_group == MODP_NONE)
-			{
-				this->dh_group = this->config->get_dh_group(this->config);
-			}
-			break;
-		case IKE_AUTH:
-			if (message->get_message_id(message) != 1)
-			{
-				/* send only in the first request, not in subsequent rounds */
-				return NEED_MORE;
-			}
-			break;
-		default:
-			break;
-	}
-
-	if (this->reqid)
-	{
-		DBG0(DBG_IKE, "establishing CHILD_SA %s{%d}",
-			 this->config->get_name(this->config), this->reqid);
-	}
-	else
-	{
-		DBG0(DBG_IKE, "establishing CHILD_SA %s",
-			 this->config->get_name(this->config));
-	}
-
-	/* reuse virtual IP if we already have one */
-	me = this->ike_sa->get_virtual_ip(this->ike_sa, TRUE);
-	if (me == NULL)
-	{
-		me = this->ike_sa->get_my_host(this->ike_sa);
-	}
-	other = this->ike_sa->get_virtual_ip(this->ike_sa, FALSE);
-	if (other == NULL)
-	{
-		other = this->ike_sa->get_other_host(this->ike_sa);
-	}
-
-	/* check if we want a virtual IP, but don't have one */
-	peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
-	vip = peer_cfg->get_virtual_ip(peer_cfg);
-	if (!this->reqid && vip)
-	{
-		/* propose a 0.0.0.0/0 or ::/0 subnet when we use virtual ip */
-		vip = host_create_any(vip->get_family(vip));
-		this->tsi = this->config->get_traffic_selectors(this->config, TRUE,
-														NULL, vip);
-		vip->destroy(vip);
-	}
-	else
-	{	/* but narrow it for host2host / if we already have a vip */
-		this->tsi = this->config->get_traffic_selectors(this->config, TRUE,
-														NULL, me);
-	}
-	this->tsr = this->config->get_traffic_selectors(this->config, FALSE,
-													NULL, other);
-
-	if (this->packet_tsi)
-	{
-		this->tsi->insert_first(this->tsi,
-								this->packet_tsi->clone(this->packet_tsi));
-	}
-	if (this->packet_tsr)
-	{
-		this->tsr->insert_first(this->tsr,
-								this->packet_tsr->clone(this->packet_tsr));
-	}
-	this->proposals = this->config->get_proposals(this->config,
-												  this->dh_group == MODP_NONE);
-	this->mode = this->config->get_mode(this->config);
-	if (this->mode == MODE_TRANSPORT &&
-		this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY))
-	{
-		this->mode = MODE_TUNNEL;
-		DBG1(DBG_IKE, "not using transport mode, connection NATed");
-	}
-
-	this->child_sa = child_sa_create(this->ike_sa->get_my_host(this->ike_sa),
-			this->ike_sa->get_other_host(this->ike_sa), this->config, this->reqid,
-			this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY));
-
-	if (!allocate_spi(this))
-	{
-		DBG1(DBG_IKE, "unable to allocate SPIs from kernel");
-		return FAILED;
-	}
-
-	if (this->dh_group != MODP_NONE)
-	{
-		this->dh = this->keymat->create_dh(this->keymat, this->dh_group);
-	}
-
-	if (this->config->use_ipcomp(this->config))
-	{
-		/* IPCOMP_DEFLATE is the only transform we support at the moment */
-		add_ipcomp_notify(this, message, IPCOMP_DEFLATE);
-	}
-
-	build_payloads(this, message);
-
-	this->tsi->destroy_offset(this->tsi, offsetof(traffic_selector_t, destroy));
-	this->tsr->destroy_offset(this->tsr, offsetof(traffic_selector_t, destroy));
-	this->proposals->destroy_offset(this->proposals, offsetof(proposal_t, destroy));
-	this->tsi = NULL;
-	this->tsr = NULL;
-	this->proposals = NULL;
-
-	return NEED_MORE;
-}
-
-/**
- * Implementation of task_t.process for responder
- */
-static status_t process_r(private_child_create_t *this, message_t *message)
-{
-	switch (message->get_exchange_type(message))
-	{
-		case IKE_SA_INIT:
-			return get_nonce(message, &this->other_nonce);
-		case CREATE_CHILD_SA:
-			get_nonce(message, &this->other_nonce);
-			break;
-		case IKE_AUTH:
-			if (message->get_message_id(message) != 1)
-			{
-				/* only handle first AUTH payload, not additional rounds */
-				return NEED_MORE;
-			}
-		default:
-			break;
-	}
-
-	process_payloads(this, message);
-
-	return NEED_MORE;
-}
-
-/**
- * handle CHILD_SA setup failure
- */
-static void handle_child_sa_failure(private_child_create_t *this,
-									message_t *message)
-{
-	if (message->get_exchange_type(message) == IKE_AUTH &&
-		lib->settings->get_bool(lib->settings,
-								"charon.close_ike_on_child_failure", FALSE))
-	{
-		/* we delay the delete for 100ms, as the IKE_AUTH response must arrive
-		 * first */
-		DBG1(DBG_IKE, "closing IKE_SA due CHILD_SA setup failure");
-		charon->scheduler->schedule_job_ms(charon->scheduler, (job_t*)
-			delete_ike_sa_job_create(this->ike_sa->get_id(this->ike_sa), TRUE),
-			100);
-	}
-}
-
-/**
- * Implementation of task_t.build for responder
- */
-static status_t build_r(private_child_create_t *this, message_t *message)
-{
-	peer_cfg_t *peer_cfg;
-	payload_t *payload;
-	enumerator_t *enumerator;
-	bool no_dh = TRUE;
-
-	switch (message->get_exchange_type(message))
-	{
-		case IKE_SA_INIT:
-			return get_nonce(message, &this->my_nonce);
-		case CREATE_CHILD_SA:
-			if (generate_nonce(&this->my_nonce) != SUCCESS)
-			{
-				message->add_notify(message, FALSE, NO_PROPOSAL_CHOSEN,
-									chunk_empty);
-				return SUCCESS;
-			}
-			no_dh = FALSE;
-			break;
-		case IKE_AUTH:
-			if (this->ike_sa->get_state(this->ike_sa) != IKE_ESTABLISHED)
-			{	/* wait until all authentication round completed */
-				return NEED_MORE;
-			}
-		default:
-			break;
-	}
-
-	if (this->ike_sa->get_state(this->ike_sa) == IKE_REKEYING)
-	{
-		DBG1(DBG_IKE, "unable to create CHILD_SA while rekeying IKE_SA");
-		message->add_notify(message, TRUE, NO_ADDITIONAL_SAS, chunk_empty);
-		return SUCCESS;
-	}
-
-	peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
-	if (peer_cfg && this->tsi && this->tsr)
-	{
-		host_t *me, *other;
-
-		me = this->ike_sa->get_virtual_ip(this->ike_sa, TRUE);
-		if (me == NULL)
-		{
-			me = this->ike_sa->get_my_host(this->ike_sa);
-		}
-		other = this->ike_sa->get_virtual_ip(this->ike_sa, FALSE);
-		if (other == NULL)
-		{
-			other = this->ike_sa->get_other_host(this->ike_sa);
-		}
-		this->config = peer_cfg->select_child_cfg(peer_cfg, this->tsr,
-												  this->tsi, me, other);
-	}
-
-	if (this->config == NULL)
-	{
-		DBG1(DBG_IKE, "traffic selectors %#R=== %#R inacceptable",
-			 this->tsr, this->tsi);
-		message->add_notify(message, FALSE, TS_UNACCEPTABLE, chunk_empty);
-		handle_child_sa_failure(this, message);
-		return SUCCESS;
-	}
-
-	/* check if ike_config_t included non-critical error notifies */
-	enumerator = message->create_payload_enumerator(message);
-	while (enumerator->enumerate(enumerator, &payload))
-	{
-		if (payload->get_type(payload) == NOTIFY)
-		{
-			notify_payload_t *notify = (notify_payload_t*)payload;
-
-			switch (notify->get_notify_type(notify))
-			{
-				case INTERNAL_ADDRESS_FAILURE:
-				case FAILED_CP_REQUIRED:
-				{
-					DBG1(DBG_IKE,"configuration payload negotation "
-						 "failed, no CHILD_SA built");
-					enumerator->destroy(enumerator);
-					handle_child_sa_failure(this, message);
-					return SUCCESS;
-				}
-				default:
-					break;
-			}
-		}
-	}
-	enumerator->destroy(enumerator);
-
-	this->child_sa = child_sa_create(this->ike_sa->get_my_host(this->ike_sa),
-			this->ike_sa->get_other_host(this->ike_sa), this->config, this->reqid,
-			this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY));
-
-	if (this->ipcomp_received != IPCOMP_NONE)
-	{
-		if (this->config->use_ipcomp(this->config))
-		{
-			add_ipcomp_notify(this, message, this->ipcomp_received);
-		}
-		else
-		{
-			DBG1(DBG_IKE, "received %N notify but IPComp is disabled, ignoring",
-				 notify_type_names, IPCOMP_SUPPORTED);
-		}
-	}
-
-	switch (select_and_install(this, no_dh))
-	{
-		case SUCCESS:
-			break;
-		case NOT_FOUND:
-			message->add_notify(message, FALSE, TS_UNACCEPTABLE, chunk_empty);
-			handle_child_sa_failure(this, message);
-			return SUCCESS;
-		case INVALID_ARG:
-		{
-			u_int16_t group = htons(this->dh_group);
-			message->add_notify(message, FALSE, INVALID_KE_PAYLOAD,
-								chunk_from_thing(group));
-			handle_child_sa_failure(this, message);
-			return SUCCESS;
-		}
-		case FAILED:
-		default:
-			message->add_notify(message, FALSE, NO_PROPOSAL_CHOSEN, chunk_empty);
-			handle_child_sa_failure(this, message);
-			return SUCCESS;
-	}
-
-	build_payloads(this, message);
-
-	DBG0(DBG_IKE, "CHILD_SA %s{%d} established "
-		 "with SPIs %.8x_i %.8x_o and TS %#R=== %#R",
-		 this->child_sa->get_name(this->child_sa),
-		 this->child_sa->get_reqid(this->child_sa),
-		 ntohl(this->child_sa->get_spi(this->child_sa, TRUE)),
-		 ntohl(this->child_sa->get_spi(this->child_sa, FALSE)),
-		 this->child_sa->get_traffic_selectors(this->child_sa, TRUE),
-		 this->child_sa->get_traffic_selectors(this->child_sa, FALSE));
-
-	if (!this->rekey)
-	{	/* invoke the child_up() hook if we are not rekeying */
-		charon->bus->child_updown(charon->bus, this->child_sa, TRUE);
-	}
-	return SUCCESS;
-}
-
-/**
- * Implementation of task_t.process for initiator
- */
-static status_t process_i(private_child_create_t *this, message_t *message)
-{
-	enumerator_t *enumerator;
-	payload_t *payload;
-	bool no_dh = TRUE;
-
-	switch (message->get_exchange_type(message))
-	{
-		case IKE_SA_INIT:
-			return get_nonce(message, &this->other_nonce);
-		case CREATE_CHILD_SA:
-			get_nonce(message, &this->other_nonce);
-			no_dh = FALSE;
-			break;
-		case IKE_AUTH:
-			if (this->ike_sa->get_state(this->ike_sa) != IKE_ESTABLISHED)
-			{	/* wait until all authentication round completed */
-				return NEED_MORE;
-			}
-		default:
-			break;
-	}
-
-	/* check for erronous notifies */
-	enumerator = message->create_payload_enumerator(message);
-	while (enumerator->enumerate(enumerator, &payload))
-	{
-		if (payload->get_type(payload) == NOTIFY)
-		{
-			notify_payload_t *notify = (notify_payload_t*)payload;
-			notify_type_t type = notify->get_notify_type(notify);
-
-			switch (type)
-			{
-				/* handle notify errors related to CHILD_SA only */
-				case NO_PROPOSAL_CHOSEN:
-				case SINGLE_PAIR_REQUIRED:
-				case NO_ADDITIONAL_SAS:
-				case INTERNAL_ADDRESS_FAILURE:
-				case FAILED_CP_REQUIRED:
-				case TS_UNACCEPTABLE:
-				case INVALID_SELECTORS:
-				{
-					DBG1(DBG_IKE, "received %N notify, no CHILD_SA built",
-						 notify_type_names, type);
-					enumerator->destroy(enumerator);
-					handle_child_sa_failure(this, message);
-					/* an error in CHILD_SA creation is not critical */
-					return SUCCESS;
-				}
-				case INVALID_KE_PAYLOAD:
-				{
-					chunk_t data;
-					u_int16_t group = MODP_NONE;
-
-					data = notify->get_notification_data(notify);
-					if (data.len == sizeof(group))
-					{
-						memcpy(&group, data.ptr, data.len);
-						group = ntohs(group);
-					}
-					DBG1(DBG_IKE, "peer didn't accept DH group %N, "
-						 "it requested %N", diffie_hellman_group_names,
-						 this->dh_group, diffie_hellman_group_names, group);
-					this->dh_group = group;
-					this->public.task.migrate(&this->public.task, this->ike_sa);
-					enumerator->destroy(enumerator);
-					return NEED_MORE;
-				}
-				default:
-					break;
-			}
-		}
-	}
-	enumerator->destroy(enumerator);
-
-	process_payloads(this, message);
-
-	if (this->ipcomp == IPCOMP_NONE && this->ipcomp_received != IPCOMP_NONE)
-	{
-		DBG1(DBG_IKE, "received an IPCOMP_SUPPORTED notify without requesting"
-			 " one, no CHILD_SA built");
-		handle_child_sa_failure(this, message);
-		return SUCCESS;
-	}
-	else if (this->ipcomp != IPCOMP_NONE && this->ipcomp_received == IPCOMP_NONE)
-	{
-		DBG1(DBG_IKE, "peer didn't accept our proposed IPComp transforms, "
-			 "IPComp is disabled");
-		this->ipcomp = IPCOMP_NONE;
-	}
-	else if (this->ipcomp != IPCOMP_NONE && this->ipcomp != this->ipcomp_received)
-	{
-		DBG1(DBG_IKE, "received an IPCOMP_SUPPORTED notify we didn't propose, "
-			 "no CHILD_SA built");
-		handle_child_sa_failure(this, message);
-		return SUCCESS;
-	}
-
-	if (select_and_install(this, no_dh) == SUCCESS)
-	{
-		DBG0(DBG_IKE, "CHILD_SA %s{%d} established "
-			 "with SPIs %.8x_i %.8x_o and TS %#R=== %#R",
-			 this->child_sa->get_name(this->child_sa),
-			 this->child_sa->get_reqid(this->child_sa),
-			 ntohl(this->child_sa->get_spi(this->child_sa, TRUE)),
-			 ntohl(this->child_sa->get_spi(this->child_sa, FALSE)),
-			 this->child_sa->get_traffic_selectors(this->child_sa, TRUE),
-			 this->child_sa->get_traffic_selectors(this->child_sa, FALSE));
-
-		if (!this->rekey)
-		{	/* invoke the child_up() hook if we are not rekeying */
-			charon->bus->child_updown(charon->bus, this->child_sa, TRUE);
-		}
-	}
-	else
-	{
-		handle_child_sa_failure(this, message);
-	}
-	return SUCCESS;
-}
-
-/**
- * Implementation of task_t.get_type
- */
-static task_type_t get_type(private_child_create_t *this)
-{
-	return CHILD_CREATE;
-}
-
-/**
- * Implementation of child_create_t.use_reqid
- */
-static void use_reqid(private_child_create_t *this, u_int32_t reqid)
-{
-	this->reqid = reqid;
-}
-
-/**
- * Implementation of child_create_t.get_child
- */
-static child_sa_t* get_child(private_child_create_t *this)
-{
-	return this->child_sa;
-}
-
-/**
- * Implementation of child_create_t.get_lower_nonce
- */
-static chunk_t get_lower_nonce(private_child_create_t *this)
-{
-	if (memcmp(this->my_nonce.ptr, this->other_nonce.ptr,
-			   min(this->my_nonce.len, this->other_nonce.len)) < 0)
-	{
-		return this->my_nonce;
-	}
-	else
-	{
-		return this->other_nonce;
-	}
-}
-
-/**
- * Implementation of task_t.migrate
- */
-static void migrate(private_child_create_t *this, ike_sa_t *ike_sa)
-{
-	chunk_free(&this->my_nonce);
-	chunk_free(&this->other_nonce);
-	if (this->tsi)
-	{
-		this->tsr->destroy_offset(this->tsr, offsetof(traffic_selector_t, destroy));
-	}
-	if (this->tsr)
-	{
-		this->tsi->destroy_offset(this->tsi, offsetof(traffic_selector_t, destroy));
-	}
-	DESTROY_IF(this->child_sa);
-	DESTROY_IF(this->proposal);
-	DESTROY_IF(this->dh);
-	if (this->proposals)
-	{
-		this->proposals->destroy_offset(this->proposals, offsetof(proposal_t, destroy));
-	}
-
-	this->ike_sa = ike_sa;
-	this->keymat = ike_sa->get_keymat(ike_sa);
-	this->proposal = NULL;
-	this->proposals = NULL;
-	this->tsi = NULL;
-	this->tsr = NULL;
-	this->dh = NULL;
-	this->child_sa = NULL;
-	this->mode = MODE_TUNNEL;
-	this->ipcomp = IPCOMP_NONE;
-	this->ipcomp_received = IPCOMP_NONE;
-	this->other_cpi = 0;
-	this->reqid = 0;
-	this->established = FALSE;
-}
-
-/**
- * Implementation of task_t.destroy
- */
-static void destroy(private_child_create_t *this)
-{
-	chunk_free(&this->my_nonce);
-	chunk_free(&this->other_nonce);
-	if (this->tsr)
-	{
-		this->tsr->destroy_offset(this->tsr, offsetof(traffic_selector_t, destroy));
-	}
-	if (this->tsi)
-	{
-		this->tsi->destroy_offset(this->tsi, offsetof(traffic_selector_t, destroy));
-	}
-	if (!this->established)
-	{
-		DESTROY_IF(this->child_sa);
-	}
-	DESTROY_IF(this->packet_tsi);
-	DESTROY_IF(this->packet_tsr);
-	DESTROY_IF(this->proposal);
-	DESTROY_IF(this->dh);
-	if (this->proposals)
-	{
-		this->proposals->destroy_offset(this->proposals, offsetof(proposal_t, destroy));
-	}
-
-	DESTROY_IF(this->config);
-	free(this);
-}
-
-/*
- * Described in header.
- */
-child_create_t *child_create_create(ike_sa_t *ike_sa,
-							child_cfg_t *config, bool rekey,
-							traffic_selector_t *tsi, traffic_selector_t *tsr)
-{
-	private_child_create_t *this = malloc_thing(private_child_create_t);
-
-	this->public.get_child = (child_sa_t*(*)(child_create_t*))get_child;
-	this->public.get_lower_nonce = (chunk_t(*)(child_create_t*))get_lower_nonce;
-	this->public.use_reqid = (void(*)(child_create_t*,u_int32_t))use_reqid;
-	this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
-	this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
-	this->public.task.destroy = (void(*)(task_t*))destroy;
-	if (config)
-	{
-		this->public.task.build = (status_t(*)(task_t*,message_t*))build_i;
-		this->public.task.process = (status_t(*)(task_t*,message_t*))process_i;
-		this->initiator = TRUE;
-		config->get_ref(config);
-	}
-	else
-	{
-		this->public.task.build = (status_t(*)(task_t*,message_t*))build_r;
-		this->public.task.process = (status_t(*)(task_t*,message_t*))process_r;
-		this->initiator = FALSE;
-	}
-
-	this->ike_sa = ike_sa;
-	this->config = config;
-	this->my_nonce = chunk_empty;
-	this->other_nonce = chunk_empty;
-	this->proposals = NULL;
-	this->proposal = NULL;
-	this->tsi = NULL;
-	this->tsr = NULL;
-	this->packet_tsi = tsi ? tsi->clone(tsi) : NULL;
-	this->packet_tsr = tsr ? tsr->clone(tsr) : NULL;
-	this->dh = NULL;
-	this->dh_group = MODP_NONE;
-	this->keymat = ike_sa->get_keymat(ike_sa);
-	this->child_sa = NULL;
-	this->mode = MODE_TUNNEL;
-	this->ipcomp = IPCOMP_NONE;
-	this->ipcomp_received = IPCOMP_NONE;
-	this->my_spi = 0;
-	this->other_spi = 0;
-	this->my_cpi = 0;
-	this->other_cpi = 0;
-	this->reqid = 0;
-	this->established = FALSE;
-	this->rekey = rekey;
-
-	return &this->public;
-}
diff --git a/src/charon/sa/tasks/child_create.h b/src/charon/sa/tasks/child_create.h
deleted file mode 100644
index 5dedeb8b1..000000000
--- a/src/charon/sa/tasks/child_create.h
+++ /dev/null
@@ -1,83 +0,0 @@
-/*
- * Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup child_create child_create
- * @{ @ingroup tasks
- */
-
-#ifndef CHILD_CREATE_H_
-#define CHILD_CREATE_H_
-
-typedef struct child_create_t child_create_t;
-
-#include <library.h>
-#include <sa/ike_sa.h>
-#include <sa/tasks/task.h>
-#include <config/child_cfg.h>
-
-/**
- * Task of type CHILD_CREATE, established a new CHILD_SA.
- *
- * This task may be included in the IKE_AUTH message or in a separate
- * CREATE_CHILD_SA exchange.
- */
-struct child_create_t {
-
-	/**
-	 * Implements the task_t interface
-	 */
-	task_t task;
-
-	/**
-	 * Use a specific reqid for the CHILD_SA.
-	 *
-	 * When this task is used for rekeying, the same reqid is used
-	 * for the new CHILD_SA.
-	 *
-	 * @param reqid		reqid to use
-	 */
-	void (*use_reqid) (child_create_t *this, u_int32_t reqid);
-
-	/**
-	 * Get the lower of the two nonces, used for rekey collisions.
-	 *
-	 * @return			lower nonce
-	 */
-	chunk_t (*get_lower_nonce) (child_create_t *this);
-
-	/**
-	 * Get the CHILD_SA established/establishing by this task.
-	 *
-	 * @return			child_sa
-	 */
-	child_sa_t* (*get_child) (child_create_t *this);
-};
-
-/**
- * Create a new child_create task.
- *
- * @param ike_sa		IKE_SA this task works for
- * @param config		child_cfg if task initiator, NULL if responder
- * @param rekey			whether we do a rekey or not
- * @param tsi			source of triggering packet, or NULL
- * @param tsr			destination of triggering packet, or NULL
- * @return				child_create task to handle by the task_manager
- */
-child_create_t *child_create_create(ike_sa_t *ike_sa,
-							child_cfg_t *config, bool rekey,
-							traffic_selector_t *tsi, traffic_selector_t *tsr);
-
-#endif /** CHILD_CREATE_H_ @}*/
diff --git a/src/charon/sa/tasks/child_delete.c b/src/charon/sa/tasks/child_delete.c
deleted file mode 100644
index d7c6b0541..000000000
--- a/src/charon/sa/tasks/child_delete.c
+++ /dev/null
@@ -1,402 +0,0 @@
-/*
- * Copyright (C) 2006-2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "child_delete.h"
-
-#include <daemon.h>
-#include <encoding/payloads/delete_payload.h>
-
-
-typedef struct private_child_delete_t private_child_delete_t;
-
-/**
- * Private members of a child_delete_t task.
- */
-struct private_child_delete_t {
-
-	/**
-	 * Public methods and task_t interface.
-	 */
-	child_delete_t public;
-
-	/**
-	 * Assigned IKE_SA.
-	 */
-	ike_sa_t *ike_sa;
-
-	/**
-	 * Are we the initiator?
-	 */
-	bool initiator;
-
-	/**
-	 * Protocol of CHILD_SA to delete
-	 */
-	protocol_id_t protocol;
-
-	/**
-	 * Inbound SPI of CHILD_SA to delete
-	 */
-	u_int32_t spi;
-
-	/**
-	 * whether to enforce delete action policy
-	 */
-	bool check_delete_action;
-
-	/**
-	 * is this delete exchange following a rekey?
-	 */
-	bool rekeyed;
-
-	/**
-	 * CHILD_SAs which get deleted
-	 */
-	linked_list_t *child_sas;
-};
-
-/**
- * build the delete payloads from the listed child_sas
- */
-static void build_payloads(private_child_delete_t *this, message_t *message)
-{
-	delete_payload_t *ah = NULL, *esp = NULL;
-	iterator_t *iterator;
-	child_sa_t *child_sa;
-
-	iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
-	while (iterator->iterate(iterator, (void**)&child_sa))
-	{
-		protocol_id_t protocol = child_sa->get_protocol(child_sa);
-		u_int32_t spi = child_sa->get_spi(child_sa, TRUE);
-
-		switch (protocol)
-		{
-			case PROTO_ESP:
-				if (esp == NULL)
-				{
-					esp = delete_payload_create(PROTO_ESP);
-					message->add_payload(message, (payload_t*)esp);
-				}
-				esp->add_spi(esp, spi);
-				DBG1(DBG_IKE, "sending DELETE for %N CHILD_SA with SPI %.8x",
-							   protocol_id_names, protocol, ntohl(spi));
-				break;
-			case PROTO_AH:
-				if (ah == NULL)
-				{
-					ah = delete_payload_create(PROTO_AH);
-					message->add_payload(message, (payload_t*)ah);
-				}
-				ah->add_spi(ah, spi);
-				DBG1(DBG_IKE, "sending DELETE for %N CHILD_SA with SPI %.8x",
-							   protocol_id_names, protocol, ntohl(spi));
-				break;
-			default:
-				break;
-		}
-		child_sa->set_state(child_sa, CHILD_DELETING);
-	}
-	iterator->destroy(iterator);
-}
-
-/**
- * read in payloads and find the children to delete
- */
-static void process_payloads(private_child_delete_t *this, message_t *message)
-{
-	enumerator_t *payloads;
-	iterator_t *spis;
-	payload_t *payload;
-	delete_payload_t *delete_payload;
-	u_int32_t *spi;
-	protocol_id_t protocol;
-	child_sa_t *child_sa;
-
-	payloads = message->create_payload_enumerator(message);
-	while (payloads->enumerate(payloads, &payload))
-	{
-		if (payload->get_type(payload) == DELETE)
-		{
-			delete_payload = (delete_payload_t*)payload;
-			protocol = delete_payload->get_protocol_id(delete_payload);
-			if (protocol != PROTO_ESP && protocol != PROTO_AH)
-			{
-				continue;
-			}
-			spis = delete_payload->create_spi_iterator(delete_payload);
-			while (spis->iterate(spis, (void**)&spi))
-			{
-				child_sa = this->ike_sa->get_child_sa(this->ike_sa, protocol,
-													  *spi, FALSE);
-				if (child_sa == NULL)
-				{
-					DBG1(DBG_IKE, "received DELETE for %N CHILD_SA with SPI %.8x, "
-						 "but no such SA", protocol_id_names, protocol, ntohl(*spi));
-					continue;
-				}
-				DBG1(DBG_IKE, "received DELETE for %N CHILD_SA with SPI %.8x",
-						protocol_id_names, protocol, ntohl(*spi));
-
-				switch (child_sa->get_state(child_sa))
-				{
-					case CHILD_REKEYING:
-						this->rekeyed = TRUE;
-						/* we reply as usual, rekeying will fail */
-						break;
-					case CHILD_DELETING:
-						/* we don't send back a delete if we initiated ourself */
-						if (!this->initiator)
-						{
-							this->ike_sa->destroy_child_sa(this->ike_sa,
-														   protocol, *spi);
-							continue;
-						}
-					case CHILD_INSTALLED:
-						if (!this->initiator)
-						{	/* reestablish installed children if required */
-							this->check_delete_action = TRUE;
-						}
-					default:
-						break;
-				}
-
-				this->child_sas->insert_last(this->child_sas, child_sa);
-			}
-			spis->destroy(spis);
-		}
-	}
-	payloads->destroy(payloads);
-}
-
-/**
- * destroy the children listed in this->child_sas, reestablish by policy
- */
-static status_t destroy_and_reestablish(private_child_delete_t *this)
-{
-	iterator_t *iterator;
-	child_sa_t *child_sa;
-	child_cfg_t *child_cfg;
-	protocol_id_t protocol;
-	u_int32_t spi;
-	status_t status = SUCCESS;
-
-	iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
-	while (iterator->iterate(iterator, (void**)&child_sa))
-	{
-		/* signal child down event if we are not rekeying */
-		if (!this->rekeyed)
-		{
-			charon->bus->child_updown(charon->bus, child_sa, FALSE);
-		}
-		spi = child_sa->get_spi(child_sa, TRUE);
-		protocol = child_sa->get_protocol(child_sa);
-		child_cfg = child_sa->get_config(child_sa);
-		child_cfg->get_ref(child_cfg);
-		this->ike_sa->destroy_child_sa(this->ike_sa, protocol, spi);
-		if (this->check_delete_action)
-		{	/* enforce child_cfg policy if deleted passively */
-			switch (child_cfg->get_close_action(child_cfg))
-			{
-				case ACTION_RESTART:
-					child_cfg->get_ref(child_cfg);
-					status = this->ike_sa->initiate(this->ike_sa, child_cfg, 0,
-													NULL, NULL);
-					break;
-				case ACTION_ROUTE:
-					charon->traps->install(charon->traps,
-							this->ike_sa->get_peer_cfg(this->ike_sa), child_cfg);
-					break;
-				default:
-					break;
-			}
-		}
-		child_cfg->destroy(child_cfg);
-		if (status != SUCCESS)
-		{
-			break;
-		}
-	}
-	iterator->destroy(iterator);
-	return status;
-}
-
-/**
- * send closing signals for all CHILD_SAs over the bus
- */
-static void log_children(private_child_delete_t *this)
-{
-	iterator_t *iterator;
-	child_sa_t *child_sa;
-	u_int64_t bytes_in, bytes_out;
-
-	iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
-	while (iterator->iterate(iterator, (void**)&child_sa))
-	{
-		child_sa->get_usestats(child_sa, TRUE, NULL, &bytes_in);
-		child_sa->get_usestats(child_sa, FALSE, NULL, &bytes_out);
-
-		DBG0(DBG_IKE, "closing CHILD_SA %s{%d} "
-			 "with SPIs %.8x_i (%llu bytes) %.8x_o (%llu bytes) and TS %#R=== %#R",
-			 child_sa->get_name(child_sa), child_sa->get_reqid(child_sa),
-			 ntohl(child_sa->get_spi(child_sa, TRUE)), bytes_in,
-			 ntohl(child_sa->get_spi(child_sa, FALSE)), bytes_out,
-			 child_sa->get_traffic_selectors(child_sa, TRUE),
-			 child_sa->get_traffic_selectors(child_sa, FALSE));
-	}
-	iterator->destroy(iterator);
-}
-
-/**
- * Implementation of task_t.build for initiator
- */
-static status_t build_i(private_child_delete_t *this, message_t *message)
-{
-	child_sa_t *child_sa;
-
-	child_sa = this->ike_sa->get_child_sa(this->ike_sa, this->protocol,
-										  this->spi, TRUE);
-	if (!child_sa)
-	{	/* check if it is an outbound sa */
-		child_sa = this->ike_sa->get_child_sa(this->ike_sa, this->protocol,
-											  this->spi, FALSE);
-		if (!child_sa)
-		{	/* child does not exist anymore */
-			return SUCCESS;
-		}
-		/* we work only with the inbound SPI */
-		this->spi = child_sa->get_spi(child_sa, TRUE);
-	}
-	this->child_sas->insert_last(this->child_sas, child_sa);
-	if (child_sa->get_state(child_sa) == CHILD_REKEYING)
-	{
-		this->rekeyed = TRUE;
-	}
-	log_children(this);
-	build_payloads(this, message);
-	return NEED_MORE;
-}
-
-/**
- * Implementation of task_t.process for initiator
- */
-static status_t process_i(private_child_delete_t *this, message_t *message)
-{
-	/* flush the list before adding new SAs */
-	this->child_sas->destroy(this->child_sas);
-	this->child_sas = linked_list_create();
-
-	process_payloads(this, message);
-	DBG1(DBG_IKE, "CHILD_SA closed");
-	return destroy_and_reestablish(this);
-}
-
-/**
- * Implementation of task_t.process for initiator
- */
-static status_t process_r(private_child_delete_t *this, message_t *message)
-{
-	process_payloads(this, message);
-	log_children(this);
-	return NEED_MORE;
-}
-
-/**
- * Implementation of task_t.build for responder
- */
-static status_t build_r(private_child_delete_t *this, message_t *message)
-{
-	/* if we are rekeying, we send an empty informational */
-	if (this->ike_sa->get_state(this->ike_sa) != IKE_REKEYING)
-	{
-		build_payloads(this, message);
-	}
-	DBG1(DBG_IKE, "CHILD_SA closed");
-	return destroy_and_reestablish(this);
-}
-
-/**
- * Implementation of task_t.get_type
- */
-static task_type_t get_type(private_child_delete_t *this)
-{
-	return CHILD_DELETE;
-}
-
-/**
- * Implementation of child_delete_t.get_child
- */
-static child_sa_t* get_child(private_child_delete_t *this)
-{
-	child_sa_t *child_sa = NULL;
-	this->child_sas->get_first(this->child_sas, (void**)&child_sa);
-	return child_sa;
-}
-
-/**
- * Implementation of task_t.migrate
- */
-static void migrate(private_child_delete_t *this, ike_sa_t *ike_sa)
-{
-	this->check_delete_action = FALSE;
-	this->ike_sa = ike_sa;
-
-	this->child_sas->destroy(this->child_sas);
-	this->child_sas = linked_list_create();
-}
-
-/**
- * Implementation of task_t.destroy
- */
-static void destroy(private_child_delete_t *this)
-{
-	this->child_sas->destroy(this->child_sas);
-	free(this);
-}
-
-/*
- * Described in header.
- */
-child_delete_t *child_delete_create(ike_sa_t *ike_sa, protocol_id_t protocol,
-									u_int32_t spi)
-{
-	private_child_delete_t *this = malloc_thing(private_child_delete_t);
-
-	this->public.get_child = (child_sa_t*(*)(child_delete_t*))get_child;
-	this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
-	this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
-	this->public.task.destroy = (void(*)(task_t*))destroy;
-
-	this->ike_sa = ike_sa;
-	this->check_delete_action = FALSE;
-	this->child_sas = linked_list_create();
-	this->protocol = protocol;
-	this->spi = spi;
-	this->rekeyed = FALSE;
-
-	if (protocol != PROTO_NONE)
-	{
-		this->public.task.build = (status_t(*)(task_t*,message_t*))build_i;
-		this->public.task.process = (status_t(*)(task_t*,message_t*))process_i;
-		this->initiator = TRUE;
-	}
-	else
-	{
-		this->public.task.build = (status_t(*)(task_t*,message_t*))build_r;
-		this->public.task.process = (status_t(*)(task_t*,message_t*))process_r;
-		this->initiator = FALSE;
-	}
-	return &this->public;
-}
diff --git a/src/charon/sa/tasks/child_delete.h b/src/charon/sa/tasks/child_delete.h
deleted file mode 100644
index 365807c68..000000000
--- a/src/charon/sa/tasks/child_delete.h
+++ /dev/null
@@ -1,60 +0,0 @@
-/*
- * Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup child_delete child_delete
- * @{ @ingroup tasks
- */
-
-#ifndef CHILD_DELETE_H_
-#define CHILD_DELETE_H_
-
-typedef struct child_delete_t child_delete_t;
-
-#include <library.h>
-#include <sa/ike_sa.h>
-#include <sa/tasks/task.h>
-#include <sa/child_sa.h>
-
-/**
- * Task of type child_delete, delete a CHILD_SA.
- */
-struct child_delete_t {
-
-	/**
-	 * Implements the task_t interface
-	 */
-	task_t task;
-
-	/**
-	 * Get the CHILD_SA to delete by this task.
-	 *
-	 * @return			child_sa
-	 */
-	child_sa_t* (*get_child) (child_delete_t *this);
-};
-
-/**
- * Create a new child_delete task.
- *
- * @param ike_sa		IKE_SA this task works for
- * @param protocol		protocol of CHILD_SA to delete, PROTO_NONE as responder
- * @param spi			inbound SPI of CHILD_SA to delete
- * @return				child_delete task to handle by the task_manager
- */
-child_delete_t *child_delete_create(ike_sa_t *ike_sa, protocol_id_t protocol,
-									u_int32_t spi);
-
-#endif /** CHILD_DELETE_H_ @}*/
diff --git a/src/charon/sa/tasks/child_rekey.c b/src/charon/sa/tasks/child_rekey.c
deleted file mode 100644
index b5e4e84b4..000000000
--- a/src/charon/sa/tasks/child_rekey.c
+++ /dev/null
@@ -1,430 +0,0 @@
-/*
- * Copyright (C) 2005-2007 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "child_rekey.h"
-
-#include <daemon.h>
-#include <encoding/payloads/notify_payload.h>
-#include <sa/tasks/child_create.h>
-#include <sa/tasks/child_delete.h>
-#include <processing/jobs/rekey_child_sa_job.h>
-#include <processing/jobs/rekey_ike_sa_job.h>
-
-
-typedef struct private_child_rekey_t private_child_rekey_t;
-
-/**
- * Private members of a child_rekey_t task.
- */
-struct private_child_rekey_t {
-
-	/**
-	 * Public methods and task_t interface.
-	 */
-	child_rekey_t public;
-
-	/**
-	 * Assigned IKE_SA.
-	 */
-	ike_sa_t *ike_sa;
-
-	/**
-	 * Are we the initiator?
-	 */
-	bool initiator;
-
-	/**
-	 * Protocol of CHILD_SA to rekey
-	 */
-	protocol_id_t protocol;
-
-	/**
-	 * Inbound SPI of CHILD_SA to rekey
-	 */
-	u_int32_t spi;
-
-	/**
-	 * the CHILD_CREATE task which is reused to simplify rekeying
-	 */
-	child_create_t *child_create;
-
-	/**
-	 * the CHILD_DELETE task to delete rekeyed CHILD_SA
-	 */
-	child_delete_t *child_delete;
-
-	/**
-	 * CHILD_SA which gets rekeyed
-	 */
-	child_sa_t *child_sa;
-
-	/**
-	 * colliding task, may be delete or rekey
-	 */
-	task_t *collision;
-};
-
-/**
- * Implementation of task_t.build for initiator, after rekeying
- */
-static status_t build_i_delete(private_child_rekey_t *this, message_t *message)
-{
-	/* update exchange type to INFORMATIONAL for the delete */
-	message->set_exchange_type(message, INFORMATIONAL);
-
-	return this->child_delete->task.build(&this->child_delete->task, message);
-}
-
-/**
- * Implementation of task_t.process for initiator, after rekeying
- */
-static status_t process_i_delete(private_child_rekey_t *this, message_t *message)
-{
-	return this->child_delete->task.process(&this->child_delete->task, message);
-}
-
-/**
- * find a child using the REKEY_SA notify
- */
-static void find_child(private_child_rekey_t *this, message_t *message)
-{
-	notify_payload_t *notify;
-	protocol_id_t protocol;
-	u_int32_t spi;
-
-	notify = message->get_notify(message, REKEY_SA);
-	if (notify)
-	{
-		protocol = notify->get_protocol_id(notify);
-		spi = notify->get_spi(notify);
-
-		if (protocol == PROTO_ESP || protocol == PROTO_AH)
-		{
-			this->child_sa = this->ike_sa->get_child_sa(this->ike_sa, protocol,
-														spi, FALSE);
-		}
-	}
-}
-
-/**
- * Implementation of task_t.build for initiator
- */
-static status_t build_i(private_child_rekey_t *this, message_t *message)
-{
-	notify_payload_t *notify;
-	u_int32_t reqid;
-	child_cfg_t *config;
-
-	this->child_sa = this->ike_sa->get_child_sa(this->ike_sa, this->protocol,
-												this->spi, TRUE);
-	if (!this->child_sa)
-	{	/* check if it is an outbound CHILD_SA */
-		this->child_sa = this->ike_sa->get_child_sa(this->ike_sa, this->protocol,
-													this->spi, FALSE);
-		if (!this->child_sa)
-		{	/* CHILD_SA is gone, unable to rekey. As an empty CREATE_CHILD_SA
-			 * exchange is invalid, we fall back to an INFORMATIONAL exchange.*/
-			message->set_exchange_type(message, INFORMATIONAL);
-			return SUCCESS;
-		}
-		/* we work only with the inbound SPI */
-		this->spi = this->child_sa->get_spi(this->child_sa, TRUE);
-	}
-	config = this->child_sa->get_config(this->child_sa);
-
-	/* we just need the rekey notify ... */
-	notify = notify_payload_create_from_protocol_and_type(this->protocol,
-														  REKEY_SA);
-	notify->set_spi(notify, this->spi);
-	message->add_payload(message, (payload_t*)notify);
-
-	/* ... our CHILD_CREATE task does the hard work for us. */
-	if (!this->child_create)
-	{
-		this->child_create = child_create_create(this->ike_sa, config, TRUE,
-												 NULL, NULL);
-	}
-	reqid = this->child_sa->get_reqid(this->child_sa);
-	this->child_create->use_reqid(this->child_create, reqid);
-	this->child_create->task.build(&this->child_create->task, message);
-
-	this->child_sa->set_state(this->child_sa, CHILD_REKEYING);
-
-	return NEED_MORE;
-}
-
-/**
- * Implementation of task_t.process for initiator
- */
-static status_t process_r(private_child_rekey_t *this, message_t *message)
-{
-	/* let the CHILD_CREATE task process the message */
-	this->child_create->task.process(&this->child_create->task, message);
-
-	find_child(this, message);
-
-	return NEED_MORE;
-}
-
-/**
- * Implementation of task_t.build for responder
- */
-static status_t build_r(private_child_rekey_t *this, message_t *message)
-{
-	u_int32_t reqid;
-
-	if (this->child_sa == NULL ||
-		this->child_sa->get_state(this->child_sa) == CHILD_DELETING)
-	{
-		DBG1(DBG_IKE, "unable to rekey, CHILD_SA not found");
-		message->add_notify(message, TRUE, NO_PROPOSAL_CHOSEN, chunk_empty);
-		return SUCCESS;
-	}
-
-	/* let the CHILD_CREATE task build the response */
-	reqid = this->child_sa->get_reqid(this->child_sa);
-	this->child_create->use_reqid(this->child_create, reqid);
-	this->child_create->task.build(&this->child_create->task, message);
-
-	if (message->get_payload(message, SECURITY_ASSOCIATION) == NULL)
-	{
-		/* rekeying failed, reuse old child */
-		this->child_sa->set_state(this->child_sa, CHILD_INSTALLED);
-		return SUCCESS;
-	}
-
-	this->child_sa->set_state(this->child_sa, CHILD_REKEYING);
-
-	/* invoke rekey hook */
-	charon->bus->child_rekey(charon->bus, this->child_sa,
-							 this->child_create->get_child(this->child_create));
-	return SUCCESS;
-}
-
-/**
- * Implementation of task_t.process for initiator
- */
-static status_t process_i(private_child_rekey_t *this, message_t *message)
-{
-	protocol_id_t protocol;
-	u_int32_t spi;
-	child_sa_t *to_delete;
-
-	if (message->get_notify(message, NO_ADDITIONAL_SAS))
-	{
-		DBG1(DBG_IKE, "peer seems to not support CHILD_SA rekeying, "
-			 "starting reauthentication");
-		this->child_sa->set_state(this->child_sa, CHILD_INSTALLED);
-		charon->processor->queue_job(charon->processor,
-				(job_t*)rekey_ike_sa_job_create(
-							this->ike_sa->get_id(this->ike_sa), TRUE));
-		return SUCCESS;
-	}
-
-	if (this->child_create->task.process(&this->child_create->task,
-										 message) == NEED_MORE)
-	{
-		/* bad DH group while rekeying, try again */
-		this->child_create->task.migrate(&this->child_create->task, this->ike_sa);
-		return NEED_MORE;
-	}
-	if (message->get_payload(message, SECURITY_ASSOCIATION) == NULL)
-	{
-		/* establishing new child failed, reuse old. but not when we
-		 * recieved a delete in the meantime */
-		if (!(this->collision &&
-			  this->collision->get_type(this->collision) == CHILD_DELETE))
-		{
-			job_t *job;
-			u_int32_t retry = RETRY_INTERVAL - (random() % RETRY_JITTER);
-
-			job = (job_t*)rekey_child_sa_job_create(
-								this->child_sa->get_reqid(this->child_sa),
-								this->child_sa->get_protocol(this->child_sa),
-								this->child_sa->get_spi(this->child_sa, TRUE));
-			DBG1(DBG_IKE, "CHILD_SA rekeying failed, "
-								"trying again in %d seconds", retry);
-			this->child_sa->set_state(this->child_sa, CHILD_INSTALLED);
-			charon->scheduler->schedule_job(charon->scheduler, job, retry);
-		}
-		return SUCCESS;
-	}
-
-	to_delete = this->child_sa;
-
-	/* check for rekey collisions */
-	if (this->collision &&
-		this->collision->get_type(this->collision) == CHILD_REKEY)
-	{
-		chunk_t this_nonce, other_nonce;
-		private_child_rekey_t *other = (private_child_rekey_t*)this->collision;
-
-		this_nonce = this->child_create->get_lower_nonce(this->child_create);
-		other_nonce = other->child_create->get_lower_nonce(other->child_create);
-
-		/* if we have the lower nonce, delete rekeyed SA. If not, delete
-		 * the redundant. */
-		if (memcmp(this_nonce.ptr, other_nonce.ptr,
-				   min(this_nonce.len, other_nonce.len)) < 0)
-		{
-			DBG1(DBG_IKE, "CHILD_SA rekey collision won, deleting rekeyed child");
-		}
-		else
-		{
-			DBG1(DBG_IKE, "CHILD_SA rekey collision lost, deleting redundant child");
-			to_delete = this->child_create->get_child(this->child_create);
-			if (to_delete == NULL)
-			{
-				/* ooops, should not happen, fallback */
-				to_delete = this->child_sa;
-			}
-		}
-	}
-
-	if (to_delete != this->child_create->get_child(this->child_create))
-	{	/* invoke rekey hook if rekeying successful */
-		charon->bus->child_rekey(charon->bus, this->child_sa,
-							this->child_create->get_child(this->child_create));
-	}
-
-	spi = to_delete->get_spi(to_delete, TRUE);
-	protocol = to_delete->get_protocol(to_delete);
-
-	/* rekeying done, delete the obsolete CHILD_SA using a subtask */
-	this->child_delete = child_delete_create(this->ike_sa, protocol, spi);
-	this->public.task.build = (status_t(*)(task_t*,message_t*))build_i_delete;
-	this->public.task.process = (status_t(*)(task_t*,message_t*))process_i_delete;
-
-	return NEED_MORE;
-}
-
-/**
- * Implementation of task_t.get_type
- */
-static task_type_t get_type(private_child_rekey_t *this)
-{
-	return CHILD_REKEY;
-}
-
-/**
- * Implementation of child_rekey_t.collide
- */
-static void collide(private_child_rekey_t *this, task_t *other)
-{
-	/* the task manager only detects exchange collision, but not if
-	 * the collision is for the same child. we check it here. */
-	if (other->get_type(other) == CHILD_REKEY)
-	{
-		private_child_rekey_t *rekey = (private_child_rekey_t*)other;
-		if (rekey == NULL || rekey->child_sa != this->child_sa)
-		{
-			/* not the same child => no collision */
-			other->destroy(other);
-			return;
-		}
-	}
-	else if (other->get_type(other) == CHILD_DELETE)
-	{
-		child_delete_t *del = (child_delete_t*)other;
-		if (del == NULL || del->get_child(del) != this->child_sa)
-		{
-			/* not the same child => no collision */
-			other->destroy(other);
-			return;
-		}
-	}
-	else
-	{
-		/* any other task is not critical for collisisions, ignore */
-		other->destroy(other);
-		return;
-	}
-	DESTROY_IF(this->collision);
-	this->collision = other;
-}
-
-/**
- * Implementation of task_t.migrate
- */
-static void migrate(private_child_rekey_t *this, ike_sa_t *ike_sa)
-{
-	if (this->child_create)
-	{
-		this->child_create->task.migrate(&this->child_create->task, ike_sa);
-	}
-	if (this->child_delete)
-	{
-		this->child_delete->task.migrate(&this->child_delete->task, ike_sa);
-	}
-	DESTROY_IF(this->collision);
-
-	this->ike_sa = ike_sa;
-	this->collision = NULL;
-}
-
-/**
- * Implementation of task_t.destroy
- */
-static void destroy(private_child_rekey_t *this)
-{
-	if (this->child_create)
-	{
-		this->child_create->task.destroy(&this->child_create->task);
-	}
-	if (this->child_delete)
-	{
-		this->child_delete->task.destroy(&this->child_delete->task);
-	}
-	DESTROY_IF(this->collision);
-	free(this);
-}
-
-/*
- * Described in header.
- */
-child_rekey_t *child_rekey_create(ike_sa_t *ike_sa, protocol_id_t protocol,
-								  u_int32_t spi)
-{
-	private_child_rekey_t *this = malloc_thing(private_child_rekey_t);
-
-	this->public.collide = (void (*)(child_rekey_t*,task_t*))collide;
-	this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
-	this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
-	this->public.task.destroy = (void(*)(task_t*))destroy;
-	if (protocol != PROTO_NONE)
-	{
-		this->public.task.build = (status_t(*)(task_t*,message_t*))build_i;
-		this->public.task.process = (status_t(*)(task_t*,message_t*))process_i;
-		this->initiator = TRUE;
-		this->child_create = NULL;
-	}
-	else
-	{
-		this->public.task.build = (status_t(*)(task_t*,message_t*))build_r;
-		this->public.task.process = (status_t(*)(task_t*,message_t*))process_r;
-		this->initiator = FALSE;
-		this->child_create = child_create_create(ike_sa, NULL, TRUE, NULL, NULL);
-	}
-
-	this->ike_sa = ike_sa;
-	this->child_sa = NULL;
-	this->protocol = protocol;
-	this->spi = spi;
-	this->collision = NULL;
-	this->child_delete = NULL;
-
-	return &this->public;
-}
diff --git a/src/charon/sa/tasks/child_rekey.h b/src/charon/sa/tasks/child_rekey.h
deleted file mode 100644
index 9b1aea5fa..000000000
--- a/src/charon/sa/tasks/child_rekey.h
+++ /dev/null
@@ -1,64 +0,0 @@
-/*
- * Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup child_rekey child_rekey
- * @{ @ingroup tasks
- */
-
-#ifndef CHILD_REKEY_H_
-#define CHILD_REKEY_H_
-
-typedef struct child_rekey_t child_rekey_t;
-
-#include <library.h>
-#include <sa/ike_sa.h>
-#include <sa/child_sa.h>
-#include <sa/tasks/task.h>
-
-/**
- * Task of type CHILD_REKEY, rekey an established CHILD_SA.
- */
-struct child_rekey_t {
-
-	/**
-	 * Implements the task_t interface
-	 */
-	task_t task;
-
-	/**
-	 * Register a rekeying task which collides with this one
-	 *
-	 * If two peers initiate rekeying at the same time, the collision must
-	 * be handled gracefully. The task manager is aware of what exchanges
-	 * are going on and notifies the outgoing task by passing the incoming.
-	 *
-	 * @param other		incoming task
-	 */
-	void (*collide)(child_rekey_t* this, task_t *other);
-};
-
-/**
- * Create a new CHILD_REKEY task.
- *
- * @param ike_sa		IKE_SA this task works for
- * @param protocol		protocol of CHILD_SA to rekey, PROTO_NONE as responder
- * @param spi			inbound SPI of CHILD_SA to rekey
- * @return				child_rekey task to handle by the task_manager
- */
-child_rekey_t *child_rekey_create(ike_sa_t *ike_sa, protocol_id_t protocol,
-								  u_int32_t spi);
-
-#endif /** CHILD_REKEY_H_ @}*/
diff --git a/src/charon/sa/tasks/ike_auth.c b/src/charon/sa/tasks/ike_auth.c
deleted file mode 100644
index a07f96767..000000000
--- a/src/charon/sa/tasks/ike_auth.c
+++ /dev/null
@@ -1,1041 +0,0 @@
-/*
- * Copyright (C) 2005-2009 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details
- */
-
-#include "ike_auth.h"
-
-#include <string.h>
-
-#include <daemon.h>
-#include <encoding/payloads/id_payload.h>
-#include <encoding/payloads/auth_payload.h>
-#include <encoding/payloads/eap_payload.h>
-#include <encoding/payloads/nonce_payload.h>
-#include <sa/authenticators/eap_authenticator.h>
-
-typedef struct private_ike_auth_t private_ike_auth_t;
-
-/**
- * Private members of a ike_auth_t task.
- */
-struct private_ike_auth_t {
-
-	/**
-	 * Public methods and task_t interface.
-	 */
-	ike_auth_t public;
-
-	/**
-	 * Assigned IKE_SA.
-	 */
-	ike_sa_t *ike_sa;
-
-	/**
-	 * Are we the initiator?
-	 */
-	bool initiator;
-
-	/**
-	 * Nonce chosen by us in ike_init
-	 */
-	chunk_t my_nonce;
-
-	/**
-	 * Nonce chosen by peer in ike_init
-	 */
-	chunk_t other_nonce;
-
-	/**
-	 * IKE_SA_INIT message sent by us
-	 */
-	packet_t *my_packet;
-
-	/**
-	 * IKE_SA_INIT message sent by peer
-	 */
-	packet_t *other_packet;
-
-	/**
-	 * currently active authenticator, to authenticate us
-	 */
-	authenticator_t *my_auth;
-
-	/**
-	 * currently active authenticator, to authenticate peer
-	 */
-	authenticator_t *other_auth;
-
-	/**
-	 * peer_cfg candidates, ordered by priority
-	 */
-	linked_list_t *candidates;
-
-	/**
-	 * selected peer config (might change when using multiple authentications)
-	 */
-	peer_cfg_t *peer_cfg;
-
-	/**
-	 * have we planned an(other) authentication exchange?
-	 */
-	bool do_another_auth;
-
-	/**
-	 * has the peer announced another authentication exchange?
-	 */
-	bool expect_another_auth;
-
-	/**
-	 * should we send a AUTHENTICATION_FAILED notify?
-	 */
-	bool authentication_failed;
-};
-
-/**
- * check if multiple authentication extension is enabled, configuration-wise
- */
-static bool multiple_auth_enabled()
-{
-	return lib->settings->get_bool(lib->settings,
-								   "charon.multiple_authentication", TRUE);
-}
-
-/**
- * collect the needed information in the IKE_SA_INIT exchange from our message
- */
-static status_t collect_my_init_data(private_ike_auth_t *this,
-									 message_t *message)
-{
-	nonce_payload_t *nonce;
-
-	/* get the nonce that was generated in ike_init */
-	nonce = (nonce_payload_t*)message->get_payload(message, NONCE);
-	if (nonce == NULL)
-	{
-		return FAILED;
-	}
-	this->my_nonce = nonce->get_nonce(nonce);
-
-	/* pre-generate the message, keep a copy */
-	if (this->ike_sa->generate_message(this->ike_sa, message,
-									   &this->my_packet) != SUCCESS)
-	{
-		return FAILED;
-	}
-	return NEED_MORE;
-}
-
-/**
- * collect the needed information in the IKE_SA_INIT exchange from others message
- */
-static status_t collect_other_init_data(private_ike_auth_t *this,
-										message_t *message)
-{
-	/* we collect the needed information in the IKE_SA_INIT exchange */
-	nonce_payload_t *nonce;
-
-	/* get the nonce that was generated in ike_init */
-	nonce = (nonce_payload_t*)message->get_payload(message, NONCE);
-	if (nonce == NULL)
-	{
-		return FAILED;
-	}
-	this->other_nonce = nonce->get_nonce(nonce);
-
-	/* keep a copy of the received packet */
-	this->other_packet = message->get_packet(message);
-	return NEED_MORE;
-}
-
-/**
- * Get the next authentication configuration
- */
-static auth_cfg_t *get_auth_cfg(private_ike_auth_t *this, bool local)
-{
-	enumerator_t *e1, *e2;
-	auth_cfg_t *c1, *c2, *next = NULL;
-
-	/* find an available config not already done */
-	e1 = this->peer_cfg->create_auth_cfg_enumerator(this->peer_cfg, local);
-	while (e1->enumerate(e1, &c1))
-	{
-		bool found = FALSE;
-
-		e2 = this->ike_sa->create_auth_cfg_enumerator(this->ike_sa, local);
-		while (e2->enumerate(e2, &c2))
-		{
-			if (c2->complies(c2, c1, FALSE))
-			{
-				found = TRUE;
-				break;
-			}
-		}
-		e2->destroy(e2);
-		if (!found)
-		{
-			next = c1;
-			break;
-		}
-	}
-	e1->destroy(e1);
-	return next;
-}
-
-/**
- * Check if we have should initiate another authentication round
- */
-static bool do_another_auth(private_ike_auth_t *this)
-{
-	bool do_another = FALSE;
-	enumerator_t *done, *todo;
-	auth_cfg_t *done_cfg, *todo_cfg;
-
-	if (!this->ike_sa->supports_extension(this->ike_sa, EXT_MULTIPLE_AUTH))
-	{
-		return FALSE;
-	}
-
-	done = this->ike_sa->create_auth_cfg_enumerator(this->ike_sa, TRUE);
-	todo = this->peer_cfg->create_auth_cfg_enumerator(this->peer_cfg, TRUE);
-	while (todo->enumerate(todo, &todo_cfg))
-	{
-		if (!done->enumerate(done, &done_cfg))
-		{
-			done_cfg = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
-		}
-		if (!done_cfg->complies(done_cfg, todo_cfg, FALSE))
-		{
-			do_another = TRUE;
-			break;
-		}
-	}
-	done->destroy(done);
-	todo->destroy(todo);
-	return do_another;
-}
-
-/**
- * Get peer configuration candidates from backends
- */
-static bool load_cfg_candidates(private_ike_auth_t *this)
-{
-	enumerator_t *enumerator;
-	peer_cfg_t *peer_cfg;
-	host_t *me, *other;
-	identification_t *my_id, *other_id;
-
-	me = this->ike_sa->get_my_host(this->ike_sa);
-	other = this->ike_sa->get_other_host(this->ike_sa);
-	my_id = this->ike_sa->get_my_id(this->ike_sa);
-	other_id = this->ike_sa->get_other_id(this->ike_sa);
-
-	enumerator = charon->backends->create_peer_cfg_enumerator(charon->backends,
-													me, other, my_id, other_id);
-	while (enumerator->enumerate(enumerator, &peer_cfg))
-	{
-		peer_cfg->get_ref(peer_cfg);
-		if (this->peer_cfg == NULL)
-		{	/* best match */
-			this->peer_cfg = peer_cfg;
-			this->ike_sa->set_peer_cfg(this->ike_sa, peer_cfg);
-		}
-		else
-		{
-			this->candidates->insert_last(this->candidates, peer_cfg);
-		}
-	}
-	enumerator->destroy(enumerator);
-	if (this->peer_cfg)
-	{
-		DBG1(DBG_CFG, "selected peer config '%s'",
-			 this->peer_cfg->get_name(this->peer_cfg));
-		return TRUE;
-	}
-	DBG1(DBG_CFG, "no matching peer config found");
-	return FALSE;
-}
-
-/**
- * update the current peer candidate if necessary, using candidates
- */
-static bool update_cfg_candidates(private_ike_auth_t *this, bool strict)
-{
-	do
-	{
-		if (this->peer_cfg)
-		{
-			bool complies = TRUE;
-			enumerator_t *e1, *e2, *tmp;
-			auth_cfg_t *c1, *c2;
-
-			e1 = this->ike_sa->create_auth_cfg_enumerator(this->ike_sa, FALSE);
-			e2 = this->peer_cfg->create_auth_cfg_enumerator(this->peer_cfg, FALSE);
-
-			if (strict)
-			{	/* swap lists in strict mode: all configured rounds must be
-				 * fulfilled. If !strict, we check only the rounds done so far. */
-				tmp = e1;
-				e1 = e2;
-				e2 = tmp;
-			}
-			while (e1->enumerate(e1, &c1))
-			{
-				/* check if done authentications comply to configured ones */
-				if ((!e2->enumerate(e2, &c2)) ||
-					(!strict && !c1->complies(c1, c2, TRUE)) ||
-					(strict && !c2->complies(c2, c1, TRUE)))
-				{
-					complies = FALSE;
-					break;
-				}
-			}
-			e1->destroy(e1);
-			e2->destroy(e2);
-			if (complies)
-			{
-				break;
-			}
-			DBG1(DBG_CFG, "selected peer config '%s' inacceptable",
-				 this->peer_cfg->get_name(this->peer_cfg));
-			this->peer_cfg->destroy(this->peer_cfg);
-		}
-		if (this->candidates->remove_first(this->candidates,
-										(void**)&this->peer_cfg) != SUCCESS)
-		{
-			DBG1(DBG_CFG, "no alternative config found");
-			this->peer_cfg = NULL;
-		}
-		else
-		{
-			DBG1(DBG_CFG, "switching to peer config '%s'",
-				 this->peer_cfg->get_name(this->peer_cfg));
-			this->ike_sa->set_peer_cfg(this->ike_sa, this->peer_cfg);
-		}
-	}
-	while (this->peer_cfg);
-
-	return this->peer_cfg != NULL;
-}
-
-/**
- * Implementation of task_t.build for initiator
- */
-static status_t build_i(private_ike_auth_t *this, message_t *message)
-{
-	auth_cfg_t *cfg;
-
-	if (message->get_exchange_type(message) == IKE_SA_INIT)
-	{
-		return collect_my_init_data(this, message);
-	}
-
-	if (this->peer_cfg == NULL)
-	{
-		this->peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
-		this->peer_cfg->get_ref(this->peer_cfg);
-	}
-
-	if (message->get_message_id(message) == 1)
-	{	/* in the first IKE_AUTH ... */
-		if (this->ike_sa->supports_extension(this->ike_sa, EXT_MULTIPLE_AUTH))
-		{	/* indicate support for multiple authentication */
-			message->add_notify(message, FALSE, MULTIPLE_AUTH_SUPPORTED,
-								chunk_empty);
-		}
-		/* indicate support for EAP-only authentication */
-		message->add_notify(message, FALSE, EAP_ONLY_AUTHENTICATION,
-							chunk_empty);
-	}
-
-	if (!this->do_another_auth && !this->my_auth)
-	{	/* we have done our rounds */
-		return NEED_MORE;
-	}
-
-	/* check if an authenticator is in progress */
-	if (this->my_auth == NULL)
-	{
-		identification_t *id;
-		id_payload_t *id_payload;
-
-		/* clean up authentication config from a previous round */
-		cfg = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
-		cfg->purge(cfg, TRUE);
-
-		/* add (optional) IDr */
-		cfg = get_auth_cfg(this, FALSE);
-		if (cfg)
-		{
-			id = cfg->get(cfg, AUTH_RULE_IDENTITY);
-			if (id && !id->contains_wildcards(id))
-			{
-				this->ike_sa->set_other_id(this->ike_sa, id->clone(id));
-				id_payload = id_payload_create_from_identification(
-															ID_RESPONDER, id);
-				message->add_payload(message, (payload_t*)id_payload);
-			}
-		}
-		/* add IDi */
-		cfg = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
-		cfg->merge(cfg, get_auth_cfg(this, TRUE), TRUE);
-		id = cfg->get(cfg, AUTH_RULE_IDENTITY);
-		if (!id)
-		{
-			DBG1(DBG_CFG, "configuration misses IDi");
-			return FAILED;
-		}
-		this->ike_sa->set_my_id(this->ike_sa, id->clone(id));
-		id_payload = id_payload_create_from_identification(ID_INITIATOR, id);
-		message->add_payload(message, (payload_t*)id_payload);
-
-		/* build authentication data */
-		this->my_auth = authenticator_create_builder(this->ike_sa, cfg,
-							this->other_nonce, this->my_nonce,
-							this->other_packet->get_data(this->other_packet),
-							this->my_packet->get_data(this->my_packet));
-		if (!this->my_auth)
-		{
-			return FAILED;
-		}
-	}
-	switch (this->my_auth->build(this->my_auth, message))
-	{
-		case SUCCESS:
-			/* authentication step complete, reset authenticator */
-			cfg = auth_cfg_create();
-			cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, TRUE), TRUE);
-			this->ike_sa->add_auth_cfg(this->ike_sa, TRUE, cfg);
-			this->my_auth->destroy(this->my_auth);
-			this->my_auth = NULL;
-			break;
-		case NEED_MORE:
-			break;
-		default:
-			return FAILED;
-	}
-
-	/* check for additional authentication rounds */
-	if (do_another_auth(this))
-	{
-		if (message->get_payload(message, AUTHENTICATION))
-		{
-			message->add_notify(message, FALSE, ANOTHER_AUTH_FOLLOWS, chunk_empty);
-		}
-	}
-	else
-	{
-		this->do_another_auth = FALSE;
-	}
-	return NEED_MORE;
-}
-
-/**
- * Implementation of task_t.process for responder
- */
-static status_t process_r(private_ike_auth_t *this, message_t *message)
-{
-	auth_cfg_t *cfg, *cand;
-	id_payload_t *id_payload;
-	identification_t *id;
-
-	if (message->get_exchange_type(message) == IKE_SA_INIT)
-	{
-		return collect_other_init_data(this, message);
-	}
-
-	if (this->my_auth == NULL && this->do_another_auth)
-	{
-		/* handle (optional) IDr payload, apply proposed identity */
-		id_payload = (id_payload_t*)message->get_payload(message, ID_RESPONDER);
-		if (id_payload)
-		{
-			id = id_payload->get_identification(id_payload);
-		}
-		else
-		{
-			id = identification_create_from_encoding(ID_ANY, chunk_empty);
-		}
-		this->ike_sa->set_my_id(this->ike_sa, id);
-	}
-
-	if (!this->expect_another_auth)
-	{
-		return NEED_MORE;
-	}
-
-	if (message->get_message_id(message) == 1)
-	{	/* check for extensions in the first IKE_AUTH */
-		if (message->get_notify(message, MULTIPLE_AUTH_SUPPORTED))
-		{
-			this->ike_sa->enable_extension(this->ike_sa, EXT_MULTIPLE_AUTH);
-		}
-		if (this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN) &&
-			message->get_notify(message, EAP_ONLY_AUTHENTICATION))
-		{	/* EAP-only has no official notify, accept only from strongSwan */
-			this->ike_sa->enable_extension(this->ike_sa,
-										   EXT_EAP_ONLY_AUTHENTICATION);
-		}
-	}
-
-	if (this->other_auth == NULL)
-	{
-		/* handle IDi payload */
-		id_payload = (id_payload_t*)message->get_payload(message, ID_INITIATOR);
-		if (!id_payload)
-		{
-			DBG1(DBG_IKE, "IDi payload missing");
-			return FAILED;
-		}
-		id = id_payload->get_identification(id_payload);
-		this->ike_sa->set_other_id(this->ike_sa, id);
-		cfg = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
-		cfg->add(cfg, AUTH_RULE_IDENTITY, id->clone(id));
-
-		if (this->peer_cfg == NULL)
-		{
-			if (!load_cfg_candidates(this))
-			{
-				this->authentication_failed = TRUE;
-				return NEED_MORE;
-			}
-		}
-		if (message->get_payload(message, AUTHENTICATION) == NULL)
-		{	/* before authenticating with EAP, we need a EAP config */
-			cand = get_auth_cfg(this, FALSE);
-			while (!cand || (
-					(uintptr_t)cand->get(cand, AUTH_RULE_EAP_TYPE) == EAP_NAK &&
-					(uintptr_t)cand->get(cand, AUTH_RULE_EAP_VENDOR) == 0))
-			{	/* peer requested EAP, but current config does not match */
-				this->peer_cfg->destroy(this->peer_cfg);
-				this->peer_cfg = NULL;
-				if (!update_cfg_candidates(this, FALSE))
-				{
-					this->authentication_failed = TRUE;
-					return NEED_MORE;
-				}
-				cand = get_auth_cfg(this, FALSE);
-			}
-			cfg->merge(cfg, cand, TRUE);
-		}
-
-		/* verify authentication data */
-		this->other_auth = authenticator_create_verifier(this->ike_sa,
-							message, this->other_nonce, this->my_nonce,
-							this->other_packet->get_data(this->other_packet),
-							this->my_packet->get_data(this->my_packet));
-		if (!this->other_auth)
-		{
-			this->authentication_failed = TRUE;
-			return NEED_MORE;
-		}
-	}
-	switch (this->other_auth->process(this->other_auth, message))
-	{
-		case SUCCESS:
-			this->other_auth->destroy(this->other_auth);
-			this->other_auth = NULL;
-			break;
-		case NEED_MORE:
-			if (message->get_payload(message, AUTHENTICATION))
-			{	/* AUTH verification successful, but another build() needed */
-				break;
-			}
-			return NEED_MORE;
-		default:
-			this->authentication_failed = TRUE;
-			return NEED_MORE;
-	}
-
-	/* store authentication information */
-	cfg = auth_cfg_create();
-	cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, FALSE), FALSE);
-	this->ike_sa->add_auth_cfg(this->ike_sa, FALSE, cfg);
-
-	/* another auth round done, invoke authorize hook */
-	if (!charon->bus->authorize(charon->bus, FALSE))
-	{
-		DBG1(DBG_IKE, "authorization hook forbids IKE_SA, cancelling");
-		this->authentication_failed = TRUE;
-		return NEED_MORE;
-	}
-
-	if (!update_cfg_candidates(this, FALSE))
-	{
-		this->authentication_failed = TRUE;
-		return NEED_MORE;
-	}
-
-	if (message->get_notify(message, ANOTHER_AUTH_FOLLOWS) == NULL)
-	{
-		this->expect_another_auth = FALSE;
-		if (!update_cfg_candidates(this, TRUE))
-		{
-			this->authentication_failed = TRUE;
-			return NEED_MORE;
-		}
-	}
-	return NEED_MORE;
-}
-
-/**
- * Implementation of task_t.build for responder
- */
-static status_t build_r(private_ike_auth_t *this, message_t *message)
-{
-	auth_cfg_t *cfg;
-
-	if (message->get_exchange_type(message) == IKE_SA_INIT)
-	{
-		if (multiple_auth_enabled())
-		{
-			message->add_notify(message, FALSE, MULTIPLE_AUTH_SUPPORTED,
-								chunk_empty);
-		}
-		return collect_my_init_data(this, message);
-	}
-
-	if (this->authentication_failed || this->peer_cfg == NULL)
-	{
-		message->add_notify(message, TRUE, AUTHENTICATION_FAILED, chunk_empty);
-		return FAILED;
-	}
-
-	if (this->my_auth == NULL && this->do_another_auth)
-	{
-		identification_t *id, *id_cfg;
-		id_payload_t *id_payload;
-
-		/* add IDr */
-		cfg = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
-		cfg->purge(cfg, TRUE);
-		cfg->merge(cfg, get_auth_cfg(this, TRUE), TRUE);
-
-		id_cfg = cfg->get(cfg, AUTH_RULE_IDENTITY);
-		id = this->ike_sa->get_my_id(this->ike_sa);
-		if (id->get_type(id) == ID_ANY)
-		{	/* no IDr received, apply configured ID */
-			if (!id_cfg || id_cfg->contains_wildcards(id_cfg))
-			{
-				DBG1(DBG_CFG, "IDr not configured and negotiation failed");
-				message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
-									chunk_empty);
-				return FAILED;
-			}
-			this->ike_sa->set_my_id(this->ike_sa, id_cfg->clone(id_cfg));
-			id = id_cfg;
-		}
-		else
-		{	/* IDr received, check if it matches configuration */
-			if (id_cfg && !id->matches(id, id_cfg))
-			{
-				DBG1(DBG_CFG, "received IDr %Y, but require %Y", id, id_cfg);
-				message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
-									chunk_empty);
-				return FAILED;
-			}
-		}
-
-		id_payload = id_payload_create_from_identification(ID_RESPONDER, id);
-		message->add_payload(message, (payload_t*)id_payload);
-
-		if ((uintptr_t)cfg->get(cfg, AUTH_RULE_AUTH_CLASS) == AUTH_CLASS_EAP)
-		{	/* EAP-only authentication */
-			if (!this->ike_sa->supports_extension(this->ike_sa,
-												  EXT_EAP_ONLY_AUTHENTICATION))
-			{
-				DBG1(DBG_IKE, "configured EAP-only authentication, but peer "
-					 "does not support it");
-				message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
-									chunk_empty);
-				return FAILED;
-			}
-		}
-		else
-		{
-			/* build authentication data */
-			this->my_auth = authenticator_create_builder(this->ike_sa, cfg,
-								this->other_nonce, this->my_nonce,
-								this->other_packet->get_data(this->other_packet),
-								this->my_packet->get_data(this->my_packet));
-			if (!this->my_auth)
-			{
-				message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
-									chunk_empty);
-				return FAILED;
-			}
-		}
-	}
-
-	if (this->other_auth)
-	{
-		switch (this->other_auth->build(this->other_auth, message))
-		{
-			case SUCCESS:
-				this->other_auth->destroy(this->other_auth);
-				this->other_auth = NULL;
-				break;
-			case NEED_MORE:
-				break;
-			default:
-				if (!message->get_payload(message, EXTENSIBLE_AUTHENTICATION))
-				{	/* skip AUTHENTICATION_FAILED if we have EAP_FAILURE */
-					message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
-										chunk_empty);
-				}
-				return FAILED;
-		}
-	}
-	if (this->my_auth)
-	{
-		switch (this->my_auth->build(this->my_auth, message))
-		{
-			case SUCCESS:
-				cfg = auth_cfg_create();
-				cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, TRUE),
-						   TRUE);
-				this->ike_sa->add_auth_cfg(this->ike_sa, TRUE, cfg);
-				this->my_auth->destroy(this->my_auth);
-				this->my_auth = NULL;
-				break;
-			case NEED_MORE:
-				break;
-			default:
-				message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
-									chunk_empty);
-				return FAILED;
-		}
-	}
-
-	/* check for additional authentication rounds */
-	if (do_another_auth(this))
-	{
-		message->add_notify(message, FALSE, ANOTHER_AUTH_FOLLOWS, chunk_empty);
-	}
-	else
-	{
-		this->do_another_auth = FALSE;
-	}
-	if (!this->do_another_auth && !this->expect_another_auth)
-	{
-		if (charon->ike_sa_manager->check_uniqueness(charon->ike_sa_manager,
-													 this->ike_sa))
-		{
-			DBG1(DBG_IKE, "cancelling IKE_SA setup due uniqueness policy");
-			message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
-								chunk_empty);
-			return FAILED;
-		}
-		if (!charon->bus->authorize(charon->bus, TRUE))
-		{
-			DBG1(DBG_IKE, "final authorization hook forbids IKE_SA, cancelling");
-			message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
-								chunk_empty);
-			return FAILED;
-		}
-		DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
-			 this->ike_sa->get_name(this->ike_sa),
-			 this->ike_sa->get_unique_id(this->ike_sa),
-			 this->ike_sa->get_my_host(this->ike_sa),
-			 this->ike_sa->get_my_id(this->ike_sa),
-			 this->ike_sa->get_other_host(this->ike_sa),
-			 this->ike_sa->get_other_id(this->ike_sa));
-		this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
-		charon->bus->ike_updown(charon->bus, this->ike_sa, TRUE);
-		return SUCCESS;
-	}
-	return NEED_MORE;
-}
-
-/**
- * Implementation of task_t.process for initiator
- */
-static status_t process_i(private_ike_auth_t *this, message_t *message)
-{
-	enumerator_t *enumerator;
-	payload_t *payload;
-	auth_cfg_t *cfg;
-	bool mutual_eap = FALSE;
-
-	if (message->get_exchange_type(message) == IKE_SA_INIT)
-	{
-		if (message->get_notify(message, MULTIPLE_AUTH_SUPPORTED) &&
-			multiple_auth_enabled())
-		{
-			this->ike_sa->enable_extension(this->ike_sa, EXT_MULTIPLE_AUTH);
-		}
-		return collect_other_init_data(this, message);
-	}
-
-	enumerator = message->create_payload_enumerator(message);
-	while (enumerator->enumerate(enumerator, &payload))
-	{
-		if (payload->get_type(payload) == NOTIFY)
-		{
-			notify_payload_t *notify = (notify_payload_t*)payload;
-			notify_type_t type = notify->get_notify_type(notify);
-
-			switch (type)
-			{
-				case NO_PROPOSAL_CHOSEN:
-				case SINGLE_PAIR_REQUIRED:
-				case NO_ADDITIONAL_SAS:
-				case INTERNAL_ADDRESS_FAILURE:
-				case FAILED_CP_REQUIRED:
-				case TS_UNACCEPTABLE:
-				case INVALID_SELECTORS:
-					/* these are errors, but are not critical as only the
-					 * CHILD_SA won't get build, but IKE_SA establishes anyway */
-					break;
-				case MOBIKE_SUPPORTED:
-				case ADDITIONAL_IP4_ADDRESS:
-				case ADDITIONAL_IP6_ADDRESS:
-					/* handled in ike_mobike task */
-					break;
-				case AUTH_LIFETIME:
-					/* handled in ike_auth_lifetime task */
-					break;
-				case ME_ENDPOINT:
-					/* handled in ike_me task */
-					break;
-				default:
-				{
-					if (type < 16383)
-					{
-						DBG1(DBG_IKE, "received %N notify error",
-							 notify_type_names, type);
-						enumerator->destroy(enumerator);
-						return FAILED;
-					}
-					DBG2(DBG_IKE, "received %N notify",
-						notify_type_names, type);
-					break;
-				}
-			}
-		}
-	}
-	enumerator->destroy(enumerator);
-
-	if (this->expect_another_auth)
-	{
-		if (this->other_auth == NULL)
-		{
-			id_payload_t *id_payload;
-			identification_t *id;
-
-			/* handle IDr payload */
-			id_payload = (id_payload_t*)message->get_payload(message,
-															 ID_RESPONDER);
-			if (!id_payload)
-			{
-				DBG1(DBG_IKE, "IDr payload missing");
-				return FAILED;
-			}
-			id = id_payload->get_identification(id_payload);
-			this->ike_sa->set_other_id(this->ike_sa, id);
-			cfg = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
-			cfg->add(cfg, AUTH_RULE_IDENTITY, id->clone(id));
-
-			if (message->get_payload(message, AUTHENTICATION))
-			{
-				/* verify authentication data */
-				this->other_auth = authenticator_create_verifier(this->ike_sa,
-								message, this->other_nonce, this->my_nonce,
-								this->other_packet->get_data(this->other_packet),
-								this->my_packet->get_data(this->my_packet));
-				if (!this->other_auth)
-				{
-					return FAILED;
-				}
-			}
-			else
-			{
-				/* responder omitted AUTH payload, indicating EAP-only */
-				mutual_eap = TRUE;
-			}
-		}
-		if (this->other_auth)
-		{
-			switch (this->other_auth->process(this->other_auth, message))
-			{
-				case SUCCESS:
-					break;
-				case NEED_MORE:
-					return NEED_MORE;
-				default:
-					return FAILED;
-			}
-			this->other_auth->destroy(this->other_auth);
-			this->other_auth = NULL;
-		}
-		/* store authentication information, reset authenticator */
-		cfg = auth_cfg_create();
-		cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, FALSE), FALSE);
-		this->ike_sa->add_auth_cfg(this->ike_sa, FALSE, cfg);
-
-		/* another auth round done, invoke authorize hook */
-		if (!charon->bus->authorize(charon->bus, FALSE))
-		{
-			DBG1(DBG_IKE, "authorization forbids IKE_SA, cancelling");
-			return FAILED;
-		}
-	}
-
-	if (this->my_auth)
-	{
-		switch (this->my_auth->process(this->my_auth, message))
-		{
-			case SUCCESS:
-				cfg = auth_cfg_create();
-				cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, TRUE),
-						   TRUE);
-				this->ike_sa->add_auth_cfg(this->ike_sa, TRUE, cfg);
-				this->my_auth->destroy(this->my_auth);
-				this->my_auth = NULL;
-				this->do_another_auth = do_another_auth(this);
-				break;
-			case NEED_MORE:
-				break;
-			default:
-				return FAILED;
-		}
-	}
-	if (mutual_eap)
-	{
-		if (!this->my_auth || !this->my_auth->is_mutual(this->my_auth))
-		{
-			DBG1(DBG_IKE, "do not allow non-mutual EAP-only authentication");
-			return FAILED;
-		}
-		DBG1(DBG_IKE, "allow mutual EAP-only authentication");
-	}
-
-	if (message->get_notify(message, ANOTHER_AUTH_FOLLOWS) == NULL)
-	{
-		this->expect_another_auth = FALSE;
-	}
-	if (!this->expect_another_auth && !this->do_another_auth && !this->my_auth)
-	{
-		if (!update_cfg_candidates(this, TRUE))
-		{
-			return FAILED;
-		}
-		if (!charon->bus->authorize(charon->bus, TRUE))
-		{
-			DBG1(DBG_IKE, "final authorization hook forbids IKE_SA, cancelling");
-			return FAILED;
-		}
-		DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
-			 this->ike_sa->get_name(this->ike_sa),
-			 this->ike_sa->get_unique_id(this->ike_sa),
-			 this->ike_sa->get_my_host(this->ike_sa),
-			 this->ike_sa->get_my_id(this->ike_sa),
-			 this->ike_sa->get_other_host(this->ike_sa),
-			 this->ike_sa->get_other_id(this->ike_sa));
-		this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
-		charon->bus->ike_updown(charon->bus, this->ike_sa, TRUE);
-		return SUCCESS;
-	}
-	return NEED_MORE;
-}
-
-/**
- * Implementation of task_t.get_type
- */
-static task_type_t get_type(private_ike_auth_t *this)
-{
-	return IKE_AUTHENTICATE;
-}
-
-/**
- * Implementation of task_t.migrate
- */
-static void migrate(private_ike_auth_t *this, ike_sa_t *ike_sa)
-{
-	chunk_free(&this->my_nonce);
-	chunk_free(&this->other_nonce);
-	DESTROY_IF(this->my_packet);
-	DESTROY_IF(this->other_packet);
-	DESTROY_IF(this->peer_cfg);
-	DESTROY_IF(this->my_auth);
-	DESTROY_IF(this->other_auth);
-	this->candidates->destroy_offset(this->candidates, offsetof(peer_cfg_t, destroy));
-
-	this->my_packet = NULL;
-	this->other_packet = NULL;
-	this->ike_sa = ike_sa;
-	this->peer_cfg = NULL;
-	this->my_auth = NULL;
-	this->other_auth = NULL;
-	this->do_another_auth = TRUE;
-	this->expect_another_auth = TRUE;
-	this->authentication_failed = FALSE;
-	this->candidates = linked_list_create();
-}
-
-/**
- * Implementation of task_t.destroy
- */
-static void destroy(private_ike_auth_t *this)
-{
-	chunk_free(&this->my_nonce);
-	chunk_free(&this->other_nonce);
-	DESTROY_IF(this->my_packet);
-	DESTROY_IF(this->other_packet);
-	DESTROY_IF(this->my_auth);
-	DESTROY_IF(this->other_auth);
-	DESTROY_IF(this->peer_cfg);
-	this->candidates->destroy_offset(this->candidates, offsetof(peer_cfg_t, destroy));
-	free(this);
-}
-
-/*
- * Described in header.
- */
-ike_auth_t *ike_auth_create(ike_sa_t *ike_sa, bool initiator)
-{
-	private_ike_auth_t *this = malloc_thing(private_ike_auth_t);
-
-	this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
-	this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
-	this->public.task.destroy = (void(*)(task_t*))destroy;
-
-	if (initiator)
-	{
-		this->public.task.build = (status_t(*)(task_t*,message_t*))build_i;
-		this->public.task.process = (status_t(*)(task_t*,message_t*))process_i;
-	}
-	else
-	{
-		this->public.task.build = (status_t(*)(task_t*,message_t*))build_r;
-		this->public.task.process = (status_t(*)(task_t*,message_t*))process_r;
-	}
-
-	this->ike_sa = ike_sa;
-	this->initiator = initiator;
-	this->my_nonce = chunk_empty;
-	this->other_nonce = chunk_empty;
-	this->my_packet = NULL;
-	this->other_packet = NULL;
-	this->peer_cfg = NULL;
-	this->candidates = linked_list_create();
-	this->my_auth = NULL;
-	this->other_auth = NULL;
-	this->do_another_auth = TRUE;
-	this->expect_another_auth = TRUE;
-	this->authentication_failed = FALSE;
-
-	return &this->public;
-}
-
diff --git a/src/charon/sa/tasks/ike_auth.h b/src/charon/sa/tasks/ike_auth.h
deleted file mode 100644
index bba46d961..000000000
--- a/src/charon/sa/tasks/ike_auth.h
+++ /dev/null
@@ -1,57 +0,0 @@
-/*
- * Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup ike_auth ike_auth
- * @{ @ingroup tasks
- */
-
-#ifndef IKE_AUTH_H_
-#define IKE_AUTH_H_
-
-typedef struct ike_auth_t ike_auth_t;
-
-#include <library.h>
-#include <sa/ike_sa.h>
-#include <sa/tasks/task.h>
-
-/**
- * Task of type ike_auth, authenticates an IKE_SA using authenticators.
- *
- * The ike_auth task authenticates the IKE_SA using the IKE_AUTH
- * exchange. It processes and build IDi and IDr payloads and also
- * handles AUTH payloads. The AUTH payloads are passed to authenticator_t's,
- * which do the actual authentication process. If the ike_auth task is used
- * with EAP authentication, it stays alive over multiple exchanges until
- * EAP has completed.
- */
-struct ike_auth_t {
-
-	/**
-	 * Implements the task_t interface
-	 */
-	task_t task;
-};
-
-/**
- * Create a new task of type IKE_AUTHENTICATE.
- *
- * @param ike_sa		IKE_SA this task works for
- * @param initiator		TRUE if thask is the initator of an exchange
- * @return				ike_auth task to handle by the task_manager
- */
-ike_auth_t *ike_auth_create(ike_sa_t *ike_sa, bool initiator);
-
-#endif /** IKE_AUTH_H_ @}*/
diff --git a/src/charon/sa/tasks/ike_auth_lifetime.c b/src/charon/sa/tasks/ike_auth_lifetime.c
deleted file mode 100644
index 75ff35168..000000000
--- a/src/charon/sa/tasks/ike_auth_lifetime.c
+++ /dev/null
@@ -1,182 +0,0 @@
-/*
- * Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "ike_auth_lifetime.h"
-
-#include <time.h>
-
-#include <daemon.h>
-#include <encoding/payloads/notify_payload.h>
-
-
-typedef struct private_ike_auth_lifetime_t private_ike_auth_lifetime_t;
-
-/**
- * Private members of a ike_auth_lifetime_t task.
- */
-struct private_ike_auth_lifetime_t {
-
-	/**
-	 * Public methods and task_t interface.
-	 */
-	ike_auth_lifetime_t public;
-
-	/**
-	 * Assigned IKE_SA.
-	 */
-	ike_sa_t *ike_sa;
-};
-
-/**
- * add the AUTH_LIFETIME notify to the message
- */
-static void add_auth_lifetime(private_ike_auth_lifetime_t *this, message_t *message)
-{
-	chunk_t chunk;
-	u_int32_t lifetime;
-
-	lifetime = this->ike_sa->get_statistic(this->ike_sa, STAT_REAUTH);
-	if (lifetime)
-	{
-		lifetime -= time_monotonic(NULL);
-		chunk = chunk_from_thing(lifetime);
-		*(u_int32_t*)chunk.ptr = htonl(lifetime);
-		message->add_notify(message, FALSE, AUTH_LIFETIME, chunk);
-	}
-}
-
-/**
- * read notifys from message and evaluate them
- */
-static void process_payloads(private_ike_auth_lifetime_t *this, message_t *message)
-{
-	notify_payload_t *notify;
-	chunk_t data;
-	u_int32_t lifetime;
-
-	notify = message->get_notify(message, AUTH_LIFETIME);
-	if (notify)
-	{
-		data = notify->get_notification_data(notify);
-		lifetime = ntohl(*(u_int32_t*)data.ptr);
-		this->ike_sa->set_auth_lifetime(this->ike_sa, lifetime);
-	}
-}
-
-/**
- * Implementation of task_t.process for initiator
- */
-static status_t build_i(private_ike_auth_lifetime_t *this, message_t *message)
-{
-	if (message->get_exchange_type(message) == INFORMATIONAL)
-	{
-		add_auth_lifetime(this, message);
-		return SUCCESS;
-	}
-	return NEED_MORE;
-}
-
-/**
- * Implementation of task_t.process for responder
- */
-static status_t process_r(private_ike_auth_lifetime_t *this, message_t *message)
-{
-	if (message->get_exchange_type(message) == INFORMATIONAL)
-	{
-		process_payloads(this, message);
-		return SUCCESS;
-	}
-	return NEED_MORE;
-}
-
-/**
- * Implementation of task_t.build for responder
- */
-static status_t build_r(private_ike_auth_lifetime_t *this, message_t *message)
-{
-	if (message->get_exchange_type(message) == IKE_AUTH &&
-		this->ike_sa->get_state(this->ike_sa) == IKE_ESTABLISHED)
-	{
-		add_auth_lifetime(this, message);
-		return SUCCESS;
-	}
-	return NEED_MORE;
-}
-
-/**
- * Implementation of task_t.process for initiator
- */
-static status_t process_i(private_ike_auth_lifetime_t *this, message_t *message)
-{
-	if (message->get_exchange_type(message) == IKE_AUTH &&
-		this->ike_sa->get_state(this->ike_sa) == IKE_ESTABLISHED)
-	{
-		process_payloads(this, message);
-		return SUCCESS;
-	}
-	return NEED_MORE;
-}
-
-/**
- * Implementation of task_t.get_type
- */
-static task_type_t get_type(private_ike_auth_lifetime_t *this)
-{
-	return IKE_AUTH_LIFETIME;
-}
-
-/**
- * Implementation of task_t.migrate
- */
-static void migrate(private_ike_auth_lifetime_t *this, ike_sa_t *ike_sa)
-{
-	this->ike_sa = ike_sa;
-}
-
-/**
- * Implementation of task_t.destroy
- */
-static void destroy(private_ike_auth_lifetime_t *this)
-{
-	free(this);
-}
-
-/*
- * Described in header.
- */
-ike_auth_lifetime_t *ike_auth_lifetime_create(ike_sa_t *ike_sa, bool initiator)
-{
-	private_ike_auth_lifetime_t *this = malloc_thing(private_ike_auth_lifetime_t);
-
-	this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
-	this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
-	this->public.task.destroy = (void(*)(task_t*))destroy;
-
-	if (initiator)
-	{
-		this->public.task.build = (status_t(*)(task_t*,message_t*))build_i;
-		this->public.task.process = (status_t(*)(task_t*,message_t*))process_i;
-	}
-	else
-	{
-		this->public.task.build = (status_t(*)(task_t*,message_t*))build_r;
-		this->public.task.process = (status_t(*)(task_t*,message_t*))process_r;
-	}
-
-	this->ike_sa = ike_sa;
-
-	return &this->public;
-}
-
diff --git a/src/charon/sa/tasks/ike_auth_lifetime.h b/src/charon/sa/tasks/ike_auth_lifetime.h
deleted file mode 100644
index 3b129b9e3..000000000
--- a/src/charon/sa/tasks/ike_auth_lifetime.h
+++ /dev/null
@@ -1,53 +0,0 @@
-/*
- * Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup ike_auth_lifetime ike_auth_lifetime
- * @{ @ingroup tasks
- */
-
-#ifndef IKE_AUTH_LIFETIME_H_
-#define IKE_AUTH_LIFETIME_H_
-
-typedef struct ike_auth_lifetime_t ike_auth_lifetime_t;
-
-#include <library.h>
-#include <sa/ike_sa.h>
-#include <sa/tasks/task.h>
-
-/**
- * Task of type IKE_AUTH_LIFETIME, implements RFC4478.
- *
- * This task exchanges lifetimes for IKE_AUTH to force a client to
- * reauthenticate before the responders lifetime reaches the limit.
- */
-struct ike_auth_lifetime_t {
-
-	/**
-	 * Implements the task_t interface
-	 */
-	task_t task;
-};
-
-/**
- * Create a new IKE_AUTH_LIFETIME task.
- *
- * @param ike_sa		IKE_SA this task works for
- * @param initiator		TRUE if taks is initiated by us
- * @return				ike_auth_lifetime task to handle by the task_manager
- */
-ike_auth_lifetime_t *ike_auth_lifetime_create(ike_sa_t *ike_sa, bool initiator);
-
-#endif /** IKE_MOBIKE_H_ @}*/
diff --git a/src/charon/sa/tasks/ike_cert_post.c b/src/charon/sa/tasks/ike_cert_post.c
deleted file mode 100644
index c831df975..000000000
--- a/src/charon/sa/tasks/ike_cert_post.c
+++ /dev/null
@@ -1,261 +0,0 @@
-/*
- * Copyright (C) 2008 Tobias Brunner
- * Copyright (C) 2006-2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "ike_cert_post.h"
-
-#include <daemon.h>
-#include <sa/ike_sa.h>
-#include <encoding/payloads/cert_payload.h>
-#include <encoding/payloads/certreq_payload.h>
-#include <encoding/payloads/auth_payload.h>
-#include <credentials/certificates/x509.h>
-
-
-typedef struct private_ike_cert_post_t private_ike_cert_post_t;
-
-/**
- * Private members of a ike_cert_post_t task.
- */
-struct private_ike_cert_post_t {
-
-	/**
-	 * Public methods and task_t interface.
-	 */
-	ike_cert_post_t public;
-
-	/**
-	 * Assigned IKE_SA.
-	 */
-	ike_sa_t *ike_sa;
-
-	/**
-	 * Are we the initiator?
-	 */
-	bool initiator;
-};
-
-/**
- * Generates the cert payload, if possible with "Hash and URL"
- */
-static cert_payload_t *build_cert_payload(private_ike_cert_post_t *this,
-										 certificate_t *cert)
-{
-	hasher_t *hasher;
-	identification_t *id;
-	chunk_t hash, encoded ;
-	enumerator_t *enumerator;
-	char *url;
-	cert_payload_t *payload = NULL;
-
-	if (!this->ike_sa->supports_extension(this->ike_sa, EXT_HASH_AND_URL))
-	{
-		return cert_payload_create_from_cert(cert);
-	}
-
-	hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
-	if (!hasher)
-	{
-		DBG1(DBG_IKE, "unable to use hash-and-url: sha1 not supported");
-		return cert_payload_create_from_cert(cert);
-	}
-
-	encoded = cert->get_encoding(cert);
-	hasher->allocate_hash(hasher, encoded, &hash);
-	chunk_free(&encoded);
-	hasher->destroy(hasher);
-	id = identification_create_from_encoding(ID_KEY_ID, hash);
-
-	enumerator = charon->credentials->create_cdp_enumerator(charon->credentials,
-															CERT_X509, id);
-	if (enumerator->enumerate(enumerator, &url))
-	{
-		payload = cert_payload_create_from_hash_and_url(hash, url);
-	}
-	else
-	{
-		payload = cert_payload_create_from_cert(cert);
-	}
-	enumerator->destroy(enumerator);
-	chunk_free(&hash);
-	id->destroy(id);
-	return payload;
-}
-
-/**
- * add certificates to message
- */
-static void build_certs(private_ike_cert_post_t *this, message_t *message)
-{
-	peer_cfg_t *peer_cfg;
-	auth_payload_t *payload;
-
-	payload = (auth_payload_t*)message->get_payload(message, AUTHENTICATION);
-	peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
-	if (!peer_cfg || !payload || payload->get_auth_method(payload) == AUTH_PSK)
-	{	/* no CERT payload for EAP/PSK */
-		return;
-	}
-
-	switch (peer_cfg->get_cert_policy(peer_cfg))
-	{
-		case CERT_NEVER_SEND:
-			break;
-		case CERT_SEND_IF_ASKED:
-			if (!this->ike_sa->has_condition(this->ike_sa, COND_CERTREQ_SEEN))
-			{
-				break;
-			}
-			/* FALL */
-		case CERT_ALWAYS_SEND:
-		{
-			cert_payload_t *payload;
-			enumerator_t *enumerator;
-			certificate_t *cert;
-			auth_rule_t type;
-			auth_cfg_t *auth;
-
-			auth = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
-
-			/* get subject cert first, then issuing certificates */
-			cert = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
-			if (!cert)
-			{
-				break;
-			}
-			payload = build_cert_payload(this, cert);
-			if (!payload)
-			{
-				break;
-			}
-			DBG1(DBG_IKE, "sending end entity cert \"%Y\"",
-				 cert->get_subject(cert));
-			message->add_payload(message, (payload_t*)payload);
-
-			enumerator = auth->create_enumerator(auth);
-			while (enumerator->enumerate(enumerator, &type, &cert))
-			{
-				if (type == AUTH_RULE_IM_CERT)
-				{
-					payload = cert_payload_create_from_cert(cert);
-					if (payload)
-					{
-						DBG1(DBG_IKE, "sending issuer cert \"%Y\"",
-							 cert->get_subject(cert));
-						message->add_payload(message, (payload_t*)payload);
-					}
-				}
-			}
-			enumerator->destroy(enumerator);
-		}
-	}
-}
-
-/**
- * Implementation of task_t.process for initiator
- */
-static status_t build_i(private_ike_cert_post_t *this, message_t *message)
-{
-	build_certs(this, message);
-
-	return NEED_MORE;
-}
-
-/**
- * Implementation of task_t.process for responder
- */
-static status_t process_r(private_ike_cert_post_t *this, message_t *message)
-{
-	return NEED_MORE;
-}
-
-/**
- * Implementation of task_t.build for responder
- */
-static status_t build_r(private_ike_cert_post_t *this, message_t *message)
-{
-	build_certs(this, message);
-
-	if (this->ike_sa->get_state(this->ike_sa) != IKE_ESTABLISHED)
-	{	/* stay alive, we might have additional rounds with certs */
-		return NEED_MORE;
-	}
-	return SUCCESS;
-}
-
-/**
- * Implementation of task_t.process for initiator
- */
-static status_t process_i(private_ike_cert_post_t *this, message_t *message)
-{
-	if (this->ike_sa->get_state(this->ike_sa) != IKE_ESTABLISHED)
-	{	/* stay alive, we might have additional rounds with CERTS */
-		return NEED_MORE;
-	}
-	return SUCCESS;
-}
-
-/**
- * Implementation of task_t.get_type
- */
-static task_type_t get_type(private_ike_cert_post_t *this)
-{
-	return IKE_CERT_POST;
-}
-
-/**
- * Implementation of task_t.migrate
- */
-static void migrate(private_ike_cert_post_t *this, ike_sa_t *ike_sa)
-{
-	this->ike_sa = ike_sa;
-}
-
-/**
- * Implementation of task_t.destroy
- */
-static void destroy(private_ike_cert_post_t *this)
-{
-	free(this);
-}
-
-/*
- * Described in header.
- */
-ike_cert_post_t *ike_cert_post_create(ike_sa_t *ike_sa, bool initiator)
-{
-	private_ike_cert_post_t *this = malloc_thing(private_ike_cert_post_t);
-
-	this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
-	this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
-	this->public.task.destroy = (void(*)(task_t*))destroy;
-
-	if (initiator)
-	{
-		this->public.task.build = (status_t(*)(task_t*,message_t*))build_i;
-		this->public.task.process = (status_t(*)(task_t*,message_t*))process_i;
-	}
-	else
-	{
-		this->public.task.build = (status_t(*)(task_t*,message_t*))build_r;
-		this->public.task.process = (status_t(*)(task_t*,message_t*))process_r;
-	}
-
-	this->ike_sa = ike_sa;
-	this->initiator = initiator;
-
-	return &this->public;
-}
-
diff --git a/src/charon/sa/tasks/ike_cert_post.h b/src/charon/sa/tasks/ike_cert_post.h
deleted file mode 100644
index a21f45927..000000000
--- a/src/charon/sa/tasks/ike_cert_post.h
+++ /dev/null
@@ -1,53 +0,0 @@
-/*
- * Copyright (C) 2007-2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup ike_cert_post ike_cert_post
- * @{ @ingroup tasks
- */
-
-#ifndef IKE_CERT_POST_H_
-#define IKE_CERT_POST_H_
-
-typedef struct ike_cert_post_t ike_cert_post_t;
-
-#include <library.h>
-#include <sa/ike_sa.h>
-#include <sa/tasks/task.h>
-
-/**
- * Task of type ike_cert_post, certificate processing after authentication.
- */
-struct ike_cert_post_t {
-
-	/**
-	 * Implements the task_t interface
-	 */
-	task_t task;
-};
-
-/**
- * Create a new ike_cert_post task.
- *
- * The initiator parameter means the original initiator, not the initiator
- * of the certificate request.
- *
- * @param ike_sa		IKE_SA this task works for
- * @param initiator		TRUE if thask is the original initator
- * @return				ike_cert_post task to handle by the task_manager
- */
-ike_cert_post_t *ike_cert_post_create(ike_sa_t *ike_sa, bool initiator);
-
-#endif /** IKE_CERT_POST_H_ @}*/
diff --git a/src/charon/sa/tasks/ike_cert_pre.c b/src/charon/sa/tasks/ike_cert_pre.c
deleted file mode 100644
index 0805d0290..000000000
--- a/src/charon/sa/tasks/ike_cert_pre.c
+++ /dev/null
@@ -1,524 +0,0 @@
-/*
- * Copyright (C) 2008 Tobias Brunner
- * Copyright (C) 2006-2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "ike_cert_pre.h"
-
-#include <daemon.h>
-#include <sa/ike_sa.h>
-#include <encoding/payloads/cert_payload.h>
-#include <encoding/payloads/certreq_payload.h>
-#include <credentials/certificates/x509.h>
-
-
-typedef struct private_ike_cert_pre_t private_ike_cert_pre_t;
-
-/**
- * Private members of a ike_cert_pre_t task.
- */
-struct private_ike_cert_pre_t {
-
-	/**
-	 * Public methods and task_t interface.
-	 */
-	ike_cert_pre_t public;
-
-	/**
-	 * Assigned IKE_SA.
-	 */
-	ike_sa_t *ike_sa;
-
-	/**
-	 * Are we the initiator?
-	 */
-	bool initiator;
-
-	/**
-	 * Do we accept HTTP certificate lookup requests
-	 */
-	bool do_http_lookup;
-
-	/**
-	 * wheter this is the final authentication round
-	 */
-	bool final;
-};
-
-/**
- * read certificate requests
- */
-static void process_certreqs(private_ike_cert_pre_t *this, message_t *message)
-{
-	enumerator_t *enumerator;
-	payload_t *payload;
-	auth_cfg_t *auth;
-
-	auth = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
-
-	enumerator = message->create_payload_enumerator(message);
-	while (enumerator->enumerate(enumerator, &payload))
-	{
-		switch (payload->get_type(payload))
-		{
-			case CERTIFICATE_REQUEST:
-			{
-				certreq_payload_t *certreq = (certreq_payload_t*)payload;
-				enumerator_t *enumerator;
-				chunk_t keyid;
-
-				this->ike_sa->set_condition(this->ike_sa, COND_CERTREQ_SEEN, TRUE);
-
-				if (certreq->get_cert_type(certreq) != CERT_X509)
-				{
-					DBG1(DBG_IKE, "cert payload %N not supported - ignored",
-						 certificate_type_names, certreq->get_cert_type(certreq));
-					break;
-				}
-				enumerator = certreq->create_keyid_enumerator(certreq);
-				while (enumerator->enumerate(enumerator, &keyid))
-				{
-					identification_t *id;
-					certificate_t *cert;
-
-					id = identification_create_from_encoding(ID_KEY_ID, keyid);
-					cert = charon->credentials->get_cert(charon->credentials,
-											CERT_X509, KEY_ANY, id, TRUE);
-					if (cert)
-					{
-						DBG1(DBG_IKE, "received cert request for \"%Y\"",
-							 cert->get_subject(cert));
-						auth->add(auth, AUTH_RULE_CA_CERT, cert);
-					}
-					else
-					{
-						DBG1(DBG_IKE, "received cert request for unknown ca "
-									  "with keyid %Y", id);
-					}
-					id->destroy(id);
-				}
-				enumerator->destroy(enumerator);
-				break;
-			}
-			case NOTIFY:
-			{
-				notify_payload_t *notify = (notify_payload_t*)payload;
-
-				/* we only handle one type of notify here */
-				if (notify->get_notify_type(notify) == HTTP_CERT_LOOKUP_SUPPORTED)
-				{
-					this->ike_sa->enable_extension(this->ike_sa, EXT_HASH_AND_URL);
-				}
-				break;
-			}
-			default:
-				/* ignore other payloads here, these are handled elsewhere */
-				break;
-		}
-	}
-	enumerator->destroy(enumerator);
-}
-
-/**
- * tries to extract a certificate from the cert payload or the credential
- * manager (based on the hash of a "Hash and URL" encoded cert).
- * Note: the returned certificate (if any) has to be destroyed
- */
-static certificate_t *try_get_cert(cert_payload_t *cert_payload)
-{
-	certificate_t *cert = NULL;
-
-	switch (cert_payload->get_cert_encoding(cert_payload))
-	{
-		case ENC_X509_SIGNATURE:
-		{
-			cert = cert_payload->get_cert(cert_payload);
-			break;
-		}
-		case ENC_X509_HASH_AND_URL:
-		{
-			identification_t *id;
-			chunk_t hash = cert_payload->get_hash(cert_payload);
-			if (!hash.ptr)
-			{
-				/* invalid "Hash and URL" data (logged elsewhere) */
-				break;
-			}
-			id = identification_create_from_encoding(ID_KEY_ID, hash);
-			cert = charon->credentials->get_cert(charon->credentials,
-												 CERT_X509, KEY_ANY, id, FALSE);
-			id->destroy(id);
-			break;
-		}
-		default:
-		{
-			break;
-		}
-	}
-	return cert;
-}
-
-/**
- * import certificates
- */
-static void process_certs(private_ike_cert_pre_t *this, message_t *message)
-{
-	enumerator_t *enumerator;
-	payload_t *payload;
-	auth_cfg_t *auth;
-	bool first = TRUE;
-
-	auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
-
-	enumerator = message->create_payload_enumerator(message);
-	while (enumerator->enumerate(enumerator, &payload))
-	{
-		if (payload->get_type(payload) == CERTIFICATE)
-		{
-			cert_payload_t *cert_payload;
-			cert_encoding_t encoding;
-			certificate_t *cert;
-			char *url;
-
-			cert_payload = (cert_payload_t*)payload;
-			encoding = cert_payload->get_cert_encoding(cert_payload);
-
-			switch (encoding)
-			{
-				case ENC_X509_HASH_AND_URL:
-				{
-					if (!this->do_http_lookup)
-					{
-						DBG1(DBG_IKE, "received hash-and-url encoded cert, but"
-								" we don't accept them, ignore");
-						break;
-					}
-					/* FALL */
-				}
-				case ENC_X509_SIGNATURE:
-				{
-					cert = try_get_cert(cert_payload);
-					if (cert)
-					{
-						if (first)
-						{	/* the first is an end entity certificate */
-							DBG1(DBG_IKE, "received end entity cert \"%Y\"",
-								 cert->get_subject(cert));
-							auth->add(auth, AUTH_HELPER_SUBJECT_CERT, cert);
-							first = FALSE;
-						}
-						else
-						{
-							DBG1(DBG_IKE, "received issuer cert \"%Y\"",
-								 cert->get_subject(cert));
-							auth->add(auth, AUTH_HELPER_IM_CERT, cert);
-						}
-					}
-					else if (encoding == ENC_X509_HASH_AND_URL)
-					{
-						/* we fetch the certificate not yet, but only if
-						 * it is really needed during authentication */
-						url = cert_payload->get_url(cert_payload);
-						if (!url)
-						{
-							DBG1(DBG_IKE, "received invalid hash-and-url "
-								 "encoded cert, ignore");
-							break;
-						}
-						url = strdup(url);
-						if (first)
-						{	/* first URL is for an end entity certificate */
-							DBG1(DBG_IKE, "received hash-and-url for end"
-								 " entity cert \"%s\"", url);
-							auth->add(auth, AUTH_HELPER_SUBJECT_HASH_URL, url);
-							first = FALSE;
-						}
-						else
-						{
-							DBG1(DBG_IKE, "received hash-and-url for issuer"
-									" cert \"%s\"", url);
-							auth->add(auth, AUTH_HELPER_IM_HASH_URL, url);
-						}
-					}
-					break;
-				}
-				case ENC_PKCS7_WRAPPED_X509:
-				case ENC_PGP:
-				case ENC_DNS_SIGNED_KEY:
-				case ENC_KERBEROS_TOKEN:
-				case ENC_CRL:
-				case ENC_ARL:
-				case ENC_SPKI:
-				case ENC_X509_ATTRIBUTE:
-				case ENC_RAW_RSA_KEY:
-				case ENC_X509_HASH_AND_URL_BUNDLE:
-				case ENC_OCSP_CONTENT:
-				default:
-					DBG1(DBG_ENC, "certificate encoding %N not supported",
-						 cert_encoding_names, encoding);
-			}
-		}
-	}
-	enumerator->destroy(enumerator);
-}
-
-/**
- * add the keyid of a certificate to the certificate request payload
- */
-static void add_certreq(certreq_payload_t **req, certificate_t *cert)
-{
-	switch (cert->get_type(cert))
-	{
-		case CERT_X509:
-		{
-			public_key_t *public;
-			chunk_t keyid;
-			x509_t *x509 = (x509_t*)cert;
-
-			if (!(x509->get_flags(x509) & X509_CA))
-			{	/* no CA cert, skip */
-				break;
-			}
-			public = cert->get_public_key(cert);
-			if (!public)
-			{
-				break;
-			}
-			if (*req == NULL)
-			{
-				*req = certreq_payload_create_type(CERT_X509);
-			}
-			if (public->get_fingerprint(public, KEY_ID_PUBKEY_INFO_SHA1, &keyid))
-			{
-				(*req)->add_keyid(*req, keyid);
-				DBG1(DBG_IKE, "sending cert request for \"%Y\"",
-					 cert->get_subject(cert));
-			}
-			public->destroy(public);
-			break;
-		}
-		default:
-			break;
-	}
-}
-
-/**
- * add a auth_cfg's CA certificates to the certificate request
- */
-static void add_certreqs(certreq_payload_t **req, auth_cfg_t *auth)
-{
-	enumerator_t *enumerator;
-	auth_rule_t type;
-	void *value;
-
-	enumerator = auth->create_enumerator(auth);
-	while (enumerator->enumerate(enumerator, &type, &value))
-	{
-		switch (type)
-		{
-			case AUTH_RULE_CA_CERT:
-				add_certreq(req, (certificate_t*)value);
-				break;
-			default:
-				break;
-		}
-	}
-	enumerator->destroy(enumerator);
-}
-
-/**
- * build certificate requests
- */
-static void build_certreqs(private_ike_cert_pre_t *this, message_t *message)
-{
-	enumerator_t *enumerator;
-	ike_cfg_t *ike_cfg;
-	peer_cfg_t *peer_cfg;
-	certificate_t *cert;
-	auth_cfg_t *auth;
-	certreq_payload_t *req = NULL;
-
-	ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa);
-	if (!ike_cfg->send_certreq(ike_cfg))
-	{
-		return;
-	}
-
-	/* check if we require a specific CA for that peer */
-	peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
-	if (peer_cfg)
-	{
-		enumerator = peer_cfg->create_auth_cfg_enumerator(peer_cfg, FALSE);
-		while (enumerator->enumerate(enumerator, &auth))
-		{
-			add_certreqs(&req, auth);
-		}
-		enumerator->destroy(enumerator);
-	}
-
-	if (!req)
-	{
-		/* otherwise add all trusted CA certificates */
-		enumerator = charon->credentials->create_cert_enumerator(
-							charon->credentials, CERT_ANY, KEY_ANY, NULL, TRUE);
-		while (enumerator->enumerate(enumerator, &cert))
-		{
-			add_certreq(&req, cert);
-		}
-		enumerator->destroy(enumerator);
-	}
-
-	if (req)
-	{
-		message->add_payload(message, (payload_t*)req);
-
-		if (lib->settings->get_bool(lib->settings, "charon.hash_and_url", FALSE))
-		{
-			message->add_notify(message, FALSE, HTTP_CERT_LOOKUP_SUPPORTED,
-								chunk_empty);
-			this->do_http_lookup = TRUE;
-		}
-	}
-}
-
-/**
- * Check if this is the final authentication round
- */
-static bool final_auth(message_t *message)
-{
-	/* we check for an AUTH payload without a ANOTHER_AUTH_FOLLOWS notify */
-	if (message->get_payload(message, AUTHENTICATION) == NULL)
-	{
-		return FALSE;
-	}
-	if (message->get_notify(message, ANOTHER_AUTH_FOLLOWS))
-	{
-		return FALSE;
-	}
-	return TRUE;
-}
-
-/**
- * Implementation of task_t.process for initiator
- */
-static status_t build_i(private_ike_cert_pre_t *this, message_t *message)
-{
-	if (message->get_message_id(message) == 1)
-	{	/* initiator sends CERTREQs in first IKE_AUTH */
-		build_certreqs(this, message);
-	}
-	return NEED_MORE;
-}
-
-/**
- * Implementation of task_t.process for responder
- */
-static status_t process_r(private_ike_cert_pre_t *this, message_t *message)
-{
-	if (message->get_exchange_type(message) != IKE_SA_INIT)
-	{	/* handle certreqs/certs in any IKE_AUTH, just in case */
-		process_certreqs(this, message);
-		process_certs(this, message);
-	}
-	this->final = final_auth(message);
-	return NEED_MORE;
-}
-
-/**
- * Implementation of task_t.build for responder
- */
-static status_t build_r(private_ike_cert_pre_t *this, message_t *message)
-{
-	if (message->get_exchange_type(message) == IKE_SA_INIT)
-	{
-		build_certreqs(this, message);
-	}
-	if (this->final)
-	{
-		return SUCCESS;
-	}
-	return NEED_MORE;
-}
-
-/**
- * Implementation of task_t.process for initiator
- */
-static status_t process_i(private_ike_cert_pre_t *this, message_t *message)
-{
-	if (message->get_exchange_type(message) == IKE_SA_INIT)
-	{
-		process_certreqs(this, message);
-	}
-	process_certs(this, message);
-
-	if (final_auth(message))
-	{
-		return SUCCESS;
-	}
-	return NEED_MORE;
-}
-
-/**
- * Implementation of task_t.get_type
- */
-static task_type_t get_type(private_ike_cert_pre_t *this)
-{
-	return IKE_CERT_PRE;
-}
-
-/**
- * Implementation of task_t.migrate
- */
-static void migrate(private_ike_cert_pre_t *this, ike_sa_t *ike_sa)
-{
-	this->ike_sa = ike_sa;
-}
-
-/**
- * Implementation of task_t.destroy
- */
-static void destroy(private_ike_cert_pre_t *this)
-{
-	free(this);
-}
-
-/*
- * Described in header.
- */
-ike_cert_pre_t *ike_cert_pre_create(ike_sa_t *ike_sa, bool initiator)
-{
-	private_ike_cert_pre_t *this = malloc_thing(private_ike_cert_pre_t);
-
-	this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
-	this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
-	this->public.task.destroy = (void(*)(task_t*))destroy;
-
-	if (initiator)
-	{
-		this->public.task.build = (status_t(*)(task_t*,message_t*))build_i;
-		this->public.task.process = (status_t(*)(task_t*,message_t*))process_i;
-	}
-	else
-	{
-		this->public.task.build = (status_t(*)(task_t*,message_t*))build_r;
-		this->public.task.process = (status_t(*)(task_t*,message_t*))process_r;
-	}
-
-	this->ike_sa = ike_sa;
-	this->initiator = initiator;
-	this->do_http_lookup = FALSE;
-	this->final = FALSE;
-
-	return &this->public;
-}
diff --git a/src/charon/sa/tasks/ike_cert_pre.h b/src/charon/sa/tasks/ike_cert_pre.h
deleted file mode 100644
index 1541b80e5..000000000
--- a/src/charon/sa/tasks/ike_cert_pre.h
+++ /dev/null
@@ -1,53 +0,0 @@
-/*
- * Copyright (C) 2007-2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup ike_cert_pre ike_cert_pre
- * @{ @ingroup tasks
- */
-
-#ifndef IKE_CERT_PRE_H_
-#define IKE_CERT_PRE_H_
-
-typedef struct ike_cert_pre_t ike_cert_pre_t;
-
-#include <library.h>
-#include <sa/ike_sa.h>
-#include <sa/tasks/task.h>
-
-/**
- * Task of type ike_cert_post, certificate processing before authentication.
- */
-struct ike_cert_pre_t {
-
-	/**
-	 * Implements the task_t interface
-	 */
-	task_t task;
-};
-
-/**
- * Create a new ike_cert_pre task.
- *
- * The initiator parameter means the original initiator, not the initiator
- * of the certificate request.
- *
- * @param ike_sa		IKE_SA this task works for
- * @param initiator		TRUE if thask is the original initator
- * @return				ike_cert_pre task to handle by the task_manager
- */
-ike_cert_pre_t *ike_cert_pre_create(ike_sa_t *ike_sa, bool initiator);
-
-#endif /** IKE_CERT_PRE_H_ @}*/
diff --git a/src/charon/sa/tasks/ike_config.c b/src/charon/sa/tasks/ike_config.c
deleted file mode 100644
index f010439fe..000000000
--- a/src/charon/sa/tasks/ike_config.c
+++ /dev/null
@@ -1,479 +0,0 @@
-/*
- * Copyright (C) 2007 Martin Willi
- * Copyright (C) 2006-2007 Fabian Hartmann, Noah Heusser
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "ike_config.h"
-
-#include <daemon.h>
-#include <encoding/payloads/cp_payload.h>
-
-typedef struct private_ike_config_t private_ike_config_t;
-
-/**
- * Private members of a ike_config_t task.
- */
-struct private_ike_config_t {
-
-	/**
-	 * Public methods and task_t interface.
-	 */
-	ike_config_t public;
-
-	/**
-	 * Assigned IKE_SA.
-	 */
-	ike_sa_t *ike_sa;
-
-	/**
-	 * Are we the initiator?
-	 */
-	bool initiator;
-
-	/**
-	 * virtual ip
-	 */
-	host_t *virtual_ip;
-
-	/**
-	 * list of attributes requested and its handler, entry_t
-	 */
-	linked_list_t *requested;
-};
-
-/**
- * Entry for a requested attribute and the requesting handler
- */
-typedef struct {
-	/** attribute requested */
-	configuration_attribute_type_t type;
-	/** handler requesting this attribute */
-	attribute_handler_t *handler;
-} entry_t;
-
-/**
- * build INTERNAL_IPV4/6_ADDRESS attribute from virtual ip
- */
-static configuration_attribute_t *build_vip(host_t *vip)
-{
-	configuration_attribute_type_t type;
-	chunk_t chunk, prefix;
-
-	if (vip->get_family(vip) == AF_INET)
-	{
-		type = INTERNAL_IP4_ADDRESS;
-		if (vip->is_anyaddr(vip))
-		{
-			chunk = chunk_empty;
-		}
-		else
-		{
-			chunk = vip->get_address(vip);
-		}
-	}
-	else
-	{
-		type = INTERNAL_IP6_ADDRESS;
-		if (vip->is_anyaddr(vip))
-		{
-			chunk = chunk_empty;
-		}
-		else
-		{
-			prefix = chunk_alloca(1);
-			*prefix.ptr = 64;
-			chunk = vip->get_address(vip);
-			chunk = chunk_cata("cc", chunk, prefix);
-		}
-	}
-	return configuration_attribute_create_value(type, chunk);
-}
-
-/**
- * Handle a received attribute as initiator
- */
-static void handle_attribute(private_ike_config_t *this,
-							 configuration_attribute_t *ca)
-{
-	attribute_handler_t *handler = NULL;
-	enumerator_t *enumerator;
-	entry_t *entry;
-
-	/* find the handler which requested this attribute */
-	enumerator = this->requested->create_enumerator(this->requested);
-	while (enumerator->enumerate(enumerator, &entry))
-	{
-		if (entry->type == ca->get_type(ca))
-		{
-			handler = entry->handler;
-			this->requested->remove_at(this->requested, enumerator);
-			free(entry);
-			break;
-		}
-	}
-	enumerator->destroy(enumerator);
-
-	/* and pass it to the handle function */
-	handler = lib->attributes->handle(lib->attributes,
-							this->ike_sa->get_other_id(this->ike_sa), handler,
-							ca->get_type(ca), ca->get_value(ca));
-	if (handler)
-	{
-		this->ike_sa->add_configuration_attribute(this->ike_sa,
-				handler, ca->get_type(ca), ca->get_value(ca));
-	}
-}
-
-/**
- * process a single configuration attribute
- */
-static void process_attribute(private_ike_config_t *this,
-							  configuration_attribute_t *ca)
-{
-	host_t *ip;
-	chunk_t addr;
-	int family = AF_INET6;
-
-	switch (ca->get_type(ca))
-	{
-		case INTERNAL_IP4_ADDRESS:
-			family = AF_INET;
-			/* fall */
-		case INTERNAL_IP6_ADDRESS:
-		{
-			addr = ca->get_value(ca);
-			if (addr.len == 0)
-			{
-				ip = host_create_any(family);
-			}
-			else
-			{
-				/* skip prefix byte in IPv6 payload*/
-				if (family == AF_INET6)
-				{
-					addr.len--;
-				}
-				ip = host_create_from_chunk(family, addr, 0);
-			}
-			if (ip)
-			{
-				DESTROY_IF(this->virtual_ip);
-				this->virtual_ip = ip;
-			}
-			break;
-		}
-		default:
-		{
-			if (this->initiator)
-			{
-				handle_attribute(this, ca);
-			}
-		}
-	}
-}
-
-/**
- * Scan for configuration payloads and attributes
- */
-static void process_payloads(private_ike_config_t *this, message_t *message)
-{
-	enumerator_t *enumerator, *attributes;
-	payload_t *payload;
-
-	enumerator = message->create_payload_enumerator(message);
-	while (enumerator->enumerate(enumerator, &payload))
-	{
-		if (payload->get_type(payload) == CONFIGURATION)
-		{
-			cp_payload_t *cp = (cp_payload_t*)payload;
-			configuration_attribute_t *ca;
-
-			switch (cp->get_type(cp))
-			{
-				case CFG_REQUEST:
-				case CFG_REPLY:
-				{
-					attributes = cp->create_attribute_enumerator(cp);
-					while (attributes->enumerate(attributes, &ca))
-					{
-						DBG2(DBG_IKE, "processing %N attribute",
-							 configuration_attribute_type_names, ca->get_type(ca));
-						process_attribute(this, ca);
-					}
-					attributes->destroy(attributes);
-					break;
-				}
-				default:
-					DBG1(DBG_IKE, "ignoring %N config payload",
-						 config_type_names, cp->get_type(cp));
-					break;
-			}
-		}
-	}
-	enumerator->destroy(enumerator);
-}
-
-/**
- * Implementation of task_t.process for initiator
- */
-static status_t build_i(private_ike_config_t *this, message_t *message)
-{
-	if (message->get_message_id(message) == 1)
-	{	/* in first IKE_AUTH only */
-		cp_payload_t *cp = NULL;
-		enumerator_t *enumerator;
-		attribute_handler_t *handler;
-		peer_cfg_t *config;
-		configuration_attribute_type_t type;
-		chunk_t data;
-		host_t *vip;
-
-		/* reuse virtual IP if we already have one */
-		vip = this->ike_sa->get_virtual_ip(this->ike_sa, TRUE);
-		if (!vip)
-		{
-			config = this->ike_sa->get_peer_cfg(this->ike_sa);
-			vip = config->get_virtual_ip(config);
-		}
-		if (vip)
-		{
-			cp = cp_payload_create_type(CFG_REQUEST);
-			cp->add_attribute(cp, build_vip(vip));
-		}
-
-		enumerator = lib->attributes->create_initiator_enumerator(lib->attributes,
-								this->ike_sa->get_other_id(this->ike_sa), vip);
-		while (enumerator->enumerate(enumerator, &handler, &type, &data))
-		{
-			configuration_attribute_t *ca;
-			entry_t *entry;
-
-			/* create configuration attribute */
-			DBG2(DBG_IKE, "building %N attribute",
-				 configuration_attribute_type_names, type);
-			ca = configuration_attribute_create_value(type, data);
-			if (!cp)
-			{
-				cp = cp_payload_create_type(CFG_REQUEST);
-			}
-			cp->add_attribute(cp, ca);
-
-			/* save handler along with requested type */
-			entry = malloc_thing(entry_t);
-			entry->type = type;
-			entry->handler = handler;
-
-			this->requested->insert_last(this->requested, entry);
-		}
-		enumerator->destroy(enumerator);
-
-		if (cp)
-		{
-			message->add_payload(message, (payload_t*)cp);
-		}
-	}
-	return NEED_MORE;
-}
-
-/**
- * Implementation of task_t.process for responder
- */
-static status_t process_r(private_ike_config_t *this, message_t *message)
-{
-	if (message->get_message_id(message) == 1)
-	{	/* in first IKE_AUTH only */
-		process_payloads(this, message);
-	}
-	return NEED_MORE;
-}
-
-/**
- * Find a peer (EAP) identity to query provider for attributes
- */
-static identification_t *get_peer_identity(private_ike_config_t *this)
-{
-	identification_t *id = NULL, *current;
-	enumerator_t *enumerator;
-	auth_cfg_t *cfg;
-
-	enumerator = this->ike_sa->create_auth_cfg_enumerator(this->ike_sa, FALSE);
-	while (enumerator->enumerate(enumerator, &cfg))
-	{
-		/* prefer EAP-Identity of last round */
-		current = cfg->get(cfg, AUTH_RULE_EAP_IDENTITY);
-		if (!current || current->get_type(current) == ID_ANY)
-		{
-			current = cfg->get(cfg, AUTH_RULE_IDENTITY);
-		}
-		if (current && current->get_type(current) != ID_ANY)
-		{
-			id = current;
-			continue;
-		}
-	}
-	enumerator->destroy(enumerator);
-	if (!id)
-	{	/* fallback, should not happen */
-		id = this->ike_sa->get_other_id(this->ike_sa);
-	}
-	return id;
-}
-
-/**
- * Implementation of task_t.build for responder
- */
-static status_t build_r(private_ike_config_t *this, message_t *message)
-{
-	if (this->ike_sa->get_state(this->ike_sa) == IKE_ESTABLISHED)
-	{	/* in last IKE_AUTH exchange */
-		enumerator_t *enumerator;
-		configuration_attribute_type_t type;
-		chunk_t value;
-		host_t *vip = NULL;
-		cp_payload_t *cp = NULL;
-		peer_cfg_t *config;
-		identification_t *id;
-
-		id = get_peer_identity(this);
-
-		config = this->ike_sa->get_peer_cfg(this->ike_sa);
-		if (config && this->virtual_ip)
-		{
-			DBG1(DBG_IKE, "peer requested virtual IP %H", this->virtual_ip);
-			if (config->get_pool(config))
-			{
-				vip = lib->attributes->acquire_address(lib->attributes,
-							config->get_pool(config), id, this->virtual_ip);
-			}
-			if (vip == NULL)
-			{
-				DBG1(DBG_IKE, "no virtual IP found, sending %N",
-					 notify_type_names, INTERNAL_ADDRESS_FAILURE);
-				message->add_notify(message, FALSE, INTERNAL_ADDRESS_FAILURE,
-									chunk_empty);
-				return SUCCESS;
-			}
-			DBG1(DBG_IKE, "assigning virtual IP %H to peer", vip);
-			this->ike_sa->set_virtual_ip(this->ike_sa, FALSE, vip);
-
-			cp = cp_payload_create_type(CFG_REPLY);
-			cp->add_attribute(cp, build_vip(vip));
-		}
-
-		/* query registered providers for additional attributes to include */
-		enumerator = lib->attributes->create_responder_enumerator(
-													lib->attributes, id, vip);
-		while (enumerator->enumerate(enumerator, &type, &value))
-		{
-			if (!cp)
-			{
-				cp = cp_payload_create_type(CFG_REPLY);
-			}
-			DBG2(DBG_IKE, "building %N attribute",
-				 configuration_attribute_type_names, type);
-			cp->add_attribute(cp,
-						configuration_attribute_create_value(type, value));
-		}
-		enumerator->destroy(enumerator);
-
-		if (cp)
-		{
-			message->add_payload(message, (payload_t*)cp);
-		}
-		DESTROY_IF(vip);
-		return SUCCESS;
-	}
-	return NEED_MORE;
-}
-
-/**
- * Implementation of task_t.process for initiator
- */
-static status_t process_i(private_ike_config_t *this, message_t *message)
-{
-	if (this->ike_sa->get_state(this->ike_sa) == IKE_ESTABLISHED)
-	{	/* in last IKE_AUTH exchange */
-
-		process_payloads(this, message);
-
-		if (this->virtual_ip)
-		{
-			this->ike_sa->set_virtual_ip(this->ike_sa, TRUE, this->virtual_ip);
-		}
-		return SUCCESS;
-	}
-	return NEED_MORE;
-}
-
-/**
- * Implementation of task_t.get_type
- */
-static task_type_t get_type(private_ike_config_t *this)
-{
-	return IKE_CONFIG;
-}
-
-/**
- * Implementation of task_t.migrate
- */
-static void migrate(private_ike_config_t *this, ike_sa_t *ike_sa)
-{
-	DESTROY_IF(this->virtual_ip);
-
-	this->ike_sa = ike_sa;
-	this->virtual_ip = NULL;
-	this->requested->destroy_function(this->requested, free);
-	this->requested = linked_list_create();
-}
-
-/**
- * Implementation of task_t.destroy
- */
-static void destroy(private_ike_config_t *this)
-{
-	DESTROY_IF(this->virtual_ip);
-	this->requested->destroy_function(this->requested, free);
-	free(this);
-}
-
-/*
- * Described in header.
- */
-ike_config_t *ike_config_create(ike_sa_t *ike_sa, bool initiator)
-{
-	private_ike_config_t *this = malloc_thing(private_ike_config_t);
-
-	this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
-	this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
-	this->public.task.destroy = (void(*)(task_t*))destroy;
-
-	this->initiator = initiator;
-	this->ike_sa = ike_sa;
-	this->virtual_ip = NULL;
-	this->requested = linked_list_create();
-
-	if (initiator)
-	{
-		this->public.task.build = (status_t(*)(task_t*,message_t*))build_i;
-		this->public.task.process = (status_t(*)(task_t*,message_t*))process_i;
-	}
-	else
-	{
-		this->public.task.build = (status_t(*)(task_t*,message_t*))build_r;
-		this->public.task.process = (status_t(*)(task_t*,message_t*))process_r;
-	}
-
-	return &this->public;
-}
-
diff --git a/src/charon/sa/tasks/ike_config.h b/src/charon/sa/tasks/ike_config.h
deleted file mode 100644
index 8cef08697..000000000
--- a/src/charon/sa/tasks/ike_config.h
+++ /dev/null
@@ -1,51 +0,0 @@
-/*
- * Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup ike_config ike_config
- * @{ @ingroup tasks
- */
-
-#ifndef IKE_CONFIG_H_
-#define IKE_CONFIG_H_
-
-typedef struct ike_config_t ike_config_t;
-
-#include <library.h>
-#include <sa/ike_sa.h>
-#include <sa/tasks/task.h>
-
-/**
- * Task of type IKE_CONFIG, sets up a virtual IP and other
- * configurations for an IKE_SA.
- */
-struct ike_config_t {
-
-	/**
-	 * Implements the task_t interface
-	 */
-	task_t task;
-};
-
-/**
- * Create a new ike_config task.
- *
- * @param ike_sa		IKE_SA this task works for
- * @param initiator		TRUE for initiator
- * @return				ike_config task to handle by the task_manager
- */
-ike_config_t *ike_config_create(ike_sa_t *ike_sa, bool initiator);
-
-#endif /** IKE_CONFIG_H_ @}*/
diff --git a/src/charon/sa/tasks/ike_delete.c b/src/charon/sa/tasks/ike_delete.c
deleted file mode 100644
index 130948836..000000000
--- a/src/charon/sa/tasks/ike_delete.c
+++ /dev/null
@@ -1,210 +0,0 @@
-/*
- * Copyright (C) 2006-2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "ike_delete.h"
-
-#include <daemon.h>
-#include <encoding/payloads/delete_payload.h>
-
-
-typedef struct private_ike_delete_t private_ike_delete_t;
-
-/**
- * Private members of a ike_delete_t task.
- */
-struct private_ike_delete_t {
-
-	/**
-	 * Public methods and task_t interface.
-	 */
-	ike_delete_t public;
-
-	/**
-	 * Assigned IKE_SA.
-	 */
-	ike_sa_t *ike_sa;
-
-	/**
-	 * Are we the initiator?
-	 */
-	bool initiator;
-
-	/**
-	 * are we deleting a rekeyed SA?
-	 */
-	bool rekeyed;
-
-	/**
-	 * are we responding to a delete, but have initated our own?
-	 */
-	bool simultaneous;
-};
-
-/**
- * Implementation of task_t.build for initiator
- */
-static status_t build_i(private_ike_delete_t *this, message_t *message)
-{
-	delete_payload_t *delete_payload;
-
-	DBG0(DBG_IKE, "deleting IKE_SA %s[%d] between %H[%Y]...%H[%Y]",
-		 this->ike_sa->get_name(this->ike_sa),
-		 this->ike_sa->get_unique_id(this->ike_sa),
-		 this->ike_sa->get_my_host(this->ike_sa),
-		 this->ike_sa->get_my_id(this->ike_sa),
-		 this->ike_sa->get_other_host(this->ike_sa),
-		 this->ike_sa->get_other_id(this->ike_sa));
-
-	delete_payload = delete_payload_create(PROTO_IKE);
-	message->add_payload(message, (payload_t*)delete_payload);
-
-	if (this->ike_sa->get_state(this->ike_sa) == IKE_REKEYING)
-	{
-		this->rekeyed = TRUE;
-	}
-	this->ike_sa->set_state(this->ike_sa, IKE_DELETING);
-
-	DBG1(DBG_IKE, "sending DELETE for IKE_SA %s[%d]",
-		 this->ike_sa->get_name(this->ike_sa),
-		 this->ike_sa->get_unique_id(this->ike_sa));
-
-	return NEED_MORE;
-}
-
-/**
- * Implementation of task_t.process for initiator
- */
-static status_t process_i(private_ike_delete_t *this, message_t *message)
-{
-	DBG0(DBG_IKE, "IKE_SA deleted");
-	if (!this->rekeyed)
-	{	/* invoke ike_down() hook if SA has not been rekeyed */
-		charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
-	}
-	/* completed, delete IKE_SA by returning DESTROY_ME */
-	return DESTROY_ME;
-}
-
-/**
- * Implementation of task_t.process for responder
- */
-static status_t process_r(private_ike_delete_t *this, message_t *message)
-{
-	/* we don't even scan the payloads, as the message wouldn't have
-	 * come so far without being correct */
-	DBG1(DBG_IKE, "received DELETE for IKE_SA %s[%d]",
-		 this->ike_sa->get_name(this->ike_sa),
-		 this->ike_sa->get_unique_id(this->ike_sa));
-	DBG0(DBG_IKE, "deleting IKE_SA %s[%d] between %H[%Y]...%H[%Y]",
-		 this->ike_sa->get_name(this->ike_sa),
-		 this->ike_sa->get_unique_id(this->ike_sa),
-		 this->ike_sa->get_my_host(this->ike_sa),
-		 this->ike_sa->get_my_id(this->ike_sa),
-		 this->ike_sa->get_other_host(this->ike_sa),
-		 this->ike_sa->get_other_id(this->ike_sa));
-
-	switch (this->ike_sa->get_state(this->ike_sa))
-	{
-		case IKE_ESTABLISHED:
-			this->ike_sa->set_state(this->ike_sa, IKE_DELETING);
-			this->ike_sa->reestablish(this->ike_sa);
-			return NEED_MORE;
-		case IKE_REKEYING:
-			this->rekeyed = TRUE;
-			break;
-		case IKE_DELETING:
-			this->simultaneous = TRUE;
-			break;
-		default:
-			break;
-	}
-	this->ike_sa->set_state(this->ike_sa, IKE_DELETING);
-	return NEED_MORE;
-}
-
-/**
- * Implementation of task_t.build for responder
- */
-static status_t build_r(private_ike_delete_t *this, message_t *message)
-{
-	DBG0(DBG_IKE, "IKE_SA deleted");
-
-	if (this->simultaneous)
-	{
-		/* wait for peer's response for our delete request, but set a timeout */
-		return SUCCESS;
-	}
-	if (!this->rekeyed)
-	{	/* invoke ike_down() hook if SA has not been rekeyed */
-		charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
-	}
-	/* completed, delete IKE_SA by returning DESTROY_ME */
-	return DESTROY_ME;
-}
-
-/**
- * Implementation of task_t.get_type
- */
-static task_type_t get_type(private_ike_delete_t *this)
-{
-	return IKE_DELETE;
-}
-
-/**
- * Implementation of task_t.migrate
- */
-static void migrate(private_ike_delete_t *this, ike_sa_t *ike_sa)
-{
-	this->ike_sa = ike_sa;
-	this->simultaneous = FALSE;
-}
-
-/**
- * Implementation of task_t.destroy
- */
-static void destroy(private_ike_delete_t *this)
-{
-	free(this);
-}
-
-/*
- * Described in header.
- */
-ike_delete_t *ike_delete_create(ike_sa_t *ike_sa, bool initiator)
-{
-	private_ike_delete_t *this = malloc_thing(private_ike_delete_t);
-
-	this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
-	this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
-	this->public.task.destroy = (void(*)(task_t*))destroy;
-
-	if (initiator)
-	{
-		this->public.task.build = (status_t(*)(task_t*,message_t*))build_i;
-		this->public.task.process = (status_t(*)(task_t*,message_t*))process_i;
-	}
-	else
-	{
-		this->public.task.build = (status_t(*)(task_t*,message_t*))build_r;
-		this->public.task.process = (status_t(*)(task_t*,message_t*))process_r;
-	}
-
-	this->ike_sa = ike_sa;
-	this->initiator = initiator;
-	this->rekeyed = FALSE;
-	this->simultaneous = FALSE;
-
-	return &this->public;
-}
diff --git a/src/charon/sa/tasks/ike_delete.h b/src/charon/sa/tasks/ike_delete.h
deleted file mode 100644
index 82782f393..000000000
--- a/src/charon/sa/tasks/ike_delete.h
+++ /dev/null
@@ -1,50 +0,0 @@
-/*
- * Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup ike_delete ike_delete
- * @{ @ingroup tasks
- */
-
-#ifndef IKE_DELETE_H_
-#define IKE_DELETE_H_
-
-typedef struct ike_delete_t ike_delete_t;
-
-#include <library.h>
-#include <sa/ike_sa.h>
-#include <sa/tasks/task.h>
-
-/**
- * Task of type ike_delete, delete an IKE_SA.
- */
-struct ike_delete_t {
-
-	/**
-	 * Implements the task_t interface
-	 */
-	task_t task;
-};
-
-/**
- * Create a new ike_delete task.
- *
- * @param ike_sa		IKE_SA this task works for
- * @param initiator		TRUE if we initiate the delete
- * @return				ike_delete task to handle by the task_manager
- */
-ike_delete_t *ike_delete_create(ike_sa_t *ike_sa, bool initiator);
-
-#endif /** IKE_DELETE_H_ @}*/
diff --git a/src/charon/sa/tasks/ike_dpd.c b/src/charon/sa/tasks/ike_dpd.c
deleted file mode 100644
index 4c6ba7662..000000000
--- a/src/charon/sa/tasks/ike_dpd.c
+++ /dev/null
@@ -1,99 +0,0 @@
-/*
- * Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "ike_dpd.h"
-
-#include <daemon.h>
-
-
-typedef struct private_ike_dpd_t private_ike_dpd_t;
-
-/**
- * Private members of a ike_dpd_t task.
- */
-struct private_ike_dpd_t {
-
-	/**
-	 * Public methods and task_t interface.
-	 */
-	ike_dpd_t public;
-};
-
-/**
- * Implementation of task_t.build for initiator
- * Implementation of task_t.process for responder
- */
-static status_t return_need_more(private_ike_dpd_t *this, message_t *message)
-{
-	return NEED_MORE;
-}
-
-/**
- * Implementation of task_t.process for initiator
- * Implementation of task_t.build for responder
- */
-static status_t return_success(private_ike_dpd_t *this, message_t *message)
-{
-	return SUCCESS;
-}
-
-/**
- * Implementation of task_t.get_type
- */
-static task_type_t get_type(private_ike_dpd_t *this)
-{
-	return IKE_DPD;
-}
-
-/**
- * Implementation of task_t.migrate
- */
-static void migrate(private_ike_dpd_t *this, ike_sa_t *ike_sa)
-{
-
-}
-
-/**
- * Implementation of task_t.destroy
- */
-static void destroy(private_ike_dpd_t *this)
-{
-	free(this);
-}
-
-/*
- * Described in header.
- */
-ike_dpd_t *ike_dpd_create(bool initiator)
-{
-	private_ike_dpd_t *this = malloc_thing(private_ike_dpd_t);
-
-	this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
-	this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
-	this->public.task.destroy = (void(*)(task_t*))destroy;
-
-	if (initiator)
-	{
-		this->public.task.build = (status_t(*)(task_t*,message_t*))return_need_more;
-		this->public.task.process = (status_t(*)(task_t*,message_t*))return_success;
-	}
-	else
-	{
-		this->public.task.build = (status_t(*)(task_t*,message_t*))return_success;
-		this->public.task.process = (status_t(*)(task_t*,message_t*))return_need_more;
-	}
-
-	return &this->public;
-}
diff --git a/src/charon/sa/tasks/ike_dpd.h b/src/charon/sa/tasks/ike_dpd.h
deleted file mode 100644
index 36388d15b..000000000
--- a/src/charon/sa/tasks/ike_dpd.h
+++ /dev/null
@@ -1,51 +0,0 @@
-/*
- * Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup ike_dpd ike_dpd
- * @{ @ingroup tasks
- */
-
-#ifndef IKE_DPD_H_
-#define IKE_DPD_H_
-
-typedef struct ike_dpd_t ike_dpd_t;
-
-#include <library.h>
-#include <sa/ike_sa.h>
-#include <sa/tasks/task.h>
-
-/**
- * Task of type ike_dpd, detects dead peers.
- *
- * The DPD task actually does nothing, as a DPD has no associated payloads.
- */
-struct ike_dpd_t {
-
-	/**
-	 * Implements the task_t interface
-	 */
-	task_t task;
-};
-
-/**
- * Create a new ike_dpd task.
- *
- * @param initiator		TRUE if thask is the original initator
- * @return				ike_dpd task to handle by the task_manager
- */
-ike_dpd_t *ike_dpd_create(bool initiator);
-
-#endif /** IKE_DPD_H_ @}*/
diff --git a/src/charon/sa/tasks/ike_init.c b/src/charon/sa/tasks/ike_init.c
deleted file mode 100644
index 5eb33b540..000000000
--- a/src/charon/sa/tasks/ike_init.c
+++ /dev/null
@@ -1,600 +0,0 @@
-/*
- * Copyright (C) 2008-2009 Tobias Brunner
- * Copyright (C) 2005-2008 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "ike_init.h"
-
-#include <string.h>
-
-#include <daemon.h>
-#include <crypto/diffie_hellman.h>
-#include <encoding/payloads/sa_payload.h>
-#include <encoding/payloads/ke_payload.h>
-#include <encoding/payloads/nonce_payload.h>
-
-/** maximum retries to do with cookies/other dh groups */
-#define MAX_RETRIES 5
-
-typedef struct private_ike_init_t private_ike_init_t;
-
-/**
- * Private members of a ike_init_t task.
- */
-struct private_ike_init_t {
-
-	/**
-	 * Public methods and task_t interface.
-	 */
-	ike_init_t public;
-
-	/**
-	 * Assigned IKE_SA.
-	 */
-	ike_sa_t *ike_sa;
-
-	/**
-	 * Are we the initiator?
-	 */
-	bool initiator;
-
-	/**
-	 * IKE config to establish
-	 */
-	ike_cfg_t *config;
-
-	/**
-	 * diffie hellman group to use
-	 */
-	diffie_hellman_group_t dh_group;
-
-	/**
-	 * diffie hellman key exchange
-	 */
-	diffie_hellman_t *dh;
-
-	/**
-	 * Keymat derivation (from IKE_SA)
-	 */
-	keymat_t *keymat;
-
-	/**
-	 * nonce chosen by us
-	 */
-	chunk_t my_nonce;
-
-	/**
-	 * nonce chosen by peer
-	 */
-	chunk_t other_nonce;
-
-	/**
-	 * Negotiated proposal used for IKE_SA
-	 */
-	proposal_t *proposal;
-
-	/**
-	 * Old IKE_SA which gets rekeyed
-	 */
-	ike_sa_t *old_sa;
-
-	/**
-	 * cookie received from responder
-	 */
-	chunk_t cookie;
-
-	/**
-	 * retries done so far after failure (cookie or bad dh group)
-	 */
-	u_int retry;
-};
-
-/**
- * build the payloads for the message
- */
-static void build_payloads(private_ike_init_t *this, message_t *message)
-{
-	sa_payload_t *sa_payload;
-	ke_payload_t *ke_payload;
-	nonce_payload_t *nonce_payload;
-	linked_list_t *proposal_list;
-	ike_sa_id_t *id;
-	proposal_t *proposal;
-	iterator_t *iterator;
-
-	id = this->ike_sa->get_id(this->ike_sa);
-
-	this->config = this->ike_sa->get_ike_cfg(this->ike_sa);
-
-	if (this->initiator)
-	{
-		proposal_list = this->config->get_proposals(this->config);
-		if (this->old_sa)
-		{
-			/* include SPI of new IKE_SA when we are rekeying */
-			iterator = proposal_list->create_iterator(proposal_list, TRUE);
-			while (iterator->iterate(iterator, (void**)&proposal))
-			{
-				proposal->set_spi(proposal, id->get_initiator_spi(id));
-			}
-			iterator->destroy(iterator);
-		}
-
-		sa_payload = sa_payload_create_from_proposal_list(proposal_list);
-		proposal_list->destroy_offset(proposal_list, offsetof(proposal_t, destroy));
-	}
-	else
-	{
-		if (this->old_sa)
-		{
-			/* include SPI of new IKE_SA when we are rekeying */
-			this->proposal->set_spi(this->proposal, id->get_responder_spi(id));
-		}
-		sa_payload = sa_payload_create_from_proposal(this->proposal);
-	}
-	message->add_payload(message, (payload_t*)sa_payload);
-
-	nonce_payload = nonce_payload_create();
-	nonce_payload->set_nonce(nonce_payload, this->my_nonce);
-	ke_payload = ke_payload_create_from_diffie_hellman(this->dh);
-
-	if (this->old_sa)
-	{	/* payload order differs if we are rekeying */
-		message->add_payload(message, (payload_t*)nonce_payload);
-		message->add_payload(message, (payload_t*)ke_payload);
-	}
-	else
-	{
-		message->add_payload(message, (payload_t*)ke_payload);
-		message->add_payload(message, (payload_t*)nonce_payload);
-	}
-}
-
-/**
- * Read payloads from message
- */
-static void process_payloads(private_ike_init_t *this, message_t *message)
-{
-	enumerator_t *enumerator;
-	payload_t *payload;
-
-	enumerator = message->create_payload_enumerator(message);
-	while (enumerator->enumerate(enumerator, &payload))
-	{
-		switch (payload->get_type(payload))
-		{
-			case SECURITY_ASSOCIATION:
-			{
-				sa_payload_t *sa_payload = (sa_payload_t*)payload;
-				linked_list_t *proposal_list;
-				bool private;
-
-				proposal_list = sa_payload->get_proposals(sa_payload);
-				private = this->ike_sa->supports_extension(this->ike_sa,
-														   EXT_STRONGSWAN);
-				this->proposal = this->config->select_proposal(this->config,
-														proposal_list, private);
-				proposal_list->destroy_offset(proposal_list,
-											  offsetof(proposal_t, destroy));
-				break;
-			}
-			case KEY_EXCHANGE:
-			{
-				ke_payload_t *ke_payload = (ke_payload_t*)payload;
-
-				this->dh_group = ke_payload->get_dh_group_number(ke_payload);
-				if (!this->initiator)
-				{
-					this->dh = this->keymat->create_dh(this->keymat,
-													   this->dh_group);
-				}
-				if (this->dh)
-				{
-					this->dh->set_other_public_value(this->dh,
-								ke_payload->get_key_exchange_data(ke_payload));
-				}
-				break;
-			}
-			case NONCE:
-			{
-				nonce_payload_t *nonce_payload = (nonce_payload_t*)payload;
-
-				this->other_nonce = nonce_payload->get_nonce(nonce_payload);
-				break;
-			}
-			default:
-				break;
-		}
-	}
-	enumerator->destroy(enumerator);
-}
-
-/**
- * Implementation of task_t.process for initiator
- */
-static status_t build_i(private_ike_init_t *this, message_t *message)
-{
-	rng_t *rng;
-
-	this->config = this->ike_sa->get_ike_cfg(this->ike_sa);
-	DBG0(DBG_IKE, "initiating IKE_SA %s[%d] to %H",
-		 this->ike_sa->get_name(this->ike_sa),
-		 this->ike_sa->get_unique_id(this->ike_sa),
-		 this->ike_sa->get_other_host(this->ike_sa));
-	this->ike_sa->set_state(this->ike_sa, IKE_CONNECTING);
-
-	if (this->retry >= MAX_RETRIES)
-	{
-		DBG1(DBG_IKE, "giving up after %d retries", MAX_RETRIES);
-		return FAILED;
-	}
-
-	/* if the DH group is set via use_dh_group(), we already have a DH object */
-	if (!this->dh)
-	{
-		this->dh_group = this->config->get_dh_group(this->config);
-		this->dh = this->keymat->create_dh(this->keymat, this->dh_group);
-		if (!this->dh)
-		{
-			DBG1(DBG_IKE, "configured DH group %N not supported",
-				diffie_hellman_group_names, this->dh_group);
-			return FAILED;
-		}
-	}
-
-	/* generate nonce only when we are trying the first time */
-	if (this->my_nonce.ptr == NULL)
-	{
-		rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
-		if (!rng)
-		{
-			DBG1(DBG_IKE, "error generating nonce");
-			return FAILED;
-		}
-		rng->allocate_bytes(rng, NONCE_SIZE, &this->my_nonce);
-		rng->destroy(rng);
-	}
-
-	if (this->cookie.ptr)
-	{
-		message->add_notify(message, FALSE, COOKIE, this->cookie);
-	}
-
-	build_payloads(this, message);
-
-#ifdef ME
-	{
-		chunk_t connect_id = this->ike_sa->get_connect_id(this->ike_sa);
-		if (connect_id.ptr)
-		{
-			message->add_notify(message, FALSE, ME_CONNECTID, connect_id);
-		}
-	}
-#endif /* ME */
-
-	return NEED_MORE;
-}
-
-/**
- * Implementation of task_t.process for responder
- */
-static status_t process_r(private_ike_init_t *this, message_t *message)
-{
-	rng_t *rng;
-
-	this->config = this->ike_sa->get_ike_cfg(this->ike_sa);
-	DBG0(DBG_IKE, "%H is initiating an IKE_SA", message->get_source(message));
-	this->ike_sa->set_state(this->ike_sa, IKE_CONNECTING);
-
-	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
-	if (!rng)
-	{
-		DBG1(DBG_IKE, "error generating nonce");
-		return FAILED;
-	}
-	rng->allocate_bytes(rng, NONCE_SIZE, &this->my_nonce);
-	rng->destroy(rng);
-
-#ifdef ME
-	{
-		notify_payload_t *notify = message->get_notify(message, ME_CONNECTID);
-		if (notify)
-		{
-			chunk_t connect_id = notify->get_notification_data(notify);
-			DBG2(DBG_IKE, "received ME_CONNECTID %#B", &connect_id);
-			charon->connect_manager->stop_checks(charon->connect_manager,
-												 connect_id);
-		}
-	}
-#endif /* ME */
-
-	process_payloads(this, message);
-
-	return NEED_MORE;
-}
-
-/**
- * Derive the keymat for the IKE_SA
- */
-static bool derive_keys(private_ike_init_t *this,
-						chunk_t nonce_i, chunk_t nonce_r)
-{
-	keymat_t *old_keymat;
-	pseudo_random_function_t prf_alg = PRF_UNDEFINED;
-	chunk_t skd = chunk_empty;
-	ike_sa_id_t *id;
-
-	id = this->ike_sa->get_id(this->ike_sa);
-	if (this->old_sa)
-	{
-		/* rekeying: Include old SKd, use old PRF, apply SPI */
-		old_keymat = this->old_sa->get_keymat(this->old_sa);
-		prf_alg = old_keymat->get_skd(old_keymat, &skd);
-		if (this->initiator)
-		{
-			id->set_responder_spi(id, this->proposal->get_spi(this->proposal));
-		}
-		else
-		{
-			id->set_initiator_spi(id, this->proposal->get_spi(this->proposal));
-		}
-	}
-	if (!this->keymat->derive_ike_keys(this->keymat, this->proposal, this->dh,
-									   nonce_i, nonce_r, id, prf_alg, skd))
-	{
-		return FALSE;
-	}
-	charon->bus->ike_keys(charon->bus, this->ike_sa, this->dh,
-						  nonce_i, nonce_r, this->old_sa);
-	return TRUE;
-}
-
-/**
- * Implementation of task_t.build for responder
- */
-static status_t build_r(private_ike_init_t *this, message_t *message)
-{
-	/* check if we have everything we need */
-	if (this->proposal == NULL ||
-		this->other_nonce.len == 0 || this->my_nonce.len == 0)
-	{
-		DBG1(DBG_IKE, "received proposals inacceptable");
-		message->add_notify(message, TRUE, NO_PROPOSAL_CHOSEN, chunk_empty);
-		return FAILED;
-	}
-	this->ike_sa->set_proposal(this->ike_sa, this->proposal);
-
-	if (this->dh == NULL ||
-		!this->proposal->has_dh_group(this->proposal, this->dh_group))
-	{
-		u_int16_t group;
-
-		if (this->proposal->get_algorithm(this->proposal, DIFFIE_HELLMAN_GROUP,
-										  &group, NULL))
-		{
-			DBG1(DBG_IKE, "DH group %N inacceptable, requesting %N",
-				 diffie_hellman_group_names, this->dh_group,
-				 diffie_hellman_group_names, group);
-			this->dh_group = group;
-			group = htons(group);
-			message->add_notify(message, FALSE, INVALID_KE_PAYLOAD,
-								chunk_from_thing(group));
-		}
-		else
-		{
-			DBG1(DBG_IKE, "no acceptable proposal found");
-		}
-		return FAILED;
-	}
-
-	if (!derive_keys(this, this->other_nonce, this->my_nonce))
-	{
-		DBG1(DBG_IKE, "key derivation failed");
-		message->add_notify(message, TRUE, NO_PROPOSAL_CHOSEN, chunk_empty);
-		return FAILED;
-	}
-	build_payloads(this, message);
-	return SUCCESS;
-}
-
-/**
- * Implementation of task_t.process for initiator
- */
-static status_t process_i(private_ike_init_t *this, message_t *message)
-{
-	enumerator_t *enumerator;
-	payload_t *payload;
-
-	/* check for erronous notifies */
-	enumerator = message->create_payload_enumerator(message);
-	while (enumerator->enumerate(enumerator, &payload))
-	{
-		if (payload->get_type(payload) == NOTIFY)
-		{
-			notify_payload_t *notify = (notify_payload_t*)payload;
-			notify_type_t type = notify->get_notify_type(notify);
-
-			switch (type)
-			{
-				case INVALID_KE_PAYLOAD:
-				{
-					chunk_t data;
-					diffie_hellman_group_t bad_group;
-
-					bad_group = this->dh_group;
-					data = notify->get_notification_data(notify);
-					this->dh_group = ntohs(*((u_int16_t*)data.ptr));
-					DBG1(DBG_IKE, "peer didn't accept DH group %N, "
-						 "it requested %N", diffie_hellman_group_names,
-						 bad_group, diffie_hellman_group_names, this->dh_group);
-
-					if (this->old_sa == NULL)
-					{	/* reset the IKE_SA if we are not rekeying */
-						this->ike_sa->reset(this->ike_sa);
-					}
-
-					enumerator->destroy(enumerator);
-					this->retry++;
-					return NEED_MORE;
-				}
-				case NAT_DETECTION_SOURCE_IP:
-				case NAT_DETECTION_DESTINATION_IP:
-					/* skip, handled in ike_natd_t */
-					break;
-				case MULTIPLE_AUTH_SUPPORTED:
-					/* handled in ike_auth_t */
-					break;
-				case COOKIE:
-				{
-					chunk_free(&this->cookie);
-					this->cookie = chunk_clone(notify->get_notification_data(notify));
-					this->ike_sa->reset(this->ike_sa);
-					enumerator->destroy(enumerator);
-					DBG2(DBG_IKE, "received %N notify", notify_type_names, type);
-					this->retry++;
-					return NEED_MORE;
-				}
-				default:
-				{
-					if (type < 16383)
-					{
-						DBG1(DBG_IKE, "received %N notify error",
-							 notify_type_names, type);
-						enumerator->destroy(enumerator);
-						return FAILED;
-					}
-					DBG2(DBG_IKE, "received %N notify",
-						notify_type_names, type);
-					break;
-				}
-			}
-		}
-	}
-	enumerator->destroy(enumerator);
-
-	process_payloads(this, message);
-
-	/* check if we have everything */
-	if (this->proposal == NULL ||
-		this->other_nonce.len == 0 || this->my_nonce.len == 0)
-	{
-		DBG1(DBG_IKE, "peers proposal selection invalid");
-		return FAILED;
-	}
-	this->ike_sa->set_proposal(this->ike_sa, this->proposal);
-
-	if (this->dh == NULL ||
-		!this->proposal->has_dh_group(this->proposal, this->dh_group))
-	{
-		DBG1(DBG_IKE, "peer DH group selection invalid");
-		return FAILED;
-	}
-
-	if (!derive_keys(this, this->my_nonce, this->other_nonce))
-	{
-		DBG1(DBG_IKE, "key derivation failed");
-		return FAILED;
-	}
-	return SUCCESS;
-}
-
-/**
- * Implementation of task_t.get_type
- */
-static task_type_t get_type(private_ike_init_t *this)
-{
-	return IKE_INIT;
-}
-
-/**
- * Implementation of task_t.get_type
- */
-static chunk_t get_lower_nonce(private_ike_init_t *this)
-{
-	if (memcmp(this->my_nonce.ptr, this->other_nonce.ptr,
-			   min(this->my_nonce.len, this->other_nonce.len)) < 0)
-	{
-		return this->my_nonce;
-	}
-	else
-	{
-		return this->other_nonce;
-	}
-}
-
-/**
- * Implementation of task_t.migrate
- */
-static void migrate(private_ike_init_t *this, ike_sa_t *ike_sa)
-{
-	DESTROY_IF(this->proposal);
-	chunk_free(&this->other_nonce);
-
-	this->ike_sa = ike_sa;
-	this->proposal = NULL;
-	DESTROY_IF(this->dh);
-	this->dh = this->keymat->create_dh(this->keymat, this->dh_group);
-}
-
-/**
- * Implementation of task_t.destroy
- */
-static void destroy(private_ike_init_t *this)
-{
-	DESTROY_IF(this->dh);
-	DESTROY_IF(this->proposal);
-	chunk_free(&this->my_nonce);
-	chunk_free(&this->other_nonce);
-	chunk_free(&this->cookie);
-	free(this);
-}
-
-/*
- * Described in header.
- */
-ike_init_t *ike_init_create(ike_sa_t *ike_sa, bool initiator, ike_sa_t *old_sa)
-{
-	private_ike_init_t *this = malloc_thing(private_ike_init_t);
-
-	this->public.get_lower_nonce = (chunk_t(*)(ike_init_t*))get_lower_nonce;
-	this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
-	this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
-	this->public.task.destroy = (void(*)(task_t*))destroy;
-	if (initiator)
-	{
-		this->public.task.build = (status_t(*)(task_t*,message_t*))build_i;
-		this->public.task.process = (status_t(*)(task_t*,message_t*))process_i;
-	}
-	else
-	{
-		this->public.task.build = (status_t(*)(task_t*,message_t*))build_r;
-		this->public.task.process = (status_t(*)(task_t*,message_t*))process_r;
-	}
-
-	this->ike_sa = ike_sa;
-	this->initiator = initiator;
-	this->dh_group = MODP_NONE;
-	this->dh = NULL;
-	this->keymat = ike_sa->get_keymat(ike_sa);
-	this->my_nonce = chunk_empty;
-	this->other_nonce = chunk_empty;
-	this->cookie = chunk_empty;
-	this->proposal = NULL;
-	this->config = NULL;
-	this->old_sa = old_sa;
-	this->retry = 0;
-
-	return &this->public;
-}
diff --git a/src/charon/sa/tasks/ike_init.h b/src/charon/sa/tasks/ike_init.h
deleted file mode 100644
index 7bd784cff..000000000
--- a/src/charon/sa/tasks/ike_init.h
+++ /dev/null
@@ -1,60 +0,0 @@
-/*
- * Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup ike_init ike_init
- * @{ @ingroup tasks
- */
-
-#ifndef IKE_INIT_H_
-#define IKE_INIT_H_
-
-typedef struct ike_init_t ike_init_t;
-
-#include <library.h>
-#include <sa/ike_sa.h>
-#include <sa/tasks/task.h>
-
-/**
- * Task of type IKE_INIT, creates an IKE_SA without authentication.
- *
- * The authentication of is handle in the ike_auth task.
- */
-struct ike_init_t {
-
-	/**
-	 * Implements the task_t interface
-	 */
-	task_t task;
-
-	/**
-	 * Get the lower of the two nonces, used for rekey collisions.
-	 *
-	 * @return			lower nonce
-	 */
-	chunk_t (*get_lower_nonce) (ike_init_t *this);
-};
-
-/**
- * Create a new IKE_INIT task.
- *
- * @param ike_sa		IKE_SA this task works for (new one when rekeying)
- * @param initiator		TRUE if thask is the original initator
- * @param old_sa		old IKE_SA when we are rekeying
- * @return				ike_init task to handle by the task_manager
- */
-ike_init_t *ike_init_create(ike_sa_t *ike_sa, bool initiator, ike_sa_t *old_sa);
-
-#endif /** IKE_INIT_H_ @}*/
diff --git a/src/charon/sa/tasks/ike_me.c b/src/charon/sa/tasks/ike_me.c
deleted file mode 100644
index 2d2847ae0..000000000
--- a/src/charon/sa/tasks/ike_me.c
+++ /dev/null
@@ -1,856 +0,0 @@
-/*
- * Copyright (C) 2007-2008 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "ike_me.h"
-
-#include <string.h>
-
-#include <daemon.h>
-#include <config/peer_cfg.h>
-#include <encoding/payloads/id_payload.h>
-#include <encoding/payloads/notify_payload.h>
-#include <encoding/payloads/endpoint_notify.h>
-#include <processing/jobs/mediation_job.h>
-
-#define ME_CONNECTID_LEN 4
-#define ME_CONNECTKEY_LEN 16
-
-typedef struct private_ike_me_t private_ike_me_t;
-
-/**
- * Private members of a ike_me_t task.
- */
-struct private_ike_me_t {
-
-	/**
-	 * Public methods and task_t interface.
-	 */
-	ike_me_t public;
-
-	/**
-	 * Assigned IKE_SA.
-	 */
-	ike_sa_t *ike_sa;
-
-	/**
-	 * Are we the initiator?
-	 */
-	bool initiator;
-
-	/**
-	 * Is this a mediation connection?
-	 */
-	bool mediation;
-
-	/**
-	 * Is this the response from another peer?
-	 */
-	bool response;
-
-	/**
-	 * Gathered endpoints
-	 */
-	linked_list_t *local_endpoints;
-
-	/**
-	 * Parsed endpoints
-	 */
-	linked_list_t *remote_endpoints;
-
-	/**
-	 * Did the peer request a callback?
-	 */
-	bool callback;
-
-	/**
-	 * Did the connect fail?
-	 */
-	bool failed;
-
-	/**
-	 * Was there anything wrong with the payloads?
-	 */
-	bool invalid_syntax;
-
-	/**
-	 * The requested peer
-	 */
-	identification_t *peer_id;
-	/**
-	 * Received ID used for connectivity checks
-	 */
-	chunk_t connect_id;
-
-	/**
-	 * Received key used for connectivity checks
-	 */
-	chunk_t connect_key;
-
-	/**
-	 * Peer config of the mediated connection
-	 */
-	peer_cfg_t *mediated_cfg;
-
-};
-
-/**
- * Adds a list of endpoints as notifies to a given message
- */
-static void add_endpoints_to_message(message_t *message, linked_list_t *endpoints)
-{
-	iterator_t *iterator;
-	endpoint_notify_t *endpoint;
-
-	iterator = endpoints->create_iterator(endpoints, TRUE);
-	while (iterator->iterate(iterator, (void**)&endpoint))
-	{
-		message->add_payload(message, (payload_t*)endpoint->build_notify(endpoint));
-	}
-	iterator->destroy(iterator);
-}
-
-/**
- * Gathers endpoints and adds them to the current message
- */
-static void gather_and_add_endpoints(private_ike_me_t *this, message_t *message)
-{
-	enumerator_t *enumerator;
-	host_t *addr, *host;
-	u_int16_t port;
-
-	/* get the port that is used to communicate with the ms */
-	host = this->ike_sa->get_my_host(this->ike_sa);
-	port = host->get_port(host);
-
-	enumerator = charon->kernel_interface->create_address_enumerator(
-										charon->kernel_interface, FALSE, FALSE);
-	while (enumerator->enumerate(enumerator, (void**)&addr))
-	{
-		host = addr->clone(addr);
-		host->set_port(host, port);
-
-		this->local_endpoints->insert_last(this->local_endpoints,
-				endpoint_notify_create_from_host(HOST, host, NULL));
-
-		host->destroy(host);
-	}
-	enumerator->destroy(enumerator);
-
-	host = this->ike_sa->get_server_reflexive_host(this->ike_sa);
-	if (host)
-	{
-		this->local_endpoints->insert_last(this->local_endpoints,
-				endpoint_notify_create_from_host(SERVER_REFLEXIVE, host,
-						this->ike_sa->get_my_host(this->ike_sa)));
-	}
-
-	add_endpoints_to_message(message, this->local_endpoints);
-}
-
-/**
- * read notifys from message and evaluate them
- */
-static void process_payloads(private_ike_me_t *this, message_t *message)
-{
-	enumerator_t *enumerator;
-	payload_t *payload;
-
-	enumerator = message->create_payload_enumerator(message);
-	while (enumerator->enumerate(enumerator, &payload))
-	{
-		if (payload->get_type(payload) != NOTIFY)
-		{
-			continue;
-		}
-
-		notify_payload_t *notify = (notify_payload_t*)payload;
-
-		switch (notify->get_notify_type(notify))
-		{
-			case ME_CONNECT_FAILED:
-			{
-				DBG2(DBG_IKE, "received ME_CONNECT_FAILED notify");
-				this->failed = TRUE;
-				break;
-			}
-			case ME_MEDIATION:
-			{
-				DBG2(DBG_IKE, "received ME_MEDIATION notify");
-				this->mediation = TRUE;
-				break;
-			}
-			case ME_ENDPOINT:
-			{
-				endpoint_notify_t *endpoint;
-				endpoint = endpoint_notify_create_from_payload(notify);
-				if (!endpoint)
-				{
-					DBG1(DBG_IKE, "received invalid ME_ENDPOINT notify");
-					break;
-				}
-				DBG1(DBG_IKE, "received %N ME_ENDPOINT %#H",
-					 me_endpoint_type_names, endpoint->get_type(endpoint),
-					 endpoint->get_host(endpoint));
-
-				this->remote_endpoints->insert_last(this->remote_endpoints,
-													endpoint);
-				break;
-			}
-			case ME_CALLBACK:
-			{
-				DBG2(DBG_IKE, "received ME_CALLBACK notify");
-				this->callback = TRUE;
-				break;
-			}
-			case ME_CONNECTID:
-			{
-				chunk_free(&this->connect_id);
-				this->connect_id = chunk_clone(notify->get_notification_data(notify));
-				DBG2(DBG_IKE, "received ME_CONNECTID %#B", &this->connect_id);
-				break;
-			}
-			case ME_CONNECTKEY:
-			{
-				chunk_free(&this->connect_key);
-				this->connect_key = chunk_clone(notify->get_notification_data(notify));
-				DBG4(DBG_IKE, "received ME_CONNECTKEY %#B", &this->connect_key);
-				break;
-			}
-			case ME_RESPONSE:
-			{
-				DBG2(DBG_IKE, "received ME_RESPONSE notify");
-				this->response = TRUE;
-				break;
-			}
-			default:
-				break;
-		}
-	}
-	enumerator->destroy(enumerator);
-}
-
-/**
- * Implementation of task_t.build for initiator
- */
-static status_t build_i(private_ike_me_t *this, message_t *message)
-{
-	switch(message->get_exchange_type(message))
-	{
-		case IKE_SA_INIT:
-		{
-			peer_cfg_t *peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
-			if (peer_cfg->is_mediation(peer_cfg))
-			{
-				DBG2(DBG_IKE, "adding ME_MEDIATION");
-				message->add_notify(message, FALSE, ME_MEDIATION, chunk_empty);
-			}
-			else
-			{
-				return SUCCESS;
-			}
-			break;
-		}
-		case IKE_AUTH:
-		{
-			if (this->ike_sa->has_condition(this->ike_sa, COND_NAT_HERE))
-			{
-				endpoint_notify_t *endpoint;
-				endpoint = endpoint_notify_create_from_host(SERVER_REFLEXIVE,
-															NULL, NULL);
-				message->add_payload(message, (payload_t*)endpoint->build_notify(endpoint));
-				endpoint->destroy(endpoint);
-			}
-			break;
-		}
-		case ME_CONNECT:
-		{
-			rng_t *rng;
-			id_payload_t *id_payload;
-			id_payload = id_payload_create_from_identification(ID_PEER,
-															   this->peer_id);
-			message->add_payload(message, (payload_t*)id_payload);
-
-			rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
-			if (!rng)
-			{
-				DBG1(DBG_IKE, "unable to generate connect ID for ME_CONNECT");
-				return FAILED;
-			}
-			if (!this->response)
-			{
-				/* only the initiator creates a connect ID. the responder
-				 * returns the connect ID that it received from the initiator */
-				rng->allocate_bytes(rng, ME_CONNECTID_LEN, &this->connect_id);
-			}
-			rng->allocate_bytes(rng, ME_CONNECTKEY_LEN, &this->connect_key);
-			rng->destroy(rng);
-
-			message->add_notify(message, FALSE, ME_CONNECTID, this->connect_id);
-			message->add_notify(message, FALSE, ME_CONNECTKEY, this->connect_key);
-
-			if (this->response)
-			{
-				message->add_notify(message, FALSE, ME_RESPONSE, chunk_empty);
-			}
-			else
-			{
-				/* FIXME: should we make this configurable? */
-				message->add_notify(message, FALSE, ME_CALLBACK, chunk_empty);
-			}
-
-			gather_and_add_endpoints(this, message);
-
-			break;
-		}
-		default:
-			break;
-	}
-	return NEED_MORE;
-}
-
-/**
- * Implementation of task_t.process for responder
- */
-static status_t process_r(private_ike_me_t *this, message_t *message)
-{
-	switch(message->get_exchange_type(message))
-	{
-		case ME_CONNECT:
-		{
-			id_payload_t *id_payload;
-			id_payload = (id_payload_t*)message->get_payload(message, ID_PEER);
-			if (!id_payload)
-			{
-				DBG1(DBG_IKE, "received ME_CONNECT without ID_PEER payload"
-					 ", aborting");
-				break;
-			}
-			this->peer_id = id_payload->get_identification(id_payload);
-
-			process_payloads(this, message);
-
-			if (this->callback)
-			{
-				DBG1(DBG_IKE, "received ME_CALLBACK for '%Y'", this->peer_id);
-				break;
-			}
-
-			if (!this->connect_id.ptr)
-			{
-				DBG1(DBG_IKE, "received ME_CONNECT without ME_CONNECTID notify"
-					 ", aborting");
-				this->invalid_syntax = TRUE;
-				break;
-			}
-
-			if (!this->connect_key.ptr)
-			{
-				DBG1(DBG_IKE, "received ME_CONNECT without ME_CONNECTKEY "
-					 "notify, aborting");
-				this->invalid_syntax = TRUE;
-				break;
-			}
-
-			if (!this->remote_endpoints->get_count(this->remote_endpoints))
-			{
-				DBG1(DBG_IKE, "received ME_CONNECT without any ME_ENDPOINT "
-					 "payloads, aborting");
-				this->invalid_syntax = TRUE;
-				break;
-			}
-
-			DBG1(DBG_IKE, "received ME_CONNECT");
-			break;
-		}
-		default:
-			break;
-	}
-	return NEED_MORE;
-}
-
-/**
- * Implementation of task_t.build for responder
- */
-static status_t build_r(private_ike_me_t *this, message_t *message)
-{
-	switch(message->get_exchange_type(message))
-	{
-		case ME_CONNECT:
-		{
-			if (this->invalid_syntax)
-			{
-				message->add_notify(message, TRUE, INVALID_SYNTAX, chunk_empty);
-				break;
-			}
-
-			if (this->callback)
-			{
-				/* we got a callback from the mediation server, initiate the
-				 * queued mediated connecction */
-				charon->connect_manager->check_and_initiate(
-						charon->connect_manager,
-						this->ike_sa->get_id(this->ike_sa),
-						this->ike_sa->get_my_id(this->ike_sa), this->peer_id);
-				return SUCCESS;
-			}
-
-			if (this->response)
-			{
-				/* FIXME: handle result of set_responder_data
-				 * as initiator, upon receiving a response from another peer,
-				 * update the checklist and start sending checks */
-				charon->connect_manager->set_responder_data(
-						charon->connect_manager,
-						this->connect_id, this->connect_key,
-						this->remote_endpoints);
-			}
-			else
-			{
-				/* FIXME: handle result of set_initiator_data
-				 * as responder, create a checklist with the initiator's data */
-				charon->connect_manager->set_initiator_data(
-						charon->connect_manager,
-						this->peer_id, this->ike_sa->get_my_id(this->ike_sa),
-						this->connect_id, this->connect_key,
-						this->remote_endpoints, FALSE);
-				if (this->ike_sa->respond(this->ike_sa, this->peer_id,
-										  this->connect_id) != SUCCESS)
-				{
-					return FAILED;
-				}
-			}
-			break;
-		}
-		default:
-			break;
-	}
-	return SUCCESS;
-}
-
-/**
- * Implementation of task_t.process for initiator
- */
-static status_t process_i(private_ike_me_t *this, message_t *message)
-{
-	switch(message->get_exchange_type(message))
-	{
-		case IKE_SA_INIT:
-		{
-			process_payloads(this, message);
-			if (!this->mediation)
-			{
-				DBG1(DBG_IKE, "server did not return a ME_MEDIATION, aborting");
-				return FAILED;
-			}
-			return NEED_MORE;
-		}
-		case IKE_AUTH:
-		{
-			process_payloads(this, message);
-			/* FIXME: we should update the server reflexive endpoint somehow,
-			 * if mobike notices a change */
-			endpoint_notify_t *reflexive;
-			if (this->remote_endpoints->get_first(this->remote_endpoints,
-											(void**)&reflexive) == SUCCESS &&
-				reflexive->get_type(reflexive) == SERVER_REFLEXIVE)
-			{	/* FIXME: should we accept this endpoint even if we did not send
-				 * a request? */
-				host_t *endpoint = reflexive->get_host(reflexive);
-				endpoint = endpoint->clone(endpoint);
-				this->ike_sa->set_server_reflexive_host(this->ike_sa, endpoint);
-			}
-			break;
-		}
-		case ME_CONNECT:
-		{
-			process_payloads(this, message);
-
-			if (this->failed)
-			{
-				DBG1(DBG_IKE, "peer '%Y' is not online", this->peer_id);
-				/* FIXME: notify the mediated connection (job?) */
-			}
-			else
-			{
-				if (this->response)
-				{
-					/* FIXME: handle result of set_responder_data. */
-					/* as responder, we update the checklist and start sending
-					 * checks */
-					charon->connect_manager->set_responder_data(
-							charon->connect_manager, this->connect_id,
-							this->connect_key, this->local_endpoints);
-				}
-				else
-				{
-					/* FIXME: handle result of set_initiator_data */
-					/* as initiator, we create a checklist and set the
-					 * initiator's data */
-					charon->connect_manager->set_initiator_data(
-							charon->connect_manager,
-							this->ike_sa->get_my_id(this->ike_sa),
-							this->peer_id, this->connect_id, this->connect_key,
-							this->local_endpoints, TRUE);
-					/* FIXME: also start a timer for the whole transaction
-					 * (maybe within the connect_manager?) */
-				}
-			}
-			break;
-		}
-		default:
-			break;
-	}
-	return SUCCESS;
-}
-
-/**
- * Implementation of task_t.build for initiator (mediation server)
- */
-static status_t build_i_ms(private_ike_me_t *this, message_t *message)
-{
-	switch(message->get_exchange_type(message))
-	{
-		case ME_CONNECT:
-		{
-			id_payload_t *id_payload;
-			id_payload = id_payload_create_from_identification(ID_PEER,
-															   this->peer_id);
-			message->add_payload(message, (payload_t*)id_payload);
-
-			if (this->callback)
-			{
-				message->add_notify(message, FALSE, ME_CALLBACK, chunk_empty);
-			}
-			else
-			{
-				if (this->response)
-				{
-					message->add_notify(message, FALSE, ME_RESPONSE,
-										chunk_empty);
-				}
-				message->add_notify(message, FALSE, ME_CONNECTID,
-									this->connect_id);
-				message->add_notify(message, FALSE, ME_CONNECTKEY,
-									this->connect_key);
-				add_endpoints_to_message(message, this->remote_endpoints);
-			}
-			break;
-		}
-		default:
-			break;
-	}
-	return NEED_MORE;
-}
-
-/**
- * Implementation of task_t.process for responder (mediation server)
- */
-static status_t process_r_ms(private_ike_me_t *this, message_t *message)
-{
-	switch(message->get_exchange_type(message))
-	{
-		case IKE_SA_INIT:
-		{
-			/* FIXME: we should check for SA* and TS* payloads. if there are
-			 * any, send NO_ADDITIONAL_SAS back and delete this SA */
-			process_payloads(this, message);
-			return this->mediation ? NEED_MORE : SUCCESS;
-		}
-		case IKE_AUTH:
-		{
-			/* FIXME: we should check whether the current peer_config is
-			 * configured as mediation connection */
-			process_payloads(this, message);
-			break;
-		}
-		case CREATE_CHILD_SA:
-		{
-			/* FIXME: if this is not to rekey the IKE SA we have to return a
-			 * NO_ADDITIONAL_SAS and then delete the SA */
-			break;
-		}
-		case ME_CONNECT:
-		{
-			id_payload_t *id_payload;
-			id_payload = (id_payload_t*)message->get_payload(message, ID_PEER);
-			if (!id_payload)
-			{
-				DBG1(DBG_IKE, "received ME_CONNECT without ID_PEER payload"
-					 ", aborting");
-				this->invalid_syntax = TRUE;
-				break;
-			}
-			this->peer_id = id_payload->get_identification(id_payload);
-
-			process_payloads(this, message);
-
-			if (!this->connect_id.ptr)
-			{
-				DBG1(DBG_IKE, "received ME_CONNECT without ME_CONNECTID notify"
-					 ", aborting");
-				this->invalid_syntax = TRUE;
-				break;
-			}
-
-			if (!this->connect_key.ptr)
-			{
-				DBG1(DBG_IKE, "received ME_CONNECT without ME_CONNECTKEY notify"
-					 ", aborting");
-				this->invalid_syntax = TRUE;
-				break;
-			}
-
-			if (!this->remote_endpoints->get_count(this->remote_endpoints))
-			{
-				DBG1(DBG_IKE, "received ME_CONNECT without any ME_ENDPOINT "
-					 "payloads, aborting");
-				this->invalid_syntax = TRUE;
-				break;
-			}
-			break;
-		}
-		default:
-			break;
-	}
-	return NEED_MORE;
-}
-
-/**
- * Implementation of task_t.build for responder (mediation server)
- */
-static status_t build_r_ms(private_ike_me_t *this, message_t *message)
-{
-	switch(message->get_exchange_type(message))
-	{
-		case IKE_SA_INIT:
-		{
-			message->add_notify(message, FALSE, ME_MEDIATION, chunk_empty);
-			return NEED_MORE;
-		}
-		case IKE_AUTH:
-		{
-			endpoint_notify_t *endpoint;
-			if (this->remote_endpoints->get_first(this->remote_endpoints,
-											(void**)&endpoint) == SUCCESS &&
-				endpoint->get_type(endpoint) == SERVER_REFLEXIVE)
-			{
-				host_t *host = this->ike_sa->get_other_host(this->ike_sa);
-				DBG2(DBG_IKE, "received request for a server reflexive "
-					 "endpoint sending: %#H", host);
-				endpoint = endpoint_notify_create_from_host(SERVER_REFLEXIVE,
-															host, NULL);
-				message->add_payload(message, (payload_t*)endpoint->build_notify(endpoint));
-				endpoint->destroy(endpoint);
-			}
-			this->ike_sa->act_as_mediation_server(this->ike_sa);
-			break;
-		}
-		case ME_CONNECT:
-		{
-			if (this->invalid_syntax)
-			{
-				message->add_notify(message, TRUE, INVALID_SYNTAX, chunk_empty);
-				break;
-			}
-
-			ike_sa_id_t *peer_sa;
-			if (this->callback)
-			{
-				peer_sa = charon->mediation_manager->check_and_register(
-									charon->mediation_manager, this->peer_id,
-									this->ike_sa->get_other_id(this->ike_sa));
-			}
-			else
-			{
-				peer_sa = charon->mediation_manager->check(
-									charon->mediation_manager, this->peer_id);
-			}
-
-			if (!peer_sa)
-			{
-				/* the peer is not online */
-				message->add_notify(message, TRUE, ME_CONNECT_FAILED,
-									chunk_empty);
-				break;
-			}
-
-			job_t *job = (job_t*)mediation_job_create(this->peer_id,
-					this->ike_sa->get_other_id(this->ike_sa), this->connect_id,
-					this->connect_key, this->remote_endpoints, this->response);
-			charon->processor->queue_job(charon->processor, job);
-			break;
-		}
-		default:
-			break;
-	}
-	return SUCCESS;
-}
-
-/**
- * Implementation of task_t.process for initiator (mediation server)
- */
-static status_t process_i_ms(private_ike_me_t *this, message_t *message)
-{
-	/* FIXME: theoretically we should be prepared to receive a ME_CONNECT_FAILED
-	 * here if the responding peer is not able to proceed. in this case we shall
-	 * notify the initiating peer with a ME_CONNECT request containing only a
-	 * ME_CONNECT_FAILED */
-	return SUCCESS;
-}
-
-/**
- * Implementation of ike_me.connect
- */
-static void me_connect(private_ike_me_t *this, identification_t *peer_id)
-{
-	this->peer_id = peer_id->clone(peer_id);
-}
-
-/**
- * Implementation of ike_me.respond
- */
-static void me_respond(private_ike_me_t *this, identification_t *peer_id,
-					   chunk_t connect_id)
-{
-	this->peer_id = peer_id->clone(peer_id);
-	this->connect_id = chunk_clone(connect_id);
-	this->response = TRUE;
-}
-
-/**
- * Implementation of ike_me.callback
- */
-static void me_callback(private_ike_me_t *this, identification_t *peer_id)
-{
-	this->peer_id = peer_id->clone(peer_id);
-	this->callback = TRUE;
-}
-
-/**
- * Implementation of ike_me.relay
- */
-static void relay(private_ike_me_t *this, identification_t *requester,
-				  chunk_t connect_id, chunk_t connect_key,
-				  linked_list_t *endpoints, bool response)
-{
-	this->peer_id = requester->clone(requester);
-	this->connect_id = chunk_clone(connect_id);
-	this->connect_key = chunk_clone(connect_key);
-
-	this->remote_endpoints->destroy_offset(this->remote_endpoints,
-										offsetof(endpoint_notify_t, destroy));
-	this->remote_endpoints = endpoints->clone_offset(endpoints,
-										offsetof(endpoint_notify_t, clone));
-
-	this->response = response;
-}
-
-/**
- * Implementation of task_t.get_type
- */
-static task_type_t get_type(private_ike_me_t *this)
-{
-	return IKE_ME;
-}
-
-/**
- * Implementation of task_t.migrate
- */
-static void migrate(private_ike_me_t *this, ike_sa_t *ike_sa)
-{
-	this->ike_sa = ike_sa;
-}
-
-/**
- * Implementation of task_t.destroy
- */
-static void destroy(private_ike_me_t *this)
-{
-	DESTROY_IF(this->peer_id);
-
-	chunk_free(&this->connect_id);
-	chunk_free(&this->connect_key);
-
-	this->local_endpoints->destroy_offset(this->local_endpoints,
-										offsetof(endpoint_notify_t, destroy));
-	this->remote_endpoints->destroy_offset(this->remote_endpoints,
-										offsetof(endpoint_notify_t, destroy));
-
-	DESTROY_IF(this->mediated_cfg);
-	free(this);
-}
-
-/*
- * Described in header.
- */
-ike_me_t *ike_me_create(ike_sa_t *ike_sa, bool initiator)
-{
-	private_ike_me_t *this = malloc_thing(private_ike_me_t);
-
-	this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
-	this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
-	this->public.task.destroy = (void(*)(task_t*))destroy;
-
-	if (ike_sa->has_condition(ike_sa, COND_ORIGINAL_INITIATOR))
-	{
-		if (initiator)
-		{
-			this->public.task.build = (status_t(*)(task_t*,message_t*))build_i;
-			this->public.task.process = (status_t(*)(task_t*,message_t*))process_i;
-		}
-		else
-		{
-			this->public.task.build = (status_t(*)(task_t*,message_t*))build_r;
-			this->public.task.process = (status_t(*)(task_t*,message_t*))process_r;
-		}
-	}
-	else
-	{
-		/* mediation server */
-		if (initiator)
-		{
-			this->public.task.build = (status_t(*)(task_t*,message_t*))build_i_ms;
-			this->public.task.process = (status_t(*)(task_t*,message_t*))process_i_ms;
-		}
-		else
-		{
-			this->public.task.build = (status_t(*)(task_t*,message_t*))build_r_ms;
-			this->public.task.process = (status_t(*)(task_t*,message_t*))process_r_ms;
-		}
-	}
-
-	this->public.connect = (void(*)(ike_me_t*,identification_t*))me_connect;
-	this->public.respond = (void(*)(ike_me_t*,identification_t*,chunk_t))me_respond;
-	this->public.callback = (void(*)(ike_me_t*,identification_t*))me_callback;
-	this->public.relay = (void(*)(ike_me_t*,identification_t*,chunk_t,chunk_t,linked_list_t*,bool))relay;
-
-	this->ike_sa = ike_sa;
-	this->initiator = initiator;
-
-	this->peer_id = NULL;
-	this->connect_id = chunk_empty;
-	this->connect_key = chunk_empty;
-	this->local_endpoints = linked_list_create();
-	this->remote_endpoints = linked_list_create();
-	this->mediation = FALSE;
-	this->response = FALSE;
-	this->callback = FALSE;
-	this->failed = FALSE;
-	this->invalid_syntax = FALSE;
-
-	this->mediated_cfg = NULL;
-
-	return &this->public;
-}
diff --git a/src/charon/sa/tasks/ike_me.h b/src/charon/sa/tasks/ike_me.h
deleted file mode 100644
index 31285a426..000000000
--- a/src/charon/sa/tasks/ike_me.h
+++ /dev/null
@@ -1,100 +0,0 @@
-/*
- * Copyright (C) 2007 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup ike_me ike_me
- * @{ @ingroup tasks
- */
-
-#ifndef IKE_ME_H_
-#define IKE_ME_H_
-
-typedef struct ike_me_t ike_me_t;
-
-#include <library.h>
-#include <sa/ike_sa.h>
-#include <sa/tasks/task.h>
-
-/**
- * Task of type IKE_ME, detects and handles IKE-ME extensions.
- *
- * This tasks handles the ME_MEDIATION Notify exchange to setup a mediation
- * connection, allows to initiate mediated connections using ME_CONNECT
- * exchanges and to request reflexive addresses from the mediation server using
- * ME_ENDPOINT notifies.
- *
- * @note This task has to be activated before the IKE_AUTH task, because that
- * task generates the IKE_SA_INIT message so that no more payloads can be added
- * to it afterwards.
- */
-struct ike_me_t {
-	/**
-	 * Implements the task_t interface
-	 */
-	task_t task;
-
-	/**
-	 * Initiates a connection with another peer (i.e. sends a ME_CONNECT
-	 * to the mediation server)
-	 *
-	 * @param peer_id			ID of the other peer (gets cloned)
-	 */
-	void (*connect)(ike_me_t *this, identification_t *peer_id);
-
-	/**
-	 * Responds to a ME_CONNECT from another peer (i.e. sends a ME_CONNECT
-	 * to the mediation server)
-	 *
-	 * Data gets cloned.
-	 *
-	 * @param peer_id			ID of the other peer
-	 * @param connect_id		the connect ID as provided by the initiator
-	 */
-	void (*respond)(ike_me_t *this, identification_t *peer_id,
-					chunk_t connect_id);
-
-	/**
-	 * Sends a ME_CALLBACK to a peer that previously requested some other peer.
-	 *
-	 * @param peer_id			ID of the other peer (gets cloned)
-	 */
-	void (*callback)(ike_me_t *this, identification_t *peer_id);
-
-	/**
-	 * Relays data to another peer (i.e. sends a ME_CONNECT to the peer)
-	 *
-	 * Data gets cloned.
-	 *
-	 * @param requester			ID of the requesting peer
-	 * @param connect_id		content of the ME_CONNECTID notify
-	 * @param connect_key		content of the ME_CONNECTKEY notify
-	 * @param endpoints			endpoints
-	 * @param response			TRUE if this is a response
-	 */
-	void (*relay)(ike_me_t *this, identification_t *requester,
-				  chunk_t connect_id, chunk_t connect_key,
-				  linked_list_t *endpoints, bool response);
-};
-
-/**
- * Create a new ike_me task.
- *
- * @param ike_sa		IKE_SA this task works for
- * @param initiator		TRUE if task is initiated by us
- * @return				ike_me task to be handled by the task_manager
- */
-ike_me_t *ike_me_create(ike_sa_t *ike_sa, bool initiator);
-
-#endif /** IKE_ME_H_ @}*/
diff --git a/src/charon/sa/tasks/ike_mobike.c b/src/charon/sa/tasks/ike_mobike.c
deleted file mode 100644
index d76ba8d2b..000000000
--- a/src/charon/sa/tasks/ike_mobike.c
+++ /dev/null
@@ -1,637 +0,0 @@
-/*
- * Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "ike_mobike.h"
-
-#include <string.h>
-
-#include <daemon.h>
-#include <sa/tasks/ike_natd.h>
-#include <encoding/payloads/notify_payload.h>
-
-#define COOKIE2_SIZE 16
-#define MAX_ADDITIONAL_ADDRS 8
-
-typedef struct private_ike_mobike_t private_ike_mobike_t;
-
-/**
- * Private members of a ike_mobike_t task.
- */
-struct private_ike_mobike_t {
-
-	/**
-	 * Public methods and task_t interface.
-	 */
-	ike_mobike_t public;
-
-	/**
-	 * Assigned IKE_SA.
-	 */
-	ike_sa_t *ike_sa;
-
-	/**
-	 * Are we the initiator?
-	 */
-	bool initiator;
-
-	/**
-	 * cookie2 value to verify new addresses
-	 */
-	chunk_t cookie2;
-
-	/**
-	 * NAT discovery reusing the IKE_NATD task
-	 */
-	ike_natd_t *natd;
-
-	/**
-	 * use task to update addresses
-	 */
-	bool update;
-
-	/**
-	 * do routability check
-	 */
-	bool check;
-
-	/**
-	 * include address list update
-	 */
-	bool address;
-};
-
-/**
- * flush the IKE_SAs list of additional addresses
- */
-static void flush_additional_addresses(private_ike_mobike_t *this)
-{
-	iterator_t *iterator;
-	host_t *host;
-
-	iterator = this->ike_sa->create_additional_address_iterator(this->ike_sa);
-	while (iterator->iterate(iterator, (void**)&host))
-	{
-		iterator->remove(iterator);
-		host->destroy(host);
-	}
-	iterator->destroy(iterator);
-}
-
-
-/**
- * read notifys from message and evaluate them
- */
-static void process_payloads(private_ike_mobike_t *this, message_t *message)
-{
-	enumerator_t *enumerator;
-	payload_t *payload;
-	bool first = TRUE;
-
-	enumerator = message->create_payload_enumerator(message);
-	while (enumerator->enumerate(enumerator, &payload))
-	{
-		int family = AF_INET;
-		notify_payload_t *notify;
-		chunk_t data;
-		host_t *host;
-
-		if (payload->get_type(payload) != NOTIFY)
-		{
-			continue;
-		}
-		notify = (notify_payload_t*)payload;
-		switch (notify->get_notify_type(notify))
-		{
-			case MOBIKE_SUPPORTED:
-			{
-				peer_cfg_t *peer_cfg;
-
-				peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
-				if (!this->initiator &&
-					peer_cfg && !peer_cfg->use_mobike(peer_cfg))
-				{
-					DBG1(DBG_IKE, "peer supports MOBIKE, but disabled in config");
-				}
-				else
-				{
-					DBG1(DBG_IKE, "peer supports MOBIKE");
-					this->ike_sa->enable_extension(this->ike_sa, EXT_MOBIKE);
-				}
-				break;
-			}
-			case COOKIE2:
-			{
-				chunk_free(&this->cookie2);
-				this->cookie2 = chunk_clone(notify->get_notification_data(notify));
-				break;
-			}
-			case ADDITIONAL_IP6_ADDRESS:
-			{
-				family = AF_INET6;
-				/* fall through */
-			}
-			case ADDITIONAL_IP4_ADDRESS:
-			{
-				if (first)
-				{	/* an ADDITIONAL_*_ADDRESS means replace, so flush once */
-					flush_additional_addresses(this);
-					first = FALSE;
-				}
-				data = notify->get_notification_data(notify);
-				host = host_create_from_chunk(family, data, 0);
-				DBG2(DBG_IKE, "got additional MOBIKE peer address: %H", host);
-				this->ike_sa->add_additional_address(this->ike_sa, host);
-				break;
-			}
-			case UPDATE_SA_ADDRESSES:
-			{
-				this->update = TRUE;
-				break;
-			}
-			case NO_ADDITIONAL_ADDRESSES:
-			{
-				flush_additional_addresses(this);
-				break;
-			}
-			case NAT_DETECTION_SOURCE_IP:
-			case NAT_DETECTION_DESTINATION_IP:
-			{
-				/* NAT check in this MOBIKE exchange, create subtask for it */
-				if (this->natd == NULL)
-				{
-					this->natd = ike_natd_create(this->ike_sa, this->initiator);
-				}
-				break;
-			}
-			default:
-				break;
-		}
-	}
-	enumerator->destroy(enumerator);
-}
-
-/**
- * Add ADDITIONAL_*_ADDRESS notifys depending on our address list
- */
-static void build_address_list(private_ike_mobike_t *this, message_t *message)
-{
-	enumerator_t *enumerator;
-	host_t *host, *me;
-	notify_type_t type;
-	int added = 0;
-
-	me = this->ike_sa->get_my_host(this->ike_sa);
-	enumerator = charon->kernel_interface->create_address_enumerator(
-										charon->kernel_interface, FALSE, FALSE);
-	while (enumerator->enumerate(enumerator, (void**)&host))
-	{
-		if (me->ip_equals(me, host))
-		{	/* "ADDITIONAL" means do not include IKE_SAs host */
-			continue;
-		}
-		switch (host->get_family(host))
-		{
-			case AF_INET:
-				type = ADDITIONAL_IP4_ADDRESS;
-				break;
-			case AF_INET6:
-				type = ADDITIONAL_IP6_ADDRESS;
-				break;
-			default:
-				continue;
-		}
-		message->add_notify(message, FALSE, type, host->get_address(host));
-		if (++added >= MAX_ADDITIONAL_ADDRS)
-		{	/* limit number of notifys, some implementations do not like too
-			 * many of them (f.e. strongSwan ;-) */
-			break;
-		}
-	}
-	if (!added)
-	{
-		message->add_notify(message, FALSE, NO_ADDITIONAL_ADDRESSES, chunk_empty);
-	}
-	enumerator->destroy(enumerator);
-}
-
-/**
- * build a cookie and add it to the message
- */
-static void build_cookie(private_ike_mobike_t *this, message_t *message)
-{
-	rng_t *rng;
-
-	chunk_free(&this->cookie2);
-	rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
-	if (rng)
-	{
-		rng->allocate_bytes(rng, COOKIE2_SIZE, &this->cookie2);
-		rng->destroy(rng);
-		message->add_notify(message, FALSE, COOKIE2, this->cookie2);
-	}
-}
-
-/**
- * update addresses of associated CHILD_SAs
- */
-static void update_children(private_ike_mobike_t *this)
-{
-	iterator_t *iterator;
-	child_sa_t *child_sa;
-
-	iterator = this->ike_sa->create_child_sa_iterator(this->ike_sa);
-	while (iterator->iterate(iterator, (void**)&child_sa))
-	{
-		if (child_sa->update(child_sa,
-				this->ike_sa->get_my_host(this->ike_sa),
-				this->ike_sa->get_other_host(this->ike_sa),
-				this->ike_sa->get_virtual_ip(this->ike_sa, TRUE),
-				this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY)) == NOT_SUPPORTED)
-		{
-			this->ike_sa->rekey_child_sa(this->ike_sa,
-					child_sa->get_protocol(child_sa),
-					child_sa->get_spi(child_sa, TRUE));
-		}
-	}
-	iterator->destroy(iterator);
-}
-
-/**
- * Implementation of ike_mobike_t.transmit
- */
-static void transmit(private_ike_mobike_t *this, packet_t *packet)
-{
-	host_t *me, *other, *me_old, *other_old;
-	iterator_t *iterator;
-	packet_t *copy;
-
-	if (!this->check)
-	{
-		return;
-	}
-
-	me_old = this->ike_sa->get_my_host(this->ike_sa);
-	other_old = this->ike_sa->get_other_host(this->ike_sa);
-
-	me = charon->kernel_interface->get_source_addr(
-									charon->kernel_interface, other_old, NULL);
-	if (me)
-	{
-		me->set_port(me, me->ip_equals(me, me_old) ?
-					 me_old->get_port(me_old) : IKEV2_NATT_PORT);
-		DBG1(DBG_IKE, "checking original path %#H - %#H", me, other_old);
-		copy = packet->clone(packet);
-		copy->set_source(copy, me);
-		charon->sender->send(charon->sender, copy);
-	}
-
-	iterator = this->ike_sa->create_additional_address_iterator(this->ike_sa);
-	while (iterator->iterate(iterator, (void**)&other))
-	{
-		me = charon->kernel_interface->get_source_addr(
-										charon->kernel_interface, other, NULL);
-		if (me)
-		{
-			if (me->get_family(me) != other->get_family(other))
-			{
-				me->destroy(me);
-				continue;
-			}
-			/* reuse port for an active address, 4500 otherwise */
-			me->set_port(me, me->ip_equals(me, me_old) ?
-						 me_old->get_port(me_old) : IKEV2_NATT_PORT);
-			other = other->clone(other);
-			other->set_port(other, other->ip_equals(other, other_old) ?
-							other_old->get_port(other_old) : IKEV2_NATT_PORT);
-			DBG1(DBG_IKE, "checking path %#H - %#H", me, other);
-			copy = packet->clone(packet);
-			copy->set_source(copy, me);
-			copy->set_destination(copy, other);
-			charon->sender->send(charon->sender, copy);
-		}
-	}
-	iterator->destroy(iterator);
-}
-
-/**
- * Implementation of task_t.process for initiator
- */
-static status_t build_i(private_ike_mobike_t *this, message_t *message)
-{
-	if (message->get_message_id(message) == 1)
-	{	/* only in first IKE_AUTH */
-		message->add_notify(message, FALSE, MOBIKE_SUPPORTED, chunk_empty);
-		build_address_list(this, message);
-	}
-	else if (message->get_exchange_type(message) == INFORMATIONAL)
-	{
-		host_t *old, *new;
-
-		/* we check if the existing address is still valid */
-		old = message->get_source(message);
-		new = charon->kernel_interface->get_source_addr(charon->kernel_interface,
-										message->get_destination(message), old);
-		if (new)
-		{
-			if (!new->ip_equals(new, old))
-			{
-				new->set_port(new, old->get_port(old));
-				message->set_source(message, new);
-			}
-			else
-			{
-				new->destroy(new);
-			}
-		}
-		if (this->update)
-		{
-			message->add_notify(message, FALSE, UPDATE_SA_ADDRESSES, chunk_empty);
-			build_cookie(this, message);
-			update_children(this);
-		}
-		if (this->address)
-		{
-			build_address_list(this, message);
-		}
-		if (this->natd)
-		{
-			this->natd->task.build(&this->natd->task, message);
-		}
-	}
-	return NEED_MORE;
-}
-
-/**
- * Implementation of task_t.process for responder
- */
-static status_t process_r(private_ike_mobike_t *this, message_t *message)
-{
-	if (message->get_message_id(message) == 1)
-	{	/* only first IKE_AUTH */
-		process_payloads(this, message);
-	}
-	else if (message->get_exchange_type(message) == INFORMATIONAL)
-	{
-		process_payloads(this, message);
-		if (this->update)
-		{
-			host_t *me, *other;
-
-			me = message->get_destination(message);
-			other = message->get_source(message);
-			this->ike_sa->set_my_host(this->ike_sa, me->clone(me));
-			this->ike_sa->set_other_host(this->ike_sa, other->clone(other));
-		}
-
-		if (this->natd)
-		{
-			this->natd->task.process(&this->natd->task, message);
-		}
-	}
-	return NEED_MORE;
-}
-
-/**
- * Implementation of task_t.build for responder
- */
-static status_t build_r(private_ike_mobike_t *this, message_t *message)
-{
-	if (message->get_exchange_type(message) == IKE_AUTH &&
-		this->ike_sa->get_state(this->ike_sa) == IKE_ESTABLISHED)
-	{
-		if (this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE))
-		{
-			message->add_notify(message, FALSE, MOBIKE_SUPPORTED, chunk_empty);
-			build_address_list(this, message);
-		}
-		return SUCCESS;
-	}
-	else if (message->get_exchange_type(message) == INFORMATIONAL)
-	{
-		if (this->natd)
-		{
-			this->natd->task.build(&this->natd->task, message);
-		}
-		if (this->cookie2.ptr)
-		{
-			message->add_notify(message, FALSE, COOKIE2, this->cookie2);
-			chunk_free(&this->cookie2);
-		}
-		if (this->update)
-		{
-			update_children(this);
-		}
-		return SUCCESS;
-	}
-	return NEED_MORE;
-}
-
-/**
- * Implementation of task_t.process for initiator
- */
-static status_t process_i(private_ike_mobike_t *this, message_t *message)
-{
-	if (message->get_exchange_type(message) == IKE_AUTH &&
-		this->ike_sa->get_state(this->ike_sa) == IKE_ESTABLISHED)
-	{
-		process_payloads(this, message);
-		return SUCCESS;
-	}
-	else if (message->get_exchange_type(message) == INFORMATIONAL)
-	{
-		u_int32_t updates = this->ike_sa->get_pending_updates(this->ike_sa) - 1;
-		this->ike_sa->set_pending_updates(this->ike_sa, updates);
-		if (updates > 0)
-		{
-			/* newer update queued, ignore this one */
-			return SUCCESS;
-		}
-		if (this->cookie2.ptr)
-		{	/* check cookie if we included one */
-			chunk_t cookie2;
-
-			cookie2 = this->cookie2;
-			this->cookie2 = chunk_empty;
-			process_payloads(this, message);
-			if (!chunk_equals(cookie2, this->cookie2))
-			{
-				chunk_free(&cookie2);
-				DBG1(DBG_IKE, "COOKIE2 mismatch, closing IKE_SA");
-				return FAILED;
-			}
-			chunk_free(&cookie2);
-		}
-		else
-		{
-			process_payloads(this, message);
-		}
-		if (this->natd)
-		{
-			this->natd->task.process(&this->natd->task, message);
-			if (this->natd->has_mapping_changed(this->natd))
-			{
-				/* force an update if mappings have changed */
-				this->update = this->check = TRUE;
-				DBG1(DBG_IKE, "detected changes in NAT mappings, "
-					 "initiating MOBIKE update");
-			}
-		}
-		if (this->update)
-		{
-			/* update again, as NAT state may have changed */
-			update_children(this);
-		}
-		if (this->check)
-		{
-			host_t *me_new, *me_old, *other_new, *other_old;
-
-			me_new = message->get_destination(message);
-			other_new = message->get_source(message);
-			me_old = this->ike_sa->get_my_host(this->ike_sa);
-			other_old = this->ike_sa->get_other_host(this->ike_sa);
-
-			if (!me_new->equals(me_new, me_old))
-			{
-				this->update = TRUE;
-				this->ike_sa->set_my_host(this->ike_sa, me_new->clone(me_new));
-			}
-			if (!other_new->equals(other_new, other_old))
-			{
-				this->update = TRUE;
-				this->ike_sa->set_other_host(this->ike_sa, other_new->clone(other_new));
-			}
-			if (this->update)
-			{
-				/* start the update with the same task */
-				this->check = FALSE;
-				this->address = FALSE;
-				if (this->natd)
-				{
-					this->natd->task.destroy(&this->natd->task);
-				}
-				this->natd = ike_natd_create(this->ike_sa, this->initiator);
-				this->ike_sa->set_pending_updates(this->ike_sa, 1);
-				return NEED_MORE;
-			}
-		}
-		return SUCCESS;
-	}
-	return NEED_MORE;
-}
-
-/**
- * Implementation of ike_mobike_t.roam.
- */
-static void roam(private_ike_mobike_t *this, bool address)
-{
-	this->check = TRUE;
-	this->address = address;
-	this->ike_sa->set_pending_updates(this->ike_sa,
-							this->ike_sa->get_pending_updates(this->ike_sa) + 1);
-}
-
-/**
- * Implementation of ike_mobike_t.dpd
- */
-static void dpd(private_ike_mobike_t *this)
-{
-	if (!this->natd)
-	{
-		this->natd = ike_natd_create(this->ike_sa, this->initiator);
-	}
-	this->address = FALSE;
-	this->ike_sa->set_pending_updates(this->ike_sa,
-							this->ike_sa->get_pending_updates(this->ike_sa) + 1);
-}
-
-/**
- * Implementation of ike_mobike_t.is_probing.
- */
-static bool is_probing(private_ike_mobike_t *this)
-{
-	return this->check;
-}
-
-/**
- * Implementation of task_t.get_type
- */
-static task_type_t get_type(private_ike_mobike_t *this)
-{
-	return IKE_MOBIKE;
-}
-
-/**
- * Implementation of task_t.migrate
- */
-static void migrate(private_ike_mobike_t *this, ike_sa_t *ike_sa)
-{
-	chunk_free(&this->cookie2);
-	this->ike_sa = ike_sa;
-	if (this->natd)
-	{
-		this->natd->task.migrate(&this->natd->task, ike_sa);
-	}
-}
-
-/**
- * Implementation of task_t.destroy
- */
-static void destroy(private_ike_mobike_t *this)
-{
-	chunk_free(&this->cookie2);
-	if (this->natd)
-	{
-		this->natd->task.destroy(&this->natd->task);
-	}
-	free(this);
-}
-
-/*
- * Described in header.
- */
-ike_mobike_t *ike_mobike_create(ike_sa_t *ike_sa, bool initiator)
-{
-	private_ike_mobike_t *this = malloc_thing(private_ike_mobike_t);
-
-	this->public.roam = (void(*)(ike_mobike_t*,bool))roam;
-	this->public.dpd = (void(*)(ike_mobike_t*))dpd;
-	this->public.transmit = (void(*)(ike_mobike_t*,packet_t*))transmit;
-	this->public.is_probing = (bool(*)(ike_mobike_t*))is_probing;
-	this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
-	this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
-	this->public.task.destroy = (void(*)(task_t*))destroy;
-
-	if (initiator)
-	{
-		this->public.task.build = (status_t(*)(task_t*,message_t*))build_i;
-		this->public.task.process = (status_t(*)(task_t*,message_t*))process_i;
-	}
-	else
-	{
-		this->public.task.build = (status_t(*)(task_t*,message_t*))build_r;
-		this->public.task.process = (status_t(*)(task_t*,message_t*))process_r;
-	}
-
-	this->ike_sa = ike_sa;
-	this->initiator = initiator;
-	this->update = FALSE;
-	this->check = FALSE;
-	this->address = TRUE;
-	this->cookie2 = chunk_empty;
-	this->natd = NULL;
-
-	return &this->public;
-}
-
diff --git a/src/charon/sa/tasks/ike_mobike.h b/src/charon/sa/tasks/ike_mobike.h
deleted file mode 100644
index 05b2224d1..000000000
--- a/src/charon/sa/tasks/ike_mobike.h
+++ /dev/null
@@ -1,88 +0,0 @@
-/*
- * Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup ike_mobike ike_mobike
- * @{ @ingroup tasks
- */
-
-#ifndef IKE_MOBIKE_H_
-#define IKE_MOBIKE_H_
-
-typedef struct ike_mobike_t ike_mobike_t;
-
-#include <library.h>
-#include <sa/ike_sa.h>
-#include <sa/tasks/task.h>
-#include <network/packet.h>
-
-/**
- * Task of type ike_mobike, detects and handles MOBIKE extension.
- *
- * The MOBIKE extension is defined in RFC4555. It allows to update IKE
- * and IPsec tunnel addresses.
- * This tasks handles the MOBIKE_SUPPORTED notify exchange to detect MOBIKE
- * support, allows the exchange of ADDITIONAL_*_ADDRESS to exchange additional
- * endpoints and handles the UPDATE_SA_ADDRESS notify to finally update
- * endpoints.
- */
-struct ike_mobike_t {
-
-	/**
-	 * Implements the task_t interface
-	 */
-	task_t task;
-
-	/**
-	 * Use the task to roam to other addresses.
-	 *
-	 * @param address		TRUE to include address list update
-	 */
-	void (*roam)(ike_mobike_t *this, bool address);
-
-	/**
-	 * Use the task for a DPD check which detects changes in NAT mappings.
-	 */
-	void (*dpd)(ike_mobike_t *this);
-
-	/**
-	 * Transmision hook, called by task manager.
-	 *
-	 * The task manager calls this hook whenever it transmits a packet. It
-	 * allows the mobike task to send the packet on multiple paths to do path
-	 * probing.
-	 *
-	 * @param packet		the packet to transmit
-	 */
-	void (*transmit)(ike_mobike_t *this, packet_t *packet);
-
-	/**
-	 * Check if this task is probing for routability.
-	 *
-	 * @return				TRUE if task is probing
-	 */
-	bool (*is_probing)(ike_mobike_t *this);
-};
-
-/**
- * Create a new ike_mobike task.
- *
- * @param ike_sa		IKE_SA this task works for
- * @param initiator		TRUE if taks is initiated by us
- * @return				ike_mobike task to handle by the task_manager
- */
-ike_mobike_t *ike_mobike_create(ike_sa_t *ike_sa, bool initiator);
-
-#endif /** IKE_MOBIKE_H_ @}*/
diff --git a/src/charon/sa/tasks/ike_natd.c b/src/charon/sa/tasks/ike_natd.c
deleted file mode 100644
index 9121fe2ea..000000000
--- a/src/charon/sa/tasks/ike_natd.c
+++ /dev/null
@@ -1,487 +0,0 @@
-/*
- * Copyright (C) 2006-2007 Martin Willi
- * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "ike_natd.h"
-
-#include <string.h>
-
-#include <daemon.h>
-#include <config/peer_cfg.h>
-#include <crypto/hashers/hasher.h>
-#include <encoding/payloads/notify_payload.h>
-
-
-typedef struct private_ike_natd_t private_ike_natd_t;
-
-/**
- * Private members of a ike_natd_t task.
- */
-struct private_ike_natd_t {
-
-	/**
-	 * Public methods and task_t interface.
-	 */
-	ike_natd_t public;
-
-	/**
-	 * Assigned IKE_SA.
-	 */
-	ike_sa_t *ike_sa;
-
-	/**
-	 * Are we the initiator?
-	 */
-	bool initiator;
-
-	/**
-	 * Hasher used to build NAT detection hashes
-	 */
-	hasher_t *hasher;
-
-	/**
-	 * Did we process any NAT detection notifys for a source address?
-	 */
-	bool src_seen;
-
-	/**
-	 * Did we process any NAT detection notifys for a destination address?
-	 */
-	bool dst_seen;
-
-	/**
-	 * Have we found a matching source address NAT hash?
-	 */
-	bool src_matched;
-
-	/**
-	 * Have we found a matching destination address NAT hash?
-	 */
-	bool dst_matched;
-
-	/**
-	 * whether NAT mappings for our NATed address has changed
-	 */
-	bool mapping_changed;
-};
-
-
-/**
- * Build NAT detection hash for a host
- */
-static chunk_t generate_natd_hash(private_ike_natd_t *this,
-								  ike_sa_id_t *ike_sa_id, host_t *host)
-{
-	chunk_t natd_chunk, spi_i_chunk, spi_r_chunk, addr_chunk, port_chunk;
-	chunk_t natd_hash;
-	u_int64_t spi_i, spi_r;
-	u_int16_t port;
-
-	/* prepare all required chunks */
-	spi_i = ike_sa_id->get_initiator_spi(ike_sa_id);
-	spi_r = ike_sa_id->get_responder_spi(ike_sa_id);
-	spi_i_chunk.ptr = (void*)&spi_i;
-	spi_i_chunk.len = sizeof(spi_i);
-	spi_r_chunk.ptr = (void*)&spi_r;
-	spi_r_chunk.len = sizeof(spi_r);
-	port = htons(host->get_port(host));
-	port_chunk.ptr = (void*)&port;
-	port_chunk.len = sizeof(port);
-	addr_chunk = host->get_address(host);
-
-	/*  natd_hash = SHA1( spi_i | spi_r | address | port ) */
-	natd_chunk = chunk_cat("cccc", spi_i_chunk, spi_r_chunk, addr_chunk, port_chunk);
-	this->hasher->allocate_hash(this->hasher, natd_chunk, &natd_hash);
-	DBG3(DBG_IKE, "natd_chunk %B", &natd_chunk);
-	DBG3(DBG_IKE, "natd_hash %B", &natd_hash);
-
-	chunk_free(&natd_chunk);
-	return natd_hash;
-}
-
-/**
- * build a faked NATD payload to enforce UDP encap
- */
-static chunk_t generate_natd_hash_faked(private_ike_natd_t *this)
-{
-	rng_t *rng;
-	chunk_t chunk;
-
-	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
-	if (!rng)
-	{
-		DBG1(DBG_IKE, "unable to get random bytes for NATD fake");
-		return chunk_empty;
-	}
-	rng->allocate_bytes(rng, HASH_SIZE_SHA1, &chunk);
-	rng->destroy(rng);
-	return chunk;
-}
-
-/**
- * Build a NAT detection notify payload.
- */
-static notify_payload_t *build_natd_payload(private_ike_natd_t *this,
-											notify_type_t type, host_t *host)
-{
-	chunk_t hash;
-	notify_payload_t *notify;
-	ike_sa_id_t *ike_sa_id;
-	ike_cfg_t *config;
-
-	ike_sa_id = this->ike_sa->get_id(this->ike_sa);
-	config = this->ike_sa->get_ike_cfg(this->ike_sa);
-	if (config->force_encap(config) && type == NAT_DETECTION_SOURCE_IP)
-	{
-		hash = generate_natd_hash_faked(this);
-	}
-	else
-	{
-		hash = generate_natd_hash(this, ike_sa_id, host);
-	}
-	notify = notify_payload_create();
-	notify->set_notify_type(notify, type);
-	notify->set_notification_data(notify, hash);
-	chunk_free(&hash);
-
-	return notify;
-}
-
-/**
- * read notifys from message and evaluate them
- */
-static void process_payloads(private_ike_natd_t *this, message_t *message)
-{
-	enumerator_t *enumerator;
-	payload_t *payload;
-	notify_payload_t *notify;
-	chunk_t hash, src_hash, dst_hash;
-	ike_sa_id_t *ike_sa_id;
-	host_t *me, *other;
-	ike_cfg_t *config;
-
-	/* Precompute NAT-D hashes for incoming NAT notify comparison */
-	ike_sa_id = message->get_ike_sa_id(message);
-	me = message->get_destination(message);
-	other = message->get_source(message);
-	dst_hash = generate_natd_hash(this, ike_sa_id, me);
-	src_hash = generate_natd_hash(this, ike_sa_id, other);
-
-	DBG3(DBG_IKE, "precalculated src_hash %B", &src_hash);
-	DBG3(DBG_IKE, "precalculated dst_hash %B", &dst_hash);
-
-	enumerator = message->create_payload_enumerator(message);
-	while (enumerator->enumerate(enumerator, &payload))
-	{
-		if (payload->get_type(payload) != NOTIFY)
-		{
-			continue;
-		}
-		notify = (notify_payload_t*)payload;
-		switch (notify->get_notify_type(notify))
-		{
-			case NAT_DETECTION_DESTINATION_IP:
-			{
-				this->dst_seen = TRUE;
-				hash = notify->get_notification_data(notify);
-				if (!this->dst_matched)
-				{
-					DBG3(DBG_IKE, "received dst_hash %B", &hash);
-					if (chunk_equals(hash, dst_hash))
-					{
-						this->dst_matched = TRUE;
-					}
-				}
-				/* RFC4555 says we should also compare against IKE_SA_INIT
-				 * NATD payloads, but this does not work: We are running
-				 * there at port 500, but use 4500 afterwards... */
-				if (message->get_exchange_type(message) == INFORMATIONAL &&
-					this->initiator && !this->dst_matched)
-				{
-					this->mapping_changed = this->ike_sa->has_mapping_changed(
-															this->ike_sa, hash);
-				}
-				break;
-			}
-			case NAT_DETECTION_SOURCE_IP:
-			{
-				this->src_seen = TRUE;
-				if (!this->src_matched)
-				{
-					hash = notify->get_notification_data(notify);
-					DBG3(DBG_IKE, "received src_hash %B", &hash);
-					if (chunk_equals(hash, src_hash))
-					{
-						this->src_matched = TRUE;
-					}
-				}
-				break;
-			}
-			default:
-				break;
-		}
-	}
-	enumerator->destroy(enumerator);
-
-	chunk_free(&src_hash);
-	chunk_free(&dst_hash);
-
-	if (this->src_seen && this->dst_seen)
-	{
-		this->ike_sa->enable_extension(this->ike_sa, EXT_NATT);
-
-		this->ike_sa->set_condition(this->ike_sa, COND_NAT_HERE,
-									!this->dst_matched);
-		this->ike_sa->set_condition(this->ike_sa, COND_NAT_THERE,
-									!this->src_matched);
-		config = this->ike_sa->get_ike_cfg(this->ike_sa);
-		if (this->dst_matched && this->src_matched &&
-			config->force_encap(config))
-		{
-			this->ike_sa->set_condition(this->ike_sa, COND_NAT_FAKE, TRUE);
-		}
-	}
-}
-
-/**
- * Implementation of task_t.process for initiator
- */
-static status_t process_i(private_ike_natd_t *this, message_t *message)
-{
-	process_payloads(this, message);
-
-	if (message->get_exchange_type(message) == IKE_SA_INIT)
-	{
-		peer_cfg_t *peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
-
-#ifdef ME
-		/* if we are on a mediated connection we have already switched to
-		 * port 4500 and the correct destination port is already configured,
-		 * therefore we must not switch again */
-		if (peer_cfg->get_mediated_by(peer_cfg))
-		{
-			return SUCCESS;
-		}
-#endif /* ME */
-
-		if (this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY) ||
-#ifdef ME
-			/* if we are on a mediation connection we switch to port 4500 even
-			 * if no NAT is detected. */
-			peer_cfg->is_mediation(peer_cfg) ||
-#endif /* ME */
-			/* if peer supports NAT-T, we switch to port 4500 even
-			 * if no NAT is detected. MOBIKE requires this. */
-			(peer_cfg->use_mobike(peer_cfg) &&
-			 this->ike_sa->supports_extension(this->ike_sa, EXT_NATT)))
-		{
-			host_t *me, *other;
-
-			/* do not switch if we have a custom port from mobike/NAT */
-			me = this->ike_sa->get_my_host(this->ike_sa);
-			if (me->get_port(me) == IKEV2_UDP_PORT)
-			{
-				me->set_port(me, IKEV2_NATT_PORT);
-			}
-			other = this->ike_sa->get_other_host(this->ike_sa);
-			if (other->get_port(other) == IKEV2_UDP_PORT)
-			{
-				other->set_port(other, IKEV2_NATT_PORT);
-			}
-		}
-	}
-
-	return SUCCESS;
-}
-
-/**
- * Implementation of task_t.process for initiator
- */
-static status_t build_i(private_ike_natd_t *this, message_t *message)
-{
-	notify_payload_t *notify;
-	enumerator_t *enumerator;
-	host_t *host;
-
-	if (this->hasher == NULL)
-	{
-		DBG1(DBG_IKE, "unable to build NATD payloads, SHA1 not supported");
-		return NEED_MORE;
-	}
-
-	/* destination is always set */
-	host = message->get_destination(message);
-	notify = build_natd_payload(this, NAT_DETECTION_DESTINATION_IP, host);
-	message->add_payload(message, (payload_t*)notify);
-
-	/* source may be any, we have 3 possibilities to get our source address:
-	 * 1. It is defined in the config => use the one of the IKE_SA
-	 * 2. We do a routing lookup in the kernel interface
-	 * 3. Include all possbile addresses
-	 */
-	host = message->get_source(message);
-	if (!host->is_anyaddr(host))
-	{	/* 1. */
-		notify = build_natd_payload(this, NAT_DETECTION_SOURCE_IP, host);
-		message->add_payload(message, (payload_t*)notify);
-	}
-	else
-	{
-		host = charon->kernel_interface->get_source_addr(charon->kernel_interface,
-							this->ike_sa->get_other_host(this->ike_sa), NULL);
-		if (host)
-		{	/* 2. */
-			host->set_port(host, IKEV2_UDP_PORT);
-			notify = build_natd_payload(this, NAT_DETECTION_SOURCE_IP, host);
-			message->add_payload(message, (payload_t*)notify);
-			host->destroy(host);
-		}
-		else
-		{	/* 3. */
-			enumerator = charon->kernel_interface->create_address_enumerator(
-										charon->kernel_interface, FALSE, FALSE);
-			while (enumerator->enumerate(enumerator, (void**)&host))
-			{
-				/* apply port 500 to host, but work on a copy */
-				host = host->clone(host);
-				host->set_port(host, IKEV2_UDP_PORT);
-				notify = build_natd_payload(this, NAT_DETECTION_SOURCE_IP, host);
-				host->destroy(host);
-				message->add_payload(message, (payload_t*)notify);
-			}
-			enumerator->destroy(enumerator);
-		}
-	}
-	return NEED_MORE;
-}
-
-/**
- * Implementation of task_t.build for responder
- */
-static status_t build_r(private_ike_natd_t *this, message_t *message)
-{
-	notify_payload_t *notify;
-	host_t *me, *other;
-
-	/* only add notifies on successfull responses. */
-	if (message->get_exchange_type(message) == IKE_SA_INIT &&
-		message->get_payload(message, SECURITY_ASSOCIATION) == NULL)
-	{
-		return SUCCESS;
-	}
-
-	if (this->src_seen && this->dst_seen)
-	{
-		if (this->hasher == NULL)
-		{
-			DBG1(DBG_IKE, "unable to build NATD payloads, SHA1 not supported");
-			return SUCCESS;
-		}
-
-		/* initiator seems to support NAT detection, add response */
-		me = message->get_source(message);
-		notify = build_natd_payload(this, NAT_DETECTION_SOURCE_IP, me);
-		message->add_payload(message, (payload_t*)notify);
-
-		other = message->get_destination(message);
-		notify = build_natd_payload(this, NAT_DETECTION_DESTINATION_IP, other);
-		message->add_payload(message, (payload_t*)notify);
-	}
-	return SUCCESS;
-}
-
-/**
- * Implementation of task_t.process for responder
- */
-static status_t process_r(private_ike_natd_t *this, message_t *message)
-{
-	process_payloads(this, message);
-
-	return NEED_MORE;
-}
-
-/**
- * Implementation of task_t.get_type
- */
-static task_type_t get_type(private_ike_natd_t *this)
-{
-	return IKE_NATD;
-}
-
-/**
- * Implementation of task_t.migrate
- */
-static void migrate(private_ike_natd_t *this, ike_sa_t *ike_sa)
-{
-	this->ike_sa = ike_sa;
-	this->src_seen = FALSE;
-	this->dst_seen = FALSE;
-	this->src_matched = FALSE;
-	this->dst_matched = FALSE;
-	this->mapping_changed = FALSE;
-}
-
-/**
- * Implementation of ike_natd_t.has_mapping_changed
- */
-static bool has_mapping_changed(private_ike_natd_t *this)
-{
-	return this->mapping_changed;
-}
-
-/**
- * Implementation of task_t.destroy
- */
-static void destroy(private_ike_natd_t *this)
-{
-	DESTROY_IF(this->hasher);
-	free(this);
-}
-
-/*
- * Described in header.
- */
-ike_natd_t *ike_natd_create(ike_sa_t *ike_sa, bool initiator)
-{
-	private_ike_natd_t *this = malloc_thing(private_ike_natd_t);
-
-	this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
-	this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
-	this->public.task.destroy = (void(*)(task_t*))destroy;
-
-	if (initiator)
-	{
-		this->public.task.build = (status_t(*)(task_t*,message_t*))build_i;
-		this->public.task.process = (status_t(*)(task_t*,message_t*))process_i;
-	}
-	else
-	{
-		this->public.task.build = (status_t(*)(task_t*,message_t*))build_r;
-		this->public.task.process = (status_t(*)(task_t*,message_t*))process_r;
-	}
-
-	this->public.has_mapping_changed = (bool(*)(ike_natd_t*))has_mapping_changed;
-
-	this->ike_sa = ike_sa;
-	this->initiator = initiator;
-	this->hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
-	this->src_seen = FALSE;
-	this->dst_seen = FALSE;
-	this->src_matched = FALSE;
-	this->dst_matched = FALSE;
-	this->mapping_changed = FALSE;
-
-	return &this->public;
-}
diff --git a/src/charon/sa/tasks/ike_natd.h b/src/charon/sa/tasks/ike_natd.h
deleted file mode 100644
index 97b652ead..000000000
--- a/src/charon/sa/tasks/ike_natd.h
+++ /dev/null
@@ -1,59 +0,0 @@
-/*
- * Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup ike_natd ike_natd
- * @{ @ingroup tasks
- */
-
-#ifndef IKE_NATD_H_
-#define IKE_NATD_H_
-
-typedef struct ike_natd_t ike_natd_t;
-
-#include <library.h>
-#include <sa/ike_sa.h>
-#include <sa/tasks/task.h>
-
-/**
- * Task of type ike_natd, detects NAT situation in IKE_SA_INIT exchange.
- */
-struct ike_natd_t {
-
-	/**
-	 * Implements the task_t interface
-	 */
-	task_t task;
-
-	/**
-	 * Check if the NAT mapping has changed for our address.
-	 *
-	 * MOBIKE uses NAT payloads in DPD to detect changes in the NAT mappings.
-	 *
-	 * @return 	TRUE if mappings have changed
-	 */
-	bool (*has_mapping_changed)(ike_natd_t *this);
-};
-
-/**
- * Create a new ike_natd task.
- *
- * @param ike_sa		IKE_SA this task works for
- * @param initiator		TRUE if thask is the original initator
- * @return			  ike_natd task to handle by the task_manager
- */
-ike_natd_t *ike_natd_create(ike_sa_t *ike_sa, bool initiator);
-
-#endif /** IKE_NATD_H_ @}*/
diff --git a/src/charon/sa/tasks/ike_reauth.c b/src/charon/sa/tasks/ike_reauth.c
deleted file mode 100644
index ac89c358b..000000000
--- a/src/charon/sa/tasks/ike_reauth.c
+++ /dev/null
@@ -1,196 +0,0 @@
-/*
- * Copyright (C) 2006-2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "ike_reauth.h"
-
-#include <daemon.h>
-#include <sa/tasks/ike_delete.h>
-
-
-typedef struct private_ike_reauth_t private_ike_reauth_t;
-
-/**
- * Private members of a ike_reauth_t task.
- */
-struct private_ike_reauth_t {
-
-	/**
-	 * Public methods and task_t interface.
-	 */
-	ike_reauth_t public;
-
-	/**
-	 * Assigned IKE_SA.
-	 */
-	ike_sa_t *ike_sa;
-
-	/**
-	 * reused ike_delete task
-	 */
-	ike_delete_t *ike_delete;
-};
-
-/**
- * Implementation of task_t.build for initiator
- */
-static status_t build_i(private_ike_reauth_t *this, message_t *message)
-{
-	return this->ike_delete->task.build(&this->ike_delete->task, message);
-}
-
-/**
- * Implementation of task_t.process for initiator
- */
-static status_t process_i(private_ike_reauth_t *this, message_t *message)
-{
-	ike_sa_t *new;
-	host_t *host;
-	iterator_t *iterator;
-	child_sa_t *child_sa;
-	peer_cfg_t *peer_cfg;
-
-	/* process delete response first */
-	this->ike_delete->task.process(&this->ike_delete->task, message);
-
-	peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
-
-	/* reauthenticate only if we have children */
-	iterator = this->ike_sa->create_child_sa_iterator(this->ike_sa);
-	if (iterator->get_count(iterator) == 0
-#ifdef ME
-		/* we allow peers to reauth mediation connections (without children) */
-		&& !peer_cfg->is_mediation(peer_cfg)
-#endif /* ME */
-		)
-	{
-		DBG1(DBG_IKE, "unable to reauthenticate IKE_SA, no CHILD_SA to recreate");
-		iterator->destroy(iterator);
-		return FAILED;
-	}
-
-	new = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager, TRUE);
-
-	new->set_peer_cfg(new, peer_cfg);
-	host = this->ike_sa->get_other_host(this->ike_sa);
-	new->set_other_host(new, host->clone(host));
-	host = this->ike_sa->get_my_host(this->ike_sa);
-	new->set_my_host(new, host->clone(host));
-	/* if we already have a virtual IP, we reuse it */
-	host = this->ike_sa->get_virtual_ip(this->ike_sa, TRUE);
-	if (host)
-	{
-		new->set_virtual_ip(new, TRUE, host);
-	}
-
-#ifdef ME
-	/* we initiate the new IKE_SA of the mediation connection without CHILD_SA */
-	if (peer_cfg->is_mediation(peer_cfg))
-	{
-		if (new->initiate(new, NULL, 0, NULL, NULL) == DESTROY_ME)
-		{
-			charon->ike_sa_manager->checkin_and_destroy(
-								charon->ike_sa_manager, new);
-			/* set threads active IKE_SA after checkin */
-			charon->bus->set_sa(charon->bus, this->ike_sa);
-			DBG1(DBG_IKE, "reauthenticating IKE_SA failed");
-			return FAILED;
-		}
-	}
-#endif /* ME */
-
-	while (iterator->iterate(iterator, (void**)&child_sa))
-	{
-		switch (child_sa->get_state(child_sa))
-		{
-			case CHILD_ROUTED:
-			{
-				/* move routed child directly */
-				iterator->remove(iterator);
-				new->add_child_sa(new, child_sa);
-				break;
-			}
-			default:
-			{
-				/* initiate/queue all child SAs */
-				child_cfg_t *child_cfg = child_sa->get_config(child_sa);
-				child_cfg->get_ref(child_cfg);
-				if (new->initiate(new, child_cfg, 0, NULL, NULL) == DESTROY_ME)
-				{
-					iterator->destroy(iterator);
-					charon->ike_sa_manager->checkin_and_destroy(
-										charon->ike_sa_manager, new);
-					/* set threads active IKE_SA after checkin */
-					charon->bus->set_sa(charon->bus, this->ike_sa);
-					DBG1(DBG_IKE, "reauthenticating IKE_SA failed");
-					return FAILED;
-				}
-				break;
-			}
-		}
-	}
-	iterator->destroy(iterator);
-	charon->ike_sa_manager->checkin(charon->ike_sa_manager, new);
-	/* set threads active IKE_SA after checkin */
-	charon->bus->set_sa(charon->bus, this->ike_sa);
-
-	/* we always return failed to delete the obsolete IKE_SA */
-	return FAILED;
-}
-
-/**
- * Implementation of task_t.get_type
- */
-static task_type_t get_type(private_ike_reauth_t *this)
-{
-	return IKE_REAUTH;
-}
-
-/**
- * Implementation of task_t.migrate
- */
-static void migrate(private_ike_reauth_t *this, ike_sa_t *ike_sa)
-{
-	this->ike_delete->task.migrate(&this->ike_delete->task, ike_sa);
-	this->ike_sa = ike_sa;
-}
-
-/**
- * Implementation of task_t.destroy
- */
-static void destroy(private_ike_reauth_t *this)
-{
-	this->ike_delete->task.destroy(&this->ike_delete->task);
-	free(this);
-}
-
-/*
- * Described in header.
- */
-ike_reauth_t *ike_reauth_create(ike_sa_t *ike_sa)
-{
-	private_ike_reauth_t *this = malloc_thing(private_ike_reauth_t);
-
-	this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
-	this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
-	this->public.task.destroy = (void(*)(task_t*))destroy;
-	this->public.task.build = (status_t(*)(task_t*,message_t*))build_i;
-	this->public.task.process = (status_t(*)(task_t*,message_t*))process_i;
-
-	this->ike_sa = ike_sa;
-	this->ike_delete = ike_delete_create(ike_sa, TRUE);
-
-	return &this->public;
-}
-
diff --git a/src/charon/sa/tasks/ike_reauth.h b/src/charon/sa/tasks/ike_reauth.h
deleted file mode 100644
index 5e97b719c..000000000
--- a/src/charon/sa/tasks/ike_reauth.h
+++ /dev/null
@@ -1,51 +0,0 @@
-/*
- * Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup ike_reauth ike_reauth
- * @{ @ingroup tasks
- */
-
-#ifndef IKE_REAUTH_H_
-#define IKE_REAUTH_H_
-
-typedef struct ike_reauth_t ike_reauth_t;
-
-#include <library.h>
-#include <sa/ike_sa.h>
-#include <sa/tasks/task.h>
-
-/**
- * Task of type ike_reauth, reestablishes an IKE_SA.
- */
-struct ike_reauth_t {
-
-	/**
-	 * Implements the task_t interface
-	 */
-	task_t task;
-};
-
-/**
- * Create a new ike_reauth task.
- *
- * This task is initiator only.
- *
- * @param ike_sa		IKE_SA this task works for
- * @return				ike_reauth task to handle by the task_manager
- */
-ike_reauth_t *ike_reauth_create(ike_sa_t *ike_sa);
-
-#endif /** IKE_REAUTH_H_ @}*/
diff --git a/src/charon/sa/tasks/ike_rekey.c b/src/charon/sa/tasks/ike_rekey.c
deleted file mode 100644
index a2275e796..000000000
--- a/src/charon/sa/tasks/ike_rekey.c
+++ /dev/null
@@ -1,409 +0,0 @@
-/*
- * Copyright (C) 2005-2008 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "ike_rekey.h"
-
-#include <daemon.h>
-#include <encoding/payloads/notify_payload.h>
-#include <sa/tasks/ike_init.h>
-#include <sa/tasks/ike_delete.h>
-#include <processing/jobs/delete_ike_sa_job.h>
-#include <processing/jobs/rekey_ike_sa_job.h>
-
-
-typedef struct private_ike_rekey_t private_ike_rekey_t;
-
-/**
- * Private members of a ike_rekey_t task.
- */
-struct private_ike_rekey_t {
-
-	/**
-	 * Public methods and task_t interface.
-	 */
-	ike_rekey_t public;
-
-	/**
-	 * Assigned IKE_SA.
-	 */
-	ike_sa_t *ike_sa;
-
-	/**
-	 * New IKE_SA which replaces the current one
-	 */
-	ike_sa_t *new_sa;
-
-	/**
-	 * Are we the initiator?
-	 */
-	bool initiator;
-
-	/**
-	 * the IKE_INIT task which is reused to simplify rekeying
-	 */
-	ike_init_t *ike_init;
-
-	/**
-	 * IKE_DELETE task to delete the old IKE_SA after rekeying was successful
-	 */
-	ike_delete_t *ike_delete;
-
-	/**
-	 * colliding task detected by the task manager
-	 */
-	task_t *collision;
-};
-
-/**
- * Implementation of task_t.build for initiator, after rekeying
- */
-static status_t build_i_delete(private_ike_rekey_t *this, message_t *message)
-{
-	/* update exchange type to INFORMATIONAL for the delete */
-	message->set_exchange_type(message, INFORMATIONAL);
-
-	return this->ike_delete->task.build(&this->ike_delete->task, message);
-}
-
-/**
- * Implementation of task_t.process for initiator, after rekeying
- */
-static status_t process_i_delete(private_ike_rekey_t *this, message_t *message)
-{
-	return this->ike_delete->task.process(&this->ike_delete->task, message);
-}
-
-/**
- * Implementation of task_t.build for initiator
- */
-static status_t build_i(private_ike_rekey_t *this, message_t *message)
-{
-	peer_cfg_t *peer_cfg;
-	host_t *other_host;
-
-	/* create new SA only on first try */
-	if (this->new_sa == NULL)
-	{
-		this->new_sa = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager,
-															TRUE);
-
-		peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
-		other_host = this->ike_sa->get_other_host(this->ike_sa);
-		this->new_sa->set_peer_cfg(this->new_sa, peer_cfg);
-		this->new_sa->set_other_host(this->new_sa, other_host->clone(other_host));
-		this->ike_init = ike_init_create(this->new_sa, TRUE, this->ike_sa);
-		this->ike_sa->set_state(this->ike_sa, IKE_REKEYING);
-	}
-	this->ike_init->task.build(&this->ike_init->task, message);
-
-	return NEED_MORE;
-}
-
-/**
- * Implementation of task_t.process for responder
- */
-static status_t process_r(private_ike_rekey_t *this, message_t *message)
-{
-	peer_cfg_t *peer_cfg;
-	iterator_t *iterator;
-	child_sa_t *child_sa;
-
-	if (this->ike_sa->get_state(this->ike_sa) == IKE_DELETING)
-	{
-		DBG1(DBG_IKE, "peer initiated rekeying, but we are deleting");
-		return NEED_MORE;
-	}
-
-	iterator = this->ike_sa->create_child_sa_iterator(this->ike_sa);
-	while (iterator->iterate(iterator, (void**)&child_sa))
-	{
-		switch (child_sa->get_state(child_sa))
-		{
-			case CHILD_CREATED:
-			case CHILD_REKEYING:
-			case CHILD_DELETING:
-				/* we do not allow rekeying while we have children in-progress */
-				DBG1(DBG_IKE, "peer initiated rekeying, but a child is half-open");
-				iterator->destroy(iterator);
-				return NEED_MORE;
-			default:
-				break;
-		}
-	}
-	iterator->destroy(iterator);
-
-	this->new_sa = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager,
-														FALSE);
-
-	peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
-	this->new_sa->set_peer_cfg(this->new_sa, peer_cfg);
-	this->ike_init = ike_init_create(this->new_sa, FALSE, this->ike_sa);
-	this->ike_init->task.process(&this->ike_init->task, message);
-
-	return NEED_MORE;
-}
-
-/**
- * Implementation of task_t.build for responder
- */
-static status_t build_r(private_ike_rekey_t *this, message_t *message)
-{
-	if (this->new_sa == NULL)
-	{
-		/* IKE_SA/a CHILD_SA is in an inacceptable state, deny rekeying */
-		message->add_notify(message, TRUE, NO_PROPOSAL_CHOSEN, chunk_empty);
-		return SUCCESS;
-	}
-
-	if (this->ike_init->task.build(&this->ike_init->task, message) == FAILED)
-	{
-		return SUCCESS;
-	}
-
-	this->ike_sa->set_state(this->ike_sa, IKE_REKEYING);
-	this->new_sa->set_state(this->new_sa, IKE_ESTABLISHED);
-	DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
-		 this->new_sa->get_name(this->new_sa),
-		 this->new_sa->get_unique_id(this->new_sa),
-		 this->ike_sa->get_my_host(this->ike_sa),
-		 this->ike_sa->get_my_id(this->ike_sa),
-		 this->ike_sa->get_other_host(this->ike_sa),
-		 this->ike_sa->get_other_id(this->ike_sa));
-
-	return SUCCESS;
-}
-
-/**
- * Implementation of task_t.process for initiator
- */
-static status_t process_i(private_ike_rekey_t *this, message_t *message)
-{
-	if (message->get_notify(message, NO_ADDITIONAL_SAS))
-	{
-		DBG1(DBG_IKE, "peer seems to not support IKE rekeying, "
-			 "starting reauthentication");
-		this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
-		charon->processor->queue_job(charon->processor,
-				(job_t*)rekey_ike_sa_job_create(
-							this->ike_sa->get_id(this->ike_sa), TRUE));
-		return SUCCESS;
-	}
-
-	switch (this->ike_init->task.process(&this->ike_init->task, message))
-	{
-		case FAILED:
-			/* rekeying failed, fallback to old SA */
-			if (!(this->collision && (
-				this->collision->get_type(this->collision) == IKE_DELETE ||
-				this->collision->get_type(this->collision) == IKE_REAUTH)))
-			{
-				job_t *job;
-				u_int32_t retry = RETRY_INTERVAL - (random() % RETRY_JITTER);
-				job = (job_t*)rekey_ike_sa_job_create(
-										this->ike_sa->get_id(this->ike_sa), FALSE);
-				DBG1(DBG_IKE, "IKE_SA rekeying failed, "
-										"trying again in %d seconds", retry);
-				this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
-				charon->scheduler->schedule_job(charon->scheduler, job, retry);
-			}
-			return SUCCESS;
-		case NEED_MORE:
-			/* bad dh group, try again */
-			this->ike_init->task.migrate(&this->ike_init->task, this->new_sa);
-			return NEED_MORE;
-		default:
-			break;
-	}
-
-	this->new_sa->set_state(this->new_sa, IKE_ESTABLISHED);
-	DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
-		 this->new_sa->get_name(this->new_sa),
-		 this->new_sa->get_unique_id(this->new_sa),
-		 this->ike_sa->get_my_host(this->ike_sa),
-		 this->ike_sa->get_my_id(this->ike_sa),
-		 this->ike_sa->get_other_host(this->ike_sa),
-		 this->ike_sa->get_other_id(this->ike_sa));
-
-	/* check for collisions */
-	if (this->collision &&
-		this->collision->get_type(this->collision) == IKE_REKEY)
-	{
-		chunk_t this_nonce, other_nonce;
-		host_t *host;
-		private_ike_rekey_t *other = (private_ike_rekey_t*)this->collision;
-
-		this_nonce = this->ike_init->get_lower_nonce(this->ike_init);
-		other_nonce = other->ike_init->get_lower_nonce(other->ike_init);
-
-		/* if we have the lower nonce, delete rekeyed SA. If not, delete
-		 * the redundant. */
-		if (memcmp(this_nonce.ptr, other_nonce.ptr,
-				   min(this_nonce.len, other_nonce.len)) < 0)
-		{
-			/* peer should delete this SA. Add a timeout just in case. */
-			job_t *job = (job_t*)delete_ike_sa_job_create(
-									other->new_sa->get_id(other->new_sa), TRUE);
-			charon->scheduler->schedule_job(charon->scheduler, job, 10);
-			DBG1(DBG_IKE, "IKE_SA rekey collision won, deleting rekeyed IKE_SA");
-			charon->ike_sa_manager->checkin(charon->ike_sa_manager, other->new_sa);
-			other->new_sa = NULL;
-		}
-		else
-		{
-			DBG1(DBG_IKE, "IKE_SA rekey collision lost, deleting redundant IKE_SA");
-			/* apply host for a proper delete */
-			host = this->ike_sa->get_my_host(this->ike_sa);
-			this->new_sa->set_my_host(this->new_sa, host->clone(host));
-			host = this->ike_sa->get_other_host(this->ike_sa);
-			this->new_sa->set_other_host(this->new_sa, host->clone(host));
-			this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
-			if (this->new_sa->delete(this->new_sa) == DESTROY_ME)
-			{
-				charon->ike_sa_manager->checkin_and_destroy(
-										charon->ike_sa_manager, this->new_sa);
-			}
-			else
-			{
-				charon->ike_sa_manager->checkin(
-										charon->ike_sa_manager, this->new_sa);
-			}
-			/* set threads active IKE_SA after checkin */
-			charon->bus->set_sa(charon->bus, this->ike_sa);
-			/* inherit to other->new_sa in destroy() */
-			this->new_sa = other->new_sa;
-			other->new_sa = NULL;
-			return SUCCESS;
-		}
-		/* set threads active IKE_SA after checkin */
-		charon->bus->set_sa(charon->bus, this->ike_sa);
-	}
-
-	/* rekeying successful, delete the IKE_SA using a subtask */
-	this->ike_delete = ike_delete_create(this->ike_sa, TRUE);
-	this->public.task.build = (status_t(*)(task_t*,message_t*))build_i_delete;
-	this->public.task.process = (status_t(*)(task_t*,message_t*))process_i_delete;
-
-	return NEED_MORE;
-}
-
-/**
- * Implementation of task_t.get_type
- */
-static task_type_t get_type(private_ike_rekey_t *this)
-{
-	return IKE_REKEY;
-}
-
-static void collide(private_ike_rekey_t* this, task_t *other)
-{
-	DESTROY_IF(this->collision);
-	this->collision = other;
-}
-
-/**
- * Implementation of task_t.migrate
- */
-static void migrate(private_ike_rekey_t *this, ike_sa_t *ike_sa)
-{
-	if (this->ike_init)
-	{
-		this->ike_init->task.destroy(&this->ike_init->task);
-	}
-	if (this->ike_delete)
-	{
-		this->ike_delete->task.destroy(&this->ike_delete->task);
-	}
-	if (this->new_sa)
-	{
-		charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager,
-													this->new_sa);
-		/* set threads active IKE_SA after checkin */
-		charon->bus->set_sa(charon->bus, this->ike_sa);
-	}
-	DESTROY_IF(this->collision);
-
-	this->collision = NULL;
-	this->ike_sa = ike_sa;
-	this->new_sa = NULL;
-	this->ike_init = NULL;
-	this->ike_delete = NULL;
-}
-
-/**
- * Implementation of task_t.destroy
- */
-static void destroy(private_ike_rekey_t *this)
-{
-	if (this->new_sa)
-	{
-		if (this->new_sa->get_state(this->new_sa) == IKE_ESTABLISHED &&
-			this->new_sa->inherit(this->new_sa, this->ike_sa) != DESTROY_ME)
-		{
-			/* invoke hook if rekeying was successful */
-			charon->bus->ike_rekey(charon->bus, this->ike_sa, this->new_sa);
-			charon->ike_sa_manager->checkin(charon->ike_sa_manager, this->new_sa);
-		}
-		else
-		{
-			charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager,
-														this->new_sa);
-		}
-		/* set threads active IKE_SA after checkin */
-		charon->bus->set_sa(charon->bus, this->ike_sa);
-	}
-	if (this->ike_init)
-	{
-		this->ike_init->task.destroy(&this->ike_init->task);
-	}
-	if (this->ike_delete)
-	{
-		this->ike_delete->task.destroy(&this->ike_delete->task);
-	}
-	DESTROY_IF(this->collision);
-	free(this);
-}
-
-/*
- * Described in header.
- */
-ike_rekey_t *ike_rekey_create(ike_sa_t *ike_sa, bool initiator)
-{
-	private_ike_rekey_t *this = malloc_thing(private_ike_rekey_t);
-
-	this->public.collide = (void(*)(ike_rekey_t*,task_t*))collide;
-	this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
-	this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
-	this->public.task.destroy = (void(*)(task_t*))destroy;
-	if (initiator)
-	{
-		this->public.task.build = (status_t(*)(task_t*,message_t*))build_i;
-		this->public.task.process = (status_t(*)(task_t*,message_t*))process_i;
-	}
-	else
-	{
-		this->public.task.build = (status_t(*)(task_t*,message_t*))build_r;
-		this->public.task.process = (status_t(*)(task_t*,message_t*))process_r;
-	}
-
-	this->ike_sa = ike_sa;
-	this->new_sa = NULL;
-	this->ike_init = NULL;
-	this->ike_delete = NULL;
-	this->initiator = initiator;
-	this->collision = NULL;
-
-	return &this->public;
-}
diff --git a/src/charon/sa/tasks/ike_rekey.h b/src/charon/sa/tasks/ike_rekey.h
deleted file mode 100644
index 1c9550768..000000000
--- a/src/charon/sa/tasks/ike_rekey.h
+++ /dev/null
@@ -1,61 +0,0 @@
-/*
- * Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup ike_rekey ike_rekey
- * @{ @ingroup tasks
- */
-
-#ifndef IKE_REKEY_H_
-#define IKE_REKEY_H_
-
-typedef struct ike_rekey_t ike_rekey_t;
-
-#include <library.h>
-#include <sa/ike_sa.h>
-#include <sa/tasks/task.h>
-
-/**
- * Task of type IKE_REKEY, rekey an established IKE_SA.
- */
-struct ike_rekey_t {
-
-	/**
-	 * Implements the task_t interface
-	 */
-	task_t task;
-
-	/**
-	 * Register a rekeying task which collides with this one.
-	 *
-	 * If two peers initiate rekeying at the same time, the collision must
-	 * be handled gracefully. The task manager is aware of what exchanges
-	 * are going on and notifies the outgoing task by passing the incoming.
-	 *
-	 * @param other		incoming task
-	 */
-	void (*collide)(ike_rekey_t* this, task_t *other);
-};
-
-/**
- * Create a new IKE_REKEY task.
- *
- * @param ike_sa		IKE_SA this task works for
- * @param initiator		TRUE for initiator, FALSE for responder
- * @return				IKE_REKEY task to handle by the task_manager
- */
-ike_rekey_t *ike_rekey_create(ike_sa_t *ike_sa, bool initiator);
-
-#endif /** IKE_REKEY_H_ @}*/
diff --git a/src/charon/sa/tasks/ike_vendor.c b/src/charon/sa/tasks/ike_vendor.c
deleted file mode 100644
index 7c435b6d1..000000000
--- a/src/charon/sa/tasks/ike_vendor.c
+++ /dev/null
@@ -1,139 +0,0 @@
-/*
- * Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "ike_vendor.h"
-
-#include <daemon.h>
-#include <encoding/payloads/vendor_id_payload.h>
-
-typedef struct private_ike_vendor_t private_ike_vendor_t;
-
-/**
- * Private data of an ike_vendor_t object.
- */
-struct private_ike_vendor_t {
-
-	/**
-	 * Public ike_vendor_t interface.
-	 */
-	ike_vendor_t public;
-
-	/**
-	 * Associated IKE_SA
-	 */
-	ike_sa_t *ike_sa;
-
-	/**
-	 * Are we the inititator of this task
-	 */
-	bool initiator;
-};
-
-/**
- * strongSwan specific vendor ID without version, MD5("strongSwan")
- */
-static chunk_t strongswan_vid = chunk_from_chars(
-	0x88,0x2f,0xe5,0x6d,0x6f,0xd2,0x0d,0xbc,
-	0x22,0x51,0x61,0x3b,0x2e,0xbe,0x5b,0xeb
-);
-
-METHOD(task_t, build, status_t,
-	private_ike_vendor_t *this, message_t *message)
-{
-	if (lib->settings->get_bool(lib->settings,
-								"charon.send_vendor_id", FALSE))
-	{
-		vendor_id_payload_t *vid;
-
-		vid = vendor_id_payload_create_data(chunk_clone(strongswan_vid));
-		message->add_payload(message, &vid->payload_interface);
-	}
-
-	return this->initiator ? NEED_MORE : SUCCESS;
-}
-
-METHOD(task_t, process, status_t,
-	private_ike_vendor_t *this, message_t *message)
-{
-	enumerator_t *enumerator;
-	payload_t *payload;
-
-	enumerator = message->create_payload_enumerator(message);
-	while (enumerator->enumerate(enumerator, &payload))
-	{
-		if (payload->get_type(payload) == VENDOR_ID)
-		{
-			vendor_id_payload_t *vid;
-			chunk_t data;
-
-			vid = (vendor_id_payload_t*)payload;
-			data = vid->get_data(vid);
-
-			if (chunk_equals(data, strongswan_vid))
-			{
-				DBG1(DBG_IKE, "received strongSwan vendor id");
-				this->ike_sa->enable_extension(this->ike_sa, EXT_STRONGSWAN);
-			}
-			else
-			{
-				DBG1(DBG_ENC, "received unknown vendor id: %#B", &data);
-			}
-		}
-	}
-	enumerator->destroy(enumerator);
-
-	return this->initiator ? SUCCESS : NEED_MORE;
-}
-
-METHOD(task_t, migrate, void,
-	private_ike_vendor_t *this, ike_sa_t *ike_sa)
-{
-	this->ike_sa = ike_sa;
-}
-
-METHOD(task_t, get_type, task_type_t,
-	private_ike_vendor_t *this)
-{
-	return IKE_VENDOR;
-}
-
-METHOD(task_t, destroy, void,
-	private_ike_vendor_t *this)
-{
-	free(this);
-}
-
-/**
- * See header
- */
-ike_vendor_t *ike_vendor_create(ike_sa_t *ike_sa, bool initiator)
-{
-	private_ike_vendor_t *this;
-
-	INIT(this,
-		.public.task = {
-			.build = _build,
-			.process = _process,
-			.migrate = _migrate,
-			.get_type = _get_type,
-			.destroy = _destroy,
-		},
-		.initiator = initiator,
-		.ike_sa = ike_sa,
-	);
-
-	return &this->public;
-}
-
diff --git a/src/charon/sa/tasks/ike_vendor.h b/src/charon/sa/tasks/ike_vendor.h
deleted file mode 100644
index dcdd37424..000000000
--- a/src/charon/sa/tasks/ike_vendor.h
+++ /dev/null
@@ -1,49 +0,0 @@
-/*
- * Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup ike_vendor ike_vendor
- * @{ @ingroup tasks
- */
-
-#ifndef IKE_VENDOR_H_
-#define IKE_VENDOR_H_
-
-typedef struct ike_vendor_t ike_vendor_t;
-
-#include <library.h>
-#include <sa/ike_sa.h>
-#include <sa/tasks/task.h>
-
-/**
- * Vendor ID processing task.
- */
-struct ike_vendor_t {
-
-	/**
-	 * Implements task interface.
-	 */
-	task_t task;
-};
-
-/**
- * Create a ike_vendor instance.
- *
- * @param ike_sa		IKE_SA this task works for
- * @param initiator		TRUE if thask is the original initator
- */
-ike_vendor_t *ike_vendor_create(ike_sa_t *ike_sa, bool initiator);
-
-#endif /** IKE_VENDOR_H_ @}*/
diff --git a/src/charon/sa/tasks/task.c b/src/charon/sa/tasks/task.c
deleted file mode 100644
index 0d7383141..000000000
--- a/src/charon/sa/tasks/task.c
+++ /dev/null
@@ -1,58 +0,0 @@
-/*
- * Copyright (C) 2007 Tobias Brunner
- * Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "task.h"
-
-#ifdef ME
-ENUM(task_type_names, IKE_INIT, CHILD_REKEY,
-	"IKE_INIT",
-	"IKE_NATD",
-	"IKE_MOBIKE",
-	"IKE_AUTHENTICATE",
-	"IKE_AUTH_LIFETIME",
-	"IKE_CERT_PRE",
-	"IKE_CERT_POST",
-	"IKE_CONFIG",
-	"IKE_REKEY",
-	"IKE_REAUTH",
-	"IKE_DELETE",
-	"IKE_DPD",
-	"IKE_VENDOR",
-	"IKE_ME",
-	"CHILD_CREATE",
-	"CHILD_DELETE",
-	"CHILD_REKEY",
-);
-#else
-ENUM(task_type_names, IKE_INIT, CHILD_REKEY,
-	"IKE_INIT",
-	"IKE_NATD",
-	"IKE_MOBIKE",
-	"IKE_AUTHENTICATE",
-	"IKE_AUTH_LIFETIME",
-	"IKE_CERT_PRE",
-	"IKE_CERT_POST",
-	"IKE_CONFIG",
-	"IKE_REKEY",
-	"IKE_REAUTH",
-	"IKE_DELETE",
-	"IKE_DPD",
-	"IKE_VENDOR",
-	"CHILD_CREATE",
-	"CHILD_DELETE",
-	"CHILD_REKEY",
-);
-#endif /* ME */
diff --git a/src/charon/sa/tasks/task.h b/src/charon/sa/tasks/task.h
deleted file mode 100644
index 4468f2ebe..000000000
--- a/src/charon/sa/tasks/task.h
+++ /dev/null
@@ -1,150 +0,0 @@
-/*
- * Copyright (C) 2007 Tobias Brunner
- * Copyright (C) 2006 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup task task
- * @{ @ingroup tasks
- */
-
-#ifndef TASK_H_
-#define TASK_H_
-
-typedef enum task_type_t task_type_t;
-typedef struct task_t task_t;
-
-#include <library.h>
-#include <sa/ike_sa.h>
-#include <encoding/message.h>
-
-/**
- * Different kinds of tasks.
- */
-enum task_type_t {
-	/** establish an unauthenticated IKE_SA */
-	IKE_INIT,
-	/** detect NAT situation */
-	IKE_NATD,
-	/** handle MOBIKE stuff */
-	IKE_MOBIKE,
-	/** authenticate the initiated IKE_SA */
-	IKE_AUTHENTICATE,
-	/** AUTH_LIFETIME negotiation, RFC4478 */
-	IKE_AUTH_LIFETIME,
-	/** certificate processing before authentication (certreqs, cert parsing) */
-	IKE_CERT_PRE,
-	/** certificate processing after authentication (certs payload generation) */
-	IKE_CERT_POST,
-	/** Configuration payloads, virtual IP and such */
-	IKE_CONFIG,
-	/** rekey an IKE_SA */
-	IKE_REKEY,
-	/** reestablish a complete IKE_SA */
-	IKE_REAUTH,
-	/** delete an IKE_SA */
-	IKE_DELETE,
-	/** liveness check */
-	IKE_DPD,
-	/** Vendor ID processing */
-	IKE_VENDOR,
-#ifdef ME
-	/** handle ME stuff */
-	IKE_ME,
-#endif /* ME */
-	/** establish a CHILD_SA within an IKE_SA */
-	CHILD_CREATE,
-	/** delete an established CHILD_SA */
-	CHILD_DELETE,
-	/** rekey an CHILD_SA */
-	CHILD_REKEY,
-};
-
-/**
- * enum names for task_type_t.
- */
-extern enum_name_t *task_type_names;
-
-/**
- * Interface for a task, an operation handled within exchanges.
- *
- * A task is an elemantary operation. It may be handled by a single or by
- * multiple exchanges. An exchange may even complete multiple tasks.
- * A task has a build() and an process() operation. The build() operation
- * creates payloads and adds it to the message. The process() operation
- * inspects a message and handles its payloads. An initiator of an exchange
- * first calls build() to build the request, and processes the response message
- * with the process() method.
- * A responder does the opposite; it calls process() first to handle an incoming
- * request and secondly calls build() to build an appropriate response.
- * Both methods return either SUCCESS, NEED_MORE or FAILED. A SUCCESS indicates
- * that the task completed, even when the task completed unsuccesfully. The
- * manager then removes the task from the list. A NEED_MORE is returned when
- * the task needs further build()/process() calls to complete, the manager
- * leaves the taks in the queue. A returned FAILED indicates a critical failure.
- * The manager closes the IKE_SA whenever a task returns FAILED.
- */
-struct task_t {
-
-	/**
-	 * Build a request or response message for this task.
-	 *
-	 * @param message		message to add payloads to
-	 * @return
-	 *						- FAILED if a critical error occured
-	 *						- DESTROY_ME if IKE_SA has been properly deleted
-	 *						- NEED_MORE if another call to build/process needed
-	 *						- SUCCESS if task completed
-	 */
-	status_t (*build) (task_t *this, message_t *message);
-
-	/**
-	 * Process a request or response message for this task.
-	 *
-	 * @param message		message to read payloads from
-	 * @return
-	 * 						- FAILED if a critical error occured
-	 *						- DESTROY_ME if IKE_SA has been properly deleted
-	 *						- NEED_MORE if another call to build/process needed
-	 *						- SUCCESS if task completed
-	 */
-	status_t (*process) (task_t *this, message_t *message);
-
-	/**
-	 * Get the type of the task implementation.
-	 */
-	task_type_t (*get_type) (task_t *this);
-
-	/**
-	 * Migrate a task to a new IKE_SA.
-	 *
-	 * After migrating a task, it goes back to a state where it can be
-	 * used again to initate an exchange. This is useful when a task
-	 * has to get migrated to a new IKE_SA.
-	 * A special usage is when a INVALID_KE_PAYLOAD is received. A call
-	 * to reset resets the task, but uses another DH group for the next
-	 * try.
-	 * The ike_sa is the new IKE_SA this task belongs to and operates on.
-	 *
-	 * @param ike_sa		new IKE_SA this task works for
-	 */
-	void (*migrate) (task_t *this, ike_sa_t *ike_sa);
-
-	/**
-	 * Destroys a task_t object.
-	 */
-	void (*destroy) (task_t *this);
-};
-
-#endif /** TASK_H_ @}*/
diff --git a/src/charon/sa/trap_manager.c b/src/charon/sa/trap_manager.c
deleted file mode 100644
index ed758995a..000000000
--- a/src/charon/sa/trap_manager.c
+++ /dev/null
@@ -1,403 +0,0 @@
-/*
- * Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "trap_manager.h"
-
-#include <daemon.h>
-#include <threading/rwlock.h>
-#include <utils/linked_list.h>
-
-
-typedef struct private_trap_manager_t private_trap_manager_t;
-typedef struct trap_listener_t trap_listener_t;
-
-/**
- * listener to track acquires
- */
-struct trap_listener_t {
-
-	/**
-	 * Implements listener interface
-	 */
-	listener_t listener;
-
-	/**
-	 * points to trap_manager
-	 */
-	private_trap_manager_t *traps;
-};
-
-/**
- * Private data of an trap_manager_t object.
- */
-struct private_trap_manager_t {
-
-	/**
-	 * Public trap_manager_t interface.
-	 */
-	trap_manager_t public;
-
-	/**
-	 * Installed traps, as entry_t
-	 */
-	linked_list_t *traps;
-
-	/**
-	 * read write lock for traps list
-	 */
-	rwlock_t *lock;
-
-	/**
-	 * listener to track acquiring IKE_SAs
-	 */
-	trap_listener_t listener;
-};
-
-/**
- * A installed trap entry
- */
-typedef struct {
-	/** ref to peer_cfg to initiate */
-	peer_cfg_t *peer_cfg;
-	/** ref to instanciated CHILD_SA */
-	child_sa_t *child_sa;
-	/** pending IKE_SA connecting upon acquire */
-	ike_sa_t *pending;
-} entry_t;
-
-/**
- * actually uninstall and destroy an installed entry
- */
-static void destroy_entry(entry_t *entry)
-{
-	entry->child_sa->destroy(entry->child_sa);
-	entry->peer_cfg->destroy(entry->peer_cfg);
-	free(entry);
-}
-
-/**
- * Implementation of trap_manager_t.install
- */
-static u_int32_t install(private_trap_manager_t *this, peer_cfg_t *peer,
-					 child_cfg_t *child)
-{
-	entry_t *entry;
-	ike_cfg_t *ike_cfg;
-	child_sa_t *child_sa;
-	host_t *me, *other;
-	linked_list_t *my_ts, *other_ts;
-	enumerator_t *enumerator;
-	bool found = FALSE;
-	status_t status;
-	u_int32_t reqid;
-
-	/* check if not already done */
-	this->lock->read_lock(this->lock);
-	enumerator = this->traps->create_enumerator(this->traps);
-	while (enumerator->enumerate(enumerator, &entry))
-	{
-		if (streq(entry->child_sa->get_name(entry->child_sa),
-				  child->get_name(child)))
-		{
-			found = TRUE;
-			break;
-		}
-	}
-	enumerator->destroy(enumerator);
-	this->lock->unlock(this->lock);
-	if (found)
-	{
-		DBG1(DBG_CFG, "CHILD_SA named '%s' already routed",
-			 child->get_name(child));
-		return 0;
-	}
-
-	/* try to resolve addresses */
-	ike_cfg = peer->get_ike_cfg(peer);
-	other = host_create_from_dns(ike_cfg->get_other_addr(ike_cfg),
-								 0, IKEV2_UDP_PORT);
-	if (!other)
-	{
-		DBG1(DBG_CFG, "installing trap failed, remote address unknown");
-		return 0;
-	}
-	me = host_create_from_dns(ike_cfg->get_my_addr(ike_cfg),
-							  other->get_family(other), IKEV2_UDP_PORT);
-	if (!me || me->is_anyaddr(me))
-	{
-		DESTROY_IF(me);
-		me = charon->kernel_interface->get_source_addr(
-									charon->kernel_interface, other, NULL);
-		if (!me)
-		{
-			DBG1(DBG_CFG, "installing trap failed, local address unknown");
-			other->destroy(other);
-			return 0;
-		}
-		me->set_port(me, IKEV2_UDP_PORT);
-	}
-
-	/* create and route CHILD_SA */
-	child_sa = child_sa_create(me, other, child, 0, FALSE);
-	my_ts = child->get_traffic_selectors(child, TRUE, NULL, me);
-	other_ts = child->get_traffic_selectors(child, FALSE, NULL, other);
-	me->destroy(me);
-	other->destroy(other);
-
-	/* while we don't know the finally negotiated protocol (ESP|AH), we
-	 * could iterate all proposals for a best guest (TODO). But as we
-	 * support ESP only for now, we set here. */
-	child_sa->set_protocol(child_sa, PROTO_ESP);
-	child_sa->set_mode(child_sa, child->get_mode(child));
-	status = child_sa->add_policies(child_sa, my_ts, other_ts);
-	my_ts->destroy_offset(my_ts, offsetof(traffic_selector_t, destroy));
-	other_ts->destroy_offset(other_ts, offsetof(traffic_selector_t, destroy));
-	if (status != SUCCESS)
-	{
-		child_sa->destroy(child_sa);
-		DBG1(DBG_CFG, "installing trap failed");
-		return 0;
-	}
-
-	reqid = child_sa->get_reqid(child_sa);
-	entry = malloc_thing(entry_t);
-	entry->child_sa = child_sa;
-	entry->peer_cfg = peer->get_ref(peer);
-	entry->pending = NULL;
-
-	this->lock->write_lock(this->lock);
-	this->traps->insert_last(this->traps, entry);
-	this->lock->unlock(this->lock);
-
-	return reqid;
-}
-
-/**
- * Implementation of trap_manager_t.uninstall
- */
-static bool uninstall(private_trap_manager_t *this, u_int32_t reqid)
-{
-	enumerator_t *enumerator;
-	entry_t *entry, *found = NULL;
-
-	this->lock->write_lock(this->lock);
-	enumerator = this->traps->create_enumerator(this->traps);
-	while (enumerator->enumerate(enumerator, &entry))
-	{
-		if (entry->child_sa->get_reqid(entry->child_sa) == reqid)
-		{
-			this->traps->remove_at(this->traps, enumerator);
-			found = entry;
-			break;
-		}
-	}
-	enumerator->destroy(enumerator);
-	this->lock->unlock(this->lock);
-
-	if (!found)
-	{
-		DBG1(DBG_CFG, "trap %d not found to uninstall", reqid);
-		return FALSE;
-	}
-
-	destroy_entry(found);
-	return TRUE;
-}
-
-/**
- * convert enumerated entries to peer_cfg, child_sa
- */
-static bool trap_filter(rwlock_t *lock, entry_t **entry, peer_cfg_t **peer_cfg,
-						void *none, child_sa_t **child_sa)
-{
-	if (peer_cfg)
-	{
-		*peer_cfg = (*entry)->peer_cfg;
-	}
-	if (child_sa)
-	{
-		*child_sa = (*entry)->child_sa;
-	}
-	return TRUE;
-}
-
-/**
- * Implementation of trap_manager_t.create_enumerator
- */
-static enumerator_t* create_enumerator(private_trap_manager_t *this)
-{
-	this->lock->read_lock(this->lock);
-	return enumerator_create_filter(this->traps->create_enumerator(this->traps),
-									(void*)trap_filter, this->lock,
-									(void*)this->lock->unlock);
-}
-
-/**
- * Implementation of trap_manager_t.acquire
- */
-static void acquire(private_trap_manager_t *this, u_int32_t reqid,
-					traffic_selector_t *src, traffic_selector_t *dst)
-{
-	enumerator_t *enumerator;
-	entry_t *entry, *found = NULL;
-	peer_cfg_t *peer;
-	child_cfg_t *child;
-	ike_sa_t *ike_sa;
-
-	this->lock->read_lock(this->lock);
-	enumerator = this->traps->create_enumerator(this->traps);
-	while (enumerator->enumerate(enumerator, &entry))
-	{
-		if (entry->child_sa->get_reqid(entry->child_sa) == reqid)
-		{
-			found = entry;
-			break;
-		}
-	}
-	enumerator->destroy(enumerator);
-
-	if (!found)
-	{
-		DBG1(DBG_CFG, "trap not found, unable to acquire reqid %d",reqid);
-	}
-	else if (found->pending)
-	{
-		DBG1(DBG_CFG, "ignoring acquire, connection attempt pending");
-	}
-	else
-	{
-		child = found->child_sa->get_config(found->child_sa);
-		peer = found->peer_cfg;
-		ike_sa = charon->ike_sa_manager->checkout_by_config(
-												charon->ike_sa_manager, peer);
-		if (ike_sa->get_peer_cfg(ike_sa) == NULL)
-		{
-			ike_sa->set_peer_cfg(ike_sa, peer);
-		}
-		child->get_ref(child);
-		reqid = found->child_sa->get_reqid(found->child_sa);
-		if (ike_sa->initiate(ike_sa, child, reqid, src, dst) != DESTROY_ME)
-		{
-			found->pending = ike_sa;
-			charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
-		}
-		else
-		{
-			charon->ike_sa_manager->checkin_and_destroy(
-												charon->ike_sa_manager, ike_sa);
-		}
-	}
-	this->lock->unlock(this->lock);
-}
-
-/**
- * Complete the acquire, if successful or failed
- */
-static void complete(private_trap_manager_t *this, ike_sa_t *ike_sa,
-					 child_sa_t *child_sa)
-{
-	enumerator_t *enumerator;
-	entry_t *entry;
-
-	this->lock->read_lock(this->lock);
-	enumerator = this->traps->create_enumerator(this->traps);
-	while (enumerator->enumerate(enumerator, &entry))
-	{
-		if (entry->pending != ike_sa)
-		{
-			continue;
-		}
-		if (child_sa && child_sa->get_reqid(child_sa) !=
-									entry->child_sa->get_reqid(entry->child_sa))
-		{
-			continue;
-		}
-		entry->pending = NULL;
-	}
-	enumerator->destroy(enumerator);
-	this->lock->unlock(this->lock);
-}
-
-/**
- * Implementation of listener_t.ike_state_change
- */
-static bool ike_state_change(trap_listener_t *listener, ike_sa_t *ike_sa,
-							 ike_sa_state_t state)
-{
-	switch (state)
-	{
-		case IKE_DESTROYING:
-			complete(listener->traps, ike_sa, NULL);
-			return TRUE;
-		default:
-			return TRUE;
-	}
-}
-
-/**
- * Implementation of listener_t.child_state_change
- */
-static bool child_state_change(trap_listener_t *listener, ike_sa_t *ike_sa,
-							   child_sa_t *child_sa, child_sa_state_t state)
-{
-	switch (state)
-	{
-		case CHILD_INSTALLED:
-		case CHILD_DESTROYING:
-			complete(listener->traps, ike_sa, child_sa);
-			return TRUE;
-		default:
-			return TRUE;
-	}
-}
-
-/**
- * Implementation of trap_manager_t.destroy.
- */
-static void destroy(private_trap_manager_t *this)
-{
-	charon->bus->remove_listener(charon->bus, &this->listener.listener);
-	this->traps->invoke_function(this->traps, (void*)destroy_entry);
-	this->traps->destroy(this->traps);
-	this->lock->destroy(this->lock);
-	free(this);
-}
-
-/**
- * See header
- */
-trap_manager_t *trap_manager_create()
-{
-	private_trap_manager_t *this = malloc_thing(private_trap_manager_t);
-
-	this->public.install = (u_int(*)(trap_manager_t*, peer_cfg_t *peer, child_cfg_t *child))install;
-	this->public.uninstall = (bool(*)(trap_manager_t*, u_int32_t id))uninstall;
-	this->public.create_enumerator = (enumerator_t*(*)(trap_manager_t*))create_enumerator;
-	this->public.acquire = (void(*)(trap_manager_t*, u_int32_t reqid, traffic_selector_t *src, traffic_selector_t *dst))acquire;
-	this->public.destroy = (void(*)(trap_manager_t*))destroy;
-
-	this->traps = linked_list_create();
-	this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
-
-	/* register listener for IKE state changes */
-	this->listener.traps = this;
-	memset(&this->listener.listener, 0, sizeof(listener_t));
-	this->listener.listener.ike_state_change = (void*)ike_state_change;
-	this->listener.listener.child_state_change = (void*)child_state_change;
-	charon->bus->add_listener(charon->bus, &this->listener.listener);
-
-	return &this->public;
-}
-
diff --git a/src/charon/sa/trap_manager.h b/src/charon/sa/trap_manager.h
deleted file mode 100644
index 37b42e2b0..000000000
--- a/src/charon/sa/trap_manager.h
+++ /dev/null
@@ -1,81 +0,0 @@
-/*
- * Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup trap_manager trap_manager
- * @{ @ingroup sa
- */
-
-#ifndef TRAP_MANAGER_H_
-#define TRAP_MANAGER_H_
-
-#include <library.h>
-#include <utils/enumerator.h>
-#include <config/peer_cfg.h>
-
-typedef struct trap_manager_t trap_manager_t;
-
-/**
- * Manage policies to create SAs from traffic.
- */
-struct trap_manager_t {
-
-	/**
-	 * Install a policy as a trap.
-	 *
-	 * @param peer		peer configuration to initiate on trap
-	 * @param child 	child configuration to install as a trap
-	 * @return			reqid of installed CHILD_SA, 0 if failed
-	 */
-	u_int32_t (*install)(trap_manager_t *this, peer_cfg_t *peer,
-						 child_cfg_t *child);
-
-	/**
-	 * Uninstall a trap policy.
-	 *
-	 * @param id		reqid of CHILD_SA to uninstall, returned by install()
-	 * @return			TRUE if uninstalled successfully
-	 */
-	bool (*uninstall)(trap_manager_t *this, u_int32_t reqid);
-
-	/**
-	 * Create an enumerator over all installed traps.
-	 *
-	 * @return			enumerator over (peer_cfg_t, child_sa_t)
-	 */
-	enumerator_t* (*create_enumerator)(trap_manager_t *this);
-
-	/**
-	 * Acquire an SA triggered by an installed trap.
-	 *
-	 * @param reqid		requid of the triggering CHILD_SA
-	 * @param src		source of the triggering packet
-	 * @param dst		destination of the triggering packet
-	 */
-	void (*acquire)(trap_manager_t *this, u_int32_t reqid,
-					traffic_selector_t *src, traffic_selector_t *dst);
-
-	/**
-	 * Destroy a trap_manager_t.
-	 */
-	void (*destroy)(trap_manager_t *this);
-};
-
-/**
- * Create a trap_manager instance.
- */
-trap_manager_t *trap_manager_create();
-
-#endif /** TRAP_MANAGER_H_ @}*/
diff --git a/src/checksum/Makefile.am b/src/checksum/Makefile.am
index d0413e64e..27d615dab 100644
--- a/src/checksum/Makefile.am
+++ b/src/checksum/Makefile.am
@@ -5,17 +5,28 @@ nodist_libchecksum_la_SOURCES = checksum.c
 libchecksum_la_LDFLAGS = -module -avoid-version
 
 checksum_builder_SOURCES = checksum_builder.c
-checksum_builder_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
+checksum_builder_LDADD = \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la \
+	$(top_builddir)/src/libhydra/libhydra.la \
+	$(top_builddir)/src/libcharon/libcharon.la \
+	$(DLLIB)
 
 BUILT_SOURCES = checksum.c
 CLEANFILES = checksum.c
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
 AM_CFLAGS = -rdynamic
 
-libs =	$(shell find $(top_builddir)/src/libstrongswan $(top_builddir)/src/charon \
+libs =	$(shell find $(top_builddir)/src/libstrongswan \
+			$(top_builddir)/src/libcharon \
+			$(top_builddir)/src/libhydra \
 			-name 'libstrongswan*.so')
 
+if USE_LIBHYDRA
+  libs += $(top_builddir)/src/libhydra/.libs/libhydra.so
+endif
+
 if USE_CHARON
+  libs += $(top_builddir)/src/libcharon/.libs/libcharon.so
   libs += $(top_builddir)/src/charon/.libs/charon
 endif
 
@@ -30,7 +41,7 @@ if USE_TOOLS
 endif
 
 if USE_ATTR_SQL
-  libs += $(top_builddir)/src/libstrongswan/plugins/attr_sql/.libs/pool
+  libs += $(top_builddir)/src/libhydra/plugins/attr_sql/.libs/pool
 endif
 
 checksum.c : checksum_builder $(libs)
diff --git a/src/checksum/Makefile.in b/src/checksum/Makefile.in
index 6769c2601..3e0ab1e69 100644
--- a/src/checksum/Makefile.in
+++ b/src/checksum/Makefile.in
@@ -36,13 +36,15 @@ POST_UNINSTALL = :
 build_triplet = @build@
 host_triplet = @host@
 noinst_PROGRAMS = checksum_builder$(EXEEXT)
-@USE_CHARON_TRUE@am__append_1 = $(top_builddir)/src/charon/.libs/charon
-@USE_PLUTO_TRUE@am__append_2 = $(top_builddir)/src/pluto/.libs/pluto
-@USE_TOOLS_TRUE@am__append_3 =  \
+@USE_LIBHYDRA_TRUE@am__append_1 = $(top_builddir)/src/libhydra/.libs/libhydra.so
+@USE_CHARON_TRUE@am__append_2 = $(top_builddir)/src/libcharon/.libs/libcharon.so \
+@USE_CHARON_TRUE@	$(top_builddir)/src/charon/.libs/charon
+@USE_PLUTO_TRUE@am__append_3 = $(top_builddir)/src/pluto/.libs/pluto
+@USE_TOOLS_TRUE@am__append_4 =  \
 @USE_TOOLS_TRUE@	$(top_builddir)/src/openac/.libs/openac \
 @USE_TOOLS_TRUE@	$(top_builddir)/src/pki/.libs/pki \
 @USE_TOOLS_TRUE@	$(top_builddir)/src/scepclient/.libs/scepclient
-@USE_ATTR_SQL_TRUE@am__append_4 = $(top_builddir)/src/libstrongswan/plugins/attr_sql/.libs/pool
+@USE_ATTR_SQL_TRUE@am__append_5 = $(top_builddir)/src/libhydra/plugins/attr_sql/.libs/pool
 subdir = src/checksum
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
@@ -91,8 +93,12 @@ libchecksum_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
 PROGRAMS = $(noinst_PROGRAMS)
 am_checksum_builder_OBJECTS = checksum_builder.$(OBJEXT)
 checksum_builder_OBJECTS = $(am_checksum_builder_OBJECTS)
+am__DEPENDENCIES_1 =
 checksum_builder_DEPENDENCIES =  \
-	$(top_builddir)/src/libstrongswan/libstrongswan.la
+	$(top_builddir)/src/libstrongswan/libstrongswan.la \
+	$(top_builddir)/src/libhydra/libhydra.la \
+	$(top_builddir)/src/libcharon/libcharon.la \
+	$(am__DEPENDENCIES_1)
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
@@ -231,6 +237,7 @@ ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libhydra_plugins = @libhydra_plugins@
 libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
@@ -269,15 +276,20 @@ ipsec_LTLIBRARIES = libchecksum.la
 nodist_libchecksum_la_SOURCES = checksum.c
 libchecksum_la_LDFLAGS = -module -avoid-version
 checksum_builder_SOURCES = checksum_builder.c
-checksum_builder_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
+checksum_builder_LDADD = \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la \
+	$(top_builddir)/src/libhydra/libhydra.la \
+	$(top_builddir)/src/libcharon/libcharon.la \
+	$(DLLIB)
+
 BUILT_SOURCES = checksum.c
 CLEANFILES = checksum.c
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
 AM_CFLAGS = -rdynamic
 libs = $(shell find $(top_builddir)/src/libstrongswan \
-	$(top_builddir)/src/charon -name 'libstrongswan*.so') \
-	$(am__append_1) $(am__append_2) $(am__append_3) \
-	$(am__append_4)
+	$(top_builddir)/src/libcharon $(top_builddir)/src/libhydra \
+	-name 'libstrongswan*.so') $(am__append_1) $(am__append_2) \
+	$(am__append_3) $(am__append_4) $(am__append_5)
 all: $(BUILT_SOURCES)
 	$(MAKE) $(AM_MAKEFLAGS) all-am
 
diff --git a/src/checksum/checksum_builder.c b/src/checksum/checksum_builder.c
index 54f4539ff..b68a25a19 100644
--- a/src/checksum/checksum_builder.c
+++ b/src/checksum/checksum_builder.c
@@ -13,17 +13,13 @@
  * for more details.
  */
 
+#define _GNU_SOURCE
 #include <stdlib.h>
 #include <stdio.h>
 #include <dlfcn.h>
 
 #include <library.h>
 
-/* we need to fake some charon symbols to dlopen() its plugins */
-void *charon, *eap_type_names, *auth_class_names, *protocol_id_names,
-*action_names, *ipsec_mode_names, *ike_sa_state_names, *child_sa_state_names,
-*policy_dir_names, *ipcomp_transform_names, *debug_names, *controller_cb_empty;
-
 int main(int argc, char* argv[])
 {
 	int i;
@@ -62,12 +58,30 @@ int main(int argc, char* argv[])
 			name[strlen(name) - 3] = '"';
 			name[strlen(name) - 2] = ',';
 			name[strlen(name) - 1] = '\0';
-			sname = "plugin_create";
+			if (asprintf(&sname, "%.*s_plugin_create", strlen(name) - 2,
+						 name) < 0)
+			{
+				fprintf(stderr, "failed to format plugin constructor "
+						"for '%s', ignored", path);
+				free(name);
+				continue;
+			}
+			translate(sname, "-", "_");
 		}
 		else if (strstr(path, "libstrongswan.so"))
 		{
 			name = strdup("libstrongswan\",");
-			sname = "library_init";
+			sname = strdup("library_init");
+		}
+		else if (strstr(path, "libhydra.so"))
+		{
+			name = strdup("libhydra\",");
+			sname = strdup("libhydra_init");
+		}
+		else if (strstr(path, "libcharon.so"))
+		{
+			name = strdup("libcharon\",");
+			sname = strdup("libcharon_init");
 		}
 		else if (strstr(path, "pool"))
 		{
@@ -126,6 +140,7 @@ int main(int argc, char* argv[])
 			   name, fsize, fsum, ssize, ssum);
 		fprintf(stderr, "\"%-20s%7u / 0x%08x       %6u / 0x%08x\n",
 				name, fsize, fsum, ssize, ssum);
+		free(sname);
 		free(name);
 	}
 	printf("};\n");
diff --git a/src/dumm/Makefile.in b/src/dumm/Makefile.in
index 8bc08e2c1..36fdbff28 100644
--- a/src/dumm/Makefile.in
+++ b/src/dumm/Makefile.in
@@ -226,6 +226,7 @@ ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libhydra_plugins = @libhydra_plugins@
 libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
diff --git a/src/dumm/bridge.c b/src/dumm/bridge.c
index 592fecefd..9c63beed9 100644
--- a/src/dumm/bridge.c
+++ b/src/dumm/bridge.c
@@ -69,8 +69,8 @@ static bool disconnect_iface(private_bridge_t *this, iface_t *iface)
 		{
 			if (br_del_interface(this->name, iface->get_hostif(iface)) != 0)
 			{
-				DBG1("removing iface '%s' from bridge '%s' in kernel failed: %m",
-					 iface->get_hostif(iface), this->name);
+				DBG1(DBG_LIB, "removing iface '%s' from bridge '%s' in kernel"
+					 " failed: %m", iface->get_hostif(iface), this->name);
 			}
 			else
 			{
@@ -83,8 +83,8 @@ static bool disconnect_iface(private_bridge_t *this, iface_t *iface)
 	}
 	if (iface != current)
 	{
-		DBG1("iface '%s' not found on bridge '%s'", iface->get_hostif(iface),
-			 this->name);
+		DBG1(DBG_LIB, "iface '%s' not found on bridge '%s'",
+			 iface->get_hostif(iface), this->name);
 	}
 	enumerator->destroy(enumerator);
 	return good;
@@ -97,7 +97,7 @@ static bool connect_iface(private_bridge_t *this, iface_t *iface)
 {
 	if (br_add_interface(this->name, iface->get_hostif(iface)) != 0)
 	{
-		DBG1("adding iface '%s' to bridge '%s' failed: %m",
+		DBG1(DBG_LIB, "adding iface '%s' to bridge '%s' failed: %m",
 			 iface->get_hostif(iface), this->name);
 		return FALSE;
 	}
@@ -124,7 +124,8 @@ static void destroy(private_bridge_t *this)
 	{
 		if (br_del_interface(this->name, iface->get_hostif(iface)) != 0)
 		{
-			DBG1("disconnecting iface '%s' failed: %m", iface->get_hostif(iface));
+			DBG1(DBG_LIB, "disconnecting iface '%s' failed: %m",
+				 iface->get_hostif(iface));
 		}
 		iface->set_bridge(iface, NULL);
 	}
@@ -133,7 +134,8 @@ static void destroy(private_bridge_t *this)
 	iface_control(this->name, FALSE);
 	if (br_del_bridge(this->name) != 0)
 	{
-		DBG1("deleting bridge '%s' from kernel failed: %m", this->name);
+		DBG1(DBG_LIB, "deleting bridge '%s' from kernel failed: %m",
+			 this->name);
 	}
 	free(this->name);
 	free(this);
@@ -154,7 +156,7 @@ bridge_t *bridge_create(char *name)
 	{
 		if (br_init() != 0)
 		{
-			DBG1("libbridge initialization failed: %m");
+			DBG1(DBG_LIB, "libbridge initialization failed: %m");
 			return NULL;
 		}
 	}
@@ -168,13 +170,13 @@ bridge_t *bridge_create(char *name)
 
 	if (br_add_bridge(name) != 0)
 	{
-		DBG1("creating bridge '%s' failed: %m", name);
+		DBG1(DBG_LIB, "creating bridge '%s' failed: %m", name);
 		free(this);
 		return NULL;
 	}
 	if (!iface_control(name, TRUE))
 	{
-		DBG1("bringing bridge '%s' up failed: %m", name);
+		DBG1(DBG_LIB, "bringing bridge '%s' up failed: %m", name);
 	}
 
 	this->name = strdup(name);
diff --git a/src/dumm/cowfs.c b/src/dumm/cowfs.c
index f7b6b0cf3..70767890b 100644
--- a/src/dumm/cowfs.c
+++ b/src/dumm/cowfs.c
@@ -493,12 +493,12 @@ static int cowfs_link(const char *from, const char *to)
 
 	if (!clone_path(rd, wr, to))
 	{
-		DBG1("cloning path '%s' failed", to);
+		DBG1(DBG_LIB, "cloning path '%s' failed", to);
 		return -errno;
 	}
 	if (linkat(rd, from, wr, to, 0) < 0)
 	{
-		DBG1("linking '%s' to '%s' failed", from, to);
+		DBG1(DBG_LIB, "linking '%s' to '%s' failed", from, to);
 		return -errno;
 	}
 	return 0;
@@ -777,7 +777,7 @@ static bool set_overlay(private_cowfs_t *this, char *path)
 		this->over_fd = open(path, O_RDONLY | O_DIRECTORY);
 		if (this->over_fd < 0)
 		{
-			DBG1("failed to open overlay directory '%s': %m", path);
+			DBG1(DBG_LIB, "failed to open overlay directory '%s': %m", path);
 			return FALSE;
 		}
 		this->over = strdup(path);
@@ -821,14 +821,14 @@ cowfs_t *cowfs_create(char *master, char *host, char *mount)
 	this->master_fd = open(master, O_RDONLY | O_DIRECTORY);
 	if (this->master_fd < 0)
 	{
-		DBG1("failed to open master filesystem '%s'", master);
+		DBG1(DBG_LIB, "failed to open master filesystem '%s'", master);
 		free(this);
 		return NULL;
 	}
 	this->host_fd = open(host, O_RDONLY | O_DIRECTORY);
 	if (this->host_fd < 0)
 	{
-		DBG1("failed to open host filesystem '%s'", host);
+		DBG1(DBG_LIB, "failed to open host filesystem '%s'", host);
 		close(this->master_fd);
 		free(this);
 		return NULL;
@@ -838,7 +838,7 @@ cowfs_t *cowfs_create(char *master, char *host, char *mount)
 	this->chan = fuse_mount(mount, &args);
 	if (this->chan == NULL)
 	{
-		DBG1("mounting cowfs FUSE on '%s' failed", mount);
+		DBG1(DBG_LIB, "mounting cowfs FUSE on '%s' failed", mount);
 		close(this->master_fd);
 		close(this->host_fd);
 		free(this);
@@ -849,7 +849,7 @@ cowfs_t *cowfs_create(char *master, char *host, char *mount)
 						  sizeof(cowfs_operations), this);
 	if (this->fuse == NULL)
 	{
-		DBG1("creating cowfs FUSE handle failed");
+		DBG1(DBG_LIB, "creating cowfs FUSE handle failed");
 		close(this->master_fd);
 		close(this->host_fd);
 		fuse_unmount(mount, this->chan);
@@ -865,7 +865,7 @@ cowfs_t *cowfs_create(char *master, char *host, char *mount)
 	this->thread = thread_create((thread_main_t)fuse_loop, this->fuse);
 	if (!this->thread)
 	{
-		DBG1("creating thread to handle FUSE failed");
+		DBG1(DBG_LIB, "creating thread to handle FUSE failed");
 		fuse_unmount(mount, this->chan);
 		free(this->mount);
 		free(this->master);
diff --git a/src/dumm/dumm.c b/src/dumm/dumm.c
index 0e8ab43f3..7ec340089 100644
--- a/src/dumm/dumm.c
+++ b/src/dumm/dumm.c
@@ -162,7 +162,7 @@ static bool load_template(private_dumm_t *this, char *dir)
 	}
 	if (strlen(dir) > PATH_MAX)
 	{
-		DBG1("template directory string '%s' is too long", dir);
+		DBG1(DBG_LIB, "template directory string '%s' is too long", dir);
 		return FALSE;
 	}
 
@@ -175,7 +175,8 @@ static bool load_template(private_dumm_t *this, char *dir)
 	{	/* does not exist, create template */
 		if (!mkdir_p(this->template, PERME))
 		{
-			DBG1("creating template directory '%s' failed: %m", this->template);
+			DBG1(DBG_LIB, "creating template directory '%s' failed: %m",
+				 this->template);
 			return FALSE;
 		}
 	}
@@ -302,7 +303,8 @@ static void load_guests(private_dumm_t *this)
 		}
 		else
 		{
-			DBG1("loading guest in directory '%s' failed, skipped", ent->d_name);
+			DBG1(DBG_LIB, "loading guest in directory '%s' failed, skipped",
+				 ent->d_name);
 		}
 	}
 	closedir(dir);
@@ -360,7 +362,8 @@ dumm_t *dumm_create(char *dir)
 	if (this->dir == NULL || this->guest_dir == NULL ||
 		(mkdir(this->guest_dir, PERME) < 0 && errno != EEXIST))
 	{
-		DBG1("creating guest directory '%s' failed: %m", this->guest_dir);
+		DBG1(DBG_LIB, "creating guest directory '%s' failed: %m",
+			 this->guest_dir);
 		destroy(this);
 		return NULL;
 	}
diff --git a/src/dumm/guest.c b/src/dumm/guest.c
index 112adb441..ebd87769a 100644
--- a/src/dumm/guest.c
+++ b/src/dumm/guest.c
@@ -100,7 +100,8 @@ static iface_t* create_iface(private_guest_t *this, char *name)
 
 	if (this->state != GUEST_RUNNING)
 	{
-		DBG1("guest '%s' not running, unable to add interface", this->name);
+		DBG1(DBG_LIB, "guest '%s' not running, unable to add interface",
+			 this->name);
 		return NULL;
 	}
 
@@ -109,7 +110,8 @@ static iface_t* create_iface(private_guest_t *this, char *name)
 	{
 		if (streq(name, iface->get_guestif(iface)))
 		{
-			DBG1("guest '%s' already has an interface '%s'", this->name, name);
+			DBG1(DBG_LIB, "guest '%s' already has an interface '%s'",
+				 this->name, name);
 			enumerator->destroy(enumerator);
 			return NULL;
 		}
@@ -251,7 +253,8 @@ static bool start(private_guest_t *this, invoke_function_t invoke, void* data,
 
 	if (this->state != GUEST_STOPPED)
 	{
-		DBG1("unable to start guest in state %N", guest_state_names, this->state);
+		DBG1(DBG_LIB, "unable to start guest in state %N", guest_state_names,
+			 this->state);
 		return FALSE;
 	}
 	this->state = GUEST_STARTING;
@@ -284,7 +287,7 @@ static bool start(private_guest_t *this, invoke_function_t invoke, void* data,
 	this->mconsole = mconsole_create(notify, idle);
 	if (this->mconsole == NULL)
 	{
-		DBG1("opening mconsole at '%s' failed, stopping guest", buf);
+		DBG1(DBG_LIB, "opening mconsole at '%s' failed, stopping guest", buf);
 		stop(this, NULL);
 		return FALSE;
 	}
@@ -315,7 +318,8 @@ static bool load_template(private_guest_t *this, char *path)
 	{
 		if (!mkdir_p(dir, PERME))
 		{
-			DBG1("creating overlay for guest '%s' failed: %m", this->name);
+			DBG1(DBG_LIB, "creating overlay for guest '%s' failed: %m",
+				 this->name);
 			return FALSE;
 		}
 	}
@@ -595,7 +599,7 @@ static private_guest_t *guest_create_generic(char *parent, char *name,
 	this->dir = open(this->dirname, O_DIRECTORY, PERME);
 	if (this->dir < 0)
 	{
-		DBG1("opening guest directory '%s' failed: %m", this->dirname);
+		DBG1(DBG_LIB, "opening guest directory '%s' failed: %m", this->dirname);
 		free(this->dirname);
 		free(this);
 		return NULL;
@@ -647,7 +651,7 @@ guest_t *guest_create(char *parent, char *name, char *kernel,
 	if (!make_symlink(this, master, MASTER_DIR) ||
 		!make_symlink(this, kernel, KERNEL_FILE))
 	{
-		DBG1("creating master/kernel symlink failed: %m");
+		DBG1(DBG_LIB, "creating master/kernel symlink failed: %m");
 		destroy(this);
 		return NULL;
 	}
@@ -655,7 +659,7 @@ guest_t *guest_create(char *parent, char *name, char *kernel,
 	if (mkdirat(this->dir, UNION_DIR, PERME) != 0 ||
 		mkdirat(this->dir, DIFF_DIR, PERME) != 0)
 	{
-		DBG1("unable to create directories for '%s': %m", name);
+		DBG1(DBG_LIB, "unable to create directories for '%s': %m", name);
 		destroy(this);
 		return NULL;
 	}
diff --git a/src/dumm/iface.c b/src/dumm/iface.c
index 9910c392e..1b5b7d717 100644
--- a/src/dumm/iface.c
+++ b/src/dumm/iface.c
@@ -196,7 +196,7 @@ static bool destroy_tap(private_iface_t *this)
 
 	if (!iface_control(this->hostif, FALSE))
 	{
-		DBG1("bringing iface down failed: %m");
+		DBG1(DBG_LIB, "bringing iface down failed: %m");
 	}
 	memset(&ifr, 0, sizeof(ifr));
 	ifr.ifr_flags = IFF_TAP | IFF_NO_PI;
@@ -205,13 +205,13 @@ static bool destroy_tap(private_iface_t *this)
 	tap = open(TAP_DEVICE, O_RDWR);
 	if (tap < 0)
 	{
-		DBG1("unable to open tap device %s: %m", TAP_DEVICE);
+		DBG1(DBG_LIB, "unable to open tap device %s: %m", TAP_DEVICE);
 		return FALSE;
 	}
 	if (ioctl(tap, TUNSETIFF, &ifr) < 0 ||
 		ioctl(tap, TUNSETPERSIST, 0) < 0)
 	{
-		DBG1("removing %s failed: %m", this->hostif);
+		DBG1(DBG_LIB, "removing %s failed: %m", this->hostif);
 		close(tap);
 		return FALSE;
 	}
@@ -235,14 +235,14 @@ static char* create_tap(private_iface_t *this)
 	tap = open(TAP_DEVICE, O_RDWR);
 	if (tap < 0)
 	{
-		DBG1("unable to open tap device %s: %m", TAP_DEVICE);
+		DBG1(DBG_LIB, "unable to open tap device %s: %m", TAP_DEVICE);
 		return NULL;
 	}
 	if (ioctl(tap, TUNSETIFF, &ifr) < 0 ||
 		ioctl(tap, TUNSETPERSIST, 1) < 0 ||
 		ioctl(tap, TUNSETOWNER, 0))
 	{
-		DBG1("creating new tap device failed: %m");
+		DBG1(DBG_LIB, "creating new tap device failed: %m");
 		close(tap);
 		return NULL;
 	}
@@ -299,7 +299,7 @@ iface_t *iface_create(char *name, guest_t *guest, mconsole_t *mconsole)
 	}
 	if (!this->mconsole->add_iface(this->mconsole, this->guestif, this->hostif))
 	{
-		DBG1("creating interface '%s' in guest failed", this->guestif);
+		DBG1(DBG_LIB, "creating interface '%s' in guest failed", this->guestif);
 		destroy_tap(this);
 		free(this->guestif);
 		free(this->hostif);
@@ -308,7 +308,7 @@ iface_t *iface_create(char *name, guest_t *guest, mconsole_t *mconsole)
 	}
 	if (!iface_control(this->hostif, TRUE))
 	{
-		DBG1("bringing iface '%s' up failed: %m", this->hostif);
+		DBG1(DBG_LIB, "bringing iface '%s' up failed: %m", this->hostif);
 	}
 	return &this->public;
 }
diff --git a/src/dumm/mconsole.c b/src/dumm/mconsole.c
index 35984bdd5..7d982a54c 100644
--- a/src/dumm/mconsole.c
+++ b/src/dumm/mconsole.c
@@ -120,7 +120,7 @@ static int request(private_mconsole_t *this, void(*cb)(void*,char*,size_t),
 
 	if (len < 0)
 	{
-		DBG1("sending mconsole command to UML failed: %m");
+		DBG1(DBG_LIB, "sending mconsole command to UML failed: %m");
 		return -1;
 	}
 	do
@@ -136,7 +136,7 @@ static int request(private_mconsole_t *this, void(*cb)(void*,char*,size_t),
 		}
 		if (len < 0)
 		{
-			DBG1("receiving from mconsole failed: %m");
+			DBG1(DBG_LIB, "receiving from mconsole failed: %m");
 			return -1;
 		}
 		if (len > 0)
@@ -149,7 +149,7 @@ static int request(private_mconsole_t *this, void(*cb)(void*,char*,size_t),
 			{
 				if (reply.len && *reply.data)
 				{
-					DBG1("received mconsole error %d: %.*s",
+					DBG1(DBG_LIB, "received mconsole error %d: %.*s",
 						 reply.err, reply.len, reply.data);
 				}
 				break;
@@ -245,7 +245,7 @@ static bool wait_for_notify(private_mconsole_t *this, char *nsock)
 	this->notify = socket(AF_UNIX, SOCK_DGRAM, 0);
 	if (this->notify < 0)
 	{
-		DBG1("opening mconsole notify socket failed: %m");
+		DBG1(DBG_LIB, "opening mconsole notify socket failed: %m");
 		return FALSE;
 	}
 	memset(&addr, 0, sizeof(addr));
@@ -253,7 +253,8 @@ static bool wait_for_notify(private_mconsole_t *this, char *nsock)
 	strncpy(addr.sun_path, nsock, sizeof(addr.sun_path));
 	if (bind(this->notify, (struct sockaddr*)&addr, sizeof(addr)) < 0)
 	{
-		DBG1("binding mconsole notify socket to '%s' failed: %m", nsock);
+		DBG1(DBG_LIB, "binding mconsole notify socket to '%s' failed: %m",
+			 nsock);
 		close(this->notify);
 		return FALSE;
 	}
@@ -273,7 +274,7 @@ static bool wait_for_notify(private_mconsole_t *this, char *nsock)
 
 	if (len < 0 || len >= sizeof(notify))
 	{
-		DBG1("reading from mconsole notify socket failed: %m");
+		DBG1(DBG_LIB, "reading from mconsole notify socket failed: %m");
 		close(this->notify);
 		unlink(nsock);
 		return FALSE;
@@ -282,8 +283,8 @@ static bool wait_for_notify(private_mconsole_t *this, char *nsock)
 		notify.version != MCONSOLE_VERSION ||
 		notify.type != MCONSOLE_SOCKET)
 	{
-		DBG1("received unexpected message from mconsole notify socket: %b",
-			 &notify, sizeof(notify));
+		DBG1(DBG_LIB, "received unexpected message from mconsole notify"
+			 " socket: %b", &notify, sizeof(notify));
 		close(this->notify);
 		unlink(nsock);
 		return FALSE;
@@ -304,7 +305,7 @@ static bool setup_console(private_mconsole_t *this)
 	this->console = socket(AF_UNIX, SOCK_DGRAM, 0);
 	if (this->console < 0)
 	{
-		DBG1("opening mconsole socket failed: %m");
+		DBG1(DBG_LIB, "opening mconsole socket failed: %m");
 		return FALSE;
 	}
 	memset(&addr, 0, sizeof(addr));
@@ -313,7 +314,8 @@ static bool setup_console(private_mconsole_t *this)
 			 getpid(), this->console);
 	if (bind(this->console, (struct sockaddr*)&addr, sizeof(addr)) < 0)
 	{
-		DBG1("binding mconsole socket to '%s' failed: %m", &addr.sun_path[1]);
+		DBG1(DBG_LIB, "binding mconsole socket to '%s' failed: %m",
+			 &addr.sun_path[1]);
 		close(this->console);
 		return FALSE;
 	}
diff --git a/src/include/Makefile.am b/src/include/Makefile.am
index 6aeb84bae..9edad1141 100644
--- a/src/include/Makefile.am
+++ b/src/include/Makefile.am
@@ -1,3 +1,3 @@
 EXTRA_DIST = linux/ipsec.h linux/netlink.h linux/rtnetlink.h \
              linux/pfkeyv2.h linux/udp.h linux/xfrm.h linux/types.h \
-             sys/queue.h
+             linux/jhash.h sys/queue.h
diff --git a/src/include/Makefile.in b/src/include/Makefile.in
index 762b32649..720ba3a11 100644
--- a/src/include/Makefile.in
+++ b/src/include/Makefile.in
@@ -172,6 +172,7 @@ ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libhydra_plugins = @libhydra_plugins@
 libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
@@ -208,7 +209,7 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 EXTRA_DIST = linux/ipsec.h linux/netlink.h linux/rtnetlink.h \
              linux/pfkeyv2.h linux/udp.h linux/xfrm.h linux/types.h \
-             sys/queue.h
+             linux/jhash.h sys/queue.h
 
 all: all-am
 
diff --git a/src/include/linux/jhash.h b/src/include/linux/jhash.h
new file mode 100644
index 000000000..2a2f99fbc
--- /dev/null
+++ b/src/include/linux/jhash.h
@@ -0,0 +1,143 @@
+#ifndef _LINUX_JHASH_H
+#define _LINUX_JHASH_H
+
+/* jhash.h: Jenkins hash support.
+ *
+ * Copyright (C) 1996 Bob Jenkins (bob_jenkins@burtleburtle.net)
+ *
+ * http://burtleburtle.net/bob/hash/
+ *
+ * These are the credits from Bob's sources:
+ *
+ * lookup2.c, by Bob Jenkins, December 1996, Public Domain.
+ * hash(), hash2(), hash3, and mix() are externally useful functions.
+ * Routines to test the hash are included if SELF_TEST is defined.
+ * You can use this free for any purpose.  It has no warranty.
+ *
+ * Copyright (C) 2003 David S. Miller (davem@redhat.com)
+ *
+ * I've modified Bob's hash to be useful in the Linux kernel, and
+ * any bugs present are surely my fault.  -DaveM
+ */
+
+/* NOTE: Arguments are modified. */
+#define __jhash_mix(a, b, c) \
+{ \
+  a -= b; a -= c; a ^= (c>>13); \
+  b -= c; b -= a; b ^= (a<<8); \
+  c -= a; c -= b; c ^= (b>>13); \
+  a -= b; a -= c; a ^= (c>>12);  \
+  b -= c; b -= a; b ^= (a<<16); \
+  c -= a; c -= b; c ^= (b>>5); \
+  a -= b; a -= c; a ^= (c>>3);  \
+  b -= c; b -= a; b ^= (a<<10); \
+  c -= a; c -= b; c ^= (b>>15); \
+}
+
+/* The golden ration: an arbitrary value */
+#define JHASH_GOLDEN_RATIO	0x9e3779b9
+
+/* The most generic version, hashes an arbitrary sequence
+ * of bytes.  No alignment or length assumptions are made about
+ * the input key.
+ */
+static inline u32 jhash(const void *key, u32 length, u32 initval)
+{
+	u32 a, b, c, len;
+	const u8 *k = key;
+
+	len = length;
+	a = b = JHASH_GOLDEN_RATIO;
+	c = initval;
+
+	while (len >= 12) {
+		a += (k[0] +((u32)k[1]<<8) +((u32)k[2]<<16) +((u32)k[3]<<24));
+		b += (k[4] +((u32)k[5]<<8) +((u32)k[6]<<16) +((u32)k[7]<<24));
+		c += (k[8] +((u32)k[9]<<8) +((u32)k[10]<<16)+((u32)k[11]<<24));
+
+		__jhash_mix(a,b,c);
+
+		k += 12;
+		len -= 12;
+	}
+
+	c += length;
+	switch (len) {
+	case 11: c += ((u32)k[10]<<24);
+	case 10: c += ((u32)k[9]<<16);
+	case 9 : c += ((u32)k[8]<<8);
+	case 8 : b += ((u32)k[7]<<24);
+	case 7 : b += ((u32)k[6]<<16);
+	case 6 : b += ((u32)k[5]<<8);
+	case 5 : b += k[4];
+	case 4 : a += ((u32)k[3]<<24);
+	case 3 : a += ((u32)k[2]<<16);
+	case 2 : a += ((u32)k[1]<<8);
+	case 1 : a += k[0];
+	};
+
+	__jhash_mix(a,b,c);
+
+	return c;
+}
+
+/* A special optimized version that handles 1 or more of u32s.
+ * The length parameter here is the number of u32s in the key.
+ */
+static inline u32 jhash2(const u32 *k, u32 length, u32 initval)
+{
+	u32 a, b, c, len;
+
+	a = b = JHASH_GOLDEN_RATIO;
+	c = initval;
+	len = length;
+
+	while (len >= 3) {
+		a += k[0];
+		b += k[1];
+		c += k[2];
+		__jhash_mix(a, b, c);
+		k += 3; len -= 3;
+	}
+
+	c += length * 4;
+
+	switch (len) {
+	case 2 : b += k[1];
+	case 1 : a += k[0];
+	};
+
+	__jhash_mix(a,b,c);
+
+	return c;
+}
+
+
+/* A special ultra-optimized versions that knows they are hashing exactly
+ * 3, 2 or 1 word(s).
+ *
+ * NOTE: In partilar the "c += length; __jhash_mix(a,b,c);" normally
+ *       done at the end is not done here.
+ */
+static inline u32 jhash_3words(u32 a, u32 b, u32 c, u32 initval)
+{
+	a += JHASH_GOLDEN_RATIO;
+	b += JHASH_GOLDEN_RATIO;
+	c += initval;
+
+	__jhash_mix(a, b, c);
+
+	return c;
+}
+
+static inline u32 jhash_2words(u32 a, u32 b, u32 initval)
+{
+	return jhash_3words(a, b, 0, initval);
+}
+
+static inline u32 jhash_1word(u32 a, u32 initval)
+{
+	return jhash_3words(a, 0, 0, initval);
+}
+
+#endif /* _LINUX_JHASH_H */
diff --git a/src/include/linux/pfkeyv2.h b/src/include/linux/pfkeyv2.h
index b4b0712a4..7379d1a94 100644
--- a/src/include/linux/pfkeyv2.h
+++ b/src/include/linux/pfkeyv2.h
@@ -315,6 +315,7 @@ struct sadb_x_kmaddress {
 #define SADB_X_EALG_AES_GCM_ICV12	19
 #define SADB_X_EALG_AES_GCM_ICV16	20
 #define SADB_X_EALG_CAMELLIACBC		22
+#define SADB_X_EALG_NULL_AES_GMAC	23
 #define SADB_EALG_MAX                   253 /* last EALG */
 /* private allocations should use 249-255 (RFC2407) */
 #define SADB_X_EALG_SERPENTCBC  252     /* draft-ietf-ipsec-ciph-aes-cbc-00 */
diff --git a/src/ipsec/Makefile.in b/src/ipsec/Makefile.in
index ff88ed1ff..3834b672a 100644
--- a/src/ipsec/Makefile.in
+++ b/src/ipsec/Makefile.in
@@ -200,6 +200,7 @@ ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libhydra_plugins = @libhydra_plugins@
 libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
diff --git a/src/ipsec/ipsec.in b/src/ipsec/ipsec.in
index 1da3c2d90..0bddc201a 100755
--- a/src/ipsec/ipsec.in
+++ b/src/ipsec/ipsec.in
@@ -2,13 +2,13 @@
 # prefix command to run stuff from our programs directory
 # Copyright (C) 1998-2002  Henry Spencer.
 # Copyright (C) 2006 Andreas Steffen
-# Copyright (C) 2006 Martin Willi 
-# 
+# Copyright (C) 2006 Martin Willi
+#
 # This program is free software; you can redistribute it and/or modify it
 # under the terms of the GNU General Public License as published by the
 # Free Software Foundation; either version 2 of the License, or (at your
 # option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
-# 
+#
 # This program is distributed in the hope that it will be useful, but
 # WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 # or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
@@ -67,7 +67,7 @@ case "$1" in
 	echo "	rereadacerts|rereadcrls|rereadall"
 	echo "	purgeocsp|purgeike"
 	echo "	scencrypt|scdecrypt <value> [--inbase <base>] [--outbase <base>] [--keyid <id>]"
- 	echo "	openac"
+	echo "	openac"
 	echo "	pluto"
 	echo "	scepclient"
 	echo "	secrets"
@@ -138,17 +138,26 @@ listcards|rereadgroups)
 		$IPSEC_WHACK "$@" "--$op"
 		rc="$?"
 	fi
-	if [ -e $IPSEC_CHARON_PID ] 
-	then 
-		exit 3 
-	else 
-		exit 7 
-	fi 
+	if [ -e $IPSEC_CHARON_PID ]
+	then
+		exit 3
+	else
+		exit 7
+	fi
 	;;
 leases)
 	op="$1"
 	rc=7
 	shift
+	if [ -e $IPSEC_PLUTO_PID ]
+	then
+		case "$#" in
+		0) $IPSEC_WHACK "--$op" ;;
+		1) $IPSEC_WHACK "--$op" --name "$1" ;;
+		*) $IPSEC_WHACK "--$op" --name "$1" --lease-addr "$2" ;;
+		esac
+		rc="$?"
+	fi
 	if [ -e $IPSEC_CHARON_PID ]
 	then
 		case "$#" in
@@ -330,7 +339,7 @@ stop)
 			fi
 		fi
 	else
-	    	echo "Stopping strongSwan IPsec failed: starter is not running" >&2
+		echo "Stopping strongSwan IPsec failed: starter is not running" >&2
 	fi
 	if [ -d /var/lock/subsys ]; then
 		rm -f /var/lock/subsys/ipsec
diff --git a/src/libcharon/Android.mk b/src/libcharon/Android.mk
new file mode 100644
index 000000000..d473b455e
--- /dev/null
+++ b/src/libcharon/Android.mk
@@ -0,0 +1,174 @@
+LOCAL_PATH := $(call my-dir)
+include $(CLEAR_VARS)
+
+# copy-n-paste from Makefile.am
+LOCAL_SRC_FILES := \
+bus/bus.c bus/bus.h \
+bus/listeners/listener.h \
+bus/listeners/file_logger.c bus/listeners/file_logger.h \
+bus/listeners/sys_logger.c bus/listeners/sys_logger.h \
+config/backend_manager.c config/backend_manager.h config/backend.h \
+config/child_cfg.c config/child_cfg.h \
+config/ike_cfg.c config/ike_cfg.h \
+config/peer_cfg.c config/peer_cfg.h \
+config/proposal.c config/proposal.h \
+config/auth_cfg.c config/auth_cfg.h \
+control/controller.c control/controller.h \
+daemon.c daemon.h \
+encoding/generator.c encoding/generator.h \
+encoding/message.c encoding/message.h \
+encoding/parser.c encoding/parser.h \
+encoding/payloads/auth_payload.c encoding/payloads/auth_payload.h \
+encoding/payloads/cert_payload.c encoding/payloads/cert_payload.h \
+encoding/payloads/certreq_payload.c encoding/payloads/certreq_payload.h \
+encoding/payloads/configuration_attribute.c encoding/payloads/configuration_attribute.h \
+encoding/payloads/cp_payload.c encoding/payloads/cp_payload.h \
+encoding/payloads/delete_payload.c encoding/payloads/delete_payload.h \
+encoding/payloads/eap_payload.c encoding/payloads/eap_payload.h \
+encoding/payloads/encodings.c encoding/payloads/encodings.h \
+encoding/payloads/encryption_payload.c encoding/payloads/encryption_payload.h \
+encoding/payloads/id_payload.c encoding/payloads/id_payload.h \
+encoding/payloads/ike_header.c encoding/payloads/ike_header.h \
+encoding/payloads/ke_payload.c  encoding/payloads/ke_payload.h \
+encoding/payloads/nonce_payload.c encoding/payloads/nonce_payload.h \
+encoding/payloads/notify_payload.c encoding/payloads/notify_payload.h \
+encoding/payloads/payload.c encoding/payloads/payload.h \
+encoding/payloads/proposal_substructure.c encoding/payloads/proposal_substructure.h \
+encoding/payloads/sa_payload.c encoding/payloads/sa_payload.h \
+encoding/payloads/traffic_selector_substructure.c encoding/payloads/traffic_selector_substructure.h \
+encoding/payloads/transform_attribute.c encoding/payloads/transform_attribute.h \
+encoding/payloads/transform_substructure.c encoding/payloads/transform_substructure.h \
+encoding/payloads/ts_payload.c encoding/payloads/ts_payload.h \
+encoding/payloads/unknown_payload.c encoding/payloads/unknown_payload.h \
+encoding/payloads/vendor_id_payload.c encoding/payloads/vendor_id_payload.h \
+kernel/kernel_interface.c kernel/kernel_interface.h \
+kernel/kernel_ipsec.c kernel/kernel_ipsec.h \
+kernel/kernel_net.h \
+network/packet.c network/packet.h \
+network/receiver.c network/receiver.h \
+network/sender.c network/sender.h \
+network/socket_manager.c network/socket_manager.h network/socket.h \
+processing/jobs/job.h \
+processing/jobs/acquire_job.c processing/jobs/acquire_job.h \
+processing/jobs/callback_job.c processing/jobs/callback_job.h \
+processing/jobs/delete_child_sa_job.c processing/jobs/delete_child_sa_job.h \
+processing/jobs/delete_ike_sa_job.c processing/jobs/delete_ike_sa_job.h \
+processing/jobs/migrate_job.c processing/jobs/migrate_job.h \
+processing/jobs/process_message_job.c processing/jobs/process_message_job.h \
+processing/jobs/rekey_child_sa_job.c processing/jobs/rekey_child_sa_job.h \
+processing/jobs/rekey_ike_sa_job.c processing/jobs/rekey_ike_sa_job.h \
+processing/jobs/retransmit_job.c processing/jobs/retransmit_job.h \
+processing/jobs/send_dpd_job.c processing/jobs/send_dpd_job.h \
+processing/jobs/send_keepalive_job.c processing/jobs/send_keepalive_job.h \
+processing/jobs/roam_job.c processing/jobs/roam_job.h \
+processing/jobs/update_sa_job.c processing/jobs/update_sa_job.h \
+processing/jobs/inactivity_job.c processing/jobs/inactivity_job.h \
+processing/scheduler.c processing/scheduler.h \
+processing/processor.c processing/processor.h  \
+sa/authenticators/authenticator.c sa/authenticators/authenticator.h \
+sa/authenticators/eap_authenticator.c sa/authenticators/eap_authenticator.h \
+sa/authenticators/eap/eap_method.c sa/authenticators/eap/eap_method.h \
+sa/authenticators/eap/eap_manager.c sa/authenticators/eap/eap_manager.h \
+sa/authenticators/eap/sim_manager.c sa/authenticators/eap/sim_manager.h \
+sa/authenticators/psk_authenticator.c sa/authenticators/psk_authenticator.h \
+sa/authenticators/pubkey_authenticator.c sa/authenticators/pubkey_authenticator.h \
+sa/child_sa.c sa/child_sa.h \
+sa/ike_sa.c sa/ike_sa.h \
+sa/ike_sa_id.c sa/ike_sa_id.h \
+sa/ike_sa_manager.c sa/ike_sa_manager.h \
+sa/task_manager.c sa/task_manager.h \
+sa/keymat.c sa/keymat.h \
+sa/trap_manager.c sa/trap_manager.h \
+sa/tasks/child_create.c sa/tasks/child_create.h \
+sa/tasks/child_delete.c sa/tasks/child_delete.h \
+sa/tasks/child_rekey.c sa/tasks/child_rekey.h \
+sa/tasks/ike_auth.c sa/tasks/ike_auth.h \
+sa/tasks/ike_cert_pre.c sa/tasks/ike_cert_pre.h \
+sa/tasks/ike_cert_post.c sa/tasks/ike_cert_post.h \
+sa/tasks/ike_config.c sa/tasks/ike_config.h \
+sa/tasks/ike_delete.c sa/tasks/ike_delete.h \
+sa/tasks/ike_dpd.c sa/tasks/ike_dpd.h \
+sa/tasks/ike_init.c sa/tasks/ike_init.h \
+sa/tasks/ike_natd.c sa/tasks/ike_natd.h \
+sa/tasks/ike_mobike.c sa/tasks/ike_mobike.h \
+sa/tasks/ike_rekey.c sa/tasks/ike_rekey.h \
+sa/tasks/ike_reauth.c sa/tasks/ike_reauth.h \
+sa/tasks/ike_auth_lifetime.c sa/tasks/ike_auth_lifetime.h \
+sa/tasks/ike_vendor.c sa/tasks/ike_vendor.h \
+sa/tasks/task.c sa/tasks/task.h \
+credentials/credential_manager.c credentials/credential_manager.h \
+credentials/sets/auth_cfg_wrapper.c credentials/sets/auth_cfg_wrapper.h \
+credentials/sets/ocsp_response_wrapper.c credentials/sets/ocsp_response_wrapper.h \
+credentials/sets/cert_cache.c credentials/sets/cert_cache.h \
+credentials/credential_set.h
+
+# adding the plugin source files
+
+LOCAL_SRC_FILES += $(call add_plugin, android)
+ifneq ($(call plugin_enabled, android)),)
+LOCAL_SHARED_LIBRARIES += libcutils
+endif
+
+LOCAL_SRC_FILES += $(call add_plugin, attr)
+
+LOCAL_SRC_FILES += $(call add_plugin, eap-aka)
+
+LOCAL_SRC_FILES += $(call add_plugin, eap-aka-3gpp2)
+ifneq ($(call plugin_enabled, eap-aka-3gpp2)),)
+LOCAL_C_INCLUDES += $(libgmp_PATH)
+LOCAL_SHARED_LIBRARIES += libgmp
+endif
+
+LOCAL_SRC_FILES += $(call add_plugin, eap-gtc)
+
+LOCAL_SRC_FILES += $(call add_plugin, eap-identity)
+
+LOCAL_SRC_FILES += $(call add_plugin, eap-md5)
+
+LOCAL_SRC_FILES += $(call add_plugin, eap-mschapv2)
+
+LOCAL_SRC_FILES += $(call add_plugin, eap-sim)
+
+LOCAL_SRC_FILES += $(call add_plugin, eap-simaka-pseudonym)
+
+LOCAL_SRC_FILES += $(call add_plugin, eap-simaka-reauth)
+
+LOCAL_SRC_FILES += $(call add_plugin, eap-sim-file)
+
+# adding libakasim if either eap-aka or eap-sim is enabled
+ifneq ($(or $(call plugin_enabled, eap-aka), $(call plugin_enabled, eap-sim)),)
+LOCAL_C_INCLUDES += $(LOCAL_PATH)/../libsimaka/
+LOCAL_SRC_FILES += $(addprefix ../libsimaka/, \
+		simaka_message.h simaka_message.c \
+		simaka_crypto.h simaka_crypto.c \
+	)
+endif
+
+LOCAL_SRC_FILES += $(call add_plugin, kernel-netlink)
+
+LOCAL_SRC_FILES += $(call add_plugin, load-tester)
+
+LOCAL_SRC_FILES += $(call add_plugin, socket-default)
+
+LOCAL_SRC_FILES += $(call add_plugin, socket-dynamic)
+
+# build libcharon --------------------------------------------------------------
+
+LOCAL_C_INCLUDES += \
+	$(libvstr_PATH) \
+	$(strongswan_PATH)/src/include \
+	$(strongswan_PATH)/src/libhydra \
+	$(strongswan_PATH)/src/libstrongswan
+
+LOCAL_CFLAGS := $(strongswan_CFLAGS)
+
+LOCAL_MODULE := libcharon
+
+LOCAL_ARM_MODE := arm
+
+LOCAL_PRELINK_MODULE := false
+
+LOCAL_SHARED_LIBRARIES += libstrongswan libhydra
+
+include $(BUILD_SHARED_LIBRARY)
+
diff --git a/src/libcharon/Makefile.am b/src/libcharon/Makefile.am
new file mode 100644
index 000000000..0eaccf7a0
--- /dev/null
+++ b/src/libcharon/Makefile.am
@@ -0,0 +1,418 @@
+lib_LTLIBRARIES = libcharon.la
+
+libcharon_la_SOURCES = \
+bus/bus.c bus/bus.h \
+bus/listeners/listener.h \
+bus/listeners/file_logger.c bus/listeners/file_logger.h \
+bus/listeners/sys_logger.c bus/listeners/sys_logger.h \
+config/backend_manager.c config/backend_manager.h config/backend.h \
+config/child_cfg.c config/child_cfg.h \
+config/ike_cfg.c config/ike_cfg.h \
+config/peer_cfg.c config/peer_cfg.h \
+config/proposal.c config/proposal.h \
+config/auth_cfg.c config/auth_cfg.h \
+control/controller.c control/controller.h \
+daemon.c daemon.h \
+encoding/generator.c encoding/generator.h \
+encoding/message.c encoding/message.h \
+encoding/parser.c encoding/parser.h \
+encoding/payloads/auth_payload.c encoding/payloads/auth_payload.h \
+encoding/payloads/cert_payload.c encoding/payloads/cert_payload.h \
+encoding/payloads/certreq_payload.c encoding/payloads/certreq_payload.h \
+encoding/payloads/configuration_attribute.c encoding/payloads/configuration_attribute.h \
+encoding/payloads/cp_payload.c encoding/payloads/cp_payload.h \
+encoding/payloads/delete_payload.c encoding/payloads/delete_payload.h \
+encoding/payloads/eap_payload.c encoding/payloads/eap_payload.h \
+encoding/payloads/encodings.c encoding/payloads/encodings.h \
+encoding/payloads/encryption_payload.c encoding/payloads/encryption_payload.h \
+encoding/payloads/id_payload.c encoding/payloads/id_payload.h \
+encoding/payloads/ike_header.c encoding/payloads/ike_header.h \
+encoding/payloads/ke_payload.c  encoding/payloads/ke_payload.h \
+encoding/payloads/nonce_payload.c encoding/payloads/nonce_payload.h \
+encoding/payloads/notify_payload.c encoding/payloads/notify_payload.h \
+encoding/payloads/payload.c encoding/payloads/payload.h \
+encoding/payloads/proposal_substructure.c encoding/payloads/proposal_substructure.h \
+encoding/payloads/sa_payload.c encoding/payloads/sa_payload.h \
+encoding/payloads/traffic_selector_substructure.c encoding/payloads/traffic_selector_substructure.h \
+encoding/payloads/transform_attribute.c encoding/payloads/transform_attribute.h \
+encoding/payloads/transform_substructure.c encoding/payloads/transform_substructure.h \
+encoding/payloads/ts_payload.c encoding/payloads/ts_payload.h \
+encoding/payloads/unknown_payload.c encoding/payloads/unknown_payload.h \
+encoding/payloads/vendor_id_payload.c encoding/payloads/vendor_id_payload.h \
+kernel/kernel_interface.c kernel/kernel_interface.h \
+kernel/kernel_ipsec.c kernel/kernel_ipsec.h \
+kernel/kernel_net.h \
+network/packet.c network/packet.h \
+network/receiver.c network/receiver.h \
+network/sender.c network/sender.h \
+network/socket_manager.c network/socket_manager.h network/socket.h \
+processing/jobs/job.h \
+processing/jobs/acquire_job.c processing/jobs/acquire_job.h \
+processing/jobs/callback_job.c processing/jobs/callback_job.h \
+processing/jobs/delete_child_sa_job.c processing/jobs/delete_child_sa_job.h \
+processing/jobs/delete_ike_sa_job.c processing/jobs/delete_ike_sa_job.h \
+processing/jobs/migrate_job.c processing/jobs/migrate_job.h \
+processing/jobs/process_message_job.c processing/jobs/process_message_job.h \
+processing/jobs/rekey_child_sa_job.c processing/jobs/rekey_child_sa_job.h \
+processing/jobs/rekey_ike_sa_job.c processing/jobs/rekey_ike_sa_job.h \
+processing/jobs/retransmit_job.c processing/jobs/retransmit_job.h \
+processing/jobs/send_dpd_job.c processing/jobs/send_dpd_job.h \
+processing/jobs/send_keepalive_job.c processing/jobs/send_keepalive_job.h \
+processing/jobs/roam_job.c processing/jobs/roam_job.h \
+processing/jobs/update_sa_job.c processing/jobs/update_sa_job.h \
+processing/jobs/inactivity_job.c processing/jobs/inactivity_job.h \
+processing/scheduler.c processing/scheduler.h \
+processing/processor.c processing/processor.h  \
+sa/authenticators/authenticator.c sa/authenticators/authenticator.h \
+sa/authenticators/eap_authenticator.c sa/authenticators/eap_authenticator.h \
+sa/authenticators/eap/eap_method.c sa/authenticators/eap/eap_method.h \
+sa/authenticators/eap/eap_manager.c sa/authenticators/eap/eap_manager.h \
+sa/authenticators/eap/sim_manager.c sa/authenticators/eap/sim_manager.h \
+sa/authenticators/psk_authenticator.c sa/authenticators/psk_authenticator.h \
+sa/authenticators/pubkey_authenticator.c sa/authenticators/pubkey_authenticator.h \
+sa/child_sa.c sa/child_sa.h \
+sa/ike_sa.c sa/ike_sa.h \
+sa/ike_sa_id.c sa/ike_sa_id.h \
+sa/ike_sa_manager.c sa/ike_sa_manager.h \
+sa/task_manager.c sa/task_manager.h \
+sa/keymat.c sa/keymat.h \
+sa/trap_manager.c sa/trap_manager.h \
+sa/tasks/child_create.c sa/tasks/child_create.h \
+sa/tasks/child_delete.c sa/tasks/child_delete.h \
+sa/tasks/child_rekey.c sa/tasks/child_rekey.h \
+sa/tasks/ike_auth.c sa/tasks/ike_auth.h \
+sa/tasks/ike_cert_pre.c sa/tasks/ike_cert_pre.h \
+sa/tasks/ike_cert_post.c sa/tasks/ike_cert_post.h \
+sa/tasks/ike_config.c sa/tasks/ike_config.h \
+sa/tasks/ike_delete.c sa/tasks/ike_delete.h \
+sa/tasks/ike_dpd.c sa/tasks/ike_dpd.h \
+sa/tasks/ike_init.c sa/tasks/ike_init.h \
+sa/tasks/ike_natd.c sa/tasks/ike_natd.h \
+sa/tasks/ike_mobike.c sa/tasks/ike_mobike.h \
+sa/tasks/ike_rekey.c sa/tasks/ike_rekey.h \
+sa/tasks/ike_reauth.c sa/tasks/ike_reauth.h \
+sa/tasks/ike_auth_lifetime.c sa/tasks/ike_auth_lifetime.h \
+sa/tasks/ike_vendor.c sa/tasks/ike_vendor.h \
+sa/tasks/task.c sa/tasks/task.h \
+credentials/credential_manager.c credentials/credential_manager.h \
+credentials/sets/auth_cfg_wrapper.c credentials/sets/auth_cfg_wrapper.h \
+credentials/sets/ocsp_response_wrapper.c credentials/sets/ocsp_response_wrapper.h \
+credentials/sets/cert_cache.c credentials/sets/cert_cache.h \
+credentials/credential_set.h
+
+daemon.lo :		$(top_builddir)/config.status
+
+INCLUDES = \
+	-I${linux_headers} \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = \
+	-DIPSEC_DIR=\"${ipsecdir}\" \
+	-DIPSEC_PIDDIR=\"${piddir}\"
+
+libcharon_la_LIBADD = -lm $(PTHREADLIB) $(DLLIB) $(SOCKLIB)
+
+EXTRA_DIST = Android.mk
+
+# compile options
+#################
+
+if USE_ME
+  libcharon_la_SOURCES += encoding/payloads/endpoint_notify.c encoding/payloads/endpoint_notify.h \
+    processing/jobs/initiate_mediation_job.c processing/jobs/initiate_mediation_job.h \
+    processing/jobs/mediation_job.c processing/jobs/mediation_job.h \
+    sa/connect_manager.c sa/connect_manager.h \
+    sa/mediation_manager.c sa/mediation_manager.h \
+    sa/tasks/ike_me.c sa/tasks/ike_me.h
+endif
+
+if USE_CAPABILITIES
+  libcharon_la_LIBADD += -lcap
+endif
+
+# build optional plugins
+########################
+
+if MONOLITHIC
+SUBDIRS =
+else
+SUBDIRS = .
+endif
+
+PLUGINS = ${libstrongswan_plugins} ${libhydra_plugins}
+
+if USE_LOAD_TESTER
+  SUBDIRS += plugins/load_tester
+  PLUGINS += load-tester
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/load_tester/libstrongswan-load-tester.la
+endif
+endif
+
+if USE_KERNEL_PFKEY
+  SUBDIRS += plugins/kernel_pfkey
+  PLUGINS += kernel-pfkey
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/kernel_pfkey/libstrongswan-kernel-pfkey.la
+endif
+endif
+
+if USE_KERNEL_PFROUTE
+  SUBDIRS += plugins/kernel_pfroute
+  PLUGINS += kernel-pfroute
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/kernel_pfroute/libstrongswan-kernel-pfroute.la
+endif
+endif
+
+if USE_KERNEL_KLIPS
+  SUBDIRS += plugins/kernel_klips
+  PLUGINS += kernel-klips
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/kernel_klips/libstrongswan-kernel-klips.la
+endif
+endif
+
+if USE_KERNEL_NETLINK
+  SUBDIRS += plugins/kernel_netlink
+  PLUGINS += kernel-netlink
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/kernel_netlink/libstrongswan-kernel-netlink.la
+endif
+endif
+
+if USE_SOCKET_DEFAULT
+  SUBDIRS += plugins/socket_default
+  PLUGINS += socket-default
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/socket_default/libstrongswan-socket-default.la
+endif
+endif
+
+if USE_SOCKET_RAW
+  SUBDIRS += plugins/socket_raw
+  PLUGINS += socket-raw
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/socket_raw/libstrongswan-socket-raw.la
+endif
+endif
+
+if USE_SOCKET_DYNAMIC
+  SUBDIRS += plugins/socket_dynamic
+  PLUGINS += socket-dynamic
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/socket_dynamic/libstrongswan-socket-dynamic.la
+endif
+endif
+
+if USE_FARP
+  SUBDIRS += plugins/farp
+  PLUGINS += farp
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/farp/libstrongswan-farp.la
+endif
+endif
+
+if USE_STROKE
+  SUBDIRS += plugins/stroke
+  PLUGINS += stroke
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/stroke/libstrongswan-stroke.la
+endif
+endif
+
+if USE_SMP
+  SUBDIRS += plugins/smp
+  PLUGINS += smp
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/smp/libstrongswan-smp.la
+endif
+endif
+
+if USE_SQL
+  SUBDIRS += plugins/sql
+  PLUGINS += sql
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/sql/libstrongswan-sql.la
+endif
+endif
+
+if USE_UPDOWN
+  SUBDIRS += plugins/updown
+  PLUGINS += updown
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/updown/libstrongswan-updown.la
+endif
+endif
+
+if USE_EAP_IDENTITY
+  SUBDIRS += plugins/eap_identity
+  PLUGINS += eap-identity
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/eap_identity/libstrongswan-eap-identity.la
+endif
+endif
+
+if USE_EAP_SIM
+  SUBDIRS += plugins/eap_sim
+  PLUGINS += eap-sim
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/eap_sim/libstrongswan-eap-sim.la
+endif
+endif
+
+if USE_EAP_SIM_FILE
+  SUBDIRS += plugins/eap_sim_file
+  PLUGINS += eap-sim-file
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/eap_sim_file/libstrongswan-eap-sim-file.la
+endif
+endif
+
+if USE_EAP_SIMAKA_PSEUDONYM
+  SUBDIRS += plugins/eap_simaka_pseudonym
+  PLUGINS += eap-simaka-pseudonym
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/eap_simaka_pseudonym/libstrongswan-eap-simaka-pseudonym.la
+endif
+endif
+
+if USE_EAP_SIMAKA_REAUTH
+  SUBDIRS += plugins/eap_simaka_reauth
+  PLUGINS += eap-simaka-reauth
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/eap_simaka_reauth/libstrongswan-eap-simaka-reauth.la
+endif
+endif
+
+if USE_EAP_AKA
+  SUBDIRS += plugins/eap_aka
+  PLUGINS += eap-aka
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/eap_aka/libstrongswan-eap-aka.la
+endif
+endif
+
+if USE_EAP_AKA_3GPP2
+  SUBDIRS += plugins/eap_aka_3gpp2
+  PLUGINS += eap-aka-3gpp2
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/eap_aka_3gpp2/libstrongswan-eap-aka-3gpp2.la
+endif
+endif
+
+if USE_SIMAKA
+if MONOLITHIC
+  # otherwise this library is linked to both the eap_aka and the eap_sim plugin
+  libcharon_la_LIBADD += $(top_builddir)/src/libsimaka/libsimaka.la
+endif
+endif
+
+if USE_EAP_MD5
+  SUBDIRS += plugins/eap_md5
+  PLUGINS += eap-md5
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/eap_md5/libstrongswan-eap-md5.la
+endif
+endif
+
+if USE_EAP_GTC
+  SUBDIRS += plugins/eap_gtc
+  PLUGINS += eap-gtc
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/eap_gtc/libstrongswan-eap-gtc.la
+endif
+endif
+
+if USE_EAP_MSCHAPV2
+  SUBDIRS += plugins/eap_mschapv2
+  PLUGINS += eap-mschapv2
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/eap_mschapv2/libstrongswan-eap-mschapv2.la
+endif
+endif
+
+if USE_EAP_RADIUS
+  SUBDIRS += plugins/eap_radius
+  PLUGINS += eap-radius
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/eap_radius/libstrongswan-eap-radius.la
+endif
+endif
+
+if USE_MEDSRV
+  SUBDIRS += plugins/medsrv
+  PLUGINS += medsrv
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/medsrv/libstrongswan-medsrv.la
+endif
+endif
+
+if USE_MEDCLI
+  SUBDIRS += plugins/medcli
+  PLUGINS += medcli
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/medcli/libstrongswan-medcli.la
+endif
+endif
+
+if USE_NM
+  SUBDIRS += plugins/nm
+  PLUGINS += nm
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/nm/libstrongswan-nm.la
+endif
+endif
+
+if USE_DHCP
+  SUBDIRS += plugins/dhcp
+  PLUGINS += dhcp
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/dhcp/libstrongswan-dhcp.la
+endif
+endif
+
+if USE_RESOLVE
+  SUBDIRS += plugins/resolve
+  PLUGINS += resolve
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/resolve/libstrongswan-resolve.la
+endif
+endif
+
+if USE_ANDROID
+  SUBDIRS += plugins/android
+  PLUGINS += android
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/android/libstrongswan-android.la
+endif
+endif
+
+if USE_HA
+  SUBDIRS += plugins/ha
+  PLUGINS += ha
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/ha/libstrongswan-ha.la
+endif
+endif
+
+if USE_UCI
+  SUBDIRS += plugins/uci
+  PLUGINS += uci
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/uci/libstrongswan-uci.la
+endif
+endif
+
+if USE_UNIT_TESTS
+  SUBDIRS += plugins/unit_tester
+  PLUGINS += unit-tester
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/unit_tester/libstrongswan-unit-tester.la
+endif
+endif
+
+AM_CFLAGS += -DPLUGINS=\""${PLUGINS}\""
+
diff --git a/src/libcharon/Makefile.in b/src/libcharon/Makefile.in
new file mode 100644
index 000000000..0eb6f36f4
--- /dev/null
+++ b/src/libcharon/Makefile.in
@@ -0,0 +1,1994 @@
+# Makefile.in generated by automake 1.11 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+
+# compile options
+#################
+@USE_ME_TRUE@am__append_1 = encoding/payloads/endpoint_notify.c encoding/payloads/endpoint_notify.h \
+@USE_ME_TRUE@    processing/jobs/initiate_mediation_job.c processing/jobs/initiate_mediation_job.h \
+@USE_ME_TRUE@    processing/jobs/mediation_job.c processing/jobs/mediation_job.h \
+@USE_ME_TRUE@    sa/connect_manager.c sa/connect_manager.h \
+@USE_ME_TRUE@    sa/mediation_manager.c sa/mediation_manager.h \
+@USE_ME_TRUE@    sa/tasks/ike_me.c sa/tasks/ike_me.h
+
+@USE_CAPABILITIES_TRUE@am__append_2 = -lcap
+@USE_LOAD_TESTER_TRUE@am__append_3 = plugins/load_tester
+@USE_LOAD_TESTER_TRUE@am__append_4 = load-tester
+@MONOLITHIC_TRUE@@USE_LOAD_TESTER_TRUE@am__append_5 = plugins/load_tester/libstrongswan-load-tester.la
+@USE_KERNEL_PFKEY_TRUE@am__append_6 = plugins/kernel_pfkey
+@USE_KERNEL_PFKEY_TRUE@am__append_7 = kernel-pfkey
+@MONOLITHIC_TRUE@@USE_KERNEL_PFKEY_TRUE@am__append_8 = plugins/kernel_pfkey/libstrongswan-kernel-pfkey.la
+@USE_KERNEL_PFROUTE_TRUE@am__append_9 = plugins/kernel_pfroute
+@USE_KERNEL_PFROUTE_TRUE@am__append_10 = kernel-pfroute
+@MONOLITHIC_TRUE@@USE_KERNEL_PFROUTE_TRUE@am__append_11 = plugins/kernel_pfroute/libstrongswan-kernel-pfroute.la
+@USE_KERNEL_KLIPS_TRUE@am__append_12 = plugins/kernel_klips
+@USE_KERNEL_KLIPS_TRUE@am__append_13 = kernel-klips
+@MONOLITHIC_TRUE@@USE_KERNEL_KLIPS_TRUE@am__append_14 = plugins/kernel_klips/libstrongswan-kernel-klips.la
+@USE_KERNEL_NETLINK_TRUE@am__append_15 = plugins/kernel_netlink
+@USE_KERNEL_NETLINK_TRUE@am__append_16 = kernel-netlink
+@MONOLITHIC_TRUE@@USE_KERNEL_NETLINK_TRUE@am__append_17 = plugins/kernel_netlink/libstrongswan-kernel-netlink.la
+@USE_SOCKET_DEFAULT_TRUE@am__append_18 = plugins/socket_default
+@USE_SOCKET_DEFAULT_TRUE@am__append_19 = socket-default
+@MONOLITHIC_TRUE@@USE_SOCKET_DEFAULT_TRUE@am__append_20 = plugins/socket_default/libstrongswan-socket-default.la
+@USE_SOCKET_RAW_TRUE@am__append_21 = plugins/socket_raw
+@USE_SOCKET_RAW_TRUE@am__append_22 = socket-raw
+@MONOLITHIC_TRUE@@USE_SOCKET_RAW_TRUE@am__append_23 = plugins/socket_raw/libstrongswan-socket-raw.la
+@USE_SOCKET_DYNAMIC_TRUE@am__append_24 = plugins/socket_dynamic
+@USE_SOCKET_DYNAMIC_TRUE@am__append_25 = socket-dynamic
+@MONOLITHIC_TRUE@@USE_SOCKET_DYNAMIC_TRUE@am__append_26 = plugins/socket_dynamic/libstrongswan-socket-dynamic.la
+@USE_FARP_TRUE@am__append_27 = plugins/farp
+@USE_FARP_TRUE@am__append_28 = farp
+@MONOLITHIC_TRUE@@USE_FARP_TRUE@am__append_29 = plugins/farp/libstrongswan-farp.la
+@USE_STROKE_TRUE@am__append_30 = plugins/stroke
+@USE_STROKE_TRUE@am__append_31 = stroke
+@MONOLITHIC_TRUE@@USE_STROKE_TRUE@am__append_32 = plugins/stroke/libstrongswan-stroke.la
+@USE_SMP_TRUE@am__append_33 = plugins/smp
+@USE_SMP_TRUE@am__append_34 = smp
+@MONOLITHIC_TRUE@@USE_SMP_TRUE@am__append_35 = plugins/smp/libstrongswan-smp.la
+@USE_SQL_TRUE@am__append_36 = plugins/sql
+@USE_SQL_TRUE@am__append_37 = sql
+@MONOLITHIC_TRUE@@USE_SQL_TRUE@am__append_38 = plugins/sql/libstrongswan-sql.la
+@USE_UPDOWN_TRUE@am__append_39 = plugins/updown
+@USE_UPDOWN_TRUE@am__append_40 = updown
+@MONOLITHIC_TRUE@@USE_UPDOWN_TRUE@am__append_41 = plugins/updown/libstrongswan-updown.la
+@USE_EAP_IDENTITY_TRUE@am__append_42 = plugins/eap_identity
+@USE_EAP_IDENTITY_TRUE@am__append_43 = eap-identity
+@MONOLITHIC_TRUE@@USE_EAP_IDENTITY_TRUE@am__append_44 = plugins/eap_identity/libstrongswan-eap-identity.la
+@USE_EAP_SIM_TRUE@am__append_45 = plugins/eap_sim
+@USE_EAP_SIM_TRUE@am__append_46 = eap-sim
+@MONOLITHIC_TRUE@@USE_EAP_SIM_TRUE@am__append_47 = plugins/eap_sim/libstrongswan-eap-sim.la
+@USE_EAP_SIM_FILE_TRUE@am__append_48 = plugins/eap_sim_file
+@USE_EAP_SIM_FILE_TRUE@am__append_49 = eap-sim-file
+@MONOLITHIC_TRUE@@USE_EAP_SIM_FILE_TRUE@am__append_50 = plugins/eap_sim_file/libstrongswan-eap-sim-file.la
+@USE_EAP_SIMAKA_PSEUDONYM_TRUE@am__append_51 = plugins/eap_simaka_pseudonym
+@USE_EAP_SIMAKA_PSEUDONYM_TRUE@am__append_52 = eap-simaka-pseudonym
+@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_PSEUDONYM_TRUE@am__append_53 = plugins/eap_simaka_pseudonym/libstrongswan-eap-simaka-pseudonym.la
+@USE_EAP_SIMAKA_REAUTH_TRUE@am__append_54 = plugins/eap_simaka_reauth
+@USE_EAP_SIMAKA_REAUTH_TRUE@am__append_55 = eap-simaka-reauth
+@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_REAUTH_TRUE@am__append_56 = plugins/eap_simaka_reauth/libstrongswan-eap-simaka-reauth.la
+@USE_EAP_AKA_TRUE@am__append_57 = plugins/eap_aka
+@USE_EAP_AKA_TRUE@am__append_58 = eap-aka
+@MONOLITHIC_TRUE@@USE_EAP_AKA_TRUE@am__append_59 = plugins/eap_aka/libstrongswan-eap-aka.la
+@USE_EAP_AKA_3GPP2_TRUE@am__append_60 = plugins/eap_aka_3gpp2
+@USE_EAP_AKA_3GPP2_TRUE@am__append_61 = eap-aka-3gpp2
+@MONOLITHIC_TRUE@@USE_EAP_AKA_3GPP2_TRUE@am__append_62 = plugins/eap_aka_3gpp2/libstrongswan-eap-aka-3gpp2.la
+@MONOLITHIC_TRUE@@USE_SIMAKA_TRUE@am__append_63 = $(top_builddir)/src/libsimaka/libsimaka.la
+@USE_EAP_MD5_TRUE@am__append_64 = plugins/eap_md5
+@USE_EAP_MD5_TRUE@am__append_65 = eap-md5
+@MONOLITHIC_TRUE@@USE_EAP_MD5_TRUE@am__append_66 = plugins/eap_md5/libstrongswan-eap-md5.la
+@USE_EAP_GTC_TRUE@am__append_67 = plugins/eap_gtc
+@USE_EAP_GTC_TRUE@am__append_68 = eap-gtc
+@MONOLITHIC_TRUE@@USE_EAP_GTC_TRUE@am__append_69 = plugins/eap_gtc/libstrongswan-eap-gtc.la
+@USE_EAP_MSCHAPV2_TRUE@am__append_70 = plugins/eap_mschapv2
+@USE_EAP_MSCHAPV2_TRUE@am__append_71 = eap-mschapv2
+@MONOLITHIC_TRUE@@USE_EAP_MSCHAPV2_TRUE@am__append_72 = plugins/eap_mschapv2/libstrongswan-eap-mschapv2.la
+@USE_EAP_RADIUS_TRUE@am__append_73 = plugins/eap_radius
+@USE_EAP_RADIUS_TRUE@am__append_74 = eap-radius
+@MONOLITHIC_TRUE@@USE_EAP_RADIUS_TRUE@am__append_75 = plugins/eap_radius/libstrongswan-eap-radius.la
+@USE_MEDSRV_TRUE@am__append_76 = plugins/medsrv
+@USE_MEDSRV_TRUE@am__append_77 = medsrv
+@MONOLITHIC_TRUE@@USE_MEDSRV_TRUE@am__append_78 = plugins/medsrv/libstrongswan-medsrv.la
+@USE_MEDCLI_TRUE@am__append_79 = plugins/medcli
+@USE_MEDCLI_TRUE@am__append_80 = medcli
+@MONOLITHIC_TRUE@@USE_MEDCLI_TRUE@am__append_81 = plugins/medcli/libstrongswan-medcli.la
+@USE_NM_TRUE@am__append_82 = plugins/nm
+@USE_NM_TRUE@am__append_83 = nm
+@MONOLITHIC_TRUE@@USE_NM_TRUE@am__append_84 = plugins/nm/libstrongswan-nm.la
+@USE_DHCP_TRUE@am__append_85 = plugins/dhcp
+@USE_DHCP_TRUE@am__append_86 = dhcp
+@MONOLITHIC_TRUE@@USE_DHCP_TRUE@am__append_87 = plugins/dhcp/libstrongswan-dhcp.la
+@USE_RESOLVE_TRUE@am__append_88 = plugins/resolve
+@USE_RESOLVE_TRUE@am__append_89 = resolve
+@MONOLITHIC_TRUE@@USE_RESOLVE_TRUE@am__append_90 = plugins/resolve/libstrongswan-resolve.la
+@USE_ANDROID_TRUE@am__append_91 = plugins/android
+@USE_ANDROID_TRUE@am__append_92 = android
+@MONOLITHIC_TRUE@@USE_ANDROID_TRUE@am__append_93 = plugins/android/libstrongswan-android.la
+@USE_HA_TRUE@am__append_94 = plugins/ha
+@USE_HA_TRUE@am__append_95 = ha
+@MONOLITHIC_TRUE@@USE_HA_TRUE@am__append_96 = plugins/ha/libstrongswan-ha.la
+@USE_UCI_TRUE@am__append_97 = plugins/uci
+@USE_UCI_TRUE@am__append_98 = uci
+@MONOLITHIC_TRUE@@USE_UCI_TRUE@am__append_99 = plugins/uci/libstrongswan-uci.la
+@USE_UNIT_TESTS_TRUE@am__append_100 = plugins/unit_tester
+@USE_UNIT_TESTS_TRUE@am__append_101 = unit-tester
+@MONOLITHIC_TRUE@@USE_UNIT_TESTS_TRUE@am__append_102 = plugins/unit_tester/libstrongswan-unit-tester.la
+subdir = src/libcharon
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(libdir)"
+LTLIBRARIES = $(lib_LTLIBRARIES)
+am__DEPENDENCIES_1 =
+libcharon_la_DEPENDENCIES = $(am__DEPENDENCIES_1) \
+	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
+	$(am__DEPENDENCIES_1) $(am__append_5) $(am__append_8) \
+	$(am__append_11) $(am__append_14) $(am__append_17) \
+	$(am__append_20) $(am__append_23) $(am__append_26) \
+	$(am__append_29) $(am__append_32) $(am__append_35) \
+	$(am__append_38) $(am__append_41) $(am__append_44) \
+	$(am__append_47) $(am__append_50) $(am__append_53) \
+	$(am__append_56) $(am__append_59) $(am__append_62) \
+	$(am__append_63) $(am__append_66) $(am__append_69) \
+	$(am__append_72) $(am__append_75) $(am__append_78) \
+	$(am__append_81) $(am__append_84) $(am__append_87) \
+	$(am__append_90) $(am__append_93) $(am__append_96) \
+	$(am__append_99) $(am__append_102)
+am__libcharon_la_SOURCES_DIST = bus/bus.c bus/bus.h \
+	bus/listeners/listener.h bus/listeners/file_logger.c \
+	bus/listeners/file_logger.h bus/listeners/sys_logger.c \
+	bus/listeners/sys_logger.h config/backend_manager.c \
+	config/backend_manager.h config/backend.h config/child_cfg.c \
+	config/child_cfg.h config/ike_cfg.c config/ike_cfg.h \
+	config/peer_cfg.c config/peer_cfg.h config/proposal.c \
+	config/proposal.h config/auth_cfg.c config/auth_cfg.h \
+	control/controller.c control/controller.h daemon.c daemon.h \
+	encoding/generator.c encoding/generator.h encoding/message.c \
+	encoding/message.h encoding/parser.c encoding/parser.h \
+	encoding/payloads/auth_payload.c \
+	encoding/payloads/auth_payload.h \
+	encoding/payloads/cert_payload.c \
+	encoding/payloads/cert_payload.h \
+	encoding/payloads/certreq_payload.c \
+	encoding/payloads/certreq_payload.h \
+	encoding/payloads/configuration_attribute.c \
+	encoding/payloads/configuration_attribute.h \
+	encoding/payloads/cp_payload.c encoding/payloads/cp_payload.h \
+	encoding/payloads/delete_payload.c \
+	encoding/payloads/delete_payload.h \
+	encoding/payloads/eap_payload.c \
+	encoding/payloads/eap_payload.h encoding/payloads/encodings.c \
+	encoding/payloads/encodings.h \
+	encoding/payloads/encryption_payload.c \
+	encoding/payloads/encryption_payload.h \
+	encoding/payloads/id_payload.c encoding/payloads/id_payload.h \
+	encoding/payloads/ike_header.c encoding/payloads/ike_header.h \
+	encoding/payloads/ke_payload.c encoding/payloads/ke_payload.h \
+	encoding/payloads/nonce_payload.c \
+	encoding/payloads/nonce_payload.h \
+	encoding/payloads/notify_payload.c \
+	encoding/payloads/notify_payload.h encoding/payloads/payload.c \
+	encoding/payloads/payload.h \
+	encoding/payloads/proposal_substructure.c \
+	encoding/payloads/proposal_substructure.h \
+	encoding/payloads/sa_payload.c encoding/payloads/sa_payload.h \
+	encoding/payloads/traffic_selector_substructure.c \
+	encoding/payloads/traffic_selector_substructure.h \
+	encoding/payloads/transform_attribute.c \
+	encoding/payloads/transform_attribute.h \
+	encoding/payloads/transform_substructure.c \
+	encoding/payloads/transform_substructure.h \
+	encoding/payloads/ts_payload.c encoding/payloads/ts_payload.h \
+	encoding/payloads/unknown_payload.c \
+	encoding/payloads/unknown_payload.h \
+	encoding/payloads/vendor_id_payload.c \
+	encoding/payloads/vendor_id_payload.h \
+	kernel/kernel_interface.c kernel/kernel_interface.h \
+	kernel/kernel_ipsec.c kernel/kernel_ipsec.h \
+	kernel/kernel_net.h network/packet.c network/packet.h \
+	network/receiver.c network/receiver.h network/sender.c \
+	network/sender.h network/socket_manager.c \
+	network/socket_manager.h network/socket.h \
+	processing/jobs/job.h processing/jobs/acquire_job.c \
+	processing/jobs/acquire_job.h processing/jobs/callback_job.c \
+	processing/jobs/callback_job.h \
+	processing/jobs/delete_child_sa_job.c \
+	processing/jobs/delete_child_sa_job.h \
+	processing/jobs/delete_ike_sa_job.c \
+	processing/jobs/delete_ike_sa_job.h \
+	processing/jobs/migrate_job.c processing/jobs/migrate_job.h \
+	processing/jobs/process_message_job.c \
+	processing/jobs/process_message_job.h \
+	processing/jobs/rekey_child_sa_job.c \
+	processing/jobs/rekey_child_sa_job.h \
+	processing/jobs/rekey_ike_sa_job.c \
+	processing/jobs/rekey_ike_sa_job.h \
+	processing/jobs/retransmit_job.c \
+	processing/jobs/retransmit_job.h \
+	processing/jobs/send_dpd_job.c processing/jobs/send_dpd_job.h \
+	processing/jobs/send_keepalive_job.c \
+	processing/jobs/send_keepalive_job.h \
+	processing/jobs/roam_job.c processing/jobs/roam_job.h \
+	processing/jobs/update_sa_job.c \
+	processing/jobs/update_sa_job.h \
+	processing/jobs/inactivity_job.c \
+	processing/jobs/inactivity_job.h processing/scheduler.c \
+	processing/scheduler.h processing/processor.c \
+	processing/processor.h sa/authenticators/authenticator.c \
+	sa/authenticators/authenticator.h \
+	sa/authenticators/eap_authenticator.c \
+	sa/authenticators/eap_authenticator.h \
+	sa/authenticators/eap/eap_method.c \
+	sa/authenticators/eap/eap_method.h \
+	sa/authenticators/eap/eap_manager.c \
+	sa/authenticators/eap/eap_manager.h \
+	sa/authenticators/eap/sim_manager.c \
+	sa/authenticators/eap/sim_manager.h \
+	sa/authenticators/psk_authenticator.c \
+	sa/authenticators/psk_authenticator.h \
+	sa/authenticators/pubkey_authenticator.c \
+	sa/authenticators/pubkey_authenticator.h sa/child_sa.c \
+	sa/child_sa.h sa/ike_sa.c sa/ike_sa.h sa/ike_sa_id.c \
+	sa/ike_sa_id.h sa/ike_sa_manager.c sa/ike_sa_manager.h \
+	sa/task_manager.c sa/task_manager.h sa/keymat.c sa/keymat.h \
+	sa/trap_manager.c sa/trap_manager.h sa/tasks/child_create.c \
+	sa/tasks/child_create.h sa/tasks/child_delete.c \
+	sa/tasks/child_delete.h sa/tasks/child_rekey.c \
+	sa/tasks/child_rekey.h sa/tasks/ike_auth.c sa/tasks/ike_auth.h \
+	sa/tasks/ike_cert_pre.c sa/tasks/ike_cert_pre.h \
+	sa/tasks/ike_cert_post.c sa/tasks/ike_cert_post.h \
+	sa/tasks/ike_config.c sa/tasks/ike_config.h \
+	sa/tasks/ike_delete.c sa/tasks/ike_delete.h sa/tasks/ike_dpd.c \
+	sa/tasks/ike_dpd.h sa/tasks/ike_init.c sa/tasks/ike_init.h \
+	sa/tasks/ike_natd.c sa/tasks/ike_natd.h sa/tasks/ike_mobike.c \
+	sa/tasks/ike_mobike.h sa/tasks/ike_rekey.c \
+	sa/tasks/ike_rekey.h sa/tasks/ike_reauth.c \
+	sa/tasks/ike_reauth.h sa/tasks/ike_auth_lifetime.c \
+	sa/tasks/ike_auth_lifetime.h sa/tasks/ike_vendor.c \
+	sa/tasks/ike_vendor.h sa/tasks/task.c sa/tasks/task.h \
+	credentials/credential_manager.c \
+	credentials/credential_manager.h \
+	credentials/sets/auth_cfg_wrapper.c \
+	credentials/sets/auth_cfg_wrapper.h \
+	credentials/sets/ocsp_response_wrapper.c \
+	credentials/sets/ocsp_response_wrapper.h \
+	credentials/sets/cert_cache.c credentials/sets/cert_cache.h \
+	credentials/credential_set.h \
+	encoding/payloads/endpoint_notify.c \
+	encoding/payloads/endpoint_notify.h \
+	processing/jobs/initiate_mediation_job.c \
+	processing/jobs/initiate_mediation_job.h \
+	processing/jobs/mediation_job.c \
+	processing/jobs/mediation_job.h sa/connect_manager.c \
+	sa/connect_manager.h sa/mediation_manager.c \
+	sa/mediation_manager.h sa/tasks/ike_me.c sa/tasks/ike_me.h
+@USE_ME_TRUE@am__objects_1 = endpoint_notify.lo \
+@USE_ME_TRUE@	initiate_mediation_job.lo mediation_job.lo \
+@USE_ME_TRUE@	connect_manager.lo mediation_manager.lo ike_me.lo
+am_libcharon_la_OBJECTS = bus.lo file_logger.lo sys_logger.lo \
+	backend_manager.lo child_cfg.lo ike_cfg.lo peer_cfg.lo \
+	proposal.lo auth_cfg.lo controller.lo daemon.lo generator.lo \
+	message.lo parser.lo auth_payload.lo cert_payload.lo \
+	certreq_payload.lo configuration_attribute.lo cp_payload.lo \
+	delete_payload.lo eap_payload.lo encodings.lo \
+	encryption_payload.lo id_payload.lo ike_header.lo \
+	ke_payload.lo nonce_payload.lo notify_payload.lo payload.lo \
+	proposal_substructure.lo sa_payload.lo \
+	traffic_selector_substructure.lo transform_attribute.lo \
+	transform_substructure.lo ts_payload.lo unknown_payload.lo \
+	vendor_id_payload.lo kernel_interface.lo kernel_ipsec.lo \
+	packet.lo receiver.lo sender.lo socket_manager.lo \
+	acquire_job.lo callback_job.lo delete_child_sa_job.lo \
+	delete_ike_sa_job.lo migrate_job.lo process_message_job.lo \
+	rekey_child_sa_job.lo rekey_ike_sa_job.lo retransmit_job.lo \
+	send_dpd_job.lo send_keepalive_job.lo roam_job.lo \
+	update_sa_job.lo inactivity_job.lo scheduler.lo processor.lo \
+	authenticator.lo eap_authenticator.lo eap_method.lo \
+	eap_manager.lo sim_manager.lo psk_authenticator.lo \
+	pubkey_authenticator.lo child_sa.lo ike_sa.lo ike_sa_id.lo \
+	ike_sa_manager.lo task_manager.lo keymat.lo trap_manager.lo \
+	child_create.lo child_delete.lo child_rekey.lo ike_auth.lo \
+	ike_cert_pre.lo ike_cert_post.lo ike_config.lo ike_delete.lo \
+	ike_dpd.lo ike_init.lo ike_natd.lo ike_mobike.lo ike_rekey.lo \
+	ike_reauth.lo ike_auth_lifetime.lo ike_vendor.lo task.lo \
+	credential_manager.lo auth_cfg_wrapper.lo \
+	ocsp_response_wrapper.lo cert_cache.lo $(am__objects_1)
+libcharon_la_OBJECTS = $(am_libcharon_la_OBJECTS)
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libcharon_la_SOURCES)
+DIST_SOURCES = $(am__libcharon_la_SOURCES_DIST)
+RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \
+	html-recursive info-recursive install-data-recursive \
+	install-dvi-recursive install-exec-recursive \
+	install-html-recursive install-info-recursive \
+	install-pdf-recursive install-ps-recursive install-recursive \
+	installcheck-recursive installdirs-recursive pdf-recursive \
+	ps-recursive uninstall-recursive
+RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive	\
+  distclean-recursive maintainer-clean-recursive
+AM_RECURSIVE_TARGETS = $(RECURSIVE_TARGETS:-recursive=) \
+	$(RECURSIVE_CLEAN_TARGETS:-recursive=) tags TAGS ctags CTAGS \
+	distdir
+ETAGS = etags
+CTAGS = ctags
+DIST_SUBDIRS = . plugins/load_tester plugins/kernel_pfkey \
+	plugins/kernel_pfroute plugins/kernel_klips \
+	plugins/kernel_netlink plugins/socket_default \
+	plugins/socket_raw plugins/socket_dynamic plugins/farp \
+	plugins/stroke plugins/smp plugins/sql plugins/updown \
+	plugins/eap_identity plugins/eap_sim plugins/eap_sim_file \
+	plugins/eap_simaka_pseudonym plugins/eap_simaka_reauth \
+	plugins/eap_aka plugins/eap_aka_3gpp2 plugins/eap_md5 \
+	plugins/eap_gtc plugins/eap_mschapv2 plugins/eap_radius \
+	plugins/medsrv plugins/medcli plugins/nm plugins/dhcp \
+	plugins/resolve plugins/android plugins/ha plugins/uci \
+	plugins/unit_tester
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+am__relativize = \
+  dir0=`pwd`; \
+  sed_first='s,^\([^/]*\)/.*$$,\1,'; \
+  sed_rest='s,^[^/]*/*,,'; \
+  sed_last='s,^.*/\([^/]*\)$$,\1,'; \
+  sed_butlast='s,/*[^/]*$$,,'; \
+  while test -n "$$dir1"; do \
+    first=`echo "$$dir1" | sed -e "$$sed_first"`; \
+    if test "$$first" != "."; then \
+      if test "$$first" = ".."; then \
+        dir2=`echo "$$dir0" | sed -e "$$sed_last"`/"$$dir2"; \
+        dir0=`echo "$$dir0" | sed -e "$$sed_butlast"`; \
+      else \
+        first2=`echo "$$dir2" | sed -e "$$sed_first"`; \
+        if test "$$first2" = "$$first"; then \
+          dir2=`echo "$$dir2" | sed -e "$$sed_rest"`; \
+        else \
+          dir2="../$$dir2"; \
+        fi; \
+        dir0="$$dir0"/"$$first"; \
+      fi; \
+    fi; \
+    dir1=`echo "$$dir1" | sed -e "$$sed_rest"`; \
+  done; \
+  reldir="$$dir2"
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libhydra_plugins = @libhydra_plugins@
+libstrongswan_plugins = @libstrongswan_plugins@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+lib_LTLIBRARIES = libcharon.la
+libcharon_la_SOURCES = bus/bus.c bus/bus.h bus/listeners/listener.h \
+	bus/listeners/file_logger.c bus/listeners/file_logger.h \
+	bus/listeners/sys_logger.c bus/listeners/sys_logger.h \
+	config/backend_manager.c config/backend_manager.h \
+	config/backend.h config/child_cfg.c config/child_cfg.h \
+	config/ike_cfg.c config/ike_cfg.h config/peer_cfg.c \
+	config/peer_cfg.h config/proposal.c config/proposal.h \
+	config/auth_cfg.c config/auth_cfg.h control/controller.c \
+	control/controller.h daemon.c daemon.h encoding/generator.c \
+	encoding/generator.h encoding/message.c encoding/message.h \
+	encoding/parser.c encoding/parser.h \
+	encoding/payloads/auth_payload.c \
+	encoding/payloads/auth_payload.h \
+	encoding/payloads/cert_payload.c \
+	encoding/payloads/cert_payload.h \
+	encoding/payloads/certreq_payload.c \
+	encoding/payloads/certreq_payload.h \
+	encoding/payloads/configuration_attribute.c \
+	encoding/payloads/configuration_attribute.h \
+	encoding/payloads/cp_payload.c encoding/payloads/cp_payload.h \
+	encoding/payloads/delete_payload.c \
+	encoding/payloads/delete_payload.h \
+	encoding/payloads/eap_payload.c \
+	encoding/payloads/eap_payload.h encoding/payloads/encodings.c \
+	encoding/payloads/encodings.h \
+	encoding/payloads/encryption_payload.c \
+	encoding/payloads/encryption_payload.h \
+	encoding/payloads/id_payload.c encoding/payloads/id_payload.h \
+	encoding/payloads/ike_header.c encoding/payloads/ike_header.h \
+	encoding/payloads/ke_payload.c encoding/payloads/ke_payload.h \
+	encoding/payloads/nonce_payload.c \
+	encoding/payloads/nonce_payload.h \
+	encoding/payloads/notify_payload.c \
+	encoding/payloads/notify_payload.h encoding/payloads/payload.c \
+	encoding/payloads/payload.h \
+	encoding/payloads/proposal_substructure.c \
+	encoding/payloads/proposal_substructure.h \
+	encoding/payloads/sa_payload.c encoding/payloads/sa_payload.h \
+	encoding/payloads/traffic_selector_substructure.c \
+	encoding/payloads/traffic_selector_substructure.h \
+	encoding/payloads/transform_attribute.c \
+	encoding/payloads/transform_attribute.h \
+	encoding/payloads/transform_substructure.c \
+	encoding/payloads/transform_substructure.h \
+	encoding/payloads/ts_payload.c encoding/payloads/ts_payload.h \
+	encoding/payloads/unknown_payload.c \
+	encoding/payloads/unknown_payload.h \
+	encoding/payloads/vendor_id_payload.c \
+	encoding/payloads/vendor_id_payload.h \
+	kernel/kernel_interface.c kernel/kernel_interface.h \
+	kernel/kernel_ipsec.c kernel/kernel_ipsec.h \
+	kernel/kernel_net.h network/packet.c network/packet.h \
+	network/receiver.c network/receiver.h network/sender.c \
+	network/sender.h network/socket_manager.c \
+	network/socket_manager.h network/socket.h \
+	processing/jobs/job.h processing/jobs/acquire_job.c \
+	processing/jobs/acquire_job.h processing/jobs/callback_job.c \
+	processing/jobs/callback_job.h \
+	processing/jobs/delete_child_sa_job.c \
+	processing/jobs/delete_child_sa_job.h \
+	processing/jobs/delete_ike_sa_job.c \
+	processing/jobs/delete_ike_sa_job.h \
+	processing/jobs/migrate_job.c processing/jobs/migrate_job.h \
+	processing/jobs/process_message_job.c \
+	processing/jobs/process_message_job.h \
+	processing/jobs/rekey_child_sa_job.c \
+	processing/jobs/rekey_child_sa_job.h \
+	processing/jobs/rekey_ike_sa_job.c \
+	processing/jobs/rekey_ike_sa_job.h \
+	processing/jobs/retransmit_job.c \
+	processing/jobs/retransmit_job.h \
+	processing/jobs/send_dpd_job.c processing/jobs/send_dpd_job.h \
+	processing/jobs/send_keepalive_job.c \
+	processing/jobs/send_keepalive_job.h \
+	processing/jobs/roam_job.c processing/jobs/roam_job.h \
+	processing/jobs/update_sa_job.c \
+	processing/jobs/update_sa_job.h \
+	processing/jobs/inactivity_job.c \
+	processing/jobs/inactivity_job.h processing/scheduler.c \
+	processing/scheduler.h processing/processor.c \
+	processing/processor.h sa/authenticators/authenticator.c \
+	sa/authenticators/authenticator.h \
+	sa/authenticators/eap_authenticator.c \
+	sa/authenticators/eap_authenticator.h \
+	sa/authenticators/eap/eap_method.c \
+	sa/authenticators/eap/eap_method.h \
+	sa/authenticators/eap/eap_manager.c \
+	sa/authenticators/eap/eap_manager.h \
+	sa/authenticators/eap/sim_manager.c \
+	sa/authenticators/eap/sim_manager.h \
+	sa/authenticators/psk_authenticator.c \
+	sa/authenticators/psk_authenticator.h \
+	sa/authenticators/pubkey_authenticator.c \
+	sa/authenticators/pubkey_authenticator.h sa/child_sa.c \
+	sa/child_sa.h sa/ike_sa.c sa/ike_sa.h sa/ike_sa_id.c \
+	sa/ike_sa_id.h sa/ike_sa_manager.c sa/ike_sa_manager.h \
+	sa/task_manager.c sa/task_manager.h sa/keymat.c sa/keymat.h \
+	sa/trap_manager.c sa/trap_manager.h sa/tasks/child_create.c \
+	sa/tasks/child_create.h sa/tasks/child_delete.c \
+	sa/tasks/child_delete.h sa/tasks/child_rekey.c \
+	sa/tasks/child_rekey.h sa/tasks/ike_auth.c sa/tasks/ike_auth.h \
+	sa/tasks/ike_cert_pre.c sa/tasks/ike_cert_pre.h \
+	sa/tasks/ike_cert_post.c sa/tasks/ike_cert_post.h \
+	sa/tasks/ike_config.c sa/tasks/ike_config.h \
+	sa/tasks/ike_delete.c sa/tasks/ike_delete.h sa/tasks/ike_dpd.c \
+	sa/tasks/ike_dpd.h sa/tasks/ike_init.c sa/tasks/ike_init.h \
+	sa/tasks/ike_natd.c sa/tasks/ike_natd.h sa/tasks/ike_mobike.c \
+	sa/tasks/ike_mobike.h sa/tasks/ike_rekey.c \
+	sa/tasks/ike_rekey.h sa/tasks/ike_reauth.c \
+	sa/tasks/ike_reauth.h sa/tasks/ike_auth_lifetime.c \
+	sa/tasks/ike_auth_lifetime.h sa/tasks/ike_vendor.c \
+	sa/tasks/ike_vendor.h sa/tasks/task.c sa/tasks/task.h \
+	credentials/credential_manager.c \
+	credentials/credential_manager.h \
+	credentials/sets/auth_cfg_wrapper.c \
+	credentials/sets/auth_cfg_wrapper.h \
+	credentials/sets/ocsp_response_wrapper.c \
+	credentials/sets/ocsp_response_wrapper.h \
+	credentials/sets/cert_cache.c credentials/sets/cert_cache.h \
+	credentials/credential_set.h $(am__append_1)
+INCLUDES = \
+	-I${linux_headers} \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" -DIPSEC_PIDDIR=\"${piddir}\" \
+	-DPLUGINS=\""${PLUGINS}\""
+libcharon_la_LIBADD = -lm $(PTHREADLIB) $(DLLIB) $(SOCKLIB) \
+	$(am__append_2) $(am__append_5) $(am__append_8) \
+	$(am__append_11) $(am__append_14) $(am__append_17) \
+	$(am__append_20) $(am__append_23) $(am__append_26) \
+	$(am__append_29) $(am__append_32) $(am__append_35) \
+	$(am__append_38) $(am__append_41) $(am__append_44) \
+	$(am__append_47) $(am__append_50) $(am__append_53) \
+	$(am__append_56) $(am__append_59) $(am__append_62) \
+	$(am__append_63) $(am__append_66) $(am__append_69) \
+	$(am__append_72) $(am__append_75) $(am__append_78) \
+	$(am__append_81) $(am__append_84) $(am__append_87) \
+	$(am__append_90) $(am__append_93) $(am__append_96) \
+	$(am__append_99) $(am__append_102)
+EXTRA_DIST = Android.mk
+@MONOLITHIC_FALSE@SUBDIRS = . $(am__append_3) $(am__append_6) \
+@MONOLITHIC_FALSE@	$(am__append_9) $(am__append_12) \
+@MONOLITHIC_FALSE@	$(am__append_15) $(am__append_18) \
+@MONOLITHIC_FALSE@	$(am__append_21) $(am__append_24) \
+@MONOLITHIC_FALSE@	$(am__append_27) $(am__append_30) \
+@MONOLITHIC_FALSE@	$(am__append_33) $(am__append_36) \
+@MONOLITHIC_FALSE@	$(am__append_39) $(am__append_42) \
+@MONOLITHIC_FALSE@	$(am__append_45) $(am__append_48) \
+@MONOLITHIC_FALSE@	$(am__append_51) $(am__append_54) \
+@MONOLITHIC_FALSE@	$(am__append_57) $(am__append_60) \
+@MONOLITHIC_FALSE@	$(am__append_64) $(am__append_67) \
+@MONOLITHIC_FALSE@	$(am__append_70) $(am__append_73) \
+@MONOLITHIC_FALSE@	$(am__append_76) $(am__append_79) \
+@MONOLITHIC_FALSE@	$(am__append_82) $(am__append_85) \
+@MONOLITHIC_FALSE@	$(am__append_88) $(am__append_91) \
+@MONOLITHIC_FALSE@	$(am__append_94) $(am__append_97) \
+@MONOLITHIC_FALSE@	$(am__append_100)
+
+# build optional plugins
+########################
+@MONOLITHIC_TRUE@SUBDIRS = $(am__append_3) $(am__append_6) \
+@MONOLITHIC_TRUE@	$(am__append_9) $(am__append_12) \
+@MONOLITHIC_TRUE@	$(am__append_15) $(am__append_18) \
+@MONOLITHIC_TRUE@	$(am__append_21) $(am__append_24) \
+@MONOLITHIC_TRUE@	$(am__append_27) $(am__append_30) \
+@MONOLITHIC_TRUE@	$(am__append_33) $(am__append_36) \
+@MONOLITHIC_TRUE@	$(am__append_39) $(am__append_42) \
+@MONOLITHIC_TRUE@	$(am__append_45) $(am__append_48) \
+@MONOLITHIC_TRUE@	$(am__append_51) $(am__append_54) \
+@MONOLITHIC_TRUE@	$(am__append_57) $(am__append_60) \
+@MONOLITHIC_TRUE@	$(am__append_64) $(am__append_67) \
+@MONOLITHIC_TRUE@	$(am__append_70) $(am__append_73) \
+@MONOLITHIC_TRUE@	$(am__append_76) $(am__append_79) \
+@MONOLITHIC_TRUE@	$(am__append_82) $(am__append_85) \
+@MONOLITHIC_TRUE@	$(am__append_88) $(am__append_91) \
+@MONOLITHIC_TRUE@	$(am__append_94) $(am__append_97) \
+@MONOLITHIC_TRUE@	$(am__append_100)
+PLUGINS = ${libstrongswan_plugins} ${libhydra_plugins} $(am__append_4) \
+	$(am__append_7) $(am__append_10) $(am__append_13) \
+	$(am__append_16) $(am__append_19) $(am__append_22) \
+	$(am__append_25) $(am__append_28) $(am__append_31) \
+	$(am__append_34) $(am__append_37) $(am__append_40) \
+	$(am__append_43) $(am__append_46) $(am__append_49) \
+	$(am__append_52) $(am__append_55) $(am__append_58) \
+	$(am__append_61) $(am__append_65) $(am__append_68) \
+	$(am__append_71) $(am__append_74) $(am__append_77) \
+	$(am__append_80) $(am__append_83) $(am__append_86) \
+	$(am__append_89) $(am__append_92) $(am__append_95) \
+	$(am__append_98) $(am__append_101)
+all: all-recursive
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libcharon/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+install-libLTLIBRARIES: $(lib_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(libdir)" || $(MKDIR_P) "$(DESTDIR)$(libdir)"
+	@list='$(lib_LTLIBRARIES)'; test -n "$(libdir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(libdir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(libdir)"; \
+	}
+
+uninstall-libLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(lib_LTLIBRARIES)'; test -n "$(libdir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(libdir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(libdir)/$$f"; \
+	done
+
+clean-libLTLIBRARIES:
+	-test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES)
+	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libcharon.la: $(libcharon_la_OBJECTS) $(libcharon_la_DEPENDENCIES) 
+	$(LINK) -rpath $(libdir) $(libcharon_la_OBJECTS) $(libcharon_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/acquire_job.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/auth_cfg.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/auth_cfg_wrapper.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/auth_payload.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/authenticator.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/backend_manager.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bus.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/callback_job.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cert_cache.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cert_payload.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/certreq_payload.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/child_cfg.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/child_create.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/child_delete.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/child_rekey.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/child_sa.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/configuration_attribute.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/connect_manager.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/controller.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cp_payload.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/credential_manager.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/daemon.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/delete_child_sa_job.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/delete_ike_sa_job.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/delete_payload.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_authenticator.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_manager.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_method.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_payload.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/encodings.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/encryption_payload.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/endpoint_notify.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/file_logger.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/generator.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/id_payload.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_auth.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_auth_lifetime.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_cert_post.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_cert_pre.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_cfg.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_config.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_delete.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_dpd.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_header.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_init.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_me.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_mobike.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_natd.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_reauth.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_rekey.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_sa.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_sa_id.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_sa_manager.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_vendor.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/inactivity_job.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/initiate_mediation_job.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ke_payload.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_interface.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_ipsec.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/keymat.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mediation_job.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mediation_manager.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/message.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/migrate_job.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/nonce_payload.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/notify_payload.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ocsp_response_wrapper.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/packet.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/parser.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/payload.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/peer_cfg.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/process_message_job.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/processor.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/proposal.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/proposal_substructure.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/psk_authenticator.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pubkey_authenticator.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/receiver.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rekey_child_sa_job.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rekey_ike_sa_job.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/retransmit_job.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/roam_job.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sa_payload.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/scheduler.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/send_dpd_job.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/send_keepalive_job.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sender.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sim_manager.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/socket_manager.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sys_logger.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/task.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/task_manager.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/traffic_selector_substructure.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/transform_attribute.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/transform_substructure.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/trap_manager.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ts_payload.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/unknown_payload.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/update_sa_job.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/vendor_id_payload.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+bus.lo: bus/bus.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT bus.lo -MD -MP -MF $(DEPDIR)/bus.Tpo -c -o bus.lo `test -f 'bus/bus.c' || echo '$(srcdir)/'`bus/bus.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/bus.Tpo $(DEPDIR)/bus.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='bus/bus.c' object='bus.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o bus.lo `test -f 'bus/bus.c' || echo '$(srcdir)/'`bus/bus.c
+
+file_logger.lo: bus/listeners/file_logger.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT file_logger.lo -MD -MP -MF $(DEPDIR)/file_logger.Tpo -c -o file_logger.lo `test -f 'bus/listeners/file_logger.c' || echo '$(srcdir)/'`bus/listeners/file_logger.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/file_logger.Tpo $(DEPDIR)/file_logger.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='bus/listeners/file_logger.c' object='file_logger.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o file_logger.lo `test -f 'bus/listeners/file_logger.c' || echo '$(srcdir)/'`bus/listeners/file_logger.c
+
+sys_logger.lo: bus/listeners/sys_logger.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sys_logger.lo -MD -MP -MF $(DEPDIR)/sys_logger.Tpo -c -o sys_logger.lo `test -f 'bus/listeners/sys_logger.c' || echo '$(srcdir)/'`bus/listeners/sys_logger.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/sys_logger.Tpo $(DEPDIR)/sys_logger.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='bus/listeners/sys_logger.c' object='sys_logger.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sys_logger.lo `test -f 'bus/listeners/sys_logger.c' || echo '$(srcdir)/'`bus/listeners/sys_logger.c
+
+backend_manager.lo: config/backend_manager.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT backend_manager.lo -MD -MP -MF $(DEPDIR)/backend_manager.Tpo -c -o backend_manager.lo `test -f 'config/backend_manager.c' || echo '$(srcdir)/'`config/backend_manager.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/backend_manager.Tpo $(DEPDIR)/backend_manager.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='config/backend_manager.c' object='backend_manager.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o backend_manager.lo `test -f 'config/backend_manager.c' || echo '$(srcdir)/'`config/backend_manager.c
+
+child_cfg.lo: config/child_cfg.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT child_cfg.lo -MD -MP -MF $(DEPDIR)/child_cfg.Tpo -c -o child_cfg.lo `test -f 'config/child_cfg.c' || echo '$(srcdir)/'`config/child_cfg.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/child_cfg.Tpo $(DEPDIR)/child_cfg.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='config/child_cfg.c' object='child_cfg.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o child_cfg.lo `test -f 'config/child_cfg.c' || echo '$(srcdir)/'`config/child_cfg.c
+
+ike_cfg.lo: config/ike_cfg.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_cfg.lo -MD -MP -MF $(DEPDIR)/ike_cfg.Tpo -c -o ike_cfg.lo `test -f 'config/ike_cfg.c' || echo '$(srcdir)/'`config/ike_cfg.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_cfg.Tpo $(DEPDIR)/ike_cfg.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='config/ike_cfg.c' object='ike_cfg.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_cfg.lo `test -f 'config/ike_cfg.c' || echo '$(srcdir)/'`config/ike_cfg.c
+
+peer_cfg.lo: config/peer_cfg.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT peer_cfg.lo -MD -MP -MF $(DEPDIR)/peer_cfg.Tpo -c -o peer_cfg.lo `test -f 'config/peer_cfg.c' || echo '$(srcdir)/'`config/peer_cfg.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/peer_cfg.Tpo $(DEPDIR)/peer_cfg.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='config/peer_cfg.c' object='peer_cfg.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o peer_cfg.lo `test -f 'config/peer_cfg.c' || echo '$(srcdir)/'`config/peer_cfg.c
+
+proposal.lo: config/proposal.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT proposal.lo -MD -MP -MF $(DEPDIR)/proposal.Tpo -c -o proposal.lo `test -f 'config/proposal.c' || echo '$(srcdir)/'`config/proposal.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/proposal.Tpo $(DEPDIR)/proposal.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='config/proposal.c' object='proposal.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o proposal.lo `test -f 'config/proposal.c' || echo '$(srcdir)/'`config/proposal.c
+
+auth_cfg.lo: config/auth_cfg.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT auth_cfg.lo -MD -MP -MF $(DEPDIR)/auth_cfg.Tpo -c -o auth_cfg.lo `test -f 'config/auth_cfg.c' || echo '$(srcdir)/'`config/auth_cfg.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/auth_cfg.Tpo $(DEPDIR)/auth_cfg.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='config/auth_cfg.c' object='auth_cfg.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o auth_cfg.lo `test -f 'config/auth_cfg.c' || echo '$(srcdir)/'`config/auth_cfg.c
+
+controller.lo: control/controller.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT controller.lo -MD -MP -MF $(DEPDIR)/controller.Tpo -c -o controller.lo `test -f 'control/controller.c' || echo '$(srcdir)/'`control/controller.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/controller.Tpo $(DEPDIR)/controller.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='control/controller.c' object='controller.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o controller.lo `test -f 'control/controller.c' || echo '$(srcdir)/'`control/controller.c
+
+generator.lo: encoding/generator.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT generator.lo -MD -MP -MF $(DEPDIR)/generator.Tpo -c -o generator.lo `test -f 'encoding/generator.c' || echo '$(srcdir)/'`encoding/generator.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/generator.Tpo $(DEPDIR)/generator.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/generator.c' object='generator.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o generator.lo `test -f 'encoding/generator.c' || echo '$(srcdir)/'`encoding/generator.c
+
+message.lo: encoding/message.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT message.lo -MD -MP -MF $(DEPDIR)/message.Tpo -c -o message.lo `test -f 'encoding/message.c' || echo '$(srcdir)/'`encoding/message.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/message.Tpo $(DEPDIR)/message.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/message.c' object='message.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o message.lo `test -f 'encoding/message.c' || echo '$(srcdir)/'`encoding/message.c
+
+parser.lo: encoding/parser.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT parser.lo -MD -MP -MF $(DEPDIR)/parser.Tpo -c -o parser.lo `test -f 'encoding/parser.c' || echo '$(srcdir)/'`encoding/parser.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/parser.Tpo $(DEPDIR)/parser.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/parser.c' object='parser.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o parser.lo `test -f 'encoding/parser.c' || echo '$(srcdir)/'`encoding/parser.c
+
+auth_payload.lo: encoding/payloads/auth_payload.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT auth_payload.lo -MD -MP -MF $(DEPDIR)/auth_payload.Tpo -c -o auth_payload.lo `test -f 'encoding/payloads/auth_payload.c' || echo '$(srcdir)/'`encoding/payloads/auth_payload.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/auth_payload.Tpo $(DEPDIR)/auth_payload.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/auth_payload.c' object='auth_payload.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o auth_payload.lo `test -f 'encoding/payloads/auth_payload.c' || echo '$(srcdir)/'`encoding/payloads/auth_payload.c
+
+cert_payload.lo: encoding/payloads/cert_payload.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cert_payload.lo -MD -MP -MF $(DEPDIR)/cert_payload.Tpo -c -o cert_payload.lo `test -f 'encoding/payloads/cert_payload.c' || echo '$(srcdir)/'`encoding/payloads/cert_payload.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/cert_payload.Tpo $(DEPDIR)/cert_payload.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/cert_payload.c' object='cert_payload.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cert_payload.lo `test -f 'encoding/payloads/cert_payload.c' || echo '$(srcdir)/'`encoding/payloads/cert_payload.c
+
+certreq_payload.lo: encoding/payloads/certreq_payload.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT certreq_payload.lo -MD -MP -MF $(DEPDIR)/certreq_payload.Tpo -c -o certreq_payload.lo `test -f 'encoding/payloads/certreq_payload.c' || echo '$(srcdir)/'`encoding/payloads/certreq_payload.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/certreq_payload.Tpo $(DEPDIR)/certreq_payload.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/certreq_payload.c' object='certreq_payload.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o certreq_payload.lo `test -f 'encoding/payloads/certreq_payload.c' || echo '$(srcdir)/'`encoding/payloads/certreq_payload.c
+
+configuration_attribute.lo: encoding/payloads/configuration_attribute.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT configuration_attribute.lo -MD -MP -MF $(DEPDIR)/configuration_attribute.Tpo -c -o configuration_attribute.lo `test -f 'encoding/payloads/configuration_attribute.c' || echo '$(srcdir)/'`encoding/payloads/configuration_attribute.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/configuration_attribute.Tpo $(DEPDIR)/configuration_attribute.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/configuration_attribute.c' object='configuration_attribute.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o configuration_attribute.lo `test -f 'encoding/payloads/configuration_attribute.c' || echo '$(srcdir)/'`encoding/payloads/configuration_attribute.c
+
+cp_payload.lo: encoding/payloads/cp_payload.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cp_payload.lo -MD -MP -MF $(DEPDIR)/cp_payload.Tpo -c -o cp_payload.lo `test -f 'encoding/payloads/cp_payload.c' || echo '$(srcdir)/'`encoding/payloads/cp_payload.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/cp_payload.Tpo $(DEPDIR)/cp_payload.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/cp_payload.c' object='cp_payload.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cp_payload.lo `test -f 'encoding/payloads/cp_payload.c' || echo '$(srcdir)/'`encoding/payloads/cp_payload.c
+
+delete_payload.lo: encoding/payloads/delete_payload.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT delete_payload.lo -MD -MP -MF $(DEPDIR)/delete_payload.Tpo -c -o delete_payload.lo `test -f 'encoding/payloads/delete_payload.c' || echo '$(srcdir)/'`encoding/payloads/delete_payload.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/delete_payload.Tpo $(DEPDIR)/delete_payload.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/delete_payload.c' object='delete_payload.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o delete_payload.lo `test -f 'encoding/payloads/delete_payload.c' || echo '$(srcdir)/'`encoding/payloads/delete_payload.c
+
+eap_payload.lo: encoding/payloads/eap_payload.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT eap_payload.lo -MD -MP -MF $(DEPDIR)/eap_payload.Tpo -c -o eap_payload.lo `test -f 'encoding/payloads/eap_payload.c' || echo '$(srcdir)/'`encoding/payloads/eap_payload.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/eap_payload.Tpo $(DEPDIR)/eap_payload.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/eap_payload.c' object='eap_payload.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o eap_payload.lo `test -f 'encoding/payloads/eap_payload.c' || echo '$(srcdir)/'`encoding/payloads/eap_payload.c
+
+encodings.lo: encoding/payloads/encodings.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT encodings.lo -MD -MP -MF $(DEPDIR)/encodings.Tpo -c -o encodings.lo `test -f 'encoding/payloads/encodings.c' || echo '$(srcdir)/'`encoding/payloads/encodings.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/encodings.Tpo $(DEPDIR)/encodings.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/encodings.c' object='encodings.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o encodings.lo `test -f 'encoding/payloads/encodings.c' || echo '$(srcdir)/'`encoding/payloads/encodings.c
+
+encryption_payload.lo: encoding/payloads/encryption_payload.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT encryption_payload.lo -MD -MP -MF $(DEPDIR)/encryption_payload.Tpo -c -o encryption_payload.lo `test -f 'encoding/payloads/encryption_payload.c' || echo '$(srcdir)/'`encoding/payloads/encryption_payload.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/encryption_payload.Tpo $(DEPDIR)/encryption_payload.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/encryption_payload.c' object='encryption_payload.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o encryption_payload.lo `test -f 'encoding/payloads/encryption_payload.c' || echo '$(srcdir)/'`encoding/payloads/encryption_payload.c
+
+id_payload.lo: encoding/payloads/id_payload.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT id_payload.lo -MD -MP -MF $(DEPDIR)/id_payload.Tpo -c -o id_payload.lo `test -f 'encoding/payloads/id_payload.c' || echo '$(srcdir)/'`encoding/payloads/id_payload.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/id_payload.Tpo $(DEPDIR)/id_payload.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/id_payload.c' object='id_payload.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o id_payload.lo `test -f 'encoding/payloads/id_payload.c' || echo '$(srcdir)/'`encoding/payloads/id_payload.c
+
+ike_header.lo: encoding/payloads/ike_header.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_header.lo -MD -MP -MF $(DEPDIR)/ike_header.Tpo -c -o ike_header.lo `test -f 'encoding/payloads/ike_header.c' || echo '$(srcdir)/'`encoding/payloads/ike_header.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_header.Tpo $(DEPDIR)/ike_header.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/ike_header.c' object='ike_header.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_header.lo `test -f 'encoding/payloads/ike_header.c' || echo '$(srcdir)/'`encoding/payloads/ike_header.c
+
+ke_payload.lo: encoding/payloads/ke_payload.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ke_payload.lo -MD -MP -MF $(DEPDIR)/ke_payload.Tpo -c -o ke_payload.lo `test -f 'encoding/payloads/ke_payload.c' || echo '$(srcdir)/'`encoding/payloads/ke_payload.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ke_payload.Tpo $(DEPDIR)/ke_payload.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/ke_payload.c' object='ke_payload.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ke_payload.lo `test -f 'encoding/payloads/ke_payload.c' || echo '$(srcdir)/'`encoding/payloads/ke_payload.c
+
+nonce_payload.lo: encoding/payloads/nonce_payload.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT nonce_payload.lo -MD -MP -MF $(DEPDIR)/nonce_payload.Tpo -c -o nonce_payload.lo `test -f 'encoding/payloads/nonce_payload.c' || echo '$(srcdir)/'`encoding/payloads/nonce_payload.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/nonce_payload.Tpo $(DEPDIR)/nonce_payload.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/nonce_payload.c' object='nonce_payload.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o nonce_payload.lo `test -f 'encoding/payloads/nonce_payload.c' || echo '$(srcdir)/'`encoding/payloads/nonce_payload.c
+
+notify_payload.lo: encoding/payloads/notify_payload.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT notify_payload.lo -MD -MP -MF $(DEPDIR)/notify_payload.Tpo -c -o notify_payload.lo `test -f 'encoding/payloads/notify_payload.c' || echo '$(srcdir)/'`encoding/payloads/notify_payload.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/notify_payload.Tpo $(DEPDIR)/notify_payload.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/notify_payload.c' object='notify_payload.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o notify_payload.lo `test -f 'encoding/payloads/notify_payload.c' || echo '$(srcdir)/'`encoding/payloads/notify_payload.c
+
+payload.lo: encoding/payloads/payload.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT payload.lo -MD -MP -MF $(DEPDIR)/payload.Tpo -c -o payload.lo `test -f 'encoding/payloads/payload.c' || echo '$(srcdir)/'`encoding/payloads/payload.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/payload.Tpo $(DEPDIR)/payload.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/payload.c' object='payload.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o payload.lo `test -f 'encoding/payloads/payload.c' || echo '$(srcdir)/'`encoding/payloads/payload.c
+
+proposal_substructure.lo: encoding/payloads/proposal_substructure.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT proposal_substructure.lo -MD -MP -MF $(DEPDIR)/proposal_substructure.Tpo -c -o proposal_substructure.lo `test -f 'encoding/payloads/proposal_substructure.c' || echo '$(srcdir)/'`encoding/payloads/proposal_substructure.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/proposal_substructure.Tpo $(DEPDIR)/proposal_substructure.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/proposal_substructure.c' object='proposal_substructure.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o proposal_substructure.lo `test -f 'encoding/payloads/proposal_substructure.c' || echo '$(srcdir)/'`encoding/payloads/proposal_substructure.c
+
+sa_payload.lo: encoding/payloads/sa_payload.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sa_payload.lo -MD -MP -MF $(DEPDIR)/sa_payload.Tpo -c -o sa_payload.lo `test -f 'encoding/payloads/sa_payload.c' || echo '$(srcdir)/'`encoding/payloads/sa_payload.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/sa_payload.Tpo $(DEPDIR)/sa_payload.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/sa_payload.c' object='sa_payload.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sa_payload.lo `test -f 'encoding/payloads/sa_payload.c' || echo '$(srcdir)/'`encoding/payloads/sa_payload.c
+
+traffic_selector_substructure.lo: encoding/payloads/traffic_selector_substructure.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT traffic_selector_substructure.lo -MD -MP -MF $(DEPDIR)/traffic_selector_substructure.Tpo -c -o traffic_selector_substructure.lo `test -f 'encoding/payloads/traffic_selector_substructure.c' || echo '$(srcdir)/'`encoding/payloads/traffic_selector_substructure.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/traffic_selector_substructure.Tpo $(DEPDIR)/traffic_selector_substructure.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/traffic_selector_substructure.c' object='traffic_selector_substructure.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o traffic_selector_substructure.lo `test -f 'encoding/payloads/traffic_selector_substructure.c' || echo '$(srcdir)/'`encoding/payloads/traffic_selector_substructure.c
+
+transform_attribute.lo: encoding/payloads/transform_attribute.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT transform_attribute.lo -MD -MP -MF $(DEPDIR)/transform_attribute.Tpo -c -o transform_attribute.lo `test -f 'encoding/payloads/transform_attribute.c' || echo '$(srcdir)/'`encoding/payloads/transform_attribute.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/transform_attribute.Tpo $(DEPDIR)/transform_attribute.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/transform_attribute.c' object='transform_attribute.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o transform_attribute.lo `test -f 'encoding/payloads/transform_attribute.c' || echo '$(srcdir)/'`encoding/payloads/transform_attribute.c
+
+transform_substructure.lo: encoding/payloads/transform_substructure.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT transform_substructure.lo -MD -MP -MF $(DEPDIR)/transform_substructure.Tpo -c -o transform_substructure.lo `test -f 'encoding/payloads/transform_substructure.c' || echo '$(srcdir)/'`encoding/payloads/transform_substructure.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/transform_substructure.Tpo $(DEPDIR)/transform_substructure.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/transform_substructure.c' object='transform_substructure.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o transform_substructure.lo `test -f 'encoding/payloads/transform_substructure.c' || echo '$(srcdir)/'`encoding/payloads/transform_substructure.c
+
+ts_payload.lo: encoding/payloads/ts_payload.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ts_payload.lo -MD -MP -MF $(DEPDIR)/ts_payload.Tpo -c -o ts_payload.lo `test -f 'encoding/payloads/ts_payload.c' || echo '$(srcdir)/'`encoding/payloads/ts_payload.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ts_payload.Tpo $(DEPDIR)/ts_payload.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/ts_payload.c' object='ts_payload.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ts_payload.lo `test -f 'encoding/payloads/ts_payload.c' || echo '$(srcdir)/'`encoding/payloads/ts_payload.c
+
+unknown_payload.lo: encoding/payloads/unknown_payload.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT unknown_payload.lo -MD -MP -MF $(DEPDIR)/unknown_payload.Tpo -c -o unknown_payload.lo `test -f 'encoding/payloads/unknown_payload.c' || echo '$(srcdir)/'`encoding/payloads/unknown_payload.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/unknown_payload.Tpo $(DEPDIR)/unknown_payload.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/unknown_payload.c' object='unknown_payload.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o unknown_payload.lo `test -f 'encoding/payloads/unknown_payload.c' || echo '$(srcdir)/'`encoding/payloads/unknown_payload.c
+
+vendor_id_payload.lo: encoding/payloads/vendor_id_payload.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT vendor_id_payload.lo -MD -MP -MF $(DEPDIR)/vendor_id_payload.Tpo -c -o vendor_id_payload.lo `test -f 'encoding/payloads/vendor_id_payload.c' || echo '$(srcdir)/'`encoding/payloads/vendor_id_payload.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/vendor_id_payload.Tpo $(DEPDIR)/vendor_id_payload.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/vendor_id_payload.c' object='vendor_id_payload.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o vendor_id_payload.lo `test -f 'encoding/payloads/vendor_id_payload.c' || echo '$(srcdir)/'`encoding/payloads/vendor_id_payload.c
+
+kernel_interface.lo: kernel/kernel_interface.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT kernel_interface.lo -MD -MP -MF $(DEPDIR)/kernel_interface.Tpo -c -o kernel_interface.lo `test -f 'kernel/kernel_interface.c' || echo '$(srcdir)/'`kernel/kernel_interface.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/kernel_interface.Tpo $(DEPDIR)/kernel_interface.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='kernel/kernel_interface.c' object='kernel_interface.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o kernel_interface.lo `test -f 'kernel/kernel_interface.c' || echo '$(srcdir)/'`kernel/kernel_interface.c
+
+kernel_ipsec.lo: kernel/kernel_ipsec.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT kernel_ipsec.lo -MD -MP -MF $(DEPDIR)/kernel_ipsec.Tpo -c -o kernel_ipsec.lo `test -f 'kernel/kernel_ipsec.c' || echo '$(srcdir)/'`kernel/kernel_ipsec.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/kernel_ipsec.Tpo $(DEPDIR)/kernel_ipsec.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='kernel/kernel_ipsec.c' object='kernel_ipsec.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o kernel_ipsec.lo `test -f 'kernel/kernel_ipsec.c' || echo '$(srcdir)/'`kernel/kernel_ipsec.c
+
+packet.lo: network/packet.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT packet.lo -MD -MP -MF $(DEPDIR)/packet.Tpo -c -o packet.lo `test -f 'network/packet.c' || echo '$(srcdir)/'`network/packet.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/packet.Tpo $(DEPDIR)/packet.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='network/packet.c' object='packet.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o packet.lo `test -f 'network/packet.c' || echo '$(srcdir)/'`network/packet.c
+
+receiver.lo: network/receiver.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT receiver.lo -MD -MP -MF $(DEPDIR)/receiver.Tpo -c -o receiver.lo `test -f 'network/receiver.c' || echo '$(srcdir)/'`network/receiver.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/receiver.Tpo $(DEPDIR)/receiver.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='network/receiver.c' object='receiver.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o receiver.lo `test -f 'network/receiver.c' || echo '$(srcdir)/'`network/receiver.c
+
+sender.lo: network/sender.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sender.lo -MD -MP -MF $(DEPDIR)/sender.Tpo -c -o sender.lo `test -f 'network/sender.c' || echo '$(srcdir)/'`network/sender.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/sender.Tpo $(DEPDIR)/sender.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='network/sender.c' object='sender.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sender.lo `test -f 'network/sender.c' || echo '$(srcdir)/'`network/sender.c
+
+socket_manager.lo: network/socket_manager.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT socket_manager.lo -MD -MP -MF $(DEPDIR)/socket_manager.Tpo -c -o socket_manager.lo `test -f 'network/socket_manager.c' || echo '$(srcdir)/'`network/socket_manager.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/socket_manager.Tpo $(DEPDIR)/socket_manager.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='network/socket_manager.c' object='socket_manager.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o socket_manager.lo `test -f 'network/socket_manager.c' || echo '$(srcdir)/'`network/socket_manager.c
+
+acquire_job.lo: processing/jobs/acquire_job.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT acquire_job.lo -MD -MP -MF $(DEPDIR)/acquire_job.Tpo -c -o acquire_job.lo `test -f 'processing/jobs/acquire_job.c' || echo '$(srcdir)/'`processing/jobs/acquire_job.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/acquire_job.Tpo $(DEPDIR)/acquire_job.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/acquire_job.c' object='acquire_job.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o acquire_job.lo `test -f 'processing/jobs/acquire_job.c' || echo '$(srcdir)/'`processing/jobs/acquire_job.c
+
+callback_job.lo: processing/jobs/callback_job.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT callback_job.lo -MD -MP -MF $(DEPDIR)/callback_job.Tpo -c -o callback_job.lo `test -f 'processing/jobs/callback_job.c' || echo '$(srcdir)/'`processing/jobs/callback_job.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/callback_job.Tpo $(DEPDIR)/callback_job.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/callback_job.c' object='callback_job.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o callback_job.lo `test -f 'processing/jobs/callback_job.c' || echo '$(srcdir)/'`processing/jobs/callback_job.c
+
+delete_child_sa_job.lo: processing/jobs/delete_child_sa_job.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT delete_child_sa_job.lo -MD -MP -MF $(DEPDIR)/delete_child_sa_job.Tpo -c -o delete_child_sa_job.lo `test -f 'processing/jobs/delete_child_sa_job.c' || echo '$(srcdir)/'`processing/jobs/delete_child_sa_job.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/delete_child_sa_job.Tpo $(DEPDIR)/delete_child_sa_job.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/delete_child_sa_job.c' object='delete_child_sa_job.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o delete_child_sa_job.lo `test -f 'processing/jobs/delete_child_sa_job.c' || echo '$(srcdir)/'`processing/jobs/delete_child_sa_job.c
+
+delete_ike_sa_job.lo: processing/jobs/delete_ike_sa_job.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT delete_ike_sa_job.lo -MD -MP -MF $(DEPDIR)/delete_ike_sa_job.Tpo -c -o delete_ike_sa_job.lo `test -f 'processing/jobs/delete_ike_sa_job.c' || echo '$(srcdir)/'`processing/jobs/delete_ike_sa_job.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/delete_ike_sa_job.Tpo $(DEPDIR)/delete_ike_sa_job.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/delete_ike_sa_job.c' object='delete_ike_sa_job.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o delete_ike_sa_job.lo `test -f 'processing/jobs/delete_ike_sa_job.c' || echo '$(srcdir)/'`processing/jobs/delete_ike_sa_job.c
+
+migrate_job.lo: processing/jobs/migrate_job.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT migrate_job.lo -MD -MP -MF $(DEPDIR)/migrate_job.Tpo -c -o migrate_job.lo `test -f 'processing/jobs/migrate_job.c' || echo '$(srcdir)/'`processing/jobs/migrate_job.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/migrate_job.Tpo $(DEPDIR)/migrate_job.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/migrate_job.c' object='migrate_job.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o migrate_job.lo `test -f 'processing/jobs/migrate_job.c' || echo '$(srcdir)/'`processing/jobs/migrate_job.c
+
+process_message_job.lo: processing/jobs/process_message_job.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT process_message_job.lo -MD -MP -MF $(DEPDIR)/process_message_job.Tpo -c -o process_message_job.lo `test -f 'processing/jobs/process_message_job.c' || echo '$(srcdir)/'`processing/jobs/process_message_job.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/process_message_job.Tpo $(DEPDIR)/process_message_job.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/process_message_job.c' object='process_message_job.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o process_message_job.lo `test -f 'processing/jobs/process_message_job.c' || echo '$(srcdir)/'`processing/jobs/process_message_job.c
+
+rekey_child_sa_job.lo: processing/jobs/rekey_child_sa_job.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rekey_child_sa_job.lo -MD -MP -MF $(DEPDIR)/rekey_child_sa_job.Tpo -c -o rekey_child_sa_job.lo `test -f 'processing/jobs/rekey_child_sa_job.c' || echo '$(srcdir)/'`processing/jobs/rekey_child_sa_job.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/rekey_child_sa_job.Tpo $(DEPDIR)/rekey_child_sa_job.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/rekey_child_sa_job.c' object='rekey_child_sa_job.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rekey_child_sa_job.lo `test -f 'processing/jobs/rekey_child_sa_job.c' || echo '$(srcdir)/'`processing/jobs/rekey_child_sa_job.c
+
+rekey_ike_sa_job.lo: processing/jobs/rekey_ike_sa_job.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rekey_ike_sa_job.lo -MD -MP -MF $(DEPDIR)/rekey_ike_sa_job.Tpo -c -o rekey_ike_sa_job.lo `test -f 'processing/jobs/rekey_ike_sa_job.c' || echo '$(srcdir)/'`processing/jobs/rekey_ike_sa_job.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/rekey_ike_sa_job.Tpo $(DEPDIR)/rekey_ike_sa_job.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/rekey_ike_sa_job.c' object='rekey_ike_sa_job.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rekey_ike_sa_job.lo `test -f 'processing/jobs/rekey_ike_sa_job.c' || echo '$(srcdir)/'`processing/jobs/rekey_ike_sa_job.c
+
+retransmit_job.lo: processing/jobs/retransmit_job.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT retransmit_job.lo -MD -MP -MF $(DEPDIR)/retransmit_job.Tpo -c -o retransmit_job.lo `test -f 'processing/jobs/retransmit_job.c' || echo '$(srcdir)/'`processing/jobs/retransmit_job.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/retransmit_job.Tpo $(DEPDIR)/retransmit_job.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/retransmit_job.c' object='retransmit_job.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o retransmit_job.lo `test -f 'processing/jobs/retransmit_job.c' || echo '$(srcdir)/'`processing/jobs/retransmit_job.c
+
+send_dpd_job.lo: processing/jobs/send_dpd_job.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT send_dpd_job.lo -MD -MP -MF $(DEPDIR)/send_dpd_job.Tpo -c -o send_dpd_job.lo `test -f 'processing/jobs/send_dpd_job.c' || echo '$(srcdir)/'`processing/jobs/send_dpd_job.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/send_dpd_job.Tpo $(DEPDIR)/send_dpd_job.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/send_dpd_job.c' object='send_dpd_job.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o send_dpd_job.lo `test -f 'processing/jobs/send_dpd_job.c' || echo '$(srcdir)/'`processing/jobs/send_dpd_job.c
+
+send_keepalive_job.lo: processing/jobs/send_keepalive_job.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT send_keepalive_job.lo -MD -MP -MF $(DEPDIR)/send_keepalive_job.Tpo -c -o send_keepalive_job.lo `test -f 'processing/jobs/send_keepalive_job.c' || echo '$(srcdir)/'`processing/jobs/send_keepalive_job.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/send_keepalive_job.Tpo $(DEPDIR)/send_keepalive_job.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/send_keepalive_job.c' object='send_keepalive_job.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o send_keepalive_job.lo `test -f 'processing/jobs/send_keepalive_job.c' || echo '$(srcdir)/'`processing/jobs/send_keepalive_job.c
+
+roam_job.lo: processing/jobs/roam_job.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT roam_job.lo -MD -MP -MF $(DEPDIR)/roam_job.Tpo -c -o roam_job.lo `test -f 'processing/jobs/roam_job.c' || echo '$(srcdir)/'`processing/jobs/roam_job.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/roam_job.Tpo $(DEPDIR)/roam_job.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/roam_job.c' object='roam_job.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o roam_job.lo `test -f 'processing/jobs/roam_job.c' || echo '$(srcdir)/'`processing/jobs/roam_job.c
+
+update_sa_job.lo: processing/jobs/update_sa_job.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT update_sa_job.lo -MD -MP -MF $(DEPDIR)/update_sa_job.Tpo -c -o update_sa_job.lo `test -f 'processing/jobs/update_sa_job.c' || echo '$(srcdir)/'`processing/jobs/update_sa_job.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/update_sa_job.Tpo $(DEPDIR)/update_sa_job.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/update_sa_job.c' object='update_sa_job.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o update_sa_job.lo `test -f 'processing/jobs/update_sa_job.c' || echo '$(srcdir)/'`processing/jobs/update_sa_job.c
+
+inactivity_job.lo: processing/jobs/inactivity_job.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT inactivity_job.lo -MD -MP -MF $(DEPDIR)/inactivity_job.Tpo -c -o inactivity_job.lo `test -f 'processing/jobs/inactivity_job.c' || echo '$(srcdir)/'`processing/jobs/inactivity_job.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/inactivity_job.Tpo $(DEPDIR)/inactivity_job.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/inactivity_job.c' object='inactivity_job.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o inactivity_job.lo `test -f 'processing/jobs/inactivity_job.c' || echo '$(srcdir)/'`processing/jobs/inactivity_job.c
+
+scheduler.lo: processing/scheduler.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT scheduler.lo -MD -MP -MF $(DEPDIR)/scheduler.Tpo -c -o scheduler.lo `test -f 'processing/scheduler.c' || echo '$(srcdir)/'`processing/scheduler.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/scheduler.Tpo $(DEPDIR)/scheduler.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/scheduler.c' object='scheduler.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o scheduler.lo `test -f 'processing/scheduler.c' || echo '$(srcdir)/'`processing/scheduler.c
+
+processor.lo: processing/processor.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT processor.lo -MD -MP -MF $(DEPDIR)/processor.Tpo -c -o processor.lo `test -f 'processing/processor.c' || echo '$(srcdir)/'`processing/processor.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/processor.Tpo $(DEPDIR)/processor.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/processor.c' object='processor.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o processor.lo `test -f 'processing/processor.c' || echo '$(srcdir)/'`processing/processor.c
+
+authenticator.lo: sa/authenticators/authenticator.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT authenticator.lo -MD -MP -MF $(DEPDIR)/authenticator.Tpo -c -o authenticator.lo `test -f 'sa/authenticators/authenticator.c' || echo '$(srcdir)/'`sa/authenticators/authenticator.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/authenticator.Tpo $(DEPDIR)/authenticator.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/authenticators/authenticator.c' object='authenticator.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o authenticator.lo `test -f 'sa/authenticators/authenticator.c' || echo '$(srcdir)/'`sa/authenticators/authenticator.c
+
+eap_authenticator.lo: sa/authenticators/eap_authenticator.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT eap_authenticator.lo -MD -MP -MF $(DEPDIR)/eap_authenticator.Tpo -c -o eap_authenticator.lo `test -f 'sa/authenticators/eap_authenticator.c' || echo '$(srcdir)/'`sa/authenticators/eap_authenticator.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/eap_authenticator.Tpo $(DEPDIR)/eap_authenticator.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/authenticators/eap_authenticator.c' object='eap_authenticator.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o eap_authenticator.lo `test -f 'sa/authenticators/eap_authenticator.c' || echo '$(srcdir)/'`sa/authenticators/eap_authenticator.c
+
+eap_method.lo: sa/authenticators/eap/eap_method.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT eap_method.lo -MD -MP -MF $(DEPDIR)/eap_method.Tpo -c -o eap_method.lo `test -f 'sa/authenticators/eap/eap_method.c' || echo '$(srcdir)/'`sa/authenticators/eap/eap_method.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/eap_method.Tpo $(DEPDIR)/eap_method.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/authenticators/eap/eap_method.c' object='eap_method.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o eap_method.lo `test -f 'sa/authenticators/eap/eap_method.c' || echo '$(srcdir)/'`sa/authenticators/eap/eap_method.c
+
+eap_manager.lo: sa/authenticators/eap/eap_manager.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT eap_manager.lo -MD -MP -MF $(DEPDIR)/eap_manager.Tpo -c -o eap_manager.lo `test -f 'sa/authenticators/eap/eap_manager.c' || echo '$(srcdir)/'`sa/authenticators/eap/eap_manager.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/eap_manager.Tpo $(DEPDIR)/eap_manager.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/authenticators/eap/eap_manager.c' object='eap_manager.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o eap_manager.lo `test -f 'sa/authenticators/eap/eap_manager.c' || echo '$(srcdir)/'`sa/authenticators/eap/eap_manager.c
+
+sim_manager.lo: sa/authenticators/eap/sim_manager.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sim_manager.lo -MD -MP -MF $(DEPDIR)/sim_manager.Tpo -c -o sim_manager.lo `test -f 'sa/authenticators/eap/sim_manager.c' || echo '$(srcdir)/'`sa/authenticators/eap/sim_manager.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/sim_manager.Tpo $(DEPDIR)/sim_manager.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/authenticators/eap/sim_manager.c' object='sim_manager.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sim_manager.lo `test -f 'sa/authenticators/eap/sim_manager.c' || echo '$(srcdir)/'`sa/authenticators/eap/sim_manager.c
+
+psk_authenticator.lo: sa/authenticators/psk_authenticator.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT psk_authenticator.lo -MD -MP -MF $(DEPDIR)/psk_authenticator.Tpo -c -o psk_authenticator.lo `test -f 'sa/authenticators/psk_authenticator.c' || echo '$(srcdir)/'`sa/authenticators/psk_authenticator.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/psk_authenticator.Tpo $(DEPDIR)/psk_authenticator.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/authenticators/psk_authenticator.c' object='psk_authenticator.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o psk_authenticator.lo `test -f 'sa/authenticators/psk_authenticator.c' || echo '$(srcdir)/'`sa/authenticators/psk_authenticator.c
+
+pubkey_authenticator.lo: sa/authenticators/pubkey_authenticator.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pubkey_authenticator.lo -MD -MP -MF $(DEPDIR)/pubkey_authenticator.Tpo -c -o pubkey_authenticator.lo `test -f 'sa/authenticators/pubkey_authenticator.c' || echo '$(srcdir)/'`sa/authenticators/pubkey_authenticator.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/pubkey_authenticator.Tpo $(DEPDIR)/pubkey_authenticator.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/authenticators/pubkey_authenticator.c' object='pubkey_authenticator.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pubkey_authenticator.lo `test -f 'sa/authenticators/pubkey_authenticator.c' || echo '$(srcdir)/'`sa/authenticators/pubkey_authenticator.c
+
+child_sa.lo: sa/child_sa.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT child_sa.lo -MD -MP -MF $(DEPDIR)/child_sa.Tpo -c -o child_sa.lo `test -f 'sa/child_sa.c' || echo '$(srcdir)/'`sa/child_sa.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/child_sa.Tpo $(DEPDIR)/child_sa.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/child_sa.c' object='child_sa.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o child_sa.lo `test -f 'sa/child_sa.c' || echo '$(srcdir)/'`sa/child_sa.c
+
+ike_sa.lo: sa/ike_sa.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_sa.lo -MD -MP -MF $(DEPDIR)/ike_sa.Tpo -c -o ike_sa.lo `test -f 'sa/ike_sa.c' || echo '$(srcdir)/'`sa/ike_sa.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_sa.Tpo $(DEPDIR)/ike_sa.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/ike_sa.c' object='ike_sa.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_sa.lo `test -f 'sa/ike_sa.c' || echo '$(srcdir)/'`sa/ike_sa.c
+
+ike_sa_id.lo: sa/ike_sa_id.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_sa_id.lo -MD -MP -MF $(DEPDIR)/ike_sa_id.Tpo -c -o ike_sa_id.lo `test -f 'sa/ike_sa_id.c' || echo '$(srcdir)/'`sa/ike_sa_id.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_sa_id.Tpo $(DEPDIR)/ike_sa_id.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/ike_sa_id.c' object='ike_sa_id.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_sa_id.lo `test -f 'sa/ike_sa_id.c' || echo '$(srcdir)/'`sa/ike_sa_id.c
+
+ike_sa_manager.lo: sa/ike_sa_manager.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_sa_manager.lo -MD -MP -MF $(DEPDIR)/ike_sa_manager.Tpo -c -o ike_sa_manager.lo `test -f 'sa/ike_sa_manager.c' || echo '$(srcdir)/'`sa/ike_sa_manager.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_sa_manager.Tpo $(DEPDIR)/ike_sa_manager.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/ike_sa_manager.c' object='ike_sa_manager.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_sa_manager.lo `test -f 'sa/ike_sa_manager.c' || echo '$(srcdir)/'`sa/ike_sa_manager.c
+
+task_manager.lo: sa/task_manager.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT task_manager.lo -MD -MP -MF $(DEPDIR)/task_manager.Tpo -c -o task_manager.lo `test -f 'sa/task_manager.c' || echo '$(srcdir)/'`sa/task_manager.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/task_manager.Tpo $(DEPDIR)/task_manager.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/task_manager.c' object='task_manager.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o task_manager.lo `test -f 'sa/task_manager.c' || echo '$(srcdir)/'`sa/task_manager.c
+
+keymat.lo: sa/keymat.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT keymat.lo -MD -MP -MF $(DEPDIR)/keymat.Tpo -c -o keymat.lo `test -f 'sa/keymat.c' || echo '$(srcdir)/'`sa/keymat.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/keymat.Tpo $(DEPDIR)/keymat.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/keymat.c' object='keymat.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o keymat.lo `test -f 'sa/keymat.c' || echo '$(srcdir)/'`sa/keymat.c
+
+trap_manager.lo: sa/trap_manager.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT trap_manager.lo -MD -MP -MF $(DEPDIR)/trap_manager.Tpo -c -o trap_manager.lo `test -f 'sa/trap_manager.c' || echo '$(srcdir)/'`sa/trap_manager.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/trap_manager.Tpo $(DEPDIR)/trap_manager.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/trap_manager.c' object='trap_manager.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o trap_manager.lo `test -f 'sa/trap_manager.c' || echo '$(srcdir)/'`sa/trap_manager.c
+
+child_create.lo: sa/tasks/child_create.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT child_create.lo -MD -MP -MF $(DEPDIR)/child_create.Tpo -c -o child_create.lo `test -f 'sa/tasks/child_create.c' || echo '$(srcdir)/'`sa/tasks/child_create.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/child_create.Tpo $(DEPDIR)/child_create.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/child_create.c' object='child_create.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o child_create.lo `test -f 'sa/tasks/child_create.c' || echo '$(srcdir)/'`sa/tasks/child_create.c
+
+child_delete.lo: sa/tasks/child_delete.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT child_delete.lo -MD -MP -MF $(DEPDIR)/child_delete.Tpo -c -o child_delete.lo `test -f 'sa/tasks/child_delete.c' || echo '$(srcdir)/'`sa/tasks/child_delete.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/child_delete.Tpo $(DEPDIR)/child_delete.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/child_delete.c' object='child_delete.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o child_delete.lo `test -f 'sa/tasks/child_delete.c' || echo '$(srcdir)/'`sa/tasks/child_delete.c
+
+child_rekey.lo: sa/tasks/child_rekey.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT child_rekey.lo -MD -MP -MF $(DEPDIR)/child_rekey.Tpo -c -o child_rekey.lo `test -f 'sa/tasks/child_rekey.c' || echo '$(srcdir)/'`sa/tasks/child_rekey.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/child_rekey.Tpo $(DEPDIR)/child_rekey.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/child_rekey.c' object='child_rekey.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o child_rekey.lo `test -f 'sa/tasks/child_rekey.c' || echo '$(srcdir)/'`sa/tasks/child_rekey.c
+
+ike_auth.lo: sa/tasks/ike_auth.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_auth.lo -MD -MP -MF $(DEPDIR)/ike_auth.Tpo -c -o ike_auth.lo `test -f 'sa/tasks/ike_auth.c' || echo '$(srcdir)/'`sa/tasks/ike_auth.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_auth.Tpo $(DEPDIR)/ike_auth.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/ike_auth.c' object='ike_auth.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_auth.lo `test -f 'sa/tasks/ike_auth.c' || echo '$(srcdir)/'`sa/tasks/ike_auth.c
+
+ike_cert_pre.lo: sa/tasks/ike_cert_pre.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_cert_pre.lo -MD -MP -MF $(DEPDIR)/ike_cert_pre.Tpo -c -o ike_cert_pre.lo `test -f 'sa/tasks/ike_cert_pre.c' || echo '$(srcdir)/'`sa/tasks/ike_cert_pre.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_cert_pre.Tpo $(DEPDIR)/ike_cert_pre.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/ike_cert_pre.c' object='ike_cert_pre.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_cert_pre.lo `test -f 'sa/tasks/ike_cert_pre.c' || echo '$(srcdir)/'`sa/tasks/ike_cert_pre.c
+
+ike_cert_post.lo: sa/tasks/ike_cert_post.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_cert_post.lo -MD -MP -MF $(DEPDIR)/ike_cert_post.Tpo -c -o ike_cert_post.lo `test -f 'sa/tasks/ike_cert_post.c' || echo '$(srcdir)/'`sa/tasks/ike_cert_post.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_cert_post.Tpo $(DEPDIR)/ike_cert_post.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/ike_cert_post.c' object='ike_cert_post.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_cert_post.lo `test -f 'sa/tasks/ike_cert_post.c' || echo '$(srcdir)/'`sa/tasks/ike_cert_post.c
+
+ike_config.lo: sa/tasks/ike_config.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_config.lo -MD -MP -MF $(DEPDIR)/ike_config.Tpo -c -o ike_config.lo `test -f 'sa/tasks/ike_config.c' || echo '$(srcdir)/'`sa/tasks/ike_config.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_config.Tpo $(DEPDIR)/ike_config.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/ike_config.c' object='ike_config.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_config.lo `test -f 'sa/tasks/ike_config.c' || echo '$(srcdir)/'`sa/tasks/ike_config.c
+
+ike_delete.lo: sa/tasks/ike_delete.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_delete.lo -MD -MP -MF $(DEPDIR)/ike_delete.Tpo -c -o ike_delete.lo `test -f 'sa/tasks/ike_delete.c' || echo '$(srcdir)/'`sa/tasks/ike_delete.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_delete.Tpo $(DEPDIR)/ike_delete.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/ike_delete.c' object='ike_delete.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_delete.lo `test -f 'sa/tasks/ike_delete.c' || echo '$(srcdir)/'`sa/tasks/ike_delete.c
+
+ike_dpd.lo: sa/tasks/ike_dpd.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_dpd.lo -MD -MP -MF $(DEPDIR)/ike_dpd.Tpo -c -o ike_dpd.lo `test -f 'sa/tasks/ike_dpd.c' || echo '$(srcdir)/'`sa/tasks/ike_dpd.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_dpd.Tpo $(DEPDIR)/ike_dpd.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/ike_dpd.c' object='ike_dpd.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_dpd.lo `test -f 'sa/tasks/ike_dpd.c' || echo '$(srcdir)/'`sa/tasks/ike_dpd.c
+
+ike_init.lo: sa/tasks/ike_init.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_init.lo -MD -MP -MF $(DEPDIR)/ike_init.Tpo -c -o ike_init.lo `test -f 'sa/tasks/ike_init.c' || echo '$(srcdir)/'`sa/tasks/ike_init.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_init.Tpo $(DEPDIR)/ike_init.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/ike_init.c' object='ike_init.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_init.lo `test -f 'sa/tasks/ike_init.c' || echo '$(srcdir)/'`sa/tasks/ike_init.c
+
+ike_natd.lo: sa/tasks/ike_natd.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_natd.lo -MD -MP -MF $(DEPDIR)/ike_natd.Tpo -c -o ike_natd.lo `test -f 'sa/tasks/ike_natd.c' || echo '$(srcdir)/'`sa/tasks/ike_natd.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_natd.Tpo $(DEPDIR)/ike_natd.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/ike_natd.c' object='ike_natd.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_natd.lo `test -f 'sa/tasks/ike_natd.c' || echo '$(srcdir)/'`sa/tasks/ike_natd.c
+
+ike_mobike.lo: sa/tasks/ike_mobike.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_mobike.lo -MD -MP -MF $(DEPDIR)/ike_mobike.Tpo -c -o ike_mobike.lo `test -f 'sa/tasks/ike_mobike.c' || echo '$(srcdir)/'`sa/tasks/ike_mobike.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_mobike.Tpo $(DEPDIR)/ike_mobike.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/ike_mobike.c' object='ike_mobike.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_mobike.lo `test -f 'sa/tasks/ike_mobike.c' || echo '$(srcdir)/'`sa/tasks/ike_mobike.c
+
+ike_rekey.lo: sa/tasks/ike_rekey.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_rekey.lo -MD -MP -MF $(DEPDIR)/ike_rekey.Tpo -c -o ike_rekey.lo `test -f 'sa/tasks/ike_rekey.c' || echo '$(srcdir)/'`sa/tasks/ike_rekey.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_rekey.Tpo $(DEPDIR)/ike_rekey.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/ike_rekey.c' object='ike_rekey.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_rekey.lo `test -f 'sa/tasks/ike_rekey.c' || echo '$(srcdir)/'`sa/tasks/ike_rekey.c
+
+ike_reauth.lo: sa/tasks/ike_reauth.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_reauth.lo -MD -MP -MF $(DEPDIR)/ike_reauth.Tpo -c -o ike_reauth.lo `test -f 'sa/tasks/ike_reauth.c' || echo '$(srcdir)/'`sa/tasks/ike_reauth.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_reauth.Tpo $(DEPDIR)/ike_reauth.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/ike_reauth.c' object='ike_reauth.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_reauth.lo `test -f 'sa/tasks/ike_reauth.c' || echo '$(srcdir)/'`sa/tasks/ike_reauth.c
+
+ike_auth_lifetime.lo: sa/tasks/ike_auth_lifetime.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_auth_lifetime.lo -MD -MP -MF $(DEPDIR)/ike_auth_lifetime.Tpo -c -o ike_auth_lifetime.lo `test -f 'sa/tasks/ike_auth_lifetime.c' || echo '$(srcdir)/'`sa/tasks/ike_auth_lifetime.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_auth_lifetime.Tpo $(DEPDIR)/ike_auth_lifetime.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/ike_auth_lifetime.c' object='ike_auth_lifetime.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_auth_lifetime.lo `test -f 'sa/tasks/ike_auth_lifetime.c' || echo '$(srcdir)/'`sa/tasks/ike_auth_lifetime.c
+
+ike_vendor.lo: sa/tasks/ike_vendor.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_vendor.lo -MD -MP -MF $(DEPDIR)/ike_vendor.Tpo -c -o ike_vendor.lo `test -f 'sa/tasks/ike_vendor.c' || echo '$(srcdir)/'`sa/tasks/ike_vendor.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_vendor.Tpo $(DEPDIR)/ike_vendor.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/ike_vendor.c' object='ike_vendor.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_vendor.lo `test -f 'sa/tasks/ike_vendor.c' || echo '$(srcdir)/'`sa/tasks/ike_vendor.c
+
+task.lo: sa/tasks/task.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT task.lo -MD -MP -MF $(DEPDIR)/task.Tpo -c -o task.lo `test -f 'sa/tasks/task.c' || echo '$(srcdir)/'`sa/tasks/task.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/task.Tpo $(DEPDIR)/task.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/task.c' object='task.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o task.lo `test -f 'sa/tasks/task.c' || echo '$(srcdir)/'`sa/tasks/task.c
+
+credential_manager.lo: credentials/credential_manager.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT credential_manager.lo -MD -MP -MF $(DEPDIR)/credential_manager.Tpo -c -o credential_manager.lo `test -f 'credentials/credential_manager.c' || echo '$(srcdir)/'`credentials/credential_manager.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/credential_manager.Tpo $(DEPDIR)/credential_manager.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='credentials/credential_manager.c' object='credential_manager.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o credential_manager.lo `test -f 'credentials/credential_manager.c' || echo '$(srcdir)/'`credentials/credential_manager.c
+
+auth_cfg_wrapper.lo: credentials/sets/auth_cfg_wrapper.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT auth_cfg_wrapper.lo -MD -MP -MF $(DEPDIR)/auth_cfg_wrapper.Tpo -c -o auth_cfg_wrapper.lo `test -f 'credentials/sets/auth_cfg_wrapper.c' || echo '$(srcdir)/'`credentials/sets/auth_cfg_wrapper.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/auth_cfg_wrapper.Tpo $(DEPDIR)/auth_cfg_wrapper.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='credentials/sets/auth_cfg_wrapper.c' object='auth_cfg_wrapper.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o auth_cfg_wrapper.lo `test -f 'credentials/sets/auth_cfg_wrapper.c' || echo '$(srcdir)/'`credentials/sets/auth_cfg_wrapper.c
+
+ocsp_response_wrapper.lo: credentials/sets/ocsp_response_wrapper.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ocsp_response_wrapper.lo -MD -MP -MF $(DEPDIR)/ocsp_response_wrapper.Tpo -c -o ocsp_response_wrapper.lo `test -f 'credentials/sets/ocsp_response_wrapper.c' || echo '$(srcdir)/'`credentials/sets/ocsp_response_wrapper.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ocsp_response_wrapper.Tpo $(DEPDIR)/ocsp_response_wrapper.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='credentials/sets/ocsp_response_wrapper.c' object='ocsp_response_wrapper.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ocsp_response_wrapper.lo `test -f 'credentials/sets/ocsp_response_wrapper.c' || echo '$(srcdir)/'`credentials/sets/ocsp_response_wrapper.c
+
+cert_cache.lo: credentials/sets/cert_cache.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cert_cache.lo -MD -MP -MF $(DEPDIR)/cert_cache.Tpo -c -o cert_cache.lo `test -f 'credentials/sets/cert_cache.c' || echo '$(srcdir)/'`credentials/sets/cert_cache.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/cert_cache.Tpo $(DEPDIR)/cert_cache.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='credentials/sets/cert_cache.c' object='cert_cache.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cert_cache.lo `test -f 'credentials/sets/cert_cache.c' || echo '$(srcdir)/'`credentials/sets/cert_cache.c
+
+endpoint_notify.lo: encoding/payloads/endpoint_notify.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT endpoint_notify.lo -MD -MP -MF $(DEPDIR)/endpoint_notify.Tpo -c -o endpoint_notify.lo `test -f 'encoding/payloads/endpoint_notify.c' || echo '$(srcdir)/'`encoding/payloads/endpoint_notify.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/endpoint_notify.Tpo $(DEPDIR)/endpoint_notify.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/endpoint_notify.c' object='endpoint_notify.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o endpoint_notify.lo `test -f 'encoding/payloads/endpoint_notify.c' || echo '$(srcdir)/'`encoding/payloads/endpoint_notify.c
+
+initiate_mediation_job.lo: processing/jobs/initiate_mediation_job.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT initiate_mediation_job.lo -MD -MP -MF $(DEPDIR)/initiate_mediation_job.Tpo -c -o initiate_mediation_job.lo `test -f 'processing/jobs/initiate_mediation_job.c' || echo '$(srcdir)/'`processing/jobs/initiate_mediation_job.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/initiate_mediation_job.Tpo $(DEPDIR)/initiate_mediation_job.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/initiate_mediation_job.c' object='initiate_mediation_job.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o initiate_mediation_job.lo `test -f 'processing/jobs/initiate_mediation_job.c' || echo '$(srcdir)/'`processing/jobs/initiate_mediation_job.c
+
+mediation_job.lo: processing/jobs/mediation_job.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT mediation_job.lo -MD -MP -MF $(DEPDIR)/mediation_job.Tpo -c -o mediation_job.lo `test -f 'processing/jobs/mediation_job.c' || echo '$(srcdir)/'`processing/jobs/mediation_job.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/mediation_job.Tpo $(DEPDIR)/mediation_job.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/mediation_job.c' object='mediation_job.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o mediation_job.lo `test -f 'processing/jobs/mediation_job.c' || echo '$(srcdir)/'`processing/jobs/mediation_job.c
+
+connect_manager.lo: sa/connect_manager.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT connect_manager.lo -MD -MP -MF $(DEPDIR)/connect_manager.Tpo -c -o connect_manager.lo `test -f 'sa/connect_manager.c' || echo '$(srcdir)/'`sa/connect_manager.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/connect_manager.Tpo $(DEPDIR)/connect_manager.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/connect_manager.c' object='connect_manager.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o connect_manager.lo `test -f 'sa/connect_manager.c' || echo '$(srcdir)/'`sa/connect_manager.c
+
+mediation_manager.lo: sa/mediation_manager.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT mediation_manager.lo -MD -MP -MF $(DEPDIR)/mediation_manager.Tpo -c -o mediation_manager.lo `test -f 'sa/mediation_manager.c' || echo '$(srcdir)/'`sa/mediation_manager.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/mediation_manager.Tpo $(DEPDIR)/mediation_manager.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/mediation_manager.c' object='mediation_manager.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o mediation_manager.lo `test -f 'sa/mediation_manager.c' || echo '$(srcdir)/'`sa/mediation_manager.c
+
+ike_me.lo: sa/tasks/ike_me.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_me.lo -MD -MP -MF $(DEPDIR)/ike_me.Tpo -c -o ike_me.lo `test -f 'sa/tasks/ike_me.c' || echo '$(srcdir)/'`sa/tasks/ike_me.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_me.Tpo $(DEPDIR)/ike_me.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/ike_me.c' object='ike_me.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_me.lo `test -f 'sa/tasks/ike_me.c' || echo '$(srcdir)/'`sa/tasks/ike_me.c
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+# This directory's subdirectories are mostly independent; you can cd
+# into them and run `make' without going through this Makefile.
+# To change the values of `make' variables: instead of editing Makefiles,
+# (1) if the variable is set in `config.status', edit `config.status'
+#     (which will cause the Makefiles to be regenerated when you run `make');
+# (2) otherwise, pass the desired values on the `make' command line.
+$(RECURSIVE_TARGETS):
+	@failcom='exit 1'; \
+	for f in x $$MAKEFLAGS; do \
+	  case $$f in \
+	    *=* | --[!k]*);; \
+	    *k*) failcom='fail=yes';; \
+	  esac; \
+	done; \
+	dot_seen=no; \
+	target=`echo $@ | sed s/-recursive//`; \
+	list='$(SUBDIRS)'; for subdir in $$list; do \
+	  echo "Making $$target in $$subdir"; \
+	  if test "$$subdir" = "."; then \
+	    dot_seen=yes; \
+	    local_target="$$target-am"; \
+	  else \
+	    local_target="$$target"; \
+	  fi; \
+	  ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
+	  || eval $$failcom; \
+	done; \
+	if test "$$dot_seen" = "no"; then \
+	  $(MAKE) $(AM_MAKEFLAGS) "$$target-am" || exit 1; \
+	fi; test -z "$$fail"
+
+$(RECURSIVE_CLEAN_TARGETS):
+	@failcom='exit 1'; \
+	for f in x $$MAKEFLAGS; do \
+	  case $$f in \
+	    *=* | --[!k]*);; \
+	    *k*) failcom='fail=yes';; \
+	  esac; \
+	done; \
+	dot_seen=no; \
+	case "$@" in \
+	  distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \
+	  *) list='$(SUBDIRS)' ;; \
+	esac; \
+	rev=''; for subdir in $$list; do \
+	  if test "$$subdir" = "."; then :; else \
+	    rev="$$subdir $$rev"; \
+	  fi; \
+	done; \
+	rev="$$rev ."; \
+	target=`echo $@ | sed s/-recursive//`; \
+	for subdir in $$rev; do \
+	  echo "Making $$target in $$subdir"; \
+	  if test "$$subdir" = "."; then \
+	    local_target="$$target-am"; \
+	  else \
+	    local_target="$$target"; \
+	  fi; \
+	  ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
+	  || eval $$failcom; \
+	done && test -z "$$fail"
+tags-recursive:
+	list='$(SUBDIRS)'; for subdir in $$list; do \
+	  test "$$subdir" = . || ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) tags); \
+	done
+ctags-recursive:
+	list='$(SUBDIRS)'; for subdir in $$list; do \
+	  test "$$subdir" = . || ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) ctags); \
+	done
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS: tags-recursive $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	if ($(ETAGS) --etags-include --version) >/dev/null 2>&1; then \
+	  include_option=--etags-include; \
+	  empty_fix=.; \
+	else \
+	  include_option=--include; \
+	  empty_fix=; \
+	fi; \
+	list='$(SUBDIRS)'; for subdir in $$list; do \
+	  if test "$$subdir" = .; then :; else \
+	    test ! -f $$subdir/TAGS || \
+	      set "$$@" "$$include_option=$$here/$$subdir/TAGS"; \
+	  fi; \
+	done; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS: ctags-recursive $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+	@list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
+	  if test "$$subdir" = .; then :; else \
+	    test -d "$(distdir)/$$subdir" \
+	    || $(MKDIR_P) "$(distdir)/$$subdir" \
+	    || exit 1; \
+	  fi; \
+	done
+	@list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
+	  if test "$$subdir" = .; then :; else \
+	    dir1=$$subdir; dir2="$(distdir)/$$subdir"; \
+	    $(am__relativize); \
+	    new_distdir=$$reldir; \
+	    dir1=$$subdir; dir2="$(top_distdir)"; \
+	    $(am__relativize); \
+	    new_top_distdir=$$reldir; \
+	    echo " (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) top_distdir="$$new_top_distdir" distdir="$$new_distdir" \\"; \
+	    echo "     am__remove_distdir=: am__skip_length_check=: am__skip_mode_fix=: distdir)"; \
+	    ($(am__cd) $$subdir && \
+	      $(MAKE) $(AM_MAKEFLAGS) \
+	        top_distdir="$$new_top_distdir" \
+	        distdir="$$new_distdir" \
+		am__remove_distdir=: \
+		am__skip_length_check=: \
+		am__skip_mode_fix=: \
+	        distdir) \
+	      || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-recursive
+all-am: Makefile $(LTLIBRARIES)
+installdirs: installdirs-recursive
+installdirs-am:
+	for dir in "$(DESTDIR)$(libdir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-recursive
+install-exec: install-exec-recursive
+install-data: install-data-recursive
+uninstall: uninstall-recursive
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-recursive
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-recursive
+
+clean-am: clean-generic clean-libLTLIBRARIES clean-libtool \
+	mostlyclean-am
+
+distclean: distclean-recursive
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-recursive
+
+dvi-am:
+
+html: html-recursive
+
+html-am:
+
+info: info-recursive
+
+info-am:
+
+install-data-am:
+
+install-dvi: install-dvi-recursive
+
+install-dvi-am:
+
+install-exec-am: install-libLTLIBRARIES
+
+install-html: install-html-recursive
+
+install-html-am:
+
+install-info: install-info-recursive
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-recursive
+
+install-pdf-am:
+
+install-ps: install-ps-recursive
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-recursive
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-recursive
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-recursive
+
+pdf-am:
+
+ps: ps-recursive
+
+ps-am:
+
+uninstall-am: uninstall-libLTLIBRARIES
+
+.MAKE: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) ctags-recursive \
+	install-am install-strip tags-recursive
+
+.PHONY: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) CTAGS GTAGS \
+	all all-am check check-am clean clean-generic \
+	clean-libLTLIBRARIES clean-libtool ctags ctags-recursive \
+	distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-libLTLIBRARIES install-man install-pdf \
+	install-pdf-am install-ps install-ps-am install-strip \
+	installcheck installcheck-am installdirs installdirs-am \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags tags-recursive uninstall uninstall-am \
+	uninstall-libLTLIBRARIES
+
+
+daemon.lo :		$(top_builddir)/config.status
+
+@MONOLITHIC_TRUE@@USE_SIMAKA_TRUE@  # otherwise this library is linked to both the eap_aka and the eap_sim plugin
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libcharon/bus/bus.c b/src/libcharon/bus/bus.c
new file mode 100644
index 000000000..764744a41
--- /dev/null
+++ b/src/libcharon/bus/bus.c
@@ -0,0 +1,727 @@
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "bus.h"
+
+#include <stdint.h>
+
+#include <daemon.h>
+#include <threading/thread.h>
+#include <threading/thread_value.h>
+#include <threading/condvar.h>
+#include <threading/mutex.h>
+
+typedef struct private_bus_t private_bus_t;
+
+/**
+ * Private data of a bus_t object.
+ */
+struct private_bus_t {
+	/**
+	 * Public part of a bus_t object.
+	 */
+	bus_t public;
+
+	/**
+	 * List of registered listeners as entry_t's
+	 */
+	linked_list_t *listeners;
+
+	/**
+	 * mutex to synchronize active listeners, recursively
+	 */
+	mutex_t *mutex;
+
+	/**
+	 * Thread local storage the threads IKE_SA
+	 */
+	thread_value_t *thread_sa;
+};
+
+typedef struct entry_t entry_t;
+
+/**
+ * a listener entry, either active or passive
+ */
+struct entry_t {
+
+	/**
+	 * registered listener interface
+	 */
+	listener_t *listener;
+
+	/**
+	 * is this a active listen() call with a blocking thread
+	 */
+	bool blocker;
+
+	/**
+	 * are we currently calling this listener
+	 */
+	int calling;
+
+	/**
+	 * condvar where active listeners wait
+	 */
+	condvar_t *condvar;
+};
+
+/**
+ * create a listener entry
+ */
+static entry_t *entry_create(listener_t *listener, bool blocker)
+{
+	entry_t *this = malloc_thing(entry_t);
+
+	this->listener = listener;
+	this->blocker = blocker;
+	this->calling = 0;
+	this->condvar = condvar_create(CONDVAR_TYPE_DEFAULT);
+
+	return this;
+}
+
+/**
+ * destroy an entry_t
+ */
+static void entry_destroy(entry_t *entry)
+{
+	entry->condvar->destroy(entry->condvar);
+	free(entry);
+}
+
+/**
+ * Implementation of bus_t.add_listener.
+ */
+static void add_listener(private_bus_t *this, listener_t *listener)
+{
+	this->mutex->lock(this->mutex);
+	this->listeners->insert_last(this->listeners, entry_create(listener, FALSE));
+	this->mutex->unlock(this->mutex);
+}
+
+/**
+ * Implementation of bus_t.remove_listener.
+ */
+static void remove_listener(private_bus_t *this, listener_t *listener)
+{
+	enumerator_t *enumerator;
+	entry_t *entry;
+
+	this->mutex->lock(this->mutex);
+	enumerator = this->listeners->create_enumerator(this->listeners);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (entry->listener == listener)
+		{
+			this->listeners->remove_at(this->listeners, enumerator);
+			entry_destroy(entry);
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->mutex->unlock(this->mutex);
+}
+
+typedef struct cleanup_data_t cleanup_data_t;
+
+/**
+ * data to remove a listener using thread_cleanup_t handler
+ */
+struct cleanup_data_t {
+	/** bus instance */
+	private_bus_t *this;
+	/** listener entry */
+	entry_t *entry;
+};
+
+/**
+ * thread_cleanup_t handler to remove a listener
+ */
+static void listener_cleanup(cleanup_data_t *data)
+{
+	data->this->listeners->remove(data->this->listeners, data->entry, NULL);
+	entry_destroy(data->entry);
+}
+
+/**
+ * Implementation of bus_t.listen.
+ */
+static void listen_(private_bus_t *this, listener_t *listener, job_t *job)
+{
+	bool old;
+	cleanup_data_t data;
+
+	data.this = this;
+	data.entry = entry_create(listener, TRUE);
+
+	this->mutex->lock(this->mutex);
+	this->listeners->insert_last(this->listeners, data.entry);
+	charon->processor->queue_job(charon->processor, job);
+	thread_cleanup_push((thread_cleanup_t)this->mutex->unlock, this->mutex);
+	thread_cleanup_push((thread_cleanup_t)listener_cleanup, &data);
+	old = thread_cancelability(TRUE);
+	while (data.entry->blocker)
+	{
+		data.entry->condvar->wait(data.entry->condvar, this->mutex);
+	}
+	thread_cancelability(old);
+	thread_cleanup_pop(FALSE);
+	/* unlock mutex */
+	thread_cleanup_pop(TRUE);
+	entry_destroy(data.entry);
+}
+
+/**
+ * Implementation of bus_t.set_sa.
+ */
+static void set_sa(private_bus_t *this, ike_sa_t *ike_sa)
+{
+	this->thread_sa->set(this->thread_sa, ike_sa);
+}
+
+/**
+ * Implementation of bus_t.get_sa
+ */
+static ike_sa_t* get_sa(private_bus_t *this)
+{
+	return this->thread_sa->get(this->thread_sa);
+}
+
+/**
+ * data associated to a signal, passed to callback
+ */
+typedef struct {
+	/** associated IKE_SA */
+	ike_sa_t *ike_sa;
+	/** invoking thread */
+	long thread;
+	/** debug group */
+	debug_t group;
+	/** debug level */
+	level_t level;
+	/** format string */
+	char *format;
+	/** argument list */
+	va_list args;
+} log_data_t;
+
+/**
+ * listener->log() invocation as a list remove callback
+ */
+static bool log_cb(entry_t *entry, log_data_t *data)
+{
+	va_list args;
+
+	if (entry->calling || !entry->listener->log)
+	{	/* avoid recursive calls */
+		return FALSE;
+	}
+	entry->calling++;
+	va_copy(args, data->args);
+	if (!entry->listener->log(entry->listener, data->group, data->level,
+							  data->thread, data->ike_sa, data->format, args))
+	{
+		if (entry->blocker)
+		{
+			entry->blocker = FALSE;
+			entry->condvar->signal(entry->condvar);
+		}
+		else
+		{
+			entry_destroy(entry);
+		}
+		va_end(args);
+		entry->calling--;
+		return TRUE;
+	}
+	va_end(args);
+	entry->calling--;
+	return FALSE;
+}
+
+/**
+ * Implementation of bus_t.vlog.
+ */
+static void vlog(private_bus_t *this, debug_t group, level_t level,
+				 char* format, va_list args)
+{
+	log_data_t data;
+
+	data.ike_sa = this->thread_sa->get(this->thread_sa);
+	data.thread = thread_current_id();
+	data.group = group;
+	data.level = level;
+	data.format = format;
+	va_copy(data.args, args);
+
+	this->mutex->lock(this->mutex);
+	/* We use the remove() method to invoke all listeners. This is cheap and
+	 * does not require an allocation for this performance critical function. */
+	this->listeners->remove(this->listeners, &data, (void*)log_cb);
+	this->mutex->unlock(this->mutex);
+
+	va_end(data.args);
+}
+
+/**
+ * Implementation of bus_t.log.
+ */
+static void log_(private_bus_t *this, debug_t group, level_t level,
+				 char* format, ...)
+{
+	va_list args;
+
+	va_start(args, format);
+	vlog(this, group, level, format, args);
+	va_end(args);
+}
+
+/**
+ * unregister a listener
+ */
+static void unregister_listener(private_bus_t *this, entry_t *entry,
+								enumerator_t *enumerator)
+{
+	if (entry->blocker)
+	{
+		entry->blocker = FALSE;
+		entry->condvar->signal(entry->condvar);
+	}
+	else
+	{
+		entry_destroy(entry);
+	}
+	this->listeners->remove_at(this->listeners, enumerator);
+}
+
+/**
+ * Implementation of bus_t.alert
+ */
+static void alert(private_bus_t *this, alert_t alert, ...)
+{
+	enumerator_t *enumerator;
+	ike_sa_t *ike_sa;
+	entry_t *entry;
+	va_list args;
+	bool keep;
+
+	ike_sa = this->thread_sa->get(this->thread_sa);
+
+	this->mutex->lock(this->mutex);
+	enumerator = this->listeners->create_enumerator(this->listeners);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (entry->calling || !entry->listener->alert)
+		{
+			continue;
+		}
+		entry->calling++;
+		va_start(args, alert);
+		keep = entry->listener->alert(entry->listener, ike_sa, alert, args);
+		va_end(args);
+		entry->calling--;
+		if (!keep)
+		{
+			unregister_listener(this, entry, enumerator);
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->mutex->unlock(this->mutex);
+}
+
+/**
+ * Implementation of bus_t.ike_state_change
+ */
+static void ike_state_change(private_bus_t *this, ike_sa_t *ike_sa,
+							 ike_sa_state_t state)
+{
+	enumerator_t *enumerator;
+	entry_t *entry;
+	bool keep;
+
+	this->mutex->lock(this->mutex);
+	enumerator = this->listeners->create_enumerator(this->listeners);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (entry->calling || !entry->listener->ike_state_change)
+		{
+			continue;
+		}
+		entry->calling++;
+		keep = entry->listener->ike_state_change(entry->listener, ike_sa, state);
+		entry->calling--;
+		if (!keep)
+		{
+			unregister_listener(this, entry, enumerator);
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->mutex->unlock(this->mutex);
+}
+
+/**
+ * Implementation of bus_t.child_state_change
+ */
+static void child_state_change(private_bus_t *this, child_sa_t *child_sa,
+							   child_sa_state_t state)
+{
+	enumerator_t *enumerator;
+	ike_sa_t *ike_sa;
+	entry_t *entry;
+	bool keep;
+
+	ike_sa = this->thread_sa->get(this->thread_sa);
+
+	this->mutex->lock(this->mutex);
+	enumerator = this->listeners->create_enumerator(this->listeners);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (entry->calling || !entry->listener->child_state_change)
+		{
+			continue;
+		}
+		entry->calling++;
+		keep = entry->listener->child_state_change(entry->listener, ike_sa,
+												   child_sa, state);
+		entry->calling--;
+		if (!keep)
+		{
+			unregister_listener(this, entry, enumerator);
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->mutex->unlock(this->mutex);
+}
+
+/**
+ * Implementation of bus_t.message
+ */
+static void message(private_bus_t *this, message_t *message, bool incoming)
+{
+	enumerator_t *enumerator;
+	ike_sa_t *ike_sa;
+	entry_t *entry;
+	bool keep;
+
+	ike_sa = this->thread_sa->get(this->thread_sa);
+
+	this->mutex->lock(this->mutex);
+	enumerator = this->listeners->create_enumerator(this->listeners);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (entry->calling || !entry->listener->message)
+		{
+			continue;
+		}
+		entry->calling++;
+		keep = entry->listener->message(entry->listener, ike_sa,
+										message, incoming);
+		entry->calling--;
+		if (!keep)
+		{
+			unregister_listener(this, entry, enumerator);
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->mutex->unlock(this->mutex);
+}
+
+/**
+ * Implementation of bus_t.ike_keys
+ */
+static void ike_keys(private_bus_t *this, ike_sa_t *ike_sa,
+					 diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r,
+					 ike_sa_t *rekey)
+{
+	enumerator_t *enumerator;
+	entry_t *entry;
+	bool keep;
+
+	this->mutex->lock(this->mutex);
+	enumerator = this->listeners->create_enumerator(this->listeners);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (entry->calling || !entry->listener->ike_keys)
+		{
+			continue;
+		}
+		entry->calling++;
+		keep = entry->listener->ike_keys(entry->listener, ike_sa, dh,
+										 nonce_i, nonce_r, rekey);
+		entry->calling--;
+		if (!keep)
+		{
+			unregister_listener(this, entry, enumerator);
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->mutex->unlock(this->mutex);
+}
+
+/**
+ * Implementation of bus_t.child_keys
+ */
+static void child_keys(private_bus_t *this, child_sa_t *child_sa,
+					   diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r)
+{
+	enumerator_t *enumerator;
+	ike_sa_t *ike_sa;
+	entry_t *entry;
+	bool keep;
+
+	ike_sa = this->thread_sa->get(this->thread_sa);
+
+	this->mutex->lock(this->mutex);
+	enumerator = this->listeners->create_enumerator(this->listeners);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (entry->calling || !entry->listener->child_keys)
+		{
+			continue;
+		}
+		entry->calling++;
+		keep = entry->listener->child_keys(entry->listener, ike_sa, child_sa,
+										   dh, nonce_i, nonce_r);
+		entry->calling--;
+		if (!keep)
+		{
+			unregister_listener(this, entry, enumerator);
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->mutex->unlock(this->mutex);
+}
+
+/**
+ * Implementation of bus_t.child_updown
+ */
+static void child_updown(private_bus_t *this, child_sa_t *child_sa, bool up)
+{
+	enumerator_t *enumerator;
+	ike_sa_t *ike_sa;
+	entry_t *entry;
+	bool keep;
+
+	ike_sa = this->thread_sa->get(this->thread_sa);
+
+	this->mutex->lock(this->mutex);
+	enumerator = this->listeners->create_enumerator(this->listeners);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (entry->calling || !entry->listener->child_updown)
+		{
+			continue;
+		}
+		entry->calling++;
+		keep = entry->listener->child_updown(entry->listener,
+											 ike_sa, child_sa, up);
+		entry->calling--;
+		if (!keep)
+		{
+			unregister_listener(this, entry, enumerator);
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->mutex->unlock(this->mutex);
+}
+
+/**
+ * Implementation of bus_t.child_rekey
+ */
+static void child_rekey(private_bus_t *this, child_sa_t *old, child_sa_t *new)
+{
+	enumerator_t *enumerator;
+	ike_sa_t *ike_sa;
+	entry_t *entry;
+	bool keep;
+
+	ike_sa = this->thread_sa->get(this->thread_sa);
+
+	this->mutex->lock(this->mutex);
+	enumerator = this->listeners->create_enumerator(this->listeners);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (entry->calling || !entry->listener->child_rekey)
+		{
+			continue;
+		}
+		entry->calling++;
+		keep = entry->listener->child_rekey(entry->listener, ike_sa, old, new);
+		entry->calling--;
+		if (!keep)
+		{
+			unregister_listener(this, entry, enumerator);
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->mutex->unlock(this->mutex);
+}
+
+/**
+ * Implementation of bus_t.ike_updown
+ */
+static void ike_updown(private_bus_t *this, ike_sa_t *ike_sa, bool up)
+{
+	enumerator_t *enumerator;
+	entry_t *entry;
+	bool keep;
+
+	this->mutex->lock(this->mutex);
+	enumerator = this->listeners->create_enumerator(this->listeners);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (entry->calling || !entry->listener->ike_updown)
+		{
+			continue;
+		}
+		entry->calling++;
+		keep = entry->listener->ike_updown(entry->listener, ike_sa, up);
+		entry->calling--;
+		if (!keep)
+		{
+			unregister_listener(this, entry, enumerator);
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->mutex->unlock(this->mutex);
+
+	/* a down event for IKE_SA implicitly downs all CHILD_SAs */
+	if (!up)
+	{
+		iterator_t *iterator;
+		child_sa_t *child_sa;
+
+		iterator = ike_sa->create_child_sa_iterator(ike_sa);
+		while (iterator->iterate(iterator, (void**)&child_sa))
+		{
+			child_updown(this, child_sa, FALSE);
+		}
+		iterator->destroy(iterator);
+	}
+}
+
+/**
+ * Implementation of bus_t.ike_rekey
+ */
+static void ike_rekey(private_bus_t *this, ike_sa_t *old, ike_sa_t *new)
+{
+	enumerator_t *enumerator;
+	entry_t *entry;
+	bool keep;
+
+	this->mutex->lock(this->mutex);
+	enumerator = this->listeners->create_enumerator(this->listeners);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (entry->calling || !entry->listener->ike_rekey)
+		{
+			continue;
+		}
+		entry->calling++;
+		keep = entry->listener->ike_rekey(entry->listener, old, new);
+		entry->calling--;
+		if (!keep)
+		{
+			unregister_listener(this, entry, enumerator);
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->mutex->unlock(this->mutex);
+}
+
+/**
+ * Implementation of bus_t.authorize
+ */
+static bool authorize(private_bus_t *this, bool final)
+{
+	enumerator_t *enumerator;
+	ike_sa_t *ike_sa;
+	entry_t *entry;
+	bool keep, success = TRUE;
+
+	ike_sa = this->thread_sa->get(this->thread_sa);
+
+	this->mutex->lock(this->mutex);
+	enumerator = this->listeners->create_enumerator(this->listeners);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (entry->calling || !entry->listener->authorize)
+		{
+			continue;
+		}
+		entry->calling++;
+		keep = entry->listener->authorize(entry->listener, ike_sa,
+										  final, &success);
+		entry->calling--;
+		if (!keep)
+		{
+			unregister_listener(this, entry, enumerator);
+		}
+		if (!success)
+		{
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->mutex->unlock(this->mutex);
+	return success;
+}
+
+/**
+ * Implementation of bus_t.destroy.
+ */
+static void destroy(private_bus_t *this)
+{
+	this->thread_sa->destroy(this->thread_sa);
+	this->mutex->destroy(this->mutex);
+	this->listeners->destroy_function(this->listeners, (void*)entry_destroy);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+bus_t *bus_create()
+{
+	private_bus_t *this = malloc_thing(private_bus_t);
+
+	this->public.add_listener = (void(*)(bus_t*,listener_t*))add_listener;
+	this->public.remove_listener = (void(*)(bus_t*,listener_t*))remove_listener;
+	this->public.listen = (void(*)(bus_t*, listener_t *listener, job_t *job))listen_;
+	this->public.set_sa = (void(*)(bus_t*,ike_sa_t*))set_sa;
+	this->public.get_sa = (ike_sa_t*(*)(bus_t*))get_sa;
+	this->public.log = (void(*)(bus_t*,debug_t,level_t,char*,...))log_;
+	this->public.vlog = (void(*)(bus_t*,debug_t,level_t,char*,va_list))vlog;
+	this->public.alert = (void(*)(bus_t*, alert_t alert, ...))alert;
+	this->public.ike_state_change = (void(*)(bus_t*,ike_sa_t*,ike_sa_state_t))ike_state_change;
+	this->public.child_state_change = (void(*)(bus_t*,child_sa_t*,child_sa_state_t))child_state_change;
+	this->public.message = (void(*)(bus_t*, message_t *message, bool incoming))message;
+	this->public.ike_keys = (void(*)(bus_t*, ike_sa_t *ike_sa, diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r, ike_sa_t *rekey))ike_keys;
+	this->public.child_keys = (void(*)(bus_t*, child_sa_t *child_sa, diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r))child_keys;
+	this->public.ike_updown = (void(*)(bus_t*, ike_sa_t *ike_sa, bool up))ike_updown;
+	this->public.ike_rekey = (void(*)(bus_t*, ike_sa_t *old, ike_sa_t *new))ike_rekey;
+	this->public.child_updown = (void(*)(bus_t*, child_sa_t *child_sa, bool up))child_updown;
+	this->public.child_rekey = (void(*)(bus_t*, child_sa_t *old, child_sa_t *new))child_rekey;
+	this->public.authorize = (bool(*)(bus_t*, bool final))authorize;
+	this->public.destroy = (void(*)(bus_t*)) destroy;
+
+	this->listeners = linked_list_create();
+	this->mutex = mutex_create(MUTEX_TYPE_RECURSIVE);
+	this->thread_sa = thread_value_create(NULL);
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/bus/bus.h b/src/libcharon/bus/bus.h
new file mode 100644
index 000000000..8cf392eae
--- /dev/null
+++ b/src/libcharon/bus/bus.h
@@ -0,0 +1,286 @@
+/*
+ * Copyright (C) 2006-2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup bus bus
+ * @{ @ingroup libcharon
+ */
+
+#ifndef BUS_H_
+#define BUS_H_
+
+typedef enum alert_t alert_t;
+typedef struct bus_t bus_t;
+
+#include <stdarg.h>
+
+#include <debug.h>
+#include <sa/ike_sa.h>
+#include <sa/child_sa.h>
+#include <processing/jobs/job.h>
+#include <bus/listeners/listener.h>
+
+/* undefine the definitions from libstrongswan */
+#undef DBG0
+#undef DBG1
+#undef DBG2
+#undef DBG3
+#undef DBG4
+
+#ifndef DEBUG_LEVEL
+# define DEBUG_LEVEL 4
+#endif /* DEBUG_LEVEL */
+
+#if DEBUG_LEVEL >= 0
+#define DBG0(group, format, ...) charon->bus->log(charon->bus, group, 0, format, ##__VA_ARGS__)
+#endif /* DEBUG_LEVEL >= 0 */
+#if DEBUG_LEVEL >= 1
+#define DBG1(group, format, ...) charon->bus->log(charon->bus, group, 1, format, ##__VA_ARGS__)
+#endif /* DEBUG_LEVEL >= 1 */
+#if DEBUG_LEVEL >= 2
+#define DBG2(group, format, ...) charon->bus->log(charon->bus, group, 2, format, ##__VA_ARGS__)
+#endif /* DEBUG_LEVEL >= 2 */
+#if DEBUG_LEVEL >= 3
+#define DBG3(group, format, ...) charon->bus->log(charon->bus, group, 3, format, ##__VA_ARGS__)
+#endif /* DEBUG_LEVEL >= 3 */
+#if DEBUG_LEVEL >= 4
+#define DBG4(group, format, ...) charon->bus->log(charon->bus, group, 4, format, ##__VA_ARGS__)
+#endif /* DEBUG_LEVEL >= 4 */
+
+#ifndef DBG0
+# define DBG0(...) {}
+#endif /* DBG0 */
+#ifndef DBG1
+# define DBG1(...) {}
+#endif /* DBG1 */
+#ifndef DBG2
+# define DBG2(...) {}
+#endif /* DBG2 */
+#ifndef DBG3
+# define DBG3(...) {}
+#endif /* DBG3 */
+#ifndef DBG4
+# define DBG4(...) {}
+#endif /* DBG4 */
+
+/**
+ * Kind of alerts to raise.
+ */
+enum alert_t {
+	/* a RADIUS server did not respond, no additional arguments */
+	ALERT_RADIUS_NOT_RESPONDING,
+	/* a shutdown signal has been received, argument is a int with the signal */
+	ALERT_SHUTDOWN_SIGNAL,
+};
+
+/**
+ * The bus receives events and sends them to all registered listeners.
+ *
+ * Any events sent to are delivered to all registered listeners. Threads
+ * may wait actively to events using the blocking listen() call.
+ */
+struct bus_t {
+
+	/**
+	 * Register a listener to the bus.
+	 *
+	 * A registered listener receives all events which are sent to the bus.
+	 * The listener is passive; the thread which emitted the event
+	 * processes the listener routine.
+	 *
+	 * @param listener	listener to register.
+	 */
+	void (*add_listener) (bus_t *this, listener_t *listener);
+
+	/**
+	 * Unregister a listener from the bus.
+	 *
+	 * @param listener	listener to unregister.
+	 */
+	void (*remove_listener) (bus_t *this, listener_t *listener);
+
+	/**
+	 * Register a listener and block the calling thread.
+	 *
+	 * This call registers a listener and blocks the calling thread until
+	 * its listeners function returns FALSE. This allows to wait for certain
+	 * events. The associated job is executed after the listener has been
+	 * registered: This allows to listen on events we initiate with the job,
+	 * without missing any events to job may fire.
+	 *
+	 * @param listener	listener to register
+	 * @param job		job to execute asynchronously when registered, or NULL
+	 */
+	void (*listen)(bus_t *this, listener_t *listener, job_t *job);
+
+	/**
+	 * Set the IKE_SA the calling thread is using.
+	 *
+	 * To associate an received log message to an IKE_SA without passing it as
+	 * parameter each time, the thread registers the currenlty used IKE_SA
+	 * during check-out. Before check-in, the thread unregisters the IKE_SA.
+	 * This IKE_SA is stored per-thread, so each thread has its own IKE_SA
+	 * registered.
+	 *
+	 * @param ike_sa	ike_sa to register, or NULL to unregister
+	 */
+	void (*set_sa) (bus_t *this, ike_sa_t *ike_sa);
+
+	/**
+	 * Get the IKE_SA the calling thread is currently using.
+	 *
+	 * If a thread currently does not know what IKE_SA it is processing,
+	 * it can call get_sa() to look up the SA set during checkout via set_sa().
+	 *
+	 * @return			registered ike_sa, NULL if none registered
+	 */
+	ike_sa_t* (*get_sa)(bus_t *this);
+
+	/**
+	 * Send a log message to the bus.
+	 *
+	 * The signal specifies the type of the event occured. The format string
+	 * specifies an additional informational or error message with a
+	 * printf() like variable argument list.
+	 * Use the DBG() macros.
+	 *
+	 * @param group		debugging group
+	 * @param level		verbosity level of the signal
+	 * @param format	printf() style format string
+	 * @param ...		printf() style argument list
+	 */
+	void (*log)(bus_t *this, debug_t group, level_t level, char* format, ...);
+
+	/**
+	 * Send a log message to the bus using va_list arguments.
+	 *
+	 * Same as bus_t.signal(), but uses va_list argument list.
+	 *
+	 * @param group		kind of the signal (up, down, rekeyed, ...)
+	 * @param level		verbosity level of the signal
+	 * @param format	printf() style format string
+	 * @param args		va_list arguments
+	 */
+	void (*vlog)(bus_t *this, debug_t group, level_t level,
+				 char* format, va_list args);
+
+	/**
+	 * Raise an alert over the bus.
+	 *
+	 * @param alert		kind of alert
+	 * @param ...		alert specific attributes
+	 */
+	void (*alert)(bus_t *this, alert_t alert, ...);
+
+	/**
+	 * Send a IKE_SA state change event to the bus.
+	 *
+	 * @param ike_sa	IKE_SA which changes its state
+	 * @param state		new state IKE_SA changes to
+	 */
+	void (*ike_state_change)(bus_t *this, ike_sa_t *ike_sa,
+							 ike_sa_state_t state);
+	/**
+	 * Send a CHILD_SA state change event to the bus.
+	 *
+	 * @param child_sa	CHILD_SA which changes its state
+	 * @param state		new state CHILD_SA changes to
+	 */
+	void (*child_state_change)(bus_t *this, child_sa_t *child_sa,
+							   child_sa_state_t state);
+	/**
+	 * Message send/receive hook.
+	 *
+	 * @param message	message to send/receive
+	 * @param incoming	TRUE for incoming messages, FALSE for outgoing
+	 */
+	void (*message)(bus_t *this, message_t *message, bool incoming);
+
+	/**
+	 * IKE_SA authorization hook.
+	 *
+	 * @param final		TRUE if this is the final invocation
+	 * @return			TRUE to establish IKE_SA, FALSE to send AUTH_FAILED
+	 */
+	bool (*authorize)(bus_t *this, bool final);
+
+	/**
+	 * IKE_SA keymat hook.
+	 *
+	 * @param ike_sa	IKE_SA this keymat belongs to
+	 * @param dh		diffie hellman shared secret
+	 * @param nonce_i	initiators nonce
+	 * @param nonce_r	responders nonce
+	 * @param rekey		IKE_SA we are rekeying, if any
+	 */
+	void (*ike_keys)(bus_t *this, ike_sa_t *ike_sa, diffie_hellman_t *dh,
+					 chunk_t nonce_i, chunk_t nonce_r, ike_sa_t *rekey);
+	/**
+	 * CHILD_SA keymat hook.
+	 *
+	 * @param child_sa	CHILD_SA this keymat is used for
+	 * @param dh		diffie hellman shared secret
+	 * @param nonce_i	initiators nonce
+	 * @param nonce_r	responders nonce
+	 */
+	void (*child_keys)(bus_t *this, child_sa_t *child_sa, diffie_hellman_t *dh,
+					   chunk_t nonce_i, chunk_t nonce_r);
+
+	/**
+	 * IKE_SA up/down hook.
+	 *
+	 * @param ike_sa	IKE_SA coming up/going down
+	 * @param up		TRUE for an up event, FALSE for a down event
+	 */
+	void (*ike_updown)(bus_t *this, ike_sa_t *ike_sa, bool up);
+
+	/**
+	 * IKE_SA rekeying hook.
+	 *
+	 * @param old		rekeyed and obsolete IKE_SA
+	 * @param new		new IKE_SA replacing old
+	 */
+	void (*ike_rekey)(bus_t *this, ike_sa_t *old, ike_sa_t *new);
+
+	/**
+	 * CHILD_SA up/down hook.
+	 *
+	 * @param child_sa	CHILD_SA coming up/going down
+	 * @param up		TRUE for an up event, FALSE for a down event
+	 */
+	void (*child_updown)(bus_t *this, child_sa_t *child_sa, bool up);
+
+	/**
+	 * CHILD_SA rekeying hook.
+	 *
+	 * @param old		rekeyed and obsolete CHILD_SA
+	 * @param new		new CHILD_SA replacing old
+	 */
+	void (*child_rekey)(bus_t *this, child_sa_t *old, child_sa_t *new);
+
+	/**
+	 * Destroy the event bus.
+	 */
+	void (*destroy) (bus_t *this);
+};
+
+/**
+ * Create the event bus which forwards events to its listeners.
+ *
+ * @return		event bus instance
+ */
+bus_t *bus_create();
+
+#endif /** BUS_H_ @}*/
diff --git a/src/libcharon/bus/listeners/file_logger.c b/src/libcharon/bus/listeners/file_logger.c
new file mode 100644
index 000000000..12587deaf
--- /dev/null
+++ b/src/libcharon/bus/listeners/file_logger.c
@@ -0,0 +1,125 @@
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <stdio.h>
+#include <string.h>
+
+#include "file_logger.h"
+
+
+typedef struct private_file_logger_t private_file_logger_t;
+
+/**
+ * Private data of a file_logger_t object
+ */
+struct private_file_logger_t {
+
+	/**
+	 * Public data.
+	 */
+	file_logger_t public;
+
+	/**
+	 * output file
+	 */
+	FILE *out;
+
+	/**
+	 * Maximum level to log, for each group
+	 */
+	level_t levels[DBG_MAX];
+};
+
+/**
+ * Implementation of bus_listener_t.log.
+ */
+static bool log_(private_file_logger_t *this, debug_t group, level_t level,
+				 int thread, ike_sa_t* ike_sa, char *format, va_list args)
+{
+	if (level <= this->levels[group])
+	{
+		char buffer[8192];
+		char *current = buffer, *next;
+
+		/* write in memory buffer first */
+		vsnprintf(buffer, sizeof(buffer), format, args);
+
+		/* prepend a prefix in front of every line */
+		while (current)
+		{
+			next = strchr(current, '\n');
+			if (next)
+			{
+				*(next++) = '\0';
+			}
+			fprintf(this->out, "%.2d[%N] %s\n",
+					thread, debug_names, group, current);
+			current = next;
+		}
+	}
+	/* always stay registered */
+	return TRUE;
+}
+
+/**
+ * Implementation of file_logger_t.set_level.
+ */
+static void set_level(private_file_logger_t *this, debug_t group, level_t level)
+{
+	if (group < DBG_ANY)
+	{
+		this->levels[group] = level;
+	}
+	else
+	{
+		for (group = 0; group < DBG_MAX; group++)
+		{
+			this->levels[group] = level;
+		}
+	}
+}
+
+/**
+ * Implementation of file_logger_t.destroy.
+ */
+static void destroy(private_file_logger_t *this)
+{
+	if (this->out != stdout && this->out != stderr)
+	{
+		fclose(this->out);
+	}
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+file_logger_t *file_logger_create(FILE *out)
+{
+	private_file_logger_t *this = malloc_thing(private_file_logger_t);
+
+	/* public functions */
+	memset(&this->public.listener, 0, sizeof(listener_t));
+	this->public.listener.log = (bool(*)(listener_t*,debug_t,level_t,int,ike_sa_t*,char*,va_list))log_;
+	this->public.set_level = (void(*)(file_logger_t*,debug_t,level_t))set_level;
+	this->public.destroy = (void(*)(file_logger_t*))destroy;
+
+	/* private variables */
+	this->out = out;
+	set_level(this, DBG_ANY, LEVEL_SILENT);
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/bus/listeners/file_logger.h b/src/libcharon/bus/listeners/file_logger.h
new file mode 100644
index 000000000..bd443fdb8
--- /dev/null
+++ b/src/libcharon/bus/listeners/file_logger.h
@@ -0,0 +1,60 @@
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup file_logger file_logger
+ * @{ @ingroup listeners
+ */
+
+#ifndef FILE_LOGGER_H_
+#define FILE_LOGGER_H_
+
+#include <bus/listeners/listener.h>
+
+typedef struct file_logger_t file_logger_t;
+
+/**
+ * Logger to files which implements listener_t.
+ */
+struct file_logger_t {
+
+	/**
+	 * Implements the listener_t interface.
+	 */
+	listener_t listener;
+
+	/**
+	 * Set the loglevel for a debug group.
+	 *
+	 * @param group		debug group to set
+	 * @param level		max level to log (0..4)
+	 */
+	void (*set_level) (file_logger_t *this, debug_t group, level_t level);
+
+	/**
+	 * Destroys a file_logger_t object.
+	 */
+	void (*destroy) (file_logger_t *this);
+};
+
+/**
+ * Constructor to create a file_logger_t object.
+ *
+ * @param out		FILE to write to
+ * @return			file_logger_t object
+ */
+file_logger_t *file_logger_create(FILE *out);
+
+#endif /** FILE_LOGGER_H_ @}*/
diff --git a/src/libcharon/bus/listeners/listener.h b/src/libcharon/bus/listeners/listener.h
new file mode 100644
index 000000000..9a51a2ef4
--- /dev/null
+++ b/src/libcharon/bus/listeners/listener.h
@@ -0,0 +1,178 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup listener listener
+ * @{ @ingroup listeners
+ */
+
+#ifndef LISTENER_H_
+#define LISTENER_H_
+
+typedef struct listener_t listener_t;
+
+#include <bus/bus.h>
+
+/**
+ * Listener interface, listens to events if registered to the bus.
+ */
+struct listener_t {
+
+	/**
+	 * Log a debugging message.
+	 *
+	 * The implementing signal function returns TRUE to stay registered
+	 * to the bus, or FALSE to unregister itself.
+	 * Calling bus_t.log() inside of a registered listener is possible,
+	 * but the bus does not invoke listeners recursively.
+	 *
+	 * @param group		kind of the signal (up, down, rekeyed, ...)
+	 * @param level		verbosity level of the signal
+	 * @param thread	ID of the thread raised this signal
+	 * @param ike_sa	IKE_SA associated to the event
+	 * @param format	printf() style format string
+	 * @param args		vprintf() style va_list argument list
+	 * @return			TRUE to stay registered, FALSE to unregister
+	 */
+	bool (*log)(listener_t *this, debug_t group, level_t level, int thread,
+				ike_sa_t *ike_sa, char* format, va_list args);
+
+	/**
+	 * Hook called if a critical alert is risen.
+	 *
+	 * @param ike_sa	IKE_SA associated to the alert, if any
+	 * @param alert		kind of alert
+	 * @param ...		alert specific argument list
+	 * @return			TRUE to stay registered, FALSE to unregister
+	 */
+	bool (*alert)(listener_t *this, ike_sa_t *ike_sa,
+				  alert_t alert, va_list args);
+
+	/**
+	 * Handle state changes in an IKE_SA.
+	 *
+	 * @param ike_sa	IKE_SA which changes its state
+	 * @param state		new IKE_SA state this IKE_SA changes to
+	 * @return			TRUE to stay registered, FALSE to unregister
+	 */
+	bool (*ike_state_change)(listener_t *this, ike_sa_t *ike_sa,
+							 ike_sa_state_t state);
+
+	/**
+	 * Handle state changes in a CHILD_SA.
+	 *
+	 * @param ike_sa	IKE_SA containing the affected CHILD_SA
+	 * @param child_sa	CHILD_SA which changes its state
+	 * @param state		new CHILD_SA state this CHILD_SA changes to
+	 * @return			TRUE to stay registered, FALSE to unregister
+	 */
+	bool (*child_state_change)(listener_t *this, ike_sa_t *ike_sa,
+							   child_sa_t *child_sa, child_sa_state_t state);
+
+	/**
+	 * Hook called for received/sent messages of an IKE_SA.
+	 *
+	 * @param ike_sa	IKE_SA sending/receving a message
+	 * @param message	message object
+	 * @param incoming	TRUE for incoming messages, FALSE for outgoing
+	 * @return			TRUE to stay registered, FALSE to unregister
+	 */
+	bool (*message)(listener_t *this, ike_sa_t *ike_sa, message_t *message,
+					bool incoming);
+
+	/**
+	 * Hook called with IKE_SA key material.
+	 *
+	 * @param ike_sa	IKE_SA this keymat belongs to
+	 * @param dh		diffie hellman shared secret
+	 * @param nonce_i	initiators nonce
+	 * @param nonce_r	responders nonce
+	 * @param rekey		IKE_SA we are rekeying, if any
+	 * @return			TRUE to stay registered, FALSE to unregister
+	 */
+	bool (*ike_keys)(listener_t *this, ike_sa_t *ike_sa, diffie_hellman_t *dh,
+					 chunk_t nonce_i, chunk_t nonce_r, ike_sa_t *rekey);
+
+	/**
+	 * Hook called with CHILD_SA key material.
+	 *
+	 * @param ike_sa	IKE_SA the child sa belongs to
+	 * @param child_sa	CHILD_SA this keymat is used for
+	 * @param dh		diffie hellman shared secret
+	 * @param nonce_i	initiators nonce
+	 * @param nonce_r	responders nonce
+	 * @return			TRUE to stay registered, FALSE to unregister
+	 */
+	bool (*child_keys)(listener_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa,
+					   diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r);
+
+	/**
+	 * Hook called if an IKE_SA gets up or down.
+	 *
+	 * @param ike_sa	IKE_SA coming up/going down
+	 * @param up		TRUE for an up event, FALSE for a down event
+	 * @return			TRUE to stay registered, FALSE to unregister
+	 */
+	bool (*ike_updown)(listener_t *this, ike_sa_t *ike_sa, bool up);
+
+	/**
+	 * Hook called when an IKE_SA gets rekeyed.
+	 *
+	 * @param old		rekeyed IKE_SA getting obsolete
+	 * @param new		new IKE_SA replacing old
+	 * @return			TRUE to stay registered, FALSE to unregister
+	 */
+	bool (*ike_rekey)(listener_t *this, ike_sa_t *old, ike_sa_t *new);
+
+	/**
+	 * Hook called when a CHILD_SA gets up or down.
+	 *
+	 * @param ike_sa	IKE_SA containing the handled CHILD_SA
+	 * @param child_sa	CHILD_SA coming up/going down
+	 * @param up		TRUE for an up event, FALSE for a down event
+	 * @return			TRUE to stay registered, FALSE to unregister
+	 */
+	bool (*child_updown)(listener_t *this, ike_sa_t *ike_sa,
+						 child_sa_t *child_sa, bool up);
+
+	/**
+	 * Hook called when an CHILD_SA gets rekeyed.
+	 *
+	 * @param ike_sa	IKE_SA containing the rekeyed CHILD_SA
+	 * @param old		rekeyed CHILD_SA getting obsolete
+	 * @param new		new CHILD_SA replacing old
+	 * @return			TRUE to stay registered, FALSE to unregister
+	 */
+	bool (*child_rekey)(listener_t *this, ike_sa_t *ike_sa,
+						child_sa_t *old, child_sa_t *new);
+
+	/**
+	 * Hook called to invoke additional authorization rules.
+	 *
+	 * An authorization hook gets invoked several times: After each
+	 * authentication round, the hook gets invoked with with final = FALSE.
+	 * After authentication is complete and the peer configuration is selected,
+	 * it is invoked again, but with final = TRUE.
+	 *
+	 * @param ike_sa	IKE_SA to authorize
+	 * @param final		TRUE if this is the final hook invocation
+	 * @param success	set to TRUE to complete IKE_SA, FALSE abort
+	 * @return			TRUE to stay registered, FALSE to unregister
+	 */
+	bool (*authorize)(listener_t *this, ike_sa_t *ike_sa,
+					  bool final, bool *success);
+};
+
+#endif /** LISTENER_H_ @}*/
diff --git a/src/libcharon/bus/listeners/sys_logger.c b/src/libcharon/bus/listeners/sys_logger.c
new file mode 100644
index 000000000..11421ad05
--- /dev/null
+++ b/src/libcharon/bus/listeners/sys_logger.c
@@ -0,0 +1,121 @@
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <stdio.h>
+#include <string.h>
+
+#include "sys_logger.h"
+
+
+typedef struct private_sys_logger_t private_sys_logger_t;
+
+/**
+ * Private data of a sys_logger_t object
+ */
+struct private_sys_logger_t {
+
+	/**
+	 * Public data.
+	 */
+	sys_logger_t public;
+
+	/**
+	 * syslog facility to use
+	 */
+	int facility;
+
+	/**
+	 * Maximum level to log, for each group
+	 */
+	level_t levels[DBG_MAX];
+};
+
+/**
+ * Implementation of listener_t.log.
+ */
+static bool log_(private_sys_logger_t *this, debug_t group, level_t level,
+				 int thread, ike_sa_t* ike_sa, char *format, va_list args)
+{
+	if (level <= this->levels[group])
+	{
+		char buffer[8192];
+		char *current = buffer, *next;
+
+		/* write in memory buffer first */
+		vsnprintf(buffer, sizeof(buffer), format, args);
+
+		/* do a syslog with every line */
+		while (current)
+		{
+			next = strchr(current, '\n');
+			if (next)
+			{
+				*(next++) = '\0';
+			}
+			syslog(this->facility|LOG_INFO, "%.2d[%N] %s\n",
+				   thread, debug_names, group, current);
+			current = next;
+		}
+	}
+	/* always stay registered */
+	return TRUE;
+}
+
+/**
+ * Implementation of sys_logger_t.set_level.
+ */
+static void set_level(private_sys_logger_t *this, debug_t group, level_t level)
+{
+	if (group < DBG_ANY)
+	{
+		this->levels[group] = level;
+	}
+	else
+	{
+		for (group = 0; group < DBG_MAX; group++)
+		{
+			this->levels[group] = level;
+		}
+	}
+}
+
+/**
+ * Implementation of sys_logger_t.destroy.
+ */
+static void destroy(private_sys_logger_t *this)
+{
+	closelog();
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+sys_logger_t *sys_logger_create(int facility)
+{
+	private_sys_logger_t *this = malloc_thing(private_sys_logger_t);
+
+	/* public functions */
+	memset(&this->public.listener, 0, sizeof(listener_t));
+	this->public.listener.log = (bool(*)(listener_t*,debug_t,level_t,int,ike_sa_t*,char*,va_list))log_;
+	this->public.set_level = (void(*)(sys_logger_t*,debug_t,level_t))set_level;
+	this->public.destroy = (void(*)(sys_logger_t*))destroy;
+
+	/* private variables */
+	this->facility = facility;
+	set_level(this, DBG_ANY, LEVEL_SILENT);
+
+	return &this->public;
+}
diff --git a/src/libcharon/bus/listeners/sys_logger.h b/src/libcharon/bus/listeners/sys_logger.h
new file mode 100644
index 000000000..730890d68
--- /dev/null
+++ b/src/libcharon/bus/listeners/sys_logger.h
@@ -0,0 +1,62 @@
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup sys_logger sys_logger
+ * @{ @ingroup listeners
+ */
+
+#ifndef SYS_LOGGER_H_
+#define SYS_LOGGER_H_
+
+#include <syslog.h>
+
+#include <bus/listeners/listener.h>
+
+typedef struct sys_logger_t sys_logger_t;
+
+/**
+ * Logger for syslog which implements listener_t.
+ */
+struct sys_logger_t {
+
+	/**
+	 * Implements the listener_t interface.
+	 */
+	listener_t listener;
+
+	/**
+	 * Set the loglevel for a debug group.
+	 *
+	 * @param group		debug group to set
+	 * @param level		max level to log (0..4)
+	 */
+	void (*set_level) (sys_logger_t *this, debug_t group, level_t level);
+
+	/**
+	 * Destroys a sys_logger_t object.
+	 */
+	void (*destroy) (sys_logger_t *this);
+};
+
+/**
+ * Constructor to create a sys_logger_t object.
+ *
+ * @param facility	syslog facility to use
+ * @return			sys_logger_t object
+ */
+sys_logger_t *sys_logger_create(int facility);
+
+#endif /** SYS_LOGGER_H_ @}*/
diff --git a/src/libcharon/config/auth_cfg.c b/src/libcharon/config/auth_cfg.c
new file mode 100644
index 000000000..94362c756
--- /dev/null
+++ b/src/libcharon/config/auth_cfg.c
@@ -0,0 +1,768 @@
+/*
+ * Copyright (C) 2007-2009 Martin Willi
+ * Copyright (C) 2008 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "auth_cfg.h"
+
+#include <daemon.h>
+#include <utils/linked_list.h>
+#include <utils/identification.h>
+#include <credentials/certificates/certificate.h>
+
+ENUM(auth_rule_names, AUTH_RULE_IDENTITY, AUTH_HELPER_SUBJECT_HASH_URL,
+	"RULE_IDENTITY",
+	"RULE_AUTH_CLASS",
+	"RULE_EAP_IDENTITY",
+	"RULE_EAP_TYPE",
+	"RULE_EAP_VENDOR",
+	"RULE_CA_CERT",
+	"RULE_IM_CERT",
+	"RULE_SUBJECT_CERT",
+	"RULE_CRL_VALIDATION",
+	"RULE_OCSP_VALIDATION",
+	"RULE_AC_GROUP",
+	"HELPER_IM_CERT",
+	"HELPER_SUBJECT_CERT",
+	"HELPER_IM_HASH_URL",
+	"HELPER_SUBJECT_HASH_URL",
+);
+
+typedef struct private_auth_cfg_t private_auth_cfg_t;
+
+/**
+ * private data of item_set
+ */
+struct private_auth_cfg_t {
+
+	/**
+	 * public functions
+	 */
+	auth_cfg_t public;
+
+	/**
+	 * list of entry_t
+	 */
+	linked_list_t *entries;
+};
+
+typedef struct entry_t entry_t;
+
+struct entry_t {
+	/** rule type */
+	auth_rule_t type;
+	/** associated value */
+	void *value;
+};
+
+/**
+ * enumerator for auth_cfg_t.create_enumerator()
+ */
+typedef struct {
+	/** implements enumerator_t */
+	enumerator_t public;
+	/** inner enumerator from linked_list_t */
+	enumerator_t *inner;
+	/** current entry */
+	entry_t *current;
+} entry_enumerator_t;
+
+/**
+ * enumerate function for item_enumerator_t
+ */
+static bool enumerate(entry_enumerator_t *this, auth_rule_t *type, void **value)
+{
+	entry_t *entry;
+
+	if (this->inner->enumerate(this->inner, &entry))
+	{
+		this->current = entry;
+		*type = entry->type;
+		*value = entry->value;
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/**
+ * destroy function for item_enumerator_t
+ */
+static void entry_enumerator_destroy(entry_enumerator_t *this)
+{
+	this->inner->destroy(this->inner);
+	free(this);
+}
+
+/**
+ * Implementation of auth_cfg_t.create_enumerator.
+ */
+static enumerator_t* create_enumerator(private_auth_cfg_t *this)
+{
+	entry_enumerator_t *enumerator;
+
+	enumerator = malloc_thing(entry_enumerator_t);
+	enumerator->inner = this->entries->create_enumerator(this->entries);
+	enumerator->public.enumerate = (void*)enumerate;
+	enumerator->public.destroy = (void*)entry_enumerator_destroy;
+	enumerator->current = NULL;
+	return &enumerator->public;
+}
+
+/**
+ * Destroy the value associated with an entry
+ */
+static void destroy_entry_value(entry_t *entry)
+{
+	switch (entry->type)
+	{
+		case AUTH_RULE_IDENTITY:
+		case AUTH_RULE_EAP_IDENTITY:
+		case AUTH_RULE_AC_GROUP:
+		{
+			identification_t *id = (identification_t*)entry->value;
+			id->destroy(id);
+			break;
+		}
+		case AUTH_RULE_CA_CERT:
+		case AUTH_RULE_IM_CERT:
+		case AUTH_RULE_SUBJECT_CERT:
+		case AUTH_HELPER_IM_CERT:
+		case AUTH_HELPER_SUBJECT_CERT:
+		{
+			certificate_t *cert = (certificate_t*)entry->value;
+			cert->destroy(cert);
+			break;
+		}
+		case AUTH_HELPER_IM_HASH_URL:
+		case AUTH_HELPER_SUBJECT_HASH_URL:
+		{
+			free(entry->value);
+			break;
+		}
+		case AUTH_RULE_AUTH_CLASS:
+		case AUTH_RULE_EAP_TYPE:
+		case AUTH_RULE_EAP_VENDOR:
+		case AUTH_RULE_CRL_VALIDATION:
+		case AUTH_RULE_OCSP_VALIDATION:
+			break;
+	}
+}
+
+/**
+ * Implementation of auth_cfg_t.replace.
+ */
+static void replace(auth_cfg_t *this, entry_enumerator_t *enumerator,
+					auth_rule_t type, ...)
+{
+	if (enumerator->current)
+	{
+		va_list args;
+
+		va_start(args, type);
+
+		destroy_entry_value(enumerator->current);
+		enumerator->current->type = type;
+		switch (type)
+		{
+			case AUTH_RULE_AUTH_CLASS:
+			case AUTH_RULE_EAP_TYPE:
+			case AUTH_RULE_EAP_VENDOR:
+			case AUTH_RULE_CRL_VALIDATION:
+			case AUTH_RULE_OCSP_VALIDATION:
+				/* integer type */
+				enumerator->current->value = (void*)(uintptr_t)va_arg(args, u_int);
+				break;
+			case AUTH_RULE_IDENTITY:
+			case AUTH_RULE_EAP_IDENTITY:
+			case AUTH_RULE_AC_GROUP:
+			case AUTH_RULE_CA_CERT:
+			case AUTH_RULE_IM_CERT:
+			case AUTH_RULE_SUBJECT_CERT:
+			case AUTH_HELPER_IM_CERT:
+			case AUTH_HELPER_SUBJECT_CERT:
+			case AUTH_HELPER_IM_HASH_URL:
+			case AUTH_HELPER_SUBJECT_HASH_URL:
+				/* pointer type */
+				enumerator->current->value = va_arg(args, void*);
+				break;
+		}
+		va_end(args);
+	}
+}
+
+/**
+ * Implementation of auth_cfg_t.get.
+ */
+static void* get(private_auth_cfg_t *this, auth_rule_t type)
+{
+	enumerator_t *enumerator;
+	void *current_value, *best_value = NULL;
+	auth_rule_t current_type;
+	bool found = FALSE;
+
+	enumerator = create_enumerator(this);
+	while (enumerator->enumerate(enumerator, &current_type, &current_value))
+	{
+		if (type == current_type)
+		{
+			if (type == AUTH_RULE_CRL_VALIDATION ||
+				type == AUTH_RULE_OCSP_VALIDATION)
+			{	/* for CRL/OCSP validation, always get() the highest value */
+				if (!found || current_value > best_value)
+				{
+					best_value = current_value;
+				}
+				found = TRUE;
+				continue;
+			}
+			best_value = current_value;
+			found = TRUE;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	if (found)
+	{
+		return best_value;
+	}
+	switch (type)
+	{
+		/* use some sane defaults if we don't find an entry */
+		case AUTH_RULE_AUTH_CLASS:
+			return (void*)AUTH_CLASS_ANY;
+		case AUTH_RULE_EAP_TYPE:
+			return (void*)EAP_NAK;
+		case AUTH_RULE_EAP_VENDOR:
+			return (void*)0;
+		case AUTH_RULE_CRL_VALIDATION:
+		case AUTH_RULE_OCSP_VALIDATION:
+			return (void*)VALIDATION_FAILED;
+		case AUTH_RULE_IDENTITY:
+		case AUTH_RULE_EAP_IDENTITY:
+		case AUTH_RULE_AC_GROUP:
+		case AUTH_RULE_CA_CERT:
+		case AUTH_RULE_IM_CERT:
+		case AUTH_RULE_SUBJECT_CERT:
+		case AUTH_HELPER_IM_CERT:
+		case AUTH_HELPER_SUBJECT_CERT:
+		case AUTH_HELPER_IM_HASH_URL:
+		case AUTH_HELPER_SUBJECT_HASH_URL:
+		default:
+			return NULL;
+	}
+}
+
+/**
+ * Implementation of auth_cfg_t.add.
+ */
+static void add(private_auth_cfg_t *this, auth_rule_t type, ...)
+{
+	entry_t *entry = malloc_thing(entry_t);
+	va_list args;
+
+	va_start(args, type);
+	entry->type = type;
+	switch (type)
+	{
+		case AUTH_RULE_AUTH_CLASS:
+		case AUTH_RULE_EAP_TYPE:
+		case AUTH_RULE_EAP_VENDOR:
+		case AUTH_RULE_CRL_VALIDATION:
+		case AUTH_RULE_OCSP_VALIDATION:
+			/* integer type */
+			entry->value = (void*)(uintptr_t)va_arg(args, u_int);
+			break;
+		case AUTH_RULE_IDENTITY:
+		case AUTH_RULE_EAP_IDENTITY:
+		case AUTH_RULE_AC_GROUP:
+		case AUTH_RULE_CA_CERT:
+		case AUTH_RULE_IM_CERT:
+		case AUTH_RULE_SUBJECT_CERT:
+		case AUTH_HELPER_IM_CERT:
+		case AUTH_HELPER_SUBJECT_CERT:
+		case AUTH_HELPER_IM_HASH_URL:
+		case AUTH_HELPER_SUBJECT_HASH_URL:
+			/* pointer type */
+			entry->value = va_arg(args, void*);
+			break;
+	}
+	va_end(args);
+	this->entries->insert_last(this->entries, entry);
+}
+
+/**
+ * Implementation of auth_cfg_t.complies.
+ */
+static bool complies(private_auth_cfg_t *this, auth_cfg_t *constraints,
+					 bool log_error)
+{
+	enumerator_t *e1, *e2;
+	bool success = TRUE;
+	auth_rule_t t1, t2;
+	void *value;
+
+	e1 = constraints->create_enumerator(constraints);
+	while (e1->enumerate(e1, &t1, &value))
+	{
+		switch (t1)
+		{
+			case AUTH_RULE_CA_CERT:
+			case AUTH_RULE_IM_CERT:
+			{
+				certificate_t *c1, *c2;
+
+				c1 = (certificate_t*)value;
+
+				success = FALSE;
+				e2 = create_enumerator(this);
+				while (e2->enumerate(e2, &t2, &c2))
+				{
+					if ((t2 == AUTH_RULE_CA_CERT || t2 == AUTH_RULE_IM_CERT) &&
+						c1->equals(c1, c2))
+					{
+						success = TRUE;
+					}
+				}
+				e2->destroy(e2);
+				if (!success && log_error)
+				{
+					DBG1(DBG_CFG, "constraint check failed: peer not "
+						 "authenticated by CA '%Y'.", c1->get_subject(c1));
+				}
+				break;
+			}
+			case AUTH_RULE_SUBJECT_CERT:
+			{
+				certificate_t *c1, *c2;
+
+				c1 = (certificate_t*)value;
+				c2 = get(this, AUTH_RULE_SUBJECT_CERT);
+				if (!c2 || !c1->equals(c1, c2))
+				{
+					success = FALSE;
+					if (log_error)
+					{
+						DBG1(DBG_CFG, "constraint check failed: peer not "
+							 "authenticated with peer cert '%Y'.",
+							 c1->get_subject(c1));
+					}
+				}
+				break;
+			}
+			case AUTH_RULE_CRL_VALIDATION:
+			case AUTH_RULE_OCSP_VALIDATION:
+			{
+				cert_validation_t validated, required;
+
+				required = (uintptr_t)value;
+				validated = (uintptr_t)get(this, t1);
+				switch (required)
+				{
+					case VALIDATION_FAILED:
+						/* no constraint */
+						break;
+					case VALIDATION_SKIPPED:
+						if (validated == VALIDATION_SKIPPED)
+						{
+							break;
+						}
+						/* FALL */
+					case VALIDATION_GOOD:
+						if (validated == VALIDATION_GOOD)
+						{
+							break;
+						}
+						/* FALL */
+					default:
+						success = FALSE;
+						if (log_error)
+						{
+							DBG1(DBG_CFG, "constraint check failed: %N is %N, "
+								 "but requires at least %N", auth_rule_names,
+								 t1, cert_validation_names, validated,
+								 cert_validation_names, required);
+						}
+						break;
+				}
+				break;
+			}
+			case AUTH_RULE_IDENTITY:
+			case AUTH_RULE_EAP_IDENTITY:
+			{
+				identification_t *id1, *id2;
+
+				id1 = (identification_t*)value;
+				id2 = get(this, t1);
+				if (!id2 || !id2->matches(id2, id1))
+				{
+					success = FALSE;
+					if (log_error)
+					{
+						DBG1(DBG_CFG, "constraint check failed: %sidentity '%Y'"
+							 " required ", t1 == AUTH_RULE_IDENTITY ? "" :
+							 "EAP ", id1);
+					}
+				}
+				break;
+			}
+			case AUTH_RULE_AUTH_CLASS:
+			{
+				if ((uintptr_t)value != AUTH_CLASS_ANY &&
+					(uintptr_t)value != (uintptr_t)get(this, t1))
+				{
+					success = FALSE;
+					if (log_error)
+					{
+						DBG1(DBG_CFG, "constraint requires %N authentication, "
+							 "but %N was used", auth_class_names, (uintptr_t)value,
+							 auth_class_names, (uintptr_t)get(this, t1));
+					}
+				}
+				break;
+			}
+			case AUTH_RULE_EAP_TYPE:
+			{
+				if ((uintptr_t)value != (uintptr_t)get(this, t1))
+				{
+					success = FALSE;
+					if (log_error)
+					{
+						DBG1(DBG_CFG, "constraint requires %N, "
+							 "but %N was used", eap_type_names, (uintptr_t)value,
+							 eap_type_names,  (uintptr_t)get(this, t1));
+					}
+				}
+				break;
+			}
+			case AUTH_RULE_EAP_VENDOR:
+			{
+				if ((uintptr_t)value != (uintptr_t)get(this, t1))
+				{
+					success = FALSE;
+					if (log_error)
+					{
+						DBG1(DBG_CFG, "constraint requires EAP vendor %d, "
+							 "but %d was used", (uintptr_t)value,
+							 (uintptr_t)get(this, t1));
+					}
+				}
+				break;
+			}
+			case AUTH_RULE_AC_GROUP:
+			{
+				success = FALSE;
+				if (log_error)
+				{
+					DBG1(DBG_CFG, "constraint check %N not implemented!",
+						 auth_rule_names, t1);
+				}
+				break;
+			}
+			case AUTH_HELPER_IM_CERT:
+			case AUTH_HELPER_SUBJECT_CERT:
+			case AUTH_HELPER_IM_HASH_URL:
+			case AUTH_HELPER_SUBJECT_HASH_URL:
+				/* skip helpers */
+				continue;
+		}
+		if (!success)
+		{
+			break;
+		}
+	}
+	e1->destroy(e1);
+	return success;
+}
+
+/**
+ * Implementation of auth_cfg_t.merge.
+ */
+static void merge(private_auth_cfg_t *this, private_auth_cfg_t *other, bool copy)
+{
+	if (!other)
+	{	/* nothing to merge */
+		return;
+	}
+	if (copy)
+	{
+		enumerator_t *enumerator;
+		auth_rule_t type;
+		void *value;
+
+		enumerator = create_enumerator(other);
+		while (enumerator->enumerate(enumerator, &type, &value))
+		{
+			switch (type)
+			{
+				case AUTH_RULE_CA_CERT:
+				case AUTH_RULE_IM_CERT:
+				case AUTH_RULE_SUBJECT_CERT:
+				case AUTH_HELPER_IM_CERT:
+				case AUTH_HELPER_SUBJECT_CERT:
+				{
+					certificate_t *cert = (certificate_t*)value;
+
+					add(this, type, cert->get_ref(cert));
+					break;
+				}
+				case AUTH_RULE_CRL_VALIDATION:
+				case AUTH_RULE_OCSP_VALIDATION:
+				case AUTH_RULE_AUTH_CLASS:
+				case AUTH_RULE_EAP_TYPE:
+				case AUTH_RULE_EAP_VENDOR:
+				{
+					add(this, type, (uintptr_t)value);
+					break;
+				}
+				case AUTH_RULE_IDENTITY:
+				case AUTH_RULE_EAP_IDENTITY:
+				case AUTH_RULE_AC_GROUP:
+				{
+					identification_t *id = (identification_t*)value;
+
+					add(this, type, id->clone(id));
+					break;
+				}
+				case AUTH_HELPER_IM_HASH_URL:
+				case AUTH_HELPER_SUBJECT_HASH_URL:
+				{
+					add(this, type, strdup((char*)value));
+					break;
+				}
+			}
+		}
+		enumerator->destroy(enumerator);
+	}
+	else
+	{
+		entry_t *entry;
+
+		while (other->entries->remove_first(other->entries,
+											(void**)&entry) == SUCCESS)
+		{
+			this->entries->insert_last(this->entries, entry);
+		}
+	}
+}
+
+/**
+ * Implementation of auth_cfg_t.equals.
+ */
+static bool equals(private_auth_cfg_t *this, private_auth_cfg_t *other)
+{
+	enumerator_t *e1, *e2;
+	entry_t *i1, *i2;
+	bool equal = TRUE, found;
+
+	if (this->entries->get_count(this->entries) !=
+		other->entries->get_count(other->entries))
+	{
+		return FALSE;
+	}
+	e1 = this->entries->create_enumerator(this->entries);
+	while (e1->enumerate(e1, &i1))
+	{
+		found = FALSE;
+		e2 = other->entries->create_enumerator(other->entries);
+		while (e2->enumerate(e2, &i2))
+		{
+			if (i1->type == i2->type)
+			{
+				switch (i1->type)
+				{
+					case AUTH_RULE_AUTH_CLASS:
+					case AUTH_RULE_EAP_TYPE:
+					case AUTH_RULE_EAP_VENDOR:
+					case AUTH_RULE_CRL_VALIDATION:
+					case AUTH_RULE_OCSP_VALIDATION:
+					{
+						if (i1->value == i2->value)
+						{
+							found = TRUE;
+							break;
+						}
+						continue;
+					}
+					case AUTH_RULE_CA_CERT:
+					case AUTH_RULE_IM_CERT:
+					case AUTH_RULE_SUBJECT_CERT:
+					case AUTH_HELPER_IM_CERT:
+					case AUTH_HELPER_SUBJECT_CERT:
+					{
+						certificate_t *c1, *c2;
+
+						c1 = (certificate_t*)i1->value;
+						c2 = (certificate_t*)i2->value;
+
+						if (c1->equals(c1, c2))
+						{
+							found = TRUE;
+							break;
+						}
+						continue;
+					}
+					case AUTH_RULE_IDENTITY:
+					case AUTH_RULE_EAP_IDENTITY:
+					case AUTH_RULE_AC_GROUP:
+					{
+						identification_t *id1, *id2;
+
+						id1 = (identification_t*)i1->value;
+						id2 = (identification_t*)i2->value;
+
+						if (id1->equals(id1, id2))
+						{
+							found = TRUE;
+							break;
+						}
+						continue;
+					}
+					case AUTH_HELPER_IM_HASH_URL:
+					case AUTH_HELPER_SUBJECT_HASH_URL:
+					{
+						if (streq(i1->value, i2->value))
+						{
+							found = TRUE;
+							break;
+						}
+						continue;
+					}
+				}
+				break;
+			}
+		}
+		e2->destroy(e2);
+		if (!found)
+		{
+			equal = FALSE;
+			break;
+		}
+	}
+	e1->destroy(e1);
+	return equal;
+}
+
+/**
+ * Implementation of auth_cfg_t.purge
+ */
+static void purge(private_auth_cfg_t *this, bool keep_ca)
+{
+	entry_t *entry;
+	linked_list_t *cas;
+
+	cas = linked_list_create();
+	while (this->entries->remove_last(this->entries, (void**)&entry) == SUCCESS)
+	{
+		if (keep_ca && entry->type == AUTH_RULE_CA_CERT)
+		{
+			cas->insert_first(cas, entry);
+		}
+		else
+		{
+			destroy_entry_value(entry);
+			free(entry);
+		}
+	}
+	while (cas->remove_last(cas, (void**)&entry) == SUCCESS)
+	{
+		this->entries->insert_first(this->entries, entry);
+	}
+	cas->destroy(cas);
+}
+
+/**
+ * Implementation of auth_cfg_t.clone
+ */
+static auth_cfg_t* clone_(private_auth_cfg_t *this)
+{
+	enumerator_t *enumerator;
+	auth_cfg_t *clone;
+	entry_t *entry;
+
+	clone = auth_cfg_create();
+	enumerator = this->entries->create_enumerator(this->entries);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		switch (entry->type)
+		{
+			case AUTH_RULE_IDENTITY:
+			case AUTH_RULE_EAP_IDENTITY:
+			case AUTH_RULE_AC_GROUP:
+			{
+				identification_t *id = (identification_t*)entry->value;
+				clone->add(clone, entry->type, id->clone(id));
+				break;
+			}
+			case AUTH_RULE_CA_CERT:
+			case AUTH_RULE_IM_CERT:
+			case AUTH_RULE_SUBJECT_CERT:
+			case AUTH_HELPER_IM_CERT:
+			case AUTH_HELPER_SUBJECT_CERT:
+			{
+				certificate_t *cert = (certificate_t*)entry->value;
+				clone->add(clone, entry->type, cert->get_ref(cert));
+				break;
+			}
+			case AUTH_HELPER_IM_HASH_URL:
+			case AUTH_HELPER_SUBJECT_HASH_URL:
+			{
+				clone->add(clone, entry->type, strdup(entry->value));
+				break;
+			}
+			case AUTH_RULE_AUTH_CLASS:
+			case AUTH_RULE_EAP_TYPE:
+			case AUTH_RULE_EAP_VENDOR:
+			case AUTH_RULE_CRL_VALIDATION:
+			case AUTH_RULE_OCSP_VALIDATION:
+				clone->add(clone, entry->type, (uintptr_t)entry->value);
+				break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return clone;
+}
+
+/**
+ * Implementation of auth_cfg_t.destroy
+ */
+static void destroy(private_auth_cfg_t *this)
+{
+	purge(this, FALSE);
+	this->entries->destroy(this->entries);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+auth_cfg_t *auth_cfg_create()
+{
+	private_auth_cfg_t *this = malloc_thing(private_auth_cfg_t);
+
+	this->public.add = (void(*)(auth_cfg_t*, auth_rule_t type, ...))add;
+	this->public.get = (void*(*)(auth_cfg_t*, auth_rule_t type))get;
+	this->public.create_enumerator = (enumerator_t*(*)(auth_cfg_t*))create_enumerator;
+	this->public.replace = (void(*)(auth_cfg_t*,enumerator_t*,auth_rule_t,...))replace;
+	this->public.complies = (bool(*)(auth_cfg_t*, auth_cfg_t *,bool))complies;
+	this->public.merge = (void(*)(auth_cfg_t*, auth_cfg_t *other,bool))merge;
+	this->public.purge = (void(*)(auth_cfg_t*,bool))purge;
+	this->public.equals = (bool(*)(auth_cfg_t*, auth_cfg_t *other))equals;
+	this->public.clone = (auth_cfg_t*(*)(auth_cfg_t*))clone_;
+	this->public.destroy = (void(*)(auth_cfg_t*))destroy;
+
+	this->entries = linked_list_create();
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/config/auth_cfg.h b/src/libcharon/config/auth_cfg.h
new file mode 100644
index 000000000..5e6215a4a
--- /dev/null
+++ b/src/libcharon/config/auth_cfg.h
@@ -0,0 +1,201 @@
+/*
+ * Copyright (C) 2007-2009 Martin Willi
+ * Copyright (C) 2008 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup auth_cfg auth_cfg
+ * @{ @ingroup config
+ */
+
+#ifndef AUTH_CFG_H_
+#define AUTH_CFG_H_
+
+#include <utils/enumerator.h>
+
+typedef struct auth_cfg_t auth_cfg_t;
+typedef enum auth_rule_t auth_rule_t;
+
+/**
+ * Authentication config to use during authentication process.
+ *
+ * Each authentication config contains a set of rules. These rule-sets are used
+ * in two ways:
+ * - For configs specifying local authentication behavior, the rules define
+ *   which authentication method in which way.
+ * - For configs specifying remote peer authentication, the rules define
+ *   constraints the peer has to fullfill.
+ *
+ * Additionally to the rules, there is a set of helper items. These are used
+ * to transport credentials during the authentication process.
+ */
+enum auth_rule_t {
+
+	/** identity to use for IKEv2 authentication exchange, identification_t* */
+	AUTH_RULE_IDENTITY,
+	/** authentication class, auth_class_t */
+	AUTH_RULE_AUTH_CLASS,
+	/** EAP identity to use within EAP-Identity exchange, identification_t* */
+	AUTH_RULE_EAP_IDENTITY,
+	/** EAP type to propose for peer authentication, eap_type_t */
+	AUTH_RULE_EAP_TYPE,
+	/** EAP vendor for vendor specific type, u_int32_t */
+	AUTH_RULE_EAP_VENDOR,
+	/** certificate authority, certificate_t* */
+	AUTH_RULE_CA_CERT,
+	/** intermediate certificate in trustchain, certificate_t* */
+	AUTH_RULE_IM_CERT,
+	/** subject certificate, certificate_t* */
+	AUTH_RULE_SUBJECT_CERT,
+	/** result of a CRL validation, cert_validation_t */
+	AUTH_RULE_CRL_VALIDATION,
+	/** result of a OCSP validation, cert_validation_t */
+	AUTH_RULE_OCSP_VALIDATION,
+	/** subject is in attribute certificate group, identification_t* */
+	AUTH_RULE_AC_GROUP,
+
+	/** intermediate certificate, certificate_t* */
+	AUTH_HELPER_IM_CERT,
+	/** subject certificate, certificate_t* */
+	AUTH_HELPER_SUBJECT_CERT,
+	/** Hash and URL of a intermediate certificate, char* */
+	AUTH_HELPER_IM_HASH_URL,
+	/** Hash and URL of a end-entity certificate, char* */
+	AUTH_HELPER_SUBJECT_HASH_URL,
+};
+
+/**
+ * enum name for auth_rule_t.
+ */
+extern enum_name_t *auth_rule_names;
+
+/**
+ * Authentication/Authorization round.
+ *
+ * RFC4739 defines multiple authentication rounds. This class defines such
+ * a round from a configuration perspective, either for the local or the remote
+ * peer. Local config are called "rulesets", as they define how we authenticate.
+ * Remote peer configs are called "constraits", they define what is needed to
+ * complete the authentication round successfully.
+ *
+ * @verbatim
+
+   [Repeat for each configuration]
+   +--------------------------------------------------+
+   |                                                  |
+   |                                                  |
+   |   +----------+     IKE_AUTH       +--------- +   |
+   |   |  config  |   ----------->     |          |   |
+   |   |  ruleset |                    |          |   |
+   |   +----------+ [ <----------- ]   |          |   |
+   |                [ optional EAP ]   |   Peer   |   |
+   |   +----------+ [ -----------> ]   |          |   |
+   |   |  config  |                    |          |   |
+   |   |  constr. |   <-----------     |          |   |
+   |   +----------+     IKE_AUTH       +--------- +   |
+   |                                                  |
+   |                                                  |
+   +--------------------------------------------------+
+
+   @endverbatim
+ *
+ * Values for each items are either pointers (casted to void*) or short
+ * integers (use uintptr_t cast).
+ */
+struct auth_cfg_t {
+
+	/**
+	 * Add an rule to the set.
+	 *
+	 * @param rule		rule type
+	 * @param ...		associated value to rule
+	 */
+	void (*add)(auth_cfg_t *this, auth_rule_t rule, ...);
+
+	/**
+	 * Get an rule value.
+	 *
+	 * @param rule		rule type
+	 * @return			bool if item has been found
+	 */
+	void* (*get)(auth_cfg_t *this, auth_rule_t rule);
+
+	/**
+	 * Create an enumerator over added rules.
+	 *
+	 * @return			enumerator over (auth_rule_t, union{void*,uintpr_t})
+	 */
+	enumerator_t* (*create_enumerator)(auth_cfg_t *this);
+
+	/**
+	 * Replace an rule at enumerator position.
+	 *
+	 * @param pos		enumerator position position
+	 * @param rule		rule type
+	 * @param ...		associated value to rule
+	 */
+	void (*replace)(auth_cfg_t *this, enumerator_t *pos,
+					auth_rule_t rule, ...);
+
+	/**
+	 * Check if a used config fulfills a set of configured constraints.
+	 *
+	 * @param constraints	required authorization rules
+	 * @param log_error		wheter to log compliance errors
+	 * @return				TRUE if this complies with constraints
+	 */
+	bool (*complies)(auth_cfg_t *this, auth_cfg_t *constraints, bool log_error);
+
+	/**
+	 * Merge items from other into this.
+	 *
+	 * @param other		items to read for merge
+	 * @param copy		TRUE to copy items, FALSE to move them
+	 */
+	void (*merge)(auth_cfg_t *this, auth_cfg_t *other, bool copy);
+
+	/**
+	 * Purge all rules in a config.
+	 *
+	 * @param keep_ca	wheter to keep AUTH_RULE_CA_CERT entries
+	 */
+	void (*purge)(auth_cfg_t *this, bool keep_ca);
+
+	/**
+	 * Check two configs for equality.
+	 *
+	 * @param other		other config to compaire against this
+	 * @return			TRUE if auth infos identical
+	 */
+	bool (*equals)(auth_cfg_t *this, auth_cfg_t *other);
+
+	/**
+	 * Clone a authentication config, including all rules.
+	 *
+	 * @return			cloned configuration
+	 */
+	auth_cfg_t* (*clone)(auth_cfg_t *this);
+
+	/**
+	 * Destroy a config with all associated rules/values.
+	 */
+	void (*destroy)(auth_cfg_t *this);
+};
+
+/**
+ * Create a authentication config.
+ */
+auth_cfg_t *auth_cfg_create();
+
+#endif /** AUTH_CFG_H_ @}*/
diff --git a/src/libcharon/config/backend.h b/src/libcharon/config/backend.h
new file mode 100644
index 000000000..458abc37f
--- /dev/null
+++ b/src/libcharon/config/backend.h
@@ -0,0 +1,83 @@
+/*
+ * Copyright (C) 2007-2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup backend backend
+ * @{ @ingroup config
+ */
+
+#ifndef BACKEND_H_
+#define BACKEND_H_
+
+typedef struct backend_t backend_t;
+
+#include <library.h>
+#include <config/ike_cfg.h>
+#include <config/peer_cfg.h>
+#include <utils/linked_list.h>
+
+/**
+ * The interface for a configuration backend.
+ *
+ * A configuration backend is loaded into the backend_manager. It does the actual
+ * configuration lookup for the method it implements. See backend_manager_t for
+ * more information.
+ */
+struct backend_t {
+
+	/**
+	 * Create an enumerator over all IKE configs matching two hosts.
+	 *
+	 * Hosts may be NULL to get all.
+	 *
+	 * There is no requirement for the backend to filter the configurations
+	 * using the supplied hosts; but it may do so if it increases lookup times
+	 * (e.g. include hosts in SQL query).
+	 *
+	 * @param me		address of local host
+	 * @param other		address of remote host
+	 * @return			enumerator over ike_cfg_t's
+	 */
+	enumerator_t* (*create_ike_cfg_enumerator)(backend_t *this,
+											   host_t *me, host_t *other);
+	/**
+	 * Create an enumerator over all peer configs matching two identities.
+	 *
+	 * IDs may be NULL to get all.
+	 *
+	 * As configurations are looked up in the first authentication round (when
+	 * multiple authentication), the backend implementation should compare
+	 * the identities to the first auth_cfgs only.
+	 * There is no requirement for the backend to filter the configurations
+	 * using the supplied identities; but it may do so if it increases lookup
+	 * times (e.g. include hosts in SQL query).
+	 *
+	 * @param me		identity of ourself
+	 * @param other		identity of remote host
+	 * @return			enumerator over peer_cfg_t
+	 */
+	enumerator_t* (*create_peer_cfg_enumerator)(backend_t *this,
+												identification_t *me,
+												identification_t *other);
+	/**
+	 * Get a peer_cfg identified by it's name, or a name of its children.
+	 *
+	 * @param name				name of peer/child cfg
+	 * @return					matching peer_config, or NULL if none found
+	 */
+	peer_cfg_t *(*get_peer_cfg_by_name)(backend_t *this, char *name);
+};
+
+#endif /** BACKEND_H_ @}*/
diff --git a/src/libcharon/config/backend_manager.c b/src/libcharon/config/backend_manager.c
new file mode 100644
index 000000000..90ef58563
--- /dev/null
+++ b/src/libcharon/config/backend_manager.c
@@ -0,0 +1,444 @@
+/*
+ * Copyright (C) 2007-2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "backend_manager.h"
+
+#include <sys/types.h>
+
+#include <daemon.h>
+#include <utils/linked_list.h>
+#include <threading/rwlock.h>
+
+
+typedef struct private_backend_manager_t private_backend_manager_t;
+
+/**
+ * Private data of an backend_manager_t object.
+ */
+struct private_backend_manager_t {
+
+	/**
+	 * Public part of backend_manager_t object.
+	 */
+	backend_manager_t public;
+
+	/**
+	 * list of registered backends
+	 */
+	linked_list_t *backends;
+
+	/**
+	 * rwlock for backends
+	 */
+	rwlock_t *lock;
+};
+
+/**
+ * match of an ike_cfg
+ */
+typedef enum ike_cfg_match_t {
+	MATCH_NONE  = 0x00,
+	MATCH_ANY   = 0x01,
+	MATCH_ME	= 0x04,
+	MATCH_OTHER = 0x08,
+} ike_cfg_match_t;
+
+/**
+ * data to pass nested IKE enumerator
+ */
+typedef struct {
+	private_backend_manager_t *this;
+	host_t *me;
+	host_t *other;
+} ike_data_t;
+
+/**
+ * inner enumerator constructor for IKE cfgs
+ */
+static enumerator_t *ike_enum_create(backend_t *backend, ike_data_t *data)
+{
+	return backend->create_ike_cfg_enumerator(backend, data->me, data->other);
+}
+
+/**
+ * get a match of a candidate ike_cfg for two hosts
+ */
+static ike_cfg_match_t get_ike_match(ike_cfg_t *cand, host_t *me, host_t *other)
+{
+	host_t *me_cand, *other_cand;
+	ike_cfg_match_t match = MATCH_NONE;
+
+	if (me)
+	{
+		me_cand = host_create_from_dns(cand->get_my_addr(cand),
+									   me->get_family(me), 0);
+		if (!me_cand)
+		{
+			return MATCH_NONE;
+		}
+		if (me_cand->ip_equals(me_cand, me))
+		{
+			match += MATCH_ME;
+		}
+		else if (me_cand->is_anyaddr(me_cand))
+		{
+			match += MATCH_ANY;
+		}
+		me_cand->destroy(me_cand);
+	}
+	else
+	{
+		match += MATCH_ANY;
+	}
+
+	if (other)
+	{
+		other_cand = host_create_from_dns(cand->get_other_addr(cand),
+										  other->get_family(other), 0);
+		if (!other_cand)
+		{
+			return MATCH_NONE;
+		}
+		if (other_cand->ip_equals(other_cand, other))
+		{
+			match += MATCH_OTHER;
+		}
+		else if (other_cand->is_anyaddr(other_cand))
+		{
+			match += MATCH_ANY;
+		}
+		other_cand->destroy(other_cand);
+	}
+	else
+	{
+		match += MATCH_ANY;
+	}
+	return match;
+}
+
+/**
+ * implements backend_manager_t.get_ike_cfg.
+ */
+static ike_cfg_t *get_ike_cfg(private_backend_manager_t *this,
+							  host_t *me, host_t *other)
+{
+	ike_cfg_t *current, *found = NULL;
+	enumerator_t *enumerator;
+	ike_cfg_match_t match, best = MATCH_ANY;
+	ike_data_t *data;
+
+	data = malloc_thing(ike_data_t);
+	data->this = this;
+	data->me = me;
+	data->other = other;
+
+	DBG2(DBG_CFG, "looking for an ike config for %H...%H", me, other);
+
+	this->lock->read_lock(this->lock);
+	enumerator = enumerator_create_nested(
+						this->backends->create_enumerator(this->backends),
+						(void*)ike_enum_create, data, (void*)free);
+	while (enumerator->enumerate(enumerator, (void**)&current))
+	{
+		match = get_ike_match(current, me, other);
+
+		if (match)
+		{
+			DBG2(DBG_CFG, "  candidate: %s...%s, prio %d",
+				 current->get_my_addr(current),
+				 current->get_other_addr(current), match);
+			if (match > best)
+			{
+				DESTROY_IF(found);
+				found = current;
+				found->get_ref(found);
+				best = match;
+			}
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
+	if (found)
+	{
+		DBG2(DBG_CFG, "found matching ike config: %s...%s with prio %d",
+			 found->get_my_addr(found), found->get_other_addr(found), best);
+	}
+	return found;
+}
+
+/**
+ * Get the best ID match in one of the configs auth_cfg
+ */
+static id_match_t get_peer_match(identification_t *id,
+								 peer_cfg_t *cfg, bool local)
+{
+	enumerator_t *enumerator;
+	auth_cfg_t *auth;
+	identification_t *candidate;
+	id_match_t match = ID_MATCH_NONE;
+
+	if (!id)
+	{
+		return ID_MATCH_ANY;
+	}
+
+	/* compare first auth config only */
+	enumerator = cfg->create_auth_cfg_enumerator(cfg, local);
+	if (enumerator->enumerate(enumerator, &auth))
+	{
+		candidate = auth->get(auth, AUTH_RULE_IDENTITY);
+		if (candidate)
+		{
+			match = id->matches(id, candidate);
+			/* match vice-versa, as the proposed IDr might be ANY */
+			if (!match)
+			{
+				match = candidate->matches(candidate, id);
+			}
+		}
+		else
+		{
+			match = ID_MATCH_ANY;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return match;
+}
+
+/**
+ * data to pass nested peer enumerator
+ */
+typedef struct {
+	rwlock_t *lock;
+	identification_t *me;
+	identification_t *other;
+} peer_data_t;
+
+/**
+ * list element to help sorting
+ */
+typedef struct {
+	id_match_t match_peer;
+	ike_cfg_match_t match_ike;
+	peer_cfg_t *cfg;
+} match_entry_t;
+
+/**
+ * inner enumerator constructor for peer cfgs
+ */
+static enumerator_t *peer_enum_create(backend_t *backend, peer_data_t *data)
+{
+	return backend->create_peer_cfg_enumerator(backend, data->me, data->other);
+}
+
+/**
+ * unlock/cleanup peer enumerator
+ */
+static void peer_enum_destroy(peer_data_t *data)
+{
+	data->lock->unlock(data->lock);
+	free(data);
+}
+
+/**
+ * convert enumerator value from match_entry to config
+ */
+static bool peer_enum_filter(linked_list_t *configs,
+							 match_entry_t **in, peer_cfg_t **out)
+{
+	*out = (*in)->cfg;
+	return TRUE;
+}
+
+/**
+ * Clean up temporary config list
+ */
+static void peer_enum_filter_destroy(linked_list_t *configs)
+{
+	match_entry_t *entry;
+
+	while (configs->remove_last(configs, (void**)&entry) == SUCCESS)
+	{
+		entry->cfg->destroy(entry->cfg);
+		free(entry);
+	}
+	configs->destroy(configs);
+}
+
+/**
+ * Insert entry into match-sorted list, using helper
+ */
+static void insert_sorted(match_entry_t *entry, linked_list_t *list,
+						  linked_list_t *helper)
+{
+	match_entry_t *current;
+
+	while (list->remove_first(list, (void**)&current) == SUCCESS)
+	{
+		helper->insert_last(helper, current);
+	}
+	while (helper->remove_first(helper, (void**)&current) == SUCCESS)
+	{
+		if (entry && (
+			 (entry->match_ike > current->match_ike &&
+			  entry->match_peer >= current->match_peer) ||
+			 (entry->match_ike >= current->match_ike &&
+			  entry->match_peer > current->match_peer)))
+		{
+			list->insert_last(list, entry);
+			entry = NULL;
+		}
+		list->insert_last(list, current);
+	}
+	if (entry)
+	{
+		list->insert_last(list, entry);
+	}
+}
+
+/**
+ * Implements backend_manager_t.create_peer_cfg_enumerator.
+ */
+static enumerator_t *create_peer_cfg_enumerator(private_backend_manager_t *this,
+							host_t *me, host_t *other, identification_t *my_id,
+							identification_t *other_id)
+{
+	enumerator_t *enumerator;
+	peer_data_t *data;
+	peer_cfg_t *cfg;
+	linked_list_t *configs, *helper;
+
+	data = malloc_thing(peer_data_t);
+	data->lock = this->lock;
+	data->me = my_id;
+	data->other = other_id;
+
+	/* create a sorted list with all matches */
+	this->lock->read_lock(this->lock);
+	enumerator = enumerator_create_nested(
+					this->backends->create_enumerator(this->backends),
+					(void*)peer_enum_create, data, (void*)peer_enum_destroy);
+
+	if (!me && !other && !my_id && !other_id)
+	{	/* shortcut if we are doing a "listall" */
+		return enumerator;
+	}
+
+	DBG1(DBG_CFG, "looking for peer configs matching %H[%Y]...%H[%Y]",
+		 me, my_id, other, other_id);
+
+	configs = linked_list_create();
+	/* only once allocated helper list for sorting */
+	helper = linked_list_create();
+	while (enumerator->enumerate(enumerator, &cfg))
+	{
+		id_match_t match_peer_me, match_peer_other;
+		ike_cfg_match_t match_ike;
+		match_entry_t *entry;
+
+		match_peer_me = get_peer_match(my_id, cfg, TRUE);
+		match_peer_other = get_peer_match(other_id, cfg, FALSE);
+		match_ike = get_ike_match(cfg->get_ike_cfg(cfg), me, other);
+
+		if (match_peer_me && match_peer_other && match_ike)
+		{
+			DBG2(DBG_CFG, "  candidate \"%s\", match: %d/%d/%d (me/other/ike)",
+				 cfg->get_name(cfg), match_peer_me, match_peer_other, match_ike);
+
+			entry = malloc_thing(match_entry_t);
+			entry->match_peer = match_peer_me + match_peer_other;
+			entry->match_ike = match_ike;
+			entry->cfg = cfg->get_ref(cfg);
+			insert_sorted(entry, configs, helper);
+		}
+	}
+	enumerator->destroy(enumerator);
+	helper->destroy(helper);
+
+	return enumerator_create_filter(configs->create_enumerator(configs),
+									(void*)peer_enum_filter, configs,
+									(void*)peer_enum_filter_destroy);
+}
+
+/**
+ * implements backend_manager_t.get_peer_cfg_by_name.
+ */
+static peer_cfg_t *get_peer_cfg_by_name(private_backend_manager_t *this, char *name)
+{
+	backend_t *backend;
+	peer_cfg_t *config = NULL;
+	enumerator_t *enumerator;
+
+	this->lock->read_lock(this->lock);
+	enumerator = this->backends->create_enumerator(this->backends);
+	while (config == NULL && enumerator->enumerate(enumerator, (void**)&backend))
+	{
+		config = backend->get_peer_cfg_by_name(backend, name);
+	}
+	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
+	return config;
+}
+
+/**
+ * Implementation of backend_manager_t.remove_backend.
+ */
+static void remove_backend(private_backend_manager_t *this, backend_t *backend)
+{
+	this->lock->write_lock(this->lock);
+	this->backends->remove(this->backends, backend, NULL);
+	this->lock->unlock(this->lock);
+}
+
+/**
+ * Implementation of backend_manager_t.add_backend.
+ */
+static void add_backend(private_backend_manager_t *this, backend_t *backend)
+{
+	this->lock->write_lock(this->lock);
+	this->backends->insert_last(this->backends, backend);
+	this->lock->unlock(this->lock);
+}
+
+/**
+ * Implementation of backend_manager_t.destroy.
+ */
+static void destroy(private_backend_manager_t *this)
+{
+	this->backends->destroy(this->backends);
+	this->lock->destroy(this->lock);
+	free(this);
+}
+
+/*
+ * Described in header-file
+ */
+backend_manager_t *backend_manager_create()
+{
+	private_backend_manager_t *this = malloc_thing(private_backend_manager_t);
+
+	this->public.get_ike_cfg = (ike_cfg_t* (*)(backend_manager_t*, host_t*, host_t*))get_ike_cfg;
+	this->public.get_peer_cfg_by_name = (peer_cfg_t* (*)(backend_manager_t*,char*))get_peer_cfg_by_name;
+	this->public.create_peer_cfg_enumerator = (enumerator_t* (*)(backend_manager_t*,host_t*,host_t*,identification_t*,identification_t*))create_peer_cfg_enumerator;
+	this->public.add_backend = (void(*)(backend_manager_t*, backend_t *backend))add_backend;
+	this->public.remove_backend = (void(*)(backend_manager_t*, backend_t *backend))remove_backend;
+	this->public.destroy = (void (*)(backend_manager_t*))destroy;
+
+	this->backends = linked_list_create();
+	this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/config/backend_manager.h b/src/libcharon/config/backend_manager.h
new file mode 100644
index 000000000..5b394f791
--- /dev/null
+++ b/src/libcharon/config/backend_manager.h
@@ -0,0 +1,114 @@
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup backend_manager backend_manager
+ * @{ @ingroup config
+ */
+
+#ifndef BACKEND_MANAGER_H_
+#define BACKEND_MANAGER_H_
+
+typedef struct backend_manager_t backend_manager_t;
+
+#include <library.h>
+#include <utils/host.h>
+#include <utils/identification.h>
+#include <config/ike_cfg.h>
+#include <config/peer_cfg.h>
+#include <config/backend.h>
+
+
+/**
+ * A loader and multiplexer to use multiple backends.
+ *
+ * Charon allows the use of multiple configuration backends simultaneously. To
+ * access all this backends by a single call, this class wraps multiple
+ * backends behind a single object.
+ * @verbatim
+
+   +---------+      +-----------+         +--------------+     |
+   |         |      |           |       +--------------+ |     |
+   | daemon  |----->| backend_- |     +--------------+ |-+  <==|==> IPC
+   |  core   |      | manager   |---->|   backends   |-+       |
+   |         |----->|           |     +--------------+         |
+   |         |      |           |                              |
+   +---------+      +-----------+                              |
+
+   @endverbatim
+ */
+struct backend_manager_t {
+
+	/**
+	 * Get an ike_config identified by two hosts.
+	 *
+	 * @param my_host			address of own host
+	 * @param other_host		address of remote host
+	 * @return					matching ike_config, or NULL if none found
+	 */
+	ike_cfg_t* (*get_ike_cfg)(backend_manager_t *this,
+							  host_t *my_host, host_t *other_host);
+
+	/**
+	 * Get a peer_config identified by it's name.
+	 *
+	 * @param name				name of the peer_config
+	 * @return					matching peer_config, or NULL if none found
+	 */
+	peer_cfg_t* (*get_peer_cfg_by_name)(backend_manager_t *this, char *name);
+
+	/**
+	 * Create an enumerator over all matching peer configs.
+	 *
+	 * Pass NULL as parameters to match any. The enumerator enumerates over
+	 * peer_cfgs, ordered by priority (best match first).
+	 *
+	 * @param me				local address
+	 * @param other				remote address
+	 * @param my_id				IDr in first authentication round
+	 * @param other_id			IDi in first authentication round
+	 * @return 					enumerator over peer_cfg_t
+	 */
+	enumerator_t* (*create_peer_cfg_enumerator)(backend_manager_t *this,
+							host_t *me, host_t *other, identification_t *my_id,
+							identification_t *other_id);
+	/**
+	 * Register a backend on the manager.
+	 *
+	 * @param backend			backend to register
+	 */
+	void (*add_backend)(backend_manager_t *this, backend_t *backend);
+
+	/**
+	 * Unregister a backend.
+	 *
+	 * @param backend			backend to unregister
+	 */
+	void (*remove_backend)(backend_manager_t *this, backend_t *backend);
+
+	/**
+	 * Destroys a backend_manager_t object.
+	 */
+	void (*destroy) (backend_manager_t *this);
+};
+
+/**
+ * Create an instance of the backend manager
+ *
+ * @return		backend_manager instance
+ */
+backend_manager_t* backend_manager_create(void);
+
+#endif /** BACKEND_MANAGER_H_ @}*/
diff --git a/src/libcharon/config/child_cfg.c b/src/libcharon/config/child_cfg.c
new file mode 100644
index 000000000..8410b3fe5
--- /dev/null
+++ b/src/libcharon/config/child_cfg.c
@@ -0,0 +1,552 @@
+/*
+ * Copyright (C) 2008-2009 Tobias Brunner
+ * Copyright (C) 2005-2007 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "child_cfg.h"
+
+#include <daemon.h>
+
+ENUM(action_names, ACTION_NONE, ACTION_RESTART,
+	"clear",
+	"hold",
+	"restart",
+);
+
+ENUM_BEGIN(ipcomp_transform_names, IPCOMP_NONE, IPCOMP_NONE,
+	"IPCOMP_NONE");
+ENUM_NEXT(ipcomp_transform_names, IPCOMP_OUI, IPCOMP_LZJH, IPCOMP_NONE,
+	"IPCOMP_OUI",
+	"IPCOMP_DEFLATE",
+	"IPCOMP_LZS",
+	"IPCOMP_LZJH");
+ENUM_END(ipcomp_transform_names, IPCOMP_LZJH);
+
+typedef struct private_child_cfg_t private_child_cfg_t;
+
+/**
+ * Private data of an child_cfg_t object
+ */
+struct private_child_cfg_t {
+
+	/**
+	 * Public part
+	 */
+	child_cfg_t public;
+
+	/**
+	 * Number of references hold by others to this child_cfg
+	 */
+	refcount_t refcount;
+
+	/**
+	 * Name of the child_cfg, used to query it
+	 */
+	char *name;
+
+	/**
+	 * list for all proposals
+	 */
+	linked_list_t *proposals;
+
+	/**
+	 * list for traffic selectors for my site
+	 */
+	linked_list_t *my_ts;
+
+	/**
+	 * list for traffic selectors for others site
+	 */
+	linked_list_t *other_ts;
+
+	/**
+	 * updown script
+	 */
+	char *updown;
+
+	/**
+	 * allow host access
+	 */
+	bool hostaccess;
+
+	/**
+	 * Mode to propose for a initiated CHILD: tunnel/transport
+	 */
+	ipsec_mode_t mode;
+
+	/**
+	 * action to take on DPD
+	 */
+	action_t dpd_action;
+
+	/**
+	 * action to take on CHILD_SA close
+	 */
+	action_t close_action;
+
+	/**
+	 * CHILD_SA lifetime config
+	 */
+	lifetime_cfg_t lifetime;
+
+	/**
+	 * enable IPComp
+	 */
+	bool use_ipcomp;
+
+	/**
+	 * Inactivity timeout
+	 */
+	u_int32_t inactivity;
+
+	/**
+	 * set up IPsec transport SA in MIPv6 proxy mode
+	 */
+	bool proxy_mode;
+
+	/**
+	 * enable installation and removal of kernel IPsec policies
+	 */
+	bool install_policy;
+};
+
+/**
+ * Implementation of child_cfg_t.get_name.
+ */
+static char *get_name(private_child_cfg_t *this)
+{
+	return this->name;
+}
+
+/**
+ * Implementation of child_cfg_t.add_proposal.
+ */
+static void add_proposal(private_child_cfg_t *this, proposal_t *proposal)
+{
+	this->proposals->insert_last(this->proposals, proposal);
+}
+
+/**
+ * Implementation of child_cfg_t.get_proposals.
+ */
+static linked_list_t* get_proposals(private_child_cfg_t *this, bool strip_dh)
+{
+	enumerator_t *enumerator;
+	proposal_t *current;
+	linked_list_t *proposals = linked_list_create();
+
+	enumerator = this->proposals->create_enumerator(this->proposals);
+	while (enumerator->enumerate(enumerator, &current))
+	{
+		current = current->clone(current);
+		if (strip_dh)
+		{
+			current->strip_dh(current);
+		}
+		proposals->insert_last(proposals, current);
+	}
+	enumerator->destroy(enumerator);
+
+	return proposals;
+}
+
+/**
+ * Implementation of child_cfg_t.select_proposal.
+ */
+static proposal_t* select_proposal(private_child_cfg_t*this,
+								   linked_list_t *proposals, bool strip_dh,
+								   bool private)
+{
+	enumerator_t *stored_enum, *supplied_enum;
+	proposal_t *stored, *supplied, *selected = NULL;
+
+	stored_enum = this->proposals->create_enumerator(this->proposals);
+	supplied_enum = proposals->create_enumerator(proposals);
+
+	/* compare all stored proposals with all supplied. Stored ones are preferred. */
+	while (stored_enum->enumerate(stored_enum, &stored))
+	{
+		stored = stored->clone(stored);
+		while (supplied_enum->enumerate(supplied_enum, &supplied))
+		{
+			if (strip_dh)
+			{
+				stored->strip_dh(stored);
+			}
+			selected = stored->select(stored, supplied, private);
+			if (selected)
+			{
+				DBG2(DBG_CFG, "received proposals: %#P", proposals);
+				DBG2(DBG_CFG, "configured proposals: %#P", this->proposals);
+				DBG2(DBG_CFG, "selected proposal: %P", selected);
+				break;
+			}
+		}
+		stored->destroy(stored);
+		if (selected)
+		{
+			break;
+		}
+		supplied_enum->destroy(supplied_enum);
+		supplied_enum = proposals->create_enumerator(proposals);
+	}
+	stored_enum->destroy(stored_enum);
+	supplied_enum->destroy(supplied_enum);
+	if (selected == NULL)
+	{
+		DBG1(DBG_CFG, "received proposals: %#P", proposals);
+		DBG1(DBG_CFG, "configured proposals: %#P", this->proposals);
+	}
+	return selected;
+}
+
+/**
+ * Implementation of child_cfg_t.add_traffic_selector.
+ */
+static void add_traffic_selector(private_child_cfg_t *this, bool local,
+								 traffic_selector_t *ts)
+{
+	if (local)
+	{
+		this->my_ts->insert_last(this->my_ts, ts);
+	}
+	else
+	{
+		this->other_ts->insert_last(this->other_ts, ts);
+	}
+}
+
+/**
+ * Implementation of child_cfg_t.get_traffic_selectors.
+ */
+static linked_list_t* get_traffic_selectors(private_child_cfg_t *this, bool local,
+											linked_list_t *supplied,
+											host_t *host)
+{
+	enumerator_t *e1, *e2;
+	traffic_selector_t *ts1, *ts2, *selected;
+	linked_list_t *result = linked_list_create();
+
+	if (local)
+	{
+		e1 = this->my_ts->create_enumerator(this->my_ts);
+	}
+	else
+	{
+		e1 = this->other_ts->create_enumerator(this->other_ts);
+	}
+
+	/* no list supplied, just fetch the stored traffic selectors */
+	if (supplied == NULL)
+	{
+		DBG2(DBG_CFG, "proposing traffic selectors for %s:",
+			 local ? "us" : "other");
+		while (e1->enumerate(e1, &ts1))
+		{
+			/* we make a copy of the TS, this allows us to update dynamic TS' */
+			selected = ts1->clone(ts1);
+			if (host)
+			{
+				selected->set_address(selected, host);
+			}
+			DBG2(DBG_CFG, " %R (derived from %R)", selected, ts1);
+			result->insert_last(result, selected);
+		}
+		e1->destroy(e1);
+	}
+	else
+	{
+		DBG2(DBG_CFG, "selecting traffic selectors for %s:",
+			 local ? "us" : "other");
+		e2 = supplied->create_enumerator(supplied);
+		/* iterate over all stored selectors */
+		while (e1->enumerate(e1, &ts1))
+		{
+			/* we make a copy of the TS, as we have to update dynamic TS' */
+			ts1 = ts1->clone(ts1);
+			if (host)
+			{
+				ts1->set_address(ts1, host);
+			}
+
+			/* iterate over all supplied traffic selectors */
+			while (e2->enumerate(e2, &ts2))
+			{
+				selected = ts1->get_subset(ts1, ts2);
+				if (selected)
+				{
+					DBG2(DBG_CFG, " config: %R, received: %R => match: %R",
+						 ts1, ts2, selected);
+					result->insert_last(result, selected);
+				}
+				else
+				{
+					DBG2(DBG_CFG, " config: %R, received: %R => no match",
+						 ts1, ts2);
+				}
+			}
+			e2->destroy(e2);
+			e2 = supplied->create_enumerator(supplied);
+			ts1->destroy(ts1);
+		}
+		e1->destroy(e1);
+		e2->destroy(e2);
+	}
+
+	/* remove any redundant traffic selectors in the list */
+	e1 = result->create_enumerator(result);
+	e2 = result->create_enumerator(result);
+	while (e1->enumerate(e1, &ts1))
+	{
+		while (e2->enumerate(e2, &ts2))
+		{
+			if (ts1 != ts2)
+			{
+				if (ts2->is_contained_in(ts2, ts1))
+				{
+					result->remove_at(result, e2);
+					ts2->destroy(ts2);
+					e1->destroy(e1);
+					e1 = result->create_enumerator(result);
+					break;
+				}
+				if (ts1->is_contained_in(ts1, ts2))
+				{
+					result->remove_at(result, e1);
+					ts1->destroy(ts1);
+					e2->destroy(e2);
+					e2 = result->create_enumerator(result);
+					break;
+				}
+			}
+		}
+	}
+	e1->destroy(e1);
+	e2->destroy(e2);
+
+	return result;
+}
+
+/**
+ * Implementation of child_cfg_t.get_updown.
+ */
+static char* get_updown(private_child_cfg_t *this)
+{
+	return this->updown;
+}
+
+/**
+ * Implementation of child_cfg_t.get_hostaccess.
+ */
+static bool get_hostaccess(private_child_cfg_t *this)
+{
+	return this->hostaccess;
+}
+
+/**
+ * Applies jitter to the rekey value. Returns the new rekey value.
+ * Note: The distribution of random values is not perfect, but it
+ * should get the job done.
+ */
+static u_int64_t apply_jitter(u_int64_t rekey, u_int64_t jitter)
+{
+	if (jitter == 0)
+	{
+		return rekey;
+	}
+	jitter = (jitter == UINT64_MAX) ? jitter : jitter + 1;
+	return rekey - jitter * (random() / (RAND_MAX + 1.0));
+}
+#define APPLY_JITTER(l) l.rekey = apply_jitter(l.rekey, l.jitter)
+
+/**
+ * Implementation of child_cfg_t.get_lifetime.
+ */
+static lifetime_cfg_t *get_lifetime(private_child_cfg_t *this)
+{
+	lifetime_cfg_t *lft = malloc_thing(lifetime_cfg_t);
+	memcpy(lft, &this->lifetime, sizeof(lifetime_cfg_t));
+	APPLY_JITTER(lft->time);
+	APPLY_JITTER(lft->bytes);
+	APPLY_JITTER(lft->packets);
+	return lft;
+}
+
+/**
+ * Implementation of child_cfg_t.get_mode.
+ */
+static ipsec_mode_t get_mode(private_child_cfg_t *this)
+{
+	return this->mode;
+}
+
+/**
+ * Implementation of child_cfg_t.get_dpd_action.
+ */
+static action_t get_dpd_action(private_child_cfg_t *this)
+{
+	return this->dpd_action;
+}
+
+/**
+ * Implementation of child_cfg_t.get_close_action.
+ */
+static action_t get_close_action(private_child_cfg_t *this)
+{
+	return this->close_action;
+}
+
+/**
+ * Implementation of child_cfg_t.get_dh_group.
+ */
+static diffie_hellman_group_t get_dh_group(private_child_cfg_t *this)
+{
+	enumerator_t *enumerator;
+	proposal_t *proposal;
+	u_int16_t dh_group = MODP_NONE;
+
+	enumerator = this->proposals->create_enumerator(this->proposals);
+	while (enumerator->enumerate(enumerator, &proposal))
+	{
+		if (proposal->get_algorithm(proposal, DIFFIE_HELLMAN_GROUP, &dh_group, NULL))
+		{
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return dh_group;
+}
+
+/**
+ * Implementation of child_cfg_t.use_ipcomp.
+ */
+static bool use_ipcomp(private_child_cfg_t *this)
+{
+	return this->use_ipcomp;
+}
+
+/**
+ * Implementation of child_cfg_t.get_inactivity.
+ */
+static u_int32_t get_inactivity(private_child_cfg_t *this)
+{
+	return this->inactivity;
+}
+
+/**
+ * Implementation of child_cfg_t.set_mipv6_options.
+ */
+static void set_mipv6_options(private_child_cfg_t *this, bool proxy_mode,
+														 bool install_policy)
+{
+	this->proxy_mode = proxy_mode;
+	this->install_policy = install_policy;
+}
+
+/**
+ * Implementation of child_cfg_t.use_proxy_mode.
+ */
+static bool use_proxy_mode(private_child_cfg_t *this)
+{
+	return this->proxy_mode;
+}
+
+/**
+ * Implementation of child_cfg_t.install_policy.
+ */
+static bool install_policy(private_child_cfg_t *this)
+{
+	return this->install_policy;
+}
+
+/**
+ * Implementation of child_cfg_t.get_ref.
+ */
+static child_cfg_t* get_ref(private_child_cfg_t *this)
+{
+	ref_get(&this->refcount);
+	return &this->public;
+}
+
+/**
+ * Implements child_cfg_t.destroy.
+ */
+static void destroy(private_child_cfg_t *this)
+{
+	if (ref_put(&this->refcount))
+	{
+		this->proposals->destroy_offset(this->proposals, offsetof(proposal_t, destroy));
+		this->my_ts->destroy_offset(this->my_ts, offsetof(traffic_selector_t, destroy));
+		this->other_ts->destroy_offset(this->other_ts, offsetof(traffic_selector_t, destroy));
+		if (this->updown)
+		{
+			free(this->updown);
+		}
+		free(this->name);
+		free(this);
+	}
+}
+
+/*
+ * Described in header-file
+ */
+child_cfg_t *child_cfg_create(char *name, lifetime_cfg_t *lifetime,
+							  char *updown, bool hostaccess,
+							  ipsec_mode_t mode, action_t dpd_action,
+							  action_t close_action, bool ipcomp,
+							  u_int32_t inactivity)
+{
+	private_child_cfg_t *this = malloc_thing(private_child_cfg_t);
+
+	this->public.get_name = (char* (*) (child_cfg_t*))get_name;
+	this->public.add_traffic_selector = (void (*)(child_cfg_t*,bool,traffic_selector_t*))add_traffic_selector;
+	this->public.get_traffic_selectors = (linked_list_t*(*)(child_cfg_t*,bool,linked_list_t*,host_t*))get_traffic_selectors;
+	this->public.add_proposal = (void (*) (child_cfg_t*,proposal_t*))add_proposal;
+	this->public.get_proposals = (linked_list_t* (*) (child_cfg_t*,bool))get_proposals;
+	this->public.select_proposal = (proposal_t* (*) (child_cfg_t*,linked_list_t*,bool,bool))select_proposal;
+	this->public.get_updown = (char* (*) (child_cfg_t*))get_updown;
+	this->public.get_hostaccess = (bool (*) (child_cfg_t*))get_hostaccess;
+	this->public.get_mode = (ipsec_mode_t (*) (child_cfg_t *))get_mode;
+	this->public.get_dpd_action = (action_t (*) (child_cfg_t *))get_dpd_action;
+	this->public.get_close_action = (action_t (*) (child_cfg_t *))get_close_action;
+	this->public.get_lifetime = (lifetime_cfg_t* (*) (child_cfg_t *))get_lifetime;
+	this->public.get_dh_group = (diffie_hellman_group_t(*)(child_cfg_t*)) get_dh_group;
+	this->public.set_mipv6_options = (void (*) (child_cfg_t*,bool,bool))set_mipv6_options;
+	this->public.use_ipcomp = (bool (*) (child_cfg_t *))use_ipcomp;
+	this->public.get_inactivity = (u_int32_t (*) (child_cfg_t *))get_inactivity;
+	this->public.use_proxy_mode = (bool (*) (child_cfg_t *))use_proxy_mode;
+	this->public.install_policy = (bool (*) (child_cfg_t *))install_policy;
+	this->public.get_ref = (child_cfg_t* (*) (child_cfg_t*))get_ref;
+	this->public.destroy = (void (*) (child_cfg_t*))destroy;
+
+	this->name = strdup(name);
+	this->updown = updown ? strdup(updown) : NULL;
+	this->hostaccess = hostaccess;
+	this->mode = mode;
+	this->dpd_action = dpd_action;
+	this->close_action = close_action;
+	this->use_ipcomp = ipcomp;
+	this->inactivity = inactivity;
+	this->proxy_mode = FALSE;
+	this->install_policy = TRUE;
+	this->refcount = 1;
+	this->proposals = linked_list_create();
+	this->my_ts = linked_list_create();
+	this->other_ts = linked_list_create();
+	memcpy(&this->lifetime, lifetime, sizeof(lifetime_cfg_t));
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/config/child_cfg.h b/src/libcharon/config/child_cfg.h
new file mode 100644
index 000000000..c6186ea36
--- /dev/null
+++ b/src/libcharon/config/child_cfg.h
@@ -0,0 +1,310 @@
+/*
+ * Copyright (C) 2008-2009 Tobias Brunner
+ * Copyright (C) 2005-2007 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup child_cfg child_cfg
+ * @{ @ingroup config
+ */
+
+#ifndef CHILD_CFG_H_
+#define CHILD_CFG_H_
+
+typedef enum action_t action_t;
+typedef enum ipcomp_transform_t ipcomp_transform_t;
+typedef struct lifetime_cfg_t lifetime_cfg_t;
+typedef struct child_cfg_t child_cfg_t;
+
+#include <library.h>
+#include <selectors/traffic_selector.h>
+#include <config/proposal.h>
+#include <kernel/kernel_ipsec.h>
+
+/**
+ * Action to take when DPD detected/connection gets closed by peer.
+ */
+enum action_t {
+	/** No action */
+	ACTION_NONE,
+	/** Route config to reestablish on demand */
+	ACTION_ROUTE,
+	/** Restart config immediately */
+	ACTION_RESTART,
+};
+
+/**
+ * enum names for action_t.
+ */
+extern enum_name_t *action_names;
+
+/**
+ * IPComp transform IDs, as in RFC 4306
+ */
+enum ipcomp_transform_t {
+	IPCOMP_NONE = 241,
+	IPCOMP_OUI = 1,
+	IPCOMP_DEFLATE = 2,
+	IPCOMP_LZS = 3,
+	IPCOMP_LZJH = 4,
+};
+
+/**
+ * enum strings for ipcomp_transform_t.
+ */
+extern enum_name_t *ipcomp_transform_names;
+
+/**
+ * A lifetime_cfg_t defines the lifetime limits of a CHILD_SA.
+ *
+ * Set any of these values to 0 to ignore.
+ */
+struct lifetime_cfg_t {
+	struct {
+		/** Limit before the CHILD_SA gets invalid. */
+		u_int64_t	life;
+		/** Limit before the CHILD_SA gets rekeyed. */
+		u_int64_t	rekey;
+		/** The range of a random value subtracted from rekey. */
+		u_int64_t	jitter;
+	} time, bytes, packets;
+};
+
+/**
+ * A child_cfg_t defines the config template for a CHILD_SA.
+ *
+ * After creation, proposals and traffic selectors may be added to the config.
+ * A child_cfg object is referenced multiple times, and is not thread save.
+ * Reading from the object is save, adding things is not allowed while other
+ * threads may access the object.
+ * A reference counter handles the number of references hold to this config.
+ *
+ * @see peer_cfg_t to get an overview over the configurations.
+ */
+struct child_cfg_t {
+
+	/**
+	 * Get the name of the child_cfg.
+	 *
+	 * @return				child_cfg's name
+	 */
+	char *(*get_name) (child_cfg_t *this);
+
+	/**
+	 * Add a proposal to the list.
+	 *
+	 * The proposals are stored by priority, first added
+	 * is the most prefered.
+	 * After add, proposal is owned by child_cfg.
+	 *
+	 * @param proposal		proposal to add
+	 */
+	void (*add_proposal) (child_cfg_t *this, proposal_t *proposal);
+
+	/**
+	 * Get the list of proposals for the CHILD_SA.
+	 *
+	 * Resulting list and all of its proposals must be freed after use.
+	 *
+	 * @param strip_dh		TRUE strip out diffie hellman groups
+	 * @return				list of proposals
+	 */
+	linked_list_t* (*get_proposals)(child_cfg_t *this, bool strip_dh);
+
+	/**
+	 * Select a proposal from a supplied list.
+	 *
+	 * Returned propsal is newly created and must be destroyed after usage.
+	 *
+	 * @param proposals		list from from wich proposals are selected
+	 * @param strip_dh		TRUE strip out diffie hellman groups
+	 * @param private		accept algorithms from a private range
+	 * @return				selected proposal, or NULL if nothing matches
+	 */
+	proposal_t* (*select_proposal)(child_cfg_t*this, linked_list_t *proposals,
+								   bool strip_dh, bool private);
+
+	/**
+	 * Add a traffic selector to the config.
+	 *
+	 * Use the "local" parameter to add it for the local or the remote side.
+	 * After add, traffic selector is owned by child_cfg.
+	 *
+	 * @param local			TRUE for local side, FALSE for remote
+	 * @param ts			traffic_selector to add
+	 */
+	void (*add_traffic_selector)(child_cfg_t *this, bool local,
+								 traffic_selector_t *ts);
+
+	/**
+	 * Get a list of traffic selectors to use for the CHILD_SA.
+	 *
+	 * The config contains two set of traffic selectors, one for the local
+	 * side, one for the remote side.
+	 * If a list with traffic selectors is supplied, these are used to narrow
+	 * down the traffic selector list to the greatest common divisor.
+	 * Some traffic selector may be "dymamic", meaning they are narrowed down
+	 * to a specific address (host-to-host or virtual-IP setups). Use
+	 * the "host" parameter to narrow such traffic selectors to that address.
+	 * Resulted list and its traffic selectors must be destroyed after use.
+	 *
+	 * @param local			TRUE for TS on local side, FALSE for remote
+	 * @param supplied		list with TS to select from, or NULL
+	 * @param host			address to use for narrowing "dynamic" TS', or NULL
+	 * @return				list containing the traffic selectors
+	 */
+	linked_list_t *(*get_traffic_selectors)(child_cfg_t *this, bool local,
+											linked_list_t *supplied,
+											host_t *host);
+	/**
+	 * Get the updown script to run for the CHILD_SA.
+	 *
+	 * @return				path to updown script
+	 */
+	char* (*get_updown)(child_cfg_t *this);
+
+	/**
+	 * Should we allow access to the local host (gateway)?
+	 *
+	 * @return				value of hostaccess flag
+	 */
+	bool (*get_hostaccess) (child_cfg_t *this);
+
+	/**
+	 * Get the lifetime configuration of a CHILD_SA.
+	 *
+	 * The rekey limits automatically contain a jitter to avoid simultaneous
+	 * rekeying. These values will change with each call to this function.
+	 *
+	 * @return				lifetime_cfg_t (has to be freed)
+	 */
+	lifetime_cfg_t* (*get_lifetime) (child_cfg_t *this);
+
+	/**
+	 * Get the mode to use for the CHILD_SA.
+	 *
+	 * The mode is either tunnel, transport or BEET. The peer must agree
+	 * on the method, fallback is tunnel mode.
+	 *
+	 * @return				ipsec mode
+	 */
+	ipsec_mode_t (*get_mode) (child_cfg_t *this);
+
+	/**
+	 * Action to take on DPD.
+	 *
+	 * @return				DPD action
+	 */
+	action_t (*get_dpd_action) (child_cfg_t *this);
+
+	/**
+	 * Action to take if CHILD_SA gets closed.
+	 *
+	 * @return				close action
+	 */
+	action_t (*get_close_action) (child_cfg_t *this);
+
+	/**
+	 * Get the DH group to use for CHILD_SA setup.
+	 *
+	 * @return				dh group to use
+	 */
+	diffie_hellman_group_t (*get_dh_group)(child_cfg_t *this);
+
+	/**
+	 * Check whether IPComp should be used, if the other peer supports it.
+	 *
+	 * @return				TRUE, if IPComp should be used
+	 * 						FALSE, otherwise
+	 */
+	bool (*use_ipcomp)(child_cfg_t *this);
+
+	/**
+	 * Get the inactivity timeout value.
+	 *
+	 * @return				inactivity timeout in s
+	 */
+	u_int32_t (*get_inactivity)(child_cfg_t *this);
+
+	/**
+	 * Sets two options needed for Mobile IPv6 interoperability
+	 *
+	 * @param proxy_mode	use IPsec transport proxy mode (default FALSE)
+	 * @param install_policy install IPsec kernel policies (default TRUE)
+	 */
+	void (*set_mipv6_options)(child_cfg_t *this, bool proxy_mode,
+												 bool install_policy);
+
+	/**
+	 * Check whether IPsec transport SA should be set up in proxy mode
+	 *
+	 * @return				TRUE, if proxy mode should be used
+	 * 						FALSE, otherwise
+	 */
+	bool (*use_proxy_mode)(child_cfg_t *this);
+
+	/**
+	 * Check whether IPsec policies should be installed in the kernel
+	 *
+	 * @return				TRUE, if IPsec kernel policies should be installed
+	 * 						FALSE, otherwise
+	 */
+	bool (*install_policy)(child_cfg_t *this);
+
+	/**
+	 * Increase the reference count.
+	 *
+	 * @return				reference to this
+	 */
+	child_cfg_t* (*get_ref) (child_cfg_t *this);
+
+	/**
+	 * Destroys the child_cfg object.
+	 *
+	 * Decrements the internal reference counter and
+	 * destroys the child_cfg when it reaches zero.
+	 */
+	void (*destroy) (child_cfg_t *this);
+};
+
+/**
+ * Create a configuration template for CHILD_SA setup.
+ *
+ * The "name" string gets cloned.
+ *
+ * The lifetime_cfg_t object gets cloned.
+ * To prevent two peers to start rekeying at the same time, a jitter may be
+ * specified. Rekeying of an SA starts at (x.rekey - random(0, x.jitter)).
+ *
+ * After a call to create, a reference is obtained (refcount = 1).
+ *
+ * @param name				name of the child_cfg
+ * @param lifetime			lifetime_cfg_t for this child_cfg
+ * @param updown			updown script to execute on up/down event
+ * @param hostaccess		TRUE to allow access to the local host
+ * @param mode				mode to propose for CHILD_SA, transport, tunnel or BEET
+ * @param dpd_action		DPD action
+ * @param close_action		close action
+ * @param ipcomp			use IPComp, if peer supports it
+ * @param inactivity		inactivity timeout in s before closing a CHILD_SA
+ * @return 					child_cfg_t object
+ */
+child_cfg_t *child_cfg_create(char *name, lifetime_cfg_t *lifetime,
+							  char *updown, bool hostaccess,
+							  ipsec_mode_t mode, action_t dpd_action,
+							  action_t close_action, bool ipcomp,
+							  u_int32_t inactivity);
+
+#endif /** CHILD_CFG_H_ @}*/
diff --git a/src/libcharon/config/ike_cfg.c b/src/libcharon/config/ike_cfg.c
new file mode 100644
index 000000000..89dcd8022
--- /dev/null
+++ b/src/libcharon/config/ike_cfg.c
@@ -0,0 +1,294 @@
+/*
+ * Copyright (C) 2005-2007 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ike_cfg.h"
+
+#include <string.h>
+
+#include <daemon.h>
+
+
+typedef struct private_ike_cfg_t private_ike_cfg_t;
+
+/**
+ * Private data of an ike_cfg_t object
+ */
+struct private_ike_cfg_t {
+
+	/**
+	 * Public part
+	 */
+	ike_cfg_t public;
+
+	/**
+	 * Number of references hold by others to this ike_cfg
+	 */
+	refcount_t refcount;
+
+	/**
+	 * Address of local host
+	 */
+	char *me;
+
+	/**
+	 * Address of remote host
+	 */
+	char *other;
+
+	/**
+	 * our source port
+	 */
+	u_int16_t my_port;
+
+	/**
+	 * destination port
+	 */
+	u_int16_t other_port;
+
+	/**
+	 * should we send a certificate request?
+	 */
+	bool certreq;
+
+	/**
+	 * enforce UDP encapsulation
+	 */
+	bool force_encap;
+
+	/**
+	 * List of proposals to use
+	 */
+	linked_list_t *proposals;
+};
+
+METHOD(ike_cfg_t, send_certreq, bool,
+	private_ike_cfg_t *this)
+{
+	return this->certreq;
+}
+
+METHOD(ike_cfg_t, force_encap_, bool,
+	private_ike_cfg_t *this)
+{
+	return this->force_encap;
+}
+
+METHOD(ike_cfg_t, get_my_addr, char*,
+	private_ike_cfg_t *this)
+{
+	return this->me;
+}
+
+METHOD(ike_cfg_t, get_other_addr, char*,
+	private_ike_cfg_t *this)
+{
+	return this->other;
+}
+
+METHOD(ike_cfg_t, get_my_port, u_int16_t,
+	private_ike_cfg_t *this)
+{
+	return this->my_port;
+}
+
+METHOD(ike_cfg_t, get_other_port, u_int16_t,
+	private_ike_cfg_t *this)
+{
+	return this->other_port;
+}
+
+METHOD(ike_cfg_t, add_proposal, void,
+	private_ike_cfg_t *this, proposal_t *proposal)
+{
+	this->proposals->insert_last(this->proposals, proposal);
+}
+
+METHOD(ike_cfg_t, get_proposals, linked_list_t*,
+	private_ike_cfg_t *this)
+{
+	enumerator_t *enumerator;
+	proposal_t *current;
+	linked_list_t *proposals;
+
+	proposals = linked_list_create();
+	enumerator = this->proposals->create_enumerator(this->proposals);
+	while (enumerator->enumerate(enumerator, &current))
+	{
+		current = current->clone(current);
+		proposals->insert_last(proposals, current);
+	}
+	enumerator->destroy(enumerator);
+
+	return proposals;
+}
+
+METHOD(ike_cfg_t, select_proposal, proposal_t*,
+	private_ike_cfg_t *this, linked_list_t *proposals, bool private)
+{
+	iterator_t *stored_iter, *supplied_iter;
+	proposal_t *stored, *supplied, *selected;
+
+	stored_iter = this->proposals->create_iterator(this->proposals, TRUE);
+	supplied_iter = proposals->create_iterator(proposals, TRUE);
+
+
+	/* compare all stored proposals with all supplied. Stored ones are preferred.*/
+	while (stored_iter->iterate(stored_iter, (void**)&stored))
+	{
+		supplied_iter->reset(supplied_iter);
+
+		while (supplied_iter->iterate(supplied_iter, (void**)&supplied))
+		{
+			selected = stored->select(stored, supplied, private);
+			if (selected)
+			{
+				/* they match, return */
+				stored_iter->destroy(stored_iter);
+				supplied_iter->destroy(supplied_iter);
+				DBG2(DBG_CFG, "received proposals: %#P", proposals);
+				DBG2(DBG_CFG, "configured proposals: %#P", this->proposals);
+				DBG2(DBG_CFG, "selected proposal: %P", selected);
+				return selected;
+			}
+		}
+	}
+	/* no proposal match :-(, will result in a NO_PROPOSAL_CHOSEN... */
+	stored_iter->destroy(stored_iter);
+	supplied_iter->destroy(supplied_iter);
+	DBG1(DBG_CFG, "received proposals: %#P", proposals);
+	DBG1(DBG_CFG, "configured proposals: %#P", this->proposals);
+
+	return NULL;
+}
+
+METHOD(ike_cfg_t, get_dh_group, diffie_hellman_group_t,
+	private_ike_cfg_t *this)
+{
+	enumerator_t *enumerator;
+	proposal_t *proposal;
+	u_int16_t dh_group = MODP_NONE;
+
+	enumerator = this->proposals->create_enumerator(this->proposals);
+	while (enumerator->enumerate(enumerator, &proposal))
+	{
+		if (proposal->get_algorithm(proposal, DIFFIE_HELLMAN_GROUP, &dh_group, NULL))
+		{
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return dh_group;
+}
+
+METHOD(ike_cfg_t, equals, bool,
+	private_ike_cfg_t *this, ike_cfg_t *other_public)
+{
+	private_ike_cfg_t *other = (private_ike_cfg_t*)other_public;
+	enumerator_t *e1, *e2;
+	proposal_t *p1, *p2;
+	bool eq = TRUE;
+
+	if (this == other)
+	{
+		return TRUE;
+	}
+	if (this->public.equals != other->public.equals)
+	{
+		return FALSE;
+	}
+	if (this->proposals->get_count(this->proposals) !=
+		other->proposals->get_count(other->proposals))
+	{
+		return FALSE;
+	}
+	e1 = this->proposals->create_enumerator(this->proposals);
+	e2 = this->proposals->create_enumerator(this->proposals);
+	while (e1->enumerate(e1, &p1) && e2->enumerate(e2, &p2))
+	{
+		if (!p1->equals(p1, p2))
+		{
+			eq = FALSE;
+			break;
+		}
+	}
+	e1->destroy(e1);
+	e2->destroy(e2);
+
+	return (eq &&
+		this->certreq == other->certreq &&
+		this->force_encap == other->force_encap &&
+		streq(this->me, other->me) &&
+		streq(this->other, other->other) &&
+		this->my_port == other->my_port &&
+		this->other_port == other->other_port);
+}
+
+METHOD(ike_cfg_t, get_ref, ike_cfg_t*,
+	private_ike_cfg_t *this)
+{
+	ref_get(&this->refcount);
+	return &this->public;
+}
+
+METHOD(ike_cfg_t, destroy, void,
+	private_ike_cfg_t *this)
+{
+	if (ref_put(&this->refcount))
+	{
+		this->proposals->destroy_offset(this->proposals,
+										offsetof(proposal_t, destroy));
+		free(this->me);
+		free(this->other);
+		free(this);
+	}
+}
+
+/**
+ * Described in header.
+ */
+ike_cfg_t *ike_cfg_create(bool certreq, bool force_encap,
+				char *me, u_int16_t my_port, char *other, u_int16_t other_port)
+{
+	private_ike_cfg_t *this;
+
+	INIT(this,
+		.public = {
+			.send_certreq = _send_certreq,
+			.force_encap = _force_encap_,
+			.get_my_addr = _get_my_addr,
+			.get_other_addr = _get_other_addr,
+			.get_my_port = _get_my_port,
+			.get_other_port = _get_other_port,
+			.add_proposal = _add_proposal,
+			.get_proposals = _get_proposals,
+			.select_proposal = _select_proposal,
+			.get_dh_group = _get_dh_group,
+			.equals = _equals,
+			.get_ref = _get_ref,
+			.destroy = _destroy,
+		},
+		.refcount = 1,
+		.certreq = certreq,
+		.force_encap = force_encap,
+		.me = strdup(me),
+		.other = strdup(other),
+		.my_port = my_port,
+		.other_port = other_port,
+		.proposals = linked_list_create(),
+	);
+
+	return &this->public;
+}
diff --git a/src/libcharon/config/ike_cfg.h b/src/libcharon/config/ike_cfg.h
new file mode 100644
index 000000000..f1edde255
--- /dev/null
+++ b/src/libcharon/config/ike_cfg.h
@@ -0,0 +1,161 @@
+/*
+ * Copyright (C) 2005-2007 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ike_cfg ike_cfg
+ * @{ @ingroup config
+ */
+
+#ifndef IKE_CFG_H_
+#define IKE_CFG_H_
+
+typedef struct ike_cfg_t ike_cfg_t;
+
+#include <library.h>
+#include <utils/host.h>
+#include <utils/linked_list.h>
+#include <utils/identification.h>
+#include <config/proposal.h>
+#include <crypto/diffie_hellman.h>
+
+/**
+ * An ike_cfg_t defines the rules to set up an IKE_SA.
+ *
+ * @see peer_cfg_t to get an overview over the configurations.
+ */
+struct ike_cfg_t {
+
+	/**
+	 * Get own address.
+	 *
+	 * @return		string of address/DNS name
+	 */
+	char* (*get_my_addr) (ike_cfg_t *this);
+
+	/**
+	 * Get peers address.
+	 *
+	 * @return		string of address/DNS name
+	 */
+	char* (*get_other_addr) (ike_cfg_t *this);
+
+	/**
+	 * Get the port to use as our source port.
+	 *
+	 * @return		source address port, host order
+	 */
+	u_int16_t (*get_my_port)(ike_cfg_t *this);
+
+	/**
+	 * Get the port to use as destination port.
+	 *
+	 * @return		destination address, host order
+	 */
+	u_int16_t (*get_other_port)(ike_cfg_t *this);
+
+	/**
+	 * Adds a proposal to the list.
+	 *
+	 * The first added proposal has the highest priority, the last
+	 * added the lowest.
+	 *
+	 * @param proposal	proposal to add
+	 */
+	void (*add_proposal) (ike_cfg_t *this, proposal_t *proposal);
+
+	/**
+	 * Returns a list of all supported proposals.
+	 *
+	 * Returned list and its proposals must be destroyed after use.
+	 *
+	 * @return 			list containing all the proposals
+	 */
+	linked_list_t* (*get_proposals) (ike_cfg_t *this);
+
+	/**
+	 * Select a proposed from suggested proposals.
+	 *
+	 * Returned proposal must be destroyed after use.
+	 *
+	 * @param proposals	list of proposals to select from
+	 * @param private	accept algorithms from a private range
+	 * @return			selected proposal, or NULL if none matches.
+	 */
+	proposal_t *(*select_proposal) (ike_cfg_t *this, linked_list_t *proposals,
+									bool private);
+
+	/**
+	 * Should we send a certificate request in IKE_SA_INIT?
+	 *
+	 * @return			certificate request sending policy
+	 */
+	bool (*send_certreq) (ike_cfg_t *this);
+
+	/**
+	 * Enforce UDP encapsulation by faking NATD notifies?
+	 *
+	 * @return			TRUE to enfoce UDP encapsulation
+	 */
+	bool (*force_encap) (ike_cfg_t *this);
+
+	/**
+	 * Get the DH group to use for IKE_SA setup.
+	 *
+	 * @return			dh group to use for initialization
+	 */
+	diffie_hellman_group_t (*get_dh_group)(ike_cfg_t *this);
+
+	/**
+	 * Check if two IKE configs are equal.
+	 *
+	 * @param other		other to check for equality
+	 * @return			TRUE if other equal to this
+	 */
+	bool (*equals)(ike_cfg_t *this, ike_cfg_t *other);
+
+	/**
+	 * Increase reference count.
+	 *
+	 * @return			reference to this
+	 */
+	ike_cfg_t* (*get_ref) (ike_cfg_t *this);
+
+	/**
+	 * Destroys a ike_cfg_t object.
+	 *
+	 * Decrements the internal reference counter and
+	 * destroys the ike_cfg when it reaches zero.
+	 */
+	void (*destroy) (ike_cfg_t *this);
+};
+
+/**
+ * Creates a ike_cfg_t object.
+ *
+ * Supplied hosts become owned by ike_cfg, the name gets cloned.
+ *
+ * @param certreq		TRUE to send a certificate request
+ * @param force_encap	enforce UDP encapsulation by faking NATD notify
+ * @param me			address/DNS name of local peer
+ * @param my_port		IKE port to use as source, 500 uses IKEv2 port floating
+ * @param other			address/DNS name of remote peer
+ * @param other_port	IKE port to use as dest, 500 uses IKEv2 port floating
+ * @return 				ike_cfg_t object.
+ */
+ike_cfg_t *ike_cfg_create(bool certreq, bool force_encap,
+				char *me, u_int16_t my_port, char *other, u_int16_t other_port);
+
+#endif /** IKE_CFG_H_ @}*/
diff --git a/src/libcharon/config/peer_cfg.c b/src/libcharon/config/peer_cfg.c
new file mode 100644
index 000000000..9df14c9ae
--- /dev/null
+++ b/src/libcharon/config/peer_cfg.c
@@ -0,0 +1,699 @@
+/*
+ * Copyright (C) 2007-2008 Tobias Brunner
+ * Copyright (C) 2005-2009 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <string.h>
+
+#include "peer_cfg.h"
+
+#include <daemon.h>
+
+#include <threading/mutex.h>
+#include <utils/linked_list.h>
+#include <utils/identification.h>
+
+ENUM(cert_policy_names, CERT_ALWAYS_SEND, CERT_NEVER_SEND,
+	"CERT_ALWAYS_SEND",
+	"CERT_SEND_IF_ASKED",
+	"CERT_NEVER_SEND",
+);
+
+ENUM(unique_policy_names, UNIQUE_NO, UNIQUE_KEEP,
+	"UNIQUE_NO",
+	"UNIQUE_REPLACE",
+	"UNIQUE_KEEP",
+);
+
+typedef struct private_peer_cfg_t private_peer_cfg_t;
+
+/**
+ * Private data of an peer_cfg_t object
+ */
+struct private_peer_cfg_t {
+
+	/**
+	 * Public part
+	 */
+	peer_cfg_t public;
+
+	/**
+	 * Number of references hold by others to this peer_cfg
+	 */
+	refcount_t refcount;
+
+	/**
+	 * Name of the peer_cfg, used to query it
+	 */
+	char *name;
+
+	/**
+	 * IKE version to use for initiation
+	 */
+	u_int ike_version;
+
+	/**
+	 * IKE config associated to this peer config
+	 */
+	ike_cfg_t *ike_cfg;
+
+	/**
+	 * list of child configs associated to this peer config
+	 */
+	linked_list_t *child_cfgs;
+
+	/**
+	 * mutex to lock access to list of child_cfgs
+	 */
+	mutex_t *mutex;
+
+	/**
+	 * should we send a certificate
+	 */
+	cert_policy_t cert_policy;
+
+	/**
+	 * uniqueness of an IKE_SA
+	 */
+	unique_policy_t unique;
+
+	/**
+	 * number of tries after giving up if peer does not respond
+	 */
+	u_int32_t keyingtries;
+
+	/**
+	 * enable support for MOBIKE
+	 */
+	bool use_mobike;
+
+	/**
+	 * Time before starting rekeying
+	 */
+	u_int32_t rekey_time;
+
+	/**
+	 * Time before starting reauthentication
+	 */
+	u_int32_t reauth_time;
+
+	/**
+	 * Time, which specifies the range of a random value substracted from above.
+	 */
+	u_int32_t jitter_time;
+
+	/**
+	 * Delay before deleting a rekeying/reauthenticating SA
+	 */
+	u_int32_t over_time;
+
+	/**
+	 * DPD check intervall
+	 */
+	u_int32_t dpd;
+
+	/**
+	 * virtual IP to use locally
+	 */
+	host_t *virtual_ip;
+
+	/**
+	 * pool to acquire configuration attributes from
+	 */
+	char *pool;
+
+	/**
+	 * local authentication configs (rulesets)
+	 */
+	linked_list_t *local_auth;
+
+	/**
+	 * remote authentication configs (constraints)
+	 */
+	linked_list_t *remote_auth;
+
+#ifdef ME
+	/**
+	 * Is this a mediation connection?
+	 */
+	bool mediation;
+
+	/**
+	 * Name of the mediation connection to mediate through
+	 */
+	peer_cfg_t *mediated_by;
+
+	/**
+	 * ID of our peer at the mediation server (= leftid of the peer's conn with
+	 * the mediation server)
+	 */
+	identification_t *peer_id;
+#endif /* ME */
+};
+
+/**
+ * Implementation of peer_cfg_t.get_name
+ */
+static char *get_name(private_peer_cfg_t *this)
+{
+	return this->name;
+}
+
+/**
+ * Implementation of peer_cfg_t.get_ike_version
+ */
+static u_int get_ike_version(private_peer_cfg_t *this)
+{
+	return this->ike_version;
+}
+
+/**
+ * Implementation of peer_cfg_t.get_ike_cfg
+ */
+static ike_cfg_t* get_ike_cfg(private_peer_cfg_t *this)
+{
+	return this->ike_cfg;
+}
+
+/**
+ * Implementation of peer_cfg_t.add_child_cfg.
+ */
+static void add_child_cfg(private_peer_cfg_t *this, child_cfg_t *child_cfg)
+{
+	this->mutex->lock(this->mutex);
+	this->child_cfgs->insert_last(this->child_cfgs, child_cfg);
+	this->mutex->unlock(this->mutex);
+}
+
+/**
+ * child_cfg enumerator
+ */
+typedef struct {
+	enumerator_t public;
+	enumerator_t *wrapped;
+	mutex_t *mutex;
+} child_cfg_enumerator_t;
+
+/**
+ * Implementation of peer_cfg_t.remove_child_cfg.
+ */
+static void remove_child_cfg(private_peer_cfg_t *this,
+							 child_cfg_enumerator_t *enumerator)
+{
+	this->child_cfgs->remove_at(this->child_cfgs, enumerator->wrapped);
+}
+
+/**
+ * Implementation of child_cfg_enumerator_t.destroy
+ */
+static void child_cfg_enumerator_destroy(child_cfg_enumerator_t *this)
+{
+	this->mutex->unlock(this->mutex);
+	this->wrapped->destroy(this->wrapped);
+	free(this);
+}
+
+/**
+ * Implementation of child_cfg_enumerator_t.enumerate
+ */
+static bool child_cfg_enumerate(child_cfg_enumerator_t *this, child_cfg_t **chd)
+{
+	return this->wrapped->enumerate(this->wrapped, chd);
+}
+
+/**
+ * Implementation of peer_cfg_t.create_child_cfg_enumerator.
+ */
+static enumerator_t* create_child_cfg_enumerator(private_peer_cfg_t *this)
+{
+	child_cfg_enumerator_t *enumerator = malloc_thing(child_cfg_enumerator_t);
+
+	enumerator->public.enumerate = (void*)child_cfg_enumerate;
+	enumerator->public.destroy = (void*)child_cfg_enumerator_destroy;
+	enumerator->mutex = this->mutex;
+	enumerator->wrapped = this->child_cfgs->create_enumerator(this->child_cfgs);
+
+	this->mutex->lock(this->mutex);
+	return &enumerator->public;
+}
+
+/**
+ * Check how good a list of TS matches a given child config
+ */
+static int get_ts_match(child_cfg_t *cfg, bool local,
+						linked_list_t *sup_list, host_t *host)
+{
+	linked_list_t *cfg_list;
+	enumerator_t *sup_enum, *cfg_enum;
+	traffic_selector_t *sup_ts, *cfg_ts;
+	int match = 0, round;
+
+	/* fetch configured TS list, narrowing dynamic TS */
+	cfg_list = cfg->get_traffic_selectors(cfg, local, NULL, host);
+
+	/* use a round counter to rate leading TS with higher priority */
+	round = sup_list->get_count(sup_list);
+
+	sup_enum = sup_list->create_enumerator(sup_list);
+	while (sup_enum->enumerate(sup_enum, &sup_ts))
+	{
+		cfg_enum = cfg_list->create_enumerator(cfg_list);
+		while (cfg_enum->enumerate(cfg_enum, &cfg_ts))
+		{
+			if (cfg_ts->equals(cfg_ts, sup_ts))
+			{	/* equality is honored better than matches */
+				match += round * 5;
+			}
+			else if (cfg_ts->is_contained_in(cfg_ts, sup_ts) ||
+					 sup_ts->is_contained_in(sup_ts, cfg_ts))
+			{
+				match += round * 1;
+			}
+		}
+		cfg_enum->destroy(cfg_enum);
+		round--;
+	}
+	sup_enum->destroy(sup_enum);
+
+	cfg_list->destroy_offset(cfg_list, offsetof(traffic_selector_t, destroy));
+
+	return match;
+}
+
+/**
+ * Implementation of peer_cfg_t.select_child_cfg
+ */
+static child_cfg_t* select_child_cfg(private_peer_cfg_t *this,
+									 linked_list_t *my_ts,
+									 linked_list_t *other_ts,
+									 host_t *my_host, host_t *other_host)
+{
+	child_cfg_t *current, *found = NULL;
+	enumerator_t *enumerator;
+	int best = 0;
+
+	DBG2(DBG_CFG, "looking for a child config for %#R=== %#R", my_ts, other_ts);
+	enumerator = create_child_cfg_enumerator(this);
+	while (enumerator->enumerate(enumerator, &current))
+	{
+		int my_prio, other_prio;
+
+		my_prio = get_ts_match(current, TRUE, my_ts, my_host);
+		other_prio = get_ts_match(current, FALSE, other_ts, other_host);
+
+		if (my_prio && other_prio)
+		{
+			DBG2(DBG_CFG, "  candidate \"%s\" with prio %d+%d",
+				 current->get_name(current), my_prio, other_prio);
+			if (my_prio + other_prio > best)
+			{
+				best = my_prio + other_prio;
+				DESTROY_IF(found);
+				found = current->get_ref(current);
+			}
+		}
+	}
+	enumerator->destroy(enumerator);
+	if (found)
+	{
+		DBG2(DBG_CFG, "found matching child config \"%s\" with prio %d",
+			 found->get_name(found), best);
+	}
+	return found;
+}
+
+/**
+ * Implementation of peer_cfg_t.get_cert_policy.
+ */
+static cert_policy_t get_cert_policy(private_peer_cfg_t *this)
+{
+	return this->cert_policy;
+}
+
+/**
+ * Implementation of peer_cfg_t.get_unique_policy.
+ */
+static unique_policy_t get_unique_policy(private_peer_cfg_t *this)
+{
+	return this->unique;
+}
+
+/**
+ * Implementation of peer_cfg_t.get_keyingtries.
+ */
+static u_int32_t get_keyingtries(private_peer_cfg_t *this)
+{
+	return this->keyingtries;
+}
+
+/**
+ * Implementation of peer_cfg_t.get_rekey_time.
+ */
+static u_int32_t get_rekey_time(private_peer_cfg_t *this)
+{
+	if (this->rekey_time == 0)
+	{
+		return 0;
+	}
+	if (this->jitter_time == 0)
+	{
+		return this->rekey_time;
+	}
+	return this->rekey_time - (random() % this->jitter_time);
+}
+
+/**
+ * Implementation of peer_cfg_t.get_reauth_time.
+ */
+static u_int32_t get_reauth_time(private_peer_cfg_t *this)
+{
+	if (this->reauth_time == 0)
+	{
+		return 0;
+	}
+	if (this->jitter_time == 0)
+	{
+		return this->reauth_time;
+	}
+	return this->reauth_time - (random() % this->jitter_time);
+}
+
+/**
+ * Implementation of peer_cfg_t.get_over_time.
+ */
+static u_int32_t get_over_time(private_peer_cfg_t *this)
+{
+	return this->over_time;
+}
+
+/**
+ * Implementation of peer_cfg_t.use_mobike.
+ */
+static bool use_mobike(private_peer_cfg_t *this)
+{
+	return this->use_mobike;
+}
+
+/**
+ * Implements peer_cfg_t.get_dpd
+ */
+static u_int32_t get_dpd(private_peer_cfg_t *this)
+{
+	return this->dpd;
+}
+
+/**
+ * Implementation of peer_cfg_t.get_virtual_ip.
+ */
+static host_t* get_virtual_ip(private_peer_cfg_t *this)
+{
+	return this->virtual_ip;
+}
+
+/**
+ * Implementation of peer_cfg_t.get_pool.
+ */
+static char* get_pool(private_peer_cfg_t *this)
+{
+	return this->pool;
+}
+
+/**
+ * Implementation of peer_cfg_t.add_auth_cfg
+ */
+static void add_auth_cfg(private_peer_cfg_t *this,
+						 auth_cfg_t *cfg, bool local)
+{
+	if (local)
+	{
+		this->local_auth->insert_last(this->local_auth, cfg);
+	}
+	else
+	{
+		this->remote_auth->insert_last(this->remote_auth, cfg);
+	}
+}
+
+/**
+ * Implementation of peer_cfg_t.create_auth_cfg_enumerator
+ */
+static enumerator_t* create_auth_cfg_enumerator(private_peer_cfg_t *this,
+												 bool local)
+{
+	if (local)
+	{
+		return this->local_auth->create_enumerator(this->local_auth);
+	}
+	return this->remote_auth->create_enumerator(this->remote_auth);
+}
+
+#ifdef ME
+/**
+ * Implementation of peer_cfg_t.is_mediation.
+ */
+static bool is_mediation(private_peer_cfg_t *this)
+{
+	return this->mediation;
+}
+
+/**
+ * Implementation of peer_cfg_t.get_mediated_by.
+ */
+static peer_cfg_t* get_mediated_by(private_peer_cfg_t *this)
+{
+	return this->mediated_by;
+}
+
+/**
+ * Implementation of peer_cfg_t.get_peer_id.
+ */
+static identification_t* get_peer_id(private_peer_cfg_t *this)
+{
+	return this->peer_id;
+}
+#endif /* ME */
+
+/**
+ * check auth configs for equality
+ */
+static bool auth_cfg_equal(private_peer_cfg_t *this, private_peer_cfg_t *other)
+{
+	enumerator_t *e1, *e2;
+	auth_cfg_t *cfg1, *cfg2;
+	bool equal = TRUE;
+
+	if (this->local_auth->get_count(this->local_auth) !=
+		other->local_auth->get_count(other->local_auth))
+	{
+		return FALSE;
+	}
+	if (this->remote_auth->get_count(this->remote_auth) !=
+		other->remote_auth->get_count(other->remote_auth))
+	{
+		return FALSE;
+	}
+
+	e1 = this->local_auth->create_enumerator(this->local_auth);
+	e2 = other->local_auth->create_enumerator(other->local_auth);
+	while (e1->enumerate(e1, &cfg1) && e2->enumerate(e2, &cfg2))
+	{
+		if (!cfg1->equals(cfg1, cfg2))
+		{
+			equal = FALSE;
+			break;
+		}
+	}
+	e1->destroy(e1);
+	e2->destroy(e2);
+
+	if (!equal)
+	{
+		return FALSE;
+	}
+
+	e1 = this->remote_auth->create_enumerator(this->remote_auth);
+	e2 = other->remote_auth->create_enumerator(other->remote_auth);
+	while (e1->enumerate(e1, &cfg1) && e2->enumerate(e2, &cfg2))
+	{
+		if (!cfg1->equals(cfg1, cfg2))
+		{
+			equal = FALSE;
+			break;
+		}
+	}
+	e1->destroy(e1);
+	e2->destroy(e2);
+
+	return equal;
+}
+
+/**
+ * Implementation of peer_cfg_t.equals.
+ */
+static bool equals(private_peer_cfg_t *this, private_peer_cfg_t *other)
+{
+	if (this == other)
+	{
+		return TRUE;
+	}
+	if (this->public.equals != other->public.equals)
+	{
+		return FALSE;
+	}
+
+	return (
+		this->ike_version == other->ike_version &&
+		this->cert_policy == other->cert_policy &&
+		this->unique == other->unique &&
+		this->keyingtries == other->keyingtries &&
+		this->use_mobike == other->use_mobike &&
+		this->rekey_time == other->rekey_time &&
+		this->reauth_time == other->reauth_time &&
+		this->jitter_time == other->jitter_time &&
+		this->over_time == other->over_time &&
+		this->dpd == other->dpd &&
+		(this->virtual_ip == other->virtual_ip ||
+		 (this->virtual_ip && other->virtual_ip &&
+		  this->virtual_ip->equals(this->virtual_ip, other->virtual_ip))) &&
+		(this->pool == other->pool ||
+		 (this->pool && other->pool && streq(this->pool, other->pool))) &&
+		auth_cfg_equal(this, other)
+#ifdef ME
+		&& this->mediation == other->mediation &&
+		this->mediated_by == other->mediated_by &&
+		(this->peer_id == other->peer_id ||
+		 (this->peer_id && other->peer_id &&
+		  this->peer_id->equals(this->peer_id, other->peer_id)))
+#endif /* ME */
+		);
+}
+
+/**
+ * Implements peer_cfg_t.get_ref.
+ */
+static peer_cfg_t* get_ref(private_peer_cfg_t *this)
+{
+	ref_get(&this->refcount);
+	return &this->public;
+}
+
+/**
+ * Implements peer_cfg_t.destroy.
+ */
+static void destroy(private_peer_cfg_t *this)
+{
+	if (ref_put(&this->refcount))
+	{
+		this->ike_cfg->destroy(this->ike_cfg);
+		this->child_cfgs->destroy_offset(this->child_cfgs,
+										offsetof(child_cfg_t, destroy));
+		DESTROY_IF(this->virtual_ip);
+		this->local_auth->destroy_offset(this->local_auth,
+										offsetof(auth_cfg_t, destroy));
+		this->remote_auth->destroy_offset(this->remote_auth,
+										offsetof(auth_cfg_t, destroy));
+#ifdef ME
+		DESTROY_IF(this->mediated_by);
+		DESTROY_IF(this->peer_id);
+#endif /* ME */
+		this->mutex->destroy(this->mutex);
+		free(this->name);
+		free(this->pool);
+		free(this);
+	}
+}
+
+/*
+ * Described in header-file
+ */
+peer_cfg_t *peer_cfg_create(char *name, u_int ike_version, ike_cfg_t *ike_cfg,
+							cert_policy_t cert_policy, unique_policy_t unique,
+							u_int32_t keyingtries, u_int32_t rekey_time,
+							u_int32_t reauth_time, u_int32_t jitter_time,
+							u_int32_t over_time, bool mobike, u_int32_t dpd,
+							host_t *virtual_ip, char *pool,
+							bool mediation, peer_cfg_t *mediated_by,
+							identification_t *peer_id)
+{
+	private_peer_cfg_t *this = malloc_thing(private_peer_cfg_t);
+
+	/* public functions */
+	this->public.get_name = (char* (*) (peer_cfg_t *))get_name;
+	this->public.get_ike_version = (u_int(*) (peer_cfg_t *))get_ike_version;
+	this->public.get_ike_cfg = (ike_cfg_t* (*) (peer_cfg_t *))get_ike_cfg;
+	this->public.add_child_cfg = (void (*) (peer_cfg_t *, child_cfg_t*))add_child_cfg;
+	this->public.remove_child_cfg = (void(*)(peer_cfg_t*, enumerator_t*))remove_child_cfg;
+	this->public.create_child_cfg_enumerator = (enumerator_t* (*) (peer_cfg_t *))create_child_cfg_enumerator;
+	this->public.select_child_cfg = (child_cfg_t* (*) (peer_cfg_t *,linked_list_t*,linked_list_t*,host_t*,host_t*))select_child_cfg;
+	this->public.get_cert_policy = (cert_policy_t (*) (peer_cfg_t *))get_cert_policy;
+	this->public.get_unique_policy = (unique_policy_t (*) (peer_cfg_t *))get_unique_policy;
+	this->public.get_keyingtries = (u_int32_t (*) (peer_cfg_t *))get_keyingtries;
+	this->public.get_rekey_time = (u_int32_t(*)(peer_cfg_t*))get_rekey_time;
+	this->public.get_reauth_time = (u_int32_t(*)(peer_cfg_t*))get_reauth_time;
+	this->public.get_over_time = (u_int32_t(*)(peer_cfg_t*))get_over_time;
+	this->public.use_mobike = (bool (*) (peer_cfg_t *))use_mobike;
+	this->public.get_dpd = (u_int32_t (*) (peer_cfg_t *))get_dpd;
+	this->public.get_virtual_ip = (host_t* (*) (peer_cfg_t *))get_virtual_ip;
+	this->public.get_pool = (char*(*)(peer_cfg_t*))get_pool;
+	this->public.add_auth_cfg = (void(*)(peer_cfg_t*, auth_cfg_t *cfg, bool local))add_auth_cfg;
+	this->public.create_auth_cfg_enumerator = (enumerator_t*(*)(peer_cfg_t*, bool local))create_auth_cfg_enumerator;
+	this->public.equals = (bool(*)(peer_cfg_t*, peer_cfg_t *other))equals;
+	this->public.get_ref = (peer_cfg_t*(*)(peer_cfg_t *))get_ref;
+	this->public.destroy = (void(*)(peer_cfg_t *))destroy;
+#ifdef ME
+	this->public.is_mediation = (bool (*) (peer_cfg_t *))is_mediation;
+	this->public.get_mediated_by = (peer_cfg_t* (*) (peer_cfg_t *))get_mediated_by;
+	this->public.get_peer_id = (identification_t* (*) (peer_cfg_t *))get_peer_id;
+#endif /* ME */
+
+	/* apply init values */
+	this->name = strdup(name);
+	this->ike_version = ike_version;
+	this->ike_cfg = ike_cfg;
+	this->child_cfgs = linked_list_create();
+	this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
+	this->cert_policy = cert_policy;
+	this->unique = unique;
+	this->keyingtries = keyingtries;
+	this->rekey_time = rekey_time;
+	this->reauth_time = reauth_time;
+	if (rekey_time && jitter_time > rekey_time)
+	{
+		jitter_time = rekey_time;
+	}
+	if (reauth_time && jitter_time > reauth_time)
+	{
+		jitter_time = reauth_time;
+	}
+	this->jitter_time = jitter_time;
+	this->over_time = over_time;
+	this->use_mobike = mobike;
+	this->dpd = dpd;
+	this->virtual_ip = virtual_ip;
+	this->pool = pool ? strdup(pool) : NULL;
+	this->local_auth = linked_list_create();
+	this->remote_auth = linked_list_create();
+	this->refcount = 1;
+#ifdef ME
+	this->mediation = mediation;
+	this->mediated_by = mediated_by;
+	this->peer_id = peer_id;
+#else /* ME */
+	DESTROY_IF(mediated_by);
+	DESTROY_IF(peer_id);
+#endif /* ME */
+
+	return &this->public;
+}
diff --git a/src/libcharon/config/peer_cfg.h b/src/libcharon/config/peer_cfg.h
new file mode 100644
index 000000000..6855276f8
--- /dev/null
+++ b/src/libcharon/config/peer_cfg.h
@@ -0,0 +1,358 @@
+/*
+ * Copyright (C) 2007-2008 Tobias Brunner
+ * Copyright (C) 2005-2009 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup peer_cfg peer_cfg
+ * @{ @ingroup config
+ */
+
+#ifndef PEER_CFG_H_
+#define PEER_CFG_H_
+
+typedef enum cert_policy_t cert_policy_t;
+typedef enum unique_policy_t unique_policy_t;
+typedef struct peer_cfg_t peer_cfg_t;
+
+#include <library.h>
+#include <utils/identification.h>
+#include <utils/enumerator.h>
+#include <selectors/traffic_selector.h>
+#include <config/proposal.h>
+#include <config/ike_cfg.h>
+#include <config/child_cfg.h>
+#include <sa/authenticators/authenticator.h>
+#include <sa/authenticators/eap/eap_method.h>
+#include <config/auth_cfg.h>
+
+/**
+ * Certificate sending policy. This is also used for certificate
+ * requests when using this definition for the other peer. If
+ * it is CERT_NEVER_SEND, a certreq is omitted, otherwise its
+ * included.
+ *
+ * @warning These definitions must be the same as in pluto/starter,
+ * as they are sent over the stroke socket.
+ */
+enum cert_policy_t {
+	/** always send certificates, even when not requested */
+	CERT_ALWAYS_SEND =		0,
+	/** send certificate upon cert request */
+	CERT_SEND_IF_ASKED =	1,
+	/** never send a certificate, even when requested */
+	CERT_NEVER_SEND =		2,
+};
+
+/**
+ * enum strings for cert_policy_t
+ */
+extern enum_name_t *cert_policy_names;
+
+/**
+ * Uniqueness of an IKE_SA, used to drop multiple connections with one peer.
+ */
+enum unique_policy_t {
+	/** do not check for client uniqueness */
+	UNIQUE_NO,
+	/** replace unique IKE_SAs if new ones get established */
+	UNIQUE_REPLACE,
+	/** keep existing IKE_SAs, close the new ones on connection attept */
+	UNIQUE_KEEP,
+};
+
+/**
+ * enum strings for unique_policy_t
+ */
+extern enum_name_t *unique_policy_names;
+
+/**
+ * Configuration of a peer, specified by IDs.
+ *
+ * The peer config defines a connection between two given IDs. It contains
+ * exactly one ike_cfg_t, which is use for initiation. Additionally, it contains
+ * multiple child_cfg_t defining which CHILD_SAs are allowed for this peer.
+ * @verbatim
+                          +-------------------+        +---------------+
+   +---------------+      |     peer_cfg      |      +---------------+ |
+   |    ike_cfg    |      +-------------------+      |   child_cfg   | |
+   +---------------+      | - ids             |      +---------------+ |
+   | - hosts       | 1  1 | - cas             | 1  n | - proposals   | |
+   | - proposals   |<-----| - auth info       |----->| - traffic sel | |
+   | - ...         |      | - dpd config      |      | - ...         |-+
+   +---------------+      | - ...             |      +---------------+
+                          +-------------------+
+                             | 1         0 |
+                             |             |
+                             v n         n V
+             +-------------------+     +-------------------+
+           +-------------------+ |   +-------------------+ |
+           |     auth_cfg      | |   |     auth_cfg      | |
+           +-------------------+ |   +-------------------+ |
+           | - local rules     |-+   | - remote constr.  |-+
+           +-------------------+     +-------------------+
+   @endverbatim
+ *
+ * Each peer_cfg has two lists of authentication config attached. Local
+ * authentication configs define how to authenticate ourself against the remote
+ * peer. Each config is enforced using the multiple authentication extension
+ * (RFC4739).
+ * The remote authentication configs are handled as constraints. The peer has
+ * to fullfill each of these rules (using multiple authentication, in any order)
+ * to gain access to the configuration.
+ */
+struct peer_cfg_t {
+
+	/**
+	 * Get the name of the peer_cfg.
+	 *
+	 * Returned object is not getting cloned.
+	 *
+	 * @return				peer_cfg's name
+	 */
+	char* (*get_name) (peer_cfg_t *this);
+
+	/**
+	 * Get the IKE version to use for initiating.
+	 *
+	 * @return 				IKE major version
+	 */
+	u_int (*get_ike_version)(peer_cfg_t *this);
+
+	/**
+	 * Get the IKE config to use for initiaton.
+	 *
+	 * @return				the IKE config to use
+	 */
+	ike_cfg_t* (*get_ike_cfg) (peer_cfg_t *this);
+
+	/**
+	 * Attach a CHILD config.
+	 *
+	 * @param child_cfg		CHILD config to add
+	 */
+	void (*add_child_cfg) (peer_cfg_t *this, child_cfg_t *child_cfg);
+
+	/**
+	 * Detach a CHILD config, pointed to by an enumerator.
+	 *
+	 * @param enumerator	enumerator indicating element position
+	 */
+	void (*remove_child_cfg)(peer_cfg_t *this, enumerator_t *enumerator);
+
+	/**
+	 * Create an enumerator for all attached CHILD configs.
+	 *
+	 * @return				an enumerator over all CHILD configs.
+	 */
+	enumerator_t* (*create_child_cfg_enumerator) (peer_cfg_t *this);
+
+	/**
+	 * Select a CHILD config from traffic selectors.
+	 *
+	 * @param my_ts			TS for local side
+	 * @param other_ts		TS for remote side
+	 * @param my_host		host to narrow down dynamic TS for local side
+	 * @param other_host	host to narrow down dynamic TS for remote side
+	 * @return				selected CHILD config, or NULL if no match found
+	 */
+	child_cfg_t* (*select_child_cfg) (peer_cfg_t *this, linked_list_t *my_ts,
+									  linked_list_t *other_ts, host_t *my_host,
+									  host_t *other_host);
+
+	/**
+	 * Add an authentication config to the peer configuration.
+	 *
+	 * @param config		config to add
+	 * @param local			TRUE for local rules, FALSE for remote constraints
+	 */
+	void (*add_auth_cfg)(peer_cfg_t *this, auth_cfg_t *cfg, bool local);
+
+	/**
+	 * Create an enumerator over registered authentication configs.
+	 *
+	 * @param local			TRUE for local rules, FALSE for remote constraints
+	 * @return				enumerator over auth_cfg_t*
+	 */
+	enumerator_t* (*create_auth_cfg_enumerator)(peer_cfg_t *this, bool local);
+
+	/**
+	 * Should be sent a certificate for this connection?
+	 *
+	 * @return			certificate sending policy
+	 */
+	cert_policy_t (*get_cert_policy) (peer_cfg_t *this);
+
+	/**
+	 * How to handle uniqueness of IKE_SAs?
+	 *
+	 * @return			unique policy
+	 */
+	unique_policy_t (*get_unique_policy) (peer_cfg_t *this);
+
+	/**
+	 * Get the max number of retries after timeout.
+	 *
+	 * @return			max number retries
+	 */
+	u_int32_t (*get_keyingtries) (peer_cfg_t *this);
+
+	/**
+	 * Get a time to start rekeying (is randomized with jitter).
+	 *
+	 * @return			time in s when to start rekeying, 0 disables rekeying
+	 */
+	u_int32_t (*get_rekey_time)(peer_cfg_t *this);
+
+	/**
+	 * Get a time to start reauthentication (is randomized with jitter).
+	 *
+	 * @return			time in s when to start reauthentication, 0 disables it
+	 */
+	u_int32_t (*get_reauth_time)(peer_cfg_t *this);
+
+	/**
+	 * Get the timeout of a rekeying/reauthenticating SA.
+	 *
+	 * @return			timeout in s
+	 */
+	u_int32_t (*get_over_time)(peer_cfg_t *this);
+
+	/**
+	 * Use MOBIKE (RFC4555) if peer supports it?
+	 *
+	 * @return			TRUE to enable MOBIKE support
+	 */
+	bool (*use_mobike) (peer_cfg_t *this);
+
+	/**
+	 * Get the DPD check interval.
+	 *
+	 * @return			dpd_delay in seconds
+	 */
+	u_int32_t (*get_dpd) (peer_cfg_t *this);
+
+	/**
+	 * Get a virtual IP for the local peer.
+	 *
+	 * If no virtual IP should be used, NULL is returned. %any means to request
+	 * a virtual IP using configuration payloads. A specific address is also
+	 * used for a request and may be changed by the server.
+	 *
+	 * @param suggestion	NULL, %any or specific
+	 * @return				virtual IP, %any or NULL
+	 */
+	host_t* (*get_virtual_ip) (peer_cfg_t *this);
+
+	/**
+	 * Get the name of the pool to acquire configuration attributes from.
+	 *
+	 * @return				pool name, NULL if none defined
+	 */
+	char* (*get_pool)(peer_cfg_t *this);
+
+#ifdef ME
+	/**
+	 * Is this a mediation connection?
+	 *
+	 * @return				TRUE, if this is a mediation connection
+	 */
+	bool (*is_mediation) (peer_cfg_t *this);
+
+	/**
+	 * Get peer_cfg of the connection this one is mediated through.
+	 *
+	 * @return				the peer_cfg of the mediation connection
+	 */
+	peer_cfg_t* (*get_mediated_by) (peer_cfg_t *this);
+
+	/**
+	 * Get the id of the other peer at the mediation server.
+	 *
+	 * This is the leftid of the peer's connection with the mediation server.
+	 *
+	 * If it is not configured, it is assumed to be the same as the right id
+	 * of this connection.
+	 *
+	 * @return				the id of the other peer
+	 */
+	identification_t* (*get_peer_id) (peer_cfg_t *this);
+#endif /* ME */
+
+	/**
+	 * Check if two peer configurations are equal.
+	 *
+	 * This method does not compare associated ike/child_cfg.
+	 *
+	 * @param other			candidate to check for equality against this
+	 * @return				TRUE if peer_cfg and ike_cfg are equal
+	 */
+	bool (*equals)(peer_cfg_t *this, peer_cfg_t *other);
+
+	/**
+	 * Increase reference count.
+	 *
+	 * @return				reference to this
+	 */
+	peer_cfg_t* (*get_ref) (peer_cfg_t *this);
+
+	/**
+	 * Destroys the peer_cfg object.
+	 *
+	 * Decrements the internal reference counter and
+	 * destroys the peer_cfg when it reaches zero.
+	 */
+	void (*destroy) (peer_cfg_t *this);
+};
+
+/**
+ * Create a configuration object for IKE_AUTH and later.
+ *
+ * name-string gets cloned, ID's not.
+ * Virtual IPs are used if they are != NULL. A %any host means the virtual
+ * IP should be obtained from the other peer.
+ * Lifetimes are in seconds. To prevent to peers to start rekeying at the
+ * same time, a jitter may be specified. Rekeying of an SA starts at
+ * (rekeylifetime - random(0, jitter)).
+ *
+ * @param name				name of the peer_cfg
+ * @param ike_version		which IKE version we sould use for this peer
+ * @param ike_cfg			IKE config to use when acting as initiator
+ * @param cert_policy		should we send a certificate payload?
+ * @param unique			uniqueness of an IKE_SA
+ * @param keyingtries		how many keying tries should be done before giving up
+ * @param rekey_time		timeout before starting rekeying
+ * @param reauth_time		timeout before starting reauthentication
+ * @param jitter_time		timerange to randomly substract from rekey/reauth time
+ * @param over_time			maximum overtime before closing a rekeying/reauth SA
+ * @param mobike			use MOBIKE (RFC4555) if peer supports it
+ * @param dpd				DPD check interval, 0 to disable
+ * @param virtual_ip		virtual IP for local host, or NULL
+ * @param pool				pool name to get configuration attributes from, or NULL
+ * @param mediation			TRUE if this is a mediation connection
+ * @param mediated_by		peer_cfg_t of the mediation connection to mediate through
+ * @param peer_id			ID that identifies our peer at the mediation server
+ * @return 					peer_cfg_t object
+ */
+peer_cfg_t *peer_cfg_create(char *name, u_int ike_version, ike_cfg_t *ike_cfg,
+							cert_policy_t cert_policy, unique_policy_t unique,
+							u_int32_t keyingtries, u_int32_t rekey_time,
+							u_int32_t reauth_time, u_int32_t jitter_time,
+							u_int32_t over_time, bool mobike, u_int32_t dpd,
+							host_t *virtual_ip, char *pool,
+							bool mediation, peer_cfg_t *mediated_by,
+							identification_t *peer_id);
+
+#endif /** PEER_CFG_H_ @}*/
diff --git a/src/libcharon/config/proposal.c b/src/libcharon/config/proposal.c
new file mode 100644
index 000000000..e86393028
--- /dev/null
+++ b/src/libcharon/config/proposal.c
@@ -0,0 +1,949 @@
+/*
+ * Copyright (C) 2008-2009 Tobias Brunner
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <string.h>
+
+#include "proposal.h"
+
+#include <daemon.h>
+#include <utils/linked_list.h>
+#include <utils/identification.h>
+#include <utils/lexparser.h>
+#include <crypto/transform.h>
+#include <crypto/prfs/prf.h>
+#include <crypto/crypters/crypter.h>
+#include <crypto/signers/signer.h>
+#include <crypto/proposal/proposal_keywords.h>
+
+ENUM(protocol_id_names, PROTO_NONE, PROTO_ESP,
+	"PROTO_NONE",
+	"IKE",
+	"AH",
+	"ESP",
+);
+
+ENUM(extended_sequence_numbers_names, NO_EXT_SEQ_NUMBERS, EXT_SEQ_NUMBERS,
+	"NO_EXT_SEQ",
+	"EXT_SEQ",
+);
+
+typedef struct private_proposal_t private_proposal_t;
+typedef struct algorithm_t algorithm_t;
+
+/**
+ * Private data of an proposal_t object
+ */
+struct private_proposal_t {
+
+	/**
+	 * Public part
+	 */
+	proposal_t public;
+
+	/**
+	 * protocol (ESP or AH)
+	 */
+	protocol_id_t protocol;
+
+	/**
+	 * priority ordered list of encryption algorithms
+	 */
+	linked_list_t *encryption_algos;
+
+	/**
+	 * priority ordered list of integrity algorithms
+	 */
+	linked_list_t *integrity_algos;
+
+	/**
+	 * priority ordered list of pseudo random functions
+	 */
+	linked_list_t *prf_algos;
+
+	/**
+	 * priority ordered list of dh groups
+	 */
+	linked_list_t *dh_groups;
+
+	/**
+	 * priority ordered list of extended sequence number flags
+	 */
+	linked_list_t *esns;
+
+	/**
+	 * senders SPI
+	 */
+	u_int64_t spi;
+};
+
+/**
+ * Struct used to store different kinds of algorithms.
+ */
+struct algorithm_t {
+	/**
+	 * Value from an encryption_algorithm_t/integrity_algorithm_t/...
+	 */
+	u_int16_t algorithm;
+
+	/**
+	 * the associated key size in bits, or zero if not needed
+	 */
+	u_int16_t key_size;
+};
+
+/**
+ * Add algorithm/keysize to a algorithm list
+ */
+static void add_algo(linked_list_t *list, u_int16_t algo, u_int16_t key_size)
+{
+	algorithm_t *algo_key;
+
+	algo_key = malloc_thing(algorithm_t);
+	algo_key->algorithm = algo;
+	algo_key->key_size = key_size;
+	list->insert_last(list, (void*)algo_key);
+}
+
+/**
+ * Implements proposal_t.add_algorithm
+ */
+static void add_algorithm(private_proposal_t *this, transform_type_t type,
+						  u_int16_t algo, u_int16_t key_size)
+{
+	switch (type)
+	{
+		case ENCRYPTION_ALGORITHM:
+			add_algo(this->encryption_algos, algo, key_size);
+			break;
+		case INTEGRITY_ALGORITHM:
+			add_algo(this->integrity_algos, algo, key_size);
+			break;
+		case PSEUDO_RANDOM_FUNCTION:
+			add_algo(this->prf_algos, algo, key_size);
+			break;
+		case DIFFIE_HELLMAN_GROUP:
+			add_algo(this->dh_groups, algo, 0);
+			break;
+		case EXTENDED_SEQUENCE_NUMBERS:
+			add_algo(this->esns, algo, 0);
+			break;
+		default:
+			break;
+	}
+}
+
+/**
+ * filter function for peer configs
+ */
+static bool alg_filter(void *null, algorithm_t **in, u_int16_t *alg,
+					   void **unused, u_int16_t *key_size)
+{
+	algorithm_t *algo = *in;
+	*alg = algo->algorithm;
+	if (key_size)
+	{
+		*key_size = algo->key_size;
+	}
+	return TRUE;
+}
+
+/**
+ * Implements proposal_t.create_enumerator.
+ */
+static enumerator_t *create_enumerator(private_proposal_t *this,
+									   transform_type_t type)
+{
+	linked_list_t *list;
+
+	switch (type)
+	{
+		case ENCRYPTION_ALGORITHM:
+			list = this->encryption_algos;
+			break;
+		case INTEGRITY_ALGORITHM:
+			list = this->integrity_algos;
+			break;
+		case PSEUDO_RANDOM_FUNCTION:
+			list = this->prf_algos;
+			break;
+		case DIFFIE_HELLMAN_GROUP:
+			list = this->dh_groups;
+			break;
+		case EXTENDED_SEQUENCE_NUMBERS:
+			list = this->esns;
+			break;
+		default:
+			return NULL;
+	}
+	return enumerator_create_filter(list->create_enumerator(list),
+									(void*)alg_filter, NULL, NULL);
+}
+
+/**
+ * Implements proposal_t.get_algorithm.
+ */
+static bool get_algorithm(private_proposal_t *this, transform_type_t type,
+						  u_int16_t *alg, u_int16_t *key_size)
+{
+	enumerator_t *enumerator;
+	bool found = FALSE;
+
+	enumerator = create_enumerator(this, type);
+	if (enumerator->enumerate(enumerator, alg, key_size))
+	{
+		found = TRUE;
+	}
+	enumerator->destroy(enumerator);
+	return found;
+}
+
+/**
+ * Implements proposal_t.has_dh_group
+ */
+static bool has_dh_group(private_proposal_t *this, diffie_hellman_group_t group)
+{
+	bool result = FALSE;
+
+	if (this->dh_groups->get_count(this->dh_groups))
+	{
+		algorithm_t *current;
+		enumerator_t *enumerator;
+
+		enumerator = this->dh_groups->create_enumerator(this->dh_groups);
+		while (enumerator->enumerate(enumerator, (void**)&current))
+		{
+			if (current->algorithm == group)
+			{
+				result = TRUE;
+				break;
+			}
+		}
+		enumerator->destroy(enumerator);
+	}
+	else if (group == MODP_NONE)
+	{
+		result = TRUE;
+	}
+	return result;
+}
+
+/**
+ * Implementation of proposal_t.strip_dh.
+ */
+static void strip_dh(private_proposal_t *this)
+{
+	algorithm_t *alg;
+
+	while (this->dh_groups->remove_last(this->dh_groups, (void**)&alg) == SUCCESS)
+	{
+		free(alg);
+	}
+}
+
+/**
+ * Returns true if the given alg is an authenticated encryption algorithm
+ */
+static bool is_authenticated_encryption(u_int16_t alg)
+{
+	switch(alg)
+	{
+		case ENCR_AES_CCM_ICV8:
+		case ENCR_AES_CCM_ICV12:
+		case ENCR_AES_CCM_ICV16:
+		case ENCR_AES_GCM_ICV8:
+		case ENCR_AES_GCM_ICV12:
+		case ENCR_AES_GCM_ICV16:
+		case ENCR_CAMELLIA_CCM_ICV8:
+		case ENCR_CAMELLIA_CCM_ICV12:
+		case ENCR_CAMELLIA_CCM_ICV16:
+		case ENCR_NULL_AUTH_AES_GMAC:
+			return TRUE;
+	}
+	return FALSE;
+}
+
+/**
+ * Find a matching alg/keysize in two linked lists
+ */
+static bool select_algo(linked_list_t *first, linked_list_t *second, bool priv,
+						bool *add, u_int16_t *alg, size_t *key_size)
+{
+	enumerator_t *e1, *e2;
+	algorithm_t *alg1, *alg2;
+
+	/* if in both are zero algorithms specified, we HAVE a match */
+	if (first->get_count(first) == 0 && second->get_count(second) == 0)
+	{
+		*add = FALSE;
+		return TRUE;
+	}
+
+	e1 = first->create_enumerator(first);
+	e2 = second->create_enumerator(second);
+	/* compare algs, order of algs in "first" is preferred */
+	while (e1->enumerate(e1, &alg1))
+	{
+		e2->destroy(e2);
+		e2 = second->create_enumerator(second);
+		while (e2->enumerate(e2, &alg2))
+		{
+			if (alg1->algorithm == alg2->algorithm &&
+				alg1->key_size == alg2->key_size)
+			{
+				if (!priv && alg1->algorithm >= 1024)
+				{
+					/* accept private use algorithms only if requested */
+					DBG1(DBG_CFG, "an algorithm from private space would match, "
+						 "but peer implementation is unknown, skipped");
+					continue;
+				}
+				/* ok, we have an algorithm */
+				*alg = alg1->algorithm;
+				*key_size = alg1->key_size;
+				*add = TRUE;
+				e1->destroy(e1);
+				e2->destroy(e2);
+				return TRUE;
+			}
+		}
+	}
+	/* no match in all comparisons */
+	e1->destroy(e1);
+	e2->destroy(e2);
+	return FALSE;
+}
+
+/**
+ * Implements proposal_t.select.
+ */
+static proposal_t *select_proposal(private_proposal_t *this,
+								private_proposal_t *other, bool private)
+{
+	proposal_t *selected;
+	u_int16_t algo;
+	size_t key_size;
+	bool add;
+
+	DBG2(DBG_CFG, "selecting proposal:");
+
+	/* check protocol */
+	if (this->protocol != other->protocol)
+	{
+		DBG2(DBG_CFG, "  protocol mismatch, skipping");
+		return NULL;
+	}
+
+	selected = proposal_create(this->protocol);
+
+	/* select encryption algorithm */
+	if (select_algo(this->encryption_algos, other->encryption_algos, private,
+					&add, &algo, &key_size))
+	{
+		if (add)
+		{
+			selected->add_algorithm(selected, ENCRYPTION_ALGORITHM,
+									algo, key_size);
+		}
+	}
+	else
+	{
+		selected->destroy(selected);
+		DBG2(DBG_CFG, "  no acceptable %N found",
+			 transform_type_names, ENCRYPTION_ALGORITHM);
+		return NULL;
+	}
+	/* select integrity algorithm */
+	if (!is_authenticated_encryption(algo))
+	{
+		if (select_algo(this->integrity_algos, other->integrity_algos, private,
+						&add, &algo, &key_size))
+		{
+			if (add)
+			{
+				selected->add_algorithm(selected, INTEGRITY_ALGORITHM,
+										algo, key_size);
+			}
+		}
+		else
+		{
+			selected->destroy(selected);
+			DBG2(DBG_CFG, "  no acceptable %N found",
+				 transform_type_names, INTEGRITY_ALGORITHM);
+			return NULL;
+		}
+	}
+	/* select prf algorithm */
+	if (select_algo(this->prf_algos, other->prf_algos, private,
+					&add, &algo, &key_size))
+	{
+		if (add)
+		{
+			selected->add_algorithm(selected, PSEUDO_RANDOM_FUNCTION,
+									algo, key_size);
+		}
+	}
+	else
+	{
+		selected->destroy(selected);
+		DBG2(DBG_CFG, "  no acceptable %N found",
+			 transform_type_names, PSEUDO_RANDOM_FUNCTION);
+		return NULL;
+	}
+	/* select a DH-group */
+	if (select_algo(this->dh_groups, other->dh_groups, private,
+					&add, &algo, &key_size))
+	{
+		if (add)
+		{
+			selected->add_algorithm(selected, DIFFIE_HELLMAN_GROUP, algo, 0);
+		}
+	}
+	else
+	{
+		selected->destroy(selected);
+		DBG2(DBG_CFG, "  no acceptable %N found",
+			 transform_type_names, DIFFIE_HELLMAN_GROUP);
+		return NULL;
+	}
+	/* select if we use ESNs (has no private use space) */
+	if (select_algo(this->esns, other->esns, TRUE, &add, &algo, &key_size))
+	{
+		if (add)
+		{
+			selected->add_algorithm(selected, EXTENDED_SEQUENCE_NUMBERS, algo, 0);
+		}
+	}
+	else
+	{
+		selected->destroy(selected);
+		DBG2(DBG_CFG, "  no acceptable %N found",
+			 transform_type_names, EXTENDED_SEQUENCE_NUMBERS);
+		return NULL;
+	}
+	DBG2(DBG_CFG, "  proposal matches");
+
+	/* apply SPI from "other" */
+	selected->set_spi(selected, other->spi);
+
+	/* everything matched, return new proposal */
+	return selected;
+}
+
+/**
+ * Implements proposal_t.get_protocols.
+ */
+static protocol_id_t get_protocol(private_proposal_t *this)
+{
+	return this->protocol;
+}
+
+/**
+ * Implements proposal_t.set_spi.
+ */
+static void set_spi(private_proposal_t *this, u_int64_t spi)
+{
+	this->spi = spi;
+}
+
+/**
+ * Implements proposal_t.get_spi.
+ */
+static u_int64_t get_spi(private_proposal_t *this)
+{
+	return this->spi;
+}
+
+/**
+ * Clone a algorithm list
+ */
+static void clone_algo_list(linked_list_t *list, linked_list_t *clone_list)
+{
+	algorithm_t *algo, *clone_algo;
+	enumerator_t *enumerator;
+
+	enumerator = list->create_enumerator(list);
+	while (enumerator->enumerate(enumerator, &algo))
+	{
+		clone_algo = malloc_thing(algorithm_t);
+		memcpy(clone_algo, algo, sizeof(algorithm_t));
+		clone_list->insert_last(clone_list, (void*)clone_algo);
+	}
+	enumerator->destroy(enumerator);
+}
+
+/**
+ * check if an algorithm list equals
+ */
+static bool algo_list_equals(linked_list_t *l1, linked_list_t *l2)
+{
+	enumerator_t *e1, *e2;
+	algorithm_t *alg1, *alg2;
+	bool equals = TRUE;
+
+	if (l1->get_count(l1) != l2->get_count(l2))
+	{
+		return FALSE;
+	}
+
+	e1 = l1->create_enumerator(l1);
+	e2 = l2->create_enumerator(l2);
+	while (e1->enumerate(e1, &alg1) && e2->enumerate(e2, &alg2))
+	{
+		if (alg1->algorithm != alg2->algorithm ||
+			alg1->key_size != alg2->key_size)
+		{
+			equals = FALSE;
+			break;
+		}
+	}
+	e1->destroy(e1);
+	e2->destroy(e2);
+	return equals;
+}
+
+/**
+ * Implementation of proposal_t.equals.
+ */
+static bool equals(private_proposal_t *this, private_proposal_t *other)
+{
+	if (this == other)
+	{
+		return TRUE;
+	}
+	if (this->public.equals != other->public.equals)
+	{
+		return FALSE;
+	}
+	return (
+		algo_list_equals(this->encryption_algos, other->encryption_algos) &&
+		algo_list_equals(this->integrity_algos, other->integrity_algos) &&
+		algo_list_equals(this->prf_algos, other->prf_algos) &&
+		algo_list_equals(this->dh_groups, other->dh_groups) &&
+		algo_list_equals(this->esns, other->esns));
+}
+
+/**
+ * Implements proposal_t.clone
+ */
+static proposal_t *clone_(private_proposal_t *this)
+{
+	private_proposal_t *clone = (private_proposal_t*)proposal_create(this->protocol);
+
+	clone_algo_list(this->encryption_algos, clone->encryption_algos);
+	clone_algo_list(this->integrity_algos, clone->integrity_algos);
+	clone_algo_list(this->prf_algos, clone->prf_algos);
+	clone_algo_list(this->dh_groups, clone->dh_groups);
+	clone_algo_list(this->esns, clone->esns);
+
+	clone->spi = this->spi;
+
+	return &clone->public;
+}
+
+/**
+ * Checks the proposal read from a string.
+ */
+static void check_proposal(private_proposal_t *this)
+{
+	enumerator_t *e;
+	algorithm_t *alg;
+	bool all_aead = TRUE;
+
+	e = this->encryption_algos->create_enumerator(this->encryption_algos);
+	while (e->enumerate(e, &alg))
+	{
+		if (!is_authenticated_encryption(alg->algorithm))
+		{
+			all_aead = FALSE;
+			break;
+		}
+	}
+	e->destroy(e);
+
+	if (all_aead)
+	{
+		/* if all encryption algorithms in the proposal are authenticated encryption
+		 * algorithms we MUST NOT propose any integrity algorithms */
+		while (this->integrity_algos->remove_last(this->integrity_algos,
+												  (void**)&alg) == SUCCESS)
+		{
+			free(alg);
+		}
+	}
+}
+
+/**
+ * add a algorithm identified by a string to the proposal.
+ */
+static status_t add_string_algo(private_proposal_t *this, chunk_t alg)
+{
+	const proposal_token_t *token = proposal_get_token(alg.ptr, alg.len);
+
+	if (token == NULL)
+	{
+		return FAILED;
+	}
+
+	add_algorithm(this, token->type, token->algorithm, token->keysize);
+
+	if (this->protocol == PROTO_IKE && token->type == INTEGRITY_ALGORITHM)
+	{
+		pseudo_random_function_t prf;
+
+		switch (token->algorithm)
+		{
+			case AUTH_HMAC_SHA1_96:
+				prf = PRF_HMAC_SHA1;
+				break;
+			case AUTH_HMAC_SHA2_256_128:
+				prf = PRF_HMAC_SHA2_256;
+				break;
+			case AUTH_HMAC_SHA2_384_192:
+				prf = PRF_HMAC_SHA2_384;
+				break;
+			case AUTH_HMAC_SHA2_512_256:
+				prf = PRF_HMAC_SHA2_512;
+				break;
+			case AUTH_HMAC_MD5_96:
+				prf = PRF_HMAC_MD5;
+				break;
+			case AUTH_AES_XCBC_96:
+				prf = PRF_AES128_XCBC;
+				break;
+			default:
+				prf = PRF_UNDEFINED;
+		}
+		if (prf != PRF_UNDEFINED)
+		{
+			add_algorithm(this, PSEUDO_RANDOM_FUNCTION, prf, 0);
+		}
+	}
+	return SUCCESS;
+}
+
+/**
+ * print all algorithms of a kind to buffer
+ */
+static int print_alg(private_proposal_t *this, char **dst, size_t *len,
+					 u_int kind, void *names, bool *first)
+{
+	enumerator_t *enumerator;
+	size_t written = 0;
+	u_int16_t alg, size;
+
+	enumerator = create_enumerator(this, kind);
+	while (enumerator->enumerate(enumerator, &alg, &size))
+	{
+		if (*first)
+		{
+			written += print_in_hook(*dst, *len, "%N", names, alg);
+			*first = FALSE;
+		}
+		else
+		{
+			written += print_in_hook(*dst, *len, "/%N", names, alg);
+		}
+		if (size)
+		{
+			written += print_in_hook(*dst, *len, "_%u", size);
+		}
+	}
+	enumerator->destroy(enumerator);
+	return written;
+}
+
+/**
+ * Described in header.
+ */
+int proposal_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
+						 const void *const *args)
+{
+	private_proposal_t *this = *((private_proposal_t**)(args[0]));
+	linked_list_t *list = *((linked_list_t**)(args[0]));
+	enumerator_t *enumerator;
+	size_t written = 0;
+	bool first = TRUE;
+
+	if (this == NULL)
+	{
+		return print_in_hook(dst, len, "(null)");
+	}
+
+	if (spec->hash)
+	{
+		enumerator = list->create_enumerator(list);
+		while (enumerator->enumerate(enumerator, &this))
+		{	/* call recursivly */
+			if (first)
+			{
+				written += print_in_hook(dst, len, "%P", this);
+				first = FALSE;
+			}
+			else
+			{
+				written += print_in_hook(dst, len, ", %P", this);
+			}
+		}
+		enumerator->destroy(enumerator);
+		return written;
+	}
+
+	written = print_in_hook(dst, len, "%N:", protocol_id_names, this->protocol);
+	written += print_alg(this, &dst, &len, ENCRYPTION_ALGORITHM,
+						 encryption_algorithm_names, &first);
+	written += print_alg(this, &dst, &len, INTEGRITY_ALGORITHM,
+						 integrity_algorithm_names, &first);
+	written += print_alg(this, &dst, &len, PSEUDO_RANDOM_FUNCTION,
+						 pseudo_random_function_names, &first);
+	written += print_alg(this, &dst, &len, DIFFIE_HELLMAN_GROUP,
+						 diffie_hellman_group_names, &first);
+	written += print_alg(this, &dst, &len, EXTENDED_SEQUENCE_NUMBERS,
+						 extended_sequence_numbers_names, &first);
+	return written;
+}
+
+/**
+ * Implements proposal_t.destroy.
+ */
+static void destroy(private_proposal_t *this)
+{
+	this->encryption_algos->destroy_function(this->encryption_algos, free);
+	this->integrity_algos->destroy_function(this->integrity_algos, free);
+	this->prf_algos->destroy_function(this->prf_algos, free);
+	this->dh_groups->destroy_function(this->dh_groups, free);
+	this->esns->destroy_function(this->esns, free);
+	free(this);
+}
+
+/*
+ * Describtion in header-file
+ */
+proposal_t *proposal_create(protocol_id_t protocol)
+{
+	private_proposal_t *this = malloc_thing(private_proposal_t);
+
+	this->public.add_algorithm = (void (*)(proposal_t*,transform_type_t,u_int16_t,u_int16_t))add_algorithm;
+	this->public.create_enumerator = (enumerator_t* (*)(proposal_t*,transform_type_t))create_enumerator;
+	this->public.get_algorithm = (bool (*)(proposal_t*,transform_type_t,u_int16_t*,u_int16_t*))get_algorithm;
+	this->public.has_dh_group = (bool (*)(proposal_t*,diffie_hellman_group_t))has_dh_group;
+	this->public.strip_dh = (void(*)(proposal_t*))strip_dh;
+	this->public.select = (proposal_t* (*)(proposal_t*,proposal_t*,bool))select_proposal;
+	this->public.get_protocol = (protocol_id_t(*)(proposal_t*))get_protocol;
+	this->public.set_spi = (void(*)(proposal_t*,u_int64_t))set_spi;
+	this->public.get_spi = (u_int64_t(*)(proposal_t*))get_spi;
+	this->public.equals = (bool(*)(proposal_t*, proposal_t *other))equals;
+	this->public.clone = (proposal_t*(*)(proposal_t*))clone_;
+	this->public.destroy = (void(*)(proposal_t*))destroy;
+
+	this->spi = 0;
+	this->protocol = protocol;
+
+	this->encryption_algos = linked_list_create();
+	this->integrity_algos = linked_list_create();
+	this->prf_algos = linked_list_create();
+	this->dh_groups = linked_list_create();
+	this->esns = linked_list_create();
+
+	return &this->public;
+}
+
+/**
+ * Add supported IKE algorithms to proposal
+ */
+static void proposal_add_supported_ike(private_proposal_t *this)
+{
+	enumerator_t *enumerator;
+	encryption_algorithm_t encryption;
+	integrity_algorithm_t integrity;
+	pseudo_random_function_t prf;
+	diffie_hellman_group_t group;
+
+	enumerator = lib->crypto->create_crypter_enumerator(lib->crypto);
+	while (enumerator->enumerate(enumerator, &encryption))
+	{
+		switch (encryption)
+		{
+			case ENCR_AES_CBC:
+				/* we assume that we support all AES sizes */
+				add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 128);
+				add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 192);
+				add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 256);
+				break;
+			case ENCR_3DES:
+			case ENCR_AES_CTR:
+			case ENCR_AES_CCM_ICV8:
+			case ENCR_AES_CCM_ICV12:
+			case ENCR_AES_CCM_ICV16:
+			case ENCR_AES_GCM_ICV8:
+			case ENCR_AES_GCM_ICV12:
+			case ENCR_AES_GCM_ICV16:
+				add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 0);
+				break;
+			case ENCR_DES:
+				/* no, thanks */
+				break;
+			default:
+				break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	enumerator = lib->crypto->create_signer_enumerator(lib->crypto);
+	while (enumerator->enumerate(enumerator, &integrity))
+	{
+		switch (integrity)
+		{
+			case AUTH_HMAC_SHA1_96:
+			case AUTH_HMAC_SHA2_256_128:
+			case AUTH_HMAC_SHA2_384_192:
+			case AUTH_HMAC_SHA2_512_256:
+			case AUTH_HMAC_MD5_96:
+			case AUTH_AES_XCBC_96:
+				add_algorithm(this, INTEGRITY_ALGORITHM, integrity, 0);
+				break;
+			default:
+				break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	enumerator = lib->crypto->create_prf_enumerator(lib->crypto);
+	while (enumerator->enumerate(enumerator, &prf))
+	{
+		switch (prf)
+		{
+			case PRF_HMAC_SHA1:
+			case PRF_HMAC_SHA2_256:
+			case PRF_HMAC_SHA2_384:
+			case PRF_HMAC_SHA2_512:
+			case PRF_HMAC_MD5:
+			case PRF_AES128_XCBC:
+				add_algorithm(this, PSEUDO_RANDOM_FUNCTION, prf, 0);
+				break;
+			default:
+				break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	enumerator = lib->crypto->create_dh_enumerator(lib->crypto);
+	while (enumerator->enumerate(enumerator, &group))
+	{
+		switch (group)
+		{
+			case MODP_NULL:
+				/* only for testing purposes */
+				break;
+			case MODP_768_BIT:
+				/* weak */
+				break;
+			case MODP_1024_BIT:
+			case MODP_1536_BIT:
+			case MODP_2048_BIT:
+			case MODP_4096_BIT:
+			case MODP_8192_BIT:
+			case ECP_256_BIT:
+			case ECP_384_BIT:
+			case ECP_521_BIT:
+			case MODP_1024_160:
+			case MODP_2048_224:
+			case MODP_2048_256:
+			case ECP_192_BIT:
+			case ECP_224_BIT:
+				add_algorithm(this, DIFFIE_HELLMAN_GROUP, group, 0);
+				break;
+			default:
+				break;
+		}
+	}
+	enumerator->destroy(enumerator);
+}
+
+/*
+ * Describtion in header-file
+ */
+proposal_t *proposal_create_default(protocol_id_t protocol)
+{
+	private_proposal_t *this = (private_proposal_t*)proposal_create(protocol);
+
+	switch (protocol)
+	{
+		case PROTO_IKE:
+			proposal_add_supported_ike(this);
+			break;
+		case PROTO_ESP:
+			add_algorithm(this, ENCRYPTION_ALGORITHM,   ENCR_AES_CBC,         128);
+			add_algorithm(this, ENCRYPTION_ALGORITHM,   ENCR_AES_CBC,         192);
+			add_algorithm(this, ENCRYPTION_ALGORITHM,   ENCR_AES_CBC,         256);
+			add_algorithm(this, ENCRYPTION_ALGORITHM,   ENCR_3DES,              0);
+			add_algorithm(this, ENCRYPTION_ALGORITHM,   ENCR_BLOWFISH,        256);
+			add_algorithm(this, INTEGRITY_ALGORITHM,    AUTH_HMAC_SHA1_96,      0);
+			add_algorithm(this, INTEGRITY_ALGORITHM,    AUTH_AES_XCBC_96,       0);
+			add_algorithm(this, INTEGRITY_ALGORITHM,    AUTH_HMAC_MD5_96,       0);
+			add_algorithm(this, EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS,  0);
+			break;
+		case PROTO_AH:
+			add_algorithm(this, INTEGRITY_ALGORITHM,    AUTH_HMAC_SHA1_96,      0);
+			add_algorithm(this, INTEGRITY_ALGORITHM,    AUTH_AES_XCBC_96,       0);
+			add_algorithm(this, INTEGRITY_ALGORITHM,    AUTH_HMAC_MD5_96,       0);
+			add_algorithm(this, EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS,  0);
+			break;
+		default:
+			break;
+	}
+	return &this->public;
+}
+
+/*
+ * Describtion in header-file
+ */
+proposal_t *proposal_create_from_string(protocol_id_t protocol, const char *algs)
+{
+	private_proposal_t *this = (private_proposal_t*)proposal_create(protocol);
+	chunk_t string = {(void*)algs, strlen(algs)};
+	chunk_t alg;
+	status_t status = SUCCESS;
+
+	eat_whitespace(&string);
+	if (string.len < 1)
+	{
+		destroy(this);
+		return NULL;
+	}
+
+	/* get all tokens, separated by '-' */
+	while (extract_token(&alg, '-', &string))
+	{
+		status |= add_string_algo(this, alg);
+	}
+	if (string.len)
+	{
+		status |= add_string_algo(this, string);
+	}
+	if (status != SUCCESS)
+	{
+		destroy(this);
+		return NULL;
+	}
+
+	check_proposal(this);
+
+	if (protocol == PROTO_AH || protocol == PROTO_ESP)
+	{
+		add_algorithm(this, EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS, 0);
+	}
+	return &this->public;
+}
diff --git a/src/libcharon/config/proposal.h b/src/libcharon/config/proposal.h
new file mode 100644
index 000000000..30f63b80d
--- /dev/null
+++ b/src/libcharon/config/proposal.h
@@ -0,0 +1,226 @@
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup proposal proposal
+ * @{ @ingroup config
+ */
+
+#ifndef PROPOSAL_H_
+#define PROPOSAL_H_
+
+typedef enum protocol_id_t protocol_id_t;
+typedef enum extended_sequence_numbers_t extended_sequence_numbers_t;
+typedef struct proposal_t proposal_t;
+
+#include <library.h>
+#include <utils/identification.h>
+#include <utils/linked_list.h>
+#include <utils/host.h>
+#include <crypto/transform.h>
+#include <crypto/crypters/crypter.h>
+#include <crypto/signers/signer.h>
+#include <crypto/diffie_hellman.h>
+#include <selectors/traffic_selector.h>
+
+/**
+ * Protocol ID of a proposal.
+ */
+enum protocol_id_t {
+	PROTO_NONE = 0,
+	PROTO_IKE = 1,
+	PROTO_AH = 2,
+	PROTO_ESP = 3,
+};
+
+/**
+ * enum names for protocol_id_t
+ */
+extern enum_name_t *protocol_id_names;
+
+/**
+ * Extended sequence numbers, as in IKEv2 RFC 3.3.2.
+ */
+enum extended_sequence_numbers_t {
+	NO_EXT_SEQ_NUMBERS = 0,
+	EXT_SEQ_NUMBERS = 1
+};
+
+/**
+ * enum strings for extended_sequence_numbers_t.
+ */
+extern enum_name_t *extended_sequence_numbers_names;
+
+/**
+ * Stores a set of algorithms used for an SA.
+ *
+ * A proposal stores algorithms for a specific
+ * protocol. It can store algorithms for one protocol.
+ * Proposals with multiple protocols are not supported,
+ * as it's not specified in RFC4301 anymore.
+ */
+struct proposal_t {
+
+	/**
+	 * Add an algorithm to the proposal.
+	 *
+	 * The algorithms are stored by priority, first added
+	 * is the most preferred.
+	 * Key size is only needed for encryption algorithms
+	 * with variable key size (such as AES). Must be set
+	 * to zero if key size is not specified.
+	 * The alg parameter accepts encryption_algorithm_t,
+	 * integrity_algorithm_t, dh_group_number_t and
+	 * extended_sequence_numbers_t.
+	 *
+	 * @param type			kind of algorithm
+	 * @param alg			identifier for algorithm
+	 * @param key_size		key size to use
+	 */
+	void (*add_algorithm) (proposal_t *this, transform_type_t type,
+						   u_int16_t alg, u_int16_t key_size);
+
+	/**
+	 * Get an enumerator over algorithms for a specifc algo type.
+	 *
+	 * @param type			kind of algorithm
+	 * @return				enumerator over u_int16_t alg, u_int16_t key_size
+	 */
+	enumerator_t *(*create_enumerator) (proposal_t *this, transform_type_t type);
+
+	/**
+	 * Get the algorithm for a type to use.
+	 *
+	 * If there are multiple algorithms, only the first is returned.
+	 *
+	 * @param type			kind of algorithm
+	 * @param alg			pointer which receives algorithm
+	 * @param key_size		pointer which receives the key size
+	 * @return				TRUE if algorithm of this kind available
+	 */
+	bool (*get_algorithm) (proposal_t *this, transform_type_t type,
+						   u_int16_t *alg, u_int16_t *key_size);
+
+	/**
+	 * Check if the proposal has a specific DH group.
+	 *
+	 * @param group			group to check for
+	 * @return				TRUE if algorithm included
+	 */
+	bool (*has_dh_group) (proposal_t *this, diffie_hellman_group_t group);
+
+	/**
+	 * Strip DH groups from proposal to use it without PFS.
+	 */
+	void (*strip_dh)(proposal_t *this);
+
+	/**
+	 * Compare two proposal, and select a matching subset.
+	 *
+	 * If the proposals are for the same protocols (AH/ESP), they are
+	 * compared. If they have at least one algorithm of each type
+	 * in common, a resulting proposal of this kind is created.
+	 *
+	 * @param other			proposal to compair agains
+	 * @param private		accepts algorithms allocated in a private range
+	 * @return				selected proposal, NULL if proposals don't match
+	 */
+	proposal_t *(*select) (proposal_t *this, proposal_t *other, bool private);
+
+	/**
+	 * Get the protocol ID of the proposal.
+	 *
+	 * @return				protocol of the proposal
+	 */
+	protocol_id_t (*get_protocol) (proposal_t *this);
+
+	/**
+	 * Get the SPI of the proposal.
+	 *
+	 * @return				spi for proto
+	 */
+	u_int64_t (*get_spi) (proposal_t *this);
+
+	/**
+	 * Set the SPI of the proposal.
+	 *
+	 * @param spi			spi to set for proto
+	 */
+	void (*set_spi) (proposal_t *this, u_int64_t spi);
+
+	/**
+	 * Check for the eqality of two proposals.
+	 *
+	 * @param other			other proposal to check for equality
+	 * @return				TRUE if other equal to this
+	 */
+	bool (*equals)(proposal_t *this, proposal_t *other);
+
+	/**
+	 * Clone a proposal.
+	 *
+	 * @return				clone of proposal
+	 */
+	proposal_t *(*clone) (proposal_t *this);
+
+	/**
+	 * Destroys the proposal object.
+	 */
+	void (*destroy) (proposal_t *this);
+};
+
+/**
+ * Create a child proposal for AH, ESP or IKE.
+ *
+ * @param protocol			protocol, such as PROTO_ESP
+ * @return 					proposal_t object
+ */
+proposal_t *proposal_create(protocol_id_t protocol);
+
+/**
+ * Create a default proposal if nothing further specified.
+ *
+ * @param protocol			protocol, such as PROTO_ESP
+ * @return 					proposal_t object
+ */
+proposal_t *proposal_create_default(protocol_id_t protocol);
+
+/**
+ * Create a proposal from a string identifying the algorithms.
+ *
+ * The string is in the same form as a in the ipsec.conf file.
+ * E.g.:	aes128-sha2_256-modp2048
+ *		  3des-md5
+ * An additional '!' at the end of the string forces this proposal,
+ * without it the peer may choose another algorithm we support.
+ *
+ * @param protocol			protocol, such as PROTO_ESP
+ * @param algs				algorithms as string
+ * @return 					proposal_t object
+ */
+proposal_t *proposal_create_from_string(protocol_id_t protocol, const char *algs);
+
+/**
+ * printf hook function for proposal_t.
+ *
+ * Arguments are:
+ *	proposal_t *proposal
+ * With the #-specifier, arguments are:
+ *	linked_list_t *list containing proposal_t*
+ */
+int proposal_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
+						 const void *const *args);
+
+#endif /** PROPOSAL_H_ @}*/
diff --git a/src/libcharon/control/controller.c b/src/libcharon/control/controller.c
new file mode 100644
index 000000000..94c64028c
--- /dev/null
+++ b/src/libcharon/control/controller.c
@@ -0,0 +1,455 @@
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "controller.h"
+
+#include <sys/types.h>
+#include <dirent.h>
+#include <sys/stat.h>
+#include <dlfcn.h>
+
+#include <daemon.h>
+#include <library.h>
+
+
+typedef struct private_controller_t private_controller_t;
+typedef struct interface_listener_t interface_listener_t;
+
+/**
+ * Private data of an stroke_t object.
+ */
+struct private_controller_t {
+
+	/**
+	 * Public part of stroke_t object.
+	 */
+	controller_t public;
+};
+
+/**
+ * helper struct to map listener callbacks to interface callbacks
+ */
+struct interface_listener_t {
+
+	/**
+	 * public bus listener interface
+	 */
+	listener_t public;
+
+	/**
+	 * status of the operation, return to method callers
+	 */
+	status_t status;
+
+	/**
+	 *  interface callback (listener gets redirected to here)
+	 */
+	controller_cb_t callback;
+
+	/**
+	 * user parameter to pass to callback
+	 */
+	void *param;
+
+	/**
+	 * child configuration, used for initiate
+	 */
+	child_cfg_t *child_cfg;
+
+	/**
+	 * peer configuration, used for initiate
+	 */
+	peer_cfg_t *peer_cfg;
+
+	/**
+	 * IKE_SA to handle
+	 */
+	ike_sa_t *ike_sa;
+
+	/**
+	 * CHILD_SA to handle
+	 */
+	child_sa_t *child_sa;
+
+	/**
+	 * unique ID, used for various methods
+	 */
+	u_int32_t id;
+};
+
+
+typedef struct interface_job_t interface_job_t;
+
+/**
+ * job for asynchronous listen operations
+ */
+struct interface_job_t {
+	/**
+	 * job interface
+	 */
+	job_t public;
+
+	/**
+	 * associated listener
+	 */
+	interface_listener_t listener;
+};
+
+/**
+ * listener log function
+ */
+static bool listener_log(interface_listener_t *this, debug_t group,
+						 level_t level, int thread, ike_sa_t *ike_sa,
+						 char* format, va_list args)
+{
+	if (this->ike_sa == ike_sa)
+	{
+		if (!this->callback(this->param, group, level, ike_sa, format, args))
+		{
+			return FALSE;
+		}
+	}
+	return TRUE;
+}
+
+/**
+ * Implementation of listener_t.ike_state_change
+ */
+static bool listener_ike_state(interface_listener_t *this, ike_sa_t *ike_sa,
+							   ike_sa_state_t state)
+{
+	if (this->ike_sa == ike_sa)
+	{
+		switch (state)
+		{
+#ifdef ME
+			case IKE_ESTABLISHED:
+			{	/* mediation connections are complete without CHILD_SA */
+				peer_cfg_t *peer_cfg = ike_sa->get_peer_cfg(ike_sa);
+
+				if (peer_cfg->is_mediation(peer_cfg))
+				{
+					this->status = SUCCESS;
+					return FALSE;
+				}
+				break;
+			}
+#endif /* ME */
+			case IKE_DESTROYING:
+				if (ike_sa->get_state(ike_sa) == IKE_DELETING)
+				{	/* proper termination */
+					this->status = SUCCESS;
+				}
+				return FALSE;
+			default:
+				break;
+		}
+	}
+	return TRUE;
+}
+
+/**
+ * Implementation of listener_t.child_state_change
+ */
+static bool listener_child_state(interface_listener_t *this, ike_sa_t *ike_sa,
+								 child_sa_t *child_sa, child_sa_state_t state)
+{
+	if (this->ike_sa == ike_sa)
+	{
+		switch (state)
+		{
+			case CHILD_INSTALLED:
+				this->status = SUCCESS;
+				return FALSE;
+			case CHILD_DESTROYING:
+				switch (child_sa->get_state(child_sa))
+				{
+					case CHILD_DELETING:
+						/* proper delete */
+						this->status = SUCCESS;
+						break;
+					default:
+						break;
+				}
+				return FALSE;
+			default:
+				break;
+		}
+	}
+	return TRUE;
+}
+
+/**
+ * cleanup job if job is never executed
+ */
+static void recheckin(interface_job_t *job)
+{
+	if (job->listener.ike_sa)
+	{
+		charon->ike_sa_manager->checkin(charon->ike_sa_manager,
+										job->listener.ike_sa);
+	}
+}
+
+/**
+ * Implementation of controller_t.create_ike_sa_iterator.
+ */
+static enumerator_t* create_ike_sa_enumerator(controller_t *this)
+{
+	return charon->ike_sa_manager->create_enumerator(charon->ike_sa_manager);
+}
+
+/**
+ * execute function for initiate
+ */
+static status_t initiate_execute(interface_job_t *job)
+{
+	ike_sa_t *ike_sa;
+	interface_listener_t *listener = &job->listener;
+	peer_cfg_t *peer_cfg = listener->peer_cfg;
+
+	ike_sa = charon->ike_sa_manager->checkout_by_config(charon->ike_sa_manager,
+														peer_cfg);
+	listener->ike_sa = ike_sa;
+
+	if (ike_sa->get_peer_cfg(ike_sa) == NULL)
+	{
+		ike_sa->set_peer_cfg(ike_sa, peer_cfg);
+	}
+	peer_cfg->destroy(peer_cfg);
+
+	if (ike_sa->initiate(ike_sa, listener->child_cfg, 0, NULL, NULL) == SUCCESS)
+	{
+		charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+		return SUCCESS;
+	}
+	charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, ike_sa);
+	return FAILED;
+}
+
+/**
+ * Implementation of controller_t.initiate.
+ */
+static status_t initiate(private_controller_t *this,
+						 peer_cfg_t *peer_cfg, child_cfg_t *child_cfg,
+						 controller_cb_t callback, void *param)
+{
+	interface_job_t job = {
+		.listener = {
+			.public = {
+				.log = (void*)listener_log,
+				.ike_state_change = (void*)listener_ike_state,
+				.child_state_change = (void*)listener_child_state,
+			},
+			.callback = callback,
+			.param = param,
+			.status = FAILED,
+			.child_cfg = child_cfg,
+			.peer_cfg = peer_cfg,
+		},
+		.public = {
+			.execute = (void*)initiate_execute,
+			.destroy = (void*)recheckin,
+		},
+	};
+	if (callback == NULL)
+	{
+		return initiate_execute(&job);
+	}
+	charon->bus->listen(charon->bus, &job.listener.public, (job_t*)&job);
+	return job.listener.status;
+}
+
+/**
+ * execute function for terminate_ike
+ */
+static status_t terminate_ike_execute(interface_job_t *job)
+{
+	interface_listener_t *listener = &job->listener;
+	ike_sa_t *ike_sa = listener->ike_sa;
+
+	charon->bus->set_sa(charon->bus, ike_sa);
+
+	if (ike_sa->delete(ike_sa) != DESTROY_ME)
+	{
+		charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+		/* delete failed */
+		return FAILED;
+	}
+	charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, ike_sa);
+	return SUCCESS;
+}
+
+/**
+ * Implementation of controller_t.terminate_ike.
+ */
+static status_t terminate_ike(controller_t *this, u_int32_t unique_id,
+							  controller_cb_t callback, void *param)
+{
+	ike_sa_t *ike_sa;
+	interface_job_t job = {
+		.listener = {
+			.public = {
+				.log = (void*)listener_log,
+				.ike_state_change = (void*)listener_ike_state,
+				.child_state_change = (void*)listener_child_state,
+			},
+			.callback = callback,
+			.param = param,
+			.status = FAILED,
+			.id = unique_id,
+		},
+		.public = {
+			.execute = (void*)terminate_ike_execute,
+			.destroy = (void*)recheckin,
+		},
+	};
+
+	ike_sa = charon->ike_sa_manager->checkout_by_id(charon->ike_sa_manager,
+													unique_id, FALSE);
+	if (ike_sa == NULL)
+	{
+		DBG1(DBG_IKE, "unable to terminate IKE_SA: ID %d not found", unique_id);
+		return NOT_FOUND;
+	}
+	job.listener.ike_sa = ike_sa;
+
+	if (callback == NULL)
+	{
+		return terminate_ike_execute(&job);
+	}
+	charon->bus->listen(charon->bus, &job.listener.public, (job_t*)&job);
+	return job.listener.status;
+}
+
+/**
+ * execute function for terminate_child
+ */
+static status_t terminate_child_execute(interface_job_t *job)
+{
+	interface_listener_t *listener = &job->listener;
+	ike_sa_t *ike_sa = listener->ike_sa;
+	child_sa_t *child_sa = listener->child_sa;
+
+	charon->bus->set_sa(charon->bus, ike_sa);
+	if (ike_sa->delete_child_sa(ike_sa, child_sa->get_protocol(child_sa),
+								child_sa->get_spi(child_sa, TRUE)) != DESTROY_ME)
+	{
+		charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+		return SUCCESS;
+	}
+	charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, ike_sa);
+	return FAILED;
+}
+
+/**
+ * Implementation of controller_t.terminate_child.
+ */
+static status_t terminate_child(controller_t *this, u_int32_t reqid,
+								controller_cb_t callback, void *param)
+{
+	ike_sa_t *ike_sa;
+	child_sa_t *child_sa;
+	iterator_t *iterator;
+	interface_job_t job = {
+		.listener = {
+			.public = {
+				.log = (void*)listener_log,
+				.ike_state_change = (void*)listener_ike_state,
+				.child_state_change = (void*)listener_child_state,
+			},
+			.callback = callback,
+			.param = param,
+			.status = FAILED,
+			.id = reqid,
+		},
+		.public = {
+			.execute = (void*)terminate_child_execute,
+			.destroy = (void*)recheckin,
+		},
+	};
+
+	ike_sa = charon->ike_sa_manager->checkout_by_id(charon->ike_sa_manager,
+													reqid, TRUE);
+	if (ike_sa == NULL)
+	{
+		DBG1(DBG_IKE, "unable to terminate, CHILD_SA with ID %d not found",
+			 reqid);
+		return NOT_FOUND;
+	}
+	job.listener.ike_sa = ike_sa;
+
+	iterator = ike_sa->create_child_sa_iterator(ike_sa);
+	while (iterator->iterate(iterator, (void**)&child_sa))
+	{
+		if (child_sa->get_state(child_sa) != CHILD_ROUTED &&
+			child_sa->get_reqid(child_sa) == reqid)
+		{
+			break;
+		}
+		child_sa = NULL;
+	}
+	iterator->destroy(iterator);
+
+	if (child_sa == NULL)
+	{
+		DBG1(DBG_IKE, "unable to terminate, established "
+			 "CHILD_SA with ID %d not found", reqid);
+		charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+		return NOT_FOUND;
+	}
+	job.listener.child_sa = child_sa;
+
+	if (callback == NULL)
+	{
+		return terminate_child_execute(&job);
+	}
+	charon->bus->listen(charon->bus, &job.listener.public, (job_t*)&job);
+	return job.listener.status;
+}
+
+/**
+ * See header
+ */
+bool controller_cb_empty(void *param, debug_t group, level_t level,
+					ike_sa_t *ike_sa, char *format, va_list args)
+{
+	return TRUE;
+}
+
+/**
+ * Implementation of stroke_t.destroy.
+ */
+static void destroy(private_controller_t *this)
+{
+	free(this);
+}
+
+/*
+ * Described in header-file
+ */
+controller_t *controller_create(void)
+{
+	private_controller_t *this = malloc_thing(private_controller_t);
+
+	this->public.create_ike_sa_enumerator = (enumerator_t*(*)(controller_t*))create_ike_sa_enumerator;
+	this->public.initiate = (status_t(*)(controller_t*,peer_cfg_t*,child_cfg_t*,controller_cb_t,void*))initiate;
+	this->public.terminate_ike = (status_t(*)(controller_t*,u_int32_t,controller_cb_t, void*))terminate_ike;
+	this->public.terminate_child = (status_t(*)(controller_t*,u_int32_t,controller_cb_t, void *param))terminate_child;
+	this->public.destroy = (void (*)(controller_t*))destroy;
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/control/controller.h b/src/libcharon/control/controller.h
new file mode 100644
index 000000000..31b69c78c
--- /dev/null
+++ b/src/libcharon/control/controller.h
@@ -0,0 +1,140 @@
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup controller_i controller
+ * @{ @ingroup control
+ */
+
+#ifndef CONTROLLER_H_
+#define CONTROLLER_H_
+
+#include <bus/bus.h>
+
+/**
+ * callback to log things triggered by controller.
+ *
+ * @param param			echoed parameter supplied when function invoked
+ * @param group			debugging group
+ * @param level			verbosity level if log
+ * @param ike_sa		associated IKE_SA, if any
+ * @param format		printf like format string
+ * @param args			list of arguments to use for format
+ * @return				FALSE to return from invoked function
+ */
+typedef bool(*controller_cb_t)(void* param, debug_t group, level_t level,
+							   ike_sa_t* ike_sa, char* format, va_list args);
+
+/**
+ * Empty callback function for controller_t functions.
+ *
+ * If you want to do a synchronous call, but don't need a callback, pass
+ * this function to the controllers methods.
+ */
+bool controller_cb_empty(void *param, debug_t group, level_t level,
+						 ike_sa_t *ike_sa, char *format, va_list args);
+
+typedef struct controller_t controller_t;
+
+/**
+ * The controller provides a simple interface to run actions.
+ *
+ * The controller starts actions by creating jobs. It then tries to
+ * evaluate the result of the operation by listening on the bus.
+ *
+ * Passing NULL as callback to the managers function calls them asynchronously.
+ * If a callback is specified, they are called synchronously. There is a default
+ * callback "controller_cb_empty" if you wan't to call a function
+ * synchronously, but don't need a callback.
+ */
+struct controller_t {
+
+	/**
+	 * Create an enumerator for all IKE_SAs.
+	 *
+	 * The enumerator blocks the IKE_SA manager until it gets destroyed. Do
+	 * not call another interface/manager method while the iterator is alive.
+	 *
+	 * @return				enumerator, locks IKE_SA manager until destroyed
+	 */
+	enumerator_t* (*create_ike_sa_enumerator)(controller_t *this);
+
+	/**
+	 * Initiate a CHILD_SA, and if required, an IKE_SA.
+	 *
+	 * The initiate() function is synchronous and thus blocks until the
+	 * IKE_SA is established or failed. Because of this, the initiate() function
+	 * contains a thread cancellation point.
+	 *
+	 * @param peer_cfg		peer_cfg to use for IKE_SA setup
+	 * @param child_cfg		child_cfg to set up CHILD_SA from
+	 * @param cb			logging callback
+	 * @param param			parameter to include in each call of cb
+	 * @return
+	 *						- SUCCESS, if CHILD_SA established
+	 *						- FAILED, if setup failed
+	 *						- NEED_MORE, if callback returned FALSE
+	 */
+	status_t (*initiate)(controller_t *this,
+						 peer_cfg_t *peer_cfg, child_cfg_t *child_cfg,
+						 controller_cb_t callback, void *param);
+
+	/**
+	 * Terminate an IKE_SA and all of its CHILD_SAs.
+	 *
+	 * The terminate() function is synchronous and thus blocks until the
+	 * IKE_SA is properly deleted, or the delete timed out.
+	 * The terminate() function contains a thread cancellation point.
+	 *
+	 * @param unique_id		unique id of the IKE_SA to terminate.
+	 * @param cb			logging callback
+	 * @param param			parameter to include in each call of cb
+	 * @return
+	 *						- SUCCESS, if CHILD_SA terminated
+	 *						- NOT_FOUND, if no such CHILD_SA found
+	 *						- NEED_MORE, if callback returned FALSE
+	 */
+	status_t (*terminate_ike)(controller_t *this, u_int32_t unique_id,
+							  controller_cb_t callback, void *param);
+
+	/**
+	 * Terminate a CHILD_SA.
+	 *
+	 * @param reqid			reqid of the CHILD_SA to terminate
+	 * @param cb			logging callback
+	 * @param param			parameter to include in each call of cb
+	 * @return
+	 *						- SUCCESS, if CHILD_SA terminated
+	 *						- NOT_FOUND, if no such CHILD_SA found
+	 *						- NEED_MORE, if callback returned FALSE
+	 */
+	status_t (*terminate_child)(controller_t *this, u_int32_t reqid,
+								controller_cb_t callback, void *param);
+
+	/**
+	 * Destroy a controller_t instance.
+	 */
+	void (*destroy) (controller_t *this);
+};
+
+
+/**
+ * Creates a controller instance.
+ *
+ * @return 			controller_t object
+ */
+controller_t *controller_create(void);
+
+#endif /** CONTROLLER_H_ @}*/
diff --git a/src/libcharon/credentials/credential_manager.c b/src/libcharon/credentials/credential_manager.c
new file mode 100644
index 000000000..adea0b4be
--- /dev/null
+++ b/src/libcharon/credentials/credential_manager.c
@@ -0,0 +1,1681 @@
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "credential_manager.h"
+
+#include <daemon.h>
+#include <threading/thread_value.h>
+#include <threading/mutex.h>
+#include <threading/rwlock.h>
+#include <utils/linked_list.h>
+#include <credentials/sets/cert_cache.h>
+#include <credentials/sets/auth_cfg_wrapper.h>
+#include <credentials/sets/ocsp_response_wrapper.h>
+#include <credentials/certificates/x509.h>
+#include <credentials/certificates/crl.h>
+#include <credentials/certificates/ocsp_request.h>
+#include <credentials/certificates/ocsp_response.h>
+
+typedef struct private_credential_manager_t private_credential_manager_t;
+
+/**
+ * private data of credential_manager
+ */
+struct private_credential_manager_t {
+
+	/**
+	 * public functions
+	 */
+	credential_manager_t public;
+
+	/**
+	 * list of credential sets
+	 */
+	linked_list_t *sets;
+
+	/**
+	 * thread local set of credentials, linked_list_t with credential_set_t's
+	 */
+	thread_value_t *local_sets;
+
+	/**
+	 * trust relationship and certificate cache
+	 */
+	cert_cache_t *cache;
+
+	/**
+	 * certificates queued for persistent caching
+	 */
+	linked_list_t *cache_queue;
+
+	/**
+	 * read-write lock to sets list
+	 */
+	rwlock_t *lock;
+
+	/**
+	 * mutex for cache queue
+	 */
+	mutex_t *queue_mutex;
+};
+
+/** data to pass to create_private_enumerator */
+typedef struct {
+	private_credential_manager_t *this;
+	key_type_t type;
+	identification_t* keyid;
+} private_data_t;
+
+/** data to pass to create_cert_enumerator */
+typedef struct {
+	private_credential_manager_t *this;
+	certificate_type_t cert;
+	key_type_t key;
+	identification_t *id;
+	bool trusted;
+} cert_data_t;
+
+/** data to pass to create_cdp_enumerator */
+typedef struct {
+	private_credential_manager_t *this;
+	certificate_type_t type;
+	identification_t *id;
+} cdp_data_t;
+
+/** data to pass to create_shared_enumerator */
+typedef struct {
+	private_credential_manager_t *this;
+	shared_key_type_t type;
+	identification_t *me;
+	identification_t *other;
+} shared_data_t;
+
+/** enumerator over local and global sets */
+typedef struct {
+	/** implements enumerator_t */
+	enumerator_t public;
+	/** enumerator over global sets */
+	enumerator_t *global;
+	/** enumerator over local sets */
+	enumerator_t *local;
+} sets_enumerator_t;
+
+/**
+ * destroy a sets_enumerator_t
+ */
+static void sets_enumerator_destroy(sets_enumerator_t *this)
+{
+	DESTROY_IF(this->global);
+	DESTROY_IF(this->local);
+	free(this);
+}
+
+/**
+ * sets_enumerator_t.enumerate
+ */
+static bool sets_enumerator_enumerate(sets_enumerator_t *this,
+									  credential_set_t **set)
+{
+	if (this->global)
+	{
+		if (this->global->enumerate(this->global, set))
+		{
+			return TRUE;
+		}
+		/* end of global sets, look for local */
+		this->global->destroy(this->global);
+		this->global = NULL;
+	}
+	if (this->local)
+	{
+		return this->local->enumerate(this->local, set);
+	}
+	return FALSE;
+}
+
+/**
+ * create an enumerator over both, global and local sets
+ */
+static enumerator_t *create_sets_enumerator(private_credential_manager_t *this)
+{
+	linked_list_t *local;
+	sets_enumerator_t *enumerator = malloc_thing(sets_enumerator_t);
+
+	enumerator->public.enumerate = (void*)sets_enumerator_enumerate;
+	enumerator->public.destroy = (void*)sets_enumerator_destroy;
+	enumerator->global = this->sets->create_enumerator(this->sets);
+	enumerator->local = NULL;
+	local = this->local_sets->get(this->local_sets);
+	if (local)
+	{
+		enumerator->local = local->create_enumerator(local);
+	}
+	return &enumerator->public;
+}
+
+/**
+ * cleanup function for cert data
+ */
+static void destroy_cert_data(cert_data_t *data)
+{
+	data->this->lock->unlock(data->this->lock);
+	free(data);
+}
+
+/**
+ * enumerator constructor for certificates
+ */
+static enumerator_t *create_cert(credential_set_t *set, cert_data_t *data)
+{
+	return set->create_cert_enumerator(set, data->cert, data->key,
+									   data->id, data->trusted);
+}
+
+/**
+ * Implementation of credential_manager_t.create_cert_enumerator.
+ */
+static enumerator_t *create_cert_enumerator(private_credential_manager_t *this,
+						certificate_type_t certificate, key_type_t key,
+						identification_t *id, bool trusted)
+{
+	cert_data_t *data = malloc_thing(cert_data_t);
+	data->this = this;
+	data->cert = certificate;
+	data->key = key;
+	data->id = id;
+	data->trusted = trusted;
+
+	this->lock->read_lock(this->lock);
+	return enumerator_create_nested(create_sets_enumerator(this),
+									(void*)create_cert, data,
+									(void*)destroy_cert_data);
+}
+
+/**
+ * Implementation of credential_manager_t.get_cert.
+ */
+static certificate_t *get_cert(private_credential_manager_t *this,
+						certificate_type_t cert, key_type_t key,
+						identification_t *id, bool trusted)
+{
+	certificate_t *current, *found = NULL;
+	enumerator_t *enumerator;
+
+	enumerator = create_cert_enumerator(this, cert, key, id, trusted);
+	if (enumerator->enumerate(enumerator, &current))
+	{
+		/* TODO: best match? order by keyid, subject, sualtname */
+		found = current->get_ref(current);
+	}
+	enumerator->destroy(enumerator);
+	return found;
+}
+
+
+/**
+ * cleanup function for cdp data
+ */
+static void destroy_cdp_data(cdp_data_t *data)
+{
+	data->this->lock->unlock(data->this->lock);
+	free(data);
+}
+
+/**
+ * enumerator constructor for CDPs
+ */
+static enumerator_t *create_cdp(credential_set_t *set, cdp_data_t *data)
+{
+	return set->create_cdp_enumerator(set, data->type, data->id);
+}
+/**
+ * Implementation of credential_manager_t.create_cdp_enumerator.
+ */
+static enumerator_t * create_cdp_enumerator(private_credential_manager_t *this,
+								certificate_type_t type, identification_t *id)
+{
+	cdp_data_t *data = malloc_thing(cdp_data_t);
+	data->this = this;
+	data->type = type;
+	data->id = id;
+
+	this->lock->read_lock(this->lock);
+	return enumerator_create_nested(create_sets_enumerator(this),
+									(void*)create_cdp, data,
+									(void*)destroy_cdp_data);
+}
+
+/**
+ * cleanup function for private data
+ */
+static void destroy_private_data(private_data_t *data)
+{
+	data->this->lock->unlock(data->this->lock);
+	free(data);
+}
+
+/**
+ * enumerator constructor for private keys
+ */
+static enumerator_t *create_private(credential_set_t *set, private_data_t *data)
+{
+	return set->create_private_enumerator(set, data->type, data->keyid);
+}
+
+/**
+ * Implementation of credential_manager_t.create_private_enumerator.
+ */
+static enumerator_t* create_private_enumerator(
+									private_credential_manager_t *this,
+									key_type_t key, identification_t *keyid)
+{
+	private_data_t *data;
+
+	data = malloc_thing(private_data_t);
+	data->this = this;
+	data->type = key;
+	data->keyid = keyid;
+	this->lock->read_lock(this->lock);
+	return enumerator_create_nested(create_sets_enumerator(this),
+									(void*)create_private, data,
+									(void*)destroy_private_data);
+}
+
+/**
+ * Implementation of credential_manager_t.get_private_by_keyid.
+ */
+static private_key_t *get_private_by_keyid(private_credential_manager_t *this,
+										key_type_t key, identification_t *keyid)
+{
+	private_key_t *found = NULL;
+	enumerator_t *enumerator;
+
+	enumerator = create_private_enumerator(this, key, keyid);
+	if (enumerator->enumerate(enumerator, &found))
+	{
+		found->get_ref(found);
+	}
+	enumerator->destroy(enumerator);
+	return found;
+}
+
+/**
+ * cleanup function for shared data
+ */
+static void destroy_shared_data(shared_data_t *data)
+{
+	data->this->lock->unlock(data->this->lock);
+	free(data);
+}
+
+/**
+ * enumerator constructor for shared keys
+ */
+static enumerator_t *create_shared(credential_set_t *set, shared_data_t *data)
+{
+	return set->create_shared_enumerator(set, data->type, data->me, data->other);
+}
+
+/**
+ * Implementation of credential_manager_t.create_shared_enumerator.
+ */
+static enumerator_t *create_shared_enumerator(private_credential_manager_t *this,
+						shared_key_type_t type,
+						identification_t *me, identification_t *other)
+{
+	shared_data_t *data = malloc_thing(shared_data_t);
+	data->this = this;
+	data->type = type;
+	data->me = me;
+	data->other = other;
+
+	this->lock->read_lock(this->lock);
+	return enumerator_create_nested(create_sets_enumerator(this),
+									(void*)create_shared, data,
+									(void*)destroy_shared_data);
+}
+
+/**
+ * Implementation of credential_manager_t.get_shared.
+ */
+static shared_key_t *get_shared(private_credential_manager_t *this,
+								shared_key_type_t type,	identification_t *me,
+								identification_t *other)
+{
+	shared_key_t *current, *found = NULL;
+	id_match_t *best_me = ID_MATCH_NONE, *best_other = ID_MATCH_NONE;
+	id_match_t *match_me, *match_other;
+	enumerator_t *enumerator;
+
+	enumerator = create_shared_enumerator(this, type, me, other);
+	while (enumerator->enumerate(enumerator, &current, &match_me, &match_other))
+	{
+		if (match_other > best_other ||
+			(match_other == best_other && match_me > best_me))
+		{
+			DESTROY_IF(found);
+			found = current->get_ref(current);
+			best_me = match_me;
+			best_other = match_other;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return found;
+}
+
+/**
+ * add a credential set to the thread local list
+ */
+static void add_local_set(private_credential_manager_t *this,
+						  credential_set_t *set)
+{
+	linked_list_t *sets;
+
+	sets = this->local_sets->get(this->local_sets);
+	if (!sets)
+	{	/* first invocation */
+		sets = linked_list_create();
+		this->local_sets->set(this->local_sets, sets);
+	}
+	sets->insert_last(sets, set);
+}
+
+/**
+ * remove a credential set from the thread local list
+ */
+static void remove_local_set(private_credential_manager_t *this,
+							 credential_set_t *set)
+{
+	linked_list_t *sets;
+
+	sets = this->local_sets->get(this->local_sets);
+	sets->remove(sets, set, NULL);
+}
+
+/**
+ * Implementation of credential_manager_t.cache_cert.
+ */
+static void cache_cert(private_credential_manager_t *this, certificate_t *cert)
+{
+	credential_set_t *set;
+	enumerator_t *enumerator;
+
+	if (this->lock->try_write_lock(this->lock))
+	{
+		enumerator = this->sets->create_enumerator(this->sets);
+		while (enumerator->enumerate(enumerator, &set))
+		{
+			set->cache_cert(set, cert);
+		}
+		enumerator->destroy(enumerator);
+		this->lock->unlock(this->lock);
+	}
+	else
+	{	/* we can't cache now as other threads are active, queue for later */
+		this->queue_mutex->lock(this->queue_mutex);
+		this->cache_queue->insert_last(this->cache_queue, cert->get_ref(cert));
+		this->queue_mutex->unlock(this->queue_mutex);
+	}
+}
+
+/**
+ * Try to cache certificates queued for caching
+ */
+static void cache_queue(private_credential_manager_t *this)
+{
+	credential_set_t *set;
+	certificate_t *cert;
+	enumerator_t *enumerator;
+
+	this->queue_mutex->lock(this->queue_mutex);
+	if (this->cache_queue->get_count(this->cache_queue) > 0 &&
+		this->lock->try_write_lock(this->lock))
+	{
+		while (this->cache_queue->remove_last(this->cache_queue,
+											  (void**)&cert) == SUCCESS)
+		{
+			enumerator = this->sets->create_enumerator(this->sets);
+			while (enumerator->enumerate(enumerator, &set))
+			{
+				set->cache_cert(set, cert);
+			}
+			enumerator->destroy(enumerator);
+			cert->destroy(cert);
+		}
+		this->lock->unlock(this->lock);
+	}
+	this->queue_mutex->unlock(this->queue_mutex);
+}
+
+/**
+ * forward declaration
+ */
+static enumerator_t *create_trusted_enumerator(private_credential_manager_t *this,
+					key_type_t type, identification_t *id, bool crl, bool ocsp);
+
+/**
+ * Do an OCSP request
+ */
+static certificate_t *fetch_ocsp(private_credential_manager_t *this, char *url,
+								 certificate_t *subject, certificate_t *issuer)
+{
+	certificate_t *request, *response;
+	chunk_t send, receive;
+
+	/* TODO: requestor name, signature */
+	request = lib->creds->create(lib->creds,
+						CRED_CERTIFICATE, CERT_X509_OCSP_REQUEST,
+						BUILD_CA_CERT, issuer,
+						BUILD_CERT, subject, BUILD_END);
+	if (!request)
+	{
+		DBG1(DBG_CFG, "generating ocsp request failed");
+		return NULL;
+	}
+
+	send = request->get_encoding(request);
+	request->destroy(request);
+
+	DBG1(DBG_CFG, "  requesting ocsp status from '%s' ...", url);
+	if (lib->fetcher->fetch(lib->fetcher, url, &receive,
+							FETCH_REQUEST_DATA, send,
+							FETCH_REQUEST_TYPE, "application/ocsp-request",
+							FETCH_END) != SUCCESS)
+	{
+		DBG1(DBG_CFG, "ocsp request to %s failed", url);
+		chunk_free(&send);
+		return NULL;
+	}
+	chunk_free(&send);
+
+	response = lib->creds->create(lib->creds,
+								  CRED_CERTIFICATE, CERT_X509_OCSP_RESPONSE,
+								  BUILD_BLOB_ASN1_DER, receive, BUILD_END);
+	chunk_free(&receive);
+	if (!response)
+	{
+		DBG1(DBG_CFG, "parsing ocsp response failed");
+		return NULL;
+	}
+	return response;
+}
+
+/**
+ * check the signature of an OCSP response
+ */
+static bool verify_ocsp(private_credential_manager_t *this,
+						ocsp_response_t *response)
+{
+	certificate_t *issuer, *subject;
+	identification_t *responder;
+	ocsp_response_wrapper_t *wrapper;
+	enumerator_t *enumerator;
+	bool verified = FALSE;
+
+	wrapper = ocsp_response_wrapper_create((ocsp_response_t*)response);
+	add_local_set(this, &wrapper->set);
+
+	subject = &response->certificate;
+	responder = subject->get_issuer(subject);
+	enumerator = create_trusted_enumerator(this, KEY_ANY, responder, FALSE, FALSE);
+	while (enumerator->enumerate(enumerator, &issuer, NULL))
+	{
+		if (this->cache->issued_by(this->cache, subject, issuer))
+		{
+			DBG1(DBG_CFG, "  ocsp response correctly signed by \"%Y\"",
+							 issuer->get_subject(issuer));
+			verified = TRUE;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	remove_local_set(this, &wrapper->set);
+	wrapper->destroy(wrapper);
+	return verified;
+}
+
+/**
+ * Get the better of two OCSP responses, and check for usable OCSP info
+ */
+static certificate_t *get_better_ocsp(private_credential_manager_t *this,
+									  certificate_t *cand, certificate_t *best,
+									  x509_t *subject, x509_t *issuer,
+									  cert_validation_t *valid, bool cache)
+{
+	ocsp_response_t *response;
+	time_t revocation, this_update, next_update, valid_until;
+	crl_reason_t reason;
+	bool revoked = FALSE;
+
+	response = (ocsp_response_t*)cand;
+
+	/* check ocsp signature */
+	if (!verify_ocsp(this, response))
+	{
+		DBG1(DBG_CFG, "ocsp response verification failed");
+		cand->destroy(cand);
+		return best;
+	}
+	/* check if response contains our certificate */
+	switch (response->get_status(response, subject, issuer, &revocation, &reason,
+								 &this_update, &next_update))
+	{
+		case VALIDATION_REVOKED:
+			/* subject has been revoked by a valid OCSP response */
+			DBG1(DBG_CFG, "certificate was revoked on %T, reason: %N",
+						  &revocation, TRUE, crl_reason_names, reason);
+			revoked = TRUE;
+			break;
+		case VALIDATION_GOOD:
+			/* results in either good or stale */
+			break;
+		default:
+		case VALIDATION_FAILED:
+			/* candidate unusable, does not contain our cert */
+			DBG1(DBG_CFG, "  ocsp response contains no status on our certificate");
+			cand->destroy(cand);
+			return best;
+	}
+
+	/* select the better of the two responses */
+	if (best == NULL || cand->is_newer(cand, best))
+	{
+		DESTROY_IF(best);
+		best = cand;
+		if (best->get_validity(best, NULL, NULL, &valid_until))
+		{
+			DBG1(DBG_CFG, "  ocsp response is valid: until %T",
+							 &valid_until, FALSE);
+			*valid = VALIDATION_GOOD;
+			if (cache)
+			{	/* cache non-stale only, stale certs get refetched */
+				cache_cert(this, best);
+			}
+		}
+		else
+		{
+			DBG1(DBG_CFG, "  ocsp response is stale: since %T",
+							 &valid_until, FALSE);
+			*valid = VALIDATION_STALE;
+		}
+	}
+	else
+	{
+		*valid = VALIDATION_STALE;
+		cand->destroy(cand);
+	}
+	if (revoked)
+	{	/* revoked always counts, even if stale */
+		*valid = VALIDATION_REVOKED;
+	}
+	return best;
+}
+
+/**
+ * validate a x509 certificate using OCSP
+ */
+static cert_validation_t check_ocsp(private_credential_manager_t *this,
+									x509_t *subject, x509_t *issuer,
+									auth_cfg_t *auth)
+{
+	enumerator_t *enumerator;
+	cert_validation_t valid = VALIDATION_SKIPPED;
+	certificate_t *best = NULL, *current;
+	identification_t *keyid = NULL;
+	public_key_t *public;
+	chunk_t chunk;
+	char *uri = NULL;
+
+	/** lookup cache for valid OCSP responses */
+	enumerator = create_cert_enumerator(this, CERT_X509_OCSP_RESPONSE,
+										KEY_ANY, NULL, FALSE);
+	while (enumerator->enumerate(enumerator, &current))
+	{
+		current->get_ref(current);
+		best = get_better_ocsp(this, current, best, subject, issuer,
+							   &valid, FALSE);
+		if (best && valid != VALIDATION_STALE)
+		{
+			DBG1(DBG_CFG, "  using cached ocsp response");
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	/* derive the authorityKeyIdentifier from the issuer's public key */
+	current = &issuer->interface;
+	public = current->get_public_key(current);
+	if (public && public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1, &chunk))
+	{
+		keyid = identification_create_from_encoding(ID_KEY_ID, chunk);
+	}
+	/** fetch from configured OCSP responder URLs */
+	if (keyid && valid != VALIDATION_GOOD && valid != VALIDATION_REVOKED)
+	{
+		enumerator = create_cdp_enumerator(this, CERT_X509_OCSP_RESPONSE, keyid);
+		while (enumerator->enumerate(enumerator, &uri))
+		{
+			current = fetch_ocsp(this, uri, &subject->interface,
+								 &issuer->interface);
+			if (current)
+			{
+				best = get_better_ocsp(this, current, best, subject, issuer,
+									   &valid, TRUE);
+				if (best && valid != VALIDATION_STALE)
+				{
+					break;
+				}
+			}
+		}
+		enumerator->destroy(enumerator);
+	}
+	DESTROY_IF(public);
+	DESTROY_IF(keyid);
+
+	/* fallback to URL fetching from subject certificate's URIs */
+	if (valid != VALIDATION_GOOD && valid != VALIDATION_REVOKED)
+	{
+		enumerator = subject->create_ocsp_uri_enumerator(subject);
+		while (enumerator->enumerate(enumerator, &uri))
+		{
+			current = fetch_ocsp(this, uri, &subject->interface,
+								 &issuer->interface);
+			if (current)
+			{
+				best = get_better_ocsp(this, current, best, subject, issuer,
+									   &valid, TRUE);
+				if (best && valid != VALIDATION_STALE)
+				{
+					break;
+				}
+			}
+		}
+		enumerator->destroy(enumerator);
+	}
+	/* an uri was found, but no result. switch validation state to failed */
+	if (valid == VALIDATION_SKIPPED && uri)
+	{
+		valid = VALIDATION_FAILED;
+	}
+	if (auth)
+	{
+		auth->add(auth, AUTH_RULE_OCSP_VALIDATION, valid);
+		if (valid == VALIDATION_GOOD)
+		{	/* successful OCSP check fulfills also CRL constraint */
+			auth->add(auth, AUTH_RULE_CRL_VALIDATION, VALIDATION_GOOD);
+		}
+	}
+	DESTROY_IF(best);
+	return valid;
+}
+
+/**
+ * fetch a CRL from an URL
+ */
+static certificate_t* fetch_crl(private_credential_manager_t *this, char *url)
+{
+	certificate_t *crl;
+	chunk_t chunk;
+
+	DBG1(DBG_CFG, "  fetching crl from '%s' ...", url);
+	if (lib->fetcher->fetch(lib->fetcher, url, &chunk, FETCH_END) != SUCCESS)
+	{
+		DBG1(DBG_CFG, "crl fetching failed");
+		return NULL;
+	}
+	crl = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL,
+							 BUILD_BLOB_ASN1_DER, chunk, BUILD_END);
+	chunk_free(&chunk);
+	if (!crl)
+	{
+		DBG1(DBG_CFG, "crl fetched successfully but parsing failed");
+		return NULL;
+	}
+	return crl;
+}
+
+/**
+ * check the signature of an CRL
+ */
+static bool verify_crl(private_credential_manager_t *this, certificate_t *crl)
+{
+	certificate_t *issuer;
+	enumerator_t *enumerator;
+	bool verified = FALSE;
+
+	enumerator = create_trusted_enumerator(this, KEY_ANY, crl->get_issuer(crl),
+										   FALSE, FALSE);
+	while (enumerator->enumerate(enumerator, &issuer, NULL))
+	{
+		if (this->cache->issued_by(this->cache, crl, issuer))
+		{
+			DBG1(DBG_CFG, "  crl correctly signed by \"%Y\"",
+						   issuer->get_subject(issuer));
+			verified = TRUE;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	return verified;
+}
+
+/**
+ * Get the better of two CRLs, and check for usable CRL info
+ */
+static certificate_t *get_better_crl(private_credential_manager_t *this,
+									 certificate_t *cand, certificate_t *best,
+									 x509_t *subject, x509_t *issuer,
+									 cert_validation_t *valid, bool cache)
+{
+	enumerator_t *enumerator;
+	time_t revocation, valid_until;
+	crl_reason_t reason;
+	chunk_t serial;
+	crl_t *crl;
+
+	/* check CRL signature */
+	if (!verify_crl(this, cand))
+	{
+		DBG1(DBG_CFG, "crl response verification failed");
+		cand->destroy(cand);
+		return best;
+	}
+
+	crl = (crl_t*)cand;
+	enumerator = crl->create_enumerator(crl);
+	while (enumerator->enumerate(enumerator, &serial, &revocation, &reason))
+	{
+		if (chunk_equals(serial, subject->get_serial(subject)))
+		{
+			DBG1(DBG_CFG, "certificate was revoked on %T, reason: %N",
+				 &revocation, TRUE, crl_reason_names, reason);
+			*valid = VALIDATION_REVOKED;
+			enumerator->destroy(enumerator);
+			DESTROY_IF(best);
+			return cand;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	/* select the better of the two CRLs */
+	if (best == NULL || cand->is_newer(cand, best))
+	{
+		DESTROY_IF(best);
+		best = cand;
+		if (best->get_validity(best, NULL, NULL, &valid_until))
+		{
+			DBG1(DBG_CFG, "  crl is valid: until %T", &valid_until, FALSE);
+			*valid = VALIDATION_GOOD;
+			if (cache)
+			{	/* we cache non-stale crls only, as a stale crls are refetched */
+				cache_cert(this, best);
+			}
+		}
+		else
+		{
+			DBG1(DBG_CFG, "  crl is stale: since %T", &valid_until, FALSE);
+			*valid = VALIDATION_STALE;
+		}
+	}
+	else
+	{
+		*valid = VALIDATION_STALE;
+		cand->destroy(cand);
+	}
+	return best;
+}
+
+/**
+ * validate a x509 certificate using CRL
+ */
+static cert_validation_t check_crl(private_credential_manager_t *this,
+								   x509_t *subject, x509_t *issuer,
+								   auth_cfg_t *auth)
+{
+	cert_validation_t valid = VALIDATION_SKIPPED;
+	identification_t *keyid = NULL;
+	certificate_t *best = NULL;
+	certificate_t *current;
+	public_key_t *public;
+	enumerator_t *enumerator;
+	chunk_t chunk;
+	char *uri = NULL;
+
+	/* derive the authorityKeyIdentifier from the issuer's public key */
+	current = &issuer->interface;
+	public = current->get_public_key(current);
+	if (public && public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1, &chunk))
+	{
+		keyid = identification_create_from_encoding(ID_KEY_ID, chunk);
+
+		/* find a cached crl by authorityKeyIdentifier */
+		enumerator = create_cert_enumerator(this, CERT_X509_CRL, KEY_ANY,
+											keyid, FALSE);
+		while (enumerator->enumerate(enumerator, &current))
+		{
+			current->get_ref(current);
+			best = get_better_crl(this, current, best, subject, issuer,
+								  &valid, FALSE);
+			if (best && valid != VALIDATION_STALE)
+			{
+				DBG1(DBG_CFG, "  using cached crl");
+				break;
+			}
+		}
+		enumerator->destroy(enumerator);
+
+		/* fallback to fetching crls from credential sets cdps */
+		if (valid != VALIDATION_GOOD && valid != VALIDATION_REVOKED)
+		{
+			enumerator = create_cdp_enumerator(this, CERT_X509_CRL, keyid);
+
+			while (enumerator->enumerate(enumerator, &uri))
+			{
+				current = fetch_crl(this, uri);
+				if (current)
+				{
+					best = get_better_crl(this, current, best, subject, issuer,
+										  &valid, TRUE);
+					if (best && valid != VALIDATION_STALE)
+					{
+						break;
+					}
+				}
+			}
+			enumerator->destroy(enumerator);
+		}
+		keyid->destroy(keyid);
+	}
+	DESTROY_IF(public);
+
+	/* fallback to fetching crls from cdps from subject's certificate */
+	if (valid != VALIDATION_GOOD && valid != VALIDATION_REVOKED)
+	{
+		enumerator = subject->create_crl_uri_enumerator(subject);
+
+		while (enumerator->enumerate(enumerator, &uri))
+		{
+			current = fetch_crl(this, uri);
+			if (current)
+			{
+				best = get_better_crl(this, current, best, subject, issuer,
+									  &valid, TRUE);
+				if (best && valid != VALIDATION_STALE)
+				{
+					break;
+				}
+			}
+		}
+		enumerator->destroy(enumerator);
+	}
+
+	/* an uri was found, but no result. switch validation state to failed */
+	if (valid == VALIDATION_SKIPPED && uri)
+	{
+		valid = VALIDATION_FAILED;
+	}
+	if (auth)
+	{
+		if (valid == VALIDATION_SKIPPED)
+		{	/* if we skipped CRL validation, we use the result of OCSP for
+			 * constraint checking */
+			auth->add(auth, AUTH_RULE_CRL_VALIDATION,
+					  auth->get(auth, AUTH_RULE_OCSP_VALIDATION));
+		}
+		else
+		{
+			auth->add(auth, AUTH_RULE_CRL_VALIDATION, valid);
+		}
+	}
+	DESTROY_IF(best);
+	return valid;
+}
+
+/**
+ * check a certificate for optional IP address block constraints
+ */
+static bool check_ip_addr_block_constraints(x509_t *subject, x509_t *issuer)
+{
+	bool subject_constraint = subject->get_flags(subject) & X509_IP_ADDR_BLOCKS;
+	bool issuer_constraint = issuer->get_flags(issuer) & X509_IP_ADDR_BLOCKS;
+	bool contained = TRUE;
+
+	enumerator_t *subject_enumerator, *issuer_enumerator;
+	traffic_selector_t *subject_ts, *issuer_ts;
+
+	if (!subject_constraint && !issuer_constraint)
+	{
+		return TRUE;		
+	}
+	if (!subject_constraint)
+	{
+		DBG1(DBG_CFG, "subject certficate lacks ipAddrBlocks extension");
+		return FALSE;
+	}
+	if (!issuer_constraint)
+	{
+		DBG1(DBG_CFG, "issuer certficate lacks ipAddrBlocks extension");
+		return FALSE;		
+	}
+	subject_enumerator = subject->create_ipAddrBlock_enumerator(subject);
+	while (subject_enumerator->enumerate(subject_enumerator, &subject_ts))
+	{
+		contained = FALSE;
+
+		issuer_enumerator = issuer->create_ipAddrBlock_enumerator(issuer);
+		while (issuer_enumerator->enumerate(issuer_enumerator, &issuer_ts))
+		{
+			if (subject_ts->is_contained_in(subject_ts, issuer_ts))
+			{
+				DBG2(DBG_CFG, "  subject address block %R is contained in "
+							  "issuer address block %R", subject_ts, issuer_ts);
+				contained = TRUE;
+				break;
+			}
+		}
+		issuer_enumerator->destroy(issuer_enumerator);
+		if (!contained)
+		{
+			DBG1(DBG_CFG, "subject address block %R is not contained in any "
+						  "issuer address block", subject_ts);
+			break;
+		}
+	}
+	subject_enumerator->destroy(subject_enumerator);
+	return contained;	
+}
+
+/**
+ * check a certificate for its lifetime
+ */
+static bool check_certificate(private_credential_manager_t *this,
+							  certificate_t *subject, certificate_t *issuer,
+							  bool crl, bool ocsp, auth_cfg_t *auth)
+{
+	time_t not_before, not_after;
+
+	if (!subject->get_validity(subject, NULL, &not_before, &not_after))
+	{
+		DBG1(DBG_CFG, "subject certificate invalid (valid from %T to %T)",
+			 &not_before, FALSE, &not_after, FALSE);
+		return FALSE;
+	}
+	if (!issuer->get_validity(issuer, NULL, &not_before, &not_after))
+	{
+		DBG1(DBG_CFG, "issuer certificate invalid (valid from %T to %T)",
+			 &not_before, FALSE, &not_after, FALSE);
+		return FALSE;
+	}
+	if (issuer->get_type(issuer) == CERT_X509 &&
+		subject->get_type(subject) == CERT_X509)
+	{
+		if (!check_ip_addr_block_constraints((x509_t*)subject, (x509_t*)issuer))
+		{
+			return FALSE;
+		}
+		if (ocsp || crl)
+		{
+			DBG1(DBG_CFG, "checking certificate status of \"%Y\"",
+						   subject->get_subject(subject));
+		}
+		if (ocsp)
+		{
+			switch (check_ocsp(this, (x509_t*)subject, (x509_t*)issuer, auth))
+			{
+				case VALIDATION_GOOD:
+					DBG1(DBG_CFG, "certificate status is good");
+					return TRUE;
+				case VALIDATION_REVOKED:
+					/* has already been logged */
+					return FALSE;
+				case VALIDATION_SKIPPED:
+					DBG2(DBG_CFG, "ocsp check skipped, no ocsp found");
+					break;
+				case VALIDATION_STALE:
+					DBG1(DBG_CFG, "ocsp information stale, fallback to crl");
+					break;
+				case VALIDATION_FAILED:
+					DBG1(DBG_CFG, "ocsp check failed, fallback to crl");
+					break;
+			}
+		}
+		if (crl)
+		{
+			switch (check_crl(this, (x509_t*)subject, (x509_t*)issuer, auth))
+			{
+				case VALIDATION_GOOD:
+					DBG1(DBG_CFG, "certificate status is good");
+					return TRUE;
+				case VALIDATION_REVOKED:
+					/* has already been logged */
+					return FALSE;
+				case VALIDATION_FAILED:
+				case VALIDATION_SKIPPED:
+					DBG1(DBG_CFG, "certificate status is not available");
+					break;
+				case VALIDATION_STALE:
+					DBG1(DBG_CFG, "certificate status is unknown, crl is stale");
+					break;
+			}
+		}
+	}
+	return TRUE;
+}
+
+/**
+ * Get a trusted certificate from a credential set
+ */
+static certificate_t *get_pretrusted_cert(private_credential_manager_t *this,
+										  key_type_t type, identification_t *id)
+{
+	certificate_t *subject;
+	public_key_t *public;
+
+	subject = get_cert(this, CERT_ANY, type, id, TRUE);
+	if (!subject)
+	{
+		return NULL;
+	}
+	public = subject->get_public_key(subject);
+	if (!public)
+	{
+		subject->destroy(subject);
+		return NULL;
+	}
+	public->destroy(public);
+	return subject;
+}
+
+/**
+ * Get the issuing certificate of a subject certificate
+ */
+static certificate_t *get_issuer_cert(private_credential_manager_t *this,
+									  certificate_t *subject, bool trusted)
+{
+	enumerator_t *enumerator;
+	certificate_t *issuer = NULL, *candidate;
+
+	enumerator = create_cert_enumerator(this, subject->get_type(subject), KEY_ANY,
+										subject->get_issuer(subject), trusted);
+	while (enumerator->enumerate(enumerator, &candidate))
+	{
+		if (this->cache->issued_by(this->cache, subject, candidate))
+		{
+			issuer = candidate->get_ref(candidate);
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return issuer;
+}
+
+/**
+ * try to verify the trust chain of subject, return TRUE if trusted
+ */
+static bool verify_trust_chain(private_credential_manager_t *this,
+							   certificate_t *subject, auth_cfg_t *result,
+							   bool trusted, bool crl, bool ocsp)
+{
+	certificate_t *current, *issuer;
+	x509_t *x509;
+	auth_cfg_t *auth;
+	int pathlen, pathlen_constraint;
+
+	auth = auth_cfg_create();
+	current = subject->get_ref(subject);
+
+	for (pathlen = 0; pathlen <= X509_MAX_PATH_LEN; pathlen++)
+	{
+		issuer = get_issuer_cert(this, current, TRUE);
+		if (issuer)
+		{
+			/* accept only self-signed CAs as trust anchor */
+			if (this->cache->issued_by(this->cache, issuer, issuer))
+			{
+				auth->add(auth, AUTH_RULE_CA_CERT, issuer->get_ref(issuer));
+				DBG1(DBG_CFG, "  using trusted ca certificate \"%Y\"",
+							  issuer->get_subject(issuer));
+				trusted = TRUE;
+			}
+			else
+			{
+				auth->add(auth, AUTH_RULE_IM_CERT, issuer->get_ref(issuer));
+				DBG1(DBG_CFG, "  using trusted intermediate ca certificate "
+					 "\"%Y\"", issuer->get_subject(issuer));
+			}
+		}
+		else
+		{
+			issuer = get_issuer_cert(this, current, FALSE);
+			if (issuer)
+			{
+				if (current->equals(current, issuer))
+				{
+					DBG1(DBG_CFG, "  self-signed certificate \"%Y\" is not trusted",
+						 current->get_subject(current));
+					issuer->destroy(issuer);
+					break;
+				}
+				auth->add(auth, AUTH_RULE_IM_CERT, issuer->get_ref(issuer));
+				DBG1(DBG_CFG, "  using untrusted intermediate certificate "
+					 "\"%Y\"", issuer->get_subject(issuer));
+			}
+			else
+			{
+				DBG1(DBG_CFG, "no issuer certificate found for \"%Y\"",
+					 current->get_subject(current));
+				break;
+			}
+		}
+		if (!check_certificate(this, current, issuer, crl, ocsp,
+							   current == subject ? auth : NULL))
+		{
+			trusted = FALSE;
+			issuer->destroy(issuer);
+			break;
+		}
+
+		/* check path length constraint */
+		x509 = (x509_t*)issuer;
+		pathlen_constraint = x509->get_pathLenConstraint(x509);
+		if (pathlen_constraint != X509_NO_PATH_LEN_CONSTRAINT &&
+			pathlen > pathlen_constraint)
+		{
+			DBG1(DBG_CFG, "path length of %d violates constraint of %d",
+				 pathlen, pathlen_constraint);
+			trusted = FALSE;
+			issuer->destroy(issuer);
+			break;
+		}
+		current->destroy(current);
+		current = issuer;
+		if (trusted)
+		{
+			DBG1(DBG_CFG, "  reached self-signed root ca with a path length of %d",
+						  pathlen);
+			break;
+		}
+	}
+	current->destroy(current);
+	if (pathlen > X509_MAX_PATH_LEN)
+	{
+		DBG1(DBG_CFG, "maximum path length of %d exceeded", X509_MAX_PATH_LEN);
+	}
+	if (trusted)
+	{
+		result->merge(result, auth, FALSE);
+	}
+	auth->destroy(auth);
+	return trusted;
+}
+
+/**
+ * enumerator for trusted certificates
+ */
+typedef struct {
+	/** implements enumerator_t interface */
+	enumerator_t public;
+	/** enumerator over candidate peer certificates */
+	enumerator_t *candidates;
+	/** reference to the credential_manager */
+	private_credential_manager_t *this;
+	/** type of the requested key */
+	key_type_t type;
+	/** identity the requested key belongs to */
+	identification_t *id;
+	/** TRUE to do CRL checking */
+	bool crl;
+	/** TRUE to do OCSP checking */
+	bool ocsp;
+	/** pretrusted certificate we have served at first invocation */
+	certificate_t *pretrusted;
+	/** currently enumerating auth config */
+	auth_cfg_t *auth;
+} trusted_enumerator_t;
+
+/**
+ * Implements trusted_enumerator_t.enumerate
+ */
+static bool trusted_enumerate(trusted_enumerator_t *this,
+							  certificate_t **cert, auth_cfg_t **auth)
+{
+	certificate_t *current;
+
+	DESTROY_IF(this->auth);
+	this->auth = auth_cfg_create();
+
+	if (!this->candidates)
+	{
+		/* first invocation, build enumerator for next one */
+		this->candidates = create_cert_enumerator(this->this, CERT_ANY,
+												  this->type, this->id, FALSE);
+		/* check if we have a trusted certificate for that peer */
+		this->pretrusted = get_pretrusted_cert(this->this, this->type, this->id);
+		if (this->pretrusted)
+		{
+			/* if we find a trusted self signed certificate, we just accept it.
+			 * However, in order to fulfill authorization rules, we try to build
+			 * the trust chain if it is not self signed */
+			if (this->this->cache->issued_by(this->this->cache,
+								   this->pretrusted, this->pretrusted) ||
+				verify_trust_chain(this->this, this->pretrusted, this->auth,
+								   TRUE, this->crl, this->ocsp))
+			{
+				this->auth->add(this->auth, AUTH_RULE_SUBJECT_CERT,
+								this->pretrusted->get_ref(this->pretrusted));
+				DBG1(DBG_CFG, "  using trusted certificate \"%Y\"",
+					 this->pretrusted->get_subject(this->pretrusted));
+				*cert = this->pretrusted;
+				if (auth)
+				{
+					*auth = this->auth;
+				}
+				return TRUE;
+			}
+		}
+	}
+	/* try to verify the trust chain for each certificate found */
+	while (this->candidates->enumerate(this->candidates, &current))
+	{
+		if (this->pretrusted &&
+			this->pretrusted->equals(this->pretrusted, current))
+		{	/* skip pretrusted certificate we already served */
+			continue;
+		}
+
+		DBG1(DBG_CFG, "  using certificate \"%Y\"",
+			 current->get_subject(current));
+		if (verify_trust_chain(this->this, current, this->auth, FALSE,
+							   this->crl, this->ocsp))
+		{
+			*cert = current;
+			if (auth)
+			{
+				*auth = this->auth;
+			}
+			return TRUE;
+		}
+	}
+	return FALSE;
+}
+
+/**
+ * Implements trusted_enumerator_t.destroy
+ */
+static void trusted_destroy(trusted_enumerator_t *this)
+{
+	DESTROY_IF(this->pretrusted);
+	DESTROY_IF(this->auth);
+	DESTROY_IF(this->candidates);
+	free(this);
+}
+
+/**
+ * create an enumerator over trusted certificates and their trustchain
+ */
+static enumerator_t *create_trusted_enumerator(private_credential_manager_t *this,
+					key_type_t type, identification_t *id, bool crl, bool ocsp)
+{
+	trusted_enumerator_t *enumerator = malloc_thing(trusted_enumerator_t);
+
+	enumerator->public.enumerate = (void*)trusted_enumerate;
+	enumerator->public.destroy = (void*)trusted_destroy;
+
+	enumerator->candidates = NULL;
+	enumerator->this = this;
+	enumerator->type = type;
+	enumerator->id = id;
+	enumerator->crl = crl;
+	enumerator->ocsp = ocsp;
+	enumerator->pretrusted = NULL;
+	enumerator->auth = NULL;
+
+	return &enumerator->public;
+}
+
+/**
+ * enumerator for public keys
+ */
+typedef struct {
+	/** implements enumerator_t interface */
+	enumerator_t public;
+	/** enumerator over candidate peer certificates */
+	enumerator_t *inner;
+	/** reference to the credential_manager */
+	private_credential_manager_t *this;
+	/** currently enumerating key */
+	public_key_t *current;
+	/** credset wrapper around auth config */
+	auth_cfg_wrapper_t *wrapper;
+} public_enumerator_t;
+
+/**
+ * Implements public_enumerator_t.enumerate
+ */
+static bool public_enumerate(public_enumerator_t *this,
+							 public_key_t **key, auth_cfg_t **auth)
+{
+	certificate_t *cert;
+
+	while (this->inner->enumerate(this->inner, &cert, auth))
+	{
+		DESTROY_IF(this->current);
+		this->current = cert->get_public_key(cert);
+		if (this->current)
+		{
+			*key = this->current;
+			return TRUE;
+		}
+	}
+	return FALSE;
+}
+
+/**
+ * Implements public_enumerator_t.destroy
+ */
+static void public_destroy(public_enumerator_t *this)
+{
+	DESTROY_IF(this->current);
+	this->inner->destroy(this->inner);
+	if (this->wrapper)
+	{
+		remove_local_set(this->this, &this->wrapper->set);
+		this->wrapper->destroy(this->wrapper);
+	}
+	this->this->lock->unlock(this->this->lock);
+
+	/* check for delayed certificate cache queue */
+	cache_queue(this->this);
+	free(this);
+}
+
+/**
+ * Implementation of credential_manager_t.create_public_enumerator.
+ */
+static enumerator_t* create_public_enumerator(private_credential_manager_t *this,
+						key_type_t type, identification_t *id, auth_cfg_t *auth)
+{
+	public_enumerator_t *enumerator = malloc_thing(public_enumerator_t);
+
+	enumerator->public.enumerate = (void*)public_enumerate;
+	enumerator->public.destroy = (void*)public_destroy;
+	enumerator->inner = create_trusted_enumerator(this, type, id, TRUE, TRUE);
+	enumerator->this = this;
+	enumerator->current = NULL;
+	enumerator->wrapper = NULL;
+	if (auth)
+	{
+		enumerator->wrapper = auth_cfg_wrapper_create(auth);
+		add_local_set(this, &enumerator->wrapper->set);
+	}
+	this->lock->read_lock(this->lock);
+	return &enumerator->public;
+}
+
+/**
+ * Check if a certificate's keyid is contained in the auth helper
+ */
+static bool auth_contains_cacert(auth_cfg_t *auth, certificate_t *cert)
+{
+	enumerator_t *enumerator;
+	identification_t *value;
+	auth_rule_t type;
+	bool found = FALSE;
+
+	enumerator = auth->create_enumerator(auth);
+	while (enumerator->enumerate(enumerator, &type, &value))
+	{
+		if (type == AUTH_RULE_CA_CERT &&
+			cert->equals(cert, (certificate_t*)value))
+		{
+			found = TRUE;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return found;
+}
+
+/**
+ * build a trustchain from subject up to a trust anchor in trusted
+ */
+static auth_cfg_t *build_trustchain(private_credential_manager_t *this,
+									 certificate_t *subject, auth_cfg_t *auth)
+{
+	certificate_t *issuer, *current;
+	auth_cfg_t *trustchain;
+	int pathlen = 0;
+
+	trustchain = auth_cfg_create();
+
+	current = auth->get(auth, AUTH_RULE_CA_CERT);
+	if (!current)
+	{
+		/* no trust anchor specified, return this cert only */
+		trustchain->add(trustchain, AUTH_RULE_SUBJECT_CERT,
+						subject->get_ref(subject));
+		return trustchain;
+	}
+	current = subject->get_ref(subject);
+	while (TRUE)
+	{
+		if (auth_contains_cacert(auth, current))
+		{
+			trustchain->add(trustchain, AUTH_RULE_CA_CERT, current);
+			return trustchain;
+		}
+		if (subject == current)
+		{
+			trustchain->add(trustchain, AUTH_RULE_SUBJECT_CERT, current);
+		}
+		else
+		{
+			trustchain->add(trustchain, AUTH_RULE_IM_CERT, current);
+		}
+		issuer = get_issuer_cert(this, current, FALSE);
+		if (!issuer || issuer->equals(issuer, current) ||
+			pathlen > X509_MAX_PATH_LEN)
+		{
+			DESTROY_IF(issuer);
+			break;
+		}
+		current = issuer;
+		pathlen++;
+	}
+	trustchain->destroy(trustchain);
+	return NULL;
+}
+
+/**
+ * find a private key of a give certificate
+ */
+static private_key_t *get_private_by_cert(private_credential_manager_t *this,
+										  certificate_t *cert, key_type_t type)
+{
+	private_key_t *private = NULL;
+	identification_t *keyid;
+	chunk_t chunk;
+	public_key_t *public;
+
+	public = cert->get_public_key(cert);
+	if (public)
+	{
+		if (public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1, &chunk))
+		{
+			keyid = identification_create_from_encoding(ID_KEY_ID, chunk);
+			private = get_private_by_keyid(this, type, keyid);
+			keyid->destroy(keyid);
+		}
+		public->destroy(public);
+	}
+	return private;
+}
+
+/**
+ * Implementation of credential_manager_t.get_private.
+ */
+static private_key_t *get_private(private_credential_manager_t *this,
+								  key_type_t type, identification_t *id,
+								  auth_cfg_t *auth)
+{
+	enumerator_t *enumerator;
+	certificate_t *cert;
+	private_key_t *private = NULL;
+	auth_cfg_t *trustchain;
+
+	/* check if this is a lookup by key ID, and do it if so */
+	if (id && id->get_type(id) == ID_KEY_ID)
+	{
+		private = get_private_by_keyid(this, type, id);
+		if (private)
+		{
+			return private;
+		}
+	}
+
+	/* if a specific certificate is preferred, check for a matching key */
+	cert = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
+	if (cert)
+	{
+		private = get_private_by_cert(this, cert, type);
+		if (private)
+		{
+			trustchain = build_trustchain(this, cert, auth);
+			if (trustchain)
+			{
+				auth->merge(auth, trustchain, FALSE);
+				trustchain->destroy(trustchain);
+			}
+			return private;
+		}
+	}
+
+	/* try to build a trust chain for each certificate found */
+	enumerator = create_cert_enumerator(this, CERT_ANY, type, id, FALSE);
+	while (enumerator->enumerate(enumerator, &cert))
+	{
+		private = get_private_by_cert(this, cert, type);
+		if (private)
+		{
+			trustchain = build_trustchain(this, cert, auth);
+			if (trustchain)
+			{
+				auth->merge(auth, trustchain, FALSE);
+				trustchain->destroy(trustchain);
+				break;
+			}
+			private->destroy(private);
+			private = NULL;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	/* if no valid trustchain was found, fall back to the first usable cert */
+	if (!private)
+	{
+		enumerator = create_cert_enumerator(this, CERT_ANY, type, id, FALSE);
+		while (enumerator->enumerate(enumerator, &cert))
+		{
+			private = get_private_by_cert(this, cert, type);
+			if (private)
+			{
+				auth->add(auth, AUTH_RULE_SUBJECT_CERT, cert->get_ref(cert));
+				break;
+			}
+		}
+		enumerator->destroy(enumerator);
+	}
+	return private;
+}
+
+/**
+ * Implementation of credential_manager_t.flush_cache.
+ */
+static void flush_cache(private_credential_manager_t *this,
+						certificate_type_t type)
+{
+	this->cache->flush(this->cache, type);
+}
+
+/**
+ * Implementation of credential_manager_t.add_set.
+ */
+static void add_set(private_credential_manager_t *this,
+							   credential_set_t *set)
+{
+	this->lock->write_lock(this->lock);
+	this->sets->insert_last(this->sets, set);
+	this->lock->unlock(this->lock);
+}
+
+/**
+ * Implementation of credential_manager_t.remove_set.
+ */
+static void remove_set(private_credential_manager_t *this, credential_set_t *set)
+{
+	this->lock->write_lock(this->lock);
+	this->sets->remove(this->sets, set, NULL);
+	this->lock->unlock(this->lock);
+}
+
+/**
+ * Implementation of credential_manager_t.destroy
+ */
+static void destroy(private_credential_manager_t *this)
+{
+	cache_queue(this);
+	this->cache_queue->destroy(this->cache_queue);
+	this->sets->remove(this->sets, this->cache, NULL);
+	this->sets->destroy(this->sets);
+	this->local_sets->destroy(this->local_sets);
+	this->cache->destroy(this->cache);
+	this->lock->destroy(this->lock);
+	this->queue_mutex->destroy(this->queue_mutex);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+credential_manager_t *credential_manager_create()
+{
+	private_credential_manager_t *this = malloc_thing(private_credential_manager_t);
+
+	this->public.create_cert_enumerator = (enumerator_t *(*)(credential_manager_t *this,certificate_type_t cert, key_type_t key,identification_t *id,bool))create_cert_enumerator;
+	this->public.create_shared_enumerator = (enumerator_t *(*)(credential_manager_t *this, shared_key_type_t type,identification_t *me, identification_t *other))create_shared_enumerator;
+	this->public.create_cdp_enumerator = (enumerator_t *(*)(credential_manager_t*, certificate_type_t type, identification_t *id))create_cdp_enumerator;
+	this->public.get_cert = (certificate_t *(*)(credential_manager_t *this,certificate_type_t cert, key_type_t key,identification_t *, bool))get_cert;
+	this->public.get_shared = (shared_key_t *(*)(credential_manager_t *this,shared_key_type_t type,identification_t *me, identification_t *other))get_shared;
+	this->public.get_private = (private_key_t*(*)(credential_manager_t*, key_type_t type, identification_t *, auth_cfg_t*))get_private;
+	this->public.create_public_enumerator = (enumerator_t*(*)(credential_manager_t*, key_type_t type, identification_t *id, auth_cfg_t *aut))create_public_enumerator;
+	this->public.flush_cache = (void(*)(credential_manager_t*, certificate_type_t type))flush_cache;
+	this->public.cache_cert = (void(*)(credential_manager_t*, certificate_t *cert))cache_cert;
+	this->public.add_set = (void(*)(credential_manager_t*, credential_set_t *set))add_set;
+	this->public.remove_set = (void(*)(credential_manager_t*, credential_set_t *set))remove_set;
+	this->public.destroy = (void(*)(credential_manager_t*))destroy;
+
+	this->sets = linked_list_create();
+	this->local_sets = thread_value_create((thread_cleanup_t)this->sets->destroy);
+	this->cache = cert_cache_create();
+	this->cache_queue = linked_list_create();
+	this->sets->insert_first(this->sets, this->cache);
+	this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
+	this->queue_mutex = mutex_create(MUTEX_TYPE_DEFAULT);
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/credentials/credential_manager.h b/src/libcharon/credentials/credential_manager.h
new file mode 100644
index 000000000..0448da992
--- /dev/null
+++ b/src/libcharon/credentials/credential_manager.h
@@ -0,0 +1,203 @@
+/*
+ * Copyright (C) 2007-2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup credential_manager credential_manager
+ * @{ @ingroup ccredentials
+ */
+
+#ifndef CREDENTIAL_MANAGER_H_
+#define CREDENTIAL_MANAGER_H_
+
+#include <utils/identification.h>
+#include <utils/enumerator.h>
+#include <config/auth_cfg.h>
+#include <credentials/credential_set.h>
+#include <credentials/keys/private_key.h>
+#include <credentials/keys/shared_key.h>
+#include <credentials/certificates/certificate.h>
+
+typedef struct credential_manager_t credential_manager_t;
+
+/**
+ * Manages credentials using credential_sets.
+ *
+ * The credential manager is the entry point of the credential framework. It
+ * uses so called "sets" to access credentials in a modular fashion, these
+ * are implemented through the credential_set_t interface.
+ * The manager additionally does trust chain verification and trust status
+ * chaching. A set may call the managers methods if it needs credentials itself,
+ * the manager uses recursive locking.
+ *
+ * @verbatim
+
+  +-------+        +----------------+
+  |   A   |        |                |          +------------------+
+  |   u   | -----> |                | ------>  |  +------------------+
+  |   t   |        |   credential-  |          |  |  +------------------+
+  |   h   | -----> |     manager    | ------>  +--|  |   credential-    | => IPC
+  |   e   |        |                |             +--|       sets       |
+  |   n   |   +--> |                | ------>        +------------------+
+  |   t   |   |    |                |                        |
+  |   i   |   |    |                |                        |
+  |   c   |   |    +----------------+                        |
+  |   a   |   |                                              |
+  |   t   |   +----------------------------------------------+
+  |   o   |                    may be recursive
+  |   r   |
+  +-------+
+
+   @endverbatim
+ *
+ * The credential manager uses rwlocks for performance reasons, credential
+ * sets must be fully thread save.
+ */
+struct credential_manager_t {
+
+	/**
+	 * Create an enumerator over all certificates.
+	 *
+	 * @param cert		kind of certificate
+	 * @param key		kind of key in certificate
+	 * @param id		subject this certificate belongs to
+	 * @param trusted	TRUE to list trusted certificates only
+	 * @return			enumerator over the certificates
+	 */
+	enumerator_t *(*create_cert_enumerator)(credential_manager_t *this,
+								certificate_type_t cert, key_type_t key,
+								identification_t *id, bool trusted);
+	/**
+	 * Create an enumerator over all shared keys.
+	 *
+	 * The enumerator enumerates over:
+	 *  shared_key_t*, id_match_t me, id_match_t other
+	 * But must accepts values for the id_matches.
+	 *
+	 * @param type		kind of requested shared key
+	 * @param first		first subject between key is shared
+	 * @param second	second subject between key is shared
+	 * @return			enumerator over shared keys
+	 */
+	enumerator_t *(*create_shared_enumerator)(credential_manager_t *this,
+								shared_key_type_t type,
+								identification_t *first, identification_t *second);
+	/**
+	 * Create an enumerator over all Certificate Distribution Points.
+	 *
+	 * @param type		kind of certificate the point distributes
+	 * @param id		identification of the distributed certificate
+	 * @return			enumerator of CDPs as char*
+	 */
+	enumerator_t *(*create_cdp_enumerator)(credential_manager_t *this,
+								certificate_type_t type, identification_t *id);
+	/**
+	 * Get a trusted or untrusted certificate.
+	 *
+	 * @param cert		kind of certificate
+	 * @param key		kind of key in certificate
+	 * @param id		subject this certificate belongs to
+	 * @param trusted	TRUE to get a trusted certificate only
+	 * @return			certificate, if found, NULL otherwise
+	 */
+	certificate_t *(*get_cert)(credential_manager_t *this,
+							   certificate_type_t cert, key_type_t key,
+							   identification_t *id, bool trusted);
+	/**
+	 * Get the best matching shared key for two IDs.
+	 *
+	 * @param type		kind of requested shared key
+	 * @param me		own identity
+	 * @param other		peers identity
+	 * @return			shared_key_t, NULL if none found
+	 */
+	shared_key_t *(*get_shared)(credential_manager_t *this, shared_key_type_t type,
+								identification_t *me, identification_t *other);
+	/**
+	 * Get a private key to create a signature.
+	 *
+	 * The get_private() method gets a secret private key identified by either
+	 * the keyid itself or an id the key belongs to.
+	 * The auth parameter contains additional information, such as receipients
+	 * trusted CA certs. Auth gets filled with subject and CA certificates
+	 * needed to validate a created signature.
+	 *
+	 * @param type		type of the key to get
+	 * @param id		identification the key belongs to
+	 * @param auth		auth config, including trusted CA certificates
+	 * @return			private_key_t, NULL if none found
+	 */
+	private_key_t* (*get_private)(credential_manager_t *this, key_type_t type,
+								  identification_t *id, auth_cfg_t *auth);
+
+	/**
+	 * Create an enumerator over trusted public keys.
+	 *
+	 * This method gets a an enumerator over trusted public keys to verify a
+	 * signature created by id. The auth parameter contains additional
+	 * authentication infos, e.g. peer and intermediate certificates.
+	 * The resulting enumerator enumerates over public_key_t *, auth_cfg_t *,
+	 * where the auth config helper contains rules for constraint checks.
+	 *
+	 * @param type		type of the key to get
+	 * @param id		owner of the key, signer of the signature
+	 * @param auth		authentication infos
+	 * @return			enumerator
+	 */
+	enumerator_t* (*create_public_enumerator)(credential_manager_t *this,
+					key_type_t type, identification_t *id, auth_cfg_t *auth);
+
+	/**
+	 * Cache a certificate by invoking cache_cert() on all registerd sets.
+	 *
+	 * @param cert		certificate to cache
+	 */
+	void (*cache_cert)(credential_manager_t *this, certificate_t *cert);
+
+	/**
+	 * Flush the certificate cache.
+	 *
+	 * Only the managers local cache is flushed, but not the sets cache filled
+	 * by the cache_cert() method.
+	 *
+	 * @param type		type of certificate to flush, or CERT_ANY
+	 */
+	void (*flush_cache)(credential_manager_t *this, certificate_type_t type);
+
+	/**
+	 * Register a credential set to the manager.
+	 *
+	 * @param set		set to register
+	 */
+	void (*add_set)(credential_manager_t *this, credential_set_t *set);
+
+	/**
+	 * Unregister a credential set from the manager.
+	 *
+	 * @param set		set to unregister
+	 */
+	void (*remove_set)(credential_manager_t *this, credential_set_t *set);
+
+	/**
+	 * Destroy a credential_manager instance.
+	 */
+	void (*destroy)(credential_manager_t *this);
+};
+
+/**
+ * Create a credential_manager instance.
+ */
+credential_manager_t *credential_manager_create();
+
+#endif /** CREDENTIAL_MANAGER_H_ @}*/
diff --git a/src/libcharon/credentials/credential_set.h b/src/libcharon/credentials/credential_set.h
new file mode 100644
index 000000000..274eb3feb
--- /dev/null
+++ b/src/libcharon/credentials/credential_set.h
@@ -0,0 +1,108 @@
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup credential_set credential_set
+ * @{ @ingroup ccredentials
+ */
+
+#ifndef CREDENTIAL_SET_H_
+#define CREDENTIAL_SET_H_
+
+#include <credentials/keys/public_key.h>
+#include <credentials/keys/shared_key.h>
+#include <credentials/certificates/certificate.h>
+
+typedef struct credential_set_t credential_set_t;
+
+/**
+ * A set of credentials.
+ *
+ * Contains private keys, shared keys and different kinds of certificates.
+ * Enumerators are used because queries might return multiple matches.
+ * Filter parameters restrict enumeration over specific items only.
+ * See credential_manager_t for an overview of the credential framework.
+ *
+ * A credential set enumerator may not block the credential set, i.e. multiple
+ * threads must be able to hold multiple enumerators, as the credential manager
+ * is higly parallelized. The best way to achieve this is by using shared
+ * read locks for the enumerators only. Otherwiese deadlocks will occur.
+ * The writing cache_cert() routine is called by the manager only if no
+ * enumerator is alive, so it is save to use a write lock there.
+ */
+struct credential_set_t {
+
+	/**
+	 * Create an enumerator over private keys (private_key_t).
+	 *
+	 * The id is either a key identifier of the requested key, or an identity
+	 * of the key owner.
+	 *
+	 * @param type		type of requested private key
+	 * @param id		key identifier/owner
+	 * @return			enumerator over private_key_t's.
+	 */
+	enumerator_t *(*create_private_enumerator)(credential_set_t *this,
+						key_type_t type, identification_t *id);
+	/**
+	 * Create an enumerator over certificates (certificate_t).
+	 *
+	 * @param cert		kind of certificate
+	 * @param key		kind of key in certificate
+	 * @param id		identity (subject) this certificate belongs to
+	 * @param trusted	whether the certificate must be trustworthy
+	 * @return			enumerator as described above
+	 */
+	enumerator_t *(*create_cert_enumerator)(credential_set_t *this,
+						certificate_type_t cert, key_type_t key,
+						identification_t *id, bool trusted);
+	/**
+	 * Create an enumerator over shared keys (shared_key_t).
+	 *
+	 * The enumerator enumerates over:
+	 *  shared_key_t*, id_match_t me, id_match_t other
+	 * But must accept NULL values for the id_matches.
+	 *
+	 * @param type		kind of requested shared key
+	 * @param me		own identity
+	 * @param other		other identity who owns that secret
+	 * @return			enumerator as described above
+	 */
+	enumerator_t *(*create_shared_enumerator)(credential_set_t *this,
+						shared_key_type_t type,
+						identification_t *me, identification_t *other);
+
+	/**
+	 * Create an enumerator over certificate distribution points.
+	 *
+	 * @param type		type of the certificate to get a CDP
+	 * @param id		identification of the distributed certificate
+	 * @return			an enumerator over CDPs as char*
+	 */
+	enumerator_t *(*create_cdp_enumerator)(credential_set_t *this,
+						certificate_type_t type, identification_t *id);
+
+	/**
+	 * Cache a certificate in the credential set.
+	 *
+	 * The caching policy is implementation dependent, the sets may cache the
+	 * certificate in-memory, persistent on disk or not at all.
+	 *
+	 * @param cert		certificate to cache
+	 */
+	void (*cache_cert)(credential_set_t *this, certificate_t *cert);
+};
+
+#endif /** CREDENTIAL_SET_H_ @}*/
diff --git a/src/libcharon/credentials/sets/auth_cfg_wrapper.c b/src/libcharon/credentials/sets/auth_cfg_wrapper.c
new file mode 100644
index 000000000..82e33d283
--- /dev/null
+++ b/src/libcharon/credentials/sets/auth_cfg_wrapper.c
@@ -0,0 +1,223 @@
+/*
+ * Copyright (C) 2008-2009 Martin Willi
+ * Copyright (C) 2008 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <daemon.h>
+
+#include "auth_cfg_wrapper.h"
+
+typedef struct private_auth_cfg_wrapper_t private_auth_cfg_wrapper_t;
+
+/**
+ * private data of auth_cfg_wrapper
+ */
+struct private_auth_cfg_wrapper_t {
+
+	/**
+	 * public functions
+	 */
+	auth_cfg_wrapper_t public;
+
+	/**
+	 * wrapped auth info
+	 */
+	auth_cfg_t *auth;
+};
+
+/**
+ * enumerator for auth_cfg_wrapper_t.create_cert_enumerator()
+ */
+typedef struct {
+	/** implements enumerator_t */
+	enumerator_t public;
+	/** inner enumerator from auth_cfg */
+	enumerator_t *inner;
+	/** wrapped auth round */
+	auth_cfg_t *auth;
+	/** enumerated cert type */
+	certificate_type_t cert;
+	/** enumerated key type */
+	key_type_t key;
+	/** enumerated id */
+	identification_t *id;
+} wrapper_enumerator_t;
+
+/**
+ * Tries to fetch a certificate that was supplied as "Hash and URL"
+ * (replaces rule type and value in place).
+ */
+static bool fetch_cert(wrapper_enumerator_t *enumerator,
+					   auth_rule_t *rule, void **value)
+{
+	char *url = (char*)*value;
+	if (!url)
+	{
+		/* fetching the certificate previously failed */
+		return FALSE;
+	}
+
+	chunk_t data;
+	certificate_t *cert;
+
+	DBG1(DBG_CFG, "  fetching certificate from '%s' ...", url);
+	if (lib->fetcher->fetch(lib->fetcher, url, &data, FETCH_END) != SUCCESS)
+	{
+		DBG1(DBG_CFG, "  fetching certificate failed");
+		/* we set the item to NULL, so we can skip it */
+		enumerator->auth->replace(enumerator->auth, enumerator->inner,
+								  *rule, NULL);
+		return FALSE;
+	}
+
+	cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+							  BUILD_BLOB_ASN1_DER, data, BUILD_END);
+	free(data.ptr);
+
+	if (!cert)
+	{
+		DBG1(DBG_CFG, "  parsing fetched certificate failed");
+		/* we set the item to NULL, so we can skip it */
+		enumerator->auth->replace(enumerator->auth, enumerator->inner,
+								  *rule, NULL);
+		return FALSE;
+	}
+
+	DBG1(DBG_CFG, "  fetched certificate \"%Y\"", cert->get_subject(cert));
+	charon->credentials->cache_cert(charon->credentials, cert);
+
+	if (*rule == AUTH_HELPER_IM_HASH_URL)
+	{
+		*rule = AUTH_HELPER_IM_CERT;
+	}
+	else
+	{
+		*rule = AUTH_HELPER_SUBJECT_CERT;
+	}
+	*value = cert;
+	enumerator->auth->replace(enumerator->auth, enumerator->inner,
+							  *rule, cert->get_ref(cert));
+	return TRUE;
+}
+
+/**
+ * enumerate function for wrapper_enumerator_t
+ */
+static bool enumerate(wrapper_enumerator_t *this, certificate_t **cert)
+{
+	auth_rule_t rule;
+	certificate_t *current;
+	public_key_t *public;
+
+	while (this->inner->enumerate(this->inner, &rule, &current))
+	{
+		if (rule == AUTH_HELPER_IM_HASH_URL ||
+			rule == AUTH_HELPER_SUBJECT_HASH_URL)
+		{	/* on-demand fetching of hash and url certificates */
+			if (!fetch_cert(this, &rule, (void**)&current))
+			{
+				continue;
+			}
+		}
+		else if (rule != AUTH_HELPER_SUBJECT_CERT &&
+				 rule != AUTH_HELPER_IM_CERT)
+		{	/* handle only HELPER certificates */
+			continue;
+		}
+		if (this->cert != CERT_ANY && this->cert != current->get_type(current))
+		{	/* CERT type requested, but does not match */
+			continue;
+		}
+		public = current->get_public_key(current);
+		if (this->key != KEY_ANY && !public)
+		{	/* key type requested, but no public key */
+			DESTROY_IF(public);
+			continue;
+		}
+		if (this->key != KEY_ANY && public && this->key != public->get_type(public))
+		{	/* key type requested, but public key has another type */
+			DESTROY_IF(public);
+			continue;
+		}
+		DESTROY_IF(public);
+		if (this->id && !current->has_subject(current, this->id))
+		{	/* subject requested, but does not match */
+			continue;
+		}
+		*cert = current;
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/**
+ * destroy function for wrapper_enumerator_t
+ */
+static void wrapper_enumerator_destroy(wrapper_enumerator_t *this)
+{
+	this->inner->destroy(this->inner);
+	free(this);
+}
+
+/**
+ * implementation of auth_cfg_wrapper_t.set.create_cert_enumerator
+ */
+static enumerator_t *create_enumerator(private_auth_cfg_wrapper_t *this,
+									   certificate_type_t cert, key_type_t key,
+									   identification_t *id, bool trusted)
+{
+	wrapper_enumerator_t *enumerator;
+
+	if (trusted)
+	{
+		return NULL;
+	}
+	enumerator = malloc_thing(wrapper_enumerator_t);
+	enumerator->auth = this->auth;
+	enumerator->cert = cert;
+	enumerator->key = key;
+	enumerator->id = id;
+	enumerator->inner = this->auth->create_enumerator(this->auth);
+	enumerator->public.enumerate = (void*)enumerate;
+	enumerator->public.destroy = (void*)wrapper_enumerator_destroy;
+	return &enumerator->public;
+}
+
+/**
+ * Implementation of auth_cfg_wrapper_t.destroy
+ */
+static void destroy(private_auth_cfg_wrapper_t *this)
+{
+	free(this);
+}
+
+/*
+ * see header file
+ */
+auth_cfg_wrapper_t *auth_cfg_wrapper_create(auth_cfg_t *auth)
+{
+	private_auth_cfg_wrapper_t *this = malloc_thing(private_auth_cfg_wrapper_t);
+
+	this->public.set.create_private_enumerator = (void*)return_null;
+	this->public.set.create_cert_enumerator = (void*)create_enumerator;
+	this->public.set.create_shared_enumerator = (void*)return_null;
+	this->public.set.create_cdp_enumerator = (void*)return_null;
+	this->public.set.cache_cert = (void*)nop;
+	this->public.destroy = (void(*)(auth_cfg_wrapper_t*))destroy;
+
+	this->auth = auth;
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/credentials/sets/auth_cfg_wrapper.h b/src/libcharon/credentials/sets/auth_cfg_wrapper.h
new file mode 100644
index 000000000..7653fcdbf
--- /dev/null
+++ b/src/libcharon/credentials/sets/auth_cfg_wrapper.h
@@ -0,0 +1,53 @@
+/*
+ * Copyright (C) 2008-2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup auth_cfg_wrapper auth_cfg_wrapper
+ * @{ @ingroup sets
+ */
+
+#ifndef AUTH_CFG_WRAPPER_H_
+#define AUTH_CFG_WRAPPER_H_
+
+#include <config/auth_cfg.h>
+#include <credentials/credential_set.h>
+
+typedef struct auth_cfg_wrapper_t auth_cfg_wrapper_t;
+
+/**
+ * A wrapper around auth_cfg_t to handle it as a credential set.
+ */
+struct auth_cfg_wrapper_t {
+
+	/**
+	 * implements credential_set_t
+	 */
+	credential_set_t set;
+
+	/**
+	 * Destroy a auth_cfg_wrapper instance.
+	 */
+	void (*destroy)(auth_cfg_wrapper_t *this);
+};
+
+/**
+ * Create a auth_cfg_wrapper instance.
+ *
+ * @param auth		the wrapped auth info
+ * @return			wrapper around auth
+ */
+auth_cfg_wrapper_t *auth_cfg_wrapper_create(auth_cfg_t *auth);
+
+#endif /** AUTH_CFG_WRAPPER_H_ @}*/
diff --git a/src/libcharon/credentials/sets/cert_cache.c b/src/libcharon/credentials/sets/cert_cache.c
new file mode 100644
index 000000000..176accce2
--- /dev/null
+++ b/src/libcharon/credentials/sets/cert_cache.c
@@ -0,0 +1,390 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "cert_cache.h"
+
+#include <time.h>
+#include <sched.h>
+
+#include <daemon.h>
+#include <threading/rwlock.h>
+#include <utils/linked_list.h>
+
+/** cache size, a power of 2 for fast modulo */
+#define CACHE_SIZE 32
+
+/** attempts to acquire a cache lock */
+#define REPLACE_TRIES 5
+
+typedef struct private_cert_cache_t private_cert_cache_t;
+typedef struct relation_t relation_t;
+
+/**
+ * A trusted relation between subject and issuer
+ */
+struct relation_t {
+
+	/**
+	 * subject of this relation
+	 */
+	certificate_t *subject;
+
+	/**
+	 * issuer of this relation
+	 */
+	certificate_t *issuer;
+
+	/**
+	 * Cache hits
+	 */
+	u_int hits;
+
+	/**
+	 * Lock for this relation
+	 */
+	rwlock_t *lock;
+};
+
+/**
+ * private data of cert_cache
+ */
+struct private_cert_cache_t {
+
+	/**
+	 * public functions
+	 */
+	cert_cache_t public;
+
+	/**
+	 * array of trusted subject-issuer relations
+	 */
+	relation_t relations[CACHE_SIZE];
+};
+
+/**
+ * Cache relation in a free slot/replace an other
+ */
+static void cache(private_cert_cache_t *this,
+				  certificate_t *subject, certificate_t *issuer)
+{
+	relation_t *rel;
+	int i, offset, try;
+	u_int total_hits = 0;
+
+	/* check for a unused relation slot first */
+	for (i = 0; i < CACHE_SIZE; i++)
+	{
+		rel = &this->relations[i];
+
+		if (!rel->subject && rel->lock->try_write_lock(rel->lock))
+		{
+			/* double-check having lock */
+			if (!rel->subject)
+			{
+				rel->subject = subject->get_ref(subject);
+				rel->issuer = issuer->get_ref(issuer);
+				return rel->lock->unlock(rel->lock);
+			}
+			rel->lock->unlock(rel->lock);
+		}
+		total_hits += rel->hits;
+	}
+	/* run several attempts to replace a random slot, never block. */
+	for (try = 0; try < REPLACE_TRIES; try++)
+	{
+		/* replace a random relation */
+		offset = random();
+		for (i = 0; i < CACHE_SIZE; i++)
+		{
+			rel = &this->relations[(i + offset) % CACHE_SIZE];
+
+			if (rel->hits > total_hits / CACHE_SIZE)
+			{	/* skip often used slots */
+				continue;
+			}
+			if (rel->lock->try_write_lock(rel->lock))
+			{
+				if (rel->subject)
+				{
+					rel->subject->destroy(rel->subject);
+					rel->issuer->destroy(rel->issuer);
+				}
+				rel->subject = subject->get_ref(subject);
+				rel->issuer = issuer->get_ref(issuer);
+				rel->hits = 0;
+				return rel->lock->unlock(rel->lock);
+			}
+		}
+		/* give other threads a chance to release locks */
+		sched_yield();
+	}
+}
+
+/**
+ * Implementation of cert_cache_t.issued_by.
+ */
+static bool issued_by(private_cert_cache_t *this,
+					  certificate_t *subject, certificate_t *issuer)
+{
+	relation_t *found = NULL, *current;
+	int i;
+
+	for (i = 0; i < CACHE_SIZE; i++)
+	{
+		current = &this->relations[i];
+
+		current->lock->read_lock(current->lock);
+		if (current->subject)
+		{
+			/* check for equal issuer */
+			if (issuer->equals(issuer, current->issuer))
+			{
+				/* reuse issuer instance in cache() */
+				issuer = current->issuer;
+				if (subject->equals(subject, current->subject))
+				{
+					/* write hit counter is not locked, but not critical */
+					current->hits++;
+					found = current;
+				}
+			}
+		}
+		current->lock->unlock(current->lock);
+		if (found)
+		{
+			return TRUE;
+		}
+	}
+	/* no cache hit, check and cache signature */
+	if (subject->issued_by(subject, issuer))
+	{
+		cache(this, subject, issuer);
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/**
+ * certificate enumerator implemenation
+ */
+typedef struct {
+	/** implements enumerator_t interface */
+	enumerator_t public;
+	/** type of requested certificate */
+	certificate_type_t cert;
+	/** type of requested key */
+	key_type_t key;
+	/** ID to get a cert for */
+	identification_t *id;
+	/** cache */
+	relation_t *relations;
+	/** current position in array cache */
+	int index;
+	/** currently locked relation */
+	int locked;
+} cert_enumerator_t;
+
+/**
+ * filter function for certs enumerator
+ */
+static bool cert_enumerate(cert_enumerator_t *this, certificate_t **out)
+{
+	public_key_t *public;
+	relation_t *rel;
+
+	if (this->locked >= 0)
+	{
+		rel = &this->relations[this->locked];
+		rel->lock->unlock(rel->lock);
+		this->locked = -1;
+	}
+
+	while (++this->index < CACHE_SIZE)
+	{
+		rel = &this->relations[this->index];
+		rel->lock->read_lock(rel->lock);
+		this->locked = this->index;
+		if (rel->subject)
+		{
+			/* CRL lookup is done using issuer/authkeyidentifier */
+			if (this->key == KEY_ANY && this->id &&
+				(this->cert == CERT_ANY || this->cert == CERT_X509_CRL) &&
+				rel->subject->get_type(rel->subject) == CERT_X509_CRL &&
+				rel->subject->has_issuer(rel->subject, this->id))
+			{
+				*out = rel->subject;
+				return TRUE;
+			}
+			if ((this->cert == CERT_ANY ||
+				 rel->subject->get_type(rel->subject) == this->cert) &&
+				(!this->id || rel->subject->has_subject(rel->subject, this->id)))
+			{
+				if (this->key == KEY_ANY)
+				{
+					*out = rel->subject;
+					return TRUE;
+				}
+				public = rel->subject->get_public_key(rel->subject);
+				if (public)
+				{
+					if (public->get_type(public) == this->key)
+					{
+						public->destroy(public);
+						*out = rel->subject;
+						return TRUE;
+					}
+					public->destroy(public);
+				}
+			}
+		}
+		this->locked = -1;
+		rel->lock->unlock(rel->lock);
+	}
+	return FALSE;
+}
+
+/**
+ * clean up enumeration data
+ */
+static void cert_enumerator_destroy(cert_enumerator_t *this)
+{
+	relation_t *rel;
+
+	if (this->locked >= 0)
+	{
+		rel = &this->relations[this->locked];
+		rel->lock->unlock(rel->lock);
+	}
+	free(this);
+}
+
+/**
+ * implementation of credential_set_t.create_cert_enumerator
+ */
+static enumerator_t *create_enumerator(private_cert_cache_t *this,
+									   certificate_type_t cert, key_type_t key,
+									   identification_t *id, bool trusted)
+{
+	cert_enumerator_t *enumerator;
+
+	if (trusted)
+	{
+		return NULL;
+	}
+	enumerator = malloc_thing(cert_enumerator_t);
+	enumerator->public.enumerate = (void*)cert_enumerate;
+	enumerator->public.destroy = (void*)cert_enumerator_destroy;
+	enumerator->cert = cert;
+	enumerator->key = key;
+	enumerator->id = id;
+	enumerator->relations = this->relations;
+	enumerator->index = -1;
+	enumerator->locked = -1;
+
+	return &enumerator->public;
+}
+
+/**
+ * Implementation of cert_cache_t.flush.
+ */
+static void flush(private_cert_cache_t *this, certificate_type_t type)
+{
+	relation_t *rel;
+	int i;
+
+	for (i = 0; i < CACHE_SIZE; i++)
+	{
+		rel = &this->relations[i];
+		if (!rel->subject)
+		{
+			continue;
+		}
+		/* check with cheap read lock first */
+		if (type != CERT_ANY)
+		{
+			rel->lock->read_lock(rel->lock);
+			if (!rel->subject || type != rel->subject->get_type(rel->subject))
+			{
+				rel->lock->unlock(rel->lock);
+				continue;
+			}
+			rel->lock->unlock(rel->lock);
+		}
+		/* double check in write lock */
+		rel->lock->write_lock(rel->lock);
+		if (rel->subject)
+		{
+			if (type == CERT_ANY || type == rel->subject->get_type(rel->subject))
+			{
+				rel->subject->destroy(rel->subject);
+				rel->issuer->destroy(rel->issuer);
+				rel->subject = NULL;
+				rel->issuer = NULL;
+				rel->hits = 0;
+			}
+		}
+		rel->lock->unlock(rel->lock);
+	}
+}
+
+/**
+ * Implementation of cert_cache_t.destroy
+ */
+static void destroy(private_cert_cache_t *this)
+{
+	relation_t *rel;
+	int i;
+
+	for (i = 0; i < CACHE_SIZE; i++)
+	{
+		rel = &this->relations[i];
+		if (rel->subject)
+		{
+			rel->subject->destroy(rel->subject);
+			rel->issuer->destroy(rel->issuer);
+		}
+		rel->lock->destroy(rel->lock);
+	}
+	free(this);
+}
+
+/*
+ * see header file
+ */
+cert_cache_t *cert_cache_create()
+{
+	private_cert_cache_t *this;
+	int i;
+
+	this = malloc_thing(private_cert_cache_t);
+	this->public.set.create_private_enumerator = (void*)return_null;
+	this->public.set.create_cert_enumerator = (void*)create_enumerator;
+	this->public.set.create_shared_enumerator = (void*)return_null;
+	this->public.set.create_cdp_enumerator = (void*)return_null;
+	this->public.set.cache_cert = (void*)nop;
+	this->public.issued_by = (bool(*)(cert_cache_t*, certificate_t *subject, certificate_t *issuer))issued_by;
+	this->public.flush = (void(*)(cert_cache_t*, certificate_type_t type))flush;
+	this->public.destroy = (void(*)(cert_cache_t*))destroy;
+
+	for (i = 0; i < CACHE_SIZE; i++)
+	{
+		this->relations[i].subject = NULL;
+		this->relations[i].issuer = NULL;
+		this->relations[i].hits = 0;
+		this->relations[i].lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
+	}
+	return &this->public;
+}
+
diff --git a/src/libcharon/credentials/sets/cert_cache.h b/src/libcharon/credentials/sets/cert_cache.h
new file mode 100644
index 000000000..d2721866e
--- /dev/null
+++ b/src/libcharon/credentials/sets/cert_cache.h
@@ -0,0 +1,71 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup cert_cache cert_cache
+ * @{ @ingroup sets
+ */
+
+#ifndef CERT_CACHE_H_
+#define CERT_CACHE_H_
+
+#include <credentials/credential_set.h>
+
+typedef struct cert_cache_t cert_cache_t;
+
+/**
+ * Certificate signature verification and certificate cache.
+ *
+ * This cache serves all certificates seen in its issued_by method
+ * and serves them as untrusted through the credential set interface. Further,
+ * it caches valid subject-issuer relationships to speed up the issued_by
+ * method.
+ */
+struct cert_cache_t {
+
+	/**
+	 * Implements credential_set_t.
+	 */
+	credential_set_t set;
+
+	/**
+	 * Caching wrapper around certificate_t.issued_by.
+	 *
+	 * @param subject		certificate to verify
+	 * @param issuer		issuing certificate to verify subject
+	 * @return				TRUE if subject issued by issuer
+	 */
+	bool (*issued_by)(cert_cache_t *this,
+					  certificate_t *subject, certificate_t *issuer);
+
+	/**
+	 * Flush the certificate cache.
+	 *
+	 * @param type			type of certificate to flush, or CERT_ANY
+	 */
+	void (*flush)(cert_cache_t *this, certificate_type_t type);
+
+	/**
+	 * Destroy a cert_cache instance.
+	 */
+	void (*destroy)(cert_cache_t *this);
+};
+
+/**
+ * Create a cert_cache instance.
+ */
+cert_cache_t *cert_cache_create();
+
+#endif /** CERT_CACHE_H_ @}*/
diff --git a/src/libcharon/credentials/sets/ocsp_response_wrapper.c b/src/libcharon/credentials/sets/ocsp_response_wrapper.c
new file mode 100644
index 000000000..82079209a
--- /dev/null
+++ b/src/libcharon/credentials/sets/ocsp_response_wrapper.c
@@ -0,0 +1,147 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ocsp_response_wrapper.h"
+
+typedef struct private_ocsp_response_wrapper_t private_ocsp_response_wrapper_t;
+
+/**
+ * private data of ocsp_response_wrapper
+ */
+struct private_ocsp_response_wrapper_t {
+
+	/**
+	 * public functions
+	 */
+	ocsp_response_wrapper_t public;
+
+	/**
+	 * wrapped OCSP response
+	 */
+	ocsp_response_t *response;
+};
+
+/**
+ * enumerator for ocsp_response_wrapper_t.create_cert_enumerator()
+ */
+typedef struct {
+	/** implements enumerator_t */
+	enumerator_t public;
+	/** enumerator over ocsp response */
+	enumerator_t *inner;
+	/** type of cert */
+	certificate_type_t cert;
+	/** type of key */
+	key_type_t key;
+	/** filtering identity */
+	identification_t *id;
+} wrapper_enumerator_t;
+
+/**
+ * enumerate function wrapper_enumerator_t
+ */
+static bool enumerate(wrapper_enumerator_t *this, certificate_t **cert)
+{
+	certificate_t *current;
+	public_key_t *public;
+
+	while (this->inner->enumerate(this->inner, &current))
+	{
+		if (this->cert != CERT_ANY && this->cert != current->get_type(current))
+		{	/* CERT type requested, but does not match */
+			continue;
+		}
+		public = current->get_public_key(current);
+		if (this->key != KEY_ANY && !public)
+		{	/* key type requested, but no public key */
+			DESTROY_IF(public);
+			continue;
+		}
+		if (this->key != KEY_ANY && public && this->key != public->get_type(public))
+		{	/* key type requested, but public key has another type */
+			DESTROY_IF(public);
+			continue;
+		}
+		DESTROY_IF(public);
+		if (this->id && !current->has_subject(current, this->id))
+		{	/* subject requested, but does not match */
+			continue;
+		}
+		*cert = current;
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/**
+ * destroy function for wrapper_enumerator_t
+ */
+static void enumerator_destroy(wrapper_enumerator_t *this)
+{
+	this->inner->destroy(this->inner);
+	free(this);
+}
+
+/**
+ * implementation of ocsp_response_wrapper_t.set.create_cert_enumerator
+ */
+static enumerator_t *create_enumerator(private_ocsp_response_wrapper_t *this,
+									   certificate_type_t cert, key_type_t key,
+									   identification_t *id, bool trusted)
+{
+	wrapper_enumerator_t *enumerator;
+
+	if (trusted)
+	{
+		return NULL;
+	}
+
+	enumerator = malloc_thing(wrapper_enumerator_t);
+	enumerator->cert = cert;
+	enumerator->key = key;
+	enumerator->id = id;
+	enumerator->inner = this->response->create_cert_enumerator(this->response);
+	enumerator->public.enumerate = (void*)enumerate;
+	enumerator->public.destroy = (void*)enumerator_destroy;
+	return &enumerator->public;
+}
+
+/**
+ * Implementation of ocsp_response_wrapper_t.destroy
+ */
+static void destroy(private_ocsp_response_wrapper_t *this)
+{
+	free(this);
+}
+
+/*
+ * see header file
+ */
+ocsp_response_wrapper_t *ocsp_response_wrapper_create(ocsp_response_t *response)
+{
+	private_ocsp_response_wrapper_t *this = malloc_thing(private_ocsp_response_wrapper_t);
+
+	this->public.set.create_private_enumerator = (void*)return_null;
+	this->public.set.create_cert_enumerator = (void*)create_enumerator;
+	this->public.set.create_shared_enumerator = (void*)return_null;
+	this->public.set.create_cdp_enumerator = (void*)return_null;
+	this->public.set.cache_cert = (void*)nop;
+	this->public.destroy = (void(*)(ocsp_response_wrapper_t*))destroy;
+
+	this->response = response;
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/credentials/sets/ocsp_response_wrapper.h b/src/libcharon/credentials/sets/ocsp_response_wrapper.h
new file mode 100644
index 000000000..dc4b451df
--- /dev/null
+++ b/src/libcharon/credentials/sets/ocsp_response_wrapper.h
@@ -0,0 +1,53 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ocsp_response_wrapper ocsp_response_wrapper
+ * @{ @ingroup sets
+ */
+
+#ifndef OCSP_RESPONSE_WRAPPER_H_
+#define OCSP_RESPONSE_WRAPPER_H_
+
+#include <credentials/credential_set.h>
+#include <credentials/certificates/ocsp_response.h>
+
+typedef struct ocsp_response_wrapper_t ocsp_response_wrapper_t;
+
+/**
+ * A wrapper around ocsp_response_t to handle it like a credential set.
+ */
+struct ocsp_response_wrapper_t {
+
+	/**
+	 * implements credential_set_t
+	 */
+	credential_set_t set;
+
+	/**
+	 * Destroy a ocsp_response_wrapper instance.
+	 */
+	void (*destroy)(ocsp_response_wrapper_t *this);
+};
+
+/**
+ * Create a ocsp_response_wrapper instance.
+ *
+ * @param response	the wrapped OCSP response
+ * @return			wrapper around response
+ */
+ocsp_response_wrapper_t *ocsp_response_wrapper_create(ocsp_response_t *response);
+
+#endif /** OCSP_RESPONSE_WRAPPER_H_ @}*/
diff --git a/src/libcharon/daemon.c b/src/libcharon/daemon.c
new file mode 100644
index 000000000..11c94beb9
--- /dev/null
+++ b/src/libcharon/daemon.c
@@ -0,0 +1,443 @@
+/*
+ * Copyright (C) 2006-2010 Tobias Brunner
+ * Copyright (C) 2005-2009 Martin Willi
+ * Copyright (C) 2006 Daniel Roethlisberger
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <stdio.h>
+#include <sys/types.h>
+#include <unistd.h>
+#include <time.h>
+#include <errno.h>
+#ifdef CAPABILITIES
+#include <sys/capability.h>
+#endif /* CAPABILITIES */
+
+#include "daemon.h"
+
+#include <library.h>
+#include <selectors/traffic_selector.h>
+#include <config/proposal.h>
+
+#ifndef LOG_AUTHPRIV /* not defined on OpenSolaris */
+#define LOG_AUTHPRIV LOG_AUTH
+#endif
+
+typedef struct private_daemon_t private_daemon_t;
+
+/**
+ * Private additions to daemon_t, contains threads and internal functions.
+ */
+struct private_daemon_t {
+	/**
+	 * Public members of daemon_t.
+	 */
+	daemon_t public;
+
+#ifdef CAPABILITIES
+	/**
+	 * capabilities to keep
+	 */
+	cap_t caps;
+#endif /* CAPABILITIES */
+};
+
+/**
+ * One and only instance of the daemon.
+ */
+daemon_t *charon;
+
+/**
+ * hook in library for debugging messages
+ */
+extern void (*dbg) (debug_t group, level_t level, char *fmt, ...);
+
+/**
+ * we store the previous debug function so we can reset it
+ */
+static void (*dbg_old) (debug_t group, level_t level, char *fmt, ...);
+
+/**
+ * Logging hook for library logs, spreads debug message over bus
+ */
+static void dbg_bus(debug_t group, level_t level, char *fmt, ...)
+{
+	va_list args;
+
+	va_start(args, fmt);
+	charon->bus->vlog(charon->bus, group, level, fmt, args);
+	va_end(args);
+}
+
+/**
+ * Clean up all daemon resources
+ */
+static void destroy(private_daemon_t *this)
+{
+	/* terminate all idle threads */
+	if (this->public.processor)
+	{
+		this->public.processor->set_threads(this->public.processor, 0);
+	}
+	/* close all IKE_SAs */
+	if (this->public.ike_sa_manager)
+	{
+		this->public.ike_sa_manager->flush(this->public.ike_sa_manager);
+	}
+	DESTROY_IF(this->public.receiver);
+	/* unload plugins to release threads */
+	lib->plugins->unload(lib->plugins);
+#ifdef CAPABILITIES
+	cap_free(this->caps);
+#endif /* CAPABILITIES */
+	DESTROY_IF(this->public.traps);
+	DESTROY_IF(this->public.ike_sa_manager);
+	DESTROY_IF(this->public.kernel_interface);
+	DESTROY_IF(this->public.scheduler);
+	DESTROY_IF(this->public.controller);
+	DESTROY_IF(this->public.eap);
+	DESTROY_IF(this->public.sim);
+#ifdef ME
+	DESTROY_IF(this->public.connect_manager);
+	DESTROY_IF(this->public.mediation_manager);
+#endif /* ME */
+	DESTROY_IF(this->public.backends);
+	DESTROY_IF(this->public.credentials);
+	DESTROY_IF(this->public.sender);
+	DESTROY_IF(this->public.socket);
+	/* wait until all threads are gone */
+	DESTROY_IF(this->public.processor);
+
+	/* rehook library logging, shutdown logging */
+	dbg = dbg_old;
+	DESTROY_IF(this->public.bus);
+	this->public.file_loggers->destroy_offset(this->public.file_loggers,
+											offsetof(file_logger_t, destroy));
+	this->public.sys_loggers->destroy_offset(this->public.sys_loggers,
+											offsetof(sys_logger_t, destroy));
+	free(this);
+}
+
+METHOD(daemon_t, keep_cap, void,
+	   private_daemon_t *this, u_int cap)
+{
+#ifdef CAPABILITIES
+	cap_set_flag(this->caps, CAP_EFFECTIVE, 1, &cap, CAP_SET);
+	cap_set_flag(this->caps, CAP_INHERITABLE, 1, &cap, CAP_SET);
+	cap_set_flag(this->caps, CAP_PERMITTED, 1, &cap, CAP_SET);
+#endif /* CAPABILITIES */
+}
+
+METHOD(daemon_t, drop_capabilities, bool,
+	   private_daemon_t *this)
+{
+#ifdef CAPABILITIES
+	if (cap_set_proc(this->caps) != 0)
+	{
+		return FALSE;
+	}
+#endif /* CAPABILITIES */
+	return TRUE;
+}
+
+METHOD(daemon_t, start, void,
+	   private_daemon_t *this)
+{
+	/* start the engine, go multithreaded */
+	charon->processor->set_threads(charon->processor,
+						lib->settings->get_int(lib->settings, "charon.threads",
+											   DEFAULT_THREADS));
+}
+
+/**
+ * Log loaded plugins
+ */
+static void print_plugins()
+{
+	char buf[512], *plugin;
+	int len = 0;
+	enumerator_t *enumerator;
+
+	buf[0] = '\0';
+	enumerator = lib->plugins->create_plugin_enumerator(lib->plugins);
+	while (len < sizeof(buf) && enumerator->enumerate(enumerator, &plugin))
+	{
+		len += snprintf(&buf[len], sizeof(buf)-len, "%s ", plugin);
+	}
+	enumerator->destroy(enumerator);
+	DBG1(DBG_DMN, "loaded plugins: %s", buf);
+}
+
+/**
+ * Initialize logging
+ */
+static void initialize_loggers(private_daemon_t *this, bool use_stderr,
+							   level_t levels[])
+{
+	sys_logger_t *sys_logger;
+	file_logger_t *file_logger;
+	enumerator_t *enumerator;
+	char *facility, *filename;
+	int loggers_defined = 0;
+	debug_t group;
+	level_t  def;
+	bool append;
+	FILE *file;
+
+	/* setup sysloggers */
+	enumerator = lib->settings->create_section_enumerator(lib->settings,
+														  "charon.syslog");
+	while (enumerator->enumerate(enumerator, &facility))
+	{
+		loggers_defined++;
+		if (streq(facility, "daemon"))
+		{
+			sys_logger = sys_logger_create(LOG_DAEMON);
+		}
+		else if (streq(facility, "auth"))
+		{
+			sys_logger = sys_logger_create(LOG_AUTHPRIV);
+		}
+		else
+		{
+			continue;
+		}
+		def = lib->settings->get_int(lib->settings,
+									 "charon.syslog.%s.default", 1, facility);
+		for (group = 0; group < DBG_MAX; group++)
+		{
+			sys_logger->set_level(sys_logger, group,
+				lib->settings->get_int(lib->settings,
+									   "charon.syslog.%s.%N", def,
+									   facility, debug_lower_names, group));
+		}
+		this->public.sys_loggers->insert_last(this->public.sys_loggers,
+											  sys_logger);
+		this->public.bus->add_listener(this->public.bus, &sys_logger->listener);
+	}
+	enumerator->destroy(enumerator);
+
+	/* and file loggers */
+	enumerator = lib->settings->create_section_enumerator(lib->settings,
+														  "charon.filelog");
+	while (enumerator->enumerate(enumerator, &filename))
+	{
+		loggers_defined++;
+		if (streq(filename, "stderr"))
+		{
+			file = stderr;
+		}
+		else if (streq(filename, "stdout"))
+		{
+			file = stdout;
+		}
+		else
+		{
+			append = lib->settings->get_bool(lib->settings,
+									"charon.filelog.%s.append", TRUE, filename);
+			file = fopen(filename, append ? "a" : "w");
+			if (file == NULL)
+			{
+				DBG1(DBG_DMN, "opening file %s for logging failed: %s",
+					 filename, strerror(errno));
+				continue;
+			}
+		}
+		file_logger = file_logger_create(file);
+		def = lib->settings->get_int(lib->settings,
+									 "charon.filelog.%s.default", 1, filename);
+		for (group = 0; group < DBG_MAX; group++)
+		{
+			file_logger->set_level(file_logger, group,
+				lib->settings->get_int(lib->settings,
+									   "charon.filelog.%s.%N", def,
+									   filename, debug_lower_names, group));
+		}
+		this->public.file_loggers->insert_last(this->public.file_loggers,
+											   file_logger);
+		this->public.bus->add_listener(this->public.bus, &file_logger->listener);
+
+	}
+	enumerator->destroy(enumerator);
+
+	/* set up legacy style default loggers provided via command-line */
+	if (!loggers_defined)
+	{
+		/* set up default stdout file_logger */
+		file_logger = file_logger_create(stdout);
+		this->public.bus->add_listener(this->public.bus, &file_logger->listener);
+		this->public.file_loggers->insert_last(this->public.file_loggers,
+											   file_logger);
+		/* set up default daemon sys_logger */
+		sys_logger = sys_logger_create(LOG_DAEMON);
+		this->public.bus->add_listener(this->public.bus, &sys_logger->listener);
+		this->public.sys_loggers->insert_last(this->public.sys_loggers,
+											  sys_logger);
+		for (group = 0; group < DBG_MAX; group++)
+		{
+			sys_logger->set_level(sys_logger, group, levels[group]);
+			if (use_stderr)
+			{
+				file_logger->set_level(file_logger, group, levels[group]);
+			}
+		}
+
+		/* set up default auth sys_logger */
+		sys_logger = sys_logger_create(LOG_AUTHPRIV);
+		this->public.bus->add_listener(this->public.bus, &sys_logger->listener);
+		this->public.sys_loggers->insert_last(this->public.sys_loggers,
+											  sys_logger);
+		sys_logger->set_level(sys_logger, DBG_ANY, LEVEL_AUDIT);
+	}
+}
+
+METHOD(daemon_t, initialize, bool,
+	   private_daemon_t *this, bool syslog, level_t levels[])
+{
+	/* for uncritical pseudo random numbers */
+	srandom(time(NULL) + getpid());
+
+	/* setup bus and it's listeners first to enable log output */
+	this->public.bus = bus_create();
+	/* set up hook to log dbg message in library via charons message bus */
+	dbg_old = dbg;
+	dbg = dbg_bus;
+
+	initialize_loggers(this, !syslog, levels);
+
+	DBG1(DBG_DMN, "Starting IKEv2 charon daemon (strongSwan "VERSION")");
+
+	if (lib->integrity)
+	{
+		DBG1(DBG_DMN, "integrity tests enabled:");
+		DBG1(DBG_DMN, "lib    'libstrongswan': passed file and segment integrity tests");
+		DBG1(DBG_DMN, "lib    'libhydra': passed file and segment integrity tests");
+		DBG1(DBG_DMN, "lib    'libcharon': passed file and segment integrity tests");
+		DBG1(DBG_DMN, "daemon 'charon': passed file integrity test");
+	}
+
+	/* load secrets, ca certificates and crls */
+	this->public.processor = processor_create();
+	this->public.scheduler = scheduler_create();
+	this->public.credentials = credential_manager_create();
+	this->public.controller = controller_create();
+	this->public.eap = eap_manager_create();
+	this->public.sim = sim_manager_create();
+	this->public.backends = backend_manager_create();
+	this->public.kernel_interface = kernel_interface_create();
+	this->public.socket = socket_manager_create();
+	this->public.traps = trap_manager_create();
+
+	/* load plugins, further infrastructure may need it */
+	if (!lib->plugins->load(lib->plugins, NULL,
+			lib->settings->get_str(lib->settings, "charon.load", PLUGINS)))
+	{
+		return FALSE;
+	}
+
+	print_plugins();
+
+	this->public.ike_sa_manager = ike_sa_manager_create();
+	if (this->public.ike_sa_manager == NULL)
+	{
+		return FALSE;
+	}
+	this->public.sender = sender_create();
+	this->public.receiver = receiver_create();
+	if (this->public.receiver == NULL)
+	{
+		return FALSE;
+	}
+
+#ifdef ME
+	this->public.connect_manager = connect_manager_create();
+	if (this->public.connect_manager == NULL)
+	{
+		return FALSE;
+	}
+	this->public.mediation_manager = mediation_manager_create();
+#endif /* ME */
+
+	return TRUE;
+}
+
+/**
+ * Create the daemon.
+ */
+private_daemon_t *daemon_create()
+{
+	private_daemon_t *this;
+
+	INIT(this,
+		.public = {
+			.keep_cap = _keep_cap,
+			.drop_capabilities = _drop_capabilities,
+			.initialize = _initialize,
+			.start = _start,
+			.file_loggers = linked_list_create(),
+			.sys_loggers = linked_list_create(),
+		},
+	);
+
+#ifdef CAPABILITIES
+	this->caps = cap_init();
+	keep_cap(this, CAP_NET_ADMIN);
+	if (lib->leak_detective)
+	{
+		keep_cap(this, CAP_SYS_NICE);
+	}
+#endif /* CAPABILITIES */
+
+	return this;
+}
+
+/**
+ * Described in header.
+ */
+void libcharon_deinit()
+{
+
+	destroy((private_daemon_t*)charon);
+	charon = NULL;
+}
+
+/**
+ * Described in header.
+ */
+bool libcharon_init()
+{
+	private_daemon_t *this;
+
+	this = daemon_create();
+	charon = &this->public;
+
+	lib->printf_hook->add_handler(lib->printf_hook, 'R',
+								  traffic_selector_printf_hook,
+								  PRINTF_HOOK_ARGTYPE_POINTER,
+								  PRINTF_HOOK_ARGTYPE_END);
+	lib->printf_hook->add_handler(lib->printf_hook, 'P',
+								  proposal_printf_hook,
+								  PRINTF_HOOK_ARGTYPE_POINTER,
+								  PRINTF_HOOK_ARGTYPE_END);
+
+	if (lib->integrity &&
+		!lib->integrity->check(lib->integrity, "libcharon", libcharon_init))
+	{
+		dbg(DBG_DMN, 1, "integrity check of libcharon failed");
+		return FALSE;
+	}
+
+	return TRUE;
+}
diff --git a/src/libcharon/daemon.h b/src/libcharon/daemon.h
new file mode 100644
index 000000000..9b6d97060
--- /dev/null
+++ b/src/libcharon/daemon.h
@@ -0,0 +1,341 @@
+/*
+ * Copyright (C) 2006-2010 Tobias Brunner
+ * Copyright (C) 2005-2009 Martin Willi
+ * Copyright (C) 2006 Daniel Roethlisberger
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup libcharon libcharon
+ *
+ * @defgroup bus bus
+ * @ingroup libcharon
+ *
+ * @defgroup listeners listeners
+ * @ingroup bus
+ *
+ * @defgroup config config
+ * @ingroup libcharon
+ *
+ * @defgroup control control
+ * @ingroup libcharon
+ *
+ * @defgroup ccredentials credentials
+ * @ingroup libcharon
+ *
+ * @defgroup sets sets
+ * @ingroup ccredentials
+ *
+ * @defgroup encoding encoding
+ * @ingroup libcharon
+ *
+ * @defgroup payloads payloads
+ * @ingroup encoding
+ *
+ * @defgroup kernel kernel
+ * @ingroup libcharon
+ *
+ * @defgroup network network
+ * @ingroup libcharon
+ *
+ * @defgroup cplugins plugins
+ * @ingroup libcharon
+ *
+ * @defgroup processing processing
+ * @ingroup libcharon
+ *
+ * @defgroup jobs jobs
+ * @ingroup processing
+ *
+ * @defgroup sa sa
+ * @ingroup libcharon
+ *
+ * @defgroup authenticators authenticators
+ * @ingroup sa
+ *
+ * @defgroup eap eap
+ * @ingroup authenticators
+ *
+ * @defgroup tasks tasks
+ * @ingroup sa
+ *
+ * @addtogroup libcharon
+ * @{
+ *
+ * IKEv2 keying daemon.
+ *
+ * All IKEv2 stuff is handled in charon. It uses a newer and more flexible
+ * architecture than pluto. Charon uses a thread-pool (called processor),
+ * which allows parallel execution SA-management. All threads originate
+ * from the processor. Work is delegated to the processor by queueing jobs
+ * to it.
+   @verbatim
+
+      +---------------------------------+       +----------------------------+
+      |           controller            |       |          config            |
+      +---------------------------------+       +----------------------------+
+               |      |      |                           ^     ^    ^
+               V      V      V                           |     |    |
+
+       +----------+  +-----------+   +------+            +----------+    +----+
+       | receiver |  |           |   |      |  +------+  | CHILD_SA |    | K  |
+       +---+------+  | Scheduler |   | IKE- |  | IKE- |--+----------+    | e  |
+           |         |           |   | SA   |--| SA   |  | CHILD_SA |    | r  |
+    +------+---+     +-----------+   |      |  +------+  +----------+    | n  |
+ <->|  socket  |           |         | Man- |                            | e  |
+    +------+---+     +-----------+   | ager |  +------+  +----------+    | l  |
+           |         |           |   |      |  | IKE- |--| CHILD_SA |    | -  |
+       +---+------+  | Processor |---|      |--| SA   |  +----------+    | I  |
+       |  sender  |  |           |   |      |  +------+                  | f  |
+       +----------+  +-----------+   +------+                            +----+
+
+               |      |      |                        |      |      |
+               V      V      V                        V      V      V
+      +---------------------------------+       +----------------------------+
+      |               Bus               |       |         credentials        |
+      +---------------------------------+       +----------------------------+
+
+   @endverbatim
+ * The scheduler is responsible to execute timed events. Jobs may be queued to
+ * the scheduler to get executed at a defined time (e.g. rekeying). The
+ * scheduler does not execute the jobs itself, it queues them to the processor.
+ *
+ * The IKE_SA manager managers all IKE_SA. It further handles the
+ * synchronization:
+ * Each IKE_SA must be checked out strictly and checked in again after use. The
+ * manager guarantees that only one thread may check out a single IKE_SA. This
+ * allows us to write the (complex) IKE_SAs routines non-threadsave.
+ * The IKE_SA contain the state and the logic of each IKE_SA and handle the
+ * messages.
+ *
+ * The CHILD_SA contains state about a IPsec security association and manages
+ * them. An IKE_SA may have multiple CHILD_SAs. Communication to the kernel
+ * takes place here through the kernel interface.
+ *
+ * The kernel interface installs IPsec security associations, policies, routes
+ * and virtual addresses. It further provides methods to enumerate interfaces
+ * and may notify the daemon about state changes at lower layers.
+ *
+ * The bus receives signals from the different threads and relays them to
+ * interested listeners. Debugging signals, but also important state changes or
+ * error messages are sent over the bus.
+ * Its listeners are not only for logging, but also to track the state of an
+ * IKE_SA.
+ *
+ * The controller, credential_manager, bus and backend_manager (config) are
+ * places where a plugin ca register itself to privide information or observe
+ * and control the daemon.
+ */
+
+#ifndef DAEMON_H_
+#define DAEMON_H_
+
+typedef struct daemon_t daemon_t;
+
+#include <network/sender.h>
+#include <network/receiver.h>
+#include <network/socket_manager.h>
+#include <processing/scheduler.h>
+#include <processing/processor.h>
+#include <kernel/kernel_interface.h>
+#include <control/controller.h>
+#include <bus/bus.h>
+#include <bus/listeners/file_logger.h>
+#include <bus/listeners/sys_logger.h>
+#include <sa/ike_sa_manager.h>
+#include <sa/trap_manager.h>
+#include <config/backend_manager.h>
+#include <credentials/credential_manager.h>
+#include <sa/authenticators/eap/eap_manager.h>
+#include <sa/authenticators/eap/sim_manager.h>
+
+#ifdef ME
+#include <sa/connect_manager.h>
+#include <sa/mediation_manager.h>
+#endif /* ME */
+
+/**
+ * Number of threads in the thread pool, if not specified in config.
+ */
+#define DEFAULT_THREADS 16
+
+/**
+ * UDP Port on which the daemon will listen for incoming traffic.
+ */
+#define IKEV2_UDP_PORT 500
+
+/**
+ * UDP Port to which the daemon will float to if NAT is detected.
+ */
+#define IKEV2_NATT_PORT 4500
+
+/**
+ * Main class of daemon, contains some globals.
+ */
+struct daemon_t {
+
+	/**
+	 * Socket manager instance
+	 */
+	socket_manager_t *socket;
+
+	/**
+	 * A ike_sa_manager_t instance.
+	 */
+	ike_sa_manager_t *ike_sa_manager;
+
+	/**
+	 * Manager for triggering policies, called traps
+	 */
+	trap_manager_t *traps;
+
+	/**
+	 * Manager for the different configuration backends.
+	 */
+	backend_manager_t *backends;
+
+	/**
+	 * Manager for the credential backends
+	 */
+	credential_manager_t *credentials;
+
+	/**
+	 * The Sender-Thread.
+	 */
+	sender_t *sender;
+
+	/**
+	 * The Receiver-Thread.
+	 */
+	receiver_t *receiver;
+
+	/**
+	 * The Scheduler-Thread.
+	 */
+	scheduler_t *scheduler;
+
+	/**
+	 * Job processing using a thread pool.
+	 */
+	processor_t *processor;
+
+	/**
+	 * The signaling bus.
+	 */
+	bus_t *bus;
+
+	/**
+	 * A list of installed file_logger_t's
+	 */
+	linked_list_t *file_loggers;
+
+	/**
+	 * A list of installed sys_logger_t's
+	 */
+	linked_list_t *sys_loggers;
+
+	/**
+	 * Kernel Interface to communicate with kernel
+	 */
+	kernel_interface_t *kernel_interface;
+
+	/**
+	 * Controller to control the daemon
+	 */
+	controller_t *controller;
+
+	/**
+	 * EAP manager to maintain registered EAP methods
+	 */
+	eap_manager_t *eap;
+
+	/**
+	 * SIM manager to maintain (U)SIM cards/providers
+	 */
+	sim_manager_t *sim;
+
+#ifdef ME
+	/**
+	 * Connect manager
+	 */
+	connect_manager_t *connect_manager;
+
+	/**
+	 * Mediation manager
+	 */
+	mediation_manager_t *mediation_manager;
+#endif /* ME */
+
+	/**
+	 * User ID the daemon will user after initialization
+	 */
+	uid_t uid;
+
+	/**
+	 * Group ID the daemon will use after initialization
+	 */
+	gid_t gid;
+
+	/**
+	 * Do not drop a given capability after initialization.
+	 *
+	 * Some plugins might need additional capabilites. They tell the daemon
+	 * during plugin initialization which one they need, the daemon won't
+	 * drop these.
+	 */
+	void (*keep_cap)(daemon_t *this, u_int cap);
+
+	/**
+	 * Drop all capabilities of the current process.
+	 *
+	 * Drops all capabalities, excect those exlcuded using keep_cap().
+	 * This should be called after the initialization of the daemon because
+	 * some plugins require the process to keep additional capabilities.
+	 *
+	 * @return		TRUE if successful, FALSE otherwise
+	 */
+	bool (*drop_capabilities)(daemon_t *this);
+
+	/**
+	 * Initialize the daemon.
+	 */
+	bool (*initialize)(daemon_t *this, bool syslog, level_t levels[]);
+
+	/**
+	 * Starts the daemon, i.e. spawns the threads of the thread pool.
+	 */
+	void (*start)(daemon_t *this);
+
+};
+
+/**
+ * The one and only instance of the daemon.
+ *
+ * Set between libcharon_init() and libcharon_deinit() calls.
+ */
+extern daemon_t *charon;
+
+/**
+ * Initialize libcharon and create the "charon" instance of daemon_t.
+ *
+ * @return		FALSE if integrity check failed
+ */
+bool libcharon_init();
+
+/**
+ * Deinitialize libcharon and destroy the "charon" instance of daemon_t.
+ */
+void libcharon_deinit();
+
+#endif /** DAEMON_H_ @}*/
diff --git a/src/libcharon/encoding/generator.c b/src/libcharon/encoding/generator.c
new file mode 100644
index 000000000..6485da492
--- /dev/null
+++ b/src/libcharon/encoding/generator.c
@@ -0,0 +1,888 @@
+/*
+ * Copyright (C) 2005-2009 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <stdlib.h>
+#include <string.h>
+#include <arpa/inet.h>
+#include <stdio.h>
+
+#include "generator.h"
+
+#include <library.h>
+#include <daemon.h>
+#include <utils/linked_list.h>
+#include <encoding/payloads/payload.h>
+#include <encoding/payloads/proposal_substructure.h>
+#include <encoding/payloads/transform_substructure.h>
+#include <encoding/payloads/sa_payload.h>
+#include <encoding/payloads/ke_payload.h>
+#include <encoding/payloads/notify_payload.h>
+#include <encoding/payloads/nonce_payload.h>
+#include <encoding/payloads/id_payload.h>
+#include <encoding/payloads/auth_payload.h>
+#include <encoding/payloads/cert_payload.h>
+#include <encoding/payloads/certreq_payload.h>
+#include <encoding/payloads/ts_payload.h>
+#include <encoding/payloads/delete_payload.h>
+#include <encoding/payloads/vendor_id_payload.h>
+#include <encoding/payloads/cp_payload.h>
+#include <encoding/payloads/configuration_attribute.h>
+#include <encoding/payloads/eap_payload.h>
+
+
+typedef struct private_generator_t private_generator_t;
+
+/**
+ * Private part of a generator_t object.
+ */
+struct private_generator_t {
+	/**
+	 * Public part of a generator_t object.
+	 */
+	 generator_t public;
+
+	/**
+	 * Buffer used to generate the data into.
+	 */
+	u_int8_t *buffer;
+
+	/**
+	 * Current write position in buffer (one byte aligned).
+	 */
+	u_int8_t *out_position;
+
+	/**
+	 * Position of last byte in buffer.
+	 */
+	u_int8_t *roof_position;
+
+	/**
+	 * Current bit writing to in current byte (between 0 and 7).
+	 */
+	u_int8_t current_bit;
+
+	/**
+	 * Associated data struct to read informations from.
+	 */
+	void *data_struct;
+
+	/*
+	 * Last payload length position offset in the buffer.
+	 */
+	u_int32_t last_payload_length_position_offset;
+
+	/**
+	 * Offset of the header length field in the buffer.
+	 */
+	u_int32_t header_length_position_offset;
+
+	/**
+	 * Last SPI size.
+	 */
+	u_int8_t last_spi_size;
+
+	/**
+	 * Attribute format of the last generated transform attribute.
+	 *
+	 * Used to check if a variable value field is used or not for
+	 * the transform attribute value.
+	 */
+	bool attribute_format;
+
+	/**
+	 * Depending on the value of attribute_format this field is used
+	 * to hold the length of the transform attribute in bytes.
+	 */
+	u_int16_t attribute_length;
+};
+
+/**
+ * Get size of current buffer in bytes.
+ */
+static int get_size(private_generator_t *this)
+{
+	return this->roof_position - this->buffer;
+}
+
+/**
+ * Get free space of current buffer in bytes.
+ */
+static int get_space(private_generator_t *this)
+{
+	return this->roof_position - this->out_position;
+}
+
+/**
+ * Get length of data in buffer (in bytes).
+ */
+static int get_length(private_generator_t *this)
+{
+	return this->out_position - this->buffer;
+}
+
+/**
+ * Get current offset in buffer (in bytes).
+ */
+static u_int32_t get_offset(private_generator_t *this)
+{
+	return this->out_position - this->buffer;
+}
+
+/**
+ * Makes sure enough space is available in buffer to store amount of bits.
+ */
+static void make_space_available(private_generator_t *this, int bits)
+{
+	while ((get_space(this) * 8 - this->current_bit) < bits)
+	{
+		int old_buffer_size, new_buffer_size, out_position_offset;
+
+		old_buffer_size = get_size(this);
+		new_buffer_size = old_buffer_size + GENERATOR_DATA_BUFFER_INCREASE_VALUE;
+		out_position_offset = this->out_position - this->buffer;
+
+		DBG2(DBG_ENC, "increasing gen buffer from %d to %d byte",
+			 old_buffer_size, new_buffer_size);
+
+		this->buffer = realloc(this->buffer,new_buffer_size);
+		this->out_position = (this->buffer + out_position_offset);
+		this->roof_position = (this->buffer + new_buffer_size);
+	}
+}
+
+/**
+ * Writes a specific amount of byte into the buffer.
+ */
+static void write_bytes_to_buffer(private_generator_t *this, void *bytes,
+								  int number_of_bytes)
+{
+	int i;
+	u_int8_t *read_position = (u_int8_t *)bytes;
+
+	make_space_available(this, number_of_bytes * 8);
+
+	for (i = 0; i < number_of_bytes; i++)
+	{
+		*(this->out_position) = *(read_position);
+		read_position++;
+		this->out_position++;
+	}
+}
+
+/**
+ * Writes a specific amount of byte into the buffer at a specific offset.
+ */
+static void write_bytes_to_buffer_at_offset(private_generator_t *this,
+						void *bytes, int number_of_bytes, u_int32_t offset)
+{
+	int i;
+	u_int8_t *read_position = (u_int8_t *)bytes;
+	u_int8_t *write_position;
+	u_int32_t free_space_after_offset = get_size(this) - offset;
+
+	/* check first if enough space for new data is available */
+	if (number_of_bytes > free_space_after_offset)
+	{
+		make_space_available(this,
+							 (number_of_bytes - free_space_after_offset) * 8);
+	}
+
+	write_position = this->buffer + offset;
+	for (i = 0; i < number_of_bytes; i++)
+	{
+		*write_position = *read_position;
+		read_position++;
+		write_position++;
+	}
+}
+
+/**
+ * Generates a U_INT-Field type and writes it to buffer.
+ */
+static void generate_u_int_type(private_generator_t *this,
+								encoding_type_t int_type,u_int32_t offset)
+{
+	int number_of_bits = 0;
+
+	/* find out number of bits of each U_INT type to check for enough space */
+	switch (int_type)
+	{
+		case U_INT_4:
+			number_of_bits = 4;
+			break;
+		case TS_TYPE:
+		case U_INT_8:
+			number_of_bits = 8;
+			break;
+		case U_INT_16:
+		case CONFIGURATION_ATTRIBUTE_LENGTH:
+			number_of_bits = 16;
+			break;
+		case U_INT_32:
+			number_of_bits = 32;
+			break;
+		case ATTRIBUTE_TYPE:
+			number_of_bits = 15;
+			break;
+		case IKE_SPI:
+			number_of_bits = 64;
+			break;
+		default:
+			DBG1(DBG_ENC, "U_INT Type %N is not supported",
+				 encoding_type_names, int_type);
+			return;
+	}
+	if ((number_of_bits % 8) == 0 && this->current_bit != 0)
+	{
+		DBG1(DBG_ENC, "U_INT Type %N is not 8 Bit aligned",
+			 encoding_type_names, int_type);
+		return;
+	}
+
+	make_space_available(this, number_of_bits);
+	switch (int_type)
+	{
+		case U_INT_4:
+		{
+			u_int8_t high, low;
+
+			if (this->current_bit == 0)
+			{
+				/* high of current byte in buffer has to be set to the new value*/
+				high = *((u_int8_t *)(this->data_struct + offset)) << 4;
+				/* low in buffer is not changed */
+				low = *(this->out_position) & 0x0F;
+				/* high is set, low_val is not changed */
+				*(this->out_position) = high | low;
+				DBG3(DBG_ENC, "   => %d", *(this->out_position));
+				/* write position is not changed, just bit position is moved */
+				this->current_bit = 4;
+			}
+			else if (this->current_bit == 4)
+			{
+				/* high in buffer is not changed */
+				high = *(this->out_position) & 0xF0;
+				/* low of current byte in buffer has to be set to the new value*/
+				low = *((u_int8_t *)(this->data_struct + offset)) & 0x0F;
+				*(this->out_position) = high | low;
+				DBG3(DBG_ENC, "   => %d", *(this->out_position));
+				this->out_position++;
+				this->current_bit = 0;
+			}
+			else
+			{
+				DBG1(DBG_ENC, "U_INT_4 Type is not 4 Bit aligned");
+				/* 4 Bit integers must have a 4 bit alignment */
+				return;
+			}
+			break;
+		}
+		case TS_TYPE:
+		case U_INT_8:
+		{
+			/* 8 bit values are written as they are */
+			*this->out_position = *((u_int8_t *)(this->data_struct + offset));
+			DBG3(DBG_ENC, "   => %d", *(this->out_position));
+			this->out_position++;
+			break;
+		}
+		case ATTRIBUTE_TYPE:
+		{
+			u_int8_t attribute_format_flag;
+			u_int16_t val;
+
+			/* attribute type must not change first bit of current byte */
+			if (this->current_bit != 1)
+			{
+				DBG1(DBG_ENC, "ATTRIBUTE FORMAT flag is not set");
+				return;
+			}
+			attribute_format_flag = *(this->out_position) & 0x80;
+			/* get attribute type value as 16 bit integer*/
+			val = *((u_int16_t*)(this->data_struct + offset));
+			/* unset most significant bit */
+			val &= 0x7FFF;
+			if (attribute_format_flag)
+			{
+				val |= 0x8000;
+			}
+			val = htons(val);
+			DBG3(DBG_ENC, "   => %d", val);
+			/* write bytes to buffer (set bit is overwritten) */
+			write_bytes_to_buffer(this, &val, sizeof(u_int16_t));
+			this->current_bit = 0;
+			break;
+
+		}
+		case U_INT_16:
+		case CONFIGURATION_ATTRIBUTE_LENGTH:
+		{
+			u_int16_t val = htons(*((u_int16_t*)(this->data_struct + offset)));
+			DBG3(DBG_ENC, "   => %b", &val, sizeof(u_int16_t));
+			write_bytes_to_buffer(this, &val, sizeof(u_int16_t));
+			break;
+		}
+		case U_INT_32:
+		{
+			u_int32_t val = htonl(*((u_int32_t*)(this->data_struct + offset)));
+			DBG3(DBG_ENC, "   => %b", &val, sizeof(u_int32_t));
+			write_bytes_to_buffer(this, &val, sizeof(u_int32_t));
+			break;
+		}
+		case IKE_SPI:
+		{
+			/* 64 bit are written as-is, no host order conversion */
+			write_bytes_to_buffer(this, this->data_struct + offset,
+								  sizeof(u_int64_t));
+			DBG3(DBG_ENC, "   => %b", this->data_struct + offset,
+				 sizeof(u_int64_t));
+			break;
+		}
+		default:
+		{
+			DBG1(DBG_ENC, "U_INT Type %N is not supported",
+				 encoding_type_names, int_type);
+			return;
+		}
+	}
+}
+
+/**
+ * Generate a reserved bit or byte
+ */
+static void generate_reserved_field(private_generator_t *this, int bits)
+{
+	/* only one bit or 8 bit fields are supported */
+	if (bits != 1 && bits != 8)
+	{
+		DBG1(DBG_ENC, "reserved field of %d bits cannot be generated", bits);
+		return ;
+	}
+	make_space_available(this, bits);
+
+	if (bits == 1)
+	{
+		u_int8_t reserved_bit = ~(1 << (7 - this->current_bit));
+
+		*(this->out_position) = *(this->out_position) & reserved_bit;
+		if (this->current_bit == 0)
+		{
+			/* memory must be zero */
+			*(this->out_position) = 0x00;
+		}
+		this->current_bit++;
+		if (this->current_bit >= 8)
+		{
+			this->current_bit = this->current_bit % 8;
+			this->out_position++;
+		}
+	}
+	else
+	{
+		if (this->current_bit > 0)
+		{
+			DBG1(DBG_ENC, "reserved field cannot be written cause "
+				 "alignement of current bit is %d", this->current_bit);
+			return;
+		}
+		*(this->out_position) = 0x00;
+		this->out_position++;
+	}
+}
+
+/**
+ * Generate a FLAG filed
+ */
+static void generate_flag(private_generator_t *this, u_int32_t offset)
+{
+	u_int8_t flag_value;
+	u_int8_t flag;
+
+	flag_value = (*((bool *) (this->data_struct + offset))) ? 1 : 0;
+	/* get flag position */
+	flag = (flag_value << (7 - this->current_bit));
+
+	/* make sure one bit is available in buffer */
+	make_space_available(this, 1);
+	if (this->current_bit == 0)
+	{
+		/* memory must be zero */
+		*(this->out_position) = 0x00;
+	}
+
+	*(this->out_position) = *(this->out_position) | flag;
+	DBG3(DBG_ENC, "   => %d", *this->out_position);
+
+	this->current_bit++;
+	if (this->current_bit >= 8)
+	{
+		this->current_bit = this->current_bit % 8;
+		this->out_position++;
+	}
+}
+
+/**
+ * Generates a bytestream from a chunk_t.
+ */
+static void generate_from_chunk(private_generator_t *this, u_int32_t offset)
+{
+	chunk_t *value;
+
+	if (this->current_bit != 0)
+	{
+		DBG1(DBG_ENC, "can not generate a chunk at Bitpos %d", this->current_bit);
+		return ;
+	}
+
+	value = (chunk_t *)(this->data_struct + offset);
+	DBG3(DBG_ENC, "   => %B", value);
+
+	write_bytes_to_buffer(this, value->ptr, value->len);
+}
+
+/**
+ * Implementation of private_generator_t.write_to_chunk.
+ */
+static void write_to_chunk(private_generator_t *this,chunk_t *data)
+{
+	int data_length = get_length(this);
+	u_int32_t header_length_field = data_length;
+
+	/* write length into header length field */
+	if (this->header_length_position_offset > 0)
+	{
+		u_int32_t val = htonl(header_length_field);
+		write_bytes_to_buffer_at_offset(this, &val, sizeof(u_int32_t),
+										this->header_length_position_offset);
+	}
+
+	if (this->current_bit > 0)
+	{
+		data_length++;
+	}
+	*data = chunk_alloc(data_length);
+	memcpy(data->ptr, this->buffer, data_length);
+
+	DBG3(DBG_ENC, "generated data of this generator %B", data);
+}
+
+/**
+ * Implementation of private_generator_t.generate_payload.
+ */
+static void generate_payload (private_generator_t *this,payload_t *payload)
+{
+	int i, offset_start;
+	size_t rule_count;
+	encoding_rule_t *rules;
+	payload_type_t payload_type;
+
+	this->data_struct = payload;
+	payload_type = payload->get_type(payload);
+	/* spi size has to get reseted */
+	this->last_spi_size = 0;
+
+	offset_start = this->out_position - this->buffer;
+
+	DBG2(DBG_ENC, "generating payload of type %N",
+		 payload_type_names, payload_type);
+
+	/* each payload has its own encoding rules */
+	payload->get_encoding_rules(payload, &rules, &rule_count);
+
+	for (i = 0; i < rule_count;i++)
+	{
+		DBG2(DBG_ENC, "  generating rule %d %N",
+			 i, encoding_type_names, rules[i].type);
+		switch (rules[i].type)
+		{
+			case U_INT_4:
+			case U_INT_8:
+			case U_INT_16:
+			case U_INT_32:
+			case IKE_SPI:
+			case TS_TYPE:
+			case ATTRIBUTE_TYPE:
+			case CONFIGURATION_ATTRIBUTE_LENGTH:
+			{
+				generate_u_int_type(this, rules[i].type, rules[i].offset);
+				break;
+			}
+			case RESERVED_BIT:
+			{
+				generate_reserved_field(this, 1);
+				break;
+			}
+			case RESERVED_BYTE:
+			{
+				generate_reserved_field(this, 8);
+				break;
+			}
+			case FLAG:
+			{
+				generate_flag(this, rules[i].offset);
+				break;
+			}
+			case PAYLOAD_LENGTH:
+			{
+				this->last_payload_length_position_offset = get_offset(this);
+				generate_u_int_type(this, U_INT_16,rules[i].offset);
+				break;
+			}
+			case HEADER_LENGTH:
+			{
+				this->header_length_position_offset = get_offset(this);
+				generate_u_int_type(this ,U_INT_32, rules[i].offset);
+				break;
+			}
+			case SPI_SIZE:
+				generate_u_int_type(this, U_INT_8, rules[i].offset);
+				this->last_spi_size = *((u_int8_t *)(this->data_struct +
+													 rules[i].offset));
+				break;
+			case ADDRESS:
+			{
+				generate_from_chunk(this, rules[i].offset);
+				break;
+			}
+			case SPI:
+			{
+				generate_from_chunk(this, rules[i].offset);
+				break;
+			}
+			case KEY_EXCHANGE_DATA:
+			case NOTIFICATION_DATA:
+			case NONCE_DATA:
+			case ID_DATA:
+			case AUTH_DATA:
+			case CERT_DATA:
+			case CERTREQ_DATA:
+			case SPIS:
+			case CONFIGURATION_ATTRIBUTE_VALUE:
+			case VID_DATA:
+			case EAP_DATA:
+			{
+				u_int32_t payload_length_position_offset;
+				u_int16_t length_of_payload;
+				u_int16_t header_length = 0;
+				u_int16_t length_in_network_order;
+
+				switch(rules[i].type)
+				{
+					case KEY_EXCHANGE_DATA:
+						header_length = KE_PAYLOAD_HEADER_LENGTH;
+						break;
+					case NOTIFICATION_DATA:
+						header_length = NOTIFY_PAYLOAD_HEADER_LENGTH +
+														this->last_spi_size;
+						break;
+					case NONCE_DATA:
+						header_length = NONCE_PAYLOAD_HEADER_LENGTH;
+						break;
+					case ID_DATA:
+						header_length = ID_PAYLOAD_HEADER_LENGTH;
+						break;
+					case AUTH_DATA:
+						header_length = AUTH_PAYLOAD_HEADER_LENGTH;
+						break;
+					case CERT_DATA:
+						header_length = CERT_PAYLOAD_HEADER_LENGTH;
+						break;
+					case CERTREQ_DATA:
+						header_length = CERTREQ_PAYLOAD_HEADER_LENGTH;
+						break;
+					case SPIS:
+						header_length = DELETE_PAYLOAD_HEADER_LENGTH;
+						break;
+					case VID_DATA:
+						header_length = VENDOR_ID_PAYLOAD_HEADER_LENGTH;
+						break;
+					case CONFIGURATION_ATTRIBUTE_VALUE:
+						header_length = CONFIGURATION_ATTRIBUTE_HEADER_LENGTH;
+						break;
+					case EAP_DATA:
+						header_length = EAP_PAYLOAD_HEADER_LENGTH;
+						break;
+					default:
+						break;
+				}
+				generate_from_chunk(this, rules[i].offset);
+
+				payload_length_position_offset =
+									this->last_payload_length_position_offset;
+
+				length_of_payload = header_length +
+						((chunk_t *)(this->data_struct + rules[i].offset))->len;
+
+				length_in_network_order = htons(length_of_payload);
+				write_bytes_to_buffer_at_offset(this, &length_in_network_order,
+							sizeof(u_int16_t), payload_length_position_offset);
+				break;
+			}
+			case PROPOSALS:
+			{
+				u_int32_t payload_length_position_offset =
+									this->last_payload_length_position_offset;
+				/* Length of SA_PAYLOAD is calculated */
+				u_int16_t length_of_sa_payload = SA_PAYLOAD_HEADER_LENGTH;
+				u_int16_t int16_val;
+				linked_list_t *proposals = *((linked_list_t **)
+										(this->data_struct + rules[i].offset));
+				iterator_t *iterator;
+				payload_t *current_proposal;
+
+				iterator = proposals->create_iterator(proposals,TRUE);
+				while (iterator->iterate(iterator, (void**)&current_proposal))
+				{
+					u_int32_t before_generate_position_offset;
+					u_int32_t after_generate_position_offset;
+
+					before_generate_position_offset = get_offset(this);
+					generate_payload(this, current_proposal);
+					after_generate_position_offset = get_offset(this);
+					length_of_sa_payload += (after_generate_position_offset -
+											 before_generate_position_offset);
+				}
+				iterator->destroy(iterator);
+
+				int16_val = htons(length_of_sa_payload);
+				write_bytes_to_buffer_at_offset(this, &int16_val,
+							sizeof(u_int16_t),payload_length_position_offset);
+				break;
+			}
+			case TRANSFORMS:
+			{
+				u_int32_t payload_length_position_offset =
+									this->last_payload_length_position_offset;
+				u_int16_t length_of_proposal =
+					PROPOSAL_SUBSTRUCTURE_HEADER_LENGTH + this->last_spi_size;
+				u_int16_t int16_val;
+				linked_list_t *transforms = *((linked_list_t **)
+										(this->data_struct + rules[i].offset));
+				iterator_t *iterator;
+				payload_t *current_transform;
+
+				iterator = transforms->create_iterator(transforms,TRUE);
+				while (iterator->iterate(iterator, (void**)&current_transform))
+				{
+					u_int32_t before_generate_position_offset;
+					u_int32_t after_generate_position_offset;
+
+					before_generate_position_offset = get_offset(this);
+					generate_payload(this, current_transform);
+					after_generate_position_offset = get_offset(this);
+
+					length_of_proposal += (after_generate_position_offset -
+										   before_generate_position_offset);
+				}
+				iterator->destroy(iterator);
+
+				int16_val = htons(length_of_proposal);
+				write_bytes_to_buffer_at_offset(this, &int16_val,
+							sizeof(u_int16_t), payload_length_position_offset);
+				break;
+			}
+			case TRANSFORM_ATTRIBUTES:
+			{
+				u_int32_t transform_length_position_offset =
+									this->last_payload_length_position_offset;
+				u_int16_t length_of_transform =
+									TRANSFORM_SUBSTRUCTURE_HEADER_LENGTH;
+				u_int16_t int16_val;
+				linked_list_t *transform_attributes =*((linked_list_t **)
+									(this->data_struct + rules[i].offset));
+				iterator_t *iterator;
+				payload_t *current_attribute;
+
+				iterator = transform_attributes->create_iterator(
+													transform_attributes, TRUE);
+				while (iterator->iterate(iterator, (void**)&current_attribute))
+				{
+					u_int32_t before_generate_position_offset;
+					u_int32_t after_generate_position_offset;
+
+					before_generate_position_offset = get_offset(this);
+					generate_payload(this, current_attribute);
+					after_generate_position_offset = get_offset(this);
+
+					length_of_transform += (after_generate_position_offset -
+											before_generate_position_offset);
+				}
+
+				iterator->destroy(iterator);
+
+				int16_val = htons(length_of_transform);
+				write_bytes_to_buffer_at_offset(this, &int16_val,
+							sizeof(u_int16_t),transform_length_position_offset);
+				break;
+			}
+			case CONFIGURATION_ATTRIBUTES:
+			{
+				u_int32_t configurations_length_position_offset =
+									this->last_payload_length_position_offset;
+				u_int16_t length_of_configurations = CP_PAYLOAD_HEADER_LENGTH;
+				u_int16_t int16_val;
+				linked_list_t *configuration_attributes = *((linked_list_t **)
+										(this->data_struct + rules[i].offset));
+				iterator_t *iterator;
+				payload_t *current_attribute;
+
+				iterator = configuration_attributes->create_iterator(
+												configuration_attributes,TRUE);
+				while (iterator->iterate(iterator, (void**)&current_attribute))
+				{
+					u_int32_t before_generate_position_offset;
+					u_int32_t after_generate_position_offset;
+
+					before_generate_position_offset = get_offset(this);
+					generate_payload(this, current_attribute);
+					after_generate_position_offset = get_offset(this);
+
+					length_of_configurations += after_generate_position_offset -
+											before_generate_position_offset;
+				}
+
+				iterator->destroy(iterator);
+
+				int16_val = htons(length_of_configurations);
+				write_bytes_to_buffer_at_offset(this, &int16_val,
+					 sizeof(u_int16_t),configurations_length_position_offset);
+				break;
+			}
+			case ATTRIBUTE_FORMAT:
+			{
+				generate_flag(this, rules[i].offset);
+				/* Attribute format is a flag which is stored in context*/
+				this->attribute_format =
+							*((bool *)(this->data_struct + rules[i].offset));
+				break;
+			}
+
+			case ATTRIBUTE_LENGTH_OR_VALUE:
+			{
+				if (this->attribute_format == FALSE)
+				{
+					generate_u_int_type(this, U_INT_16, rules[i].offset);
+					/* this field hold the length of the attribute */
+					this->attribute_length =
+						*((u_int16_t *)(this->data_struct + rules[i].offset));
+				}
+				else
+				{
+					generate_u_int_type(this, U_INT_16, rules[i].offset);
+				}
+				break;
+			}
+			case ATTRIBUTE_VALUE:
+			{
+				if (this->attribute_format == FALSE)
+				{
+					DBG2(DBG_ENC, "attribute value has not fixed size");
+					/* the attribute value is generated */
+					generate_from_chunk(this, rules[i].offset);
+				}
+				break;
+			}
+			case TRAFFIC_SELECTORS:
+			{
+				u_int32_t payload_length_position_offset =
+									this->last_payload_length_position_offset;
+				u_int16_t length_of_ts_payload = TS_PAYLOAD_HEADER_LENGTH;
+				u_int16_t int16_val;
+				linked_list_t *traffic_selectors = *((linked_list_t **)
+										(this->data_struct + rules[i].offset));
+				iterator_t *iterator;
+				payload_t *current_tss;
+
+				iterator = traffic_selectors->create_iterator(
+													traffic_selectors,TRUE);
+				while (iterator->iterate(iterator, (void **)&current_tss))
+				{
+					u_int32_t before_generate_position_offset;
+					u_int32_t after_generate_position_offset;
+
+					before_generate_position_offset = get_offset(this);
+					generate_payload(this, current_tss);
+					after_generate_position_offset = get_offset(this);
+
+					length_of_ts_payload += (after_generate_position_offset -
+											 before_generate_position_offset);
+				}
+				iterator->destroy(iterator);
+
+				int16_val = htons(length_of_ts_payload);
+				write_bytes_to_buffer_at_offset(this, &int16_val,
+							sizeof(u_int16_t),payload_length_position_offset);
+				break;
+			}
+
+			case ENCRYPTED_DATA:
+			{
+				generate_from_chunk(this, rules[i].offset);
+				break;
+			}
+			default:
+				DBG1(DBG_ENC, "field type %N is not supported",
+					 encoding_type_names, rules[i].type);
+				return;
+		}
+	}
+	DBG2(DBG_ENC, "generating %N payload finished",
+		 payload_type_names, payload_type);
+	DBG3(DBG_ENC, "generated data for this payload %b",
+		 this->buffer + offset_start,
+		 this->out_position - this->buffer - offset_start);
+}
+
+/**
+ * Implementation of generator_t.destroy.
+ */
+static status_t destroy(private_generator_t *this)
+{
+	free(this->buffer);
+	free(this);
+	return SUCCESS;
+}
+
+/*
+ * Described in header
+ */
+generator_t *generator_create()
+{
+	private_generator_t *this;
+
+	this = malloc_thing(private_generator_t);
+
+	/* initiate public functions */
+	this->public.generate_payload = (void(*)(generator_t*, payload_t *))generate_payload;
+	this->public.destroy = (void(*)(generator_t*)) destroy;
+	this->public.write_to_chunk = (void (*) (generator_t *,chunk_t *))write_to_chunk;
+
+	/* allocate memory for buffer */
+	this->buffer = malloc(GENERATOR_DATA_BUFFER_SIZE);
+
+	/* initiate private variables */
+	this->out_position = this->buffer;
+	this->roof_position = this->buffer + GENERATOR_DATA_BUFFER_SIZE;
+	this->data_struct = NULL;
+	this->current_bit = 0;
+	this->last_payload_length_position_offset = 0;
+	this->header_length_position_offset = 0;
+	this->attribute_format = FALSE;
+	this->attribute_length = 0;
+
+	return &(this->public);
+}
+
diff --git a/src/libcharon/encoding/generator.h b/src/libcharon/encoding/generator.h
new file mode 100644
index 000000000..2221c84af
--- /dev/null
+++ b/src/libcharon/encoding/generator.h
@@ -0,0 +1,85 @@
+/*
+ * Copyright (C) 2005-2009 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup generator generator
+ * @{ @ingroup encoding
+ */
+
+#ifndef GENERATOR_H_
+#define GENERATOR_H_
+
+typedef struct generator_t generator_t;
+
+#include <library.h>
+#include <encoding/payloads/encodings.h>
+#include <encoding/payloads/payload.h>
+
+/**
+ * Generating is done in a data buffer.
+ * This is the start size of this buffer in bytes.
+ */
+#define GENERATOR_DATA_BUFFER_SIZE 500
+
+/**
+ * Number of bytes to increase the buffer, if it is too small.
+ */
+#define GENERATOR_DATA_BUFFER_INCREASE_VALUE 500
+
+
+/**
+ * A generator_t class used to generate IKEv2 payloads.
+ *
+ * After creation, multiple payloads can be generated with the generate_payload
+ * method. The generated bytes are appended. After all payloads are added,
+ * the write_to_chunk method writes out all generated data since
+ * the creation of the generator. After that, the generator must be destroyed.
+ * The generater uses a set of encoding rules, which it can get from
+ * the supplied payload. With this rules, the generater can generate
+ * the payload and all substructures automatically.
+ */
+struct generator_t {
+
+	/**
+	 * Generates a specific payload from given payload object.
+	 *
+	 * Remember: Header and substructures are also handled as payloads.
+	 *
+	 * @param payload 		interface payload_t implementing object
+	 */
+	void (*generate_payload) (generator_t *this,payload_t *payload);
+
+	/**
+	 * Writes all generated data of the generator to a chunk.
+	 *
+	 * @param data 		chunk to write the data to
+	 */
+	void (*write_to_chunk) (generator_t *this,chunk_t *data);
+
+	/**
+	 * Destroys a generator_t object.
+	 */
+	void (*destroy) (generator_t *this);
+};
+
+/**
+ * Constructor to create a generator.
+ *
+ * @return generator_t object.
+ */
+generator_t *generator_create(void);
+
+#endif /** GENERATOR_H_ @}*/
diff --git a/src/libcharon/encoding/message.c b/src/libcharon/encoding/message.c
new file mode 100644
index 000000000..acfc0fd44
--- /dev/null
+++ b/src/libcharon/encoding/message.c
@@ -0,0 +1,1723 @@
+/*
+ * Copyright (C) 2006-2007 Tobias Brunner
+ * Copyright (C) 2005-2009 Martin Willi
+ * Copyright (C) 2006 Daniel Roethlisberger
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <stdlib.h>
+#include <string.h>
+
+#include "message.h"
+
+#include <library.h>
+#include <daemon.h>
+#include <sa/ike_sa_id.h>
+#include <encoding/generator.h>
+#include <encoding/parser.h>
+#include <utils/linked_list.h>
+#include <encoding/payloads/encodings.h>
+#include <encoding/payloads/payload.h>
+#include <encoding/payloads/encryption_payload.h>
+#include <encoding/payloads/unknown_payload.h>
+
+/**
+ * Max number of notify payloads per IKEv2 Message
+ */
+#define MAX_NOTIFY_PAYLOADS 20
+
+/**
+ * Max number of delete payloads per IKEv2 Message
+ */
+#define MAX_DELETE_PAYLOADS 20
+
+
+typedef struct payload_rule_t payload_rule_t;
+
+/**
+ * A payload rule defines the rules for a payload
+ * in a specific message rule. It defines if and how
+ * many times a payload must/can occur in a message
+ * and if it must be encrypted.
+ */
+struct payload_rule_t {
+	/**
+	 * Payload type.
+	 */
+	 payload_type_t payload_type;
+
+	 /**
+	  * Minimal occurence of this payload.
+	  */
+	 size_t min_occurence;
+
+	 /**
+	  * Max occurence of this payload.
+	  */
+	 size_t max_occurence;
+
+	 /**
+	  * TRUE if payload must be encrypted
+	  */
+	 bool encrypted;
+
+	 /**
+	  * If this payload occurs, the message rule is
+	  * fullfilled in any case. This applies e.g. to
+	  * notify_payloads.
+	  */
+	 bool sufficient;
+};
+
+typedef struct payload_order_t payload_order_t;
+
+/**
+ * payload ordering structure allows us to reorder payloads according to RFC.
+ */
+struct payload_order_t {
+
+	/**
+	 * payload type
+	 */
+	payload_type_t type;
+
+	/**
+	 * notify type, if payload == NOTIFY
+	 */
+	notify_type_t notify;
+};
+
+
+typedef struct message_rule_t message_rule_t;
+
+/**
+ * A message rule defines the kind of a message,
+ * if it has encrypted contents and a list
+ * of payload ordering rules and payload parsing rules.
+ */
+struct message_rule_t {
+	/**
+	 * Type of message.
+	 */
+	exchange_type_t exchange_type;
+
+	/**
+	 * Is message a request or response.
+	 */
+	bool is_request;
+
+	/**
+	 * Message contains encrypted content.
+	 */
+	bool encrypted_content;
+
+	/**
+	 * Number of payload rules which will follow
+	 */
+	int payload_rule_count;
+
+	/**
+	 * Pointer to first payload rule
+	 */
+	payload_rule_t *payload_rules;
+
+	/**
+	 * Number of payload order rules
+	 */
+	int payload_order_count;
+
+	/**
+	 * payload ordering rules
+	 */
+	payload_order_t *payload_order;
+};
+
+/**
+ * Message rule for IKE_SA_INIT from initiator.
+ */
+static payload_rule_t ike_sa_init_i_payload_rules[] = {
+/*	payload type					min	max						encr	suff */
+	{NOTIFY,						0,	MAX_NOTIFY_PAYLOADS,	FALSE,	FALSE},
+	{SECURITY_ASSOCIATION,			1,	1,						FALSE,	FALSE},
+	{KEY_EXCHANGE,					1,	1,						FALSE,	FALSE},
+	{NONCE,							1,	1,						FALSE,	FALSE},
+	{VENDOR_ID,						0,	10,						FALSE,	FALSE},
+};
+
+/**
+ * payload order for IKE_SA_INIT initiator
+ */
+static payload_order_t ike_sa_init_i_payload_order[] = {
+/*	payload type					notify type */
+	{NOTIFY,						COOKIE},
+	{SECURITY_ASSOCIATION,			0},
+	{KEY_EXCHANGE,					0},
+	{NONCE,							0},
+	{NOTIFY,						NAT_DETECTION_SOURCE_IP},
+	{NOTIFY,						NAT_DETECTION_DESTINATION_IP},
+	{NOTIFY,						0},
+	{VENDOR_ID,						0},
+};
+
+/**
+ * Message rule for IKE_SA_INIT from responder.
+ */
+static payload_rule_t ike_sa_init_r_payload_rules[] = {
+/*	payload type					min	max						encr	suff */
+	{NOTIFY,						0,	MAX_NOTIFY_PAYLOADS,	FALSE,	TRUE},
+	{SECURITY_ASSOCIATION,			1,	1,						FALSE,	FALSE},
+	{KEY_EXCHANGE,					1,	1,						FALSE,	FALSE},
+	{NONCE,							1,	1,						FALSE,	FALSE},
+	{VENDOR_ID,						0,	10,						FALSE,	FALSE},
+};
+
+/**
+ * payload order for IKE_SA_INIT responder
+ */
+static payload_order_t ike_sa_init_r_payload_order[] = {
+/*	payload type					notify type */
+	{SECURITY_ASSOCIATION,			0},
+	{KEY_EXCHANGE,					0},
+	{NONCE,							0},
+	{NOTIFY,						NAT_DETECTION_SOURCE_IP},
+	{NOTIFY,						NAT_DETECTION_DESTINATION_IP},
+	{NOTIFY,						HTTP_CERT_LOOKUP_SUPPORTED},
+	{CERTIFICATE_REQUEST,			0},
+	{NOTIFY,						0},
+	{VENDOR_ID,						0},
+};
+
+/**
+ * Message rule for IKE_AUTH from initiator.
+ */
+static payload_rule_t ike_auth_i_payload_rules[] = {
+/*	payload type					min	max						encr	suff */
+	{NOTIFY,						0,	MAX_NOTIFY_PAYLOADS,	TRUE,	FALSE},
+	{EXTENSIBLE_AUTHENTICATION,		0,	1,						TRUE,	TRUE},
+	{AUTHENTICATION,				0,	1,						TRUE,	TRUE},
+	{ID_INITIATOR,					0,	1,						TRUE,	FALSE},
+	{CERTIFICATE,					0,	4,						TRUE,	FALSE},
+	{CERTIFICATE_REQUEST,			0,	1,						TRUE,	FALSE},
+	{ID_RESPONDER,					0,	1,						TRUE,	FALSE},
+#ifdef ME
+	{SECURITY_ASSOCIATION,			0,	1,						TRUE,	FALSE},
+	{TRAFFIC_SELECTOR_INITIATOR,	0,	1,						TRUE,	FALSE},
+	{TRAFFIC_SELECTOR_RESPONDER,	0,	1,						TRUE,	FALSE},
+#else
+	{SECURITY_ASSOCIATION,			0,	1,						TRUE,	FALSE},
+	{TRAFFIC_SELECTOR_INITIATOR,	0,	1,						TRUE,	FALSE},
+	{TRAFFIC_SELECTOR_RESPONDER,	0,	1,						TRUE,	FALSE},
+#endif /* ME */
+	{CONFIGURATION,					0,	1,						TRUE,	FALSE},
+	{VENDOR_ID,						0,	10,						TRUE,	FALSE},
+};
+
+/**
+ * payload order for IKE_AUTH initiator
+ */
+static payload_order_t ike_auth_i_payload_order[] = {
+/*	payload type					notify type */
+	{ID_INITIATOR,					0},
+	{CERTIFICATE,					0},
+	{NOTIFY,						INITIAL_CONTACT},
+	{NOTIFY,						HTTP_CERT_LOOKUP_SUPPORTED},
+	{CERTIFICATE_REQUEST,			0},
+	{ID_RESPONDER,					0},
+	{AUTHENTICATION,				0},
+	{EXTENSIBLE_AUTHENTICATION,		0},
+	{CONFIGURATION,					0},
+	{NOTIFY,						IPCOMP_SUPPORTED},
+	{NOTIFY,						USE_TRANSPORT_MODE},
+	{NOTIFY,						ESP_TFC_PADDING_NOT_SUPPORTED},
+	{NOTIFY,						NON_FIRST_FRAGMENTS_ALSO},
+	{SECURITY_ASSOCIATION,			0},
+	{TRAFFIC_SELECTOR_INITIATOR,	0},
+	{TRAFFIC_SELECTOR_RESPONDER,	0},
+	{NOTIFY,						MOBIKE_SUPPORTED},
+	{NOTIFY,						ADDITIONAL_IP4_ADDRESS},
+	{NOTIFY,						ADDITIONAL_IP6_ADDRESS},
+	{NOTIFY,						NO_ADDITIONAL_ADDRESSES},
+	{NOTIFY,						0},
+	{VENDOR_ID,						0},
+};
+
+/**
+ * Message rule for IKE_AUTH from responder.
+ */
+static payload_rule_t ike_auth_r_payload_rules[] = {
+/*	payload type					min	max						encr	suff */
+	{NOTIFY,						0,	MAX_NOTIFY_PAYLOADS,	TRUE,	TRUE},
+	{EXTENSIBLE_AUTHENTICATION,		0,	1,						TRUE,	TRUE},
+	{AUTHENTICATION,				0,	1,						TRUE,	TRUE},
+	{CERTIFICATE,					0,	4,						TRUE,	FALSE},
+	{ID_RESPONDER,					0,	1,						TRUE,	FALSE},
+	{SECURITY_ASSOCIATION,			0,	1,						TRUE,	FALSE},
+	{TRAFFIC_SELECTOR_INITIATOR,	0,	1,						TRUE,	FALSE},
+	{TRAFFIC_SELECTOR_RESPONDER,	0,	1,						TRUE,	FALSE},
+	{CONFIGURATION,					0,	1,						TRUE,	FALSE},
+	{VENDOR_ID,						0,	10,						TRUE,	FALSE},
+};
+
+/**
+ * payload order for IKE_AUTH responder
+ */
+static payload_order_t ike_auth_r_payload_order[] = {
+/*	payload type					notify type */
+	{ID_RESPONDER,					0},
+	{CERTIFICATE,					0},
+	{AUTHENTICATION,				0},
+	{EXTENSIBLE_AUTHENTICATION,		0},
+	{CONFIGURATION,					0},
+	{NOTIFY,						IPCOMP_SUPPORTED},
+	{NOTIFY,						USE_TRANSPORT_MODE},
+	{NOTIFY,						ESP_TFC_PADDING_NOT_SUPPORTED},
+	{NOTIFY,						NON_FIRST_FRAGMENTS_ALSO},
+	{SECURITY_ASSOCIATION,			0},
+	{TRAFFIC_SELECTOR_INITIATOR,	0},
+	{TRAFFIC_SELECTOR_RESPONDER,	0},
+	{NOTIFY,						AUTH_LIFETIME},
+	{NOTIFY,						MOBIKE_SUPPORTED},
+	{NOTIFY,						ADDITIONAL_IP4_ADDRESS},
+	{NOTIFY,						ADDITIONAL_IP6_ADDRESS},
+	{NOTIFY,						NO_ADDITIONAL_ADDRESSES},
+	{NOTIFY,						0},
+	{VENDOR_ID,						0},
+};
+
+/**
+ * Message rule for INFORMATIONAL from initiator.
+ */
+static payload_rule_t informational_i_payload_rules[] = {
+/*	payload type					min	max						encr	suff */
+	{NOTIFY,						0,	MAX_NOTIFY_PAYLOADS,	TRUE,	FALSE},
+	{CONFIGURATION,					0,	1,						TRUE,	FALSE},
+	{DELETE,						0,	MAX_DELETE_PAYLOADS,	TRUE,	FALSE},
+	{VENDOR_ID,						0,	10,						TRUE,	FALSE},
+};
+
+/**
+ * payload order for INFORMATIONAL initiator
+ */
+static payload_order_t informational_i_payload_order[] = {
+/*	payload type					notify type */
+	{NOTIFY,						UPDATE_SA_ADDRESSES},
+	{NOTIFY,						NAT_DETECTION_SOURCE_IP},
+	{NOTIFY,						NAT_DETECTION_DESTINATION_IP},
+	{NOTIFY,						COOKIE2},
+	{NOTIFY,						0},
+	{DELETE,						0},
+	{CONFIGURATION,					0},
+};
+
+/**
+ * Message rule for INFORMATIONAL from responder.
+ */
+static payload_rule_t informational_r_payload_rules[] = {
+/*	payload type					min	max						encr	suff */
+	{NOTIFY,						0,	MAX_NOTIFY_PAYLOADS,	TRUE,	FALSE},
+	{CONFIGURATION,					0,	1,						TRUE,	FALSE},
+	{DELETE,						0,	MAX_DELETE_PAYLOADS,	TRUE,	FALSE},
+	{VENDOR_ID,						0,	10,						TRUE,	FALSE},
+};
+
+/**
+ * payload order for INFORMATIONAL responder
+ */
+static payload_order_t informational_r_payload_order[] = {
+/*	payload type					notify type */
+	{NOTIFY,						UPDATE_SA_ADDRESSES},
+	{NOTIFY,						NAT_DETECTION_SOURCE_IP},
+	{NOTIFY,						NAT_DETECTION_DESTINATION_IP},
+	{NOTIFY,						COOKIE2},
+	{NOTIFY,						0},
+	{DELETE,						0},
+	{CONFIGURATION,					0},
+};
+
+/**
+ * Message rule for CREATE_CHILD_SA from initiator.
+ */
+static payload_rule_t create_child_sa_i_payload_rules[] = {
+/*	payload type					min	max						encr	suff */
+	{NOTIFY,						0,	MAX_NOTIFY_PAYLOADS,	TRUE,	FALSE},
+	{SECURITY_ASSOCIATION,			1,	1,						TRUE,	FALSE},
+	{NONCE,							1,	1,						TRUE,	FALSE},
+	{KEY_EXCHANGE,					0,	1,						TRUE,	FALSE},
+	{TRAFFIC_SELECTOR_INITIATOR,	0,	1,						TRUE,	FALSE},
+	{TRAFFIC_SELECTOR_RESPONDER,	0,	1,						TRUE,	FALSE},
+	{CONFIGURATION,					0,	1,						TRUE,	FALSE},
+	{VENDOR_ID,						0,	10,						TRUE,	FALSE},
+};
+
+/**
+ * payload order for CREATE_CHILD_SA from initiator.
+ */
+static payload_order_t create_child_sa_i_payload_order[] = {
+/*	payload type					notify type */
+	{NOTIFY,						REKEY_SA},
+	{NOTIFY,						IPCOMP_SUPPORTED},
+	{NOTIFY,						USE_TRANSPORT_MODE},
+	{NOTIFY,						ESP_TFC_PADDING_NOT_SUPPORTED},
+	{NOTIFY,						NON_FIRST_FRAGMENTS_ALSO},
+	{SECURITY_ASSOCIATION,			0},
+	{NONCE,							0},
+	{KEY_EXCHANGE,					0},
+	{TRAFFIC_SELECTOR_INITIATOR,	0},
+	{TRAFFIC_SELECTOR_RESPONDER,	0},
+	{NOTIFY,						0},
+};
+
+/**
+ * Message rule for CREATE_CHILD_SA from responder.
+ */
+static payload_rule_t create_child_sa_r_payload_rules[] = {
+/*	payload type					min	max						encr	suff */
+	{NOTIFY,						0,	MAX_NOTIFY_PAYLOADS,	TRUE,	TRUE},
+	{SECURITY_ASSOCIATION,			1,	1,						TRUE,	FALSE},
+	{NONCE,							1,	1,						TRUE,	FALSE},
+	{KEY_EXCHANGE,					0,	1,						TRUE,	FALSE},
+	{TRAFFIC_SELECTOR_INITIATOR,	0,	1,						TRUE,	FALSE},
+	{TRAFFIC_SELECTOR_RESPONDER,	0,	1,						TRUE,	FALSE},
+	{CONFIGURATION,					0,	1,						TRUE,	FALSE},
+	{VENDOR_ID,						0,	10,						TRUE,	FALSE},
+};
+
+/**
+ * payload order for CREATE_CHILD_SA from responder.
+ */
+static payload_order_t create_child_sa_r_payload_order[] = {
+/*	payload type					notify type */
+	{NOTIFY,						IPCOMP_SUPPORTED},
+	{NOTIFY,						USE_TRANSPORT_MODE},
+	{NOTIFY,						ESP_TFC_PADDING_NOT_SUPPORTED},
+	{NOTIFY,						NON_FIRST_FRAGMENTS_ALSO},
+	{SECURITY_ASSOCIATION,			0},
+	{NONCE,							0},
+	{KEY_EXCHANGE,					0},
+	{TRAFFIC_SELECTOR_INITIATOR,	0},
+	{TRAFFIC_SELECTOR_RESPONDER,	0},
+	{NOTIFY,						ADDITIONAL_TS_POSSIBLE},
+	{NOTIFY,						0},
+};
+
+#ifdef ME
+/**
+ * Message rule for ME_CONNECT from initiator.
+ */
+static payload_rule_t me_connect_i_payload_rules[] = {
+/*	payload type					min	max						encr	suff */
+	{NOTIFY,						0,	MAX_NOTIFY_PAYLOADS,	TRUE,	TRUE},
+	{ID_PEER,						1,	1,						TRUE,	FALSE},
+	{VENDOR_ID,						0,	10,						TRUE,	FALSE}
+};
+
+/**
+ * payload order for ME_CONNECT from initiator.
+ */
+static payload_order_t me_connect_i_payload_order[] = {
+/*	payload type					notify type */
+	{NOTIFY,						0},
+	{ID_PEER,						0},
+	{VENDOR_ID,						0},
+};
+
+/**
+ * Message rule for ME_CONNECT from responder.
+ */
+static payload_rule_t me_connect_r_payload_rules[] = {
+/*	payload type					min	max						encr	suff */
+	{NOTIFY,						0,	MAX_NOTIFY_PAYLOADS,	TRUE,	TRUE},
+	{VENDOR_ID,						0,	10,						TRUE,	FALSE}
+};
+
+/**
+ * payload order for ME_CONNECT from responder.
+ */
+static payload_order_t me_connect_r_payload_order[] = {
+/*	payload type					notify type */
+	{NOTIFY,						0},
+	{VENDOR_ID,						0},
+};
+#endif /* ME */
+
+/**
+ * Message rules, defines allowed payloads.
+ */
+static message_rule_t message_rules[] = {
+	{IKE_SA_INIT,		TRUE,	FALSE,
+		(sizeof(ike_sa_init_i_payload_rules)/sizeof(payload_rule_t)),
+		ike_sa_init_i_payload_rules,
+		(sizeof(ike_sa_init_i_payload_order)/sizeof(payload_order_t)),
+		ike_sa_init_i_payload_order,
+	},
+	{IKE_SA_INIT,		FALSE,	FALSE,
+		(sizeof(ike_sa_init_r_payload_rules)/sizeof(payload_rule_t)),
+		ike_sa_init_r_payload_rules,
+		(sizeof(ike_sa_init_r_payload_order)/sizeof(payload_order_t)),
+		ike_sa_init_r_payload_order,
+	},
+	{IKE_AUTH,			TRUE,	TRUE,
+		(sizeof(ike_auth_i_payload_rules)/sizeof(payload_rule_t)),
+		ike_auth_i_payload_rules,
+		(sizeof(ike_auth_i_payload_order)/sizeof(payload_order_t)),
+		ike_auth_i_payload_order,
+	},
+	{IKE_AUTH,			FALSE,	TRUE,
+		(sizeof(ike_auth_r_payload_rules)/sizeof(payload_rule_t)),
+		ike_auth_r_payload_rules,
+		(sizeof(ike_auth_r_payload_order)/sizeof(payload_order_t)),
+		ike_auth_r_payload_order,
+	},
+	{INFORMATIONAL,		TRUE,	TRUE,
+		(sizeof(informational_i_payload_rules)/sizeof(payload_rule_t)),
+		informational_i_payload_rules,
+		(sizeof(informational_i_payload_order)/sizeof(payload_order_t)),
+		informational_i_payload_order,
+	},
+	{INFORMATIONAL,		FALSE,	TRUE,
+		(sizeof(informational_r_payload_rules)/sizeof(payload_rule_t)),
+		informational_r_payload_rules,
+		(sizeof(informational_r_payload_order)/sizeof(payload_order_t)),
+		informational_r_payload_order,
+	},
+	{CREATE_CHILD_SA,	TRUE,	TRUE,
+		(sizeof(create_child_sa_i_payload_rules)/sizeof(payload_rule_t)),
+		create_child_sa_i_payload_rules,
+		(sizeof(create_child_sa_i_payload_order)/sizeof(payload_order_t)),
+		create_child_sa_i_payload_order,
+	},
+	{CREATE_CHILD_SA,	FALSE,	TRUE,
+		(sizeof(create_child_sa_r_payload_rules)/sizeof(payload_rule_t)),
+		create_child_sa_r_payload_rules,
+		(sizeof(create_child_sa_r_payload_order)/sizeof(payload_order_t)),
+		create_child_sa_r_payload_order,
+	},
+#ifdef ME
+	{ME_CONNECT,		TRUE,	TRUE,
+		(sizeof(me_connect_i_payload_rules)/sizeof(payload_rule_t)),
+		me_connect_i_payload_rules,
+		(sizeof(me_connect_i_payload_order)/sizeof(payload_order_t)),
+		me_connect_i_payload_order,
+	},
+	{ME_CONNECT,		FALSE,	TRUE,
+		(sizeof(me_connect_r_payload_rules)/sizeof(payload_rule_t)),
+		me_connect_r_payload_rules,
+		(sizeof(me_connect_r_payload_order)/sizeof(payload_order_t)),
+		me_connect_r_payload_order,
+	},
+#endif /* ME */
+};
+
+
+typedef struct private_message_t private_message_t;
+
+/**
+ * Private data of an message_t object.
+ */
+struct private_message_t {
+
+	/**
+	 * Public part of a message_t object.
+	 */
+	message_t public;
+
+	/**
+	 * Minor version of message.
+	 */
+	u_int8_t major_version;
+
+	/**
+	 * Major version of message.
+	 */
+	u_int8_t minor_version;
+
+	/**
+	 * First Payload in message.
+	 */
+	payload_type_t first_payload;
+
+	/**
+	 * Assigned exchange type.
+	 */
+	exchange_type_t exchange_type;
+
+	/**
+	 * TRUE if message is a request, FALSE if a reply.
+	 */
+	bool is_request;
+
+	/**
+	 * Message ID of this message.
+	 */
+	u_int32_t message_id;
+
+	/**
+	 * ID of assigned IKE_SA.
+	 */
+	ike_sa_id_t *ike_sa_id;
+
+	/**
+	 * Assigned UDP packet, stores incoming packet or last generated one.
+	 */
+	packet_t *packet;
+
+	/**
+	 * Linked List where payload data are stored in.
+	 */
+	linked_list_t *payloads;
+
+	 /**
+	  * Assigned parser to parse Header and Body of this message.
+	  */
+	parser_t *parser;
+
+	/**
+	 * The message rule for this message instance
+	 */
+	message_rule_t *message_rule;
+};
+
+/**
+ * Implementation of private_message_t.set_message_rule.
+ */
+static  status_t set_message_rule(private_message_t *this)
+{
+	int i;
+
+	for (i = 0; i < (sizeof(message_rules) / sizeof(message_rule_t)); i++)
+	{
+		if ((this->exchange_type == message_rules[i].exchange_type) &&
+			(this->is_request == message_rules[i].is_request))
+		{
+			/* found rule for given exchange_type*/
+			this->message_rule = &(message_rules[i]);
+			return SUCCESS;
+		}
+	}
+	this->message_rule = NULL;
+	return NOT_FOUND;
+}
+
+/**
+ * Implementation of private_message_t.get_payload_rule.
+ */
+static status_t get_payload_rule(private_message_t *this,
+					payload_type_t payload_type, payload_rule_t **payload_rule)
+{
+	int i;
+
+	for (i = 0; i < this->message_rule->payload_rule_count;i++)
+	{
+		if (this->message_rule->payload_rules[i].payload_type == payload_type)
+		{
+			*payload_rule = &(this->message_rule->payload_rules[i]);
+			return SUCCESS;
+		}
+	}
+
+	*payload_rule = NULL;
+	return NOT_FOUND;
+}
+
+/**
+ * Implementation of message_t.set_ike_sa_id.
+ */
+static void set_ike_sa_id(private_message_t *this,ike_sa_id_t *ike_sa_id)
+{
+	DESTROY_IF(this->ike_sa_id);
+	this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
+}
+
+/**
+ * Implementation of message_t.get_ike_sa_id.
+ */
+static ike_sa_id_t* get_ike_sa_id(private_message_t *this)
+{
+	return this->ike_sa_id;
+}
+
+/**
+ * Implementation of message_t.set_message_id.
+ */
+static void set_message_id(private_message_t *this,u_int32_t message_id)
+{
+	this->message_id = message_id;
+}
+
+/**
+ * Implementation of message_t.get_message_id.
+ */
+static u_int32_t get_message_id(private_message_t *this)
+{
+	return this->message_id;
+}
+
+/**
+ * Implementation of message_t.get_initiator_spi.
+ */
+static u_int64_t get_initiator_spi(private_message_t *this)
+{
+	return (this->ike_sa_id->get_initiator_spi(this->ike_sa_id));
+}
+
+/**
+ * Implementation of message_t.get_responder_spi.
+ */
+static u_int64_t get_responder_spi(private_message_t *this)
+{
+	return (this->ike_sa_id->get_responder_spi(this->ike_sa_id));
+}
+
+/**
+ * Implementation of message_t.set_major_version.
+ */
+static void set_major_version(private_message_t *this,u_int8_t major_version)
+{
+	this->major_version = major_version;
+}
+
+/**
+ * Implementation of message_t.set_major_version.
+ */
+static u_int8_t get_major_version(private_message_t *this)
+{
+	return this->major_version;
+}
+
+/**
+ * Implementation of message_t.set_minor_version.
+ */
+static void set_minor_version(private_message_t *this,u_int8_t minor_version)
+{
+	this->minor_version = minor_version;
+}
+
+/**
+ * Implementation of message_t.get_minor_version.
+ */
+static u_int8_t get_minor_version(private_message_t *this)
+{
+	return this->minor_version;
+}
+
+/**
+ * Implementation of message_t.set_exchange_type.
+ */
+static void set_exchange_type(private_message_t *this,
+							  exchange_type_t exchange_type)
+{
+	this->exchange_type = exchange_type;
+}
+
+/**
+ * Implementation of message_t.get_exchange_type.
+ */
+static exchange_type_t get_exchange_type(private_message_t *this)
+{
+	return this->exchange_type;
+}
+
+/**
+ * Implementation of message_t.get_first_payload_type.
+ */
+static payload_type_t get_first_payload_type(private_message_t *this)
+{
+	return this->first_payload;
+}
+
+/**
+ * Implementation of message_t.set_request.
+ */
+static void set_request(private_message_t *this, bool request)
+{
+	this->is_request = request;
+}
+
+/**
+ * Implementation of message_t.get_request.
+ */
+static exchange_type_t get_request(private_message_t *this)
+{
+	return this->is_request;
+}
+
+/**
+ * Is this message in an encoded form?
+ */
+static bool is_encoded(private_message_t *this)
+{
+	chunk_t data = this->packet->get_data(this->packet);
+
+	if (data.ptr == NULL)
+	{
+		return FALSE;
+	}
+	return TRUE;
+}
+
+/**
+ * Implementation of message_t.add_payload.
+ */
+static void add_payload(private_message_t *this, payload_t *payload)
+{
+	payload_t *last_payload;
+
+	if (this->payloads->get_count(this->payloads) > 0)
+	{
+		this->payloads->get_last(this->payloads, (void **)&last_payload);
+		last_payload->set_next_type(last_payload, payload->get_type(payload));
+	}
+	else
+	{
+		this->first_payload = payload->get_type(payload);
+	}
+	payload->set_next_type(payload, NO_PAYLOAD);
+	this->payloads->insert_last(this->payloads, payload);
+
+	DBG2(DBG_ENC ,"added payload of type %N to message",
+		 payload_type_names, payload->get_type(payload));
+}
+
+/**
+ * Implementation of message_t.add_notify.
+ */
+static void add_notify(private_message_t *this, bool flush, notify_type_t type,
+					   chunk_t data)
+{
+	notify_payload_t *notify;
+	payload_t *payload;
+
+	if (flush)
+	{
+		while (this->payloads->remove_last(this->payloads,
+												(void**)&payload) == SUCCESS)
+		{
+			payload->destroy(payload);
+		}
+	}
+	notify = notify_payload_create();
+	notify->set_notify_type(notify, type);
+	notify->set_notification_data(notify, data);
+	add_payload(this, (payload_t*)notify);
+}
+
+/**
+ * Implementation of message_t.set_source.
+ */
+static void set_source(private_message_t *this, host_t *host)
+{
+	this->packet->set_source(this->packet, host);
+}
+
+/**
+ * Implementation of message_t.set_destination.
+ */
+static void set_destination(private_message_t *this, host_t *host)
+{
+	this->packet->set_destination(this->packet, host);
+}
+
+/**
+ * Implementation of message_t.get_source.
+ */
+static host_t* get_source(private_message_t *this)
+{
+	return this->packet->get_source(this->packet);
+}
+
+/**
+ * Implementation of message_t.get_destination.
+ */
+static host_t * get_destination(private_message_t *this)
+{
+	return this->packet->get_destination(this->packet);
+}
+
+/**
+ * Implementation of message_t.create_payload_enumerator.
+ */
+static enumerator_t *create_payload_enumerator(private_message_t *this)
+{
+	return this->payloads->create_enumerator(this->payloads);
+}
+
+/**
+ * Implementation of message_t.get_payload.
+ */
+static payload_t *get_payload(private_message_t *this, payload_type_t type)
+{
+	payload_t *current, *found = NULL;
+	enumerator_t *enumerator;
+
+	enumerator = create_payload_enumerator(this);
+	while (enumerator->enumerate(enumerator, &current))
+	{
+		if (current->get_type(current) == type)
+		{
+			found = current;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return found;
+}
+
+/**
+ * Implementation of message_t.get_notify
+ */
+static notify_payload_t* get_notify(private_message_t *this, notify_type_t type)
+{
+	enumerator_t *enumerator;
+	notify_payload_t *notify = NULL;
+	payload_t *payload;
+
+	enumerator = create_payload_enumerator(this);
+	while (enumerator->enumerate(enumerator, &payload))
+	{
+		if (payload->get_type(payload) == NOTIFY)
+		{
+			notify = (notify_payload_t*)payload;
+			if (notify->get_notify_type(notify) == type)
+			{
+				break;
+			}
+			notify = NULL;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return notify;
+}
+
+/**
+ * get a string representation of the message
+ */
+static char* get_string(private_message_t *this, char *buf, int len)
+{
+	enumerator_t *enumerator;
+	payload_t *payload;
+	int written;
+	char *pos = buf;
+
+	memset(buf, 0, len);
+	len--;
+
+	written = snprintf(pos, len, "%N %s %d [",
+					   exchange_type_names, this->exchange_type,
+					   this->is_request ? "request" : "response",
+					   this->message_id);
+	if (written >= len || written < 0)
+	{
+		return "";
+	}
+	pos += written;
+	len -= written;
+
+	enumerator = create_payload_enumerator(this);
+	while (enumerator->enumerate(enumerator, &payload))
+	{
+		written = snprintf(pos, len, " %N", payload_type_short_names,
+						   payload->get_type(payload));
+		if (written >= len || written < 0)
+		{
+			return buf;
+		}
+		pos += written;
+		len -= written;
+		if (payload->get_type(payload) == NOTIFY)
+		{
+			notify_payload_t *notify = (notify_payload_t*)payload;
+			written = snprintf(pos, len, "(%N)", notify_type_short_names,
+							   notify->get_notify_type(notify));
+			if (written >= len || written < 0)
+			{
+				return buf;
+			}
+			pos += written;
+			len -= written;
+		}
+		if (payload->get_type(payload) == EXTENSIBLE_AUTHENTICATION)
+		{
+			eap_payload_t *eap = (eap_payload_t*)payload;
+			u_int32_t vendor;
+			eap_type_t type;
+			char method[64] = "";
+
+			type = eap->get_type(eap, &vendor);
+			if (type)
+			{
+				if (vendor)
+				{
+					snprintf(method, sizeof(method), "/%d-%d", type, vendor);
+				}
+				else
+				{
+					snprintf(method, sizeof(method), "/%N",
+							 eap_type_short_names, type);
+				}
+			}
+			written = snprintf(pos, len, "/%N%s", eap_code_short_names,
+							   eap->get_code(eap), method);
+			if (written >= len || written < 0)
+			{
+				return buf;
+			}
+			pos += written;
+			len -= written;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	/* remove last space */
+	snprintf(pos, len, " ]");
+	return buf;
+}
+
+/**
+ * reorder payloads depending on reordering rules
+ */
+static void order_payloads(private_message_t *this)
+{
+	linked_list_t *list;
+	payload_t *payload;
+	int i;
+
+	/* move to temp list */
+	list = linked_list_create();
+	while (this->payloads->remove_last(this->payloads,
+									   (void**)&payload) == SUCCESS)
+	{
+		list->insert_first(list, payload);
+	}
+	/* for each rule, ... */
+	for (i = 0; i < this->message_rule->payload_order_count; i++)
+	{
+		enumerator_t *enumerator;
+		notify_payload_t *notify;
+		payload_order_t order = this->message_rule->payload_order[i];
+
+		/* ... find all payload ... */
+		enumerator = list->create_enumerator(list);
+		while (enumerator->enumerate(enumerator, &payload))
+		{
+			/* ... with that type ... */
+			if (payload->get_type(payload) == order.type)
+			{
+				notify = (notify_payload_t*)payload;
+
+				/**... and check notify for type. */
+				if (order.type != NOTIFY || order.notify == 0 ||
+					order.notify == notify->get_notify_type(notify))
+				{
+					list->remove_at(list, enumerator);
+					add_payload(this, payload);
+				}
+			}
+		}
+		enumerator->destroy(enumerator);
+	}
+	/* append all payloads without a rule to the end */
+	while (list->remove_last(list, (void**)&payload) == SUCCESS)
+	{
+		/* do not complain about payloads in private use space */
+		if (payload->get_type(payload) < 128)
+		{
+			DBG1(DBG_ENC, "payload %N has no ordering rule in %N %s",
+				 payload_type_names, payload->get_type(payload),
+				 exchange_type_names, this->message_rule->exchange_type,
+				 this->message_rule->is_request ? "request" : "response");
+		}
+		add_payload(this, payload);
+	}
+	list->destroy(list);
+}
+
+/**
+ * Implementation of private_message_t.encrypt_payloads.
+ */
+static status_t encrypt_payloads(private_message_t *this,
+								 crypter_t *crypter, signer_t* signer)
+{
+	encryption_payload_t *encryption;
+	linked_list_t *payloads;
+	payload_t *current;
+	status_t status;
+
+	if (!this->message_rule->encrypted_content)
+	{
+		DBG2(DBG_ENC, "message doesn't have to be encrypted");
+		/* message contains no content to encrypt */
+		return SUCCESS;
+	}
+
+	if (!crypter || !signer)
+	{
+		DBG2(DBG_ENC, "no crypter or signer specified, do not encrypt message");
+		/* message contains no content to encrypt */
+		return SUCCESS;
+	}
+
+	DBG2(DBG_ENC, "copy all payloads to a temporary list");
+	payloads = linked_list_create();
+
+	/* first copy all payloads in a temporary list */
+	while (this->payloads->get_count(this->payloads) > 0)
+	{
+		this->payloads->remove_first(this->payloads, (void**)&current);
+		payloads->insert_last(payloads, current);
+	}
+
+	encryption = encryption_payload_create();
+
+	DBG2(DBG_ENC, "check each payloads if they have to get encrypted");
+	while (payloads->get_count(payloads) > 0)
+	{
+		payload_rule_t *rule;
+		payload_type_t type;
+		bool to_encrypt = TRUE;
+
+		payloads->remove_first(payloads, (void**)&current);
+
+		type = current->get_type(current);
+		if (get_payload_rule(this, type, &rule) == SUCCESS)
+		{
+			to_encrypt = rule->encrypted;
+		}
+		if (to_encrypt)
+		{
+			DBG2(DBG_ENC, "insert payload %N to encryption payload",
+				 payload_type_names, current->get_type(current));
+			encryption->add_payload(encryption, current);
+		}
+		else
+		{
+			DBG2(DBG_ENC, "insert payload %N unencrypted",
+				 payload_type_names, current->get_type(current));
+			add_payload(this, (payload_t*)current);
+		}
+	}
+
+	DBG2(DBG_ENC, "encrypting encryption payload");
+	encryption->set_transforms(encryption, crypter, signer);
+	status = encryption->encrypt(encryption);
+	DBG2(DBG_ENC, "add encrypted payload to payload list");
+	add_payload(this, (payload_t*)encryption);
+
+	payloads->destroy(payloads);
+
+	return status;
+}
+
+/**
+ * Implementation of message_t.generate.
+ */
+static status_t generate(private_message_t *this, crypter_t *crypter,
+						 signer_t* signer, packet_t **packet)
+{
+	generator_t *generator;
+	ike_header_t *ike_header;
+	payload_t *payload, *next_payload;
+	enumerator_t *enumerator;
+	status_t status;
+	chunk_t packet_data;
+	char str[256];
+
+	if (is_encoded(this))
+	{
+		/* already generated, return a new packet clone */
+		*packet = this->packet->clone(this->packet);
+		return SUCCESS;
+	}
+
+	if (this->exchange_type == EXCHANGE_TYPE_UNDEFINED)
+	{
+		DBG1(DBG_ENC, "exchange type is not defined");
+		return INVALID_STATE;
+	}
+
+	if (this->packet->get_source(this->packet) == NULL ||
+		this->packet->get_destination(this->packet) == NULL)
+	{
+		DBG1(DBG_ENC, "%s not defined",
+			 !this->packet->get_source(this->packet) ? "source" : "destination");
+		return INVALID_STATE;
+	}
+
+	/* set the rules for this messge */
+	status = set_message_rule(this);
+	if (status != SUCCESS)
+	{
+		DBG1(DBG_ENC, "no message rules specified for this message type");
+		return NOT_SUPPORTED;
+	}
+
+	order_payloads(this);
+
+	DBG1(DBG_ENC, "generating %s", get_string(this, str, sizeof(str)));
+
+	/* going to encrypt all content which have to be encrypted */
+	status = encrypt_payloads(this, crypter, signer);
+	if (status != SUCCESS)
+	{
+		DBG1(DBG_ENC, "payload encryption failed");
+		return status;
+	}
+
+	/* build ike header */
+	ike_header = ike_header_create();
+
+	ike_header->set_exchange_type(ike_header, this->exchange_type);
+	ike_header->set_message_id(ike_header, this->message_id);
+	ike_header->set_response_flag(ike_header, !this->is_request);
+	ike_header->set_initiator_flag(ike_header,
+						this->ike_sa_id->is_initiator(this->ike_sa_id));
+	ike_header->set_initiator_spi(ike_header,
+						this->ike_sa_id->get_initiator_spi(this->ike_sa_id));
+	ike_header->set_responder_spi(ike_header,
+						this->ike_sa_id->get_responder_spi(this->ike_sa_id));
+
+	generator = generator_create();
+
+	payload = (payload_t*)ike_header;
+
+	/* generate every payload expect last one, this is done later*/
+	enumerator = create_payload_enumerator(this);
+	while (enumerator->enumerate(enumerator, &next_payload))
+	{
+		payload->set_next_type(payload, next_payload->get_type(next_payload));
+		generator->generate_payload(generator, payload);
+		payload = next_payload;
+	}
+	enumerator->destroy(enumerator);
+
+	/* last payload has no next payload*/
+	payload->set_next_type(payload, NO_PAYLOAD);
+
+	generator->generate_payload(generator, payload);
+
+	ike_header->destroy(ike_header);
+
+	/* build packet */
+	generator->write_to_chunk(generator, &packet_data);
+	generator->destroy(generator);
+
+	/* if last payload is of type encrypted, integrity checksum if necessary */
+	if (payload->get_type(payload) == ENCRYPTED)
+	{
+		DBG2(DBG_ENC, "build signature on whole message");
+		encryption_payload_t *encryption_payload = (encryption_payload_t*)payload;
+		status = encryption_payload->build_signature(encryption_payload, packet_data);
+		if (status != SUCCESS)
+		{
+			return status;
+		}
+	}
+
+	this->packet->set_data(this->packet, packet_data);
+
+	/* clone packet for caller */
+	*packet = this->packet->clone(this->packet);
+
+	DBG2(DBG_ENC, "message generated successfully");
+	return SUCCESS;
+}
+
+/**
+ * Implementation of message_t.get_packet.
+ */
+static packet_t *get_packet(private_message_t *this)
+{
+	if (this->packet == NULL)
+	{
+		return NULL;
+	}
+	return this->packet->clone(this->packet);
+}
+
+/**
+ * Implementation of message_t.get_packet_data.
+ */
+static chunk_t get_packet_data(private_message_t *this)
+{
+	if (this->packet == NULL)
+	{
+		return chunk_empty;
+	}
+	return chunk_clone(this->packet->get_data(this->packet));
+}
+
+/**
+ * Implementation of message_t.parse_header.
+ */
+static status_t parse_header(private_message_t *this)
+{
+	ike_header_t *ike_header;
+	status_t status;
+
+	DBG2(DBG_ENC, "parsing header of message");
+
+	this->parser->reset_context(this->parser);
+	status = this->parser->parse_payload(this->parser, HEADER,
+										 (payload_t**)&ike_header);
+	if (status != SUCCESS)
+	{
+		DBG1(DBG_ENC, "header could not be parsed");
+		return status;
+
+	}
+
+	/* verify payload */
+	status = ike_header->payload_interface.verify(
+										&ike_header->payload_interface);
+	if (status != SUCCESS)
+	{
+		DBG1(DBG_ENC, "header verification failed");
+		ike_header->destroy(ike_header);
+		return status;
+	}
+
+	if (this->ike_sa_id != NULL)
+	{
+		this->ike_sa_id->destroy(this->ike_sa_id);
+	}
+
+	this->ike_sa_id = ike_sa_id_create(ike_header->get_initiator_spi(ike_header),
+									ike_header->get_responder_spi(ike_header),
+									ike_header->get_initiator_flag(ike_header));
+
+	this->exchange_type = ike_header->get_exchange_type(ike_header);
+	this->message_id = ike_header->get_message_id(ike_header);
+	this->is_request = (!(ike_header->get_response_flag(ike_header)));
+	this->major_version = ike_header->get_maj_version(ike_header);
+	this->minor_version = ike_header->get_min_version(ike_header);
+	this->first_payload = ike_header->payload_interface.get_next_type(
+												&ike_header->payload_interface);
+
+	DBG2(DBG_ENC, "parsed a %N %s", exchange_type_names, this->exchange_type,
+		 this->is_request ? "request" : "response");
+
+	ike_header->destroy(ike_header);
+
+	/* get the rules for this messge */
+	status = set_message_rule(this);
+	if (status != SUCCESS)
+	{
+		DBG1(DBG_ENC, "no message rules specified for a %N %s",
+			 exchange_type_names, this->exchange_type,
+			 this->is_request ? "request" : "response");
+	}
+
+	return status;
+}
+
+/**
+ * Implementation of private_message_t.decrypt_and_verify_payloads.
+ */
+static status_t decrypt_payloads(private_message_t *this, crypter_t *crypter,
+								 signer_t* signer)
+{
+	bool current_payload_was_encrypted = FALSE;
+	payload_t *previous_payload = NULL;
+	int payload_number = 1;
+	iterator_t *iterator;
+	payload_t *current_payload;
+	status_t status;
+
+	iterator = this->payloads->create_iterator(this->payloads,TRUE);
+
+	/* process each payload and decrypt a encryption payload */
+	while(iterator->iterate(iterator, (void**)&current_payload))
+	{
+		payload_rule_t *payload_rule;
+		payload_type_t current_payload_type;
+
+		/* needed to check */
+		current_payload_type = current_payload->get_type(current_payload);
+
+		DBG2(DBG_ENC, "process payload of type %N",
+			 payload_type_names, current_payload_type);
+
+		if (current_payload_type == ENCRYPTED)
+		{
+			encryption_payload_t *encryption_payload;
+			payload_t *current_encrypted_payload;
+
+			encryption_payload = (encryption_payload_t*)current_payload;
+
+			DBG2(DBG_ENC, "found an encryption payload");
+
+			if (payload_number != this->payloads->get_count(this->payloads))
+			{
+				/* encrypted payload is not last one */
+				DBG1(DBG_ENC, "encrypted payload is not last payload");
+				iterator->destroy(iterator);
+				return VERIFY_ERROR;
+			}
+			/* decrypt */
+			encryption_payload->set_transforms(encryption_payload,
+											   crypter, signer);
+			DBG2(DBG_ENC, "verify signature of encryption payload");
+			status = encryption_payload->verify_signature(encryption_payload,
+										this->packet->get_data(this->packet));
+			if (status != SUCCESS)
+			{
+				DBG1(DBG_ENC, "encryption payload signature invalid");
+				iterator->destroy(iterator);
+				return FAILED;
+			}
+			DBG2(DBG_ENC, "decrypting content of encryption payload");
+			status = encryption_payload->decrypt(encryption_payload);
+			if (status != SUCCESS)
+			{
+				DBG1(DBG_ENC, "encrypted payload could not be decrypted and parsed");
+				iterator->destroy(iterator);
+				return PARSE_ERROR;
+			}
+
+			/* needed later to find out if a payload was encrypted */
+			current_payload_was_encrypted = TRUE;
+
+			/* check if there are payloads contained in the encryption payload */
+			if (encryption_payload->get_payload_count(encryption_payload) == 0)
+			{
+				DBG2(DBG_ENC, "encrypted payload is empty");
+				/* remove the encryption payload, is not needed anymore */
+				iterator->remove(iterator);
+				/* encrypted payload contains no other payload */
+				current_payload_type = NO_PAYLOAD;
+			}
+			else
+			{
+				/* encryption_payload is replaced with first payload contained
+				 * in encryption_payload */
+				encryption_payload->remove_first_payload(encryption_payload,
+													&current_encrypted_payload);
+				iterator->replace(iterator, NULL,
+								  (void *)current_encrypted_payload);
+				current_payload_type = current_encrypted_payload->get_type(
+													current_encrypted_payload);
+			}
+
+			/* is the current paylad the first in the message? */
+			if (previous_payload == NULL)
+			{
+				/* yes, set the first payload type of the message to the
+				 * current type */
+				this->first_payload = current_payload_type;
+			}
+			else
+			{
+				/* no, set the next_type of the previous payload to the
+				 * current type */
+				previous_payload->set_next_type(previous_payload,
+												current_payload_type);
+			}
+
+			/* all encrypted payloads are added to the payload list */
+			while (encryption_payload->get_payload_count(encryption_payload) > 0)
+			{
+				encryption_payload->remove_first_payload(encryption_payload,
+													&current_encrypted_payload);
+				DBG2(DBG_ENC, "insert unencrypted payload of type "
+					 "%N at end of list", payload_type_names,
+					 current_encrypted_payload->get_type(
+											current_encrypted_payload));
+				this->payloads->insert_last(this->payloads,
+											current_encrypted_payload);
+			}
+
+			/* encryption payload is processed, payloads are moved. Destroy it. */
+			encryption_payload->destroy(encryption_payload);
+		}
+
+		/* we allow unknown payloads of any type and don't bother if it was
+		 * encrypted. Not our problem. */
+		if (current_payload_type != UNKNOWN_PAYLOAD &&
+			current_payload_type != NO_PAYLOAD)
+		{
+			/* get the ruleset for found payload */
+			status = get_payload_rule(this, current_payload_type, &payload_rule);
+			if (status != SUCCESS)
+			{
+				/* payload is not allowed */
+				DBG1(DBG_ENC, "payload type %N not allowed",
+								  payload_type_names, current_payload_type);
+				iterator->destroy(iterator);
+				return VERIFY_ERROR;
+			}
+
+			/* check if the payload was encrypted, and if it should been have
+			 * encrypted */
+			if (payload_rule->encrypted != current_payload_was_encrypted)
+			{
+				/* payload was not encrypted, but should have been.
+				 * or vice-versa */
+				DBG1(DBG_ENC, "payload type %N should be %s!",
+					 payload_type_names, current_payload_type,
+					 (payload_rule->encrypted) ? "encrypted" : "not encrypted");
+				iterator->destroy(iterator);
+				return VERIFY_ERROR;
+			}
+		}
+		/* advance to the next payload */
+		payload_number++;
+		/* is stored to set next payload in case of found encryption payload */
+		previous_payload = current_payload;
+	}
+	iterator->destroy(iterator);
+	return SUCCESS;
+}
+
+/**
+ * Implementation of private_message_t.verify.
+ */
+static status_t verify(private_message_t *this)
+{
+	int i;
+	enumerator_t *enumerator;
+	payload_t *current_payload;
+	size_t total_found_payloads = 0;
+
+	DBG2(DBG_ENC, "verifying message structure");
+
+	/* check for payloads with wrong count*/
+	for (i = 0; i < this->message_rule->payload_rule_count; i++)
+	{
+		size_t found_payloads = 0;
+		payload_rule_t *rule;
+
+		rule = &this->message_rule->payload_rules[i];
+		enumerator = create_payload_enumerator(this);
+
+		/* check all payloads for specific rule */
+		while (enumerator->enumerate(enumerator, &current_payload))
+		{
+			payload_type_t current_payload_type;
+			unknown_payload_t *unknown_payload;
+
+			current_payload_type = current_payload->get_type(current_payload);
+			if (current_payload_type == UNKNOWN_PAYLOAD)
+			{
+				/* unknown payloads are ignored, IF they are not critical */
+				unknown_payload = (unknown_payload_t*)current_payload;
+				if (unknown_payload->is_critical(unknown_payload))
+				{
+					DBG1(DBG_ENC, "%N is not supported, but its critical!",
+						 payload_type_names, current_payload_type);
+					enumerator->destroy(enumerator);
+					return NOT_SUPPORTED;
+				}
+			}
+			else if (current_payload_type == rule->payload_type)
+			{
+				found_payloads++;
+				total_found_payloads++;
+				DBG2(DBG_ENC, "found payload of type %N", payload_type_names,
+					 rule->payload_type);
+
+				/* as soon as ohe payload occures more then specified,
+				 * the verification fails */
+				if (found_payloads >
+					rule->max_occurence)
+				{
+					DBG1(DBG_ENC, "payload of type %N more than %d times (%d) "
+						 "occured in current message", payload_type_names,
+						 current_payload_type, rule->max_occurence,
+						 found_payloads);
+					enumerator->destroy(enumerator);
+					return VERIFY_ERROR;
+				}
+			}
+		}
+		enumerator->destroy(enumerator);
+
+		if (found_payloads < rule->min_occurence)
+		{
+			DBG1(DBG_ENC, "payload of type %N not occured %d times (%d)",
+				 payload_type_names, rule->payload_type, rule->min_occurence,
+				 found_payloads);
+			return VERIFY_ERROR;
+		}
+		if (rule->sufficient)
+		{
+			return SUCCESS;
+		}
+	}
+	return SUCCESS;
+}
+
+/**
+ * Implementation of message_t.parse_body.
+ */
+static status_t parse_body(private_message_t *this, crypter_t *crypter,
+						   signer_t *signer)
+{
+	status_t status = SUCCESS;
+	payload_type_t current_payload_type;
+	char str[256];
+
+	current_payload_type = this->first_payload;
+
+	DBG2(DBG_ENC, "parsing body of message, first payload is %N",
+		 payload_type_names, current_payload_type);
+
+	/* parse payload for payload, while there are more available */
+	while ((current_payload_type != NO_PAYLOAD))
+	{
+		payload_t *current_payload;
+
+		DBG2(DBG_ENC, "starting parsing a %N payload",
+			 payload_type_names, current_payload_type);
+
+		/* parse current payload */
+		status = this->parser->parse_payload(this->parser, current_payload_type,
+											 (payload_t**)&current_payload);
+		if (status != SUCCESS)
+		{
+			DBG1(DBG_ENC, "payload type %N could not be parsed",
+				 payload_type_names, current_payload_type);
+			return PARSE_ERROR;
+		}
+
+		DBG2(DBG_ENC, "verifying payload of type %N",
+			 payload_type_names, current_payload_type);
+
+		/* verify it, stop parsig if its invalid */
+		status = current_payload->verify(current_payload);
+		if (status != SUCCESS)
+		{
+			DBG1(DBG_ENC, "%N payload verification failed",
+				 payload_type_names, current_payload_type);
+			current_payload->destroy(current_payload);
+			return VERIFY_ERROR;
+		}
+
+		DBG2(DBG_ENC, "%N payload verified. Adding to payload list",
+			 payload_type_names, current_payload_type);
+		this->payloads->insert_last(this->payloads,current_payload);
+
+		/* an encryption payload is the last one, so STOP here. decryption is
+		 * done later */
+		if (current_payload_type == ENCRYPTED)
+		{
+			DBG2(DBG_ENC, "%N payload found. Stop parsing",
+				 payload_type_names, current_payload_type);
+			break;
+		}
+
+		/* get next payload type */
+		current_payload_type = current_payload->get_next_type(current_payload);
+	}
+
+	if (current_payload_type == ENCRYPTED)
+	{
+		status = decrypt_payloads(this,crypter,signer);
+		if (status != SUCCESS)
+		{
+			DBG1(DBG_ENC, "could not decrypt payloads");
+			return status;
+		}
+	}
+
+	status = verify(this);
+	if (status != SUCCESS)
+	{
+		return status;
+	}
+
+	DBG1(DBG_ENC, "parsed %s", get_string(this, str, sizeof(str)));
+
+	return SUCCESS;
+}
+
+/**
+ * Implementation of message_t.destroy.
+ */
+static void destroy (private_message_t *this)
+{
+	DESTROY_IF(this->ike_sa_id);
+	this->payloads->destroy_offset(this->payloads, offsetof(payload_t, destroy));
+	this->packet->destroy(this->packet);
+	this->parser->destroy(this->parser);
+	free(this);
+}
+
+/*
+ * Described in Header-File
+ */
+message_t *message_create_from_packet(packet_t *packet)
+{
+	private_message_t *this = malloc_thing(private_message_t);
+
+	/* public functions */
+	this->public.set_major_version = (void(*)(message_t*, u_int8_t))set_major_version;
+	this->public.get_major_version = (u_int8_t(*)(message_t*))get_major_version;
+	this->public.set_minor_version = (void(*)(message_t*, u_int8_t))set_minor_version;
+	this->public.get_minor_version = (u_int8_t(*)(message_t*))get_minor_version;
+	this->public.set_message_id = (void(*)(message_t*, u_int32_t))set_message_id;
+	this->public.get_message_id = (u_int32_t(*)(message_t*))get_message_id;
+	this->public.get_initiator_spi = (u_int64_t(*)(message_t*))get_initiator_spi;
+	this->public.get_responder_spi = (u_int64_t(*)(message_t*))get_responder_spi;
+	this->public.set_ike_sa_id = (void(*)(message_t*, ike_sa_id_t *))set_ike_sa_id;
+	this->public.get_ike_sa_id = (ike_sa_id_t*(*)(message_t*))get_ike_sa_id;
+	this->public.set_exchange_type = (void(*)(message_t*, exchange_type_t))set_exchange_type;
+	this->public.get_exchange_type = (exchange_type_t(*)(message_t*))get_exchange_type;
+	this->public.get_first_payload_type = (payload_type_t(*)(message_t*))get_first_payload_type;
+	this->public.set_request = (void(*)(message_t*, bool))set_request;
+	this->public.get_request = (bool(*)(message_t*))get_request;
+	this->public.add_payload = (void(*)(message_t*,payload_t*))add_payload;
+	this->public.add_notify = (void(*)(message_t*,bool,notify_type_t,chunk_t))add_notify;
+	this->public.generate = (status_t (*) (message_t *,crypter_t*,signer_t*,packet_t**)) generate;
+	this->public.set_source = (void (*) (message_t*,host_t*)) set_source;
+	this->public.get_source = (host_t * (*) (message_t*)) get_source;
+	this->public.set_destination = (void (*) (message_t*,host_t*)) set_destination;
+	this->public.get_destination = (host_t * (*) (message_t*)) get_destination;
+	this->public.create_payload_enumerator = (enumerator_t * (*) (message_t *)) create_payload_enumerator;
+	this->public.get_payload = (payload_t * (*) (message_t *, payload_type_t)) get_payload;
+	this->public.get_notify = (notify_payload_t*(*)(message_t*, notify_type_t type))get_notify;
+	this->public.parse_header = (status_t (*) (message_t *)) parse_header;
+	this->public.parse_body = (status_t (*) (message_t *,crypter_t*,signer_t*)) parse_body;
+	this->public.get_packet = (packet_t * (*) (message_t*)) get_packet;
+	this->public.get_packet_data = (chunk_t (*) (message_t *this)) get_packet_data;
+	this->public.destroy = (void(*)(message_t*))destroy;
+
+	/* private values */
+	this->exchange_type = EXCHANGE_TYPE_UNDEFINED;
+	this->is_request = TRUE;
+	this->ike_sa_id = NULL;
+	this->first_payload = NO_PAYLOAD;
+	this->message_id = 0;
+
+	/* private values */
+	if (packet == NULL)
+	{
+		packet = packet_create();
+	}
+	this->message_rule = NULL;
+	this->packet = packet;
+	this->payloads = linked_list_create();
+
+	/* parser is created from data of packet */
+	this->parser = parser_create(this->packet->get_data(this->packet));
+
+	return (&this->public);
+}
+
+/*
+ * Described in Header.
+ */
+message_t *message_create()
+{
+	return message_create_from_packet(NULL);
+}
+
diff --git a/src/libcharon/encoding/message.h b/src/libcharon/encoding/message.h
new file mode 100644
index 000000000..2c7718f49
--- /dev/null
+++ b/src/libcharon/encoding/message.h
@@ -0,0 +1,359 @@
+/*
+ * Copyright (C) 2006-2007 Tobias Brunner
+ * Copyright (C) 2005-2009 Martin Willi
+ * Copyright (C) 2006 Daniel Roethlisberger
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup message message
+ * @{ @ingroup encoding
+ */
+
+#ifndef MESSAGE_H_
+#define MESSAGE_H_
+
+typedef struct message_t message_t;
+
+#include <library.h>
+#include <sa/ike_sa_id.h>
+#include <network/packet.h>
+#include <encoding/payloads/ike_header.h>
+#include <encoding/payloads/notify_payload.h>
+#include <utils/linked_list.h>
+#include <crypto/crypters/crypter.h>
+#include <crypto/signers/signer.h>
+
+/**
+ * This class is used to represent an IKEv2-Message.
+ *
+ * The message handles parsing and generation of payloads
+ * via parser_t/generator_t. Encryption is done transparently
+ * via the encryption_payload_t. A set of rules for messages
+ * and payloads does check parsed messages.
+ */
+struct message_t {
+
+	/**
+	 * Sets the IKE major version of the message.
+	 *
+	 * @param major_version	major version to set
+	 */
+	void (*set_major_version) (message_t *this,u_int8_t major_version);
+
+	/**
+	 * Gets the IKE major version of the message.
+	 *
+	 * @return				major version of the message
+	 */
+	u_int8_t (*get_major_version) (message_t *this);
+
+	/**
+	 * Sets the IKE minor version of the message.
+	 *
+	 * @param minor_version	minor version to set
+	 */
+	void (*set_minor_version) (message_t *this,u_int8_t minor_version);
+
+	/**
+	 * Gets the IKE minor version of the message.
+	 *
+	 * @return				minor version of the message
+	 */
+	u_int8_t (*get_minor_version) (message_t *this);
+
+	/**
+	 * Sets the Message ID of the message.
+	 *
+	 * @param message_id	message_id to set
+	 */
+	void (*set_message_id) (message_t *this,u_int32_t message_id);
+
+	/**
+	 * Gets the Message ID of the message.
+	 *
+	 * @return				message_id type of the message
+	 */
+	u_int32_t (*get_message_id) (message_t *this);
+
+	/**
+	 * Gets the initiator SPI of the message.
+	 *
+	 * @return				initiator spi of the message
+	 */
+	u_int64_t (*get_initiator_spi) (message_t *this);
+
+	/**
+	 * Gets the responder SPI of the message.
+	 *
+	 * @return				responder spi of the message
+	 */
+	u_int64_t (*get_responder_spi) (message_t *this);
+
+	/**
+	 * Sets the IKE_SA ID of the message.
+	 *
+	 * ike_sa_id gets cloned.
+	 *
+	 * @param ike_sa_id		ike_sa_id to set
+	 */
+	void (*set_ike_sa_id) (message_t *this, ike_sa_id_t * ike_sa_id);
+
+	/**
+	 * Gets the IKE_SA ID of the message.
+	 *
+	 * The ike_sa_id points to the message internal id, do not modify.
+	 *
+	 * @return				ike_sa_id of message
+	 */
+	ike_sa_id_t *(*get_ike_sa_id) (message_t *this);
+
+	/**
+	 * Sets the exchange type of the message.
+	 *
+	 * @param exchange_type	exchange_type to set
+	 */
+	void (*set_exchange_type) (message_t *this,exchange_type_t exchange_type);
+
+	/**
+	 * Gets the exchange type of the message.
+	 *
+	 * @return				exchange type of the message
+	 */
+	exchange_type_t (*get_exchange_type) (message_t *this);
+
+	/**
+	 * Gets the payload type of the first payload.
+	 *
+	 * @return				payload type of the first payload
+	 */
+	payload_type_t (*get_first_payload_type) (message_t *this);
+
+	/**
+	 * Sets the request flag.
+	 *
+	 * @param request		TRUE if message is a request, FALSE if it is a reply
+	 */
+	void (*set_request) (message_t *this, bool request);
+
+	/**
+	 * Gets request flag.
+	 *
+	 * @return				TRUE if message is a request, FALSE if it is a reply
+	 */
+	bool (*get_request) (message_t *this);
+
+	/**
+	 * Append a payload to the message.
+	 *
+	 * If the payload must be encrypted is not specified here. Encryption
+	 * of payloads is evaluated via internal rules for the messages and
+	 * is done before generation. The order of payloads may change, since
+	 * all payloads to encrypt are added to the encryption payload, which is
+	 * always the last one.
+	 *
+	 * @param payload 		payload to append
+	 */
+	void (*add_payload) (message_t *this, payload_t *payload);
+
+	/**
+	 * Build a notify payload and add it to the message.
+	 *
+	 * This is a helper method to create notify messages or add
+	 * notify payload to messages. The flush parameter specifies if existing
+	 * payloads should get removed before appending the notify.
+	 *
+	 * @param flush			TRUE to remove existing payloads
+	 * @param type			type of the notify
+	 * @param data			a chunk of data to add to the notify, gets cloned
+	 */
+	void (*add_notify) (message_t *this, bool flush, notify_type_t type,
+						chunk_t data);
+
+	/**
+	 * Parses header of message.
+	 *
+	 * Begins parisng of a message created via message_create_from_packet().
+	 * The parsing context is stored, so a subsequent call to parse_body()
+	 * will continue the parsing process.
+	 *
+	 * @return
+	 * 					- SUCCESS if header could be parsed
+	 *					- PARSE_ERROR if corrupted/invalid data found
+	 * 					- FAILED if consistence check of header failed
+	 */
+	status_t (*parse_header) (message_t *this);
+
+	/**
+	 * Parses body of message.
+	 *
+	 * The body gets not only parsed, but rather it gets verified.
+	 * All payloads are verified if they are allowed to exist in the message
+	 * of this type and if their own structure is ok.
+	 * If there are encrypted payloads, they get decrypted via the supplied
+	 * crypter. Also the message integrity gets verified with the supplied
+	 * signer.
+	 * Crypter/signer can be omitted (by passing NULL) when no encryption
+	 * payload is expected.
+	 *
+	 * @param crypter	crypter to decrypt encryption payloads
+	 * @param signer	signer to verifiy a message with an encryption payload
+	 * @return
+	 * 					- SUCCESS if parsing successful
+	 * 					- NOT_SUPPORTED if ciritcal unknown payloads found
+	 * 					- NOT_SUPPORTED if message type is not supported!
+	 *					- PARSE_ERROR if message parsing failed
+	 * 					- VERIFY_ERROR if message verification failed (bad syntax)
+	 * 					- FAILED if integrity check failed
+	 * 					- INVALID_STATE if crypter/signer not supplied, but needed
+	 */
+	status_t (*parse_body) (message_t *this, crypter_t *crypter, signer_t *signer);
+
+	/**
+	 * Generates the UDP packet of specific message.
+	 *
+	 * Payloads which must be encrypted are generated first and added to
+	 * an encryption payload. This encryption payload will get encrypted via
+	 * the supplied crypter. Then all other payloads and the header get generated.
+	 * After that, the checksum is added to the encryption payload over the full
+	 * message.
+	 * Crypter/signer can be omitted (by passing NULL) when no encryption
+	 * payload is expected.
+	 * Generation is only done once, multiple calls will just return a packet copy.
+	 *
+	 * @param crypter	crypter to use when a payload must be encrypted
+	 * @param signer	signer to build a mac
+	 * @param packet	copy of generated packet
+	 * @return
+	 * 					- SUCCESS if packet could be generated
+	 * 					- INVALID_STATE if exchange type is currently not set
+	 * 					- NOT_FOUND if no rules found for message generation
+	 * 					- INVALID_STATE if crypter/signer not supplied but needed.
+	 */
+	status_t (*generate) (message_t *this, crypter_t *crypter, signer_t *signer, packet_t **packet);
+
+	/**
+	 * Gets the source host informations.
+	 *
+	 * @warning Returned host_t object is not getting cloned,
+	 * do not destroy nor modify.
+	 *
+	 * @return			host_t object representing source host
+	 */
+	host_t * (*get_source) (message_t *this);
+
+	/**
+	 * Sets the source host informations.
+	 *
+	 * @warning host_t object is not getting cloned and gets destroyed by
+	 * 			message_t.destroy or next call of message_t.set_source.
+	 *
+	 * @param host		host_t object representing source host
+	 */
+	void (*set_source) (message_t *this, host_t *host);
+
+	/**
+	 * Gets the destination host informations.
+	 *
+	 * @warning Returned host_t object is not getting cloned,
+	 * do not destroy nor modify.
+	 *
+	 * @return			host_t object representing destination host
+	 */
+	host_t * (*get_destination) (message_t *this);
+
+	/**
+	 * Sets the destination host informations.
+	 *
+	 * @warning host_t object is not getting cloned and gets destroyed by
+	 * 			message_t.destroy or next call of message_t.set_destination.
+	 *
+	 * @param host		host_t object representing destination host
+	 */
+	void (*set_destination) (message_t *this, host_t *host);
+
+	/**
+	 * Create an enumerator over all payloads.
+	 *
+	 * @return			enumerator over payload_t
+	 */
+	enumerator_t * (*create_payload_enumerator) (message_t *this);
+
+	/**
+	 * Find a payload of a specific type.
+	 *
+	 * Returns the first occurance.
+	 *
+	 * @param type		type of the payload to find
+	 * @return			payload, or NULL if no such payload found
+	 */
+	payload_t* (*get_payload) (message_t *this, payload_type_t type);
+
+	/**
+	 * Get the first notify payload of a specific type.
+	 *
+	 * @param type		type of notification payload
+	 * @return			notify payload, NULL if no such notify found
+	 */
+	notify_payload_t* (*get_notify)(message_t *this, notify_type_t type);
+
+	/**
+	 * Returns a clone of the internal stored packet_t object.
+	 *
+	 * @return			packet_t object as clone of internal one
+	 */
+	packet_t * (*get_packet) (message_t *this);
+
+	/**
+	 * Returns a clone of the internal stored packet_t data.
+	 *
+	 * @return			clone of the internal stored packet_t data.
+	 */
+	chunk_t (*get_packet_data) (message_t *this);
+
+	/**
+	 * Destroys a message and all including objects.
+	 */
+	void (*destroy) (message_t *this);
+};
+
+/**
+ * Creates an message_t object from a incoming UDP Packet.
+ *
+ * @warning the given packet_t object is not copied and gets
+ *			destroyed in message_t's destroy call.
+ *
+ * - exchange_type is set to NOT_SET
+ * - original_initiator is set to TRUE
+ * - is_request is set to TRUE
+ * Call message_t.parse_header afterwards.
+ *
+ * @param packet		packet_t object which is assigned to message
+ * @return 				message_t object
+ */
+message_t * message_create_from_packet(packet_t *packet);
+
+
+/**
+ * Creates an empty message_t object.
+ *
+ * - exchange_type is set to NOT_SET
+ * - original_initiator is set to TRUE
+ * - is_request is set to TRUE
+ *
+ * @return message_t object
+ */
+message_t * message_create(void);
+
+#endif /** MESSAGE_H_ @}*/
diff --git a/src/libcharon/encoding/parser.c b/src/libcharon/encoding/parser.c
new file mode 100644
index 000000000..9aa34b1bc
--- /dev/null
+++ b/src/libcharon/encoding/parser.c
@@ -0,0 +1,862 @@
+/*
+ * Copyright (C) 2005-2009 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <stdlib.h>
+#include <arpa/inet.h>
+#include <string.h>
+
+#include "parser.h"
+
+#include <library.h>
+#include <daemon.h>
+#include <utils/linked_list.h>
+#include <encoding/payloads/encodings.h>
+#include <encoding/payloads/payload.h>
+#include <encoding/payloads/sa_payload.h>
+#include <encoding/payloads/proposal_substructure.h>
+#include <encoding/payloads/transform_substructure.h>
+#include <encoding/payloads/transform_attribute.h>
+#include <encoding/payloads/ke_payload.h>
+#include <encoding/payloads/nonce_payload.h>
+#include <encoding/payloads/id_payload.h>
+#include <encoding/payloads/notify_payload.h>
+#include <encoding/payloads/encryption_payload.h>
+#include <encoding/payloads/auth_payload.h>
+#include <encoding/payloads/cert_payload.h>
+#include <encoding/payloads/certreq_payload.h>
+#include <encoding/payloads/ts_payload.h>
+#include <encoding/payloads/delete_payload.h>
+#include <encoding/payloads/vendor_id_payload.h>
+#include <encoding/payloads/cp_payload.h>
+#include <encoding/payloads/configuration_attribute.h>
+#include <encoding/payloads/eap_payload.h>
+#include <encoding/payloads/unknown_payload.h>
+
+
+typedef struct private_parser_t private_parser_t;
+
+/**
+ * Private data stored in a context.
+ *
+ * Contains pointers and counters to store current state.
+ */
+struct private_parser_t {
+	/**
+	 * Public members, see parser_t.
+	 */
+	parser_t public;
+
+	/**
+	 * Current bit for reading in input data.
+	 */
+	u_int8_t bit_pos;
+
+	/**
+	 * Current byte for reading in input data.
+	 */
+	u_int8_t *byte_pos;
+
+	/**
+	 * Input data to parse.
+	 */
+	u_int8_t *input;
+
+	/**
+	 * Roof of input, used for length-checking.
+	 */
+	u_int8_t *input_roof;
+
+	/**
+	 * Set of encoding rules for this parsing session.
+	 */
+	encoding_rule_t *rules;
+};
+
+/**
+ * Forward declaration
+ */
+static status_t parse_payload(private_parser_t *this,
+							  payload_type_t payload_type, payload_t **payload);
+
+/**
+ * Log invalid length error
+ */
+static bool short_input(private_parser_t *this, int number)
+{
+	DBG1(DBG_ENC, "  not enough input to parse rule %d %N",
+		 number, encoding_type_names, this->rules[number].type);
+	return FALSE;
+}
+
+/**
+ * Log unaligned rules
+ */
+static bool bad_bitpos(private_parser_t *this, int number)
+{
+	DBG1(DBG_ENC, "  found rule %d %N on bitpos %d",
+		 number, encoding_type_names, this->rules[number].type, this->bit_pos);
+	return FALSE;
+}
+
+/**
+ * Parse a 4-Bit unsigned integer from the current parsing position.
+ */
+static bool parse_uint4(private_parser_t *this, int rule_number,
+						u_int8_t *output_pos)
+{
+	if (this->byte_pos + sizeof(u_int8_t) > this->input_roof)
+	{
+		return short_input(this, rule_number);
+	}
+	switch (this->bit_pos)
+	{
+		case 0:
+			if (output_pos)
+			{
+				*output_pos = *(this->byte_pos) >> 4;
+			}
+			this->bit_pos = 4;
+			break;
+		case 4:
+			if (output_pos)
+			{
+				*output_pos = *(this->byte_pos) & 0x0F;
+			}
+			this->bit_pos = 0;
+			this->byte_pos++;
+			break;
+		default:
+			return bad_bitpos(this, rule_number);
+	}
+	if (output_pos)
+	{
+		DBG3(DBG_ENC, "   => %d", *output_pos);
+	}
+	return TRUE;
+}
+
+/**
+ * Parse a 8-Bit unsigned integer from the current parsing position.
+ */
+static bool parse_uint8(private_parser_t *this, int rule_number,
+						u_int8_t *output_pos)
+{
+	if (this->byte_pos + sizeof(u_int8_t) > this->input_roof)
+	{
+		return short_input(this, rule_number);
+	}
+	if (this->bit_pos)
+	{
+		return bad_bitpos(this, rule_number);
+	}
+	if (output_pos)
+	{
+		*output_pos = *(this->byte_pos);
+		DBG3(DBG_ENC, "   => %d", *output_pos);
+	}
+	this->byte_pos++;
+	return TRUE;
+}
+
+/**
+ * Parse a 15-Bit unsigned integer from the current parsing position.
+ */
+static bool parse_uint15(private_parser_t *this, int rule_number,
+						 u_int16_t *output_pos)
+{
+	if (this->byte_pos + sizeof(u_int16_t) > this->input_roof)
+	{
+		return short_input(this, rule_number);
+	}
+	if (this->bit_pos != 1)
+	{
+		return bad_bitpos(this, rule_number);
+	}
+	if (output_pos)
+	{
+		memcpy(output_pos, this->byte_pos, sizeof(u_int16_t));
+		*output_pos = ntohs(*output_pos) & ~0x8000;
+		DBG3(DBG_ENC, "   => %d", *output_pos);
+	}
+	this->byte_pos += sizeof(u_int16_t);
+	this->bit_pos = 0;
+	return TRUE;
+}
+
+/**
+ * Parse a 16-Bit unsigned integer from the current parsing position.
+ */
+static bool parse_uint16(private_parser_t *this, int rule_number,
+						 u_int16_t *output_pos)
+{
+	if (this->byte_pos + sizeof(u_int16_t) > this->input_roof)
+	{
+		return short_input(this, rule_number);
+	}
+	if (this->bit_pos)
+	{
+		return bad_bitpos(this, rule_number);
+	}
+	if (output_pos)
+	{
+		memcpy(output_pos, this->byte_pos, sizeof(u_int16_t));
+		*output_pos = ntohs(*output_pos);
+		DBG3(DBG_ENC, "   => %d", *output_pos);
+	}
+	this->byte_pos += sizeof(u_int16_t);
+	return TRUE;
+}
+/**
+ * Parse a 32-Bit unsigned integer from the current parsing position.
+ */
+static bool parse_uint32(private_parser_t *this, int rule_number,
+						 u_int32_t *output_pos)
+{
+	if (this->byte_pos + sizeof(u_int32_t) > this->input_roof)
+	{
+		return short_input(this, rule_number);
+	}
+	if (this->bit_pos)
+	{
+		return bad_bitpos(this, rule_number);
+	}
+	if (output_pos)
+	{
+		memcpy(output_pos, this->byte_pos, sizeof(u_int32_t));
+		*output_pos = ntohl(*output_pos);
+		DBG3(DBG_ENC, "   => %d", *output_pos);
+	}
+	this->byte_pos += sizeof(u_int32_t);
+	return TRUE;
+}
+
+/**
+ * Parse a given amount of bytes and writes them to a specific location
+ */
+static bool parse_bytes(private_parser_t *this, int rule_number,
+						u_int8_t *output_pos, int bytes)
+{
+	if (this->byte_pos + bytes > this->input_roof)
+	{
+		return short_input(this, rule_number);
+	}
+	if (this->bit_pos)
+	{
+		return bad_bitpos(this, rule_number);
+	}
+	if (output_pos)
+	{
+		memcpy(output_pos, this->byte_pos, bytes);
+		DBG3(DBG_ENC, "   => %b", output_pos, bytes);
+	}
+	this->byte_pos += bytes;
+	return TRUE;
+}
+
+/**
+ * Parse a single Bit from the current parsing position
+ */
+static bool parse_bit(private_parser_t *this, int rule_number,
+					  bool *output_pos)
+{
+	if (this->byte_pos + sizeof(u_int8_t) > this->input_roof)
+	{
+		return short_input(this, rule_number);
+	}
+	if (output_pos)
+	{
+		u_int8_t mask;
+		mask = 0x01 << (7 - this->bit_pos);
+		*output_pos = *this->byte_pos & mask;
+
+		if (*output_pos)
+		{	/* set to a "clean", comparable true */
+			*output_pos = TRUE;
+		}
+		DBG3(DBG_ENC, "   => %d", *output_pos);
+	}
+	this->bit_pos = (this->bit_pos + 1) % 8;
+	if (this->bit_pos == 0)
+	{
+		this->byte_pos++;
+	}
+	return TRUE;
+}
+
+/**
+ * Parse substructures in a list.
+ */
+static bool parse_list(private_parser_t *this, int rule_number,
+			linked_list_t **output_pos, payload_type_t payload_type, int length)
+{
+	linked_list_t *list = *output_pos;
+
+	if (length < 0)
+	{
+		return short_input(this, rule_number);
+	}
+	if (this->bit_pos)
+	{
+		return bad_bitpos(this, rule_number);
+	}
+	while (length > 0)
+	{
+		u_int8_t *pos_before = this->byte_pos;
+		payload_t *payload;
+
+		DBG2(DBG_ENC, "  %d bytes left, parsing recursively %N",
+			 length, payload_type_names, payload_type);
+
+		if (parse_payload(this, payload_type, &payload) != SUCCESS)
+		{
+			DBG1(DBG_ENC, "  parsing of a %N substructure failed",
+				 payload_type_names, payload_type);
+			return FALSE;
+		}
+		list->insert_last(list, payload);
+		length -= this->byte_pos - pos_before;
+	}
+	if (length != 0)
+	{	/* must yield exactly to zero */
+		DBG1(DBG_ENC, "  length of %N substructure list invalid",
+			 payload_type_names, payload_type);
+		return FALSE;
+	}
+	*output_pos = list;
+	return TRUE;
+}
+
+/**
+ * Parse data from current parsing position in a chunk.
+ */
+static bool parse_chunk(private_parser_t *this, int rule_number,
+						chunk_t *output_pos, int length)
+{
+	if (this->byte_pos + length > this->input_roof)
+	{
+		return short_input(this, rule_number);
+	}
+	if (this->bit_pos)
+	{
+		return bad_bitpos(this, rule_number);
+	}
+	if (output_pos)
+	{
+		*output_pos = chunk_alloc(length);
+		memcpy(output_pos->ptr, this->byte_pos, length);
+		DBG3(DBG_ENC, "   => %b", output_pos->ptr, length);
+	}
+	this->byte_pos += length;
+	return TRUE;
+}
+
+/**
+ * Implementation of parser_t.parse_payload.
+ */
+static status_t parse_payload(private_parser_t *this,
+							  payload_type_t payload_type, payload_t **payload)
+{
+	payload_t *pld;
+	void *output;
+	size_t rule_count;
+	int payload_length = 0, spi_size = 0, attribute_length = 0;
+	u_int16_t ts_type = 0;
+	bool attribute_format = FALSE;
+	int rule_number;
+	encoding_rule_t *rule;
+
+	/* create instance of the payload to parse */
+	pld = payload_create(payload_type);
+
+	DBG2(DBG_ENC, "parsing %N payload, %d bytes left",
+		 payload_type_names, payload_type, this->input_roof - this->byte_pos);
+
+	DBG3(DBG_ENC, "parsing payload from %b",
+		 this->byte_pos, this->input_roof - this->byte_pos);
+
+	if (pld->get_type(pld) == UNKNOWN_PAYLOAD)
+	{
+		DBG1(DBG_ENC, "  payload type %d is unknown, handling as %N",
+			 payload_type, payload_type_names, UNKNOWN_PAYLOAD);
+	}
+
+	/* base pointer for output, avoids casting in every rule */
+	output = pld;
+
+	/* parse the payload with its own rulse */
+	pld->get_encoding_rules(pld, &this->rules, &rule_count);
+	for (rule_number = 0; rule_number < rule_count; rule_number++)
+	{
+		rule = &(this->rules[rule_number]);
+		DBG2(DBG_ENC, "  parsing rule %d %N",
+			 rule_number, encoding_type_names, rule->type);
+		switch (rule->type)
+		{
+			case U_INT_4:
+			{
+				if (!parse_uint4(this, rule_number, output + rule->offset))
+				{
+					pld->destroy(pld);
+					return PARSE_ERROR;
+				}
+				break;
+			}
+			case U_INT_8:
+			{
+				if (!parse_uint8(this, rule_number, output + rule->offset))
+				{
+					pld->destroy(pld);
+					return PARSE_ERROR;
+				}
+				break;
+			}
+			case U_INT_16:
+			{
+				if (!parse_uint16(this, rule_number, output + rule->offset))
+				{
+					pld->destroy(pld);
+					return PARSE_ERROR;
+				}
+				break;
+			}
+			case U_INT_32:
+			{
+				if (!parse_uint32(this, rule_number, output + rule->offset))
+				{
+					pld->destroy(pld);
+					return PARSE_ERROR;
+				}
+				break;
+			}
+			case IKE_SPI:
+			{
+				if (!parse_bytes(this, rule_number, output + rule->offset, 8))
+				{
+					pld->destroy(pld);
+					return PARSE_ERROR;
+				}
+				break;
+			}
+			case RESERVED_BIT:
+			{
+				if (!parse_bit(this, rule_number, NULL))
+				{
+					pld->destroy(pld);
+					return PARSE_ERROR;
+				}
+				break;
+			}
+			case RESERVED_BYTE:
+			{
+				if (!parse_uint8(this, rule_number, NULL))
+				{
+					pld->destroy(pld);
+					return PARSE_ERROR;
+				}
+				break;
+			}
+			case FLAG:
+			{
+				if (!parse_bit(this, rule_number, output + rule->offset))
+				{
+					pld->destroy(pld);
+					return PARSE_ERROR;
+				}
+				break;
+			}
+			case PAYLOAD_LENGTH:
+			{
+				if (!parse_uint16(this, rule_number, output + rule->offset))
+				{
+					pld->destroy(pld);
+					return PARSE_ERROR;
+				}
+				/* parsed u_int16 should be aligned */
+				payload_length = *(u_int16_t*)(output + rule->offset);
+				if (payload_length < UNKNOWN_PAYLOAD_HEADER_LENGTH)
+				{
+					pld->destroy(pld);
+					return PARSE_ERROR;
+				}
+				break;
+			}
+			case HEADER_LENGTH:
+			{
+				if (!parse_uint32(this, rule_number, output + rule->offset))
+				{
+					pld->destroy(pld);
+					return PARSE_ERROR;
+				}
+				break;
+			}
+			case SPI_SIZE:
+			{
+				if (!parse_uint8(this, rule_number, output + rule->offset))
+				{
+					pld->destroy(pld);
+					return PARSE_ERROR;
+				}
+				spi_size = *(u_int8_t*)(output + rule->offset);
+				break;
+			}
+			case SPI:
+			{
+				if (!parse_chunk(this, rule_number, output + rule->offset,
+								 spi_size))
+				{
+					pld->destroy(pld);
+					return PARSE_ERROR;
+				}
+				break;
+			}
+			case PROPOSALS:
+			{
+				if (payload_length < SA_PAYLOAD_HEADER_LENGTH ||
+					!parse_list(this, rule_number, output + rule->offset,
+								PROPOSAL_SUBSTRUCTURE,
+								payload_length - SA_PAYLOAD_HEADER_LENGTH))
+				{
+					pld->destroy(pld);
+					return PARSE_ERROR;
+				}
+				break;
+			}
+			case TRANSFORMS:
+			{
+				if (payload_length <
+							spi_size + PROPOSAL_SUBSTRUCTURE_HEADER_LENGTH ||
+					!parse_list(this, rule_number, output + rule->offset,
+							TRANSFORM_SUBSTRUCTURE, payload_length - spi_size -
+										PROPOSAL_SUBSTRUCTURE_HEADER_LENGTH))
+				{
+					pld->destroy(pld);
+					return PARSE_ERROR;
+				}
+				break;
+			}
+			case TRANSFORM_ATTRIBUTES:
+			{
+				if (payload_length < TRANSFORM_SUBSTRUCTURE_HEADER_LENGTH ||
+					!parse_list(this, rule_number, output + rule->offset,
+						TRANSFORM_ATTRIBUTE,
+						payload_length - TRANSFORM_SUBSTRUCTURE_HEADER_LENGTH))
+				{
+					pld->destroy(pld);
+					return PARSE_ERROR;
+				}
+				break;
+			}
+			case CONFIGURATION_ATTRIBUTES:
+			{
+				if (payload_length < CP_PAYLOAD_HEADER_LENGTH ||
+					!parse_list(this, rule_number, output + rule->offset,
+								CONFIGURATION_ATTRIBUTE,
+								payload_length - CP_PAYLOAD_HEADER_LENGTH))
+				{
+					pld->destroy(pld);
+					return PARSE_ERROR;
+				}
+				break;
+			}
+			case ATTRIBUTE_FORMAT:
+			{
+				if (!parse_bit(this, rule_number, output + rule->offset))
+				{
+					pld->destroy(pld);
+					return PARSE_ERROR;
+				}
+				attribute_format = *(bool*)(output + rule->offset);
+				break;
+			}
+			case ATTRIBUTE_TYPE:
+			{
+				if (!parse_uint15(this, rule_number, output + rule->offset))
+				{
+					pld->destroy(pld);
+					return PARSE_ERROR;
+				}
+				break;
+			}
+			case CONFIGURATION_ATTRIBUTE_LENGTH:
+			{
+				if (!parse_uint16(this, rule_number, output + rule->offset))
+				{
+					pld->destroy(pld);
+					return PARSE_ERROR;
+				}
+				attribute_length = *(u_int16_t*)(output + rule->offset);
+				break;
+			}
+			case ATTRIBUTE_LENGTH_OR_VALUE:
+			{
+				if (!parse_uint16(this, rule_number, output + rule->offset))
+				{
+					pld->destroy(pld);
+					return PARSE_ERROR;
+				}
+				attribute_length = *(u_int16_t*)(output + rule->offset);
+				break;
+			}
+			case ATTRIBUTE_VALUE:
+			{
+				if (attribute_format == FALSE &&
+					!parse_chunk(this, rule_number, output + rule->offset,
+								 attribute_length))
+				{
+					pld->destroy(pld);
+					return PARSE_ERROR;
+				}
+				break;
+			}
+			case NONCE_DATA:
+			{
+				if (payload_length < NONCE_PAYLOAD_HEADER_LENGTH ||
+					!parse_chunk(this, rule_number, output + rule->offset,
+								 payload_length - NONCE_PAYLOAD_HEADER_LENGTH))
+				{
+					pld->destroy(pld);
+					return PARSE_ERROR;
+				}
+				break;
+			}
+			case ID_DATA:
+			{
+				if (payload_length < ID_PAYLOAD_HEADER_LENGTH ||
+					!parse_chunk(this, rule_number, output + rule->offset,
+								 payload_length - ID_PAYLOAD_HEADER_LENGTH))
+				{
+					pld->destroy(pld);
+					return PARSE_ERROR;
+				}
+				break;
+			}
+			case AUTH_DATA:
+			{
+				if (payload_length < AUTH_PAYLOAD_HEADER_LENGTH ||
+					!parse_chunk(this, rule_number, output + rule->offset,
+								 payload_length - AUTH_PAYLOAD_HEADER_LENGTH))
+				{
+					pld->destroy(pld);
+					return PARSE_ERROR;
+				}
+				break;
+			}
+			case CERT_DATA:
+			{
+				if (payload_length < CERT_PAYLOAD_HEADER_LENGTH ||
+					!parse_chunk(this, rule_number, output + rule->offset,
+								 payload_length - CERT_PAYLOAD_HEADER_LENGTH))
+				{
+					pld->destroy(pld);
+					return PARSE_ERROR;
+				}
+				break;
+			}
+			case CERTREQ_DATA:
+			{
+				if (payload_length < CERTREQ_PAYLOAD_HEADER_LENGTH ||
+					!parse_chunk(this, rule_number, output + rule->offset,
+								 payload_length - CERTREQ_PAYLOAD_HEADER_LENGTH))
+				{
+					pld->destroy(pld);
+					return PARSE_ERROR;
+				}
+				break;
+			}
+			case EAP_DATA:
+			{
+				if (payload_length < EAP_PAYLOAD_HEADER_LENGTH ||
+					!parse_chunk(this, rule_number, output + rule->offset,
+								 payload_length - EAP_PAYLOAD_HEADER_LENGTH))
+				{
+					pld->destroy(pld);
+					return PARSE_ERROR;
+				}
+				break;
+			}
+			case SPIS:
+			{
+				if (payload_length < DELETE_PAYLOAD_HEADER_LENGTH ||
+					!parse_chunk(this, rule_number, output + rule->offset,
+								 payload_length - DELETE_PAYLOAD_HEADER_LENGTH))
+				{
+					pld->destroy(pld);
+					return PARSE_ERROR;
+				}
+				break;
+			}
+			case VID_DATA:
+			{
+				if (payload_length < VENDOR_ID_PAYLOAD_HEADER_LENGTH ||
+					!parse_chunk(this, rule_number, output + rule->offset,
+							payload_length - VENDOR_ID_PAYLOAD_HEADER_LENGTH))
+				{
+					pld->destroy(pld);
+					return PARSE_ERROR;
+				}
+				break;
+			}
+			case CONFIGURATION_ATTRIBUTE_VALUE:
+			{
+				if (!parse_chunk(this, rule_number, output + rule->offset,
+								 attribute_length))
+				{
+					pld->destroy(pld);
+					return PARSE_ERROR;
+				}
+				break;
+			}
+			case KEY_EXCHANGE_DATA:
+			{
+				if (payload_length < KE_PAYLOAD_HEADER_LENGTH ||
+					!parse_chunk(this, rule_number, output + rule->offset,
+								 payload_length - KE_PAYLOAD_HEADER_LENGTH))
+				{
+					pld->destroy(pld);
+					return PARSE_ERROR;
+				}
+				break;
+			}
+			case NOTIFICATION_DATA:
+			{
+				if (payload_length < NOTIFY_PAYLOAD_HEADER_LENGTH + spi_size ||
+					!parse_chunk(this, rule_number, output + rule->offset,
+						payload_length - NOTIFY_PAYLOAD_HEADER_LENGTH - spi_size))
+				{
+					pld->destroy(pld);
+					return PARSE_ERROR;
+				}
+				break;
+			}
+			case ENCRYPTED_DATA:
+			{
+				if (payload_length < ENCRYPTION_PAYLOAD_HEADER_LENGTH ||
+					!parse_chunk(this, rule_number, output + rule->offset,
+							payload_length - ENCRYPTION_PAYLOAD_HEADER_LENGTH))
+				{
+					pld->destroy(pld);
+					return PARSE_ERROR;
+				}
+				break;
+			}
+			case TS_TYPE:
+			{
+				if (!parse_uint8(this, rule_number, output + rule->offset))
+				{
+					pld->destroy(pld);
+					return PARSE_ERROR;
+				}
+				ts_type = *(u_int8_t*)(output + rule->offset);
+				break;
+			}
+			case ADDRESS:
+			{
+				int address_length = (ts_type == TS_IPV4_ADDR_RANGE) ? 4 : 16;
+
+				if (!parse_chunk(this, rule_number, output + rule->offset,
+								 address_length))
+				{
+					pld->destroy(pld);
+					return PARSE_ERROR;
+				}
+				break;
+			}
+			case TRAFFIC_SELECTORS:
+			{
+				if (payload_length < TS_PAYLOAD_HEADER_LENGTH ||
+					!parse_list(this, rule_number, output + rule->offset,
+								TRAFFIC_SELECTOR_SUBSTRUCTURE,
+								payload_length - TS_PAYLOAD_HEADER_LENGTH))
+				{
+					pld->destroy(pld);
+					return PARSE_ERROR;
+				}
+				break;
+			}
+			case UNKNOWN_DATA:
+			{
+				if (payload_length < UNKNOWN_PAYLOAD_HEADER_LENGTH ||
+					!parse_chunk(this, rule_number, output + rule->offset,
+								payload_length - UNKNOWN_PAYLOAD_HEADER_LENGTH))
+				{
+					pld->destroy(pld);
+					return PARSE_ERROR;
+				}
+				break;
+			}
+			default:
+			{
+				DBG1(DBG_ENC, "  no rule to parse rule %d %N",
+					 rule_number, encoding_type_names, rule->type);
+				pld->destroy(pld);
+				return PARSE_ERROR;
+			}
+		}
+		/* process next rulue */
+		rule++;
+	}
+
+	*payload = pld;
+	DBG2(DBG_ENC, "parsing %N payload finished",
+		 payload_type_names, payload_type);
+	return SUCCESS;
+}
+
+/**
+ * Implementation of parser_t.get_remaining_byte_count.
+ */
+static int get_remaining_byte_count (private_parser_t *this)
+{
+	return this->input_roof - this->byte_pos;
+}
+
+/**
+ * Implementation of parser_t.reset_context.
+ */
+static void reset_context (private_parser_t *this)
+{
+	this->byte_pos = this->input;
+	this->bit_pos = 0;
+}
+
+/**
+ * Implementation of parser_t.destroy.
+ */
+static void destroy(private_parser_t *this)
+{
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+parser_t *parser_create(chunk_t data)
+{
+	private_parser_t *this = malloc_thing(private_parser_t);
+
+	this->public.parse_payload = (status_t(*)(parser_t*,payload_type_t,payload_t**))parse_payload;
+	this->public.reset_context = (void(*)(parser_t*)) reset_context;
+	this->public.get_remaining_byte_count = (int (*) (parser_t *))get_remaining_byte_count;
+	this->public.destroy = (void(*)(parser_t*)) destroy;
+
+	this->input = data.ptr;
+	this->byte_pos = data.ptr;
+	this->bit_pos = 0;
+	this->input_roof = data.ptr + data.len;
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/encoding/parser.h b/src/libcharon/encoding/parser.h
new file mode 100644
index 000000000..27c5f03fe
--- /dev/null
+++ b/src/libcharon/encoding/parser.h
@@ -0,0 +1,79 @@
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup parser parser
+ * @{ @ingroup encoding
+ */
+
+#ifndef PARSER_H_
+#define PARSER_H_
+
+typedef struct parser_t parser_t;
+
+#include <library.h>
+#include <encoding/payloads/encodings.h>
+#include <encoding/payloads/payload.h>
+
+/**
+ * A parser_t class to parse IKEv2 payloads.
+ *
+ * A parser is used for parsing one chunk of data. Multiple
+ * payloads can be parsed out of the chunk using parse_payload.
+ * The parser remains the state until destroyed.
+ */
+struct parser_t {
+
+	/**
+	 * Parses the next payload.
+	 *
+	 * @warning Caller is responsible for freeing allocated payload.
+	 *
+	 * Rules for parsing are described in the payload definition.
+	 *
+	 * @param payload_type	payload type to parse
+	 * @param payload		pointer where parsed payload was allocated
+	 * @return
+	 * 						- SUCCESSFUL if succeeded,
+	 * 						- PARSE_ERROR if corrupted/invalid data found
+	 */
+	status_t (*parse_payload) (parser_t *this, payload_type_t payload_type, payload_t **payload);
+
+	/**
+	 * Gets the remaining byte count which is not currently parsed.
+	 */
+	int (*get_remaining_byte_count) (parser_t *this);
+
+	/**
+	 * Resets the current parser context.
+	 */
+	void (*reset_context) (parser_t *this);
+
+	/**
+	 * Destroys a parser_t object.
+	 */
+	void (*destroy) (parser_t *this);
+};
+
+/**
+ * Constructor to create a parser_t object.
+ *
+ * @param data		chunk of data to parse with this parser_t object
+ * @return 			parser_t object
+ */
+parser_t *parser_create(chunk_t data);
+
+#endif /** PARSER_H_ @}*/
diff --git a/src/libcharon/encoding/payloads/auth_payload.c b/src/libcharon/encoding/payloads/auth_payload.c
new file mode 100644
index 000000000..d31208abb
--- /dev/null
+++ b/src/libcharon/encoding/payloads/auth_payload.c
@@ -0,0 +1,259 @@
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "auth_payload.h"
+
+#include <encoding/payloads/encodings.h>
+
+
+typedef struct private_auth_payload_t private_auth_payload_t;
+
+/**
+ * Private data of an auth_payload_t object.
+ *
+ */
+struct private_auth_payload_t {
+
+	/**
+	 * Public auth_payload_t interface.
+	 */
+	auth_payload_t public;
+
+	/**
+	 * Next payload type.
+	 */
+	u_int8_t  next_payload;
+
+	/**
+	 * Critical flag.
+	 */
+	bool critical;
+
+	/**
+	 * Length of this payload.
+	 */
+	u_int16_t payload_length;
+
+	/**
+	 * Method of the AUTH Data.
+	 */
+	u_int8_t auth_method;
+
+	/**
+	 * The contained auth data value.
+	 */
+	chunk_t auth_data;
+};
+
+/**
+ * Encoding rules to parse or generate a AUTH payload
+ *
+ * The defined offsets are the positions in a object of type
+ * private_auth_payload_t.
+ */
+encoding_rule_t auth_payload_encodings[] = {
+	/* 1 Byte next payload type, stored in the field next_payload */
+	{ U_INT_8,			offsetof(private_auth_payload_t, next_payload) 	},
+	/* the critical bit */
+	{ FLAG,				offsetof(private_auth_payload_t, critical) 		},
+	/* 7 Bit reserved bits, nowhere stored */
+	{ RESERVED_BIT,		0 												},
+	{ RESERVED_BIT,		0 												},
+	{ RESERVED_BIT,		0 												},
+	{ RESERVED_BIT,		0 												},
+	{ RESERVED_BIT,		0 												},
+	{ RESERVED_BIT,		0 												},
+	{ RESERVED_BIT,		0 												},
+	/* Length of the whole payload*/
+	{ PAYLOAD_LENGTH,	offsetof(private_auth_payload_t, payload_length)},
+	/* 1 Byte AUTH type*/
+	{ U_INT_8,			offsetof(private_auth_payload_t, auth_method)	},
+	/* 3 reserved bytes */
+	{ RESERVED_BYTE,	0 												},
+	{ RESERVED_BYTE,	0 												},
+	{ RESERVED_BYTE,	0 												},
+	/* some auth data bytes, length is defined in PAYLOAD_LENGTH */
+	{ AUTH_DATA,		offsetof(private_auth_payload_t, auth_data) 	}
+};
+
+/*
+                           1                   2                   3
+       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      ! Next Payload  !C!  RESERVED   !         Payload Length        !
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      ! Auth Method   !                RESERVED                       !
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      !                                                               !
+      ~                      Authentication Data                      ~
+      !                                                               !
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+*/
+
+/**
+ * Implementation of payload_t.verify.
+ */
+static status_t verify(private_auth_payload_t *this)
+{
+	if (this->auth_method == 0 ||
+		(this->auth_method >= 4 && this->auth_method <= 8) ||
+		(this->auth_method >= 12 && this->auth_method <= 200))
+	{
+		/* reserved IDs */
+		return FAILED;
+	}
+	return SUCCESS;
+}
+
+/**
+ * Implementation of auth_payload_t.get_encoding_rules.
+ */
+static void get_encoding_rules(private_auth_payload_t *this, encoding_rule_t **rules, size_t *rule_count)
+{
+	*rules = auth_payload_encodings;
+	*rule_count = sizeof(auth_payload_encodings) / sizeof(encoding_rule_t);
+}
+
+/**
+ * Implementation of payload_t.get_type.
+ */
+static payload_type_t get_payload_type(private_auth_payload_t *this)
+{
+	return AUTHENTICATION;
+}
+
+/**
+ * Implementation of payload_t.get_next_type.
+ */
+static payload_type_t get_next_type(private_auth_payload_t *this)
+{
+	return (this->next_payload);
+}
+
+/**
+ * Implementation of payload_t.set_next_type.
+ */
+static void set_next_type(private_auth_payload_t *this,payload_type_t type)
+{
+	this->next_payload = type;
+}
+
+/**
+ * Implementation of payload_t.get_length.
+ */
+static size_t get_length(private_auth_payload_t *this)
+{
+	return this->payload_length;
+}
+
+/**
+ * Implementation of auth_payload_t.set_auth_method.
+ */
+static void set_auth_method (private_auth_payload_t *this, auth_method_t method)
+{
+	this->auth_method = method;
+}
+
+/**
+ * Implementation of auth_payload_t.get_auth_method.
+ */
+static auth_method_t get_auth_method (private_auth_payload_t *this)
+{
+	return (this->auth_method);
+}
+
+/**
+ * Implementation of auth_payload_t.set_data.
+ */
+static void set_data (private_auth_payload_t *this, chunk_t data)
+{
+	if (this->auth_data.ptr != NULL)
+	{
+		chunk_free(&(this->auth_data));
+	}
+	this->auth_data.ptr = clalloc(data.ptr,data.len);
+	this->auth_data.len = data.len;
+	this->payload_length = AUTH_PAYLOAD_HEADER_LENGTH + this->auth_data.len;
+}
+
+/**
+ * Implementation of auth_payload_t.get_data.
+ */
+static chunk_t get_data (private_auth_payload_t *this)
+{
+	return (this->auth_data);
+}
+
+/**
+ * Implementation of auth_payload_t.get_data_clone.
+ */
+static chunk_t get_data_clone (private_auth_payload_t *this)
+{
+	chunk_t cloned_data;
+	if (this->auth_data.ptr == NULL)
+	{
+		return (this->auth_data);
+	}
+	cloned_data.ptr = clalloc(this->auth_data.ptr,this->auth_data.len);
+	cloned_data.len = this->auth_data.len;
+	return cloned_data;
+}
+
+/**
+ * Implementation of payload_t.destroy and auth_payload_t.destroy.
+ */
+static void destroy(private_auth_payload_t *this)
+{
+	if (this->auth_data.ptr != NULL)
+	{
+		chunk_free(&(this->auth_data));
+	}
+
+	free(this);
+}
+
+/*
+ * Described in header
+ */
+auth_payload_t *auth_payload_create()
+{
+	private_auth_payload_t *this = malloc_thing(private_auth_payload_t);
+
+	/* interface functions */
+	this->public.payload_interface.verify = (status_t (*) (payload_t *))verify;
+	this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules;
+	this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length;
+	this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type;
+	this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
+	this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_payload_type;
+	this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
+
+	/* public functions */
+	this->public.destroy = (void (*) (auth_payload_t *)) destroy;
+	this->public.set_auth_method = (void (*) (auth_payload_t *,auth_method_t)) set_auth_method;
+	this->public.get_auth_method = (auth_method_t (*) (auth_payload_t *)) get_auth_method;
+	this->public.set_data = (void (*) (auth_payload_t *,chunk_t)) set_data;
+	this->public.get_data_clone = (chunk_t (*) (auth_payload_t *)) get_data_clone;
+	this->public.get_data = (chunk_t (*) (auth_payload_t *)) get_data;
+
+	/* private variables */
+	this->critical = FALSE;
+	this->next_payload = NO_PAYLOAD;
+	this->payload_length =AUTH_PAYLOAD_HEADER_LENGTH;
+	this->auth_data = chunk_empty;
+
+	return (&(this->public));
+}
diff --git a/src/libcharon/encoding/payloads/auth_payload.h b/src/libcharon/encoding/payloads/auth_payload.h
new file mode 100644
index 000000000..37ee149db
--- /dev/null
+++ b/src/libcharon/encoding/payloads/auth_payload.h
@@ -0,0 +1,102 @@
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup auth_payload auth_payload
+ * @{ @ingroup payloads
+ */
+
+#ifndef AUTH_PAYLOAD_H_
+#define AUTH_PAYLOAD_H_
+
+typedef struct auth_payload_t auth_payload_t;
+
+#include <library.h>
+#include <encoding/payloads/payload.h>
+#include <sa/authenticators/authenticator.h>
+
+/**
+ * Length of a auth payload without the auth data in bytes.
+ */
+#define AUTH_PAYLOAD_HEADER_LENGTH 8
+
+/**
+ * Class representing an IKEv2 AUTH payload.
+ *
+ * The AUTH payload format is described in RFC section 3.8.
+ */
+struct auth_payload_t {
+
+	/**
+	 * The payload_t interface.
+	 */
+	payload_t payload_interface;
+
+	/**
+	 * Set the AUTH method.
+	 *
+	 * @param method		auth_method_t to use
+	 */
+	void (*set_auth_method) (auth_payload_t *this, auth_method_t method);
+
+	/**
+	 * Get the AUTH method.
+	 *
+	 * @return				auth_method_t used
+	 */
+	auth_method_t (*get_auth_method) (auth_payload_t *this);
+
+	/**
+	 * Set the AUTH data.
+	 *
+	 * Data gets cloned.
+	 *
+	 * @param data			AUTH data as chunk_t
+	 */
+	void (*set_data) (auth_payload_t *this, chunk_t data);
+
+	/**
+	 * Get the AUTH data.
+	 *
+	 * Returned data are a copy of the internal one.
+	 *
+	 * @return				AUTH data as chunk_t
+	 */
+	chunk_t (*get_data_clone) (auth_payload_t *this);
+
+	/**
+	 * Get the AUTH data.
+	 *
+	 * Returned data are NOT copied
+	 *
+	 * @return				AUTH data as chunk_t
+	 */
+	chunk_t (*get_data) (auth_payload_t *this);
+
+	/**
+	 * Destroys an auth_payload_t object.
+	 */
+	void (*destroy) (auth_payload_t *this);
+};
+
+/**
+ * Creates an empty auth_payload_t object.
+ *
+ * @return auth_payload_t object
+ */
+auth_payload_t *auth_payload_create(void);
+
+#endif /** AUTH_PAYLOAD_H_ @}*/
diff --git a/src/libcharon/encoding/payloads/cert_payload.c b/src/libcharon/encoding/payloads/cert_payload.c
new file mode 100644
index 000000000..6dd3141f0
--- /dev/null
+++ b/src/libcharon/encoding/payloads/cert_payload.c
@@ -0,0 +1,340 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2005-2007 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <stddef.h>
+#include <ctype.h>
+
+#include <daemon.h>
+
+#include "cert_payload.h"
+
+ENUM(cert_encoding_names, ENC_PKCS7_WRAPPED_X509, ENC_OCSP_CONTENT,
+	"ENC_PKCS7_WRAPPED_X509",
+	"ENC_PGP",
+	"ENC_DNS_SIGNED_KEY",
+	"ENC_X509_SIGNATURE",
+	"ENC_X509_KEY_EXCHANGE",
+	"ENC_KERBEROS_TOKENS",
+	"ENC_CRL",
+	"ENC_ARL",
+	"ENC_SPKI",
+	"ENC_X509_ATTRIBUTE",
+	"ENC_RAW_RSA_KEY",
+	"ENC_X509_HASH_AND_URL",
+	"ENC_X509_HASH_AND_URL_BUNDLE",
+	"ENC_OCSP_CONTENT",
+);
+
+typedef struct private_cert_payload_t private_cert_payload_t;
+
+/**
+ * Private data of an cert_payload_t object.
+ *
+ */
+struct private_cert_payload_t {
+	/**
+	 * Public cert_payload_t interface.
+	 */
+	cert_payload_t public;
+
+	/**
+	 * Next payload type.
+	 */
+	u_int8_t  next_payload;
+
+	/**
+	 * Critical flag.
+	 */
+	bool critical;
+
+	/**
+	 * Length of this payload.
+	 */
+	u_int16_t payload_length;
+
+	/**
+	 * Encoding of the CERT Data.
+	 */
+	u_int8_t encoding;
+
+	/**
+	 * The contained cert data value.
+	 */
+	chunk_t data;
+
+	/**
+	 * TRUE if the "Hash and URL" data is invalid
+	 */
+	bool invalid_hash_and_url;
+};
+
+/**
+ * Encoding rules to parse or generate a CERT payload
+ *
+ * The defined offsets are the positions in a object of type
+ * private_cert_payload_t.
+ *
+ */
+encoding_rule_t cert_payload_encodings[] = {
+	/* 1 Byte next payload type, stored in the field next_payload */
+	{ U_INT_8,			offsetof(private_cert_payload_t, next_payload) 	},
+	/* the critical bit */
+	{ FLAG,				offsetof(private_cert_payload_t, critical) 		},
+	/* 7 Bit reserved bits, nowhere stored */
+	{ RESERVED_BIT,	0 													},
+	{ RESERVED_BIT,	0 													},
+	{ RESERVED_BIT,	0 													},
+	{ RESERVED_BIT,	0 													},
+	{ RESERVED_BIT,	0 													},
+	{ RESERVED_BIT,	0 													},
+	{ RESERVED_BIT,	0 													},
+	/* Length of the whole payload*/
+	{ PAYLOAD_LENGTH,	offsetof(private_cert_payload_t, payload_length)},
+	/* 1 Byte CERT type*/
+	{ U_INT_8,			offsetof(private_cert_payload_t, encoding)		},
+	/* some cert data bytes, length is defined in PAYLOAD_LENGTH */
+	{ CERT_DATA,		offsetof(private_cert_payload_t, data) 			}
+};
+
+/*
+                           1                   2                   3
+       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      ! Next Payload  !C!  RESERVED   !         Payload Length        !
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      ! Cert Encoding !                                               !
+      +-+-+-+-+-+-+-+-+                                               !
+      ~                       Certificate Data                        ~
+      !                                                               !
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+*/
+
+/**
+ * Implementation of payload_t.verify.
+ */
+static status_t verify(private_cert_payload_t *this)
+{
+	if (this->encoding == ENC_X509_HASH_AND_URL ||
+		this->encoding == ENC_X509_HASH_AND_URL_BUNDLE)
+	{
+		/* coarse verification of "Hash and URL" encoded certificates */
+		if (this->data.len <= 20)
+		{
+			DBG1(DBG_ENC, "invalid payload length for hash-and-url (%d), ignore",
+					this->data.len);
+			this->invalid_hash_and_url = TRUE;
+			return SUCCESS;
+		}
+
+		int i = 20; /* skipping the hash */
+		for (; i < this->data.len; ++i)
+		{
+			if (this->data.ptr[i] == '\0')
+			{
+				/* null terminated, fine */
+				return SUCCESS;
+			}
+			else if (!isprint(this->data.ptr[i]))
+			{
+				DBG1(DBG_ENC, "non printable characters in url of hash-and-url"
+						" encoded certificate payload, ignore");
+				this->invalid_hash_and_url = TRUE;
+				return SUCCESS;
+			}
+		}
+
+		/* URL is not null terminated, correct that */
+		chunk_t data = chunk_alloc(this->data.len + 1);
+		memcpy(data.ptr, this->data.ptr, this->data.len);
+		data.ptr[this->data.len] = '\0';
+		chunk_free(&this->data);
+		this->data = data;
+	}
+	return SUCCESS;
+}
+
+/**
+ * Implementation of cert_payload_t.get_encoding_rules.
+ */
+static void get_encoding_rules(private_cert_payload_t *this,
+							   encoding_rule_t **rules, size_t *rule_count)
+{
+	*rules = cert_payload_encodings;
+	*rule_count = sizeof(cert_payload_encodings) / sizeof(encoding_rule_t);
+}
+
+/**
+ * Implementation of payload_t.get_type.
+ */
+static payload_type_t get_payload_type(private_cert_payload_t *this)
+{
+	return CERTIFICATE;
+}
+
+/**
+ * Implementation of payload_t.get_next_type.
+ */
+static payload_type_t get_next_type(private_cert_payload_t *this)
+{
+	return this->next_payload;
+}
+
+/**
+ * Implementation of payload_t.set_next_type.
+ */
+static void set_next_type(private_cert_payload_t *this,payload_type_t type)
+{
+	this->next_payload = type;
+}
+
+/**
+ * Implementation of payload_t.get_length.
+ */
+static size_t get_length(private_cert_payload_t *this)
+{
+	return this->payload_length;
+}
+
+/**
+ * Implementation of cert_payload_t.get_cert_encoding.
+ */
+static cert_encoding_t get_cert_encoding(private_cert_payload_t *this)
+{
+	return this->encoding;
+}
+
+/**
+ * Implementation of cert_payload_t.get_cert.
+ */
+static certificate_t *get_cert(private_cert_payload_t *this)
+{
+	if (this->encoding != ENC_X509_SIGNATURE)
+	{
+		return NULL;
+	}
+	return lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+							  BUILD_BLOB_ASN1_DER, this->data,
+							  BUILD_END);
+}
+
+/**
+ * Implementation of cert_payload_t.get_hash.
+ */
+static chunk_t get_hash(private_cert_payload_t *this)
+{
+	chunk_t hash = chunk_empty;
+	if ((this->encoding != ENC_X509_HASH_AND_URL &&
+		this->encoding != ENC_X509_HASH_AND_URL_BUNDLE) ||
+		this->invalid_hash_and_url)
+	{
+		return hash;
+	}
+	hash.ptr = this->data.ptr;
+	hash.len = 20;
+	return hash;
+}
+
+/**
+ * Implementation of cert_payload_t.get_url.
+ */
+static char *get_url(private_cert_payload_t *this)
+{
+	if ((this->encoding != ENC_X509_HASH_AND_URL &&
+		this->encoding != ENC_X509_HASH_AND_URL_BUNDLE) ||
+		this->invalid_hash_and_url)
+	{
+		return NULL;
+	}
+	return (char*)this->data.ptr + 20;
+}
+
+/**
+ * Implementation of payload_t.destroy and cert_payload_t.destroy.
+ */
+static void destroy(private_cert_payload_t *this)
+{
+	chunk_free(&this->data);
+	free(this);
+}
+
+/*
+ * Described in header
+ */
+cert_payload_t *cert_payload_create()
+{
+	private_cert_payload_t *this = malloc_thing(private_cert_payload_t);
+
+	this->public.payload_interface.verify = (status_t (*) (payload_t*))verify;
+	this->public.payload_interface.get_encoding_rules = (void (*) (payload_t*,encoding_rule_t**, size_t*))get_encoding_rules;
+	this->public.payload_interface.get_length = (size_t (*) (payload_t*))get_length;
+	this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t*))get_next_type;
+	this->public.payload_interface.set_next_type = (void (*) (payload_t*,payload_type_t))set_next_type;
+	this->public.payload_interface.get_type = (payload_type_t (*) (payload_t*))get_payload_type;
+	this->public.payload_interface.destroy = (void (*) (payload_t*))destroy;
+
+	this->public.destroy = (void (*) (cert_payload_t*))destroy;
+	this->public.get_cert = (certificate_t* (*) (cert_payload_t*))get_cert;
+	this->public.get_cert_encoding = (cert_encoding_t (*) (cert_payload_t*))get_cert_encoding;
+	this->public.get_hash = (chunk_t (*) (cert_payload_t*))get_hash;
+	this->public.get_url = (char* (*) (cert_payload_t*))get_url;
+
+	this->critical = FALSE;
+	this->next_payload = NO_PAYLOAD;
+	this->payload_length = CERT_PAYLOAD_HEADER_LENGTH;
+	this->data = chunk_empty;
+	this->encoding = 0;
+	this->invalid_hash_and_url = FALSE;
+
+	return &this->public;
+}
+
+/*
+ * Described in header
+ */
+cert_payload_t *cert_payload_create_from_cert(certificate_t *cert)
+{
+	private_cert_payload_t *this = (private_cert_payload_t*)cert_payload_create();
+
+	switch (cert->get_type(cert))
+	{
+		case CERT_X509:
+			this->encoding = ENC_X509_SIGNATURE;
+			break;
+		default:
+			DBG1(DBG_ENC, "embedding %N certificate in payload failed",
+				 certificate_type_names, cert->get_type(cert));
+			free(this);
+			return NULL;
+	}
+	this->data = cert->get_encoding(cert);
+	this->payload_length = CERT_PAYLOAD_HEADER_LENGTH + this->data.len;
+	return &this->public;
+}
+
+/*
+ * Described in header
+ */
+cert_payload_t *cert_payload_create_from_hash_and_url(chunk_t hash, char *url)
+{
+	private_cert_payload_t *this = (private_cert_payload_t*)cert_payload_create();
+
+	this->encoding = ENC_X509_HASH_AND_URL;
+	this->data = chunk_cat("cc", hash, chunk_create(url, strlen(url)));
+	this->payload_length = CERT_PAYLOAD_HEADER_LENGTH + this->data.len;
+	return &this->public;
+}
+
diff --git a/src/libcharon/encoding/payloads/cert_payload.h b/src/libcharon/encoding/payloads/cert_payload.h
new file mode 100644
index 000000000..aa1c7bf5a
--- /dev/null
+++ b/src/libcharon/encoding/payloads/cert_payload.h
@@ -0,0 +1,137 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2005-2007 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup cert_payload cert_payload
+ * @{ @ingroup payloads
+ */
+
+#ifndef CERT_PAYLOAD_H_
+#define CERT_PAYLOAD_H_
+
+typedef struct cert_payload_t cert_payload_t;
+typedef enum cert_encoding_t cert_encoding_t;
+
+#include <library.h>
+#include <credentials/certificates/certificate.h>
+#include <encoding/payloads/payload.h>
+
+/**
+ * Length of a cert payload without the cert data in bytes.
+ */
+#define CERT_PAYLOAD_HEADER_LENGTH 5
+
+/**
+ * Certifcate encodings, as in RFC4306
+ */
+enum cert_encoding_t {
+	ENC_PKCS7_WRAPPED_X509 =		 1,
+	ENC_PGP =						 2,
+	ENC_DNS_SIGNED_KEY =			 3,
+	ENC_X509_SIGNATURE =			 4,
+	ENC_KERBEROS_TOKEN	=			 6,
+	ENC_CRL =						 7,
+	ENC_ARL =						 8,
+	ENC_SPKI =						 9,
+	ENC_X509_ATTRIBUTE =			10,
+	ENC_RAW_RSA_KEY =				11,
+	ENC_X509_HASH_AND_URL =			12,
+	ENC_X509_HASH_AND_URL_BUNDLE =	13,
+	ENC_OCSP_CONTENT =				14,  /* from RFC 4806 */
+};
+
+/**
+ * Enum names for cert_encoding_t
+ */
+extern enum_name_t *cert_encoding_names;
+
+/**
+ * Class representing an IKEv2 CERT payload.
+ *
+ * The CERT payload format is described in RFC section 3.6.
+ */
+struct cert_payload_t {
+
+	/**
+	 * The payload_t interface.
+	 */
+	payload_t payload_interface;
+
+	/**
+	 * Get the playoads encoded certifcate.
+	 *
+	 * @return				certifcate copy
+	 */
+	certificate_t *(*get_cert)(cert_payload_t *this);
+
+	/**
+	 * Get the encoding of the certificate.
+	 *
+	 * @return				encoding
+	 */
+	cert_encoding_t (*get_cert_encoding)(cert_payload_t *this);
+
+	/**
+	 * Get the hash if this is a hash and URL encoded certificate.
+	 *
+	 * This function returns internal data, do not free.
+	 *
+	 * @return				hash
+	 */
+	chunk_t (*get_hash)(cert_payload_t *this);
+
+	/**
+	 * Get the URL if this is a hash and URL encoded certificate.
+	 *
+	 * This function returns internal data, do not free.
+	 *
+	 * @return				url
+	 */
+	char *(*get_url)(cert_payload_t *this);
+
+
+	/**
+	 * Destroys the cert_payload object.
+	 */
+	void (*destroy) (cert_payload_t *this);
+};
+
+/**
+ * Creates an empty certificate payload.
+ *
+ * @return					cert_payload_t object
+ */
+cert_payload_t *cert_payload_create(void);
+
+/**
+ * Creates a certificate payload with an embedded certificate.
+ *
+ * @param cert				certificate to embed
+ * @return					cert_payload_t object
+ */
+cert_payload_t *cert_payload_create_from_cert(certificate_t *cert);
+
+/**
+ * Creates a certificate payload with hash and URL encoding of a certificate.
+ *
+ * @param hash				hash of the DER encoded certificate (get's cloned)
+ * @param url				the URL to locate the certificate (get's cloned)
+ * @return					cert_payload_t object
+ */
+cert_payload_t *cert_payload_create_from_hash_and_url(chunk_t hash, char *url);
+
+#endif /** CERT_PAYLOAD_H_ @}*/
diff --git a/src/libcharon/encoding/payloads/certreq_payload.c b/src/libcharon/encoding/payloads/certreq_payload.c
new file mode 100644
index 000000000..9ff0bdde0
--- /dev/null
+++ b/src/libcharon/encoding/payloads/certreq_payload.c
@@ -0,0 +1,298 @@
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <stddef.h>
+
+#include <daemon.h>
+#include <crypto/hashers/hasher.h>
+#include <encoding/payloads/cert_payload.h>
+
+#include "certreq_payload.h"
+
+
+typedef struct private_certreq_payload_t private_certreq_payload_t;
+
+/**
+ * Private data of an certreq_payload_t object.
+ *
+ */
+struct private_certreq_payload_t {
+	/**
+	 * Public certreq_payload_t interface.
+	 */
+	certreq_payload_t public;
+
+	/**
+	 * Next payload type.
+	 */
+	u_int8_t  next_payload;
+
+	/**
+	 * Critical flag.
+	 */
+	bool critical;
+
+	/**
+	 * Length of this payload.
+	 */
+	u_int16_t payload_length;
+
+	/**
+	 * Encoding of the CERT Data.
+	 */
+	u_int8_t encoding;
+
+	/**
+	 * The contained certreq data value.
+	 */
+	chunk_t data;
+};
+
+/**
+ * Encoding rules to parse or generate a CERTREQ payload
+ *
+ * The defined offsets are the positions in a object of type
+ * private_certreq_payload_t.
+ *
+ */
+encoding_rule_t certreq_payload_encodings[] = {
+	/* 1 Byte next payload type, stored in the field next_payload */
+	{ U_INT_8,			offsetof(private_certreq_payload_t, next_payload) 	},
+	/* the critical bit */
+	{ FLAG,				offsetof(private_certreq_payload_t, critical) 		},
+	/* 7 Bit reserved bits, nowhere stored */
+	{ RESERVED_BIT,	0 														},
+	{ RESERVED_BIT,	0 														},
+	{ RESERVED_BIT,	0 														},
+	{ RESERVED_BIT,	0 														},
+	{ RESERVED_BIT,	0 														},
+	{ RESERVED_BIT,	0 														},
+	{ RESERVED_BIT,	0 														},
+	/* Length of the whole payload*/
+	{ PAYLOAD_LENGTH,	offsetof(private_certreq_payload_t, payload_length)	},
+	/* 1 Byte CERTREQ type*/
+	{ U_INT_8,			offsetof(private_certreq_payload_t, encoding)		},
+	/* some certreq data bytes, length is defined in PAYLOAD_LENGTH */
+	{ CERTREQ_DATA,		offsetof(private_certreq_payload_t, data)			}
+};
+
+/*
+                           1                   2                   3
+       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      ! Next Payload  !C!  RESERVED   !         Payload Length        !
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      ! Cert Encoding !                                               !
+      +-+-+-+-+-+-+-+-+                                               !
+      ~                    Certification Authority                    ~
+      !                                                               !
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+*/
+
+/**
+ * Implementation of payload_t.verify.
+ */
+static status_t verify(private_certreq_payload_t *this)
+{
+	if (this->encoding == ENC_X509_SIGNATURE)
+	{
+		if (this->data.len < HASH_SIZE_SHA1 ||
+			this->data.len % HASH_SIZE_SHA1)
+		{
+			DBG1(DBG_ENC, "invalid X509 hash length (%d) in certreq",
+				 this->data.len);
+			return FAILED;
+		}
+	}
+	return SUCCESS;
+}
+
+/**
+ * Implementation of certreq_payload_t.get_encoding_rules.
+ */
+static void get_encoding_rules(private_certreq_payload_t *this, encoding_rule_t **rules, size_t *rule_count)
+{
+	*rules = certreq_payload_encodings;
+	*rule_count = sizeof(certreq_payload_encodings) / sizeof(encoding_rule_t);
+}
+
+/**
+ * Implementation of payload_t.get_type.
+ */
+static payload_type_t get_payload_type(private_certreq_payload_t *this)
+{
+	return CERTIFICATE_REQUEST;
+}
+
+/**
+ * Implementation of payload_t.get_next_type.
+ */
+static payload_type_t get_next_type(private_certreq_payload_t *this)
+{
+	return (this->next_payload);
+}
+
+/**
+ * Implementation of payload_t.set_next_type.
+ */
+static void set_next_type(private_certreq_payload_t *this,payload_type_t type)
+{
+	this->next_payload = type;
+}
+
+/**
+ * Implementation of payload_t.get_length.
+ */
+static size_t get_length(private_certreq_payload_t *this)
+{
+	return this->payload_length;
+}
+
+/**
+ * Implementation of certreq_payload_t.add_keyid.
+ */
+static void add_keyid(private_certreq_payload_t *this, chunk_t keyid)
+{
+	this->data = chunk_cat("mc", this->data, keyid);
+	this->payload_length += keyid.len;
+}
+
+typedef struct keyid_enumerator_t keyid_enumerator_t;
+
+/**
+ * enumerator to enumerate keyids
+ */
+struct keyid_enumerator_t  {
+	enumerator_t public;
+	chunk_t full;
+	u_char *pos;
+};
+
+/**
+ * enumerate function for keyid_enumerator
+ */
+static bool keyid_enumerate(keyid_enumerator_t *this, chunk_t *chunk)
+{
+	if (this->pos == NULL)
+	{
+		this->pos = this->full.ptr;
+	}
+	else
+	{
+		this->pos += HASH_SIZE_SHA1;
+		if (this->pos > (this->full.ptr + this->full.len - HASH_SIZE_SHA1))
+		{
+			this->pos = NULL;
+		}
+	}
+	if (this->pos)
+	{
+		chunk->ptr = this->pos;
+		chunk->len = HASH_SIZE_SHA1;
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/**
+ * Implementation of certreq_payload_t.create_keyid_enumerator.
+ */
+static enumerator_t* create_keyid_enumerator(private_certreq_payload_t *this)
+{
+	keyid_enumerator_t *enumerator = malloc_thing(keyid_enumerator_t);
+	enumerator->public.enumerate = (void*)keyid_enumerate;
+	enumerator->public.destroy = (void*)free;
+	enumerator->full = this->data;
+	enumerator->pos = NULL;
+	return &enumerator->public;
+}
+
+/**
+ * Implementation of certreq_payload_t.get_cert_type.
+ */
+static certificate_type_t get_cert_type(private_certreq_payload_t *this)
+{
+	switch (this->encoding)
+	{
+		case ENC_X509_SIGNATURE:
+			return CERT_X509;
+		default:
+			return CERT_ANY;
+	}
+}
+
+/**
+ * Implementation of payload_t.destroy and certreq_payload_t.destroy.
+ */
+static void destroy(private_certreq_payload_t *this)
+{
+	chunk_free(&this->data);
+	free(this);
+}
+
+/*
+ * Described in header
+ */
+certreq_payload_t *certreq_payload_create()
+{
+	private_certreq_payload_t *this = malloc_thing(private_certreq_payload_t);
+
+	/* interface functions */
+	this->public.payload_interface.verify = (status_t (*) (payload_t*))verify;
+	this->public.payload_interface.get_encoding_rules = (void (*) (payload_t*,encoding_rule_t**,size_t*))get_encoding_rules;
+	this->public.payload_interface.get_length = (size_t (*) (payload_t*))get_length;
+	this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t*))get_next_type;
+	this->public.payload_interface.set_next_type = (void (*) (payload_t*,payload_type_t))set_next_type;
+	this->public.payload_interface.get_type = (payload_type_t (*) (payload_t*))get_payload_type;
+	this->public.payload_interface.destroy = (void (*) (payload_t*))destroy;
+
+	/* public functions */
+	this->public.destroy = (void (*) (certreq_payload_t*)) destroy;
+	this->public.create_keyid_enumerator = (enumerator_t*(*)(certreq_payload_t*))create_keyid_enumerator;
+		this->public.get_cert_type = (certificate_type_t(*)(certreq_payload_t*))get_cert_type;
+	this->public.add_keyid = (void(*)(certreq_payload_t*, chunk_t keyid))add_keyid;
+
+	/* private variables */
+	this->critical = FALSE;
+	this->next_payload = NO_PAYLOAD;
+	this->payload_length = CERTREQ_PAYLOAD_HEADER_LENGTH;
+	this->data = chunk_empty;
+	this->encoding = 0;
+
+	return &this->public;
+}
+
+/*
+ * Described in header
+ */
+certreq_payload_t *certreq_payload_create_type(certificate_type_t type)
+{
+	private_certreq_payload_t *this = (private_certreq_payload_t*)certreq_payload_create();
+
+	switch (type)
+	{
+		case CERT_X509:
+			this->encoding = ENC_X509_SIGNATURE;
+			break;
+		default:
+			DBG1(DBG_ENC, "certificate type %N not supported in requests",
+				 certificate_type_names, type);
+			free(this);
+			return NULL;
+	}
+	return &this->public;
+}
+
diff --git a/src/libcharon/encoding/payloads/certreq_payload.h b/src/libcharon/encoding/payloads/certreq_payload.h
new file mode 100644
index 000000000..914063628
--- /dev/null
+++ b/src/libcharon/encoding/payloads/certreq_payload.h
@@ -0,0 +1,90 @@
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup certreq_payload certreq_payload
+ * @{ @ingroup payloads
+ */
+
+#ifndef CERTREQ_PAYLOAD_H_
+#define CERTREQ_PAYLOAD_H_
+
+typedef struct certreq_payload_t certreq_payload_t;
+
+#include <library.h>
+#include <encoding/payloads/payload.h>
+#include <encoding/payloads/cert_payload.h>
+
+/**
+ * Length of a CERTREQ payload without the CERTREQ data in bytes.
+ */
+#define CERTREQ_PAYLOAD_HEADER_LENGTH 5
+
+/**
+ * Class representing an IKEv2 CERTREQ payload.
+ *
+ * The CERTREQ payload format is described in RFC section 3.7.
+ */
+struct certreq_payload_t {
+	/**
+	 * The payload_t interface.
+	 */
+	payload_t payload_interface;
+
+	/**
+	 * Create an enumerator over contained keyids.
+	 *
+	 * @return			enumerator over chunk_t's.
+	 */
+	enumerator_t* (*create_keyid_enumerator)(certreq_payload_t *this);
+
+	/**
+	 * Get the type of contained certificate keyids.
+	 *
+	 * @return			certificate keyid type
+	 */
+	certificate_type_t (*get_cert_type)(certreq_payload_t *this);
+
+	/**
+	 * Add a certificates keyid to the payload.
+	 *
+	 * @param keyid		keyid of the trusted certifcate
+	 * @return
+	 */
+	void (*add_keyid)(certreq_payload_t *this, chunk_t keyid);
+
+	/**
+	 * Destroys an certreq_payload_t object.
+	 */
+	void (*destroy) (certreq_payload_t *this);
+};
+
+/**
+ * Creates an empty certreq_payload_t object.
+ *
+ * @return 				certreq payload
+ */
+certreq_payload_t *certreq_payload_create(void);
+
+/**
+ * Creates an empty certreq_payload_t for a kind of certificates.
+ *
+ * @param type			type of the added keyids
+ * @return 				certreq payload
+ */
+certreq_payload_t *certreq_payload_create_type(certificate_type_t type);
+
+#endif /** CERTREQ_PAYLOAD_H_ @}*/
diff --git a/src/libcharon/encoding/payloads/configuration_attribute.c b/src/libcharon/encoding/payloads/configuration_attribute.c
new file mode 100644
index 000000000..9094fd44d
--- /dev/null
+++ b/src/libcharon/encoding/payloads/configuration_attribute.c
@@ -0,0 +1,264 @@
+/*
+ * Copyright (C) 2005-2009 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <stddef.h>
+
+#include "configuration_attribute.h"
+
+#include <encoding/payloads/encodings.h>
+#include <library.h>
+#include <daemon.h>
+
+
+typedef struct private_configuration_attribute_t private_configuration_attribute_t;
+
+/**
+ * Private data of an configuration_attribute_t object.
+ *
+ */
+struct private_configuration_attribute_t {
+	/**
+	 * Public configuration_attribute_t interface.
+	 */
+	configuration_attribute_t public;
+
+	/**
+	 * Type of the attribute.
+	 */
+	u_int16_t type;
+
+	/**
+	 * Length of the attribute.
+	 */
+	u_int16_t length;
+
+	/**
+	 * Attribute value as chunk.
+	 */
+	chunk_t value;
+};
+
+/**
+ * Encoding rules to parse or generate a configuration attribute.
+ *
+ * The defined offsets are the positions in a object of type
+ * private_configuration_attribute_t.
+ */
+encoding_rule_t configuration_attribute_encodings[] = {
+
+	{ RESERVED_BIT,						0													},
+	/* type of the attribute as 15 bit unsigned integer */
+	{ ATTRIBUTE_TYPE,					offsetof(private_configuration_attribute_t, type)	},
+	/* Length of attribute value */
+	{ CONFIGURATION_ATTRIBUTE_LENGTH,	offsetof(private_configuration_attribute_t, length)	},
+	/* Value of attribute if attribute format flag is zero */
+	{ CONFIGURATION_ATTRIBUTE_VALUE,	offsetof(private_configuration_attribute_t, value)	}
+};
+
+/*
+                           1                   2                   3
+       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      !R|         Attribute Type      !            Length             |
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      |                                                               |
+      ~                             Value                             ~
+      |                                                               |
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+*/
+
+/**
+ * Implementation of payload_t.verify.
+ */
+static status_t verify(private_configuration_attribute_t *this)
+{
+	bool failed = FALSE;
+
+	if (this->length != this->value.len)
+	{
+		DBG1(DBG_ENC, "invalid attribute length");
+		return FAILED;
+	}
+
+	switch (this->type)
+	{
+		 case INTERNAL_IP4_ADDRESS:
+		 case INTERNAL_IP4_NETMASK:
+		 case INTERNAL_IP4_DNS:
+		 case INTERNAL_IP4_NBNS:
+		 case INTERNAL_ADDRESS_EXPIRY:
+		 case INTERNAL_IP4_DHCP:
+			if (this->length != 0 && this->length != 4)
+			{
+				failed = TRUE;
+			}
+			break;
+		 case INTERNAL_IP4_SUBNET:
+			if (this->length != 0 && this->length != 8)
+			{
+				failed = TRUE;
+			}
+			break;
+		 case INTERNAL_IP6_ADDRESS:
+		 case INTERNAL_IP6_SUBNET:
+			if (this->length != 0 && this->length != 17)
+			{
+				failed = TRUE;
+			}
+			break;
+		 case INTERNAL_IP6_DNS:
+		 case INTERNAL_IP6_NBNS:
+		 case INTERNAL_IP6_DHCP:
+			if (this->length != 0 && this->length != 16)
+			{
+				failed = TRUE;
+			}
+			break;
+		 case SUPPORTED_ATTRIBUTES:
+			if (this->length % 2)
+			{
+				failed = TRUE;
+			}
+			break;
+		 case APPLICATION_VERSION:
+			/* any length acceptable */
+			break;
+		 default:
+			DBG1(DBG_ENC, "unknown attribute type %N",
+				 configuration_attribute_type_names, this->type);
+			break;
+	}
+
+	if (failed)
+	{
+		DBG1(DBG_ENC, "invalid attribute length %d for %N",
+			 this->length, configuration_attribute_type_names, this->type);
+		return FAILED;
+	}
+	return SUCCESS;
+}
+
+/**
+ * Implementation of payload_t.get_encoding_rules.
+ */
+static void get_encoding_rules(private_configuration_attribute_t *this,
+							   encoding_rule_t **rules, size_t *rule_count)
+{
+	*rules = configuration_attribute_encodings;
+	*rule_count = sizeof(configuration_attribute_encodings) / sizeof(encoding_rule_t);
+}
+
+/**
+ * Implementation of payload_t.get_type.
+ */
+static payload_type_t get_type(private_configuration_attribute_t *this)
+{
+	return CONFIGURATION_ATTRIBUTE;
+}
+
+/**
+ * Implementation of payload_t.get_next_type.
+ */
+static payload_type_t get_next_type(private_configuration_attribute_t *this)
+{
+	return NO_PAYLOAD;
+}
+
+/**
+ * Implementation of payload_t.set_next_type.
+ */
+static void set_next_type(private_configuration_attribute_t *this,
+						  payload_type_t type)
+{
+}
+
+/**
+ * Implementation of configuration_attribute_t.get_length.
+ */
+static size_t get_length(private_configuration_attribute_t *this)
+{
+	return this->value.len + CONFIGURATION_ATTRIBUTE_HEADER_LENGTH;
+}
+
+/**
+ * Implementation of configuration_attribute_t.get_type.
+ */
+static configuration_attribute_type_t get_configuration_attribute_type(
+									private_configuration_attribute_t *this)
+{
+	return this->type;
+}
+
+/**
+ * Implementation of configuration_attribute_t.get_value.
+ */
+static chunk_t get_value(private_configuration_attribute_t *this)
+{
+	return this->value;
+}
+
+/**
+ * Implementation of configuration_attribute_t.destroy and payload_t.destroy.
+ */
+static void destroy(private_configuration_attribute_t *this)
+{
+	free(this->value.ptr);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+configuration_attribute_t *configuration_attribute_create()
+{
+	private_configuration_attribute_t *this;
+
+	this = malloc_thing(private_configuration_attribute_t);
+	this->public.payload_interface.verify = (status_t(*)(payload_t *))verify;
+	this->public.payload_interface.get_encoding_rules = (void(*)(payload_t *, encoding_rule_t **, size_t *) )get_encoding_rules;
+	this->public.payload_interface.get_length = (size_t(*)(payload_t *))get_length;
+	this->public.payload_interface.get_next_type = (payload_type_t(*)(payload_t *))get_next_type;
+	this->public.payload_interface.set_next_type = (void(*)(payload_t *,payload_type_t))set_next_type;
+	this->public.payload_interface.get_type = (payload_type_t(*)(payload_t *))get_type;
+	this->public.payload_interface.destroy = (void(*)(payload_t*))destroy;
+
+	this->public.get_value = (chunk_t(*)(configuration_attribute_t *))get_value;
+	this->public.get_type = (configuration_attribute_type_t(*)(configuration_attribute_t *))get_configuration_attribute_type;
+	this->public.destroy = (void (*)(configuration_attribute_t*))destroy;
+
+	this->type = 0;
+	this->value = chunk_empty;
+	this->length = 0;
+
+	return &this->public;
+}
+
+/*
+ * Described in header.
+ */
+configuration_attribute_t *configuration_attribute_create_value(
+							configuration_attribute_type_t type, chunk_t value)
+{
+	private_configuration_attribute_t *this;
+
+	this = (private_configuration_attribute_t*)configuration_attribute_create();
+	this->type = ((u_int16_t)type) & 0x7FFF;
+	this->value = chunk_clone(value);
+	this->length = value.len;
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/encoding/payloads/configuration_attribute.h b/src/libcharon/encoding/payloads/configuration_attribute.h
new file mode 100644
index 000000000..6e4b018bb
--- /dev/null
+++ b/src/libcharon/encoding/payloads/configuration_attribute.h
@@ -0,0 +1,85 @@
+/*
+ * Copyright (C) 2005-2009 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup configuration_attribute configuration_attribute
+ * @{ @ingroup payloads
+ */
+
+#ifndef CONFIGURATION_ATTRIBUTE_H_
+#define CONFIGURATION_ATTRIBUTE_H_
+
+typedef struct configuration_attribute_t configuration_attribute_t;
+
+#include <library.h>
+#include <attributes/attributes.h>
+#include <encoding/payloads/payload.h>
+
+/**
+ * Configuration attribute header length in bytes.
+ */
+#define CONFIGURATION_ATTRIBUTE_HEADER_LENGTH 4
+
+/**
+ * Class representing an IKEv2-CONFIGURATION Attribute.
+ *
+ * The CONFIGURATION ATTRIBUTE format is described in RFC section 3.15.1.
+ */
+struct configuration_attribute_t {
+
+	/**
+	 * Implements payload_t interface.
+	 */
+	payload_t payload_interface;
+
+	/**
+	 * Get the type of the attribute.
+	 *
+	 * @return 		type of the configuration attribute
+	 */
+	configuration_attribute_type_t (*get_type)(configuration_attribute_t *this);
+
+	/**
+	 * Returns the value of the attribute.
+	 *
+	 * @return 		chunk_t pointing to the internal value
+	 */
+	chunk_t (*get_value) (configuration_attribute_t *this);
+
+	/**
+	 * Destroys an configuration_attribute_t object.
+	 */
+	void (*destroy) (configuration_attribute_t *this);
+};
+
+/**
+ * Creates an empty configuration attribute.
+ *
+ * @return		created configuration attribute
+ */
+configuration_attribute_t *configuration_attribute_create();
+
+/**
+ * Creates a configuration attribute with type and value.
+ *
+ * @param type	type of configuration attribute
+ * @param value	value, gets cloned
+ * @return		created configuration attribute
+ */
+configuration_attribute_t *configuration_attribute_create_value(
+							configuration_attribute_type_t type, chunk_t value);
+
+#endif /** CONFIGURATION_ATTRIBUTE_H_ @}*/
diff --git a/src/libcharon/encoding/payloads/cp_payload.c b/src/libcharon/encoding/payloads/cp_payload.c
new file mode 100644
index 000000000..f0a26eee2
--- /dev/null
+++ b/src/libcharon/encoding/payloads/cp_payload.c
@@ -0,0 +1,273 @@
+/*
+ * Copyright (C) 2005-2009 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <stddef.h>
+
+#include "cp_payload.h"
+
+#include <encoding/payloads/encodings.h>
+#include <utils/linked_list.h>
+
+ENUM(config_type_names, CFG_REQUEST, CFG_ACK,
+	"CFG_REQUEST",
+	"CFG_REPLY",
+	"CFG_SET",
+	"CFG_ACK",
+);
+
+typedef struct private_cp_payload_t private_cp_payload_t;
+
+/**
+ * Private data of an cp_payload_t object.
+ *
+ */
+struct private_cp_payload_t {
+	/**
+	 * Public cp_payload_t interface.
+	 */
+	cp_payload_t public;
+
+	/**
+	 * Next payload type.
+	 */
+	u_int8_t  next_payload;
+
+	/**
+	 * Critical flag.
+	 */
+	bool critical;
+
+	/**
+	 * Length of this payload.
+	 */
+	u_int16_t payload_length;
+
+	/**
+	 * List of attributes, as configuration_attribute_t
+	 */
+	linked_list_t *attributes;
+
+	/**
+	 * Config Type.
+	 */
+	u_int8_t type;
+};
+
+/**
+ * Encoding rules to parse or generate a IKEv2-CP Payload
+ *
+ * The defined offsets are the positions in a object of type
+ * private_cp_payload_t.
+ *
+ */
+encoding_rule_t cp_payload_encodings[] = {
+	/* 1 Byte next payload type, stored in the field next_payload */
+	{ U_INT_8,		offsetof(private_cp_payload_t, next_payload) 			},
+	/* the critical bit */
+	{ FLAG,			offsetof(private_cp_payload_t, critical) 				},
+	/* 7 Bit reserved bits, nowhere stored */
+	{ RESERVED_BIT,	0 														},
+	{ RESERVED_BIT,	0 														},
+	{ RESERVED_BIT,	0 														},
+	{ RESERVED_BIT,	0 														},
+	{ RESERVED_BIT,	0 														},
+	{ RESERVED_BIT,	0 														},
+	{ RESERVED_BIT,	0 														},
+	/* Length of the whole CP payload*/
+	{ PAYLOAD_LENGTH,		offsetof(private_cp_payload_t, payload_length) 	},
+	/* Proposals are stored in a proposal substructure,
+	   offset points to a linked_list_t pointer */
+	{ U_INT_8,				offsetof(private_cp_payload_t, type)			},
+	{ RESERVED_BYTE,0 														},
+	{ RESERVED_BYTE,0														},
+	{ RESERVED_BYTE,0														},
+	{ CONFIGURATION_ATTRIBUTES,	offsetof(private_cp_payload_t, attributes)	}
+};
+
+/*
+                           1                   2                   3
+       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      ! Next Payload  !C! RESERVED    !         Payload Length        !
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      !   CFG Type    !                    RESERVED                   !
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      !                                                               !
+      ~                   Configuration Attributes                    ~
+      !                                                               !
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+*/
+
+/**
+ * Implementation of payload_t.verify.
+ */
+static status_t verify(private_cp_payload_t *this)
+{
+	status_t status = SUCCESS;
+	enumerator_t *enumerator;
+	payload_t *attribute;
+
+	enumerator = this->attributes->create_enumerator(this->attributes);
+	while (enumerator->enumerate(enumerator, &attribute))
+	{
+		status = attribute->verify(attribute);
+		if (status != SUCCESS)
+		{
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return status;
+}
+
+/**
+ * Implementation of payload_t.get_encoding_rules.
+ */
+static void get_encoding_rules(private_cp_payload_t *this,
+							   encoding_rule_t **rules, size_t *rule_count)
+{
+	*rules = cp_payload_encodings;
+	*rule_count = sizeof(cp_payload_encodings) / sizeof(encoding_rule_t);
+}
+
+/**
+ * Implementation of payload_t.get_type.
+ */
+static payload_type_t get_type(private_cp_payload_t *this)
+{
+	return CONFIGURATION;
+}
+
+/**
+ * Implementation of payload_t.get_next_type.
+ */
+static payload_type_t get_next_type(private_cp_payload_t *this)
+{
+	return this->next_payload;
+}
+
+/**
+ * Implementation of payload_t.set_next_type.
+ */
+static void set_next_type(private_cp_payload_t *this,payload_type_t type)
+{
+	this->next_payload = type;
+}
+
+/**
+ * recompute the length of the payload.
+ */
+static void compute_length(private_cp_payload_t *this)
+{
+	enumerator_t *enumerator;
+	payload_t *attribute;
+
+	this->payload_length = CP_PAYLOAD_HEADER_LENGTH;
+
+	enumerator = this->attributes->create_enumerator(this->attributes);
+	while (enumerator->enumerate(enumerator, &attribute))
+	{
+		this->payload_length += attribute->get_length(attribute);
+	}
+	enumerator->destroy(enumerator);
+}
+
+/**
+ * Implementation of payload_t.get_length.
+ */
+static size_t get_length(private_cp_payload_t *this)
+{
+	return this->payload_length;
+}
+
+/**
+ * Implementation of cp_payload_t.create_attribute_enumerator.
+ */
+static enumerator_t *create_attribute_enumerator(private_cp_payload_t *this)
+{
+	return this->attributes->create_enumerator(this->attributes);
+}
+
+/**
+ * Implementation of cp_payload_t.add_attribute.
+ */
+static void add_attribute(private_cp_payload_t *this,
+						  configuration_attribute_t *attribute)
+{
+	this->attributes->insert_last(this->attributes, attribute);
+	compute_length(this);
+}
+
+/**
+ * Implementation of cp_payload_t.get_type.
+ */
+static config_type_t get_config_type(private_cp_payload_t *this)
+{
+	return this->type;
+}
+
+/**
+ * Implementation of payload_t.destroy and cp_payload_t.destroy.
+ */
+static void destroy(private_cp_payload_t *this)
+{
+	this->attributes->destroy_offset(this->attributes,
+								offsetof(configuration_attribute_t, destroy));
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+cp_payload_t *cp_payload_create()
+{
+	private_cp_payload_t *this = malloc_thing(private_cp_payload_t);
+
+	this->public.payload_interface.verify = (status_t (*) (payload_t *))verify;
+	this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules;
+	this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length;
+	this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type;
+	this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
+	this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_type;
+	this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
+
+	this->public.create_attribute_enumerator = (enumerator_t*(*)(cp_payload_t *))create_attribute_enumerator;
+	this->public.add_attribute = (void (*) (cp_payload_t *,configuration_attribute_t*))add_attribute;
+	this->public.get_type = (config_type_t (*) (cp_payload_t *))get_config_type;
+	this->public.destroy = (void (*)(cp_payload_t *))destroy;
+
+	/* set default values of the fields */
+	this->critical = FALSE;
+	this->next_payload = NO_PAYLOAD;
+	this->payload_length = CP_PAYLOAD_HEADER_LENGTH;
+	this->attributes = linked_list_create();
+	this->type = CFG_REQUEST;
+
+	return &this->public;
+}
+
+/*
+ * Described in header.
+ */
+cp_payload_t *cp_payload_create_type(config_type_t type)
+{
+	private_cp_payload_t *this = (private_cp_payload_t*)cp_payload_create();
+
+	this->type = type;
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/encoding/payloads/cp_payload.h b/src/libcharon/encoding/payloads/cp_payload.h
new file mode 100644
index 000000000..7dcf58f7e
--- /dev/null
+++ b/src/libcharon/encoding/payloads/cp_payload.h
@@ -0,0 +1,108 @@
+/*
+ * Copyright (C) 2005-2009 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup cp_payload cp_payload
+ * @{ @ingroup payloads
+ */
+
+#ifndef CP_PAYLOAD_H_
+#define CP_PAYLOAD_H_
+
+typedef enum config_type_t config_type_t;
+typedef struct cp_payload_t cp_payload_t;
+
+#include <library.h>
+#include <encoding/payloads/payload.h>
+#include <encoding/payloads/configuration_attribute.h>
+#include <utils/enumerator.h>
+
+/**
+ * CP_PAYLOAD length in bytes without any proposal substructure.
+ */
+#define CP_PAYLOAD_HEADER_LENGTH 8
+
+/**
+ * Config Type of an Configuration Payload.
+ */
+enum config_type_t {
+	CFG_REQUEST = 1,
+	CFG_REPLY = 2,
+	CFG_SET = 3,
+	CFG_ACK = 4,
+};
+
+/**
+ * enum name for config_type_t.
+ */
+extern enum_name_t *config_type_names;
+
+/**
+ * Class representing an IKEv2-CP Payload.
+ *
+ * The CP Payload format is described in RFC section 3.15.
+ */
+struct cp_payload_t {
+
+	/**
+	 * The payload_t interface.
+	 */
+	payload_t payload_interface;
+
+	/**
+	 * Creates an iterator of stored configuration_attribute_t objects.
+	 *
+	 * @return			enumerator over configration_attribute_T
+	 */
+	enumerator_t *(*create_attribute_enumerator) (cp_payload_t *this);
+
+	/**
+	 * Adds a configuration attribute to the configuration payload.
+	 *
+	 * @param attribute	attribute to add
+	 */
+	void (*add_attribute)(cp_payload_t *this,
+						  configuration_attribute_t *attribute);
+
+	/**
+	 * Get the configuration payload type.
+	 *
+	 * @return			type of configuration payload
+	 */
+	config_type_t (*get_type) (cp_payload_t *this);
+
+	/**
+	 * Destroys an cp_payload_t object.
+	 */
+	void (*destroy) (cp_payload_t *this);
+};
+
+/**
+ * Creates an empty configuration payload
+ *
+ * @return		empty configuration payload
+ */
+cp_payload_t *cp_payload_create();
+
+/**
+ * Creates an cp_payload_t with type and value
+ *
+ * @param config_type	type of configuration payload to create
+ * @return				created configuration payload
+ */
+cp_payload_t *cp_payload_create_type(config_type_t config_type);
+
+#endif /** CP_PAYLOAD_H_ @}*/
diff --git a/src/libcharon/encoding/payloads/delete_payload.c b/src/libcharon/encoding/payloads/delete_payload.c
new file mode 100644
index 000000000..97b4743b2
--- /dev/null
+++ b/src/libcharon/encoding/payloads/delete_payload.c
@@ -0,0 +1,292 @@
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <stddef.h>
+
+#include "delete_payload.h"
+
+
+typedef struct private_delete_payload_t private_delete_payload_t;
+
+/**
+ * Private data of an delete_payload_t object.
+ *
+ */
+struct private_delete_payload_t {
+	/**
+	 * Public delete_payload_t interface.
+	 */
+	delete_payload_t public;
+
+	/**
+	 * Next payload type.
+	 */
+	u_int8_t  next_payload;
+
+	/**
+	 * Critical flag.
+	 */
+	bool critical;
+
+	/**
+	 * Length of this payload.
+	 */
+	u_int16_t payload_length;
+
+	/**
+	 * Protocol ID.
+	 */
+	u_int8_t protocol_id;
+
+	/**
+	 * SPI Size.
+	 */
+	u_int8_t spi_size;
+
+	/**
+	 * Number of SPI's.
+	 */
+	u_int16_t spi_count;
+
+	/**
+	 * The contained SPI's.
+	 */
+	chunk_t spis;
+
+	/**
+	 * List containing u_int32_t spis
+	 */
+	linked_list_t *spi_list;
+};
+
+/**
+ * Encoding rules to parse or generate a DELETE payload
+ *
+ * The defined offsets are the positions in a object of type
+ * private_delete_payload_t.
+ *
+ */
+encoding_rule_t delete_payload_encodings[] = {
+	/* 1 Byte next payload type, stored in the field next_payload */
+	{ U_INT_8,			offsetof(private_delete_payload_t, next_payload) 	},
+	/* the critical bit */
+	{ FLAG,				offsetof(private_delete_payload_t, critical) 		},
+	/* 7 Bit reserved bits, nowhere stored */
+	{ RESERVED_BIT,	0 														},
+	{ RESERVED_BIT,	0 														},
+	{ RESERVED_BIT,	0 														},
+	{ RESERVED_BIT,	0 														},
+	{ RESERVED_BIT,	0 														},
+	{ RESERVED_BIT,	0 														},
+	{ RESERVED_BIT,	0 														},
+	/* Length of the whole payload*/
+	{ PAYLOAD_LENGTH,	offsetof(private_delete_payload_t, payload_length)},
+	{ U_INT_8,			offsetof(private_delete_payload_t, protocol_id)		},
+	{ U_INT_8,			offsetof(private_delete_payload_t, spi_size)		},
+	{ U_INT_16,			offsetof(private_delete_payload_t, spi_count)		},
+	/* some delete data bytes, length is defined in PAYLOAD_LENGTH */
+	{ SPIS,			offsetof(private_delete_payload_t, spis) 				}
+};
+
+/*
+                           1                   2                   3
+       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      ! Next Payload  !C!  RESERVED   !         Payload Length        !
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      ! Protocol ID   !   SPI Size    !           # of SPIs           !
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      !                                                               !
+      ~               Security Parameter Index(es) (SPI)              ~
+      !                                                               !
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+*/
+
+/**
+ * Implementation of payload_t.verify.
+ */
+static status_t verify(private_delete_payload_t *this)
+{
+	switch (this->protocol_id)
+	{
+		case PROTO_AH:
+		case PROTO_ESP:
+			if (this->spi_size != 4)
+			{
+				return FAILED;
+			}
+			break;
+		case PROTO_IKE:
+		case 0:
+			/* IKE deletion has no spi assigned! */
+			if (this->spi_size != 0)
+			{
+				return FAILED;
+			}
+			break;
+		default:
+			return FAILED;
+	}
+	if (this->spis.len != (this->spi_count * this->spi_size))
+	{
+		return FAILED;
+	}
+	return SUCCESS;
+}
+
+/**
+ * Implementation of delete_payload_t.get_encoding_rules.
+ */
+static void get_encoding_rules(private_delete_payload_t *this, encoding_rule_t **rules, size_t *rule_count)
+{
+	*rules = delete_payload_encodings;
+	*rule_count = sizeof(delete_payload_encodings) / sizeof(encoding_rule_t);
+}
+
+/**
+ * Implementation of payload_t.get_type.
+ */
+static payload_type_t get_payload_type(private_delete_payload_t *this)
+{
+	return DELETE;
+}
+
+/**
+ * Implementation of payload_t.get_next_type.
+ */
+static payload_type_t get_next_type(private_delete_payload_t *this)
+{
+	return (this->next_payload);
+}
+
+/**
+ * Implementation of payload_t.set_next_type.
+ */
+static void set_next_type(private_delete_payload_t *this,payload_type_t type)
+{
+	this->next_payload = type;
+}
+
+/**
+ * Implementation of payload_t.get_length.
+ */
+static size_t get_length(private_delete_payload_t *this)
+{
+	return this->payload_length;
+}
+
+/**
+ * Implementation of delete_payload_t.get_protocol_id.
+ */
+static protocol_id_t get_protocol_id (private_delete_payload_t *this)
+{
+	return (this->protocol_id);
+}
+
+/**
+ * Implementation of delete_payload_t.add_spi.
+ */
+static void add_spi(private_delete_payload_t *this, u_int32_t spi)
+{
+	/* only add SPIs if AH|ESP, ignore others */
+	if (this->protocol_id == PROTO_AH || this->protocol_id == PROTO_ESP)
+	{
+		this->spi_count += 1;
+		this->spis.len += this->spi_size;
+		this->spis.ptr = realloc(this->spis.ptr, this->spis.len);
+		*(u_int32_t*)(this->spis.ptr + (this->spis.len / this->spi_size - 1)) = spi;
+		if (this->spi_list)
+		{
+			/* reset SPI iterator list */
+			this->spi_list->destroy(this->spi_list);
+			this->spi_list = NULL;
+		}
+	}
+}
+
+/**
+ * Implementation of delete_payload_t.create_spi_iterator.
+ */
+static iterator_t* create_spi_iterator(private_delete_payload_t *this)
+{
+	int i;
+
+	if (this->spi_list == NULL)
+	{
+		this->spi_list = linked_list_create();
+		/* only parse SPIs if AH|ESP */
+		if (this->protocol_id == PROTO_AH || this->protocol_id == PROTO_ESP)
+		{
+			for (i = 0; i < this->spi_count; i++)
+			{
+				this->spi_list->insert_last(this->spi_list, this->spis.ptr + i *
+															this->spi_size);
+			}
+		}
+	}
+	return this->spi_list->create_iterator(this->spi_list, TRUE);
+}
+
+/**
+ * Implementation of payload_t.destroy and delete_payload_t.destroy.
+ */
+static void destroy(private_delete_payload_t *this)
+{
+	if (this->spis.ptr != NULL)
+	{
+		chunk_free(&this->spis);
+	}
+	if (this->spi_list)
+	{
+		this->spi_list->destroy(this->spi_list);
+	}
+	free(this);
+}
+
+/*
+ * Described in header
+ */
+delete_payload_t *delete_payload_create(protocol_id_t protocol_id)
+{
+	private_delete_payload_t *this = malloc_thing(private_delete_payload_t);
+
+	/* interface functions */
+	this->public.payload_interface.verify = (status_t (*) (payload_t *))verify;
+	this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules;
+	this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length;
+	this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type;
+	this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
+	this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_payload_type;
+	this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
+
+	/* public functions */
+	this->public.destroy = (void (*) (delete_payload_t *)) destroy;
+	this->public.get_protocol_id = (protocol_id_t (*) (delete_payload_t *)) get_protocol_id;
+	this->public.add_spi = (void (*) (delete_payload_t *,u_int32_t))add_spi;
+	this->public.create_spi_iterator = (iterator_t* (*) (delete_payload_t *)) create_spi_iterator;
+
+	/* private variables */
+	this->critical = FALSE;
+	this->next_payload = NO_PAYLOAD;
+	this->payload_length = DELETE_PAYLOAD_HEADER_LENGTH;
+	this->protocol_id = protocol_id;
+	this->spi_size = protocol_id == PROTO_AH || protocol_id == PROTO_ESP ? 4 : 0;
+	this->spi_count = 0;
+	this->spis = chunk_empty;
+	this->spi_list = NULL;
+
+	return (&this->public);
+}
diff --git a/src/libcharon/encoding/payloads/delete_payload.h b/src/libcharon/encoding/payloads/delete_payload.h
new file mode 100644
index 000000000..3b62c1af1
--- /dev/null
+++ b/src/libcharon/encoding/payloads/delete_payload.h
@@ -0,0 +1,84 @@
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup delete_payload delete_payload
+ * @{ @ingroup payloads
+ */
+
+#ifndef DELETE_PAYLOAD_H_
+#define DELETE_PAYLOAD_H_
+
+typedef struct delete_payload_t delete_payload_t;
+
+#include <library.h>
+#include <encoding/payloads/payload.h>
+#include <encoding/payloads/proposal_substructure.h>
+
+/**
+ * Length of a delete payload without the SPI in bytes.
+ */
+#define DELETE_PAYLOAD_HEADER_LENGTH 8
+
+/**
+ * Class representing an IKEv2 DELETE payload.
+ *
+ * The DELETE payload format is described in RFC section 3.11.
+ */
+struct delete_payload_t {
+	/**
+	 * The payload_t interface.
+	 */
+	payload_t payload_interface;
+
+	/**
+	 * Get the protocol ID.
+	 *
+	 * @return				protocol ID
+	 */
+	protocol_id_t (*get_protocol_id) (delete_payload_t *this);
+
+	/**
+	 * Add an SPI to the list of deleted SAs.
+	 *
+	 * @param spi			spi to add
+	 */
+	void (*add_spi) (delete_payload_t *this, u_int32_t spi);
+
+	/**
+	 * Get an iterator over the SPIs.
+	 *
+	 * The iterate() function returns a pointer to a u_int32_t SPI.
+	 *
+	 * @return				iterator over SPIs
+	 */
+	iterator_t *(*create_spi_iterator) (delete_payload_t *this);
+
+	/**
+	 * Destroys an delete_payload_t object.
+	 */
+	void (*destroy) (delete_payload_t *this);
+};
+
+/**
+ * Creates an empty delete_payload_t object.
+ *
+ * @param protocol_id	protocol, such as AH|ESP
+ * @return 				delete_payload_t object
+ */
+delete_payload_t *delete_payload_create(protocol_id_t protocol_id);
+
+#endif /** DELETE_PAYLOAD_H_ @}*/
diff --git a/src/libcharon/encoding/payloads/eap_payload.c b/src/libcharon/encoding/payloads/eap_payload.c
new file mode 100644
index 000000000..21f34a642
--- /dev/null
+++ b/src/libcharon/encoding/payloads/eap_payload.c
@@ -0,0 +1,302 @@
+/*
+ * Copyright (C) 2005-2010 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <stddef.h>
+
+#include "eap_payload.h"
+
+#include <daemon.h>
+
+typedef struct private_eap_payload_t private_eap_payload_t;
+
+/**
+ * Private data of an eap_payload_t object.
+ *
+ */
+struct private_eap_payload_t {
+	/**
+	 * Public eap_payload_t interface.
+	 */
+	eap_payload_t public;
+
+	/**
+	 * Next payload type.
+	 */
+	u_int8_t  next_payload;
+
+	/**
+	 * Critical flag.
+	 */
+	bool critical;
+
+	/**
+	 * Length of this payload.
+	 */
+	u_int16_t payload_length;
+
+	/**
+	 * EAP message data, if available
+	 */
+	chunk_t data;
+};
+
+/**
+ * Encoding rules to parse or generate a EAP payload.
+ *
+ * The defined offsets are the positions in a object of type
+ * private_eap_payload_t.
+ *
+ */
+static encoding_rule_t eap_payload_encodings[] = {
+	/* 1 Byte next payload type, stored in the field next_payload */
+	{ U_INT_8,			offsetof(private_eap_payload_t, next_payload) 	},
+	/* the critical bit */
+	{ FLAG,				offsetof(private_eap_payload_t, critical) 		},
+	/* 7 Bit reserved bits, nowhere stored */
+	{ RESERVED_BIT,	0 													},
+	{ RESERVED_BIT,	0 													},
+	{ RESERVED_BIT,	0 													},
+	{ RESERVED_BIT,	0 													},
+	{ RESERVED_BIT,	0 													},
+	{ RESERVED_BIT,	0 													},
+	{ RESERVED_BIT,	0 													},
+	/* Length of the whole payload*/
+	{ PAYLOAD_LENGTH,	offsetof(private_eap_payload_t, payload_length)	},
+	/* chunt to data, starting at "code" */
+	{ EAP_DATA,			offsetof(private_eap_payload_t, data)			},
+};
+
+/*
+                            1                   2                   3
+        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+       ! Next Payload  !C!  RESERVED   !         Payload Length        !
+       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+       !     Code      ! Identifier    !           Length              !
+       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+       !     Type      ! Type_Data...
+       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
+*/
+
+METHOD(payload_t, verify, status_t,
+	private_eap_payload_t *this)
+{
+	u_int16_t length;
+	u_int8_t code;
+
+	if (this->data.len < 4)
+	{
+		DBG1(DBG_ENC, "EAP payloads EAP message too short (%d)", this->data.len);
+		return FAILED;
+	}
+	length = untoh16(this->data.ptr + 2);
+	if (this->data.len != length)
+	{
+		DBG1(DBG_ENC, "EAP payload length (%d) does not match contained "
+			 "message length (%d)", this->data.len, length);
+		return FAILED;
+	}
+	code = this->data.ptr[0];
+	switch (code)
+	{
+		case EAP_REQUEST:
+		case EAP_RESPONSE:
+		{
+			if (this->data.len < 4)
+			{
+				DBG1(DBG_ENC, "EAP Request/Response does not have any data");
+				return FAILED;
+			}
+			break;
+		}
+		case EAP_SUCCESS:
+		case EAP_FAILURE:
+		{
+			if (this->data.len != 4)
+			{
+				DBG1(DBG_ENC, "EAP Success/Failure has data");
+				return FAILED;
+			}
+			break;
+		}
+		default:
+			return FAILED;
+	}
+	return SUCCESS;
+}
+
+METHOD(payload_t, get_encoding_rules, void,
+	private_eap_payload_t *this, encoding_rule_t **rules, size_t *rule_count)
+{
+	*rules = eap_payload_encodings;
+	*rule_count = sizeof(eap_payload_encodings) / sizeof(encoding_rule_t);
+}
+
+METHOD(payload_t, get_payload_type, payload_type_t,
+	private_eap_payload_t *this)
+{
+	return EXTENSIBLE_AUTHENTICATION;
+}
+
+METHOD(payload_t, get_next_type, payload_type_t,
+	private_eap_payload_t *this)
+{
+	return (this->next_payload);
+}
+
+METHOD(payload_t, set_next_type, void,
+	private_eap_payload_t *this, payload_type_t type)
+{
+	this->next_payload = type;
+}
+
+METHOD(payload_t, get_length, size_t,
+	private_eap_payload_t *this)
+{
+	return this->payload_length;
+}
+
+METHOD(eap_payload_t, get_data, chunk_t,
+	private_eap_payload_t *this)
+{
+	return this->data;
+}
+
+METHOD(eap_payload_t, set_data, void,
+	private_eap_payload_t *this, chunk_t data)
+{
+	free(this->data.ptr);
+	this->data = chunk_clone(data);
+	this->payload_length = this->data.len + 4;
+}
+
+METHOD(eap_payload_t, get_code, eap_code_t,
+	private_eap_payload_t *this)
+{
+	if (this->data.len > 0)
+	{
+		return this->data.ptr[0];
+	}
+	/* should not happen, as it is verified */
+	return 0;
+}
+
+METHOD(eap_payload_t, get_identifier, u_int8_t,
+	private_eap_payload_t *this)
+{
+	if (this->data.len > 1)
+	{
+		return this->data.ptr[1];
+	}
+	/* should not happen, as it is verified */
+	return 0;
+}
+
+METHOD(eap_payload_t, get_type, eap_type_t,
+	private_eap_payload_t *this, u_int32_t *vendor)
+{
+	eap_type_t type;
+
+	*vendor = 0;
+	if (this->data.len > 4)
+	{
+		type = this->data.ptr[4];
+		if (type != EAP_EXPANDED)
+		{
+			return type;
+		}
+		if (this->data.len >= 12)
+		{
+			*vendor = untoh32(this->data.ptr + 4) & 0x00FFFFFF;
+			return untoh32(this->data.ptr + 8);
+		}
+	}
+	return 0;
+}
+
+METHOD2(payload_t, eap_payload_t, destroy, void,
+	private_eap_payload_t *this)
+{
+	chunk_free(&this->data);
+	free(this);
+}
+
+/*
+ * Described in header
+ */
+eap_payload_t *eap_payload_create()
+{
+	private_eap_payload_t *this;
+
+	INIT(this,
+		.public = {
+			.payload_interface = {
+				.verify = _verify,
+				.get_encoding_rules = _get_encoding_rules,
+				.get_length = _get_length,
+				.get_next_type = _get_next_type,
+				.set_next_type = _set_next_type,
+				.get_type = _get_payload_type,
+				.destroy = _destroy,
+			},
+			.get_data = _get_data,
+			.set_data = _set_data,
+			.get_code = _get_code,
+			.get_identifier = _get_identifier,
+			.get_type = _get_type,
+			.destroy = _destroy,
+		},
+		.next_payload = NO_PAYLOAD,
+		.payload_length = EAP_PAYLOAD_HEADER_LENGTH,
+	);
+	return &this->public;
+}
+
+/*
+ * Described in header
+ */
+eap_payload_t *eap_payload_create_data(chunk_t data)
+{
+	eap_payload_t *this = eap_payload_create();
+
+	this->set_data(this, data);
+	return this;
+}
+
+/*
+ * Described in header
+ */
+eap_payload_t *eap_payload_create_code(eap_code_t code, u_int8_t identifier)
+{
+	chunk_t data;
+
+	data = chunk_from_chars(code, identifier, 0, 0);
+	htoun16(data.ptr + 2, data.len);
+	return eap_payload_create_data(data);
+}
+
+/*
+ * Described in header
+ */
+eap_payload_t *eap_payload_create_nak(u_int8_t identifier)
+{
+	chunk_t data;
+
+	data = chunk_from_chars(EAP_RESPONSE, identifier, 0, 0, EAP_NAK);
+	htoun16(data.ptr + 2, data.len);
+	return eap_payload_create_data(data);
+}
+
diff --git a/src/libcharon/encoding/payloads/eap_payload.h b/src/libcharon/encoding/payloads/eap_payload.h
new file mode 100644
index 000000000..0bde4b15e
--- /dev/null
+++ b/src/libcharon/encoding/payloads/eap_payload.h
@@ -0,0 +1,129 @@
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_payload eap_payload
+ * @{ @ingroup payloads
+ */
+
+#ifndef EAP_PAYLOAD_H_
+#define EAP_PAYLOAD_H_
+
+typedef struct eap_payload_t eap_payload_t;
+
+#include <library.h>
+#include <encoding/payloads/payload.h>
+#include <sa/authenticators/eap/eap_method.h>
+
+/**
+ * Length of a EAP payload without the EAP Message in bytes.
+ */
+#define EAP_PAYLOAD_HEADER_LENGTH 4
+
+/**
+ * Class representing an IKEv2 EAP payload.
+ *
+ * The EAP payload format is described in RFC section 3.16.
+ */
+struct eap_payload_t {
+
+	/**
+	 * The payload_t interface.
+	 */
+	payload_t payload_interface;
+
+	/**
+	 * Set the contained EAP data.
+	 *
+	 * This contains the FULL EAP message starting with "code".
+	 * Chunk gets cloned.
+	 *
+	 * @param message	EAP data
+	 */
+	void (*set_data) (eap_payload_t *this, chunk_t data);
+
+	/**
+	 * Get the contained EAP data.
+	 *
+	 * This contains the FULL EAP message starting with "code".
+	 *
+	 * @return			EAP data (pointer to internal data)
+	 */
+	chunk_t (*get_data) (eap_payload_t *this);
+
+	/**
+	 * Get the EAP code.
+	 *
+	 * @return			EAP message as chunk_t
+	 */
+	eap_code_t (*get_code) (eap_payload_t *this);
+
+	/**
+	 * Get the EAP identifier.
+	 *
+	 * @return			unique identifier
+	 */
+	u_int8_t (*get_identifier) (eap_payload_t *this);
+
+	/**
+	 * Get the EAP method type.
+	 *
+	 * @param vendor	pointer receiving vendor identifier
+	 * @return			EAP method type, vendor specific if vendor != 0
+	 */
+	eap_type_t (*get_type) (eap_payload_t *this, u_int32_t *vendor);
+
+	/**
+	 * Destroys an eap_payload_t object.
+	 */
+	void (*destroy) (eap_payload_t *this);
+};
+
+/**
+ * Creates an empty eap_payload_t object.
+ *
+ * @return eap_payload_t object
+ */
+eap_payload_t *eap_payload_create(void);
+
+/**
+ * Creates an eap_payload_t object with data.
+ *
+ * @return eap_payload_t object
+ */
+eap_payload_t *eap_payload_create_data(chunk_t data);
+
+/**
+ * Creates an eap_payload_t object with a code.
+ *
+ * Could should be either EAP_SUCCESS/EAP_FAILURE, use
+ * constructor above otherwise.
+ *
+ * @param code			EAP status code
+ * @param identifier	EAP identifier to use in payload
+ * @return 				eap_payload_t object
+ */
+eap_payload_t *eap_payload_create_code(eap_code_t code, u_int8_t identifier);
+
+/**
+ * Creates an eap_payload_t EAP_RESPONSE containing an EAP_NAK.
+ *
+ * @param identifier	EAP identifier to use in payload
+ * @return 				eap_payload_t object
+ */
+eap_payload_t *eap_payload_create_nak(u_int8_t identifier);
+
+#endif /** EAP_PAYLOAD_H_ @}*/
diff --git a/src/libcharon/encoding/payloads/encodings.c b/src/libcharon/encoding/payloads/encodings.c
new file mode 100644
index 000000000..85caeda82
--- /dev/null
+++ b/src/libcharon/encoding/payloads/encodings.c
@@ -0,0 +1,58 @@
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+
+#include "encodings.h"
+
+ENUM(encoding_type_names, U_INT_4, ENCRYPTED_DATA,
+	"U_INT_4",
+	"U_INT_8",
+	"U_INT_16",
+	"U_INT_32",
+	"RESERVED_BIT",
+	"RESERVED_BYTE",
+	"FLAG",
+	"PAYLOAD_LENGTH",
+	"HEADER_LENGTH",
+	"SPI_SIZE",
+	"SPI",
+	"KEY_EXCHANGE_DATA",
+	"NOTIFICATION_DATA",
+	"PROPOSALS",
+	"TRANSFORMS",
+	"TRANSFORM_ATTRIBUTES",
+	"CONFIGURATION_ATTRIBUTES",
+	"CONFIGURATION_ATTRIBUTE_VALUE",
+	"ATTRIBUTE_FORMAT",
+	"ATTRIBUTE_TYPE",
+	"ATTRIBUTE_LENGTH_OR_VALUE",
+	"CONFIGURATION_ATTRIBUTE_LENGTH",
+	"ATTRIBUTE_VALUE",
+	"TRAFFIC_SELECTORS",
+	"TS_TYPE",
+	"ADDRESS",
+	"NONCE_DATA",
+	"ID_DATA",
+	"AUTH_DATA",
+	"CERT_DATA",
+	"CERTREQ_DATA",
+	"EAP_DATA",
+	"SPIS",
+	"VID_DATA",
+	"UNKNOWN_DATA",
+	"IKE_SPI",
+	"ENCRYPTED_DATA",
+);
diff --git a/src/libcharon/encoding/payloads/encodings.h b/src/libcharon/encoding/payloads/encodings.h
new file mode 100644
index 000000000..52af4a984
--- /dev/null
+++ b/src/libcharon/encoding/payloads/encodings.h
@@ -0,0 +1,515 @@
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup encodings encodings
+ * @{ @ingroup payloads
+ */
+
+#ifndef ENCODINGS_H_
+#define ENCODINGS_H_
+
+typedef enum encoding_type_t encoding_type_t;
+typedef struct encoding_rule_t encoding_rule_t;
+
+#include <library.h>
+
+/**
+ * All different kinds of encoding types.
+ *
+ * Each field of an IKEv2-Message (in header or payload)
+ * which has to be parsed or generated differently has its own
+ * type defined here.
+ *
+ * Header is parsed like a payload and gets its one payload_id
+ * from PRIVATE USE space. Also the substructures
+ * of specific payload types get their own payload_id
+ * from PRIVATE_USE space. See IKEv2-Draft for more informations.
+ */
+enum encoding_type_t {
+
+	/**
+	 * Representing a 4 Bit unsigned int value.
+	 *
+	 *
+	 * When generating it must be changed from host to network order.
+	 * The value is read from the associated data struct.
+	 * The current write position is moved 4 bit forward afterwards.
+	 *
+	 * When parsing it must be changed from network to host order.
+	 * The value is written to the associated data struct.
+	 * The current read pointer is moved 4 bit forward afterwards.
+	 */
+	U_INT_4,
+
+	/**
+	 * Representing a 8 Bit unsigned int value.
+	 *
+	 *
+	 * When generating it must be changed from host to network order.
+	 * The value is read from the associated data struct.
+	 * The current write position is moved 8 bit forward afterwards.
+	 *
+	 * When parsing it must be changed from network to host order.
+	 * The value is written to the associated data struct.
+	 * The current read pointer is moved 8 bit forward afterwards.
+	 */
+	U_INT_8,
+
+	/**
+	 * Representing a 16 Bit unsigned int value.
+	 *
+	 *
+	 * When generating it must be changed from host to network order.
+	 * The value is read from the associated data struct.
+	 * The current write position is moved 16 bit forward afterwards.
+	 *
+	 * When parsing it must be changed from network to host order.
+	 * The value is written to the associated data struct.
+	 * The current read pointer is moved 16 bit forward afterwards.
+	 */
+	U_INT_16,
+
+	/**
+	 * Representing a 32 Bit unsigned int value.
+	 *
+	 * When generating it must be changed from host to network order.
+	 * The value is read from the associated data struct.
+	 * The current write position is moved 32 bit forward afterwards.
+	 *
+	 * When parsing it must be changed from network to host order.
+	 * The value is written to the associated data struct.
+	 * The current read pointer is moved 32 bit forward afterwards.
+	 */
+	U_INT_32,
+
+	/**
+	 * represents a RESERVED_BIT used in FLAG-Bytes.
+	 *
+	 * When generating, the next bit is set to zero and the current write
+	 * position is moved one bit forward.
+	 * No value is read from the associated data struct.
+	 * The current write position is moved 1 bit forward afterwards.
+	 *
+	 * When parsing, the current read pointer is moved one bit forward.
+	 * No value is written to the associated data struct.
+	 * The current read pointer is moved 1 bit forward afterwards.
+	 */
+	RESERVED_BIT,
+
+	/**
+	 * represents a RESERVED_BYTE.
+	 *
+	 * When generating, the next byte is set to zero and the current write
+	 * position is moved one byte forward.
+	 * No value is read from the associated data struct.
+	 * The current write position is moved 1 byte forward afterwards.
+	 *
+	 * When parsing, the current read pointer is moved one byte forward.
+	 * No value is written to the associated data struct.
+	 * The current read pointer is moved 1 byte forward afterwards.
+	 */
+	RESERVED_BYTE,
+
+	/**
+	 * Representing a 1 Bit flag.
+	 *
+	 * When generation, the next bit is set to 1 if the associated value
+	 * in the data struct is TRUE, 0 otherwise. The current write position
+	 * is moved 1 bit forward afterwards.
+	 *
+	 * When parsing, the next bit is read and stored in the associated data
+	 * struct. 0 means FALSE, 1 means TRUE, The current read pointer
+	 * is moved 1 bit forward afterwards
+	 */
+	FLAG,
+
+	/**
+	 * Representating a length field of a payload.
+	 *
+	 * When generating it must be changed from host to network order.
+	 * The value is read from the associated data struct.
+	 * The current write position is moved 16 bit forward afterwards.
+	 *
+	 * When parsing it must be changed from network to host order.
+	 * The value is written to the associated data struct.
+	 * The current read pointer is moved 16 bit forward afterwards.
+	 */
+	PAYLOAD_LENGTH,
+
+	/**
+	 * Representating a length field of a header.
+	 *
+	 * When generating it must be changed from host to network order.
+	 * The value is read from the associated data struct.
+	 * The current write position is moved 32 bit forward afterwards.
+	 *
+	 * When parsing it must be changed from network to host order.
+	 * The value is written to the associated data struct.
+	 * The current read pointer is moved 32 bit forward afterwards.
+	 */
+	HEADER_LENGTH,
+
+	/**
+	 * Representating a spi size field.
+	 *
+	 * When generating it must be changed from host to network order.
+	 * The value is read from the associated data struct.
+	 * The current write position is moved 8 bit forward afterwards.
+	 *
+	 * When parsing it must be changed from network to host order.
+	 * The value is written to the associated data struct.
+	 * The current read pointer is moved 8 bit forward afterwards.
+	 */
+	SPI_SIZE,
+
+	/**
+	 * Representating a spi field.
+	 *
+	 * When generating the content of the chunkt pointing to
+	 * is written.
+	 *
+	 * When parsing SPI_SIZE bytes are read and written into the chunk pointing to.
+	 */
+	SPI,
+
+	/**
+	 * Representating a Key Exchange Data field.
+	 *
+	 * When generating the content of the chunkt pointing to
+	 * is written.
+	 *
+	 * When parsing (Payload Length - 8) bytes are read and written into the chunk pointing to.
+	 */
+	KEY_EXCHANGE_DATA,
+
+	/**
+	 * Representating a Notification field.
+	 *
+	 * When generating the content of the chunkt pointing to
+	 * is written.
+	 *
+	 * When parsing (Payload Length - spi size - 8) bytes are read and written into the chunk pointing to.
+	 */
+	NOTIFICATION_DATA,
+
+	/**
+	 * Representating one or more proposal substructures.
+	 *
+	 * The offset points to a linked_list_t pointer.
+	 *
+	 * When generating the proposal_substructure_t objects are stored
+	 * in the pointed linked_list.
+	 *
+	 * When parsing the parsed proposal_substructure_t objects have
+	 * to be stored in the pointed linked_list.
+	 */
+	PROPOSALS,
+
+	/**
+	 * Representating one or more transform substructures.
+	 *
+	 * The offset points to a linked_list_t pointer.
+	 *
+	 * When generating the transform_substructure_t objects are stored
+	 * in the pointed linked_list.
+	 *
+	 * When parsing the parsed transform_substructure_t objects have
+	 * to be stored in the pointed linked_list.
+	 */
+	TRANSFORMS,
+
+	/**
+	 * Representating one or more Attributes of a transform substructure.
+	 *
+	 * The offset points to a linked_list_t pointer.
+	 *
+	 * When generating the transform_attribute_t objects are stored
+	 * in the pointed linked_list.
+	 *
+	 * When parsing the parsed transform_attribute_t objects have
+	 * to be stored in the pointed linked_list.
+	 */
+	TRANSFORM_ATTRIBUTES,
+
+	/**
+	 * Representating one or more Attributes of a configuration payload.
+	 *
+	 * The offset points to a linked_list_t pointer.
+	 *
+	 * When generating the configuration_attribute_t objects are stored
+	 * in the pointed linked_list.
+	 *
+	 * When parsing the parsed configuration_attribute_t objects have
+	 * to be stored in the pointed linked_list.
+	 */
+	CONFIGURATION_ATTRIBUTES,
+
+	/**
+	 *
+	 * When generating the content of the chunkt pointing to
+	 * is written.
+	 *
+	 * When parsing (Payload Length - 4) bytes are read and written into the chunk pointing to.
+	 */
+	CONFIGURATION_ATTRIBUTE_VALUE,
+
+	/**
+	 * Representing a 1 Bit flag specifying the format of a transform attribute.
+	 *
+	 * When generation, the next bit is set to 1 if the associated value
+	 * in the data struct is TRUE, 0 otherwise. The current write position
+	 * is moved 1 bit forward afterwards.
+	 *
+	 * When parsing, the next bit is read and stored in the associated data
+	 * struct. 0 means FALSE, 1 means TRUE, The current read pointer
+	 * is moved 1 bit forward afterwards.
+	 */
+	ATTRIBUTE_FORMAT,
+	/**
+	 * Representing a 15 Bit unsigned int value used as attribute type
+	 * in an attribute transform.
+	 *
+	 *
+	 * When generating it must be changed from host to network order.
+	 * The value is read from the associated data struct.
+	 * The current write position is moved 15 bit forward afterwards.
+	 *
+	 * When parsing it must be changed from network to host order.
+	 * The value is written to the associated data struct.
+	 * The current read pointer is moved 15 bit forward afterwards.
+	 */
+	ATTRIBUTE_TYPE,
+
+	/**
+	 * Depending on the field of type ATTRIBUTE_FORMAT
+	 * this field contains the length or the value of an transform attribute.
+	 * Its stored in a 16 unsigned integer field.
+	 *
+	 * When generating it must be changed from host to network order.
+	 * The value is read from the associated data struct.
+	 * The current write position is moved 16 bit forward afterwards.
+	 *
+	 * When parsing it must be changed from network to host order.
+	 * The value is written to the associated data struct.
+	 * The current read pointer is moved 16 bit forward afterwards.
+	 */
+	ATTRIBUTE_LENGTH_OR_VALUE,
+
+	/**
+	 * This field contains the length or the value of an configuration attribute.
+	 * Its stored in a 16 unsigned integer field.
+	 *
+	 * When generating it must be changed from host to network order.
+	 * The value is read from the associated data struct.
+	 * The current write position is moved 16 bit forward afterwards.
+	 *
+	 * When parsing it must be changed from network to host order.
+	 * The value is written to the associated data struct.
+	 * The current read pointer is moved 16 bit forward afterwards.
+	 */
+	CONFIGURATION_ATTRIBUTE_LENGTH,
+
+	/**
+	 * Depending on the field of type ATTRIBUTE_FORMAT
+	 * this field is available or missing and so parsed/generated
+	 * or not parsed/not generated.
+	 *
+	 * When generating the content of the chunkt pointing to
+	 * is written.
+	 *
+	 * When parsing SPI_SIZE bytes are read and written into the chunk pointing to.
+	 */
+	ATTRIBUTE_VALUE,
+
+	/**
+	 * Representating one or more Traffic selectors of a TS payload.
+	 *
+	 * The offset points to a linked_list_t pointer.
+	 *
+	 * When generating the traffic_selector_substructure_t objects are stored
+	 * in the pointed linked_list.
+	 *
+	 * When parsing the parsed traffic_selector_substructure_t objects have
+	 * to be stored in the pointed linked_list.
+	 */
+	TRAFFIC_SELECTORS,
+
+	/**
+	 * Representating a Traffic selector type field.
+	 *
+	 * When generating it must be changed from host to network order.
+	 * The value is read from the associated data struct.
+	 * The current write position is moved 16 bit forward afterwards.
+	 *
+	 * When parsing it must be changed from network to host order.
+	 * The value is written to the associated data struct.
+	 * The current read pointer is moved 16 bit forward afterwards.
+	 */
+	TS_TYPE,
+
+	/**
+	 * Representating an address field in a traffic selector.
+	 *
+	 * Depending on the last field of type TS_TYPE
+	 * this field is either 4 or 16 byte long.
+	 *
+	 * When generating the content of the chunkt pointing to
+	 * is written.
+	 *
+	 * When parsing 4 or 16 bytes are read and written into the chunk pointing to.
+	 */
+	ADDRESS,
+
+	/**
+	 * Representating a Nonce Data field.
+	 *
+	 * When generating the content of the chunkt pointing to
+	 * is written.
+	 *
+	 * When parsing (Payload Length - 4) bytes are read and written into the chunk pointing to.
+	 */
+	NONCE_DATA,
+
+	/**
+	 * Representating a ID Data field.
+	 *
+	 * When generating the content of the chunkt pointing to
+	 * is written.
+	 *
+	 * When parsing (Payload Length - 8) bytes are read and written into the chunk pointing to.
+	 */
+	ID_DATA,
+
+	/**
+	 * Representating a AUTH Data field.
+	 *
+	 * When generating the content of the chunkt pointing to
+	 * is written.
+	 *
+	 * When parsing (Payload Length - 8) bytes are read and written into the chunk pointing to.
+	 */
+	AUTH_DATA,
+
+	/**
+	 * Representating a CERT Data field.
+	 *
+	 * When generating the content of the chunkt pointing to
+	 * is written.
+	 *
+	 * When parsing (Payload Length - 5) bytes are read and written into the chunk pointing to.
+	 */
+	CERT_DATA,
+
+	/**
+	 * Representating a CERTREQ Data field.
+	 *
+	 * When generating the content of the chunkt pointing to
+	 * is written.
+	 *
+	 * When parsing (Payload Length - 5) bytes are read and written into the chunk pointing to.
+	 */
+	CERTREQ_DATA,
+
+	/**
+	 * Representating an EAP message field.
+	 *
+	 * When generating the content of the chunkt pointing to
+	 * is written.
+	 *
+	 * When parsing (Payload Length - 4) bytes are read and written into the chunk pointing to.
+	 */
+	EAP_DATA,
+
+	/**
+	 * Representating the SPIS field in a DELETE payload.
+	 *
+	 * When generating the content of the chunkt pointing to
+	 * is written.
+	 *
+	 * When parsing (Payload Length - 8) bytes are read and written into the chunk pointing to.
+	 */
+	SPIS,
+
+	/**
+	 * Representating the VID DATA field in a VENDOR ID payload.
+	 *
+	 * When generating the content of the chunkt pointing to
+	 * is written.
+	 *
+	 * When parsing (Payload Length - 4) bytes are read and written into the chunk pointing to.
+	 */
+	VID_DATA,
+
+	/**
+	 * Representating the DATA of an unknown payload.
+	 *
+	 * When generating the content of the chunkt pointing to
+	 * is written.
+	 *
+	 * When parsing (Payload Length - 4) bytes are read and written into the chunk pointing to.
+	 */
+	UNKNOWN_DATA,
+
+	/**
+	 * Representating an IKE_SPI field in an IKEv2 Header.
+	 *
+	 * When generating the value of the u_int64_t pointing to
+	 * is written (host and networ order is not changed).
+	 *
+	 * When parsing 8 bytes are read and written into the u_int64_t pointing to.
+	 */
+	IKE_SPI,
+
+	/**
+	 * Representing the encrypted data body of a encryption payload.
+	 */
+	ENCRYPTED_DATA,
+};
+
+/**
+ * enum name for encoding_type_t
+ */
+extern enum_name_t *encoding_type_names;
+
+/**
+ * Rule how to en-/decode a payload field.
+ *
+ * An encoding rule is a mapping of a specific encoding type to
+ * a location in the data struct where the current field is stored to
+ * or read from.
+ * This rules are used by parser and generator.
+ */
+struct encoding_rule_t {
+
+	/**
+	 * Encoding type.
+	 */
+	encoding_type_t type;
+
+	/**
+	 * Offset in the data struct.
+	 *
+	 * When parsing, data are written to this offset of the
+	 * data struct.
+	 *
+	 * When generating, data are read from this offset in the
+	 * data struct.
+	 */
+	u_int32_t offset;
+};
+
+#endif /** ENCODINGS_H_ @}*/
diff --git a/src/libcharon/encoding/payloads/encryption_payload.c b/src/libcharon/encoding/payloads/encryption_payload.c
new file mode 100644
index 000000000..2adbb88b9
--- /dev/null
+++ b/src/libcharon/encoding/payloads/encryption_payload.c
@@ -0,0 +1,619 @@
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <stddef.h>
+#include <string.h>
+
+#include "encryption_payload.h"
+
+#include <daemon.h>
+#include <encoding/payloads/encodings.h>
+#include <utils/linked_list.h>
+#include <encoding/generator.h>
+#include <encoding/parser.h>
+#include <utils/iterator.h>
+#include <crypto/signers/signer.h>
+
+
+typedef struct private_encryption_payload_t private_encryption_payload_t;
+
+/**
+ * Private data of an encryption_payload_t' Object.
+ *
+ */
+struct private_encryption_payload_t {
+
+	/**
+	 * Public encryption_payload_t interface.
+	 */
+	encryption_payload_t public;
+
+	/**
+	 * There is no next payload for an encryption payload,
+	 * since encryption payload MUST be the last one.
+	 * next_payload means here the first payload of the
+	 * contained, encrypted payload.
+	 */
+	u_int8_t next_payload;
+
+	/**
+	 * Critical flag.
+	 */
+	bool critical;
+
+	/**
+	 * Length of this payload
+	 */
+	u_int16_t payload_length;
+
+	/**
+	 * Chunk containing the iv, data, padding,
+	 * and (an eventually not calculated) signature.
+	 */
+	chunk_t encrypted;
+
+	/**
+	 * Chunk containing the data in decrypted (unpadded) form.
+	 */
+	chunk_t decrypted;
+
+	/**
+	 * Signer set by set_signer.
+	 */
+	signer_t *signer;
+
+	/**
+	 * Crypter, supplied by encrypt/decrypt
+	 */
+	crypter_t *crypter;
+
+	/**
+	 * Contained payloads of this encrpytion_payload.
+	 */
+	linked_list_t *payloads;
+};
+
+/**
+ * Encoding rules to parse or generate a IKEv2-Encryption Payload.
+ *
+ * The defined offsets are the positions in a object of type
+ * private_encryption_payload_t.
+ *
+ */
+encoding_rule_t encryption_payload_encodings[] = {
+	/* 1 Byte next payload type, stored in the field next_payload */
+	{ U_INT_8,			offsetof(private_encryption_payload_t, next_payload)	},
+	/* the critical bit */
+	{ FLAG,				offsetof(private_encryption_payload_t, critical)		},
+	/* 7 Bit reserved bits, nowhere stored */
+	{ RESERVED_BIT,		0														},
+	{ RESERVED_BIT,		0														},
+	{ RESERVED_BIT,		0														},
+	{ RESERVED_BIT,		0														},
+	{ RESERVED_BIT,		0														},
+	{ RESERVED_BIT,		0														},
+	{ RESERVED_BIT,		0														},
+	/* Length of the whole encryption payload*/
+	{ PAYLOAD_LENGTH,	offsetof(private_encryption_payload_t, payload_length)	},
+	/* encrypted data, stored in a chunk. contains iv, data, padding */
+	{ ENCRYPTED_DATA,	offsetof(private_encryption_payload_t, encrypted)			},
+};
+
+/*
+                           1                   2                   3
+       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      ! Next Payload  !C!  RESERVED   !         Payload Length        !
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      !                     Initialization Vector                     !
+      !         (length is block size for encryption algorithm)       !
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      !                    Encrypted IKE Payloads                     !
+      +               +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      !               !             Padding (0-255 octets)            !
+      +-+-+-+-+-+-+-+-+                               +-+-+-+-+-+-+-+-+
+      !                                               !  Pad Length   !
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      ~                    Integrity Checksum Data                    ~
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+*/
+
+/**
+ * Implementation of payload_t.verify.
+ */
+static status_t verify(private_encryption_payload_t *this)
+{
+	return SUCCESS;
+}
+
+/**
+ * Implementation of payload_t.get_encoding_rules.
+ */
+static void get_encoding_rules(private_encryption_payload_t *this, encoding_rule_t **rules, size_t *rule_count)
+{
+	*rules = encryption_payload_encodings;
+	*rule_count = sizeof(encryption_payload_encodings) / sizeof(encoding_rule_t);
+}
+
+/**
+ * Implementation of payload_t.get_type.
+ */
+static payload_type_t get_type(private_encryption_payload_t *this)
+{
+	return ENCRYPTED;
+}
+
+/**
+ * Implementation of payload_t.get_next_type.
+ */
+static payload_type_t get_next_type(private_encryption_payload_t *this)
+{
+	/* returns first contained payload here */
+	return (this->next_payload);
+}
+
+/**
+ * Implementation of payload_t.set_next_type.
+ */
+static void set_next_type(private_encryption_payload_t *this, payload_type_t type)
+{
+	/* set next type is not allowed, since this payload MUST be the last one
+	 * and so nothing is done in here*/
+}
+
+/**
+ * (re-)compute the lenght of the whole payload
+ */
+static void compute_length(private_encryption_payload_t *this)
+{
+	iterator_t *iterator;
+	payload_t *current_payload;
+	size_t block_size, length = 0;
+	iterator = this->payloads->create_iterator(this->payloads, TRUE);
+
+	/* count payload length */
+	while (iterator->iterate(iterator, (void **) &current_payload))
+	{
+		length += current_payload->get_length(current_payload);
+	}
+	iterator->destroy(iterator);
+
+	if (this->crypter && this->signer)
+	{
+		/* append one byte for padding length */
+		length++;
+		/* append padding */
+		block_size = this->crypter->get_block_size(this->crypter);
+		length += block_size - length % block_size;
+		/* add iv */
+		length += block_size;
+		/* add signature */
+		length += this->signer->get_block_size(this->signer);
+	}
+	length += ENCRYPTION_PAYLOAD_HEADER_LENGTH;
+	this->payload_length = length;
+}
+
+/**
+ * Implementation of payload_t.get_length.
+ */
+static size_t get_length(private_encryption_payload_t *this)
+{
+	compute_length(this);
+	return this->payload_length;
+}
+
+/**
+ * Implementation of payload_t.create_payload_iterator.
+ */
+static  iterator_t *create_payload_iterator (private_encryption_payload_t *this, bool forward)
+{
+	return (this->payloads->create_iterator(this->payloads, forward));
+}
+
+/**
+ * Implementation of payload_t.add_payload.
+ */
+static void add_payload(private_encryption_payload_t *this, payload_t *payload)
+{
+	payload_t *last_payload;
+	if (this->payloads->get_count(this->payloads) > 0)
+	{
+		this->payloads->get_last(this->payloads,(void **) &last_payload);
+		last_payload->set_next_type(last_payload, payload->get_type(payload));
+	}
+	else
+	{
+		this->next_payload = payload->get_type(payload);
+	}
+	payload->set_next_type(payload, NO_PAYLOAD);
+	this->payloads->insert_last(this->payloads, (void*)payload);
+	compute_length(this);
+}
+
+/**
+ * Implementation of encryption_payload_t.remove_first_payload.
+ */
+static status_t remove_first_payload(private_encryption_payload_t *this, payload_t **payload)
+{
+	return this->payloads->remove_first(this->payloads, (void**)payload);
+}
+
+/**
+ * Implementation of encryption_payload_t.get_payload_count.
+ */
+static size_t get_payload_count(private_encryption_payload_t *this)
+{
+	return this->payloads->get_count(this->payloads);
+}
+
+/**
+ * Generate payload before encryption.
+ */
+static void generate(private_encryption_payload_t *this)
+{
+	payload_t *current_payload, *next_payload;
+	generator_t *generator;
+	iterator_t *iterator;
+
+	/* recalculate length before generating */
+	compute_length(this);
+
+	/* create iterator */
+	iterator = this->payloads->create_iterator(this->payloads, TRUE);
+
+	/* get first payload */
+	if (iterator->iterate(iterator, (void**)&current_payload))
+	{
+		this->next_payload = current_payload->get_type(current_payload);
+	}
+	else
+	{
+		/* no paylads? */
+		DBG2(DBG_ENC, "generating contained payloads, but none available");
+		free(this->decrypted.ptr);
+		this->decrypted = chunk_empty;
+		iterator->destroy(iterator);
+		return;
+	}
+
+	generator = generator_create();
+
+	/* build all payload, except last */
+	while(iterator->iterate(iterator, (void**)&next_payload))
+	{
+		current_payload->set_next_type(current_payload, next_payload->get_type(next_payload));
+		generator->generate_payload(generator, current_payload);
+		current_payload = next_payload;
+	}
+	iterator->destroy(iterator);
+
+	/* build last payload */
+	current_payload->set_next_type(current_payload, NO_PAYLOAD);
+	generator->generate_payload(generator, current_payload);
+
+	/* free already generated data */
+	free(this->decrypted.ptr);
+
+	generator->write_to_chunk(generator, &(this->decrypted));
+	generator->destroy(generator);
+	DBG2(DBG_ENC, "successfully generated content in encryption payload");
+}
+
+/**
+ * Implementation of encryption_payload_t.encrypt.
+ */
+static status_t encrypt(private_encryption_payload_t *this)
+{
+	chunk_t iv, padding, to_crypt, result;
+	rng_t *rng;
+	size_t block_size;
+
+	if (this->signer == NULL || this->crypter == NULL)
+	{
+		DBG1(DBG_ENC, "could not encrypt, signer/crypter not set");
+		return INVALID_STATE;
+	}
+
+	/* for random data in iv and padding */
+	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
+	if (!rng)
+	{
+		DBG1(DBG_ENC, "could not encrypt, no RNG found");
+		return FAILED;
+	}
+	/* build payload chunk */
+	generate(this);
+
+	DBG2(DBG_ENC, "encrypting payloads");
+	DBG3(DBG_ENC, "data to encrypt %B", &this->decrypted);
+
+	/* build padding */
+	block_size = this->crypter->get_block_size(this->crypter);
+	padding.len = block_size - ((this->decrypted.len + 1) %  block_size);
+	rng->allocate_bytes(rng, padding.len, &padding);
+
+	/* concatenate payload data, padding, padding len */
+	to_crypt.len = this->decrypted.len + padding.len + 1;
+	to_crypt.ptr = malloc(to_crypt.len);
+
+	memcpy(to_crypt.ptr, this->decrypted.ptr, this->decrypted.len);
+	memcpy(to_crypt.ptr + this->decrypted.len, padding.ptr, padding.len);
+	*(to_crypt.ptr + to_crypt.len - 1) = padding.len;
+
+	/* build iv */
+	iv.len = block_size;
+	rng->allocate_bytes(rng, iv.len, &iv);
+	rng->destroy(rng);
+
+	DBG3(DBG_ENC, "data before encryption with padding %B", &to_crypt);
+
+	/* encrypt to_crypt chunk */
+	free(this->encrypted.ptr);
+	this->crypter->encrypt(this->crypter, to_crypt, iv, &result);
+	free(padding.ptr);
+	free(to_crypt.ptr);
+
+	DBG3(DBG_ENC, "data after encryption %B", &result);
+
+	/* build encrypted result with iv and signature */
+	this->encrypted.len = iv.len + result.len + this->signer->get_block_size(this->signer);
+	free(this->encrypted.ptr);
+	this->encrypted.ptr = malloc(this->encrypted.len);
+
+	/* fill in result, signature is left out */
+	memcpy(this->encrypted.ptr, iv.ptr, iv.len);
+	memcpy(this->encrypted.ptr + iv.len, result.ptr, result.len);
+
+	free(result.ptr);
+	free(iv.ptr);
+	DBG3(DBG_ENC, "data after encryption with IV and (invalid) signature %B",
+		 &this->encrypted);
+
+	return SUCCESS;
+}
+
+/**
+ * Parse the payloads after decryption.
+ */
+static status_t parse(private_encryption_payload_t *this)
+{
+	parser_t *parser;
+	status_t status;
+	payload_type_t current_payload_type;
+
+	/* build a parser on the decrypted data */
+	parser = parser_create(this->decrypted);
+
+	current_payload_type = this->next_payload;
+	/* parse all payloads */
+	while (current_payload_type != NO_PAYLOAD)
+	{
+		payload_t *current_payload;
+
+		status = parser->parse_payload(parser, current_payload_type, (payload_t**)&current_payload);
+		if (status != SUCCESS)
+		{
+			parser->destroy(parser);
+			return PARSE_ERROR;
+		}
+
+		status = current_payload->verify(current_payload);
+		if (status != SUCCESS)
+		{
+			DBG1(DBG_ENC, "%N verification failed",
+				 payload_type_names, current_payload->get_type(current_payload));
+			current_payload->destroy(current_payload);
+			parser->destroy(parser);
+			return VERIFY_ERROR;
+		}
+
+		/* get next payload type */
+		current_payload_type = current_payload->get_next_type(current_payload);
+
+		this->payloads->insert_last(this->payloads,current_payload);
+	}
+	parser->destroy(parser);
+	DBG2(DBG_ENC, "succesfully parsed content of encryption payload");
+	return SUCCESS;
+}
+
+/**
+ * Implementation of encryption_payload_t.encrypt.
+ */
+static status_t decrypt(private_encryption_payload_t *this)
+{
+	chunk_t iv, concatenated;
+	u_int8_t padding_length;
+
+	DBG2(DBG_ENC, "decrypting encryption payload");
+	DBG3(DBG_ENC, "data before decryption with IV and (invalid) signature %B",
+		 &this->encrypted);
+
+	if (this->signer == NULL || this->crypter == NULL)
+	{
+		DBG1(DBG_ENC, "could not decrypt, no crypter/signer set");
+		return INVALID_STATE;
+	}
+
+	/* get IV */
+	iv.len = this->crypter->get_block_size(this->crypter);
+
+	iv.ptr = this->encrypted.ptr;
+
+	/* point concatenated to data + padding + padding_length*/
+	concatenated.ptr = this->encrypted.ptr + iv.len;
+	concatenated.len = this->encrypted.len - iv.len -
+								this->signer->get_block_size(this->signer);
+
+	/* concatenated must be a multiple of block_size of crypter */
+	if (concatenated.len < iv.len || concatenated.len % iv.len)
+	{
+		DBG1(DBG_ENC, "could not decrypt, invalid input");
+		return FAILED;
+	}
+
+	/* free previus data, if any */
+	free(this->decrypted.ptr);
+
+	DBG3(DBG_ENC, "data before decryption %B", &concatenated);
+
+	this->crypter->decrypt(this->crypter, concatenated, iv, &this->decrypted);
+
+	DBG3(DBG_ENC, "data after decryption with padding %B", &this->decrypted);
+
+	/* get padding length, sits just bevore signature */
+	padding_length = *(this->decrypted.ptr + this->decrypted.len - 1);
+	/* add one byte to the padding length, since the padding_length field is
+	 * not included */
+	padding_length++;
+
+	/* check size again */
+	if (padding_length > concatenated.len || padding_length > this->decrypted.len)
+	{
+		DBG1(DBG_ENC, "decryption failed, invalid padding length found. Invalid key?");
+		/* decryption failed :-/ */
+		return FAILED;
+	}
+	this->decrypted.len -= padding_length;
+
+	/* free padding */
+	this->decrypted.ptr = realloc(this->decrypted.ptr, this->decrypted.len);
+	DBG3(DBG_ENC, "data after decryption without padding %B", &this->decrypted);
+	DBG2(DBG_ENC, "decryption successful, trying to parse content");
+	return parse(this);
+}
+
+/**
+ * Implementation of encryption_payload_t.set_transforms.
+ */
+static void set_transforms(private_encryption_payload_t *this, crypter_t* crypter, signer_t* signer)
+{
+	this->signer = signer;
+	this->crypter = crypter;
+}
+
+/**
+ * Implementation of encryption_payload_t.build_signature.
+ */
+static status_t build_signature(private_encryption_payload_t *this, chunk_t data)
+{
+	chunk_t data_without_sig = data;
+	chunk_t sig;
+
+	if (this->signer == NULL)
+	{
+		DBG1(DBG_ENC, "unable to build signature, no signer set");
+		return INVALID_STATE;
+	}
+
+	sig.len = this->signer->get_block_size(this->signer);
+	data_without_sig.len -= sig.len;
+	sig.ptr = data.ptr + data_without_sig.len;
+	DBG2(DBG_ENC, "building signature");
+	this->signer->get_signature(this->signer, data_without_sig, sig.ptr);
+	return SUCCESS;
+}
+
+/**
+ * Implementation of encryption_payload_t.verify_signature.
+ */
+static status_t verify_signature(private_encryption_payload_t *this, chunk_t data)
+{
+	chunk_t sig, data_without_sig;
+	bool valid;
+
+	if (this->signer == NULL)
+	{
+		DBG1(DBG_ENC, "unable to verify signature, no signer set");
+		return INVALID_STATE;
+	}
+	/* find signature in data chunk */
+	sig.len = this->signer->get_block_size(this->signer);
+	if (data.len <= sig.len)
+	{
+		DBG1(DBG_ENC, "unable to verify signature, invalid input");
+		return FAILED;
+	}
+	sig.ptr = data.ptr + data.len - sig.len;
+
+	/* verify it */
+	data_without_sig.len = data.len - sig.len;
+	data_without_sig.ptr = data.ptr;
+	valid = this->signer->verify_signature(this->signer, data_without_sig, sig);
+
+	if (!valid)
+	{
+		DBG1(DBG_ENC, "signature verification failed");
+		return FAILED;
+	}
+
+	DBG2(DBG_ENC, "signature verification successful");
+	return SUCCESS;
+}
+
+/**
+ * Implementation of payload_t.destroy.
+ */
+static void destroy(private_encryption_payload_t *this)
+{
+	this->payloads->destroy_offset(this->payloads, offsetof(payload_t, destroy));
+	free(this->encrypted.ptr);
+	free(this->decrypted.ptr);
+	free(this);
+}
+
+/*
+ * Described in header
+ */
+encryption_payload_t *encryption_payload_create()
+{
+	private_encryption_payload_t *this = malloc_thing(private_encryption_payload_t);
+
+	/* payload_t interface functions */
+	this->public.payload_interface.verify = (status_t (*) (payload_t *))verify;
+	this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules;
+	this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length;
+	this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type;
+	this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
+	this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_type;
+	this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
+
+	/* public functions */
+	this->public.create_payload_iterator = (iterator_t * (*) (encryption_payload_t *,bool)) create_payload_iterator;
+	this->public.add_payload = (void (*) (encryption_payload_t *,payload_t *)) add_payload;
+	this->public.remove_first_payload = (status_t (*)(encryption_payload_t*, payload_t **)) remove_first_payload;
+	this->public.get_payload_count = (size_t (*)(encryption_payload_t*)) get_payload_count;
+
+	this->public.encrypt = (status_t (*) (encryption_payload_t *)) encrypt;
+	this->public.decrypt = (status_t (*) (encryption_payload_t *)) decrypt;
+	this->public.set_transforms = (void (*) (encryption_payload_t*,crypter_t*,signer_t*)) set_transforms;
+	this->public.build_signature = (status_t (*) (encryption_payload_t*, chunk_t)) build_signature;
+	this->public.verify_signature = (status_t (*) (encryption_payload_t*, chunk_t)) verify_signature;
+	this->public.destroy = (void (*) (encryption_payload_t *)) destroy;
+
+	/* set default values of the fields */
+	this->critical = FALSE;
+	this->next_payload = NO_PAYLOAD;
+	this->payload_length = ENCRYPTION_PAYLOAD_HEADER_LENGTH;
+	this->encrypted = chunk_empty;
+	this->decrypted = chunk_empty;
+	this->signer = NULL;
+	this->crypter = NULL;
+	this->payloads = linked_list_create();
+
+	return (&(this->public));
+}
diff --git a/src/libcharon/encoding/payloads/encryption_payload.h b/src/libcharon/encoding/payloads/encryption_payload.h
new file mode 100644
index 000000000..ac5326b87
--- /dev/null
+++ b/src/libcharon/encoding/payloads/encryption_payload.h
@@ -0,0 +1,173 @@
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup encryption_payload encryption_payload
+ * @{ @ingroup payloads
+ */
+
+#ifndef ENCRYPTION_PAYLOAD_H_
+#define ENCRYPTION_PAYLOAD_H_
+
+typedef struct encryption_payload_t encryption_payload_t;
+
+#include <library.h>
+#include <crypto/crypters/crypter.h>
+#include <crypto/signers/signer.h>
+#include <encoding/payloads/payload.h>
+#include <utils/linked_list.h>
+
+/**
+ * Encrpytion payload length in bytes without IV and following data.
+ */
+#define ENCRYPTION_PAYLOAD_HEADER_LENGTH 4
+
+
+/**
+ * The encryption payload as described in RFC section 3.14.
+ *
+ * Before any crypt/decrypt/sign/verify operation can occur,
+ * the transforms must be set. After that, a parsed encryption payload
+ * can be decrypted, which also will parse the contained payloads.
+ * Encryption is done the same way, added payloads will get generated
+ * and then encrypted.
+ * For signature building, there is the FULL packet needed. Meaning it
+ * must be builded after generation of all payloads and the encryption
+ * of the encryption payload.
+ * Signature verificatin is done before decryption.
+ */
+struct encryption_payload_t {
+	/**
+	 * Implements payload_t interface.
+	 */
+	payload_t payload_interface;
+
+	/**
+	 * Creates an iterator for all contained payloads.
+	 *
+	 * iterator_t object has to get destroyed by the caller.
+	 *
+	 * @param forward 		iterator direction (TRUE: front to end)
+	 * return				created iterator_t object
+	 */
+	 iterator_t *(*create_payload_iterator) (encryption_payload_t *this, bool forward);
+
+	/**
+	 * Adds a payload to this encryption payload.
+	 *
+	 * @param payload		payload_t object to add
+	 */
+	void (*add_payload) (encryption_payload_t *this, payload_t *payload);
+
+	/**
+	 * Reove the last payload in the contained payload list.
+	 *
+	 * @param payload		removed payload
+	 * @return
+	 * 						- SUCCESS, or
+	 * 						- NOT_FOUND if list empty
+	 */
+	status_t (*remove_first_payload) (encryption_payload_t *this, payload_t **payload);
+
+	/**
+	 * Get the number of payloads.
+	 *
+	 * @return				number of contained payloads
+	 */
+	size_t (*get_payload_count) (encryption_payload_t *this);
+
+	/**
+	 * Set transforms to use.
+	 *
+	 * To decryption, encryption, signature building and verifying,
+	 * the payload needs a crypter and a signer object.
+	 *
+	 * @warning Do NOT call this function again after encryption, since
+	 * the signer must be the same while encrypting and signature building!
+	 *
+	 * @param crypter		crypter_t to use for data de-/encryption
+	 * @param signer		signer_t to use for data signing/verifying
+	 */
+	void (*set_transforms) (encryption_payload_t *this, crypter_t *crypter, signer_t *signer);
+
+	/**
+	 * Generate and encrypt contained payloads.
+	 *
+	 * This function generates the content for added payloads
+	 * and encrypts them. Signature is not built, since we need
+	 * additional data (the full message).
+	 *
+	 * @return				SUCCESS, or INVALID_STATE if transforms not set
+	 */
+	status_t (*encrypt) (encryption_payload_t *this);
+
+	/**
+	 * Decrypt and parse contained payloads.
+	 *
+	 * This function decrypts the contained data. After,
+	 * the payloads are parsed internally and are accessible
+	 * via the iterator.
+	 *
+	 * @return
+	 * 						- SUCCESS, or
+	 * 						- INVALID_STATE if transforms not set, or
+	 * 						- FAILED if data is invalid
+	 */
+	status_t (*decrypt) (encryption_payload_t *this);
+
+	/**
+	 * Build the signature.
+	 *
+	 * The signature is built over the FULL message, so the header
+	 * and every payload (inclusive this one) must already be generated.
+	 * The generated message is supplied via the data paramater.
+	 *
+	 * @param data			chunk contains the already generated message
+	 * @return
+	 * 						- SUCCESS, or
+	 * 						- INVALID_STATE if transforms not set
+	 */
+	status_t (*build_signature) (encryption_payload_t *this, chunk_t data);
+
+	/**
+	 * Verify the signature.
+	 *
+	 * Since the signature is built over the full message, we need
+	 * this data to do the verification. The message data
+	 * is supplied via the data argument.
+	 *
+	 * @param data			chunk contains the message
+	 * @return
+	 * 						- SUCCESS, or
+	 * 						- FAILED if signature invalid, or
+	 * 						- INVALID_STATE if transforms not set
+	 */
+	status_t (*verify_signature) (encryption_payload_t *this, chunk_t data);
+
+	/**
+	 * Destroys an encryption_payload_t object.
+	 */
+	void (*destroy) (encryption_payload_t *this);
+};
+
+/**
+ * Creates an empty encryption_payload_t object.
+ *
+ * @return encryption_payload_t object
+ */
+encryption_payload_t *encryption_payload_create(void);
+
+#endif /** ENCRYPTION_PAYLOAD_H_ @}*/
diff --git a/src/libcharon/encoding/payloads/endpoint_notify.c b/src/libcharon/encoding/payloads/endpoint_notify.c
new file mode 100644
index 000000000..faec1ea71
--- /dev/null
+++ b/src/libcharon/encoding/payloads/endpoint_notify.c
@@ -0,0 +1,422 @@
+/*
+ * Copyright (C) 2007 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "endpoint_notify.h"
+
+#include <math.h>
+
+#include <daemon.h>
+
+typedef struct private_endpoint_notify_t private_endpoint_notify_t;
+
+/**
+ * Private data of an notify_payload_t object.
+ */
+struct private_endpoint_notify_t {
+	/**
+	 * Public endpoint_notify_t interface.
+	 */
+	endpoint_notify_t public;
+
+	/**
+	 * Priority
+	 */
+	u_int32_t priority;
+
+	/**
+	 * Family
+	 */
+	me_endpoint_family_t family;
+
+	/**
+	 * Endpoint type
+	 */
+	me_endpoint_type_t type;
+
+	/**
+	 * Endpoint
+	 */
+	host_t *endpoint;
+
+	/**
+	 * Base (used for server reflexive endpoints)
+	 */
+	host_t *base;
+};
+
+/*    Notification data:
+                           1                   2                   3
+       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      !                           Priority                            !
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      !     Family    !      Type     !              Port             !
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      !                       IP Address (variable)                   !
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+*/
+
+ENUM(me_endpoint_type_names, HOST, RELAYED,
+	"HOST",
+	"PEER_REFLEXIVE",
+	"SERVER_REFLEXIVE",
+	"RELAYED"
+);
+
+/**
+ * Helper functions to parse integer values
+ */
+static status_t parse_uint8(u_int8_t **cur, u_int8_t *top, u_int8_t *val)
+{
+	if (*cur + sizeof(u_int8_t) > top)
+	{
+		return FAILED;
+	}
+	*val =  *(u_int8_t*)*cur;
+	*cur += sizeof(u_int8_t);
+	return SUCCESS;
+}
+
+static status_t parse_uint16(u_int8_t **cur, u_int8_t *top, u_int16_t *val)
+{
+	if (*cur + sizeof(u_int16_t) > top)
+	{
+		return FAILED;
+	}
+	*val =  ntohs(*(u_int16_t*)*cur);
+	*cur += sizeof(u_int16_t);
+	return SUCCESS;
+}
+
+static status_t parse_uint32(u_int8_t **cur, u_int8_t *top, u_int32_t *val)
+{
+	if (*cur + sizeof(u_int32_t) > top)
+	{
+		return FAILED;
+	}
+	*val =  ntohl(*(u_int32_t*)*cur);
+	*cur += sizeof(u_int32_t);
+	return SUCCESS;
+}
+
+/**
+ * Parses the notification data of a ME_ENDPOINT notify
+ */
+static status_t parse_notification_data(private_endpoint_notify_t *this, chunk_t data)
+{
+	u_int8_t family, type, addr_family;
+	u_int16_t port;
+	chunk_t addr;
+	u_int8_t *cur = data.ptr;
+	u_int8_t *top = data.ptr + data.len;
+
+	DBG3(DBG_IKE, "me_endpoint_data %B", &data);
+
+	if (parse_uint32(&cur, top, &this->priority) != SUCCESS)
+	{
+		DBG1(DBG_IKE, "failed to parse ME_ENDPOINT: invalid priority");
+		return FAILED;
+	}
+
+	if (parse_uint8(&cur, top, &family) != SUCCESS || family >= MAX_FAMILY)
+	{
+		DBG1(DBG_IKE, "failed to parse ME_ENDPOINT: invalid family");
+		return FAILED;
+	}
+	this->family = (me_endpoint_family_t)family;
+
+	if (parse_uint8(&cur, top, &type) != SUCCESS ||
+		type == NO_TYPE || type >= MAX_TYPE)
+	{
+		DBG1(DBG_IKE, "failed to parse ME_ENDPOINT: invalid type");
+		return FAILED;
+	}
+	this->type = (me_endpoint_type_t)type;
+
+	addr_family = AF_INET;
+	addr.len = 4;
+
+	switch(this->family)
+	{
+		case IPv6:
+			addr_family = AF_INET6;
+			addr.len = 16;
+			/* fall-through */
+		case IPv4:
+			if (parse_uint16(&cur, top, &port) != SUCCESS)
+			{
+				DBG1(DBG_IKE, "failed to parse ME_ENDPOINT: invalid port");
+				return FAILED;
+			}
+
+			if (cur + addr.len > top)
+			{
+				DBG1(DBG_IKE, "failed to parse ME_ENDPOINT: invalid IP address");
+				return FAILED;
+			}
+
+			addr.ptr = cur;
+			this->endpoint = host_create_from_chunk(addr_family, addr, port);
+			break;
+		case NO_FAMILY:
+		default:
+			this->endpoint = NULL;
+			break;
+	}
+	return SUCCESS;
+}
+
+
+/**
+ * Generates the notification data of a ME_ENDPOINT notify
+ */
+static chunk_t build_notification_data(private_endpoint_notify_t *this)
+{
+	chunk_t prio_chunk, family_chunk, type_chunk, port_chunk, addr_chunk;
+	chunk_t data;
+	u_int32_t prio;
+	u_int16_t port;
+	u_int8_t family, type;
+
+	prio = htonl(this->priority);
+	prio_chunk = chunk_from_thing(prio);
+	family = this->family;
+	family_chunk = chunk_from_thing(family);
+	type = this->type;
+	type_chunk = chunk_from_thing(type);
+
+	if (this->endpoint)
+	{
+		port = htons(this->endpoint->get_port(this->endpoint));
+		addr_chunk = this->endpoint->get_address(this->endpoint);
+	}
+	else
+	{
+		port = 0;
+		addr_chunk = chunk_empty;
+	}
+	port_chunk = chunk_from_thing(port);
+
+	/* data = prio | family | type | port | addr */
+	data = chunk_cat("ccccc", prio_chunk, family_chunk, type_chunk,
+					 port_chunk, addr_chunk);
+	DBG3(DBG_IKE, "me_endpoint_data %B", &data);
+	return data;
+}
+
+/**
+ * Implementation of endpoint_notify_t.build_notify
+ */
+static notify_payload_t *build_notify(private_endpoint_notify_t *this)
+{
+	chunk_t data;
+	notify_payload_t *notify;
+
+	notify = notify_payload_create();
+	notify->set_notify_type(notify, ME_ENDPOINT);
+	data = build_notification_data(this);
+	notify->set_notification_data(notify, data);
+	chunk_free(&data);
+
+	return notify;
+}
+
+/**
+ * Implementation of endpoint_notify_t.get_priority.
+ */
+static u_int32_t get_priority(private_endpoint_notify_t *this)
+{
+	return this->priority;
+}
+
+/**
+ * Implementation of endpoint_notify_t.set_priority.
+ */
+static void set_priority(private_endpoint_notify_t *this, u_int32_t priority)
+{
+	this->priority = priority;
+}
+
+/**
+ * Implementation of endpoint_notify_t.get_type.
+ */
+static me_endpoint_type_t get_type(private_endpoint_notify_t *this)
+{
+	return this->type;
+}
+
+/**
+ * Implementation of endpoint_notify_t.get_family.
+ */
+static me_endpoint_family_t get_family(private_endpoint_notify_t *this)
+{
+	return this->family;
+}
+
+/**
+ * Implementation of endpoint_notify_t.get_host.
+ */
+static host_t *get_host(private_endpoint_notify_t *this)
+{
+	return this->endpoint;
+}
+
+/**
+ * Implementation of endpoint_notify_t.get_base.
+ */
+static host_t *get_base(private_endpoint_notify_t *this)
+{
+	return (!this->base) ? this->endpoint : this->base;
+}
+
+/**
+ * Implementation of endpoint_notify_t.clone.
+ */
+static endpoint_notify_t *_clone(private_endpoint_notify_t *this)
+{
+	private_endpoint_notify_t *clone = (private_endpoint_notify_t*)endpoint_notify_create();
+
+	clone->priority = this->priority;
+	clone->type = this->type;
+	clone->family = this->family;
+	if (this->endpoint)
+	{
+		clone->endpoint = this->endpoint->clone(this->endpoint);
+	}
+
+	if (this->base)
+	{
+		clone->base = this->base->clone(this->base);
+	}
+
+	return &clone->public;
+}
+
+/**
+ * Implementation of endpoint_notify_t.destroy.
+ */
+static status_t destroy(private_endpoint_notify_t *this)
+{
+	DESTROY_IF(this->endpoint);
+	DESTROY_IF(this->base);
+	free(this);
+	return SUCCESS;
+}
+
+/*
+ * Described in header
+ */
+endpoint_notify_t *endpoint_notify_create()
+{
+	private_endpoint_notify_t *this = malloc_thing(private_endpoint_notify_t);
+
+	/* public functions */
+	this->public.get_priority = (u_int32_t (*) (endpoint_notify_t *)) get_priority;
+	this->public.set_priority = (void (*) (endpoint_notify_t *, u_int32_t)) set_priority;
+	this->public.get_type = (me_endpoint_type_t (*) (endpoint_notify_t *)) get_type;
+	this->public.get_family = (me_endpoint_family_t (*) (endpoint_notify_t *)) get_family;
+	this->public.get_host = (host_t *(*) (endpoint_notify_t *)) get_host;
+	this->public.get_base = (host_t *(*) (endpoint_notify_t *)) get_base;
+	this->public.build_notify = (notify_payload_t *(*) (endpoint_notify_t *)) build_notify;
+	this->public.clone = (endpoint_notify_t *(*) (endpoint_notify_t *)) _clone;
+	this->public.destroy = (void (*) (endpoint_notify_t *)) destroy;
+
+	/* set default values of the fields */
+	this->priority = 0;
+	this->family = NO_FAMILY;
+	this->type = NO_TYPE;
+	this->endpoint = NULL;
+	this->base = NULL;
+
+	return &this->public;
+}
+
+/**
+ * Described in header
+ */
+endpoint_notify_t *endpoint_notify_create_from_host(me_endpoint_type_t type, host_t *host, host_t *base)
+{
+	private_endpoint_notify_t *this = (private_endpoint_notify_t*)endpoint_notify_create();
+
+	this->type = type;
+
+	switch(type)
+	{
+		case HOST:
+			this->priority = pow(2, 16) * ME_PRIO_HOST;
+			break;
+		case PEER_REFLEXIVE:
+			this->priority = pow(2, 16) * ME_PRIO_PEER;
+			break;
+		case SERVER_REFLEXIVE:
+			this->priority = pow(2, 16) * ME_PRIO_SERVER;
+			break;
+		case RELAYED:
+		default:
+			this->priority = pow(2, 16) * ME_PRIO_RELAY;
+			break;
+	}
+
+	/* FIXME: if there is more than one ip address we should vary this priority */
+	this->priority += 65535;
+
+	if (!host)
+	{
+		return &this->public;
+	}
+
+	switch(host->get_family(host))
+	{
+		case AF_INET:
+			this->family = IPv4;
+			break;
+		case AF_INET6:
+			this->family = IPv6;
+			break;
+		default:
+			/* unsupported family type, we do not set the host
+			 * (family is set to NO_FAMILY) */
+			return &this->public;
+	}
+
+	this->endpoint = host->clone(host);
+
+	if (base)
+	{
+		this->base = base->clone(base);
+	}
+
+	return &this->public;
+}
+
+/**
+ * Described in header
+ */
+endpoint_notify_t *endpoint_notify_create_from_payload(notify_payload_t *notify)
+{
+	if (notify->get_notify_type(notify) != ME_ENDPOINT)
+	{
+		return NULL;
+	}
+
+	private_endpoint_notify_t *this = (private_endpoint_notify_t*)endpoint_notify_create();
+	chunk_t data = notify->get_notification_data(notify);
+	if (parse_notification_data(this, data) != SUCCESS)
+	{
+		destroy(this);
+		return NULL;
+	}
+	return &this->public;
+}
diff --git a/src/libcharon/encoding/payloads/endpoint_notify.h b/src/libcharon/encoding/payloads/endpoint_notify.h
new file mode 100644
index 000000000..120eef49a
--- /dev/null
+++ b/src/libcharon/encoding/payloads/endpoint_notify.h
@@ -0,0 +1,173 @@
+/*
+ * Copyright (C) 2007 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup endpoint_notify endpoint_notify
+ * @{ @ingroup payloads
+ */
+
+#ifndef ENDPOINT_NOTIFY_H_
+#define ENDPOINT_NOTIFY_H_
+
+#define ME_PRIO_HOST   255
+#define ME_PRIO_PEER   128
+#define ME_PRIO_SERVER 64
+#define ME_PRIO_RELAY  0
+
+typedef enum me_endpoint_family_t me_endpoint_family_t;
+typedef enum me_endpoint_type_t me_endpoint_type_t;
+typedef struct endpoint_notify_t endpoint_notify_t;
+
+#include <encoding/payloads/notify_payload.h>
+
+/**
+ * ME endpoint families.
+ */
+enum me_endpoint_family_t {
+
+	NO_FAMILY = 0,
+
+	IPv4 = 1,
+
+	IPv6 = 2,
+
+	MAX_FAMILY = 3
+
+};
+
+/**
+ * ME endpoint types.
+ */
+enum me_endpoint_type_t {
+
+	NO_TYPE = 0,
+
+	HOST = 1,
+
+	PEER_REFLEXIVE = 2,
+
+	SERVER_REFLEXIVE = 3,
+
+	RELAYED = 4,
+
+	MAX_TYPE = 5
+
+};
+
+/**
+ * enum name for me_endpoint_type_t.
+ */
+extern enum_name_t *me_endpoint_type_names;
+
+/**
+ * Class representing a ME_ENDPOINT Notify payload. In fact it's not
+ * the notify per se, but the notification data of that notify that is
+ * handled with this class.
+ */
+struct endpoint_notify_t {
+	/**
+	 * Returns the priority of this endpoint.
+	 *
+	 * @return			priority
+	 */
+	u_int32_t (*get_priority) (endpoint_notify_t *this);
+
+	/**
+	 * Sets the priority of this endpoint.
+	 *
+	 * @param priority	priority
+	 */
+	void (*set_priority) (endpoint_notify_t *this, u_int32_t priority);
+
+	/**
+	 * Returns the endpoint type of this endpoint.
+	 *
+	 * @return			endpoint type
+	 */
+	me_endpoint_type_t (*get_type) (endpoint_notify_t *this);
+
+	/**
+	 * Returns the endpoint family of this endpoint.
+	 *
+	 * @return			endpoint family
+	 */
+	me_endpoint_family_t (*get_family) (endpoint_notify_t *this);
+
+	/**
+	 * Returns the host of this endpoint.
+	 *
+	 * @return			host
+	 */
+	host_t *(*get_host) (endpoint_notify_t *this);
+
+	/**
+	 * Returns the base of this endpoint.
+	 *
+	 * If this is not a SERVER_REFLEXIVE endpoint, the returned host is the same
+	 * as the one returned by get_host.
+	 *
+	 * @return			host
+	 */
+	host_t *(*get_base) (endpoint_notify_t *this);
+
+	/**
+	 * Generates a notification payload from this endpoint.
+	 *
+	 * @return 			built notify_payload_t
+	 */
+	notify_payload_t *(*build_notify) (endpoint_notify_t *this);
+
+	/**
+	 * Clones an endpoint_notify_t object.
+	 *
+	 * @return			cloned object
+	 */
+	endpoint_notify_t *(*clone) (endpoint_notify_t *this);
+
+	/**
+	 * Destroys an endpoint_notify_t object.
+	 */
+	void (*destroy) (endpoint_notify_t *this);
+};
+
+/**
+ * Creates an empty endpoint_notify_t object.
+ *
+ * @return			created endpoint_notify_t object
+ */
+endpoint_notify_t *endpoint_notify_create(void);
+
+
+/**
+ * Creates an endpoint_notify_t object from a host.
+ *
+ * @param type		the endpoint type
+ * @param host		host to base the notify on (gets cloned)
+ * @param base		base of the endpoint, applies only to reflexive endpoints (gets cloned)
+ * @return			created endpoint_notify_t object
+ */
+endpoint_notify_t *endpoint_notify_create_from_host(me_endpoint_type_t type,
+													host_t *host, host_t *base);
+
+/**
+ * Creates an endpoint_notify_t object from a notify payload.
+ *
+ * @param notify	the notify payload
+ * @return			- created endpoint_notify_t object
+ * 					- NULL if invalid payload
+ */
+endpoint_notify_t *endpoint_notify_create_from_payload(notify_payload_t *notify);
+
+#endif /** ENDPOINT_NOTIFY_H_ @}*/
diff --git a/src/libcharon/encoding/payloads/id_payload.c b/src/libcharon/encoding/payloads/id_payload.c
new file mode 100644
index 000000000..4158c3e07
--- /dev/null
+++ b/src/libcharon/encoding/payloads/id_payload.c
@@ -0,0 +1,293 @@
+/*
+ * Copyright (C) 2007 Tobias Brunner
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ *
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <stddef.h>
+
+#include "id_payload.h"
+
+#include <daemon.h>
+#include <encoding/payloads/encodings.h>
+
+typedef struct private_id_payload_t private_id_payload_t;
+
+/**
+ * Private data of an id_payload_t object.
+ *
+ */
+struct private_id_payload_t {
+	/**
+	 * Public id_payload_t interface.
+	 */
+	id_payload_t public;
+
+	/**
+	 * one of ID_INITIATOR, ID_RESPONDER
+	 */
+	payload_type_t payload_type;
+
+	/**
+	 * Next payload type.
+	 */
+	u_int8_t next_payload;
+
+	/**
+	 * Critical flag.
+	 */
+	bool critical;
+
+	/**
+	 * Length of this payload.
+	 */
+	u_int16_t payload_length;
+
+	/**
+	 * Type of the ID Data.
+	 */
+	u_int8_t id_type;
+
+	/**
+	 * The contained id data value.
+	 */
+	chunk_t id_data;
+};
+
+/**
+ * Encoding rules to parse or generate a ID payload
+ *
+ * The defined offsets are the positions in a object of type
+ * private_id_payload_t.
+ *
+ */
+encoding_rule_t id_payload_encodings[] = {
+	/* 1 Byte next payload type, stored in the field next_payload */
+	{ U_INT_8,			offsetof(private_id_payload_t, next_payload) 	},
+	/* the critical bit */
+	{ FLAG,				offsetof(private_id_payload_t, critical) 		},
+	/* 7 Bit reserved bits, nowhere stored */
+	{ RESERVED_BIT,	0 													},
+	{ RESERVED_BIT,	0 													},
+	{ RESERVED_BIT,	0 													},
+	{ RESERVED_BIT,	0 													},
+	{ RESERVED_BIT,	0 													},
+	{ RESERVED_BIT,	0 													},
+	{ RESERVED_BIT,	0 													},
+	/* Length of the whole payload*/
+	{ PAYLOAD_LENGTH,	offsetof(private_id_payload_t, payload_length) 	},
+	/* 1 Byte ID type*/
+	{ U_INT_8,			offsetof(private_id_payload_t, id_type)			},
+	/* 3 reserved bytes */
+	{ RESERVED_BYTE,	0 												},
+	{ RESERVED_BYTE,	0 												},
+	{ RESERVED_BYTE,	0 												},
+	/* some id data bytes, length is defined in PAYLOAD_LENGTH */
+	{ ID_DATA,			offsetof(private_id_payload_t, id_data) 		}
+};
+
+/*
+                           1                   2                   3
+       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      ! Next Payload  !C!  RESERVED   !         Payload Length        !
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      !   ID Type     !                 RESERVED                      |
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      !                                                               !
+      ~                   Identification Data                         ~
+      !                                                               !
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+*/
+
+/**
+ * Implementation of payload_t.verify.
+ */
+static status_t verify(private_id_payload_t *this)
+{
+	if ((this->id_type == 0) ||
+		(this->id_type == 4) ||
+		((this->id_type >= 6) && (this->id_type <= 8)) ||
+		((this->id_type >= 12) && (this->id_type <= 200)))
+	{
+		/* reserved IDs */
+		DBG1(DBG_ENC, "received ID with reserved type %d", this->id_type);
+		return FAILED;
+	}
+
+	return SUCCESS;
+}
+
+/**
+ * Implementation of id_payload_t.get_encoding_rules.
+ */
+static void get_encoding_rules(private_id_payload_t *this, encoding_rule_t **rules, size_t *rule_count)
+{
+	*rules = id_payload_encodings;
+	*rule_count = sizeof(id_payload_encodings) / sizeof(encoding_rule_t);
+}
+
+/**
+ * Implementation of payload_t.get_type.
+ */
+static payload_type_t get_payload_type(private_id_payload_t *this)
+{
+	return this->payload_type;
+}
+
+/**
+ * Implementation of payload_t.get_next_type.
+ */
+static payload_type_t get_next_type(private_id_payload_t *this)
+{
+	return this->next_payload;
+}
+
+/**
+ * Implementation of payload_t.set_next_type.
+ */
+static void set_next_type(private_id_payload_t *this,payload_type_t type)
+{
+	this->next_payload = type;
+}
+
+/**
+ * Implementation of payload_t.get_length.
+ */
+static size_t get_length(private_id_payload_t *this)
+{
+	return this->payload_length;
+}
+
+/**
+ * Implementation of id_payload_t.set_type.
+ */
+static void set_id_type (private_id_payload_t *this, id_type_t type)
+{
+	this->id_type = type;
+}
+
+/**
+ * Implementation of id_payload_t.get_id_type.
+ */
+static id_type_t get_id_type (private_id_payload_t *this)
+{
+	return (this->id_type);
+}
+
+/**
+ * Implementation of id_payload_t.set_data.
+ */
+static void set_data (private_id_payload_t *this, chunk_t data)
+{
+	if (this->id_data.ptr != NULL)
+	{
+		chunk_free(&(this->id_data));
+	}
+	this->id_data.ptr = clalloc(data.ptr,data.len);
+	this->id_data.len = data.len;
+	this->payload_length = ID_PAYLOAD_HEADER_LENGTH + this->id_data.len;
+}
+
+
+/**
+ * Implementation of id_payload_t.get_data_clone.
+ */
+static chunk_t get_data (private_id_payload_t *this)
+{
+	return (this->id_data);
+}
+
+/**
+ * Implementation of id_payload_t.get_data_clone.
+ */
+static chunk_t get_data_clone (private_id_payload_t *this)
+{
+	chunk_t cloned_data;
+	if (this->id_data.ptr == NULL)
+	{
+		return (this->id_data);
+	}
+	cloned_data.ptr = clalloc(this->id_data.ptr,this->id_data.len);
+	cloned_data.len = this->id_data.len;
+	return cloned_data;
+}
+
+/**
+ * Implementation of id_payload_t.get_identification.
+ */
+static identification_t *get_identification (private_id_payload_t *this)
+{
+	return identification_create_from_encoding(this->id_type,this->id_data);
+}
+
+/**
+ * Implementation of payload_t.destroy and id_payload_t.destroy.
+ */
+static void destroy(private_id_payload_t *this)
+{
+	if (this->id_data.ptr != NULL)
+	{
+		chunk_free(&(this->id_data));
+	}
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+id_payload_t *id_payload_create(payload_type_t payload_type)
+{
+	private_id_payload_t *this = malloc_thing(private_id_payload_t);
+
+	/* interface functions */
+	this->public.payload_interface.verify = (status_t (*) (payload_t *))verify;
+	this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules;
+	this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length;
+	this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type;
+	this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
+	this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_payload_type;
+	this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
+
+	/* public functions */
+	this->public.destroy = (void (*) (id_payload_t *)) destroy;
+	this->public.set_id_type = (void (*) (id_payload_t *,id_type_t)) set_id_type;
+	this->public.get_id_type = (id_type_t (*) (id_payload_t *)) get_id_type;
+	this->public.set_data = (void (*) (id_payload_t *,chunk_t)) set_data;
+	this->public.get_data = (chunk_t (*) (id_payload_t *)) get_data;
+	this->public.get_data_clone = (chunk_t (*) (id_payload_t *)) get_data_clone;
+
+	this->public.get_identification = (identification_t * (*) (id_payload_t *this)) get_identification;
+
+	/* private variables */
+	this->critical = FALSE;
+	this->next_payload = NO_PAYLOAD;
+	this->payload_length =ID_PAYLOAD_HEADER_LENGTH;
+	this->id_data = chunk_empty;
+	this->payload_type = payload_type;
+
+	return (&(this->public));
+}
+
+/*
+ * Described in header.
+ */
+id_payload_t *id_payload_create_from_identification(payload_type_t payload_type, identification_t *identification)
+{
+	id_payload_t *this= id_payload_create(payload_type);
+	this->set_data(this,identification->get_encoding(identification));
+	this->set_id_type(this,identification->get_type(identification));
+	return this;
+}
diff --git a/src/libcharon/encoding/payloads/id_payload.h b/src/libcharon/encoding/payloads/id_payload.h
new file mode 100644
index 000000000..5502dc961
--- /dev/null
+++ b/src/libcharon/encoding/payloads/id_payload.h
@@ -0,0 +1,122 @@
+/*
+ * Copyright (C) 2007 Tobias Brunner
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup id_payload id_payload
+ * @{ @ingroup payloads
+ */
+
+#ifndef ID_PAYLOAD_H_
+#define ID_PAYLOAD_H_
+
+typedef struct id_payload_t id_payload_t;
+
+#include <library.h>
+#include <utils/identification.h>
+#include <encoding/payloads/payload.h>
+
+/**
+ * Length of a id payload without the data in bytes.
+ */
+#define ID_PAYLOAD_HEADER_LENGTH 8
+
+/**
+ * Object representing an IKEv2 ID payload.
+ *
+ * The ID payload format is described in RFC section 3.5.
+ */
+struct id_payload_t {
+	/**
+	 * The payload_t interface.
+	 */
+	payload_t payload_interface;
+
+	/**
+	 * Set the ID type.
+	 *
+	 * @param type			Type of ID
+	 */
+	void (*set_id_type) (id_payload_t *this, id_type_t type);
+
+	/**
+	 * Get the ID type.
+	 *
+	 * @return				type of the ID
+	 */
+	id_type_t (*get_id_type) (id_payload_t *this);
+
+	/**
+	 * Set the ID data.
+	 *
+	 * Data are getting cloned.
+	 *
+	 * @param data			ID data as chunk_t
+	 */
+	void (*set_data) (id_payload_t *this, chunk_t data);
+
+	/**
+	 * Get the ID data.
+	 *
+	 * Returned data are a copy of the internal one
+	 *
+	 * @return				ID data as chunk_t
+	 */
+	chunk_t (*get_data_clone) (id_payload_t *this);
+
+	/**
+	 * Get the ID data.
+	 *
+	 * Returned data are NOT copied.
+	 *
+	 * @return				ID data as chunk_t
+	 */
+	chunk_t (*get_data) (id_payload_t *this);
+
+	/**
+	 * Creates an identification object of this id payload.
+	 *
+	 * Returned object has to get destroyed by the caller.
+	 *
+	 * @return				identification_t object
+	 */
+	identification_t *(*get_identification) (id_payload_t *this);
+
+	/**
+	 * Destroys an id_payload_t object.
+	 */
+	void (*destroy) (id_payload_t *this);
+};
+
+/**
+ * Creates an empty id_payload_t object.
+ *
+ * @param payload_type	one of ID_INITIATOR, ID_RESPONDER
+ * @return				id_payload_t object
+ */
+id_payload_t *id_payload_create(payload_type_t payload_type);
+
+/**
+ * Creates an id_payload_t from an existing identification_t object.
+ *
+ * @param payload_type		one of ID_INITIATOR, ID_RESPONDER
+ * @param identification	identification_t object
+ * @return					id_payload_t object
+ */
+id_payload_t *id_payload_create_from_identification(payload_type_t payload_type,
+											identification_t *identification);
+
+#endif /** ID_PAYLOAD_H_ @}*/
diff --git a/src/libcharon/encoding/payloads/ike_header.c b/src/libcharon/encoding/payloads/ike_header.c
new file mode 100644
index 000000000..735f01304
--- /dev/null
+++ b/src/libcharon/encoding/payloads/ike_header.c
@@ -0,0 +1,415 @@
+/*
+ * Copyright (C) 2007 Tobias Brunner
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/* offsetof macro */
+#include <stddef.h>
+
+#include "ike_header.h"
+
+#include <encoding/payloads/encodings.h>
+
+
+typedef struct private_ike_header_t private_ike_header_t;
+
+/**
+ * Private data of an ike_header_t object.
+ */
+struct private_ike_header_t {
+	/**
+	 * Public interface.
+	 */
+	ike_header_t public;
+
+	/**
+	 * SPI of the initiator.
+	 */
+	u_int64_t initiator_spi;
+
+	/**
+	 * SPI of the responder.
+	 */
+	u_int64_t responder_spi;
+
+	/**
+	 * Next payload type.
+	 */
+	u_int8_t  next_payload;
+	/**
+	 * IKE major version.
+	 */
+	u_int8_t  maj_version;
+
+	/**
+	 * IKE minor version.
+	 */
+	u_int8_t  min_version;
+
+	/**
+	 * Exchange type .
+	 */
+	u_int8_t  exchange_type;
+
+	/**
+	 * Flags of the Message.
+	 */
+	struct {
+		/**
+		 * Sender is initiator of the associated IKE_SA_INIT-Exchange.
+		 */
+		bool initiator;
+
+		/**
+		 * Is protocol supporting higher version?
+		 */
+		bool version;
+
+		/**
+		 * TRUE, if this is a response, FALSE if its a Request.
+		 */
+		bool response;
+	} flags;
+
+	/**
+	 * Associated Message-ID.
+	 */
+	u_int32_t message_id;
+
+	/**
+	 * Length of the whole IKEv2-Message (header and all payloads).
+	 */
+	u_int32_t length;
+};
+
+ENUM_BEGIN(exchange_type_names, EXCHANGE_TYPE_UNDEFINED, EXCHANGE_TYPE_UNDEFINED,
+	"EXCHANGE_TYPE_UNDEFINED");
+ENUM_NEXT(exchange_type_names, IKE_SA_INIT, INFORMATIONAL, EXCHANGE_TYPE_UNDEFINED,
+	"IKE_SA_INIT",
+	"IKE_AUTH",
+	"CREATE_CHILD_SA",
+	"INFORMATIONAL");
+#ifdef ME
+ENUM_NEXT(exchange_type_names, ME_CONNECT, ME_CONNECT, INFORMATIONAL,
+	"ME_CONNECT");
+ENUM_END(exchange_type_names, ME_CONNECT);
+#else
+ENUM_END(exchange_type_names, INFORMATIONAL);
+#endif /* ME */
+
+/**
+ * Encoding rules to parse or generate a IKEv2-Header.
+ *
+ * The defined offsets are the positions in a object of type
+ * ike_header_t.
+ */
+encoding_rule_t ike_header_encodings[] = {
+	/* 8 Byte SPI, stored in the field initiator_spi */
+	{ IKE_SPI,		offsetof(private_ike_header_t, initiator_spi)	},
+	/* 8 Byte SPI, stored in the field responder_spi */
+	{ IKE_SPI,		offsetof(private_ike_header_t, responder_spi) 	},
+	/* 1 Byte next payload type, stored in the field next_payload */
+	{ U_INT_8,		offsetof(private_ike_header_t, next_payload) 	},
+	/* 4 Bit major version, stored in the field maj_version */
+	{ U_INT_4,		offsetof(private_ike_header_t, maj_version) 	},
+	/* 4 Bit minor version, stored in the field min_version */
+	{ U_INT_4,		offsetof(private_ike_header_t, min_version) 	},
+	/* 8 Bit for the exchange type */
+	{ U_INT_8,		offsetof(private_ike_header_t, exchange_type) 	},
+	/* 2 Bit reserved bits, nowhere stored */
+	{ RESERVED_BIT,	0 										},
+	{ RESERVED_BIT,	0 										},
+	/* 3 Bit flags, stored in the fields response, version and initiator */
+	{ FLAG,			offsetof(private_ike_header_t, flags.response) 	},
+	{ FLAG,			offsetof(private_ike_header_t, flags.version) 	},
+	{ FLAG,			offsetof(private_ike_header_t, flags.initiator) },
+	/* 3 Bit reserved bits, nowhere stored */
+	{ RESERVED_BIT,	0 										},
+	{ RESERVED_BIT,	0 										},
+	{ RESERVED_BIT,	0 										},
+	/* 4 Byte message id, stored in the field message_id */
+	{ U_INT_32,		offsetof(private_ike_header_t, message_id) 		},
+	/* 4 Byte length fied, stored in the field length */
+	{ HEADER_LENGTH,	offsetof(private_ike_header_t, length) 			}
+};
+
+
+/*                           1                   2                   3
+       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      !                       IKE_SA Initiator's SPI                  !
+      !                                                               !
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      !                       IKE_SA Responder's SPI                  !
+      !                                                               !
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      !  Next Payload ! MjVer ! MnVer ! Exchange Type !     Flags     !
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      !                          Message ID                           !
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      !                            Length                             !
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+*/
+
+
+/**
+ * Implementation of payload_t.verify.
+ */
+static status_t verify(private_ike_header_t *this)
+{
+	if ((this->exchange_type < IKE_SA_INIT) ||
+		((this->exchange_type > INFORMATIONAL)
+#ifdef ME
+			&& (this->exchange_type != ME_CONNECT)
+#endif /* ME */
+		))
+	{
+		/* unsupported exchange type */
+		return FAILED;
+	}
+
+	if (this->initiator_spi == 0
+#ifdef ME
+		/* we allow zero spi for INFORMATIONAL exchanges,
+		 * to allow connectivity checks */
+		&& this->exchange_type != INFORMATIONAL
+#endif /* ME */
+		)
+	{
+		/* initiator spi not set */
+		return FAILED;
+	}
+
+	/* verification of version is not done in here */
+
+	return SUCCESS;
+}
+
+/**
+ * Implementation of payload_t.set_next_type.
+ */
+static void set_next_type(payload_t *this,payload_type_t type)
+{
+	((private_ike_header_t *)this)->next_payload = type;
+}
+/**
+ * Implementation of ike_header_t.get_initiator_spi.
+ */
+static u_int64_t get_initiator_spi(private_ike_header_t *this)
+{
+	return this->initiator_spi;
+}
+
+/**
+ * Implementation of ike_header_t.set_initiator_spi.
+ */
+static void set_initiator_spi(private_ike_header_t *this, u_int64_t initiator_spi)
+{
+	this->initiator_spi = initiator_spi;
+}
+
+/**
+ * Implementation of ike_header_t.get_responder_spi.
+ */
+static u_int64_t get_responder_spi(private_ike_header_t *this)
+{
+	return this->responder_spi;
+}
+
+/**
+ * Implementation of ike_header_t.set_responder_spi.
+ */
+static void set_responder_spi(private_ike_header_t *this, u_int64_t responder_spi)
+{
+	this->responder_spi = responder_spi;
+}
+
+/**
+ * Implementation of ike_header_t.get_maj_version.
+ */
+static u_int8_t get_maj_version(private_ike_header_t *this)
+{
+	return this->maj_version;
+}
+
+/**
+ * Implementation of ike_header_t.get_min_version.
+ */
+static u_int8_t get_min_version(private_ike_header_t *this)
+{
+	return this->min_version;
+}
+
+/**
+ * Implementation of ike_header_t.get_response_flag.
+ */
+static bool get_response_flag(private_ike_header_t *this)
+{
+	return this->flags.response;
+}
+
+/**
+ * Implementation of ike_header_t.set_response_flag.
+ */
+static void set_response_flag(private_ike_header_t *this, bool response)
+{
+	this->flags.response = response;
+}
+
+/**
+ * Implementation of ike_header_t.get_version_flag.
+ */
+static bool get_version_flag(private_ike_header_t *this)
+{
+	return this->flags.version;
+}
+
+/**
+ * Implementation of ike_header_t.get_initiator_flag.
+ */
+static bool get_initiator_flag(private_ike_header_t *this)
+{
+	return this->flags.initiator;
+}
+
+/**
+ * Implementation of ike_header_t.set_initiator_flag.
+ */
+static void set_initiator_flag(private_ike_header_t *this, bool initiator)
+{
+	this->flags.initiator = initiator;
+}
+
+/**
+ * Implementation of ike_header_t.get_exchange_type.
+ */
+static u_int8_t get_exchange_type(private_ike_header_t *this)
+{
+	return this->exchange_type;
+}
+
+/**
+ * Implementation of ike_header_t.set_exchange_type.
+ */
+static void set_exchange_type(private_ike_header_t *this, u_int8_t exchange_type)
+{
+	this->exchange_type = exchange_type;
+}
+
+/**
+ * Implements ike_header_t's get_message_id function.
+ * See #ike_header_t.get_message_id  for description.
+ */
+static u_int32_t get_message_id(private_ike_header_t *this)
+{
+	return this->message_id;
+}
+
+/**
+ * Implementation of ike_header_t.set_message_id.
+ */
+static void set_message_id(private_ike_header_t *this, u_int32_t message_id)
+{
+	this->message_id = message_id;
+}
+
+/**
+ * Implementation of ike_header_t.destroy and payload_t.destroy.
+ */
+static void destroy(ike_header_t *this)
+{
+	free(this);
+}
+
+/**
+ * Implementation of payload_t.get_encoding_rules.
+ */
+static void get_encoding_rules(payload_t *this, encoding_rule_t **rules, size_t *rule_count)
+{
+	*rules = ike_header_encodings;
+	*rule_count = sizeof(ike_header_encodings) / sizeof(encoding_rule_t);
+}
+
+/**
+ * Implementation of payload_t.get_type.
+ */
+static payload_type_t get_type(payload_t *this)
+{
+	return HEADER;
+}
+
+/**
+ * Implementation of payload_t.get_next_type.
+ */
+static payload_type_t get_next_type(payload_t *this)
+{
+	return (((private_ike_header_t*)this)->next_payload);
+}
+
+/**
+ * Implementation of payload_t.get_length.
+ */
+static size_t get_length(payload_t *this)
+{
+	return (((private_ike_header_t*)this)->length);
+}
+
+/*
+ * Described in header.
+ */
+ike_header_t *ike_header_create()
+{
+	private_ike_header_t *this = malloc_thing(private_ike_header_t);
+
+	this->public.payload_interface.verify = (status_t (*) (payload_t *))verify;
+	this->public.payload_interface.get_encoding_rules = get_encoding_rules;
+	this->public.payload_interface.get_length = get_length;
+	this->public.payload_interface.get_next_type = get_next_type;
+	this->public.payload_interface.set_next_type = set_next_type;
+	this->public.payload_interface.get_type = get_type;
+	this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
+	this->public.destroy = destroy;
+
+	this->public.get_initiator_spi = (u_int64_t (*) (ike_header_t*))get_initiator_spi;
+	this->public.set_initiator_spi = (void (*) (ike_header_t*,u_int64_t))set_initiator_spi;
+	this->public.get_responder_spi = (u_int64_t (*) (ike_header_t*))get_responder_spi;
+	this->public.set_responder_spi = (void (*) (ike_header_t *,u_int64_t))set_responder_spi;
+	this->public.get_maj_version = (u_int8_t (*) (ike_header_t*))get_maj_version;
+	this->public.get_min_version = (u_int8_t (*) (ike_header_t*))get_min_version;
+	this->public.get_response_flag = (bool (*) (ike_header_t*))get_response_flag;
+	this->public.set_response_flag = (void (*) (ike_header_t*,bool))set_response_flag;
+	this->public.get_version_flag = (bool (*) (ike_header_t*))get_version_flag;
+	this->public.get_initiator_flag = (bool (*) (ike_header_t*))get_initiator_flag;
+	this->public.set_initiator_flag = (void (*) (ike_header_t*,bool))set_initiator_flag;
+	this->public.get_exchange_type = (u_int8_t (*) (ike_header_t*))get_exchange_type;
+	this->public.set_exchange_type = (void (*) (ike_header_t*,u_int8_t))set_exchange_type;
+	this->public.get_message_id = (u_int32_t (*) (ike_header_t*))get_message_id;
+	this->public.set_message_id = (void (*) (ike_header_t*,u_int32_t))set_message_id;
+
+	/* set default values of the fields */
+	this->initiator_spi = 0;
+	this->responder_spi = 0;
+	this->next_payload = 0;
+	this->maj_version = IKE_MAJOR_VERSION;
+	this->min_version = IKE_MINOR_VERSION;
+	this->exchange_type = EXCHANGE_TYPE_UNDEFINED;
+	this->flags.initiator = TRUE;
+	this->flags.version = HIGHER_VERSION_SUPPORTED_FLAG;
+	this->flags.response = FALSE;
+	this->message_id = 0;
+	this->length = IKE_HEADER_LENGTH;
+
+	return (ike_header_t*)this;
+}
diff --git a/src/libcharon/encoding/payloads/ike_header.h b/src/libcharon/encoding/payloads/ike_header.h
new file mode 100644
index 000000000..e63e8bf06
--- /dev/null
+++ b/src/libcharon/encoding/payloads/ike_header.h
@@ -0,0 +1,227 @@
+/*
+ * Copyright (C) 2007 Tobias Brunner
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ike_header ike_header
+ * @{ @ingroup payloads
+ */
+
+#ifndef IKE_HEADER_H_
+#define IKE_HEADER_H_
+
+typedef enum exchange_type_t exchange_type_t;
+typedef struct ike_header_t ike_header_t;
+
+#include <library.h>
+#include <encoding/payloads/payload.h>
+
+/**
+ * Major Version of IKEv2.
+ */
+#define IKE_MAJOR_VERSION 2
+
+/**
+ * Minor Version of IKEv2.
+ */
+#define IKE_MINOR_VERSION 0
+
+/**
+ * Flag in IKEv2-Header. Always 0.
+ */
+#define HIGHER_VERSION_SUPPORTED_FLAG 0
+
+/**
+ * Length of IKE Header in Bytes.
+ */
+#define IKE_HEADER_LENGTH 28
+
+/**
+ * Different types of IKE-Exchanges.
+ *
+ * See RFC for different types.
+ */
+enum exchange_type_t{
+
+	/**
+	 * EXCHANGE_TYPE_UNDEFINED. In private space, since not a official message type.
+	 */
+	EXCHANGE_TYPE_UNDEFINED = 255,
+
+	/**
+	 * IKE_SA_INIT.
+	 */
+	IKE_SA_INIT = 34,
+
+	/**
+	 * IKE_AUTH.
+	 */
+	IKE_AUTH = 35,
+
+	/**
+	 * CREATE_CHILD_SA.
+	 */
+	CREATE_CHILD_SA = 36,
+
+	/**
+	 * INFORMATIONAL.
+	 */
+	INFORMATIONAL = 37,
+#ifdef ME
+	/**
+	 * ME_CONNECT
+	 */
+	ME_CONNECT = 240
+#endif /* ME */
+};
+
+/**
+ * enum name for exchange_type_t
+ */
+extern enum_name_t *exchange_type_names;
+
+/**
+ * An object of this type represents an IKEv2 header and is used to
+ * generate and parse IKEv2 headers.
+ *
+ * The header format of an IKEv2-Message is compatible to the
+ * ISAKMP-Header format to allow implementations supporting
+ * both versions of the IKE-protocol.
+ */
+struct ike_header_t {
+	/**
+	 * The payload_t interface.
+	 */
+	payload_t payload_interface;
+
+	/**
+	 * Get the initiator spi.
+	 *
+	 * @return 				initiator_spi
+	 */
+	u_int64_t (*get_initiator_spi) (ike_header_t *this);
+
+	/**
+	 * Set the initiator spi.
+	 *
+	 * @param initiator_spi	initiator_spi
+	 */
+	void (*set_initiator_spi) (ike_header_t *this, u_int64_t initiator_spi);
+
+	/**
+	 * Get the responder spi.
+	 *
+	 * @return 				responder_spi
+	 */
+	u_int64_t (*get_responder_spi) (ike_header_t *this);
+
+	/**
+	 * Set the responder spi.
+	 *
+	 * @param responder_spi	responder_spi
+	 */
+	void (*set_responder_spi) (ike_header_t *this, u_int64_t responder_spi);
+
+	/**
+	 * Get the major version.
+	 *
+	 * @return 				major version
+	 */
+	u_int8_t (*get_maj_version) (ike_header_t *this);
+
+	/**
+	 * Get the minor version.
+	 *
+	 * @return 				minor version
+	 */
+	u_int8_t (*get_min_version) (ike_header_t *this);
+
+	/**
+	 * Get the response flag.
+	 *
+	 * @return 				response flag
+	 */
+	bool (*get_response_flag) (ike_header_t *this);
+
+	/**
+	 * Set the response flag-
+	 *
+	 * @param response		response flag
+	 */
+	void (*set_response_flag) (ike_header_t *this, bool response);
+	/**
+	 * Get "higher version supported"-flag.
+	 *
+	 * @return 				version flag
+	 */
+	bool (*get_version_flag) (ike_header_t *this);
+
+	/**
+	 * Get the initiator flag.
+	 *
+	 * @return 				initiator flag
+	 */
+	bool (*get_initiator_flag) (ike_header_t *this);
+
+	/**
+	 * Set the initiator flag.
+	 *
+	 * @param initiator		initiator flag
+	 */
+	void (*set_initiator_flag) (ike_header_t *this, bool initiator);
+
+	/**
+	 * Get the exchange type.
+	 *
+	 * @return 				exchange type
+	 */
+	u_int8_t (*get_exchange_type) (ike_header_t *this);
+
+	/**
+	 * Set the  exchange type.
+	 *
+	 * @param exchange_type	exchange type
+	 */
+	void (*set_exchange_type) (ike_header_t *this, u_int8_t exchange_type);
+
+	/**
+	 * Get the message id.
+	 *
+	 * @return 				message id
+	 */
+	u_int32_t (*get_message_id) (ike_header_t *this);
+
+	/**
+	 * Set the message id.
+	 *
+	 * @param initiator_spi	message id
+	 */
+	void (*set_message_id) (ike_header_t *this, u_int32_t message_id);
+
+	/**
+	 * Destroys a ike_header_t object.
+	 */
+	void (*destroy) (ike_header_t *this);
+};
+
+/**
+ * Create an ike_header_t object
+ *
+ * @return ike_header_t object
+ */
+ike_header_t *ike_header_create(void);
+
+#endif /** IKE_HEADER_H_ @}*/
diff --git a/src/libcharon/encoding/payloads/ke_payload.c b/src/libcharon/encoding/payloads/ke_payload.c
new file mode 100644
index 000000000..1bc79f084
--- /dev/null
+++ b/src/libcharon/encoding/payloads/ke_payload.c
@@ -0,0 +1,270 @@
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <stddef.h>
+
+#include "ke_payload.h"
+
+#include <encoding/payloads/encodings.h>
+
+
+typedef struct private_ke_payload_t private_ke_payload_t;
+
+/**
+ * Private data of an ke_payload_t object.
+ *
+ */
+struct private_ke_payload_t {
+	/**
+	 * Public ke_payload_t interface.
+	 */
+	ke_payload_t public;
+
+	/**
+	 * Next payload type.
+	 */
+	u_int8_t  next_payload;
+
+	/**
+	 * Critical flag.
+	 */
+	bool critical;
+
+	/**
+	 * Length of this payload.
+	 */
+	u_int16_t payload_length;
+
+	/**
+	 * DH Group Number.
+	 */
+	u_int16_t dh_group_number;
+
+	/**
+	 * Key Exchange Data of this KE payload.
+	 */
+	chunk_t key_exchange_data;
+};
+
+/**
+ * Encoding rules to parse or generate a IKEv2-KE Payload.
+ *
+ * The defined offsets are the positions in a object of type
+ * private_ke_payload_t.
+ *
+ */
+encoding_rule_t ke_payload_encodings[] = {
+	/* 1 Byte next payload type, stored in the field next_payload */
+	{ U_INT_8,			offsetof(private_ke_payload_t, next_payload) 		},
+	/* the critical bit */
+	{ FLAG,				offsetof(private_ke_payload_t, critical) 			},
+	/* 7 Bit reserved bits, nowhere stored */
+	{ RESERVED_BIT,	0 														},
+	{ RESERVED_BIT,	0 														},
+	{ RESERVED_BIT,	0 														},
+	{ RESERVED_BIT,	0 														},
+	{ RESERVED_BIT,	0 														},
+	{ RESERVED_BIT,	0 														},
+	{ RESERVED_BIT,	0 														},
+	/* Length of the whole payload*/
+	{ PAYLOAD_LENGTH,	offsetof(private_ke_payload_t, payload_length) 		},
+	/* DH Group number as 16 bit field*/
+	{ U_INT_16,			offsetof(private_ke_payload_t, dh_group_number) 	},
+	{ RESERVED_BYTE,	0 													},
+	{ RESERVED_BYTE,	0 													},
+	/* Key Exchange Data is from variable size */
+	{ KEY_EXCHANGE_DATA,	offsetof(private_ke_payload_t, key_exchange_data)}
+};
+
+/*
+                           1                   2                   3
+       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      ! Next Payload  !C!  RESERVED   !         Payload Length        !
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      !          DH Group #           !           RESERVED            !
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      !                                                               !
+      ~                       Key Exchange Data                       ~
+      !                                                               !
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+*/
+
+/**
+ * Implementation of payload_t.verify.
+ */
+static status_t verify(private_ke_payload_t *this)
+{
+	/* dh group is not verified in here */
+	return SUCCESS;
+}
+
+/**
+ * Implementation of payload_t.destroy.
+ */
+static void destroy(private_ke_payload_t *this)
+{
+	if (this->key_exchange_data.ptr != NULL)
+	{
+		free(this->key_exchange_data.ptr);
+	}
+	free(this);
+}
+
+/**
+ * Implementation of payload_t.get_encoding_rules.
+ */
+static void get_encoding_rules(private_ke_payload_t *this, encoding_rule_t **rules, size_t *rule_count)
+{
+	*rules = ke_payload_encodings;
+	*rule_count = sizeof(ke_payload_encodings) / sizeof(encoding_rule_t);
+}
+
+/**
+ * Implementation of payload_t.get_type.
+ */
+static payload_type_t get_type(private_ke_payload_t *this)
+{
+	return KEY_EXCHANGE;
+}
+
+/**
+ * Implementation of payload_t.get_next_type.
+ */
+static payload_type_t get_next_type(private_ke_payload_t *this)
+{
+	return (this->next_payload);
+}
+
+/**
+ * Implementation of payload_t.set_next_type.
+ */
+static void set_next_type(private_ke_payload_t *this,payload_type_t type)
+{
+	this->next_payload = type;
+}
+
+/**
+ * recompute the length of the payload.
+ */
+static void compute_length(private_ke_payload_t *this)
+{
+	size_t length = KE_PAYLOAD_HEADER_LENGTH;
+	if (this->key_exchange_data.ptr != NULL)
+	{
+		length += this->key_exchange_data.len;
+	}
+	this->payload_length = length;
+}
+
+/**
+ * Implementation of payload_t.get_length.
+ */
+static size_t get_length(private_ke_payload_t *this)
+{
+	compute_length(this);
+	return this->payload_length;
+}
+
+/**
+ * Implementation of ke_payload_t.get_key_exchange_data.
+ */
+static chunk_t get_key_exchange_data(private_ke_payload_t *this)
+{
+	return (this->key_exchange_data);
+}
+
+/**
+ * Implementation of ke_payload_t.set_key_exchange_data.
+ */
+static void set_key_exchange_data(private_ke_payload_t *this, chunk_t key_exchange_data)
+{
+	/* destroy existing data first */
+	if (this->key_exchange_data.ptr != NULL)
+	{
+		/* free existing value */
+		free(this->key_exchange_data.ptr);
+		this->key_exchange_data.ptr = NULL;
+		this->key_exchange_data.len = 0;
+
+	}
+
+	this->key_exchange_data = chunk_clone(key_exchange_data);
+	compute_length(this);
+}
+
+/**
+ * Implementation of ke_payload_t.get_dh_group_number.
+ */
+static diffie_hellman_group_t get_dh_group_number(private_ke_payload_t *this)
+{
+	return this->dh_group_number;
+}
+
+/**
+ * Implementation of ke_payload_t.set_dh_group_number.
+ */
+static void set_dh_group_number(private_ke_payload_t *this, diffie_hellman_group_t dh_group_number)
+{
+	this->dh_group_number = dh_group_number;
+}
+
+/*
+ * Described in header
+ */
+ke_payload_t *ke_payload_create()
+{
+	private_ke_payload_t *this = malloc_thing(private_ke_payload_t);
+
+	/* interface functions */
+	this->public.payload_interface.verify = (status_t (*) (payload_t *))verify;
+	this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules;
+	this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length;
+	this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type;
+	this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
+	this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_type;
+	this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
+
+	/* public functions */
+	this->public.get_key_exchange_data = (chunk_t (*) (ke_payload_t *)) get_key_exchange_data;
+	this->public.set_key_exchange_data = (void (*) (ke_payload_t *,chunk_t)) set_key_exchange_data;
+	this->public.get_dh_group_number = (diffie_hellman_group_t (*) (ke_payload_t *)) get_dh_group_number;
+	this->public.set_dh_group_number =(void (*) (ke_payload_t *,diffie_hellman_group_t)) set_dh_group_number;
+	this->public.destroy = (void (*) (ke_payload_t *)) destroy;
+
+	/* set default values of the fields */
+	this->critical = FALSE;
+	this->next_payload = NO_PAYLOAD;
+	this->payload_length = KE_PAYLOAD_HEADER_LENGTH;
+	this->key_exchange_data = chunk_empty;
+	this->dh_group_number = MODP_NONE;
+
+	return &this->public;
+}
+
+/*
+ * Described in header
+ */
+ke_payload_t *ke_payload_create_from_diffie_hellman(diffie_hellman_t *dh)
+{
+	private_ke_payload_t *this = (private_ke_payload_t*)ke_payload_create();
+
+	dh->get_my_public_value(dh, &this->key_exchange_data);
+	this->dh_group_number = dh->get_dh_group(dh);
+	compute_length(this);
+
+	return &this->public;
+}
diff --git a/src/libcharon/encoding/payloads/ke_payload.h b/src/libcharon/encoding/payloads/ke_payload.h
new file mode 100644
index 000000000..3ca05009e
--- /dev/null
+++ b/src/libcharon/encoding/payloads/ke_payload.h
@@ -0,0 +1,104 @@
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ke_payload ke_payload
+ * @{ @ingroup payloads
+ */
+
+#ifndef KE_PAYLOAD_H_
+#define KE_PAYLOAD_H_
+
+typedef struct ke_payload_t ke_payload_t;
+
+#include <library.h>
+#include <encoding/payloads/payload.h>
+#include <encoding/payloads/transform_substructure.h>
+#include <utils/linked_list.h>
+#include <crypto/diffie_hellman.h>
+
+/**
+ * KE payload length in bytes without any key exchange data.
+ */
+#define KE_PAYLOAD_HEADER_LENGTH 8
+
+/**
+ * Class representing an IKEv2-KE Payload.
+ *
+ * The KE Payload format is described in RFC section 3.4.
+ */
+struct ke_payload_t {
+	/**
+	 * The payload_t interface.
+	 */
+	payload_t payload_interface;
+
+	/**
+	 * Returns the currently set key exchange data of this KE payload.
+	 *
+	 * @warning Returned data are not copied.
+	 *
+	 * @return 		chunk_t pointing to the value
+	 */
+	chunk_t (*get_key_exchange_data) (ke_payload_t *this);
+
+	/**
+	 * Sets the key exchange data of this KE payload.
+	 *
+	 * Value is getting copied.
+	 *
+	 * @param key_exchange_data chunk_t pointing to the value to set
+	 */
+	void (*set_key_exchange_data) (ke_payload_t *this, chunk_t key_exchange_data);
+
+	/**
+	 * Gets the Diffie-Hellman Group Number of this KE payload.
+	 *
+	 * @return 					DH Group Number of this payload
+	 */
+	diffie_hellman_group_t (*get_dh_group_number) (ke_payload_t *this);
+
+	/**
+	 * Sets the Diffie-Hellman Group Number of this KE payload.
+	 *
+	 * @param dh_group_number	DH Group to set
+	 */
+	void (*set_dh_group_number) (ke_payload_t *this,
+								 diffie_hellman_group_t dh_group_number);
+
+	/**
+	 * Destroys an ke_payload_t object.
+	 */
+	void (*destroy) (ke_payload_t *this);
+};
+
+/**
+ * Creates an empty ke_payload_t object
+ *
+ * @return ke_payload_t object
+ */
+ke_payload_t *ke_payload_create(void);
+
+/**
+ * Creates a ke_payload_t from a diffie_hellman_t
+ *
+ * @param diffie_hellman	diffie hellman object containing group and key
+ * @return 					ke_payload_t object
+ */
+ke_payload_t *ke_payload_create_from_diffie_hellman(
+											diffie_hellman_t *diffie_hellman);
+
+#endif /** KE_PAYLOAD_H_ @}*/
diff --git a/src/libcharon/encoding/payloads/nonce_payload.c b/src/libcharon/encoding/payloads/nonce_payload.c
new file mode 100644
index 000000000..4ad5ce9dd
--- /dev/null
+++ b/src/libcharon/encoding/payloads/nonce_payload.c
@@ -0,0 +1,225 @@
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/* offsetof macro */
+#include <stddef.h>
+
+#include "nonce_payload.h"
+
+#include <encoding/payloads/encodings.h>
+
+
+typedef struct private_nonce_payload_t private_nonce_payload_t;
+
+/**
+ * Private data of an nonce_payload_t object.
+ *
+ */
+struct private_nonce_payload_t {
+	/**
+	 * Public nonce_payload_t interface.
+	 */
+	nonce_payload_t public;
+
+	/**
+	 * Next payload type.
+	 */
+	u_int8_t  next_payload;
+
+	/**
+	 * Critical flag.
+	 */
+	bool critical;
+
+	/**
+	 * Length of this payload.
+	 */
+	u_int16_t payload_length;
+
+	/**
+	 * The contained nonce value.
+	 */
+	chunk_t nonce;
+};
+
+/**
+ * Encoding rules to parse or generate a nonce payload
+ *
+ * The defined offsets are the positions in a object of type
+ * private_nonce_payload_t.
+ *
+ */
+encoding_rule_t nonce_payload_encodings[] = {
+	/* 1 Byte next payload type, stored in the field next_payload */
+	{ U_INT_8,			offsetof(private_nonce_payload_t, next_payload) 	},
+	/* the critical bit */
+	{ FLAG,				offsetof(private_nonce_payload_t, critical) 		},
+	/* 7 Bit reserved bits, nowhere stored */
+	{ RESERVED_BIT,	0 														},
+	{ RESERVED_BIT,	0 														},
+	{ RESERVED_BIT,	0 														},
+	{ RESERVED_BIT,	0 														},
+	{ RESERVED_BIT,	0 														},
+	{ RESERVED_BIT,	0 														},
+	{ RESERVED_BIT,	0 														},
+	/* Length of the whole nonce payload*/
+	{ PAYLOAD_LENGTH,	offsetof(private_nonce_payload_t, payload_length) 	},
+	/* some nonce bytes, lenth is defined in PAYLOAD_LENGTH */
+	{ NONCE_DATA,			offsetof(private_nonce_payload_t, nonce) 		}
+};
+
+/*                           1                   2                   3
+       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      ! Next Payload  !C!  RESERVED   !         Payload Length        !
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      !                                                               !
+      ~                            Nonce Data                         ~
+      !                                                               !
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+*/
+
+/**
+ * Implementation of payload_t.verify.
+ */
+static status_t verify(private_nonce_payload_t *this)
+{
+	if ((this->nonce.len < 16) || ((this->nonce.len > 256)))
+	{
+		/* nonce length is wrong */
+		return FAILED;
+	}
+
+	return SUCCESS;
+}
+
+/**
+ * Implementation of nonce_payload_t.set_nonce.
+ */
+static status_t set_nonce(private_nonce_payload_t *this, chunk_t nonce)
+{
+	this->nonce.ptr = clalloc(nonce.ptr, nonce.len);
+	this->nonce.len = nonce.len;
+	this->payload_length = NONCE_PAYLOAD_HEADER_LENGTH + nonce.len;
+	return SUCCESS;
+}
+
+/**
+ * Implementation of nonce_payload_t.get_nonce.
+ */
+static chunk_t get_nonce(private_nonce_payload_t *this)
+{
+	chunk_t nonce;
+	nonce.ptr = clalloc(this->nonce.ptr,this->nonce.len);
+	nonce.len = this->nonce.len;
+	return nonce;
+}
+
+/**
+ * Implementation of nonce_payload_t.get_encoding_rules.
+ */
+static void get_encoding_rules(private_nonce_payload_t *this, encoding_rule_t **rules, size_t *rule_count)
+{
+	*rules = nonce_payload_encodings;
+	*rule_count = sizeof(nonce_payload_encodings) / sizeof(encoding_rule_t);
+}
+
+/**
+ * Implementation of payload_t.get_type.
+ */
+static payload_type_t get_type(private_nonce_payload_t *this)
+{
+	return NONCE;
+}
+
+/**
+ * Implementation of payload_t.get_next_type.
+ */
+static payload_type_t get_next_type(private_nonce_payload_t *this)
+{
+	return (this->next_payload);
+}
+
+/**
+ * Implementation of payload_t.set_next_type.
+ */
+static void set_next_type(private_nonce_payload_t *this,payload_type_t type)
+{
+	this->next_payload = type;
+}
+
+/**
+ * recompute the length of the payload.
+ */
+static void compute_length(private_nonce_payload_t *this)
+{
+	this->payload_length = NONCE_PAYLOAD_HEADER_LENGTH + this->nonce.len;
+}
+
+/**
+ * Implementation of payload_t.get_length.
+ */
+static size_t get_length(private_nonce_payload_t *this)
+{
+	compute_length(this);
+	return this->payload_length;
+}
+
+/**
+ * Implementation of payload_t.destroy and nonce_payload_t.destroy.
+ */
+static void destroy(private_nonce_payload_t *this)
+{
+	if (this->nonce.ptr != NULL)
+	{
+		free(this->nonce.ptr);
+	}
+
+	free(this);
+}
+
+/*
+ * Described in header
+ */
+nonce_payload_t *nonce_payload_create()
+{
+	private_nonce_payload_t *this = malloc_thing(private_nonce_payload_t);
+
+	/* interface functions */
+	this->public.payload_interface.verify = (status_t (*) (payload_t *))verify;
+	this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules;
+	this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length;
+	this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type;
+	this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
+	this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_type;
+	this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
+
+	/* public functions */
+	this->public.destroy = (void (*) (nonce_payload_t *)) destroy;
+	this->public.set_nonce = (void (*) (nonce_payload_t *,chunk_t)) set_nonce;
+	this->public.get_nonce = (chunk_t (*) (nonce_payload_t *)) get_nonce;
+
+	/* private variables */
+	this->critical = FALSE;
+	this->next_payload = NO_PAYLOAD;
+	this->payload_length = NONCE_PAYLOAD_HEADER_LENGTH;
+	this->nonce.ptr = NULL;
+	this->nonce.len = 0;
+
+	return (&(this->public));
+}
+
+
diff --git a/src/libcharon/encoding/payloads/nonce_payload.h b/src/libcharon/encoding/payloads/nonce_payload.h
new file mode 100644
index 000000000..e9212202e
--- /dev/null
+++ b/src/libcharon/encoding/payloads/nonce_payload.h
@@ -0,0 +1,78 @@
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup nonce_payload nonce_payload
+ * @{ @ingroup payloads
+ */
+
+#ifndef NONCE_PAYLOAD_H_
+#define NONCE_PAYLOAD_H_
+
+typedef struct nonce_payload_t nonce_payload_t;
+
+#include <library.h>
+#include <encoding/payloads/payload.h>
+
+/**
+ * Nonce size in bytes for nonces sending to other peer.
+ */
+#define NONCE_SIZE 32
+
+/**
+ * Length of a nonce payload without a nonce in bytes.
+ */
+#define NONCE_PAYLOAD_HEADER_LENGTH 4
+
+/**
+ * Object representing an IKEv2 Nonce payload.
+ *
+ * The Nonce payload format is described in RFC section 3.3.
+ */
+struct nonce_payload_t {
+	/**
+	 * The payload_t interface.
+	 */
+	payload_t payload_interface;
+
+	/**
+	 * Set the nonce value.
+	 *
+	 * @param nonce			chunk containing the nonce, will be cloned
+	 */
+	void (*set_nonce) (nonce_payload_t *this, chunk_t nonce);
+
+	/**
+	 * Get the nonce value.
+	 *
+	 * @return				a chunk containing the cloned nonce
+	 */
+	chunk_t (*get_nonce) (nonce_payload_t *this);
+
+	/**
+	 * Destroys an nonce_payload_t object.
+	 */
+	void (*destroy) (nonce_payload_t *this);
+};
+
+/**
+ * Creates an empty nonce_payload_t object
+ *
+ * @return nonce_payload_t object
+ */
+nonce_payload_t *nonce_payload_create(void);
+
+#endif /** NONCE_PAYLOAD_H_ @}*/
diff --git a/src/libcharon/encoding/payloads/notify_payload.c b/src/libcharon/encoding/payloads/notify_payload.c
new file mode 100644
index 000000000..469698ef5
--- /dev/null
+++ b/src/libcharon/encoding/payloads/notify_payload.c
@@ -0,0 +1,617 @@
+/*
+ * Copyright (C) 2006-2008 Tobias Brunner
+ * Copyright (C) 2006 Daniel Roethlisberger
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <stddef.h>
+
+#include "notify_payload.h"
+
+#include <daemon.h>
+#include <encoding/payloads/encodings.h>
+#include <crypto/hashers/hasher.h>
+
+ENUM_BEGIN(notify_type_names, UNSUPPORTED_CRITICAL_PAYLOAD, UNSUPPORTED_CRITICAL_PAYLOAD,
+	"UNSUPPORTED_CRITICAL_PAYLOAD");
+ENUM_NEXT(notify_type_names, INVALID_IKE_SPI, INVALID_MAJOR_VERSION, UNSUPPORTED_CRITICAL_PAYLOAD,
+	"INVALID_IKE_SPI",
+	"INVALID_MAJOR_VERSION");
+ENUM_NEXT(notify_type_names, INVALID_SYNTAX, INVALID_SYNTAX, INVALID_MAJOR_VERSION,
+	"INVALID_SYNTAX");
+ENUM_NEXT(notify_type_names, INVALID_MESSAGE_ID, INVALID_MESSAGE_ID, INVALID_SYNTAX,
+	"INVALID_MESSAGE_ID");
+ENUM_NEXT(notify_type_names, INVALID_SPI, INVALID_SPI, INVALID_MESSAGE_ID,
+	"INVALID_SPI");
+ENUM_NEXT(notify_type_names, NO_PROPOSAL_CHOSEN, NO_PROPOSAL_CHOSEN, INVALID_SPI,
+	"NO_PROPOSAL_CHOSEN");
+ENUM_NEXT(notify_type_names, INVALID_KE_PAYLOAD, INVALID_KE_PAYLOAD, NO_PROPOSAL_CHOSEN,
+	"INVALID_KE_PAYLOAD");
+ENUM_NEXT(notify_type_names, AUTHENTICATION_FAILED, AUTHENTICATION_FAILED, INVALID_KE_PAYLOAD,
+	"AUTHENTICATION_FAILED");
+ENUM_NEXT(notify_type_names, SINGLE_PAIR_REQUIRED, USE_ASSIGNED_HoA, AUTHENTICATION_FAILED,
+	"SINGLE_PAIR_REQUIRED",
+	"NO_ADDITIONAL_SAS",
+	"INTERNAL_ADDRESS_FAILURE",
+	"FAILED_CP_REQUIRED",
+	"TS_UNACCEPTABLE",
+	"INVALID_SELECTORS",
+	"UNACCEPTABLE_ADDRESSES",
+	"UNEXPECTED_NAT_DETECTED",
+	"USE_ASSIGNED_HoA");
+ENUM_NEXT(notify_type_names, ME_CONNECT_FAILED, ME_CONNECT_FAILED, USE_ASSIGNED_HoA,
+	"ME_CONNECT_FAILED");
+ENUM_NEXT(notify_type_names, INITIAL_CONTACT, LINK_ID, ME_CONNECT_FAILED,
+	"INITIAL_CONTACT",
+	"SET_WINDOW_SIZE",
+	"ADDITIONAL_TS_POSSIBLE",
+	"IPCOMP_SUPPORTED",
+	"NAT_DETECTION_SOURCE_IP",
+	"NAT_DETECTION_DESTINATION_IP",
+	"COOKIE",
+	"USE_TRANSPORT_MODE",
+	"HTTP_CERT_LOOKUP_SUPPORTED",
+	"REKEY_SA",
+	"ESP_TFC_PADDING_NOT_SUPPORTED",
+	"NON_FIRST_FRAGMENTS_ALSO",
+	"MOBIKE_SUPPORTED",
+	"ADDITIONAL_IP4_ADDRESS",
+	"ADDITIONAL_IP6_ADDRESS",
+	"NO_ADDITIONAL_ADDRESSES",
+	"UPDATE_SA_ADDRESSES",
+	"COOKIE2",
+	"NO_NATS_ALLOWED",
+	"AUTH_LIFETIME",
+	"MULTIPLE_AUTH_SUPPORTED",
+	"ANOTHER_AUTH_FOLLOWS",
+	"REDIRECT_SUPPORTED",
+	"REDIRECT",
+	"REDIRECTED_FROM",
+	"TICKET_LT_OPAQUE",
+	"TICKET_REQUEST",
+	"TICKET_ACK",
+	"TICKET_NACK",
+	"TICKET_OPAQUE",
+	"LINK_ID");
+ENUM_NEXT(notify_type_names, EAP_ONLY_AUTHENTICATION, EAP_ONLY_AUTHENTICATION, LINK_ID,
+	"EAP_ONLY_AUTHENTICATION");
+ENUM_NEXT(notify_type_names, USE_BEET_MODE, USE_BEET_MODE, EAP_ONLY_AUTHENTICATION,
+	"USE_BEET_MODE");
+ENUM_NEXT(notify_type_names, ME_MEDIATION, ME_RESPONSE, USE_BEET_MODE,
+	"ME_MEDIATION",
+	"ME_ENDPOINT",
+	"ME_CALLBACK",
+	"ME_CONNECTID",
+	"ME_CONNECTKEY",
+	"ME_CONNECTAUTH",
+	"ME_RESPONSE");
+ENUM_END(notify_type_names, ME_RESPONSE);
+
+
+ENUM_BEGIN(notify_type_short_names, UNSUPPORTED_CRITICAL_PAYLOAD, UNSUPPORTED_CRITICAL_PAYLOAD,
+	"CRIT");
+ENUM_NEXT(notify_type_short_names, INVALID_IKE_SPI, INVALID_MAJOR_VERSION, UNSUPPORTED_CRITICAL_PAYLOAD,
+	"INVAL_IKE_SPI",
+	"INVAL_MAJOR");
+ENUM_NEXT(notify_type_short_names, INVALID_SYNTAX, INVALID_SYNTAX, INVALID_MAJOR_VERSION,
+	"INVAL_SYN");
+ENUM_NEXT(notify_type_short_names, INVALID_MESSAGE_ID, INVALID_MESSAGE_ID, INVALID_SYNTAX,
+	"INVAL_MID");
+ENUM_NEXT(notify_type_short_names, INVALID_SPI, INVALID_SPI, INVALID_MESSAGE_ID,
+	"INVAL_SPI");
+ENUM_NEXT(notify_type_short_names, NO_PROPOSAL_CHOSEN, NO_PROPOSAL_CHOSEN, INVALID_SPI,
+	"NO_PROP");
+ENUM_NEXT(notify_type_short_names, INVALID_KE_PAYLOAD, INVALID_KE_PAYLOAD, NO_PROPOSAL_CHOSEN,
+	"INVAL_KE");
+ENUM_NEXT(notify_type_short_names, AUTHENTICATION_FAILED, AUTHENTICATION_FAILED, INVALID_KE_PAYLOAD,
+	"AUTH_FAILED");
+ENUM_NEXT(notify_type_short_names, SINGLE_PAIR_REQUIRED, USE_ASSIGNED_HoA, AUTHENTICATION_FAILED,
+	"SINGLE_PAIR",
+	"NO_ADD_SAS",
+	"INT_ADDR_FAIL",
+	"FAIL_CP_REQ",
+	"TS_UNACCEPT",
+	"INVAL_SEL",
+	"UNACCEPT_ADDR",
+	"UNEXPECT_NAT",
+	"ASSIGNED_HoA");
+ENUM_NEXT(notify_type_short_names, ME_CONNECT_FAILED, ME_CONNECT_FAILED, USE_ASSIGNED_HoA,
+	"ME_CONN_FAIL");
+ENUM_NEXT(notify_type_short_names, INITIAL_CONTACT, LINK_ID, ME_CONNECT_FAILED,
+	"INIT_CONTACT",
+	"SET_WINSIZE",
+	"ADD_TS_POSS",
+	"IPCOMP_SUPP",
+	"NATD_S_IP",
+	"NATD_D_IP",
+	"COOKIE",
+	"USE_TRANSP",
+	"HTTP_CERT_LOOK",
+	"REKEY_SA",
+	"ESP_TFC_PAD_N",
+	"NON_FIRST_FRAG",
+	"MOBIKE_SUP",
+	"ADD_4_ADDR",
+	"ADD_6_ADDR",
+	"NO_ADD_ADDR",
+	"UPD_SA_ADDR",
+	"COOKIE2",
+	"NO_NATS",
+	"AUTH_LFT",
+	"MULT_AUTH",
+	"AUTH_FOLLOWS",
+	"REDIR_SUP",
+	"REDIR",
+	"REDIR_FROM",
+	"TKT_LT_OPAK",
+	"TKT_REQ",
+	"TKT_ACK",
+	"TKT_NACK",
+	"TKT_OPAK",
+	"LINK_ID");
+ENUM_NEXT(notify_type_short_names, EAP_ONLY_AUTHENTICATION, EAP_ONLY_AUTHENTICATION, LINK_ID,
+	"EAP_ONLY");
+ENUM_NEXT(notify_type_short_names, USE_BEET_MODE, USE_BEET_MODE, EAP_ONLY_AUTHENTICATION,
+	"BEET_MODE");
+ENUM_NEXT(notify_type_short_names, ME_MEDIATION, ME_RESPONSE, USE_BEET_MODE,
+	"ME_MED",
+	"ME_EP",
+	"ME_CB",
+	"ME_CID",
+	"ME_CKEY",
+	"ME_CAUTH",
+	"ME_R");
+ENUM_END(notify_type_short_names, ME_RESPONSE);
+
+
+typedef struct private_notify_payload_t private_notify_payload_t;
+
+/**
+ * Private data of an notify_payload_t object.
+ *
+ */
+struct private_notify_payload_t {
+	/**
+	 * Public notify_payload_t interface.
+	 */
+	notify_payload_t public;
+
+	/**
+	 * Next payload type.
+	 */
+	u_int8_t  next_payload;
+
+	/**
+	 * Critical flag.
+	 */
+	bool critical;
+
+	/**
+	 * Length of this payload.
+	 */
+	u_int16_t payload_length;
+
+	/**
+	 * Protocol id.
+	 */
+	u_int8_t protocol_id;
+
+	/**
+	 * Spi size.
+	 */
+	u_int8_t spi_size;
+
+	/**
+	 * Notify message type.
+	 */
+	u_int16_t notify_type;
+
+	/**
+	 * Security parameter index (spi).
+	 */
+	chunk_t spi;
+
+	/**
+	 * Notification data.
+	 */
+	chunk_t notification_data;
+};
+
+/**
+ * Encoding rules to parse or generate a IKEv2-Notify Payload.
+ *
+ * The defined offsets are the positions in a object of type
+ * private_notify_payload_t.
+ *
+ */
+encoding_rule_t notify_payload_encodings[] = {
+	/* 1 Byte next payload type, stored in the field next_payload */
+	{ U_INT_8,			offsetof(private_notify_payload_t, next_payload) 		},
+	/* the critical bit */
+	{ FLAG,				offsetof(private_notify_payload_t, critical) 			},
+	/* 7 Bit reserved bits, nowhere stored */
+	{ RESERVED_BIT,	0 														},
+	{ RESERVED_BIT,	0 														},
+	{ RESERVED_BIT,	0 														},
+	{ RESERVED_BIT,	0 														},
+	{ RESERVED_BIT,	0 														},
+	{ RESERVED_BIT,	0 														},
+	{ RESERVED_BIT,	0 														},
+	/* Length of the whole payload*/
+	{ PAYLOAD_LENGTH,	offsetof(private_notify_payload_t, payload_length) 		},
+	/* Protocol ID as 8 bit field*/
+	{ U_INT_8,			offsetof(private_notify_payload_t, protocol_id) 			},
+	/* SPI Size as 8 bit field*/
+	{ SPI_SIZE,			offsetof(private_notify_payload_t, spi_size) 			},
+	/* Notify message type as 16 bit field*/
+	{ U_INT_16,			offsetof(private_notify_payload_t, notify_type)	},
+	/* SPI as variable length field*/
+	{ SPI,				offsetof(private_notify_payload_t, spi)					},
+	/* Key Exchange Data is from variable size */
+	{ NOTIFICATION_DATA,	offsetof(private_notify_payload_t, notification_data) 	}
+};
+
+/*
+                           1                   2                   3
+       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      ! Next Payload  !C!  RESERVED   !         Payload Length        !
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      !  Protocol ID  !   SPI Size    !      Notify Message Type      !
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      !                                                               !
+      ~                Security Parameter Index (SPI)                 ~
+      !                                                               !
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      !                                                               !
+      ~                       Notification Data                       ~
+      !                                                               !
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+*/
+
+/**
+ * Implementation of payload_t.verify.
+ */
+static status_t verify(private_notify_payload_t *this)
+{
+	bool bad_length = FALSE;
+
+	switch (this->protocol_id)
+	{
+		case PROTO_NONE:
+		case PROTO_IKE:
+		case PROTO_AH:
+		case PROTO_ESP:
+			break;
+		default:
+			DBG1(DBG_ENC, "Unknown protocol (%d)", this->protocol_id);
+			return FAILED;
+	}
+
+	switch (this->notify_type)
+	{
+		case INVALID_KE_PAYLOAD:
+		{
+			if (this->notification_data.len != 2)
+			{
+				bad_length = TRUE;
+			}
+			break;
+		}
+		case NAT_DETECTION_SOURCE_IP:
+		case NAT_DETECTION_DESTINATION_IP:
+		case ME_CONNECTAUTH:
+		{
+			if (this->notification_data.len != HASH_SIZE_SHA1)
+			{
+				bad_length = TRUE;
+			}
+			break;
+		}
+		case INVALID_SYNTAX:
+		case INVALID_MAJOR_VERSION:
+		case NO_PROPOSAL_CHOSEN:
+		{
+			if (this->notification_data.len != 0)
+			{
+				bad_length = TRUE;
+			}
+			break;
+		}
+		case ADDITIONAL_IP4_ADDRESS:
+		{
+			if (this->notification_data.len != 4)
+			{
+				bad_length = TRUE;
+			}
+			break;
+		}
+		case ADDITIONAL_IP6_ADDRESS:
+		{
+			if (this->notification_data.len != 16)
+			{
+				bad_length = TRUE;
+			}
+			break;
+		}
+		case AUTH_LIFETIME:
+		{
+			if (this->notification_data.len != 4)
+			{
+				bad_length = TRUE;
+			}
+			break;
+		}
+		case IPCOMP_SUPPORTED:
+		{
+			if (this->notification_data.len != 3)
+			{
+				bad_length = TRUE;
+			}
+			break;
+		}
+		case ME_ENDPOINT:
+			if (this->notification_data.len != 8 &&
+				this->notification_data.len != 12 &&
+				this->notification_data.len != 24)
+			{
+				bad_length = TRUE;
+			}
+			break;
+		case ME_CONNECTID:
+			if (this->notification_data.len < 4 ||
+				this->notification_data.len > 16)
+			{
+				bad_length = TRUE;
+			}
+			break;
+		case ME_CONNECTKEY:
+			if (this->notification_data.len < 16 ||
+				this->notification_data.len > 32)
+			{
+				bad_length = TRUE;
+			}
+			break;
+		default:
+			/* TODO: verify */
+			break;
+	}
+	if (bad_length)
+	{
+		DBG1(DBG_ENC, "invalid notify data length for %N (%d)",
+			 notify_type_names, this->notify_type,
+			 this->notification_data.len);
+		return FAILED;
+	}
+	return SUCCESS;
+}
+
+/**
+ * Implementation of payload_t.get_encoding_rules.
+ */
+static void get_encoding_rules(private_notify_payload_t *this, encoding_rule_t **rules, size_t *rule_count)
+{
+	*rules = notify_payload_encodings;
+	*rule_count = sizeof(notify_payload_encodings) / sizeof(encoding_rule_t);
+}
+
+/**
+ * Implementation of payload_t.get_type.
+ */
+static payload_type_t get_type(private_notify_payload_t *this)
+{
+	return NOTIFY;
+}
+
+/**
+ * Implementation of payload_t.get_next_type.
+ */
+static payload_type_t get_next_type(private_notify_payload_t *this)
+{
+	return (this->next_payload);
+}
+
+/**
+ * Implementation of payload_t.set_next_type.
+ */
+static void set_next_type(private_notify_payload_t *this,payload_type_t type)
+{
+	this->next_payload = type;
+}
+
+/**
+ * recompute the payloads length.
+ */
+static void compute_length (private_notify_payload_t *this)
+{
+	size_t length = NOTIFY_PAYLOAD_HEADER_LENGTH;
+	if (this->notification_data.ptr != NULL)
+	{
+		length += this->notification_data.len;
+	}
+	if (this->spi.ptr != NULL)
+	{
+		length += this->spi.len;
+	}
+	this->payload_length = length;
+}
+
+/**
+ * Implementation of payload_t.get_length.
+ */
+static size_t get_length(private_notify_payload_t *this)
+{
+	compute_length(this);
+	return this->payload_length;
+}
+
+/**
+ * Implementation of notify_payload_t.get_protocol_id.
+ */
+static u_int8_t get_protocol_id(private_notify_payload_t *this)
+{
+	return this->protocol_id;
+}
+
+/**
+ * Implementation of notify_payload_t.set_protocol_id.
+ */
+static void set_protocol_id(private_notify_payload_t *this, u_int8_t protocol_id)
+{
+	this->protocol_id = protocol_id;
+}
+
+/**
+ * Implementation of notify_payload_t.get_notify_type.
+ */
+static notify_type_t get_notify_type(private_notify_payload_t *this)
+{
+	return this->notify_type;
+}
+
+/**
+ * Implementation of notify_payload_t.set_notify_type.
+ */
+static void set_notify_type(private_notify_payload_t *this, u_int16_t notify_type)
+{
+	this->notify_type = notify_type;
+}
+
+/**
+ * Implementation of notify_payload_t.get_spi.
+ */
+static u_int32_t get_spi(private_notify_payload_t *this)
+{
+	switch (this->protocol_id)
+	{
+		case PROTO_AH:
+		case PROTO_ESP:
+			if (this->spi.len == 4)
+			{
+				return *((u_int32_t*)this->spi.ptr);
+			}
+		default:
+			break;
+	}
+	return 0;
+}
+
+/**
+ * Implementation of notify_payload_t.set_spi.
+ */
+static void set_spi(private_notify_payload_t *this, u_int32_t spi)
+{
+	chunk_free(&this->spi);
+	switch (this->protocol_id)
+	{
+		case PROTO_AH:
+		case PROTO_ESP:
+			this->spi = chunk_alloc(4);
+			*((u_int32_t*)this->spi.ptr) = spi;
+			break;
+		default:
+			break;
+	}
+	this->spi_size = this->spi.len;
+	compute_length(this);
+}
+
+/**
+ * Implementation of notify_payload_t.get_notification_data.
+ */
+static chunk_t get_notification_data(private_notify_payload_t *this)
+{
+	return (this->notification_data);
+}
+
+/**
+ * Implementation of notify_payload_t.set_notification_data.
+ */
+static status_t set_notification_data(private_notify_payload_t *this, chunk_t notification_data)
+{
+	chunk_free(&this->notification_data);
+	if (notification_data.len > 0)
+	{
+		this->notification_data = chunk_clone(notification_data);
+	}
+	compute_length(this);
+	return SUCCESS;
+}
+
+/**
+ * Implementation of notify_payload_t.destroy and notify_payload_t.destroy.
+ */
+static status_t destroy(private_notify_payload_t *this)
+{
+	chunk_free(&this->notification_data);
+	chunk_free(&this->spi);
+	free(this);
+	return SUCCESS;
+}
+
+/*
+ * Described in header
+ */
+notify_payload_t *notify_payload_create()
+{
+	private_notify_payload_t *this = malloc_thing(private_notify_payload_t);
+
+	/* interface functions */
+	this->public.payload_interface.verify = (status_t (*) (payload_t *))verify;
+	this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules;
+	this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length;
+	this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type;
+	this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
+	this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_type;
+	this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
+
+	/* public functions */
+	this->public.get_protocol_id = (u_int8_t (*) (notify_payload_t *)) get_protocol_id;
+	this->public.set_protocol_id  = (void (*) (notify_payload_t *,u_int8_t)) set_protocol_id;
+	this->public.get_notify_type = (notify_type_t (*) (notify_payload_t *)) get_notify_type;
+	this->public.set_notify_type = (void (*) (notify_payload_t *,notify_type_t)) set_notify_type;
+	this->public.get_spi = (u_int32_t (*) (notify_payload_t *)) get_spi;
+	this->public.set_spi = (void (*) (notify_payload_t *,u_int32_t)) set_spi;
+	this->public.get_notification_data = (chunk_t (*) (notify_payload_t *)) get_notification_data;
+	this->public.set_notification_data = (void (*) (notify_payload_t *,chunk_t)) set_notification_data;
+	this->public.destroy = (void (*) (notify_payload_t *)) destroy;
+
+	/* set default values of the fields */
+	this->critical = FALSE;
+	this->next_payload = NO_PAYLOAD;
+	this->payload_length = NOTIFY_PAYLOAD_HEADER_LENGTH;
+	this->protocol_id = 0;
+	this->notify_type = 0;
+	this->spi.ptr = NULL;
+	this->spi.len = 0;
+	this->spi_size = 0;
+	this->notification_data.ptr = NULL;
+	this->notification_data.len = 0;
+
+	return &this->public;
+}
+
+/*
+ * Described in header.
+ */
+notify_payload_t *notify_payload_create_from_protocol_and_type(protocol_id_t protocol_id, notify_type_t notify_type)
+{
+	notify_payload_t *notify = notify_payload_create();
+
+	notify->set_notify_type(notify,notify_type);
+	notify->set_protocol_id(notify,protocol_id);
+
+	return notify;
+}
diff --git a/src/libcharon/encoding/payloads/notify_payload.h b/src/libcharon/encoding/payloads/notify_payload.h
new file mode 100644
index 000000000..0e1bc23b8
--- /dev/null
+++ b/src/libcharon/encoding/payloads/notify_payload.h
@@ -0,0 +1,232 @@
+/*
+ * Copyright (C) 2006-2008 Tobias Brunner
+ * Copyright (C) 2006 Daniel Roethlisberger
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup notify_payload notify_payload
+ * @{ @ingroup payloads
+ */
+
+#ifndef NOTIFY_PAYLOAD_H_
+#define NOTIFY_PAYLOAD_H_
+
+typedef enum notify_type_t notify_type_t;
+typedef struct notify_payload_t notify_payload_t;
+
+#include <library.h>
+#include <encoding/payloads/payload.h>
+#include <encoding/payloads/proposal_substructure.h>
+#include <utils/linked_list.h>
+
+/**
+ * Notify payload length in bytes without any spi and notification data.
+ */
+#define NOTIFY_PAYLOAD_HEADER_LENGTH 8
+
+/**
+ * Notify message types.
+ *
+ * See IKEv2 RFC 3.10.1.
+ */
+enum notify_type_t {
+	/* notify error messages */
+	UNSUPPORTED_CRITICAL_PAYLOAD = 1,
+	INVALID_IKE_SPI = 4,
+	INVALID_MAJOR_VERSION = 5,
+	INVALID_SYNTAX = 7,
+	INVALID_MESSAGE_ID = 9,
+	INVALID_SPI = 11,
+	NO_PROPOSAL_CHOSEN = 14,
+	INVALID_KE_PAYLOAD = 17,
+	AUTHENTICATION_FAILED = 24,
+	SINGLE_PAIR_REQUIRED = 34,
+	NO_ADDITIONAL_SAS = 35,
+	INTERNAL_ADDRESS_FAILURE = 36,
+	FAILED_CP_REQUIRED = 37,
+	TS_UNACCEPTABLE = 38,
+	INVALID_SELECTORS = 39,
+	/* mobile extension, RFC 4555 */
+	UNACCEPTABLE_ADDRESSES = 40,
+	UNEXPECTED_NAT_DETECTED = 41,
+	/* mobile IPv6 bootstrapping, RFC 5026 */
+	USE_ASSIGNED_HoA = 42,
+
+	/* IKE-ME, private use */
+	ME_CONNECT_FAILED = 8192,
+
+	/* notify status messages */
+	INITIAL_CONTACT = 16384,
+	SET_WINDOW_SIZE = 16385,
+	ADDITIONAL_TS_POSSIBLE = 16386,
+	IPCOMP_SUPPORTED = 16387,
+	NAT_DETECTION_SOURCE_IP = 16388,
+	NAT_DETECTION_DESTINATION_IP = 16389,
+	COOKIE = 16390,
+	USE_TRANSPORT_MODE = 16391,
+	HTTP_CERT_LOOKUP_SUPPORTED = 16392,
+	REKEY_SA = 16393,
+	ESP_TFC_PADDING_NOT_SUPPORTED = 16394,
+	NON_FIRST_FRAGMENTS_ALSO = 16395,
+	/* mobike extension, RFC4555 */
+	MOBIKE_SUPPORTED = 16396,
+	ADDITIONAL_IP4_ADDRESS = 16397,
+	ADDITIONAL_IP6_ADDRESS = 16398,
+	NO_ADDITIONAL_ADDRESSES = 16399,
+	UPDATE_SA_ADDRESSES = 16400,
+	COOKIE2 = 16401,
+	NO_NATS_ALLOWED = 16402,
+	/* repeated authentication extension, RFC4478 */
+	AUTH_LIFETIME = 16403,
+	/* multiple authentication exchanges, RFC 4739 */
+	MULTIPLE_AUTH_SUPPORTED = 16404,
+	ANOTHER_AUTH_FOLLOWS = 16405,
+	/* redirect mechanism, RFC 5685 */
+	REDIRECT_SUPPORTED = 16406,
+	REDIRECT = 16407,
+	REDIRECTED_FROM = 16408,
+	/* draft-ietf-ipsecme-ikev2-resumption, assigned by IANA */
+	TICKET_LT_OPAQUE = 16409,
+	TICKET_REQUEST = 16410,
+	TICKET_ACK = 16411,
+	TICKET_NACK = 16412,
+	TICKET_OPAQUE = 16413,
+	LINK_ID = 16414,
+
+	/* draft-eronen-ipsec-ikev2-eap-auth, not assigned by IANA yet */
+	EAP_ONLY_AUTHENTICATION = 40960,
+	/* BEET mode, not even a draft yet. private use */
+	USE_BEET_MODE = 40961,
+	/* IKE-ME, private use */
+	ME_MEDIATION = 40962,
+	ME_ENDPOINT = 40963,
+	ME_CALLBACK = 40964,
+	ME_CONNECTID = 40965,
+	ME_CONNECTKEY = 40966,
+	ME_CONNECTAUTH = 40967,
+	ME_RESPONSE = 40968
+};
+
+/**
+ * enum name for notify_type_t.
+ */
+extern enum_name_t *notify_type_names;
+
+/**
+ * enum name for notify_type_t (shorter strings).
+ */
+extern enum_name_t *notify_type_short_names;
+
+/**
+ * Class representing an IKEv2-Notify Payload.
+ *
+ * The Notify Payload format is described in Draft section 3.10.
+ */
+struct notify_payload_t {
+	/**
+	 * The payload_t interface.
+	 */
+	payload_t payload_interface;
+
+	/**
+	 * Gets the protocol id of this payload.
+	 *
+	 * @return 			protocol id of this payload
+	 */
+	u_int8_t (*get_protocol_id) (notify_payload_t *this);
+
+	/**
+	 * Sets the protocol id of this payload.
+	 *
+	 * @param protocol_id	protocol id to set
+	 */
+	void (*set_protocol_id) (notify_payload_t *this, u_int8_t protocol_id);
+
+	/**
+	 * Gets the notify message type of this payload.
+	 *
+	 * @return 			notify message type of this payload
+	 */
+	notify_type_t (*get_notify_type) (notify_payload_t *this);
+
+	/**
+	 * Sets notify message type of this payload.
+	 *
+	 * @param type		notify message type to set
+	 */
+	void (*set_notify_type) (notify_payload_t *this, notify_type_t type);
+
+	/**
+	 * Returns the currently set spi of this payload.
+	 *
+	 * This is only valid for notifys with protocol AH|ESP
+	 *
+	 * @return 		SPI value
+	 */
+	u_int32_t (*get_spi) (notify_payload_t *this);
+
+	/**
+	 * Sets the spi of this payload.
+	 *
+	 * This is only valid for notifys with protocol AH|ESP
+	 *
+	 * @param spi	SPI value
+	 */
+	void (*set_spi) (notify_payload_t *this, u_int32_t spi);
+
+	/**
+	 * Returns the currently set notification data of payload.
+	 *
+	 * Returned data are not copied.
+	 *
+	 * @return 		chunk_t pointing to the value
+	 */
+	chunk_t (*get_notification_data) (notify_payload_t *this);
+
+	/**
+	 * Sets the notification data of this payload.
+	 *
+	 * @warning Value is getting copied.
+	 *
+	 * @param notification_data 	chunk_t pointing to the value to set
+	 */
+	void (*set_notification_data) (notify_payload_t *this,
+								   chunk_t notification_data);
+
+	/**
+	 * Destroys an notify_payload_t object.
+	 */
+	void (*destroy) (notify_payload_t *this);
+};
+
+/**
+ * Creates an empty notify_payload_t object
+ *
+ * @return			created notify_payload_t object
+ */
+notify_payload_t *notify_payload_create(void);
+
+/**
+ * Creates an notify_payload_t object of specific type for specific protocol id.
+ *
+ * @param protocol_id			protocol id (IKE, AH or ESP)
+ * @param type					notify type (see notify_type_t)
+ * @return						notify_payload_t object
+ */
+notify_payload_t *notify_payload_create_from_protocol_and_type(
+								protocol_id_t protocol_id, notify_type_t type);
+
+#endif /** NOTIFY_PAYLOAD_H_ @}*/
diff --git a/src/libcharon/encoding/payloads/payload.c b/src/libcharon/encoding/payloads/payload.c
new file mode 100644
index 000000000..1cee6d2aa
--- /dev/null
+++ b/src/libcharon/encoding/payloads/payload.c
@@ -0,0 +1,184 @@
+/*
+ * Copyright (C) 2007 Tobias Brunner
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+
+#include "payload.h"
+
+#include <encoding/payloads/ike_header.h>
+#include <encoding/payloads/sa_payload.h>
+#include <encoding/payloads/nonce_payload.h>
+#include <encoding/payloads/id_payload.h>
+#include <encoding/payloads/ke_payload.h>
+#include <encoding/payloads/notify_payload.h>
+#include <encoding/payloads/auth_payload.h>
+#include <encoding/payloads/cert_payload.h>
+#include <encoding/payloads/certreq_payload.h>
+#include <encoding/payloads/encryption_payload.h>
+#include <encoding/payloads/ts_payload.h>
+#include <encoding/payloads/delete_payload.h>
+#include <encoding/payloads/vendor_id_payload.h>
+#include <encoding/payloads/cp_payload.h>
+#include <encoding/payloads/configuration_attribute.h>
+#include <encoding/payloads/eap_payload.h>
+#include <encoding/payloads/unknown_payload.h>
+
+
+ENUM_BEGIN(payload_type_names, NO_PAYLOAD, NO_PAYLOAD,
+	"NO_PAYLOAD");
+ENUM_NEXT(payload_type_names, SECURITY_ASSOCIATION, EXTENSIBLE_AUTHENTICATION, NO_PAYLOAD,
+	"SECURITY_ASSOCIATION",
+	"KEY_EXCHANGE",
+	"ID_INITIATOR",
+	"ID_RESPONDER",
+	"CERTIFICATE",
+	"CERTIFICATE_REQUEST",
+	"AUTHENTICATION",
+	"NONCE",
+	"NOTIFY",
+	"DELETE",
+	"VENDOR_ID",
+	"TRAFFIC_SELECTOR_INITIATOR",
+	"TRAFFIC_SELECTOR_RESPONDER",
+	"ENCRYPTED",
+	"CONFIGURATION",
+	"EXTENSIBLE_AUTHENTICATION");
+#ifdef ME
+ENUM_NEXT(payload_type_names, ID_PEER, ID_PEER, EXTENSIBLE_AUTHENTICATION,
+	"ID_PEER");
+ENUM_NEXT(payload_type_names, HEADER, UNKNOWN_PAYLOAD, ID_PEER,
+	"HEADER",
+	"PROPOSAL_SUBSTRUCTURE",
+	"TRANSFORM_SUBSTRUCTURE",
+	"TRANSFORM_ATTRIBUTE",
+	"TRAFFIC_SELECTOR_SUBSTRUCTURE",
+	"CONFIGURATION_ATTRIBUTE",
+	"UNKNOWN_PAYLOAD");
+#else
+ENUM_NEXT(payload_type_names, HEADER, UNKNOWN_PAYLOAD, EXTENSIBLE_AUTHENTICATION,
+	"HEADER",
+	"PROPOSAL_SUBSTRUCTURE",
+	"TRANSFORM_SUBSTRUCTURE",
+	"TRANSFORM_ATTRIBUTE",
+	"TRAFFIC_SELECTOR_SUBSTRUCTURE",
+	"CONFIGURATION_ATTRIBUTE",
+	"UNKNOWN_PAYLOAD");
+#endif /* ME */
+ENUM_END(payload_type_names, UNKNOWN_PAYLOAD);
+
+/* short forms of payload names */
+ENUM_BEGIN(payload_type_short_names, NO_PAYLOAD, NO_PAYLOAD,
+	"--");
+ENUM_NEXT(payload_type_short_names, SECURITY_ASSOCIATION, EXTENSIBLE_AUTHENTICATION, NO_PAYLOAD,
+	"SA",
+	"KE",
+	"IDi",
+	"IDr",
+	"CERT",
+	"CERTREQ",
+	"AUTH",
+	"No",
+	"N",
+	"D",
+	"V",
+	"TSi",
+	"TSr",
+	"E",
+	"CP",
+	"EAP");
+#ifdef ME
+ENUM_NEXT(payload_type_short_names, ID_PEER, ID_PEER, EXTENSIBLE_AUTHENTICATION,
+	"IDp");
+ENUM_NEXT(payload_type_short_names, HEADER, UNKNOWN_PAYLOAD, ID_PEER,
+	"HDR",
+	"PROP",
+	"TRANS",
+	"TRANSATTR",
+	"TSSUB",
+	"CPATTR",
+	"??");
+#else
+ENUM_NEXT(payload_type_short_names, HEADER, UNKNOWN_PAYLOAD, EXTENSIBLE_AUTHENTICATION,
+	"HDR",
+	"PROP",
+	"TRANS",
+	"TRANSATTR",
+	"TSSUB",
+	"CPATTR",
+	"??");
+#endif /* ME */
+ENUM_END(payload_type_short_names, UNKNOWN_PAYLOAD);
+
+/*
+ * see header
+ */
+payload_t *payload_create(payload_type_t type)
+{
+	switch (type)
+	{
+		case HEADER:
+			return (payload_t*)ike_header_create();
+		case SECURITY_ASSOCIATION:
+			return (payload_t*)sa_payload_create();
+		case PROPOSAL_SUBSTRUCTURE:
+			return (payload_t*)proposal_substructure_create();
+		case TRANSFORM_SUBSTRUCTURE:
+			return (payload_t*)transform_substructure_create();
+		case TRANSFORM_ATTRIBUTE:
+			return (payload_t*)transform_attribute_create();
+		case NONCE:
+			return (payload_t*)nonce_payload_create();
+		case ID_INITIATOR:
+			return (payload_t*)id_payload_create(ID_INITIATOR);
+		case ID_RESPONDER:
+			return (payload_t*)id_payload_create(ID_RESPONDER);
+#ifdef ME
+		case ID_PEER:
+			return (payload_t*)id_payload_create(ID_PEER);
+#endif /* ME */
+		case AUTHENTICATION:
+			return (payload_t*)auth_payload_create();
+		case CERTIFICATE:
+			return (payload_t*)cert_payload_create();
+		case CERTIFICATE_REQUEST:
+			return (payload_t*)certreq_payload_create();
+		case TRAFFIC_SELECTOR_SUBSTRUCTURE:
+			return (payload_t*)traffic_selector_substructure_create();
+		case TRAFFIC_SELECTOR_INITIATOR:
+			return (payload_t*)ts_payload_create(TRUE);
+		case TRAFFIC_SELECTOR_RESPONDER:
+			return (payload_t*)ts_payload_create(FALSE);
+		case KEY_EXCHANGE:
+			return (payload_t*)ke_payload_create();
+		case NOTIFY:
+			return (payload_t*)notify_payload_create();
+		case DELETE:
+			return (payload_t*)delete_payload_create(0);
+		case VENDOR_ID:
+			return (payload_t*)vendor_id_payload_create();
+		case CONFIGURATION:
+			return (payload_t*)cp_payload_create();
+		case CONFIGURATION_ATTRIBUTE:
+			return (payload_t*)configuration_attribute_create();
+		case EXTENSIBLE_AUTHENTICATION:
+			return (payload_t*)eap_payload_create();
+		case ENCRYPTED:
+			return (payload_t*)encryption_payload_create();
+		default:
+			return (payload_t*)unknown_payload_create();
+	}
+}
+
diff --git a/src/libcharon/encoding/payloads/payload.h b/src/libcharon/encoding/payloads/payload.h
new file mode 100644
index 000000000..2e783cb30
--- /dev/null
+++ b/src/libcharon/encoding/payloads/payload.h
@@ -0,0 +1,272 @@
+/*
+ * Copyright (C) 2007 Tobias Brunner
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup payload payload
+ * @{ @ingroup payloads
+ */
+
+#ifndef PAYLOAD_H_
+#define PAYLOAD_H_
+
+typedef enum payload_type_t payload_type_t;
+typedef struct payload_t payload_t;
+
+#include <library.h>
+#include <encoding/payloads/encodings.h>
+
+
+/**
+ * Payload-Types of a IKEv2-Message.
+ *
+ * Header and substructures are also defined as
+ * payload types with values from PRIVATE USE space.
+ */
+enum payload_type_t{
+
+	/**
+	 * End of payload list in next_payload
+	 */
+	NO_PAYLOAD = 0,
+
+	/**
+	 * The security association (SA) payload containing proposals.
+	 */
+	SECURITY_ASSOCIATION = 33,
+
+	/**
+	 * The key exchange (KE) payload containing diffie-hellman values.
+	 */
+	KEY_EXCHANGE = 34,
+
+	/**
+	 * Identification for the original initiator (IDi).
+	 */
+	ID_INITIATOR = 35,
+
+	/**
+	 * Identification for the original responder (IDr).
+	 */
+	ID_RESPONDER = 36,
+
+	/**
+	 * Certificate payload with certificates (CERT).
+	 */
+	CERTIFICATE = 37,
+
+	/**
+	 * Certificate request payload (CERTREQ).
+	 */
+	CERTIFICATE_REQUEST = 38,
+
+	/**
+	 * Authentication payload contains auth data (AUTH).
+	 */
+	AUTHENTICATION = 39,
+
+	/**
+	 * Nonces, for initator and responder (Ni, Nr, N)
+	 */
+	NONCE = 40,
+
+	/**
+	 * Notify paylaod (N).
+	 */
+	NOTIFY = 41,
+
+	/**
+	 * Delete payload (D)
+	 */
+	DELETE = 42,
+
+	/**
+	 * Vendor id paylpoad (V).
+	 */
+	VENDOR_ID = 43,
+
+	/**
+	 * Traffic selector for the original initiator (TSi).
+	 */
+	TRAFFIC_SELECTOR_INITIATOR = 44,
+
+	/**
+	 * Traffic selector for the original responser (TSr).
+	 */
+	TRAFFIC_SELECTOR_RESPONDER = 45,
+
+	/**
+	 * Encryption payload, contains other payloads (E).
+	 */
+	ENCRYPTED = 46,
+
+	/**
+	 * Configuration payload (CP).
+	 */
+	CONFIGURATION = 47,
+
+	/**
+	 * Extensible authentication payload (EAP).
+	 */
+	EXTENSIBLE_AUTHENTICATION = 48,
+
+#ifdef ME
+	/**
+	 * Identification payload for peers has a value from
+	 * the PRIVATE USE space.
+	 */
+	ID_PEER = 128,
+#endif /* ME */
+
+	/**
+	 * Header has a value of PRIVATE USE space.
+	 *
+	 * This payload type is not sent over wire and just
+	 * used internally to handle IKEv2-Header like a payload.
+	 */
+	HEADER = 140,
+
+	/**
+	 * PROPOSAL_SUBSTRUCTURE has a value of PRIVATE USE space.
+	 *
+	 * This payload type is not sent over wire and just
+	 * used internally to handle a proposal substructure like a payload.
+	 */
+	PROPOSAL_SUBSTRUCTURE = 141,
+
+	/**
+	 * TRANSFORM_SUBSTRUCTURE has a value of PRIVATE USE space.
+	 *
+	 * This payload type is not sent over wire and just
+	 * used internally to handle a transform substructure like a payload.
+	 */
+	TRANSFORM_SUBSTRUCTURE = 142,
+
+	/**
+	 * TRANSFORM_ATTRIBUTE has a value of PRIVATE USE space.
+	 *
+	 * This payload type is not sent over wire and just
+	 * used internally to handle a transform attribute like a payload.
+	 */
+	TRANSFORM_ATTRIBUTE = 143,
+
+	/**
+	 * TRAFFIC_SELECTOR_SUBSTRUCTURE has a value of PRIVATE USE space.
+	 *
+	 * This payload type is not sent over wire and just
+	 * used internally to handle a transform selector like a payload.
+	 */
+	TRAFFIC_SELECTOR_SUBSTRUCTURE = 144,
+
+	/**
+	 * CONFIGURATION_ATTRIBUTE has a value of PRIVATE USE space.
+	 *
+	 * This payload type is not sent over wire and just
+	 * used internally to handle a transform attribute like a payload.
+	 */
+	CONFIGURATION_ATTRIBUTE = 145,
+
+	/**
+	 * A unknown payload has a value of PRIVATE USE space.
+	 *
+	 * This payload type is not sent over wire and just
+	 * used internally to handle a unknown payload.
+	 */
+	UNKNOWN_PAYLOAD = 146,
+};
+
+
+/**
+ * enum names for payload_type_t.
+ */
+extern enum_name_t *payload_type_names;
+
+/**
+ * enum names for payload_type_t in a short form.
+ */
+extern enum_name_t *payload_type_short_names;
+
+/**
+ * Generic interface for all payload types (incl.header and substructures).
+ *
+ * To handle all kinds of payloads on a generic way, this interface must
+ * be implemented by every payload. This allows parser_t/generator_t a simple
+ * handling of all payloads.
+ */
+struct payload_t {
+
+	/**
+	 * Get encoding rules for this payload.
+	 *
+	 * @param rules			location to store pointer of first rule
+	 * @param rule_count	location to store number of rules
+	 */
+	void (*get_encoding_rules) (payload_t *this, encoding_rule_t **rules, size_t *rule_count);
+
+	/**
+	 * Get type of payload.
+	 *
+	 * @return 				type of this payload
+	 */
+	payload_type_t (*get_type) (payload_t *this);
+
+	/**
+	 * Get type of next payload or NO_PAYLOAD (0) if this is the last one.
+	 *
+	 * @return 				type of next payload
+	 */
+	payload_type_t (*get_next_type) (payload_t *this);
+
+	/**
+	 * Set type of next payload.
+	 *
+	 * @param type 			type of next payload
+	 */
+	void (*set_next_type) (payload_t *this,payload_type_t type);
+
+	/**
+	 * Get length of payload.
+	 *
+	 * @return 				length of this payload
+	 */
+	size_t (*get_length) (payload_t *this);
+
+	/**
+	 * Verifies payload structure and makes consistence check.
+	 *
+	 * @return 				SUCCESS,  FAILED if consistence not given
+	 */
+	status_t (*verify) (payload_t *this);
+
+	/**
+	 * Destroys a payload and all included substructures.
+	 */
+	void (*destroy) (payload_t *this);
+};
+
+/**
+ * Create an empty payload.
+ *
+ * Useful for the parser, who wants a generic constructor for all payloads.
+ * It supports all payload_t methods. If a payload type is not known,
+ * an unknwon_paylod is created with the chunk of data in it.
+ *
+ * @param type		type of the payload to create
+ * @return			payload_t object
+ */
+payload_t *payload_create(payload_type_t type);
+
+#endif /** PAYLOAD_H_ @}*/
diff --git a/src/libcharon/encoding/payloads/proposal_substructure.c b/src/libcharon/encoding/payloads/proposal_substructure.c
new file mode 100644
index 000000000..c93f73a68
--- /dev/null
+++ b/src/libcharon/encoding/payloads/proposal_substructure.c
@@ -0,0 +1,598 @@
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <stddef.h>
+
+#include "proposal_substructure.h"
+
+#include <encoding/payloads/encodings.h>
+#include <encoding/payloads/transform_substructure.h>
+#include <library.h>
+#include <utils/linked_list.h>
+#include <daemon.h>
+
+
+/**
+ * IKEv1 Value for a proposal payload.
+ */
+#define PROPOSAL_TYPE_VALUE 2
+
+
+typedef struct private_proposal_substructure_t private_proposal_substructure_t;
+
+/**
+ * Private data of an proposal_substructure_t object.
+ *
+ */
+struct private_proposal_substructure_t {
+	/**
+	 * Public proposal_substructure_t interface.
+	 */
+	proposal_substructure_t public;
+
+	/**
+	 * Next payload type.
+	 */
+	u_int8_t  next_payload;
+
+	/**
+	 * Length of this payload.
+	 */
+	u_int16_t proposal_length;
+
+	/**
+	 * Proposal number.
+	 */
+	u_int8_t proposal_number;
+
+	/**
+	 * Protocol ID.
+	 */
+	u_int8_t protocol_id;
+
+	/**
+	 * SPI size of the following SPI.
+	 */
+	u_int8_t  spi_size;
+
+	/**
+	 * Number of transforms.
+	 */
+	u_int8_t  transforms_count;
+
+	/**
+	 * SPI is stored as chunk.
+	 */
+	chunk_t spi;
+
+	/**
+	 * Transforms are stored in a linked_list_t.
+	 */
+	linked_list_t * transforms;
+};
+
+/**
+ * Encoding rules to parse or generate a Proposal substructure.
+ *
+ * The defined offsets are the positions in a object of type
+ * private_proposal_substructure_t.
+ */
+encoding_rule_t proposal_substructure_encodings[] = {
+	/* 1 Byte next payload type, stored in the field next_payload */
+	{ U_INT_8,			offsetof(private_proposal_substructure_t, next_payload) 		},
+	/* Reserved Byte is skipped */
+	{ RESERVED_BYTE,		0															},
+	/* Length of the whole proposal substructure payload*/
+	{ PAYLOAD_LENGTH,		offsetof(private_proposal_substructure_t, proposal_length) 	},
+	/* proposal number is a number of 8 bit */
+	{ U_INT_8,				offsetof(private_proposal_substructure_t, proposal_number) 	},
+	/* protocol ID is a number of 8 bit */
+	{ U_INT_8,				offsetof(private_proposal_substructure_t, protocol_id)		},
+	/* SPI Size has its own type */
+	{ SPI_SIZE,				offsetof(private_proposal_substructure_t, spi_size)			},
+	/* Number of transforms is a number of 8 bit */
+	{ U_INT_8,				offsetof(private_proposal_substructure_t, transforms_count)	},
+	/* SPI is a chunk of variable size*/
+	{ SPI,					offsetof(private_proposal_substructure_t, spi)				},
+	/* Transforms are stored in a transform substructure,
+	   offset points to a linked_list_t pointer */
+	{ TRANSFORMS,			offsetof(private_proposal_substructure_t, transforms) 		}
+};
+
+/*
+                           1                   2                   3
+       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      ! 0 (last) or 2 !   RESERVED    !         Proposal Length       !
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      ! Proposal #    !  Protocol ID  !    SPI Size   !# of Transforms!
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      ~                        SPI (variable)                         ~
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      !                                                               !
+      ~                        <Transforms>                           ~
+      !                                                               !
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+*/
+
+/**
+ * Implementation of payload_t.verify.
+ */
+static status_t verify(private_proposal_substructure_t *this)
+{
+	status_t status = SUCCESS;
+	iterator_t *iterator;
+	payload_t *current_transform;
+
+	if ((this->next_payload != NO_PAYLOAD) && (this->next_payload != 2))
+	{
+		/* must be 0 or 2 */
+		DBG1(DBG_ENC, "inconsistent next payload");
+		return FAILED;
+	}
+	if (this->transforms_count != this->transforms->get_count(this->transforms))
+	{
+		/* must be the same! */
+		DBG1(DBG_ENC, "transform count invalid");
+		return FAILED;
+	}
+
+	switch (this->protocol_id)
+	{
+		case PROTO_AH:
+		case PROTO_ESP:
+			if (this->spi.len != 4)
+			{
+				DBG1(DBG_ENC, "invalid SPI length in %N proposal",
+								  protocol_id_names, this->protocol_id);
+				return FAILED;
+			}
+			break;
+		case PROTO_IKE:
+			if (this->spi.len != 0 && this->spi.len  != 8)
+			{
+				DBG1(DBG_ENC, "invalid SPI length in IKE proposal");
+				return FAILED;
+			}
+			break;
+		default:
+			DBG1(DBG_ENC, "invalid proposal protocol (%d)", this->protocol_id);
+			return FAILED;
+	}
+	if ((this->protocol_id == 0) || (this->protocol_id >= 4))
+	{
+		/* reserved are not supported */
+		DBG1(DBG_ENC, "invalid protocol");
+		return FAILED;
+	}
+
+	iterator = this->transforms->create_iterator(this->transforms,TRUE);
+	while(iterator->iterate(iterator, (void**)&current_transform))
+	{
+		status = current_transform->verify(current_transform);
+		if (status != SUCCESS)
+		{
+			DBG1(DBG_ENC, "TRANSFORM_SUBSTRUCTURE verification failed");
+			break;
+		}
+	}
+	iterator->destroy(iterator);
+
+	/* proposal number is checked in SA payload */
+	return status;
+}
+
+/**
+ * Implementation of payload_t.get_encoding_rules.
+ */
+static void get_encoding_rules(private_proposal_substructure_t *this, encoding_rule_t **rules, size_t *rule_count)
+{
+	*rules = proposal_substructure_encodings;
+	*rule_count = sizeof(proposal_substructure_encodings) / sizeof(encoding_rule_t);
+}
+
+/**
+ * Implementation of payload_t.get_type.
+ */
+static payload_type_t get_type(private_proposal_substructure_t *this)
+{
+	return PROPOSAL_SUBSTRUCTURE;
+}
+
+/**
+ * Implementation of payload_t.get_next_type.
+ */
+static payload_type_t get_next_type(private_proposal_substructure_t *this)
+{
+	return (this->next_payload);
+}
+
+/**
+ * Implementation of payload_t.set_next_type.
+ */
+static void set_next_type(private_proposal_substructure_t *this,payload_type_t type)
+{
+}
+
+/**
+ * (re-)compute the length of the payload.
+ */
+static void compute_length(private_proposal_substructure_t *this)
+{
+	iterator_t *iterator;
+	payload_t *current_transform;
+	size_t transforms_count = 0;
+	size_t length = PROPOSAL_SUBSTRUCTURE_HEADER_LENGTH;
+
+	iterator = this->transforms->create_iterator(this->transforms,TRUE);
+	while (iterator->iterate(iterator, (void**)&current_transform))
+	{
+		length += current_transform->get_length(current_transform);
+		transforms_count++;
+	}
+	iterator->destroy(iterator);
+
+	length += this->spi.len;
+	this->transforms_count = transforms_count;
+	this->proposal_length = length;
+}
+
+/**
+ * Implementation of payload_t.get_length.
+ */
+static size_t get_length(private_proposal_substructure_t *this)
+{
+	compute_length(this);
+	return this->proposal_length;
+}
+
+/**
+ * Implementation of proposal_substructure_t.create_transform_substructure_iterator.
+ */
+static iterator_t *create_transform_substructure_iterator (private_proposal_substructure_t *this,bool forward)
+{
+	return (this->transforms->create_iterator(this->transforms,forward));
+}
+
+/**
+ * Implementation of proposal_substructure_t.add_transform_substructure.
+ */
+static void add_transform_substructure (private_proposal_substructure_t *this,transform_substructure_t *transform)
+{
+	status_t status;
+	if (this->transforms->get_count(this->transforms) > 0)
+	{
+		transform_substructure_t *last_transform;
+		status = this->transforms->get_last(this->transforms,(void **) &last_transform);
+		/* last transform is now not anymore last one */
+		last_transform->set_is_last_transform(last_transform,FALSE);
+
+	}
+	transform->set_is_last_transform(transform,TRUE);
+
+	this->transforms->insert_last(this->transforms,(void *) transform);
+	compute_length(this);
+}
+
+/**
+ * Implementation of proposal_substructure_t.proposal_substructure_t.
+ */
+static void set_is_last_proposal (private_proposal_substructure_t *this, bool is_last)
+{
+	this->next_payload = (is_last) ? 0: PROPOSAL_TYPE_VALUE;
+}
+
+/**
+ * Implementation of proposal_substructure_t.set_proposal_number.
+ */
+static void set_proposal_number(private_proposal_substructure_t *this,u_int8_t proposal_number)
+{
+	this->proposal_number = proposal_number;
+}
+
+/**
+ * Implementation of proposal_substructure_t.get_proposal_number.
+ */
+static u_int8_t get_proposal_number (private_proposal_substructure_t *this)
+{
+	return (this->proposal_number);
+}
+
+/**
+ * Implementation of proposal_substructure_t.set_protocol_id.
+ */
+static void set_protocol_id(private_proposal_substructure_t *this,u_int8_t protocol_id)
+{
+	this->protocol_id = protocol_id;
+}
+
+/**
+ * Implementation of proposal_substructure_t.get_protocol_id.
+ */
+static u_int8_t get_protocol_id(private_proposal_substructure_t *this)
+{
+	return (this->protocol_id);
+}
+
+/**
+ * Implementation of proposal_substructure_t.set_spi.
+ */
+static void set_spi(private_proposal_substructure_t *this, chunk_t spi)
+{
+	/* first delete already set spi value */
+	if (this->spi.ptr != NULL)
+	{
+		free(this->spi.ptr);
+		this->spi.ptr = NULL;
+		this->spi.len = 0;
+		compute_length(this);
+	}
+
+	this->spi.ptr = clalloc(spi.ptr,spi.len);
+	this->spi.len = spi.len;
+	this->spi_size = spi.len;
+	compute_length(this);
+}
+
+/**
+ * Implementation of proposal_substructure_t.get_spi.
+ */
+static chunk_t get_spi(private_proposal_substructure_t *this)
+{
+	chunk_t spi;
+	spi.ptr = this->spi.ptr;
+	spi.len = this->spi.len;
+
+	return spi;
+}
+
+/**
+ * Implementation of proposal_substructure_t.get_transform_count.
+ */
+static size_t get_transform_count (private_proposal_substructure_t *this)
+{
+	return this->transforms->get_count(this->transforms);
+}
+
+/**
+ * Implementation of proposal_substructure_t.get_spi_size.
+ */
+static size_t get_spi_size (private_proposal_substructure_t *this)
+{
+	return this->spi.len;
+}
+
+/**
+ * Implementation of proposal_substructure_t.get_proposal.
+ */
+proposal_t* get_proposal(private_proposal_substructure_t *this)
+{
+	iterator_t *iterator;
+	transform_substructure_t *transform;
+	proposal_t *proposal;
+	u_int64_t spi;
+
+	proposal = proposal_create(this->protocol_id);
+
+	iterator = this->transforms->create_iterator(this->transforms, TRUE);
+	while (iterator->iterate(iterator, (void**)&transform))
+	{
+		transform_type_t transform_type;
+		u_int16_t transform_id;
+		u_int16_t key_length = 0;
+
+		transform_type = transform->get_transform_type(transform);
+		transform_id = transform->get_transform_id(transform);
+		transform->get_key_length(transform, &key_length);
+
+		proposal->add_algorithm(proposal, transform_type, transform_id, key_length);
+	}
+	iterator->destroy(iterator);
+
+	switch (this->spi.len)
+	{
+		case 4:
+			spi = *((u_int32_t*)this->spi.ptr);
+			break;
+		case 8:
+			spi = *((u_int64_t*)this->spi.ptr);
+			break;
+		default:
+			spi = 0;
+	}
+	proposal->set_spi(proposal, spi);
+
+	return proposal;
+}
+
+/**
+ * Implementation of proposal_substructure_t.clone.
+ */
+static private_proposal_substructure_t* clone_(private_proposal_substructure_t *this)
+{
+	private_proposal_substructure_t *clone;
+	iterator_t *transforms;
+	transform_substructure_t *current_transform;
+
+	clone = (private_proposal_substructure_t *) proposal_substructure_create();
+	clone->next_payload = this->next_payload;
+	clone->proposal_number = this->proposal_number;
+	clone->protocol_id = this->protocol_id;
+	clone->spi_size = this->spi_size;
+	if (this->spi.ptr != NULL)
+	{
+		clone->spi.ptr = clalloc(this->spi.ptr,this->spi.len);
+		clone->spi.len = this->spi.len;
+	}
+
+	transforms = this->transforms->create_iterator(this->transforms,FALSE);
+	while (transforms->iterate(transforms, (void**)&current_transform))
+	{
+		current_transform = current_transform->clone(current_transform);
+		clone->public.add_transform_substructure(&clone->public, current_transform);
+	}
+	transforms->destroy(transforms);
+
+	return clone;
+}
+
+/**
+ * Implements payload_t's and proposal_substructure_t's destroy function.
+ * See #payload_s.destroy or proposal_substructure_s.destroy for description.
+ */
+static void destroy(private_proposal_substructure_t *this)
+{
+	this->transforms->destroy_offset(this->transforms,
+									 offsetof(transform_substructure_t, destroy));
+	chunk_free(&this->spi);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+proposal_substructure_t *proposal_substructure_create()
+{
+	private_proposal_substructure_t *this = malloc_thing(private_proposal_substructure_t);
+
+	/* interface functions */
+	this->public.payload_interface.verify = (status_t (*) (payload_t *))verify;
+	this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules;
+	this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length;
+	this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type;
+	this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
+	this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_type;
+	this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
+
+
+	/* public functions */
+	this->public.create_transform_substructure_iterator = (iterator_t* (*) (proposal_substructure_t *,bool)) create_transform_substructure_iterator;
+	this->public.add_transform_substructure = (void (*) (proposal_substructure_t *,transform_substructure_t *)) add_transform_substructure;
+	this->public.set_proposal_number = (void (*) (proposal_substructure_t *,u_int8_t))set_proposal_number;
+	this->public.get_proposal_number = (u_int8_t (*) (proposal_substructure_t *)) get_proposal_number;
+	this->public.set_protocol_id = (void (*) (proposal_substructure_t *,u_int8_t))set_protocol_id;
+	this->public.get_protocol_id = (u_int8_t (*) (proposal_substructure_t *)) get_protocol_id;
+	this->public.set_is_last_proposal = (void (*) (proposal_substructure_t *,bool)) set_is_last_proposal;
+	this->public.get_proposal = (proposal_t* (*) (proposal_substructure_t*))get_proposal;
+	this->public.set_spi = (void (*) (proposal_substructure_t *,chunk_t))set_spi;
+	this->public.get_spi = (chunk_t (*) (proposal_substructure_t *)) get_spi;
+	this->public.get_transform_count = (size_t (*) (proposal_substructure_t *)) get_transform_count;
+	this->public.get_spi_size = (size_t (*) (proposal_substructure_t *)) get_spi_size;
+	this->public.clone = (proposal_substructure_t * (*) (proposal_substructure_t *)) clone_;
+	this->public.destroy = (void (*) (proposal_substructure_t *)) destroy;
+
+	/* set default values of the fields */
+	this->next_payload = NO_PAYLOAD;
+	this->proposal_length = 0;
+	this->proposal_number = 0;
+	this->protocol_id = 0;
+	this->transforms_count = 0;
+	this->spi_size = 0;
+	this->spi.ptr = NULL;
+	this->spi.len = 0;
+
+	this->transforms = linked_list_create();
+
+	return (&(this->public));
+}
+
+/*
+ * Described in header.
+ */
+proposal_substructure_t *proposal_substructure_create_from_proposal(proposal_t *proposal)
+{
+	transform_substructure_t *transform;
+	private_proposal_substructure_t *this;
+	u_int16_t alg, key_size;
+	enumerator_t *enumerator;
+
+	this = (private_proposal_substructure_t*)proposal_substructure_create();
+
+	/* encryption algorithm is only availble in ESP */
+	enumerator = proposal->create_enumerator(proposal, ENCRYPTION_ALGORITHM);
+	while (enumerator->enumerate(enumerator, &alg, &key_size))
+	{
+		transform = transform_substructure_create_type(ENCRYPTION_ALGORITHM,
+													   alg, key_size);
+		add_transform_substructure(this, transform);
+	}
+	enumerator->destroy(enumerator);
+
+	/* integrity algorithms */
+	enumerator = proposal->create_enumerator(proposal, INTEGRITY_ALGORITHM);
+	while (enumerator->enumerate(enumerator, &alg, &key_size))
+	{
+		transform = transform_substructure_create_type(INTEGRITY_ALGORITHM,
+													   alg, key_size);
+		add_transform_substructure(this, transform);
+	}
+	enumerator->destroy(enumerator);
+
+	/* prf algorithms */
+	enumerator = proposal->create_enumerator(proposal, PSEUDO_RANDOM_FUNCTION);
+	while (enumerator->enumerate(enumerator, &alg, &key_size))
+	{
+		transform = transform_substructure_create_type(PSEUDO_RANDOM_FUNCTION,
+													   alg, key_size);
+		add_transform_substructure(this, transform);
+	}
+	enumerator->destroy(enumerator);
+
+	/* dh groups */
+	enumerator = proposal->create_enumerator(proposal, DIFFIE_HELLMAN_GROUP);
+	while (enumerator->enumerate(enumerator, &alg, NULL))
+	{
+		transform = transform_substructure_create_type(DIFFIE_HELLMAN_GROUP,
+													   alg, 0);
+		add_transform_substructure(this, transform);
+	}
+	enumerator->destroy(enumerator);
+
+	/* extended sequence numbers */
+	enumerator = proposal->create_enumerator(proposal, EXTENDED_SEQUENCE_NUMBERS);
+	while (enumerator->enumerate(enumerator, &alg, NULL))
+	{
+		transform = transform_substructure_create_type(EXTENDED_SEQUENCE_NUMBERS,
+													   alg, 0);
+		add_transform_substructure(this, transform);
+	}
+	enumerator->destroy(enumerator);
+
+	/* add SPI, if necessary */
+	switch (proposal->get_protocol(proposal))
+	{
+		case PROTO_AH:
+		case PROTO_ESP:
+			this->spi_size = this->spi.len = 4;
+			this->spi.ptr = malloc(this->spi_size);
+			*((u_int32_t*)this->spi.ptr) = proposal->get_spi(proposal);
+			break;
+		case PROTO_IKE:
+			if (proposal->get_spi(proposal))
+			{	/* IKE only uses SPIS when rekeying, but on initial setup */
+				this->spi_size = this->spi.len = 8;
+				this->spi.ptr = malloc(this->spi_size);
+				*((u_int64_t*)this->spi.ptr) = proposal->get_spi(proposal);
+			}
+			break;
+		default:
+			break;
+	}
+	this->proposal_number = 0;
+	this->protocol_id = proposal->get_protocol(proposal);
+
+	return &this->public;
+}
diff --git a/src/libcharon/encoding/payloads/proposal_substructure.h b/src/libcharon/encoding/payloads/proposal_substructure.h
new file mode 100644
index 000000000..4934802af
--- /dev/null
+++ b/src/libcharon/encoding/payloads/proposal_substructure.h
@@ -0,0 +1,173 @@
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup proposal_substructure proposal_substructure
+ * @{ @ingroup payloads
+ */
+
+#ifndef PROPOSAL_SUBSTRUCTURE_H_
+#define PROPOSAL_SUBSTRUCTURE_H_
+
+typedef struct proposal_substructure_t proposal_substructure_t;
+
+#include <library.h>
+#include <encoding/payloads/payload.h>
+#include <encoding/payloads/transform_substructure.h>
+#include <config/proposal.h>
+#include <utils/linked_list.h>
+
+
+/**
+ * Length of the proposal substructure header (without spi).
+ */
+#define PROPOSAL_SUBSTRUCTURE_HEADER_LENGTH 8
+
+/**
+ * Class representing an IKEv2-PROPOSAL SUBSTRUCTURE.
+ *
+ * The PROPOSAL SUBSTRUCTURE format is described in RFC section 3.3.1.
+ */
+struct proposal_substructure_t {
+	/**
+	 * The payload_t interface.
+	 */
+	payload_t payload_interface;
+
+	/**
+	 * Creates an iterator of stored transform_substructure_t objects.
+	 *
+	 * @param forward		iterator direction (TRUE: front to end)
+	 * @return				created iterator_t object
+	 */
+	iterator_t *(*create_transform_substructure_iterator) (
+								proposal_substructure_t *this, bool forward);
+
+	/**
+	 * Adds a transform_substructure_t object to this object.
+	 *
+	 * @param transform 	transform_substructure_t object to add
+	 */
+	void (*add_transform_substructure) (proposal_substructure_t *this,
+										transform_substructure_t *transform);
+
+	/**
+	 * Sets the proposal number of current proposal.
+	 *
+	 * @param id			proposal number to set
+	 */
+	void (*set_proposal_number) (proposal_substructure_t *this,
+								 u_int8_t proposal_number);
+
+	/**
+	 * get proposal number of current proposal.
+	 *
+	 * @return 			proposal number of current proposal substructure.
+	 */
+	u_int8_t (*get_proposal_number) (proposal_substructure_t *this);
+
+	/**
+	 * get the number of transforms in current proposal.
+	 *
+	 * @return 			transform count in current proposal
+	 */
+	size_t (*get_transform_count) (proposal_substructure_t *this);
+
+	/**
+	 * get size of the set spi in bytes.
+	 *
+	 * @return 			size of the spi in bytes
+	 */
+	size_t (*get_spi_size) (proposal_substructure_t *this);
+
+	/**
+	 * Sets the protocol id of current proposal.
+	 *
+	 * @param id		protocol id to set
+	 */
+	void (*set_protocol_id) (proposal_substructure_t *this,
+							 u_int8_t protocol_id);
+
+	/**
+	 * get protocol id of current proposal.
+	 *
+	 * @return 			protocol id of current proposal substructure.
+	 */
+	u_int8_t (*get_protocol_id) (proposal_substructure_t *this);
+
+	/**
+	 * Sets the next_payload field of this substructure
+	 *
+	 * If this is the last proposal, next payload field is set to 0,
+	 * otherwise to 2
+	 *
+	 * @param is_last	When TRUE, next payload field is set to 0, otherwise to 2
+	 */
+	void (*set_is_last_proposal) (proposal_substructure_t *this, bool is_last);
+
+	/**
+	 * Returns the currently set SPI of this proposal.
+	 *
+	 * @return 			chunk_t pointing to the value
+	 */
+	chunk_t (*get_spi) (proposal_substructure_t *this);
+
+	/**
+	 * Sets the SPI of the current proposal.
+	 *
+	 * @warning SPI is getting copied
+	 *
+	 * @param spi		chunk_t pointing to the value to set
+	 */
+	void (*set_spi) (proposal_substructure_t *this, chunk_t spi);
+
+	/**
+	 * Get a proposal_t from the propsal_substructure_t.
+	 *
+	 * @return			proposal_t
+	 */
+	proposal_t * (*get_proposal) (proposal_substructure_t *this);
+
+	/**
+	 * Clones an proposal_substructure_t object.
+	 *
+	 * @return		cloned object
+	 */
+	proposal_substructure_t* (*clone) (proposal_substructure_t *this);
+
+	/**
+	 * Destroys an proposal_substructure_t object.
+	 */
+	void (*destroy) (proposal_substructure_t *this);
+};
+
+/**
+ * Creates an empty proposal_substructure_t object
+ *
+ * @return proposal_substructure_t object
+ */
+proposal_substructure_t *proposal_substructure_create(void);
+
+/**
+ * Creates a proposal_substructure_t from a proposal_t.
+ *
+ * @param proposal		proposal to build a substruct out of it
+ * @return 				proposal_substructure_t object
+ */
+proposal_substructure_t *proposal_substructure_create_from_proposal(
+														proposal_t *proposal);
+
+#endif /** PROPOSAL_SUBSTRUCTURE_H_ @}*/
diff --git a/src/libcharon/encoding/payloads/sa_payload.c b/src/libcharon/encoding/payloads/sa_payload.c
new file mode 100644
index 000000000..187a8fee0
--- /dev/null
+++ b/src/libcharon/encoding/payloads/sa_payload.c
@@ -0,0 +1,368 @@
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <stddef.h>
+
+#include "sa_payload.h"
+
+#include <encoding/payloads/encodings.h>
+#include <utils/linked_list.h>
+#include <daemon.h>
+
+
+typedef struct private_sa_payload_t private_sa_payload_t;
+
+/**
+ * Private data of an sa_payload_t object.
+ *
+ */
+struct private_sa_payload_t {
+	/**
+	 * Public sa_payload_t interface.
+	 */
+	sa_payload_t public;
+
+	/**
+	 * Next payload type.
+	 */
+	u_int8_t  next_payload;
+
+	/**
+	 * Critical flag.
+	 */
+	bool critical;
+
+	/**
+	 * Length of this payload.
+	 */
+	u_int16_t payload_length;
+
+	/**
+	 * Proposals in this payload are stored in a linked_list_t.
+	 */
+	linked_list_t * proposals;
+};
+
+/**
+ * Encoding rules to parse or generate a IKEv2-SA Payload
+ *
+ * The defined offsets are the positions in a object of type
+ * private_sa_payload_t.
+ *
+ */
+encoding_rule_t sa_payload_encodings[] = {
+	/* 1 Byte next payload type, stored in the field next_payload */
+	{ U_INT_8,		offsetof(private_sa_payload_t, next_payload) 			},
+	/* the critical bit */
+	{ FLAG,			offsetof(private_sa_payload_t, critical) 				},
+	/* 7 Bit reserved bits, nowhere stored */
+	{ RESERVED_BIT,	0 														},
+	{ RESERVED_BIT,	0 														},
+	{ RESERVED_BIT,	0 														},
+	{ RESERVED_BIT,	0 														},
+	{ RESERVED_BIT,	0 														},
+	{ RESERVED_BIT,	0 														},
+	{ RESERVED_BIT,	0 														},
+	/* Length of the whole SA payload*/
+	{ PAYLOAD_LENGTH,		offsetof(private_sa_payload_t, payload_length) 	},
+	/* Proposals are stored in a proposal substructure,
+	   offset points to a linked_list_t pointer */
+	{ PROPOSALS,		offsetof(private_sa_payload_t, proposals) 				}
+};
+
+/*
+                           1                   2                   3
+       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      ! Next Payload  !C!  RESERVED   !         Payload Length        !
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      !                                                               !
+      ~                          <Proposals>                          ~
+      !                                                               !
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+*/
+
+/**
+ * Implementation of payload_t.verify.
+ */
+static status_t verify(private_sa_payload_t *this)
+{
+	int expected_number = 1, current_number;
+	status_t status = SUCCESS;
+	iterator_t *iterator;
+	proposal_substructure_t *current_proposal;
+	bool first = TRUE;
+
+	/* check proposal numbering */
+	iterator = this->proposals->create_iterator(this->proposals,TRUE);
+
+	while(iterator->iterate(iterator, (void**)&current_proposal))
+	{
+		current_number = current_proposal->get_proposal_number(current_proposal);
+		if (current_number < expected_number)
+		{
+			if (current_number != (expected_number + 1))
+			{
+				DBG1(DBG_ENC, "proposal number is %d, expected %d or %d",
+					 current_number, expected_number, expected_number + 1);
+				status = FAILED;
+				break;
+			}
+		}
+		else if (current_number < expected_number)
+		{
+			/* must not be smaller then proceeding one */
+			DBG1(DBG_ENC, "proposal number smaller than that of previous proposal");
+			status = FAILED;
+			break;
+		}
+
+		status = current_proposal->payload_interface.verify(&(current_proposal->payload_interface));
+		if (status != SUCCESS)
+		{
+			DBG1(DBG_ENC, "PROPOSAL_SUBSTRUCTURE verification failed");
+			break;
+		}
+		first = FALSE;
+		expected_number = current_number;
+	}
+
+	iterator->destroy(iterator);
+	return status;
+}
+
+
+/**
+ * Implementation of payload_t.destroy and sa_payload_t.destroy.
+ */
+static status_t destroy(private_sa_payload_t *this)
+{
+	this->proposals->destroy_offset(this->proposals,
+									offsetof(proposal_substructure_t, destroy));
+	free(this);
+	return SUCCESS;
+}
+
+/**
+ * Implementation of payload_t.get_encoding_rules.
+ */
+static void get_encoding_rules(private_sa_payload_t *this, encoding_rule_t **rules, size_t *rule_count)
+{
+	*rules = sa_payload_encodings;
+	*rule_count = sizeof(sa_payload_encodings) / sizeof(encoding_rule_t);
+}
+
+/**
+ * Implementation of payload_t.get_type.
+ */
+static payload_type_t get_type(private_sa_payload_t *this)
+{
+	return SECURITY_ASSOCIATION;
+}
+
+/**
+ * Implementation of payload_t.get_next_type.
+ */
+static payload_type_t get_next_type(private_sa_payload_t *this)
+{
+	return (this->next_payload);
+}
+
+/**
+ * Implementation of payload_t.set_next_type.
+ */
+static void set_next_type(private_sa_payload_t *this,payload_type_t type)
+{
+	this->next_payload = type;
+}
+
+/**
+ * recompute length of the payload.
+ */
+static void compute_length (private_sa_payload_t *this)
+{
+	iterator_t *iterator;
+	payload_t *current_proposal;
+	size_t length = SA_PAYLOAD_HEADER_LENGTH;
+
+	iterator = this->proposals->create_iterator(this->proposals,TRUE);
+	while (iterator->iterate(iterator, (void **)&current_proposal))
+	{
+		length += current_proposal->get_length(current_proposal);
+	}
+	iterator->destroy(iterator);
+
+	this->payload_length = length;
+}
+
+/**
+ * Implementation of payload_t.get_length.
+ */
+static size_t get_length(private_sa_payload_t *this)
+{
+	compute_length(this);
+	return this->payload_length;
+}
+
+/**
+ * Implementation of sa_payload_t.create_proposal_substructure_iterator.
+ */
+static iterator_t *create_proposal_substructure_iterator (private_sa_payload_t *this,bool forward)
+{
+	return this->proposals->create_iterator(this->proposals,forward);
+}
+
+/**
+ * Implementation of sa_payload_t.add_proposal_substructure.
+ */
+static void add_proposal_substructure(private_sa_payload_t *this,proposal_substructure_t *proposal)
+{
+	status_t status;
+	u_int proposal_count = this->proposals->get_count(this->proposals);
+
+	if (proposal_count > 0)
+	{
+		proposal_substructure_t *last_proposal;
+		status = this->proposals->get_last(this->proposals,(void **) &last_proposal);
+		/* last transform is now not anymore last one */
+		last_proposal->set_is_last_proposal(last_proposal, FALSE);
+	}
+	proposal->set_is_last_proposal(proposal, TRUE);
+	proposal->set_proposal_number(proposal, proposal_count + 1);
+	this->proposals->insert_last(this->proposals,(void *) proposal);
+	compute_length(this);
+}
+
+/**
+ * Implementation of sa_payload_t.add_proposal.
+ */
+static void add_proposal(private_sa_payload_t *this, proposal_t *proposal)
+{
+	proposal_substructure_t *substructure;
+
+	substructure = proposal_substructure_create_from_proposal(proposal);
+	add_proposal_substructure(this, substructure);
+}
+
+/**
+ * Implementation of sa_payload_t.get_proposals.
+ */
+static linked_list_t *get_proposals(private_sa_payload_t *this)
+{
+	int struct_number = 0;
+	int ignore_struct_number = 0;
+	iterator_t *iterator;
+	proposal_substructure_t *proposal_struct;
+	linked_list_t *proposal_list;
+
+	/* this list will hold our proposals */
+	proposal_list = linked_list_create();
+
+	/* we do not support proposals split up to two proposal substructures, as
+	 * AH+ESP bundles are not supported in RFC4301 anymore.
+	 * To handle such structures safely, we just skip proposals with multiple
+	 * protocols.
+	 */
+	iterator = this->proposals->create_iterator(this->proposals, TRUE);
+	while (iterator->iterate(iterator, (void **)&proposal_struct))
+	{
+		proposal_t *proposal;
+
+		/* check if a proposal has a single protocol */
+		if (proposal_struct->get_proposal_number(proposal_struct) == struct_number)
+		{
+			if (ignore_struct_number < struct_number)
+			{
+				/* remova an already added, if first of series */
+				proposal_list->remove_last(proposal_list, (void**)&proposal);
+				proposal->destroy(proposal);
+				ignore_struct_number = struct_number;
+			}
+			continue;
+		}
+		struct_number++;
+		proposal = proposal_struct->get_proposal(proposal_struct);
+		if (proposal)
+		{
+			proposal_list->insert_last(proposal_list, proposal);
+		}
+	}
+	iterator->destroy(iterator);
+	return proposal_list;
+}
+
+/*
+ * Described in header.
+ */
+sa_payload_t *sa_payload_create()
+{
+	private_sa_payload_t *this = malloc_thing(private_sa_payload_t);
+
+	/* public interface */
+	this->public.payload_interface.verify = (status_t (*) (payload_t *))verify;
+	this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules;
+	this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length;
+	this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type;
+	this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
+	this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_type;
+	this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
+
+	/* public functions */
+	this->public.create_proposal_substructure_iterator = (iterator_t* (*) (sa_payload_t *,bool)) create_proposal_substructure_iterator;
+	this->public.add_proposal_substructure = (void (*) (sa_payload_t *,proposal_substructure_t *)) add_proposal_substructure;
+	this->public.add_proposal = (void (*) (sa_payload_t*,proposal_t*))add_proposal;
+	this->public.get_proposals = (linked_list_t* (*) (sa_payload_t *)) get_proposals;
+	this->public.destroy = (void (*) (sa_payload_t *)) destroy;
+
+	/* set default values of the fields */
+	this->critical = FALSE;
+	this->next_payload = NO_PAYLOAD;
+	this->payload_length = SA_PAYLOAD_HEADER_LENGTH;
+	this->proposals = linked_list_create();
+	return &this->public;
+}
+
+/*
+ * Described in header.
+ */
+sa_payload_t *sa_payload_create_from_proposal_list(linked_list_t *proposals)
+{
+	iterator_t *iterator;
+	proposal_t *proposal;
+	sa_payload_t *sa_payload = sa_payload_create();
+
+	/* add every payload from the list */
+	iterator = proposals->create_iterator(proposals, TRUE);
+	while (iterator->iterate(iterator, (void**)&proposal))
+	{
+		add_proposal((private_sa_payload_t*)sa_payload, proposal);
+	}
+	iterator->destroy(iterator);
+
+	return sa_payload;
+}
+
+/*
+ * Described in header.
+ */
+sa_payload_t *sa_payload_create_from_proposal(proposal_t *proposal)
+{
+	sa_payload_t *sa_payload = sa_payload_create();
+
+	add_proposal((private_sa_payload_t*)sa_payload, proposal);
+
+	return sa_payload;
+}
diff --git a/src/libcharon/encoding/payloads/sa_payload.h b/src/libcharon/encoding/payloads/sa_payload.h
new file mode 100644
index 000000000..25f5a2407
--- /dev/null
+++ b/src/libcharon/encoding/payloads/sa_payload.h
@@ -0,0 +1,115 @@
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup sa_payload sa_payload
+ * @{ @ingroup payloads
+ */
+
+#ifndef SA_PAYLOAD_H_
+#define SA_PAYLOAD_H_
+
+typedef struct sa_payload_t sa_payload_t;
+
+#include <library.h>
+#include <encoding/payloads/payload.h>
+#include <encoding/payloads/proposal_substructure.h>
+#include <utils/linked_list.h>
+
+/**
+ * SA_PAYLOAD length in bytes without any proposal substructure.
+ */
+#define SA_PAYLOAD_HEADER_LENGTH 4
+
+/**
+ * Class representing an IKEv2-SA Payload.
+ *
+ * The SA Payload format is described in RFC section 3.3.
+ */
+struct sa_payload_t {
+	/**
+	 * The payload_t interface.
+	 */
+	payload_t payload_interface;
+
+	/**
+	 * Creates an iterator of stored proposal_substructure_t objects.
+	 *
+	 * When deleting an proposal using this iterator,
+	 * the length of this transform substructure has to be refreshed
+	 * by calling get_length()!
+	 *
+	 * @param forward 		iterator direction (TRUE: front to end)
+	 * @return				created iterator_t object
+	 */
+	iterator_t *(*create_proposal_substructure_iterator) (sa_payload_t *this,
+														  bool forward);
+
+	/**
+	 * Adds a proposal_substructure_t object to this object.
+	 *
+	 * @param proposal  		proposal_substructure_t object to add
+	 */
+	void (*add_proposal_substructure) (sa_payload_t *this,
+									   proposal_substructure_t *proposal);
+
+	/**
+	 * Gets the proposals in this payload as a list.
+	 *
+	 * @return					a list containing proposal_t s
+	 */
+	linked_list_t *(*get_proposals) (sa_payload_t *this);
+
+	/**
+	 * Add a child proposal (AH/ESP) to the payload.
+	 *
+	 * @param proposal			child proposal to add to the payload
+	 */
+	void (*add_proposal) (sa_payload_t *this, proposal_t *proposal);
+
+	/**
+	 * Destroys an sa_payload_t object.
+	 */
+	void (*destroy) (sa_payload_t *this);
+};
+
+/**
+ * Creates an empty sa_payload_t object
+ *
+ * @return					created sa_payload_t object
+ */
+sa_payload_t *sa_payload_create(void);
+
+/**
+ * Creates a sa_payload_t object from a list of proposals.
+ *
+ * @param proposals			list of proposals to build the payload from
+ * @return					sa_payload_t object
+ */
+sa_payload_t *sa_payload_create_from_proposal_list(linked_list_t *proposals);
+
+/**
+ * Creates a sa_payload_t object from a single proposal.
+ *
+ * This is only for convenience. Use sa_payload_create_from_proposal_list
+ * if you want to add more than one proposal.
+ *
+ * @param proposal			proposal from which the payload should be built.
+ * @return					sa_payload_t object
+ */
+sa_payload_t *sa_payload_create_from_proposal(proposal_t *proposal);
+
+#endif /** SA_PAYLOAD_H_ @}*/
diff --git a/src/libcharon/encoding/payloads/traffic_selector_substructure.c b/src/libcharon/encoding/payloads/traffic_selector_substructure.c
new file mode 100644
index 000000000..f24857591
--- /dev/null
+++ b/src/libcharon/encoding/payloads/traffic_selector_substructure.c
@@ -0,0 +1,276 @@
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "traffic_selector_substructure.h"
+
+#include <encoding/payloads/encodings.h>
+#include <utils/linked_list.h>
+
+
+typedef struct private_traffic_selector_substructure_t private_traffic_selector_substructure_t;
+
+/**
+ * Private data of an traffic_selector_substructure_t object.
+ *
+ */
+struct private_traffic_selector_substructure_t {
+	/**
+	 * Public traffic_selector_substructure_t interface.
+	 */
+	traffic_selector_substructure_t public;
+
+	/**
+	 * Type of traffic selector.
+	 */
+	u_int8_t ts_type;
+
+	/**
+	 * IP Protocol ID.
+	 */
+	u_int8_t ip_protocol_id;
+
+	/**
+	 * Length of this payload.
+	 */
+	u_int16_t payload_length;
+
+	/**
+	 * Start port number.
+	 */
+	u_int16_t start_port;
+
+	/**
+	 * End port number.
+	 */
+	u_int16_t end_port;
+
+	/**
+	 * Starting address.
+	 */
+	chunk_t starting_address;
+
+	/**
+	 * Ending address.
+	 */
+	chunk_t ending_address;
+};
+
+/**
+ * Encoding rules to parse or generate a TS payload
+ *
+ * The defined offsets are the positions in a object of type
+ * private_traffic_selector_substructure_t.
+ *
+ */
+encoding_rule_t traffic_selector_substructure_encodings[] = {
+	/* 1 Byte next ts type*/
+	{ TS_TYPE,			offsetof(private_traffic_selector_substructure_t, ts_type) 			},
+	/* 1 Byte IP protocol id*/
+	{ U_INT_8,			offsetof(private_traffic_selector_substructure_t, ip_protocol_id) 	},
+	/* Length of the whole payload*/
+	{ PAYLOAD_LENGTH,	offsetof(private_traffic_selector_substructure_t, payload_length)		},
+	/* 2 Byte start port*/
+	{ U_INT_16,		offsetof(private_traffic_selector_substructure_t, start_port)			},
+	/* 2 Byte end port*/
+	{ U_INT_16,		offsetof(private_traffic_selector_substructure_t, end_port)			},
+	/* starting address is either 4 or 16 byte */
+	{ ADDRESS,			offsetof(private_traffic_selector_substructure_t, starting_address)	},
+	/* ending address is either 4 or 16 byte */
+	{ ADDRESS,			offsetof(private_traffic_selector_substructure_t, ending_address)		}
+
+};
+
+/*
+                           1                   2                   3
+       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      !   TS Type     !IP Protocol ID*|       Selector Length         |
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      |           Start Port*         |           End Port*           |
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      !                                                               !
+      ~                         Starting Address*                     ~
+      !                                                               !
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      !                                                               !
+      ~                         Ending Address*                       ~
+      !                                                               !
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+*/
+
+/**
+ * Implementation of payload_t.verify.
+ */
+static status_t verify(private_traffic_selector_substructure_t *this)
+{
+	if (this->start_port > this->end_port)
+	{
+		return FAILED;
+	}
+	switch (this->ts_type)
+	{
+		case TS_IPV4_ADDR_RANGE:
+		{
+			if ((this->starting_address.len != 4) ||
+				(this->ending_address.len != 4))
+			{
+				/* ipv4 address must be 4 bytes long */
+				return FAILED;
+			}
+			break;
+		}
+		case TS_IPV6_ADDR_RANGE:
+		{
+			if ((this->starting_address.len != 16) ||
+				(this->ending_address.len != 16))
+			{
+				/* ipv6 address must be 16 bytes long */
+				return FAILED;
+			}
+			break;
+		}
+		default:
+		{
+			/* not supported ts type */
+			return FAILED;
+		}
+	}
+
+	return SUCCESS;
+}
+
+/**
+ * Implementation of traffic_selector_substructure_t.get_encoding_rules.
+ */
+static void get_encoding_rules(private_traffic_selector_substructure_t *this, encoding_rule_t **rules, size_t *rule_count)
+{
+	*rules = traffic_selector_substructure_encodings;
+	*rule_count = sizeof(traffic_selector_substructure_encodings) / sizeof(encoding_rule_t);
+}
+
+/**
+ * Implementation of payload_t.get_type.
+ */
+static payload_type_t get_payload_type(private_traffic_selector_substructure_t *this)
+{
+	return TRAFFIC_SELECTOR_SUBSTRUCTURE;
+}
+
+/**
+ * Implementation of payload_t.get_next_type.
+ */
+static payload_type_t get_next_type(private_traffic_selector_substructure_t *this)
+{
+	return 0;
+}
+
+/**
+ * Implementation of payload_t.set_next_type.
+ */
+static void set_next_type(private_traffic_selector_substructure_t *this,payload_type_t type)
+{
+
+}
+
+/**
+ * Implementation of payload_t.get_length.
+ */
+static size_t get_length(private_traffic_selector_substructure_t *this)
+{
+	return this->payload_length;
+}
+
+/**
+ * Implementation of traffic_selector_substructure_t.get_traffic_selector.
+ */
+static traffic_selector_t *get_traffic_selector(private_traffic_selector_substructure_t *this)
+{
+	traffic_selector_t *ts;
+	ts = traffic_selector_create_from_bytes(this->ip_protocol_id, this->ts_type,
+											this->starting_address, this->start_port,
+											this->ending_address, this->end_port);
+	return ts;
+}
+
+/**
+ * recompute length field of the payload
+ */
+void compute_length(private_traffic_selector_substructure_t *this)
+{
+	this->payload_length = TRAFFIC_SELECTOR_HEADER_LENGTH +
+			this->ending_address.len + this->starting_address.len;
+}
+
+/**
+ * Implementation of payload_t.destroy and traffic_selector_substructure_t.destroy.
+ */
+static void destroy(private_traffic_selector_substructure_t *this)
+{
+	free(this->starting_address.ptr);
+	free(this->ending_address.ptr);
+	free(this);
+}
+
+/*
+ * Described in header
+ */
+traffic_selector_substructure_t *traffic_selector_substructure_create()
+{
+	private_traffic_selector_substructure_t *this = malloc_thing(private_traffic_selector_substructure_t);
+
+	/* interface functions */
+	this->public.payload_interface.verify = (status_t (*) (payload_t *))verify;
+	this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules;
+	this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length;
+	this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type;
+	this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
+	this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_payload_type;
+	this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
+
+	/* public functions */
+	this->public.get_traffic_selector = (traffic_selector_t* (*)(traffic_selector_substructure_t*))get_traffic_selector;
+	this->public.destroy = (void (*) (traffic_selector_substructure_t *)) destroy;
+
+	/* private variables */
+	this->payload_length = TRAFFIC_SELECTOR_HEADER_LENGTH;
+	this->start_port = 0;
+	this->end_port = 0;
+	this->starting_address = chunk_empty;
+	this->ending_address = chunk_empty;
+	this->ip_protocol_id = 0;
+	/* must be set to be valid */
+	this->ts_type = TS_IPV4_ADDR_RANGE;
+
+	return (&(this->public));
+}
+
+/*
+ * Described in header
+ */
+traffic_selector_substructure_t *traffic_selector_substructure_create_from_traffic_selector(traffic_selector_t *traffic_selector)
+{
+	private_traffic_selector_substructure_t *this = (private_traffic_selector_substructure_t*)traffic_selector_substructure_create();
+	this->ts_type = traffic_selector->get_type(traffic_selector);
+	this->ip_protocol_id = traffic_selector->get_protocol(traffic_selector);
+	this->start_port = traffic_selector->get_from_port(traffic_selector);
+	this->end_port = traffic_selector->get_to_port(traffic_selector);
+	this->starting_address = chunk_clone(traffic_selector->get_from_address(traffic_selector));
+	this->ending_address = chunk_clone(traffic_selector->get_to_address(traffic_selector));
+
+	compute_length(this);
+
+	return &(this->public);
+}
diff --git a/src/libcharon/encoding/payloads/traffic_selector_substructure.h b/src/libcharon/encoding/payloads/traffic_selector_substructure.h
new file mode 100644
index 000000000..0109fd7f5
--- /dev/null
+++ b/src/libcharon/encoding/payloads/traffic_selector_substructure.h
@@ -0,0 +1,151 @@
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup traffic_selector_substructure traffic_selector_substructure
+ * @{ @ingroup payloads
+ */
+
+#ifndef TRAFFIC_SELECTOR_SUBSTRUCTURE_H_
+#define TRAFFIC_SELECTOR_SUBSTRUCTURE_H_
+
+typedef struct traffic_selector_substructure_t traffic_selector_substructure_t;
+
+#include <library.h>
+#include <utils/host.h>
+#include <selectors/traffic_selector.h>
+#include <encoding/payloads/payload.h>
+
+/**
+ * Length of a TRAFFIC SELECTOR SUBSTRUCTURE without start and end address.
+ */
+#define TRAFFIC_SELECTOR_HEADER_LENGTH 8
+
+/**
+ * Class representing an IKEv2 TRAFFIC SELECTOR.
+ *
+ * The TRAFFIC SELECTOR format is described in RFC section 3.13.1.
+ */
+struct traffic_selector_substructure_t {
+	/**
+	 * The payload_t interface.
+	 */
+	payload_t payload_interface;
+
+	/**
+	 * Get the type of Traffic selector.
+	 *
+	 * @return			type of traffic selector
+	 *
+	 */
+	ts_type_t (*get_ts_type) (traffic_selector_substructure_t *this);
+
+	/**
+	 * Set the type of Traffic selector.
+	 *
+	 * @param ts_type	type of traffic selector
+	 */
+	void (*set_ts_type) (traffic_selector_substructure_t *this,
+						 ts_type_t ts_type);
+
+	/**
+	 * Get the IP protocol ID of Traffic selector.
+	 *
+	 * @return			type of traffic selector
+	 *
+	 */
+	u_int8_t (*get_protocol_id) (traffic_selector_substructure_t *this);
+
+	/**
+	 * Set the IP protocol ID of Traffic selector
+	 *
+	 * @param protocol_id	protocol ID of traffic selector
+	 */
+	void (*set_protocol_id) (traffic_selector_substructure_t *this,
+							  u_int8_t protocol_id);
+
+	/**
+	 * Get the start port and address as host_t object.
+	 *
+	 * Returned host_t object has to get destroyed by the caller.
+	 *
+	 * @return			start host as host_t object
+	 *
+	 */
+	host_t *(*get_start_host) (traffic_selector_substructure_t *this);
+
+	/**
+	 * Set the start port and address as host_t object.
+	 *
+	 * @param start_host	start host as host_t object
+	 */
+	void (*set_start_host) (traffic_selector_substructure_t *this,
+							host_t *start_host);
+
+	/**
+	 * Get the end port and address as host_t object.
+	 *
+	 * Returned host_t object has to get destroyed by the caller.
+	 *
+	 * @return			end host as host_t object
+	 *
+	 */
+	host_t *(*get_end_host) (traffic_selector_substructure_t *this);
+
+	/**
+	 * Set the end port and address as host_t object.
+	 *
+	 * @param end_host	end host as host_t object
+	 */
+	void (*set_end_host) (traffic_selector_substructure_t *this,
+						  host_t *end_host);
+
+	/**
+	 * Get a traffic_selector_t from this substructure.
+	 *
+	 * @warning traffic_selector_t must be destroyed after usage.
+	 *
+	 * @return			contained traffic_selector_t
+	 */
+	traffic_selector_t *(*get_traffic_selector) (
+										traffic_selector_substructure_t *this);
+
+	/**
+	 * Destroys an traffic_selector_substructure_t object.
+	 */
+	void (*destroy) (traffic_selector_substructure_t *this);
+};
+
+/**
+ * Creates an empty traffic_selector_substructure_t object.
+ *
+ * TS type is set to default TS_IPV4_ADDR_RANGE!
+ *
+ * @return 					traffic_selector_substructure_t object
+ */
+traffic_selector_substructure_t *traffic_selector_substructure_create(void);
+
+/**
+ * Creates an initialized traffif selector substructure using
+ * the values from a traffic_selector_t.
+ *
+ * @param traffic_selector	traffic_selector_t to use for initialization
+ * @return					traffic_selector_substructure_t object
+ */
+traffic_selector_substructure_t *traffic_selector_substructure_create_from_traffic_selector(
+										traffic_selector_t *traffic_selector);
+
+#endif /** TRAFFIC_SELECTOR_SUBSTRUCTURE_H_ @}*/
diff --git a/src/libcharon/encoding/payloads/transform_attribute.c b/src/libcharon/encoding/payloads/transform_attribute.c
new file mode 100644
index 000000000..8bf2ddef4
--- /dev/null
+++ b/src/libcharon/encoding/payloads/transform_attribute.c
@@ -0,0 +1,325 @@
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <string.h>
+#include <stddef.h>
+
+#include "transform_attribute.h"
+
+#include <encoding/payloads/encodings.h>
+#include <library.h>
+
+typedef struct private_transform_attribute_t private_transform_attribute_t;
+
+/**
+ * Private data of an transform_attribute_t object.
+ *
+ */
+struct private_transform_attribute_t {
+	/**
+	 * Public transform_attribute_t interface.
+	 */
+	transform_attribute_t public;
+
+	/**
+	 * Attribute Format Flag.
+	 *
+	 * - TRUE means value is stored in attribute_length_or_value
+	 * - FALSE means value is stored in attribute_value
+	 */
+	bool attribute_format;
+
+	/**
+	 * Type of the attribute.
+	 */
+	u_int16_t attribute_type;
+
+	/**
+	 * Attribute Length if attribute_format is 0, attribute Value otherwise.
+	 */
+	u_int16_t attribute_length_or_value;
+
+	/**
+	 * Attribute value as chunk if attribute_format is 0 (FALSE).
+	 */
+	chunk_t attribute_value;
+};
+
+
+ENUM_BEGIN(transform_attribute_type_name, ATTRIBUTE_UNDEFINED, ATTRIBUTE_UNDEFINED,
+	"ATTRIBUTE_UNDEFINED");
+ENUM_NEXT(transform_attribute_type_name, KEY_LENGTH, KEY_LENGTH, ATTRIBUTE_UNDEFINED,
+	"KEY_LENGTH");
+ENUM_END(transform_attribute_type_name, KEY_LENGTH);
+
+/**
+ * Encoding rules to parse or generate a Transform attribute.
+ *
+ * The defined offsets are the positions in a object of type
+ * private_transform_attribute_t.
+ *
+ */
+encoding_rule_t transform_attribute_encodings[] = {
+	/* Flag defining the format of this payload */
+	{ ATTRIBUTE_FORMAT,			offsetof(private_transform_attribute_t, attribute_format) 			},
+	/* type of the attribute as 15 bit unsigned integer */
+	{ ATTRIBUTE_TYPE,			offsetof(private_transform_attribute_t, attribute_type)				},
+	/* Length or value, depending on the attribute format flag */
+	{ ATTRIBUTE_LENGTH_OR_VALUE,	offsetof(private_transform_attribute_t, attribute_length_or_value)	},
+	/* Value of attribute if attribute format flag is zero */
+	{ ATTRIBUTE_VALUE,			offsetof(private_transform_attribute_t, attribute_value) 			}
+};
+
+/*
+                          1                   2                   3
+       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      !A!       Attribute Type        !    AF=0  Attribute Length     !
+      !F!                             !    AF=1  Attribute Value      !
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      !                   AF=0  Attribute Value                       !
+      !                   AF=1  Not Transmitted                       !
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+*/
+
+/**
+ * Implementation of payload_t.verify.
+ */
+static status_t verify(private_transform_attribute_t *this)
+{
+	if (this->attribute_type != KEY_LENGTH)
+	{
+		return FAILED;
+	}
+
+	return SUCCESS;
+}
+
+/**
+ * Implementation of payload_t.get_encoding_rules.
+ */
+static void get_encoding_rules(private_transform_attribute_t *this, encoding_rule_t **rules, size_t *rule_count)
+{
+	*rules = transform_attribute_encodings;
+	*rule_count = sizeof(transform_attribute_encodings) / sizeof(encoding_rule_t);
+}
+
+/**
+ * Implementation of payload_t.get_type.
+ */
+static payload_type_t get_type(private_transform_attribute_t *this)
+{
+	return TRANSFORM_ATTRIBUTE;
+}
+
+/**
+ * Implementation of payload_t.get_next_type.
+ */
+static payload_type_t get_next_type(private_transform_attribute_t *this)
+{
+	return (NO_PAYLOAD);
+}
+
+/**
+ * Implementation of payload_t.set_next_type.
+ */
+static void set_next_type(private_transform_attribute_t *this,payload_type_t type)
+{
+}
+
+/**
+ * Implementation of transform_attribute_t.get_length.
+ */
+static size_t get_length(private_transform_attribute_t *this)
+{
+	if (this->attribute_format == TRUE)
+	{
+		/*Attribute size is only 4 byte */
+		return 4;
+	}
+	return (this->attribute_length_or_value + 4);
+}
+
+/**
+ * Implementation of transform_attribute_t.set_value_chunk.
+ */
+static void set_value_chunk(private_transform_attribute_t *this, chunk_t value)
+{
+	if (this->attribute_value.ptr != NULL)
+	{
+		/* free existing value */
+		free(this->attribute_value.ptr);
+		this->attribute_value.ptr = NULL;
+		this->attribute_value.len = 0;
+
+	}
+
+	if (value.len > 2)
+	{
+		this->attribute_value.ptr = clalloc(value.ptr,value.len);
+		this->attribute_value.len = value.len;
+		this->attribute_length_or_value = value.len;
+		/* attribute has not a fixed length */
+		this->attribute_format = FALSE;
+	}
+	else
+	{
+		memcpy(&(this->attribute_length_or_value),value.ptr,value.len);
+	}
+}
+
+/**
+ * Implementation of transform_attribute_t.set_value.
+ */
+static void set_value(private_transform_attribute_t *this, u_int16_t value)
+{
+	if (this->attribute_value.ptr != NULL)
+	{
+		/* free existing value */
+		free(this->attribute_value.ptr);
+		this->attribute_value.ptr = NULL;
+		this->attribute_value.len = 0;
+
+	}
+	this->attribute_length_or_value = value;
+}
+
+/**
+ * Implementation of transform_attribute_t.get_value_chunk.
+ */
+static chunk_t get_value_chunk (private_transform_attribute_t *this)
+{
+	chunk_t value;
+
+	if (this->attribute_format == FALSE)
+	{
+		value.ptr = this->attribute_value.ptr;
+		value.len = this->attribute_value.len;
+	}
+	else
+	{
+		value.ptr = (void *) &(this->attribute_length_or_value);
+		value.len = 2;
+	}
+
+	return value;
+}
+
+/**
+ * Implementation of transform_attribute_t.get_value.
+ */
+static u_int16_t get_value (private_transform_attribute_t *this)
+{
+	return this->attribute_length_or_value;
+}
+
+
+/**
+ * Implementation of transform_attribute_t.set_attribute_type.
+ */
+static void set_attribute_type (private_transform_attribute_t *this, u_int16_t type)
+{
+	this->attribute_type = type & 0x7FFF;
+}
+
+/**
+ * Implementation of transform_attribute_t.get_attribute_type.
+ */
+static u_int16_t get_attribute_type (private_transform_attribute_t *this)
+{
+	return this->attribute_type;
+}
+
+/**
+ * Implementation of transform_attribute_t.clone.
+ */
+static transform_attribute_t * _clone(private_transform_attribute_t *this)
+{
+	private_transform_attribute_t *new_clone;
+
+	new_clone = (private_transform_attribute_t *) transform_attribute_create();
+
+	new_clone->attribute_format = this->attribute_format;
+	new_clone->attribute_type = this->attribute_type;
+	new_clone->attribute_length_or_value = this->attribute_length_or_value;
+
+	if (!new_clone->attribute_format)
+	{
+		new_clone->attribute_value.ptr = clalloc(this->attribute_value.ptr,this->attribute_value.len);
+		new_clone->attribute_value.len = this->attribute_value.len;
+	}
+
+	return (transform_attribute_t *) new_clone;
+}
+
+/**
+ * Implementation of transform_attribute_t.destroy and payload_t.destroy.
+ */
+static void destroy(private_transform_attribute_t *this)
+{
+	if (this->attribute_value.ptr != NULL)
+	{
+		free(this->attribute_value.ptr);
+	}
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+transform_attribute_t *transform_attribute_create()
+{
+	private_transform_attribute_t *this = malloc_thing(private_transform_attribute_t);
+
+	/* payload interface */
+	this->public.payload_interface.verify = (status_t (*) (payload_t *))verify;
+	this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules;
+	this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length;
+	this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type;
+	this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
+	this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_type;
+	this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
+
+	/* public functions */
+	this->public.set_value_chunk = (void (*) (transform_attribute_t *,chunk_t)) set_value_chunk;
+	this->public.set_value = (void (*) (transform_attribute_t *,u_int16_t)) set_value;
+	this->public.get_value_chunk = (chunk_t (*) (transform_attribute_t *)) get_value_chunk;
+	this->public.get_value = (u_int16_t (*) (transform_attribute_t *)) get_value;
+	this->public.set_attribute_type = (void (*) (transform_attribute_t *,u_int16_t type)) set_attribute_type;
+	this->public.get_attribute_type = (u_int16_t (*) (transform_attribute_t *)) get_attribute_type;
+	this->public.clone = (transform_attribute_t * (*) (transform_attribute_t *)) _clone;
+	this->public.destroy = (void (*) (transform_attribute_t *)) destroy;
+
+	/* set default values of the fields */
+	this->attribute_format = TRUE;
+	this->attribute_type = 0;
+	this->attribute_length_or_value = 0;
+	this->attribute_value.ptr = NULL;
+	this->attribute_value.len = 0;
+
+	return (&(this->public));
+}
+
+/*
+ * Described in header.
+ */
+transform_attribute_t *transform_attribute_create_key_length(u_int16_t key_length)
+{
+	transform_attribute_t *attribute = transform_attribute_create();
+	attribute->set_attribute_type(attribute,KEY_LENGTH);
+	attribute->set_value(attribute,key_length);
+	return attribute;
+}
diff --git a/src/libcharon/encoding/payloads/transform_attribute.h b/src/libcharon/encoding/payloads/transform_attribute.h
new file mode 100644
index 000000000..a5fe0154b
--- /dev/null
+++ b/src/libcharon/encoding/payloads/transform_attribute.h
@@ -0,0 +1,132 @@
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup transform_attribute transform_attribute
+ * @{ @ingroup payloads
+ */
+
+#ifndef TRANSFORM_ATTRIBUTE_H_
+#define TRANSFORM_ATTRIBUTE_H_
+
+typedef enum transform_attribute_type_t transform_attribute_type_t;
+typedef struct transform_attribute_t transform_attribute_t;
+
+#include <library.h>
+#include <encoding/payloads/payload.h>
+
+
+/**
+ * Type of the attribute, as in IKEv2 RFC 3.3.5.
+ */
+enum transform_attribute_type_t {
+	ATTRIBUTE_UNDEFINED = 16384,
+	KEY_LENGTH = 14
+};
+
+/**
+ * enum name for transform_attribute_type_t.
+ */
+extern enum_name_t *transform_attribute_type_names;
+
+/**
+ * Class representing an IKEv2- TRANSFORM Attribute.
+ *
+ * The TRANSFORM ATTRIBUTE format is described in RFC section 3.3.5.
+ */
+struct transform_attribute_t {
+	/**
+	 * The payload_t interface.
+	 */
+	payload_t payload_interface;
+
+	/**
+	 * Returns the currently set value of the attribute.
+	 *
+	 * Returned data are not copied.
+	 *
+	 * @return 		chunk_t pointing to the value
+	 */
+	chunk_t (*get_value_chunk) (transform_attribute_t *this);
+
+	/**
+	 * Returns the currently set value of the attribute.
+	 *
+	 * Returned data are not copied.
+	 *
+	 * @return 		value
+	 */
+	u_int16_t (*get_value) (transform_attribute_t *this);
+
+	/**
+	 * Sets the value of the attribute.
+	 *
+	 * Value is getting copied.
+	 *
+	 * @param value chunk_t pointing to the value to set
+	 */
+	void (*set_value_chunk) (transform_attribute_t *this, chunk_t value);
+
+	/**
+	 * Sets the value of the attribute.
+	 *
+	 * @param value value to set
+	 */
+	void (*set_value) (transform_attribute_t *this, u_int16_t value);
+
+	/**
+	 * Sets the type of the attribute.
+	 *
+	 * @param type	type to set (most significant bit is set to zero)
+	 */
+	void (*set_attribute_type) (transform_attribute_t *this, u_int16_t type);
+
+	/**
+	 * get the type of the attribute.
+	 *
+	 * @return 		type of the value
+	 */
+	u_int16_t (*get_attribute_type) (transform_attribute_t *this);
+
+	/**
+	 * Clones an transform_attribute_t object.
+	 *
+	 * @return		cloned transform_attribute_t object
+	 */
+	transform_attribute_t * (*clone) (transform_attribute_t *this);
+
+	/**
+	 * Destroys an transform_attribute_t object.
+	 */
+	void (*destroy) (transform_attribute_t *this);
+};
+
+/**
+ * Creates an empty transform_attribute_t object.
+ *
+ * @return				transform_attribute_t object
+ */
+transform_attribute_t *transform_attribute_create(void);
+
+/**
+ * Creates an transform_attribute_t of type KEY_LENGTH.
+ *
+ * @param key_length	key length in bytes
+ * @return				transform_attribute_t object
+ */
+transform_attribute_t *transform_attribute_create_key_length(u_int16_t key_length);
+
+#endif /** TRANSFORM_ATTRIBUTE_H_ @}*/
diff --git a/src/libcharon/encoding/payloads/transform_substructure.c b/src/libcharon/encoding/payloads/transform_substructure.c
new file mode 100644
index 000000000..c94f6c1a2
--- /dev/null
+++ b/src/libcharon/encoding/payloads/transform_substructure.c
@@ -0,0 +1,402 @@
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <stddef.h>
+
+#include "transform_substructure.h"
+
+#include <encoding/payloads/transform_attribute.h>
+#include <encoding/payloads/encodings.h>
+#include <library.h>
+#include <utils/linked_list.h>
+#include <daemon.h>
+
+
+typedef struct private_transform_substructure_t private_transform_substructure_t;
+
+/**
+ * Private data of an transform_substructure_t object.
+ *
+ */
+struct private_transform_substructure_t {
+	/**
+	 * Public transform_substructure_t interface.
+	 */
+	transform_substructure_t public;
+
+	/**
+	 * Next payload type.
+	 */
+	u_int8_t  next_payload;
+
+
+	/**
+	 * Length of this payload.
+	 */
+	u_int16_t transform_length;
+
+
+	/**
+	 * Type of the transform.
+	 */
+	u_int8_t transform_type;
+
+	/**
+	 * Transform ID.
+	 */
+	u_int16_t transform_id;
+
+	/**
+	 * Transforms Attributes are stored in a linked_list_t.
+	 */
+	linked_list_t *attributes;
+};
+
+
+/**
+ * Encoding rules to parse or generate a Transform substructure.
+ *
+ * The defined offsets are the positions in a object of type
+ * private_transform_substructure_t.
+ *
+ */
+encoding_rule_t transform_substructure_encodings[] = {
+	/* 1 Byte next payload type, stored in the field next_payload */
+	{ U_INT_8,			offsetof(private_transform_substructure_t, next_payload) 		},
+	/* Reserved Byte is skipped */
+	{ RESERVED_BYTE,		0																},
+	/* Length of the whole transform substructure*/
+	{ PAYLOAD_LENGTH,		offsetof(private_transform_substructure_t, transform_length)	},
+	/* transform type is a number of 8 bit */
+	{ U_INT_8,				offsetof(private_transform_substructure_t, transform_type) 	},
+	/* Reserved Byte is skipped */
+	{ RESERVED_BYTE,		0																},
+	/* tranform ID is a number of 8 bit */
+	{ U_INT_16,				offsetof(private_transform_substructure_t, transform_id)		},
+	/* Attributes are stored in a transform attribute,
+	   offset points to a linked_list_t pointer */
+	{ TRANSFORM_ATTRIBUTES,	offsetof(private_transform_substructure_t, attributes) 		}
+};
+
+/*
+                           1                   2                   3
+       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      ! 0 (last) or 3 !   RESERVED    !        Transform Length       !
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      !Transform Type !   RESERVED    !          Transform ID         !
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      !                                                               !
+      ~                      Transform Attributes                     ~
+      !                                                               !
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+*/
+
+
+/**
+ * Implementation of payload_t.verify.
+ */
+static status_t verify(private_transform_substructure_t *this)
+{
+	status_t status = SUCCESS;
+	iterator_t *iterator;
+	payload_t *current_attributes;
+
+	if ((this->next_payload != NO_PAYLOAD) && (this->next_payload != 3))
+	{
+		/* must be 0 or 3 */
+		DBG1(DBG_ENC, "inconsistent next payload");
+		return FAILED;
+	}
+
+	switch (this->transform_type)
+	{
+		case ENCRYPTION_ALGORITHM:
+		case PSEUDO_RANDOM_FUNCTION:
+		case INTEGRITY_ALGORITHM:
+		case DIFFIE_HELLMAN_GROUP:
+		case EXTENDED_SEQUENCE_NUMBERS:
+			/* we don't check transform ID, we want to reply
+			 * cleanly with NO_PROPOSAL_CHOSEN or so if we don't support it */
+			break;
+		default:
+		{
+			DBG1(DBG_ENC, "invalid transform type: %d", this->transform_type);
+			return FAILED;
+		}
+	}
+	iterator = this->attributes->create_iterator(this->attributes,TRUE);
+
+	while(iterator->iterate(iterator, (void**)&current_attributes))
+	{
+		status = current_attributes->verify(current_attributes);
+		if (status != SUCCESS)
+		{
+			DBG1(DBG_ENC, "TRANSFORM_ATTRIBUTE verification failed");
+		}
+	}
+	iterator->destroy(iterator);
+
+	/* proposal number is checked in SA payload */
+	return status;
+}
+
+/**
+ * Implementation of payload_t.get_encoding_rules.
+ */
+static void get_encoding_rules(private_transform_substructure_t *this, encoding_rule_t **rules, size_t *rule_count)
+{
+	*rules = transform_substructure_encodings;
+	*rule_count = sizeof(transform_substructure_encodings) / sizeof(encoding_rule_t);
+}
+
+/**
+ * Implementation of payload_t.get_type.
+ */
+static payload_type_t get_type(private_transform_substructure_t *this)
+{
+	return TRANSFORM_SUBSTRUCTURE;
+}
+
+/**
+ * Implementation of payload_t.get_next_type.
+ */
+static payload_type_t get_next_type(private_transform_substructure_t *this)
+{
+	return (this->next_payload);
+}
+
+/**
+ * recompute the length of the payload.
+ */
+static void compute_length (private_transform_substructure_t *this)
+{
+	iterator_t *iterator;
+	payload_t *current_attribute;
+	size_t length = TRANSFORM_SUBSTRUCTURE_HEADER_LENGTH;
+
+	iterator = this->attributes->create_iterator(this->attributes,TRUE);
+	while (iterator->iterate(iterator, (void**)&current_attribute))
+	{
+		length += current_attribute->get_length(current_attribute);
+	}
+	iterator->destroy(iterator);
+
+	this->transform_length = length;
+}
+
+/**
+ * Implementation of payload_t.get_length.
+ */
+static size_t get_length(private_transform_substructure_t *this)
+{
+	compute_length(this);
+	return this->transform_length;
+}
+
+/**
+ * Implementation of transform_substructure_t.create_transform_attribute_iterator.
+ */
+static iterator_t *create_transform_attribute_iterator (private_transform_substructure_t *this,bool forward)
+{
+	return this->attributes->create_iterator(this->attributes,forward);
+}
+
+/**
+ * Implementation of transform_substructure_t.add_transform_attribute.
+ */
+static void add_transform_attribute (private_transform_substructure_t *this,transform_attribute_t *attribute)
+{
+	this->attributes->insert_last(this->attributes,(void *) attribute);
+	compute_length(this);
+}
+
+/**
+ * Implementation of transform_substructure_t.set_is_last_transform.
+ */
+static void set_is_last_transform (private_transform_substructure_t *this, bool is_last)
+{
+	this->next_payload = (is_last) ? 0: TRANSFORM_TYPE_VALUE;
+}
+
+/**
+ * Implementation of transform_substructure_t.get_is_last_transform.
+ */
+static bool get_is_last_transform (private_transform_substructure_t *this)
+{
+	return ((this->next_payload == TRANSFORM_TYPE_VALUE) ? FALSE : TRUE);
+}
+
+/**
+ * Implementation of payload_t.set_next_type.
+ */
+static void set_next_type(private_transform_substructure_t *this,payload_type_t type)
+{
+}
+
+/**
+ * Implementation of transform_substructure_t.set_transform_type.
+ */
+static void set_transform_type (private_transform_substructure_t *this,u_int8_t type)
+{
+	this->transform_type = type;
+}
+
+/**
+ * Implementation of transform_substructure_t.get_transform_type.
+ */
+static u_int8_t get_transform_type (private_transform_substructure_t *this)
+{
+	return this->transform_type;
+}
+
+/**
+ * Implementation of transform_substructure_t.set_transform_id.
+ */
+static void set_transform_id (private_transform_substructure_t *this,u_int16_t id)
+{
+	this->transform_id = id;
+}
+
+/**
+ * Implementation of transform_substructure_t.get_transform_id.
+ */
+static u_int16_t get_transform_id (private_transform_substructure_t *this)
+{
+	return this->transform_id;
+}
+
+/**
+ * Implementation of transform_substructure_t.clone.
+ */
+static transform_substructure_t *clone_(private_transform_substructure_t *this)
+{
+	private_transform_substructure_t *clone;
+	iterator_t *attributes;
+	transform_attribute_t *current_attribute;
+
+	clone = (private_transform_substructure_t *) transform_substructure_create();
+	clone->next_payload = this->next_payload;
+	clone->transform_type = this->transform_type;
+	clone->transform_id = this->transform_id;
+
+	attributes = this->attributes->create_iterator(this->attributes, FALSE);
+	while (attributes->iterate(attributes, (void**)&current_attribute))
+	{
+		current_attribute = current_attribute->clone(current_attribute);
+		clone->public.add_transform_attribute(&clone->public, current_attribute);
+	}
+	attributes->destroy(attributes);
+
+	return &clone->public;
+}
+
+
+/**
+ * Implementation of transform_substructure_t.get_key_length.
+ */
+static status_t get_key_length(private_transform_substructure_t *this, u_int16_t *key_length)
+{
+	iterator_t *attributes;
+	transform_attribute_t *current_attribute;
+
+	attributes = this->attributes->create_iterator(this->attributes, TRUE);
+	while (attributes->iterate(attributes, (void**)&current_attribute))
+	{
+		if (current_attribute->get_attribute_type(current_attribute) == KEY_LENGTH)
+		{
+			*key_length = current_attribute->get_value(current_attribute);
+			attributes->destroy(attributes);
+			return SUCCESS;
+		}
+	}
+	attributes->destroy(attributes);
+	return FAILED;
+}
+
+
+/**
+ * Implementation of transform_substructure_t.destroy and payload_t.destroy.
+ */
+static void destroy(private_transform_substructure_t *this)
+{
+	this->attributes->destroy_offset(this->attributes,
+									 offsetof(transform_attribute_t, destroy));
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+transform_substructure_t *transform_substructure_create()
+{
+	private_transform_substructure_t *this = malloc_thing(private_transform_substructure_t);
+
+	/* payload interface */
+	this->public.payload_interface.verify = (status_t (*) (payload_t *))verify;
+	this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules;
+	this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length;
+	this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type;
+	this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
+	this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_type;
+	this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
+
+	/* public functions */
+	this->public.create_transform_attribute_iterator = (iterator_t * (*) (transform_substructure_t *,bool)) create_transform_attribute_iterator;
+	this->public.add_transform_attribute = (void (*) (transform_substructure_t *,transform_attribute_t *)) add_transform_attribute;
+	this->public.set_is_last_transform = (void (*) (transform_substructure_t *,bool)) set_is_last_transform;
+	this->public.get_is_last_transform = (bool (*) (transform_substructure_t *)) get_is_last_transform;
+	this->public.set_transform_type = (void (*) (transform_substructure_t *,u_int8_t)) set_transform_type;
+	this->public.get_transform_type = (u_int8_t (*) (transform_substructure_t *)) get_transform_type;
+	this->public.set_transform_id = (void (*) (transform_substructure_t *,u_int16_t)) set_transform_id;
+	this->public.get_transform_id = (u_int16_t (*) (transform_substructure_t *)) get_transform_id;
+	this->public.get_key_length = (status_t (*) (transform_substructure_t *,u_int16_t *)) get_key_length;
+	this->public.clone = (transform_substructure_t* (*) (transform_substructure_t *)) clone_;
+	this->public.destroy = (void (*) (transform_substructure_t *)) destroy;
+
+	/* set default values of the fields */
+	this->next_payload = NO_PAYLOAD;
+	this->transform_length = TRANSFORM_SUBSTRUCTURE_HEADER_LENGTH;
+	this->transform_id = 0;
+	this->transform_type = 0;
+	this->attributes = linked_list_create();
+
+	return (&(this->public));
+}
+
+/*
+ * Described in header
+ */
+transform_substructure_t *transform_substructure_create_type(
+								transform_type_t transform_type,
+								u_int16_t transform_id, u_int16_t key_length)
+{
+	transform_substructure_t *transform = transform_substructure_create();
+
+	transform->set_transform_type(transform,transform_type);
+	transform->set_transform_id(transform,transform_id);
+
+	if (key_length)
+	{
+		transform_attribute_t *attribute;
+
+		attribute = transform_attribute_create_key_length(key_length);
+		transform->add_transform_attribute(transform, attribute);
+
+	}
+	return transform;
+}
+
diff --git a/src/libcharon/encoding/payloads/transform_substructure.h b/src/libcharon/encoding/payloads/transform_substructure.h
new file mode 100644
index 000000000..5d31f8c0a
--- /dev/null
+++ b/src/libcharon/encoding/payloads/transform_substructure.h
@@ -0,0 +1,174 @@
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup transform_substructure transform_substructure
+ * @{ @ingroup payloads
+ */
+
+#ifndef TRANSFORM_SUBSTRUCTURE_H_
+#define TRANSFORM_SUBSTRUCTURE_H_
+
+typedef struct transform_substructure_t transform_substructure_t;
+
+#include <library.h>
+#include <encoding/payloads/payload.h>
+#include <encoding/payloads/transform_attribute.h>
+#include <utils/linked_list.h>
+#include <crypto/diffie_hellman.h>
+#include <crypto/signers/signer.h>
+#include <crypto/prfs/prf.h>
+#include <crypto/crypters/crypter.h>
+#include <config/proposal.h>
+
+
+/**
+ * IKEv1 Value for a transform payload.
+ */
+#define TRANSFORM_TYPE_VALUE 3
+
+/**
+ * Length of the transform substructure header in bytes.
+ */
+#define TRANSFORM_SUBSTRUCTURE_HEADER_LENGTH 8
+
+
+/**
+ * Class representing an IKEv2- TRANSFORM SUBSTRUCTURE.
+ *
+ * The TRANSFORM SUBSTRUCTURE format is described in RFC section 3.3.2.
+ */
+struct transform_substructure_t {
+	/**
+	 * The payload_t interface.
+	 */
+	payload_t payload_interface;
+
+	/**
+	 * Creates an iterator of stored transform_attribute_t objects.
+	 *
+	 * When deleting an transform attribute using this iterator,
+	 * the length of this transform substructure has to be refreshed
+	 * by calling get_length().
+	 *
+	 * @param forward 		iterator direction (TRUE: front to end)
+	 * @return				created iterator_t object.
+	 */
+	iterator_t * (*create_transform_attribute_iterator) (
+								transform_substructure_t *this, bool forward);
+
+	/**
+	 * Adds a transform_attribute_t object to this object.
+	 *
+	 * @param proposal  transform_attribute_t object to add
+	 */
+	void (*add_transform_attribute) (transform_substructure_t *this,
+									 transform_attribute_t *attribute);
+
+	/**
+	 * Sets the next_payload field of this substructure
+	 *
+	 * If this is the last transform, next payload field is set to 0,
+	 * otherwise to 3
+	 *
+	 * @param is_last	When TRUE, next payload field is set to 0, otherwise to 3
+	 */
+	void (*set_is_last_transform) (transform_substructure_t *this, bool is_last);
+
+	/**
+	 * Checks if this is the last transform.
+	 *
+	 * @return 			TRUE if this is the last Transform, FALSE otherwise
+	 */
+	bool (*get_is_last_transform) (transform_substructure_t *this);
+
+	/**
+	 * Sets transform type of the current transform substructure.
+	 *
+	 * @param type		type value to set
+	 */
+	void (*set_transform_type) (transform_substructure_t *this, u_int8_t type);
+
+	/**
+	 * get transform type of the current transform.
+	 *
+	 * @return 			Transform type of current transform substructure.
+	 */
+	u_int8_t (*get_transform_type) (transform_substructure_t *this);
+
+	/**
+	 * Sets transform id of the current transform substructure.
+	 *
+	 * @param id		transform id to set
+	 */
+	void (*set_transform_id) (transform_substructure_t *this, u_int16_t id);
+
+	/**
+	 * get transform id of the current transform.
+	 *
+	 * @return 			Transform id of current transform substructure.
+	 */
+	u_int16_t (*get_transform_id) (transform_substructure_t *this);
+
+	/**
+	 * get transform id of the current transform.
+	 *
+	 * @param key_length	The key length is written to this location
+	 * @return
+	 * 						- SUCCESS if a key length attribute is contained
+	 * 						- FAILED if no key length attribute is part of this
+	 * 						  transform or key length uses more then 16 bit!
+	 */
+	status_t (*get_key_length) (transform_substructure_t *this,
+								u_int16_t *key_length);
+
+	/**
+	 * Clones an transform_substructure_t object.
+	 *
+	 * @return		cloned transform_substructure_t object
+	 */
+	transform_substructure_t* (*clone) (transform_substructure_t *this);
+
+	/**
+	 * Destroys an transform_substructure_t object.
+	 */
+	void (*destroy) (transform_substructure_t *this);
+};
+
+/**
+ * Creates an empty transform_substructure_t object.
+ *
+ * @return			created transform_substructure_t object
+ */
+transform_substructure_t *transform_substructure_create(void);
+
+/**
+ * Creates an empty transform_substructure_t object.
+ *
+ * The key length is used for the transport types ENCRYPTION_ALGORITHM,
+ * PSEUDO_RANDOM_FUNCTION, INTEGRITY_ALGORITHM. For all
+ * other transport types the key_length parameter is not used
+ *
+ * @param transform_type	type of transform to create
+ * @param transform_id		transform id specifying the specific algorithm of a transform type
+ * @param key_length		Key length for key lenght attribute
+ * @return					transform_substructure_t object
+ */
+transform_substructure_t *transform_substructure_create_type(
+						transform_type_t transform_type, u_int16_t transform_id,
+						u_int16_t key_length);
+
+#endif /** TRANSFORM_SUBSTRUCTURE_H_ @}*/
diff --git a/src/libcharon/encoding/payloads/ts_payload.c b/src/libcharon/encoding/payloads/ts_payload.c
new file mode 100644
index 000000000..6bf3e4293
--- /dev/null
+++ b/src/libcharon/encoding/payloads/ts_payload.c
@@ -0,0 +1,334 @@
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <stddef.h>
+
+#include "ts_payload.h"
+
+#include <encoding/payloads/encodings.h>
+#include <utils/linked_list.h>
+
+typedef struct private_ts_payload_t private_ts_payload_t;
+
+/**
+ * Private data of an ts_payload_t object.
+ *
+ */
+struct private_ts_payload_t {
+	/**
+	 * Public ts_payload_t interface.
+	 */
+	ts_payload_t public;
+
+	/**
+	 * TRUE if this TS payload is of type TSi, FALSE for TSr.
+	 */
+	bool is_initiator;
+
+	/**
+	 * Next payload type.
+	 */
+	u_int8_t  next_payload;
+
+	/**
+	 * Critical flag.
+	 */
+	bool critical;
+
+	/**
+	 * Length of this payload.
+	 */
+	u_int16_t payload_length;
+
+	/**
+	 * Number of traffic selectors
+	 */
+	u_int8_t number_of_traffic_selectors;
+
+	/**
+	 * Contains the traffic selectors of type traffic_selector_substructure_t.
+	 */
+	linked_list_t *traffic_selectors;
+};
+
+/**
+ * Encoding rules to parse or generate a TS payload
+ *
+ * The defined offsets are the positions in a object of type
+ * private_ts_payload_t.
+ *
+ */
+encoding_rule_t ts_payload_encodings[] = {
+	/* 1 Byte next payload type, stored in the field next_payload */
+	{ U_INT_8,			offsetof(private_ts_payload_t, next_payload) 				},
+	/* the critical bit */
+	{ FLAG,				offsetof(private_ts_payload_t, critical) 					},
+	/* 7 Bit reserved bits, nowhere stored */
+	{ RESERVED_BIT,	0 																},
+	{ RESERVED_BIT,	0 																},
+	{ RESERVED_BIT,	0 																},
+	{ RESERVED_BIT,	0 																},
+	{ RESERVED_BIT,	0 																},
+	{ RESERVED_BIT,	0 																},
+	{ RESERVED_BIT,	0 																},
+	/* Length of the whole payload*/
+	{ PAYLOAD_LENGTH,	offsetof(private_ts_payload_t, payload_length)},
+	/* 1 Byte TS type*/
+	{ U_INT_8,			offsetof(private_ts_payload_t, number_of_traffic_selectors)	},
+	/* 3 reserved bytes */
+	{ RESERVED_BYTE,	0 															},
+	{ RESERVED_BYTE,	0 															},
+	{ RESERVED_BYTE,	0 															},
+	/* some ts data bytes, length is defined in PAYLOAD_LENGTH */
+	{ TRAFFIC_SELECTORS,	offsetof(private_ts_payload_t, traffic_selectors)		}
+};
+
+/*
+                           1                   2                   3
+       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      ! Next Payload  !C!  RESERVED   !         Payload Length        !
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      ! Number of TSs !                 RESERVED                      !
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      !                                                               !
+      ~                       <Traffic Selectors>                     ~
+      !                                                               !
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+*/
+
+/**
+ * Implementation of payload_t.verify.
+ */
+static status_t verify(private_ts_payload_t *this)
+{
+	iterator_t *iterator;
+	payload_t *current_traffic_selector;
+	status_t status = SUCCESS;
+
+	if (this->number_of_traffic_selectors != (this->traffic_selectors->get_count(this->traffic_selectors)))
+	{
+		/* must be the same */
+		return FAILED;
+	}
+
+	iterator = this->traffic_selectors->create_iterator(this->traffic_selectors,TRUE);
+	while(iterator->iterate(iterator, (void**)&current_traffic_selector))
+	{
+		status = current_traffic_selector->verify(current_traffic_selector);
+		if (status != SUCCESS)
+		{
+			break;
+		}
+	}
+	iterator->destroy(iterator);
+
+	return status;
+}
+
+/**
+ * Implementation of ts_payload_t.get_encoding_rules.
+ */
+static void get_encoding_rules(private_ts_payload_t *this, encoding_rule_t **rules, size_t *rule_count)
+{
+	*rules = ts_payload_encodings;
+	*rule_count = sizeof(ts_payload_encodings) / sizeof(encoding_rule_t);
+}
+
+/**
+ * Implementation of payload_t.get_type.
+ */
+static payload_type_t get_payload_type(private_ts_payload_t *this)
+{
+	if (this->is_initiator)
+	{
+		return TRAFFIC_SELECTOR_INITIATOR;
+	}
+	else
+	{
+		return TRAFFIC_SELECTOR_RESPONDER;
+	}
+}
+
+/**
+ * Implementation of payload_t.get_next_type.
+ */
+static payload_type_t get_next_type(private_ts_payload_t *this)
+{
+	return (this->next_payload);
+}
+
+/**
+ * Implementation of payload_t.set_next_type.
+ */
+static void set_next_type(private_ts_payload_t *this,payload_type_t type)
+{
+	this->next_payload = type;
+}
+
+/**
+ * recompute the length of the payload.
+ */
+static void compute_length (private_ts_payload_t *this)
+{
+	iterator_t *iterator;
+	size_t ts_count = 0;
+	size_t length = TS_PAYLOAD_HEADER_LENGTH;
+	payload_t *current_traffic_selector;
+
+	iterator = this->traffic_selectors->create_iterator(this->traffic_selectors,TRUE);
+	while (iterator->iterate(iterator, (void**)&current_traffic_selector))
+	{
+		length += current_traffic_selector->get_length(current_traffic_selector);
+		ts_count++;
+	}
+	iterator->destroy(iterator);
+
+	this->number_of_traffic_selectors= ts_count;
+	this->payload_length = length;
+}
+
+/**
+ * Implementation of payload_t.get_length.
+ */
+static size_t get_length(private_ts_payload_t *this)
+{
+	compute_length(this);
+	return this->payload_length;
+}
+
+/**
+ * Implementation of ts_payload_t.get_initiator.
+ */
+static bool get_initiator (private_ts_payload_t *this)
+{
+	return (this->is_initiator);
+}
+
+/**
+ * Implementation of ts_payload_t.set_initiator.
+ */
+static void set_initiator (private_ts_payload_t *this,bool is_initiator)
+{
+	this->is_initiator = is_initiator;
+}
+
+/**
+ * Implementation of ts_payload_t.add_traffic_selector_substructure.
+ */
+static void add_traffic_selector_substructure (private_ts_payload_t *this,traffic_selector_substructure_t *traffic_selector)
+{
+	this->traffic_selectors->insert_last(this->traffic_selectors,traffic_selector);
+	this->number_of_traffic_selectors = this->traffic_selectors->get_count(this->traffic_selectors);
+}
+
+/**
+ * Implementation of ts_payload_t.create_traffic_selector_substructure_iterator.
+ */
+static iterator_t * create_traffic_selector_substructure_iterator (private_ts_payload_t *this, bool forward)
+{
+	return this->traffic_selectors->create_iterator(this->traffic_selectors,forward);
+}
+
+/**
+ * Implementation of ts_payload_t.get_traffic_selectors.
+ */
+static linked_list_t *get_traffic_selectors(private_ts_payload_t *this)
+{
+	traffic_selector_t *ts;
+	iterator_t *iterator;
+	traffic_selector_substructure_t *ts_substructure;
+	linked_list_t *ts_list = linked_list_create();
+
+	iterator = this->traffic_selectors->create_iterator(this->traffic_selectors, TRUE);
+	while (iterator->iterate(iterator, (void**)&ts_substructure))
+	{
+		ts = ts_substructure->get_traffic_selector(ts_substructure);
+		ts_list->insert_last(ts_list, (void*)ts);
+	}
+	iterator->destroy(iterator);
+
+	return ts_list;
+}
+
+/**
+ * Implementation of payload_t.destroy and ts_payload_t.destroy.
+ */
+static void destroy(private_ts_payload_t *this)
+{
+	this->traffic_selectors->destroy_offset(this->traffic_selectors,
+											offsetof(payload_t, destroy));
+	free(this);
+}
+
+/*
+ * Described in header
+ */
+ts_payload_t *ts_payload_create(bool is_initiator)
+{
+	private_ts_payload_t *this = malloc_thing(private_ts_payload_t);
+
+	/* interface functions */
+	this->public.payload_interface.verify = (status_t (*) (payload_t *))verify;
+	this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules;
+	this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length;
+	this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type;
+	this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
+	this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_payload_type;
+	this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
+
+	/* public functions */
+	this->public.destroy = (void (*) (ts_payload_t *)) destroy;
+	this->public.get_initiator = (bool (*) (ts_payload_t *)) get_initiator;
+	this->public.set_initiator = (void (*) (ts_payload_t *,bool)) set_initiator;
+	this->public.add_traffic_selector_substructure = (void (*) (ts_payload_t *,traffic_selector_substructure_t *)) add_traffic_selector_substructure;
+	this->public.create_traffic_selector_substructure_iterator = (iterator_t* (*) (ts_payload_t *,bool)) create_traffic_selector_substructure_iterator;
+	this->public.get_traffic_selectors = (linked_list_t *(*) (ts_payload_t *)) get_traffic_selectors;
+
+	/* private variables */
+	this->critical = FALSE;
+	this->next_payload = NO_PAYLOAD;
+	this->payload_length =TS_PAYLOAD_HEADER_LENGTH;
+	this->is_initiator = is_initiator;
+	this->number_of_traffic_selectors = 0;
+	this->traffic_selectors = linked_list_create();
+
+	return &(this->public);
+}
+
+/*
+ * Described in header
+ */
+ts_payload_t *ts_payload_create_from_traffic_selectors(bool is_initiator, linked_list_t *traffic_selectors)
+{
+	iterator_t *iterator;
+	traffic_selector_t *ts;
+	traffic_selector_substructure_t *ts_substructure;
+	private_ts_payload_t *this;
+
+	this = (private_ts_payload_t*)ts_payload_create(is_initiator);
+
+	iterator = traffic_selectors->create_iterator(traffic_selectors, TRUE);
+	while (iterator->iterate(iterator, (void**)&ts))
+	{
+		ts_substructure = traffic_selector_substructure_create_from_traffic_selector(ts);
+		this->public.add_traffic_selector_substructure(&(this->public), ts_substructure);
+	}
+	iterator->destroy(iterator);
+
+	return &(this->public);
+}
+
diff --git a/src/libcharon/encoding/payloads/ts_payload.h b/src/libcharon/encoding/payloads/ts_payload.h
new file mode 100644
index 000000000..d322ff1a8
--- /dev/null
+++ b/src/libcharon/encoding/payloads/ts_payload.h
@@ -0,0 +1,127 @@
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ts_payload ts_payload
+ * @{ @ingroup payloads
+ */
+
+
+#ifndef TS_PAYLOAD_H_
+#define TS_PAYLOAD_H_
+
+typedef struct ts_payload_t ts_payload_t;
+
+#include <library.h>
+#include <utils/linked_list.h>
+#include <selectors/traffic_selector.h>
+#include <encoding/payloads/payload.h>
+#include <encoding/payloads/traffic_selector_substructure.h>
+
+/**
+ * Length of a TS payload without the Traffic selectors.
+ */
+#define TS_PAYLOAD_HEADER_LENGTH 8
+
+
+/**
+ * Class representing an IKEv2 TS payload.
+ *
+ * The TS payload format is described in RFC section 3.13.
+ */
+struct ts_payload_t {
+	/**
+	 * The payload_t interface.
+	 */
+	payload_t payload_interface;
+
+	/**
+	 * Get the type of TSpayload (TSi or TSr).
+	 *
+	 * @return
+	 * 						- TRUE if this payload is of type TSi
+	 * 						- FALSE if this payload is of type TSr
+	 */
+	bool (*get_initiator) (ts_payload_t *this);
+
+	/**
+	 * Set the type of TS payload (TSi or TSr).
+	 *
+	 * @param is_initiator
+	 * 						- TRUE if this payload is of type TSi
+	 * 						- FALSE if this payload is of type TSr
+	 */
+	void (*set_initiator) (ts_payload_t *this,bool is_initiator);
+
+	/**
+	 * Adds a traffic_selector_substructure_t object to this object.
+	 *
+	 * @param traffic_selector  traffic_selector_substructure_t object to add
+	 */
+	void (*add_traffic_selector_substructure) (ts_payload_t *this,
+							traffic_selector_substructure_t *traffic_selector);
+
+	/**
+	 * Creates an iterator of stored traffic_selector_substructure_t objects.
+	 *
+	 * When removing an traffic_selector_substructure_t object
+	 * using this iterator, the length of this payload
+	 * has to get refreshed by calling payload_t.get_length!
+	 *
+	 * @param forward 		iterator direction (TRUE: front to end)
+	 * @return				created iterator_t object
+	 */
+	iterator_t *(*create_traffic_selector_substructure_iterator) (
+											ts_payload_t *this, bool forward);
+
+	/**
+	 * Get a list of nested traffic selectors as traffic_selector_t.
+	 *
+	 * Resulting list and its traffic selectors must be destroyed after usage
+	 *
+	 * @return				list of traffic selectors
+	 */
+	linked_list_t *(*get_traffic_selectors) (ts_payload_t *this);
+
+	/**
+	 * Destroys an ts_payload_t object.
+	 */
+	void (*destroy) (ts_payload_t *this);
+};
+
+/**
+ * Creates an empty ts_payload_t object.
+ *
+ * @param is_initiator
+ * 						- TRUE if this payload is of type TSi
+ * 						- FALSE if this payload is of type TSr
+ * @return				ts_payload_t object
+ */
+ts_payload_t *ts_payload_create(bool is_initiator);
+
+/**
+ * Creates ts_payload with a list of traffic_selector_t
+ *
+ * @param is_initiator
+ * 							- TRUE if this payload is of type TSi
+ * 							- FALSE if this payload is of type TSr
+ * @param traffic_selectors	list of traffic selectors to include
+ * @return					ts_payload_t object
+ */
+ts_payload_t *ts_payload_create_from_traffic_selectors(bool is_initiator,
+											linked_list_t *traffic_selectors);
+
+#endif /** TS_PAYLOAD_H_ @}*/
diff --git a/src/libcharon/encoding/payloads/unknown_payload.c b/src/libcharon/encoding/payloads/unknown_payload.c
new file mode 100644
index 000000000..dd5547dc3
--- /dev/null
+++ b/src/libcharon/encoding/payloads/unknown_payload.c
@@ -0,0 +1,201 @@
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <stddef.h>
+
+#include "unknown_payload.h"
+
+
+
+typedef struct private_unknown_payload_t private_unknown_payload_t;
+
+/**
+ * Private data of an unknown_payload_t object.
+ */
+struct private_unknown_payload_t {
+
+	/**
+	 * Public unknown_payload_t interface.
+	 */
+	unknown_payload_t public;
+
+	/**
+	 * Next payload type.
+	 */
+	u_int8_t next_payload;
+
+	/**
+	 * Critical flag.
+	 */
+	bool critical;
+
+	/**
+	 * Length of this payload.
+	 */
+	u_int16_t payload_length;
+
+	/**
+	 * The contained data.
+	 */
+	chunk_t data;
+};
+
+/**
+ * Encoding rules to parse an payload which is not further specified.
+ *
+ * The defined offsets are the positions in a object of type
+ * private_unknown_payload_t.
+ *
+ */
+encoding_rule_t unknown_payload_encodings[] = {
+	/* 1 Byte next payload type, stored in the field next_payload */
+	{ U_INT_8,			offsetof(private_unknown_payload_t, next_payload)},
+	/* the critical bit */
+	{ FLAG,				offsetof(private_unknown_payload_t, critical) 	},
+	/* 7 Bit reserved bits, nowhere stored */
+	{ RESERVED_BIT,	0 													},
+	{ RESERVED_BIT,	0 													},
+	{ RESERVED_BIT,	0 													},
+	{ RESERVED_BIT,	0 													},
+	{ RESERVED_BIT,	0 													},
+	{ RESERVED_BIT,	0 													},
+	{ RESERVED_BIT,	0 													},
+	/* Length of the whole payload*/
+	{ PAYLOAD_LENGTH,	offsetof(private_unknown_payload_t, payload_length)},
+	/* some unknown data bytes, length is defined in PAYLOAD_LENGTH */
+	{ UNKNOWN_DATA,		offsetof(private_unknown_payload_t, data) 		}
+};
+
+/*
+                           1                   2                   3
+        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+       ! Next Payload  !C!  RESERVED   !         Payload Length        !
+       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+       !                                                               !
+       ~                       Data of any type                        ~
+       !                                                               !
+       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+*/
+
+/**
+ * Implementation of payload_t.verify.
+ */
+static status_t verify(private_unknown_payload_t *this)
+{
+	/* can't do any checks, so we assume its good */
+	return SUCCESS;
+}
+
+/**
+ * Implementation of payload_t.get_encoding_rules.
+ */
+static void get_encoding_rules(private_unknown_payload_t *this, encoding_rule_t **rules, size_t *rule_count)
+{
+	*rules = unknown_payload_encodings;
+	*rule_count = sizeof(unknown_payload_encodings) / sizeof(encoding_rule_t);
+}
+
+/**
+ * Implementation of payload_t.get_type.
+ */
+static payload_type_t get_payload_type(private_unknown_payload_t *this)
+{
+	return UNKNOWN_PAYLOAD;
+}
+
+/**
+ * Implementation of payload_t.get_next_type.
+ */
+static payload_type_t get_next_type(private_unknown_payload_t *this)
+{
+	return (this->next_payload);
+}
+
+/**
+ * Implementation of payload_t.set_next_type.
+ */
+static void set_next_type(private_unknown_payload_t *this,payload_type_t type)
+{
+	this->next_payload = type;
+}
+
+/**
+ * Implementation of payload_t.get_length.
+ */
+static size_t get_length(private_unknown_payload_t *this)
+{
+	return this->payload_length;
+}
+
+/**
+ * Implementation of unknown_payload_t.get_data.
+ */
+static bool is_critical(private_unknown_payload_t *this)
+{
+	return this->critical;
+}
+
+/**
+ * Implementation of unknown_payload_t.get_data.
+ */
+static chunk_t get_data (private_unknown_payload_t *this)
+{
+	return (this->data);
+}
+
+/**
+ * Implementation of payload_t.destroy and unknown_payload_t.destroy.
+ */
+static void destroy(private_unknown_payload_t *this)
+{
+	if (this->data.ptr != NULL)
+	{
+		chunk_free(&(this->data));
+	}
+
+	free(this);
+}
+
+/*
+ * Described in header
+ */
+unknown_payload_t *unknown_payload_create()
+{
+	private_unknown_payload_t *this = malloc_thing(private_unknown_payload_t);
+
+	/* interface functions */
+	this->public.payload_interface.verify = (status_t (*) (payload_t *))verify;
+	this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules;
+	this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length;
+	this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type;
+	this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
+	this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_payload_type;
+	this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
+
+	/* public functions */
+	this->public.destroy = (void (*) (unknown_payload_t *)) destroy;
+	this->public.is_critical = (bool (*) (unknown_payload_t *)) is_critical;
+	this->public.get_data = (chunk_t (*) (unknown_payload_t *)) get_data;
+
+	/* private variables */
+	this->critical = FALSE;
+	this->next_payload = NO_PAYLOAD;
+	this->payload_length = UNKNOWN_PAYLOAD_HEADER_LENGTH;
+	this->data = chunk_empty;
+
+	return (&(this->public));
+}
diff --git a/src/libcharon/encoding/payloads/unknown_payload.h b/src/libcharon/encoding/payloads/unknown_payload.h
new file mode 100644
index 000000000..c761ed2b6
--- /dev/null
+++ b/src/libcharon/encoding/payloads/unknown_payload.h
@@ -0,0 +1,79 @@
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup unknown_payload unknown_payload
+ * @{ @ingroup payloads
+ */
+
+#ifndef UNKNOWN_PAYLOAD_H_
+#define UNKNOWN_PAYLOAD_H_
+
+typedef struct unknown_payload_t unknown_payload_t;
+
+#include <library.h>
+#include <encoding/payloads/payload.h>
+
+/**
+ * Header length of the unknown payload.
+ */
+#define UNKNOWN_PAYLOAD_HEADER_LENGTH 4
+
+/**
+ * Payload which can't be processed further.
+ *
+ * When the parser finds an unknown payload, he builds an instance of
+ * this class. This allows further processing of this payload, such as
+ * a check for the critical bit in the header.
+ */
+struct unknown_payload_t {
+
+	/**
+	 * The payload_t interface.
+	 */
+	payload_t payload_interface;
+
+	/**
+	 * Get the raw data of this payload, without
+	 * the generic payload header.
+	 *
+	 * Returned data are NOT copied and must not be freed.
+	 *
+	 * @return				data as chunk_t
+	 */
+	chunk_t (*get_data) (unknown_payload_t *this);
+
+	/**
+	 * Get the critical flag.
+	 *
+	 * @return				TRUE if payload is critical, FALSE if not
+	 */
+	bool (*is_critical) (unknown_payload_t *this);
+
+	/**
+	 * Destroys an unknown_payload_t object.
+	 */
+	void (*destroy) (unknown_payload_t *this);
+};
+
+/**
+ * Creates an empty unknown_payload_t object.
+ *
+ * @return unknown_payload_t object
+ */
+unknown_payload_t *unknown_payload_create(void);
+
+#endif /** UNKNOWN_PAYLOAD_H_ @}*/
diff --git a/src/libcharon/encoding/payloads/vendor_id_payload.c b/src/libcharon/encoding/payloads/vendor_id_payload.c
new file mode 100644
index 000000000..bf33d2418
--- /dev/null
+++ b/src/libcharon/encoding/payloads/vendor_id_payload.c
@@ -0,0 +1,195 @@
+/*
+ * Copyright (C) 2005-2009 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <stddef.h>
+
+#include "vendor_id_payload.h"
+
+typedef struct private_vendor_id_payload_t private_vendor_id_payload_t;
+
+/**
+ * Private data of an vendor_id_payload_t object.
+ */
+struct private_vendor_id_payload_t {
+
+	/**
+	 * Public vendor_id_payload_t interface.
+	 */
+	vendor_id_payload_t public;
+
+	/**
+	 * Next payload type.
+	 */
+	u_int8_t  next_payload;
+
+	/**
+	 * Critical flag.
+	 */
+	bool critical;
+
+	/**
+	 * Length of this payload.
+	 */
+	u_int16_t payload_length;
+
+	/**
+	 * The contained data.
+	 */
+	chunk_t data;
+};
+
+/**
+ * Encoding rules to parse or generate a VENDOR ID payload
+ *
+ * The defined offsets are the positions in a object of type
+ * private_vendor_id_payload_t.
+ */
+encoding_rule_t vendor_id_payload_encodings[] = {
+	/* 1 Byte next payload type, stored in the field next_payload */
+	{ U_INT_8,			offsetof(private_vendor_id_payload_t, next_payload) },
+	/* the critical bit */
+	{ FLAG,				offsetof(private_vendor_id_payload_t, critical)		},
+	/* 7 Bit reserved bits, nowhere stored */
+	{ RESERVED_BIT,	0 														},
+	{ RESERVED_BIT,	0 														},
+	{ RESERVED_BIT,	0 														},
+	{ RESERVED_BIT,	0 														},
+	{ RESERVED_BIT,	0 														},
+	{ RESERVED_BIT,	0 														},
+	{ RESERVED_BIT,	0 														},
+	/* Length of the whole payload*/
+	{ PAYLOAD_LENGTH,	offsetof(private_vendor_id_payload_t, payload_length)},
+	/* some vendor_id data bytes, length is defined in PAYLOAD_LENGTH */
+	{ VID_DATA,			offsetof(private_vendor_id_payload_t, data) }
+};
+
+/*
+                           1                   2                   3
+       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      ! Next Payload  !C!  RESERVED   !         Payload Length        !
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      +                                                               !
+      ~                            VID Data                           ~
+      !                                                               !
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+*/
+
+/**
+ * Implementation of payload_t.verify.
+ */
+static status_t verify(private_vendor_id_payload_t *this)
+{
+	return SUCCESS;
+}
+
+/**
+ * Implementation of vendor_id_payload_t.get_encoding_rules.
+ */
+static void get_encoding_rules(private_vendor_id_payload_t *this,
+							   encoding_rule_t **rules, size_t *rule_count)
+{
+	*rules = vendor_id_payload_encodings;
+	*rule_count = sizeof(vendor_id_payload_encodings) / sizeof(encoding_rule_t);
+}
+
+/**
+ * Implementation of payload_t.get_type.
+ */
+static payload_type_t get_payload_type(private_vendor_id_payload_t *this)
+{
+	return VENDOR_ID;
+}
+
+/**
+ * Implementation of payload_t.get_next_type.
+ */
+static payload_type_t get_next_type(private_vendor_id_payload_t *this)
+{
+	return this->next_payload;
+}
+
+/**
+ * Implementation of payload_t.set_next_type.
+ */
+static void set_next_type(private_vendor_id_payload_t *this,payload_type_t type)
+{
+	this->next_payload = type;
+}
+
+/**
+ * Implementation of payload_t.get_length.
+ */
+static size_t get_length(private_vendor_id_payload_t *this)
+{
+	return this->payload_length;
+}
+
+/**
+ * Implementation of vendor_id_payload_t.get_data.
+ */
+static chunk_t get_data(private_vendor_id_payload_t *this)
+{
+	return this->data;
+}
+
+/**
+ * Implementation of payload_t.destroy and vendor_id_payload_t.destroy.
+ */
+static void destroy(private_vendor_id_payload_t *this)
+{
+	free(this->data.ptr);
+	free(this);
+}
+
+/*
+ * Described in header
+ */
+vendor_id_payload_t *vendor_id_payload_create()
+{
+	private_vendor_id_payload_t *this = malloc_thing(private_vendor_id_payload_t);
+
+	this->public.payload_interface.verify = (status_t (*) (payload_t *))verify;
+	this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules;
+	this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length;
+	this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type;
+	this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
+	this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_payload_type;
+	this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
+	this->public.get_data = (chunk_t (*) (vendor_id_payload_t *)) get_data;
+
+	this->critical = FALSE;
+	this->next_payload = NO_PAYLOAD;
+	this->payload_length = VENDOR_ID_PAYLOAD_HEADER_LENGTH;
+	this->data = chunk_empty;
+
+	return &this->public;
+}
+
+/*
+ * Described in header
+ */
+vendor_id_payload_t *vendor_id_payload_create_data(chunk_t data)
+{
+	private_vendor_id_payload_t *this;
+
+	this = (private_vendor_id_payload_t*)vendor_id_payload_create();
+	this->payload_length += data.len;
+	this->data = data;
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/encoding/payloads/vendor_id_payload.h b/src/libcharon/encoding/payloads/vendor_id_payload.h
new file mode 100644
index 000000000..241535cac
--- /dev/null
+++ b/src/libcharon/encoding/payloads/vendor_id_payload.h
@@ -0,0 +1,70 @@
+/*
+ * Copyright (C) 2005-2009 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup vendor_id_payload vendor_id_payload
+ * @{ @ingroup payloads
+ */
+
+#ifndef VENDOR_ID_PAYLOAD_H_
+#define VENDOR_ID_PAYLOAD_H_
+
+typedef struct vendor_id_payload_t vendor_id_payload_t;
+
+#include <library.h>
+#include <encoding/payloads/payload.h>
+
+/**
+ * Length of a VENDOR ID payload without the VID data in bytes.
+ */
+#define VENDOR_ID_PAYLOAD_HEADER_LENGTH 4
+
+/**
+ * Class representing an IKEv2 VENDOR ID payload.
+ *
+ * The VENDOR ID payload format is described in RFC section 3.12.
+ */
+struct vendor_id_payload_t {
+
+	/**
+	 * The payload_t interface.
+	 */
+	payload_t payload_interface;
+
+	/**
+	 * Get the VID data.
+	 *
+	 * @return		VID data, pointing to an internal chunk_t
+	 */
+	chunk_t (*get_data)(vendor_id_payload_t *this);
+};
+
+/**
+ * Creates an empty Vendor ID payload.
+ *
+ * @return			vendor ID payload
+ */
+vendor_id_payload_t *vendor_id_payload_create();
+
+/**
+ * Creates a vendor ID payload using a chunk of data
+ *
+ * @param data		data to use in vendor ID payload, gets owned by payload
+ * @return			vendor ID payload
+ */
+vendor_id_payload_t *vendor_id_payload_create_data(chunk_t data);
+
+#endif /** VENDOR_ID_PAYLOAD_H_ @}*/
diff --git a/src/libcharon/kernel/kernel_interface.c b/src/libcharon/kernel/kernel_interface.c
new file mode 100644
index 000000000..64a43a7fc
--- /dev/null
+++ b/src/libcharon/kernel/kernel_interface.c
@@ -0,0 +1,386 @@
+/*
+ * Copyright (C) 2008-2009 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "kernel_interface.h"
+
+#include <daemon.h>
+
+typedef struct private_kernel_interface_t private_kernel_interface_t;
+
+/**
+ * Private data of a kernel_interface_t object.
+ */
+struct private_kernel_interface_t {
+
+	/**
+	 * Public part of kernel_interface_t object.
+	 */
+	kernel_interface_t public;
+
+	/**
+	 * ipsec interface
+	 */
+	kernel_ipsec_t *ipsec;
+
+	/**
+	 * network interface
+	 */
+	kernel_net_t *net;
+};
+
+METHOD(kernel_interface_t, get_spi, status_t,
+	private_kernel_interface_t *this, host_t *src, host_t *dst,
+	protocol_id_t protocol, u_int32_t reqid, u_int32_t *spi)
+{
+	if (!this->ipsec)
+	{
+		return NOT_SUPPORTED;
+	}
+	return this->ipsec->get_spi(this->ipsec, src, dst, protocol, reqid, spi);
+}
+
+METHOD(kernel_interface_t, get_cpi, status_t,
+	private_kernel_interface_t *this, host_t *src, host_t *dst,
+	u_int32_t reqid, u_int16_t *cpi)
+{
+	if (!this->ipsec)
+	{
+		return NOT_SUPPORTED;
+	}
+	return this->ipsec->get_cpi(this->ipsec, src, dst, reqid, cpi);
+}
+
+METHOD(kernel_interface_t, add_sa, status_t,
+	private_kernel_interface_t *this, host_t *src, host_t *dst,
+	u_int32_t spi, protocol_id_t protocol, u_int32_t reqid,
+	lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
+	u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp,
+	u_int16_t cpi, bool encap, bool inbound, traffic_selector_t *src_ts,
+	traffic_selector_t *dst_ts)
+{
+	if (!this->ipsec)
+	{
+		return NOT_SUPPORTED;
+	}
+	return this->ipsec->add_sa(this->ipsec, src, dst, spi, protocol, reqid,
+			lifetime, enc_alg, enc_key, int_alg, int_key, mode, ipcomp, cpi,
+			encap, inbound, src_ts, dst_ts);
+}
+
+METHOD(kernel_interface_t, update_sa, status_t,
+	private_kernel_interface_t *this, u_int32_t spi, protocol_id_t protocol,
+	u_int16_t cpi, host_t *src, host_t *dst, host_t *new_src, host_t *new_dst,
+	bool encap, bool new_encap)
+{
+	if (!this->ipsec)
+	{
+		return NOT_SUPPORTED;
+	}
+	return this->ipsec->update_sa(this->ipsec, spi, protocol, cpi, src, dst,
+								  new_src, new_dst, encap, new_encap);
+}
+
+METHOD(kernel_interface_t, query_sa, status_t,
+	private_kernel_interface_t *this, host_t *src, host_t *dst,
+	u_int32_t spi, protocol_id_t protocol, u_int64_t *bytes)
+{
+	if (!this->ipsec)
+	{
+		return NOT_SUPPORTED;
+	}
+	return this->ipsec->query_sa(this->ipsec, src, dst, spi, protocol, bytes);
+}
+
+METHOD(kernel_interface_t, del_sa, status_t,
+	private_kernel_interface_t *this, host_t *src, host_t *dst, u_int32_t spi,
+	protocol_id_t protocol, u_int16_t cpi)
+{
+	if (!this->ipsec)
+	{
+		return NOT_SUPPORTED;
+	}
+	return this->ipsec->del_sa(this->ipsec, src, dst, spi, protocol, cpi);
+}
+
+METHOD(kernel_interface_t, add_policy, status_t,
+	private_kernel_interface_t *this, host_t *src, host_t *dst,
+	traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
+	policy_dir_t direction, u_int32_t spi, protocol_id_t protocol,
+	u_int32_t reqid, ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
+	bool routed)
+{
+	if (!this->ipsec)
+	{
+		return NOT_SUPPORTED;
+	}
+	return this->ipsec->add_policy(this->ipsec, src, dst, src_ts, dst_ts,
+			direction, spi, protocol, reqid, mode, ipcomp, cpi, routed);
+}
+
+METHOD(kernel_interface_t, query_policy, status_t,
+	private_kernel_interface_t *this, traffic_selector_t *src_ts,
+	traffic_selector_t *dst_ts, policy_dir_t direction, u_int32_t *use_time)
+{
+	if (!this->ipsec)
+	{
+		return NOT_SUPPORTED;
+	}
+	return this->ipsec->query_policy(this->ipsec, src_ts, dst_ts,
+									 direction, use_time);
+}
+
+METHOD(kernel_interface_t, del_policy, status_t,
+	private_kernel_interface_t *this, traffic_selector_t *src_ts,
+	traffic_selector_t *dst_ts, policy_dir_t direction, bool unrouted)
+{
+	if (!this->ipsec)
+	{
+		return NOT_SUPPORTED;
+	}
+	return this->ipsec->del_policy(this->ipsec, src_ts, dst_ts,
+								   direction, unrouted);
+}
+
+METHOD(kernel_interface_t, get_source_addr, host_t*,
+	private_kernel_interface_t *this, host_t *dest, host_t *src)
+{
+	if (!this->net)
+	{
+		return NULL;
+	}
+	return this->net->get_source_addr(this->net, dest, src);
+}
+
+METHOD(kernel_interface_t, get_nexthop, host_t*,
+	private_kernel_interface_t *this, host_t *dest)
+{
+	if (!this->net)
+	{
+		return NULL;
+	}
+	return this->net->get_nexthop(this->net, dest);
+}
+
+METHOD(kernel_interface_t, get_interface, char*,
+	private_kernel_interface_t *this, host_t *host)
+{
+	if (!this->net)
+	{
+		return NULL;
+	}
+	return this->net->get_interface(this->net, host);
+}
+
+METHOD(kernel_interface_t, create_address_enumerator, enumerator_t*,
+	private_kernel_interface_t *this, bool include_down_ifaces,
+	bool include_virtual_ips)
+{
+	if (!this->net)
+	{
+		return enumerator_create_empty();
+	}
+	return this->net->create_address_enumerator(this->net, include_down_ifaces,
+												include_virtual_ips);
+}
+
+METHOD(kernel_interface_t, add_ip, status_t,
+	private_kernel_interface_t *this, host_t *virtual_ip, host_t *iface_ip)
+{
+	if (!this->net)
+	{
+		return NOT_SUPPORTED;
+	}
+	return this->net->add_ip(this->net, virtual_ip, iface_ip);
+}
+
+METHOD(kernel_interface_t, del_ip, status_t,
+	private_kernel_interface_t *this, host_t *virtual_ip)
+{
+	if (!this->net)
+	{
+		return NOT_SUPPORTED;
+	}
+	return this->net->del_ip(this->net, virtual_ip);
+}
+
+METHOD(kernel_interface_t, add_route, status_t,
+	private_kernel_interface_t *this, chunk_t dst_net,
+	u_int8_t prefixlen, host_t *gateway, host_t *src_ip, char *if_name)
+{
+	if (!this->net)
+	{
+		return NOT_SUPPORTED;
+	}
+	return this->net->add_route(this->net, dst_net, prefixlen, gateway,
+								src_ip, if_name);
+}
+
+METHOD(kernel_interface_t, del_route, status_t,
+	private_kernel_interface_t *this, chunk_t dst_net,
+	u_int8_t prefixlen, host_t *gateway, host_t *src_ip, char *if_name)
+{
+	if (!this->net)
+	{
+		return NOT_SUPPORTED;
+	}
+	return this->net->del_route(this->net, dst_net, prefixlen, gateway,
+								src_ip, if_name);
+}
+
+METHOD(kernel_interface_t, bypass_socket, bool,
+	private_kernel_interface_t *this, int fd, int family)
+{
+	if (!this->ipsec)
+	{
+		return FALSE;
+	}
+	return this->ipsec->bypass_socket(this->ipsec, fd, family);
+}
+
+METHOD(kernel_interface_t, get_address_by_ts, status_t,
+	private_kernel_interface_t *this, traffic_selector_t *ts, host_t **ip)
+{
+	enumerator_t *addrs;
+	host_t *host;
+	int family;
+	bool found = FALSE;
+
+	DBG2(DBG_KNL, "getting a local address in traffic selector %R", ts);
+
+	/* if we have a family which includes localhost, we do not
+	 * search for an IP, we use the default */
+	family = ts->get_type(ts) == TS_IPV4_ADDR_RANGE ? AF_INET : AF_INET6;
+
+	if (family == AF_INET)
+	{
+		host = host_create_from_string("127.0.0.1", 0);
+	}
+	else
+	{
+		host = host_create_from_string("::1", 0);
+	}
+
+	if (ts->includes(ts, host))
+	{
+		*ip = host_create_any(family);
+		host->destroy(host);
+		DBG2(DBG_KNL, "using host %H", *ip);
+		return SUCCESS;
+	}
+	host->destroy(host);
+
+	addrs = create_address_enumerator(this, TRUE, TRUE);
+	while (addrs->enumerate(addrs, (void**)&host))
+	{
+		if (ts->includes(ts, host))
+		{
+			found = TRUE;
+			*ip = host->clone(host);
+			break;
+		}
+	}
+	addrs->destroy(addrs);
+
+	if (!found)
+	{
+		DBG1(DBG_KNL, "no local address found in traffic selector %R", ts);
+		return FAILED;
+	}
+
+	DBG2(DBG_KNL, "using host %H", *ip);
+	return SUCCESS;
+}
+
+
+METHOD(kernel_interface_t, add_ipsec_interface, void,
+	private_kernel_interface_t *this, kernel_ipsec_constructor_t constructor)
+{
+	if (!this->ipsec)
+	{
+		this->ipsec = constructor();
+	}
+}
+
+METHOD(kernel_interface_t, remove_ipsec_interface, void,
+	private_kernel_interface_t *this, kernel_ipsec_constructor_t constructor)
+{
+	/* TODO: replace if interface currently in use */
+}
+
+METHOD(kernel_interface_t, add_net_interface, void,
+	private_kernel_interface_t *this, kernel_net_constructor_t constructor)
+{
+	if (!this->net)
+	{
+		this->net = constructor();
+	}
+}
+
+METHOD(kernel_interface_t, remove_net_interface, void,
+	private_kernel_interface_t *this, kernel_net_constructor_t constructor)
+{
+	/* TODO: replace if interface currently in use */
+}
+
+METHOD(kernel_interface_t, destroy, void,
+	private_kernel_interface_t *this)
+{
+	DESTROY_IF(this->ipsec);
+	DESTROY_IF(this->net);
+	free(this);
+}
+
+/*
+ * Described in header-file
+ */
+kernel_interface_t *kernel_interface_create()
+{
+	private_kernel_interface_t *this;
+
+	INIT(this,
+		.public = {
+			.get_spi = _get_spi,
+			.get_cpi = _get_cpi,
+			.add_sa = _add_sa,
+			.update_sa = _update_sa,
+			.query_sa = _query_sa,
+			.del_sa = _del_sa,
+			.add_policy = _add_policy,
+			.query_policy = _query_policy,
+			.del_policy = _del_policy,
+			.get_source_addr = _get_source_addr,
+			.get_nexthop = _get_nexthop,
+			.get_interface = _get_interface,
+			.create_address_enumerator = _create_address_enumerator,
+			.add_ip = _add_ip,
+			.del_ip = _del_ip,
+			.add_route = _add_route,
+			.del_route = _del_route,
+			.bypass_socket = _bypass_socket,
+
+			.get_address_by_ts = _get_address_by_ts,
+			.add_ipsec_interface = _add_ipsec_interface,
+			.remove_ipsec_interface = _remove_ipsec_interface,
+			.add_net_interface = _add_net_interface,
+			.remove_net_interface = _remove_net_interface,
+			.destroy = _destroy,
+		},
+	);
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/kernel/kernel_interface.h b/src/libcharon/kernel/kernel_interface.h
new file mode 100644
index 000000000..4a62e76b8
--- /dev/null
+++ b/src/libcharon/kernel/kernel_interface.h
@@ -0,0 +1,398 @@
+/*
+ * Copyright (C) 2006-2009 Tobias Brunner
+ * Copyright (C) 2006 Daniel Roethlisberger
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup kernel_interface kernel_interface
+ * @{ @ingroup kernel
+ */
+
+#ifndef KERNEL_INTERFACE_H_
+#define KERNEL_INTERFACE_H_
+
+typedef struct kernel_interface_t kernel_interface_t;
+
+#include <utils/host.h>
+#include <crypto/prf_plus.h>
+#include <encoding/payloads/proposal_substructure.h>
+
+#include <kernel/kernel_ipsec.h>
+#include <kernel/kernel_net.h>
+
+/**
+ * Constructor function for ipsec kernel interface
+ */
+typedef kernel_ipsec_t* (*kernel_ipsec_constructor_t)(void);
+
+/**
+ * Constructor function for network kernel interface
+ */
+typedef kernel_net_t* (*kernel_net_constructor_t)(void);
+
+/**
+ * Manager and wrapper for different kernel interfaces.
+ *
+ * The kernel interface handles the communication with the kernel
+ * for SA and policy management and interface and IP address management.
+ */
+struct kernel_interface_t {
+
+	/**
+	 * Get a SPI from the kernel.
+	 *
+	 * @param src		source address of SA
+	 * @param dst		destination address of SA
+	 * @param protocol	protocol for SA (ESP/AH)
+	 * @param reqid		unique ID for this SA
+	 * @param spi		allocated spi
+	 * @return				SUCCESS if operation completed
+	 */
+	status_t (*get_spi)(kernel_interface_t *this, host_t *src, host_t *dst,
+						protocol_id_t protocol, u_int32_t reqid, u_int32_t *spi);
+
+	/**
+	 * Get a Compression Parameter Index (CPI) from the kernel.
+	 *
+	 * @param src		source address of SA
+	 * @param dst		destination address of SA
+	 * @param reqid		unique ID for the corresponding SA
+	 * @param cpi		allocated cpi
+	 * @return				SUCCESS if operation completed
+	 */
+	status_t (*get_cpi)(kernel_interface_t *this, host_t *src, host_t *dst,
+						u_int32_t reqid, u_int16_t *cpi);
+
+	/**
+	 * Add an SA to the SAD.
+	 *
+	 * add_sa() may update an already allocated
+	 * SPI (via get_spi). In this case, the replace
+	 * flag must be set.
+	 * This function does install a single SA for a
+	 * single protocol in one direction.
+	 *
+	 * @param src			source address for this SA
+	 * @param dst			destination address for this SA
+	 * @param spi			SPI allocated by us or remote peer
+	 * @param protocol		protocol for this SA (ESP/AH)
+	 * @param reqid			unique ID for this SA
+	 * @param lifetime		lifetime_cfg_t for this SA
+	 * @param enc_alg		Algorithm to use for encryption (ESP only)
+	 * @param enc_key		key to use for encryption
+	 * @param int_alg		Algorithm to use for integrity protection
+	 * @param int_key		key to use for integrity protection
+	 * @param mode			mode of the SA (tunnel, transport)
+	 * @param ipcomp		IPComp transform to use
+	 * @param cpi			CPI for IPComp
+	 * @param encap			enable UDP encapsulation for NAT traversal
+	 * @param inbound		TRUE if this is an inbound SA
+	 * @param src_ts		traffic selector with BEET source address
+	 * @param dst_ts		traffic selector with BEET destination address
+	 * @return				SUCCESS if operation completed
+	 */
+	status_t (*add_sa) (kernel_interface_t *this,
+						host_t *src, host_t *dst, u_int32_t spi,
+						protocol_id_t protocol, u_int32_t reqid,
+						lifetime_cfg_t *lifetime,
+						u_int16_t enc_alg, chunk_t enc_key,
+						u_int16_t int_alg, chunk_t int_key,
+						ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
+						bool encap, bool inbound,
+						traffic_selector_t *src_ts, traffic_selector_t *dst_ts);
+
+	/**
+	 * Update the hosts on an installed SA.
+	 *
+	 * We cannot directly update the destination address as the kernel
+	 * requires the spi, the protocol AND the destination address (and family)
+	 * to identify SAs. Therefore if the destination address changed we
+	 * create a new SA and delete the old one.
+	 *
+	 * @param spi			SPI of the SA
+	 * @param protocol		protocol for this SA (ESP/AH)
+	 * @param cpi			CPI for IPComp, 0 if no IPComp is used
+	 * @param src			current source address
+	 * @param dst			current destination address
+	 * @param new_src		new source address
+	 * @param new_dst		new destination address
+	 * @param encap			current use of UDP encapsulation
+	 * @param new_encap		new use of UDP encapsulation
+	 * @return				SUCCESS if operation completed, NOT_SUPPORTED if
+	 *					  the kernel interface can't update the SA
+	 */
+	status_t (*update_sa)(kernel_interface_t *this,
+						  u_int32_t spi, protocol_id_t protocol, u_int16_t cpi,
+						  host_t *src, host_t *dst,
+						  host_t *new_src, host_t *new_dst,
+						  bool encap, bool new_encap);
+
+	/**
+	 * Query the number of bytes processed by an SA from the SAD.
+	 *
+	 * @param src			source address for this SA
+	 * @param dst			destination address for this SA
+	 * @param spi			SPI allocated by us or remote peer
+	 * @param protocol		protocol for this SA (ESP/AH)
+	 * @param[out] bytes	the number of bytes processed by SA
+	 * @return				SUCCESS if operation completed
+	 */
+	status_t (*query_sa) (kernel_interface_t *this, host_t *src, host_t *dst,
+						  u_int32_t spi, protocol_id_t protocol, u_int64_t *bytes);
+
+	/**
+	 * Delete a previously installed SA from the SAD.
+	 *
+	 * @param src			source address for this SA
+	 * @param dst			destination address for this SA
+	 * @param spi			SPI allocated by us or remote peer
+	 * @param protocol		protocol for this SA (ESP/AH)
+	 * @param cpi			CPI for IPComp or 0
+	 * @return				SUCCESS if operation completed
+	 */
+	status_t (*del_sa) (kernel_interface_t *this, host_t *src, host_t *dst,
+						u_int32_t spi, protocol_id_t protocol, u_int16_t cpi);
+
+	/**
+	 * Add a policy to the SPD.
+	 *
+	 * A policy is always associated to an SA. Traffic which matches a
+	 * policy is handled by the SA with the same reqid.
+	 *
+	 * @param src			source address of SA
+	 * @param dst			dest address of SA
+	 * @param src_ts		traffic selector to match traffic source
+	 * @param dst_ts		traffic selector to match traffic dest
+	 * @param direction		direction of traffic, POLICY_IN, POLICY_OUT, POLICY_FWD
+	 * @param spi			SPI of SA
+	 * @param protocol		protocol to use to protect traffic (AH/ESP)
+	 * @param reqid			unique ID of an SA to use to enforce policy
+	 * @param mode			mode of SA (tunnel, transport)
+	 * @param ipcomp		the IPComp transform used
+	 * @param cpi			CPI for IPComp
+	 * @param routed		TRUE, if this policy is routed in the kernel
+	 * @return				SUCCESS if operation completed
+	 */
+	status_t (*add_policy) (kernel_interface_t *this,
+							host_t *src, host_t *dst,
+							traffic_selector_t *src_ts,
+							traffic_selector_t *dst_ts,
+							policy_dir_t direction, u_int32_t spi,
+							protocol_id_t protocol, u_int32_t reqid,
+							ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
+							bool routed);
+
+	/**
+	 * Query the use time of a policy.
+	 *
+	 * The use time of a policy is the time the policy was used
+	 * for the last time.
+	 *
+	 * @param src_ts		traffic selector to match traffic source
+	 * @param dst_ts		traffic selector to match traffic dest
+	 * @param direction		direction of traffic, POLICY_IN, POLICY_OUT, POLICY_FWD
+	 * @param[out] use_time	the time of this SA's last use
+	 * @return				SUCCESS if operation completed
+	 */
+	status_t (*query_policy) (kernel_interface_t *this,
+							  traffic_selector_t *src_ts,
+							  traffic_selector_t *dst_ts,
+							  policy_dir_t direction, u_int32_t *use_time);
+
+	/**
+	 * Remove a policy from the SPD.
+	 *
+	 * The kernel interface implements reference counting for policies.
+	 * If the same policy is installed multiple times (in the case of rekeying),
+	 * the reference counter is increased. del_policy() decreases the ref counter
+	 * and removes the policy only when no more references are available.
+	 *
+	 * @param src_ts		traffic selector to match traffic source
+	 * @param dst_ts		traffic selector to match traffic dest
+	 * @param direction		direction of traffic, POLICY_IN, POLICY_OUT, POLICY_FWD
+	 * @param unrouted		TRUE, if this policy is unrouted from the kernel
+	 * @return				SUCCESS if operation completed
+	 */
+	status_t (*del_policy) (kernel_interface_t *this,
+							traffic_selector_t *src_ts,
+							traffic_selector_t *dst_ts,
+							policy_dir_t direction,
+							bool unrouted);
+
+	/**
+	 * Get our outgoing source address for a destination.
+	 *
+	 * Does a route lookup to get the source address used to reach dest.
+	 * The returned host is allocated and must be destroyed.
+	 * An optional src address can be used to check if a route is available
+	 * for given source to dest.
+	 *
+	 * @param dest			target destination address
+	 * @param src			source address to check, or NULL
+	 * @return				outgoing source address, NULL if unreachable
+	 */
+	host_t* (*get_source_addr)(kernel_interface_t *this,
+							   host_t *dest, host_t *src);
+
+	/**
+	 * Get the next hop for a destination.
+	 *
+	 * Does a route lookup to get the next hop used to reach dest.
+	 * The returned host is allocated and must be destroyed.
+	 *
+	 * @param dest			target destination address
+	 * @return				next hop address, NULL if unreachable
+	 */
+	host_t* (*get_nexthop)(kernel_interface_t *this, host_t *dest);
+
+	/**
+	 * Get the interface name of a local address.
+	 *
+	 * @param host			address to get interface name from
+	 * @return 				allocated interface name, or NULL if not found
+	 */
+	char* (*get_interface) (kernel_interface_t *this, host_t *host);
+
+	/**
+	 * Creates an enumerator over all local addresses.
+	 *
+	 * This function blocks an internal cached address list until the
+	 * enumerator gets destroyed.
+	 * The hosts are read-only, do not modify of free.
+	 *
+	 * @param include_down_ifaces	TRUE to enumerate addresses from down interfaces
+	 * @param include_virtual_ips	TRUE to enumerate virtual ip addresses
+	 * @return						enumerator over host_t's
+	 */
+	enumerator_t *(*create_address_enumerator) (kernel_interface_t *this,
+						bool include_down_ifaces, bool include_virtual_ips);
+
+	/**
+	 * Add a virtual IP to an interface.
+	 *
+	 * Virtual IPs are attached to an interface. If an IP is added multiple
+	 * times, the IP is refcounted and not removed until del_ip() was called
+	 * as many times as add_ip().
+	 * The virtual IP is attached to the interface where the iface_ip is found.
+	 *
+	 * @param virtual_ip	virtual ip address to assign
+	 * @param iface_ip		IP of an interface to attach virtual IP
+	 * @return				SUCCESS if operation completed
+	 */
+	status_t (*add_ip) (kernel_interface_t *this, host_t *virtual_ip,
+						host_t *iface_ip);
+
+	/**
+	 * Remove a virtual IP from an interface.
+	 *
+	 * The kernel interface uses refcounting, see add_ip().
+	 *
+	 * @param virtual_ip	virtual ip address to assign
+	 * @return				SUCCESS if operation completed
+	 */
+	status_t (*del_ip) (kernel_interface_t *this, host_t *virtual_ip);
+
+	/**
+	 * Add a route.
+	 *
+	 * @param dst_net		destination net
+	 * @param prefixlen		destination net prefix length
+	 * @param gateway		gateway for this route
+	 * @param src_ip		sourc ip of the route
+	 * @param if_name		name of the interface the route is bound to
+	 * @return				SUCCESS if operation completed
+	 * 						ALREADY_DONE if the route already exists
+	 */
+	status_t (*add_route) (kernel_interface_t *this, chunk_t dst_net, u_int8_t prefixlen,
+								host_t *gateway, host_t *src_ip, char *if_name);
+
+	/**
+	 * Delete a route.
+	 *
+	 * @param dst_net		destination net
+	 * @param prefixlen		destination net prefix length
+	 * @param gateway		gateway for this route
+	 * @param src_ip		sourc ip of the route
+	 * @param if_name		name of the interface the route is bound to
+	 * @return				SUCCESS if operation completed
+	 */
+	status_t (*del_route) (kernel_interface_t *this, chunk_t dst_net, u_int8_t prefixlen,
+								host_t *gateway, host_t *src_ip, char *if_name);
+
+	/**
+	 * Set up a bypass policy for a given socket.
+	 *
+	 * @param fd			socket file descriptor to setup policy for
+	 * @param family		protocol family of the socket
+	 * @return				TRUE of policy set up successfully
+	 */
+	bool (*bypass_socket)(kernel_interface_t *this, int fd, int family);
+
+	/**
+	 * manager methods
+	 */
+
+	/**
+	 * Tries to find an ip address of a local interface that is included in the
+	 * supplied traffic selector.
+	 *
+	 * @param ts			traffic selector
+	 * @param ip			returned ip (has to be destroyed)
+	 * @return				SUCCESS if address found
+	 */
+	status_t (*get_address_by_ts) (kernel_interface_t *this,
+										traffic_selector_t *ts, host_t **ip);
+
+	/**
+	 * Register an ipsec kernel interface constructor on the manager.
+	 *
+	 * @param create			constructor to register
+	 */
+	void (*add_ipsec_interface)(kernel_interface_t *this, kernel_ipsec_constructor_t create);
+
+	/**
+	 * Unregister an ipsec kernel interface constructor.
+	 *
+	 * @param create			constructor to unregister
+	 */
+	void (*remove_ipsec_interface)(kernel_interface_t *this, kernel_ipsec_constructor_t create);
+
+	/**
+	 * Register a network kernel interface constructor on the manager.
+	 *
+	 * @param create			constructor to register
+	 */
+	void (*add_net_interface)(kernel_interface_t *this, kernel_net_constructor_t create);
+
+	/**
+	 * Unregister a network kernel interface constructor.
+	 *
+	 * @param create			constructor to unregister
+	 */
+	void (*remove_net_interface)(kernel_interface_t *this, kernel_net_constructor_t create);
+
+	/**
+	 * Destroys a kernel_interface_manager_t object.
+	 */
+	void (*destroy) (kernel_interface_t *this);
+};
+
+/**
+ * Creates an object of type kernel_interface_t.
+ */
+kernel_interface_t *kernel_interface_create(void);
+
+#endif /** KERNEL_INTERFACE_H_ @}*/
diff --git a/src/libcharon/kernel/kernel_ipsec.c b/src/libcharon/kernel/kernel_ipsec.c
new file mode 100644
index 000000000..5b0335b16
--- /dev/null
+++ b/src/libcharon/kernel/kernel_ipsec.c
@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "kernel_ipsec.h"
+
+ENUM(ipsec_mode_names, MODE_TRANSPORT, MODE_BEET,
+	"TRANSPORT",
+	"TUNNEL",
+	"BEET",
+);
+
+ENUM(policy_dir_names, POLICY_IN, POLICY_FWD,
+	"in",
+	"out",
+	"fwd"
+);
+
diff --git a/src/libcharon/kernel/kernel_ipsec.h b/src/libcharon/kernel/kernel_ipsec.h
new file mode 100644
index 000000000..300464cf6
--- /dev/null
+++ b/src/libcharon/kernel/kernel_ipsec.h
@@ -0,0 +1,282 @@
+/*
+ * Copyright (C) 2006-2009 Tobias Brunner
+ * Copyright (C) 2006 Daniel Roethlisberger
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup kernel_ipsec kernel_ipsec
+ * @{ @ingroup kernel
+ */
+
+#ifndef KERNEL_IPSEC_H_
+#define KERNEL_IPSEC_H_
+
+typedef enum ipsec_mode_t ipsec_mode_t;
+typedef enum policy_dir_t policy_dir_t;
+typedef struct kernel_ipsec_t kernel_ipsec_t;
+
+#include <utils/host.h>
+#include <crypto/prf_plus.h>
+#include <config/proposal.h>
+#include <config/child_cfg.h>
+
+/**
+ * Mode of a CHILD_SA.
+ */
+enum ipsec_mode_t {
+	/** transport mode, no inner address */
+	MODE_TRANSPORT = 1,
+	/** tunnel mode, inner and outer addresses */
+	MODE_TUNNEL,
+	/** BEET mode, tunnel mode but fixed, bound inner addresses */
+	MODE_BEET,
+};
+
+/**
+ * enum names for ipsec_mode_t.
+ */
+extern enum_name_t *ipsec_mode_names;
+
+/**
+ * Direction of a policy. These are equal to those
+ * defined in xfrm.h, but we want to stay implementation
+ * neutral here.
+ */
+enum policy_dir_t {
+	/** Policy for inbound traffic */
+	POLICY_IN = 0,
+	/** Policy for outbound traffic */
+	POLICY_OUT = 1,
+	/** Policy for forwarded traffic */
+	POLICY_FWD = 2,
+};
+
+/**
+ * enum names for policy_dir_t.
+ */
+extern enum_name_t *policy_dir_names;
+
+/**
+ * Interface to the ipsec subsystem of the kernel.
+ *
+ * The kernel ipsec interface handles the communication with the kernel
+ * for SA and policy management. It allows setup of these, and provides
+ * further the handling of kernel events.
+ * Policy information are cached in the interface. This is necessary to do
+ * reference counting. The Linux kernel does not allow the same policy
+ * installed twice, but we need this as CHILD_SA exist multiple times
+ * when rekeying. Thats why we do reference counting of policies.
+ */
+struct kernel_ipsec_t {
+
+	/**
+	 * Get a SPI from the kernel.
+	 *
+	 * @param src		source address of SA
+	 * @param dst		destination address of SA
+	 * @param protocol	protocol for SA (ESP/AH)
+	 * @param reqid		unique ID for this SA
+	 * @param spi		allocated spi
+	 * @return				SUCCESS if operation completed
+	 */
+	status_t (*get_spi)(kernel_ipsec_t *this, host_t *src, host_t *dst,
+						protocol_id_t protocol, u_int32_t reqid, u_int32_t *spi);
+
+	/**
+	 * Get a Compression Parameter Index (CPI) from the kernel.
+	 *
+	 * @param src		source address of SA
+	 * @param dst		destination address of SA
+	 * @param reqid		unique ID for the corresponding SA
+	 * @param cpi		allocated cpi
+	 * @return				SUCCESS if operation completed
+	 */
+	status_t (*get_cpi)(kernel_ipsec_t *this, host_t *src, host_t *dst,
+						u_int32_t reqid, u_int16_t *cpi);
+
+	/**
+	 * Add an SA to the SAD.
+	 *
+	 * add_sa() may update an already allocated
+	 * SPI (via get_spi). In this case, the replace
+	 * flag must be set.
+	 * This function does install a single SA for a
+	 * single protocol in one direction.
+	 *
+	 * @param src			source address for this SA
+	 * @param dst			destination address for this SA
+	 * @param spi			SPI allocated by us or remote peer
+	 * @param protocol		protocol for this SA (ESP/AH)
+	 * @param reqid			unique ID for this SA
+	 * @param lifetime		lifetime_cfg_t for this SA
+	 * @param enc_alg		Algorithm to use for encryption (ESP only)
+	 * @param enc_key		key to use for encryption
+	 * @param int_alg		Algorithm to use for integrity protection
+	 * @param int_key		key to use for integrity protection
+	 * @param mode			mode of the SA (tunnel, transport)
+	 * @param ipcomp		IPComp transform to use
+	 * @param cpi			CPI for IPComp
+	 * @param encap			enable UDP encapsulation for NAT traversal
+	 * @param inbound		TRUE if this is an inbound SA
+	 * @param src_ts		traffic selector with BEET source address
+	 * @param dst_ts		traffic selector with BEET destination address
+	 * @return				SUCCESS if operation completed
+	 */
+	status_t (*add_sa) (kernel_ipsec_t *this,
+						host_t *src, host_t *dst, u_int32_t spi,
+						protocol_id_t protocol, u_int32_t reqid,
+						lifetime_cfg_t *lifetime,
+						u_int16_t enc_alg, chunk_t enc_key,
+						u_int16_t int_alg, chunk_t int_key,
+						ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
+						bool encap, bool inbound,
+						traffic_selector_t *src_ts, traffic_selector_t *dst_ts);
+
+	/**
+	 * Update the hosts on an installed SA.
+	 *
+	 * We cannot directly update the destination address as the kernel
+	 * requires the spi, the protocol AND the destination address (and family)
+	 * to identify SAs. Therefore if the destination address changed we
+	 * create a new SA and delete the old one.
+	 *
+	 * @param spi			SPI of the SA
+	 * @param protocol		protocol for this SA (ESP/AH)
+	 * @param cpi			CPI for IPComp, 0 if no IPComp is used
+	 * @param src			current source address
+	 * @param dst			current destination address
+	 * @param new_src		new source address
+	 * @param new_dst		new destination address
+	 * @param encap			current use of UDP encapsulation
+	 * @param new_encap		new use of UDP encapsulation
+	 * @return				SUCCESS if operation completed, NOT_SUPPORTED if
+	 *					  the kernel interface can't update the SA
+	 */
+	status_t (*update_sa)(kernel_ipsec_t *this,
+						  u_int32_t spi, protocol_id_t protocol, u_int16_t cpi,
+						  host_t *src, host_t *dst,
+						  host_t *new_src, host_t *new_dst,
+						  bool encap, bool new_encap);
+
+	/**
+	 * Query the number of bytes processed by an SA from the SAD.
+	 *
+	 * @param src			source address for this SA
+	 * @param dst			destination address for this SA
+	 * @param spi			SPI allocated by us or remote peer
+	 * @param protocol		protocol for this SA (ESP/AH)
+	 * @param[out] bytes	the number of bytes processed by SA
+	 * @return				SUCCESS if operation completed
+	 */
+	status_t (*query_sa) (kernel_ipsec_t *this, host_t *src, host_t *dst,
+						  u_int32_t spi, protocol_id_t protocol, u_int64_t *bytes);
+
+	/**
+	 * Delete a previusly installed SA from the SAD.
+	 *
+	 * @param src			source address for this SA
+	 * @param dst			destination address for this SA
+	 * @param spi			SPI allocated by us or remote peer
+	 * @param protocol		protocol for this SA (ESP/AH)
+	 * @param cpi			CPI for IPComp or 0
+	 * @return				SUCCESS if operation completed
+	 */
+	status_t (*del_sa) (kernel_ipsec_t *this, host_t *src, host_t *dst,
+						u_int32_t spi, protocol_id_t protocol, u_int16_t cpi);
+
+	/**
+	 * Add a policy to the SPD.
+	 *
+	 * A policy is always associated to an SA. Traffic which matches a
+	 * policy is handled by the SA with the same reqid.
+	 *
+	 * @param src			source address of SA
+	 * @param dst			dest address of SA
+	 * @param src_ts		traffic selector to match traffic source
+	 * @param dst_ts		traffic selector to match traffic dest
+	 * @param direction		direction of traffic, POLICY_IN, POLICY_OUT, POLICY_FWD
+	 * @param spi			SPI of SA
+	 * @param protocol		protocol to use to protect traffic (AH/ESP)
+	 * @param reqid			unique ID of an SA to use to enforce policy
+	 * @param mode			mode of SA (tunnel, transport)
+	 * @param ipcomp		the IPComp transform used
+	 * @param cpi			CPI for IPComp
+	 * @param routed		TRUE, if this policy is routed in the kernel
+	 * @return				SUCCESS if operation completed
+	 */
+	status_t (*add_policy) (kernel_ipsec_t *this,
+							host_t *src, host_t *dst,
+							traffic_selector_t *src_ts,
+							traffic_selector_t *dst_ts,
+							policy_dir_t direction, u_int32_t spi,
+							protocol_id_t protocol, u_int32_t reqid,
+							ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
+							bool routed);
+
+	/**
+	 * Query the use time of a policy.
+	 *
+	 * The use time of a policy is the time the policy was used for the last
+	 * time. It is not the system time, but a monotonic timestamp as returned
+	 * by time_monotonic.
+	 *
+	 * @param src_ts		traffic selector to match traffic source
+	 * @param dst_ts		traffic selector to match traffic dest
+	 * @param direction		direction of traffic, POLICY_IN, POLICY_OUT, POLICY_FWD
+	 * @param[out] use_time	the monotonic timestamp of this SA's last use
+	 * @return				SUCCESS if operation completed
+	 */
+	status_t (*query_policy) (kernel_ipsec_t *this,
+							  traffic_selector_t *src_ts,
+							  traffic_selector_t *dst_ts,
+							  policy_dir_t direction, u_int32_t *use_time);
+
+	/**
+	 * Remove a policy from the SPD.
+	 *
+	 * The kernel interface implements reference counting for policies.
+	 * If the same policy is installed multiple times (in the case of rekeying),
+	 * the reference counter is increased. del_policy() decreases the ref counter
+	 * and removes the policy only when no more references are available.
+	 *
+	 * @param src_ts		traffic selector to match traffic source
+	 * @param dst_ts		traffic selector to match traffic dest
+	 * @param direction		direction of traffic, POLICY_IN, POLICY_OUT, POLICY_FWD
+	 * @param unrouted		TRUE, if this policy is unrouted from the kernel
+	 * @return				SUCCESS if operation completed
+	 */
+	status_t (*del_policy) (kernel_ipsec_t *this,
+							traffic_selector_t *src_ts,
+							traffic_selector_t *dst_ts,
+							policy_dir_t direction,
+							bool unrouted);
+
+	/**
+	 * Install a bypass policy for the given socket.
+	 *
+	 * @param fd			socket file descriptor to setup policy for
+	 * @param family		protocol family of the socket
+	 * @return				TRUE of policy set up successfully
+	 */
+	bool (*bypass_socket)(kernel_ipsec_t *this, int fd, int family);
+
+	/**
+	 * Destroy the implementation.
+	 */
+	void (*destroy) (kernel_ipsec_t *this);
+};
+
+#endif /** KERNEL_IPSEC_H_ @}*/
diff --git a/src/libcharon/kernel/kernel_net.h b/src/libcharon/kernel/kernel_net.h
new file mode 100644
index 000000000..efb221f88
--- /dev/null
+++ b/src/libcharon/kernel/kernel_net.h
@@ -0,0 +1,143 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup kernel_net kernel_net
+ * @{ @ingroup kernel
+ */
+
+#ifndef KERNEL_NET_H_
+#define KERNEL_NET_H_
+
+typedef struct kernel_net_t kernel_net_t;
+
+#include <utils/enumerator.h>
+#include <utils/host.h>
+
+/**
+ * Interface to the network subsystem of the kernel.
+ *
+ * The kernel network interface handles the communication with the kernel
+ * for interface and IP address management.
+ */
+struct kernel_net_t {
+
+	/**
+	 * Get our outgoing source address for a destination.
+	 *
+	 * Does a route lookup to get the source address used to reach dest.
+	 * The returned host is allocated and must be destroyed.
+	 * An optional src address can be used to check if a route is available
+	 * for given source to dest.
+	 *
+	 * @param dest			target destination address
+	 * @param src			source address to check, or NULL
+	 * @return				outgoing source address, NULL if unreachable
+	 */
+	host_t* (*get_source_addr)(kernel_net_t *this, host_t *dest, host_t *src);
+
+	/**
+	 * Get the next hop for a destination.
+	 *
+	 * Does a route lookup to get the next hop used to reach dest.
+	 * The returned host is allocated and must be destroyed.
+	 *
+	 * @param dest			target destination address
+	 * @return				next hop address, NULL if unreachable
+	 */
+	host_t* (*get_nexthop)(kernel_net_t *this, host_t *dest);
+
+	/**
+	 * Get the interface name of a local address.
+	 *
+	 * @param host			address to get interface name from
+	 * @return 				allocated interface name, or NULL if not found
+	 */
+	char* (*get_interface) (kernel_net_t *this, host_t *host);
+
+	/**
+	 * Creates an enumerator over all local addresses.
+	 *
+	 * This function blocks an internal cached address list until the
+	 * enumerator gets destroyed.
+	 * The hosts are read-only, do not modify of free.
+	 *
+	 * @param include_down_ifaces	TRUE to enumerate addresses from down interfaces
+	 * @param include_virtual_ips	TRUE to enumerate virtual ip addresses
+	 * @return						enumerator over host_t's
+	 */
+	enumerator_t *(*create_address_enumerator) (kernel_net_t *this,
+						bool include_down_ifaces, bool include_virtual_ips);
+
+	/**
+	 * Add a virtual IP to an interface.
+	 *
+	 * Virtual IPs are attached to an interface. If an IP is added multiple
+	 * times, the IP is refcounted and not removed until del_ip() was called
+	 * as many times as add_ip().
+	 * The virtual IP is attached to the interface where the iface_ip is found.
+	 *
+	 * @param virtual_ip	virtual ip address to assign
+	 * @param iface_ip		IP of an interface to attach virtual IP
+	 * @return				SUCCESS if operation completed
+	 */
+	status_t (*add_ip) (kernel_net_t *this, host_t *virtual_ip,
+						host_t *iface_ip);
+
+	/**
+	 * Remove a virtual IP from an interface.
+	 *
+	 * The kernel interface uses refcounting, see add_ip().
+	 *
+	 * @param virtual_ip	virtual ip address to assign
+	 * @return				SUCCESS if operation completed
+	 */
+	status_t (*del_ip) (kernel_net_t *this, host_t *virtual_ip);
+
+	/**
+	 * Add a route.
+	 *
+	 * @param dst_net		destination net
+	 * @param prefixlen		destination net prefix length
+	 * @param gateway		gateway for this route
+	 * @param src_ip		sourc ip of the route
+	 * @param if_name		name of the interface the route is bound to
+	 * @return				SUCCESS if operation completed
+	 * 						ALREADY_DONE if the route already exists
+	 */
+	status_t (*add_route) (kernel_net_t *this, chunk_t dst_net, u_int8_t prefixlen,
+								host_t *gateway, host_t *src_ip, char *if_name);
+
+	/**
+	 * Delete a route.
+	 *
+	 * @param dst_net		destination net
+	 * @param prefixlen		destination net prefix length
+	 * @param gateway		gateway for this route
+	 * @param src_ip		sourc ip of the route
+	 * @param if_name		name of the interface the route is bound to
+	 * @return				SUCCESS if operation completed
+	 */
+	status_t (*del_route) (kernel_net_t *this, chunk_t dst_net, u_int8_t prefixlen,
+								host_t *gateway, host_t *src_ip, char *if_name);
+
+	/**
+	 * Destroy the implementation.
+	 */
+	void (*destroy) (kernel_net_t *this);
+};
+
+#endif /** KERNEL_NET_H_ @}*/
diff --git a/src/libcharon/network/packet.c b/src/libcharon/network/packet.c
new file mode 100644
index 000000000..19db362f7
--- /dev/null
+++ b/src/libcharon/network/packet.c
@@ -0,0 +1,138 @@
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "packet.h"
+
+typedef struct private_packet_t private_packet_t;
+
+/**
+ * Private data of an packet_t object.
+ */
+struct private_packet_t {
+
+	/**
+	 * Public part of a packet_t object.
+	 */
+	packet_t public;
+
+	/**
+	 * source address
+	 */
+	host_t *source;
+
+	/**
+	 * destination address
+	 */
+	host_t *destination;
+
+	 /**
+	  * message data
+	  */
+	chunk_t data;
+};
+
+METHOD(packet_t, set_source, void,
+	private_packet_t *this, host_t *source)
+{
+	DESTROY_IF(this->source);
+	this->source = source;
+}
+
+METHOD(packet_t, set_destination, void,
+	private_packet_t *this, host_t *destination)
+{
+	DESTROY_IF(this->destination);
+	this->destination = destination;
+}
+
+METHOD(packet_t, get_source, host_t*,
+	private_packet_t *this)
+{
+	return this->source;
+}
+
+METHOD(packet_t, get_destination, host_t*,
+	private_packet_t *this)
+{
+	return this->destination;
+}
+
+METHOD(packet_t, get_data, chunk_t,
+	private_packet_t *this)
+{
+	return this->data;
+}
+
+METHOD(packet_t, set_data, void,
+	private_packet_t *this, chunk_t data)
+{
+	free(this->data.ptr);
+	this->data = data;
+}
+
+METHOD(packet_t, destroy, void,
+	private_packet_t *this)
+{
+	DESTROY_IF(this->source);
+	DESTROY_IF(this->destination);
+	free(this->data.ptr);
+	free(this);
+}
+
+METHOD(packet_t, clone_, packet_t*,
+	private_packet_t *this)
+{
+	packet_t *other;
+
+	other = packet_create();
+	if (this->destination != NULL)
+	{
+		other->set_destination(other, this->destination->clone(this->destination));
+	}
+	if (this->source != NULL)
+	{
+		other->set_source(other, this->source->clone(this->source));
+	}
+	if (this->data.ptr != NULL)
+	{
+		other->set_data(other, chunk_clone(this->data));
+	}
+	return other;
+}
+
+/*
+ * Documented in header
+ */
+packet_t *packet_create(void)
+{
+	private_packet_t *this;
+
+	INIT(this,
+		.public = {
+			.set_data = _set_data,
+			.get_data = _get_data,
+			.set_source = _set_source,
+			.get_source = _get_source,
+			.set_destination = _set_destination,
+			.get_destination = _get_destination,
+			.clone = _clone_,
+			.destroy = _destroy,
+		},
+	);
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/network/packet.h b/src/libcharon/network/packet.h
new file mode 100644
index 000000000..18d82c6fc
--- /dev/null
+++ b/src/libcharon/network/packet.h
@@ -0,0 +1,115 @@
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup packet packet
+ * @{ @ingroup network
+ */
+
+#ifndef PACKET_H_
+#define PACKET_H_
+
+typedef struct packet_t packet_t;
+
+#include <library.h>
+#include <utils/host.h>
+
+/**
+ * Abstraction of an UDP-Packet, contains data, sender and receiver.
+ */
+struct packet_t {
+
+	/**
+	 * Set the source address.
+	 *
+	 * Set host_t is now owned by packet_t, it will destroy
+	 * it if necessary.
+	 *
+	 * @param source	address to set as source
+	 */
+	void (*set_source) (packet_t *packet, host_t *source);
+
+	/**
+	 * Set the destination address.
+	 *
+	 * Set host_t is now owned by packet_t, it will destroy
+	 * it if necessary.
+	 *
+	 * @param source	address to set as destination
+	 */
+	void (*set_destination) (packet_t *packet, host_t *destination);
+
+	/**
+	 * Get the source address.
+	 *
+	 * Set host_t is still owned by packet_t, clone it
+	 * if needed.
+	 *
+	 * @return			source address
+	 */
+	host_t *(*get_source) (packet_t *packet);
+
+	/**
+	 * Get the destination address.
+	 *
+	 * Set host_t is still owned by packet_t, clone it
+	 * if needed.
+	 *
+	 * @return			destination address
+	 */
+	host_t *(*get_destination) (packet_t *packet);
+
+	/**
+	 * Get the data from the packet.
+	 *
+	 * The data pointed by the chunk is still owned
+	 * by the packet. Clone it if needed.
+	 *
+	 * @return			chunk containing the data
+	 */
+	chunk_t (*get_data) (packet_t *packet);
+
+	/**
+	 * Set the data in the packet.
+	 *
+	 * Supplied chunk data is now owned by the
+	 * packet. It will free it.
+	 *
+	 * @param data		chunk with data to set
+	 */
+	void (*set_data) (packet_t *packet, chunk_t data);
+
+	/**
+	 * Clones a packet_t object.
+	 *
+	 * @param clone		clone of the packet
+	 */
+	packet_t* (*clone) (packet_t *packet);
+
+	/**
+	 * Destroy the packet, freeing contained data.
+	 */
+	void (*destroy) (packet_t *packet);
+};
+
+/**
+ * create an empty packet
+ *
+ * @return packet_t object
+ */
+packet_t *packet_create(void);
+
+#endif /** PACKET_H_ @}*/
diff --git a/src/libcharon/network/receiver.c b/src/libcharon/network/receiver.c
new file mode 100644
index 000000000..df897021a
--- /dev/null
+++ b/src/libcharon/network/receiver.c
@@ -0,0 +1,402 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <stdlib.h>
+#include <unistd.h>
+
+#include "receiver.h"
+
+#include <daemon.h>
+#include <network/socket.h>
+#include <network/packet.h>
+#include <processing/jobs/job.h>
+#include <processing/jobs/process_message_job.h>
+#include <processing/jobs/callback_job.h>
+#include <crypto/hashers/hasher.h>
+
+/** lifetime of a cookie, in seconds */
+#define COOKIE_LIFETIME 10
+/** how many times to reuse the secret */
+#define COOKIE_REUSE 10000
+/** default value for private_receiver_t.cookie_threshold */
+#define COOKIE_THRESHOLD_DEFAULT 10
+/** default value for private_receiver_t.block_threshold */
+#define BLOCK_THRESHOLD_DEFAULT 5
+/** length of the secret to use for cookie calculation */
+#define SECRET_LENGTH 16
+
+typedef struct private_receiver_t private_receiver_t;
+
+/**
+ * Private data of a receiver_t object.
+ */
+struct private_receiver_t {
+	/**
+	 * Public part of a receiver_t object.
+	 */
+	receiver_t public;
+
+	/**
+	 * Threads job receiving packets
+	 */
+	callback_job_t *job;
+
+	/**
+	 * current secret to use for cookie calculation
+	 */
+	char secret[SECRET_LENGTH];
+
+	/**
+	 * previous secret used to verify older cookies
+	 */
+	char secret_old[SECRET_LENGTH];
+
+	/**
+	 * how many times we have used "secret" so far
+	 */
+	u_int32_t secret_used;
+
+	/**
+	 * time we did the cookie switch
+	 */
+	u_int32_t secret_switch;
+
+	/**
+	 * time offset to use, hides our system time
+	 */
+	u_int32_t secret_offset;
+
+	/**
+	 * the RNG to use for secret generation
+	 */
+	rng_t *rng;
+
+	/**
+	 * hasher to use for cookie calculation
+	 */
+	hasher_t *hasher;
+
+	/**
+	 * require cookies after this many half open IKE_SAs
+	 */
+	u_int32_t cookie_threshold;
+
+	/**
+	 * how many half open IKE_SAs per peer before blocking
+	 */
+	u_int32_t block_threshold;
+
+	/**
+	 * Delay for receiving incoming packets, to simulate larger RTT
+	 */
+	u_int receive_delay;
+};
+
+/**
+ * send a notify back to the sender
+ */
+static void send_notify(message_t *request, notify_type_t type, chunk_t data)
+{
+	if (request->get_request(request) &&
+		request->get_exchange_type(request) == IKE_SA_INIT)
+	{
+		message_t *response;
+		host_t *src, *dst;
+		packet_t *packet;
+		ike_sa_id_t *ike_sa_id;
+
+		response = message_create();
+		dst = request->get_source(request);
+		src = request->get_destination(request);
+		response->set_source(response, src->clone(src));
+		response->set_destination(response, dst->clone(dst));
+		response->set_exchange_type(response, request->get_exchange_type(request));
+		response->set_request(response, FALSE);
+		response->set_message_id(response, 0);
+		ike_sa_id = request->get_ike_sa_id(request);
+		ike_sa_id->switch_initiator(ike_sa_id);
+		response->set_ike_sa_id(response, ike_sa_id);
+		response->add_notify(response, FALSE, type, data);
+		if (response->generate(response, NULL, NULL, &packet) == SUCCESS)
+		{
+			charon->sender->send(charon->sender, packet);
+			response->destroy(response);
+		}
+	}
+}
+
+/**
+ * build a cookie
+ */
+static chunk_t cookie_build(private_receiver_t *this, message_t *message,
+							u_int32_t t, chunk_t secret)
+{
+	u_int64_t spi = message->get_initiator_spi(message);
+	host_t *ip = message->get_source(message);
+	chunk_t input, hash;
+
+	/* COOKIE = t | sha1( IPi | SPIi | t | secret ) */
+	input = chunk_cata("cccc", ip->get_address(ip), chunk_from_thing(spi),
+					  chunk_from_thing(t), secret);
+	hash = chunk_alloca(this->hasher->get_hash_size(this->hasher));
+	this->hasher->get_hash(this->hasher, input, hash.ptr);
+	return chunk_cat("cc", chunk_from_thing(t), hash);
+}
+
+/**
+ * verify a received cookie
+ */
+static bool cookie_verify(private_receiver_t *this, message_t *message,
+						  chunk_t cookie)
+{
+	u_int32_t t, now;
+	chunk_t reference;
+	chunk_t secret;
+
+	now = time_monotonic(NULL);
+	t = *(u_int32_t*)cookie.ptr;
+
+	if (cookie.len != sizeof(u_int32_t) +
+			this->hasher->get_hash_size(this->hasher) ||
+		t < now - this->secret_offset - COOKIE_LIFETIME)
+	{
+		DBG2(DBG_NET, "received cookie lifetime expired, rejecting");
+		return FALSE;
+	}
+
+	/* check if cookie is derived from old_secret */
+	if (t + this->secret_offset > this->secret_switch)
+	{
+		secret = chunk_from_thing(this->secret);
+	}
+	else
+	{
+		secret = chunk_from_thing(this->secret_old);
+	}
+
+	/* compare own calculation against received */
+	reference = cookie_build(this, message, t, secret);
+	if (chunk_equals(reference, cookie))
+	{
+		chunk_free(&reference);
+		return TRUE;
+	}
+	chunk_free(&reference);
+	return FALSE;
+}
+
+/**
+ * check if cookies are required, and if so, a valid cookie is included
+ */
+static bool cookie_required(private_receiver_t *this, message_t *message)
+{
+	bool failed = FALSE;
+
+	if (charon->ike_sa_manager->get_half_open_count(charon->ike_sa_manager,
+												NULL) >= this->cookie_threshold)
+	{
+		/* check for a cookie. We don't use our parser here and do it
+		 * quick and dirty for performance reasons.
+		 * we assume the cookie is the first payload (which is a MUST), and
+		 * the cookie's SPI length is zero. */
+		packet_t *packet = message->get_packet(message);
+		chunk_t data = packet->get_data(packet);
+		if (data.len <
+			 IKE_HEADER_LENGTH + NOTIFY_PAYLOAD_HEADER_LENGTH +
+			 sizeof(u_int32_t) + this->hasher->get_hash_size(this->hasher) ||
+			*(data.ptr + 16) != NOTIFY ||
+			*(u_int16_t*)(data.ptr + IKE_HEADER_LENGTH + 6) != htons(COOKIE))
+		{
+			/* no cookie found */
+			failed = TRUE;
+		}
+		else
+		{
+			data.ptr += IKE_HEADER_LENGTH + NOTIFY_PAYLOAD_HEADER_LENGTH;
+			data.len = sizeof(u_int32_t) + this->hasher->get_hash_size(this->hasher);
+			if (!cookie_verify(this, message, data))
+			{
+				DBG2(DBG_NET, "found cookie, but content invalid");
+				failed = TRUE;
+			}
+		}
+		packet->destroy(packet);
+	}
+	return failed;
+}
+
+/**
+ * check if peer has to many half open IKE_SAs
+ */
+static bool peer_to_aggressive(private_receiver_t *this, message_t *message)
+{
+	if (charon->ike_sa_manager->get_half_open_count(charon->ike_sa_manager,
+						message->get_source(message)) >= this->block_threshold)
+	{
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/**
+ * Job callback to receive packets
+ */
+static job_requeue_t receive_packets(private_receiver_t *this)
+{
+	packet_t *packet;
+	message_t *message;
+	job_t *job;
+
+	/* read in a packet */
+	if (charon->socket->receive(charon->socket, &packet) != SUCCESS)
+	{
+		DBG2(DBG_NET, "receiving from socket failed!");
+		return JOB_REQUEUE_FAIR;
+	}
+
+	/* parse message header */
+	message = message_create_from_packet(packet);
+	if (message->parse_header(message) != SUCCESS)
+	{
+		DBG1(DBG_NET, "received invalid IKE header from %H - ignored",
+			 packet->get_source(packet));
+		message->destroy(message);
+		return JOB_REQUEUE_DIRECT;
+	}
+
+	/* check IKE major version */
+	if (message->get_major_version(message) != IKE_MAJOR_VERSION)
+	{
+		DBG1(DBG_NET, "received unsupported IKE version %d.%d from %H, "
+			 "sending INVALID_MAJOR_VERSION", message->get_major_version(message),
+			 message->get_minor_version(message), packet->get_source(packet));
+		send_notify(message, INVALID_MAJOR_VERSION, chunk_empty);
+		message->destroy(message);
+		return JOB_REQUEUE_DIRECT;
+	}
+
+	if (message->get_request(message) &&
+		message->get_exchange_type(message) == IKE_SA_INIT)
+	{
+		/* check for cookies */
+		if (this->cookie_threshold && cookie_required(this, message))
+		{
+			u_int32_t now = time_monotonic(NULL);
+			chunk_t cookie = cookie_build(this, message, now - this->secret_offset,
+										  chunk_from_thing(this->secret));
+
+			DBG2(DBG_NET, "received packet from: %#H to %#H",
+				 message->get_source(message),
+				 message->get_destination(message));
+			DBG2(DBG_NET, "sending COOKIE notify to %H",
+				 message->get_source(message));
+			send_notify(message, COOKIE, cookie);
+			chunk_free(&cookie);
+			if (++this->secret_used > COOKIE_REUSE)
+			{
+				/* create new cookie */
+				DBG1(DBG_NET, "generating new cookie secret after %d uses",
+					 this->secret_used);
+				memcpy(this->secret_old, this->secret, SECRET_LENGTH);
+				this->rng->get_bytes(this->rng,	SECRET_LENGTH, this->secret);
+				this->secret_switch = now;
+				this->secret_used = 0;
+			}
+			message->destroy(message);
+			return JOB_REQUEUE_DIRECT;
+		}
+
+		/* check if peer has not too many IKE_SAs half open */
+		if (this->block_threshold && peer_to_aggressive(this, message))
+		{
+			DBG1(DBG_NET, "ignoring IKE_SA setup from %H, "
+				 "peer too aggressive", message->get_source(message));
+			message->destroy(message);
+			return JOB_REQUEUE_DIRECT;
+		}
+	}
+	job = (job_t*)process_message_job_create(message);
+	if (this->receive_delay)
+	{
+		charon->scheduler->schedule_job_ms(charon->scheduler,
+										   job, this->receive_delay);
+	}
+	else
+	{
+		charon->processor->queue_job(charon->processor, job);
+	}
+	return JOB_REQUEUE_DIRECT;
+}
+
+METHOD(receiver_t, destroy, void,
+	private_receiver_t *this)
+{
+	this->job->cancel(this->job);
+	this->rng->destroy(this->rng);
+	this->hasher->destroy(this->hasher);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+receiver_t *receiver_create()
+{
+	private_receiver_t *this;
+	u_int32_t now = time_monotonic(NULL);
+
+	INIT(this,
+		.public.destroy = _destroy,
+		.secret_switch = now,
+		.secret_offset = random() % now,
+	);
+
+	if (lib->settings->get_bool(lib->settings, "charon.dos_protection", TRUE))
+	{
+		this->cookie_threshold = lib->settings->get_int(lib->settings,
+						"charon.cookie_threshold", COOKIE_THRESHOLD_DEFAULT);
+		this->block_threshold = lib->settings->get_int(lib->settings,
+						"charon.block_threshold", BLOCK_THRESHOLD_DEFAULT);
+	}
+	this->receive_delay = lib->settings->get_int(lib->settings,
+						"charon.receive_delay", 0);
+
+	this->hasher = lib->crypto->create_hasher(lib->crypto, HASH_PREFERRED);
+	if (this->hasher == NULL)
+	{
+		DBG1(DBG_NET, "creating cookie hasher failed, no hashers supported");
+		free(this);
+		return NULL;
+	}
+	this->rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
+	if (this->rng == NULL)
+	{
+		DBG1(DBG_NET, "creating cookie RNG failed, no RNG supported");
+		this->hasher->destroy(this->hasher);
+		free(this);
+		return NULL;
+	}
+	this->rng->get_bytes(this->rng, SECRET_LENGTH, this->secret);
+	memcpy(this->secret_old, this->secret, SECRET_LENGTH);
+
+	this->job = callback_job_create((callback_job_cb_t)receive_packets,
+									this, NULL, NULL);
+	charon->processor->queue_job(charon->processor, (job_t*)this->job);
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/network/receiver.h b/src/libcharon/network/receiver.h
new file mode 100644
index 000000000..690d8dbab
--- /dev/null
+++ b/src/libcharon/network/receiver.h
@@ -0,0 +1,70 @@
+/*
+ * Copyright (C) 2005-2007 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup receiver receiver
+ * @{ @ingroup network
+ */
+
+#ifndef RECEIVER_H_
+#define RECEIVER_H_
+
+typedef struct receiver_t receiver_t;
+
+#include <library.h>
+#include <utils/host.h>
+
+/**
+ * Receives packets from the socket and adds them to the job queue.
+ *
+ * The receiver starts a thread, wich reads on the blocking socket. A received
+ * packet is preparsed and a process_message_job is queued in the job queue.
+ *
+ * To endure DoS attacks, cookies are enabled when to many IKE_SAs are half
+ * open. The calculation of cookies is slightly different from the proposed
+ * method in RFC4306. We do not include a nonce, because we think the advantage
+ * we gain does not justify the overhead to parse the whole message.
+ * Instead of VersionIdOfSecret, we include a timestamp. This allows us to
+ * find out wich key was used for cookie creation. Further, we can set a
+ * lifetime for the cookie, which allows us to reuse the secret for a longer
+ * time.
+ *		 COOKIE = time | sha1( IPi | SPIi | time | secret )
+ *
+ * The secret is changed after a certain amount of cookies sent. The old
+ * secret is stored to allow a clean migration between secret changes.
+ *
+ * Further, the number of half-initiated IKE_SAs is limited per peer. This
+ * mades it impossible for a peer to flood the server with its real IP address.
+ */
+struct receiver_t {
+
+	/**
+	 * Destroys a receiver_t object.
+	 */
+	void (*destroy) (receiver_t *receiver);
+};
+
+/**
+ * Create a receiver_t object.
+ *
+ * The receiver thread will start working, get data
+ * from the socket and add those packets to the job queue.
+ *
+ * @return	receiver_t object, NULL if initialization fails
+ */
+receiver_t * receiver_create(void);
+
+#endif /** RECEIVER_H_ @}*/
diff --git a/src/libcharon/network/sender.c b/src/libcharon/network/sender.c
new file mode 100644
index 000000000..c18f1138e
--- /dev/null
+++ b/src/libcharon/network/sender.c
@@ -0,0 +1,165 @@
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <unistd.h>
+#include <stdlib.h>
+
+#include "sender.h"
+
+#include <daemon.h>
+#include <network/socket.h>
+#include <processing/jobs/callback_job.h>
+#include <threading/thread.h>
+#include <threading/condvar.h>
+#include <threading/mutex.h>
+
+
+typedef struct private_sender_t private_sender_t;
+
+/**
+ * Private data of a sender_t object.
+ */
+struct private_sender_t {
+	/**
+	 * Public part of a sender_t object.
+	 */
+	sender_t public;
+
+	/**
+	 * Sender threads job.
+	 */
+	callback_job_t *job;
+
+	/**
+	 * The packets are stored in a linked list
+	 */
+	linked_list_t *list;
+
+	/**
+	 * mutex to synchronize access to list
+	 */
+	mutex_t *mutex;
+
+	/**
+	 * condvar to signal for packets added to list
+	 */
+	condvar_t *got;
+
+	/**
+	 * condvar to signal for packets sent
+	 */
+	condvar_t *sent;
+
+	/**
+	 * Delay for sending outgoing packets, to simulate larger RTT
+	 */
+	int send_delay;
+};
+
+METHOD(sender_t, send_, void,
+	private_sender_t *this, packet_t *packet)
+{
+	host_t *src, *dst;
+
+	src = packet->get_source(packet);
+	dst = packet->get_destination(packet);
+	DBG1(DBG_NET, "sending packet: from %#H to %#H", src, dst);
+
+	if (this->send_delay)
+	{
+		usleep(this->send_delay * 1000);
+	}
+
+	this->mutex->lock(this->mutex);
+	this->list->insert_last(this->list, packet);
+	this->got->signal(this->got);
+	this->mutex->unlock(this->mutex);
+}
+
+/**
+ * Job callback function to send packets
+ */
+static job_requeue_t send_packets(private_sender_t * this)
+{
+	packet_t *packet;
+	bool oldstate;
+
+	this->mutex->lock(this->mutex);
+	while (this->list->get_count(this->list) == 0)
+	{
+		/* add cleanup handler, wait for packet, remove cleanup handler */
+		thread_cleanup_push((thread_cleanup_t)this->mutex->unlock, this->mutex);
+		oldstate = thread_cancelability(TRUE);
+
+		this->got->wait(this->got, this->mutex);
+
+		thread_cancelability(oldstate);
+		thread_cleanup_pop(FALSE);
+	}
+	this->list->remove_first(this->list, (void**)&packet);
+	this->sent->signal(this->sent);
+	this->mutex->unlock(this->mutex);
+
+	charon->socket->send(charon->socket, packet);
+	packet->destroy(packet);
+	return JOB_REQUEUE_DIRECT;
+}
+
+METHOD(sender_t, destroy, void,
+	private_sender_t *this)
+{
+	/* send all packets in the queue */
+	this->mutex->lock(this->mutex);
+	while (this->list->get_count(this->list))
+	{
+		this->sent->wait(this->sent, this->mutex);
+	}
+	this->mutex->unlock(this->mutex);
+	this->job->cancel(this->job);
+	this->list->destroy(this->list);
+	this->got->destroy(this->got);
+	this->sent->destroy(this->sent);
+	this->mutex->destroy(this->mutex);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+sender_t * sender_create()
+{
+	private_sender_t *this;
+
+	INIT(this,
+		.public = {
+			.send = _send_,
+			.destroy = _destroy,
+		},
+		.list = linked_list_create(),
+		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+		.got = condvar_create(CONDVAR_TYPE_DEFAULT),
+		.sent = condvar_create(CONDVAR_TYPE_DEFAULT),
+		.job = callback_job_create((callback_job_cb_t)send_packets,
+									this, NULL, NULL),
+		.send_delay = lib->settings->get_int(lib->settings,
+											 "charon.send_delay", 0),
+	);
+
+	charon->processor->queue_job(charon->processor, (job_t*)this->job);
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/network/sender.h b/src/libcharon/network/sender.h
new file mode 100644
index 000000000..f77fadab2
--- /dev/null
+++ b/src/libcharon/network/sender.h
@@ -0,0 +1,62 @@
+/*
+ * Copyright (C) 2005-2007 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup sender sender
+ * @{ @ingroup network
+ */
+
+#ifndef SENDER_H_
+#define SENDER_H_
+
+typedef struct sender_t sender_t;
+
+#include <library.h>
+#include <network/packet.h>
+
+/**
+ * Thread responsible for sending packets over the socket.
+ */
+struct sender_t {
+
+	/**
+	 * Send a packet over the network.
+	 *
+	 * This function is non blocking and adds the packet to a queue.
+	 * Whenever the sender thread thinks it's good to send the packet,
+	 * it'll do so.
+	 *
+	 * @param packet	packet to send
+	 */
+	void (*send) (sender_t *this, packet_t *packet);
+
+	/**
+	 * Destroys a sender object.
+	 */
+	void (*destroy) (sender_t *this);
+};
+
+/**
+ * Create the sender thread.
+ *
+ * The thread will start to work, getting packets
+ * from its queue and sends them out.
+ *
+ * @return		created sender object
+ */
+sender_t * sender_create(void);
+
+#endif /** SENDER_H_ @}*/
diff --git a/src/libcharon/network/socket.h b/src/libcharon/network/socket.h
new file mode 100644
index 000000000..5c5a4edfb
--- /dev/null
+++ b/src/libcharon/network/socket.h
@@ -0,0 +1,64 @@
+/*
+ * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger
+ * Copyright (C) 2005-2010 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup socket socket
+ * @{ @ingroup network
+ */
+
+#ifndef SOCKET_H_
+#define SOCKET_H_
+
+typedef struct socket_t socket_t;
+
+#include <library.h>
+#include <network/packet.h>
+#include <utils/enumerator.h>
+
+/**
+ * Socket interface definition.
+ */
+struct socket_t {
+
+	/**
+	 * Receive a packet.
+	 *
+	 * Reads a packet from the socket and sets source/dest
+	 * appropriately.
+	 *
+	 * @param packet		pinter gets address from allocated packet_t
+	 * @return
+	 * 						- SUCCESS when packet successfully received
+	 * 						- FAILED when unable to receive
+	 */
+	status_t (*receive) (socket_t *this, packet_t **packet);
+
+	/**
+	 * Send a packet.
+	 *
+	 * Sends a packet to the net using source and destination addresses of
+	 * the packet.
+	 *
+	 * @param packet		packet_t to send
+	 * @return
+	 * 						- SUCCESS when packet successfully sent
+	 * 						- FAILED when unable to send
+	 */
+	status_t (*send) (socket_t *this, packet_t *packet);
+};
+
+#endif /** SOCKET_H_ @}*/
diff --git a/src/libcharon/network/socket_manager.c b/src/libcharon/network/socket_manager.c
new file mode 100644
index 000000000..0dbce4b1b
--- /dev/null
+++ b/src/libcharon/network/socket_manager.c
@@ -0,0 +1,129 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "socket_manager.h"
+
+#include <daemon.h>
+#include <threading/thread.h>
+#include <threading/rwlock.h>
+#include <utils/linked_list.h>
+
+typedef struct private_socket_manager_t private_socket_manager_t;
+
+/**
+ * Private data of an socket_manager_t object.
+ */
+struct private_socket_manager_t {
+
+	/**
+	 * Public socket_manager_t interface.
+	 */
+	socket_manager_t public;
+
+	/**
+	 * List of registered socket
+	 */
+	linked_list_t *sockets;
+
+	/**
+	 * Lock for sockets list
+	 */
+	rwlock_t *lock;
+};
+
+METHOD(socket_manager_t, receiver, status_t,
+	private_socket_manager_t *this, packet_t **packet)
+{
+	socket_t *socket;
+	status_t status;
+
+	this->lock->read_lock(this->lock);
+	if (this->sockets->get_first(this->sockets, (void**)&socket) != SUCCESS)
+	{
+		DBG1(DBG_NET, "no socket implementation registered, receiving failed");
+		this->lock->unlock(this->lock);
+		return NOT_SUPPORTED;
+	}
+	/* receive is blocking and the thread can be cancelled */
+	thread_cleanup_push((thread_cleanup_t)this->lock->unlock, this->lock);
+	status = socket->receive(socket, packet);
+	thread_cleanup_pop(TRUE);
+	return status;
+}
+
+METHOD(socket_manager_t, sender, status_t,
+	private_socket_manager_t *this, packet_t *packet)
+{
+	socket_t *socket;
+	status_t status;
+
+	this->lock->read_lock(this->lock);
+	if (this->sockets->get_first(this->sockets, (void**)&socket) != SUCCESS)
+	{
+		DBG1(DBG_NET, "no socket implementation registered, sending failed");
+		this->lock->unlock(this->lock);
+		return NOT_SUPPORTED;
+	}
+	status = socket->send(socket, packet);
+	this->lock->unlock(this->lock);
+	return status;
+}
+
+METHOD(socket_manager_t, add_socket, void,
+	private_socket_manager_t *this, socket_t *socket)
+{
+	this->lock->write_lock(this->lock);
+	this->sockets->insert_last(this->sockets, socket);
+	this->lock->unlock(this->lock);
+}
+
+METHOD(socket_manager_t, remove_socket, void,
+	private_socket_manager_t *this, socket_t *socket)
+{
+	this->lock->write_lock(this->lock);
+	this->sockets->remove(this->sockets, socket, NULL);
+	this->lock->unlock(this->lock);
+}
+
+METHOD(socket_manager_t, destroy, void,
+	private_socket_manager_t *this)
+{
+	this->sockets->destroy(this->sockets);
+	this->lock->destroy(this->lock);
+	free(this);
+}
+
+/**
+ * See header
+ */
+socket_manager_t *socket_manager_create()
+{
+	private_socket_manager_t *this;
+
+	INIT(this,
+		.public = {
+			.send = _sender,
+			.receive = _receiver,
+			.add_socket = _add_socket,
+			.remove_socket = _remove_socket,
+			.destroy = _destroy,
+		},
+		.sockets = linked_list_create(),
+		.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
+	);
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/network/socket_manager.h b/src/libcharon/network/socket_manager.h
new file mode 100644
index 000000000..b33d5c71c
--- /dev/null
+++ b/src/libcharon/network/socket_manager.h
@@ -0,0 +1,74 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup socket_manager socket_manager
+ * @{ @ingroup network
+ */
+
+#ifndef SOCKET_MANAGER_H_
+#define SOCKET_MANAGER_H_
+
+#include <network/socket.h>
+
+typedef struct socket_manager_t socket_manager_t;
+
+/**
+ * Handle pluggable socket implementations and send/receive packets through it.
+ */
+struct socket_manager_t {
+
+	/**
+	 * Receive a packet using the registered socket.
+	 *
+	 * @param packet		allocated packet that has been received
+	 * @return
+	 *						- SUCCESS when packet successfully received
+	 *						- FAILED when unable to receive
+	 */
+	status_t (*receive) (socket_manager_t *this, packet_t **packet);
+
+	/**
+	 * Send a packet using the registered socket.
+	 *
+	 * @param packet		packet to send out
+	 * @return
+	 *						- SUCCESS when packet successfully sent
+	 *						- FAILED when unable to send
+	 */
+	status_t (*send) (socket_manager_t *this, packet_t *packet);
+
+	/**
+	 * Register a socket implementation.
+	 */
+	void (*add_socket)(socket_manager_t *this, socket_t *socket);
+
+	/**
+	 * Unregister a registered socket implementation.
+	 */
+	void (*remove_socket)(socket_manager_t *this, socket_t *socket);
+
+	/**
+	 * Destroy a socket_manager_t.
+	 */
+	void (*destroy)(socket_manager_t *this);
+};
+
+/**
+ * Create a socket_manager instance.
+ */
+socket_manager_t *socket_manager_create();
+
+#endif /** SOCKET_MANAGER_H_ @}*/
diff --git a/src/libcharon/plugins/android/Makefile.am b/src/libcharon/plugins/android/Makefile.am
new file mode 100644
index 000000000..e8423589c
--- /dev/null
+++ b/src/libcharon/plugins/android/Makefile.am
@@ -0,0 +1,18 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-android.la
+else
+plugin_LTLIBRARIES = libstrongswan-android.la
+endif
+
+libstrongswan_android_la_SOURCES = \
+	android_plugin.c android_plugin.h \
+	android_handler.c android_handler.h
+
+libstrongswan_android_la_LDFLAGS = -module -avoid-version
+libstrongswan_android_la_LIBADD  = -lcutils
diff --git a/src/libcharon/plugins/android/Makefile.in b/src/libcharon/plugins/android/Makefile.in
new file mode 100644
index 000000000..9f12a9c75
--- /dev/null
+++ b/src/libcharon/plugins/android/Makefile.in
@@ -0,0 +1,590 @@
+# Makefile.in generated by automake 1.11 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libcharon/plugins/android
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_android_la_DEPENDENCIES =
+am_libstrongswan_android_la_OBJECTS = android_plugin.lo \
+	android_handler.lo
+libstrongswan_android_la_OBJECTS =  \
+	$(am_libstrongswan_android_la_OBJECTS)
+libstrongswan_android_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_android_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_android_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_android_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_android_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_android_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libhydra_plugins = @libhydra_plugins@
+libstrongswan_plugins = @libstrongswan_plugins@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-android.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-android.la
+libstrongswan_android_la_SOURCES = \
+	android_plugin.c android_plugin.h \
+	android_handler.c android_handler.h
+
+libstrongswan_android_la_LDFLAGS = -module -avoid-version
+libstrongswan_android_la_LIBADD = -lcutils
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/android/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libcharon/plugins/android/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-android.la: $(libstrongswan_android_la_OBJECTS) $(libstrongswan_android_la_DEPENDENCIES) 
+	$(libstrongswan_android_la_LINK) $(am_libstrongswan_android_la_rpath) $(libstrongswan_android_la_OBJECTS) $(libstrongswan_android_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/android_handler.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/android_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libcharon/plugins/android/android_handler.c b/src/libcharon/plugins/android/android_handler.c
new file mode 100644
index 000000000..a475eeaab
--- /dev/null
+++ b/src/libcharon/plugins/android/android_handler.c
@@ -0,0 +1,225 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "android_handler.h"
+
+#include <utils/linked_list.h>
+
+#include <cutils/properties.h>
+
+typedef struct private_android_handler_t private_android_handler_t;
+
+/**
+ * Private data of an android_handler_t object.
+ */
+struct private_android_handler_t {
+
+	/**
+	 * Public android_handler_t interface.
+	 */
+	android_handler_t public;
+
+	/**
+	 * List of registered DNS servers
+	 */
+	linked_list_t *dns;
+};
+
+/**
+ * Struct to store a pair of old and installed DNS servers
+ */
+typedef struct {
+	/** installed dns server */
+	host_t *dns;
+	/** old dns server */
+	host_t *old;
+} dns_pair_t;
+
+/**
+ * Destroy a pair of old and installed DNS servers
+ */
+void destroy_dns_pair(dns_pair_t *this)
+{
+	DESTROY_IF(this->dns);
+	DESTROY_IF(this->old);
+	free(this);
+}
+
+/**
+ * Filter pairs of DNS servers
+ */
+bool filter_dns_pair(void *data, dns_pair_t **in, host_t **out)
+{
+	*out = (*in)->dns;
+	return TRUE;
+}
+
+/**
+ * Read DNS server property with a given index
+ */
+host_t *get_dns_server(int index)
+{
+	host_t *dns = NULL;
+	char key[10], value[PROPERTY_VALUE_MAX];
+
+	if (snprintf(key, sizeof(key), "net.dns%d", index) >= sizeof(key))
+	{
+		return NULL;
+	}
+
+	if (property_get(key, value, NULL) > 0)
+	{
+		dns = host_create_from_string(value, 0);
+	}
+	return dns;
+}
+
+/**
+ * Set DNS server property with a given index
+ */
+bool set_dns_server(int index, host_t *dns)
+{
+	char key[10], value[PROPERTY_VALUE_MAX];
+
+	if (snprintf(key, sizeof(key), "net.dns%d", index) >= sizeof(key))
+	{
+		return FALSE;
+	}
+
+	if (dns)
+	{
+		if (snprintf(value, sizeof(value), "%H", dns) >= sizeof(value))
+		{
+			return FALSE;
+		}
+	}
+	else
+	{
+		value[0] = '\0';
+	}
+
+	if (property_set(key, value) != 0)
+	{
+		return FALSE;
+	}
+	return TRUE;
+}
+
+METHOD(attribute_handler_t, handle, bool,
+	private_android_handler_t *this, identification_t *id,
+	configuration_attribute_type_t type, chunk_t data)
+{
+	switch (type)
+	{
+		case INTERNAL_IP4_DNS:
+		{
+			host_t *dns;
+			dns_pair_t *pair;
+			int index;
+
+			dns = host_create_from_chunk(AF_INET, data, 0);
+			if (dns)
+			{
+				pair = malloc_thing(dns_pair_t);
+				pair->dns = dns;
+				index = this->dns->get_count(this->dns) + 1;
+				pair->old = get_dns_server(index);
+				set_dns_server(index, dns);
+				this->dns->insert_last(this->dns, pair);
+				return TRUE;
+			}
+			return FALSE;
+		}
+		default:
+			return FALSE;
+	}
+}
+
+METHOD(attribute_handler_t, release, void,
+	private_android_handler_t *this, identification_t *server,
+	configuration_attribute_type_t type, chunk_t data)
+{
+	if (type == INTERNAL_IP4_DNS)
+	{
+		enumerator_t *enumerator;
+		dns_pair_t *pair;
+		int index;
+
+		enumerator = this->dns->create_enumerator(this->dns);
+		for (index = 1; enumerator->enumerate(enumerator, &pair); index++)
+		{
+			if (chunk_equals(pair->dns->get_address(pair->dns), data))
+			{
+				this->dns->remove_at(this->dns, enumerator);
+				set_dns_server(index, pair->old);
+				destroy_dns_pair(pair);
+			}
+		}
+		enumerator->destroy(enumerator);
+	}
+}
+
+METHOD(enumerator_t, enumerate_dns, bool,
+	enumerator_t *this, configuration_attribute_type_t *type, chunk_t *data)
+{
+	*type = INTERNAL_IP4_DNS;
+	*data = chunk_empty;
+	/* stop enumeration */
+	this->enumerate = (void*)return_false;
+	return TRUE;
+}
+
+METHOD(attribute_handler_t, create_attribute_enumerator, enumerator_t *,
+	android_handler_t *this, identification_t *id, host_t *vip)
+{
+	enumerator_t *enumerator;
+
+	INIT(enumerator,
+		.enumerate = (void*)_enumerate_dns,
+		.destroy = (void*)free,
+	);
+	return enumerator;
+}
+
+METHOD(android_handler_t, destroy, void,
+	private_android_handler_t *this)
+{
+	this->dns->destroy_function(this->dns, (void*)destroy_dns_pair);
+	free(this);
+}
+
+/**
+ * See header
+ */
+android_handler_t *android_handler_create()
+{
+	private_android_handler_t *this;
+
+	INIT(this,
+		.public = {
+			.handler = {
+				.handle = _handle,
+				.release = _release,
+				.create_attribute_enumerator = _create_attribute_enumerator,
+			},
+			.destroy = _destroy,
+		},
+		.dns = linked_list_create(),
+	);
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/plugins/android/android_handler.h b/src/libcharon/plugins/android/android_handler.h
new file mode 100644
index 000000000..af620505b
--- /dev/null
+++ b/src/libcharon/plugins/android/android_handler.h
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup android_handler android_handler
+ * @{ @ingroup android
+ */
+
+#ifndef ANDROID_HANDLER_H_
+#define ANDROID_HANDLER_H_
+
+#include <attributes/attribute_handler.h>
+
+typedef struct android_handler_t android_handler_t;
+
+/**
+ * Android specific DNS attribute handler.
+ */
+struct android_handler_t {
+
+	/**
+	 * Implements attribute_handler_t.
+	 */
+	attribute_handler_t handler;
+
+	/**
+	 * Destroy a android_handler_t.
+	 */
+	void (*destroy)(android_handler_t *this);
+};
+
+/**
+ * Create a android_handler instance.
+ */
+android_handler_t *android_handler_create();
+
+#endif /** ANDROID_HANDLER_H_ @}*/
diff --git a/src/libcharon/plugins/android/android_plugin.c b/src/libcharon/plugins/android/android_plugin.c
new file mode 100644
index 000000000..9a558f53b
--- /dev/null
+++ b/src/libcharon/plugins/android/android_plugin.c
@@ -0,0 +1,66 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "android_plugin.h"
+#include "android_handler.h"
+
+#include <hydra.h>
+#include <daemon.h>
+
+typedef struct private_android_plugin_t private_android_plugin_t;
+
+/**
+ * Private data of an android_plugin_t object.
+ */
+struct private_android_plugin_t {
+
+	/**
+	 * Public android_plugin_t interface.
+	 */
+	android_plugin_t public;
+
+	/**
+	 * Android specific DNS handler
+	 */
+	android_handler_t *handler;
+};
+
+METHOD(plugin_t, destroy, void,
+	private_android_plugin_t *this)
+{
+	hydra->attributes->remove_handler(hydra->attributes, &this->handler->handler);
+	this->handler->destroy(this->handler);
+	free(this);
+}
+
+/**
+ * See header
+ */
+plugin_t *android_plugin_create()
+{
+	private_android_plugin_t *this;
+
+	INIT(this,
+		.public.plugin = {
+			.destroy = _destroy,
+		},
+		.handler = android_handler_create(),
+	);
+
+	hydra->attributes->add_handler(hydra->attributes, &this->handler->handler);
+
+	return &this->public.plugin;
+}
+
diff --git a/src/libcharon/plugins/android/android_plugin.h b/src/libcharon/plugins/android/android_plugin.h
new file mode 100644
index 000000000..987f2aa37
--- /dev/null
+++ b/src/libcharon/plugins/android/android_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup android android
+ * @ingroup cplugins
+ *
+ * @defgroup android_plugin android_plugin
+ * @{ @ingroup android
+ */
+
+#ifndef ANDROID_PLUGIN_H_
+#define ANDROID_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct android_plugin_t android_plugin_t;
+
+/**
+ * Plugin providing functionality specific to the Android platform.
+ */
+struct android_plugin_t {
+
+	/**
+	 * Implements plugin interface.
+	 */
+	plugin_t plugin;
+};
+
+#endif /** ANDROID_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/dhcp/Makefile.am b/src/libcharon/plugins/dhcp/Makefile.am
new file mode 100644
index 000000000..45d7536be
--- /dev/null
+++ b/src/libcharon/plugins/dhcp/Makefile.am
@@ -0,0 +1,18 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-dhcp.la
+else
+plugin_LTLIBRARIES = libstrongswan-dhcp.la
+endif
+
+libstrongswan_dhcp_la_SOURCES = dhcp_plugin.h dhcp_plugin.c \
+	dhcp_provider.h dhcp_provider.c \
+	dhcp_socket.h dhcp_socket.c \
+	dhcp_transaction.h dhcp_transaction.c
+
+libstrongswan_dhcp_la_LDFLAGS = -module -avoid-version
diff --git a/src/libcharon/plugins/dhcp/Makefile.in b/src/libcharon/plugins/dhcp/Makefile.in
new file mode 100644
index 000000000..7606b963c
--- /dev/null
+++ b/src/libcharon/plugins/dhcp/Makefile.in
@@ -0,0 +1,590 @@
+# Makefile.in generated by automake 1.11 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libcharon/plugins/dhcp
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_dhcp_la_LIBADD =
+am_libstrongswan_dhcp_la_OBJECTS = dhcp_plugin.lo dhcp_provider.lo \
+	dhcp_socket.lo dhcp_transaction.lo
+libstrongswan_dhcp_la_OBJECTS = $(am_libstrongswan_dhcp_la_OBJECTS)
+libstrongswan_dhcp_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_dhcp_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_dhcp_la_rpath = -rpath $(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_dhcp_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_dhcp_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_dhcp_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libhydra_plugins = @libhydra_plugins@
+libstrongswan_plugins = @libstrongswan_plugins@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-dhcp.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-dhcp.la
+libstrongswan_dhcp_la_SOURCES = dhcp_plugin.h dhcp_plugin.c \
+	dhcp_provider.h dhcp_provider.c \
+	dhcp_socket.h dhcp_socket.c \
+	dhcp_transaction.h dhcp_transaction.c
+
+libstrongswan_dhcp_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/dhcp/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libcharon/plugins/dhcp/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-dhcp.la: $(libstrongswan_dhcp_la_OBJECTS) $(libstrongswan_dhcp_la_DEPENDENCIES) 
+	$(libstrongswan_dhcp_la_LINK) $(am_libstrongswan_dhcp_la_rpath) $(libstrongswan_dhcp_la_OBJECTS) $(libstrongswan_dhcp_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/dhcp_plugin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/dhcp_provider.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/dhcp_socket.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/dhcp_transaction.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libcharon/plugins/dhcp/dhcp_plugin.c b/src/libcharon/plugins/dhcp/dhcp_plugin.c
new file mode 100644
index 000000000..829fd6356
--- /dev/null
+++ b/src/libcharon/plugins/dhcp/dhcp_plugin.c
@@ -0,0 +1,81 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "dhcp_plugin.h"
+
+#include <hydra.h>
+#include <daemon.h>
+
+#include "dhcp_socket.h"
+#include "dhcp_provider.h"
+
+typedef struct private_dhcp_plugin_t private_dhcp_plugin_t;
+
+/**
+ * private data of dhcp plugin
+ */
+struct private_dhcp_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	dhcp_plugin_t public;
+
+	/**
+	 * DHCP communication socket
+	 */
+	dhcp_socket_t *socket;
+
+	/**
+	 * Attribute provider
+	 */
+	dhcp_provider_t *provider;
+};
+
+METHOD(plugin_t, destroy, void,
+	private_dhcp_plugin_t *this)
+{
+	hydra->attributes->remove_provider(hydra->attributes,
+									   &this->provider->provider);
+	this->provider->destroy(this->provider);
+	this->socket->destroy(this->socket);
+	free(this);
+}
+
+/**
+ * Plugin constructor.
+ */
+plugin_t *dhcp_plugin_create()
+{
+	private_dhcp_plugin_t *this;
+
+	INIT(this,
+		.public.plugin.destroy = _destroy,
+		.socket = dhcp_socket_create(),
+	);
+
+	if (!this->socket)
+	{
+		free(this);
+		return NULL;
+	}
+
+	this->provider = dhcp_provider_create(this->socket);
+	hydra->attributes->add_provider(hydra->attributes,
+									&this->provider->provider);
+
+	return &this->public.plugin;
+}
+
diff --git a/src/libcharon/plugins/dhcp/dhcp_plugin.h b/src/libcharon/plugins/dhcp/dhcp_plugin.h
new file mode 100644
index 000000000..b21b44d28
--- /dev/null
+++ b/src/libcharon/plugins/dhcp/dhcp_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup dhcp dhcp
+ * @ingroup cplugins
+ *
+ * @defgroup dhcp_plugin dhcp_plugin
+ * @{ @ingroup dhcp
+ */
+
+#ifndef DHCP_PLUGIN_H_
+#define DHCP_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct dhcp_plugin_t dhcp_plugin_t;
+
+/**
+ * DHCP based attribute provider plugin.
+ */
+struct dhcp_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+#endif /** DHCP_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/dhcp/dhcp_provider.c b/src/libcharon/plugins/dhcp/dhcp_provider.c
new file mode 100644
index 000000000..dbcceb6ce
--- /dev/null
+++ b/src/libcharon/plugins/dhcp/dhcp_provider.c
@@ -0,0 +1,194 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "dhcp_provider.h"
+
+#include <utils/hashtable.h>
+#include <threading/mutex.h>
+
+typedef struct private_dhcp_provider_t private_dhcp_provider_t;
+
+/**
+ * Private data of an dhcp_provider_t object.
+ */
+struct private_dhcp_provider_t {
+
+	/**
+	 * Public dhcp_provider_t interface.
+	 */
+	dhcp_provider_t public;
+
+	/**
+	 * Completed DHCP transactions
+	 */
+	hashtable_t *transactions;
+
+	/**
+	 * Lock for transactions
+	 */
+	mutex_t *mutex;
+
+	/**
+	 * DHCP communication socket
+	 */
+	dhcp_socket_t *socket;
+};
+
+/**
+ * Hashtable hash function
+ */
+static u_int hash(void *key)
+{
+	return (uintptr_t)key;
+}
+
+/**
+ * Hashtable equals function
+ */
+static bool equals(void *a, void *b)
+{
+	return a == b;
+}
+
+/**
+ * Hash ID and host to a key
+ */
+static uintptr_t hash_id_host(identification_t *id, host_t *host)
+{
+	return chunk_hash_inc(id->get_encoding(id),
+						  chunk_hash(host->get_address(host)));
+}
+
+/**
+ * Hash a DHCP transaction to a key, using address and id
+ */
+static uintptr_t hash_transaction(dhcp_transaction_t *transaction)
+{
+	return hash_id_host(transaction->get_identity(transaction),
+						transaction->get_address(transaction));
+}
+
+METHOD(attribute_provider_t, acquire_address, host_t*,
+	private_dhcp_provider_t *this, char *pool,
+	identification_t *id, host_t *requested)
+{
+	if (streq(pool, "dhcp"))
+	{
+		dhcp_transaction_t *transaction, *old;
+		host_t *vip;
+
+		transaction = this->socket->enroll(this->socket, id);
+		if (!transaction)
+		{
+			return NULL;
+		}
+		vip = transaction->get_address(transaction);
+		vip = vip->clone(vip);
+		this->mutex->lock(this->mutex);
+		old = this->transactions->put(this->transactions,
+							(void*)hash_transaction(transaction), transaction);
+		this->mutex->unlock(this->mutex);
+		DESTROY_IF(old);
+		return vip;
+	}
+	return NULL;
+}
+
+METHOD(attribute_provider_t, release_address, bool,
+	private_dhcp_provider_t *this, char *pool,
+	host_t *address, identification_t *id)
+{
+	if (streq(pool, "dhcp"))
+	{
+		dhcp_transaction_t *transaction;
+
+		this->mutex->lock(this->mutex);
+		transaction = this->transactions->remove(this->transactions,
+										(void*)hash_id_host(id, address));
+		this->mutex->unlock(this->mutex);
+		if (transaction)
+		{
+			this->socket->release(this->socket, transaction);
+			transaction->destroy(transaction);
+			return TRUE;
+		}
+	}
+	return FALSE;
+}
+
+METHOD(attribute_provider_t, create_attribute_enumerator, enumerator_t*,
+	private_dhcp_provider_t *this, identification_t *id, host_t *vip)
+{
+	dhcp_transaction_t *transaction;
+
+	if (!vip)
+	{
+		return NULL;
+	}
+	this->mutex->lock(this->mutex);
+	transaction = this->transactions->get(this->transactions,
+										  (void*)hash_id_host(id, vip));
+	if (!transaction)
+	{
+		this->mutex->unlock(this->mutex);
+		return NULL;
+	}
+	return enumerator_create_cleaner(
+						transaction->create_attribute_enumerator(transaction),
+						(void*)this->mutex->unlock, this->mutex);
+}
+
+METHOD(dhcp_provider_t, destroy, void,
+	private_dhcp_provider_t *this)
+{
+	enumerator_t *enumerator;
+	dhcp_transaction_t *value;
+	void *key;
+
+	enumerator = this->transactions->create_enumerator(this->transactions);
+	while (enumerator->enumerate(enumerator, &key, &value))
+	{
+		value->destroy(value);
+	}
+	enumerator->destroy(enumerator);
+	this->transactions->destroy(this->transactions);
+	this->mutex->destroy(this->mutex);
+	free(this);
+}
+
+/**
+ * See header
+ */
+dhcp_provider_t *dhcp_provider_create(dhcp_socket_t *socket)
+{
+	private_dhcp_provider_t *this;
+
+	INIT(this,
+		.public = {
+			.provider = {
+				.acquire_address = _acquire_address,
+				.release_address = _release_address,
+				.create_attribute_enumerator = _create_attribute_enumerator,
+			},
+			.destroy = _destroy,
+		},
+		.socket = socket,
+		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+		.transactions = hashtable_create(hash, equals, 8),
+	);
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/plugins/dhcp/dhcp_provider.h b/src/libcharon/plugins/dhcp/dhcp_provider.h
new file mode 100644
index 000000000..e720e876c
--- /dev/null
+++ b/src/libcharon/plugins/dhcp/dhcp_provider.h
@@ -0,0 +1,54 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup dhcp_provider dhcp_provider
+ * @{ @ingroup dhcp
+ */
+
+#ifndef DHCP_PROVIDER_H_
+#define DHCP_PROVIDER_H_
+
+typedef struct dhcp_provider_t dhcp_provider_t;
+
+#include "dhcp_socket.h"
+
+#include <attributes/attribute_provider.h>
+
+/**
+ * DHCP based attribute provider.
+ */
+struct dhcp_provider_t {
+
+	/**
+	 * Implements attribute_provier_t interface.
+	 */
+	attribute_provider_t provider;
+
+	/**
+	 * Destroy a dhcp_provider_t.
+	 */
+	void (*destroy)(dhcp_provider_t *this);
+};
+
+/**
+ * Create a dhcp_provider instance.
+ *
+ * @param socket		socket to use for DHCP communication
+ * @return				provider instance
+ */
+dhcp_provider_t *dhcp_provider_create(dhcp_socket_t *socket);
+
+#endif /** DHCP_PROVIDER_H_ @}*/
diff --git a/src/libcharon/plugins/dhcp/dhcp_socket.c b/src/libcharon/plugins/dhcp/dhcp_socket.c
new file mode 100644
index 000000000..f61b3a60e
--- /dev/null
+++ b/src/libcharon/plugins/dhcp/dhcp_socket.c
@@ -0,0 +1,758 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "dhcp_socket.h"
+
+#include <unistd.h>
+#include <errno.h>
+#include <string.h>
+#include <netinet/in.h>
+#include <netinet/ip.h>
+#include <netinet/udp.h>
+#include <linux/if_arp.h>
+#include <linux/if_ether.h>
+#include <linux/filter.h>
+
+#include <utils/linked_list.h>
+#include <utils/identification.h>
+#include <threading/mutex.h>
+#include <threading/condvar.h>
+#include <threading/thread.h>
+
+#include <daemon.h>
+#include <processing/jobs/callback_job.h>
+
+#define DHCP_SERVER_PORT 67
+#define DHCP_CLIENT_PORT 68
+#define DHCP_TRIES 5
+
+typedef struct private_dhcp_socket_t private_dhcp_socket_t;
+
+/**
+ * Private data of an dhcp_socket_t object.
+ */
+struct private_dhcp_socket_t {
+
+	/**
+	 * Public dhcp_socket_t interface.
+	 */
+	dhcp_socket_t public;
+
+	/**
+	 * Random number generator
+	 */
+	rng_t *rng;
+
+	/**
+	 * List of transactions in DISCOVER
+	 */
+	linked_list_t *discover;
+
+	/**
+	 * List of transactions in REQUEST
+	 */
+	linked_list_t *request;
+
+	/**
+	 * List of successfully completed transactions
+	 */
+	linked_list_t *completed;
+
+	/**
+	 * Lock for transactions
+	 */
+	mutex_t *mutex;
+
+	/**
+	 * Condvar to wait for transaction completion
+	 */
+	condvar_t *condvar;
+
+	/**
+	 * Threads waiting in condvar
+	 */
+	int waiting;
+
+	/**
+	 * DHCP send socket
+	 */
+	int send;
+
+	/**
+	 * DHCP receive socket
+	 */
+	int receive;
+
+	/**
+	 * Do we use per-identity or random leases (and MAC addresses)
+	 */
+	bool identity_lease;
+
+	/**
+	 * DHCP server address, or broadcast
+	 */
+	host_t *dst;
+
+	/**
+	 * Callback job receiving DHCP responses
+	 */
+	callback_job_t *job;
+};
+
+/**
+ * DHCP opcode (or BOOTP actually)
+ */
+typedef enum {
+	BOOTREQUEST = 1,
+	BOOTREPLY = 2,
+} dhcp_opcode_t;
+
+/**
+ * Some DHCP options used
+ */
+typedef enum {
+	DHCP_DNS_SERVER = 6,
+	DHCP_HOST_NAME = 12,
+	DHCP_NBNS_SERVER = 44,
+	DHCP_REQUESTED_IP = 50,
+	DHCP_MESSAGE_TYPE = 53,
+	DHCP_SERVER_ID = 54,
+	DHCP_PARAM_REQ_LIST = 55,
+	DHCP_CLIENT_ID = 61,
+	DHCP_OPTEND = 255,
+} dhcp_option_type_t;
+
+/**
+ * DHCP messages types in the DHCP_MESSAGE_TYPE option
+ */
+typedef enum {
+	DHCP_DISCOVER = 1,
+	DHCP_OFFER = 2,
+	DHCP_REQUEST = 3,
+	DHCP_DECLINE = 4,
+	DHCP_ACK = 5,
+	DHCP_NAK = 6,
+	DHCP_RELEASE = 7,
+	DHCP_INFORM = 8,
+} dhcp_message_type_t;
+/**
+ * DHCP option encoding, a TLV
+ */
+typedef struct __attribute__((packed)) {
+	u_int8_t type;
+	u_int8_t len;
+	char data[];
+} dhcp_option_t;
+
+/**
+ * DHCP message format, with a maximum size options buffer
+ */
+typedef struct __attribute__((packed)) {
+	u_int8_t opcode;
+	u_int8_t hw_type;
+	u_int8_t hw_addr_len;
+	u_int8_t hop_count;
+	u_int32_t transaction_id;
+	u_int16_t number_of_seconds;
+	u_int16_t flags;
+	u_int32_t client_address;
+	u_int32_t your_address;
+	u_int32_t server_address;
+	u_int32_t gateway_address;
+	char client_hw_addr[6];
+	char client_hw_padding[10];
+	char server_hostname[64];
+	char boot_filename[128];
+	u_int32_t magic_cookie;
+	char options[252];
+} dhcp_t;
+
+/**
+ * Prepare a DHCP message for a given transaction
+ */
+static int prepare_dhcp(private_dhcp_socket_t *this,
+						dhcp_transaction_t *transaction,
+						dhcp_message_type_t type, dhcp_t *dhcp)
+{
+	chunk_t chunk, broadcast = chunk_from_chars(0xFF,0xFF,0xFF,0xFF);
+	identification_t *identity;
+	dhcp_option_t *option;
+	int optlen = 0;
+	host_t *src;
+	u_int32_t id;
+
+	memset(dhcp, 0, sizeof(*dhcp));
+	dhcp->opcode = BOOTREQUEST;
+	dhcp->hw_type = ARPHRD_ETHER;
+	dhcp->hw_addr_len = 6;
+	dhcp->transaction_id = transaction->get_id(transaction);
+	if (chunk_equals(broadcast, this->dst->get_address(this->dst)))
+	{
+		/* TODO: send with 0.0.0.0 source address */
+	}
+	else
+	{
+		/* act as relay agent */
+		src = charon->kernel_interface->get_source_addr(
+									charon->kernel_interface, this->dst, NULL);
+		if (src)
+		{
+			memcpy(&dhcp->gateway_address, src->get_address(src).ptr,
+				   sizeof(dhcp->gateway_address));
+			src->destroy(src);
+		}
+	}
+
+	identity = transaction->get_identity(transaction);
+	chunk = identity->get_encoding(identity);
+	/* magic bytes, a locally administered unicast MAC */
+	dhcp->client_hw_addr[0] = 0x7A;
+	dhcp->client_hw_addr[1] = 0xA7;
+	/* with ID specific postfix */
+	if (this->identity_lease)
+	{
+		id = htonl(chunk_hash(chunk));
+	}
+	else
+	{
+		id = transaction->get_id(transaction);
+	}
+	memcpy(&dhcp->client_hw_addr[2], &id, sizeof(id));
+
+	dhcp->magic_cookie = htonl(0x63825363);
+
+	option = (dhcp_option_t*)&dhcp->options[optlen];
+	option->type = DHCP_MESSAGE_TYPE;
+	option->len = 1;
+	option->data[0] = type;
+	optlen += sizeof(dhcp_option_t) + option->len;
+
+	if (identity->get_type(identity) == ID_FQDN)
+	{
+		option = (dhcp_option_t*)&dhcp->options[optlen];
+		option->type = DHCP_HOST_NAME;
+		option->len = min(chunk.len, 64);
+		memcpy(option->data, chunk.ptr, option->len);
+		optlen += sizeof(dhcp_option_t) + option->len;
+	}
+
+	option = (dhcp_option_t*)&dhcp->options[optlen];
+	option->type = DHCP_CLIENT_ID;
+	option->len = min(chunk.len, 64);
+	memcpy(option->data, chunk.ptr, option->len);
+	optlen += sizeof(dhcp_option_t) + option->len;
+
+	return optlen;
+}
+
+/**
+ * Send a DHCP message with given options length
+ */
+static bool send_dhcp(private_dhcp_socket_t *this,
+					  dhcp_transaction_t *transaction, dhcp_t *dhcp, int optlen)
+{
+	host_t *dst;
+	ssize_t len;
+
+	dst = transaction->get_server(transaction);
+	if (!dst)
+	{
+		dst = this->dst;
+	}
+	len = offsetof(dhcp_t, magic_cookie) + ((optlen + 4) / 64 * 64 + 64);
+	return sendto(this->send, dhcp, len, 0, dst->get_sockaddr(dst),
+				  *dst->get_sockaddr_len(dst)) == len;
+}
+
+/**
+ * Send DHCP discover using a given transaction
+ */
+static bool discover(private_dhcp_socket_t *this,
+					 dhcp_transaction_t *transaction)
+{
+	dhcp_option_t *option;
+	dhcp_t dhcp;
+	int optlen;
+
+	optlen = prepare_dhcp(this, transaction, DHCP_DISCOVER, &dhcp);
+
+	DBG1(DBG_CFG, "sending DHCP DISCOVER to %H", this->dst);
+
+	option = (dhcp_option_t*)&dhcp.options[optlen];
+	option->type = DHCP_PARAM_REQ_LIST;
+	option->len = 2;
+	option->data[0] = DHCP_DNS_SERVER;
+	option->data[1] = DHCP_NBNS_SERVER;
+	optlen += sizeof(dhcp_option_t) + option->len;
+
+	dhcp.options[optlen++] = DHCP_OPTEND;
+
+	if (!send_dhcp(this, transaction, &dhcp, optlen))
+	{
+		DBG1(DBG_CFG, "sending DHCP DISCOVER failed: %s", strerror(errno));
+		return FALSE;
+	}
+	return TRUE;
+}
+
+/**
+ * Send DHCP request using a given transaction
+ */
+static bool request(private_dhcp_socket_t *this,
+					dhcp_transaction_t *transaction)
+{
+	dhcp_option_t *option;
+	dhcp_t dhcp;
+	host_t *offer, *server;
+	chunk_t chunk;
+	int optlen;
+
+	optlen = prepare_dhcp(this, transaction, DHCP_REQUEST, &dhcp);
+
+	offer = transaction->get_address(transaction);
+	server = transaction->get_server(transaction);
+	if (!offer || !server)
+	{
+		return FALSE;
+	}
+	DBG1(DBG_CFG, "sending DHCP REQUEST for %H to %H", offer, server);
+
+	option = (dhcp_option_t*)&dhcp.options[optlen];
+	option->type = DHCP_REQUESTED_IP;
+	option->len = 4;
+	chunk = offer->get_address(offer);
+	memcpy(option->data, chunk.ptr, min(chunk.len, option->len));
+	optlen += sizeof(dhcp_option_t) + option->len;
+
+	option = (dhcp_option_t*)&dhcp.options[optlen];
+	option->type = DHCP_SERVER_ID;
+	option->len = 4;
+	chunk = server->get_address(server);
+	memcpy(option->data, chunk.ptr, min(chunk.len, option->len));
+	optlen += sizeof(dhcp_option_t) + option->len;
+
+	option = (dhcp_option_t*)&dhcp.options[optlen];
+	option->type = DHCP_PARAM_REQ_LIST;
+	option->len = 2;
+	option->data[0] = DHCP_DNS_SERVER;
+	option->data[1] = DHCP_NBNS_SERVER;
+	optlen += sizeof(dhcp_option_t) + option->len;
+
+	dhcp.options[optlen++] = DHCP_OPTEND;
+
+	if (!send_dhcp(this, transaction, &dhcp, optlen))
+	{
+		DBG1(DBG_CFG, "sending DHCP REQUEST failed: %s", strerror(errno));
+		return FALSE;
+	}
+	return TRUE;
+}
+
+METHOD(dhcp_socket_t, enroll, dhcp_transaction_t*,
+	private_dhcp_socket_t *this, identification_t *identity)
+{
+	dhcp_transaction_t *transaction;
+	u_int32_t id;
+	int try;
+
+	this->rng->get_bytes(this->rng, sizeof(id), (u_int8_t*)&id);
+	transaction = dhcp_transaction_create(id, identity);
+
+	this->mutex->lock(this->mutex);
+	this->discover->insert_last(this->discover, transaction);
+	try = 1;
+	while (try <= DHCP_TRIES && discover(this, transaction))
+	{
+		if (!this->condvar->timed_wait(this->condvar, this->mutex, 1000 * try) &&
+			this->request->find_first(this->request, NULL,
+									  (void**)&transaction) == SUCCESS)
+		{
+			break;
+		}
+		try++;
+	}
+	if (this->discover->remove(this->discover, transaction, NULL))
+	{	/* no OFFER received */
+		this->mutex->unlock(this->mutex);
+		transaction->destroy(transaction);
+		DBG1(DBG_CFG, "DHCP DISCOVER timed out");
+		return NULL;
+	}
+
+	try = 1;
+	while (try <= DHCP_TRIES && request(this, transaction))
+	{
+		if (!this->condvar->timed_wait(this->condvar, this->mutex, 1000 * try) &&
+			this->completed->remove(this->completed, transaction, NULL))
+		{
+			break;
+		}
+		try++;
+	}
+	if (this->request->remove(this->request, transaction, NULL))
+	{	/* no ACK received */
+		this->mutex->unlock(this->mutex);
+		transaction->destroy(transaction);
+		DBG1(DBG_CFG, "DHCP REQUEST timed out");
+		return NULL;
+	}
+	this->mutex->unlock(this->mutex);
+
+	return transaction;
+}
+
+METHOD(dhcp_socket_t, release, void,
+	private_dhcp_socket_t *this, dhcp_transaction_t *transaction)
+{
+	dhcp_option_t *option;
+	dhcp_t dhcp;
+	host_t *release, *server;
+	chunk_t chunk;
+	int optlen;
+
+	optlen = prepare_dhcp(this, transaction, DHCP_RELEASE, &dhcp);
+
+	release = transaction->get_address(transaction);
+	server = transaction->get_server(transaction);
+	if (!release || !server)
+	{
+		return;
+	}
+	DBG1(DBG_CFG, "sending DHCP RELEASE for %H to %H", release, server);
+
+	chunk = release->get_address(release);
+	memcpy(&dhcp.client_address, chunk.ptr,
+		   min(chunk.len, sizeof(dhcp.client_address)));
+
+	option = (dhcp_option_t*)&dhcp.options[optlen];
+	option->type = DHCP_SERVER_ID;
+	option->len = 4;
+	chunk = server->get_address(server);
+	memcpy(option->data, chunk.ptr, min(chunk.len, option->len));
+	optlen += sizeof(dhcp_option_t) + option->len;
+
+	dhcp.options[optlen++] = DHCP_OPTEND;
+
+	if (!send_dhcp(this, transaction, &dhcp, optlen))
+	{
+		DBG1(DBG_CFG, "sending DHCP RELEASE failed: %s", strerror(errno));
+	}
+}
+
+/**
+ * Handle a DHCP OFFER
+ */
+static void handle_offer(private_dhcp_socket_t *this, dhcp_t *dhcp, int optlen)
+{
+	dhcp_transaction_t *transaction = NULL;
+	enumerator_t *enumerator;
+	host_t *offer, *server;
+
+	offer = host_create_from_chunk(AF_INET,
+					chunk_from_thing(dhcp->your_address), 0);
+	server = host_create_from_chunk(AF_INET,
+					chunk_from_thing(dhcp->server_address), DHCP_SERVER_PORT);
+
+	this->mutex->lock(this->mutex);
+	enumerator = this->discover->create_enumerator(this->discover);
+	while (enumerator->enumerate(enumerator, &transaction))
+	{
+		if (transaction->get_id(transaction) == dhcp->transaction_id)
+		{
+			DBG1(DBG_CFG, "received DHCP OFFER %H from %H", offer, server);
+			this->discover->remove_at(this->discover, enumerator);
+			this->request->insert_last(this->request, transaction);
+			transaction->set_address(transaction, offer->clone(offer));
+			transaction->set_server(transaction, server->clone(server));
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	if (transaction)
+	{
+		int optsize, optpos = 0, pos;
+		dhcp_option_t *option;
+
+		while (optlen > sizeof(dhcp_option_t))
+		{
+			option = (dhcp_option_t*)&dhcp->options[optpos];
+			optsize = sizeof(dhcp_option_t) + option->len;
+			if (option->type == DHCP_OPTEND || optlen < optsize)
+			{
+				break;
+			}
+			if (option->type == DHCP_DNS_SERVER ||
+				option->type == DHCP_NBNS_SERVER)
+			{
+				for (pos = 0; pos + 4 <= option->len; pos += 4)
+				{
+					transaction->add_attribute(transaction, option->type ==
+						DHCP_DNS_SERVER ? INTERNAL_IP4_DNS : INTERNAL_IP4_NBNS,
+						chunk_create((char*)&option->data[pos], 4));
+				}
+			}
+			optlen -= optsize;
+			optpos += optsize;
+		}
+	}
+	this->mutex->unlock(this->mutex);
+	this->condvar->broadcast(this->condvar);
+	offer->destroy(offer);
+	server->destroy(server);
+}
+
+/**
+ * Handle a DHCP ACK
+ */
+static void handle_ack(private_dhcp_socket_t *this, dhcp_t *dhcp, int optlen)
+{
+	dhcp_transaction_t *transaction;
+	enumerator_t *enumerator;
+	host_t *offer;
+
+	offer = host_create_from_chunk(AF_INET,
+						chunk_from_thing(dhcp->your_address), 0);
+
+	this->mutex->lock(this->mutex);
+	enumerator = this->request->create_enumerator(this->request);
+	while (enumerator->enumerate(enumerator, &transaction))
+	{
+		if (transaction->get_id(transaction) == dhcp->transaction_id)
+		{
+			DBG1(DBG_CFG, "received DHCP ACK for %H", offer);
+			this->request->remove_at(this->request, enumerator);
+			this->completed->insert_last(this->completed, transaction);
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->mutex->unlock(this->mutex);
+	this->condvar->broadcast(this->condvar);
+	offer->destroy(offer);
+}
+
+/**
+ * Receive DHCP responses
+ */
+static job_requeue_t receive_dhcp(private_dhcp_socket_t *this)
+{
+	struct sockaddr_ll addr;
+	socklen_t addr_len = sizeof(addr);
+	struct __attribute__((packed)) {
+		struct iphdr ip;
+		struct udphdr udp;
+		dhcp_t dhcp;
+	} packet;
+	int oldstate, optlen, origoptlen, optsize, optpos = 0;
+	ssize_t len;
+	dhcp_option_t *option;
+
+	oldstate = thread_cancelability(TRUE);
+	len = recvfrom(this->receive, &packet, sizeof(packet), 0,
+					(struct sockaddr*)&addr, &addr_len);
+	thread_cancelability(oldstate);
+
+	if (len >= sizeof(struct iphdr) + sizeof(struct udphdr) +
+		offsetof(dhcp_t, options))
+	{
+		origoptlen = optlen = len - sizeof(struct iphdr) +
+					 sizeof(struct udphdr) + offsetof(dhcp_t, options);
+		while (optlen > sizeof(dhcp_option_t))
+		{
+			option = (dhcp_option_t*)&packet.dhcp.options[optpos];
+			optsize = sizeof(dhcp_option_t) + option->len;
+			if (option->type == DHCP_OPTEND || optlen < optsize)
+			{
+				break;
+			}
+			if (option->type == DHCP_MESSAGE_TYPE && option->len == 1)
+			{
+				switch (option->data[0])
+				{
+					case DHCP_OFFER:
+						handle_offer(this, &packet.dhcp, origoptlen);
+						break;
+					case DHCP_ACK:
+						handle_ack(this, &packet.dhcp, origoptlen);
+					default:
+						break;
+				}
+				break;
+			}
+			optlen -= optsize;
+			optpos += optsize;
+		}
+	}
+	return JOB_REQUEUE_DIRECT;
+}
+
+METHOD(dhcp_socket_t, destroy, void,
+	private_dhcp_socket_t *this)
+{
+	if (this->job)
+	{
+		this->job->cancel(this->job);
+	}
+	while (this->waiting)
+	{
+		this->condvar->signal(this->condvar);
+	}
+	if (this->send > 0)
+	{
+		close(this->send);
+	}
+	if (this->receive > 0)
+	{
+		close(this->receive);
+	}
+	this->mutex->destroy(this->mutex);
+	this->condvar->destroy(this->condvar);
+	this->discover->destroy_offset(this->discover,
+								offsetof(dhcp_transaction_t, destroy));
+	this->request->destroy_offset(this->request,
+								offsetof(dhcp_transaction_t, destroy));
+	this->completed->destroy_offset(this->completed,
+								offsetof(dhcp_transaction_t, destroy));
+	DESTROY_IF(this->rng);
+	DESTROY_IF(this->dst);
+	free(this);
+}
+
+/**
+ * See header
+ */
+dhcp_socket_t *dhcp_socket_create()
+{
+	private_dhcp_socket_t *this;
+	struct sockaddr_in src;
+	int on = 1;
+	struct sock_filter dhcp_filter_code[] = {
+		BPF_STMT(BPF_LD+BPF_B+BPF_ABS,
+				 offsetof(struct iphdr, protocol)),
+		BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, IPPROTO_UDP, 0, 16),
+		BPF_STMT(BPF_LD+BPF_H+BPF_ABS, sizeof(struct iphdr) +
+				 offsetof(struct udphdr, source)),
+		BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, DHCP_SERVER_PORT, 0, 14),
+		BPF_STMT(BPF_LD+BPF_H+BPF_ABS, sizeof(struct iphdr) +
+				 offsetof(struct udphdr, dest)),
+		BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, DHCP_CLIENT_PORT, 0, 2),
+		BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, DHCP_SERVER_PORT, 0, 1),
+		BPF_JUMP(BPF_JMP+BPF_JA, 0, 0, 10),
+		BPF_STMT(BPF_LD+BPF_B+BPF_ABS, sizeof(struct iphdr) +
+				 sizeof(struct udphdr) + offsetof(dhcp_t, opcode)),
+		BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, BOOTREPLY, 0, 8),
+		BPF_STMT(BPF_LD+BPF_B+BPF_ABS, sizeof(struct iphdr) +
+				 sizeof(struct udphdr) + offsetof(dhcp_t, hw_type)),
+		BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARPHRD_ETHER, 0, 6),
+		BPF_STMT(BPF_LD+BPF_B+BPF_ABS, sizeof(struct iphdr) +
+				 sizeof(struct udphdr) + offsetof(dhcp_t, hw_addr_len)),
+		BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 6, 0, 4),
+		BPF_STMT(BPF_LD+BPF_W+BPF_ABS, sizeof(struct iphdr) +
+				 sizeof(struct udphdr) + offsetof(dhcp_t, magic_cookie)),
+		BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0x63825363, 0, 2),
+		BPF_STMT(BPF_LD+BPF_W+BPF_LEN, 0),
+		BPF_STMT(BPF_RET+BPF_A, 0),
+		BPF_STMT(BPF_RET+BPF_K, 0),
+	};
+	struct sock_fprog dhcp_filter = {
+		sizeof(dhcp_filter_code) / sizeof(struct sock_filter),
+		dhcp_filter_code,
+	};
+
+	INIT(this,
+		.public = {
+			.enroll = _enroll,
+			.release = _release,
+			.destroy = _destroy,
+		},
+		.rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK),
+		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+		.condvar = condvar_create(CONDVAR_TYPE_DEFAULT),
+		.discover = linked_list_create(),
+		.request = linked_list_create(),
+		.completed = linked_list_create(),
+	);
+
+	if (!this->rng)
+	{
+		DBG1(DBG_CFG, "unable to create RNG");
+		destroy(this);
+		return NULL;
+	}
+	this->identity_lease = lib->settings->get_bool(lib->settings,
+							"charon.plugins.dhcp.identity_lease", FALSE);
+	this->dst = host_create_from_string(lib->settings->get_str(lib->settings,
+							"charon.plugins.dhcp.server", "255.255.255.255"),
+							DHCP_SERVER_PORT);
+	if (!this->dst)
+	{
+		DBG1(DBG_CFG, "configured DHCP server address invalid");
+		destroy(this);
+		return NULL;
+	}
+
+	this->send = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
+	if (this->send == -1)
+	{
+		DBG1(DBG_CFG, "unable to create DHCP send socket: %s", strerror(errno));
+		destroy(this);
+		return NULL;
+	}
+	if (setsockopt(this->send, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on)) == -1)
+	{
+		DBG1(DBG_CFG, "unable to reuse DHCP socket address: %s", strerror(errno));
+		destroy(this);
+		return NULL;
+	}
+	if (setsockopt(this->send, SOL_SOCKET, SO_BROADCAST, &on, sizeof(on)) == -1)
+	{
+		DBG1(DBG_CFG, "unable to broadcast on DHCP socket: %s", strerror(errno));
+		destroy(this);
+		return NULL;
+	}
+	src.sin_family = AF_INET;
+	src.sin_port = htons(DHCP_CLIENT_PORT);
+	src.sin_addr.s_addr = INADDR_ANY;
+	if (bind(this->send, (struct sockaddr*)&src, sizeof(src)) == -1)
+	{
+		DBG1(DBG_CFG, "unable to bind DHCP send socket: %s", strerror(errno));
+		destroy(this);
+		return NULL;
+	}
+
+	this->receive = socket(AF_PACKET, SOCK_DGRAM, htons(ETH_P_IP));
+	if (this->receive == -1)
+	{
+		DBG1(DBG_NET, "opening DHCP receive socket failed: %s", strerror(errno));
+		destroy(this);
+		return NULL;
+	}
+	if (setsockopt(this->receive, SOL_SOCKET, SO_ATTACH_FILTER,
+				   &dhcp_filter, sizeof(dhcp_filter)) < 0)
+	{
+		DBG1(DBG_CFG, "installing DHCP socket filter failed: %s",
+			 strerror(errno));
+		destroy(this);
+		return NULL;
+	}
+
+	this->job = callback_job_create((callback_job_cb_t)receive_dhcp,
+									this, NULL, NULL);
+	charon->processor->queue_job(charon->processor, (job_t*)this->job);
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/plugins/dhcp/dhcp_socket.h b/src/libcharon/plugins/dhcp/dhcp_socket.h
new file mode 100644
index 000000000..0a8398aba
--- /dev/null
+++ b/src/libcharon/plugins/dhcp/dhcp_socket.h
@@ -0,0 +1,60 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup dhcp_socket dhcp_socket
+ * @{ @ingroup dhcp
+ */
+
+#ifndef DHCP_SOCKET_H_
+#define DHCP_SOCKET_H_
+
+typedef struct dhcp_socket_t dhcp_socket_t;
+
+#include "dhcp_transaction.h"
+
+/**
+ * DHCP socket implementation
+ */
+struct dhcp_socket_t {
+
+	/**
+	 * Enroll a client address using DHCP.
+	 *
+	 * @param identity		peer identity to enroll an address for
+	 * @return				completed DHCP transaction, NULL on failure
+	 */
+	dhcp_transaction_t* (*enroll)(dhcp_socket_t *this,
+								  identification_t *identity);
+
+	/**
+	 * Release an enrolled DHCP address.
+	 *
+	 * @param transaction	transaction returned by enroll
+	 */
+	void (*release)(dhcp_socket_t *this, dhcp_transaction_t *transaction);
+
+	/**
+	 * Destroy a dhcp_socket_t.
+	 */
+	void (*destroy)(dhcp_socket_t *this);
+};
+
+/**
+ * Create a dhcp_socket instance.
+ */
+dhcp_socket_t *dhcp_socket_create();
+
+#endif /** DHCP_SOCKET_H_ @}*/
diff --git a/src/libcharon/plugins/dhcp/dhcp_transaction.c b/src/libcharon/plugins/dhcp/dhcp_transaction.c
new file mode 100644
index 000000000..83f822dd8
--- /dev/null
+++ b/src/libcharon/plugins/dhcp/dhcp_transaction.c
@@ -0,0 +1,184 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "dhcp_transaction.h"
+
+#include <utils/linked_list.h>
+
+typedef struct private_dhcp_transaction_t private_dhcp_transaction_t;
+
+/**
+ * Private data of an dhcp_transaction_t object.
+ */
+struct private_dhcp_transaction_t {
+
+	/**
+	 * Public dhcp_transaction_t interface.
+	 */
+	dhcp_transaction_t public;
+
+	/**
+	 * DHCP transaction ID
+	 */
+	u_int32_t id;
+
+	/**
+	 * Peer identity
+	 */
+	identification_t *identity;
+
+	/**
+	 * received DHCP address
+	 */
+	host_t *address;
+
+	/**
+	 * discovered DHCP server address
+	 */
+	host_t *server;
+
+	/**
+	 * List of added attributes, as attribute_entry_t
+	 */
+	linked_list_t *attributes;
+};
+
+/**
+ * Entry for an added attribute
+ */
+typedef struct {
+	configuration_attribute_type_t type;
+	chunk_t data;
+} attribute_entry_t;
+
+METHOD(dhcp_transaction_t, get_id, u_int32_t,
+	private_dhcp_transaction_t *this)
+{
+	return this->id;
+}
+
+METHOD(dhcp_transaction_t, get_identity, identification_t*,
+	private_dhcp_transaction_t *this)
+{
+	return this->identity;
+}
+
+METHOD(dhcp_transaction_t, set_address, void,
+	private_dhcp_transaction_t *this, host_t *address)
+{
+	DESTROY_IF(this->address);
+	this->address = address;
+}
+
+METHOD(dhcp_transaction_t, get_address, host_t*,
+	private_dhcp_transaction_t *this)
+{
+	return this->address;
+}
+
+METHOD(dhcp_transaction_t, set_server, void,
+	private_dhcp_transaction_t *this, host_t *server)
+{
+	DESTROY_IF(this->server);
+	this->server = server;
+}
+
+METHOD(dhcp_transaction_t, get_server, host_t*,
+	private_dhcp_transaction_t *this)
+{
+	return this->server;
+}
+
+METHOD(dhcp_transaction_t, add_attribute, void,
+	private_dhcp_transaction_t *this, configuration_attribute_type_t type,
+	chunk_t data)
+{
+	attribute_entry_t *entry;
+
+	INIT(entry,
+		.type = type,
+		.data = chunk_clone(data),
+	);
+	this->attributes->insert_last(this->attributes, entry);
+}
+
+/**
+ * Filter function to map entries to type/data
+ */
+static bool attribute_filter(void *null, attribute_entry_t **entry,
+							 configuration_attribute_type_t *type,
+							 void **dummy, chunk_t *data)
+{
+	*type = (*entry)->type;
+	*data = (*entry)->data;
+	return TRUE;
+}
+
+METHOD(dhcp_transaction_t, create_attribute_enumerator, enumerator_t*,
+	private_dhcp_transaction_t *this)
+{
+	return enumerator_create_filter(
+						this->attributes->create_enumerator(this->attributes),
+						(void*)attribute_filter, NULL, NULL);
+}
+
+/**
+ * Clean up an attribute entry
+ */
+static void attribute_entry_destroy(attribute_entry_t *entry)
+{
+	free(entry->data.ptr);
+	free(entry);
+}
+
+METHOD(dhcp_transaction_t, destroy, void,
+	private_dhcp_transaction_t *this)
+{
+	this->identity->destroy(this->identity);
+	DESTROY_IF(this->address);
+	DESTROY_IF(this->server);
+	this->attributes->destroy_function(this->attributes,
+									   (void*)attribute_entry_destroy);
+	free(this);
+}
+
+/**
+ * See header
+ */
+dhcp_transaction_t *dhcp_transaction_create(u_int32_t id,
+											identification_t *identity)
+{
+	private_dhcp_transaction_t *this;
+
+	INIT(this,
+		.public = {
+			.get_id = _get_id,
+			.get_identity = _get_identity,
+			.set_address = _set_address,
+			.get_address = _get_address,
+			.set_server = _set_server,
+			.get_server = _get_server,
+			.add_attribute = _add_attribute,
+			.create_attribute_enumerator = _create_attribute_enumerator,
+			.destroy = _destroy,
+		},
+		.id = id,
+		.identity = identity->clone(identity),
+		.attributes = linked_list_create(),
+	);
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/plugins/dhcp/dhcp_transaction.h b/src/libcharon/plugins/dhcp/dhcp_transaction.h
new file mode 100644
index 000000000..19c163f88
--- /dev/null
+++ b/src/libcharon/plugins/dhcp/dhcp_transaction.h
@@ -0,0 +1,109 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup dhcp_transaction dhcp_transaction
+ * @{ @ingroup dhcp
+ */
+
+#ifndef DHCP_TRANSACTION_H_
+#define DHCP_TRANSACTION_H_
+
+#include <utils/host.h>
+#include <utils/identification.h>
+#include <attributes/attributes.h>
+
+typedef struct dhcp_transaction_t dhcp_transaction_t;
+
+/**
+ * DHCP transaction class.
+ */
+struct dhcp_transaction_t {
+
+	/**
+	 * Get the DCHP transaction ID.
+	 *
+	 * @return			DHCP transaction identifier
+	 */
+	u_int32_t (*get_id)(dhcp_transaction_t *this);
+
+	/**
+	 * Get the peer identity this transaction is used for.
+	 *
+	 * @return			peer Identity
+	 */
+	identification_t* (*get_identity)(dhcp_transaction_t *this);
+
+	/**
+	 * Set the DHCP address received using this transaction.
+	 *
+	 * @param host		received DHCP address
+	 */
+	void (*set_address)(dhcp_transaction_t *this, host_t *address);
+
+	/**
+	 * Get the DHCP address received using this transaction.
+	 *
+	 * @return			received DHCP address
+	 */
+	host_t* (*get_address)(dhcp_transaction_t *this);
+
+	/**
+	 * Set the DCHP server address discovered.
+	 *
+	 * @param server	DHCP server address
+	 */
+	void (*set_server)(dhcp_transaction_t *this, host_t *server);
+
+	/**
+	 * Get the DHCP server address.
+	 *
+	 * @return			DHCP server address
+	 */
+	host_t* (*get_server)(dhcp_transaction_t *this);
+
+	/**
+	 * An an additional attribute to serve to peer.
+	 *
+	 * @param type		type of attribute
+	 * @param data		attribute data
+	 */
+	void (*add_attribute)(dhcp_transaction_t *this,
+						  configuration_attribute_type_t type, chunk_t data);
+
+	/**
+	 * Create an enumerator over added attributes.
+	 *
+	 * @return			enumerator over (configuration_attribute_t, chunk_t)
+	 */
+	enumerator_t* (*create_attribute_enumerator)(dhcp_transaction_t *this);
+
+	/**
+	 * Destroy a dhcp_transaction_t.
+	 */
+	void (*destroy)(dhcp_transaction_t *this);
+};
+
+/**
+ * Create a dhcp_transaction instance.
+ *
+ * @param id		DHCP transaction identifier
+ * @param identity	peer identity this transaction is used for
+ * @return			transaction instance
+ */
+dhcp_transaction_t *dhcp_transaction_create(u_int32_t id,
+											identification_t *identity);
+
+#endif /** DHCP_TRANSACTION_H_ @}*/
diff --git a/src/libcharon/plugins/eap_aka/Makefile.am b/src/libcharon/plugins/eap_aka/Makefile.am
new file mode 100644
index 000000000..d37d1691c
--- /dev/null
+++ b/src/libcharon/plugins/eap_aka/Makefile.am
@@ -0,0 +1,19 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libsimaka
+
+AM_CFLAGS = -rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-eap-aka.la
+else
+plugin_LTLIBRARIES = libstrongswan-eap-aka.la
+libstrongswan_eap_aka_la_LIBADD = $(top_builddir)/src/libsimaka/libsimaka.la
+endif
+
+libstrongswan_eap_aka_la_SOURCES = \
+	eap_aka_plugin.h eap_aka_plugin.c \
+	eap_aka_peer.h eap_aka_peer.c \
+	eap_aka_server.h eap_aka_server.c
+
+libstrongswan_eap_aka_la_LDFLAGS = -module -avoid-version
diff --git a/src/libcharon/plugins/eap_aka/Makefile.in b/src/libcharon/plugins/eap_aka/Makefile.in
new file mode 100644
index 000000000..1cea81a9b
--- /dev/null
+++ b/src/libcharon/plugins/eap_aka/Makefile.in
@@ -0,0 +1,593 @@
+# Makefile.in generated by automake 1.11 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libcharon/plugins/eap_aka
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+@MONOLITHIC_FALSE@libstrongswan_eap_aka_la_DEPENDENCIES =  \
+@MONOLITHIC_FALSE@	$(top_builddir)/src/libsimaka/libsimaka.la
+am_libstrongswan_eap_aka_la_OBJECTS = eap_aka_plugin.lo \
+	eap_aka_peer.lo eap_aka_server.lo
+libstrongswan_eap_aka_la_OBJECTS =  \
+	$(am_libstrongswan_eap_aka_la_OBJECTS)
+libstrongswan_eap_aka_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_eap_aka_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_eap_aka_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_eap_aka_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_eap_aka_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_eap_aka_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libhydra_plugins = @libhydra_plugins@
+libstrongswan_plugins = @libstrongswan_plugins@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libsimaka
+
+AM_CFLAGS = -rdynamic
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-eap-aka.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-eap-aka.la
+@MONOLITHIC_FALSE@libstrongswan_eap_aka_la_LIBADD = $(top_builddir)/src/libsimaka/libsimaka.la
+libstrongswan_eap_aka_la_SOURCES = \
+	eap_aka_plugin.h eap_aka_plugin.c \
+	eap_aka_peer.h eap_aka_peer.c \
+	eap_aka_server.h eap_aka_server.c
+
+libstrongswan_eap_aka_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/eap_aka/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libcharon/plugins/eap_aka/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-eap-aka.la: $(libstrongswan_eap_aka_la_OBJECTS) $(libstrongswan_eap_aka_la_DEPENDENCIES) 
+	$(libstrongswan_eap_aka_la_LINK) $(am_libstrongswan_eap_aka_la_rpath) $(libstrongswan_eap_aka_la_OBJECTS) $(libstrongswan_eap_aka_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_aka_peer.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_aka_plugin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_aka_server.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libcharon/plugins/eap_aka/eap_aka_peer.c b/src/libcharon/plugins/eap_aka/eap_aka_peer.c
new file mode 100644
index 000000000..26546809d
--- /dev/null
+++ b/src/libcharon/plugins/eap_aka/eap_aka_peer.c
@@ -0,0 +1,583 @@
+/*
+ * Copyright (C) 2006-2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_aka_peer.h"
+
+#include <library.h>
+#include <daemon.h>
+
+#include <simaka_message.h>
+#include <simaka_crypto.h>
+
+typedef struct private_eap_aka_peer_t private_eap_aka_peer_t;
+
+/**
+ * Private data of an eap_aka_peer_t object.
+ */
+struct private_eap_aka_peer_t {
+
+	/**
+	 * Public authenticator_t interface.
+	 */
+	eap_aka_peer_t public;
+
+	/**
+	 * EAP-AKA crypto helper
+	 */
+	simaka_crypto_t *crypto;
+
+	/**
+	 * permanent ID of peer
+	 */
+	identification_t *permanent;
+
+	/**
+	 * Pseudonym identity the peer uses
+	 */
+	identification_t *pseudonym;
+
+	/**
+	 * Reauthentication identity the peer uses
+	 */
+	identification_t *reauth;
+
+	/**
+	 * MSK
+	 */
+	chunk_t msk;
+
+	/**
+	 * Master key, if reauthentication is used
+	 */
+	char mk[HASH_SIZE_SHA1];
+
+	/**
+	 * Counter value if reauthentication is used
+	 */
+	u_int16_t counter;
+};
+
+/**
+ * Create a AKA_CLIENT_ERROR: "Unable to process"
+ */
+static eap_payload_t* create_client_error(private_eap_aka_peer_t *this,
+										  u_int8_t identifier)
+{
+	simaka_message_t *message;
+	eap_payload_t *out;
+	u_int16_t encoded;
+
+	DBG1(DBG_IKE, "sending client error '%N'",
+		 simaka_client_error_names, AKA_UNABLE_TO_PROCESS);
+
+	message = simaka_message_create(FALSE, identifier, EAP_AKA,
+									AKA_CLIENT_ERROR, this->crypto);
+	encoded = htons(AKA_UNABLE_TO_PROCESS);
+	message->add_attribute(message, AT_CLIENT_ERROR_CODE,
+						   chunk_create((char*)&encoded, sizeof(encoded)));
+	out = message->generate(message, chunk_empty);
+	message->destroy(message);
+	return out;
+}
+
+/**
+ * process an EAP-AKA/Request/Identity message
+ */
+static status_t process_identity(private_eap_aka_peer_t *this,
+								 simaka_message_t *in, eap_payload_t **out)
+{
+	simaka_message_t *message;
+	enumerator_t *enumerator;
+	simaka_attribute_t type;
+	chunk_t data, id = chunk_empty;
+	simaka_attribute_t id_req = 0;
+
+	/* reset previously uses reauthentication/pseudonym data */
+	this->crypto->clear_keys(this->crypto);
+	DESTROY_IF(this->pseudonym);
+	this->pseudonym = NULL;
+	DESTROY_IF(this->reauth);
+	this->reauth = NULL;
+
+	enumerator = in->create_attribute_enumerator(in);
+	while (enumerator->enumerate(enumerator, &type, &data))
+	{
+		switch (type)
+		{
+			case AT_ANY_ID_REQ:
+			case AT_FULLAUTH_ID_REQ:
+			case AT_PERMANENT_ID_REQ:
+				id_req = type;
+				break;
+			default:
+				if (!simaka_attribute_skippable(type))
+				{
+					*out = create_client_error(this, in->get_identifier(in));
+					enumerator->destroy(enumerator);
+					return NEED_MORE;
+				}
+				break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	switch (id_req)
+	{
+		case AT_ANY_ID_REQ:
+			this->reauth = charon->sim->card_get_reauth(charon->sim,
+									this->permanent, this->mk, &this->counter);
+			if (this->reauth)
+			{
+				id = this->reauth->get_encoding(this->reauth);
+				break;
+			}
+			/* FALL */
+		case AT_FULLAUTH_ID_REQ:
+			this->pseudonym = charon->sim->card_get_pseudonym(charon->sim,
+															  this->permanent);
+			if (this->pseudonym)
+			{
+				id = this->pseudonym->get_encoding(this->pseudonym);
+				break;
+			}
+			/* FALL */
+		case AT_PERMANENT_ID_REQ:
+			id = this->permanent->get_encoding(this->permanent);
+			break;
+		default:
+			break;
+	}
+	message = simaka_message_create(FALSE, in->get_identifier(in), EAP_AKA,
+									AKA_IDENTITY, this->crypto);
+	if (id.len)
+	{
+		message->add_attribute(message, AT_IDENTITY, id);
+	}
+	*out = message->generate(message, chunk_empty);
+	message->destroy(message);
+
+	return NEED_MORE;
+}
+
+/**
+ * Process an EAP-AKA/Request/Challenge message
+ */
+static status_t process_challenge(private_eap_aka_peer_t *this,
+								  simaka_message_t *in, eap_payload_t **out)
+{
+	simaka_message_t *message;
+	enumerator_t *enumerator;
+	simaka_attribute_t type;
+	chunk_t data, rand = chunk_empty, autn = chunk_empty, mk;
+	u_char res[AKA_RES_MAX], ck[AKA_CK_LEN], ik[AKA_IK_LEN], auts[AKA_AUTS_LEN];
+	int res_len;
+	identification_t *id;
+	status_t status;
+
+	enumerator = in->create_attribute_enumerator(in);
+	while (enumerator->enumerate(enumerator, &type, &data))
+	{
+		switch (type)
+		{
+			case AT_RAND:
+				rand = data;
+				break;
+			case AT_AUTN:
+				autn = data;
+				break;
+			default:
+				if (!simaka_attribute_skippable(type))
+				{
+					*out = create_client_error(this, in->get_identifier(in));
+					enumerator->destroy(enumerator);
+					return NEED_MORE;
+				}
+				break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	if (!rand.len || !autn.len)
+	{
+		DBG1(DBG_IKE, "received invalid EAP-AKA challenge message");
+		*out = create_client_error(this, in->get_identifier(in));
+		return NEED_MORE;
+	}
+
+	status = charon->sim->card_get_quintuplet(charon->sim, this->permanent,
+									rand.ptr, autn.ptr, ck, ik, res, &res_len);
+	if (status == INVALID_STATE &&
+		charon->sim->card_resync(charon->sim, this->permanent, rand.ptr, auts))
+	{
+		DBG1(DBG_IKE, "received SQN invalid, sending %N",
+			 simaka_subtype_names, AKA_SYNCHRONIZATION_FAILURE);
+		message = simaka_message_create(FALSE, in->get_identifier(in), EAP_AKA,
+									AKA_SYNCHRONIZATION_FAILURE, this->crypto);
+		message->add_attribute(message, AT_AUTS,
+							   chunk_create(auts, AKA_AUTS_LEN));
+		*out = message->generate(message, chunk_empty);
+		message->destroy(message);
+		return NEED_MORE;
+	}
+	if (status != SUCCESS)
+	{
+		DBG1(DBG_IKE, "no USIM found with quintuplets for '%Y', sending %N",
+			 this->permanent, simaka_subtype_names, AKA_AUTHENTICATION_REJECT);
+		message = simaka_message_create(FALSE, in->get_identifier(in), EAP_AKA,
+										AKA_AUTHENTICATION_REJECT, this->crypto);
+		*out = message->generate(message, chunk_empty);
+		message->destroy(message);
+		return NEED_MORE;
+	}
+
+	id = this->permanent;
+	if (this->pseudonym)
+	{
+		id = this->pseudonym;
+	}
+	data = chunk_cata("cc", chunk_create(ik, AKA_IK_LEN),
+					  chunk_create(ck, AKA_CK_LEN));
+	free(this->msk.ptr);
+	this->msk = this->crypto->derive_keys_full(this->crypto, id, data, &mk);
+	memcpy(this->mk, mk.ptr, mk.len);
+	free(mk.ptr);
+
+	/* Verify AT_MAC attribute and parse() again after key derivation,
+	 * reading encrypted attributes */
+	if (!in->verify(in, chunk_empty) || !in->parse(in))
+	{
+		*out = create_client_error(this, in->get_identifier(in));
+		return NEED_MORE;
+	}
+
+	enumerator = in->create_attribute_enumerator(in);
+	while (enumerator->enumerate(enumerator, &type, &data))
+	{
+		switch (type)
+		{
+			case AT_NEXT_REAUTH_ID:
+				this->counter = 0;
+				id = identification_create_from_data(data);
+				charon->sim->card_set_reauth(charon->sim, this->permanent, id,
+											 this->mk, this->counter);
+				id->destroy(id);
+				break;
+			case AT_NEXT_PSEUDONYM:
+				id = identification_create_from_data(data);
+				charon->sim->card_set_pseudonym(charon->sim, this->permanent, id);
+				id->destroy(id);
+				break;
+			default:
+				break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	message = simaka_message_create(FALSE, in->get_identifier(in), EAP_AKA,
+									AKA_CHALLENGE, this->crypto);
+	message->add_attribute(message, AT_RES, chunk_create(res, res_len));
+	*out = message->generate(message, chunk_empty);
+	message->destroy(message);
+	return NEED_MORE;
+}
+
+/**
+ * Check if a received counter value is acceptable
+ */
+static bool counter_too_small(private_eap_aka_peer_t *this, chunk_t chunk)
+{
+	u_int16_t counter;
+
+	memcpy(&counter, chunk.ptr, sizeof(counter));
+	counter = htons(counter);
+	return counter < this->counter;
+}
+
+/**
+ * process an EAP-AKA/Request/Reauthentication message
+ */
+static status_t process_reauthentication(private_eap_aka_peer_t *this,
+									simaka_message_t *in, eap_payload_t **out)
+{
+	simaka_message_t *message;
+	enumerator_t *enumerator;
+	simaka_attribute_t type;
+	chunk_t data, counter = chunk_empty, nonce = chunk_empty, id = chunk_empty;
+
+	if (!this->reauth)
+	{
+		DBG1(DBG_IKE, "received %N, but not expected",
+			 simaka_subtype_names, AKA_REAUTHENTICATION);
+		*out = create_client_error(this, in->get_identifier(in));
+		return NEED_MORE;
+	}
+
+	this->crypto->derive_keys_reauth(this->crypto,
+									 chunk_create(this->mk, HASH_SIZE_SHA1));
+
+	/* verify MAC and parse again with decryption key */
+	if (!in->verify(in, chunk_empty) || !in->parse(in))
+	{
+		*out = create_client_error(this, in->get_identifier(in));
+		return NEED_MORE;
+	}
+
+	enumerator = in->create_attribute_enumerator(in);
+	while (enumerator->enumerate(enumerator, &type, &data))
+	{
+		switch (type)
+		{
+			case AT_COUNTER:
+				counter = data;
+				break;
+			case AT_NONCE_S:
+				nonce = data;
+				break;
+			case AT_NEXT_REAUTH_ID:
+				id = data;
+				break;
+			default:
+				if (!simaka_attribute_skippable(type))
+				{
+					*out = create_client_error(this, in->get_identifier(in));
+					enumerator->destroy(enumerator);
+					return NEED_MORE;
+				}
+				break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	if (!nonce.len || !counter.len)
+	{
+		DBG1(DBG_IKE, "EAP-AKA/Request/Reauthentication message incomplete");
+		*out = create_client_error(this, in->get_identifier(in));
+		return NEED_MORE;
+	}
+
+	message = simaka_message_create(FALSE, in->get_identifier(in), EAP_AKA,
+									AKA_REAUTHENTICATION, this->crypto);
+	if (counter_too_small(this, counter))
+	{
+		DBG1(DBG_IKE, "reauthentication counter too small");
+		message->add_attribute(message, AT_COUNTER_TOO_SMALL, chunk_empty);
+	}
+	else
+	{
+		free(this->msk.ptr);
+		this->msk = this->crypto->derive_keys_reauth_msk(this->crypto,
+										this->reauth, counter, nonce,
+										chunk_create(this->mk, HASH_SIZE_SHA1));
+		if (id.len)
+		{
+			identification_t *reauth;
+
+			reauth = identification_create_from_data(data);
+			charon->sim->card_set_reauth(charon->sim, this->permanent, reauth,
+							 this->mk, this->counter);
+			reauth->destroy(reauth);
+		}
+	}
+	message->add_attribute(message, AT_COUNTER, counter);
+	*out = message->generate(message, nonce);
+	message->destroy(message);
+	return NEED_MORE;
+}
+
+/**
+ * Process an EAP-AKA/Request/Notification message
+ */
+static status_t process_notification(private_eap_aka_peer_t *this,
+									 simaka_message_t *in, eap_payload_t **out)
+{
+	simaka_message_t *message;
+	enumerator_t *enumerator;
+	simaka_attribute_t type;
+	chunk_t data;
+	bool success = TRUE;
+
+	enumerator = in->create_attribute_enumerator(in);
+	while (enumerator->enumerate(enumerator, &type, &data))
+	{
+		if (type == AT_NOTIFICATION)
+		{
+			u_int16_t code;
+
+			memcpy(&code, data.ptr, sizeof(code));
+			code = ntohs(code);
+
+			/* test success bit */
+			if (!(data.ptr[0] & 0x80))
+			{
+				success = FALSE;
+				DBG1(DBG_IKE, "received EAP-AKA notification error '%N'",
+					 simaka_notification_names, code);
+			}
+			else
+			{
+				DBG1(DBG_IKE, "received EAP-AKA notification '%N'",
+					 simaka_notification_names, code);
+			}
+		}
+		else if (!simaka_attribute_skippable(type))
+		{
+			success = FALSE;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	if (success)
+	{	/* empty notification reply */
+		message = simaka_message_create(FALSE, in->get_identifier(in), EAP_AKA,
+										AKA_NOTIFICATION, this->crypto);
+		*out = message->generate(message, chunk_empty);
+		message->destroy(message);
+	}
+	else
+	{
+		*out = create_client_error(this, in->get_identifier(in));
+	}
+	return NEED_MORE;
+}
+
+
+/**
+ * Implementation of eap_method_t.process
+ */
+static status_t process(private_eap_aka_peer_t *this,
+						eap_payload_t *in, eap_payload_t **out)
+{
+	simaka_message_t *message;
+	status_t status;
+
+	message = simaka_message_create_from_payload(in, this->crypto);
+	if (!message)
+	{
+		*out = create_client_error(this, in->get_identifier(in));
+		return NEED_MORE;
+	}
+	if (!message->parse(message))
+	{
+		message->destroy(message);
+		*out = create_client_error(this, in->get_identifier(in));
+		return NEED_MORE;
+	}
+	switch (message->get_subtype(message))
+	{
+		case AKA_IDENTITY:
+			status = process_identity(this, message, out);
+			break;
+		case AKA_CHALLENGE:
+			status = process_challenge(this, message, out);
+			break;
+		case AKA_REAUTHENTICATION:
+			status = process_reauthentication(this, message, out);
+			break;
+		case AKA_NOTIFICATION:
+			status = process_notification(this, message, out);
+			break;
+		default:
+			DBG1(DBG_IKE, "unable to process EAP-AKA subtype %N",
+				 simaka_subtype_names, message->get_subtype(message));
+			*out = create_client_error(this, in->get_identifier(in));
+			status = NEED_MORE;
+			break;
+	}
+	message->destroy(message);
+	return status;
+}
+
+/**
+ * Implementation of eap_method_t.initiate
+ */
+static status_t initiate(private_eap_aka_peer_t *this, eap_payload_t **out)
+{
+	/* peer never initiates */
+	return FAILED;
+}
+
+/**
+ * Implementation of eap_method_t.get_type.
+ */
+static eap_type_t get_type(private_eap_aka_peer_t *this, u_int32_t *vendor)
+{
+	*vendor = 0;
+	return EAP_AKA;
+}
+
+/**
+ * Implementation of eap_method_t.get_msk.
+ */
+static status_t get_msk(private_eap_aka_peer_t *this, chunk_t *msk)
+{
+	if (this->msk.ptr)
+	{
+		*msk = this->msk;
+		return SUCCESS;
+	}
+	return FAILED;
+}
+
+/**
+ * Implementation of eap_method_t.is_mutual.
+ */
+static bool is_mutual(private_eap_aka_peer_t *this)
+{
+	return TRUE;
+}
+
+/**
+ * Implementation of eap_method_t.destroy.
+ */
+static void destroy(private_eap_aka_peer_t *this)
+{
+	this->crypto->destroy(this->crypto);
+	this->permanent->destroy(this->permanent);
+	DESTROY_IF(this->pseudonym);
+	DESTROY_IF(this->reauth);
+	free(this->msk.ptr);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+eap_aka_peer_t *eap_aka_peer_create(identification_t *server,
+									identification_t *peer)
+{
+	private_eap_aka_peer_t *this = malloc_thing(private_eap_aka_peer_t);
+
+	this->public.interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate;
+	this->public.interface.process = (status_t(*)(eap_method_t*,eap_payload_t*,eap_payload_t**))process;
+	this->public.interface.get_type = (eap_type_t(*)(eap_method_t*,u_int32_t*))get_type;
+	this->public.interface.is_mutual = (bool(*)(eap_method_t*))is_mutual;
+	this->public.interface.get_msk = (status_t(*)(eap_method_t*,chunk_t*))get_msk;
+	this->public.interface.destroy = (void(*)(eap_method_t*))destroy;
+
+	this->crypto = simaka_crypto_create();
+	if (!this->crypto)
+	{
+		free(this);
+		return NULL;
+	}
+	this->permanent = peer->clone(peer);
+	this->pseudonym = NULL;
+	this->reauth = NULL;
+	this->msk = chunk_empty;
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/plugins/eap_aka/eap_aka_peer.h b/src/libcharon/plugins/eap_aka/eap_aka_peer.h
new file mode 100644
index 000000000..65a210406
--- /dev/null
+++ b/src/libcharon/plugins/eap_aka/eap_aka_peer.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2008-2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_aka_peer eap_aka_peer
+ * @{ @ingroup eap_aka
+ */
+
+#ifndef EAP_AKA_PEER_H_
+#define EAP_AKA_PEER_H_
+
+typedef struct eap_aka_peer_t eap_aka_peer_t;
+
+#include <sa/authenticators/eap/eap_method.h>
+
+/**
+ * Implementation of the eap_method_t interface using EAP-AKA as a client.
+ */
+struct eap_aka_peer_t {
+
+	/**
+	 * Implemented eap_method_t interface.
+	 */
+	eap_method_t interface;
+};
+
+/**
+ * Creates the peer implementation of the EAP method EAP-AKA.
+ *
+ * @param server	ID of the EAP server
+ * @param peer		ID of the EAP client
+ * @return			eap_aka_peer_t object
+ */
+eap_aka_peer_t *eap_aka_peer_create(identification_t *server,
+									identification_t *peer);
+
+#endif /** EAP_AKA_PEER_H_ @}*/
diff --git a/src/libcharon/plugins/eap_aka/eap_aka_plugin.c b/src/libcharon/plugins/eap_aka/eap_aka_plugin.c
new file mode 100644
index 000000000..f9283393a
--- /dev/null
+++ b/src/libcharon/plugins/eap_aka/eap_aka_plugin.c
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) 2008-2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_aka_plugin.h"
+
+#include "eap_aka_peer.h"
+#include "eap_aka_server.h"
+
+#include <daemon.h>
+
+/**
+ * Implementation of plugin_t.destroy
+ */
+static void destroy(eap_aka_plugin_t *this)
+{
+	charon->eap->remove_method(charon->eap,
+							   (eap_constructor_t)eap_aka_server_create);
+	charon->eap->remove_method(charon->eap,
+							   (eap_constructor_t)eap_aka_peer_create);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *eap_aka_plugin_create()
+{
+	eap_aka_plugin_t *this = malloc_thing(eap_aka_plugin_t);
+
+	this->plugin.destroy = (void(*)(plugin_t*))destroy;
+
+	charon->eap->add_method(charon->eap, EAP_AKA, 0, EAP_SERVER,
+							(eap_constructor_t)eap_aka_server_create);
+	charon->eap->add_method(charon->eap, EAP_AKA, 0, EAP_PEER,
+							(eap_constructor_t)eap_aka_peer_create);
+
+	return &this->plugin;
+}
+
diff --git a/src/libcharon/plugins/eap_aka/eap_aka_plugin.h b/src/libcharon/plugins/eap_aka/eap_aka_plugin.h
new file mode 100644
index 000000000..d011904b3
--- /dev/null
+++ b/src/libcharon/plugins/eap_aka/eap_aka_plugin.h
@@ -0,0 +1,45 @@
+/*
+ * Copyright (C) 2008-2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_aka eap_aka
+ * @ingroup cplugins
+ *
+ * @defgroup eap_aka_plugin eap_aka_plugin
+ * @{ @ingroup eap_aka
+ */
+
+#ifndef EAP_AKA_PLUGIN_H_
+#define EAP_AKA_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct eap_aka_plugin_t eap_aka_plugin_t;
+
+/**
+ * EAP-AKA plugin.
+ *
+ * EAP-AKA uses 3rd generation mobile phone standard authentication
+ * mechanism for authentication, as defined RFC4187.
+ */
+struct eap_aka_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+#endif /** EAP_AKA_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/eap_aka/eap_aka_server.c b/src/libcharon/plugins/eap_aka/eap_aka_server.c
new file mode 100644
index 000000000..9baff3e23
--- /dev/null
+++ b/src/libcharon/plugins/eap_aka/eap_aka_server.c
@@ -0,0 +1,700 @@
+/*
+ * Copyright (C) 2006-2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_aka_server.h"
+
+#include <daemon.h>
+#include <library.h>
+
+#include <simaka_message.h>
+#include <simaka_crypto.h>
+
+/** length of the AT_NONCE_S value */
+#define NONCE_LEN 16
+
+typedef struct private_eap_aka_server_t private_eap_aka_server_t;
+
+/**
+ * Private data of an eap_aka_server_t object.
+ */
+struct private_eap_aka_server_t {
+
+	/**
+	 * Public authenticator_t interface.
+	 */
+	eap_aka_server_t public;
+
+	/**
+	 * EAP-AKA crypto helper
+	 */
+	simaka_crypto_t *crypto;
+
+	/**
+	 * permanent ID of the peer
+	 */
+	identification_t *permanent;
+
+	/**
+	 * pseudonym ID of peer
+	 */
+	identification_t *pseudonym;
+
+	/**
+	 * reauthentication ID of peer
+	 */
+	identification_t *reauth;
+
+	/**
+	 * EAP identifier value
+	 */
+	u_int8_t identifier;
+
+	/**
+	 * Expected Result XRES
+	 */
+	chunk_t xres;
+
+	/**
+	 * Random value RAND
+	 */
+	chunk_t rand;
+
+	/**
+	 * MSK
+	 */
+	chunk_t msk;
+
+	/**
+	 * Nonce value used in AT_NONCE_S
+	 */
+	chunk_t nonce;
+
+	/**
+	 * Counter value negotiated, network order
+	 */
+	chunk_t counter;
+
+	/**
+	 * Do we request fast reauthentication?
+	 */
+	bool use_reauth;
+
+	/**
+	 * Do we request pseudonym identities?
+	 */
+	bool use_pseudonym;
+
+	/**
+	 * Do we request permanent identities?
+	 */
+	bool use_permanent;
+
+	/**
+	 * EAP-AKA message we have initiated
+	 */
+	simaka_subtype_t pending;
+
+	/**
+	 * Did the client send a synchronize request?
+	 */
+	bool synchronized;
+};
+
+/**
+ * Create EAP-AKA/Request/Identity message
+ */
+static status_t identity(private_eap_aka_server_t *this, eap_payload_t **out)
+{
+	simaka_message_t *message;
+
+	message = simaka_message_create(TRUE, this->identifier++, EAP_AKA,
+									AKA_IDENTITY, this->crypto);
+	if (this->use_reauth)
+	{
+		message->add_attribute(message, AT_ANY_ID_REQ, chunk_empty);
+	}
+	else if (this->use_pseudonym)
+	{
+		message->add_attribute(message, AT_FULLAUTH_ID_REQ, chunk_empty);
+	}
+	else if (this->use_permanent)
+	{
+		message->add_attribute(message, AT_PERMANENT_ID_REQ, chunk_empty);
+	}
+	*out = message->generate(message, chunk_empty);
+	message->destroy(message);
+
+	this->pending = AKA_IDENTITY;
+	return NEED_MORE;
+}
+
+/**
+ * Create EAP-AKA/Request/Challenge message
+ */
+static status_t challenge(private_eap_aka_server_t *this, eap_payload_t **out)
+{
+	simaka_message_t *message;
+	char rand[AKA_RAND_LEN], xres[AKA_RES_MAX];
+	char ck[AKA_CK_LEN], ik[AKA_IK_LEN], autn[AKA_AUTN_LEN];
+	int xres_len;
+	chunk_t data, mk;
+	identification_t *id;
+
+	if (!charon->sim->provider_get_quintuplet(charon->sim, this->permanent,
+										rand, xres, &xres_len, ck, ik, autn))
+	{
+		if (this->use_pseudonym)
+		{
+			/* probably received a pseudonym/reauth id we couldn't map */
+			DBG1(DBG_IKE, "failed to map pseudonym/reauth identity '%Y', "
+				 "fallback to permanent identity request", this->permanent);
+			this->use_pseudonym = FALSE;
+			DESTROY_IF(this->pseudonym);
+			this->pseudonym = NULL;
+			return identity(this, out);
+		}
+		return FAILED;
+	}
+	id = this->permanent;
+	if (this->pseudonym)
+	{
+		id = this->pseudonym;
+	}
+	data = chunk_cata("cc", chunk_create(ik, AKA_IK_LEN),
+					  chunk_create(ck, AKA_CK_LEN));
+	free(this->msk.ptr);
+	this->msk = this->crypto->derive_keys_full(this->crypto, id, data, &mk);
+	this->rand = chunk_clone(chunk_create(rand, AKA_RAND_LEN));
+	this->xres = chunk_clone(chunk_create(xres, xres_len));
+
+	message = simaka_message_create(TRUE, this->identifier++, EAP_AKA,
+									AKA_CHALLENGE, this->crypto);
+	message->add_attribute(message, AT_RAND, this->rand);
+	message->add_attribute(message, AT_AUTN, chunk_create(autn, AKA_AUTN_LEN));
+	id = charon->sim->provider_gen_reauth(charon->sim, this->permanent, mk.ptr);
+	if (id)
+	{
+		message->add_attribute(message, AT_NEXT_REAUTH_ID,
+							   id->get_encoding(id));
+		id->destroy(id);
+	}
+	else
+	{
+		id = charon->sim->provider_gen_pseudonym(charon->sim, this->permanent);
+		if (id)
+		{
+			message->add_attribute(message, AT_NEXT_PSEUDONYM,
+								   id->get_encoding(id));
+			id->destroy(id);
+		}
+	}
+	*out = message->generate(message, chunk_empty);
+	message->destroy(message);
+
+	free(mk.ptr);
+	this->pending = AKA_CHALLENGE;
+	return NEED_MORE;
+}
+
+/**
+ * Initiate  EAP-AKA/Request/Re-authentication message
+ */
+static status_t reauthenticate(private_eap_aka_server_t *this,
+							   char mk[HASH_SIZE_SHA1], u_int16_t counter,
+							   eap_payload_t **out)
+{
+	simaka_message_t *message;
+	identification_t *next;
+	chunk_t mkc;
+	rng_t *rng;
+
+	DBG1(DBG_IKE, "initiating EAP-AKA reauthentication");
+
+	rng = this->crypto->get_rng(this->crypto);
+	rng->allocate_bytes(rng, NONCE_LEN, &this->nonce);
+
+	mkc = chunk_create(mk, HASH_SIZE_SHA1);
+	counter = htons(counter);
+	this->counter = chunk_clone(chunk_create((char*)&counter, sizeof(counter)));
+
+	this->crypto->derive_keys_reauth(this->crypto, mkc);
+	this->msk = this->crypto->derive_keys_reauth_msk(this->crypto,
+								this->reauth, this->counter, this->nonce, mkc);
+
+	message = simaka_message_create(TRUE, this->identifier++, EAP_AKA,
+									AKA_REAUTHENTICATION, this->crypto);
+	message->add_attribute(message, AT_COUNTER, this->counter);
+	message->add_attribute(message, AT_NONCE_S, this->nonce);
+	next = charon->sim->provider_gen_reauth(charon->sim, this->permanent, mk);
+	if (next)
+	{
+		message->add_attribute(message, AT_NEXT_REAUTH_ID,
+							   next->get_encoding(next));
+		next->destroy(next);
+	}
+	*out = message->generate(message, chunk_empty);
+	message->destroy(message);
+
+	this->pending = SIM_REAUTHENTICATION;
+	return NEED_MORE;
+}
+
+/**
+ * Implementation of eap_method_t.initiate
+ */
+static status_t initiate(private_eap_aka_server_t *this, eap_payload_t **out)
+{
+	if (this->use_permanent || this->use_pseudonym || this->use_reauth)
+	{
+		return identity(this, out);
+	}
+	return challenge(this, out);
+}
+
+/**
+ * Process EAP-AKA/Response/Identity message
+ */
+static status_t process_identity(private_eap_aka_server_t *this,
+								 simaka_message_t *in, eap_payload_t **out)
+{
+	identification_t *permanent, *id;
+	enumerator_t *enumerator;
+	simaka_attribute_t type;
+	chunk_t data, identity = chunk_empty;
+
+	if (this->pending != AKA_IDENTITY)
+	{
+		DBG1(DBG_IKE, "received %N, but not expected",
+			 simaka_subtype_names, AKA_IDENTITY);
+		return FAILED;
+	}
+
+	enumerator = in->create_attribute_enumerator(in);
+	while (enumerator->enumerate(enumerator, &type, &data))
+	{
+		switch (type)
+		{
+			case AT_IDENTITY:
+				identity = data;
+				break;
+			default:
+				if (!simaka_attribute_skippable(type))
+				{
+					enumerator->destroy(enumerator);
+					return FAILED;
+				}
+				break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	if (!identity.len)
+	{
+		DBG1(DBG_IKE, "received incomplete Identity response");
+		return FAILED;
+	}
+
+	id = identification_create_from_data(identity);
+	if (this->use_reauth)
+	{
+		char mk[HASH_SIZE_SHA1];
+		u_int16_t counter;
+
+		permanent = charon->sim->provider_is_reauth(charon->sim, id,
+													mk, &counter);
+		if (permanent)
+		{
+			this->permanent->destroy(this->permanent);
+			this->permanent = permanent;
+			this->reauth = id;
+			return reauthenticate(this, mk, counter, out);
+		}
+		/* unable to map, maybe a pseudonym? */
+		DBG1(DBG_IKE, "'%Y' is not a reauth identity", id);
+		this->use_reauth = FALSE;
+	}
+	if (this->use_pseudonym)
+	{
+		permanent = charon->sim->provider_is_pseudonym(charon->sim, id);
+		if (permanent)
+		{
+			this->permanent->destroy(this->permanent);
+			this->permanent = permanent;
+			this->pseudonym = id->clone(id);
+			/* we already have a new permanent identity now */
+			this->use_permanent = FALSE;
+		}
+		else
+		{
+			DBG1(DBG_IKE, "'%Y' is not a pseudonym", id);
+		}
+	}
+	if (!this->pseudonym && this->use_permanent)
+	{
+		/* got a permanent identity or a pseudonym reauth id wou couldn't map,
+		 * try to get quintuplets */
+		DBG1(DBG_IKE, "received identity '%Y'", id);
+		this->permanent->destroy(this->permanent);
+		this->permanent = id->clone(id);
+	}
+	id->destroy(id);
+
+	return challenge(this, out);
+}
+
+/**
+ * Process EAP-AKA/Response/Challenge message
+ */
+static status_t process_challenge(private_eap_aka_server_t *this,
+								  simaka_message_t *in)
+{
+	enumerator_t *enumerator;
+	simaka_attribute_t type;
+	chunk_t data, res = chunk_empty;
+
+	if (this->pending != AKA_CHALLENGE)
+	{
+		DBG1(DBG_IKE, "received %N, but not expected",
+			 simaka_subtype_names, AKA_CHALLENGE);
+		return FAILED;
+	}
+	/* verify MAC of EAP message, AT_MAC */
+	if (!in->verify(in, chunk_empty))
+	{
+		return FAILED;
+	}
+	enumerator = in->create_attribute_enumerator(in);
+	while (enumerator->enumerate(enumerator, &type, &data))
+	{
+		switch (type)
+		{
+			case AT_RES:
+				res = data;
+				break;
+			default:
+				if (!simaka_attribute_skippable(type))
+				{
+					enumerator->destroy(enumerator);
+					return FAILED;
+				}
+				break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	/* compare received RES against stored XRES */
+	if (!chunk_equals(res, this->xres))
+	{
+		DBG1(DBG_IKE, "received RES does not match XRES");
+		return FAILED;
+	}
+	return SUCCESS;
+}
+
+/**
+ * process an EAP-AKA/Response/Reauthentication message
+ */
+static status_t process_reauthentication(private_eap_aka_server_t *this,
+									simaka_message_t *in, eap_payload_t **out)
+{
+	enumerator_t *enumerator;
+	simaka_attribute_t type;
+	chunk_t data, counter = chunk_empty;
+	bool too_small = FALSE;
+
+	if (this->pending != AKA_REAUTHENTICATION)
+	{
+		DBG1(DBG_IKE, "received %N, but not expected",
+			 simaka_subtype_names, AKA_REAUTHENTICATION);
+		return FAILED;
+	}
+	/* verify AT_MAC attribute, signature is over "EAP packet | NONCE_S"  */
+	if (!in->verify(in, this->nonce))
+	{
+		return FAILED;
+	}
+
+	enumerator = in->create_attribute_enumerator(in);
+	while (enumerator->enumerate(enumerator, &type, &data))
+	{
+		switch (type)
+		{
+			case AT_COUNTER:
+				counter = data;
+				break;
+			case AT_COUNTER_TOO_SMALL:
+				too_small = TRUE;
+				break;
+			default:
+				if (!simaka_attribute_skippable(type))
+				{
+					enumerator->destroy(enumerator);
+					return FAILED;
+				}
+				break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	if (too_small)
+	{
+		DBG1(DBG_IKE, "received %N, initiating full authentication",
+			 simaka_attribute_names, AT_COUNTER_TOO_SMALL);
+		this->use_reauth = FALSE;
+		this->crypto->clear_keys(this->crypto);
+		return challenge(this, out);
+	}
+	if (!chunk_equals(counter, this->counter))
+	{
+		DBG1(DBG_IKE, "received counter does not match");
+		return FAILED;
+	}
+	return SUCCESS;
+}
+
+/**
+ * Process EAP-AKA/Response/SynchronizationFailure message
+ */
+static status_t process_synchronize(private_eap_aka_server_t *this,
+									simaka_message_t *in, eap_payload_t **out)
+{
+	enumerator_t *enumerator;
+	simaka_attribute_t type;
+	chunk_t data, auts = chunk_empty;
+
+	if (this->synchronized)
+	{
+		DBG1(DBG_IKE, "received %N, but peer did already resynchronize",
+			 simaka_subtype_names, AKA_SYNCHRONIZATION_FAILURE);
+		return FAILED;
+	}
+
+	DBG1(DBG_IKE, "received synchronization request, retrying...");
+
+	enumerator = in->create_attribute_enumerator(in);
+	while (enumerator->enumerate(enumerator, &type, &data))
+	{
+		switch (type)
+		{
+			case AT_AUTS:
+				auts = data;
+				break;
+			default:
+				if (!simaka_attribute_skippable(type))
+				{
+					enumerator->destroy(enumerator);
+					return FAILED;
+				}
+				break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	if (!auts.len)
+	{
+		DBG1(DBG_IKE, "synchronization request didn't contain usable AUTS");
+		return FAILED;
+	}
+
+	if (!charon->sim->provider_resync(charon->sim, this->permanent,
+									  this->rand.ptr, auts.ptr))
+	{
+		DBG1(DBG_IKE, "no AKA provider found supporting "
+			 "resynchronization for '%Y'", this->permanent);
+		return FAILED;
+	}
+	this->synchronized = TRUE;
+	return challenge(this, out);
+}
+
+/**
+ * Process EAP-AKA/Response/ClientErrorCode message
+ */
+static status_t process_client_error(private_eap_aka_server_t *this,
+									 simaka_message_t *in)
+{
+	enumerator_t *enumerator;
+	simaka_attribute_t type;
+	chunk_t data;
+
+	enumerator = in->create_attribute_enumerator(in);
+	while (enumerator->enumerate(enumerator, &type, &data))
+	{
+		if (type == AT_CLIENT_ERROR_CODE)
+		{
+			u_int16_t code;
+
+			memcpy(&code, data.ptr, sizeof(code));
+			DBG1(DBG_IKE, "received EAP-AKA client error '%N'",
+				 simaka_client_error_names, ntohs(code));
+		}
+		else if (!simaka_attribute_skippable(type))
+		{
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return FAILED;
+}
+
+/**
+ * Process EAP-AKA/Response/AuthenticationReject message
+ */
+static status_t process_authentication_reject(private_eap_aka_server_t *this,
+											  simaka_message_t *in)
+{
+	DBG1(DBG_IKE, "received %N, authentication failed",
+		 simaka_subtype_names, in->get_subtype(in));
+	return FAILED;
+}
+
+/**
+ * Implementation of eap_method_t.process
+ */
+static status_t process(private_eap_aka_server_t *this,
+						eap_payload_t *in, eap_payload_t **out)
+{
+	simaka_message_t *message;
+	status_t status;
+
+	message = simaka_message_create_from_payload(in, this->crypto);
+	if (!message)
+	{
+		return FAILED;
+	}
+	if (!message->parse(message))
+	{
+		message->destroy(message);
+		return FAILED;
+	}
+	switch (message->get_subtype(message))
+	{
+		case AKA_IDENTITY:
+			status = process_identity(this, message, out);
+			break;
+		case AKA_CHALLENGE:
+			status = process_challenge(this, message);
+			break;
+		case AKA_REAUTHENTICATION:
+			status = process_reauthentication(this, message, out);
+			break;
+		case AKA_SYNCHRONIZATION_FAILURE:
+			status = process_synchronize(this, message, out);
+			break;
+		case AKA_CLIENT_ERROR:
+			status = process_client_error(this, message);
+			break;
+		case AKA_AUTHENTICATION_REJECT:
+			status = process_authentication_reject(this, message);
+			break;
+		default:
+			DBG1(DBG_IKE, "unable to process EAP-AKA subtype %N",
+				 simaka_subtype_names, message->get_subtype(message));
+			status = FAILED;
+			break;
+	}
+	message->destroy(message);
+	return status;
+}
+
+/**
+ * Implementation of eap_method_t.get_type.
+ */
+static eap_type_t get_type(private_eap_aka_server_t *this, u_int32_t *vendor)
+{
+	*vendor = 0;
+	return EAP_AKA;
+}
+
+/**
+ * Implementation of eap_method_t.get_msk.
+ */
+static status_t get_msk(private_eap_aka_server_t *this, chunk_t *msk)
+{
+	if (this->msk.ptr)
+	{
+		*msk = this->msk;
+		return SUCCESS;
+	}
+	return FAILED;
+}
+
+/**
+ * Implementation of eap_method_t.is_mutual.
+ */
+static bool is_mutual(private_eap_aka_server_t *this)
+{
+	return TRUE;
+}
+
+/**
+ * Implementation of eap_method_t.destroy.
+ */
+static void destroy(private_eap_aka_server_t *this)
+{
+	this->crypto->destroy(this->crypto);
+	this->permanent->destroy(this->permanent);
+	DESTROY_IF(this->pseudonym);
+	DESTROY_IF(this->reauth);
+	free(this->xres.ptr);
+	free(this->rand.ptr);
+	free(this->nonce.ptr);
+	free(this->msk.ptr);
+	free(this->counter.ptr);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+eap_aka_server_t *eap_aka_server_create(identification_t *server,
+										identification_t *peer)
+{
+	private_eap_aka_server_t *this = malloc_thing(private_eap_aka_server_t);
+
+	this->public.interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate;
+	this->public.interface.process = (status_t(*)(eap_method_t*,eap_payload_t*,eap_payload_t**))process;
+	this->public.interface.get_type = (eap_type_t(*)(eap_method_t*,u_int32_t*))get_type;
+	this->public.interface.is_mutual = (bool(*)(eap_method_t*))is_mutual;
+	this->public.interface.get_msk = (status_t(*)(eap_method_t*,chunk_t*))get_msk;
+	this->public.interface.destroy = (void(*)(eap_method_t*))destroy;
+
+	this->crypto = simaka_crypto_create();
+	if (!this->crypto)
+	{
+		free(this);
+		return NULL;
+	}
+	this->permanent = peer->clone(peer);
+	this->pseudonym = NULL;
+	this->reauth = NULL;
+	this->xres = chunk_empty;
+	this->rand = chunk_empty;
+	this->nonce = chunk_empty;
+	this->msk = chunk_empty;
+	this->counter = chunk_empty;
+	this->pending = 0;
+	this->synchronized = FALSE;
+	this->use_reauth = this->use_pseudonym = this->use_permanent =
+		lib->settings->get_bool(lib->settings,
+								"charon.plugins.eap-aka.request_identity", TRUE);
+	/* generate a non-zero identifier */
+	do {
+		this->identifier = random();
+	} while (!this->identifier);
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/plugins/eap_aka/eap_aka_server.h b/src/libcharon/plugins/eap_aka/eap_aka_server.h
new file mode 100644
index 000000000..d48fc4c34
--- /dev/null
+++ b/src/libcharon/plugins/eap_aka/eap_aka_server.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2008-2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_aka_server eap_aka_server
+ * @{ @ingroup eap_aka
+ */
+
+#ifndef EAP_AKA_SERVER_H_
+#define EAP_AKA_SERVER_H_
+
+typedef struct eap_aka_server_t eap_aka_server_t;
+
+#include <sa/authenticators/eap/eap_method.h>
+
+/**
+ * Implementation of the eap_method_t interface using EAP-AKA as server.
+ */
+struct eap_aka_server_t {
+
+	/**
+	 * Implemented eap_method_t interface.
+	 */
+	eap_method_t interface;
+};
+
+/**
+ * Creates the server implementation of the EAP method EAP-AKA.
+ *
+ * @param server	ID of the EAP server
+ * @param peer		ID of the EAP client
+ * @return			eap_aka_server_t object
+ */
+eap_aka_server_t *eap_aka_server_create(identification_t *server,
+										identification_t *peer);
+
+#endif /** EAP_AKA_SERVER_H_ @}*/
diff --git a/src/libcharon/plugins/eap_aka_3gpp2/Makefile.am b/src/libcharon/plugins/eap_aka_3gpp2/Makefile.am
new file mode 100644
index 000000000..598799e2a
--- /dev/null
+++ b/src/libcharon/plugins/eap_aka_3gpp2/Makefile.am
@@ -0,0 +1,20 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-eap-aka-3gpp2.la
+else
+plugin_LTLIBRARIES = libstrongswan-eap-aka-3gpp2.la
+endif
+
+libstrongswan_eap_aka_3gpp2_la_SOURCES = \
+	eap_aka_3gpp2_plugin.h eap_aka_3gpp2_plugin.c \
+	eap_aka_3gpp2_card.h eap_aka_3gpp2_card.c \
+	eap_aka_3gpp2_provider.h eap_aka_3gpp2_provider.c \
+	eap_aka_3gpp2_functions.h eap_aka_3gpp2_functions.c
+
+libstrongswan_eap_aka_3gpp2_la_LDFLAGS = -module -avoid-version
+libstrongswan_eap_aka_3gpp2_la_LIBADD  = -lgmp
diff --git a/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in b/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in
new file mode 100644
index 000000000..d0b0f5601
--- /dev/null
+++ b/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in
@@ -0,0 +1,596 @@
+# Makefile.in generated by automake 1.11 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libcharon/plugins/eap_aka_3gpp2
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_eap_aka_3gpp2_la_DEPENDENCIES =
+am_libstrongswan_eap_aka_3gpp2_la_OBJECTS = eap_aka_3gpp2_plugin.lo \
+	eap_aka_3gpp2_card.lo eap_aka_3gpp2_provider.lo \
+	eap_aka_3gpp2_functions.lo
+libstrongswan_eap_aka_3gpp2_la_OBJECTS =  \
+	$(am_libstrongswan_eap_aka_3gpp2_la_OBJECTS)
+libstrongswan_eap_aka_3gpp2_la_LINK = $(LIBTOOL) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_eap_aka_3gpp2_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_eap_aka_3gpp2_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_eap_aka_3gpp2_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_eap_aka_3gpp2_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_eap_aka_3gpp2_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libhydra_plugins = @libhydra_plugins@
+libstrongswan_plugins = @libstrongswan_plugins@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-eap-aka-3gpp2.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-eap-aka-3gpp2.la
+libstrongswan_eap_aka_3gpp2_la_SOURCES = \
+	eap_aka_3gpp2_plugin.h eap_aka_3gpp2_plugin.c \
+	eap_aka_3gpp2_card.h eap_aka_3gpp2_card.c \
+	eap_aka_3gpp2_provider.h eap_aka_3gpp2_provider.c \
+	eap_aka_3gpp2_functions.h eap_aka_3gpp2_functions.c
+
+libstrongswan_eap_aka_3gpp2_la_LDFLAGS = -module -avoid-version
+libstrongswan_eap_aka_3gpp2_la_LIBADD = -lgmp
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/eap_aka_3gpp2/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libcharon/plugins/eap_aka_3gpp2/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-eap-aka-3gpp2.la: $(libstrongswan_eap_aka_3gpp2_la_OBJECTS) $(libstrongswan_eap_aka_3gpp2_la_DEPENDENCIES) 
+	$(libstrongswan_eap_aka_3gpp2_la_LINK) $(am_libstrongswan_eap_aka_3gpp2_la_rpath) $(libstrongswan_eap_aka_3gpp2_la_OBJECTS) $(libstrongswan_eap_aka_3gpp2_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_aka_3gpp2_card.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_aka_3gpp2_functions.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_aka_3gpp2_plugin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_aka_3gpp2_provider.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_card.c b/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_card.c
new file mode 100644
index 000000000..5c0fe38ad
--- /dev/null
+++ b/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_card.c
@@ -0,0 +1,178 @@
+/*
+ * Copyright (C) 2008-2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_aka_3gpp2_card.h"
+
+#include <daemon.h>
+
+typedef struct private_eap_aka_3gpp2_card_t private_eap_aka_3gpp2_card_t;
+
+/**
+ * Private data of an eap_aka_3gpp2_card_t object.
+ */
+struct private_eap_aka_3gpp2_card_t {
+
+	/**
+	 * Public eap_aka_3gpp2_card_t interface.
+	 */
+	eap_aka_3gpp2_card_t public;
+
+	/**
+	 * AKA functions
+	 */
+	eap_aka_3gpp2_functions_t *f;
+
+	/**
+	 * do sequence number checking?
+	 */
+	bool seq_check;
+
+	/**
+	 * SQN stored in this pseudo-USIM
+	 */
+	char sqn[AKA_SQN_LEN];
+};
+
+/**
+ * Functions from eap_aka_3gpp2_provider.c
+ */
+bool eap_aka_3gpp2_get_k(identification_t *id, char k[AKA_K_LEN]);
+void eap_aka_3gpp2_get_sqn(char sqn[AKA_SQN_LEN], int offset);
+
+/**
+ * Implementation of sim_card_t.get_quintuplet
+ */
+static status_t get_quintuplet(private_eap_aka_3gpp2_card_t *this,
+							   identification_t *id, char rand[AKA_RAND_LEN],
+							   char autn[AKA_AUTN_LEN], char ck[AKA_CK_LEN],
+							   char ik[AKA_IK_LEN], char res[AKA_RES_MAX],
+							   int *res_len)
+{
+	char *amf, *mac;
+	char k[AKA_K_LEN], ak[AKA_AK_LEN], sqn[AKA_SQN_LEN], xmac[AKA_MAC_LEN];
+
+	if (!eap_aka_3gpp2_get_k(id, k))
+	{
+		DBG1(DBG_IKE, "no EAP key found for %Y to authenticate with AKA", id);
+		return FAILED;
+	}
+
+	/* AUTN = SQN xor AK | AMF | MAC */
+	DBG3(DBG_IKE, "received autn %b", autn, AKA_AUTN_LEN);
+	DBG3(DBG_IKE, "using K %b", k, AKA_K_LEN);
+	DBG3(DBG_IKE, "using rand %b", rand, AKA_RAND_LEN);
+	memcpy(sqn, autn, AKA_SQN_LEN);
+	amf = autn + AKA_SQN_LEN;
+	mac = autn + AKA_SQN_LEN + AKA_AMF_LEN;
+
+	/* XOR anonymity key AK into SQN to decrypt it */
+	this->f->f5(this->f, k, rand, ak);
+	DBG3(DBG_IKE, "using ak %b", ak, AKA_AK_LEN);
+	memxor(sqn, ak, AKA_SQN_LEN);
+	DBG3(DBG_IKE, "using sqn %b", sqn, AKA_SQN_LEN);
+
+	/* calculate expected MAC and compare against received one */
+	this->f->f1(this->f, k, rand, sqn, amf, xmac);
+	if (!memeq(mac, xmac, AKA_MAC_LEN))
+	{
+		DBG1(DBG_IKE, "received MAC does not match XMAC");
+		DBG3(DBG_IKE, "MAC %b\nXMAC %b", mac, AKA_MAC_LEN, xmac, AKA_MAC_LEN);
+		return FAILED;
+	}
+
+	if (this->seq_check && memcmp(this->sqn, sqn, AKA_SQN_LEN) >= 0)
+	{
+		DBG3(DBG_IKE, "received SQN %b\ncurrent SQN %b",
+			 sqn, AKA_SQN_LEN, this->sqn, AKA_SQN_LEN);
+		return INVALID_STATE;
+	}
+
+	/* update stored SQN to the received one */
+	memcpy(this->sqn, sqn, AKA_SQN_LEN);
+
+	/* CK/IK */
+	this->f->f3(this->f, k, rand, ck);
+	this->f->f4(this->f, k, rand, ik);
+	/* calculate RES */
+	this->f->f2(this->f, k, rand, res);
+	*res_len = AKA_RES_MAX;
+
+	return SUCCESS;
+}
+
+/**
+ * Implementation of sim_card_t.resync
+ */
+static bool resync(private_eap_aka_3gpp2_card_t *this, identification_t *id,
+				   char rand[AKA_RAND_LEN], char auts[AKA_AUTS_LEN])
+{
+	char amf[AKA_AMF_LEN], k[AKA_K_LEN], aks[AKA_AK_LEN], macs[AKA_MAC_LEN];
+
+	if (!eap_aka_3gpp2_get_k(id, k))
+	{
+		DBG1(DBG_IKE, "no EAP key found for %Y to resync AKA", id);
+		return FALSE;
+	}
+
+	/* AMF is set to zero in resync */
+	memset(amf, 0, AKA_AMF_LEN);
+	this->f->f5star(this->f, k, rand, aks);
+	this->f->f1star(this->f, k, rand, this->sqn, amf, macs);
+	/* AUTS = SQN xor AKS | MACS */
+	memcpy(auts, this->sqn, AKA_SQN_LEN);
+	memxor(auts, aks, AKA_AK_LEN);
+	memcpy(auts + AKA_AK_LEN, macs, AKA_MAC_LEN);
+
+	return TRUE;
+}
+
+/**
+ * Implementation of eap_aka_3gpp2_card_t.destroy.
+ */
+static void destroy(private_eap_aka_3gpp2_card_t *this)
+{
+	free(this);
+}
+
+/**
+ * See header
+ */
+eap_aka_3gpp2_card_t *eap_aka_3gpp2_card_create(eap_aka_3gpp2_functions_t *f)
+{
+	private_eap_aka_3gpp2_card_t *this = malloc_thing(private_eap_aka_3gpp2_card_t);
+
+	this->public.card.get_triplet = (bool(*)(sim_card_t*, identification_t *id, char rand[SIM_RAND_LEN], char sres[SIM_SRES_LEN], char kc[SIM_KC_LEN]))return_false;
+	this->public.card.get_quintuplet = (status_t(*)(sim_card_t*, identification_t *id, char rand[AKA_RAND_LEN], char autn[AKA_AUTN_LEN], char ck[AKA_CK_LEN], char ik[AKA_IK_LEN], char res[AKA_RES_MAX], int *res_len))get_quintuplet;
+	this->public.card.resync = (bool(*)(sim_card_t*, identification_t *id, char rand[AKA_RAND_LEN], char auts[AKA_AUTS_LEN]))resync;
+	this->public.card.get_pseudonym = (identification_t*(*)(sim_card_t*, identification_t *id))return_null;
+	this->public.card.set_pseudonym = (void(*)(sim_card_t*, identification_t *id, identification_t *pseudonym))nop;
+	this->public.card.get_reauth = (identification_t*(*)(sim_card_t*, identification_t *id, char mk[HASH_SIZE_SHA1], u_int16_t *counter))return_null;
+	this->public.card.set_reauth = (void(*)(sim_card_t*, identification_t *id, identification_t* next, char mk[HASH_SIZE_SHA1], u_int16_t counter))nop;
+	this->public.destroy = (void(*)(eap_aka_3gpp2_card_t*))destroy;
+
+	this->f = f;
+	this->seq_check = lib->settings->get_bool(lib->settings,
+									"charon.plugins.eap-aka-3gpp2.seq_check",
+#ifdef SEQ_CHECK /* handle legacy compile time configuration as default */
+									TRUE);
+#else /* !SEQ_CHECK */
+									FALSE);
+#endif /* SEQ_CHECK */
+
+	eap_aka_3gpp2_get_sqn(this->sqn, 0);
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_card.h b/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_card.h
new file mode 100644
index 000000000..b95bc52af
--- /dev/null
+++ b/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_card.h
@@ -0,0 +1,53 @@
+/*
+ * Copyright (C) 2008-2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_aka_3gpp2_card eap_aka_3gpp2_card
+ * @{ @ingroup eap_aka_3gpp2
+ */
+
+#ifndef EAP_AKA_3GPP2_CARD_H_
+#define EAP_AKA_3GPP2_CARD_H_
+
+#include "eap_aka_3gpp2_functions.h"
+
+#include <sa/authenticators/eap/sim_manager.h>
+
+typedef struct eap_aka_3gpp2_card_t eap_aka_3gpp2_card_t;
+
+/**
+ * SIM card implementation using a set of AKA functions.
+ */
+struct eap_aka_3gpp2_card_t {
+
+	/**
+	 * Implements sim_card_t interface
+	 */
+	sim_card_t card;
+
+	/**
+	 * Destroy a eap_aka_3gpp2_card_t.
+	 */
+	void (*destroy)(eap_aka_3gpp2_card_t *this);
+};
+
+/**
+ * Create a eap_aka_3gpp2_card instance.
+ *
+ * @param f		AKA functions
+ */
+eap_aka_3gpp2_card_t *eap_aka_3gpp2_card_create(eap_aka_3gpp2_functions_t *f);
+
+#endif /** EAP_AKA_3GPP2_CARD_H_ @}*/
diff --git a/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_functions.c b/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_functions.c
new file mode 100644
index 000000000..1d3d246d1
--- /dev/null
+++ b/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_functions.c
@@ -0,0 +1,394 @@
+/*
+ * Copyright (C) 2008-2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_aka_3gpp2_functions.h"
+
+#include <gmp.h>
+#include <limits.h>
+
+#include <daemon.h>
+
+typedef struct private_eap_aka_3gpp2_functions_t private_eap_aka_3gpp2_functions_t;
+
+/**
+ * Private data of an eap_aka_3gpp2_functions_t object.
+ */
+struct private_eap_aka_3gpp2_functions_t {
+
+	/**
+	 * Public eap_aka_3gpp2_functions_t interface.
+	 */
+	eap_aka_3gpp2_functions_t public;
+
+	/**
+	 * Used keyed SHA1 function, as PRF
+	 */
+	prf_t *prf;
+};
+
+#define AKA_PAYLOAD_LEN 64
+
+#define F1			  0x42
+#define F1STAR		  0x43
+#define F2			  0x44
+#define F3			  0x45
+#define F4			  0x46
+#define F5			  0x47
+#define F5STAR		  0x48
+
+/** Family key, as proposed in S.S0055 */
+static chunk_t fmk = chunk_from_chars(0x41, 0x48, 0x41, 0x47);
+
+/**
+ * Binary represnation of the polynom T^160 + T^5 + T^3 + T^2 + 1
+ */
+static u_int8_t g[] = {
+	0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x2d
+};
+
+/**
+ * Predefined random bits from the RAND Corporation book
+ */
+static u_int8_t a[] = {
+	0x9d, 0xe9, 0xc9, 0xc8, 0xef, 0xd5, 0x78, 0x11,
+	0x48, 0x23, 0x14, 0x01, 0x90, 0x1f, 0x2d, 0x49,
+	0x3f, 0x4c, 0x63, 0x65
+};
+
+/**
+ * Predefined random bits from the RAND Corporation book
+ */
+static u_int8_t b[] = {
+	0x75, 0xef, 0xd1, 0x5c, 0x4b, 0x8f, 0x8f, 0x51,
+	0x4e, 0xf3, 0xbc, 0xc3, 0x79, 0x4a, 0x76, 0x5e,
+	0x7e, 0xec, 0x45, 0xe0
+};
+
+/**
+ * Multiplicate two mpz_t with bits interpreted as polynoms.
+ */
+static void mpz_mul_poly(mpz_t r, mpz_t a, mpz_t b)
+{
+	mpz_t bm, rm;
+	int current = 0, shifted = 0, shift;
+
+	mpz_init_set(bm, b);
+	mpz_init_set_ui(rm, 0);
+	/* scan through a, for each found bit: */
+	while ((current = mpz_scan1(a, current)) != ULONG_MAX)
+	{
+		/* XOR shifted b into r */
+		shift = current - shifted;
+		mpz_mul_2exp(bm, bm, shift);
+		shifted += shift;
+		mpz_xor(rm, rm, bm);
+		current++;
+	}
+
+	mpz_swap(r, rm);
+	mpz_clear(rm);
+	mpz_clear(bm);
+}
+
+/**
+ * Calculate the sum of a + b interpreted as polynoms.
+ */
+static void mpz_add_poly(mpz_t res, mpz_t a, mpz_t b)
+{
+	/* addition of polynominals is just the XOR */
+	mpz_xor(res, a, b);
+}
+
+/**
+ * Calculate the remainder of a/b interpreted as polynoms.
+ */
+static void mpz_mod_poly(mpz_t r, mpz_t a, mpz_t b)
+{
+	/* Example:
+	 * a = 10001010
+	 * b = 00000101
+	 */
+	int a_bit, b_bit, diff;
+	mpz_t bm, am;
+
+	mpz_init_set(am, a);
+	mpz_init(bm);
+
+	a_bit = mpz_sizeinbase(a, 2);
+	b_bit = mpz_sizeinbase(b, 2);
+
+	/* don't do anything if b > a */
+	if (a_bit >= b_bit)
+	{
+		/* shift b left to align up most signaficant "1" to a:
+		 * a = 10001010
+		 * b = 10100000
+		 */
+		mpz_mul_2exp(bm, b, a_bit - b_bit);
+		do
+		{
+			/* XOR b into a, this kills the most significant "1":
+			 * a = 00101010
+			 */
+			mpz_xor(am, am, bm);
+			/* find the next most significant "1" in a, and align up b:
+			 * a = 00101010
+			 * b = 00101000
+			 */
+			diff = a_bit - mpz_sizeinbase(am, 2);
+			mpz_div_2exp(bm, bm, diff);
+			a_bit -= diff;
+		}
+		while (b_bit <= mpz_sizeinbase(bm, 2));
+		/* While b is not shifted to its original value */
+	}
+	/* after another iteration:
+	 * a = 00000010
+	 * which is the polynomial modulo
+	 */
+
+	mpz_swap(r, am);
+	mpz_clear(am);
+	mpz_clear(bm);
+}
+
+/**
+ * Step 3 of the various fx() functions:
+ * XOR the key into the SHA1 IV
+ */
+static void step3(prf_t *prf, u_char k[AKA_K_LEN],
+				  u_char payload[AKA_PAYLOAD_LEN], u_int8_t h[HASH_SIZE_SHA1])
+{
+	/* use the keyed hasher to build the hash */
+	prf->set_key(prf, chunk_create(k, AKA_K_LEN));
+	prf->get_bytes(prf, chunk_create(payload, AKA_PAYLOAD_LEN), h);
+}
+
+/**
+ * Step 4 of the various fx() functions:
+ * Polynomial whiten calculations
+ */
+static void step4(u_char x[HASH_SIZE_SHA1])
+{
+	mpz_t xm, am, bm, gm;
+
+	mpz_init(xm);
+	mpz_init(am);
+	mpz_init(bm);
+	mpz_init(gm);
+
+	mpz_import(xm, HASH_SIZE_SHA1, 1, 1, 1, 0, x);
+	mpz_import(am, sizeof(a), 1, 1, 1, 0, a);
+	mpz_import(bm, sizeof(b), 1, 1, 1, 0, b);
+	mpz_import(gm, sizeof(g), 1, 1, 1, 0, g);
+
+	mpz_mul_poly(xm, am, xm);
+	mpz_add_poly(xm, bm, xm);
+	mpz_mod_poly(xm, xm, gm);
+
+	mpz_export(x, NULL, 1, HASH_SIZE_SHA1, 1, 0, xm);
+
+	mpz_clear(xm);
+	mpz_clear(am);
+	mpz_clear(bm);
+	mpz_clear(gm);
+}
+
+/**
+ * Calculation function for f2(), f3(), f4()
+ */
+static void fx(prf_t *prf, u_char f, u_char k[AKA_K_LEN],
+			   u_char rand[AKA_RAND_LEN], u_char out[AKA_MAC_LEN])
+{
+	u_char payload[AKA_PAYLOAD_LEN];
+	u_char h[HASH_SIZE_SHA1];
+	u_char i;
+
+	for (i = 0; i < 2; i++)
+	{
+		memset(payload, 0x5c, AKA_PAYLOAD_LEN);
+		payload[11] ^= f;
+		memxor(payload + 12, fmk.ptr, fmk.len);
+		memxor(payload + 24, rand, AKA_RAND_LEN);
+
+		payload[3]  ^= i;
+		payload[19] ^= i;
+		payload[35] ^= i;
+		payload[51] ^= i;
+
+		step3(prf, k, payload, h);
+		step4(h);
+		memcpy(out + i * 8, h, 8);
+	}
+}
+
+/**
+ * Calculation function of f1() and f1star()
+ */
+static void f1x(prf_t *prf, u_int8_t f, u_char k[AKA_K_LEN],
+				u_char rand[AKA_RAND_LEN], u_char sqn[AKA_SQN_LEN],
+				u_char amf[AKA_AMF_LEN], u_char mac[AKA_MAC_LEN])
+{
+	/* generate MAC = f1(FMK, SQN, RAND, AMF)
+	 * K is loaded into hashers IV; FMK, RAND, SQN, AMF are XORed in a 512-bit
+	 * payload which gets hashed
+	 */
+	u_char payload[AKA_PAYLOAD_LEN];
+	u_char h[HASH_SIZE_SHA1];
+
+	memset(payload, 0x5c, AKA_PAYLOAD_LEN);
+	payload[11] ^= f;
+	memxor(payload + 12, fmk.ptr, fmk.len);
+	memxor(payload + 16, rand, AKA_RAND_LEN);
+	memxor(payload + 34, sqn, AKA_SQN_LEN);
+	memxor(payload + 42, amf, AKA_AMF_LEN);
+
+	step3(prf, k, payload, h);
+	step4(h);
+	memcpy(mac, h, AKA_MAC_LEN);
+}
+
+/**
+ * Calculation function of f5() and f5star()
+ */
+static void f5x(prf_t *prf, u_char f, u_char k[AKA_K_LEN],
+				u_char rand[AKA_RAND_LEN], u_char ak[AKA_AK_LEN])
+{
+	u_char payload[AKA_PAYLOAD_LEN];
+	u_char h[HASH_SIZE_SHA1];
+
+	memset(payload, 0x5c, AKA_PAYLOAD_LEN);
+	payload[11] ^= f;
+	memxor(payload + 12, fmk.ptr, fmk.len);
+	memxor(payload + 16, rand, AKA_RAND_LEN);
+
+	step3(prf, k, payload, h);
+	step4(h);
+	memcpy(ak, h, AKA_AK_LEN);
+}
+
+/**
+ * Calculate MAC from RAND, SQN, AMF using K
+ */
+static void f1(private_eap_aka_3gpp2_functions_t *this, u_char k[AKA_K_LEN],
+			   u_char rand[AKA_RAND_LEN], u_char sqn[AKA_SQN_LEN],
+			   u_char amf[AKA_AMF_LEN], u_char mac[AKA_MAC_LEN])
+{
+	f1x(this->prf, F1, k, rand, sqn, amf, mac);
+	DBG3(DBG_IKE, "MAC %b", mac, AKA_MAC_LEN);
+}
+
+/**
+ * Calculate MACS from RAND, SQN, AMF using K
+ */
+static void f1star(private_eap_aka_3gpp2_functions_t *this, u_char k[AKA_K_LEN],
+				   u_char rand[AKA_RAND_LEN], u_char sqn[AKA_SQN_LEN],
+				   u_char amf[AKA_AMF_LEN], u_char macs[AKA_MAC_LEN])
+{
+	f1x(this->prf, F1STAR, k, rand, sqn, amf, macs);
+	DBG3(DBG_IKE, "MACS %b", macs, AKA_MAC_LEN);
+}
+
+/**
+ * Calculate RES from RAND using K
+ */
+static void f2(private_eap_aka_3gpp2_functions_t *this, u_char k[AKA_K_LEN],
+			   u_char rand[AKA_RAND_LEN], u_char res[AKA_RES_MAX])
+{
+	fx(this->prf, F2, k, rand, res);
+	DBG3(DBG_IKE, "RES %b", res, AKA_RES_MAX);
+}
+
+/**
+ * Calculate CK from RAND using K
+ */
+static void f3(private_eap_aka_3gpp2_functions_t *this, u_char k[AKA_K_LEN],
+			   u_char rand[AKA_RAND_LEN], u_char ck[AKA_CK_LEN])
+{
+	fx(this->prf, F3, k, rand, ck);
+	DBG3(DBG_IKE, "CK %b", ck, AKA_CK_LEN);
+}
+
+/**
+ * Calculate IK from RAND using K
+ */
+static void f4(private_eap_aka_3gpp2_functions_t *this, u_char k[AKA_K_LEN],
+			   u_char rand[AKA_RAND_LEN], u_char ik[AKA_IK_LEN])
+{
+	fx(this->prf, F4, k, rand, ik);
+	DBG3(DBG_IKE, "IK %b", ik, AKA_IK_LEN);
+}
+
+/**
+ * Calculate AK from a RAND using K
+ */
+static void f5(private_eap_aka_3gpp2_functions_t *this, u_char k[AKA_K_LEN],
+			   u_char rand[AKA_RAND_LEN], u_char ak[AKA_AK_LEN])
+{
+	f5x(this->prf, F5, k, rand, ak);
+	DBG3(DBG_IKE, "AK %b", ak, AKA_AK_LEN);
+}
+
+/**
+ * Calculate AKS from a RAND using K
+ */
+static void f5star(private_eap_aka_3gpp2_functions_t *this, u_char k[AKA_K_LEN],
+			   u_char rand[AKA_RAND_LEN], u_char aks[AKA_AK_LEN])
+{
+	f5x(this->prf, F5STAR, k, rand, aks);
+	DBG3(DBG_IKE, "AKS %b", aks, AKA_AK_LEN);
+}
+
+
+/**
+ * Implementation of eap_aka_3gpp2_functions_t.destroy.
+ */
+static void destroy(private_eap_aka_3gpp2_functions_t *this)
+{
+	this->prf->destroy(this->prf);
+	free(this);
+}
+
+/**
+ * See header
+ */
+eap_aka_3gpp2_functions_t *eap_aka_3gpp2_functions_create()
+{
+	private_eap_aka_3gpp2_functions_t *this;
+
+	this = malloc_thing(private_eap_aka_3gpp2_functions_t);
+
+	this->public.f1 = (void(*)(eap_aka_3gpp2_functions_t *this, u_char k[AKA_K_LEN], u_char rand[AKA_RAND_LEN], u_char sqn[AKA_SQN_LEN], u_char amf[AKA_AMF_LEN], u_char mac[AKA_MAC_LEN]))f1;
+	this->public.f1star = (void(*)(eap_aka_3gpp2_functions_t *this, u_char k[AKA_K_LEN], u_char rand[AKA_RAND_LEN], u_char sqn[AKA_SQN_LEN], u_char amf[AKA_AMF_LEN], u_char macs[AKA_MAC_LEN]))f1star;
+	this->public.f2 = (void(*)(eap_aka_3gpp2_functions_t *this, u_char k[AKA_K_LEN], u_char rand[AKA_RAND_LEN], u_char res[AKA_RES_MAX]))f2;
+	this->public.f3 = (void(*)(eap_aka_3gpp2_functions_t *this, u_char k[AKA_K_LEN], u_char rand[AKA_RAND_LEN], u_char ck[AKA_CK_LEN]))f3;
+	this->public.f4 = (void(*)(eap_aka_3gpp2_functions_t *this, u_char k[AKA_K_LEN], u_char rand[AKA_RAND_LEN], u_char ik[AKA_IK_LEN]))f4;
+	this->public.f5 = (void(*)(eap_aka_3gpp2_functions_t *this, u_char k[AKA_K_LEN], u_char rand[AKA_RAND_LEN], u_char ak[AKA_AK_LEN]))f5;
+	this->public.f5star = (void(*)(eap_aka_3gpp2_functions_t *this, u_char k[AKA_K_LEN], u_char rand[AKA_RAND_LEN], u_char aks[AKA_AK_LEN]))f5star;
+	this->public.destroy = (void(*)(eap_aka_3gpp2_functions_t*))destroy;
+
+	this->prf = lib->crypto->create_prf(lib->crypto, PRF_KEYED_SHA1);
+	if (!this->prf)
+	{
+		DBG1(DBG_CFG, "%N not supported, unable to use 3GPP2 algorithm",
+			 pseudo_random_function_names, PRF_KEYED_SHA1);
+		free(this);
+		return NULL;
+	}
+	return &this->public;
+}
+
diff --git a/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_functions.h b/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_functions.h
new file mode 100644
index 000000000..95c6da6a9
--- /dev/null
+++ b/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_functions.h
@@ -0,0 +1,125 @@
+/*
+ * Copyright (C) 2008-2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_aka_3gpp2_functions eap_aka_3gpp2_functions
+ * @{ @ingroup eap_aka_3gpp2
+ */
+
+#ifndef EAP_AKA_3GPP2_FUNCTIONS_H_
+#define EAP_AKA_3GPP2_FUNCTIONS_H_
+
+#include <sa/authenticators/eap/sim_manager.h>
+
+#define AKA_SQN_LEN		 6
+#define AKA_K_LEN		16
+#define AKA_MAC_LEN 	 8
+#define AKA_AK_LEN		 6
+#define AKA_AMF_LEN		 2
+#define AKA_FMK_LEN		 4
+
+typedef struct eap_aka_3gpp2_functions_t eap_aka_3gpp2_functions_t;
+
+/**
+ * f1-f5(), f1*() and f5*() functions from the 3GPP2 (S.S0055) standard.
+ */
+struct eap_aka_3gpp2_functions_t {
+
+	/**
+	 * Calculate MAC from RAND, SQN, AMF using K.
+	 *
+	 * @param k		secret key K
+	 * @param rand	random value rand
+	 * @param sqn	sequence number
+	 * @param amf	authentication management field
+	 * @param mac	buffer receiving mac MAC
+	 */
+	void (*f1)(eap_aka_3gpp2_functions_t *this, u_char k[AKA_K_LEN],
+				u_char rand[AKA_RAND_LEN], u_char sqn[AKA_SQN_LEN],
+				u_char amf[AKA_AMF_LEN], u_char mac[AKA_MAC_LEN]);
+
+	/**
+	 * Calculate MACS from RAND, SQN, AMF using K
+	 *
+	 * @param k		secret key K
+	 * @param rand	random value RAND
+	 * @param sqn	sequence number
+	 * @param amf	authentication management field
+	 * @param macs	buffer receiving resynchronization mac MACS
+	 */
+	void (*f1star)(eap_aka_3gpp2_functions_t *this, u_char k[AKA_K_LEN],
+				u_char rand[AKA_RAND_LEN], u_char sqn[AKA_SQN_LEN],
+				u_char amf[AKA_AMF_LEN], u_char macs[AKA_MAC_LEN]);
+
+	/**
+	 * Calculate RES from RAND using K
+	 *
+	 * @param k		secret key K
+	 * @param rand	random value RAND
+	 * @param res	buffer receiving result RES, uses full 128 bit
+	 */
+	void (*f2)(eap_aka_3gpp2_functions_t *this, u_char k[AKA_K_LEN],
+				u_char rand[AKA_RAND_LEN], u_char res[AKA_RES_MAX]);
+	/**
+	 * Calculate CK from RAND using K
+	 *
+	 * @param k		secret key K
+	 * @param rand	random value RAND
+	 * @param macs	buffer receiving encryption key CK
+	 */
+	void (*f3)(eap_aka_3gpp2_functions_t *this, u_char k[AKA_K_LEN],
+				u_char rand[AKA_RAND_LEN], u_char ck[AKA_CK_LEN]);
+	/**
+	 * Calculate IK from RAND using K
+	 *
+	 * @param k		secret key K
+	 * @param rand	random value RAND
+	 * @param macs	buffer receiving integrity key IK
+	 */
+	void (*f4)(eap_aka_3gpp2_functions_t *this, u_char k[AKA_K_LEN],
+				u_char rand[AKA_RAND_LEN], u_char ik[AKA_IK_LEN]);
+	/**
+	 * Calculate AK from a RAND using K
+	 *
+	 * @param k		secret key K
+	 * @param rand	random value RAND
+	 * @param macs	buffer receiving anonymity key AK
+	 */
+	void (*f5)(eap_aka_3gpp2_functions_t *this, u_char k[AKA_K_LEN],
+				u_char rand[AKA_RAND_LEN], u_char ak[AKA_AK_LEN]);
+	/**
+	 * Calculate AKS from a RAND using K
+	 *
+	 * @param k		secret key K
+	 * @param rand	random value RAND
+	 * @param macs	buffer receiving resynchronization anonymity key AKS
+	 */
+	void (*f5star)(eap_aka_3gpp2_functions_t *this, u_char k[AKA_K_LEN],
+				u_char rand[AKA_RAND_LEN], u_char aks[AKA_AK_LEN]);
+
+	/**
+	 * Destroy a eap_aka_3gpp2_functions_t.
+	 */
+	void (*destroy)(eap_aka_3gpp2_functions_t *this);
+};
+
+/**
+ * Create a eap_aka_3gpp2_functions instance.
+ *
+ * @return			function set, NULL on error
+ */
+eap_aka_3gpp2_functions_t *eap_aka_3gpp2_functions_create();
+
+#endif /** EAP_AKA_3GPP2_FUNCTIONS_H_ @}*/
diff --git a/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_plugin.c b/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_plugin.c
new file mode 100644
index 000000000..626e83311
--- /dev/null
+++ b/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_plugin.c
@@ -0,0 +1,87 @@
+/*
+ * Copyright (C) 2008-2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_aka_3gpp2_plugin.h"
+#include "eap_aka_3gpp2_card.h"
+#include "eap_aka_3gpp2_provider.h"
+#include "eap_aka_3gpp2_functions.h"
+
+#include <daemon.h>
+
+typedef struct private_eap_aka_3gpp2_t private_eap_aka_3gpp2_t;
+
+/**
+ * Private data of an eap_aka_3gpp2_t object.
+ */
+struct private_eap_aka_3gpp2_t {
+
+	/**
+	 * Public eap_aka_3gpp2_plugin_t interface.
+	 */
+	eap_aka_3gpp2_plugin_t public;
+
+	/**
+	 * SIM card
+	 */
+	eap_aka_3gpp2_card_t *card;
+
+	/**
+	 * SIM provider
+	 */
+	eap_aka_3gpp2_provider_t *provider;
+
+	/**
+	 * AKA functions
+	 */
+	eap_aka_3gpp2_functions_t *functions;
+};
+
+/**
+ * Implementation of eap_aka_3gpp2_t.destroy.
+ */
+static void destroy(private_eap_aka_3gpp2_t *this)
+{
+	charon->sim->remove_card(charon->sim, &this->card->card);
+	charon->sim->remove_provider(charon->sim, &this->provider->provider);
+	this->card->destroy(this->card);
+	this->provider->destroy(this->provider);
+	this->functions->destroy(this->functions);
+	free(this);
+}
+
+/**
+ * See header
+ */
+plugin_t *eap_aka_3gpp2_plugin_create()
+{
+	private_eap_aka_3gpp2_t *this = malloc_thing(private_eap_aka_3gpp2_t);
+
+	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+
+	this->functions = eap_aka_3gpp2_functions_create();
+	if (!this->functions)
+	{
+		free(this);
+		return NULL;
+	}
+	this->card = eap_aka_3gpp2_card_create(this->functions);
+	this->provider = eap_aka_3gpp2_provider_create(this->functions);
+
+	charon->sim->add_card(charon->sim, &this->card->card);
+	charon->sim->add_provider(charon->sim, &this->provider->provider);
+
+	return &this->public.plugin;
+}
+
diff --git a/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_plugin.h b/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_plugin.h
new file mode 100644
index 000000000..2ac450a7d
--- /dev/null
+++ b/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_plugin.h
@@ -0,0 +1,57 @@
+/*
+ * Copyright (C) 2008-2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_aka_3gpp2 eap_aka_3gpp2
+ * @ingroup cplugins
+ *
+ * @defgroup eap_aka_3gpp2_plugin eap_aka_3gpp2_plugin
+ * @{ @ingroup eap_aka_3gpp2
+ */
+
+#ifndef EAP_AKA_3GPP2_PLUGIN_H_
+#define EAP_AKA_3GPP2_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct eap_aka_3gpp2_plugin_t eap_aka_3gpp2_plugin_t;
+
+/**
+ * Plugin to provide a SIM card/provider using the 3GPP2 (S.S0055) standard.
+ *
+ * This plugin implements the standard of the 3GPP2 (S.S0055) and not the one
+ * of 3GGP, completely in software using the libgmp library..
+ * The shared key used for authentication is from ipsec.secrets. The
+ * peers ID is used to query it.
+ * The AKA mechanism uses sequence numbers to detect replay attacks. The
+ * peer stores the sequence number normally in a USIM and accepts
+ * incremental sequence numbers (incremental for lifetime of the USIM). To
+ * prevent a complex sequence number management, this implementation uses
+ * a sequence number derived from time. It is initialized to the startup
+ * time of the daemon.
+ * To enable time based SEQs, define SEQ_CHECK as 1. Default is to accept
+ * any SEQ numbers. This allows an attacker to do replay attacks. But since
+ * the server has proven his identity via IKE, such an attack is only
+ * possible between server and AAA (if any).
+ */
+struct eap_aka_3gpp2_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+#endif /** EAP_AKA_3GPP2_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_provider.c b/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_provider.c
new file mode 100644
index 000000000..9817fff8f
--- /dev/null
+++ b/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_provider.c
@@ -0,0 +1,204 @@
+/*
+ * Copyright (C) 2008-2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_aka_3gpp2_provider.h"
+
+#include <daemon.h>
+#include <credentials/keys/shared_key.h>
+
+typedef struct private_eap_aka_3gpp2_provider_t private_eap_aka_3gpp2_provider_t;
+
+/**
+ * Private data of an eap_aka_3gpp2_provider_t object.
+ */
+struct private_eap_aka_3gpp2_provider_t {
+
+	/**
+	 * Public eap_aka_3gpp2_provider_t interface.
+	 */
+	eap_aka_3gpp2_provider_t public;
+
+	/**
+	 * AKA functions
+	 */
+	eap_aka_3gpp2_functions_t *f;
+
+	/**
+	 * time based SQN, we use the same for all peers
+	 */
+	char sqn[AKA_SQN_LEN];
+};
+
+/** Authentication management field */
+static char amf[AKA_AMF_LEN] = {0x00, 0x01};
+
+/**
+ * Get a shared key K from the credential database
+ */
+bool eap_aka_3gpp2_get_k(identification_t *id, char k[AKA_K_LEN])
+{
+	shared_key_t *shared;
+	chunk_t key;
+
+	shared = charon->credentials->get_shared(charon->credentials,
+											 SHARED_EAP, id, NULL);
+	if (shared == NULL)
+	{
+		return FALSE;
+	}
+	key = shared->get_key(shared);
+	memset(k, '\0', AKA_K_LEN);
+	memcpy(k, key.ptr, min(key.len, AKA_K_LEN));
+	shared->destroy(shared);
+	return TRUE;
+}
+
+/**
+ * get SQN using current time
+ */
+void eap_aka_3gpp2_get_sqn(char sqn[AKA_SQN_LEN], int offset)
+{
+	timeval_t time;
+
+	gettimeofday(&time, NULL);
+	/* set sqn to an integer containing 4 bytes seconds + 2 bytes usecs */
+	time.tv_sec = htonl(time.tv_sec + offset);
+	/* usec's are never larger than 0x000f423f, so we shift the 12 first bits */
+	time.tv_usec = htonl(time.tv_usec << 12);
+	memcpy(sqn, (char*)&time.tv_sec + sizeof(time_t) - 4, 4);
+	memcpy(sqn + 4, &time.tv_usec, 2);
+}
+
+/**
+ * Implementation of usim_provider_t.get_quintuplet
+ */
+static bool get_quintuplet(private_eap_aka_3gpp2_provider_t *this,
+						   identification_t *id, char rand[AKA_RAND_LEN],
+						   char xres[AKA_RES_MAX], int *xres_len,
+						   char ck[AKA_CK_LEN], char ik[AKA_IK_LEN],
+						   char autn[AKA_AUTN_LEN])
+{
+	rng_t *rng;
+	char mac[AKA_MAC_LEN], ak[AKA_AK_LEN], k[AKA_K_LEN];
+
+	/* generate RAND: we use a registered RNG, not f0() proposed in S.S0055 */
+	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
+	if (!rng)
+	{
+		DBG1(DBG_IKE, "generating RAND for AKA failed");
+		return FALSE;
+	}
+	rng->get_bytes(rng, AKA_RAND_LEN, rand);
+	rng->destroy(rng);
+
+	if (!eap_aka_3gpp2_get_k(id, k))
+	{
+		DBG1(DBG_IKE, "no EAP key found for %Y to authenticate with AKA", id);
+		return FALSE;
+	}
+
+	DBG3(DBG_IKE, "generated rand %b", rand, AKA_RAND_LEN);
+	DBG3(DBG_IKE, "using K %b", k, AKA_K_LEN);
+
+	/* MAC */
+	this->f->f1(this->f, k, rand, this->sqn, amf, mac);
+	/* AK */
+	this->f->f5(this->f, k, rand, ak);
+	/* XRES as expected from client */
+	this->f->f2(this->f, k, rand, xres);
+	*xres_len = AKA_RES_MAX;
+	/* AUTN = (SQN xor AK) || AMF || MAC */
+	memcpy(autn, this->sqn, AKA_SQN_LEN);
+	memxor(autn, ak, AKA_AK_LEN);
+	memcpy(autn + AKA_SQN_LEN, amf, AKA_AMF_LEN);
+	memcpy(autn + AKA_SQN_LEN + AKA_AMF_LEN, mac, AKA_MAC_LEN);
+	DBG3(DBG_IKE, "AUTN %b", autn, AKA_AUTN_LEN);
+	/* CK/IK */
+	this->f->f3(this->f, k, rand, ck);
+	this->f->f4(this->f, k, rand, ik);
+
+	return TRUE;
+}
+
+/**
+ * Implementation of usim_provider_t.resync
+ */
+static bool resync(private_eap_aka_3gpp2_provider_t *this,
+				   identification_t *id, char rand[AKA_RAND_LEN],
+				   char auts[AKA_AUTS_LEN])
+{
+	char *sqn, *macs;
+	char aks[AKA_AK_LEN], k[AKA_K_LEN], amf[AKA_AMF_LEN], xmacs[AKA_MAC_LEN];
+
+	if (!eap_aka_3gpp2_get_k(id, k))
+	{
+		DBG1(DBG_IKE, "no EAP key found for %Y to authenticate with AKA", id);
+		return FALSE;
+	}
+
+	/* AUTHS = (AK xor SQN) | MAC */
+	sqn = auts;
+	macs = auts + AKA_SQN_LEN;
+	this->f->f5star(this->f, k, rand, aks);
+	memxor(sqn, aks, AKA_AK_LEN);
+
+	/* verify XMACS, AMF of zero is used in resynchronization */
+	memset(amf, 0, AKA_AMF_LEN);
+	this->f->f1star(this->f, k, rand, sqn, amf, xmacs);
+	if (!memeq(macs, xmacs, AKA_MAC_LEN))
+	{
+		DBG1(DBG_IKE, "received MACS does not match XMACS");
+		DBG3(DBG_IKE, "MACS %b XMACS %b",
+			 macs, AKA_MAC_LEN, xmacs, AKA_MAC_LEN);
+		return FALSE;
+	}
+	/* update stored SQN to received SQN + 1 */
+	memcpy(this->sqn, sqn, AKA_SQN_LEN);
+	chunk_increment(chunk_create(this->sqn, AKA_SQN_LEN));
+	return TRUE;
+}
+
+/**
+ * Implementation of eap_aka_3gpp2_provider_t.destroy.
+ */
+static void destroy(private_eap_aka_3gpp2_provider_t *this)
+{
+	free(this);
+}
+
+/**
+ * See header
+ */
+eap_aka_3gpp2_provider_t *eap_aka_3gpp2_provider_create(
+												eap_aka_3gpp2_functions_t *f)
+{
+	private_eap_aka_3gpp2_provider_t *this = malloc_thing(private_eap_aka_3gpp2_provider_t);
+
+	this->public.provider.get_triplet = (bool(*)(sim_provider_t*, identification_t *id, char rand[SIM_RAND_LEN], char sres[SIM_SRES_LEN], char kc[SIM_KC_LEN]))return_false;
+	this->public.provider.get_quintuplet = (bool(*)(sim_provider_t*, identification_t *id, char rand[AKA_RAND_LEN], char xres[AKA_RES_MAX], int *xres_len, char ck[AKA_CK_LEN], char ik[AKA_IK_LEN], char autn[AKA_AUTN_LEN]))get_quintuplet;
+	this->public.provider.resync = (bool(*)(sim_provider_t*, identification_t *id, char rand[AKA_RAND_LEN], char auts[AKA_AUTS_LEN]))resync;
+	this->public.provider.is_pseudonym = (identification_t*(*)(sim_provider_t*, identification_t *id))return_null;
+	this->public.provider.gen_pseudonym = (identification_t*(*)(sim_provider_t*, identification_t *id))return_null;
+	this->public.provider.is_reauth = (identification_t*(*)(sim_provider_t*, identification_t *id, char [HASH_SIZE_SHA1], u_int16_t *counter))return_null;
+	this->public.provider.gen_reauth = (identification_t*(*)(sim_provider_t*, identification_t *id, char mk[HASH_SIZE_SHA1]))return_null;
+	this->public.destroy = (void(*)(eap_aka_3gpp2_provider_t*))destroy;
+
+	this->f = f;
+	/* use an offset to accept clock skew between client/server without resync */
+	eap_aka_3gpp2_get_sqn(this->sqn, 180);
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_provider.h b/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_provider.h
new file mode 100644
index 000000000..22ac0a96e
--- /dev/null
+++ b/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_provider.h
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) 2008-2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_aka_3gpp2_provider eap_aka_3gpp2_provider
+ * @{ @ingroup eap_aka_3gpp2
+ */
+
+#ifndef EAP_AKA_3GPP2_PROVIDER_H_
+#define EAP_AKA_3GPP2_PROVIDER_H_
+
+#include "eap_aka_3gpp2_functions.h"
+
+#include <sa/authenticators/eap/sim_manager.h>
+
+typedef struct eap_aka_3gpp2_provider_t eap_aka_3gpp2_provider_t;
+
+/**
+ * SIM provider implementation using a set of AKA functions.
+ */
+struct eap_aka_3gpp2_provider_t {
+
+	/**
+	 * Implements sim_provider_t interface.
+	 */
+	sim_provider_t provider;
+
+	/**
+	 * Destroy a eap_aka_3gpp2_provider_t.
+	 */
+	void (*destroy)(eap_aka_3gpp2_provider_t *this);
+};
+
+/**
+ * Create a eap_aka_3gpp2_provider instance.
+ */
+eap_aka_3gpp2_provider_t *eap_aka_3gpp2_provider_create(
+												eap_aka_3gpp2_functions_t *f);
+
+#endif /** EAP_AKA_3GPP2_PROVIDER_H_ @}*/
diff --git a/src/libcharon/plugins/eap_gtc/Makefile.am b/src/libcharon/plugins/eap_gtc/Makefile.am
new file mode 100644
index 000000000..d8722bf9d
--- /dev/null
+++ b/src/libcharon/plugins/eap_gtc/Makefile.am
@@ -0,0 +1,16 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-eap-gtc.la
+else
+plugin_LTLIBRARIES = libstrongswan-eap-gtc.la
+endif
+
+libstrongswan_eap_gtc_la_SOURCES = \
+	eap_gtc_plugin.h eap_gtc_plugin.c eap_gtc.h eap_gtc.c
+
+libstrongswan_eap_gtc_la_LDFLAGS = -module -avoid-version -lpam
diff --git a/src/libcharon/plugins/eap_gtc/Makefile.in b/src/libcharon/plugins/eap_gtc/Makefile.in
new file mode 100644
index 000000000..110e1528b
--- /dev/null
+++ b/src/libcharon/plugins/eap_gtc/Makefile.in
@@ -0,0 +1,587 @@
+# Makefile.in generated by automake 1.11 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libcharon/plugins/eap_gtc
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_eap_gtc_la_LIBADD =
+am_libstrongswan_eap_gtc_la_OBJECTS = eap_gtc_plugin.lo eap_gtc.lo
+libstrongswan_eap_gtc_la_OBJECTS =  \
+	$(am_libstrongswan_eap_gtc_la_OBJECTS)
+libstrongswan_eap_gtc_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_eap_gtc_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_eap_gtc_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_eap_gtc_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_eap_gtc_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_eap_gtc_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libhydra_plugins = @libhydra_plugins@
+libstrongswan_plugins = @libstrongswan_plugins@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-eap-gtc.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-eap-gtc.la
+libstrongswan_eap_gtc_la_SOURCES = \
+	eap_gtc_plugin.h eap_gtc_plugin.c eap_gtc.h eap_gtc.c
+
+libstrongswan_eap_gtc_la_LDFLAGS = -module -avoid-version -lpam
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/eap_gtc/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libcharon/plugins/eap_gtc/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-eap-gtc.la: $(libstrongswan_eap_gtc_la_OBJECTS) $(libstrongswan_eap_gtc_la_DEPENDENCIES) 
+	$(libstrongswan_eap_gtc_la_LINK) $(am_libstrongswan_eap_gtc_la_rpath) $(libstrongswan_eap_gtc_la_OBJECTS) $(libstrongswan_eap_gtc_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_gtc.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_gtc_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libcharon/plugins/eap_gtc/eap_gtc.c b/src/libcharon/plugins/eap_gtc/eap_gtc.c
new file mode 100644
index 000000000..c7f55fa70
--- /dev/null
+++ b/src/libcharon/plugins/eap_gtc/eap_gtc.c
@@ -0,0 +1,327 @@
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_gtc.h"
+
+#include <daemon.h>
+#include <library.h>
+#include <crypto/hashers/hasher.h>
+
+#include <security/pam_appl.h>
+
+#define GTC_REQUEST_MSG "password"
+#define GTC_PAM_SERVICE "login"
+
+typedef struct private_eap_gtc_t private_eap_gtc_t;
+
+/**
+ * Private data of an eap_gtc_t object.
+ */
+struct private_eap_gtc_t {
+
+	/**
+	 * Public authenticator_t interface.
+	 */
+	eap_gtc_t public;
+
+	/**
+	 * ID of the server
+	 */
+	identification_t *server;
+
+	/**
+	 * ID of the peer
+	 */
+	identification_t *peer;
+
+	/**
+	 * EAP message identififier
+	 */
+	u_int8_t identifier;
+};
+
+typedef struct eap_gtc_header_t eap_gtc_header_t;
+
+/**
+ * packed eap GTC header struct
+ */
+struct eap_gtc_header_t {
+	/** EAP code (REQUEST/RESPONSE) */
+	u_int8_t code;
+	/** unique message identifier */
+	u_int8_t identifier;
+	/** length of whole message */
+	u_int16_t length;
+	/** EAP type */
+	u_int8_t type;
+	/** type data */
+	u_int8_t data[];
+} __attribute__((__packed__));
+
+/**
+ * Implementation of eap_method_t.initiate for the peer
+ */
+static status_t initiate_peer(private_eap_gtc_t *this, eap_payload_t **out)
+{
+	/* peer never initiates */
+	return FAILED;
+}
+
+/**
+ * PAM conv callback function
+ */
+static int auth_conv(int num_msg, const struct pam_message **msg,
+					 struct pam_response **resp, char *password)
+{
+	struct pam_response *response;
+
+	if (num_msg != 1)
+	{
+		return PAM_CONV_ERR;
+	}
+	response = malloc(sizeof(struct pam_response));
+	response->resp = strdup(password);
+	response->resp_retcode = 0;
+	*resp = response;
+	return PAM_SUCCESS;
+}
+
+/**
+ * Authenticate a username/password using PAM
+ */
+static bool authenticate(char *service, char *user, char *password)
+{
+	pam_handle_t *pamh = NULL;
+	static struct pam_conv conv;
+	int ret;
+
+	conv.conv = (void*)auth_conv;
+	conv.appdata_ptr = password;
+
+	ret = pam_start(service, user, &conv, &pamh);
+	if (ret != PAM_SUCCESS)
+	{
+		DBG1(DBG_IKE, "EAP-GTC pam_start failed: %s",
+			 pam_strerror(pamh, ret));
+		return FALSE;
+	}
+	ret = pam_authenticate(pamh, 0);
+	if (ret == PAM_SUCCESS)
+	{
+		ret = pam_acct_mgmt(pamh, 0);
+		if (ret != PAM_SUCCESS)
+		{
+			DBG1(DBG_IKE, "EAP-GTC pam_acct_mgmt failed: %s",
+				 pam_strerror(pamh, ret));
+		}
+	}
+	else
+	{
+		DBG1(DBG_IKE, "EAP-GTC pam_authenticate failed: %s",
+			 pam_strerror(pamh, ret));
+	}
+	pam_end(pamh, ret);
+	return ret == PAM_SUCCESS;
+}
+
+/**
+ * Implementation of eap_method_t.initiate for the server
+ */
+static status_t initiate_server(private_eap_gtc_t *this, eap_payload_t **out)
+{
+	eap_gtc_header_t *req;
+	size_t len;
+
+	len = strlen(GTC_REQUEST_MSG);
+	req = alloca(sizeof(eap_gtc_header_t) + len);
+	req->length = htons(sizeof(eap_gtc_header_t) + len);
+	req->code = EAP_REQUEST;
+	req->identifier = this->identifier;
+	req->type = EAP_GTC;
+	memcpy(req->data, GTC_REQUEST_MSG, len);
+
+	*out = eap_payload_create_data(chunk_create((void*)req,
+								   sizeof(eap_gtc_header_t) + len));
+	return NEED_MORE;
+}
+
+/**
+ * Implementation of eap_method_t.process for the peer
+ */
+static status_t process_peer(private_eap_gtc_t *this,
+							 eap_payload_t *in, eap_payload_t **out)
+{
+	eap_gtc_header_t *res;
+	shared_key_t *shared;
+	chunk_t key;
+	size_t len;
+
+	shared = charon->credentials->get_shared(charon->credentials, SHARED_EAP,
+											 this->peer, this->server);
+	if (shared == NULL)
+	{
+		DBG1(DBG_IKE, "no EAP key found for '%Y' - '%Y'",
+			 this->peer, this->server);
+		return FAILED;
+	}
+	key = shared->get_key(shared);
+	len = key.len;
+
+	/* TODO: According to the draft we should "SASLprep" password, RFC4013. */
+
+	res = alloca(sizeof(eap_gtc_header_t) + len);
+	res->length = htons(sizeof(eap_gtc_header_t) + len);
+	res->code = EAP_RESPONSE;
+	res->identifier = in->get_identifier(in);
+	res->type = EAP_GTC;
+	memcpy(res->data, key.ptr, len);
+
+	shared->destroy(shared);
+
+	*out = eap_payload_create_data(chunk_create((void*)res,
+								   sizeof(eap_gtc_header_t) + len));
+	return NEED_MORE;
+}
+
+/**
+ * Implementation of eap_method_t.process for the server
+ */
+static status_t process_server(private_eap_gtc_t *this,
+							   eap_payload_t *in, eap_payload_t **out)
+{
+	chunk_t data, encoding;
+	char *user, *password, *service, *pos;
+
+	data = chunk_skip(in->get_data(in), 5);
+	if (this->identifier != in->get_identifier(in) || !data.len)
+	{
+		DBG1(DBG_IKE, "received invalid EAP-GTC message");
+		return FAILED;
+	}
+
+	encoding = this->peer->get_encoding(this->peer);
+	/* if a RFC822_ADDR id is provided, we use the username part only */
+	pos = memchr(encoding.ptr, '@', encoding.len);
+	if (pos)
+	{
+		encoding.len = (u_char*)pos - encoding.ptr;
+	}
+	user = alloca(encoding.len + 1);
+	memcpy(user, encoding.ptr, encoding.len);
+	user[encoding.len] = '\0';
+
+	password = alloca(data.len + 1);
+	memcpy(password, data.ptr, data.len);
+	password[data.len] = '\0';
+
+	service = lib->settings->get_str(lib->settings,
+						"charon.plugins.eap-gtc.pam_service", GTC_PAM_SERVICE);
+
+	if (!authenticate(service, user, password))
+	{
+		return FAILED;
+	}
+	return SUCCESS;
+}
+
+/**
+ * Implementation of eap_method_t.get_type.
+ */
+static eap_type_t get_type(private_eap_gtc_t *this, u_int32_t *vendor)
+{
+	*vendor = 0;
+	return EAP_GTC;
+}
+
+/**
+ * Implementation of eap_method_t.get_msk.
+ */
+static status_t get_msk(private_eap_gtc_t *this, chunk_t *msk)
+{
+	return FAILED;
+}
+
+/**
+ * Implementation of eap_method_t.is_mutual.
+ */
+static bool is_mutual(private_eap_gtc_t *this)
+{
+	return FALSE;
+}
+
+/**
+ * Implementation of eap_method_t.destroy.
+ */
+static void destroy(private_eap_gtc_t *this)
+{
+	this->peer->destroy(this->peer);
+	this->server->destroy(this->server);
+	free(this);
+}
+
+/**
+ * Generic constructor
+ */
+static private_eap_gtc_t *eap_gtc_create_generic(identification_t *server,
+												 identification_t *peer)
+{
+	private_eap_gtc_t *this = malloc_thing(private_eap_gtc_t);
+
+	this->public.eap_method_interface.initiate = NULL;
+	this->public.eap_method_interface.process = NULL;
+	this->public.eap_method_interface.get_type = (eap_type_t(*)(eap_method_t*,u_int32_t*))get_type;
+	this->public.eap_method_interface.is_mutual = (bool(*)(eap_method_t*))is_mutual;
+	this->public.eap_method_interface.get_msk = (status_t(*)(eap_method_t*,chunk_t*))get_msk;
+	this->public.eap_method_interface.destroy = (void(*)(eap_method_t*))destroy;
+
+	/* private data */
+	this->peer = peer->clone(peer);
+	this->server = server->clone(server);
+	this->identifier = 0;
+
+	return this;
+}
+
+/*
+ * see header
+ */
+eap_gtc_t *eap_gtc_create_server(identification_t *server, identification_t *peer)
+{
+	private_eap_gtc_t *this = eap_gtc_create_generic(server, peer);
+
+	this->public.eap_method_interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate_server;
+	this->public.eap_method_interface.process = (status_t(*)(eap_method_t*,eap_payload_t*,eap_payload_t**))process_server;
+
+	/* generate a non-zero identifier */
+	do {
+		this->identifier = random();
+	} while (!this->identifier);
+
+	return &this->public;
+}
+
+/*
+ * see header
+ */
+eap_gtc_t *eap_gtc_create_peer(identification_t *server, identification_t *peer)
+{
+	private_eap_gtc_t *this = eap_gtc_create_generic(server, peer);
+
+	this->public.eap_method_interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate_peer;
+	this->public.eap_method_interface.process = (status_t(*)(eap_method_t*,eap_payload_t*,eap_payload_t**))process_peer;
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/plugins/eap_gtc/eap_gtc.h b/src/libcharon/plugins/eap_gtc/eap_gtc.h
new file mode 100644
index 000000000..2eb8482f8
--- /dev/null
+++ b/src/libcharon/plugins/eap_gtc/eap_gtc.h
@@ -0,0 +1,60 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_gtc_i eap_gtc
+ * @{ @ingroup eap_gtc
+ */
+
+#ifndef EAP_GTC_H_
+#define EAP_GTC_H_
+
+typedef struct eap_gtc_t eap_gtc_t;
+
+#include <sa/authenticators/eap/eap_method.h>
+
+/**
+ * Implementation of the eap_method_t interface using EAP-GTC.
+ *
+ * This implementation of draft-sheffer-ikev2-gtc-00.txt uses PAM to
+ * verify user credentials.
+ */
+struct eap_gtc_t {
+
+	/**
+	 * Implemented eap_method_t interface.
+	 */
+	eap_method_t eap_method_interface;
+};
+
+/**
+ * Creates the EAP method EAP-GTC acting as server.
+ *
+ * @param server	ID of the EAP server
+ * @param peer		ID of the EAP client
+ * @return			eap_gtc_t object
+ */
+eap_gtc_t *eap_gtc_create_server(identification_t *server, identification_t *peer);
+
+/**
+ * Creates the EAP method EAP-GTC acting as peer.
+ *
+ * @param server	ID of the EAP server
+ * @param peer		ID of the EAP client
+ * @return			eap_gtc_t object
+ */
+eap_gtc_t *eap_gtc_create_peer(identification_t *server, identification_t *peer);
+
+#endif /** EAP_GTC_H_ @}*/
diff --git a/src/libcharon/plugins/eap_gtc/eap_gtc_plugin.c b/src/libcharon/plugins/eap_gtc/eap_gtc_plugin.c
new file mode 100644
index 000000000..91ba84b3d
--- /dev/null
+++ b/src/libcharon/plugins/eap_gtc/eap_gtc_plugin.c
@@ -0,0 +1,56 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_gtc_plugin.h"
+
+#include "eap_gtc.h"
+
+#include <daemon.h>
+
+/* missing in cababilities.h */
+#define CAP_AUDIT_WRITE 29
+
+/**
+ * Implementation of plugin_t.destroy
+ */
+static void destroy(eap_gtc_plugin_t *this)
+{
+	charon->eap->remove_method(charon->eap,
+							   (eap_constructor_t)eap_gtc_create_server);
+	charon->eap->remove_method(charon->eap,
+							   (eap_constructor_t)eap_gtc_create_peer);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *eap_gtc_plugin_create()
+{
+	eap_gtc_plugin_t *this = malloc_thing(eap_gtc_plugin_t);
+
+	this->plugin.destroy = (void(*)(plugin_t*))destroy;
+
+	/* required for PAM authentication */
+	charon->keep_cap(charon, CAP_AUDIT_WRITE);
+
+	charon->eap->add_method(charon->eap, EAP_GTC, 0, EAP_SERVER,
+							(eap_constructor_t)eap_gtc_create_server);
+	charon->eap->add_method(charon->eap, EAP_GTC, 0, EAP_PEER,
+							(eap_constructor_t)eap_gtc_create_peer);
+
+	return &this->plugin;
+}
+
diff --git a/src/libcharon/plugins/eap_gtc/eap_gtc_plugin.h b/src/libcharon/plugins/eap_gtc/eap_gtc_plugin.h
new file mode 100644
index 000000000..9c4052a6d
--- /dev/null
+++ b/src/libcharon/plugins/eap_gtc/eap_gtc_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_gtc eap_gtc
+ * @ingroup cplugins
+ *
+ * @defgroup eap_gtc_plugin eap_gtc_plugin
+ * @{ @ingroup eap_gtc
+ */
+
+#ifndef EAP_GTC_PLUGIN_H_
+#define EAP_GTC_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct eap_gtc_plugin_t eap_gtc_plugin_t;
+
+/**
+ * EAP-GTC plugin
+ */
+struct eap_gtc_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+#endif /** EAP_GTC_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/eap_identity/Makefile.am b/src/libcharon/plugins/eap_identity/Makefile.am
new file mode 100644
index 000000000..2a7c764b0
--- /dev/null
+++ b/src/libcharon/plugins/eap_identity/Makefile.am
@@ -0,0 +1,16 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-eap-identity.la
+else
+plugin_LTLIBRARIES = libstrongswan-eap-identity.la
+endif
+
+libstrongswan_eap_identity_la_SOURCES = \
+	eap_identity_plugin.h eap_identity_plugin.c eap_identity.h eap_identity.c
+
+libstrongswan_eap_identity_la_LDFLAGS = -module -avoid-version
diff --git a/src/libcharon/plugins/eap_identity/Makefile.in b/src/libcharon/plugins/eap_identity/Makefile.in
new file mode 100644
index 000000000..bbb987dd6
--- /dev/null
+++ b/src/libcharon/plugins/eap_identity/Makefile.in
@@ -0,0 +1,589 @@
+# Makefile.in generated by automake 1.11 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libcharon/plugins/eap_identity
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_eap_identity_la_LIBADD =
+am_libstrongswan_eap_identity_la_OBJECTS = eap_identity_plugin.lo \
+	eap_identity.lo
+libstrongswan_eap_identity_la_OBJECTS =  \
+	$(am_libstrongswan_eap_identity_la_OBJECTS)
+libstrongswan_eap_identity_la_LINK = $(LIBTOOL) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_eap_identity_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_eap_identity_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_eap_identity_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_eap_identity_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_eap_identity_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libhydra_plugins = @libhydra_plugins@
+libstrongswan_plugins = @libstrongswan_plugins@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-eap-identity.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-eap-identity.la
+libstrongswan_eap_identity_la_SOURCES = \
+	eap_identity_plugin.h eap_identity_plugin.c eap_identity.h eap_identity.c
+
+libstrongswan_eap_identity_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/eap_identity/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libcharon/plugins/eap_identity/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-eap-identity.la: $(libstrongswan_eap_identity_la_OBJECTS) $(libstrongswan_eap_identity_la_DEPENDENCIES) 
+	$(libstrongswan_eap_identity_la_LINK) $(am_libstrongswan_eap_identity_la_rpath) $(libstrongswan_eap_identity_la_OBJECTS) $(libstrongswan_eap_identity_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_identity.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_identity_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libcharon/plugins/eap_identity/eap_identity.c b/src/libcharon/plugins/eap_identity/eap_identity.c
new file mode 100644
index 000000000..ab082a955
--- /dev/null
+++ b/src/libcharon/plugins/eap_identity/eap_identity.c
@@ -0,0 +1,218 @@
+/*
+ * Copyright (C) 2007-2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_identity.h"
+
+#include <daemon.h>
+#include <library.h>
+
+typedef struct private_eap_identity_t private_eap_identity_t;
+
+/**
+ * Private data of an eap_identity_t object.
+ */
+struct private_eap_identity_t {
+
+	/**
+	 * Public authenticator_t interface.
+	 */
+	eap_identity_t public;
+
+	/**
+	 * ID of the peer
+	 */
+	identification_t *peer;
+
+	/**
+	 * received identity chunk
+	 */
+	chunk_t identity;
+};
+
+typedef struct eap_identity_header_t eap_identity_header_t;
+
+/**
+ * packed EAP Identity header struct
+ */
+struct eap_identity_header_t {
+	/** EAP code (REQUEST/RESPONSE) */
+	u_int8_t code;
+	/** unique message identifier */
+	u_int8_t identifier;
+	/** length of whole message */
+	u_int16_t length;
+	/** EAP type */
+	u_int8_t type;
+	/** identity data */
+	u_int8_t data[];
+} __attribute__((__packed__));
+
+/**
+ * Implementation of eap_method_t.process for the peer
+ */
+static status_t process_peer(private_eap_identity_t *this,
+							 eap_payload_t *in, eap_payload_t **out)
+{
+	chunk_t id;
+	eap_identity_header_t *hdr;
+	size_t len;
+
+	id = this->peer->get_encoding(this->peer);
+	len = sizeof(eap_identity_header_t) + id.len;
+
+	hdr = alloca(len);
+	hdr->code = EAP_RESPONSE;
+	hdr->identifier = in->get_identifier(in);
+	hdr->length = htons(len);
+	hdr->type = EAP_IDENTITY;
+	memcpy(hdr->data, id.ptr, id.len);
+
+	*out = eap_payload_create_data(chunk_create((u_char*)hdr, len));
+	return SUCCESS;
+}
+
+/**
+ * Implementation of eap_method_t.initiate for the peer
+ */
+static status_t initiate_peer(private_eap_identity_t *this, eap_payload_t **out)
+{
+	/* peer never initiates */
+	return FAILED;
+}
+
+/**
+ * Implementation of eap_method_t.process for the server
+ */
+static status_t process_server(private_eap_identity_t *this,
+							   eap_payload_t *in, eap_payload_t **out)
+{
+	chunk_t data;
+
+	data = chunk_skip(in->get_data(in), 5);
+	if (data.len)
+	{
+		this->identity = chunk_clone(data);
+	}
+	return SUCCESS;
+}
+
+/**
+ * Implementation of eap_method_t.initiate for the server
+ */
+static status_t initiate_server(private_eap_identity_t *this, eap_payload_t **out)
+{
+	eap_identity_header_t hdr;
+
+	hdr.code = EAP_REQUEST;
+	hdr.identifier = 0;
+	hdr.length = htons(sizeof(eap_identity_header_t));
+	hdr.type = EAP_IDENTITY;
+
+	*out = eap_payload_create_data(chunk_create((u_char*)&hdr,
+												sizeof(eap_identity_header_t)));
+	return NEED_MORE;
+}
+
+/**
+ * Implementation of eap_method_t.get_type.
+ */
+static eap_type_t get_type(private_eap_identity_t *this, u_int32_t *vendor)
+{
+	*vendor = 0;
+	return EAP_IDENTITY;
+}
+
+/**
+ * Implementation of eap_method_t.get_msk.
+ */
+static status_t get_msk(private_eap_identity_t *this, chunk_t *msk)
+{
+	if (this->identity.ptr)
+	{
+		*msk = this->identity;
+		return SUCCESS;
+	}
+	return FAILED;
+}
+
+/**
+ * Implementation of eap_method_t.is_mutual.
+ */
+static bool is_mutual(private_eap_identity_t *this)
+{
+	return FALSE;
+}
+
+/**
+ * Implementation of eap_method_t.destroy.
+ */
+static void destroy(private_eap_identity_t *this)
+{
+	this->peer->destroy(this->peer);
+	free(this->identity.ptr);
+	free(this);
+}
+
+/**
+ * Generic constructor
+ */
+static private_eap_identity_t *eap_identity_create(identification_t *server,
+												   identification_t *peer)
+{
+	private_eap_identity_t *this = malloc_thing(private_eap_identity_t);
+
+	this->public.eap_method_interface.initiate = NULL;
+	this->public.eap_method_interface.process = NULL;
+	this->public.eap_method_interface.get_type = (eap_type_t(*)(eap_method_t*,u_int32_t*))get_type;
+	this->public.eap_method_interface.is_mutual = (bool(*)(eap_method_t*))is_mutual;
+	this->public.eap_method_interface.get_msk = (status_t(*)(eap_method_t*,chunk_t*))get_msk;
+	this->public.eap_method_interface.destroy = (void(*)(eap_method_t*))destroy;
+
+	this->peer = peer->clone(peer);
+	this->identity = chunk_empty;
+
+	return this;
+}
+
+/*
+ * Described in header.
+ */
+eap_identity_t *eap_identity_create_peer(identification_t *server,
+										 identification_t *peer)
+{
+	private_eap_identity_t *this = eap_identity_create(server, peer);
+
+	/* public functions */
+	this->public.eap_method_interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate_peer;
+	this->public.eap_method_interface.process = (status_t(*)(eap_method_t*,eap_payload_t*,eap_payload_t**))process_peer;
+
+	return &this->public;
+}
+
+/*
+ * Described in header.
+ */
+eap_identity_t *eap_identity_create_server(identification_t *server,
+										   identification_t *peer)
+{
+	private_eap_identity_t *this = eap_identity_create(server, peer);
+
+	/* public functions */
+	this->public.eap_method_interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate_server;
+	this->public.eap_method_interface.process = (status_t(*)(eap_method_t*,eap_payload_t*,eap_payload_t**))process_server;
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/plugins/eap_identity/eap_identity.h b/src/libcharon/plugins/eap_identity/eap_identity.h
new file mode 100644
index 000000000..7364a8bda
--- /dev/null
+++ b/src/libcharon/plugins/eap_identity/eap_identity.h
@@ -0,0 +1,59 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_identity_i eap_identity
+ * @{ @ingroup eap_identity
+ */
+
+#ifndef EAP_IDENTITY_H_
+#define EAP_IDENTITY_H_
+
+typedef struct eap_identity_t eap_identity_t;
+
+#include <sa/authenticators/eap/eap_method.h>
+
+/**
+ * Implementation of the eap_method_t interface using EAP Identity.
+ */
+struct eap_identity_t {
+
+	/**
+	 * Implemented eap_method_t interface.
+	 */
+	eap_method_t eap_method_interface;
+};
+
+/**
+ * Creates the EAP method EAP Identity, acting as server.
+ *
+ * @param server	ID of the EAP server
+ * @param peer		ID of the EAP client
+ * @return			eap_identity_t object
+ */
+eap_identity_t *eap_identity_create_server(identification_t *server,
+										   identification_t *peer);
+
+/**
+ * Creates the EAP method EAP Identity, acting as peer.
+ *
+ * @param server	ID of the EAP server
+ * @param peer		ID of the EAP client
+ * @return			eap_identity_t object
+ */
+eap_identity_t *eap_identity_create_peer(identification_t *server,
+										 identification_t *peer);
+
+#endif /** EAP_IDENTITY_H_ @}*/
diff --git a/src/libcharon/plugins/eap_identity/eap_identity_plugin.c b/src/libcharon/plugins/eap_identity/eap_identity_plugin.c
new file mode 100644
index 000000000..082997154
--- /dev/null
+++ b/src/libcharon/plugins/eap_identity/eap_identity_plugin.c
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_identity_plugin.h"
+
+#include "eap_identity.h"
+
+#include <daemon.h>
+
+/**
+ * Implementation of plugin_t.destroy
+ */
+static void destroy(eap_identity_plugin_t *this)
+{
+	charon->eap->remove_method(charon->eap,
+							   (eap_constructor_t)eap_identity_create_server);
+	charon->eap->remove_method(charon->eap,
+							   (eap_constructor_t)eap_identity_create_peer);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *eap_identity_plugin_create()
+{
+	eap_identity_plugin_t *this = malloc_thing(eap_identity_plugin_t);
+
+	this->plugin.destroy = (void(*)(plugin_t*))destroy;
+
+	charon->eap->add_method(charon->eap, EAP_IDENTITY, 0, EAP_SERVER,
+							(eap_constructor_t)eap_identity_create_server);
+	charon->eap->add_method(charon->eap, EAP_IDENTITY, 0, EAP_PEER,
+							(eap_constructor_t)eap_identity_create_peer);
+
+	return &this->plugin;
+}
+
diff --git a/src/libcharon/plugins/eap_identity/eap_identity_plugin.h b/src/libcharon/plugins/eap_identity/eap_identity_plugin.h
new file mode 100644
index 000000000..274156a1b
--- /dev/null
+++ b/src/libcharon/plugins/eap_identity/eap_identity_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_identity eap_identity
+ * @ingroup cplugins
+ *
+ * @defgroup eap_identity_plugin eap_identity_plugin
+ * @{ @ingroup eap_identity
+ */
+
+#ifndef EAP_IDENTITY_PLUGIN_H_
+#define EAP_IDENTITY_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct eap_identity_plugin_t eap_identity_plugin_t;
+
+/**
+ * EAP-IDENTITY plugin.
+ */
+struct eap_identity_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+#endif /** EAP_IDENTITY_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/eap_md5/Makefile.am b/src/libcharon/plugins/eap_md5/Makefile.am
new file mode 100644
index 000000000..e9936c925
--- /dev/null
+++ b/src/libcharon/plugins/eap_md5/Makefile.am
@@ -0,0 +1,16 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-eap-md5.la
+else
+plugin_LTLIBRARIES = libstrongswan-eap-md5.la
+endif
+
+libstrongswan_eap_md5_la_SOURCES = \
+	eap_md5_plugin.h eap_md5_plugin.c eap_md5.h eap_md5.c
+
+libstrongswan_eap_md5_la_LDFLAGS = -module -avoid-version
diff --git a/src/libcharon/plugins/eap_md5/Makefile.in b/src/libcharon/plugins/eap_md5/Makefile.in
new file mode 100644
index 000000000..943811604
--- /dev/null
+++ b/src/libcharon/plugins/eap_md5/Makefile.in
@@ -0,0 +1,587 @@
+# Makefile.in generated by automake 1.11 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libcharon/plugins/eap_md5
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_eap_md5_la_LIBADD =
+am_libstrongswan_eap_md5_la_OBJECTS = eap_md5_plugin.lo eap_md5.lo
+libstrongswan_eap_md5_la_OBJECTS =  \
+	$(am_libstrongswan_eap_md5_la_OBJECTS)
+libstrongswan_eap_md5_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_eap_md5_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_eap_md5_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_eap_md5_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_eap_md5_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_eap_md5_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libhydra_plugins = @libhydra_plugins@
+libstrongswan_plugins = @libstrongswan_plugins@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-eap-md5.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-eap-md5.la
+libstrongswan_eap_md5_la_SOURCES = \
+	eap_md5_plugin.h eap_md5_plugin.c eap_md5.h eap_md5.c
+
+libstrongswan_eap_md5_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/eap_md5/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libcharon/plugins/eap_md5/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-eap-md5.la: $(libstrongswan_eap_md5_la_OBJECTS) $(libstrongswan_eap_md5_la_DEPENDENCIES) 
+	$(libstrongswan_eap_md5_la_LINK) $(am_libstrongswan_eap_md5_la_rpath) $(libstrongswan_eap_md5_la_OBJECTS) $(libstrongswan_eap_md5_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_md5.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_md5_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libcharon/plugins/eap_md5/eap_md5.c b/src/libcharon/plugins/eap_md5/eap_md5.c
new file mode 100644
index 000000000..0eda8f755
--- /dev/null
+++ b/src/libcharon/plugins/eap_md5/eap_md5.c
@@ -0,0 +1,303 @@
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_md5.h"
+
+#include <daemon.h>
+#include <library.h>
+#include <crypto/hashers/hasher.h>
+
+typedef struct private_eap_md5_t private_eap_md5_t;
+
+/**
+ * Private data of an eap_md5_t object.
+ */
+struct private_eap_md5_t {
+
+	/**
+	 * Public authenticator_t interface.
+	 */
+	eap_md5_t public;
+
+	/**
+	 * ID of the server
+	 */
+	identification_t *server;
+
+	/**
+	 * ID of the peer
+	 */
+	identification_t *peer;
+
+	/**
+	 * challenge sent by the server
+	 */
+	chunk_t challenge;
+
+	/**
+	 * EAP message identififier
+	 */
+	u_int8_t identifier;
+};
+
+typedef struct eap_md5_header_t eap_md5_header_t;
+
+/**
+ * packed eap MD5 header struct
+ */
+struct eap_md5_header_t {
+	/** EAP code (REQUEST/RESPONSE) */
+	u_int8_t code;
+	/** unique message identifier */
+	u_int8_t identifier;
+	/** length of whole message */
+	u_int16_t length;
+	/** EAP type */
+	u_int8_t type;
+	/** length of value (challenge) */
+	u_int8_t value_size;
+	/** actual value */
+	u_int8_t value[];
+} __attribute__((__packed__));
+
+#define CHALLENGE_LEN 16
+#define PAYLOAD_LEN (CHALLENGE_LEN + sizeof(eap_md5_header_t))
+
+/**
+ * Hash the challenge string, create response
+ */
+static status_t hash_challenge(private_eap_md5_t *this, chunk_t *response,
+							   identification_t *me, identification_t *other)
+{
+	shared_key_t *shared;
+	chunk_t concat;
+	hasher_t *hasher;
+
+	shared = charon->credentials->get_shared(charon->credentials, SHARED_EAP,
+											 me, other);
+	if (shared == NULL)
+	{
+		DBG1(DBG_IKE, "no EAP key found for hosts '%Y' - '%Y'", me, other);
+		return NOT_FOUND;
+	}
+	concat = chunk_cata("ccc", chunk_from_thing(this->identifier),
+						shared->get_key(shared), this->challenge);
+	shared->destroy(shared);
+	hasher = lib->crypto->create_hasher(lib->crypto, HASH_MD5);
+	if (hasher == NULL)
+	{
+		DBG1(DBG_IKE, "EAP-MD5 failed, MD5 not supported");
+		return FAILED;
+	}
+	hasher->allocate_hash(hasher, concat, response);
+	hasher->destroy(hasher);
+	return SUCCESS;
+}
+
+/**
+ * Implementation of eap_method_t.initiate for the peer
+ */
+static status_t initiate_peer(private_eap_md5_t *this, eap_payload_t **out)
+{
+	/* peer never initiates */
+	return FAILED;
+}
+
+/**
+ * Implementation of eap_method_t.initiate for the server
+ */
+static status_t initiate_server(private_eap_md5_t *this, eap_payload_t **out)
+{
+	rng_t *rng;
+	eap_md5_header_t *req;
+
+	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
+	if (!rng)
+	{
+		return FAILED;
+	}
+	rng->allocate_bytes(rng, CHALLENGE_LEN, &this->challenge);
+	rng->destroy(rng);
+
+	req = alloca(PAYLOAD_LEN);
+	req->length = htons(PAYLOAD_LEN);
+	req->code = EAP_REQUEST;
+	req->identifier = this->identifier;
+	req->type = EAP_MD5;
+	req->value_size = this->challenge.len;
+	memcpy(req->value, this->challenge.ptr, this->challenge.len);
+
+	*out = eap_payload_create_data(chunk_create((void*)req, PAYLOAD_LEN));
+	return NEED_MORE;
+}
+
+/**
+ * Implementation of eap_method_t.process for the peer
+ */
+static status_t process_peer(private_eap_md5_t *this,
+							 eap_payload_t *in, eap_payload_t **out)
+{
+	chunk_t response;
+	chunk_t data;
+	eap_md5_header_t *req;
+
+	this->identifier = in->get_identifier(in);
+	data = in->get_data(in);
+	this->challenge = chunk_clone(chunk_skip(data, 6));
+	if (data.len < 6 || this->challenge.len < *(data.ptr + 5))
+	{
+		DBG1(DBG_IKE, "received invalid EAP-MD5 message");
+		return FAILED;
+	}
+	if (hash_challenge(this, &response, this->peer, this->server) != SUCCESS)
+	{
+		return FAILED;
+	}
+	req = alloca(PAYLOAD_LEN);
+	req->length = htons(PAYLOAD_LEN);
+	req->code = EAP_RESPONSE;
+	req->identifier = this->identifier;
+	req->type = EAP_MD5;
+	req->value_size = response.len;
+	memcpy(req->value, response.ptr, response.len);
+	chunk_free(&response);
+
+	*out = eap_payload_create_data(chunk_create((void*)req, PAYLOAD_LEN));
+	return NEED_MORE;
+}
+
+/**
+ * Implementation of eap_method_t.process for the server
+ */
+static status_t process_server(private_eap_md5_t *this,
+							   eap_payload_t *in, eap_payload_t **out)
+{
+	chunk_t response, expected;
+	chunk_t data;
+
+	if (this->identifier != in->get_identifier(in))
+	{
+		DBG1(DBG_IKE, "received invalid EAP-MD5 message");
+		return FAILED;
+	}
+	if (hash_challenge(this, &expected, this->server, this->peer) != SUCCESS)
+	{
+		return FAILED;
+	}
+	data = in->get_data(in);
+	response = chunk_skip(data, 6);
+
+	if (response.len < expected.len ||
+		!memeq(response.ptr, expected.ptr, expected.len))
+	{
+		chunk_free(&expected);
+		DBG1(DBG_IKE, "EAP-MD5 verification failed");
+		return FAILED;
+	}
+	chunk_free(&expected);
+	return SUCCESS;
+}
+
+/**
+ * Implementation of eap_method_t.get_type.
+ */
+static eap_type_t get_type(private_eap_md5_t *this, u_int32_t *vendor)
+{
+	*vendor = 0;
+	return EAP_MD5;
+}
+
+/**
+ * Implementation of eap_method_t.get_msk.
+ */
+static status_t get_msk(private_eap_md5_t *this, chunk_t *msk)
+{
+	return FAILED;
+}
+
+/**
+ * Implementation of eap_method_t.is_mutual.
+ */
+static bool is_mutual(private_eap_md5_t *this)
+{
+	return FALSE;
+}
+
+/**
+ * Implementation of eap_method_t.destroy.
+ */
+static void destroy(private_eap_md5_t *this)
+{
+	this->peer->destroy(this->peer);
+	this->server->destroy(this->server);
+	chunk_free(&this->challenge);
+	free(this);
+}
+
+/**
+ * Generic constructor
+ */
+static private_eap_md5_t *eap_md5_create_generic(identification_t *server,
+												 identification_t *peer)
+{
+	private_eap_md5_t *this = malloc_thing(private_eap_md5_t);
+
+	this->public.eap_method_interface.initiate = NULL;
+	this->public.eap_method_interface.process = NULL;
+	this->public.eap_method_interface.get_type = (eap_type_t(*)(eap_method_t*,u_int32_t*))get_type;
+	this->public.eap_method_interface.is_mutual = (bool(*)(eap_method_t*))is_mutual;
+	this->public.eap_method_interface.get_msk = (status_t(*)(eap_method_t*,chunk_t*))get_msk;
+	this->public.eap_method_interface.destroy = (void(*)(eap_method_t*))destroy;
+
+	/* private data */
+	this->peer = peer->clone(peer);
+	this->server = server->clone(server);
+	this->challenge = chunk_empty;
+	this->identifier = 0;
+
+	return this;
+}
+
+/*
+ * see header
+ */
+eap_md5_t *eap_md5_create_server(identification_t *server, identification_t *peer)
+{
+	private_eap_md5_t *this = eap_md5_create_generic(server, peer);
+
+	this->public.eap_method_interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate_server;
+	this->public.eap_method_interface.process = (status_t(*)(eap_method_t*,eap_payload_t*,eap_payload_t**))process_server;
+
+	/* generate a non-zero identifier */
+	do {
+		this->identifier = random();
+	} while (!this->identifier);
+
+	return &this->public;
+}
+
+/*
+ * see header
+ */
+eap_md5_t *eap_md5_create_peer(identification_t *server, identification_t *peer)
+{
+	private_eap_md5_t *this = eap_md5_create_generic(server, peer);
+
+	this->public.eap_method_interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate_peer;
+	this->public.eap_method_interface.process = (status_t(*)(eap_method_t*,eap_payload_t*,eap_payload_t**))process_peer;
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/plugins/eap_md5/eap_md5.h b/src/libcharon/plugins/eap_md5/eap_md5.h
new file mode 100644
index 000000000..3cff0dd79
--- /dev/null
+++ b/src/libcharon/plugins/eap_md5/eap_md5.h
@@ -0,0 +1,57 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_md5_i eap_md5
+ * @{ @ingroup eap_md5
+ */
+
+#ifndef EAP_MD5_H_
+#define EAP_MD5_H_
+
+typedef struct eap_md5_t eap_md5_t;
+
+#include <sa/authenticators/eap/eap_method.h>
+
+/**
+ * Implementation of the eap_method_t interface using EAP-MD5 (CHAP).
+ */
+struct eap_md5_t {
+
+	/**
+	 * Implemented eap_method_t interface.
+	 */
+	eap_method_t eap_method_interface;
+};
+
+/**
+ * Creates the EAP method EAP-MD5 acting as server.
+ *
+ * @param server	ID of the EAP server
+ * @param peer		ID of the EAP client
+ * @return			eap_md5_t object
+ */
+eap_md5_t *eap_md5_create_server(identification_t *server, identification_t *peer);
+
+/**
+ * Creates the EAP method EAP-MD5 acting as peer.
+ *
+ * @param server	ID of the EAP server
+ * @param peer		ID of the EAP client
+ * @return			eap_md5_t object
+ */
+eap_md5_t *eap_md5_create_peer(identification_t *server, identification_t *peer);
+
+#endif /** EAP_MD5_H_ @}*/
diff --git a/src/libcharon/plugins/eap_md5/eap_md5_plugin.c b/src/libcharon/plugins/eap_md5/eap_md5_plugin.c
new file mode 100644
index 000000000..e716dc6e8
--- /dev/null
+++ b/src/libcharon/plugins/eap_md5/eap_md5_plugin.c
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_md5_plugin.h"
+
+#include "eap_md5.h"
+
+#include <daemon.h>
+
+/**
+ * Implementation of plugin_t.destroy
+ */
+static void destroy(eap_md5_plugin_t *this)
+{
+	charon->eap->remove_method(charon->eap,
+							   (eap_constructor_t)eap_md5_create_server);
+	charon->eap->remove_method(charon->eap,
+							   (eap_constructor_t)eap_md5_create_peer);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *eap_md5_plugin_create()
+{
+	eap_md5_plugin_t *this = malloc_thing(eap_md5_plugin_t);
+
+	this->plugin.destroy = (void(*)(plugin_t*))destroy;
+
+	charon->eap->add_method(charon->eap, EAP_MD5, 0, EAP_SERVER,
+							(eap_constructor_t)eap_md5_create_server);
+	charon->eap->add_method(charon->eap, EAP_MD5, 0, EAP_PEER,
+							(eap_constructor_t)eap_md5_create_peer);
+
+	return &this->plugin;
+}
+
diff --git a/src/libcharon/plugins/eap_md5/eap_md5_plugin.h b/src/libcharon/plugins/eap_md5/eap_md5_plugin.h
new file mode 100644
index 000000000..e5e1a6e94
--- /dev/null
+++ b/src/libcharon/plugins/eap_md5/eap_md5_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_md5 eap_md5
+ * @ingroup cplugins
+ *
+ * @defgroup eap_md5_plugin eap_md5_plugin
+ * @{ @ingroup eap_md5
+ */
+
+#ifndef EAP_MD5_PLUGIN_H_
+#define EAP_MD5_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct eap_md5_plugin_t eap_md5_plugin_t;
+
+/**
+ * EAP-MD5 plugin
+ */
+struct eap_md5_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+#endif /** EAP_MD5_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/eap_mschapv2/Makefile.am b/src/libcharon/plugins/eap_mschapv2/Makefile.am
new file mode 100644
index 000000000..b9555b3c1
--- /dev/null
+++ b/src/libcharon/plugins/eap_mschapv2/Makefile.am
@@ -0,0 +1,17 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-eap-mschapv2.la
+else
+plugin_LTLIBRARIES = libstrongswan-eap-mschapv2.la
+endif
+
+libstrongswan_eap_mschapv2_la_SOURCES = \
+	eap_mschapv2_plugin.h eap_mschapv2_plugin.c \
+	eap_mschapv2.h eap_mschapv2.c
+
+libstrongswan_eap_mschapv2_la_LDFLAGS = -module -avoid-version
diff --git a/src/libcharon/plugins/eap_mschapv2/Makefile.in b/src/libcharon/plugins/eap_mschapv2/Makefile.in
new file mode 100644
index 000000000..2f6c65df4
--- /dev/null
+++ b/src/libcharon/plugins/eap_mschapv2/Makefile.in
@@ -0,0 +1,590 @@
+# Makefile.in generated by automake 1.11 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libcharon/plugins/eap_mschapv2
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_eap_mschapv2_la_LIBADD =
+am_libstrongswan_eap_mschapv2_la_OBJECTS = eap_mschapv2_plugin.lo \
+	eap_mschapv2.lo
+libstrongswan_eap_mschapv2_la_OBJECTS =  \
+	$(am_libstrongswan_eap_mschapv2_la_OBJECTS)
+libstrongswan_eap_mschapv2_la_LINK = $(LIBTOOL) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_eap_mschapv2_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_eap_mschapv2_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_eap_mschapv2_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_eap_mschapv2_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_eap_mschapv2_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libhydra_plugins = @libhydra_plugins@
+libstrongswan_plugins = @libstrongswan_plugins@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-eap-mschapv2.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-eap-mschapv2.la
+libstrongswan_eap_mschapv2_la_SOURCES = \
+	eap_mschapv2_plugin.h eap_mschapv2_plugin.c \
+	eap_mschapv2.h eap_mschapv2.c
+
+libstrongswan_eap_mschapv2_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/eap_mschapv2/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libcharon/plugins/eap_mschapv2/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-eap-mschapv2.la: $(libstrongswan_eap_mschapv2_la_OBJECTS) $(libstrongswan_eap_mschapv2_la_DEPENDENCIES) 
+	$(libstrongswan_eap_mschapv2_la_LINK) $(am_libstrongswan_eap_mschapv2_la_rpath) $(libstrongswan_eap_mschapv2_la_OBJECTS) $(libstrongswan_eap_mschapv2_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_mschapv2.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_mschapv2_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
new file mode 100644
index 000000000..c1ccf72eb
--- /dev/null
+++ b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
@@ -0,0 +1,1250 @@
+/*
+ * Copyright (C) 2009 Tobias Brunner
+ * Copyright (C) 2010 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_mschapv2.h"
+
+#include <ctype.h>
+#include <unistd.h>
+
+#include <daemon.h>
+#include <library.h>
+#include <utils/enumerator.h>
+#include <crypto/crypters/crypter.h>
+#include <crypto/hashers/hasher.h>
+
+typedef struct private_eap_mschapv2_t private_eap_mschapv2_t;
+
+/**
+ * Private data of an eap_mschapv2_t object.
+ */
+struct private_eap_mschapv2_t
+{
+	/**
+	 * Public authenticator_t interface.
+	 */
+	eap_mschapv2_t public;
+
+	/**
+	 * ID of the server
+	 */
+	identification_t *server;
+
+	/**
+	 * ID of the peer
+	 */
+	identification_t *peer;
+
+	/**
+	 * challenge sent by the server
+	 */
+	chunk_t challenge;
+
+	/**
+	 * generated NT-Response
+	 */
+	chunk_t nt_response;
+
+	/**
+	 * generated Authenticator Response
+	 */
+	chunk_t auth_response;
+
+	/**
+	 * generated MSK
+	 */
+	chunk_t msk;
+
+	/**
+	 * EAP message identifier
+	 */
+	u_int8_t identifier;
+
+	/**
+	 * MS-CHAPv2-ID (session ID, increases with each retry)
+	 */
+	u_int8_t mschapv2id;
+
+	/**
+	 * Number of retries
+	 */
+	int retries;
+};
+
+/**
+ * OpCodes
+ */
+enum mschapv2_opcode_t
+{
+	MSCHAPV2_CHALLENGE = 1,
+	MSCHAPV2_RESPONSE = 2,
+	MSCHAPV2_SUCCESS = 3,
+	MSCHAPV2_FAILURE = 4,
+	MSCHAPV2_CHANGE_PASSWORD = 7,
+};
+
+/**
+ * Names for OpCodes
+ */
+ENUM_BEGIN(mschapv2_opcode_names, MSCHAPV2_CHALLENGE, MSCHAPV2_FAILURE,
+		"CHALLENGE",
+		"RESPONSE",
+		"SUCCESS",
+		"FAILURE");
+ENUM_NEXT(mschapv2_opcode_names, MSCHAPV2_CHANGE_PASSWORD, MSCHAPV2_CHANGE_PASSWORD, MSCHAPV2_FAILURE,
+		"CHANGE_PASSWORD");
+ENUM_END(mschapv2_opcode_names, MSCHAPV2_CHANGE_PASSWORD);
+
+/**
+ * Error codes
+ */
+enum mschapv2_error_t
+{
+	ERROR_RESTRICTED_LOGON_HOURS	= 646,
+	ERROR_ACCT_DISABLED				= 647,
+	ERROR_PASSWD_EXPIRED			= 648,
+	ERROR_NO_DIALIN_PERMISSION		= 649,
+	ERROR_AUTHENTICATION_FAILURE	= 691,
+	ERROR_CHANGING_PASSWORD			= 709,
+};
+
+/**
+ * Names for error codes
+ */
+ENUM_BEGIN(mschapv2_error_names, ERROR_RESTRICTED_LOGON_HOURS, ERROR_NO_DIALIN_PERMISSION,
+		"ERROR_RESTRICTED_LOGON_HOURS",
+		"ERROR_ACCT_DISABLED",
+		"ERROR_PASSWD_EXPIRED",
+		"ERROR_NO_DIALIN_PERMISSION");
+ENUM_NEXT(mschapv2_error_names, ERROR_AUTHENTICATION_FAILURE, ERROR_AUTHENTICATION_FAILURE, ERROR_NO_DIALIN_PERMISSION,
+		"ERROR_AUTHENTICATION_FAILURE");
+ENUM_NEXT(mschapv2_error_names, ERROR_CHANGING_PASSWORD, ERROR_CHANGING_PASSWORD, ERROR_AUTHENTICATION_FAILURE,
+		"ERROR_CHANGING_PASSWORD");
+ENUM_END(mschapv2_error_names, ERROR_CHANGING_PASSWORD);
+
+/* Length of the challenge */
+#define CHALLENGE_LEN 16
+/* Length of the response (see eap_mschapv2_response_t) */
+#define RESPONSE_LEN 49
+/* Length of the authenticator response string ("S=<...>") */
+#define AUTH_RESPONSE_LEN 42
+/* Name we send as authenticator */
+#define MSCHAPV2_HOST_NAME "strongSwan"
+/* Message sent on success */
+#define SUCCESS_MESSAGE " M=Welcome2strongSwan"
+/* Message sent on failure */
+#define FAILURE_MESSAGE "E=691 R=1 C="
+/* Length of the complete failure message */
+#define FAILURE_MESSAGE_LEN (sizeof(FAILURE_MESSAGE) + CHALLENGE_LEN * 2)
+
+/* Number of seconds to delay retries */
+#define RETRY_DELAY 2
+/* Maximum number of retries */
+#define MAX_RETRIES 2
+
+typedef struct eap_mschapv2_header_t eap_mschapv2_header_t;
+typedef struct eap_mschapv2_challenge_t eap_mschapv2_challenge_t;
+typedef struct eap_mschapv2_response_t eap_mschapv2_response_t;
+
+/**
+ * packed EAP-MS-CHAPv2 header struct
+ */
+struct eap_mschapv2_header_t
+{
+	/** EAP code (REQUEST/RESPONSE) */
+	u_int8_t code;
+	/** unique message identifier */
+	u_int8_t identifier;
+	/** length of whole message */
+	u_int16_t length;
+	/** EAP type */
+	u_int8_t type;
+	/** MS-CHAPv2 OpCode */
+	u_int8_t opcode;
+	/** MS-CHAPv2-ID (equals identifier) */
+	u_int8_t ms_chapv2_id;
+	/** MS-Length (defined as length - 5) */
+	u_int16_t ms_length;
+	/** packet data (determined by OpCode) */
+	u_int8_t data[];
+}__attribute__((__packed__));
+
+/**
+ * packed data for a MS-CHAPv2 Challenge packet
+ */
+struct eap_mschapv2_challenge_t
+{
+	/** Value-Size */
+	u_int8_t value_size;
+	/** Challenge */
+	u_int8_t challenge[CHALLENGE_LEN];
+	/** Name */
+	u_int8_t name[];
+}__attribute__((__packed__));
+
+/**
+ * packed data for a MS-CHAPv2 Response packet
+ */
+struct eap_mschapv2_response_t
+{
+	/** Value-Size */
+	u_int8_t value_size;
+	/** Response */
+	struct
+	{
+		/* Peer-Challenge*/
+		u_int8_t peer_challenge[CHALLENGE_LEN];
+		/* Reserved (=zero) */
+		u_int8_t peer_reserved[8];
+		/* NT-Response */
+		u_int8_t nt_response[24];
+		/* Flags (=zero) */
+		u_int8_t flags;
+	} response;
+	/** Name */
+	u_int8_t name[];
+}__attribute__((__packed__));
+
+/**
+ * Length of the MS-CHAPv2 header
+ */
+#define HEADER_LEN (sizeof(eap_mschapv2_header_t))
+
+/**
+ * Length of the header for MS-CHAPv2 success/failure packets (does not include
+ * MS-CHAPv2-ID and MS-Length, i.e. 3 octets)
+ */
+#define SHORT_HEADER_LEN (HEADER_LEN - 3)
+
+/**
+ * The minimum length of an MS-CHAPv2 Challenge packet (the name MUST be
+ * at least one octet)
+ */
+#define CHALLENGE_PAYLOAD_LEN (HEADER_LEN + sizeof(eap_mschapv2_challenge_t))
+
+/**
+ * The minimum length of an MS-CHAPv2 Response packet
+ */
+#define RESPONSE_PAYLOAD_LEN (HEADER_LEN + sizeof(eap_mschapv2_response_t))
+
+
+/**
+ * Expand a 56-bit key to a 64-bit DES key by adding parity bits (odd parity)
+ */
+static chunk_t ExpandDESKey(chunk_t key)
+{
+	static const u_char bitmask[] =	{ 0xfe, 0xfc, 0xf8, 0xf0, 0xe0, 0xc0, 0x80 };
+	int i;
+	u_char carry = 0;
+	chunk_t expanded;
+
+	/* expand the 7 octets to 8 octets */
+	expanded = chunk_alloc(8);
+	for (i = 0; i < 7; i++)
+	{
+		expanded.ptr[i] = ((key.ptr[i] & bitmask[i]) >> i) | (carry << (8 - i));
+		carry = key.ptr[i] & ~bitmask[i];
+	}
+	expanded.ptr[7] = carry << 1;
+
+	/* add parity bits to each octet */
+	for (i = 0; i < 8; i++)
+	{
+		u_char val = expanded.ptr[i];
+		val = (val ^ (val >> 4)) & 0x0f;
+		expanded.ptr[i] |= (0x9669 >> val) & 1;
+	}
+	return expanded;
+}
+
+/**
+ * Calculate the NT password hash (i.e. hash the (unicode) password with MD4)
+ */
+static status_t NtPasswordHash(chunk_t password, chunk_t *password_hash)
+{
+	hasher_t *hasher;
+	hasher = lib->crypto->create_hasher(lib->crypto, HASH_MD4);
+	if (hasher == NULL)
+	{
+		DBG1(DBG_IKE, "EAP-MS-CHAPv2 failed, no MD4 hasher available");
+		return FAILED;
+	}
+	hasher->allocate_hash(hasher, password, password_hash);
+	hasher->destroy(hasher);
+	return SUCCESS;
+}
+
+/**
+ * Calculate the challenge hash (i.e. hash [peer_challenge | server_challenge |
+ * username (without domain part)] with SHA1)
+ */
+static status_t ChallengeHash(chunk_t peer_challenge, chunk_t server_challenge,
+							  chunk_t username, chunk_t *challenge_hash)
+{
+	chunk_t concat;
+	hasher_t *hasher;
+	hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
+	if (hasher == NULL)
+	{
+		DBG1(DBG_IKE, "EAP-MS-CHAPv2 failed, SHA1 not supported");
+		return FAILED;
+	}
+	concat = chunk_cata("ccc", peer_challenge, server_challenge, username);
+	hasher->allocate_hash(hasher, concat, challenge_hash);
+	hasher->destroy(hasher);
+	/* we need only the first 8 octets */
+	challenge_hash->len = 8;
+	return SUCCESS;
+}
+
+/**
+ * Calculate the challenge response (i.e. expand password_hash to three DES keys
+ * and then encrypt the 8-octet challenge_hash with these keys and concatenate
+ * the results).
+ */
+static status_t ChallengeResponse(chunk_t challenge_hash, chunk_t password_hash,
+								  chunk_t *response)
+{
+	int i;
+	crypter_t *crypter;
+	chunk_t keys[3], z_password_hash;
+	crypter = lib->crypto->create_crypter(lib->crypto, ENCR_DES_ECB, 8);
+	if (crypter == NULL)
+	{
+		DBG1(DBG_IKE, "EAP-MS-CHAPv2 failed, DES-ECB not supported");
+		return FAILED;
+	}
+	/* prepare keys: first pad password_hash to 21 octets, these get then split
+	 * into 7-octet chunks, which then get expanded into 8-octet DES keys */
+	z_password_hash = chunk_alloca(21);
+	memset(z_password_hash.ptr, 0, z_password_hash.len);
+	memcpy(z_password_hash.ptr, password_hash.ptr, password_hash.len);
+	chunk_split(z_password_hash, "mmm", 7, &keys[0], 7, &keys[1], 7, &keys[2]);
+
+	*response = chunk_alloc(24);
+	for (i = 0; i < 3; i++)
+	{
+		chunk_t expanded, encrypted;
+		expanded = ExpandDESKey(keys[i]);
+		crypter->set_key(crypter, expanded);
+		crypter->encrypt(crypter, challenge_hash, chunk_empty, &encrypted);
+		memcpy(&response->ptr[i * 8], encrypted.ptr, encrypted.len);
+		chunk_clear(&encrypted);
+		chunk_clear(&expanded);
+	}
+	crypter->destroy(crypter);
+	return SUCCESS;
+}
+
+/**
+ * Computes the authenticator response
+ */
+static status_t AuthenticatorResponse(chunk_t password_hash_hash,
+		chunk_t challenge_hash, chunk_t nt_response, chunk_t *response)
+{
+	chunk_t magic1 = chunk_from_chars(
+		0x4D, 0x61, 0x67, 0x69, 0x63, 0x20, 0x73, 0x65, 0x72, 0x76,
+		0x65, 0x72, 0x20, 0x74, 0x6F, 0x20, 0x63, 0x6C, 0x69, 0x65,
+		0x6E, 0x74, 0x20, 0x73, 0x69, 0x67, 0x6E, 0x69, 0x6E, 0x67,
+		0x20, 0x63, 0x6F, 0x6E, 0x73, 0x74, 0x61, 0x6E, 0x74);
+	chunk_t magic2 = chunk_from_chars(
+		0x50, 0x61, 0x64, 0x20, 0x74, 0x6F, 0x20, 0x6D, 0x61, 0x6B,
+		0x65, 0x20, 0x69, 0x74, 0x20, 0x64, 0x6F, 0x20, 0x6D, 0x6F,
+		0x72, 0x65, 0x20, 0x74, 0x68, 0x61, 0x6E, 0x20, 0x6F, 0x6E,
+		0x65, 0x20, 0x69, 0x74, 0x65, 0x72, 0x61, 0x74, 0x69, 0x6F,
+		0x6E);
+	chunk_t digest = chunk_empty, concat;
+	hasher_t *hasher;
+
+	hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
+	if (hasher == NULL)
+	{
+		DBG1(DBG_IKE, "EAP-MS-CHAPv2 failed, SHA1 not supported");
+		return FAILED;
+	}
+
+	concat = chunk_cata("ccc", password_hash_hash, nt_response, magic1);
+	hasher->allocate_hash(hasher, concat, &digest);
+	concat = chunk_cata("ccc", digest, challenge_hash, magic2);
+	hasher->allocate_hash(hasher, concat, response);
+
+	hasher->destroy(hasher);
+	chunk_free(&digest);
+	return SUCCESS;
+}
+
+/**
+ * Generate the master session key according to RFC3079
+ */
+static status_t GenerateMSK(chunk_t password_hash_hash,
+							chunk_t nt_response, chunk_t *msk)
+{
+	chunk_t magic1 = chunk_from_chars(
+		0x54, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20, 0x74,
+		0x68, 0x65, 0x20, 0x4d, 0x50, 0x50, 0x45, 0x20, 0x4d,
+		0x61, 0x73, 0x74, 0x65, 0x72, 0x20, 0x4b, 0x65, 0x79);
+	chunk_t magic2 = chunk_from_chars(
+		0x4f, 0x6e, 0x20, 0x74, 0x68, 0x65, 0x20, 0x63, 0x6c, 0x69,
+		0x65, 0x6e, 0x74, 0x20, 0x73, 0x69, 0x64, 0x65, 0x2c, 0x20,
+		0x74, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20, 0x74, 0x68,
+		0x65, 0x20, 0x73, 0x65, 0x6e, 0x64, 0x20, 0x6b, 0x65, 0x79,
+		0x3b, 0x20, 0x6f, 0x6e, 0x20, 0x74, 0x68, 0x65, 0x20, 0x73,
+		0x65, 0x72, 0x76, 0x65, 0x72, 0x20, 0x73, 0x69, 0x64, 0x65,
+		0x2c, 0x20, 0x69, 0x74, 0x20, 0x69, 0x73, 0x20, 0x74, 0x68,
+		0x65, 0x20, 0x72, 0x65, 0x63, 0x65, 0x69, 0x76, 0x65, 0x20,
+		0x6b, 0x65, 0x79, 0x2e);
+	chunk_t magic3 = chunk_from_chars(
+		0x4f, 0x6e, 0x20, 0x74, 0x68, 0x65, 0x20, 0x63, 0x6c, 0x69,
+		0x65, 0x6e, 0x74, 0x20, 0x73, 0x69, 0x64, 0x65, 0x2c, 0x20,
+		0x74, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20, 0x74, 0x68,
+		0x65, 0x20, 0x72, 0x65, 0x63, 0x65, 0x69, 0x76, 0x65, 0x20,
+		0x6b, 0x65, 0x79, 0x3b, 0x20, 0x6f, 0x6e, 0x20, 0x74, 0x68,
+		0x65, 0x20, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x20, 0x73,
+		0x69, 0x64, 0x65, 0x2c, 0x20, 0x69, 0x74, 0x20, 0x69, 0x73,
+		0x20, 0x74, 0x68, 0x65, 0x20, 0x73, 0x65, 0x6e, 0x64, 0x20,
+		0x6b, 0x65, 0x79, 0x2e);
+	chunk_t shapad1 = chunk_from_chars(
+		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00);
+	chunk_t shapad2 = chunk_from_chars(
+		0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2,
+		0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2,
+		0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2,
+		0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2);
+	chunk_t keypad = chunk_from_chars(
+		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+		0x00, 0x00, 0x00, 0x00, 0x00, 0x00);
+	chunk_t concat, master_key, master_receive_key, master_send_key;
+	hasher_t *hasher;
+
+	hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
+	if (hasher == NULL)
+	{
+		DBG1(DBG_IKE, "EAP-MS-CHAPv2 failed, SHA1 not supported");
+		return FAILED;
+	}
+
+	concat = chunk_cata("ccc", password_hash_hash, nt_response, magic1);
+	hasher->allocate_hash(hasher, concat, &master_key);
+	master_key.len = 16;
+
+	concat = chunk_cata("cccc", master_key, shapad1, magic2, shapad2);
+	hasher->allocate_hash(hasher, concat, &master_receive_key);
+	master_receive_key.len = 16;
+
+	concat = chunk_cata("cccc", master_key, shapad1, magic3, shapad2);
+	hasher->allocate_hash(hasher, concat, &master_send_key);
+	master_send_key.len = 16;
+
+	*msk = chunk_cat("cccc", master_receive_key, master_send_key, keypad, keypad);
+
+	hasher->destroy(hasher);
+	chunk_free(&master_key);
+	chunk_free(&master_receive_key);
+	chunk_free(&master_send_key);
+	return SUCCESS;
+}
+
+static status_t GenerateStuff(private_eap_mschapv2_t *this,
+							  chunk_t server_challenge, chunk_t peer_challenge,
+							  chunk_t username, chunk_t nt_hash)
+{
+	status_t status = FAILED;
+	chunk_t nt_hash_hash = chunk_empty, challenge_hash = chunk_empty;
+
+	if (NtPasswordHash(nt_hash, &nt_hash_hash) != SUCCESS)
+	{
+		goto error;
+	}
+	if (ChallengeHash(peer_challenge, server_challenge, username,
+						&challenge_hash) != SUCCESS)
+	{
+		goto error;
+	}
+	if (ChallengeResponse(challenge_hash, nt_hash,
+						&this->nt_response) != SUCCESS)
+	{
+		goto error;
+	}
+	if (AuthenticatorResponse(nt_hash_hash, challenge_hash,
+						this->nt_response, &this->auth_response) != SUCCESS)
+	{
+		goto error;
+	}
+	if (GenerateMSK(nt_hash_hash, this->nt_response, &this->msk) != SUCCESS)
+	{
+		goto error;
+	}
+
+	status = SUCCESS;
+
+error:
+	chunk_free(&nt_hash_hash);
+	chunk_free(&challenge_hash);
+	return status;
+}
+
+/**
+ * Converts an ASCII string into a UTF-16 (little-endian) string
+ */
+static chunk_t ascii_to_unicode(chunk_t ascii)
+{
+	int i;
+	chunk_t unicode = chunk_alloc(ascii.len * 2);
+	for (i = 0; i < ascii.len; i++)
+	{
+		unicode.ptr[i * 2] = ascii.ptr[i];
+		unicode.ptr[i * 2 + 1] = 0;
+	}
+	return unicode;
+}
+
+/**
+ * sanitize a string for printing
+ */
+static char* sanitize(char *str)
+{
+	char *pos = str;
+
+	while (pos && *pos)
+	{
+		if (!isprint(*pos))
+		{
+			*pos = '?';
+		}
+		pos++;
+	}
+	return str;
+}
+
+/**
+ * Returns a chunk of just the username part of the given user identity.
+ * Note: the chunk points to internal data of the identification.
+ */
+static chunk_t extract_username(identification_t* identification)
+{
+	char *has_domain;
+	chunk_t id;
+	id = identification->get_encoding(identification);
+	has_domain = (char*)memchr(id.ptr, '\\', id.len);
+	if (has_domain)
+	{
+		int len;
+		has_domain++; /* skip the backslash */
+		len = id.len - ((u_char*)has_domain - id.ptr);
+		return len > 0 ? chunk_create(has_domain, len) : chunk_empty;
+	}
+	return id;
+}
+
+/**
+ * Set the ms_length field using aligned write
+ */
+static void set_ms_length(eap_mschapv2_header_t *eap, u_int16_t len)
+{
+	len = htons(len - 5);
+	memcpy(&eap->ms_length, &len, sizeof(u_int16_t));
+}
+
+/**
+ * Implementation of eap_method_t.initiate for the peer
+ */
+static status_t initiate_peer(private_eap_mschapv2_t *this, eap_payload_t **out)
+{
+	/* peer never initiates */
+	return FAILED;
+}
+
+/**
+ * Implementation of eap_method_t.initiate for the server
+ */
+static status_t initiate_server(private_eap_mschapv2_t *this, eap_payload_t **out)
+{
+	rng_t *rng;
+	eap_mschapv2_header_t *eap;
+	eap_mschapv2_challenge_t *cha;
+	const char *name = MSCHAPV2_HOST_NAME;
+	u_int16_t len = CHALLENGE_PAYLOAD_LEN + sizeof(MSCHAPV2_HOST_NAME) - 1;
+
+	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
+	if (!rng)
+	{
+		DBG1(DBG_IKE, "EAP-MS-CHAPv2 failed, no RNG");
+		return FAILED;
+	}
+	rng->allocate_bytes(rng, CHALLENGE_LEN, &this->challenge);
+	rng->destroy(rng);
+
+	eap = alloca(len);
+	eap->code = EAP_REQUEST;
+	eap->identifier = this->identifier;
+	eap->length = htons(len);
+	eap->type = EAP_MSCHAPV2;
+	eap->opcode = MSCHAPV2_CHALLENGE;
+	eap->ms_chapv2_id = this->mschapv2id;
+	set_ms_length(eap, len);
+
+	cha = (eap_mschapv2_challenge_t*)eap->data;
+	cha->value_size = CHALLENGE_LEN;
+	memcpy(cha->challenge, this->challenge.ptr, this->challenge.len);
+	memcpy(cha->name, name, sizeof(MSCHAPV2_HOST_NAME) - 1);
+
+	*out = eap_payload_create_data(chunk_create((void*) eap, len));
+	return NEED_MORE;
+}
+
+static bool get_nt_hash(private_eap_mschapv2_t *this, identification_t *me,
+					   identification_t *other, chunk_t *nt_hash)
+{
+	shared_key_t *shared;
+	chunk_t password;
+
+	/* try to find a stored NT_HASH first */
+	shared = charon->credentials->get_shared(charon->credentials,
+											SHARED_NT_HASH, me, other);
+	if (shared )
+	{
+		*nt_hash = chunk_clone(shared->get_key(shared));
+		shared->destroy(shared);
+		return TRUE;
+	}
+
+	/* fallback to plaintext password */
+	shared = charon->credentials->get_shared(charon->credentials,
+											SHARED_EAP, me, other);
+	if (shared)
+	{
+		password = ascii_to_unicode(shared->get_key(shared));
+		shared->destroy(shared);
+
+		if (NtPasswordHash(password, nt_hash) == SUCCESS)
+		{
+			chunk_clear(&password);
+			return TRUE;
+		}
+		chunk_clear(&password);
+	}
+	return FALSE;
+}
+
+/**
+ * Process MS-CHAPv2 Challenge Requests
+ */
+static status_t process_peer_challenge(private_eap_mschapv2_t *this,
+									   eap_payload_t *in, eap_payload_t **out)
+{
+	rng_t *rng;
+	eap_mschapv2_header_t *eap;
+	eap_mschapv2_challenge_t *cha;
+	eap_mschapv2_response_t *res;
+	chunk_t data, peer_challenge, username, nt_hash;
+	u_int16_t len = RESPONSE_PAYLOAD_LEN;
+
+	data = in->get_data(in);
+	eap = (eap_mschapv2_header_t*)data.ptr;
+
+	/* the name MUST be at least one octet long */
+	if (data.len < CHALLENGE_PAYLOAD_LEN + 1)
+	{
+		DBG1(DBG_IKE, "received invalid EAP-MS-CHAPv2 message: too short");
+		return FAILED;
+	}
+
+	cha = (eap_mschapv2_challenge_t*)eap->data;
+
+	if (cha->value_size != CHALLENGE_LEN)
+	{
+		DBG1(DBG_IKE, "received invalid EAP-MS-CHAPv2 message: "
+			 "invalid challenge size");
+		return FAILED;
+	}
+
+	this->mschapv2id = eap->ms_chapv2_id;
+	this->challenge = chunk_clone(chunk_create(cha->challenge, CHALLENGE_LEN));
+
+	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
+	if (!rng)
+	{
+		DBG1(DBG_IKE, "EAP-MS-CHAPv2 failed, no RNG");
+		return FAILED;
+	}
+	peer_challenge = chunk_alloca(CHALLENGE_LEN);
+	rng->get_bytes(rng, CHALLENGE_LEN, peer_challenge.ptr);
+	rng->destroy(rng);
+
+	if (!get_nt_hash(this, this->peer, this->server, &nt_hash))
+	{
+		DBG1(DBG_IKE, "no EAP key found for hosts '%Y' - '%Y'",
+			 this->server, this->peer);
+		return NOT_FOUND;
+	}
+
+	username = extract_username(this->peer);
+	len += username.len;
+
+	if (GenerateStuff(this, this->challenge, peer_challenge,
+					  username, nt_hash) != SUCCESS)
+	{
+		DBG1(DBG_IKE, "EAP-MS-CHAPv2 generating NT-Response failed");
+		chunk_clear(&nt_hash);
+		return FAILED;
+	}
+	chunk_clear(&nt_hash);
+
+	eap = alloca(len);
+	eap->code = EAP_RESPONSE;
+	eap->identifier = this->identifier;
+	eap->length = htons(len);
+	eap->type = EAP_MSCHAPV2;
+	eap->opcode = MSCHAPV2_RESPONSE;
+	eap->ms_chapv2_id = this->mschapv2id;
+	set_ms_length(eap, len);
+
+	res = (eap_mschapv2_response_t*)eap->data;
+	res->value_size = RESPONSE_LEN;
+	memset(&res->response, 0, RESPONSE_LEN);
+	memcpy(res->response.peer_challenge, peer_challenge.ptr, peer_challenge.len);
+	memcpy(res->response.nt_response, this->nt_response.ptr, this->nt_response.len);
+
+	username = this->peer->get_encoding(this->peer);
+	memcpy(res->name, username.ptr, username.len);
+
+	*out = eap_payload_create_data(chunk_create((void*) eap, len));
+	return NEED_MORE;
+}
+
+/**
+ * Process MS-CHAPv2 Success Requests
+ */
+static status_t process_peer_success(private_eap_mschapv2_t *this,
+									  eap_payload_t *in, eap_payload_t **out)
+{
+	status_t status = FAILED;
+	enumerator_t *enumerator;
+	eap_mschapv2_header_t *eap;
+	chunk_t data, auth_string = chunk_empty;
+	char *message, *token, *msg = NULL;
+	int message_len;
+	u_int16_t len = SHORT_HEADER_LEN;
+
+	data = in->get_data(in);
+	eap = (eap_mschapv2_header_t*)data.ptr;
+
+	if (data.len < AUTH_RESPONSE_LEN)
+	{
+		DBG1(DBG_IKE, "received invalid EAP-MS-CHAPv2 message: too short");
+		return FAILED;
+	}
+
+	message_len = data.len - HEADER_LEN;
+	message = malloc(message_len + 1);
+	memcpy(message, eap->data, message_len);
+	message[message_len] = '\0';
+
+	/* S=<auth_string> M=<msg> */
+	enumerator = enumerator_create_token(message, " ", " ");
+	while (enumerator->enumerate(enumerator, &token))
+	{
+		if (strneq(token, "S=", 2))
+		{
+			chunk_t hex;
+			token += 2;
+			if (strlen(token) != AUTH_RESPONSE_LEN - 2)
+			{
+				DBG1(DBG_IKE, "received invalid EAP-MS-CHAPv2 message: "
+					 "invalid auth string");
+				goto error;
+			}
+			hex = chunk_create(token, AUTH_RESPONSE_LEN - 2);
+			auth_string = chunk_from_hex(hex, NULL);
+		}
+		else if (strneq(token, "M=", 2))
+		{
+			token += 2;
+			msg = strdup(token);
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	if (auth_string.ptr == NULL)
+	{
+		DBG1(DBG_IKE, "received invalid EAP-MS-CHAPv2 message: "
+			 "auth string missing");
+		goto error;
+	}
+
+	if (!chunk_equals(this->auth_response, auth_string))
+	{
+		DBG1(DBG_IKE, "EAP-MS-CHAPv2 verification failed");
+		goto error;
+	}
+
+	DBG1(DBG_IKE, "EAP-MS-CHAPv2 succeeded: '%s'", sanitize(msg));
+
+	eap = alloca(len);
+	eap->code = EAP_RESPONSE;
+	eap->identifier = this->identifier;
+	eap->length = htons(len);
+	eap->type = EAP_MSCHAPV2;
+	eap->opcode = MSCHAPV2_SUCCESS;
+
+	*out = eap_payload_create_data(chunk_create((void*) eap, len));
+	status = NEED_MORE;
+
+error:
+	chunk_free(&auth_string);
+	free(message);
+	free(msg);
+	return status;
+}
+
+static status_t process_peer_failure(private_eap_mschapv2_t *this,
+									 eap_payload_t *in, eap_payload_t **out)
+{
+	status_t status = FAILED;
+	enumerator_t *enumerator;
+	eap_mschapv2_header_t *eap;
+	chunk_t data;
+	char *message, *token, *msg = NULL;
+	int message_len, error, retryable;
+	chunk_t challenge = chunk_empty;
+
+	data = in->get_data(in);
+	eap = (eap_mschapv2_header_t*)data.ptr;
+
+	if (data.len < 3) /* we want at least an error code: E=e */
+	{
+		DBG1(DBG_IKE, "received invalid EAP-MS-CHAPv2 message: too short");
+		return FAILED;
+	}
+
+	message_len = data.len - HEADER_LEN;
+	message = malloc(message_len + 1);
+	memcpy(message, eap->data, message_len);
+	message[message_len] = '\0';
+
+	/* E=eeeeeeeeee R=r C=cccccccccccccccccccccccccccccccc V=vvvvvvvvvv M=<msg> */
+	enumerator = enumerator_create_token(message, " ", " ");
+	while (enumerator->enumerate(enumerator, &token))
+	{
+		if (strneq(token, "E=", 2))
+		{
+			token += 2;
+			error = atoi(token);
+		}
+		else if (strneq(token, "R=", 2))
+		{
+			token += 2;
+			retryable = atoi(token);
+		}
+		else if (strneq(token, "C=", 2))
+		{
+			chunk_t hex;
+			token += 2;
+			if (strlen(token) != 2 * CHALLENGE_LEN)
+			{
+				DBG1(DBG_IKE, "received invalid EAP-MS-CHAPv2 message:"
+					 "invalid challenge");
+				goto error;
+			}
+			hex = chunk_create(token, 2 * CHALLENGE_LEN);
+			challenge = chunk_from_hex(hex, NULL);
+		}
+		else if (strneq(token, "V=", 2))
+		{
+			int version;
+			token += 2;
+			version = atoi(token);
+		}
+		else if (strneq(token, "M=", 2))
+		{
+			token += 2;
+			msg = strdup(token);
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	DBG1(DBG_IKE, "EAP-MS-CHAPv2 failed with error %N: '%s'",
+		 mschapv2_error_names, error, sanitize(msg));
+
+	/**
+	 * at this point, if the error is retryable, we MAY retry the authentication
+	 * or MAY send a Change Password packet.
+	 *
+	 * if the error is not retryable (or if we do neither of the above), we
+	 * SHOULD send a Failure Response packet.
+	 * windows clients don't do that, and since windows server 2008 r2 behaves
+	 * pretty odd if we do send a Failure Response, we just don't send one
+	 * either. windows 7 actually sends a delete notify (which, according to the
+	 * logs, results in an error on windows server 2008 r2).
+	 *
+	 * btw, windows server 2008 r2 does not send non-retryable errors for e.g.
+	 * a disabled account but returns the windows error code in a notify payload
+	 * of type 12345.
+	 */
+
+	status = FAILED;
+
+error:
+	chunk_free(&challenge);
+	free(message);
+	free(msg);
+	return status;
+}
+
+/**
+ * Implementation of eap_method_t.process for the peer
+ */
+static status_t process_peer(private_eap_mschapv2_t *this, eap_payload_t *in,
+		eap_payload_t **out)
+{
+	chunk_t data;
+	eap_mschapv2_header_t *eap;
+
+	this->identifier = in->get_identifier(in);
+	data = in->get_data(in);
+	if (data.len < SHORT_HEADER_LEN)
+	{
+		DBG1(DBG_IKE, "received invalid EAP-MS-CHAPv2 message");
+		return FAILED;
+	}
+
+	eap = (eap_mschapv2_header_t*)data.ptr;
+
+	switch (eap->opcode)
+	{
+		case MSCHAPV2_CHALLENGE:
+		{
+			return process_peer_challenge(this, in, out);
+		}
+		case MSCHAPV2_SUCCESS:
+		{
+			return process_peer_success(this, in, out);
+		}
+		case MSCHAPV2_FAILURE:
+		{
+			return process_peer_failure(this, in, out);
+		}
+		default:
+		{
+			DBG1(DBG_IKE, "EAP-MS-CHAPv2 received packet with unsupported "
+				 "OpCode (%N)!", mschapv2_opcode_names, eap->opcode);
+			break;
+		}
+	}
+	return FAILED;
+}
+
+/**
+ * Handles retries on the server
+ */
+static status_t process_server_retry(private_eap_mschapv2_t *this,
+									 eap_payload_t **out)
+{
+	eap_mschapv2_header_t *eap;
+	rng_t *rng;
+	chunk_t hex;
+	char msg[FAILURE_MESSAGE_LEN];
+	u_int16_t len = HEADER_LEN + FAILURE_MESSAGE_LEN - 1; /* no null byte */
+
+	if (++this->retries > MAX_RETRIES)
+	{
+		/* we MAY send a Failure Request with R=0, but windows 7 does not
+		 * really like that and does not respond with a Failure Response.
+		 * so, to clean up our state we just fail with an EAP-Failure.
+		 * this gives an unknown error on the windows side, but is also fine
+		 * with the standard. */
+		DBG1(DBG_IKE, "EAP-MS-CHAPv2 verification failed: "
+			 "maximum number of retries reached");
+		return FAILED;
+	}
+
+	DBG1(DBG_IKE, "EAP-MS-CHAPv2 verification failed, retry (%d)", this->retries);
+
+	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
+	if (!rng)
+	{
+		DBG1(DBG_IKE, "EAP-MS-CHAPv2 failed, no RNG");
+		return FAILED;
+	}
+	rng->get_bytes(rng, CHALLENGE_LEN, this->challenge.ptr);
+	rng->destroy(rng);
+
+	chunk_free(&this->nt_response);
+	chunk_free(&this->auth_response);
+	chunk_free(&this->msk);
+
+	eap = alloca(len);
+	eap->code = EAP_REQUEST;
+	eap->identifier = ++this->identifier;
+	eap->length = htons(len);
+	eap->type = EAP_MSCHAPV2;
+	eap->opcode = MSCHAPV2_FAILURE;
+	eap->ms_chapv2_id = this->mschapv2id++; /* increase for each retry */
+	set_ms_length(eap, len);
+
+	hex = chunk_to_hex(this->challenge, NULL, TRUE);
+	snprintf(msg, FAILURE_MESSAGE_LEN, "%s%s", FAILURE_MESSAGE, hex.ptr);
+	chunk_free(&hex);
+	memcpy(eap->data, msg, FAILURE_MESSAGE_LEN - 1); /* no null byte */
+	*out = eap_payload_create_data(chunk_create((void*) eap, len));
+
+	/* delay the response for some time to make brute-force attacks harder */
+	sleep(RETRY_DELAY);
+
+	return NEED_MORE;
+}
+
+/**
+ * Process MS-CHAPv2 Response response packets
+ */
+static status_t process_server_response(private_eap_mschapv2_t *this,
+										eap_payload_t *in, eap_payload_t **out)
+{
+	eap_mschapv2_header_t *eap;
+	eap_mschapv2_response_t *res;
+	chunk_t data, peer_challenge, username, nt_hash;
+	identification_t *userid;
+	int name_len;
+	char buf[256];
+
+	data = in->get_data(in);
+	eap = (eap_mschapv2_header_t*)data.ptr;
+
+	if (data.len < RESPONSE_PAYLOAD_LEN)
+	{
+		DBG1(DBG_IKE, "received invalid EAP-MS-CHAPv2 message: too short");
+		return FAILED;
+	}
+
+	res = (eap_mschapv2_response_t*)eap->data;
+	peer_challenge = chunk_create(res->response.peer_challenge, CHALLENGE_LEN);
+
+	name_len = min(data.len - RESPONSE_PAYLOAD_LEN, 255);
+	snprintf(buf, sizeof(buf), "%.*s", name_len, res->name);
+	userid = identification_create_from_string(buf);
+	DBG2(DBG_IKE, "EAP-MS-CHAPv2 username: '%Y'", userid);
+	username = extract_username(userid);
+
+	if (!get_nt_hash(this, this->server, userid, &nt_hash))
+	{
+		DBG1(DBG_IKE, "no EAP key found for hosts '%Y' - '%Y'",
+					  this->server, userid);
+		/* FIXME: windows 7 always sends the username that is first entered in
+		 * the username box, even, if the user changes it during retries (probably
+		 * to keep consistent with the EAP-Identity).
+		 * thus, we could actually fail here, because retries do not make much
+		 * sense. on the other hand, an attacker could guess usernames, if the
+		 * error messages were different. */
+		userid->destroy(userid);
+		return process_server_retry(this, out);
+	}
+
+	if (GenerateStuff(this, this->challenge, peer_challenge,
+					  username, nt_hash) != SUCCESS)
+	{
+		DBG1(DBG_IKE, "EAP-MS-CHAPv2 verification failed");
+		userid->destroy(userid);
+		chunk_clear(&nt_hash);
+		return FAILED;
+	}
+	userid->destroy(userid);
+	chunk_clear(&nt_hash);
+
+	if (memeq(res->response.nt_response, this->nt_response.ptr,
+			  this->nt_response.len))
+	{
+		chunk_t hex;
+		char msg[AUTH_RESPONSE_LEN + sizeof(SUCCESS_MESSAGE)];
+		u_int16_t len = HEADER_LEN + AUTH_RESPONSE_LEN + sizeof(SUCCESS_MESSAGE);
+
+		eap = alloca(len);
+		eap->code = EAP_REQUEST;
+		eap->identifier = ++this->identifier;
+		eap->length = htons(len);
+		eap->type = EAP_MSCHAPV2;
+		eap->opcode = MSCHAPV2_SUCCESS;
+		eap->ms_chapv2_id = this->mschapv2id;
+		set_ms_length(eap, len);
+
+		hex = chunk_to_hex(this->auth_response, NULL, TRUE);
+		snprintf(msg, AUTH_RESPONSE_LEN + sizeof(SUCCESS_MESSAGE),
+					  "S=%s%s", hex.ptr, SUCCESS_MESSAGE);
+		chunk_free(&hex);
+		memcpy(eap->data, msg, AUTH_RESPONSE_LEN + sizeof(SUCCESS_MESSAGE));
+		*out = eap_payload_create_data(chunk_create((void*) eap, len));
+		return NEED_MORE;
+	}
+
+	return process_server_retry(this, out);
+}
+
+/**
+ * Implementation of eap_method_t.process for the server
+ */
+static status_t process_server(private_eap_mschapv2_t *this, eap_payload_t *in,
+		eap_payload_t **out)
+{
+	eap_mschapv2_header_t *eap;
+	chunk_t data;
+
+	if (this->identifier != in->get_identifier(in))
+	{
+		DBG1(DBG_IKE, "received invalid EAP-MS-CHAPv2 message: "
+			 "unexpected identifier");
+		return FAILED;
+	}
+
+	data = in->get_data(in);
+	if (data.len < SHORT_HEADER_LEN)
+	{
+		DBG1(DBG_IKE, "received invalid EAP-MS-CHAPv2 message: too short");
+		return FAILED;
+	}
+
+	eap = (eap_mschapv2_header_t*)data.ptr;
+
+	switch (eap->opcode)
+	{
+		case MSCHAPV2_RESPONSE:
+		{
+			return process_server_response(this, in, out);
+		}
+		case MSCHAPV2_SUCCESS:
+		{
+			return SUCCESS;
+		}
+		case MSCHAPV2_FAILURE:
+		{
+			return FAILED;
+		}
+		default:
+		{
+			DBG1(DBG_IKE, "EAP-MS-CHAPv2 received packet with unsupported "
+				 "OpCode (%N)!", mschapv2_opcode_names, eap->opcode);
+			break;
+		}
+	}
+	return FAILED;
+}
+
+/**
+ * Implementation of eap_method_t.get_type.
+ */
+static eap_type_t get_type(private_eap_mschapv2_t *this, u_int32_t *vendor)
+{
+	*vendor = 0;
+	return EAP_MSCHAPV2;
+}
+
+/**
+ * Implementation of eap_method_t.get_msk.
+ */
+static status_t get_msk(private_eap_mschapv2_t *this, chunk_t *msk)
+{
+	if (this->msk.ptr)
+	{
+		*msk = this->msk;
+		return SUCCESS;
+	}
+	return FAILED;
+}
+
+/**
+ * Implementation of eap_method_t.is_mutual.
+ */
+static bool is_mutual(private_eap_mschapv2_t *this)
+{
+	return FALSE;
+}
+
+/**
+ * Implementation of eap_method_t.destroy.
+ */
+static void destroy(private_eap_mschapv2_t *this)
+{
+	this->peer->destroy(this->peer);
+	this->server->destroy(this->server);
+	chunk_free(&this->challenge);
+	chunk_free(&this->nt_response);
+	chunk_free(&this->auth_response);
+	chunk_free(&this->msk);
+	free(this);
+}
+
+/**
+ * Generic constructor
+ */
+static private_eap_mschapv2_t *eap_mschapv2_create_generic(identification_t *server, identification_t *peer)
+{
+	private_eap_mschapv2_t *this = malloc_thing(private_eap_mschapv2_t);
+
+	this->public.eap_method_interface.initiate = NULL;
+	this->public.eap_method_interface.process = NULL;
+	this->public.eap_method_interface.get_type = (eap_type_t(*)(eap_method_t*,u_int32_t*))get_type;
+	this->public.eap_method_interface.is_mutual = (bool(*)(eap_method_t*))is_mutual;
+	this->public.eap_method_interface.get_msk = (status_t(*)(eap_method_t*,chunk_t*))get_msk;
+	this->public.eap_method_interface.destroy = (void(*)(eap_method_t*))destroy;
+
+	/* private data */
+	this->peer = peer->clone(peer);
+	this->server = server->clone(server);
+	this->challenge = chunk_empty;
+	this->nt_response = chunk_empty;
+	this->auth_response = chunk_empty;
+	this->msk = chunk_empty;
+	this->identifier = 0;
+	this->mschapv2id = 0;
+	this->retries = 0;
+
+	return this;
+}
+
+/*
+ * see header
+ */
+eap_mschapv2_t *eap_mschapv2_create_server(identification_t *server, identification_t *peer)
+{
+	private_eap_mschapv2_t *this = eap_mschapv2_create_generic(server, peer);
+
+	this->public.eap_method_interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate_server;
+	this->public.eap_method_interface.process = (status_t(*)(eap_method_t*,eap_payload_t*, eap_payload_t**))process_server;
+
+	/* generate a non-zero identifier */
+	do
+	{
+		this->identifier = random();
+	} while (!this->identifier);
+
+	this->mschapv2id = this->identifier;
+
+	return &this->public;
+}
+
+/*
+ * see header
+ */
+eap_mschapv2_t *eap_mschapv2_create_peer(identification_t *server, identification_t *peer)
+{
+	private_eap_mschapv2_t *this = eap_mschapv2_create_generic(server, peer);
+
+	this->public.eap_method_interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate_peer;
+	this->public.eap_method_interface.process = (status_t(*)(eap_method_t*,eap_payload_t*, eap_payload_t**))process_peer;
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.h b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.h
new file mode 100644
index 000000000..34cc1141e
--- /dev/null
+++ b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.h
@@ -0,0 +1,57 @@
+/*
+ * Copyright (C) 2009 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_mschapv2_i eap_mschapv2
+ * @{ @ingroup eap_mschapv2
+ */
+
+#ifndef EAP_MSCHAPV2_H_
+#define EAP_MSCHAPV2_H_
+
+typedef struct eap_mschapv2_t eap_mschapv2_t;
+
+#include <sa/authenticators/eap/eap_method.h>
+
+/**
+ * Implementation of the eap_method_t interface using EAP-MS-CHAPv2.
+ */
+struct eap_mschapv2_t {
+
+	/**
+	 * Implemented eap_method_t interface.
+	 */
+	eap_method_t eap_method_interface;
+};
+
+/**
+ * Creates the EAP method EAP-MS-CHAPv2 acting as server.
+ *
+ * @param server	ID of the EAP server
+ * @param peer		ID of the EAP client
+ * @return			eap_mschapv2_t object
+ */
+eap_mschapv2_t *eap_mschapv2_create_server(identification_t *server, identification_t *peer);
+
+/**
+ * Creates the EAP method EAP-MS-CHAPv2 acting as peer.
+ *
+ * @param server	ID of the EAP server
+ * @param peer		ID of the EAP client
+ * @return			eap_mschapv2_t object
+ */
+eap_mschapv2_t *eap_mschapv2_create_peer(identification_t *server, identification_t *peer);
+
+#endif /** EAP_MSCHAPV2_H_ @}*/
diff --git a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2_plugin.c b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2_plugin.c
new file mode 100644
index 000000000..a7b41ddbf
--- /dev/null
+++ b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2_plugin.c
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) 2009 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_mschapv2_plugin.h"
+
+#include "eap_mschapv2.h"
+
+#include <daemon.h>
+
+/**
+ * Implementation of plugin_t.destroy
+ */
+static void destroy(eap_mschapv2_plugin_t *this)
+{
+	charon->eap->remove_method(charon->eap,
+							   (eap_constructor_t)eap_mschapv2_create_server);
+	charon->eap->remove_method(charon->eap,
+							   (eap_constructor_t)eap_mschapv2_create_peer);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *eap_mschapv2_plugin_create()
+{
+	eap_mschapv2_plugin_t *this = malloc_thing(eap_mschapv2_plugin_t);
+
+	this->plugin.destroy = (void(*)(plugin_t*))destroy;
+
+	charon->eap->add_method(charon->eap, EAP_MSCHAPV2, 0, EAP_SERVER,
+							(eap_constructor_t)eap_mschapv2_create_server);
+	charon->eap->add_method(charon->eap, EAP_MSCHAPV2, 0, EAP_PEER,
+							(eap_constructor_t)eap_mschapv2_create_peer);
+
+	return &this->plugin;
+}
+
diff --git a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2_plugin.h b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2_plugin.h
new file mode 100644
index 000000000..f250a9d47
--- /dev/null
+++ b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2009 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_mschapv2 eap_mschapv2
+ * @ingroup cplugins
+ *
+ * @defgroup eap_mschapv2_plugin eap_mschapv2_plugin
+ * @{ @ingroup eap_mschapv2
+ */
+
+#ifndef EAP_MSCHAPV2_PLUGIN_H_
+#define EAP_MSCHAPV2_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct eap_mschapv2_plugin_t eap_mschapv2_plugin_t;
+
+/**
+ * EAP-MS-CHAPv2 plugin
+ */
+struct eap_mschapv2_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+#endif /** EAP_MSCHAPV2_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/eap_radius/Makefile.am b/src/libcharon/plugins/eap_radius/Makefile.am
new file mode 100644
index 000000000..a3abd4124
--- /dev/null
+++ b/src/libcharon/plugins/eap_radius/Makefile.am
@@ -0,0 +1,19 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-eap-radius.la
+else
+plugin_LTLIBRARIES = libstrongswan-eap-radius.la
+endif
+
+libstrongswan_eap_radius_la_SOURCES = \
+	eap_radius_plugin.h eap_radius_plugin.c \
+	eap_radius.h eap_radius.c \
+	radius_client.h radius_client.c \
+	radius_message.h radius_message.c
+
+libstrongswan_eap_radius_la_LDFLAGS = -module -avoid-version
diff --git a/src/libcharon/plugins/eap_radius/Makefile.in b/src/libcharon/plugins/eap_radius/Makefile.in
new file mode 100644
index 000000000..18427adef
--- /dev/null
+++ b/src/libcharon/plugins/eap_radius/Makefile.in
@@ -0,0 +1,594 @@
+# Makefile.in generated by automake 1.11 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libcharon/plugins/eap_radius
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_eap_radius_la_LIBADD =
+am_libstrongswan_eap_radius_la_OBJECTS = eap_radius_plugin.lo \
+	eap_radius.lo radius_client.lo radius_message.lo
+libstrongswan_eap_radius_la_OBJECTS =  \
+	$(am_libstrongswan_eap_radius_la_OBJECTS)
+libstrongswan_eap_radius_la_LINK = $(LIBTOOL) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_eap_radius_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_eap_radius_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_eap_radius_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_eap_radius_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_eap_radius_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libhydra_plugins = @libhydra_plugins@
+libstrongswan_plugins = @libstrongswan_plugins@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-eap-radius.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-eap-radius.la
+libstrongswan_eap_radius_la_SOURCES = \
+	eap_radius_plugin.h eap_radius_plugin.c \
+	eap_radius.h eap_radius.c \
+	radius_client.h radius_client.c \
+	radius_message.h radius_message.c
+
+libstrongswan_eap_radius_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/eap_radius/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libcharon/plugins/eap_radius/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-eap-radius.la: $(libstrongswan_eap_radius_la_OBJECTS) $(libstrongswan_eap_radius_la_DEPENDENCIES) 
+	$(libstrongswan_eap_radius_la_LINK) $(am_libstrongswan_eap_radius_la_rpath) $(libstrongswan_eap_radius_la_OBJECTS) $(libstrongswan_eap_radius_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_radius.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_radius_plugin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/radius_client.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/radius_message.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libcharon/plugins/eap_radius/eap_radius.c b/src/libcharon/plugins/eap_radius/eap_radius.c
new file mode 100644
index 000000000..f041fda54
--- /dev/null
+++ b/src/libcharon/plugins/eap_radius/eap_radius.c
@@ -0,0 +1,312 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_radius.h"
+
+#include "radius_message.h"
+#include "radius_client.h"
+
+#include <daemon.h>
+
+typedef struct private_eap_radius_t private_eap_radius_t;
+
+/**
+ * Private data of an eap_radius_t object.
+ */
+struct private_eap_radius_t {
+
+	/**
+	 * Public authenticator_t interface.
+	 */
+	eap_radius_t public;
+
+	/**
+	 * ID of the server
+	 */
+	identification_t *server;
+
+	/**
+	 * ID of the peer
+	 */
+	identification_t *peer;
+
+	/**
+	 * EAP method type we are proxying
+	 */
+	eap_type_t type;
+
+	/**
+	 * EAP vendor, if any
+	 */
+	u_int32_t vendor;
+
+	/**
+	 * EAP MSK, if method established one
+	 */
+	chunk_t msk;
+
+	/**
+	 * RADIUS client instance
+	 */
+	radius_client_t *client;
+
+	/**
+	 * TRUE to use EAP-Start, FALSE to send EAP-Identity Response directly
+	 */
+	bool eap_start;
+
+	/**
+	 * Prefix to prepend to EAP identity
+	 */
+	char *id_prefix;
+};
+
+/**
+ * Add EAP-Identity to RADIUS message
+ */
+static void add_eap_identity(private_eap_radius_t *this,
+							 radius_message_t *request)
+{
+	struct {
+		/** EAP code (REQUEST/RESPONSE) */
+		u_int8_t code;
+		/** unique message identifier */
+		u_int8_t identifier;
+		/** length of whole message */
+		u_int16_t length;
+		/** EAP type */
+		u_int8_t type;
+		/** identity data */
+		u_int8_t data[];
+	} __attribute__((__packed__)) *hdr;
+	chunk_t id, prefix;
+	size_t len;
+
+	id = this->peer->get_encoding(this->peer);
+	prefix = chunk_create(this->id_prefix, strlen(this->id_prefix));
+	len = sizeof(*hdr) + prefix.len + id.len;
+
+	hdr = alloca(len);
+	hdr->code = EAP_RESPONSE;
+	hdr->identifier = 0;
+	hdr->length = htons(len);
+	hdr->type = EAP_IDENTITY;
+	memcpy(hdr->data, prefix.ptr, prefix.len);
+	memcpy(hdr->data + prefix.len, id.ptr, id.len);
+
+	request->add(request, RAT_EAP_MESSAGE, chunk_create((u_char*)hdr, len));
+}
+
+/**
+ * Copy EAP-Message attribute from RADIUS message to an new EAP payload
+ */
+static bool radius2ike(private_eap_radius_t *this,
+					   radius_message_t *msg, eap_payload_t **out)
+{
+	enumerator_t *enumerator;
+	eap_payload_t *payload;
+	chunk_t data, message = chunk_empty;
+	int type;
+
+	enumerator = msg->create_enumerator(msg);
+	while (enumerator->enumerate(enumerator, &type, &data))
+	{
+		if (type == RAT_EAP_MESSAGE && data.len)
+		{
+			message = chunk_cat("mc", message, data);
+		}
+	}
+	enumerator->destroy(enumerator);
+	if (message.len)
+	{
+		*out = payload = eap_payload_create_data(message);
+		free(message.ptr);
+		/* apply EAP method selected by RADIUS server */
+		this->type = payload->get_type(payload, &this->vendor);
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/**
+ * Implementation of eap_method_t.initiate
+ */
+static status_t initiate(private_eap_radius_t *this, eap_payload_t **out)
+{
+	radius_message_t *request, *response;
+	status_t status = FAILED;
+	chunk_t username;
+
+	request = radius_message_create_request();
+	username = chunk_create(this->id_prefix, strlen(this->id_prefix));
+	username = chunk_cata("cc", username, this->peer->get_encoding(this->peer));
+	request->add(request, RAT_USER_NAME, username);
+
+	if (this->eap_start)
+	{
+		request->add(request, RAT_EAP_MESSAGE, chunk_empty);
+	}
+	else
+	{
+		add_eap_identity(this, request);
+	}
+
+	response = this->client->request(this->client, request);
+	if (response)
+	{
+		if (radius2ike(this, response, out))
+		{
+			status = NEED_MORE;
+		}
+		response->destroy(response);
+	}
+	request->destroy(request);
+	return status;
+}
+
+/**
+ * Implementation of eap_method_t.process
+ */
+static status_t process(private_eap_radius_t *this,
+						eap_payload_t *in, eap_payload_t **out)
+{
+	radius_message_t *request, *response;
+	status_t status = FAILED;
+	chunk_t data;
+
+	request = radius_message_create_request();
+	request->add(request, RAT_USER_NAME, this->peer->get_encoding(this->peer));
+	data = in->get_data(in);
+	/* fragment data suitable for RADIUS (not more than 253 bytes) */
+	while (data.len > 253)
+	{
+		request->add(request, RAT_EAP_MESSAGE, chunk_create(data.ptr, 253));
+		data = chunk_skip(data, 253);
+	}
+	request->add(request, RAT_EAP_MESSAGE, data);
+
+	response = this->client->request(this->client, request);
+	if (response)
+	{
+		switch (response->get_code(response))
+		{
+			case RMC_ACCESS_CHALLENGE:
+				if (radius2ike(this, response, out))
+				{
+					status = NEED_MORE;
+					break;
+				}
+				status = FAILED;
+				break;
+			case RMC_ACCESS_ACCEPT:
+				this->msk = this->client->decrypt_msk(this->client,
+													  response, request);
+				status = SUCCESS;
+				break;
+			case RMC_ACCESS_REJECT:
+			default:
+				DBG1(DBG_CFG, "received %N from RADIUS server",
+					 radius_message_code_names, response->get_code(response));
+				status = FAILED;
+				break;
+		}
+		response->destroy(response);
+	}
+	request->destroy(request);
+	return status;
+}
+
+/**
+ * Implementation of eap_method_t.get_type.
+ */
+static eap_type_t get_type(private_eap_radius_t *this, u_int32_t *vendor)
+{
+	*vendor = this->vendor;
+	return this->type;
+}
+
+/**
+ * Implementation of eap_method_t.get_msk.
+ */
+static status_t get_msk(private_eap_radius_t *this, chunk_t *msk)
+{
+	if (this->msk.ptr)
+	{
+		*msk = this->msk;
+		return SUCCESS;
+	}
+	return FAILED;
+}
+
+/**
+ * Implementation of eap_method_t.is_mutual.
+ */
+static bool is_mutual(private_eap_radius_t *this)
+{
+	switch (this->type)
+	{
+		case EAP_AKA:
+		case EAP_SIM:
+			return TRUE;
+		default:
+			return FALSE;
+	}
+}
+
+/**
+ * Implementation of eap_method_t.destroy.
+ */
+static void destroy(private_eap_radius_t *this)
+{
+	this->peer->destroy(this->peer);
+	this->server->destroy(this->server);
+	this->client->destroy(this->client);
+	chunk_clear(&this->msk);
+	free(this);
+}
+
+/**
+ * Generic constructor
+ */
+eap_radius_t *eap_radius_create(identification_t *server, identification_t *peer)
+{
+	private_eap_radius_t *this = malloc_thing(private_eap_radius_t);
+
+	this->public.eap_method_interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate;
+	this->public.eap_method_interface.process = (status_t(*)(eap_method_t*,eap_payload_t*,eap_payload_t**))process;
+	this->public.eap_method_interface.get_type = (eap_type_t(*)(eap_method_t*,u_int32_t*))get_type;
+	this->public.eap_method_interface.is_mutual = (bool(*)(eap_method_t*))is_mutual;
+	this->public.eap_method_interface.get_msk = (status_t(*)(eap_method_t*,chunk_t*))get_msk;
+	this->public.eap_method_interface.destroy = (void(*)(eap_method_t*))destroy;
+
+	this->client = radius_client_create();
+	if (!this->client)
+	{
+		free(this);
+		return NULL;
+	}
+	this->peer = peer->clone(peer);
+	this->server = server->clone(server);
+	/* initially EAP_RADIUS, but is set to the method selected by RADIUS */
+	this->type = EAP_RADIUS;
+	this->vendor = 0;
+	this->msk = chunk_empty;
+	this->eap_start = lib->settings->get_bool(lib->settings,
+								"charon.plugins.eap-radius.eap_start", FALSE);
+	this->id_prefix = lib->settings->get_str(lib->settings,
+								"charon.plugins.eap-radius.id_prefix", "");
+	return &this->public;
+}
+
diff --git a/src/libcharon/plugins/eap_radius/eap_radius.h b/src/libcharon/plugins/eap_radius/eap_radius.h
new file mode 100644
index 000000000..8eb9e8c2d
--- /dev/null
+++ b/src/libcharon/plugins/eap_radius/eap_radius.h
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_radius_i eap_radius
+ * @{ @ingroup eap_radius
+ */
+
+#ifndef EAP_RADIUS_H_
+#define EAP_RADIUS_H_
+
+typedef struct eap_radius_t eap_radius_t;
+
+#include <sa/authenticators/eap/eap_method.h>
+
+/**
+ * Implementation of the eap_method_t interface using a RADIUS server.
+ */
+struct eap_radius_t {
+
+	/**
+	 * Implemented eap_method_t interface.
+	 */
+	eap_method_t eap_method_interface;
+};
+
+/**
+ * Create a EAP RADIUS proxy.
+ *
+ * @param server	ID of the EAP server
+ * @param peer		ID of the EAP client
+ * @return			eap_radius_t object
+ */
+eap_radius_t *eap_radius_create(identification_t *server, identification_t *peer);
+
+#endif /** EAP_RADIUS_H_ @}*/
diff --git a/src/libcharon/plugins/eap_radius/eap_radius_plugin.c b/src/libcharon/plugins/eap_radius/eap_radius_plugin.c
new file mode 100644
index 000000000..7d2788c3e
--- /dev/null
+++ b/src/libcharon/plugins/eap_radius/eap_radius_plugin.c
@@ -0,0 +1,54 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_radius_plugin.h"
+
+#include "eap_radius.h"
+#include "radius_client.h"
+
+#include <daemon.h>
+
+/**
+ * Implementation of plugin_t.destroy
+ */
+static void destroy(eap_radius_plugin_t *this)
+{
+	charon->eap->remove_method(charon->eap, (eap_constructor_t)eap_radius_create);
+	radius_client_cleanup();
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *eap_radius_plugin_create()
+{
+	eap_radius_plugin_t *this;
+
+	if (!radius_client_init())
+	{
+		DBG1(DBG_CFG, "RADIUS plugin initialization failed");
+		return NULL;
+	}
+
+	this = malloc_thing(eap_radius_plugin_t);
+	this->plugin.destroy = (void(*)(plugin_t*))destroy;
+
+	charon->eap->add_method(charon->eap, EAP_RADIUS, 0,
+							EAP_SERVER, (eap_constructor_t)eap_radius_create);
+
+	return &this->plugin;
+}
+
diff --git a/src/libcharon/plugins/eap_radius/eap_radius_plugin.h b/src/libcharon/plugins/eap_radius/eap_radius_plugin.h
new file mode 100644
index 000000000..f2b8b5082
--- /dev/null
+++ b/src/libcharon/plugins/eap_radius/eap_radius_plugin.h
@@ -0,0 +1,45 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_radius eap_radius
+ * @ingroup cplugins
+ *
+ * @defgroup eap_radius_plugin eap_radius_plugin
+ * @{ @ingroup eap_radius
+ */
+
+#ifndef EAP_RADIUS_PLUGIN_H_
+#define EAP_RADIUS_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct eap_radius_plugin_t eap_radius_plugin_t;
+
+/**
+ * EAP RADIUS proxy plugin.
+ *
+ * This plugin provides not a single EAP method, but a proxy to forwared
+ * EAP packets to a RADIUS server. It only provides server implementations.
+ */
+struct eap_radius_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+#endif /** EAP_RADIUS_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/eap_radius/radius_client.c b/src/libcharon/plugins/eap_radius/radius_client.c
new file mode 100644
index 000000000..1d1f21742
--- /dev/null
+++ b/src/libcharon/plugins/eap_radius/radius_client.c
@@ -0,0 +1,495 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "radius_client.h"
+
+#include <unistd.h>
+#include <errno.h>
+
+#include <daemon.h>
+#include <utils/host.h>
+#include <utils/linked_list.h>
+#include <threading/condvar.h>
+#include <threading/mutex.h>
+
+/**
+ * Default RADIUS server port, when not configured
+ */
+#define RADIUS_PORT 1812
+
+/**
+ * Vendor-Id of Microsoft specific attributes
+ */
+#define VENDOR_ID_MICROSOFT 311
+
+/**
+ * Microsoft specific vendor attributes
+ */
+#define MS_MPPE_SEND_KEY 16
+#define MS_MPPE_RECV_KEY 17
+
+typedef struct private_radius_client_t private_radius_client_t;
+
+typedef struct entry_t entry_t;
+
+/**
+ * A socket pool entry.
+ */
+struct entry_t {
+	/** socket file descriptor */
+	int fd;
+	/** current RADIUS identifier */
+	u_int8_t identifier;
+	/** hasher to use for response verification */
+	hasher_t *hasher;
+	/** HMAC-MD5 signer to build Message-Authenticator attribute */
+	signer_t *signer;
+	/** random number generator for RADIUS request authenticator */
+	rng_t *rng;
+};
+
+/**
+ * Private data of an radius_client_t object.
+ */
+struct private_radius_client_t {
+
+	/**
+	 * Public radius_client_t interface.
+	 */
+	radius_client_t public;
+
+	/**
+	 * RADIUS servers State attribute
+	 */
+	chunk_t state;
+};
+
+/**
+ * Global list of radius sockets, contains entry_t's
+ */
+static linked_list_t *sockets;
+
+/**
+ * mutex to lock sockets list
+ */
+static mutex_t *mutex;
+
+/**
+ * condvar to wait for sockets
+ */
+static condvar_t *condvar;
+
+/**
+ * RADIUS secret
+ */
+static chunk_t secret;
+
+/**
+ * NAS-Identifier
+ */
+static chunk_t nas_identifier;
+
+/**
+ * Clean up socket list
+ */
+void radius_client_cleanup()
+{
+	entry_t *entry;
+
+	mutex->destroy(mutex);
+	condvar->destroy(condvar);
+	while (sockets->remove_last(sockets, (void**)&entry) == SUCCESS)
+	{
+		entry->rng->destroy(entry->rng);
+		entry->hasher->destroy(entry->hasher);
+		entry->signer->destroy(entry->signer);
+		close(entry->fd);
+		free(entry);
+	}
+	sockets->destroy(sockets);
+}
+
+/**
+ * Initialize the socket list
+ */
+bool radius_client_init()
+{
+	int i, count, fd;
+	u_int16_t port;
+	entry_t *entry;
+	host_t *host;
+	char *server;
+
+	nas_identifier.ptr = lib->settings->get_str(lib->settings,
+					"charon.plugins.eap-radius.nas_identifier", "strongSwan");
+	nas_identifier.len = strlen(nas_identifier.ptr);
+
+	secret.ptr = lib->settings->get_str(lib->settings,
+					"charon.plugins.eap-radius.secret", NULL);
+	if (!secret.ptr)
+	{
+		DBG1(DBG_CFG, "no RADUIS secret defined");
+		return FALSE;
+	}
+	secret.len = strlen(secret.ptr);
+	server = lib->settings->get_str(lib->settings,
+					"charon.plugins.eap-radius.server", NULL);
+	if (!server)
+	{
+		DBG1(DBG_CFG, "no RADUIS server defined");
+		return FALSE;
+	}
+	port = lib->settings->get_int(lib->settings,
+					"charon.plugins.eap-radius.port", RADIUS_PORT);
+	host = host_create_from_dns(server, 0, port);
+	if (!host)
+	{
+		return FALSE;
+	}
+	count = lib->settings->get_int(lib->settings,
+					"charon.plugins.eap-radius.sockets", 1);
+
+	sockets = linked_list_create();
+	mutex = mutex_create(MUTEX_TYPE_DEFAULT);
+	condvar = condvar_create(CONDVAR_TYPE_DEFAULT);
+	for (i = 0; i < count; i++)
+	{
+		fd = socket(host->get_family(host), SOCK_DGRAM, IPPROTO_UDP);
+		if (fd < 0)
+		{
+			DBG1(DBG_CFG, "opening RADIUS socket failed");
+			host->destroy(host);
+			radius_client_cleanup();
+			return FALSE;
+		}
+		if (connect(fd, host->get_sockaddr(host),
+					*host->get_sockaddr_len(host)) < 0)
+		{
+			DBG1(DBG_CFG, "connecting RADIUS socket failed");
+			host->destroy(host);
+			radius_client_cleanup();
+			return FALSE;
+		}
+		entry = malloc_thing(entry_t);
+		entry->fd = fd;
+		/* we use per-socket crypto elements: this reduces overhead, but
+		 * is still thread-save. */
+		entry->hasher = lib->crypto->create_hasher(lib->crypto, HASH_MD5);
+		entry->signer = lib->crypto->create_signer(lib->crypto, AUTH_HMAC_MD5_128);
+		entry->rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
+		if (!entry->hasher || !entry->signer || !entry->rng)
+		{
+			DBG1(DBG_CFG, "RADIUS initialization failed, HMAC/MD5/RNG required");
+			DESTROY_IF(entry->hasher);
+			DESTROY_IF(entry->signer);
+			DESTROY_IF(entry->rng);
+			free(entry);
+			host->destroy(host);
+			radius_client_cleanup();
+			return FALSE;
+		}
+		entry->signer->set_key(entry->signer, secret);
+		/* we use a random identifier, helps if we restart often (testing) */
+		entry->identifier = random();
+		sockets->insert_last(sockets, entry);
+	}
+	host->destroy(host);
+	return TRUE;
+}
+
+/**
+ * Get a socket from the pool, block if none available
+ */
+static entry_t* get_socket()
+{
+	entry_t *entry;
+
+	mutex->lock(mutex);
+	while (sockets->remove_first(sockets, (void**)&entry) != SUCCESS)
+	{
+		condvar->wait(condvar, mutex);
+	}
+	mutex->unlock(mutex);
+	return entry;
+}
+
+/**
+ * Release a socket to the pool
+ */
+static void put_socket(entry_t *entry)
+{
+	mutex->lock(mutex);
+	sockets->insert_last(sockets, entry);
+	mutex->unlock(mutex);
+	condvar->signal(condvar);
+}
+
+/**
+ * Save the state attribute to include in further request
+ */
+static void save_state(private_radius_client_t *this, radius_message_t *msg)
+{
+	enumerator_t *enumerator;
+	int type;
+	chunk_t data;
+
+	enumerator = msg->create_enumerator(msg);
+	while (enumerator->enumerate(enumerator, &type, &data))
+	{
+		if (type == RAT_STATE)
+		{
+			free(this->state.ptr);
+			this->state = chunk_clone(data);
+			enumerator->destroy(enumerator);
+			return;
+		}
+	}
+	enumerator->destroy(enumerator);
+	/* no state attribute found, remove state */
+	chunk_free(&this->state);
+}
+
+/**
+ * Implementation of radius_client_t.request
+ */
+static radius_message_t* request(private_radius_client_t *this,
+								 radius_message_t *req)
+{
+	char virtual[] = {0x00,0x00,0x00,0x05};
+	entry_t *socket;
+	chunk_t data;
+	int i;
+
+	socket = get_socket();
+
+	/* set Message Identifier */
+	req->set_identifier(req, socket->identifier++);
+	/* we add the "Virtual" NAS-Port-Type, as we SHOULD include one */
+	req->add(req, RAT_NAS_PORT_TYPE, chunk_create(virtual, sizeof(virtual)));
+	/* add our NAS-Identifier */
+	req->add(req, RAT_NAS_IDENTIFIER, nas_identifier);
+	/* add State attribute, if server sent one */
+	if (this->state.ptr)
+	{
+		req->add(req, RAT_STATE, this->state);
+	}
+	/* sign the request */
+	req->sign(req, socket->rng, socket->signer);
+
+	data = req->get_encoding(req);
+	/* timeout after 2, 3, 4, 5 seconds */
+	for (i = 2; i <= 5; i++)
+	{
+		radius_message_t *response;
+		bool retransmit = FALSE;
+		struct timeval tv;
+		char buf[4096];
+		fd_set fds;
+		int res;
+
+		if (send(socket->fd, data.ptr, data.len, 0) != data.len)
+		{
+			DBG1(DBG_CFG, "sending RADIUS message failed: %s", strerror(errno));
+			put_socket(socket);
+			return NULL;
+		}
+		tv.tv_sec = i;
+		tv.tv_usec = 0;
+
+		while (TRUE)
+		{
+			FD_ZERO(&fds);
+			FD_SET(socket->fd, &fds);
+			res = select(socket->fd + 1, &fds, NULL, NULL, &tv);
+			/* TODO: updated tv to time not waited. Linux does this for us. */
+			if (res < 0)
+			{	/* failed */
+				DBG1(DBG_CFG, "waiting for RADIUS message failed: %s",
+					 strerror(errno));
+				break;
+			}
+			if (res == 0)
+			{	/* timeout */
+				DBG1(DBG_CFG, "retransmitting RADIUS message");
+				retransmit = TRUE;
+				break;
+			}
+			res = recv(socket->fd, buf, sizeof(buf), MSG_DONTWAIT);
+			if (res <= 0)
+			{
+				DBG1(DBG_CFG, "receiving RADIUS message failed: %s",
+					 strerror(errno));
+				break;
+			}
+			response = radius_message_parse_response(chunk_create(buf, res));
+			if (response)
+			{
+				if (response->verify(response, req->get_authenticator(req),
+							secret, socket->hasher, socket->signer))
+				{
+					save_state(this, response);
+					put_socket(socket);
+					return response;
+				}
+				response->destroy(response);
+			}
+			DBG1(DBG_CFG, "received invalid RADIUS message, ignored");
+		}
+		if (!retransmit)
+		{
+			break;
+		}
+	}
+	DBG1(DBG_CFG, "RADIUS server is not responding");
+	put_socket(socket);
+	charon->bus->alert(charon->bus, ALERT_RADIUS_NOT_RESPONDING);
+	return NULL;
+}
+
+/**
+ * Decrypt a MS-MPPE-Send/Recv-Key
+ */
+static chunk_t decrypt_mppe_key(private_radius_client_t *this, u_int16_t salt,
+								chunk_t C, radius_message_t *request)
+{
+	chunk_t A, R, P, seed;
+	u_char *c, *p;
+	hasher_t *hasher;
+
+	/**
+	 * From RFC2548 (encryption):
+	 * b(1) = MD5(S + R + A)    c(1) = p(1) xor b(1)   C = c(1)
+	 * b(2) = MD5(S + c(1))     c(2) = p(2) xor b(2)   C = C + c(2)
+	 *      . . .
+	 * b(i) = MD5(S + c(i-1))   c(i) = p(i) xor b(i)   C = C + c(i)
+	 */
+
+	if (C.len % HASH_SIZE_MD5 || C.len < HASH_SIZE_MD5)
+	{
+		return chunk_empty;
+	}
+
+	hasher = lib->crypto->create_hasher(lib->crypto, HASH_MD5);
+	if (!hasher)
+	{
+		return chunk_empty;
+	}
+
+	A = chunk_create((u_char*)&salt, sizeof(salt));
+	R = chunk_create(request->get_authenticator(request), HASH_SIZE_MD5);
+	P = chunk_alloca(C.len);
+	p = P.ptr;
+	c = C.ptr;
+
+	seed = chunk_cata("cc", R, A);
+
+	while (c < C.ptr + C.len)
+	{
+		/* b(i) = MD5(S + c(i-1)) */
+		hasher->get_hash(hasher, secret, NULL);
+		hasher->get_hash(hasher, seed, p);
+
+		/* p(i) = b(i) xor c(1) */
+		memxor(p, c, HASH_SIZE_MD5);
+
+		/* prepare next round */
+		seed = chunk_create(c, HASH_SIZE_MD5);
+		c += HASH_SIZE_MD5;
+		p += HASH_SIZE_MD5;
+	}
+	hasher->destroy(hasher);
+
+	/* remove truncation, first byte is key length */
+	if (*P.ptr >= P.len)
+	{	/* decryption failed? */
+		return chunk_empty;
+	}
+	return chunk_clone(chunk_create(P.ptr + 1, *P.ptr));
+}
+
+/**
+ * Implementation of radius_client_t.decrypt_msk
+ */
+static chunk_t decrypt_msk(private_radius_client_t *this,
+						   radius_message_t *response, radius_message_t *request)
+{
+	struct {
+		u_int32_t id;
+		u_int8_t type;
+		u_int8_t length;
+		u_int16_t salt;
+		u_int8_t key[];
+	} __attribute__((packed)) *mppe_key;
+	enumerator_t *enumerator;
+	chunk_t data, send = chunk_empty, recv = chunk_empty;
+	int type;
+
+	enumerator = response->create_enumerator(response);
+	while (enumerator->enumerate(enumerator, &type, &data))
+	{
+		if (type == RAT_VENDOR_SPECIFIC &&
+			data.len > sizeof(*mppe_key))
+		{
+			mppe_key = (void*)data.ptr;
+			if (ntohl(mppe_key->id) == VENDOR_ID_MICROSOFT &&
+				mppe_key->length == data.len - sizeof(mppe_key->id))
+			{
+				data = chunk_create(mppe_key->key, data.len - sizeof(*mppe_key));
+				if (mppe_key->type == MS_MPPE_SEND_KEY)
+				{
+					send = decrypt_mppe_key(this, mppe_key->salt, data, request);
+				}
+				if (mppe_key->type == MS_MPPE_RECV_KEY)
+				{
+					recv = decrypt_mppe_key(this, mppe_key->salt, data, request);
+				}
+			}
+		}
+	}
+	enumerator->destroy(enumerator);
+	if (send.ptr && recv.ptr)
+	{
+		return chunk_cat("mm", recv, send);
+	}
+	chunk_clear(&send);
+	chunk_clear(&recv);
+	return chunk_empty;
+}
+
+/**
+ * Implementation of radius_client_t.destroy.
+ */
+static void destroy(private_radius_client_t *this)
+{
+	free(this->state.ptr);
+	free(this);
+}
+
+/**
+ * See header
+ */
+radius_client_t *radius_client_create()
+{
+	private_radius_client_t *this = malloc_thing(private_radius_client_t);
+
+	this->public.request = (radius_message_t*(*)(radius_client_t*, radius_message_t *msg))request;
+	this->public.decrypt_msk = (chunk_t(*)(radius_client_t*, radius_message_t *, radius_message_t *))decrypt_msk;
+	this->public.destroy = (void(*)(radius_client_t*))destroy;
+
+	this->state = chunk_empty;
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/plugins/eap_radius/radius_client.h b/src/libcharon/plugins/eap_radius/radius_client.h
new file mode 100644
index 000000000..77ba94807
--- /dev/null
+++ b/src/libcharon/plugins/eap_radius/radius_client.h
@@ -0,0 +1,88 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup radius_client radius_client
+ * @{ @ingroup eap_radius
+ */
+
+#ifndef RADIUS_CLIENT_H_
+#define RADIUS_CLIENT_H_
+
+#include "radius_message.h"
+
+typedef struct radius_client_t radius_client_t;
+
+/**
+ * RADIUS client functionality.
+ *
+ * To communicate with a RADIUS server, create a client and send messages over
+ * it. All instances share a fixed size pool of sockets. The client reserves
+ * a socket during request() and releases it afterwards.
+ */
+struct radius_client_t {
+
+	/**
+	 * Send a RADIUS request and wait for the response.
+	 *
+	 * The client fills in RADIUS Message identifier, NAS-Identifier,
+	 * NAS-Port-Type, builds a Request-Authenticator and calculates the
+	 * Message-Authenticator attribute.
+	 * The received response gets verified using the Response-Identifier
+	 * and the Message-Authenticator attribute.
+	 *
+	 * @param msg			RADIUS request message to send
+	 * @return				response, NULL if timed out/verification failed
+	 */
+	radius_message_t* (*request)(radius_client_t *this, radius_message_t *msg);
+
+	/**
+	 * Decrypt the MSK encoded in a messages MS-MPPE-Send/Recv-Key.
+	 *
+	 * @param response		RADIUS response message containing attributes
+	 * @param request		associated RADIUS request message
+	 * @return				allocated MSK, empty chunk if none found
+	 */
+	chunk_t (*decrypt_msk)(radius_client_t *this, radius_message_t *response,
+						   radius_message_t *request);
+
+	/**
+	 * Destroy the client, release the socket.
+	 */
+	void (*destroy)(radius_client_t *this);
+};
+
+/**
+ * Create a RADIUS client, acquire a socket.
+ *
+ * This call might block if the socket pool is empty.
+ *
+ * @return			radius_client_t object
+ */
+radius_client_t *radius_client_create();
+
+/**
+ * Initialize the socket pool.
+ *
+ * @return 			TRUE if initialization successful
+ */
+bool radius_client_init();
+
+/**
+ * Cleanup the socket pool.
+ */
+void radius_client_cleanup();
+
+#endif /** RADIUS_CLIENT_H_ @}*/
diff --git a/src/libcharon/plugins/eap_radius/radius_message.c b/src/libcharon/plugins/eap_radius/radius_message.c
new file mode 100644
index 000000000..11a1d8dfc
--- /dev/null
+++ b/src/libcharon/plugins/eap_radius/radius_message.c
@@ -0,0 +1,476 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "radius_message.h"
+
+#include <daemon.h>
+#include <crypto/hashers/hasher.h>
+
+typedef struct private_radius_message_t private_radius_message_t;
+typedef struct rmsg_t rmsg_t;
+typedef struct rattr_t rattr_t;
+
+/**
+ * RADIUS message header
+ */
+struct rmsg_t {
+	/** message code, radius_message_code_t */
+	u_int8_t code;
+	/** message identifier */
+	u_int8_t identifier;
+	/** length of Code, Identifier, Length, Authenticator and Attributes */
+	u_int16_t length;
+	/** message authenticator, MD5 hash */
+	u_int8_t authenticator[HASH_SIZE_MD5];
+	/** variable list of packed attributes */
+	u_int8_t attributes[];
+} __attribute__((packed));
+
+/**
+ * RADIUS message attribute.
+ */
+struct rattr_t {
+	/** attribute type, radius_attribute_type_t */
+	u_int8_t type;
+	/** length of the attriubte, including the Type, Length and Value fields */
+	u_int8_t length;
+	/** variable length attribute value */
+	u_int8_t value[];
+} __attribute__((packed));
+
+/**
+ * Private data of an radius_message_t object.
+ */
+struct private_radius_message_t {
+
+	/**
+	 * Public radius_message_t interface.
+	 */
+	radius_message_t public;
+
+	/**
+	 * message data, allocated
+	 */
+	rmsg_t *msg;
+};
+
+ENUM_BEGIN(radius_message_code_names, RMC_ACCESS_REQUEST, RMC_ACCOUNTING_RESPONSE,
+	"Access-Request",
+	"Access-Accept",
+	"Access-Reject",
+	"Accounting-Request",
+	"Accounting-Response");
+ENUM_NEXT(radius_message_code_names, RMC_ACCESS_CHALLENGE, RMC_ACCESS_CHALLENGE, RMC_ACCOUNTING_RESPONSE,
+	"Access-Challenge");
+ENUM_END(radius_message_code_names, RMC_ACCESS_CHALLENGE);
+
+ENUM(radius_attribute_type_names, RAT_USER_NAME, RAT_MIP6_HOME_LINK_PREFIX,
+	"User-Name",
+	"User-Password",
+	"CHAP-Password",
+	"NAS-IP-Address",
+	"NAS-Port",
+	"Service-Type",
+	"Framed-Protocol",
+	"Framed-IP-Address",
+	"Framed-IP-Netmask",
+	"Framed-Routing",
+	"Filter-Id",
+	"Framed-MTU",
+	"Framed-Compression",
+	"Login-IP-Host",
+	"Login-Service",
+	"Login-TCP-Port",
+	"Unassigned",
+	"Reply-Message",
+	"Callback-Number",
+	"Callback-Id",
+	"Unassigned",
+	"Framed-Route",
+	"Framed-IPX-Network",
+	"State",
+	"Class",
+	"Vendor-Specific",
+	"Session-Timeout",
+	"Idle-Timeout",
+	"Termination-Action",
+	"Called-Station-Id",
+	"Calling-Station-Id",
+	"NAS-Identifier",
+	"Proxy-State",
+	"Login-LAT-Service",
+	"Login-LAT-Node",
+	"Login-LAT-Group",
+	"Framed-AppleTalk-Link",
+	"Framed-AppleTalk-Network",
+	"Framed-AppleTalk-Zone",
+	"Acct-Status-Type",
+	"Acct-Delay-Time",
+	"Acct-Input-Octets",
+	"Acct-Output-Octets",
+	"Acct-Session-Id",
+	"Acct-Authentic",
+	"Acct-Session-Time",
+	"Acct-Input-Packets",
+	"Acct-Output-Packets",
+	"Acct-Terminate-Cause",
+	"Acct-Multi-Session-Id",
+	"Acct-Link-Count",
+	"Acct-Input-Gigawords",
+	"Acct-Output-Gigawords",
+	"Unassigned",
+	"Event-Timestamp",
+	"Egress-VLANID",
+	"Ingress-Filters",
+	"Egress-VLAN-Name",
+	"User-Priority-Table",
+	"CHAP-Challenge",
+	"NAS-Port-Type",
+	"Port-Limit",
+	"Login-LAT-Port",
+	"Tunnel-Type",
+	"Tunnel-Medium-Type",
+	"Tunnel-Client-Endpoint",
+	"Tunnel-Server-Endpoint",
+	"Acct-Tunnel-Connection",
+	"Tunnel-Password",
+	"ARAP-Password",
+	"ARAP-Features",
+	"ARAP-Zone-Access",
+	"ARAP-Security",
+	"ARAP-Security-Data",
+	"Password-Retry",
+	"Prompt",
+	"Connect-Info",
+	"Configuration-Token",
+	"EAP-Message",
+	"Message-Authenticator",
+	"Tunnel-Private-Group-ID",
+	"Tunnel-Assignment-ID",
+	"Tunnel-Preference",
+	"ARAP-Challenge-Response",
+	"Acct-Interim-Interval",
+	"Acct-Tunnel-Packets-Lost",
+	"NAS-Port-Id",
+	"Framed-Pool",
+	"CUI",
+	"Tunnel-Client-Auth-ID",
+	"Tunnel-Server-Auth-ID",
+	"NAS-Filter-Rule",
+	"Unassigned",
+	"Originating-Line-Info",
+	"NAS-IPv6-Address",
+	"Framed-Interface-Id",
+	"Framed-IPv6-Prefix",
+	"Login-IPv6-Host",
+	"Framed-IPv6-Route",
+	"Framed-IPv6-Pool",
+	"Error-Cause",
+	"EAP-Key-Name",
+	"Digest-Response",
+	"Digest-Realm",
+	"Digest-Nonce",
+	"Digest-Response-Auth",
+	"Digest-Nextnonce",
+	"Digest-Method",
+	"Digest-URI",
+	"Digest-Qop",
+	"Digest-Algorithm",
+	"Digest-Entity-Body-Hash",
+	"Digest-CNonce",
+	"Digest-Nonce-Count",
+	"Digest-Username",
+	"Digest-Opaque",
+	"Digest-Auth-Param",
+	"Digest-AKA-Auts",
+	"Digest-Domain",
+	"Digest-Stale",
+	"Digest-HA1",
+	"SIP-AOR",
+	"Delegated-IPv6-Prefix",
+	"MIP6-Feature-Vector",
+	"MIP6-Home-Link-Prefix");
+
+/**
+ * Attribute enumerator implementation
+ */
+typedef struct {
+	/** implements enumerator interface */
+	enumerator_t public;
+	/** currently pointing attribute */
+	rattr_t *next;
+	/** bytes left */
+	int left;
+} attribute_enumerator_t;
+
+
+/**
+ * Implementation of attribute_enumerator_t.enumerate
+ */
+static bool attribute_enumerate(attribute_enumerator_t *this,
+								int *type, chunk_t *data)
+
+{
+	if (this->left == 0)
+	{
+		return FALSE;
+	}
+	if (this->left < sizeof(rattr_t) ||
+		this->left < this->next->length)
+	{
+		DBG1(DBG_IKE, "RADIUS message truncated");
+		return FALSE;
+	}
+	*type = this->next->type;
+	data->ptr = this->next->value;
+	data->len = this->next->length - sizeof(rattr_t);
+	this->left -= this->next->length;
+	this->next = ((void*)this->next) + this->next->length;
+	return TRUE;
+}
+
+/**
+ * Implementation of radius_message_t.create_enumerator
+ */
+static enumerator_t* create_enumerator(private_radius_message_t *this)
+{
+	attribute_enumerator_t *e;
+
+	if (ntohs(this->msg->length) < sizeof(rmsg_t) + sizeof(rattr_t))
+	{
+		return enumerator_create_empty();
+	}
+
+	e = malloc_thing(attribute_enumerator_t);
+	e->public.enumerate = (void*)attribute_enumerate;
+	e->public.destroy = (void*)free;
+	e->next = (rattr_t*)this->msg->attributes;
+	e->left = ntohs(this->msg->length) - sizeof(rmsg_t);
+	return &e->public;
+}
+
+/**
+ * Implementation of radius_message_t.add
+ */
+static void add(private_radius_message_t *this, radius_attribute_type_t type,
+				chunk_t data)
+{
+	rattr_t *attribute;
+
+	data.len = min(data.len, 253);
+	this->msg = realloc(this->msg,
+						ntohs(this->msg->length) + sizeof(rattr_t) + data.len);
+	attribute = ((void*)this->msg) + ntohs(this->msg->length);
+	attribute->type = type;
+	attribute->length = data.len + sizeof(rattr_t);
+	memcpy(attribute->value, data.ptr, data.len);
+	this->msg->length = htons(ntohs(this->msg->length) + attribute->length);
+}
+
+/**
+ * Implementation of radius_message_t.sign
+ */
+static void sign(private_radius_message_t *this, rng_t *rng, signer_t *signer)
+{
+	char buf[HASH_SIZE_MD5];
+
+	/* build Request-Authenticator */
+	rng->get_bytes(rng, HASH_SIZE_MD5, this->msg->authenticator);
+
+	/* build Message-Authenticator attribute, using 16 null bytes */
+	memset(buf, 0, sizeof(buf));
+	add(this, RAT_MESSAGE_AUTHENTICATOR, chunk_create(buf, sizeof(buf)));
+	signer->get_signature(signer,
+				chunk_create((u_char*)this->msg, ntohs(this->msg->length)),
+				((u_char*)this->msg) + ntohs(this->msg->length) - HASH_SIZE_MD5);
+}
+
+/**
+ * Implementation of radius_message_t.verify
+ */
+static bool verify(private_radius_message_t *this, u_int8_t *req_auth,
+				   chunk_t secret, hasher_t *hasher, signer_t *signer)
+{
+	char buf[HASH_SIZE_MD5], res_auth[HASH_SIZE_MD5];
+	enumerator_t *enumerator;
+	int type;
+	chunk_t data, msg;
+	bool has_eap = FALSE, has_auth = FALSE;
+
+	/* replace Response by Request Authenticator for verification */
+	memcpy(res_auth, this->msg->authenticator, HASH_SIZE_MD5);
+	memcpy(this->msg->authenticator, req_auth, HASH_SIZE_MD5);
+	msg = chunk_create((u_char*)this->msg, ntohs(this->msg->length));
+
+	/* verify Response-Authenticator */
+	hasher->get_hash(hasher, msg, NULL);
+	hasher->get_hash(hasher, secret, buf);
+	if (!memeq(buf, res_auth, HASH_SIZE_MD5))
+	{
+		DBG1(DBG_CFG, "RADIUS Response-Authenticator verification failed");
+		return FALSE;
+	}
+
+	/* verify Message-Authenticator attribute */
+	enumerator = create_enumerator(this);
+	while (enumerator->enumerate(enumerator, &type, &data))
+	{
+		if (type == RAT_MESSAGE_AUTHENTICATOR)
+		{
+			if (data.len != HASH_SIZE_MD5)
+			{
+				DBG1(DBG_CFG, "RADIUS Message-Authenticator invalid length");
+				enumerator->destroy(enumerator);
+				return FALSE;
+			}
+			memcpy(buf, data.ptr, data.len);
+			memset(data.ptr, 0, data.len);
+			if (signer->verify_signature(signer, msg,
+										 chunk_create(buf, sizeof(buf))))
+			{
+				/* restore Message-Authenticator */
+				memcpy(data.ptr, buf, data.len);
+				has_auth = TRUE;
+				break;
+			}
+			else
+			{
+				DBG1(DBG_CFG, "RADIUS Message-Authenticator verification failed");
+				enumerator->destroy(enumerator);
+				return FALSE;
+			}
+		}
+		else if (type == RAT_EAP_MESSAGE)
+		{
+			has_eap = TRUE;
+		}
+	}
+	enumerator->destroy(enumerator);
+	/* restore Response-Authenticator */
+	memcpy(this->msg->authenticator, res_auth, HASH_SIZE_MD5);
+
+	if (has_eap && !has_auth)
+	{	/* Message-Authenticator is required if we have an EAP-Message */
+		DBG1(DBG_CFG, "RADIUS Message-Authenticator attribute missing");
+		return FALSE;
+	}
+	return TRUE;
+}
+
+/**
+ * Implementation of radius_message_t.get_code
+ */
+static radius_message_code_t get_code(private_radius_message_t *this)
+{
+	return this->msg->code;
+}
+
+/**
+ * Implementation of radius_message_t.get_identifier
+ */
+static u_int8_t get_identifier(private_radius_message_t *this)
+{
+	return this->msg->identifier;
+}
+
+/**
+ * Implementation of radius_message_t.set_identifier
+ */
+static void set_identifier(private_radius_message_t *this, u_int8_t identifier)
+{
+	this->msg->identifier = identifier;
+}
+
+/**
+ * Implementation of radius_message_t.get_authenticator
+ */
+static u_int8_t* get_authenticator(private_radius_message_t *this)
+{
+	return this->msg->authenticator;
+}
+
+
+/**
+ * Implementation of radius_message_t.get_encoding
+ */
+static chunk_t get_encoding(private_radius_message_t *this)
+{
+	return chunk_create((u_char*)this->msg, ntohs(this->msg->length));
+}
+
+/**
+ * Implementation of radius_message_t.destroy.
+ */
+static void destroy(private_radius_message_t *this)
+{
+	free(this->msg);
+	free(this);
+}
+
+/**
+ * Generic constructor
+ */
+static private_radius_message_t *radius_message_create()
+{
+	private_radius_message_t *this = malloc_thing(private_radius_message_t);
+
+	this->public.create_enumerator = (enumerator_t*(*)(radius_message_t*))create_enumerator;
+	this->public.add = (void(*)(radius_message_t*, radius_attribute_type_t,chunk_t))add;
+	this->public.get_code = (radius_message_code_t(*)(radius_message_t*))get_code;
+	this->public.get_identifier = (u_int8_t(*)(radius_message_t*))get_identifier;
+	this->public.set_identifier = (void(*)(radius_message_t*, u_int8_t identifier))set_identifier;
+	this->public.get_authenticator = (u_int8_t*(*)(radius_message_t*))get_authenticator;
+	this->public.get_encoding = (chunk_t(*)(radius_message_t*))get_encoding;
+	this->public.sign = (void(*)(radius_message_t*, rng_t *rng, signer_t *signer))sign;
+	this->public.verify = (bool(*)(radius_message_t*, u_int8_t *req_auth, chunk_t secret, hasher_t *hasher, signer_t *signer))verify;
+	this->public.destroy = (void(*)(radius_message_t*))destroy;
+
+	return this;
+}
+
+/**
+ * See header
+ */
+radius_message_t *radius_message_create_request()
+{
+	private_radius_message_t *this = radius_message_create();
+
+	this->msg = malloc_thing(rmsg_t);
+	this->msg->code = RMC_ACCESS_REQUEST;
+	this->msg->identifier = 0;
+	this->msg->length = htons(sizeof(rmsg_t));
+
+	return &this->public;
+}
+
+/**
+ * See header
+ */
+radius_message_t *radius_message_parse_response(chunk_t data)
+{
+	private_radius_message_t *this = radius_message_create();
+
+	this->msg = malloc(data.len);
+	memcpy(this->msg, data.ptr, data.len);
+	if (data.len < sizeof(rmsg_t) ||
+		ntohs(this->msg->length) != data.len)
+	{
+		DBG1(DBG_IKE, "RADIUS message has invalid length");
+		destroy(this);
+		return NULL;
+	}
+	return &this->public;
+}
+
diff --git a/src/libcharon/plugins/eap_radius/radius_message.h b/src/libcharon/plugins/eap_radius/radius_message.h
new file mode 100644
index 000000000..266839d3b
--- /dev/null
+++ b/src/libcharon/plugins/eap_radius/radius_message.h
@@ -0,0 +1,276 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup radius_message radius_message
+ * @{ @ingroup eap_radius
+ */
+
+#ifndef RADIUS_MESSAGE_H_
+#define RADIUS_MESSAGE_H_
+
+#include <library.h>
+
+typedef struct radius_message_t radius_message_t;
+typedef enum radius_message_code_t radius_message_code_t;
+typedef enum radius_attribute_type_t radius_attribute_type_t;
+
+/**
+ * RADIUS Message Codes.
+ */
+enum radius_message_code_t {
+	RMC_ACCESS_REQUEST = 1,
+	RMC_ACCESS_ACCEPT = 2,
+	RMC_ACCESS_REJECT = 3,
+	RMC_ACCOUNTING_REQUEST = 4,
+	RMC_ACCOUNTING_RESPONSE = 5,
+	RMC_ACCESS_CHALLENGE = 11,
+};
+
+/**
+ * Enum names for radius_attribute_type_t.
+ */
+extern enum_name_t *radius_message_code_names;
+
+/**
+ * RADIUS Attribute Types.
+ */
+enum radius_attribute_type_t {
+	RAT_USER_NAME = 1,
+	RAT_USER_PASSWORD = 2,
+	RAT_CHAP_PASSWORD = 3,
+	RAT_NAS_IP_ADDRESS = 4,
+	RAT_NAS_PORT = 5,
+	RAT_SERVICE_TYPE = 6,
+	RAT_FRAMED_PROTOCOL = 7,
+	RAT_FRAMED_IP_ADDRESS = 8,
+	RAT_FRAMED_IP_NETMASK = 9,
+	RAT_FRAMED_ROUTING = 10,
+	RAT_FILTER_ID = 11,
+	RAT_FRAMED_MTU = 12,
+	RAT_FRAMED_COMPRESSION = 13,
+	RAT_LOGIN_IP_HOST = 14,
+	RAT_LOGIN_SERVICE = 15,
+	RAT_LOGIN_TCP_PORT = 16,
+	RAT_REPLY_MESSAGE = 18,
+	RAT_CALLBACK_NUMBER = 19,
+	RAT_CALLBACK_ID = 20,
+	RAT_FRAMED_ROUTE = 22,
+	RAT_FRAMED_IPX_NETWORK = 23,
+	RAT_STATE = 24,
+	RAT_CLASS = 25,
+	RAT_VENDOR_SPECIFIC = 26,
+	RAT_SESSION_TIMEOUT = 27,
+	RAT_IDLE_TIMEOUT = 28,
+	RAT_TERMINATION_ACTION = 29,
+	RAT_CALLED_STATION_ID = 30,
+	RAT_CALLING_STATION_ID = 31,
+	RAT_NAS_IDENTIFIER = 32,
+	RAT_PROXY_STATE = 33,
+	RAT_LOGIN_LAT_SERVICE = 34,
+	RAT_LOGIN_LAT_NODE = 35,
+	RAT_LOGIN_LAT_GROUP = 36,
+	RAT_FRAMED_APPLETALK_LINK = 37,
+	RAT_FRAMED_APPLETALK_NETWORK = 38,
+	RAT_FRAMED_APPLETALK_ZONE = 39,
+	RAT_ACCT_STATUS_TYPE = 40,
+	RAT_ACCT_DELAY_TIME = 41,
+	RAT_ACCT_INPUT_OCTETS = 42,
+	RAT_ACCT_OUTPUT_OCTETS = 43,
+	RAT_ACCT_SESSION_ID = 44,
+	RAT_ACCT_AUTHENTIC = 45,
+	RAT_ACCT_SESSION_TIME = 46,
+	RAT_ACCT_INPUT_PACKETS = 47,
+	RAT_ACCT_OUTPUT_PACKETS = 48,
+	RAT_ACCT_TERMINATE_CAUSE = 49,
+	RAT_ACCT_MULTI_SESSION_ID = 50,
+	RAT_ACCT_LINK_COUNT = 51,
+	RAT_ACCT_INPUT_GIGAWORDS = 52,
+	RAT_ACCT_OUTPUT_GIGAWORDS = 53,
+	RAT_EVENT_TIMESTAMP = 55,
+	RAT_EGRESS_VLANID = 56,
+	RAT_INGRESS_FILTERS = 57,
+	RAT_EGRESS_VLAN_NAME = 58,
+	RAT_USER_PRIORITY_TABLE = 59,
+	RAT_CHAP_CHALLENGE = 60,
+	RAT_NAS_PORT_TYPE = 61,
+	RAT_PORT_LIMIT = 62,
+	RAT_LOGIN_LAT_PORT = 63,
+	RAT_TUNNEL_TYPE = 64,
+	RAT_TUNNEL_MEDIUM_TYPE = 65,
+	RAT_TUNNEL_CLIENT_ENDPOINT = 66,
+	RAT_TUNNEL_SERVER_ENDPOINT = 67,
+	RAT_ACCT_TUNNEL_CONNECTION = 68,
+	RAT_TUNNEL_PASSWORD = 69,
+	RAT_ARAP_PASSWORD = 70,
+	RAT_ARAP_FEATURES = 71,
+	RAT_ARAP_ZONE_ACCESS = 72,
+	RAT_ARAP_SECURITY = 73,
+	RAT_ARAP_SECURITY_DATA = 74,
+	RAT_PASSWORD_RETRY = 75,
+	RAT_PROMPT = 76,
+	RAT_CONNECT_INFO = 77,
+	RAT_CONFIGURATION_TOKEN = 78,
+	RAT_EAP_MESSAGE = 79,
+	RAT_MESSAGE_AUTHENTICATOR = 80,
+	RAT_TUNNEL_PRIVATE_GROUP_ID = 81,
+	RAT_TUNNEL_ASSIGNMENT_ID = 82,
+	RAT_TUNNEL_PREFERENCE = 83,
+	RAT_ARAP_CHALLENGE_RESPONSE = 84,
+	RAT_ACCT_INTERIM_INTERVAL = 85,
+	RAT_ACCT_TUNNEL_PACKETS_LOST = 86,
+	RAT_NAS_PORT_ID = 87,
+	RAT_FRAMED_POOL = 88,
+	RAT_CUI = 89,
+	RAT_TUNNEL_CLIENT_AUTH_ID = 90,
+	RAT_TUNNEL_SERVER_AUTH_ID = 91,
+	RAT_NAS_FILTER_RULE = 92,
+	RAT_UNASSIGNED = 93,
+	RAT_ORIGINATING_LINE_INFO = 94,
+	RAT_NAS_IPV6_ADDRESS = 95,
+	RAT_FRAMED_INTERFACE_ID = 96,
+	RAT_FRAMED_IPV6_PREFIX = 97,
+	RAT_LOGIN_IPV6_HOST = 98,
+	RAT_FRAMED_IPV6_ROUTE = 99,
+	RAT_FRAMED_IPV6_POOL = 100,
+	RAT_ERROR_CAUSE = 101,
+	RAT_EAP_KEY_NAME = 102,
+	RAT_DIGEST_RESPONSE = 103,
+	RAT_DIGEST_REALM = 104,
+	RAT_DIGEST_NONCE = 105,
+	RAT_DIGEST_RESPONSE_AUTH = 106,
+	RAT_DIGEST_NEXTNONCE = 107,
+	RAT_DIGEST_METHOD = 108,
+	RAT_DIGEST_URI = 109,
+	RAT_DIGEST_QOP = 110,
+	RAT_DIGEST_ALGORITHM = 111,
+	RAT_DIGEST_ENTITY_BODY_HASH = 112,
+	RAT_DIGEST_CNONCE = 113,
+	RAT_DIGEST_NONCE_COUNT = 114,
+	RAT_DIGEST_USERNAME = 115,
+	RAT_DIGEST_OPAQUE = 116,
+	RAT_DIGEST_AUTH_PARAM = 117,
+	RAT_DIGEST_AKA_AUTS = 118,
+	RAT_DIGEST_DOMAIN = 119,
+	RAT_DIGEST_STALE = 120,
+	RAT_DIGEST_HA1 = 121,
+	RAT_SIP_AOR = 122,
+	RAT_DELEGATED_IPV6_PREFIX = 123,
+	RAT_MIP6_FEATURE_VECTOR = 124,
+	RAT_MIP6_HOME_LINK_PREFIX = 125,
+};
+
+/**
+ * Enum names for radius_attribute_type_t.
+ */
+extern enum_name_t *radius_attribute_type_names;
+
+/**
+ * A RADIUS message, contains attributes.
+ */
+struct radius_message_t {
+
+	/**
+	 * Create an enumerator over contained RADIUS attributes.
+	 *
+	 * @return				enumerator over (int type, chunk_t data)
+	 */
+	enumerator_t* (*create_enumerator)(radius_message_t *this);
+
+	/**
+	 * Add a RADIUS attribute to the message.
+	 *
+	 * @param type			type of attribute to add
+	 * @param				attribute data, gets cloned
+	 */
+	void (*add)(radius_message_t *this, radius_attribute_type_t type,
+				chunk_t data);
+
+	/**
+	 * Get the message type (code).
+	 *
+	 * @return				message code
+	 */
+	radius_message_code_t (*get_code)(radius_message_t *this);
+
+	/**
+	 * Get the message identifier.
+	 *
+	 * @return				message identifier
+	 */
+	u_int8_t (*get_identifier)(radius_message_t *this);
+
+	/**
+	 * Set the message identifier.
+	 *
+	 * @param identifier	message identifier
+	 */
+	void (*set_identifier)(radius_message_t *this, u_int8_t identifier);
+
+	/**
+	 * Get the 16 byte authenticator.
+	 *
+	 * @return				pointer to the Authenticator field
+	 */
+	u_int8_t* (*get_authenticator)(radius_message_t *this);
+
+	/**
+	 * Get the RADIUS message in its encoded form.
+	 *
+	 * @return				chunk pointing to internal RADIUS message.
+	 */
+	chunk_t (*get_encoding)(radius_message_t *this);
+
+	/**
+	 * Calculate and add the Message-Authenticator attribute to the message.
+	 *
+	 * @param rng			RNG to create Request-Authenticator
+	 * @param signer		HMAC-MD5 signer with secret set
+	 */
+	void (*sign)(radius_message_t *this, rng_t *rng, signer_t *signer);
+
+	/**
+	 * Verify the integrity of a received RADIUS response.
+	 *
+	 * @param req_auth		16 byte Authenticator of the corresponding request
+	 * @param secret		shared RADIUS secret
+	 * @param hasher		hasher to verify Response-Authenticator
+	 * @param signer		signer to verify Message-Authenticator attribute
+	 */
+	bool (*verify)(radius_message_t *this, u_int8_t *req_auth, chunk_t secret,
+				   hasher_t *hasher, signer_t *signer);
+
+	/**
+	 * Destroy the message.
+	 */
+	void (*destroy)(radius_message_t *this);
+};
+
+/**
+ * Create an empty RADIUS request message (RMT_ACCESS_REQUEST).
+ *
+ * @return				radius_message_t object
+ */
+radius_message_t *radius_message_create_request();
+
+/**
+ * Parse and verify a recevied RADIUS response.
+ *
+ * @param data			received message data
+ * @return				radius_message_t object, NULL if length invalid
+ */
+radius_message_t *radius_message_parse_response(chunk_t data);
+
+#endif /** RADIUS_MESSAGE_H_ @}*/
diff --git a/src/libcharon/plugins/eap_sim/Makefile.am b/src/libcharon/plugins/eap_sim/Makefile.am
new file mode 100644
index 000000000..a0cb72f5f
--- /dev/null
+++ b/src/libcharon/plugins/eap_sim/Makefile.am
@@ -0,0 +1,19 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libsimaka
+
+AM_CFLAGS = -rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-eap-sim.la
+else
+plugin_LTLIBRARIES = libstrongswan-eap-sim.la
+libstrongswan_eap_sim_la_LIBADD = $(top_builddir)/src/libsimaka/libsimaka.la
+endif
+
+libstrongswan_eap_sim_la_SOURCES = \
+	eap_sim_plugin.h eap_sim_plugin.c \
+	eap_sim_peer.h eap_sim_peer.c \
+	eap_sim_server.h eap_sim_server.c
+
+libstrongswan_eap_sim_la_LDFLAGS = -module -avoid-version
diff --git a/src/libcharon/plugins/eap_sim/Makefile.in b/src/libcharon/plugins/eap_sim/Makefile.in
new file mode 100644
index 000000000..588965113
--- /dev/null
+++ b/src/libcharon/plugins/eap_sim/Makefile.in
@@ -0,0 +1,593 @@
+# Makefile.in generated by automake 1.11 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libcharon/plugins/eap_sim
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+@MONOLITHIC_FALSE@libstrongswan_eap_sim_la_DEPENDENCIES =  \
+@MONOLITHIC_FALSE@	$(top_builddir)/src/libsimaka/libsimaka.la
+am_libstrongswan_eap_sim_la_OBJECTS = eap_sim_plugin.lo \
+	eap_sim_peer.lo eap_sim_server.lo
+libstrongswan_eap_sim_la_OBJECTS =  \
+	$(am_libstrongswan_eap_sim_la_OBJECTS)
+libstrongswan_eap_sim_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_eap_sim_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_eap_sim_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_eap_sim_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_eap_sim_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_eap_sim_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libhydra_plugins = @libhydra_plugins@
+libstrongswan_plugins = @libstrongswan_plugins@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libsimaka
+
+AM_CFLAGS = -rdynamic
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-eap-sim.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-eap-sim.la
+@MONOLITHIC_FALSE@libstrongswan_eap_sim_la_LIBADD = $(top_builddir)/src/libsimaka/libsimaka.la
+libstrongswan_eap_sim_la_SOURCES = \
+	eap_sim_plugin.h eap_sim_plugin.c \
+	eap_sim_peer.h eap_sim_peer.c \
+	eap_sim_server.h eap_sim_server.c
+
+libstrongswan_eap_sim_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/eap_sim/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libcharon/plugins/eap_sim/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-eap-sim.la: $(libstrongswan_eap_sim_la_OBJECTS) $(libstrongswan_eap_sim_la_DEPENDENCIES) 
+	$(libstrongswan_eap_sim_la_LINK) $(am_libstrongswan_eap_sim_la_rpath) $(libstrongswan_eap_sim_la_OBJECTS) $(libstrongswan_eap_sim_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_sim_peer.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_sim_plugin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_sim_server.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libcharon/plugins/eap_sim/eap_sim_peer.c b/src/libcharon/plugins/eap_sim/eap_sim_peer.c
new file mode 100644
index 000000000..961cfd30d
--- /dev/null
+++ b/src/libcharon/plugins/eap_sim/eap_sim_peer.c
@@ -0,0 +1,654 @@
+/*
+ * Copyright (C) 2007-2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_sim_peer.h"
+
+#include <daemon.h>
+
+#include <simaka_message.h>
+
+/* number of tries we do authenticate */
+#define MAX_TRIES 3
+
+/* number of triplets for one authentication */
+#define TRIPLET_COUNT 3
+
+/** length of the AT_NONCE_MT nonce value */
+#define NONCE_LEN 16
+
+typedef struct private_eap_sim_peer_t private_eap_sim_peer_t;
+
+/**
+ * Private data of an eap_sim_peer_t object.
+ */
+struct private_eap_sim_peer_t {
+
+	/**
+	 * Public authenticator_t interface.
+	 */
+	eap_sim_peer_t public;
+
+	/**
+	 * permanent ID of peer
+	 */
+	identification_t *permanent;
+
+	/**
+	 * Pseudonym identity the peer uses
+	 */
+	identification_t *pseudonym;
+
+	/**
+	 * Reauthentication identity the peer uses
+	 */
+	identification_t *reauth;
+
+	/**
+	 * EAP-SIM crypto helper
+	 */
+	simaka_crypto_t *crypto;
+
+	/**
+	 * how many times we try to authenticate
+	 */
+	int tries;
+
+	/**
+	 * version list received from server
+	 */
+	chunk_t version_list;
+
+	/**
+	 * Nonce value used in AT_NONCE_MT/AT_NONCE_S
+	 */
+	chunk_t nonce;
+
+	/**
+	 * MSK, used for EAP-SIM based IKEv2 authentication
+	 */
+	chunk_t msk;
+
+	/**
+	 * Master key, if reauthentication is used
+	 */
+	char mk[HASH_SIZE_SHA1];
+
+	/**
+	 * Counter value if reauthentication is used
+	 */
+	u_int16_t counter;
+};
+
+/* version of SIM protocol we speak */
+static chunk_t version = chunk_from_chars(0x00,0x01);
+
+/**
+ * Create a SIM_CLIENT_ERROR
+ */
+static eap_payload_t* create_client_error(private_eap_sim_peer_t *this,
+							u_int8_t identifier, simaka_client_error_t code)
+{
+	simaka_message_t *message;
+	eap_payload_t *out;
+	u_int16_t encoded;
+
+	DBG1(DBG_IKE, "sending client error '%N'", simaka_client_error_names, code);
+
+	message = simaka_message_create(FALSE, identifier, EAP_SIM,
+									SIM_CLIENT_ERROR, this->crypto);
+	encoded = htons(code);
+	message->add_attribute(message, AT_CLIENT_ERROR_CODE,
+						   chunk_create((char*)&encoded, sizeof(encoded)));
+	out = message->generate(message, chunk_empty);
+	message->destroy(message);
+	return out;
+}
+
+/**
+ * process an EAP-SIM/Request/Start message
+ */
+static status_t process_start(private_eap_sim_peer_t *this,
+							  simaka_message_t *in, eap_payload_t **out)
+{
+	simaka_message_t *message;
+	enumerator_t *enumerator;
+	simaka_attribute_t type;
+	chunk_t data, id = chunk_empty;
+	rng_t *rng;
+	bool supported = FALSE;
+	simaka_attribute_t id_req = 0;
+
+	/* reset previously uses reauthentication/pseudonym data */
+	this->crypto->clear_keys(this->crypto);
+	DESTROY_IF(this->pseudonym);
+	this->pseudonym = NULL;
+	DESTROY_IF(this->reauth);
+	this->reauth = NULL;
+
+	enumerator = in->create_attribute_enumerator(in);
+	while (enumerator->enumerate(enumerator, &type, &data))
+	{
+		switch (type)
+		{
+			case AT_VERSION_LIST:
+			{
+				free(this->version_list.ptr);
+				this->version_list = chunk_clone(data);
+				while (data.len >= version.len)
+				{
+					if (memeq(data.ptr, version.ptr, version.len))
+					{
+						supported = TRUE;
+						break;
+					}
+				}
+				break;
+			}
+			case AT_ANY_ID_REQ:
+			case AT_FULLAUTH_ID_REQ:
+			case AT_PERMANENT_ID_REQ:
+				id_req = type;
+				break;
+			default:
+				if (!simaka_attribute_skippable(type))
+				{
+					*out = create_client_error(this, in->get_identifier(in),
+											   SIM_UNABLE_TO_PROCESS);
+					enumerator->destroy(enumerator);
+					return NEED_MORE;
+				}
+				break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	if (!supported)
+	{
+		DBG1(DBG_IKE, "server does not support EAP-SIM version number 1");
+		*out = create_client_error(this, in->get_identifier(in),
+								   SIM_UNSUPPORTED_VERSION);
+		return NEED_MORE;
+	}
+
+	switch (id_req)
+	{
+		case AT_ANY_ID_REQ:
+			this->reauth = charon->sim->card_get_reauth(charon->sim,
+									this->permanent, this->mk, &this->counter);
+			if (this->reauth)
+			{
+				id = this->reauth->get_encoding(this->reauth);
+				break;
+			}
+			/* FALL */
+		case AT_FULLAUTH_ID_REQ:
+			this->pseudonym = charon->sim->card_get_pseudonym(charon->sim,
+															  this->permanent);
+			if (this->pseudonym)
+			{
+				id = this->pseudonym->get_encoding(this->pseudonym);
+				break;
+			}
+			/* FALL */
+		case AT_PERMANENT_ID_REQ:
+			id = this->permanent->get_encoding(this->permanent);
+			break;
+		default:
+			break;
+	}
+
+	/* generate AT_NONCE_MT value */
+	rng = this->crypto->get_rng(this->crypto);
+	free(this->nonce.ptr);
+	rng->allocate_bytes(rng, NONCE_LEN, &this->nonce);
+
+	message = simaka_message_create(FALSE, in->get_identifier(in), EAP_SIM,
+									SIM_START, this->crypto);
+	if (!this->reauth)
+	{
+		message->add_attribute(message, AT_SELECTED_VERSION, version);
+		message->add_attribute(message, AT_NONCE_MT, this->nonce);
+	}
+	if (id.len)
+	{
+		message->add_attribute(message, AT_IDENTITY, id);
+	}
+	*out = message->generate(message, chunk_empty);
+	message->destroy(message);
+
+	return NEED_MORE;
+}
+
+/**
+ * process an EAP-SIM/Request/Challenge message
+ */
+static status_t process_challenge(private_eap_sim_peer_t *this,
+								  simaka_message_t *in, eap_payload_t **out)
+{
+	simaka_message_t *message;
+	enumerator_t *enumerator;
+	simaka_attribute_t type;
+	chunk_t data, rands = chunk_empty, kcs, kc, sreses, sres, mk;
+	identification_t *id;
+
+	if (this->tries-- <= 0)
+	{
+		/* give up without notification. This hack is required as some buggy
+		 * server implementations won't respect our client-error. */
+		return FAILED;
+	}
+
+	enumerator = in->create_attribute_enumerator(in);
+	while (enumerator->enumerate(enumerator, &type, &data))
+	{
+		switch (type)
+		{
+			case AT_RAND:
+				rands = data;
+				break;
+			default:
+				if (!simaka_attribute_skippable(type))
+				{
+					*out = create_client_error(this, in->get_identifier(in),
+											   SIM_UNABLE_TO_PROCESS);
+					enumerator->destroy(enumerator);
+					return NEED_MORE;
+				}
+				break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	/* excepting two or three RAND, each 16 bytes. We require two valid
+	 * and different RANDs */
+	if ((rands.len != 2 * SIM_RAND_LEN && rands.len != 3 * SIM_RAND_LEN) ||
+		memeq(rands.ptr, rands.ptr + SIM_RAND_LEN, SIM_RAND_LEN))
+	{
+		DBG1(DBG_IKE, "no valid AT_RAND received");
+		*out = create_client_error(this, in->get_identifier(in),
+								   SIM_INSUFFICIENT_CHALLENGES);
+		return NEED_MORE;
+	}
+	/* get two or three KCs/SRESes from SIM using RANDs */
+	kcs = kc = chunk_alloca(rands.len / 2);
+	sreses = sres = chunk_alloca(rands.len / 4);
+	while (rands.len >= SIM_RAND_LEN)
+	{
+		if (!charon->sim->card_get_triplet(charon->sim, this->permanent,
+										   rands.ptr, sres.ptr, kc.ptr))
+		{
+			DBG1(DBG_IKE, "unable to get EAP-SIM triplet");
+			*out = create_client_error(this, in->get_identifier(in),
+									   SIM_UNABLE_TO_PROCESS);
+			return NEED_MORE;
+		}
+		DBG3(DBG_IKE, "got triplet for RAND %b\n  Kc %b\n  SRES %b",
+			 rands.ptr, SIM_RAND_LEN, sres.ptr, SIM_SRES_LEN, kc.ptr, SIM_KC_LEN);
+		kc = chunk_skip(kc, SIM_KC_LEN);
+		sres = chunk_skip(sres, SIM_SRES_LEN);
+		rands = chunk_skip(rands, SIM_RAND_LEN);
+	}
+
+	id = this->permanent;
+	if (this->pseudonym)
+	{
+		id = this->pseudonym;
+	}
+	data = chunk_cata("cccc", kcs, this->nonce, this->version_list, version);
+	free(this->msk.ptr);
+	this->msk = this->crypto->derive_keys_full(this->crypto, id, data, &mk);
+	memcpy(this->mk, mk.ptr, mk.len);
+	free(mk.ptr);
+
+	/* Verify AT_MAC attribute, signature is over "EAP packet | NONCE_MT", and
+	 * parse() again after key derivation, reading encrypted attributes */
+	if (!in->verify(in, this->nonce) || !in->parse(in))
+	{
+		*out = create_client_error(this, in->get_identifier(in),
+								   SIM_UNABLE_TO_PROCESS);
+		return NEED_MORE;
+	}
+
+	enumerator = in->create_attribute_enumerator(in);
+	while (enumerator->enumerate(enumerator, &type, &data))
+	{
+		switch (type)
+		{
+			case AT_NEXT_REAUTH_ID:
+				this->counter = 0;
+				id = identification_create_from_data(data);
+				charon->sim->card_set_reauth(charon->sim, this->permanent, id,
+											 this->mk, this->counter);
+				id->destroy(id);
+				break;
+			case AT_NEXT_PSEUDONYM:
+				id = identification_create_from_data(data);
+				charon->sim->card_set_pseudonym(charon->sim, this->permanent, id);
+				id->destroy(id);
+				break;
+			default:
+				break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	/* build response with AT_MAC, built over "EAP packet | n*SRES" */
+	message = simaka_message_create(FALSE, in->get_identifier(in), EAP_SIM,
+									SIM_CHALLENGE, this->crypto);
+	*out = message->generate(message, sreses);
+	message->destroy(message);
+	return NEED_MORE;
+}
+
+/**
+ * Check if a received counter value is acceptable
+ */
+static bool counter_too_small(private_eap_sim_peer_t *this, chunk_t chunk)
+{
+	u_int16_t counter;
+
+	memcpy(&counter, chunk.ptr, sizeof(counter));
+	counter = htons(counter);
+	return counter < this->counter;
+}
+
+/**
+ * process an EAP-SIM/Request/Re-Authentication message
+ */
+static status_t process_reauthentication(private_eap_sim_peer_t *this,
+									simaka_message_t *in, eap_payload_t **out)
+{
+	simaka_message_t *message;
+	enumerator_t *enumerator;
+	simaka_attribute_t type;
+	chunk_t data, counter = chunk_empty, nonce = chunk_empty, id = chunk_empty;
+
+	if (!this->reauth)
+	{
+		DBG1(DBG_IKE, "received %N, but not expected",
+			 simaka_subtype_names, SIM_REAUTHENTICATION);
+		*out = create_client_error(this, in->get_identifier(in),
+								   SIM_UNABLE_TO_PROCESS);
+		return NEED_MORE;
+	}
+
+	this->crypto->derive_keys_reauth(this->crypto,
+									 chunk_create(this->mk, HASH_SIZE_SHA1));
+
+	/* verify MAC and parse again with decryption key */
+	if (!in->verify(in, chunk_empty) || !in->parse(in))
+	{
+		*out = create_client_error(this, in->get_identifier(in),
+								   SIM_UNABLE_TO_PROCESS);
+		return NEED_MORE;
+	}
+
+	enumerator = in->create_attribute_enumerator(in);
+	while (enumerator->enumerate(enumerator, &type, &data))
+	{
+		switch (type)
+		{
+			case AT_COUNTER:
+				counter = data;
+				break;
+			case AT_NONCE_S:
+				nonce = data;
+				break;
+			case AT_NEXT_REAUTH_ID:
+				id = data;
+				break;
+			default:
+				if (!simaka_attribute_skippable(type))
+				{
+					*out = create_client_error(this, in->get_identifier(in),
+											   SIM_UNABLE_TO_PROCESS);
+					enumerator->destroy(enumerator);
+					return NEED_MORE;
+				}
+				break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	if (!nonce.len || !counter.len)
+	{
+		DBG1(DBG_IKE, "EAP-SIM/Request/Re-Authentication message incomplete");
+		*out = create_client_error(this, in->get_identifier(in),
+								   SIM_UNABLE_TO_PROCESS);
+		return NEED_MORE;
+	}
+
+	message = simaka_message_create(FALSE, in->get_identifier(in), EAP_SIM,
+									SIM_REAUTHENTICATION, this->crypto);
+	if (counter_too_small(this, counter))
+	{
+		DBG1(DBG_IKE, "reauthentication counter too small");
+		message->add_attribute(message, AT_COUNTER_TOO_SMALL, chunk_empty);
+	}
+	else
+	{
+		free(this->msk.ptr);
+		this->msk = this->crypto->derive_keys_reauth_msk(this->crypto,
+										this->reauth, counter, nonce,
+										chunk_create(this->mk, HASH_SIZE_SHA1));
+		if (id.len)
+		{
+			identification_t *reauth;
+
+			reauth = identification_create_from_data(data);
+			charon->sim->card_set_reauth(charon->sim, this->permanent, reauth,
+							 this->mk, this->counter);
+			reauth->destroy(reauth);
+		}
+	}
+	message->add_attribute(message, AT_COUNTER, counter);
+	*out = message->generate(message, nonce);
+	message->destroy(message);
+	return NEED_MORE;
+}
+
+/**
+ * process an EAP-SIM/Request/Notification message
+ */
+static status_t process_notification(private_eap_sim_peer_t *this,
+									 simaka_message_t *in, eap_payload_t **out)
+{
+	simaka_message_t *message;
+	enumerator_t *enumerator;
+	simaka_attribute_t type;
+	chunk_t data;
+	bool success = TRUE;
+
+	enumerator = in->create_attribute_enumerator(in);
+	while (enumerator->enumerate(enumerator, &type, &data))
+	{
+		if (type == AT_NOTIFICATION)
+		{
+			u_int16_t code;
+
+			memcpy(&code, data.ptr, sizeof(code));
+			code = ntohs(code);
+
+			/* test success bit */
+			if (!(data.ptr[0] & 0x80))
+			{
+				success = FALSE;
+				DBG1(DBG_IKE, "received EAP-SIM notification error '%N'",
+					 simaka_notification_names, code);
+			}
+			else
+			{
+				DBG1(DBG_IKE, "received EAP-SIM notification '%N'",
+					 simaka_notification_names, code);
+			}
+		}
+		else if (!simaka_attribute_skippable(type))
+		{
+			success = FALSE;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	if (success)
+	{	/* empty notification reply */
+		message = simaka_message_create(FALSE, in->get_identifier(in), EAP_SIM,
+										SIM_NOTIFICATION, this->crypto);
+		*out = message->generate(message, chunk_empty);
+		message->destroy(message);
+	}
+	else
+	{
+		*out = create_client_error(this, in->get_identifier(in),
+								   SIM_UNABLE_TO_PROCESS);
+	}
+	return NEED_MORE;
+}
+
+/**
+ * Implementation of eap_method_t.process
+ */
+static status_t process(private_eap_sim_peer_t *this,
+						eap_payload_t *in, eap_payload_t **out)
+{
+	simaka_message_t *message;
+	status_t status;
+
+	message = simaka_message_create_from_payload(in, this->crypto);
+	if (!message)
+	{
+		*out = create_client_error(this, in->get_identifier(in),
+								   SIM_UNABLE_TO_PROCESS);
+		return NEED_MORE;
+	}
+	if (!message->parse(message))
+	{
+		message->destroy(message);
+		*out = create_client_error(this, in->get_identifier(in),
+								   SIM_UNABLE_TO_PROCESS);
+		return NEED_MORE;
+	}
+	switch (message->get_subtype(message))
+	{
+		case SIM_START:
+			status = process_start(this, message, out);
+			break;
+		case SIM_CHALLENGE:
+			status = process_challenge(this, message, out);
+			break;
+		case SIM_REAUTHENTICATION:
+			status = process_reauthentication(this, message, out);
+			break;
+		case SIM_NOTIFICATION:
+			status = process_notification(this, message, out);
+			break;
+		default:
+			DBG1(DBG_IKE, "unable to process EAP-SIM subtype %N",
+				 simaka_subtype_names, message->get_subtype(message));
+			*out = create_client_error(this, in->get_identifier(in),
+									   SIM_UNABLE_TO_PROCESS);
+			status = NEED_MORE;
+			break;
+	}
+	message->destroy(message);
+	return status;
+}
+
+/**
+ * Implementation of eap_method_t.initiate
+ */
+static status_t initiate(private_eap_sim_peer_t *this, eap_payload_t **out)
+{
+	/* peer never initiates */
+	return FAILED;
+}
+
+/**
+ * Implementation of eap_method_t.get_type.
+ */
+static eap_type_t get_type(private_eap_sim_peer_t *this, u_int32_t *vendor)
+{
+	*vendor = 0;
+	return EAP_SIM;
+}
+
+/**
+ * Implementation of eap_method_t.get_msk.
+ */
+static status_t get_msk(private_eap_sim_peer_t *this, chunk_t *msk)
+{
+	if (this->msk.ptr)
+	{
+		*msk = this->msk;
+		return SUCCESS;
+	}
+	return FAILED;
+}
+
+/**
+ * Implementation of eap_method_t.is_mutual.
+ */
+static bool is_mutual(private_eap_sim_peer_t *this)
+{
+	return TRUE;
+}
+
+/**
+ * Implementation of eap_method_t.destroy.
+ */
+static void destroy(private_eap_sim_peer_t *this)
+{
+	this->permanent->destroy(this->permanent);
+	DESTROY_IF(this->pseudonym);
+	DESTROY_IF(this->reauth);
+	this->crypto->destroy(this->crypto);
+	free(this->version_list.ptr);
+	free(this->nonce.ptr);
+	free(this->msk.ptr);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+eap_sim_peer_t *eap_sim_peer_create(identification_t *server,
+									identification_t *peer)
+{
+	private_eap_sim_peer_t *this = malloc_thing(private_eap_sim_peer_t);
+
+	this->public.interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate;
+	this->public.interface.process = (status_t(*)(eap_method_t*,eap_payload_t*,eap_payload_t**))process;
+	this->public.interface.get_type = (eap_type_t(*)(eap_method_t*,u_int32_t*))get_type;
+	this->public.interface.is_mutual = (bool(*)(eap_method_t*))is_mutual;
+	this->public.interface.get_msk = (status_t(*)(eap_method_t*,chunk_t*))get_msk;
+	this->public.interface.destroy = (void(*)(eap_method_t*))destroy;
+
+	this->crypto = simaka_crypto_create();
+	if (!this->crypto)
+	{
+		free(this);
+		return NULL;
+	}
+	this->permanent = peer->clone(peer);
+	this->pseudonym = NULL;
+	this->reauth = NULL;
+	this->tries = MAX_TRIES;
+	this->version_list = chunk_empty;
+	this->nonce = chunk_empty;
+	this->msk = chunk_empty;
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/plugins/eap_sim/eap_sim_peer.h b/src/libcharon/plugins/eap_sim/eap_sim_peer.h
new file mode 100644
index 000000000..89f81301e
--- /dev/null
+++ b/src/libcharon/plugins/eap_sim/eap_sim_peer.h
@@ -0,0 +1,57 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_sim_peer eap_sim_peer
+ * @{ @ingroup eap_sim
+ */
+
+#ifndef EAP_SIM_PEER_H_
+#define EAP_SIM_PEER_H_
+
+#include <sa/authenticators/eap/eap_method.h>
+
+typedef struct eap_sim_peer_t eap_sim_peer_t;
+
+/**
+ * EAP-SIM peer implementation.
+ *
+ * This EAP-SIM module uses sim_card_t implementations for triplet calculation,
+ * found via the eap_sim_manager_t.
+ */
+struct eap_sim_peer_t {
+
+	/**
+	 * Implemented eap_method_t interface.
+	 */
+	eap_method_t interface;
+
+	/**
+	 * Destroy a eap_sim_peer_t.
+	 */
+	void (*destroy)(eap_sim_peer_t *this);
+};
+
+/**
+ * Creates the EAP method EAP-SIM acting as peer.
+ *
+ * @param server	ID of the EAP server
+ * @param peer		ID of the EAP peer
+ * @return			eap_sim_t object
+ */
+eap_sim_peer_t *eap_sim_peer_create(identification_t *server,
+									identification_t *peer);
+
+#endif /** EAP_SIM_PEER_H_ @}*/
diff --git a/src/libcharon/plugins/eap_sim/eap_sim_plugin.c b/src/libcharon/plugins/eap_sim/eap_sim_plugin.c
new file mode 100644
index 000000000..f0c972253
--- /dev/null
+++ b/src/libcharon/plugins/eap_sim/eap_sim_plugin.c
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) 2008-2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_sim_plugin.h"
+
+#include "eap_sim_server.h"
+#include "eap_sim_peer.h"
+
+#include <daemon.h>
+
+/**
+ * Implementation of plugin_t.destroy
+ */
+static void destroy(eap_sim_plugin_t *this)
+{
+	charon->eap->remove_method(charon->eap,
+							   (eap_constructor_t)eap_sim_server_create);
+	charon->eap->remove_method(charon->eap,
+							   (eap_constructor_t)eap_sim_peer_create);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *eap_sim_plugin_create()
+{
+	eap_sim_plugin_t *this = malloc_thing(eap_sim_plugin_t);
+
+	this->plugin.destroy = (void(*)(plugin_t*))destroy;
+
+	charon->eap->add_method(charon->eap, EAP_SIM, 0, EAP_SERVER,
+							(eap_constructor_t)eap_sim_server_create);
+	charon->eap->add_method(charon->eap, EAP_SIM, 0, EAP_PEER,
+							(eap_constructor_t)eap_sim_peer_create);
+
+	return &this->plugin;
+}
+
diff --git a/src/libcharon/plugins/eap_sim/eap_sim_plugin.h b/src/libcharon/plugins/eap_sim/eap_sim_plugin.h
new file mode 100644
index 000000000..4e10380c4
--- /dev/null
+++ b/src/libcharon/plugins/eap_sim/eap_sim_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_sim eap_sim
+ * @ingroup cplugins
+ *
+ * @defgroup eap_sim_plugin eap_sim_plugin
+ * @{ @ingroup eap_sim
+ */
+
+#ifndef EAP_SIM_PLUGIN_H_
+#define EAP_SIM_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct eap_sim_plugin_t eap_sim_plugin_t;
+
+/**
+ * EAP-SIM plugin.
+ */
+struct eap_sim_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+#endif /** EAP_SIM_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/eap_sim/eap_sim_server.c b/src/libcharon/plugins/eap_sim/eap_sim_server.c
new file mode 100644
index 000000000..f6d5df09b
--- /dev/null
+++ b/src/libcharon/plugins/eap_sim/eap_sim_server.c
@@ -0,0 +1,611 @@
+/*
+ * Copyright (C) 2007-2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_sim_server.h"
+
+#include <daemon.h>
+
+#include <simaka_message.h>
+#include <simaka_crypto.h>
+
+/* number of triplets for one authentication */
+#define TRIPLET_COUNT 3
+
+/** length of the AT_NONCE_S value */
+#define NONCE_LEN 16
+
+typedef struct private_eap_sim_server_t private_eap_sim_server_t;
+
+/**
+ * Private data of an eap_sim_server_t object.
+ */
+struct private_eap_sim_server_t {
+
+	/**
+	 * Public authenticator_t interface.
+	 */
+	eap_sim_server_t public;
+
+	/**
+	 * permanent ID of peer
+	 */
+	identification_t *permanent;
+
+	/**
+	 * pseudonym ID of peer
+	 */
+	identification_t *pseudonym;
+
+	/**
+	 * reauthentication ID of peer
+	 */
+	identification_t *reauth;
+
+	/**
+	 * EAP-SIM/AKA crypto helper
+	 */
+	simaka_crypto_t *crypto;
+
+	/**
+	 * unique EAP identifier
+	 */
+	u_int8_t identifier;
+
+	/**
+	 * concatenated SRES values
+	 */
+	chunk_t sreses;
+
+	/**
+	 * Nonce value used in AT_NONCE_S
+	 */
+	chunk_t nonce;
+
+	/**
+	 * Counter value negotiated, network order
+	 */
+	chunk_t counter;
+
+	/**
+	 * MSK, used for EAP-SIM based IKEv2 authentication
+	 */
+	chunk_t msk;
+
+	/**
+	 * Do we request fast reauthentication?
+	 */
+	bool use_reauth;
+
+	/**
+	 * Do we request pseudonym identities?
+	 */
+	bool use_pseudonym;
+
+	/**
+	 * Do we request permanent identities?
+	 */
+	bool use_permanent;
+
+	/**
+	 * EAP-SIM message we have initiated
+	 */
+	simaka_subtype_t pending;
+};
+
+/* version of SIM protocol we speak */
+static chunk_t version = chunk_from_chars(0x00,0x01);
+
+/**
+ * Implementation of eap_method_t.initiate
+ */
+static status_t initiate(private_eap_sim_server_t *this, eap_payload_t **out)
+{
+	simaka_message_t *message;
+
+	message = simaka_message_create(TRUE, this->identifier++, EAP_SIM,
+									SIM_START, this->crypto);
+	message->add_attribute(message, AT_VERSION_LIST, version);
+	if (this->use_reauth)
+	{
+		message->add_attribute(message, AT_ANY_ID_REQ, chunk_empty);
+	}
+	else if (this->use_pseudonym)
+	{
+		message->add_attribute(message, AT_FULLAUTH_ID_REQ, chunk_empty);
+	}
+	else if (this->use_permanent)
+	{
+		message->add_attribute(message, AT_PERMANENT_ID_REQ, chunk_empty);
+	}
+	*out = message->generate(message, chunk_empty);
+	message->destroy(message);
+
+	this->pending = SIM_START;
+	return NEED_MORE;
+}
+
+/**
+ * Initiate  EAP-SIM/Request/Re-authentication message
+ */
+static status_t reauthenticate(private_eap_sim_server_t *this,
+							   char mk[HASH_SIZE_SHA1], u_int16_t counter,
+							   eap_payload_t **out)
+{
+	simaka_message_t *message;
+	identification_t *next;
+	chunk_t mkc;
+	rng_t *rng;
+
+	DBG1(DBG_IKE, "initiating EAP-SIM reauthentication");
+
+	rng = this->crypto->get_rng(this->crypto);
+	rng->allocate_bytes(rng, NONCE_LEN, &this->nonce);
+
+	mkc = chunk_create(mk, HASH_SIZE_SHA1);
+	counter = htons(counter);
+	this->counter = chunk_clone(chunk_create((char*)&counter, sizeof(counter)));
+
+	this->crypto->derive_keys_reauth(this->crypto, mkc);
+	this->msk = this->crypto->derive_keys_reauth_msk(this->crypto,
+								this->reauth, this->counter, this->nonce, mkc);
+
+	message = simaka_message_create(TRUE, this->identifier++, EAP_SIM,
+									SIM_REAUTHENTICATION, this->crypto);
+	message->add_attribute(message, AT_COUNTER, this->counter);
+	message->add_attribute(message, AT_NONCE_S, this->nonce);
+	next = charon->sim->provider_gen_reauth(charon->sim, this->permanent, mk);
+	if (next)
+	{
+		message->add_attribute(message, AT_NEXT_REAUTH_ID,
+							   next->get_encoding(next));
+		next->destroy(next);
+	}
+	*out = message->generate(message, chunk_empty);
+	message->destroy(message);
+
+	this->pending = SIM_REAUTHENTICATION;
+	return NEED_MORE;
+}
+
+/**
+ * process an EAP-SIM/Response/Reauthentication message
+ */
+static status_t process_reauthentication(private_eap_sim_server_t *this,
+									simaka_message_t *in, eap_payload_t **out)
+{
+	enumerator_t *enumerator;
+	simaka_attribute_t type;
+	chunk_t data, counter = chunk_empty;
+	bool too_small = FALSE;
+
+	if (this->pending != SIM_REAUTHENTICATION)
+	{
+		DBG1(DBG_IKE, "received %N, but not expected",
+			 simaka_subtype_names, SIM_REAUTHENTICATION);
+		return FAILED;
+	}
+	/* verify AT_MAC attribute, signature is over "EAP packet | NONCE_S"  */
+	if (!in->verify(in, this->nonce))
+	{
+		return FAILED;
+	}
+
+	enumerator = in->create_attribute_enumerator(in);
+	while (enumerator->enumerate(enumerator, &type, &data))
+	{
+		switch (type)
+		{
+			case AT_COUNTER:
+				counter = data;
+				break;
+			case AT_COUNTER_TOO_SMALL:
+				too_small = TRUE;
+				break;
+			default:
+				if (!simaka_attribute_skippable(type))
+				{
+					enumerator->destroy(enumerator);
+					return FAILED;
+				}
+				break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	if (too_small)
+	{
+		DBG1(DBG_IKE, "received %N, initiating full authentication",
+			 simaka_attribute_names, AT_COUNTER_TOO_SMALL);
+		this->use_reauth = FALSE;
+		this->crypto->clear_keys(this->crypto);
+		return initiate(this, out);
+	}
+	if (!chunk_equals(counter, this->counter))
+	{
+		DBG1(DBG_IKE, "received counter does not match");
+		return FAILED;
+	}
+	return SUCCESS;
+}
+
+/**
+ * process an EAP-SIM/Response/Start message
+ */
+static status_t process_start(private_eap_sim_server_t *this,
+							  simaka_message_t *in, eap_payload_t **out)
+{
+	simaka_message_t *message;
+	enumerator_t *enumerator;
+	simaka_attribute_t type;
+	chunk_t data, identity = chunk_empty, nonce = chunk_empty, mk;
+	chunk_t rands, rand, kcs, kc, sreses, sres;
+	bool supported = FALSE;
+	identification_t *id;
+	int i;
+
+	if (this->pending != SIM_START)
+	{
+		DBG1(DBG_IKE, "received %N, but not expected",
+			 simaka_subtype_names, SIM_START);
+		return FAILED;
+	}
+
+	enumerator = in->create_attribute_enumerator(in);
+	while (enumerator->enumerate(enumerator, &type, &data))
+	{
+		switch (type)
+		{
+			case AT_NONCE_MT:
+				nonce = data;
+				break;
+			case AT_SELECTED_VERSION:
+				if (chunk_equals(data, version))
+				{
+					supported = TRUE;
+				}
+				break;
+			case AT_IDENTITY:
+				identity = data;
+				break;
+			default:
+				if (!simaka_attribute_skippable(type))
+				{
+					enumerator->destroy(enumerator);
+					return FAILED;
+				}
+				break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	if (identity.len)
+	{
+		identification_t *permanent;
+
+		id = identification_create_from_data(identity);
+		if (this->use_reauth && !nonce.len)
+		{
+			char mk[HASH_SIZE_SHA1];
+			u_int16_t counter;
+
+			permanent = charon->sim->provider_is_reauth(charon->sim, id,
+														mk, &counter);
+			if (permanent)
+			{
+				this->permanent->destroy(this->permanent);
+				this->permanent = permanent;
+				this->reauth = id;
+				return reauthenticate(this, mk, counter, out);
+			}
+			DBG1(DBG_IKE, "received unknown reauthentication identity '%Y', "
+				 "initiating full authentication", id);
+			this->use_reauth = FALSE;
+			id->destroy(id);
+			return initiate(this, out);
+		}
+		if (this->use_pseudonym)
+		{
+			permanent = charon->sim->provider_is_pseudonym(charon->sim, id);
+			if (permanent)
+			{
+				this->permanent->destroy(this->permanent);
+				this->permanent = permanent;
+				this->pseudonym = id->clone(id);
+				/* we already have a new permanent identity now */
+				this->use_permanent = FALSE;
+			}
+		}
+		if (!this->pseudonym && this->use_permanent)
+		{
+			DBG1(DBG_IKE, "received %spermanent identity '%Y'",
+				 this->use_pseudonym ? "pseudonym or " : "", id);
+			this->permanent->destroy(this->permanent);
+			this->permanent = id->clone(id);
+		}
+		id->destroy(id);
+	}
+
+	if (!supported || !nonce.len)
+	{
+		DBG1(DBG_IKE, "received incomplete EAP-SIM/Response/Start");
+		return FAILED;
+	}
+
+	/* read triplets from provider */
+	rand = rands = chunk_alloca(SIM_RAND_LEN * TRIPLET_COUNT);
+	kc = kcs = chunk_alloca(SIM_KC_LEN * TRIPLET_COUNT);
+	sres = sreses = chunk_alloca(SIM_SRES_LEN * TRIPLET_COUNT);
+	rands.len = kcs.len = sreses.len = 0;
+	for (i = 0; i < TRIPLET_COUNT; i++)
+	{
+		if (!charon->sim->provider_get_triplet(charon->sim, this->permanent,
+											   rand.ptr, sres.ptr, kc.ptr))
+		{
+			if (this->use_pseudonym)
+			{
+				/* probably received a pseudonym we couldn't map */
+				DBG1(DBG_IKE, "failed to map pseudonym identity '%Y', "
+					 "fallback to permanent identity request", this->permanent);
+				this->use_pseudonym = FALSE;
+				DESTROY_IF(this->pseudonym);
+				this->pseudonym = NULL;
+				return initiate(this, out);
+			}
+			return FAILED;
+		}
+		rands.len += SIM_RAND_LEN;
+		sreses.len += SIM_SRES_LEN;
+		kcs.len += SIM_KC_LEN;
+		rand = chunk_skip(rand, SIM_RAND_LEN);
+		sres = chunk_skip(sres, SIM_SRES_LEN);
+		kc = chunk_skip(kc, SIM_KC_LEN);
+	}
+	free(this->sreses.ptr);
+	this->sreses = chunk_clone(sreses);
+
+	data = chunk_cata("cccc", kcs, nonce, version, version);
+	free(this->msk.ptr);
+	id = this->permanent;
+	if (this->pseudonym)
+	{
+		id = this->pseudonym;
+	}
+	this->msk = this->crypto->derive_keys_full(this->crypto, id, data, &mk);
+
+	/* build response with AT_MAC, built over "EAP packet | NONCE_MT" */
+	message = simaka_message_create(TRUE, this->identifier++, EAP_SIM,
+									SIM_CHALLENGE, this->crypto);
+	message->add_attribute(message, AT_RAND, rands);
+	id = charon->sim->provider_gen_reauth(charon->sim, this->permanent, mk.ptr);
+	if (id)
+	{
+		message->add_attribute(message, AT_NEXT_REAUTH_ID,
+							   id->get_encoding(id));
+		id->destroy(id);
+	}
+	else
+	{
+		id = charon->sim->provider_gen_pseudonym(charon->sim, this->permanent);
+		if (id)
+		{
+			message->add_attribute(message, AT_NEXT_PSEUDONYM,
+								   id->get_encoding(id));
+			id->destroy(id);
+		}
+	}
+	*out = message->generate(message, nonce);
+	message->destroy(message);
+
+	free(mk.ptr);
+	this->pending = SIM_CHALLENGE;
+	return NEED_MORE;
+}
+
+/**
+ * process an EAP-SIM/Response/Challenge message
+ */
+static status_t process_challenge(private_eap_sim_server_t *this,
+								  simaka_message_t *in, eap_payload_t **out)
+{
+	enumerator_t *enumerator;
+	simaka_attribute_t type;
+	chunk_t data;
+
+	if (this->pending != SIM_CHALLENGE)
+	{
+		DBG1(DBG_IKE, "received %N, but not expected",
+			 simaka_subtype_names, SIM_CHALLENGE);
+		return FAILED;
+	}
+	/* verify AT_MAC attribute, signature is over "EAP packet | n*SRES"  */
+	if (!in->verify(in, this->sreses))
+	{
+		return FAILED;
+	}
+
+	enumerator = in->create_attribute_enumerator(in);
+	while (enumerator->enumerate(enumerator, &type, &data))
+	{
+		if (!simaka_attribute_skippable(type))
+		{
+			enumerator->destroy(enumerator);
+			return FAILED;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	return SUCCESS;
+}
+
+/**
+ * EAP-SIM/Response/ClientErrorCode message
+ */
+static status_t process_client_error(private_eap_sim_server_t *this,
+									 simaka_message_t *in)
+{
+	enumerator_t *enumerator;
+	simaka_attribute_t type;
+	chunk_t data;
+
+	enumerator = in->create_attribute_enumerator(in);
+	while (enumerator->enumerate(enumerator, &type, &data))
+	{
+		if (type == AT_CLIENT_ERROR_CODE)
+		{
+			u_int16_t code;
+
+			memcpy(&code, data.ptr, sizeof(code));
+			DBG1(DBG_IKE, "received EAP-SIM client error '%N'",
+				 simaka_client_error_names, ntohs(code));
+		}
+		else if (!simaka_attribute_skippable(type))
+		{
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return FAILED;
+}
+
+/**
+ * Implementation of eap_method_t.process
+ */
+static status_t process(private_eap_sim_server_t *this,
+						eap_payload_t *in, eap_payload_t **out)
+{
+	simaka_message_t *message;
+	status_t status;
+
+	message = simaka_message_create_from_payload(in, this->crypto);
+	if (!message)
+	{
+		return FAILED;
+	}
+	if (!message->parse(message))
+	{
+		message->destroy(message);
+		return FAILED;
+	}
+	switch (message->get_subtype(message))
+	{
+		case SIM_START:
+			status = process_start(this, message, out);
+			break;
+		case SIM_CHALLENGE:
+			status = process_challenge(this, message, out);
+			break;
+		case SIM_REAUTHENTICATION:
+			status = process_reauthentication(this, message, out);
+			break;
+		case SIM_CLIENT_ERROR:
+			status = process_client_error(this, message);
+			break;
+		default:
+			DBG1(DBG_IKE, "unable to process EAP-SIM subtype %N",
+				 simaka_subtype_names, message->get_subtype(message));
+			status = FAILED;
+			break;
+	}
+	message->destroy(message);
+	return status;
+}
+
+/**
+ * Implementation of eap_method_t.get_type.
+ */
+static eap_type_t get_type(private_eap_sim_server_t *this, u_int32_t *vendor)
+{
+	*vendor = 0;
+	return EAP_SIM;
+}
+
+/**
+ * Implementation of eap_method_t.get_msk.
+ */
+static status_t get_msk(private_eap_sim_server_t *this, chunk_t *msk)
+{
+	if (this->msk.ptr)
+	{
+		*msk = this->msk;
+		return SUCCESS;
+	}
+	return FAILED;
+}
+
+/**
+ * Implementation of eap_method_t.is_mutual.
+ */
+static bool is_mutual(private_eap_sim_server_t *this)
+{
+	return TRUE;
+}
+
+/**
+ * Implementation of eap_method_t.destroy.
+ */
+static void destroy(private_eap_sim_server_t *this)
+{
+	this->crypto->destroy(this->crypto);
+	this->permanent->destroy(this->permanent);
+	DESTROY_IF(this->pseudonym);
+	DESTROY_IF(this->reauth);
+	free(this->sreses.ptr);
+	free(this->nonce.ptr);
+	free(this->msk.ptr);
+	free(this->counter.ptr);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+eap_sim_server_t *eap_sim_server_create(identification_t *server,
+										identification_t *peer)
+{
+	private_eap_sim_server_t *this = malloc_thing(private_eap_sim_server_t);
+
+	this->public.interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate;
+	this->public.interface.process = (status_t(*)(eap_method_t*,eap_payload_t*,eap_payload_t**))process;
+	this->public.interface.get_type = (eap_type_t(*)(eap_method_t*,u_int32_t*))get_type;
+	this->public.interface.is_mutual = (bool(*)(eap_method_t*))is_mutual;
+	this->public.interface.get_msk = (status_t(*)(eap_method_t*,chunk_t*))get_msk;
+	this->public.interface.destroy = (void(*)(eap_method_t*))destroy;
+
+	this->crypto = simaka_crypto_create();
+	if (!this->crypto)
+	{
+		free(this);
+		return NULL;
+	}
+	this->permanent = peer->clone(peer);
+	this->pseudonym = NULL;
+	this->reauth = NULL;
+	this->sreses = chunk_empty;
+	this->nonce = chunk_empty;
+	this->msk = chunk_empty;
+	this->counter = chunk_empty;
+	this->pending = 0;
+	this->use_reauth = this->use_pseudonym = this->use_permanent =
+		lib->settings->get_bool(lib->settings,
+								"charon.plugins.eap-sim.request_identity", TRUE);
+
+	/* generate a non-zero identifier */
+	do {
+		this->identifier = random();
+	} while (!this->identifier);
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/plugins/eap_sim/eap_sim_server.h b/src/libcharon/plugins/eap_sim/eap_sim_server.h
new file mode 100644
index 000000000..978e1e1e9
--- /dev/null
+++ b/src/libcharon/plugins/eap_sim/eap_sim_server.h
@@ -0,0 +1,57 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_sim_server eap_sim_server
+ * @{ @ingroup eap_sim
+ */
+
+#ifndef EAP_SIM_SERVER_H_
+#define EAP_SIM_SERVER_H_
+
+#include <sa/authenticators/eap/eap_method.h>
+
+typedef struct eap_sim_server_t eap_sim_server_t;
+
+/**
+ * EAP-SIM server implementation.
+ *
+ * This EAP-SIM module uses sim_provider_t implementations for triplet
+ * calculation, found via the eap_sim_manager_t.
+ */
+struct eap_sim_server_t {
+
+	/**
+	 * Implemented eap_method_t interface.
+	 */
+	eap_method_t interface;
+
+	/**
+	 * Destroy a eap_sim_server_t.
+	 */
+	void (*destroy)(eap_sim_server_t *this);
+};
+
+/**
+ * Creates the EAP method EAP-SIM acting as server.
+ *
+ * @param server	ID of the EAP server
+ * @param peer		ID of the EAP peer
+ * @return			eap_sim_t object
+ */
+eap_sim_server_t *eap_sim_server_create(identification_t *server,
+										identification_t *peer);
+
+#endif /** EAP_SIM_SERVER_H_ @}*/
diff --git a/src/libcharon/plugins/eap_sim_file/Makefile.am b/src/libcharon/plugins/eap_sim_file/Makefile.am
new file mode 100644
index 000000000..2b59a7c88
--- /dev/null
+++ b/src/libcharon/plugins/eap_sim_file/Makefile.am
@@ -0,0 +1,19 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic -DIPSEC_CONFDIR=\"${sysconfdir}\"
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-eap-sim-file.la
+else
+plugin_LTLIBRARIES = libstrongswan-eap-sim-file.la
+endif
+
+libstrongswan_eap_sim_file_la_SOURCES = \
+	eap_sim_file_plugin.h eap_sim_file_plugin.c \
+	eap_sim_file_card.h eap_sim_file_card.c \
+	eap_sim_file_provider.h eap_sim_file_provider.c \
+	eap_sim_file_triplets.h eap_sim_file_triplets.c
+
+libstrongswan_eap_sim_file_la_LDFLAGS = -module -avoid-version
diff --git a/src/libcharon/plugins/eap_sim_file/Makefile.in b/src/libcharon/plugins/eap_sim_file/Makefile.in
new file mode 100644
index 000000000..2d998dbcc
--- /dev/null
+++ b/src/libcharon/plugins/eap_sim_file/Makefile.in
@@ -0,0 +1,595 @@
+# Makefile.in generated by automake 1.11 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libcharon/plugins/eap_sim_file
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_eap_sim_file_la_LIBADD =
+am_libstrongswan_eap_sim_file_la_OBJECTS = eap_sim_file_plugin.lo \
+	eap_sim_file_card.lo eap_sim_file_provider.lo \
+	eap_sim_file_triplets.lo
+libstrongswan_eap_sim_file_la_OBJECTS =  \
+	$(am_libstrongswan_eap_sim_file_la_OBJECTS)
+libstrongswan_eap_sim_file_la_LINK = $(LIBTOOL) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_eap_sim_file_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_eap_sim_file_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_eap_sim_file_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_eap_sim_file_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_eap_sim_file_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libhydra_plugins = @libhydra_plugins@
+libstrongswan_plugins = @libstrongswan_plugins@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic -DIPSEC_CONFDIR=\"${sysconfdir}\"
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-eap-sim-file.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-eap-sim-file.la
+libstrongswan_eap_sim_file_la_SOURCES = \
+	eap_sim_file_plugin.h eap_sim_file_plugin.c \
+	eap_sim_file_card.h eap_sim_file_card.c \
+	eap_sim_file_provider.h eap_sim_file_provider.c \
+	eap_sim_file_triplets.h eap_sim_file_triplets.c
+
+libstrongswan_eap_sim_file_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/eap_sim_file/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libcharon/plugins/eap_sim_file/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-eap-sim-file.la: $(libstrongswan_eap_sim_file_la_OBJECTS) $(libstrongswan_eap_sim_file_la_DEPENDENCIES) 
+	$(libstrongswan_eap_sim_file_la_LINK) $(am_libstrongswan_eap_sim_file_la_rpath) $(libstrongswan_eap_sim_file_la_OBJECTS) $(libstrongswan_eap_sim_file_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_sim_file_card.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_sim_file_plugin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_sim_file_provider.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_sim_file_triplets.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libcharon/plugins/eap_sim_file/eap_sim_file_card.c b/src/libcharon/plugins/eap_sim_file/eap_sim_file_card.c
new file mode 100644
index 000000000..d132a38f6
--- /dev/null
+++ b/src/libcharon/plugins/eap_sim_file/eap_sim_file_card.c
@@ -0,0 +1,107 @@
+/*
+ * Copyright (C) 2008-2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_sim_file_card.h"
+
+#include <daemon.h>
+
+typedef struct private_eap_sim_file_card_t private_eap_sim_file_card_t;
+
+/**
+ * Private data of an eap_sim_file_card_t object.
+ */
+struct private_eap_sim_file_card_t {
+
+	/**
+	 * Public eap_sim_file_card_t interface.
+	 */
+	eap_sim_file_card_t public;
+
+	/**
+	 * source of triplets
+	 */
+	eap_sim_file_triplets_t *triplets;
+};
+
+/**
+ * Implementation of sim_card_t.get_triplet
+ */
+static bool get_triplet(private_eap_sim_file_card_t *this,
+						identification_t *id, char *rand, char *sres, char *kc)
+{
+	enumerator_t *enumerator;
+	identification_t *cand;
+	char *c_rand, *c_sres, *c_kc;
+
+	DBG2(DBG_CFG, "looking for triplet: %Y rand %b", id, rand, SIM_RAND_LEN);
+
+	enumerator = this->triplets->create_enumerator(this->triplets);
+	while (enumerator->enumerate(enumerator, &cand, &c_rand, &c_sres, &c_kc))
+	{
+		DBG2(DBG_CFG, "got a triplet: %Y rand %b\nsres %b\n kc %b", cand,
+			 c_rand, SIM_RAND_LEN, c_sres, SIM_SRES_LEN, c_kc, SIM_KC_LEN);
+		if (id->matches(id, cand))
+		{
+			if (memeq(c_rand, rand, SIM_RAND_LEN))
+			{
+				DBG2(DBG_CFG, "  => triplet matches");
+				memcpy(sres, c_sres, SIM_SRES_LEN);
+				memcpy(kc, c_kc, SIM_KC_LEN);
+				enumerator->destroy(enumerator);
+				return TRUE;
+			}
+		}
+	}
+	enumerator->destroy(enumerator);
+	return FALSE;
+}
+
+/**
+ * Implementation of sim_card_t.get_quintuplet
+ */
+static status_t get_quintuplet()
+{
+	return NOT_SUPPORTED;
+}
+
+/**
+ * Implementation of eap_sim_file_card_t.destroy.
+ */
+static void destroy(private_eap_sim_file_card_t *this)
+{
+	free(this);
+}
+
+/**
+ * See header
+ */
+eap_sim_file_card_t *eap_sim_file_card_create(eap_sim_file_triplets_t *triplets)
+{
+	private_eap_sim_file_card_t *this = malloc_thing(private_eap_sim_file_card_t);
+
+	this->public.card.get_triplet = (bool(*)(sim_card_t*, identification_t *id, char rand[SIM_RAND_LEN], char sres[SIM_SRES_LEN], char kc[SIM_KC_LEN]))get_triplet;
+	this->public.card.get_quintuplet = (status_t(*)(sim_card_t*, identification_t *id, char rand[AKA_RAND_LEN], char autn[AKA_AUTN_LEN], char ck[AKA_CK_LEN], char ik[AKA_IK_LEN], char res[AKA_RES_MAX], int *res_len))get_quintuplet;
+	this->public.card.resync = (bool(*)(sim_card_t*, identification_t *id, char rand[AKA_RAND_LEN], char auts[AKA_AUTS_LEN]))return_false;
+	this->public.card.get_pseudonym = (identification_t*(*)(sim_card_t*, identification_t *perm))return_null;
+	this->public.card.set_pseudonym = (void(*)(sim_card_t*, identification_t *id, identification_t *pseudonym))nop;
+	this->public.card.get_reauth = (identification_t*(*)(sim_card_t*, identification_t *id, char mk[HASH_SIZE_SHA1], u_int16_t *counter))return_null;
+	this->public.card.set_reauth = (void(*)(sim_card_t*, identification_t *id, identification_t* next, char mk[HASH_SIZE_SHA1], u_int16_t counter))nop;
+	this->public.destroy = (void(*)(eap_sim_file_card_t*))destroy;
+
+	this->triplets = triplets;
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/plugins/eap_sim_file/eap_sim_file_card.h b/src/libcharon/plugins/eap_sim_file/eap_sim_file_card.h
new file mode 100644
index 000000000..1a5470968
--- /dev/null
+++ b/src/libcharon/plugins/eap_sim_file/eap_sim_file_card.h
@@ -0,0 +1,53 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_sim_file_card eap_sim_file_card
+ * @{ @ingroup eap_sim_file
+ */
+
+#ifndef EAP_SIM_FILE_CARD_H_
+#define EAP_SIM_FILE_CARD_H_
+
+#include "eap_sim_file_triplets.h"
+
+#include <sa/authenticators/eap/sim_manager.h>
+
+typedef struct eap_sim_file_card_t eap_sim_file_card_t;
+
+/**
+ * SIM card implementation on top of a triplet file.
+ */
+struct eap_sim_file_card_t {
+
+	/**
+	 * Implements sim_card_t interface
+	 */
+	sim_card_t card;
+
+	/**
+	 * Destroy a eap_sim_file_card_t.
+	 */
+	void (*destroy)(eap_sim_file_card_t *this);
+};
+
+/**
+ * Create a eap_sim_file_card instance.
+ *
+ * @param triplets		source of triplets
+ */
+eap_sim_file_card_t *eap_sim_file_card_create(eap_sim_file_triplets_t *triplets);
+
+#endif /** EAP_SIM_FILE_CARD_H_ @}*/
diff --git a/src/libcharon/plugins/eap_sim_file/eap_sim_file_plugin.c b/src/libcharon/plugins/eap_sim_file/eap_sim_file_plugin.c
new file mode 100644
index 000000000..4f25c35ea
--- /dev/null
+++ b/src/libcharon/plugins/eap_sim_file/eap_sim_file_plugin.c
@@ -0,0 +1,90 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_sim_file_plugin.h"
+#include "eap_sim_file_card.h"
+#include "eap_sim_file_provider.h"
+#include "eap_sim_file_triplets.h"
+
+#include <daemon.h>
+
+#define TRIPLET_FILE IPSEC_CONFDIR "/ipsec.d/triplets.dat"
+
+typedef struct private_eap_sim_file_t private_eap_sim_file_t;
+
+/**
+ * Private data of an eap_sim_file_t object.
+ */
+struct private_eap_sim_file_t {
+
+	/**
+	 * Public eap_sim_file_plugin_t interface.
+	 */
+	eap_sim_file_plugin_t public;
+
+	/**
+	 * SIM card
+	 */
+	eap_sim_file_card_t *card;
+
+	/**
+	 * SIM provider
+	 */
+	eap_sim_file_provider_t *provider;
+
+	/**
+	 * Triplet source
+	 */
+	eap_sim_file_triplets_t *triplets;
+};
+
+/**
+ * Implementation of eap_sim_file_t.destroy.
+ */
+static void destroy(private_eap_sim_file_t *this)
+{
+	charon->sim->remove_card(charon->sim, &this->card->card);
+	charon->sim->remove_provider(charon->sim, &this->provider->provider);
+	this->card->destroy(this->card);
+	this->provider->destroy(this->provider);
+	this->triplets->destroy(this->triplets);
+	free(this);
+}
+
+/**
+ * See header
+ */
+plugin_t *eap_sim_file_plugin_create()
+{
+	private_eap_sim_file_t *this = malloc_thing(private_eap_sim_file_t);
+
+	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+
+	this->triplets = eap_sim_file_triplets_create(TRIPLET_FILE);
+	this->provider = eap_sim_file_provider_create(this->triplets);
+	if (!this->provider)
+	{
+		this->triplets->destroy(this->triplets);
+		free(this);
+		return NULL;
+	}
+	this->card = eap_sim_file_card_create(this->triplets);
+
+	charon->sim->add_card(charon->sim, &this->card->card);
+	charon->sim->add_provider(charon->sim, &this->provider->provider);
+
+	return &this->public.plugin;
+}
+
diff --git a/src/libcharon/plugins/eap_sim_file/eap_sim_file_plugin.h b/src/libcharon/plugins/eap_sim_file/eap_sim_file_plugin.h
new file mode 100644
index 000000000..f5083c72f
--- /dev/null
+++ b/src/libcharon/plugins/eap_sim_file/eap_sim_file_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_sim_file eap_sim_file
+ * @ingroup cplugins
+ *
+ * @defgroup eap_sim_file_plugin eap_sim_file_plugin
+ * @{ @ingroup eap_sim_file
+ */
+
+#ifndef EAP_SIM_FILE_PLUGIN_H_
+#define EAP_SIM_FILE_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct eap_sim_file_plugin_t eap_sim_file_plugin_t;
+
+/**
+ * Plugin to provide a SIM card/provider on top of a triplet file.
+ */
+struct eap_sim_file_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+#endif /** EAP_SIM_FILE_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/eap_sim_file/eap_sim_file_provider.c b/src/libcharon/plugins/eap_sim_file/eap_sim_file_provider.c
new file mode 100644
index 000000000..9bee31fc3
--- /dev/null
+++ b/src/libcharon/plugins/eap_sim_file/eap_sim_file_provider.c
@@ -0,0 +1,93 @@
+/*
+ * Copyright (C) 2008-2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_sim_file_provider.h"
+
+#include <daemon.h>
+
+typedef struct private_eap_sim_file_provider_t private_eap_sim_file_provider_t;
+
+/**
+ * Private data of an eap_sim_file_provider_t object.
+ */
+struct private_eap_sim_file_provider_t {
+
+	/**
+	 * Public eap_sim_file_provider_t interface.
+	 */
+	eap_sim_file_provider_t public;
+
+	/**
+	 * source of triplets
+	 */
+	eap_sim_file_triplets_t *triplets;
+};
+
+/**
+ * Implementation of sim_provider_t.get_triplet
+ */
+static bool get_triplet(private_eap_sim_file_provider_t *this,
+						identification_t *id, char *rand, char *sres, char *kc)
+{
+	enumerator_t *enumerator;
+	identification_t *cand;
+	char *c_rand, *c_sres, *c_kc;
+
+	enumerator = this->triplets->create_enumerator(this->triplets);
+	while (enumerator->enumerate(enumerator, &cand, &c_rand, &c_sres, &c_kc))
+	{
+		if (id->matches(id, cand))
+		{
+			memcpy(rand, c_rand, SIM_RAND_LEN);
+			memcpy(sres, c_sres, SIM_SRES_LEN);
+			memcpy(kc, c_kc, SIM_KC_LEN);
+			enumerator->destroy(enumerator);
+			return TRUE;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return FALSE;
+}
+
+/**
+ * Implementation of eap_sim_file_provider_t.destroy.
+ */
+static void destroy(private_eap_sim_file_provider_t *this)
+{
+	free(this);
+}
+
+/**
+ * See header
+ */
+eap_sim_file_provider_t *eap_sim_file_provider_create(
+											eap_sim_file_triplets_t *triplets)
+{
+	private_eap_sim_file_provider_t *this = malloc_thing(private_eap_sim_file_provider_t);
+
+	this->public.provider.get_triplet = (bool(*)(sim_provider_t*, identification_t *id, char rand[SIM_RAND_LEN], char sres[SIM_SRES_LEN], char kc[SIM_KC_LEN]))get_triplet;
+	this->public.provider.get_quintuplet = (bool(*)(sim_provider_t*, identification_t *id, char rand[AKA_RAND_LEN], char xres[AKA_RES_MAX], int *xres_len, char ck[AKA_CK_LEN], char ik[AKA_IK_LEN], char autn[AKA_AUTN_LEN]))return_false;
+	this->public.provider.resync = (bool(*)(sim_provider_t*, identification_t *id, char rand[AKA_RAND_LEN], char auts[AKA_AUTS_LEN]))return_false;
+	this->public.provider.is_pseudonym = (identification_t*(*)(sim_provider_t*, identification_t *id))return_null;
+	this->public.provider.gen_pseudonym = (identification_t*(*)(sim_provider_t*, identification_t *id))return_null;
+	this->public.provider.is_reauth = (identification_t*(*)(sim_provider_t*, identification_t *id, char [HASH_SIZE_SHA1], u_int16_t *counter))return_null;
+	this->public.provider.gen_reauth = (identification_t*(*)(sim_provider_t*, identification_t *id, char mk[HASH_SIZE_SHA1]))return_null;
+	this->public.destroy = (void(*)(eap_sim_file_provider_t*))destroy;
+
+	this->triplets = triplets;
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/plugins/eap_sim_file/eap_sim_file_provider.h b/src/libcharon/plugins/eap_sim_file/eap_sim_file_provider.h
new file mode 100644
index 000000000..10fda282a
--- /dev/null
+++ b/src/libcharon/plugins/eap_sim_file/eap_sim_file_provider.h
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_sim_file_provider eap_sim_file_provider
+ * @{ @ingroup eap_sim_file
+ */
+
+#ifndef EAP_SIM_FILE_PROVIDER_H_
+#define EAP_SIM_FILE_PROVIDER_H_
+
+#include "eap_sim_file_triplets.h"
+
+typedef struct eap_sim_file_provider_t eap_sim_file_provider_t;
+
+/**
+ * SIM provider implementation on top of triplets file.
+ */
+struct eap_sim_file_provider_t {
+
+	/**
+	 * Implements sim_provider_t interface.
+	 */
+	sim_provider_t provider;
+
+	/**
+	 * Destroy a eap_sim_file_provider_t.
+	 */
+	void (*destroy)(eap_sim_file_provider_t *this);
+};
+
+/**
+ * Create a eap_sim_file_provider instance.
+ */
+eap_sim_file_provider_t *eap_sim_file_provider_create(
+											eap_sim_file_triplets_t *triplets);
+
+#endif /** EAP_SIM_FILE_PROVIDER_H_ @}*/
diff --git a/src/libcharon/plugins/eap_sim_file/eap_sim_file_triplets.c b/src/libcharon/plugins/eap_sim_file/eap_sim_file_triplets.c
new file mode 100644
index 000000000..6b7d99fb7
--- /dev/null
+++ b/src/libcharon/plugins/eap_sim_file/eap_sim_file_triplets.c
@@ -0,0 +1,260 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_sim_file_triplets.h"
+
+#include <stdio.h>
+#include <errno.h>
+
+#include <daemon.h>
+#include <utils/linked_list.h>
+#include <threading/mutex.h>
+
+typedef struct private_eap_sim_file_triplets_t private_eap_sim_file_triplets_t;
+
+/**
+ * Private data of an eap_sim_file_triplets_t object.
+ */
+struct private_eap_sim_file_triplets_t {
+
+	/**
+	 * Public eap_sim_file_triplets_t interface.
+	 */
+	eap_sim_file_triplets_t public;
+
+	/**
+	 * List of triplets, as triplet_t
+	 */
+	linked_list_t *triplets;
+
+	/**
+	 * mutex to lock triplets list
+	 */
+	mutex_t *mutex;
+};
+
+/**
+ * A single triplet
+ */
+typedef struct  {
+	identification_t *imsi;
+	char rand[SIM_RAND_LEN];
+	char sres[SIM_SRES_LEN];
+	char kc[SIM_KC_LEN];
+} triplet_t;
+
+/**
+ * Destroy a triplet
+ */
+static void triplet_destroy(triplet_t *this)
+{
+	DESTROY_IF(this->imsi);
+	free(this);
+}
+
+/**
+ * triplet enumerator
+ */
+typedef struct {
+	/** implements enumerator */
+	enumerator_t public;
+	/** inner enumerator */
+	enumerator_t *inner;
+	/** current enumerating triplet */
+	triplet_t *current;
+	/** back ptr */
+	private_eap_sim_file_triplets_t *this;
+} triplet_enumerator_t;
+
+/**
+ * destroy a triplet enumerator
+ */
+static void enumerator_destroy(triplet_enumerator_t *e)
+{
+	if (e->current)
+	{
+		/* We assume that the current element is used on invocation if destroy.
+		 * We move that triplet to the end to avoid handout of the same triplet
+		 * next time. */
+		e->this->triplets->remove_at(e->this->triplets, e->inner);
+		e->this->triplets->insert_last(e->this->triplets, e->current);
+	}
+	e->inner->destroy(e->inner);
+	e->this->mutex->unlock(e->this->mutex);
+	free(e);
+}
+
+/**
+ * enumerate through triplets
+ */
+static bool enumerator_enumerate(triplet_enumerator_t *e, identification_t **imsi,
+								 char **rand, char **sres, char **kc)
+{
+	triplet_t *triplet;
+
+	if (e->inner->enumerate(e->inner, &triplet))
+	{
+		e->current = triplet;
+		*imsi = triplet->imsi;
+		*rand = triplet->rand;
+		*sres = triplet->sres;
+		*kc = triplet->kc;
+		return TRUE;
+	}
+	e->current = NULL;
+	return FALSE;
+}
+
+/**
+ * Implementation of eap_sim_file_triplets_t.create_enumerator
+ */
+static enumerator_t* create_enumerator(private_eap_sim_file_triplets_t *this)
+{
+	triplet_enumerator_t *enumerator = malloc_thing(triplet_enumerator_t);
+
+	this->mutex->lock(this->mutex);
+	enumerator->public.enumerate = (void*)enumerator_enumerate;
+	enumerator->public.destroy = (void*)enumerator_destroy;
+	enumerator->inner = this->triplets->create_enumerator(this->triplets);
+	enumerator->current = NULL;
+	enumerator->this = this;
+
+	return &enumerator->public;
+}
+
+/**
+ * convert to token into the array
+ */
+static void parse_token(char *to, char *from, size_t len)
+{
+	chunk_t chunk;
+
+	chunk = chunk_create(from, min(strlen(from), len * 2));
+	chunk = chunk_from_hex(chunk, NULL);
+	memset(to, 0, len);
+	memcpy(to + len - chunk.len, chunk.ptr, chunk.len);
+	free(chunk.ptr);
+}
+
+/**
+ * Read the triplets from the file
+ */
+static void read_triplets(private_eap_sim_file_triplets_t *this, char *path)
+{
+	char line[512];
+	FILE *file;
+	int i, nr = 0;
+
+	file = fopen(path, "r");
+	if (file == NULL)
+	{
+		DBG1(DBG_CFG, "opening triplet file %s failed: %s",
+			 path, strerror(errno));
+		return;
+	}
+
+	/* read line by line */
+	while (fgets(line, sizeof(line), file))
+	{
+		triplet_t *triplet;
+		enumerator_t *enumerator;
+		char *token;
+
+		nr++;
+		/* skip comments, empty lines */
+		switch (line[0])
+		{
+			case '\n':
+			case '\r':
+			case '#':
+			case '\0':
+				continue;
+			default:
+				break;
+		}
+		triplet = malloc_thing(triplet_t);
+		memset(triplet, 0, sizeof(triplet_t));
+
+		i = 0;
+		enumerator = enumerator_create_token(line, ",", " \n\r#");
+		while (enumerator->enumerate(enumerator, &token))
+		{
+			switch (i++)
+			{
+				case 0: /* IMSI */
+					triplet->imsi = identification_create_from_string(token);
+					continue;
+				case 1: /* rand */
+					parse_token(triplet->rand, token, SIM_RAND_LEN);
+					continue;
+				case 2: /* sres */
+					parse_token(triplet->sres, token, SIM_SRES_LEN);
+					continue;
+				case 3: /* kc */
+					parse_token(triplet->kc, token, SIM_KC_LEN);
+					continue;
+				default:
+					break;;
+			}
+			break;
+		}
+		enumerator->destroy(enumerator);
+		if (i < 4)
+		{
+			DBG1(DBG_CFG, "error in triplet file, line %d", nr);
+			triplet_destroy(triplet);
+			continue;
+		}
+
+		DBG2(DBG_CFG, "triplet: imsi %Y\nrand %b\nsres %b\nkc %b",
+			 triplet->imsi, triplet->rand, SIM_RAND_LEN,
+			 triplet->sres, SIM_SRES_LEN, triplet->kc, SIM_KC_LEN);
+
+		this->triplets->insert_last(this->triplets, triplet);
+	}
+	fclose(file);
+
+	DBG1(DBG_CFG, "read %d triplets from %s",
+		 this->triplets->get_count(this->triplets), path);
+}
+
+/**
+ * Implementation of eap_sim_file_triplets_t.destroy.
+ */
+static void destroy(private_eap_sim_file_triplets_t *this)
+{
+	this->triplets->destroy_function(this->triplets, (void*)triplet_destroy);
+	this->mutex->destroy(this->mutex);
+	free(this);
+}
+
+/**
+ * See header
+ */
+eap_sim_file_triplets_t *eap_sim_file_triplets_create(char *file)
+{
+	private_eap_sim_file_triplets_t *this = malloc_thing(private_eap_sim_file_triplets_t);
+
+	this->public.create_enumerator = (enumerator_t*(*)(eap_sim_file_triplets_t*))create_enumerator;
+	this->public.destroy = (void(*)(eap_sim_file_triplets_t*))destroy;
+
+	this->triplets = linked_list_create();
+	this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
+
+	read_triplets(this, file);
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/plugins/eap_sim_file/eap_sim_file_triplets.h b/src/libcharon/plugins/eap_sim_file/eap_sim_file_triplets.h
new file mode 100644
index 000000000..8f8130810
--- /dev/null
+++ b/src/libcharon/plugins/eap_sim_file/eap_sim_file_triplets.h
@@ -0,0 +1,56 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_sim_file_triplets eap_sim_file_triplets
+ * @{ @ingroup eap_sim_file
+ */
+
+#ifndef EAP_SIM_FILE_TRIPLETS_H_
+#define EAP_SIM_FILE_TRIPLETS_H_
+
+#include <sa/authenticators/eap/sim_manager.h>
+
+typedef struct eap_sim_file_triplets_t eap_sim_file_triplets_t;
+
+/**
+ * Reads triplets from a triplets.dat file.
+ *
+ * The file is in freeradius triplet file syntax:
+ * http://www.freeradius.org/radiusd/doc/rlm_sim_triplets
+ */
+struct eap_sim_file_triplets_t {
+
+	/**
+	 * Create an enumerator over the file's triplets.
+	 *
+	 * @return			enumerator over (identity, rand, sres, kc)
+	 */
+	enumerator_t* (*create_enumerator)(eap_sim_file_triplets_t *this);
+
+	/**
+	 * Destroy a eap_sim_file_triplets_t.
+	 */
+	void (*destroy)(eap_sim_file_triplets_t *this);
+};
+
+/**
+ * Create a eap_sim_file_triplets instance.
+ *
+ * @param file		triplet file to read from
+ */
+eap_sim_file_triplets_t *eap_sim_file_triplets_create(char *file);
+
+#endif /** EAP_SIM_FILE_TRIPLETS_H_ @}*/
diff --git a/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.am b/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.am
new file mode 100644
index 000000000..a158d6dbe
--- /dev/null
+++ b/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.am
@@ -0,0 +1,18 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-eap-simaka-pseudonym.la
+else
+plugin_LTLIBRARIES = libstrongswan-eap-simaka-pseudonym.la
+endif
+
+libstrongswan_eap_simaka_pseudonym_la_SOURCES = \
+	eap_simaka_pseudonym_plugin.h eap_simaka_pseudonym_plugin.c \
+	eap_simaka_pseudonym_card.h eap_simaka_pseudonym_card.c \
+	eap_simaka_pseudonym_provider.h eap_simaka_pseudonym_provider.c
+
+libstrongswan_eap_simaka_pseudonym_la_LDFLAGS = -module -avoid-version
diff --git a/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in b/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in
new file mode 100644
index 000000000..6c44ea2bb
--- /dev/null
+++ b/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in
@@ -0,0 +1,594 @@
+# Makefile.in generated by automake 1.11 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libcharon/plugins/eap_simaka_pseudonym
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_eap_simaka_pseudonym_la_LIBADD =
+am_libstrongswan_eap_simaka_pseudonym_la_OBJECTS =  \
+	eap_simaka_pseudonym_plugin.lo eap_simaka_pseudonym_card.lo \
+	eap_simaka_pseudonym_provider.lo
+libstrongswan_eap_simaka_pseudonym_la_OBJECTS =  \
+	$(am_libstrongswan_eap_simaka_pseudonym_la_OBJECTS)
+libstrongswan_eap_simaka_pseudonym_la_LINK = $(LIBTOOL) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_eap_simaka_pseudonym_la_LDFLAGS) $(LDFLAGS) -o \
+	$@
+@MONOLITHIC_FALSE@am_libstrongswan_eap_simaka_pseudonym_la_rpath =  \
+@MONOLITHIC_FALSE@	-rpath $(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_eap_simaka_pseudonym_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_eap_simaka_pseudonym_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_eap_simaka_pseudonym_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libhydra_plugins = @libhydra_plugins@
+libstrongswan_plugins = @libstrongswan_plugins@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-eap-simaka-pseudonym.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-eap-simaka-pseudonym.la
+libstrongswan_eap_simaka_pseudonym_la_SOURCES = \
+	eap_simaka_pseudonym_plugin.h eap_simaka_pseudonym_plugin.c \
+	eap_simaka_pseudonym_card.h eap_simaka_pseudonym_card.c \
+	eap_simaka_pseudonym_provider.h eap_simaka_pseudonym_provider.c
+
+libstrongswan_eap_simaka_pseudonym_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/eap_simaka_pseudonym/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libcharon/plugins/eap_simaka_pseudonym/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-eap-simaka-pseudonym.la: $(libstrongswan_eap_simaka_pseudonym_la_OBJECTS) $(libstrongswan_eap_simaka_pseudonym_la_DEPENDENCIES) 
+	$(libstrongswan_eap_simaka_pseudonym_la_LINK) $(am_libstrongswan_eap_simaka_pseudonym_la_rpath) $(libstrongswan_eap_simaka_pseudonym_la_OBJECTS) $(libstrongswan_eap_simaka_pseudonym_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_simaka_pseudonym_card.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_simaka_pseudonym_plugin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_simaka_pseudonym_provider.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libcharon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_card.c b/src/libcharon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_card.c
new file mode 100644
index 000000000..9b0f1bc71
--- /dev/null
+++ b/src/libcharon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_card.c
@@ -0,0 +1,154 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_simaka_pseudonym_card.h"
+
+#include <daemon.h>
+#include <utils/hashtable.h>
+
+typedef struct private_eap_simaka_pseudonym_card_t private_eap_simaka_pseudonym_card_t;
+
+/**
+ * Private data of an eap_simaka_pseudonym_card_t object.
+ */
+struct private_eap_simaka_pseudonym_card_t {
+
+	/**
+	 * Public eap_simaka_pseudonym_card_t interface.
+	 */
+	eap_simaka_pseudonym_card_t public;
+
+	/**
+	 * Permanent -> pseudonym mappings
+	 */
+	hashtable_t *pseudonym;
+
+	/**
+	 * Reverse pseudonym -> permanent mappings
+	 */
+	hashtable_t *permanent;
+};
+
+/**
+ * hashtable hash function
+ */
+static u_int hash(identification_t *key)
+{
+	return chunk_hash(key->get_encoding(key));
+}
+
+/**
+ * hashtable equals function
+ */
+static bool equals(identification_t *key1, identification_t *key2)
+{
+	return key1->equals(key1, key2);
+}
+
+/**
+ * Implementation of sim_card_t.get_pseudonym
+ */
+static identification_t *get_pseudonym(private_eap_simaka_pseudonym_card_t *this,
+									   identification_t *id)
+{
+	identification_t *pseudonym;
+
+	pseudonym = this->pseudonym->get(this->pseudonym, id);
+	if (pseudonym)
+	{
+		return pseudonym->clone(pseudonym);
+	}
+	return NULL;
+}
+
+/**
+ * Implementation of sim_card_t.set_pseudonym
+ */
+static void set_pseudonym(private_eap_simaka_pseudonym_card_t *this,
+						  identification_t *id, identification_t *pseudonym)
+{
+	identification_t *permanent;
+
+	/* create new entries */
+	id = id->clone(id);
+	pseudonym = pseudonym->clone(pseudonym);
+	permanent = this->permanent->put(this->permanent, pseudonym, id);
+	pseudonym = this->pseudonym->put(this->pseudonym, id, pseudonym);
+
+	/* delete old entries */
+	DESTROY_IF(permanent);
+	DESTROY_IF(pseudonym);
+}
+
+/**
+ * Implementation of sim_card_t.get_quintuplet
+ */
+static status_t get_quintuplet()
+{
+	return NOT_SUPPORTED;
+}
+
+/**
+ * Implementation of eap_simaka_pseudonym_card_t.destroy.
+ */
+static void destroy(private_eap_simaka_pseudonym_card_t *this)
+{
+	enumerator_t *enumerator;
+	identification_t *id;
+	void *key;
+
+	enumerator = this->pseudonym->create_enumerator(this->pseudonym);
+	while (enumerator->enumerate(enumerator, &key, &id))
+	{
+		id->destroy(id);
+	}
+	enumerator->destroy(enumerator);
+
+	enumerator = this->permanent->create_enumerator(this->permanent);
+	while (enumerator->enumerate(enumerator, &key, &id))
+	{
+		id->destroy(id);
+	}
+	enumerator->destroy(enumerator);
+
+	this->pseudonym->destroy(this->pseudonym);
+	this->permanent->destroy(this->permanent);
+	free(this);
+}
+
+/**
+ * See header
+ */
+eap_simaka_pseudonym_card_t *eap_simaka_pseudonym_card_create()
+{
+	private_eap_simaka_pseudonym_card_t *this;
+
+	this = malloc_thing(private_eap_simaka_pseudonym_card_t);
+
+	this->public.card.get_triplet = (bool(*)(sim_card_t*, identification_t *id, char rand[SIM_RAND_LEN], char sres[SIM_SRES_LEN], char kc[SIM_KC_LEN]))return_false;
+	this->public.card.get_quintuplet = (status_t(*)(sim_card_t*, identification_t *id, char rand[AKA_RAND_LEN], char autn[AKA_AUTN_LEN], char ck[AKA_CK_LEN], char ik[AKA_IK_LEN], char res[AKA_RES_MAX], int *res_len))get_quintuplet;
+	this->public.card.resync = (bool(*)(sim_card_t*, identification_t *id, char rand[AKA_RAND_LEN], char auts[AKA_AUTS_LEN]))return_false;
+	this->public.card.get_pseudonym = (identification_t*(*)(sim_card_t*, identification_t *perm))get_pseudonym;
+	this->public.card.set_pseudonym = (void(*)(sim_card_t*, identification_t *id, identification_t *pseudonym))set_pseudonym;
+	this->public.card.get_reauth = (identification_t*(*)(sim_card_t*, identification_t *id, char mk[HASH_SIZE_SHA1], u_int16_t *counter))return_null;
+	this->public.card.set_reauth = (void(*)(sim_card_t*, identification_t *id, identification_t* next, char mk[HASH_SIZE_SHA1], u_int16_t counter))nop;
+	this->public.destroy = (void(*)(eap_simaka_pseudonym_card_t*))destroy;
+
+	this->pseudonym = hashtable_create((void*)hash, (void*)equals, 0);
+	this->permanent = hashtable_create((void*)hash, (void*)equals, 0);
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_card.h b/src/libcharon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_card.h
new file mode 100644
index 000000000..1b5940fdc
--- /dev/null
+++ b/src/libcharon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_card.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_simaka_pseudonym_card eap_simaka_pseudonym_card
+ * @{ @ingroup eap_simaka_pseudonym
+ */
+
+#ifndef EAP_SIMAKA_PSEUDONYM_CARD_H_
+#define EAP_SIMAKA_PSEUDONYM_CARD_H_
+
+#include <sa/authenticators/eap/sim_manager.h>
+
+typedef struct eap_simaka_pseudonym_card_t eap_simaka_pseudonym_card_t;
+
+/**
+ * SIM card implementing volatile in-memory pseudonym storage.
+ */
+struct eap_simaka_pseudonym_card_t {
+
+	/**
+	 * Implements sim_card_t interface
+	 */
+	sim_card_t card;
+
+	/**
+	 * Destroy a eap_simaka_pseudonym_card_t.
+	 */
+	void (*destroy)(eap_simaka_pseudonym_card_t *this);
+};
+
+/**
+ * Create a eap_simaka_pseudonym_card instance.
+ */
+eap_simaka_pseudonym_card_t *eap_simaka_pseudonym_card_create();
+
+#endif /** EAP_SIMAKA_PSEUDONYM_CARD_H_ @}*/
diff --git a/src/libcharon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_plugin.c b/src/libcharon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_plugin.c
new file mode 100644
index 000000000..81b9d7b00
--- /dev/null
+++ b/src/libcharon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_plugin.c
@@ -0,0 +1,81 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_simaka_pseudonym_plugin.h"
+#include "eap_simaka_pseudonym_card.h"
+#include "eap_simaka_pseudonym_provider.h"
+
+#include <daemon.h>
+
+typedef struct private_eap_simaka_pseudonym_t private_eap_simaka_pseudonym_t;
+
+/**
+ * Private data of an eap_simaka_pseudonym_t object.
+ */
+struct private_eap_simaka_pseudonym_t {
+
+	/**
+	 * Public eap_simaka_pseudonym_plugin_t interface.
+	 */
+	eap_simaka_pseudonym_plugin_t public;
+
+	/**
+	 * SIM card
+	 */
+	eap_simaka_pseudonym_card_t *card;
+
+	/**
+	 * SIM provider
+	 */
+	eap_simaka_pseudonym_provider_t *provider;
+};
+
+/**
+ * Implementation of eap_simaka_pseudonym_t.destroy.
+ */
+static void destroy(private_eap_simaka_pseudonym_t *this)
+{
+	charon->sim->remove_card(charon->sim, &this->card->card);
+	charon->sim->remove_provider(charon->sim, &this->provider->provider);
+	this->card->destroy(this->card);
+	this->provider->destroy(this->provider);
+	free(this);
+}
+
+/**
+ * See header
+ */
+plugin_t *eap_simaka_pseudonym_plugin_create()
+{
+	private_eap_simaka_pseudonym_t *this;
+
+	this = malloc_thing(private_eap_simaka_pseudonym_t);
+
+	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+
+	this->provider = eap_simaka_pseudonym_provider_create();
+	if (!this->provider)
+	{
+		free(this);
+		return NULL;
+	}
+	this->card = eap_simaka_pseudonym_card_create();
+
+	charon->sim->add_card(charon->sim, &this->card->card);
+	charon->sim->add_provider(charon->sim, &this->provider->provider);
+
+	return &this->public.plugin;
+}
+
diff --git a/src/libcharon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_plugin.h b/src/libcharon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_plugin.h
new file mode 100644
index 000000000..1992b2482
--- /dev/null
+++ b/src/libcharon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_simaka_pseudonym eap_simaka_pseudonym
+ * @ingroup cplugins
+ *
+ * @defgroup eap_simaka_pseudonym_plugin eap_simaka_pseudonym_plugin
+ * @{ @ingroup eap_simaka_pseudonym
+ */
+
+#ifndef EAP_SIMAKA_PSEUDONYM_PLUGIN_H_
+#define EAP_SIMAKA_PSEUDONYM_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct eap_simaka_pseudonym_plugin_t eap_simaka_pseudonym_plugin_t;
+
+/**
+ * Plugin to provide in-memory storage of EAP-SIM/AKA pseudonyms.
+ */
+struct eap_simaka_pseudonym_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+#endif /** EAP_SIMAKA_PSEUDONYM_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_provider.c b/src/libcharon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_provider.c
new file mode 100644
index 000000000..0613b8807
--- /dev/null
+++ b/src/libcharon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_provider.c
@@ -0,0 +1,182 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_simaka_pseudonym_provider.h"
+
+#include <utils/hashtable.h>
+
+typedef struct private_eap_simaka_pseudonym_provider_t private_eap_simaka_pseudonym_provider_t;
+
+/**
+ * Private data of an eap_simaka_pseudonym_provider_t object.
+ */
+struct private_eap_simaka_pseudonym_provider_t {
+
+	/**
+	 * Public eap_simaka_pseudonym_provider_t interface.
+	 */
+	eap_simaka_pseudonym_provider_t public;
+
+	/**
+	 * Permanent -> pseudonym mappings
+	 */
+	hashtable_t *pseudonym;
+
+	/**
+	 * Reverse pseudonym -> permanent mappings
+	 */
+	hashtable_t *permanent;
+
+	/**
+	 * RNG for pseudonyms/reauth identities
+	 */
+	rng_t *rng;
+};
+
+/**
+ * hashtable hash function
+ */
+static u_int hash(identification_t *key)
+{
+	return chunk_hash(key->get_encoding(key));
+}
+
+/**
+ * hashtable equals function
+ */
+static bool equals(identification_t *key1, identification_t *key2)
+{
+	return key1->equals(key1, key2);
+}
+
+/**
+ * Implementation of sim_provider_t.is_pseudonym
+ */
+static identification_t* is_pseudonym(
+			private_eap_simaka_pseudonym_provider_t *this, identification_t *id)
+{
+	identification_t *permanent;
+
+	permanent = this->permanent->get(this->permanent, id);
+	if (permanent)
+	{
+		return permanent->clone(permanent);
+	}
+	return NULL;
+}
+
+/**
+ * Generate a random identity
+ */
+static identification_t *gen_identity(
+								private_eap_simaka_pseudonym_provider_t *this)
+{
+	char buf[8], hex[sizeof(buf) * 2 + 1];
+
+	this->rng->get_bytes(this->rng, sizeof(buf), buf);
+	chunk_to_hex(chunk_create(buf, sizeof(buf)), hex, FALSE);
+
+	return identification_create_from_string(hex);
+}
+
+/**
+ * Implementation of sim_provider_t.get_pseudonym
+ */
+static identification_t* gen_pseudonym(
+			private_eap_simaka_pseudonym_provider_t *this, identification_t *id)
+{
+	identification_t *pseudonym, *permanent;
+
+	/* remove old entry */
+	pseudonym = this->pseudonym->remove(this->pseudonym, id);
+	if (pseudonym)
+	{
+		permanent = this->permanent->remove(this->permanent, pseudonym);
+		if (permanent)
+		{
+			permanent->destroy(permanent);
+		}
+		pseudonym->destroy(pseudonym);
+	}
+
+	pseudonym = gen_identity(this);
+
+	/* create new entries */
+	id = id->clone(id);
+	this->pseudonym->put(this->pseudonym, id, pseudonym);
+	this->permanent->put(this->permanent, pseudonym, id);
+
+	return pseudonym->clone(pseudonym);
+}
+
+/**
+ * Implementation of eap_simaka_pseudonym_provider_t.destroy.
+ */
+static void destroy(private_eap_simaka_pseudonym_provider_t *this)
+{
+	enumerator_t *enumerator;
+	identification_t *id;
+	void *key;
+
+	enumerator = this->pseudonym->create_enumerator(this->pseudonym);
+	while (enumerator->enumerate(enumerator, &key, &id))
+	{
+		id->destroy(id);
+	}
+	enumerator->destroy(enumerator);
+
+	enumerator = this->permanent->create_enumerator(this->permanent);
+	while (enumerator->enumerate(enumerator, &key, &id))
+	{
+		id->destroy(id);
+	}
+	enumerator->destroy(enumerator);
+
+	this->pseudonym->destroy(this->pseudonym);
+	this->permanent->destroy(this->permanent);
+	this->rng->destroy(this->rng);
+	free(this);
+}
+
+/**
+ * See header
+ */
+eap_simaka_pseudonym_provider_t *eap_simaka_pseudonym_provider_create()
+{
+	private_eap_simaka_pseudonym_provider_t *this;
+
+	this = malloc_thing(private_eap_simaka_pseudonym_provider_t);
+
+	this->public.provider.get_triplet = (bool(*)(sim_provider_t*, identification_t *id, char rand[SIM_RAND_LEN], char sres[SIM_SRES_LEN], char kc[SIM_KC_LEN]))return_false;
+	this->public.provider.get_quintuplet = (bool(*)(sim_provider_t*, identification_t *id, char rand[AKA_RAND_LEN], char xres[AKA_RES_MAX], int *xres_len, char ck[AKA_CK_LEN], char ik[AKA_IK_LEN], char autn[AKA_AUTN_LEN]))return_false;
+	this->public.provider.resync = (bool(*)(sim_provider_t*, identification_t *id, char rand[AKA_RAND_LEN], char auts[AKA_AUTS_LEN]))return_false;
+	this->public.provider.is_pseudonym = (identification_t*(*)(sim_provider_t*, identification_t *id))is_pseudonym;
+	this->public.provider.gen_pseudonym = (identification_t*(*)(sim_provider_t*, identification_t *id))gen_pseudonym;
+	this->public.provider.is_reauth = (identification_t*(*)(sim_provider_t*, identification_t *id, char [HASH_SIZE_SHA1], u_int16_t *counter))return_null;
+	this->public.provider.gen_reauth = (identification_t*(*)(sim_provider_t*, identification_t *id, char mk[HASH_SIZE_SHA1]))return_null;
+	this->public.destroy = (void(*)(eap_simaka_pseudonym_provider_t*))destroy;
+
+	this->rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
+	if (!this->rng)
+	{
+		free(this);
+		return NULL;
+	}
+	this->pseudonym = hashtable_create((void*)hash, (void*)equals, 0);
+	this->permanent = hashtable_create((void*)hash, (void*)equals, 0);
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_provider.h b/src/libcharon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_provider.h
new file mode 100644
index 000000000..5d8e6d221
--- /dev/null
+++ b/src/libcharon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_provider.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_simaka_pseudonym_provider eap_simaka_pseudonym_provider
+ * @{ @ingroup eap_simaka_pseudonym
+ */
+
+#ifndef EAP_SIMAKA_PSEDUONYM_PROVIDER_H_
+#define EAP_SIMAKA_PSEDUONYM_PROVIDER_H_
+
+#include <sa/authenticators/eap/sim_manager.h>
+
+typedef struct eap_simaka_pseudonym_provider_t eap_simaka_pseudonym_provider_t;
+
+/**
+ * SIM provider implementing volatile in-memory pseudonym storage.
+ */
+struct eap_simaka_pseudonym_provider_t {
+
+	/**
+	 * Implements sim_provider_t interface.
+	 */
+	sim_provider_t provider;
+
+	/**
+	 * Destroy a eap_simaka_pseudonym_provider_t.
+	 */
+	void (*destroy)(eap_simaka_pseudonym_provider_t *this);
+};
+
+/**
+ * Create a eap_simaka_pseudonym_provider instance.
+ */
+eap_simaka_pseudonym_provider_t *eap_simaka_pseudonym_provider_create();
+
+#endif /** EAP_SIMAKA_PSEDUONYM_PROVIDER_H_ @}*/
diff --git a/src/libcharon/plugins/eap_simaka_reauth/Makefile.am b/src/libcharon/plugins/eap_simaka_reauth/Makefile.am
new file mode 100644
index 000000000..fbcd544d3
--- /dev/null
+++ b/src/libcharon/plugins/eap_simaka_reauth/Makefile.am
@@ -0,0 +1,18 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-eap-simaka-reauth.la
+else
+plugin_LTLIBRARIES = libstrongswan-eap-simaka-reauth.la
+endif
+
+libstrongswan_eap_simaka_reauth_la_SOURCES = \
+	eap_simaka_reauth_plugin.h eap_simaka_reauth_plugin.c \
+	eap_simaka_reauth_card.h eap_simaka_reauth_card.c \
+	eap_simaka_reauth_provider.h eap_simaka_reauth_provider.c
+
+libstrongswan_eap_simaka_reauth_la_LDFLAGS = -module -avoid-version
diff --git a/src/libcharon/plugins/eap_simaka_reauth/Makefile.in b/src/libcharon/plugins/eap_simaka_reauth/Makefile.in
new file mode 100644
index 000000000..35d8e7c3b
--- /dev/null
+++ b/src/libcharon/plugins/eap_simaka_reauth/Makefile.in
@@ -0,0 +1,593 @@
+# Makefile.in generated by automake 1.11 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libcharon/plugins/eap_simaka_reauth
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_eap_simaka_reauth_la_LIBADD =
+am_libstrongswan_eap_simaka_reauth_la_OBJECTS =  \
+	eap_simaka_reauth_plugin.lo eap_simaka_reauth_card.lo \
+	eap_simaka_reauth_provider.lo
+libstrongswan_eap_simaka_reauth_la_OBJECTS =  \
+	$(am_libstrongswan_eap_simaka_reauth_la_OBJECTS)
+libstrongswan_eap_simaka_reauth_la_LINK = $(LIBTOOL) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_eap_simaka_reauth_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_eap_simaka_reauth_la_rpath =  \
+@MONOLITHIC_FALSE@	-rpath $(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_eap_simaka_reauth_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_eap_simaka_reauth_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_eap_simaka_reauth_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libhydra_plugins = @libhydra_plugins@
+libstrongswan_plugins = @libstrongswan_plugins@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-eap-simaka-reauth.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-eap-simaka-reauth.la
+libstrongswan_eap_simaka_reauth_la_SOURCES = \
+	eap_simaka_reauth_plugin.h eap_simaka_reauth_plugin.c \
+	eap_simaka_reauth_card.h eap_simaka_reauth_card.c \
+	eap_simaka_reauth_provider.h eap_simaka_reauth_provider.c
+
+libstrongswan_eap_simaka_reauth_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/eap_simaka_reauth/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libcharon/plugins/eap_simaka_reauth/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-eap-simaka-reauth.la: $(libstrongswan_eap_simaka_reauth_la_OBJECTS) $(libstrongswan_eap_simaka_reauth_la_DEPENDENCIES) 
+	$(libstrongswan_eap_simaka_reauth_la_LINK) $(am_libstrongswan_eap_simaka_reauth_la_rpath) $(libstrongswan_eap_simaka_reauth_la_OBJECTS) $(libstrongswan_eap_simaka_reauth_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_simaka_reauth_card.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_simaka_reauth_plugin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_simaka_reauth_provider.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libcharon/plugins/eap_simaka_reauth/eap_simaka_reauth_card.c b/src/libcharon/plugins/eap_simaka_reauth/eap_simaka_reauth_card.c
new file mode 100644
index 000000000..14d0416d9
--- /dev/null
+++ b/src/libcharon/plugins/eap_simaka_reauth/eap_simaka_reauth_card.c
@@ -0,0 +1,170 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_simaka_reauth_card.h"
+
+#include <daemon.h>
+#include <utils/hashtable.h>
+
+typedef struct private_eap_simaka_reauth_card_t private_eap_simaka_reauth_card_t;
+
+/**
+ * Private data of an eap_simaka_reauth_card_t object.
+ */
+struct private_eap_simaka_reauth_card_t {
+
+	/**
+	 * Public eap_simaka_reauth_card_t interface.
+	 */
+	eap_simaka_reauth_card_t public;
+
+	/**
+	 * Permanent -> reauth_data_t mappings
+	 */
+	hashtable_t *reauth;
+};
+
+/**
+ * Data associated to a reauthentication identity
+ */
+typedef struct {
+	/** currently used reauthentication identity */
+	identification_t *id;
+	/** associated permanent identity */
+	identification_t *permanent;
+	/** counter value */
+	u_int16_t counter;
+	/** master key */
+	char mk[HASH_SIZE_SHA1];
+} reauth_data_t;
+
+/**
+ * hashtable hash function
+ */
+static u_int hash(identification_t *key)
+{
+	return chunk_hash(key->get_encoding(key));
+}
+
+/**
+ * hashtable equals function
+ */
+static bool equals(identification_t *key1, identification_t *key2)
+{
+	return key1->equals(key1, key2);
+}
+
+/**
+ * Implementation of sim_card_t.get_reauth
+ */
+static identification_t *get_reauth(private_eap_simaka_reauth_card_t *this,
+								identification_t *id, char mk[HASH_SIZE_SHA1],
+								u_int16_t *counter)
+{
+	reauth_data_t *data;
+	identification_t *reauth;
+
+	/* look up reauthentication data */
+	data = this->reauth->remove(this->reauth, id);
+	if (!data)
+	{
+		return NULL;
+	}
+	*counter = ++data->counter;
+	memcpy(mk, data->mk, HASH_SIZE_SHA1);
+	reauth = data->id;
+	data->permanent->destroy(data->permanent);
+	free(data);
+	return reauth;
+}
+
+/**
+ * Implementation of sim_card_t.set_reauth
+ */
+static void set_reauth(private_eap_simaka_reauth_card_t *this,
+					   identification_t *id, identification_t* next,
+					   char mk[HASH_SIZE_SHA1], u_int16_t counter)
+{
+	reauth_data_t *data;
+
+	data = this->reauth->get(this->reauth, id);
+	if (data)
+	{
+		data->id->destroy(data->id);
+	}
+	else
+	{
+		data = malloc_thing(reauth_data_t);
+		data->permanent = id->clone(id);
+		this->reauth->put(this->reauth, data->permanent, data);
+	}
+	data->counter = counter;
+	data->id = next->clone(next);
+	memcpy(data->mk, mk, HASH_SIZE_SHA1);
+}
+
+/**
+ * Implementation of sim_card_t.get_quintuplet
+ */
+static status_t get_quintuplet()
+{
+	return NOT_SUPPORTED;
+}
+
+/**
+ * Implementation of eap_simaka_reauth_card_t.destroy.
+ */
+static void destroy(private_eap_simaka_reauth_card_t *this)
+{
+	enumerator_t *enumerator;
+	reauth_data_t *data;
+	void *key;
+
+	enumerator = this->reauth->create_enumerator(this->reauth);
+	while (enumerator->enumerate(enumerator, &key, &data))
+	{
+		data->id->destroy(data->id);
+		data->permanent->destroy(data->permanent);
+		free(data);
+	}
+	enumerator->destroy(enumerator);
+
+	this->reauth->destroy(this->reauth);
+	free(this);
+}
+
+/**
+ * See header
+ */
+eap_simaka_reauth_card_t *eap_simaka_reauth_card_create()
+{
+	private_eap_simaka_reauth_card_t *this;
+
+	this = malloc_thing(private_eap_simaka_reauth_card_t);
+
+	this->public.card.get_triplet = (bool(*)(sim_card_t*, identification_t *id, char rand[SIM_RAND_LEN], char sres[SIM_SRES_LEN], char kc[SIM_KC_LEN]))return_null;
+	this->public.card.get_quintuplet = (status_t(*)(sim_card_t*, identification_t *id, char rand[AKA_RAND_LEN], char autn[AKA_AUTN_LEN], char ck[AKA_CK_LEN], char ik[AKA_IK_LEN], char res[AKA_RES_MAX], int *res_len))get_quintuplet;
+	this->public.card.resync = (bool(*)(sim_card_t*, identification_t *id, char rand[AKA_RAND_LEN], char auts[AKA_AUTS_LEN]))return_false;
+	this->public.card.get_pseudonym = (identification_t*(*)(sim_card_t*, identification_t *perm))return_null;
+	this->public.card.set_pseudonym = (void(*)(sim_card_t*, identification_t *id, identification_t *pseudonym))nop;
+	this->public.card.get_reauth = (identification_t*(*)(sim_card_t*, identification_t *id, char mk[HASH_SIZE_SHA1], u_int16_t *counter))get_reauth;
+	this->public.card.set_reauth = (void(*)(sim_card_t*, identification_t *id, identification_t* next, char mk[HASH_SIZE_SHA1], u_int16_t counter))set_reauth;
+	this->public.destroy = (void(*)(eap_simaka_reauth_card_t*))destroy;
+
+	this->reauth = hashtable_create((void*)hash, (void*)equals, 0);
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/plugins/eap_simaka_reauth/eap_simaka_reauth_card.h b/src/libcharon/plugins/eap_simaka_reauth/eap_simaka_reauth_card.h
new file mode 100644
index 000000000..f24dc8a15
--- /dev/null
+++ b/src/libcharon/plugins/eap_simaka_reauth/eap_simaka_reauth_card.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_simaka_reauth_card eap_simaka_reauth_card
+ * @{ @ingroup eap_simaka_reauth
+ */
+
+#ifndef EAP_SIMAKA_REAUTH_CARD_H_
+#define EAP_SIMAKA_REAUTH_CARD_H_
+
+#include <sa/authenticators/eap/sim_manager.h>
+
+typedef struct eap_simaka_reauth_card_t eap_simaka_reauth_card_t;
+
+/**
+ * SIM card implementing volatile in-memory reauthentication data storage.
+ */
+struct eap_simaka_reauth_card_t {
+
+	/**
+	 * Implements sim_card_t interface
+	 */
+	sim_card_t card;
+
+	/**
+	 * Destroy a eap_simaka_reauth_card_t.
+	 */
+	void (*destroy)(eap_simaka_reauth_card_t *this);
+};
+
+/**
+ * Create a eap_simaka_reauth_card instance.
+ */
+eap_simaka_reauth_card_t *eap_simaka_reauth_card_create();
+
+#endif /** EAP_SIMAKA_REAUTH_CARD_H_ @}*/
diff --git a/src/libcharon/plugins/eap_simaka_reauth/eap_simaka_reauth_plugin.c b/src/libcharon/plugins/eap_simaka_reauth/eap_simaka_reauth_plugin.c
new file mode 100644
index 000000000..987a0e109
--- /dev/null
+++ b/src/libcharon/plugins/eap_simaka_reauth/eap_simaka_reauth_plugin.c
@@ -0,0 +1,79 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_simaka_reauth_plugin.h"
+#include "eap_simaka_reauth_card.h"
+#include "eap_simaka_reauth_provider.h"
+
+#include <daemon.h>
+
+typedef struct private_eap_simaka_reauth_t private_eap_simaka_reauth_t;
+
+/**
+ * Private data of an eap_simaka_reauth_t object.
+ */
+struct private_eap_simaka_reauth_t {
+
+	/**
+	 * Public eap_simaka_reauth_plugin_t interface.
+	 */
+	eap_simaka_reauth_plugin_t public;
+
+	/**
+	 * SIM card
+	 */
+	eap_simaka_reauth_card_t *card;
+
+	/**
+	 * SIM provider
+	 */
+	eap_simaka_reauth_provider_t *provider;
+};
+
+/**
+ * Implementation of eap_simaka_reauth_t.destroy.
+ */
+static void destroy(private_eap_simaka_reauth_t *this)
+{
+	charon->sim->remove_card(charon->sim, &this->card->card);
+	charon->sim->remove_provider(charon->sim, &this->provider->provider);
+	this->card->destroy(this->card);
+	this->provider->destroy(this->provider);
+	free(this);
+}
+
+/**
+ * See header
+ */
+plugin_t *eap_simaka_reauth_plugin_create()
+{
+	private_eap_simaka_reauth_t *this = malloc_thing(private_eap_simaka_reauth_t);
+
+	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+
+	this->provider = eap_simaka_reauth_provider_create();
+	if (!this->provider)
+	{
+		free(this);
+		return NULL;
+	}
+	this->card = eap_simaka_reauth_card_create();
+
+	charon->sim->add_card(charon->sim, &this->card->card);
+	charon->sim->add_provider(charon->sim, &this->provider->provider);
+
+	return &this->public.plugin;
+}
+
diff --git a/src/libcharon/plugins/eap_simaka_reauth/eap_simaka_reauth_plugin.h b/src/libcharon/plugins/eap_simaka_reauth/eap_simaka_reauth_plugin.h
new file mode 100644
index 000000000..80c8a1037
--- /dev/null
+++ b/src/libcharon/plugins/eap_simaka_reauth/eap_simaka_reauth_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_simaka_reauth eap_simaka_reauth
+ * @ingroup cplugins
+ *
+ * @defgroup eap_simaka_reauth_plugin eap_simaka_reauth_plugin
+ * @{ @ingroup eap_simaka_reauth
+ */
+
+#ifndef EAP_SIMAKA_REAUTH_PLUGIN_H_
+#define EAP_SIMAKA_REAUTH_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct eap_simaka_reauth_plugin_t eap_simaka_reauth_plugin_t;
+
+/**
+ * Plugin to provide in-memory EAP-SIM/AKA reauthentication data storage.
+ */
+struct eap_simaka_reauth_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+#endif /** EAP_SIMAKA_REAUTH_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/eap_simaka_reauth/eap_simaka_reauth_provider.c b/src/libcharon/plugins/eap_simaka_reauth/eap_simaka_reauth_provider.c
new file mode 100644
index 000000000..f962b2d84
--- /dev/null
+++ b/src/libcharon/plugins/eap_simaka_reauth/eap_simaka_reauth_provider.c
@@ -0,0 +1,209 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_simaka_reauth_provider.h"
+
+#include <daemon.h>
+#include <utils/hashtable.h>
+
+typedef struct private_eap_simaka_reauth_provider_t private_eap_simaka_reauth_provider_t;
+
+/**
+ * Private data of an eap_simaka_reauth_provider_t object.
+ */
+struct private_eap_simaka_reauth_provider_t {
+
+	/**
+	 * Public eap_simaka_reauth_provider_t interface.
+	 */
+	eap_simaka_reauth_provider_t public;
+
+	/**
+	 * Permanent -> reauth_data_t mappings
+	 */
+	hashtable_t *reauth;
+
+	/**
+	 * Reverse reauth -> permanent mappings
+	 */
+	hashtable_t *permanent;
+
+	/**
+	 * RNG for pseudonyms/reauth identities
+	 */
+	rng_t *rng;
+};
+
+/**
+ * Data associated to a reauthentication identity
+ */
+typedef struct {
+	/** currently used reauthentication identity */
+	identification_t *id;
+	/** counter value */
+	u_int16_t counter;
+	/** master key */
+	char mk[HASH_SIZE_SHA1];
+} reauth_data_t;
+
+/**
+ * hashtable hash function
+ */
+static u_int hash(identification_t *key)
+{
+	return chunk_hash(key->get_encoding(key));
+}
+
+/**
+ * hashtable equals function
+ */
+static bool equals(identification_t *key1, identification_t *key2)
+{
+	return key1->equals(key1, key2);
+}
+
+/**
+ * Generate a random identity
+ */
+static identification_t *gen_identity(private_eap_simaka_reauth_provider_t *this)
+{
+	char buf[8], hex[sizeof(buf) * 2 + 1];
+
+	this->rng->get_bytes(this->rng, sizeof(buf), buf);
+	chunk_to_hex(chunk_create(buf, sizeof(buf)), hex, FALSE);
+
+	return identification_create_from_string(hex);
+}
+
+/**
+ * Implementation of sim_provider_t.is_reauth
+ */
+static identification_t *is_reauth(private_eap_simaka_reauth_provider_t *this,
+								identification_t *id, char mk[HASH_SIZE_SHA1],
+								u_int16_t *counter)
+{
+	identification_t *permanent;
+	reauth_data_t *data;
+
+	/* look up permanent identity */
+	permanent = this->permanent->get(this->permanent, id);
+	if (!permanent)
+	{
+		return NULL;
+	}
+	/* look up reauthentication data */
+	data = this->reauth->get(this->reauth, permanent);
+	if (!data)
+	{
+		return NULL;
+	}
+	*counter = ++data->counter;
+	memcpy(mk, data->mk, HASH_SIZE_SHA1);
+	return permanent->clone(permanent);
+}
+
+/**
+ * Implementation of sim_provider_t.gen_reauth
+ */
+static identification_t *gen_reauth(private_eap_simaka_reauth_provider_t *this,
+								identification_t *id, char mk[HASH_SIZE_SHA1])
+{
+	reauth_data_t *data;
+	identification_t *permanent;
+
+	data = this->reauth->get(this->reauth, id);
+	if (data)
+	{	/* update existing entry */
+		permanent = this->permanent->remove(this->permanent, data->id);
+		if (permanent)
+		{
+			data->id->destroy(data->id);
+			data->id = gen_identity(this);
+			this->permanent->put(this->permanent, data->id, permanent);
+		}
+	}
+	else
+	{	/* generate new entry */
+		data = malloc_thing(reauth_data_t);
+		data->counter = 0;
+		data->id = gen_identity(this);
+		id = id->clone(id);
+		this->reauth->put(this->reauth, id, data);
+		this->permanent->put(this->permanent, data->id, id);
+	}
+	memcpy(data->mk, mk, HASH_SIZE_SHA1);
+
+	return data->id->clone(data->id);
+}
+
+/**
+ * Implementation of eap_simaka_reauth_provider_t.destroy.
+ */
+static void destroy(private_eap_simaka_reauth_provider_t *this)
+{
+	enumerator_t *enumerator;
+	identification_t *id;
+	reauth_data_t *data;
+	void *key;
+
+	enumerator = this->permanent->create_enumerator(this->permanent);
+	while (enumerator->enumerate(enumerator, &key, &id))
+	{
+		id->destroy(id);
+	}
+	enumerator->destroy(enumerator);
+
+	enumerator = this->reauth->create_enumerator(this->reauth);
+	while (enumerator->enumerate(enumerator, &key, &data))
+	{
+		data->id->destroy(data->id);
+		free(data);
+	}
+	enumerator->destroy(enumerator);
+
+	this->permanent->destroy(this->permanent);
+	this->reauth->destroy(this->reauth);
+	this->rng->destroy(this->rng);
+	free(this);
+}
+
+/**
+ * See header
+ */
+eap_simaka_reauth_provider_t *eap_simaka_reauth_provider_create()
+{
+	private_eap_simaka_reauth_provider_t *this = malloc_thing(private_eap_simaka_reauth_provider_t);
+
+	this->public.provider.get_triplet = (bool(*)(sim_provider_t*, identification_t *id, char rand[SIM_RAND_LEN], char sres[SIM_SRES_LEN], char kc[SIM_KC_LEN]))return_false;
+	this->public.provider.get_quintuplet = (bool(*)(sim_provider_t*, identification_t *id, char rand[AKA_RAND_LEN], char xres[AKA_RES_MAX], int *xres_len, char ck[AKA_CK_LEN], char ik[AKA_IK_LEN], char autn[AKA_AUTN_LEN]))return_false;
+	this->public.provider.resync = (bool(*)(sim_provider_t*, identification_t *id, char rand[AKA_RAND_LEN], char auts[AKA_AUTS_LEN]))return_false;
+	this->public.provider.is_pseudonym = (identification_t*(*)(sim_provider_t*, identification_t *id))return_null;
+	this->public.provider.gen_pseudonym = (identification_t*(*)(sim_provider_t*, identification_t *id))return_null;
+	this->public.provider.is_reauth = (identification_t*(*)(sim_provider_t*, identification_t *id, char [HASH_SIZE_SHA1], u_int16_t *counter))is_reauth;
+	this->public.provider.gen_reauth = (identification_t*(*)(sim_provider_t*, identification_t *id, char mk[HASH_SIZE_SHA1]))gen_reauth;
+	this->public.destroy = (void(*)(eap_simaka_reauth_provider_t*))destroy;
+
+	this->rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
+	if (!this->rng)
+	{
+		free(this);
+		return NULL;
+	}
+	this->permanent = hashtable_create((void*)hash, (void*)equals, 0);
+	this->reauth = hashtable_create((void*)hash, (void*)equals, 0);
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/plugins/eap_simaka_reauth/eap_simaka_reauth_provider.h b/src/libcharon/plugins/eap_simaka_reauth/eap_simaka_reauth_provider.h
new file mode 100644
index 000000000..7ae151a27
--- /dev/null
+++ b/src/libcharon/plugins/eap_simaka_reauth/eap_simaka_reauth_provider.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_simaka_reauth_provider eap_simaka_reauth_provider
+ * @{ @ingroup eap_simaka_reauth
+ */
+
+#ifndef EAP_SIMAKA_REAUTH_PROVIDER_H_
+#define EAP_SIMAKA_REAUTH_PROVIDER_H_
+
+#include <sa/authenticators/eap/sim_manager.h>
+
+typedef struct eap_simaka_reauth_provider_t eap_simaka_reauth_provider_t;
+
+/**
+ * SIM provider implementing volatile in-memory reauthentication data storage.
+ */
+struct eap_simaka_reauth_provider_t {
+
+	/**
+	 * Implements sim_provider_t interface.
+	 */
+	sim_provider_t provider;
+
+	/**
+	 * Destroy a eap_simaka_reauth_provider_t.
+	 */
+	void (*destroy)(eap_simaka_reauth_provider_t *this);
+};
+
+/**
+ * Create a eap_simaka_reauth_provider instance.
+ */
+eap_simaka_reauth_provider_t *eap_simaka_reauth_provider_create();
+
+#endif /** EAP_SIMAKA_REAUTH_PROVIDER_H_ @}*/
diff --git a/src/libcharon/plugins/farp/Makefile.am b/src/libcharon/plugins/farp/Makefile.am
new file mode 100644
index 000000000..42cd31879
--- /dev/null
+++ b/src/libcharon/plugins/farp/Makefile.am
@@ -0,0 +1,16 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-farp.la
+else
+plugin_LTLIBRARIES = libstrongswan-farp.la
+endif
+
+libstrongswan_farp_la_SOURCES = farp_plugin.h farp_plugin.c \
+	farp_listener.h farp_listener.c farp_spoofer.h farp_spoofer.c
+
+libstrongswan_farp_la_LDFLAGS = -module -avoid-version
diff --git a/src/libcharon/plugins/farp/Makefile.in b/src/libcharon/plugins/farp/Makefile.in
new file mode 100644
index 000000000..20ac77080
--- /dev/null
+++ b/src/libcharon/plugins/farp/Makefile.in
@@ -0,0 +1,587 @@
+# Makefile.in generated by automake 1.11 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libcharon/plugins/farp
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_farp_la_LIBADD =
+am_libstrongswan_farp_la_OBJECTS = farp_plugin.lo farp_listener.lo \
+	farp_spoofer.lo
+libstrongswan_farp_la_OBJECTS = $(am_libstrongswan_farp_la_OBJECTS)
+libstrongswan_farp_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_farp_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_farp_la_rpath = -rpath $(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_farp_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_farp_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_farp_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libhydra_plugins = @libhydra_plugins@
+libstrongswan_plugins = @libstrongswan_plugins@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-farp.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-farp.la
+libstrongswan_farp_la_SOURCES = farp_plugin.h farp_plugin.c \
+	farp_listener.h farp_listener.c farp_spoofer.h farp_spoofer.c
+
+libstrongswan_farp_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/farp/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libcharon/plugins/farp/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-farp.la: $(libstrongswan_farp_la_OBJECTS) $(libstrongswan_farp_la_DEPENDENCIES) 
+	$(libstrongswan_farp_la_LINK) $(am_libstrongswan_farp_la_rpath) $(libstrongswan_farp_la_OBJECTS) $(libstrongswan_farp_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/farp_listener.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/farp_plugin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/farp_spoofer.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libcharon/plugins/farp/farp_listener.c b/src/libcharon/plugins/farp/farp_listener.c
new file mode 100644
index 000000000..8eed49778
--- /dev/null
+++ b/src/libcharon/plugins/farp/farp_listener.c
@@ -0,0 +1,154 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "farp_listener.h"
+
+#include <utils/hashtable.h>
+#include <threading/rwlock.h>
+
+typedef struct private_farp_listener_t private_farp_listener_t;
+
+/**
+ * Private data of an farp_listener_t object.
+ */
+struct private_farp_listener_t {
+
+	/**
+	 * Public farp_listener_t interface.
+	 */
+	farp_listener_t public;
+
+	/**
+	 * Hashtable with active virtual IPs
+	 */
+	hashtable_t *ips;
+
+	/**
+	 * RWlock for IP list
+	 */
+	rwlock_t *lock;
+};
+
+/**
+ * Hashtable hash function
+ */
+static u_int hash(host_t *key)
+{
+	return chunk_hash(key->get_address(key));
+}
+
+/**
+ * Hashtable equals function
+ */
+static bool equals(host_t *a, host_t *b)
+{
+	return a->ip_equals(a, b);
+}
+
+METHOD(listener_t, ike_updown, bool,
+	private_farp_listener_t *this, ike_sa_t *ike_sa, bool up)
+{
+	if (!up)
+	{
+		host_t *ip;
+
+		ip = ike_sa->get_virtual_ip(ike_sa, FALSE);
+		if (ip)
+		{
+			this->lock->write_lock(this->lock);
+			ip = this->ips->remove(this->ips, ip);
+			this->lock->unlock(this->lock);
+			DESTROY_IF(ip);
+		}
+	}
+	return TRUE;
+}
+
+METHOD(listener_t, message_hook, bool,
+	private_farp_listener_t *this, ike_sa_t *ike_sa,
+	message_t *message, bool incoming)
+{
+	if (ike_sa->get_state(ike_sa) == IKE_ESTABLISHED &&
+		message->get_exchange_type(message) == IKE_AUTH &&
+		!message->get_request(message))
+	{
+		host_t *ip;
+
+		ip = ike_sa->get_virtual_ip(ike_sa, FALSE);
+		if (ip)
+		{
+			ip = ip->clone(ip);
+			this->lock->write_lock(this->lock);
+			ip = this->ips->put(this->ips, ip, ip);
+			this->lock->unlock(this->lock);
+			DESTROY_IF(ip);
+		}
+	}
+	return TRUE;
+}
+
+METHOD(farp_listener_t, is_active, bool,
+	private_farp_listener_t *this, host_t *ip)
+{
+	bool active;
+
+	this->lock->read_lock(this->lock);
+	active = this->ips->get(this->ips, ip) != NULL;
+	this->lock->unlock(this->lock);
+	return active;
+}
+
+METHOD(farp_listener_t, destroy, void,
+	private_farp_listener_t *this)
+{
+	enumerator_t *enumerator;
+	host_t *key, *value;
+
+	enumerator = this->ips->create_enumerator(this->ips);
+	while (enumerator->enumerate(enumerator, &key, &value))
+	{
+		value->destroy(value);
+	}
+	enumerator->destroy(enumerator);
+	this->ips->destroy(this->ips);
+
+	this->lock->destroy(this->lock);
+	free(this);
+}
+
+/**
+ * See header
+ */
+farp_listener_t *farp_listener_create()
+{
+	private_farp_listener_t *this;
+
+	INIT(this,
+		.public = {
+			.listener = {
+				.ike_updown = _ike_updown,
+				.message = _message_hook,
+			},
+			.is_active = _is_active,
+			.destroy = _destroy,
+		},
+		.ips = hashtable_create((hashtable_hash_t)hash,
+								(hashtable_equals_t)equals, 8),
+		.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
+	);
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/plugins/farp/farp_listener.h b/src/libcharon/plugins/farp/farp_listener.h
new file mode 100644
index 000000000..bd96d7a1c
--- /dev/null
+++ b/src/libcharon/plugins/farp/farp_listener.h
@@ -0,0 +1,58 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup farp_listener farp_listener
+ * @{ @ingroup farp
+ */
+
+#ifndef FARP_LISTENER_H_
+#define FARP_LISTENER_H_
+
+#include <utils/host.h>
+#include <bus/listeners/listener.h>
+
+typedef struct farp_listener_t farp_listener_t;
+
+/**
+ * Listener to register the set of IPs we spoof ARP responses for.
+ */
+struct farp_listener_t {
+
+	/**
+	 * Implements listener_t interface.
+	 */
+	listener_t listener;
+
+	/**
+	 * Check if a given IP is currently used as virtual IP by a peer.
+	 *
+	 * @param ip		IP to check
+	 * @return			TRUE if IP is an active virtual IP
+	 */
+	bool (*is_active)(farp_listener_t *this, host_t *ip);
+
+	/**
+	 * Destroy a farp_listener_t.
+	 */
+	void (*destroy)(farp_listener_t *this);
+};
+
+/**
+ * Create a farp_listener instance.
+ */
+farp_listener_t *farp_listener_create();
+
+#endif /** FARP_LISTENER_H_ @}*/
diff --git a/src/libcharon/plugins/farp/farp_plugin.c b/src/libcharon/plugins/farp/farp_plugin.c
new file mode 100644
index 000000000..01c2a39c8
--- /dev/null
+++ b/src/libcharon/plugins/farp/farp_plugin.c
@@ -0,0 +1,77 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "farp_plugin.h"
+
+#include "farp_listener.h"
+#include "farp_spoofer.h"
+
+#include <daemon.h>
+
+typedef struct private_farp_plugin_t private_farp_plugin_t;
+
+/**
+ * private data of farp plugin
+ */
+struct private_farp_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	farp_plugin_t public;
+
+	/**
+	 * Listener registering active virtual IPs
+	 */
+	farp_listener_t *listener;
+
+	/**
+	 * Spoofer listening and spoofing ARP messages
+	 */
+	farp_spoofer_t *spoofer;
+};
+
+METHOD(plugin_t, destroy, void,
+	private_farp_plugin_t *this)
+{
+	DESTROY_IF(this->spoofer);
+	charon->bus->remove_listener(charon->bus, &this->listener->listener);
+	this->listener->destroy(this->listener);
+	free(this);
+}
+
+/**
+ * Plugin constructor
+ */
+plugin_t *farp_plugin_create()
+{
+	private_farp_plugin_t *this;
+
+	INIT(this,
+		.public.plugin.destroy = _destroy,
+		.listener = farp_listener_create(),
+	);
+
+	charon->bus->add_listener(charon->bus, &this->listener->listener);
+
+	this->spoofer = farp_spoofer_create(this->listener);
+	if (!this->spoofer)
+	{
+		destroy(this);
+		return NULL;
+	}
+	return &this->public.plugin;
+}
+
diff --git a/src/libcharon/plugins/farp/farp_plugin.h b/src/libcharon/plugins/farp/farp_plugin.h
new file mode 100644
index 000000000..0246fcc2a
--- /dev/null
+++ b/src/libcharon/plugins/farp/farp_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup farp farp
+ * @ingroup cplugins
+ *
+ * @defgroup farp_plugin farp_plugin
+ * @{ @ingroup farp
+ */
+
+#ifndef FARP_PLUGIN_H_
+#define FARP_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct farp_plugin_t farp_plugin_t;
+
+/**
+ * ARP faking plugin that responds to ARP requests to peers virtual IP.
+ */
+struct farp_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+#endif /** FARP_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/farp/farp_spoofer.c b/src/libcharon/plugins/farp/farp_spoofer.c
new file mode 100644
index 000000000..29e64e32d
--- /dev/null
+++ b/src/libcharon/plugins/farp/farp_spoofer.c
@@ -0,0 +1,198 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "farp_spoofer.h"
+
+#include <errno.h>
+#include <unistd.h>
+#include <sys/socket.h>
+#include <linux/if_arp.h>
+#include <linux/if_ether.h>
+#include <linux/filter.h>
+#include <sys/ioctl.h>
+
+#include <daemon.h>
+#include <threading/thread.h>
+#include <processing/jobs/callback_job.h>
+
+typedef struct private_farp_spoofer_t private_farp_spoofer_t;
+
+/**
+ * Private data of an farp_spoofer_t object.
+ */
+struct private_farp_spoofer_t {
+
+	/**
+	 * Public farp_spoofer_t interface.
+	 */
+	farp_spoofer_t public;
+
+	/**
+	 * Listener that knows active addresses
+	 */
+	farp_listener_t *listener;
+
+	/**
+	 * Callback job to read ARP requests
+	 */
+	callback_job_t *job;
+
+	/**
+	 * RAW socket for ARP requests
+	 */
+	int skt;
+};
+
+/**
+ * IP over Ethernet ARP message
+ */
+typedef struct __attribute__((packed)) {
+	u_int16_t hardware_type;
+	u_int16_t protocol_type;
+	u_int8_t hardware_size;
+	u_int8_t protocol_size;
+	u_int16_t opcode;
+	u_int8_t sender_mac[6];
+	u_int8_t sender_ip[4];
+	u_int8_t target_mac[6];
+	u_int8_t target_ip[4];
+} arp_t;
+
+/**
+ * Send faked ARP response
+ */
+static void send_arp(private_farp_spoofer_t *this,
+					 arp_t *arp, struct sockaddr_ll *addr)
+{
+	struct ifreq req;
+	char tmp[4];
+
+	req.ifr_ifindex = addr->sll_ifindex;
+	if (ioctl(this->skt, SIOCGIFNAME, &req) == 0 &&
+		ioctl(this->skt, SIOCGIFHWADDR, &req) == 0 &&
+		req.ifr_hwaddr.sa_family == ARPHRD_ETHER)
+	{
+		memcpy(arp->target_mac, arp->sender_mac, 6);
+		memcpy(arp->sender_mac, req.ifr_hwaddr.sa_data, 6);
+
+		memcpy(tmp, arp->sender_ip, 4);
+		memcpy(arp->sender_ip, arp->target_ip, 4);
+		memcpy(arp->target_ip, tmp, 4);
+
+		arp->opcode = htons(ARPOP_REPLY);
+
+		sendto(this->skt, arp, sizeof(*arp), 0,
+			   (struct sockaddr*)addr, sizeof(*addr));
+	}
+}
+
+/**
+ * ARP request receiving
+ */
+static job_requeue_t receive_arp(private_farp_spoofer_t *this)
+{
+	struct sockaddr_ll addr;
+	socklen_t addr_len = sizeof(addr);
+	arp_t arp;
+	int oldstate;
+	ssize_t len;
+	host_t *ip;
+
+	oldstate = thread_cancelability(TRUE);
+	len = recvfrom(this->skt, &arp, sizeof(arp), 0,
+				   (struct sockaddr*)&addr, &addr_len);
+	thread_cancelability(oldstate);
+
+	if (len == sizeof(arp))
+	{
+		ip = host_create_from_chunk(AF_INET,
+									chunk_create((char*)&arp.target_ip, 4), 0);
+		if (ip)
+		{
+			if (this->listener->is_active(this->listener, ip))
+			{
+				send_arp(this, &arp, &addr);
+			}
+			ip->destroy(ip);
+		}
+	}
+
+	return JOB_REQUEUE_DIRECT;
+}
+
+METHOD(farp_spoofer_t, destroy, void,
+	private_farp_spoofer_t *this)
+{
+	this->job->cancel(this->job);
+	close(this->skt);
+	free(this);
+}
+
+/**
+ * See header
+ */
+farp_spoofer_t *farp_spoofer_create(farp_listener_t *listener)
+{
+	private_farp_spoofer_t *this;
+	struct sock_filter arp_request_filter_code[] = {
+		BPF_STMT(BPF_LD+BPF_H+BPF_ABS, offsetof(arp_t, protocol_type)),
+		BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ETH_P_IP, 0, 9),
+		BPF_STMT(BPF_LD+BPF_B+BPF_ABS, offsetof(arp_t, hardware_size)),
+		BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 6, 0, 7),
+		BPF_STMT(BPF_LD+BPF_B+BPF_ABS, offsetof(arp_t, protocol_size)),
+		BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 4, 0, 4),
+		BPF_STMT(BPF_LD+BPF_H+BPF_ABS, offsetof(arp_t, opcode)),
+		BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARPOP_REQUEST, 0, 3),
+		BPF_STMT(BPF_LD+BPF_W+BPF_LEN, 0),
+		BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 28, 0, 1),
+		BPF_STMT(BPF_RET+BPF_A, 0),
+		BPF_STMT(BPF_RET+BPF_K, 0),
+	};
+	struct sock_fprog arp_request_filter = {
+		sizeof(arp_request_filter_code) / sizeof(struct sock_filter),
+		arp_request_filter_code,
+	};
+
+	INIT(this,
+		.public = {
+			.destroy = _destroy,
+		},
+		.listener = listener,
+	);
+
+	this->skt = socket(AF_PACKET, SOCK_DGRAM, htons(ETH_P_ARP));
+	if (this->skt == -1)
+	{
+		DBG1(DBG_NET, "opening ARP packet socket failed: %s", strerror(errno));
+		free(this);
+		return NULL;
+	}
+
+	if (setsockopt(this->skt, SOL_SOCKET, SO_ATTACH_FILTER,
+				   &arp_request_filter, sizeof(arp_request_filter)) < 0)
+	{
+		DBG1(DBG_NET, "installing ARP packet filter failed: %s", strerror(errno));
+		close(this->skt);
+		free(this);
+		return NULL;
+	}
+
+	this->job = callback_job_create((callback_job_cb_t)receive_arp,
+									this, NULL, NULL);
+	charon->processor->queue_job(charon->processor, (job_t*)this->job);
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/plugins/farp/farp_spoofer.h b/src/libcharon/plugins/farp/farp_spoofer.h
new file mode 100644
index 000000000..c91fb3b96
--- /dev/null
+++ b/src/libcharon/plugins/farp/farp_spoofer.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup farp_spoofer farp_spoofer
+ * @{ @ingroup farp
+ */
+
+#ifndef FARP_SPOOFER_H_
+#define FARP_SPOOFER_H_
+
+#include "farp_listener.h"
+
+typedef struct farp_spoofer_t farp_spoofer_t;
+
+/**
+ * Listen to ARP requests and spoof responses, if required.
+ */
+struct farp_spoofer_t {
+
+	/**
+	 * Destroy a farp_spoofer_t.
+	 */
+	void (*destroy)(farp_spoofer_t *this);
+};
+
+/**
+ * Create a farp_spoofer instance.
+ *
+ * @param listener		listener to check for addresses to spoof
+ * @return				spoofer instance
+ */
+farp_spoofer_t *farp_spoofer_create(farp_listener_t *listener);
+
+#endif /** FARP_SPOOFER_H_ @}*/
diff --git a/src/libcharon/plugins/ha/Makefile.am b/src/libcharon/plugins/ha/Makefile.am
new file mode 100644
index 000000000..74fe1f4c7
--- /dev/null
+++ b/src/libcharon/plugins/ha/Makefile.am
@@ -0,0 +1,25 @@
+
+INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra -I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic -DIPSEC_PIDDIR=\"${piddir}\"
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-ha.la
+else
+plugin_LTLIBRARIES = libstrongswan-ha.la
+endif
+
+libstrongswan_ha_la_SOURCES = \
+  ha_plugin.h ha_plugin.c \
+  ha_message.h ha_message.c \
+  ha_socket.h ha_socket.c \
+  ha_tunnel.h ha_tunnel.c \
+  ha_dispatcher.h ha_dispatcher.c \
+  ha_segments.h ha_segments.c \
+  ha_kernel.h ha_kernel.c \
+  ha_ctl.h ha_ctl.c \
+  ha_ike.h ha_ike.c \
+  ha_child.h ha_child.c
+libstrongswan_ha_la_LDFLAGS = -module -avoid-version
+
diff --git a/src/libcharon/plugins/ha/Makefile.in b/src/libcharon/plugins/ha/Makefile.in
new file mode 100644
index 000000000..c60d3bf56
--- /dev/null
+++ b/src/libcharon/plugins/ha/Makefile.in
@@ -0,0 +1,604 @@
+# Makefile.in generated by automake 1.11 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libcharon/plugins/ha
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_ha_la_LIBADD =
+am_libstrongswan_ha_la_OBJECTS = ha_plugin.lo ha_message.lo \
+	ha_socket.lo ha_tunnel.lo ha_dispatcher.lo ha_segments.lo \
+	ha_kernel.lo ha_ctl.lo ha_ike.lo ha_child.lo
+libstrongswan_ha_la_OBJECTS = $(am_libstrongswan_ha_la_OBJECTS)
+libstrongswan_ha_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_ha_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_ha_la_rpath = -rpath $(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_ha_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_ha_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_ha_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libhydra_plugins = @libhydra_plugins@
+libstrongswan_plugins = @libstrongswan_plugins@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra -I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic -DIPSEC_PIDDIR=\"${piddir}\"
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-ha.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-ha.la
+libstrongswan_ha_la_SOURCES = \
+  ha_plugin.h ha_plugin.c \
+  ha_message.h ha_message.c \
+  ha_socket.h ha_socket.c \
+  ha_tunnel.h ha_tunnel.c \
+  ha_dispatcher.h ha_dispatcher.c \
+  ha_segments.h ha_segments.c \
+  ha_kernel.h ha_kernel.c \
+  ha_ctl.h ha_ctl.c \
+  ha_ike.h ha_ike.c \
+  ha_child.h ha_child.c
+
+libstrongswan_ha_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/ha/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libcharon/plugins/ha/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-ha.la: $(libstrongswan_ha_la_OBJECTS) $(libstrongswan_ha_la_DEPENDENCIES) 
+	$(libstrongswan_ha_la_LINK) $(am_libstrongswan_ha_la_rpath) $(libstrongswan_ha_la_OBJECTS) $(libstrongswan_ha_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ha_child.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ha_ctl.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ha_dispatcher.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ha_ike.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ha_kernel.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ha_message.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ha_plugin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ha_segments.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ha_socket.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ha_tunnel.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libcharon/plugins/ha/ha_child.c b/src/libcharon/plugins/ha/ha_child.c
new file mode 100644
index 000000000..2eb8e27f6
--- /dev/null
+++ b/src/libcharon/plugins/ha/ha_child.c
@@ -0,0 +1,170 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ha_child.h"
+
+typedef struct private_ha_child_t private_ha_child_t;
+
+/**
+ * Private data of an ha_child_t object.
+ */
+struct private_ha_child_t {
+
+	/**
+	 * Public ha_child_t interface.
+	 */
+	ha_child_t public;
+
+	/**
+	 * socket we use for syncing
+	 */
+	ha_socket_t *socket;
+
+	/**
+	 * tunnel securing sync messages
+	 */
+	ha_tunnel_t *tunnel;
+};
+
+/**
+ * Implementation of listener_t.child_keys
+ */
+static bool child_keys(private_ha_child_t *this, ike_sa_t *ike_sa,
+					   child_sa_t *child_sa, diffie_hellman_t *dh,
+					   chunk_t nonce_i, chunk_t nonce_r)
+{
+	ha_message_t *m;
+	chunk_t secret;
+	proposal_t *proposal;
+	u_int16_t alg, len;
+	linked_list_t *list;
+	enumerator_t *enumerator;
+	traffic_selector_t *ts;
+
+	if (this->tunnel && this->tunnel->is_sa(this->tunnel, ike_sa))
+	{	/* do not sync SA between nodes */
+		return TRUE;
+	}
+
+	m = ha_message_create(HA_CHILD_ADD);
+
+	m->add_attribute(m, HA_IKE_ID, ike_sa->get_id(ike_sa));
+	m->add_attribute(m, HA_INBOUND_SPI, child_sa->get_spi(child_sa, TRUE));
+	m->add_attribute(m, HA_OUTBOUND_SPI, child_sa->get_spi(child_sa, FALSE));
+	m->add_attribute(m, HA_INBOUND_CPI, child_sa->get_cpi(child_sa, TRUE));
+	m->add_attribute(m, HA_OUTBOUND_CPI, child_sa->get_cpi(child_sa, FALSE));
+	m->add_attribute(m, HA_IPSEC_MODE, child_sa->get_mode(child_sa));
+	m->add_attribute(m, HA_IPCOMP, child_sa->get_ipcomp(child_sa));
+	m->add_attribute(m, HA_CONFIG_NAME, child_sa->get_name(child_sa));
+
+	proposal = child_sa->get_proposal(child_sa);
+	if (proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, &alg, &len))
+	{
+		m->add_attribute(m, HA_ALG_ENCR, alg);
+		if (len)
+		{
+			m->add_attribute(m, HA_ALG_ENCR_LEN, len);
+		}
+	}
+	if (proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM, &alg, NULL))
+	{
+		m->add_attribute(m, HA_ALG_INTEG, alg);
+	}
+	m->add_attribute(m, HA_NONCE_I, nonce_i);
+	m->add_attribute(m, HA_NONCE_R, nonce_r);
+	if (dh && dh->get_shared_secret(dh, &secret) == SUCCESS)
+	{
+		m->add_attribute(m, HA_SECRET, secret);
+		chunk_clear(&secret);
+	}
+
+	list = child_sa->get_traffic_selectors(child_sa, TRUE);
+	enumerator = list->create_enumerator(list);
+	while (enumerator->enumerate(enumerator, &ts))
+	{
+		m->add_attribute(m, HA_LOCAL_TS, ts);
+	}
+	enumerator->destroy(enumerator);
+	list = child_sa->get_traffic_selectors(child_sa, FALSE);
+	enumerator = list->create_enumerator(list);
+	while (enumerator->enumerate(enumerator, &ts))
+	{
+		m->add_attribute(m, HA_REMOTE_TS, ts);
+	}
+	enumerator->destroy(enumerator);
+
+	this->socket->push(this->socket, m);
+
+	return TRUE;
+}
+
+/**
+ * Implementation of listener_t.child_state_change
+ */
+static bool child_state_change(private_ha_child_t *this, ike_sa_t *ike_sa,
+							   child_sa_t *child_sa, child_sa_state_t state)
+{
+	if (!ike_sa ||
+		ike_sa->get_state(ike_sa) == IKE_PASSIVE ||
+		ike_sa->get_state(ike_sa) == IKE_DESTROYING)
+	{	/* only sync active IKE_SAs */
+		return TRUE;
+	}
+	if (this->tunnel && this->tunnel->is_sa(this->tunnel, ike_sa))
+	{	/* do not sync SA between nodes */
+		return TRUE;
+	}
+
+
+	if (state == CHILD_DESTROYING)
+	{
+		ha_message_t *m;
+
+		m = ha_message_create(HA_CHILD_DELETE);
+
+		m->add_attribute(m, HA_IKE_ID, ike_sa->get_id(ike_sa));
+		m->add_attribute(m, HA_INBOUND_SPI,
+						 child_sa->get_spi(child_sa, TRUE));
+		this->socket->push(this->socket, m);
+	}
+	return TRUE;
+}
+
+/**
+ * Implementation of ha_child_t.destroy.
+ */
+static void destroy(private_ha_child_t *this)
+{
+	free(this);
+}
+
+/**
+ * See header
+ */
+ha_child_t *ha_child_create(ha_socket_t *socket, ha_tunnel_t *tunnel)
+{
+	private_ha_child_t *this = malloc_thing(private_ha_child_t);
+
+	memset(&this->public.listener, 0, sizeof(listener_t));
+	this->public.listener.child_keys = (bool(*)(listener_t*, ike_sa_t *ike_sa, child_sa_t *child_sa, diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r))child_keys;
+	this->public.listener.child_state_change = (bool(*)(listener_t*,ike_sa_t *ike_sa, child_sa_t *child_sa, child_sa_state_t state))child_state_change;
+	this->public.destroy = (void(*)(ha_child_t*))destroy;
+
+	this->socket = socket;
+	this->tunnel = tunnel;
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/plugins/ha/ha_child.h b/src/libcharon/plugins/ha/ha_child.h
new file mode 100644
index 000000000..ea83495f7
--- /dev/null
+++ b/src/libcharon/plugins/ha/ha_child.h
@@ -0,0 +1,57 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ha_child ha_child
+ * @{ @ingroup ha
+ */
+
+#ifndef HA_CHILD_H_
+#define HA_CHILD_H_
+
+#include "ha_socket.h"
+#include "ha_tunnel.h"
+#include "ha_segments.h"
+
+#include <daemon.h>
+
+typedef struct ha_child_t ha_child_t;
+
+/**
+ * Listener to synchronize CHILD_SAs.
+ */
+struct ha_child_t {
+
+	/**
+	 * Implements bus listener interface.
+	 */
+	listener_t listener;
+
+	/**
+	 * Destroy a ha_child_t.
+	 */
+	void (*destroy)(ha_child_t *this);
+};
+
+/**
+ * Create a ha_child instance.
+ *
+ * @param socket		socket to use for sending synchronization messages
+ * @param tunnel		tunnel securing sync messages, if any
+ * @return				CHILD listener
+ */
+ha_child_t *ha_child_create(ha_socket_t *socket, ha_tunnel_t *tunnel);
+
+#endif /* HA_CHILD_ @}*/
diff --git a/src/libcharon/plugins/ha/ha_ctl.c b/src/libcharon/plugins/ha/ha_ctl.c
new file mode 100644
index 000000000..441d26d9e
--- /dev/null
+++ b/src/libcharon/plugins/ha/ha_ctl.c
@@ -0,0 +1,132 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ha_ctl.h"
+
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/select.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <errno.h>
+#include <pthread.h>
+
+#include <processing/jobs/callback_job.h>
+
+#define HA_FIFO IPSEC_PIDDIR "/charon.ha"
+
+typedef struct private_ha_ctl_t private_ha_ctl_t;
+
+/**
+ * Private data of an ha_ctl_t object.
+ */
+struct private_ha_ctl_t {
+
+	/**
+	 * Public ha_ctl_t interface.
+	 */
+	ha_ctl_t public;
+
+	/**
+	 * Segments to control
+	 */
+	ha_segments_t *segments;
+
+	/**
+	 * FIFO reader thread
+	 */
+	callback_job_t *job;
+};
+
+/**
+ * FIFO dispatching function
+ */
+static job_requeue_t dispatch_fifo(private_ha_ctl_t *this)
+{
+	int fifo, old;
+	char buf[8];
+	u_int segment;
+
+	pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &old);
+	fifo = open(HA_FIFO, O_RDONLY);
+	pthread_setcancelstate(old, NULL);
+	if (fifo == -1)
+	{
+		DBG1(DBG_CFG, "opening HA fifo failed: %s", strerror(errno));
+		sleep(1);
+		return JOB_REQUEUE_FAIR;
+	}
+
+	memset(buf, 0, sizeof(buf));
+	if (read(fifo, buf, sizeof(buf)-1) > 1)
+	{
+		segment = atoi(&buf[1]);
+		if (segment)
+		{
+			switch (buf[0])
+			{
+				case '+':
+					this->segments->activate(this->segments, segment, TRUE);
+					break;
+				case '-':
+					this->segments->deactivate(this->segments, segment, TRUE);
+					break;
+				case '*':
+					this->segments->resync(this->segments, segment);
+					break;
+				default:
+					break;
+			}
+		}
+	}
+	close(fifo);
+
+	return JOB_REQUEUE_DIRECT;
+}
+
+/**
+ * Implementation of ha_ctl_t.destroy.
+ */
+static void destroy(private_ha_ctl_t *this)
+{
+	this->job->cancel(this->job);
+	free(this);
+}
+
+/**
+ * See header
+ */
+ha_ctl_t *ha_ctl_create(ha_segments_t *segments)
+{
+	private_ha_ctl_t *this = malloc_thing(private_ha_ctl_t);
+
+	this->public.destroy = (void(*)(ha_ctl_t*))destroy;
+
+	if (access(HA_FIFO, R_OK|W_OK) != 0)
+	{
+		if (mkfifo(HA_FIFO, 600) != 0)
+		{
+			DBG1(DBG_CFG, "creating HA FIFO %s failed: %s",
+				 HA_FIFO, strerror(errno));
+		}
+	}
+
+	this->segments = segments;
+	this->job = callback_job_create((callback_job_cb_t)dispatch_fifo,
+									this, NULL, NULL);
+	charon->processor->queue_job(charon->processor, (job_t*)this->job);
+	return &this->public;
+}
+
diff --git a/src/libcharon/plugins/ha/ha_ctl.h b/src/libcharon/plugins/ha/ha_ctl.h
new file mode 100644
index 000000000..f33a809be
--- /dev/null
+++ b/src/libcharon/plugins/ha/ha_ctl.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ha_ctl ha_ctl
+ * @{ @ingroup ha
+ */
+
+#ifndef HA_CTL_H_
+#define HA_CTL_H_
+
+#include "ha_segments.h"
+
+typedef struct ha_ctl_t ha_ctl_t;
+
+/**
+ * HA Sync control interface using a FIFO.
+ */
+struct ha_ctl_t {
+
+	/**
+	 * Destroy a ha_ctl_t.
+	 */
+	void (*destroy)(ha_ctl_t *this);
+};
+
+/**
+ * Create a ha_ctl instance.
+ *
+ * @param segments	segments to control
+ * @return			HA control interface
+ */
+ha_ctl_t *ha_ctl_create(ha_segments_t *segments);
+
+#endif /* HA_CTL_ @}*/
diff --git a/src/libcharon/plugins/ha/ha_dispatcher.c b/src/libcharon/plugins/ha/ha_dispatcher.c
new file mode 100644
index 000000000..7df2f1fa8
--- /dev/null
+++ b/src/libcharon/plugins/ha/ha_dispatcher.c
@@ -0,0 +1,737 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ha_dispatcher.h"
+
+#include <daemon.h>
+#include <processing/jobs/callback_job.h>
+
+typedef struct private_ha_dispatcher_t private_ha_dispatcher_t;
+
+/**
+ * Private data of an ha_dispatcher_t object.
+ */
+struct private_ha_dispatcher_t {
+
+	/**
+	 * Public ha_dispatcher_t interface.
+	 */
+	ha_dispatcher_t public;
+
+	/**
+	 * socket to pull messages from
+	 */
+	ha_socket_t *socket;
+
+	/**
+	 * segments to control
+	 */
+	ha_segments_t *segments;
+
+	/**
+	 * Dispatcher job
+	 */
+	callback_job_t *job;
+};
+
+/**
+ * Quick and dirty hack implementation of diffie_hellman_t.get_shared_secret
+ */
+static status_t get_shared_secret(diffie_hellman_t *this, chunk_t *secret)
+{
+	*secret = chunk_clone((*(chunk_t*)this->destroy));
+	return SUCCESS;
+}
+
+/**
+ * Process messages of type IKE_ADD
+ */
+static void process_ike_add(private_ha_dispatcher_t *this, ha_message_t *message)
+{
+	ha_message_attribute_t attribute;
+	ha_message_value_t value;
+	enumerator_t *enumerator;
+	ike_sa_t *ike_sa = NULL, *old_sa = NULL;
+	u_int16_t encr = 0, len = 0, integ = 0, prf = 0, old_prf = PRF_UNDEFINED;
+	chunk_t nonce_i = chunk_empty, nonce_r = chunk_empty;
+	chunk_t secret = chunk_empty, old_skd = chunk_empty;
+
+	enumerator = message->create_attribute_enumerator(message);
+	while (enumerator->enumerate(enumerator, &attribute, &value))
+	{
+		switch (attribute)
+		{
+			case HA_IKE_ID:
+				ike_sa = ike_sa_create(value.ike_sa_id);
+				break;
+			case HA_IKE_REKEY_ID:
+				old_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager,
+														  value.ike_sa_id);
+				break;
+			case HA_NONCE_I:
+				nonce_i = value.chunk;
+				break;
+			case HA_NONCE_R:
+				nonce_r = value.chunk;
+				break;
+			case HA_SECRET:
+				secret = value.chunk;
+				break;
+			case HA_OLD_SKD:
+				old_skd = value.chunk;
+				break;
+			case HA_ALG_ENCR:
+				encr = value.u16;
+				break;
+			case HA_ALG_ENCR_LEN:
+				len = value.u16;
+				break;
+			case HA_ALG_INTEG:
+				integ = value.u16;
+				break;
+			case HA_ALG_PRF:
+				prf = value.u16;
+				break;
+			case HA_ALG_OLD_PRF:
+				old_prf = value.u16;
+				break;
+			default:
+				break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	if (ike_sa)
+	{
+		proposal_t *proposal;
+		keymat_t *keymat;
+		/* quick and dirty hack of a DH implementation ;-) */
+		diffie_hellman_t dh = { .get_shared_secret = get_shared_secret,
+								.destroy = (void*)&secret };
+
+		proposal = proposal_create(PROTO_IKE);
+		keymat = ike_sa->get_keymat(ike_sa);
+		if (integ)
+		{
+			proposal->add_algorithm(proposal, INTEGRITY_ALGORITHM, integ, 0);
+		}
+		if (encr)
+		{
+			proposal->add_algorithm(proposal, ENCRYPTION_ALGORITHM, encr, len);
+		}
+		if (prf)
+		{
+			proposal->add_algorithm(proposal, PSEUDO_RANDOM_FUNCTION, prf, 0);
+		}
+		charon->bus->set_sa(charon->bus, ike_sa);
+		if (keymat->derive_ike_keys(keymat, proposal, &dh, nonce_i, nonce_r,
+									 ike_sa->get_id(ike_sa), old_prf, old_skd))
+		{
+			if (old_sa)
+			{
+				peer_cfg_t *peer_cfg = old_sa->get_peer_cfg(old_sa);
+
+				if (peer_cfg)
+				{
+					ike_sa->set_peer_cfg(ike_sa, peer_cfg);
+					ike_sa->inherit(ike_sa, old_sa);
+				}
+				charon->ike_sa_manager->checkin_and_destroy(
+												charon->ike_sa_manager, old_sa);
+				old_sa = NULL;
+			}
+			ike_sa->set_state(ike_sa, IKE_CONNECTING);
+			charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+		}
+		else
+		{
+			DBG1(DBG_IKE, "HA keymat derivation failed");
+			ike_sa->destroy(ike_sa);
+		}
+		charon->bus->set_sa(charon->bus, NULL);
+		proposal->destroy(proposal);
+	}
+	if (old_sa)
+	{
+		charon->ike_sa_manager->checkin(charon->ike_sa_manager, old_sa);
+	}
+}
+
+/**
+ * Apply a condition flag to the IKE_SA if it is in set
+ */
+static void set_condition(ike_sa_t *ike_sa, ike_condition_t set,
+						  ike_condition_t flag)
+{
+	ike_sa->set_condition(ike_sa, flag, flag & set);
+}
+
+/**
+ * Apply a extension flag to the IKE_SA if it is in set
+ */
+static void set_extension(ike_sa_t *ike_sa, ike_extension_t set,
+						  ike_extension_t flag)
+{
+	if (flag & set)
+	{
+		ike_sa->enable_extension(ike_sa, flag);
+	}
+}
+
+/**
+ * Process messages of type IKE_UPDATE
+ */
+static void process_ike_update(private_ha_dispatcher_t *this,
+							   ha_message_t *message)
+{
+	ha_message_attribute_t attribute;
+	ha_message_value_t value;
+	enumerator_t *enumerator;
+	ike_sa_t *ike_sa = NULL;
+	peer_cfg_t *peer_cfg = NULL;
+
+	enumerator = message->create_attribute_enumerator(message);
+	while (enumerator->enumerate(enumerator, &attribute, &value))
+	{
+		if (attribute != HA_IKE_ID && ike_sa == NULL)
+		{
+			/* must be first attribute */
+			break;
+		}
+		switch (attribute)
+		{
+			case HA_IKE_ID:
+				ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager,
+														  value.ike_sa_id);
+				break;
+			case HA_LOCAL_ID:
+				ike_sa->set_my_id(ike_sa, value.id->clone(value.id));
+				break;
+			case HA_REMOTE_ID:
+				ike_sa->set_other_id(ike_sa, value.id->clone(value.id));
+				break;
+			case HA_LOCAL_ADDR:
+				ike_sa->set_my_host(ike_sa, value.host->clone(value.host));
+				break;
+			case HA_REMOTE_ADDR:
+				ike_sa->set_other_host(ike_sa, value.host->clone(value.host));
+				break;
+			case HA_LOCAL_VIP:
+				ike_sa->set_virtual_ip(ike_sa, TRUE, value.host);
+				break;
+			case HA_REMOTE_VIP:
+				ike_sa->set_virtual_ip(ike_sa, FALSE, value.host);
+				break;
+			case HA_ADDITIONAL_ADDR:
+				ike_sa->add_additional_address(ike_sa,
+											   value.host->clone(value.host));
+				break;
+			case HA_CONFIG_NAME:
+				peer_cfg = charon->backends->get_peer_cfg_by_name(
+												charon->backends, value.str);
+				if (peer_cfg)
+				{
+					ike_sa->set_peer_cfg(ike_sa, peer_cfg);
+					peer_cfg->destroy(peer_cfg);
+				}
+				else
+				{
+					DBG1(DBG_IKE, "HA is missing nodes peer configuration");
+				}
+				break;
+			case HA_EXTENSIONS:
+				set_extension(ike_sa, value.u32, EXT_NATT);
+				set_extension(ike_sa, value.u32, EXT_MOBIKE);
+				set_extension(ike_sa, value.u32, EXT_HASH_AND_URL);
+				break;
+			case HA_CONDITIONS:
+				set_condition(ike_sa, value.u32, COND_NAT_ANY);
+				set_condition(ike_sa, value.u32, COND_NAT_HERE);
+				set_condition(ike_sa, value.u32, COND_NAT_THERE);
+				set_condition(ike_sa, value.u32, COND_NAT_FAKE);
+				set_condition(ike_sa, value.u32, COND_EAP_AUTHENTICATED);
+				set_condition(ike_sa, value.u32, COND_CERTREQ_SEEN);
+				set_condition(ike_sa, value.u32, COND_ORIGINAL_INITIATOR);
+				break;
+			case HA_INITIATE_MID:
+				ike_sa->set_message_id(ike_sa, TRUE, value.u32);
+				break;
+			case HA_RESPOND_MID:
+				ike_sa->set_message_id(ike_sa, FALSE, value.u32);
+				break;
+			default:
+				break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	if (ike_sa)
+	{
+		if (ike_sa->get_state(ike_sa) == IKE_CONNECTING &&
+			ike_sa->get_peer_cfg(ike_sa))
+		{
+			ike_sa->set_state(ike_sa, IKE_PASSIVE);
+		}
+		charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+	}
+}
+
+/**
+ * Process messages of type IKE_DELETE
+ */
+static void process_ike_delete(private_ha_dispatcher_t *this,
+							   ha_message_t *message)
+{
+	ha_message_attribute_t attribute;
+	ha_message_value_t value;
+	enumerator_t *enumerator;
+	ike_sa_t *ike_sa;
+
+	enumerator = message->create_attribute_enumerator(message);
+	while (enumerator->enumerate(enumerator, &attribute, &value))
+	{
+		switch (attribute)
+		{
+			case HA_IKE_ID:
+				ike_sa = charon->ike_sa_manager->checkout(
+									charon->ike_sa_manager, value.ike_sa_id);
+				if (ike_sa)
+				{
+					charon->ike_sa_manager->checkin_and_destroy(
+									charon->ike_sa_manager, ike_sa);
+				}
+				break;
+			default:
+				break;
+		}
+	}
+	enumerator->destroy(enumerator);
+}
+
+/**
+ * Lookup a child cfg from the peer cfg by name
+ */
+static child_cfg_t* find_child_cfg(ike_sa_t *ike_sa, char *name)
+{
+	peer_cfg_t *peer_cfg;
+	child_cfg_t *current, *found = NULL;
+	enumerator_t *enumerator;
+
+	peer_cfg = ike_sa->get_peer_cfg(ike_sa);
+	if (peer_cfg)
+	{
+		enumerator = peer_cfg->create_child_cfg_enumerator(peer_cfg);
+		while (enumerator->enumerate(enumerator, &current))
+		{
+			if (streq(current->get_name(current), name))
+			{
+				found = current;
+				break;
+			}
+		}
+		enumerator->destroy(enumerator);
+	}
+	return found;
+}
+
+/**
+ * Process messages of type CHILD_ADD
+ */
+static void process_child_add(private_ha_dispatcher_t *this,
+							  ha_message_t *message)
+{
+	ha_message_attribute_t attribute;
+	ha_message_value_t value;
+	enumerator_t *enumerator;
+	ike_sa_t *ike_sa = NULL;
+	char *config_name = "";
+	child_cfg_t *config = NULL;
+	child_sa_t *child_sa;
+	proposal_t *proposal;
+	keymat_t *keymat;
+	bool initiator = FALSE, failed = FALSE;
+	u_int32_t inbound_spi = 0, outbound_spi = 0;
+	u_int16_t inbound_cpi = 0, outbound_cpi = 0;
+	u_int8_t mode = MODE_TUNNEL, ipcomp = 0;
+	u_int16_t encr = ENCR_UNDEFINED, integ = AUTH_UNDEFINED, len = 0;
+	chunk_t nonce_i = chunk_empty, nonce_r = chunk_empty, secret = chunk_empty;
+	chunk_t encr_i, integ_i, encr_r, integ_r;
+	linked_list_t *local_ts, *remote_ts;
+	/* quick and dirty hack of a DH implementation */
+	diffie_hellman_t dh = { .get_shared_secret = get_shared_secret,
+							.destroy = (void*)&secret };
+
+	enumerator = message->create_attribute_enumerator(message);
+	while (enumerator->enumerate(enumerator, &attribute, &value))
+	{
+		switch (attribute)
+		{
+			case HA_IKE_ID:
+				ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager,
+														  value.ike_sa_id);
+				initiator = value.ike_sa_id->is_initiator(value.ike_sa_id);
+				break;
+			case HA_CONFIG_NAME:
+				config_name = value.str;
+				break;
+			case HA_INBOUND_SPI:
+				inbound_spi = value.u32;
+				break;
+			case HA_OUTBOUND_SPI:
+				outbound_spi = value.u32;
+				break;
+			case HA_INBOUND_CPI:
+				inbound_cpi = value.u32;
+				break;
+			case HA_OUTBOUND_CPI:
+				outbound_cpi = value.u32;
+				break;
+			case HA_IPSEC_MODE:
+				mode = value.u8;
+				break;
+			case HA_IPCOMP:
+				ipcomp = value.u8;
+				break;
+			case HA_ALG_ENCR:
+				encr = value.u16;
+				break;
+			case HA_ALG_ENCR_LEN:
+				len = value.u16;
+				break;
+			case HA_ALG_INTEG:
+				integ = value.u16;
+				break;
+			case HA_NONCE_I:
+				nonce_i = value.chunk;
+				break;
+			case HA_NONCE_R:
+				nonce_r = value.chunk;
+				break;
+			case HA_SECRET:
+				secret = value.chunk;
+				break;
+			default:
+				break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	if (!ike_sa)
+	{
+		DBG1(DBG_CHD, "IKE_SA for HA CHILD_SA not found");
+		return;
+	}
+	config = find_child_cfg(ike_sa, config_name);
+	if (!config)
+	{
+		DBG1(DBG_CHD, "HA is missing nodes child configuration");
+		charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+		return;
+	}
+
+	child_sa = child_sa_create(ike_sa->get_my_host(ike_sa),
+							   ike_sa->get_other_host(ike_sa), config, 0,
+							   ike_sa->has_condition(ike_sa, COND_NAT_ANY));
+	child_sa->set_mode(child_sa, mode);
+	child_sa->set_protocol(child_sa, PROTO_ESP);
+	child_sa->set_ipcomp(child_sa, ipcomp);
+
+	proposal = proposal_create(PROTO_ESP);
+	if (integ)
+	{
+		proposal->add_algorithm(proposal, INTEGRITY_ALGORITHM, integ, 0);
+	}
+	if (encr)
+	{
+		proposal->add_algorithm(proposal, ENCRYPTION_ALGORITHM, encr, len);
+	}
+	keymat = ike_sa->get_keymat(ike_sa);
+
+	if (!keymat->derive_child_keys(keymat, proposal, secret.ptr ? &dh : NULL,
+					nonce_i, nonce_r, &encr_i, &integ_i, &encr_r, &integ_r))
+	{
+		DBG1(DBG_CHD, "HA CHILD_SA key derivation failed");
+		child_sa->destroy(child_sa);
+		proposal->destroy(proposal);
+		charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+		return;
+	}
+	child_sa->set_proposal(child_sa, proposal);
+	child_sa->set_state(child_sa, CHILD_INSTALLING);
+	proposal->destroy(proposal);
+
+	/* TODO: Change CHILD_SA API to avoid cloning twice */
+	local_ts = linked_list_create();
+	remote_ts = linked_list_create();
+	enumerator = message->create_attribute_enumerator(message);
+	while (enumerator->enumerate(enumerator, &attribute, &value))
+	{
+		switch (attribute)
+		{
+			case HA_LOCAL_TS:
+				local_ts->insert_last(local_ts, value.ts->clone(value.ts));
+				break;
+			case HA_REMOTE_TS:
+				remote_ts->insert_last(remote_ts, value.ts->clone(value.ts));
+				break;
+			default:
+				break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	if (initiator)
+	{
+		if (child_sa->install(child_sa, encr_r, integ_r, inbound_spi,
+						inbound_cpi, TRUE, local_ts, remote_ts) != SUCCESS ||
+			child_sa->install(child_sa, encr_i, integ_i, outbound_spi,
+						outbound_cpi, FALSE, local_ts, remote_ts) != SUCCESS)
+		{
+			failed = TRUE;
+		}
+	}
+	else
+	{
+		if (child_sa->install(child_sa, encr_i, integ_i, inbound_spi,
+						inbound_cpi, TRUE, local_ts, remote_ts) != SUCCESS ||
+			child_sa->install(child_sa, encr_r, integ_r, outbound_spi,
+						outbound_cpi, FALSE, local_ts, remote_ts) != SUCCESS)
+		{
+			failed = TRUE;
+		}
+	}
+	chunk_clear(&encr_i);
+	chunk_clear(&integ_i);
+	chunk_clear(&encr_r);
+	chunk_clear(&integ_r);
+
+	if (failed)
+	{
+		DBG1(DBG_CHD, "HA CHILD_SA installation failed");
+		child_sa->destroy(child_sa);
+		local_ts->destroy_offset(local_ts, offsetof(traffic_selector_t, destroy));
+		remote_ts->destroy_offset(remote_ts, offsetof(traffic_selector_t, destroy));
+		charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+		return;
+	}
+
+	child_sa->add_policies(child_sa, local_ts, remote_ts);
+	local_ts->destroy_offset(local_ts, offsetof(traffic_selector_t, destroy));
+	remote_ts->destroy_offset(remote_ts, offsetof(traffic_selector_t, destroy));
+
+	child_sa->set_state(child_sa, CHILD_INSTALLED);
+	ike_sa->add_child_sa(ike_sa, child_sa);
+	charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+}
+
+/**
+ * Process messages of type CHILD_DELETE
+ */
+static void process_child_delete(private_ha_dispatcher_t *this,
+								 ha_message_t *message)
+{
+	ha_message_attribute_t attribute;
+	ha_message_value_t value;
+	enumerator_t *enumerator;
+	ike_sa_t *ike_sa = NULL;
+
+	enumerator = message->create_attribute_enumerator(message);
+	while (enumerator->enumerate(enumerator, &attribute, &value))
+	{
+		switch (attribute)
+		{
+			case HA_IKE_ID:
+				ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager,
+														  value.ike_sa_id);
+				break;
+			case HA_INBOUND_SPI:
+				if (ike_sa)
+				{
+					ike_sa->destroy_child_sa(ike_sa, PROTO_ESP, value.u32);
+				}
+				break;
+			default:
+				break;
+		}
+	}
+	if (ike_sa)
+	{
+		charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+	}
+	enumerator->destroy(enumerator);
+}
+
+/**
+ * Process messages of type SEGMENT_TAKE/DROP
+ */
+static void process_segment(private_ha_dispatcher_t *this,
+							ha_message_t *message, bool take)
+{
+	ha_message_attribute_t attribute;
+	ha_message_value_t value;
+	enumerator_t *enumerator;
+
+	enumerator = message->create_attribute_enumerator(message);
+	while (enumerator->enumerate(enumerator, &attribute, &value))
+	{
+		switch (attribute)
+		{
+			case HA_SEGMENT:
+				if (take)
+				{
+					DBG1(DBG_CFG, "remote node takes segment %d", value.u16);
+					this->segments->deactivate(this->segments, value.u16, FALSE);
+				}
+				else
+				{
+					DBG1(DBG_CFG, "remote node drops segment %d", value.u16);
+					this->segments->activate(this->segments, value.u16, FALSE);
+				}
+				break;
+			default:
+				break;
+		}
+	}
+	enumerator->destroy(enumerator);
+}
+
+/**
+ * Process messages of type STATUS
+ */
+static void process_status(private_ha_dispatcher_t *this,
+						   ha_message_t *message)
+{
+	ha_message_attribute_t attribute;
+	ha_message_value_t value;
+	enumerator_t *enumerator;
+	segment_mask_t mask = 0;
+
+	enumerator = message->create_attribute_enumerator(message);
+	while (enumerator->enumerate(enumerator, &attribute, &value))
+	{
+		switch (attribute)
+		{
+			case HA_SEGMENT:
+				mask |= SEGMENTS_BIT(value.u16);
+				break;
+			default:
+				break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	this->segments->handle_status(this->segments, mask);
+}
+
+/**
+ * Process messages of type RESYNC
+ */
+static void process_resync(private_ha_dispatcher_t *this,
+						   ha_message_t *message)
+{
+	ha_message_attribute_t attribute;
+	ha_message_value_t value;
+	enumerator_t *enumerator;
+
+	enumerator = message->create_attribute_enumerator(message);
+	while (enumerator->enumerate(enumerator, &attribute, &value))
+	{
+		switch (attribute)
+		{
+			case HA_SEGMENT:
+				this->segments->resync(this->segments, value.u16);
+				break;
+			default:
+				break;
+		}
+	}
+	enumerator->destroy(enumerator);
+}
+
+/**
+ * Dispatcher job function
+ */
+static job_requeue_t dispatch(private_ha_dispatcher_t *this)
+{
+	ha_message_t *message;
+
+	message = this->socket->pull(this->socket);
+	switch (message->get_type(message))
+	{
+		case HA_IKE_ADD:
+			process_ike_add(this, message);
+			break;
+		case HA_IKE_UPDATE:
+			process_ike_update(this, message);
+			break;
+		case HA_IKE_DELETE:
+			process_ike_delete(this, message);
+			break;
+		case HA_CHILD_ADD:
+			process_child_add(this, message);
+			break;
+		case HA_CHILD_DELETE:
+			process_child_delete(this, message);
+			break;
+		case HA_SEGMENT_DROP:
+			process_segment(this, message, FALSE);
+			break;
+		case HA_SEGMENT_TAKE:
+			process_segment(this, message, TRUE);
+			break;
+		case HA_STATUS:
+			process_status(this, message);
+			break;
+		case HA_RESYNC:
+			process_resync(this, message);
+			break;
+		default:
+			DBG1(DBG_CFG, "received unknown HA message type %d",
+				 message->get_type(message));
+			break;
+	}
+	message->destroy(message);
+
+	return JOB_REQUEUE_DIRECT;
+}
+
+/**
+ * Implementation of ha_dispatcher_t.destroy.
+ */
+static void destroy(private_ha_dispatcher_t *this)
+{
+	this->job->cancel(this->job);
+	free(this);
+}
+
+/**
+ * See header
+ */
+ha_dispatcher_t *ha_dispatcher_create(ha_socket_t *socket,
+									  ha_segments_t *segments)
+{
+	private_ha_dispatcher_t *this = malloc_thing(private_ha_dispatcher_t);
+
+	this->public.destroy = (void(*)(ha_dispatcher_t*))destroy;
+
+	this->socket = socket;
+	this->segments = segments;
+	this->job = callback_job_create((callback_job_cb_t)dispatch,
+									this, NULL, NULL);
+	charon->processor->queue_job(charon->processor, (job_t*)this->job);
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/plugins/ha/ha_dispatcher.h b/src/libcharon/plugins/ha/ha_dispatcher.h
new file mode 100644
index 000000000..d2baace3f
--- /dev/null
+++ b/src/libcharon/plugins/ha/ha_dispatcher.h
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ha_dispatcher ha_dispatcher
+ * @{ @ingroup ha
+ */
+
+#ifndef HA_DISPATCHER_H_
+#define HA_DISPATCHER_H_
+
+#include "ha_socket.h"
+#include "ha_segments.h"
+
+typedef struct ha_dispatcher_t ha_dispatcher_t;
+
+/**
+ * The dispatcher pulls messages in a thread an processes them.
+ */
+struct ha_dispatcher_t {
+
+	/**
+	 * Destroy a ha_dispatcher_t.
+	 */
+	void (*destroy)(ha_dispatcher_t *this);
+};
+
+/**
+ * Create a ha_dispatcher instance pulling from socket.
+ *
+ * @param socket		socket to pull messages from
+ * @param segments		segments to control based on received messages
+ * @return				dispatcher object
+ */
+ha_dispatcher_t *ha_dispatcher_create(ha_socket_t *socket,
+									  ha_segments_t *segments);
+
+#endif /* HA_DISPATCHER_ @}*/
diff --git a/src/libcharon/plugins/ha/ha_ike.c b/src/libcharon/plugins/ha/ha_ike.c
new file mode 100644
index 000000000..1f025d0e5
--- /dev/null
+++ b/src/libcharon/plugins/ha/ha_ike.c
@@ -0,0 +1,280 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ha_ike.h"
+
+typedef struct private_ha_ike_t private_ha_ike_t;
+
+/**
+ * Private data of an ha_ike_t object.
+ */
+struct private_ha_ike_t {
+
+	/**
+	 * Public ha_ike_t interface.
+	 */
+	ha_ike_t public;
+
+	/**
+	 * socket we use for syncing
+	 */
+	ha_socket_t *socket;
+
+	/**
+	 * tunnel securing sync messages
+	 */
+	ha_tunnel_t *tunnel;
+};
+
+/**
+ * Return condition if it is set on ike_sa
+ */
+static ike_condition_t copy_condition(ike_sa_t *ike_sa, ike_condition_t cond)
+{
+	if (ike_sa->has_condition(ike_sa, cond))
+	{
+		return cond;
+	}
+	return 0;
+}
+
+/**
+ * Return extension if it is supported by peers IKE_SA
+ */
+static ike_extension_t copy_extension(ike_sa_t *ike_sa, ike_extension_t ext)
+{
+	if (ike_sa->supports_extension(ike_sa, ext))
+	{
+		return ext;
+	}
+	return 0;
+}
+
+/**
+ * Implementation of listener_t.ike_keys
+ */
+static bool ike_keys(private_ha_ike_t *this, ike_sa_t *ike_sa,
+					 diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r,
+					 ike_sa_t *rekey)
+{
+	ha_message_t *m;
+	chunk_t secret;
+	proposal_t *proposal;
+	u_int16_t alg, len;
+
+	if (this->tunnel && this->tunnel->is_sa(this->tunnel, ike_sa))
+	{	/* do not sync SA between nodes */
+		return TRUE;
+	}
+	if (dh->get_shared_secret(dh, &secret) != SUCCESS)
+	{
+		return TRUE;
+	}
+
+	m = ha_message_create(HA_IKE_ADD);
+	m->add_attribute(m, HA_IKE_ID, ike_sa->get_id(ike_sa));
+
+	if (rekey)
+	{
+		chunk_t skd;
+		keymat_t *keymat;
+
+		keymat = rekey->get_keymat(rekey);
+		m->add_attribute(m, HA_IKE_REKEY_ID, rekey->get_id(rekey));
+		m->add_attribute(m, HA_ALG_OLD_PRF, keymat->get_skd(keymat, &skd));
+		m->add_attribute(m, HA_OLD_SKD, skd);
+	}
+
+	proposal = ike_sa->get_proposal(ike_sa);
+	if (proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, &alg, &len))
+	{
+		m->add_attribute(m, HA_ALG_ENCR, alg);
+		if (len)
+		{
+			m->add_attribute(m, HA_ALG_ENCR_LEN, len);
+		}
+	}
+	if (proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM, &alg, NULL))
+	{
+		m->add_attribute(m, HA_ALG_INTEG, alg);
+	}
+	if (proposal->get_algorithm(proposal, PSEUDO_RANDOM_FUNCTION, &alg, NULL))
+	{
+		m->add_attribute(m, HA_ALG_PRF, alg);
+	}
+	m->add_attribute(m, HA_NONCE_I, nonce_i);
+	m->add_attribute(m, HA_NONCE_R, nonce_r);
+	m->add_attribute(m, HA_SECRET, secret);
+	chunk_clear(&secret);
+
+	this->socket->push(this->socket, m);
+
+	return TRUE;
+}
+
+/**
+ * Implementation of listener_t.ike_updown
+ */
+static bool ike_updown(private_ha_ike_t *this, ike_sa_t *ike_sa, bool up)
+{
+	ha_message_t *m;
+
+	if (ike_sa->get_state(ike_sa) == IKE_PASSIVE)
+	{	/* only sync active IKE_SAs */
+		return TRUE;
+	}
+	if (this->tunnel && this->tunnel->is_sa(this->tunnel, ike_sa))
+	{	/* do not sync SA between nodes */
+		return TRUE;
+	}
+
+	if (up)
+	{
+		iterator_t *iterator;
+		peer_cfg_t *peer_cfg;
+		u_int32_t extension, condition;
+		host_t *addr;
+		ike_sa_id_t *id;
+
+		peer_cfg = ike_sa->get_peer_cfg(ike_sa);
+
+		condition = copy_condition(ike_sa, COND_NAT_ANY)
+				  | copy_condition(ike_sa, COND_NAT_HERE)
+				  | copy_condition(ike_sa, COND_NAT_THERE)
+				  | copy_condition(ike_sa, COND_NAT_FAKE)
+				  | copy_condition(ike_sa, COND_EAP_AUTHENTICATED)
+				  | copy_condition(ike_sa, COND_CERTREQ_SEEN)
+				  | copy_condition(ike_sa, COND_ORIGINAL_INITIATOR);
+
+		extension = copy_extension(ike_sa, EXT_NATT)
+				  | copy_extension(ike_sa, EXT_MOBIKE)
+				  | copy_extension(ike_sa, EXT_HASH_AND_URL);
+
+		id = ike_sa->get_id(ike_sa);
+
+		m = ha_message_create(HA_IKE_UPDATE);
+		m->add_attribute(m, HA_IKE_ID, id);
+		m->add_attribute(m, HA_LOCAL_ID, ike_sa->get_my_id(ike_sa));
+		m->add_attribute(m, HA_REMOTE_ID, ike_sa->get_other_id(ike_sa));
+		m->add_attribute(m, HA_LOCAL_ADDR, ike_sa->get_my_host(ike_sa));
+		m->add_attribute(m, HA_REMOTE_ADDR, ike_sa->get_other_host(ike_sa));
+		m->add_attribute(m, HA_CONDITIONS, condition);
+		m->add_attribute(m, HA_EXTENSIONS, extension);
+		m->add_attribute(m, HA_CONFIG_NAME, peer_cfg->get_name(peer_cfg));
+		iterator = ike_sa->create_additional_address_iterator(ike_sa);
+		while (iterator->iterate(iterator, (void**)&addr))
+		{
+			m->add_attribute(m, HA_ADDITIONAL_ADDR, addr);
+		}
+		iterator->destroy(iterator);
+	}
+	else
+	{
+		m = ha_message_create(HA_IKE_DELETE);
+		m->add_attribute(m, HA_IKE_ID, ike_sa->get_id(ike_sa));
+	}
+	this->socket->push(this->socket, m);
+	return TRUE;
+}
+
+/**
+ * Implementation of listener_t.ike_rekey
+ */
+static bool ike_rekey(private_ha_ike_t *this, ike_sa_t *old, ike_sa_t *new)
+{
+	ike_updown(this, old, FALSE);
+	ike_updown(this, new, TRUE);
+	return TRUE;
+}
+
+/**
+ * Implementation of listener_t.message
+ */
+static bool message_hook(private_ha_ike_t *this, ike_sa_t *ike_sa,
+						 message_t *message, bool incoming)
+{
+	if (this->tunnel && this->tunnel->is_sa(this->tunnel, ike_sa))
+	{	/* do not sync SA between nodes */
+		return TRUE;
+	}
+
+	if (message->get_exchange_type(message) != IKE_SA_INIT &&
+		message->get_request(message))
+	{	/* we sync on requests, but skip it on IKE_SA_INIT */
+		ha_message_t *m;
+		u_int32_t mid;
+
+		m = ha_message_create(HA_IKE_UPDATE);
+		m->add_attribute(m, HA_IKE_ID, ike_sa->get_id(ike_sa));
+		mid = message->get_message_id(message) + 1;
+		if (incoming)
+		{
+			m->add_attribute(m, HA_RESPOND_MID, mid);
+		}
+		else
+		{
+			m->add_attribute(m, HA_INITIATE_MID, mid);
+		}
+		this->socket->push(this->socket, m);
+	}
+	if (ike_sa->get_state(ike_sa) == IKE_ESTABLISHED &&
+		message->get_exchange_type(message) == IKE_AUTH &&
+		!message->get_request(message))
+	{	/* After IKE_SA has been established, sync peers virtual IP.
+		 * We cannot sync it in the state_change hook, it is installed later.
+		 * TODO: where to sync local VIP? */
+		ha_message_t *m;
+		host_t *vip;
+
+		vip = ike_sa->get_virtual_ip(ike_sa, FALSE);
+		if (vip)
+		{
+			m = ha_message_create(HA_IKE_UPDATE);
+			m->add_attribute(m, HA_IKE_ID, ike_sa->get_id(ike_sa));
+			m->add_attribute(m, HA_REMOTE_VIP, vip);
+			this->socket->push(this->socket, m);
+		}
+	}
+	return TRUE;
+}
+
+/**
+ * Implementation of ha_ike_t.destroy.
+ */
+static void destroy(private_ha_ike_t *this)
+{
+	free(this);
+}
+
+/**
+ * See header
+ */
+ha_ike_t *ha_ike_create(ha_socket_t *socket, ha_tunnel_t *tunnel)
+{
+	private_ha_ike_t *this = malloc_thing(private_ha_ike_t);
+
+	memset(&this->public.listener, 0, sizeof(listener_t));
+	this->public.listener.ike_keys = (bool(*)(listener_t*, ike_sa_t *ike_sa, diffie_hellman_t *dh,chunk_t nonce_i, chunk_t nonce_r, ike_sa_t *rekey))ike_keys;
+	this->public.listener.ike_updown = (bool(*)(listener_t*,ike_sa_t *ike_sa, bool up))ike_updown;
+	this->public.listener.ike_rekey = (bool(*)(listener_t*,ike_sa_t *old, ike_sa_t *new))ike_rekey;
+	this->public.listener.message = (bool(*)(listener_t*, ike_sa_t *, message_t *,bool))message_hook;
+	this->public.destroy = (void(*)(ha_ike_t*))destroy;
+
+	this->socket = socket;
+	this->tunnel = tunnel;
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/plugins/ha/ha_ike.h b/src/libcharon/plugins/ha/ha_ike.h
new file mode 100644
index 000000000..9de210e67
--- /dev/null
+++ b/src/libcharon/plugins/ha/ha_ike.h
@@ -0,0 +1,57 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ha_ike ha_ike
+ * @{ @ingroup ha
+ */
+
+#ifndef HA_IKE_H_
+#define HA_IKE_H_
+
+#include "ha_socket.h"
+#include "ha_tunnel.h"
+#include "ha_segments.h"
+
+#include <daemon.h>
+
+typedef struct ha_ike_t ha_ike_t;
+
+/**
+ * Listener to synchronize IKE_SAs.
+ */
+struct ha_ike_t {
+
+	/**
+	 * Implements bus listener interface.
+	 */
+	listener_t listener;
+
+	/**
+	 * Destroy a ha_ike_t.
+	 */
+	void (*destroy)(ha_ike_t *this);
+};
+
+/**
+ * Create a ha_ike instance.
+ *
+ * @param socket		socket to use for sending synchronization messages
+ * @param tunnel		tunnel securing sync messages, if any
+ * @return				IKE listener
+ */
+ha_ike_t *ha_ike_create(ha_socket_t *socket, ha_tunnel_t *tunnel);
+
+#endif /* HA_IKE_ @}*/
diff --git a/src/libcharon/plugins/ha/ha_kernel.c b/src/libcharon/plugins/ha/ha_kernel.c
new file mode 100644
index 000000000..0ad9c22c3
--- /dev/null
+++ b/src/libcharon/plugins/ha/ha_kernel.c
@@ -0,0 +1,229 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ha_kernel.h"
+
+typedef u_int32_t u32;
+typedef u_int8_t u8;
+
+#include <linux/jhash.h>
+#include <string.h>
+#include <errno.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+
+#define CLUSTERIP_DIR "/proc/net/ipt_CLUSTERIP"
+
+typedef struct private_ha_kernel_t private_ha_kernel_t;
+
+/**
+ * Private data of an ha_kernel_t object.
+ */
+struct private_ha_kernel_t {
+
+	/**
+	 * Public ha_kernel_t interface.
+	 */
+	ha_kernel_t public;
+
+	/**
+	 * Init value for jhash
+	 */
+	u_int initval;
+
+	/**
+	 * Total number of ClusterIP segments
+	 */
+	u_int count;
+};
+
+/**
+ * Implementation of ha_kernel_t.in_segment
+ */
+static bool in_segment(private_ha_kernel_t *this, host_t *host, u_int segment)
+{
+	if (host->get_family(host) == AF_INET)
+	{
+		unsigned long hash;
+		u_int32_t addr;
+
+		addr = *(u_int32_t*)host->get_address(host).ptr;
+		hash = jhash_1word(ntohl(addr), this->initval);
+
+		if ((((u_int64_t)hash * this->count) >> 32) + 1 == segment)
+		{
+			return TRUE;
+		}
+	}
+	return FALSE;
+}
+
+/**
+ * Activate/Deactivate a segment for a given clusterip file
+ */
+static void enable_disable(private_ha_kernel_t *this, u_int segment,
+						   char *file, bool enable)
+{
+	char cmd[8];
+	int fd;
+
+	snprintf(cmd, sizeof(cmd), "%c%d\n", enable ? '+' : '-', segment);
+
+	fd = open(file, O_WRONLY);
+	if (fd == -1)
+	{
+		DBG1(DBG_CFG, "opening CLUSTERIP file '%s' failed: %s",
+			 file, strerror(errno));
+		return;
+	}
+	if (write(fd, cmd, strlen(cmd) == -1))
+	{
+		DBG1(DBG_CFG, "writing to CLUSTERIP file '%s' failed: %s",
+			 file, strerror(errno));
+	}
+	close(fd);
+}
+
+/**
+ * Get the currenlty active segments in the kernel for a clusterip file
+ */
+static segment_mask_t get_active(private_ha_kernel_t *this, char *file)
+{
+	char buf[256];
+	segment_mask_t mask = 0;
+	ssize_t len;
+	int fd;
+
+	fd = open(file, O_RDONLY);
+	if (fd == -1)
+	{
+		DBG1(DBG_CFG, "opening CLUSTERIP file '%s' failed: %s",
+			 file, strerror(errno));
+		return 0;
+	}
+	len = read(fd, buf, sizeof(buf)-1);
+	if (len == -1)
+	{
+		DBG1(DBG_CFG, "reading from CLUSTERIP file '%s' failed: %s",
+			 file, strerror(errno));
+	}
+	else
+	{
+		enumerator_t *enumerator;
+		u_int segment;
+		char *token;
+
+		buf[len] = '\0';
+		enumerator = enumerator_create_token(buf, ",", " ");
+		while (enumerator->enumerate(enumerator, &token))
+		{
+			segment = atoi(token);
+			if (segment)
+			{
+				mask |= SEGMENTS_BIT(segment);
+			}
+		}
+		enumerator->destroy(enumerator);
+	}
+	return mask;
+}
+
+/**
+ * Implementation of ha_kernel_t.activate
+ */
+static void activate(private_ha_kernel_t *this, u_int segment)
+{
+	enumerator_t *enumerator;
+	char *file;
+
+	enumerator = enumerator_create_directory(CLUSTERIP_DIR);
+	while (enumerator->enumerate(enumerator, NULL, &file, NULL))
+	{
+		enable_disable(this, segment, file, TRUE);
+	}
+	enumerator->destroy(enumerator);
+}
+
+/**
+ * Implementation of ha_kernel_t.deactivate
+ */
+static void deactivate(private_ha_kernel_t *this, u_int segment)
+{
+	enumerator_t *enumerator;
+	char *file;
+
+	enumerator = enumerator_create_directory(CLUSTERIP_DIR);
+	while (enumerator->enumerate(enumerator, NULL, &file, NULL))
+	{
+		enable_disable(this, segment, file, FALSE);
+	}
+	enumerator->destroy(enumerator);
+}
+
+/**
+ * Disable all not-yet disabled segments on all clusterip addresses
+ */
+static void disable_all(private_ha_kernel_t *this)
+{
+	enumerator_t *enumerator;
+	segment_mask_t active;
+	char *file;
+	int i;
+
+	enumerator = enumerator_create_directory(CLUSTERIP_DIR);
+	while (enumerator->enumerate(enumerator, NULL, &file, NULL))
+	{
+		active = get_active(this, file);
+		for (i = 1; i <= this->count; i++)
+		{
+			if (active & SEGMENTS_BIT(i))
+			{
+				enable_disable(this, i, file, FALSE);
+			}
+		}
+	}
+	enumerator->destroy(enumerator);
+}
+
+/**
+ * Implementation of ha_kernel_t.destroy.
+ */
+static void destroy(private_ha_kernel_t *this)
+{
+	free(this);
+}
+
+/**
+ * See header
+ */
+ha_kernel_t *ha_kernel_create(u_int count)
+{
+	private_ha_kernel_t *this = malloc_thing(private_ha_kernel_t);
+
+	this->public.in_segment = (bool(*)(ha_kernel_t*, host_t *host, u_int segment))in_segment;
+	this->public.activate = (void(*)(ha_kernel_t*, u_int segment))activate;
+	this->public.deactivate = (void(*)(ha_kernel_t*, u_int segment))deactivate;
+	this->public.destroy = (void(*)(ha_kernel_t*))destroy;
+
+	this->initval = 0;
+	this->count = count;
+
+	disable_all(this);
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/plugins/ha/ha_kernel.h b/src/libcharon/plugins/ha/ha_kernel.h
new file mode 100644
index 000000000..b37cc7667
--- /dev/null
+++ b/src/libcharon/plugins/ha/ha_kernel.h
@@ -0,0 +1,70 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ha_kernel ha_kernel
+ * @{ @ingroup ha
+ */
+
+#ifndef HA_KERNEL_H_
+#define HA_KERNEL_H_
+
+typedef struct ha_kernel_t ha_kernel_t;
+
+#include "ha_segments.h"
+
+/**
+ * HA segment kernel configuration interface.
+ */
+struct ha_kernel_t {
+
+	/**
+	 * Check if a host is in a segment.
+	 *
+	 * @param host		host to check
+	 * @param segment	segment
+	 * @return 			TRUE if host belongs to segment
+	 */
+	bool (*in_segment)(ha_kernel_t *this, host_t *host, u_int segment);
+
+	/**
+	 * Activate a segment at kernel level for all cluster addresses.
+	 *
+	 * @param segment	segment to activate
+	 */
+	void (*activate)(ha_kernel_t *this, u_int segment);
+
+	/**
+	 * Deactivate a segment at kernel level for all cluster addresses.
+	 *
+	 * @param segment	segment to deactivate
+	 */
+	void (*deactivate)(ha_kernel_t *this, u_int segment);
+
+	/**
+	 * Destroy a ha_kernel_t.
+	 */
+	void (*destroy)(ha_kernel_t *this);
+};
+
+/**
+ * Create a ha_kernel instance.
+ *
+ * @param count			total number of segments to use
+ * @param active		bitmask of initially active segments
+ */
+ha_kernel_t *ha_kernel_create(u_int count);
+
+#endif /* HA_KERNEL_ @}*/
diff --git a/src/libcharon/plugins/ha/ha_message.c b/src/libcharon/plugins/ha/ha_message.c
new file mode 100644
index 000000000..54b10f05d
--- /dev/null
+++ b/src/libcharon/plugins/ha/ha_message.c
@@ -0,0 +1,663 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#define _GNU_SOURCE
+#include <string.h>
+#include <arpa/inet.h>
+
+#include "ha_message.h"
+
+#include <daemon.h>
+
+#define ALLOCATION_BLOCK 64
+
+typedef struct private_ha_message_t private_ha_message_t;
+
+/**
+ * Private data of an ha_message_t object.
+ */
+struct private_ha_message_t {
+
+	/**
+	 * Public ha_message_t interface.
+	 */
+	ha_message_t public;
+
+	/**
+	 * Allocated size of buf
+	 */
+	size_t allocated;
+
+	/**
+	 * Buffer containing encoded data
+	 */
+	chunk_t buf;
+};
+
+typedef struct ike_sa_id_encoding_t ike_sa_id_encoding_t;
+
+/**
+ * Encoding if an ike_sa_id_t
+ */
+struct ike_sa_id_encoding_t {
+	u_int64_t initiator_spi;
+	u_int64_t responder_spi;
+	u_int8_t initiator;
+} __attribute__((packed));
+
+typedef struct identification_encoding_t identification_encoding_t;
+
+/**
+ * Encoding of a identification_t
+ */
+struct identification_encoding_t {
+	u_int8_t type;
+	u_int8_t len;
+	char encoding[];
+} __attribute__((packed));
+
+typedef struct host_encoding_t host_encoding_t;
+
+/**
+ * encoding of a host_t
+ */
+struct host_encoding_t {
+	u_int16_t port;
+	u_int8_t family;
+	char encoding[];
+} __attribute__((packed));
+
+typedef struct ts_encoding_t ts_encoding_t;
+
+/**
+ * encoding of a traffic_selector_t
+ */
+struct ts_encoding_t {
+	u_int8_t type;
+	u_int8_t protocol;
+	u_int16_t from_port;
+	u_int16_t to_port;
+	u_int8_t dynamic;
+	char encoding[];
+} __attribute__((packed));
+
+/**
+ * Implementation of ha_message_t.get_type
+ */
+static ha_message_type_t get_type(private_ha_message_t *this)
+{
+	return this->buf.ptr[1];
+}
+
+/**
+ * check for space in buffer, increase if necessary
+ */
+static void check_buf(private_ha_message_t *this, size_t len)
+{
+	int increased = 0;
+
+	while (this->buf.len + len > this->allocated)
+	{	/* double size */
+		this->allocated += ALLOCATION_BLOCK;
+		increased++;
+	}
+	if (increased)
+	{
+		this->buf.ptr = realloc(this->buf.ptr, this->allocated);
+	}
+}
+
+/**
+ * Implementation of ha_message_t.add_attribute
+ */
+static void add_attribute(private_ha_message_t *this,
+						  ha_message_attribute_t attribute, ...)
+{
+	size_t len;
+	va_list args;
+
+	check_buf(this, sizeof(u_int8_t));
+	this->buf.ptr[this->buf.len] = attribute;
+	this->buf.len += sizeof(u_int8_t);
+
+	va_start(args, attribute);
+	switch (attribute)
+	{
+		/* ike_sa_id_t* */
+		case HA_IKE_ID:
+		case HA_IKE_REKEY_ID:
+		{
+			ike_sa_id_encoding_t *enc;
+			ike_sa_id_t *id;
+
+			id = va_arg(args, ike_sa_id_t*);
+			check_buf(this, sizeof(ike_sa_id_encoding_t));
+			enc = (ike_sa_id_encoding_t*)(this->buf.ptr + this->buf.len);
+			this->buf.len += sizeof(ike_sa_id_encoding_t);
+			enc->initiator = id->is_initiator(id);
+			enc->initiator_spi = id->get_initiator_spi(id);
+			enc->responder_spi = id->get_responder_spi(id);
+			break;
+		}
+		/* identification_t* */
+		case HA_LOCAL_ID:
+		case HA_REMOTE_ID:
+		{
+			identification_encoding_t *enc;
+			identification_t *id;
+			chunk_t data;
+
+			id = va_arg(args, identification_t*);
+			data = id->get_encoding(id);
+			check_buf(this, sizeof(identification_encoding_t) + data.len);
+			enc = (identification_encoding_t*)(this->buf.ptr + this->buf.len);
+			this->buf.len += sizeof(identification_encoding_t) + data.len;
+			enc->type = id->get_type(id);
+			enc->len = data.len;
+			memcpy(enc->encoding, data.ptr, data.len);
+			break;
+		}
+		/* host_t* */
+		case HA_LOCAL_ADDR:
+		case HA_REMOTE_ADDR:
+		case HA_LOCAL_VIP:
+		case HA_REMOTE_VIP:
+		case HA_ADDITIONAL_ADDR:
+		{
+			host_encoding_t *enc;
+			host_t *host;
+			chunk_t data;
+
+			host = va_arg(args, host_t*);
+			data = host->get_address(host);
+			check_buf(this, sizeof(host_encoding_t) + data.len);
+			enc = (host_encoding_t*)(this->buf.ptr + this->buf.len);
+			this->buf.len += sizeof(host_encoding_t) + data.len;
+			enc->family = host->get_family(host);
+			enc->port = htons(host->get_port(host));
+			memcpy(enc->encoding, data.ptr, data.len);
+			break;
+		}
+		/* char* */
+		case HA_CONFIG_NAME:
+		{
+			char *str;
+
+			str = va_arg(args, char*);
+			len = strlen(str) + 1;
+			check_buf(this, len);
+			memcpy(this->buf.ptr + this->buf.len, str, len);
+			this->buf.len += len;
+			break;
+		}
+		/* u_int8_t */
+		case HA_IPSEC_MODE:
+		case HA_IPCOMP:
+		{
+			u_int8_t val;
+
+			val = va_arg(args, u_int);
+			check_buf(this, sizeof(val));
+			this->buf.ptr[this->buf.len] = val;
+			this->buf.len += sizeof(val);
+			break;
+		}
+		/* u_int16_t */
+		case HA_ALG_PRF:
+		case HA_ALG_OLD_PRF:
+		case HA_ALG_ENCR:
+		case HA_ALG_ENCR_LEN:
+		case HA_ALG_INTEG:
+		case HA_INBOUND_CPI:
+		case HA_OUTBOUND_CPI:
+		case HA_SEGMENT:
+		{
+			u_int16_t val;
+
+			val = va_arg(args, u_int);
+			check_buf(this, sizeof(val));
+			*(u_int16_t*)(this->buf.ptr + this->buf.len) = htons(val);
+			this->buf.len += sizeof(val);
+			break;
+		}
+		/** u_int32_t */
+		case HA_CONDITIONS:
+		case HA_EXTENSIONS:
+		case HA_INBOUND_SPI:
+		case HA_OUTBOUND_SPI:
+		case HA_INITIATE_MID:
+		case HA_RESPOND_MID:
+		{
+			u_int32_t val;
+
+			val = va_arg(args, u_int);
+			check_buf(this, sizeof(val));
+			*(u_int32_t*)(this->buf.ptr + this->buf.len) = htonl(val);
+			this->buf.len += sizeof(val);
+			break;
+		}
+		/** chunk_t */
+		case HA_NONCE_I:
+		case HA_NONCE_R:
+		case HA_SECRET:
+		case HA_OLD_SKD:
+		{
+			chunk_t chunk;
+
+			chunk = va_arg(args, chunk_t);
+			check_buf(this, chunk.len + sizeof(u_int16_t));
+			*(u_int16_t*)(this->buf.ptr + this->buf.len) = htons(chunk.len);
+			memcpy(this->buf.ptr + this->buf.len + sizeof(u_int16_t),
+				   chunk.ptr, chunk.len);
+			this->buf.len += chunk.len + sizeof(u_int16_t);;
+			break;
+		}
+		/** traffic_selector_t */
+		case HA_LOCAL_TS:
+		case HA_REMOTE_TS:
+		{
+			ts_encoding_t *enc;
+			traffic_selector_t *ts;
+			chunk_t data;
+
+			ts = va_arg(args, traffic_selector_t*);
+			data = chunk_cata("cc", ts->get_from_address(ts),
+							  ts->get_to_address(ts));
+			check_buf(this, sizeof(ts_encoding_t) + data.len);
+			enc = (ts_encoding_t*)(this->buf.ptr + this->buf.len);
+			this->buf.len += sizeof(ts_encoding_t) + data.len;
+			enc->type = ts->get_type(ts);
+			enc->protocol = ts->get_protocol(ts);
+			enc->from_port = htons(ts->get_from_port(ts));
+			enc->to_port = htons(ts->get_to_port(ts));
+			enc->dynamic = ts->is_dynamic(ts);
+			memcpy(enc->encoding, data.ptr, data.len);
+			break;
+		}
+		default:
+		{
+			DBG1(DBG_CFG, "unable to encode, attribute %d unknown", attribute);
+			this->buf.len -= sizeof(u_int8_t);
+			break;
+		}
+	}
+	va_end(args);
+}
+
+/**
+ * Attribute enumerator implementation
+ */
+typedef struct {
+	/** implementes enumerator_t */
+	enumerator_t public;
+	/** position in message */
+	chunk_t buf;
+	/** cleanup handler of current element, if any */
+	void (*cleanup)(void* data);
+	/** data to pass to cleanup handler */
+	void *cleanup_data;
+} attribute_enumerator_t;
+
+/**
+ * Implementation of create_attribute_enumerator().enumerate
+ */
+static bool attribute_enumerate(attribute_enumerator_t *this,
+								ha_message_attribute_t *attr_out,
+								ha_message_value_t *value)
+{
+	ha_message_attribute_t attr;
+
+	if (this->cleanup)
+	{
+		this->cleanup(this->cleanup_data);
+		this->cleanup = NULL;
+	}
+	if (this->buf.len < 1)
+	{
+		return FALSE;
+	}
+	attr = this->buf.ptr[0];
+	this->buf = chunk_skip(this->buf, 1);
+	switch (attr)
+	{
+		/* ike_sa_id_t* */
+		case HA_IKE_ID:
+		case HA_IKE_REKEY_ID:
+		{
+			ike_sa_id_encoding_t *enc;
+
+			if (this->buf.len < sizeof(ike_sa_id_encoding_t))
+			{
+				return FALSE;
+			}
+			enc = (ike_sa_id_encoding_t*)(this->buf.ptr);
+			value->ike_sa_id = ike_sa_id_create(enc->initiator_spi,
+											enc->responder_spi, enc->initiator);
+			*attr_out = attr;
+			this->cleanup = (void*)value->ike_sa_id->destroy;
+			this->cleanup_data = value->ike_sa_id;
+			this->buf = chunk_skip(this->buf, sizeof(ike_sa_id_encoding_t));
+			return TRUE;
+		}
+		/* identification_t* */
+		case HA_LOCAL_ID:
+		case HA_REMOTE_ID:
+		{
+			identification_encoding_t *enc;
+
+			enc = (identification_encoding_t*)(this->buf.ptr);
+			if (this->buf.len < sizeof(identification_encoding_t) ||
+				this->buf.len < sizeof(identification_encoding_t) + enc->len)
+			{
+				return FALSE;
+			}
+			value->id = identification_create_from_encoding(enc->type,
+										chunk_create(enc->encoding, enc->len));
+			*attr_out = attr;
+			this->cleanup = (void*)value->id->destroy;
+			this->cleanup_data = value->id;
+			this->buf = chunk_skip(this->buf,
+								sizeof(identification_encoding_t) + enc->len);
+			return TRUE;
+		}
+		/* host_t* */
+		case HA_LOCAL_ADDR:
+		case HA_REMOTE_ADDR:
+		case HA_LOCAL_VIP:
+		case HA_REMOTE_VIP:
+		case HA_ADDITIONAL_ADDR:
+		{
+			host_encoding_t *enc;
+
+			enc = (host_encoding_t*)(this->buf.ptr);
+			if (this->buf.len < sizeof(host_encoding_t))
+			{
+				return FALSE;
+			}
+			value->host = host_create_from_chunk(enc->family,
+									chunk_create(enc->encoding,
+										this->buf.len - sizeof(host_encoding_t)),
+									ntohs(enc->port));
+			if (!value->host)
+			{
+				return FALSE;
+			}
+			*attr_out = attr;
+			this->cleanup = (void*)value->host->destroy;
+			this->cleanup_data = value->host;
+			this->buf = chunk_skip(this->buf, sizeof(host_encoding_t) +
+								   value->host->get_address(value->host).len);
+			return TRUE;
+		}
+		/* char* */
+		case HA_CONFIG_NAME:
+		{
+			size_t len;
+
+			len = strnlen(this->buf.ptr, this->buf.len);
+			if (len >= this->buf.len)
+			{
+				return FALSE;
+			}
+			value->str = this->buf.ptr;
+			*attr_out = attr;
+			this->buf = chunk_skip(this->buf, len + 1);
+			return TRUE;
+		}
+		/* u_int8_t */
+		case HA_IPSEC_MODE:
+		case HA_IPCOMP:
+		{
+			if (this->buf.len < sizeof(u_int8_t))
+			{
+				return FALSE;
+			}
+			value->u8 = *(u_int8_t*)this->buf.ptr;
+			*attr_out = attr;
+			this->buf = chunk_skip(this->buf, sizeof(u_int8_t));
+			return TRUE;
+		}
+		/** u_int16_t */
+		case HA_ALG_PRF:
+		case HA_ALG_OLD_PRF:
+		case HA_ALG_ENCR:
+		case HA_ALG_ENCR_LEN:
+		case HA_ALG_INTEG:
+		case HA_INBOUND_CPI:
+		case HA_OUTBOUND_CPI:
+		case HA_SEGMENT:
+		{
+			if (this->buf.len < sizeof(u_int16_t))
+			{
+				return FALSE;
+			}
+			value->u16 = ntohs(*(u_int16_t*)this->buf.ptr);
+			*attr_out = attr;
+			this->buf = chunk_skip(this->buf, sizeof(u_int16_t));
+			return TRUE;
+		}
+		/** u_int32_t */
+		case HA_CONDITIONS:
+		case HA_EXTENSIONS:
+		case HA_INBOUND_SPI:
+		case HA_OUTBOUND_SPI:
+		case HA_INITIATE_MID:
+		case HA_RESPOND_MID:
+		{
+			if (this->buf.len < sizeof(u_int32_t))
+			{
+				return FALSE;
+			}
+			value->u32 = ntohl(*(u_int32_t*)this->buf.ptr);
+			*attr_out = attr;
+			this->buf = chunk_skip(this->buf, sizeof(u_int32_t));
+			return TRUE;
+		}
+		/** chunk_t */
+		case HA_NONCE_I:
+		case HA_NONCE_R:
+		case HA_SECRET:
+		case HA_OLD_SKD:
+		{
+			size_t len;
+
+			if (this->buf.len < sizeof(u_int16_t))
+			{
+				return FALSE;
+			}
+			len = ntohs(*(u_int16_t*)this->buf.ptr);
+			this->buf = chunk_skip(this->buf, sizeof(u_int16_t));
+			if (this->buf.len < len)
+			{
+				return FALSE;
+			}
+			value->chunk.len = len;
+			value->chunk.ptr = this->buf.ptr;
+			*attr_out = attr;
+			this->buf = chunk_skip(this->buf, len);
+			return TRUE;
+		}
+		case HA_LOCAL_TS:
+		case HA_REMOTE_TS:
+		{
+			ts_encoding_t *enc;
+			host_t *host;
+			int addr_len;
+
+			enc = (ts_encoding_t*)(this->buf.ptr);
+			if (this->buf.len < sizeof(ts_encoding_t))
+			{
+				return FALSE;
+			}
+			switch (enc->type)
+			{
+				case TS_IPV4_ADDR_RANGE:
+					addr_len = 4;
+					if (this->buf.len < sizeof(ts_encoding_t) + 2 * addr_len)
+					{
+						return FALSE;
+					}
+					break;
+				case TS_IPV6_ADDR_RANGE:
+					addr_len = 16;
+					if (this->buf.len < sizeof(ts_encoding_t) + 2 * addr_len)
+					{
+						return FALSE;
+					}
+					break;
+				default:
+					return FALSE;
+			}
+			if (enc->dynamic)
+			{
+				host = host_create_from_chunk(0,
+									chunk_create(enc->encoding, addr_len), 0);
+				if (!host)
+				{
+					return FALSE;
+				}
+				value->ts = traffic_selector_create_dynamic(enc->protocol,
+									ntohs(enc->from_port), ntohs(enc->to_port));
+				value->ts->set_address(value->ts, host);
+				host->destroy(host);
+			}
+			else
+			{
+				value->ts = traffic_selector_create_from_bytes(enc->protocol,
+								enc->type, chunk_create(enc->encoding, addr_len),
+								ntohs(enc->from_port),
+								chunk_create(enc->encoding + addr_len, addr_len),
+								ntohs(enc->to_port));
+				if (!value->ts)
+				{
+					return FALSE;
+				}
+			}
+			*attr_out = attr;
+			this->cleanup = (void*)value->ts->destroy;
+			this->cleanup_data = value->ts;
+			this->buf = chunk_skip(this->buf, sizeof(ts_encoding_t)
+										+ addr_len * 2);
+			return TRUE;
+		}
+		default:
+		{
+			return FALSE;
+		}
+	}
+}
+
+/**
+ * Implementation of create_attribute_enumerator().destroy
+ */
+static void enum_destroy(attribute_enumerator_t *this)
+{
+	if (this->cleanup)
+	{
+		this->cleanup(this->cleanup_data);
+	}
+	free(this);
+}
+
+/**
+ * Implementation of ha_message_t.create_attribute_enumerator
+ */
+static enumerator_t* create_attribute_enumerator(private_ha_message_t *this)
+{
+	attribute_enumerator_t *e = malloc_thing(attribute_enumerator_t);
+
+	e->public.enumerate = (void*)attribute_enumerate;
+	e->public.destroy = (void*)enum_destroy;
+
+	e->buf = chunk_skip(this->buf, 2);
+	e->cleanup = NULL;
+	e->cleanup_data = NULL;
+
+	return &e->public;
+}
+
+/**
+ * Implementation of ha_message_t.get_encoding
+ */
+static chunk_t get_encoding(private_ha_message_t *this)
+{
+	return this->buf;
+}
+
+/**
+ * Implementation of ha_message_t.destroy.
+ */
+static void destroy(private_ha_message_t *this)
+{
+	free(this->buf.ptr);
+	free(this);
+}
+
+
+static private_ha_message_t *ha_message_create_generic()
+{
+	private_ha_message_t *this = malloc_thing(private_ha_message_t);
+
+	this->public.get_type = (ha_message_type_t(*)(ha_message_t*))get_type;
+	this->public.add_attribute = (void(*)(ha_message_t*, ha_message_attribute_t attribute, ...))add_attribute;
+	this->public.create_attribute_enumerator = (enumerator_t*(*)(ha_message_t*))create_attribute_enumerator;
+	this->public.get_encoding = (chunk_t(*)(ha_message_t*))get_encoding;
+	this->public.destroy = (void(*)(ha_message_t*))destroy;
+
+	return this;
+}
+
+/**
+ * See header
+ */
+ha_message_t *ha_message_create(ha_message_type_t type)
+{
+	private_ha_message_t *this = ha_message_create_generic();
+
+	this->allocated = ALLOCATION_BLOCK;
+	this->buf.ptr = malloc(this->allocated);
+	this->buf.len = 2;
+	this->buf.ptr[0] = HA_MESSAGE_VERSION;
+	this->buf.ptr[1] = type;
+
+	return &this->public;
+}
+
+/**
+ * See header
+ */
+ha_message_t *ha_message_parse(chunk_t data)
+{
+	private_ha_message_t *this;
+
+	if (data.len < 2)
+	{
+		DBG1(DBG_CFG, "HA message too short");
+		return NULL;
+	}
+	if (data.ptr[0] != HA_MESSAGE_VERSION)
+	{
+		DBG1(DBG_CFG, "HA message has version %d, expected %d",
+			 data.ptr[0], HA_MESSAGE_VERSION);
+		return NULL;
+	}
+
+	this = ha_message_create_generic();
+	this->buf = chunk_clone(data);
+	this->allocated = this->buf.len;
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/plugins/ha/ha_message.h b/src/libcharon/plugins/ha/ha_message.h
new file mode 100644
index 000000000..b2bc23724
--- /dev/null
+++ b/src/libcharon/plugins/ha/ha_message.h
@@ -0,0 +1,205 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ha_message ha_message
+ * @{ @ingroup ha
+ */
+
+#ifndef HA_MESSAGE_H_
+#define HA_MESSAGE_H_
+
+#include <library.h>
+#include <utils/host.h>
+#include <utils/identification.h>
+#include <sa/ike_sa_id.h>
+#include <selectors/traffic_selector.h>
+
+/**
+ * Protocol version of this implementation
+ */
+#define HA_MESSAGE_VERSION 1
+
+typedef struct ha_message_t ha_message_t;
+typedef enum ha_message_type_t ha_message_type_t;
+typedef enum ha_message_attribute_t ha_message_attribute_t;
+typedef union ha_message_value_t ha_message_value_t;
+
+/**
+ * Type of a HA message
+ */
+enum ha_message_type_t {
+	/** add a completely new IKE_SA */
+	HA_IKE_ADD = 1,
+	/** update an existing IKE_SA (message IDs, address update, ...) */
+	HA_IKE_UPDATE,
+	/** delete an existing IKE_SA */
+	HA_IKE_DELETE,
+	/** add a new CHILD_SA */
+	HA_CHILD_ADD,
+	/** delete an existing CHILD_SA */
+	HA_CHILD_DELETE,
+	/** segments the sending node is giving up */
+	HA_SEGMENT_DROP,
+	/** segments the sending node is taking over */
+	HA_SEGMENT_TAKE,
+	/** status with the segments the sending node is currently serving */
+	HA_STATUS,
+	/** segments the receiving node is requested to resync */
+	HA_RESYNC,
+};
+
+/**
+ * Type of attributes contained in a message
+ */
+enum ha_message_attribute_t {
+	/** ike_sa_id_t*, to identify IKE_SA */
+	HA_IKE_ID = 1,
+	/** ike_Sa_id_t*, identifies IKE_SA which gets rekeyed */
+	HA_IKE_REKEY_ID,
+	/** identification_t*, local identity */
+	HA_LOCAL_ID,
+	/** identification_t*, remote identity */
+	HA_REMOTE_ID,
+	/** host_t*, local address */
+	HA_LOCAL_ADDR,
+	/** host_t*, remote address */
+	HA_REMOTE_ADDR,
+	/** char*, name of configuration */
+	HA_CONFIG_NAME,
+	/** u_int32_t, bitset of ike_condition_t */
+	HA_CONDITIONS,
+	/** u_int32_t, bitset of ike_extension_t */
+	HA_EXTENSIONS,
+	/** host_t*, local virtual IP */
+	HA_LOCAL_VIP,
+	/** host_t*, remote virtual IP */
+	HA_REMOTE_VIP,
+	/** host_t*, additional MOBIKE peer address */
+	HA_ADDITIONAL_ADDR,
+	/** chunk_t, initiators nonce */
+	HA_NONCE_I,
+	/** chunk_t, responders nonce */
+	HA_NONCE_R,
+	/** chunk_t, diffie hellman shared secret */
+	HA_SECRET,
+	/** chunk_t, SKd of old SA if rekeying */
+	HA_OLD_SKD,
+	/** u_int16_t, pseudo random function */
+	HA_ALG_PRF,
+	/** u_int16_t, old pseudo random function if rekeying */
+	HA_ALG_OLD_PRF,
+	/** u_int16_t, encryption algorithm */
+	HA_ALG_ENCR,
+	/** u_int16_t, encryption key size in bytes */
+	HA_ALG_ENCR_LEN,
+	/** u_int16_t, integrity protection algorithm */
+	HA_ALG_INTEG,
+	/** u_int8_t, IPsec mode, TUNNEL|TRANSPORT|... */
+	HA_IPSEC_MODE,
+	/** u_int8_t, IPComp protocol */
+	HA_IPCOMP,
+	/** u_int32_t, inbound security parameter index */
+	HA_INBOUND_SPI,
+	/** u_int32_t, outbound security parameter index */
+	HA_OUTBOUND_SPI,
+	/** u_int16_t, inbound security parameter index */
+	HA_INBOUND_CPI,
+	/** u_int16_t, outbound security parameter index */
+	HA_OUTBOUND_CPI,
+	/** traffic_selector_t*, local traffic selector */
+	HA_LOCAL_TS,
+	/** traffic_selector_t*, remote traffic selector */
+	HA_REMOTE_TS,
+	/** u_int32_t, initiating message ID */
+	HA_INITIATE_MID,
+	/** u_int32_t, responding message ID */
+	HA_RESPOND_MID,
+	/** u_int16_t, HA segment */
+	HA_SEGMENT,
+};
+
+/**
+ * Union to enumerate typed attributes in a message
+ */
+union ha_message_value_t {
+	u_int8_t u8;
+	u_int16_t u16;
+	u_int32_t u32;
+	char *str;
+	chunk_t chunk;
+	ike_sa_id_t *ike_sa_id;
+	identification_t *id;
+	host_t *host;
+	traffic_selector_t *ts;
+};
+
+/**
+ * Abstracted message passed between nodes in a HA cluster.
+ */
+struct ha_message_t {
+
+	/**
+	 * Get the type of the message.
+	 *
+	 * @return		message type
+	 */
+	ha_message_type_t (*get_type)(ha_message_t *this);
+
+	/**
+	 * Add an attribute to a message.
+	 *
+	 * @param attribute		attribute type to add
+	 * @param ...			attribute specific data
+	 */
+	void (*add_attribute)(ha_message_t *this,
+						  ha_message_attribute_t attribute, ...);
+
+	/**
+	 * Create an enumerator over all attributes in a message.
+	 *
+	 * @return				enumerator over attribute, ha_message_value_t
+	 */
+	enumerator_t* (*create_attribute_enumerator)(ha_message_t *this);
+
+	/**
+	 * Get the message in a encoded form.
+	 *
+	 * @return				chunk pointing to internal data
+	 */
+	chunk_t (*get_encoding)(ha_message_t *this);
+
+	/**
+	 * Destroy a ha_message_t.
+	 */
+	void (*destroy)(ha_message_t *this);
+};
+
+/**
+ * Create a new ha_message instance, ready for adding attributes
+ *
+ * @param version			protocol version to create a message from
+ * @param type				type of the message
+ */
+ha_message_t *ha_message_create(ha_message_type_t type);
+
+/**
+ * Create a ha_message from encoded data.
+ *
+ * @param data				encoded message data
+ */
+ha_message_t *ha_message_parse(chunk_t data);
+
+#endif /* HA_MESSAGE_ @}*/
diff --git a/src/libcharon/plugins/ha/ha_plugin.c b/src/libcharon/plugins/ha/ha_plugin.c
new file mode 100644
index 000000000..ea255c8ab
--- /dev/null
+++ b/src/libcharon/plugins/ha/ha_plugin.c
@@ -0,0 +1,163 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ha_plugin.h"
+#include "ha_ike.h"
+#include "ha_child.h"
+#include "ha_socket.h"
+#include "ha_tunnel.h"
+#include "ha_dispatcher.h"
+#include "ha_segments.h"
+#include "ha_ctl.h"
+
+#include <daemon.h>
+#include <config/child_cfg.h>
+
+typedef struct private_ha_plugin_t private_ha_plugin_t;
+
+/**
+ * private data of ha plugin
+ */
+struct private_ha_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	ha_plugin_t public;
+
+	/**
+	 * Communication socket
+	 */
+	ha_socket_t *socket;
+
+	/**
+	 * Tunnel securing sync messages.
+	 */
+	ha_tunnel_t *tunnel;
+
+	/**
+	 * IKE_SA synchronization
+	 */
+	ha_ike_t *ike;
+
+	/**
+	 * CHILD_SA synchronization
+	 */
+	ha_child_t *child;
+
+	/**
+	 * Dispatcher to process incoming messages
+	 */
+	ha_dispatcher_t *dispatcher;
+
+	/**
+	 * Active/Passive segment management
+	 */
+	ha_segments_t *segments;
+
+	/**
+	 * Interface to control segments at kernel level
+	 */
+	ha_kernel_t *kernel;
+
+	/**
+	 * Segment control interface via FIFO
+	 */
+	ha_ctl_t *ctl;
+};
+
+/**
+ * Implementation of plugin_t.destroy
+ */
+static void destroy(private_ha_plugin_t *this)
+{
+	DESTROY_IF(this->ctl);
+	charon->bus->remove_listener(charon->bus, &this->segments->listener);
+	charon->bus->remove_listener(charon->bus, &this->ike->listener);
+	charon->bus->remove_listener(charon->bus, &this->child->listener);
+	this->ike->destroy(this->ike);
+	this->child->destroy(this->child);
+	this->dispatcher->destroy(this->dispatcher);
+	this->segments->destroy(this->segments);
+	this->kernel->destroy(this->kernel);
+	this->socket->destroy(this->socket);
+	DESTROY_IF(this->tunnel);
+	free(this);
+}
+
+/**
+ * Plugin constructor
+ */
+plugin_t *ha_plugin_create()
+{
+	private_ha_plugin_t *this;
+	char *local, *remote, *secret;
+	u_int count;
+	bool fifo, monitor, resync;
+
+	local = lib->settings->get_str(lib->settings,
+								"charon.plugins.ha.local", NULL);
+	remote = lib->settings->get_str(lib->settings,
+								"charon.plugins.ha.remote", NULL);
+	secret = lib->settings->get_str(lib->settings,
+								"charon.plugins.ha.secret", NULL);
+	fifo = lib->settings->get_bool(lib->settings,
+								"charon.plugins.ha.fifo_interface", TRUE);
+	monitor = lib->settings->get_bool(lib->settings,
+								"charon.plugins.ha.monitor", TRUE);
+	resync = lib->settings->get_bool(lib->settings,
+								"charon.plugins.ha.resync", TRUE);
+	count = min(SEGMENTS_MAX, lib->settings->get_int(lib->settings,
+								"charon.plugins.ha.segment_count", 1));
+	if (!local || !remote)
+	{
+		DBG1(DBG_CFG, "HA config misses local/remote address");
+		return NULL;
+	}
+
+	this = malloc_thing(private_ha_plugin_t);
+
+	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+	this->tunnel = NULL;
+	this->ctl = NULL;
+
+	if (secret)
+	{
+		this->tunnel = ha_tunnel_create(local, remote, secret);
+	}
+	this->socket = ha_socket_create(local, remote);
+	if (!this->socket)
+	{
+		DESTROY_IF(this->tunnel);
+		free(this);
+		return NULL;
+	}
+	this->kernel = ha_kernel_create(count);
+	this->segments = ha_segments_create(this->socket, this->kernel, this->tunnel,
+							count, strcmp(local, remote) > 0, monitor, resync);
+	if (fifo)
+	{
+		this->ctl = ha_ctl_create(this->segments);
+	}
+	this->dispatcher = ha_dispatcher_create(this->socket, this->segments);
+	this->ike = ha_ike_create(this->socket, this->tunnel);
+	this->child = ha_child_create(this->socket, this->tunnel);
+	charon->bus->add_listener(charon->bus, &this->segments->listener);
+	charon->bus->add_listener(charon->bus, &this->ike->listener);
+	charon->bus->add_listener(charon->bus, &this->child->listener);
+
+	return &this->public.plugin;
+}
+
diff --git a/src/libcharon/plugins/ha/ha_plugin.h b/src/libcharon/plugins/ha/ha_plugin.h
new file mode 100644
index 000000000..1ae2fe6dd
--- /dev/null
+++ b/src/libcharon/plugins/ha/ha_plugin.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ha ha
+ * @ingroup cplugins
+ *
+ * @defgroup ha_plugin ha_plugin
+ * @{ @ingroup ha
+ */
+
+#ifndef HA_PLUGIN_H_
+#define HA_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+/**
+ * UDP port we use for communication
+ */
+#define HA_PORT 4510
+
+typedef struct ha_plugin_t ha_plugin_t;
+
+/**
+ * Plugin to synchronize state in a high availability cluster.
+ */
+struct ha_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+#endif /* HA_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/ha/ha_segments.c b/src/libcharon/plugins/ha/ha_segments.c
new file mode 100644
index 000000000..2199671fc
--- /dev/null
+++ b/src/libcharon/plugins/ha/ha_segments.c
@@ -0,0 +1,503 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ha_segments.h"
+
+#include <pthread.h>
+
+#include <threading/mutex.h>
+#include <threading/condvar.h>
+#include <utils/linked_list.h>
+#include <processing/jobs/callback_job.h>
+
+#define HEARTBEAT_DELAY 1000
+#define HEARTBEAT_TIMEOUT 2100
+
+typedef struct private_ha_segments_t private_ha_segments_t;
+
+/**
+ * Private data of an ha_segments_t object.
+ */
+struct private_ha_segments_t {
+
+	/**
+	 * Public ha_segments_t interface.
+	 */
+	ha_segments_t public;
+
+	/**
+	 * communication socket
+	 */
+	ha_socket_t *socket;
+
+	/**
+	 * Sync tunnel, if any
+	 */
+	ha_tunnel_t *tunnel;
+
+	/**
+	 * Interface to control segments at kernel level
+	 */
+	ha_kernel_t *kernel;
+
+	/**
+	 * Mutex to lock segment manipulation
+	 */
+	mutex_t *mutex;
+
+	/**
+	 * Condvar to wait for heartbeats
+	 */
+	condvar_t *condvar;
+
+	/**
+	 * Job checking for heartbeats
+	 */
+	callback_job_t *job;
+
+	/**
+	 * Total number of ClusterIP segments
+	 */
+	u_int count;
+
+	/**
+	 * mask of active segments
+	 */
+	segment_mask_t active;
+
+	/**
+	 * Node number
+	 */
+	u_int node;
+};
+
+/**
+ * Log currently active segments
+ */
+static void log_segments(private_ha_segments_t *this, bool activated,
+						 u_int segment)
+{
+	char buf[64] = "none", *pos = buf;
+	int i;
+	bool first = TRUE;
+
+	for (i = 1; i <= this->count; i++)
+	{
+		if (this->active & SEGMENTS_BIT(i))
+		{
+			if (first)
+			{
+				first = FALSE;
+			}
+			else
+			{
+				pos += snprintf(pos, buf + sizeof(buf) - pos, ",");
+			}
+			pos += snprintf(pos, buf + sizeof(buf) - pos, "%d", i);
+		}
+	}
+	DBG1(DBG_CFG, "HA segment %d %sactivated, now active: %s",
+		 segment, activated ? "" : "de", buf);
+}
+
+/**
+ * Enable/Disable a specific segment
+ */
+static void enable_disable(private_ha_segments_t *this, u_int segment,
+						   bool enable, bool notify)
+{
+	ike_sa_t *ike_sa;
+	enumerator_t *enumerator;
+	ike_sa_state_t old, new;
+	ha_message_t *message = NULL;
+	ha_message_type_t type;
+	bool changes = FALSE;
+
+	if (segment > this->count)
+	{
+		return;
+	}
+
+	if (enable)
+	{
+		old = IKE_PASSIVE;
+		new = IKE_ESTABLISHED;
+		type = HA_SEGMENT_TAKE;
+		if (!(this->active & SEGMENTS_BIT(segment)))
+		{
+			this->active |= SEGMENTS_BIT(segment);
+			this->kernel->activate(this->kernel, segment);
+			changes = TRUE;
+		}
+	}
+	else
+	{
+		old = IKE_ESTABLISHED;
+		new = IKE_PASSIVE;
+		type = HA_SEGMENT_DROP;
+		if (this->active & SEGMENTS_BIT(segment))
+		{
+			this->active &= ~SEGMENTS_BIT(segment);
+			this->kernel->deactivate(this->kernel, segment);
+			changes = TRUE;
+		}
+	}
+
+	if (changes)
+	{
+		enumerator = charon->ike_sa_manager->create_enumerator(charon->ike_sa_manager);
+		while (enumerator->enumerate(enumerator, &ike_sa))
+		{
+			if (ike_sa->get_state(ike_sa) != old)
+			{
+				continue;
+			}
+			if (this->tunnel && this->tunnel->is_sa(this->tunnel, ike_sa))
+			{
+				continue;
+			}
+			if (this->kernel->in_segment(this->kernel,
+									ike_sa->get_other_host(ike_sa), segment))
+			{
+				ike_sa->set_state(ike_sa, new);
+			}
+		}
+		enumerator->destroy(enumerator);
+		log_segments(this, enable, segment);
+	}
+
+	if (notify)
+	{
+		message = ha_message_create(type);
+		message->add_attribute(message, HA_SEGMENT, segment);
+		this->socket->push(this->socket, message);
+	}
+}
+
+/**
+ * Enable/Disable all or a specific segment, do locking
+ */
+static void enable_disable_all(private_ha_segments_t *this, u_int segment,
+							   bool enable, bool notify)
+{
+	int i;
+
+	this->mutex->lock(this->mutex);
+	if (segment == 0)
+	{
+		for (i = 1; i <= this->count; i++)
+		{
+			enable_disable(this, i, enable, notify);
+		}
+	}
+	else
+	{
+		enable_disable(this, segment, enable, notify);
+	}
+	this->mutex->unlock(this->mutex);
+}
+
+/**
+ * Implementation of ha_segments_t.activate
+ */
+static void activate(private_ha_segments_t *this, u_int segment, bool notify)
+{
+	enable_disable_all(this, segment, TRUE, notify);
+}
+
+/**
+ * Implementation of ha_segments_t.deactivate
+ */
+static void deactivate(private_ha_segments_t *this, u_int segment, bool notify)
+{
+	enable_disable_all(this, segment, FALSE, notify);
+}
+
+/**
+ * Rekey all children of an IKE_SA
+ */
+static status_t rekey_children(ike_sa_t *ike_sa)
+{
+	iterator_t *iterator;
+	child_sa_t *child_sa;
+	status_t status = SUCCESS;
+
+	iterator = ike_sa->create_child_sa_iterator(ike_sa);
+	while (iterator->iterate(iterator, (void**)&child_sa))
+	{
+		DBG1(DBG_CFG, "resyncing CHILD_SA");
+		status = ike_sa->rekey_child_sa(ike_sa, child_sa->get_protocol(child_sa),
+										child_sa->get_spi(child_sa, TRUE));
+		if (status == DESTROY_ME)
+		{
+			break;
+		}
+	}
+	iterator->destroy(iterator);
+	return status;
+}
+
+/**
+ * Implementation of ha_segments_t.resync
+ */
+static void resync(private_ha_segments_t *this, u_int segment)
+{
+	ike_sa_t *ike_sa;
+	enumerator_t *enumerator;
+	linked_list_t *list;
+	ike_sa_id_t *id;
+
+	list = linked_list_create();
+	this->mutex->lock(this->mutex);
+
+	if (segment > 0 && segment <= this->count)
+	{
+		DBG1(DBG_CFG, "resyncing HA segment %d", segment);
+
+		/* we do the actual rekeying in a seperate loop to avoid rekeying
+		 * an SA twice. */
+		enumerator = charon->ike_sa_manager->create_enumerator(
+													charon->ike_sa_manager);
+		while (enumerator->enumerate(enumerator, &ike_sa))
+		{
+			if (ike_sa->get_state(ike_sa) == IKE_ESTABLISHED &&
+				this->kernel->in_segment(this->kernel,
+									ike_sa->get_other_host(ike_sa), segment))
+			{
+				id = ike_sa->get_id(ike_sa);
+				list->insert_last(list, id->clone(id));
+			}
+		}
+		enumerator->destroy(enumerator);
+	}
+	this->mutex->unlock(this->mutex);
+
+	while (list->remove_last(list, (void**)&id) == SUCCESS)
+	{
+		ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager, id);
+		id->destroy(id);
+		if (ike_sa)
+		{
+			DBG1(DBG_CFG, "resyncing IKE_SA");
+			if (ike_sa->rekey(ike_sa) != DESTROY_ME)
+			{
+				if (rekey_children(ike_sa) != DESTROY_ME)
+				{
+					charon->ike_sa_manager->checkin(
+										charon->ike_sa_manager, ike_sa);
+					continue;
+				}
+			}
+			charon->ike_sa_manager->checkin_and_destroy(
+										charon->ike_sa_manager, ike_sa);
+		}
+	}
+	list->destroy(list);
+}
+
+/**
+ * Implementation of listener_t.alert
+ */
+static bool alert_hook(private_ha_segments_t *this, ike_sa_t *ike_sa,
+					   alert_t alert, va_list args)
+{
+	if (alert == ALERT_SHUTDOWN_SIGNAL)
+	{
+		deactivate(this, 0, TRUE);
+	}
+	return TRUE;
+}
+
+/**
+ * Request a resync of all segments
+ */
+static job_requeue_t request_resync(private_ha_segments_t *this)
+{
+	ha_message_t *message;
+	int i;
+
+	message = ha_message_create(HA_RESYNC);
+	for (i = 1; i <= this->count; i++)
+	{
+		message->add_attribute(message, HA_SEGMENT, i);
+	}
+	this->socket->push(this->socket, message);
+	return JOB_REQUEUE_NONE;
+}
+
+/**
+ * Monitor heartbeat activity of remote node
+ */
+static job_requeue_t watchdog(private_ha_segments_t *this)
+{
+	int oldstate;
+	bool timeout;
+
+	this->mutex->lock(this->mutex);
+	pthread_cleanup_push((void*)this->mutex->unlock, this->mutex);
+	pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
+	timeout = this->condvar->timed_wait(this->condvar, this->mutex,
+										HEARTBEAT_TIMEOUT);
+	pthread_setcancelstate(oldstate, NULL);
+	pthread_cleanup_pop(TRUE);
+	if (timeout)
+	{
+		DBG1(DBG_CFG, "no heartbeat received, taking all segments");
+		activate(this, 0, TRUE);
+		/* disable heartbeat detection util we get one */
+		this->job = NULL;
+		return JOB_REQUEUE_NONE;
+	}
+	return JOB_REQUEUE_DIRECT;
+}
+
+/**
+ * Start the heartbeat detection thread
+ */
+static void start_watchdog(private_ha_segments_t *this)
+{
+	this->job = callback_job_create((callback_job_cb_t)watchdog,
+									this, NULL, NULL);
+	charon->processor->queue_job(charon->processor, (job_t*)this->job);
+}
+
+/**
+ * Implementation of ha_segments_t.handle_status
+ */
+static void handle_status(private_ha_segments_t *this, segment_mask_t mask)
+{
+	segment_mask_t missing;
+	int i;
+
+	this->mutex->lock(this->mutex);
+
+	missing = ~(this->active | mask);
+
+	for (i = 1; i <= this->count; i++)
+	{
+		if (missing & SEGMENTS_BIT(i))
+		{
+			if (this->node == i % 2)
+			{
+				DBG1(DBG_CFG, "HA segment %d was not handled, taking", i);
+				enable_disable(this, i, TRUE, TRUE);
+			}
+			else
+			{
+				DBG1(DBG_CFG, "HA segment %d was not handled, dropping", i);
+				enable_disable(this, i, FALSE, TRUE);
+			}
+		}
+	}
+
+	this->mutex->unlock(this->mutex);
+	this->condvar->signal(this->condvar);
+
+	if (!this->job)
+	{
+		DBG1(DBG_CFG, "received heartbeat, reenabling watchdog");
+		start_watchdog(this);
+	}
+}
+
+/**
+ * Send a status message with our active segments
+ */
+static job_requeue_t send_status(private_ha_segments_t *this)
+{
+	ha_message_t *message;
+	int i;
+
+	message = ha_message_create(HA_STATUS);
+
+	for (i = 1; i <= this->count; i++)
+	{
+		if (this->active & SEGMENTS_BIT(i))
+		{
+			message->add_attribute(message, HA_SEGMENT, i);
+		}
+	}
+
+	this->socket->push(this->socket, message);
+
+	/* schedule next invocation */
+	charon->scheduler->schedule_job_ms(charon->scheduler, (job_t*)
+									callback_job_create((callback_job_cb_t)
+										send_status, this, NULL, NULL),
+									HEARTBEAT_DELAY);
+
+	return JOB_REQUEUE_NONE;
+}
+
+/**
+ * Implementation of ha_segments_t.destroy.
+ */
+static void destroy(private_ha_segments_t *this)
+{
+	if (this->job)
+	{
+		this->job->cancel(this->job);
+	}
+	this->mutex->destroy(this->mutex);
+	this->condvar->destroy(this->condvar);
+	free(this);
+}
+
+/**
+ * See header
+ */
+ha_segments_t *ha_segments_create(ha_socket_t *socket, ha_kernel_t *kernel,
+								  ha_tunnel_t *tunnel, u_int count, u_int node,
+								  bool monitor, bool sync)
+{
+	private_ha_segments_t *this = malloc_thing(private_ha_segments_t);
+
+	memset(&this->public.listener, 0, sizeof(listener_t));
+	this->public.listener.alert = (bool(*)(listener_t*, ike_sa_t *, alert_t, va_list))alert_hook;
+	this->public.activate = (void(*)(ha_segments_t*, u_int segment,bool))activate;
+	this->public.deactivate = (void(*)(ha_segments_t*, u_int segment,bool))deactivate;
+	this->public.resync = (void(*)(ha_segments_t*, u_int segment))resync;
+	this->public.handle_status = (void(*)(ha_segments_t*, segment_mask_t mask))handle_status;
+	this->public.destroy = (void(*)(ha_segments_t*))destroy;
+
+	this->socket = socket;
+	this->tunnel = tunnel;
+	this->kernel = kernel;
+	this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
+	this->condvar = condvar_create(CONDVAR_TYPE_DEFAULT);
+	this->count = count;
+	this->node = node;
+	this->job = NULL;
+
+	/* initially all segments are deactivated */
+	this->active = 0;
+
+	if (monitor)
+	{
+		send_status(this);
+		start_watchdog(this);
+	}
+
+	if (sync)
+	{
+		/* request a resync as soon as we are up */
+		charon->processor->queue_job(charon->processor, (job_t*)
+						callback_job_create((callback_job_cb_t)request_resync,
+											this, NULL, NULL));
+	}
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/plugins/ha/ha_segments.h b/src/libcharon/plugins/ha/ha_segments.h
new file mode 100644
index 000000000..6d1cd5441
--- /dev/null
+++ b/src/libcharon/plugins/ha/ha_segments.h
@@ -0,0 +1,111 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ha_segments ha_segments
+ * @{ @ingroup ha
+ */
+
+#ifndef HA_SEGMENTS_H_
+#define HA_SEGMENTS_H_
+
+#include <daemon.h>
+
+typedef struct ha_segments_t ha_segments_t;
+
+typedef u_int16_t segment_mask_t;
+
+/**
+ * maximum number of segments
+ */
+#define SEGMENTS_MAX (sizeof(segment_mask_t)*8)
+
+/**
+ * Get the bit in the mask of a segment
+ */
+#define SEGMENTS_BIT(segment) (0x01 << (segment - 1))
+
+#include "ha_socket.h"
+#include "ha_tunnel.h"
+#include "ha_kernel.h"
+
+/**
+ * Segmentation of peers into active and passive.
+ */
+struct ha_segments_t {
+
+	/**
+	 * Implements listener interface to catch daemon shutdown.
+	 */
+	listener_t listener;
+
+	/**
+	 * Activate a set of IKE_SAs identified by a segment.
+	 *
+	 * @param segment	numerical segment to takeover, 0 for all
+	 * @param notify	wheter to notify other nodes about activation
+	 */
+	void (*activate)(ha_segments_t *this, u_int segment, bool notify);
+
+	/**
+	 * Deactivate a set of IKE_SAs identified by a segment.
+	 *
+	 * @param segment	numerical segment to takeover, 0 for all
+	 * @param notify	wheter to notify other nodes about deactivation
+	 */
+	void (*deactivate)(ha_segments_t *this, u_int segment, bool notify);
+
+	/**
+	 * Resync an active segment.
+	 *
+	 * To reintegrade a node into the cluster, resynchronization is reqired.
+	 * IKE_SAs and CHILD_SAs are synced automatically during rekeying. A call
+	 * to this method enforces a rekeying immediately sync all state of a
+	 * segment.
+	 *
+	 * @param segment	segment to resync
+	 */
+	void (*resync)(ha_segments_t *this, u_int segment);
+
+	/**
+	 * Handle a status message from the remote node.
+	 *
+	 * @param mask		segments the remote node is serving actively
+	 */
+	void (*handle_status)(ha_segments_t *this, segment_mask_t mask);
+
+	/**
+	 * Destroy a ha_segments_t.
+	 */
+	void (*destroy)(ha_segments_t *this);
+};
+
+/**
+ * Create a ha_segments instance.
+ *
+ * @param socket		socket to communicate segment (de-)activation
+ * @param kernel		interface to control segments at kernel level
+ * @param tunnel		HA tunnel
+ * @param count			number of segments the cluster uses
+ * @param node			node, currently 1 or 0
+ * @param monitor		should we use monitoring functionality
+ * @param resync		request a complete resync on startup
+ * @return				segment object
+ */
+ha_segments_t *ha_segments_create(ha_socket_t *socket, ha_kernel_t *kernel,
+								  ha_tunnel_t *tunnel, u_int count, u_int node,
+								  bool monitor, bool resync);
+
+#endif /* HA_SEGMENTS_ @}*/
diff --git a/src/libcharon/plugins/ha/ha_socket.c b/src/libcharon/plugins/ha/ha_socket.c
new file mode 100644
index 000000000..b84b02868
--- /dev/null
+++ b/src/libcharon/plugins/ha/ha_socket.c
@@ -0,0 +1,234 @@
+/*
+ * Copyright (C) 2008-2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ha_socket.h"
+#include "ha_plugin.h"
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <errno.h>
+#include <unistd.h>
+#include <pthread.h>
+
+#include <daemon.h>
+#include <utils/host.h>
+#include <processing/jobs/callback_job.h>
+
+typedef struct private_ha_socket_t private_ha_socket_t;
+
+/**
+ * Private data of an ha_socket_t object.
+ */
+struct private_ha_socket_t {
+
+	/**
+	 * Public ha_socket_t interface.
+	 */
+	ha_socket_t public;
+
+	/**
+	 * UDP communication socket fd
+	 */
+	int fd;
+
+	/**
+	 * local host to receive/send from
+	 */
+	host_t *local;
+
+	/**
+	 * remote host to receive/send to
+	 */
+	host_t *remote;
+};
+
+/**
+ * Data to pass to the send_message() callback job
+ */
+typedef struct {
+	ha_message_t *message;
+	private_ha_socket_t *this;
+} job_data_t;
+
+/**
+ * Cleanup job data
+ */
+static void job_data_destroy(job_data_t *this)
+{
+	this->message->destroy(this->message);
+	free(this);
+}
+
+/**
+ * Callback to asynchronously send messages
+ */
+static job_requeue_t send_message(job_data_t *data)
+{
+	private_ha_socket_t *this;
+	chunk_t chunk;
+
+	this = data->this;
+	chunk = data->message->get_encoding(data->message);
+	if (send(this->fd, chunk.ptr, chunk.len, 0) < chunk.len)
+	{
+		DBG1(DBG_CFG, "pushing HA message failed: %s", strerror(errno));
+	}
+	return JOB_REQUEUE_NONE;
+}
+
+/**
+ * Implementation of ha_socket_t.push
+ */
+static void push(private_ha_socket_t *this, ha_message_t *message)
+{
+	chunk_t chunk;
+
+	/* Try to send synchronously, but non-blocking. */
+	chunk = message->get_encoding(message);
+	if (send(this->fd, chunk.ptr, chunk.len, MSG_DONTWAIT) < chunk.len)
+	{
+		if (errno == EAGAIN)
+		{
+			callback_job_t *job;
+			job_data_t *data;
+
+			/* Fallback to asynchronous transmission. This is required, as sendto()
+			 * is a blocking call if it acquires a policy. We could end up in a
+			 * deadlock, as we own an IKE_SA. */
+			data = malloc_thing(job_data_t);
+			data->message = message;
+			data->this = this;
+
+			job = callback_job_create((callback_job_cb_t)send_message,
+									  data, (void*)job_data_destroy, NULL);
+			charon->processor->queue_job(charon->processor, (job_t*)job);
+			return;
+		}
+		DBG1(DBG_CFG, "pushing HA message failed: %s", strerror(errno));
+	}
+	message->destroy(message);
+}
+
+/**
+ * Implementation of ha_socket_t.pull
+ */
+static ha_message_t *pull(private_ha_socket_t *this)
+{
+	while (TRUE)
+	{
+		ha_message_t *message;
+		char buf[1024];
+		int oldstate;
+		ssize_t len;
+
+		pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
+		len = recv(this->fd, buf, sizeof(buf), 0);
+		pthread_setcancelstate(oldstate, NULL);
+		if (len <= 0)
+		{
+			switch (errno)
+			{
+				case ECONNREFUSED:
+				case EINTR:
+					continue;
+				default:
+					DBG1(DBG_CFG, "pulling HA message failed: %s",
+						 strerror(errno));
+					sleep(1);
+			}
+		}
+		message = ha_message_parse(chunk_create(buf, len));
+		if (message)
+		{
+			return message;
+		}
+	}
+}
+
+/**
+ * Open and connect the HA socket
+ */
+static bool open_socket(private_ha_socket_t *this)
+{
+	this->fd = socket(this->local->get_family(this->local), SOCK_DGRAM, 0);
+	if (this->fd == -1)
+	{
+		DBG1(DBG_CFG, "opening HA socket failed: %s", strerror(errno));
+		return FALSE;
+	}
+
+	if (bind(this->fd, this->local->get_sockaddr(this->local),
+			 *this->local->get_sockaddr_len(this->local)) == -1)
+	{
+		DBG1(DBG_CFG, "binding HA socket failed: %s", strerror(errno));
+		close(this->fd);
+		this->fd = -1;
+		return FALSE;
+	}
+	if (connect(this->fd, this->remote->get_sockaddr(this->remote),
+				*this->remote->get_sockaddr_len(this->remote)) == -1)
+	{
+		DBG1(DBG_CFG, "connecting HA socket failed: %s", strerror(errno));
+		close(this->fd);
+		this->fd = -1;
+		return FALSE;
+	}
+
+	return TRUE;
+}
+
+/**
+ * Implementation of ha_socket_t.destroy.
+ */
+static void destroy(private_ha_socket_t *this)
+{
+	if (this->fd != -1)
+	{
+		close(this->fd);
+	}
+	DESTROY_IF(this->local);
+	DESTROY_IF(this->remote);
+	free(this);
+}
+
+/**
+ * See header
+ */
+ha_socket_t *ha_socket_create(char *local, char *remote)
+{
+	private_ha_socket_t *this = malloc_thing(private_ha_socket_t);
+
+	this->public.push = (void(*)(ha_socket_t*, ha_message_t*))push;
+	this->public.pull = (ha_message_t*(*)(ha_socket_t*))pull;
+	this->public.destroy = (void(*)(ha_socket_t*))destroy;
+
+	this->local = host_create_from_dns(local, 0, HA_PORT);
+	this->remote = host_create_from_dns(remote, 0, HA_PORT);
+	this->fd = -1;
+
+	if (!this->local || !this->remote)
+	{
+		DBG1(DBG_CFG, "invalid local/remote HA address");
+		destroy(this);
+		return NULL;
+	}
+	if (!open_socket(this))
+	{
+		destroy(this);
+		return NULL;
+	}
+	return &this->public;
+}
+
diff --git a/src/libcharon/plugins/ha/ha_socket.h b/src/libcharon/plugins/ha/ha_socket.h
new file mode 100644
index 000000000..8d398e22b
--- /dev/null
+++ b/src/libcharon/plugins/ha/ha_socket.h
@@ -0,0 +1,60 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ha_socket ha_socket
+ * @{ @ingroup ha
+ */
+
+#ifndef HA_SOCKET_H_
+#define HA_SOCKET_H_
+
+#include "ha_message.h"
+
+#include <sa/ike_sa.h>
+
+typedef struct ha_socket_t ha_socket_t;
+
+/**
+ * Socket to send/received SA synchronization data
+ */
+struct ha_socket_t {
+
+	/**
+	 * Push synchronization information to the responsible node.
+	 *
+	 * @param message	message to send, gets destroyed by push()
+	 */
+	void (*push)(ha_socket_t *this, ha_message_t *message);
+
+	/**
+	 * Pull synchronization information from a peer we are responsible.
+	 *
+	 * @return			received message
+	 */
+	ha_message_t *(*pull)(ha_socket_t *this);
+
+	/**
+	 * Destroy a ha_socket_t.
+	 */
+	void (*destroy)(ha_socket_t *this);
+};
+
+/**
+ * Create a ha_socket instance.
+ */
+ha_socket_t *ha_socket_create(char *local, char *remote);
+
+#endif /* HA_SOCKET_ @}*/
diff --git a/src/libcharon/plugins/ha/ha_tunnel.c b/src/libcharon/plugins/ha/ha_tunnel.c
new file mode 100644
index 000000000..b3511e5f0
--- /dev/null
+++ b/src/libcharon/plugins/ha/ha_tunnel.c
@@ -0,0 +1,298 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ha_tunnel.h"
+#include "ha_plugin.h"
+
+#include <daemon.h>
+#include <utils/identification.h>
+#include <processing/jobs/callback_job.h>
+
+typedef struct private_ha_tunnel_t private_ha_tunnel_t;
+typedef struct ha_backend_t ha_backend_t;
+typedef struct ha_creds_t ha_creds_t;
+
+/**
+ * Serves credentials for the HA SA
+ */
+struct ha_creds_t {
+
+	/**
+	 * Implements credential_set_t
+	 */
+	credential_set_t public;
+
+	/**
+	 * own identity
+	 */
+	identification_t *local;
+
+	/**
+	 * peer identity
+	 */
+	identification_t *remote;
+
+	/**
+	 * Shared key to serve
+	 */
+	shared_key_t *key;
+};
+
+/**
+ * Serves configurations for the HA SA
+ */
+struct ha_backend_t {
+
+	/**
+	 * Implements backend_t
+	 */
+	backend_t public;
+
+	/**
+	 * peer config we serve
+	 */
+	peer_cfg_t *cfg;
+};
+
+/**
+ * Private data of an ha_tunnel_t object.
+ */
+struct private_ha_tunnel_t {
+
+	/**
+	 * Public ha_tunnel_t interface.
+	 */
+	ha_tunnel_t public;
+
+	/**
+	 * Reqid of installed trap
+	 */
+	u_int32_t trap;
+
+	/**
+	 * backend for HA SA
+	 */
+	ha_backend_t backend;
+
+	/**
+	 * credential set for HA SA
+	 */
+	ha_creds_t creds;
+};
+
+/**
+ * Implementation of ha_tunnel_t.is_sa
+ */
+static bool is_sa(private_ha_tunnel_t *this, ike_sa_t *ike_sa)
+{
+	peer_cfg_t *cfg = this->backend.cfg;
+
+	return cfg && ike_sa->get_ike_cfg(ike_sa) == cfg->get_ike_cfg(cfg);
+}
+
+/**
+ * Enumerator over HA shared_key
+ */
+typedef struct {
+	/** Implements enumerator_t */
+	enumerator_t public;
+	/** a single secret we serve */
+	shared_key_t *key;
+} shared_enum_t;
+
+/**
+ * Implementation of shared_enum_t.enumerate
+ */
+static bool shared_enumerate(shared_enum_t *this, shared_key_t **key,
+							 id_match_t *me, id_match_t *other)
+{
+	if (this->key)
+	{
+		if (me)
+		{
+			*me = ID_MATCH_PERFECT;
+		}
+		if (other)
+		{
+			*other = ID_MATCH_PERFECT;
+		}
+		*key = this->key;
+		this->key = NULL;
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/**
+ * Implements ha_creds_t.create_shared_enumerator
+ */
+static enumerator_t* create_shared_enumerator(ha_creds_t *this,
+							shared_key_type_t type, identification_t *me,
+							identification_t *other)
+{
+	shared_enum_t *enumerator;
+
+	if (type != SHARED_IKE && type != SHARED_ANY)
+	{
+		return NULL;
+	}
+	if (me && !me->equals(me, this->local))
+	{
+		return NULL;
+	}
+	if (other && !other->equals(other, this->remote))
+	{
+		return NULL;
+	}
+
+	enumerator = malloc_thing(shared_enum_t);
+	enumerator->public.enumerate = (void*)shared_enumerate;
+	enumerator->public.destroy = (void*)free;
+	enumerator->key = this->key;
+
+	return &enumerator->public;
+}
+
+/**
+ * Implementation of backend_t.create_peer_cfg_enumerator.
+ */
+static enumerator_t* create_peer_cfg_enumerator(ha_backend_t *this,
+								identification_t *me, identification_t *other)
+{
+	return enumerator_create_single(this->cfg, NULL);
+}
+
+/**
+ * Implementation of backend_t.create_ike_cfg_enumerator.
+ */
+static enumerator_t* create_ike_cfg_enumerator(ha_backend_t *this,
+											   host_t *me, host_t *other)
+{
+	return enumerator_create_single(this->cfg->get_ike_cfg(this->cfg), NULL);
+}
+
+/**
+ * Install configs and a a trap for secured HA message exchange
+ */
+static void setup_tunnel(private_ha_tunnel_t *this,
+						 char *local, char *remote, char *secret)
+{
+	peer_cfg_t *peer_cfg;
+	ike_cfg_t *ike_cfg;
+	auth_cfg_t *auth_cfg;
+	child_cfg_t *child_cfg;
+	traffic_selector_t *ts;
+	lifetime_cfg_t lifetime = {
+		.time = {
+			.life = 21600, .rekey = 20400, .jitter = 400,
+		},
+	};
+
+	/* setup credentials */
+	this->creds.local = identification_create_from_string(local);
+	this->creds.remote = identification_create_from_string(remote);
+	this->creds.key = shared_key_create(SHARED_IKE,
+							chunk_clone(chunk_create(secret, strlen(secret))));
+	this->creds.public.create_private_enumerator = (void*)return_null;
+	this->creds.public.create_cert_enumerator = (void*)return_null;
+	this->creds.public.create_shared_enumerator = (void*)create_shared_enumerator;
+	this->creds.public.create_cdp_enumerator = (void*)return_null;
+	this->creds.public.cache_cert = (void*)nop;
+
+	charon->credentials->add_set(charon->credentials, &this->creds.public);
+
+	/* create config and backend */
+	ike_cfg = ike_cfg_create(FALSE, FALSE, local, IKEV2_UDP_PORT,
+							 remote, IKEV2_UDP_PORT);
+	ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
+	peer_cfg = peer_cfg_create("ha", 2, ike_cfg, CERT_NEVER_SEND,
+						UNIQUE_KEEP, 0, 86400, 0, 7200, 3600, FALSE, 30,
+						NULL, NULL, FALSE, NULL, NULL);
+
+	auth_cfg = auth_cfg_create();
+	auth_cfg->add(auth_cfg, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PSK);
+	auth_cfg->add(auth_cfg, AUTH_RULE_IDENTITY,
+				  identification_create_from_string(local));
+	peer_cfg->add_auth_cfg(peer_cfg, auth_cfg, TRUE);
+
+	auth_cfg = auth_cfg_create();
+	auth_cfg->add(auth_cfg, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PSK);
+	auth_cfg->add(auth_cfg, AUTH_RULE_IDENTITY,
+				  identification_create_from_string(remote));
+	peer_cfg->add_auth_cfg(peer_cfg, auth_cfg, FALSE);
+
+	child_cfg = child_cfg_create("ha", &lifetime, NULL, TRUE,
+						MODE_TRANSPORT, ACTION_NONE, ACTION_NONE, FALSE, 0);
+	ts = traffic_selector_create_dynamic(IPPROTO_UDP, HA_PORT, HA_PORT);
+	child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
+	ts = traffic_selector_create_dynamic(IPPROTO_ICMP, 0, 65535);
+	child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
+	ts = traffic_selector_create_dynamic(IPPROTO_UDP, HA_PORT, HA_PORT);
+	child_cfg->add_traffic_selector(child_cfg, FALSE, ts);
+	ts = traffic_selector_create_dynamic(IPPROTO_ICMP, 0, 65535);
+	child_cfg->add_traffic_selector(child_cfg, FALSE, ts);
+	child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
+	peer_cfg->add_child_cfg(peer_cfg, child_cfg);
+
+	this->backend.cfg = peer_cfg;
+	this->backend.public.create_peer_cfg_enumerator = (void*)create_peer_cfg_enumerator;
+	this->backend.public.create_ike_cfg_enumerator = (void*)create_ike_cfg_enumerator;
+	this->backend.public.get_peer_cfg_by_name = (void*)return_null;
+
+	charon->backends->add_backend(charon->backends, &this->backend.public);
+
+	/* install an acquiring trap */
+	this->trap = charon->traps->install(charon->traps, peer_cfg, child_cfg);
+}
+
+/**
+ * Implementation of ha_tunnel_t.destroy.
+ */
+static void destroy(private_ha_tunnel_t *this)
+{
+	if (this->backend.cfg)
+	{
+		charon->backends->remove_backend(charon->backends, &this->backend.public);
+		this->backend.cfg->destroy(this->backend.cfg);
+	}
+	if (this->creds.key)
+	{
+		charon->credentials->remove_set(charon->credentials, &this->creds.public);
+		this->creds.key->destroy(this->creds.key);
+	}
+	this->creds.local->destroy(this->creds.local);
+	this->creds.remote->destroy(this->creds.remote);
+	if (this->trap)
+	{
+		charon->traps->uninstall(charon->traps, this->trap);
+	}
+	free(this);
+}
+
+/**
+ * See header
+ */
+ha_tunnel_t *ha_tunnel_create(char *local, char *remote, char *secret)
+{
+	private_ha_tunnel_t *this = malloc_thing(private_ha_tunnel_t);
+
+	this->public.is_sa = (bool(*)(ha_tunnel_t*, ike_sa_t *ike_sa))is_sa;
+	this->public.destroy = (void(*)(ha_tunnel_t*))destroy;
+
+	setup_tunnel(this, local, remote, secret);
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/plugins/ha/ha_tunnel.h b/src/libcharon/plugins/ha/ha_tunnel.h
new file mode 100644
index 000000000..085fb6122
--- /dev/null
+++ b/src/libcharon/plugins/ha/ha_tunnel.h
@@ -0,0 +1,57 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ha_ ha_tunnel
+ * @{ @ingroup ha
+ */
+
+#ifndef HA_TUNNEL_H_
+#define HA_TUNNEL_H_
+
+#include <sa/ike_sa.h>
+
+typedef struct ha_tunnel_t ha_tunnel_t;
+
+/**
+ * Socket to send/received SA synchronization data
+ */
+struct ha_tunnel_t {
+
+	/**
+	 * Check if an IKE_SA is used for exchanging HA messages.
+	 *
+	 * @param ike_Sa	ike_sa to check
+	 * @return			TRUE if IKE_SA is used to secure HA messages
+	 */
+	bool (*is_sa)(ha_tunnel_t *this, ike_sa_t *ike_sa);
+
+	/**
+	 * Destroy a ha_tunnel_t.
+	 */
+	void (*destroy)(ha_tunnel_t *this);
+};
+
+/**
+ * Create a ha_tunnel instance.
+ *
+ * @param local		local address of HA tunnel
+ * @param remote	remote address of HA tunnel
+ * @param secret	PSK tunnel authentication secret
+ * @return			HA tunnel instance
+ */
+ha_tunnel_t *ha_tunnel_create(char *local, char *remote, char *secret);
+
+#endif /* HA_TUNNEL_H_ @}*/
diff --git a/src/libcharon/plugins/kernel_klips/Makefile.am b/src/libcharon/plugins/kernel_klips/Makefile.am
new file mode 100644
index 000000000..540bbe106
--- /dev/null
+++ b/src/libcharon/plugins/kernel_klips/Makefile.am
@@ -0,0 +1,17 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-kernel-klips.la
+else
+plugin_LTLIBRARIES = libstrongswan-kernel-klips.la
+endif
+
+libstrongswan_kernel_klips_la_SOURCES = \
+	kernel_klips_plugin.h kernel_klips_plugin.c \
+	kernel_klips_ipsec.h kernel_klips_ipsec.c pfkeyv2.h
+
+libstrongswan_kernel_klips_la_LDFLAGS = -module -avoid-version
diff --git a/src/libcharon/plugins/kernel_klips/Makefile.in b/src/libcharon/plugins/kernel_klips/Makefile.in
new file mode 100644
index 000000000..f0d112a0f
--- /dev/null
+++ b/src/libcharon/plugins/kernel_klips/Makefile.in
@@ -0,0 +1,590 @@
+# Makefile.in generated by automake 1.11 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libcharon/plugins/kernel_klips
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_kernel_klips_la_LIBADD =
+am_libstrongswan_kernel_klips_la_OBJECTS = kernel_klips_plugin.lo \
+	kernel_klips_ipsec.lo
+libstrongswan_kernel_klips_la_OBJECTS =  \
+	$(am_libstrongswan_kernel_klips_la_OBJECTS)
+libstrongswan_kernel_klips_la_LINK = $(LIBTOOL) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_kernel_klips_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_kernel_klips_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_kernel_klips_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_kernel_klips_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_kernel_klips_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libhydra_plugins = @libhydra_plugins@
+libstrongswan_plugins = @libstrongswan_plugins@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-kernel-klips.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-kernel-klips.la
+libstrongswan_kernel_klips_la_SOURCES = \
+	kernel_klips_plugin.h kernel_klips_plugin.c \
+	kernel_klips_ipsec.h kernel_klips_ipsec.c pfkeyv2.h
+
+libstrongswan_kernel_klips_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/kernel_klips/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libcharon/plugins/kernel_klips/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-kernel-klips.la: $(libstrongswan_kernel_klips_la_OBJECTS) $(libstrongswan_kernel_klips_la_DEPENDENCIES) 
+	$(libstrongswan_kernel_klips_la_LINK) $(am_libstrongswan_kernel_klips_la_rpath) $(libstrongswan_kernel_klips_la_OBJECTS) $(libstrongswan_kernel_klips_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_klips_ipsec.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_klips_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libcharon/plugins/kernel_klips/kernel_klips_ipsec.c b/src/libcharon/plugins/kernel_klips/kernel_klips_ipsec.c
new file mode 100644
index 000000000..01df4f71a
--- /dev/null
+++ b/src/libcharon/plugins/kernel_klips/kernel_klips_ipsec.c
@@ -0,0 +1,2657 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/ioctl.h>
+#include <stdint.h>
+#include "pfkeyv2.h"
+#include <linux/udp.h>
+#include <net/if.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <string.h>
+#include <time.h>
+#include <errno.h>
+
+#include "kernel_klips_ipsec.h"
+
+#include <daemon.h>
+#include <threading/thread.h>
+#include <threading/mutex.h>
+#include <processing/jobs/callback_job.h>
+#include <processing/jobs/acquire_job.h>
+#include <processing/jobs/rekey_child_sa_job.h>
+#include <processing/jobs/delete_child_sa_job.h>
+#include <processing/jobs/update_sa_job.h>
+
+/** default timeout for generated SPIs (in seconds) */
+#define SPI_TIMEOUT 30
+
+/** buffer size for PF_KEY messages */
+#define PFKEY_BUFFER_SIZE 2048
+
+/** PF_KEY messages are 64 bit aligned */
+#define PFKEY_ALIGNMENT 8
+/** aligns len to 64 bits */
+#define PFKEY_ALIGN(len) (((len) + PFKEY_ALIGNMENT - 1) & ~(PFKEY_ALIGNMENT - 1))
+/** calculates the properly padded length in 64 bit chunks */
+#define PFKEY_LEN(len) ((PFKEY_ALIGN(len) / PFKEY_ALIGNMENT))
+/** calculates user mode length i.e. in bytes */
+#define PFKEY_USER_LEN(len) ((len) * PFKEY_ALIGNMENT)
+
+/** given a PF_KEY message header and an extension this updates the length in the header */
+#define PFKEY_EXT_ADD(msg, ext) ((msg)->sadb_msg_len += ((struct sadb_ext*)ext)->sadb_ext_len)
+/** given a PF_KEY message header this returns a pointer to the next extension */
+#define PFKEY_EXT_ADD_NEXT(msg) ((struct sadb_ext*)(((char*)(msg)) + PFKEY_USER_LEN((msg)->sadb_msg_len)))
+/** copy an extension and append it to a PF_KEY message */
+#define PFKEY_EXT_COPY(msg, ext) (PFKEY_EXT_ADD(msg, memcpy(PFKEY_EXT_ADD_NEXT(msg), ext, PFKEY_USER_LEN(((struct sadb_ext*)ext)->sadb_ext_len))))
+/** given a PF_KEY extension this returns a pointer to the next extension */
+#define PFKEY_EXT_NEXT(ext) ((struct sadb_ext*)(((char*)(ext)) + PFKEY_USER_LEN(((struct sadb_ext*)ext)->sadb_ext_len)))
+/** given a PF_KEY extension this returns a pointer to the next extension also updates len (len in 64 bit words) */
+#define PFKEY_EXT_NEXT_LEN(ext,len) ((len) -= (ext)->sadb_ext_len, PFKEY_EXT_NEXT(ext))
+/** true if ext has a valid length and len is large enough to contain ext (assuming len in 64 bit words) */
+#define PFKEY_EXT_OK(ext,len) ((len) >= PFKEY_LEN(sizeof(struct sadb_ext)) && \
+				(ext)->sadb_ext_len >= PFKEY_LEN(sizeof(struct sadb_ext)) && \
+				(ext)->sadb_ext_len <= (len))
+
+/** special SPI values used for policies in KLIPS */
+#define SPI_PASS 256
+#define SPI_DROP 257
+#define SPI_REJECT 258
+#define SPI_HOLD 259
+#define SPI_TRAP 260
+#define SPI_TRAPSUBNET 261
+
+/** the prefix of the name of KLIPS ipsec devices */
+#define IPSEC_DEV_PREFIX "ipsec"
+/** this is the default number of ipsec devices */
+#define DEFAULT_IPSEC_DEV_COUNT 4
+/** TRUE if the given name matches an ipsec device */
+#define IS_IPSEC_DEV(name) (strneq((name), IPSEC_DEV_PREFIX, sizeof(IPSEC_DEV_PREFIX) - 1))
+
+/** the following stuff is from ipsec_tunnel.h */
+struct ipsectunnelconf
+{
+	__u32	cf_cmd;
+	union
+	{
+		char	cfu_name[12];
+	} cf_u;
+#define cf_name cf_u.cfu_name
+};
+
+#define IPSEC_SET_DEV (SIOCDEVPRIVATE)
+#define IPSEC_DEL_DEV (SIOCDEVPRIVATE + 1)
+#define IPSEC_CLR_DEV (SIOCDEVPRIVATE + 2)
+
+typedef struct private_kernel_klips_ipsec_t private_kernel_klips_ipsec_t;
+
+/**
+ * Private variables and functions of kernel_klips class.
+ */
+struct private_kernel_klips_ipsec_t
+{
+	/**
+	 * Public part of the kernel_klips_t object.
+	 */
+	kernel_klips_ipsec_t public;
+
+	/**
+	 * mutex to lock access to various lists
+	 */
+	mutex_t *mutex;
+
+	/**
+	 * List of installed policies (policy_entry_t)
+	 */
+	linked_list_t *policies;
+
+	/**
+	 * List of allocated SPIs without installed SA (sa_entry_t)
+	 */
+	linked_list_t *allocated_spis;
+
+	/**
+	 * List of installed SAs (sa_entry_t)
+	 */
+	linked_list_t *installed_sas;
+
+	/**
+	 * whether to install routes along policies
+	 */
+	bool install_routes;
+
+	/**
+	 * List of ipsec devices (ipsec_dev_t)
+	 */
+	linked_list_t *ipsec_devices;
+
+	/**
+	 * job receiving PF_KEY events
+	 */
+	callback_job_t *job;
+
+	/**
+	 * mutex to lock access to the PF_KEY socket
+	 */
+	mutex_t *mutex_pfkey;
+
+	/**
+	 * PF_KEY socket to communicate with the kernel
+	 */
+	int socket;
+
+	/**
+	 * PF_KEY socket to receive acquire and expire events
+	 */
+	int socket_events;
+
+	/**
+	 * sequence number for messages sent to the kernel
+	 */
+	int seq;
+
+};
+
+
+typedef struct ipsec_dev_t ipsec_dev_t;
+
+/**
+ * ipsec device
+ */
+struct ipsec_dev_t {
+	/** name of the virtual ipsec interface */
+	char name[IFNAMSIZ];
+
+	/** name of the physical interface */
+	char phys_name[IFNAMSIZ];
+
+	/** by how many CHILD_SA's this ipsec device is used */
+	u_int refcount;
+};
+
+/**
+ * compare the given name with the virtual device name
+ */
+static inline bool ipsec_dev_match_byname(ipsec_dev_t *current, char *name)
+{
+	return name && streq(current->name, name);
+}
+
+/**
+ * compare the given name with the physical device name
+ */
+static inline bool ipsec_dev_match_byphys(ipsec_dev_t *current, char *name)
+{
+	return name && streq(current->phys_name, name);
+}
+
+/**
+ * matches free ipsec devices
+ */
+static inline bool ipsec_dev_match_free(ipsec_dev_t *current)
+{
+	return current->refcount == 0;
+}
+
+/**
+ * tries to find an ipsec_dev_t object by name
+ */
+static status_t find_ipsec_dev(private_kernel_klips_ipsec_t *this, char *name,
+							   ipsec_dev_t **dev)
+{
+	linked_list_match_t match = (linked_list_match_t)(IS_IPSEC_DEV(name) ?
+								ipsec_dev_match_byname : ipsec_dev_match_byphys);
+	return this->ipsec_devices->find_first(this->ipsec_devices, match,
+												(void**)dev, name);
+}
+
+/**
+ * attach an ipsec device to a physical interface
+ */
+static status_t attach_ipsec_dev(char* name, char *phys_name)
+{
+	int sock;
+	struct ifreq req;
+	struct ipsectunnelconf *itc = (struct ipsectunnelconf*)&req.ifr_data;
+	short phys_flags;
+	int mtu;
+
+	DBG2(DBG_KNL, "attaching virtual interface %s to %s", name, phys_name);
+
+	if ((sock = socket(AF_INET, SOCK_DGRAM, 0)) <= 0)
+	{
+		return FAILED;
+	}
+
+	strncpy(req.ifr_name, phys_name, IFNAMSIZ);
+	if (ioctl(sock, SIOCGIFFLAGS, &req) < 0)
+	{
+		close(sock);
+		return FAILED;
+	}
+	phys_flags = req.ifr_flags;
+
+	strncpy(req.ifr_name, name, IFNAMSIZ);
+	if (ioctl(sock, SIOCGIFFLAGS, &req) < 0)
+	{
+		close(sock);
+		return FAILED;
+	}
+
+	if (req.ifr_flags & IFF_UP)
+	{
+		/* if it's already up, it is already attached, detach it first */
+		ioctl(sock, IPSEC_DEL_DEV, &req);
+	}
+
+	/* attach it */
+	strncpy(req.ifr_name, name, IFNAMSIZ);
+	strncpy(itc->cf_name, phys_name, sizeof(itc->cf_name));
+	ioctl(sock, IPSEC_SET_DEV, &req);
+
+	/* copy address from physical to virtual */
+	strncpy(req.ifr_name, phys_name, IFNAMSIZ);
+	if (ioctl(sock, SIOCGIFADDR, &req) == 0)
+	{
+		strncpy(req.ifr_name, name, IFNAMSIZ);
+		ioctl(sock, SIOCSIFADDR, &req);
+	}
+
+	/* copy net mask from physical to virtual */
+	strncpy(req.ifr_name, phys_name, IFNAMSIZ);
+	if (ioctl(sock, SIOCGIFNETMASK, &req) == 0)
+	{
+		strncpy(req.ifr_name, name, IFNAMSIZ);
+		ioctl(sock, SIOCSIFNETMASK, &req);
+	}
+
+	/* copy other flags and addresses */
+	strncpy(req.ifr_name, name, IFNAMSIZ);
+	if (ioctl(sock, SIOCGIFFLAGS, &req) == 0)
+	{
+		if (phys_flags & IFF_POINTOPOINT)
+		{
+			req.ifr_flags |= IFF_POINTOPOINT;
+			req.ifr_flags &= ~IFF_BROADCAST;
+			ioctl(sock, SIOCSIFFLAGS, &req);
+
+			strncpy(req.ifr_name, phys_name, IFNAMSIZ);
+			if (ioctl(sock, SIOCGIFDSTADDR, &req) == 0)
+			{
+				strncpy(req.ifr_name, name, IFNAMSIZ);
+				ioctl(sock, SIOCSIFDSTADDR, &req);
+			}
+		}
+		else if (phys_flags & IFF_BROADCAST)
+		{
+			req.ifr_flags &= ~IFF_POINTOPOINT;
+			req.ifr_flags |= IFF_BROADCAST;
+			ioctl(sock, SIOCSIFFLAGS, &req);
+
+			strncpy(req.ifr_name, phys_name, IFNAMSIZ);
+			if (ioctl(sock, SIOCGIFBRDADDR, &req)==0)
+			{
+				strncpy(req.ifr_name, name, IFNAMSIZ);
+				ioctl(sock, SIOCSIFBRDADDR, &req);
+			}
+		}
+		else
+		{
+			req.ifr_flags &= ~IFF_POINTOPOINT;
+			req.ifr_flags &= ~IFF_BROADCAST;
+			ioctl(sock, SIOCSIFFLAGS, &req);
+		}
+	}
+
+	mtu = lib->settings->get_int(lib->settings,
+						"charon.plugins.kernel-klips.ipsec_dev_mtu", 0);
+	if (mtu <= 0)
+	{
+		/* guess MTU as physical MTU - ESP overhead [- NAT-T overhead]
+		 * ESP overhead      : 73 bytes
+		 * NAT-T overhead    :  8 bytes ==> 81 bytes
+		 *
+		 * assuming tunnel mode with AES encryption and integrity
+		 * outer IP header  : 20 bytes
+		 * (NAT-T UDP header:  8 bytes)
+		 * ESP header       :  8 bytes
+		 * IV               : 16 bytes
+		 * padding          : 15 bytes (worst-case)
+		 * pad len / NH     :  2 bytes
+		 * auth data        : 12 bytes
+		 */
+		strncpy(req.ifr_name, phys_name, IFNAMSIZ);
+		ioctl(sock, SIOCGIFMTU, &req);
+		mtu = req.ifr_mtu - 81;
+	}
+
+	/* set MTU */
+	strncpy(req.ifr_name, name, IFNAMSIZ);
+	req.ifr_mtu = mtu;
+	ioctl(sock, SIOCSIFMTU, &req);
+
+	/* bring ipsec device UP */
+	if (ioctl(sock, SIOCGIFFLAGS, &req) == 0)
+	{
+		req.ifr_flags |= IFF_UP;
+		ioctl(sock, SIOCSIFFLAGS, &req);
+	}
+
+	close(sock);
+	return SUCCESS;
+}
+
+/**
+ * detach an ipsec device from a physical interface
+ */
+static status_t detach_ipsec_dev(char* name, char *phys_name)
+{
+	int sock;
+	struct ifreq req;
+
+	DBG2(DBG_KNL, "detaching virtual interface %s from %s", name,
+			strlen(phys_name) ? phys_name : "any physical interface");
+
+	if ((sock = socket(AF_INET, SOCK_DGRAM, 0)) <= 0)
+	{
+		return FAILED;
+	}
+
+	strncpy(req.ifr_name, name, IFNAMSIZ);
+	if (ioctl(sock, SIOCGIFFLAGS, &req) < 0)
+	{
+		close(sock);
+		return FAILED;
+	}
+
+	/* shutting interface down */
+	if (req.ifr_flags & IFF_UP)
+	{
+		req.ifr_flags &= ~IFF_UP;
+		ioctl(sock, SIOCSIFFLAGS, &req);
+	}
+
+	/* unset address */
+	memset(&req.ifr_addr, 0, sizeof(req.ifr_addr));
+	req.ifr_addr.sa_family = AF_INET;
+	ioctl(sock, SIOCSIFADDR, &req);
+
+	/* detach interface */
+	ioctl(sock, IPSEC_DEL_DEV, &req);
+
+	close(sock);
+	return SUCCESS;
+}
+
+/**
+ * destroy an ipsec_dev_t object
+ */
+static void ipsec_dev_destroy(ipsec_dev_t *this)
+{
+	detach_ipsec_dev(this->name, this->phys_name);
+	free(this);
+}
+
+
+typedef struct route_entry_t route_entry_t;
+
+/**
+ * installed routing entry
+ */
+struct route_entry_t {
+	/** Name of the interface the route is bound to */
+	char *if_name;
+
+	/** Source ip of the route */
+	host_t *src_ip;
+
+	/** Gateway for this route */
+	host_t *gateway;
+
+	/** Destination net */
+	chunk_t dst_net;
+
+	/** Destination net prefixlen */
+	u_int8_t prefixlen;
+};
+
+/**
+ * destroy an route_entry_t object
+ */
+static void route_entry_destroy(route_entry_t *this)
+{
+	free(this->if_name);
+	this->src_ip->destroy(this->src_ip);
+	this->gateway->destroy(this->gateway);
+	chunk_free(&this->dst_net);
+	free(this);
+}
+
+typedef struct policy_entry_t policy_entry_t;
+
+/**
+ * installed kernel policy.
+ */
+struct policy_entry_t {
+
+	/** reqid of this policy, if setup as trap */
+	u_int32_t reqid;
+
+	/** direction of this policy: in, out, forward */
+	u_int8_t direction;
+
+	/** parameters of installed policy */
+	struct {
+		/** subnet and port */
+		host_t *net;
+		/** subnet mask */
+		u_int8_t mask;
+		/** protocol */
+		u_int8_t proto;
+	} src, dst;
+
+	/** associated route installed for this policy */
+	route_entry_t *route;
+
+	/** by how many CHILD_SA's this policy is actively used */
+	u_int activecount;
+
+	/** by how many CHILD_SA's this policy is trapped */
+	u_int trapcount;
+};
+
+/**
+ * convert a numerical netmask to a host_t
+ */
+static host_t *mask2host(int family, u_int8_t mask)
+{
+	static const u_char bitmask[] = { 0x00, 0x80, 0xc0, 0xe0, 0xf0, 0xf8, 0xfc, 0xfe };
+	chunk_t chunk = chunk_alloca(family == AF_INET ? 4 : 16);
+	int bytes = mask / 8, bits = mask % 8;
+	memset(chunk.ptr, 0xFF, bytes);
+	memset(chunk.ptr + bytes, 0, chunk.len - bytes);
+	if (bits)
+	{
+		chunk.ptr[bytes] =  bitmask[bits];
+	}
+	return host_create_from_chunk(family, chunk, 0);
+}
+
+/**
+ * check if a host is in a subnet (host with netmask in bits)
+ */
+static bool is_host_in_net(host_t *host, host_t *net, u_int8_t mask)
+{
+	static const u_char bitmask[] = { 0x00, 0x80, 0xc0, 0xe0, 0xf0, 0xf8, 0xfc, 0xfe };
+	chunk_t host_chunk, net_chunk;
+	int bytes = mask / 8, bits = mask % 8;
+
+	host_chunk = host->get_address(host);
+	net_chunk = net->get_address(net);
+
+	if (host_chunk.len != net_chunk.len)
+	{
+		return FALSE;
+	}
+
+	if (memeq(host_chunk.ptr, net_chunk.ptr, bytes))
+	{
+		return (bits == 0) ||
+			   (host_chunk.ptr[bytes] & bitmask[bits]) ==
+				   (net_chunk.ptr[bytes] & bitmask[bits]);
+	}
+
+	return FALSE;
+}
+
+/**
+ * create a policy_entry_t object
+ */
+static policy_entry_t *create_policy_entry(traffic_selector_t *src_ts,
+		traffic_selector_t *dst_ts, policy_dir_t dir)
+{
+	policy_entry_t *policy = malloc_thing(policy_entry_t);
+	policy->reqid = 0;
+	policy->direction = dir;
+	policy->route = NULL;
+	policy->activecount = 0;
+	policy->trapcount = 0;
+
+	src_ts->to_subnet(src_ts, &policy->src.net, &policy->src.mask);
+	dst_ts->to_subnet(dst_ts, &policy->dst.net, &policy->dst.mask);
+
+	/* src or dest proto may be "any" (0), use more restrictive one */
+	policy->src.proto = max(src_ts->get_protocol(src_ts), dst_ts->get_protocol(dst_ts));
+	policy->src.proto = policy->src.proto ? policy->src.proto : 0;
+	policy->dst.proto = policy->src.proto;
+
+	return policy;
+}
+
+/**
+ * destroy a policy_entry_t object
+ */
+static void policy_entry_destroy(policy_entry_t *this)
+{
+	DESTROY_IF(this->src.net);
+	DESTROY_IF(this->dst.net);
+	if (this->route)
+	{
+		route_entry_destroy(this->route);
+	}
+	free(this);
+}
+
+/**
+ * compares two policy_entry_t
+ */
+static inline bool policy_entry_equals(policy_entry_t *current, policy_entry_t *policy)
+{
+	return current->direction == policy->direction &&
+		   current->src.proto == policy->src.proto &&
+		   current->dst.proto == policy->dst.proto &&
+		   current->src.mask == policy->src.mask &&
+		   current->dst.mask == policy->dst.mask &&
+		   current->src.net->equals(current->src.net, policy->src.net) &&
+		   current->dst.net->equals(current->dst.net, policy->dst.net);
+}
+
+static inline bool policy_entry_match_byaddrs(policy_entry_t *current, host_t *src,
+		host_t *dst)
+{
+	return is_host_in_net(src, current->src.net, current->src.mask) &&
+			is_host_in_net(dst, current->dst.net, current->dst.mask);
+}
+
+typedef struct sa_entry_t sa_entry_t;
+
+/**
+ * used for two things:
+ * - allocated SPIs that have not yet resulted in an installed SA
+ * - installed inbound SAs with enabled UDP encapsulation
+ */
+struct sa_entry_t {
+
+	/** protocol of this SA */
+	protocol_id_t protocol;
+
+	/** reqid of this SA */
+	u_int32_t reqid;
+
+	/** SPI of this SA */
+	u_int32_t spi;
+
+	/** src address of this SA */
+	host_t *src;
+
+	/** dst address of this SA */
+	host_t *dst;
+
+	/** TRUE if this SA uses UDP encapsulation */
+	bool encap;
+
+	/** TRUE if this SA is inbound */
+	bool inbound;
+};
+
+/**
+ * create an sa_entry_t object
+ */
+static sa_entry_t *create_sa_entry(protocol_id_t protocol, u_int32_t spi,
+								   u_int32_t reqid, host_t *src, host_t *dst,
+								   bool encap, bool inbound)
+{
+	sa_entry_t *sa = malloc_thing(sa_entry_t);
+	sa->protocol = protocol;
+	sa->reqid = reqid;
+	sa->spi = spi;
+	sa->src = src ? src->clone(src) : NULL;
+	sa->dst = dst ? dst->clone(dst) : NULL;
+	sa->encap = encap;
+	sa->inbound = inbound;
+	return sa;
+}
+
+/**
+ * destroy an sa_entry_t object
+ */
+static void sa_entry_destroy(sa_entry_t *this)
+{
+	DESTROY_IF(this->src);
+	DESTROY_IF(this->dst);
+	free(this);
+}
+
+/**
+ * match an sa_entry_t for an inbound SA that uses UDP encapsulation by spi and src (remote) address
+ */
+static inline bool sa_entry_match_encapbysrc(sa_entry_t *current, u_int32_t *spi,
+		host_t *src)
+{
+	return current->encap && current->inbound &&
+		   current->spi == *spi && src->ip_equals(src, current->src);
+}
+
+/**
+ * match an sa_entry_t by protocol, spi and dst address (as the kernel does it)
+ */
+static inline bool sa_entry_match_bydst(sa_entry_t *current, protocol_id_t *protocol,
+		u_int32_t *spi, host_t *dst)
+{
+	return current->protocol == *protocol && current->spi == *spi && dst->ip_equals(dst, current->dst);
+}
+
+/**
+ * match an sa_entry_t by protocol, reqid and spi
+ */
+static inline bool sa_entry_match_byid(sa_entry_t *current, protocol_id_t *protocol,
+		u_int32_t *spi, u_int32_t *reqid)
+{
+	return current->protocol == *protocol && current->spi == *spi && current->reqid == *reqid;
+}
+
+typedef struct pfkey_msg_t pfkey_msg_t;
+
+struct pfkey_msg_t
+{
+	/**
+	 * PF_KEY message base
+	 */
+	struct sadb_msg *msg;
+
+
+	/**
+	 * PF_KEY message extensions
+	 */
+	union {
+		struct sadb_ext *ext[SADB_EXT_MAX + 1];
+		struct {
+			struct sadb_ext *reserved;				/* SADB_EXT_RESERVED */
+			struct sadb_sa *sa;						/* SADB_EXT_SA */
+			struct sadb_lifetime *lft_current;		/* SADB_EXT_LIFETIME_CURRENT */
+			struct sadb_lifetime *lft_hard;			/* SADB_EXT_LIFETIME_HARD */
+			struct sadb_lifetime *lft_soft;			/* SADB_EXT_LIFETIME_SOFT */
+			struct sadb_address *src;				/* SADB_EXT_ADDRESS_SRC */
+			struct sadb_address *dst;				/* SADB_EXT_ADDRESS_DST */
+			struct sadb_address *proxy;				/* SADB_EXT_ADDRESS_PROXY */
+			struct sadb_key *key_auth;				/* SADB_EXT_KEY_AUTH */
+			struct sadb_key *key_encr;				/* SADB_EXT_KEY_ENCRYPT */
+			struct sadb_ident *id_src;				/* SADB_EXT_IDENTITY_SRC */
+			struct sadb_ident *id_dst;				/* SADB_EXT_IDENTITY_DST */
+			struct sadb_sens *sensitivity;			/* SADB_EXT_SENSITIVITY */
+			struct sadb_prop *proposal;				/* SADB_EXT_PROPOSAL */
+			struct sadb_supported *supported_auth;	/* SADB_EXT_SUPPORTED_AUTH */
+			struct sadb_supported *supported_encr;	/* SADB_EXT_SUPPORTED_ENCRYPT */
+			struct sadb_spirange *spirange;			/* SADB_EXT_SPIRANGE */
+			struct sadb_x_kmprivate *x_kmprivate;	/* SADB_X_EXT_KMPRIVATE */
+			struct sadb_ext *x_policy;				/* SADB_X_EXT_SATYPE2 */
+			struct sadb_ext *x_sa2;					/* SADB_X_EXT_SA2 */
+			struct sadb_address *x_dst2;			/* SADB_X_EXT_ADDRESS_DST2 */
+			struct sadb_address *x_src_flow;		/* SADB_X_EXT_ADDRESS_SRC_FLOW */
+			struct sadb_address *x_dst_flow;		/* SADB_X_EXT_ADDRESS_DST_FLOW */
+			struct sadb_address *x_src_mask;		/* SADB_X_EXT_ADDRESS_SRC_MASK */
+			struct sadb_address *x_dst_mask;		/* SADB_X_EXT_ADDRESS_DST_MASK */
+			struct sadb_x_debug *x_debug;			/* SADB_X_EXT_DEBUG */
+			struct sadb_protocol *x_protocol;		/* SADB_X_EXT_PROTOCOL */
+			struct sadb_x_nat_t_type *x_natt_type;	/* SADB_X_EXT_NAT_T_TYPE */
+			struct sadb_x_nat_t_port *x_natt_sport;	/* SADB_X_EXT_NAT_T_SPORT */
+			struct sadb_x_nat_t_port *x_natt_dport;	/* SADB_X_EXT_NAT_T_DPORT */
+			struct sadb_address *x_natt_oa;			/* SADB_X_EXT_NAT_T_OA */
+		} __attribute__((__packed__));
+	};
+};
+
+/**
+ * convert a IKEv2 specific protocol identifier to the PF_KEY sa type
+ */
+static u_int8_t proto_ike2satype(protocol_id_t proto)
+{
+	switch (proto)
+	{
+		case PROTO_ESP:
+			return SADB_SATYPE_ESP;
+		case PROTO_AH:
+			return SADB_SATYPE_AH;
+		case IPPROTO_COMP:
+			return SADB_X_SATYPE_COMP;
+		default:
+			return proto;
+	}
+}
+
+/**
+ * convert a PF_KEY sa type to a IKEv2 specific protocol identifier
+ */
+static protocol_id_t proto_satype2ike(u_int8_t proto)
+{
+	switch (proto)
+	{
+		case SADB_SATYPE_ESP:
+			return PROTO_ESP;
+		case SADB_SATYPE_AH:
+			return PROTO_AH;
+		case SADB_X_SATYPE_COMP:
+			return IPPROTO_COMP;
+		default:
+			return proto;
+	}
+}
+
+typedef struct kernel_algorithm_t kernel_algorithm_t;
+
+/**
+ * Mapping of IKEv2 algorithms to PF_KEY algorithms
+ */
+struct kernel_algorithm_t {
+	/**
+	 * Identifier specified in IKEv2
+	 */
+	int ikev2;
+
+	/**
+	 * Identifier as defined in pfkeyv2.h
+	 */
+	int kernel;
+};
+
+#define END_OF_LIST -1
+
+/**
+ * Algorithms for encryption
+ */
+static kernel_algorithm_t encryption_algs[] = {
+/*	{ENCR_DES_IV64,				0							}, */
+	{ENCR_DES,					SADB_EALG_DESCBC			},
+	{ENCR_3DES,					SADB_EALG_3DESCBC			},
+/*	{ENCR_RC5,					0							}, */
+/*	{ENCR_IDEA,					0							}, */
+/*	{ENCR_CAST,					0							}, */
+	{ENCR_BLOWFISH,				SADB_EALG_BFCBC				},
+/*	{ENCR_3IDEA,				0							}, */
+/*	{ENCR_DES_IV32,				0							}, */
+	{ENCR_NULL,					SADB_EALG_NULL				},
+	{ENCR_AES_CBC,				SADB_EALG_AESCBC			},
+/*	{ENCR_AES_CTR,				0							}, */
+/*	{ENCR_AES_CCM_ICV8,			0							}, */
+/*	{ENCR_AES_CCM_ICV12,		0							}, */
+/*	{ENCR_AES_CCM_ICV16,		0							}, */
+/*	{ENCR_AES_GCM_ICV8,			0							}, */
+/*	{ENCR_AES_GCM_ICV12,		0							}, */
+/*	{ENCR_AES_GCM_ICV16,		0							}, */
+	{END_OF_LIST,				0							},
+};
+
+/**
+ * Algorithms for integrity protection
+ */
+static kernel_algorithm_t integrity_algs[] = {
+	{AUTH_HMAC_MD5_96,			SADB_AALG_MD5HMAC			},
+	{AUTH_HMAC_SHA1_96,			SADB_AALG_SHA1HMAC			},
+	{AUTH_HMAC_SHA2_256_128,	SADB_AALG_SHA256_HMAC		},
+	{AUTH_HMAC_SHA2_384_192,	SADB_AALG_SHA384_HMAC		},
+	{AUTH_HMAC_SHA2_512_256,	SADB_AALG_SHA512_HMAC		},
+/*	{AUTH_DES_MAC,				0,							}, */
+/*	{AUTH_KPDK_MD5,				0,							}, */
+/*	{AUTH_AES_XCBC_96,			0,							}, */
+	{END_OF_LIST,				0,							},
+};
+
+#if 0
+/**
+ * Algorithms for IPComp, unused yet
+ */
+static kernel_algorithm_t compression_algs[] = {
+/*	{IPCOMP_OUI,				0							}, */
+	{IPCOMP_DEFLATE,			SADB_X_CALG_DEFLATE			},
+	{IPCOMP_LZS,				SADB_X_CALG_LZS				},
+/*	{IPCOMP_LZJH,				0							}, */
+	{END_OF_LIST,				0							},
+};
+#endif
+
+/**
+ * Look up a kernel algorithm ID and its key size
+ */
+static int lookup_algorithm(kernel_algorithm_t *list, int ikev2)
+{
+	while (list->ikev2 != END_OF_LIST)
+	{
+		if (ikev2 == list->ikev2)
+		{
+			return list->kernel;
+		}
+		list++;
+	}
+	return 0;
+}
+
+/**
+ * add a host behind a sadb_address extension
+ */
+static void host2ext(host_t *host, struct sadb_address *ext)
+{
+	sockaddr_t *host_addr = host->get_sockaddr(host);
+	socklen_t *len = host->get_sockaddr_len(host);
+	memcpy((char*)(ext + 1), host_addr, *len);
+	ext->sadb_address_len = PFKEY_LEN(sizeof(*ext) + *len);
+}
+
+/**
+ * add a host to the given sadb_msg
+ */
+static void add_addr_ext(struct sadb_msg *msg, host_t *host, u_int16_t type)
+{
+	struct sadb_address *addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
+	addr->sadb_address_exttype = type;
+	host2ext(host, addr);
+	PFKEY_EXT_ADD(msg, addr);
+}
+
+/**
+ * adds an empty address extension to the given sadb_msg
+ */
+static void add_anyaddr_ext(struct sadb_msg *msg, int family, u_int8_t type)
+{
+	socklen_t len = (family == AF_INET) ? sizeof(struct sockaddr_in) :
+										  sizeof(struct sockaddr_in6);
+	struct sadb_address *addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
+	addr->sadb_address_exttype = type;
+	sockaddr_t *saddr = (sockaddr_t*)(addr + 1);
+	saddr->sa_family = family;
+	addr->sadb_address_len = PFKEY_LEN(sizeof(*addr) + len);
+	PFKEY_EXT_ADD(msg, addr);
+}
+
+/**
+ * add udp encap extensions to a sadb_msg
+ */
+static void add_encap_ext(struct sadb_msg *msg, host_t *src, host_t *dst,
+							bool ports_only)
+{
+	struct sadb_x_nat_t_type* nat_type;
+	struct sadb_x_nat_t_port* nat_port;
+
+	if (!ports_only)
+	{
+		nat_type = (struct sadb_x_nat_t_type*)PFKEY_EXT_ADD_NEXT(msg);
+		nat_type->sadb_x_nat_t_type_exttype = SADB_X_EXT_NAT_T_TYPE;
+		nat_type->sadb_x_nat_t_type_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_type));
+		nat_type->sadb_x_nat_t_type_type = UDP_ENCAP_ESPINUDP;
+		PFKEY_EXT_ADD(msg, nat_type);
+	}
+
+	nat_port = (struct sadb_x_nat_t_port*)PFKEY_EXT_ADD_NEXT(msg);
+	nat_port->sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_SPORT;
+	nat_port->sadb_x_nat_t_port_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_port));
+	nat_port->sadb_x_nat_t_port_port = src->get_port(src);
+	PFKEY_EXT_ADD(msg, nat_port);
+
+	nat_port = (struct sadb_x_nat_t_port*)PFKEY_EXT_ADD_NEXT(msg);
+	nat_port->sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_DPORT;
+	nat_port->sadb_x_nat_t_port_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_port));
+	nat_port->sadb_x_nat_t_port_port = dst->get_port(dst);
+	PFKEY_EXT_ADD(msg, nat_port);
+}
+
+/**
+ * build an SADB_X_ADDFLOW msg
+ */
+static void build_addflow(struct sadb_msg *msg, u_int8_t satype, u_int32_t spi,
+		host_t *src, host_t *dst, host_t *src_net, u_int8_t src_mask,
+		host_t *dst_net, u_int8_t dst_mask, u_int8_t protocol, bool replace)
+{
+	struct sadb_sa *sa;
+	struct sadb_protocol *proto;
+	host_t *host;
+
+	msg->sadb_msg_version = PF_KEY_V2;
+	msg->sadb_msg_type = SADB_X_ADDFLOW;
+	msg->sadb_msg_satype = satype;
+	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
+
+	sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
+	sa->sadb_sa_exttype = SADB_EXT_SA;
+	sa->sadb_sa_spi = spi;
+	sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
+	sa->sadb_sa_flags = replace ? SADB_X_SAFLAGS_REPLACEFLOW : 0;
+	PFKEY_EXT_ADD(msg, sa);
+
+	if (!src)
+	{
+		add_anyaddr_ext(msg, src_net->get_family(src_net), SADB_EXT_ADDRESS_SRC);
+	}
+	else
+	{
+		add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC);
+	}
+
+	if (!dst)
+	{
+		add_anyaddr_ext(msg, dst_net->get_family(dst_net), SADB_EXT_ADDRESS_DST);
+	}
+	else
+	{
+		add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST);
+	}
+
+	add_addr_ext(msg, src_net, SADB_X_EXT_ADDRESS_SRC_FLOW);
+	add_addr_ext(msg, dst_net, SADB_X_EXT_ADDRESS_DST_FLOW);
+
+	host = mask2host(src_net->get_family(src_net), src_mask);
+	add_addr_ext(msg, host, SADB_X_EXT_ADDRESS_SRC_MASK);
+	host->destroy(host);
+
+	host = mask2host(dst_net->get_family(dst_net), dst_mask);
+	add_addr_ext(msg, host, SADB_X_EXT_ADDRESS_DST_MASK);
+	host->destroy(host);
+
+	proto = (struct sadb_protocol*)PFKEY_EXT_ADD_NEXT(msg);
+	proto->sadb_protocol_exttype = SADB_X_EXT_PROTOCOL;
+	proto->sadb_protocol_len = PFKEY_LEN(sizeof(struct sadb_protocol));
+	proto->sadb_protocol_proto = protocol;
+	PFKEY_EXT_ADD(msg, proto);
+}
+
+/**
+ * build an SADB_X_DELFLOW msg
+ */
+static void build_delflow(struct sadb_msg *msg, u_int8_t satype,
+		host_t *src_net, u_int8_t src_mask, host_t *dst_net, u_int8_t dst_mask,
+		u_int8_t protocol)
+{
+	struct sadb_protocol *proto;
+	host_t *host;
+
+	msg->sadb_msg_version = PF_KEY_V2;
+	msg->sadb_msg_type = SADB_X_DELFLOW;
+	msg->sadb_msg_satype = satype;
+	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
+
+	add_addr_ext(msg, src_net, SADB_X_EXT_ADDRESS_SRC_FLOW);
+	add_addr_ext(msg, dst_net, SADB_X_EXT_ADDRESS_DST_FLOW);
+
+	host = mask2host(src_net->get_family(src_net),
+					 src_mask);
+	add_addr_ext(msg, host, SADB_X_EXT_ADDRESS_SRC_MASK);
+	host->destroy(host);
+
+	host = mask2host(dst_net->get_family(dst_net),
+					 dst_mask);
+	add_addr_ext(msg, host, SADB_X_EXT_ADDRESS_DST_MASK);
+	host->destroy(host);
+
+	proto = (struct sadb_protocol*)PFKEY_EXT_ADD_NEXT(msg);
+	proto->sadb_protocol_exttype = SADB_X_EXT_PROTOCOL;
+	proto->sadb_protocol_len = PFKEY_LEN(sizeof(struct sadb_protocol));
+	proto->sadb_protocol_proto = protocol;
+	PFKEY_EXT_ADD(msg, proto);
+}
+
+/**
+ * Parses a pfkey message received from the kernel
+ */
+static status_t parse_pfkey_message(struct sadb_msg *msg, pfkey_msg_t *out)
+{
+	struct sadb_ext* ext;
+	size_t len;
+
+	memset(out, 0, sizeof(pfkey_msg_t));
+	out->msg = msg;
+
+	len = msg->sadb_msg_len;
+	len -= PFKEY_LEN(sizeof(struct sadb_msg));
+
+	ext = (struct sadb_ext*)(((char*)msg) + sizeof(struct sadb_msg));
+
+	while (len >= PFKEY_LEN(sizeof(struct sadb_ext)))
+	{
+		if (ext->sadb_ext_len < PFKEY_LEN(sizeof(struct sadb_ext)) ||
+			ext->sadb_ext_len > len)
+		{
+			DBG1(DBG_KNL, "length of PF_KEY extension (%d) is invalid", ext->sadb_ext_type);
+			break;
+		}
+
+		if ((ext->sadb_ext_type > SADB_EXT_MAX) || (!ext->sadb_ext_type))
+		{
+			DBG1(DBG_KNL, "type of PF_KEY extension (%d) is invalid", ext->sadb_ext_type);
+			break;
+		}
+
+		if (out->ext[ext->sadb_ext_type])
+		{
+			DBG1(DBG_KNL, "duplicate PF_KEY extension of type (%d)", ext->sadb_ext_type);
+			break;
+		}
+
+		out->ext[ext->sadb_ext_type] = ext;
+		ext = PFKEY_EXT_NEXT_LEN(ext, len);
+	}
+
+	if (len)
+	{
+		DBG1(DBG_KNL, "PF_KEY message length is invalid");
+		return FAILED;
+	}
+
+	return SUCCESS;
+}
+
+/**
+ * Send a message to a specific PF_KEY socket and handle the response.
+ */
+static status_t pfkey_send_socket(private_kernel_klips_ipsec_t *this, int socket,
+					struct sadb_msg *in, struct sadb_msg **out, size_t *out_len)
+{
+	unsigned char buf[PFKEY_BUFFER_SIZE];
+	struct sadb_msg *msg;
+	int in_len, len;
+
+	this->mutex_pfkey->lock(this->mutex_pfkey);
+
+	in->sadb_msg_seq = ++this->seq;
+	in->sadb_msg_pid = getpid();
+
+	in_len = PFKEY_USER_LEN(in->sadb_msg_len);
+
+	while (TRUE)
+	{
+		len = send(socket, in, in_len, 0);
+
+		if (len != in_len)
+		{
+			switch (errno)
+			{
+				case EINTR:
+					/* interrupted, try again */
+					continue;
+				case EINVAL:
+				case EEXIST:
+				case ESRCH:
+					/* we should also get a response for these from KLIPS */
+					break;
+				default:
+					this->mutex_pfkey->unlock(this->mutex_pfkey);
+					DBG1(DBG_KNL, "error sending to PF_KEY socket: %s (%d)",
+							strerror(errno), errno);
+					return FAILED;
+			}
+		}
+		break;
+	}
+
+	while (TRUE)
+	{
+		msg = (struct sadb_msg*)buf;
+
+		len = recv(socket, buf, sizeof(buf), 0);
+
+		if (len < 0)
+		{
+			if (errno == EINTR)
+			{
+				DBG1(DBG_KNL, "got interrupted");
+				/* interrupted, try again */
+				continue;
+			}
+			this->mutex_pfkey->unlock(this->mutex_pfkey);
+			DBG1(DBG_KNL, "error reading from PF_KEY socket: %s", strerror(errno));
+			return FAILED;
+		}
+		if (len < sizeof(struct sadb_msg) ||
+			msg->sadb_msg_len < PFKEY_LEN(sizeof(struct sadb_msg)))
+		{
+			this->mutex_pfkey->unlock(this->mutex_pfkey);
+			DBG1(DBG_KNL, "received corrupted PF_KEY message");
+			return FAILED;
+		}
+		if (msg->sadb_msg_len > len / PFKEY_ALIGNMENT)
+		{
+			this->mutex_pfkey->unlock(this->mutex_pfkey);
+			DBG1(DBG_KNL, "buffer was too small to receive the complete PF_KEY message");
+			return FAILED;
+		}
+		if (msg->sadb_msg_pid != in->sadb_msg_pid)
+		{
+			DBG2(DBG_KNL, "received PF_KEY message is not intended for us");
+			continue;
+		}
+		if (msg->sadb_msg_seq != this->seq)
+		{
+			DBG1(DBG_KNL, "received PF_KEY message with invalid sequence number,"
+					" was %d expected %d", msg->sadb_msg_seq, this->seq);
+			if (msg->sadb_msg_seq < this->seq)
+			{
+				continue;
+			}
+			this->mutex_pfkey->unlock(this->mutex_pfkey);
+			return FAILED;
+		}
+		if (msg->sadb_msg_type != in->sadb_msg_type)
+		{
+			DBG2(DBG_KNL, "received PF_KEY message of wrong type,"
+					" was %d expected %d, ignoring",
+					msg->sadb_msg_type, in->sadb_msg_type);
+		}
+		break;
+	}
+
+	*out_len = len;
+	*out = (struct sadb_msg*)malloc(len);
+	memcpy(*out, buf, len);
+
+	this->mutex_pfkey->unlock(this->mutex_pfkey);
+
+	return SUCCESS;
+}
+
+/**
+ * Send a message to the default PF_KEY socket.
+ */
+static status_t pfkey_send(private_kernel_klips_ipsec_t *this,
+					struct sadb_msg *in, struct sadb_msg **out, size_t *out_len)
+{
+	return pfkey_send_socket(this, this->socket, in, out, out_len);
+}
+
+/**
+ * Send a message to the default PF_KEY socket and handle the response.
+ */
+static status_t pfkey_send_ack(private_kernel_klips_ipsec_t *this, struct sadb_msg *in)
+{
+	struct sadb_msg *out;
+	size_t len;
+
+	if (pfkey_send(this, in, &out, &len) != SUCCESS)
+	{
+		return FAILED;
+	}
+	else if (out->sadb_msg_errno)
+	{
+		DBG1(DBG_KNL, "PF_KEY error: %s (%d)",
+					   strerror(out->sadb_msg_errno), out->sadb_msg_errno);
+		free(out);
+		return FAILED;
+	}
+	free(out);
+	return SUCCESS;
+}
+
+/**
+ * Add an eroute to KLIPS
+ */
+static status_t add_eroute(private_kernel_klips_ipsec_t *this, u_int8_t satype,
+		u_int32_t spi, host_t *src, host_t *dst, host_t *src_net, u_int8_t src_mask,
+		host_t *dst_net, u_int8_t dst_mask, u_int8_t protocol, bool replace)
+{
+	unsigned char request[PFKEY_BUFFER_SIZE];
+	struct sadb_msg *msg = (struct sadb_msg*)request;
+
+	memset(&request, 0, sizeof(request));
+
+	build_addflow(msg, satype, spi, src, dst, src_net, src_mask,
+			dst_net, dst_mask, protocol, replace);
+
+	return pfkey_send_ack(this, msg);
+}
+
+/**
+ * Delete an eroute fom KLIPS
+ */
+static status_t del_eroute(private_kernel_klips_ipsec_t *this, u_int8_t satype,
+		host_t *src_net, u_int8_t src_mask, host_t *dst_net, u_int8_t dst_mask,
+		u_int8_t protocol)
+{
+	unsigned char request[PFKEY_BUFFER_SIZE];
+	struct sadb_msg *msg = (struct sadb_msg*)request;
+
+	memset(&request, 0, sizeof(request));
+
+	build_delflow(msg, satype, src_net, src_mask, dst_net, dst_mask, protocol);
+
+	return pfkey_send_ack(this, msg);
+}
+
+/**
+ * Process a SADB_ACQUIRE message from the kernel
+ */
+static void process_acquire(private_kernel_klips_ipsec_t *this, struct sadb_msg* msg)
+{
+	pfkey_msg_t response;
+	host_t *src, *dst;
+	u_int32_t reqid;
+	u_int8_t proto;
+	policy_entry_t *policy;
+	job_t *job;
+
+	switch (msg->sadb_msg_satype)
+	{
+		case SADB_SATYPE_UNSPEC:
+		case SADB_SATYPE_ESP:
+		case SADB_SATYPE_AH:
+			break;
+		default:
+			/* acquire for AH/ESP only */
+			return;
+	}
+
+	if (parse_pfkey_message(msg, &response) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "parsing SADB_ACQUIRE from kernel failed");
+		return;
+	}
+
+	/* KLIPS provides us only with the source and destination address,
+	 * and the transport protocol of the packet that triggered the policy.
+	 * we use this information to find a matching policy in our cache.
+	 * because KLIPS installs a narrow %hold eroute covering only this information,
+	 * we replace both the %trap and this %hold eroutes with a broader %hold
+	 * eroute covering the whole policy */
+	src = host_create_from_sockaddr((sockaddr_t*)(response.src + 1));
+	dst = host_create_from_sockaddr((sockaddr_t*)(response.dst + 1));
+	proto = response.src->sadb_address_proto;
+	if (!src || !dst || src->get_family(src) != dst->get_family(dst))
+	{
+		DBG1(DBG_KNL, "received an SADB_ACQUIRE with invalid hosts");
+		return;
+	}
+
+	DBG2(DBG_KNL, "received an SADB_ACQUIRE for %H == %H : %d", src, dst, proto);
+	this->mutex->lock(this->mutex);
+	if (this->policies->find_first(this->policies,
+			(linked_list_match_t)policy_entry_match_byaddrs,
+				(void**)&policy, src, dst) != SUCCESS)
+	{
+		this->mutex->unlock(this->mutex);
+		DBG1(DBG_KNL, "received an SADB_ACQUIRE, but found no matching policy");
+		return;
+	}
+	if ((reqid = policy->reqid) == 0)
+	{
+		this->mutex->unlock(this->mutex);
+		DBG1(DBG_KNL, "received an SADB_ACQUIRE, but policy is not routed anymore");
+		return;
+	}
+
+	/* add a broad %hold eroute that replaces the %trap eroute */
+	add_eroute(this, SADB_X_SATYPE_INT, htonl(SPI_HOLD), NULL, NULL,
+			policy->src.net, policy->src.mask, policy->dst.net, policy->dst.mask,
+			policy->src.proto, TRUE);
+
+	/* remove the narrow %hold eroute installed by KLIPS */
+	del_eroute(this, SADB_X_SATYPE_INT, src, 32, dst, 32, proto);
+
+	this->mutex->unlock(this->mutex);
+
+	DBG2(DBG_KNL, "received an SADB_ACQUIRE");
+	DBG1(DBG_KNL, "creating acquire job for CHILD_SA with reqid {%d}", reqid);
+	job = (job_t*)acquire_job_create(reqid, NULL, NULL);
+	charon->processor->queue_job(charon->processor, job);
+}
+
+/**
+ * Process a SADB_X_NAT_T_NEW_MAPPING message from the kernel
+ */
+static void process_mapping(private_kernel_klips_ipsec_t *this, struct sadb_msg* msg)
+{
+	pfkey_msg_t response;
+	u_int32_t spi, reqid;
+	host_t *old_src, *new_src;
+	job_t *job;
+
+	DBG2(DBG_KNL, "received an SADB_X_NAT_T_NEW_MAPPING");
+
+	if (parse_pfkey_message(msg, &response) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "parsing SADB_X_NAT_T_NEW_MAPPING from kernel failed");
+		return;
+	}
+
+	spi = response.sa->sadb_sa_spi;
+
+	if (proto_satype2ike(msg->sadb_msg_satype) == PROTO_ESP)
+	{
+		sa_entry_t *sa;
+		sockaddr_t *addr = (sockaddr_t*)(response.src + 1);
+		old_src = host_create_from_sockaddr(addr);
+
+		this->mutex->lock(this->mutex);
+		if (!old_src || this->installed_sas->find_first(this->installed_sas,
+				(linked_list_match_t)sa_entry_match_encapbysrc,
+					(void**)&sa, &spi, old_src) != SUCCESS)
+		{
+			this->mutex->unlock(this->mutex);
+			DBG1(DBG_KNL, "received an SADB_X_NAT_T_NEW_MAPPING, but found no matching SA");
+			return;
+		}
+		reqid = sa->reqid;
+		this->mutex->unlock(this->mutex);
+
+		addr = (sockaddr_t*)(response.dst + 1);
+		switch (addr->sa_family)
+		{
+			case AF_INET:
+			{
+				struct sockaddr_in *sin = (struct sockaddr_in*)addr;
+				sin->sin_port = htons(response.x_natt_dport->sadb_x_nat_t_port_port);
+			}
+			case AF_INET6:
+			{
+				struct sockaddr_in6 *sin6 = (struct sockaddr_in6*)addr;
+				sin6->sin6_port = htons(response.x_natt_dport->sadb_x_nat_t_port_port);
+			}
+			default:
+				break;
+		}
+		new_src = host_create_from_sockaddr(addr);
+		if (new_src)
+		{
+			DBG1(DBG_KNL, "NAT mappings of ESP CHILD_SA with SPI %.8x and"
+				" reqid {%d} changed, queuing update job", ntohl(spi), reqid);
+			job = (job_t*)update_sa_job_create(reqid, new_src);
+			charon->processor->queue_job(charon->processor, job);
+		}
+	}
+}
+
+/**
+ * Receives events from kernel
+ */
+static job_requeue_t receive_events(private_kernel_klips_ipsec_t *this)
+{
+	unsigned char buf[PFKEY_BUFFER_SIZE];
+	struct sadb_msg *msg = (struct sadb_msg*)buf;
+	int len;
+	bool oldstate;
+
+	oldstate = thread_cancelability(TRUE);
+	len = recv(this->socket_events, buf, sizeof(buf), 0);
+	thread_cancelability(oldstate);
+
+	if (len < 0)
+	{
+		switch (errno)
+		{
+			case EINTR:
+				/* interrupted, try again */
+				return JOB_REQUEUE_DIRECT;
+			case EAGAIN:
+				/* no data ready, select again */
+				return JOB_REQUEUE_DIRECT;
+			default:
+				DBG1(DBG_KNL, "unable to receive from PF_KEY event socket");
+				sleep(1);
+				return JOB_REQUEUE_FAIR;
+		}
+	}
+
+	if (len < sizeof(struct sadb_msg) ||
+		msg->sadb_msg_len < PFKEY_LEN(sizeof(struct sadb_msg)))
+	{
+		DBG2(DBG_KNL, "received corrupted PF_KEY message");
+		return JOB_REQUEUE_DIRECT;
+	}
+	if (msg->sadb_msg_pid != 0)
+	{	/* not from kernel. not interested, try another one */
+		return JOB_REQUEUE_DIRECT;
+	}
+	if (msg->sadb_msg_len > len / PFKEY_ALIGNMENT)
+	{
+		DBG1(DBG_KNL, "buffer was too small to receive the complete PF_KEY message");
+		return JOB_REQUEUE_DIRECT;
+	}
+
+	switch (msg->sadb_msg_type)
+	{
+		case SADB_ACQUIRE:
+			process_acquire(this, msg);
+			break;
+		case SADB_EXPIRE:
+			/* SADB_EXPIRE events in KLIPS are only triggered by traffic (even for
+			 * the time based limits). So if there is no traffic for a longer
+			 * period than configured as hard limit, we wouldn't be able to rekey
+			 * the SA and just receive the hard expire and thus delete the SA.
+			 * To avoid this behavior and to make charon behave as with the other
+			 * kernel plugins, we implement the expiration of SAs ourselves. */
+			break;
+		case SADB_X_NAT_T_NEW_MAPPING:
+			process_mapping(this, msg);
+			break;
+		default:
+			break;
+	}
+
+	return JOB_REQUEUE_DIRECT;
+}
+
+typedef enum {
+	/** an SPI has expired */
+	EXPIRE_TYPE_SPI,
+	/** a CHILD_SA has to be rekeyed */
+	EXPIRE_TYPE_SOFT,
+	/** a CHILD_SA has to be deleted */
+	EXPIRE_TYPE_HARD
+} expire_type_t;
+
+typedef struct sa_expire_t sa_expire_t;
+
+struct sa_expire_t {
+	/** kernel interface */
+	private_kernel_klips_ipsec_t *this;
+	/** the SPI of the expiring SA */
+	u_int32_t spi;
+	/** the protocol of the expiring SA */
+	protocol_id_t protocol;
+	/** the reqid of the expiring SA*/
+	u_int32_t reqid;
+	/** what type of expire this is */
+	expire_type_t type;
+};
+
+/**
+ * Called when an SA expires
+ */
+static job_requeue_t sa_expires(sa_expire_t *expire)
+{
+	private_kernel_klips_ipsec_t *this = expire->this;
+	protocol_id_t protocol = expire->protocol;
+	u_int32_t spi = expire->spi, reqid = expire->reqid;
+	bool hard = expire->type != EXPIRE_TYPE_SOFT;
+	sa_entry_t *cached_sa;
+	linked_list_t *list;
+	job_t *job;
+
+	/* for an expired SPI we first check whether the CHILD_SA got installed
+	 * in the meantime, for expired SAs we check whether they are still installed */
+	list = expire->type == EXPIRE_TYPE_SPI ? this->allocated_spis : this->installed_sas;
+
+	this->mutex->lock(this->mutex);
+	if (list->find_first(list, (linked_list_match_t)sa_entry_match_byid,
+			(void**)&cached_sa, &protocol, &spi, &reqid) != SUCCESS)
+	{
+		/* we found no entry:
+		 * - for SPIs, a CHILD_SA has been installed
+		 * - for SAs, the CHILD_SA has already been deleted */
+		this->mutex->unlock(this->mutex);
+		return JOB_REQUEUE_NONE;
+	}
+	else
+	{
+		list->remove(list, cached_sa, NULL);
+		sa_entry_destroy(cached_sa);
+	}
+	this->mutex->unlock(this->mutex);
+
+	DBG2(DBG_KNL, "%N CHILD_SA with SPI %.8x and reqid {%d} expired",
+			protocol_id_names, protocol, ntohl(spi), reqid);
+
+	DBG1(DBG_KNL, "creating %s job for %N CHILD_SA with SPI %.8x and reqid {%d}",
+		 hard ? "delete" : "rekey",  protocol_id_names,
+		 protocol, ntohl(spi), reqid);
+	if (hard)
+	{
+		job = (job_t*)delete_child_sa_job_create(reqid, protocol, spi);
+	}
+	else
+	{
+		job = (job_t*)rekey_child_sa_job_create(reqid, protocol, spi);
+	}
+	charon->processor->queue_job(charon->processor, job);
+	return JOB_REQUEUE_NONE;
+}
+
+/**
+ * Schedule an expire job for an SA. Time is in seconds.
+ */
+static void schedule_expire(private_kernel_klips_ipsec_t *this,
+							protocol_id_t protocol, u_int32_t spi,
+							u_int32_t reqid, expire_type_t type, u_int32_t time)
+{
+	callback_job_t *job;
+	sa_expire_t *expire = malloc_thing(sa_expire_t);
+	expire->this = this;
+	expire->protocol = protocol;
+	expire->spi = spi;
+	expire->reqid = reqid;
+	expire->type = type;
+	job = callback_job_create((callback_job_cb_t)sa_expires, expire, free, NULL);
+	charon->scheduler->schedule_job(charon->scheduler, (job_t*)job, time);
+}
+
+METHOD(kernel_ipsec_t, get_spi, status_t,
+	private_kernel_klips_ipsec_t *this, host_t *src, host_t *dst,
+	protocol_id_t protocol, u_int32_t reqid, u_int32_t *spi)
+{
+	/* we cannot use SADB_GETSPI because KLIPS does not allow us to set the
+	 * NAT-T type in an SADB_UPDATE which we would have to use to update the
+	 * implicitly created SA.
+	 */
+	rng_t *rng;
+	u_int32_t spi_gen;
+
+	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
+	if (!rng)
+	{
+		DBG1(DBG_KNL, "allocating SPI failed: no RNG");
+		return FAILED;
+	}
+	rng->get_bytes(rng, sizeof(spi_gen), (void*)&spi_gen);
+	rng->destroy(rng);
+
+	/* charon's SPIs lie within the range from 0xc0000000 to 0xcFFFFFFF */
+	spi_gen = 0xc0000000 | (spi_gen & 0x0FFFFFFF);
+
+	DBG2(DBG_KNL, "allocated SPI %.8x for %N SA between %#H..%#H",
+			spi_gen, protocol_id_names, protocol, src, dst);
+
+	*spi = htonl(spi_gen);
+
+	this->mutex->lock(this->mutex);
+	this->allocated_spis->insert_last(this->allocated_spis,
+			create_sa_entry(protocol, *spi, reqid, NULL, NULL, FALSE, TRUE));
+	this->mutex->unlock(this->mutex);
+	schedule_expire(this, protocol, *spi, reqid, EXPIRE_TYPE_SPI, SPI_TIMEOUT);
+
+	return SUCCESS;
+}
+
+METHOD(kernel_ipsec_t, get_cpi, status_t,
+	private_kernel_klips_ipsec_t *this, host_t *src, host_t *dst,
+	u_int32_t reqid, u_int16_t *cpi)
+{
+	return FAILED;
+}
+
+/**
+ * Add a pseudo IPIP SA for tunnel mode with KLIPS.
+ */
+static status_t add_ipip_sa(private_kernel_klips_ipsec_t *this,
+					   host_t *src, host_t *dst, u_int32_t spi, u_int32_t reqid)
+{
+	unsigned char request[PFKEY_BUFFER_SIZE];
+	struct sadb_msg *msg, *out;
+	struct sadb_sa *sa;
+	size_t len;
+
+	memset(&request, 0, sizeof(request));
+
+	DBG2(DBG_KNL, "adding pseudo IPIP SA with SPI %.8x and reqid {%d}", ntohl(spi), reqid);
+
+	msg = (struct sadb_msg*)request;
+	msg->sadb_msg_version = PF_KEY_V2;
+	msg->sadb_msg_type = SADB_ADD;
+	msg->sadb_msg_satype = SADB_X_SATYPE_IPIP;
+	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
+
+	sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
+	sa->sadb_sa_exttype = SADB_EXT_SA;
+	sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
+	sa->sadb_sa_spi = spi;
+	sa->sadb_sa_state = SADB_SASTATE_MATURE;
+	PFKEY_EXT_ADD(msg, sa);
+
+	add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC);
+	add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST);
+
+	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "unable to add pseudo IPIP SA with SPI %.8x", ntohl(spi));
+		return FAILED;
+	}
+	else if (out->sadb_msg_errno)
+	{
+		DBG1(DBG_KNL, "unable to add pseudo IPIP SA with SPI %.8x: %s (%d)",
+				ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
+		free(out);
+		return FAILED;
+	}
+
+	free(out);
+	return SUCCESS;
+}
+
+/**
+ * group the IPIP SA required for tunnel mode with the outer SA
+ */
+static status_t group_ipip_sa(private_kernel_klips_ipsec_t *this,
+					   host_t *src, host_t *dst, u_int32_t spi,
+					   protocol_id_t protocol, u_int32_t reqid)
+{
+	unsigned char request[PFKEY_BUFFER_SIZE];
+	struct sadb_msg *msg, *out;
+	struct sadb_sa *sa;
+	struct sadb_x_satype *satype;
+	size_t len;
+
+	memset(&request, 0, sizeof(request));
+
+	DBG2(DBG_KNL, "grouping SAs with SPI %.8x and reqid {%d}", ntohl(spi), reqid);
+
+	msg = (struct sadb_msg*)request;
+	msg->sadb_msg_version = PF_KEY_V2;
+	msg->sadb_msg_type = SADB_X_GRPSA;
+	msg->sadb_msg_satype = SADB_X_SATYPE_IPIP;
+	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
+
+	sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
+	sa->sadb_sa_exttype = SADB_EXT_SA;
+	sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
+	sa->sadb_sa_spi = spi;
+	sa->sadb_sa_state = SADB_SASTATE_MATURE;
+	PFKEY_EXT_ADD(msg, sa);
+
+	add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST);
+
+	satype = (struct sadb_x_satype*)PFKEY_EXT_ADD_NEXT(msg);
+	satype->sadb_x_satype_exttype = SADB_X_EXT_SATYPE2;
+	satype->sadb_x_satype_len = PFKEY_LEN(sizeof(struct sadb_x_satype));
+	satype->sadb_x_satype_satype = proto_ike2satype(protocol);
+	PFKEY_EXT_ADD(msg, satype);
+
+	sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
+	sa->sadb_sa_exttype = SADB_X_EXT_SA2;
+	sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
+	sa->sadb_sa_spi = spi;
+	sa->sadb_sa_state = SADB_SASTATE_MATURE;
+	PFKEY_EXT_ADD(msg, sa);
+
+	add_addr_ext(msg, dst, SADB_X_EXT_ADDRESS_DST2);
+
+	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "unable to group SAs with SPI %.8x", ntohl(spi));
+		return FAILED;
+	}
+	else if (out->sadb_msg_errno)
+	{
+		DBG1(DBG_KNL, "unable to group SAs with SPI %.8x: %s (%d)",
+				ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
+		free(out);
+		return FAILED;
+	}
+
+	free(out);
+	return SUCCESS;
+}
+
+METHOD(kernel_ipsec_t, add_sa, status_t,
+	private_kernel_klips_ipsec_t *this, host_t *src, host_t *dst, u_int32_t spi,
+	protocol_id_t protocol, u_int32_t reqid, lifetime_cfg_t *lifetime,
+	u_int16_t enc_alg, chunk_t enc_key, u_int16_t int_alg, chunk_t int_key,
+	ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi, bool encap,
+	bool inbound, traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
+{
+	unsigned char request[PFKEY_BUFFER_SIZE];
+	struct sadb_msg *msg, *out;
+	struct sadb_sa *sa;
+	struct sadb_key *key;
+	size_t len;
+
+	if (inbound)
+	{
+		/* for inbound SAs we allocated an SPI via get_spi, so we first check
+		 * whether that SPI has already expired (race condition) */
+		sa_entry_t *alloc_spi;
+		this->mutex->lock(this->mutex);
+		if (this->allocated_spis->find_first(this->allocated_spis,
+				(linked_list_match_t)sa_entry_match_byid, (void**)&alloc_spi,
+					&protocol, &spi, &reqid) != SUCCESS)
+		{
+			this->mutex->unlock(this->mutex);
+			DBG1(DBG_KNL, "allocated SPI %.8x has already expired", ntohl(spi));
+			return FAILED;
+		}
+		else
+		{
+			this->allocated_spis->remove(this->allocated_spis, alloc_spi, NULL);
+			sa_entry_destroy(alloc_spi);
+		}
+		this->mutex->unlock(this->mutex);
+	}
+
+	memset(&request, 0, sizeof(request));
+
+	DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%d}", ntohl(spi), reqid);
+
+	msg = (struct sadb_msg*)request;
+	msg->sadb_msg_version = PF_KEY_V2;
+	msg->sadb_msg_type = SADB_ADD;
+	msg->sadb_msg_satype = proto_ike2satype(protocol);
+	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
+
+	sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
+	sa->sadb_sa_exttype = SADB_EXT_SA;
+	sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
+	sa->sadb_sa_spi = spi;
+	sa->sadb_sa_state = SADB_SASTATE_MATURE;
+	sa->sadb_sa_replay = (protocol == IPPROTO_COMP) ? 0 : 32;
+	sa->sadb_sa_auth = lookup_algorithm(integrity_algs, int_alg);
+	sa->sadb_sa_encrypt = lookup_algorithm(encryption_algs, enc_alg);
+	PFKEY_EXT_ADD(msg, sa);
+
+	add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC);
+	add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST);
+
+	if (enc_alg != ENCR_UNDEFINED)
+	{
+		if (!sa->sadb_sa_encrypt)
+		{
+			DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
+				 encryption_algorithm_names, enc_alg);
+			return FAILED;
+		}
+		DBG2(DBG_KNL, "  using encryption algorithm %N with key size %d",
+			 encryption_algorithm_names, enc_alg, enc_key.len * 8);
+
+		key = (struct sadb_key*)PFKEY_EXT_ADD_NEXT(msg);
+		key->sadb_key_exttype = SADB_EXT_KEY_ENCRYPT;
+		key->sadb_key_bits = enc_key.len * 8;
+		key->sadb_key_len = PFKEY_LEN(sizeof(struct sadb_key) + enc_key.len);
+		memcpy(key + 1, enc_key.ptr, enc_key.len);
+
+		PFKEY_EXT_ADD(msg, key);
+	}
+
+	if (int_alg != AUTH_UNDEFINED)
+	{
+		if (!sa->sadb_sa_auth)
+		{
+			DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
+					 integrity_algorithm_names, int_alg);
+			return FAILED;
+		}
+		DBG2(DBG_KNL, "  using integrity algorithm %N with key size %d",
+			 integrity_algorithm_names, int_alg, int_key.len * 8);
+
+		key = (struct sadb_key*)PFKEY_EXT_ADD_NEXT(msg);
+		key->sadb_key_exttype = SADB_EXT_KEY_AUTH;
+		key->sadb_key_bits = int_key.len * 8;
+		key->sadb_key_len = PFKEY_LEN(sizeof(struct sadb_key) + int_key.len);
+		memcpy(key + 1, int_key.ptr, int_key.len);
+
+		PFKEY_EXT_ADD(msg, key);
+	}
+
+	if (ipcomp != IPCOMP_NONE)
+	{
+		/*TODO*/
+	}
+
+	if (encap)
+	{
+		add_encap_ext(msg, src, dst, FALSE);
+	}
+
+	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x", ntohl(spi));
+		return FAILED;
+	}
+	else if (out->sadb_msg_errno)
+	{
+		DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x: %s (%d)",
+				ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
+		free(out);
+		return FAILED;
+	}
+	free(out);
+
+	/* for tunnel mode SAs we have to install an additional IPIP SA and
+	 * group the two SAs together */
+	if (mode == MODE_TUNNEL)
+	{
+		if (add_ipip_sa(this, src, dst, spi, reqid) != SUCCESS ||
+			group_ipip_sa(this, src, dst, spi, protocol, reqid) != SUCCESS)
+		{
+			DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x", ntohl(spi));
+			return FAILED;
+		}
+	}
+
+	this->mutex->lock(this->mutex);
+	/* we cache this SA for two reasons:
+	 * - in case an SADB_X_NAT_T_MAPPING_NEW event occurs (we need to find the reqid then)
+	 * - to decide if an expired SA is still installed */
+	this->installed_sas->insert_last(this->installed_sas,
+				create_sa_entry(protocol, spi, reqid, src, dst, encap, inbound));
+	this->mutex->unlock(this->mutex);
+
+	/* Although KLIPS supports SADB_EXT_LIFETIME_SOFT/HARD, we handle the lifetime
+	 * of SAs manually in the plugin. Refer to the comments in receive_events()
+	 * for details. */
+	if (lifetime->time.rekey)
+	{
+		schedule_expire(this, protocol, spi, reqid, EXPIRE_TYPE_SOFT, lifetime->time.rekey);
+	}
+
+	if (lifetime->time.life)
+	{
+		schedule_expire(this, protocol, spi, reqid, EXPIRE_TYPE_HARD, lifetime->time.life);
+	}
+
+	return SUCCESS;
+}
+
+METHOD(kernel_ipsec_t, update_sa, status_t,
+	private_kernel_klips_ipsec_t *this, u_int32_t spi, protocol_id_t protocol,
+	u_int16_t cpi, host_t *src, host_t *dst, host_t *new_src, host_t *new_dst,
+	bool encap, bool new_encap)
+{
+	unsigned char request[PFKEY_BUFFER_SIZE];
+	struct sadb_msg *msg, *out;
+	struct sadb_sa *sa;
+	size_t len;
+
+	/* we can't update the SA if any of the ip addresses have changed.
+	 * that's because we can't use SADB_UPDATE and by deleting and readding the
+	 * SA the sequence numbers would get lost */
+	if (!src->ip_equals(src, new_src) ||
+		!dst->ip_equals(dst, new_dst))
+	{
+		DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x: address changes"
+				" are not supported", ntohl(spi));
+		return NOT_SUPPORTED;
+	}
+
+	/* because KLIPS does not allow us to change the NAT-T type in an SADB_UPDATE,
+	 * we can't update the SA if the encap flag has changed since installing it */
+	if (encap != new_encap)
+	{
+		DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x: change of UDP"
+				" encapsulation is not supported", ntohl(spi));
+		return NOT_SUPPORTED;
+	}
+
+	DBG2(DBG_KNL, "updating SAD entry with SPI %.8x from %#H..%#H to %#H..%#H",
+		 ntohl(spi), src, dst, new_src, new_dst);
+
+	memset(&request, 0, sizeof(request));
+
+	msg = (struct sadb_msg*)request;
+	msg->sadb_msg_version = PF_KEY_V2;
+	msg->sadb_msg_type = SADB_UPDATE;
+	msg->sadb_msg_satype = proto_ike2satype(protocol);
+	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
+
+	sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
+	sa->sadb_sa_exttype = SADB_EXT_SA;
+	sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
+	sa->sadb_sa_spi = spi;
+	sa->sadb_sa_encrypt = SADB_EALG_AESCBC; /* ignored */
+	sa->sadb_sa_auth = SADB_AALG_SHA1HMAC; /* ignored */
+	sa->sadb_sa_state = SADB_SASTATE_MATURE;
+	PFKEY_EXT_ADD(msg, sa);
+
+	add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC);
+	add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST);
+
+	add_encap_ext(msg, new_src, new_dst, TRUE);
+
+	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi));
+		return FAILED;
+	}
+	else if (out->sadb_msg_errno)
+	{
+		DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x: %s (%d)",
+				ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
+		free(out);
+		return FAILED;
+	}
+	free(out);
+
+	return SUCCESS;
+}
+
+METHOD(kernel_ipsec_t, query_sa, status_t,
+	private_kernel_klips_ipsec_t *this, host_t *src, host_t *dst,
+	u_int32_t spi, protocol_id_t protocol, u_int64_t *bytes)
+{
+	return NOT_SUPPORTED;  /* TODO */
+}
+
+METHOD(kernel_ipsec_t, del_sa, status_t,
+	private_kernel_klips_ipsec_t *this, host_t *src, host_t *dst,
+	u_int32_t spi, protocol_id_t protocol, u_int16_t cpi)
+{
+	unsigned char request[PFKEY_BUFFER_SIZE];
+	struct sadb_msg *msg, *out;
+	struct sadb_sa *sa;
+	sa_entry_t *cached_sa;
+	size_t len;
+
+	memset(&request, 0, sizeof(request));
+
+	/* all grouped SAs are automatically deleted by KLIPS as soon as
+	 * one of them is deleted, therefore we delete only the main one */
+	DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x", ntohl(spi));
+
+	this->mutex->lock(this->mutex);
+	/* this should not fail, but we don't care if it does, let the kernel decide
+	 * whether this SA exists or not */
+	if (this->installed_sas->find_first(this->installed_sas,
+			(linked_list_match_t)sa_entry_match_bydst, (void**)&cached_sa,
+			&protocol, &spi, dst) == SUCCESS)
+	{
+		this->installed_sas->remove(this->installed_sas, cached_sa, NULL);
+		sa_entry_destroy(cached_sa);
+	}
+	this->mutex->unlock(this->mutex);
+
+	msg = (struct sadb_msg*)request;
+	msg->sadb_msg_version = PF_KEY_V2;
+	msg->sadb_msg_type = SADB_DELETE;
+	msg->sadb_msg_satype = proto_ike2satype(protocol);
+	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
+
+	sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
+	sa->sadb_sa_exttype = SADB_EXT_SA;
+	sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
+	sa->sadb_sa_spi = spi;
+	PFKEY_EXT_ADD(msg, sa);
+
+	/* the kernel wants an SADB_EXT_ADDRESS_SRC to be present even though
+	 * it is not used for anything. */
+	add_anyaddr_ext(msg, dst->get_family(dst), SADB_EXT_ADDRESS_SRC);
+	add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST);
+
+	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x", ntohl(spi));
+		return FAILED;
+	}
+	else if (out->sadb_msg_errno)
+	{
+		DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x: %s (%d)",
+				ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
+		free(out);
+		return FAILED;
+	}
+
+	DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x", ntohl(spi));
+	free(out);
+	return SUCCESS;
+}
+
+METHOD(kernel_ipsec_t, add_policy, status_t,
+	private_kernel_klips_ipsec_t *this, host_t *src, host_t *dst,
+	traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
+	policy_dir_t direction, u_int32_t spi, protocol_id_t protocol,
+	u_int32_t reqid, ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
+	bool routed)
+{
+	unsigned char request[PFKEY_BUFFER_SIZE];
+	struct sadb_msg *msg, *out;
+	policy_entry_t *policy, *found = NULL;
+	u_int8_t satype;
+	size_t len;
+
+	if (direction == POLICY_FWD)
+	{
+		/* no forward policies for KLIPS */
+		return SUCCESS;
+	}
+
+	/* tunnel mode policies direct the packets into the pseudo IPIP SA */
+	satype = (mode == MODE_TUNNEL) ? SADB_X_SATYPE_IPIP :
+									 proto_ike2satype(protocol);
+
+	/* create a policy */
+	policy = create_policy_entry(src_ts, dst_ts, direction);
+
+	/* find a matching policy */
+	this->mutex->lock(this->mutex);
+	if (this->policies->find_first(this->policies,
+			(linked_list_match_t)policy_entry_equals, (void**)&found, policy) == SUCCESS)
+	{
+		/* use existing policy */
+		DBG2(DBG_KNL, "policy %R === %R %N already exists, increasing"
+					  " refcount", src_ts, dst_ts,
+					   policy_dir_names, direction);
+		policy_entry_destroy(policy);
+		policy = found;
+	}
+	else
+	{
+		/* apply the new one, if we have no such policy */
+		this->policies->insert_last(this->policies, policy);
+	}
+
+	if (routed)
+	{
+		/* we install this as a %trap eroute in the kernel, later to be
+		 * triggered by packets matching the policy (-> ACQUIRE). */
+		spi = htonl(SPI_TRAP);
+		satype = SADB_X_SATYPE_INT;
+
+		/* the reqid is always set to the latest child SA that trapped this
+		 * policy. we will need this reqid upon receiving an acquire. */
+		policy->reqid = reqid;
+
+		/* increase the trap counter */
+		policy->trapcount++;
+
+		if (policy->activecount)
+		{
+			/* we do not replace the current policy in the kernel while a
+			 * policy is actively used */
+			this->mutex->unlock(this->mutex);
+			return SUCCESS;
+		}
+	}
+	else
+	{
+		/* increase the reference counter */
+		policy->activecount++;
+	}
+
+	DBG2(DBG_KNL, "adding policy %R === %R %N", src_ts, dst_ts,
+				   policy_dir_names, direction);
+
+	memset(&request, 0, sizeof(request));
+
+	msg = (struct sadb_msg*)request;
+
+	/* FIXME: SADB_X_SAFLAGS_INFLOW may be required, if we add an inbound policy for an IPIP SA */
+	build_addflow(msg, satype, spi, routed ? NULL : src, routed ? NULL : dst,
+			policy->src.net, policy->src.mask, policy->dst.net, policy->dst.mask,
+			policy->src.proto, found != NULL);
+
+	this->mutex->unlock(this->mutex);
+
+	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "unable to add policy %R === %R %N", src_ts, dst_ts,
+					   policy_dir_names, direction);
+		return FAILED;
+	}
+	else if (out->sadb_msg_errno)
+	{
+		DBG1(DBG_KNL, "unable to add policy %R === %R %N: %s (%d)", src_ts, dst_ts,
+					   policy_dir_names, direction,
+					   strerror(out->sadb_msg_errno), out->sadb_msg_errno);
+		free(out);
+		return FAILED;
+	}
+	free(out);
+
+	this->mutex->lock(this->mutex);
+
+	/* we try to find the policy again and install the route if needed */
+	if (this->policies->find_last(this->policies, NULL, (void**)&policy) != SUCCESS)
+	{
+		this->mutex->unlock(this->mutex);
+		DBG2(DBG_KNL, "the policy %R === %R %N is already gone, ignoring",
+				src_ts, dst_ts, policy_dir_names, direction);
+		return SUCCESS;
+	}
+
+	/* KLIPS requires a special route that directs traffic that matches this
+	 * policy to one of the virtual ipsec interfaces. The virtual interface
+	 * has to be attached to the physical one the traffic runs over.
+	 * This is a special case of the source route we install in other kernel
+	 * interfaces.
+	 * In the following cases we do NOT install a source route (but just a
+	 * regular route):
+	 * - we are not in tunnel mode
+	 * - we are using IPv6 (does not work correctly yet!)
+	 * - routing is disabled via strongswan.conf
+	 */
+	if (policy->route == NULL && direction == POLICY_OUT)
+	{
+		char *iface;
+		ipsec_dev_t *dev;
+		route_entry_t *route = malloc_thing(route_entry_t);
+		route->src_ip = NULL;
+
+		if (mode != MODE_TRANSPORT && src->get_family(src) != AF_INET6 &&
+			this->install_routes)
+		{
+			charon->kernel_interface->get_address_by_ts(charon->kernel_interface,
+						src_ts, &route->src_ip);
+		}
+
+		if (!route->src_ip)
+		{
+			route->src_ip = host_create_any(src->get_family(src));
+		}
+
+		/* find the virtual interface */
+		iface = charon->kernel_interface->get_interface(charon->kernel_interface,
+														src);
+		if (find_ipsec_dev(this, iface, &dev) == SUCCESS)
+		{
+			/* above, we got either the name of a virtual or a physical
+			 * interface. for both cases it means we already have the devices
+			 * properly attached (assuming that we are exclusively attaching
+			 * ipsec devices). */
+			dev->refcount++;
+		}
+		else
+		{
+			/* there is no record of a mapping with the returned interface.
+			 * thus, we attach the first free virtual interface we find to
+			 * it. As above we assume we are the only client fiddling with
+			 * ipsec devices. */
+			if (this->ipsec_devices->find_first(this->ipsec_devices,
+					(linked_list_match_t)ipsec_dev_match_free,
+						(void**)&dev) == SUCCESS)
+			{
+				if (attach_ipsec_dev(dev->name, iface) == SUCCESS)
+				{
+					strncpy(dev->phys_name, iface, IFNAMSIZ);
+					dev->refcount = 1;
+				}
+				else
+				{
+					DBG1(DBG_KNL, "failed to attach virtual interface %s"
+							" to %s", dev->name, iface);
+					this->mutex->unlock(this->mutex);
+					free(iface);
+					return FAILED;
+				}
+			}
+			else
+			{
+				this->mutex->unlock(this->mutex);
+				DBG1(DBG_KNL, "failed to attach a virtual interface to %s: no"
+						" virtual interfaces left", iface);
+				free(iface);
+				return FAILED;
+			}
+		}
+		free(iface);
+		route->if_name = strdup(dev->name);
+
+		/* get the nexthop to dst */
+		route->gateway = charon->kernel_interface->get_nexthop(
+										charon->kernel_interface, dst);
+		route->dst_net = chunk_clone(policy->dst.net->get_address(policy->dst.net));
+		route->prefixlen = policy->dst.mask;
+
+		switch (charon->kernel_interface->add_route(charon->kernel_interface,
+				route->dst_net, route->prefixlen, route->gateway,
+				route->src_ip, route->if_name))
+		{
+			default:
+				DBG1(DBG_KNL, "unable to install route for policy %R === %R",
+					 src_ts, dst_ts);
+				/* FALL */
+			case ALREADY_DONE:
+				/* route exists, do not uninstall */
+				route_entry_destroy(route);
+				break;
+			case SUCCESS:
+				/* cache the installed route */
+				policy->route = route;
+				break;
+		}
+	}
+
+	this->mutex->unlock(this->mutex);
+
+	return SUCCESS;
+}
+
+METHOD(kernel_ipsec_t, query_policy, status_t,
+	private_kernel_klips_ipsec_t *this, traffic_selector_t *src_ts,
+	traffic_selector_t *dst_ts, policy_dir_t direction, u_int32_t *use_time)
+{
+	#define IDLE_PREFIX "idle="
+	static const char *path_eroute = "/proc/net/ipsec_eroute";
+	static const char *path_spi = "/proc/net/ipsec_spi";
+	FILE *file;
+	char line[1024], src[INET6_ADDRSTRLEN + 9], dst[INET6_ADDRSTRLEN + 9];
+	char *said = NULL, *pos;
+	policy_entry_t *policy, *found = NULL;
+	status_t status = FAILED;
+
+	if (direction == POLICY_FWD)
+	{
+		/* we do not install forward policies */
+		return FAILED;
+	}
+
+	DBG2(DBG_KNL, "querying policy %R === %R %N", src_ts, dst_ts,
+				   policy_dir_names, direction);
+
+	/* create a policy */
+	policy = create_policy_entry(src_ts, dst_ts, direction);
+
+	/* find a matching policy */
+	this->mutex->lock(this->mutex);
+	if (this->policies->find_first(this->policies,
+			(linked_list_match_t)policy_entry_equals, (void**)&found, policy) != SUCCESS)
+	{
+		this->mutex->unlock(this->mutex);
+		DBG1(DBG_KNL, "querying policy %R === %R %N failed, not found", src_ts,
+					   dst_ts, policy_dir_names, direction);
+		policy_entry_destroy(policy);
+		return NOT_FOUND;
+	}
+	policy_entry_destroy(policy);
+	policy = found;
+
+	/* src and dst selectors in KLIPS are of the form NET_ADDR/NETBITS:PROTO */
+	snprintf(src, sizeof(src), "%H/%d:%d", policy->src.net, policy->src.mask,
+			policy->src.proto);
+	src[sizeof(src) - 1] = '\0';
+	snprintf(dst, sizeof(dst), "%H/%d:%d", policy->dst.net, policy->dst.mask,
+			policy->dst.proto);
+	dst[sizeof(dst) - 1] = '\0';
+
+	this->mutex->unlock(this->mutex);
+
+	/* we try to find the matching eroute first */
+	file = fopen(path_eroute, "r");
+	if (file == NULL)
+	{
+		DBG1(DBG_KNL, "unable to query policy %R === %R %N: %s (%d)", src_ts,
+				dst_ts, policy_dir_names, direction, strerror(errno), errno);
+		return FAILED;
+	}
+
+	/* read line by line where each line looks like:
+	 * packets  src  ->  dst  =>  said */
+	while (fgets(line, sizeof(line), file))
+	{
+		enumerator_t *enumerator;
+		char *token;
+		int i = 0;
+
+		enumerator = enumerator_create_token(line, " \t", " \t\n");
+		while (enumerator->enumerate(enumerator, &token))
+		{
+			switch (i++)
+			{
+				case 0: /* packets */
+					continue;
+				case 1: /* src */
+					if (streq(token, src))
+					{
+						continue;
+					}
+					break;
+				case 2: /* -> */
+					continue;
+				case 3: /* dst */
+					if (streq(token, dst))
+					{
+						continue;
+					}
+					break;
+				case 4: /* => */
+					continue;
+				case 5: /* said */
+					said = strdup(token);
+					break;
+			}
+			break;
+		}
+		enumerator->destroy(enumerator);
+
+		if (i == 5)
+		{
+			/* eroute matched */
+			break;
+		}
+	}
+	fclose(file);
+
+	if (said == NULL)
+	{
+		DBG1(DBG_KNL, "unable to query policy %R === %R %N: found no matching"
+				" eroute", src_ts, dst_ts, policy_dir_names, direction);
+		return FAILED;
+	}
+
+	/* compared with the one in the spi entry the SA ID from the eroute entry
+	 * has an additional ":PROTO" appended, which we need to cut off */
+	pos = strrchr(said, ':');
+	*pos = '\0';
+
+	/* now we try to find the matching spi entry */
+	file = fopen(path_spi, "r");
+	if (file == NULL)
+	{
+		DBG1(DBG_KNL, "unable to query policy %R === %R %N: %s (%d)", src_ts,
+				dst_ts, policy_dir_names, direction, strerror(errno), errno);
+		return FAILED;
+	}
+
+	while (fgets(line, sizeof(line), file))
+	{
+		if (strneq(line, said, strlen(said)))
+		{
+			/* fine we found the correct line, now find the idle time */
+			u_int32_t idle_time;
+			pos = strstr(line, IDLE_PREFIX);
+			if (pos == NULL)
+			{
+				/* no idle time, i.e. this SA has not been used yet */
+				break;
+			}
+			if (sscanf(pos, IDLE_PREFIX"%u", &idle_time) <= 0)
+			{
+				/* idle time not valid */
+				break;
+			}
+
+			*use_time = time_monotonic(NULL) - idle_time;
+			status = SUCCESS;
+			break;
+		}
+	}
+	fclose(file);
+	free(said);
+
+	return status;
+}
+
+METHOD(kernel_ipsec_t, del_policy, status_t,
+	private_kernel_klips_ipsec_t *this, traffic_selector_t *src_ts,
+	traffic_selector_t *dst_ts, policy_dir_t direction, bool unrouted)
+{
+	unsigned char request[PFKEY_BUFFER_SIZE];
+	struct sadb_msg *msg = (struct sadb_msg*)request, *out;
+	policy_entry_t *policy, *found = NULL;
+	route_entry_t *route;
+	size_t len;
+
+	if (direction == POLICY_FWD)
+	{
+		/* no forward policies for KLIPS */
+		return SUCCESS;
+	}
+
+	DBG2(DBG_KNL, "deleting policy %R === %R %N", src_ts, dst_ts,
+				   policy_dir_names, direction);
+
+	/* create a policy */
+	policy = create_policy_entry(src_ts, dst_ts, direction);
+
+	/* find a matching policy */
+	this->mutex->lock(this->mutex);
+	if (this->policies->find_first(this->policies,
+			(linked_list_match_t)policy_entry_equals, (void**)&found, policy) != SUCCESS)
+	{
+		this->mutex->unlock(this->mutex);
+		DBG1(DBG_KNL, "deleting policy %R === %R %N failed, not found", src_ts,
+					   dst_ts, policy_dir_names, direction);
+		policy_entry_destroy(policy);
+		return NOT_FOUND;
+	}
+	policy_entry_destroy(policy);
+
+	/* decrease appropriate counter */
+	unrouted ? found->trapcount-- : found->activecount--;
+
+	if (found->trapcount == 0)
+	{
+		/* if this policy is finally unrouted, we reset the reqid because it
+		 * may still be actively used and there might be a pending acquire for
+		 * this policy. */
+		found->reqid = 0;
+	}
+
+	if (found->activecount > 0)
+	{
+		/* is still used by SAs, keep in kernel */
+		this->mutex->unlock(this->mutex);
+		DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed");
+		return SUCCESS;
+	}
+	else if (found->activecount == 0 && found->trapcount > 0)
+	{
+		/* for a policy that is not used actively anymore, but is still trapped
+		 * by another child SA we replace the current eroute with a %trap eroute */
+		DBG2(DBG_KNL, "policy still routed by another CHILD_SA, not removed");
+		memset(&request, 0, sizeof(request));
+		build_addflow(msg, SADB_X_SATYPE_INT, htonl(SPI_TRAP), NULL, NULL,
+				found->src.net, found->src.mask, found->dst.net,
+				found->dst.mask, found->src.proto, TRUE);
+		this->mutex->unlock(this->mutex);
+		return pfkey_send_ack(this, msg);
+	}
+
+	/* remove if last reference */
+	this->policies->remove(this->policies, found, NULL);
+	policy = found;
+
+	this->mutex->unlock(this->mutex);
+
+	memset(&request, 0, sizeof(request));
+
+	build_delflow(msg, 0, policy->src.net, policy->src.mask, policy->dst.net,
+			policy->dst.mask, policy->src.proto);
+
+	route = policy->route;
+	policy->route = NULL;
+	policy_entry_destroy(policy);
+
+	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "unable to delete policy %R === %R %N", src_ts, dst_ts,
+					   policy_dir_names, direction);
+		return FAILED;
+	}
+	else if (out->sadb_msg_errno)
+	{
+		DBG1(DBG_KNL, "unable to delete policy %R === %R %N: %s (%d)", src_ts,
+					   dst_ts, policy_dir_names, direction,
+					   strerror(out->sadb_msg_errno), out->sadb_msg_errno);
+		free(out);
+		return FAILED;
+	}
+	free(out);
+
+	if (route)
+	{
+		ipsec_dev_t *dev;
+
+		if (charon->kernel_interface->del_route(charon->kernel_interface,
+				route->dst_net, route->prefixlen, route->gateway,
+				route->src_ip, route->if_name) != SUCCESS)
+		{
+			DBG1(DBG_KNL, "error uninstalling route installed with"
+						  " policy %R === %R %N", src_ts, dst_ts,
+						   policy_dir_names, direction);
+		}
+
+		/* we have to detach the ipsec interface from the physical one over which
+		 * this SA ran (if it is not used by any other) */
+		this->mutex->lock(this->mutex);
+
+		if (find_ipsec_dev(this, route->if_name, &dev) == SUCCESS)
+		{
+			/* fine, we found a matching device object, let's check if we have
+			 * to detach it. */
+			if (--dev->refcount == 0)
+			{
+				if (detach_ipsec_dev(dev->name, dev->phys_name) != SUCCESS)
+				{
+					DBG1(DBG_KNL, "failed to detach virtual interface %s"
+							" from %s", dev->name, dev->phys_name);
+				}
+				dev->phys_name[0] = '\0';
+			}
+		}
+
+		this->mutex->unlock(this->mutex);
+
+		route_entry_destroy(route);
+	}
+
+	return SUCCESS;
+}
+
+/**
+ * Initialize the list of ipsec devices
+ */
+static void init_ipsec_devices(private_kernel_klips_ipsec_t *this)
+{
+	int i, count = lib->settings->get_int(lib->settings,
+						"charon.plugins.kernel-klips.ipsec_dev_count",
+						DEFAULT_IPSEC_DEV_COUNT);
+
+	for (i = 0; i < count; ++i)
+	{
+		ipsec_dev_t *dev = malloc_thing(ipsec_dev_t);
+		snprintf(dev->name, IFNAMSIZ, IPSEC_DEV_PREFIX"%d", i);
+		dev->name[IFNAMSIZ - 1] = '\0';
+		dev->phys_name[0] = '\0';
+		dev->refcount = 0;
+		this->ipsec_devices->insert_last(this->ipsec_devices, dev);
+
+		/* detach any previously attached ipsec device */
+		detach_ipsec_dev(dev->name, dev->phys_name);
+	}
+}
+
+/**
+ * Register a socket for AQUIRE/EXPIRE messages
+ */
+static status_t register_pfkey_socket(private_kernel_klips_ipsec_t *this, u_int8_t satype)
+{
+	unsigned char request[PFKEY_BUFFER_SIZE];
+	struct sadb_msg *msg, *out;
+	size_t len;
+
+	memset(&request, 0, sizeof(request));
+
+	msg = (struct sadb_msg*)request;
+	msg->sadb_msg_version = PF_KEY_V2;
+	msg->sadb_msg_type = SADB_REGISTER;
+	msg->sadb_msg_satype = satype;
+	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
+
+	if (pfkey_send_socket(this, this->socket_events, msg, &out, &len) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "unable to register PF_KEY socket");
+		return FAILED;
+	}
+	else if (out->sadb_msg_errno)
+	{
+		DBG1(DBG_KNL, "unable to register PF_KEY socket: %s (%d)",
+					   strerror(out->sadb_msg_errno), out->sadb_msg_errno);
+		free(out);
+		return FAILED;
+	}
+	free(out);
+	return SUCCESS;
+}
+
+METHOD(kernel_ipsec_t, bypass_socket, bool,
+	private_kernel_klips_ipsec_t *this, int fd, int family)
+{
+	/* KLIPS does not need a bypass policy for IKE */
+	return TRUE;
+}
+
+METHOD(kernel_ipsec_t, destroy, void,
+	private_kernel_klips_ipsec_t *this)
+{
+	if (this->job)
+	{
+		this->job->cancel(this->job);
+	}
+	if (this->socket > 0)
+	{
+		close(this->socket);
+	}
+	if (this->socket_evnets > 0)
+	{
+		close(this->socket_events);
+	}
+	this->mutex_pfkey->destroy(this->mutex_pfkey);
+	this->mutex->destroy(this->mutex);
+	this->ipsec_devices->destroy_function(this->ipsec_devices, (void*)ipsec_dev_destroy);
+	this->installed_sas->destroy_function(this->installed_sas, (void*)sa_entry_destroy);
+	this->allocated_spis->destroy_function(this->allocated_spis, (void*)sa_entry_destroy);
+	this->policies->destroy_function(this->policies, (void*)policy_entry_destroy);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+kernel_klips_ipsec_t *kernel_klips_ipsec_create()
+{
+	private_kernel_klips_ipsec_t *this;
+
+	INIT(this,
+		.public.interface = {
+			.get_spi = _get_spi,
+			.get_cpi = _get_cpi,
+			.add_sa  = _add_sa,
+			.update_sa = _update_sa,
+			.query_sa = _query_sa,
+			.del_sa = _del_sa,
+			.add_policy = _add_policy,
+			.query_policy = _query_policy,
+			.del_policy = _del_policy,
+			.bypass_socket = _bypass_socket,
+			.destroy = _destroy,
+		},
+		.policies = linked_list_create(),
+		.allocated_spis = linked_list_create(),
+		.installed_sas = linked_list_create(),
+		.ipsec_devices = linked_list_create(),
+		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+		.mutex_pfkey = mutex_create(MUTEX_TYPE_DEFAULT),
+		.install_routes = lib->settings->get_bool(lib->settings,
+												"charon.install_routes", TRUE),
+	);
+
+	/* initialize ipsec devices */
+	init_ipsec_devices(this);
+
+	/* create a PF_KEY socket to communicate with the kernel */
+	this->socket = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
+	if (this->socket <= 0)
+	{
+		DBG1(DBG_KNL, "unable to create PF_KEY socket");
+		destroy(this);
+		return NULL;
+	}
+
+	/* create a PF_KEY socket for ACQUIRE & EXPIRE */
+	this->socket_events = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
+	if (this->socket_events <= 0)
+	{
+		DBG1(DBG_KNL, "unable to create PF_KEY event socket");
+		destroy(this);
+		return NULL;
+	}
+
+	/* register the event socket */
+	if (register_pfkey_socket(this, SADB_SATYPE_ESP) != SUCCESS ||
+		register_pfkey_socket(this, SADB_SATYPE_AH) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "unable to register PF_KEY event socket");
+		destroy(this);
+		return NULL;
+	}
+
+	this->job = callback_job_create((callback_job_cb_t)receive_events,
+									this, NULL, NULL);
+	charon->processor->queue_job(charon->processor, (job_t*)this->job);
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/plugins/kernel_klips/kernel_klips_ipsec.h b/src/libcharon/plugins/kernel_klips/kernel_klips_ipsec.h
new file mode 100644
index 000000000..306ec0ada
--- /dev/null
+++ b/src/libcharon/plugins/kernel_klips/kernel_klips_ipsec.h
@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup kernel_klips_ipsec_i kernel_klips_ipsec
+ * @{ @ingroup kernel_klips
+ */
+
+#ifndef KERNEL_KLIPS_IPSEC_H_
+#define KERNEL_KLIPS_IPSEC_H_
+
+#include <kernel/kernel_ipsec.h>
+
+typedef struct kernel_klips_ipsec_t kernel_klips_ipsec_t;
+
+/**
+ * Implementation of the kernel ipsec interface using PF_KEY.
+ */
+struct kernel_klips_ipsec_t {
+
+	/**
+	 * Implements kernel_ipsec_t interface
+	 */
+	kernel_ipsec_t interface;
+};
+
+/**
+ * Create a PF_KEY kernel ipsec interface instance.
+ *
+ * @return			kernel_klips_ipsec_t instance
+ */
+kernel_klips_ipsec_t *kernel_klips_ipsec_create();
+
+#endif /** KERNEL_KLIPS_IPSEC_H_ @}*/
diff --git a/src/libcharon/plugins/kernel_klips/kernel_klips_plugin.c b/src/libcharon/plugins/kernel_klips/kernel_klips_plugin.c
new file mode 100644
index 000000000..fa5e9eb29
--- /dev/null
+++ b/src/libcharon/plugins/kernel_klips/kernel_klips_plugin.c
@@ -0,0 +1,56 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+
+#include "kernel_klips_plugin.h"
+
+#include "kernel_klips_ipsec.h"
+
+#include <daemon.h>
+
+typedef struct private_kernel_klips_plugin_t private_kernel_klips_plugin_t;
+
+/**
+ * private data of kernel PF_KEY plugin
+ */
+struct private_kernel_klips_plugin_t {
+	/**
+	 * implements plugin interface
+	 */
+	kernel_klips_plugin_t public;
+};
+
+/**
+ * Implementation of plugin_t.destroy
+ */
+static void destroy(private_kernel_klips_plugin_t *this)
+{
+	charon->kernel_interface->remove_ipsec_interface(charon->kernel_interface, (kernel_ipsec_constructor_t)kernel_klips_ipsec_create);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *kernel_klips_plugin_create()
+{
+	private_kernel_klips_plugin_t *this = malloc_thing(private_kernel_klips_plugin_t);
+
+	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+
+	charon->kernel_interface->add_ipsec_interface(charon->kernel_interface, (kernel_ipsec_constructor_t)kernel_klips_ipsec_create);
+
+	return &this->public.plugin;
+}
diff --git a/src/libcharon/plugins/kernel_klips/kernel_klips_plugin.h b/src/libcharon/plugins/kernel_klips/kernel_klips_plugin.h
new file mode 100644
index 000000000..6086217ad
--- /dev/null
+++ b/src/libcharon/plugins/kernel_klips/kernel_klips_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup kernel_klips kernel_klips
+ * @ingroup cplugins
+ *
+ * @defgroup kernel_klips_plugin kernel_klips_plugin
+ * @{ @ingroup kernel_klips
+ */
+
+#ifndef KERNEL_KLIPS_PLUGIN_H_
+#define KERNEL_KLIPS_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct kernel_klips_plugin_t kernel_klips_plugin_t;
+
+/**
+ * PF_KEY kernel interface plugin
+ */
+struct kernel_klips_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+#endif /** KERNEL_KLIPS_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/kernel_klips/pfkeyv2.h b/src/libcharon/plugins/kernel_klips/pfkeyv2.h
new file mode 100644
index 000000000..20d1c298d
--- /dev/null
+++ b/src/libcharon/plugins/kernel_klips/pfkeyv2.h
@@ -0,0 +1,322 @@
+/*
+RFC 2367               PF_KEY Key Management API               July 1998
+
+
+Appendix D: Sample Header File
+
+This file defines structures and symbols for the PF_KEY Version 2
+key management interface. It was written at the U.S. Naval Research
+Laboratory. This file is in the public domain. The authors ask that
+you leave this credit intact on any copies of this file.
+*/
+#ifndef __PFKEY_V2_H
+#define __PFKEY_V2_H 1
+
+#define PF_KEY_V2 2
+#define PFKEYV2_REVISION        199806L
+
+#define SADB_RESERVED    0
+#define SADB_GETSPI      1
+#define SADB_UPDATE      2
+#define SADB_ADD         3
+#define SADB_DELETE      4
+#define SADB_GET         5
+#define SADB_ACQUIRE     6
+#define SADB_REGISTER    7
+#define SADB_EXPIRE      8
+#define SADB_FLUSH       9
+#define SADB_DUMP       10
+#define SADB_X_PROMISC  11
+#define SADB_X_PCHANGE  12
+#define SADB_X_GRPSA    13
+#define SADB_X_ADDFLOW	14
+#define SADB_X_DELFLOW	15
+#define SADB_X_DEBUG	16
+#define SADB_X_NAT_T_NEW_MAPPING  17
+#define SADB_MAX                  17
+
+struct sadb_msg {
+  uint8_t sadb_msg_version;
+  uint8_t sadb_msg_type;
+  uint8_t sadb_msg_errno;
+  uint8_t sadb_msg_satype;
+  uint16_t sadb_msg_len;
+  uint16_t sadb_msg_reserved;
+  uint32_t sadb_msg_seq;
+  uint32_t sadb_msg_pid;
+};
+
+struct sadb_ext {
+  uint16_t sadb_ext_len;
+  uint16_t sadb_ext_type;
+};
+
+struct sadb_sa {
+  uint16_t sadb_sa_len;
+  uint16_t sadb_sa_exttype;
+  uint32_t sadb_sa_spi;
+  uint8_t sadb_sa_replay;
+  uint8_t sadb_sa_state;
+  uint8_t sadb_sa_auth;
+  uint8_t sadb_sa_encrypt;
+  uint32_t sadb_sa_flags;
+};
+
+struct sadb_lifetime {
+  uint16_t sadb_lifetime_len;
+  uint16_t sadb_lifetime_exttype;
+  uint32_t sadb_lifetime_allocations;
+  uint64_t sadb_lifetime_bytes;
+  uint64_t sadb_lifetime_addtime;
+  uint64_t sadb_lifetime_usetime;
+  uint32_t sadb_x_lifetime_packets;
+  uint32_t sadb_x_lifetime_reserved;
+};
+
+struct sadb_address {
+  uint16_t sadb_address_len;
+  uint16_t sadb_address_exttype;
+  uint8_t sadb_address_proto;
+  uint8_t sadb_address_prefixlen;
+  uint16_t sadb_address_reserved;
+};
+
+struct sadb_key {
+  uint16_t sadb_key_len;
+  uint16_t sadb_key_exttype;
+  uint16_t sadb_key_bits;
+  uint16_t sadb_key_reserved;
+};
+
+struct sadb_ident {
+  uint16_t sadb_ident_len;
+  uint16_t sadb_ident_exttype;
+  uint16_t sadb_ident_type;
+  uint16_t sadb_ident_reserved;
+  uint64_t sadb_ident_id;
+};
+
+struct sadb_sens {
+  uint16_t sadb_sens_len;
+  uint16_t sadb_sens_exttype;
+  uint32_t sadb_sens_dpd;
+  uint8_t sadb_sens_sens_level;
+  uint8_t sadb_sens_sens_len;
+  uint8_t sadb_sens_integ_level;
+  uint8_t sadb_sens_integ_len;
+  uint32_t sadb_sens_reserved;
+};
+
+struct sadb_prop {
+  uint16_t sadb_prop_len;
+  uint16_t sadb_prop_exttype;
+  uint8_t sadb_prop_replay;
+  uint8_t sadb_prop_reserved[3];
+};
+
+struct sadb_comb {
+  uint8_t sadb_comb_auth;
+  uint8_t sadb_comb_encrypt;
+  uint16_t sadb_comb_flags;
+  uint16_t sadb_comb_auth_minbits;
+  uint16_t sadb_comb_auth_maxbits;
+  uint16_t sadb_comb_encrypt_minbits;
+  uint16_t sadb_comb_encrypt_maxbits;
+  uint32_t sadb_comb_reserved;
+  uint32_t sadb_comb_soft_allocations;
+  uint32_t sadb_comb_hard_allocations;
+  uint64_t sadb_comb_soft_bytes;
+  uint64_t sadb_comb_hard_bytes;
+  uint64_t sadb_comb_soft_addtime;
+  uint64_t sadb_comb_hard_addtime;
+  uint64_t sadb_comb_soft_usetime;
+  uint64_t sadb_comb_hard_usetime;
+  uint32_t sadb_x_comb_soft_packets;
+  uint32_t sadb_x_comb_hard_packets;
+};
+
+struct sadb_supported {
+  uint16_t sadb_supported_len;
+  uint16_t sadb_supported_exttype;
+  uint32_t sadb_supported_reserved;
+};
+
+struct sadb_alg {
+  uint8_t sadb_alg_id;
+  uint8_t sadb_alg_ivlen;
+  uint16_t sadb_alg_minbits;
+  uint16_t sadb_alg_maxbits;
+  uint16_t sadb_alg_reserved;
+};
+
+struct sadb_spirange {
+  uint16_t sadb_spirange_len;
+  uint16_t sadb_spirange_exttype;
+  uint32_t sadb_spirange_min;
+  uint32_t sadb_spirange_max;
+  uint32_t sadb_spirange_reserved;
+};
+
+struct sadb_x_kmprivate {
+  uint16_t sadb_x_kmprivate_len;
+  uint16_t sadb_x_kmprivate_exttype;
+  uint32_t sadb_x_kmprivate_reserved;
+};
+
+struct sadb_x_satype {
+  uint16_t sadb_x_satype_len;
+  uint16_t sadb_x_satype_exttype;
+  uint8_t sadb_x_satype_satype;
+  uint8_t sadb_x_satype_reserved[3];
+};
+
+struct sadb_x_debug {
+  uint16_t sadb_x_debug_len;
+  uint16_t sadb_x_debug_exttype;
+  uint32_t sadb_x_debug_tunnel;
+  uint32_t sadb_x_debug_netlink;
+  uint32_t sadb_x_debug_xform;
+  uint32_t sadb_x_debug_eroute;
+  uint32_t sadb_x_debug_spi;
+  uint32_t sadb_x_debug_radij;
+  uint32_t sadb_x_debug_esp;
+  uint32_t sadb_x_debug_ah;
+  uint32_t sadb_x_debug_rcv;
+  uint32_t sadb_x_debug_pfkey;
+  uint32_t sadb_x_debug_ipcomp;
+  uint32_t sadb_x_debug_verbose;
+  uint8_t sadb_x_debug_reserved[4];
+};
+
+struct sadb_x_nat_t_type {
+  uint16_t sadb_x_nat_t_type_len;
+  uint16_t sadb_x_nat_t_type_exttype;
+  uint8_t sadb_x_nat_t_type_type;
+  uint8_t sadb_x_nat_t_type_reserved[3];
+};
+struct sadb_x_nat_t_port {
+  uint16_t sadb_x_nat_t_port_len;
+  uint16_t sadb_x_nat_t_port_exttype;
+  uint16_t sadb_x_nat_t_port_port;
+  uint16_t sadb_x_nat_t_port_reserved;
+};
+
+/*
+ * A protocol structure for passing through the transport level
+ * protocol.  It contains more fields than are actually used/needed
+ * but it is this way to be compatible with the structure used in
+ * OpenBSD (http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/pfkeyv2.h)
+ */
+struct sadb_protocol {
+  uint16_t sadb_protocol_len;
+  uint16_t sadb_protocol_exttype;
+  uint8_t  sadb_protocol_proto;
+  uint8_t  sadb_protocol_direction;
+  uint8_t  sadb_protocol_flags;
+  uint8_t  sadb_protocol_reserved2;
+};
+
+#define SADB_EXT_RESERVED             0
+#define SADB_EXT_SA                   1
+#define SADB_EXT_LIFETIME_CURRENT     2
+#define SADB_EXT_LIFETIME_HARD        3
+#define SADB_EXT_LIFETIME_SOFT        4
+#define SADB_EXT_ADDRESS_SRC          5
+#define SADB_EXT_ADDRESS_DST          6
+#define SADB_EXT_ADDRESS_PROXY        7
+#define SADB_EXT_KEY_AUTH             8
+#define SADB_EXT_KEY_ENCRYPT          9
+#define SADB_EXT_IDENTITY_SRC         10
+#define SADB_EXT_IDENTITY_DST         11
+#define SADB_EXT_SENSITIVITY          12
+#define SADB_EXT_PROPOSAL             13
+#define SADB_EXT_SUPPORTED_AUTH       14
+#define SADB_EXT_SUPPORTED_ENCRYPT    15
+#define SADB_EXT_SPIRANGE             16
+#define SADB_X_EXT_KMPRIVATE          17
+#define SADB_X_EXT_SATYPE2            18
+#define SADB_X_EXT_SA2                19
+#define SADB_X_EXT_ADDRESS_DST2       20
+#define SADB_X_EXT_ADDRESS_SRC_FLOW   21
+#define SADB_X_EXT_ADDRESS_DST_FLOW   22
+#define SADB_X_EXT_ADDRESS_SRC_MASK   23
+#define SADB_X_EXT_ADDRESS_DST_MASK   24
+#define SADB_X_EXT_DEBUG              25
+#define SADB_X_EXT_PROTOCOL           26
+#define SADB_X_EXT_NAT_T_TYPE         27
+#define SADB_X_EXT_NAT_T_SPORT        28
+#define SADB_X_EXT_NAT_T_DPORT        29
+#define SADB_X_EXT_NAT_T_OA           30
+#define SADB_EXT_MAX                  30
+
+/* SADB_X_DELFLOW required over and above SADB_X_SAFLAGS_CLEARFLOW */
+#define SADB_X_EXT_ADDRESS_DELFLOW \
+	( (1<<SADB_X_EXT_ADDRESS_SRC_FLOW) \
+	| (1<<SADB_X_EXT_ADDRESS_DST_FLOW) \
+	| (1<<SADB_X_EXT_ADDRESS_SRC_MASK) \
+	| (1<<SADB_X_EXT_ADDRESS_DST_MASK))
+
+#define SADB_SATYPE_UNSPEC    0
+#define SADB_SATYPE_AH        2
+#define SADB_SATYPE_ESP       3
+#define SADB_SATYPE_RSVP      5
+#define SADB_SATYPE_OSPFV2    6
+#define SADB_SATYPE_RIPV2     7
+#define SADB_SATYPE_MIP       8
+#define SADB_X_SATYPE_IPIP    9
+#define SADB_X_SATYPE_COMP    10
+#define SADB_X_SATYPE_INT     11
+#define SADB_SATYPE_MAX       11
+
+#define SADB_SASTATE_LARVAL   0
+#define SADB_SASTATE_MATURE   1
+#define SADB_SASTATE_DYING    2
+#define SADB_SASTATE_DEAD     3
+#define SADB_SASTATE_MAX      3
+
+#define SADB_SAFLAGS_PFS		1
+#define SADB_X_SAFLAGS_REPLACEFLOW	2
+#define SADB_X_SAFLAGS_CLEARFLOW	4
+#define SADB_X_SAFLAGS_INFLOW		8
+
+#define SADB_AALG_NONE        0
+#define SADB_AALG_MD5HMAC     2
+#define SADB_AALG_SHA1HMAC    3
+#define	SADB_AALG_SHA256_HMAC    5
+#define	SADB_AALG_SHA384_HMAC    6
+#define	SADB_AALG_SHA512_HMAC    7
+#define	SADB_AALG_RIPEMD160HMAC      8
+#define	SADB_AALG_MAX         15
+
+#define SADB_EALG_NONE        0
+#define SADB_EALG_DESCBC      2
+#define SADB_EALG_3DESCBC     3
+#define SADB_EALG_BFCBC	      7
+#define SADB_EALG_NULL        11
+#define SADB_EALG_AESCBC      12
+#define SADB_EALG_MAX         255
+
+#define SADB_X_CALG_NONE          0
+#define SADB_X_CALG_OUI           1
+#define SADB_X_CALG_DEFLATE       2
+#define SADB_X_CALG_LZS           3
+#define SADB_X_CALG_V42BIS        4
+#define SADB_X_CALG_MAX           4
+
+#define SADB_X_TALG_NONE          0
+#define SADB_X_TALG_IPv4_in_IPv4  1
+#define SADB_X_TALG_IPv6_in_IPv4  2
+#define SADB_X_TALG_IPv4_in_IPv6  3
+#define SADB_X_TALG_IPv6_in_IPv6  4
+#define SADB_X_TALG_MAX           4
+
+
+#define SADB_IDENTTYPE_RESERVED   0
+#define SADB_IDENTTYPE_PREFIX     1
+#define SADB_IDENTTYPE_FQDN       2
+#define SADB_IDENTTYPE_USERFQDN   3
+#define SADB_X_IDENTTYPE_CONNECTION 4
+#define SADB_IDENTTYPE_MAX        4
+
+#define SADB_KEY_FLAGS_MAX     0
+#endif /* __PFKEY_V2_H */
diff --git a/src/libcharon/plugins/kernel_netlink/Makefile.am b/src/libcharon/plugins/kernel_netlink/Makefile.am
new file mode 100644
index 000000000..2bb00ec0d
--- /dev/null
+++ b/src/libcharon/plugins/kernel_netlink/Makefile.am
@@ -0,0 +1,20 @@
+
+INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra -I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic \
+-DROUTING_TABLE=${routing_table} \
+-DROUTING_TABLE_PRIO=${routing_table_prio}
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-kernel-netlink.la
+else
+plugin_LTLIBRARIES = libstrongswan-kernel-netlink.la
+endif
+
+libstrongswan_kernel_netlink_la_SOURCES = \
+	kernel_netlink_plugin.h kernel_netlink_plugin.c \
+	kernel_netlink_ipsec.h kernel_netlink_ipsec.c kernel_netlink_net.h kernel_netlink_net.c \
+	kernel_netlink_shared.h kernel_netlink_shared.c
+
+libstrongswan_kernel_netlink_la_LDFLAGS = -module -avoid-version
diff --git a/src/libcharon/plugins/kernel_netlink/Makefile.in b/src/libcharon/plugins/kernel_netlink/Makefile.in
new file mode 100644
index 000000000..8c9965467
--- /dev/null
+++ b/src/libcharon/plugins/kernel_netlink/Makefile.in
@@ -0,0 +1,597 @@
+# Makefile.in generated by automake 1.11 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libcharon/plugins/kernel_netlink
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_kernel_netlink_la_LIBADD =
+am_libstrongswan_kernel_netlink_la_OBJECTS = kernel_netlink_plugin.lo \
+	kernel_netlink_ipsec.lo kernel_netlink_net.lo \
+	kernel_netlink_shared.lo
+libstrongswan_kernel_netlink_la_OBJECTS =  \
+	$(am_libstrongswan_kernel_netlink_la_OBJECTS)
+libstrongswan_kernel_netlink_la_LINK = $(LIBTOOL) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_kernel_netlink_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_kernel_netlink_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_kernel_netlink_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_kernel_netlink_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_kernel_netlink_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libhydra_plugins = @libhydra_plugins@
+libstrongswan_plugins = @libstrongswan_plugins@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra -I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic \
+-DROUTING_TABLE=${routing_table} \
+-DROUTING_TABLE_PRIO=${routing_table_prio}
+
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-kernel-netlink.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-kernel-netlink.la
+libstrongswan_kernel_netlink_la_SOURCES = \
+	kernel_netlink_plugin.h kernel_netlink_plugin.c \
+	kernel_netlink_ipsec.h kernel_netlink_ipsec.c kernel_netlink_net.h kernel_netlink_net.c \
+	kernel_netlink_shared.h kernel_netlink_shared.c
+
+libstrongswan_kernel_netlink_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/kernel_netlink/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libcharon/plugins/kernel_netlink/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-kernel-netlink.la: $(libstrongswan_kernel_netlink_la_OBJECTS) $(libstrongswan_kernel_netlink_la_DEPENDENCIES) 
+	$(libstrongswan_kernel_netlink_la_LINK) $(am_libstrongswan_kernel_netlink_la_rpath) $(libstrongswan_kernel_netlink_la_OBJECTS) $(libstrongswan_kernel_netlink_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_netlink_ipsec.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_netlink_net.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_netlink_plugin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_netlink_shared.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
new file mode 100644
index 000000000..1b8c1b879
--- /dev/null
+++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -0,0 +1,2032 @@
+/*
+ * Copyright (C) 2006-2009 Tobias Brunner
+ * Copyright (C) 2005-2009 Martin Willi
+ * Copyright (C) 2008 Andreas Steffen
+ * Copyright (C) 2006-2007 Fabian Hartmann, Noah Heusser
+ * Copyright (C) 2006 Daniel Roethlisberger
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <stdint.h>
+#include <linux/ipsec.h>
+#include <linux/netlink.h>
+#include <linux/rtnetlink.h>
+#include <linux/xfrm.h>
+#include <linux/udp.h>
+#include <unistd.h>
+#include <time.h>
+#include <errno.h>
+#include <string.h>
+#include <fcntl.h>
+
+#include "kernel_netlink_ipsec.h"
+#include "kernel_netlink_shared.h"
+
+#include <daemon.h>
+#include <threading/thread.h>
+#include <threading/mutex.h>
+#include <utils/hashtable.h>
+#include <processing/jobs/callback_job.h>
+#include <processing/jobs/acquire_job.h>
+#include <processing/jobs/migrate_job.h>
+#include <processing/jobs/rekey_child_sa_job.h>
+#include <processing/jobs/delete_child_sa_job.h>
+#include <processing/jobs/update_sa_job.h>
+
+/** required for Linux 2.6.26 kernel and later */
+#ifndef XFRM_STATE_AF_UNSPEC
+#define XFRM_STATE_AF_UNSPEC	32
+#endif
+
+/** from linux/in.h */
+#ifndef IP_XFRM_POLICY
+#define IP_XFRM_POLICY 17
+#endif
+
+/* missing on uclibc */
+#ifndef IPV6_XFRM_POLICY
+#define IPV6_XFRM_POLICY 34
+#endif /*IPV6_XFRM_POLICY*/
+
+/** default priority of installed policies */
+#define PRIO_LOW 3000
+#define PRIO_HIGH 2000
+
+/**
+ * map the limit for bytes and packets to XFRM_INF per default
+ */
+#define XFRM_LIMIT(x) ((x) == 0 ? XFRM_INF : (x))
+
+/**
+ * Create ORable bitfield of XFRM NL groups
+ */
+#define XFRMNLGRP(x) (1<<(XFRMNLGRP_##x-1))
+
+/**
+ * returns a pointer to the first rtattr following the nlmsghdr *nlh and the
+ * 'usual' netlink data x like 'struct xfrm_usersa_info'
+ */
+#define XFRM_RTA(nlh, x) ((struct rtattr*)(NLMSG_DATA(nlh) + NLMSG_ALIGN(sizeof(x))))
+/**
+ * returns a pointer to the next rtattr following rta.
+ * !!! do not use this to parse messages. use RTA_NEXT and RTA_OK instead !!!
+ */
+#define XFRM_RTA_NEXT(rta) ((struct rtattr*)(((char*)(rta)) + RTA_ALIGN((rta)->rta_len)))
+/**
+ * returns the total size of attached rta data
+ * (after 'usual' netlink data x like 'struct xfrm_usersa_info')
+ */
+#define XFRM_PAYLOAD(nlh, x) NLMSG_PAYLOAD(nlh, sizeof(x))
+
+typedef struct kernel_algorithm_t kernel_algorithm_t;
+
+/**
+ * Mapping of IKEv2 kernel identifier to linux crypto API names
+ */
+struct kernel_algorithm_t {
+	/**
+	 * Identifier specified in IKEv2
+	 */
+	int ikev2;
+
+	/**
+	 * Name of the algorithm in linux crypto API
+	 */
+	char *name;
+};
+
+ENUM(xfrm_msg_names, XFRM_MSG_NEWSA, XFRM_MSG_MAPPING,
+	"XFRM_MSG_NEWSA",
+	"XFRM_MSG_DELSA",
+	"XFRM_MSG_GETSA",
+	"XFRM_MSG_NEWPOLICY",
+	"XFRM_MSG_DELPOLICY",
+	"XFRM_MSG_GETPOLICY",
+	"XFRM_MSG_ALLOCSPI",
+	"XFRM_MSG_ACQUIRE",
+	"XFRM_MSG_EXPIRE",
+	"XFRM_MSG_UPDPOLICY",
+	"XFRM_MSG_UPDSA",
+	"XFRM_MSG_POLEXPIRE",
+	"XFRM_MSG_FLUSHSA",
+	"XFRM_MSG_FLUSHPOLICY",
+	"XFRM_MSG_NEWAE",
+	"XFRM_MSG_GETAE",
+	"XFRM_MSG_REPORT",
+	"XFRM_MSG_MIGRATE",
+	"XFRM_MSG_NEWSADINFO",
+	"XFRM_MSG_GETSADINFO",
+	"XFRM_MSG_NEWSPDINFO",
+	"XFRM_MSG_GETSPDINFO",
+	"XFRM_MSG_MAPPING"
+);
+
+ENUM(xfrm_attr_type_names, XFRMA_UNSPEC, XFRMA_KMADDRESS,
+	"XFRMA_UNSPEC",
+	"XFRMA_ALG_AUTH",
+	"XFRMA_ALG_CRYPT",
+	"XFRMA_ALG_COMP",
+	"XFRMA_ENCAP",
+	"XFRMA_TMPL",
+	"XFRMA_SA",
+	"XFRMA_POLICY",
+	"XFRMA_SEC_CTX",
+	"XFRMA_LTIME_VAL",
+	"XFRMA_REPLAY_VAL",
+	"XFRMA_REPLAY_THRESH",
+	"XFRMA_ETIMER_THRESH",
+	"XFRMA_SRCADDR",
+	"XFRMA_COADDR",
+	"XFRMA_LASTUSED",
+	"XFRMA_POLICY_TYPE",
+	"XFRMA_MIGRATE",
+	"XFRMA_ALG_AEAD",
+	"XFRMA_KMADDRESS"
+);
+
+#define END_OF_LIST -1
+
+/**
+ * Algorithms for encryption
+ */
+static kernel_algorithm_t encryption_algs[] = {
+/*	{ENCR_DES_IV64,				"***"				}, */
+	{ENCR_DES,					"des"				},
+	{ENCR_3DES,					"des3_ede"			},
+/*	{ENCR_RC5,					"***"				}, */
+/*	{ENCR_IDEA,					"***"				}, */
+	{ENCR_CAST,					"cast128"			},
+	{ENCR_BLOWFISH,				"blowfish"			},
+/*	{ENCR_3IDEA,				"***"				}, */
+/*	{ENCR_DES_IV32,				"***"				}, */
+	{ENCR_NULL,					"cipher_null"		},
+	{ENCR_AES_CBC,				"aes"				},
+	{ENCR_AES_CTR,				"rfc3686(ctr(aes))"	},
+	{ENCR_AES_CCM_ICV8,			"rfc4309(ccm(aes))"	},
+	{ENCR_AES_CCM_ICV12,		"rfc4309(ccm(aes))"	},
+	{ENCR_AES_CCM_ICV16,		"rfc4309(ccm(aes))"	},
+	{ENCR_AES_GCM_ICV8,			"rfc4106(gcm(aes))"	},
+	{ENCR_AES_GCM_ICV12,		"rfc4106(gcm(aes))"	},
+	{ENCR_AES_GCM_ICV16,		"rfc4106(gcm(aes))"	},
+	{ENCR_NULL_AUTH_AES_GMAC,	"rfc4543(gcm(aes))"	},
+	{ENCR_CAMELLIA_CBC,			"cbc(camellia)"		},
+/*	{ENCR_CAMELLIA_CTR,			"***"				}, */
+/*	{ENCR_CAMELLIA_CCM_ICV8,	"***"				}, */
+/*	{ENCR_CAMELLIA_CCM_ICV12,	"***"				}, */
+/*	{ENCR_CAMELLIA_CCM_ICV16,	"***"				}, */
+	{END_OF_LIST,				NULL				}
+};
+
+/**
+ * Algorithms for integrity protection
+ */
+static kernel_algorithm_t integrity_algs[] = {
+	{AUTH_HMAC_MD5_96,			"md5"				},
+	{AUTH_HMAC_SHA1_96,			"sha1"				},
+	{AUTH_HMAC_SHA2_256_96,		"sha256"			},
+	{AUTH_HMAC_SHA2_256_128,	"hmac(sha256)"		},
+	{AUTH_HMAC_SHA2_384_192,	"hmac(sha384)"		},
+	{AUTH_HMAC_SHA2_512_256,	"hmac(sha512)"		},
+/*	{AUTH_DES_MAC,				"***"				}, */
+/*	{AUTH_KPDK_MD5,				"***"				}, */
+	{AUTH_AES_XCBC_96,			"xcbc(aes)"			},
+	{END_OF_LIST,				NULL				}
+};
+
+/**
+ * Algorithms for IPComp
+ */
+static kernel_algorithm_t compression_algs[] = {
+/*	{IPCOMP_OUI,				"***"				}, */
+	{IPCOMP_DEFLATE,			"deflate"			},
+	{IPCOMP_LZS,				"lzs"				},
+	{IPCOMP_LZJH,				"lzjh"				},
+	{END_OF_LIST,				NULL				}
+};
+
+/**
+ * Look up a kernel algorithm name and its key size
+ */
+static char* lookup_algorithm(kernel_algorithm_t *list, int ikev2)
+{
+	while (list->ikev2 != END_OF_LIST)
+	{
+		if (list->ikev2 == ikev2)
+		{
+			return list->name;
+		}
+		list++;
+	}
+	return NULL;
+}
+
+typedef struct route_entry_t route_entry_t;
+
+/**
+ * installed routing entry
+ */
+struct route_entry_t {
+	/** Name of the interface the route is bound to */
+	char *if_name;
+
+	/** Source ip of the route */
+	host_t *src_ip;
+
+	/** gateway for this route */
+	host_t *gateway;
+
+	/** Destination net */
+	chunk_t dst_net;
+
+	/** Destination net prefixlen */
+	u_int8_t prefixlen;
+};
+
+/**
+ * destroy an route_entry_t object
+ */
+static void route_entry_destroy(route_entry_t *this)
+{
+	free(this->if_name);
+	this->src_ip->destroy(this->src_ip);
+	DESTROY_IF(this->gateway);
+	chunk_free(&this->dst_net);
+	free(this);
+}
+
+typedef struct policy_entry_t policy_entry_t;
+
+/**
+ * installed kernel policy.
+ */
+struct policy_entry_t {
+
+	/** direction of this policy: in, out, forward */
+	u_int8_t direction;
+
+	/** parameters of installed policy */
+	struct xfrm_selector sel;
+
+	/** associated route installed for this policy */
+	route_entry_t *route;
+
+	/** by how many CHILD_SA's this policy is used */
+	u_int refcount;
+};
+
+/**
+ * Hash function for policy_entry_t objects
+ */
+static u_int policy_hash(policy_entry_t *key)
+{
+	chunk_t chunk = chunk_create((void*)&key->sel, sizeof(struct xfrm_selector));
+	return chunk_hash(chunk);
+}
+
+/**
+ * Equality function for policy_entry_t objects
+ */
+static bool policy_equals(policy_entry_t *key, policy_entry_t *other_key)
+{
+	return memeq(&key->sel, &other_key->sel, sizeof(struct xfrm_selector)) &&
+		   key->direction == other_key->direction;
+}
+
+typedef struct private_kernel_netlink_ipsec_t private_kernel_netlink_ipsec_t;
+
+/**
+ * Private variables and functions of kernel_netlink class.
+ */
+struct private_kernel_netlink_ipsec_t {
+	/**
+	 * Public part of the kernel_netlink_t object.
+	 */
+	kernel_netlink_ipsec_t public;
+
+	/**
+	 * mutex to lock access to various lists
+	 */
+	mutex_t *mutex;
+
+	/**
+	 * Hash table of installed policies (policy_entry_t)
+	 */
+	hashtable_t *policies;
+
+	/**
+	 * job receiving netlink events
+	 */
+	callback_job_t *job;
+
+	/**
+	 * Netlink xfrm socket (IPsec)
+	 */
+	netlink_socket_t *socket_xfrm;
+
+	/**
+	 * netlink xfrm socket to receive acquire and expire events
+	 */
+	int socket_xfrm_events;
+
+	/**
+	 * whether to install routes along policies
+	 */
+	bool install_routes;
+};
+
+/**
+ * convert a IKEv2 specific protocol identifier to the kernel one
+ */
+static u_int8_t proto_ike2kernel(protocol_id_t proto)
+{
+	switch (proto)
+	{
+		case PROTO_ESP:
+			return IPPROTO_ESP;
+		case PROTO_AH:
+			return IPPROTO_AH;
+		default:
+			return proto;
+	}
+}
+
+/**
+ * reverse of ike2kernel
+ */
+static protocol_id_t proto_kernel2ike(u_int8_t proto)
+{
+	switch (proto)
+	{
+		case IPPROTO_ESP:
+			return PROTO_ESP;
+		case IPPROTO_AH:
+			return PROTO_AH;
+		default:
+			return proto;
+	}
+}
+
+/**
+ * convert the general ipsec mode to the one defined in xfrm.h
+ */
+static u_int8_t mode2kernel(ipsec_mode_t mode)
+{
+	switch (mode)
+	{
+		case MODE_TRANSPORT:
+			return XFRM_MODE_TRANSPORT;
+		case MODE_TUNNEL:
+			return XFRM_MODE_TUNNEL;
+		case MODE_BEET:
+			return XFRM_MODE_BEET;
+		default:
+			return mode;
+	}
+}
+
+/**
+ * convert a host_t to a struct xfrm_address
+ */
+static void host2xfrm(host_t *host, xfrm_address_t *xfrm)
+{
+	chunk_t chunk = host->get_address(host);
+	memcpy(xfrm, chunk.ptr, min(chunk.len, sizeof(xfrm_address_t)));
+}
+
+/**
+ * convert a struct xfrm_address to a host_t
+ */
+static host_t* xfrm2host(int family, xfrm_address_t *xfrm, u_int16_t port)
+{
+	chunk_t chunk;
+
+	switch (family)
+	{
+		case AF_INET:
+			chunk = chunk_create((u_char*)&xfrm->a4, sizeof(xfrm->a4));
+			break;
+		case AF_INET6:
+			chunk = chunk_create((u_char*)&xfrm->a6, sizeof(xfrm->a6));
+			break;
+		default:
+			return NULL;
+	}
+	return host_create_from_chunk(family, chunk, ntohs(port));
+}
+
+/**
+ * convert a traffic selector address range to subnet and its mask.
+ */
+static void ts2subnet(traffic_selector_t* ts,
+					  xfrm_address_t *net, u_int8_t *mask)
+{
+	host_t *net_host;
+	chunk_t net_chunk;
+
+	ts->to_subnet(ts, &net_host, mask);
+	net_chunk = net_host->get_address(net_host);
+	memcpy(net, net_chunk.ptr, net_chunk.len);
+	net_host->destroy(net_host);
+}
+
+/**
+ * convert a traffic selector port range to port/portmask
+ */
+static void ts2ports(traffic_selector_t* ts,
+					 u_int16_t *port, u_int16_t *mask)
+{
+	/* linux does not seem to accept complex portmasks. Only
+	 * any or a specific port is allowed. We set to any, if we have
+	 * a port range, or to a specific, if we have one port only.
+	 */
+	u_int16_t from, to;
+
+	from = ts->get_from_port(ts);
+	to = ts->get_to_port(ts);
+
+	if (from == to)
+	{
+		*port = htons(from);
+		*mask = ~0;
+	}
+	else
+	{
+		*port = 0;
+		*mask = 0;
+	}
+}
+
+/**
+ * convert a pair of traffic_selectors to a xfrm_selector
+ */
+static struct xfrm_selector ts2selector(traffic_selector_t *src,
+										traffic_selector_t *dst)
+{
+	struct xfrm_selector sel;
+
+	memset(&sel, 0, sizeof(sel));
+	sel.family = (src->get_type(src) == TS_IPV4_ADDR_RANGE) ? AF_INET : AF_INET6;
+	/* src or dest proto may be "any" (0), use more restrictive one */
+	sel.proto = max(src->get_protocol(src), dst->get_protocol(dst));
+	ts2subnet(dst, &sel.daddr, &sel.prefixlen_d);
+	ts2subnet(src, &sel.saddr, &sel.prefixlen_s);
+	ts2ports(dst, &sel.dport, &sel.dport_mask);
+	ts2ports(src, &sel.sport, &sel.sport_mask);
+	sel.ifindex = 0;
+	sel.user = 0;
+
+	return sel;
+}
+
+/**
+ * convert a xfrm_selector to a src|dst traffic_selector
+ */
+static traffic_selector_t* selector2ts(struct xfrm_selector *sel, bool src)
+{
+	u_char *addr;
+	u_int8_t prefixlen;
+	u_int16_t port = 0;
+	host_t *host = NULL;
+
+	if (src)
+	{
+		addr = (u_char*)&sel->saddr;
+		prefixlen = sel->prefixlen_s;
+		if (sel->sport_mask)
+		{
+			port = htons(sel->sport);
+		}
+	}
+	else
+	{
+		addr = (u_char*)&sel->daddr;
+		prefixlen = sel->prefixlen_d;
+		if (sel->dport_mask)
+		{
+			port = htons(sel->dport);
+		}
+	}
+
+	/* The Linux 2.6 kernel does not set the selector's family field,
+	 * so as a kludge we additionally test the prefix length.
+	 */
+	if (sel->family == AF_INET || sel->prefixlen_s == 32)
+	{
+		host = host_create_from_chunk(AF_INET, chunk_create(addr, 4), 0);
+	}
+	else if (sel->family == AF_INET6 || sel->prefixlen_s == 128)
+	{
+		host = host_create_from_chunk(AF_INET6, chunk_create(addr, 16), 0);
+	}
+
+	if (host)
+	{
+		return traffic_selector_create_from_subnet(host, prefixlen,
+												   sel->proto, port);
+	}
+	return NULL;
+}
+
+/**
+ * process a XFRM_MSG_ACQUIRE from kernel
+ */
+static void process_acquire(private_kernel_netlink_ipsec_t *this, struct nlmsghdr *hdr)
+{
+	u_int32_t reqid = 0;
+	int proto = 0;
+	traffic_selector_t *src_ts, *dst_ts;
+	struct xfrm_user_acquire *acquire;
+	struct rtattr *rta;
+	size_t rtasize;
+	job_t *job;
+
+	acquire = (struct xfrm_user_acquire*)NLMSG_DATA(hdr);
+	rta = XFRM_RTA(hdr, struct xfrm_user_acquire);
+	rtasize = XFRM_PAYLOAD(hdr, struct xfrm_user_acquire);
+
+	DBG2(DBG_KNL, "received a XFRM_MSG_ACQUIRE");
+
+	while (RTA_OK(rta, rtasize))
+	{
+		DBG2(DBG_KNL, "  %N", xfrm_attr_type_names, rta->rta_type);
+
+		if (rta->rta_type == XFRMA_TMPL)
+		{
+			struct xfrm_user_tmpl* tmpl;
+
+			tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rta);
+			reqid = tmpl->reqid;
+			proto = tmpl->id.proto;
+		}
+		rta = RTA_NEXT(rta, rtasize);
+	}
+	switch (proto)
+	{
+		case 0:
+		case IPPROTO_ESP:
+		case IPPROTO_AH:
+			break;
+		default:
+			/* acquire for AH/ESP only, not for IPCOMP */
+			return;
+	}
+	src_ts = selector2ts(&acquire->sel, TRUE);
+	dst_ts = selector2ts(&acquire->sel, FALSE);
+	DBG1(DBG_KNL, "creating acquire job for policy %R === %R with reqid {%u}",
+					src_ts, dst_ts, reqid);
+	job = (job_t*)acquire_job_create(reqid, src_ts, dst_ts);
+	charon->processor->queue_job(charon->processor, job);
+}
+
+/**
+ * process a XFRM_MSG_EXPIRE from kernel
+ */
+static void process_expire(private_kernel_netlink_ipsec_t *this, struct nlmsghdr *hdr)
+{
+	job_t *job;
+	protocol_id_t protocol;
+	u_int32_t spi, reqid;
+	struct xfrm_user_expire *expire;
+
+	expire = (struct xfrm_user_expire*)NLMSG_DATA(hdr);
+	protocol = proto_kernel2ike(expire->state.id.proto);
+	spi = expire->state.id.spi;
+	reqid = expire->state.reqid;
+
+	DBG2(DBG_KNL, "received a XFRM_MSG_EXPIRE");
+
+	if (protocol != PROTO_ESP && protocol != PROTO_AH)
+	{
+		DBG2(DBG_KNL, "ignoring XFRM_MSG_EXPIRE for SA with SPI %.8x and reqid {%u} "
+					  "which is not a CHILD_SA", ntohl(spi), reqid);
+		return;
+	}
+
+	DBG1(DBG_KNL, "creating %s job for %N CHILD_SA with SPI %.8x and reqid {%d}",
+		 expire->hard ? "delete" : "rekey",  protocol_id_names,
+		 protocol, ntohl(spi), reqid);
+	if (expire->hard)
+	{
+		job = (job_t*)delete_child_sa_job_create(reqid, protocol, spi);
+	}
+	else
+	{
+		job = (job_t*)rekey_child_sa_job_create(reqid, protocol, spi);
+	}
+	charon->processor->queue_job(charon->processor, job);
+}
+
+/**
+ * process a XFRM_MSG_MIGRATE from kernel
+ */
+static void process_migrate(private_kernel_netlink_ipsec_t *this, struct nlmsghdr *hdr)
+{
+	traffic_selector_t *src_ts, *dst_ts;
+	host_t *local = NULL, *remote = NULL;
+	host_t *old_src = NULL, *old_dst = NULL;
+	host_t *new_src = NULL, *new_dst = NULL;
+	struct xfrm_userpolicy_id *policy_id;
+	struct rtattr *rta;
+	size_t rtasize;
+	u_int32_t reqid = 0;
+	policy_dir_t dir;
+	job_t *job;
+
+	policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
+	rta     = XFRM_RTA(hdr, struct xfrm_userpolicy_id);
+	rtasize = XFRM_PAYLOAD(hdr, struct xfrm_userpolicy_id);
+
+	DBG2(DBG_KNL, "received a XFRM_MSG_MIGRATE");
+
+	src_ts = selector2ts(&policy_id->sel, TRUE);
+	dst_ts = selector2ts(&policy_id->sel, FALSE);
+	dir = (policy_dir_t)policy_id->dir;
+
+	DBG2(DBG_KNL, "  policy: %R === %R %N", src_ts, dst_ts, policy_dir_names);
+
+	while (RTA_OK(rta, rtasize))
+	{
+		DBG2(DBG_KNL, "  %N", xfrm_attr_type_names, rta->rta_type);
+		if (rta->rta_type == XFRMA_KMADDRESS)
+		{
+			struct xfrm_user_kmaddress *kmaddress;
+
+			kmaddress = (struct xfrm_user_kmaddress*)RTA_DATA(rta);
+			local  = xfrm2host(kmaddress->family, &kmaddress->local, 0);
+			remote = xfrm2host(kmaddress->family, &kmaddress->remote, 0);
+			DBG2(DBG_KNL, "  kmaddress: %H...%H", local, remote);
+		}
+		else if (rta->rta_type == XFRMA_MIGRATE)
+		{
+			struct xfrm_user_migrate *migrate;
+			protocol_id_t proto;
+
+			migrate = (struct xfrm_user_migrate*)RTA_DATA(rta);
+			old_src = xfrm2host(migrate->old_family, &migrate->old_saddr, 0);
+			old_dst = xfrm2host(migrate->old_family, &migrate->old_daddr, 0);
+			new_src = xfrm2host(migrate->new_family, &migrate->new_saddr, 0);
+			new_dst = xfrm2host(migrate->new_family, &migrate->new_daddr, 0);
+			proto = proto_kernel2ike(migrate->proto);
+			reqid = migrate->reqid;
+			DBG2(DBG_KNL, "  migrate %N %H...%H to %H...%H, reqid {%u}",
+							 protocol_id_names, proto, old_src, old_dst,
+							 new_src, new_dst, reqid);
+			DESTROY_IF(old_src);
+			DESTROY_IF(old_dst);
+			DESTROY_IF(new_src);
+			DESTROY_IF(new_dst);
+		}
+		rta = RTA_NEXT(rta, rtasize);
+	}
+
+	if (src_ts && dst_ts && local && remote)
+	{
+		DBG1(DBG_KNL, "creating migrate job for policy %R === %R %N with reqid {%u}",
+					   src_ts, dst_ts, policy_dir_names, dir, reqid, local);
+		job = (job_t*)migrate_job_create(reqid, src_ts, dst_ts, dir,
+										 local, remote);
+		charon->processor->queue_job(charon->processor, job);
+	}
+	else
+	{
+		DESTROY_IF(src_ts);
+		DESTROY_IF(dst_ts);
+		DESTROY_IF(local);
+		DESTROY_IF(remote);
+	}
+}
+
+/**
+ * process a XFRM_MSG_MAPPING from kernel
+ */
+static void process_mapping(private_kernel_netlink_ipsec_t *this,
+							struct nlmsghdr *hdr)
+{
+	job_t *job;
+	u_int32_t spi, reqid;
+	struct xfrm_user_mapping *mapping;
+	host_t *host;
+
+	mapping = (struct xfrm_user_mapping*)NLMSG_DATA(hdr);
+	spi = mapping->id.spi;
+	reqid = mapping->reqid;
+
+	DBG2(DBG_KNL, "received a XFRM_MSG_MAPPING");
+
+	if (proto_kernel2ike(mapping->id.proto) == PROTO_ESP)
+	{
+		host = xfrm2host(mapping->id.family, &mapping->new_saddr,
+						 mapping->new_sport);
+		if (host)
+		{
+			DBG1(DBG_KNL, "NAT mappings of ESP CHILD_SA with SPI %.8x and "
+				"reqid {%u} changed, queuing update job", ntohl(spi), reqid);
+			job = (job_t*)update_sa_job_create(reqid, host);
+			charon->processor->queue_job(charon->processor, job);
+		}
+	}
+}
+
+/**
+ * Receives events from kernel
+ */
+static job_requeue_t receive_events(private_kernel_netlink_ipsec_t *this)
+{
+	char response[1024];
+	struct nlmsghdr *hdr = (struct nlmsghdr*)response;
+	struct sockaddr_nl addr;
+	socklen_t addr_len = sizeof(addr);
+	int len;
+	bool oldstate;
+
+	oldstate = thread_cancelability(TRUE);
+	len = recvfrom(this->socket_xfrm_events, response, sizeof(response), 0,
+				   (struct sockaddr*)&addr, &addr_len);
+	thread_cancelability(oldstate);
+
+	if (len < 0)
+	{
+		switch (errno)
+		{
+			case EINTR:
+				/* interrupted, try again */
+				return JOB_REQUEUE_DIRECT;
+			case EAGAIN:
+				/* no data ready, select again */
+				return JOB_REQUEUE_DIRECT;
+			default:
+				DBG1(DBG_KNL, "unable to receive from xfrm event socket");
+				sleep(1);
+				return JOB_REQUEUE_FAIR;
+		}
+	}
+
+	if (addr.nl_pid != 0)
+	{	/* not from kernel. not interested, try another one */
+		return JOB_REQUEUE_DIRECT;
+	}
+
+	while (NLMSG_OK(hdr, len))
+	{
+		switch (hdr->nlmsg_type)
+		{
+			case XFRM_MSG_ACQUIRE:
+				process_acquire(this, hdr);
+				break;
+			case XFRM_MSG_EXPIRE:
+				process_expire(this, hdr);
+				break;
+			case XFRM_MSG_MIGRATE:
+				process_migrate(this, hdr);
+				break;
+			case XFRM_MSG_MAPPING:
+				process_mapping(this, hdr);
+				break;
+			default:
+				DBG1(DBG_KNL, "received unknown event from xfrm event socket: %d", hdr->nlmsg_type);
+				break;
+		}
+		hdr = NLMSG_NEXT(hdr, len);
+	}
+	return JOB_REQUEUE_DIRECT;
+}
+
+/**
+ * Get an SPI for a specific protocol from the kernel.
+ */
+static status_t get_spi_internal(private_kernel_netlink_ipsec_t *this,
+		host_t *src, host_t *dst, u_int8_t proto, u_int32_t min, u_int32_t max,
+		u_int32_t reqid, u_int32_t *spi)
+{
+	netlink_buf_t request;
+	struct nlmsghdr *hdr, *out;
+	struct xfrm_userspi_info *userspi;
+	u_int32_t received_spi = 0;
+	size_t len;
+
+	memset(&request, 0, sizeof(request));
+
+	hdr = (struct nlmsghdr*)request;
+	hdr->nlmsg_flags = NLM_F_REQUEST;
+	hdr->nlmsg_type = XFRM_MSG_ALLOCSPI;
+	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userspi_info));
+
+	userspi = (struct xfrm_userspi_info*)NLMSG_DATA(hdr);
+	host2xfrm(src, &userspi->info.saddr);
+	host2xfrm(dst, &userspi->info.id.daddr);
+	userspi->info.id.proto = proto;
+	userspi->info.mode = XFRM_MODE_TUNNEL;
+	userspi->info.reqid = reqid;
+	userspi->info.family = src->get_family(src);
+	userspi->min = min;
+	userspi->max = max;
+
+	if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
+	{
+		hdr = out;
+		while (NLMSG_OK(hdr, len))
+		{
+			switch (hdr->nlmsg_type)
+			{
+				case XFRM_MSG_NEWSA:
+				{
+					struct xfrm_usersa_info* usersa = NLMSG_DATA(hdr);
+					received_spi = usersa->id.spi;
+					break;
+				}
+				case NLMSG_ERROR:
+				{
+					struct nlmsgerr *err = NLMSG_DATA(hdr);
+
+					DBG1(DBG_KNL, "allocating SPI failed: %s (%d)",
+						 strerror(-err->error), -err->error);
+					break;
+				}
+				default:
+					hdr = NLMSG_NEXT(hdr, len);
+					continue;
+				case NLMSG_DONE:
+					break;
+			}
+			break;
+		}
+		free(out);
+	}
+
+	if (received_spi == 0)
+	{
+		return FAILED;
+	}
+
+	*spi = received_spi;
+	return SUCCESS;
+}
+
+METHOD(kernel_ipsec_t, get_spi, status_t,
+	private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
+	protocol_id_t protocol, u_int32_t reqid, u_int32_t *spi)
+{
+	DBG2(DBG_KNL, "getting SPI for reqid {%u}", reqid);
+
+	if (get_spi_internal(this, src, dst, proto_ike2kernel(protocol),
+			0xc0000000, 0xcFFFFFFF, reqid, spi) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "unable to get SPI for reqid {%u}", reqid);
+		return FAILED;
+	}
+
+	DBG2(DBG_KNL, "got SPI %.8x for reqid {%u}", ntohl(*spi), reqid);
+
+	return SUCCESS;
+}
+
+METHOD(kernel_ipsec_t, get_cpi, status_t,
+	private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
+	u_int32_t reqid, u_int16_t *cpi)
+{
+	u_int32_t received_spi = 0;
+
+	DBG2(DBG_KNL, "getting CPI for reqid {%u}", reqid);
+
+	if (get_spi_internal(this, src, dst,
+			IPPROTO_COMP, 0x100, 0xEFFF, reqid, &received_spi) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "unable to get CPI for reqid {%u}", reqid);
+		return FAILED;
+	}
+
+	*cpi = htons((u_int16_t)ntohl(received_spi));
+
+	DBG2(DBG_KNL, "got CPI %.4x for reqid {%u}", ntohs(*cpi), reqid);
+
+	return SUCCESS;
+}
+
+METHOD(kernel_ipsec_t, add_sa, status_t,
+	private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
+	u_int32_t spi, protocol_id_t protocol, u_int32_t reqid,
+	lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
+	u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp,
+	u_int16_t cpi, bool encap, bool inbound, traffic_selector_t* src_ts,
+	traffic_selector_t* dst_ts)
+{
+	netlink_buf_t request;
+	char *alg_name;
+	struct nlmsghdr *hdr;
+	struct xfrm_usersa_info *sa;
+	u_int16_t icv_size = 64;
+
+	/* if IPComp is used, we install an additional IPComp SA. if the cpi is 0
+	 * we are in the recursive call below */
+	if (ipcomp != IPCOMP_NONE && cpi != 0)
+	{
+		lifetime_cfg_t lft = {{0,0,0},{0,0,0},{0,0,0}};
+		add_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, reqid, &lft,
+			   ENCR_UNDEFINED, chunk_empty, AUTH_UNDEFINED, chunk_empty,
+			   mode, ipcomp, 0, FALSE, inbound, NULL, NULL);
+		ipcomp = IPCOMP_NONE;
+		/* use transport mode ESP SA, IPComp uses tunnel mode */
+		mode = MODE_TRANSPORT;
+	}
+
+	memset(&request, 0, sizeof(request));
+
+	DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%u}",
+		 ntohl(spi), reqid);
+
+	hdr = (struct nlmsghdr*)request;
+	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
+	hdr->nlmsg_type = inbound ? XFRM_MSG_UPDSA : XFRM_MSG_NEWSA;
+	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
+
+	sa = (struct xfrm_usersa_info*)NLMSG_DATA(hdr);
+	host2xfrm(src, &sa->saddr);
+	host2xfrm(dst, &sa->id.daddr);
+	sa->id.spi = spi;
+	sa->id.proto = proto_ike2kernel(protocol);
+	sa->family = src->get_family(src);
+	sa->mode = mode2kernel(mode);
+	switch (mode)
+	{
+		case MODE_TUNNEL:
+			sa->flags |= XFRM_STATE_AF_UNSPEC;
+			break;
+		case MODE_BEET:
+			if(src_ts && dst_ts)
+			{
+				sa->sel = ts2selector(src_ts, dst_ts);
+			}
+			break;
+		default:
+			break;
+	}
+
+	sa->replay_window = (protocol == IPPROTO_COMP) ? 0 : 32;
+	sa->reqid = reqid;
+	sa->lft.soft_byte_limit = XFRM_LIMIT(lifetime->bytes.rekey);
+	sa->lft.hard_byte_limit = XFRM_LIMIT(lifetime->bytes.life);
+	sa->lft.soft_packet_limit = XFRM_LIMIT(lifetime->packets.rekey);
+	sa->lft.hard_packet_limit = XFRM_LIMIT(lifetime->packets.life);
+	/* we use lifetimes since added, not since used */
+	sa->lft.soft_add_expires_seconds = lifetime->time.rekey;
+	sa->lft.hard_add_expires_seconds = lifetime->time.life;
+	sa->lft.soft_use_expires_seconds = 0;
+	sa->lft.hard_use_expires_seconds = 0;
+
+	struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_usersa_info);
+
+	switch (enc_alg)
+	{
+		case ENCR_UNDEFINED:
+			/* no encryption */
+			break;
+		case ENCR_AES_CCM_ICV16:
+		case ENCR_AES_GCM_ICV16:
+		case ENCR_NULL_AUTH_AES_GMAC:
+		case ENCR_CAMELLIA_CCM_ICV16:
+			icv_size += 32;
+			/* FALL */
+		case ENCR_AES_CCM_ICV12:
+		case ENCR_AES_GCM_ICV12:
+		case ENCR_CAMELLIA_CCM_ICV12:
+			icv_size += 32;
+			/* FALL */
+		case ENCR_AES_CCM_ICV8:
+		case ENCR_AES_GCM_ICV8:
+		case ENCR_CAMELLIA_CCM_ICV8:
+		{
+			struct xfrm_algo_aead *algo;
+
+			alg_name = lookup_algorithm(encryption_algs, enc_alg);
+			if (alg_name == NULL)
+			{
+				DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
+					 encryption_algorithm_names, enc_alg);
+				return FAILED;
+			}
+			DBG2(DBG_KNL, "  using encryption algorithm %N with key size %d",
+				 encryption_algorithm_names, enc_alg, enc_key.len * 8);
+
+			rthdr->rta_type = XFRMA_ALG_AEAD;
+			rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo_aead) + enc_key.len);
+			hdr->nlmsg_len += rthdr->rta_len;
+			if (hdr->nlmsg_len > sizeof(request))
+			{
+				return FAILED;
+			}
+
+			algo = (struct xfrm_algo_aead*)RTA_DATA(rthdr);
+			algo->alg_key_len = enc_key.len * 8;
+			algo->alg_icv_len = icv_size;
+			strcpy(algo->alg_name, alg_name);
+			memcpy(algo->alg_key, enc_key.ptr, enc_key.len);
+
+			rthdr = XFRM_RTA_NEXT(rthdr);
+			break;
+		}
+		default:
+		{
+			struct xfrm_algo *algo;
+
+			alg_name = lookup_algorithm(encryption_algs, enc_alg);
+			if (alg_name == NULL)
+			{
+				DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
+					 encryption_algorithm_names, enc_alg);
+				return FAILED;
+			}
+			DBG2(DBG_KNL, "  using encryption algorithm %N with key size %d",
+				 encryption_algorithm_names, enc_alg, enc_key.len * 8);
+
+			rthdr->rta_type = XFRMA_ALG_CRYPT;
+			rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + enc_key.len);
+			hdr->nlmsg_len += rthdr->rta_len;
+			if (hdr->nlmsg_len > sizeof(request))
+			{
+				return FAILED;
+			}
+
+			algo = (struct xfrm_algo*)RTA_DATA(rthdr);
+			algo->alg_key_len = enc_key.len * 8;
+			strcpy(algo->alg_name, alg_name);
+			memcpy(algo->alg_key, enc_key.ptr, enc_key.len);
+
+			rthdr = XFRM_RTA_NEXT(rthdr);
+		}
+	}
+
+	if (int_alg  != AUTH_UNDEFINED)
+	{
+		alg_name = lookup_algorithm(integrity_algs, int_alg);
+		if (alg_name == NULL)
+		{
+			DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
+				 integrity_algorithm_names, int_alg);
+			return FAILED;
+		}
+		DBG2(DBG_KNL, "  using integrity algorithm %N with key size %d",
+			 integrity_algorithm_names, int_alg, int_key.len * 8);
+
+		if (int_alg == AUTH_HMAC_SHA2_256_128)
+		{
+			struct xfrm_algo_auth* algo;
+
+			/* the kernel uses SHA256 with 96 bit truncation by default,
+			 * use specified truncation size supported by newer kernels */
+			rthdr->rta_type = XFRMA_ALG_AUTH_TRUNC;
+			rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo_auth) + int_key.len);
+
+			hdr->nlmsg_len += rthdr->rta_len;
+			if (hdr->nlmsg_len > sizeof(request))
+			{
+				return FAILED;
+			}
+
+			algo = (struct xfrm_algo_auth*)RTA_DATA(rthdr);
+			algo->alg_key_len = int_key.len * 8;
+			algo->alg_trunc_len = 128;
+			strcpy(algo->alg_name, alg_name);
+			memcpy(algo->alg_key, int_key.ptr, int_key.len);
+		}
+		else
+		{
+			struct xfrm_algo* algo;
+
+			rthdr->rta_type = XFRMA_ALG_AUTH;
+			rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + int_key.len);
+
+			hdr->nlmsg_len += rthdr->rta_len;
+			if (hdr->nlmsg_len > sizeof(request))
+			{
+				return FAILED;
+			}
+
+			algo = (struct xfrm_algo*)RTA_DATA(rthdr);
+			algo->alg_key_len = int_key.len * 8;
+			strcpy(algo->alg_name, alg_name);
+			memcpy(algo->alg_key, int_key.ptr, int_key.len);
+		}
+		rthdr = XFRM_RTA_NEXT(rthdr);
+	}
+
+	if (ipcomp != IPCOMP_NONE)
+	{
+		rthdr->rta_type = XFRMA_ALG_COMP;
+		alg_name = lookup_algorithm(compression_algs, ipcomp);
+		if (alg_name == NULL)
+		{
+			DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
+				 ipcomp_transform_names, ipcomp);
+			return FAILED;
+		}
+		DBG2(DBG_KNL, "  using compression algorithm %N",
+			 ipcomp_transform_names, ipcomp);
+
+		rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo));
+		hdr->nlmsg_len += rthdr->rta_len;
+		if (hdr->nlmsg_len > sizeof(request))
+		{
+			return FAILED;
+		}
+
+		struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
+		algo->alg_key_len = 0;
+		strcpy(algo->alg_name, alg_name);
+
+		rthdr = XFRM_RTA_NEXT(rthdr);
+	}
+
+	if (encap)
+	{
+		rthdr->rta_type = XFRMA_ENCAP;
+		rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_encap_tmpl));
+
+		hdr->nlmsg_len += rthdr->rta_len;
+		if (hdr->nlmsg_len > sizeof(request))
+		{
+			return FAILED;
+		}
+
+		struct xfrm_encap_tmpl* tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rthdr);
+		tmpl->encap_type = UDP_ENCAP_ESPINUDP;
+		tmpl->encap_sport = htons(src->get_port(src));
+		tmpl->encap_dport = htons(dst->get_port(dst));
+		memset(&tmpl->encap_oa, 0, sizeof (xfrm_address_t));
+		/* encap_oa could probably be derived from the
+		 * traffic selectors [rfc4306, p39]. In the netlink kernel implementation
+		 * pluto does the same as we do here but it uses encap_oa in the
+		 * pfkey implementation. BUT as /usr/src/linux/net/key/af_key.c indicates
+		 * the kernel ignores it anyway
+		 *   -> does that mean that NAT-T encap doesn't work in transport mode?
+		 * No. The reason the kernel ignores NAT-OA is that it recomputes
+		 * (or, rather, just ignores) the checksum. If packets pass
+		 * the IPsec checks it marks them "checksum ok" so OA isn't needed. */
+		rthdr = XFRM_RTA_NEXT(rthdr);
+	}
+
+	if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x", ntohl(spi));
+		return FAILED;
+	}
+	return SUCCESS;
+}
+
+/**
+ * Get the replay state (i.e. sequence numbers) of an SA.
+ */
+static status_t get_replay_state(private_kernel_netlink_ipsec_t *this,
+						  u_int32_t spi, protocol_id_t protocol, host_t *dst,
+						  struct xfrm_replay_state *replay)
+{
+	netlink_buf_t request;
+	struct nlmsghdr *hdr, *out = NULL;
+	struct xfrm_aevent_id *out_aevent = NULL, *aevent_id;
+	size_t len;
+	struct rtattr *rta;
+	size_t rtasize;
+
+	memset(&request, 0, sizeof(request));
+
+	DBG2(DBG_KNL, "querying replay state from SAD entry with SPI %.8x", ntohl(spi));
+
+	hdr = (struct nlmsghdr*)request;
+	hdr->nlmsg_flags = NLM_F_REQUEST;
+	hdr->nlmsg_type = XFRM_MSG_GETAE;
+	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_aevent_id));
+
+	aevent_id = (struct xfrm_aevent_id*)NLMSG_DATA(hdr);
+	aevent_id->flags = XFRM_AE_RVAL;
+
+	host2xfrm(dst, &aevent_id->sa_id.daddr);
+	aevent_id->sa_id.spi = spi;
+	aevent_id->sa_id.proto = proto_ike2kernel(protocol);
+	aevent_id->sa_id.family = dst->get_family(dst);
+
+	if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
+	{
+		hdr = out;
+		while (NLMSG_OK(hdr, len))
+		{
+			switch (hdr->nlmsg_type)
+			{
+				case XFRM_MSG_NEWAE:
+				{
+					out_aevent = NLMSG_DATA(hdr);
+					break;
+				}
+				case NLMSG_ERROR:
+				{
+					struct nlmsgerr *err = NLMSG_DATA(hdr);
+					DBG1(DBG_KNL, "querying replay state from SAD entry failed: %s (%d)",
+						 strerror(-err->error), -err->error);
+					break;
+				}
+				default:
+					hdr = NLMSG_NEXT(hdr, len);
+					continue;
+				case NLMSG_DONE:
+					break;
+			}
+			break;
+		}
+	}
+
+	if (out_aevent == NULL)
+	{
+		DBG1(DBG_KNL, "unable to query replay state from SAD entry with SPI %.8x",
+					  ntohl(spi));
+		free(out);
+		return FAILED;
+	}
+
+	rta = XFRM_RTA(out, struct xfrm_aevent_id);
+	rtasize = XFRM_PAYLOAD(out, struct xfrm_aevent_id);
+	while(RTA_OK(rta, rtasize))
+	{
+		if (rta->rta_type == XFRMA_REPLAY_VAL &&
+			RTA_PAYLOAD(rta) == sizeof(struct xfrm_replay_state))
+		{
+			memcpy(replay, RTA_DATA(rta), RTA_PAYLOAD(rta));
+			free(out);
+			return SUCCESS;
+		}
+		rta = RTA_NEXT(rta, rtasize);
+	}
+
+	DBG1(DBG_KNL, "unable to query replay state from SAD entry with SPI %.8x",
+				  ntohl(spi));
+	free(out);
+	return FAILED;
+}
+
+METHOD(kernel_ipsec_t, query_sa, status_t,
+	private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
+	u_int32_t spi, protocol_id_t protocol, u_int64_t *bytes)
+{
+	netlink_buf_t request;
+	struct nlmsghdr *out = NULL, *hdr;
+	struct xfrm_usersa_id *sa_id;
+	struct xfrm_usersa_info *sa = NULL;
+	size_t len;
+
+	memset(&request, 0, sizeof(request));
+
+	DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi));
+
+	hdr = (struct nlmsghdr*)request;
+	hdr->nlmsg_flags = NLM_F_REQUEST;
+	hdr->nlmsg_type = XFRM_MSG_GETSA;
+	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
+
+	sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
+	host2xfrm(dst, &sa_id->daddr);
+	sa_id->spi = spi;
+	sa_id->proto = proto_ike2kernel(protocol);
+	sa_id->family = dst->get_family(dst);
+
+	if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
+	{
+		hdr = out;
+		while (NLMSG_OK(hdr, len))
+		{
+			switch (hdr->nlmsg_type)
+			{
+				case XFRM_MSG_NEWSA:
+				{
+					sa = (struct xfrm_usersa_info*)NLMSG_DATA(hdr);
+					break;
+				}
+				case NLMSG_ERROR:
+				{
+					struct nlmsgerr *err = NLMSG_DATA(hdr);
+					DBG1(DBG_KNL, "querying SAD entry with SPI %.8x failed: %s (%d)",
+						 ntohl(spi), strerror(-err->error), -err->error);
+					break;
+				}
+				default:
+					hdr = NLMSG_NEXT(hdr, len);
+					continue;
+				case NLMSG_DONE:
+					break;
+			}
+			break;
+		}
+	}
+
+	if (sa == NULL)
+	{
+		DBG2(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi));
+		free(out);
+		return FAILED;
+	}
+	*bytes = sa->curlft.bytes;
+
+	free(out);
+	return SUCCESS;
+}
+
+METHOD(kernel_ipsec_t, del_sa, status_t,
+	private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
+	u_int32_t spi, protocol_id_t protocol, u_int16_t cpi)
+{
+	netlink_buf_t request;
+	struct nlmsghdr *hdr;
+	struct xfrm_usersa_id *sa_id;
+
+	/* if IPComp was used, we first delete the additional IPComp SA */
+	if (cpi)
+	{
+		del_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, 0);
+	}
+
+	memset(&request, 0, sizeof(request));
+
+	DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x", ntohl(spi));
+
+	hdr = (struct nlmsghdr*)request;
+	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
+	hdr->nlmsg_type = XFRM_MSG_DELSA;
+	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
+
+	sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
+	host2xfrm(dst, &sa_id->daddr);
+	sa_id->spi = spi;
+	sa_id->proto = proto_ike2kernel(protocol);
+	sa_id->family = dst->get_family(dst);
+
+	if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x", ntohl(spi));
+		return FAILED;
+	}
+	DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x", ntohl(spi));
+	return SUCCESS;
+}
+
+METHOD(kernel_ipsec_t, update_sa, status_t,
+	private_kernel_netlink_ipsec_t *this, u_int32_t spi, protocol_id_t protocol,
+	u_int16_t cpi, host_t *src, host_t *dst, host_t *new_src, host_t *new_dst,
+	bool old_encap, bool new_encap)
+{
+	netlink_buf_t request;
+	u_char *pos;
+	struct nlmsghdr *hdr, *out = NULL;
+	struct xfrm_usersa_id *sa_id;
+	struct xfrm_usersa_info *out_sa = NULL, *sa;
+	size_t len;
+	struct rtattr *rta;
+	size_t rtasize;
+	struct xfrm_encap_tmpl* tmpl = NULL;
+	bool got_replay_state = FALSE;
+	struct xfrm_replay_state replay;
+
+	/* if IPComp is used, we first update the IPComp SA */
+	if (cpi)
+	{
+		update_sa(this, htonl(ntohs(cpi)), IPPROTO_COMP, 0,
+				  src, dst, new_src, new_dst, FALSE, FALSE);
+	}
+
+	memset(&request, 0, sizeof(request));
+
+	DBG2(DBG_KNL, "querying SAD entry with SPI %.8x for update", ntohl(spi));
+
+	/* query the existing SA first */
+	hdr = (struct nlmsghdr*)request;
+	hdr->nlmsg_flags = NLM_F_REQUEST;
+	hdr->nlmsg_type = XFRM_MSG_GETSA;
+	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
+
+	sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
+	host2xfrm(dst, &sa_id->daddr);
+	sa_id->spi = spi;
+	sa_id->proto = proto_ike2kernel(protocol);
+	sa_id->family = dst->get_family(dst);
+
+	if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
+	{
+		hdr = out;
+		while (NLMSG_OK(hdr, len))
+		{
+			switch (hdr->nlmsg_type)
+			{
+				case XFRM_MSG_NEWSA:
+				{
+					out_sa = NLMSG_DATA(hdr);
+					break;
+				}
+				case NLMSG_ERROR:
+				{
+					struct nlmsgerr *err = NLMSG_DATA(hdr);
+					DBG1(DBG_KNL, "querying SAD entry failed: %s (%d)",
+						 strerror(-err->error), -err->error);
+					break;
+				}
+				default:
+					hdr = NLMSG_NEXT(hdr, len);
+					continue;
+				case NLMSG_DONE:
+					break;
+			}
+			break;
+		}
+	}
+	if (out_sa == NULL)
+	{
+		DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi));
+		free(out);
+		return FAILED;
+	}
+
+	/* try to get the replay state */
+	if (get_replay_state(this, spi, protocol, dst, &replay) == SUCCESS)
+	{
+		got_replay_state = TRUE;
+	}
+
+	/* delete the old SA (without affecting the IPComp SA) */
+	if (del_sa(this, src, dst, spi, protocol, 0) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "unable to delete old SAD entry with SPI %.8x", ntohl(spi));
+		free(out);
+		return FAILED;
+	}
+
+	DBG2(DBG_KNL, "updating SAD entry with SPI %.8x from %#H..%#H to %#H..%#H",
+		 ntohl(spi), src, dst, new_src, new_dst);
+	/* copy over the SA from out to request */
+	hdr = (struct nlmsghdr*)request;
+	memcpy(hdr, out, min(out->nlmsg_len, sizeof(request)));
+	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
+	hdr->nlmsg_type = XFRM_MSG_NEWSA;
+	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
+	sa = NLMSG_DATA(hdr);
+	sa->family = new_dst->get_family(new_dst);
+
+	if (!src->ip_equals(src, new_src))
+	{
+		host2xfrm(new_src, &sa->saddr);
+	}
+	if (!dst->ip_equals(dst, new_dst))
+	{
+		host2xfrm(new_dst, &sa->id.daddr);
+	}
+
+	rta = XFRM_RTA(out, struct xfrm_usersa_info);
+	rtasize = XFRM_PAYLOAD(out, struct xfrm_usersa_info);
+	pos = (u_char*)XFRM_RTA(hdr, struct xfrm_usersa_info);
+	while(RTA_OK(rta, rtasize))
+	{
+		/* copy all attributes, but not XFRMA_ENCAP if we are disabling it */
+		if (rta->rta_type != XFRMA_ENCAP || new_encap)
+		{
+			if (rta->rta_type == XFRMA_ENCAP)
+			{	/* update encap tmpl */
+				tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rta);
+				tmpl->encap_sport = ntohs(new_src->get_port(new_src));
+				tmpl->encap_dport = ntohs(new_dst->get_port(new_dst));
+			}
+			memcpy(pos, rta, rta->rta_len);
+			pos += RTA_ALIGN(rta->rta_len);
+			hdr->nlmsg_len += RTA_ALIGN(rta->rta_len);
+		}
+		rta = RTA_NEXT(rta, rtasize);
+	}
+
+	rta = (struct rtattr*)pos;
+	if (tmpl == NULL && new_encap)
+	{	/* add tmpl if we are enabling it */
+		rta->rta_type = XFRMA_ENCAP;
+		rta->rta_len = RTA_LENGTH(sizeof(struct xfrm_encap_tmpl));
+
+		hdr->nlmsg_len += rta->rta_len;
+		if (hdr->nlmsg_len > sizeof(request))
+		{
+			return FAILED;
+		}
+
+		tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rta);
+		tmpl->encap_type = UDP_ENCAP_ESPINUDP;
+		tmpl->encap_sport = ntohs(new_src->get_port(new_src));
+		tmpl->encap_dport = ntohs(new_dst->get_port(new_dst));
+		memset(&tmpl->encap_oa, 0, sizeof (xfrm_address_t));
+
+		rta = XFRM_RTA_NEXT(rta);
+	}
+
+	if (got_replay_state)
+	{	/* copy the replay data if available */
+		rta->rta_type = XFRMA_REPLAY_VAL;
+		rta->rta_len = RTA_LENGTH(sizeof(struct xfrm_replay_state));
+
+		hdr->nlmsg_len += rta->rta_len;
+		if (hdr->nlmsg_len > sizeof(request))
+		{
+			return FAILED;
+		}
+		memcpy(RTA_DATA(rta), &replay, sizeof(replay));
+
+		rta = XFRM_RTA_NEXT(rta);
+	}
+
+	if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi));
+		free(out);
+		return FAILED;
+	}
+	free(out);
+
+	return SUCCESS;
+}
+
+METHOD(kernel_ipsec_t, add_policy, status_t,
+	private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
+	traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
+	policy_dir_t direction, u_int32_t spi, protocol_id_t protocol,
+	u_int32_t reqid, ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
+	bool routed)
+{
+	policy_entry_t *current, *policy;
+	bool found = FALSE;
+	netlink_buf_t request;
+	struct xfrm_userpolicy_info *policy_info;
+	struct nlmsghdr *hdr;
+
+	/* create a policy */
+	policy = malloc_thing(policy_entry_t);
+	memset(policy, 0, sizeof(policy_entry_t));
+	policy->sel = ts2selector(src_ts, dst_ts);
+	policy->direction = direction;
+
+	/* find the policy, which matches EXACTLY */
+	this->mutex->lock(this->mutex);
+	current = this->policies->get(this->policies, policy);
+	if (current)
+	{
+		/* use existing policy */
+		current->refcount++;
+		DBG2(DBG_KNL, "policy %R === %R %N already exists, increasing "
+					  "refcount", src_ts, dst_ts,
+					   policy_dir_names, direction);
+		free(policy);
+		policy = current;
+		found = TRUE;
+	}
+	else
+	{	/* apply the new one, if we have no such policy */
+		this->policies->put(this->policies, policy, policy);
+		policy->refcount = 1;
+	}
+
+	DBG2(DBG_KNL, "adding policy %R === %R %N", src_ts, dst_ts,
+				   policy_dir_names, direction);
+
+	memset(&request, 0, sizeof(request));
+	hdr = (struct nlmsghdr*)request;
+	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
+	hdr->nlmsg_type = found ? XFRM_MSG_UPDPOLICY : XFRM_MSG_NEWPOLICY;
+	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_info));
+
+	policy_info = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr);
+	policy_info->sel = policy->sel;
+	policy_info->dir = policy->direction;
+	/* calculate priority based on source selector size, small size = high prio */
+	policy_info->priority = routed ? PRIO_LOW : PRIO_HIGH;
+	policy_info->priority -= policy->sel.prefixlen_s * 10;
+	policy_info->priority -= policy->sel.proto ? 2 : 0;
+	policy_info->priority -= policy->sel.sport_mask ? 1 : 0;
+	policy_info->action = XFRM_POLICY_ALLOW;
+	policy_info->share = XFRM_SHARE_ANY;
+	this->mutex->unlock(this->mutex);
+
+	/* policies don't expire */
+	policy_info->lft.soft_byte_limit = XFRM_INF;
+	policy_info->lft.soft_packet_limit = XFRM_INF;
+	policy_info->lft.hard_byte_limit = XFRM_INF;
+	policy_info->lft.hard_packet_limit = XFRM_INF;
+	policy_info->lft.soft_add_expires_seconds = 0;
+	policy_info->lft.hard_add_expires_seconds = 0;
+	policy_info->lft.soft_use_expires_seconds = 0;
+	policy_info->lft.hard_use_expires_seconds = 0;
+
+	struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_userpolicy_info);
+	rthdr->rta_type = XFRMA_TMPL;
+	rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_user_tmpl));
+
+	hdr->nlmsg_len += rthdr->rta_len;
+	if (hdr->nlmsg_len > sizeof(request))
+	{
+		return FAILED;
+	}
+
+	struct xfrm_user_tmpl *tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rthdr);
+
+	if (ipcomp != IPCOMP_NONE)
+	{
+		tmpl->reqid = reqid;
+		tmpl->id.proto = IPPROTO_COMP;
+		tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
+		tmpl->mode = mode2kernel(mode);
+		tmpl->optional = direction != POLICY_OUT;
+		tmpl->family = src->get_family(src);
+
+		host2xfrm(src, &tmpl->saddr);
+		host2xfrm(dst, &tmpl->id.daddr);
+
+		/* add an additional xfrm_user_tmpl */
+		rthdr->rta_len += RTA_LENGTH(sizeof(struct xfrm_user_tmpl));
+		hdr->nlmsg_len += RTA_LENGTH(sizeof(struct xfrm_user_tmpl));
+		if (hdr->nlmsg_len > sizeof(request))
+		{
+			return FAILED;
+		}
+
+		tmpl++;
+
+		/* use transport mode for ESP if we have a tunnel mode IPcomp SA */
+		mode = MODE_TRANSPORT;
+	}
+	else
+	{
+		/* when using IPcomp, only the IPcomp SA uses tmp src/dst addresses */
+		host2xfrm(src, &tmpl->saddr);
+		host2xfrm(dst, &tmpl->id.daddr);
+	}
+
+	tmpl->reqid = reqid;
+	tmpl->id.proto = proto_ike2kernel(protocol);
+	tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
+	tmpl->mode = mode2kernel(mode);
+	tmpl->family = src->get_family(src);
+
+	if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "unable to add policy %R === %R %N", src_ts, dst_ts,
+					   policy_dir_names, direction);
+		return FAILED;
+	}
+
+	/* install a route, if:
+	 * - we are NOT updating a policy
+	 * - this is a forward policy (to just get one for each child)
+	 * - we are in tunnel/BEET mode
+	 * - routing is not disabled via strongswan.conf
+	 */
+	if (policy->route == NULL && direction == POLICY_FWD &&
+		mode != MODE_TRANSPORT && this->install_routes)
+	{
+		route_entry_t *route = malloc_thing(route_entry_t);
+
+		if (charon->kernel_interface->get_address_by_ts(charon->kernel_interface,
+				dst_ts, &route->src_ip) == SUCCESS)
+		{
+			/* get the nexthop to src (src as we are in POLICY_FWD).*/
+			route->gateway = charon->kernel_interface->get_nexthop(
+												charon->kernel_interface, src);
+			/* install route via outgoing interface */
+			route->if_name = charon->kernel_interface->get_interface(
+												charon->kernel_interface, dst);
+			route->dst_net = chunk_alloc(policy->sel.family == AF_INET ? 4 : 16);
+			memcpy(route->dst_net.ptr, &policy->sel.saddr, route->dst_net.len);
+			route->prefixlen = policy->sel.prefixlen_s;
+
+			if (route->if_name)
+			{
+				switch (charon->kernel_interface->add_route(
+									charon->kernel_interface, route->dst_net,
+									route->prefixlen, route->gateway,
+									route->src_ip, route->if_name))
+				{
+					default:
+						DBG1(DBG_KNL, "unable to install source route for %H",
+							 route->src_ip);
+						/* FALL */
+					case ALREADY_DONE:
+						/* route exists, do not uninstall */
+						route_entry_destroy(route);
+						break;
+					case SUCCESS:
+						/* cache the installed route */
+						policy->route = route;
+						break;
+				}
+			}
+			else
+			{
+				route_entry_destroy(route);
+			}
+		}
+		else
+		{
+			free(route);
+		}
+	}
+	return SUCCESS;
+}
+
+METHOD(kernel_ipsec_t, query_policy, status_t,
+	private_kernel_netlink_ipsec_t *this, traffic_selector_t *src_ts,
+	traffic_selector_t *dst_ts, policy_dir_t direction, u_int32_t *use_time)
+{
+	netlink_buf_t request;
+	struct nlmsghdr *out = NULL, *hdr;
+	struct xfrm_userpolicy_id *policy_id;
+	struct xfrm_userpolicy_info *policy = NULL;
+	size_t len;
+
+	memset(&request, 0, sizeof(request));
+
+	DBG2(DBG_KNL, "querying policy %R === %R %N", src_ts, dst_ts,
+				   policy_dir_names, direction);
+
+	hdr = (struct nlmsghdr*)request;
+	hdr->nlmsg_flags = NLM_F_REQUEST;
+	hdr->nlmsg_type = XFRM_MSG_GETPOLICY;
+	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
+
+	policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
+	policy_id->sel = ts2selector(src_ts, dst_ts);
+	policy_id->dir = direction;
+
+	if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
+	{
+		hdr = out;
+		while (NLMSG_OK(hdr, len))
+		{
+			switch (hdr->nlmsg_type)
+			{
+				case XFRM_MSG_NEWPOLICY:
+				{
+					policy = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr);
+					break;
+				}
+				case NLMSG_ERROR:
+				{
+					struct nlmsgerr *err = NLMSG_DATA(hdr);
+					DBG1(DBG_KNL, "querying policy failed: %s (%d)",
+						 strerror(-err->error), -err->error);
+					break;
+				}
+				default:
+					hdr = NLMSG_NEXT(hdr, len);
+					continue;
+				case NLMSG_DONE:
+					break;
+			}
+			break;
+		}
+	}
+
+	if (policy == NULL)
+	{
+		DBG2(DBG_KNL, "unable to query policy %R === %R %N", src_ts, dst_ts,
+					   policy_dir_names, direction);
+		free(out);
+		return FAILED;
+	}
+
+	if (policy->curlft.use_time)
+	{
+		/* we need the monotonic time, but the kernel returns system time. */
+		*use_time = time_monotonic(NULL) - (time(NULL) - policy->curlft.use_time);
+	}
+	else
+	{
+		*use_time = 0;
+	}
+
+	free(out);
+	return SUCCESS;
+}
+
+METHOD(kernel_ipsec_t, del_policy, status_t,
+	private_kernel_netlink_ipsec_t *this, traffic_selector_t *src_ts,
+	traffic_selector_t *dst_ts, policy_dir_t direction, bool unrouted)
+{
+	policy_entry_t *current, policy, *to_delete = NULL;
+	route_entry_t *route;
+	netlink_buf_t request;
+	struct nlmsghdr *hdr;
+	struct xfrm_userpolicy_id *policy_id;
+
+	DBG2(DBG_KNL, "deleting policy %R === %R %N", src_ts, dst_ts,
+				   policy_dir_names, direction);
+
+	/* create a policy */
+	memset(&policy, 0, sizeof(policy_entry_t));
+	policy.sel = ts2selector(src_ts, dst_ts);
+	policy.direction = direction;
+
+	/* find the policy */
+	this->mutex->lock(this->mutex);
+	current = this->policies->get(this->policies, &policy);
+	if (current)
+	{
+		to_delete = current;
+		if (--to_delete->refcount > 0)
+		{
+			/* is used by more SAs, keep in kernel */
+			DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed");
+			this->mutex->unlock(this->mutex);
+			return SUCCESS;
+		}
+		/* remove if last reference */
+		this->policies->remove(this->policies, to_delete);
+	}
+	this->mutex->unlock(this->mutex);
+	if (!to_delete)
+	{
+		DBG1(DBG_KNL, "deleting policy %R === %R %N failed, not found", src_ts,
+					   dst_ts, policy_dir_names, direction);
+		return NOT_FOUND;
+	}
+
+	memset(&request, 0, sizeof(request));
+
+	hdr = (struct nlmsghdr*)request;
+	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
+	hdr->nlmsg_type = XFRM_MSG_DELPOLICY;
+	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
+
+	policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
+	policy_id->sel = to_delete->sel;
+	policy_id->dir = direction;
+
+	route = to_delete->route;
+	free(to_delete);
+
+	if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "unable to delete policy %R === %R %N", src_ts, dst_ts,
+					   policy_dir_names, direction);
+		return FAILED;
+	}
+
+	if (route)
+	{
+		if (charon->kernel_interface->del_route(charon->kernel_interface,
+				route->dst_net, route->prefixlen, route->gateway,
+				route->src_ip, route->if_name) != SUCCESS)
+		{
+			DBG1(DBG_KNL, "error uninstalling route installed with "
+						  "policy %R === %R %N", src_ts, dst_ts,
+						   policy_dir_names, direction);
+		}
+		route_entry_destroy(route);
+	}
+	return SUCCESS;
+}
+
+METHOD(kernel_ipsec_t, bypass_socket, bool,
+	private_kernel_netlink_ipsec_t *this, int fd, int family)
+{
+	struct xfrm_userpolicy_info policy;
+	u_int sol, ipsec_policy;
+
+	switch (family)
+	{
+		case AF_INET:
+			sol = SOL_IP;
+			ipsec_policy = IP_XFRM_POLICY;
+			break;
+		case AF_INET6:
+			sol = SOL_IPV6;
+			ipsec_policy = IPV6_XFRM_POLICY;
+			break;
+		default:
+			return FALSE;
+	}
+
+	memset(&policy, 0, sizeof(policy));
+	policy.action = XFRM_POLICY_ALLOW;
+	policy.sel.family = family;
+
+	policy.dir = XFRM_POLICY_OUT;
+	if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
+	{
+		DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
+			 strerror(errno));
+		return FALSE;
+	}
+	policy.dir = XFRM_POLICY_IN;
+	if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
+	{
+		DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
+			 strerror(errno));
+		return FALSE;
+	}
+	return TRUE;
+}
+
+METHOD(kernel_ipsec_t, destroy, void,
+	private_kernel_netlink_ipsec_t *this)
+{
+	enumerator_t *enumerator;
+	policy_entry_t *policy;
+
+	if (this->job)
+	{
+		this->job->cancel(this->job);
+	}
+	if (this->socket_xfrm_events > 0)
+	{
+		close(this->socket_xfrm_events);
+	}
+	DESTROY_IF(this->socket_xfrm);
+	enumerator = this->policies->create_enumerator(this->policies);
+	while (enumerator->enumerate(enumerator, &policy, &policy))
+	{
+		free(policy);
+	}
+	enumerator->destroy(enumerator);
+	this->policies->destroy(this->policies);
+	this->mutex->destroy(this->mutex);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+kernel_netlink_ipsec_t *kernel_netlink_ipsec_create()
+{
+	private_kernel_netlink_ipsec_t *this;
+	struct sockaddr_nl addr;
+	int fd;
+
+	INIT(this,
+		.public.interface = {
+			.get_spi = _get_spi,
+			.get_cpi = _get_cpi,
+			.add_sa  = _add_sa,
+			.update_sa = _update_sa,
+			.query_sa = _query_sa,
+			.del_sa = _del_sa,
+			.add_policy = _add_policy,
+			.query_policy = _query_policy,
+			.del_policy = _del_policy,
+			.bypass_socket = _bypass_socket,
+			.destroy = _destroy,
+		},
+		.policies = hashtable_create((hashtable_hash_t)policy_hash,
+									 (hashtable_equals_t)policy_equals, 32),
+		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+		.install_routes = lib->settings->get_bool(lib->settings,
+												"charon.install_routes", TRUE),
+	);
+
+	/* disable lifetimes for allocated SPIs in kernel */
+	fd = open("/proc/sys/net/core/xfrm_acq_expires", O_WRONLY);
+	if (fd)
+	{
+		ignore_result(write(fd, "165", 3));
+		close(fd);
+	}
+
+	this->socket_xfrm = netlink_socket_create(NETLINK_XFRM);
+	if (!this->socket_xfrm)
+	{
+		destroy(this);
+		return NULL;
+	}
+
+	memset(&addr, 0, sizeof(addr));
+	addr.nl_family = AF_NETLINK;
+
+	/* create and bind XFRM socket for ACQUIRE, EXPIRE, MIGRATE & MAPPING */
+	this->socket_xfrm_events = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);
+	if (this->socket_xfrm_events <= 0)
+	{
+		DBG1(DBG_KNL, "unable to create XFRM event socket");
+		destroy(this);
+		return NULL;
+	}
+	addr.nl_groups = XFRMNLGRP(ACQUIRE) | XFRMNLGRP(EXPIRE) |
+					 XFRMNLGRP(MIGRATE) | XFRMNLGRP(MAPPING);
+	if (bind(this->socket_xfrm_events, (struct sockaddr*)&addr, sizeof(addr)))
+	{
+		DBG1(DBG_KNL, "unable to bind XFRM event socket");
+		destroy(this);
+		return NULL;
+	}
+	this->job = callback_job_create((callback_job_cb_t)receive_events,
+									this, NULL, NULL);
+	charon->processor->queue_job(charon->processor, (job_t*)this->job);
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.h b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.h
new file mode 100644
index 000000000..3a45cce06
--- /dev/null
+++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.h
@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup kernel_netlink_ipsec_i kernel_netlink_ipsec
+ * @{ @ingroup kernel_netlink
+ */
+
+#ifndef KERNEL_NETLINK_IPSEC_H_
+#define KERNEL_NETLINK_IPSEC_H_
+
+#include <kernel/kernel_ipsec.h>
+
+typedef struct kernel_netlink_ipsec_t kernel_netlink_ipsec_t;
+
+/**
+ * Implementation of the kernel ipsec interface using Netlink.
+ */
+struct kernel_netlink_ipsec_t {
+
+	/**
+	 * Implements kernel_ipsec_t interface
+	 */
+	kernel_ipsec_t interface;
+};
+
+/**
+ * Create a netlink kernel ipsec interface instance.
+ *
+ * @return			kernel_netlink_ipsec_t instance
+ */
+kernel_netlink_ipsec_t *kernel_netlink_ipsec_create();
+
+#endif /** KERNEL_NETLINK_IPSEC_H_ @}*/
diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.c
new file mode 100644
index 000000000..6750458cf
--- /dev/null
+++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.c
@@ -0,0 +1,1506 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2005-2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/*
+ * Copyright (C) 2010 secunet Security Networks AG
+ * Copyright (C) 2010 Thomas Egerer
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+#include <sys/socket.h>
+#include <linux/netlink.h>
+#include <linux/rtnetlink.h>
+#include <unistd.h>
+#include <errno.h>
+#include <net/if.h>
+
+#include "kernel_netlink_net.h"
+#include "kernel_netlink_shared.h"
+
+#include <daemon.h>
+#include <threading/thread.h>
+#include <threading/condvar.h>
+#include <threading/mutex.h>
+#include <utils/linked_list.h>
+#include <processing/jobs/callback_job.h>
+#include <processing/jobs/roam_job.h>
+
+/** delay before firing roam jobs (ms) */
+#define ROAM_DELAY 100
+
+typedef struct addr_entry_t addr_entry_t;
+
+/**
+ * IP address in an inface_entry_t
+ */
+struct addr_entry_t {
+
+	/** The ip address */
+	host_t *ip;
+
+	/** virtual IP managed by us */
+	bool virtual;
+
+	/** scope of the address */
+	u_char scope;
+
+	/** Number of times this IP is used, if virtual */
+	u_int refcount;
+};
+
+/**
+ * destroy a addr_entry_t object
+ */
+static void addr_entry_destroy(addr_entry_t *this)
+{
+	this->ip->destroy(this->ip);
+	free(this);
+}
+
+typedef struct iface_entry_t iface_entry_t;
+
+/**
+ * A network interface on this system, containing addr_entry_t's
+ */
+struct iface_entry_t {
+
+	/** interface index */
+	int ifindex;
+
+	/** name of the interface */
+	char ifname[IFNAMSIZ];
+
+	/** interface flags, as in netdevice(7) SIOCGIFFLAGS */
+	u_int flags;
+
+	/** list of addresses as host_t */
+	linked_list_t *addrs;
+};
+
+/**
+ * destroy an interface entry
+ */
+static void iface_entry_destroy(iface_entry_t *this)
+{
+	this->addrs->destroy_function(this->addrs, (void*)addr_entry_destroy);
+	free(this);
+}
+
+typedef struct private_kernel_netlink_net_t private_kernel_netlink_net_t;
+
+/**
+ * Private variables and functions of kernel_netlink_net class.
+ */
+struct private_kernel_netlink_net_t {
+	/**
+	 * Public part of the kernel_netlink_net_t object.
+	 */
+	kernel_netlink_net_t public;
+
+	/**
+	 * mutex to lock access to various lists
+	 */
+	mutex_t *mutex;
+
+	/**
+	 * condition variable to signal virtual IP add/removal
+	 */
+	condvar_t *condvar;
+
+	/**
+	 * Cached list of interfaces and its addresses (iface_entry_t)
+	 */
+	linked_list_t *ifaces;
+
+	/**
+	 * job receiving netlink events
+	 */
+	callback_job_t *job;
+
+	/**
+	 * netlink rt socket (routing)
+	 */
+	netlink_socket_t *socket;
+
+	/**
+	 * Netlink rt socket to receive address change events
+	 */
+	int socket_events;
+
+	/**
+	 * time of the last roam_job
+	 */
+	timeval_t last_roam;
+
+	/**
+	 * routing table to install routes
+	 */
+	int routing_table;
+
+	/**
+	 * priority of used routing table
+	 */
+	int routing_table_prio;
+
+	/**
+	 * whether to react to RTM_NEWROUTE or RTM_DELROUTE events
+	 */
+	bool process_route;
+
+	/**
+	 * whether to actually install virtual IPs
+	 */
+	bool install_virtual_ip;
+
+	/**
+	 * list with routing tables to be excluded from route lookup
+	 */
+	linked_list_t *rt_exclude;
+};
+
+/**
+ * get the refcount of a virtual ip
+ */
+static int get_vip_refcount(private_kernel_netlink_net_t *this, host_t* ip)
+{
+	iterator_t *ifaces, *addrs;
+	iface_entry_t *iface;
+	addr_entry_t *addr;
+	int refcount = 0;
+
+	ifaces = this->ifaces->create_iterator(this->ifaces, TRUE);
+	while (ifaces->iterate(ifaces, (void**)&iface))
+	{
+		addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
+		while (addrs->iterate(addrs, (void**)&addr))
+		{
+			if (addr->virtual && (iface->flags & IFF_UP) &&
+				ip->ip_equals(ip, addr->ip))
+			{
+				refcount = addr->refcount;
+				break;
+			}
+		}
+		addrs->destroy(addrs);
+		if (refcount)
+		{
+			break;
+		}
+	}
+	ifaces->destroy(ifaces);
+
+	return refcount;
+}
+
+/**
+ * start a roaming job. We delay it for a second and fire only one job
+ * for multiple events. Otherwise we would create two many jobs.
+ */
+static void fire_roam_job(private_kernel_netlink_net_t *this, bool address)
+{
+	timeval_t now;
+
+	time_monotonic(&now);
+	if (timercmp(&now, &this->last_roam, >))
+	{
+		now.tv_usec += ROAM_DELAY * 1000;
+		while (now.tv_usec > 1000000)
+		{
+			now.tv_sec++;
+			now.tv_usec -= 1000000;
+		}
+		this->last_roam = now;
+		charon->scheduler->schedule_job_ms(charon->scheduler,
+				(job_t*)roam_job_create(address), ROAM_DELAY);
+	}
+}
+
+/**
+ * process RTM_NEWLINK/RTM_DELLINK from kernel
+ */
+static void process_link(private_kernel_netlink_net_t *this,
+						 struct nlmsghdr *hdr, bool event)
+{
+	struct ifinfomsg* msg = (struct ifinfomsg*)(NLMSG_DATA(hdr));
+	struct rtattr *rta = IFLA_RTA(msg);
+	size_t rtasize = IFLA_PAYLOAD (hdr);
+	enumerator_t *enumerator;
+	iface_entry_t *current, *entry = NULL;
+	char *name = NULL;
+	bool update = FALSE;
+
+	while(RTA_OK(rta, rtasize))
+	{
+		switch (rta->rta_type)
+		{
+			case IFLA_IFNAME:
+				name = RTA_DATA(rta);
+				break;
+		}
+		rta = RTA_NEXT(rta, rtasize);
+	}
+	if (!name)
+	{
+		name = "(unknown)";
+	}
+
+	this->mutex->lock(this->mutex);
+	switch (hdr->nlmsg_type)
+	{
+		case RTM_NEWLINK:
+		{
+			if (msg->ifi_flags & IFF_LOOPBACK)
+			{	/* ignore loopback interfaces */
+				break;
+			}
+			enumerator = this->ifaces->create_enumerator(this->ifaces);
+			while (enumerator->enumerate(enumerator, &current))
+			{
+				if (current->ifindex == msg->ifi_index)
+				{
+					entry = current;
+					break;
+				}
+			}
+			enumerator->destroy(enumerator);
+			if (!entry)
+			{
+				entry = malloc_thing(iface_entry_t);
+				entry->ifindex = msg->ifi_index;
+				entry->flags = 0;
+				entry->addrs = linked_list_create();
+				this->ifaces->insert_last(this->ifaces, entry);
+			}
+			memcpy(entry->ifname, name, IFNAMSIZ);
+			entry->ifname[IFNAMSIZ-1] = '\0';
+			if (event)
+			{
+				if (!(entry->flags & IFF_UP) && (msg->ifi_flags & IFF_UP))
+				{
+					update = TRUE;
+					DBG1(DBG_KNL, "interface %s activated", name);
+				}
+				if ((entry->flags & IFF_UP) && !(msg->ifi_flags & IFF_UP))
+				{
+					update = TRUE;
+					DBG1(DBG_KNL, "interface %s deactivated", name);
+				}
+			}
+			entry->flags = msg->ifi_flags;
+			break;
+		}
+		case RTM_DELLINK:
+		{
+			enumerator = this->ifaces->create_enumerator(this->ifaces);
+			while (enumerator->enumerate(enumerator, &current))
+			{
+				if (current->ifindex == msg->ifi_index)
+				{
+					/* we do not remove it, as an address may be added to a
+					 * "down" interface and we wan't to know that. */
+					current->flags = msg->ifi_flags;
+					break;
+				}
+			}
+			enumerator->destroy(enumerator);
+			break;
+		}
+	}
+	this->mutex->unlock(this->mutex);
+
+	/* send an update to all IKE_SAs */
+	if (update && event)
+	{
+		fire_roam_job(this, TRUE);
+	}
+}
+
+/**
+ * process RTM_NEWADDR/RTM_DELADDR from kernel
+ */
+static void process_addr(private_kernel_netlink_net_t *this,
+						 struct nlmsghdr *hdr, bool event)
+{
+	struct ifaddrmsg* msg = (struct ifaddrmsg*)(NLMSG_DATA(hdr));
+	struct rtattr *rta = IFA_RTA(msg);
+	size_t rtasize = IFA_PAYLOAD (hdr);
+	host_t *host = NULL;
+	enumerator_t *ifaces, *addrs;
+	iface_entry_t *iface;
+	addr_entry_t *addr;
+	chunk_t local = chunk_empty, address = chunk_empty;
+	bool update = FALSE, found = FALSE, changed = FALSE;
+
+	while(RTA_OK(rta, rtasize))
+	{
+		switch (rta->rta_type)
+		{
+			case IFA_LOCAL:
+				local.ptr = RTA_DATA(rta);
+				local.len = RTA_PAYLOAD(rta);
+				break;
+			case IFA_ADDRESS:
+				address.ptr = RTA_DATA(rta);
+				address.len = RTA_PAYLOAD(rta);
+				break;
+		}
+		rta = RTA_NEXT(rta, rtasize);
+	}
+
+	/* For PPP interfaces, we need the IFA_LOCAL address,
+	 * IFA_ADDRESS is the peers address. But IFA_LOCAL is
+	 * not included in all cases (IPv6?), so fallback to IFA_ADDRESS. */
+	if (local.ptr)
+	{
+		host = host_create_from_chunk(msg->ifa_family, local, 0);
+	}
+	else if (address.ptr)
+	{
+		host = host_create_from_chunk(msg->ifa_family, address, 0);
+	}
+
+	if (host == NULL)
+	{	/* bad family? */
+		return;
+	}
+
+	this->mutex->lock(this->mutex);
+	ifaces = this->ifaces->create_enumerator(this->ifaces);
+	while (ifaces->enumerate(ifaces, &iface))
+	{
+		if (iface->ifindex == msg->ifa_index)
+		{
+			addrs = iface->addrs->create_enumerator(iface->addrs);
+			while (addrs->enumerate(addrs, &addr))
+			{
+				if (host->ip_equals(host, addr->ip))
+				{
+					found = TRUE;
+					if (hdr->nlmsg_type == RTM_DELADDR)
+					{
+						iface->addrs->remove_at(iface->addrs, addrs);
+						if (!addr->virtual)
+						{
+							changed = TRUE;
+							DBG1(DBG_KNL, "%H disappeared from %s",
+								 host, iface->ifname);
+						}
+						addr_entry_destroy(addr);
+					}
+					else if (hdr->nlmsg_type == RTM_NEWADDR && addr->virtual)
+					{
+						addr->refcount = 1;
+					}
+				}
+			}
+			addrs->destroy(addrs);
+
+			if (hdr->nlmsg_type == RTM_NEWADDR)
+			{
+				if (!found)
+				{
+					found = TRUE;
+					changed = TRUE;
+					addr = malloc_thing(addr_entry_t);
+					addr->ip = host->clone(host);
+					addr->virtual = FALSE;
+					addr->refcount = 1;
+					addr->scope = msg->ifa_scope;
+
+					iface->addrs->insert_last(iface->addrs, addr);
+					if (event)
+					{
+						DBG1(DBG_KNL, "%H appeared on %s", host, iface->ifname);
+					}
+				}
+			}
+			if (found && (iface->flags & IFF_UP))
+			{
+				update = TRUE;
+			}
+			break;
+		}
+	}
+	ifaces->destroy(ifaces);
+	this->mutex->unlock(this->mutex);
+	host->destroy(host);
+
+	/* send an update to all IKE_SAs */
+	if (update && event && changed)
+	{
+		fire_roam_job(this, TRUE);
+	}
+}
+
+/**
+ * process RTM_NEWROUTE and RTM_DELROUTE from kernel
+ */
+static void process_route(private_kernel_netlink_net_t *this, struct nlmsghdr *hdr)
+{
+	struct rtmsg* msg = (struct rtmsg*)(NLMSG_DATA(hdr));
+	struct rtattr *rta = RTM_RTA(msg);
+	size_t rtasize = RTM_PAYLOAD(hdr);
+	host_t *host = NULL;
+
+	/* ignore routes added by us */
+	if (msg->rtm_table && msg->rtm_table == this->routing_table)
+	{
+		return;
+	}
+
+	while (RTA_OK(rta, rtasize))
+	{
+		switch (rta->rta_type)
+		{
+			case RTA_PREFSRC:
+				host = host_create_from_chunk(msg->rtm_family,
+							chunk_create(RTA_DATA(rta), RTA_PAYLOAD(rta)), 0);
+				break;
+		}
+		rta = RTA_NEXT(rta, rtasize);
+	}
+	if (host)
+	{
+		this->mutex->lock(this->mutex);
+		if (!get_vip_refcount(this, host))
+		{	/* ignore routes added for virtual IPs */
+			fire_roam_job(this, FALSE);
+		}
+		this->mutex->unlock(this->mutex);
+		host->destroy(host);
+	}
+}
+
+/**
+ * Receives events from kernel
+ */
+static job_requeue_t receive_events(private_kernel_netlink_net_t *this)
+{
+	char response[1024];
+	struct nlmsghdr *hdr = (struct nlmsghdr*)response;
+	struct sockaddr_nl addr;
+	socklen_t addr_len = sizeof(addr);
+	int len;
+	bool oldstate;
+
+	oldstate = thread_cancelability(TRUE);
+	len = recvfrom(this->socket_events, response, sizeof(response), 0,
+				   (struct sockaddr*)&addr, &addr_len);
+	thread_cancelability(oldstate);
+
+	if (len < 0)
+	{
+		switch (errno)
+		{
+			case EINTR:
+				/* interrupted, try again */
+				return JOB_REQUEUE_DIRECT;
+			case EAGAIN:
+				/* no data ready, select again */
+				return JOB_REQUEUE_DIRECT;
+			default:
+				DBG1(DBG_KNL, "unable to receive from rt event socket");
+				sleep(1);
+				return JOB_REQUEUE_FAIR;
+		}
+	}
+
+	if (addr.nl_pid != 0)
+	{	/* not from kernel. not interested, try another one */
+		return JOB_REQUEUE_DIRECT;
+	}
+
+	while (NLMSG_OK(hdr, len))
+	{
+		/* looks good so far, dispatch netlink message */
+		switch (hdr->nlmsg_type)
+		{
+			case RTM_NEWADDR:
+			case RTM_DELADDR:
+				process_addr(this, hdr, TRUE);
+				this->condvar->broadcast(this->condvar);
+				break;
+			case RTM_NEWLINK:
+			case RTM_DELLINK:
+				process_link(this, hdr, TRUE);
+				this->condvar->broadcast(this->condvar);
+				break;
+			case RTM_NEWROUTE:
+			case RTM_DELROUTE:
+				if (this->process_route)
+				{
+					process_route(this, hdr);
+				}
+				break;
+			default:
+				break;
+		}
+		hdr = NLMSG_NEXT(hdr, len);
+	}
+	return JOB_REQUEUE_DIRECT;
+}
+
+/** enumerator over addresses */
+typedef struct {
+	private_kernel_netlink_net_t* this;
+	/** whether to enumerate down interfaces */
+	bool include_down_ifaces;
+	/** whether to enumerate virtual ip addresses */
+	bool include_virtual_ips;
+} address_enumerator_t;
+
+/**
+ * cleanup function for address enumerator
+ */
+static void address_enumerator_destroy(address_enumerator_t *data)
+{
+	data->this->mutex->unlock(data->this->mutex);
+	free(data);
+}
+
+/**
+ * filter for addresses
+ */
+static bool filter_addresses(address_enumerator_t *data, addr_entry_t** in, host_t** out)
+{
+	if (!data->include_virtual_ips && (*in)->virtual)
+	{	/* skip virtual interfaces added by us */
+		return FALSE;
+	}
+	if ((*in)->scope >= RT_SCOPE_LINK)
+	{	/* skip addresses with a unusable scope */
+		return FALSE;
+	}
+	*out = (*in)->ip;
+	return TRUE;
+}
+
+/**
+ * enumerator constructor for interfaces
+ */
+static enumerator_t *create_iface_enumerator(iface_entry_t *iface, address_enumerator_t *data)
+{
+	return enumerator_create_filter(iface->addrs->create_enumerator(iface->addrs),
+				(void*)filter_addresses, data, NULL);
+}
+
+/**
+ * filter for interfaces
+ */
+static bool filter_interfaces(address_enumerator_t *data, iface_entry_t** in, iface_entry_t** out)
+{
+	if (!data->include_down_ifaces && !((*in)->flags & IFF_UP))
+	{	/* skip interfaces not up */
+		return FALSE;
+	}
+	*out = *in;
+	return TRUE;
+}
+
+/**
+ * implementation of kernel_net_t.create_address_enumerator
+ */
+static enumerator_t *create_address_enumerator(private_kernel_netlink_net_t *this,
+		bool include_down_ifaces, bool include_virtual_ips)
+{
+	address_enumerator_t *data = malloc_thing(address_enumerator_t);
+	data->this = this;
+	data->include_down_ifaces = include_down_ifaces;
+	data->include_virtual_ips = include_virtual_ips;
+
+	this->mutex->lock(this->mutex);
+	return enumerator_create_nested(
+				enumerator_create_filter(this->ifaces->create_enumerator(this->ifaces),
+							(void*)filter_interfaces, data, NULL),
+				(void*)create_iface_enumerator, data, (void*)address_enumerator_destroy);
+}
+
+/**
+ * implementation of kernel_net_t.get_interface_name
+ */
+static char *get_interface_name(private_kernel_netlink_net_t *this, host_t* ip)
+{
+	enumerator_t *ifaces, *addrs;
+	iface_entry_t *iface;
+	addr_entry_t *addr;
+	char *name = NULL;
+
+	DBG2(DBG_KNL, "getting interface name for %H", ip);
+
+	this->mutex->lock(this->mutex);
+	ifaces = this->ifaces->create_enumerator(this->ifaces);
+	while (ifaces->enumerate(ifaces, &iface))
+	{
+		addrs = iface->addrs->create_enumerator(iface->addrs);
+		while (addrs->enumerate(addrs, &addr))
+		{
+			if (ip->ip_equals(ip, addr->ip))
+			{
+				name = strdup(iface->ifname);
+				break;
+			}
+		}
+		addrs->destroy(addrs);
+		if (name)
+		{
+			break;
+		}
+	}
+	ifaces->destroy(ifaces);
+	this->mutex->unlock(this->mutex);
+
+	if (name)
+	{
+		DBG2(DBG_KNL, "%H is on interface %s", ip, name);
+	}
+	else
+	{
+		DBG2(DBG_KNL, "%H is not a local address", ip);
+	}
+	return name;
+}
+
+/**
+ * get the index of an interface by name
+ */
+static int get_interface_index(private_kernel_netlink_net_t *this, char* name)
+{
+	enumerator_t *ifaces;
+	iface_entry_t *iface;
+	int ifindex = 0;
+
+	DBG2(DBG_KNL, "getting iface index for %s", name);
+
+	this->mutex->lock(this->mutex);
+	ifaces = this->ifaces->create_enumerator(this->ifaces);
+	while (ifaces->enumerate(ifaces, &iface))
+	{
+		if (streq(name, iface->ifname))
+		{
+			ifindex = iface->ifindex;
+			break;
+		}
+	}
+	ifaces->destroy(ifaces);
+	this->mutex->unlock(this->mutex);
+
+	if (ifindex == 0)
+	{
+		DBG1(DBG_KNL, "unable to get interface index for %s", name);
+	}
+	return ifindex;
+}
+
+/**
+ * Check if an interface with a given index is up
+ */
+static bool is_interface_up(private_kernel_netlink_net_t *this, int index)
+{
+	enumerator_t *ifaces;
+	iface_entry_t *iface;
+	/* default to TRUE for interface we do not monitor (e.g. lo) */
+	bool up = TRUE;
+
+	ifaces = this->ifaces->create_enumerator(this->ifaces);
+	while (ifaces->enumerate(ifaces, &iface))
+	{
+		if (iface->ifindex == index)
+		{
+			up = iface->flags & IFF_UP;
+			break;
+		}
+	}
+	ifaces->destroy(ifaces);
+	return up;
+}
+
+/**
+ * check if an address (chunk) addr is in subnet (net with net_len net bits)
+ */
+static bool addr_in_subnet(chunk_t addr, chunk_t net, int net_len)
+{
+	static const u_char mask[] = { 0x00, 0x80, 0xc0, 0xe0, 0xf0, 0xf8, 0xfc, 0xfe };
+	int byte = 0;
+
+	if (net_len == 0)
+	{	/* any address matches a /0 network */
+		return TRUE;
+	}
+	if (addr.len != net.len || net_len > 8 * net.len )
+	{
+		return FALSE;
+	}
+	/* scan through all bytes in network order */
+	while (net_len > 0)
+	{
+		if (net_len < 8)
+		{
+			return (mask[net_len] & addr.ptr[byte]) == (mask[net_len] & net.ptr[byte]);
+		}
+		else
+		{
+			if (addr.ptr[byte] != net.ptr[byte])
+			{
+				return FALSE;
+			}
+			byte++;
+			net_len -= 8;
+		}
+	}
+	return TRUE;
+}
+
+/**
+ * Get a route: If "nexthop", the nexthop is returned. source addr otherwise.
+ */
+static host_t *get_route(private_kernel_netlink_net_t *this, host_t *dest,
+						 bool nexthop, host_t *candidate)
+{
+	netlink_buf_t request;
+	struct nlmsghdr *hdr, *out, *current;
+	struct rtmsg *msg;
+	chunk_t chunk;
+	size_t len;
+	int best = -1;
+	enumerator_t *enumerator;
+	host_t *src = NULL, *gtw = NULL;
+
+	DBG2(DBG_KNL, "getting address to reach %H", dest);
+
+	memset(&request, 0, sizeof(request));
+
+	hdr = (struct nlmsghdr*)request;
+	hdr->nlmsg_flags = NLM_F_REQUEST;
+	if (dest->get_family(dest) == AF_INET)
+	{
+		/* We dump all addresses for IPv4, as we want to ignore IPsec specific
+		 * routes installed by us. But the kernel does not return source
+		 * addresses in a IPv6 dump, so fall back to get() for v6 routes. */
+		hdr->nlmsg_flags |= NLM_F_ROOT | NLM_F_DUMP;
+	}
+	hdr->nlmsg_type = RTM_GETROUTE;
+	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg));
+
+	msg = (struct rtmsg*)NLMSG_DATA(hdr);
+	msg->rtm_family = dest->get_family(dest);
+	if (candidate)
+	{
+		chunk = candidate->get_address(candidate);
+		netlink_add_attribute(hdr, RTA_PREFSRC, chunk, sizeof(request));
+	}
+	chunk = dest->get_address(dest);
+	netlink_add_attribute(hdr, RTA_DST, chunk, sizeof(request));
+
+	if (this->socket->send(this->socket, hdr, &out, &len) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "getting address to %H failed", dest);
+		return NULL;
+	}
+	this->mutex->lock(this->mutex);
+
+	for (current = out; NLMSG_OK(current, len);
+		 current = NLMSG_NEXT(current, len))
+	{
+		switch (current->nlmsg_type)
+		{
+			case NLMSG_DONE:
+				break;
+			case RTM_NEWROUTE:
+			{
+				struct rtattr *rta;
+				size_t rtasize;
+				chunk_t rta_gtw, rta_src, rta_dst;
+				u_int32_t rta_oif = 0;
+				host_t *new_src, *new_gtw;
+				bool cont = FALSE;
+				uintptr_t table;
+
+				rta_gtw = rta_src = rta_dst = chunk_empty;
+				msg = (struct rtmsg*)(NLMSG_DATA(current));
+				rta = RTM_RTA(msg);
+				rtasize = RTM_PAYLOAD(current);
+				while (RTA_OK(rta, rtasize))
+				{
+					switch (rta->rta_type)
+					{
+						case RTA_PREFSRC:
+							rta_src = chunk_create(RTA_DATA(rta), RTA_PAYLOAD(rta));
+							break;
+						case RTA_GATEWAY:
+							rta_gtw = chunk_create(RTA_DATA(rta), RTA_PAYLOAD(rta));
+							break;
+						case RTA_DST:
+							rta_dst = chunk_create(RTA_DATA(rta), RTA_PAYLOAD(rta));
+							break;
+						case RTA_OIF:
+							if (RTA_PAYLOAD(rta) == sizeof(rta_oif))
+							{
+								rta_oif = *(u_int32_t*)RTA_DATA(rta);
+							}
+							break;
+					}
+					rta = RTA_NEXT(rta, rtasize);
+				}
+				if (msg->rtm_dst_len <= best)
+				{	/* not better than a previous one */
+					continue;
+				}
+				enumerator = this->rt_exclude->create_enumerator(this->rt_exclude);
+				while (enumerator->enumerate(enumerator, &table))
+				{
+					if (table == msg->rtm_table)
+					{
+						cont = TRUE;
+						break;
+					}
+				}
+				enumerator->destroy(enumerator);
+				if (cont)
+				{
+					continue;
+				}
+				if (this->routing_table != 0 &&
+					msg->rtm_table == this->routing_table)
+				{	/* route is from our own ipsec routing table */
+					continue;
+				}
+				if (rta_oif && !is_interface_up(this, rta_oif))
+				{	/* interface is down */
+					continue;
+				}
+				if (!addr_in_subnet(chunk, rta_dst, msg->rtm_dst_len))
+				{	/* route destination does not contain dest */
+					continue;
+				}
+
+				if (nexthop)
+				{
+					/* nexthop lookup, return gateway if any */
+					DESTROY_IF(gtw);
+					gtw = host_create_from_chunk(msg->rtm_family, rta_gtw, 0);
+					best = msg->rtm_dst_len;
+					continue;
+				}
+				if (rta_src.ptr)
+				{
+					/* got a source address */
+					new_src = host_create_from_chunk(msg->rtm_family, rta_src, 0);
+					if (new_src)
+					{
+						if (get_vip_refcount(this, new_src))
+						{	/* skip source address if it is installed by us */
+							new_src->destroy(new_src);
+						}
+						else
+						{
+							DESTROY_IF(src);
+							src = new_src;
+							best = msg->rtm_dst_len;
+						}
+					}
+					continue;
+				}
+				if (rta_gtw.ptr)
+				{	/* no source, but a gateway. Lookup source to reach gtw. */
+					new_gtw = host_create_from_chunk(msg->rtm_family, rta_gtw, 0);
+					new_src = get_route(this, new_gtw, FALSE, candidate);
+					new_gtw->destroy(new_gtw);
+					if (new_src)
+					{
+						DESTROY_IF(src);
+						src = new_src;
+						best = msg->rtm_dst_len;
+					}
+					continue;
+				}
+				continue;
+			}
+			default:
+				continue;
+		}
+		break;
+	}
+	free(out);
+	this->mutex->unlock(this->mutex);
+
+	if (nexthop)
+	{
+		if (gtw)
+		{
+			return gtw;
+		}
+		return dest->clone(dest);
+	}
+	return src;
+}
+
+/**
+ * Implementation of kernel_net_t.get_source_addr.
+ */
+static host_t* get_source_addr(private_kernel_netlink_net_t *this,
+							   host_t *dest, host_t *src)
+{
+	return get_route(this, dest, FALSE, src);
+}
+
+/**
+ * Implementation of kernel_net_t.get_nexthop.
+ */
+static host_t* get_nexthop(private_kernel_netlink_net_t *this, host_t *dest)
+{
+	return get_route(this, dest, TRUE, NULL);
+}
+
+/**
+ * Manages the creation and deletion of ip addresses on an interface.
+ * By setting the appropriate nlmsg_type, the ip will be set or unset.
+ */
+static status_t manage_ipaddr(private_kernel_netlink_net_t *this, int nlmsg_type,
+							  int flags, int if_index, host_t *ip)
+{
+	netlink_buf_t request;
+	struct nlmsghdr *hdr;
+	struct ifaddrmsg *msg;
+	chunk_t chunk;
+
+	memset(&request, 0, sizeof(request));
+
+	chunk = ip->get_address(ip);
+
+	hdr = (struct nlmsghdr*)request;
+	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags;
+	hdr->nlmsg_type = nlmsg_type;
+	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct ifaddrmsg));
+
+	msg = (struct ifaddrmsg*)NLMSG_DATA(hdr);
+	msg->ifa_family = ip->get_family(ip);
+	msg->ifa_flags = 0;
+	msg->ifa_prefixlen = 8 * chunk.len;
+	msg->ifa_scope = RT_SCOPE_UNIVERSE;
+	msg->ifa_index = if_index;
+
+	netlink_add_attribute(hdr, IFA_LOCAL, chunk, sizeof(request));
+
+	return this->socket->send_ack(this->socket, hdr);
+}
+
+/**
+ * Implementation of kernel_net_t.add_ip.
+ */
+static status_t add_ip(private_kernel_netlink_net_t *this,
+						host_t *virtual_ip, host_t *iface_ip)
+{
+	iface_entry_t *iface;
+	addr_entry_t *addr;
+	enumerator_t *addrs, *ifaces;
+	int ifindex;
+
+	if (!this->install_virtual_ip)
+	{	/* disabled by config */
+		return SUCCESS;
+	}
+
+	DBG2(DBG_KNL, "adding virtual IP %H", virtual_ip);
+
+	this->mutex->lock(this->mutex);
+	ifaces = this->ifaces->create_enumerator(this->ifaces);
+	while (ifaces->enumerate(ifaces, &iface))
+	{
+		bool iface_found = FALSE;
+
+		addrs = iface->addrs->create_enumerator(iface->addrs);
+		while (addrs->enumerate(addrs, &addr))
+		{
+			if (iface_ip->ip_equals(iface_ip, addr->ip))
+			{
+				iface_found = TRUE;
+			}
+			else if (virtual_ip->ip_equals(virtual_ip, addr->ip))
+			{
+				addr->refcount++;
+				DBG2(DBG_KNL, "virtual IP %H already installed on %s",
+					 virtual_ip, iface->ifname);
+				addrs->destroy(addrs);
+				ifaces->destroy(ifaces);
+				this->mutex->unlock(this->mutex);
+				return SUCCESS;
+			}
+		}
+		addrs->destroy(addrs);
+
+		if (iface_found)
+		{
+			ifindex = iface->ifindex;
+			addr = malloc_thing(addr_entry_t);
+			addr->ip = virtual_ip->clone(virtual_ip);
+			addr->refcount = 0;
+			addr->virtual = TRUE;
+			addr->scope = RT_SCOPE_UNIVERSE;
+			iface->addrs->insert_last(iface->addrs, addr);
+
+			if (manage_ipaddr(this, RTM_NEWADDR, NLM_F_CREATE | NLM_F_EXCL,
+							  ifindex, virtual_ip) == SUCCESS)
+			{
+				while (get_vip_refcount(this, virtual_ip) == 0)
+				{	/* wait until address appears */
+					this->condvar->wait(this->condvar, this->mutex);
+				}
+				ifaces->destroy(ifaces);
+				this->mutex->unlock(this->mutex);
+				return SUCCESS;
+			}
+			ifaces->destroy(ifaces);
+			this->mutex->unlock(this->mutex);
+			DBG1(DBG_KNL, "adding virtual IP %H failed", virtual_ip);
+			return FAILED;
+		}
+	}
+	ifaces->destroy(ifaces);
+	this->mutex->unlock(this->mutex);
+
+	DBG1(DBG_KNL, "interface address %H not found, unable to install"
+		 "virtual IP %H", iface_ip, virtual_ip);
+	return FAILED;
+}
+
+/**
+ * Implementation of kernel_net_t.del_ip.
+ */
+static status_t del_ip(private_kernel_netlink_net_t *this, host_t *virtual_ip)
+{
+	iface_entry_t *iface;
+	addr_entry_t *addr;
+	enumerator_t *addrs, *ifaces;
+	status_t status;
+	int ifindex;
+
+	if (!this->install_virtual_ip)
+	{	/* disabled by config */
+		return SUCCESS;
+	}
+
+	DBG2(DBG_KNL, "deleting virtual IP %H", virtual_ip);
+
+	this->mutex->lock(this->mutex);
+	ifaces = this->ifaces->create_enumerator(this->ifaces);
+	while (ifaces->enumerate(ifaces, &iface))
+	{
+		addrs = iface->addrs->create_enumerator(iface->addrs);
+		while (addrs->enumerate(addrs, &addr))
+		{
+			if (virtual_ip->ip_equals(virtual_ip, addr->ip))
+			{
+				ifindex = iface->ifindex;
+				if (addr->refcount == 1)
+				{
+					status = manage_ipaddr(this, RTM_DELADDR, 0,
+										   ifindex, virtual_ip);
+					if (status == SUCCESS)
+					{	/* wait until the address is really gone */
+						while (get_vip_refcount(this, virtual_ip) > 0)
+						{
+							this->condvar->wait(this->condvar, this->mutex);
+						}
+					}
+					addrs->destroy(addrs);
+					ifaces->destroy(ifaces);
+					this->mutex->unlock(this->mutex);
+					return status;
+				}
+				else
+				{
+					addr->refcount--;
+				}
+				DBG2(DBG_KNL, "virtual IP %H used by other SAs, not deleting",
+					 virtual_ip);
+				addrs->destroy(addrs);
+				ifaces->destroy(ifaces);
+				this->mutex->unlock(this->mutex);
+				return SUCCESS;
+			}
+		}
+		addrs->destroy(addrs);
+	}
+	ifaces->destroy(ifaces);
+	this->mutex->unlock(this->mutex);
+
+	DBG2(DBG_KNL, "virtual IP %H not cached, unable to delete", virtual_ip);
+	return FAILED;
+}
+
+/**
+ * Manages source routes in the routing table.
+ * By setting the appropriate nlmsg_type, the route gets added or removed.
+ */
+static status_t manage_srcroute(private_kernel_netlink_net_t *this, int nlmsg_type,
+								int flags, chunk_t dst_net, u_int8_t prefixlen,
+								host_t *gateway, host_t *src_ip, char *if_name)
+{
+	netlink_buf_t request;
+	struct nlmsghdr *hdr;
+	struct rtmsg *msg;
+	int ifindex;
+	chunk_t chunk;
+
+	/* if route is 0.0.0.0/0, we can't install it, as it would
+	 * overwrite the default route. Instead, we add two routes:
+	 * 0.0.0.0/1 and 128.0.0.0/1 */
+	if (this->routing_table == 0 && prefixlen == 0)
+	{
+		chunk_t half_net;
+		u_int8_t half_prefixlen;
+		status_t status;
+
+		half_net = chunk_alloca(dst_net.len);
+		memset(half_net.ptr, 0, half_net.len);
+		half_prefixlen = 1;
+
+		status = manage_srcroute(this, nlmsg_type, flags, half_net, half_prefixlen,
+					gateway, src_ip, if_name);
+		half_net.ptr[0] |= 0x80;
+		status = manage_srcroute(this, nlmsg_type, flags, half_net, half_prefixlen,
+					gateway, src_ip, if_name);
+		return status;
+	}
+
+	memset(&request, 0, sizeof(request));
+
+	hdr = (struct nlmsghdr*)request;
+	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags;
+	hdr->nlmsg_type = nlmsg_type;
+	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg));
+
+	msg = (struct rtmsg*)NLMSG_DATA(hdr);
+	msg->rtm_family = src_ip->get_family(src_ip);
+	msg->rtm_dst_len = prefixlen;
+	msg->rtm_table = this->routing_table;
+	msg->rtm_protocol = RTPROT_STATIC;
+	msg->rtm_type = RTN_UNICAST;
+	msg->rtm_scope = RT_SCOPE_UNIVERSE;
+
+	netlink_add_attribute(hdr, RTA_DST, dst_net, sizeof(request));
+	chunk = src_ip->get_address(src_ip);
+	netlink_add_attribute(hdr, RTA_PREFSRC, chunk, sizeof(request));
+	if (gateway && gateway->get_family(gateway) == src_ip->get_family(src_ip))
+	{
+		chunk = gateway->get_address(gateway);
+		netlink_add_attribute(hdr, RTA_GATEWAY, chunk, sizeof(request));
+	}
+	ifindex = get_interface_index(this, if_name);
+	chunk.ptr = (char*)&ifindex;
+	chunk.len = sizeof(ifindex);
+	netlink_add_attribute(hdr, RTA_OIF, chunk, sizeof(request));
+
+	return this->socket->send_ack(this->socket, hdr);
+}
+
+/**
+ * Implementation of kernel_net_t.add_route.
+ */
+static status_t add_route(private_kernel_netlink_net_t *this, chunk_t dst_net,
+		u_int8_t prefixlen, host_t *gateway, host_t *src_ip, char *if_name)
+{
+	return manage_srcroute(this, RTM_NEWROUTE, NLM_F_CREATE | NLM_F_EXCL,
+				dst_net, prefixlen, gateway, src_ip, if_name);
+}
+
+/**
+ * Implementation of kernel_net_t.del_route.
+ */
+static status_t del_route(private_kernel_netlink_net_t *this, chunk_t dst_net,
+		u_int8_t prefixlen, host_t *gateway, host_t *src_ip, char *if_name)
+{
+	return manage_srcroute(this, RTM_DELROUTE, 0, dst_net, prefixlen,
+				gateway, src_ip, if_name);
+}
+
+/**
+ * Initialize a list of local addresses.
+ */
+static status_t init_address_list(private_kernel_netlink_net_t *this)
+{
+	netlink_buf_t request;
+	struct nlmsghdr *out, *current, *in;
+	struct rtgenmsg *msg;
+	size_t len;
+	enumerator_t *ifaces, *addrs;
+	iface_entry_t *iface;
+	addr_entry_t *addr;
+
+	DBG1(DBG_KNL, "listening on interfaces:");
+
+	memset(&request, 0, sizeof(request));
+
+	in = (struct nlmsghdr*)&request;
+	in->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtgenmsg));
+	in->nlmsg_flags = NLM_F_REQUEST | NLM_F_MATCH | NLM_F_ROOT;
+	msg = (struct rtgenmsg*)NLMSG_DATA(in);
+	msg->rtgen_family = AF_UNSPEC;
+
+	/* get all links */
+	in->nlmsg_type = RTM_GETLINK;
+	if (this->socket->send(this->socket, in, &out, &len) != SUCCESS)
+	{
+		return FAILED;
+	}
+	current = out;
+	while (NLMSG_OK(current, len))
+	{
+		switch (current->nlmsg_type)
+		{
+			case NLMSG_DONE:
+				break;
+			case RTM_NEWLINK:
+				process_link(this, current, FALSE);
+				/* fall through */
+			default:
+				current = NLMSG_NEXT(current, len);
+				continue;
+		}
+		break;
+	}
+	free(out);
+
+	/* get all interface addresses */
+	in->nlmsg_type = RTM_GETADDR;
+	if (this->socket->send(this->socket, in, &out, &len) != SUCCESS)
+	{
+		return FAILED;
+	}
+	current = out;
+	while (NLMSG_OK(current, len))
+	{
+		switch (current->nlmsg_type)
+		{
+			case NLMSG_DONE:
+				break;
+			case RTM_NEWADDR:
+				process_addr(this, current, FALSE);
+				/* fall through */
+			default:
+				current = NLMSG_NEXT(current, len);
+				continue;
+		}
+		break;
+	}
+	free(out);
+
+	this->mutex->lock(this->mutex);
+	ifaces = this->ifaces->create_enumerator(this->ifaces);
+	while (ifaces->enumerate(ifaces, &iface))
+	{
+		if (iface->flags & IFF_UP)
+		{
+			DBG1(DBG_KNL, "  %s", iface->ifname);
+			addrs = iface->addrs->create_enumerator(iface->addrs);
+			while (addrs->enumerate(addrs, (void**)&addr))
+			{
+				DBG1(DBG_KNL, "    %H", addr->ip);
+			}
+			addrs->destroy(addrs);
+		}
+	}
+	ifaces->destroy(ifaces);
+	this->mutex->unlock(this->mutex);
+	return SUCCESS;
+}
+
+/**
+ * create or delete a rule to use our routing table
+ */
+static status_t manage_rule(private_kernel_netlink_net_t *this, int nlmsg_type,
+							int family, u_int32_t table, u_int32_t prio)
+{
+	netlink_buf_t request;
+	struct nlmsghdr *hdr;
+	struct rtmsg *msg;
+	chunk_t chunk;
+
+	memset(&request, 0, sizeof(request));
+	hdr = (struct nlmsghdr*)request;
+	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
+	hdr->nlmsg_type = nlmsg_type;
+	if (nlmsg_type == RTM_NEWRULE)
+	{
+		hdr->nlmsg_flags |= NLM_F_CREATE | NLM_F_EXCL;
+	}
+	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg));
+
+	msg = (struct rtmsg*)NLMSG_DATA(hdr);
+	msg->rtm_table = table;
+	msg->rtm_family = family;
+	msg->rtm_protocol = RTPROT_BOOT;
+	msg->rtm_scope = RT_SCOPE_UNIVERSE;
+	msg->rtm_type = RTN_UNICAST;
+
+	chunk = chunk_from_thing(prio);
+	netlink_add_attribute(hdr, RTA_PRIORITY, chunk, sizeof(request));
+
+	return this->socket->send_ack(this->socket, hdr);
+}
+
+/**
+ * Implementation of kernel_netlink_net_t.destroy.
+ */
+static void destroy(private_kernel_netlink_net_t *this)
+{
+	if (this->routing_table)
+	{
+		manage_rule(this, RTM_DELRULE, AF_INET, this->routing_table,
+					this->routing_table_prio);
+		manage_rule(this, RTM_DELRULE, AF_INET6, this->routing_table,
+					this->routing_table_prio);
+	}
+	if (this->job)
+	{
+		this->job->cancel(this->job);
+	}
+	if (this->socket_events > 0)
+	{
+		close(this->socket_events);
+	}
+	DESTROY_IF(this->socket);
+	this->ifaces->destroy_function(this->ifaces, (void*)iface_entry_destroy);
+	this->rt_exclude->destroy(this->rt_exclude);
+	this->condvar->destroy(this->condvar);
+	this->mutex->destroy(this->mutex);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+kernel_netlink_net_t *kernel_netlink_net_create()
+{
+	private_kernel_netlink_net_t *this = malloc_thing(private_kernel_netlink_net_t);
+	struct sockaddr_nl addr;
+	enumerator_t *enumerator;
+	char *exclude;
+
+	/* public functions */
+	this->public.interface.get_interface = (char*(*)(kernel_net_t*,host_t*))get_interface_name;
+	this->public.interface.create_address_enumerator = (enumerator_t*(*)(kernel_net_t*,bool,bool))create_address_enumerator;
+	this->public.interface.get_source_addr = (host_t*(*)(kernel_net_t*, host_t *dest, host_t *src))get_source_addr;
+	this->public.interface.get_nexthop = (host_t*(*)(kernel_net_t*, host_t *dest))get_nexthop;
+	this->public.interface.add_ip = (status_t(*)(kernel_net_t*,host_t*,host_t*)) add_ip;
+	this->public.interface.del_ip = (status_t(*)(kernel_net_t*,host_t*)) del_ip;
+	this->public.interface.add_route = (status_t(*)(kernel_net_t*,chunk_t,u_int8_t,host_t*,host_t*,char*)) add_route;
+	this->public.interface.del_route = (status_t(*)(kernel_net_t*,chunk_t,u_int8_t,host_t*,host_t*,char*)) del_route;
+	this->public.interface.destroy = (void(*)(kernel_net_t*)) destroy;
+
+	/* private members */
+	this->ifaces = linked_list_create();
+	this->mutex = mutex_create(MUTEX_TYPE_RECURSIVE);
+	this->condvar = condvar_create(CONDVAR_TYPE_DEFAULT);
+	timerclear(&this->last_roam);
+	this->routing_table = lib->settings->get_int(lib->settings,
+					"charon.routing_table", ROUTING_TABLE);
+	this->routing_table_prio = lib->settings->get_int(lib->settings,
+					"charon.routing_table_prio", ROUTING_TABLE_PRIO);
+	this->process_route = lib->settings->get_bool(lib->settings,
+					"charon.process_route", TRUE);
+	this->install_virtual_ip = lib->settings->get_bool(lib->settings,
+					"charon.install_virtual_ip", TRUE);
+
+	this->rt_exclude = linked_list_create();
+	exclude = lib->settings->get_str(lib->settings,
+					"charon.ignore_routing_tables", NULL);
+	if (exclude)
+	{
+		char *token;
+		uintptr_t table;
+
+		enumerator = enumerator_create_token(exclude, " ", " ");
+		while (enumerator->enumerate(enumerator, &token))
+		{
+			errno = 0;
+			table = strtoul(token, NULL, 10);
+
+			if (errno == 0)
+			{
+				this->rt_exclude->insert_last(this->rt_exclude, (void*)table);
+			}
+		}
+		enumerator->destroy(enumerator);
+	}
+
+	this->socket = netlink_socket_create(NETLINK_ROUTE);
+	this->job = NULL;
+
+	memset(&addr, 0, sizeof(addr));
+	addr.nl_family = AF_NETLINK;
+
+	/* create and bind RT socket for events (address/interface/route changes) */
+	this->socket_events = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
+	if (this->socket_events < 0)
+	{
+		DBG1(DBG_KNL, "unable to create RT event socket");
+		destroy(this);
+		return NULL;
+	}
+	addr.nl_groups = RTMGRP_IPV4_IFADDR | RTMGRP_IPV6_IFADDR |
+					 RTMGRP_IPV4_ROUTE | RTMGRP_IPV4_ROUTE | RTMGRP_LINK;
+	if (bind(this->socket_events, (struct sockaddr*)&addr, sizeof(addr)))
+	{
+		DBG1(DBG_KNL, "unable to bind RT event socket");
+		destroy(this);
+		return NULL;
+	}
+
+	this->job = callback_job_create((callback_job_cb_t)receive_events,
+									this, NULL, NULL);
+	charon->processor->queue_job(charon->processor, (job_t*)this->job);
+
+	if (init_address_list(this) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "unable to get interface list");
+		destroy(this);
+		return NULL;
+	}
+
+	if (this->routing_table)
+	{
+		if (manage_rule(this, RTM_NEWRULE, AF_INET, this->routing_table,
+						this->routing_table_prio) != SUCCESS)
+		{
+			DBG1(DBG_KNL, "unable to create IPv4 routing table rule");
+		}
+		if (manage_rule(this, RTM_NEWRULE, AF_INET6, this->routing_table,
+						this->routing_table_prio) != SUCCESS)
+		{
+			DBG1(DBG_KNL, "unable to create IPv6 routing table rule");
+		}
+	}
+
+	return &this->public;
+}
diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.h b/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.h
new file mode 100644
index 000000000..ff9831d3c
--- /dev/null
+++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.h
@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup kernel_netlink_net_i kernel_netlink_net
+ * @{ @ingroup kernel_netlink
+ */
+
+#ifndef KERNEL_NETLINK_NET_H_
+#define KERNEL_NETLINK_NET_H_
+
+#include <kernel/kernel_net.h>
+
+typedef struct kernel_netlink_net_t kernel_netlink_net_t;
+
+/**
+ * Implementation of the kernel network interface using Netlink.
+ */
+struct kernel_netlink_net_t {
+
+	/**
+	 * Implements kernel_net_t interface
+	 */
+	kernel_net_t interface;
+};
+
+/**
+ * Create a netlink kernel network interface instance.
+ *
+ * @return			kernel_netlink_net_t instance
+ */
+kernel_netlink_net_t *kernel_netlink_net_create();
+
+#endif /** KERNEL_NETLINK_NET_H_ @}*/
diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_plugin.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_plugin.c
new file mode 100644
index 000000000..4c61265aa
--- /dev/null
+++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_plugin.c
@@ -0,0 +1,59 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+
+#include "kernel_netlink_plugin.h"
+
+#include "kernel_netlink_ipsec.h"
+#include "kernel_netlink_net.h"
+
+#include <daemon.h>
+
+typedef struct private_kernel_netlink_plugin_t private_kernel_netlink_plugin_t;
+
+/**
+ * private data of kernel netlink plugin
+ */
+struct private_kernel_netlink_plugin_t {
+	/**
+	 * implements plugin interface
+	 */
+	kernel_netlink_plugin_t public;
+};
+
+/**
+ * Implementation of plugin_t.destroy
+ */
+static void destroy(private_kernel_netlink_plugin_t *this)
+{
+	charon->kernel_interface->remove_ipsec_interface(charon->kernel_interface, (kernel_ipsec_constructor_t)kernel_netlink_ipsec_create);
+	charon->kernel_interface->remove_net_interface(charon->kernel_interface, (kernel_net_constructor_t)kernel_netlink_net_create);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *kernel_netlink_plugin_create()
+{
+	private_kernel_netlink_plugin_t *this = malloc_thing(private_kernel_netlink_plugin_t);
+
+	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+
+	charon->kernel_interface->add_ipsec_interface(charon->kernel_interface, (kernel_ipsec_constructor_t)kernel_netlink_ipsec_create);
+	charon->kernel_interface->add_net_interface(charon->kernel_interface, (kernel_net_constructor_t)kernel_netlink_net_create);
+
+	return &this->public.plugin;
+}
diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_plugin.h b/src/libcharon/plugins/kernel_netlink/kernel_netlink_plugin.h
new file mode 100644
index 000000000..74c9ae24f
--- /dev/null
+++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup kernel_netlink kernel_netlink
+ * @ingroup cplugins
+ *
+ * @defgroup kernel_netlink_plugin kernel_netlink_plugin
+ * @{ @ingroup kernel_netlink
+ */
+
+#ifndef KERNEL_NETLINK_PLUGIN_H_
+#define KERNEL_NETLINK_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct kernel_netlink_plugin_t kernel_netlink_plugin_t;
+
+/**
+ * netlink kernel interface plugin
+ */
+struct kernel_netlink_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+#endif /** KERNEL_NETLINK_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.c
new file mode 100644
index 000000000..5ed568150
--- /dev/null
+++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.c
@@ -0,0 +1,306 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <sys/socket.h>
+#include <linux/netlink.h>
+#include <linux/rtnetlink.h>
+#include <errno.h>
+#include <unistd.h>
+
+#include "kernel_netlink_shared.h"
+
+#include <daemon.h>
+#include <threading/mutex.h>
+
+typedef struct private_netlink_socket_t private_netlink_socket_t;
+
+/**
+ * Private variables and functions of netlink_socket_t class.
+ */
+struct private_netlink_socket_t {
+	/**
+	 * public part of the netlink_socket_t object.
+	 */
+	netlink_socket_t public;
+
+	/**
+	 * mutex to lock access to netlink socket
+	 */
+	mutex_t *mutex;
+
+	/**
+	 * current sequence number for netlink request
+	 */
+	int seq;
+
+	/**
+	 * netlink socket protocol
+	 */
+	int protocol;
+
+	/**
+	 * netlink socket
+	 */
+	int socket;
+};
+
+/**
+ * Imported from kernel_netlink_ipsec.c
+ */
+extern enum_name_t *xfrm_msg_names;
+
+/**
+ * Implementation of netlink_socket_t.send
+ */
+static status_t netlink_send(private_netlink_socket_t *this, struct nlmsghdr *in,
+			  struct nlmsghdr **out, size_t *out_len)
+{
+	int len, addr_len;
+	struct sockaddr_nl addr;
+	chunk_t result = chunk_empty, tmp;
+	struct nlmsghdr *msg, peek;
+
+	this->mutex->lock(this->mutex);
+
+	in->nlmsg_seq = ++this->seq;
+	in->nlmsg_pid = getpid();
+
+	memset(&addr, 0, sizeof(addr));
+	addr.nl_family = AF_NETLINK;
+	addr.nl_pid = 0;
+	addr.nl_groups = 0;
+
+	if (this->protocol == NETLINK_XFRM)
+	{
+		chunk_t in_chunk = { (u_char*)in, in->nlmsg_len };
+
+		DBG3(DBG_KNL, "sending %N: %B", xfrm_msg_names, in->nlmsg_type, &in_chunk);
+	}
+
+	while (TRUE)
+	{
+		len = sendto(this->socket, in, in->nlmsg_len, 0,
+					 (struct sockaddr*)&addr, sizeof(addr));
+
+		if (len != in->nlmsg_len)
+		{
+			if (errno == EINTR)
+			{
+				/* interrupted, try again */
+				continue;
+			}
+			this->mutex->unlock(this->mutex);
+			DBG1(DBG_KNL, "error sending to netlink socket: %s", strerror(errno));
+			return FAILED;
+		}
+		break;
+	}
+
+	while (TRUE)
+	{
+		char buf[4096];
+		tmp.len = sizeof(buf);
+		tmp.ptr = buf;
+		msg = (struct nlmsghdr*)tmp.ptr;
+
+		memset(&addr, 0, sizeof(addr));
+		addr.nl_family = AF_NETLINK;
+		addr.nl_pid = getpid();
+		addr.nl_groups = 0;
+		addr_len = sizeof(addr);
+
+		len = recvfrom(this->socket, tmp.ptr, tmp.len, 0,
+					   (struct sockaddr*)&addr, &addr_len);
+
+		if (len < 0)
+		{
+			if (errno == EINTR)
+			{
+				DBG1(DBG_KNL, "got interrupted");
+				/* interrupted, try again */
+				continue;
+			}
+			DBG1(DBG_KNL, "error reading from netlink socket: %s", strerror(errno));
+			this->mutex->unlock(this->mutex);
+			free(result.ptr);
+			return FAILED;
+		}
+		if (!NLMSG_OK(msg, len))
+		{
+			DBG1(DBG_KNL, "received corrupted netlink message");
+			this->mutex->unlock(this->mutex);
+			free(result.ptr);
+			return FAILED;
+		}
+		if (msg->nlmsg_seq != this->seq)
+		{
+			DBG1(DBG_KNL, "received invalid netlink sequence number");
+			if (msg->nlmsg_seq < this->seq)
+			{
+				continue;
+			}
+			this->mutex->unlock(this->mutex);
+			free(result.ptr);
+			return FAILED;
+		}
+
+		tmp.len = len;
+		result.ptr = realloc(result.ptr, result.len + tmp.len);
+		memcpy(result.ptr + result.len, tmp.ptr, tmp.len);
+		result.len += tmp.len;
+
+		/* NLM_F_MULTI flag does not seem to be set correctly, we use sequence
+		 * numbers to detect multi header messages */
+		len = recvfrom(this->socket, &peek, sizeof(peek), MSG_PEEK | MSG_DONTWAIT,
+					   (struct sockaddr*)&addr, &addr_len);
+
+		if (len == sizeof(peek) && peek.nlmsg_seq == this->seq)
+		{
+			/* seems to be multipart */
+			continue;
+		}
+		break;
+	}
+
+	*out_len = result.len;
+	*out = (struct nlmsghdr*)result.ptr;
+
+	this->mutex->unlock(this->mutex);
+
+	return SUCCESS;
+}
+
+/**
+ * Implementation of netlink_socket_t.send_ack.
+ */
+static status_t netlink_send_ack(private_netlink_socket_t *this, struct nlmsghdr *in)
+{
+	struct nlmsghdr *out, *hdr;
+	size_t len;
+
+	if (netlink_send(this, in, &out, &len) != SUCCESS)
+	{
+		return FAILED;
+	}
+	hdr = out;
+	while (NLMSG_OK(hdr, len))
+	{
+		switch (hdr->nlmsg_type)
+		{
+			case NLMSG_ERROR:
+			{
+				struct nlmsgerr* err = (struct nlmsgerr*)NLMSG_DATA(hdr);
+
+				if (err->error)
+				{
+					if (-err->error == EEXIST)
+					{	/* do not report existing routes */
+						free(out);
+						return ALREADY_DONE;
+					}
+					DBG1(DBG_KNL, "received netlink error: %s (%d)",
+						 strerror(-err->error), -err->error);
+					free(out);
+					return FAILED;
+				}
+				free(out);
+				return SUCCESS;
+			}
+			default:
+				hdr = NLMSG_NEXT(hdr, len);
+				continue;
+			case NLMSG_DONE:
+				break;
+		}
+		break;
+	}
+	DBG1(DBG_KNL, "netlink request not acknowledged");
+	free(out);
+	return FAILED;
+}
+
+/**
+ * Implementation of netlink_socket_t.destroy.
+ */
+static void destroy(private_netlink_socket_t *this)
+{
+	if (this->socket > 0)
+	{
+		close(this->socket);
+	}
+	this->mutex->destroy(this->mutex);
+	free(this);
+}
+
+/**
+ * Described in header.
+ */
+netlink_socket_t *netlink_socket_create(int protocol)
+{
+	private_netlink_socket_t *this = malloc_thing(private_netlink_socket_t);
+	struct sockaddr_nl addr;
+
+	/* public functions */
+	this->public.send = (status_t(*)(netlink_socket_t*,struct nlmsghdr*, struct nlmsghdr**, size_t*))netlink_send;
+	this->public.send_ack = (status_t(*)(netlink_socket_t*,struct nlmsghdr*))netlink_send_ack;
+	this->public.destroy = (void(*)(netlink_socket_t*))destroy;
+
+	/* private members */
+	this->seq = 200;
+	this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
+
+	memset(&addr, 0, sizeof(addr));
+	addr.nl_family = AF_NETLINK;
+
+	this->protocol = protocol;
+	this->socket = socket(AF_NETLINK, SOCK_RAW, protocol);
+	if (this->socket < 0)
+	{
+		DBG1(DBG_KNL, "unable to create netlink socket");
+		destroy(this);
+		return NULL;
+	}
+
+	addr.nl_groups = 0;
+	if (bind(this->socket, (struct sockaddr*)&addr, sizeof(addr)))
+	{
+		DBG1(DBG_KNL, "unable to bind netlink socket");
+		destroy(this);
+		return NULL;
+	}
+
+	return &this->public;
+}
+
+/**
+ * Described in header.
+ */
+void netlink_add_attribute(struct nlmsghdr *hdr, int rta_type, chunk_t data,
+						  size_t buflen)
+{
+	struct rtattr *rta;
+
+	if (NLMSG_ALIGN(hdr->nlmsg_len) + RTA_ALIGN(data.len) > buflen)
+	{
+		DBG1(DBG_KNL, "unable to add attribute, buffer too small");
+		return;
+	}
+
+	rta = (struct rtattr*)(((char*)hdr) + NLMSG_ALIGN(hdr->nlmsg_len));
+	rta->rta_type = rta_type;
+	rta->rta_len = RTA_LENGTH(data.len);
+	memcpy(RTA_DATA(rta), data.ptr, data.len);
+	hdr->nlmsg_len = NLMSG_ALIGN(hdr->nlmsg_len) + rta->rta_len;
+}
diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.h b/src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.h
new file mode 100644
index 000000000..dfd27a21a
--- /dev/null
+++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.h
@@ -0,0 +1,77 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef KERNEL_NETLINK_SHARED_H_
+#define KERNEL_NETLINK_SHARED_H_
+
+#include <library.h>
+
+#include <linux/rtnetlink.h>
+
+/**
+ * General purpose netlink buffer.
+ *
+ * 1024 byte is currently sufficient for all operations. Some platform
+ * require an enforced aligment to four bytes (e.g. ARM).
+ */
+typedef u_char netlink_buf_t[1024] __attribute__((aligned(RTA_ALIGNTO)));
+
+typedef struct netlink_socket_t netlink_socket_t;
+
+/**
+ * Wrapper around a netlink socket.
+ */
+struct netlink_socket_t {
+
+	/**
+	 * Send a netlink message and wait for a reply.
+	 *
+	 * @param	in		netlink message to send
+	 * @param	out 	received netlink message
+	 * @param	out_len	length of the received message
+	 */
+	status_t (*send)(netlink_socket_t *this, struct nlmsghdr *in, struct nlmsghdr **out, size_t *out_len);
+
+	/**
+	 * Send a netlink message and wait for its acknowledge.
+	 *
+	 * @param	in		netlink message to send
+	 */
+	status_t (*send_ack)(netlink_socket_t *this, struct nlmsghdr *in);
+
+	/**
+	 * Destroy the socket.
+	 */
+	void (*destroy)(netlink_socket_t *this);
+};
+
+/**
+ * Create a netlink_socket_t object.
+ *
+ * @param	protocol	protocol type (e.g. NETLINK_XFRM or NETLINK_ROUTE)
+ */
+netlink_socket_t *netlink_socket_create(int protocol);
+
+/**
+ * Creates an rtattr and adds it to the given netlink message.
+ *
+ * @param	hdr			netlink message
+ * @param	rta_type	type of the rtattr
+ * @param	data		data to add to the rtattr
+ * @param	buflen		length of the netlink message buffer
+ */
+void netlink_add_attribute(struct nlmsghdr *hdr, int rta_type, chunk_t data, size_t buflen);
+
+#endif /* KERNEL_NETLINK_SHARED_H_ */
diff --git a/src/libcharon/plugins/kernel_pfkey/Makefile.am b/src/libcharon/plugins/kernel_pfkey/Makefile.am
new file mode 100644
index 000000000..778a7f9a9
--- /dev/null
+++ b/src/libcharon/plugins/kernel_pfkey/Makefile.am
@@ -0,0 +1,17 @@
+
+INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra -I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-kernel-pfkey.la
+else
+plugin_LTLIBRARIES = libstrongswan-kernel-pfkey.la
+endif
+
+libstrongswan_kernel_pfkey_la_SOURCES = \
+	kernel_pfkey_plugin.h kernel_pfkey_plugin.c \
+	kernel_pfkey_ipsec.h kernel_pfkey_ipsec.c
+
+libstrongswan_kernel_pfkey_la_LDFLAGS = -module -avoid-version
diff --git a/src/libcharon/plugins/kernel_pfkey/Makefile.in b/src/libcharon/plugins/kernel_pfkey/Makefile.in
new file mode 100644
index 000000000..2b028ba71
--- /dev/null
+++ b/src/libcharon/plugins/kernel_pfkey/Makefile.in
@@ -0,0 +1,590 @@
+# Makefile.in generated by automake 1.11 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libcharon/plugins/kernel_pfkey
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_kernel_pfkey_la_LIBADD =
+am_libstrongswan_kernel_pfkey_la_OBJECTS = kernel_pfkey_plugin.lo \
+	kernel_pfkey_ipsec.lo
+libstrongswan_kernel_pfkey_la_OBJECTS =  \
+	$(am_libstrongswan_kernel_pfkey_la_OBJECTS)
+libstrongswan_kernel_pfkey_la_LINK = $(LIBTOOL) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_kernel_pfkey_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_kernel_pfkey_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_kernel_pfkey_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_kernel_pfkey_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_kernel_pfkey_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libhydra_plugins = @libhydra_plugins@
+libstrongswan_plugins = @libstrongswan_plugins@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra -I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-kernel-pfkey.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-kernel-pfkey.la
+libstrongswan_kernel_pfkey_la_SOURCES = \
+	kernel_pfkey_plugin.h kernel_pfkey_plugin.c \
+	kernel_pfkey_ipsec.h kernel_pfkey_ipsec.c
+
+libstrongswan_kernel_pfkey_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/kernel_pfkey/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libcharon/plugins/kernel_pfkey/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-kernel-pfkey.la: $(libstrongswan_kernel_pfkey_la_OBJECTS) $(libstrongswan_kernel_pfkey_la_DEPENDENCIES) 
+	$(libstrongswan_kernel_pfkey_la_LINK) $(am_libstrongswan_kernel_pfkey_la_rpath) $(libstrongswan_kernel_pfkey_la_OBJECTS) $(libstrongswan_kernel_pfkey_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_pfkey_ipsec.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_pfkey_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
new file mode 100644
index 000000000..8a7883c8a
--- /dev/null
+++ b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
@@ -0,0 +1,2175 @@
+/*
+ * Copyright (C) 2008-2009 Tobias Brunner
+ * Copyright (C) 2008 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <sys/types.h>
+#include <sys/socket.h>
+
+#ifdef __FreeBSD__
+#include <limits.h> /* for LONG_MAX */
+#endif
+
+#ifdef HAVE_NET_PFKEYV2_H
+#include <net/pfkeyv2.h>
+#else
+#include <stdint.h>
+#include <linux/pfkeyv2.h>
+#endif
+
+#ifdef SADB_X_EXT_NAT_T_TYPE
+#define HAVE_NATT
+#endif
+
+#ifdef HAVE_NETIPSEC_IPSEC_H
+#include <netipsec/ipsec.h>
+#elif defined(HAVE_NETINET6_IPSEC_H)
+#include <netinet6/ipsec.h>
+#else
+#include <linux/ipsec.h>
+#endif
+
+#ifdef HAVE_NATT
+#ifdef HAVE_LINUX_UDP_H
+#include <linux/udp.h>
+#else
+#include <netinet/udp.h>
+#endif /*HAVE_LINUX_UDP_H*/
+#endif /*HAVE_NATT*/
+
+#include <unistd.h>
+#include <time.h>
+#include <errno.h>
+
+#include "kernel_pfkey_ipsec.h"
+
+#include <daemon.h>
+#include <utils/host.h>
+#include <threading/thread.h>
+#include <threading/mutex.h>
+#include <processing/jobs/callback_job.h>
+#include <processing/jobs/acquire_job.h>
+#include <processing/jobs/migrate_job.h>
+#include <processing/jobs/rekey_child_sa_job.h>
+#include <processing/jobs/delete_child_sa_job.h>
+#include <processing/jobs/update_sa_job.h>
+
+/** non linux specific */
+#ifndef IPPROTO_COMP
+#define IPPROTO_COMP IPPROTO_IPCOMP
+#endif
+
+#ifndef SADB_X_AALG_SHA2_256HMAC
+#define SADB_X_AALG_SHA2_256HMAC SADB_X_AALG_SHA2_256
+#define SADB_X_AALG_SHA2_384HMAC SADB_X_AALG_SHA2_384
+#define SADB_X_AALG_SHA2_512HMAC SADB_X_AALG_SHA2_512
+#endif
+
+#ifndef SADB_X_EALG_AESCBC
+#define SADB_X_EALG_AESCBC SADB_X_EALG_AES
+#endif
+
+#ifndef SADB_X_EALG_CASTCBC
+#define SADB_X_EALG_CASTCBC SADB_X_EALG_CAST128CBC
+#endif
+
+#ifndef SOL_IP
+#define SOL_IP IPPROTO_IP
+#define SOL_IPV6 IPPROTO_IPV6
+#endif
+
+/** from linux/in.h */
+#ifndef IP_IPSEC_POLICY
+#define IP_IPSEC_POLICY 16
+#endif
+
+/** missing on uclibc */
+#ifndef IPV6_IPSEC_POLICY
+#define IPV6_IPSEC_POLICY 34
+#endif
+
+/** default priority of installed policies */
+#define PRIO_LOW 3000
+#define PRIO_HIGH 2000
+
+#ifdef __APPLE__
+/** from xnu/bsd/net/pfkeyv2.h */
+#define SADB_X_EXT_NATT 0x002
+	struct sadb_sa_2 {
+		struct sadb_sa	sa;
+		u_int16_t		sadb_sa_natt_port;
+		u_int16_t		sadb_reserved0;
+		u_int32_t		sadb_reserved1;
+	};
+#endif
+
+/** buffer size for PF_KEY messages */
+#define PFKEY_BUFFER_SIZE 4096
+
+/** PF_KEY messages are 64 bit aligned */
+#define PFKEY_ALIGNMENT 8
+/** aligns len to 64 bits */
+#define PFKEY_ALIGN(len) (((len) + PFKEY_ALIGNMENT - 1) & ~(PFKEY_ALIGNMENT - 1))
+/** calculates the properly padded length in 64 bit chunks */
+#define PFKEY_LEN(len) ((PFKEY_ALIGN(len) / PFKEY_ALIGNMENT))
+/** calculates user mode length i.e. in bytes */
+#define PFKEY_USER_LEN(len) ((len) * PFKEY_ALIGNMENT)
+
+/** given a PF_KEY message header and an extension this updates the length in the header */
+#define PFKEY_EXT_ADD(msg, ext) ((msg)->sadb_msg_len += ((struct sadb_ext*)ext)->sadb_ext_len)
+/** given a PF_KEY message header this returns a pointer to the next extension */
+#define PFKEY_EXT_ADD_NEXT(msg) ((struct sadb_ext*)(((char*)(msg)) + PFKEY_USER_LEN((msg)->sadb_msg_len)))
+/** copy an extension and append it to a PF_KEY message */
+#define PFKEY_EXT_COPY(msg, ext) (PFKEY_EXT_ADD(msg, memcpy(PFKEY_EXT_ADD_NEXT(msg), ext, PFKEY_USER_LEN(((struct sadb_ext*)ext)->sadb_ext_len))))
+/** given a PF_KEY extension this returns a pointer to the next extension */
+#define PFKEY_EXT_NEXT(ext) ((struct sadb_ext*)(((char*)(ext)) + PFKEY_USER_LEN(((struct sadb_ext*)ext)->sadb_ext_len)))
+/** given a PF_KEY extension this returns a pointer to the next extension also updates len (len in 64 bit words) */
+#define PFKEY_EXT_NEXT_LEN(ext,len) ((len) -= (ext)->sadb_ext_len, PFKEY_EXT_NEXT(ext))
+/** true if ext has a valid length and len is large enough to contain ext (assuming len in 64 bit words) */
+#define PFKEY_EXT_OK(ext,len) ((len) >= PFKEY_LEN(sizeof(struct sadb_ext)) && \
+				(ext)->sadb_ext_len >= PFKEY_LEN(sizeof(struct sadb_ext)) && \
+				(ext)->sadb_ext_len <= (len))
+
+typedef struct private_kernel_pfkey_ipsec_t private_kernel_pfkey_ipsec_t;
+
+/**
+ * Private variables and functions of kernel_pfkey class.
+ */
+struct private_kernel_pfkey_ipsec_t
+{
+	/**
+	 * Public part of the kernel_pfkey_t object.
+	 */
+	kernel_pfkey_ipsec_t public;
+
+	/**
+	 * mutex to lock access to various lists
+	 */
+	mutex_t *mutex;
+
+	/**
+	 * List of installed policies (policy_entry_t)
+	 */
+	linked_list_t *policies;
+
+	/**
+	 * whether to install routes along policies
+	 */
+	bool install_routes;
+
+	/**
+	 * job receiving PF_KEY events
+	 */
+	callback_job_t *job;
+
+	/**
+	 * mutex to lock access to the PF_KEY socket
+	 */
+	mutex_t *mutex_pfkey;
+
+	/**
+	 * PF_KEY socket to communicate with the kernel
+	 */
+	int socket;
+
+	/**
+	 * PF_KEY socket to receive acquire and expire events
+	 */
+	int socket_events;
+
+	/**
+	 * sequence number for messages sent to the kernel
+	 */
+	int seq;
+};
+
+typedef struct route_entry_t route_entry_t;
+
+/**
+ * installed routing entry
+ */
+struct route_entry_t {
+	/** Name of the interface the route is bound to */
+	char *if_name;
+
+	/** Source ip of the route */
+	host_t *src_ip;
+
+	/** gateway for this route */
+	host_t *gateway;
+
+	/** Destination net */
+	chunk_t dst_net;
+
+	/** Destination net prefixlen */
+	u_int8_t prefixlen;
+};
+
+/**
+ * destroy an route_entry_t object
+ */
+static void route_entry_destroy(route_entry_t *this)
+{
+	free(this->if_name);
+	DESTROY_IF(this->src_ip);
+	DESTROY_IF(this->gateway);
+	chunk_free(&this->dst_net);
+	free(this);
+}
+
+typedef struct policy_entry_t policy_entry_t;
+
+/**
+ * installed kernel policy.
+ */
+struct policy_entry_t {
+
+	/** reqid of this policy */
+	u_int32_t reqid;
+
+	/** index assigned by the kernel */
+	u_int32_t index;
+
+	/** direction of this policy: in, out, forward */
+	u_int8_t direction;
+
+	/** parameters of installed policy */
+	struct {
+		/** subnet and port */
+		host_t *net;
+		/** subnet mask */
+		u_int8_t mask;
+		/** protocol */
+		u_int8_t proto;
+	} src, dst;
+
+	/** associated route installed for this policy */
+	route_entry_t *route;
+
+	/** by how many CHILD_SA's this policy is used */
+	u_int refcount;
+};
+
+/**
+ * create a policy_entry_t object
+ */
+static policy_entry_t *create_policy_entry(traffic_selector_t *src_ts,
+		traffic_selector_t *dst_ts, policy_dir_t dir, u_int32_t reqid)
+{
+	policy_entry_t *policy = malloc_thing(policy_entry_t);
+	policy->reqid = reqid;
+	policy->index = 0;
+	policy->direction = dir;
+	policy->route = NULL;
+	policy->refcount = 0;
+
+	src_ts->to_subnet(src_ts, &policy->src.net, &policy->src.mask);
+	dst_ts->to_subnet(dst_ts, &policy->dst.net, &policy->dst.mask);
+
+	/* src or dest proto may be "any" (0), use more restrictive one */
+	policy->src.proto = max(src_ts->get_protocol(src_ts), dst_ts->get_protocol(dst_ts));
+	policy->src.proto = policy->src.proto ? policy->src.proto : IPSEC_PROTO_ANY;
+	policy->dst.proto = policy->src.proto;
+
+	return policy;
+}
+
+/**
+ * destroy a policy_entry_t object
+ */
+static void policy_entry_destroy(policy_entry_t *this)
+{
+	DESTROY_IF(this->src.net);
+	DESTROY_IF(this->dst.net);
+	if (this->route)
+	{
+		route_entry_destroy(this->route);
+	}
+	free(this);
+}
+
+/**
+ * compares two policy_entry_t
+ */
+static inline bool policy_entry_equals(policy_entry_t *current, policy_entry_t *policy)
+{
+	return current->direction == policy->direction &&
+		   current->src.proto == policy->src.proto &&
+		   current->dst.proto == policy->dst.proto &&
+		   current->src.mask == policy->src.mask &&
+		   current->dst.mask == policy->dst.mask &&
+		   current->src.net->equals(current->src.net, policy->src.net) &&
+		   current->dst.net->equals(current->dst.net, policy->dst.net);
+}
+
+/**
+ * compare the given kernel index with that of a policy
+ */
+static inline bool policy_entry_match_byindex(policy_entry_t *current, u_int32_t *index)
+{
+	return current->index == *index;
+}
+
+typedef struct pfkey_msg_t pfkey_msg_t;
+
+struct pfkey_msg_t
+{
+	/**
+	 * PF_KEY message base
+	 */
+	struct sadb_msg *msg;
+
+	/**
+	 * PF_KEY message extensions
+	 */
+	union {
+		struct sadb_ext *ext[SADB_EXT_MAX + 1];
+		struct {
+			struct sadb_ext *reserved;				/* SADB_EXT_RESERVED */
+			struct sadb_sa *sa;						/* SADB_EXT_SA */
+			struct sadb_lifetime *lft_current;		/* SADB_EXT_LIFETIME_CURRENT */
+			struct sadb_lifetime *lft_hard;			/* SADB_EXT_LIFETIME_HARD */
+			struct sadb_lifetime *lft_soft;			/* SADB_EXT_LIFETIME_SOFT */
+			struct sadb_address *src;				/* SADB_EXT_ADDRESS_SRC */
+			struct sadb_address *dst;				/* SADB_EXT_ADDRESS_DST */
+			struct sadb_address *proxy;				/* SADB_EXT_ADDRESS_PROXY */
+			struct sadb_key *key_auth;				/* SADB_EXT_KEY_AUTH */
+			struct sadb_key *key_encr;				/* SADB_EXT_KEY_ENCRYPT */
+			struct sadb_ident *id_src;				/* SADB_EXT_IDENTITY_SRC */
+			struct sadb_ident *id_dst;				/* SADB_EXT_IDENTITY_DST */
+			struct sadb_sens *sensitivity;			/* SADB_EXT_SENSITIVITY */
+			struct sadb_prop *proposal;				/* SADB_EXT_PROPOSAL */
+			struct sadb_supported *supported_auth;	/* SADB_EXT_SUPPORTED_AUTH */
+			struct sadb_supported *supported_encr;	/* SADB_EXT_SUPPORTED_ENCRYPT */
+			struct sadb_spirange *spirange;			/* SADB_EXT_SPIRANGE */
+			struct sadb_x_kmprivate *x_kmprivate;	/* SADB_X_EXT_KMPRIVATE */
+			struct sadb_x_policy *x_policy;			/* SADB_X_EXT_POLICY */
+			struct sadb_x_sa2 *x_sa2;				/* SADB_X_EXT_SA2 */
+			struct sadb_x_nat_t_type *x_natt_type;	/* SADB_X_EXT_NAT_T_TYPE */
+			struct sadb_x_nat_t_port *x_natt_sport;	/* SADB_X_EXT_NAT_T_SPORT */
+			struct sadb_x_nat_t_port *x_natt_dport;	/* SADB_X_EXT_NAT_T_DPORT */
+			struct sadb_address *x_natt_oa;			/* SADB_X_EXT_NAT_T_OA */
+			struct sadb_x_sec_ctx *x_sec_ctx;		/* SADB_X_EXT_SEC_CTX */
+			struct sadb_x_kmaddress *x_kmaddress;	/* SADB_X_EXT_KMADDRESS */
+		} __attribute__((__packed__));
+	};
+};
+
+ENUM(sadb_ext_type_names, SADB_EXT_RESERVED, SADB_EXT_MAX,
+	"SADB_EXT_RESERVED",
+	"SADB_EXT_SA",
+	"SADB_EXT_LIFETIME_CURRENT",
+	"SADB_EXT_LIFETIME_HARD",
+	"SADB_EXT_LIFETIME_SOFT",
+	"SADB_EXT_ADDRESS_SRC",
+	"SADB_EXT_ADDRESS_DST",
+	"SADB_EXT_ADDRESS_PROXY",
+	"SADB_EXT_KEY_AUTH",
+	"SADB_EXT_KEY_ENCRYPT",
+	"SADB_EXT_IDENTITY_SRC",
+	"SADB_EXT_IDENTITY_DST",
+	"SADB_EXT_SENSITIVITY",
+	"SADB_EXT_PROPOSAL",
+	"SADB_EXT_SUPPORTED_AUTH",
+	"SADB_EXT_SUPPORTED_ENCRYPT",
+	"SADB_EXT_SPIRANGE",
+	"SADB_X_EXT_KMPRIVATE",
+	"SADB_X_EXT_POLICY",
+	"SADB_X_EXT_SA2",
+	"SADB_X_EXT_NAT_T_TYPE",
+	"SADB_X_EXT_NAT_T_SPORT",
+	"SADB_X_EXT_NAT_T_DPORT",
+	"SADB_X_EXT_NAT_T_OA",
+	"SADB_X_EXT_SEC_CTX",
+	"SADB_X_EXT_KMADDRESS"
+);
+
+/**
+ * convert a IKEv2 specific protocol identifier to the PF_KEY sa type
+ */
+static u_int8_t proto_ike2satype(protocol_id_t proto)
+{
+	switch (proto)
+	{
+		case PROTO_ESP:
+			return SADB_SATYPE_ESP;
+		case PROTO_AH:
+			return SADB_SATYPE_AH;
+		case IPPROTO_COMP:
+			return SADB_X_SATYPE_IPCOMP;
+		default:
+			return proto;
+	}
+}
+
+/**
+ * convert a PF_KEY sa type to a IKEv2 specific protocol identifier
+ */
+static protocol_id_t proto_satype2ike(u_int8_t proto)
+{
+	switch (proto)
+	{
+		case SADB_SATYPE_ESP:
+			return PROTO_ESP;
+		case SADB_SATYPE_AH:
+			return PROTO_AH;
+		case SADB_X_SATYPE_IPCOMP:
+			return IPPROTO_COMP;
+		default:
+			return proto;
+	}
+}
+
+/**
+ * convert a IKEv2 specific protocol identifier to the IP protocol identifier
+ */
+static u_int8_t proto_ike2ip(protocol_id_t proto)
+{
+	switch (proto)
+	{
+		case PROTO_ESP:
+			return IPPROTO_ESP;
+		case PROTO_AH:
+			return IPPROTO_AH;
+		default:
+			return proto;
+	}
+}
+
+/**
+ * convert the general ipsec mode to the one defined in ipsec.h
+ */
+static u_int8_t mode2kernel(ipsec_mode_t mode)
+{
+	switch (mode)
+	{
+		case MODE_TRANSPORT:
+			return IPSEC_MODE_TRANSPORT;
+		case MODE_TUNNEL:
+			return IPSEC_MODE_TUNNEL;
+#ifdef HAVE_IPSEC_MODE_BEET
+		case MODE_BEET:
+			return IPSEC_MODE_BEET;
+#endif
+		default:
+			return mode;
+	}
+}
+
+/**
+ * convert the general policy direction to the one defined in ipsec.h
+ */
+static u_int8_t dir2kernel(policy_dir_t dir)
+{
+	switch (dir)
+	{
+		case POLICY_IN:
+			return IPSEC_DIR_INBOUND;
+		case POLICY_OUT:
+			return IPSEC_DIR_OUTBOUND;
+#ifdef HAVE_IPSEC_DIR_FWD
+		case POLICY_FWD:
+			return IPSEC_DIR_FWD;
+#endif
+		default:
+			return IPSEC_DIR_INVALID;
+	}
+}
+
+#ifdef SADB_X_MIGRATE
+/**
+ * convert the policy direction in ipsec.h to the general one.
+ */
+static policy_dir_t kernel2dir(u_int8_t  dir)
+{
+	switch (dir)
+	{
+		case IPSEC_DIR_INBOUND:
+			return POLICY_IN;
+		case IPSEC_DIR_OUTBOUND:
+			return POLICY_OUT;
+#ifdef HAVE_IPSEC_DIR_FWD
+		case IPSEC_DIR_FWD:
+			return POLICY_FWD;
+#endif
+		default:
+			return dir;
+	}
+}
+#endif /*SADB_X_MIGRATE*/
+
+typedef struct kernel_algorithm_t kernel_algorithm_t;
+
+/**
+ * Mapping of IKEv2 algorithms to PF_KEY algorithms
+ */
+struct kernel_algorithm_t {
+	/**
+	 * Identifier specified in IKEv2
+	 */
+	int ikev2;
+
+	/**
+	 * Identifier as defined in pfkeyv2.h
+	 */
+	int kernel;
+};
+
+#define END_OF_LIST -1
+
+/**
+ * Algorithms for encryption
+ */
+static kernel_algorithm_t encryption_algs[] = {
+/*	{ENCR_DES_IV64,				0							}, */
+	{ENCR_DES,					SADB_EALG_DESCBC			},
+	{ENCR_3DES,					SADB_EALG_3DESCBC			},
+/*	{ENCR_RC5,					0							}, */
+/*	{ENCR_IDEA,					0							}, */
+	{ENCR_CAST,					SADB_X_EALG_CASTCBC			},
+	{ENCR_BLOWFISH,				SADB_X_EALG_BLOWFISHCBC		},
+/*	{ENCR_3IDEA,				0							}, */
+/*	{ENCR_DES_IV32,				0							}, */
+	{ENCR_NULL,					SADB_EALG_NULL				},
+	{ENCR_AES_CBC,				SADB_X_EALG_AESCBC			},
+/*	{ENCR_AES_CTR,				SADB_X_EALG_AESCTR			}, */
+/*  {ENCR_AES_CCM_ICV8,			SADB_X_EALG_AES_CCM_ICV8	}, */
+/*	{ENCR_AES_CCM_ICV12,		SADB_X_EALG_AES_CCM_ICV12	}, */
+/*	{ENCR_AES_CCM_ICV16,		SADB_X_EALG_AES_CCM_ICV16	}, */
+/*	{ENCR_AES_GCM_ICV8,			SADB_X_EALG_AES_GCM_ICV8	}, */
+/*	{ENCR_AES_GCM_ICV12,		SADB_X_EALG_AES_GCM_ICV12	}, */
+/*	{ENCR_AES_GCM_ICV16,		SADB_X_EALG_AES_GCM_ICV16	}, */
+	{END_OF_LIST,				0							},
+};
+
+/**
+ * Algorithms for integrity protection
+ */
+static kernel_algorithm_t integrity_algs[] = {
+	{AUTH_HMAC_MD5_96,			SADB_AALG_MD5HMAC			},
+	{AUTH_HMAC_SHA1_96,			SADB_AALG_SHA1HMAC			},
+	{AUTH_HMAC_SHA2_256_128,	SADB_X_AALG_SHA2_256HMAC	},
+	{AUTH_HMAC_SHA2_384_192,	SADB_X_AALG_SHA2_384HMAC	},
+	{AUTH_HMAC_SHA2_512_256,	SADB_X_AALG_SHA2_512HMAC	},
+/*	{AUTH_DES_MAC,				0,							}, */
+/*	{AUTH_KPDK_MD5,				0,							}, */
+#ifdef SADB_X_AALG_AES_XCBC_MAC
+	{AUTH_AES_XCBC_96,			SADB_X_AALG_AES_XCBC_MAC,	},
+#endif
+	{END_OF_LIST,				0,							},
+};
+
+#if 0
+/**
+ * Algorithms for IPComp, unused yet
+ */
+static kernel_algorithm_t compression_algs[] = {
+/*	{IPCOMP_OUI,				0							}, */
+	{IPCOMP_DEFLATE,			SADB_X_CALG_DEFLATE			},
+	{IPCOMP_LZS,				SADB_X_CALG_LZS				},
+	{IPCOMP_LZJH,				SADB_X_CALG_LZJH			},
+	{END_OF_LIST,				0							},
+};
+#endif
+
+/**
+ * Look up a kernel algorithm ID and its key size
+ */
+static int lookup_algorithm(kernel_algorithm_t *list, int ikev2)
+{
+	while (list->ikev2 != END_OF_LIST)
+	{
+		if (ikev2 == list->ikev2)
+		{
+			return list->kernel;
+		}
+		list++;
+	}
+	return 0;
+}
+
+/**
+ * add a host behind a sadb_address extension
+ */
+static void host2ext(host_t *host, struct sadb_address *ext)
+{
+	sockaddr_t *host_addr = host->get_sockaddr(host);
+	socklen_t *len = host->get_sockaddr_len(host);
+#ifdef HAVE_STRUCT_SOCKADDR_SA_LEN
+	host_addr->sa_len = *len;
+#endif
+	memcpy((char*)(ext + 1), host_addr, *len);
+	ext->sadb_address_len = PFKEY_LEN(sizeof(*ext) + *len);
+}
+
+/**
+ * add a host to the given sadb_msg
+ */
+static void add_addr_ext(struct sadb_msg *msg, host_t *host, u_int16_t type,
+						 u_int8_t proto, u_int8_t prefixlen)
+{
+	struct sadb_address *addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
+	addr->sadb_address_exttype = type;
+	addr->sadb_address_proto = proto;
+	addr->sadb_address_prefixlen = prefixlen;
+	host2ext(host, addr);
+	PFKEY_EXT_ADD(msg, addr);
+}
+
+/**
+ * adds an empty address extension to the given sadb_msg
+ */
+static void add_anyaddr_ext(struct sadb_msg *msg, int family, u_int8_t type)
+{
+	socklen_t len = (family == AF_INET) ? sizeof(struct sockaddr_in) :
+										  sizeof(struct sockaddr_in6);
+	struct sadb_address *addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
+	addr->sadb_address_exttype = type;
+	sockaddr_t *saddr = (sockaddr_t*)(addr + 1);
+	saddr->sa_family = family;
+#ifdef HAVE_STRUCT_SOCKADDR_SA_LEN
+	saddr->sa_len = len;
+#endif
+	addr->sadb_address_len = PFKEY_LEN(sizeof(*addr) + len);
+	PFKEY_EXT_ADD(msg, addr);
+}
+
+#ifdef HAVE_NATT
+/**
+ * add udp encap extensions to a sadb_msg
+ */
+static void add_encap_ext(struct sadb_msg *msg, host_t *src, host_t *dst)
+{
+	struct sadb_x_nat_t_type* nat_type;
+	struct sadb_x_nat_t_port* nat_port;
+
+	nat_type = (struct sadb_x_nat_t_type*)PFKEY_EXT_ADD_NEXT(msg);
+	nat_type->sadb_x_nat_t_type_exttype = SADB_X_EXT_NAT_T_TYPE;
+	nat_type->sadb_x_nat_t_type_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_type));
+	nat_type->sadb_x_nat_t_type_type = UDP_ENCAP_ESPINUDP;
+	PFKEY_EXT_ADD(msg, nat_type);
+
+	nat_port = (struct sadb_x_nat_t_port*)PFKEY_EXT_ADD_NEXT(msg);
+	nat_port->sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_SPORT;
+	nat_port->sadb_x_nat_t_port_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_port));
+	nat_port->sadb_x_nat_t_port_port = htons(src->get_port(src));
+	PFKEY_EXT_ADD(msg, nat_port);
+
+	nat_port = (struct sadb_x_nat_t_port*)PFKEY_EXT_ADD_NEXT(msg);
+	nat_port->sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_DPORT;
+	nat_port->sadb_x_nat_t_port_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_port));
+	nat_port->sadb_x_nat_t_port_port = htons(dst->get_port(dst));
+	PFKEY_EXT_ADD(msg, nat_port);
+}
+#endif /*HAVE_NATT*/
+
+/**
+ * Convert a sadb_address to a traffic_selector
+ */
+static traffic_selector_t* sadb_address2ts(struct sadb_address *address)
+{
+	traffic_selector_t *ts;
+	host_t *host;
+
+	/* The Linux 2.6 kernel does not set the protocol and port information
+	 * in the src and dst sadb_address extensions of the SADB_ACQUIRE message.
+	 */
+	host = host_create_from_sockaddr((sockaddr_t*)&address[1])	;
+	ts = traffic_selector_create_from_subnet(host, address->sadb_address_prefixlen,
+				address->sadb_address_proto, host->get_port(host));
+	return ts;
+}
+
+/**
+ * Parses a pfkey message received from the kernel
+ */
+static status_t parse_pfkey_message(struct sadb_msg *msg, pfkey_msg_t *out)
+{
+	struct sadb_ext* ext;
+	size_t len;
+
+	memset(out, 0, sizeof(pfkey_msg_t));
+	out->msg = msg;
+
+	len = msg->sadb_msg_len;
+	len -= PFKEY_LEN(sizeof(struct sadb_msg));
+
+	ext = (struct sadb_ext*)(((char*)msg) + sizeof(struct sadb_msg));
+
+	while (len >= PFKEY_LEN(sizeof(struct sadb_ext)))
+	{
+		DBG3(DBG_KNL, "  %N", sadb_ext_type_names, ext->sadb_ext_type);
+		if (ext->sadb_ext_len < PFKEY_LEN(sizeof(struct sadb_ext)) ||
+			ext->sadb_ext_len > len)
+		{
+			DBG1(DBG_KNL, "length of %N extension is invalid",
+						   sadb_ext_type_names, ext->sadb_ext_type);
+			break;
+		}
+
+		if ((ext->sadb_ext_type > SADB_EXT_MAX) || (!ext->sadb_ext_type))
+		{
+			DBG1(DBG_KNL, "type of PF_KEY extension (%d) is invalid", ext->sadb_ext_type);
+			break;
+		}
+
+		if (out->ext[ext->sadb_ext_type])
+		{
+			DBG1(DBG_KNL, "duplicate %N extension",
+						   sadb_ext_type_names, ext->sadb_ext_type);
+			break;
+		}
+
+		out->ext[ext->sadb_ext_type] = ext;
+		ext = PFKEY_EXT_NEXT_LEN(ext, len);
+	}
+
+	if (len)
+	{
+		DBG1(DBG_KNL, "PF_KEY message length is invalid");
+		return FAILED;
+	}
+
+	return SUCCESS;
+}
+
+/**
+ * Send a message to a specific PF_KEY socket and handle the response.
+ */
+static status_t pfkey_send_socket(private_kernel_pfkey_ipsec_t *this, int socket,
+					struct sadb_msg *in, struct sadb_msg **out, size_t *out_len)
+{
+	unsigned char buf[PFKEY_BUFFER_SIZE];
+	struct sadb_msg *msg;
+	int in_len, len;
+
+	this->mutex_pfkey->lock(this->mutex_pfkey);
+
+	/* FIXME: our usage of sequence numbers is probably wrong. check RFC 2367,
+	 * in particular the behavior in response to an SADB_ACQUIRE. */
+	in->sadb_msg_seq = ++this->seq;
+	in->sadb_msg_pid = getpid();
+
+	in_len = PFKEY_USER_LEN(in->sadb_msg_len);
+
+	while (TRUE)
+	{
+		len = send(socket, in, in_len, 0);
+
+		if (len != in_len)
+		{
+			if (errno == EINTR)
+			{
+				/* interrupted, try again */
+				continue;
+			}
+			this->mutex_pfkey->unlock(this->mutex_pfkey);
+			DBG1(DBG_KNL, "error sending to PF_KEY socket: %s", strerror(errno));
+			return FAILED;
+		}
+		break;
+	}
+
+	while (TRUE)
+	{
+		msg = (struct sadb_msg*)buf;
+
+		len = recv(socket, buf, sizeof(buf), 0);
+
+		if (len < 0)
+		{
+			if (errno == EINTR)
+			{
+				DBG1(DBG_KNL, "got interrupted");
+				/* interrupted, try again */
+				continue;
+			}
+			DBG1(DBG_KNL, "error reading from PF_KEY socket: %s", strerror(errno));
+			this->mutex_pfkey->unlock(this->mutex_pfkey);
+			return FAILED;
+		}
+		if (len < sizeof(struct sadb_msg) ||
+			msg->sadb_msg_len < PFKEY_LEN(sizeof(struct sadb_msg)))
+		{
+			DBG1(DBG_KNL, "received corrupted PF_KEY message");
+			this->mutex_pfkey->unlock(this->mutex_pfkey);
+			return FAILED;
+		}
+		if (msg->sadb_msg_len > len / PFKEY_ALIGNMENT)
+		{
+			DBG1(DBG_KNL, "buffer was too small to receive the complete PF_KEY message");
+			this->mutex_pfkey->unlock(this->mutex_pfkey);
+			return FAILED;
+		}
+		if (msg->sadb_msg_pid != in->sadb_msg_pid)
+		{
+			DBG2(DBG_KNL, "received PF_KEY message is not intended for us");
+			continue;
+		}
+		if (msg->sadb_msg_seq != this->seq)
+		{
+			DBG1(DBG_KNL, "received PF_KEY message with unexpected sequence "
+				 "number, was %d expected %d", msg->sadb_msg_seq, this->seq);
+			if (msg->sadb_msg_seq == 0)
+			{
+				/* FreeBSD and Mac OS X do this for the response to
+				 * SADB_X_SPDGET (but not for the response to SADB_GET).
+				 * FreeBSD: 'key_spdget' in /usr/src/sys/netipsec/key.c. */
+			}
+			else if (msg->sadb_msg_seq < this->seq)
+			{
+				continue;
+			}
+			else
+			{
+				this->mutex_pfkey->unlock(this->mutex_pfkey);
+				return FAILED;
+			}
+		}
+		if (msg->sadb_msg_type != in->sadb_msg_type)
+		{
+			DBG2(DBG_KNL, "received PF_KEY message of wrong type, "
+					"was %d expected %d, ignoring",
+					msg->sadb_msg_type, in->sadb_msg_type);
+		}
+		break;
+	}
+
+	*out_len = len;
+	*out = (struct sadb_msg*)malloc(len);
+	memcpy(*out, buf, len);
+
+	this->mutex_pfkey->unlock(this->mutex_pfkey);
+
+	return SUCCESS;
+}
+
+/**
+ * Send a message to the default PF_KEY socket and handle the response.
+ */
+static status_t pfkey_send(private_kernel_pfkey_ipsec_t *this,
+					struct sadb_msg *in, struct sadb_msg **out, size_t *out_len)
+{
+	return pfkey_send_socket(this, this->socket, in, out, out_len);
+}
+
+/**
+ * Process a SADB_ACQUIRE message from the kernel
+ */
+static void process_acquire(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg)
+{
+	pfkey_msg_t response;
+	u_int32_t index, reqid = 0;
+	traffic_selector_t *src_ts, *dst_ts;
+	policy_entry_t *policy;
+	job_t *job;
+
+	switch (msg->sadb_msg_satype)
+	{
+		case SADB_SATYPE_UNSPEC:
+		case SADB_SATYPE_ESP:
+		case SADB_SATYPE_AH:
+			break;
+		default:
+			/* acquire for AH/ESP only */
+			return;
+	}
+	DBG2(DBG_KNL, "received an SADB_ACQUIRE");
+
+	if (parse_pfkey_message(msg, &response) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "parsing SADB_ACQUIRE from kernel failed");
+		return;
+	}
+
+	index = response.x_policy->sadb_x_policy_id;
+	this->mutex->lock(this->mutex);
+	if (this->policies->find_first(this->policies,
+			(linked_list_match_t)policy_entry_match_byindex, (void**)&policy, &index) == SUCCESS)
+	{
+		reqid = policy->reqid;
+	}
+	else
+	{
+		DBG1(DBG_KNL, "received an SADB_ACQUIRE with policy id %d but no matching policy found",
+					   index);
+	}
+	src_ts = sadb_address2ts(response.src);
+	dst_ts = sadb_address2ts(response.dst);
+	this->mutex->unlock(this->mutex);
+
+	DBG1(DBG_KNL, "creating acquire job for policy %R === %R with reqid {%u}",
+				   src_ts, dst_ts, reqid);
+	job = (job_t*)acquire_job_create(reqid, src_ts, dst_ts);
+	charon->processor->queue_job(charon->processor, job);
+}
+
+/**
+ * Process a SADB_EXPIRE message from the kernel
+ */
+static void process_expire(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg)
+{
+	pfkey_msg_t response;
+	protocol_id_t protocol;
+	u_int32_t spi, reqid;
+	bool hard;
+	job_t *job;
+
+	DBG2(DBG_KNL, "received an SADB_EXPIRE");
+
+	if (parse_pfkey_message(msg, &response) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "parsing SADB_EXPIRE from kernel failed");
+		return;
+	}
+
+	protocol = proto_satype2ike(msg->sadb_msg_satype);
+	spi = response.sa->sadb_sa_spi;
+	reqid = response.x_sa2->sadb_x_sa2_reqid;
+	hard = response.lft_hard != NULL;
+
+	if (protocol != PROTO_ESP && protocol != PROTO_AH)
+	{
+		DBG2(DBG_KNL, "ignoring SADB_EXPIRE for SA with SPI %.8x and reqid {%u} "
+					  "which is not a CHILD_SA", ntohl(spi), reqid);
+		return;
+	}
+
+	DBG1(DBG_KNL, "creating %s job for %N CHILD_SA with SPI %.8x and reqid {%u}",
+		 hard ? "delete" : "rekey",  protocol_id_names,
+		 protocol, ntohl(spi), reqid);
+	if (hard)
+	{
+		job = (job_t*)delete_child_sa_job_create(reqid, protocol, spi);
+	}
+	else
+	{
+		job = (job_t*)rekey_child_sa_job_create(reqid, protocol, spi);
+	}
+	charon->processor->queue_job(charon->processor, job);
+}
+
+#ifdef SADB_X_MIGRATE
+/**
+ * Process a SADB_X_MIGRATE message from the kernel
+ */
+static void process_migrate(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg)
+{
+	pfkey_msg_t response;
+	traffic_selector_t *src_ts, *dst_ts;
+	policy_dir_t dir;
+	u_int32_t reqid = 0;
+	host_t *local = NULL, *remote = NULL;
+	job_t *job;
+
+	DBG2(DBG_KNL, "received an SADB_X_MIGRATE");
+
+	if (parse_pfkey_message(msg, &response) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "parsing SADB_X_MIGRATE from kernel failed");
+		return;
+	}
+	src_ts = sadb_address2ts(response.src);
+	dst_ts = sadb_address2ts(response.dst);
+	dir = kernel2dir(response.x_policy->sadb_x_policy_dir);
+	DBG2(DBG_KNL, "  policy %R === %R %N, id %u", src_ts, dst_ts,
+					 policy_dir_names, dir);
+
+	/* SADB_X_EXT_KMADDRESS is not present in unpatched kernels < 2.6.28 */
+	if (response.x_kmaddress)
+	{
+		sockaddr_t *local_addr, *remote_addr;
+		u_int32_t local_len;
+
+		local_addr  = (sockaddr_t*)&response.x_kmaddress[1];
+		local = host_create_from_sockaddr(local_addr);
+		local_len = (local_addr->sa_family == AF_INET6)?
+					sizeof(struct sockaddr_in6) : sizeof(struct sockaddr_in);
+		remote_addr = (sockaddr_t*)((u_int8_t*)local_addr + local_len);
+		remote = host_create_from_sockaddr(remote_addr);
+		DBG2(DBG_KNL, "  kmaddress: %H...%H", local, remote);
+	}
+
+	if (src_ts && dst_ts && local && remote)
+	{
+		DBG1(DBG_KNL, "creating migrate job for policy %R === %R %N with reqid {%u}",
+					   src_ts, dst_ts, policy_dir_names, dir, reqid, local);
+		job = (job_t*)migrate_job_create(reqid, src_ts, dst_ts, dir,
+										 local, remote);
+		charon->processor->queue_job(charon->processor, job);
+	}
+	else
+	{
+		DESTROY_IF(src_ts);
+		DESTROY_IF(dst_ts);
+		DESTROY_IF(local);
+		DESTROY_IF(remote);
+	}
+}
+#endif /*SADB_X_MIGRATE*/
+
+#ifdef HAVE_NATT
+/**
+ * Process a SADB_X_NAT_T_NEW_MAPPING message from the kernel
+ */
+static void process_mapping(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg)
+{
+	pfkey_msg_t response;
+	u_int32_t spi, reqid;
+	host_t *host;
+	job_t *job;
+
+	DBG2(DBG_KNL, "received an SADB_X_NAT_T_NEW_MAPPING");
+
+	if (parse_pfkey_message(msg, &response) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "parsing SADB_X_NAT_T_NEW_MAPPING from kernel failed");
+		return;
+	}
+
+	if (!response.x_sa2)
+	{
+		DBG1(DBG_KNL, "received SADB_X_NAT_T_NEW_MAPPING is missing required information");
+		return;
+	}
+
+	spi = response.sa->sadb_sa_spi;
+	reqid = response.x_sa2->sadb_x_sa2_reqid;
+
+	if (proto_satype2ike(msg->sadb_msg_satype) == PROTO_ESP)
+	{
+		sockaddr_t *sa = (sockaddr_t*)(response.dst + 1);
+		switch (sa->sa_family)
+		{
+			case AF_INET:
+			{
+				struct sockaddr_in *sin = (struct sockaddr_in*)sa;
+				sin->sin_port = htons(response.x_natt_dport->sadb_x_nat_t_port_port);
+			}
+			case AF_INET6:
+			{
+				struct sockaddr_in6 *sin6 = (struct sockaddr_in6*)sa;
+				sin6->sin6_port = htons(response.x_natt_dport->sadb_x_nat_t_port_port);
+			}
+			default:
+				break;
+		}
+		host = host_create_from_sockaddr(sa);
+		if (host)
+		{
+			DBG1(DBG_KNL, "NAT mappings of ESP CHILD_SA with SPI %.8x and "
+				"reqid {%u} changed, queuing update job", ntohl(spi), reqid);
+			job = (job_t*)update_sa_job_create(reqid, host);
+			charon->processor->queue_job(charon->processor, job);
+		}
+	}
+}
+#endif /*HAVE_NATT*/
+
+/**
+ * Receives events from kernel
+ */
+static job_requeue_t receive_events(private_kernel_pfkey_ipsec_t *this)
+{
+	unsigned char buf[PFKEY_BUFFER_SIZE];
+	struct sadb_msg *msg = (struct sadb_msg*)buf;
+	int len;
+	bool oldstate;
+
+	oldstate = thread_cancelability(TRUE);
+	len = recvfrom(this->socket_events, buf, sizeof(buf), 0, NULL, 0);
+	thread_cancelability(oldstate);
+
+	if (len < 0)
+	{
+		switch (errno)
+		{
+			case EINTR:
+				/* interrupted, try again */
+				return JOB_REQUEUE_DIRECT;
+			case EAGAIN:
+				/* no data ready, select again */
+				return JOB_REQUEUE_DIRECT;
+			default:
+				DBG1(DBG_KNL, "unable to receive from PF_KEY event socket");
+				sleep(1);
+				return JOB_REQUEUE_FAIR;
+		}
+	}
+
+	if (len < sizeof(struct sadb_msg) ||
+		msg->sadb_msg_len < PFKEY_LEN(sizeof(struct sadb_msg)))
+	{
+		DBG2(DBG_KNL, "received corrupted PF_KEY message");
+		return JOB_REQUEUE_DIRECT;
+	}
+	if (msg->sadb_msg_pid != 0)
+	{	/* not from kernel. not interested, try another one */
+		return JOB_REQUEUE_DIRECT;
+	}
+	if (msg->sadb_msg_len > len / PFKEY_ALIGNMENT)
+	{
+		DBG1(DBG_KNL, "buffer was too small to receive the complete PF_KEY message");
+		return JOB_REQUEUE_DIRECT;
+	}
+
+	switch (msg->sadb_msg_type)
+	{
+		case SADB_ACQUIRE:
+			process_acquire(this, msg);
+			break;
+		case SADB_EXPIRE:
+			process_expire(this, msg);
+			break;
+#ifdef SADB_X_MIGRATE
+		case SADB_X_MIGRATE:
+			process_migrate(this, msg);
+			break;
+#endif /*SADB_X_MIGRATE*/
+#ifdef HAVE_NATT
+		case SADB_X_NAT_T_NEW_MAPPING:
+			process_mapping(this, msg);
+			break;
+#endif /*HAVE_NATT*/
+		default:
+			break;
+	}
+
+	return JOB_REQUEUE_DIRECT;
+}
+
+METHOD(kernel_ipsec_t, get_spi, status_t,
+	private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
+	protocol_id_t protocol, u_int32_t reqid, u_int32_t *spi)
+{
+	unsigned char request[PFKEY_BUFFER_SIZE];
+	struct sadb_msg *msg, *out;
+	struct sadb_x_sa2 *sa2;
+	struct sadb_spirange *range;
+	pfkey_msg_t response;
+	u_int32_t received_spi = 0;
+	size_t len;
+
+	memset(&request, 0, sizeof(request));
+
+	msg = (struct sadb_msg*)request;
+	msg->sadb_msg_version = PF_KEY_V2;
+	msg->sadb_msg_type = SADB_GETSPI;
+	msg->sadb_msg_satype = proto_ike2satype(protocol);
+	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
+
+	sa2 = (struct sadb_x_sa2*)PFKEY_EXT_ADD_NEXT(msg);
+	sa2->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
+	sa2->sadb_x_sa2_len = PFKEY_LEN(sizeof(struct sadb_spirange));
+	sa2->sadb_x_sa2_reqid = reqid;
+	PFKEY_EXT_ADD(msg, sa2);
+
+	add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0);
+	add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
+
+	range = (struct sadb_spirange*)PFKEY_EXT_ADD_NEXT(msg);
+	range->sadb_spirange_exttype = SADB_EXT_SPIRANGE;
+	range->sadb_spirange_len = PFKEY_LEN(sizeof(struct sadb_spirange));
+	range->sadb_spirange_min = 0xc0000000;
+	range->sadb_spirange_max = 0xcFFFFFFF;
+	PFKEY_EXT_ADD(msg, range);
+
+	if (pfkey_send(this, msg, &out, &len) == SUCCESS)
+	{
+		if (out->sadb_msg_errno)
+		{
+			DBG1(DBG_KNL, "allocating SPI failed: %s (%d)",
+					strerror(out->sadb_msg_errno), out->sadb_msg_errno);
+		}
+		else if (parse_pfkey_message(out, &response) == SUCCESS)
+		{
+			received_spi = response.sa->sadb_sa_spi;
+		}
+		free(out);
+	}
+
+	if (received_spi == 0)
+	{
+		return FAILED;
+	}
+
+	*spi = received_spi;
+	return SUCCESS;
+}
+
+METHOD(kernel_ipsec_t, get_cpi, status_t,
+	private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
+	u_int32_t reqid, u_int16_t *cpi)
+{
+	return FAILED;
+}
+
+METHOD(kernel_ipsec_t, add_sa, status_t,
+	private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst, u_int32_t spi,
+	protocol_id_t protocol, u_int32_t reqid, lifetime_cfg_t *lifetime,
+	u_int16_t enc_alg, chunk_t enc_key, u_int16_t int_alg, chunk_t int_key,
+	ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi, bool encap,
+	bool inbound, traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
+{
+	unsigned char request[PFKEY_BUFFER_SIZE];
+	struct sadb_msg *msg, *out;
+	struct sadb_sa *sa;
+	struct sadb_x_sa2 *sa2;
+	struct sadb_lifetime *lft;
+	struct sadb_key *key;
+	size_t len;
+
+	memset(&request, 0, sizeof(request));
+
+	DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%u}", ntohl(spi), reqid);
+
+	msg = (struct sadb_msg*)request;
+	msg->sadb_msg_version = PF_KEY_V2;
+	msg->sadb_msg_type = inbound ? SADB_UPDATE : SADB_ADD;
+	msg->sadb_msg_satype = proto_ike2satype(protocol);
+	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
+
+#ifdef __APPLE__
+	if (encap)
+	{
+		struct sadb_sa_2 *sa_2;
+		sa_2 = (struct sadb_sa_2*)PFKEY_EXT_ADD_NEXT(msg);
+		sa_2->sadb_sa_natt_port = dst->get_port(dst);
+		sa = &sa_2->sa;
+		sa->sadb_sa_flags |= SADB_X_EXT_NATT;
+		len = sizeof(struct sadb_sa_2);
+	}
+	else
+#endif
+	{
+		sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
+		len = sizeof(struct sadb_sa);
+	}
+	sa->sadb_sa_exttype = SADB_EXT_SA;
+	sa->sadb_sa_len = PFKEY_LEN(len);
+	sa->sadb_sa_spi = spi;
+	sa->sadb_sa_replay = (protocol == IPPROTO_COMP) ? 0 : 32;
+	sa->sadb_sa_auth = lookup_algorithm(integrity_algs, int_alg);
+	sa->sadb_sa_encrypt = lookup_algorithm(encryption_algs, enc_alg);
+	PFKEY_EXT_ADD(msg, sa);
+
+	sa2 = (struct sadb_x_sa2*)PFKEY_EXT_ADD_NEXT(msg);
+	sa2->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
+	sa2->sadb_x_sa2_len = PFKEY_LEN(sizeof(struct sadb_spirange));
+	sa2->sadb_x_sa2_mode = mode2kernel(mode);
+	sa2->sadb_x_sa2_reqid = reqid;
+	PFKEY_EXT_ADD(msg, sa2);
+
+	add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0);
+	add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
+
+	lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
+	lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT;
+	lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
+	lft->sadb_lifetime_allocations = lifetime->packets.rekey;
+	lft->sadb_lifetime_bytes = lifetime->bytes.rekey;
+	lft->sadb_lifetime_addtime = lifetime->time.rekey;
+	lft->sadb_lifetime_usetime = 0; /* we only use addtime */
+	PFKEY_EXT_ADD(msg, lft);
+
+	lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
+	lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
+	lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
+	lft->sadb_lifetime_allocations = lifetime->packets.life;
+	lft->sadb_lifetime_bytes = lifetime->bytes.life;
+	lft->sadb_lifetime_addtime = lifetime->time.life;
+	lft->sadb_lifetime_usetime = 0; /* we only use addtime */
+	PFKEY_EXT_ADD(msg, lft);
+
+	if (enc_alg != ENCR_UNDEFINED)
+	{
+		if (!sa->sadb_sa_encrypt)
+		{
+			DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
+				 encryption_algorithm_names, enc_alg);
+			return FAILED;
+		}
+		DBG2(DBG_KNL, "  using encryption algorithm %N with key size %d",
+			 encryption_algorithm_names, enc_alg, enc_key.len * 8);
+
+		key = (struct sadb_key*)PFKEY_EXT_ADD_NEXT(msg);
+		key->sadb_key_exttype = SADB_EXT_KEY_ENCRYPT;
+		key->sadb_key_bits = enc_key.len * 8;
+		key->sadb_key_len = PFKEY_LEN(sizeof(struct sadb_key) + enc_key.len);
+		memcpy(key + 1, enc_key.ptr, enc_key.len);
+
+		PFKEY_EXT_ADD(msg, key);
+	}
+
+	if (int_alg != AUTH_UNDEFINED)
+	{
+		if (!sa->sadb_sa_auth)
+		{
+			DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
+					 integrity_algorithm_names, int_alg);
+			return FAILED;
+		}
+		DBG2(DBG_KNL, "  using integrity algorithm %N with key size %d",
+			 integrity_algorithm_names, int_alg, int_key.len * 8);
+
+		key = (struct sadb_key*)PFKEY_EXT_ADD_NEXT(msg);
+		key->sadb_key_exttype = SADB_EXT_KEY_AUTH;
+		key->sadb_key_bits = int_key.len * 8;
+		key->sadb_key_len = PFKEY_LEN(sizeof(struct sadb_key) + int_key.len);
+		memcpy(key + 1, int_key.ptr, int_key.len);
+
+		PFKEY_EXT_ADD(msg, key);
+	}
+
+	if (ipcomp != IPCOMP_NONE)
+	{
+		/*TODO*/
+	}
+
+#ifdef HAVE_NATT
+	if (encap)
+	{
+		add_encap_ext(msg, src, dst);
+	}
+#endif /*HAVE_NATT*/
+
+	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x", ntohl(spi));
+		return FAILED;
+	}
+	else if (out->sadb_msg_errno)
+	{
+		DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x: %s (%d)",
+				ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
+		free(out);
+		return FAILED;
+	}
+
+	free(out);
+	return SUCCESS;
+}
+
+METHOD(kernel_ipsec_t, update_sa, status_t,
+	private_kernel_pfkey_ipsec_t *this, u_int32_t spi, protocol_id_t protocol,
+	u_int16_t cpi, host_t *src, host_t *dst, host_t *new_src, host_t *new_dst,
+	bool encap, bool new_encap)
+{
+	unsigned char request[PFKEY_BUFFER_SIZE];
+	struct sadb_msg *msg, *out;
+	struct sadb_sa *sa;
+	pfkey_msg_t response;
+	size_t len;
+
+	/* we can't update the SA if any of the ip addresses have changed.
+	 * that's because we can't use SADB_UPDATE and by deleting and readding the
+	 * SA the sequence numbers would get lost */
+	if (!src->ip_equals(src, new_src) ||
+		!dst->ip_equals(dst, new_dst))
+	{
+		DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x: address changes"
+				" are not supported", ntohl(spi));
+		return NOT_SUPPORTED;
+	}
+
+	memset(&request, 0, sizeof(request));
+
+	DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi));
+
+	msg = (struct sadb_msg*)request;
+	msg->sadb_msg_version = PF_KEY_V2;
+	msg->sadb_msg_type = SADB_GET;
+	msg->sadb_msg_satype = proto_ike2satype(protocol);
+	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
+
+	sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
+	sa->sadb_sa_exttype = SADB_EXT_SA;
+	sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
+	sa->sadb_sa_spi = spi;
+	PFKEY_EXT_ADD(msg, sa);
+
+	/* the kernel wants a SADB_EXT_ADDRESS_SRC to be present even though
+	 * it is not used for anything. */
+	add_anyaddr_ext(msg, dst->get_family(dst), SADB_EXT_ADDRESS_SRC);
+	add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
+
+	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x",
+				ntohl(spi));
+		return FAILED;
+	}
+	else if (out->sadb_msg_errno)
+	{
+		DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x: %s (%d)",
+			ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
+		free(out);
+		return FAILED;
+	}
+	else if (parse_pfkey_message(out, &response) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x: parsing response "
+				"from kernel failed", ntohl(spi));
+		free(out);
+		return FAILED;
+	}
+
+	DBG2(DBG_KNL, "updating SAD entry with SPI %.8x from %#H..%#H to %#H..%#H",
+		 ntohl(spi), src, dst, new_src, new_dst);
+
+	memset(&request, 0, sizeof(request));
+
+	msg = (struct sadb_msg*)request;
+	msg->sadb_msg_version = PF_KEY_V2;
+	msg->sadb_msg_type = SADB_UPDATE;
+	msg->sadb_msg_satype = proto_ike2satype(protocol);
+	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
+
+#ifdef __APPLE__
+	{
+		struct sadb_sa_2 *sa_2;
+		sa_2 = (struct sadb_sa_2*)PFKEY_EXT_ADD_NEXT(msg);
+		sa_2->sa.sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa_2));
+		memcpy(&sa_2->sa, response.sa, sizeof(struct sadb_sa));
+		if (encap)
+		{
+			sa_2->sadb_sa_natt_port = new_dst->get_port(new_dst);
+			sa_2->sa.sadb_sa_flags |= SADB_X_EXT_NATT;
+		}
+	}
+#else
+	PFKEY_EXT_COPY(msg, response.sa);
+#endif
+	PFKEY_EXT_COPY(msg, response.x_sa2);
+
+	PFKEY_EXT_COPY(msg, response.src);
+	PFKEY_EXT_COPY(msg, response.dst);
+
+	PFKEY_EXT_COPY(msg, response.lft_soft);
+	PFKEY_EXT_COPY(msg, response.lft_hard);
+
+	if (response.key_encr)
+	{
+		PFKEY_EXT_COPY(msg, response.key_encr);
+	}
+
+	if (response.key_auth)
+	{
+		PFKEY_EXT_COPY(msg, response.key_auth);
+	}
+
+#ifdef HAVE_NATT
+	if (new_encap)
+	{
+		add_encap_ext(msg, new_src, new_dst);
+	}
+#endif /*HAVE_NATT*/
+
+	free(out);
+
+	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi));
+		return FAILED;
+	}
+	else if (out->sadb_msg_errno)
+	{
+		DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x: %s (%d)",
+				ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
+		free(out);
+		return FAILED;
+	}
+	free(out);
+
+	return SUCCESS;
+}
+
+METHOD(kernel_ipsec_t, query_sa, status_t,
+	private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
+	u_int32_t spi, protocol_id_t protocol, u_int64_t *bytes)
+{
+	unsigned char request[PFKEY_BUFFER_SIZE];
+	struct sadb_msg *msg, *out;
+	struct sadb_sa *sa;
+	pfkey_msg_t response;
+	size_t len;
+
+	memset(&request, 0, sizeof(request));
+
+	DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi));
+
+	msg = (struct sadb_msg*)request;
+	msg->sadb_msg_version = PF_KEY_V2;
+	msg->sadb_msg_type = SADB_GET;
+	msg->sadb_msg_satype = proto_ike2satype(protocol);
+	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
+
+	sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
+	sa->sadb_sa_exttype = SADB_EXT_SA;
+	sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
+	sa->sadb_sa_spi = spi;
+	PFKEY_EXT_ADD(msg, sa);
+
+	/* the Linux Kernel doesn't care for the src address, but other systems do
+	 * (e.g. FreeBSD)
+	 */
+	add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0);
+	add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
+
+	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi));
+		return FAILED;
+	}
+	else if (out->sadb_msg_errno)
+	{
+		DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x: %s (%d)",
+				ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
+		free(out);
+		return FAILED;
+	}
+	else if (parse_pfkey_message(out, &response) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi));
+		free(out);
+		return FAILED;
+	}
+	*bytes = response.lft_current->sadb_lifetime_bytes;
+
+	free(out);
+	return SUCCESS;
+}
+
+METHOD(kernel_ipsec_t, del_sa, status_t,
+	private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
+	u_int32_t spi, protocol_id_t protocol, u_int16_t cpi)
+{
+	unsigned char request[PFKEY_BUFFER_SIZE];
+	struct sadb_msg *msg, *out;
+	struct sadb_sa *sa;
+	size_t len;
+
+	memset(&request, 0, sizeof(request));
+
+	DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x", ntohl(spi));
+
+	msg = (struct sadb_msg*)request;
+	msg->sadb_msg_version = PF_KEY_V2;
+	msg->sadb_msg_type = SADB_DELETE;
+	msg->sadb_msg_satype = proto_ike2satype(protocol);
+	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
+
+	sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
+	sa->sadb_sa_exttype = SADB_EXT_SA;
+	sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
+	sa->sadb_sa_spi = spi;
+	PFKEY_EXT_ADD(msg, sa);
+
+	/* the Linux Kernel doesn't care for the src address, but other systems do
+	 * (e.g. FreeBSD)
+	 */
+	add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0);
+	add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
+
+	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x", ntohl(spi));
+		return FAILED;
+	}
+	else if (out->sadb_msg_errno)
+	{
+		DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x: %s (%d)",
+				ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
+		free(out);
+		return FAILED;
+	}
+
+	DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x", ntohl(spi));
+	free(out);
+	return SUCCESS;
+}
+
+METHOD(kernel_ipsec_t, add_policy, status_t,
+	private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
+	traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
+	policy_dir_t direction, u_int32_t spi, protocol_id_t protocol,
+	u_int32_t reqid, ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
+	bool routed)
+{
+	unsigned char request[PFKEY_BUFFER_SIZE];
+	struct sadb_msg *msg, *out;
+	struct sadb_x_policy *pol;
+	struct sadb_x_ipsecrequest *req;
+	policy_entry_t *policy, *found = NULL;
+	pfkey_msg_t response;
+	size_t len;
+
+	if (dir2kernel(direction) == IPSEC_DIR_INVALID)
+	{
+		/* FWD policies are not supported on all platforms */
+		return SUCCESS;
+	}
+
+	/* create a policy */
+	policy = create_policy_entry(src_ts, dst_ts, direction, reqid);
+
+	/* find a matching policy */
+	this->mutex->lock(this->mutex);
+	if (this->policies->find_first(this->policies,
+			(linked_list_match_t)policy_entry_equals, (void**)&found, policy) == SUCCESS)
+	{
+		/* use existing policy */
+		found->refcount++;
+		DBG2(DBG_KNL, "policy %R === %R %N already exists, increasing "
+					  "refcount", src_ts, dst_ts,
+					   policy_dir_names, direction);
+		policy_entry_destroy(policy);
+		policy = found;
+	}
+	else
+	{
+		/* apply the new one, if we have no such policy */
+		this->policies->insert_last(this->policies, policy);
+		policy->refcount = 1;
+	}
+
+	memset(&request, 0, sizeof(request));
+
+	DBG2(DBG_KNL, "adding policy %R === %R %N", src_ts, dst_ts,
+				   policy_dir_names, direction);
+
+	msg = (struct sadb_msg*)request;
+	msg->sadb_msg_version = PF_KEY_V2;
+	msg->sadb_msg_type = found ? SADB_X_SPDUPDATE : SADB_X_SPDADD;
+	msg->sadb_msg_satype = 0;
+	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
+
+	pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
+	pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
+	pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
+	pol->sadb_x_policy_id = 0;
+	pol->sadb_x_policy_dir = dir2kernel(direction);
+	pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
+#ifdef HAVE_STRUCT_SADB_X_POLICY_SADB_X_POLICY_PRIORITY
+	/* calculate priority based on source selector size, small size = high prio */
+	pol->sadb_x_policy_priority = routed ? PRIO_LOW : PRIO_HIGH;
+	pol->sadb_x_policy_priority -= policy->src.mask * 10;
+	pol->sadb_x_policy_priority -= policy->src.proto != IPSEC_PROTO_ANY ? 2 : 0;
+	pol->sadb_x_policy_priority -= policy->src.net->get_port(policy->src.net) ? 1 : 0;
+#endif
+
+	/* one or more sadb_x_ipsecrequest extensions are added to the sadb_x_policy extension */
+	req = (struct sadb_x_ipsecrequest*)(pol + 1);
+	req->sadb_x_ipsecrequest_proto = proto_ike2ip(protocol);
+	/* !!! the length of this struct MUST be in octets instead of 64 bit words */
+	req->sadb_x_ipsecrequest_len = sizeof(struct sadb_x_ipsecrequest);
+	req->sadb_x_ipsecrequest_mode = mode2kernel(mode);
+	req->sadb_x_ipsecrequest_reqid = reqid;
+	req->sadb_x_ipsecrequest_level = IPSEC_LEVEL_UNIQUE;
+	if (mode == MODE_TUNNEL)
+	{
+		sockaddr_t *sa;
+		socklen_t sl;
+		sa = src->get_sockaddr(src);
+		sl = *src->get_sockaddr_len(src);
+		memcpy(req + 1, sa, sl);
+		sa = dst->get_sockaddr(dst);
+		memcpy((u_int8_t*)(req + 1) + sl, sa, sl);
+		req->sadb_x_ipsecrequest_len += sl * 2;
+	}
+
+	pol->sadb_x_policy_len += PFKEY_LEN(req->sadb_x_ipsecrequest_len);
+	PFKEY_EXT_ADD(msg, pol);
+
+	add_addr_ext(msg, policy->src.net, SADB_EXT_ADDRESS_SRC, policy->src.proto,
+				 policy->src.mask);
+	add_addr_ext(msg, policy->dst.net, SADB_EXT_ADDRESS_DST, policy->dst.proto,
+				 policy->dst.mask);
+
+#ifdef __FreeBSD__
+	{	/* on FreeBSD a lifetime has to be defined to be able to later query
+		 * the current use time. */
+		struct sadb_lifetime *lft;
+		lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
+		lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
+		lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
+		lft->sadb_lifetime_addtime = LONG_MAX;
+		PFKEY_EXT_ADD(msg, lft);
+	}
+#endif
+
+	this->mutex->unlock(this->mutex);
+
+	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "unable to add policy %R === %R %N", src_ts, dst_ts,
+					   policy_dir_names, direction);
+		return FAILED;
+	}
+	else if (out->sadb_msg_errno)
+	{
+		DBG1(DBG_KNL, "unable to add policy %R === %R %N: %s (%d)", src_ts, dst_ts,
+					   policy_dir_names, direction,
+					   strerror(out->sadb_msg_errno), out->sadb_msg_errno);
+		free(out);
+		return FAILED;
+	}
+	else if (parse_pfkey_message(out, &response) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "unable to add policy %R === %R %N: parsing response "
+				"from kernel failed", src_ts, dst_ts, policy_dir_names, direction);
+		free(out);
+		return FAILED;
+	}
+
+	this->mutex->lock(this->mutex);
+
+	/* we try to find the policy again and update the kernel index */
+	if (this->policies->find_last(this->policies, NULL, (void**)&policy) != SUCCESS)
+	{
+		DBG2(DBG_KNL, "unable to update index, the policy %R === %R %N is "
+				"already gone, ignoring", src_ts, dst_ts, policy_dir_names, direction);
+		this->mutex->unlock(this->mutex);
+		free(out);
+		return SUCCESS;
+	}
+	policy->index = response.x_policy->sadb_x_policy_id;
+	free(out);
+
+	/* install a route, if:
+	 * - we are NOT updating a policy
+	 * - this is a forward policy (to just get one for each child)
+	 * - we are in tunnel mode
+	 * - we are not using IPv6 (does not work correctly yet!)
+	 * - routing is not disabled via strongswan.conf
+	 */
+	if (policy->route == NULL && direction == POLICY_FWD &&
+		mode != MODE_TRANSPORT && src->get_family(src) != AF_INET6 &&
+		this->install_routes)
+	{
+		route_entry_t *route = malloc_thing(route_entry_t);
+
+		if (charon->kernel_interface->get_address_by_ts(charon->kernel_interface,
+				dst_ts, &route->src_ip) == SUCCESS)
+		{
+			/* get the nexthop to src (src as we are in POLICY_FWD).*/
+			route->gateway = charon->kernel_interface->get_nexthop(
+									charon->kernel_interface, src);
+			route->if_name = charon->kernel_interface->get_interface(
+									charon->kernel_interface, dst);
+			route->dst_net = chunk_clone(policy->src.net->get_address(policy->src.net));
+			route->prefixlen = policy->src.mask;
+
+			switch (charon->kernel_interface->add_route(charon->kernel_interface,
+					route->dst_net, route->prefixlen, route->gateway,
+					route->src_ip, route->if_name))
+			{
+				default:
+					DBG1(DBG_KNL, "unable to install source route for %H",
+						 route->src_ip);
+					/* FALL */
+				case ALREADY_DONE:
+					/* route exists, do not uninstall */
+					route_entry_destroy(route);
+					break;
+				case SUCCESS:
+					/* cache the installed route */
+					policy->route = route;
+					break;
+			}
+		}
+		else
+		{
+			free(route);
+		}
+	}
+
+	this->mutex->unlock(this->mutex);
+
+	return SUCCESS;
+}
+
+METHOD(kernel_ipsec_t, query_policy, status_t,
+	private_kernel_pfkey_ipsec_t *this, traffic_selector_t *src_ts,
+	traffic_selector_t *dst_ts, policy_dir_t direction, u_int32_t *use_time)
+{
+	unsigned char request[PFKEY_BUFFER_SIZE];
+	struct sadb_msg *msg, *out;
+	struct sadb_x_policy *pol;
+	policy_entry_t *policy, *found = NULL;
+	pfkey_msg_t response;
+	size_t len;
+
+	if (dir2kernel(direction) == IPSEC_DIR_INVALID)
+	{
+		/* FWD policies are not supported on all platforms */
+		return NOT_FOUND;
+	}
+
+	DBG2(DBG_KNL, "querying policy %R === %R %N", src_ts, dst_ts,
+				   policy_dir_names, direction);
+
+	/* create a policy */
+	policy = create_policy_entry(src_ts, dst_ts, direction, 0);
+
+	/* find a matching policy */
+	this->mutex->lock(this->mutex);
+	if (this->policies->find_first(this->policies,
+			(linked_list_match_t)policy_entry_equals, (void**)&found, policy) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "querying policy %R === %R %N failed, not found", src_ts,
+					   dst_ts, policy_dir_names, direction);
+		policy_entry_destroy(policy);
+		this->mutex->unlock(this->mutex);
+		return NOT_FOUND;
+	}
+	policy_entry_destroy(policy);
+	policy = found;
+
+	memset(&request, 0, sizeof(request));
+
+	msg = (struct sadb_msg*)request;
+	msg->sadb_msg_version = PF_KEY_V2;
+	msg->sadb_msg_type = SADB_X_SPDGET;
+	msg->sadb_msg_satype = 0;
+	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
+
+	pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
+	pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
+	pol->sadb_x_policy_id = policy->index;
+	pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
+	pol->sadb_x_policy_dir = dir2kernel(direction);
+	pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
+	PFKEY_EXT_ADD(msg, pol);
+
+	add_addr_ext(msg, policy->src.net, SADB_EXT_ADDRESS_SRC, policy->src.proto,
+				 policy->src.mask);
+	add_addr_ext(msg, policy->dst.net, SADB_EXT_ADDRESS_DST, policy->dst.proto,
+				 policy->dst.mask);
+
+	this->mutex->unlock(this->mutex);
+
+	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "unable to query policy %R === %R %N", src_ts, dst_ts,
+					   policy_dir_names, direction);
+		return FAILED;
+	}
+	else if (out->sadb_msg_errno)
+	{
+		DBG1(DBG_KNL, "unable to query policy %R === %R %N: %s (%d)", src_ts,
+					   dst_ts, policy_dir_names, direction,
+					   strerror(out->sadb_msg_errno), out->sadb_msg_errno);
+		free(out);
+		return FAILED;
+	}
+	else if (parse_pfkey_message(out, &response) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "unable to query policy %R === %R %N: parsing response "
+				"from kernel failed", src_ts, dst_ts, policy_dir_names, direction);
+		free(out);
+		return FAILED;
+	}
+	else if (response.lft_current == NULL)
+	{
+		DBG1(DBG_KNL, "unable to query policy %R === %R %N: kernel reports no "
+			 "use time", src_ts, dst_ts, policy_dir_names, direction);
+		free(out);
+		return FAILED;
+	}
+	/* we need the monotonic time, but the kernel returns system time. */
+	if (response.lft_current->sadb_lifetime_usetime)
+	{
+		*use_time = time_monotonic(NULL) -
+					(time(NULL) - response.lft_current->sadb_lifetime_usetime);
+	}
+	else
+	{
+		*use_time = 0;
+	}
+	free(out);
+
+	return SUCCESS;
+}
+
+METHOD(kernel_ipsec_t, del_policy, status_t,
+	private_kernel_pfkey_ipsec_t *this, traffic_selector_t *src_ts,
+	traffic_selector_t *dst_ts, policy_dir_t direction, bool unrouted)
+{
+	unsigned char request[PFKEY_BUFFER_SIZE];
+	struct sadb_msg *msg, *out;
+	struct sadb_x_policy *pol;
+	policy_entry_t *policy, *found = NULL;
+	route_entry_t *route;
+	size_t len;
+
+	if (dir2kernel(direction) == IPSEC_DIR_INVALID)
+	{
+		/* FWD policies are not supported on all platforms */
+		return SUCCESS;
+	}
+
+	DBG2(DBG_KNL, "deleting policy %R === %R %N", src_ts, dst_ts,
+				   policy_dir_names, direction);
+
+	/* create a policy */
+	policy = create_policy_entry(src_ts, dst_ts, direction, 0);
+
+	/* find a matching policy */
+	this->mutex->lock(this->mutex);
+	if (this->policies->find_first(this->policies,
+			(linked_list_match_t)policy_entry_equals, (void**)&found, policy) == SUCCESS)
+	{
+		if (--found->refcount > 0)
+		{
+			/* is used by more SAs, keep in kernel */
+			DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed");
+			policy_entry_destroy(policy);
+			this->mutex->unlock(this->mutex);
+			return SUCCESS;
+		}
+		/* remove if last reference */
+		this->policies->remove(this->policies, found, NULL);
+		policy_entry_destroy(policy);
+		policy = found;
+	}
+	else
+	{
+		DBG1(DBG_KNL, "deleting policy %R === %R %N failed, not found", src_ts,
+					   dst_ts, policy_dir_names, direction);
+		policy_entry_destroy(policy);
+		this->mutex->unlock(this->mutex);
+		return NOT_FOUND;
+	}
+	this->mutex->unlock(this->mutex);
+
+	memset(&request, 0, sizeof(request));
+
+	msg = (struct sadb_msg*)request;
+	msg->sadb_msg_version = PF_KEY_V2;
+	msg->sadb_msg_type = SADB_X_SPDDELETE;
+	msg->sadb_msg_satype = 0;
+	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
+
+	pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
+	pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
+	pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
+	pol->sadb_x_policy_dir = dir2kernel(direction);
+	pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
+	PFKEY_EXT_ADD(msg, pol);
+
+	add_addr_ext(msg, policy->src.net, SADB_EXT_ADDRESS_SRC, policy->src.proto,
+				 policy->src.mask);
+	add_addr_ext(msg, policy->dst.net, SADB_EXT_ADDRESS_DST, policy->dst.proto,
+				 policy->dst.mask);
+
+	route = policy->route;
+	policy->route = NULL;
+	policy_entry_destroy(policy);
+
+	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "unable to delete policy %R === %R %N", src_ts, dst_ts,
+					   policy_dir_names, direction);
+		return FAILED;
+	}
+	else if (out->sadb_msg_errno)
+	{
+		DBG1(DBG_KNL, "unable to delete policy %R === %R %N: %s (%d)", src_ts,
+					   dst_ts, policy_dir_names, direction,
+					   strerror(out->sadb_msg_errno), out->sadb_msg_errno);
+		free(out);
+		return FAILED;
+	}
+	free(out);
+
+	if (route)
+	{
+		if (charon->kernel_interface->del_route(charon->kernel_interface,
+				route->dst_net, route->prefixlen, route->gateway,
+				route->src_ip, route->if_name) != SUCCESS)
+		{
+			DBG1(DBG_KNL, "error uninstalling route installed with "
+						  "policy %R === %R %N", src_ts, dst_ts,
+						   policy_dir_names, direction);
+		}
+		route_entry_destroy(route);
+	}
+
+	return SUCCESS;
+}
+
+/**
+ * Register a socket for AQUIRE/EXPIRE messages
+ */
+static status_t register_pfkey_socket(private_kernel_pfkey_ipsec_t *this,
+									  u_int8_t satype)
+{
+	unsigned char request[PFKEY_BUFFER_SIZE];
+	struct sadb_msg *msg, *out;
+	size_t len;
+
+	memset(&request, 0, sizeof(request));
+
+	msg = (struct sadb_msg*)request;
+	msg->sadb_msg_version = PF_KEY_V2;
+	msg->sadb_msg_type = SADB_REGISTER;
+	msg->sadb_msg_satype = satype;
+	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
+
+	if (pfkey_send_socket(this, this->socket_events, msg, &out, &len) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "unable to register PF_KEY socket");
+		return FAILED;
+	}
+	else if (out->sadb_msg_errno)
+	{
+		DBG1(DBG_KNL, "unable to register PF_KEY socket: %s (%d)",
+					   strerror(out->sadb_msg_errno), out->sadb_msg_errno);
+		free(out);
+		return FAILED;
+	}
+	free(out);
+	return SUCCESS;
+}
+
+METHOD(kernel_ipsec_t, bypass_socket, bool,
+	private_kernel_pfkey_ipsec_t *this, int fd, int family)
+{
+	struct sadb_x_policy policy;
+	u_int sol, ipsec_policy;
+
+	switch (family)
+	{
+		case AF_INET:
+		{
+			sol = SOL_IP;
+			ipsec_policy = IP_IPSEC_POLICY;
+			break;
+		}
+		case AF_INET6:
+		{
+			sol = SOL_IPV6;
+			ipsec_policy = IPV6_IPSEC_POLICY;
+			break;
+		}
+		default:
+			return FALSE;
+	}
+
+	memset(&policy, 0, sizeof(policy));
+	policy.sadb_x_policy_len = sizeof(policy) / sizeof(u_int64_t);
+	policy.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
+	policy.sadb_x_policy_type = IPSEC_POLICY_BYPASS;
+
+	policy.sadb_x_policy_dir = IPSEC_DIR_OUTBOUND;
+	if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
+	{
+		DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
+			 strerror(errno));
+		return FALSE;
+	}
+	policy.sadb_x_policy_dir = IPSEC_DIR_INBOUND;
+	if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
+	{
+		DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
+			 strerror(errno));
+		return FALSE;
+	}
+	return TRUE;
+}
+
+METHOD(kernel_ipsec_t, destroy, void,
+	private_kernel_pfkey_ipsec_t *this)
+{
+	if (this->job)
+	{
+		this->job->cancel(this->job);
+	}
+	if (this->socket > 0)
+	{
+		close(this->socket);
+	}
+	if (this->socket_events > 0)
+	{
+		close(this->socket_events);
+	}
+	this->policies->destroy_function(this->policies, (void*)policy_entry_destroy);
+	this->mutex->destroy(this->mutex);
+	this->mutex_pfkey->destroy(this->mutex_pfkey);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create()
+{
+	private_kernel_pfkey_ipsec_t *this;
+
+	INIT(this,
+		.public.interface = {
+			.get_spi = _get_spi,
+			.get_cpi = _get_cpi,
+			.add_sa  = _add_sa,
+			.update_sa = _update_sa,
+			.query_sa = _query_sa,
+			.del_sa = _del_sa,
+			.add_policy = _add_policy,
+			.query_policy = _query_policy,
+			.del_policy = _del_policy,
+			.bypass_socket = _bypass_socket,
+			.destroy = _destroy,
+		},
+		.policies = linked_list_create(),
+		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+		.mutex_pfkey = mutex_create(MUTEX_TYPE_DEFAULT),
+		.install_routes = lib->settings->get_bool(lib->settings,
+												"charon.install_routes", TRUE),
+	);
+
+	/* create a PF_KEY socket to communicate with the kernel */
+	this->socket = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
+	if (this->socket <= 0)
+	{
+		DBG1(DBG_KNL, "unable to create PF_KEY socket");
+		destroy(this);
+		return NULL;
+	}
+
+	/* create a PF_KEY socket for ACQUIRE & EXPIRE */
+	this->socket_events = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
+	if (this->socket_events <= 0)
+	{
+		DBG1(DBG_KNL, "unable to create PF_KEY event socket");
+		destroy(this);
+		return NULL;
+	}
+
+	/* register the event socket */
+	if (register_pfkey_socket(this, SADB_SATYPE_ESP) != SUCCESS ||
+		register_pfkey_socket(this, SADB_SATYPE_AH) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "unable to register PF_KEY event socket");
+		destroy(this);
+		return NULL;
+	}
+
+	this->job = callback_job_create((callback_job_cb_t)receive_events,
+									this, NULL, NULL);
+	charon->processor->queue_job(charon->processor, (job_t*)this->job);
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.h b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.h
new file mode 100644
index 000000000..649f93733
--- /dev/null
+++ b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.h
@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup kernel_pfkey_ipsec_i kernel_pfkey_ipsec
+ * @{ @ingroup kernel_pfkey
+ */
+
+#ifndef KERNEL_PFKEY_IPSEC_H_
+#define KERNEL_PFKEY_IPSEC_H_
+
+#include <kernel/kernel_ipsec.h>
+
+typedef struct kernel_pfkey_ipsec_t kernel_pfkey_ipsec_t;
+
+/**
+ * Implementation of the kernel ipsec interface using PF_KEY.
+ */
+struct kernel_pfkey_ipsec_t {
+
+	/**
+	 * Implements kernel_ipsec_t interface
+	 */
+	kernel_ipsec_t interface;
+};
+
+/**
+ * Create a PF_KEY kernel ipsec interface instance.
+ *
+ * @return			kernel_pfkey_ipsec_t instance
+ */
+kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create();
+
+#endif /** KERNEL_PFKEY_IPSEC_H_ @}*/
diff --git a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_plugin.c b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_plugin.c
new file mode 100644
index 000000000..b84ccf150
--- /dev/null
+++ b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_plugin.c
@@ -0,0 +1,56 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+
+#include "kernel_pfkey_plugin.h"
+
+#include "kernel_pfkey_ipsec.h"
+
+#include <daemon.h>
+
+typedef struct private_kernel_pfkey_plugin_t private_kernel_pfkey_plugin_t;
+
+/**
+ * private data of kernel PF_KEY plugin
+ */
+struct private_kernel_pfkey_plugin_t {
+	/**
+	 * implements plugin interface
+	 */
+	kernel_pfkey_plugin_t public;
+};
+
+/**
+ * Implementation of plugin_t.destroy
+ */
+static void destroy(private_kernel_pfkey_plugin_t *this)
+{
+	charon->kernel_interface->remove_ipsec_interface(charon->kernel_interface, (kernel_ipsec_constructor_t)kernel_pfkey_ipsec_create);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *kernel_pfkey_plugin_create()
+{
+	private_kernel_pfkey_plugin_t *this = malloc_thing(private_kernel_pfkey_plugin_t);
+
+	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+
+	charon->kernel_interface->add_ipsec_interface(charon->kernel_interface, (kernel_ipsec_constructor_t)kernel_pfkey_ipsec_create);
+
+	return &this->public.plugin;
+}
diff --git a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_plugin.h b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_plugin.h
new file mode 100644
index 000000000..ecccc6303
--- /dev/null
+++ b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup kernel_pfkey kernel_pfkey
+ * @ingroup cplugins
+ *
+ * @defgroup kernel_pfkey_plugin kernel_pfkey_plugin
+ * @{ @ingroup kernel_pfkey
+ */
+
+#ifndef KERNEL_PFKEY_PLUGIN_H_
+#define KERNEL_PFKEY_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct kernel_pfkey_plugin_t kernel_pfkey_plugin_t;
+
+/**
+ * PF_KEY kernel interface plugin
+ */
+struct kernel_pfkey_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+#endif /** KERNEL_PFKEY_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/kernel_pfroute/Makefile.am b/src/libcharon/plugins/kernel_pfroute/Makefile.am
new file mode 100644
index 000000000..83db48160
--- /dev/null
+++ b/src/libcharon/plugins/kernel_pfroute/Makefile.am
@@ -0,0 +1,17 @@
+
+INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra -I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-kernel-pfroute.la
+else
+plugin_LTLIBRARIES = libstrongswan-kernel-pfroute.la
+endif
+
+libstrongswan_kernel_pfroute_la_SOURCES = \
+	kernel_pfroute_plugin.h kernel_pfroute_plugin.c \
+	kernel_pfroute_net.h kernel_pfroute_net.c
+
+libstrongswan_kernel_pfroute_la_LDFLAGS = -module -avoid-version
diff --git a/src/libcharon/plugins/kernel_pfroute/Makefile.in b/src/libcharon/plugins/kernel_pfroute/Makefile.in
new file mode 100644
index 000000000..3a4d2c3b5
--- /dev/null
+++ b/src/libcharon/plugins/kernel_pfroute/Makefile.in
@@ -0,0 +1,590 @@
+# Makefile.in generated by automake 1.11 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libcharon/plugins/kernel_pfroute
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_kernel_pfroute_la_LIBADD =
+am_libstrongswan_kernel_pfroute_la_OBJECTS = kernel_pfroute_plugin.lo \
+	kernel_pfroute_net.lo
+libstrongswan_kernel_pfroute_la_OBJECTS =  \
+	$(am_libstrongswan_kernel_pfroute_la_OBJECTS)
+libstrongswan_kernel_pfroute_la_LINK = $(LIBTOOL) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_kernel_pfroute_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_kernel_pfroute_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_kernel_pfroute_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_kernel_pfroute_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_kernel_pfroute_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libhydra_plugins = @libhydra_plugins@
+libstrongswan_plugins = @libstrongswan_plugins@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra -I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-kernel-pfroute.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-kernel-pfroute.la
+libstrongswan_kernel_pfroute_la_SOURCES = \
+	kernel_pfroute_plugin.h kernel_pfroute_plugin.c \
+	kernel_pfroute_net.h kernel_pfroute_net.c
+
+libstrongswan_kernel_pfroute_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/kernel_pfroute/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libcharon/plugins/kernel_pfroute/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-kernel-pfroute.la: $(libstrongswan_kernel_pfroute_la_OBJECTS) $(libstrongswan_kernel_pfroute_la_DEPENDENCIES) 
+	$(libstrongswan_kernel_pfroute_la_LINK) $(am_libstrongswan_kernel_pfroute_la_rpath) $(libstrongswan_kernel_pfroute_la_OBJECTS) $(libstrongswan_kernel_pfroute_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_pfroute_net.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_pfroute_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_net.c b/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_net.c
new file mode 100644
index 000000000..97c019b58
--- /dev/null
+++ b/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_net.c
@@ -0,0 +1,729 @@
+/*
+ * Copyright (C) 2009 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <net/if.h>
+#include <ifaddrs.h>
+#include <net/route.h>
+#include <unistd.h>
+#include <errno.h>
+
+#include "kernel_pfroute_net.h"
+
+#include <daemon.h>
+#include <utils/host.h>
+#include <threading/thread.h>
+#include <threading/mutex.h>
+#include <utils/linked_list.h>
+#include <processing/jobs/callback_job.h>
+#include <processing/jobs/roam_job.h>
+
+#ifndef HAVE_STRUCT_SOCKADDR_SA_LEN
+#error Cannot compile this plugin on systems where 'struct sockaddr' has no sa_len member.
+#endif
+
+/** delay before firing roam jobs (ms) */
+#define ROAM_DELAY 100
+
+/** buffer size for PF_ROUTE messages */
+#define PFROUTE_BUFFER_SIZE 4096
+
+typedef struct addr_entry_t addr_entry_t;
+
+/**
+ * IP address in an inface_entry_t
+ */
+struct addr_entry_t {
+
+	/** The ip address */
+	host_t *ip;
+
+	/** virtual IP managed by us */
+	bool virtual;
+
+	/** Number of times this IP is used, if virtual */
+	u_int refcount;
+};
+
+/**
+ * destroy a addr_entry_t object
+ */
+static void addr_entry_destroy(addr_entry_t *this)
+{
+	this->ip->destroy(this->ip);
+	free(this);
+}
+
+typedef struct iface_entry_t iface_entry_t;
+
+/**
+ * A network interface on this system, containing addr_entry_t's
+ */
+struct iface_entry_t {
+
+	/** interface index */
+	int ifindex;
+
+	/** name of the interface */
+	char ifname[IFNAMSIZ];
+
+	/** interface flags, as in netdevice(7) SIOCGIFFLAGS */
+	u_int flags;
+
+	/** list of addresses as host_t */
+	linked_list_t *addrs;
+};
+
+/**
+ * destroy an interface entry
+ */
+static void iface_entry_destroy(iface_entry_t *this)
+{
+	this->addrs->destroy_function(this->addrs, (void*)addr_entry_destroy);
+	free(this);
+}
+
+
+typedef struct private_kernel_pfroute_net_t private_kernel_pfroute_net_t;
+
+/**
+ * Private variables and functions of kernel_pfroute class.
+ */
+struct private_kernel_pfroute_net_t
+{
+	/**
+	 * Public part of the kernel_pfroute_t object.
+	 */
+	kernel_pfroute_net_t public;
+
+	/**
+	 * mutex to lock access to various lists
+	 */
+	mutex_t *mutex;
+
+	/**
+	 * Cached list of interfaces and their addresses (iface_entry_t)
+	 */
+	linked_list_t *ifaces;
+
+	/**
+	 * job receiving PF_ROUTE events
+	 */
+	callback_job_t *job;
+
+	/**
+	 * mutex to lock access to the PF_ROUTE socket
+	 */
+	mutex_t *mutex_pfroute;
+
+	/**
+	 * PF_ROUTE socket to communicate with the kernel
+	 */
+	int socket;
+
+	/**
+	 * PF_ROUTE socket to receive events
+	 */
+	int socket_events;
+
+	/**
+	 * sequence number for messages sent to the kernel
+	 */
+	int seq;
+
+	/**
+	 * time of last roam job
+	 */
+	timeval_t last_roam;
+};
+
+/**
+ * Start a roaming job. We delay it a bit and fire only one job
+ * for multiple events. Otherwise we would create too many jobs.
+ */
+static void fire_roam_job(private_kernel_pfroute_net_t *this, bool address)
+{
+	timeval_t now;
+
+	time_monotonic(&now);
+	if (timercmp(&now, &this->last_roam, >))
+	{
+		now.tv_usec += ROAM_DELAY * 1000;
+		while (now.tv_usec > 1000000)
+		{
+			now.tv_sec++;
+			now.tv_usec -= 1000000;
+		}
+		this->last_roam = now;
+		charon->scheduler->schedule_job_ms(charon->scheduler,
+			(job_t*)roam_job_create(address), ROAM_DELAY);
+	}
+}
+
+/**
+ * Process an RTM_*ADDR message from the kernel
+ */
+static void process_addr(private_kernel_pfroute_net_t *this,
+						 struct rt_msghdr *msg)
+{
+	struct ifa_msghdr *ifa = (struct ifa_msghdr*)msg;
+	sockaddr_t *sockaddr = (sockaddr_t*)(ifa + 1);
+	host_t *host = NULL;
+	enumerator_t *ifaces, *addrs;
+	iface_entry_t *iface;
+	addr_entry_t *addr;
+	bool found = FALSE, changed = FALSE, roam = FALSE;
+	int i;
+
+	for (i = 1; i < (1 << RTAX_MAX); i <<= 1)
+	{
+		if (ifa->ifam_addrs & i)
+		{
+			if (RTA_IFA & i)
+			{
+				host = host_create_from_sockaddr(sockaddr);
+				break;
+			}
+			sockaddr = (sockaddr_t*)((char*)sockaddr + sockaddr->sa_len);
+		}
+	}
+
+	if (!host)
+	{
+		return;
+	}
+
+	this->mutex->lock(this->mutex);
+	ifaces = this->ifaces->create_enumerator(this->ifaces);
+	while (ifaces->enumerate(ifaces, &iface))
+	{
+		if (iface->ifindex == ifa->ifam_index)
+		{
+			addrs = iface->addrs->create_enumerator(iface->addrs);
+			while (addrs->enumerate(addrs, &addr))
+			{
+				if (host->ip_equals(host, addr->ip))
+				{
+					found = TRUE;
+					if (ifa->ifam_type == RTM_DELADDR)
+					{
+						iface->addrs->remove_at(iface->addrs, addrs);
+						if (!addr->virtual)
+						{
+							changed = TRUE;
+							DBG1(DBG_KNL, "%H disappeared from %s",
+								 host, iface->ifname);
+						}
+						addr_entry_destroy(addr);
+					}
+					else if (ifa->ifam_type == RTM_NEWADDR && addr->virtual)
+					{
+						addr->refcount = 1;
+					}
+				}
+			}
+			addrs->destroy(addrs);
+
+			if (!found && ifa->ifam_type == RTM_NEWADDR)
+			{
+				changed = TRUE;
+				addr = malloc_thing(addr_entry_t);
+				addr->ip = host->clone(host);
+				addr->virtual = FALSE;
+				addr->refcount = 1;
+				iface->addrs->insert_last(iface->addrs, addr);
+				DBG1(DBG_KNL, "%H appeared on %s", host, iface->ifname);
+			}
+
+			if (changed && (iface->flags & IFF_UP))
+			{
+				roam = TRUE;
+			}
+			break;
+		}
+	}
+	ifaces->destroy(ifaces);
+	this->mutex->unlock(this->mutex);
+	host->destroy(host);
+
+	if (roam)
+	{
+		fire_roam_job(this, TRUE);
+	}
+}
+
+/**
+ * Process an RTM_IFINFO message from the kernel
+ */
+static void process_link(private_kernel_pfroute_net_t *this,
+						 struct rt_msghdr *hdr)
+{
+	struct if_msghdr *msg = (struct if_msghdr*)hdr;
+	enumerator_t *enumerator;
+	iface_entry_t *iface;
+	bool roam = FALSE;
+
+	if (msg->ifm_flags & IFF_LOOPBACK)
+	{	/* ignore loopback interfaces */
+		return;
+	}
+
+	this->mutex->lock(this->mutex);
+	enumerator = this->ifaces->create_enumerator(this->ifaces);
+	while (enumerator->enumerate(enumerator, &iface))
+	{
+		if (iface->ifindex == msg->ifm_index)
+		{
+			if (!(iface->flags & IFF_UP) && (msg->ifm_flags & IFF_UP))
+			{
+				roam = TRUE;
+				DBG1(DBG_KNL, "interface %s activated", iface->ifname);
+			}
+			else if ((iface->flags & IFF_UP) && !(msg->ifm_flags & IFF_UP))
+			{
+				roam = TRUE;
+				DBG1(DBG_KNL, "interface %s deactivated", iface->ifname);
+			}
+			iface->flags = msg->ifm_flags;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->mutex->unlock(this->mutex);
+
+	if (roam)
+	{
+		fire_roam_job(this, TRUE);
+	}
+}
+
+/**
+ * Process an RTM_*ROUTE message from the kernel
+ */
+static void process_route(private_kernel_pfroute_net_t *this,
+						  struct rt_msghdr *msg)
+{
+
+}
+
+/**
+ * Receives events from kernel
+ */
+static job_requeue_t receive_events(private_kernel_pfroute_net_t *this)
+{
+	unsigned char buf[PFROUTE_BUFFER_SIZE];
+	struct rt_msghdr *msg = (struct rt_msghdr*)buf;
+	int len;
+	bool oldstate;
+
+	oldstate = thread_cancelability(TRUE);
+	len = recvfrom(this->socket_events, buf, sizeof(buf), 0, NULL, 0);
+	thread_cancelability(oldstate);
+
+	if (len < 0)
+	{
+		switch (errno)
+		{
+			case EINTR:
+				/* interrupted, try again */
+				return JOB_REQUEUE_DIRECT;
+			case EAGAIN:
+				/* no data ready, select again */
+				return JOB_REQUEUE_DIRECT;
+			default:
+				DBG1(DBG_KNL, "unable to receive from PF_ROUTE event socket");
+				sleep(1);
+				return JOB_REQUEUE_FAIR;
+		}
+	}
+
+	if (len < sizeof(msg->rtm_msglen) || len < msg->rtm_msglen ||
+		msg->rtm_version != RTM_VERSION)
+	{
+		DBG2(DBG_KNL, "received corrupted PF_ROUTE message");
+		return JOB_REQUEUE_DIRECT;
+	}
+
+	switch (msg->rtm_type)
+	{
+		case RTM_NEWADDR:
+		case RTM_DELADDR:
+			process_addr(this, msg);
+			break;
+		case RTM_IFINFO:
+		/*case RTM_IFANNOUNCE <- what about this*/
+			process_link(this, msg);
+			break;
+		case RTM_ADD:
+		case RTM_DELETE:
+			process_route(this, msg);
+		default:
+			break;
+	}
+
+	return JOB_REQUEUE_DIRECT;
+}
+
+
+/** enumerator over addresses */
+typedef struct {
+	private_kernel_pfroute_net_t* this;
+	/** whether to enumerate down interfaces */
+	bool include_down_ifaces;
+	/** whether to enumerate virtual ip addresses */
+	bool include_virtual_ips;
+} address_enumerator_t;
+
+/**
+ * cleanup function for address enumerator
+ */
+static void address_enumerator_destroy(address_enumerator_t *data)
+{
+	data->this->mutex->unlock(data->this->mutex);
+	free(data);
+}
+
+/**
+ * filter for addresses
+ */
+static bool filter_addresses(address_enumerator_t *data, addr_entry_t** in, host_t** out)
+{
+	host_t *ip;
+	if (!data->include_virtual_ips && (*in)->virtual)
+	{   /* skip virtual interfaces added by us */
+		return FALSE;
+	}
+	ip = (*in)->ip;
+	if (ip->get_family(ip) == AF_INET6)
+	{
+		struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)ip->get_sockaddr(ip);
+		if (IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr))
+		{   /* skip addresses with a unusable scope */
+			return FALSE;
+		}
+	}
+	*out = ip;
+	return TRUE;
+}
+
+/**
+ * enumerator constructor for interfaces
+ */
+static enumerator_t *create_iface_enumerator(iface_entry_t *iface, address_enumerator_t *data)
+{
+	return enumerator_create_filter(iface->addrs->create_enumerator(iface->addrs),
+									(void*)filter_addresses, data, NULL);
+}
+
+/**
+ * filter for interfaces
+ */
+static bool filter_interfaces(address_enumerator_t *data, iface_entry_t** in, iface_entry_t** out)
+{
+	if (!data->include_down_ifaces && !((*in)->flags & IFF_UP))
+	{   /* skip interfaces not up */
+		return FALSE;
+	}
+	*out = *in;
+	return TRUE;
+}
+
+/**
+ * implementation of kernel_net_t.create_address_enumerator
+ */
+static enumerator_t *create_address_enumerator(private_kernel_pfroute_net_t *this,
+		bool include_down_ifaces, bool include_virtual_ips)
+{
+	address_enumerator_t *data = malloc_thing(address_enumerator_t);
+	data->this = this;
+	data->include_down_ifaces = include_down_ifaces;
+	data->include_virtual_ips = include_virtual_ips;
+
+	this->mutex->lock(this->mutex);
+	return enumerator_create_nested(
+				enumerator_create_filter(this->ifaces->create_enumerator(this->ifaces),
+						(void*)filter_interfaces, data, NULL),
+				(void*)create_iface_enumerator, data, (void*)address_enumerator_destroy);
+}
+
+/**
+ * implementation of kernel_net_t.get_interface_name
+ */
+static char *get_interface_name(private_kernel_pfroute_net_t *this, host_t* ip)
+{
+	enumerator_t *ifaces, *addrs;
+	iface_entry_t *iface;
+	addr_entry_t *addr;
+	char *name = NULL;
+
+	DBG2(DBG_KNL, "getting interface name for %H", ip);
+
+	this->mutex->lock(this->mutex);
+	ifaces = this->ifaces->create_enumerator(this->ifaces);
+	while (ifaces->enumerate(ifaces, &iface))
+	{
+		addrs = iface->addrs->create_enumerator(iface->addrs);
+		while (addrs->enumerate(addrs, &addr))
+		{
+			if (ip->ip_equals(ip, addr->ip))
+			{
+				name = strdup(iface->ifname);
+				break;
+			}
+		}
+		addrs->destroy(addrs);
+		if (name)
+		{
+			break;
+		}
+	}
+	ifaces->destroy(ifaces);
+	this->mutex->unlock(this->mutex);
+
+	if (name)
+	{
+		DBG2(DBG_KNL, "%H is on interface %s", ip, name);
+	}
+	else
+	{
+		DBG2(DBG_KNL, "%H is not a local address", ip);
+	}
+	return name;
+}
+
+/**
+ * Implementation of kernel_net_t.get_source_addr.
+ */
+static host_t* get_source_addr(private_kernel_pfroute_net_t *this,
+							   host_t *dest, host_t *src)
+{
+	return NULL;
+}
+
+/**
+ * Implementation of kernel_net_t.get_nexthop.
+ */
+static host_t* get_nexthop(private_kernel_pfroute_net_t *this, host_t *dest)
+{
+	return NULL;
+}
+
+/**
+ * Implementation of kernel_net_t.add_ip.
+ */
+static status_t add_ip(private_kernel_pfroute_net_t *this,
+						host_t *virtual_ip, host_t *iface_ip)
+{
+	return FAILED;
+}
+
+/**
+ * Implementation of kernel_net_t.del_ip.
+ */
+static status_t del_ip(private_kernel_pfroute_net_t *this, host_t *virtual_ip)
+{
+	return FAILED;
+}
+
+/**
+ * Implementation of kernel_net_t.add_route.
+ */
+static status_t add_route(private_kernel_pfroute_net_t *this, chunk_t dst_net,
+		u_int8_t prefixlen, host_t *gateway, host_t *src_ip, char *if_name)
+{
+	return FAILED;
+}
+
+/**
+ * Implementation of kernel_net_t.del_route.
+ */
+static status_t del_route(private_kernel_pfroute_net_t *this, chunk_t dst_net,
+		u_int8_t prefixlen, host_t *gateway, host_t *src_ip, char *if_name)
+{
+	return FAILED;
+}
+
+/**
+ * Initialize a list of local addresses.
+ */
+static status_t init_address_list(private_kernel_pfroute_net_t *this)
+{
+	struct ifaddrs *ifap, *ifa;
+	iface_entry_t *iface, *current;
+	addr_entry_t *addr;
+	enumerator_t *ifaces, *addrs;
+
+	DBG1(DBG_KNL, "listening on interfaces:");
+
+	if (getifaddrs(&ifap) < 0)
+	{
+		DBG1(DBG_KNL, "  failed to get interfaces!");
+		return FAILED;
+	}
+
+	for (ifa = ifap; ifa != NULL; ifa = ifa->ifa_next)
+	{
+		if (ifa->ifa_addr == NULL)
+		{
+			continue;
+		}
+		switch(ifa->ifa_addr->sa_family)
+		{
+			case AF_LINK:
+			case AF_INET:
+			case AF_INET6:
+			{
+				if (ifa->ifa_flags & IFF_LOOPBACK)
+				{	/* ignore loopback interfaces */
+					continue;
+				}
+
+				iface = NULL;
+				ifaces = this->ifaces->create_enumerator(this->ifaces);
+				while (ifaces->enumerate(ifaces, &current))
+				{
+					if (streq(current->ifname, ifa->ifa_name))
+					{
+						iface = current;
+						break;
+					}
+				}
+				ifaces->destroy(ifaces);
+
+				if (!iface)
+				{
+					iface = malloc_thing(iface_entry_t);
+					memcpy(iface->ifname, ifa->ifa_name, IFNAMSIZ);
+					iface->ifindex = if_nametoindex(ifa->ifa_name);
+					iface->flags = ifa->ifa_flags;
+					iface->addrs = linked_list_create();
+					this->ifaces->insert_last(this->ifaces, iface);
+				}
+
+				if (ifa->ifa_addr->sa_family != AF_LINK)
+				{
+					addr = malloc_thing(addr_entry_t);
+					addr->ip = host_create_from_sockaddr(ifa->ifa_addr);
+					addr->virtual = FALSE;
+					addr->refcount = 1;
+					iface->addrs->insert_last(iface->addrs, addr);
+				}
+			}
+		}
+	}
+	freeifaddrs(ifap);
+
+	ifaces = this->ifaces->create_enumerator(this->ifaces);
+	while (ifaces->enumerate(ifaces, &iface))
+	{
+		if (iface->flags & IFF_UP)
+		{
+			DBG1(DBG_KNL, "  %s", iface->ifname);
+			addrs = iface->addrs->create_enumerator(iface->addrs);
+			while (addrs->enumerate(addrs, (void**)&addr))
+			{
+				DBG1(DBG_KNL, "    %H", addr->ip);
+			}
+			addrs->destroy(addrs);
+		}
+	}
+	ifaces->destroy(ifaces);
+
+	return SUCCESS;
+}
+
+/**
+ * Implementation of kernel_netlink_net_t.destroy.
+ */
+static void destroy(private_kernel_pfroute_net_t *this)
+{
+	if (this->job)
+	{
+		this->job->cancel(this->job);
+	}
+	if (this->socket > 0)
+	{
+		close(this->socket);
+	}
+	if (this->socket_events)
+	{
+		close(this->socket_events);
+	}
+	this->ifaces->destroy_function(this->ifaces, (void*)iface_entry_destroy);
+	this->mutex->destroy(this->mutex);
+	this->mutex_pfroute->destroy(this->mutex_pfroute);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+kernel_pfroute_net_t *kernel_pfroute_net_create()
+{
+	private_kernel_pfroute_net_t *this = malloc_thing(private_kernel_pfroute_net_t);
+
+	/* public functions */
+	this->public.interface.get_interface = (char*(*)(kernel_net_t*,host_t*))get_interface_name;
+	this->public.interface.create_address_enumerator = (enumerator_t*(*)(kernel_net_t*,bool,bool))create_address_enumerator;
+	this->public.interface.get_source_addr = (host_t*(*)(kernel_net_t*, host_t *dest, host_t *src))get_source_addr;
+	this->public.interface.get_nexthop = (host_t*(*)(kernel_net_t*, host_t *dest))get_nexthop;
+	this->public.interface.add_ip = (status_t(*)(kernel_net_t*,host_t*,host_t*)) add_ip;
+	this->public.interface.del_ip = (status_t(*)(kernel_net_t*,host_t*)) del_ip;
+	this->public.interface.add_route = (status_t(*)(kernel_net_t*,chunk_t,u_int8_t,host_t*,host_t*,char*)) add_route;
+	this->public.interface.del_route = (status_t(*)(kernel_net_t*,chunk_t,u_int8_t,host_t*,host_t*,char*)) del_route;
+
+	this->public.interface.destroy = (void(*)(kernel_net_t*)) destroy;
+
+	/* private members */
+	this->ifaces = linked_list_create();
+	this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
+	this->mutex_pfroute = mutex_create(MUTEX_TYPE_DEFAULT);
+
+	this->seq = 0;
+	this->socket_events = 0;
+	this->job = NULL;
+
+	/* create a PF_ROUTE socket to communicate with the kernel */
+	this->socket = socket(PF_ROUTE, SOCK_RAW, AF_UNSPEC);
+	if (this->socket < 0)
+	{
+		DBG1(DBG_KNL, "unable to create PF_ROUTE socket");
+		destroy(this);
+		return NULL;
+	}
+
+	/* create a PF_ROUTE socket to receive events */
+	this->socket_events = socket(PF_ROUTE, SOCK_RAW, AF_UNSPEC);
+	if (this->socket_events < 0)
+	{
+		DBG1(DBG_KNL, "unable to create PF_ROUTE event socket");
+		destroy(this);
+		return NULL;
+	}
+
+	this->job = callback_job_create((callback_job_cb_t)receive_events,
+									this, NULL, NULL);
+	charon->processor->queue_job(charon->processor, (job_t*)this->job);
+
+	if (init_address_list(this) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "unable to get interface list");
+		destroy(this);
+		return NULL;
+	}
+
+	return &this->public;
+}
diff --git a/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_net.h b/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_net.h
new file mode 100644
index 000000000..10c3c9eb7
--- /dev/null
+++ b/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_net.h
@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) 2009 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup kernel_pfroute_net_i kernel_pfroute_net
+ * @{ @ingroup kernel_pfroute
+ */
+
+#ifndef KERNEL_PFROUTE_NET_H_
+#define KERNEL_PFROUTE_NET_H_
+
+#include <kernel/kernel_net.h>
+
+typedef struct kernel_pfroute_net_t kernel_pfroute_net_t;
+
+/**
+ * Implementation of the kernel net interface using PF_ROUTE.
+ */
+struct kernel_pfroute_net_t {
+
+	/**
+	 * Implements kernel_net_t interface
+	 */
+	kernel_net_t interface;
+};
+
+/**
+ * Create a PF_ROUTE kernel net interface instance.
+ *
+ * @return			kernel_pfroute_net_t instance
+ */
+kernel_pfroute_net_t *kernel_pfroute_net_create();
+
+#endif /** KERNEL_PFROUTE_NET_H_ @}*/
diff --git a/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_plugin.c b/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_plugin.c
new file mode 100644
index 000000000..97139fb56
--- /dev/null
+++ b/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_plugin.c
@@ -0,0 +1,58 @@
+/*
+ * Copyright (C) 2009 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+
+#include "kernel_pfroute_plugin.h"
+
+#include "kernel_pfroute_net.h"
+
+#include <daemon.h>
+
+typedef struct private_kernel_pfroute_plugin_t private_kernel_pfroute_plugin_t;
+
+/**
+ * private data of kernel PF_ROUTE plugin
+ */
+struct private_kernel_pfroute_plugin_t {
+	/**
+	 * implements plugin interface
+	 */
+	kernel_pfroute_plugin_t public;
+};
+
+/**
+ * Implementation of plugin_t.destroy
+ */
+static void destroy(private_kernel_pfroute_plugin_t *this)
+{
+	charon->kernel_interface->remove_net_interface(charon->kernel_interface,
+						(kernel_net_constructor_t)kernel_pfroute_net_create);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *kernel_pfroute_plugin_create()
+{
+	private_kernel_pfroute_plugin_t *this = malloc_thing(private_kernel_pfroute_plugin_t);
+
+	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+
+	charon->kernel_interface->add_net_interface(charon->kernel_interface,
+						(kernel_net_constructor_t)kernel_pfroute_net_create);
+
+	return &this->public.plugin;
+}
diff --git a/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_plugin.h b/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_plugin.h
new file mode 100644
index 000000000..50642a572
--- /dev/null
+++ b/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2009 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup kernel_pfroute kernel_pfroute
+ * @ingroup cplugins
+ *
+ * @defgroup kernel_pfroute_plugin kernel_pfroute_plugin
+ * @{ @ingroup kernel_pfroute
+ */
+
+#ifndef KERNEL_PFROUTE_PLUGIN_H_
+#define KERNEL_PFROUTE_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct kernel_pfroute_plugin_t kernel_pfroute_plugin_t;
+
+/**
+ * PF_ROUTE kernel interface plugin
+ */
+struct kernel_pfroute_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+#endif /** KERNEL_PFROUTE_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/load_tester/Makefile.am b/src/libcharon/plugins/load_tester/Makefile.am
new file mode 100644
index 000000000..cdd0445a9
--- /dev/null
+++ b/src/libcharon/plugins/load_tester/Makefile.am
@@ -0,0 +1,21 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-load-tester.la
+else
+plugin_LTLIBRARIES = libstrongswan-load-tester.la
+endif
+
+libstrongswan_load_tester_la_SOURCES = \
+	load_tester_plugin.c load_tester_plugin.h \
+	load_tester_config.c load_tester_config.h \
+	load_tester_creds.c load_tester_creds.h \
+	load_tester_ipsec.c load_tester_ipsec.h \
+	load_tester_listener.c load_tester_listener.h \
+	load_tester_diffie_hellman.c load_tester_diffie_hellman.h
+
+libstrongswan_load_tester_la_LDFLAGS = -module -avoid-version
diff --git a/src/libcharon/plugins/load_tester/Makefile.in b/src/libcharon/plugins/load_tester/Makefile.in
new file mode 100644
index 000000000..8965aff78
--- /dev/null
+++ b/src/libcharon/plugins/load_tester/Makefile.in
@@ -0,0 +1,600 @@
+# Makefile.in generated by automake 1.11 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libcharon/plugins/load_tester
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_load_tester_la_LIBADD =
+am_libstrongswan_load_tester_la_OBJECTS = load_tester_plugin.lo \
+	load_tester_config.lo load_tester_creds.lo \
+	load_tester_ipsec.lo load_tester_listener.lo \
+	load_tester_diffie_hellman.lo
+libstrongswan_load_tester_la_OBJECTS =  \
+	$(am_libstrongswan_load_tester_la_OBJECTS)
+libstrongswan_load_tester_la_LINK = $(LIBTOOL) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_load_tester_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_load_tester_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_load_tester_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_load_tester_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_load_tester_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libhydra_plugins = @libhydra_plugins@
+libstrongswan_plugins = @libstrongswan_plugins@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-load-tester.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-load-tester.la
+libstrongswan_load_tester_la_SOURCES = \
+	load_tester_plugin.c load_tester_plugin.h \
+	load_tester_config.c load_tester_config.h \
+	load_tester_creds.c load_tester_creds.h \
+	load_tester_ipsec.c load_tester_ipsec.h \
+	load_tester_listener.c load_tester_listener.h \
+	load_tester_diffie_hellman.c load_tester_diffie_hellman.h
+
+libstrongswan_load_tester_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/load_tester/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libcharon/plugins/load_tester/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-load-tester.la: $(libstrongswan_load_tester_la_OBJECTS) $(libstrongswan_load_tester_la_DEPENDENCIES) 
+	$(libstrongswan_load_tester_la_LINK) $(am_libstrongswan_load_tester_la_rpath) $(libstrongswan_load_tester_la_OBJECTS) $(libstrongswan_load_tester_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/load_tester_config.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/load_tester_creds.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/load_tester_diffie_hellman.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/load_tester_ipsec.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/load_tester_listener.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/load_tester_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libcharon/plugins/load_tester/load_tester_config.c b/src/libcharon/plugins/load_tester/load_tester_config.c
new file mode 100644
index 000000000..c1f98f2fe
--- /dev/null
+++ b/src/libcharon/plugins/load_tester/load_tester_config.c
@@ -0,0 +1,333 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "load_tester_config.h"
+
+#include <daemon.h>
+
+typedef struct private_load_tester_config_t private_load_tester_config_t;
+
+/**
+ * Private data of an load_tester_config_t object
+ */
+struct private_load_tester_config_t {
+
+	/**
+	 * Public part
+	 */
+	load_tester_config_t public;
+
+	/**
+	 * peer config
+	 */
+	peer_cfg_t *peer_cfg;
+
+	/**
+	 * virtual IP, if any
+	 */
+	host_t *vip;
+
+	/**
+	 * Remote address
+	 */
+	char *remote;
+
+	/**
+	 * IP address pool
+	 */
+	char *pool;
+
+	/**
+	 * IKE proposal
+	 */
+	proposal_t *proposal;
+
+	/**
+	 * Authentication method(s) to use/expect from initiator
+	 */
+	char *initiator_auth;
+
+	/**
+	 * Authentication method(s) use/expected from responder
+	 */
+	char *responder_auth;
+
+	/**
+	 * IKE_SA rekeying delay
+	 */
+	u_int ike_rekey;
+
+	/**
+	 * CHILD_SA rekeying delay
+	 */
+	u_int child_rekey;
+
+	/**
+	 * incremental numbering of generated configs
+	 */
+	u_int num;
+
+	/**
+	 * Dynamic source port, if used
+	 */
+	u_int16_t port;
+};
+
+/**
+ * Generate auth config from string
+ */
+static void generate_auth_cfg(private_load_tester_config_t *this, char *str,
+							  peer_cfg_t *peer_cfg, bool local, int num)
+{
+	enumerator_t *enumerator;
+	auth_cfg_t *auth;
+	identification_t *id;
+	auth_class_t class;
+	eap_type_t type;
+	char buf[128];
+	int rnd = 0;
+
+	enumerator = enumerator_create_token(str, "|", " ");
+	while (enumerator->enumerate(enumerator, &str))
+	{
+		auth = auth_cfg_create();
+		rnd++;
+
+		if (streq(str, "psk"))
+		{	/* PSK authentication, use FQDNs */
+			class = AUTH_CLASS_PSK;
+			if ((local && !num) || (!local && num))
+			{
+				id = identification_create_from_string("srv.strongswan.org");
+			}
+			else if (local)
+			{
+				snprintf(buf, sizeof(buf), "c%d-r%d.strongswan.org", num, rnd);
+				id = identification_create_from_string(buf);
+			}
+			else
+			{
+				id = identification_create_from_string("*.strongswan.org");
+			}
+		}
+		else if (strneq(str, "eap", strlen("eap")))
+		{	/* EAP authentication, use a NAI */
+			class = AUTH_CLASS_EAP;
+			if (*(str + strlen("eap")) == '-')
+			{
+				type = eap_type_from_string(str + strlen("eap-"));
+				if (type)
+				{
+					auth->add(auth, AUTH_RULE_EAP_TYPE, type);
+				}
+			}
+			if (local && num)
+			{
+				snprintf(buf, sizeof(buf), "1%.10d%.4d@strongswan.org", num, rnd);
+				id = identification_create_from_string(buf);
+			}
+			else
+			{
+				id = identification_create_from_encoding(ID_ANY, chunk_empty);
+			}
+		}
+		else
+		{
+			if (!streq(str, "pubkey"))
+			{
+				DBG1(DBG_CFG, "invalid authentication: '%s', fallback to pubkey",
+					 str);
+			}
+			/* certificate authentication, use distinguished names */
+			class = AUTH_CLASS_PUBKEY;
+			if ((local && !num) || (!local && num))
+			{
+				id = identification_create_from_string(
+							"CN=srv, OU=load-test, O=strongSwan");
+			}
+			else if (local)
+			{
+				snprintf(buf, sizeof(buf),
+						 "CN=c%d-r%d, OU=load-test, O=strongSwan", num, rnd);
+				id = identification_create_from_string(buf);
+			}
+			else
+			{
+				id = identification_create_from_string(
+								"CN=*, OU=load-test, O=strongSwan");
+			}
+		}
+		auth->add(auth, AUTH_RULE_AUTH_CLASS, class);
+		auth->add(auth, AUTH_RULE_IDENTITY, id);
+		peer_cfg->add_auth_cfg(peer_cfg, auth, local);
+	}
+	enumerator->destroy(enumerator);
+}
+
+/**
+ * Generate a new initiator config, num = 0 for responder config
+ */
+static peer_cfg_t* generate_config(private_load_tester_config_t *this, uint num)
+{
+	ike_cfg_t *ike_cfg;
+	child_cfg_t *child_cfg;
+	peer_cfg_t *peer_cfg;
+	traffic_selector_t *ts;
+	proposal_t *proposal;
+	lifetime_cfg_t lifetime = {
+		.time = {
+			.life = this->child_rekey * 2,
+			.rekey = this->child_rekey,
+			.jitter = 0
+		}
+	};
+
+	if (this->port && num)
+	{
+		ike_cfg = ike_cfg_create(FALSE, FALSE,
+				"0.0.0.0", this->port + num - 1, this->remote, IKEV2_NATT_PORT);
+	}
+	else
+	{
+		ike_cfg = ike_cfg_create(FALSE, FALSE,
+				"0.0.0.0", IKEV2_UDP_PORT, this->remote, IKEV2_UDP_PORT);
+	}
+	ike_cfg->add_proposal(ike_cfg, this->proposal->clone(this->proposal));
+	peer_cfg = peer_cfg_create("load-test", 2, ike_cfg,
+							   CERT_SEND_IF_ASKED, UNIQUE_NO, 1, /* keytries */
+							   this->ike_rekey, 0, /* rekey, reauth */
+							   0, this->ike_rekey, /* jitter, overtime */
+							   FALSE, 0, /* mobike, dpddelay */
+							   this->vip ? this->vip->clone(this->vip) : NULL,
+							   this->pool, FALSE, NULL, NULL);
+	if (num)
+	{	/* initiator */
+		generate_auth_cfg(this, this->initiator_auth, peer_cfg, TRUE, num);
+		generate_auth_cfg(this, this->responder_auth, peer_cfg, FALSE, num);
+	}
+	else
+	{	/* responder */
+		generate_auth_cfg(this, this->responder_auth, peer_cfg, TRUE, num);
+		generate_auth_cfg(this, this->initiator_auth, peer_cfg, FALSE, num);
+	}
+
+	child_cfg = child_cfg_create("load-test", &lifetime, NULL, TRUE,
+								 MODE_TUNNEL, ACTION_NONE, ACTION_NONE, FALSE, 0);
+	proposal = proposal_create_from_string(PROTO_ESP, "aes128-sha1");
+	child_cfg->add_proposal(child_cfg, proposal);
+	ts = traffic_selector_create_dynamic(0, 0, 65535);
+	child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
+	ts = traffic_selector_create_dynamic(0, 0, 65535);
+	child_cfg->add_traffic_selector(child_cfg, FALSE, ts);
+	peer_cfg->add_child_cfg(peer_cfg, child_cfg);
+	return peer_cfg;
+}
+
+/**
+ * Implementation of backend_t.create_peer_cfg_enumerator.
+ */
+static enumerator_t* create_peer_cfg_enumerator(private_load_tester_config_t *this,
+												identification_t *me,
+												identification_t *other)
+{
+	return enumerator_create_single(this->peer_cfg, NULL);
+}
+
+/**
+ * Implementation of backend_t.create_ike_cfg_enumerator.
+ */
+static enumerator_t* create_ike_cfg_enumerator(private_load_tester_config_t *this,
+											   host_t *me, host_t *other)
+{
+	ike_cfg_t *ike_cfg;
+
+	ike_cfg = this->peer_cfg->get_ike_cfg(this->peer_cfg);
+	return enumerator_create_single(ike_cfg, NULL);
+}
+
+/**
+ * implements backend_t.get_peer_cfg_by_name.
+ */
+static peer_cfg_t *get_peer_cfg_by_name(private_load_tester_config_t *this,
+										char *name)
+{
+	if (streq(name, "load-test"))
+	{
+		return generate_config(this, this->num++);
+	}
+	return NULL;
+}
+
+/**
+ * Implementation of load_tester_config_t.destroy.
+ */
+static void destroy(private_load_tester_config_t *this)
+{
+	this->peer_cfg->destroy(this->peer_cfg);
+	DESTROY_IF(this->proposal);
+	DESTROY_IF(this->vip);
+	free(this);
+}
+
+/**
+ * Described in header.
+ */
+load_tester_config_t *load_tester_config_create()
+{
+	private_load_tester_config_t *this = malloc_thing(private_load_tester_config_t);
+
+	this->public.backend.create_peer_cfg_enumerator = (enumerator_t*(*)(backend_t*, identification_t *me, identification_t *other))create_peer_cfg_enumerator;
+	this->public.backend.create_ike_cfg_enumerator = (enumerator_t*(*)(backend_t*, host_t *me, host_t *other))create_ike_cfg_enumerator;
+	this->public.backend.get_peer_cfg_by_name = (peer_cfg_t* (*)(backend_t*,char*))get_peer_cfg_by_name;
+	this->public.destroy = (void(*)(load_tester_config_t*))destroy;
+
+	this->vip = NULL;
+	if (lib->settings->get_bool(lib->settings,
+				"charon.plugins.load-tester.request_virtual_ip", FALSE))
+	{
+		this->vip = host_create_from_string("0.0.0.0", 0);
+	}
+	this->pool = lib->settings->get_str(lib->settings,
+				"charon.plugins.load-tester.pool", NULL);
+	this->remote = lib->settings->get_str(lib->settings,
+				"charon.plugins.load-tester.remote", "127.0.0.1");
+
+	this->proposal = proposal_create_from_string(PROTO_IKE,
+			lib->settings->get_str(lib->settings,
+				"charon.plugins.load-tester.proposal", "aes128-sha1-modp768"));
+	if (!this->proposal)
+	{	/* fallback */
+		this->proposal = proposal_create_from_string(PROTO_IKE,
+													 "aes128-sha1-modp768");
+	}
+	this->ike_rekey = lib->settings->get_int(lib->settings,
+				"charon.plugins.load-tester.ike_rekey", 0);
+	this->child_rekey = lib->settings->get_int(lib->settings,
+				"charon.plugins.load-tester.child_rekey", 600);
+
+	this->initiator_auth = lib->settings->get_str(lib->settings,
+				"charon.plugins.load-tester.initiator_auth", "pubkey");
+	this->responder_auth = lib->settings->get_str(lib->settings,
+				"charon.plugins.load-tester.responder_auth", "pubkey");
+
+	this->port = lib->settings->get_int(lib->settings,
+				"charon.plugins.load-tester.dynamic_port", 0);
+
+	this->num = 1;
+	this->peer_cfg = generate_config(this, 0);
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/plugins/load_tester/load_tester_config.h b/src/libcharon/plugins/load_tester/load_tester_config.h
new file mode 100644
index 000000000..c22387743
--- /dev/null
+++ b/src/libcharon/plugins/load_tester/load_tester_config.h
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup load_tester_config_t load_tester_config
+ * @{ @ingroup load_tester
+ */
+
+#ifndef LOAD_TESTER_CONFIG_H_
+#define LOAD_TESTER_CONFIG_H_
+
+#include <config/backend.h>
+
+typedef struct load_tester_config_t load_tester_config_t;
+
+/**
+ * Provide configurations for load testing.
+ */
+struct load_tester_config_t {
+
+	/**
+	 * Implements backend_t interface
+	 */
+	backend_t backend;
+
+	/**
+	 * Destroy the backend.
+	 */
+	void (*destroy)(load_tester_config_t *this);
+};
+
+/**
+ * Create a configuration backend for load testing.
+ *
+ * @return			configuration backend
+ */
+load_tester_config_t *load_tester_config_create();
+
+#endif /** LOAD_TESTER_CONFIG_H_ @}*/
diff --git a/src/libcharon/plugins/load_tester/load_tester_creds.c b/src/libcharon/plugins/load_tester/load_tester_creds.c
new file mode 100644
index 000000000..890703c1a
--- /dev/null
+++ b/src/libcharon/plugins/load_tester/load_tester_creds.c
@@ -0,0 +1,313 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "load_tester_creds.h"
+
+#include <time.h>
+
+#include <daemon.h>
+#include <credentials/keys/shared_key.h>
+#include <credentials/certificates/x509.h>
+#include <utils/identification.h>
+
+typedef struct private_load_tester_creds_t private_load_tester_creds_t;
+
+/**
+ * Private data of an load_tester_creds_t object
+ */
+struct private_load_tester_creds_t {
+	/**
+	 * Public part
+	 */
+	load_tester_creds_t public;
+
+	/**
+	 * Private key to create signatures
+	 */
+	private_key_t *private;
+
+	/**
+	 * CA certificate, to issue/verify peer certificates
+	 */
+	certificate_t *ca;
+
+	/**
+	 * serial number to issue certificates
+	 */
+	u_int32_t serial;
+
+	/**
+	 * Preshared key
+	 */
+	shared_key_t *shared;
+};
+
+/**
+ * 1024-bit RSA key:
+-----BEGIN RSA PRIVATE KEY-----
+MIICXQIBAAKBgQDQXr7poAPYZLxmTCqR51STGRuk9Hc5SWtTcs6b2RzpnP8EVRLx
+JEVxOKE9Mw6n7mD1pNrupCpnpGRdLAV5VznTPhSQ6k7ppJJrxosRYg0pHTZqBUEC
+7nQFwAe10g8q0UnM1wa4lJzGxDH78d21cVweJgbkxAeyriS0jhNs7gO5nQIDAQAB
+AoGACVACtkxJf7VY2jWTPXwaQoy/uIqYfX3zhwI9i6eTbDlxCE+JDi/xzpKaWjLa
+99RmjvP0OPArWQB239ck03x7gAm2obutosGbqbKzJZS5cyIayzyW9djZDHBdt9Ho
+quKB39aspWit3xPzkrr+QeIkiggtmBKALTBxTwxAU+P6euECQQD4IPdrzKbCrO79
+LKvoPrQQtTjL6ogag9rI9n2ZuoK3/XVybh2byOXT8tA5G5jSz9Ac8XeVOsnH9gT5
+3WXeaLOFAkEA1vrm/hVSEasp5eATgQ7ig9CF+GGKqhTwXp/uOSl/h3IRmStu5J0C
+9AkYyx0bn3j5R8iUEX/C00KSE1kQNh4NOQJAVOsLYlRG2idPH0xThQc4nuM2jes1
+K0Xm8ZISSDNhm1BeCoyPC4rExTW7d1/vfG5svgsRrvvQpOOYrl7MB0Lz9QJBALhg
+AWJiyLsskEd90Vx7dpvUaEHo7jMGuEx/X6GYzK5Oj3dNP9NEMfc4IhJ5SWqRJ0KA
+bTVA3MexLXT4iqXPSkkCQQDSjLhBwvEnSuW4ElIMzBwLbu7573z2gzU82Mj6trrw
+Osoox/vmcepT1Wjy4AvPZHgxp7vEXNSeS+M5L29QNTp8
+-----END RSA PRIVATE KEY-----
+ */
+static char private[] = {
+  0x30,0x82,0x02,0x5d,0x02,0x01,0x00,0x02,0x81,0x81,0x00,0xd0,0x5e,0xbe,0xe9,0xa0,
+  0x03,0xd8,0x64,0xbc,0x66,0x4c,0x2a,0x91,0xe7,0x54,0x93,0x19,0x1b,0xa4,0xf4,0x77,
+  0x39,0x49,0x6b,0x53,0x72,0xce,0x9b,0xd9,0x1c,0xe9,0x9c,0xff,0x04,0x55,0x12,0xf1,
+  0x24,0x45,0x71,0x38,0xa1,0x3d,0x33,0x0e,0xa7,0xee,0x60,0xf5,0xa4,0xda,0xee,0xa4,
+  0x2a,0x67,0xa4,0x64,0x5d,0x2c,0x05,0x79,0x57,0x39,0xd3,0x3e,0x14,0x90,0xea,0x4e,
+  0xe9,0xa4,0x92,0x6b,0xc6,0x8b,0x11,0x62,0x0d,0x29,0x1d,0x36,0x6a,0x05,0x41,0x02,
+  0xee,0x74,0x05,0xc0,0x07,0xb5,0xd2,0x0f,0x2a,0xd1,0x49,0xcc,0xd7,0x06,0xb8,0x94,
+  0x9c,0xc6,0xc4,0x31,0xfb,0xf1,0xdd,0xb5,0x71,0x5c,0x1e,0x26,0x06,0xe4,0xc4,0x07,
+  0xb2,0xae,0x24,0xb4,0x8e,0x13,0x6c,0xee,0x03,0xb9,0x9d,0x02,0x03,0x01,0x00,0x01,
+  0x02,0x81,0x80,0x09,0x50,0x02,0xb6,0x4c,0x49,0x7f,0xb5,0x58,0xda,0x35,0x93,0x3d,
+  0x7c,0x1a,0x42,0x8c,0xbf,0xb8,0x8a,0x98,0x7d,0x7d,0xf3,0x87,0x02,0x3d,0x8b,0xa7,
+  0x93,0x6c,0x39,0x71,0x08,0x4f,0x89,0x0e,0x2f,0xf1,0xce,0x92,0x9a,0x5a,0x32,0xda,
+  0xf7,0xd4,0x66,0x8e,0xf3,0xf4,0x38,0xf0,0x2b,0x59,0x00,0x76,0xdf,0xd7,0x24,0xd3,
+  0x7c,0x7b,0x80,0x09,0xb6,0xa1,0xbb,0xad,0xa2,0xc1,0x9b,0xa9,0xb2,0xb3,0x25,0x94,
+  0xb9,0x73,0x22,0x1a,0xcb,0x3c,0x96,0xf5,0xd8,0xd9,0x0c,0x70,0x5d,0xb7,0xd1,0xe8,
+  0xaa,0xe2,0x81,0xdf,0xd6,0xac,0xa5,0x68,0xad,0xdf,0x13,0xf3,0x92,0xba,0xfe,0x41,
+  0xe2,0x24,0x8a,0x08,0x2d,0x98,0x12,0x80,0x2d,0x30,0x71,0x4f,0x0c,0x40,0x53,0xe3,
+  0xfa,0x7a,0xe1,0x02,0x41,0x00,0xf8,0x20,0xf7,0x6b,0xcc,0xa6,0xc2,0xac,0xee,0xfd,
+  0x2c,0xab,0xe8,0x3e,0xb4,0x10,0xb5,0x38,0xcb,0xea,0x88,0x1a,0x83,0xda,0xc8,0xf6,
+  0x7d,0x99,0xba,0x82,0xb7,0xfd,0x75,0x72,0x6e,0x1d,0x9b,0xc8,0xe5,0xd3,0xf2,0xd0,
+  0x39,0x1b,0x98,0xd2,0xcf,0xd0,0x1c,0xf1,0x77,0x95,0x3a,0xc9,0xc7,0xf6,0x04,0xf9,
+  0xdd,0x65,0xde,0x68,0xb3,0x85,0x02,0x41,0x00,0xd6,0xfa,0xe6,0xfe,0x15,0x52,0x11,
+  0xab,0x29,0xe5,0xe0,0x13,0x81,0x0e,0xe2,0x83,0xd0,0x85,0xf8,0x61,0x8a,0xaa,0x14,
+  0xf0,0x5e,0x9f,0xee,0x39,0x29,0x7f,0x87,0x72,0x11,0x99,0x2b,0x6e,0xe4,0x9d,0x02,
+  0xf4,0x09,0x18,0xcb,0x1d,0x1b,0x9f,0x78,0xf9,0x47,0xc8,0x94,0x11,0x7f,0xc2,0xd3,
+  0x42,0x92,0x13,0x59,0x10,0x36,0x1e,0x0d,0x39,0x02,0x40,0x54,0xeb,0x0b,0x62,0x54,
+  0x46,0xda,0x27,0x4f,0x1f,0x4c,0x53,0x85,0x07,0x38,0x9e,0xe3,0x36,0x8d,0xeb,0x35,
+  0x2b,0x45,0xe6,0xf1,0x92,0x12,0x48,0x33,0x61,0x9b,0x50,0x5e,0x0a,0x8c,0x8f,0x0b,
+  0x8a,0xc4,0xc5,0x35,0xbb,0x77,0x5f,0xef,0x7c,0x6e,0x6c,0xbe,0x0b,0x11,0xae,0xfb,
+  0xd0,0xa4,0xe3,0x98,0xae,0x5e,0xcc,0x07,0x42,0xf3,0xf5,0x02,0x41,0x00,0xb8,0x60,
+  0x01,0x62,0x62,0xc8,0xbb,0x2c,0x90,0x47,0x7d,0xd1,0x5c,0x7b,0x76,0x9b,0xd4,0x68,
+  0x41,0xe8,0xee,0x33,0x06,0xb8,0x4c,0x7f,0x5f,0xa1,0x98,0xcc,0xae,0x4e,0x8f,0x77,
+  0x4d,0x3f,0xd3,0x44,0x31,0xf7,0x38,0x22,0x12,0x79,0x49,0x6a,0x91,0x27,0x42,0x80,
+  0x6d,0x35,0x40,0xdc,0xc7,0xb1,0x2d,0x74,0xf8,0x8a,0xa5,0xcf,0x4a,0x49,0x02,0x41,
+  0x00,0xd2,0x8c,0xb8,0x41,0xc2,0xf1,0x27,0x4a,0xe5,0xb8,0x12,0x52,0x0c,0xcc,0x1c,
+  0x0b,0x6e,0xee,0xf9,0xef,0x7c,0xf6,0x83,0x35,0x3c,0xd8,0xc8,0xfa,0xb6,0xba,0xf0,
+  0x3a,0xca,0x28,0xc7,0xfb,0xe6,0x71,0xea,0x53,0xd5,0x68,0xf2,0xe0,0x0b,0xcf,0x64,
+  0x78,0x31,0xa7,0xbb,0xc4,0x5c,0xd4,0x9e,0x4b,0xe3,0x39,0x2f,0x6f,0x50,0x35,0x3a,
+  0x7c,
+};
+
+/**
+ * And an associated self-signed certificate
+-----BEGIN CERTIFICATE-----
+MIIB9DCCAV2gAwIBAgIBADANBgkqhkiG9w0BAQUFADA3MQwwCgYDVQQDEwNzcnYx
+EjAQBgNVBAsTCWxvYWQtdGVzdDETMBEGA1UEChMKc3Ryb25nU3dhbjAeFw0wODEy
+MDgxODU4NDhaFw0xODEyMDYxODU4NDhaMDcxDDAKBgNVBAMTA3NydjESMBAGA1UE
+CxMJbG9hZC10ZXN0MRMwEQYDVQQKEwpzdHJvbmdTd2FuMIGfMA0GCSqGSIb3DQEB
+AQUAA4GNADCBiQKBgQDQXr7poAPYZLxmTCqR51STGRuk9Hc5SWtTcs6b2RzpnP8E
+VRLxJEVxOKE9Mw6n7mD1pNrupCpnpGRdLAV5VznTPhSQ6k7ppJJrxosRYg0pHTZq
+BUEC7nQFwAe10g8q0UnM1wa4lJzGxDH78d21cVweJgbkxAeyriS0jhNs7gO5nQID
+AQABoxAwDjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAF39Xedyk2wj
+qOcaaZ7ypb8RDlLvS0uaJMVtLtIhtb2weMMlgdmOnKXEYrJL2/mbp14Fhe+XYME9
+nZLAnmUnX8bQWCsQlajb7YGE8w6QDMwXUVgSXTMhRl+PRX2CMIUzU21h1EIx65Po
+CwMLbJ7vQqwPHXRitDmNkEOK9H+vRnDf
+-----END CERTIFICATE-----
+
+ */
+char cert[] = {
+  0x30,0x82,0x01,0xf4,0x30,0x82,0x01,0x5d,0xa0,0x03,0x02,0x01,0x02,0x02,0x01,0x00,
+  0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x05,0x05,0x00,0x30,
+  0x37,0x31,0x0c,0x30,0x0a,0x06,0x03,0x55,0x04,0x03,0x13,0x03,0x73,0x72,0x76,0x31,
+  0x12,0x30,0x10,0x06,0x03,0x55,0x04,0x0b,0x13,0x09,0x6c,0x6f,0x61,0x64,0x2d,0x74,
+  0x65,0x73,0x74,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0a,0x13,0x0a,0x73,0x74,
+  0x72,0x6f,0x6e,0x67,0x53,0x77,0x61,0x6e,0x30,0x1e,0x17,0x0d,0x30,0x38,0x31,0x32,
+  0x30,0x38,0x31,0x38,0x35,0x38,0x34,0x38,0x5a,0x17,0x0d,0x31,0x38,0x31,0x32,0x30,
+  0x36,0x31,0x38,0x35,0x38,0x34,0x38,0x5a,0x30,0x37,0x31,0x0c,0x30,0x0a,0x06,0x03,
+  0x55,0x04,0x03,0x13,0x03,0x73,0x72,0x76,0x31,0x12,0x30,0x10,0x06,0x03,0x55,0x04,
+  0x0b,0x13,0x09,0x6c,0x6f,0x61,0x64,0x2d,0x74,0x65,0x73,0x74,0x31,0x13,0x30,0x11,
+  0x06,0x03,0x55,0x04,0x0a,0x13,0x0a,0x73,0x74,0x72,0x6f,0x6e,0x67,0x53,0x77,0x61,
+  0x6e,0x30,0x81,0x9f,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,
+  0x01,0x05,0x00,0x03,0x81,0x8d,0x00,0x30,0x81,0x89,0x02,0x81,0x81,0x00,0xd0,0x5e,
+  0xbe,0xe9,0xa0,0x03,0xd8,0x64,0xbc,0x66,0x4c,0x2a,0x91,0xe7,0x54,0x93,0x19,0x1b,
+  0xa4,0xf4,0x77,0x39,0x49,0x6b,0x53,0x72,0xce,0x9b,0xd9,0x1c,0xe9,0x9c,0xff,0x04,
+  0x55,0x12,0xf1,0x24,0x45,0x71,0x38,0xa1,0x3d,0x33,0x0e,0xa7,0xee,0x60,0xf5,0xa4,
+  0xda,0xee,0xa4,0x2a,0x67,0xa4,0x64,0x5d,0x2c,0x05,0x79,0x57,0x39,0xd3,0x3e,0x14,
+  0x90,0xea,0x4e,0xe9,0xa4,0x92,0x6b,0xc6,0x8b,0x11,0x62,0x0d,0x29,0x1d,0x36,0x6a,
+  0x05,0x41,0x02,0xee,0x74,0x05,0xc0,0x07,0xb5,0xd2,0x0f,0x2a,0xd1,0x49,0xcc,0xd7,
+  0x06,0xb8,0x94,0x9c,0xc6,0xc4,0x31,0xfb,0xf1,0xdd,0xb5,0x71,0x5c,0x1e,0x26,0x06,
+  0xe4,0xc4,0x07,0xb2,0xae,0x24,0xb4,0x8e,0x13,0x6c,0xee,0x03,0xb9,0x9d,0x02,0x03,
+  0x01,0x00,0x01,0xa3,0x10,0x30,0x0e,0x30,0x0c,0x06,0x03,0x55,0x1d,0x13,0x04,0x05,
+  0x30,0x03,0x01,0x01,0xff,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,
+  0x01,0x05,0x05,0x00,0x03,0x81,0x81,0x00,0x5d,0xfd,0x5d,0xe7,0x72,0x93,0x6c,0x23,
+  0xa8,0xe7,0x1a,0x69,0x9e,0xf2,0xa5,0xbf,0x11,0x0e,0x52,0xef,0x4b,0x4b,0x9a,0x24,
+  0xc5,0x6d,0x2e,0xd2,0x21,0xb5,0xbd,0xb0,0x78,0xc3,0x25,0x81,0xd9,0x8e,0x9c,0xa5,
+  0xc4,0x62,0xb2,0x4b,0xdb,0xf9,0x9b,0xa7,0x5e,0x05,0x85,0xef,0x97,0x60,0xc1,0x3d,
+  0x9d,0x92,0xc0,0x9e,0x65,0x27,0x5f,0xc6,0xd0,0x58,0x2b,0x10,0x95,0xa8,0xdb,0xed,
+  0x81,0x84,0xf3,0x0e,0x90,0x0c,0xcc,0x17,0x51,0x58,0x12,0x5d,0x33,0x21,0x46,0x5f,
+  0x8f,0x45,0x7d,0x82,0x30,0x85,0x33,0x53,0x6d,0x61,0xd4,0x42,0x31,0xeb,0x93,0xe8,
+  0x0b,0x03,0x0b,0x6c,0x9e,0xef,0x42,0xac,0x0f,0x1d,0x74,0x62,0xb4,0x39,0x8d,0x90,
+  0x43,0x8a,0xf4,0x7f,0xaf,0x46,0x70,0xdf,
+};
+
+
+/**
+ * A preshared key
+ */
+static char psk[] = {
+  0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08
+};
+
+/**
+ * Implements credential_set_t.create_private_enumerator
+ */
+static enumerator_t* create_private_enumerator(private_load_tester_creds_t *this,
+							key_type_t type, identification_t *id)
+{
+	if (this->private == NULL)
+	{
+		return NULL;
+	}
+	if (type != KEY_ANY && type != KEY_RSA)
+	{
+		return NULL;
+	}
+	if (id)
+	{
+		if (!this->private->has_fingerprint(this->private, id->get_encoding(id)))
+		{
+			return NULL;
+		}
+	}
+	return enumerator_create_single(this->private, NULL);
+}
+
+/**
+ * Implements credential_set_t.create_cert_enumerator
+ */
+static enumerator_t* create_cert_enumerator(private_load_tester_creds_t *this,
+							certificate_type_t cert, key_type_t key,
+							identification_t *id, bool trusted)
+{
+	certificate_t *peer_cert;
+	public_key_t *peer_key, *ca_key;
+	u_int32_t serial;
+	time_t now;
+
+	if (this->ca == NULL)
+	{
+		return NULL;
+	}
+	if (cert != CERT_ANY && cert != CERT_X509)
+	{
+		return NULL;
+	}
+	if (key != KEY_ANY && key != KEY_RSA)
+	{
+		return NULL;
+	}
+	if (!id)
+	{
+		return enumerator_create_single(this->ca, NULL);
+	}
+	ca_key = this->ca->get_public_key(this->ca);
+	if (ca_key)
+	{
+		if (ca_key->has_fingerprint(ca_key, id->get_encoding(id)))
+		{
+			ca_key->destroy(ca_key);
+			return enumerator_create_single(this->ca, NULL);
+		}
+		ca_key->destroy(ca_key);
+	}
+	if (this->ca->has_subject(this->ca, id))
+	{
+		return enumerator_create_single(this->ca, NULL);
+	}
+	if (!trusted)
+	{
+		/* peer certificate, generate on demand */
+		serial = htonl(++this->serial);
+		now = time(NULL);
+		peer_key = this->private->get_public_key(this->private);
+		peer_cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+									BUILD_SIGNING_KEY, this->private,
+									BUILD_SIGNING_CERT, this->ca,
+									BUILD_PUBLIC_KEY, peer_key,
+									BUILD_SUBJECT, id,
+									BUILD_NOT_BEFORE_TIME, now - 60 * 60 * 24,
+									BUILD_NOT_AFTER_TIME, now + 60 * 60 * 24,
+									BUILD_SERIAL, chunk_from_thing(serial),
+									BUILD_END);
+		peer_key->destroy(peer_key);
+		if (peer_cert)
+		{
+			return enumerator_create_single(peer_cert, (void*)peer_cert->destroy);
+		}
+	}
+	return NULL;
+}
+
+/**
+ * Implements credential_set_t.create_shared_enumerator
+ */
+static enumerator_t* create_shared_enumerator(private_load_tester_creds_t *this,
+							shared_key_type_t type,	identification_t *me,
+							identification_t *other)
+{
+	return enumerator_create_single(this->shared, NULL);
+}
+
+/**
+ * Implementation of load_tester_creds_t.destroy
+ */
+static void destroy(private_load_tester_creds_t *this)
+{
+	DESTROY_IF(this->private);
+	DESTROY_IF(this->ca);
+	this->shared->destroy(this->shared);
+	free(this);
+}
+
+load_tester_creds_t *load_tester_creds_create()
+{
+	private_load_tester_creds_t *this = malloc_thing(private_load_tester_creds_t);
+
+	this->public.credential_set.create_shared_enumerator = (enumerator_t*(*)(credential_set_t*, shared_key_type_t, identification_t*, identification_t*))create_shared_enumerator;
+	this->public.credential_set.create_private_enumerator = (enumerator_t*(*) (credential_set_t*, key_type_t, identification_t*))create_private_enumerator;
+	this->public.credential_set.create_cert_enumerator = (enumerator_t*(*) (credential_set_t*,	certificate_type_t, key_type_t,identification_t *, bool))create_cert_enumerator;
+	this->public.credential_set.create_cdp_enumerator  = (enumerator_t*(*) (credential_set_t *,certificate_type_t, identification_t *))return_null;
+	this->public.credential_set.cache_cert = (void (*)(credential_set_t *, certificate_t *))nop;
+	this->public.destroy = (void(*) (load_tester_creds_t*))destroy;
+
+	this->private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+				BUILD_BLOB_ASN1_DER, chunk_create(private, sizeof(private)),
+				BUILD_END);
+
+	this->ca = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+				BUILD_BLOB_ASN1_DER, chunk_create(cert, sizeof(cert)),
+				BUILD_X509_FLAG, X509_CA,
+				BUILD_END);
+
+	this->shared = shared_key_create(SHARED_IKE,
+									 chunk_clone(chunk_create(psk, sizeof(psk))));
+	this->serial = 0;
+	return &this->public;
+}
+
diff --git a/src/libcharon/plugins/load_tester/load_tester_creds.h b/src/libcharon/plugins/load_tester/load_tester_creds.h
new file mode 100644
index 000000000..fb3541164
--- /dev/null
+++ b/src/libcharon/plugins/load_tester/load_tester_creds.h
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup load_tester_creds_t load_tester_creds
+ * @{ @ingroup load_tester
+ */
+
+#ifndef LOAD_TESTER_CREDS_H_
+#define LOAD_TESTER_CREDS_H_
+
+#include <credentials/credential_set.h>
+
+typedef struct load_tester_creds_t load_tester_creds_t;
+
+/**
+ * Provide hard-coded credentials for load testing.
+ */
+struct load_tester_creds_t {
+
+	/**
+	 * Implements credential set interface.
+	 */
+	credential_set_t credential_set;
+
+	/**
+	 * Destroy the backend.
+	 */
+	void (*destroy)(load_tester_creds_t *this);
+};
+
+/**
+ * Create a credential set for load testing.
+ *
+ * @return			credential set
+ */
+load_tester_creds_t *load_tester_creds_create();
+
+#endif /** LOAD_TESTER_CREDS_H_ @}*/
diff --git a/src/libcharon/plugins/load_tester/load_tester_diffie_hellman.c b/src/libcharon/plugins/load_tester/load_tester_diffie_hellman.c
new file mode 100644
index 000000000..d5ec3599b
--- /dev/null
+++ b/src/libcharon/plugins/load_tester/load_tester_diffie_hellman.c
@@ -0,0 +1,67 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "load_tester_diffie_hellman.h"
+
+/**
+ * Implementation of gmp_diffie_hellman_t.get_my_public_value.
+ */
+static void get_my_public_value(load_tester_diffie_hellman_t *this,
+								chunk_t *value)
+{
+	*value = chunk_empty;
+}
+
+/**
+ * Implementation of gmp_diffie_hellman_t.get_shared_secret.
+ */
+static status_t get_shared_secret(load_tester_diffie_hellman_t *this,
+								  chunk_t *secret)
+{
+	*secret = chunk_empty;
+	return SUCCESS;
+}
+
+/**
+ * Implementation of gmp_diffie_hellman_t.get_dh_group.
+ */
+static diffie_hellman_group_t get_dh_group(load_tester_diffie_hellman_t *this)
+{
+	return MODP_NULL;
+}
+
+/**
+ * See header
+ */
+load_tester_diffie_hellman_t *load_tester_diffie_hellman_create(
+												diffie_hellman_group_t group)
+{
+	load_tester_diffie_hellman_t *this;
+
+	if (group != MODP_NULL)
+	{
+		return NULL;
+	}
+
+	this = malloc_thing(load_tester_diffie_hellman_t);
+
+	this->dh.get_shared_secret = (status_t (*)(diffie_hellman_t *, chunk_t *))get_shared_secret;
+	this->dh.set_other_public_value = (void (*)(diffie_hellman_t *, chunk_t ))nop;
+	this->dh.get_my_public_value = (void (*)(diffie_hellman_t *, chunk_t *))get_my_public_value;
+	this->dh.get_dh_group = (diffie_hellman_group_t (*)(diffie_hellman_t *))get_dh_group;
+	this->dh.destroy = (void (*)(diffie_hellman_t *))free;
+
+	return this;
+}
diff --git a/src/libcharon/plugins/load_tester/load_tester_diffie_hellman.h b/src/libcharon/plugins/load_tester/load_tester_diffie_hellman.h
new file mode 100644
index 000000000..672157fb8
--- /dev/null
+++ b/src/libcharon/plugins/load_tester/load_tester_diffie_hellman.h
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup load_tester_diffie_hellman load_tester_diffie_hellman
+ * @{ @ingroup load_tester
+ */
+
+#ifndef LOAD_TESTER_DIFFIE_HELLMAN_H_
+#define LOAD_TESTER_DIFFIE_HELLMAN_H_
+
+#include <crypto/diffie_hellman.h>
+
+typedef struct load_tester_diffie_hellman_t load_tester_diffie_hellman_t;
+
+/**
+ * A NULL Diffie Hellman implementation to avoid calculation overhead in tests.
+ */
+struct load_tester_diffie_hellman_t {
+
+	/**
+	 * Implements diffie_hellman_t interface.
+	 */
+	diffie_hellman_t dh;
+};
+
+/**
+ * Creates a new gmp_diffie_hellman_t object.
+ *
+ * @param group			Diffie Hellman group, supports MODP_NULL only
+ * @return				gmp_diffie_hellman_t object
+ */
+load_tester_diffie_hellman_t *load_tester_diffie_hellman_create(
+												diffie_hellman_group_t group);
+
+#endif /** LOAD_TESTER_DIFFIE_HELLMAN_H_ @}*/
diff --git a/src/libcharon/plugins/load_tester/load_tester_ipsec.c b/src/libcharon/plugins/load_tester/load_tester_ipsec.c
new file mode 100644
index 000000000..1218443cc
--- /dev/null
+++ b/src/libcharon/plugins/load_tester/load_tester_ipsec.c
@@ -0,0 +1,176 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "load_tester_ipsec.h"
+
+#include <time.h>
+
+typedef struct private_load_tester_ipsec_t private_load_tester_ipsec_t;
+
+/**
+ * Private variables and functions of kernel_pfkey class.
+ */
+struct private_load_tester_ipsec_t {
+	/**
+	 * Public interface.
+	 */
+	load_tester_ipsec_t public;
+
+	/**
+	 * faked SPI counter
+	 */
+	u_int32_t spi;
+};
+
+/**
+ * Implementation of kernel_interface_t.get_spi.
+ */
+static status_t get_spi(private_load_tester_ipsec_t *this,
+						host_t *src, host_t *dst,
+						protocol_id_t protocol, u_int32_t reqid,
+						u_int32_t *spi)
+{
+	*spi = ++this->spi;
+	return SUCCESS;
+}
+
+/**
+ * Implementation of kernel_interface_t.get_cpi.
+ */
+static status_t get_cpi(private_load_tester_ipsec_t *this,
+						host_t *src, host_t *dst,
+						u_int32_t reqid, u_int16_t *cpi)
+{
+	return FAILED;
+}
+
+/**
+ * Implementation of kernel_interface_t.add_sa.
+ */
+static status_t add_sa(private_load_tester_ipsec_t *this,
+					   host_t *src, host_t *dst, u_int32_t spi,
+					   protocol_id_t protocol, u_int32_t reqid,
+					   lifetime_cfg_t *lifetime,
+					   u_int16_t enc_alg, chunk_t enc_key,
+					   u_int16_t int_alg, chunk_t int_key,
+					   ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
+					   bool encap, bool inbound, traffic_selector_t *src_ts,
+					   traffic_selector_t *dst_ts)
+{
+	return SUCCESS;
+}
+
+/**
+ * Implementation of kernel_interface_t.update_sa.
+ */
+static status_t update_sa(private_load_tester_ipsec_t *this,
+						  u_int32_t spi, protocol_id_t protocol, u_int16_t cpi,
+						  host_t *src, host_t *dst,
+						  host_t *new_src, host_t *new_dst,
+						  bool encap, bool new_encap)
+{
+	return SUCCESS;
+}
+
+/**
+ * Implementation of kernel_interface_t.query_sa.
+ */
+static status_t query_sa(private_load_tester_ipsec_t *this, host_t *src,
+						 host_t *dst, u_int32_t spi, protocol_id_t protocol,
+						 u_int64_t *bytes)
+{
+	return NOT_SUPPORTED;
+}
+
+/**
+ * Implementation of kernel_interface_t.del_sa.
+ */
+static status_t del_sa(private_load_tester_ipsec_t *this, host_t *src,
+					   host_t *dst, u_int32_t spi, protocol_id_t protocol,
+					   u_int16_t cpi)
+{
+	return SUCCESS;
+}
+
+/**
+ * Implementation of kernel_interface_t.add_policy.
+ */
+static status_t add_policy(private_load_tester_ipsec_t *this,
+						   host_t *src, host_t *dst,
+						   traffic_selector_t *src_ts,
+						   traffic_selector_t *dst_ts,
+						   policy_dir_t direction, u_int32_t spi,
+						   protocol_id_t protocol, u_int32_t reqid,
+						   ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
+						   bool routed)
+{
+	return SUCCESS;
+}
+
+/**
+ * Implementation of kernel_interface_t.query_policy.
+ */
+static status_t query_policy(private_load_tester_ipsec_t *this,
+							 traffic_selector_t *src_ts,
+							 traffic_selector_t *dst_ts,
+							 policy_dir_t direction, u_int32_t *use_time)
+{
+	*use_time = time_monotonic(NULL);
+	return SUCCESS;
+}
+
+/**
+ * Implementation of kernel_interface_t.del_policy.
+ */
+static status_t del_policy(private_load_tester_ipsec_t *this,
+						   traffic_selector_t *src_ts,
+						   traffic_selector_t *dst_ts,
+						   policy_dir_t direction, bool unrouted)
+{
+	return SUCCESS;
+}
+
+/**
+ * Implementation of kernel_interface_t.destroy.
+ */
+static void destroy(private_load_tester_ipsec_t *this)
+{
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+load_tester_ipsec_t *load_tester_ipsec_create()
+{
+	private_load_tester_ipsec_t *this = malloc_thing(private_load_tester_ipsec_t);
+
+	/* public functions */
+	this->public.interface.get_spi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,protocol_id_t,u_int32_t,u_int32_t*))get_spi;
+	this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
+	this->public.interface.add_sa  = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,lifetime_cfg_t*,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool,traffic_selector_t*,traffic_selector_t*))add_sa;
+	this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa;
+	this->public.interface.query_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int64_t*))query_sa;
+	this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
+	this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t *this,host_t *, host_t *,traffic_selector_t *,traffic_selector_t *,policy_dir_t, u_int32_t,protocol_id_t, u_int32_t,ipsec_mode_t, u_int16_t, u_int16_t,bool))add_policy;
+	this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
+	this->public.interface.del_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,bool))del_policy;
+	this->public.interface.destroy = (void(*)(kernel_ipsec_t*)) destroy;
+
+	this->spi = 0;
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/plugins/load_tester/load_tester_ipsec.h b/src/libcharon/plugins/load_tester/load_tester_ipsec.h
new file mode 100644
index 000000000..1e1bff84a
--- /dev/null
+++ b/src/libcharon/plugins/load_tester/load_tester_ipsec.h
@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup load_tester_ipsec_i load_tester_ipsec
+ * @{ @ingroup load_tester
+ */
+
+#ifndef LOAD_TESTER_IPSEC_H_
+#define LOAD_TESTER_IPSEC_H_
+
+#include <kernel/kernel_ipsec.h>
+
+typedef struct load_tester_ipsec_t load_tester_ipsec_t;
+
+/**
+ * Implementation of a fake kernel ipsec interface for load testing.
+ */
+struct load_tester_ipsec_t {
+
+	/**
+	 * Implements kernel_ipsec_t interface
+	 */
+	kernel_ipsec_t interface;
+};
+
+/**
+ * Create a faked kernel ipsec interface instance.
+ *
+ * @return			kernel_load_tester_ipsec_t instance
+ */
+load_tester_ipsec_t *load_tester_ipsec_create();
+
+#endif /** LOAD_TESTER_IPSEC_H_ @}*/
diff --git a/src/libcharon/plugins/load_tester/load_tester_listener.c b/src/libcharon/plugins/load_tester/load_tester_listener.c
new file mode 100644
index 000000000..96b0cf1ec
--- /dev/null
+++ b/src/libcharon/plugins/load_tester/load_tester_listener.c
@@ -0,0 +1,102 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "load_tester_listener.h"
+
+#include <signal.h>
+
+#include <daemon.h>
+#include <processing/jobs/delete_ike_sa_job.h>
+
+typedef struct private_load_tester_listener_t private_load_tester_listener_t;
+
+/**
+ * Private data of an load_tester_listener_t object
+ */
+struct private_load_tester_listener_t {
+	/**
+	 * Public part
+	 */
+	load_tester_listener_t public;
+
+	/**
+	 * Delete IKE_SA after it has been established
+	 */
+	bool delete_after_established;
+
+	/**
+	 * Number of established SAs
+	 */
+	u_int established;
+
+	/**
+	 * Shutdown the daemon if we have established this SA count
+	 */
+	u_int shutdown_on;
+};
+
+/**
+ * Implementation of listener_t.ike_state_change
+ */
+static bool ike_state_change(private_load_tester_listener_t *this,
+							 ike_sa_t *ike_sa, ike_sa_state_t state)
+{
+	if (state == IKE_ESTABLISHED)
+	{
+		ike_sa_id_t *id = ike_sa->get_id(ike_sa);
+
+		if (this->delete_after_established)
+		{
+			charon->processor->queue_job(charon->processor,
+									(job_t*)delete_ike_sa_job_create(id, TRUE));
+		}
+
+		if (id->is_initiator(id))
+		{
+			if (this->shutdown_on == ++this->established)
+			{
+				DBG1(DBG_CFG, "load-test complete, raising SIGTERM");
+				kill(0, SIGTERM);
+			}
+		}
+	}
+	return TRUE;
+}
+
+/**
+ * Implementation of load_tester_listener_t.destroy
+ */
+static void destroy(private_load_tester_listener_t *this)
+{
+	free(this);
+}
+
+load_tester_listener_t *load_tester_listener_create(u_int shutdown_on)
+{
+	private_load_tester_listener_t *this = malloc_thing(private_load_tester_listener_t);
+
+	memset(&this->public.listener, 0, sizeof(listener_t));
+	this->public.listener.ike_state_change = (void*)ike_state_change;
+	this->public.destroy = (void(*) (load_tester_listener_t*))destroy;
+
+	this->delete_after_established = lib->settings->get_bool(lib->settings,
+				"charon.plugins.load-tester.delete_after_established", FALSE);
+
+	this->shutdown_on = shutdown_on;
+	this->established = 0;
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/plugins/load_tester/load_tester_listener.h b/src/libcharon/plugins/load_tester/load_tester_listener.h
new file mode 100644
index 000000000..b9599294c
--- /dev/null
+++ b/src/libcharon/plugins/load_tester/load_tester_listener.h
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup load_tester_listener_t load_tester_listener
+ * @{ @ingroup load_tester
+ */
+
+#ifndef LOAD_TESTER_LISTENER_H_
+#define LOAD_TESTER_LISTENER_H_
+
+#include <bus/bus.h>
+
+typedef struct load_tester_listener_t load_tester_listener_t;
+
+/**
+ * Provide hard-coded credentials for load testing.
+ */
+struct load_tester_listener_t {
+
+	/**
+	 * Implements listener set interface.
+	 */
+	listener_t listener;
+
+	/**
+	 * Destroy the backend.
+	 */
+	void (*destroy)(load_tester_listener_t *this);
+};
+
+/**
+ * Create a listener to handle special events during load test
+ *
+ * @param shutdown_on	shut down the daemon after this many SAs are established
+ * @return				listener
+ */
+load_tester_listener_t *load_tester_listener_create(u_int shutdown_on);
+
+#endif /** LOAD_TESTER_LISTENER_H_ @}*/
diff --git a/src/libcharon/plugins/load_tester/load_tester_plugin.c b/src/libcharon/plugins/load_tester/load_tester_plugin.c
new file mode 100644
index 000000000..46145b803
--- /dev/null
+++ b/src/libcharon/plugins/load_tester/load_tester_plugin.c
@@ -0,0 +1,230 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "load_tester_plugin.h"
+#include "load_tester_config.h"
+#include "load_tester_creds.h"
+#include "load_tester_ipsec.h"
+#include "load_tester_listener.h"
+#include "load_tester_diffie_hellman.h"
+
+#include <unistd.h>
+
+#include <daemon.h>
+#include <processing/jobs/callback_job.h>
+#include <threading/condvar.h>
+#include <threading/mutex.h>
+
+typedef struct private_load_tester_plugin_t private_load_tester_plugin_t;
+
+/**
+ * private data of load_tester plugin
+ */
+struct private_load_tester_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	load_tester_plugin_t public;
+
+	/**
+	 * load_tester configuration backend
+	 */
+	load_tester_config_t *config;
+
+	/**
+	 * load_tester credential set implementation
+	 */
+	load_tester_creds_t *creds;
+
+	/**
+	 * event handler, listens on bus
+	 */
+	load_tester_listener_t *listener;
+
+	/**
+	 * number of iterations per thread
+	 */
+	int iterations;
+
+	/**
+	 * number desired initiator threads
+	 */
+	int initiators;
+
+	/**
+	 * currenly running initiators
+	 */
+	int running;
+
+	/**
+	 * delay between initiations, in ms
+	 */
+	int delay;
+
+	/**
+	 * mutex to lock running field
+	 */
+	mutex_t *mutex;
+
+	/**
+	 * condvar to wait for initiators
+	 */
+	condvar_t *condvar;
+};
+
+/**
+ * Begin the load test
+ */
+static job_requeue_t do_load_test(private_load_tester_plugin_t *this)
+{
+	int i, s = 0, ms = 0;
+
+	this->mutex->lock(this->mutex);
+	if (!this->running)
+	{
+		this->running = this->initiators;
+	}
+	this->mutex->unlock(this->mutex);
+	if (this->delay)
+	{
+		s = this->delay / 1000;
+		ms = this->delay % 1000;
+	}
+
+	for (i = 0; this->iterations == 0 || i < this->iterations; i++)
+	{
+		peer_cfg_t *peer_cfg;
+		child_cfg_t *child_cfg = NULL;
+		enumerator_t *enumerator;
+
+		peer_cfg = charon->backends->get_peer_cfg_by_name(charon->backends,
+														  "load-test");
+		if (!peer_cfg)
+		{
+			break;
+		}
+		enumerator = peer_cfg->create_child_cfg_enumerator(peer_cfg);
+		if (!enumerator->enumerate(enumerator, &child_cfg))
+		{
+			enumerator->destroy(enumerator);
+			break;
+		}
+		enumerator->destroy(enumerator);
+
+		charon->controller->initiate(charon->controller,
+					peer_cfg, child_cfg->get_ref(child_cfg),
+					NULL, NULL);
+		if (s)
+		{
+			sleep(s);
+		}
+		if (ms)
+		{
+			usleep(ms * 1000);
+		}
+	}
+	this->mutex->lock(this->mutex);
+	this->running--;
+	this->mutex->unlock(this->mutex);
+	this->condvar->signal(this->condvar);
+	return JOB_REQUEUE_NONE;
+}
+
+/**
+ * Implementation of plugin_t.destroy
+ */
+static void destroy(private_load_tester_plugin_t *this)
+{
+	this->iterations = -1;
+	this->mutex->lock(this->mutex);
+	while (this->running)
+	{
+		this->condvar->wait(this->condvar, this->mutex);
+	}
+	this->mutex->unlock(this->mutex);
+	charon->kernel_interface->remove_ipsec_interface(charon->kernel_interface,
+						(kernel_ipsec_constructor_t)load_tester_ipsec_create);
+	charon->backends->remove_backend(charon->backends, &this->config->backend);
+	charon->credentials->remove_set(charon->credentials, &this->creds->credential_set);
+	charon->bus->remove_listener(charon->bus, &this->listener->listener);
+	this->config->destroy(this->config);
+	this->creds->destroy(this->creds);
+	this->listener->destroy(this->listener);
+	lib->crypto->remove_dh(lib->crypto,
+						(dh_constructor_t)load_tester_diffie_hellman_create);
+	this->mutex->destroy(this->mutex);
+	this->condvar->destroy(this->condvar);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *load_tester_plugin_create()
+{
+	private_load_tester_plugin_t *this;
+	u_int i, shutdown_on = 0;
+
+	if (!lib->settings->get_bool(lib->settings,
+								 "charon.plugins.load-tester.enable", FALSE))
+	{
+		DBG1(DBG_CFG, "disabling load-tester plugin, not configured");
+		return NULL;
+	}
+
+	this = malloc_thing(private_load_tester_plugin_t);
+	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+
+	lib->crypto->add_dh(lib->crypto, MODP_NULL,
+						(dh_constructor_t)load_tester_diffie_hellman_create);
+
+	this->delay = lib->settings->get_int(lib->settings,
+					"charon.plugins.load-tester.delay", 0);
+	this->iterations = lib->settings->get_int(lib->settings,
+					"charon.plugins.load-tester.iterations", 1);
+	this->initiators = lib->settings->get_int(lib->settings,
+					"charon.plugins.load-tester.initiators", 0);
+	if (lib->settings->get_bool(lib->settings,
+					"charon.plugins.load-tester.shutdown_when_complete", 0))
+	{
+		shutdown_on = this->iterations * this->initiators;
+	}
+
+	this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
+	this->condvar = condvar_create(CONDVAR_TYPE_DEFAULT);
+	this->config = load_tester_config_create();
+	this->creds = load_tester_creds_create();
+	this->listener = load_tester_listener_create(shutdown_on);
+	charon->backends->add_backend(charon->backends, &this->config->backend);
+	charon->credentials->add_set(charon->credentials, &this->creds->credential_set);
+	charon->bus->add_listener(charon->bus, &this->listener->listener);
+
+	if (lib->settings->get_bool(lib->settings,
+					"charon.plugins.load-tester.fake_kernel", FALSE))
+	{
+		charon->kernel_interface->add_ipsec_interface(charon->kernel_interface,
+						(kernel_ipsec_constructor_t)load_tester_ipsec_create);
+	}
+	this->running = 0;
+	for (i = 0; i < this->initiators; i++)
+	{
+		charon->processor->queue_job(charon->processor,
+					(job_t*)callback_job_create((callback_job_cb_t)do_load_test,
+												this, NULL, NULL));
+	}
+	return &this->public.plugin;
+}
+
diff --git a/src/libcharon/plugins/load_tester/load_tester_plugin.h b/src/libcharon/plugins/load_tester/load_tester_plugin.h
new file mode 100644
index 000000000..15f2d1127
--- /dev/null
+++ b/src/libcharon/plugins/load_tester/load_tester_plugin.h
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup load_tester load_tester
+ * @ingroup cplugins
+ *
+ * @defgroup load_tester_plugin load_tester_plugin
+ * @{ @ingroup load_tester
+ */
+
+#ifndef LOAD_TESTER_PLUGIN_H_
+#define LOAD_TESTER_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct load_tester_plugin_t load_tester_plugin_t;
+
+/**
+ * Load tester plugin to inspect system core under high load.
+ *
+ * This plugin
+ */
+struct load_tester_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+#endif /** LOAD_TESTER_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/medcli/Makefile.am b/src/libcharon/plugins/medcli/Makefile.am
new file mode 100644
index 000000000..cdff8d854
--- /dev/null
+++ b/src/libcharon/plugins/medcli/Makefile.am
@@ -0,0 +1,19 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-medcli.la
+else
+plugin_LTLIBRARIES = libstrongswan-medcli.la
+endif
+
+libstrongswan_medcli_la_SOURCES = \
+	medcli_plugin.h medcli_plugin.c \
+	medcli_creds.h medcli_creds.c \
+	medcli_config.h medcli_config.c \
+	medcli_listener.h medcli_listener.c
+
+libstrongswan_medcli_la_LDFLAGS = -module -avoid-version
diff --git a/src/libcharon/plugins/medcli/Makefile.in b/src/libcharon/plugins/medcli/Makefile.in
new file mode 100644
index 000000000..539890ec3
--- /dev/null
+++ b/src/libcharon/plugins/medcli/Makefile.in
@@ -0,0 +1,593 @@
+# Makefile.in generated by automake 1.11 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libcharon/plugins/medcli
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_medcli_la_LIBADD =
+am_libstrongswan_medcli_la_OBJECTS = medcli_plugin.lo medcli_creds.lo \
+	medcli_config.lo medcli_listener.lo
+libstrongswan_medcli_la_OBJECTS =  \
+	$(am_libstrongswan_medcli_la_OBJECTS)
+libstrongswan_medcli_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_medcli_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_medcli_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_medcli_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_medcli_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_medcli_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libhydra_plugins = @libhydra_plugins@
+libstrongswan_plugins = @libstrongswan_plugins@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-medcli.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-medcli.la
+libstrongswan_medcli_la_SOURCES = \
+	medcli_plugin.h medcli_plugin.c \
+	medcli_creds.h medcli_creds.c \
+	medcli_config.h medcli_config.c \
+	medcli_listener.h medcli_listener.c
+
+libstrongswan_medcli_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/medcli/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libcharon/plugins/medcli/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-medcli.la: $(libstrongswan_medcli_la_OBJECTS) $(libstrongswan_medcli_la_DEPENDENCIES) 
+	$(libstrongswan_medcli_la_LINK) $(am_libstrongswan_medcli_la_rpath) $(libstrongswan_medcli_la_OBJECTS) $(libstrongswan_medcli_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/medcli_config.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/medcli_creds.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/medcli_listener.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/medcli_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libcharon/plugins/medcli/medcli_config.c b/src/libcharon/plugins/medcli/medcli_config.c
new file mode 100644
index 000000000..e355d55f7
--- /dev/null
+++ b/src/libcharon/plugins/medcli/medcli_config.c
@@ -0,0 +1,407 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#define _GNU_SOURCE
+#include <string.h>
+
+#include "medcli_config.h"
+
+#include <daemon.h>
+#include <processing/jobs/callback_job.h>
+
+typedef struct private_medcli_config_t private_medcli_config_t;
+
+/**
+ * Private data of an medcli_config_t object
+ */
+struct private_medcli_config_t {
+
+	/**
+	 * Public part
+	 */
+	medcli_config_t public;
+
+	/**
+	 * database connection
+	 */
+	database_t *db;
+
+	/**
+	 * rekey time
+	 */
+	int rekey;
+
+	/**
+	 * dpd delay
+	 */
+	int dpd;
+
+	/**
+	 * default ike config
+	 */
+	ike_cfg_t *ike;
+};
+
+/**
+ * create a traffic selector from a CIDR notation string
+ */
+static traffic_selector_t *ts_from_string(char *str)
+{
+	if (str)
+	{
+		int netbits = 32;
+		host_t *net;
+		char *pos;
+
+		str = strdupa(str);
+		pos = strchr(str, '/');
+		if (pos)
+		{
+			*pos++ = '\0';
+			netbits = atoi(pos);
+		}
+		else
+		{
+			if (strchr(str, ':'))
+			{
+				netbits = 128;
+			}
+		}
+		net = host_create_from_string(str, 0);
+		if (net)
+		{
+			return traffic_selector_create_from_subnet(net, netbits, 0, 0);
+		}
+	}
+	return traffic_selector_create_dynamic(0, 0, 65535);
+}
+
+/**
+ * implements backend_t.get_peer_cfg_by_name.
+ */
+static peer_cfg_t *get_peer_cfg_by_name(private_medcli_config_t *this, char *name)
+{
+	enumerator_t *e;
+	peer_cfg_t *peer_cfg, *med_cfg;
+	auth_cfg_t *auth;
+	ike_cfg_t *ike_cfg;
+	child_cfg_t *child_cfg;
+	chunk_t me, other;
+	char *address, *local_net, *remote_net;
+	lifetime_cfg_t lifetime = {
+		.time = {
+			.life = this->rekey * 60 + this->rekey,
+			.rekey = this->rekey,
+			.jitter = this->rekey
+		}
+	};
+
+	/* query mediation server config:
+	 * - build ike_cfg/peer_cfg for mediation connection on-the-fly
+	 */
+	e = this->db->query(this->db,
+			"SELECT Address, ClientConfig.KeyId, MediationServerConfig.KeyId "
+			"FROM MediationServerConfig JOIN ClientConfig",
+			DB_TEXT, DB_BLOB, DB_BLOB);
+	if (!e || !e->enumerate(e, &address, &me, &other))
+	{
+		DESTROY_IF(e);
+		return NULL;
+	}
+	ike_cfg = ike_cfg_create(FALSE, FALSE,
+						"0.0.0.0", IKEV2_UDP_PORT, address, IKEV2_UDP_PORT);
+	ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
+	med_cfg = peer_cfg_create(
+		"mediation", 2, ike_cfg,
+		CERT_NEVER_SEND, UNIQUE_REPLACE,
+		1, this->rekey*60, 0,  			/* keytries, rekey, reauth */
+		this->rekey*5, this->rekey*3, 	/* jitter, overtime */
+		TRUE, this->dpd, 				/* mobike, dpddelay */
+		NULL, NULL, 					/* vip, pool */
+		TRUE, NULL, NULL); 				/* mediation, med by, peer id */
+	e->destroy(e);
+
+	auth = auth_cfg_create();
+	auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
+	auth->add(auth, AUTH_RULE_IDENTITY,
+			  identification_create_from_encoding(ID_KEY_ID, me));
+	med_cfg->add_auth_cfg(med_cfg, auth, TRUE);
+	auth = auth_cfg_create();
+	auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
+	auth->add(auth, AUTH_RULE_IDENTITY,
+			  identification_create_from_encoding(ID_KEY_ID, other));
+	med_cfg->add_auth_cfg(med_cfg, auth, FALSE);
+
+	/* query mediated config:
+	 * - use any-any ike_cfg
+	 * - build peer_cfg on-the-fly using med_cfg
+	 * - add a child_cfg
+	 */
+	e = this->db->query(this->db,
+			"SELECT ClientConfig.KeyId, Connection.KeyId, "
+			"Connection.LocalSubnet, Connection.RemoteSubnet "
+			"FROM ClientConfig JOIN Connection "
+			"WHERE Active AND Alias = ?", DB_TEXT, name,
+			DB_BLOB, DB_BLOB, DB_TEXT, DB_TEXT);
+	if (!e || !e->enumerate(e, &me, &other, &local_net, &remote_net))
+	{
+		DESTROY_IF(e);
+		return NULL;
+	}
+	peer_cfg = peer_cfg_create(
+		name, 2, this->ike->get_ref(this->ike),
+		CERT_NEVER_SEND, UNIQUE_REPLACE,
+		1, this->rekey*60, 0,  			/* keytries, rekey, reauth */
+		this->rekey*5, this->rekey*3, 	/* jitter, overtime */
+		TRUE, this->dpd, 				/* mobike, dpddelay */
+		NULL, NULL, 					/* vip, pool */
+		FALSE, med_cfg,					/* mediation, med by */
+		identification_create_from_encoding(ID_KEY_ID, other));
+
+	auth = auth_cfg_create();
+	auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
+	auth->add(auth, AUTH_RULE_IDENTITY,
+			  identification_create_from_encoding(ID_KEY_ID, me));
+	peer_cfg->add_auth_cfg(peer_cfg, auth, TRUE);
+	auth = auth_cfg_create();
+	auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
+	auth->add(auth, AUTH_RULE_IDENTITY,
+			  identification_create_from_encoding(ID_KEY_ID, other));
+	peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);
+
+	child_cfg = child_cfg_create(name, &lifetime, NULL, TRUE,
+							  MODE_TUNNEL, ACTION_NONE, ACTION_NONE, FALSE, 0);
+	child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
+	child_cfg->add_traffic_selector(child_cfg, TRUE, ts_from_string(local_net));
+	child_cfg->add_traffic_selector(child_cfg, FALSE, ts_from_string(remote_net));
+	peer_cfg->add_child_cfg(peer_cfg, child_cfg);
+	e->destroy(e);
+	return peer_cfg;
+}
+
+/**
+ * Implementation of backend_t.create_ike_cfg_enumerator.
+ */
+static enumerator_t* create_ike_cfg_enumerator(private_medcli_config_t *this,
+											   host_t *me, host_t *other)
+{
+	return enumerator_create_single(this->ike, NULL);
+}
+
+typedef struct {
+	/** implements enumerator */
+	enumerator_t public;
+	/** inner SQL enumerator */
+	enumerator_t *inner;
+	/** currently enumerated peer config */
+	peer_cfg_t *current;
+	/** ike cfg to use in peer cfg */
+	ike_cfg_t *ike;
+	/** rekey time */
+	int rekey;
+	/** dpd time */
+	int dpd;
+} peer_enumerator_t;
+
+/**
+ * Implementation of peer_enumerator_t.public.enumerate
+ */
+static bool peer_enumerator_enumerate(peer_enumerator_t *this, peer_cfg_t **cfg)
+{
+	char *name, *local_net, *remote_net;
+	chunk_t me, other;
+	child_cfg_t *child_cfg;
+	auth_cfg_t *auth;
+	lifetime_cfg_t lifetime = {
+		.time = {
+			.life = this->rekey * 60 + this->rekey,
+			.rekey = this->rekey,
+			.jitter = this->rekey
+		}
+	};
+
+	DESTROY_IF(this->current);
+	if (!this->inner->enumerate(this->inner, &name, &me, &other,
+								&local_net, &remote_net))
+	{
+		this->current = NULL;
+		return FALSE;
+	}
+	this->current = peer_cfg_create(
+				name, 2, this->ike->get_ref(this->ike),
+				CERT_NEVER_SEND, UNIQUE_REPLACE,
+				1, this->rekey*60, 0,  			/* keytries, rekey, reauth */
+				this->rekey*5, this->rekey*3, 	/* jitter, overtime */
+				TRUE, this->dpd, 				/* mobike, dpddelay */
+				NULL, NULL, 					/* vip, pool */
+				FALSE, NULL, NULL); 			/* mediation, med by, peer id */
+
+	auth = auth_cfg_create();
+	auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
+	auth->add(auth, AUTH_RULE_IDENTITY,
+			  identification_create_from_encoding(ID_KEY_ID, me));
+	this->current->add_auth_cfg(this->current, auth, TRUE);
+	auth = auth_cfg_create();
+	auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
+	auth->add(auth, AUTH_RULE_IDENTITY,
+			  identification_create_from_encoding(ID_KEY_ID, other));
+	this->current->add_auth_cfg(this->current, auth, FALSE);
+
+	child_cfg = child_cfg_create(name, &lifetime, NULL, TRUE, MODE_TUNNEL,
+								 ACTION_NONE, ACTION_NONE, FALSE, 0);
+	child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
+	child_cfg->add_traffic_selector(child_cfg, TRUE, ts_from_string(local_net));
+	child_cfg->add_traffic_selector(child_cfg, FALSE, ts_from_string(remote_net));
+	this->current->add_child_cfg(this->current, child_cfg);
+	*cfg = this->current;
+	return TRUE;
+}
+
+/**
+ * Implementation of peer_enumerator_t.public.destroy
+ */
+static void peer_enumerator_destroy(peer_enumerator_t *this)
+{
+	DESTROY_IF(this->current);
+	this->inner->destroy(this->inner);
+	free(this);
+}
+
+/**
+ * Implementation of backend_t.create_peer_cfg_enumerator.
+ */
+static enumerator_t* create_peer_cfg_enumerator(private_medcli_config_t *this,
+												identification_t *me,
+												identification_t *other)
+{
+	peer_enumerator_t *e = malloc_thing(peer_enumerator_t);
+
+	e->current = NULL;
+	e->ike = this->ike;
+	e->rekey = this->rekey;
+	e->dpd = this->dpd;
+	e->public.enumerate = (void*)peer_enumerator_enumerate;
+	e->public.destroy = (void*)peer_enumerator_destroy;
+
+	/* filter on IDs: NULL or ANY or matching KEY_ID */
+	e->inner = this->db->query(this->db,
+			"SELECT Alias, ClientConfig.KeyId, Connection.KeyId, "
+			"Connection.LocalSubnet, Connection.RemoteSubnet "
+			"FROM ClientConfig JOIN Connection "
+			"WHERE Active AND "
+			"(? OR ClientConfig.KeyId = ?) AND (? OR Connection.KeyId = ?)",
+			DB_INT, me == NULL || me->get_type(me) == ID_ANY,
+			DB_BLOB, me && me->get_type(me) == ID_KEY_ID ?
+				me->get_encoding(me) : chunk_empty,
+			DB_INT, other == NULL || other->get_type(other) == ID_ANY,
+			DB_BLOB, other && other->get_type(other) == ID_KEY_ID ?
+				other->get_encoding(other) : chunk_empty,
+			DB_TEXT, DB_BLOB, DB_BLOB, DB_TEXT, DB_TEXT);
+	if (!e->inner)
+	{
+		free(e);
+		return NULL;
+	}
+	return &e->public;
+}
+
+/**
+ * initiate a peer config
+ */
+static job_requeue_t initiate_config(peer_cfg_t *peer_cfg)
+{
+	enumerator_t *enumerator;
+	child_cfg_t *child_cfg = NULL;;
+
+	enumerator = peer_cfg->create_child_cfg_enumerator(peer_cfg);
+	enumerator->enumerate(enumerator, &child_cfg);
+	if (child_cfg)
+	{
+		child_cfg->get_ref(child_cfg);
+		peer_cfg->get_ref(peer_cfg);
+		enumerator->destroy(enumerator);
+		charon->controller->initiate(charon->controller,
+									 peer_cfg, child_cfg, NULL, NULL);
+	}
+	else
+	{
+		enumerator->destroy(enumerator);
+	}
+	return JOB_REQUEUE_NONE;
+}
+
+/**
+ * schedule initation of all "active" connections
+ */
+static void schedule_autoinit(private_medcli_config_t *this)
+{
+	enumerator_t *e;
+	char *name;
+
+	e = this->db->query(this->db, "SELECT Alias FROM Connection WHERE Active",
+						DB_TEXT);
+	if (e)
+	{
+		while (e->enumerate(e, &name))
+		{
+			peer_cfg_t *peer_cfg;
+
+			peer_cfg = get_peer_cfg_by_name(this, name);
+			if (peer_cfg)
+			{
+				/* schedule asynchronous initiation job */
+				charon->processor->queue_job(charon->processor,
+						(job_t*)callback_job_create(
+									(callback_job_cb_t)initiate_config,
+									peer_cfg, (void*)peer_cfg->destroy, NULL));
+			}
+		}
+		e->destroy(e);
+	}
+}
+
+/**
+ * Implementation of medcli_config_t.destroy.
+ */
+static void destroy(private_medcli_config_t *this)
+{
+	this->ike->destroy(this->ike);
+	free(this);
+}
+
+/**
+ * Described in header.
+ */
+medcli_config_t *medcli_config_create(database_t *db)
+{
+	private_medcli_config_t *this = malloc_thing(private_medcli_config_t);
+
+	this->public.backend.create_peer_cfg_enumerator = (enumerator_t*(*)(backend_t*, identification_t *me, identification_t *other))create_peer_cfg_enumerator;
+	this->public.backend.create_ike_cfg_enumerator = (enumerator_t*(*)(backend_t*, host_t *me, host_t *other))create_ike_cfg_enumerator;
+	this->public.backend.get_peer_cfg_by_name = (peer_cfg_t* (*)(backend_t*,char*))get_peer_cfg_by_name;
+	this->public.destroy = (void(*)(medcli_config_t*))destroy;
+
+	this->db = db;
+	this->rekey = lib->settings->get_time(lib->settings, "medcli.rekey", 1200);
+	this->dpd = lib->settings->get_time(lib->settings, "medcli.dpd", 300);
+	this->ike = ike_cfg_create(FALSE, FALSE,
+						"0.0.0.0", IKEV2_UDP_PORT, "0.0.0.0", IKEV2_UDP_PORT);
+	this->ike->add_proposal(this->ike, proposal_create_default(PROTO_IKE));
+
+	schedule_autoinit(this);
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/plugins/medcli/medcli_config.h b/src/libcharon/plugins/medcli/medcli_config.h
new file mode 100644
index 000000000..36c20adf7
--- /dev/null
+++ b/src/libcharon/plugins/medcli/medcli_config.h
@@ -0,0 +1,53 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup medcli_config_i medcli_config
+ * @{ @ingroup medcli
+ */
+
+#ifndef MEDCLI_CONFIG_H_
+#define MEDCLI_CONFIG_H_
+
+#include <config/backend.h>
+#include <database/database.h>
+
+typedef struct medcli_config_t medcli_config_t;
+
+/**
+ * Mediation client configuration backend.
+ */
+struct medcli_config_t {
+
+	/**
+	 * Implements backend_t interface
+	 */
+	backend_t backend;
+
+	/**
+	 * Destroy the backend.
+	 */
+	void (*destroy)(medcli_config_t *this);
+};
+
+/**
+ * Create a medcli_config backend instance.
+ *
+ * @param db		underlying database
+ * @return			backend instance
+ */
+medcli_config_t *medcli_config_create(database_t *db);
+
+#endif /** MEDCLI_CONFIG_H_ @}*/
diff --git a/src/libcharon/plugins/medcli/medcli_creds.c b/src/libcharon/plugins/medcli/medcli_creds.c
new file mode 100644
index 000000000..9729df3f5
--- /dev/null
+++ b/src/libcharon/plugins/medcli/medcli_creds.c
@@ -0,0 +1,243 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "medcli_creds.h"
+
+#include <daemon.h>
+#include <library.h>
+#include <utils/enumerator.h>
+
+typedef struct private_medcli_creds_t private_medcli_creds_t;
+
+/**
+ * Private data of an medcli_creds_t object
+ */
+struct private_medcli_creds_t {
+
+	/**
+	 * Public part
+	 */
+	medcli_creds_t public;
+
+	/**
+	 * underlying database handle
+	 */
+	database_t *db;
+};
+
+/**
+ * enumerator over private keys
+ */
+typedef struct {
+	/** implements enumerator */
+	enumerator_t public;
+	/** inner SQL enumerator */
+	enumerator_t *inner;
+	/** currently enumerated private key */
+	private_key_t *current;
+} private_enumerator_t;
+
+/**
+ * Implementation of private_enumerator_t.public.enumerate
+ */
+static bool private_enumerator_enumerate(private_enumerator_t *this,
+										 private_key_t **key)
+{
+	chunk_t chunk;
+
+	DESTROY_IF(this->current);
+	while (this->inner->enumerate(this->inner, &chunk))
+	{
+		this->current = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+										   BUILD_BLOB_ASN1_DER, chunk,
+										   BUILD_END);
+		if (this->current)
+		{
+			*key = this->current;
+			return TRUE;
+		}
+	}
+	this->current = NULL;
+	return FALSE;
+}
+
+/**
+ * Implementation of private_enumerator_t.public.destroy
+ */
+static void private_enumerator_destroy(private_enumerator_t *this)
+{
+	DESTROY_IF(this->current);
+	this->inner->destroy(this->inner);
+	free(this);
+}
+
+/**
+ * Implementation of credential_set_t.create_private_enumerator.
+ */
+static enumerator_t* create_private_enumerator(private_medcli_creds_t *this,
+										key_type_t type, identification_t *id)
+{
+	private_enumerator_t *e;
+
+	if ((type != KEY_RSA && type != KEY_ANY) ||
+		id == NULL || id->get_type(id) != ID_KEY_ID)
+	{
+		DBG1(DBG_CFG, "%N - %Y", key_type_names, type, id);
+		return NULL;
+	}
+
+	e = malloc_thing(private_enumerator_t);
+	e->current = NULL;
+	e->public.enumerate = (void*)private_enumerator_enumerate;
+	e->public.destroy = (void*)private_enumerator_destroy;
+	e->inner = this->db->query(this->db,
+						"SELECT PrivateKey FROM ClientConfig WHERE KeyId = ?",
+						DB_BLOB, id->get_encoding(id),
+						DB_BLOB);
+	if (!e->inner)
+	{
+		free(e);
+		return NULL;
+	}
+	return &e->public;
+}
+
+/**
+ * enumerator over certificates
+ */
+typedef struct {
+	/** implements enumerator */
+	enumerator_t public;
+	/** inner SQL enumerator */
+	enumerator_t *inner;
+	/** currently enumerated cert */
+	certificate_t *current;
+	/** type of requested key */
+	key_type_t type;
+} cert_enumerator_t;
+
+/**
+ * Implementation of cert_enumerator_t.public.enumerate
+ */
+static bool cert_enumerator_enumerate(cert_enumerator_t *this,
+									  certificate_t **cert)
+{
+	public_key_t *public;
+	chunk_t chunk;
+
+	DESTROY_IF(this->current);
+	while (this->inner->enumerate(this->inner, &chunk))
+	{
+		public = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ANY,
+									BUILD_BLOB_ASN1_DER, chunk,
+									BUILD_END);
+		if (public)
+		{
+			if (this->type == KEY_ANY || this->type == public->get_type(public))
+			{
+				this->current = lib->creds->create(lib->creds,
+										CRED_CERTIFICATE, CERT_TRUSTED_PUBKEY,
+										BUILD_PUBLIC_KEY, public, BUILD_END);
+				public->destroy(public);
+				if (this->current)
+				{
+					*cert = this->current;
+					return TRUE;
+				}
+			}
+			else
+			{
+				public->destroy(public);
+			}
+		}
+	}
+	this->current = NULL;
+	return FALSE;
+}
+
+/**
+ * Implementation of cert_enumerator_t.public.destroy
+ */
+static void cert_enumerator_destroy(cert_enumerator_t *this)
+{
+	DESTROY_IF(this->current);
+	this->inner->destroy(this->inner);
+	free(this);
+}
+
+/**
+ * Implementation of credential_set_t.create_cert_enumerator.
+ */
+static enumerator_t* create_cert_enumerator(private_medcli_creds_t *this,
+										certificate_type_t cert, key_type_t key,
+										identification_t *id, bool trusted)
+{
+	cert_enumerator_t *e;
+
+	if ((cert != CERT_TRUSTED_PUBKEY && cert != CERT_ANY) ||
+		id == NULL || id->get_type(id) != ID_KEY_ID)
+	{
+		return NULL;
+	}
+
+	e = malloc_thing(cert_enumerator_t);
+	e->current = NULL;
+	e->type = key;
+	e->public.enumerate = (void*)cert_enumerator_enumerate;
+	e->public.destroy = (void*)cert_enumerator_destroy;
+	e->inner = this->db->query(this->db,
+			"SELECT PublicKey FROM ClientConfig WHERE KeyId = ? UNION "
+			"SELECT PublicKey FROM MediationServerConfig WHERE KeyId = ? UNION "
+			"SELECT PublicKey FROM Connection WHERE KeyId = ?",
+			DB_BLOB, id->get_encoding(id),
+			DB_BLOB, id->get_encoding(id),
+			DB_BLOB, id->get_encoding(id),
+			DB_BLOB);
+	if (!e->inner)
+	{
+		free(e);
+		return NULL;
+	}
+	return &e->public;
+}
+
+/**
+ * Implementation of backend_t.destroy.
+ */
+static void destroy(private_medcli_creds_t *this)
+{
+	free(this);
+}
+
+/**
+ * Described in header.
+ */
+medcli_creds_t *medcli_creds_create(database_t *db)
+{
+	private_medcli_creds_t *this = malloc_thing(private_medcli_creds_t);
+
+	this->public.set.create_private_enumerator = (void*)create_private_enumerator;
+	this->public.set.create_cert_enumerator = (void*)create_cert_enumerator;
+	this->public.set.create_shared_enumerator = (void*)return_null;
+	this->public.set.create_cdp_enumerator = (void*)return_null;
+	this->public.set.cache_cert = (void*)nop;
+
+	this->public.destroy = (void (*)(medcli_creds_t*))destroy;
+
+	this->db = db;
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/plugins/medcli/medcli_creds.h b/src/libcharon/plugins/medcli/medcli_creds.h
new file mode 100644
index 000000000..4b5402653
--- /dev/null
+++ b/src/libcharon/plugins/medcli/medcli_creds.h
@@ -0,0 +1,53 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup medcli_creds_i medcli_creds
+ * @{ @ingroup medcli
+ */
+
+#ifndef MEDCLI_CREDS_H_
+#define MEDCLI_CREDS_H_
+
+#include <credentials/credential_set.h>
+#include <database/database.h>
+
+typedef struct medcli_creds_t medcli_creds_t;
+
+/**
+ * Mediation client credentials database.
+ */
+struct medcli_creds_t {
+
+	/**
+	 * Implements credential_set_t interface
+	 */
+	credential_set_t set;
+
+	/**
+	 * Destroy the credentials databse.
+	 */
+	void (*destroy)(medcli_creds_t *this);
+};
+
+/**
+ * Create the medcli credential set.
+ *
+ * @param database		underlying database
+ * @return				credential set implementation on that database
+ */
+medcli_creds_t *medcli_creds_create(database_t *database);
+
+#endif /** MEDCLI_CREDS_H_ @}*/
diff --git a/src/libcharon/plugins/medcli/medcli_listener.c b/src/libcharon/plugins/medcli/medcli_listener.c
new file mode 100644
index 000000000..142f02e6c
--- /dev/null
+++ b/src/libcharon/plugins/medcli/medcli_listener.c
@@ -0,0 +1,133 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "medcli_listener.h"
+
+#include <daemon.h>
+#include <library.h>
+
+typedef struct private_medcli_listener_t private_medcli_listener_t;
+typedef enum mediated_state_t mediated_state_t;
+
+/**
+ * state of a mediated connection
+ */
+enum mediated_state_t {
+	STATE_DOWN = 1,
+	STATE_CONNECTING = 2,
+	STATE_UP = 3,
+};
+
+/**
+ * Private data of an medcli_listener_t object
+ */
+struct private_medcli_listener_t {
+
+	/**
+	 * Public part
+	 */
+	medcli_listener_t public;
+
+	/**
+	 * underlying database handle
+	 */
+	database_t *db;
+};
+
+/**
+ * Implementation of bus_listener_t.signal.
+ */
+static void set_state(private_medcli_listener_t *this, char *alias,
+					  mediated_state_t state)
+{
+	this->db->execute(this->db, NULL,
+					  "UPDATE Connection SET Status = ? WHERE Alias = ?",
+					  DB_UINT, state, DB_TEXT, alias);
+}
+/**
+ * Implementation of listener_t.ike_state_change
+ */
+static bool ike_state_change(private_medcli_listener_t *this,
+							 ike_sa_t *ike_sa, ike_sa_state_t state)
+{
+	if (ike_sa)
+	{
+		switch (state)
+		{
+			case IKE_CONNECTING:
+				set_state(this, ike_sa->get_name(ike_sa), STATE_CONNECTING);
+				break;
+			case IKE_DESTROYING:
+				set_state(this, ike_sa->get_name(ike_sa), STATE_DOWN);
+			default:
+				break;
+		}
+	}
+	return TRUE;
+}
+
+/**
+ * Implementation of listener_t.child_state_change
+ */
+static bool child_state_change(private_medcli_listener_t *this,
+				ike_sa_t *ike_sa, child_sa_t *child_sa, child_sa_state_t state)
+{
+	if (ike_sa && child_sa)
+	{
+		switch (state)
+		{
+			case CHILD_INSTALLED:
+				set_state(this, child_sa->get_name(child_sa), STATE_UP);
+				break;
+			case CHILD_DESTROYING:
+				set_state(this, child_sa->get_name(child_sa), STATE_DOWN);
+				break;
+			default:
+				break;
+		}
+	}
+	return TRUE;
+}
+
+/**
+ * Implementation of backend_t.destroy.
+ */
+static void destroy(private_medcli_listener_t *this)
+{
+	this->db->execute(this->db, NULL, "UPDATE Connection SET Status = ?",
+					  DB_UINT, STATE_DOWN);
+	free(this);
+}
+
+/**
+ * Described in header.
+ */
+medcli_listener_t *medcli_listener_create(database_t *db)
+{
+	private_medcli_listener_t *this = malloc_thing(private_medcli_listener_t);
+
+	memset(&this->public.listener, 0, sizeof(listener_t));
+
+	this->public.listener.ike_state_change = (void*)ike_state_change;
+	this->public.listener.child_state_change = (void*)child_state_change;
+	this->public.destroy = (void (*)(medcli_listener_t*))destroy;
+
+	this->db = db;
+	db->execute(db, NULL, "UPDATE Connection SET Status = ?",
+				DB_UINT, STATE_DOWN);
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/plugins/medcli/medcli_listener.h b/src/libcharon/plugins/medcli/medcli_listener.h
new file mode 100644
index 000000000..4768beccd
--- /dev/null
+++ b/src/libcharon/plugins/medcli/medcli_listener.h
@@ -0,0 +1,53 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup medcli_listener_i medcli_listener
+ * @{ @ingroup medcli
+ */
+
+#ifndef MEDCLI_LISTENER_H_
+#define MEDCLI_LISTENER_H_
+
+#include <bus/bus.h>
+#include <database/database.h>
+
+typedef struct medcli_listener_t medcli_listener_t;
+
+/**
+ * Mediation client listener, writes connection status to database
+ */
+struct medcli_listener_t {
+
+	/**
+	 * Implements bus_listener_t interface
+	 */
+	listener_t listener;
+
+	/**
+	 * Destroy the credentials databse.
+	 */
+	void (*destroy)(medcli_listener_t *this);
+};
+
+/**
+ * Create the medcli credential set.
+ *
+ * @param database		underlying database
+ * @return				listener
+ */
+medcli_listener_t *medcli_listener_create(database_t *database);
+
+#endif /** MEDCLI_LISTENER_H_ @}*/
diff --git a/src/libcharon/plugins/medcli/medcli_plugin.c b/src/libcharon/plugins/medcli/medcli_plugin.c
new file mode 100644
index 000000000..397168d46
--- /dev/null
+++ b/src/libcharon/plugins/medcli/medcli_plugin.c
@@ -0,0 +1,109 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "medcli_plugin.h"
+
+#include "medcli_creds.h"
+#include "medcli_config.h"
+#include "medcli_listener.h"
+
+#include <daemon.h>
+
+typedef struct private_medcli_plugin_t private_medcli_plugin_t;
+
+/**
+ * private data of medcli plugin
+ */
+struct private_medcli_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	medcli_plugin_t public;
+
+	/**
+	 * database connection instance
+	 */
+	database_t *db;
+
+	/**
+	 * medcli credential set instance
+	 */
+	medcli_creds_t *creds;
+
+	/**
+	 * medcli config database
+	 */
+	medcli_config_t *config;
+
+	/**
+	 * Listener to update database connection state
+	 */
+	medcli_listener_t *listener;
+};
+
+/**
+ * Implementation of plugin_t.destroy
+ */
+static void destroy(private_medcli_plugin_t *this)
+{
+	charon->bus->remove_listener(charon->bus, &this->listener->listener);
+	charon->backends->remove_backend(charon->backends, &this->config->backend);
+	charon->credentials->remove_set(charon->credentials, &this->creds->set);
+	this->listener->destroy(this->listener);
+	this->config->destroy(this->config);
+	this->creds->destroy(this->creds);
+	this->db->destroy(this->db);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *medcli_plugin_create()
+{
+	char *uri;
+	private_medcli_plugin_t *this = malloc_thing(private_medcli_plugin_t);
+
+	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+
+	uri = lib->settings->get_str(lib->settings,
+								 "medcli.database", NULL);
+	if (!uri)
+	{
+		DBG1(DBG_CFG, "mediation client database URI not defined, skipped");
+		free(this);
+		return NULL;
+	}
+
+	this->db = lib->db->create(lib->db, uri);
+	if (this->db == NULL)
+	{
+		DBG1(DBG_CFG, "opening mediation client database failed");
+		free(this);
+		return NULL;
+	}
+
+	this->creds = medcli_creds_create(this->db);
+	this->config = medcli_config_create(this->db);
+	this->listener = medcli_listener_create(this->db);
+
+	charon->credentials->add_set(charon->credentials, &this->creds->set);
+	charon->backends->add_backend(charon->backends, &this->config->backend);
+	charon->bus->add_listener(charon->bus, &this->listener->listener);
+
+	return &this->public.plugin;
+}
+
diff --git a/src/libcharon/plugins/medcli/medcli_plugin.h b/src/libcharon/plugins/medcli/medcli_plugin.h
new file mode 100644
index 000000000..44e7bb525
--- /dev/null
+++ b/src/libcharon/plugins/medcli/medcli_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup medcli medcli
+ * @ingroup cplugins
+ *
+ * @defgroup medcli_plugin medcli_plugin
+ * @{ @ingroup medcli
+ */
+
+#ifndef MEDCLI_PLUGIN_H_
+#define MEDCLI_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct medcli_plugin_t medcli_plugin_t;
+
+/**
+ * Mediation client database plugin.
+ */
+struct medcli_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+#endif /** MEDCLI_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/medsrv/Makefile.am b/src/libcharon/plugins/medsrv/Makefile.am
new file mode 100644
index 000000000..7f5c8e2b3
--- /dev/null
+++ b/src/libcharon/plugins/medsrv/Makefile.am
@@ -0,0 +1,18 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-medsrv.la
+else
+plugin_LTLIBRARIES = libstrongswan-medsrv.la
+endif
+
+libstrongswan_medsrv_la_SOURCES = \
+	medsrv_plugin.h medsrv_plugin.c \
+	medsrv_creds.h medsrv_creds.c \
+	medsrv_config.h medsrv_config.c
+
+libstrongswan_medsrv_la_LDFLAGS = -module -avoid-version
diff --git a/src/libcharon/plugins/medsrv/Makefile.in b/src/libcharon/plugins/medsrv/Makefile.in
new file mode 100644
index 000000000..a103a1340
--- /dev/null
+++ b/src/libcharon/plugins/medsrv/Makefile.in
@@ -0,0 +1,591 @@
+# Makefile.in generated by automake 1.11 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libcharon/plugins/medsrv
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_medsrv_la_LIBADD =
+am_libstrongswan_medsrv_la_OBJECTS = medsrv_plugin.lo medsrv_creds.lo \
+	medsrv_config.lo
+libstrongswan_medsrv_la_OBJECTS =  \
+	$(am_libstrongswan_medsrv_la_OBJECTS)
+libstrongswan_medsrv_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_medsrv_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_medsrv_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_medsrv_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_medsrv_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_medsrv_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libhydra_plugins = @libhydra_plugins@
+libstrongswan_plugins = @libstrongswan_plugins@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-medsrv.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-medsrv.la
+libstrongswan_medsrv_la_SOURCES = \
+	medsrv_plugin.h medsrv_plugin.c \
+	medsrv_creds.h medsrv_creds.c \
+	medsrv_config.h medsrv_config.c
+
+libstrongswan_medsrv_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/medsrv/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libcharon/plugins/medsrv/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-medsrv.la: $(libstrongswan_medsrv_la_OBJECTS) $(libstrongswan_medsrv_la_DEPENDENCIES) 
+	$(libstrongswan_medsrv_la_LINK) $(am_libstrongswan_medsrv_la_rpath) $(libstrongswan_medsrv_la_OBJECTS) $(libstrongswan_medsrv_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/medsrv_config.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/medsrv_creds.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/medsrv_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libcharon/plugins/medsrv/medsrv_config.c b/src/libcharon/plugins/medsrv/medsrv_config.c
new file mode 100644
index 000000000..c23955ad0
--- /dev/null
+++ b/src/libcharon/plugins/medsrv/medsrv_config.c
@@ -0,0 +1,154 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <string.h>
+
+#include "medsrv_config.h"
+
+#include <daemon.h>
+
+typedef struct private_medsrv_config_t private_medsrv_config_t;
+
+/**
+ * Private data of an medsrv_config_t object
+ */
+struct private_medsrv_config_t {
+
+	/**
+	 * Public part
+	 */
+	medsrv_config_t public;
+
+	/**
+	 * database connection
+	 */
+	database_t *db;
+
+	/**
+	 * rekey time
+	 */
+	int rekey;
+
+	/**
+	 * dpd delay
+	 */
+	int dpd;
+
+	/**
+	 * default ike config
+	 */
+	ike_cfg_t *ike;
+};
+
+/**
+ * implements backend_t.get_peer_cfg_by_name.
+ */
+static peer_cfg_t *get_peer_cfg_by_name(private_medsrv_config_t *this, char *name)
+{
+	return NULL;
+}
+
+/**
+ * Implementation of backend_t.create_ike_cfg_enumerator.
+ */
+static enumerator_t* create_ike_cfg_enumerator(private_medsrv_config_t *this,
+											   host_t *me, host_t *other)
+{
+	return enumerator_create_single(this->ike, NULL);
+}
+
+/**
+ * Implementation of backend_t.create_peer_cfg_enumerator.
+ */
+static enumerator_t* create_peer_cfg_enumerator(private_medsrv_config_t *this,
+												identification_t *me,
+												identification_t *other)
+{
+	enumerator_t *e;
+
+	if (!me || !other || other->get_type(other) != ID_KEY_ID)
+	{
+		return NULL;
+	}
+	e = this->db->query(this->db,
+			"SELECT CONCAT(peer.alias, CONCAT('@', user.login)) FROM "
+			"peer JOIN user ON peer.user = user.id "
+			"WHERE peer.keyid = ?", DB_BLOB, other->get_encoding(other),
+			DB_TEXT);
+	if (e)
+	{
+		peer_cfg_t *peer_cfg;
+		auth_cfg_t *auth;
+		char *name;
+
+		if (e->enumerate(e, &name))
+		{
+			peer_cfg = peer_cfg_create(
+				name, 2, this->ike->get_ref(this->ike),
+				CERT_NEVER_SEND, UNIQUE_REPLACE,
+				1, this->rekey*60, 0,  			/* keytries, rekey, reauth */
+				this->rekey*5, this->rekey*3, 	/* jitter, overtime */
+				TRUE, this->dpd, 				/* mobike, dpddelay */
+				NULL, NULL, 					/* vip, pool */
+				TRUE, NULL, NULL); 				/* mediation, med by, peer id */
+			e->destroy(e);
+
+			auth = auth_cfg_create();
+			auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
+			auth->add(auth, AUTH_RULE_IDENTITY, me->clone(me));
+			peer_cfg->add_auth_cfg(peer_cfg, auth, TRUE);
+			auth = auth_cfg_create();
+			auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
+			auth->add(auth, AUTH_RULE_IDENTITY, other->clone(other));
+			peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);
+
+			return enumerator_create_single(peer_cfg, (void*)peer_cfg->destroy);
+		}
+		e->destroy(e);
+	}
+	return NULL;
+}
+
+/**
+ * Implementation of medsrv_config_t.destroy.
+ */
+static void destroy(private_medsrv_config_t *this)
+{
+	this->ike->destroy(this->ike);
+	free(this);
+}
+
+/**
+ * Described in header.
+ */
+medsrv_config_t *medsrv_config_create(database_t *db)
+{
+	private_medsrv_config_t *this = malloc_thing(private_medsrv_config_t);
+
+	this->public.backend.create_peer_cfg_enumerator = (enumerator_t*(*)(backend_t*, identification_t *me, identification_t *other))create_peer_cfg_enumerator;
+	this->public.backend.create_ike_cfg_enumerator = (enumerator_t*(*)(backend_t*, host_t *me, host_t *other))create_ike_cfg_enumerator;
+	this->public.backend.get_peer_cfg_by_name = (peer_cfg_t* (*)(backend_t*,char*))get_peer_cfg_by_name;
+	this->public.destroy = (void(*)(medsrv_config_t*))destroy;
+
+	this->db = db;
+	this->rekey = lib->settings->get_time(lib->settings, "medsrv.rekey", 1200);
+	this->dpd = lib->settings->get_time(lib->settings, "medsrv.dpd", 300);
+	this->ike = ike_cfg_create(FALSE, FALSE,
+						"0.0.0.0", IKEV2_UDP_PORT, "0.0.0.0", IKEV2_UDP_PORT);
+	this->ike->add_proposal(this->ike, proposal_create_default(PROTO_IKE));
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/plugins/medsrv/medsrv_config.h b/src/libcharon/plugins/medsrv/medsrv_config.h
new file mode 100644
index 000000000..fc8b0e972
--- /dev/null
+++ b/src/libcharon/plugins/medsrv/medsrv_config.h
@@ -0,0 +1,53 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup medsrv_config_i medsrv_config
+ * @{ @ingroup medsrv
+ */
+
+#ifndef MEDSRV_CONFIG_H_
+#define MEDSRV_CONFIG_H_
+
+#include <config/backend.h>
+#include <database/database.h>
+
+typedef struct medsrv_config_t medsrv_config_t;
+
+/**
+ * Mediation server configuration backend.
+ */
+struct medsrv_config_t {
+
+	/**
+	 * Implements backend_t interface
+	 */
+	backend_t backend;
+
+	/**
+	 * Destroy the backend.
+	 */
+	void (*destroy)(medsrv_config_t *this);
+};
+
+/**
+ * Create a medsrv_config backend instance.
+ *
+ * @param db		underlying database
+ * @return			backend instance
+ */
+medsrv_config_t *medsrv_config_create(database_t *db);
+
+#endif /** MEDSRV_CONFIG_H_ @}*/
diff --git a/src/libcharon/plugins/medsrv/medsrv_creds.c b/src/libcharon/plugins/medsrv/medsrv_creds.c
new file mode 100644
index 000000000..8d1643908
--- /dev/null
+++ b/src/libcharon/plugins/medsrv/medsrv_creds.c
@@ -0,0 +1,163 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "medsrv_creds.h"
+
+#include <daemon.h>
+#include <library.h>
+#include <utils/enumerator.h>
+
+typedef struct private_medsrv_creds_t private_medsrv_creds_t;
+
+/**
+ * Private data of an medsrv_creds_t object
+ */
+struct private_medsrv_creds_t {
+
+	/**
+	 * Public part
+	 */
+	medsrv_creds_t public;
+
+	/**
+	 * underlying database handle
+	 */
+	database_t *db;
+};
+
+/**
+ * enumerator over certificates
+ */
+typedef struct {
+	/** implements enumerator */
+	enumerator_t public;
+	/** inner SQL enumerator */
+	enumerator_t *inner;
+	/** currently enumerated cert */
+	certificate_t *current;
+	/** type of requested key */
+	key_type_t type;
+} cert_enumerator_t;
+
+/**
+ * Implementation of cert_enumerator_t.public.enumerate
+ */
+static bool cert_enumerator_enumerate(cert_enumerator_t *this,
+									  certificate_t **cert)
+{
+	certificate_t *trusted;
+	public_key_t *public;
+	chunk_t chunk;
+
+	DESTROY_IF(this->current);
+	while (this->inner->enumerate(this->inner, &chunk))
+	{
+		public = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ANY,
+									BUILD_BLOB_ASN1_DER, chunk,
+									BUILD_END);
+		if (public)
+		{
+			if (this->type == KEY_ANY || this->type == public->get_type(public))
+			{
+				trusted = lib->creds->create(lib->creds,
+										CRED_CERTIFICATE, CERT_TRUSTED_PUBKEY,
+										BUILD_PUBLIC_KEY, public, BUILD_END);
+				public->destroy(public);
+				if (trusted)
+				{
+					*cert = this->current = trusted;
+					return TRUE;
+				}
+			}
+			else
+			{
+				public->destroy(public);
+			}
+		}
+	}
+	this->current = NULL;
+	return FALSE;
+}
+
+/**
+ * Implementation of cert_enumerator_t.public.destroy
+ */
+static void cert_enumerator_destroy(cert_enumerator_t *this)
+{
+	DESTROY_IF(this->current);
+	this->inner->destroy(this->inner);
+	free(this);
+}
+
+/**
+ * Implementation of credential_set_t.create_cert_enumerator.
+ */
+static enumerator_t* create_cert_enumerator(private_medsrv_creds_t *this,
+										certificate_type_t cert, key_type_t key,
+										identification_t *id, bool trusted)
+{
+	cert_enumerator_t *e;
+
+	if ((cert != CERT_TRUSTED_PUBKEY && cert != CERT_ANY) ||
+		id == NULL || id->get_type(id) != ID_KEY_ID)
+	{
+		return NULL;
+	}
+
+	e = malloc_thing(cert_enumerator_t);
+	e->current = NULL;
+	e->type = key;
+	e->public.enumerate = (void*)cert_enumerator_enumerate;
+	e->public.destroy = (void*)cert_enumerator_destroy;
+	e->inner = this->db->query(this->db,
+							   "SELECT public_key FROM peer WHERE keyid = ?",
+							   DB_BLOB, id->get_encoding(id),
+							   DB_BLOB);
+	if (!e->inner)
+	{
+		free(e);
+		return NULL;
+	}
+	return &e->public;
+}
+
+/**
+ * Implementation of backend_t.destroy.
+ */
+static void destroy(private_medsrv_creds_t *this)
+{
+	free(this);
+}
+
+/**
+ * Described in header.
+ */
+medsrv_creds_t *medsrv_creds_create(database_t *db)
+{
+	private_medsrv_creds_t *this = malloc_thing(private_medsrv_creds_t);
+
+	this->public.set.create_private_enumerator = (void*)return_null;
+	this->public.set.create_cert_enumerator = (void*)create_cert_enumerator;
+	this->public.set.create_shared_enumerator = (void*)return_null;
+	this->public.set.create_cdp_enumerator = (void*)return_null;
+	this->public.set.cache_cert = (void*)nop;
+
+	this->public.destroy = (void (*)(medsrv_creds_t*))destroy;
+
+	this->db = db;
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/plugins/medsrv/medsrv_creds.h b/src/libcharon/plugins/medsrv/medsrv_creds.h
new file mode 100644
index 000000000..d08adf3bf
--- /dev/null
+++ b/src/libcharon/plugins/medsrv/medsrv_creds.h
@@ -0,0 +1,53 @@
+/*
+ * Copyright (C) 2007-2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup medsrv_creds_i medsrv_creds
+ * @{ @ingroup medsrv
+ */
+
+#ifndef MEDSRV_CREDS_H_
+#define MEDSRV_CREDS_H_
+
+#include <credentials/credential_set.h>
+#include <database/database.h>
+
+typedef struct medsrv_creds_t medsrv_creds_t;
+
+/**
+ * Mediation credentials database.
+ */
+struct medsrv_creds_t {
+
+	/**
+	 * Implements credential_set_t interface
+	 */
+	credential_set_t set;
+
+	/**
+	 * Destroy the credentials databse.
+	 */
+	void (*destroy)(medsrv_creds_t *this);
+};
+
+/**
+ * Create the medsrv credentials db.
+ *
+ * @param database		underlying database
+ * @return				credential set implementation on that database
+ */
+medsrv_creds_t *medsrv_creds_create(database_t *database);
+
+#endif /** MEDSRV_CREDS_H_ @}*/
diff --git a/src/libcharon/plugins/medsrv/medsrv_plugin.c b/src/libcharon/plugins/medsrv/medsrv_plugin.c
new file mode 100644
index 000000000..262d26d6b
--- /dev/null
+++ b/src/libcharon/plugins/medsrv/medsrv_plugin.c
@@ -0,0 +1,99 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "medsrv_plugin.h"
+
+#include "medsrv_creds.h"
+#include "medsrv_config.h"
+
+#include <daemon.h>
+
+typedef struct private_medsrv_plugin_t private_medsrv_plugin_t;
+
+/**
+ * private data of medsrv plugin
+ */
+struct private_medsrv_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	medsrv_plugin_t public;
+
+	/**
+	 * database connection instance
+	 */
+	database_t *db;
+
+	/**
+	 * medsrv credential set instance
+	 */
+	medsrv_creds_t *creds;
+
+	/**
+	 * medsrv config database
+	 */
+	medsrv_config_t *config;
+};
+
+/**
+ * Implementation of plugin_t.destroy
+ */
+static void destroy(private_medsrv_plugin_t *this)
+{
+	charon->backends->remove_backend(charon->backends, &this->config->backend);
+	charon->credentials->remove_set(charon->credentials, &this->creds->set);
+	this->config->destroy(this->config);
+	this->creds->destroy(this->creds);
+	this->db->destroy(this->db);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *medsrv_plugin_create()
+{
+	char *uri;
+	private_medsrv_plugin_t *this = malloc_thing(private_medsrv_plugin_t);
+
+	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+
+	uri = lib->settings->get_str(lib->settings,
+								 "medsrv.database", NULL);
+	if (!uri)
+	{
+		DBG1(DBG_CFG, "mediation database URI not defined, skipped");
+		free(this);
+		return NULL;
+	}
+
+	this->db = lib->db->create(lib->db, uri);
+	if (this->db == NULL)
+	{
+		DBG1(DBG_CFG, "opening mediation server database failed");
+		free(this);
+		return NULL;
+	}
+
+	this->creds = medsrv_creds_create(this->db);
+	this->config = medsrv_config_create(this->db);
+
+	charon->credentials->add_set(charon->credentials, &this->creds->set);
+	charon->backends->add_backend(charon->backends, &this->config->backend);
+
+	return &this->public.plugin;
+}
+
diff --git a/src/libcharon/plugins/medsrv/medsrv_plugin.h b/src/libcharon/plugins/medsrv/medsrv_plugin.h
new file mode 100644
index 000000000..8736822ee
--- /dev/null
+++ b/src/libcharon/plugins/medsrv/medsrv_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup medsrv medsrv
+ * @ingroup cplugins
+ *
+ * @defgroup medsrv_plugin medsrv_plugin
+ * @{ @ingroup medsrv
+ */
+
+#ifndef MEDSRV_PLUGIN_H_
+#define MEDSRV_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct medsrv_plugin_t medsrv_plugin_t;
+
+/**
+ * Mediation server database plugin.
+ */
+struct medsrv_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+#endif /** MEDSRV_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/nm/Makefile.am b/src/libcharon/plugins/nm/Makefile.am
new file mode 100644
index 000000000..8e12a72be
--- /dev/null
+++ b/src/libcharon/plugins/nm/Makefile.am
@@ -0,0 +1,21 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon ${nm_CFLAGS}
+
+AM_CFLAGS = -rdynamic \
+  -DNM_CA_DIR=\"${nm_ca_dir}\"
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-nm.la
+else
+plugin_LTLIBRARIES = libstrongswan-nm.la
+endif
+
+libstrongswan_nm_la_SOURCES = \
+	nm_plugin.h nm_plugin.c \
+	nm_service.h nm_service.c \
+	nm_creds.h nm_creds.c \
+	nm_handler.h nm_handler.c
+
+libstrongswan_nm_la_LDFLAGS = -module -avoid-version
+libstrongswan_nm_la_LIBADD  = ${nm_LIBS}
diff --git a/src/libcharon/plugins/nm/Makefile.in b/src/libcharon/plugins/nm/Makefile.in
new file mode 100644
index 000000000..c7f288f54
--- /dev/null
+++ b/src/libcharon/plugins/nm/Makefile.in
@@ -0,0 +1,595 @@
+# Makefile.in generated by automake 1.11 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libcharon/plugins/nm
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+am__DEPENDENCIES_1 =
+libstrongswan_nm_la_DEPENDENCIES = $(am__DEPENDENCIES_1)
+am_libstrongswan_nm_la_OBJECTS = nm_plugin.lo nm_service.lo \
+	nm_creds.lo nm_handler.lo
+libstrongswan_nm_la_OBJECTS = $(am_libstrongswan_nm_la_OBJECTS)
+libstrongswan_nm_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_nm_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_nm_la_rpath = -rpath $(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_nm_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_nm_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_nm_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libhydra_plugins = @libhydra_plugins@
+libstrongswan_plugins = @libstrongswan_plugins@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon ${nm_CFLAGS}
+
+AM_CFLAGS = -rdynamic \
+  -DNM_CA_DIR=\"${nm_ca_dir}\"
+
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-nm.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-nm.la
+libstrongswan_nm_la_SOURCES = \
+	nm_plugin.h nm_plugin.c \
+	nm_service.h nm_service.c \
+	nm_creds.h nm_creds.c \
+	nm_handler.h nm_handler.c
+
+libstrongswan_nm_la_LDFLAGS = -module -avoid-version
+libstrongswan_nm_la_LIBADD = ${nm_LIBS}
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/nm/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libcharon/plugins/nm/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-nm.la: $(libstrongswan_nm_la_OBJECTS) $(libstrongswan_nm_la_DEPENDENCIES) 
+	$(libstrongswan_nm_la_LINK) $(am_libstrongswan_nm_la_rpath) $(libstrongswan_nm_la_OBJECTS) $(libstrongswan_nm_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/nm_creds.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/nm_handler.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/nm_plugin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/nm_service.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libcharon/plugins/nm/nm_creds.c b/src/libcharon/plugins/nm/nm_creds.c
new file mode 100644
index 000000000..193838e6b
--- /dev/null
+++ b/src/libcharon/plugins/nm/nm_creds.c
@@ -0,0 +1,447 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "nm_creds.h"
+
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <unistd.h>
+
+#include <daemon.h>
+#include <threading/rwlock.h>
+#include <credentials/certificates/x509.h>
+
+typedef struct private_nm_creds_t private_nm_creds_t;
+
+/**
+ * private data of nm_creds
+ */
+struct private_nm_creds_t {
+
+	/**
+	 * public functions
+	 */
+	nm_creds_t public;
+
+	/**
+	 * List of trusted certificates, certificate_t*
+	 */
+	linked_list_t *certs;
+
+	/**
+	 * User name
+	 */
+	identification_t *user;
+
+	/**
+	 * User password
+	 */
+	char *pass;
+
+	/**
+	 * users certificate
+	 */
+	certificate_t *usercert;
+
+	/**
+	 * users private key
+	 */
+	private_key_t *key;
+
+	/**
+	 * read/write lock
+	 */
+	rwlock_t *lock;
+};
+
+/**
+ * Enumerator for user certificate
+ */
+static enumerator_t *create_usercert_enumerator(private_nm_creds_t *this,
+							certificate_type_t cert, key_type_t key)
+{
+	public_key_t *public;
+
+	if (cert != CERT_ANY && cert != this->usercert->get_type(this->usercert))
+	{
+		return NULL;
+	}
+	if (key != KEY_ANY)
+	{
+		public = this->usercert->get_public_key(this->usercert);
+		if (!public)
+		{
+			return NULL;
+		}
+		if (public->get_type(public) != key)
+		{
+			public->destroy(public);
+			return NULL;
+		}
+		public->destroy(public);
+	}
+	this->lock->read_lock(this->lock);
+	return enumerator_create_cleaner(
+								enumerator_create_single(this->usercert, NULL),
+								(void*)this->lock->unlock, this->lock);
+}
+
+/**
+ * CA certificate enumerator data
+ */
+typedef struct {
+	/** ref to credential credential store */
+	private_nm_creds_t *this;
+	/** type of key we are looking for */
+	key_type_t key;
+	/** CA certificate ID */
+	identification_t *id;
+} cert_data_t;
+
+/**
+ * Destroy CA certificate enumerator data
+ */
+static void cert_data_destroy(cert_data_t *data)
+{
+	data->this->lock->unlock(data->this->lock);
+	free(data);
+}
+
+/**
+ * Filter function for certificates enumerator
+ */
+static bool cert_filter(cert_data_t *data, certificate_t **in,
+						 certificate_t **out)
+{
+	certificate_t *cert = *in;
+	public_key_t *public;
+
+	public = cert->get_public_key(cert);
+	if (!public)
+	{
+		return FALSE;
+	}
+	if (data->key != KEY_ANY && public->get_type(public) != data->key)
+	{
+		public->destroy(public);
+		return FALSE;
+	}
+	if (data->id && data->id->get_type(data->id) == ID_KEY_ID &&
+		public->has_fingerprint(public, data->id->get_encoding(data->id)))
+	{
+		public->destroy(public);
+		*out = cert;
+		return TRUE;
+	}
+	public->destroy(public);
+	if (data->id && !cert->has_subject(cert, data->id))
+	{
+		return FALSE;
+	}
+	*out = cert;
+	return TRUE;
+}
+
+/**
+ * Create enumerator for trusted certificates
+ */
+static enumerator_t *create_trusted_cert_enumerator(private_nm_creds_t *this,
+										key_type_t key, identification_t *id)
+{
+	cert_data_t *data = malloc_thing(cert_data_t);
+
+	data->this = this;
+	data->id = id;
+	data->key = key;
+
+	this->lock->read_lock(this->lock);
+	return enumerator_create_filter(
+					this->certs->create_enumerator(this->certs),
+					(void*)cert_filter, data, (void*)cert_data_destroy);
+}
+
+/**
+ * Implements credential_set_t.create_cert_enumerator
+ */
+static enumerator_t* create_cert_enumerator(private_nm_creds_t *this,
+							certificate_type_t cert, key_type_t key,
+							identification_t *id, bool trusted)
+{
+	if (id && this->usercert &&
+		id->equals(id, this->usercert->get_subject(this->usercert)))
+	{
+		return create_usercert_enumerator(this, cert, key);
+	}
+	if (cert == CERT_X509 || cert == CERT_ANY)
+	{
+		return create_trusted_cert_enumerator(this, key, id);
+	}
+	return NULL;
+}
+
+/**
+ * Implements credential_set_t.create_cert_enumerator
+ */
+static enumerator_t* create_private_enumerator(private_nm_creds_t *this,
+										key_type_t type, identification_t *id)
+{
+	if (this->key == NULL)
+	{
+		return NULL;
+	}
+	if (type != KEY_ANY && type != this->key->get_type(this->key))
+	{
+		return NULL;
+	}
+	if (id && id->get_type(id) != ID_ANY)
+	{
+		if (id->get_type(id) != ID_KEY_ID ||
+			!this->key->has_fingerprint(this->key, id->get_encoding(id)))
+		{
+			return NULL;
+		}
+	}
+	this->lock->read_lock(this->lock);
+	return enumerator_create_cleaner(enumerator_create_single(this->key, NULL),
+									 (void*)this->lock->unlock, this->lock);
+}
+
+/**
+ * shared key enumerator implementation
+ */
+typedef struct {
+	enumerator_t public;
+	private_nm_creds_t *this;
+	shared_key_t *key;
+	bool done;
+} shared_enumerator_t;
+
+/**
+ * enumerate function for shared enumerator
+ */
+static bool shared_enumerate(shared_enumerator_t *this, shared_key_t **key,
+							 id_match_t *me, id_match_t *other)
+{
+	if (this->done)
+	{
+		return FALSE;
+	}
+	*key = this->key;
+	*me = ID_MATCH_PERFECT;
+	*other = ID_MATCH_ANY;
+	this->done = TRUE;
+	return TRUE;
+}
+
+/**
+ * Destroy function for shared enumerator
+ */
+static void shared_destroy(shared_enumerator_t *this)
+{
+	this->key->destroy(this->key);
+	this->this->lock->unlock(this->this->lock);
+	free(this);
+}
+/**
+ * Implements credential_set_t.create_cert_enumerator
+ */
+static enumerator_t* create_shared_enumerator(private_nm_creds_t *this,
+							shared_key_type_t type,	identification_t *me,
+							identification_t *other)
+{
+	shared_enumerator_t *enumerator;
+
+	if (!this->pass || !this->user)
+	{
+		return NULL;
+	}
+	if (type != SHARED_EAP && type != SHARED_IKE)
+	{
+		return NULL;
+	}
+	if (me && !me->equals(me, this->user))
+	{
+		return NULL;
+	}
+
+	enumerator = malloc_thing(shared_enumerator_t);
+	enumerator->public.enumerate = (void*)shared_enumerate;
+	enumerator->public.destroy = (void*)shared_destroy;
+	enumerator->this = this;
+	enumerator->done = FALSE;
+	this->lock->read_lock(this->lock);
+	enumerator->key = shared_key_create(type,
+										chunk_clone(chunk_create(this->pass,
+													strlen(this->pass))));
+	return &enumerator->public;
+}
+
+/**
+ * Implementation of nm_creds_t.add_certificate
+ */
+static void add_certificate(private_nm_creds_t *this, certificate_t *cert)
+{
+	this->lock->write_lock(this->lock);
+	this->certs->insert_last(this->certs, cert);
+	this->lock->unlock(this->lock);
+}
+
+/**
+ * Load a certificate file
+ */
+static void load_ca_file(private_nm_creds_t *this, char *file)
+{
+	certificate_t *cert;
+
+	/* We add the CA constraint, as many CAs miss it */
+	cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+							  BUILD_FROM_FILE, file, BUILD_END);
+	if (!cert)
+	{
+		DBG1(DBG_CFG, "loading CA certificate '%s' failed", file);
+	}
+	else
+	{
+		DBG2(DBG_CFG, "loaded CA certificate '%Y'", cert->get_subject(cert));
+		x509_t *x509 = (x509_t*)cert;
+		if (!(x509->get_flags(x509) & X509_SELF_SIGNED))
+		{
+			DBG1(DBG_CFG, "%Y is not self signed", cert->get_subject(cert));
+		}
+		this->certs->insert_last(this->certs, cert);
+	}
+}
+
+/**
+ * Implementation of nm_creds_t.load_ca_dir
+ */
+static void load_ca_dir(private_nm_creds_t *this, char *dir)
+{
+	enumerator_t *enumerator;
+	char *rel, *abs;
+	struct stat st;
+
+	enumerator = enumerator_create_directory(dir);
+	if (enumerator)
+	{
+		while (enumerator->enumerate(enumerator, &rel, &abs, &st))
+		{
+			/* skip '.', '..' and hidden files */
+			if (rel[0] != '.')
+			{
+				if (S_ISDIR(st.st_mode))
+				{
+					load_ca_dir(this, abs);
+				}
+				else if (S_ISREG(st.st_mode))
+				{
+					load_ca_file(this, abs);
+				}
+			}
+		}
+		enumerator->destroy(enumerator);
+	}
+}
+
+/**
+ * Implementation of nm_creds_t.set_password
+ */
+static void set_username_password(private_nm_creds_t *this, identification_t *id,
+						 char *password)
+{
+	this->lock->write_lock(this->lock);
+	DESTROY_IF(this->user);
+	this->user = id->clone(id);
+	free(this->pass);
+	this->pass = password ? strdup(password) : NULL;
+	this->lock->unlock(this->lock);
+}
+
+/**
+ * Implementation of nm_creds_t.set_cert_and_key
+ */
+static void set_cert_and_key(private_nm_creds_t *this, certificate_t *cert,
+							 private_key_t *key)
+{
+	this->lock->write_lock(this->lock);
+	DESTROY_IF(this->key);
+	DESTROY_IF(this->usercert);
+	this->key = key;
+	this->usercert = cert;
+	this->lock->unlock(this->lock);
+}
+
+/**
+ * Implementation of nm_creds_t.clear
+ */
+static void clear(private_nm_creds_t *this)
+{
+	certificate_t *cert;
+
+	while (this->certs->remove_last(this->certs, (void**)&cert) == SUCCESS)
+	{
+		cert->destroy(cert);
+	}
+	DESTROY_IF(this->user);
+	free(this->pass);
+	DESTROY_IF(this->usercert);
+	DESTROY_IF(this->key);
+	this->key = NULL;
+	this->usercert = NULL;
+	this->pass = NULL;
+	this->user = NULL;
+}
+
+/**
+ * Implementation of nm_creds_t.destroy
+ */
+static void destroy(private_nm_creds_t *this)
+{
+	clear(this);
+	this->certs->destroy(this->certs);
+	this->lock->destroy(this->lock);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+nm_creds_t *nm_creds_create()
+{
+	private_nm_creds_t *this = malloc_thing(private_nm_creds_t);
+
+	this->public.set.create_private_enumerator = (void*)create_private_enumerator;
+	this->public.set.create_cert_enumerator = (void*)create_cert_enumerator;
+	this->public.set.create_shared_enumerator = (void*)create_shared_enumerator;
+	this->public.set.create_cdp_enumerator = (void*)return_null;
+	this->public.set.cache_cert = (void*)nop;
+	this->public.add_certificate = (void(*)(nm_creds_t*, certificate_t *cert))add_certificate;
+	this->public.load_ca_dir = (void(*)(nm_creds_t*, char *dir))load_ca_dir;
+	this->public.set_username_password = (void(*)(nm_creds_t*, identification_t *id, char *password))set_username_password;
+	this->public.set_cert_and_key = (void(*)(nm_creds_t*, certificate_t *cert, private_key_t *key))set_cert_and_key;
+	this->public.clear = (void(*)(nm_creds_t*))clear;
+	this->public.destroy = (void(*)(nm_creds_t*))destroy;
+
+	this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
+
+	this->certs = linked_list_create();
+	this->user = NULL;
+	this->pass = NULL;
+	this->usercert = NULL;
+	this->key = NULL;
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/plugins/nm/nm_creds.h b/src/libcharon/plugins/nm/nm_creds.h
new file mode 100644
index 000000000..b55cff31e
--- /dev/null
+++ b/src/libcharon/plugins/nm/nm_creds.h
@@ -0,0 +1,85 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup nm_creds nm_creds
+ * @{ @ingroup nm
+ */
+
+#ifndef NM_CREDS_H_
+#define NM_CREDS_H_
+
+#include <credentials/keys/private_key.h>
+#include <credentials/credential_set.h>
+
+typedef struct nm_creds_t nm_creds_t;
+
+/**
+ * NetworkManager credentials helper.
+ */
+struct nm_creds_t {
+
+	/**
+	 * Implements credential_set_t
+	 */
+	credential_set_t set;
+
+	/**
+	 * Add a trusted gateway certificate to serve by this set.
+	 *
+	 * @param cert		certificate to serve
+	 */
+	void (*add_certificate)(nm_creds_t *this, certificate_t *cert);
+
+	/**
+	 * Load CA certificates recursively from a directory.
+	 *
+	 * @param dir		directory to PEM encoded CA certificates
+	 */
+	void (*load_ca_dir)(nm_creds_t *this, char *dir);
+
+	/**
+	 * Set the username/password for authentication.
+	 *
+	 * @param id		ID of the user
+	 * @param password	password to use for authentication
+	 */
+	void (*set_username_password)(nm_creds_t *this, identification_t *id,
+								  char *password);
+	/**
+	 * Set the certificate and private key to use for client authentication.
+	 *
+	 * @param cert		client certificate
+	 * @param key		associated private key
+	 */
+	void (*set_cert_and_key)(nm_creds_t *this, certificate_t *cert,
+							 private_key_t *key);
+	/**
+	 * Clear the stored credentials.
+	 */
+	void (*clear)(nm_creds_t *this);
+
+	/**
+	 * Destroy a nm_creds instance.
+	 */
+	void (*destroy)(nm_creds_t *this);
+};
+
+/**
+ * Create a nm_creds instance.
+ */
+nm_creds_t *nm_creds_create();
+
+#endif /** NM_CREDS_H_ @}*/
diff --git a/src/libcharon/plugins/nm/nm_handler.c b/src/libcharon/plugins/nm/nm_handler.c
new file mode 100644
index 000000000..eacb54dda
--- /dev/null
+++ b/src/libcharon/plugins/nm/nm_handler.c
@@ -0,0 +1,193 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "nm_handler.h"
+
+#include <daemon.h>
+
+typedef struct private_nm_handler_t private_nm_handler_t;
+
+/**
+ * Private data of an nm_handler_t object.
+ */
+struct private_nm_handler_t {
+
+	/**
+	 * Public nm_handler_t interface.
+	 */
+	nm_handler_t public;
+
+	/**
+	 * list of received DNS server attributes, pointer to 4 byte data
+	 */
+	linked_list_t *dns;
+
+	/**
+	 * list of received NBNS server attributes, pointer to 4 byte data
+	 */
+	linked_list_t *nbns;
+};
+
+/**
+ * Implementation of attribute_handler_t.handle
+ */
+static bool handle(private_nm_handler_t *this, identification_t *server,
+				   configuration_attribute_type_t type, chunk_t data)
+{
+	linked_list_t *list;
+
+	switch (type)
+	{
+		case INTERNAL_IP4_DNS:
+			list = this->dns;
+			break;
+		case INTERNAL_IP4_NBNS:
+			list = this->nbns;
+			break;
+		default:
+			return FALSE;
+	}
+	if (data.len != 4)
+	{
+		return FALSE;
+	}
+	list->insert_last(list, chunk_clone(data).ptr);
+	return TRUE;
+}
+
+/**
+ * Implementation of create_attribute_enumerator().enumerate() for WINS
+ */
+static bool enumerate_nbns(enumerator_t *this,
+						   configuration_attribute_type_t *type, chunk_t *data)
+{
+	*type = INTERNAL_IP4_NBNS;
+	*data = chunk_empty;
+	/* done */
+	this->enumerate = (void*)return_false;
+	return TRUE;
+}
+
+/**
+ * Implementation of create_attribute_enumerator().enumerate() for DNS
+ */
+static bool enumerate_dns(enumerator_t *this,
+						  configuration_attribute_type_t *type, chunk_t *data)
+{
+	*type = INTERNAL_IP4_DNS;
+	*data = chunk_empty;
+	/* enumerate WINS server as next attribute ... */
+	this->enumerate = (void*)enumerate_nbns;
+	return TRUE;
+}
+
+/**
+ * Implementation of attribute_handler_t.create_attribute_enumerator
+ */
+static enumerator_t* create_attribute_enumerator(private_nm_handler_t *this,
+										identification_t *server, host_t *vip)
+{
+	if (vip && vip->get_family(vip) == AF_INET)
+	{	/* no IPv6 attributes yet */
+		enumerator_t *enumerator = malloc_thing(enumerator_t);
+		/* enumerate DNS attribute first ... */
+		enumerator->enumerate = (void*)enumerate_dns;
+		enumerator->destroy = (void*)free;
+
+		return enumerator;
+	}
+	return enumerator_create_empty();
+}
+
+/**
+ * convert plain byte ptrs to handy chunk during enumeration
+ */
+static bool filter_chunks(void* null, char **in, chunk_t *out)
+{
+	*out = chunk_create(*in, 4);
+	return TRUE;
+}
+
+/**
+ * Implementation of nm_handler_t.create_enumerator
+ */
+static enumerator_t* create_enumerator(private_nm_handler_t *this,
+									   configuration_attribute_type_t type)
+{
+	linked_list_t *list;
+
+	switch (type)
+	{
+		case INTERNAL_IP4_DNS:
+			list = this->dns;
+			break;
+		case INTERNAL_IP4_NBNS:
+			list = this->nbns;
+			break;
+		default:
+			return enumerator_create_empty();
+	}
+	return enumerator_create_filter(list->create_enumerator(list),
+						(void*)filter_chunks, NULL, NULL);
+}
+
+/**
+ * Implementation of nm_handler_t.reset
+ */
+static void reset(private_nm_handler_t *this)
+{
+	void *data;
+
+	while (this->dns->remove_last(this->dns, (void**)&data) == SUCCESS)
+	{
+		free(data);
+	}
+	while (this->nbns->remove_last(this->nbns, (void**)&data) == SUCCESS)
+	{
+		free(data);
+	}
+}
+
+/**
+ * Implementation of nm_handler_t.destroy.
+ */
+static void destroy(private_nm_handler_t *this)
+{
+	reset(this);
+	this->dns->destroy(this->dns);
+	this->nbns->destroy(this->nbns);
+	free(this);
+}
+
+/**
+ * See header
+ */
+nm_handler_t *nm_handler_create()
+{
+	private_nm_handler_t *this = malloc_thing(private_nm_handler_t);
+
+	this->public.handler.handle = (bool(*)(attribute_handler_t*, identification_t*, configuration_attribute_type_t, chunk_t))handle;
+	this->public.handler.release = (void(*)(attribute_handler_t*, identification_t*, configuration_attribute_type_t, chunk_t))nop;
+	this->public.handler.create_attribute_enumerator = (enumerator_t*(*)(attribute_handler_t*, identification_t *server, host_t *vip))create_attribute_enumerator;
+	this->public.create_enumerator = (enumerator_t*(*)(nm_handler_t*, configuration_attribute_type_t type))create_enumerator;
+	this->public.reset = (void(*)(nm_handler_t*))reset;
+	this->public.destroy = (void(*)(nm_handler_t*))destroy;
+
+	this->dns = linked_list_create();
+	this->nbns = linked_list_create();
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/plugins/nm/nm_handler.h b/src/libcharon/plugins/nm/nm_handler.h
new file mode 100644
index 000000000..bb35ce767
--- /dev/null
+++ b/src/libcharon/plugins/nm/nm_handler.h
@@ -0,0 +1,62 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup nm_handler nm_handler
+ * @{ @ingroup nm
+ */
+
+#ifndef NM_HANDLER_H_
+#define NM_HANDLER_H_
+
+#include <attributes/attribute_handler.h>
+
+typedef struct nm_handler_t nm_handler_t;
+
+/**
+ * Handles DNS/NBNS attributes to pass to NM.
+ */
+struct nm_handler_t {
+
+	/**
+	 * Implements attribute handler interface
+	 */
+	attribute_handler_t handler;
+
+	/**
+	 * Create an enumerator over received attributes of a given kind.
+	 *
+	 * @param type		type of attributes to enumerate
+	 * @return			enumerator over attribute data (chunk_t)
+	 */
+	enumerator_t* (*create_enumerator)(nm_handler_t *this,
+									   configuration_attribute_type_t type);
+	/**
+	 * Reset state, flush all received attributes.
+	 */
+	void (*reset)(nm_handler_t *this);
+
+	/**
+	 * Destroy a nm_handler_t.
+	 */
+	void (*destroy)(nm_handler_t *this);
+};
+
+/**
+ * Create a nm_handler instance.
+ */
+nm_handler_t *nm_handler_create();
+
+#endif /** NM_HANDLER_H_ @}*/
diff --git a/src/libcharon/plugins/nm/nm_plugin.c b/src/libcharon/plugins/nm/nm_plugin.c
new file mode 100644
index 000000000..6087f6589
--- /dev/null
+++ b/src/libcharon/plugins/nm/nm_plugin.c
@@ -0,0 +1,130 @@
+/*
+ * Copyright (C) 2008-2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "nm_plugin.h"
+#include "nm_service.h"
+#include "nm_creds.h"
+#include "nm_handler.h"
+
+#include <hydra.h>
+#include <daemon.h>
+#include <processing/jobs/callback_job.h>
+
+#define CAP_DAC_OVERRIDE 1
+
+typedef struct private_nm_plugin_t private_nm_plugin_t;
+
+/**
+ * private data of nm plugin
+ */
+struct private_nm_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	nm_plugin_t public;
+
+	/**
+	 * NetworkManager service (VPNPlugin)
+	 */
+	NMStrongswanPlugin *plugin;
+
+	/**
+	 * Glib main loop for a thread, handles DBUS calls
+	 */
+	GMainLoop *loop;
+
+	/**
+	 * credential set registered at the daemon
+	 */
+	nm_creds_t *creds;
+
+	/**
+	 * attribute handler regeisterd at the daemon
+	 */
+	nm_handler_t *handler;
+};
+
+/**
+ * NM plugin processing routine, creates and handles NMVPNPlugin
+ */
+static job_requeue_t run(private_nm_plugin_t *this)
+{
+	this->loop = g_main_loop_new(NULL, FALSE);
+	g_main_loop_run(this->loop);
+	return JOB_REQUEUE_NONE;
+}
+
+/**
+ * Implementation of plugin_t.destroy
+ */
+static void destroy(private_nm_plugin_t *this)
+{
+	if (this->loop)
+	{
+		if (g_main_loop_is_running(this->loop))
+		{
+			g_main_loop_quit(this->loop);
+		}
+		g_main_loop_unref(this->loop);
+	}
+	if (this->plugin)
+	{
+		g_object_unref(this->plugin);
+	}
+	charon->credentials->remove_set(charon->credentials, &this->creds->set);
+	hydra->attributes->remove_handler(hydra->attributes, &this->handler->handler);
+	this->creds->destroy(this->creds);
+	this->handler->destroy(this->handler);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *nm_plugin_create()
+{
+	private_nm_plugin_t *this = malloc_thing(private_nm_plugin_t);
+
+	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+
+	this->loop = NULL;
+	g_type_init ();
+	if (!g_thread_supported())
+	{
+		g_thread_init(NULL);
+	}
+
+	this->creds = nm_creds_create();
+	this->handler = nm_handler_create();
+	hydra->attributes->add_handler(hydra->attributes, &this->handler->handler);
+	charon->credentials->add_set(charon->credentials, &this->creds->set);
+	this->plugin = nm_strongswan_plugin_new(this->creds, this->handler);
+	if (!this->plugin)
+	{
+		DBG1(DBG_CFG, "DBUS binding failed");
+		destroy(this);
+		return NULL;
+	}
+
+	/* bypass file permissions to read from users ssh-agent */
+	charon->keep_cap(charon, CAP_DAC_OVERRIDE);
+
+	charon->processor->queue_job(charon->processor,
+		 (job_t*)callback_job_create((callback_job_cb_t)run, this, NULL, NULL));
+
+	return &this->public.plugin;
+}
+
diff --git a/src/libcharon/plugins/nm/nm_plugin.h b/src/libcharon/plugins/nm/nm_plugin.h
new file mode 100644
index 000000000..b64b3edf6
--- /dev/null
+++ b/src/libcharon/plugins/nm/nm_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup nm nm
+ * @ingroup cplugins
+ *
+ * @defgroup nm_plugin nm_plugin
+ * @{ @ingroup nm
+ */
+
+#ifndef NM_PLUGIN_H_
+#define NM_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct nm_plugin_t nm_plugin_t;
+
+/**
+ * NetworkManager integration plugin.
+ */
+struct nm_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+#endif /** NM_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/nm/nm_service.c b/src/libcharon/plugins/nm/nm_service.c
new file mode 100644
index 000000000..cdf7dc962
--- /dev/null
+++ b/src/libcharon/plugins/nm/nm_service.c
@@ -0,0 +1,629 @@
+/*
+ * Copyright (C) 2008-2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <nm-setting-vpn.h>
+#include <nm-setting-connection.h>
+#include "nm_service.h"
+
+#include <daemon.h>
+#include <utils/host.h>
+#include <utils/identification.h>
+#include <config/peer_cfg.h>
+#include <credentials/certificates/x509.h>
+
+#include <stdio.h>
+
+G_DEFINE_TYPE(NMStrongswanPlugin, nm_strongswan_plugin, NM_TYPE_VPN_PLUGIN)
+
+/**
+ * Private data of NMStrongswanPlugin
+ */
+typedef struct {
+	/* implements bus listener interface */
+	listener_t listener;
+	/* IKE_SA we are listening on */
+	ike_sa_t *ike_sa;
+	/* backref to public plugin */
+	NMVPNPlugin *plugin;
+	/* credentials to use for authentication */
+	nm_creds_t *creds;
+	/* attribute handler for DNS/NBNS server information */
+	nm_handler_t *handler;
+	/* name of the connection */
+	char *name;
+} NMStrongswanPluginPrivate;
+
+#define NM_STRONGSWAN_PLUGIN_GET_PRIVATE(o) \
+			(G_TYPE_INSTANCE_GET_PRIVATE ((o), \
+				NM_TYPE_STRONGSWAN_PLUGIN, NMStrongswanPluginPrivate))
+
+/**
+ * convert enumerated handler chunks to a UINT_ARRAY GValue
+ */
+static GValue* handler_to_val(nm_handler_t *handler,
+							 configuration_attribute_type_t type)
+{
+	GValue *val;
+	GArray *array;
+	enumerator_t *enumerator;
+	chunk_t chunk;
+
+	enumerator = handler->create_enumerator(handler, type);
+	array = g_array_new (FALSE, TRUE, sizeof (guint32));
+	while (enumerator->enumerate(enumerator, &chunk))
+	{
+		g_array_append_val (array, *(u_int32_t*)chunk.ptr);
+	}
+	enumerator->destroy(enumerator);
+	val = g_slice_new0 (GValue);
+	g_value_init (val, DBUS_TYPE_G_UINT_ARRAY);
+	g_value_set_boxed (val, array);
+
+	return val;
+}
+
+/**
+ * signal IPv4 config to NM, set connection as established
+ */
+static void signal_ipv4_config(NMVPNPlugin *plugin,
+							   ike_sa_t *ike_sa, child_sa_t *child_sa)
+{
+	GValue *val;
+	GHashTable *config;
+	host_t *me, *other;
+	nm_handler_t *handler;
+
+	config = g_hash_table_new(g_str_hash, g_str_equal);
+	me = ike_sa->get_my_host(ike_sa);
+	other = ike_sa->get_other_host(ike_sa);
+	handler = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin)->handler;
+
+	/* NM requires a tundev, but netkey does not use one. Passing an invalid
+	 * iface makes NM complain, but it accepts it without fiddling on eth0. */
+	val = g_slice_new0 (GValue);
+	g_value_init (val, G_TYPE_STRING);
+	g_value_set_string (val, "none");
+	g_hash_table_insert (config, NM_VPN_PLUGIN_IP4_CONFIG_TUNDEV, val);
+
+	val = g_slice_new0(GValue);
+	g_value_init(val, G_TYPE_UINT);
+	g_value_set_uint(val, *(u_int32_t*)me->get_address(me).ptr);
+	g_hash_table_insert(config, NM_VPN_PLUGIN_IP4_CONFIG_ADDRESS, val);
+
+	val = g_slice_new0(GValue);
+	g_value_init(val, G_TYPE_UINT);
+	g_value_set_uint(val, me->get_address(me).len * 8);
+	g_hash_table_insert(config, NM_VPN_PLUGIN_IP4_CONFIG_PREFIX, val);
+
+	val = handler_to_val(handler, INTERNAL_IP4_DNS);
+	g_hash_table_insert(config, NM_VPN_PLUGIN_IP4_CONFIG_DNS, val);
+
+	val = handler_to_val(handler, INTERNAL_IP4_NBNS);
+	g_hash_table_insert(config, NM_VPN_PLUGIN_IP4_CONFIG_NBNS, val);
+
+	handler->reset(handler);
+
+	nm_vpn_plugin_set_ip4_config(plugin, config);
+}
+
+/**
+ * signal failure to NM, connecting failed
+ */
+static void signal_failure(NMVPNPlugin *plugin, NMVPNPluginFailure failure)
+{
+	nm_handler_t *handler = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin)->handler;
+
+	handler->reset(handler);
+
+	/* TODO: NM does not handle this failure!? */
+	nm_vpn_plugin_failure(plugin, failure);
+	nm_vpn_plugin_set_state(plugin, NM_VPN_SERVICE_STATE_STOPPED);
+}
+
+/**
+ * Implementation of listener_t.ike_state_change
+ */
+static bool ike_state_change(listener_t *listener, ike_sa_t *ike_sa,
+							 ike_sa_state_t state)
+{
+	NMStrongswanPluginPrivate *private = (NMStrongswanPluginPrivate*)listener;
+
+	if (private->ike_sa == ike_sa && state == IKE_DESTROYING)
+	{
+		signal_failure(private->plugin, NM_VPN_PLUGIN_FAILURE_LOGIN_FAILED);
+		return FALSE;
+	}
+	return TRUE;
+}
+
+/**
+ * Implementation of listener_t.child_state_change
+ */
+static bool child_state_change(listener_t *listener, ike_sa_t *ike_sa,
+							   child_sa_t *child_sa, child_sa_state_t state)
+{
+	NMStrongswanPluginPrivate *private = (NMStrongswanPluginPrivate*)listener;
+
+	if (private->ike_sa == ike_sa && state == CHILD_DESTROYING)
+	{
+		signal_failure(private->plugin, NM_VPN_PLUGIN_FAILURE_CONNECT_FAILED);
+		return FALSE;
+	}
+	return TRUE;
+}
+
+/**
+ * Implementation of listener_t.child_updown
+ */
+static bool child_updown(listener_t *listener, ike_sa_t *ike_sa,
+						 child_sa_t *child_sa, bool up)
+{
+	NMStrongswanPluginPrivate *private = (NMStrongswanPluginPrivate*)listener;
+
+	if (private->ike_sa == ike_sa)
+	{
+		if (up)
+		{	/* disable initiate-failure-detection hooks */
+			private->listener.ike_state_change = NULL;
+			private->listener.child_state_change = NULL;
+			signal_ipv4_config(private->plugin, ike_sa, child_sa);
+		}
+		else
+		{
+			signal_failure(private->plugin, NM_VPN_PLUGIN_FAILURE_CONNECT_FAILED);
+			return FALSE;
+		}
+	}
+	return TRUE;
+}
+
+/**
+ * Implementation of listener_t.ike_rekey
+ */
+static bool ike_rekey(listener_t *listener, ike_sa_t *old, ike_sa_t *new)
+{
+	NMStrongswanPluginPrivate *private = (NMStrongswanPluginPrivate*)listener;
+
+	if (private->ike_sa == old)
+	{	/* follow a rekeyed IKE_SA */
+		private->ike_sa = new;
+	}
+	return TRUE;
+}
+
+/**
+ * Connect function called from NM via DBUS
+ */
+static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
+						 GError **err)
+{
+	NMStrongswanPluginPrivate *priv;
+	NMSettingConnection *conn;
+	NMSettingVPN *vpn;
+	identification_t *user = NULL, *gateway = NULL;
+	const char *address, *str;
+	bool virtual, encap, ipcomp;
+	ike_cfg_t *ike_cfg;
+	peer_cfg_t *peer_cfg;
+	child_cfg_t *child_cfg;
+	traffic_selector_t *ts;
+	ike_sa_t *ike_sa;
+	auth_cfg_t *auth;
+	auth_class_t auth_class = AUTH_CLASS_EAP;
+	certificate_t *cert = NULL;
+	x509_t *x509;
+	bool agent = FALSE;
+	lifetime_cfg_t lifetime = {
+		.time = {
+			.life = 10800 /* 3h */,
+			.rekey = 10200 /* 2h50min */,
+			.jitter = 300 /* 5min */
+		}
+	};
+
+	/**
+	 * Read parameters
+	 */
+	priv = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin);
+	conn = NM_SETTING_CONNECTION(nm_connection_get_setting(connection,
+												NM_TYPE_SETTING_CONNECTION));
+	vpn = NM_SETTING_VPN(nm_connection_get_setting(connection,
+												NM_TYPE_SETTING_VPN));
+	if (priv->name)
+	{
+		free(priv->name);
+	}
+	priv->name = strdup(nm_setting_connection_get_id(conn));
+	DBG1(DBG_CFG, "received initiate for NetworkManager connection %s",
+		 priv->name);
+	DBG4(DBG_CFG, "%s",
+		 nm_setting_to_string(NM_SETTING(vpn)));
+	address = nm_setting_vpn_get_data_item(vpn, "address");
+	if (!address || !*address)
+	{
+		g_set_error(err, NM_VPN_PLUGIN_ERROR, NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
+					"Gateway address missing.");
+		return FALSE;
+	}
+	str = nm_setting_vpn_get_data_item(vpn, "virtual");
+	virtual = str && streq(str, "yes");
+	str = nm_setting_vpn_get_data_item(vpn, "encap");
+	encap = str && streq(str, "yes");
+	str = nm_setting_vpn_get_data_item(vpn, "ipcomp");
+	ipcomp = str && streq(str, "yes");
+	str = nm_setting_vpn_get_data_item(vpn, "method");
+	if (str)
+	{
+		if (streq(str, "psk"))
+		{
+			auth_class = AUTH_CLASS_PSK;
+		}
+		else if (streq(str, "agent"))
+		{
+			auth_class = AUTH_CLASS_PUBKEY;
+			agent = TRUE;
+		}
+		else if (streq(str, "key"))
+		{
+			auth_class = AUTH_CLASS_PUBKEY;
+		}
+	}
+
+	/**
+	 * Register credentials
+	 */
+	priv->creds->clear(priv->creds);
+
+	/* gateway/CA cert */
+	str = nm_setting_vpn_get_data_item(vpn, "certificate");
+	if (str)
+	{
+		cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+								  BUILD_FROM_FILE, str, BUILD_END);
+		if (!cert)
+		{
+			g_set_error(err, NM_VPN_PLUGIN_ERROR,
+						NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
+						"Loading gateway certificate failed.");
+			return FALSE;
+		}
+		priv->creds->add_certificate(priv->creds, cert);
+
+		x509 = (x509_t*)cert;
+		if (!(x509->get_flags(x509) & X509_CA))
+		{	/* For a gateway certificate, we use the cert subject as identity. */
+			gateway = cert->get_subject(cert);
+			gateway = gateway->clone(gateway);
+			DBG1(DBG_CFG, "using gateway certificate, identity '%Y'", gateway);
+		}
+	}
+	else
+	{
+		/* no certificate defined, fall back to system-wide CA certificates */
+		priv->creds->load_ca_dir(priv->creds, NM_CA_DIR);
+	}
+	if (!gateway)
+	{
+		/* If the user configured a CA certificate, we use the IP/DNS
+		 * of the gateway as its identity. This identity will be used for
+		 * certificate lookup and requires the configured IP/DNS to be
+		 * included in the gateway certificate. */
+		gateway = identification_create_from_string((char*)address);
+		DBG1(DBG_CFG, "using CA certificate, gateway identity '%Y'", gateway);
+	}
+
+	if (auth_class == AUTH_CLASS_EAP)
+	{
+		/* username/password authentication ... */
+		str = nm_setting_vpn_get_data_item(vpn, "user");
+		if (str)
+		{
+			user = identification_create_from_string((char*)str);
+			str = nm_setting_vpn_get_secret(vpn, "password");
+			priv->creds->set_username_password(priv->creds, user, (char*)str);
+		}
+	}
+
+	if (auth_class == AUTH_CLASS_PUBKEY)
+	{
+		/* ... or certificate/private key authenitcation */
+		str = nm_setting_vpn_get_data_item(vpn, "usercert");
+		if (str)
+		{
+			public_key_t *public;
+			private_key_t *private = NULL;
+
+			cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+									  BUILD_FROM_FILE, str, BUILD_END);
+			if (!cert)
+			{
+				g_set_error(err, NM_VPN_PLUGIN_ERROR,
+							NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
+							"Loading peer certificate failed.");
+				gateway->destroy(gateway);
+				return FALSE;
+			}
+			/* try agent */
+			str = nm_setting_vpn_get_secret(vpn, "agent");
+			if (agent && str)
+			{
+				public = cert->get_public_key(cert);
+				if (public)
+				{
+					private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY,
+												 public->get_type(public),
+												 BUILD_AGENT_SOCKET, str,
+												 BUILD_PUBLIC_KEY, public,
+												 BUILD_END);
+					public->destroy(public);
+				}
+				if (!private)
+				{
+					g_set_error(err, NM_VPN_PLUGIN_ERROR,
+								NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
+								"Connecting to SSH agent failed.");
+				}
+			}
+			/* ... or key file */
+			str = nm_setting_vpn_get_data_item(vpn, "userkey");
+			if (!agent && str)
+			{
+				chunk_t secret;
+
+				secret.ptr = (char*)nm_setting_vpn_get_secret(vpn, "password");
+				if (secret.ptr)
+				{
+					secret.len = strlen(secret.ptr);
+				}
+				private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY,
+								KEY_RSA, BUILD_FROM_FILE, str,
+								BUILD_PASSPHRASE, secret, BUILD_END);
+				if (!private)
+				{
+					g_set_error(err, NM_VPN_PLUGIN_ERROR,
+								NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
+								"Loading private key failed.");
+				}
+			}
+			if (private)
+			{
+				user = cert->get_subject(cert);
+				user = user->clone(user);
+				priv->creds->set_cert_and_key(priv->creds, cert, private);
+			}
+			else
+			{
+				DESTROY_IF(cert);
+				gateway->destroy(gateway);
+				return FALSE;
+			}
+		}
+	}
+
+	if (!user)
+	{
+		g_set_error(err, NM_VPN_PLUGIN_ERROR, NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
+					"Configuration parameters missing.");
+		gateway->destroy(gateway);
+		return FALSE;
+	}
+
+	/**
+	 * Set up configurations
+	 */
+	ike_cfg = ike_cfg_create(TRUE, encap,
+					"0.0.0.0", IKEV2_UDP_PORT, (char*)address, IKEV2_UDP_PORT);
+	ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
+	peer_cfg = peer_cfg_create(priv->name, 2, ike_cfg,
+					CERT_SEND_IF_ASKED, UNIQUE_REPLACE, 1, /* keyingtries */
+					36000, 0, /* rekey 10h, reauth none */
+					600, 600, /* jitter, over 10min */
+					TRUE, 0, /* mobike, DPD */
+					virtual ? host_create_from_string("0.0.0.0", 0) : NULL,
+					NULL, FALSE, NULL, NULL); /* pool, mediation */
+	auth = auth_cfg_create();
+	auth->add(auth, AUTH_RULE_AUTH_CLASS, auth_class);
+	auth->add(auth, AUTH_RULE_IDENTITY, user);
+	peer_cfg->add_auth_cfg(peer_cfg, auth, TRUE);
+	auth = auth_cfg_create();
+	auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
+	auth->add(auth, AUTH_RULE_IDENTITY, gateway);
+	peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);
+
+	child_cfg = child_cfg_create(priv->name, &lifetime,
+								 NULL, TRUE, MODE_TUNNEL, /* updown, hostaccess */
+								 ACTION_NONE, ACTION_NONE, ipcomp, 0);
+	child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
+	ts = traffic_selector_create_dynamic(0, 0, 65535);
+	child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
+	ts = traffic_selector_create_from_string(0, TS_IPV4_ADDR_RANGE,
+											 "0.0.0.0", 0,
+											 "255.255.255.255", 65535);
+	child_cfg->add_traffic_selector(child_cfg, FALSE, ts);
+	peer_cfg->add_child_cfg(peer_cfg, child_cfg);
+
+	/**
+	 * Prepare IKE_SA
+	 */
+	ike_sa = charon->ike_sa_manager->checkout_by_config(charon->ike_sa_manager,
+														peer_cfg);
+	if (!ike_sa->get_peer_cfg(ike_sa))
+	{
+		ike_sa->set_peer_cfg(ike_sa, peer_cfg);
+	}
+	peer_cfg->destroy(peer_cfg);
+
+	/**
+	 * Register listener, enable  initiate-failure-detection hooks
+	 */
+	priv->ike_sa = ike_sa;
+	priv->listener.ike_state_change = ike_state_change;
+	priv->listener.child_state_change = child_state_change;
+	charon->bus->add_listener(charon->bus, &priv->listener);
+
+	/**
+	 * Initiate
+	 */
+	if (ike_sa->initiate(ike_sa, child_cfg, 0, NULL, NULL) != SUCCESS)
+	{
+		charon->bus->remove_listener(charon->bus, &priv->listener);
+		charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, ike_sa);
+
+		g_set_error(err, NM_VPN_PLUGIN_ERROR, NM_VPN_PLUGIN_ERROR_LAUNCH_FAILED,
+					"Initiating failed.");
+		return FALSE;
+	}
+	charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+	return TRUE;
+}
+
+/**
+ * NeedSecrets called from NM via DBUS
+ */
+static gboolean need_secrets(NMVPNPlugin *plugin, NMConnection *connection,
+							 char **setting_name, GError **error)
+{
+	NMSettingVPN *settings;
+	const char *method, *path;
+
+	settings = NM_SETTING_VPN(nm_connection_get_setting(connection,
+														NM_TYPE_SETTING_VPN));
+	method = nm_setting_vpn_get_data_item(settings, "method");
+	if (method)
+	{
+		if (streq(method, "eap"))
+		{
+			if (nm_setting_vpn_get_secret(settings, "password"))
+			{
+				return FALSE;
+			}
+		}
+		else if (streq(method, "agent"))
+		{
+			if (nm_setting_vpn_get_secret(settings, "agent"))
+			{
+				return FALSE;
+			}
+		}
+		else if (streq(method, "key"))
+		{
+			path = nm_setting_vpn_get_data_item(settings, "userkey");
+			if (path)
+			{
+				private_key_t *key;
+				chunk_t secret;
+
+				secret.ptr = (char*)nm_setting_vpn_get_secret(settings, "password");
+				if (secret.ptr)
+				{
+					secret.len = strlen(secret.ptr);
+				}
+				/* try to load/decrypt the private key */
+				key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY,
+								KEY_RSA, BUILD_FROM_FILE, path,
+								BUILD_PASSPHRASE, secret, BUILD_END);
+				if (key)
+				{
+					key->destroy(key);
+					return FALSE;
+				}
+			}
+		}
+	}
+	*setting_name = NM_SETTING_VPN_SETTING_NAME;
+	return TRUE;
+}
+
+/**
+ * Disconnect called from NM via DBUS
+ */
+static gboolean disconnect(NMVPNPlugin *plugin, GError **err)
+{
+	NMStrongswanPluginPrivate *priv = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin);
+	enumerator_t *enumerator;
+	ike_sa_t *ike_sa;
+	u_int id;
+
+	/* our ike_sa pointer might be invalid, lookup sa */
+	enumerator = charon->controller->create_ike_sa_enumerator(charon->controller);
+	while (enumerator->enumerate(enumerator, &ike_sa))
+	{
+		if (priv->ike_sa == ike_sa)
+		{
+			id = ike_sa->get_unique_id(ike_sa);
+			enumerator->destroy(enumerator);
+			charon->controller->terminate_ike(charon->controller, id,
+											  controller_cb_empty, NULL);
+			return TRUE;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	g_set_error(err, NM_VPN_PLUGIN_ERROR, NM_VPN_PLUGIN_ERROR_GENERAL,
+				"Connection not found.");
+	return FALSE;
+}
+
+/**
+ * Initializer
+ */
+static void nm_strongswan_plugin_init(NMStrongswanPlugin *plugin)
+{
+	NMStrongswanPluginPrivate *priv;
+
+	priv = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin);
+	priv->plugin = NM_VPN_PLUGIN(plugin);
+	memset(&priv->listener.log, 0, sizeof(listener_t));
+	priv->listener.child_updown = child_updown;
+	priv->listener.ike_rekey = ike_rekey;
+}
+
+/**
+ * Class constructor
+ */
+static void nm_strongswan_plugin_class_init(
+									NMStrongswanPluginClass *strongswan_class)
+{
+	NMVPNPluginClass *parent_class = NM_VPN_PLUGIN_CLASS(strongswan_class);
+
+	g_type_class_add_private(G_OBJECT_CLASS(strongswan_class),
+							 sizeof(NMStrongswanPluginPrivate));
+	parent_class->connect = connect_;
+	parent_class->need_secrets = need_secrets;
+	parent_class->disconnect = disconnect;
+}
+
+/**
+ * Object constructor
+ */
+NMStrongswanPlugin *nm_strongswan_plugin_new(nm_creds_t *creds,
+											 nm_handler_t *handler)
+{
+	NMStrongswanPlugin *plugin = (NMStrongswanPlugin *)g_object_new (
+					NM_TYPE_STRONGSWAN_PLUGIN,
+					NM_VPN_PLUGIN_DBUS_SERVICE_NAME, NM_DBUS_SERVICE_STRONGSWAN,
+					NULL);
+	if (plugin)
+	{
+		NMStrongswanPluginPrivate *priv;
+
+		priv = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin);
+		priv->creds = creds;
+		priv->handler = handler;
+		priv->name = NULL;
+	}
+	return plugin;
+}
+
diff --git a/src/libcharon/plugins/nm/nm_service.h b/src/libcharon/plugins/nm/nm_service.h
new file mode 100644
index 000000000..b00000b6f
--- /dev/null
+++ b/src/libcharon/plugins/nm/nm_service.h
@@ -0,0 +1,55 @@
+/*
+ * Copyright (C) 2008-2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup nm_service nm_service
+ * @{ @ingroup nm
+ */
+
+#ifndef NM_SERVICE_H_
+#define NM_SERVICE_H_
+
+#include <glib/gtypes.h>
+#include <glib-object.h>
+#include <nm-vpn-plugin.h>
+
+#include "nm_creds.h"
+#include "nm_handler.h"
+
+#define NM_TYPE_STRONGSWAN_PLUGIN            (nm_strongswan_plugin_get_type ())
+#define NM_STRONGSWAN_PLUGIN(obj)            (G_TYPE_CHECK_INSTANCE_CAST ((obj), NM_TYPE_STRONGSWAN_PLUGIN, NMSTRONGSWANPlugin))
+#define NM_STRONGSWAN_PLUGIN_CLASS(klass)    (G_TYPE_CHECK_CLASS_CAST ((klass), NM_TYPE_STRONGSWAN_PLUGIN, NMSTRONGSWANPluginClass))
+#define NM_IS_STRONGSWAN_PLUGIN(obj)         (G_TYPE_CHECK_INSTANCE_TYPE ((obj), NM_TYPE_STRONGSWAN_PLUGIN))
+#define NM_IS_STRONGSWAN_PLUGIN_CLASS(klass) (G_TYPE_CHECK_CLASS_TYPE ((obj), NM_TYPE_STRONGSWAN_PLUGIN))
+#define NM_STRONGSWAN_PLUGIN_GET_CLASS(obj)  (G_TYPE_INSTANCE_GET_CLASS ((obj), NM_TYPE_STRONGSWAN_PLUGIN, NMSTRONGSWANPluginClass))
+
+#define NM_DBUS_SERVICE_STRONGSWAN    "org.freedesktop.NetworkManager.strongswan"
+#define NM_DBUS_INTERFACE_STRONGSWAN  "org.freedesktop.NetworkManager.strongswan"
+#define NM_DBUS_PATH_STRONGSWAN       "/org/freedesktop/NetworkManager/strongswan"
+
+typedef struct {
+	NMVPNPlugin parent;
+} NMStrongswanPlugin;
+
+typedef struct {
+	NMVPNPluginClass parent;
+} NMStrongswanPluginClass;
+
+GType nm_strongswan_plugin_get_type(void);
+
+NMStrongswanPlugin *nm_strongswan_plugin_new(nm_creds_t *creds,
+											 nm_handler_t *handler);
+
+#endif /** NM_SERVICE_H_ @}*/
diff --git a/src/libcharon/plugins/resolve/Makefile.am b/src/libcharon/plugins/resolve/Makefile.am
new file mode 100644
index 000000000..f8830d42e
--- /dev/null
+++ b/src/libcharon/plugins/resolve/Makefile.am
@@ -0,0 +1,18 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic \
+	-DRESOLV_CONF=\"${resolv_conf}\"
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-resolve.la
+else
+plugin_LTLIBRARIES = libstrongswan-resolve.la
+endif
+
+libstrongswan_resolve_la_SOURCES = \
+	resolve_plugin.h resolve_plugin.c \
+	resolve_handler.h resolve_handler.c
+
+libstrongswan_resolve_la_LDFLAGS = -module -avoid-version
diff --git a/src/libcharon/plugins/resolve/Makefile.in b/src/libcharon/plugins/resolve/Makefile.in
new file mode 100644
index 000000000..92ee85539
--- /dev/null
+++ b/src/libcharon/plugins/resolve/Makefile.in
@@ -0,0 +1,591 @@
+# Makefile.in generated by automake 1.11 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libcharon/plugins/resolve
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_resolve_la_LIBADD =
+am_libstrongswan_resolve_la_OBJECTS = resolve_plugin.lo \
+	resolve_handler.lo
+libstrongswan_resolve_la_OBJECTS =  \
+	$(am_libstrongswan_resolve_la_OBJECTS)
+libstrongswan_resolve_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_resolve_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_resolve_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_resolve_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_resolve_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_resolve_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libhydra_plugins = @libhydra_plugins@
+libstrongswan_plugins = @libstrongswan_plugins@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic \
+	-DRESOLV_CONF=\"${resolv_conf}\"
+
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-resolve.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-resolve.la
+libstrongswan_resolve_la_SOURCES = \
+	resolve_plugin.h resolve_plugin.c \
+	resolve_handler.h resolve_handler.c
+
+libstrongswan_resolve_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/resolve/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libcharon/plugins/resolve/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-resolve.la: $(libstrongswan_resolve_la_OBJECTS) $(libstrongswan_resolve_la_DEPENDENCIES) 
+	$(libstrongswan_resolve_la_LINK) $(am_libstrongswan_resolve_la_rpath) $(libstrongswan_resolve_la_OBJECTS) $(libstrongswan_resolve_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/resolve_handler.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/resolve_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libcharon/plugins/resolve/resolve_handler.c b/src/libcharon/plugins/resolve/resolve_handler.c
new file mode 100644
index 000000000..714c751a6
--- /dev/null
+++ b/src/libcharon/plugins/resolve/resolve_handler.c
@@ -0,0 +1,251 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "resolve_handler.h"
+
+#include <unistd.h>
+
+#include <daemon.h>
+#include <threading/mutex.h>
+
+typedef struct private_resolve_handler_t private_resolve_handler_t;
+
+/**
+ * Private data of an resolve_handler_t object.
+ */
+struct private_resolve_handler_t {
+
+	/**
+	 * Public resolve_handler_t interface.
+	 */
+	resolve_handler_t public;
+
+	/**
+	 * resolv.conf file to use
+	 */
+	char *file;
+
+	/**
+	 * Mutex to access file exclusively
+	 */
+	mutex_t *mutex;
+};
+
+/**
+ * Implementation of attribute_handler_t.handle
+ */
+static bool handle(private_resolve_handler_t *this, identification_t *server,
+				   configuration_attribute_type_t type, chunk_t data)
+{
+	FILE *in, *out;
+	char buf[1024];
+	host_t *addr;
+	size_t len;
+	bool handled = FALSE;
+
+	switch (type)
+	{
+		case INTERNAL_IP4_DNS:
+			addr = host_create_from_chunk(AF_INET, data, 0);
+			break;
+		case INTERNAL_IP6_DNS:
+			addr = host_create_from_chunk(AF_INET6, data, 0);
+			break;
+		default:
+			return FALSE;
+	}
+
+	if (!addr || addr->is_anyaddr(addr))
+	{
+		DESTROY_IF(addr);
+		return FALSE;
+	}
+	this->mutex->lock(this->mutex);
+
+	in = fopen(this->file, "r");
+	/* allows us to stream from in to out */
+	unlink(this->file);
+	out = fopen(this->file, "w");
+	if (out)
+	{
+		fprintf(out, "nameserver %H   # by strongSwan, from %Y\n", addr, server);
+		DBG1(DBG_IKE, "installing DNS server %H to %s", addr, this->file);
+		handled = TRUE;
+
+		/* copy rest of the file */
+		if (in)
+		{
+			while ((len = fread(buf, 1, sizeof(buf), in)))
+			{
+				ignore_result(fwrite(buf, 1, len, out));
+			}
+		}
+		fclose(out);
+	}
+	if (in)
+	{
+		fclose(in);
+	}
+	this->mutex->unlock(this->mutex);
+	addr->destroy(addr);
+
+	if (!handled)
+	{
+		DBG1(DBG_IKE, "adding DNS server failed", this->file);
+	}
+	return handled;
+}
+
+/**
+ * Implementation of attribute_handler_t.release
+ */
+static void release(private_resolve_handler_t *this, identification_t *server,
+					configuration_attribute_type_t type, chunk_t data)
+{
+	FILE *in, *out;
+	char line[1024], matcher[512], *pos;
+	host_t *addr;
+	int family;
+
+	switch (type)
+	{
+		case INTERNAL_IP4_DNS:
+			family = AF_INET;
+			break;
+		case INTERNAL_IP6_DNS:
+			family = AF_INET6;
+			break;
+		default:
+			return;
+	}
+
+	this->mutex->lock(this->mutex);
+
+	in = fopen(this->file, "r");
+	if (in)
+	{
+		/* allows us to stream from in to out */
+		unlink(this->file);
+		out = fopen(this->file, "w");
+		if (out)
+		{
+			addr = host_create_from_chunk(family, data, 0);
+			snprintf(matcher, sizeof(matcher),
+					 "nameserver %H   # by strongSwan, from %Y\n",
+					 addr, server);
+
+			/* copy all, but matching line */
+			while ((pos = fgets(line, sizeof(line), in)))
+			{
+				if (strneq(line, matcher, strlen(matcher)))
+				{
+					DBG1(DBG_IKE, "removing DNS server %H from %s",
+						 addr, this->file);
+				}
+				else
+				{
+					fputs(line, out);
+				}
+			}
+			addr->destroy(addr);
+			fclose(out);
+		}
+		fclose(in);
+	}
+
+	this->mutex->unlock(this->mutex);
+}
+
+/**
+ * Attribute enumerator implementation
+ */
+typedef struct {
+	/** implements enumerator_t interface */
+	enumerator_t public;
+	/** virtual IP we are requesting */
+	host_t *vip;
+} attribute_enumerator_t;
+
+/**
+ * Implementation of create_attribute_enumerator().enumerate()
+ */
+static bool attribute_enumerate(attribute_enumerator_t *this,
+						configuration_attribute_type_t *type, chunk_t *data)
+{
+	switch (this->vip->get_family(this->vip))
+	{
+		case AF_INET:
+			*type = INTERNAL_IP4_DNS;
+			break;
+		case AF_INET6:
+			*type = INTERNAL_IP6_DNS;
+			break;
+		default:
+			return FALSE;
+	}
+	*data = chunk_empty;
+	/* enumerate only once */
+	this->public.enumerate = (void*)return_false;
+	return TRUE;
+}
+
+/**
+ * Implementation of attribute_handler_t.create_attribute_enumerator
+ */
+static enumerator_t* create_attribute_enumerator(private_resolve_handler_t *this,
+										identification_t *server, host_t *vip)
+{
+	if (vip)
+	{
+		attribute_enumerator_t *enumerator;
+
+		enumerator = malloc_thing(attribute_enumerator_t);
+		enumerator->public.enumerate = (void*)attribute_enumerate;
+		enumerator->public.destroy = (void*)free;
+		enumerator->vip = vip;
+
+		return &enumerator->public;
+	}
+	return enumerator_create_empty();
+}
+
+/**
+ * Implementation of resolve_handler_t.destroy.
+ */
+static void destroy(private_resolve_handler_t *this)
+{
+	this->mutex->destroy(this->mutex);
+	free(this);
+}
+
+/**
+ * See header
+ */
+resolve_handler_t *resolve_handler_create()
+{
+	private_resolve_handler_t *this = malloc_thing(private_resolve_handler_t);
+
+	this->public.handler.handle = (bool(*)(attribute_handler_t*, identification_t*, configuration_attribute_type_t, chunk_t))handle;
+	this->public.handler.release = (void(*)(attribute_handler_t*, identification_t*, configuration_attribute_type_t, chunk_t))release;
+	this->public.handler.create_attribute_enumerator = (enumerator_t*(*)(attribute_handler_t*, identification_t *server, host_t *vip))create_attribute_enumerator;
+	this->public.destroy = (void(*)(resolve_handler_t*))destroy;
+
+	this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
+	this->file = lib->settings->get_str(lib->settings,
+								"charon.plugins.resolve.file", RESOLV_CONF);
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/plugins/resolve/resolve_handler.h b/src/libcharon/plugins/resolve/resolve_handler.h
new file mode 100644
index 000000000..77bf9781c
--- /dev/null
+++ b/src/libcharon/plugins/resolve/resolve_handler.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup resolve_handler resolve_handler
+ * @{ @ingroup resolve
+ */
+
+#ifndef RESOLVE_HANDLER_H_
+#define RESOLVE_HANDLER_H_
+
+#include <attributes/attribute_handler.h>
+
+typedef struct resolve_handler_t resolve_handler_t;
+
+/**
+ * Handle DNS configuration attributes by mangling a resolv.conf file.
+ */
+struct resolve_handler_t {
+
+	/**
+	 * Implements the attribute_handler_t interface
+	 */
+	attribute_handler_t handler;
+
+	/**
+	 * Destroy a resolve_handler_t.
+	 */
+	void (*destroy)(resolve_handler_t *this);
+};
+
+/**
+ * Create a resolve_handler instance.
+ */
+resolve_handler_t *resolve_handler_create();
+
+#endif /** RESOLVE_HANDLER_H_ @}*/
diff --git a/src/libcharon/plugins/resolve/resolve_plugin.c b/src/libcharon/plugins/resolve/resolve_plugin.c
new file mode 100644
index 000000000..502129593
--- /dev/null
+++ b/src/libcharon/plugins/resolve/resolve_plugin.c
@@ -0,0 +1,62 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "resolve_plugin.h"
+#include "resolve_handler.h"
+
+#include <hydra.h>
+
+typedef struct private_resolve_plugin_t private_resolve_plugin_t;
+
+/**
+ * private data of resolve plugin
+ */
+struct private_resolve_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	resolve_plugin_t public;
+
+	/**
+	 * The registerd DNS attribute handler
+	 */
+	resolve_handler_t *handler;
+};
+
+/**
+ * Implementation of plugin_t.destroy
+ */
+static void destroy(private_resolve_plugin_t *this)
+{
+	hydra->attributes->remove_handler(hydra->attributes, &this->handler->handler);
+	this->handler->destroy(this->handler);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *resolve_plugin_create()
+{
+	private_resolve_plugin_t *this = malloc_thing(private_resolve_plugin_t);
+
+	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+	this->handler = resolve_handler_create();
+	hydra->attributes->add_handler(hydra->attributes, &this->handler->handler);
+
+	return &this->public.plugin;
+}
+
diff --git a/src/libcharon/plugins/resolve/resolve_plugin.h b/src/libcharon/plugins/resolve/resolve_plugin.h
new file mode 100644
index 000000000..0148b10d7
--- /dev/null
+++ b/src/libcharon/plugins/resolve/resolve_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup resolve resolve
+ * @ingroup cplugins
+ *
+ * @defgroup resolve_plugin resolve_plugin
+ * @{ @ingroup resolve
+ */
+
+#ifndef RESOLVE_PLUGIN_H_
+#define RESOLVE_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct resolve_plugin_t resolve_plugin_t;
+
+/**
+ * Plugin that writes received DNS servers in a resolv.conf file.
+ */
+struct resolve_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+#endif /** RESOLVE_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/smp/Makefile.am b/src/libcharon/plugins/smp/Makefile.am
new file mode 100644
index 000000000..f17235835
--- /dev/null
+++ b/src/libcharon/plugins/smp/Makefile.am
@@ -0,0 +1,17 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon ${xml_CFLAGS}
+
+AM_CFLAGS = -rdynamic -DIPSEC_PIDDIR=\"${piddir}\"
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-smp.la
+else
+plugin_LTLIBRARIES = libstrongswan-smp.la
+endif
+
+libstrongswan_smp_la_SOURCES = \
+	smp.h smp.c
+
+libstrongswan_smp_la_LDFLAGS = -module -avoid-version
+libstrongswan_smp_la_LIBADD  = ${xml_LIBS}
diff --git a/src/libcharon/plugins/smp/Makefile.in b/src/libcharon/plugins/smp/Makefile.in
new file mode 100644
index 000000000..b88283f38
--- /dev/null
+++ b/src/libcharon/plugins/smp/Makefile.in
@@ -0,0 +1,586 @@
+# Makefile.in generated by automake 1.11 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libcharon/plugins/smp
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+am__DEPENDENCIES_1 =
+libstrongswan_smp_la_DEPENDENCIES = $(am__DEPENDENCIES_1)
+am_libstrongswan_smp_la_OBJECTS = smp.lo
+libstrongswan_smp_la_OBJECTS = $(am_libstrongswan_smp_la_OBJECTS)
+libstrongswan_smp_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_smp_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_smp_la_rpath = -rpath $(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_smp_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_smp_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_smp_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libhydra_plugins = @libhydra_plugins@
+libstrongswan_plugins = @libstrongswan_plugins@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon ${xml_CFLAGS}
+
+AM_CFLAGS = -rdynamic -DIPSEC_PIDDIR=\"${piddir}\"
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-smp.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-smp.la
+libstrongswan_smp_la_SOURCES = \
+	smp.h smp.c
+
+libstrongswan_smp_la_LDFLAGS = -module -avoid-version
+libstrongswan_smp_la_LIBADD = ${xml_LIBS}
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/smp/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libcharon/plugins/smp/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-smp.la: $(libstrongswan_smp_la_OBJECTS) $(libstrongswan_smp_la_DEPENDENCIES) 
+	$(libstrongswan_smp_la_LINK) $(am_libstrongswan_smp_la_rpath) $(libstrongswan_smp_la_OBJECTS) $(libstrongswan_smp_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/smp.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libcharon/plugins/smp/smp.c b/src/libcharon/plugins/smp/smp.c
new file mode 100644
index 000000000..64820eb45
--- /dev/null
+++ b/src/libcharon/plugins/smp/smp.c
@@ -0,0 +1,768 @@
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <stdlib.h>
+
+#include "smp.h"
+
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/socket.h>
+#include <sys/un.h>
+#include <unistd.h>
+#include <errno.h>
+#include <signal.h>
+#include <libxml/xmlreader.h>
+#include <libxml/xmlwriter.h>
+
+#include <library.h>
+#include <daemon.h>
+#include <threading/thread.h>
+#include <processing/jobs/callback_job.h>
+
+
+typedef struct private_smp_t private_smp_t;
+
+/**
+ * Private data of an smp_t object.
+ */
+struct private_smp_t {
+
+	/**
+	 * Public part of smp_t object.
+	 */
+	smp_t public;
+
+	/**
+	 * XML unix socket fd
+	 */
+	int socket;
+
+	/**
+	 * job accepting stroke messages
+	 */
+	callback_job_t *job;
+};
+
+ENUM(ike_sa_state_lower_names, IKE_CREATED, IKE_DELETING,
+	"created",
+	"connecting",
+	"established",
+	"rekeying",
+	"deleting",
+);
+
+/**
+ * write a bool into element
+ */
+static void write_bool(xmlTextWriterPtr writer, char *element, bool val)
+{
+	xmlTextWriterWriteElement(writer, element, val ? "true" : "false");
+}
+
+/**
+ * write a identification_t into element
+ */
+static void write_id(xmlTextWriterPtr writer, char *element, identification_t *id)
+{
+	xmlTextWriterStartElement(writer, element);
+	switch (id->get_type(id))
+	{
+		{
+			char *type = "";
+			while (TRUE)
+			{
+				case ID_ANY:
+					type = "any";
+					break;
+				case ID_IPV4_ADDR:
+					type = "ipv4";
+					break;
+				case ID_IPV6_ADDR:
+					type = "ipv6";
+					break;
+				case ID_FQDN:
+					type = "fqdn";
+					break;
+				case ID_RFC822_ADDR:
+					type = "email";
+					break;
+				case ID_DER_ASN1_DN:
+					type = "asn1dn";
+					break;
+				case ID_DER_ASN1_GN:
+					type = "asn1gn";
+					break;
+			}
+			xmlTextWriterWriteAttribute(writer, "type", type);
+			xmlTextWriterWriteFormatString(writer, "%Y", id);
+			break;
+		}
+		default:
+			/* TODO: base64 keyid */
+			xmlTextWriterWriteAttribute(writer, "type", "keyid");
+			break;
+	}
+	xmlTextWriterEndElement(writer);
+}
+
+/**
+ * write a host_t address into an element
+ */
+static void write_address(xmlTextWriterPtr writer, char *element, host_t *host)
+{
+	xmlTextWriterStartElement(writer, element);
+	xmlTextWriterWriteAttribute(writer, "type",
+						host->get_family(host) == AF_INET ? "ipv4" : "ipv6");
+	if (host->is_anyaddr(host))
+	{	/* do not use %any for XML */
+		xmlTextWriterWriteFormatString(writer, "%s",
+						host->get_family(host) == AF_INET ? "0.0.0.0" : "::");
+	}
+	else
+	{
+		xmlTextWriterWriteFormatString(writer, "%H", host);
+	}
+	xmlTextWriterEndElement(writer);
+}
+
+/**
+ * write networks element
+ */
+static void write_networks(xmlTextWriterPtr writer, char *element,
+						   linked_list_t *list)
+{
+	enumerator_t *enumerator;
+	traffic_selector_t *ts;
+
+	xmlTextWriterStartElement(writer, element);
+	enumerator = list->create_enumerator(list);
+	while (enumerator->enumerate(enumerator, (void**)&ts))
+	{
+		xmlTextWriterStartElement(writer, "network");
+		xmlTextWriterWriteAttribute(writer, "type",
+						ts->get_type(ts) == TS_IPV4_ADDR_RANGE ? "ipv4" : "ipv6");
+		xmlTextWriterWriteFormatString(writer, "%R", ts);
+		xmlTextWriterEndElement(writer);
+	}
+	enumerator->destroy(enumerator);
+	xmlTextWriterEndElement(writer);
+}
+
+/**
+ * write a childEnd
+ */
+static void write_childend(xmlTextWriterPtr writer, child_sa_t *child, bool local)
+{
+	linked_list_t *list;
+
+	xmlTextWriterWriteFormatElement(writer, "spi", "%lx",
+									htonl(child->get_spi(child, local)));
+	list = child->get_traffic_selectors(child, local);
+	write_networks(writer, "networks", list);
+}
+
+/**
+ * write a child_sa_t
+ */
+static void write_child(xmlTextWriterPtr writer, child_sa_t *child)
+{
+	child_cfg_t *config;
+
+	config = child->get_config(child);
+
+	xmlTextWriterStartElement(writer, "childsa");
+	xmlTextWriterWriteFormatElement(writer, "reqid", "%d",
+									child->get_reqid(child));
+	xmlTextWriterWriteFormatElement(writer, "childconfig", "%s",
+									config->get_name(config));
+	xmlTextWriterStartElement(writer, "local");
+	write_childend(writer, child, TRUE);
+	xmlTextWriterEndElement(writer);
+	xmlTextWriterStartElement(writer, "remote");
+	write_childend(writer, child, FALSE);
+	xmlTextWriterEndElement(writer);
+	xmlTextWriterEndElement(writer);
+}
+
+/**
+ * process a ikesalist query request message
+ */
+static void request_query_ikesa(xmlTextReaderPtr reader, xmlTextWriterPtr writer)
+{
+	enumerator_t *enumerator;
+	ike_sa_t *ike_sa;
+
+	/* <ikesalist> */
+	xmlTextWriterStartElement(writer, "ikesalist");
+
+	enumerator = charon->controller->create_ike_sa_enumerator(charon->controller);
+	while (enumerator->enumerate(enumerator, &ike_sa))
+	{
+		ike_sa_id_t *id;
+		host_t *local, *remote;
+		iterator_t *children;
+		child_sa_t *child_sa;
+
+		id = ike_sa->get_id(ike_sa);
+
+		xmlTextWriterStartElement(writer, "ikesa");
+		xmlTextWriterWriteFormatElement(writer, "id", "%d",
+							ike_sa->get_unique_id(ike_sa));
+		xmlTextWriterWriteFormatElement(writer, "status", "%N",
+							ike_sa_state_lower_names, ike_sa->get_state(ike_sa));
+		xmlTextWriterWriteElement(writer, "role",
+							id->is_initiator(id) ? "initiator" : "responder");
+		xmlTextWriterWriteElement(writer, "peerconfig", ike_sa->get_name(ike_sa));
+
+		/* <local> */
+		local = ike_sa->get_my_host(ike_sa);
+		xmlTextWriterStartElement(writer, "local");
+		xmlTextWriterWriteFormatElement(writer, "spi", "%.16llx",
+							id->is_initiator(id) ? id->get_initiator_spi(id)
+												 : id->get_responder_spi(id));
+		write_id(writer, "identification", ike_sa->get_my_id(ike_sa));
+		write_address(writer, "address", local);
+		xmlTextWriterWriteFormatElement(writer, "port", "%d",
+							local->get_port(local));
+		if (ike_sa->supports_extension(ike_sa, EXT_NATT))
+		{
+			write_bool(writer, "nat", ike_sa->has_condition(ike_sa, COND_NAT_HERE));
+		}
+		xmlTextWriterEndElement(writer);
+		/* </local> */
+
+		/* <remote> */
+		remote = ike_sa->get_other_host(ike_sa);
+		xmlTextWriterStartElement(writer, "remote");
+		xmlTextWriterWriteFormatElement(writer, "spi", "%.16llx",
+							id->is_initiator(id) ? id->get_responder_spi(id)
+												 : id->get_initiator_spi(id));
+		write_id(writer, "identification", ike_sa->get_other_id(ike_sa));
+		write_address(writer, "address", remote);
+		xmlTextWriterWriteFormatElement(writer, "port", "%d",
+							remote->get_port(remote));
+		if (ike_sa->supports_extension(ike_sa, EXT_NATT))
+		{
+			write_bool(writer, "nat", ike_sa->has_condition(ike_sa, COND_NAT_THERE));
+		}
+		xmlTextWriterEndElement(writer);
+		/* </remote> */
+
+		/* <childsalist> */
+		xmlTextWriterStartElement(writer, "childsalist");
+		children = ike_sa->create_child_sa_iterator(ike_sa);
+		while (children->iterate(children, (void**)&child_sa))
+		{
+			write_child(writer, child_sa);
+		}
+		children->destroy(children);
+		/* </childsalist> */
+		xmlTextWriterEndElement(writer);
+
+		/* </ikesa> */
+		xmlTextWriterEndElement(writer);
+	}
+	enumerator->destroy(enumerator);
+
+	/* </ikesalist> */
+	xmlTextWriterEndElement(writer);
+}
+
+/**
+ * process a configlist query request message
+ */
+static void request_query_config(xmlTextReaderPtr reader, xmlTextWriterPtr writer)
+{
+	enumerator_t *enumerator;
+	peer_cfg_t *peer_cfg;
+
+	/* <configlist> */
+	xmlTextWriterStartElement(writer, "configlist");
+
+	enumerator = charon->backends->create_peer_cfg_enumerator(charon->backends,
+														NULL, NULL, NULL, NULL);
+	while (enumerator->enumerate(enumerator, &peer_cfg))
+	{
+		enumerator_t *children;
+		child_cfg_t *child_cfg;
+		ike_cfg_t *ike_cfg;
+		linked_list_t *list;
+
+		if (peer_cfg->get_ike_version(peer_cfg) != 2)
+		{	/* only IKEv2 connections yet */
+			continue;
+		}
+
+		/* <peerconfig> */
+		xmlTextWriterStartElement(writer, "peerconfig");
+		xmlTextWriterWriteElement(writer, "name", peer_cfg->get_name(peer_cfg));
+
+		/* TODO: write auth_cfgs */
+
+		/* <ikeconfig> */
+		ike_cfg = peer_cfg->get_ike_cfg(peer_cfg);
+		xmlTextWriterStartElement(writer, "ikeconfig");
+		xmlTextWriterWriteElement(writer, "local", ike_cfg->get_my_addr(ike_cfg));
+		xmlTextWriterWriteElement(writer, "remote", ike_cfg->get_other_addr(ike_cfg));
+		xmlTextWriterEndElement(writer);
+		/* </ikeconfig> */
+
+		/* <childconfiglist> */
+		xmlTextWriterStartElement(writer, "childconfiglist");
+		children = peer_cfg->create_child_cfg_enumerator(peer_cfg);
+		while (children->enumerate(children, &child_cfg))
+		{
+			/* <childconfig> */
+			xmlTextWriterStartElement(writer, "childconfig");
+			xmlTextWriterWriteElement(writer, "name",
+									  child_cfg->get_name(child_cfg));
+			list = child_cfg->get_traffic_selectors(child_cfg, TRUE, NULL, NULL);
+			write_networks(writer, "local", list);
+			list->destroy_offset(list, offsetof(traffic_selector_t, destroy));
+			list = child_cfg->get_traffic_selectors(child_cfg, FALSE, NULL, NULL);
+			write_networks(writer, "remote", list);
+			list->destroy_offset(list, offsetof(traffic_selector_t, destroy));
+			xmlTextWriterEndElement(writer);
+			/* </childconfig> */
+		}
+		children->destroy(children);
+		/* </childconfiglist> */
+		xmlTextWriterEndElement(writer);
+		/* </peerconfig> */
+		xmlTextWriterEndElement(writer);
+	}
+	enumerator->destroy(enumerator);
+	/* </configlist> */
+	xmlTextWriterEndElement(writer);
+}
+
+/**
+ * callback which logs to a XML writer
+ */
+static bool xml_callback(xmlTextWriterPtr writer, debug_t group, level_t level,
+						 ike_sa_t* ike_sa, char* format, va_list args)
+{
+	if (level <= 1)
+	{
+		/* <item> */
+		xmlTextWriterStartElement(writer, "item");
+		xmlTextWriterWriteFormatAttribute(writer, "level", "%d", level);
+		xmlTextWriterWriteFormatAttribute(writer, "source", "%N", debug_names, group);
+		xmlTextWriterWriteFormatAttribute(writer, "thread", "%u", thread_current_id());
+		xmlTextWriterWriteVFormatString(writer, format, args);
+		xmlTextWriterEndElement(writer);
+		/* </item> */
+	}
+	return TRUE;
+}
+
+/**
+ * process a *terminate control request message
+ */
+static void request_control_terminate(xmlTextReaderPtr reader,
+									  xmlTextWriterPtr writer, bool ike)
+{
+	if (xmlTextReaderRead(reader) &&
+		xmlTextReaderNodeType(reader) == XML_READER_TYPE_TEXT)
+	{
+		const char *str;
+		u_int32_t id;
+		status_t status;
+
+		str = xmlTextReaderConstValue(reader);
+		if (str == NULL)
+		{
+			DBG1(DBG_CFG, "error parsing XML id string");
+			return;
+		}
+		id = atoi(str);
+		if (!id)
+		{
+			enumerator_t *enumerator;
+			ike_sa_t *ike_sa;
+
+			enumerator = charon->controller->create_ike_sa_enumerator(charon->controller);
+			while (enumerator->enumerate(enumerator, &ike_sa))
+			{
+				if (streq(str, ike_sa->get_name(ike_sa)))
+				{
+					ike = TRUE;
+					id = ike_sa->get_unique_id(ike_sa);
+					break;
+				}
+			}
+			enumerator->destroy(enumerator);
+		}
+		if (!id)
+		{
+			DBG1(DBG_CFG, "error parsing XML id string");
+			return;
+		}
+
+		DBG1(DBG_CFG, "terminating %s_SA %d", ike ? "IKE" : "CHILD", id);
+
+		/* <log> */
+		xmlTextWriterStartElement(writer, "log");
+		if (ike)
+		{
+			status = charon->controller->terminate_ike(
+					charon->controller,	id,
+					(controller_cb_t)xml_callback, writer);
+		}
+		else
+		{
+			status = charon->controller->terminate_child(
+					charon->controller,	id,
+					(controller_cb_t)xml_callback, writer);
+		}
+		/* </log> */
+		xmlTextWriterEndElement(writer);
+		xmlTextWriterWriteFormatElement(writer, "status", "%d", status);
+	}
+}
+
+/**
+ * process a *initiate control request message
+ */
+static void request_control_initiate(xmlTextReaderPtr reader,
+									  xmlTextWriterPtr writer, bool ike)
+{
+	if (xmlTextReaderRead(reader) &&
+		xmlTextReaderNodeType(reader) == XML_READER_TYPE_TEXT)
+	{
+		const char *str;
+		status_t status = FAILED;
+		peer_cfg_t *peer;
+		child_cfg_t *child = NULL;
+		enumerator_t *enumerator;
+
+		str = xmlTextReaderConstValue(reader);
+		if (str == NULL)
+		{
+			DBG1(DBG_CFG, "error parsing XML config name string");
+			return;
+		}
+		DBG1(DBG_CFG, "initiating %s_SA %s", ike ? "IKE" : "CHILD", str);
+
+		/* <log> */
+		xmlTextWriterStartElement(writer, "log");
+		peer = charon->backends->get_peer_cfg_by_name(charon->backends, (char*)str);
+		if (peer)
+		{
+			enumerator = peer->create_child_cfg_enumerator(peer);
+			if (ike)
+			{
+				if (!enumerator->enumerate(enumerator, &child))
+				{
+					child = NULL;
+				}
+				child->get_ref(child);
+			}
+			else
+			{
+				while (enumerator->enumerate(enumerator, &child))
+				{
+					if (streq(child->get_name(child), str))
+					{
+						child->get_ref(child);
+						break;
+					}
+					child = NULL;
+				}
+			}
+			enumerator->destroy(enumerator);
+			if (child)
+			{
+				status = charon->controller->initiate(charon->controller,
+							peer, child, (controller_cb_t)xml_callback,
+							writer);
+			}
+			else
+			{
+				peer->destroy(peer);
+			}
+		}
+		/* </log> */
+		xmlTextWriterEndElement(writer);
+		xmlTextWriterWriteFormatElement(writer, "status", "%d", status);
+	}
+}
+
+/**
+ * process a query request
+ */
+static void request_query(xmlTextReaderPtr reader, xmlTextWriterPtr writer)
+{
+	/* <query> */
+	xmlTextWriterStartElement(writer, "query");
+	while (xmlTextReaderRead(reader))
+	{
+		if (xmlTextReaderNodeType(reader) == XML_READER_TYPE_ELEMENT)
+		{
+			if (streq(xmlTextReaderConstName(reader), "ikesalist"))
+			{
+				request_query_ikesa(reader, writer);
+				break;
+			}
+			if (streq(xmlTextReaderConstName(reader), "configlist"))
+			{
+				request_query_config(reader, writer);
+				break;
+			}
+		}
+	}
+	/* </query> */
+	xmlTextWriterEndElement(writer);
+}
+
+/**
+ * process a control request
+ */
+static void request_control(xmlTextReaderPtr reader, xmlTextWriterPtr writer)
+{
+	/* <control> */
+	xmlTextWriterStartElement(writer, "control");
+	while (xmlTextReaderRead(reader))
+	{
+		if (xmlTextReaderNodeType(reader) == XML_READER_TYPE_ELEMENT)
+		{
+			if (streq(xmlTextReaderConstName(reader), "ikesaterminate"))
+			{
+				request_control_terminate(reader, writer, TRUE);
+				break;
+			}
+			if (streq(xmlTextReaderConstName(reader), "childsaterminate"))
+			{
+				request_control_terminate(reader, writer, FALSE);
+				break;
+			}
+			if (streq(xmlTextReaderConstName(reader), "ikesainitiate"))
+			{
+				request_control_initiate(reader, writer, TRUE);
+				break;
+			}
+			if (streq(xmlTextReaderConstName(reader), "childsainitiate"))
+			{
+				request_control_initiate(reader, writer, FALSE);
+				break;
+			}
+		}
+	}
+	/* </control> */
+	xmlTextWriterEndElement(writer);
+}
+
+/**
+ * process a request message
+ */
+static void request(xmlTextReaderPtr reader, char *id, int fd)
+{
+	xmlTextWriterPtr writer;
+
+	writer = xmlNewTextWriter(xmlOutputBufferCreateFd(fd, NULL));
+	if (writer == NULL)
+	{
+		DBG1(DBG_CFG, "opening SMP XML writer failed");
+		return;
+	}
+
+	xmlTextWriterStartDocument(writer, NULL, NULL, NULL);
+	/* <message xmlns="http://www.strongswan.org/smp/1.0"
+		id="id" type="response"> */
+	xmlTextWriterStartElement(writer, "message");
+	xmlTextWriterWriteAttribute(writer, "xmlns",
+								"http://www.strongswan.org/smp/1.0");
+	xmlTextWriterWriteAttribute(writer, "id", id);
+	xmlTextWriterWriteAttribute(writer, "type", "response");
+
+	while (xmlTextReaderRead(reader))
+	{
+		if (xmlTextReaderNodeType(reader) == XML_READER_TYPE_ELEMENT)
+		{
+			if (streq(xmlTextReaderConstName(reader), "query"))
+			{
+				request_query(reader, writer);
+				break;
+			}
+			if (streq(xmlTextReaderConstName(reader), "control"))
+			{
+				request_control(reader, writer);
+				break;
+			}
+		}
+	}
+	/*   </message> and close document */
+	xmlTextWriterEndDocument(writer);
+	xmlFreeTextWriter(writer);
+}
+
+/**
+ * cleanup helper function for open file descriptors
+ */
+static void closefdp(int *fd)
+{
+	close(*fd);
+}
+
+/**
+ * read from a opened connection and process it
+ */
+static job_requeue_t process(int *fdp)
+{
+	int fd = *fdp;
+	bool oldstate;
+	char buffer[4096];
+	size_t len;
+	xmlTextReaderPtr reader;
+	char *id = NULL, *type = NULL;
+
+	thread_cleanup_push((thread_cleanup_t)closefdp, (void*)&fd);
+	oldstate = thread_cancelability(TRUE);
+	len = read(fd, buffer, sizeof(buffer));
+	thread_cancelability(oldstate);
+	thread_cleanup_pop(FALSE);
+	if (len <= 0)
+	{
+		close(fd);
+		DBG2(DBG_CFG, "SMP XML connection closed");
+		return JOB_REQUEUE_NONE;
+	}
+	DBG3(DBG_CFG, "got XML request: %b", buffer, len);
+
+	reader = xmlReaderForMemory(buffer, len, NULL, NULL, 0);
+	if (reader == NULL)
+	{
+		DBG1(DBG_CFG, "opening SMP XML reader failed");
+		return JOB_REQUEUE_FAIR;;
+	}
+
+	/* read message type and id */
+	while (xmlTextReaderRead(reader))
+	{
+		if (xmlTextReaderNodeType(reader) == XML_READER_TYPE_ELEMENT &&
+			streq(xmlTextReaderConstName(reader), "message"))
+		{
+			id = xmlTextReaderGetAttribute(reader, "id");
+			type = xmlTextReaderGetAttribute(reader, "type");
+			break;
+		}
+	}
+
+	/* process message */
+	if (id && type)
+	{
+		if (streq(type, "request"))
+		{
+			request(reader, id, fd);
+		}
+		else
+		{
+			/* response(reader, id) */
+		}
+	}
+	xmlFreeTextReader(reader);
+	return JOB_REQUEUE_FAIR;;
+}
+
+/**
+ * accept from XML socket and create jobs to process connections
+ */
+static job_requeue_t dispatch(private_smp_t *this)
+{
+	struct sockaddr_un strokeaddr;
+	int fd, *fdp, strokeaddrlen = sizeof(strokeaddr);
+	callback_job_t *job;
+	bool oldstate;
+
+	/* wait for connections, but allow thread to terminate */
+	oldstate = thread_cancelability(TRUE);
+	fd = accept(this->socket, (struct sockaddr *)&strokeaddr, &strokeaddrlen);
+	thread_cancelability(oldstate);
+
+	if (fd < 0)
+	{
+		DBG1(DBG_CFG, "accepting SMP XML socket failed: %s", strerror(errno));
+		sleep(1);
+		return JOB_REQUEUE_FAIR;;
+	}
+
+	fdp = malloc_thing(int);
+	*fdp = fd;
+	job = callback_job_create((callback_job_cb_t)process, fdp, free, this->job);
+	charon->processor->queue_job(charon->processor, (job_t*)job);
+
+	return JOB_REQUEUE_DIRECT;
+}
+
+/**
+ * Implementation of itnerface_t.destroy.
+ */
+static void destroy(private_smp_t *this)
+{
+	this->job->cancel(this->job);
+	close(this->socket);
+	free(this);
+}
+
+/*
+ * Described in header file
+ */
+plugin_t *smp_plugin_create()
+{
+	struct sockaddr_un unix_addr = { AF_UNIX, IPSEC_PIDDIR "/charon.xml"};
+	private_smp_t *this = malloc_thing(private_smp_t);
+	mode_t old;
+
+	this->public.plugin.destroy = (void (*)(plugin_t*))destroy;
+
+	/* set up unix socket */
+	this->socket = socket(AF_UNIX, SOCK_STREAM, 0);
+	if (this->socket == -1)
+	{
+		DBG1(DBG_CFG, "could not create XML socket");
+		free(this);
+		return NULL;
+	}
+
+	unlink(unix_addr.sun_path);
+	old = umask(~(S_IRWXU | S_IRWXG));
+	if (bind(this->socket, (struct sockaddr *)&unix_addr, sizeof(unix_addr)) < 0)
+	{
+		DBG1(DBG_CFG, "could not bind XML socket: %s", strerror(errno));
+		close(this->socket);
+		free(this);
+		return NULL;
+	}
+	umask(old);
+	if (chown(unix_addr.sun_path, charon->uid, charon->gid) != 0)
+	{
+		DBG1(DBG_CFG, "changing XML socket permissions failed: %s", strerror(errno));
+	}
+
+	if (listen(this->socket, 5) < 0)
+	{
+		DBG1(DBG_CFG, "could not listen on XML socket: %s", strerror(errno));
+		close(this->socket);
+		free(this);
+		return NULL;
+	}
+
+	this->job = callback_job_create((callback_job_cb_t)dispatch, this, NULL, NULL);
+	charon->processor->queue_job(charon->processor, (job_t*)this->job);
+
+	return &this->public.plugin;
+}
+
diff --git a/src/libcharon/plugins/smp/smp.h b/src/libcharon/plugins/smp/smp.h
new file mode 100644
index 000000000..74c85fb5f
--- /dev/null
+++ b/src/libcharon/plugins/smp/smp.h
@@ -0,0 +1,45 @@
+/*
+ * Copyright (C) 2007-2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup smp smp
+ * @ingroup cplugins
+ *
+ * @defgroup smp_i smp
+ * @{ @ingroup smp
+ */
+
+#ifndef SMP_H_
+#define SMP_H_
+
+#include <plugins/plugin.h>
+
+typedef struct smp_t smp_t;
+
+/**
+ * SMP configuration and control interface.
+ *
+ * The SMP interface uses a socket and a to communicate. The syntax is strict
+ * XML, defined in the schema.xml specification.
+ */
+struct smp_t {
+
+	/**
+	 * implements the plugin interface.
+	 */
+	plugin_t plugin;
+};
+
+#endif /** XML_H_ @}*/
diff --git a/src/libcharon/plugins/socket_default/Makefile.am b/src/libcharon/plugins/socket_default/Makefile.am
new file mode 100644
index 000000000..635a1c548
--- /dev/null
+++ b/src/libcharon/plugins/socket_default/Makefile.am
@@ -0,0 +1,17 @@
+
+INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra -I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-socket-default.la
+else
+plugin_LTLIBRARIES = libstrongswan-socket-default.la
+endif
+
+libstrongswan_socket_default_la_SOURCES = \
+	socket_default_socket.h socket_default_socket.c \
+	socket_default_plugin.h socket_default_plugin.c
+
+libstrongswan_socket_default_la_LDFLAGS = -module -avoid-version
diff --git a/src/libcharon/plugins/socket_default/Makefile.in b/src/libcharon/plugins/socket_default/Makefile.in
new file mode 100644
index 000000000..03c438acd
--- /dev/null
+++ b/src/libcharon/plugins/socket_default/Makefile.in
@@ -0,0 +1,590 @@
+# Makefile.in generated by automake 1.11 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libcharon/plugins/socket_default
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_socket_default_la_LIBADD =
+am_libstrongswan_socket_default_la_OBJECTS = socket_default_socket.lo \
+	socket_default_plugin.lo
+libstrongswan_socket_default_la_OBJECTS =  \
+	$(am_libstrongswan_socket_default_la_OBJECTS)
+libstrongswan_socket_default_la_LINK = $(LIBTOOL) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_socket_default_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_socket_default_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_socket_default_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_socket_default_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_socket_default_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libhydra_plugins = @libhydra_plugins@
+libstrongswan_plugins = @libstrongswan_plugins@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra -I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-socket-default.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-socket-default.la
+libstrongswan_socket_default_la_SOURCES = \
+	socket_default_socket.h socket_default_socket.c \
+	socket_default_plugin.h socket_default_plugin.c
+
+libstrongswan_socket_default_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/socket_default/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libcharon/plugins/socket_default/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-socket-default.la: $(libstrongswan_socket_default_la_OBJECTS) $(libstrongswan_socket_default_la_DEPENDENCIES) 
+	$(libstrongswan_socket_default_la_LINK) $(am_libstrongswan_socket_default_la_rpath) $(libstrongswan_socket_default_la_OBJECTS) $(libstrongswan_socket_default_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/socket_default_plugin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/socket_default_socket.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libcharon/plugins/socket_default/socket_default_plugin.c b/src/libcharon/plugins/socket_default/socket_default_plugin.c
new file mode 100644
index 000000000..45390ddae
--- /dev/null
+++ b/src/libcharon/plugins/socket_default/socket_default_plugin.c
@@ -0,0 +1,69 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "socket_default_plugin.h"
+
+#include "socket_default_socket.h"
+
+#include <daemon.h>
+
+typedef struct private_socket_default_plugin_t private_socket_default_plugin_t;
+
+/**
+ * Private data of socket plugin
+ */
+struct private_socket_default_plugin_t {
+
+	/**
+	 * Implements plugin interface
+	 */
+	socket_default_plugin_t public;
+
+	/**
+	 * Socket instance.
+	 */
+	socket_default_socket_t *socket;
+};
+
+METHOD(plugin_t, destroy, void,
+	private_socket_default_plugin_t *this)
+{
+	charon->socket->remove_socket(charon->socket, &this->socket->socket);
+	this->socket->destroy(this->socket);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *socket_default_plugin_create()
+{
+	private_socket_default_plugin_t *this;
+
+	INIT(this,
+		.public.plugin.destroy = _destroy,
+		.socket = socket_default_socket_create(),
+	);
+
+	if (!this->socket)
+	{
+		free(this);
+		return NULL;
+	}
+	charon->socket->add_socket(charon->socket, &this->socket->socket);
+
+	return &this->public.plugin;
+}
+
diff --git a/src/libcharon/plugins/socket_default/socket_default_plugin.h b/src/libcharon/plugins/socket_default/socket_default_plugin.h
new file mode 100644
index 000000000..6270d93ad
--- /dev/null
+++ b/src/libcharon/plugins/socket_default/socket_default_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup socket_default socket_default
+ * @ingroup cplugins
+ *
+ * @defgroup socket_default_plugin socket_default_plugin
+ * @{ @ingroup socket_default
+ */
+
+#ifndef SOCKET_DEFAULT_PLUGIN_H_
+#define SOCKET_DEFAULT_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct socket_default_plugin_t socket_default_plugin_t;
+
+/**
+ * Default socket implementation plugin.
+ */
+struct socket_default_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+#endif /** SOCKET_DEFAULT_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/socket_default/socket_default_socket.c b/src/libcharon/plugins/socket_default/socket_default_socket.c
new file mode 100644
index 000000000..bc998182e
--- /dev/null
+++ b/src/libcharon/plugins/socket_default/socket_default_socket.c
@@ -0,0 +1,631 @@
+/*
+ * Copyright (C) 2006-2009 Tobias Brunner
+ * Copyright (C) 2006 Daniel Roethlisberger
+ * Copyright (C) 2005-2010 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/* for struct in6_pktinfo */
+#define _GNU_SOURCE
+#ifdef __sun
+#define _XPG4_2
+#define __EXTENSIONS__
+#endif
+
+#include "socket_default_socket.h"
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <string.h>
+#include <errno.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <fcntl.h>
+#include <sys/ioctl.h>
+#include <netinet/in_systm.h>
+#include <netinet/in.h>
+#include <netinet/ip.h>
+#include <netinet/udp.h>
+#include <net/if.h>
+#ifdef __APPLE__
+#include <sys/sysctl.h>
+#endif
+
+#include <daemon.h>
+#include <threading/thread.h>
+
+/* Maximum size of a packet */
+#define MAX_PACKET 5000
+
+/* length of non-esp marker */
+#define MARKER_LEN sizeof(u_int32_t)
+
+/* from linux/udp.h */
+#ifndef UDP_ENCAP
+#define UDP_ENCAP 100
+#endif /*UDP_ENCAP*/
+
+#ifndef UDP_ENCAP_ESPINUDP
+#define UDP_ENCAP_ESPINUDP 2
+#endif /*UDP_ENCAP_ESPINUDP*/
+
+/* these are not defined on some platforms */
+#ifndef SOL_IP
+#define SOL_IP IPPROTO_IP
+#endif
+#ifndef SOL_IPV6
+#define SOL_IPV6 IPPROTO_IPV6
+#endif
+#ifndef SOL_UDP
+#define SOL_UDP IPPROTO_UDP
+#endif
+
+/* IPV6_RECVPKTINFO is defined in RFC 3542 which obsoletes RFC 2292 that
+ * previously defined IPV6_PKTINFO */
+#ifndef IPV6_RECVPKTINFO
+#define IPV6_RECVPKTINFO IPV6_PKTINFO
+#endif
+
+#ifndef IN6ADDR_ANY_INIT
+#define IN6ADDR_ANY_INIT {{{0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}}}
+#endif
+
+#ifndef HAVE_IN6ADDR_ANY
+static const struct in6_addr in6addr_any = IN6ADDR_ANY_INIT;
+#endif
+
+typedef struct private_socket_default_socket_t private_socket_default_socket_t;
+
+/**
+ * Private data of an socket_t object
+ */
+struct private_socket_default_socket_t {
+
+	/**
+	 * public functions
+	 */
+	socket_default_socket_t public;
+
+	/**
+	 * IPv4 socket (500)
+	 */
+	int ipv4;
+
+	/**
+	 * IPv4 socket for NATT (4500)
+	 */
+	int ipv4_natt;
+
+	/**
+	 * IPv6 socket (500)
+	 */
+	int ipv6;
+
+	/**
+	 * IPv6 socket for NATT (4500)
+	 */
+	int ipv6_natt;
+};
+
+METHOD(socket_t, receiver, status_t,
+	private_socket_default_socket_t *this, packet_t **packet)
+{
+	char buffer[MAX_PACKET];
+	chunk_t data;
+	packet_t *pkt;
+	host_t *source = NULL, *dest = NULL;
+	int bytes_read = 0, data_offset;
+	bool oldstate;
+
+	fd_set rfds;
+	int max_fd = 0, selected = 0;
+	u_int16_t port = 0;
+
+	FD_ZERO(&rfds);
+
+	if (this->ipv4)
+	{
+		FD_SET(this->ipv4, &rfds);
+	}
+	if (this->ipv4_natt)
+	{
+		FD_SET(this->ipv4_natt, &rfds);
+	}
+	if (this->ipv6)
+	{
+		FD_SET(this->ipv6, &rfds);
+	}
+	if (this->ipv6_natt)
+	{
+		FD_SET(this->ipv6_natt, &rfds);
+	}
+	max_fd = max(max(this->ipv4, this->ipv4_natt), max(this->ipv6, this->ipv6_natt));
+
+	DBG2(DBG_NET, "waiting for data on sockets");
+	oldstate = thread_cancelability(TRUE);
+	if (select(max_fd + 1, &rfds, NULL, NULL, NULL) <= 0)
+	{
+		thread_cancelability(oldstate);
+		return FAILED;
+	}
+	thread_cancelability(oldstate);
+
+	if (FD_ISSET(this->ipv4, &rfds))
+	{
+		port = IKEV2_UDP_PORT;
+		selected = this->ipv4;
+	}
+	if (FD_ISSET(this->ipv4_natt, &rfds))
+	{
+		port = IKEV2_NATT_PORT;
+		selected = this->ipv4_natt;
+	}
+	if (FD_ISSET(this->ipv6, &rfds))
+	{
+		port = IKEV2_UDP_PORT;
+		selected = this->ipv6;
+	}
+	if (FD_ISSET(this->ipv6_natt, &rfds))
+	{
+		port = IKEV2_NATT_PORT;
+		selected = this->ipv6_natt;
+	}
+	if (selected)
+	{
+		struct msghdr msg;
+		struct cmsghdr *cmsgptr;
+		struct iovec iov;
+		char ancillary[64];
+		union {
+			struct sockaddr_in in4;
+			struct sockaddr_in6 in6;
+		} src;
+
+		msg.msg_name = &src;
+		msg.msg_namelen = sizeof(src);
+		iov.iov_base = buffer;
+		iov.iov_len = sizeof(buffer);
+		msg.msg_iov = &iov;
+		msg.msg_iovlen = 1;
+		msg.msg_control = ancillary;
+		msg.msg_controllen = sizeof(ancillary);
+		msg.msg_flags = 0;
+		bytes_read = recvmsg(selected, &msg, 0);
+		if (bytes_read < 0)
+		{
+			DBG1(DBG_NET, "error reading socket: %s", strerror(errno));
+			return FAILED;
+		}
+		DBG3(DBG_NET, "received packet %b", buffer, bytes_read);
+
+		if (bytes_read < MARKER_LEN)
+		{
+			DBG3(DBG_NET, "received packet too short (%d bytes)",
+				 bytes_read);
+			return FAILED;
+		}
+
+		/* read ancillary data to get destination address */
+		for (cmsgptr = CMSG_FIRSTHDR(&msg); cmsgptr != NULL;
+			 cmsgptr = CMSG_NXTHDR(&msg, cmsgptr))
+		{
+			if (cmsgptr->cmsg_len == 0)
+			{
+				DBG1(DBG_NET, "error reading ancillary data");
+				return FAILED;
+			}
+
+#ifdef HAVE_IN6_PKTINFO
+			if (cmsgptr->cmsg_level == SOL_IPV6 &&
+				cmsgptr->cmsg_type == IPV6_PKTINFO)
+			{
+				struct in6_pktinfo *pktinfo;
+				pktinfo = (struct in6_pktinfo*)CMSG_DATA(cmsgptr);
+				struct sockaddr_in6 dst;
+
+				memset(&dst, 0, sizeof(dst));
+				memcpy(&dst.sin6_addr, &pktinfo->ipi6_addr, sizeof(dst.sin6_addr));
+				dst.sin6_family = AF_INET6;
+				dst.sin6_port = htons(port);
+				dest = host_create_from_sockaddr((sockaddr_t*)&dst);
+			}
+#endif /* HAVE_IN6_PKTINFO */
+			if (cmsgptr->cmsg_level == SOL_IP &&
+#ifdef IP_PKTINFO
+				cmsgptr->cmsg_type == IP_PKTINFO
+#elif defined(IP_RECVDSTADDR)
+				cmsgptr->cmsg_type == IP_RECVDSTADDR
+#else
+				FALSE
+#endif
+				)
+			{
+				struct in_addr *addr;
+				struct sockaddr_in dst;
+
+#ifdef IP_PKTINFO
+				struct in_pktinfo *pktinfo;
+				pktinfo = (struct in_pktinfo*)CMSG_DATA(cmsgptr);
+				addr = &pktinfo->ipi_addr;
+#elif defined(IP_RECVDSTADDR)
+				addr = (struct in_addr*)CMSG_DATA(cmsgptr);
+#endif
+				memset(&dst, 0, sizeof(dst));
+				memcpy(&dst.sin_addr, addr, sizeof(dst.sin_addr));
+
+				dst.sin_family = AF_INET;
+				dst.sin_port = htons(port);
+				dest = host_create_from_sockaddr((sockaddr_t*)&dst);
+			}
+			if (dest)
+			{
+				break;
+			}
+		}
+		if (dest == NULL)
+		{
+			DBG1(DBG_NET, "error reading IP header");
+			return FAILED;
+		}
+		source = host_create_from_sockaddr((sockaddr_t*)&src);
+
+		pkt = packet_create();
+		pkt->set_source(pkt, source);
+		pkt->set_destination(pkt, dest);
+		DBG2(DBG_NET, "received packet: from %#H to %#H", source, dest);
+		data_offset = 0;
+		/* remove non esp marker */
+		if (dest->get_port(dest) == IKEV2_NATT_PORT)
+		{
+			data_offset += MARKER_LEN;
+		}
+		/* fill in packet */
+		data.len = bytes_read - data_offset;
+		data.ptr = malloc(data.len);
+		memcpy(data.ptr, buffer + data_offset, data.len);
+		pkt->set_data(pkt, data);
+	}
+	else
+	{
+		/* oops, shouldn't happen */
+		return FAILED;
+	}
+	/* return packet */
+	*packet = pkt;
+	return SUCCESS;
+}
+
+METHOD(socket_t, sender, status_t,
+	private_socket_default_socket_t *this, packet_t *packet)
+{
+	int sport, skt, family;
+	ssize_t bytes_sent;
+	chunk_t data, marked;
+	host_t *src, *dst;
+	struct msghdr msg;
+	struct cmsghdr *cmsg;
+	struct iovec iov;
+
+	src = packet->get_source(packet);
+	dst = packet->get_destination(packet);
+	data = packet->get_data(packet);
+
+	DBG2(DBG_NET, "sending packet: from %#H to %#H", src, dst);
+
+	/* send data */
+	sport = src->get_port(src);
+	family = dst->get_family(dst);
+	if (sport == IKEV2_UDP_PORT)
+	{
+		if (family == AF_INET)
+		{
+			skt = this->ipv4;
+		}
+		else
+		{
+			skt = this->ipv6;
+		}
+	}
+	else if (sport == IKEV2_NATT_PORT)
+	{
+		if (family == AF_INET)
+		{
+			skt = this->ipv4_natt;
+		}
+		else
+		{
+			skt = this->ipv6_natt;
+		}
+		/* NAT keepalives without marker */
+		if (data.len != 1 || data.ptr[0] != 0xFF)
+		{
+			/* add non esp marker to packet */
+			if (data.len > MAX_PACKET - MARKER_LEN)
+			{
+				DBG1(DBG_NET, "unable to send packet: it's too big (%d bytes)",
+					 data.len);
+				return FAILED;
+			}
+			marked = chunk_alloc(data.len + MARKER_LEN);
+			memset(marked.ptr, 0, MARKER_LEN);
+			memcpy(marked.ptr + MARKER_LEN, data.ptr, data.len);
+			/* let the packet do the clean up for us */
+			packet->set_data(packet, marked);
+			data = marked;
+		}
+	}
+	else
+	{
+		DBG1(DBG_NET, "unable to locate a send socket for port %d", sport);
+		return FAILED;
+	}
+
+	memset(&msg, 0, sizeof(struct msghdr));
+	msg.msg_name = dst->get_sockaddr(dst);;
+	msg.msg_namelen = *dst->get_sockaddr_len(dst);
+	iov.iov_base = data.ptr;
+	iov.iov_len = data.len;
+	msg.msg_iov = &iov;
+	msg.msg_iovlen = 1;
+	msg.msg_flags = 0;
+
+	if (!src->is_anyaddr(src))
+	{
+		if (family == AF_INET)
+		{
+#if defined(IP_PKTINFO) || defined(IP_SENDSRCADDR)
+			struct in_addr *addr;
+			struct sockaddr_in *sin;
+#ifdef IP_PKTINFO
+			char buf[CMSG_SPACE(sizeof(struct in_pktinfo))];
+			struct in_pktinfo *pktinfo;
+#elif defined(IP_SENDSRCADDR)
+			char buf[CMSG_SPACE(sizeof(struct in_addr))];
+#endif
+			msg.msg_control = buf;
+			msg.msg_controllen = sizeof(buf);
+			cmsg = CMSG_FIRSTHDR(&msg);
+			cmsg->cmsg_level = SOL_IP;
+#ifdef IP_PKTINFO
+			cmsg->cmsg_type = IP_PKTINFO;
+			cmsg->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo));
+			pktinfo = (struct in_pktinfo*)CMSG_DATA(cmsg);
+			memset(pktinfo, 0, sizeof(struct in_pktinfo));
+			addr = &pktinfo->ipi_spec_dst;
+#elif defined(IP_SENDSRCADDR)
+			cmsg->cmsg_type = IP_SENDSRCADDR;
+			cmsg->cmsg_len = CMSG_LEN(sizeof(struct in_addr));
+			addr = (struct in_addr*)CMSG_DATA(cmsg);
+#endif
+			sin = (struct sockaddr_in*)src->get_sockaddr(src);
+			memcpy(addr, &sin->sin_addr, sizeof(struct in_addr));
+#endif /* IP_PKTINFO || IP_SENDSRCADDR */
+		}
+#ifdef HAVE_IN6_PKTINFO
+		else
+		{
+			char buf[CMSG_SPACE(sizeof(struct in6_pktinfo))];
+			struct in6_pktinfo *pktinfo;
+			struct sockaddr_in6 *sin;
+
+			msg.msg_control = buf;
+			msg.msg_controllen = sizeof(buf);
+			cmsg = CMSG_FIRSTHDR(&msg);
+			cmsg->cmsg_level = SOL_IPV6;
+			cmsg->cmsg_type = IPV6_PKTINFO;
+			cmsg->cmsg_len = CMSG_LEN(sizeof(struct in6_pktinfo));
+			pktinfo = (struct in6_pktinfo*)CMSG_DATA(cmsg);
+			memset(pktinfo, 0, sizeof(struct in6_pktinfo));
+			sin = (struct sockaddr_in6*)src->get_sockaddr(src);
+			memcpy(&pktinfo->ipi6_addr, &sin->sin6_addr, sizeof(struct in6_addr));
+		}
+#endif /* HAVE_IN6_PKTINFO */
+	}
+
+	bytes_sent = sendmsg(skt, &msg, 0);
+
+	if (bytes_sent != data.len)
+	{
+		DBG1(DBG_NET, "error writing to socket: %s", strerror(errno));
+		return FAILED;
+	}
+	return SUCCESS;
+}
+
+/**
+ * open a socket to send and receive packets
+ */
+static int open_socket(private_socket_default_socket_t *this,
+					   int family, u_int16_t port)
+{
+	int on = TRUE;
+	struct sockaddr_storage addr;
+	socklen_t addrlen;
+	u_int sol, pktinfo = 0;
+	int skt;
+
+	memset(&addr, 0, sizeof(addr));
+	/* precalculate constants depending on address family */
+	switch (family)
+	{
+		case AF_INET:
+		{
+			struct sockaddr_in *sin = (struct sockaddr_in *)&addr;
+			sin->sin_family = AF_INET;
+			sin->sin_addr.s_addr = INADDR_ANY;
+			sin->sin_port = htons(port);
+			addrlen = sizeof(struct sockaddr_in);
+			sol = SOL_IP;
+#ifdef IP_PKTINFO
+			pktinfo = IP_PKTINFO;
+#elif defined(IP_RECVDSTADDR)
+			pktinfo = IP_RECVDSTADDR;
+#endif
+			break;
+		}
+		case AF_INET6:
+		{
+			struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)&addr;
+			sin6->sin6_family = AF_INET6;
+			memcpy(&sin6->sin6_addr, &in6addr_any, sizeof(in6addr_any));
+			sin6->sin6_port = htons(port);
+			addrlen = sizeof(struct sockaddr_in6);
+			sol = SOL_IPV6;
+			pktinfo = IPV6_RECVPKTINFO;
+			break;
+		}
+		default:
+			return 0;
+	}
+
+	skt = socket(family, SOCK_DGRAM, IPPROTO_UDP);
+	if (skt < 0)
+	{
+		DBG1(DBG_NET, "could not open socket: %s", strerror(errno));
+		return 0;
+	}
+	if (setsockopt(skt, SOL_SOCKET, SO_REUSEADDR, (void*)&on, sizeof(on)) < 0)
+	{
+		DBG1(DBG_NET, "unable to set SO_REUSEADDR on socket: %s", strerror(errno));
+		close(skt);
+		return 0;
+	}
+
+	/* bind the socket */
+	if (bind(skt, (struct sockaddr *)&addr, addrlen) < 0)
+	{
+		DBG1(DBG_NET, "unable to bind socket: %s", strerror(errno));
+		close(skt);
+		return 0;
+	}
+
+	/* get additional packet info on receive */
+	if (pktinfo > 0)
+	{
+		if (setsockopt(skt, sol, pktinfo, &on, sizeof(on)) < 0)
+		{
+			DBG1(DBG_NET, "unable to set IP_PKTINFO on socket: %s", strerror(errno));
+			close(skt);
+			return 0;
+		}
+	}
+
+	if (!charon->kernel_interface->bypass_socket(charon->kernel_interface,
+												 skt, family))
+	{
+		DBG1(DBG_NET, "installing IKE bypass policy failed");
+	}
+
+#ifndef __APPLE__
+	{
+		/* enable UDP decapsulation globally, only for one socket needed */
+		int type = UDP_ENCAP_ESPINUDP;
+		if (family == AF_INET && port == IKEV2_NATT_PORT &&
+			setsockopt(skt, SOL_UDP, UDP_ENCAP, &type, sizeof(type)) < 0)
+		{
+			DBG1(DBG_NET, "unable to set UDP_ENCAP: %s", strerror(errno));
+		}
+	}
+#endif
+	return skt;
+}
+
+METHOD(socket_default_socket_t, destroy, void,
+	private_socket_default_socket_t *this)
+{
+	if (this->ipv4)
+	{
+		close(this->ipv4);
+	}
+	if (this->ipv4_natt)
+	{
+		close(this->ipv4_natt);
+	}
+	if (this->ipv6)
+	{
+		close(this->ipv6);
+	}
+	if (this->ipv6_natt)
+	{
+		close(this->ipv6_natt);
+	}
+	free(this);
+}
+
+/*
+ * See header for description
+ */
+socket_default_socket_t *socket_default_socket_create()
+{
+	private_socket_default_socket_t *this;
+
+	INIT(this,
+		.public = {
+			.socket = {
+				.send = _sender,
+				.receive = _receiver,
+			},
+			.destroy = _destroy,
+		},
+	);
+
+#ifdef __APPLE__
+	{
+		int natt_port = IKEV2_NATT_PORT;
+		if (sysctlbyname("net.inet.ipsec.esp_port", NULL, NULL, &natt_port,
+						 sizeof(natt_port)) != 0)
+		{
+			DBG1(DBG_NET, "could not set net.inet.ipsec.esp_port to %d: %s",
+				 natt_port, strerror(errno));
+		}
+	}
+#endif
+
+	this->ipv4 = open_socket(this, AF_INET, IKEV2_UDP_PORT);
+	if (this->ipv4 == 0)
+	{
+		DBG1(DBG_NET, "could not open IPv4 socket, IPv4 disabled");
+	}
+	else
+	{
+		this->ipv4_natt = open_socket(this, AF_INET, IKEV2_NATT_PORT);
+		if (this->ipv4_natt == 0)
+		{
+			DBG1(DBG_NET, "could not open IPv4 NAT-T socket");
+		}
+	}
+
+	this->ipv6 = open_socket(this, AF_INET6, IKEV2_UDP_PORT);
+	if (this->ipv6 == 0)
+	{
+		DBG1(DBG_NET, "could not open IPv6 socket, IPv6 disabled");
+	}
+	else
+	{
+		this->ipv6_natt = open_socket(this, AF_INET6, IKEV2_NATT_PORT);
+		if (this->ipv6_natt == 0)
+		{
+			DBG1(DBG_NET, "could not open IPv6 NAT-T socket");
+		}
+	}
+
+	if (!this->ipv4 && !this->ipv6)
+	{
+		DBG1(DBG_NET, "could not create any sockets");
+		destroy(this);
+		return NULL;
+	}
+	return &this->public;
+}
+
diff --git a/src/libcharon/plugins/socket_default/socket_default_socket.h b/src/libcharon/plugins/socket_default/socket_default_socket.h
new file mode 100644
index 000000000..755016662
--- /dev/null
+++ b/src/libcharon/plugins/socket_default/socket_default_socket.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup socket_default_socket socket_default_socket
+ * @{ @ingroup socket_default
+ */
+
+#ifndef SOCKET_DEFAULT_SOCKET_H_
+#define SOCKET_DEFAULT_SOCKET_H_
+
+typedef struct socket_default_socket_t socket_default_socket_t;
+
+#include <network/socket.h>
+
+/**
+ * Default socket, binds to port 500/4500 using any IPv4/IPv6 address.
+ */
+struct socket_default_socket_t {
+
+	/**
+	 * Implements the socket_t interface.
+	 */
+	socket_t socket;
+
+	/**
+	 * Destroy a socket_default_socket_t.
+	 */
+	void (*destroy)(socket_default_socket_t *this);
+};
+
+/**
+ * Create a socket_default_socket instance.
+ */
+socket_default_socket_t *socket_default_socket_create();
+
+#endif /** SOCKET_DEFAULT_SOCKET_H_ @}*/
diff --git a/src/libcharon/plugins/socket_dynamic/Makefile.am b/src/libcharon/plugins/socket_dynamic/Makefile.am
new file mode 100644
index 000000000..914945535
--- /dev/null
+++ b/src/libcharon/plugins/socket_dynamic/Makefile.am
@@ -0,0 +1,17 @@
+
+INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra -I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-socket-dynamic.la
+else
+plugin_LTLIBRARIES = libstrongswan-socket-dynamic.la
+endif
+
+libstrongswan_socket_dynamic_la_SOURCES = \
+	socket_dynamic_plugin.h socket_dynamic_plugin.c \
+	socket_dynamic_socket.h socket_dynamic_socket.c
+
+libstrongswan_socket_dynamic_la_LDFLAGS = -module -avoid-version
diff --git a/src/libcharon/plugins/socket_dynamic/Makefile.in b/src/libcharon/plugins/socket_dynamic/Makefile.in
new file mode 100644
index 000000000..3a5fb3778
--- /dev/null
+++ b/src/libcharon/plugins/socket_dynamic/Makefile.in
@@ -0,0 +1,590 @@
+# Makefile.in generated by automake 1.11 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libcharon/plugins/socket_dynamic
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_socket_dynamic_la_LIBADD =
+am_libstrongswan_socket_dynamic_la_OBJECTS = socket_dynamic_plugin.lo \
+	socket_dynamic_socket.lo
+libstrongswan_socket_dynamic_la_OBJECTS =  \
+	$(am_libstrongswan_socket_dynamic_la_OBJECTS)
+libstrongswan_socket_dynamic_la_LINK = $(LIBTOOL) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_socket_dynamic_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_socket_dynamic_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_socket_dynamic_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_socket_dynamic_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_socket_dynamic_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libhydra_plugins = @libhydra_plugins@
+libstrongswan_plugins = @libstrongswan_plugins@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra -I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-socket-dynamic.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-socket-dynamic.la
+libstrongswan_socket_dynamic_la_SOURCES = \
+	socket_dynamic_plugin.h socket_dynamic_plugin.c \
+	socket_dynamic_socket.h socket_dynamic_socket.c
+
+libstrongswan_socket_dynamic_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/socket_dynamic/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libcharon/plugins/socket_dynamic/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-socket-dynamic.la: $(libstrongswan_socket_dynamic_la_OBJECTS) $(libstrongswan_socket_dynamic_la_DEPENDENCIES) 
+	$(libstrongswan_socket_dynamic_la_LINK) $(am_libstrongswan_socket_dynamic_la_rpath) $(libstrongswan_socket_dynamic_la_OBJECTS) $(libstrongswan_socket_dynamic_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/socket_dynamic_plugin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/socket_dynamic_socket.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libcharon/plugins/socket_dynamic/socket_dynamic_plugin.c b/src/libcharon/plugins/socket_dynamic/socket_dynamic_plugin.c
new file mode 100644
index 000000000..3410fc7a4
--- /dev/null
+++ b/src/libcharon/plugins/socket_dynamic/socket_dynamic_plugin.c
@@ -0,0 +1,69 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "socket_dynamic_plugin.h"
+
+#include "socket_dynamic_socket.h"
+
+#include <daemon.h>
+
+typedef struct private_socket_dynamic_plugin_t private_socket_dynamic_plugin_t;
+
+/**
+ * Private data of socket plugin
+ */
+struct private_socket_dynamic_plugin_t {
+
+	/**
+	 * Implements plugin interface
+	 */
+	socket_dynamic_plugin_t public;
+
+	/**
+	 * Socket instance.
+	 */
+	socket_dynamic_socket_t *socket;
+};
+
+METHOD(plugin_t, destroy, void,
+	private_socket_dynamic_plugin_t *this)
+{
+	charon->socket->remove_socket(charon->socket, &this->socket->socket);
+	this->socket->destroy(this->socket);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *socket_dynamic_plugin_create()
+{
+	private_socket_dynamic_plugin_t *this;
+
+	INIT(this,
+		.public.plugin.destroy = _destroy,
+		.socket = socket_dynamic_socket_create(),
+	);
+
+	if (!this->socket)
+	{
+		free(this);
+		return NULL;
+	}
+	charon->socket->add_socket(charon->socket, &this->socket->socket);
+
+	return &this->public.plugin;
+}
+
diff --git a/src/libcharon/plugins/socket_dynamic/socket_dynamic_plugin.h b/src/libcharon/plugins/socket_dynamic/socket_dynamic_plugin.h
new file mode 100644
index 000000000..8d870795f
--- /dev/null
+++ b/src/libcharon/plugins/socket_dynamic/socket_dynamic_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup socket_dynamic socket_dynamic
+ * @ingroup cplugins
+ *
+ * @defgroup socket_dynamic_plugin socket_dynamic_plugin
+ * @{ @ingroup socket_dynamic
+ */
+
+#ifndef SOCKET_DYNAMIC_PLUGIN_H_
+#define SOCKET_DYNAMIC_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct socket_dynamic_plugin_t socket_dynamic_plugin_t;
+
+/**
+ * Plugin providing a socket that binds ports dynamically.
+ */
+struct socket_dynamic_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+#endif /** SOCKET_DYNAMIC_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.c b/src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.c
new file mode 100644
index 000000000..a7db59ce5
--- /dev/null
+++ b/src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.c
@@ -0,0 +1,620 @@
+/*
+ * Copyright (C) 2006-2009 Tobias Brunner
+ * Copyright (C) 2006 Daniel Roethlisberger
+ * Copyright (C) 2005-2010 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/* for struct in6_pktinfo */
+#define _GNU_SOURCE
+
+#include "socket_dynamic_socket.h"
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <string.h>
+#include <errno.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <fcntl.h>
+#include <sys/ioctl.h>
+#include <netinet/in_systm.h>
+#include <netinet/in.h>
+#include <netinet/ip.h>
+#include <netinet/udp.h>
+#include <net/if.h>
+
+#include <daemon.h>
+#include <threading/thread.h>
+#include <threading/rwlock.h>
+#include <utils/hashtable.h>
+
+/* Maximum size of a packet */
+#define MAX_PACKET 5000
+
+/* length of non-esp marker */
+#define MARKER_LEN sizeof(u_int32_t)
+
+/* from linux/udp.h */
+#ifndef UDP_ENCAP
+#define UDP_ENCAP 100
+#endif /*UDP_ENCAP*/
+
+#ifndef UDP_ENCAP_ESPINUDP
+#define UDP_ENCAP_ESPINUDP 2
+#endif /*UDP_ENCAP_ESPINUDP*/
+
+/* these are not defined on some platforms */
+#ifndef SOL_IP
+#define SOL_IP IPPROTO_IP
+#endif
+#ifndef SOL_IPV6
+#define SOL_IPV6 IPPROTO_IPV6
+#endif
+#ifndef SOL_UDP
+#define SOL_UDP IPPROTO_UDP
+#endif
+
+/* IPV6_RECVPKTINFO is defined in RFC 3542 which obsoletes RFC 2292 that
+ * previously defined IPV6_PKTINFO */
+#ifndef IPV6_RECVPKTINFO
+#define IPV6_RECVPKTINFO IPV6_PKTINFO
+#endif
+
+typedef struct private_socket_dynamic_socket_t private_socket_dynamic_socket_t;
+typedef struct dynsock_t dynsock_t;
+
+/**
+ * Private data of an socket_t object
+ */
+struct private_socket_dynamic_socket_t {
+
+	/**
+	 * public functions
+	 */
+	socket_dynamic_socket_t public;
+
+	/**
+	 * Hashtable of bound sockets
+	 */
+	hashtable_t *sockets;
+
+	/**
+	 * Lock for sockets hashtable
+	 */
+	rwlock_t *lock;
+
+	/**
+	 * Notification pipe to signal receiver
+	 */
+	int notify[2];
+};
+
+/**
+ * Struct for a dynamically allocated socket
+ */
+struct dynsock_t {
+
+	/**
+	 * File descriptor of socket
+	 */
+	int fd;
+
+	/**
+	 * Address family
+	 */
+	int family;
+
+	/**
+	 * Bound source port
+	 */
+	u_int16_t port;
+};
+
+/**
+ * Hash function for hashtable
+ */
+static u_int hash(dynsock_t *key)
+{
+	return (key->family << 16) | key->port;
+}
+
+/**
+ * Equals function for hashtable
+ */
+static bool equals(dynsock_t *a, dynsock_t *b)
+{
+	return a->family == b->family && a->port == b->port;
+}
+
+/**
+ * Create a fd_set from all bound sockets
+ */
+static int build_fds(private_socket_dynamic_socket_t *this, fd_set *fds)
+{
+	enumerator_t *enumerator;
+	dynsock_t *key, *value;
+	int maxfd;
+
+	FD_ZERO(fds);
+	FD_SET(this->notify[0], fds);
+	maxfd = this->notify[0];
+
+	this->lock->read_lock(this->lock);
+	enumerator = this->sockets->create_enumerator(this->sockets);
+	while (enumerator->enumerate(enumerator, &key, &value))
+	{
+		FD_SET(value->fd, fds);
+		maxfd = max(maxfd, value->fd);
+	}
+	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
+
+	return maxfd + 1;
+}
+
+/**
+ * Find the socket select()ed
+ */
+static dynsock_t* scan_fds(private_socket_dynamic_socket_t *this, fd_set *fds)
+{
+	enumerator_t *enumerator;
+	dynsock_t *key, *value, *selected = NULL;
+
+	this->lock->read_lock(this->lock);
+	enumerator = this->sockets->create_enumerator(this->sockets);
+	while (enumerator->enumerate(enumerator, &key, &value))
+	{
+		if (FD_ISSET(value->fd, fds))
+		{
+			selected = value;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
+
+	return selected;
+}
+
+/**
+ * Receive a packet from a given socket fd
+ */
+static packet_t *receive_packet(private_socket_dynamic_socket_t *this,
+								dynsock_t *skt)
+{
+	host_t *source = NULL, *dest = NULL;
+	ssize_t len;
+	char buffer[MAX_PACKET];
+	chunk_t data;
+	packet_t *packet;
+	struct msghdr msg;
+	struct cmsghdr *cmsgptr;
+	struct iovec iov;
+	char ancillary[64];
+	union {
+		struct sockaddr_in in4;
+		struct sockaddr_in6 in6;
+	} src;
+
+	msg.msg_name = &src;
+	msg.msg_namelen = sizeof(src);
+	iov.iov_base = buffer;
+	iov.iov_len = sizeof(buffer);
+	msg.msg_iov = &iov;
+	msg.msg_iovlen = 1;
+	msg.msg_control = ancillary;
+	msg.msg_controllen = sizeof(ancillary);
+	msg.msg_flags = 0;
+	len = recvmsg(skt->fd, &msg, 0);
+	if (len < 0)
+	{
+		DBG1(DBG_NET, "error reading socket: %s", strerror(errno));
+		return NULL;
+	}
+	DBG3(DBG_NET, "received packet %b", buffer, len);
+
+	if (len < MARKER_LEN)
+	{
+		DBG3(DBG_NET, "received packet too short (%d bytes)", len);
+		return NULL;
+	}
+
+	/* read ancillary data to get destination address */
+	for (cmsgptr = CMSG_FIRSTHDR(&msg); cmsgptr != NULL;
+		 cmsgptr = CMSG_NXTHDR(&msg, cmsgptr))
+	{
+		if (cmsgptr->cmsg_len == 0)
+		{
+			DBG1(DBG_NET, "error reading ancillary data");
+			return NULL;
+		}
+
+		if (cmsgptr->cmsg_level == SOL_IPV6 &&
+			cmsgptr->cmsg_type == IPV6_PKTINFO)
+		{
+			struct in6_pktinfo *pktinfo;
+			struct sockaddr_in6 dst;
+
+			pktinfo = (struct in6_pktinfo*)CMSG_DATA(cmsgptr);
+			memset(&dst, 0, sizeof(dst));
+			memcpy(&dst.sin6_addr, &pktinfo->ipi6_addr, sizeof(dst.sin6_addr));
+			dst.sin6_family = AF_INET6;
+			dst.sin6_port = htons(skt->port);
+			dest = host_create_from_sockaddr((sockaddr_t*)&dst);
+		}
+		if (cmsgptr->cmsg_level == SOL_IP &&
+			cmsgptr->cmsg_type == IP_PKTINFO)
+		{
+			struct in_pktinfo *pktinfo;
+			struct sockaddr_in dst;
+
+			pktinfo = (struct in_pktinfo*)CMSG_DATA(cmsgptr);
+			memset(&dst, 0, sizeof(dst));
+			memcpy(&dst.sin_addr, &pktinfo->ipi_addr, sizeof(dst.sin_addr));
+
+			dst.sin_family = AF_INET;
+			dst.sin_port = htons(skt->port);
+			dest = host_create_from_sockaddr((sockaddr_t*)&dst);
+		}
+		if (dest)
+		{
+			break;
+		}
+	}
+	if (dest == NULL)
+	{
+		DBG1(DBG_NET, "error reading IP header");
+		return NULL;
+	}
+	source = host_create_from_sockaddr((sockaddr_t*)&src);
+	DBG2(DBG_NET, "received packet: from %#H to %#H", source, dest);
+	data = chunk_create(buffer, len);
+
+	packet = packet_create();
+	packet->set_source(packet, source);
+	packet->set_destination(packet, dest);
+	/* we assume a non-ESP marker if none of the ports is on 500 */
+	if (dest->get_port(dest) != IKEV2_UDP_PORT &&
+		source->get_port(source) != IKEV2_UDP_PORT)
+	{
+		data = chunk_skip(data, MARKER_LEN);
+	}
+	packet->set_data(packet, chunk_clone(data));
+	return packet;
+}
+
+METHOD(socket_t, receiver, status_t,
+	private_socket_dynamic_socket_t *this, packet_t **packet)
+{
+	dynsock_t *selected;
+	packet_t *pkt;
+	bool oldstate;
+	fd_set fds;
+	int maxfd;
+
+	while (TRUE)
+	{
+		maxfd = build_fds(this, &fds);
+
+		DBG2(DBG_NET, "waiting for data on sockets");
+		oldstate = thread_cancelability(TRUE);
+		if (select(maxfd, &fds, NULL, NULL, NULL) <= 0)
+		{
+			thread_cancelability(oldstate);
+			return FAILED;
+		}
+		thread_cancelability(oldstate);
+
+		if (FD_ISSET(this->notify[0], &fds))
+		{	/* got notified, read garbage, rebuild fdset */
+			char buf[1];
+
+			ignore_result(read(this->notify[0], buf, sizeof(buf)));
+			DBG2(DBG_NET, "rebuilding fdset due to newly bound ports");
+			continue;
+		}
+		selected = scan_fds(this, &fds);
+		if (selected)
+		{
+			break;
+		}
+	}
+	pkt = receive_packet(this, selected);
+	if (pkt)
+	{
+		*packet = pkt;
+		return SUCCESS;
+	}
+	return FAILED;
+}
+
+/**
+ * open a socket to send and receive packets
+ */
+static int open_socket(private_socket_dynamic_socket_t *this,
+					   int family, u_int16_t port)
+{
+	int on = TRUE, type = UDP_ENCAP_ESPINUDP;
+	struct sockaddr_storage addr;
+	socklen_t addrlen;
+	u_int sol, pktinfo = 0;
+	int fd;
+
+	memset(&addr, 0, sizeof(addr));
+	/* precalculate constants depending on address family */
+	switch (family)
+	{
+		case AF_INET:
+		{
+			struct sockaddr_in *sin = (struct sockaddr_in *)&addr;
+			sin->sin_family = AF_INET;
+			sin->sin_addr.s_addr = INADDR_ANY;
+			sin->sin_port = htons(port);
+			addrlen = sizeof(struct sockaddr_in);
+			sol = SOL_IP;
+			pktinfo = IP_PKTINFO;
+			break;
+		}
+		case AF_INET6:
+		{
+			struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)&addr;
+			sin6->sin6_family = AF_INET6;
+			memset(&sin6->sin6_addr, 0, sizeof(sin6->sin6_addr));
+			sin6->sin6_port = htons(port);
+			addrlen = sizeof(struct sockaddr_in6);
+			sol = SOL_IPV6;
+			pktinfo = IPV6_RECVPKTINFO;
+			break;
+		}
+		default:
+			return 0;
+	}
+
+	fd = socket(family, SOCK_DGRAM, IPPROTO_UDP);
+	if (fd < 0)
+	{
+		DBG1(DBG_NET, "could not open socket: %s", strerror(errno));
+		return 0;
+	}
+	if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, (void*)&on, sizeof(on)) < 0)
+	{
+		DBG1(DBG_NET, "unable to set SO_REUSEADDR on socket: %s", strerror(errno));
+		close(fd);
+		return 0;
+	}
+
+	/* bind the socket */
+	if (bind(fd, (struct sockaddr *)&addr, addrlen) < 0)
+	{
+		DBG1(DBG_NET, "unable to bind socket: %s", strerror(errno));
+		close(fd);
+		return 0;
+	}
+
+	/* get additional packet info on receive */
+	if (setsockopt(fd, sol, pktinfo, &on, sizeof(on)) < 0)
+	{
+		DBG1(DBG_NET, "unable to set IP_PKTINFO on socket: %s", strerror(errno));
+		close(fd);
+		return 0;
+	}
+
+	if (!charon->kernel_interface->bypass_socket(charon->kernel_interface,
+												 fd, family))
+	{
+		DBG1(DBG_NET, "installing IKE bypass policy failed");
+	}
+
+	/* enable UDP decapsulation on each socket */
+	if (setsockopt(fd, SOL_UDP, UDP_ENCAP, &type, sizeof(type)) < 0)
+	{
+		DBG1(DBG_NET, "unable to set UDP_ENCAP: %s", strerror(errno));
+	}
+	return fd;
+}
+
+/**
+ * Find/Create a socket to send from host
+ */
+static dynsock_t *find_socket(private_socket_dynamic_socket_t *this,
+							  int family, u_int16_t port)
+{
+	dynsock_t *skt, lookup = {
+		.family = family,
+		.port = port,
+	};
+	char buf[] = {0x01};
+	int fd;
+
+	this->lock->read_lock(this->lock);
+	skt = this->sockets->get(this->sockets, &lookup);
+	this->lock->unlock(this->lock);
+	if (skt)
+	{
+		return skt;
+	}
+	fd = open_socket(this, family, port);
+	if (!fd)
+	{
+		return NULL;
+	}
+	INIT(skt,
+		.family = family,
+		.port = port,
+		.fd = fd,
+	);
+	this->lock->write_lock(this->lock);
+	this->sockets->put(this->sockets, skt, skt);
+	this->lock->unlock(this->lock);
+	/* notify receiver thread to reread socket list */
+	ignore_result(write(this->notify[1], buf, sizeof(buf)));
+
+	return skt;
+}
+
+METHOD(socket_t, sender, status_t,
+	private_socket_dynamic_socket_t *this, packet_t *packet)
+{
+	dynsock_t *skt;
+	host_t *src, *dst;
+	int port, family;
+	ssize_t len;
+	chunk_t data, marked;
+	struct msghdr msg;
+	struct cmsghdr *cmsg;
+	struct iovec iov;
+
+	src = packet->get_source(packet);
+	dst = packet->get_destination(packet);
+	family = src->get_family(src);
+	port = src->get_port(src);
+	skt = find_socket(this, family, port);
+	if (!skt)
+	{
+		return FAILED;
+	}
+
+	data = packet->get_data(packet);
+	DBG2(DBG_NET, "sending packet: from %#H to %#H", src, dst);
+
+	/* use non-ESP marker if none of the ports is 500, not for keep alives */
+	if (port != IKEV2_UDP_PORT && dst->get_port(dst) != IKEV2_UDP_PORT &&
+		!(data.len == 1 && data.ptr[0] == 0xFF))
+	{
+		/* add non esp marker to packet */
+		if (data.len > MAX_PACKET - MARKER_LEN)
+		{
+			DBG1(DBG_NET, "unable to send packet: it's too big (%d bytes)",
+				 data.len);
+			return FAILED;
+		}
+		marked = chunk_alloc(data.len + MARKER_LEN);
+		memset(marked.ptr, 0, MARKER_LEN);
+		memcpy(marked.ptr + MARKER_LEN, data.ptr, data.len);
+		/* let the packet do the clean up for us */
+		packet->set_data(packet, marked);
+		data = marked;
+	}
+
+	memset(&msg, 0, sizeof(struct msghdr));
+	msg.msg_name = dst->get_sockaddr(dst);;
+	msg.msg_namelen = *dst->get_sockaddr_len(dst);
+	iov.iov_base = data.ptr;
+	iov.iov_len = data.len;
+	msg.msg_iov = &iov;
+	msg.msg_iovlen = 1;
+	msg.msg_flags = 0;
+
+	if (!src->is_anyaddr(src))
+	{
+		if (family == AF_INET)
+		{
+			struct in_addr *addr;
+			struct sockaddr_in *sin;
+			char buf[CMSG_SPACE(sizeof(struct in_pktinfo))];
+			struct in_pktinfo *pktinfo;
+
+			msg.msg_control = buf;
+			msg.msg_controllen = sizeof(buf);
+			cmsg = CMSG_FIRSTHDR(&msg);
+			cmsg->cmsg_level = SOL_IP;
+			cmsg->cmsg_type = IP_PKTINFO;
+			cmsg->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo));
+			pktinfo = (struct in_pktinfo*)CMSG_DATA(cmsg);
+			memset(pktinfo, 0, sizeof(struct in_pktinfo));
+			addr = &pktinfo->ipi_spec_dst;
+			sin = (struct sockaddr_in*)src->get_sockaddr(src);
+			memcpy(addr, &sin->sin_addr, sizeof(struct in_addr));
+		}
+		else
+		{
+			char buf[CMSG_SPACE(sizeof(struct in6_pktinfo))];
+			struct in6_pktinfo *pktinfo;
+			struct sockaddr_in6 *sin;
+
+			msg.msg_control = buf;
+			msg.msg_controllen = sizeof(buf);
+			cmsg = CMSG_FIRSTHDR(&msg);
+			cmsg->cmsg_level = SOL_IPV6;
+			cmsg->cmsg_type = IPV6_PKTINFO;
+			cmsg->cmsg_len = CMSG_LEN(sizeof(struct in6_pktinfo));
+			pktinfo = (struct in6_pktinfo*)CMSG_DATA(cmsg);
+			memset(pktinfo, 0, sizeof(struct in6_pktinfo));
+			sin = (struct sockaddr_in6*)src->get_sockaddr(src);
+			memcpy(&pktinfo->ipi6_addr, &sin->sin6_addr, sizeof(struct in6_addr));
+		}
+	}
+
+	len = sendmsg(skt->fd, &msg, 0);
+	if (len != data.len)
+	{
+		DBG1(DBG_NET, "error writing to socket: %s", strerror(errno));
+		return FAILED;
+	}
+	return SUCCESS;
+}
+
+METHOD(socket_dynamic_socket_t, destroy, void,
+	private_socket_dynamic_socket_t *this)
+{
+	enumerator_t *enumerator;
+	dynsock_t *key, *value;
+
+	enumerator = this->sockets->create_enumerator(this->sockets);
+	while (enumerator->enumerate(enumerator, &key, &value))
+	{
+		close(value->fd);
+		free(value);
+	}
+	enumerator->destroy(enumerator);
+	this->sockets->destroy(this->sockets);
+	this->lock->destroy(this->lock);
+
+	close(this->notify[0]);
+	close(this->notify[1]);
+	free(this);
+}
+
+/*
+ * See header for description
+ */
+socket_dynamic_socket_t *socket_dynamic_socket_create()
+{
+	private_socket_dynamic_socket_t *this;
+
+	INIT(this,
+		.public = {
+			.socket = {
+				.send = _sender,
+				.receive = _receiver,
+			},
+			.destroy = _destroy,
+		},
+		.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
+	);
+
+	if (pipe(this->notify) != 0)
+	{
+		DBG1(DBG_NET, "creating notify pipe for dynamic socket failed");
+		free(this);
+		return NULL;
+	}
+
+	this->sockets = hashtable_create((void*)hash, (void*)equals, 8);
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.h b/src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.h
new file mode 100644
index 000000000..72551e545
--- /dev/null
+++ b/src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup socket_dynamic_socket socket_dynamic_socket
+ * @{ @ingroup socket_dynamic
+ */
+
+#ifndef SOCKET_DYNAMIC_SOCKET_H_
+#define SOCKET_DYNAMIC_SOCKET_H_
+
+typedef struct socket_dynamic_socket_t socket_dynamic_socket_t;
+
+#include <network/socket.h>
+
+/**
+ * A socket implementation binding to ports on demand as required.
+ */
+struct socket_dynamic_socket_t {
+
+	/**
+	 * Implements the socket_t interface.
+	 */
+	socket_t socket;
+
+	/**
+	 * Destroy a socket_dynamic_socket_t.
+	 */
+	void (*destroy)(socket_dynamic_socket_t *this);
+};
+
+/**
+ * Create a socket_dynamic_socket instance.
+ */
+socket_dynamic_socket_t *socket_dynamic_socket_create();
+
+#endif /** SOCKET_DYNAMIC_SOCKET_H_ @}*/
diff --git a/src/libcharon/plugins/socket_raw/Makefile.am b/src/libcharon/plugins/socket_raw/Makefile.am
new file mode 100644
index 000000000..2109ae5f3
--- /dev/null
+++ b/src/libcharon/plugins/socket_raw/Makefile.am
@@ -0,0 +1,17 @@
+
+INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra -I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-socket-raw.la
+else
+plugin_LTLIBRARIES = libstrongswan-socket-raw.la
+endif
+
+libstrongswan_socket_raw_la_SOURCES = \
+	socket_raw_plugin.h socket_raw_plugin.c \
+	socket_raw_socket.h socket_raw_socket.c
+
+libstrongswan_socket_raw_la_LDFLAGS = -module -avoid-version
diff --git a/src/libcharon/plugins/socket_raw/Makefile.in b/src/libcharon/plugins/socket_raw/Makefile.in
new file mode 100644
index 000000000..65ad6a7a9
--- /dev/null
+++ b/src/libcharon/plugins/socket_raw/Makefile.in
@@ -0,0 +1,590 @@
+# Makefile.in generated by automake 1.11 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libcharon/plugins/socket_raw
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_socket_raw_la_LIBADD =
+am_libstrongswan_socket_raw_la_OBJECTS = socket_raw_plugin.lo \
+	socket_raw_socket.lo
+libstrongswan_socket_raw_la_OBJECTS =  \
+	$(am_libstrongswan_socket_raw_la_OBJECTS)
+libstrongswan_socket_raw_la_LINK = $(LIBTOOL) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_socket_raw_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_socket_raw_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_socket_raw_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_socket_raw_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_socket_raw_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libhydra_plugins = @libhydra_plugins@
+libstrongswan_plugins = @libstrongswan_plugins@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra -I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-socket-raw.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-socket-raw.la
+libstrongswan_socket_raw_la_SOURCES = \
+	socket_raw_plugin.h socket_raw_plugin.c \
+	socket_raw_socket.h socket_raw_socket.c
+
+libstrongswan_socket_raw_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/socket_raw/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libcharon/plugins/socket_raw/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-socket-raw.la: $(libstrongswan_socket_raw_la_OBJECTS) $(libstrongswan_socket_raw_la_DEPENDENCIES) 
+	$(libstrongswan_socket_raw_la_LINK) $(am_libstrongswan_socket_raw_la_rpath) $(libstrongswan_socket_raw_la_OBJECTS) $(libstrongswan_socket_raw_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/socket_raw_plugin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/socket_raw_socket.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libcharon/plugins/socket_raw/socket_raw_plugin.c b/src/libcharon/plugins/socket_raw/socket_raw_plugin.c
new file mode 100644
index 000000000..5b011abcf
--- /dev/null
+++ b/src/libcharon/plugins/socket_raw/socket_raw_plugin.c
@@ -0,0 +1,69 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "socket_raw_plugin.h"
+
+#include "socket_raw_socket.h"
+
+#include <daemon.h>
+
+typedef struct private_socket_raw_plugin_t private_socket_raw_plugin_t;
+
+/**
+ * Private data of socket plugin
+ */
+struct private_socket_raw_plugin_t {
+
+	/**
+	 * Implements plugin interface
+	 */
+	socket_raw_plugin_t public;
+
+	/**
+	 * Raw socket instance.
+	 */
+	socket_raw_socket_t *socket;
+};
+
+METHOD(plugin_t, destroy, void,
+	private_socket_raw_plugin_t *this)
+{
+	charon->socket->remove_socket(charon->socket, &this->socket->socket);
+	this->socket->destroy(this->socket);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *socket_raw_plugin_create()
+{
+	private_socket_raw_plugin_t *this;
+
+	INIT(this,
+		.public.plugin.destroy = _destroy,
+		.socket = socket_raw_socket_create(),
+	);
+
+	if (!this->socket)
+	{
+		free(this);
+		return NULL;
+	}
+	charon->socket->add_socket(charon->socket, &this->socket->socket);
+
+	return &this->public.plugin;
+}
+
diff --git a/src/libcharon/plugins/socket_raw/socket_raw_plugin.h b/src/libcharon/plugins/socket_raw/socket_raw_plugin.h
new file mode 100644
index 000000000..a692b7594
--- /dev/null
+++ b/src/libcharon/plugins/socket_raw/socket_raw_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup socket_raw socket_raw
+ * @ingroup cplugins
+ *
+ * @defgroup socket_raw_plugin socket_raw_plugin
+ * @{ @ingroup socket_raw
+ */
+
+#ifndef SOCKET_RAW_PLUGIN_H_
+#define SOCKET_RAW_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct socket_raw_plugin_t socket_raw_plugin_t;
+
+/**
+ * RAW socket implementation plugin.
+ */
+struct socket_raw_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+#endif /** SOCKET_RAW_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/socket_raw/socket_raw_socket.c b/src/libcharon/plugins/socket_raw/socket_raw_socket.c
new file mode 100644
index 000000000..e0155fa87
--- /dev/null
+++ b/src/libcharon/plugins/socket_raw/socket_raw_socket.c
@@ -0,0 +1,709 @@
+/*
+ * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger
+ * Copyright (C) 2005-2010 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/* for struct in6_pktinfo */
+#define _GNU_SOURCE
+
+#include "socket_raw_socket.h"
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <string.h>
+#include <errno.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <fcntl.h>
+#include <sys/ioctl.h>
+#include <netinet/in.h>
+#include <netinet/ip.h>
+#include <netinet/ip6.h>
+#include <netinet/udp.h>
+#include <linux/types.h>
+#include <linux/filter.h>
+#include <net/if.h>
+
+#include <daemon.h>
+#include <threading/thread.h>
+
+/* Maximum size of a packet */
+#define MAX_PACKET 5000
+
+/* constants for packet handling */
+#define IP_LEN sizeof(struct iphdr)
+#define IP6_LEN sizeof(struct ip6_hdr)
+#define UDP_LEN sizeof(struct udphdr)
+#define MARKER_LEN sizeof(u_int32_t)
+
+/* offsets for packet handling */
+#define IP_PROTO_OFFSET 9
+#define IP6_PROTO_OFFSET 6
+#define IKE_VERSION_OFFSET 17
+#define IKE_LENGTH_OFFSET 24
+
+/* from linux/udp.h */
+#ifndef UDP_ENCAP
+#define UDP_ENCAP 100
+#endif /*UDP_ENCAP*/
+
+#ifndef UDP_ENCAP_ESPINUDP
+#define UDP_ENCAP_ESPINUDP 2
+#endif /*UDP_ENCAP_ESPINUDP*/
+
+/* needed for older kernel headers */
+#ifndef IPV6_2292PKTINFO
+#define IPV6_2292PKTINFO 2
+#endif /*IPV6_2292PKTINFO*/
+
+typedef struct private_socket_raw_socket_t private_socket_raw_socket_t;
+
+/**
+ * Private data of an socket_t object
+ */
+struct private_socket_raw_socket_t {
+
+	/**
+	 * public functions
+	 */
+	 socket_raw_socket_t public;
+
+	/**
+	 * regular port
+	 */
+	int port;
+
+	/**
+	 * port used for nat-t
+	 */
+	int natt_port;
+
+	/**
+	 * raw receiver socket for IPv4
+	 */
+	int recv4;
+
+	/**
+	 * raw receiver socket for IPv6
+	 */
+	int recv6;
+
+	/**
+	 * send socket on regular port for IPv4
+	 */
+	int send4;
+
+	/**
+	 * send socket on regular port for IPv6
+	 */
+	int send6;
+
+	/**
+	 * send socket on nat-t port for IPv4
+	 */
+	int send4_natt;
+
+	/**
+	 * send socket on nat-t port for IPv6
+	 */
+	int send6_natt;
+};
+
+METHOD(socket_t, receiver, status_t,
+	private_socket_raw_socket_t *this, packet_t **packet)
+{
+	char buffer[MAX_PACKET];
+	chunk_t data;
+	packet_t *pkt;
+	struct udphdr *udp;
+	host_t *source = NULL, *dest = NULL;
+	int bytes_read = 0, data_offset;
+	bool oldstate;
+	fd_set rfds;
+
+	FD_ZERO(&rfds);
+
+	if (this->recv4)
+	{
+		FD_SET(this->recv4, &rfds);
+	}
+	if (this->recv6)
+	{
+		FD_SET(this->recv6, &rfds);
+	}
+
+	DBG2(DBG_NET, "waiting for data on raw sockets");
+
+	oldstate = thread_cancelability(TRUE);
+	if (select(max(this->recv4, this->recv6) + 1, &rfds, NULL, NULL, NULL) <= 0)
+	{
+		thread_cancelability(oldstate);
+		return FAILED;
+	}
+	thread_cancelability(oldstate);
+
+	if (this->recv4 && FD_ISSET(this->recv4, &rfds))
+	{
+		/* IPv4 raw sockets return the IP header. We read src/dest
+		 * information directly from the raw header */
+		struct iphdr *ip;
+		struct sockaddr_in src, dst;
+
+		bytes_read = recv(this->recv4, buffer, MAX_PACKET, 0);
+		if (bytes_read < 0)
+		{
+			DBG1(DBG_NET, "error reading from IPv4 socket: %s", strerror(errno));
+			return FAILED;
+		}
+		DBG3(DBG_NET, "received IPv4 packet %b", buffer, bytes_read);
+
+		/* read source/dest from raw IP/UDP header */
+		if (bytes_read < IP_LEN + UDP_LEN + MARKER_LEN)
+		{
+			DBG1(DBG_NET, "received IPv4 packet too short (%d bytes)",
+				 bytes_read);
+			return FAILED;
+		}
+		ip = (struct iphdr*) buffer;
+		udp = (struct udphdr*) (buffer + IP_LEN);
+		src.sin_family = AF_INET;
+		src.sin_addr.s_addr = ip->saddr;
+		src.sin_port = udp->source;
+		dst.sin_family = AF_INET;
+		dst.sin_addr.s_addr = ip->daddr;
+		dst.sin_port = udp->dest;
+		source = host_create_from_sockaddr((sockaddr_t*)&src);
+		dest = host_create_from_sockaddr((sockaddr_t*)&dst);
+
+		pkt = packet_create();
+		pkt->set_source(pkt, source);
+		pkt->set_destination(pkt, dest);
+		DBG2(DBG_NET, "received packet: from %#H to %#H", source, dest);
+		data_offset = IP_LEN + UDP_LEN;
+		/* remove non esp marker */
+		if (dest->get_port(dest) == IKEV2_NATT_PORT)
+		{
+			data_offset += MARKER_LEN;
+		}
+		/* fill in packet */
+		data.len = bytes_read - data_offset;
+		data.ptr = malloc(data.len);
+		memcpy(data.ptr, buffer + data_offset, data.len);
+		pkt->set_data(pkt, data);
+	}
+	else if (this->recv6 && FD_ISSET(this->recv6, &rfds))
+	{
+		/* IPv6 raw sockets return no IP header. We must query
+		 * src/dest via socket options/ancillary data */
+		struct msghdr msg;
+		struct cmsghdr *cmsgptr;
+		struct sockaddr_in6 src, dst;
+		struct iovec iov;
+		char ancillary[64];
+
+		msg.msg_name = &src;
+		msg.msg_namelen = sizeof(src);
+		iov.iov_base = buffer;
+		iov.iov_len = sizeof(buffer);
+		msg.msg_iov = &iov;
+		msg.msg_iovlen = 1;
+		msg.msg_control = ancillary;
+		msg.msg_controllen = sizeof(ancillary);
+		msg.msg_flags = 0;
+
+		bytes_read = recvmsg(this->recv6, &msg, 0);
+		if (bytes_read < 0)
+		{
+			DBG1(DBG_NET, "error reading from IPv6 socket: %s", strerror(errno));
+			return FAILED;
+		}
+		DBG3(DBG_NET, "received IPv6 packet %b", buffer, bytes_read);
+
+		if (bytes_read < IP_LEN + UDP_LEN + MARKER_LEN)
+		{
+			DBG3(DBG_NET, "received IPv6 packet too short (%d bytes)",
+				 bytes_read);
+			return FAILED;
+		}
+
+		/* read ancillary data to get destination address */
+		for (cmsgptr = CMSG_FIRSTHDR(&msg); cmsgptr != NULL;
+			 cmsgptr = CMSG_NXTHDR(&msg, cmsgptr))
+		{
+			if (cmsgptr->cmsg_len == 0)
+			{
+				DBG1(DBG_NET, "error reading IPv6 ancillary data");
+				return FAILED;
+			}
+			if (cmsgptr->cmsg_level == SOL_IPV6 &&
+				cmsgptr->cmsg_type == IPV6_2292PKTINFO)
+			{
+				struct in6_pktinfo *pktinfo;
+				pktinfo = (struct in6_pktinfo*)CMSG_DATA(cmsgptr);
+
+				memset(&dst, 0, sizeof(dst));
+				memcpy(&dst.sin6_addr, &pktinfo->ipi6_addr, sizeof(dst.sin6_addr));
+				dst.sin6_family = AF_INET6;
+				udp = (struct udphdr*) (buffer);
+				dst.sin6_port = udp->dest;
+				src.sin6_port = udp->source;
+				dest = host_create_from_sockaddr((sockaddr_t*)&dst);
+			}
+		}
+		/* ancillary data missing? */
+		if (dest == NULL)
+		{
+			DBG1(DBG_NET, "error reading IPv6 packet header");
+			return FAILED;
+		}
+
+		source = host_create_from_sockaddr((sockaddr_t*)&src);
+
+		pkt = packet_create();
+		pkt->set_source(pkt, source);
+		pkt->set_destination(pkt, dest);
+		DBG2(DBG_NET, "received packet: from %#H to %#H", source, dest);
+		data_offset = UDP_LEN;
+		/* remove non esp marker */
+		if (dest->get_port(dest) == IKEV2_NATT_PORT)
+		{
+			data_offset += MARKER_LEN;
+		}
+		/* fill in packet */
+		data.len = bytes_read - data_offset;
+		data.ptr = malloc(data.len);
+		memcpy(data.ptr, buffer + data_offset, data.len);
+		pkt->set_data(pkt, data);
+	}
+	else
+	{
+		/* oops, shouldn't happen */
+		return FAILED;
+	}
+
+	/* return packet */
+	*packet = pkt;
+	return SUCCESS;
+}
+
+METHOD(socket_t, sender, status_t,
+	private_socket_raw_socket_t *this, packet_t *packet)
+{
+	int sport, skt, family;
+	ssize_t bytes_sent;
+	chunk_t data, marked;
+	host_t *src, *dst;
+	struct msghdr msg;
+	struct cmsghdr *cmsg;
+	struct iovec iov;
+
+	src = packet->get_source(packet);
+	dst = packet->get_destination(packet);
+	data = packet->get_data(packet);
+
+	DBG2(DBG_NET, "sending packet: from %#H to %#H", src, dst);
+
+	/* send data */
+	sport = src->get_port(src);
+	family = dst->get_family(dst);
+	if (sport == IKEV2_UDP_PORT)
+	{
+		if (family == AF_INET)
+		{
+			skt = this->send4;
+		}
+		else
+		{
+			skt = this->send6;
+		}
+	}
+	else if (sport == IKEV2_NATT_PORT)
+	{
+		if (family == AF_INET)
+		{
+			skt = this->send4_natt;
+		}
+		else
+		{
+			skt = this->send6_natt;
+		}
+		/* NAT keepalives without marker */
+		if (data.len != 1 || data.ptr[0] != 0xFF)
+		{
+			/* add non esp marker to packet */
+			if (data.len > MAX_PACKET - MARKER_LEN)
+			{
+				DBG1(DBG_NET, "unable to send packet: it's too big (%d bytes)",
+					 data.len);
+				return FAILED;
+			}
+			marked = chunk_alloc(data.len + MARKER_LEN);
+			memset(marked.ptr, 0, MARKER_LEN);
+			memcpy(marked.ptr + MARKER_LEN, data.ptr, data.len);
+			/* let the packet do the clean up for us */
+			packet->set_data(packet, marked);
+			data = marked;
+		}
+	}
+	else
+	{
+		DBG1(DBG_NET, "unable to locate a send socket for port %d", sport);
+		return FAILED;
+	}
+
+	memset(&msg, 0, sizeof(struct msghdr));
+	msg.msg_name = dst->get_sockaddr(dst);;
+	msg.msg_namelen = *dst->get_sockaddr_len(dst);
+	iov.iov_base = data.ptr;
+	iov.iov_len = data.len;
+	msg.msg_iov = &iov;
+	msg.msg_iovlen = 1;
+	msg.msg_flags = 0;
+
+	if (!src->is_anyaddr(src))
+	{
+		if (family == AF_INET)
+		{
+			char buf[CMSG_SPACE(sizeof(struct in_pktinfo))];
+			struct in_pktinfo *pktinfo;
+			struct sockaddr_in *sin;
+
+			msg.msg_control = buf;
+			msg.msg_controllen = sizeof(buf);
+			cmsg = CMSG_FIRSTHDR(&msg);
+			cmsg->cmsg_level = SOL_IP;
+			cmsg->cmsg_type = IP_PKTINFO;
+			cmsg->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo));
+			pktinfo = (struct in_pktinfo*)CMSG_DATA(cmsg);
+			memset(pktinfo, 0, sizeof(struct in_pktinfo));
+			sin = (struct sockaddr_in*)src->get_sockaddr(src);
+			memcpy(&pktinfo->ipi_spec_dst, &sin->sin_addr, sizeof(struct in_addr));
+		}
+		else
+		{
+			char buf[CMSG_SPACE(sizeof(struct in6_pktinfo))];
+			struct in6_pktinfo *pktinfo;
+			struct sockaddr_in6 *sin;
+
+			msg.msg_control = buf;
+			msg.msg_controllen = sizeof(buf);
+			cmsg = CMSG_FIRSTHDR(&msg);
+			cmsg->cmsg_level = SOL_IPV6;
+			cmsg->cmsg_type = IPV6_2292PKTINFO;
+			cmsg->cmsg_len = CMSG_LEN(sizeof(struct in6_pktinfo));
+			pktinfo = (struct in6_pktinfo*)CMSG_DATA(cmsg);
+			memset(pktinfo, 0, sizeof(struct in6_pktinfo));
+			sin = (struct sockaddr_in6*)src->get_sockaddr(src);
+			memcpy(&pktinfo->ipi6_addr, &sin->sin6_addr, sizeof(struct in6_addr));
+		}
+	}
+
+	bytes_sent = sendmsg(skt, &msg, 0);
+
+	if (bytes_sent != data.len)
+	{
+		DBG1(DBG_NET, "error writing to socket: %s", strerror(errno));
+		return FAILED;
+	}
+	return SUCCESS;
+}
+
+/**
+ * open a socket to send packets
+ */
+static int open_send_socket(private_socket_raw_socket_t *this,
+							int family, u_int16_t port)
+{
+	int on = TRUE;
+	int type = UDP_ENCAP_ESPINUDP;
+	struct sockaddr_storage addr;
+	u_int sol;
+	int skt;
+
+	memset(&addr, 0, sizeof(addr));
+	/* precalculate constants depending on address family */
+	switch (family)
+	{
+		case AF_INET:
+		{
+			struct sockaddr_in *sin = (struct sockaddr_in *)&addr;
+			sin->sin_family = AF_INET;
+			sin->sin_addr.s_addr = INADDR_ANY;
+			sin->sin_port = htons(port);
+			sol = SOL_IP;
+			break;
+		}
+		case AF_INET6:
+		{
+			struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)&addr;
+			sin6->sin6_family = AF_INET6;
+			memcpy(&sin6->sin6_addr, &in6addr_any, sizeof(in6addr_any));
+			sin6->sin6_port = htons(port);
+			sol = SOL_IPV6;
+			break;
+		}
+		default:
+			return 0;
+	}
+
+	skt = socket(family, SOCK_DGRAM, IPPROTO_UDP);
+	if (skt < 0)
+	{
+		DBG1(DBG_NET, "could not open send socket: %s", strerror(errno));
+		return 0;
+	}
+
+	if (setsockopt(skt, SOL_SOCKET, SO_REUSEADDR, (void*)&on, sizeof(on)) < 0)
+	{
+		DBG1(DBG_NET, "unable to set SO_REUSEADDR on send socket: %s",
+			 strerror(errno));
+		close(skt);
+		return 0;
+	}
+
+	/* bind the send socket */
+	if (bind(skt, (struct sockaddr *)&addr, sizeof(addr)) < 0)
+	{
+		DBG1(DBG_NET, "unable to bind send socket: %s",
+			 strerror(errno));
+		close(skt);
+		return 0;
+	}
+
+	if (family == AF_INET)
+	{
+		/* enable UDP decapsulation globally, only for one socket needed */
+		if (setsockopt(skt, SOL_UDP, UDP_ENCAP, &type, sizeof(type)) < 0)
+		{
+			DBG1(DBG_NET, "unable to set UDP_ENCAP: %s; NAT-T may fail",
+				 strerror(errno));
+		}
+	}
+
+	if (!charon->kernel_interface->bypass_socket(charon->kernel_interface,
+												 skt, family))
+	{
+		DBG1(DBG_NET, "installing bypass policy on send socket failed");
+	}
+
+	return skt;
+}
+
+/**
+ * open a socket to receive packets
+ */
+static int open_recv_socket(private_socket_raw_socket_t *this, int family)
+{
+	int skt;
+	int on = TRUE;
+	u_int proto_offset, ip_len, sol, udp_header, ike_header;
+
+	/* precalculate constants depending on address family */
+	switch (family)
+	{
+		case AF_INET:
+			proto_offset = IP_PROTO_OFFSET;
+			ip_len = IP_LEN;
+			sol = SOL_IP;
+			break;
+		case AF_INET6:
+			proto_offset = IP6_PROTO_OFFSET;
+			ip_len = 0; /* IPv6 raw sockets contain no IP header */
+			sol = SOL_IPV6;
+			break;
+		default:
+			return 0;
+	}
+	udp_header = ip_len;
+	ike_header = ip_len + UDP_LEN;
+
+	/* This filter code filters out all non-IKEv2 traffic on
+	 * a SOCK_RAW IP_PROTP_UDP socket. Handling of other
+	 * IKE versions is done in pluto.
+	 */
+	struct sock_filter ikev2_filter_code[] =
+	{
+		/* Destination Port must be either port or natt_port */
+		BPF_STMT(BPF_LD+BPF_H+BPF_ABS, udp_header + 2),
+		BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, IKEV2_UDP_PORT, 1, 0),
+		BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, IKEV2_NATT_PORT, 5, 12),
+		/* port */
+			/* IKE version must be 2.0 */
+			BPF_STMT(BPF_LD+BPF_B+BPF_ABS, ike_header + IKE_VERSION_OFFSET),
+			BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0x20, 0, 10),
+			/* packet length is length in IKEv2 header + ip header + udp header */
+			BPF_STMT(BPF_LD+BPF_W+BPF_ABS, ike_header + IKE_LENGTH_OFFSET),
+			BPF_STMT(BPF_ALU+BPF_ADD+BPF_K, ip_len + UDP_LEN),
+			BPF_STMT(BPF_RET+BPF_A, 0),
+		/* natt_port */
+			/* nat-t: check for marker */
+			BPF_STMT(BPF_LD+BPF_W+BPF_ABS, ike_header),
+			BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0, 0, 5),
+			/* nat-t: IKE version must be 2.0 */
+			BPF_STMT(BPF_LD+BPF_B+BPF_ABS, ike_header + MARKER_LEN + IKE_VERSION_OFFSET),
+			BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0x20, 0, 3),
+			/* nat-t: packet length is length in IKEv2 header + ip header + udp header + non esp marker */
+			BPF_STMT(BPF_LD+BPF_W+BPF_ABS, ike_header + MARKER_LEN + IKE_LENGTH_OFFSET),
+			BPF_STMT(BPF_ALU+BPF_ADD+BPF_K, ip_len + UDP_LEN + MARKER_LEN),
+			BPF_STMT(BPF_RET+BPF_A, 0),
+		/* packet doesn't match, ignore */
+		BPF_STMT(BPF_RET+BPF_K, 0),
+	};
+
+	/* Filter struct to use with setsockopt */
+	struct sock_fprog ikev2_filter = {
+		sizeof(ikev2_filter_code) / sizeof(struct sock_filter),
+		ikev2_filter_code
+	};
+
+	/* set up a raw socket */
+	skt = socket(family, SOCK_RAW, IPPROTO_UDP);
+	if (skt < 0)
+	{
+		DBG1(DBG_NET, "unable to create raw socket: %s", strerror(errno));
+		return 0;
+	}
+
+	if (setsockopt(skt, SOL_SOCKET, SO_ATTACH_FILTER,
+				   &ikev2_filter, sizeof(ikev2_filter)) < 0)
+	{
+		DBG1(DBG_NET, "unable to attach IKEv2 filter to raw socket: %s",
+			 strerror(errno));
+		close(skt);
+		return 0;
+	}
+
+	if (family == AF_INET6 &&
+		/* we use IPV6_2292PKTINFO, as IPV6_PKTINFO is defined as
+		 * 2 or 50 depending on kernel header version */
+		setsockopt(skt, sol, IPV6_2292PKTINFO, &on, sizeof(on)) < 0)
+	{
+		DBG1(DBG_NET, "unable to set IPV6_PKTINFO on raw socket: %s",
+			 strerror(errno));
+		close(skt);
+		return 0;
+	}
+
+	if (!charon->kernel_interface->bypass_socket(charon->kernel_interface,
+												 skt, family))
+	{
+		DBG1(DBG_NET, "installing bypass policy on receive socket failed");
+	}
+
+	return skt;
+}
+
+METHOD(socket_raw_socket_t, destroy, void,
+	private_socket_raw_socket_t *this)
+{
+	if (this->recv4)
+	{
+		close(this->recv4);
+	}
+	if (this->recv6)
+	{
+		close(this->recv6);
+	}
+	if (this->send4)
+	{
+		close(this->send4);
+	}
+	if (this->send6)
+	{
+		close(this->send6);
+	}
+	if (this->send4_natt)
+	{
+		close(this->send4_natt);
+	}
+	if (this->send6_natt)
+	{
+		close(this->send6_natt);
+	}
+	free(this);
+}
+
+/*
+ * See header for description
+ */
+socket_raw_socket_t *socket_raw_socket_create()
+{
+	private_socket_raw_socket_t *this;
+
+	INIT(this,
+		.public = {
+			.socket = {
+				.send = _sender,
+				.receive = _receiver,
+			},
+			.destroy = _destroy,
+		},
+	);
+
+	this->recv4 = open_recv_socket(this, AF_INET);
+	if (this->recv4 == 0)
+	{
+		DBG1(DBG_NET, "could not open IPv4 receive socket, IPv4 disabled");
+	}
+	else
+	{
+		this->send4 = open_send_socket(this, AF_INET, IKEV2_UDP_PORT);
+		if (this->send4 == 0)
+		{
+			DBG1(DBG_NET, "could not open IPv4 send socket, IPv4 disabled");
+			close(this->recv4);
+		}
+		else
+		{
+			this->send4_natt = open_send_socket(this, AF_INET, IKEV2_NATT_PORT);
+			if (this->send4_natt == 0)
+			{
+				DBG1(DBG_NET, "could not open IPv4 NAT-T send socket");
+			}
+		}
+	}
+
+	this->recv6 = open_recv_socket(this, AF_INET6);
+	if (this->recv6 == 0)
+	{
+		DBG1(DBG_NET, "could not open IPv6 receive socket, IPv6 disabled");
+	}
+	else
+	{
+		this->send6 = open_send_socket(this, AF_INET6, IKEV2_UDP_PORT);
+		if (this->send6 == 0)
+		{
+			DBG1(DBG_NET, "could not open IPv6 send socket, IPv6 disabled");
+			close(this->recv6);
+		}
+		else
+		{
+			this->send6_natt = open_send_socket(this, AF_INET6, IKEV2_NATT_PORT);
+			if (this->send6_natt == 0)
+			{
+				DBG1(DBG_NET, "could not open IPv6 NAT-T send socket");
+			}
+		}
+	}
+
+	if (!(this->send4 || this->send6) || !(this->recv4 || this->recv6))
+	{
+		DBG1(DBG_NET, "could not create any sockets");
+		destroy(this);
+		return NULL;
+	}
+
+	return &this->public;
+}
diff --git a/src/libcharon/plugins/socket_raw/socket_raw_socket.h b/src/libcharon/plugins/socket_raw/socket_raw_socket.h
new file mode 100644
index 000000000..94cf666e8
--- /dev/null
+++ b/src/libcharon/plugins/socket_raw/socket_raw_socket.h
@@ -0,0 +1,55 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup socket_raw_socket socket_raw_socket
+ * @{ @ingroup socket_raw
+ */
+
+#ifndef SOCKET_RAW_SOCKET_H_
+#define SOCKET_RAW_SOCKET_H_
+
+typedef struct socket_raw_socket_t socket_raw_socket_t;
+
+#include <network/socket.h>
+
+/**
+ * Raw socket, binds to port 500/4500 using any IPv4/IPv6 address.
+ *
+ * This imeplementation uses raw sockets to allow binding of other daemons
+ * (pluto) to UDP/500/4500. An installed "Linux socket filter" filters out
+ * all non-IKEv2 traffic and handles just IKEv2 messages. An other daemon
+ * must handle all traffic separately, e.g. ignore IKEv2 traffic, since charon
+ * handles that.
+ */
+struct socket_raw_socket_t {
+
+	/**
+	 * Implements the socket_t interface.
+	 */
+	socket_t socket;
+
+	/**
+	 * Destroy a socket_raw_socket_t.
+	 */
+	void (*destroy)(socket_raw_socket_t *this);
+};
+
+/**
+ * Create a socket_raw_socket instance.
+ */
+socket_raw_socket_t *socket_raw_socket_create();
+
+#endif /** SOCKET_RAW_SOCKET_H_ @}*/
diff --git a/src/libcharon/plugins/sql/Makefile.am b/src/libcharon/plugins/sql/Makefile.am
new file mode 100644
index 000000000..68b7e8cb2
--- /dev/null
+++ b/src/libcharon/plugins/sql/Makefile.am
@@ -0,0 +1,18 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic \
+  -DPLUGINS=\""${libstrongswan_plugins}\""
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-sql.la
+else
+plugin_LTLIBRARIES = libstrongswan-sql.la
+endif
+
+libstrongswan_sql_la_SOURCES = \
+	sql_plugin.h sql_plugin.c sql_config.h sql_config.c \
+	sql_cred.h sql_cred.c sql_logger.h sql_logger.c
+
+libstrongswan_sql_la_LDFLAGS = -module -avoid-version
diff --git a/src/libcharon/plugins/sql/Makefile.in b/src/libcharon/plugins/sql/Makefile.in
new file mode 100644
index 000000000..5803dc898
--- /dev/null
+++ b/src/libcharon/plugins/sql/Makefile.in
@@ -0,0 +1,591 @@
+# Makefile.in generated by automake 1.11 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libcharon/plugins/sql
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_sql_la_LIBADD =
+am_libstrongswan_sql_la_OBJECTS = sql_plugin.lo sql_config.lo \
+	sql_cred.lo sql_logger.lo
+libstrongswan_sql_la_OBJECTS = $(am_libstrongswan_sql_la_OBJECTS)
+libstrongswan_sql_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_sql_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_sql_la_rpath = -rpath $(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_sql_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_sql_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_sql_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libhydra_plugins = @libhydra_plugins@
+libstrongswan_plugins = @libstrongswan_plugins@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic \
+  -DPLUGINS=\""${libstrongswan_plugins}\""
+
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-sql.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-sql.la
+libstrongswan_sql_la_SOURCES = \
+	sql_plugin.h sql_plugin.c sql_config.h sql_config.c \
+	sql_cred.h sql_cred.c sql_logger.h sql_logger.c
+
+libstrongswan_sql_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/sql/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libcharon/plugins/sql/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-sql.la: $(libstrongswan_sql_la_OBJECTS) $(libstrongswan_sql_la_DEPENDENCIES) 
+	$(libstrongswan_sql_la_LINK) $(am_libstrongswan_sql_la_rpath) $(libstrongswan_sql_la_OBJECTS) $(libstrongswan_sql_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sql_config.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sql_cred.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sql_logger.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sql_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libcharon/plugins/sql/sql_config.c b/src/libcharon/plugins/sql/sql_config.c
new file mode 100644
index 000000000..23366898a
--- /dev/null
+++ b/src/libcharon/plugins/sql/sql_config.c
@@ -0,0 +1,535 @@
+/*
+ * Copyright (C) 2006-2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <string.h>
+
+#include "sql_config.h"
+
+#include <daemon.h>
+
+typedef struct private_sql_config_t private_sql_config_t;
+
+/**
+ * Private data of an sql_config_t object
+ */
+struct private_sql_config_t {
+
+	/**
+	 * Public part
+	 */
+	sql_config_t public;
+
+	/**
+	 * database connection
+	 */
+	database_t *db;
+};
+
+/**
+ * forward declaration
+ */
+static peer_cfg_t *build_peer_cfg(private_sql_config_t *this, enumerator_t *e,
+								  identification_t *me, identification_t *other);
+
+/**
+ * build a traffic selector from a SQL query
+ */
+static traffic_selector_t *build_traffic_selector(private_sql_config_t *this,
+												  enumerator_t *e, bool *local)
+{
+	int type, protocol, start_port, end_port;
+	chunk_t start_addr, end_addr;
+	traffic_selector_t *ts;
+	enum {
+		TS_LOCAL = 0,
+		TS_REMOTE = 1,
+		TS_LOCAL_DYNAMIC = 2,
+		TS_REMOTE_DYNAMIC = 3,
+	} kind;
+
+	while (e->enumerate(e, &kind, &type, &protocol,
+						&start_addr, &end_addr, &start_port, &end_port))
+	{
+		*local = FALSE;
+		switch (kind)
+		{
+			case TS_LOCAL:
+				*local = TRUE;
+				/* FALL */
+			case TS_REMOTE:
+				ts = traffic_selector_create_from_bytes(protocol, type,
+								start_addr, start_port,	end_addr, end_port);
+				break;
+			case TS_LOCAL_DYNAMIC:
+				*local = TRUE;
+				/* FALL */
+			case TS_REMOTE_DYNAMIC:
+				ts = traffic_selector_create_dynamic(protocol,
+								start_port, end_port);
+				break;
+			default:
+				continue;
+		}
+		if (ts)
+		{
+			return ts;
+		}
+	}
+	return NULL;
+}
+
+/**
+ * Add traffic selectors to a child config
+ */
+static void add_traffic_selectors(private_sql_config_t *this,
+								  child_cfg_t *child, int id)
+{
+	enumerator_t *e;
+	traffic_selector_t *ts;
+	bool local;
+
+	e = this->db->query(this->db,
+			"SELECT kind, type, protocol, "
+			"start_addr, end_addr, start_port, end_port "
+			"FROM traffic_selectors JOIN child_config_traffic_selector "
+			"ON id = traffic_selector WHERE child_cfg = ?",
+			DB_INT, id,
+			DB_INT, DB_INT, DB_INT,
+			DB_BLOB, DB_BLOB, DB_INT, DB_INT);
+	if (e)
+	{
+		while ((ts = build_traffic_selector(this, e, &local)))
+		{
+			child->add_traffic_selector(child, local, ts);
+		}
+		e->destroy(e);
+	}
+}
+
+/**
+ * build a Child configuration from a SQL query
+ */
+static child_cfg_t *build_child_cfg(private_sql_config_t *this, enumerator_t *e)
+{
+	int id, lifetime, rekeytime, jitter, hostaccess, mode, dpd, close, ipcomp;
+	char *name, *updown;
+	child_cfg_t *child_cfg;
+
+	if (e->enumerate(e, &id, &name, &lifetime, &rekeytime, &jitter,
+						&updown, &hostaccess, &mode, &dpd, &close, &ipcomp))
+	{
+		lifetime_cfg_t lft = {
+			.time = { .life = lifetime, .rekey = rekeytime, .jitter = jitter }
+		};
+		child_cfg = child_cfg_create(name, &lft, updown, hostaccess, mode,
+									 dpd, close, ipcomp, 0);
+		/* TODO: read proposal from db */
+		child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
+		add_traffic_selectors(this, child_cfg, id);
+		return child_cfg;
+	}
+	return NULL;
+}
+
+/**
+ * Add child configs to peer config
+ */
+static void add_child_cfgs(private_sql_config_t *this, peer_cfg_t *peer, int id)
+{
+	enumerator_t *e;
+	child_cfg_t *child_cfg;
+
+	e = this->db->query(this->db,
+			"SELECT id, name, lifetime, rekeytime, jitter, "
+			"updown, hostaccess, mode, dpd_action, close_action, ipcomp "
+			"FROM child_configs JOIN peer_config_child_config ON id = child_cfg "
+			"WHERE peer_cfg = ?",
+			DB_INT, id,
+			DB_INT, DB_TEXT, DB_INT, DB_INT, DB_INT,
+			DB_TEXT, DB_INT, DB_INT, DB_INT, DB_INT, DB_INT);
+	if (e)
+	{
+		while ((child_cfg = build_child_cfg(this, e)))
+		{
+			peer->add_child_cfg(peer, child_cfg);
+		}
+		e->destroy(e);
+	}
+}
+
+/**
+ * build a ike configuration from a SQL query
+ */
+static ike_cfg_t *build_ike_cfg(private_sql_config_t *this, enumerator_t *e,
+								host_t *my_host, host_t *other_host)
+{
+	int certreq, force_encap;
+	char *local, *remote;
+
+	while (e->enumerate(e, &certreq, &force_encap, &local, &remote))
+	{
+		ike_cfg_t *ike_cfg;
+
+		ike_cfg = ike_cfg_create(certreq, force_encap,
+								 local, IKEV2_UDP_PORT, remote, IKEV2_UDP_PORT);
+		/* TODO: read proposal from db */
+		ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
+		return ike_cfg;
+	}
+	return NULL;
+}
+
+/**
+ * Query a IKE config by its id
+ */
+static ike_cfg_t* get_ike_cfg_by_id(private_sql_config_t *this, int id)
+{
+	enumerator_t *e;
+	ike_cfg_t *ike_cfg = NULL;
+
+	e = this->db->query(this->db,
+			"SELECT certreq, force_encap, local, remote "
+			"FROM ike_configs WHERE id = ?",
+			DB_INT, id,
+			DB_INT, DB_INT, DB_TEXT, DB_TEXT);
+	if (e)
+	{
+		ike_cfg = build_ike_cfg(this, e, NULL, NULL);
+		e->destroy(e);
+	}
+	return ike_cfg;
+}
+
+/**
+ * Query a peer config by its id
+ */
+static peer_cfg_t *get_peer_cfg_by_id(private_sql_config_t *this, int id)
+{
+	enumerator_t *e;
+	peer_cfg_t *peer_cfg = NULL;
+
+	e = this->db->query(this->db,
+			"SELECT c.id, name, ike_cfg, l.type, l.data, r.type, r.data, "
+			"cert_policy, uniqueid, auth_method, eap_type, eap_vendor, "
+			"keyingtries, rekeytime, reauthtime, jitter, overtime, mobike, "
+			"dpd_delay, virtual, pool, "
+			"mediation, mediated_by, COALESCE(p.type, 0), p.data "
+			"FROM peer_configs AS c "
+			"JOIN identities AS l ON local_id = l.id "
+			"JOIN identities AS r ON remote_id = r.id "
+			"LEFT JOIN identities AS p ON peer_id = p.id "
+			"WHERE id = ?",
+			DB_INT, id,
+			DB_INT, DB_TEXT, DB_INT, DB_INT, DB_BLOB, DB_INT, DB_BLOB,
+			DB_INT, DB_INT, DB_INT, DB_INT, DB_INT,
+			DB_INT, DB_INT, DB_INT, DB_INT, DB_INT, DB_INT,
+			DB_INT, DB_TEXT, DB_TEXT,
+			DB_INT, DB_INT, DB_INT, DB_BLOB);
+	if (e)
+	{
+		peer_cfg = build_peer_cfg(this, e, NULL, NULL);
+		e->destroy(e);
+	}
+	return peer_cfg;
+}
+
+/**
+ * build a peer configuration from a SQL query
+ */
+static peer_cfg_t *build_peer_cfg(private_sql_config_t *this, enumerator_t *e,
+								  identification_t *me, identification_t *other)
+{
+	int id, ike_cfg, l_type, r_type,
+		cert_policy, uniqueid, auth_method, eap_type, eap_vendor, keyingtries,
+		rekeytime, reauthtime, jitter, overtime, mobike, dpd_delay,
+		mediation, mediated_by, p_type;
+	chunk_t l_data, r_data, p_data;
+	char *name, *virtual, *pool;
+
+	while (e->enumerate(e,
+			&id, &name, &ike_cfg, &l_type, &l_data, &r_type, &r_data,
+			&cert_policy, &uniqueid, &auth_method, &eap_type, &eap_vendor,
+			&keyingtries, &rekeytime, &reauthtime, &jitter, &overtime, &mobike,
+			&dpd_delay,	&virtual, &pool,
+			&mediation, &mediated_by, &p_type, &p_data))
+	{
+		identification_t *local_id, *remote_id, *peer_id = NULL;
+		peer_cfg_t *peer_cfg, *mediated_cfg;
+		ike_cfg_t *ike;
+		host_t *vip = NULL;
+		auth_cfg_t *auth;
+
+		local_id = identification_create_from_encoding(l_type, l_data);
+		remote_id = identification_create_from_encoding(r_type, r_data);
+		if ((me && !me->matches(me, local_id)) ||
+			(other && !other->matches(other, remote_id)))
+		{
+			local_id->destroy(local_id);
+			remote_id->destroy(remote_id);
+			continue;
+		}
+		ike = get_ike_cfg_by_id(this, ike_cfg);
+		mediated_cfg = mediated_by ? get_peer_cfg_by_id(this, mediated_by) : NULL;
+		if (p_type)
+		{
+			peer_id = identification_create_from_encoding(p_type, p_data);
+		}
+		if (virtual)
+		{
+			vip = host_create_from_string(virtual, 0);
+		}
+		if (ike)
+		{
+			peer_cfg = peer_cfg_create(
+					name, 2, ike, cert_policy, uniqueid,
+					keyingtries, rekeytime, reauthtime, jitter, overtime,
+					mobike,	dpd_delay, vip, pool,
+					mediation, mediated_cfg, peer_id);
+			auth = auth_cfg_create();
+			auth->add(auth, AUTH_RULE_AUTH_CLASS, auth_method);
+			auth->add(auth, AUTH_RULE_IDENTITY, local_id);
+			peer_cfg->add_auth_cfg(peer_cfg, auth, TRUE);
+			auth = auth_cfg_create();
+			auth->add(auth, AUTH_RULE_IDENTITY, remote_id);
+			if (eap_type)
+			{
+				auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_EAP);
+				auth->add(auth, AUTH_RULE_EAP_TYPE, eap_type);
+				if (eap_vendor)
+				{
+					auth->add(auth, AUTH_RULE_EAP_VENDOR, eap_vendor);
+				}
+			}
+			peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);
+			add_child_cfgs(this, peer_cfg, id);
+			return peer_cfg;
+		}
+		DESTROY_IF(ike);
+		DESTROY_IF(mediated_cfg);
+		DESTROY_IF(peer_id);
+		DESTROY_IF(local_id);
+		DESTROY_IF(remote_id);
+	}
+	return NULL;
+}
+
+/**
+ * implements backend_t.get_peer_cfg_by_name.
+ */
+static peer_cfg_t *get_peer_cfg_by_name(private_sql_config_t *this, char *name)
+{
+	enumerator_t *e;
+	peer_cfg_t *peer_cfg = NULL;
+
+	e = this->db->query(this->db,
+			"SELECT c.id, name, ike_cfg, l.type, l.data, r.type, r.data, "
+			"cert_policy, uniqueid, auth_method, eap_type, eap_vendor, "
+			"keyingtries, rekeytime, reauthtime, jitter, overtime, mobike, "
+			"dpd_delay, virtual, pool, "
+			"mediation, mediated_by, COALESCE(p.type, 0), p.data "
+			"FROM peer_configs AS c "
+			"JOIN identities AS l ON local_id = l.id "
+			"JOIN identities AS r ON remote_id = r.id "
+			"LEFT JOIN identities AS p ON peer_id = p.id "
+			"WHERE ike_version = ? AND name = ?",
+			DB_INT, 2, DB_TEXT, name,
+			DB_INT, DB_TEXT, DB_INT, DB_INT, DB_BLOB, DB_INT, DB_BLOB,
+			DB_INT, DB_INT, DB_INT, DB_INT, DB_INT,
+			DB_INT, DB_INT, DB_INT, DB_INT, DB_INT, DB_INT,
+			DB_INT, DB_TEXT, DB_TEXT,
+			DB_INT, DB_INT,	DB_INT, DB_BLOB);
+	if (e)
+	{
+		peer_cfg = build_peer_cfg(this, e, NULL, NULL);
+		e->destroy(e);
+	}
+	return peer_cfg;
+}
+
+typedef struct {
+	/** implements enumerator */
+	enumerator_t public;
+	/** reference to context */
+	private_sql_config_t *this;
+	/** filtering own host */
+	host_t *me;
+	/** filtering remote host */
+	host_t *other;
+	/** inner SQL enumerator */
+	enumerator_t *inner;
+	/** currently enumerated peer config */
+	ike_cfg_t *current;
+} ike_enumerator_t;
+
+/**
+ * Implementation of ike_enumerator_t.public.enumerate
+ */
+static bool ike_enumerator_enumerate(ike_enumerator_t *this, ike_cfg_t **cfg)
+{
+	DESTROY_IF(this->current);
+	this->current = build_ike_cfg(this->this, this->inner, this->me, this->other);
+	if (this->current)
+	{
+		*cfg = this->current;
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/**
+ * Implementation of ike_enumerator_t.public.destroy
+ */
+static void ike_enumerator_destroy(ike_enumerator_t *this)
+{
+	DESTROY_IF(this->current);
+	this->inner->destroy(this->inner);
+	free(this);
+}
+
+/**
+ * Implementation of backend_t.create_ike_cfg_enumerator.
+ */
+static enumerator_t* create_ike_cfg_enumerator(private_sql_config_t *this,
+											   host_t *me, host_t *other)
+{
+	ike_enumerator_t *e = malloc_thing(ike_enumerator_t);
+
+	e->this = this;
+	e->me = me;
+	e->other = other;
+	e->current = NULL;
+	e->public.enumerate = (void*)ike_enumerator_enumerate;
+	e->public.destroy = (void*)ike_enumerator_destroy;
+
+	e->inner = this->db->query(this->db,
+			"SELECT certreq, force_encap, local, remote "
+			"FROM ike_configs",
+			DB_INT, DB_INT, DB_TEXT, DB_TEXT);
+	if (!e->inner)
+	{
+		free(e);
+		return NULL;
+	}
+	return &e->public;
+}
+
+
+typedef struct {
+	/** implements enumerator */
+	enumerator_t public;
+	/** reference to context */
+	private_sql_config_t *this;
+	/** filtering own identity */
+	identification_t *me;
+	/** filtering remote identity */
+	identification_t *other;
+	/** inner SQL enumerator */
+	enumerator_t *inner;
+	/** currently enumerated peer config */
+	peer_cfg_t *current;
+} peer_enumerator_t;
+
+/**
+ * Implementation of peer_enumerator_t.public.enumerate
+ */
+static bool peer_enumerator_enumerate(peer_enumerator_t *this, peer_cfg_t **cfg)
+{
+	DESTROY_IF(this->current);
+	this->current = build_peer_cfg(this->this, this->inner, this->me, this->other);
+	if (this->current)
+	{
+		*cfg = this->current;
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/**
+ * Implementation of peer_enumerator_t.public.destroy
+ */
+static void peer_enumerator_destroy(peer_enumerator_t *this)
+{
+	DESTROY_IF(this->current);
+	this->inner->destroy(this->inner);
+	free(this);
+}
+
+/**
+ * Implementation of backend_t.create_peer_cfg_enumerator.
+ */
+static enumerator_t* create_peer_cfg_enumerator(private_sql_config_t *this,
+												identification_t *me,
+												identification_t *other)
+{
+	peer_enumerator_t *e = malloc_thing(peer_enumerator_t);
+
+	e->this = this;
+	e->me = me;
+	e->other = other;
+	e->current = NULL;
+	e->public.enumerate = (void*)peer_enumerator_enumerate;
+	e->public.destroy = (void*)peer_enumerator_destroy;
+
+	/* TODO: only get configs whose IDs match exactly or contain wildcards */
+	e->inner = this->db->query(this->db,
+			"SELECT c.id, name, ike_cfg, l.type, l.data, r.type, r.data, "
+			"cert_policy, uniqueid, auth_method, eap_type, eap_vendor, "
+			"keyingtries, rekeytime, reauthtime, jitter, overtime, mobike, "
+			"dpd_delay, virtual, pool, "
+			"mediation, mediated_by, COALESCE(p.type, 0), p.data "
+			"FROM peer_configs AS c "
+			"JOIN identities AS l ON local_id = l.id "
+			"JOIN identities AS r ON remote_id = r.id "
+			"LEFT JOIN identities AS p ON peer_id = p.id "
+			"WHERE ike_version = ?",
+			DB_INT, 2,
+			DB_INT, DB_TEXT, DB_INT, DB_INT, DB_BLOB, DB_INT, DB_BLOB,
+			DB_INT, DB_INT, DB_INT, DB_INT, DB_INT,
+			DB_INT, DB_INT, DB_INT, DB_INT, DB_INT, DB_INT,
+			DB_INT,	DB_TEXT, DB_TEXT,
+			DB_INT, DB_INT, DB_INT, DB_BLOB);
+	if (!e->inner)
+	{
+		free(e);
+		return NULL;
+	}
+	return &e->public;
+}
+
+/**
+ * Implementation of sql_config_t.destroy.
+ */
+static void destroy(private_sql_config_t *this)
+{
+	free(this);
+}
+
+/**
+ * Described in header.
+ */
+sql_config_t *sql_config_create(database_t *db)
+{
+	private_sql_config_t *this = malloc_thing(private_sql_config_t);
+
+	this->public.backend.create_peer_cfg_enumerator = (enumerator_t*(*)(backend_t*, identification_t *me, identification_t *other))create_peer_cfg_enumerator;
+	this->public.backend.create_ike_cfg_enumerator = (enumerator_t*(*)(backend_t*, host_t *me, host_t *other))create_ike_cfg_enumerator;
+	this->public.backend.get_peer_cfg_by_name = (peer_cfg_t* (*)(backend_t*,char*))get_peer_cfg_by_name;
+	this->public.destroy = (void(*)(sql_config_t*))destroy;
+
+	this->db = db;
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/plugins/sql/sql_config.h b/src/libcharon/plugins/sql/sql_config.h
new file mode 100644
index 000000000..700d00a97
--- /dev/null
+++ b/src/libcharon/plugins/sql/sql_config.h
@@ -0,0 +1,53 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup sql_config_i sql_config
+ * @{ @ingroup sql
+ */
+
+#ifndef SQL_CONFIG_H_
+#define SQL_CONFIG_H_
+
+#include <config/backend.h>
+#include <database/database.h>
+
+typedef struct sql_config_t sql_config_t;
+
+/**
+ * SQL database configuration backend.
+ */
+struct sql_config_t {
+
+	/**
+	 * Implements backend_t interface
+	 */
+	backend_t backend;
+
+	/**
+	 * Destry the backend.
+	 */
+	void (*destroy)(sql_config_t *this);
+};
+
+/**
+ * Create a sql_config backend instance.
+ *
+ * @param db		underlying database
+ * @return			backend instance
+ */
+sql_config_t *sql_config_create(database_t *db);
+
+#endif /** SQL_CONFIG_H_ @}*/
diff --git a/src/libcharon/plugins/sql/sql_cred.c b/src/libcharon/plugins/sql/sql_cred.c
new file mode 100644
index 000000000..12f4ab045
--- /dev/null
+++ b/src/libcharon/plugins/sql/sql_cred.c
@@ -0,0 +1,365 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <string.h>
+
+#include "sql_cred.h"
+
+#include <daemon.h>
+
+typedef struct private_sql_cred_t private_sql_cred_t;
+
+/**
+ * Private data of an sql_cred_t object
+ */
+struct private_sql_cred_t {
+
+	/**
+	 * Public part
+	 */
+	sql_cred_t public;
+
+	/**
+	 * database connection
+	 */
+	database_t *db;
+};
+
+/**
+ * enumerator over private keys
+ */
+typedef struct {
+	/** implements enumerator */
+	enumerator_t public;
+	/** inner SQL enumerator */
+	enumerator_t *inner;
+	/** currently enumerated private key */
+	private_key_t *current;
+} private_enumerator_t;
+
+/**
+ * Implementation of private_enumerator_t.public.enumerate
+ */
+static bool private_enumerator_enumerate(private_enumerator_t *this,
+										 private_key_t **key)
+{
+	chunk_t blob;
+	int type;
+
+	DESTROY_IF(this->current);
+	while (this->inner->enumerate(this->inner, &type, &blob))
+	{
+		this->current = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type,
+										   BUILD_BLOB_ASN1_DER, blob,
+										   BUILD_END);
+		if (this->current)
+		{
+			*key = this->current;
+			return TRUE;
+		}
+	}
+	this->current = NULL;
+	return FALSE;
+}
+
+/**
+ * Implementation of private_enumerator_t.public.destroy
+ */
+static void private_enumerator_destroy(private_enumerator_t *this)
+{
+	DESTROY_IF(this->current);
+	this->inner->destroy(this->inner);
+	free(this);
+}
+
+/**
+ * Implementation of credential_set_t.create_private_enumerator.
+ */
+static enumerator_t* create_private_enumerator(private_sql_cred_t *this,
+											   key_type_t type,
+											   identification_t *id)
+{
+	private_enumerator_t *e;
+
+	e = malloc_thing(private_enumerator_t);
+	e->current = NULL;
+	e->public.enumerate = (void*)private_enumerator_enumerate;
+	e->public.destroy = (void*)private_enumerator_destroy;
+	if (id && id->get_type(id) != ID_ANY)
+	{
+		e->inner = this->db->query(this->db,
+				"SELECT p.type, p.data FROM private_keys AS p "
+				"JOIN private_key_identity AS pi ON p.id = pi.private_key "
+				"JOIN identities AS i ON pi.identity = i.id "
+				"WHERE i.type = ? AND i.data = ? AND (? OR p.type = ?)",
+				DB_INT, id->get_type(id), DB_BLOB, id->get_encoding(id),
+				DB_INT, type == KEY_ANY, DB_INT, type,
+				DB_INT, DB_BLOB);
+	}
+	else
+	{
+		e->inner = this->db->query(this->db,
+				"SELECT type, data FROM private_keys WHERE (? OR type = ?)",
+				DB_INT, type == KEY_ANY, DB_INT, type,
+				DB_INT, DB_BLOB);
+	}
+	if (!e->inner)
+	{
+		free(e);
+		return NULL;
+	}
+	return &e->public;
+}
+
+/**
+ * enumerator over certificates
+ */
+typedef struct {
+	/** implements enumerator */
+	enumerator_t public;
+	/** inner SQL enumerator */
+	enumerator_t *inner;
+	/** currently enumerated cert */
+	certificate_t *current;
+} cert_enumerator_t;
+
+/**
+ * Implementation of cert_enumerator_t.public.enumerate
+ */
+static bool cert_enumerator_enumerate(cert_enumerator_t *this,
+									  certificate_t **cert)
+{
+	chunk_t blob;
+	int type;
+
+	DESTROY_IF(this->current);
+	while (this->inner->enumerate(this->inner, &type, &blob))
+	{
+		this->current = lib->creds->create(lib->creds, CRED_CERTIFICATE, type,
+										   BUILD_BLOB_ASN1_DER, blob,
+										   BUILD_END);
+		if (this->current)
+		{
+			*cert = this->current;
+			return TRUE;
+		}
+	}
+	this->current = NULL;
+	return FALSE;
+}
+
+/**
+ * Implementation of cert_enumerator_t.public.destroy
+ */
+static void cert_enumerator_destroy(cert_enumerator_t *this)
+{
+	DESTROY_IF(this->current);
+	this->inner->destroy(this->inner);
+	free(this);
+}
+
+/**
+ * Implementation of credential_set_t.create_cert_enumerator.
+ */
+static enumerator_t* create_cert_enumerator(private_sql_cred_t *this,
+										certificate_type_t cert, key_type_t key,
+										identification_t *id, bool trusted)
+{
+	cert_enumerator_t *e;
+
+	e = malloc_thing(cert_enumerator_t);
+	e->current = NULL;
+	e->public.enumerate = (void*)cert_enumerator_enumerate;
+	e->public.destroy = (void*)cert_enumerator_destroy;
+	if (id && id->get_type(id) != ID_ANY)
+	{
+		e->inner = this->db->query(this->db,
+				"SELECT c.type, c.data FROM certificates AS c "
+				"JOIN certificate_identity AS ci ON c.id = ci.certificate "
+				"JOIN identities AS i ON ci.identity = i.id "
+				"WHERE i.type = ? AND i.data = ? AND "
+				"(? OR c.type = ?) AND (? OR c.keytype = ?)",
+				DB_INT, id->get_type(id), DB_BLOB, id->get_encoding(id),
+				DB_INT, cert == CERT_ANY, DB_INT, cert,
+				DB_INT, key == KEY_ANY, DB_INT, key,
+				DB_INT, DB_BLOB);
+	}
+	else
+	{
+		e->inner = this->db->query(this->db,
+				"SELECT type, data FROM certificates WHERE "
+				"(? OR type = ?) AND (? OR keytype = ?)",
+				DB_INT, cert == CERT_ANY, DB_INT, cert,
+				DB_INT, key == KEY_ANY, DB_INT, key,
+				DB_INT, DB_BLOB);
+	}
+	if (!e->inner)
+	{
+		free(e);
+		return NULL;
+	}
+	return &e->public;
+}
+
+/**
+ * enumerator over shared keys
+ */
+typedef struct {
+	/** implements enumerator */
+	enumerator_t public;
+	/** inner SQL enumerator */
+	enumerator_t *inner;
+	/** own identity */
+	identification_t *me;
+	/** remote identity */
+	identification_t *other;
+	/** currently enumerated private key */
+	shared_key_t *current;
+} shared_enumerator_t;
+
+/**
+ * Implementation of shared_enumerator_t.public.enumerate
+ */
+static bool shared_enumerator_enumerate(shared_enumerator_t *this,
+										shared_key_t **shared,
+										id_match_t *me, id_match_t *other)
+{
+	chunk_t blob;
+	int type;
+
+	DESTROY_IF(this->current);
+	while (this->inner->enumerate(this->inner, &type, &blob))
+	{
+		this->current = shared_key_create(type, chunk_clone(blob));
+		if (this->current)
+		{
+			*shared = this->current;
+			if (me)
+			{
+				*me = this->me ? ID_MATCH_PERFECT : ID_MATCH_ANY;
+			}
+			if (other)
+			{
+				*other = this->other ? ID_MATCH_PERFECT : ID_MATCH_ANY;
+			}
+			return TRUE;
+		}
+	}
+	this->current = NULL;
+	return FALSE;
+}
+
+/**
+ * Implementation of shared_enumerator_t.public.destroy
+ */
+static void shared_enumerator_destroy(shared_enumerator_t *this)
+{
+	DESTROY_IF(this->current);
+	this->inner->destroy(this->inner);
+	free(this);
+}
+
+/**
+ * Implementation of credential_set_t.create_shared_enumerator.
+ */
+static enumerator_t* create_shared_enumerator(private_sql_cred_t *this,
+								  shared_key_type_t type,
+								  identification_t *me, identification_t *other)
+{
+	shared_enumerator_t *e;
+
+	e = malloc_thing(shared_enumerator_t);
+	e->me = me;
+	e->other = other;
+	e->current = NULL;
+	e->public.enumerate = (void*)shared_enumerator_enumerate;
+	e->public.destroy = (void*)shared_enumerator_destroy;
+	if (!me && !other)
+	{
+		e->inner = this->db->query(this->db,
+				"SELECT type, data FROM shared_secrets WHERE  (? OR type = ?)",
+				DB_INT, type == SHARED_ANY, DB_INT, type,
+				DB_INT, DB_BLOB);
+	}
+	else if (me && other)
+	{
+		e->inner = this->db->query(this->db,
+				"SELECT s.type, s.data FROM shared_secrets AS s "
+				"JOIN shared_secret_identity AS sm ON s.id = sm.shared_secret "
+				"JOIN identities AS m ON sm.identity = m.id "
+				"JOIN shared_secret_identity AS so ON s.id = so.shared_secret "
+				"JOIN identities AS o ON so.identity = o.id "
+				"WHERE m.type = ? AND m.data = ? AND o.type = ? AND o.data = ? "
+				"AND (? OR s.type = ?)",
+				DB_INT, me->get_type(me), DB_BLOB, me->get_encoding(me),
+				DB_INT, other->get_type(other), DB_BLOB, other->get_encoding(other),
+				DB_INT, type == SHARED_ANY, DB_INT, type,
+				DB_INT, DB_BLOB);
+	}
+	else
+	{
+		identification_t *id = me ? me : other;
+
+		e->inner = this->db->query(this->db,
+				"SELECT s.type, s.data FROM shared_secrets AS s "
+				"JOIN shared_secret_identity AS si ON s.id = si.shared_secret "
+				"JOIN identities AS i ON si.identity = i.id "
+				"WHERE i.type = ? AND i.data = ? AND (? OR s.type = ?)",
+				DB_INT, id->get_type(id), DB_BLOB, id->get_encoding(id),
+				DB_INT, type == SHARED_ANY, DB_INT, type,
+				DB_INT, DB_BLOB);
+	}
+	if (!e->inner)
+	{
+		free(e);
+		return NULL;
+	}
+	return &e->public;
+}
+
+/**
+ * Implementation of credential_set_t.cache_cert.
+ */
+static void cache_cert(private_sql_cred_t *this, certificate_t *cert)
+{
+	/* TODO: implement CRL caching to database */
+}
+
+/**
+ * Implementation of sql_cred_t.destroy.
+ */
+static void destroy(private_sql_cred_t *this)
+{
+	free(this);
+}
+/**
+ * Described in header.
+ */
+sql_cred_t *sql_cred_create(database_t *db)
+{
+	private_sql_cred_t *this = malloc_thing(private_sql_cred_t);
+
+	this->public.set.create_private_enumerator = (void*)create_private_enumerator;
+	this->public.set.create_cert_enumerator = (void*)create_cert_enumerator;
+	this->public.set.create_shared_enumerator = (void*)create_shared_enumerator;
+	this->public.set.create_cdp_enumerator = (void*)return_null;
+	this->public.set.cache_cert = (void*)cache_cert;
+	this->public.destroy = (void(*)(sql_cred_t*))destroy;
+
+	this->db = db;
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/plugins/sql/sql_cred.h b/src/libcharon/plugins/sql/sql_cred.h
new file mode 100644
index 000000000..7f387398e
--- /dev/null
+++ b/src/libcharon/plugins/sql/sql_cred.h
@@ -0,0 +1,53 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup sql_cred_i sql_cred
+ * @{ @ingroup sql
+ */
+
+#ifndef SQL_CRED_H_
+#define SQL_CRED_H_
+
+#include <credentials/credential_set.h>
+#include <database/database.h>
+
+typedef struct sql_cred_t sql_cred_t;
+
+/**
+ * SQL database credential set.
+ */
+struct sql_cred_t {
+
+	/**
+	 * Implements credential_set_t interface
+	 */
+	credential_set_t set;
+
+	/**
+	 * Destry the backend.
+	 */
+	void (*destroy)(sql_cred_t *this);
+};
+
+/**
+ * Create a sql_cred backend instance.
+ *
+ * @param db		underlying database
+ * @return			credential set
+ */
+sql_cred_t *sql_cred_create(database_t *db);
+
+#endif /** SQL_CRED_H_ @}*/
diff --git a/src/libcharon/plugins/sql/sql_logger.c b/src/libcharon/plugins/sql/sql_logger.c
new file mode 100644
index 000000000..d350c4c3d
--- /dev/null
+++ b/src/libcharon/plugins/sql/sql_logger.c
@@ -0,0 +1,145 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <string.h>
+
+#include "sql_logger.h"
+
+#include <daemon.h>
+
+typedef struct private_sql_logger_t private_sql_logger_t;
+
+/**
+ * Private data of an sql_logger_t object
+ */
+struct private_sql_logger_t {
+
+	/**
+	 * Public part
+	 */
+	sql_logger_t public;
+
+	/**
+	 * database connection
+	 */
+	database_t *db;
+
+	/**
+	 * logging level
+	 */
+	int level;
+
+	/**
+	 * avoid recursive logging
+	 */
+	bool recursive;
+};
+
+/**
+ * Implementation of bus_listener_t.log.
+ */
+static bool log_(private_sql_logger_t *this, debug_t group, level_t level,
+				 int thread, ike_sa_t* ike_sa, char *format, va_list args)
+{
+	if (this->recursive)
+	{
+		return TRUE;
+	}
+	this->recursive = TRUE;
+
+	if (ike_sa && level <= this->level)
+	{
+		char buffer[8192];
+		chunk_t local_spi, remote_spi;
+		host_t *local_host, *remote_host;
+		identification_t *local_id, *remote_id;
+		u_int64_t ispi, rspi;
+		ike_sa_id_t *id;
+
+		id = ike_sa->get_id(ike_sa);
+		ispi = id->get_initiator_spi(id);
+		rspi = id->get_responder_spi(id);
+		if (id->is_initiator(id))
+		{
+			local_spi.ptr = (char*)&ispi;
+			remote_spi.ptr = (char*)&rspi;
+		}
+		else
+		{
+			local_spi.ptr = (char*)&rspi;
+			remote_spi.ptr = (char*)&ispi;
+		}
+		local_spi.len = remote_spi.len = sizeof(ispi);
+		local_id = ike_sa->get_my_id(ike_sa);
+		remote_id = ike_sa->get_other_id(ike_sa);
+		local_host = ike_sa->get_my_host(ike_sa);
+		remote_host = ike_sa->get_other_host(ike_sa);
+
+		vsnprintf(buffer, sizeof(buffer), format, args);
+
+		this->db->execute(this->db, NULL, "REPLACE INTO ike_sas ("
+						  "local_spi, remote_spi, id, initiator, "
+						  "local_id_type, local_id_data, "
+						  "remote_id_type, remote_id_data, "
+						  "host_family, local_host_data, remote_host_data) "
+						  "VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)",
+						  DB_BLOB, local_spi, DB_BLOB, remote_spi,
+						  DB_INT, ike_sa->get_unique_id(ike_sa),
+						  DB_INT, id->is_initiator(id),
+						  DB_INT, local_id->get_type(local_id),
+						  DB_BLOB, local_id->get_encoding(local_id),
+						  DB_INT, remote_id->get_type(remote_id),
+						  DB_BLOB, remote_id->get_encoding(remote_id),
+						  DB_INT, local_host->get_family(local_host),
+						  DB_BLOB, local_host->get_address(local_host),
+						  DB_BLOB, remote_host->get_address(remote_host));
+		this->db->execute(this->db, NULL, "INSERT INTO logs ("
+						  "local_spi, signal, level, msg) VALUES (?, ?, ?, ?)",
+						  DB_BLOB, local_spi, DB_INT, group, DB_INT, level,
+						  DB_TEXT, buffer);
+	}
+	this->recursive = FALSE;
+	/* always stay registered */
+	return TRUE;
+}
+
+/**
+ * Implementation of sql_logger_t.destroy.
+ */
+static void destroy(private_sql_logger_t *this)
+{
+	free(this);
+}
+
+/**
+ * Described in header.
+ */
+sql_logger_t *sql_logger_create(database_t *db)
+{
+	private_sql_logger_t *this = malloc_thing(private_sql_logger_t);
+
+	memset(&this->public.listener, 0, sizeof(listener_t));
+	this->public.listener.log = (bool(*)(listener_t*,debug_t,level_t,int,ike_sa_t*,char*,va_list))log_;
+	this->public.destroy = (void(*)(sql_logger_t*))destroy;
+
+	this->db = db;
+	this->recursive = FALSE;
+
+	this->level = lib->settings->get_int(lib->settings,
+										 "charon.plugins.sql.loglevel", -1);
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/plugins/sql/sql_logger.h b/src/libcharon/plugins/sql/sql_logger.h
new file mode 100644
index 000000000..a933705da
--- /dev/null
+++ b/src/libcharon/plugins/sql/sql_logger.h
@@ -0,0 +1,53 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup sql_logger_i sql_logger
+ * @{ @ingroup sql
+ */
+
+#ifndef SQL_LOGGER_H_
+#define SQL_LOGGER_H_
+
+#include <bus/bus.h>
+#include <database/database.h>
+
+typedef struct sql_logger_t sql_logger_t;
+
+/**
+ * SQL database logger.
+ */
+struct sql_logger_t {
+
+	/**
+	 * Implements bus_listener_t interface
+	 */
+	listener_t listener;
+
+	/**
+	 * Destry the backend.
+	 */
+	void (*destroy)(sql_logger_t *this);
+};
+
+/**
+ * Create a sql_logger instance.
+ *
+ * @param db		underlying database
+ * @return			logger instance
+ */
+sql_logger_t *sql_logger_create(database_t *db);
+
+#endif /** SQL_LOGGER_H_ @}*/
diff --git a/src/libcharon/plugins/sql/sql_plugin.c b/src/libcharon/plugins/sql/sql_plugin.c
new file mode 100644
index 000000000..e2d2d63b3
--- /dev/null
+++ b/src/libcharon/plugins/sql/sql_plugin.c
@@ -0,0 +1,107 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "sql_plugin.h"
+
+#include <daemon.h>
+#include "sql_config.h"
+#include "sql_cred.h"
+#include "sql_logger.h"
+
+typedef struct private_sql_plugin_t private_sql_plugin_t;
+
+/**
+ * private data of sql plugin
+ */
+struct private_sql_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	sql_plugin_t public;
+
+	/**
+	 * database connection instance
+	 */
+	database_t *db;
+
+	/**
+	 * configuration backend
+	 */
+	sql_config_t *config;
+
+	/**
+	 * credential set
+	 */
+	sql_cred_t *cred;
+
+	/**
+	 * bus listener/logger
+	 */
+	sql_logger_t *logger;
+};
+
+/**
+ * Implementation of plugin_t.destroy
+ */
+static void destroy(private_sql_plugin_t *this)
+{
+	charon->backends->remove_backend(charon->backends, &this->config->backend);
+	charon->credentials->remove_set(charon->credentials, &this->cred->set);
+	charon->bus->remove_listener(charon->bus, &this->logger->listener);
+	this->config->destroy(this->config);
+	this->cred->destroy(this->cred);
+	this->logger->destroy(this->logger);
+	this->db->destroy(this->db);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *sql_plugin_create()
+{
+	char *uri;
+	private_sql_plugin_t *this;
+
+	uri = lib->settings->get_str(lib->settings, "charon.plugins.sql.database", NULL);
+	if (!uri)
+	{
+		DBG1(DBG_CFG, "sql plugin: database URI not set");
+		return NULL;
+	}
+
+	this = malloc_thing(private_sql_plugin_t);
+
+	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+
+	this->db = lib->db->create(lib->db, uri);
+	if (!this->db)
+	{
+		DBG1(DBG_CFG, "sql plugin failed to connect to database");
+		free(this);
+		return NULL;
+	}
+	this->config = sql_config_create(this->db);
+	this->cred = sql_cred_create(this->db);
+	this->logger = sql_logger_create(this->db);
+
+	charon->backends->add_backend(charon->backends, &this->config->backend);
+	charon->credentials->add_set(charon->credentials, &this->cred->set);
+	charon->bus->add_listener(charon->bus, &this->logger->listener);
+
+	return &this->public.plugin;
+}
+
diff --git a/src/libcharon/plugins/sql/sql_plugin.h b/src/libcharon/plugins/sql/sql_plugin.h
new file mode 100644
index 000000000..c6f9ba905
--- /dev/null
+++ b/src/libcharon/plugins/sql/sql_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup sql sql
+ * @ingroup cplugins
+ *
+ * @defgroup sql_plugin sql_plugin
+ * @{ @ingroup sql
+ */
+
+#ifndef SQL_PLUGIN_H_
+#define SQL_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct sql_plugin_t sql_plugin_t;
+
+/**
+ * SQL database configuration plugin
+ */
+struct sql_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+#endif /** SQL_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/stroke/Makefile.am b/src/libcharon/plugins/stroke/Makefile.am
new file mode 100644
index 000000000..40888a40b
--- /dev/null
+++ b/src/libcharon/plugins/stroke/Makefile.am
@@ -0,0 +1,27 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/stroke
+
+AM_CFLAGS = \
+-rdynamic \
+-DIPSEC_CONFDIR=\"${sysconfdir}\" \
+-DIPSEC_PIDDIR=\"${piddir}\"
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-stroke.la
+else
+plugin_LTLIBRARIES = libstrongswan-stroke.la
+endif
+
+libstrongswan_stroke_la_SOURCES = \
+	stroke_plugin.h stroke_plugin.c \
+	stroke_socket.h stroke_socket.c \
+	stroke_config.h stroke_config.c \
+	stroke_control.h stroke_control.c \
+	stroke_cred.h stroke_cred.c \
+	stroke_ca.h stroke_ca.c \
+	stroke_attribute.h stroke_attribute.c \
+	stroke_list.h stroke_list.c \
+	stroke_shared_key.h stroke_shared_key.c
+
+libstrongswan_stroke_la_LDFLAGS = -module -avoid-version
diff --git a/src/libcharon/plugins/stroke/Makefile.in b/src/libcharon/plugins/stroke/Makefile.in
new file mode 100644
index 000000000..8815ba741
--- /dev/null
+++ b/src/libcharon/plugins/stroke/Makefile.in
@@ -0,0 +1,608 @@
+# Makefile.in generated by automake 1.11 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libcharon/plugins/stroke
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_stroke_la_LIBADD =
+am_libstrongswan_stroke_la_OBJECTS = stroke_plugin.lo stroke_socket.lo \
+	stroke_config.lo stroke_control.lo stroke_cred.lo stroke_ca.lo \
+	stroke_attribute.lo stroke_list.lo stroke_shared_key.lo
+libstrongswan_stroke_la_OBJECTS =  \
+	$(am_libstrongswan_stroke_la_OBJECTS)
+libstrongswan_stroke_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_stroke_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_stroke_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_stroke_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_stroke_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_stroke_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libhydra_plugins = @libhydra_plugins@
+libstrongswan_plugins = @libstrongswan_plugins@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/stroke
+
+AM_CFLAGS = \
+-rdynamic \
+-DIPSEC_CONFDIR=\"${sysconfdir}\" \
+-DIPSEC_PIDDIR=\"${piddir}\"
+
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-stroke.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-stroke.la
+libstrongswan_stroke_la_SOURCES = \
+	stroke_plugin.h stroke_plugin.c \
+	stroke_socket.h stroke_socket.c \
+	stroke_config.h stroke_config.c \
+	stroke_control.h stroke_control.c \
+	stroke_cred.h stroke_cred.c \
+	stroke_ca.h stroke_ca.c \
+	stroke_attribute.h stroke_attribute.c \
+	stroke_list.h stroke_list.c \
+	stroke_shared_key.h stroke_shared_key.c
+
+libstrongswan_stroke_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/stroke/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libcharon/plugins/stroke/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-stroke.la: $(libstrongswan_stroke_la_OBJECTS) $(libstrongswan_stroke_la_DEPENDENCIES) 
+	$(libstrongswan_stroke_la_LINK) $(am_libstrongswan_stroke_la_rpath) $(libstrongswan_stroke_la_OBJECTS) $(libstrongswan_stroke_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stroke_attribute.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stroke_ca.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stroke_config.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stroke_control.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stroke_cred.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stroke_list.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stroke_plugin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stroke_shared_key.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stroke_socket.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libcharon/plugins/stroke/stroke_attribute.c b/src/libcharon/plugins/stroke/stroke_attribute.c
new file mode 100644
index 000000000..1e4615e12
--- /dev/null
+++ b/src/libcharon/plugins/stroke/stroke_attribute.c
@@ -0,0 +1,226 @@
+/*
+ * Copyright (C) 2010 Tobias Brunner
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "stroke_attribute.h"
+
+#include <daemon.h>
+#include <attributes/mem_pool.h>
+#include <utils/linked_list.h>
+#include <threading/rwlock.h>
+
+typedef struct private_stroke_attribute_t private_stroke_attribute_t;
+
+/**
+ * private data of stroke_attribute
+ */
+struct private_stroke_attribute_t {
+
+	/**
+	 * public functions
+	 */
+	stroke_attribute_t public;
+
+	/**
+	 * list of pools, contains mem_pool_t
+	 */
+	linked_list_t *pools;
+
+	/**
+	 * rwlock to lock access to pools
+	 */
+	rwlock_t *lock;
+};
+
+/**
+ * find a pool by name
+ */
+static mem_pool_t *find_pool(private_stroke_attribute_t *this, char *name)
+{
+	enumerator_t *enumerator;
+	mem_pool_t *current, *found = NULL;
+
+	enumerator = this->pools->create_enumerator(this->pools);
+	while (enumerator->enumerate(enumerator, &current))
+	{
+		if (streq(name, current->get_name(current)))
+		{
+			found = current;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return found;
+}
+
+METHOD(attribute_provider_t, acquire_address, host_t*,
+	   private_stroke_attribute_t *this, char *name, identification_t *id,
+	   host_t *requested)
+{
+	mem_pool_t *pool;
+	host_t *addr = NULL;
+	this->lock->read_lock(this->lock);
+	pool = find_pool(this, name);
+	if (pool)
+	{
+		addr = pool->acquire_address(pool, id, requested);
+	}
+	this->lock->unlock(this->lock);
+	return addr;
+}
+
+METHOD(attribute_provider_t, release_address, bool,
+	   private_stroke_attribute_t *this, char *name, host_t *address,
+	   identification_t *id)
+{
+	mem_pool_t *pool;
+	bool found = FALSE;
+	this->lock->read_lock(this->lock);
+	pool = find_pool(this, name);
+	if (pool)
+	{
+		found = pool->release_address(pool, address, id);
+	}
+	this->lock->unlock(this->lock);
+	return found;
+}
+
+METHOD(stroke_attribute_t, add_pool, void,
+	   private_stroke_attribute_t *this, stroke_msg_t *msg)
+{
+	if (msg->add_conn.other.sourceip_mask)
+	{
+		mem_pool_t *pool;
+		host_t *base = NULL;
+		u_int32_t bits = 0;
+
+		/* if %config, add an empty pool, otherwise */
+		if (msg->add_conn.other.sourceip)
+		{
+			DBG1(DBG_CFG, "adding virtual IP address pool '%s': %s/%d",
+				 msg->add_conn.name, msg->add_conn.other.sourceip,
+				 msg->add_conn.other.sourceip_mask);
+			base = host_create_from_string(msg->add_conn.other.sourceip, 0);
+			if (!base)
+			{
+				DBG1(DBG_CFG, "virtual IP address invalid, discarded");
+				return;
+			}
+			bits = msg->add_conn.other.sourceip_mask;
+		}
+		pool = mem_pool_create(msg->add_conn.name, base, bits);
+		DESTROY_IF(base);
+
+		this->lock->write_lock(this->lock);
+		this->pools->insert_last(this->pools, pool);
+		this->lock->unlock(this->lock);
+	}
+}
+
+METHOD(stroke_attribute_t, del_pool, void,
+	   private_stroke_attribute_t *this, stroke_msg_t *msg)
+{
+	enumerator_t *enumerator;
+	mem_pool_t *pool;
+
+	this->lock->write_lock(this->lock);
+	enumerator = this->pools->create_enumerator(this->pools);
+	while (enumerator->enumerate(enumerator, &pool))
+	{
+		if (streq(msg->del_conn.name, pool->get_name(pool)))
+		{
+			this->pools->remove_at(this->pools, enumerator);
+			pool->destroy(pool);
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
+}
+
+/**
+ * Pool enumerator filter function, converts pool_t to name, size, ...
+ */
+static bool pool_filter(void *lock, mem_pool_t **poolp, const char **name,
+						void *d1, u_int *size, void *d2, u_int *online,
+						void *d3, u_int *offline)
+{
+	mem_pool_t *pool = *poolp;
+	*name = pool->get_name(pool);
+	*size = pool->get_size(pool);
+	*online = pool->get_online(pool);
+	*offline = pool->get_offline(pool);
+	return TRUE;
+}
+
+METHOD(stroke_attribute_t, create_pool_enumerator, enumerator_t*,
+	   private_stroke_attribute_t *this)
+{
+	this->lock->read_lock(this->lock);
+	return enumerator_create_filter(this->pools->create_enumerator(this->pools),
+									(void*)pool_filter,
+									this->lock, (void*)this->lock->unlock);
+}
+
+METHOD(stroke_attribute_t, create_lease_enumerator, enumerator_t*,
+	   private_stroke_attribute_t *this, char *name)
+{
+	mem_pool_t *pool;
+	this->lock->read_lock(this->lock);
+	pool = find_pool(this, name);
+	if (!pool)
+	{
+		this->lock->unlock(this->lock);
+		return NULL;
+	}
+	return enumerator_create_cleaner(pool->create_lease_enumerator(pool),
+									 (void*)this->lock->unlock, this->lock);
+}
+
+METHOD(stroke_attribute_t, destroy, void,
+	   private_stroke_attribute_t *this)
+{
+	this->lock->destroy(this->lock);
+	this->pools->destroy_offset(this->pools, offsetof(mem_pool_t, destroy));
+	free(this);
+}
+
+/*
+ * see header file
+ */
+stroke_attribute_t *stroke_attribute_create()
+{
+	private_stroke_attribute_t *this;
+
+	INIT(this,
+		.public = {
+			.provider = {
+				.acquire_address = _acquire_address,
+				.release_address = _release_address,
+				.create_attribute_enumerator = enumerator_create_empty,
+			},
+			.add_pool = _add_pool,
+			.del_pool = _del_pool,
+			.create_pool_enumerator = _create_pool_enumerator,
+			.create_lease_enumerator = _create_lease_enumerator,
+			.destroy = _destroy,
+		},
+		.pools = linked_list_create(),
+		.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
+	);
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/plugins/stroke/stroke_attribute.h b/src/libcharon/plugins/stroke/stroke_attribute.h
new file mode 100644
index 000000000..249a9899b
--- /dev/null
+++ b/src/libcharon/plugins/stroke/stroke_attribute.h
@@ -0,0 +1,86 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup stroke_attribute stroke_attribute
+ * @{ @ingroup stroke
+ */
+
+#ifndef STROKE_ATTRIBUTE_H_
+#define STROKE_ATTRIBUTE_H_
+
+#include <stroke_msg.h>
+#include <attributes/attribute_provider.h>
+
+typedef struct stroke_attribute_t stroke_attribute_t;
+
+/**
+ * Stroke IKEv2 cfg attribute provider
+ */
+struct stroke_attribute_t {
+
+	/**
+	 * Implements attribute provider interface
+	 */
+	attribute_provider_t provider;
+
+	/**
+	 * Add a virtual IP address pool.
+	 *
+	 * @param msg		stroke message
+	 */
+	void (*add_pool)(stroke_attribute_t *this, stroke_msg_t *msg);
+
+	/**
+	 * Remove a virtual IP address pool.
+	 *
+	 * @param msg		stroke message
+	 */
+	void (*del_pool)(stroke_attribute_t *this, stroke_msg_t *msg);
+
+	/**
+	 * Create an enumerator over installed pools.
+	 *
+	 * Enumerator enumerates over
+	 * char *pool, u_int size, u_int offline, u_int online.
+	 *
+	 * @return			enumerator
+	 */
+	enumerator_t* (*create_pool_enumerator)(stroke_attribute_t *this);
+
+	/**
+	 * Create an enumerator over the leases of a pool.
+	 *
+	 * Enumerator enumerates over
+	 * identification_t *id, host_t *address, bool online
+	 *
+	 * @param pool		name of the pool to enumerate
+	 * @return			enumerator, NULL if pool not found
+	 */
+	enumerator_t* (*create_lease_enumerator)(stroke_attribute_t *this,
+											 char *pool);
+
+	/**
+	 * Destroy a stroke_attribute instance.
+	 */
+	void (*destroy)(stroke_attribute_t *this);
+};
+
+/**
+ * Create a stroke_attribute instance.
+ */
+stroke_attribute_t *stroke_attribute_create();
+
+#endif /** STROKE_ATTRIBUTE_H_ @}*/
diff --git a/src/libcharon/plugins/stroke/stroke_ca.c b/src/libcharon/plugins/stroke/stroke_ca.c
new file mode 100644
index 000000000..49146f18b
--- /dev/null
+++ b/src/libcharon/plugins/stroke/stroke_ca.c
@@ -0,0 +1,458 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "stroke_ca.h"
+#include "stroke_cred.h"
+
+#include <threading/rwlock.h>
+#include <utils/linked_list.h>
+#include <crypto/hashers/hasher.h>
+
+#include <daemon.h>
+
+typedef struct private_stroke_ca_t private_stroke_ca_t;
+
+/**
+ * private data of stroke_ca
+ */
+struct private_stroke_ca_t {
+
+	/**
+	 * public functions
+	 */
+	stroke_ca_t public;
+
+	/**
+	 * read-write lock to lists
+	 */
+	rwlock_t *lock;
+
+	/**
+	 * list of starters CA sections and its certificates (ca_section_t)
+	 */
+	linked_list_t *sections;
+
+	/**
+	 * stroke credentials, stores our CA certificates
+	 */
+	stroke_cred_t *cred;
+};
+
+typedef struct ca_section_t ca_section_t;
+
+/**
+ * loaded ipsec.conf CA sections
+ */
+struct ca_section_t {
+
+	/**
+	 * name of the CA section
+	 */
+	char *name;
+
+	/**
+	 * reference to cert in trusted_credential_t
+	 */
+	certificate_t *cert;
+
+	/**
+	 * CRL URIs
+	 */
+	linked_list_t *crl;
+
+	/**
+	 * OCSP URIs
+	 */
+	linked_list_t *ocsp;
+
+	/**
+	 * Hashes of certificates issued by this CA
+	 */
+	linked_list_t *hashes;
+
+	/**
+	 * Base URI used for certificates from this CA
+	 */
+	char *certuribase;
+};
+
+/**
+ * create a new CA section
+ */
+static ca_section_t *ca_section_create(char *name, certificate_t *cert)
+{
+	ca_section_t *ca = malloc_thing(ca_section_t);
+
+	ca->name = strdup(name);
+	ca->crl = linked_list_create();
+	ca->ocsp = linked_list_create();
+	ca->cert = cert;
+	ca->hashes = linked_list_create();
+	ca->certuribase = NULL;
+	return ca;
+}
+
+/**
+ * destroy a ca section entry
+ */
+static void ca_section_destroy(ca_section_t *this)
+{
+	this->crl->destroy_function(this->crl, free);
+	this->ocsp->destroy_function(this->ocsp, free);
+	this->hashes->destroy_offset(this->hashes, offsetof(identification_t, destroy));
+	free(this->certuribase);
+	free(this->name);
+	free(this);
+}
+
+/**
+ * data to pass to create_inner_cdp
+ */
+typedef struct {
+	private_stroke_ca_t *this;
+	certificate_type_t type;
+	identification_t *id;
+} cdp_data_t;
+
+/**
+ * destroy cdp enumerator data and unlock list
+ */
+static void cdp_data_destroy(cdp_data_t *data)
+{
+	data->this->lock->unlock(data->this->lock);
+	free(data);
+}
+
+/**
+ * inner enumerator constructor for CDP URIs
+ */
+static enumerator_t *create_inner_cdp(ca_section_t *section, cdp_data_t *data)
+{
+	public_key_t *public;
+	enumerator_t *enumerator = NULL;
+	linked_list_t *list;
+
+	if (data->type == CERT_X509_OCSP_RESPONSE)
+	{
+		list = section->ocsp;
+	}
+	else
+	{
+		list = section->crl;
+	}
+
+	public = section->cert->get_public_key(section->cert);
+	if (public)
+	{
+		if (!data->id)
+		{
+			enumerator = list->create_enumerator(list);
+		}
+		else
+		{
+			if (public->has_fingerprint(public, data->id->get_encoding(data->id)))
+			{
+				enumerator = list->create_enumerator(list);
+			}
+		}
+		public->destroy(public);
+	}
+	return enumerator;
+}
+
+/**
+ * inner enumerator constructor for "Hash and URL"
+ */
+static enumerator_t *create_inner_cdp_hashandurl(ca_section_t *section, cdp_data_t *data)
+{
+	enumerator_t *enumerator = NULL, *hash_enum;
+	identification_t *current;
+
+	if (!data->id || !section->certuribase)
+	{
+		return NULL;
+	}
+
+	hash_enum = section->hashes->create_enumerator(section->hashes);
+	while (hash_enum->enumerate(hash_enum, &current))
+	{
+		if (current->matches(current, data->id))
+		{
+			char *url, *hash;
+
+			url = malloc(strlen(section->certuribase) + 40 + 1);
+			strcpy(url, section->certuribase);
+			hash = chunk_to_hex(current->get_encoding(current), NULL, FALSE).ptr;
+			strncat(url, hash, 40);
+			free(hash);
+
+			enumerator = enumerator_create_single(url, free);
+			break;
+		}
+	}
+	hash_enum->destroy(hash_enum);
+	return enumerator;
+}
+
+/**
+ * Implementation of credential_set_t.create_cdp_enumerator.
+ */
+static enumerator_t *create_cdp_enumerator(private_stroke_ca_t *this,
+								certificate_type_t type, identification_t *id)
+{
+	cdp_data_t *data;
+
+	switch (type)
+	{	/* we serve CRLs, OCSP responders and URLs for "Hash and URL" */
+		case CERT_X509:
+		case CERT_X509_CRL:
+		case CERT_X509_OCSP_RESPONSE:
+		case CERT_ANY:
+			break;
+		default:
+			return NULL;
+	}
+	data = malloc_thing(cdp_data_t);
+	data->this = this;
+	data->type = type;
+	data->id = id;
+
+	this->lock->read_lock(this->lock);
+	return enumerator_create_nested(this->sections->create_enumerator(this->sections),
+			(type == CERT_X509) ? (void*)create_inner_cdp_hashandurl : (void*)create_inner_cdp,
+			data, (void*)cdp_data_destroy);
+}
+/**
+ * Implementation of stroke_ca_t.add.
+ */
+static void add(private_stroke_ca_t *this, stroke_msg_t *msg)
+{
+	certificate_t *cert;
+	ca_section_t *ca;
+
+	if (msg->add_ca.cacert == NULL)
+	{
+		DBG1(DBG_CFG, "missing cacert parameter");
+		return;
+	}
+	cert = this->cred->load_ca(this->cred, msg->add_ca.cacert);
+	if (cert)
+	{
+		ca = ca_section_create(msg->add_ca.name, cert);
+		if (msg->add_ca.crluri)
+		{
+			ca->crl->insert_last(ca->crl, strdup(msg->add_ca.crluri));
+		}
+		if (msg->add_ca.crluri2)
+		{
+			ca->crl->insert_last(ca->crl, strdup(msg->add_ca.crluri2));
+		}
+		if (msg->add_ca.ocspuri)
+		{
+			ca->ocsp->insert_last(ca->ocsp, strdup(msg->add_ca.ocspuri));
+		}
+		if (msg->add_ca.ocspuri2)
+		{
+			ca->ocsp->insert_last(ca->ocsp, strdup(msg->add_ca.ocspuri2));
+		}
+		if (msg->add_ca.certuribase)
+		{
+			ca->certuribase = strdup(msg->add_ca.certuribase);
+		}
+		this->lock->write_lock(this->lock);
+		this->sections->insert_last(this->sections, ca);
+		this->lock->unlock(this->lock);
+		DBG1(DBG_CFG, "added ca '%s'", msg->add_ca.name);
+	}
+}
+
+/**
+ * Implementation of stroke_ca_t.del.
+ */
+static void del(private_stroke_ca_t *this, stroke_msg_t *msg)
+{
+	enumerator_t *enumerator;
+	ca_section_t *ca = NULL;
+
+	this->lock->write_lock(this->lock);
+	enumerator = this->sections->create_enumerator(this->sections);
+	while (enumerator->enumerate(enumerator, &ca))
+	{
+		if (streq(ca->name, msg->del_ca.name))
+		{
+			this->sections->remove_at(this->sections, enumerator);
+			break;
+		}
+		ca = NULL;
+	}
+	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
+	if (ca == NULL)
+	{
+		DBG1(DBG_CFG, "no ca named '%s' found\n", msg->del_ca.name);
+		return;
+	}
+	ca_section_destroy(ca);
+	/* TODO: flush cached certs */
+}
+
+/**
+ * list crl or ocsp URIs
+ */
+static void list_uris(linked_list_t *list, char *label, FILE *out)
+{
+	bool first = TRUE;
+	char *uri;
+	enumerator_t *enumerator;
+
+	enumerator = list->create_enumerator(list);
+	while (enumerator->enumerate(enumerator, (void**)&uri))
+	{
+		if (first)
+		{
+			fprintf(out, label);
+			first = FALSE;
+		}
+		else
+		{
+			fprintf(out, "            ");
+		}
+		fprintf(out, "'%s'\n", uri);
+	}
+	enumerator->destroy(enumerator);
+}
+
+/**
+ * Implementation of stroke_ca_t.check_for_hash_and_url.
+ */
+static void check_for_hash_and_url(private_stroke_ca_t *this, certificate_t* cert)
+{
+	ca_section_t *section;
+	enumerator_t *enumerator;
+
+	hasher_t *hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
+	if (hasher == NULL)
+	{
+		DBG1(DBG_IKE, "unable to use hash-and-url: sha1 not supported");
+		return;
+	}
+
+	this->lock->write_lock(this->lock);
+	enumerator = this->sections->create_enumerator(this->sections);
+	while (enumerator->enumerate(enumerator, (void**)&section))
+	{
+		if (section->certuribase && cert->issued_by(cert, section->cert))
+		{
+			chunk_t hash, encoded = cert->get_encoding(cert);
+			hasher->allocate_hash(hasher, encoded, &hash);
+			section->hashes->insert_last(section->hashes,
+					identification_create_from_encoding(ID_KEY_ID, hash));
+			chunk_free(&hash);
+			chunk_free(&encoded);
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
+
+	hasher->destroy(hasher);
+}
+
+/**
+ * Implementation of stroke_ca_t.list.
+ */
+static void list(private_stroke_ca_t *this, stroke_msg_t *msg, FILE *out)
+{
+	bool first = TRUE;
+	ca_section_t *section;
+	enumerator_t *enumerator;
+
+	this->lock->read_lock(this->lock);
+	enumerator = this->sections->create_enumerator(this->sections);
+	while (enumerator->enumerate(enumerator, (void**)&section))
+	{
+		certificate_t *cert = section->cert;
+		public_key_t *public = cert->get_public_key(cert);
+		chunk_t chunk;
+
+		if (first)
+		{
+			fprintf(out, "\n");
+			fprintf(out, "List of CA Information Sections:\n");
+			first = FALSE;
+		}
+		fprintf(out, "\n");
+		fprintf(out, "  authname:    \"%Y\"\n", cert->get_subject(cert));
+
+		/* list authkey and keyid */
+		if (public)
+		{
+			if (public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1, &chunk))
+			{
+				fprintf(out, "  authkey:      %#B\n", &chunk);
+			}
+			if (public->get_fingerprint(public, KEY_ID_PUBKEY_INFO_SHA1, &chunk))
+			{
+				fprintf(out, "  keyid:        %#B\n", &chunk);
+			}
+			public->destroy(public);
+		}
+		list_uris(section->crl, "  crluris:     ", out);
+		list_uris(section->ocsp, "  ocspuris:    ", out);
+		if (section->certuribase)
+		{
+			fprintf(out, "  certuribase: '%s'\n", section->certuribase);
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
+}
+
+/**
+ * Implementation of stroke_ca_t.destroy
+ */
+static void destroy(private_stroke_ca_t *this)
+{
+	this->sections->destroy_function(this->sections, (void*)ca_section_destroy);
+	this->lock->destroy(this->lock);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+stroke_ca_t *stroke_ca_create(stroke_cred_t *cred)
+{
+	private_stroke_ca_t *this = malloc_thing(private_stroke_ca_t);
+
+	this->public.set.create_private_enumerator = (void*)return_null;
+	this->public.set.create_cert_enumerator = (void*)return_null;
+	this->public.set.create_shared_enumerator = (void*)return_null;
+	this->public.set.create_cdp_enumerator = (void*)create_cdp_enumerator;
+	this->public.set.cache_cert = (void*)nop;
+	this->public.add = (void(*)(stroke_ca_t*, stroke_msg_t *msg))add;
+	this->public.del = (void(*)(stroke_ca_t*, stroke_msg_t *msg))del;
+	this->public.list = (void(*)(stroke_ca_t*, stroke_msg_t *msg, FILE *out))list;
+	this->public.check_for_hash_and_url = (void(*)(stroke_ca_t*, certificate_t*))check_for_hash_and_url;
+	this->public.destroy = (void(*)(stroke_ca_t*))destroy;
+
+	this->sections = linked_list_create();
+	this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
+	this->cred = cred;
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/plugins/stroke/stroke_ca.h b/src/libcharon/plugins/stroke/stroke_ca.h
new file mode 100644
index 000000000..21af912ea
--- /dev/null
+++ b/src/libcharon/plugins/stroke/stroke_ca.h
@@ -0,0 +1,80 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup stroke_ca stroke_ca
+ * @{ @ingroup stroke
+ */
+
+#ifndef STROKE_CA_H_
+#define STROKE_CA_H_
+
+#include <stroke_msg.h>
+
+#include "stroke_cred.h"
+
+typedef struct stroke_ca_t stroke_ca_t;
+
+/**
+ * ipsec.conf ca section handling.
+ */
+struct stroke_ca_t {
+
+	/**
+	 * Implements credential_set_t
+	 */
+	credential_set_t set;
+
+	/**
+	 * Add a CA to the set using a stroke_msg_t.
+	 *
+	 * @param msg		stroke message containing CA info
+	 */
+	void (*add)(stroke_ca_t *this, stroke_msg_t *msg);
+
+	/**
+	 * Remove a CA from the set using a stroke_msg_t.
+	 *
+	 * @param msg		stroke message containing CA info
+	 */
+	void (*del)(stroke_ca_t *this, stroke_msg_t *msg);
+
+	/**
+	 * List CA sections to stroke console.
+	 *
+	 * @param msg		stroke message
+	 */
+	void (*list)(stroke_ca_t *this, stroke_msg_t *msg, FILE *out);
+
+	/**
+	 * Check if a certificate can be made available through hash and URL.
+	 *
+	 * @param cert		peer certificate
+	 */
+	void (*check_for_hash_and_url)(stroke_ca_t *this, certificate_t* cert);
+
+	/**
+	 * Destroy a stroke_ca instance.
+	 */
+	void (*destroy)(stroke_ca_t *this);
+};
+
+/**
+ * Create a stroke_ca instance.
+ */
+stroke_ca_t *stroke_ca_create(stroke_cred_t *cred);
+
+#endif /** STROKE_CA_H_ @}*/
diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c
new file mode 100644
index 000000000..bbc1e7a31
--- /dev/null
+++ b/src/libcharon/plugins/stroke/stroke_config.c
@@ -0,0 +1,949 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "stroke_config.h"
+
+#include <daemon.h>
+#include <threading/mutex.h>
+#include <utils/lexparser.h>
+
+typedef struct private_stroke_config_t private_stroke_config_t;
+
+/**
+ * private data of stroke_config
+ */
+struct private_stroke_config_t {
+
+	/**
+	 * public functions
+	 */
+	stroke_config_t public;
+
+	/**
+	 * list of peer_cfg_t
+	 */
+	linked_list_t *list;
+
+	/**
+	 * mutex to lock config list
+	 */
+	mutex_t *mutex;
+
+	/**
+	 * ca sections
+	 */
+	stroke_ca_t *ca;
+
+	/**
+	 * credentials
+	 */
+	stroke_cred_t *cred;
+};
+
+/**
+ * Implementation of backend_t.create_peer_cfg_enumerator.
+ */
+static enumerator_t* create_peer_cfg_enumerator(private_stroke_config_t *this,
+												identification_t *me,
+												identification_t *other)
+{
+	this->mutex->lock(this->mutex);
+	return enumerator_create_cleaner(this->list->create_enumerator(this->list),
+									 (void*)this->mutex->unlock, this->mutex);
+}
+
+/**
+ * filter function for ike configs
+ */
+static bool ike_filter(void *data, peer_cfg_t **in, ike_cfg_t **out)
+{
+	*out = (*in)->get_ike_cfg(*in);
+	return TRUE;
+}
+
+/**
+ * Implementation of backend_t.create_ike_cfg_enumerator.
+ */
+static enumerator_t* create_ike_cfg_enumerator(private_stroke_config_t *this,
+											   host_t *me, host_t *other)
+{
+	this->mutex->lock(this->mutex);
+	return enumerator_create_filter(this->list->create_enumerator(this->list),
+									(void*)ike_filter, this->mutex,
+									(void*)this->mutex->unlock);
+}
+
+/**
+ * implements backend_t.get_peer_cfg_by_name.
+ */
+static peer_cfg_t *get_peer_cfg_by_name(private_stroke_config_t *this, char *name)
+{
+	enumerator_t *e1, *e2;
+	peer_cfg_t *current, *found = NULL;
+	child_cfg_t *child;
+
+	this->mutex->lock(this->mutex);
+	e1 = this->list->create_enumerator(this->list);
+	while (e1->enumerate(e1, &current))
+	{
+		/* compare peer_cfgs name first */
+		if (streq(current->get_name(current), name))
+		{
+			found = current;
+			found->get_ref(found);
+			break;
+		}
+		/* compare all child_cfg names otherwise */
+		e2 = current->create_child_cfg_enumerator(current);
+		while (e2->enumerate(e2, &child))
+		{
+			if (streq(child->get_name(child), name))
+			{
+				found = current;
+				found->get_ref(found);
+				break;
+			}
+		}
+		e2->destroy(e2);
+		if (found)
+		{
+			break;
+		}
+	}
+	e1->destroy(e1);
+	this->mutex->unlock(this->mutex);
+	return found;
+}
+
+/**
+ * parse a proposal string, either into ike_cfg or child_cfg
+ */
+static void add_proposals(private_stroke_config_t *this, char *string,
+						  ike_cfg_t *ike_cfg, child_cfg_t *child_cfg)
+{
+	if (string)
+	{
+		char *single;
+		char *strict;
+		proposal_t *proposal;
+		protocol_id_t proto = PROTO_ESP;
+
+		if (ike_cfg)
+		{
+			proto = PROTO_IKE;
+		}
+		strict = string + strlen(string) - 1;
+		if (*strict == '!')
+		{
+			*strict = '\0';
+		}
+		else
+		{
+			strict = NULL;
+		}
+		while ((single = strsep(&string, ",")))
+		{
+			proposal = proposal_create_from_string(proto, single);
+			if (proposal)
+			{
+				if (ike_cfg)
+				{
+					ike_cfg->add_proposal(ike_cfg, proposal);
+				}
+				else
+				{
+					child_cfg->add_proposal(child_cfg, proposal);
+				}
+				continue;
+			}
+			DBG1(DBG_CFG, "skipped invalid proposal string: %s", single);
+		}
+		if (strict)
+		{
+			return;
+		}
+		/* add default porposal to the end if not strict */
+	}
+	if (ike_cfg)
+	{
+		ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
+	}
+	else
+	{
+		child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
+	}
+}
+
+/**
+ * Build an IKE config from a stroke message
+ */
+static ike_cfg_t *build_ike_cfg(private_stroke_config_t *this, stroke_msg_t *msg)
+{
+	stroke_end_t tmp_end;
+	ike_cfg_t *ike_cfg;
+	char *interface;
+	host_t *host;
+
+	host = host_create_from_dns(msg->add_conn.other.address, 0, 0);
+	if (host)
+	{
+		interface = charon->kernel_interface->get_interface(
+												charon->kernel_interface, host);
+		host->destroy(host);
+		if (interface)
+		{
+			DBG2(DBG_CFG, "left is other host, swapping ends");
+			tmp_end = msg->add_conn.me;
+			msg->add_conn.me = msg->add_conn.other;
+			msg->add_conn.other = tmp_end;
+			free(interface);
+		}
+		else
+		{
+			host = host_create_from_dns(msg->add_conn.me.address, 0, 0);
+			if (host)
+			{
+				interface = charon->kernel_interface->get_interface(
+												charon->kernel_interface, host);
+				host->destroy(host);
+				if (!interface)
+				{
+					DBG1(DBG_CFG, "left nor right host is our side, "
+						 "assuming left=local");
+				}
+				else
+				{
+					free(interface);
+				}
+
+			}
+		}
+	}
+	ike_cfg = ike_cfg_create(msg->add_conn.other.sendcert != CERT_NEVER_SEND,
+					msg->add_conn.force_encap,
+					msg->add_conn.me.address, msg->add_conn.me.ikeport,
+					msg->add_conn.other.address, msg->add_conn.other.ikeport);
+	add_proposals(this, msg->add_conn.algorithms.ike, ike_cfg, NULL);
+	return ike_cfg;
+}
+
+/**
+ * Add CRL constraint to config
+ */
+static void build_crl_policy(auth_cfg_t *cfg, bool local, int policy)
+{
+	/* CRL/OCSP policy, for remote config only */
+	if (!local)
+	{
+		switch (policy)
+		{
+			case CRL_STRICT_YES:
+				/* if yes, we require a GOOD validation */
+				cfg->add(cfg, AUTH_RULE_CRL_VALIDATION, VALIDATION_GOOD);
+				break;
+			case CRL_STRICT_IFURI:
+				/* for ifuri, a SKIPPED validation is sufficient */
+				cfg->add(cfg, AUTH_RULE_CRL_VALIDATION, VALIDATION_SKIPPED);
+				break;
+			default:
+				break;
+		}
+	}
+}
+
+/**
+ * build authentication config
+ */
+static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
+								  stroke_msg_t *msg, bool local, bool primary)
+{
+	identification_t *identity;
+	certificate_t *certificate;
+	char *auth, *id, *cert, *ca;
+	stroke_end_t *end, *other_end;
+	auth_cfg_t *cfg;
+	char eap_buf[32];
+
+	/* select strings */
+	if (local)
+	{
+		end = &msg->add_conn.me;
+		other_end = &msg->add_conn.other;
+	}
+	else
+	{
+		end = &msg->add_conn.other;
+		other_end = &msg->add_conn.me;
+	}
+	if (primary)
+	{
+		auth = end->auth;
+		id = end->id;
+		if (!id)
+		{	/* leftid/rightid fallback to address */
+			id = end->address;
+		}
+		cert = end->cert;
+		ca = end->ca;
+		if (ca && streq(ca, "%same"))
+		{
+			ca = other_end->ca;
+		}
+	}
+	else
+	{
+		auth = end->auth2;
+		id = end->id2;
+		if (local && !id)
+		{	/* leftid2 falls back to leftid */
+			id = end->id;
+		}
+		cert = end->cert2;
+		ca = end->ca2;
+		if (ca && streq(ca, "%same"))
+		{
+			ca = other_end->ca2;
+		}
+	}
+
+	if (!auth)
+	{
+		if (primary)
+		{
+			if (local)
+			{	/* "leftauth" not defined, fall back to deprecated "authby" */
+				switch (msg->add_conn.auth_method)
+				{
+					default:
+					case AUTH_CLASS_PUBKEY:
+						auth = "pubkey";
+						break;
+					case AUTH_CLASS_PSK:
+						auth = "psk";
+						break;
+					case AUTH_CLASS_EAP:
+						auth = "eap";
+						break;
+				}
+			}
+			else
+			{	/* "rightauth" not defined, fall back to deprecated "eap" */
+				if (msg->add_conn.eap_type)
+				{
+					if (msg->add_conn.eap_vendor)
+					{
+						snprintf(eap_buf, sizeof(eap_buf), "eap-%d-%d",
+								 msg->add_conn.eap_type,
+								 msg->add_conn.eap_vendor);
+					}
+					else
+					{
+						snprintf(eap_buf, sizeof(eap_buf), "eap-%d",
+								 msg->add_conn.eap_type);
+					}
+					auth = eap_buf;
+				}
+				else
+				{	/* not EAP => no constraints for this peer */
+					auth = "any";
+				}
+			}
+		}
+		else
+		{	/* no second authentication round, fine */
+			return NULL;
+		}
+	}
+
+	cfg = auth_cfg_create();
+
+	/* add identity and peer certifcate */
+	identity = identification_create_from_string(id);
+	if (cert)
+	{
+		certificate = this->cred->load_peer(this->cred, cert);
+		if (certificate)
+		{
+			if (local)
+			{
+				this->ca->check_for_hash_and_url(this->ca, certificate);
+			}
+			cfg->add(cfg, AUTH_RULE_SUBJECT_CERT, certificate);
+			if (identity->get_type(identity) == ID_ANY ||
+				!certificate->has_subject(certificate, identity))
+			{
+				DBG1(DBG_CFG, "  id '%Y' not confirmed by certificate, "
+					 "defaulting to '%Y'", identity,
+					 certificate->get_subject(certificate));
+				identity->destroy(identity);
+				identity = certificate->get_subject(certificate);
+				identity = identity->clone(identity);
+			}
+		}
+	}
+	cfg->add(cfg, AUTH_RULE_IDENTITY, identity);
+
+	/* CA constraint */
+	if (ca)
+	{
+		identity = identification_create_from_string(ca);
+		certificate = charon->credentials->get_cert(charon->credentials,
+											CERT_X509, KEY_ANY, identity, TRUE);
+		identity->destroy(identity);
+		if (certificate)
+		{
+			cfg->add(cfg, AUTH_RULE_CA_CERT, certificate);
+		}
+		else
+		{
+			DBG1(DBG_CFG, "CA certificate %s not found, discarding CA "
+				 "constraint", ca);
+		}
+	}
+
+	/* AC groups */
+	if (end->groups)
+	{
+		enumerator_t *enumerator;
+		char *group;
+
+		enumerator = enumerator_create_token(end->groups, ",", " ");
+		while (enumerator->enumerate(enumerator, &group))
+		{
+			identity = identification_create_from_encoding(ID_IETF_ATTR_STRING,
+											chunk_create(group, strlen(group)));
+			cfg->add(cfg, AUTH_RULE_AC_GROUP, identity);
+		}
+		enumerator->destroy(enumerator);
+	}
+
+	/* authentication metod (class, actually) */
+	if (streq(auth, "pubkey") ||
+		streq(auth, "rsasig") || streq(auth, "rsa") ||
+		streq(auth, "ecdsasig") || streq(auth, "ecdsa"))
+	{
+		cfg->add(cfg, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
+		build_crl_policy(cfg, local, msg->add_conn.crl_policy);
+	}
+	else if (streq(auth, "psk") || streq(auth, "secret"))
+	{
+		cfg->add(cfg, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PSK);
+	}
+	else if (strneq(auth, "eap", 3))
+	{
+		enumerator_t *enumerator;
+		char *str;
+		int i = 0, type = 0, vendor;
+
+		cfg->add(cfg, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_EAP);
+
+		/* parse EAP string, format: eap[-type[-vendor]] */
+		enumerator = enumerator_create_token(auth, "-", " ");
+		while (enumerator->enumerate(enumerator, &str))
+		{
+			switch (i)
+			{
+				case 1:
+					type = eap_type_from_string(str);
+					if (!type)
+					{
+						type = atoi(str);
+						if (!type)
+						{
+							DBG1(DBG_CFG, "unknown EAP method: %s", str);
+							break;
+						}
+					}
+					cfg->add(cfg, AUTH_RULE_EAP_TYPE, type);
+					break;
+				case 2:
+					if (type)
+					{
+						vendor = atoi(str);
+						if (vendor)
+						{
+							cfg->add(cfg, AUTH_RULE_EAP_VENDOR, vendor);
+						}
+						else
+						{
+							DBG1(DBG_CFG, "unknown EAP vendor: %s", str);
+						}
+					}
+					break;
+				default:
+					break;
+			}
+			i++;
+		}
+		enumerator->destroy(enumerator);
+
+		if (msg->add_conn.eap_identity)
+		{
+			if (streq(msg->add_conn.eap_identity, "%identity"))
+			{
+				identity = identification_create_from_encoding(ID_ANY,
+															   chunk_empty);
+			}
+			else
+			{
+				identity = identification_create_from_string(
+													msg->add_conn.eap_identity);
+			}
+			cfg->add(cfg, AUTH_RULE_EAP_IDENTITY, identity);
+		}
+	}
+	else
+	{
+		if (!streq(auth, "any"))
+		{
+			DBG1(DBG_CFG, "authentication method %s unknown, fallback to any",
+				 auth);
+		}
+		build_crl_policy(cfg, local, msg->add_conn.crl_policy);
+	}
+	return cfg;
+}
+
+/**
+ * build a peer_cfg from a stroke msg
+ */
+static peer_cfg_t *build_peer_cfg(private_stroke_config_t *this,
+								  stroke_msg_t *msg, ike_cfg_t *ike_cfg)
+{
+	identification_t *peer_id = NULL;
+	peer_cfg_t *mediated_by = NULL;
+	host_t *vip = NULL;
+	unique_policy_t unique;
+	u_int32_t rekey = 0, reauth = 0, over, jitter;
+	peer_cfg_t *peer_cfg;
+	auth_cfg_t *auth_cfg;
+
+#ifdef ME
+	if (msg->add_conn.ikeme.mediation && msg->add_conn.ikeme.mediated_by)
+	{
+		DBG1(DBG_CFG, "a mediation connection cannot be a mediated connection "
+			 "at the same time, aborting");
+		return NULL;
+	}
+
+	if (msg->add_conn.ikeme.mediation)
+	{
+		/* force unique connections for mediation connections */
+		msg->add_conn.unique = 1;
+	}
+
+	if (msg->add_conn.ikeme.mediated_by)
+	{
+		mediated_by = charon->backends->get_peer_cfg_by_name(charon->backends,
+											msg->add_conn.ikeme.mediated_by);
+		if (!mediated_by)
+		{
+			DBG1(DBG_CFG, "mediation connection '%s' not found, aborting",
+				 msg->add_conn.ikeme.mediated_by);
+			return NULL;
+		}
+		if (!mediated_by->is_mediation(mediated_by))
+		{
+			DBG1(DBG_CFG, "connection '%s' as referred to by '%s' is "
+				 "no mediation connection, aborting",
+				 msg->add_conn.ikeme.mediated_by, msg->add_conn.name);
+			mediated_by->destroy(mediated_by);
+			return NULL;
+		}
+		if (msg->add_conn.ikeme.peerid)
+		{
+			peer_id = identification_create_from_string(msg->add_conn.ikeme.peerid);
+		}
+		else if (msg->add_conn.other.id)
+		{
+			peer_id = identification_create_from_string(msg->add_conn.other.id);
+		}
+	}
+#endif /* ME */
+
+	jitter = msg->add_conn.rekey.margin * msg->add_conn.rekey.fuzz / 100;
+	over = msg->add_conn.rekey.margin;
+	if (msg->add_conn.rekey.reauth)
+	{
+		reauth = msg->add_conn.rekey.ike_lifetime - over;
+	}
+	else
+	{
+		rekey = msg->add_conn.rekey.ike_lifetime - over;
+	}
+	if (msg->add_conn.me.sourceip_mask)
+	{
+		if (msg->add_conn.me.sourceip)
+		{
+			vip = host_create_from_string(msg->add_conn.me.sourceip, 0);
+		}
+		if (!vip)
+		{	/* if it is set to something like %poolname, request an address */
+			if (msg->add_conn.me.subnets)
+			{	/* use the same address as in subnet, if any */
+				if (strchr(msg->add_conn.me.subnets, '.'))
+				{
+					vip = host_create_any(AF_INET);
+				}
+				else
+				{
+					vip = host_create_any(AF_INET6);
+				}
+			}
+			else
+			{
+				if (strchr(ike_cfg->get_my_addr(ike_cfg), ':'))
+				{
+					vip = host_create_any(AF_INET6);
+				}
+				else
+				{
+					vip = host_create_any(AF_INET);
+				}
+			}
+		}
+	}
+	switch (msg->add_conn.unique)
+	{
+		case 1: /* yes */
+		case 2: /* replace */
+			unique = UNIQUE_REPLACE;
+			break;
+		case 3: /* keep */
+			unique = UNIQUE_KEEP;
+			break;
+		default: /* no */
+			unique = UNIQUE_NO;
+			break;
+	}
+	if (msg->add_conn.dpd.action == 0)
+	{	/* dpdaction=none disables DPD */
+		msg->add_conn.dpd.delay = 0;
+	}
+
+	/* other.sourceip is managed in stroke_attributes. If it is set, we define
+	 * the pool name as the connection name, which the attribute provider
+	 * uses to serve pool addresses. */
+	peer_cfg = peer_cfg_create(msg->add_conn.name,
+		msg->add_conn.ikev2 ? 2 : 1, ike_cfg,
+		msg->add_conn.me.sendcert, unique,
+		msg->add_conn.rekey.tries, rekey, reauth, jitter, over,
+		msg->add_conn.mobike, msg->add_conn.dpd.delay,
+		vip, msg->add_conn.other.sourceip_mask ?
+							msg->add_conn.name : msg->add_conn.other.sourceip,
+		msg->add_conn.ikeme.mediation, mediated_by, peer_id);
+
+	/* build leftauth= */
+	auth_cfg = build_auth_cfg(this, msg, TRUE, TRUE);
+	if (auth_cfg)
+	{
+		peer_cfg->add_auth_cfg(peer_cfg, auth_cfg, TRUE);
+	}
+	else
+	{	/* we require at least one config on our side */
+		peer_cfg->destroy(peer_cfg);
+		return NULL;
+	}
+	/* build leftauth2= */
+	auth_cfg = build_auth_cfg(this, msg, TRUE, FALSE);
+	if (auth_cfg)
+	{
+		peer_cfg->add_auth_cfg(peer_cfg, auth_cfg, TRUE);
+	}
+	/* build rightauth= */
+	auth_cfg = build_auth_cfg(this, msg, FALSE, TRUE);
+	if (auth_cfg)
+	{
+		peer_cfg->add_auth_cfg(peer_cfg, auth_cfg, FALSE);
+	}
+	/* build rightauth2= */
+	auth_cfg = build_auth_cfg(this, msg, FALSE, FALSE);
+	if (auth_cfg)
+	{
+		peer_cfg->add_auth_cfg(peer_cfg, auth_cfg, FALSE);
+	}
+	return peer_cfg;
+}
+
+/**
+ * build a traffic selector from a stroke_end
+ */
+static void add_ts(private_stroke_config_t *this,
+				   stroke_end_t *end, child_cfg_t *child_cfg, bool local)
+{
+	traffic_selector_t *ts;
+
+	if (end->tohost)
+	{
+		ts = traffic_selector_create_dynamic(end->protocol,
+					end->port ? end->port : 0, end->port ? end->port : 65535);
+		child_cfg->add_traffic_selector(child_cfg, local, ts);
+	}
+	else
+	{
+		host_t *net;
+
+		if (!end->subnets)
+		{
+			net = host_create_from_string(end->address, 0);
+			if (net)
+			{
+				ts = traffic_selector_create_from_subnet(net, 0, end->protocol,
+														 end->port);
+				child_cfg->add_traffic_selector(child_cfg, local, ts);
+			}
+		}
+		else
+		{
+			char *del, *start, *bits;
+
+			start = end->subnets;
+			do
+			{
+				int intbits = 0;
+
+				del = strchr(start, ',');
+				if (del)
+				{
+					*del = '\0';
+				}
+				bits = strchr(start, '/');
+				if (bits)
+				{
+					*bits = '\0';
+					intbits = atoi(bits + 1);
+				}
+
+				net = host_create_from_string(start, 0);
+				if (net)
+				{
+					ts = traffic_selector_create_from_subnet(net, intbits,
+												end->protocol, end->port);
+					child_cfg->add_traffic_selector(child_cfg, local, ts);
+				}
+				else
+				{
+					DBG1(DBG_CFG, "invalid subnet: %s, skipped", start);
+				}
+				start = del + 1;
+			}
+			while (del);
+		}
+	}
+}
+
+/**
+ * build a child config from the stroke message
+ */
+static child_cfg_t *build_child_cfg(private_stroke_config_t *this,
+									stroke_msg_t *msg)
+{
+	child_cfg_t *child_cfg;
+	action_t dpd;
+	lifetime_cfg_t lifetime = {
+		.time = {
+			.life = msg->add_conn.rekey.ipsec_lifetime,
+			.rekey = msg->add_conn.rekey.ipsec_lifetime - msg->add_conn.rekey.margin,
+			.jitter = msg->add_conn.rekey.margin * msg->add_conn.rekey.fuzz / 100
+		},
+		.bytes = {
+			.life = msg->add_conn.rekey.life_bytes,
+			.rekey = msg->add_conn.rekey.life_bytes - msg->add_conn.rekey.margin_bytes,
+			.jitter = msg->add_conn.rekey.margin_bytes * msg->add_conn.rekey.fuzz / 100
+		},
+		.packets = {
+			.life = msg->add_conn.rekey.life_packets,
+			.rekey = msg->add_conn.rekey.life_packets - msg->add_conn.rekey.margin_packets,
+			.jitter = msg->add_conn.rekey.margin_packets * msg->add_conn.rekey.fuzz / 100
+		}
+	};
+
+	switch (msg->add_conn.dpd.action)
+	{	/* map startes magic values to our action type */
+		case 2: /* =hold */
+			dpd = ACTION_ROUTE;
+			break;
+		case 3: /* =restart */
+			dpd = ACTION_RESTART;
+			break;
+		default:
+			dpd = ACTION_NONE;
+			break;
+	}
+
+	child_cfg = child_cfg_create(
+				msg->add_conn.name, &lifetime,
+				msg->add_conn.me.updown, msg->add_conn.me.hostaccess,
+				msg->add_conn.mode, dpd, dpd, msg->add_conn.ipcomp,
+				msg->add_conn.inactivity);
+	child_cfg->set_mipv6_options(child_cfg, msg->add_conn.proxy_mode,
+											msg->add_conn.install_policy);
+	add_ts(this, &msg->add_conn.me, child_cfg, TRUE);
+	add_ts(this, &msg->add_conn.other, child_cfg, FALSE);
+
+	add_proposals(this, msg->add_conn.algorithms.esp, NULL, child_cfg);
+
+	return child_cfg;
+}
+
+/**
+ * Implementation of stroke_config_t.add.
+ */
+static void add(private_stroke_config_t *this, stroke_msg_t *msg)
+{
+	ike_cfg_t *ike_cfg, *existing_ike;
+	peer_cfg_t *peer_cfg, *existing;
+	child_cfg_t *child_cfg;
+	enumerator_t *enumerator;
+	bool use_existing = FALSE;
+
+	ike_cfg = build_ike_cfg(this, msg);
+	if (!ike_cfg)
+	{
+		return;
+	}
+	peer_cfg = build_peer_cfg(this, msg, ike_cfg);
+	if (!peer_cfg)
+	{
+		ike_cfg->destroy(ike_cfg);
+		return;
+	}
+
+	enumerator = create_peer_cfg_enumerator(this, NULL, NULL);
+	while (enumerator->enumerate(enumerator, &existing))
+	{
+		existing_ike = existing->get_ike_cfg(existing);
+		if (existing->equals(existing, peer_cfg) &&
+			existing_ike->equals(existing_ike, peer_cfg->get_ike_cfg(peer_cfg)))
+		{
+			use_existing = TRUE;
+			peer_cfg->destroy(peer_cfg);
+			peer_cfg = existing;
+			peer_cfg->get_ref(peer_cfg);
+			DBG1(DBG_CFG, "added child to existing configuration '%s'",
+				 peer_cfg->get_name(peer_cfg));
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	child_cfg = build_child_cfg(this, msg);
+	if (!child_cfg)
+	{
+		peer_cfg->destroy(peer_cfg);
+		return;
+	}
+	peer_cfg->add_child_cfg(peer_cfg, child_cfg);
+
+	if (use_existing)
+	{
+		peer_cfg->destroy(peer_cfg);
+	}
+	else
+	{
+		/* add config to backend */
+		DBG1(DBG_CFG, "added configuration '%s'", msg->add_conn.name);
+		this->mutex->lock(this->mutex);
+		this->list->insert_last(this->list, peer_cfg);
+		this->mutex->unlock(this->mutex);
+	}
+}
+
+/**
+ * Implementation of stroke_config_t.del.
+ */
+static void del(private_stroke_config_t *this, stroke_msg_t *msg)
+{
+	enumerator_t *enumerator, *children;
+	peer_cfg_t *peer;
+	child_cfg_t *child;
+	bool deleted = FALSE;
+
+	this->mutex->lock(this->mutex);
+	enumerator = this->list->create_enumerator(this->list);
+	while (enumerator->enumerate(enumerator, (void**)&peer))
+	{
+		bool keep = FALSE;
+
+		/* remove any child with such a name */
+		children = peer->create_child_cfg_enumerator(peer);
+		while (children->enumerate(children, &child))
+		{
+			if (streq(child->get_name(child), msg->del_conn.name))
+			{
+				peer->remove_child_cfg(peer, children);
+				child->destroy(child);
+				deleted = TRUE;
+			}
+			else
+			{
+				keep = TRUE;
+			}
+		}
+		children->destroy(children);
+
+		/* if peer config matches, or has no children anymore, remove it */
+		if (!keep || streq(peer->get_name(peer), msg->del_conn.name))
+		{
+			this->list->remove_at(this->list, enumerator);
+			peer->destroy(peer);
+			deleted = TRUE;
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->mutex->unlock(this->mutex);
+
+	if (deleted)
+	{
+		DBG1(DBG_CFG, "deleted connection '%s'", msg->del_conn.name);
+	}
+	else
+	{
+		DBG1(DBG_CFG, "connection '%s' not found", msg->del_conn.name);
+	}
+}
+
+/**
+ * Implementation of stroke_config_t.destroy
+ */
+static void destroy(private_stroke_config_t *this)
+{
+	this->list->destroy_offset(this->list, offsetof(peer_cfg_t, destroy));
+	this->mutex->destroy(this->mutex);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+stroke_config_t *stroke_config_create(stroke_ca_t *ca, stroke_cred_t *cred)
+{
+	private_stroke_config_t *this = malloc_thing(private_stroke_config_t);
+
+	this->public.backend.create_peer_cfg_enumerator = (enumerator_t*(*)(backend_t*, identification_t *me, identification_t *other))create_peer_cfg_enumerator;
+	this->public.backend.create_ike_cfg_enumerator = (enumerator_t*(*)(backend_t*, host_t *me, host_t *other))create_ike_cfg_enumerator;
+	this->public.backend.get_peer_cfg_by_name = (peer_cfg_t* (*)(backend_t*,char*))get_peer_cfg_by_name;
+	this->public.add = (void(*)(stroke_config_t*, stroke_msg_t *msg))add;
+	this->public.del = (void(*)(stroke_config_t*, stroke_msg_t *msg))del;
+	this->public.destroy = (void(*)(stroke_config_t*))destroy;
+
+	this->list = linked_list_create();
+	this->mutex = mutex_create(MUTEX_TYPE_RECURSIVE);
+	this->ca = ca;
+	this->cred = cred;
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/plugins/stroke/stroke_config.h b/src/libcharon/plugins/stroke/stroke_config.h
new file mode 100644
index 000000000..05e4665ca
--- /dev/null
+++ b/src/libcharon/plugins/stroke/stroke_config.h
@@ -0,0 +1,66 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup stroke_config stroke_config
+ * @{ @ingroup stroke
+ */
+
+#ifndef STROKE_CONFIG_H_
+#define STROKE_CONFIG_H_
+
+#include <config/backend.h>
+#include <stroke_msg.h>
+#include "stroke_ca.h"
+#include "stroke_cred.h"
+
+typedef struct stroke_config_t stroke_config_t;
+
+/**
+ * Stroke in-memory configuration backend
+ */
+struct stroke_config_t {
+
+	/**
+	 * Implements the backend_t interface
+	 */
+	backend_t backend;
+
+	/**
+	 * Add a configuration to the backend.
+	 *
+	 * @param msg		received stroke message containing config
+	 */
+	void (*add)(stroke_config_t *this, stroke_msg_t *msg);
+
+	/**
+	 * Remove a configuration from the backend.
+	 *
+	 * @param msg		received stroke message containing config name
+	 */
+	void (*del)(stroke_config_t *this, stroke_msg_t *msg);
+
+	/**
+	 * Destroy a stroke_config instance.
+	 */
+	void (*destroy)(stroke_config_t *this);
+};
+
+/**
+ * Create a stroke_config instance.
+ */
+stroke_config_t *stroke_config_create(stroke_ca_t *ca, stroke_cred_t *cred);
+
+#endif /** STROKE_CONFIG_H_ @}*/
diff --git a/src/libcharon/plugins/stroke/stroke_control.c b/src/libcharon/plugins/stroke/stroke_control.c
new file mode 100644
index 000000000..a03aef697
--- /dev/null
+++ b/src/libcharon/plugins/stroke/stroke_control.c
@@ -0,0 +1,491 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "stroke_control.h"
+
+#include <daemon.h>
+#include <processing/jobs/delete_ike_sa_job.h>
+
+typedef struct private_stroke_control_t private_stroke_control_t;
+
+/**
+ * private data of stroke_control
+ */
+struct private_stroke_control_t {
+
+	/**
+	 * public functions
+	 */
+	stroke_control_t public;
+};
+
+
+typedef struct stroke_log_info_t stroke_log_info_t;
+
+/**
+ * helper struct to say what and where to log when using controller callback
+ */
+struct stroke_log_info_t {
+
+	/**
+	 * level to log up to
+	 */
+	level_t level;
+
+	/**
+	 * where to write log
+	 */
+	FILE* out;
+};
+
+/**
+ * logging to the stroke interface
+ */
+static bool stroke_log(stroke_log_info_t *info, debug_t group, level_t level,
+					   ike_sa_t *ike_sa, char *format, va_list args)
+{
+	if (level <= info->level)
+	{
+		if (vfprintf(info->out, format, args) < 0 ||
+			fprintf(info->out, "\n") < 0 ||
+			fflush(info->out) != 0)
+		{
+			return FALSE;
+		}
+	}
+	return TRUE;
+}
+
+/**
+ * get the child_cfg with the same name as the peer cfg
+ */
+static child_cfg_t* get_child_from_peer(peer_cfg_t *peer_cfg, char *name)
+{
+	child_cfg_t *current, *found = NULL;
+	enumerator_t *enumerator;
+
+	enumerator = peer_cfg->create_child_cfg_enumerator(peer_cfg);
+	while (enumerator->enumerate(enumerator, &current))
+	{
+		if (streq(current->get_name(current), name))
+		{
+			found = current;
+			found->get_ref(found);
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return found;
+}
+
+/**
+ * Implementation of stroke_control_t.initiate.
+ */
+static void initiate(private_stroke_control_t *this, stroke_msg_t *msg, FILE *out)
+{
+	peer_cfg_t *peer_cfg;
+	child_cfg_t *child_cfg;
+	stroke_log_info_t info;
+
+	peer_cfg = charon->backends->get_peer_cfg_by_name(charon->backends,
+													  msg->initiate.name);
+	if (peer_cfg == NULL)
+	{
+		DBG1(DBG_CFG, "no config named '%s'\n", msg->initiate.name);
+		return;
+	}
+	if (peer_cfg->get_ike_version(peer_cfg) != 2)
+	{
+		DBG1(DBG_CFG, "ignoring initiation request for IKEv%d config",
+			 peer_cfg->get_ike_version(peer_cfg));
+		peer_cfg->destroy(peer_cfg);
+		return;
+	}
+
+	child_cfg = get_child_from_peer(peer_cfg, msg->initiate.name);
+	if (child_cfg == NULL)
+	{
+		DBG1(DBG_CFG, "no child config named '%s'\n", msg->initiate.name);
+		peer_cfg->destroy(peer_cfg);
+		return;
+	}
+
+	if (msg->output_verbosity < 0)
+	{
+		charon->controller->initiate(charon->controller, peer_cfg, child_cfg,
+									 NULL, NULL);
+	}
+	else
+	{
+		info.out = out;
+		info.level = msg->output_verbosity;
+		charon->controller->initiate(charon->controller, peer_cfg, child_cfg,
+									 (controller_cb_t)stroke_log, &info);
+	}
+}
+
+/**
+ * Implementation of stroke_control_t.terminate.
+ */
+static void terminate(private_stroke_control_t *this, stroke_msg_t *msg, FILE *out)
+{
+	char *string, *pos = NULL, *name = NULL;
+	u_int32_t id = 0;
+	bool child, all = FALSE;
+	int len;
+	ike_sa_t *ike_sa;
+	enumerator_t *enumerator;
+	linked_list_t *ike_list, *child_list;
+	stroke_log_info_t info;
+	uintptr_t del;
+
+	string = msg->terminate.name;
+
+	len = strlen(string);
+	if (len < 1)
+	{
+		DBG1(DBG_CFG, "error parsing string");
+		return;
+	}
+	switch (string[len-1])
+	{
+		case '}':
+			child = TRUE;
+			pos = strchr(string, '{');
+			break;
+		case ']':
+			child = FALSE;
+			pos = strchr(string, '[');
+			break;
+		default:
+			name = string;
+			child = FALSE;
+			break;
+	}
+
+	if (name)
+	{
+		/* is a single name */
+	}
+	else if (pos == string + len - 2)
+	{	/* is name[] or name{} */
+		string[len-2] = '\0';
+		name = string;
+	}
+	else
+	{
+		if (*(pos + 1) == '*')
+		{	/* is name[*] */
+			all = TRUE;
+			*pos = '\0';
+			name = string;
+		}
+		else
+		{	/* is name[123] or name{23} */
+			id = atoi(pos + 1);
+			if (id == 0)
+			{
+				DBG1(DBG_CFG, "error parsing string");
+				return;
+			}
+		}
+	}
+
+	info.out = out;
+	info.level = msg->output_verbosity;
+
+	if (id)
+	{
+		if (child)
+		{
+			charon->controller->terminate_child(charon->controller, id,
+									(controller_cb_t)stroke_log, &info);
+		}
+		else
+		{
+			charon->controller->terminate_ike(charon->controller, id,
+									(controller_cb_t)stroke_log, &info);
+		}
+		return;
+	}
+
+	ike_list = linked_list_create();
+	child_list = linked_list_create();
+	enumerator = charon->controller->create_ike_sa_enumerator(charon->controller);
+	while (enumerator->enumerate(enumerator, &ike_sa))
+	{
+		child_sa_t *child_sa;
+		iterator_t *children;
+
+		if (child)
+		{
+			children = ike_sa->create_child_sa_iterator(ike_sa);
+			while (children->iterate(children, (void**)&child_sa))
+			{
+				if (streq(name, child_sa->get_name(child_sa)))
+				{
+					child_list->insert_last(child_list,
+							(void*)(uintptr_t)child_sa->get_reqid(child_sa));
+					if (!all)
+					{
+						break;
+					}
+				}
+			}
+			children->destroy(children);
+			if (child_list->get_count(child_list) && !all)
+			{
+				break;
+			}
+		}
+		else if (streq(name, ike_sa->get_name(ike_sa)))
+		{
+			ike_list->insert_last(ike_list,
+						(void*)(uintptr_t)ike_sa->get_unique_id(ike_sa));
+			if (!all)
+			{
+				break;
+			}
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	enumerator = child_list->create_enumerator(child_list);
+	while (enumerator->enumerate(enumerator, &del))
+	{
+		charon->controller->terminate_child(charon->controller, del,
+									(controller_cb_t)stroke_log, &info);
+	}
+	enumerator->destroy(enumerator);
+
+	enumerator = ike_list->create_enumerator(ike_list);
+	while (enumerator->enumerate(enumerator, &del))
+	{
+		charon->controller->terminate_ike(charon->controller, del,
+									(controller_cb_t)stroke_log, &info);
+	}
+	enumerator->destroy(enumerator);
+
+	if (child_list->get_count(child_list) == 0 &&
+		ike_list->get_count(ike_list) == 0)
+	{
+		DBG1(DBG_CFG, "no %s_SA named '%s' found",
+			 child ? "CHILD" : "IKE", name);
+	}
+	ike_list->destroy(ike_list);
+	child_list->destroy(child_list);
+}
+
+/**
+ * Implementation of stroke_control_t.terminate_srcip.
+ */
+static void terminate_srcip(private_stroke_control_t *this,
+							stroke_msg_t *msg, FILE *out)
+{
+	enumerator_t *enumerator;
+	ike_sa_t *ike_sa;
+	host_t *start = NULL, *end = NULL, *vip;
+	chunk_t chunk_start, chunk_end = chunk_empty, chunk_vip;
+
+	if (msg->terminate_srcip.start)
+	{
+		start = host_create_from_string(msg->terminate_srcip.start, 0);
+	}
+	if (!start)
+	{
+		DBG1(DBG_CFG, "invalid start address: %s", msg->terminate_srcip.start);
+		return;
+	}
+	chunk_start = start->get_address(start);
+	if (msg->terminate_srcip.end)
+	{
+		end = host_create_from_string(msg->terminate_srcip.end, 0);
+		if (!end)
+		{
+			DBG1(DBG_CFG, "invalid end address: %s", msg->terminate_srcip.end);
+			start->destroy(start);
+			return;
+		}
+		chunk_end = end->get_address(end);
+	}
+
+	enumerator = charon->controller->create_ike_sa_enumerator(charon->controller);
+	while (enumerator->enumerate(enumerator, &ike_sa))
+	{
+		vip = ike_sa->get_virtual_ip(ike_sa, FALSE);
+		if (!vip)
+		{
+			continue;
+		}
+		if (!end)
+		{
+			if (!vip->ip_equals(vip, start))
+			{
+				continue;
+			}
+		}
+		else
+		{
+			chunk_vip = vip->get_address(vip);
+			if (chunk_vip.len != chunk_start.len ||
+				chunk_vip.len != chunk_end.len ||
+				memcmp(chunk_vip.ptr, chunk_start.ptr, chunk_vip.len) < 0 ||
+				memcmp(chunk_vip.ptr, chunk_end.ptr, chunk_vip.len) > 0)
+			{
+				continue;
+			}
+		}
+
+		/* schedule delete asynchronously */
+		charon->processor->queue_job(charon->processor, (job_t*)
+						delete_ike_sa_job_create(ike_sa->get_id(ike_sa), TRUE));
+	}
+	enumerator->destroy(enumerator);
+	start->destroy(start);
+	DESTROY_IF(end);
+}
+
+/**
+ * Implementation of stroke_control_t.purge_ike
+ */
+static void purge_ike(private_stroke_control_t *this, stroke_msg_t *msg, FILE *out)
+{
+	enumerator_t *enumerator;
+	iterator_t *iterator;
+	ike_sa_t *ike_sa;
+	child_sa_t *child_sa;
+	linked_list_t *list;
+	uintptr_t del;
+	stroke_log_info_t info;
+
+	info.out = out;
+	info.level = msg->output_verbosity;
+
+	list = linked_list_create();
+	enumerator = charon->controller->create_ike_sa_enumerator(charon->controller);
+	while (enumerator->enumerate(enumerator, &ike_sa))
+	{
+		iterator = ike_sa->create_child_sa_iterator(ike_sa);
+		if (!iterator->iterate(iterator, (void**)&child_sa))
+		{
+			list->insert_last(list,
+						(void*)(uintptr_t)ike_sa->get_unique_id(ike_sa));
+		}
+		iterator->destroy(iterator);
+	}
+	enumerator->destroy(enumerator);
+
+	enumerator = list->create_enumerator(list);
+	while (enumerator->enumerate(enumerator, &del))
+	{
+		charon->controller->terminate_ike(charon->controller, del,
+									(controller_cb_t)stroke_log, &info);
+	}
+	enumerator->destroy(enumerator);
+	list->destroy(list);
+}
+
+/**
+ * Implementation of stroke_control_t.route.
+ */
+static void route(private_stroke_control_t *this, stroke_msg_t *msg, FILE *out)
+{
+	peer_cfg_t *peer_cfg;
+	child_cfg_t *child_cfg;
+
+	peer_cfg = charon->backends->get_peer_cfg_by_name(charon->backends,
+													  msg->route.name);
+	if (peer_cfg == NULL)
+	{
+		fprintf(out, "no config named '%s'\n", msg->route.name);
+		return;
+	}
+	if (peer_cfg->get_ike_version(peer_cfg) != 2)
+	{
+		peer_cfg->destroy(peer_cfg);
+		return;
+	}
+
+	child_cfg = get_child_from_peer(peer_cfg, msg->route.name);
+	if (child_cfg == NULL)
+	{
+		fprintf(out, "no child config named '%s'\n", msg->route.name);
+		peer_cfg->destroy(peer_cfg);
+		return;
+	}
+
+	if (charon->traps->install(charon->traps, peer_cfg, child_cfg))
+	{
+		fprintf(out, "configuration '%s' routed\n", msg->route.name);
+	}
+	else
+	{
+		fprintf(out, "routing configuration '%s' failed\n", msg->route.name);
+	}
+	peer_cfg->destroy(peer_cfg);
+	child_cfg->destroy(child_cfg);
+}
+
+/**
+ * Implementation of stroke_control_t.unroute.
+ */
+static void unroute(private_stroke_control_t *this, stroke_msg_t *msg, FILE *out)
+{
+	child_sa_t *child_sa;
+	enumerator_t *enumerator;
+	u_int32_t id;
+
+	enumerator = charon->traps->create_enumerator(charon->traps);
+	while (enumerator->enumerate(enumerator, NULL, &child_sa))
+	{
+		if (streq(msg->unroute.name, child_sa->get_name(child_sa)))
+		{
+			id = child_sa->get_reqid(child_sa);
+			enumerator->destroy(enumerator);
+			charon->traps->uninstall(charon->traps, id);
+			fprintf(out, "configuration '%s' unrouted\n", msg->unroute.name);
+			return;
+		}
+	}
+	enumerator->destroy(enumerator);
+	fprintf(out, "configuration '%s' not found\n", msg->unroute.name);
+}
+
+/**
+ * Implementation of stroke_control_t.destroy
+ */
+static void destroy(private_stroke_control_t *this)
+{
+	free(this);
+}
+
+/*
+ * see header file
+ */
+stroke_control_t *stroke_control_create()
+{
+	private_stroke_control_t *this = malloc_thing(private_stroke_control_t);
+
+	this->public.initiate = (void(*)(stroke_control_t*, stroke_msg_t *msg, FILE *out))initiate;
+	this->public.terminate = (void(*)(stroke_control_t*, stroke_msg_t *msg, FILE *out))terminate;
+	this->public.terminate_srcip = (void(*)(stroke_control_t*, stroke_msg_t *msg, FILE *out))terminate_srcip;
+	this->public.purge_ike = (void(*)(stroke_control_t*, stroke_msg_t *msg, FILE *out))purge_ike;
+	this->public.route = (void(*)(stroke_control_t*, stroke_msg_t *msg, FILE *out))route;
+	this->public.unroute = (void(*)(stroke_control_t*, stroke_msg_t *msg, FILE *out))unroute;
+	this->public.destroy = (void(*)(stroke_control_t*))destroy;
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/plugins/stroke/stroke_control.h b/src/libcharon/plugins/stroke/stroke_control.h
new file mode 100644
index 000000000..9b49bdc31
--- /dev/null
+++ b/src/libcharon/plugins/stroke/stroke_control.h
@@ -0,0 +1,88 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup stroke_control stroke_control
+ * @{ @ingroup stroke
+ */
+
+#ifndef STROKE_CONTROL_H_
+#define STROKE_CONTROL_H_
+
+#include <stroke_msg.h>
+#include <library.h>
+#include <stdio.h>
+
+typedef struct stroke_control_t stroke_control_t;
+
+/**
+ * Process stroke control messages
+ */
+struct stroke_control_t {
+
+	/**
+	 * Initiate a connection.
+	 *
+	 * @param msg		stroke message
+	 */
+	void (*initiate)(stroke_control_t *this, stroke_msg_t *msg, FILE *out);
+
+	/**
+	 * Terminate a connection.
+	 *
+	 * @param msg		stroke message
+	 */
+	void (*terminate)(stroke_control_t *this, stroke_msg_t *msg, FILE *out);
+
+	/**
+	 * Terminate a connection by peers virtual IP.
+	 *
+	 * @param msg		stroke message
+	 */
+	void (*terminate_srcip)(stroke_control_t *this, stroke_msg_t *msg, FILE *out);
+
+	/**
+	 * Delete IKE_SAs without a CHILD_SA.
+	 *
+	 * @param msg		stroke message
+	 */
+	void (*purge_ike)(stroke_control_t *this, stroke_msg_t *msg, FILE *out);
+
+	/**
+	 * Route a connection.
+	 *
+	 * @param msg		stroke message
+	 */
+	void (*route)(stroke_control_t *this, stroke_msg_t *msg, FILE *out);
+
+	/**
+	 * Unroute a connection.
+	 *
+	 * @param msg		stroke message
+	 */
+	void (*unroute)(stroke_control_t *this, stroke_msg_t *msg, FILE *out);
+
+	/**
+	 * Destroy a stroke_control instance.
+	 */
+	void (*destroy)(stroke_control_t *this);
+};
+
+/**
+ * Create a stroke_control instance.
+ */
+stroke_control_t *stroke_control_create();
+
+#endif /** STROKE_CONTROL_H_ @}*/
diff --git a/src/libcharon/plugins/stroke/stroke_cred.c b/src/libcharon/plugins/stroke/stroke_cred.c
new file mode 100644
index 000000000..e0a5210a9
--- /dev/null
+++ b/src/libcharon/plugins/stroke/stroke_cred.c
@@ -0,0 +1,1175 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <sys/stat.h>
+#include <limits.h>
+#include <glob.h>
+#include <libgen.h>
+
+#include "stroke_cred.h"
+#include "stroke_shared_key.h"
+
+#include <credentials/certificates/x509.h>
+#include <credentials/certificates/crl.h>
+#include <credentials/certificates/ac.h>
+#include <utils/linked_list.h>
+#include <utils/lexparser.h>
+#include <threading/rwlock.h>
+#include <daemon.h>
+
+/* configuration directories and files */
+#define CONFIG_DIR IPSEC_CONFDIR
+#define IPSEC_D_DIR CONFIG_DIR "/ipsec.d"
+#define PRIVATE_KEY_DIR IPSEC_D_DIR "/private"
+#define CERTIFICATE_DIR IPSEC_D_DIR "/certs"
+#define CA_CERTIFICATE_DIR IPSEC_D_DIR "/cacerts"
+#define AA_CERTIFICATE_DIR IPSEC_D_DIR "/aacerts"
+#define ATTR_CERTIFICATE_DIR IPSEC_D_DIR "/acerts"
+#define OCSP_CERTIFICATE_DIR IPSEC_D_DIR "/ocspcerts"
+#define CRL_DIR IPSEC_D_DIR "/crls"
+#define SECRETS_FILE CONFIG_DIR "/ipsec.secrets"
+
+#define MAX_SECRETS_RECURSION 10
+
+typedef struct private_stroke_cred_t private_stroke_cred_t;
+
+/**
+ * private data of stroke_cred
+ */
+struct private_stroke_cred_t {
+
+	/**
+	 * public functions
+	 */
+	stroke_cred_t public;
+
+	/**
+	 * list of trusted peer/signer/CA certificates (certificate_t)
+	 */
+	linked_list_t *certs;
+
+	/**
+	 * list of shared secrets (private_shared_key_t)
+	 */
+	linked_list_t *shared;
+
+	/**
+	 * list of private keys (private_key_t)
+	 */
+	linked_list_t *private;
+
+	/**
+	 * read-write lock to lists
+	 */
+	rwlock_t *lock;
+
+	/**
+	 * cache CRLs to disk?
+	 */
+	bool cachecrl;
+};
+
+/**
+ * data to pass to various filters
+ */
+typedef struct {
+	private_stroke_cred_t *this;
+	identification_t *id;
+	certificate_type_t type;
+} id_data_t;
+
+/**
+ * destroy id enumerator data and unlock list
+ */
+static void id_data_destroy(id_data_t *data)
+{
+	data->this->lock->unlock(data->this->lock);
+	free(data);
+}
+
+/**
+ * filter function for private key enumerator
+ */
+static bool private_filter(id_data_t *data,
+						   private_key_t **in, private_key_t **out)
+{
+	private_key_t *key;
+
+	key = *in;
+	if (data->id == NULL)
+	{
+		*out = key;
+		return TRUE;
+	}
+	if (key->has_fingerprint(key, data->id->get_encoding(data->id)))
+	{
+		*out = key;
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/**
+ * Implements credential_set_t.create_private_enumerator
+ */
+static enumerator_t* create_private_enumerator(private_stroke_cred_t *this,
+							key_type_t type, identification_t *id)
+{
+	id_data_t *data;
+
+	data = malloc_thing(id_data_t);
+	data->this = this;
+	data->id = id;
+
+	this->lock->read_lock(this->lock);
+	return enumerator_create_filter(this->private->create_enumerator(this->private),
+									(void*)private_filter, data,
+									(void*)id_data_destroy);
+}
+
+/**
+ * filter function for certs enumerator
+ */
+static bool certs_filter(id_data_t *data, certificate_t **in, certificate_t **out)
+{
+	public_key_t *public;
+	certificate_t *cert = *in;
+
+	if (data->type != CERT_ANY && data->type != cert->get_type(cert))
+	{
+		return FALSE;
+	}
+	if (data->id == NULL || cert->has_subject(cert, data->id))
+	{
+		*out = *in;
+		return TRUE;
+	}
+
+	public = cert->get_public_key(cert);
+	if (public)
+	{
+		if (public->has_fingerprint(public, data->id->get_encoding(data->id)))
+		{
+			public->destroy(public);
+			*out = *in;
+			return TRUE;
+		}
+		public->destroy(public);
+	}
+	return FALSE;
+}
+
+/**
+ * Implements credential_set_t.create_cert_enumerator
+ */
+static enumerator_t* create_cert_enumerator(private_stroke_cred_t *this,
+							certificate_type_t cert, key_type_t key,
+							identification_t *id, bool trusted)
+{
+	id_data_t *data;
+
+	if (trusted && (cert == CERT_X509_CRL || cert == CERT_X509_AC))
+	{
+		return NULL;
+	}
+	data = malloc_thing(id_data_t);
+	data->this = this;
+	data->id = id;
+	data->type = cert;
+
+	this->lock->read_lock(this->lock);
+	return enumerator_create_filter(this->certs->create_enumerator(this->certs),
+									(void*)certs_filter, data,
+									(void*)id_data_destroy);
+}
+
+typedef struct {
+	private_stroke_cred_t *this;
+	identification_t *me;
+	identification_t *other;
+	shared_key_type_t type;
+} shared_data_t;
+
+/**
+ * free shared key enumerator data and unlock list
+ */
+static void shared_data_destroy(shared_data_t *data)
+{
+	data->this->lock->unlock(data->this->lock);
+	free(data);
+}
+
+/**
+ * filter function for certs enumerator
+ */
+static bool shared_filter(shared_data_t *data,
+						  stroke_shared_key_t **in, shared_key_t **out,
+						  void **unused1, id_match_t *me,
+						  void **unused2, id_match_t *other)
+{
+	id_match_t my_match = ID_MATCH_NONE, other_match = ID_MATCH_NONE;
+	stroke_shared_key_t *stroke = *in;
+	shared_key_t *shared = &stroke->shared;
+
+	if (data->type != SHARED_ANY && shared->get_type(shared) != data->type)
+	{
+		return FALSE;
+	}
+
+	if (data->me)
+	{
+		my_match = stroke->has_owner(stroke, data->me);
+	}
+	if (data->other)
+	{
+		other_match = stroke->has_owner(stroke, data->other);
+	}
+	if ((data->me || data->other) && (!my_match && !other_match))
+	{
+		return FALSE;
+	}
+	*out = shared;
+	if (me)
+	{
+		*me = my_match;
+	}
+	if (other)
+	{
+		*other = other_match;
+	}
+	return TRUE;
+}
+
+/**
+ * Implements credential_set_t.create_shared_enumerator
+ */
+static enumerator_t* create_shared_enumerator(private_stroke_cred_t *this,
+							shared_key_type_t type,	identification_t *me,
+							identification_t *other)
+{
+	shared_data_t *data = malloc_thing(shared_data_t);
+
+	data->this = this;
+	data->me = me;
+	data->other = other;
+	data->type = type;
+	this->lock->read_lock(this->lock);
+	return enumerator_create_filter(this->shared->create_enumerator(this->shared),
+									(void*)shared_filter, data,
+									(void*)shared_data_destroy);
+}
+
+/**
+ * Add a certificate to chain
+ */
+static certificate_t* add_cert(private_stroke_cred_t *this, certificate_t *cert)
+{
+	certificate_t *current;
+	enumerator_t *enumerator;
+	bool new = TRUE;
+
+	this->lock->read_lock(this->lock);
+	enumerator = this->certs->create_enumerator(this->certs);
+	while (enumerator->enumerate(enumerator, (void**)&current))
+	{
+		if (current->equals(current, cert))
+		{
+			/* cert already in queue */
+			cert->destroy(cert);
+			cert = current;
+			new = FALSE;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	if (new)
+	{
+		this->certs->insert_last(this->certs, cert);
+	}
+	this->lock->unlock(this->lock);
+	return cert;
+}
+
+/**
+ * Implementation of stroke_cred_t.load_ca.
+ */
+static certificate_t* load_ca(private_stroke_cred_t *this, char *filename)
+{
+	certificate_t *cert;
+	char path[PATH_MAX];
+
+	if (*filename == '/')
+	{
+		snprintf(path, sizeof(path), "%s", filename);
+	}
+	else
+	{
+		snprintf(path, sizeof(path), "%s/%s", CA_CERTIFICATE_DIR, filename);
+	}
+
+	cert = lib->creds->create(lib->creds,
+							  CRED_CERTIFICATE, CERT_X509,
+							  BUILD_FROM_FILE, path,
+							  BUILD_END);
+	if (cert)
+	{
+		x509_t *x509 = (x509_t*)cert;
+
+		if (!(x509->get_flags(x509) & X509_CA))
+		{
+			DBG1(DBG_CFG, "  ca certificate \"%Y\" misses ca basic constraint, "
+				 "discarded", cert->get_subject(cert));
+			cert->destroy(cert);
+			return NULL;
+		}
+		return (certificate_t*)add_cert(this, cert);
+	}
+	return NULL;
+}
+
+/**
+ * Add X.509 CRL to chain
+ */
+static bool add_crl(private_stroke_cred_t *this, crl_t* crl)
+{
+	certificate_t *current, *cert = &crl->certificate;
+	enumerator_t *enumerator;
+	bool new = TRUE, found = FALSE;
+
+	this->lock->write_lock(this->lock);
+	enumerator = this->certs->create_enumerator(this->certs);
+	while (enumerator->enumerate(enumerator, (void**)&current))
+	{
+		if (current->get_type(current) == CERT_X509_CRL)
+		{
+			crl_t *crl_c = (crl_t*)current;
+			chunk_t authkey = crl->get_authKeyIdentifier(crl);
+			chunk_t authkey_c = crl_c->get_authKeyIdentifier(crl_c);
+
+			/* if compare authorityKeyIdentifiers if available */
+			if (authkey.ptr && authkey_c.ptr && chunk_equals(authkey, authkey_c))
+			{
+				found = TRUE;
+			}
+			else
+			{
+				identification_t *issuer = cert->get_issuer(cert);
+				identification_t *issuer_c = current->get_issuer(current);
+
+				/* otherwise compare issuer distinguished names */
+				if (issuer->equals(issuer, issuer_c))
+				{
+					found = TRUE;
+				}
+			}
+			if (found)
+			{
+				new = cert->is_newer(cert, current);
+				if (new)
+				{
+					this->certs->remove_at(this->certs, enumerator);
+				}
+				else
+				{
+					cert->destroy(cert);
+				}
+				break;
+			}
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	if (new)
+	{
+		this->certs->insert_last(this->certs, cert);
+	}
+	this->lock->unlock(this->lock);
+	return new;
+}
+
+/**
+ * Add X.509 attribute certificate to chain
+ */
+static bool add_ac(private_stroke_cred_t *this, ac_t* ac)
+{
+	certificate_t *cert = &ac->certificate;
+
+	this->lock->write_lock(this->lock);
+	this->certs->insert_last(this->certs, cert);
+	this->lock->unlock(this->lock);
+	return TRUE;
+}
+
+/**
+ * Implementation of stroke_cred_t.load_peer.
+ */
+static certificate_t* load_peer(private_stroke_cred_t *this, char *filename)
+{
+	certificate_t *cert;
+	char path[PATH_MAX];
+
+	if (*filename == '/')
+	{
+		snprintf(path, sizeof(path), "%s", filename);
+	}
+	else
+	{
+		snprintf(path, sizeof(path), "%s/%s", CERTIFICATE_DIR, filename);
+	}
+
+	cert = lib->creds->create(lib->creds,
+							  CRED_CERTIFICATE, CERT_ANY,
+							  BUILD_FROM_FILE, path,
+							  BUILD_END);
+	if (cert)
+	{
+		cert = add_cert(this, cert);
+		DBG1(DBG_CFG, "  loaded certificate \"%Y\" from '%s'",
+					  cert->get_subject(cert), filename);
+		return cert->get_ref(cert);
+	}
+	DBG1(DBG_CFG, "  loading certificate from '%s' failed", filename);
+	return NULL;
+}
+
+/**
+ * load trusted certificates from a directory
+ */
+static void load_certdir(private_stroke_cred_t *this, char *path,
+						 certificate_type_t type, x509_flag_t flag)
+{
+	struct stat st;
+	char *file;
+
+	enumerator_t *enumerator = enumerator_create_directory(path);
+
+	if (!enumerator)
+	{
+		DBG1(DBG_CFG, "  reading directory failed");
+		return;
+	}
+
+	while (enumerator->enumerate(enumerator, NULL, &file, &st))
+	{
+		certificate_t *cert;
+
+		if (!S_ISREG(st.st_mode))
+		{
+			/* skip special file */
+			continue;
+		}
+		switch (type)
+		{
+			case CERT_X509:
+				if (flag & X509_CA)
+				{	/* for CA certificates, we strictly require
+					 * the CA basic constraint to be set */
+					cert = lib->creds->create(lib->creds,
+										CRED_CERTIFICATE, CERT_X509,
+										BUILD_FROM_FILE, file, BUILD_END);
+					if (cert)
+					{
+						x509_t *x509 = (x509_t*)cert;
+
+						if (!(x509->get_flags(x509) & X509_CA))
+						{
+							DBG1(DBG_CFG, "  ca certificate \"%Y\" lacks "
+								 "ca basic constraint, discarded",
+								 cert->get_subject(cert));
+							cert->destroy(cert);
+							cert = NULL;
+						}
+						else
+						{
+							DBG1(DBG_CFG, "  loaded ca certificate \"%Y\" from '%s'",
+										  cert->get_subject(cert), file);
+						}
+					}
+					else
+					{
+						DBG1(DBG_CFG, "  loading ca certificate from '%s' "
+									  "failed", file);
+					}
+				}
+				else
+				{	/* for all other flags, we add them to the certificate. */
+					cert = lib->creds->create(lib->creds,
+										CRED_CERTIFICATE, CERT_X509,
+										BUILD_FROM_FILE, file,
+										BUILD_X509_FLAG, flag, BUILD_END);
+					if (cert)
+					{
+						DBG1(DBG_CFG, "  loaded certificate \"%Y\" from '%s'",
+									  cert->get_subject(cert), file);
+					}
+					else
+					{
+						DBG1(DBG_CFG, "  loading certificate from '%s' "
+									  "failed", file);
+					}
+				}
+				if (cert)
+				{
+					add_cert(this, cert);
+				}
+				break;
+			case CERT_X509_CRL:
+				cert = lib->creds->create(lib->creds,
+										  CRED_CERTIFICATE, CERT_X509_CRL,
+										  BUILD_FROM_FILE, file,
+										  BUILD_END);
+				if (cert)
+				{
+					add_crl(this, (crl_t*)cert);
+					DBG1(DBG_CFG, "  loaded crl from '%s'",  file);
+				}
+				else
+				{
+					DBG1(DBG_CFG, "  loading crl from '%s' failed", file);
+				}
+				break;
+			case CERT_X509_AC:
+				cert = lib->creds->create(lib->creds,
+										  CRED_CERTIFICATE, CERT_X509_AC,
+										  BUILD_FROM_FILE, file,
+										  BUILD_END);
+				if (cert)
+				{
+					add_ac(this, (ac_t*)cert);
+					DBG1(DBG_CFG, "  loaded attribute certificate from '%s'",
+								  file);
+				}
+				else
+				{
+					DBG1(DBG_CFG, "  loading attribute certificate from '%s' "
+								  "failed", file);
+				}
+				break;
+			default:
+				break;
+		}
+	}
+	enumerator->destroy(enumerator);
+}
+
+/**
+ * Implementation of credential_set_t.cache_cert.
+ */
+static void cache_cert(private_stroke_cred_t *this, certificate_t *cert)
+{
+	if (cert->get_type(cert) == CERT_X509_CRL && this->cachecrl)
+	{
+		/* CRLs get written to /etc/ipsec.d/crls/<authkeyId>.crl */
+		crl_t *crl = (crl_t*)cert;
+
+		cert->get_ref(cert);
+		if (add_crl(this, crl))
+		{
+			char buf[BUF_LEN];
+			chunk_t chunk, hex;
+
+			chunk = crl->get_authKeyIdentifier(crl);
+			hex = chunk_to_hex(chunk, NULL, FALSE);
+			snprintf(buf, sizeof(buf), "%s/%s.crl", CRL_DIR, hex);
+			free(hex.ptr);
+
+			chunk = cert->get_encoding(cert);
+			chunk_write(chunk, buf, "crl", 022, TRUE);
+			free(chunk.ptr);
+		}
+	}
+}
+
+/**
+ * Implementation of stroke_cred_t.cachecrl.
+ */
+static void cachecrl(private_stroke_cred_t *this, bool enabled)
+{
+	DBG1(DBG_CFG, "crl caching to %s %s",
+		 CRL_DIR, enabled ? "enabled" : "disabled");
+	this->cachecrl = enabled;
+}
+
+
+/**
+ * Convert a string of characters into a binary secret
+ * A string between single or double quotes is treated as ASCII characters
+ * A string prepended by 0x is treated as HEX and prepended by 0s as Base64
+ */
+static err_t extract_secret(chunk_t *secret, chunk_t *line)
+{
+	chunk_t raw_secret;
+	char delimiter = ' ';
+	bool quotes = FALSE;
+
+	if (!eat_whitespace(line))
+	{
+		return "missing secret";
+	}
+
+	if (*line->ptr == '\'' || *line->ptr == '"')
+	{
+		quotes = TRUE;
+		delimiter = *line->ptr;
+		line->ptr++;  line->len--;
+	}
+
+	if (!extract_token(&raw_secret, delimiter, line))
+	{
+		if (delimiter == ' ')
+		{
+			raw_secret = *line;
+		}
+		else
+		{
+			return "missing second delimiter";
+		}
+	}
+
+	if (quotes)
+	{
+		/* treat as an ASCII string */
+		*secret = chunk_clone(raw_secret);
+		return NULL;
+	}
+	/* treat 0x as hex, 0s as base64 */
+	if (raw_secret.len > 2)
+	{
+		if (strncasecmp("0x", raw_secret.ptr, 2) == 0)
+		{
+			*secret = chunk_from_hex(chunk_skip(raw_secret, 2), NULL);
+			return NULL;
+		}
+		if (strncasecmp("0s", raw_secret.ptr, 2) == 0)
+		{
+			*secret = chunk_from_base64(chunk_skip(raw_secret, 2), NULL);
+			return NULL;
+		}
+	}
+	*secret = chunk_clone(raw_secret);
+	return NULL;
+}
+
+/**
+ * Data to pass to passphrase_cb
+ */
+typedef struct {
+	/** socket we use for prompting */
+	FILE *prompt;
+	/** private key file */
+	char *file;
+	/** buffer for passphrase */
+	char buf[256];
+} passphrase_cb_data_t;
+
+/**
+ * Passphrase callback to read from whack fd
+ */
+chunk_t passphrase_cb(passphrase_cb_data_t *data, int try)
+{
+	chunk_t secret = chunk_empty;;
+
+	if (try > 5)
+	{
+		fprintf(data->prompt, "invalid passphrase, too many trials\n");
+		return chunk_empty;
+	}
+	if (try == 1)
+	{
+		fprintf(data->prompt, "Private key '%s' is encrypted\n", data->file);
+	}
+	else
+	{
+		fprintf(data->prompt, "invalid passphrase\n");
+	}
+	fprintf(data->prompt, "Passphrase:\n");
+	if (fgets(data->buf, sizeof(data->buf), data->prompt))
+	{
+		secret = chunk_create(data->buf, strlen(data->buf));
+		if (secret.len)
+		{	/* trim appended \n */
+			secret.len--;
+		}
+	}
+	return secret;
+}
+
+/**
+ * reload ipsec.secrets
+ */
+static void load_secrets(private_stroke_cred_t *this, char *file, int level,
+						 FILE *prompt)
+{
+	size_t bytes;
+	int line_nr = 0;
+	chunk_t chunk, src, line;
+	FILE *fd;
+	private_key_t *private;
+	shared_key_t *shared;
+
+	DBG1(DBG_CFG, "loading secrets from '%s'", file);
+
+	fd = fopen(file, "r");
+	if (fd == NULL)
+	{
+		DBG1(DBG_CFG, "opening secrets file '%s' failed", file);
+		return;
+	}
+
+	/* TODO: do error checks */
+	fseek(fd, 0, SEEK_END);
+	chunk.len = ftell(fd);
+	rewind(fd);
+	chunk.ptr = malloc(chunk.len);
+	bytes = fread(chunk.ptr, 1, chunk.len, fd);
+	fclose(fd);
+	src = chunk;
+
+	if (level == 0)
+	{
+		this->lock->write_lock(this->lock);
+
+		/* flush secrets on non-recursive invocation */
+		while (this->shared->remove_last(this->shared,
+										 (void**)&shared) == SUCCESS)
+		{
+			shared->destroy(shared);
+		}
+		while (this->private->remove_last(this->private,
+										  (void**)&private) == SUCCESS)
+		{
+			private->destroy(private);
+		}
+	}
+
+	while (fetchline(&src, &line))
+	{
+		chunk_t ids, token;
+		shared_key_type_t type;
+
+		line_nr++;
+
+		if (!eat_whitespace(&line))
+		{
+			continue;
+		}
+		if (line.len > strlen("include ") &&
+			strneq(line.ptr, "include ", strlen("include ")))
+		{
+			glob_t buf;
+			char **expanded, *dir, pattern[PATH_MAX];
+			u_char *pos;
+
+			if (level > MAX_SECRETS_RECURSION)
+			{
+				DBG1(DBG_CFG, "maximum level of %d includes reached, ignored",
+					 MAX_SECRETS_RECURSION);
+				continue;
+			}
+			/* terminate filename by space */
+			line = chunk_skip(line, strlen("include "));
+			pos = memchr(line.ptr, ' ', line.len);
+			if (pos)
+			{
+				line.len = pos - line.ptr;
+			}
+			if (line.len && line.ptr[0] == '/')
+			{
+				if (line.len + 1 > sizeof(pattern))
+				{
+					DBG1(DBG_CFG, "include pattern too long, ignored");
+					continue;
+				}
+				snprintf(pattern, sizeof(pattern), "%.*s", line.len, line.ptr);
+			}
+			else
+			{	/* use directory of current file if relative */
+				dir = strdup(file);
+				dir = dirname(dir);
+
+				if (line.len + 1 + strlen(dir) + 1 > sizeof(pattern))
+				{
+					DBG1(DBG_CFG, "include pattern too long, ignored");
+					free(dir);
+					continue;
+				}
+				snprintf(pattern, sizeof(pattern), "%s/%.*s",
+						 dir, line.len, line.ptr);
+				free(dir);
+			}
+			if (glob(pattern, GLOB_ERR, NULL, &buf) != 0)
+			{
+				DBG1(DBG_CFG, "expanding file expression '%s' failed", pattern);
+				globfree(&buf);
+			}
+			else
+			{
+				for (expanded = buf.gl_pathv; *expanded != NULL; expanded++)
+				{
+					load_secrets(this, *expanded, level + 1, prompt);
+				}
+			}
+			globfree(&buf);
+			continue;
+		}
+
+		if (line.len > 2 && strneq(": ", line.ptr, 2))
+		{
+			/* no ids, skip the ':' */
+			ids = chunk_empty;
+			line.ptr++;
+			line.len--;
+		}
+		else if (extract_token_str(&ids, " : ", &line))
+		{
+			/* NULL terminate the extracted id string */
+			*(ids.ptr + ids.len) = '\0';
+		}
+		else
+		{
+			DBG1(DBG_CFG, "line %d: missing ' : ' separator", line_nr);
+			goto error;
+		}
+
+		if (!eat_whitespace(&line) || !extract_token(&token, ' ', &line))
+		{
+			DBG1(DBG_CFG, "line %d: missing token", line_nr);
+			goto error;
+		}
+		if (match("RSA", &token) || match("ECDSA", &token))
+		{
+			char path[PATH_MAX];
+			chunk_t filename;
+			chunk_t secret = chunk_empty;
+			private_key_t *key = NULL;
+			key_type_t key_type = match("RSA", &token) ? KEY_RSA : KEY_ECDSA;
+
+			err_t ugh = extract_value(&filename, &line);
+
+			if (ugh != NULL)
+			{
+				DBG1(DBG_CFG, "line %d: %s", line_nr, ugh);
+				goto error;
+			}
+			if (filename.len == 0)
+			{
+				DBG1(DBG_CFG, "line %d: empty filename", line_nr);
+				goto error;
+			}
+			if (*filename.ptr == '/')
+			{
+				/* absolute path name */
+				snprintf(path, sizeof(path), "%.*s", filename.len, filename.ptr);
+			}
+			else
+			{
+				/* relative path name */
+				snprintf(path, sizeof(path), "%s/%.*s", PRIVATE_KEY_DIR,
+						 filename.len, filename.ptr);
+			}
+
+			/* check for optional passphrase */
+			if (eat_whitespace(&line))
+			{
+				ugh = extract_secret(&secret, &line);
+				if (ugh != NULL)
+				{
+					DBG1(DBG_CFG, "line %d: malformed passphrase: %s", line_nr, ugh);
+					goto error;
+				}
+			}
+			if (secret.len == 7 && strneq(secret.ptr, "%prompt", 7))
+			{
+				if (prompt)
+				{
+					passphrase_cb_data_t data;
+
+					data.prompt = prompt;
+					data.file = path;
+					key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY,
+											 key_type, BUILD_FROM_FILE, path,
+											 BUILD_PASSPHRASE_CALLBACK,
+											 passphrase_cb, &data, BUILD_END);
+				}
+			}
+			else
+			{
+				key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, key_type,
+										 BUILD_FROM_FILE, path,
+										 BUILD_PASSPHRASE, secret, BUILD_END);
+			}
+			if (key)
+			{
+				DBG1(DBG_CFG, "  loaded %N private key from '%s'",
+					 key_type_names, key->get_type(key), path);
+				this->private->insert_last(this->private, key);
+			}
+			else
+			{
+				DBG1(DBG_CFG, "  loading private key from '%s' failed", path);
+			}
+			chunk_clear(&secret);
+		}
+		else if (match("PIN", &token))
+		{
+			chunk_t sc = chunk_empty, secret = chunk_empty;
+			char smartcard[32], keyid[22], pin[32];
+			private_key_t *key;
+			u_int slot;
+
+			err_t ugh = extract_value(&sc, &line);
+
+			if (ugh != NULL)
+			{
+				DBG1(DBG_CFG, "line %d: %s", line_nr, ugh);
+				goto error;
+			}
+			if (sc.len == 0)
+			{
+				DBG1(DBG_CFG, "line %d: expected %%smartcard specifier", line_nr);
+				goto error;
+			}
+			snprintf(smartcard, sizeof(smartcard), "%.*s", sc.len, sc.ptr);
+			smartcard[sizeof(smartcard) - 1] = '\0';
+
+			/* parse slot and key id. only two formats are supported.
+			 * first try %smartcard<slot>:<keyid> */
+			if (sscanf(smartcard, "%%smartcard%u:%s", &slot, keyid) == 2)
+			{
+				snprintf(smartcard, sizeof(smartcard), "%u:%s", slot, keyid);
+			}
+			/* then try %smartcard:<keyid> */
+			else if (sscanf(smartcard, "%%smartcard:%s", keyid) == 1)
+			{
+				snprintf(smartcard, sizeof(smartcard), "%s", keyid);
+			}
+			else
+			{
+				DBG1(DBG_CFG, "line %d: the given %%smartcard specifier is not"
+						" supported or invalid", line_nr);
+				goto error;
+			}
+
+			if (!eat_whitespace(&line))
+			{
+				DBG1(DBG_CFG, "line %d: expected PIN", line_nr);
+				goto error;
+			}
+			ugh = extract_secret(&secret, &line);
+			if (ugh != NULL)
+			{
+				DBG1(DBG_CFG, "line %d: malformed PIN: %s", line_nr, ugh);
+				goto error;
+			}
+			snprintf(pin, sizeof(pin), "%.*s", secret.len, secret.ptr);
+			pin[sizeof(pin) - 1] = '\0';
+
+			/* we assume an RSA key */
+			key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+									 BUILD_SMARTCARD_KEYID, smartcard,
+									 BUILD_SMARTCARD_PIN, pin, BUILD_END);
+
+			if (key)
+			{
+				DBG1(DBG_CFG, "  loaded private key from %.*s", sc.len, sc.ptr);
+				this->private->insert_last(this->private, key);
+			}
+			memset(pin, 0, sizeof(pin));
+			chunk_clear(&secret);
+		}
+		else if ((match("PSK", &token) && (type = SHARED_IKE)) ||
+				 (match("EAP", &token) && (type = SHARED_EAP)) ||
+				 (match("NTLM", &token) && (type = SHARED_NT_HASH)) ||
+				 (match("XAUTH", &token) && (type = SHARED_EAP)))
+		{
+			stroke_shared_key_t *shared_key;
+			chunk_t secret = chunk_empty;
+			bool any = TRUE;
+
+			err_t ugh = extract_secret(&secret, &line);
+			if (ugh != NULL)
+			{
+				DBG1(DBG_CFG, "line %d: malformed secret: %s", line_nr, ugh);
+				goto error;
+			}
+			shared_key = stroke_shared_key_create(type, secret);
+			DBG1(DBG_CFG, "  loaded %N secret for %s", shared_key_type_names, type,
+				 ids.len > 0 ? (char*)ids.ptr : "%any");
+			DBG4(DBG_CFG, "  secret: %#B", &secret);
+
+			this->shared->insert_last(this->shared, shared_key);
+			while (ids.len > 0)
+			{
+				chunk_t id;
+				identification_t *peer_id;
+
+				ugh = extract_value(&id, &ids);
+				if (ugh != NULL)
+				{
+					DBG1(DBG_CFG, "line %d: %s", line_nr, ugh);
+					goto error;
+				}
+				if (id.len == 0)
+				{
+					continue;
+				}
+
+				/* NULL terminate the ID string */
+				*(id.ptr + id.len) = '\0';
+				peer_id = identification_create_from_string(id.ptr);
+				if (peer_id->get_type(peer_id) == ID_ANY)
+				{
+					peer_id->destroy(peer_id);
+					continue;
+				}
+
+				shared_key->add_owner(shared_key, peer_id);
+				any = FALSE;
+			}
+			if (any)
+			{
+				shared_key->add_owner(shared_key,
+					identification_create_from_encoding(ID_ANY, chunk_empty));
+			}
+		}
+		else
+		{
+			DBG1(DBG_CFG, "line %d: token must be either "
+				 "RSA, ECDSA, PSK, EAP, XAUTH or PIN", line_nr);
+			goto error;
+		}
+	}
+error:
+	if (level == 0)
+	{
+		this->lock->unlock(this->lock);
+	}
+	chunk_clear(&chunk);
+}
+
+/**
+ * load all certificates from ipsec.d
+ */
+static void load_certs(private_stroke_cred_t *this)
+{
+	DBG1(DBG_CFG, "loading ca certificates from '%s'",
+		 CA_CERTIFICATE_DIR);
+	load_certdir(this, CA_CERTIFICATE_DIR, CERT_X509, X509_CA);
+
+	DBG1(DBG_CFG, "loading aa certificates from '%s'",
+		 AA_CERTIFICATE_DIR);
+	load_certdir(this, AA_CERTIFICATE_DIR, CERT_X509, X509_AA);
+
+	DBG1(DBG_CFG, "loading ocsp signer certificates from '%s'",
+		 OCSP_CERTIFICATE_DIR);
+	load_certdir(this, OCSP_CERTIFICATE_DIR, CERT_X509, X509_OCSP_SIGNER);
+
+	DBG1(DBG_CFG, "loading attribute certificates from '%s'",
+		 ATTR_CERTIFICATE_DIR);
+	load_certdir(this, ATTR_CERTIFICATE_DIR, CERT_X509_AC, 0);
+
+	DBG1(DBG_CFG, "loading crls from '%s'",
+		 CRL_DIR);
+	load_certdir(this, CRL_DIR, CERT_X509_CRL, 0);
+}
+
+/**
+ * Implementation of stroke_cred_t.reread.
+ */
+static void reread(private_stroke_cred_t *this, stroke_msg_t *msg, FILE *prompt)
+{
+	if (msg->reread.flags & REREAD_SECRETS)
+	{
+		DBG1(DBG_CFG, "rereading secrets");
+		load_secrets(this, SECRETS_FILE, 0, prompt);
+	}
+	if (msg->reread.flags & REREAD_CACERTS)
+	{
+		DBG1(DBG_CFG, "rereading ca certificates from '%s'",
+			 CA_CERTIFICATE_DIR);
+		load_certdir(this, CA_CERTIFICATE_DIR, CERT_X509, X509_CA);
+	}
+	if (msg->reread.flags & REREAD_OCSPCERTS)
+	{
+		DBG1(DBG_CFG, "rereading ocsp signer certificates from '%s'",
+			 OCSP_CERTIFICATE_DIR);
+		load_certdir(this, OCSP_CERTIFICATE_DIR, CERT_X509,
+			 X509_OCSP_SIGNER);
+	}
+	if (msg->reread.flags & REREAD_AACERTS)
+	{
+		DBG1(DBG_CFG, "rereading aa certificates from '%s'",
+			 AA_CERTIFICATE_DIR);
+		load_certdir(this, AA_CERTIFICATE_DIR, CERT_X509, X509_AA);
+	}
+	if (msg->reread.flags & REREAD_ACERTS)
+	{
+		DBG1(DBG_CFG, "rereading attribute certificates from '%s'",
+			 ATTR_CERTIFICATE_DIR);
+		load_certdir(this, ATTR_CERTIFICATE_DIR, CERT_X509_AC, 0);
+	}
+	if (msg->reread.flags & REREAD_CRLS)
+	{
+		DBG1(DBG_CFG, "rereading crls from '%s'",
+			 CRL_DIR);
+		load_certdir(this, CRL_DIR, CERT_X509_CRL, 0);
+	}
+}
+
+/**
+ * Implementation of stroke_cred_t.destroy
+ */
+static void destroy(private_stroke_cred_t *this)
+{
+	this->certs->destroy_offset(this->certs, offsetof(certificate_t, destroy));
+	this->shared->destroy_offset(this->shared, offsetof(shared_key_t, destroy));
+	this->private->destroy_offset(this->private, offsetof(private_key_t, destroy));
+	this->lock->destroy(this->lock);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+stroke_cred_t *stroke_cred_create()
+{
+	private_stroke_cred_t *this = malloc_thing(private_stroke_cred_t);
+
+	this->public.set.create_private_enumerator = (void*)create_private_enumerator;
+	this->public.set.create_cert_enumerator = (void*)create_cert_enumerator;
+	this->public.set.create_shared_enumerator = (void*)create_shared_enumerator;
+	this->public.set.create_cdp_enumerator = (void*)return_null;
+	this->public.set.cache_cert = (void*)cache_cert;
+	this->public.reread = (void(*)(stroke_cred_t*, stroke_msg_t *msg, FILE*))reread;
+	this->public.load_ca = (certificate_t*(*)(stroke_cred_t*, char *filename))load_ca;
+	this->public.load_peer = (certificate_t*(*)(stroke_cred_t*, char *filename))load_peer;
+	this->public.cachecrl = (void(*)(stroke_cred_t*, bool enabled))cachecrl;
+	this->public.destroy = (void(*)(stroke_cred_t*))destroy;
+
+	this->certs = linked_list_create();
+	this->shared = linked_list_create();
+	this->private = linked_list_create();
+	this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
+
+	load_certs(this);
+	load_secrets(this, SECRETS_FILE, 0, NULL);
+
+	this->cachecrl = FALSE;
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/plugins/stroke/stroke_cred.h b/src/libcharon/plugins/stroke/stroke_cred.h
new file mode 100644
index 000000000..ccee7d87c
--- /dev/null
+++ b/src/libcharon/plugins/stroke/stroke_cred.h
@@ -0,0 +1,84 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup stroke_cred stroke_cred
+ * @{ @ingroup stroke
+ */
+
+#ifndef STROKE_CRED_H_
+#define STROKE_CRED_H_
+
+#include <stdio.h>
+
+#include <stroke_msg.h>
+#include <credentials/credential_set.h>
+#include <credentials/certificates/certificate.h>
+
+typedef struct stroke_cred_t stroke_cred_t;
+
+/**
+ * Stroke in-memory credential storage.
+ */
+struct stroke_cred_t {
+
+	/**
+	 * Implements credential_set_t
+	 */
+	credential_set_t set;
+
+	/**
+	 * Reread secrets from config files.
+	 *
+	 * @param msg		stroke message
+	 * @param prompt	I/O channel to prompt for private key passhprase
+	 */
+	void (*reread)(stroke_cred_t *this, stroke_msg_t *msg, FILE *prompt);
+
+	/**
+	 * Load a CA certificate, and serve it through the credential_set.
+	 *
+	 * @param filename		file to load CA cert from
+	 * @return				reference to loaded certificate, or NULL
+	 */
+	certificate_t* (*load_ca)(stroke_cred_t *this, char *filename);
+
+	/**
+	 * Load a peer certificate and serve it rhrough the credential_set.
+	 *
+	 * @param filename		file to load peer cert from
+	 * @return				reference to loaded certificate, or NULL
+	 */
+	certificate_t* (*load_peer)(stroke_cred_t *this, char *filename);
+
+	/**
+	 * Enable/Disable CRL caching to disk.
+	 *
+	 * @param enabled		TRUE to enable, FALSE to disable
+	 */
+	void (*cachecrl)(stroke_cred_t *this, bool enabled);
+
+	/**
+	 * Destroy a stroke_cred instance.
+	 */
+	void (*destroy)(stroke_cred_t *this);
+};
+
+/**
+ * Create a stroke_cred instance.
+ */
+stroke_cred_t *stroke_cred_create();
+
+#endif /** STROKE_CRED_H_ @}*/
diff --git a/src/libcharon/plugins/stroke/stroke_list.c b/src/libcharon/plugins/stroke/stroke_list.c
new file mode 100644
index 000000000..c2a98da33
--- /dev/null
+++ b/src/libcharon/plugins/stroke/stroke_list.c
@@ -0,0 +1,1230 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "stroke_list.h"
+
+#include <time.h>
+
+#include <daemon.h>
+#include <utils/linked_list.h>
+#include <credentials/certificates/x509.h>
+#include <credentials/certificates/ac.h>
+#include <credentials/certificates/crl.h>
+#include <credentials/certificates/pgp_certificate.h>
+#include <credentials/ietf_attributes/ietf_attributes.h>
+#include <config/peer_cfg.h>
+
+/* warning intervals for list functions */
+#define CERT_WARNING_INTERVAL  30	/* days */
+#define CRL_WARNING_INTERVAL	7	/* days */
+#define AC_WARNING_INTERVAL		1	/* day */
+
+typedef struct private_stroke_list_t private_stroke_list_t;
+
+/**
+ * private data of stroke_list
+ */
+struct private_stroke_list_t {
+
+	/**
+	 * public functions
+	 */
+	stroke_list_t public;
+
+	/**
+	 * timestamp of daemon start
+	 */
+	time_t uptime;
+
+	/**
+	 * strokes attribute provider
+	 */
+	stroke_attribute_t *attribute;
+};
+
+/**
+ * log an IKE_SA to out
+ */
+static void log_ike_sa(FILE *out, ike_sa_t *ike_sa, bool all)
+{
+	ike_sa_id_t *id = ike_sa->get_id(ike_sa);
+	time_t now = time_monotonic(NULL);
+
+	fprintf(out, "%12s[%d]: %N",
+			ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa),
+			ike_sa_state_names, ike_sa->get_state(ike_sa));
+
+	if (ike_sa->get_state(ike_sa) == IKE_ESTABLISHED)
+	{
+		time_t established;
+
+		established = ike_sa->get_statistic(ike_sa, STAT_ESTABLISHED);
+		fprintf(out, " %V ago", &now, &established);
+	}
+
+	fprintf(out, ", %H[%Y]...%H[%Y]\n",
+			ike_sa->get_my_host(ike_sa), ike_sa->get_my_id(ike_sa),
+			ike_sa->get_other_host(ike_sa), ike_sa->get_other_id(ike_sa));
+
+	if (all)
+	{
+		proposal_t *ike_proposal;
+
+		ike_proposal = ike_sa->get_proposal(ike_sa);
+
+		fprintf(out, "%12s[%d]: IKE SPIs: %.16llx_i%s %.16llx_r%s",
+				ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa),
+				id->get_initiator_spi(id), id->is_initiator(id) ? "*" : "",
+				id->get_responder_spi(id), id->is_initiator(id) ? "" : "*");
+
+
+		if (ike_sa->get_state(ike_sa) == IKE_ESTABLISHED)
+		{
+			time_t rekey, reauth;
+			peer_cfg_t *peer_cfg;
+
+			rekey = ike_sa->get_statistic(ike_sa, STAT_REKEY);
+			reauth = ike_sa->get_statistic(ike_sa, STAT_REAUTH);
+			peer_cfg = ike_sa->get_peer_cfg(ike_sa);
+
+			if (rekey)
+			{
+				fprintf(out, ", rekeying in %V", &rekey, &now);
+			}
+			if (reauth)
+			{
+				bool first = TRUE;
+				enumerator_t *enumerator;
+				auth_cfg_t *auth;
+
+				fprintf(out, ", ");
+				enumerator = peer_cfg->create_auth_cfg_enumerator(peer_cfg, TRUE);
+				while (enumerator->enumerate(enumerator, &auth))
+				{
+					if (!first)
+					{
+						fprintf(out, "+");
+					}
+					first = FALSE;
+					fprintf(out, "%N", auth_class_names,
+							auth->get(auth, AUTH_RULE_AUTH_CLASS));
+				}
+				enumerator->destroy(enumerator);
+				fprintf(out, " reauthentication in %V", &reauth, &now);
+			}
+			if (!rekey && !reauth)
+			{
+				fprintf(out, ", rekeying disabled");
+			}
+		}
+		fprintf(out, "\n");
+
+		if (ike_proposal)
+		{
+			char buf[BUF_LEN];
+
+			snprintf(buf, BUF_LEN, "%P", ike_proposal);
+			fprintf(out, "%12s[%d]: IKE proposal: %s\n",
+					ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa),
+					buf+4);
+		}
+	}
+}
+
+/**
+ * log an CHILD_SA to out
+ */
+static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all)
+{
+	time_t use_in, use_out, rekey, now;
+	u_int64_t bytes_in, bytes_out;
+	proposal_t *proposal;
+	child_cfg_t *config = child_sa->get_config(child_sa);
+
+
+	fprintf(out, "%12s{%d}:  %N, %N%s",
+			child_sa->get_name(child_sa), child_sa->get_reqid(child_sa),
+			child_sa_state_names, child_sa->get_state(child_sa),
+			ipsec_mode_names, child_sa->get_mode(child_sa),
+			config->use_proxy_mode(config) ? "_PROXY" : "");
+
+	if (child_sa->get_state(child_sa) == CHILD_INSTALLED)
+	{
+		fprintf(out, ", %N%s SPIs: %.8x_i %.8x_o",
+				protocol_id_names, child_sa->get_protocol(child_sa),
+				child_sa->has_encap(child_sa) ? " in UDP" : "",
+				ntohl(child_sa->get_spi(child_sa, TRUE)),
+				ntohl(child_sa->get_spi(child_sa, FALSE)));
+
+		if (child_sa->get_ipcomp(child_sa) != IPCOMP_NONE)
+		{
+			fprintf(out, ", IPCOMP CPIs: %.4x_i %.4x_o",
+					ntohs(child_sa->get_cpi(child_sa, TRUE)),
+					ntohs(child_sa->get_cpi(child_sa, FALSE)));
+		}
+
+		if (all)
+		{
+			fprintf(out, "\n%12s{%d}:  ", child_sa->get_name(child_sa),
+					child_sa->get_reqid(child_sa));
+
+			proposal = child_sa->get_proposal(child_sa);
+			if (proposal)
+			{
+				u_int16_t encr_alg = ENCR_UNDEFINED, int_alg = AUTH_UNDEFINED;
+				u_int16_t encr_size = 0, int_size = 0;
+
+				proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM,
+										&encr_alg, &encr_size);
+				proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM,
+										&int_alg, &int_size);
+
+				if (encr_alg != ENCR_UNDEFINED)
+				{
+					fprintf(out, "%N", encryption_algorithm_names, encr_alg);
+					if (encr_size)
+					{
+						fprintf(out, "_%u", encr_size);
+					}
+				}
+				if (int_alg != AUTH_UNDEFINED)
+				{
+					fprintf(out, "/%N", integrity_algorithm_names, int_alg);
+					if (int_size)
+					{
+						fprintf(out, "_%u", int_size);
+					}
+				}
+			}
+
+			now = time_monotonic(NULL);
+			child_sa->get_usestats(child_sa, TRUE, &use_in, &bytes_in);
+			fprintf(out, ", %llu bytes_i", bytes_in);
+			if (use_in)
+			{
+				fprintf(out, " (%ds ago)", now - use_in);
+			}
+
+			child_sa->get_usestats(child_sa, FALSE, &use_out, &bytes_out);
+			fprintf(out, ", %llu bytes_o", bytes_out);
+			if (use_out)
+			{
+				fprintf(out, " (%ds ago)", now - use_out);
+			}
+			fprintf(out, ", rekeying ");
+
+			rekey = child_sa->get_lifetime(child_sa, FALSE);
+			if (rekey)
+			{
+				if (now > rekey)
+				{
+					fprintf(out, "active");
+				}
+				else
+				{
+					fprintf(out, "in %V", &now, &rekey);
+				}
+			}
+			else
+			{
+				fprintf(out, "disabled");
+			}
+
+		}
+	}
+
+	fprintf(out, "\n%12s{%d}:   %#R=== %#R\n",
+			child_sa->get_name(child_sa), child_sa->get_reqid(child_sa),
+			child_sa->get_traffic_selectors(child_sa, TRUE),
+			child_sa->get_traffic_selectors(child_sa, FALSE));
+}
+
+/**
+ * Log a configs local or remote authentication config to out
+ */
+static void log_auth_cfgs(FILE *out, peer_cfg_t *peer_cfg, bool local)
+{
+	enumerator_t *enumerator, *rules;
+	auth_rule_t rule;
+	auth_cfg_t *auth;
+	auth_class_t auth_class;
+	identification_t *id;
+	certificate_t *cert;
+	cert_validation_t valid;
+	char *name;
+
+	name = peer_cfg->get_name(peer_cfg);
+
+	enumerator = peer_cfg->create_auth_cfg_enumerator(peer_cfg, local);
+	while (enumerator->enumerate(enumerator, &auth))
+	{
+		fprintf(out, "%12s:   %s [%Y] uses ", name,	local ? "local: " : "remote:",
+				auth->get(auth, AUTH_RULE_IDENTITY));
+
+		auth_class = (uintptr_t)auth->get(auth, AUTH_RULE_AUTH_CLASS);
+		if (auth_class != AUTH_CLASS_EAP)
+		{
+			fprintf(out, "%N authentication\n", auth_class_names, auth_class);
+		}
+		else
+		{
+			if ((uintptr_t)auth->get(auth, AUTH_RULE_EAP_TYPE) == EAP_NAK)
+			{
+				fprintf(out, "EAP authentication");
+			}
+			else
+			{
+				if ((uintptr_t)auth->get(auth, AUTH_RULE_EAP_VENDOR))
+				{
+					fprintf(out, "EAP_%d-%d authentication",
+						(uintptr_t)auth->get(auth, AUTH_RULE_EAP_TYPE),
+						(uintptr_t)auth->get(auth, AUTH_RULE_EAP_VENDOR));
+				}
+				else
+				{
+					fprintf(out, "%N authentication", eap_type_names,
+						(uintptr_t)auth->get(auth, AUTH_RULE_EAP_TYPE));
+				}
+			}
+			id = auth->get(auth, AUTH_RULE_EAP_IDENTITY);
+			if (id)
+			{
+				fprintf(out, " with EAP identity '%Y'", id);
+			}
+			fprintf(out, "\n");
+		}
+
+		cert = auth->get(auth, AUTH_RULE_CA_CERT);
+		if (cert)
+		{
+			fprintf(out, "%12s:    ca:    \"%Y\"\n", name, cert->get_subject(cert));
+		}
+
+		cert = auth->get(auth, AUTH_RULE_IM_CERT);
+		if (cert)
+		{
+			fprintf(out, "%12s:    im-ca: \"%Y\"\n", name, cert->get_subject(cert));
+		}
+
+		cert = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
+		if (cert)
+		{
+			fprintf(out, "%12s:    cert:  \"%Y\"\n", name,
+					cert->get_subject(cert));
+		}
+
+		valid = (uintptr_t)auth->get(auth, AUTH_RULE_OCSP_VALIDATION);
+		if (valid != VALIDATION_FAILED)
+		{
+			fprintf(out, "%12s:    ocsp:  status must be GOOD%s\n", name,
+					(valid == VALIDATION_SKIPPED) ? " or SKIPPED" : "");
+		}
+
+		valid = (uintptr_t)auth->get(auth, AUTH_RULE_CRL_VALIDATION);
+		if (valid != VALIDATION_FAILED)
+		{
+			fprintf(out, "%12s:    crl:   status must be GOOD%s\n", name,
+					(valid == VALIDATION_SKIPPED) ? " or SKIPPED" : "");
+		}
+
+		rules = auth->create_enumerator(auth);
+		while (rules->enumerate(rules, &rule, &id))
+		{
+			if (rule == AUTH_RULE_AC_GROUP)
+			{
+				fprintf(out, "%12s:    group: %Y\n", name, id);
+			}
+		}
+		rules->destroy(rules);
+	}
+	enumerator->destroy(enumerator);
+}
+
+/**
+ * Implementation of stroke_list_t.status.
+ */
+static void status(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out, bool all)
+{
+	enumerator_t *enumerator, *children;
+	ike_cfg_t *ike_cfg;
+	child_cfg_t *child_cfg;
+	child_sa_t *child_sa;
+	ike_sa_t *ike_sa;
+	bool first, found = FALSE;
+	char *name = msg->status.name;
+
+	if (all)
+	{
+		peer_cfg_t *peer_cfg;
+		char *plugin, *pool;
+		host_t *host;
+		u_int32_t dpd;
+		time_t since, now;
+		u_int size, online, offline;
+
+		now = time_monotonic(NULL);
+		since = time(NULL) - (now - this->uptime);
+
+		fprintf(out, "Status of IKEv2 charon daemon (strongSwan "VERSION"):\n");
+		fprintf(out, "  uptime: %V, since %T\n", &now, &this->uptime, &since, FALSE);
+		fprintf(out, "  worker threads: %d idle of %d,",
+				charon->processor->get_idle_threads(charon->processor),
+				charon->processor->get_total_threads(charon->processor));
+		fprintf(out, " job queue load: %d,",
+				charon->processor->get_job_load(charon->processor));
+		fprintf(out, " scheduled events: %d\n",
+				charon->scheduler->get_job_load(charon->scheduler));
+		fprintf(out, "  loaded plugins: ");
+		enumerator = lib->plugins->create_plugin_enumerator(lib->plugins);
+		while (enumerator->enumerate(enumerator, &plugin))
+		{
+			fprintf(out, "%s ", plugin);
+		}
+		enumerator->destroy(enumerator);
+		fprintf(out, "\n");
+
+		first = TRUE;
+		enumerator = this->attribute->create_pool_enumerator(this->attribute);
+		while (enumerator->enumerate(enumerator, &pool, &size, &online, &offline))
+		{
+			if (name && !streq(name, pool))
+			{
+				continue;
+			}
+			if (first)
+			{
+				first = FALSE;
+				fprintf(out, "Virtual IP pools (size/online/offline):\n");
+			}
+			fprintf(out, "  %s: %u/%u/%u\n", pool, size, online, offline);
+		}
+		enumerator->destroy(enumerator);
+
+		enumerator = charon->kernel_interface->create_address_enumerator(
+								charon->kernel_interface, FALSE, FALSE);
+		fprintf(out, "Listening IP addresses:\n");
+		while (enumerator->enumerate(enumerator, (void**)&host))
+		{
+			fprintf(out, "  %H\n", host);
+		}
+		enumerator->destroy(enumerator);
+
+		fprintf(out, "Connections:\n");
+		enumerator = charon->backends->create_peer_cfg_enumerator(
+									charon->backends, NULL, NULL, NULL, NULL);
+		while (enumerator->enumerate(enumerator, &peer_cfg))
+		{
+			if (peer_cfg->get_ike_version(peer_cfg) != 2 ||
+				(name && !streq(name, peer_cfg->get_name(peer_cfg))))
+			{
+				continue;
+			}
+
+			ike_cfg = peer_cfg->get_ike_cfg(peer_cfg);
+			fprintf(out, "%12s:  %s...%s", peer_cfg->get_name(peer_cfg),
+				ike_cfg->get_my_addr(ike_cfg), ike_cfg->get_other_addr(ike_cfg));
+
+			dpd = peer_cfg->get_dpd(peer_cfg);
+			if (dpd)
+			{
+				fprintf(out, ", dpddelay=%us", dpd);
+			}
+			fprintf(out, "\n");
+
+			log_auth_cfgs(out, peer_cfg, TRUE);
+			log_auth_cfgs(out, peer_cfg, FALSE);
+
+			children = peer_cfg->create_child_cfg_enumerator(peer_cfg);
+			while (children->enumerate(children, &child_cfg))
+			{
+				linked_list_t *my_ts, *other_ts;
+
+				my_ts = child_cfg->get_traffic_selectors(child_cfg, TRUE, NULL, NULL);
+				other_ts = child_cfg->get_traffic_selectors(child_cfg, FALSE, NULL, NULL);
+				fprintf(out, "%12s:   child:  %#R=== %#R", child_cfg->get_name(child_cfg),
+						my_ts, other_ts);
+				my_ts->destroy_offset(my_ts, offsetof(traffic_selector_t, destroy));
+				other_ts->destroy_offset(other_ts, offsetof(traffic_selector_t, destroy));
+
+				if (dpd)
+				{
+					fprintf(out, ", dpdaction=%N", action_names,
+							child_cfg->get_dpd_action(child_cfg));
+				}
+				fprintf(out, "\n");
+			}
+			children->destroy(children);
+		}
+		enumerator->destroy(enumerator);
+	}
+
+	first = TRUE;
+	enumerator = charon->traps->create_enumerator(charon->traps);
+	while (enumerator->enumerate(enumerator, NULL, &child_sa))
+	{
+		if (first)
+		{
+			fprintf(out, "Routed Connections:\n");
+			first = FALSE;
+		}
+		log_child_sa(out, child_sa, all);
+	}
+	enumerator->destroy(enumerator);
+
+	fprintf(out, "Security Associations:\n");
+	enumerator = charon->controller->create_ike_sa_enumerator(charon->controller);
+	while (enumerator->enumerate(enumerator, &ike_sa))
+	{
+		bool ike_printed = FALSE;
+		iterator_t *children = ike_sa->create_child_sa_iterator(ike_sa);
+
+		if (name == NULL || streq(name, ike_sa->get_name(ike_sa)))
+		{
+			log_ike_sa(out, ike_sa, all);
+			found = TRUE;
+			ike_printed = TRUE;
+		}
+
+		while (children->iterate(children, (void**)&child_sa))
+		{
+			if (name == NULL || streq(name, child_sa->get_name(child_sa)))
+			{
+				if (!ike_printed)
+				{
+					log_ike_sa(out, ike_sa, all);
+					found = TRUE;
+					ike_printed = TRUE;
+				}
+				log_child_sa(out, child_sa, all);
+			}
+		}
+		children->destroy(children);
+	}
+	enumerator->destroy(enumerator);
+
+	if (!found)
+	{
+		if (name)
+		{
+			fprintf(out, "  no match\n");
+		}
+		else
+		{
+			fprintf(out, "  none\n");
+		}
+	}
+}
+
+/**
+ * create a unique certificate list without duplicates
+ * certicates having the same issuer are grouped together.
+ */
+static linked_list_t* create_unique_cert_list(certificate_type_t type)
+{
+	linked_list_t *list = linked_list_create();
+	enumerator_t *enumerator = charon->credentials->create_cert_enumerator(
+									charon->credentials, type, KEY_ANY,
+									NULL, FALSE);
+	certificate_t *cert;
+
+	while (enumerator->enumerate(enumerator, (void**)&cert))
+	{
+		iterator_t *iterator = list->create_iterator(list, TRUE);
+		identification_t *issuer = cert->get_issuer(cert);
+		bool previous_same, same = FALSE, last = TRUE;
+		certificate_t *list_cert;
+
+		while (iterator->iterate(iterator, (void**)&list_cert))
+		{
+			/* exit if we have a duplicate? */
+			if (list_cert->equals(list_cert, cert))
+			{
+				last = FALSE;
+				break;
+			}
+			/* group certificates with same issuer */
+			previous_same = same;
+			same = list_cert->has_issuer(list_cert, issuer);
+			if (previous_same && !same)
+			{
+				iterator->insert_before(iterator, (void *)cert->get_ref(cert));
+				last = FALSE;
+				break;
+			}
+		}
+		iterator->destroy(iterator);
+
+		if (last)
+		{
+			list->insert_last(list, (void *)cert->get_ref(cert));
+		}
+	}
+	enumerator->destroy(enumerator);
+	return list;
+}
+
+/**
+ * Print a single public key.
+ */
+static void list_public_key(public_key_t *public, FILE *out)
+{
+	private_key_t *private = NULL;
+	chunk_t keyid;
+	identification_t *id;
+	auth_cfg_t *auth;
+
+	if (public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1, &keyid))
+	{
+		id = identification_create_from_encoding(ID_KEY_ID, keyid);
+		auth = auth_cfg_create();
+		private = charon->credentials->get_private(charon->credentials,
+									public->get_type(public), id, auth);
+		auth->destroy(auth);
+		id->destroy(id);
+	}
+
+	fprintf(out, "  pubkey:    %N %d bits%s\n",
+			key_type_names, public->get_type(public),
+			public->get_keysize(public) * 8,
+			private ? ", has private key" : "");
+	if (public->get_fingerprint(public, KEY_ID_PUBKEY_INFO_SHA1, &keyid))
+	{
+		fprintf(out, "  keyid:     %#B\n", &keyid);
+	}
+	if (public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1, &keyid))
+	{
+		fprintf(out, "  subjkey:   %#B\n", &keyid);
+	}
+	DESTROY_IF(private);
+}
+
+/**
+ * list all raw public keys
+ */
+static void stroke_list_pubkeys(linked_list_t *list, bool utc, FILE *out)
+{
+	bool first = TRUE;
+
+	enumerator_t *enumerator = list->create_enumerator(list);
+	certificate_t *cert;
+
+	while (enumerator->enumerate(enumerator, (void**)&cert))
+	{
+		public_key_t *public = cert->get_public_key(cert);
+
+		if (public)
+		{
+			if (first)
+			{
+				fprintf(out, "\n");
+				fprintf(out, "List of Raw Public Keys:\n");
+				first = FALSE;
+			}
+			fprintf(out, "\n");
+
+			list_public_key(public, out);
+			public->destroy(public);
+		}
+	}
+	enumerator->destroy(enumerator);
+}
+
+/**
+ * list OpenPGP certificates
+ */
+static void stroke_list_pgp(linked_list_t *list,bool utc, FILE *out)
+{
+	bool first = TRUE;
+	time_t now = time(NULL);
+	enumerator_t *enumerator = list->create_enumerator(list);
+	certificate_t *cert;
+
+	while (enumerator->enumerate(enumerator, (void**)&cert))
+	{
+		time_t created, until;
+		public_key_t *public;
+		pgp_certificate_t *pgp_cert = (pgp_certificate_t*)cert;
+		chunk_t fingerprint = pgp_cert->get_fingerprint(pgp_cert);
+
+		if (first)
+		{
+
+			fprintf(out, "\n");
+				fprintf(out, "List of PGP End Entity Certificates:\n");
+				first = FALSE;
+		}
+		fprintf(out, "\n");
+		fprintf(out, "  userid:   '%Y'\n", cert->get_subject(cert));
+
+		fprintf(out, "  digest:    %#B\n", &fingerprint);
+
+		/* list validity */
+		cert->get_validity(cert, &now, &created, &until);
+		fprintf(out, "  created:   %T\n", &created, utc);
+		fprintf(out, "  until:     %T%s\n", &until, utc,
+			(until == TIME_32_BIT_SIGNED_MAX) ? " (expires never)":"");
+
+		public = cert->get_public_key(cert);
+		if (public)
+		{
+			list_public_key(public, out);
+			public->destroy(public);
+		}
+	}
+	enumerator->destroy(enumerator);
+}
+
+/**
+ * list all X.509 certificates matching the flags
+ */
+static void stroke_list_certs(linked_list_t *list, char *label,
+							  x509_flag_t flags, bool utc, FILE *out)
+{
+	bool first = TRUE;
+	time_t now = time(NULL);
+	enumerator_t *enumerator;
+	certificate_t *cert;
+	x509_flag_t flag_mask;
+
+	/* mask all auxiliary flags */
+	flag_mask = ~(X509_SERVER_AUTH | X509_CLIENT_AUTH |
+				  X509_SELF_SIGNED | X509_IP_ADDR_BLOCKS );
+
+	enumerator = list->create_enumerator(list);
+	while (enumerator->enumerate(enumerator, (void**)&cert))
+	{
+		x509_t *x509 = (x509_t*)cert;
+		x509_flag_t x509_flags = x509->get_flags(x509) & flag_mask;
+
+		/* list only if flag is set or flag == 0 */
+		if ((x509_flags & flags) || (x509_flags == flags))
+		{
+			enumerator_t *enumerator;
+			identification_t *altName;
+			bool first_altName = TRUE;
+			int pathlen;
+			chunk_t serial, authkey;
+			time_t notBefore, notAfter;
+			public_key_t *public;
+
+			if (first)
+			{
+				fprintf(out, "\n");
+				fprintf(out, "List of %s:\n", label);
+				first = FALSE;
+			}
+			fprintf(out, "\n");
+
+			/* list subjectAltNames */
+			enumerator = x509->create_subjectAltName_enumerator(x509);
+			while (enumerator->enumerate(enumerator, (void**)&altName))
+			{
+				if (first_altName)
+				{
+					fprintf(out, "  altNames:  ");
+					first_altName = FALSE;
+				}
+				else
+				{
+					fprintf(out, ", ");
+				}
+				fprintf(out, "%Y", altName);
+			}
+			if (!first_altName)
+			{
+				fprintf(out, "\n");
+			}
+			enumerator->destroy(enumerator);
+
+			fprintf(out, "  subject:  \"%Y\"\n", cert->get_subject(cert));
+			fprintf(out, "  issuer:   \"%Y\"\n", cert->get_issuer(cert));
+			serial = x509->get_serial(x509);
+			fprintf(out, "  serial:    %#B\n", &serial);
+
+			/* list validity */
+			cert->get_validity(cert, &now, &notBefore, &notAfter);
+			fprintf(out, "  validity:  not before %T, ", &notBefore, utc);
+			if (now < notBefore)
+			{
+				fprintf(out, "not valid yet (valid in %V)\n", &now, &notBefore);
+			}
+			else
+			{
+				fprintf(out, "ok\n");
+			}
+			fprintf(out, "             not after  %T, ", &notAfter, utc);
+			if (now > notAfter)
+			{
+				fprintf(out, "expired (%V ago)\n", &now, &notAfter);
+			}
+			else
+			{
+				fprintf(out, "ok");
+				if (now > notAfter - CERT_WARNING_INTERVAL * 60 * 60 * 24)
+				{
+					fprintf(out, " (expires in %V)", &now, &notAfter);
+				}
+				fprintf(out, " \n");
+			}
+
+			public = cert->get_public_key(cert);
+			if (public)
+			{
+				list_public_key(public, out);
+				public->destroy(public);
+			}
+
+			/* list optional authorityKeyIdentifier */
+			authkey = x509->get_authKeyIdentifier(x509);
+			if (authkey.ptr)
+			{
+				fprintf(out, "  authkey:   %#B\n", &authkey);
+			}
+
+			/* list optional pathLenConstraint */
+			pathlen = x509->get_pathLenConstraint(x509);
+			if (pathlen != X509_NO_PATH_LEN_CONSTRAINT)
+			{
+				fprintf(out, "  pathlen:   %d\n", pathlen);
+			}
+
+			/* list optional ipAddrBlocks */
+			if (x509->get_flags(x509) & X509_IP_ADDR_BLOCKS)
+			{
+				traffic_selector_t *ipAddrBlock;
+				bool first_ipAddrBlock = TRUE;
+
+				fprintf(out, "  addresses: ");
+				enumerator = x509->create_ipAddrBlock_enumerator(x509);
+				while (enumerator->enumerate(enumerator, &ipAddrBlock))
+				{
+					if (first_ipAddrBlock)
+					{
+						first_ipAddrBlock = FALSE;
+					}
+					else
+					{
+						fprintf(out, ", ");
+					}
+					fprintf(out, "%R", ipAddrBlock);
+				}
+				enumerator->destroy(enumerator);
+				fprintf(out, "\n");
+			}
+		}
+	}
+	enumerator->destroy(enumerator);
+}
+
+/**
+ * list all X.509 attribute certificates
+ */
+static void stroke_list_acerts(linked_list_t *list, bool utc, FILE *out)
+{
+	bool first = TRUE;
+	time_t thisUpdate, nextUpdate, now = time(NULL);
+	enumerator_t *enumerator = list->create_enumerator(list);
+	certificate_t *cert;
+
+	while (enumerator->enumerate(enumerator, (void**)&cert))
+	{
+		ac_t *ac = (ac_t*)cert;
+		identification_t *id;
+		ietf_attributes_t *groups;
+		chunk_t chunk;
+
+		if (first)
+		{
+			fprintf(out, "\n");
+			fprintf(out, "List of X.509 Attribute Certificates:\n");
+			first = FALSE;
+		}
+		fprintf(out, "\n");
+
+		id = cert->get_subject(cert);
+		if (id)
+		{
+			fprintf(out, "  holder:   \"%Y\"\n", id);
+		}
+		id = ac->get_holderIssuer(ac);
+		if (id)
+		{
+			fprintf(out, "  hissuer:  \"%Y\"\n", id);
+		}
+		chunk = ac->get_holderSerial(ac);
+		if (chunk.ptr)
+		{
+			fprintf(out, "  hserial:   %#B\n", &chunk);
+		}
+		groups = ac->get_groups(ac);
+		if (groups)
+		{
+			fprintf(out, "  groups:    %s\n", groups->get_string(groups));
+			groups->destroy(groups);
+		}
+		fprintf(out, "  issuer:   \"%Y\"\n", cert->get_issuer(cert));
+		chunk  = ac->get_serial(ac);
+		fprintf(out, "  serial:    %#B\n", &chunk);
+
+		/* list validity */
+		cert->get_validity(cert, &now, &thisUpdate, &nextUpdate);
+		fprintf(out, "  updates:   this %T\n",  &thisUpdate, utc);
+		fprintf(out, "             next %T, ", &nextUpdate, utc);
+		if (now > nextUpdate)
+		{
+			fprintf(out, "expired (%V ago)\n", &now, &nextUpdate);
+		}
+		else
+		{
+			fprintf(out, "ok");
+			if (now > nextUpdate - AC_WARNING_INTERVAL * 60 * 60 * 24)
+			{
+				fprintf(out, " (expires in %V)", &now, &nextUpdate);
+			}
+			fprintf(out, " \n");
+		}
+
+		/* list optional authorityKeyIdentifier */
+		chunk = ac->get_authKeyIdentifier(ac);
+		if (chunk.ptr)
+		{
+			fprintf(out, "  authkey:   %#B\n", &chunk);
+		}
+	}
+	enumerator->destroy(enumerator);
+}
+
+/**
+ * list all X.509 CRLs
+ */
+static void stroke_list_crls(linked_list_t *list, bool utc, FILE *out)
+{
+	bool first = TRUE;
+	time_t thisUpdate, nextUpdate, now = time(NULL);
+	enumerator_t *enumerator = list->create_enumerator(list);
+	certificate_t *cert;
+
+	while (enumerator->enumerate(enumerator, (void**)&cert))
+	{
+		crl_t *crl = (crl_t*)cert;
+		chunk_t chunk;
+
+		if (first)
+		{
+			fprintf(out, "\n");
+			fprintf(out, "List of X.509 CRLs:\n");
+			first = FALSE;
+		}
+		fprintf(out, "\n");
+
+		fprintf(out, "  issuer:   \"%Y\"\n", cert->get_issuer(cert));
+
+		/* list optional crlNumber */
+		chunk = crl->get_serial(crl);
+		if (chunk.ptr)
+		{
+			fprintf(out, "  serial:    %#B\n", &chunk);
+		}
+
+		/* count the number of revoked certificates */
+		{
+			int count = 0;
+			enumerator_t *enumerator = crl->create_enumerator(crl);
+
+			while (enumerator->enumerate(enumerator, NULL, NULL, NULL))
+			{
+				count++;
+			}
+			fprintf(out, "  revoked:   %d certificate%s\n", count,
+							(count == 1)? "" : "s");
+			enumerator->destroy(enumerator);
+		}
+
+		/* list validity */
+		cert->get_validity(cert, &now, &thisUpdate, &nextUpdate);
+		fprintf(out, "  updates:   this %T\n",  &thisUpdate, utc);
+		fprintf(out, "             next %T, ", &nextUpdate, utc);
+		if (now > nextUpdate)
+		{
+			fprintf(out, "expired (%V ago)\n", &now, &nextUpdate);
+		}
+		else
+		{
+			fprintf(out, "ok");
+			if (now > nextUpdate - CRL_WARNING_INTERVAL * 60 * 60 * 24)
+			{
+				fprintf(out, " (expires in %V)", &now, &nextUpdate);
+			}
+			fprintf(out, " \n");
+		}
+
+		/* list optional authorityKeyIdentifier */
+		chunk = crl->get_authKeyIdentifier(crl);
+		if (chunk.ptr)
+		{
+			fprintf(out, "  authkey:   %#B\n", &chunk);
+		}
+	}
+	enumerator->destroy(enumerator);
+}
+
+/**
+ * list all OCSP responses
+ */
+static void stroke_list_ocsp(linked_list_t* list, bool utc, FILE *out)
+{
+	bool first = TRUE;
+	enumerator_t *enumerator = list->create_enumerator(list);
+	certificate_t *cert;
+
+	while (enumerator->enumerate(enumerator, (void**)&cert))
+	{
+		if (first)
+		{
+			fprintf(out, "\n");
+			fprintf(out, "List of OCSP responses:\n");
+			fprintf(out, "\n");
+			first = FALSE;
+		}
+
+		fprintf(out, "  signer:   \"%Y\"\n", cert->get_issuer(cert));
+	}
+	enumerator->destroy(enumerator);
+}
+
+/**
+ * List of registered cryptographical algorithms
+ */
+static void list_algs(FILE *out)
+{
+	enumerator_t *enumerator;
+	encryption_algorithm_t encryption;
+	integrity_algorithm_t integrity;
+	hash_algorithm_t hash;
+	pseudo_random_function_t prf;
+	diffie_hellman_group_t group;
+
+	fprintf(out, "\n");
+	fprintf(out, "List of registered IKEv2 Algorithms:\n");
+	fprintf(out, "\n  encryption: ");
+	enumerator = lib->crypto->create_crypter_enumerator(lib->crypto);
+	while (enumerator->enumerate(enumerator, &encryption))
+	{
+		fprintf(out, "%N ", encryption_algorithm_names, encryption);
+	}
+	enumerator->destroy(enumerator);
+	fprintf(out, "\n  integrity:  ");
+	enumerator = lib->crypto->create_signer_enumerator(lib->crypto);
+	while (enumerator->enumerate(enumerator, &integrity))
+	{
+		fprintf(out, "%N ", integrity_algorithm_names, integrity);
+	}
+	enumerator->destroy(enumerator);
+	fprintf(out, "\n  hasher:     ");
+	enumerator = lib->crypto->create_hasher_enumerator(lib->crypto);
+	while (enumerator->enumerate(enumerator, &hash))
+	{
+		fprintf(out, "%N ", hash_algorithm_names, hash);
+	}
+	enumerator->destroy(enumerator);
+	fprintf(out, "\n  prf:        ");
+	enumerator = lib->crypto->create_prf_enumerator(lib->crypto);
+	while (enumerator->enumerate(enumerator, &prf))
+	{
+		fprintf(out, "%N ", pseudo_random_function_names, prf);
+	}
+	enumerator->destroy(enumerator);
+	fprintf(out, "\n  dh-group:   ");
+	enumerator = lib->crypto->create_dh_enumerator(lib->crypto);
+	while (enumerator->enumerate(enumerator, &group))
+	{
+		fprintf(out, "%N ", diffie_hellman_group_names, group);
+	}
+	enumerator->destroy(enumerator);
+	fprintf(out, "\n");
+}
+
+/**
+ * Implementation of stroke_list_t.list.
+ */
+static void list(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out)
+{
+	linked_list_t *cert_list = NULL;
+
+	if (msg->list.flags & LIST_PUBKEYS)
+	{
+		linked_list_t *pubkey_list = create_unique_cert_list(CERT_TRUSTED_PUBKEY);
+
+		stroke_list_pubkeys(pubkey_list, msg->list.utc, out);
+		pubkey_list->destroy_offset(pubkey_list, offsetof(certificate_t, destroy));
+	}
+	if (msg->list.flags & LIST_CERTS)
+	{
+		linked_list_t *pgp_list = create_unique_cert_list(CERT_GPG);
+
+		stroke_list_pgp(pgp_list, msg->list.utc, out);
+		pgp_list->destroy_offset(pgp_list, offsetof(certificate_t, destroy));
+	}
+	if (msg->list.flags & (LIST_CERTS | LIST_CACERTS | LIST_OCSPCERTS | LIST_AACERTS))
+	{
+		cert_list = create_unique_cert_list(CERT_X509);
+	}
+	if (msg->list.flags & LIST_CERTS)
+	{
+		stroke_list_certs(cert_list, "X.509 End Entity Certificates",
+						  X509_NONE, msg->list.utc, out);
+	}
+	if (msg->list.flags & LIST_CACERTS)
+	{
+		stroke_list_certs(cert_list, "X.509 CA Certificates",
+						  X509_CA, msg->list.utc, out);
+	}
+	if (msg->list.flags & LIST_OCSPCERTS)
+	{
+		stroke_list_certs(cert_list, "X.509 OCSP Signer Certificates",
+						  X509_OCSP_SIGNER, msg->list.utc, out);
+	}
+	if (msg->list.flags & LIST_AACERTS)
+	{
+		stroke_list_certs(cert_list, "X.509 AA Certificates",
+						  X509_AA, msg->list.utc, out);
+	}
+	DESTROY_OFFSET_IF(cert_list, offsetof(certificate_t, destroy));
+
+	if (msg->list.flags & LIST_ACERTS)
+	{
+		linked_list_t *ac_list = create_unique_cert_list(CERT_X509_AC);
+
+		stroke_list_acerts(ac_list, msg->list.utc, out);
+		ac_list->destroy_offset(ac_list, offsetof(certificate_t, destroy));
+	}
+	if (msg->list.flags & LIST_CRLS)
+	{
+		linked_list_t *crl_list = create_unique_cert_list(CERT_X509_CRL);
+
+		stroke_list_crls(crl_list, msg->list.utc, out);
+		crl_list->destroy_offset(crl_list, offsetof(certificate_t, destroy));
+	}
+	if (msg->list.flags & LIST_OCSP)
+	{
+		linked_list_t *ocsp_list = create_unique_cert_list(CERT_X509_OCSP_RESPONSE);
+
+		stroke_list_ocsp(ocsp_list, msg->list.utc, out);
+
+		ocsp_list->destroy_offset(ocsp_list, offsetof(certificate_t, destroy));
+	}
+	if (msg->list.flags & LIST_ALGS)
+	{
+		list_algs(out);
+	}
+}
+
+/**
+ * Print leases of a single pool
+ */
+static void pool_leases(private_stroke_list_t *this, FILE *out, char *pool,
+						host_t *address, u_int size, u_int online, u_int offline)
+{
+	enumerator_t *enumerator;
+	identification_t *id;
+	host_t *lease;
+	bool on;
+	int found = 0;
+
+	fprintf(out, "Leases in pool '%s', usage: %lu/%lu, %lu online\n",
+			pool, online + offline, size, online);
+	enumerator = this->attribute->create_lease_enumerator(this->attribute, pool);
+	while (enumerator && enumerator->enumerate(enumerator, &id, &lease, &on))
+	{
+		if (!address || address->ip_equals(address, lease))
+		{
+			fprintf(out, "  %15H   %s   '%Y'\n",
+					lease, on ? "online" : "offline", id);
+			found++;
+		}
+	}
+	enumerator->destroy(enumerator);
+	if (!found)
+	{
+		fprintf(out, "  no matching leases found\n");
+	}
+}
+
+/**
+ * Implementation of stroke_list_t.leases
+ */
+static void leases(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out)
+{
+	enumerator_t *enumerator;
+	u_int size, offline, online;
+	host_t *address = NULL;
+	char *pool;
+	int found = 0;
+
+	if (msg->leases.address)
+	{
+		address = host_create_from_string(msg->leases.address, 0);
+	}
+
+	enumerator = this->attribute->create_pool_enumerator(this->attribute);
+	while (enumerator->enumerate(enumerator, &pool, &size, &online, &offline))
+	{
+		if (!msg->leases.pool || streq(msg->leases.pool, pool))
+		{
+			pool_leases(this, out, pool, address, size, online, offline);
+			found++;
+		}
+	}
+	enumerator->destroy(enumerator);
+	if (!found)
+	{
+		if (msg->leases.pool)
+		{
+			fprintf(out, "pool '%s' not found\n", msg->leases.pool);
+		}
+		else
+		{
+			fprintf(out, "no pools found\n");
+		}
+	}
+	DESTROY_IF(address);
+}
+
+/**
+ * Implementation of stroke_list_t.destroy
+ */
+static void destroy(private_stroke_list_t *this)
+{
+	free(this);
+}
+
+/*
+ * see header file
+ */
+stroke_list_t *stroke_list_create(stroke_attribute_t *attribute)
+{
+	private_stroke_list_t *this = malloc_thing(private_stroke_list_t);
+
+	this->public.list = (void(*)(stroke_list_t*, stroke_msg_t *msg, FILE *out))list;
+	this->public.status = (void(*)(stroke_list_t*, stroke_msg_t *msg, FILE *out,bool))status;
+	this->public.leases = (void(*)(stroke_list_t*, stroke_msg_t *msg, FILE *out))leases;
+	this->public.destroy = (void(*)(stroke_list_t*))destroy;
+
+	this->uptime = time_monotonic(NULL);
+	this->attribute = attribute;
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/plugins/stroke/stroke_list.h b/src/libcharon/plugins/stroke/stroke_list.h
new file mode 100644
index 000000000..b5bedc6c2
--- /dev/null
+++ b/src/libcharon/plugins/stroke/stroke_list.h
@@ -0,0 +1,74 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup stroke_list stroke_list
+ * @{ @ingroup stroke
+ */
+
+#ifndef STROKE_LIST_H_
+#define STROKE_LIST_H_
+
+#include "stroke_attribute.h"
+
+#include <stroke_msg.h>
+#include <library.h>
+
+typedef struct stroke_list_t stroke_list_t;
+
+/**
+ * Log status information to stroke console
+ */
+struct stroke_list_t {
+
+	/**
+	 * List certificate information to stroke console.
+	 *
+	 * @param msg		stroke message
+	 * @param out		stroke console stream
+	 */
+	void (*list)(stroke_list_t *this, stroke_msg_t *msg, FILE *out);
+
+	/**
+	 * Log status information to stroke console.
+	 *
+	 * @param msg		stroke message
+	 * @param out		stroke console stream
+	 * @param all		TRUE for "statusall"
+	 */
+	void (*status)(stroke_list_t *this, stroke_msg_t *msg, FILE *out, bool all);
+
+	/**
+	 * Log pool leases to stroke console.
+	 *
+	 * @param msg		stroke message
+	 * @param out		stroke console stream
+	 */
+	void (*leases)(stroke_list_t *this, stroke_msg_t *msg, FILE *out);
+
+	/**
+	 * Destroy a stroke_list instance.
+	 */
+	void (*destroy)(stroke_list_t *this);
+};
+
+/**
+ * Create a stroke_list instance.
+ *
+ * @param attribute		strokes attribute provider
+ */
+stroke_list_t *stroke_list_create(stroke_attribute_t *attribute);
+
+#endif /** STROKE_LIST_H_ @}*/
diff --git a/src/libcharon/plugins/stroke/stroke_plugin.c b/src/libcharon/plugins/stroke/stroke_plugin.c
new file mode 100644
index 000000000..4361e5050
--- /dev/null
+++ b/src/libcharon/plugins/stroke/stroke_plugin.c
@@ -0,0 +1,65 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "stroke_plugin.h"
+
+#include <library.h>
+#include "stroke_socket.h"
+
+typedef struct private_stroke_plugin_t private_stroke_plugin_t;
+
+/**
+ * private data of stroke_plugin
+ */
+struct private_stroke_plugin_t {
+
+	/**
+	 * public functions
+	 */
+	stroke_plugin_t public;
+
+	/**
+	 * stroke socket, receives strokes
+	 */
+	stroke_socket_t *socket;
+};
+
+/**
+ * Implementation of stroke_plugin_t.destroy
+ */
+static void destroy(private_stroke_plugin_t *this)
+{
+	this->socket->destroy(this->socket);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *stroke_plugin_create()
+{
+	private_stroke_plugin_t *this = malloc_thing(private_stroke_plugin_t);
+
+	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+
+	this->socket = stroke_socket_create();
+	if (this->socket == NULL)
+	{
+		free(this);
+		return NULL;
+	}
+	return &this->public.plugin;
+}
+
diff --git a/src/libcharon/plugins/stroke/stroke_plugin.h b/src/libcharon/plugins/stroke/stroke_plugin.h
new file mode 100644
index 000000000..464979910
--- /dev/null
+++ b/src/libcharon/plugins/stroke/stroke_plugin.h
@@ -0,0 +1,45 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup stroke stroke
+ * @ingroup cplugins
+ *
+ * @defgroup stroke_plugin stroke_plugin
+ * @{ @ingroup stroke
+ */
+
+#ifndef STROKE_PLUGIN_H_
+#define STROKE_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct stroke_plugin_t stroke_plugin_t;
+
+/**
+ * strongSwan 2.x style configuration and control interface.
+ *
+ * Stroke is a home-brewed communication interface inspired by whack. It
+ * uses a unix socket (/var/run/charon.ctl).
+ */
+struct stroke_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+#endif /** STROKE_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/stroke/stroke_shared_key.c b/src/libcharon/plugins/stroke/stroke_shared_key.c
new file mode 100644
index 000000000..4f716e83a
--- /dev/null
+++ b/src/libcharon/plugins/stroke/stroke_shared_key.c
@@ -0,0 +1,140 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "stroke_shared_key.h"
+
+#include <utils/linked_list.h>
+
+typedef struct private_stroke_shared_key_t private_stroke_shared_key_t;
+
+/**
+ * private data of shared_key
+ */
+struct private_stroke_shared_key_t {
+
+	/**
+	 * implements shared_key_t
+	 */
+	stroke_shared_key_t public;
+
+	/**
+	 * type of this key
+	 */
+	shared_key_type_t type;
+
+	/**
+	 * data of the key
+	 */
+	chunk_t key;
+
+	/**
+	 * list of key owners, as identification_t
+	 */
+	linked_list_t *owners;
+
+	/**
+	 * reference counter
+	 */
+	refcount_t ref;
+};
+
+/**
+ * Implementation of shared_key_t.get_type.
+ */
+static shared_key_type_t get_type(private_stroke_shared_key_t *this)
+{
+	return this->type;
+}
+
+/**
+ * Implementation of shared_key_t.get_ref.
+ */
+static private_stroke_shared_key_t* get_ref(private_stroke_shared_key_t *this)
+{
+	ref_get(&this->ref);
+	return this;
+}
+
+/**
+ * Implementation of shared_key_t.get_key.
+ */
+static chunk_t get_key(private_stroke_shared_key_t *this)
+{
+	return this->key;
+}
+
+/**
+ * Implementation of stroke_shared_key_t.has_owner.
+ */
+static id_match_t has_owner(private_stroke_shared_key_t *this, identification_t *owner)
+{
+	enumerator_t *enumerator;
+	id_match_t match, best = ID_MATCH_NONE;
+	identification_t *current;
+
+	enumerator = this->owners->create_enumerator(this->owners);
+	while (enumerator->enumerate(enumerator, &current))
+	{
+		match  = owner->matches(owner, current);
+		if (match > best)
+		{
+			best = match;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return best;
+}
+/**
+ * Implementation of stroke_shared_key_t.add_owner.
+ */
+static void add_owner(private_stroke_shared_key_t *this, identification_t *owner)
+{
+	this->owners->insert_last(this->owners, owner);
+}
+
+/**
+ * Implementation of stroke_shared_key_t.destroy
+ */
+static void destroy(private_stroke_shared_key_t *this)
+{
+	if (ref_put(&this->ref))
+	{
+		this->owners->destroy_offset(this->owners, offsetof(identification_t, destroy));
+		chunk_free(&this->key);
+		free(this);
+	}
+}
+
+/**
+ * create a shared key
+ */
+stroke_shared_key_t *stroke_shared_key_create(shared_key_type_t type, chunk_t key)
+{
+	private_stroke_shared_key_t *this = malloc_thing(private_stroke_shared_key_t);
+
+	this->public.shared.get_type = (shared_key_type_t(*)(shared_key_t*))get_type;
+	this->public.shared.get_key = (chunk_t(*)(shared_key_t*))get_key;
+	this->public.shared.get_ref = (shared_key_t*(*)(shared_key_t*))get_ref;
+	this->public.shared.destroy = (void(*)(shared_key_t*))destroy;
+	this->public.add_owner = (void(*)(stroke_shared_key_t*, identification_t *owner))add_owner;
+	this->public.has_owner = (id_match_t(*)(stroke_shared_key_t*, identification_t *owner))has_owner;
+
+	this->owners = linked_list_create();
+	this->type = type;
+	this->key = key;
+	this->ref = 1;
+
+	return &this->public;
+}
diff --git a/src/libcharon/plugins/stroke/stroke_shared_key.h b/src/libcharon/plugins/stroke/stroke_shared_key.h
new file mode 100644
index 000000000..05ad55083
--- /dev/null
+++ b/src/libcharon/plugins/stroke/stroke_shared_key.h
@@ -0,0 +1,60 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup stroke_shared_key stroke_shared_key
+ * @{ @ingroup stroke
+ */
+
+#ifndef STROKE_SHARED_KEY_H_
+#define STROKE_SHARED_KEY_H_
+
+#include <utils/identification.h>
+#include <credentials/keys/shared_key.h>
+
+typedef struct stroke_shared_key_t stroke_shared_key_t;
+
+/**
+ * Shared key implementation for keys read from ipsec.secrets
+ */
+struct stroke_shared_key_t {
+
+	/**
+	 * Implements the shared_key_t interface.
+	 */
+	shared_key_t shared;
+
+	/**
+	 * Add an owner to the key.
+	 *
+	 * @param owner		owner to add
+	 */
+	void (*add_owner)(stroke_shared_key_t *this, identification_t *owner);
+
+	/**
+	 * Check if a key has a specific owner.
+	 *
+	 * @param owner		owner to check
+	 * @return			best match found
+	 */
+	id_match_t (*has_owner)(stroke_shared_key_t *this, identification_t *owner);
+};
+
+/**
+ * Create a stroke_shared_key instance.
+ */
+stroke_shared_key_t *stroke_shared_key_create(shared_key_type_t type, chunk_t key);
+
+#endif /** STROKE_SHARED_KEY_H_ @}*/
diff --git a/src/libcharon/plugins/stroke/stroke_socket.c b/src/libcharon/plugins/stroke/stroke_socket.c
new file mode 100644
index 000000000..56c18da38
--- /dev/null
+++ b/src/libcharon/plugins/stroke/stroke_socket.c
@@ -0,0 +1,671 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "stroke_socket.h"
+
+#include <stdlib.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/socket.h>
+#include <sys/un.h>
+#include <sys/fcntl.h>
+#include <unistd.h>
+#include <errno.h>
+
+#include <processing/jobs/callback_job.h>
+#include <hydra.h>
+#include <daemon.h>
+#include <threading/thread.h>
+
+#include "stroke_config.h"
+#include "stroke_control.h"
+#include "stroke_cred.h"
+#include "stroke_ca.h"
+#include "stroke_attribute.h"
+#include "stroke_list.h"
+
+typedef struct stroke_job_context_t stroke_job_context_t;
+typedef struct private_stroke_socket_t private_stroke_socket_t;
+
+/**
+ * private data of stroke_socket
+ */
+struct private_stroke_socket_t {
+
+	/**
+	 * public functions
+	 */
+	stroke_socket_t public;
+
+	/**
+	 * Unix socket to listen for strokes
+	 */
+	int socket;
+
+	/**
+	 * job accepting stroke messages
+	 */
+	callback_job_t *job;
+
+	/**
+	 * configuration backend
+	 */
+	stroke_config_t *config;
+
+	/**
+	 * attribute provider
+	 */
+	stroke_attribute_t *attribute;
+
+	/**
+	 * controller to control daemon
+	 */
+	stroke_control_t *control;
+
+	/**
+	 * credential set
+	 */
+	stroke_cred_t *cred;
+
+	/**
+	 * CA sections
+	 */
+	stroke_ca_t *ca;
+
+	/**
+	 * Status information logging
+	 */
+	stroke_list_t *list;
+};
+
+/**
+ * job context to pass to processing thread
+ */
+struct stroke_job_context_t {
+
+	/**
+	 * file descriptor to read from
+	 */
+	int fd;
+
+	/**
+	 * global stroke interface
+	 */
+	private_stroke_socket_t *this;
+};
+
+/**
+ * Helper function which corrects the string pointers
+ * in a stroke_msg_t. Strings in a stroke_msg sent over "wire"
+ * contains RELATIVE addresses (relative to the beginning of the
+ * stroke_msg). They must be corrected if they reach our address
+ * space...
+ */
+static void pop_string(stroke_msg_t *msg, char **string)
+{
+	if (*string == NULL)
+	{
+		return;
+	}
+
+	/* check for sanity of string pointer and string */
+	if (string < (char**)msg ||
+		string > (char**)msg + sizeof(stroke_msg_t) ||
+		(unsigned long)*string < (unsigned long)((char*)msg->buffer - (char*)msg) ||
+		(unsigned long)*string > msg->length)
+	{
+		*string = "(invalid pointer in stroke msg)";
+	}
+	else
+	{
+		*string = (char*)msg + (unsigned long)*string;
+	}
+}
+
+/**
+ * Pop the strings of a stroke_end_t struct and log them for debugging purposes
+ */
+static void pop_end(stroke_msg_t *msg, const char* label, stroke_end_t *end)
+{
+	pop_string(msg, &end->address);
+	pop_string(msg, &end->subnets);
+	pop_string(msg, &end->sourceip);
+	pop_string(msg, &end->auth);
+	pop_string(msg, &end->auth2);
+	pop_string(msg, &end->id);
+	pop_string(msg, &end->id2);
+	pop_string(msg, &end->cert);
+	pop_string(msg, &end->cert2);
+	pop_string(msg, &end->ca);
+	pop_string(msg, &end->ca2);
+	pop_string(msg, &end->groups);
+	pop_string(msg, &end->updown);
+
+	DBG2(DBG_CFG, "  %s=%s", label, end->address);
+	DBG2(DBG_CFG, "  %ssubnet=%s", label, end->subnets);
+	DBG2(DBG_CFG, "  %ssourceip=%s", label, end->sourceip);
+	DBG2(DBG_CFG, "  %sauth=%s", label, end->auth);
+	DBG2(DBG_CFG, "  %sauth2=%s", label, end->auth2);
+	DBG2(DBG_CFG, "  %sid=%s", label, end->id);
+	DBG2(DBG_CFG, "  %sid2=%s", label, end->id2);
+	DBG2(DBG_CFG, "  %scert=%s", label, end->cert);
+	DBG2(DBG_CFG, "  %scert2=%s", label, end->cert2);
+	DBG2(DBG_CFG, "  %sca=%s", label, end->ca);
+	DBG2(DBG_CFG, "  %sca2=%s", label, end->ca2);
+	DBG2(DBG_CFG, "  %sgroups=%s", label, end->groups);
+	DBG2(DBG_CFG, "  %supdown=%s", label, end->updown);
+}
+
+/**
+ * Add a connection to the configuration list
+ */
+static void stroke_add_conn(private_stroke_socket_t *this, stroke_msg_t *msg)
+{
+	pop_string(msg, &msg->add_conn.name);
+	DBG1(DBG_CFG, "received stroke: add connection '%s'", msg->add_conn.name);
+
+	DBG2(DBG_CFG, "conn %s", msg->add_conn.name);
+	pop_end(msg, "left", &msg->add_conn.me);
+	pop_end(msg, "right", &msg->add_conn.other);
+	pop_string(msg, &msg->add_conn.eap_identity);
+	pop_string(msg, &msg->add_conn.algorithms.ike);
+	pop_string(msg, &msg->add_conn.algorithms.esp);
+	pop_string(msg, &msg->add_conn.ikeme.mediated_by);
+	pop_string(msg, &msg->add_conn.ikeme.peerid);
+	DBG2(DBG_CFG, "  eap_identity=%s", msg->add_conn.eap_identity);
+	DBG2(DBG_CFG, "  ike=%s", msg->add_conn.algorithms.ike);
+	DBG2(DBG_CFG, "  esp=%s", msg->add_conn.algorithms.esp);
+	DBG2(DBG_CFG, "  mediation=%s", msg->add_conn.ikeme.mediation ? "yes" : "no");
+	DBG2(DBG_CFG, "  mediated_by=%s", msg->add_conn.ikeme.mediated_by);
+	DBG2(DBG_CFG, "  me_peerid=%s", msg->add_conn.ikeme.peerid);
+
+	this->config->add(this->config, msg);
+	this->attribute->add_pool(this->attribute, msg);
+}
+
+/**
+ * Delete a connection from the list
+ */
+static void stroke_del_conn(private_stroke_socket_t *this, stroke_msg_t *msg)
+{
+	pop_string(msg, &msg->del_conn.name);
+	DBG1(DBG_CFG, "received stroke: delete connection '%s'", msg->del_conn.name);
+
+	this->config->del(this->config, msg);
+	this->attribute->del_pool(this->attribute, msg);
+}
+
+/**
+ * initiate a connection by name
+ */
+static void stroke_initiate(private_stroke_socket_t *this, stroke_msg_t *msg, FILE *out)
+{
+	pop_string(msg, &msg->initiate.name);
+	DBG1(DBG_CFG, "received stroke: initiate '%s'", msg->initiate.name);
+
+	this->control->initiate(this->control, msg, out);
+}
+
+/**
+ * terminate a connection by name
+ */
+static void stroke_terminate(private_stroke_socket_t *this, stroke_msg_t *msg, FILE *out)
+{
+	pop_string(msg, &msg->terminate.name);
+	DBG1(DBG_CFG, "received stroke: terminate '%s'", msg->terminate.name);
+
+	this->control->terminate(this->control, msg, out);
+}
+
+/**
+ * terminate a connection by peers virtual IP
+ */
+static void stroke_terminate_srcip(private_stroke_socket_t *this,
+								   stroke_msg_t *msg, FILE *out)
+{
+	pop_string(msg, &msg->terminate_srcip.start);
+	pop_string(msg, &msg->terminate_srcip.end);
+	DBG1(DBG_CFG, "received stroke: terminate-srcip %s-%s",
+		 msg->terminate_srcip.start, msg->terminate_srcip.end);
+
+	this->control->terminate_srcip(this->control, msg, out);
+}
+
+/**
+ * route a policy (install SPD entries)
+ */
+static void stroke_route(private_stroke_socket_t *this, stroke_msg_t *msg, FILE *out)
+{
+	pop_string(msg, &msg->route.name);
+	DBG1(DBG_CFG, "received stroke: route '%s'", msg->route.name);
+
+	this->control->route(this->control, msg, out);
+}
+
+/**
+ * unroute a policy
+ */
+static void stroke_unroute(private_stroke_socket_t *this, stroke_msg_t *msg, FILE *out)
+{
+	pop_string(msg, &msg->terminate.name);
+	DBG1(DBG_CFG, "received stroke: unroute '%s'", msg->route.name);
+
+	this->control->unroute(this->control, msg, out);
+}
+
+/**
+ * Add a ca information record to the cainfo list
+ */
+static void stroke_add_ca(private_stroke_socket_t *this,
+						  stroke_msg_t *msg, FILE *out)
+{
+	pop_string(msg, &msg->add_ca.name);
+	DBG1(DBG_CFG, "received stroke: add ca '%s'", msg->add_ca.name);
+
+	pop_string(msg, &msg->add_ca.cacert);
+	pop_string(msg, &msg->add_ca.crluri);
+	pop_string(msg, &msg->add_ca.crluri2);
+	pop_string(msg, &msg->add_ca.ocspuri);
+	pop_string(msg, &msg->add_ca.ocspuri2);
+	pop_string(msg, &msg->add_ca.certuribase);
+	DBG2(DBG_CFG, "ca %s",            msg->add_ca.name);
+	DBG2(DBG_CFG, "  cacert=%s",      msg->add_ca.cacert);
+	DBG2(DBG_CFG, "  crluri=%s",      msg->add_ca.crluri);
+	DBG2(DBG_CFG, "  crluri2=%s",     msg->add_ca.crluri2);
+	DBG2(DBG_CFG, "  ocspuri=%s",     msg->add_ca.ocspuri);
+	DBG2(DBG_CFG, "  ocspuri2=%s",    msg->add_ca.ocspuri2);
+	DBG2(DBG_CFG, "  certuribase=%s", msg->add_ca.certuribase);
+
+	this->ca->add(this->ca, msg);
+}
+
+/**
+ * Delete a ca information record from the cainfo list
+ */
+static void stroke_del_ca(private_stroke_socket_t *this,
+						  stroke_msg_t *msg, FILE *out)
+{
+	pop_string(msg, &msg->del_ca.name);
+	DBG1(DBG_CFG, "received stroke: delete ca '%s'", msg->del_ca.name);
+
+	this->ca->del(this->ca, msg);
+}
+
+
+/**
+ * show status of daemon
+ */
+static void stroke_status(private_stroke_socket_t *this,
+						  stroke_msg_t *msg, FILE *out, bool all)
+{
+	pop_string(msg, &(msg->status.name));
+
+	this->list->status(this->list, msg, out, all);
+}
+
+/**
+ * list various information
+ */
+static void stroke_list(private_stroke_socket_t *this, stroke_msg_t *msg, FILE *out)
+{
+	if (msg->list.flags & LIST_CAINFOS)
+	{
+		this->ca->list(this->ca, msg, out);
+	}
+	this->list->list(this->list, msg, out);
+}
+
+/**
+ * reread various information
+ */
+static void stroke_reread(private_stroke_socket_t *this,
+						  stroke_msg_t *msg, FILE *out)
+{
+	this->cred->reread(this->cred, msg, out);
+}
+
+/**
+ * purge various information
+ */
+static void stroke_purge(private_stroke_socket_t *this,
+						 stroke_msg_t *msg, FILE *out)
+{
+	if (msg->purge.flags & PURGE_OCSP)
+	{
+		charon->credentials->flush_cache(charon->credentials,
+										 CERT_X509_OCSP_RESPONSE);
+	}
+	if (msg->purge.flags & PURGE_IKE)
+	{
+		this->control->purge_ike(this->control, msg, out);
+	}
+}
+
+/**
+ * list pool leases
+ */
+static void stroke_leases(private_stroke_socket_t *this,
+						  stroke_msg_t *msg, FILE *out)
+{
+	pop_string(msg, &msg->leases.pool);
+	pop_string(msg, &msg->leases.address);
+
+	this->list->leases(this->list, msg, out);
+}
+
+debug_t get_group_from_name(char *type)
+{
+	if (strcaseeq(type, "any")) return DBG_ANY;
+	else if (strcaseeq(type, "mgr")) return DBG_MGR;
+	else if (strcaseeq(type, "ike")) return DBG_IKE;
+	else if (strcaseeq(type, "chd")) return DBG_CHD;
+	else if (strcaseeq(type, "job")) return DBG_JOB;
+	else if (strcaseeq(type, "cfg")) return DBG_CFG;
+	else if (strcaseeq(type, "knl")) return DBG_KNL;
+	else if (strcaseeq(type, "net")) return DBG_NET;
+	else if (strcaseeq(type, "enc")) return DBG_ENC;
+	else if (strcaseeq(type, "lib")) return DBG_LIB;
+	else return -1;
+}
+
+/**
+ * set the verbosity debug output
+ */
+static void stroke_loglevel(private_stroke_socket_t *this,
+							stroke_msg_t *msg, FILE *out)
+{
+	enumerator_t *enumerator;
+	sys_logger_t *sys_logger;
+	file_logger_t *file_logger;
+	debug_t group;
+
+	pop_string(msg, &(msg->loglevel.type));
+	DBG1(DBG_CFG, "received stroke: loglevel %d for %s",
+		 msg->loglevel.level, msg->loglevel.type);
+
+	group = get_group_from_name(msg->loglevel.type);
+	if (group < 0)
+	{
+		fprintf(out, "invalid type (%s)!\n", msg->loglevel.type);
+		return;
+	}
+	/* we set the loglevel on ALL sys- and file-loggers */
+	enumerator = charon->sys_loggers->create_enumerator(charon->sys_loggers);
+	while (enumerator->enumerate(enumerator, &sys_logger))
+	{
+		sys_logger->set_level(sys_logger, group, msg->loglevel.level);
+	}
+	enumerator->destroy(enumerator);
+	enumerator = charon->file_loggers->create_enumerator(charon->file_loggers);
+	while (enumerator->enumerate(enumerator, &file_logger))
+	{
+		file_logger->set_level(file_logger, group, msg->loglevel.level);
+	}
+	enumerator->destroy(enumerator);
+}
+
+/**
+ * set various config options
+ */
+static void stroke_config(private_stroke_socket_t *this,
+						  stroke_msg_t *msg, FILE *out)
+{
+	this->cred->cachecrl(this->cred, msg->config.cachecrl);
+}
+
+/**
+ * destroy a job context
+ */
+static void stroke_job_context_destroy(stroke_job_context_t *this)
+{
+	if (this->fd)
+	{
+		close(this->fd);
+	}
+	free(this);
+}
+
+/**
+ * process a stroke request from the socket pointed by "fd"
+ */
+static job_requeue_t process(stroke_job_context_t *ctx)
+{
+	stroke_msg_t *msg;
+	u_int16_t msg_length;
+	ssize_t bytes_read;
+	FILE *out;
+	private_stroke_socket_t *this = ctx->this;
+	int strokefd = ctx->fd;
+
+	/* peek the length */
+	bytes_read = recv(strokefd, &msg_length, sizeof(msg_length), MSG_PEEK);
+	if (bytes_read != sizeof(msg_length))
+	{
+		DBG1(DBG_CFG, "reading length of stroke message failed: %s",
+			 strerror(errno));
+		return JOB_REQUEUE_NONE;
+	}
+
+	/* read message */
+	msg = alloca(msg_length);
+	bytes_read = recv(strokefd, msg, msg_length, 0);
+	if (bytes_read != msg_length)
+	{
+		DBG1(DBG_CFG, "reading stroke message failed: %s", strerror(errno));
+		return JOB_REQUEUE_NONE;
+	}
+
+	out = fdopen(strokefd, "w+");
+	if (out == NULL)
+	{
+		DBG1(DBG_CFG, "opening stroke output channel failed: %s", strerror(errno));
+		return JOB_REQUEUE_NONE;
+	}
+
+	DBG3(DBG_CFG, "stroke message %b", (void*)msg, msg_length);
+
+	switch (msg->type)
+	{
+		case STR_INITIATE:
+			stroke_initiate(this, msg, out);
+			break;
+		case STR_ROUTE:
+			stroke_route(this, msg, out);
+			break;
+		case STR_UNROUTE:
+			stroke_unroute(this, msg, out);
+			break;
+		case STR_TERMINATE:
+			stroke_terminate(this, msg, out);
+			break;
+		case STR_TERMINATE_SRCIP:
+			stroke_terminate_srcip(this, msg, out);
+			break;
+		case STR_STATUS:
+			stroke_status(this, msg, out, FALSE);
+			break;
+		case STR_STATUS_ALL:
+			stroke_status(this, msg, out, TRUE);
+			break;
+		case STR_ADD_CONN:
+			stroke_add_conn(this, msg);
+			break;
+		case STR_DEL_CONN:
+			stroke_del_conn(this, msg);
+			break;
+		case STR_ADD_CA:
+			stroke_add_ca(this, msg, out);
+			break;
+		case STR_DEL_CA:
+			stroke_del_ca(this, msg, out);
+			break;
+		case STR_LOGLEVEL:
+			stroke_loglevel(this, msg, out);
+			break;
+		case STR_CONFIG:
+			stroke_config(this, msg, out);
+			break;
+		case STR_LIST:
+			stroke_list(this, msg, out);
+			break;
+		case STR_REREAD:
+			stroke_reread(this, msg, out);
+			break;
+		case STR_PURGE:
+			stroke_purge(this, msg, out);
+			break;
+		case STR_LEASES:
+			stroke_leases(this, msg, out);
+			break;
+		default:
+			DBG1(DBG_CFG, "received unknown stroke");
+			break;
+	}
+	fclose(out);
+	/* fclose() closes underlying FD */
+	ctx->fd = 0;
+	return JOB_REQUEUE_NONE;
+}
+
+/**
+ * Implementation of private_stroke_socket_t.stroke_receive.
+ */
+static job_requeue_t receive(private_stroke_socket_t *this)
+{
+	struct sockaddr_un strokeaddr;
+	int strokeaddrlen = sizeof(strokeaddr);
+	int strokefd;
+	bool oldstate;
+	callback_job_t *job;
+	stroke_job_context_t *ctx;
+
+	oldstate = thread_cancelability(TRUE);
+	strokefd = accept(this->socket, (struct sockaddr *)&strokeaddr, &strokeaddrlen);
+	thread_cancelability(oldstate);
+
+	if (strokefd < 0)
+	{
+		DBG1(DBG_CFG, "accepting stroke connection failed: %s", strerror(errno));
+		return JOB_REQUEUE_FAIR;
+	}
+
+	ctx = malloc_thing(stroke_job_context_t);
+	ctx->fd = strokefd;
+	ctx->this = this;
+	job = callback_job_create((callback_job_cb_t)process,
+							  ctx, (void*)stroke_job_context_destroy, this->job);
+	charon->processor->queue_job(charon->processor, (job_t*)job);
+
+	return JOB_REQUEUE_FAIR;
+}
+
+
+/**
+ * initialize and open stroke socket
+ */
+static bool open_socket(private_stroke_socket_t *this)
+{
+	struct sockaddr_un socket_addr;
+	mode_t old;
+
+	socket_addr.sun_family = AF_UNIX;
+	strcpy(socket_addr.sun_path, STROKE_SOCKET);
+
+	/* set up unix socket */
+	this->socket = socket(AF_UNIX, SOCK_STREAM, 0);
+	if (this->socket == -1)
+	{
+		DBG1(DBG_CFG, "could not create stroke socket");
+		return FALSE;
+	}
+
+	unlink(socket_addr.sun_path);
+	old = umask(~(S_IRWXU | S_IRWXG));
+	if (bind(this->socket, (struct sockaddr *)&socket_addr, sizeof(socket_addr)) < 0)
+	{
+		DBG1(DBG_CFG, "could not bind stroke socket: %s", strerror(errno));
+		close(this->socket);
+		return FALSE;
+	}
+	umask(old);
+	if (chown(socket_addr.sun_path, charon->uid, charon->gid) != 0)
+	{
+		DBG1(DBG_CFG, "changing stroke socket permissions failed: %s",
+			 strerror(errno));
+	}
+
+	if (listen(this->socket, 10) < 0)
+	{
+		DBG1(DBG_CFG, "could not listen on stroke socket: %s", strerror(errno));
+		close(this->socket);
+		unlink(socket_addr.sun_path);
+		return FALSE;
+	}
+	return TRUE;
+}
+
+/**
+ * Implementation of stroke_socket_t.destroy
+ */
+static void destroy(private_stroke_socket_t *this)
+{
+	this->job->cancel(this->job);
+	charon->credentials->remove_set(charon->credentials, &this->ca->set);
+	charon->credentials->remove_set(charon->credentials, &this->cred->set);
+	charon->backends->remove_backend(charon->backends, &this->config->backend);
+	hydra->attributes->remove_provider(hydra->attributes, &this->attribute->provider);
+	this->cred->destroy(this->cred);
+	this->ca->destroy(this->ca);
+	this->config->destroy(this->config);
+	this->attribute->destroy(this->attribute);
+	this->control->destroy(this->control);
+	this->list->destroy(this->list);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+stroke_socket_t *stroke_socket_create()
+{
+	private_stroke_socket_t *this = malloc_thing(private_stroke_socket_t);
+
+	this->public.destroy = (void(*)(stroke_socket_t*))destroy;
+
+	if (!open_socket(this))
+	{
+		free(this);
+		return NULL;
+	}
+
+	this->cred = stroke_cred_create();
+	this->attribute = stroke_attribute_create();
+	this->ca = stroke_ca_create(this->cred);
+	this->config = stroke_config_create(this->ca, this->cred);
+	this->control = stroke_control_create();
+	this->list = stroke_list_create(this->attribute);
+
+	charon->credentials->add_set(charon->credentials, &this->ca->set);
+	charon->credentials->add_set(charon->credentials, &this->cred->set);
+	charon->backends->add_backend(charon->backends, &this->config->backend);
+	hydra->attributes->add_provider(hydra->attributes, &this->attribute->provider);
+
+	this->job = callback_job_create((callback_job_cb_t)receive,
+									this, NULL, NULL);
+	charon->processor->queue_job(charon->processor, (job_t*)this->job);
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/plugins/stroke/stroke_socket.h b/src/libcharon/plugins/stroke/stroke_socket.h
new file mode 100644
index 000000000..2aac8be9b
--- /dev/null
+++ b/src/libcharon/plugins/stroke/stroke_socket.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup stroke_socket stroke_socket
+ * @{ @ingroup stroke
+ */
+
+#ifndef STROKE_SOCKET_H_
+#define STROKE_SOCKET_H_
+
+typedef struct stroke_socket_t stroke_socket_t;
+
+/**
+ * Stroke socket, opens UNIX communication socket, reads and dispatches.
+ */
+struct stroke_socket_t {
+
+	/**
+	 * Destroy a stroke_socket instance.
+	 */
+	void (*destroy)(stroke_socket_t *this);
+};
+
+/**
+ * Create a stroke_socket instance.
+ */
+stroke_socket_t *stroke_socket_create();
+
+#endif /** STROKE_SOCKET_H_ @}*/
diff --git a/src/libcharon/plugins/uci/Makefile.am b/src/libcharon/plugins/uci/Makefile.am
new file mode 100644
index 000000000..6decdb9da
--- /dev/null
+++ b/src/libcharon/plugins/uci/Makefile.am
@@ -0,0 +1,19 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-uci.la
+else
+plugin_LTLIBRARIES = libstrongswan-uci.la
+endif
+
+libstrongswan_uci_la_SOURCES = \
+	uci_plugin.h uci_plugin.c uci_parser.h uci_parser.c \
+	uci_config.h uci_config.c uci_creds.h uci_creds.c \
+	uci_control.h uci_control.c
+
+libstrongswan_uci_la_LDFLAGS = -module -avoid-version
+libstrongswan_uci_la_LIBADD  = -luci
diff --git a/src/libcharon/plugins/uci/Makefile.in b/src/libcharon/plugins/uci/Makefile.in
new file mode 100644
index 000000000..c10829bb3
--- /dev/null
+++ b/src/libcharon/plugins/uci/Makefile.in
@@ -0,0 +1,592 @@
+# Makefile.in generated by automake 1.11 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libcharon/plugins/uci
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_uci_la_DEPENDENCIES =
+am_libstrongswan_uci_la_OBJECTS = uci_plugin.lo uci_parser.lo \
+	uci_config.lo uci_creds.lo uci_control.lo
+libstrongswan_uci_la_OBJECTS = $(am_libstrongswan_uci_la_OBJECTS)
+libstrongswan_uci_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_uci_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_uci_la_rpath = -rpath $(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_uci_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_uci_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_uci_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libhydra_plugins = @libhydra_plugins@
+libstrongswan_plugins = @libstrongswan_plugins@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-uci.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-uci.la
+libstrongswan_uci_la_SOURCES = \
+	uci_plugin.h uci_plugin.c uci_parser.h uci_parser.c \
+	uci_config.h uci_config.c uci_creds.h uci_creds.c \
+	uci_control.h uci_control.c
+
+libstrongswan_uci_la_LDFLAGS = -module -avoid-version
+libstrongswan_uci_la_LIBADD = -luci
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/uci/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libcharon/plugins/uci/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-uci.la: $(libstrongswan_uci_la_OBJECTS) $(libstrongswan_uci_la_DEPENDENCIES) 
+	$(libstrongswan_uci_la_LINK) $(am_libstrongswan_uci_la_rpath) $(libstrongswan_uci_la_OBJECTS) $(libstrongswan_uci_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/uci_config.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/uci_control.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/uci_creds.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/uci_parser.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/uci_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libcharon/plugins/uci/uci_config.c b/src/libcharon/plugins/uci/uci_config.c
new file mode 100644
index 000000000..bd58afbf0
--- /dev/null
+++ b/src/libcharon/plugins/uci/uci_config.c
@@ -0,0 +1,361 @@
+/*
+ * Copyright (C) 2008 Thomas Kallenberg
+ * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#define _GNU_SOURCE
+#include <string.h>
+
+#include "uci_config.h"
+#include "uci_parser.h"
+
+#include <daemon.h>
+
+typedef struct private_uci_config_t private_uci_config_t;
+
+/**
+ * Private data of an uci_config_t object
+ */
+struct private_uci_config_t {
+
+	/**
+	 * Public part
+	 */
+	uci_config_t public;
+
+	/**
+	 * UCI parser context
+	 */
+	uci_parser_t *parser;
+};
+
+/**
+ * enumerator implementation for create_peer_cfg_enumerator
+ */
+typedef struct {
+	/** implements enumerator */
+	enumerator_t public;
+	/** currently enumerated peer config */
+	peer_cfg_t *peer_cfg;
+	/** inner uci_parser section enumerator */
+	enumerator_t *inner;
+} peer_enumerator_t;
+
+/**
+ * create a proposal from a string, with fallback to default
+ */
+static proposal_t *create_proposal(char *string, protocol_id_t proto)
+{
+	proposal_t *proposal = NULL;
+
+	if (string)
+	{
+		proposal = proposal_create_from_string(proto, string);
+	}
+	if (!proposal)
+	{	/* UCI default is aes/sha1 only */
+		if (proto == PROTO_IKE)
+		{
+			proposal = proposal_create_from_string(proto,
+								"aes128-aes192-aes256-sha1-modp1536-modp2048");
+		}
+		else
+		{
+			proposal = proposal_create_from_string(proto,
+								"aes128-aes192-aes256-sha1");
+		}
+	}
+	return proposal;
+}
+
+/**
+ * create an traffic selector, fallback to dynamic
+ */
+static traffic_selector_t *create_ts(char *string)
+{
+	if (string)
+	{
+		int netbits = 32;
+		host_t *net;
+		char *pos;
+
+		string = strdupa(string);
+		pos = strchr(string, '/');
+		if (pos)
+		{
+			*pos++ = '\0';
+			netbits = atoi(pos);
+		}
+		else
+		{
+			if (strchr(string, ':'))
+			{
+				netbits = 128;
+			}
+		}
+		net = host_create_from_string(string, 0);
+		if (net)
+		{
+			return traffic_selector_create_from_subnet(net, netbits, 0, 0);
+		}
+	}
+	return traffic_selector_create_dynamic(0, 0, 65535);
+}
+
+/**
+ * create a rekey time from a string with hours, with fallback
+ */
+static u_int create_rekey(char *string)
+{
+	u_int rekey = 0;
+
+	if (string)
+	{
+		rekey = atoi(string);
+		if (rekey)
+		{
+			return rekey * 3600;
+		}
+	}
+	/* every 12 hours */
+	return 12 * 3600;
+}
+
+/**
+ * Implementation of peer_enumerator_t.public.enumerate
+ */
+static bool peer_enumerator_enumerate(peer_enumerator_t *this, peer_cfg_t **cfg)
+{
+	char *name, *ike_proposal, *esp_proposal, *ike_rekey, *esp_rekey;
+	char *local_id, *local_addr, *local_net;
+	char *remote_id, *remote_addr, *remote_net;
+	child_cfg_t *child_cfg;
+	ike_cfg_t *ike_cfg;
+	auth_cfg_t *auth;
+	lifetime_cfg_t lifetime = {
+		.time = {
+			.life = create_rekey(esp_rekey) + 300,
+			.rekey = create_rekey(esp_rekey),
+			.jitter = 300
+		}
+	};
+
+	/* defaults */
+	name = "unnamed";
+	local_id = NULL;
+	remote_id = NULL;
+	local_addr = "0.0.0.0";
+	remote_addr = "0.0.0.0";
+	local_net = NULL;
+	remote_net = NULL;
+	ike_proposal = NULL;
+	esp_proposal = NULL;
+	ike_rekey = NULL;
+	esp_rekey = NULL;
+
+	if (this->inner->enumerate(this->inner, &name, &local_id, &remote_id,
+			&local_addr, &remote_addr, &local_net, &remote_net,
+			&ike_proposal, &esp_proposal, &ike_rekey, &esp_rekey))
+	{
+		DESTROY_IF(this->peer_cfg);
+		ike_cfg = ike_cfg_create(FALSE, FALSE,
+					local_addr, IKEV2_UDP_PORT, remote_addr, IKEV2_UDP_PORT);
+		ike_cfg->add_proposal(ike_cfg, create_proposal(ike_proposal, PROTO_IKE));
+		this->peer_cfg = peer_cfg_create(
+					name, 2, ike_cfg, CERT_SEND_IF_ASKED, UNIQUE_NO,
+					1, create_rekey(ike_rekey), 0,  /* keytries, rekey, reauth */
+					1800, 900,						/* jitter, overtime */
+					TRUE, 60, 						/* mobike, dpddelay */
+					NULL, NULL, 					/* vip, pool */
+					FALSE, NULL, NULL); 			/* mediation, med by, peer id */
+		auth = auth_cfg_create();
+		auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PSK);
+		auth->add(auth, AUTH_RULE_IDENTITY,
+				  identification_create_from_string(local_id));
+		this->peer_cfg->add_auth_cfg(this->peer_cfg, auth, TRUE);
+
+		auth = auth_cfg_create();
+		auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PSK);
+		if (remote_id)
+		{
+			auth->add(auth, AUTH_RULE_IDENTITY,
+					  identification_create_from_string(remote_id));
+		}
+		this->peer_cfg->add_auth_cfg(this->peer_cfg, auth, FALSE);
+
+		child_cfg = child_cfg_create(name, &lifetime, NULL, TRUE, MODE_TUNNEL,
+									 ACTION_NONE, ACTION_NONE, FALSE, 0);
+		child_cfg->add_proposal(child_cfg, create_proposal(esp_proposal, PROTO_ESP));
+		child_cfg->add_traffic_selector(child_cfg, TRUE, create_ts(local_net));
+		child_cfg->add_traffic_selector(child_cfg, FALSE, create_ts(remote_net));
+		this->peer_cfg->add_child_cfg(this->peer_cfg, child_cfg);
+		*cfg = this->peer_cfg;
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/**
+ * Implementation of peer_enumerator_t.public.destroy
+ */
+static void peer_enumerator_destroy(peer_enumerator_t *this)
+{
+	DESTROY_IF(this->peer_cfg);
+	this->inner->destroy(this->inner);
+	free(this);
+}
+
+/**
+ * Implementation of backend_t.create_peer_cfg_enumerator.
+ */
+static enumerator_t* create_peer_cfg_enumerator(private_uci_config_t *this,
+												identification_t *me,
+												identification_t *other)
+{
+	peer_enumerator_t *e = malloc_thing(peer_enumerator_t);
+
+	e->public.enumerate = (void*)peer_enumerator_enumerate;
+	e->public.destroy = (void*)peer_enumerator_destroy;
+	e->peer_cfg = NULL;
+	e->inner = this->parser->create_section_enumerator(this->parser,
+					"local_id", "remote_id", "local_addr", "remote_addr",
+					"local_net", "remote_net", "ike_proposal", "esp_proposal",
+					"ike_rekey", "esp_rekey", NULL);
+	if (!e->inner)
+	{
+		free(e);
+		return NULL;
+	}
+	return &e->public;
+}
+
+/**
+ * enumerator implementation for create_ike_cfg_enumerator
+ */
+typedef struct {
+	/** implements enumerator */
+	enumerator_t public;
+	/** currently enumerated ike config */
+	ike_cfg_t *ike_cfg;
+	/** inner uci_parser section enumerator */
+	enumerator_t *inner;
+} ike_enumerator_t;
+
+/**
+ * Implementation of peer_enumerator_t.public.enumerate
+ */
+static bool ike_enumerator_enumerate(ike_enumerator_t *this, ike_cfg_t **cfg)
+{
+	char *local_addr, *remote_addr, *ike_proposal;
+
+	/* defaults */
+	local_addr = "0.0.0.0";
+	remote_addr = "0.0.0.0";
+	ike_proposal = NULL;
+
+	if (this->inner->enumerate(this->inner, NULL,
+							   &local_addr, &remote_addr, &ike_proposal))
+	{
+		DESTROY_IF(this->ike_cfg);
+		this->ike_cfg = ike_cfg_create(FALSE, FALSE, local_addr, IKEV2_UDP_PORT,
+										remote_addr, IKEV2_UDP_PORT);
+		this->ike_cfg->add_proposal(this->ike_cfg,
+									create_proposal(ike_proposal, PROTO_IKE));
+
+		*cfg = this->ike_cfg;
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/**
+ * Implementation of ike_enumerator_t.public.destroy
+ */
+static void ike_enumerator_destroy(ike_enumerator_t *this)
+{
+	DESTROY_IF(this->ike_cfg);
+	this->inner->destroy(this->inner);
+	free(this);
+}
+
+/**
+ * Implementation of backend_t.create_ike_cfg_enumerator.
+ */
+static enumerator_t* create_ike_cfg_enumerator(private_uci_config_t *this,
+											   host_t *me, host_t *other)
+{
+	ike_enumerator_t *e = malloc_thing(ike_enumerator_t);
+
+	e->public.enumerate = (void*)ike_enumerator_enumerate;
+	e->public.destroy = (void*)ike_enumerator_destroy;
+	e->ike_cfg = NULL;
+	e->inner = this->parser->create_section_enumerator(this->parser,
+							"local_addr", "remote_addr", "ike_proposal", NULL);
+	if (!e->inner)
+	{
+		free(e);
+		return NULL;
+	}
+	return &e->public;
+}
+
+/**
+ * implements backend_t.get_peer_cfg_by_name.
+ */
+static peer_cfg_t *get_peer_cfg_by_name(private_uci_config_t *this, char *name)
+{
+	enumerator_t *enumerator;
+	peer_cfg_t *current, *found = NULL;
+
+	enumerator = create_peer_cfg_enumerator(this, NULL, NULL);
+	if (enumerator)
+	{
+		while (enumerator->enumerate(enumerator, &current))
+		{
+			if (streq(name, current->get_name(current)))
+			{
+				found = current->get_ref(current);
+				break;
+			}
+		}
+		enumerator->destroy(enumerator);
+	}
+	return found;
+}
+
+/**
+ * Implementation of uci_config_t.destroy.
+ */
+static void destroy(private_uci_config_t *this)
+{
+	free(this);
+}
+
+/**
+ * Described in header.
+ */
+uci_config_t *uci_config_create(uci_parser_t *parser)
+{
+	private_uci_config_t *this = malloc_thing(private_uci_config_t);
+
+	this->public.backend.create_peer_cfg_enumerator = (enumerator_t*(*)(backend_t*, identification_t *me, identification_t *other))create_peer_cfg_enumerator;
+	this->public.backend.create_ike_cfg_enumerator = (enumerator_t*(*)(backend_t*, host_t *me, host_t *other))create_ike_cfg_enumerator;
+	this->public.backend.get_peer_cfg_by_name = (peer_cfg_t* (*)(backend_t*,char*))get_peer_cfg_by_name;
+	this->public.destroy = (void(*)(uci_config_t*))destroy;
+	this->parser = parser;
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/plugins/uci/uci_config.h b/src/libcharon/plugins/uci/uci_config.h
new file mode 100644
index 000000000..130f15d85
--- /dev/null
+++ b/src/libcharon/plugins/uci/uci_config.h
@@ -0,0 +1,55 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Copyright (C) 2008 Thomas Kallenberg
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup uci_config_t uci_config
+ * @{ @ingroup uci
+ */
+
+#ifndef UCI_CONFIG_H_
+#define UCI_CONFIG_H_
+
+#include "uci_parser.h"
+
+#include <config/backend.h>
+
+typedef struct uci_config_t uci_config_t;
+
+/**
+ * OpenWRT UCI configuration backend.
+ */
+struct uci_config_t {
+
+	/**
+	 * Implements backend_t interface
+	 */
+	backend_t backend;
+
+	/**
+	 * Destroy the backend.
+	 */
+	void (*destroy)(uci_config_t *this);
+};
+
+/**
+ * Create a UCI based configuration backend.
+ *
+ * @param parser	UCI parser to use
+ * @return			configuration backend
+ */
+uci_config_t *uci_config_create(uci_parser_t *parser);
+
+#endif /** UCI_CONFIG_H_ @}*/
diff --git a/src/libcharon/plugins/uci/uci_control.c b/src/libcharon/plugins/uci/uci_control.c
new file mode 100644
index 000000000..3c4928be4
--- /dev/null
+++ b/src/libcharon/plugins/uci/uci_control.c
@@ -0,0 +1,301 @@
+/*
+ * Copyright (C) 2008 Thomas Kallenberg
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#define _GNU_SOURCE
+#include <string.h>
+#include <stdio.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <errno.h>
+
+#include "uci_control.h"
+
+#include <daemon.h>
+#include <threading/thread.h>
+#include <processing/jobs/callback_job.h>
+
+#define FIFO_FILE "/var/run/charon.fifo"
+
+
+typedef struct private_uci_control_t private_uci_control_t;
+
+/**
+ * private data of uci_control_t
+ */
+struct private_uci_control_t {
+
+	/**
+	 * Public part
+	 */
+	uci_control_t public;
+
+	/**
+	 * Job
+	 */
+	callback_job_t *job;
+};
+
+/**
+ * write answer to fifo
+ */
+static void write_fifo(private_uci_control_t *this, char *format, ...)
+{
+	va_list args;
+	FILE *out;
+
+	out = fopen(FIFO_FILE, "w");
+	if (out)
+	{
+		va_start(args, format);
+		vfprintf(out, format, args);
+		va_end(args);
+		fclose(out);
+	}
+	else
+	{
+		DBG1(DBG_CFG, "writing to UCI fifo failed: %s", strerror(errno));
+	}
+}
+
+/**
+ * print IKE_SA status information
+ */
+static void status(private_uci_control_t *this, char *name)
+{
+	enumerator_t *configs, *sas;
+	iterator_t *children;
+	ike_sa_t *ike_sa;
+	child_sa_t *child_sa;
+	peer_cfg_t *peer_cfg;
+	char buf[2048];
+	FILE *out = NULL;
+
+	configs = charon->backends->create_peer_cfg_enumerator(charon->backends,
+														NULL, NULL, NULL, NULL);
+	while (configs->enumerate(configs, &peer_cfg))
+	{
+		if (name && !streq(name, peer_cfg->get_name(peer_cfg)))
+		{
+			continue;
+		}
+		sas = charon->controller->create_ike_sa_enumerator(charon->controller);
+		while (sas->enumerate(sas, &ike_sa))
+		{
+			if (!streq(ike_sa->get_name(ike_sa), peer_cfg->get_name(peer_cfg)))
+			{
+				continue;
+			}
+			if (!out)
+			{
+				out = fmemopen(buf, sizeof(buf), "w");
+				if (!out)
+				{
+					continue;
+				}
+			}
+			fprintf(out, "%-8s %-20D %-16H ", ike_sa->get_name(ike_sa),
+				ike_sa->get_other_id(ike_sa), ike_sa->get_other_host(ike_sa));
+
+			children = ike_sa->create_child_sa_iterator(ike_sa);
+			while (children->iterate(children, (void**)&child_sa))
+			{
+				fprintf(out, "%#R",
+						child_sa->get_traffic_selectors(child_sa, FALSE));
+			}
+			children->destroy(children);
+			fprintf(out, "\n");
+		}
+		sas->destroy(sas);
+	}
+	configs->destroy(configs);
+	if (out)
+	{
+		fclose(out);
+		write_fifo(this, "%s", buf);
+	}
+	else
+	{
+		write_fifo(this, "");
+	}
+}
+
+/**
+ * Initiate an IKE_SA
+ */
+static void initiate(private_uci_control_t *this, char *name)
+{
+	peer_cfg_t *peer_cfg;
+	child_cfg_t *child_cfg;
+	enumerator_t *enumerator;
+
+	peer_cfg = charon->backends->get_peer_cfg_by_name(charon->backends, name);
+	if (peer_cfg)
+	{
+		enumerator = peer_cfg->create_child_cfg_enumerator(peer_cfg);
+		if (enumerator->enumerate(enumerator, &child_cfg) &&
+			charon->controller->initiate(charon->controller, peer_cfg,
+										 child_cfg->get_ref(child_cfg),
+										 controller_cb_empty, NULL) == SUCCESS)
+		{
+			write_fifo(this, "connection '%s' established\n", name);
+		}
+		else
+		{
+			write_fifo(this, "establishing connection '%s' failed\n", name);
+		}
+		enumerator->destroy(enumerator);
+	}
+	else
+	{
+		write_fifo(this, "no connection named '%s' found\n", name);
+	}
+}
+
+/**
+ * terminate an IKE_SA
+ */
+static void terminate(private_uci_control_t *this, char *name)
+{
+	enumerator_t *enumerator;
+	ike_sa_t *ike_sa;
+	u_int id;
+
+	enumerator = charon->controller->create_ike_sa_enumerator(charon->controller);
+	while (enumerator->enumerate(enumerator, &ike_sa))
+	{
+		if (streq(name, ike_sa->get_name(ike_sa)))
+		{
+			id = ike_sa->get_unique_id(ike_sa);
+			enumerator->destroy(enumerator);
+			charon->controller->terminate_ike(charon->controller, id,
+											  controller_cb_empty, NULL);
+			write_fifo(this, "connection '%s' terminated\n", name);
+			return;
+		}
+	}
+	enumerator->destroy(enumerator);
+	write_fifo(this, "no active connection named '%s'\n", name);
+}
+
+/**
+ * dispatch control request
+ */
+static void process(private_uci_control_t *this, char *message)
+{
+	enumerator_t* enumerator;
+
+	enumerator = enumerator_create_token(message, " \n", "");
+	if (enumerator->enumerate(enumerator, &message))
+	{
+		if (streq(message, "status"))
+		{
+			if (enumerator->enumerate(enumerator, &message))
+			{
+				status(this, message);
+			}
+			else
+			{
+				status(this, NULL);
+			}
+		}
+		else if (streq(message, "up") &&
+				 enumerator->enumerate(enumerator, &message))
+		{
+			initiate(this, message);
+		}
+		else if (streq(message, "down") &&
+				 enumerator->enumerate(enumerator, &message))
+		{
+			terminate(this, message);
+		}
+		else
+		{
+			write_fifo(this, "usage: status [<name>] | up <name> | down <name>\n"
+					   "  status format: name peer-id peer-addr tunnel(s)\n");
+		}
+	}
+	enumerator->destroy(enumerator);
+}
+
+/**
+ * read from fifo
+ */
+static job_requeue_t receive(private_uci_control_t *this)
+{
+	char message[128];
+	int len;
+	bool oldstate;
+	FILE *in;
+
+	memset(message, 0, sizeof(message));
+	oldstate = thread_cancelability(TRUE);
+	in = fopen(FIFO_FILE, "r");
+	thread_cancelability(oldstate);
+	if (in)
+	{
+		len = fread(message, 1, sizeof(message) - 1, in);
+		fclose(in);
+		if (len > 0)
+		{
+			process(this, message);
+		}
+		else
+		{
+			DBG1(DBG_DMN, "reading from UCI fifo failed: %s", strerror(errno));
+		}
+	}
+	else
+	{
+		DBG1(DBG_DMN, "opening UCI fifo failed: %s", strerror(errno));
+	}
+	return JOB_REQUEUE_FAIR;
+}
+
+/**
+ * Implementation of uci_control_t.destroy
+ */
+static void destroy(private_uci_control_t *this)
+{
+	this->job->cancel(this->job);
+	unlink(FIFO_FILE);
+	free(this);
+}
+
+/**
+ * Described in header.
+ */
+uci_control_t *uci_control_create()
+{
+	private_uci_control_t *this = malloc_thing(private_uci_control_t);
+
+	this->public.destroy = (void(*)(uci_control_t*))destroy;
+
+	unlink(FIFO_FILE);
+	if (mkfifo(FIFO_FILE, S_IRUSR|S_IWUSR) != 0)
+	{
+		DBG1(DBG_CFG, "creating UCI control fifo '%s' failed: %s",
+			 FIFO_FILE, strerror(errno));
+	}
+	else
+	{
+		this->job = callback_job_create((callback_job_cb_t)receive,
+										this, NULL, NULL);
+		charon->processor->queue_job(charon->processor, (job_t*)this->job);
+	}
+	return &this->public;
+}
+
diff --git a/src/libcharon/plugins/uci/uci_control.h b/src/libcharon/plugins/uci/uci_control.h
new file mode 100644
index 000000000..794220aa1
--- /dev/null
+++ b/src/libcharon/plugins/uci/uci_control.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2008 Thomas Kallenberg
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup uci_control_t uci_control
+ * @{ @ingroup uci
+ */
+
+#ifndef UCI_CONTROL_H_
+#define UCI_CONTROL_H_
+
+typedef struct uci_control_t uci_control_t;
+
+/**
+ * UCI control interface, uses a simple FIFO file
+ */
+struct uci_control_t {
+
+	/**
+	 * Destroy the controller
+	 */
+	void (*destroy)(uci_control_t *this);
+};
+
+/**
+ * Create a UCI based configuration backend.
+ */
+uci_control_t *uci_control_create();
+
+#endif /** UCI_CONTROL_H_ @}*/
diff --git a/src/libcharon/plugins/uci/uci_creds.c b/src/libcharon/plugins/uci/uci_creds.c
new file mode 100644
index 000000000..4d664feb2
--- /dev/null
+++ b/src/libcharon/plugins/uci/uci_creds.c
@@ -0,0 +1,174 @@
+/*
+ * Copyright (C) 2008 Thomas Kallenberg
+ * Copyright (C) 2008 Martin Willi
+ * Copyright (C) 2008 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "uci_creds.h"
+
+#include <daemon.h>
+#include <credentials/keys/shared_key.h>
+#include <utils/identification.h>
+
+typedef struct private_uci_creds_t private_uci_creds_t;
+
+/**
+ * Private data of an uci_creds_t object
+ */
+struct private_uci_creds_t {
+	/**
+	 * Public part
+	 */
+	uci_creds_t public;
+
+	/**
+	 * UCI parser context
+	 */
+	uci_parser_t *parser;
+};
+
+typedef struct {
+	/** implements enumerator */
+	enumerator_t public;
+	/** inneer UCI enumerator */
+	enumerator_t *inner;
+	/** currently enumerated shared shared */
+	shared_key_t *current;
+	/** local ID to match */
+	identification_t *me;
+	/** remote ID to match */
+	identification_t *other;
+} shared_enumerator_t;
+
+/**
+ * Implementation of shared_enumerator_t.public.enumerate
+ */
+static bool shared_enumerator_enumerate(shared_enumerator_t *this,
+						shared_key_t **key, id_match_t *me, id_match_t *other)
+{
+	char *local_id, *remote_id, *psk;
+	identification_t *local, *remote;
+
+	while (TRUE)
+	{
+		/* defaults */
+		local_id = "%any";
+		remote_id = "%any";
+		psk = NULL;
+
+		if (!this->inner->enumerate(this->inner, NULL,
+									&local_id, &remote_id, &psk))
+		{
+			return FALSE;
+		}
+		if (psk == NULL)
+		{
+			continue;
+		}
+		if (me)
+		{
+			local = identification_create_from_string(local_id);
+			*me = this->me ? this->me->matches(this->me, local)
+						   : ID_MATCH_ANY;
+			local->destroy(local);
+			if (!*me)
+			{
+				continue;
+			}
+		}
+		if (other)
+		{
+			remote = identification_create_from_string(remote_id);
+			*other = this->other ? this->other->matches(this->other, remote)
+								 : ID_MATCH_ANY;
+			remote->destroy(remote);
+			if (!*other)
+			{
+				continue;
+			}
+		}
+		break;
+	}
+	DESTROY_IF(this->current);
+	this->current = shared_key_create(SHARED_IKE,
+								chunk_clone(chunk_create(psk, strlen(psk))));
+	*key = this->current;
+	return TRUE;
+}
+
+/**
+ * Implementation of shared_enumerator_t.public.destroy
+ */
+static void shared_enumerator_destroy(shared_enumerator_t *this)
+{
+	this->inner->destroy(this->inner);
+	DESTROY_IF(this->current);
+	free(this);
+}
+
+/**
+ * Implementation of backend_t.create_shared_cfg_enumerator.
+ */
+static enumerator_t* create_shared_enumerator(private_uci_creds_t *this,
+											  shared_key_type_t type,
+											  identification_t *me,
+											  identification_t *other)
+{
+	shared_enumerator_t *e;
+
+	if (type != SHARED_IKE)
+	{
+		return NULL;
+	}
+
+	e = malloc_thing(shared_enumerator_t);
+	e->current = NULL;
+	e->public.enumerate = (void*)shared_enumerator_enumerate;
+	e->public.destroy = (void*)shared_enumerator_destroy;
+	e->me = me;
+	e->other = other;
+	e->inner = this->parser->create_section_enumerator(this->parser,
+								"local_id", "remote_id", "psk", NULL);
+	if (!e->inner)
+	{
+		free(e);
+		return NULL;
+	}
+	return &e->public;
+}
+
+/**
+ * Implementation of uci_creds_t.destroy
+ */
+static void destroy(private_uci_creds_t *this)
+{
+	free(this);
+}
+
+uci_creds_t *uci_creds_create(uci_parser_t *parser)
+{
+	private_uci_creds_t *this = malloc_thing(private_uci_creds_t);
+
+	this->public.credential_set.create_shared_enumerator = (enumerator_t*(*)(credential_set_t*, shared_key_type_t, identification_t*, identification_t*))create_shared_enumerator;
+	this->public.credential_set.create_private_enumerator = (enumerator_t*(*) (credential_set_t*, key_type_t, identification_t*))return_null;
+	this->public.credential_set.create_cert_enumerator = (enumerator_t*(*) (credential_set_t*,	certificate_type_t, key_type_t,identification_t *, bool))return_null;
+	this->public.credential_set.create_cdp_enumerator  = (enumerator_t*(*) (credential_set_t *,certificate_type_t, identification_t *))return_null;
+	this->public.credential_set.cache_cert = (void (*)(credential_set_t *, certificate_t *))nop;
+	this->public.destroy = (void(*) (uci_creds_t*))destroy;
+
+	this->parser = parser;
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/plugins/uci/uci_creds.h b/src/libcharon/plugins/uci/uci_creds.h
new file mode 100644
index 000000000..a283ed9f5
--- /dev/null
+++ b/src/libcharon/plugins/uci/uci_creds.h
@@ -0,0 +1,55 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Copyright (C) 2008 Thomas Kallenberg
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup uci_creds_t uci_creds
+ * @{ @ingroup uci
+ */
+
+#ifndef UCI_CREDS_H_
+#define UCI_CREDS_H_
+
+#include "uci_parser.h"
+
+#include <credentials/credential_set.h>
+
+typedef struct uci_creds_t uci_creds_t;
+
+/**
+ * OpenWRT UCI credential set implementation.
+ */
+struct uci_creds_t {
+
+	/**
+	 * Implements credential set interface.
+	 */
+	credential_set_t credential_set;
+
+	/**
+	 * Destroy the backend.
+	 */
+	void (*destroy)(uci_creds_t *this);
+};
+
+/**
+ * Create a UCI based credential set.
+ *
+ * @param parser	UCI parser to use
+ * @return			credential set
+ */
+uci_creds_t *uci_creds_create(uci_parser_t *parser);
+
+#endif /** UCI_CREDS_H_ @}*/
diff --git a/src/libcharon/plugins/uci/uci_parser.c b/src/libcharon/plugins/uci/uci_parser.c
new file mode 100644
index 000000000..6de55d218
--- /dev/null
+++ b/src/libcharon/plugins/uci/uci_parser.c
@@ -0,0 +1,186 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Copyright (C) 2008 Thomas Kallenberg
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "uci_parser.h"
+
+#include <stdarg.h>
+
+#include <library.h>
+#include <uci.h>
+
+typedef struct private_uci_parser_t private_uci_parser_t;
+
+/**
+ * Private data of an uci_parser_t object
+ */
+struct private_uci_parser_t {
+
+	/**
+	 * Public part
+	 */
+	uci_parser_t public;
+
+	/**
+	 * UCI package name this parser reads
+	 */
+	char *package;
+};
+
+/**
+ * enumerator implementation create_section_enumerator
+ */
+typedef struct {
+	/** implements enumerator */
+	enumerator_t public;
+	/** currently enumerated uci section */
+	struct uci_element *current;
+	/** all uci ipsec config sections */
+	struct uci_list *list;
+	/** uci conntext */
+	struct uci_context *ctx;
+	/** ipsec uci package */
+	struct uci_package *package;
+	/** NULL terminated list of keywords */
+	char *keywords[];
+} section_enumerator_t;
+
+/**
+ * Implementation of section_enumerator_t.enumerate
+ */
+static bool section_enumerator_enumerate(section_enumerator_t *this, ...)
+{
+	struct uci_element *element;
+	char **value;
+	va_list args;
+	int i;
+
+	if (&this->current->list == this->list)
+	{
+		return FALSE;
+	}
+
+	va_start(args, this);
+
+	value = va_arg(args, char**);
+	if (value)
+	{
+		if (uci_lookup(this->ctx, &element, this->package,
+					   this->current->name, "name") == UCI_OK)
+		{	/* use "name" attribute as config name if available ... */
+			*value = uci_to_option(element)->value;
+		}
+		else
+		{	/* ... or the section name becomes config name */
+			*value = uci_to_section(this->current)->type;
+		}
+	}
+
+	/* followed by keyword parameters */
+	for (i = 0; this->keywords[i]; i++)
+	{
+		value = va_arg(args, char**);
+		if (value && uci_lookup(this->ctx, &element, this->package,
+						  this->current->name, this->keywords[i]) == UCI_OK)
+		{
+			*value = uci_to_option(element)->value;
+		}
+	}
+	va_end(args);
+
+	this->current = list_to_element(this->current->list.next);
+	return TRUE;
+}
+
+/**
+ * Implementation of section_enumerator_t.public.destroy
+ */
+static void section_enumerator_destroy(section_enumerator_t *this)
+{
+	uci_free_context(this->ctx);
+	free(this);
+}
+
+/**
+ * Implementation of backend_t.create_section_enumerator.
+ */
+static enumerator_t* create_section_enumerator(private_uci_parser_t *this, ...)
+{
+	section_enumerator_t *e;
+	va_list args;
+	int i;
+
+	/* allocate enumerator large enought to hold keyword pointers */
+	i = 1;
+	va_start(args, this);
+	while (va_arg(args, char*))
+	{
+		i++;
+	}
+	va_end(args);
+	e = malloc(sizeof(section_enumerator_t) + sizeof(char*) * i);
+	i = 0;
+	va_start(args, this);
+	do
+	{
+		e->keywords[i] = va_arg(args, char*);
+	}
+	while (e->keywords[i++]);
+	va_end(args);
+
+	e->public.enumerate = (void*)section_enumerator_enumerate;
+	e->public.destroy = (void*)section_enumerator_destroy;
+
+	/* load uci context */
+	e->ctx = uci_alloc_context();
+	if (uci_load(e->ctx, this->package, &e->package) != UCI_OK)
+	{
+		section_enumerator_destroy(e);
+		return NULL;
+	}
+	e->list = &e->package->sections;
+	e->current = list_to_element(e->list->next);
+	if (e->current->type != UCI_TYPE_SECTION)
+	{
+		section_enumerator_destroy(e);
+		return NULL;
+	}
+	return &e->public;
+}
+
+/**
+ * Implementation of uci_parser_t.destroy.
+ */
+static void destroy(private_uci_parser_t *this)
+{
+	free(this->package);
+	free(this);
+}
+
+/**
+ * Described in header.
+ */
+uci_parser_t *uci_parser_create(char *package)
+{
+	private_uci_parser_t *this = malloc_thing(private_uci_parser_t);
+
+	this->public.create_section_enumerator = (enumerator_t*(*)(uci_parser_t*, ...))create_section_enumerator;
+	this->public.destroy = (void(*)(uci_parser_t*))destroy;
+
+	this->package = strdup(package);
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/plugins/uci/uci_parser.h b/src/libcharon/plugins/uci/uci_parser.h
new file mode 100644
index 000000000..7217e507a
--- /dev/null
+++ b/src/libcharon/plugins/uci/uci_parser.h
@@ -0,0 +1,59 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Copyright (C) 2008 Thomas Kallenberg
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup uci_parser_t uci_parser
+ * @{ @ingroup uci
+ */
+
+#ifndef UCI_PARSER_H_
+#define UCI_PARSER_H_
+
+#include <utils/enumerator.h>
+
+typedef struct uci_parser_t uci_parser_t;
+
+/**
+ * Wrapper to parse UCI sections with an enumerator.
+ */
+struct uci_parser_t {
+
+	/**
+	 * Create an enumerator over a section.
+	 *
+	 * The enumerator returns a section name followed by values for the keywords
+	 * specified in the variable argument list of this function.
+	 *
+	 * @param ...		variable argument list with keywords, NULL terminated
+	 * @return			enumerator over sections
+	 */
+	enumerator_t* (*create_section_enumerator)(uci_parser_t *this, ...);
+
+	/**
+	 * Destroy the parser.
+	 */
+	void (*destroy)(uci_parser_t *this);
+};
+
+/**
+ * Create a UCI parser.
+ *
+ * @param package	UCI package this parser should read
+ * @return			parser context
+ */
+uci_parser_t *uci_parser_create(char *package);
+
+#endif /** UCI_PARSER_H_ @}*/
diff --git a/src/libcharon/plugins/uci/uci_plugin.c b/src/libcharon/plugins/uci/uci_plugin.c
new file mode 100644
index 000000000..742fcf4d0
--- /dev/null
+++ b/src/libcharon/plugins/uci/uci_plugin.c
@@ -0,0 +1,93 @@
+/*
+ * Copyright (C) 2008 Thomas Kallenberg
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "uci_plugin.h"
+#include "uci_config.h"
+#include "uci_creds.h"
+#include "uci_control.h"
+
+#include <daemon.h>
+
+/**
+ * UCI package name to use for lookups
+ */
+#define UCI_PACKAGE "strongswan"
+
+typedef struct private_uci_plugin_t private_uci_plugin_t;
+
+/**
+ * private data of uci plugin
+ */
+struct private_uci_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	uci_plugin_t public;
+
+	/**
+	 * UCI configuration backend
+	 */
+	uci_config_t *config;
+
+	/**
+	 * UCI credential set implementation
+	 */
+	uci_creds_t *creds;
+
+	/**
+	 * UCI parser wrapper
+	 */
+	uci_parser_t *parser;
+
+	/**
+	 * UCI control interface
+	 */
+	uci_control_t *control;
+};
+
+/**
+ * Implementation of plugin_t.destroy
+ */
+static void destroy(private_uci_plugin_t *this)
+{
+	charon->backends->remove_backend(charon->backends, &this->config->backend);
+	charon->credentials->remove_set(charon->credentials, &this->creds->credential_set);
+	this->config->destroy(this->config);
+	this->creds->destroy(this->creds);
+	this->parser->destroy(this->parser);
+	this->control->destroy(this->control);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *uci_plugin_create()
+{
+	private_uci_plugin_t *this = malloc_thing(private_uci_plugin_t);
+
+	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+
+	this->parser = uci_parser_create(UCI_PACKAGE);
+	this->config = uci_config_create(this->parser);
+	this->creds = uci_creds_create(this->parser);
+	this->control = uci_control_create();
+	charon->backends->add_backend(charon->backends, &this->config->backend);
+	charon->credentials->add_set(charon->credentials, &this->creds->credential_set);
+
+	return &this->public.plugin;
+}
+
diff --git a/src/libcharon/plugins/uci/uci_plugin.h b/src/libcharon/plugins/uci/uci_plugin.h
new file mode 100644
index 000000000..980ab26fd
--- /dev/null
+++ b/src/libcharon/plugins/uci/uci_plugin.h
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) 2008 Thomas Kallenberg
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup uci uci
+ * @ingroup cplugins
+ *
+ * @defgroup uci_plugin uci_plugin
+ * @{ @ingroup uci
+ */
+
+#ifndef UCI_PLUGIN_H_
+#define UCI_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct uci_plugin_t uci_plugin_t;
+
+/**
+ * OpenWRT UCI (Unified Configuration Interface) configuration plugin.
+ */
+struct uci_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+#endif /** UCI_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/unit_tester/Makefile.am b/src/libcharon/plugins/unit_tester/Makefile.am
new file mode 100644
index 000000000..e27d1f859
--- /dev/null
+++ b/src/libcharon/plugins/unit_tester/Makefile.am
@@ -0,0 +1,29 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-unit-tester.la
+else
+plugin_LTLIBRARIES = libstrongswan-unit-tester.la
+endif
+
+libstrongswan_unit_tester_la_SOURCES = \
+	unit_tester.c unit_tester.h tests.h \
+	tests/test_enumerator.c \
+	tests/test_auth_info.c \
+	tests/test_curl.c \
+	tests/test_mysql.c \
+	tests/test_sqlite.c \
+	tests/test_mutex.c \
+	tests/test_rsa_gen.c \
+	tests/test_cert.c \
+	tests/test_med_db.c \
+	tests/test_chunk.c \
+	tests/test_pool.c \
+	tests/test_agent.c \
+	tests/test_id.c
+
+libstrongswan_unit_tester_la_LDFLAGS = -module -avoid-version
diff --git a/src/libcharon/plugins/unit_tester/Makefile.in b/src/libcharon/plugins/unit_tester/Makefile.in
new file mode 100644
index 000000000..6ca43a38f
--- /dev/null
+++ b/src/libcharon/plugins/unit_tester/Makefile.in
@@ -0,0 +1,708 @@
+# Makefile.in generated by automake 1.11 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libcharon/plugins/unit_tester
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_unit_tester_la_LIBADD =
+am_libstrongswan_unit_tester_la_OBJECTS = unit_tester.lo \
+	test_enumerator.lo test_auth_info.lo test_curl.lo \
+	test_mysql.lo test_sqlite.lo test_mutex.lo test_rsa_gen.lo \
+	test_cert.lo test_med_db.lo test_chunk.lo test_pool.lo \
+	test_agent.lo test_id.lo
+libstrongswan_unit_tester_la_OBJECTS =  \
+	$(am_libstrongswan_unit_tester_la_OBJECTS)
+libstrongswan_unit_tester_la_LINK = $(LIBTOOL) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_unit_tester_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_unit_tester_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_unit_tester_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_unit_tester_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_unit_tester_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libhydra_plugins = @libhydra_plugins@
+libstrongswan_plugins = @libstrongswan_plugins@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-unit-tester.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-unit-tester.la
+libstrongswan_unit_tester_la_SOURCES = \
+	unit_tester.c unit_tester.h tests.h \
+	tests/test_enumerator.c \
+	tests/test_auth_info.c \
+	tests/test_curl.c \
+	tests/test_mysql.c \
+	tests/test_sqlite.c \
+	tests/test_mutex.c \
+	tests/test_rsa_gen.c \
+	tests/test_cert.c \
+	tests/test_med_db.c \
+	tests/test_chunk.c \
+	tests/test_pool.c \
+	tests/test_agent.c \
+	tests/test_id.c
+
+libstrongswan_unit_tester_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/unit_tester/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libcharon/plugins/unit_tester/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-unit-tester.la: $(libstrongswan_unit_tester_la_OBJECTS) $(libstrongswan_unit_tester_la_DEPENDENCIES) 
+	$(libstrongswan_unit_tester_la_LINK) $(am_libstrongswan_unit_tester_la_rpath) $(libstrongswan_unit_tester_la_OBJECTS) $(libstrongswan_unit_tester_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_agent.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_auth_info.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_cert.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_chunk.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_curl.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_enumerator.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_id.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_med_db.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_mutex.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_mysql.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_pool.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_rsa_gen.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_sqlite.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/unit_tester.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+test_enumerator.lo: tests/test_enumerator.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_enumerator.lo -MD -MP -MF $(DEPDIR)/test_enumerator.Tpo -c -o test_enumerator.lo `test -f 'tests/test_enumerator.c' || echo '$(srcdir)/'`tests/test_enumerator.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/test_enumerator.Tpo $(DEPDIR)/test_enumerator.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tests/test_enumerator.c' object='test_enumerator.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_enumerator.lo `test -f 'tests/test_enumerator.c' || echo '$(srcdir)/'`tests/test_enumerator.c
+
+test_auth_info.lo: tests/test_auth_info.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_auth_info.lo -MD -MP -MF $(DEPDIR)/test_auth_info.Tpo -c -o test_auth_info.lo `test -f 'tests/test_auth_info.c' || echo '$(srcdir)/'`tests/test_auth_info.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/test_auth_info.Tpo $(DEPDIR)/test_auth_info.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tests/test_auth_info.c' object='test_auth_info.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_auth_info.lo `test -f 'tests/test_auth_info.c' || echo '$(srcdir)/'`tests/test_auth_info.c
+
+test_curl.lo: tests/test_curl.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_curl.lo -MD -MP -MF $(DEPDIR)/test_curl.Tpo -c -o test_curl.lo `test -f 'tests/test_curl.c' || echo '$(srcdir)/'`tests/test_curl.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/test_curl.Tpo $(DEPDIR)/test_curl.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tests/test_curl.c' object='test_curl.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_curl.lo `test -f 'tests/test_curl.c' || echo '$(srcdir)/'`tests/test_curl.c
+
+test_mysql.lo: tests/test_mysql.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_mysql.lo -MD -MP -MF $(DEPDIR)/test_mysql.Tpo -c -o test_mysql.lo `test -f 'tests/test_mysql.c' || echo '$(srcdir)/'`tests/test_mysql.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/test_mysql.Tpo $(DEPDIR)/test_mysql.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tests/test_mysql.c' object='test_mysql.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_mysql.lo `test -f 'tests/test_mysql.c' || echo '$(srcdir)/'`tests/test_mysql.c
+
+test_sqlite.lo: tests/test_sqlite.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_sqlite.lo -MD -MP -MF $(DEPDIR)/test_sqlite.Tpo -c -o test_sqlite.lo `test -f 'tests/test_sqlite.c' || echo '$(srcdir)/'`tests/test_sqlite.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/test_sqlite.Tpo $(DEPDIR)/test_sqlite.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tests/test_sqlite.c' object='test_sqlite.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_sqlite.lo `test -f 'tests/test_sqlite.c' || echo '$(srcdir)/'`tests/test_sqlite.c
+
+test_mutex.lo: tests/test_mutex.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_mutex.lo -MD -MP -MF $(DEPDIR)/test_mutex.Tpo -c -o test_mutex.lo `test -f 'tests/test_mutex.c' || echo '$(srcdir)/'`tests/test_mutex.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/test_mutex.Tpo $(DEPDIR)/test_mutex.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tests/test_mutex.c' object='test_mutex.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_mutex.lo `test -f 'tests/test_mutex.c' || echo '$(srcdir)/'`tests/test_mutex.c
+
+test_rsa_gen.lo: tests/test_rsa_gen.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_rsa_gen.lo -MD -MP -MF $(DEPDIR)/test_rsa_gen.Tpo -c -o test_rsa_gen.lo `test -f 'tests/test_rsa_gen.c' || echo '$(srcdir)/'`tests/test_rsa_gen.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/test_rsa_gen.Tpo $(DEPDIR)/test_rsa_gen.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tests/test_rsa_gen.c' object='test_rsa_gen.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_rsa_gen.lo `test -f 'tests/test_rsa_gen.c' || echo '$(srcdir)/'`tests/test_rsa_gen.c
+
+test_cert.lo: tests/test_cert.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_cert.lo -MD -MP -MF $(DEPDIR)/test_cert.Tpo -c -o test_cert.lo `test -f 'tests/test_cert.c' || echo '$(srcdir)/'`tests/test_cert.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/test_cert.Tpo $(DEPDIR)/test_cert.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tests/test_cert.c' object='test_cert.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_cert.lo `test -f 'tests/test_cert.c' || echo '$(srcdir)/'`tests/test_cert.c
+
+test_med_db.lo: tests/test_med_db.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_med_db.lo -MD -MP -MF $(DEPDIR)/test_med_db.Tpo -c -o test_med_db.lo `test -f 'tests/test_med_db.c' || echo '$(srcdir)/'`tests/test_med_db.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/test_med_db.Tpo $(DEPDIR)/test_med_db.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tests/test_med_db.c' object='test_med_db.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_med_db.lo `test -f 'tests/test_med_db.c' || echo '$(srcdir)/'`tests/test_med_db.c
+
+test_chunk.lo: tests/test_chunk.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_chunk.lo -MD -MP -MF $(DEPDIR)/test_chunk.Tpo -c -o test_chunk.lo `test -f 'tests/test_chunk.c' || echo '$(srcdir)/'`tests/test_chunk.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/test_chunk.Tpo $(DEPDIR)/test_chunk.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tests/test_chunk.c' object='test_chunk.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_chunk.lo `test -f 'tests/test_chunk.c' || echo '$(srcdir)/'`tests/test_chunk.c
+
+test_pool.lo: tests/test_pool.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_pool.lo -MD -MP -MF $(DEPDIR)/test_pool.Tpo -c -o test_pool.lo `test -f 'tests/test_pool.c' || echo '$(srcdir)/'`tests/test_pool.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/test_pool.Tpo $(DEPDIR)/test_pool.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tests/test_pool.c' object='test_pool.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_pool.lo `test -f 'tests/test_pool.c' || echo '$(srcdir)/'`tests/test_pool.c
+
+test_agent.lo: tests/test_agent.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_agent.lo -MD -MP -MF $(DEPDIR)/test_agent.Tpo -c -o test_agent.lo `test -f 'tests/test_agent.c' || echo '$(srcdir)/'`tests/test_agent.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/test_agent.Tpo $(DEPDIR)/test_agent.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tests/test_agent.c' object='test_agent.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_agent.lo `test -f 'tests/test_agent.c' || echo '$(srcdir)/'`tests/test_agent.c
+
+test_id.lo: tests/test_id.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_id.lo -MD -MP -MF $(DEPDIR)/test_id.Tpo -c -o test_id.lo `test -f 'tests/test_id.c' || echo '$(srcdir)/'`tests/test_id.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/test_id.Tpo $(DEPDIR)/test_id.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tests/test_id.c' object='test_id.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_id.lo `test -f 'tests/test_id.c' || echo '$(srcdir)/'`tests/test_id.c
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libcharon/plugins/unit_tester/tests.h b/src/libcharon/plugins/unit_tester/tests.h
new file mode 100644
index 000000000..96313d390
--- /dev/null
+++ b/src/libcharon/plugins/unit_tester/tests.h
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tests tests
+ * @{ @ingroup unit_tester
+ */
+
+DEFINE_TEST("linked_list_t->remove()", test_list_remove, FALSE)
+DEFINE_TEST("simple enumerator", test_enumerate, FALSE)
+DEFINE_TEST("nested enumerator", test_enumerate_nested, FALSE)
+DEFINE_TEST("filtered enumerator", test_enumerate_filtered, FALSE)
+DEFINE_TEST("token enumerator", test_enumerate_token, FALSE)
+DEFINE_TEST("auth cfg", test_auth_cfg, FALSE)
+DEFINE_TEST("CURL get", test_curl_get, FALSE)
+DEFINE_TEST("MySQL operations", test_mysql, FALSE)
+DEFINE_TEST("SQLite operations", test_sqlite, FALSE)
+DEFINE_TEST("mutex primitive", test_mutex, FALSE)
+DEFINE_TEST("RSA key generation", test_rsa_gen, FALSE)
+DEFINE_TEST("RSA subjectPublicKeyInfo loading", test_rsa_load_any, FALSE)
+DEFINE_TEST("X509 certificate", test_cert_x509, FALSE)
+DEFINE_TEST("Mediation database key fetch", test_med_db, FALSE)
+DEFINE_TEST("Base64 converter", test_chunk_base64, FALSE)
+DEFINE_TEST("IP pool", test_pool, FALSE)
+DEFINE_TEST("SSH agent", test_agent, FALSE)
+DEFINE_TEST("ID parts", test_id_parts, FALSE)
+DEFINE_TEST("ID wildcards", test_id_wildcards, FALSE)
+DEFINE_TEST("ID equals", test_id_equals, FALSE)
+DEFINE_TEST("ID matches", test_id_matches, FALSE)
+
+/** @}*/
diff --git a/src/libcharon/plugins/unit_tester/tests/test_agent.c b/src/libcharon/plugins/unit_tester/tests/test_agent.c
new file mode 100644
index 000000000..baab629be
--- /dev/null
+++ b/src/libcharon/plugins/unit_tester/tests/test_agent.c
@@ -0,0 +1,67 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <library.h>
+#include <daemon.h>
+
+/*******************************************************************************
+ * SSH agent signature creation and verification
+ ******************************************************************************/
+bool test_agent()
+{
+	char *path;
+	chunk_t sig, data = chunk_from_chars(0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08);
+	private_key_t *private;
+	public_key_t *public;
+
+	path = getenv("SSH_AUTH_SOCK");
+	if (!path)
+	{
+		DBG1(DBG_CFG, "ssh-agent not found.");
+		return FALSE;
+	}
+
+	private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+								 BUILD_AGENT_SOCKET, path, BUILD_END);
+	if (!private)
+	{
+		return FALSE;
+	}
+	if (!private->sign(private, SIGN_RSA_EMSA_PKCS1_SHA1, data, &sig))
+	{
+		return FALSE;
+	}
+	public = private->get_public_key(private);
+	if (!public)
+	{
+		return FALSE;;
+	}
+	if (!public->verify(public, SIGN_RSA_EMSA_PKCS1_SHA1, data, sig))
+	{
+		return FALSE;
+	}
+	free(sig.ptr);
+	data.ptr[1] = 0x01; /* fake it */
+	if (public->verify(public, SIGN_RSA_EMSA_PKCS1_SHA1, data, sig))
+	{
+		return FALSE;
+	}
+
+	private->destroy(private);
+	public->destroy(public);
+
+	return TRUE;
+}
+
diff --git a/src/libcharon/plugins/unit_tester/tests/test_auth_info.c b/src/libcharon/plugins/unit_tester/tests/test_auth_info.c
new file mode 100644
index 000000000..d6abe7a05
--- /dev/null
+++ b/src/libcharon/plugins/unit_tester/tests/test_auth_info.c
@@ -0,0 +1,140 @@
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <daemon.h>
+#include <library.h>
+#include <config/auth_cfg.h>
+
+
+static chunk_t certchunk = chunk_from_chars(
+	0x30,0x82,0x02,0xfa,0x30,0x82,0x01,0xe2,0xa0,0x03,0x02,0x01,0x02,0x02,0x10,0x5a,
+	0xf2,0x65,0xae,0x78,0xff,0x23,0xde,0xf7,0xa6,0xa3,0x94,0x8c,0x3f,0xa0,0xc1,0x30,
+	0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x05,0x05,0x00,0x30,0x39,
+	0x31,0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x48,0x31,0x19,0x30,
+	0x17,0x06,0x03,0x55,0x04,0x0a,0x13,0x10,0x4c,0x69,0x6e,0x75,0x78,0x20,0x73,0x74,
+	0x72,0x6f,0x6e,0x67,0x53,0x77,0x61,0x6e,0x31,0x0f,0x30,0x0d,0x06,0x03,0x55,0x04,
+	0x03,0x13,0x06,0x6d,0x61,0x72,0x74,0x69,0x6e,0x30,0x1e,0x17,0x0d,0x30,0x37,0x30,
+	0x34,0x32,0x37,0x30,0x37,0x31,0x34,0x32,0x36,0x5a,0x17,0x0d,0x31,0x32,0x30,0x34,
+	0x32,0x35,0x30,0x37,0x31,0x34,0x32,0x36,0x5a,0x30,0x39,0x31,0x0b,0x30,0x09,0x06,
+	0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x48,0x31,0x19,0x30,0x17,0x06,0x03,0x55,0x04,
+	0x0a,0x13,0x10,0x4c,0x69,0x6e,0x75,0x78,0x20,0x73,0x74,0x72,0x6f,0x6e,0x67,0x53,
+	0x77,0x61,0x6e,0x31,0x0f,0x30,0x0d,0x06,0x03,0x55,0x04,0x03,0x13,0x06,0x6d,0x61,
+	0x72,0x74,0x69,0x6e,0x30,0x82,0x01,0x22,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,
+	0xf7,0x0d,0x01,0x01,0x01,0x05,0x00,0x03,0x82,0x01,0x0f,0x00,0x30,0x82,0x01,0x0a,
+	0x02,0x82,0x01,0x01,0x00,0xd7,0xb9,0xba,0x4d,0xe2,0x3b,0x3d,0x35,0x7a,0x3f,0x88,
+	0x67,0x95,0xe7,0xfd,0x9f,0xe9,0x0a,0x0d,0x79,0x3a,0x9e,0x21,0x8f,0xcb,0xe4,0x67,
+	0x24,0xae,0x0c,0xda,0xb3,0xcc,0xec,0x36,0xb4,0xa8,0x4d,0xf1,0x3d,0xad,0xe4,0x8c,
+	0x63,0x92,0x54,0xb7,0xb2,0x02,0xa2,0x00,0x62,0x8b,0x04,0xac,0xa0,0x17,0xad,0x17,
+	0x9a,0x05,0x0d,0xd7,0xb3,0x08,0x02,0xc5,0x26,0xcf,0xdd,0x05,0x42,0xfc,0x13,0x6d,
+	0x9f,0xb1,0xf3,0x4f,0x82,0x1d,0xef,0x01,0xc9,0x91,0xea,0x37,0x1b,0x79,0x28,0xfa,
+	0xbf,0x9f,0xb3,0xeb,0x82,0x4f,0x10,0xc6,0x4b,0xa4,0x08,0xf7,0x8e,0xf2,0x00,0xea,
+	0x04,0x97,0x80,0x9f,0x65,0x86,0xde,0x6b,0xc7,0xda,0x83,0xfc,0xad,0x4a,0xaf,0x52,
+	0x8b,0x4d,0x33,0xee,0x49,0x87,0x2f,0x3b,0x60,0x45,0x66,0x8f,0xe6,0x89,0xcc,0xb1,
+	0x92,0x02,0x17,0x2b,0x7b,0x8e,0x90,0x47,0x84,0x84,0x59,0x95,0x81,0xd8,0xe0,0xf3,
+	0x87,0xe0,0x04,0x09,0xfd,0xcc,0x3a,0x21,0x34,0xfa,0xec,0xbe,0xf5,0x9c,0xcf,0x55,
+	0x80,0x7b,0xe3,0x75,0x9d,0x36,0x68,0xab,0x83,0xe3,0xad,0x01,0x53,0x0d,0x8a,0x9a,
+	0xa6,0xb0,0x15,0xc9,0xc5,0xf8,0x9b,0x51,0x32,0xcf,0x97,0x6c,0xfe,0x4a,0x56,0x3c,
+	0xc8,0x8f,0x4a,0x70,0x23,0x4f,0xf6,0xf7,0xe6,0x9f,0x09,0xcd,0x8f,0xea,0x20,0x7d,
+	0x34,0xc0,0xc5,0xc0,0x34,0x06,0x6f,0x8b,0xeb,0x04,0x54,0x3f,0x0e,0xcd,0xe2,0x85,
+	0xab,0x94,0x3e,0x91,0x6c,0x18,0x6f,0x96,0x5d,0xf2,0x8b,0x10,0xe9,0x90,0x43,0xb0,
+	0x61,0x52,0xac,0xcf,0x75,0x02,0x03,0x01,0x00,0x01,0x30,0x0d,0x06,0x09,0x2a,0x86,
+	0x48,0x86,0xf7,0x0d,0x01,0x01,0x05,0x05,0x00,0x03,0x82,0x01,0x01,0x00,0x09,0x63,
+	0x42,0xad,0xe5,0xa3,0xf6,0xc9,0x5d,0x08,0xf2,0x78,0x7b,0xeb,0x8a,0xef,0x50,0x00,
+	0xc8,0xeb,0xe9,0x26,0x94,0xcb,0x84,0x10,0x7e,0x42,0x6b,0x86,0x38,0x57,0xa6,0x02,
+	0x98,0x5a,0x2c,0x8f,0x44,0x32,0x1b,0x97,0x8c,0x7e,0x4b,0xd8,0xe8,0xe8,0x0f,0x4a,
+	0xb9,0x31,0x9f,0xf6,0x9f,0x0e,0x67,0x26,0x05,0x2a,0x99,0x14,0x35,0x41,0x47,0x9a,
+	0xfa,0x12,0x94,0x0b,0xe9,0x27,0x7c,0x71,0x20,0xd7,0x8d,0x3b,0x97,0x19,0x2d,0x15,
+	0xff,0xa4,0xf3,0x89,0x8d,0x29,0x5f,0xf6,0x3f,0x93,0xaf,0x78,0x61,0xe4,0xe1,0x2e,
+	0x75,0xc1,0x2c,0xc4,0x76,0x95,0x19,0xf8,0x37,0xdc,0xd8,0x00,0x7a,0x3c,0x0f,0x49,
+	0x2e,0x88,0x09,0x16,0xb3,0x92,0x33,0xdf,0x77,0x83,0x4f,0xb5,0x9e,0x30,0x8c,0x48,
+	0x1d,0xd8,0x84,0xfb,0xf1,0xb9,0xa0,0xbe,0x25,0xff,0x4c,0xeb,0xef,0x2b,0xcd,0xfa,
+	0x0b,0x94,0x66,0x3b,0x28,0x08,0x3f,0x3a,0xda,0x41,0xd0,0x6b,0xab,0x5e,0xbb,0x8a,
+	0x9f,0xdc,0x98,0x3e,0x59,0x37,0x48,0xbe,0x69,0xde,0x85,0x82,0xf2,0x53,0x8b,0xe4,
+	0x44,0xe4,0x71,0x91,0x14,0x85,0x0e,0x1e,0x79,0xdd,0x62,0xf5,0xdc,0x25,0x89,0xab,
+	0x50,0x5b,0xaa,0xae,0xe3,0x64,0x6a,0x23,0x34,0xd7,0x30,0xe2,0x2a,0xc8,0x81,0x0c,
+	0xec,0xd2,0x31,0xc6,0x1e,0xb6,0xc0,0x57,0xd9,0xe1,0x14,0x06,0x9b,0xf8,0x51,0x69,
+	0x47,0xf0,0x9c,0xcd,0x69,0xef,0x8e,0x5f,0x62,0xda,0x10,0xf7,0x3c,0x6d,0x0f,0x33,
+	0xec,0x6f,0xfd,0x94,0x07,0x16,0x41,0x32,0x06,0xa4,0xe1,0x08,0x31,0x87,
+);
+
+/*******************************************************************************
+ * auth info test
+ ******************************************************************************/
+bool test_auth_cfg()
+{
+	auth_cfg_t *auth = auth_cfg_create(), *auth2;
+	certificate_t *c1, *c2;
+	enumerator_t *enumerator;
+	int round = 0;
+	void *value;
+	auth_rule_t type;
+
+	c1 = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+							BUILD_BLOB_ASN1_DER, certchunk,
+							BUILD_END);
+	if (!c1)
+	{
+		return FALSE;
+	}
+
+	auth->add(auth, AUTH_RULE_SUBJECT_CERT, c1->get_ref(c1));
+	c2 = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
+	if (!c2)
+	{
+		return FALSE;
+	}
+	if (!c1->equals(c1, c2))
+	{
+		return FALSE;
+	}
+
+	enumerator = auth->create_enumerator(auth);
+	while (enumerator->enumerate(enumerator, &type, &value))
+	{
+		round++;
+		if (round == 1 && type == AUTH_RULE_SUBJECT_CERT && value == c1)
+		{
+			continue;
+		}
+		return FALSE;
+	}
+	enumerator->destroy(enumerator);
+
+	auth2 = auth_cfg_create();
+	auth2->add(auth2, AUTH_RULE_CA_CERT, c1->get_ref(c1));
+	auth2->merge(auth2, auth, FALSE);
+
+	round = 0;
+	enumerator = auth2->create_enumerator(auth2);
+	while (enumerator->enumerate(enumerator, &type, &value))
+	{
+		round++;
+		if (round == 1 && type == AUTH_RULE_CA_CERT && value == c1)
+		{
+			continue;
+		}
+		if (round == 2 && type == AUTH_RULE_SUBJECT_CERT && value == c1)
+		{
+			continue;
+		}
+		return FALSE;
+	}
+	enumerator->destroy(enumerator);
+	auth->destroy(auth);
+	auth2->destroy(auth2);
+	c1->destroy(c1);
+	return TRUE;
+}
+
diff --git a/src/libcharon/plugins/unit_tester/tests/test_cert.c b/src/libcharon/plugins/unit_tester/tests/test_cert.c
new file mode 100644
index 000000000..3b00421f8
--- /dev/null
+++ b/src/libcharon/plugins/unit_tester/tests/test_cert.c
@@ -0,0 +1,108 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <library.h>
+#include <daemon.h>
+#include <credentials/certificates/x509.h>
+
+/*******************************************************************************
+ * X509 certificate generation and parsing
+ ******************************************************************************/
+bool test_cert_x509()
+{
+	private_key_t *ca_key, *peer_key;
+	public_key_t *public;
+	certificate_t *ca_cert, *peer_cert, *parsed;
+	identification_t *issuer, *subject;
+	u_int32_t serial = htonl(0);
+	chunk_t encoding;
+
+	issuer = identification_create_from_string("CN=CA, OU=Test, O=strongSwan");
+	subject = identification_create_from_string("CN=Peer, OU=Test, O=strongSwan");
+
+	ca_key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+						BUILD_KEY_SIZE, 1024, BUILD_END);
+	peer_key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+						BUILD_KEY_SIZE, 1024, BUILD_END);
+	if (!ca_key)
+	{
+		return FALSE;
+	}
+	ca_cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+						BUILD_SIGNING_KEY, ca_key,
+						BUILD_SUBJECT, issuer,
+						BUILD_SERIAL, chunk_from_thing(serial),
+						BUILD_X509_FLAG, X509_CA,
+						BUILD_END);
+	if (!ca_cert)
+	{
+		return FALSE;
+	}
+
+	encoding = ca_cert->get_encoding(ca_cert);
+	parsed = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+						BUILD_BLOB_ASN1_DER, encoding,
+						BUILD_END);
+	chunk_free(&encoding);
+	if (!parsed)
+	{
+		return FALSE;
+	}
+	if (!parsed->issued_by(parsed, ca_cert))
+	{
+		return FALSE;
+	}
+	parsed->destroy(parsed);
+
+	serial = htonl(ntohl(serial) + 1);
+	public = peer_key->get_public_key(peer_key);
+	peer_cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+						BUILD_SIGNING_KEY, ca_key,
+						BUILD_SIGNING_CERT, ca_cert,
+						BUILD_PUBLIC_KEY, public,
+						BUILD_SUBJECT, subject,
+						BUILD_SERIAL, chunk_from_thing(serial),
+						BUILD_END);
+	public->destroy(public);
+	if (!peer_cert)
+	{
+		return FALSE;
+	}
+
+	encoding = peer_cert->get_encoding(peer_cert);
+	parsed = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+						BUILD_BLOB_ASN1_DER, encoding,
+						BUILD_END);
+	chunk_free(&encoding);
+	if (!parsed)
+	{
+		return FALSE;
+	}
+	if (!parsed->issued_by(parsed, ca_cert))
+	{
+		return FALSE;
+	}
+	parsed->destroy(parsed);
+
+	ca_cert->destroy(ca_cert);
+	ca_key->destroy(ca_key);
+	peer_cert->destroy(peer_cert);
+	peer_key->destroy(peer_key);
+	issuer->destroy(issuer);
+	subject->destroy(subject);
+	return TRUE;
+}
+
+
diff --git a/src/libcharon/plugins/unit_tester/tests/test_chunk.c b/src/libcharon/plugins/unit_tester/tests/test_chunk.c
new file mode 100644
index 000000000..2e0905b2c
--- /dev/null
+++ b/src/libcharon/plugins/unit_tester/tests/test_chunk.c
@@ -0,0 +1,82 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <library.h>
+#include <daemon.h>
+
+/*******************************************************************************
+ * Base64 encoding/decoding test
+ ******************************************************************************/
+bool test_chunk_base64()
+{
+	/* test vectors from RFC4648:
+	 *
+	 * BASE64("") = ""
+	 * BASE64("f") = "Zg=="
+	 * BASE64("fo") = "Zm8="
+	 * BASE64("foo") = "Zm9v"
+	 * BASE64("foob") = "Zm9vYg=="
+	 * BASE64("fooba") = "Zm9vYmE="
+	 * BASE64("foobar") = "Zm9vYmFy"
+	 */
+
+	typedef struct {
+		char *in;
+		char *out;
+	} testdata_t;
+
+	testdata_t test[] = {
+		{"", ""},
+		{"f", "Zg=="},
+		{"fo", "Zm8="},
+		{"foo", "Zm9v"},
+		{"foob", "Zm9vYg=="},
+		{"fooba", "Zm9vYmE="},
+		{"foobar", "Zm9vYmFy"},
+	};
+	int i;
+
+	for (i = 0; i < countof(test); i++)
+	{
+		chunk_t out;
+
+		out = chunk_to_base64(chunk_create(test[i].in, strlen(test[i].in)), NULL);
+
+		if (!streq(out.ptr, test[i].out))
+		{
+			DBG1(DBG_CFG, "base64 conversion error - should %s, is %s",
+				test[i].out, out.ptr);
+			return FALSE;
+		}
+		free(out.ptr);
+	}
+
+	for (i = 0; i < countof(test); i++)
+	{
+		chunk_t out;
+
+		out = chunk_from_base64(chunk_create(test[i].out, strlen(test[i].out)), NULL);
+
+		if (!strneq(out.ptr, test[i].in, out.len))
+		{
+			DBG1(DBG_CFG, "base64 conversion error - should %s, is %#B",
+				test[i].in, &out);
+			return FALSE;
+		}
+		free(out.ptr);
+	}
+	return TRUE;
+}
+
diff --git a/src/libcharon/plugins/unit_tester/tests/test_curl.c b/src/libcharon/plugins/unit_tester/tests/test_curl.c
new file mode 100644
index 000000000..21656a94e
--- /dev/null
+++ b/src/libcharon/plugins/unit_tester/tests/test_curl.c
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <daemon.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netdb.h>
+
+/*******************************************************************************
+ * curl get test
+ ******************************************************************************/
+
+bool test_curl_get()
+{
+	chunk_t chunk;
+
+	if (lib->fetcher->fetch(lib->fetcher, "http://www.strongswan.org",
+							&chunk, FETCH_END) != SUCCESS)
+	{
+		return FALSE;
+	}
+	free(chunk.ptr);
+
+	if (lib->fetcher->fetch(lib->fetcher, "http://www.google.com",
+							&chunk, FETCH_END) != SUCCESS)
+	{
+		return FALSE;
+	}
+	free(chunk.ptr);
+	return TRUE;
+}
+
diff --git a/src/libcharon/plugins/unit_tester/tests/test_enumerator.c b/src/libcharon/plugins/unit_tester/tests/test_enumerator.c
new file mode 100644
index 000000000..edbf0f5bb
--- /dev/null
+++ b/src/libcharon/plugins/unit_tester/tests/test_enumerator.c
@@ -0,0 +1,306 @@
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <utils/linked_list.h>
+
+
+/*******************************************************************************
+ * linked list remove test
+ ******************************************************************************/
+bool test_list_remove()
+{
+	void *a = (void*)1, *b = (void*)2;
+	linked_list_t *list;
+
+	list = linked_list_create();
+	list->insert_last(list, a);
+	if (list->remove(list, a, NULL) != 1)
+	{
+		return FALSE;
+	}
+	list->insert_last(list, a);
+	list->insert_first(list, a);
+	list->insert_last(list, a);
+	list->insert_last(list, b);
+	if (list->remove(list, a, NULL) != 3)
+	{
+		return FALSE;
+	}
+	if (list->remove(list, a, NULL) != 0)
+	{
+		return FALSE;
+	}
+	if (list->get_count(list) != 1)
+	{
+		return FALSE;
+	}
+	if (list->remove(list, b, NULL) != 1)
+	{
+		return FALSE;
+	}
+	if (list->remove(list, b, NULL) != 0)
+	{
+		return FALSE;
+	}
+	list->destroy(list);
+	return TRUE;
+}
+
+/*******************************************************************************
+ * Simple insert first/last and enumerate test
+ ******************************************************************************/
+bool test_enumerate()
+{
+	int round, x;
+	void *a = (void*)4, *b = (void*)3, *c = (void*)2, *d = (void*)5, *e = (void*)1;
+	linked_list_t *list;
+	enumerator_t *enumerator;
+
+	list = linked_list_create();
+
+	list->insert_last(list, a);
+	list->insert_first(list, b);
+	list->insert_first(list, c);
+	list->insert_last(list, d);
+	list->insert_first(list, e);
+
+	round = 1;
+	enumerator = list->create_enumerator(list);
+	while (enumerator->enumerate(enumerator, &x))
+	{
+		if (round != x)
+		{
+			return FALSE;
+		}
+		round++;
+	}
+	enumerator->destroy(enumerator);
+
+	list->destroy(list);
+	return TRUE;
+}
+
+/*******************************************************************************
+ * nested enumerator test
+ ******************************************************************************/
+
+static bool bad_data;
+
+static enumerator_t* create_inner(linked_list_t *outer, void *data)
+{
+	if (data != (void*)101)
+	{
+		bad_data = TRUE;
+	}
+	return outer->create_enumerator(outer);
+}
+
+
+static void destroy_data(void *data)
+{
+	if (data != (void*)101)
+	{
+		bad_data = TRUE;
+	}
+}
+
+bool test_enumerate_nested()
+{
+	int round, x;
+	void *a = (void*)1, *b = (void*)2, *c = (void*)3, *d = (void*)4, *e = (void*)5;
+	linked_list_t *list, *l1, *l2, *l3;
+	enumerator_t *enumerator;
+
+	bad_data = FALSE;
+	list = linked_list_create();
+	l1 = linked_list_create();
+	l2 = linked_list_create();
+	l3 = linked_list_create();
+	list->insert_last(list, l1);
+	list->insert_last(list, l2);
+	list->insert_last(list, l3);
+
+	l1->insert_last(l1, a);
+	l1->insert_last(l1, b);
+	l3->insert_last(l3, c);
+	l3->insert_last(l3, d);
+	l3->insert_last(l3, e);
+
+	round = 1;
+	enumerator = enumerator_create_nested(list->create_enumerator(list),
+					(void*)create_inner, (void*)101, destroy_data);
+	while (enumerator->enumerate(enumerator, &x))
+	{
+		if (round != x)
+		{
+			return FALSE;
+		}
+		round++;
+	}
+	enumerator->destroy(enumerator);
+
+	list->destroy(list);
+	l1->destroy(l1);
+	l2->destroy(l2);
+	l3->destroy(l3);
+	return !bad_data;
+}
+
+
+/*******************************************************************************
+ * filtered enumerator test
+ ******************************************************************************/
+static bool filter(void *data, int *v, int *vo, int *w, int *wo,
+				   int *x, int *xo, int *y, int *yo, int *z, int *zo)
+{
+	int val = *v;
+
+	*vo = val++;
+	*wo = val++;
+	*xo = val++;
+	*yo = val++;
+	*zo = val++;
+	if (data != (void*)101)
+	{
+		return FALSE;
+	}
+	return TRUE;
+}
+
+bool test_enumerate_filtered()
+{
+	int round, v, w, x, y, z;
+	void *a = (void*)1, *b = (void*)2, *c = (void*)3, *d = (void*)4, *e = (void*)5;
+	linked_list_t *list;
+	enumerator_t *enumerator;
+
+	bad_data = FALSE;
+	list = linked_list_create();
+
+	list->insert_last(list, a);
+	list->insert_last(list, b);
+	list->insert_last(list, c);
+	list->insert_last(list, d);
+	list->insert_last(list, e);
+
+	round = 1;
+	enumerator = enumerator_create_filter(list->create_enumerator(list),
+									(void*)filter, (void*)101, destroy_data);
+	while (enumerator->enumerate(enumerator, &v, &w, &x, &y, &z))
+	{
+		if (v != round || w != round + 1 || x != round + 2 ||
+			y != round + 3 || z != round + 4)
+		{
+			return FALSE;
+		}
+		round++;
+	}
+	enumerator->destroy(enumerator);
+
+	list->destroy(list);
+	return !bad_data;
+}
+
+/*******************************************************************************
+ * token parser test
+ ******************************************************************************/
+
+bool test_enumerate_token()
+{
+	enumerator_t *enumerator;
+	char *token;
+	int i, num;
+	struct {
+		char *string;
+		char *sep;
+		char *trim;
+	} tests1[] = {
+		{"abc, cde, efg", ",", " "},
+		{" abc 1:2 cde;3  4efg5.  ", ":;.,", " 12345"},
+		{"abc.cde,efg", ",.", ""},
+		{"  abc   cde  efg  ", " ", " "},
+		{"a'abc' c 'cde' cefg", " ", " abcd"},
+		{"'abc' abc 'cde'd 'efg'", " ", " abcd"},
+	}, tests2[] = {
+		{"a, b, c", ",", " "},
+		{"a,b,c", ",", " "},
+		{" a 1:2 b;3  4c5.  ", ":;.,", " 12345"},
+		{"a.b,c", ",.", ""},
+		{"  a   b  c  ", " ", " "},
+	};
+
+	for (num = 0; num < countof(tests1); num++)
+	{
+		i = 0;
+		enumerator = enumerator_create_token(tests1[num].string,
+											 tests1[num].sep, tests1[num].trim);
+		while (enumerator->enumerate(enumerator, &token))
+		{
+			switch (i)
+			{
+				case 0:
+					if (!streq(token, "abc")) return FALSE;
+					break;
+				case 1:
+					if (!streq(token, "cde")) return FALSE;
+					break;
+				case 2:
+					if (!streq(token, "efg")) return FALSE;
+					break;
+				default:
+					return FALSE;
+			}
+			i++;
+		}
+		if (i != 3)
+		{
+			return FALSE;
+		}
+		enumerator->destroy(enumerator);
+	}
+
+	for (num = 0; num < countof(tests2); num++)
+	{
+		i = 0;
+		enumerator = enumerator_create_token(tests2[num].string,
+											 tests2[num].sep, tests2[num].trim);
+		while (enumerator->enumerate(enumerator, &token))
+		{
+			switch (i)
+			{
+				case 0:
+					if (!streq(token, "a")) return FALSE;
+					break;
+				case 1:
+					if (!streq(token, "b")) return FALSE;
+					break;
+				case 2:
+					if (!streq(token, "c")) return FALSE;
+					break;
+				default:
+					return FALSE;
+			}
+			i++;
+		}
+		if (i != 3)
+		{
+			return FALSE;
+		}
+		enumerator->destroy(enumerator);
+	}
+
+	return TRUE;
+}
+
diff --git a/src/libcharon/plugins/unit_tester/tests/test_id.c b/src/libcharon/plugins/unit_tester/tests/test_id.c
new file mode 100644
index 000000000..868a2ca8b
--- /dev/null
+++ b/src/libcharon/plugins/unit_tester/tests/test_id.c
@@ -0,0 +1,249 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <daemon.h>
+
+/*******************************************************************************
+ * identification part enumeration test
+ ******************************************************************************/
+bool test_id_parts()
+{
+	identification_t *id;
+	enumerator_t *enumerator;
+	id_part_t part;
+	chunk_t data;
+	int i = 0;
+
+	id = identification_create_from_string("C=CH, O=strongSwan, CN=tester");
+
+	enumerator = id->create_part_enumerator(id);
+	while (enumerator->enumerate(enumerator, &part, &data))
+	{
+		switch (i++)
+		{
+			case 0:
+				if (part != ID_PART_RDN_C ||
+					!chunk_equals(data, chunk_create("CH", 2)))
+				{
+					return FALSE;
+				}
+				break;
+			case 1:
+				if (part != ID_PART_RDN_O ||
+					!chunk_equals(data, chunk_create("strongSwan", 10)))
+				{
+					return FALSE;
+				}
+				break;
+			case 2:
+				if (part != ID_PART_RDN_CN ||
+					!chunk_equals(data, chunk_create("tester", 6)))
+				{
+					return FALSE;
+				}
+				break;
+			default:
+				return FALSE;
+		}
+	}
+	if (i < 3)
+	{
+		return FALSE;
+	}
+	enumerator->destroy(enumerator);
+	id->destroy(id);
+	return TRUE;
+}
+
+/*******************************************************************************
+ * identification contains_wildcards() test
+ ******************************************************************************/
+
+static bool test_id_wildcards_has(char *string)
+{
+	identification_t *id;
+	bool contains;
+
+	id = identification_create_from_string(string);
+	contains = id->contains_wildcards(id);
+	id->destroy(id);
+	return contains;
+}
+
+bool test_id_wildcards()
+{
+	if (!test_id_wildcards_has("C=*, O=strongSwan, CN=gw"))
+	{
+		return FALSE;
+	}
+	if (!test_id_wildcards_has("C=CH, O=strongSwan, CN=*"))
+	{
+		return FALSE;
+	}
+	if (test_id_wildcards_has("C=**, O=a*, CN=*a"))
+	{
+		return FALSE;
+	}
+	if (!test_id_wildcards_has("*@strongswan.org"))
+	{
+		return FALSE;
+	}
+	if (!test_id_wildcards_has("*.strongswan.org"))
+	{
+		return FALSE;
+	}
+	return TRUE;
+}
+
+/*******************************************************************************
+ * identification equals test
+ ******************************************************************************/
+
+static bool test_id_equals_one(identification_t *a, char *b_str)
+{
+	identification_t *b;
+	bool equals;
+
+	b = identification_create_from_string(b_str);
+	equals = a->equals(a, b);
+	b->destroy(b);
+	return equals;
+}
+
+bool test_id_equals()
+{
+	identification_t *a;
+	chunk_t encoding, fuzzed;
+	int i;
+
+	a = identification_create_from_string(
+							   "C=CH, E=martin@strongswan.org, CN=martin");
+
+	if (!test_id_equals_one(a, "C=CH, E=martin@strongswan.org, CN=martin"))
+	{
+		return FALSE;
+	}
+	if (!test_id_equals_one(a, "C=ch, E=martin@STRONGSWAN.ORG, CN=Martin"))
+	{
+		return FALSE;
+	}
+	if (test_id_equals_one(a, "C=CN, E=martin@strongswan.org, CN=martin"))
+	{
+		return FALSE;
+	}
+	if (test_id_equals_one(a, "E=martin@strongswan.org, C=CH, CN=martin"))
+	{
+		return FALSE;
+	}
+	if (test_id_equals_one(a, "E=martin@strongswan.org, C=CH, CN=martin"))
+	{
+		return FALSE;
+	}
+	encoding = chunk_clone(a->get_encoding(a));
+	a->destroy(a);
+
+	/* simple fuzzing, increment each byte of encoding */
+	for (i = 0; i < encoding.len; i++)
+	{
+		if (i == 11 || i == 30 || i == 62)
+		{	/* skip ASN.1 type fields, as equals() handles them graceful */
+			continue;
+		}
+		fuzzed = chunk_clone(encoding);
+		fuzzed.ptr[i]++;
+		a = identification_create_from_encoding(ID_DER_ASN1_DN, fuzzed);
+		if (test_id_equals_one(a, "C=CH, E=martin@strongswan.org, CN=martin"))
+		{
+			return FALSE;
+		}
+		a->destroy(a);
+		free(fuzzed.ptr);
+	}
+
+	/* and decrement each byte of encoding */
+	for (i = 0; i < encoding.len; i++)
+	{
+		if (i == 11 || i == 30 || i == 62)
+		{
+			continue;
+		}
+		fuzzed = chunk_clone(encoding);
+		fuzzed.ptr[i]--;
+		a = identification_create_from_encoding(ID_DER_ASN1_DN, fuzzed);
+		if (test_id_equals_one(a, "C=CH, E=martin@strongswan.org, CN=martin"))
+		{
+			return FALSE;
+		}
+		a->destroy(a);
+		free(fuzzed.ptr);
+	}
+	free(encoding.ptr);
+	return TRUE;
+}
+
+/*******************************************************************************
+ * identification matches test
+ ******************************************************************************/
+
+static id_match_t test_id_matches_one(identification_t *a, char *b_str)
+{
+	identification_t *b;
+	id_match_t match;
+
+	b = identification_create_from_string(b_str);
+	match = a->matches(a, b);
+	b->destroy(b);
+	return match;
+}
+
+bool test_id_matches()
+{
+	identification_t *a;
+
+	a = identification_create_from_string(
+							   "C=CH, E=martin@strongswan.org, CN=martin");
+
+	if (test_id_matches_one(a, "C=CH, E=martin@strongswan.org, CN=martin")
+															!= ID_MATCH_PERFECT)
+	{
+		return FALSE;
+	}
+	if (test_id_matches_one(a, "C=CH, E=*, CN=martin") != ID_MATCH_ONE_WILDCARD)
+	{
+		return FALSE;
+	}
+	if (test_id_matches_one(a, "C=CH, E=*, CN=*") != ID_MATCH_ONE_WILDCARD - 1)
+	{
+		return FALSE;
+	}
+	if (test_id_matches_one(a, "C=*, E=*, CN=*") != ID_MATCH_ONE_WILDCARD - 2)
+	{
+		return FALSE;
+	}
+	if (test_id_matches_one(a, "C=*, E=*, CN=*, O=BADInc") != ID_MATCH_NONE)
+	{
+		return FALSE;
+	}
+	if (test_id_matches_one(a, "C=*, E=*") != ID_MATCH_NONE)
+	{
+		return FALSE;
+	}
+	if (test_id_matches_one(a, "C=*, E=a@b.c, CN=*") != ID_MATCH_NONE)
+	{
+		return FALSE;
+	}
+	a->destroy(a);
+	return TRUE;
+}
diff --git a/src/libcharon/plugins/unit_tester/tests/test_med_db.c b/src/libcharon/plugins/unit_tester/tests/test_med_db.c
new file mode 100644
index 000000000..7fd78b0bc
--- /dev/null
+++ b/src/libcharon/plugins/unit_tester/tests/test_med_db.c
@@ -0,0 +1,54 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <library.h>
+#include <daemon.h>
+#include <utils/enumerator.h>
+
+#include <unistd.h>
+
+/*******************************************************************************
+ * fetch public key from mediation database
+ ******************************************************************************/
+
+bool test_med_db()
+{
+	chunk_t found, keyid = chunk_from_chars(
+		0xed,0x90,0xe6,0x4f,0xec,0xa2,0x1f,0x4b,
+		0x68,0x97,0x99,0x24,0x22,0xe0,0xde,0x21,
+		0xb9,0xd6,0x26,0x29
+	);
+	identification_t *id;
+	enumerator_t *enumerator;
+	public_key_t *public;
+	auth_cfg_t *auth;
+	bool good = FALSE;
+
+	id = identification_create_from_encoding(ID_KEY_ID, keyid);
+	enumerator = charon->credentials->create_public_enumerator(
+									charon->credentials, KEY_ANY, id, NULL);
+	while (enumerator->enumerate(enumerator, &public, &auth))
+	{
+		good = public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1, &found);
+		if (good)
+		{
+			good = chunk_equals(id->get_encoding(id), found);
+		}
+	}
+	enumerator->destroy(enumerator);
+	id->destroy(id);
+	return good;
+}
+
diff --git a/src/libcharon/plugins/unit_tester/tests/test_mutex.c b/src/libcharon/plugins/unit_tester/tests/test_mutex.c
new file mode 100644
index 000000000..77085cb2f
--- /dev/null
+++ b/src/libcharon/plugins/unit_tester/tests/test_mutex.c
@@ -0,0 +1,100 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <library.h>
+#include <threading/mutex.h>
+
+#include <unistd.h>
+#include <sched.h>
+#include <pthread.h>
+
+
+static mutex_t *mutex;
+
+static int locked = 0;
+
+static bool failed = FALSE;
+
+static pthread_barrier_t barrier;
+
+static void* run(void* null)
+{
+	int i;
+
+	/* wait for all threads before getting in action */
+	pthread_barrier_wait(&barrier);
+
+	for (i = 0; i < 100; i++)
+	{
+		mutex->lock(mutex);
+		mutex->lock(mutex);
+		mutex->lock(mutex);
+		locked++;
+		sched_yield();
+		if (locked > 1)
+		{
+			failed = TRUE;
+		}
+		locked--;
+		mutex->unlock(mutex);
+		mutex->unlock(mutex);
+		mutex->unlock(mutex);
+	}
+	return NULL;
+}
+
+#define THREADS 20
+
+/*******************************************************************************
+ * mutex test
+ ******************************************************************************/
+bool test_mutex()
+{
+	int i;
+	pthread_t threads[THREADS];
+
+	mutex = mutex_create(MUTEX_TYPE_RECURSIVE);
+
+	for (i = 0; i < 10; i++)
+	{
+		mutex->lock(mutex);
+		mutex->unlock(mutex);
+	}
+	for (i = 0; i < 10; i++)
+	{
+		mutex->lock(mutex);
+	}
+	for (i = 0; i < 10; i++)
+	{
+		mutex->unlock(mutex);
+	}
+
+	pthread_barrier_init(&barrier, NULL, THREADS);
+
+	for (i = 0; i < THREADS; i++)
+	{
+		pthread_create(&threads[i], NULL, run, NULL);
+	}
+	for (i = 0; i < THREADS; i++)
+	{
+		pthread_join(threads[i], NULL);
+	}
+	pthread_barrier_destroy(&barrier);
+
+	mutex->destroy(mutex);
+
+	return !failed;
+}
+
diff --git a/src/libcharon/plugins/unit_tester/tests/test_mysql.c b/src/libcharon/plugins/unit_tester/tests/test_mysql.c
new file mode 100644
index 000000000..252441ef8
--- /dev/null
+++ b/src/libcharon/plugins/unit_tester/tests/test_mysql.c
@@ -0,0 +1,89 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <library.h>
+#include <daemon.h>
+#include <utils/enumerator.h>
+
+/*******************************************************************************
+ * mysql simple test
+ ******************************************************************************/
+bool test_mysql()
+{
+	database_t *db;
+	char *txt = "I'm a superduper test";
+	chunk_t data = chunk_from_chars(0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08);
+	int row;
+	chunk_t qdata;
+	char *qtxt;
+	bool good = FALSE;
+	enumerator_t *enumerator;
+
+	db = lib->db->create(lib->db, "mysql://testuser:testpass@localhost/test");
+	if (!db)
+	{
+		return FALSE;
+	}
+	if (db->execute(db, NULL, "CREATE TABLE test ("
+								"id INT NOT NULL AUTO_INCREMENT PRIMARY KEY, "
+								"txt TEXT, data BLOB)") < 0)
+	{
+		return FALSE;
+	}
+	if (db->execute(db, &row, "INSERT INTO test (txt, data) VALUES (?,?)",
+					DB_TEXT, txt, DB_BLOB, data) < 0)
+	{
+		return FALSE;
+	}
+	if (row != 1)
+	{
+		return FALSE;
+	}
+	enumerator = db->query(db, "SELECT txt, data FROM test WHERE id = ?",
+						   DB_INT, row,
+						   DB_TEXT, DB_BLOB);
+	if (!enumerator)
+	{
+		return FALSE;
+	}
+	while (enumerator->enumerate(enumerator, &qtxt, &qdata))
+	{
+		if (good)
+		{	/* only one row */
+			good = FALSE;
+			break;
+		}
+		if (streq(qtxt, txt) && chunk_equals(data, qdata))
+		{
+			good = TRUE;
+		}
+	}
+	enumerator->destroy(enumerator);
+	if (!good)
+	{
+		return FALSE;
+	}
+	if (db->execute(db, NULL, "DELETE FROM test WHERE id = ?", DB_INT, row) != 1)
+	{
+		return FALSE;
+	}
+	if (db->execute(db, NULL, "DROP TABLE test") < 0)
+	{
+		return FALSE;
+	}
+	db->destroy(db);
+	return TRUE;
+}
+
diff --git a/src/libcharon/plugins/unit_tester/tests/test_pool.c b/src/libcharon/plugins/unit_tester/tests/test_pool.c
new file mode 100644
index 000000000..a68246fff
--- /dev/null
+++ b/src/libcharon/plugins/unit_tester/tests/test_pool.c
@@ -0,0 +1,93 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <time.h>
+
+#include <library.h>
+#include <threading/thread.h>
+#include <hydra.h>
+
+#define ALLOCS 1000
+#define THREADS 20
+
+static void* testing(void *thread)
+{
+	int i;
+	host_t *addr[ALLOCS];
+	identification_t *id[ALLOCS];
+
+	/* prepare identities */
+	for (i = 0; i < ALLOCS; i++)
+	{
+		char buf[256];
+
+		snprintf(buf, sizeof(buf), "%d-%d@strongswan.org", (uintptr_t)thread, i);
+		id[i] = identification_create_from_string(buf);
+	}
+
+	/* allocate addresses */
+	for (i = 0; i < ALLOCS; i++)
+	{
+		addr[i] = hydra->attributes->acquire_address(hydra->attributes,
+													 "test", id[i], NULL);
+		if (!addr[i])
+		{
+			return (void*)FALSE;
+		}
+	}
+
+	/* release addresses */
+	for (i = 0; i < ALLOCS; i++)
+	{
+		hydra->attributes->release_address(hydra->attributes,
+										   "test", addr[i], id[i]);
+	}
+
+	/* cleanup */
+	for (i = 0; i < ALLOCS; i++)
+	{
+		addr[i]->destroy(addr[i]);
+		id[i]->destroy(id[i]);
+	}
+	return (void*)TRUE;
+}
+
+
+/*******************************************************************************
+ * SQL pool performance test
+ ******************************************************************************/
+bool test_pool()
+{
+	thread_t *threads[THREADS];
+	uintptr_t i;
+
+	for (i = 0; i < THREADS; i++)
+	{
+		if (!(threads[i] = thread_create((thread_main_t)testing, (void*)i)))
+		{
+			return FALSE;
+		}
+	}
+	for (i = 0; i < THREADS; i++)
+	{
+		bool *res = threads[i]->join(threads[i]);
+		if (!res)
+		{
+			return FALSE;
+		}
+	}
+	return TRUE;
+}
+
diff --git a/src/libcharon/plugins/unit_tester/tests/test_rsa_gen.c b/src/libcharon/plugins/unit_tester/tests/test_rsa_gen.c
new file mode 100644
index 000000000..59da15644
--- /dev/null
+++ b/src/libcharon/plugins/unit_tester/tests/test_rsa_gen.c
@@ -0,0 +1,120 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <library.h>
+#include <daemon.h>
+
+/*******************************************************************************
+ * RSA key generation and signature
+ ******************************************************************************/
+bool test_rsa_gen()
+{
+	chunk_t data = chunk_from_chars(0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08);
+	chunk_t sig, crypt, plain;
+	private_key_t *private;
+	public_key_t *public;
+	u_int key_size;
+
+	for (key_size = 512; key_size <= 2048; key_size *= 2)
+	{
+		private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+									 BUILD_KEY_SIZE, key_size, BUILD_END);
+		if (!private)
+		{
+			DBG1(DBG_CFG, "generating %d bit RSA key failed");
+			return FALSE;
+		}
+		public = private->get_public_key(private);
+		if (!public)
+		{
+			DBG1(DBG_CFG, "generating public from private key failed");
+			return FALSE;
+		}
+		if (!private->sign(private, SIGN_RSA_EMSA_PKCS1_SHA1, data, &sig))
+		{
+			DBG1(DBG_CFG, "creating RSA signature failed");
+			return FALSE;
+		}
+		if (!public->verify(public, SIGN_RSA_EMSA_PKCS1_SHA1, data, sig))
+		{
+			DBG1(DBG_CFG, "verifying RSA signature failed");
+			return FALSE;
+		}
+		sig.ptr[sig.len-1]++;
+		if (public->verify(public, SIGN_RSA_EMSA_PKCS1_SHA1, data, sig))
+		{
+			DBG1(DBG_CFG, "verifying faked RSA signature succeeded!");
+			return FALSE;
+		}
+		free(sig.ptr);
+		if (!public->encrypt(public, data, &crypt))
+		{
+			DBG1(DBG_CFG, "encrypting data with RSA failed");
+			return FALSE;
+		}
+		if (!private->decrypt(private, crypt, &plain))
+		{
+			DBG1(DBG_CFG, "decrypting data with RSA failed");
+			return FALSE;
+		}
+		if (!chunk_equals(data, plain))
+		{
+			DBG1(DBG_CFG, "decrpyted data invalid, expected %B, got %B", &
+				 data, &plain);
+			return FALSE;
+		}
+		chunk_clear(&crypt);
+		chunk_clear(&plain);
+		public->destroy(public);
+		private->destroy(private);
+	}
+	return TRUE;
+}
+
+bool test_rsa_load_any()
+{
+	chunk_t chunk = chunk_from_chars(
+		0x30,0x82,0x01,0x20,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,
+		0x01,0x05,0x00,0x03,0x82,0x01,0x0d,0x00,0x30,0x82,0x01,0x08,0x02,0x82,0x01,0x01,
+		0x00,0xc6,0x68,0x99,0x1d,0xc8,0x06,0xdb,0xcf,0x1c,0x66,0xbb,0x91,0xc3,0xd4,0x10,
+		0xb2,0x08,0xa9,0xc5,0x71,0x39,0x1c,0xbe,0x5b,0x1d,0xce,0xfd,0x1b,0xfa,0xec,0x04,
+		0x89,0x9f,0x79,0xc8,0x46,0x00,0xd2,0x71,0xfb,0x22,0x16,0x52,0x2f,0xda,0xbf,0x0f,
+		0xe7,0x16,0xb1,0xd7,0x6a,0xa5,0xa5,0xfc,0xee,0xff,0x84,0x4c,0x81,0x3f,0xab,0x84,
+		0x0e,0xed,0x4a,0x26,0x59,0xd0,0x9b,0xb5,0xe1,0xec,0x61,0xc4,0xd3,0x15,0x4c,0x29,
+		0x51,0xa0,0xde,0x33,0x07,0x58,0x6c,0x36,0x1b,0x18,0x61,0xd9,0x56,0x18,0x39,0x54,
+		0x8b,0xd2,0xea,0x4e,0x87,0x28,0x58,0xb9,0x88,0x3d,0x30,0xbc,0xfc,0x6d,0xad,0xab,
+		0x43,0x26,0x09,0x48,0x4e,0x6e,0x8a,0x8b,0x88,0xb3,0xf0,0x29,0x25,0x79,0xb6,0xb6,
+		0x71,0x3c,0x93,0x59,0xd2,0x36,0x94,0xd5,0xfc,0xf3,0x62,0x2b,0x69,0xa3,0x7a,0x47,
+		0x4e,0x53,0xa2,0x35,0x1b,0x26,0x89,0xaa,0x09,0xfd,0x56,0xd7,0x75,0x2a,0xd4,0x91,
+		0xc0,0xf2,0x78,0xd7,0x05,0xca,0x12,0x1d,0xd9,0xd4,0x81,0x23,0xb2,0x3c,0x38,0xd9,
+		0xb4,0xdc,0x21,0xe0,0xe5,0x2d,0xd4,0xbe,0x61,0x39,0x8a,0x46,0x90,0x46,0x73,0x31,
+		0xba,0x48,0xbb,0x51,0xbb,0x91,0xd5,0x62,0xad,0xd1,0x53,0x5b,0x85,0xc9,0x1d,0xa7,
+		0xf6,0xa0,0xe1,0x0e,0x6c,0x22,0x5d,0x29,0x9a,0xe7,0x0f,0xe8,0x0a,0x50,0xa7,0x19,
+		0x11,0xc2,0x8b,0xe0,0x8a,0xfd,0x2b,0x94,0x31,0x7a,0x78,0x9c,0x9b,0x75,0x63,0x49,
+		0xa9,0xe5,0x58,0xe6,0x3a,0x99,0xcb,0x2b,0xdd,0x0e,0xdc,0x7d,0x1b,0x98,0x80,0xc3,
+		0x9f,0x02,0x01,0x23);
+	public_key_t *public;
+
+	public = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ANY,
+								BUILD_BLOB_ASN1_DER, chunk,
+								BUILD_END);
+	if (!public || public->get_keysize(public) != 256)
+	{
+		return FALSE;
+	}
+	public->destroy(public);
+	return TRUE;
+}
+
diff --git a/src/libcharon/plugins/unit_tester/tests/test_sqlite.c b/src/libcharon/plugins/unit_tester/tests/test_sqlite.c
new file mode 100644
index 000000000..dd8d1955e
--- /dev/null
+++ b/src/libcharon/plugins/unit_tester/tests/test_sqlite.c
@@ -0,0 +1,93 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <library.h>
+#include <daemon.h>
+#include <utils/enumerator.h>
+
+#include <unistd.h>
+
+
+#define DBFILE "/tmp/strongswan-test.db"
+
+/*******************************************************************************
+ * sqlite simple test
+ ******************************************************************************/
+bool test_sqlite()
+{
+	database_t *db;
+	char *txt = "I'm a superduper test";
+	chunk_t data = chunk_from_chars(0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08);
+	int row;
+	chunk_t qdata;
+	char *qtxt;
+	bool good = FALSE;
+	enumerator_t *enumerator;
+
+	db = lib->db->create(lib->db, "sqlite://" DBFILE);
+	if (!db)
+	{
+		return FALSE;
+	}
+	if (db->execute(db, NULL, "CREATE TABLE test (txt TEXT, data BLOB)") < 0)
+	{
+		return FALSE;
+	}
+	if (db->execute(db, &row, "INSERT INTO test (txt, data) VALUES (?,?)",
+					DB_TEXT, txt, DB_BLOB, data) < 0)
+	{
+		return FALSE;
+	}
+	if (row != 1)
+	{
+		return FALSE;
+	}
+	enumerator = db->query(db, "SELECT txt, data FROM test WHERE oid = ?",
+						   DB_INT, row,
+						   DB_TEXT, DB_BLOB);
+	if (!enumerator)
+	{
+		return FALSE;
+	}
+	while (enumerator->enumerate(enumerator, &qtxt, &qdata))
+	{
+		if (good)
+		{	/* only one row */
+			good = FALSE;
+			break;
+		}
+		if (streq(qtxt, txt) && chunk_equals(data, qdata))
+		{
+			good = TRUE;
+		}
+	}
+	enumerator->destroy(enumerator);
+	if (!good)
+	{
+		return FALSE;
+	}
+	if (db->execute(db, NULL, "DELETE FROM test WHERE oid = ?", DB_INT, row) != 1)
+	{
+		return FALSE;
+	}
+	if (db->execute(db, NULL, "DROP TABLE test") < 0)
+	{
+		return FALSE;
+	}
+	db->destroy(db);
+	unlink(DBFILE);
+	return TRUE;
+}
+
diff --git a/src/libcharon/plugins/unit_tester/unit_tester.c b/src/libcharon/plugins/unit_tester/unit_tester.c
new file mode 100644
index 000000000..5f6f94e03
--- /dev/null
+++ b/src/libcharon/plugins/unit_tester/unit_tester.c
@@ -0,0 +1,116 @@
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "unit_tester.h"
+
+#include <daemon.h>
+
+typedef struct private_unit_tester_t private_unit_tester_t;
+typedef struct unit_test_t unit_test_t;
+typedef enum test_status_t test_status_t;
+
+/**
+ * private data of unit_tester
+ */
+struct private_unit_tester_t {
+
+	/**
+	 * public functions
+	 */
+	unit_tester_t public;
+};
+
+struct unit_test_t {
+
+	/**
+	 * name of the test
+	 */
+	char *name;
+
+	/**
+	 * test function
+	 */
+	bool (*test)(void);
+
+	/**
+	 * run the test?
+	 */
+	bool enabled;
+};
+
+#undef DEFINE_TEST
+#define DEFINE_TEST(name, function, enabled) bool function();
+#include <plugins/unit_tester/tests.h>
+#undef DEFINE_TEST
+#define DEFINE_TEST(name, function, enabled) {name, function, enabled},
+static unit_test_t tests[] = {
+#include <plugins/unit_tester/tests.h>
+};
+
+static void run_tests(private_unit_tester_t *this)
+{
+	int i, run = 0, failed = 0, success = 0, skipped = 0;
+
+	DBG1(DBG_CFG, "running unit tests, %d tests registered",
+		 sizeof(tests)/sizeof(unit_test_t));
+
+	for (i = 0; i < sizeof(tests)/sizeof(unit_test_t); i++)
+	{
+		if (tests[i].enabled)
+		{
+			run++;
+			if (tests[i].test())
+			{
+				DBG1(DBG_CFG, "test '%s' successful", tests[i].name);
+				success++;
+			}
+			else
+			{
+				DBG1(DBG_CFG, "test '%s' failed", tests[i].name);
+				failed++;
+			}
+		}
+		else
+		{
+			DBG1(DBG_CFG, "test '%s' disabled", tests[i].name);
+			skipped++;
+		}
+	}
+	DBG1(DBG_CFG, "%d/%d tests successful (%d failed, %d disabled)",
+		 success, run, failed, skipped);
+}
+
+/**
+ * Implementation of 2007_t.destroy
+ */
+static void destroy(private_unit_tester_t *this)
+{
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *unit_tester_plugin_create()
+{
+	private_unit_tester_t *this = malloc_thing(private_unit_tester_t);
+
+	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+
+	run_tests(this);
+
+	return &this->public.plugin;
+}
+
diff --git a/src/libcharon/plugins/unit_tester/unit_tester.h b/src/libcharon/plugins/unit_tester/unit_tester.h
new file mode 100644
index 000000000..08784f6f4
--- /dev/null
+++ b/src/libcharon/plugins/unit_tester/unit_tester.h
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup unit_tester unit_tester
+ * @{ @ingroup cplugins
+ */
+
+#ifndef UNIT_TESTER_H_
+#define UNIT_TESTER_H_
+
+#include <plugins/plugin.h>
+
+typedef struct unit_tester_t unit_tester_t;
+
+/**
+ * Unit testing plugin.
+ *
+ * The unit testing plugin runs tests on plugin initialization. Tests are
+ * defined in tests.h using the DEFINE_TEST macro. Implementation of the
+ * tests is done in the tests folder. Each test has uses a function which
+ * returns TRUE for success or FALSE for failure.
+ */
+struct unit_tester_t {
+
+	/**
+	 * Implements the plugin interface.
+	 */
+	plugin_t plugin;
+};
+
+#endif /** UNIT_TESTER_H_ @}*/
diff --git a/src/libcharon/plugins/updown/Makefile.am b/src/libcharon/plugins/updown/Makefile.am
new file mode 100644
index 000000000..312c8d7e8
--- /dev/null
+++ b/src/libcharon/plugins/updown/Makefile.am
@@ -0,0 +1,17 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-updown.la
+else
+plugin_LTLIBRARIES = libstrongswan-updown.la
+endif
+
+libstrongswan_updown_la_SOURCES = \
+	updown_plugin.h updown_plugin.c \
+	updown_listener.h updown_listener.c
+
+libstrongswan_updown_la_LDFLAGS = -module -avoid-version
diff --git a/src/libcharon/plugins/updown/Makefile.in b/src/libcharon/plugins/updown/Makefile.in
new file mode 100644
index 000000000..d3c509a32
--- /dev/null
+++ b/src/libcharon/plugins/updown/Makefile.in
@@ -0,0 +1,589 @@
+# Makefile.in generated by automake 1.11 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libcharon/plugins/updown
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_updown_la_LIBADD =
+am_libstrongswan_updown_la_OBJECTS = updown_plugin.lo \
+	updown_listener.lo
+libstrongswan_updown_la_OBJECTS =  \
+	$(am_libstrongswan_updown_la_OBJECTS)
+libstrongswan_updown_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_updown_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_updown_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_updown_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_updown_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_updown_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libhydra_plugins = @libhydra_plugins@
+libstrongswan_plugins = @libstrongswan_plugins@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-updown.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-updown.la
+libstrongswan_updown_la_SOURCES = \
+	updown_plugin.h updown_plugin.c \
+	updown_listener.h updown_listener.c
+
+libstrongswan_updown_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/updown/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libcharon/plugins/updown/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-updown.la: $(libstrongswan_updown_la_OBJECTS) $(libstrongswan_updown_la_DEPENDENCIES) 
+	$(libstrongswan_updown_la_LINK) $(am_libstrongswan_updown_la_rpath) $(libstrongswan_updown_la_OBJECTS) $(libstrongswan_updown_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/updown_listener.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/updown_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libcharon/plugins/updown/updown_listener.c b/src/libcharon/plugins/updown/updown_listener.c
new file mode 100644
index 000000000..5a6746f92
--- /dev/null
+++ b/src/libcharon/plugins/updown/updown_listener.c
@@ -0,0 +1,294 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#define _GNU_SOURCE
+#include <stdio.h>
+
+#include "updown_listener.h"
+
+#include <daemon.h>
+#include <config/child_cfg.h>
+
+typedef struct private_updown_listener_t private_updown_listener_t;
+
+/**
+ * Private data of an updown_listener_t object.
+ */
+struct private_updown_listener_t {
+
+	/**
+	 * Public updown_listener_t interface.
+	 */
+	updown_listener_t public;
+
+	/**
+	 * List of cached interface names
+	 */
+	linked_list_t *iface_cache;
+};
+
+typedef struct cache_entry_t cache_entry_t;
+
+/**
+ * Cache line in the interface name cache.
+ */
+struct cache_entry_t {
+	/** requid of the CHILD_SA */
+	u_int32_t reqid;
+	/** cached interface name */
+	char *iface;
+};
+
+/**
+ * Insert an interface name to the cache
+ */
+static void cache_iface(private_updown_listener_t *this, u_int32_t reqid,
+						char *iface)
+{
+	cache_entry_t *entry = malloc_thing(cache_entry_t);
+
+	entry->reqid = reqid;
+	entry->iface = strdup(iface);
+
+	this->iface_cache->insert_first(this->iface_cache, entry);
+}
+
+/**
+ * Remove a cached interface name and return it.
+ */
+static char* uncache_iface(private_updown_listener_t *this, u_int32_t reqid)
+{
+	enumerator_t *enumerator;
+	cache_entry_t *entry;
+	char *iface = NULL;
+
+	enumerator = this->iface_cache->create_enumerator(this->iface_cache);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (entry->reqid == reqid)
+		{
+			this->iface_cache->remove_at(this->iface_cache, enumerator);
+			iface = entry->iface;
+			free(entry);
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return iface;
+}
+
+METHOD(listener_t, child_updown, bool,
+	private_updown_listener_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa,
+	bool up)
+{
+	traffic_selector_t *my_ts, *other_ts;
+	enumerator_t *enumerator;
+	child_cfg_t *config;
+	host_t *vip, *me, *other;
+	char *script;
+
+	config = child_sa->get_config(child_sa);
+	vip = ike_sa->get_virtual_ip(ike_sa, TRUE);
+	script = config->get_updown(config);
+	me = ike_sa->get_my_host(ike_sa);
+	other = ike_sa->get_other_host(ike_sa);
+
+	if (script == NULL)
+	{
+		return TRUE;
+	}
+
+	enumerator = child_sa->create_policy_enumerator(child_sa);
+	while (enumerator->enumerate(enumerator, &my_ts, &other_ts))
+	{
+		char command[1024];
+		char *my_client, *other_client, *my_client_mask, *other_client_mask;
+		char *pos, *virtual_ip, *iface;
+		bool is_host, is_ipv6;
+		FILE *shell;
+
+		/* get subnet/bits from string */
+		if (asprintf(&my_client, "%R", my_ts) < 0)
+		{
+			my_client = NULL;
+		}
+		pos = strchr(my_client, '/');
+		*pos = '\0';
+		my_client_mask = pos + 1;
+		pos = strchr(my_client_mask, '[');
+		if (pos)
+		{
+			*pos = '\0';
+		}
+		if (asprintf(&other_client, "%R", other_ts) < 0)
+		{
+			other_client = NULL;
+		}
+		pos = strchr(other_client, '/');
+		*pos = '\0';
+		other_client_mask = pos + 1;
+		pos = strchr(other_client_mask, '[');
+		if (pos)
+		{
+			*pos = '\0';
+		}
+
+		if (vip)
+		{
+			if (asprintf(&virtual_ip, "PLUTO_MY_SOURCEIP='%H' ", vip) < 0)
+			{
+				virtual_ip = NULL;
+			}
+		}
+		else
+		{
+			if (asprintf(&virtual_ip, "") < 0)
+			{
+				virtual_ip = NULL;
+			}
+		}
+
+		if (up)
+		{
+			iface = charon->kernel_interface->get_interface(
+												charon->kernel_interface, me);
+			if (iface)
+			{
+				cache_iface(this, child_sa->get_reqid(child_sa), iface);
+			}
+		}
+		else
+		{
+			iface = uncache_iface(this, child_sa->get_reqid(child_sa));
+		}
+
+		/* determine IPv4/IPv6 and client/host situation */
+		is_host = my_ts->is_host(my_ts, me);
+		is_ipv6 = is_host ? (me->get_family(me) == AF_INET6) :
+							(my_ts->get_type(my_ts) == TS_IPV6_ADDR_RANGE);
+
+		/* build the command with all env variables.
+		 * TODO: PLUTO_PEER_CA and PLUTO_NEXT_HOP are currently missing
+		 */
+		snprintf(command, sizeof(command),
+				 "2>&1 "
+				"PLUTO_VERSION='1.1' "
+				"PLUTO_VERB='%s%s%s' "
+				"PLUTO_CONNECTION='%s' "
+				"PLUTO_INTERFACE='%s' "
+				"PLUTO_REQID='%u' "
+				"PLUTO_ME='%H' "
+				"PLUTO_MY_ID='%Y' "
+				"PLUTO_MY_CLIENT='%s/%s' "
+				"PLUTO_MY_CLIENT_NET='%s' "
+				"PLUTO_MY_CLIENT_MASK='%s' "
+				"PLUTO_MY_PORT='%u' "
+				"PLUTO_MY_PROTOCOL='%u' "
+				"PLUTO_PEER='%H' "
+				"PLUTO_PEER_ID='%Y' "
+				"PLUTO_PEER_CLIENT='%s/%s' "
+				"PLUTO_PEER_CLIENT_NET='%s' "
+				"PLUTO_PEER_CLIENT_MASK='%s' "
+				"PLUTO_PEER_PORT='%u' "
+				"PLUTO_PEER_PROTOCOL='%u' "
+				"%s"
+				"%s"
+				"%s",
+				 up ? "up" : "down",
+				 is_host ? "-host" : "-client",
+				 is_ipv6 ? "-v6" : "",
+				 config->get_name(config),
+				 iface ? iface : "unknown",
+				 child_sa->get_reqid(child_sa),
+				 me, ike_sa->get_my_id(ike_sa),
+				 my_client, my_client_mask,
+				 my_client, my_client_mask,
+				 my_ts->get_from_port(my_ts),
+				 my_ts->get_protocol(my_ts),
+				 other, ike_sa->get_other_id(ike_sa),
+				 other_client, other_client_mask,
+				 other_client, other_client_mask,
+				 other_ts->get_from_port(other_ts),
+				 other_ts->get_protocol(other_ts),
+				 virtual_ip,
+				 config->get_hostaccess(config) ? "PLUTO_HOST_ACCESS='1' " : "",
+				 script);
+		free(my_client);
+		free(other_client);
+		free(virtual_ip);
+		free(iface);
+
+		DBG3(DBG_CHD, "running updown script: %s", command);
+		shell = popen(command, "r");
+
+		if (shell == NULL)
+		{
+			DBG1(DBG_CHD, "could not execute updown script '%s'", script);
+			return TRUE;
+		}
+
+		while (TRUE)
+		{
+			char resp[128];
+
+			if (fgets(resp, sizeof(resp), shell) == NULL)
+			{
+				if (ferror(shell))
+				{
+					DBG1(DBG_CHD, "error reading output from updown script");
+				}
+				break;
+			}
+			else
+			{
+				char *e = resp + strlen(resp);
+				if (e > resp && e[-1] == '\n')
+				{	/* trim trailing '\n' */
+					e[-1] = '\0';
+				}
+				DBG1(DBG_CHD, "updown: %s", resp);
+			}
+		}
+		pclose(shell);
+	}
+	enumerator->destroy(enumerator);
+	return TRUE;
+}
+
+METHOD(updown_listener_t, destroy, void,
+	private_updown_listener_t *this)
+{
+	this->iface_cache->destroy(this->iface_cache);
+	free(this);
+}
+
+/**
+ * See header
+ */
+updown_listener_t *updown_listener_create()
+{
+	private_updown_listener_t *this;
+
+	INIT(this,
+		.public = {
+			.listener.child_updown = _child_updown,
+			.destroy = _destroy,
+		},
+		.iface_cache = linked_list_create(),
+	);
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/plugins/updown/updown_listener.h b/src/libcharon/plugins/updown/updown_listener.h
new file mode 100644
index 000000000..5b866c4e5
--- /dev/null
+++ b/src/libcharon/plugins/updown/updown_listener.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup updown_listener updown_listener
+ * @{ @ingroup updown
+ */
+
+#ifndef UPDOWN_LISTENER_H_
+#define UPDOWN_LISTENER_H_
+
+#include <bus/bus.h>
+
+typedef struct updown_listener_t updown_listener_t;
+
+/**
+ * Listener which invokes the scripts on CHILD_SA up/down.
+ */
+struct updown_listener_t {
+
+	/**
+	 * Implements listener_t.
+	 */
+	listener_t listener;
+
+	/**
+	 * Destroy a updown_listener_t.
+	 */
+	void (*destroy)(updown_listener_t *this);
+};
+
+/**
+ * Create a updown_listener instance.
+ */
+updown_listener_t *updown_listener_create();
+
+#endif /** UPDOWN_LISTENER_H_ @}*/
diff --git a/src/libcharon/plugins/updown/updown_plugin.c b/src/libcharon/plugins/updown/updown_plugin.c
new file mode 100644
index 000000000..9d0591e62
--- /dev/null
+++ b/src/libcharon/plugins/updown/updown_plugin.c
@@ -0,0 +1,63 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "updown_plugin.h"
+#include "updown_listener.h"
+
+#include <daemon.h>
+
+typedef struct private_updown_plugin_t private_updown_plugin_t;
+
+/**
+ * private data of updown plugin
+ */
+struct private_updown_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	updown_plugin_t public;
+
+	/**
+	 * Listener interface, listens to CHILD_SA state changes
+	 */
+	updown_listener_t *listener;
+};
+
+/**
+ * Implementation of plugin_t.destroy
+ */
+static void destroy(private_updown_plugin_t *this)
+{
+	charon->bus->remove_listener(charon->bus, &this->listener->listener);
+	this->listener->destroy(this->listener);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *updown_plugin_create()
+{
+	private_updown_plugin_t *this = malloc_thing(private_updown_plugin_t);
+
+	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+
+	this->listener = updown_listener_create();
+	charon->bus->add_listener(charon->bus, &this->listener->listener);
+
+	return &this->public.plugin;
+}
+
diff --git a/src/libcharon/plugins/updown/updown_plugin.h b/src/libcharon/plugins/updown/updown_plugin.h
new file mode 100644
index 000000000..abcb953a0
--- /dev/null
+++ b/src/libcharon/plugins/updown/updown_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup updown updown
+ * @ingroup cplugins
+ *
+ * @defgroup updown_plugin updown_plugin
+ * @{ @ingroup updown
+ */
+
+#ifndef UPDOWN_PLUGIN_H_
+#define UPDOWN_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct updown_plugin_t updown_plugin_t;
+
+/**
+ * Updown firewall script invocation plugin, compatible to pluto ones.
+ */
+struct updown_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+#endif /** UPDOWN_PLUGIN_H_ @}*/
diff --git a/src/libcharon/processing/jobs/acquire_job.c b/src/libcharon/processing/jobs/acquire_job.c
new file mode 100644
index 000000000..45ace9312
--- /dev/null
+++ b/src/libcharon/processing/jobs/acquire_job.c
@@ -0,0 +1,86 @@
+/*
+ * Copyright (C) 2006-2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "acquire_job.h"
+
+#include <daemon.h>
+
+
+typedef struct private_acquire_job_t private_acquire_job_t;
+
+/**
+ * Private data of an acquire_job_t object.
+ */
+struct private_acquire_job_t {
+	/**
+	 * Public acquire_job_t interface.
+	 */
+	acquire_job_t public;
+
+	/**
+	 * reqid of the child to rekey
+	 */
+	u_int32_t reqid;
+
+	/**
+	 * acquired source traffic selector
+	 */
+	traffic_selector_t *src_ts;
+
+	/**
+	 * acquired destination traffic selector
+	 */
+	traffic_selector_t *dst_ts;
+};
+
+/**
+ * Implementation of job_t.destroy.
+ */
+static void destroy(private_acquire_job_t *this)
+{
+	DESTROY_IF(this->src_ts);
+	DESTROY_IF(this->dst_ts);
+	free(this);
+}
+
+/**
+ * Implementation of job_t.execute.
+ */
+static void execute(private_acquire_job_t *this)
+{
+	charon->traps->acquire(charon->traps, this->reqid,
+						   this->src_ts, this->dst_ts);
+	destroy(this);
+}
+
+/*
+ * Described in header
+ */
+acquire_job_t *acquire_job_create(u_int32_t reqid,
+								  traffic_selector_t *src_ts,
+								  traffic_selector_t *dst_ts)
+{
+	private_acquire_job_t *this = malloc_thing(private_acquire_job_t);
+
+	this->public.job_interface.execute = (void (*) (job_t *)) execute;
+	this->public.job_interface.destroy = (void (*)(job_t*)) destroy;
+
+	this->reqid = reqid;
+	this->src_ts = src_ts;
+	this->dst_ts = dst_ts;
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/processing/jobs/acquire_job.h b/src/libcharon/processing/jobs/acquire_job.h
new file mode 100644
index 000000000..eff79a9b0
--- /dev/null
+++ b/src/libcharon/processing/jobs/acquire_job.h
@@ -0,0 +1,54 @@
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup acquire_job acquire_job
+ * @{ @ingroup jobs
+ */
+
+#ifndef ACQUIRE_JOB_H_
+#define ACQUIRE_JOB_H_
+
+typedef struct acquire_job_t acquire_job_t;
+
+#include <library.h>
+#include <selectors/traffic_selector.h>
+#include <processing/jobs/job.h>
+
+/**
+ * Class representing an ACQUIRE Job.
+ *
+ * This job initiates a CHILD SA on kernel request.
+ */
+struct acquire_job_t {
+	/**
+	 * The job_t interface.
+	 */
+	job_t job_interface;
+};
+
+/**
+ * Creates a job of type ACQUIRE.
+ *
+ * @param reqid		reqid of the trapped CHILD_SA to acquire
+ * @param src_ts	source traffic selector
+ * @param dst_ts	destination traffic selector
+ * @return			acquire_job_t object
+ */
+acquire_job_t *acquire_job_create(u_int32_t reqid,
+								  traffic_selector_t *src_ts,
+								  traffic_selector_t *dst_ts);
+
+#endif /** REKEY_CHILD_SA_JOB_H_ @}*/
diff --git a/src/libcharon/processing/jobs/callback_job.c b/src/libcharon/processing/jobs/callback_job.c
new file mode 100644
index 000000000..45e49112e
--- /dev/null
+++ b/src/libcharon/processing/jobs/callback_job.c
@@ -0,0 +1,271 @@
+/*
+ * Copyright (C) 2009 Tobias Brunner
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "callback_job.h"
+
+#include <semaphore.h>
+
+#include <daemon.h>
+#include <threading/thread.h>
+#include <threading/condvar.h>
+#include <threading/mutex.h>
+
+typedef struct private_callback_job_t private_callback_job_t;
+
+/**
+ * Private data of an callback_job_t Object.
+ */
+struct private_callback_job_t {
+	/**
+	 * Public callback_job_t interface.
+	 */
+	callback_job_t public;
+
+	/**
+	 * Callback to call on execution
+	 */
+	callback_job_cb_t callback;
+
+	/**
+	 * parameter to supply to callback
+	 */
+	void *data;
+
+	/**
+	 * cleanup function for data
+	 */
+	callback_job_cleanup_t cleanup;
+
+	/**
+	 * thread of the job, if running
+	 */
+	thread_t *thread;
+
+	/**
+	 * mutex to access jobs interna
+	 */
+	mutex_t *mutex;
+
+	/**
+	 * list of asociated child jobs
+	 */
+	linked_list_t *children;
+
+	/**
+	 * parent of this job, or NULL
+	 */
+	private_callback_job_t *parent;
+
+	/**
+	 * TRUE if the job got cancelled
+	 */
+	bool cancelled;
+
+	/**
+	 * condvar to synchronize the cancellation/destruction of the job
+	 */
+	condvar_t *destroyable;
+
+	/**
+	 * semaphore to synchronize the termination of the assigned thread.
+	 *
+	 * separately allocated during cancellation, so that we can wait on it
+	 * without risking that it gets freed too early during destruction.
+	 */
+	sem_t *terminated;
+};
+
+/**
+ * unregister a child from its parent, if any.
+ * note: this->mutex has to be locked
+ */
+static void unregister(private_callback_job_t *this)
+{
+	if (this->parent)
+	{
+		this->parent->mutex->lock(this->parent->mutex);
+		if (this->parent->cancelled && !this->cancelled)
+		{
+			/* if the parent has been cancelled but we have not yet, we do not
+			 * unregister until we got cancelled by the parent. */
+			this->parent->mutex->unlock(this->parent->mutex);
+			this->destroyable->wait(this->destroyable, this->mutex);
+			this->parent->mutex->lock(this->parent->mutex);
+		}
+		this->parent->children->remove(this->parent->children, this, NULL);
+		this->parent->mutex->unlock(this->parent->mutex);
+		this->parent = NULL;
+	}
+}
+
+/**
+ * Implements job_t.destroy.
+ */
+static void destroy(private_callback_job_t *this)
+{
+	this->mutex->lock(this->mutex);
+	unregister(this);
+	if (this->cleanup)
+	{
+		this->cleanup(this->data);
+	}
+	if (this->terminated)
+	{
+		sem_post(this->terminated);
+	}
+	this->children->destroy(this->children);
+	this->destroyable->destroy(this->destroyable);
+	this->mutex->unlock(this->mutex);
+	this->mutex->destroy(this->mutex);
+	free(this);
+}
+
+/**
+ * Implementation of callback_job_t.cancel.
+ */
+static void cancel(private_callback_job_t *this)
+{
+	callback_job_t *child;
+	sem_t *terminated = NULL;
+
+	this->mutex->lock(this->mutex);
+	this->cancelled = TRUE;
+	/* terminate children */
+	while (this->children->get_first(this->children, (void**)&child) == SUCCESS)
+	{
+		this->mutex->unlock(this->mutex);
+		child->cancel(child);
+		this->mutex->lock(this->mutex);
+	}
+	if (this->thread)
+	{
+		/* terminate the thread, if there is currently one executing the job.
+		 * we wait for its termination using a semaphore */
+		this->thread->cancel(this->thread);
+		terminated = this->terminated = malloc_thing(sem_t);
+		sem_init(terminated, 0, 0);
+	}
+	else
+	{
+		/* if the job is currently queued, it gets terminated later.
+		 * we can't wait, because it might not get executed at all.
+		 * we also unregister the queued job manually from its parent (the
+		 * others get unregistered during destruction) */
+		unregister(this);
+	}
+	this->destroyable->signal(this->destroyable);
+	this->mutex->unlock(this->mutex);
+
+	if (terminated)
+	{
+		sem_wait(terminated);
+		sem_destroy(terminated);
+		free(terminated);
+	}
+}
+
+/**
+ * Implementation of job_t.execute.
+ */
+static void execute(private_callback_job_t *this)
+{
+	bool cleanup = FALSE, requeue = FALSE;
+
+	thread_cleanup_push((thread_cleanup_t)destroy, this);
+
+	this->mutex->lock(this->mutex);
+	this->thread = thread_current();
+	this->mutex->unlock(this->mutex);
+
+	while (TRUE)
+	{
+		this->mutex->lock(this->mutex);
+		if (this->cancelled)
+		{
+			this->mutex->unlock(this->mutex);
+			cleanup = TRUE;
+			break;
+		}
+		this->mutex->unlock(this->mutex);
+		switch (this->callback(this->data))
+		{
+			case JOB_REQUEUE_DIRECT:
+				continue;
+			case JOB_REQUEUE_FAIR:
+			{
+				requeue = TRUE;
+				break;
+			}
+			case JOB_REQUEUE_NONE:
+			default:
+			{
+				cleanup = TRUE;
+				break;
+			}
+		}
+		break;
+	}
+	this->mutex->lock(this->mutex);
+	this->thread = NULL;
+	this->mutex->unlock(this->mutex);
+	/* manually create a cancellation point to avoid that a cancelled thread
+	 * goes back into the thread pool */
+	thread_cancellation_point();
+	if (requeue)
+	{
+		charon->processor->queue_job(charon->processor,
+									 &this->public.job_interface);
+	}
+	thread_cleanup_pop(cleanup);
+}
+
+/*
+ * Described in header.
+ */
+callback_job_t *callback_job_create(callback_job_cb_t cb, void *data,
+									callback_job_cleanup_t cleanup,
+									callback_job_t *parent)
+{
+	private_callback_job_t *this = malloc_thing(private_callback_job_t);
+
+	/* interface functions */
+	this->public.job_interface.execute = (void (*) (job_t *)) execute;
+	this->public.job_interface.destroy = (void (*) (job_t *)) destroy;
+	this->public.cancel = (void(*)(callback_job_t*))cancel;
+
+	/* private variables */
+	this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
+	this->callback = cb;
+	this->data = data;
+	this->cleanup = cleanup;
+	this->thread = 0;
+	this->children = linked_list_create();
+	this->parent = (private_callback_job_t*)parent;
+	this->cancelled = FALSE;
+	this->destroyable = condvar_create(CONDVAR_TYPE_DEFAULT);
+	this->terminated = NULL;
+
+	/* register us at parent */
+	if (parent)
+	{
+		this->parent->mutex->lock(this->parent->mutex);
+		this->parent->children->insert_last(this->parent->children, this);
+		this->parent->mutex->unlock(this->parent->mutex);
+	}
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/processing/jobs/callback_job.h b/src/libcharon/processing/jobs/callback_job.h
new file mode 100644
index 000000000..62da1edd1
--- /dev/null
+++ b/src/libcharon/processing/jobs/callback_job.h
@@ -0,0 +1,118 @@
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup callback_job callback_job
+ * @{ @ingroup jobs
+ */
+
+#ifndef CALLBACK_JOB_H_
+#define CALLBACK_JOB_H_
+
+typedef struct callback_job_t callback_job_t;
+
+#include <library.h>
+#include <processing/jobs/job.h>
+
+
+typedef enum job_requeue_t job_requeue_t;
+
+/**
+ * Job requeueing policy
+ *
+ * The job requeueing policy defines how a job is handled when the callback
+ * function returns.
+ */
+enum job_requeue_t {
+
+	/**
+	 * Do not requeue job, destroy it
+	 */
+	JOB_REQUEUE_NONE,
+
+	/**
+	 * Reque the job fairly, meaning it has to requeue as any other job
+	 */
+	JOB_REQUEUE_FAIR,
+
+	/**
+	 * Reexecute the job directly, without the need of requeueing it
+	 */
+	JOB_REQUEUE_DIRECT,
+};
+
+/**
+ * The callback function to use for the callback job.
+ *
+ * This is the function to use as callback for a callback job. It receives
+ * a parameter supplied to the callback jobs constructor.
+ *
+ * @param data			param supplied to job
+ * @return				requeing policy how to requeue the job
+ */
+typedef job_requeue_t (*callback_job_cb_t)(void *data);
+
+/**
+ * Cleanup function to use for data cleanup.
+ *
+ * The callback has an optional user argument which receives data. However,
+ * this data may be cleaned up if it is allocated. This is the function
+ * to supply to the constructor.
+ *
+ * @param data			param supplied to job
+ * @return				requeing policy how to requeue the job
+ */
+typedef void (*callback_job_cleanup_t)(void *data);
+
+/**
+ * Class representing an callback Job.
+ *
+ * This is a special job which allows a simple callback function to
+ * be executed by a thread of the thread pool. This allows simple execution
+ * of asynchronous methods, without to manage threads.
+ */
+struct callback_job_t {
+	/**
+	 * The job_t interface.
+	 */
+	job_t job_interface;
+
+	/**
+	 * Cancel the job's thread and wait for its termination. This only works
+	 * reliably for jobs that always use JOB_REQUEUE_FAIR or JOB_REQUEUE_DIRECT,
+	 * otherwise the job may already be destroyed when cancel is called. */
+	void (*cancel)(callback_job_t *this);
+};
+
+/**
+ * Creates a callback job.
+ *
+ * The cleanup function is called when the job gets destroyed to destroy
+ * the associated data.
+ * If parent is not NULL, the specified job gets an association. Whenever
+ * the parent gets cancelled (or runs out), all of its children are cancelled,
+ * too.
+ *
+ * @param cb				callback to call from the processor
+ * @param data				user data to supply to callback
+ * @param cleanup			destructor for data on destruction, or NULL
+ * @param parent			parent of this job
+ * @return					callback_job_t object
+ */
+callback_job_t *callback_job_create(callback_job_cb_t cb, void *data,
+									callback_job_cleanup_t cleanup,
+									callback_job_t *parent);
+
+#endif /** CALLBACK_JOB_H_ @}*/
diff --git a/src/libcharon/processing/jobs/delete_child_sa_job.c b/src/libcharon/processing/jobs/delete_child_sa_job.c
new file mode 100644
index 000000000..ca55721f2
--- /dev/null
+++ b/src/libcharon/processing/jobs/delete_child_sa_job.c
@@ -0,0 +1,100 @@
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "delete_child_sa_job.h"
+
+#include <daemon.h>
+
+
+typedef struct private_delete_child_sa_job_t private_delete_child_sa_job_t;
+
+/**
+ * Private data of an delete_child_sa_job_t object.
+ */
+struct private_delete_child_sa_job_t {
+	/**
+
+	 * Public delete_child_sa_job_t interface.
+	 */
+	delete_child_sa_job_t public;
+
+	/**
+	 * reqid of the CHILD_SA
+	 */
+	u_int32_t reqid;
+
+	/**
+	 * protocol of the CHILD_SA (ESP/AH)
+	 */
+	protocol_id_t protocol;
+
+	/**
+	 * inbound SPI of the CHILD_SA
+	 */
+	u_int32_t spi;
+};
+
+/**
+ * Implementation of job_t.destroy.
+ */
+static void destroy(private_delete_child_sa_job_t *this)
+{
+	free(this);
+}
+
+/**
+ * Implementation of job_t.execute.
+ */
+static void execute(private_delete_child_sa_job_t *this)
+{
+	ike_sa_t *ike_sa;
+
+	ike_sa = charon->ike_sa_manager->checkout_by_id(charon->ike_sa_manager,
+													this->reqid, TRUE);
+	if (ike_sa == NULL)
+	{
+		DBG1(DBG_JOB, "CHILD_SA with reqid %d not found for delete",
+			 this->reqid);
+	}
+	else
+	{
+		ike_sa->delete_child_sa(ike_sa, this->protocol, this->spi);
+
+		charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+	}
+	destroy(this);
+}
+
+/*
+ * Described in header
+ */
+delete_child_sa_job_t *delete_child_sa_job_create(u_int32_t reqid,
+												  protocol_id_t protocol,
+												  u_int32_t spi)
+{
+	private_delete_child_sa_job_t *this = malloc_thing(private_delete_child_sa_job_t);
+
+	/* interface functions */
+	this->public.job_interface.execute = (void (*) (job_t *)) execute;
+	this->public.job_interface.destroy = (void (*)(job_t*)) destroy;
+
+	/* private variables */
+	this->reqid = reqid;
+	this->protocol = protocol;
+	this->spi = spi;
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/processing/jobs/delete_child_sa_job.h b/src/libcharon/processing/jobs/delete_child_sa_job.h
new file mode 100644
index 000000000..662a7b7c7
--- /dev/null
+++ b/src/libcharon/processing/jobs/delete_child_sa_job.h
@@ -0,0 +1,59 @@
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup delete_child_sa_job delete_child_sa_job
+ * @{ @ingroup jobs
+ */
+
+#ifndef DELETE_CHILD_SA_JOB_H_
+#define DELETE_CHILD_SA_JOB_H_
+
+typedef struct delete_child_sa_job_t delete_child_sa_job_t;
+
+#include <library.h>
+#include <sa/ike_sa_id.h>
+#include <processing/jobs/job.h>
+#include <config/proposal.h>
+
+
+/**
+ * Class representing an DELETE_CHILD_SA Job.
+ *
+ * This job initiates the delete of a CHILD SA.
+ */
+struct delete_child_sa_job_t {
+	/**
+	 * The job_t interface.
+	 */
+	job_t job_interface;
+};
+
+/**
+ * Creates a job of type DELETE_CHILD_SA.
+ *
+ * The CHILD_SA is identified by its reqid, protocol (AH/ESP) and its
+ * inbound SPI.
+ *
+ * @param reqid		reqid of the CHILD_SA, as used in kernel
+ * @param protocol	protocol of the CHILD_SA
+ * @param spi		security parameter index of the CHILD_SA
+ * @return			delete_child_sa_job_t object
+ */
+delete_child_sa_job_t *delete_child_sa_job_create(u_int32_t reqid,
+												  protocol_id_t protocol,
+												  u_int32_t spi);
+
+#endif /** DELETE_CHILD_SA_JOB_H_ @}*/
diff --git a/src/libcharon/processing/jobs/delete_ike_sa_job.c b/src/libcharon/processing/jobs/delete_ike_sa_job.c
new file mode 100644
index 000000000..dffd08ba3
--- /dev/null
+++ b/src/libcharon/processing/jobs/delete_ike_sa_job.c
@@ -0,0 +1,116 @@
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "delete_ike_sa_job.h"
+
+#include <daemon.h>
+
+typedef struct private_delete_ike_sa_job_t private_delete_ike_sa_job_t;
+
+/**
+ * Private data of an delete_ike_sa_job_t Object
+ */
+struct private_delete_ike_sa_job_t {
+	/**
+	 * public delete_ike_sa_job_t interface
+	 */
+	delete_ike_sa_job_t public;
+
+	/**
+	 * ID of the ike_sa to delete
+	 */
+	ike_sa_id_t *ike_sa_id;
+
+	/**
+	 * Should the IKE_SA be deleted if it is in ESTABLISHED state?
+	 */
+	bool delete_if_established;
+};
+
+
+/**
+ * Implements job_t.destroy.
+ */
+static void destroy(private_delete_ike_sa_job_t *this)
+{
+	this->ike_sa_id->destroy(this->ike_sa_id);
+	free(this);
+}
+
+/**
+ * Implementation of job_t.execute.
+ */
+static void execute(private_delete_ike_sa_job_t *this)
+{
+	ike_sa_t *ike_sa;
+
+	ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager,
+											  this->ike_sa_id);
+	if (ike_sa)
+	{
+		if (ike_sa->get_state(ike_sa) == IKE_PASSIVE)
+		{
+			charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+			return destroy(this);
+		}
+		if (this->delete_if_established)
+		{
+			if (ike_sa->delete(ike_sa) == DESTROY_ME)
+			{
+				charon->ike_sa_manager->checkin_and_destroy(
+												charon->ike_sa_manager, ike_sa);
+			}
+			else
+			{
+				charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+			}
+		}
+		else
+		{
+			/* destroy only if not ESTABLISHED */
+			if (ike_sa->get_state(ike_sa) == IKE_ESTABLISHED)
+			{
+				charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+			}
+			else
+			{
+				DBG1(DBG_JOB, "deleting half open IKE_SA after timeout");
+				charon->ike_sa_manager->checkin_and_destroy(
+												charon->ike_sa_manager, ike_sa);
+			}
+		}
+	}
+	destroy(this);
+}
+
+/*
+ * Described in header
+ */
+delete_ike_sa_job_t *delete_ike_sa_job_create(ike_sa_id_t *ike_sa_id,
+											  bool delete_if_established)
+{
+	private_delete_ike_sa_job_t *this = malloc_thing(private_delete_ike_sa_job_t);
+
+	/* interface functions */
+	this->public.job_interface.execute = (void (*) (job_t *)) execute;
+	this->public.job_interface.destroy = (void (*)(job_t *)) destroy;;
+
+	/* private variables */
+	this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
+	this->delete_if_established = delete_if_established;
+
+	return &(this->public);
+}
diff --git a/src/libcharon/processing/jobs/delete_ike_sa_job.h b/src/libcharon/processing/jobs/delete_ike_sa_job.h
new file mode 100644
index 000000000..f641deea3
--- /dev/null
+++ b/src/libcharon/processing/jobs/delete_ike_sa_job.h
@@ -0,0 +1,57 @@
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup delete_child_sa_job delete_child_sa_job
+ * @{ @ingroup jobs
+ */
+
+#ifndef DELETE_IKE_SA_JOB_H_
+#define DELETE_IKE_SA_JOB_H_
+
+typedef struct delete_ike_sa_job_t delete_ike_sa_job_t;
+
+#include <library.h>
+#include <sa/ike_sa_id.h>
+#include <processing/jobs/job.h>
+
+
+/**
+ * Class representing an DELETE_IKE_SA Job.
+ *
+ * This job is responsible for deleting established or half open IKE_SAs.
+ * A half open IKE_SA is every IKE_SA which hasn't reache the SA_ESTABLISHED
+ * state.
+ */
+struct delete_ike_sa_job_t {
+
+	/**
+	 * The job_t interface.
+	 */
+	job_t job_interface;
+};
+
+/**
+ * Creates a job of type DELETE_IKE_SA.
+ *
+ * @param ike_sa_id				id of the IKE_SA to delete
+ * @param delete_if_established	should the IKE_SA be deleted if it is established?
+ * @return						created delete_ike_sa_job_t object
+ */
+delete_ike_sa_job_t *delete_ike_sa_job_create(ike_sa_id_t *ike_sa_id,
+											  bool delete_if_established);
+
+#endif /** DELETE_IKE_SA_JOB_H_ @}*/
diff --git a/src/libcharon/processing/jobs/inactivity_job.c b/src/libcharon/processing/jobs/inactivity_job.c
new file mode 100644
index 000000000..13fc5e3d0
--- /dev/null
+++ b/src/libcharon/processing/jobs/inactivity_job.c
@@ -0,0 +1,150 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "inactivity_job.h"
+
+#include <daemon.h>
+
+typedef struct private_inactivity_job_t private_inactivity_job_t;
+
+/**
+ * Private data of an inactivity_job_t object.
+ */
+struct private_inactivity_job_t {
+
+	/**
+	 * Public inactivity_job_t interface.
+	 */
+	inactivity_job_t public;
+
+	/**
+	 * Reqid of CHILD_SA to check
+	 */
+	u_int32_t reqid;
+
+	/**
+	 * Inactivity timeout
+	 */
+	u_int32_t timeout;
+
+	/**
+	 * Close IKE_SA if last remaining CHILD inactive?
+	 */
+	bool close_ike;
+};
+
+METHOD(job_t, destroy, void,
+	private_inactivity_job_t *this)
+{
+	free(this);
+}
+
+METHOD(job_t, execute, void,
+	private_inactivity_job_t *this)
+{
+	ike_sa_t *ike_sa;
+	bool rescheduled = FALSE;
+
+	ike_sa = charon->ike_sa_manager->checkout_by_id(charon->ike_sa_manager,
+													this->reqid, TRUE);
+	if (ike_sa)
+	{
+		iterator_t *iterator;
+		child_sa_t *child_sa;
+		u_int32_t delete = 0;
+		protocol_id_t proto = 0;
+		int children = 0;
+		status_t status = SUCCESS;
+
+		iterator = ike_sa->create_child_sa_iterator(ike_sa);
+		while (iterator->iterate(iterator, (void**)&child_sa))
+		{
+			if (child_sa->get_reqid(child_sa) == this->reqid)
+			{
+				time_t in, out, diff;
+
+				child_sa->get_usestats(child_sa, TRUE, &in, NULL);
+				child_sa->get_usestats(child_sa, FALSE, &out, NULL);
+
+				diff = time_monotonic(NULL) - max(in, out);
+
+				if (diff >= this->timeout)
+				{
+					delete = child_sa->get_spi(child_sa, TRUE);
+					proto = child_sa->get_protocol(child_sa);
+				}
+				else
+				{
+					charon->scheduler->schedule_job(charon->scheduler,
+							&this->public.job_interface, this->timeout - diff);
+					rescheduled = TRUE;
+				}
+			}
+			children++;
+		}
+		iterator->destroy(iterator);
+
+		if (delete)
+		{
+			if (children == 1 && this->close_ike)
+			{
+				DBG1(DBG_JOB, "deleting IKE_SA after %d seconds "
+					 "of CHILD_SA inactivity", this->timeout);
+				status = ike_sa->delete(ike_sa);
+			}
+			else
+			{
+				DBG1(DBG_JOB, "deleting CHILD_SA after %d seconds "
+					 "of inactivity", this->timeout);
+				status = ike_sa->delete_child_sa(ike_sa, proto, delete);
+			}
+		}
+		if (status == DESTROY_ME)
+		{
+			charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager,
+														ike_sa);
+		}
+		else
+		{
+			charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+		}
+	}
+	if (!rescheduled)
+	{
+		destroy(this);
+	}
+}
+
+/**
+ * See header
+ */
+inactivity_job_t *inactivity_job_create(u_int32_t reqid, u_int32_t timeout,
+										bool close_ike)
+{
+	private_inactivity_job_t *this;
+
+	INIT(this,
+		.public.job_interface = {
+			.execute = _execute,
+			.destroy = _destroy,
+		},
+		.reqid = reqid,
+		.timeout = timeout,
+		.close_ike = close_ike,
+	);
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/processing/jobs/inactivity_job.h b/src/libcharon/processing/jobs/inactivity_job.h
new file mode 100644
index 000000000..9c9daced8
--- /dev/null
+++ b/src/libcharon/processing/jobs/inactivity_job.h
@@ -0,0 +1,53 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup inactivity_job inactivity_job
+ * @{ @ingroup jobs
+ */
+
+#ifndef INACTIVITY_JOB_H_
+#define INACTIVITY_JOB_H_
+
+#include <library.h>
+#include <processing/jobs/job.h>
+
+typedef struct inactivity_job_t inactivity_job_t;
+
+/**
+ * Job checking for inactivity of CHILD_SA to close them.
+ *
+ * The inactivity job reschedules itself to check CHILD_SAs prediodically.
+ */
+struct inactivity_job_t {
+
+	/**
+	 * Implements job_t.
+	 */
+	job_t job_interface;
+};
+
+/**
+ * Create a inactivity_job instance.
+ *
+ * @param reqid		reqid of CHILD_SA to check for inactivity
+ * @param timeout	inactivity timeout in s
+ * @param close_ike	close IKE_SA if the last remaining CHILD_SA is inactive?
+ * @return			inactivity checking job
+ */
+inactivity_job_t *inactivity_job_create(u_int32_t reqid, u_int32_t timeout,
+										bool close_ike);
+
+#endif /** INACTIVITY_JOB_H_ @}*/
diff --git a/src/libcharon/processing/jobs/initiate_mediation_job.c b/src/libcharon/processing/jobs/initiate_mediation_job.c
new file mode 100644
index 000000000..ffe8755e2
--- /dev/null
+++ b/src/libcharon/processing/jobs/initiate_mediation_job.c
@@ -0,0 +1,271 @@
+/*
+ * Copyright (C) 2007-2008 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "initiate_mediation_job.h"
+
+#include <sa/ike_sa.h>
+#include <daemon.h>
+
+
+typedef struct private_initiate_mediation_job_t private_initiate_mediation_job_t;
+
+/**
+ * Private data of an initiate_mediation_job_t Object
+ */
+struct private_initiate_mediation_job_t {
+	/**
+	 * public initiate_mediation_job_t interface
+	 */
+	initiate_mediation_job_t public;
+
+	/**
+	 * ID of the IKE_SA of the mediated connection.
+	 */
+	ike_sa_id_t *mediated_sa_id;
+
+	/**
+	 * ID of the IKE_SA of the mediation connection.
+	 */
+	ike_sa_id_t *mediation_sa_id;
+};
+
+/**
+ * Implements job_t.destroy.
+ */
+static void destroy(private_initiate_mediation_job_t *this)
+{
+	DESTROY_IF(this->mediation_sa_id);
+	DESTROY_IF(this->mediated_sa_id);
+	free(this);
+}
+
+/**
+ * Callback to handle initiation of mediation connection
+ */
+static bool initiate_callback(private_initiate_mediation_job_t *this,
+			debug_t group, level_t level, ike_sa_t *ike_sa,
+			char *format, va_list args)
+{
+	if (ike_sa && !this->mediation_sa_id)
+	{
+		this->mediation_sa_id = ike_sa->get_id(ike_sa);
+		this->mediation_sa_id = this->mediation_sa_id->clone(this->mediation_sa_id);
+	}
+	return TRUE;
+}
+
+/**
+ * Implementation of job_t.execute.
+ */
+static void initiate(private_initiate_mediation_job_t *this)
+{
+	ike_sa_t *mediated_sa, *mediation_sa;
+	peer_cfg_t *mediated_cfg, *mediation_cfg;
+	enumerator_t *enumerator;
+	auth_cfg_t *auth_cfg;
+
+	mediated_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager,
+												   this->mediated_sa_id);
+	if (mediated_sa)
+	{
+		DBG1(DBG_IKE, "initiating mediation connection");
+		mediated_cfg = mediated_sa->get_peer_cfg(mediated_sa);
+		mediated_cfg->get_ref(mediated_cfg);
+
+		charon->ike_sa_manager->checkin(charon->ike_sa_manager, mediated_sa);
+
+		mediation_cfg = mediated_cfg->get_mediated_by(mediated_cfg);
+		mediation_cfg->get_ref(mediation_cfg);
+
+		enumerator = mediation_cfg->create_auth_cfg_enumerator(mediation_cfg,
+															   TRUE);
+		if (!enumerator->enumerate(enumerator, &auth_cfg) ||
+			auth_cfg->get(auth_cfg, AUTH_RULE_IDENTITY) == NULL)
+		{
+			mediated_cfg->destroy(mediated_cfg);
+			mediation_cfg->destroy(mediation_cfg);
+			enumerator->destroy(enumerator);
+			destroy(this);
+			return;
+		}
+		enumerator->destroy(enumerator);
+
+		if (charon->connect_manager->check_and_register(charon->connect_manager,
+				auth_cfg->get(auth_cfg, AUTH_RULE_IDENTITY),
+				mediated_cfg->get_peer_id(mediated_cfg),
+				this->mediated_sa_id))
+		{
+			mediated_cfg->destroy(mediated_cfg);
+			mediation_cfg->destroy(mediation_cfg);
+
+			mediated_sa = charon->ike_sa_manager->checkout(
+								charon->ike_sa_manager, this->mediated_sa_id);
+			if (mediated_sa)
+			{
+				DBG1(DBG_IKE, "mediation with the same peer is already in "
+					 "progress, queued");
+				charon->ike_sa_manager->checkin(
+								charon->ike_sa_manager, mediated_sa);
+			}
+			destroy(this);
+			return;
+		}
+		/* we need an additional reference because initiate consumes one */
+		mediation_cfg->get_ref(mediation_cfg);
+
+		if (charon->controller->initiate(charon->controller, mediation_cfg,
+					NULL, (controller_cb_t)initiate_callback, this) != SUCCESS)
+		{
+			mediation_cfg->destroy(mediation_cfg);
+			mediated_cfg->destroy(mediated_cfg);
+			mediated_sa = charon->ike_sa_manager->checkout(
+								charon->ike_sa_manager, this->mediated_sa_id);
+			if (mediated_sa)
+			{
+				DBG1(DBG_IKE, "initiating mediation connection failed");
+				charon->ike_sa_manager->checkin_and_destroy(
+									charon->ike_sa_manager, mediated_sa);
+			}
+			destroy(this);
+			return;
+		}
+		mediation_cfg->destroy(mediation_cfg);
+
+		mediation_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager,
+														this->mediation_sa_id);
+		if (mediation_sa)
+		{
+			if (mediation_sa->initiate_mediation(mediation_sa,
+												 mediated_cfg) != SUCCESS)
+			{
+				mediated_cfg->destroy(mediated_cfg);
+				charon->ike_sa_manager->checkin_and_destroy(
+								charon->ike_sa_manager, mediation_sa);
+				mediated_sa = charon->ike_sa_manager->checkout(
+								charon->ike_sa_manager, this->mediated_sa_id);
+				if (mediated_sa)
+				{
+					DBG1(DBG_IKE, "establishing mediation connection failed");
+					charon->ike_sa_manager->checkin_and_destroy(
+										charon->ike_sa_manager, mediated_sa);
+				}
+				destroy(this);
+				return;
+			}
+			charon->ike_sa_manager->checkin(charon->ike_sa_manager,
+											mediation_sa);
+		}
+		mediated_cfg->destroy(mediated_cfg);
+	}
+	destroy(this);
+}
+
+/**
+ * Implementation of job_t.execute.
+ */
+static void reinitiate(private_initiate_mediation_job_t *this)
+{
+	ike_sa_t *mediated_sa, *mediation_sa;
+	peer_cfg_t *mediated_cfg;
+
+	mediated_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager,
+												   this->mediated_sa_id);
+	if (mediated_sa)
+	{
+		mediated_cfg = mediated_sa->get_peer_cfg(mediated_sa);
+		mediated_cfg->get_ref(mediated_cfg);
+		charon->ike_sa_manager->checkin(charon->ike_sa_manager, mediated_sa);
+
+		mediation_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager,
+														this->mediation_sa_id);
+		if (mediation_sa)
+		{
+			if (mediation_sa->initiate_mediation(mediation_sa,
+												 mediated_cfg) != SUCCESS)
+			{
+				DBG1(DBG_JOB, "initiating mediated connection '%s' failed",
+					 mediated_cfg->get_name(mediated_cfg));
+				mediated_cfg->destroy(mediated_cfg);
+				charon->ike_sa_manager->checkin_and_destroy(
+										charon->ike_sa_manager,
+										mediation_sa);
+				mediated_sa = charon->ike_sa_manager->checkout(
+										charon->ike_sa_manager,
+										this->mediated_sa_id);
+				if (mediated_sa)
+				{
+					DBG1(DBG_IKE, "establishing mediation connection failed");
+					charon->ike_sa_manager->checkin_and_destroy(
+										charon->ike_sa_manager,
+										mediated_sa);
+				}
+				destroy(this);
+				return;
+			}
+			charon->ike_sa_manager->checkin(charon->ike_sa_manager,
+											mediation_sa);
+		}
+
+		mediated_cfg->destroy(mediated_cfg);
+	}
+	destroy(this);
+}
+
+/**
+ * Creates an empty job
+ */
+static private_initiate_mediation_job_t *initiate_mediation_job_create_empty()
+{
+	private_initiate_mediation_job_t *this = malloc_thing(private_initiate_mediation_job_t);
+
+	/* interface functions */
+	this->public.job_interface.destroy = (void (*) (job_t *)) destroy;
+
+	/* private variables */
+	this->mediation_sa_id = NULL;
+	this->mediated_sa_id = NULL;
+
+	return this;
+}
+
+/*
+ * Described in header
+ */
+initiate_mediation_job_t *initiate_mediation_job_create(ike_sa_id_t *ike_sa_id)
+{
+	private_initiate_mediation_job_t *this = initiate_mediation_job_create_empty();
+
+	this->public.job_interface.execute = (void (*) (job_t *)) initiate;
+
+	this->mediated_sa_id = ike_sa_id->clone(ike_sa_id);
+
+	return &this->public;
+}
+
+/*
+ * Described in header
+ */
+initiate_mediation_job_t *reinitiate_mediation_job_create(ike_sa_id_t *mediation_sa_id,
+		ike_sa_id_t *mediated_sa_id)
+{
+	private_initiate_mediation_job_t *this = initiate_mediation_job_create_empty();
+
+	this->public.job_interface.execute = (void (*) (job_t *)) reinitiate;
+
+	this->mediation_sa_id = mediation_sa_id->clone(mediation_sa_id);
+	this->mediated_sa_id = mediated_sa_id->clone(mediated_sa_id);
+
+	return &this->public;
+}
diff --git a/src/libcharon/processing/jobs/initiate_mediation_job.h b/src/libcharon/processing/jobs/initiate_mediation_job.h
new file mode 100644
index 000000000..fddb1dd7b
--- /dev/null
+++ b/src/libcharon/processing/jobs/initiate_mediation_job.h
@@ -0,0 +1,62 @@
+/*
+ * Copyright (C) 2007-2008 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup initiate_mediation_job initiate_mediation_job
+ * @{ @ingroup jobs
+ */
+
+#ifndef INITIATE_MEDIATION_JOB_H_
+#define INITIATE_MEDIATION_JOB_H_
+
+typedef struct initiate_mediation_job_t initiate_mediation_job_t;
+
+#include <processing/jobs/job.h>
+#include <sa/ike_sa_id.h>
+
+/**
+ * Class representing a INITIATE_MEDIATION Job.
+ *
+ * This job will initiate a mediation on behalf of a mediated connection.
+ * If required the mediation connection is established.
+ */
+struct initiate_mediation_job_t {
+	/**
+	 * implements job_t interface
+	 */
+	job_t job_interface;
+};
+
+/**
+ * Creates a job of type INITIATE_MEDIATION.
+ *
+ * @param ike_sa_id		identification of the ike_sa as ike_sa_id_t object (gets cloned)
+ * @return				job object
+ */
+initiate_mediation_job_t *initiate_mediation_job_create(ike_sa_id_t *ike_sa_id);
+
+/**
+ * Creates a special job of type INITIATE_MEDIATION that reinitiates a
+ * specific connection.
+ *
+ * @param mediation_sa_id		identification of the mediation sa (gets cloned)
+ * @param mediated_sa_id		identification of the mediated sa (gets cloned)
+ * @return						job object
+ */
+initiate_mediation_job_t *reinitiate_mediation_job_create(
+												ike_sa_id_t *mediation_sa_id,
+												ike_sa_id_t *mediated_sa_id);
+
+#endif /** INITIATE_MEDIATION_JOB_H_ @}*/
diff --git a/src/libcharon/processing/jobs/job.h b/src/libcharon/processing/jobs/job.h
new file mode 100644
index 000000000..0f1c16ebe
--- /dev/null
+++ b/src/libcharon/processing/jobs/job.h
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup job job
+ * @{ @ingroup jobs
+ */
+
+#ifndef JOB_H_
+#define JOB_H_
+
+typedef struct job_t job_t;
+
+#include <library.h>
+
+/**
+ * Job-Interface as it is stored in the job queue.
+ */
+struct job_t {
+
+	/**
+	 * Execute a job.
+	 *
+	 * The processing facility executes a job using this method. Jobs are
+	 * one-shot, they destroy themself after execution, so don't use a job
+	 * once it has been executed.
+	 */
+	void (*execute) (job_t *this);
+
+	/**
+	 * Destroy a job.
+	 *
+	 * Is only called whenever a job was not executed (e.g. due daemon shutdown).
+	 * After execution, jobs destroy themself.
+	 */
+	void (*destroy) (job_t *job);
+};
+
+#endif /** JOB_H_ @}*/
diff --git a/src/libcharon/processing/jobs/mediation_job.c b/src/libcharon/processing/jobs/mediation_job.c
new file mode 100644
index 000000000..b5b8af3b3
--- /dev/null
+++ b/src/libcharon/processing/jobs/mediation_job.c
@@ -0,0 +1,195 @@
+/*
+ * Copyright (C) 2007 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "mediation_job.h"
+
+#include <encoding/payloads/endpoint_notify.h>
+#include <daemon.h>
+
+
+typedef struct private_mediation_job_t private_mediation_job_t;
+
+/**
+ * Private data of an mediation_job_t Object
+ */
+struct private_mediation_job_t {
+	/**
+	 * public mediation_job_t interface
+	 */
+	mediation_job_t public;
+
+	/**
+	 * ID of target peer.
+	 */
+	identification_t *target;
+
+	/**
+	 * ID of the source peer.
+	 */
+	identification_t *source;
+
+	/**
+	 * ME_CONNECTID
+	 */
+	chunk_t connect_id;
+
+	/**
+	 * ME_CONNECTKEY
+	 */
+	chunk_t connect_key;
+
+	/**
+	 * Submitted endpoints
+	 */
+	linked_list_t *endpoints;
+
+	/**
+	 * Is this a callback job?
+	 */
+	bool callback;
+
+	/**
+	 * Is this a response?
+	 */
+	bool response;
+};
+
+/**
+ * Implements job_t.destroy.
+ */
+static void destroy(private_mediation_job_t *this)
+{
+	DESTROY_IF(this->target);
+	DESTROY_IF(this->source);
+	chunk_free(&this->connect_id);
+	chunk_free(&this->connect_key);
+	DESTROY_OFFSET_IF(this->endpoints, offsetof(endpoint_notify_t, destroy));
+	free(this);
+}
+
+/**
+ * Implementation of job_t.execute.
+ */
+static void execute(private_mediation_job_t *this)
+{
+	ike_sa_id_t *target_sa_id;
+
+	target_sa_id = charon->mediation_manager->check(charon->mediation_manager, this->target);
+
+	if (target_sa_id)
+	{
+		ike_sa_t *target_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager,
+											  target_sa_id);
+		if (target_sa)
+		{
+			if (this->callback)
+			{
+				/* send callback to a peer */
+				if (target_sa->callback(target_sa, this->source) != SUCCESS)
+				{
+					DBG1(DBG_JOB, "callback for '%Y' to '%Y' failed",
+							this->source, this->target);
+					charon->ike_sa_manager->checkin(charon->ike_sa_manager, target_sa);
+					destroy(this);
+					return;
+				}
+			}
+			else
+			{
+				/* normal mediation between two peers */
+				if (target_sa->relay(target_sa, this->source, this->connect_id,
+						this->connect_key, this->endpoints, this->response) != SUCCESS)
+				{
+					DBG1(DBG_JOB, "mediation between '%Y' and '%Y' failed",
+							this->source, this->target);
+					charon->ike_sa_manager->checkin(charon->ike_sa_manager, target_sa);
+					/* FIXME: notify the initiator */
+					destroy(this);
+					return;
+				}
+			}
+
+			charon->ike_sa_manager->checkin(charon->ike_sa_manager, target_sa);
+		}
+		else
+		{
+			DBG1(DBG_JOB, "mediation between '%Y' and '%Y' failed: "
+					"SA not found", this->source, this->target);
+		}
+	}
+	else
+	{
+		DBG1(DBG_JOB, "mediation between '%Y' and '%Y' failed: "
+				"peer is not online anymore", this->source, this->target);
+	}
+	destroy(this);
+}
+
+/**
+ * Creates an empty mediation job
+ */
+static private_mediation_job_t *mediation_job_create_empty()
+{
+	private_mediation_job_t *this = malloc_thing(private_mediation_job_t);
+
+	/* interface functions */
+	this->public.job_interface.execute = (void (*) (job_t *)) execute;
+	this->public.job_interface.destroy = (void (*) (job_t *)) destroy;
+
+	/* private variables */
+	this->target = NULL;
+	this->source = NULL;
+	this->callback = FALSE;
+	this->connect_id = chunk_empty;
+	this->connect_key = chunk_empty;
+	this->endpoints = NULL;
+	this->response = FALSE;
+
+	return this;
+}
+
+/*
+ * Described in header
+ */
+mediation_job_t *mediation_job_create(identification_t *peer_id,
+		identification_t *requester, chunk_t connect_id, chunk_t connect_key,
+		linked_list_t *endpoints, bool response)
+{
+	private_mediation_job_t *this = mediation_job_create_empty();
+
+	this->target = peer_id->clone(peer_id);
+	this->source = requester->clone(requester);
+	this->connect_id = chunk_clone(connect_id);
+	this->connect_key = chunk_clone(connect_key);
+	this->endpoints = endpoints->clone_offset(endpoints, offsetof(endpoint_notify_t, clone));
+	this->response = response;
+
+	return &this->public;
+}
+
+/*
+ * Described in header
+ */
+mediation_job_t *mediation_callback_job_create(identification_t *requester,
+		identification_t *peer_id)
+{
+	private_mediation_job_t *this = mediation_job_create_empty();
+
+	this->target = requester->clone(requester);
+	this->source = peer_id->clone(peer_id);
+	this->callback = TRUE;
+
+	return &this->public;
+}
diff --git a/src/libcharon/processing/jobs/mediation_job.h b/src/libcharon/processing/jobs/mediation_job.h
new file mode 100644
index 000000000..0574c65eb
--- /dev/null
+++ b/src/libcharon/processing/jobs/mediation_job.h
@@ -0,0 +1,74 @@
+/*
+ * Copyright (C) 2007 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup mediation_job mediation_job
+ * @{ @ingroup jobs
+ */
+
+#ifndef MEDIATION_JOB_H_
+#define MEDIATION_JOB_H_
+
+typedef struct mediation_job_t mediation_job_t;
+
+#include <library.h>
+#include <processing/jobs/job.h>
+#include <utils/identification.h>
+#include <utils/linked_list.h>
+
+/**
+ * Class representing a MEDIATION Job.
+ *
+ * This job handles the mediation on the mediation server.
+ */
+struct mediation_job_t {
+	/**
+	 * implements job_t interface
+	 */
+	job_t job_interface;
+};
+
+/**
+ * Creates a job of type MEDIATION.
+ *
+ * Parameters get cloned.
+ *
+ * @param peer_id		ID of the requested peer
+ * @param requester		ID of the requesting peer
+ * @param connect_id	content of ME_CONNECTID (could be NULL)
+ * @param connect_key	content of ME_CONNECTKEY
+ * @param endpoints		list of submitted endpoints
+ * @param response		TRUE if this is a response
+ * @return				job object
+ */
+mediation_job_t *mediation_job_create(identification_t *peer_id,
+		identification_t *requester, chunk_t connect_id, chunk_t connect_key,
+		linked_list_t *endpoints, bool response);
+
+
+/**
+ * Creates a special job of type MEDIATION that is used to send a callback
+ * notification to a peer.
+ *
+ * Parameters get cloned.
+ *
+ * @param requester		ID of the waiting peer
+ * @param peer_id		ID of the requested peer
+ * @return				job object
+ */
+mediation_job_t *mediation_callback_job_create(identification_t *requester,
+		identification_t *peer_id);
+
+#endif /** MEDIATION_JOB_H_ @}*/
diff --git a/src/libcharon/processing/jobs/migrate_job.c b/src/libcharon/processing/jobs/migrate_job.c
new file mode 100644
index 000000000..05f47340c
--- /dev/null
+++ b/src/libcharon/processing/jobs/migrate_job.c
@@ -0,0 +1,150 @@
+/*
+ * Copyright (C) 2008 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "migrate_job.h"
+
+#include <daemon.h>
+
+#include <config/child_cfg.h>
+
+
+typedef struct private_migrate_job_t private_migrate_job_t;
+
+/**
+ * Private data of a migrate_job_t object.
+ */
+struct private_migrate_job_t {
+	/**
+	 * Public migrate_job_t interface.
+	 */
+	migrate_job_t public;
+
+	/**
+	 * reqid of the CHILD_SA if it already exists
+	 */
+	u_int32_t reqid;
+
+	/**
+	 * source traffic selector
+	 */
+	traffic_selector_t *src_ts;
+
+	/**
+	 * destination traffic selector
+	 */
+	traffic_selector_t *dst_ts;
+
+	/**
+	 * local host address to be used for IKE
+	 */
+	host_t *local;
+
+	/**
+	 * remote host address to be used for IKE
+	 */
+	host_t *remote;
+};
+
+/**
+ * Implementation of job_t.destroy.
+ */
+static void destroy(private_migrate_job_t *this)
+{
+	DESTROY_IF(this->src_ts);
+	DESTROY_IF(this->dst_ts);
+	DESTROY_IF(this->local);
+	DESTROY_IF(this->remote);
+	free(this);
+}
+
+/**
+ * Implementation of job_t.execute.
+ */
+static void execute(private_migrate_job_t *this)
+{
+	ike_sa_t *ike_sa = NULL;
+
+	if (this->reqid)
+	{
+		ike_sa = charon->ike_sa_manager->checkout_by_id(charon->ike_sa_manager,
+														this->reqid, TRUE);
+	}
+	if (ike_sa)
+	{
+		iterator_t *children;
+		child_sa_t *child_sa;
+		host_t *host;
+
+		children = ike_sa->create_child_sa_iterator(ike_sa);
+		while (children->iterate(children, (void**)&child_sa))
+		{
+			if (child_sa->get_reqid(child_sa) == this->reqid)
+			{
+				break;
+			}
+		}
+		children->destroy(children);
+		DBG2(DBG_JOB, "found CHILD_SA with reqid {%d}", this->reqid);
+
+		ike_sa->set_kmaddress(ike_sa, this->local, this->remote);
+
+		host = this->local->clone(this->local);
+		host->set_port(host, IKEV2_UDP_PORT);
+		ike_sa->set_my_host(ike_sa, host);
+
+		host = this->remote->clone(this->remote);
+		host->set_port(host, IKEV2_UDP_PORT);
+		ike_sa->set_other_host(ike_sa, host);
+
+		if (child_sa->update(child_sa, this->local, this->remote,
+				ike_sa->get_virtual_ip(ike_sa, TRUE),
+				ike_sa->has_condition(ike_sa, COND_NAT_ANY)) == NOT_SUPPORTED)
+		{
+			ike_sa->rekey_child_sa(ike_sa, child_sa->get_protocol(child_sa),
+								   child_sa->get_spi(child_sa, TRUE));
+		}
+		charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+	}
+	else
+	{
+		DBG1(DBG_JOB, "no CHILD_SA found with reqid {%d}", this->reqid);
+	}
+	destroy(this);
+}
+
+/*
+ * Described in header
+ */
+migrate_job_t *migrate_job_create(u_int32_t reqid,
+								  traffic_selector_t *src_ts,
+								  traffic_selector_t *dst_ts,
+								  policy_dir_t dir,
+								  host_t *local, host_t *remote)
+{
+	private_migrate_job_t *this = malloc_thing(private_migrate_job_t);
+
+	/* interface functions */
+	this->public.job_interface.execute = (void (*) (job_t *)) execute;
+	this->public.job_interface.destroy = (void (*)(job_t*)) destroy;
+
+	/* private variables */
+	this->reqid = reqid;
+	this->src_ts = (dir == POLICY_OUT) ? src_ts : dst_ts;
+	this->dst_ts = (dir == POLICY_OUT) ? dst_ts : src_ts;
+	this->local = local;
+	this->remote = remote;
+
+	return &this->public;
+}
diff --git a/src/libcharon/processing/jobs/migrate_job.h b/src/libcharon/processing/jobs/migrate_job.h
new file mode 100644
index 000000000..de313d517
--- /dev/null
+++ b/src/libcharon/processing/jobs/migrate_job.h
@@ -0,0 +1,61 @@
+/*
+ * Copyright (C) 2008 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup migrate_job migrate_job
+ * @{ @ingroup jobs
+ */
+
+#ifndef MIGRATE_JOB_H_
+#define MIGRATE_JOB_H_
+
+typedef struct migrate_job_t migrate_job_t;
+
+#include <library.h>
+#include <utils/host.h>
+#include <selectors/traffic_selector.h>
+#include <kernel/kernel_ipsec.h>
+#include <processing/jobs/job.h>
+
+/**
+ * Class representing a MIGRATE Job.
+ *
+ * This job sets a routed CHILD_SA for an existing IPsec policy.
+ */
+struct migrate_job_t {
+	/**
+	 * The job_t interface.
+	 */
+	job_t job_interface;
+};
+
+/**
+ * Creates a job of type MIGRATE.
+ *
+ * We use the reqid or the traffic selectors to find a matching CHILD_SA.
+ *
+ * @param reqid		reqid of the CHILD_SA to acquire
+ * @param src_ts	source traffic selector to be used in the policy
+ * @param dst_ts	destination traffic selector to be used in the policy
+ * @param dir		direction of the policy (in|out)
+ * @param local		local host address to be used in the IKE_SA
+ * @param remote	remote host address to be used in the IKE_SA
+ * @return			migrate_job_t object
+ */
+migrate_job_t *migrate_job_create(u_int32_t reqid,
+						traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
+						policy_dir_t dir, host_t *local, host_t *remote);
+
+#endif /** MIGRATE_JOB_H_ @}*/
diff --git a/src/libcharon/processing/jobs/process_message_job.c b/src/libcharon/processing/jobs/process_message_job.c
new file mode 100644
index 000000000..a47d48e38
--- /dev/null
+++ b/src/libcharon/processing/jobs/process_message_job.c
@@ -0,0 +1,106 @@
+/*
+ * Copyright (C) 2005-2007 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "process_message_job.h"
+
+#include <daemon.h>
+
+typedef struct private_process_message_job_t private_process_message_job_t;
+
+/**
+ * Private data of an process_message_job_t Object
+ */
+struct private_process_message_job_t {
+	/**
+	 * public process_message_job_t interface
+	 */
+	process_message_job_t public;
+
+	/**
+	 * Message associated with this job
+	 */
+	message_t *message;
+};
+
+/**
+ * Implements job_t.destroy.
+ */
+static void destroy(private_process_message_job_t *this)
+{
+	this->message->destroy(this->message);
+	free(this);
+}
+
+/**
+ * Implementation of job_t.execute.
+ */
+static void execute(private_process_message_job_t *this)
+{
+	ike_sa_t *ike_sa;
+
+#ifdef ME
+	/* if this is an unencrypted INFORMATIONAL exchange it is likely a
+	 * connectivity check. */
+	if (this->message->get_exchange_type(this->message) == INFORMATIONAL &&
+		this->message->get_first_payload_type(this->message) != ENCRYPTED)
+	{
+		/* theoretically this could also be an error message
+		 * see RFC 4306, section 1.5. */
+		DBG1(DBG_NET, "received unencrypted informational: from %#H to %#H",
+			 this->message->get_source(this->message),
+			 this->message->get_destination(this->message));
+		charon->connect_manager->process_check(charon->connect_manager, this->message);
+		destroy(this);
+		return;
+	}
+#endif /* ME */
+
+	ike_sa = charon->ike_sa_manager->checkout_by_message(charon->ike_sa_manager,
+														 this->message);
+	if (ike_sa)
+	{
+		DBG1(DBG_NET, "received packet: from %#H to %#H",
+			 this->message->get_source(this->message),
+			 this->message->get_destination(this->message));
+		if (ike_sa->process_message(ike_sa, this->message) == DESTROY_ME)
+		{
+			charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager,
+														ike_sa);
+		}
+		else
+		{
+			charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+		}
+	}
+	destroy(this);
+}
+
+/*
+ * Described in header
+ */
+process_message_job_t *process_message_job_create(message_t *message)
+{
+	private_process_message_job_t *this = malloc_thing(private_process_message_job_t);
+
+	/* interface functions */
+	this->public.job_interface.execute = (void (*) (job_t *)) execute;
+	this->public.job_interface.destroy = (void(*)(job_t*))destroy;
+
+	/* private variables */
+	this->message = message;
+
+	return &(this->public);
+}
diff --git a/src/libcharon/processing/jobs/process_message_job.h b/src/libcharon/processing/jobs/process_message_job.h
new file mode 100644
index 000000000..5e3f44d1f
--- /dev/null
+++ b/src/libcharon/processing/jobs/process_message_job.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2005-2007 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup process_message_job process_message_job
+ * @{ @ingroup jobs
+ */
+
+#ifndef PROCESS_MESSAGE_JOB_H_
+#define PROCESS_MESSAGE_JOB_H_
+
+typedef struct process_message_job_t process_message_job_t;
+
+#include <library.h>
+#include <encoding/message.h>
+#include <processing/jobs/job.h>
+
+/**
+ * Class representing an PROCESS_MESSAGE job.
+ */
+struct process_message_job_t {
+	/**
+	 * implements job_t interface
+	 */
+	job_t job_interface;
+};
+
+/**
+ * Creates a job of type PROCESS_MESSAGE.
+ *
+ * @param message		message to process
+ * @return				created process_message_job_t object
+ */
+process_message_job_t *process_message_job_create(message_t *message);
+
+#endif /** PROCESS_MESSAGE_JOB_H_ @}*/
diff --git a/src/libcharon/processing/jobs/rekey_child_sa_job.c b/src/libcharon/processing/jobs/rekey_child_sa_job.c
new file mode 100644
index 000000000..b797d181e
--- /dev/null
+++ b/src/libcharon/processing/jobs/rekey_child_sa_job.c
@@ -0,0 +1,97 @@
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "rekey_child_sa_job.h"
+
+#include <daemon.h>
+
+
+typedef struct private_rekey_child_sa_job_t private_rekey_child_sa_job_t;
+
+/**
+ * Private data of an rekey_child_sa_job_t object.
+ */
+struct private_rekey_child_sa_job_t {
+	/**
+	 * Public rekey_child_sa_job_t interface.
+	 */
+	rekey_child_sa_job_t public;
+
+	/**
+	 * reqid of the child to rekey
+	 */
+	u_int32_t reqid;
+
+	/**
+	 * protocol of the CHILD_SA (ESP/AH)
+	 */
+	protocol_id_t protocol;
+
+	/**
+	 * inbound SPI of the CHILD_SA
+	 */
+	u_int32_t spi;
+};
+
+/**
+ * Implementation of job_t.destroy.
+ */
+static void destroy(private_rekey_child_sa_job_t *this)
+{
+	free(this);
+}
+
+/**
+ * Implementation of job_t.execute.
+ */
+static void execute(private_rekey_child_sa_job_t *this)
+{
+	ike_sa_t *ike_sa;
+
+	ike_sa = charon->ike_sa_manager->checkout_by_id(charon->ike_sa_manager,
+													this->reqid, TRUE);
+	if (ike_sa == NULL)
+	{
+		DBG2(DBG_JOB, "CHILD_SA with reqid %d not found for rekeying",
+			 this->reqid);
+	}
+	else
+	{
+		ike_sa->rekey_child_sa(ike_sa, this->protocol, this->spi);
+		charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+	}
+	destroy(this);
+}
+
+/*
+ * Described in header
+ */
+rekey_child_sa_job_t *rekey_child_sa_job_create(u_int32_t reqid,
+												protocol_id_t protocol,
+												u_int32_t spi)
+{
+	private_rekey_child_sa_job_t *this = malloc_thing(private_rekey_child_sa_job_t);
+
+	/* interface functions */
+	this->public.job_interface.execute = (void (*) (job_t *)) execute;
+	this->public.job_interface.destroy = (void (*)(job_t*)) destroy;
+
+	/* private variables */
+	this->reqid = reqid;
+	this->protocol = protocol;
+	this->spi = spi;
+
+	return &this->public;
+}
diff --git a/src/libcharon/processing/jobs/rekey_child_sa_job.h b/src/libcharon/processing/jobs/rekey_child_sa_job.h
new file mode 100644
index 000000000..62887d6b9
--- /dev/null
+++ b/src/libcharon/processing/jobs/rekey_child_sa_job.h
@@ -0,0 +1,57 @@
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup rekey_child_sa_job rekey_child_sa_job
+ * @{ @ingroup jobs
+ */
+
+#ifndef REKEY_CHILD_SA_JOB_H_
+#define REKEY_CHILD_SA_JOB_H_
+
+typedef struct rekey_child_sa_job_t rekey_child_sa_job_t;
+
+#include <library.h>
+#include <sa/ike_sa_id.h>
+#include <processing/jobs/job.h>
+#include <config/proposal.h>
+
+/**
+ * Class representing an REKEY_CHILD_SA Job.
+ *
+ * This job initiates the rekeying of a CHILD SA.
+ */
+struct rekey_child_sa_job_t {
+	/**
+	 * The job_t interface.
+	 */
+	job_t job_interface;
+};
+
+/**
+ * Creates a job of type REKEY_CHILD_SA.
+ *
+ * The CHILD_SA is identified by its protocol (AH/ESP) and its
+ * inbound SPI.
+ *
+ * @param reqid		reqid of the CHILD_SA to rekey
+ * @param protocol	protocol of the CHILD_SA
+ * @param spi		security parameter index of the CHILD_SA
+ * @return			rekey_child_sa_job_t object
+ */
+rekey_child_sa_job_t *rekey_child_sa_job_create(u_int32_t reqid,
+												protocol_id_t protocol,
+												u_int32_t spi);
+#endif /** REKEY_CHILD_SA_JOB_H_ @}*/
diff --git a/src/libcharon/processing/jobs/rekey_ike_sa_job.c b/src/libcharon/processing/jobs/rekey_ike_sa_job.c
new file mode 100644
index 000000000..5ec0b1b88
--- /dev/null
+++ b/src/libcharon/processing/jobs/rekey_ike_sa_job.c
@@ -0,0 +1,104 @@
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "rekey_ike_sa_job.h"
+
+#include <daemon.h>
+
+typedef struct private_rekey_ike_sa_job_t private_rekey_ike_sa_job_t;
+
+/**
+ * Private data of an rekey_ike_sa_job_t object.
+ */
+struct private_rekey_ike_sa_job_t {
+	/**
+	 * Public rekey_ike_sa_job_t interface.
+	 */
+	rekey_ike_sa_job_t public;
+
+	/**
+	 * ID of the IKE_SA to rekey
+	 */
+	ike_sa_id_t *ike_sa_id;
+
+	/**
+	 * force reauthentication of the peer (full IKE_SA setup)
+	 */
+	bool reauth;
+};
+
+/**
+ * Implementation of job_t.destroy.
+ */
+static void destroy(private_rekey_ike_sa_job_t *this)
+{
+	this->ike_sa_id->destroy(this->ike_sa_id);
+	free(this);
+}
+
+/**
+ * Implementation of job_t.execute.
+ */
+static void execute(private_rekey_ike_sa_job_t *this)
+{
+	ike_sa_t *ike_sa;
+	status_t status = SUCCESS;
+
+	ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager,
+											  this->ike_sa_id);
+	if (ike_sa == NULL)
+	{
+		DBG2(DBG_JOB, "IKE_SA to rekey not found");
+	}
+	else
+	{
+		if (this->reauth)
+		{
+			status = ike_sa->reauth(ike_sa);
+		}
+		else
+		{
+			status = ike_sa->rekey(ike_sa);
+		}
+
+		if (status == DESTROY_ME)
+		{
+			charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, ike_sa);
+		}
+		else
+		{
+			charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+		}
+	}
+	destroy(this);
+}
+
+/*
+ * Described in header
+ */
+rekey_ike_sa_job_t *rekey_ike_sa_job_create(ike_sa_id_t *ike_sa_id, bool reauth)
+{
+	private_rekey_ike_sa_job_t *this = malloc_thing(private_rekey_ike_sa_job_t);
+
+	/* interface functions */
+	this->public.job_interface.execute = (void (*) (job_t *)) execute;
+	this->public.job_interface.destroy = (void (*)(job_t*)) destroy;
+
+	/* private variables */
+	this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
+	this->reauth = reauth;
+
+	return &(this->public);
+}
diff --git a/src/libcharon/processing/jobs/rekey_ike_sa_job.h b/src/libcharon/processing/jobs/rekey_ike_sa_job.h
new file mode 100644
index 000000000..a5c1028aa
--- /dev/null
+++ b/src/libcharon/processing/jobs/rekey_ike_sa_job.h
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup rekey_ike_sa_job rekey_ike_sa_job
+ * @{ @ingroup jobs
+ */
+
+#ifndef REKEY_IKE_SA_JOB_H_
+#define REKEY_IKE_SA_JOB_H_
+
+typedef struct rekey_ike_sa_job_t rekey_ike_sa_job_t;
+
+#include <library.h>
+#include <sa/ike_sa_id.h>
+#include <processing/jobs/job.h>
+
+/**
+ * Class representing an REKEY_IKE_SA Job.
+ *
+ * This job initiates the rekeying of an IKE_SA.
+ */
+struct rekey_ike_sa_job_t {
+	/**
+	 * The job_t interface.
+	 */
+	job_t job_interface;
+};
+
+/**
+ * Creates a job of type REKEY_IKE_SA.
+ *
+ * @param ike_sa_id		ID of the IKE_SA to rekey
+ * @param reauth		TRUE to reauthenticate peer, FALSE for rekeying only
+ * @return				rekey_ike_sa_job_t object
+ */
+rekey_ike_sa_job_t *rekey_ike_sa_job_create(ike_sa_id_t *ike_sa_id, bool reauth);
+
+#endif /** REKEY_IKE_SA_JOB_H_ @}*/
diff --git a/src/libcharon/processing/jobs/retransmit_job.c b/src/libcharon/processing/jobs/retransmit_job.c
new file mode 100644
index 000000000..fc787f208
--- /dev/null
+++ b/src/libcharon/processing/jobs/retransmit_job.c
@@ -0,0 +1,93 @@
+/*
+ * Copyright (C) 2005-2007 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "retransmit_job.h"
+
+#include <daemon.h>
+
+typedef struct private_retransmit_job_t private_retransmit_job_t;
+
+/**
+ * Private data of an retransmit_job_t Object.
+ */
+struct private_retransmit_job_t {
+	/**
+	 * Public retransmit_job_t interface.
+	 */
+	retransmit_job_t public;
+
+	/**
+	 * Message ID of the request to resend.
+	 */
+	u_int32_t message_id;
+
+	/**
+	 * ID of the IKE_SA which the message belongs to.
+	 */
+	ike_sa_id_t *ike_sa_id;
+};
+
+/**
+ * Implements job_t.destroy.
+ */
+static void destroy(private_retransmit_job_t *this)
+{
+	this->ike_sa_id->destroy(this->ike_sa_id);
+	free(this);
+}
+
+/**
+ * Implementation of job_t.execute.
+ */
+static void execute(private_retransmit_job_t *this)
+{
+	ike_sa_t *ike_sa;
+
+	ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager,
+											  this->ike_sa_id);
+	if (ike_sa)
+	{
+		if (ike_sa->retransmit(ike_sa, this->message_id) == DESTROY_ME)
+		{
+			/* retransmitted to many times, giving up */
+			charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager,
+														ike_sa);
+		}
+		else
+		{
+			charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+		}
+	}
+	destroy(this);
+}
+
+/*
+ * Described in header.
+ */
+retransmit_job_t *retransmit_job_create(u_int32_t message_id,ike_sa_id_t *ike_sa_id)
+{
+	private_retransmit_job_t *this = malloc_thing(private_retransmit_job_t);
+
+	/* interface functions */
+	this->public.job_interface.execute = (void (*) (job_t *)) execute;
+	this->public.job_interface.destroy = (void (*) (job_t *)) destroy;
+
+	/* private variables */
+	this->message_id = message_id;
+	this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
+
+	return &this->public;
+}
diff --git a/src/libcharon/processing/jobs/retransmit_job.h b/src/libcharon/processing/jobs/retransmit_job.h
new file mode 100644
index 000000000..c8c13479b
--- /dev/null
+++ b/src/libcharon/processing/jobs/retransmit_job.h
@@ -0,0 +1,55 @@
+/*
+ * Copyright (C) 2005-2007 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup retransmit_job retransmit_job
+ * @{ @ingroup jobs
+ */
+
+#ifndef RETRANSMIT_JOB_H_
+#define RETRANSMIT_JOB_H_
+
+typedef struct retransmit_job_t retransmit_job_t;
+
+#include <library.h>
+#include <processing/jobs/job.h>
+#include <sa/ike_sa_id.h>
+
+/**
+ * Class representing an retransmit Job.
+ *
+ * This job is scheduled every time a request is sent over the
+ * wire. If the response to the request is not received at schedule
+ * time, the retransmission will be initiated.
+ */
+struct retransmit_job_t {
+	/**
+	 * The job_t interface.
+	 */
+	job_t job_interface;
+};
+
+/**
+ * Creates a job of type retransmit.
+ *
+ * @param message_id		message_id of the request to resend
+ * @param ike_sa_id			identification of the ike_sa as ike_sa_id_t
+ * @return					retransmit_job_t object
+ */
+retransmit_job_t *retransmit_job_create(u_int32_t message_id,
+										ike_sa_id_t *ike_sa_id);
+
+#endif /** RETRANSMIT_JOB_H_ @}*/
diff --git a/src/libcharon/processing/jobs/roam_job.c b/src/libcharon/processing/jobs/roam_job.c
new file mode 100644
index 000000000..adc884a8a
--- /dev/null
+++ b/src/libcharon/processing/jobs/roam_job.c
@@ -0,0 +1,106 @@
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <stdlib.h>
+
+#include "roam_job.h"
+
+#include <sa/ike_sa.h>
+#include <daemon.h>
+
+
+typedef struct private_roam_job_t private_roam_job_t;
+
+/**
+ * Private data of an roam_job_t Object
+ */
+struct private_roam_job_t {
+	/**
+	 * public roam_job_t interface
+	 */
+	roam_job_t public;
+
+	/**
+	 * has the address list changed, or the routing only?
+	 */
+	bool address;
+};
+
+/**
+ * Implements job_t.destroy.
+ */
+static void destroy(private_roam_job_t *this)
+{
+	free(this);
+}
+
+/**
+ * Implementation of job_t.execute.
+ */
+static void execute(private_roam_job_t *this)
+{
+	ike_sa_t *ike_sa;
+	linked_list_t *list;
+	ike_sa_id_t *id;
+	enumerator_t *enumerator;
+
+	/* enumerator over all IKE_SAs gives us no way to checkin_and_destroy
+	 * after a DESTROY_ME, so we check out each available IKE_SA by hand. */
+	list = linked_list_create();
+	enumerator = charon->ike_sa_manager->create_enumerator(charon->ike_sa_manager);
+	while (enumerator->enumerate(enumerator, &ike_sa))
+	{
+		id = ike_sa->get_id(ike_sa);
+		list->insert_last(list, id->clone(id));
+	}
+	enumerator->destroy(enumerator);
+
+	while (list->remove_last(list, (void**)&id) == SUCCESS)
+	{
+		ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager, id);
+		if (ike_sa)
+		{
+			if (ike_sa->roam(ike_sa, this->address) == DESTROY_ME)
+			{
+				charon->ike_sa_manager->checkin_and_destroy(
+											charon->ike_sa_manager, ike_sa);
+			}
+			else
+			{
+				charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+			}
+		}
+		id->destroy(id);
+	}
+	list->destroy(list);
+
+	destroy(this);
+}
+
+/*
+ * Described in header
+ */
+roam_job_t *roam_job_create(bool address)
+{
+	private_roam_job_t *this = malloc_thing(private_roam_job_t);
+
+	this->public.job_interface.execute = (void (*) (job_t *)) execute;
+	this->public.job_interface.destroy = (void (*) (job_t *)) destroy;
+
+	this->address = address;
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/processing/jobs/roam_job.h b/src/libcharon/processing/jobs/roam_job.h
new file mode 100644
index 000000000..55bdf2b28
--- /dev/null
+++ b/src/libcharon/processing/jobs/roam_job.h
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup roam_job roam_job
+ * @{ @ingroup jobs
+ */
+
+#ifndef ROAM_JOB_H_
+#define ROAM_JOB_H_
+
+typedef struct roam_job_t roam_job_t;
+
+#include <library.h>
+#include <sa/ike_sa_id.h>
+#include <processing/jobs/job.h>
+
+/**
+ * A job to inform IKE_SAs about changed local address setup.
+ *
+ * If a local address appears or disappears, the kernel fires this job to
+ * update all IKE_SAs.
+ */
+struct roam_job_t {
+
+	/**
+	 * implements job_t interface
+	 */
+	job_t job_interface;
+};
+
+/**
+ * Creates a job to inform IKE_SAs about an updated address list.
+ *
+ * @param address		TRUE if address list changed, FALSE if routing changed
+ * @return				initiate_ike_sa_job_t object
+ */
+roam_job_t *roam_job_create(bool address);
+
+#endif /** ROAM_JOB_H_ @}*/
diff --git a/src/libcharon/processing/jobs/send_dpd_job.c b/src/libcharon/processing/jobs/send_dpd_job.c
new file mode 100644
index 000000000..1c2da52b8
--- /dev/null
+++ b/src/libcharon/processing/jobs/send_dpd_job.c
@@ -0,0 +1,88 @@
+/*
+ * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <stdlib.h>
+
+#include "send_dpd_job.h"
+
+#include <sa/ike_sa.h>
+#include <daemon.h>
+
+
+typedef struct private_send_dpd_job_t private_send_dpd_job_t;
+
+/**
+ * Private data of an send_dpd_job_t Object
+ */
+struct private_send_dpd_job_t {
+	/**
+	 * public send_dpd_job_t interface
+	 */
+	send_dpd_job_t public;
+
+	/**
+	 * ID of the IKE_SA which the message belongs to.
+	 */
+	ike_sa_id_t *ike_sa_id;
+};
+
+/**
+ * Implements job_t.destroy.
+ */
+static void destroy(private_send_dpd_job_t *this)
+{
+	this->ike_sa_id->destroy(this->ike_sa_id);
+	free(this);
+}
+
+/**
+ * Implementation of job_t.execute.
+ */
+static void execute(private_send_dpd_job_t *this)
+{
+	ike_sa_t *ike_sa;
+
+	ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager,
+											  this->ike_sa_id);
+	if (ike_sa)
+	{
+		if (ike_sa->send_dpd(ike_sa) == DESTROY_ME)
+		{
+			charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, ike_sa);
+		}
+		else
+		{
+			charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+		}
+	}
+	destroy(this);
+}
+
+/*
+ * Described in header
+ */
+send_dpd_job_t *send_dpd_job_create(ike_sa_id_t *ike_sa_id)
+{
+	private_send_dpd_job_t *this = malloc_thing(private_send_dpd_job_t);
+
+	/* interface functions */
+	this->public.job_interface.execute = (void (*) (job_t *)) execute;
+	this->public.job_interface.destroy = (void (*) (job_t *)) destroy;
+
+	/* private variables */
+	this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
+
+	return &this->public;
+}
diff --git a/src/libcharon/processing/jobs/send_dpd_job.h b/src/libcharon/processing/jobs/send_dpd_job.h
new file mode 100644
index 000000000..8078a38bc
--- /dev/null
+++ b/src/libcharon/processing/jobs/send_dpd_job.h
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup send_dpd_job send_dpd_job
+ * @{ @ingroup jobs
+ */
+
+#ifndef SEND_DPD_JOB_H_
+#define SEND_DPD_JOB_H_
+
+typedef struct send_dpd_job_t send_dpd_job_t;
+
+#include <library.h>
+#include <processing/jobs/job.h>
+#include <sa/ike_sa_id.h>
+
+/**
+ * Class representing a SEND_DPD Job.
+ *
+ * Job to periodically send a Dead Peer Detection (DPD) request,
+ * ie. an IKE request with no payloads other than the encrypted payload
+ * required by the syntax.
+ */
+struct send_dpd_job_t {
+	/**
+	 * implements job_t interface
+	 */
+	job_t job_interface;
+};
+
+/**
+ * Creates a job of type SEND_DPD.
+ *
+ * @param ike_sa_id		identification of the ike_sa as ike_sa_id_t object (gets cloned)
+ * @return				initiate_ike_sa_job_t object
+ */
+send_dpd_job_t *send_dpd_job_create(ike_sa_id_t *ike_sa_id);
+
+#endif /** SEND_DPD_JOB_H_ @}*/
diff --git a/src/libcharon/processing/jobs/send_keepalive_job.c b/src/libcharon/processing/jobs/send_keepalive_job.c
new file mode 100644
index 000000000..3d02cea2e
--- /dev/null
+++ b/src/libcharon/processing/jobs/send_keepalive_job.c
@@ -0,0 +1,82 @@
+/*
+ * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <stdlib.h>
+
+#include "send_keepalive_job.h"
+
+#include <sa/ike_sa.h>
+#include <daemon.h>
+
+
+typedef struct private_send_keepalive_job_t private_send_keepalive_job_t;
+
+/**
+ * Private data of an send_keepalive_job_t Object
+ */
+struct private_send_keepalive_job_t {
+	/**
+	 * public send_keepalive_job_t interface
+	 */
+	send_keepalive_job_t public;
+
+	/**
+	 * ID of the IKE_SA which the message belongs to.
+	 */
+	ike_sa_id_t *ike_sa_id;
+};
+
+/**
+ * Implements job_t.destroy.
+ */
+static void destroy(private_send_keepalive_job_t *this)
+{
+	this->ike_sa_id->destroy(this->ike_sa_id);
+	free(this);
+}
+
+/**
+ * Implementation of job_t.execute.
+ */
+static void execute(private_send_keepalive_job_t *this)
+{
+	ike_sa_t *ike_sa;
+
+	ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager,
+											  this->ike_sa_id);
+	if (ike_sa)
+	{
+		ike_sa->send_keepalive(ike_sa);
+		charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+	}
+	destroy(this);
+}
+
+/*
+ * Described in header
+ */
+send_keepalive_job_t *send_keepalive_job_create(ike_sa_id_t *ike_sa_id)
+{
+	private_send_keepalive_job_t *this = malloc_thing(private_send_keepalive_job_t);
+
+	/* interface functions */
+	this->public.job_interface.execute = (void (*) (job_t *)) execute;
+	this->public.job_interface.destroy = (void (*) (job_t *)) destroy;
+
+	/* private variables */
+	this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
+
+	return &this->public;
+}
diff --git a/src/libcharon/processing/jobs/send_keepalive_job.h b/src/libcharon/processing/jobs/send_keepalive_job.h
new file mode 100644
index 000000000..cda83cd7e
--- /dev/null
+++ b/src/libcharon/processing/jobs/send_keepalive_job.h
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup send_keepalive_job send_keepalive_job
+ * @{ @ingroup jobs
+ */
+
+#ifndef SEND_KEEPALIVE_JOB_H_
+#define SEND_KEEPALIVE_JOB_H_
+
+typedef struct send_keepalive_job_t send_keepalive_job_t;
+
+#include <library.h>
+#include <processing/jobs/job.h>
+#include <sa/ike_sa_id.h>
+
+/**
+ * Class representing a SEND_KEEPALIVE Job.
+ *
+ * This job will send a NAT keepalive packet if the IKE SA is still alive,
+ * and reinsert itself into the event queue.
+ */
+struct send_keepalive_job_t {
+	/**
+	 * implements job_t interface
+	 */
+	job_t job_interface;
+};
+
+/**
+ * Creates a job of type SEND_KEEPALIVE.
+ *
+ * @param ike_sa_id		identification of the ike_sa as ike_sa_id_t object (gets cloned)
+ * @return				initiate_ike_sa_job_t object
+ */
+send_keepalive_job_t *send_keepalive_job_create(ike_sa_id_t *ike_sa_id);
+
+#endif /** SEND_KEEPALIVE_JOB_H_ @}*/
diff --git a/src/libcharon/processing/jobs/update_sa_job.c b/src/libcharon/processing/jobs/update_sa_job.c
new file mode 100644
index 000000000..17dce2548
--- /dev/null
+++ b/src/libcharon/processing/jobs/update_sa_job.c
@@ -0,0 +1,96 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <stdlib.h>
+
+#include "update_sa_job.h"
+
+#include <sa/ike_sa.h>
+#include <daemon.h>
+
+
+typedef struct private_update_sa_job_t private_update_sa_job_t;
+
+/**
+ * Private data of an update_sa_job_t Object
+ */
+struct private_update_sa_job_t {
+	/**
+	 * public update_sa_job_t interface
+	 */
+	update_sa_job_t public;
+
+	/**
+	 * reqid of the CHILD_SA
+	 */
+	u_int32_t reqid;
+
+	/**
+	 * New SA address and port
+	 */
+	host_t *new;
+};
+
+/**
+ * Implements job_t.destroy.
+ */
+static void destroy(private_update_sa_job_t *this)
+{
+	this->new->destroy(this->new);
+	free(this);
+}
+
+/**
+ * Implementation of job_t.execute.
+ */
+static void execute(private_update_sa_job_t *this)
+{
+	ike_sa_t *ike_sa;
+
+	ike_sa = charon->ike_sa_manager->checkout_by_id(charon->ike_sa_manager,
+													this->reqid, TRUE);
+	if (ike_sa == NULL)
+	{
+		DBG1(DBG_JOB, "CHILD_SA with reqid %d not found for update", this->reqid);
+	}
+	else
+	{
+		/* we update only if other host is NATed, but not our */
+		if (ike_sa->has_condition(ike_sa, COND_NAT_THERE) &&
+			!ike_sa->has_condition(ike_sa, COND_NAT_HERE))
+		{
+			ike_sa->update_hosts(ike_sa, NULL, this->new);
+		}
+		charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+	}
+	destroy(this);
+}
+
+/*
+ * Described in header
+ */
+update_sa_job_t *update_sa_job_create(u_int32_t reqid, host_t *new)
+{
+	private_update_sa_job_t *this = malloc_thing(private_update_sa_job_t);
+
+	this->public.job_interface.execute = (void (*) (job_t *)) execute;
+	this->public.job_interface.destroy = (void (*) (job_t *)) destroy;
+
+	this->reqid = reqid;
+	this->new = new;
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/processing/jobs/update_sa_job.h b/src/libcharon/processing/jobs/update_sa_job.h
new file mode 100644
index 000000000..11d1ac9b6
--- /dev/null
+++ b/src/libcharon/processing/jobs/update_sa_job.h
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup update_sa_job update_sa_job
+ * @{ @ingroup jobs
+ */
+
+#ifndef UPDATE_SA_JOB_H_
+#define UPDATE_SA_JOB_H_
+
+typedef struct update_sa_job_t update_sa_job_t;
+
+#include <library.h>
+#include <utils/host.h>
+#include <processing/jobs/job.h>
+
+/**
+ * Update the addresses of an IKE and its CHILD_SAs.
+ */
+struct update_sa_job_t {
+
+	/**
+	 * implements job_t interface
+	 */
+	job_t job_interface;
+};
+
+/**
+ * Creates a job to update IKE and CHILD_SA addresses.
+ *
+ * @param reqid			reqid of the CHILD_SA
+ * @param new			new address and port
+ * @return				update_sa_job_t object
+ */
+update_sa_job_t *update_sa_job_create(u_int32_t reqid, host_t *new);
+
+#endif /** UPDATE_SA_JOB_H_ @}*/
diff --git a/src/libcharon/processing/processor.c b/src/libcharon/processing/processor.c
new file mode 100644
index 000000000..d5774af26
--- /dev/null
+++ b/src/libcharon/processing/processor.c
@@ -0,0 +1,273 @@
+/*
+ * Copyright (C) 2005-2007 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+
+#include "processor.h"
+
+#include <daemon.h>
+#include <threading/thread.h>
+#include <threading/condvar.h>
+#include <threading/mutex.h>
+#include <utils/linked_list.h>
+
+
+typedef struct private_processor_t private_processor_t;
+
+/**
+ * Private data of processor_t class.
+ */
+struct private_processor_t {
+	/**
+	 * Public processor_t interface.
+	 */
+	processor_t public;
+
+	/**
+	 * Number of running threads
+	 */
+	u_int total_threads;
+
+	/**
+	 * Desired number of threads
+	 */
+	u_int desired_threads;
+
+	/**
+	 * Number of threads waiting for work
+	 */
+	u_int idle_threads;
+
+	/**
+	 * All threads managed in the pool (including threads that have been
+	 * cancelled, this allows to join them during destruction)
+	 */
+	linked_list_t *threads;
+
+	/**
+	 * The jobs are stored in a linked list
+	 */
+	linked_list_t *list;
+
+	/**
+	 * access to linked_list is locked through this mutex
+	 */
+	mutex_t *mutex;
+
+	/**
+	 * Condvar to wait for new jobs
+	 */
+	condvar_t *job_added;
+
+	/**
+	 * Condvar to wait for terminated threads
+	 */
+	condvar_t *thread_terminated;
+};
+
+static void process_jobs(private_processor_t *this);
+
+/**
+ * restart a terminated thread
+ */
+static void restart(private_processor_t *this)
+{
+	thread_t *thread;
+
+	DBG2(DBG_JOB, "terminated worker thread, ID: %u", thread_current_id());
+
+	/* respawn thread if required */
+	this->mutex->lock(this->mutex);
+	if (this->desired_threads < this->total_threads ||
+		(thread = thread_create((thread_main_t)process_jobs, this)) == NULL)
+	{
+		this->total_threads--;
+		this->thread_terminated->signal(this->thread_terminated);
+	}
+	else
+	{
+		this->threads->insert_last(this->threads, thread);
+	}
+	this->mutex->unlock(this->mutex);
+}
+
+/**
+ * Process queued jobs, called by the worker threads
+ */
+static void process_jobs(private_processor_t *this)
+{
+	/* worker threads are not cancellable by default */
+	thread_cancelability(FALSE);
+
+	DBG2(DBG_JOB, "started worker thread, ID: %u", thread_current_id());
+
+	this->mutex->lock(this->mutex);
+	while (this->desired_threads >= this->total_threads)
+	{
+		job_t *job;
+
+		if (this->list->get_count(this->list) == 0)
+		{
+			this->idle_threads++;
+			this->job_added->wait(this->job_added, this->mutex);
+			this->idle_threads--;
+			continue;
+		}
+		this->list->remove_first(this->list, (void**)&job);
+		this->mutex->unlock(this->mutex);
+		/* terminated threads are restarted, so we have a constant pool */
+		thread_cleanup_push((thread_cleanup_t)restart, this);
+		job->execute(job);
+		thread_cleanup_pop(FALSE);
+		this->mutex->lock(this->mutex);
+	}
+	this->mutex->unlock(this->mutex);
+	restart(this);
+}
+
+/**
+ * Implementation of processor_t.get_total_threads.
+ */
+static u_int get_total_threads(private_processor_t *this)
+{
+	u_int count;
+	this->mutex->lock(this->mutex);
+	count = this->total_threads;
+	this->mutex->unlock(this->mutex);
+	return count;
+}
+
+/**
+ * Implementation of processor_t.get_idle_threads.
+ */
+static u_int get_idle_threads(private_processor_t *this)
+{
+	u_int count;
+	this->mutex->lock(this->mutex);
+	count = this->idle_threads;
+	this->mutex->unlock(this->mutex);
+	return count;
+}
+
+/**
+ * implements processor_t.get_job_load
+ */
+static u_int get_job_load(private_processor_t *this)
+{
+	u_int load;
+	this->mutex->lock(this->mutex);
+	load = this->list->get_count(this->list);
+	this->mutex->unlock(this->mutex);
+	return load;
+}
+
+/**
+ * implements function processor_t.queue_job
+ */
+static void queue_job(private_processor_t *this, job_t *job)
+{
+	this->mutex->lock(this->mutex);
+	this->list->insert_last(this->list, job);
+	this->job_added->signal(this->job_added);
+	this->mutex->unlock(this->mutex);
+}
+
+/**
+ * Implementation of processor_t.set_threads.
+ */
+static void set_threads(private_processor_t *this, u_int count)
+{
+	this->mutex->lock(this->mutex);
+	if (count > this->total_threads)
+	{	/* increase thread count */
+		int i;
+		thread_t *current;
+
+		this->desired_threads = count;
+		DBG1(DBG_JOB, "spawning %d worker threads", count - this->total_threads);
+		for (i = this->total_threads; i < count; i++)
+		{
+			current = thread_create((thread_main_t)process_jobs, this);
+			if (current)
+			{
+				this->threads->insert_last(this->threads, current);
+				this->total_threads++;
+			}
+		}
+	}
+	else if (count < this->total_threads)
+	{	/* decrease thread count */
+		this->desired_threads = count;
+	}
+	this->job_added->broadcast(this->job_added);
+	this->mutex->unlock(this->mutex);
+}
+
+/**
+ * Implementation of processor_t.destroy.
+ */
+static void destroy(private_processor_t *this)
+{
+	thread_t *current;
+	set_threads(this, 0);
+	this->mutex->lock(this->mutex);
+	while (this->total_threads > 0)
+	{
+		this->job_added->broadcast(this->job_added);
+		this->thread_terminated->wait(this->thread_terminated, this->mutex);
+	}
+	while (this->threads->remove_first(this->threads,
+									   (void**)&current) == SUCCESS)
+	{
+		current->join(current);
+	}
+	this->mutex->unlock(this->mutex);
+	this->thread_terminated->destroy(this->thread_terminated);
+	this->job_added->destroy(this->job_added);
+	this->mutex->destroy(this->mutex);
+	this->list->destroy_offset(this->list, offsetof(job_t, destroy));
+	this->threads->destroy(this->threads);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+processor_t *processor_create(size_t pool_size)
+{
+	private_processor_t *this = malloc_thing(private_processor_t);
+
+	this->public.get_total_threads = (u_int(*)(processor_t*))get_total_threads;
+	this->public.get_idle_threads = (u_int(*)(processor_t*))get_idle_threads;
+	this->public.get_job_load = (u_int(*)(processor_t*))get_job_load;
+	this->public.queue_job = (void(*)(processor_t*, job_t*))queue_job;
+	this->public.set_threads = (void(*)(processor_t*, u_int))set_threads;
+	this->public.destroy = (void(*)(processor_t*))destroy;
+
+	this->list = linked_list_create();
+	this->threads = linked_list_create();
+	this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
+	this->job_added = condvar_create(CONDVAR_TYPE_DEFAULT);
+	this->thread_terminated = condvar_create(CONDVAR_TYPE_DEFAULT);
+	this->total_threads = 0;
+	this->desired_threads = 0;
+	this->idle_threads = 0;
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/processing/processor.h b/src/libcharon/processing/processor.h
new file mode 100644
index 000000000..5bf8cf573
--- /dev/null
+++ b/src/libcharon/processing/processor.h
@@ -0,0 +1,94 @@
+/*
+ * Copyright (C) 2005-2007 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup processor processor
+ * @{ @ingroup processing
+ */
+
+#ifndef PROCESSOR_H_
+#define PROCESSOR_H_
+
+typedef struct processor_t processor_t;
+
+#include <stdlib.h>
+
+#include <library.h>
+#include <processing/jobs/job.h>
+
+/**
+ * The processor uses threads to process queued jobs.
+ */
+struct processor_t {
+
+	/**
+	 * Get the total number of threads used by the processor.
+	 *
+	 * @return				size of thread pool
+	 */
+	u_int (*get_total_threads) (processor_t *this);
+
+	/**
+	 * Get the number of threads currently waiting.
+	 *
+	 * @return				number of idle threads
+	 */
+	u_int (*get_idle_threads) (processor_t *this);
+
+	/**
+	 * Get the number of queued jobs.
+	 *
+	 * @returns 			number of items in queue
+	 */
+	u_int (*get_job_load) (processor_t *this);
+
+	/**
+	 * Adds a job to the queue.
+	 *
+	 * This function is non blocking and adds a job_t to the queue.
+	 *
+	 * @param job 			job to add to the queue
+	 */
+	void (*queue_job) (processor_t *this, job_t *job);
+
+	/**
+	 * Set the number of threads to use in the processor.
+	 *
+	 * If the number of threads is smaller than number of currently running
+	 * threads, thread count is decreased. Use 0 to disable the processor.
+	 * This call blocks if it decreases thread count until threads have
+	 * terminated, so make sure there are not too many blocking jobs.
+	 *
+	 * @param count			number of threads to allocate
+	 */
+	void (*set_threads)(processor_t *this, u_int count);
+
+	/**
+	 * Destroy a processor object.
+	 */
+	void (*destroy) (processor_t *processor);
+};
+
+/**
+ * Create the thread pool without any threads.
+ *
+ * Use the set_threads method to start processing jobs.
+ *
+ * @return					processor_t object
+ */
+processor_t *processor_create();
+
+#endif /** PROCESSOR_H_ @}*/
diff --git a/src/libcharon/processing/scheduler.c b/src/libcharon/processing/scheduler.c
new file mode 100644
index 000000000..345af502a
--- /dev/null
+++ b/src/libcharon/processing/scheduler.c
@@ -0,0 +1,358 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <stdlib.h>
+
+#include "scheduler.h"
+
+#include <daemon.h>
+#include <processing/processor.h>
+#include <processing/jobs/callback_job.h>
+#include <threading/thread.h>
+#include <threading/condvar.h>
+#include <threading/mutex.h>
+
+/* the initial size of the heap */
+#define HEAP_SIZE_DEFAULT 64
+
+typedef struct event_t event_t;
+
+/**
+ * Event containing a job and a schedule time
+ */
+struct event_t {
+	/**
+	 * Time to fire the event.
+	 */
+	timeval_t time;
+
+	/**
+	 * Every event has its assigned job.
+	 */
+	job_t *job;
+};
+
+/**
+ * destroy an event and its job
+ */
+static void event_destroy(event_t *event)
+{
+	event->job->destroy(event->job);
+	free(event);
+}
+
+typedef struct private_scheduler_t private_scheduler_t;
+
+/**
+ * Private data of a scheduler_t object.
+ */
+struct private_scheduler_t {
+
+	/**
+	 * Public part of a scheduler_t object.
+	 */
+	 scheduler_t public;
+
+	/**
+	 * Job which queues scheduled jobs to the processor.
+	 */
+	callback_job_t *job;
+
+	/**
+	 * The heap in which the events are stored.
+	 */
+	event_t **heap;
+
+	/**
+	 * The size of the heap.
+	 */
+	u_int heap_size;
+
+	/**
+	 * The number of scheduled events.
+	 */
+	u_int event_count;
+
+	/**
+	 * Exclusive access to list
+	 */
+	mutex_t *mutex;
+
+	/**
+	 * Condvar to wait for next job.
+	 */
+	condvar_t *condvar;
+};
+
+/**
+ * Comparse two timevals, return >0 if a > b, <0 if a < b and =0 if equal
+ */
+static int timeval_cmp(timeval_t *a, timeval_t *b)
+{
+	if (a->tv_sec > b->tv_sec)
+	{
+		return 1;
+	}
+	if (a->tv_sec < b->tv_sec)
+	{
+		return -1;
+	}
+	if (a->tv_usec > b->tv_usec)
+	{
+		return 1;
+	}
+	if (a->tv_usec < b->tv_usec)
+	{
+		return -1;
+	}
+	return 0;
+}
+
+/**
+ * Returns the top event without removing it. Returns NULL if the heap is empty.
+ */
+static event_t *peek_event(private_scheduler_t *this)
+{
+	return this->event_count > 0 ? this->heap[1] : NULL;
+}
+
+/**
+ * Removes the top event from the heap and returns it. Returns NULL if the heap
+ * is empty.
+ */
+static event_t *remove_event(private_scheduler_t *this)
+{
+	event_t *event, *top;
+	if (!this->event_count)
+	{
+		return NULL;
+	}
+
+	/* store the value to return */
+	event = this->heap[1];
+	/* move the bottom event to the top */
+	top = this->heap[1] = this->heap[this->event_count];
+
+	if (--this->event_count > 1)
+	{
+		/* seep down the top event */
+		u_int position = 1;
+		while ((position << 1) <= this->event_count)
+		{
+			u_int child = position << 1;
+
+			if ((child + 1) <= this->event_count &&
+				timeval_cmp(&this->heap[child + 1]->time,
+							&this->heap[child]->time) < 0)
+			{
+				/* the "right" child is smaller */
+				child++;
+			}
+
+			if (timeval_cmp(&top->time, &this->heap[child]->time) <= 0)
+			{
+				/* the top event fires before the smaller of the two children,
+				 * stop */
+				break;
+			}
+
+			/* swap with the smaller child */
+			this->heap[position] = this->heap[child];
+			position = child;
+		}
+		this->heap[position] = top;
+	}
+	return event;
+}
+
+/**
+ * Get events from the queue and pass it to the processor
+ */
+static job_requeue_t schedule(private_scheduler_t * this)
+{
+	timeval_t now;
+	event_t *event;
+	bool timed = FALSE, oldstate;
+
+	this->mutex->lock(this->mutex);
+
+	time_monotonic(&now);
+
+	if ((event = peek_event(this)) != NULL)
+	{
+		if (timeval_cmp(&now, &event->time) >= 0)
+		{
+			remove_event(this);
+			this->mutex->unlock(this->mutex);
+			DBG2(DBG_JOB, "got event, queuing job for execution");
+			charon->processor->queue_job(charon->processor, event->job);
+			free(event);
+			return JOB_REQUEUE_DIRECT;
+		}
+		timersub(&event->time, &now, &now);
+		if (now.tv_sec)
+		{
+			DBG2(DBG_JOB, "next event in %ds %dms, waiting",
+				 now.tv_sec, now.tv_usec/1000);
+		}
+		else
+		{
+			DBG2(DBG_JOB, "next event in %dms, waiting", now.tv_usec/1000);
+		}
+		timed = TRUE;
+	}
+	thread_cleanup_push((thread_cleanup_t)this->mutex->unlock, this->mutex);
+	oldstate = thread_cancelability(TRUE);
+
+	if (timed)
+	{
+		this->condvar->timed_wait_abs(this->condvar, this->mutex, event->time);
+	}
+	else
+	{
+		DBG2(DBG_JOB, "no events, waiting");
+		this->condvar->wait(this->condvar, this->mutex);
+	}
+	thread_cancelability(oldstate);
+	thread_cleanup_pop(TRUE);
+	return JOB_REQUEUE_DIRECT;
+}
+
+/**
+ * Implements scheduler_t.get_job_load
+ */
+static u_int get_job_load(private_scheduler_t *this)
+{
+	int count;
+	this->mutex->lock(this->mutex);
+	count = this->event_count;
+	this->mutex->unlock(this->mutex);
+	return count;
+}
+
+/**
+ * Implements scheduler_t.schedule_job_tv.
+ */
+static void schedule_job_tv(private_scheduler_t *this, job_t *job, timeval_t tv)
+{
+	event_t *event;
+	u_int position;
+
+	event = malloc_thing(event_t);
+	event->job = job;
+	event->time = tv;
+
+	this->mutex->lock(this->mutex);
+
+	this->event_count++;
+	if (this->event_count > this->heap_size)
+	{
+		/* double the size of the heap */
+		this->heap_size <<= 1;
+		this->heap = (event_t**)realloc(this->heap,
+									(this->heap_size + 1) * sizeof(event_t*));
+	}
+	/* "put" the event to the bottom */
+	position = this->event_count;
+
+	/* then bubble it up */
+	while (position > 1 && timeval_cmp(&this->heap[position >> 1]->time,
+									   &event->time) > 0)
+	{
+		/* parent has to be fired after the new event, move up */
+		this->heap[position] = this->heap[position >> 1];
+		position >>= 1;
+	}
+	this->heap[position] = event;
+
+	this->condvar->signal(this->condvar);
+	this->mutex->unlock(this->mutex);
+}
+
+/**
+ * Implements scheduler_t.schedule_job.
+ */
+static void schedule_job(private_scheduler_t *this, job_t *job, u_int32_t s)
+{
+	timeval_t tv;
+
+	time_monotonic(&tv);
+	tv.tv_sec += s;
+
+	schedule_job_tv(this, job, tv);
+}
+
+/**
+ * Implements scheduler_t.schedule_job_ms.
+ */
+static void schedule_job_ms(private_scheduler_t *this, job_t *job, u_int32_t ms)
+{
+	timeval_t tv, add;
+
+	time_monotonic(&tv);
+	add.tv_sec = ms / 1000;
+	add.tv_usec = (ms % 1000) * 1000;
+
+	timeradd(&tv, &add, &tv);
+
+	schedule_job_tv(this, job, tv);
+}
+
+/**
+ * Implementation of scheduler_t.destroy.
+ */
+static void destroy(private_scheduler_t *this)
+{
+	event_t *event;
+	this->job->cancel(this->job);
+	this->condvar->destroy(this->condvar);
+	this->mutex->destroy(this->mutex);
+	while ((event = remove_event(this)) != NULL)
+	{
+		event_destroy(event);
+	}
+	free(this->heap);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+scheduler_t * scheduler_create()
+{
+	private_scheduler_t *this = malloc_thing(private_scheduler_t);
+
+	this->public.get_job_load = (u_int (*) (scheduler_t *this)) get_job_load;
+	this->public.schedule_job = (void (*) (scheduler_t *this, job_t *job, u_int32_t s)) schedule_job;
+	this->public.schedule_job_ms = (void (*) (scheduler_t *this, job_t *job, u_int32_t ms)) schedule_job_ms;
+	this->public.schedule_job_tv = (void (*) (scheduler_t *this, job_t *job, timeval_t tv)) schedule_job_tv;
+	this->public.destroy = (void(*)(scheduler_t*)) destroy;
+
+	/* Note: the root of the heap is at index 1 */
+	this->event_count = 0;
+	this->heap_size = HEAP_SIZE_DEFAULT;
+	this->heap = (event_t**)calloc(this->heap_size + 1, sizeof(event_t*));
+
+	this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
+	this->condvar = condvar_create(CONDVAR_TYPE_DEFAULT);
+
+	this->job = callback_job_create((callback_job_cb_t)schedule, this, NULL, NULL);
+	charon->processor->queue_job(charon->processor, (job_t*)this->job);
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/processing/scheduler.h b/src/libcharon/processing/scheduler.h
new file mode 100644
index 000000000..5f5d2a563
--- /dev/null
+++ b/src/libcharon/processing/scheduler.h
@@ -0,0 +1,130 @@
+/*
+ * Copyright (C) 2009 Tobias Brunner
+ * Copyright (C) 2005-2007 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup scheduler scheduler
+ * @{ @ingroup processing
+ */
+
+#ifndef SCHEDULER_H_
+#define SCHEDULER_H_
+
+typedef struct scheduler_t scheduler_t;
+
+#include <library.h>
+#include <processing/jobs/job.h>
+
+/**
+ * The scheduler queues timed events which are then passed to the processor.
+ *
+ * The scheduler is implemented as a heap. A heap is a special kind of tree-
+ * based data structure that satisfies the following property: if B is a child
+ * node of A, then key(A) >= (or <=) key(B). So either the element with the
+ * greatest (max-heap) or the smallest (min-heap) key is the root of the heap.
+ * We use a min-heap whith the key being the absolute unix time at which an
+ * event is scheduled. So the root is always the event that will fire next.
+ *
+ * An earlier implementation of the scheduler used a sorted linked list to store
+ * the events. That had the advantage that removing the next event was extremely
+ * fast, also, adding an event scheduled before or after all other events was
+ * equally fast (all in O(1)). The problem was, though, that adding an event
+ * in-between got slower, as the number of events grew larger (O(n)).
+ * For each connection there could be several events: IKE-rekey, NAT-keepalive,
+ * retransmissions, expire (half-open), and others. So a gateway that probably
+ * has to handle thousands of concurrent connnections has to be able to queue a
+ * large number of events as fast as possible. Locking makes this even worse, to
+ * provide thread-safety, no events can be processed, while an event is queued,
+ * so making the insertion fast is even more important.
+ *
+ * That's the advantage of the heap. Adding an element to the heap can be
+ * achieved in O(log n) - on the other hand, removing the root node also
+ * requires O(log n) operations. Consider 10000 queued events. Inserting a new
+ * event in the list implementation required up to 10000 comparisons. In the
+ * heap implementation, the worst case is about 13.3 comparisons. That's a
+ * drastic improvement.
+ *
+ * The implementation itself uses a binary tree mapped to a one-based array to
+ * store the elements. This reduces storage overhead and simplifies navigation:
+ * the children of the node at position n are at position 2n and 2n+1 (likewise
+ * the parent node of the node at position n is at position [n/2]). Thus,
+ * navigating up and down the tree is reduced to simple index computations.
+ *
+ * Adding an element to the heap works as follows: The heap is always filled
+ * from left to right, until a row is full, then the next row is filled. Mapped
+ * to an array this gets as simple as putting the new element to the first free
+ * position. In a one-based array that position equals the number of elements
+ * currently stored in the heap. Then the heap property has to be restored, i.e.
+ * the new element has to be "bubbled up" the tree until the parent node's key
+ * is smaller or the element got the new root of the tree.
+ *
+ * Removing the next event from the heap works similarly. The event itself is
+ * the root node and stored at position 1 of the array. After removing it, the
+ * root has to be replaced and the heap property has to be restored. This is
+ * done by moving the bottom element (last row, rightmost element) to the root
+ * and then "seep it down" by swapping it with child nodes until none of the
+ * children has a smaller key or it is again a leaf node.
+ */
+struct scheduler_t {
+
+	/**
+	 * Adds a event to the queue, using a relative time offset in s.
+	 *
+	 * @param job 			job to schedule
+	 * @param time 			relative time to schedule job, in s
+	 */
+	void (*schedule_job) (scheduler_t *this, job_t *job, u_int32_t s);
+
+	/**
+	 * Adds a event to the queue, using a relative time offset in ms.
+	 *
+	 * @param job 			job to schedule
+	 * @param time 			relative time to schedule job, in ms
+	 */
+	void (*schedule_job_ms) (scheduler_t *this, job_t *job, u_int32_t ms);
+
+	/**
+	 * Adds a event to the queue, using an absolut time.
+	 *
+	 * The passed timeval should be calculated based on the time_monotonic()
+	 * function.
+	 *
+	 * @param job 			job to schedule
+	 * @param time 			absolut time to schedule job
+	 */
+	void (*schedule_job_tv) (scheduler_t *this, job_t *job, timeval_t tv);
+
+	/**
+	 * Returns number of jobs scheduled.
+	 *
+	 * @return 				number of scheduled jobs
+	 */
+	u_int (*get_job_load) (scheduler_t *this);
+
+	/**
+	 * Destroys a scheduler object.
+	 */
+	void (*destroy) (scheduler_t *this);
+};
+
+/**
+ * Create a scheduler.
+ *
+ * @return 		scheduler_t object
+ */
+scheduler_t *scheduler_create(void);
+
+#endif /** SCHEDULER_H_ @}*/
diff --git a/src/libcharon/sa/authenticators/authenticator.c b/src/libcharon/sa/authenticators/authenticator.c
new file mode 100644
index 000000000..13586a23e
--- /dev/null
+++ b/src/libcharon/sa/authenticators/authenticator.c
@@ -0,0 +1,100 @@
+/*
+ * Copyright (C) 2006-2009 Martin Willi
+ * Copyright (C) 2008 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <string.h>
+
+#include "authenticator.h"
+
+#include <sa/authenticators/pubkey_authenticator.h>
+#include <sa/authenticators/psk_authenticator.h>
+#include <sa/authenticators/eap_authenticator.h>
+#include <encoding/payloads/auth_payload.h>
+
+
+ENUM_BEGIN(auth_method_names, AUTH_RSA, AUTH_DSS,
+	"RSA signature",
+	"pre-shared key",
+	"DSS signature");
+ENUM_NEXT(auth_method_names, AUTH_ECDSA_256, AUTH_ECDSA_521, AUTH_DSS,
+	"ECDSA-256 signature",
+	"ECDSA-384 signature",
+	"ECDSA-521 signature");
+ENUM_END(auth_method_names, AUTH_ECDSA_521);
+
+ENUM(auth_class_names, AUTH_CLASS_ANY, AUTH_CLASS_EAP,
+	"any",
+	"public key",
+	"pre-shared key",
+	"EAP",
+);
+
+/**
+ * Described in header.
+ */
+authenticator_t *authenticator_create_builder(ike_sa_t *ike_sa, auth_cfg_t *cfg,
+									chunk_t received_nonce, chunk_t sent_nonce,
+									chunk_t received_init, chunk_t sent_init)
+{
+	switch ((uintptr_t)cfg->get(cfg, AUTH_RULE_AUTH_CLASS))
+	{
+		case AUTH_CLASS_ANY:
+			/* defaults to PUBKEY */
+		case AUTH_CLASS_PUBKEY:
+			return (authenticator_t*)pubkey_authenticator_create_builder(ike_sa,
+											received_nonce, sent_init);
+		case AUTH_CLASS_PSK:
+			return (authenticator_t*)psk_authenticator_create_builder(ike_sa,
+											received_nonce, sent_init);
+		case AUTH_CLASS_EAP:
+			return (authenticator_t*)eap_authenticator_create_builder(ike_sa,
+						received_nonce, sent_nonce, received_init, sent_init);
+		default:
+			return NULL;
+	}
+}
+
+/**
+ * Described in header.
+ */
+authenticator_t *authenticator_create_verifier(
+									ike_sa_t *ike_sa, message_t *message,
+									chunk_t received_nonce, chunk_t sent_nonce,
+									chunk_t received_init, chunk_t sent_init)
+{
+	auth_payload_t *auth_payload;
+
+	auth_payload = (auth_payload_t*)message->get_payload(message, AUTHENTICATION);
+	if (auth_payload == NULL)
+	{
+		return (authenticator_t*)eap_authenticator_create_verifier(ike_sa,
+						received_nonce, sent_nonce, received_init, sent_init);
+	}
+	switch (auth_payload->get_auth_method(auth_payload))
+	{
+		case AUTH_RSA:
+		case AUTH_ECDSA_256:
+		case AUTH_ECDSA_384:
+		case AUTH_ECDSA_521:
+			return (authenticator_t*)pubkey_authenticator_create_verifier(ike_sa,
+													sent_nonce, received_init);
+		case AUTH_PSK:
+			return (authenticator_t*)psk_authenticator_create_verifier(ike_sa,
+													sent_nonce, received_init);
+		default:
+			return NULL;
+	}
+}
+
diff --git a/src/libcharon/sa/authenticators/authenticator.h b/src/libcharon/sa/authenticators/authenticator.h
new file mode 100644
index 000000000..fff91ed34
--- /dev/null
+++ b/src/libcharon/sa/authenticators/authenticator.h
@@ -0,0 +1,178 @@
+/*
+ * Copyright (C) 2005-2009 Martin Willi
+ * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup authenticator authenticator
+ * @{ @ingroup authenticators
+ */
+
+#ifndef AUTHENTICATOR_H_
+#define AUTHENTICATOR_H_
+
+typedef enum auth_method_t auth_method_t;
+typedef enum auth_class_t auth_class_t;
+typedef struct authenticator_t authenticator_t;
+
+#include <library.h>
+#include <config/auth_cfg.h>
+#include <sa/ike_sa.h>
+
+/**
+ * Method to use for authentication, as defined in IKEv2.
+ */
+enum auth_method_t {
+	/**
+	 * Computed as specified in section 2.15 of RFC using
+	 * an RSA private key over a PKCS#1 padded hash.
+	 */
+	AUTH_RSA = 1,
+
+	/**
+	 * Computed as specified in section 2.15 of RFC using the
+	 * shared key associated with the identity in the ID payload
+	 * and the negotiated prf function
+	 */
+	AUTH_PSK = 2,
+
+	/**
+	 * Computed as specified in section 2.15 of RFC using a
+	 * DSS private key over a SHA-1 hash.
+	 */
+	AUTH_DSS = 3,
+
+	/**
+	 * ECDSA with SHA-256 on the P-256 curve as specified in RFC 4754
+	 */
+	AUTH_ECDSA_256 = 9,
+
+	/**
+	 * ECDSA with SHA-384 on the P-384 curve as specified in RFC 4754
+	 */
+	AUTH_ECDSA_384 = 10,
+
+	/**
+	 * ECDSA with SHA-512 on the P-521 curve as specified in RFC 4754
+	 */
+	AUTH_ECDSA_521 = 11,
+};
+
+/**
+ * enum names for auth_method_t.
+ */
+extern enum_name_t *auth_method_names;
+
+/**
+ * Class of authentication to use. This is different to auth_method_t in that
+ * it does not specify a method, but a class of acceptable methods. The found
+ * certificate finally dictates wich method is used.
+ */
+enum auth_class_t {
+	/** any class acceptable */
+	AUTH_CLASS_ANY = 0,
+	/** authentication using public keys (RSA, ECDSA) */
+	AUTH_CLASS_PUBKEY = 1,
+	/** authentication using a pre-shared secrets */
+	AUTH_CLASS_PSK = 2,
+	/** authentication using EAP */
+	AUTH_CLASS_EAP = 3,
+};
+
+/**
+ * enum strings for auth_class_t
+ */
+extern enum_name_t *auth_class_names;
+
+/**
+ * Authenticator interface implemented by the various authenticators.
+ *
+ * An authenticator implementation handles AUTH and EAP payloads. Received
+ * messages are passed to the process() method, to send authentication data
+ * the message is passed to the build() method.
+ */
+struct authenticator_t {
+
+	/**
+	 * Process an incoming message using the authenticator.
+	 *
+	 * @param message		message containing authentication payloads
+	 * @return
+	 *						- SUCCESS if authentication successful
+	 *						- FAILED if authentication failed
+	 *						- NEED_MORE if another exchange required
+	 */
+	status_t (*process)(authenticator_t *this, message_t *message);
+
+	/**
+	 * Attach authentication data to an outgoing message.
+	 *
+	 * @param message		message to add authentication data to
+	 * @return
+	 *						- SUCCESS if authentication successful
+	 *						- FAILED if authentication failed
+	 *						- NEED_MORE if another exchange required
+	 */
+	status_t (*build)(authenticator_t *this, message_t *message);
+
+	/**
+	 * Check if the authenticator is capable of mutual authentication.
+	 *
+	 * Some authenticator authenticate both peers, e.g. EAP. To support
+	 * mutual authentication with only a single authenticator (EAP-only
+	 * authentication), it must be mutual. This method is invoked in ike_auth
+	 * to check if the given authenticator is capable of doing so.
+	 */
+	bool (*is_mutual)(authenticator_t *this);
+
+	/**
+	 * Destroy authenticator instance.
+	 */
+	void (*destroy) (authenticator_t *this);
+};
+
+/**
+ * Create an authenticator to build signatures.
+ *
+ * @param ike_sa			associated ike_sa
+ * @param cfg				authentication configuration
+ * @param received_nonce	nonce received in IKE_SA_INIT
+ * @param sent_nonce		nonce sent in IKE_SA_INIT
+ * @param received_init		received IKE_SA_INIT message data
+ * @param sent_init			sent IKE_SA_INIT message data
+ * @return					authenticator, NULL if not supported
+ */
+authenticator_t *authenticator_create_builder(
+									ike_sa_t *ike_sa, auth_cfg_t *cfg,
+									chunk_t received_nonce, chunk_t sent_nonce,
+									chunk_t received_init, chunk_t sent_init);
+
+/**
+ * Create an authenticator to verify signatures.
+ *
+ * @param ike_sa			associated ike_sa
+ * @param message			message containing authentication data
+ * @param received_nonce	nonce received in IKE_SA_INIT
+ * @param sent_nonce		nonce sent in IKE_SA_INIT
+ * @param received_init		received IKE_SA_INIT message data
+ * @param sent_init			sent IKE_SA_INIT message data
+ * @return					authenticator, NULL if not supported
+ */
+authenticator_t *authenticator_create_verifier(
+									ike_sa_t *ike_sa, message_t *message,
+									chunk_t received_nonce, chunk_t sent_nonce,
+									chunk_t received_init, chunk_t sent_init);
+
+#endif /** AUTHENTICATOR_H_ @}*/
diff --git a/src/libcharon/sa/authenticators/eap/eap_manager.c b/src/libcharon/sa/authenticators/eap/eap_manager.c
new file mode 100644
index 000000000..f795183f0
--- /dev/null
+++ b/src/libcharon/sa/authenticators/eap/eap_manager.c
@@ -0,0 +1,170 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_manager.h"
+
+#include <utils/linked_list.h>
+#include <threading/rwlock.h>
+
+typedef struct private_eap_manager_t private_eap_manager_t;
+typedef struct eap_entry_t eap_entry_t;
+
+/**
+ * EAP constructor entry
+ */
+struct eap_entry_t {
+
+	/**
+	 * EAP method type, vendor specific if vendor is set
+	 */
+	eap_type_t type;
+
+	/**
+	 * vendor ID, 0 for default EAP methods
+	 */
+	u_int32_t vendor;
+
+	/**
+	 * Role of the method returned by the constructor, EAP_SERVER or EAP_PEER
+	 */
+	eap_role_t role;
+
+	/**
+	 * constructor function to create instance
+	 */
+	eap_constructor_t constructor;
+};
+
+/**
+ * private data of eap_manager
+ */
+struct private_eap_manager_t {
+
+	/**
+	 * public functions
+	 */
+	eap_manager_t public;
+
+	/**
+	 * list of eap_entry_t's
+	 */
+	linked_list_t *methods;
+
+	/**
+	 * rwlock to lock methods
+	 */
+	rwlock_t *lock;
+};
+
+/**
+ * Implementation of eap_manager_t.add_method.
+ */
+static void add_method(private_eap_manager_t *this, eap_type_t type,
+					   u_int32_t vendor, eap_role_t role,
+					   eap_constructor_t constructor)
+{
+	eap_entry_t *entry = malloc_thing(eap_entry_t);
+
+	entry->type = type;
+	entry->vendor = vendor;
+	entry->role = role;
+	entry->constructor = constructor;
+
+	this->lock->write_lock(this->lock);
+	this->methods->insert_last(this->methods, entry);
+	this->lock->unlock(this->lock);
+}
+
+/**
+ * Implementation of eap_manager_t.remove_method.
+ */
+static void remove_method(private_eap_manager_t *this, eap_constructor_t constructor)
+{
+	enumerator_t *enumerator;
+	eap_entry_t *entry;
+
+	this->lock->write_lock(this->lock);
+	enumerator = this->methods->create_enumerator(this->methods);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (constructor == entry->constructor)
+		{
+			this->methods->remove_at(this->methods, enumerator);
+			free(entry);
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
+}
+
+/**
+ * Implementation of eap_manager_t.create_instance.
+ */
+static eap_method_t* create_instance(private_eap_manager_t *this,
+									 eap_type_t type, u_int32_t vendor,
+									 eap_role_t role, identification_t *server,
+									 identification_t *peer)
+{
+	enumerator_t *enumerator;
+	eap_entry_t *entry;
+	eap_method_t *method = NULL;
+
+	this->lock->read_lock(this->lock);
+	enumerator = this->methods->create_enumerator(this->methods);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (type == entry->type && vendor == entry->vendor &&
+			role == entry->role)
+		{
+			method = entry->constructor(server, peer);
+			if (method)
+			{
+				break;
+			}
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
+	return method;
+}
+
+/**
+ * Implementation of 2008_t.destroy
+ */
+static void destroy(private_eap_manager_t *this)
+{
+	this->methods->destroy_function(this->methods, free);
+	this->lock->destroy(this->lock);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+eap_manager_t *eap_manager_create()
+{
+	private_eap_manager_t *this = malloc_thing(private_eap_manager_t);
+
+	this->public.add_method = (void(*)(eap_manager_t*, eap_type_t type, u_int32_t vendor, eap_role_t role, eap_constructor_t constructor))add_method;
+	this->public.remove_method = (void(*)(eap_manager_t*, eap_constructor_t constructor))remove_method;
+	this->public.create_instance = (eap_method_t*(*)(eap_manager_t*, eap_type_t type, u_int32_t vendor, eap_role_t role, identification_t*,identification_t*))create_instance;
+	this->public.destroy = (void(*)(eap_manager_t*))destroy;
+
+	this->methods = linked_list_create();
+	this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/sa/authenticators/eap/eap_manager.h b/src/libcharon/sa/authenticators/eap/eap_manager.h
new file mode 100644
index 000000000..0333fb6da
--- /dev/null
+++ b/src/libcharon/sa/authenticators/eap/eap_manager.h
@@ -0,0 +1,82 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_manager eap_manager
+ * @{ @ingroup eap
+ */
+
+#ifndef EAP_MANAGER_H_
+#define EAP_MANAGER_H_
+
+#include <sa/authenticators/eap/eap_method.h>
+
+typedef struct eap_manager_t eap_manager_t;
+
+/**
+ * The EAP manager manages all EAP implementations and creates instances.
+ *
+ * A plugin registers it's implemented EAP method at the manager by
+ * providing type and a contructor function. The manager then instanciates
+ * eap_method_t instances through the provided constructor to handle
+ * EAP authentication.
+ */
+struct eap_manager_t {
+
+	/**
+	 * Register a EAP method implementation.
+	 *
+	 * @param method		vendor specific method, if vendor != 0
+	 * @param vendor		vendor ID, 0 for non-vendor (default) EAP methods
+	 * @param role			EAP role of the registered method
+	 * @param constructor	constructor function, returns an eap_method_t
+	 */
+	void (*add_method)(eap_manager_t *this, eap_type_t type, u_int32_t vendor,
+					   eap_role_t role, eap_constructor_t constructor);
+
+	/**
+	 * Unregister a EAP method implementation using it's constructor.
+	 *
+	 * @param constructor	constructor function to remove, as added in add_method
+	 */
+	void (*remove_method)(eap_manager_t *this, eap_constructor_t constructor);
+
+	/**
+	 * Create a new EAP method instance.
+	 *
+	 * @param type			type of the EAP method
+	 * @param vendor		vendor ID, 0 for non-vendor (default) EAP methods
+	 * @param role			role of EAP method, either EAP_SERVER or EAP_PEER
+	 * @param server		identity of the server
+	 * @param peer			identity of the peer (client)
+	 * @return				EAP method instance, NULL if no constructor found
+	 */
+	eap_method_t* (*create_instance)(eap_manager_t *this, eap_type_t type,
+									 u_int32_t vendor, eap_role_t role,
+									 identification_t *server,
+									 identification_t *peer);
+
+	/**
+	 * Destroy a eap_manager instance.
+	 */
+	void (*destroy)(eap_manager_t *this);
+};
+
+/**
+ * Create a eap_manager instance.
+ */
+eap_manager_t *eap_manager_create();
+
+#endif /** EAP_MANAGER_H_ @}*/
diff --git a/src/libcharon/sa/authenticators/eap/eap_method.c b/src/libcharon/sa/authenticators/eap/eap_method.c
new file mode 100644
index 000000000..91fa5305f
--- /dev/null
+++ b/src/libcharon/sa/authenticators/eap/eap_method.c
@@ -0,0 +1,107 @@
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_method.h"
+
+ENUM_BEGIN(eap_type_names, EAP_IDENTITY, EAP_GTC,
+	"EAP_IDENTITY",
+	"EAP_NOTIFICATION",
+	"EAP_NAK",
+	"EAP_MD5",
+	"EAP_OTP",
+	"EAP_GTC");
+ENUM_NEXT(eap_type_names, EAP_SIM, EAP_SIM, EAP_GTC,
+	"EAP_SIM");
+ENUM_NEXT(eap_type_names, EAP_AKA, EAP_AKA, EAP_SIM,
+	"EAP_AKA");
+ENUM_NEXT(eap_type_names, EAP_MSCHAPV2, EAP_MSCHAPV2, EAP_AKA,
+	"EAP_MSCHAPV2");
+ENUM_NEXT(eap_type_names, EAP_RADIUS, EAP_EXPERIMENTAL, EAP_MSCHAPV2,
+	"EAP_RADIUS",
+	"EAP_EXPANDED",
+	"EAP_EXPERIMENTAL");
+ENUM_END(eap_type_names, EAP_EXPERIMENTAL);
+
+ENUM_BEGIN(eap_type_short_names, EAP_IDENTITY, EAP_GTC,
+	"ID",
+	"NTF",
+	"NAK",
+	"MD5",
+	"OTP",
+	"GTC");
+ENUM_NEXT(eap_type_short_names, EAP_SIM, EAP_SIM, EAP_GTC,
+	"SIM");
+ENUM_NEXT(eap_type_short_names, EAP_AKA, EAP_AKA, EAP_SIM,
+	"AKA");
+ENUM_NEXT(eap_type_short_names, EAP_MSCHAPV2, EAP_MSCHAPV2, EAP_AKA,
+	"MSCHAPV2");
+ENUM_NEXT(eap_type_short_names, EAP_RADIUS, EAP_EXPERIMENTAL, EAP_MSCHAPV2,
+	"RAD",
+	"EXP",
+	"XP");
+ENUM_END(eap_type_short_names, EAP_EXPERIMENTAL);
+
+/*
+ * See header
+ */
+eap_type_t eap_type_from_string(char *name)
+{
+	int i;
+	static struct {
+		char *name;
+		eap_type_t type;
+	} types[] = {
+		{"identity",	EAP_IDENTITY},
+		{"md5",			EAP_MD5},
+		{"otp",			EAP_OTP},
+		{"gtc",			EAP_GTC},
+		{"sim",			EAP_SIM},
+		{"aka",			EAP_AKA},
+		{"mschapv2",	EAP_MSCHAPV2},
+		{"radius",		EAP_RADIUS},
+	};
+
+	for (i = 0; i < countof(types); i++)
+	{
+		if (strcaseeq(name, types[i].name))
+		{
+			return types[i].type;
+		}
+	}
+	return 0;
+}
+
+ENUM(eap_code_names, EAP_REQUEST, EAP_FAILURE,
+	"EAP_REQUEST",
+	"EAP_RESPONSE",
+	"EAP_SUCCESS",
+	"EAP_FAILURE",
+);
+
+ENUM(eap_code_short_names, EAP_REQUEST, EAP_FAILURE,
+	"REQ",
+	"RES",
+	"SUCC",
+	"FAIL",
+);
+
+ENUM(eap_role_names, EAP_SERVER, EAP_PEER,
+	"EAP_SERVER",
+	"EAP_PEER",
+);
+
+
+
+
diff --git a/src/libcharon/sa/authenticators/eap/eap_method.h b/src/libcharon/sa/authenticators/eap/eap_method.h
new file mode 100644
index 000000000..4cab84535
--- /dev/null
+++ b/src/libcharon/sa/authenticators/eap/eap_method.h
@@ -0,0 +1,205 @@
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_method eap_method
+ * @{ @ingroup eap
+ */
+
+#ifndef EAP_METHOD_H_
+#define EAP_METHOD_H_
+
+typedef struct eap_method_t eap_method_t;
+typedef enum eap_role_t eap_role_t;
+typedef enum eap_type_t eap_type_t;
+typedef enum eap_code_t eap_code_t;
+
+#include <library.h>
+#include <utils/identification.h>
+#include <encoding/payloads/eap_payload.h>
+
+/**
+ * Role of an eap_method, SERVER or PEER (client)
+ */
+enum eap_role_t {
+	EAP_SERVER,
+	EAP_PEER,
+};
+/**
+ * enum names for eap_role_t.
+ */
+extern enum_name_t *eap_role_names;
+
+/**
+ * EAP types, defines the EAP method implementation
+ */
+enum eap_type_t {
+	EAP_IDENTITY = 1,
+	EAP_NOTIFICATION = 2,
+	EAP_NAK = 3,
+	EAP_MD5 = 4,
+	EAP_OTP = 5,
+	EAP_GTC = 6,
+	EAP_SIM = 18,
+	EAP_AKA = 23,
+	EAP_MSCHAPV2 = 26,
+	/** not a method, but an implementation providing different methods */
+	EAP_RADIUS = 253,
+	EAP_EXPANDED = 254,
+	EAP_EXPERIMENTAL = 255,
+};
+
+/**
+ * enum names for eap_type_t.
+ */
+extern enum_name_t *eap_type_names;
+
+/**
+ * short string enum names for eap_type_t.
+ */
+extern enum_name_t *eap_type_short_names;
+
+/**
+ * Lookup the EAP method type from a string.
+ *
+ * @param name		EAP method name (such as "md5", "aka")
+ * @return			method type, 0 if unkown
+ */
+eap_type_t eap_type_from_string(char *name);
+
+/**
+ * EAP code, type of an EAP message
+ */
+enum eap_code_t {
+	EAP_REQUEST = 1,
+	EAP_RESPONSE = 2,
+	EAP_SUCCESS = 3,
+	EAP_FAILURE = 4,
+};
+
+/**
+ * enum names for eap_code_t.
+ */
+extern enum_name_t *eap_code_names;
+
+/**
+ * short string enum names for eap_code_t.
+ */
+extern enum_name_t *eap_code_short_names;
+
+/**
+ * Interface of an EAP method for server and client side.
+ *
+ * An EAP method initiates an EAP exchange and processes requests and
+ * responses. An EAP method may need multiple exchanges before succeeding, and
+ * the eap_authentication may use multiple EAP methods to authenticate a peer.
+ * To accomplish these requirements, all EAP methods have their own
+ * implementation while the eap_authenticatior uses one or more of these
+ * EAP methods. Sending of EAP(SUCCESS/FAILURE) message is not the job
+ * of the method, the eap_authenticator does this.
+ * An EAP method may establish a MSK, this is used the complete the
+ * authentication. Even if a mutual EAP method is used, the traditional
+ * AUTH payloads are required. Only these include the nonces and messages from
+ * ike_sa_init and therefore prevent man in the middle attacks.
+ * The EAP method must use an initial EAP identifier value != 0, as a preceding
+ * EAP-Identity exchange always uses identifier 0.
+ */
+struct eap_method_t {
+
+	/**
+	 * Initiate the EAP exchange.
+	 *
+	 * initiate() is only useable for server implementations, as clients only
+	 * reply to server requests.
+	 * A eap_payload is created in "out" if result is NEED_MORE.
+	 *
+	 * @param out		eap_payload to send to the client
+	 * @return
+	 * 					- NEED_MORE, if an other exchange is required
+	 * 					- FAILED, if unable to create eap request payload
+	 */
+	status_t (*initiate) (eap_method_t *this, eap_payload_t **out);
+
+	/**
+	 * Process a received EAP message.
+	 *
+	 * A eap_payload is created in "out" if result is NEED_MORE.
+	 *
+	 * @param in		eap_payload response received
+	 * @param out		created eap_payload to send
+	 * @return
+	 * 					- NEED_MORE, if an other exchange is required
+	 * 					- FAILED, if EAP method failed
+	 * 					- SUCCESS, if EAP method succeeded
+	 */
+	status_t (*process) (eap_method_t *this, eap_payload_t *in,
+						 eap_payload_t **out);
+
+	/**
+	 * Get the EAP type implemented in this method.
+	 *
+	 * @param vendor	pointer receiving vendor identifier for type, 0 for none
+	 * @return			type of the EAP method
+	 */
+	eap_type_t (*get_type) (eap_method_t *this, u_int32_t *vendor);
+
+	/**
+	 * Check if this EAP method authenticates the server.
+	 *
+	 * Some EAP methods provide mutual authentication and
+	 * allow authentication using only EAP, if the peer supports it.
+	 *
+	 * @return			TRUE if methods provides mutual authentication
+	 */
+	bool (*is_mutual) (eap_method_t *this);
+
+	/**
+	 * Get the MSK established by this EAP method.
+	 *
+	 * Not all EAP methods establish a shared secret. For implementations of
+	 * the EAP-Identity method, get_msk() returns the received identity.
+	 *
+	 * @param msk		chunk receiving internal stored MSK
+	 * @return
+	 *					- SUCCESS, or
+	 * 					- FAILED, if MSK not established (yet)
+	 */
+	status_t (*get_msk) (eap_method_t *this, chunk_t *msk);
+
+	/**
+	 * Destroys a eap_method_t object.
+	 */
+	void (*destroy) (eap_method_t *this);
+};
+
+/**
+ * Constructor definition for a pluggable EAP method.
+ *
+ * Each EAP module must define a constructor function which will return
+ * an initialized object with the methods defined in eap_method_t.
+ * Constructors for server and peers are identical, to support both roles
+ * of a EAP method, a plugin needs register two constructors in the
+ * eap_manager_t.
+ * The passed identites are of type ID_EAP and valid only during the
+ * constructor invocation.
+ *
+ * @param server		ID of the server to use for credential lookup
+ * @param peer			ID of the peer to use for credential lookup
+ * @return				implementation of the eap_method_t interface
+ */
+typedef eap_method_t *(*eap_constructor_t)(identification_t *server,
+										   identification_t *peer);
+
+#endif /** EAP_METHOD_H_ @}*/
diff --git a/src/libcharon/sa/authenticators/eap/sim_manager.c b/src/libcharon/sa/authenticators/eap/sim_manager.c
new file mode 100644
index 000000000..157865083
--- /dev/null
+++ b/src/libcharon/sa/authenticators/eap/sim_manager.c
@@ -0,0 +1,534 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "sim_manager.h"
+
+#include <daemon.h>
+#include <utils/linked_list.h>
+
+typedef struct private_sim_manager_t private_sim_manager_t;
+
+/**
+ * Private data of an sim_manager_t object.
+ */
+struct private_sim_manager_t {
+
+	/**
+	 * Public sim_manager_t interface.
+	 */
+	sim_manager_t public;
+
+	/**
+	 * list of added cards
+	 */
+	linked_list_t *cards;
+
+	/**
+	 * list of added provider
+	 */
+	linked_list_t *providers;
+
+	/**
+	 * list of added hooks
+	 */
+	linked_list_t *hooks;
+};
+
+/**
+ * Implementation of sim_manager_t.add_card
+ */
+static void add_card(private_sim_manager_t *this, sim_card_t *card)
+{
+	this->cards->insert_last(this->cards, card);
+}
+
+/**
+ * Implementation of sim_manager_t.remove_card
+ */
+static void remove_card(private_sim_manager_t *this, sim_card_t *card)
+{
+	this->cards->remove(this->cards, card, NULL);
+}
+
+/**
+ * Implementation of sim_manager_t.card_get_triplet
+ */
+static bool card_get_triplet(private_sim_manager_t *this, identification_t *id,
+							 char rand[SIM_RAND_LEN], char sres[SIM_SRES_LEN],
+							 char kc[SIM_KC_LEN])
+{
+	enumerator_t *enumerator;
+	sim_card_t *card;
+	int tried = 0;
+
+	enumerator = this->cards->create_enumerator(this->cards);
+	while (enumerator->enumerate(enumerator, &card))
+	{
+		if (card->get_triplet(card, id, rand, sres, kc))
+		{
+			enumerator->destroy(enumerator);
+			return TRUE;
+		}
+		tried++;
+	}
+	enumerator->destroy(enumerator);
+	DBG1(DBG_IKE, "tried %d SIM cards, but none has triplets for '%Y'",
+		 tried, id);
+	return FALSE;
+}
+
+/**
+ * Implementation of sim_manager_t.card_get_quintuplet
+ */
+static status_t card_get_quintuplet(private_sim_manager_t *this,
+								identification_t *id, char rand[AKA_RAND_LEN],
+								char autn[AKA_AUTN_LEN], char ck[AKA_CK_LEN],
+								char ik[AKA_IK_LEN], char res[AKA_RES_MAX],
+								int *res_len)
+{
+	enumerator_t *enumerator;
+	sim_card_t *card;
+	status_t status = NOT_FOUND;
+	int tried = 0;
+
+	enumerator = this->cards->create_enumerator(this->cards);
+	while (enumerator->enumerate(enumerator, &card))
+	{
+		status = card->get_quintuplet(card, id, rand, autn, ck, ik, res, res_len);
+		switch (status)
+		{	/* try next on error, but not on INVALID_STATE */
+			case SUCCESS:
+			case INVALID_STATE:
+				enumerator->destroy(enumerator);
+				return status;
+			case NOT_SUPPORTED:
+			case FAILED:
+			default:
+				tried++;
+				continue;
+		}
+	}
+	enumerator->destroy(enumerator);
+	DBG1(DBG_IKE, "tried %d SIM cards, but none has quintuplets for '%Y'",
+		 tried, id);
+	return status;
+}
+
+/**
+ * Implementation of sim_manager_t.card_resync
+ */
+static bool card_resync(private_sim_manager_t *this, identification_t *id,
+						char rand[AKA_RAND_LEN], char auts[AKA_AUTS_LEN])
+{
+	enumerator_t *enumerator;
+	sim_card_t *card;
+
+	enumerator = this->cards->create_enumerator(this->cards);
+	while (enumerator->enumerate(enumerator, &card))
+	{
+		if (card->resync(card, id, rand, auts))
+		{
+			enumerator->destroy(enumerator);
+			return TRUE;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return FALSE;
+}
+
+/**
+ * Implementation of sim_manager_t.card_set_pseudonym
+ */
+static void card_set_pseudonym(private_sim_manager_t *this,
+							identification_t *id, identification_t *pseudonym)
+{
+	enumerator_t *enumerator;
+	sim_card_t *card;
+
+	DBG1(DBG_IKE, "storing pseudonym '%Y' for '%Y'", pseudonym, id);
+
+	enumerator = this->cards->create_enumerator(this->cards);
+	while (enumerator->enumerate(enumerator, &card))
+	{
+		card->set_pseudonym(card, id, pseudonym);
+	}
+	enumerator->destroy(enumerator);
+}
+
+/**
+ * Implementation of sim_manager_t.card_get_pseudonym
+ */
+static identification_t* card_get_pseudonym(private_sim_manager_t *this,
+											identification_t *id)
+{
+	enumerator_t *enumerator;
+	sim_card_t *card;
+	identification_t *pseudonym = NULL;
+
+	enumerator = this->cards->create_enumerator(this->cards);
+	while (enumerator->enumerate(enumerator, &card))
+	{
+		pseudonym = card->get_pseudonym(card, id);
+		if (pseudonym)
+		{
+			DBG1(DBG_IKE, "using stored pseudonym identity '%Y' "
+				 "instead of '%Y'", pseudonym, id);
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return pseudonym;
+}
+
+/**
+ * Implementation of sim_manager_t.card_set_reauth
+ */
+static void card_set_reauth(private_sim_manager_t *this, identification_t *id,
+							identification_t *next, char mk[HASH_SIZE_SHA1],
+							u_int16_t counter)
+{
+	enumerator_t *enumerator;
+	sim_card_t *card;
+
+	DBG1(DBG_IKE, "storing next reauthentication identity '%Y' for '%Y'",
+		 next, id);
+
+	enumerator = this->cards->create_enumerator(this->cards);
+	while (enumerator->enumerate(enumerator, &card))
+	{
+		card->set_reauth(card, id, next, mk, counter);
+	}
+	enumerator->destroy(enumerator);
+}
+
+/**
+ * Implementation of sim_manager_t.card_get_reauth
+ */
+static identification_t* card_get_reauth(private_sim_manager_t *this,
+								identification_t *id, char mk[HASH_SIZE_SHA1],
+								u_int16_t *counter)
+{
+	enumerator_t *enumerator;
+	sim_card_t *card;
+	identification_t *reauth = NULL;
+
+	enumerator = this->cards->create_enumerator(this->cards);
+	while (enumerator->enumerate(enumerator, &card))
+	{
+		reauth = card->get_reauth(card, id, mk, counter);
+		if (reauth)
+		{
+			DBG1(DBG_IKE, "using stored reauthentication identity '%Y' "
+				 "instead of '%Y'", reauth, id);
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return reauth;
+}
+
+/**
+ * Implementation of sim_manager_t.add_provider
+ */
+static void add_provider(private_sim_manager_t *this, sim_provider_t *provider)
+{
+	this->providers->insert_last(this->providers, provider);
+}
+
+/**
+ * Implementation of sim_manager_t.remove_provider
+ */
+static void remove_provider(private_sim_manager_t *this,
+							sim_provider_t *provider)
+{
+	this->providers->remove(this->providers, provider, NULL);
+}
+
+/**
+ * Implementation of sim_manager_t.provider_get_triplet
+ */
+static bool provider_get_triplet(private_sim_manager_t *this,
+								 identification_t *id, char rand[SIM_RAND_LEN],
+								 char sres[SIM_SRES_LEN], char kc[SIM_KC_LEN])
+{
+	enumerator_t *enumerator;
+	sim_provider_t *provider;
+	int tried = 0;
+
+	enumerator = this->providers->create_enumerator(this->providers);
+	while (enumerator->enumerate(enumerator, &provider))
+	{
+		if (provider->get_triplet(provider, id, rand, sres, kc))
+		{
+			enumerator->destroy(enumerator);
+			return TRUE;
+		}
+		tried++;
+	}
+	enumerator->destroy(enumerator);
+	DBG1(DBG_IKE, "tried %d SIM providers, but none had a triplet for '%Y'",
+		 tried, id);
+	return FALSE;
+}
+
+/**
+ * Implementation of sim_manager_t.provider_get_quintuplet
+ */
+static bool provider_get_quintuplet(private_sim_manager_t *this,
+								identification_t *id, char rand[AKA_RAND_LEN],
+								char xres[AKA_RES_MAX], int *xres_len,
+								char ck[AKA_CK_LEN], char ik[AKA_IK_LEN],
+								char autn[AKA_AUTN_LEN])
+{
+	enumerator_t *enumerator;
+	sim_provider_t *provider;
+	int tried = 0;
+
+	enumerator = this->providers->create_enumerator(this->providers);
+	while (enumerator->enumerate(enumerator, &provider))
+	{
+		if (provider->get_quintuplet(provider, id, rand, xres, xres_len,
+									 ck, ik, autn))
+		{
+			enumerator->destroy(enumerator);
+			return TRUE;
+		}
+	}
+	enumerator->destroy(enumerator);
+	DBG1(DBG_IKE, "tried %d SIM providers, but none had a quintuplet for '%Y'",
+		 tried, id);
+	return FALSE;
+}
+
+/**
+ * Implementation of sim_manager_t.provider_resync
+ */
+static bool provider_resync(private_sim_manager_t *this, identification_t *id,
+							char rand[AKA_RAND_LEN], char auts[AKA_AUTS_LEN])
+{
+	enumerator_t *enumerator;
+	sim_provider_t *provider;
+
+	enumerator = this->providers->create_enumerator(this->providers);
+	while (enumerator->enumerate(enumerator, &provider))
+	{
+		if (provider->resync(provider, id, rand, auts))
+		{
+			enumerator->destroy(enumerator);
+			return TRUE;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return FALSE;
+}
+
+/**
+ * Implementation of sim_manager_t.provider_is_pseudonym
+ */
+static identification_t* provider_is_pseudonym(private_sim_manager_t *this,
+											   identification_t *id)
+{
+	enumerator_t *enumerator;
+	sim_provider_t *provider;
+	identification_t *permanent = NULL;
+
+	enumerator = this->providers->create_enumerator(this->providers);
+	while (enumerator->enumerate(enumerator, &provider))
+	{
+		permanent = provider->is_pseudonym(provider, id);
+		if (permanent)
+		{
+			DBG1(DBG_IKE, "received pseudonym identity '%Y' "
+				 "mapping to '%Y'", id, permanent);
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return permanent;
+}
+
+/**
+ * Implementation of sim_manager_t.provider_gen_pseudonym
+ */
+static identification_t* provider_gen_pseudonym(private_sim_manager_t *this,
+												identification_t *id)
+{
+	enumerator_t *enumerator;
+	sim_provider_t *provider;
+	identification_t *pseudonym = NULL;
+
+	enumerator = this->providers->create_enumerator(this->providers);
+	while (enumerator->enumerate(enumerator, &provider))
+	{
+		pseudonym = provider->gen_pseudonym(provider, id);
+		if (pseudonym)
+		{
+			DBG1(DBG_IKE, "proposing new pseudonym '%Y'", pseudonym);
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return pseudonym;
+}
+
+/**
+ * Implementation of sim_manager_t.provider_is_reauth
+ */
+static identification_t* provider_is_reauth(private_sim_manager_t *this,
+								identification_t *id, char mk[HASH_SIZE_SHA1],
+								u_int16_t *counter)
+{
+	enumerator_t *enumerator;
+	sim_provider_t *provider;
+	identification_t *permanent = NULL;
+
+	enumerator = this->providers->create_enumerator(this->providers);
+	while (enumerator->enumerate(enumerator, &provider))
+	{
+		permanent = provider->is_reauth(provider, id, mk, counter);
+		if (permanent)
+		{
+			DBG1(DBG_IKE, "received reauthentication identity '%Y' "
+				 "mapping to '%Y'", id, permanent);
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return permanent;
+}
+
+/**
+ * Implementation of sim_manager_t.provider_gen_reauth
+ */
+static identification_t* provider_gen_reauth(private_sim_manager_t *this,
+								identification_t *id, char mk[HASH_SIZE_SHA1])
+{
+	enumerator_t *enumerator;
+	sim_provider_t *provider;
+	identification_t *reauth = NULL;
+
+	enumerator = this->providers->create_enumerator(this->providers);
+	while (enumerator->enumerate(enumerator, &provider))
+	{
+		reauth = provider->gen_reauth(provider, id, mk);
+		if (reauth)
+		{
+			DBG1(DBG_IKE, "proposing new reauthentication identity '%Y'", reauth);
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return reauth;
+}
+
+/**
+ * Implementation of sim_manager_t.add_hooks
+ */
+static void add_hooks(private_sim_manager_t *this, sim_hooks_t *hooks)
+{
+	this->hooks->insert_last(this->hooks, hooks);
+}
+
+/**
+ * Implementation of sim_manager_t.remove_hooks
+ */
+static void remove_hooks(private_sim_manager_t *this, sim_hooks_t *hooks)
+{
+	this->hooks->remove(this->hooks, hooks, NULL);
+}
+
+/**
+ * Implementation of sim_manager_t.message_hook
+ */
+static void message_hook(private_sim_manager_t *this,
+						 simaka_message_t *message, bool inbound, bool decrypted)
+{
+	enumerator_t *enumerator;
+	sim_hooks_t *hooks;
+
+	enumerator = this->hooks->create_enumerator(this->hooks);
+	while (enumerator->enumerate(enumerator, &hooks))
+	{
+		hooks->message(hooks, message, inbound, decrypted);
+	}
+	enumerator->destroy(enumerator);
+}
+
+/**
+ * Implementation of sim_manager_t.key_hook
+ */
+static void key_hook(private_sim_manager_t *this,
+					 chunk_t k_encr, chunk_t k_auth)
+{
+	enumerator_t *enumerator;
+	sim_hooks_t *hooks;
+
+	enumerator = this->hooks->create_enumerator(this->hooks);
+	while (enumerator->enumerate(enumerator, &hooks))
+	{
+		hooks->keys(hooks, k_encr, k_auth);
+	}
+	enumerator->destroy(enumerator);
+}
+
+/**
+ * Implementation of sim_manager_t.destroy.
+ */
+static void destroy(private_sim_manager_t *this)
+{
+	this->cards->destroy(this->cards);
+	this->providers->destroy(this->providers);
+	this->hooks->destroy(this->hooks);
+	free(this);
+}
+
+/**
+ * See header
+ */
+sim_manager_t *sim_manager_create()
+{
+	private_sim_manager_t *this = malloc_thing(private_sim_manager_t);
+
+	this->public.add_card = (void(*)(sim_manager_t*, sim_card_t *card))add_card;
+	this->public.remove_card = (void(*)(sim_manager_t*, sim_card_t *card))remove_card;
+	this->public.card_get_triplet = (bool(*)(sim_manager_t*, identification_t *id, char rand[SIM_RAND_LEN], char sres[SIM_SRES_LEN], char kc[SIM_KC_LEN]))card_get_triplet;
+	this->public.card_get_quintuplet = (status_t(*)(sim_manager_t*, identification_t *id, char rand[AKA_RAND_LEN], char autn[AKA_AUTN_LEN], char ck[AKA_CK_LEN], char ik[AKA_IK_LEN], char res[AKA_RES_MAX], int *res_len))card_get_quintuplet;
+	this->public.card_resync = (bool(*)(sim_manager_t*, identification_t *id, char rand[AKA_RAND_LEN], char auts[AKA_AUTS_LEN]))card_resync;
+	this->public.card_set_pseudonym = (void(*)(sim_manager_t*, identification_t *id, identification_t *pseudonym))card_set_pseudonym;
+	this->public.card_get_pseudonym = (identification_t*(*)(sim_manager_t*, identification_t *id))card_get_pseudonym;
+	this->public.card_set_reauth = (void(*)(sim_manager_t*, identification_t *id, identification_t *next, char mk[HASH_SIZE_SHA1], u_int16_t counter))card_set_reauth;
+	this->public.card_get_reauth = (identification_t*(*)(sim_manager_t*, identification_t *id, char mk[HASH_SIZE_SHA1], u_int16_t *counter))card_get_reauth;
+	this->public.add_provider = (void(*)(sim_manager_t*, sim_provider_t *provider))add_provider;
+	this->public.remove_provider = (void(*)(sim_manager_t*, sim_provider_t *provider))remove_provider;
+	this->public.provider_get_triplet = (bool(*)(sim_manager_t*, identification_t *id, char rand[SIM_RAND_LEN], char sres[SIM_SRES_LEN], char kc[SIM_KC_LEN]))provider_get_triplet;
+	this->public.provider_get_quintuplet = (bool(*)(sim_manager_t*, identification_t *id, char rand[AKA_RAND_LEN], char xres[AKA_RES_MAX], int *xres_len, char ck[AKA_CK_LEN], char ik[AKA_IK_LEN], char autn[AKA_AUTN_LEN]))provider_get_quintuplet;
+	this->public.provider_resync = (bool(*)(sim_manager_t*, identification_t *id, char rand[AKA_RAND_LEN], char auts[AKA_AUTS_LEN]))provider_resync;
+	this->public.provider_is_pseudonym = (identification_t*(*)(sim_manager_t*, identification_t *id))provider_is_pseudonym;
+	this->public.provider_gen_pseudonym = (identification_t*(*)(sim_manager_t*, identification_t *id))provider_gen_pseudonym;
+	this->public.provider_is_reauth = (identification_t*(*)(sim_manager_t*, identification_t *id, char mk[HASH_SIZE_SHA1], u_int16_t *counter))provider_is_reauth;
+	this->public.provider_gen_reauth = (identification_t*(*)(sim_manager_t*, identification_t *id, char mk[HASH_SIZE_SHA1]))provider_gen_reauth;
+	this->public.add_hooks = (void(*)(sim_manager_t*, sim_hooks_t *hooks))add_hooks;
+	this->public.remove_hooks = (void(*)(sim_manager_t*, sim_hooks_t *hooks))remove_hooks;
+	this->public.message_hook = (void(*)(sim_manager_t*, simaka_message_t *message, bool inbound, bool decrypted))message_hook;
+	this->public.key_hook = (void(*)(sim_manager_t*, chunk_t k_encr, chunk_t k_auth))key_hook;
+	this->public.destroy = (void(*)(sim_manager_t*))destroy;
+
+	this->cards = linked_list_create();
+	this->providers = linked_list_create();
+	this->hooks = linked_list_create();
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/sa/authenticators/eap/sim_manager.h b/src/libcharon/sa/authenticators/eap/sim_manager.h
new file mode 100644
index 000000000..9aa661ac8
--- /dev/null
+++ b/src/libcharon/sa/authenticators/eap/sim_manager.h
@@ -0,0 +1,514 @@
+/*
+ * Copyright (C) 2008-2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup sim_manager sim_manager
+ * @{ @ingroup eap
+ */
+
+#ifndef SIM_MANAGER_H_
+#define SIM_MANAGER_H_
+
+#include <crypto/hashers/hasher.h>
+#include <utils/identification.h>
+#include <utils/enumerator.h>
+#include <sa/authenticators/eap/eap_method.h>
+
+typedef struct sim_manager_t sim_manager_t;
+typedef struct sim_card_t sim_card_t;
+typedef struct sim_provider_t sim_provider_t;
+typedef struct sim_hooks_t sim_hooks_t;
+
+/** implemented in libsimaka, but we need it for the message hook */
+typedef struct simaka_message_t simaka_message_t;
+
+#define SIM_RAND_LEN	16
+#define SIM_SRES_LEN	 4
+#define SIM_KC_LEN		 8
+
+#define AKA_RAND_LEN	16
+#define AKA_RES_MAX		16
+#define AKA_CK_LEN		16
+#define AKA_IK_LEN		16
+#define AKA_AUTN_LEN	16
+#define AKA_AUTS_LEN	14
+
+/**
+ * Interface for a (U)SIM card (used as EAP client).
+ *
+ * The SIM card completes triplets/quintuplets requested in a challenge
+ * received from the server.
+ * An implementation supporting only one of SIM/AKA authentication may
+ * implement the other methods with return_false()/return NOT_SUPPORTED/NULL.
+ */
+struct sim_card_t {
+
+	/**
+	 * Calculate SRES/KC from a RAND for SIM authentication.
+	 *
+	 * @param id		permanent identity to get a triplet for
+	 * @param rand		RAND input buffer, fixed size 16 bytes
+	 * @param sres		SRES output buffer, fixed size 4 byte
+	 * @param kc		KC output buffer, fixed size 8 bytes
+	 * @return			TRUE if SRES/KC calculated, FALSE on error/wrong identity
+	 */
+	bool (*get_triplet)(sim_card_t *this, identification_t *id,
+						char rand[SIM_RAND_LEN], char sres[SIM_SRES_LEN],
+						char kc[SIM_KC_LEN]);
+
+	/**
+	 * Calculate CK/IK/RES from RAND/AUTN for AKA authentication.
+	 *
+	 * If the received sequence number (in autn) is out of sync, INVALID_STATE
+	 * is returned.
+	 * The RES value is the only one with variable length. Pass a buffer
+	 * of at least AKA_RES_MAX, the actual number of bytes is written to the
+	 * res_len value. While the standard would allow any bit length between
+	 * 32 and 128 bits, we support only full bytes for now.
+	 *
+	 * @param id		permanent identity to request quintuplet for
+	 * @param rand		random value rand
+	 * @param autn		authentication token autn
+	 * @param ck		buffer receiving encryption key ck
+	 * @param ik		buffer receiving integrity key ik
+	 * @param res		buffer receiving authentication result res
+	 * @param res_len	nubmer of bytes written to res buffer
+	 * @return			SUCCESS, FAILED, or INVALID_STATE if out of sync
+	 */
+	status_t (*get_quintuplet)(sim_card_t *this, identification_t *id,
+							   char rand[AKA_RAND_LEN], char autn[AKA_AUTN_LEN],
+							   char ck[AKA_CK_LEN], char ik[AKA_IK_LEN],
+							   char res[AKA_RES_MAX], int *res_len);
+
+	/**
+	 * Calculate AUTS from RAND for AKA resynchronization.
+	 *
+	 * @param id		permanent identity to request quintuplet for
+	 * @param rand		random value rand
+	 * @param auts		resynchronization parameter auts
+	 * @return			TRUE if parameter generated successfully
+	 */
+	bool (*resync)(sim_card_t *this, identification_t *id,
+				   char rand[AKA_RAND_LEN], char auts[AKA_AUTS_LEN]);
+
+	/**
+	 * Set the pseudonym to use for next authentication.
+	 *
+	 * @param id		permanent identity of the peer
+	 * @param pseudonym	pseudonym identity received from the server
+	 */
+	void (*set_pseudonym)(sim_card_t *this, identification_t *id,
+						  identification_t *pseudonym);
+
+	/**
+	 * Get the pseudonym previously stored via set_pseudonym().
+	 *
+	 * @param id		permanent identity of the peer
+	 * @return			associated pseudonym identity, NULL if none stored
+	 */
+	identification_t* (*get_pseudonym)(sim_card_t *this, identification_t *id);
+
+	/**
+	 * Store parameters to use for the next fast reauthentication.
+	 *
+	 * @param id		permanent identity of the peer
+	 * @param next		next fast reauthentication identity to use
+	 * @param mk		master key MK to store for reauthentication
+	 * @param counter	counter value to store, host order
+	 */
+	void (*set_reauth)(sim_card_t *this, identification_t *id,
+					   identification_t *next, char mk[HASH_SIZE_SHA1],
+					   u_int16_t counter);
+
+	/**
+	 * Retrieve parameters for fast reauthentication stored via set_reauth().
+	 *
+	 * @param id		permanent identity of the peer
+	 * @param mk		buffer receiving master key MK
+	 * @param counter	pointer receiving counter value, in host order
+	 * @return			fast reauthentication identity, NULL if not found
+	 */
+	identification_t* (*get_reauth)(sim_card_t *this, identification_t *id,
+									char mk[HASH_SIZE_SHA1], u_int16_t *counter);
+};
+
+/**
+ * Interface for a triplet/quintuplet provider (used as EAP server).
+ *
+ * A SIM provider hands out triplets for SIM authentication and quintuplets
+ * for AKA authentication. Multiple SIM provider instances can serve as
+ * authentication backend to authenticate clients using SIM/AKA.
+ * An implementation supporting only one of SIM/AKA authentication may
+ * implement the other methods with return_false().
+ */
+struct sim_provider_t {
+
+	/**
+	 * Create a challenge for SIM authentication.
+	 *
+	 * @param id		permanent identity of peer to gen triplet for
+	 * @param rand		RAND output buffer, fixed size 16 bytes
+	 * @param sres		SRES output buffer, fixed size 4 byte
+	 * @param kc		KC output buffer, fixed size 8 bytes
+	 * @return			TRUE if triplet received, FALSE otherwise
+	 */
+	bool (*get_triplet)(sim_provider_t *this, identification_t *id,
+						char rand[SIM_RAND_LEN], char sres[SIM_SRES_LEN],
+						char kc[SIM_KC_LEN]);
+
+	/**
+	 * Create a challenge for AKA authentication.
+	 *
+	 * The XRES value is the only one with variable length. Pass a buffer
+	 * of at least AKA_RES_MAX, the actual number of bytes is written to the
+	 * xres_len value. While the standard would allow any bit length between
+	 * 32 and 128 bits, we support only full bytes for now.
+	 *
+	 * @param id		permanent identity of peer to create challenge for
+	 * @param rand		buffer receiving random value rand
+	 * @param xres		buffer receiving expected authentication result xres
+	 * @param xres_len	nubmer of bytes written to xres buffer
+	 * @param ck		buffer receiving encryption key ck
+	 * @param ik		buffer receiving integrity key ik
+	 * @param autn		authentication token autn
+	 * @return			TRUE if quintuplet generated successfully
+	 */
+	bool (*get_quintuplet)(sim_provider_t *this, identification_t *id,
+						   char rand[AKA_RAND_LEN],
+						   char xres[AKA_RES_MAX], int *xres_len,
+						   char ck[AKA_CK_LEN], char ik[AKA_IK_LEN],
+						   char autn[AKA_AUTN_LEN]);
+
+	/**
+	 * Process AKA resynchroniusation request of a peer.
+	 *
+	 * @param id		permanent identity of peer requesting resynchronisation
+	 * @param rand		random value rand
+	 * @param auts		synchronization parameter auts
+	 * @return			TRUE if resynchronized successfully
+	 */
+	bool (*resync)(sim_provider_t *this, identification_t *id,
+				   char rand[AKA_RAND_LEN], char auts[AKA_AUTS_LEN]);
+
+	/**
+	 * Check if peer uses a pseudonym, get permanent identity.
+	 *
+	 * @param id		pseudonym identity candidate
+	 * @return			permanent identity, NULL if id not a pseudonym
+	 */
+	identification_t* (*is_pseudonym)(sim_provider_t *this,
+									  identification_t *id);
+
+	/**
+	 * Generate a pseudonym identitiy for a given peer identity.
+	 *
+	 * @param id		permanent identity to generate a pseudonym for
+	 * @return			generated pseudonym, NULL to not use a pseudonym identity
+	 */
+	identification_t* (*gen_pseudonym)(sim_provider_t *this,
+									   identification_t *id);
+
+	/**
+	 * Check if peer uses reauthentication, retrieve reauth parameters.
+	 *
+	 * @param id		reauthentication identity (candidate)
+	 * @param mk		buffer receiving master key MK
+	 * @param counter	pointer receiving current counter value, host order
+	 * @return			permanent identity, NULL if id not a reauth identity
+	 */
+	identification_t* (*is_reauth)(sim_provider_t *this, identification_t *id,
+								   char mk[HASH_SIZE_SHA1], u_int16_t *counter);
+
+	/**
+	 * Generate a fast reauthentication identity, associated to a master key.
+	 *
+	 * @param id		permanent peer identity
+	 * @param mk		master key to store along with generated identity
+	 * @return			fast reauthentication identity, NULL to not use reauth
+	 */
+	identification_t* (*gen_reauth)(sim_provider_t *this, identification_t *id,
+									char mk[HASH_SIZE_SHA1]);
+};
+
+/**
+ * Additional hooks invoked during EAP-SIM/AKA message processing.
+ */
+struct sim_hooks_t {
+
+	/**
+	 * SIM/AKA message parsing.
+	 *
+	 * As a SIM/AKA optionally contains encrypted attributes, the hook
+	 * might get invoked twice, once before and once after decryption.
+	 *
+	 * @param message	SIM/AKA message
+	 * @param inbound	TRUE for incoming messages, FALSE for outgoing
+	 * @param decrypted	TRUE if AT_ENCR_DATA has been decrypted
+	 */
+	void (*message)(sim_hooks_t *this, simaka_message_t *message,
+					bool inbound, bool decrypted);
+
+	/**
+	 * SIM/AKA encryption/authentication key hooks.
+	 *
+	 * @param k_encr	derived SIM/AKA encryption key k_encr
+	 * @param k_auth	derived SIM/AKA authentication key k_auth
+	 */
+	void (*keys)(sim_hooks_t *this, chunk_t k_encr, chunk_t k_auth);
+};
+
+/**
+ * The SIM manager handles multiple (U)SIM cards/providers and hooks.
+ */
+struct sim_manager_t {
+
+	/**
+	 * Register a SIM card (client) at the manager.
+	 *
+	 * @param card		sim card to register
+	 */
+	void (*add_card)(sim_manager_t *this, sim_card_t *card);
+
+	/**
+	 * Unregister a previously registered card from the manager.
+	 *
+	 * @param card		sim card to unregister
+	 */
+	void (*remove_card)(sim_manager_t *this, sim_card_t *card);
+
+	/**
+	 * Calculate SIM triplets on one of the registered SIM cards.
+	 *
+	 * @param id		permanent identity to get a triplet for
+	 * @param rand		RAND input buffer, fixed size 16 bytes
+	 * @param sres		SRES output buffer, fixed size 4 byte
+	 * @param kc		KC output buffer, fixed size 8 bytes
+	 * @return			TRUE if calculated, FALSE if no matching card found
+	 */
+	bool (*card_get_triplet)(sim_manager_t *this, identification_t *id,
+							 char rand[SIM_RAND_LEN], char sres[SIM_SRES_LEN],
+							 char kc[SIM_KC_LEN]);
+
+	/**
+	 * Calculate AKA quitpulets on one of the registered SIM cards.
+	 *
+	 * @param id		permanent identity to request quintuplet for
+	 * @param rand		random value rand
+	 * @param autn		authentication token autn
+	 * @param ck		buffer receiving encryption key ck
+	 * @param ik		buffer receiving integrity key ik
+	 * @param res		buffer receiving authentication result res
+	 * @param res_len	nubmer of bytes written to res buffer
+	 * @return			SUCCESS, FAILED, or INVALID_STATE if out of sync
+	 */
+	status_t (*card_get_quintuplet)(sim_manager_t *this, identification_t *id,
+								char rand[AKA_RAND_LEN], char autn[AKA_AUTN_LEN],
+								char ck[AKA_CK_LEN], char ik[AKA_IK_LEN],
+								char res[AKA_RES_MAX], int *res_len);
+
+	/**
+	 * Calculate resynchronization data on one of the registered SIM cards.
+	 *
+	 * @param id		permanent identity to request quintuplet for
+	 * @param rand		random value rand
+	 * @param auts		resynchronization parameter auts
+	 * @return			TRUE if calculated, FALSE if no matcing card found
+	 */
+	bool (*card_resync)(sim_manager_t *this, identification_t *id,
+						char rand[AKA_RAND_LEN], char auts[AKA_AUTS_LEN]);
+
+	/**
+	 * Store a received pseudonym on one of the registered SIM cards.
+	 *
+	 * @param id		permanent identity of the peer
+	 * @param pseudonym	pseudonym identity received from the server
+	 */
+	void (*card_set_pseudonym)(sim_manager_t *this, identification_t *id,
+							   identification_t *pseudonym);
+
+	/**
+	 * Get a stored pseudonym from one of the registerd SIM cards.
+	 *
+	 * @param id		permanent identity of the peer
+	 * @return			associated pseudonym identity, NULL if none found
+	 */
+	identification_t* (*card_get_pseudonym)(sim_manager_t *this,
+											identification_t *id);
+
+	/**
+	 * Store fast reauthentication parameters on one of the registered cards.
+	 *
+	 * @param id		permanent identity of the peer
+	 * @param next		next fast reauthentication identity to use
+	 * @param mk		master key MK to store for reauthentication
+	 * @param counter	counter value to store, host order
+	 */
+	void (*card_set_reauth)(sim_manager_t *this, identification_t *id,
+							identification_t *next, char mk[HASH_SIZE_SHA1],
+							u_int16_t counter);
+
+	/**
+	 * Retrieve fast reauthentication parameters from one of the registerd cards.
+	 *
+	 * @param id		permanent identity of the peer
+	 * @param mk		buffer receiving master key MK
+	 * @param counter	pointer receiving counter value, in host order
+	 * @return			fast reauthentication identity, NULL if none found
+	 */
+	identification_t* (*card_get_reauth)(sim_manager_t *this,
+								identification_t *id, char mk[HASH_SIZE_SHA1],
+								u_int16_t *counter);
+
+	/**
+	 * Register a triplet provider (server) at the manager.
+	 *
+	 * @param card		sim card to register
+	 */
+	void (*add_provider)(sim_manager_t *this, sim_provider_t *provider);
+
+	/**
+	 * Unregister a previously registered provider from the manager.
+	 *
+	 * @param card		sim card to unregister
+	 */
+	void (*remove_provider)(sim_manager_t *this, sim_provider_t *provider);
+
+	/**
+	 * Get a SIM triplet from one of the registered providers.
+	 *
+	 * @param id		permanent identity of peer to gen triplet for
+	 * @param rand		RAND output buffer, fixed size 16 bytes
+	 * @param sres		SRES output buffer, fixed size 4 byte
+	 * @param kc		KC output buffer, fixed size 8 bytes
+	 * @return			TRUE if triplet received, FALSE if no match found
+	 */
+	bool (*provider_get_triplet)(sim_manager_t *this, identification_t *id,
+							char rand[SIM_RAND_LEN], char sres[SIM_SRES_LEN],
+							char kc[SIM_KC_LEN]);
+
+	/**
+	 * Get a AKA quintuplet from one of the registered providers.
+	 *
+	 * @param id		permanent identity of peer to create challenge for
+	 * @param rand		buffer receiving random value rand
+	 * @param xres		buffer receiving expected authentication result xres
+	 * @param ck		buffer receiving encryption key ck
+	 * @param ik		buffer receiving integrity key ik
+	 * @param autn		authentication token autn
+	 * @return			TRUE if quintuplet received, FALSE if no match found
+	 */
+	bool (*provider_get_quintuplet)(sim_manager_t *this, identification_t *id,
+							char rand[AKA_RAND_LEN],
+							char xres[AKA_RES_MAX], int *xres_len,
+							char ck[AKA_CK_LEN], char ik[AKA_IK_LEN],
+							char autn[AKA_AUTN_LEN]);
+
+	/**
+	 * Pass AKA resynchronization data to one of the registered providers.
+	 *
+	 * @param id		permanent identity of peer requesting resynchronisation
+	 * @param rand		random value rand
+	 * @param auts		synchronization parameter auts
+	 * @return			TRUE if resynchronized, FALSE if not handled
+	 */
+	bool (*provider_resync)(sim_manager_t *this, identification_t *id,
+							char rand[AKA_RAND_LEN], char auts[AKA_AUTS_LEN]);
+
+	/**
+	 * Check if a peer uses a pseudonym using one of the registered providers.
+	 *
+	 * @param id		pseudonym identity candidate
+	 * @return			permanent identity, NULL if id not a pseudonym
+	 */
+	identification_t* (*provider_is_pseudonym)(sim_manager_t *this,
+											   identification_t *id);
+
+	/**
+	 * Generate a new pseudonym using one of the registered providers.
+	 *
+	 * @param id		permanent identity to generate a pseudonym for
+	 * @return			generated pseudonym, NULL to not use a pseudonym identity
+	 */
+	identification_t* (*provider_gen_pseudonym)(sim_manager_t *this,
+												identification_t *id);
+
+	/**
+	 * Check if a peer uses a reauth id using one of the registered providers.
+	 *
+	 * @param id		reauthentication identity (candidate)
+	 * @param mk		buffer receiving master key MK
+	 * @param counter	pointer receiving current counter value, host order
+	 * @return			permanent identity, NULL if not a known reauth identity
+	 */
+	identification_t* (*provider_is_reauth)(sim_manager_t *this,
+								identification_t *id, char mk[HASH_SIZE_SHA1],
+								u_int16_t *counter);
+
+	/**
+	 * Generate a fast reauth id using one of the registered providers.
+	 *
+	 * @param id		permanent peer identity
+	 * @param mk		master key to store along with generated identity
+	 * @return			fast reauthentication identity, NULL to not use reauth
+	 */
+	identification_t* (*provider_gen_reauth)(sim_manager_t *this,
+								identification_t *id, char mk[HASH_SIZE_SHA1]);
+
+	/**
+	 * Register a set of hooks to the manager.
+	 *
+	 * @param hooks		hook interface implementation to register
+	 */
+	void (*add_hooks)(sim_manager_t *this, sim_hooks_t *hooks);
+
+	/**
+	 * Unregister a set of hooks from the manager.
+	 *
+	 * @param hooks		hook interface implementation to unregister
+	 */
+	void (*remove_hooks)(sim_manager_t *this, sim_hooks_t *hooks);
+
+	/**
+	 * Invoke SIM/AKA message hook.
+	 *
+	 * @param message	SIM message
+	 * @param inbound	TRUE for incoming messages, FALSE for outgoing
+	 * @param decrypted	TRUE if AT_ENCR_DATA has been decrypted
+	 */
+	void (*message_hook)(sim_manager_t *this, simaka_message_t *message,
+						 bool inbound, bool decrypted);
+
+	/**
+	 * Invoke SIM/AKA key hook.
+	 *
+	 * @param k_encr	SIM/AKA encryption key k_encr
+	 * @param k_auth	SIM/AKA authentication key k_auth
+	 */
+	void (*key_hook)(sim_manager_t *this, chunk_t k_encr, chunk_t k_auth);
+
+	/**
+	 * Destroy a manager instance.
+	 */
+	void (*destroy)(sim_manager_t *this);
+};
+
+/**
+ * Create an SIM manager to handle multiple (U)SIM cards/providers.
+ *
+ * @return			sim_t object
+ */
+sim_manager_t *sim_manager_create();
+
+#endif /** SIM_MANAGER_H_ @}*/
diff --git a/src/libcharon/sa/authenticators/eap_authenticator.c b/src/libcharon/sa/authenticators/eap_authenticator.c
new file mode 100644
index 000000000..4617c4d8d
--- /dev/null
+++ b/src/libcharon/sa/authenticators/eap_authenticator.c
@@ -0,0 +1,705 @@
+/*
+ * Copyright (C) 2006-2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_authenticator.h"
+
+#include <daemon.h>
+#include <sa/authenticators/eap/eap_method.h>
+#include <encoding/payloads/auth_payload.h>
+#include <encoding/payloads/eap_payload.h>
+
+typedef struct private_eap_authenticator_t private_eap_authenticator_t;
+
+/**
+ * Private data of an eap_authenticator_t object.
+ */
+struct private_eap_authenticator_t {
+
+	/**
+	 * Public authenticator_t interface.
+	 */
+	eap_authenticator_t public;
+
+	/**
+	 * Assigned IKE_SA
+	 */
+	ike_sa_t *ike_sa;
+
+	/**
+	 * others nonce to include in AUTH calculation
+	 */
+	chunk_t received_nonce;
+
+	/**
+	 * our nonce to include in AUTH calculation
+	 */
+	chunk_t sent_nonce;
+
+	/**
+	 * others IKE_SA_INIT message data to include in AUTH calculation
+	 */
+	chunk_t received_init;
+
+	/**
+	 * our IKE_SA_INIT message data to include in AUTH calculation
+	 */
+	chunk_t sent_init;
+
+	/**
+	 * Current EAP method processing
+	 */
+	eap_method_t *method;
+
+	/**
+	 * MSK used to build and verify auth payload
+	 */
+	chunk_t msk;
+
+	/**
+	 * EAP authentication method completed successfully
+	 */
+	bool eap_complete;
+
+	/**
+	 * Set if we require mutual EAP due EAP-only authentication
+	 */
+	bool require_mutual;
+
+	/**
+	 * authentication payload verified successfully
+	 */
+	bool auth_complete;
+
+	/**
+	 * generated EAP payload
+	 */
+	eap_payload_t *eap_payload;
+
+	/**
+	 * EAP identity of peer
+	 */
+	identification_t *eap_identity;
+};
+
+/**
+ * load an EAP method
+ */
+static eap_method_t *load_method(private_eap_authenticator_t *this,
+							eap_type_t type, u_int32_t vendor, eap_role_t role)
+{
+	identification_t *server, *peer;
+
+	if (role == EAP_SERVER)
+	{
+		server = this->ike_sa->get_my_id(this->ike_sa);
+		peer = this->ike_sa->get_other_id(this->ike_sa);
+	}
+	else
+	{
+		server = this->ike_sa->get_other_id(this->ike_sa);
+		peer = this->ike_sa->get_my_id(this->ike_sa);
+	}
+	if (this->eap_identity)
+	{
+		peer = this->eap_identity;
+	}
+	return charon->eap->create_instance(charon->eap, type, vendor,
+										role, server, peer);
+}
+
+/**
+ * Initiate EAP conversation as server
+ */
+static eap_payload_t* server_initiate_eap(private_eap_authenticator_t *this,
+										  bool do_identity)
+{
+	auth_cfg_t *auth;
+	eap_type_t type;
+	identification_t *id;
+	u_int32_t vendor;
+	eap_payload_t *out;
+	char *action;
+
+	auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
+
+	/* initiate EAP-Identity exchange if required */
+	if (!this->eap_identity && do_identity)
+	{
+		id = auth->get(auth, AUTH_RULE_EAP_IDENTITY);
+		if (id)
+		{
+			this->method = load_method(this, EAP_IDENTITY, 0, EAP_SERVER);
+			if (this->method)
+			{
+				if (this->method->initiate(this->method, &out) == NEED_MORE)
+				{
+					DBG1(DBG_IKE, "initiating EAP-Identity request");
+					return out;
+				}
+				this->method->destroy(this->method);
+			}
+			DBG1(DBG_IKE, "EAP-Identity request configured, but not supported");
+		}
+	}
+	/* invoke real EAP method */
+	type = (uintptr_t)auth->get(auth, AUTH_RULE_EAP_TYPE);
+	vendor = (uintptr_t)auth->get(auth, AUTH_RULE_EAP_VENDOR);
+	action = "loading";
+	this->method = load_method(this, type, vendor, EAP_SERVER);
+	if (this->method)
+	{
+		action = "initiating";
+		if (this->method->initiate(this->method, &out) == NEED_MORE)
+		{
+			if (vendor)
+			{
+				DBG1(DBG_IKE, "initiating EAP vendor type %d-%d method",
+							  type, vendor);
+			}
+			else
+			{
+				DBG1(DBG_IKE, "initiating %N method", eap_type_names, type);
+			}
+			return out;
+		}
+	}
+	if (vendor)
+	{
+		DBG1(DBG_IKE, "%s EAP vendor type %d-%d method failed",
+					  action, type,	vendor);
+	}
+	else
+	{
+		DBG1(DBG_IKE, "%s %N method failed", action, eap_type_names, type);
+	}
+	return eap_payload_create_code(EAP_FAILURE, 0);
+}
+
+/**
+ * Replace the existing EAP-Identity in other auth config
+ */
+static void replace_eap_identity(private_eap_authenticator_t *this)
+{
+	enumerator_t *enumerator;
+	auth_rule_t rule;
+	auth_cfg_t *cfg;
+	void *ptr;
+
+	cfg = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
+	enumerator = cfg->create_enumerator(cfg);
+	while (enumerator->enumerate(enumerator, &rule, &ptr))
+	{
+		if (rule == AUTH_RULE_EAP_IDENTITY)
+		{
+			cfg->replace(cfg, enumerator, AUTH_RULE_EAP_IDENTITY,
+						 this->eap_identity->clone(this->eap_identity));
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+}
+
+/**
+ * Handle EAP exchange as server
+ */
+static eap_payload_t* server_process_eap(private_eap_authenticator_t *this,
+										 eap_payload_t *in)
+{
+	eap_type_t type, received_type;
+	u_int32_t vendor, received_vendor;
+	eap_payload_t *out;
+	auth_cfg_t *cfg;
+
+	if (in->get_code(in) != EAP_RESPONSE)
+	{
+		DBG1(DBG_IKE, "received %N, sending %N",
+			 eap_code_names, in->get_code(in), eap_code_names, EAP_FAILURE);
+		return eap_payload_create_code(EAP_FAILURE, in->get_identifier(in));
+	}
+
+	type = this->method->get_type(this->method, &vendor);
+	received_type = in->get_type(in, &received_vendor);
+	if (type != received_type || vendor != received_vendor)
+	{
+		if (received_vendor == 0 && received_type == EAP_NAK)
+		{
+			DBG1(DBG_IKE, "received %N, sending %N",
+				 eap_type_names, EAP_NAK, eap_code_names, EAP_FAILURE);
+		}
+		else
+		{
+			DBG1(DBG_IKE, "received invalid EAP response, sending %N",
+				 eap_code_names, EAP_FAILURE);
+		}
+		return eap_payload_create_code(EAP_FAILURE, in->get_identifier(in));
+	}
+
+	switch (this->method->process(this->method, in, &out))
+	{
+		case NEED_MORE:
+			return out;
+		case SUCCESS:
+			if (!vendor && type == EAP_IDENTITY)
+			{
+				chunk_t data;
+
+				if (this->method->get_msk(this->method, &data) == SUCCESS)
+				{
+					this->eap_identity = identification_create_from_data(data);
+					DBG1(DBG_IKE, "received EAP identity '%Y'",
+						 this->eap_identity);
+					replace_eap_identity(this);
+				}
+				/* restart EAP exchange, but with real method */
+				this->method->destroy(this->method);
+				return server_initiate_eap(this, FALSE);
+			}
+			if (this->method->get_msk(this->method, &this->msk) == SUCCESS)
+			{
+				this->msk = chunk_clone(this->msk);
+			}
+			if (vendor)
+			{
+				DBG1(DBG_IKE, "EAP vendor specific method %d-%d succeeded, "
+					 "%sMSK established", type, vendor,
+					 this->msk.ptr ? "" : "no ");
+			}
+			else
+			{
+				DBG1(DBG_IKE, "EAP method %N succeeded, %sMSK established",
+					 eap_type_names, type, this->msk.ptr ? "" : "no ");
+			}
+			this->ike_sa->set_condition(this->ike_sa, COND_EAP_AUTHENTICATED,
+										TRUE);
+			cfg = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
+			cfg->add(cfg, AUTH_RULE_EAP_TYPE, type);
+			if (vendor)
+			{
+				cfg->add(cfg, AUTH_RULE_EAP_VENDOR, vendor);
+			}
+			this->eap_complete = TRUE;
+			return eap_payload_create_code(EAP_SUCCESS, in->get_identifier(in));
+		case FAILED:
+		default:
+			if (vendor)
+			{
+				DBG1(DBG_IKE, "EAP vendor specific method %d-%d failed for "
+					 "peer %Y", type, vendor,
+					 this->ike_sa->get_other_id(this->ike_sa));
+			}
+			else
+			{
+				DBG1(DBG_IKE, "EAP method %N failed for peer %Y",
+					 eap_type_names, type,
+					 this->ike_sa->get_other_id(this->ike_sa));
+			}
+			return eap_payload_create_code(EAP_FAILURE, in->get_identifier(in));
+	}
+}
+
+/**
+ * Processing method for a peer
+ */
+static eap_payload_t* client_process_eap(private_eap_authenticator_t *this,
+										 eap_payload_t *in)
+{
+	eap_type_t type;
+	u_int32_t vendor;
+	auth_cfg_t *auth;
+	eap_payload_t *out;
+	identification_t *id;
+
+	type = in->get_type(in, &vendor);
+
+	if (!vendor && type == EAP_IDENTITY)
+	{
+		DESTROY_IF(this->eap_identity);
+		auth = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
+		id = auth->get(auth, AUTH_RULE_EAP_IDENTITY);
+		if (!id || id->get_type(id) == ID_ANY)
+		{
+			id = this->ike_sa->get_my_id(this->ike_sa);
+		}
+		DBG1(DBG_IKE, "server requested %N, sending '%Y'",
+			 eap_type_names, type, id);
+		this->eap_identity = id->clone(id);
+
+		this->method = load_method(this, type, vendor, EAP_PEER);
+		if (this->method)
+		{
+			if (this->method->process(this->method, in, &out) == SUCCESS)
+			{
+				this->method->destroy(this->method);
+				this->method = NULL;
+				return out;
+			}
+			this->method->destroy(this->method);
+			this->method = NULL;
+		}
+		DBG1(DBG_IKE, "%N not supported, sending EAP_NAK",
+			 eap_type_names, type);
+		return eap_payload_create_nak(in->get_identifier(in));
+	}
+	if (this->method == NULL)
+	{
+		if (vendor)
+		{
+			DBG1(DBG_IKE, "server requested vendor specific EAP method %d-%d",
+				 type, vendor);
+		}
+		else
+		{
+			DBG1(DBG_IKE, "server requested %N authentication",
+				 eap_type_names, type);
+		}
+		this->method = load_method(this, type, vendor, EAP_PEER);
+		if (!this->method)
+		{
+			DBG1(DBG_IKE, "EAP method not supported, sending EAP_NAK");
+			return eap_payload_create_nak(in->get_identifier(in));
+		}
+	}
+
+	type = this->method->get_type(this->method, &vendor);
+
+	if (this->method->process(this->method, in, &out) == NEED_MORE)
+	{	/* client methods should never return SUCCESS */
+		return out;
+	}
+
+	if (vendor)
+	{
+		DBG1(DBG_IKE, "vendor specific EAP method %d-%d failed", type, vendor);
+	}
+	else
+	{
+		DBG1(DBG_IKE, "%N method failed", eap_type_names, type);
+	}
+	return NULL;
+}
+
+/**
+ * Verify AUTH payload
+ */
+static bool verify_auth(private_eap_authenticator_t *this, message_t *message,
+						chunk_t nonce, chunk_t init)
+{
+	auth_payload_t *auth_payload;
+	chunk_t auth_data, recv_auth_data;
+	identification_t *other_id;
+	auth_cfg_t *auth;
+	keymat_t *keymat;
+
+	auth_payload = (auth_payload_t*)message->get_payload(message,
+														 AUTHENTICATION);
+	if (!auth_payload)
+	{
+		DBG1(DBG_IKE, "AUTH payload missing");
+		return FALSE;
+	}
+	other_id = this->ike_sa->get_other_id(this->ike_sa);
+	keymat = this->ike_sa->get_keymat(this->ike_sa);
+	auth_data = keymat->get_psk_sig(keymat, TRUE, init, nonce,
+									this->msk, other_id);
+	recv_auth_data = auth_payload->get_data(auth_payload);
+	if (!auth_data.len || !chunk_equals(auth_data, recv_auth_data))
+	{
+		DBG1(DBG_IKE, "verification of AUTH payload with%s EAP MSK failed",
+			 this->msk.ptr ? "" : "out");
+		chunk_free(&auth_data);
+		return FALSE;
+	}
+	chunk_free(&auth_data);
+
+	DBG1(DBG_IKE, "authentication of '%Y' with %N successful",
+		 other_id, auth_class_names, AUTH_CLASS_EAP);
+	this->auth_complete = TRUE;
+	auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
+	auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_EAP);
+	return TRUE;
+}
+
+/**
+ * Build AUTH payload
+ */
+static void build_auth(private_eap_authenticator_t *this, message_t *message,
+					   chunk_t nonce, chunk_t init)
+{
+	auth_payload_t *auth_payload;
+	identification_t *my_id;
+	chunk_t auth_data;
+	keymat_t *keymat;
+
+	my_id = this->ike_sa->get_my_id(this->ike_sa);
+	keymat = this->ike_sa->get_keymat(this->ike_sa);
+
+	DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N",
+		 my_id, auth_class_names, AUTH_CLASS_EAP);
+
+	auth_data = keymat->get_psk_sig(keymat, FALSE, init, nonce, this->msk, my_id);
+	auth_payload = auth_payload_create();
+	auth_payload->set_auth_method(auth_payload, AUTH_PSK);
+	auth_payload->set_data(auth_payload, auth_data);
+	message->add_payload(message, (payload_t*)auth_payload);
+	chunk_free(&auth_data);
+}
+
+/**
+ * Implementation of authenticator_t.process for a server
+ */
+static status_t process_server(private_eap_authenticator_t *this,
+							   message_t *message)
+{
+	eap_payload_t *eap_payload;
+
+	if (this->eap_complete)
+	{
+		if (!verify_auth(this, message, this->sent_nonce, this->received_init))
+		{
+			return FAILED;
+		}
+		return NEED_MORE;
+	}
+
+	if (!this->method)
+	{
+		this->eap_payload = server_initiate_eap(this, TRUE);
+	}
+	else
+	{
+		eap_payload = (eap_payload_t*)message->get_payload(message,
+													EXTENSIBLE_AUTHENTICATION);
+		if (!eap_payload)
+		{
+			return FAILED;
+		}
+		this->eap_payload = server_process_eap(this, eap_payload);
+	}
+	return NEED_MORE;
+}
+
+/**
+ * Implementation of authenticator_t.build for a server
+ */
+static status_t build_server(private_eap_authenticator_t *this,
+							 message_t *message)
+{
+	if (this->eap_payload)
+	{
+		eap_code_t code;
+
+		code = this->eap_payload->get_code(this->eap_payload);
+		message->add_payload(message, (payload_t*)this->eap_payload);
+		this->eap_payload = NULL;
+		if (code == EAP_FAILURE)
+		{
+			return FAILED;
+		}
+		return NEED_MORE;
+	}
+	if (this->eap_complete && this->auth_complete)
+	{
+		build_auth(this, message, this->received_nonce, this->sent_init);
+		return SUCCESS;
+	}
+	return FAILED;
+}
+
+/**
+ * Implementation of authenticator_t.process for a client
+ */
+static status_t process_client(private_eap_authenticator_t *this,
+							   message_t *message)
+{
+	eap_payload_t *eap_payload;
+
+	if (this->eap_complete)
+	{
+		if (!verify_auth(this, message, this->sent_nonce, this->received_init))
+		{
+			return FAILED;
+		}
+		if (this->require_mutual && !this->method->is_mutual(this->method))
+		{	/* we require mutual authentication due to EAP-only */
+			u_int32_t vendor;
+
+			DBG1(DBG_IKE, "EAP-only authentication requires a mutual and "
+				 "MSK deriving EAP method, but %N is not",
+				 eap_type_names, this->method->get_type(this->method, &vendor));
+			return FAILED;
+		}
+		return SUCCESS;
+	}
+
+	eap_payload = (eap_payload_t*)message->get_payload(message,
+													EXTENSIBLE_AUTHENTICATION);
+	if (eap_payload)
+	{
+		switch (eap_payload->get_code(eap_payload))
+		{
+			case EAP_REQUEST:
+			{
+				this->eap_payload = client_process_eap(this, eap_payload);
+				if (this->eap_payload)
+				{
+					return NEED_MORE;
+				}
+				return FAILED;
+			}
+			case EAP_SUCCESS:
+			{
+				eap_type_t type;
+				u_int32_t vendor;
+				auth_cfg_t *cfg;
+
+				if (this->method->get_msk(this->method, &this->msk) == SUCCESS)
+				{
+					this->msk = chunk_clone(this->msk);
+				}
+				type = this->method->get_type(this->method, &vendor);
+				if (vendor)
+				{
+					DBG1(DBG_IKE, "EAP vendor specific method %d-%d succeeded, "
+						 "%sMSK established", type, vendor,
+						 this->msk.ptr ? "" : "no ");
+				}
+				else
+				{
+					DBG1(DBG_IKE, "EAP method %N succeeded, %sMSK established",
+						 eap_type_names, type, this->msk.ptr ? "" : "no ");
+				}
+				cfg = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
+				cfg->add(cfg, AUTH_RULE_EAP_TYPE, type);
+				if (vendor)
+				{
+					cfg->add(cfg, AUTH_RULE_EAP_VENDOR, vendor);
+				}
+				this->eap_complete = TRUE;
+				return NEED_MORE;
+			}
+			case EAP_FAILURE:
+			default:
+			{
+				DBG1(DBG_IKE, "received %N, EAP authentication failed",
+					 eap_code_names, eap_payload->get_code(eap_payload));
+				return FAILED;
+			}
+		}
+	}
+	return FAILED;
+}
+
+/**
+ * Implementation of authenticator_t.build for a client
+ */
+static status_t build_client(private_eap_authenticator_t *this,
+							 message_t *message)
+{
+	if (this->eap_payload)
+	{
+		message->add_payload(message, (payload_t*)this->eap_payload);
+		this->eap_payload = NULL;
+		return NEED_MORE;
+	}
+	if (this->eap_complete)
+	{
+		build_auth(this, message, this->received_nonce, this->sent_init);
+		return NEED_MORE;
+	}
+	return NEED_MORE;
+}
+
+/**
+ * Implementation of authenticator_t.is_mutual.
+ */
+static bool is_mutual(private_eap_authenticator_t *this)
+{
+	/* we don't know yet, but insist on it after EAP is complete */
+	this->require_mutual = TRUE;
+	return TRUE;
+}
+
+/**
+ * Implementation of authenticator_t.destroy.
+ */
+static void destroy(private_eap_authenticator_t *this)
+{
+	DESTROY_IF(this->method);
+	DESTROY_IF(this->eap_payload);
+	DESTROY_IF(this->eap_identity);
+	chunk_free(&this->msk);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+eap_authenticator_t *eap_authenticator_create_builder(ike_sa_t *ike_sa,
+									chunk_t received_nonce, chunk_t sent_nonce,
+									chunk_t received_init, chunk_t sent_init)
+{
+	private_eap_authenticator_t *this = malloc_thing(private_eap_authenticator_t);
+
+	this->public.authenticator.build = (status_t(*)(authenticator_t*, message_t *message))build_client;
+	this->public.authenticator.process = (status_t(*)(authenticator_t*, message_t *message))process_client;
+	this->public.authenticator.is_mutual = (bool(*)(authenticator_t*))is_mutual;
+	this->public.authenticator.destroy = (void(*)(authenticator_t*))destroy;
+
+	this->ike_sa = ike_sa;
+	this->received_init = received_init;
+	this->received_nonce = received_nonce;
+	this->sent_init = sent_init;
+	this->sent_nonce = sent_nonce;
+	this->msk = chunk_empty;
+	this->method = NULL;
+	this->eap_payload = NULL;
+	this->eap_complete = FALSE;
+	this->auth_complete = FALSE;
+	this->eap_identity = NULL;
+	this->require_mutual = FALSE;
+
+	return &this->public;
+}
+
+/*
+ * Described in header.
+ */
+eap_authenticator_t *eap_authenticator_create_verifier(ike_sa_t *ike_sa,
+									chunk_t received_nonce, chunk_t sent_nonce,
+									chunk_t received_init, chunk_t sent_init)
+{
+	private_eap_authenticator_t *this = malloc_thing(private_eap_authenticator_t);
+
+	this->public.authenticator.build = (status_t(*)(authenticator_t*, message_t *messageh))build_server;
+	this->public.authenticator.process = (status_t(*)(authenticator_t*, message_t *message))process_server;
+	this->public.authenticator.is_mutual = (bool(*)(authenticator_t*))is_mutual;
+	this->public.authenticator.destroy = (void(*)(authenticator_t*))destroy;
+
+	this->ike_sa = ike_sa;
+	this->received_init = received_init;
+	this->received_nonce = received_nonce;
+	this->sent_init = sent_init;
+	this->sent_nonce = sent_nonce;
+	this->msk = chunk_empty;
+	this->method = NULL;
+	this->eap_payload = NULL;
+	this->eap_complete = FALSE;
+	this->auth_complete = FALSE;
+	this->eap_identity = NULL;
+	this->require_mutual = FALSE;
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/sa/authenticators/eap_authenticator.h b/src/libcharon/sa/authenticators/eap_authenticator.h
new file mode 100644
index 000000000..41eb6a8c9
--- /dev/null
+++ b/src/libcharon/sa/authenticators/eap_authenticator.h
@@ -0,0 +1,98 @@
+/*
+ * Copyright (C) 2006-2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_authenticator eap_authenticator
+ * @{ @ingroup authenticators
+ */
+
+#ifndef EAP_AUTHENTICATOR_H_
+#define EAP_AUTHENTICATOR_H_
+
+typedef struct eap_authenticator_t eap_authenticator_t;
+
+#include <sa/authenticators/authenticator.h>
+
+/**
+ * Implementation of authenticator_t using EAP authentication.
+ *
+ * Authentication using EAP involves the most complex authenticator. It stays
+ * alive over multiple ike_auth transactions and handles multiple EAP
+ * messages.
+ *
+ * @verbatim
+                          ike_sa_init
+                   ------------------------->
+                   <-------------------------
+                 followed by multiple ike_auth:
+
+     +--------+                                +--------+
+     |  EAP   |       IDi, [IDr,] SA, TS       |  EAP   |
+     | client |  --------------------------->  | server |
+     |        |          ID, AUTH, EAP         |        |
+     |        |  <---------------------------  |        |
+     |        |              EAP               |        |
+     |        |  --------------------------->  |        |
+     |        |              EAP               |        |
+     |        |  <---------------------------  |        |
+     |        |              EAP               |        |
+     |        |  --------------------------->  |        |
+     |        |           EAP(SUCCESS)         |        |
+     |        |  <---------------------------  |        |
+     |        |              AUTH              |        |  If EAP establishes
+     |        |  --------------------------->  |        |  a session key, AUTH
+     |        |          AUTH, SA, TS          |        |  payloads use this
+     |        |  <---------------------------  |        |  key, not SK_pi/pr
+     +--------+                                +--------+
+
+   @endverbatim
+ */
+struct eap_authenticator_t {
+
+	/**
+	 * Implemented authenticator_t interface.
+	 */
+	authenticator_t authenticator;
+};
+
+/**
+ * Create an authenticator to authenticate against an EAP server.
+ *
+ * @param ike_sa			associated ike_sa
+ * @param received_nonce	nonce received in IKE_SA_INIT
+ * @param sent_nonce		nonce sent in IKE_SA_INIT
+ * @param received_init		received IKE_SA_INIT message data
+ * @param sent_init			sent IKE_SA_INIT message data
+ * @return					EAP authenticator
+ */
+eap_authenticator_t *eap_authenticator_create_builder(ike_sa_t *ike_sa,
+									chunk_t received_nonce, chunk_t sent_nonce,
+									chunk_t received_init, chunk_t sent_init);
+
+/**
+ * Create an authenticator to authenticate EAP clients.
+ *
+ * @param ike_sa			associated ike_sa
+ * @param received_nonce	nonce received in IKE_SA_INIT
+ * @param sent_nonce		nonce sent in IKE_SA_INIT
+ * @param received_init		received IKE_SA_INIT message data
+ * @param sent_init			sent IKE_SA_INIT message data
+ * @return					EAP authenticator
+ */
+eap_authenticator_t *eap_authenticator_create_verifier(ike_sa_t *ike_sa,
+									chunk_t received_nonce, chunk_t sent_nonce,
+									chunk_t received_init, chunk_t sent_init);
+
+#endif /** EAP_AUTHENTICATOR_H_ @}*/
diff --git a/src/libcharon/sa/authenticators/psk_authenticator.c b/src/libcharon/sa/authenticators/psk_authenticator.c
new file mode 100644
index 000000000..67197d690
--- /dev/null
+++ b/src/libcharon/sa/authenticators/psk_authenticator.c
@@ -0,0 +1,201 @@
+/*
+ * Copyright (C) 2005-2009 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "psk_authenticator.h"
+
+#include <daemon.h>
+#include <encoding/payloads/auth_payload.h>
+
+typedef struct private_psk_authenticator_t private_psk_authenticator_t;
+
+/**
+ * Private data of an psk_authenticator_t object.
+ */
+struct private_psk_authenticator_t {
+
+	/**
+	 * Public authenticator_t interface.
+	 */
+	psk_authenticator_t public;
+
+	/**
+	 * Assigned IKE_SA
+	 */
+	ike_sa_t *ike_sa;
+
+	/**
+	 * nonce to include in AUTH calculation
+	 */
+	chunk_t nonce;
+
+	/**
+	 * IKE_SA_INIT message data to include in AUTH calculation
+	 */
+	chunk_t ike_sa_init;
+};
+
+/*
+ * Implementation of authenticator_t.build for builder
+ */
+static status_t build(private_psk_authenticator_t *this, message_t *message)
+{
+	identification_t *my_id, *other_id;
+	auth_payload_t *auth_payload;
+	shared_key_t *key;
+	chunk_t auth_data;
+	keymat_t *keymat;
+
+	keymat = this->ike_sa->get_keymat(this->ike_sa);
+	my_id = this->ike_sa->get_my_id(this->ike_sa);
+	other_id = this->ike_sa->get_other_id(this->ike_sa);
+	DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N",
+		 my_id, auth_method_names, AUTH_PSK);
+	key = charon->credentials->get_shared(charon->credentials, SHARED_IKE,
+										  my_id, other_id);
+	if (key == NULL)
+	{
+		DBG1(DBG_IKE, "no shared key found for '%Y' - '%Y'", my_id, other_id);
+		return NOT_FOUND;
+	}
+	auth_data = keymat->get_psk_sig(keymat, FALSE, this->ike_sa_init,
+									this->nonce, key->get_key(key), my_id);
+	key->destroy(key);
+	DBG2(DBG_IKE, "successfully created shared key MAC");
+	auth_payload = auth_payload_create();
+	auth_payload->set_auth_method(auth_payload, AUTH_PSK);
+	auth_payload->set_data(auth_payload, auth_data);
+	chunk_free(&auth_data);
+	message->add_payload(message, (payload_t*)auth_payload);
+
+	return SUCCESS;
+}
+
+/**
+ * Implementation of authenticator_t.process for verifier
+ */
+static status_t process(private_psk_authenticator_t *this, message_t *message)
+{
+	chunk_t auth_data, recv_auth_data;
+	identification_t *my_id, *other_id;
+	auth_payload_t *auth_payload;
+	auth_cfg_t *auth;
+	shared_key_t *key;
+	enumerator_t *enumerator;
+	bool authenticated = FALSE;
+	int keys_found = 0;
+	keymat_t *keymat;
+
+	auth_payload = (auth_payload_t*)message->get_payload(message, AUTHENTICATION);
+	if (!auth_payload)
+	{
+		return FAILED;
+	}
+	keymat = this->ike_sa->get_keymat(this->ike_sa);
+	recv_auth_data = auth_payload->get_data(auth_payload);
+	my_id = this->ike_sa->get_my_id(this->ike_sa);
+	other_id = this->ike_sa->get_other_id(this->ike_sa);
+	enumerator = charon->credentials->create_shared_enumerator(
+							charon->credentials, SHARED_IKE, my_id, other_id);
+	while (!authenticated && enumerator->enumerate(enumerator, &key, NULL, NULL))
+	{
+		keys_found++;
+
+		auth_data = keymat->get_psk_sig(keymat, TRUE, this->ike_sa_init,
+									this->nonce, key->get_key(key), other_id);
+		if (auth_data.len && chunk_equals(auth_data, recv_auth_data))
+		{
+			DBG1(DBG_IKE, "authentication of '%Y' with %N successful",
+				 other_id, auth_method_names, AUTH_PSK);
+			authenticated = TRUE;
+		}
+		chunk_free(&auth_data);
+	}
+	enumerator->destroy(enumerator);
+
+	if (!authenticated)
+	{
+		if (keys_found == 0)
+		{
+			DBG1(DBG_IKE, "no shared key found for '%Y' - '%Y'", my_id, other_id);
+			return NOT_FOUND;
+		}
+		DBG1(DBG_IKE, "tried %d shared key%s for '%Y' - '%Y', but MAC mismatched",
+			 keys_found, keys_found == 1 ? "" : "s", my_id, other_id);
+		return FAILED;
+	}
+
+	auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
+	auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PSK);
+	return SUCCESS;
+}
+
+/**
+ * Implementation of authenticator_t.process for builder
+ * Implementation of authenticator_t.build for verifier
+ */
+static status_t return_failed()
+{
+	return FAILED;
+}
+
+/**
+ * Implementation of authenticator_t.destroy.
+ */
+static void destroy(private_psk_authenticator_t *this)
+{
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+psk_authenticator_t *psk_authenticator_create_builder(ike_sa_t *ike_sa,
+									chunk_t received_nonce, chunk_t sent_init)
+{
+	private_psk_authenticator_t *this = malloc_thing(private_psk_authenticator_t);
+
+	this->public.authenticator.build = (status_t(*)(authenticator_t*, message_t *message))build;
+	this->public.authenticator.process = (status_t(*)(authenticator_t*, message_t *message))return_failed;
+	this->public.authenticator.is_mutual = (bool(*)(authenticator_t*))return_false;
+	this->public.authenticator.destroy = (void(*)(authenticator_t*))destroy;
+
+	this->ike_sa = ike_sa;
+	this->ike_sa_init = sent_init;
+	this->nonce = received_nonce;
+
+	return &this->public;
+}
+
+/*
+ * Described in header.
+ */
+psk_authenticator_t *psk_authenticator_create_verifier(ike_sa_t *ike_sa,
+									chunk_t sent_nonce, chunk_t received_init)
+{
+	private_psk_authenticator_t *this = malloc_thing(private_psk_authenticator_t);
+
+	this->public.authenticator.build = (status_t(*)(authenticator_t*, message_t *messageh))return_failed;
+	this->public.authenticator.process = (status_t(*)(authenticator_t*, message_t *message))process;
+	this->public.authenticator.is_mutual = (bool(*)(authenticator_t*))return_false;
+	this->public.authenticator.destroy = (void(*)(authenticator_t*))destroy;
+
+	this->ike_sa = ike_sa;
+	this->ike_sa_init = received_init;
+	this->nonce = sent_nonce;
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/sa/authenticators/psk_authenticator.h b/src/libcharon/sa/authenticators/psk_authenticator.h
new file mode 100644
index 000000000..0fab11095
--- /dev/null
+++ b/src/libcharon/sa/authenticators/psk_authenticator.h
@@ -0,0 +1,61 @@
+/*
+ * Copyright (C) 2006-2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup psk_authenticator psk_authenticator
+ * @{ @ingroup authenticators
+ */
+
+#ifndef PSK_AUTHENTICATOR_H_
+#define PSK_AUTHENTICATOR_H_
+
+typedef struct psk_authenticator_t psk_authenticator_t;
+
+#include <sa/authenticators/authenticator.h>
+
+/**
+ * Implementation of authenticator_t using pre-shared keys.
+ */
+struct psk_authenticator_t {
+
+	/**
+	 * Implemented authenticator_t interface.
+	 */
+	authenticator_t authenticator;
+};
+
+/**
+ * Create an authenticator to build PSK signatures.
+ *
+ * @param ike_sa			associated ike_sa
+ * @param received_nonce	nonce received in IKE_SA_INIT
+ * @param sent_init			sent IKE_SA_INIT message data
+ * @return					PSK authenticator
+ */
+psk_authenticator_t *psk_authenticator_create_builder(ike_sa_t *ike_sa,
+									chunk_t received_nonce, chunk_t sent_init);
+
+/**
+ * Create an authenticator to verify PSK signatures.
+ *
+ * @param ike_sa			associated ike_sa
+ * @param sent_nonce		nonce sent in IKE_SA_INIT
+ * @param received_init		received IKE_SA_INIT message data
+ * @return					PSK authenticator
+ */
+psk_authenticator_t *psk_authenticator_create_verifier(ike_sa_t *ike_sa,
+									chunk_t sent_nonce, chunk_t received_init);
+
+#endif /** PSK_AUTHENTICATOR_H_ @}*/
diff --git a/src/libcharon/sa/authenticators/pubkey_authenticator.c b/src/libcharon/sa/authenticators/pubkey_authenticator.c
new file mode 100644
index 000000000..f1dca2702
--- /dev/null
+++ b/src/libcharon/sa/authenticators/pubkey_authenticator.c
@@ -0,0 +1,265 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2005-2009 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "pubkey_authenticator.h"
+
+#include <daemon.h>
+#include <encoding/payloads/auth_payload.h>
+
+typedef struct private_pubkey_authenticator_t private_pubkey_authenticator_t;
+
+/**
+ * Private data of an pubkey_authenticator_t object.
+ */
+struct private_pubkey_authenticator_t {
+
+	/**
+	 * Public authenticator_t interface.
+	 */
+	pubkey_authenticator_t public;
+
+	/**
+	 * Assigned IKE_SA
+	 */
+	ike_sa_t *ike_sa;
+
+	/**
+	 * nonce to include in AUTH calculation
+	 */
+	chunk_t nonce;
+
+	/**
+	 * IKE_SA_INIT message data to include in AUTH calculation
+	 */
+	chunk_t ike_sa_init;
+};
+
+/**
+ * Implementation of authenticator_t.build for builder
+ */
+static status_t build(private_pubkey_authenticator_t *this, message_t *message)
+{
+	chunk_t octets, auth_data;
+	status_t status = FAILED;
+	private_key_t *private;
+	identification_t *id;
+	auth_cfg_t *auth;
+	auth_payload_t *auth_payload;
+	auth_method_t auth_method;
+	signature_scheme_t scheme;
+	keymat_t *keymat;
+
+	id = this->ike_sa->get_my_id(this->ike_sa);
+	auth = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
+	private = charon->credentials->get_private(charon->credentials, KEY_ANY,
+											   id, auth);
+	if (private == NULL)
+	{
+		DBG1(DBG_IKE, "no private key found for '%Y'", id);
+		return NOT_FOUND;
+	}
+
+	switch (private->get_type(private))
+	{
+		case KEY_RSA:
+			/* we currently use always SHA1 for signatures,
+			 * TODO: support other hashes depending on configuration/auth */
+			scheme = SIGN_RSA_EMSA_PKCS1_SHA1;
+			auth_method = AUTH_RSA;
+			break;
+		case KEY_ECDSA:
+			/* we try to deduct the signature scheme from the keysize */
+			switch (private->get_keysize(private))
+			{
+				case 32:
+					scheme = SIGN_ECDSA_256;
+					auth_method = AUTH_ECDSA_256;
+					break;
+				case 48:
+					scheme = SIGN_ECDSA_384;
+					auth_method = AUTH_ECDSA_384;
+					break;
+				case 66:
+					scheme = SIGN_ECDSA_521;
+					auth_method = AUTH_ECDSA_521;
+					break;
+				default:
+					DBG1(DBG_IKE, "%d bit ECDSA private key size not supported",
+							private->get_keysize(private));
+					return status;
+			}
+			break;
+		default:
+			DBG1(DBG_IKE, "private key of type %N not supported",
+					key_type_names, private->get_type(private));
+			return status;
+	}
+	keymat = this->ike_sa->get_keymat(this->ike_sa);
+	octets = keymat->get_auth_octets(keymat, FALSE, this->ike_sa_init,
+									 this->nonce, id);
+	if (private->sign(private, scheme, octets, &auth_data))
+	{
+		auth_payload = auth_payload_create();
+		auth_payload->set_auth_method(auth_payload, auth_method);
+		auth_payload->set_data(auth_payload, auth_data);
+		chunk_free(&auth_data);
+		message->add_payload(message, (payload_t*)auth_payload);
+		status = SUCCESS;
+	}
+	DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N %s", id,
+		 auth_method_names, auth_method,
+		 (status == SUCCESS)? "successful":"failed");
+	chunk_free(&octets);
+	private->destroy(private);
+
+	return status;
+}
+
+/**
+ * Implementation of authenticator_t.process for verifier
+ */
+static status_t process(private_pubkey_authenticator_t *this, message_t *message)
+{
+	public_key_t *public;
+	auth_method_t auth_method;
+	auth_payload_t *auth_payload;
+	chunk_t auth_data, octets;
+	identification_t *id;
+	auth_cfg_t *auth, *current_auth;
+	enumerator_t *enumerator;
+	key_type_t key_type = KEY_ECDSA;
+	signature_scheme_t scheme;
+	status_t status = NOT_FOUND;
+	keymat_t *keymat;
+
+	auth_payload = (auth_payload_t*)message->get_payload(message, AUTHENTICATION);
+	if (!auth_payload)
+	{
+		return FAILED;
+	}
+	auth_method = auth_payload->get_auth_method(auth_payload);
+	switch (auth_method)
+	{
+		case AUTH_RSA:
+			/* We currently accept SHA1 signatures only
+			 * TODO: allow other hash algorithms and note it in "auth" */
+			key_type = KEY_RSA;
+			scheme = SIGN_RSA_EMSA_PKCS1_SHA1;
+			break;
+		case AUTH_ECDSA_256:
+			scheme = SIGN_ECDSA_256;
+			break;
+		case AUTH_ECDSA_384:
+			scheme = SIGN_ECDSA_384;
+			break;
+		case AUTH_ECDSA_521:
+			scheme = SIGN_ECDSA_521;
+			break;
+		default:
+			return INVALID_ARG;
+	}
+	auth_data = auth_payload->get_data(auth_payload);
+	id = this->ike_sa->get_other_id(this->ike_sa);
+	keymat = this->ike_sa->get_keymat(this->ike_sa);
+	octets = keymat->get_auth_octets(keymat, TRUE, this->ike_sa_init,
+									 this->nonce, id);
+	auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
+	enumerator = charon->credentials->create_public_enumerator(
+										charon->credentials, key_type, id, auth);
+	while (enumerator->enumerate(enumerator, &public, &current_auth))
+	{
+		if (public->verify(public, scheme, octets, auth_data))
+		{
+			DBG1(DBG_IKE, "authentication of '%Y' with %N successful",
+						   id, auth_method_names, auth_method);
+			status = SUCCESS;
+			auth->merge(auth, current_auth, FALSE);
+			auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
+			break;
+		}
+		else
+		{
+			status = FAILED;
+			DBG1(DBG_IKE, "signature validation failed, looking for another key");
+		}
+	}
+	enumerator->destroy(enumerator);
+	chunk_free(&octets);
+	if (status == NOT_FOUND)
+	{
+		DBG1(DBG_IKE, "no trusted %N public key found for '%Y'",
+			 key_type_names, key_type, id);
+	}
+	return status;
+}
+
+/**
+ * Implementation of authenticator_t.process for builder
+ * Implementation of authenticator_t.build for verifier
+ */
+static status_t return_failed()
+{
+	return FAILED;
+}
+
+/**
+ * Implementation of authenticator_t.destroy.
+ */
+static void destroy(private_pubkey_authenticator_t *this)
+{
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+pubkey_authenticator_t *pubkey_authenticator_create_builder(ike_sa_t *ike_sa,
+									chunk_t received_nonce, chunk_t sent_init)
+{
+	private_pubkey_authenticator_t *this = malloc_thing(private_pubkey_authenticator_t);
+
+	this->public.authenticator.build = (status_t(*)(authenticator_t*, message_t *message))build;
+	this->public.authenticator.process = (status_t(*)(authenticator_t*, message_t *message))return_failed;
+	this->public.authenticator.is_mutual = (bool(*)(authenticator_t*))return_false;
+	this->public.authenticator.destroy = (void(*)(authenticator_t*))destroy;
+
+	this->ike_sa = ike_sa;
+	this->ike_sa_init = sent_init;
+	this->nonce = received_nonce;
+
+	return &this->public;
+}
+
+/*
+ * Described in header.
+ */
+pubkey_authenticator_t *pubkey_authenticator_create_verifier(ike_sa_t *ike_sa,
+									chunk_t sent_nonce, chunk_t received_init)
+{
+	private_pubkey_authenticator_t *this = malloc_thing(private_pubkey_authenticator_t);
+
+	this->public.authenticator.build = (status_t(*)(authenticator_t*, message_t *message))return_failed;
+	this->public.authenticator.process = (status_t(*)(authenticator_t*, message_t *message))process;
+	this->public.authenticator.is_mutual = (bool(*)(authenticator_t*))return_false;
+	this->public.authenticator.destroy = (void(*)(authenticator_t*))destroy;
+
+	this->ike_sa = ike_sa;
+	this->ike_sa_init = received_init;
+	this->nonce = sent_nonce;
+
+	return &this->public;
+}
diff --git a/src/libcharon/sa/authenticators/pubkey_authenticator.h b/src/libcharon/sa/authenticators/pubkey_authenticator.h
new file mode 100644
index 000000000..be369cb89
--- /dev/null
+++ b/src/libcharon/sa/authenticators/pubkey_authenticator.h
@@ -0,0 +1,62 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2006-2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pubkey_authenticator pubkey_authenticator
+ * @{ @ingroup authenticators
+ */
+
+#ifndef PUBKEY_AUTHENTICATOR_H_
+#define PUBKEY_AUTHENTICATOR_H_
+
+typedef struct pubkey_authenticator_t pubkey_authenticator_t;
+
+#include <sa/authenticators/authenticator.h>
+
+/**
+ * Implementation of authenticator_t using public key authenitcation.
+ */
+struct pubkey_authenticator_t {
+
+	/**
+	 * Implemented authenticator_t interface.
+	 */
+	authenticator_t authenticator;
+};
+
+/**
+ * Create an authenticator to build public key signatures.
+ *
+ * @param ike_sa			associated ike_sa
+ * @param received_nonce	nonce received in IKE_SA_INIT
+ * @param sent_init			sent IKE_SA_INIT message data
+ * @return					public key authenticator
+ */
+pubkey_authenticator_t *pubkey_authenticator_create_builder(ike_sa_t *ike_sa,
+									chunk_t received_nonce, chunk_t sent_init);
+
+/**
+ * Create an authenticator to verify public key signatures.
+ *
+ * @param ike_sa			associated ike_sa
+ * @param sent_nonce		nonce sent in IKE_SA_INIT
+ * @param received_init		received IKE_SA_INIT message data
+ * @return					public key authenticator
+ */
+pubkey_authenticator_t *pubkey_authenticator_create_verifier(ike_sa_t *ike_sa,
+									chunk_t sent_nonce, chunk_t received_init);
+
+#endif /** PUBKEY_AUTHENTICATOR_H_ @}*/
diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c
new file mode 100644
index 000000000..3fdfb51ad
--- /dev/null
+++ b/src/libcharon/sa/child_sa.c
@@ -0,0 +1,1015 @@
+/*
+ * Copyright (C) 2006-2009 Tobias Brunner
+ * Copyright (C) 2005-2008 Martin Willi
+ * Copyright (C) 2006 Daniel Roethlisberger
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#define _GNU_SOURCE
+#include "child_sa.h"
+
+#include <stdio.h>
+#include <string.h>
+#include <time.h>
+
+#include <daemon.h>
+
+ENUM(child_sa_state_names, CHILD_CREATED, CHILD_DESTROYING,
+	"CREATED",
+	"ROUTED",
+	"INSTALLING",
+	"INSTALLED",
+	"UPDATING",
+	"REKEYING",
+	"DELETING",
+	"DESTROYING",
+);
+
+typedef struct private_child_sa_t private_child_sa_t;
+
+/**
+ * Private data of a child_sa_t object.
+ */
+struct private_child_sa_t {
+	/**
+	 * Public interface of child_sa_t.
+	 */
+	child_sa_t public;
+
+	/**
+	 * address of us
+	 */
+	host_t *my_addr;
+
+	/**
+	 * address of remote
+	 */
+	host_t *other_addr;
+
+	/**
+	 * our actually used SPI, 0 if unused
+	 */
+	u_int32_t my_spi;
+
+	/**
+	 * others used SPI, 0 if unused
+	 */
+	u_int32_t other_spi;
+
+	/**
+	 * our Compression Parameter Index (CPI) used, 0 if unused
+	 */
+	u_int16_t my_cpi;
+
+	/**
+	 * others Compression Parameter Index (CPI) used, 0 if unused
+	 */
+	u_int16_t other_cpi;
+
+	/**
+	 * List for local traffic selectors
+	 */
+	linked_list_t *my_ts;
+
+	/**
+	 * List for remote traffic selectors
+	 */
+	linked_list_t *other_ts;
+
+	/**
+	 * Protocol used to protect this SA, ESP|AH
+	 */
+	protocol_id_t protocol;
+
+	/**
+	 * reqid used for this child_sa
+	 */
+	u_int32_t reqid;
+
+	/**
+	 * absolute time when rekeying is scheduled
+	 */
+	time_t rekey_time;
+
+	/**
+	 * absolute time when the SA expires
+	 */
+	time_t expire_time;
+
+	/**
+	 * state of the CHILD_SA
+	 */
+	child_sa_state_t state;
+
+	/**
+	 * Specifies if UDP encapsulation is enabled (NAT traversal)
+	 */
+	bool encap;
+
+	/**
+	 * Specifies the IPComp transform used (IPCOMP_NONE if disabled)
+	 */
+	ipcomp_transform_t ipcomp;
+
+	/**
+	 * mode this SA uses, tunnel/transport
+	 */
+	ipsec_mode_t mode;
+
+	/**
+	 * selected proposal
+	 */
+	proposal_t *proposal;
+
+	/**
+	 * config used to create this child
+	 */
+	child_cfg_t *config;
+
+	/**
+	 * time of last use in seconds (inbound)
+	 */
+	u_int32_t my_usetime;
+
+	/**
+	 * time of last use in seconds (outbound)
+	 */
+	u_int32_t other_usetime;
+
+	/**
+	 * last number of inbound bytes
+	 */
+	u_int64_t my_usebytes;
+
+	/**
+	 * last number of outbound bytes
+	 */
+	u_int64_t other_usebytes;
+};
+
+/**
+ * Implementation of child_sa_t.get_name
+ */
+static char *get_name(private_child_sa_t *this)
+{
+	return this->config->get_name(this->config);
+}
+
+/**
+ * Implements child_sa_t.get_reqid
+ */
+static u_int32_t get_reqid(private_child_sa_t *this)
+{
+	return this->reqid;
+}
+
+/**
+ * Implements child_sa_t.get_config
+ */
+static child_cfg_t* get_config(private_child_sa_t *this)
+{
+	return this->config;
+}
+
+/**
+ * Implements child_sa_t.set_state
+ */
+static void set_state(private_child_sa_t *this, child_sa_state_t state)
+{
+	charon->bus->child_state_change(charon->bus, &this->public, state);
+	this->state = state;
+}
+
+/**
+ * Implements child_sa_t.get_state
+ */
+static child_sa_state_t get_state(private_child_sa_t *this)
+{
+	return this->state;
+}
+
+/**
+ * Implements child_sa_t.get_spi
+ */
+u_int32_t get_spi(private_child_sa_t *this, bool inbound)
+{
+	return inbound ? this->my_spi : this->other_spi;
+}
+
+/**
+ * Implements child_sa_t.get_cpi
+ */
+u_int16_t get_cpi(private_child_sa_t *this, bool inbound)
+{
+	return inbound ? this->my_cpi : this->other_cpi;
+}
+
+/**
+ * Implements child_sa_t.get_protocol
+ */
+protocol_id_t get_protocol(private_child_sa_t *this)
+{
+	return this->protocol;
+}
+
+/**
+ * Implementation of child_sa_t.set_protocol
+ */
+static void set_protocol(private_child_sa_t *this, protocol_id_t protocol)
+{
+	this->protocol = protocol;
+}
+
+/**
+ * Implementation of child_sa_t.get_mode
+ */
+static ipsec_mode_t get_mode(private_child_sa_t *this)
+{
+	return this->mode;
+}
+
+/**
+ * Implementation of child_sa_t.set_mode
+ */
+static void set_mode(private_child_sa_t *this, ipsec_mode_t mode)
+{
+	this->mode = mode;
+}
+
+/**
+ * Implementation of child_sa_t.has_encap
+ */
+static bool has_encap(private_child_sa_t *this)
+{
+	return this->encap;
+}
+
+/**
+ * Implementation of child_sa_t.get_ipcomp
+ */
+static ipcomp_transform_t get_ipcomp(private_child_sa_t *this)
+{
+	return this->ipcomp;
+}
+
+/**
+ * Implementation of child_sa_t.set_ipcomp.
+ */
+static void set_ipcomp(private_child_sa_t *this, ipcomp_transform_t ipcomp)
+{
+	this->ipcomp = ipcomp;
+}
+
+/**
+ * Implementation of child_sa_t.get_proposal
+ */
+static proposal_t* get_proposal(private_child_sa_t *this)
+{
+	return this->proposal;
+}
+
+/**
+ * Implementation of child_sa_t.set_proposal
+ */
+static void set_proposal(private_child_sa_t *this, proposal_t *proposal)
+{
+	this->proposal = proposal->clone(proposal);
+}
+
+/**
+ * Implementation of child_sa_t.get_traffic_selectors.
+ */
+static linked_list_t *get_traffic_selectors(private_child_sa_t *this, bool local)
+{
+	return local ? this->my_ts : this->other_ts;
+}
+
+typedef struct policy_enumerator_t policy_enumerator_t;
+
+/**
+ * Private policy enumerator
+ */
+struct policy_enumerator_t {
+	/** implements enumerator_t */
+	enumerator_t public;
+	/** enumerator over own TS */
+	enumerator_t *mine;
+	/** enumerator over others TS */
+	enumerator_t *other;
+	/** list of others TS, to recreate enumerator */
+	linked_list_t *list;
+	/** currently enumerating TS for "me" side */
+	traffic_selector_t *ts;
+};
+
+/**
+ * enumerator function of create_policy_enumerator()
+ */
+static bool policy_enumerate(policy_enumerator_t *this,
+				 traffic_selector_t **my_out, traffic_selector_t **other_out)
+{
+	traffic_selector_t *other_ts;
+
+	while (this->ts || this->mine->enumerate(this->mine, &this->ts))
+	{
+		if (!this->other->enumerate(this->other, &other_ts))
+		{	/* end of others list, restart with new of mine */
+			this->other->destroy(this->other);
+			this->other = this->list->create_enumerator(this->list);
+			this->ts = NULL;
+			continue;
+		}
+		if (this->ts->get_type(this->ts) != other_ts->get_type(other_ts))
+		{	/* family mismatch */
+			continue;
+		}
+		if (this->ts->get_protocol(this->ts) &&
+			other_ts->get_protocol(other_ts) &&
+			this->ts->get_protocol(this->ts) != other_ts->get_protocol(other_ts))
+		{	/* protocol mismatch */
+			continue;
+		}
+		*my_out = this->ts;
+		*other_out = other_ts;
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/**
+ * destroy function of create_policy_enumerator()
+ */
+static void policy_destroy(policy_enumerator_t *this)
+{
+	this->mine->destroy(this->mine);
+	this->other->destroy(this->other);
+	free(this);
+}
+
+/**
+ * Implementation of child_sa_t.create_policy_enumerator
+ */
+static enumerator_t* create_policy_enumerator(private_child_sa_t *this)
+{
+	policy_enumerator_t *e = malloc_thing(policy_enumerator_t);
+
+	e->public.enumerate = (void*)policy_enumerate;
+	e->public.destroy = (void*)policy_destroy;
+	e->mine = this->my_ts->create_enumerator(this->my_ts);
+	e->other = this->other_ts->create_enumerator(this->other_ts);
+	e->list = this->other_ts;
+	e->ts = NULL;
+
+	return &e->public;
+}
+
+/**
+ * update the cached usebytes
+ * returns SUCCESS if the usebytes have changed, FAILED if not or no SPIs
+ * are available, and NOT_SUPPORTED if the kernel interface does not support
+ * querying the usebytes.
+ */
+static status_t update_usebytes(private_child_sa_t *this, bool inbound)
+{
+	status_t status = FAILED;
+	u_int64_t bytes;
+
+	if (inbound)
+	{
+		if (this->my_spi)
+		{
+			status = charon->kernel_interface->query_sa(
+									charon->kernel_interface,
+									this->other_addr, this->my_addr,
+									this->my_spi, this->protocol, &bytes);
+			if (status == SUCCESS)
+			{
+				if (bytes > this->my_usebytes)
+				{
+					this->my_usebytes = bytes;
+					return SUCCESS;
+				}
+				return FAILED;
+			}
+		}
+	}
+	else
+	{
+		if (this->other_spi)
+		{
+			status = charon->kernel_interface->query_sa(
+									charon->kernel_interface,
+									this->my_addr, this->other_addr,
+									this->other_spi, this->protocol, &bytes);
+			if (status == SUCCESS)
+			{
+				if (bytes > this->other_usebytes)
+				{
+					this->other_usebytes = bytes;
+					return SUCCESS;
+				}
+				return FAILED;
+			}
+		}
+	}
+	return status;
+}
+
+/**
+ * updates the cached usetime
+ */
+static void update_usetime(private_child_sa_t *this, bool inbound)
+{
+	enumerator_t *enumerator;
+	traffic_selector_t *my_ts, *other_ts;
+	u_int32_t last_use = 0;
+
+	enumerator = create_policy_enumerator(this);
+	while (enumerator->enumerate(enumerator, &my_ts, &other_ts))
+	{
+		u_int32_t in, out, fwd;
+
+		if (inbound)
+		{
+			if (charon->kernel_interface->query_policy(charon->kernel_interface,
+								other_ts, my_ts, POLICY_IN, &in) == SUCCESS)
+			{
+				last_use = max(last_use, in);
+			}
+			if (this->mode != MODE_TRANSPORT)
+			{
+				if (charon->kernel_interface->query_policy(charon->kernel_interface,
+								other_ts, my_ts, POLICY_FWD, &fwd) == SUCCESS)
+				{
+					last_use = max(last_use, fwd);
+				}
+			}
+		}
+		else
+		{
+			if (charon->kernel_interface->query_policy(charon->kernel_interface,
+								my_ts, other_ts, POLICY_OUT, &out) == SUCCESS)
+			{
+				last_use = max(last_use, out);
+			}
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	if (last_use == 0)
+	{
+		return;
+	}
+	if (inbound)
+	{
+		this->my_usetime = last_use;
+	}
+	else
+	{
+		this->other_usetime = last_use;
+	}
+}
+
+/**
+ * Implementation of child_sa_t.get_usestats
+ */
+static void get_usestats(private_child_sa_t *this, bool inbound,
+						 time_t *time, u_int64_t *bytes)
+{
+	if (update_usebytes(this, inbound) != FAILED)
+	{
+		/* there was traffic since last update or the kernel interface
+		 * does not support querying the number of usebytes.
+		 */
+		update_usetime(this, inbound);
+	}
+	if (time)
+	{
+		*time = inbound ? this->my_usetime : this->other_usetime;
+	}
+	if (bytes)
+	{
+		*bytes = inbound ? this->my_usebytes : this->other_usebytes;
+	}
+}
+
+/**
+ * Implementation of child_sa_t.get_lifetime
+ */
+static time_t get_lifetime(private_child_sa_t *this, bool hard)
+{
+	return hard ? this->expire_time : this->rekey_time;
+}
+
+/**
+ * Implementation of child_sa_t.alloc_spi
+ */
+static u_int32_t alloc_spi(private_child_sa_t *this, protocol_id_t protocol)
+{
+	if (charon->kernel_interface->get_spi(charon->kernel_interface,
+							this->other_addr, this->my_addr, protocol,
+							this->reqid, &this->my_spi) == SUCCESS)
+	{
+		return this->my_spi;
+	}
+	return 0;
+}
+
+/**
+ * Implementation of child_sa_t.alloc_cpi
+ */
+static u_int16_t alloc_cpi(private_child_sa_t *this)
+{
+	if (charon->kernel_interface->get_cpi(charon->kernel_interface,
+					this->other_addr, this->my_addr, this->reqid,
+					&this->my_cpi) == SUCCESS)
+	{
+		return this->my_cpi;
+	}
+	return 0;
+}
+
+/**
+ * Implementation of child_sa_t.install
+ */
+static status_t install(private_child_sa_t *this, chunk_t encr, chunk_t integ,
+						u_int32_t spi, u_int16_t cpi, bool inbound,
+						linked_list_t *my_ts, linked_list_t *other_ts)
+{
+	u_int16_t enc_alg = ENCR_UNDEFINED, int_alg = AUTH_UNDEFINED, size;
+	traffic_selector_t *src_ts = NULL, *dst_ts = NULL;
+	time_t now;
+	lifetime_cfg_t *lifetime;
+	host_t *src, *dst;
+	status_t status;
+	bool update = FALSE;
+
+	/* now we have to decide which spi to use. Use self allocated, if "in",
+	 * or the one in the proposal, if not "in" (others). Additionally,
+	 * source and dest host switch depending on the role */
+	if (inbound)
+	{
+		dst = this->my_addr;
+		src = this->other_addr;
+		if (this->my_spi == spi)
+		{	/* alloc_spi has been called, do an SA update */
+			update = TRUE;
+		}
+		this->my_spi = spi;
+		this->my_cpi = cpi;
+	}
+	else
+	{
+		src = this->my_addr;
+		dst = this->other_addr;
+		this->other_spi = spi;
+		this->other_cpi = cpi;
+	}
+
+	DBG2(DBG_CHD, "adding %s %N SA", inbound ? "inbound" : "outbound",
+		 protocol_id_names, this->protocol);
+
+	/* send SA down to the kernel */
+	DBG2(DBG_CHD, "  SPI 0x%.8x, src %H dst %H", ntohl(spi), src, dst);
+
+	this->proposal->get_algorithm(this->proposal, ENCRYPTION_ALGORITHM,
+								  &enc_alg, &size);
+	this->proposal->get_algorithm(this->proposal, INTEGRITY_ALGORITHM,
+								  &int_alg, &size);
+
+	lifetime = this->config->get_lifetime(this->config);
+
+	now = time_monotonic(NULL);
+	if (lifetime->time.rekey)
+	{
+		this->rekey_time = now + lifetime->time.rekey;
+	}
+	if (lifetime->time.life)
+	{
+		this->expire_time = now + lifetime->time.life;
+	}
+
+	if (!lifetime->time.jitter && !inbound)
+	{	/* avoid triggering multiple rekey events */
+		lifetime->time.rekey = 0;
+	}
+
+	if (this->mode == MODE_BEET)
+	{
+		/* BEET requires the bound address from the traffic selectors.
+		 * TODO: We add just the first traffic selector for now, as the
+		 * kernel accepts a single TS per SA only */
+		if (inbound)
+		{
+			my_ts->get_first(my_ts, (void**)&dst_ts);
+			other_ts->get_first(other_ts, (void**)&src_ts);
+		}
+		else
+		{
+			my_ts->get_first(my_ts, (void**)&src_ts);
+			other_ts->get_first(other_ts, (void**)&dst_ts);
+		}
+	}
+
+	status = charon->kernel_interface->add_sa(charon->kernel_interface,
+				src, dst, spi, this->protocol, this->reqid, lifetime,
+				enc_alg, encr, int_alg, integ, this->mode, this->ipcomp, cpi,
+				this->encap, update, src_ts, dst_ts);
+
+	free(lifetime);
+
+	return status;
+}
+
+/**
+ * Implementation of child_sa_t.add_policies
+ */
+static status_t add_policies(private_child_sa_t *this,
+					linked_list_t *my_ts_list, linked_list_t *other_ts_list)
+{
+	enumerator_t *enumerator;
+	traffic_selector_t *my_ts, *other_ts;
+	status_t status = SUCCESS;
+	bool routed = (this->state == CHILD_CREATED);
+
+	/* apply traffic selectors */
+	enumerator = my_ts_list->create_enumerator(my_ts_list);
+	while (enumerator->enumerate(enumerator, &my_ts))
+	{
+		this->my_ts->insert_last(this->my_ts, my_ts->clone(my_ts));
+	}
+	enumerator->destroy(enumerator);
+	enumerator = other_ts_list->create_enumerator(other_ts_list);
+	while (enumerator->enumerate(enumerator, &other_ts))
+	{
+		this->other_ts->insert_last(this->other_ts, other_ts->clone(other_ts));
+	}
+	enumerator->destroy(enumerator);
+
+	if (this->config->install_policy(this->config))
+	{
+		/* enumerate pairs of traffic selectors */
+		enumerator = create_policy_enumerator(this);
+		while (enumerator->enumerate(enumerator, &my_ts, &other_ts))
+		{
+			/* install 3 policies: out, in and forward */
+			status |= charon->kernel_interface->add_policy(charon->kernel_interface,
+					this->my_addr, this->other_addr, my_ts, other_ts, POLICY_OUT,
+					this->other_spi, this->protocol, this->reqid, this->mode,
+					this->ipcomp, this->other_cpi, routed);
+
+			status |= charon->kernel_interface->add_policy(charon->kernel_interface,
+					this->other_addr, this->my_addr, other_ts, my_ts, POLICY_IN,
+					this->my_spi, this->protocol, this->reqid, this->mode,
+					this->ipcomp, this->my_cpi, routed);
+			if (this->mode != MODE_TRANSPORT)
+			{
+				status |= charon->kernel_interface->add_policy(charon->kernel_interface,
+					this->other_addr, this->my_addr, other_ts, my_ts, POLICY_FWD,
+					this->my_spi, this->protocol, this->reqid, this->mode,
+					this->ipcomp, this->my_cpi, routed);
+			}
+
+			if (status != SUCCESS)
+			{
+				break;
+			}
+		}
+		enumerator->destroy(enumerator);
+	}
+
+	if (status == SUCCESS && this->state == CHILD_CREATED)
+	{	/* switch to routed state if no SAD entry set up */
+		set_state(this, CHILD_ROUTED);
+	}
+	return status;
+}
+
+/**
+ * Implementation of child_sa_t.update.
+ */
+static status_t update(private_child_sa_t *this,  host_t *me, host_t *other,
+					   host_t *vip, bool encap)
+{
+	child_sa_state_t old;
+	bool transport_proxy_mode;
+
+	/* anything changed at all? */
+	if (me->equals(me, this->my_addr) &&
+		other->equals(other, this->other_addr) && this->encap == encap)
+	{
+		return SUCCESS;
+	}
+
+	old = this->state;
+	set_state(this, CHILD_UPDATING);
+	transport_proxy_mode = this->config->use_proxy_mode(this->config) &&
+						   this->mode == MODE_TRANSPORT;
+
+	if (!transport_proxy_mode)
+	{
+		/* update our (initator) SA */
+		if (this->my_spi)
+		{
+			if (charon->kernel_interface->update_sa(charon->kernel_interface,
+							this->my_spi, this->protocol,
+							this->ipcomp != IPCOMP_NONE ? this->my_cpi : 0,
+							this->other_addr, this->my_addr, other, me,
+							this->encap, encap) == NOT_SUPPORTED)
+			{
+				return NOT_SUPPORTED;
+			}
+		}
+
+		/* update his (responder) SA */
+		if (this->other_spi)
+		{
+			if (charon->kernel_interface->update_sa(charon->kernel_interface,
+							this->other_spi, this->protocol,
+							this->ipcomp != IPCOMP_NONE ? this->other_cpi : 0,
+							this->my_addr, this->other_addr, me, other,
+							this->encap, encap) == NOT_SUPPORTED)
+			{
+				return NOT_SUPPORTED;
+			}
+		}
+	}
+
+	if (this->config->install_policy(this->config))
+	{
+		/* update policies */
+		if (!me->ip_equals(me, this->my_addr) ||
+			!other->ip_equals(other, this->other_addr))
+		{
+			enumerator_t *enumerator;
+			traffic_selector_t *my_ts, *other_ts;
+
+			/* always use high priorities, as hosts getting updated are INSTALLED */
+			enumerator = create_policy_enumerator(this);
+			while (enumerator->enumerate(enumerator, &my_ts, &other_ts))
+			{
+				/* remove old policies first */
+				charon->kernel_interface->del_policy(charon->kernel_interface,
+											my_ts, other_ts, POLICY_OUT, FALSE);
+				charon->kernel_interface->del_policy(charon->kernel_interface,
+											other_ts, my_ts,  POLICY_IN, FALSE);
+				if (this->mode != MODE_TRANSPORT)
+				{
+					charon->kernel_interface->del_policy(charon->kernel_interface,
+											other_ts, my_ts, POLICY_FWD, FALSE);
+				}
+
+				/* check whether we have to update a "dynamic" traffic selector */
+				if (!me->ip_equals(me, this->my_addr) &&
+					my_ts->is_host(my_ts, this->my_addr))
+				{
+					my_ts->set_address(my_ts, me);
+				}
+				if (!other->ip_equals(other, this->other_addr) &&
+					other_ts->is_host(other_ts, this->other_addr))
+				{
+					other_ts->set_address(other_ts, other);
+				}
+
+				/* we reinstall the virtual IP to handle interface roaming
+				 * correctly */
+				if (vip)
+				{
+					charon->kernel_interface->del_ip(charon->kernel_interface, vip);
+					charon->kernel_interface->add_ip(charon->kernel_interface, vip, me);
+				}
+
+				/* reinstall updated policies */
+				charon->kernel_interface->add_policy(charon->kernel_interface,
+						me, other, my_ts, other_ts, POLICY_OUT, this->other_spi,
+						this->protocol, this->reqid, this->mode, this->ipcomp,
+						this->other_cpi, FALSE);
+				charon->kernel_interface->add_policy(charon->kernel_interface,
+						other, me, other_ts, my_ts, POLICY_IN, this->my_spi,
+						this->protocol, this->reqid, this->mode, this->ipcomp,
+						this->my_cpi, FALSE);
+				if (this->mode != MODE_TRANSPORT)
+				{
+					charon->kernel_interface->add_policy(charon->kernel_interface,
+						other, me, other_ts, my_ts, POLICY_FWD, this->my_spi,
+						this->protocol, this->reqid, this->mode, this->ipcomp,
+						this->my_cpi, FALSE);
+				}
+			}
+			enumerator->destroy(enumerator);
+		}
+	}
+
+	if (!transport_proxy_mode)
+	{
+		/* apply hosts */
+		if (!me->equals(me, this->my_addr))
+		{
+			this->my_addr->destroy(this->my_addr);
+			this->my_addr = me->clone(me);
+		}
+		if (!other->equals(other, this->other_addr))
+		{
+			this->other_addr->destroy(this->other_addr);
+			this->other_addr = other->clone(other);
+		}
+	}
+
+	this->encap = encap;
+	set_state(this, old);
+
+	return SUCCESS;
+}
+
+/**
+ * Implementation of child_sa_t.destroy.
+ */
+static void destroy(private_child_sa_t *this)
+{
+	enumerator_t *enumerator;
+	traffic_selector_t *my_ts, *other_ts;
+	bool unrouted = (this->state == CHILD_ROUTED);
+
+	set_state(this, CHILD_DESTROYING);
+
+	/* delete SAs in the kernel, if they are set up */
+	if (this->my_spi)
+	{
+		/* if CHILD was not established, use PROTO_ESP used during alloc_spi().
+		 * TODO: For AH support, we have to store protocol specific SPI.s */
+		if (this->protocol == PROTO_NONE)
+		{
+			this->protocol = PROTO_ESP;
+		}
+		charon->kernel_interface->del_sa(charon->kernel_interface,
+					this->other_addr, this->my_addr, this->my_spi,
+					this->protocol, this->my_cpi);
+	}
+	if (this->other_spi)
+	{
+		charon->kernel_interface->del_sa(charon->kernel_interface,
+					this->my_addr, this->other_addr, this->other_spi,
+					this->protocol, this->other_cpi);
+	}
+
+	if (this->config->install_policy(this->config))
+	{
+		/* delete all policies in the kernel */
+		enumerator = create_policy_enumerator(this);
+		while (enumerator->enumerate(enumerator, &my_ts, &other_ts))
+		{
+			charon->kernel_interface->del_policy(charon->kernel_interface,
+										my_ts, other_ts, POLICY_OUT, unrouted);
+			charon->kernel_interface->del_policy(charon->kernel_interface,
+										other_ts, my_ts, POLICY_IN, unrouted);
+			if (this->mode != MODE_TRANSPORT)
+			{
+				charon->kernel_interface->del_policy(charon->kernel_interface,
+										other_ts, my_ts, POLICY_FWD, unrouted);
+			}
+		}
+		enumerator->destroy(enumerator);
+	}
+
+	this->my_ts->destroy_offset(this->my_ts, offsetof(traffic_selector_t, destroy));
+	this->other_ts->destroy_offset(this->other_ts, offsetof(traffic_selector_t, destroy));
+	this->my_addr->destroy(this->my_addr);
+	this->other_addr->destroy(this->other_addr);
+	DESTROY_IF(this->proposal);
+	this->config->destroy(this->config);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+child_sa_t * child_sa_create(host_t *me, host_t* other,
+							 child_cfg_t *config, u_int32_t rekey, bool encap)
+{
+	static u_int32_t reqid = 0;
+	private_child_sa_t *this = malloc_thing(private_child_sa_t);
+
+	/* public functions */
+	this->public.get_name = (char*(*)(child_sa_t*))get_name;
+	this->public.get_reqid = (u_int32_t(*)(child_sa_t*))get_reqid;
+	this->public.get_config = (child_cfg_t*(*)(child_sa_t*))get_config;
+	this->public.get_state = (child_sa_state_t(*)(child_sa_t*))get_state;
+	this->public.set_state = (void(*)(child_sa_t*,child_sa_state_t))set_state;
+	this->public.get_spi = (u_int32_t(*)(child_sa_t*, bool))get_spi;
+	this->public.get_cpi = (u_int16_t(*)(child_sa_t*, bool))get_cpi;
+	this->public.get_protocol = (protocol_id_t(*)(child_sa_t*))get_protocol;
+	this->public.set_protocol = (void(*)(child_sa_t*, protocol_id_t protocol))set_protocol;
+	this->public.get_mode = (ipsec_mode_t(*)(child_sa_t*))get_mode;
+	this->public.set_mode = (void(*)(child_sa_t*, ipsec_mode_t mode))set_mode;
+	this->public.get_proposal = (proposal_t*(*)(child_sa_t*))get_proposal;
+	this->public.set_proposal = (void(*)(child_sa_t*, proposal_t *proposal))set_proposal;
+	this->public.get_lifetime = (time_t(*)(child_sa_t*, bool))get_lifetime;
+	this->public.get_usestats = (void(*)(child_sa_t*,bool,time_t*,u_int64_t*))get_usestats;
+	this->public.has_encap = (bool(*)(child_sa_t*))has_encap;
+	this->public.get_ipcomp = (ipcomp_transform_t(*)(child_sa_t*))get_ipcomp;
+	this->public.set_ipcomp = (void(*)(child_sa_t*,ipcomp_transform_t))set_ipcomp;
+	this->public.alloc_spi = (u_int32_t(*)(child_sa_t*, protocol_id_t protocol))alloc_spi;
+	this->public.alloc_cpi = (u_int16_t(*)(child_sa_t*))alloc_cpi;
+	this->public.install = (status_t(*)(child_sa_t*, chunk_t encr, chunk_t integ, u_int32_t spi, u_int16_t cpi, bool inbound, linked_list_t *my_ts_list, linked_list_t *other_ts_list))install;
+	this->public.update = (status_t (*)(child_sa_t*,host_t*,host_t*,host_t*,bool))update;
+	this->public.add_policies = (status_t (*)(child_sa_t*, linked_list_t*,linked_list_t*))add_policies;
+	this->public.get_traffic_selectors = (linked_list_t*(*)(child_sa_t*,bool))get_traffic_selectors;
+	this->public.create_policy_enumerator = (enumerator_t*(*)(child_sa_t*))create_policy_enumerator;
+	this->public.destroy = (void(*)(child_sa_t*))destroy;
+
+	/* private data */
+	this->my_addr = me->clone(me);
+	this->other_addr = other->clone(other);
+	this->my_spi = 0;
+	this->other_spi = 0;
+	this->my_cpi = 0;
+	this->other_cpi = 0;
+	this->encap = encap;
+	this->ipcomp = IPCOMP_NONE;
+	this->state = CHILD_CREATED;
+	this->my_usetime = 0;
+	this->other_usetime = 0;
+	this->my_usebytes = 0;
+	this->other_usebytes = 0;
+	/* reuse old reqid if we are rekeying an existing CHILD_SA */
+	this->reqid = rekey ? rekey : ++reqid;
+	this->my_ts = linked_list_create();
+	this->other_ts = linked_list_create();
+	this->protocol = PROTO_NONE;
+	this->mode = MODE_TUNNEL;
+	this->proposal = NULL;
+	this->rekey_time = 0;
+	this->expire_time = 0;
+	this->config = config;
+	config->get_ref(config);
+
+	/* MIPv6 proxy transport mode sets SA endpoints to TS hosts */
+	if (config->get_mode(config) == MODE_TRANSPORT &&
+		config->use_proxy_mode(config))
+	{
+		ts_type_t type;
+		int family;
+		chunk_t addr;
+		host_t *host;
+		enumerator_t *enumerator;
+		linked_list_t *my_ts_list, *other_ts_list;
+		traffic_selector_t *my_ts, *other_ts;
+
+		this->mode = MODE_TRANSPORT;
+
+		my_ts_list = config->get_traffic_selectors(config, TRUE, NULL, me);
+		enumerator = my_ts_list->create_enumerator(my_ts_list);
+		if (enumerator->enumerate(enumerator, &my_ts))
+		{
+			if (my_ts->is_host(my_ts, NULL) &&
+			   !my_ts->is_host(my_ts, this->my_addr))
+			{
+				type = my_ts->get_type(my_ts);
+				family = (type == TS_IPV4_ADDR_RANGE) ? AF_INET : AF_INET6;
+				addr = my_ts->get_from_address(my_ts);
+				host = host_create_from_chunk(family, addr, 0);
+				free(addr.ptr);
+				DBG1(DBG_CHD, "my address: %H is a transport mode proxy for %H",
+							   this->my_addr, host);
+				this->my_addr->destroy(this->my_addr);
+				this->my_addr = host;
+			}
+		}
+		enumerator->destroy(enumerator);
+		my_ts_list->destroy_offset(my_ts_list, offsetof(traffic_selector_t, destroy));
+
+		other_ts_list = config->get_traffic_selectors(config, FALSE, NULL, other);
+		enumerator = other_ts_list->create_enumerator(other_ts_list);
+		if (enumerator->enumerate(enumerator, &other_ts))
+		{
+			if (other_ts->is_host(other_ts, NULL) &&
+			   !other_ts->is_host(other_ts, this->other_addr))
+			{
+				type = other_ts->get_type(other_ts);
+				family = (type == TS_IPV4_ADDR_RANGE) ? AF_INET : AF_INET6;
+				addr = other_ts->get_from_address(other_ts);
+				host = host_create_from_chunk(family, addr, 0);
+				free(addr.ptr);
+				DBG1(DBG_CHD, "other address: %H is a transport mode proxy for %H",
+							   this->other_addr, host);
+				this->other_addr->destroy(this->other_addr);
+				this->other_addr = host;
+			}
+		}
+		enumerator->destroy(enumerator);
+		other_ts_list->destroy_offset(other_ts_list, offsetof(traffic_selector_t, destroy));
+	}
+
+	return &this->public;
+}
diff --git a/src/libcharon/sa/child_sa.h b/src/libcharon/sa/child_sa.h
new file mode 100644
index 000000000..e6c603504
--- /dev/null
+++ b/src/libcharon/sa/child_sa.h
@@ -0,0 +1,337 @@
+/*
+ * Copyright (C) 2006-2008 Tobias Brunner
+ * Copyright (C) 2006-2008 Martin Willi
+ * Copyright (C) 2006 Daniel Roethlisberger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup child_sa child_sa
+ * @{ @ingroup sa
+ */
+
+#ifndef CHILD_SA_H_
+#define CHILD_SA_H_
+
+typedef enum child_sa_state_t child_sa_state_t;
+typedef struct child_sa_t child_sa_t;
+
+#include <library.h>
+#include <crypto/prf_plus.h>
+#include <encoding/payloads/proposal_substructure.h>
+#include <config/proposal.h>
+#include <config/child_cfg.h>
+
+/**
+ * States of a CHILD_SA
+ */
+enum child_sa_state_t {
+
+	/**
+	 * Just created, uninstalled CHILD_SA
+	 */
+	CHILD_CREATED,
+
+	/**
+	 * Installed SPD, but no SAD entries
+	 */
+	CHILD_ROUTED,
+
+	/**
+	 * Installing an in-use CHILD_SA
+	 */
+	CHILD_INSTALLING,
+
+	/**
+	 * Installed an in-use CHILD_SA
+	 */
+	CHILD_INSTALLED,
+
+	/**
+	 * While updating hosts, in update_hosts()
+	 */
+	CHILD_UPDATING,
+
+	/**
+	 * CHILD_SA which is rekeying
+	 */
+	CHILD_REKEYING,
+
+	/**
+	 * CHILD_SA in progress of delete
+	 */
+	CHILD_DELETING,
+
+	/**
+	 * CHILD_SA object gets destroyed
+	 */
+	CHILD_DESTROYING,
+};
+
+/**
+ * enum strings for child_sa_state_t.
+ */
+extern enum_name_t *child_sa_state_names;
+
+/**
+ * Represents an IPsec SAs between two hosts.
+ *
+ * A child_sa_t contains two SAs. SAs for both
+ * directions are managed in one child_sa_t object. Both
+ * SAs and the policies have the same reqid.
+ *
+ * The procedure for child sa setup is as follows:
+ * - A gets SPIs for a all protocols in its proposals via child_sa_t.alloc
+ * - A send the proposals with the allocated SPIs to B
+ * - B selects a suitable proposal
+ * - B allocates an SPI for the selected protocol
+ * - B calls child_sa_t.install for both, the allocated and received SPI
+ * - B sends the proposal with the allocated SPI to A
+ * - A calls child_sa_t.install for both, the allocated and recevied SPI
+ *
+ * Once SAs are set up, policies can be added using add_policies.
+ */
+struct child_sa_t {
+
+	/**
+	 * Get the name of the config this CHILD_SA uses.
+	 *
+	 * @return			name
+	 */
+	char* (*get_name) (child_sa_t *this);
+
+	/**
+	 * Get the reqid of the CHILD SA.
+	 *
+	 * Every CHILD_SA has a reqid. The kernel uses this ID to
+	 * identify it.
+	 *
+	 * @return 			reqid of the CHILD SA
+	 */
+	u_int32_t (*get_reqid)(child_sa_t *this);
+
+	/**
+	 * Get the config used to set up this child sa.
+	 *
+	 * @return			child_cfg
+	 */
+	child_cfg_t* (*get_config) (child_sa_t *this);
+
+	/**
+	 * Get the state of the CHILD_SA.
+	 *
+	 * @return 			CHILD_SA state
+	 */
+	child_sa_state_t (*get_state) (child_sa_t *this);
+
+	/**
+	 * Set the state of the CHILD_SA.
+	 *
+	 * @param state		state to set on CHILD_SA
+	 */
+	void (*set_state) (child_sa_t *this, child_sa_state_t state);
+
+	/**
+	 * Get the SPI of this CHILD_SA.
+	 *
+	 * Set the boolean parameter inbound to TRUE to
+	 * get the SPI for which we receive packets, use
+	 * FALSE to get those we use for sending packets.
+	 *
+	 * @param inbound	TRUE to get inbound SPI, FALSE for outbound.
+	 * @return 			SPI of the CHILD SA
+	 */
+	u_int32_t (*get_spi) (child_sa_t *this, bool inbound);
+
+	/**
+	 * Get the CPI of this CHILD_SA.
+	 *
+	 * Set the boolean parameter inbound to TRUE to
+	 * get the CPI for which we receive packets, use
+	 * FALSE to get those we use for sending packets.
+	 *
+	 * @param inbound	TRUE to get inbound CPI, FALSE for outbound.
+	 * @return 			CPI of the CHILD SA
+	 */
+	u_int16_t (*get_cpi) (child_sa_t *this, bool inbound);
+
+	/**
+	 * Get the protocol which this CHILD_SA uses to protect traffic.
+	 *
+	 * @return 			AH | ESP
+	 */
+	protocol_id_t (*get_protocol) (child_sa_t *this);
+
+	/**
+	 * Set the negotiated protocol to use for this CHILD_SA.
+	 *
+	 * @param protocol	AH | ESP
+	 */
+	void (*set_protocol)(child_sa_t *this, protocol_id_t protocol);
+
+	/**
+	 * Get the IPsec mode of this CHILD_SA.
+	 *
+	 * @return			TUNNEL | TRANSPORT | BEET
+	 */
+	ipsec_mode_t (*get_mode)(child_sa_t *this);
+
+	/**
+	 * Set the negotiated IPsec mode to use.
+	 *
+	 * @param mode		TUNNEL | TRANPORT | BEET
+	 */
+	void (*set_mode)(child_sa_t *this, ipsec_mode_t mode);
+
+	/**
+	 * Get the used IPComp algorithm.
+	 *
+	 * @return			IPComp compression algorithm.
+	 */
+	ipcomp_transform_t (*get_ipcomp)(child_sa_t *this);
+
+	/**
+	 * Set the IPComp algorithm to use.
+	 *
+	 * @param ipcomp	the IPComp transform to use
+	 */
+	void (*set_ipcomp)(child_sa_t *this, ipcomp_transform_t ipcomp);
+
+	/**
+	 * Get the selected proposal.
+	 *
+	 * @return			selected proposal
+	 */
+	proposal_t* (*get_proposal)(child_sa_t *this);
+
+	/**
+	 * Set the negotiated proposal.
+	 *
+	 * @param proposal	selected proposal
+	 */
+	void (*set_proposal)(child_sa_t *this, proposal_t *proposal);
+
+	/**
+	 * Check if this CHILD_SA uses UDP encapsulation.
+	 *
+	 * @return			TRUE if SA encapsulates ESP packets
+	 */
+	bool (*has_encap)(child_sa_t *this);
+
+	/**
+	 * Get the absolute time when the CHILD_SA expires or gets rekeyed.
+	 *
+	 * @param hard		TRUE for hard lifetime, FALSE for soft (rekey) lifetime
+	 * @return			absolute time
+	 */
+	time_t (*get_lifetime)(child_sa_t *this, bool hard);
+
+	/**
+	 * Get last use time and the number of bytes processed.
+	 *
+	 * @param inbound		TRUE for inbound traffic, FALSE for outbound
+	 * @param[out] time		time of last use in seconds (NULL to ignore)
+	 * @param[out] bytes	number of processed bytes (NULL to ignore)
+	 */
+	void (*get_usestats)(child_sa_t *this, bool inbound, time_t *time,
+						 u_int64_t *bytes);
+
+	/**
+	 * Get the traffic selectors list added for one side.
+	 *
+	 * @param local		TRUE for own traffic selectors, FALSE for remote
+	 * @return			list of traffic selectors
+	 */
+	linked_list_t* (*get_traffic_selectors) (child_sa_t *this, bool local);
+
+	/**
+	 * Create an enumerator over installed policies.
+	 *
+	 * @return			enumerator over pairs of traffic selectors.
+	 */
+	enumerator_t* (*create_policy_enumerator)(child_sa_t *this);
+
+	/**
+	 * Allocate an SPI to include in a proposal.
+	 *
+	 * @param protocol	protocol to allocate SPI for (ESP|AH)
+	 * @param spi		SPI output pointer
+	 * @return			SPI, 0 on failure
+	 */
+	u_int32_t (*alloc_spi)(child_sa_t *this, protocol_id_t protocol);
+
+	/**
+	 * Allocate a CPI to use for IPComp.
+	 *
+	 * @return			CPI, 0 on failure
+	 */
+	u_int16_t (*alloc_cpi)(child_sa_t *this);
+
+	/**
+	 * Install an IPsec SA for one direction.
+	 *
+	 * @param encr		encryption key, if any
+	 * @param integ		integrity key
+	 * @param spi		SPI to use, allocated for inbound
+	 * @param cpi		CPI to use, allocated for outbound
+	 * @param inbound	TRUE to install an inbound SA, FALSE for outbound
+	 * @param my_ts		negotiated local traffic selector list
+	 * @param other_ts	negotiated remote traffic selector list
+	 * @return			SUCCESS or FAILED
+	 */
+	status_t (*install)(child_sa_t *this, chunk_t encr, chunk_t integ,
+						u_int32_t spi, u_int16_t cpi, bool inbound,
+						linked_list_t *my_ts, linked_list_t *other_ts);
+	/**
+	 * Install the policies using some traffic selectors.
+	 *
+	 * Supplied lists of traffic_selector_t's specify the policies
+	 * to use for this child sa.
+	 *
+	 * @param my_ts		traffic selectors for local site
+	 * @param other_ts	traffic selectors for remote site
+	 * @return			SUCCESS or FAILED
+	 */
+	status_t (*add_policies)(child_sa_t *this, linked_list_t *my_ts_list,
+							 linked_list_t *other_ts_list);
+	/**
+	 * Update hosts and ecapulation mode in the kernel SAs and policies.
+	 *
+	 * @param me		the new local host
+	 * @param other		the new remote host
+	 * @param vip		virtual IP, if any
+	 * @param			TRUE to use UDP encapsulation for NAT traversal
+	 * @return			SUCCESS or FAILED
+	 */
+	status_t (*update)(child_sa_t *this, host_t *me, host_t *other,
+					   host_t *vip, bool encap);
+	/**
+	 * Destroys a child_sa.
+	 */
+	void (*destroy) (child_sa_t *this);
+};
+
+/**
+ * Constructor to create a child SA negotiated with IKE.
+ *
+ * @param me				own address
+ * @param other				remote address
+ * @param config			config to use for this CHILD_SA
+ * @param reqid				reqid of old CHILD_SA when rekeying, 0 otherwise
+ * @param encap				TRUE to enable UDP encapsulation (NAT traversal)
+ * @return					child_sa_t object
+ */
+child_sa_t * child_sa_create(host_t *me, host_t *other, child_cfg_t *config,
+							 u_int32_t reqid, bool encap);
+
+#endif /** CHILD_SA_H_ @}*/
diff --git a/src/libcharon/sa/connect_manager.c b/src/libcharon/sa/connect_manager.c
new file mode 100644
index 000000000..b78ba070d
--- /dev/null
+++ b/src/libcharon/sa/connect_manager.c
@@ -0,0 +1,1623 @@
+/*
+ * Copyright (C) 2007-2008 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "connect_manager.h"
+
+#include <math.h>
+
+#include <daemon.h>
+#include <threading/mutex.h>
+#include <utils/linked_list.h>
+#include <crypto/hashers/hasher.h>
+
+#include <processing/jobs/callback_job.h>
+#include <processing/jobs/initiate_mediation_job.h>
+#include <encoding/payloads/endpoint_notify.h>
+
+/* base timeout
+ * the check interval is ME_INTERVAL */
+#define ME_INTERVAL 25 /* ms */
+/* retransmission timeout is first ME_INTERVAL for ME_BOOST retransmissions
+ * then gets reduced to ME_INTERVAL * ME_RETRANS_BASE ^ (sent retransmissions - ME_BOOST). */
+/* number of initial retransmissions sent in short interval */
+#define ME_BOOST 2
+/* base for retransmissions */
+#define ME_RETRANS_BASE 1.8
+/* max number of retransmissions */
+#define ME_MAX_RETRANS 13
+
+/* time to wait before the initiator finishes the connectivity checks after
+ * the first check has succeeded */
+#define ME_WAIT_TO_FINISH 1000 /* ms */
+
+typedef struct private_connect_manager_t private_connect_manager_t;
+
+/**
+ * Additional private members of connect_manager_t.
+ */
+struct private_connect_manager_t {
+	/**
+	 * Public interface of connect_manager_t.
+	 */
+	 connect_manager_t public;
+
+	 /**
+	  * Lock for exclusivly accessing the manager.
+	  */
+	 mutex_t *mutex;
+
+	 /**
+	  * Hasher to generate signatures
+	  */
+	 hasher_t *hasher;
+
+	 /**
+	  * Linked list with initiated mediated connections
+	  */
+	 linked_list_t *initiated;
+
+	 /**
+	  * Linked list with checklists (hash table with connect ID as key would
+	  * be better).
+	  */
+	 linked_list_t *checklists;
+};
+
+typedef enum check_state_t check_state_t;
+
+enum check_state_t {
+	CHECK_NONE,
+	CHECK_WAITING,
+	CHECK_IN_PROGRESS,
+	CHECK_SUCCEEDED,
+	CHECK_FAILED
+};
+
+typedef struct endpoint_pair_t endpoint_pair_t;
+
+/**
+ * An entry in the check list.
+ */
+struct endpoint_pair_t {
+	/** pair id */
+	u_int32_t id;
+
+	/** priority */
+	u_int64_t priority;
+
+	/** local endpoint */
+	host_t *local;
+
+	/** remote endpoint */
+	host_t *remote;
+
+	/** state */
+	check_state_t state;
+
+	/** number of retransmissions */
+	u_int32_t retransmitted;
+
+	/** the generated packet */
+	packet_t *packet;
+};
+
+/**
+ * Destroys an endpoint pair
+ */
+static void endpoint_pair_destroy(endpoint_pair_t *this)
+{
+	DESTROY_IF(this->local);
+	DESTROY_IF(this->remote);
+	DESTROY_IF(this->packet);
+	free(this);
+}
+
+/**
+ * Creates a new entry for the list.
+ */
+static endpoint_pair_t *endpoint_pair_create(endpoint_notify_t *initiator,
+		endpoint_notify_t *responder, bool initiator_is_local)
+{
+	endpoint_pair_t *this = malloc_thing(endpoint_pair_t);
+
+	this->id = 0;
+
+	u_int32_t pi = initiator->get_priority(initiator);
+	u_int32_t pr = responder->get_priority(responder);
+	this->priority = pow(2, 32) * min(pi, pr) + 2 * max(pi, pr) + (pi > pr ? 1 : 0);
+
+	this->local = initiator_is_local ? initiator->get_base(initiator)
+									 : responder->get_base(responder);
+	this->local = this->local->clone(this->local);
+	this->remote = initiator_is_local ? responder->get_host(responder)
+									  : initiator->get_host(initiator);
+	this->remote = this->remote->clone(this->remote);
+
+	this->state = CHECK_WAITING;
+	this->retransmitted = 0;
+	this->packet = NULL;
+
+	return this;
+}
+
+
+typedef struct check_list_t check_list_t;
+
+/**
+ * An entry in the linked list.
+ */
+struct check_list_t {
+
+	struct {
+		/** initiator's id */
+		identification_t *id;
+
+		/** initiator's key */
+		chunk_t key;
+
+		/** initiator's endpoints */
+		linked_list_t *endpoints;
+	} initiator;
+
+	struct {
+		/** responder's id */
+		identification_t *id;
+
+		/** responder's key */
+		chunk_t key;
+
+		/** responder's endpoints */
+		linked_list_t *endpoints;
+	} responder;
+
+	/** connect id */
+	chunk_t connect_id;
+
+	/** list of endpoint pairs */
+	linked_list_t *pairs;
+
+	/** pairs queued for triggered checks */
+	linked_list_t *triggered;
+
+	/** state */
+	check_state_t state;
+
+	/** TRUE if this is the initiator */
+	bool is_initiator;
+
+	/** TRUE if the initiator is finishing the checks */
+	bool is_finishing;
+
+	/** the current sender job */
+	job_t *sender;
+
+};
+
+/**
+ * Destroys a checklist
+ */
+static void check_list_destroy(check_list_t *this)
+{
+	DESTROY_IF(this->initiator.id);
+	DESTROY_IF(this->responder.id);
+
+	chunk_free(&this->connect_id);
+	chunk_free(&this->initiator.key);
+	chunk_free(&this->responder.key);
+
+	DESTROY_OFFSET_IF(this->initiator.endpoints,
+					  offsetof(endpoint_notify_t, destroy));
+	DESTROY_OFFSET_IF(this->responder.endpoints,
+					  offsetof(endpoint_notify_t, destroy));
+
+	DESTROY_FUNCTION_IF(this->pairs, (void*)endpoint_pair_destroy);
+	/* this list contains some of the elements contained in this->pairs */
+	DESTROY_IF(this->triggered);
+
+	free(this);
+}
+
+/**
+ * Creates a new checklist
+ */
+static check_list_t *check_list_create(identification_t *initiator,
+									   identification_t *responder,
+									   chunk_t connect_id,
+									   chunk_t initiator_key,
+									   linked_list_t *initiator_endpoints,
+									   bool is_initiator)
+{
+	check_list_t *this = malloc_thing(check_list_t);
+
+	this->connect_id = chunk_clone(connect_id);
+
+	this->initiator.id = initiator->clone(initiator);
+	this->initiator.key = chunk_clone(initiator_key);
+	this->initiator.endpoints = initiator_endpoints->clone_offset(initiator_endpoints, offsetof(endpoint_notify_t, clone));
+
+	this->responder.id = responder->clone(responder);
+	this->responder.key = chunk_empty;
+	this->responder.endpoints = NULL;
+
+	this->pairs = linked_list_create();
+	this->triggered = linked_list_create();
+	this->state = CHECK_NONE;
+	this->is_initiator = is_initiator;
+	this->is_finishing = FALSE;
+
+	return this;
+}
+
+typedef struct initiated_t initiated_t;
+
+/**
+ * For an initiator, the data stored about initiated mediation connections
+ */
+struct initiated_t {
+	/** my id */
+	identification_t *id;
+
+	/** peer id */
+	identification_t *peer_id;
+
+	/** list of mediated sas */
+	linked_list_t *mediated;
+};
+
+/**
+ * Destroys a queued initiation
+ */
+static void initiated_destroy(initiated_t *this)
+{
+	DESTROY_IF(this->id);
+	DESTROY_IF(this->peer_id);
+	this->mediated->destroy_offset(this->mediated,
+								   offsetof(ike_sa_id_t, destroy));
+	free(this);
+}
+
+/**
+ * Creates a queued initiation
+ */
+static initiated_t *initiated_create(identification_t *id,
+									 identification_t *peer_id)
+{
+	initiated_t *this = malloc_thing(initiated_t);
+
+	this->id = id->clone(id);
+	this->peer_id = peer_id->clone(peer_id);
+	this->mediated = linked_list_create();
+
+	return this;
+}
+
+
+typedef struct check_t check_t;
+
+/**
+ * Data exchanged in a connectivity check
+ */
+struct check_t {
+	/** message id */
+	u_int32_t mid;
+
+	/** source of the connectivity check */
+	host_t *src;
+
+	/** destination of the connectivity check */
+	host_t *dst;
+
+	/** connect id */
+	chunk_t connect_id;
+
+	/** endpoint */
+	endpoint_notify_t *endpoint;
+
+	/** raw endpoint payload (to verify the signature) */
+	chunk_t endpoint_raw;
+
+	/** connect auth */
+	chunk_t auth;
+};
+
+/**
+ * Destroys a connectivity check
+ */
+static void check_destroy(check_t *this)
+{
+	chunk_free(&this->connect_id);
+	chunk_free(&this->endpoint_raw);
+	chunk_free(&this->auth);
+	DESTROY_IF(this->src);
+	DESTROY_IF(this->dst);
+	DESTROY_IF(this->endpoint);
+	free(this);
+}
+
+/**
+ * Creates a new connectivity check
+ */
+static check_t *check_create()
+{
+	check_t *this = malloc_thing(check_t);
+
+	this->connect_id = chunk_empty;
+	this->auth = chunk_empty;
+	this->endpoint_raw = chunk_empty;
+	this->src = NULL;
+	this->dst = NULL;
+	this->endpoint = NULL;
+
+	this->mid = 0;
+
+	return this;
+}
+
+typedef struct callback_data_t callback_data_t;
+
+/**
+ * Data required by several callback jobs used in this file
+ */
+struct callback_data_t {
+	/** connect manager */
+	private_connect_manager_t *connect_manager;
+
+	/** connect id */
+	chunk_t connect_id;
+
+	/** message (pair) id */
+	u_int32_t mid;
+};
+
+/**
+ * Destroys a callback data object
+ */
+static void callback_data_destroy(callback_data_t *this)
+{
+	chunk_free(&this->connect_id);
+	free(this);
+}
+
+/**
+ * Creates a new callback data object
+ */
+static callback_data_t *callback_data_create(private_connect_manager_t *connect_manager,
+											 chunk_t connect_id)
+{
+	callback_data_t *this = malloc_thing(callback_data_t);
+	this->connect_manager = connect_manager;
+	this->connect_id = chunk_clone(connect_id);
+	this->mid = 0;
+	return this;
+}
+
+/**
+ * Creates a new retransmission data object
+ */
+static callback_data_t *retransmit_data_create(private_connect_manager_t *connect_manager,
+											   chunk_t connect_id, u_int32_t mid)
+{
+	callback_data_t *this = callback_data_create(connect_manager, connect_id);
+	this->mid = mid;
+	return this;
+}
+
+typedef struct initiate_data_t initiate_data_t;
+
+/**
+ * Data required by the initiate mediated
+ */
+struct initiate_data_t {
+	/** checklist */
+	check_list_t *checklist;
+
+	/** waiting mediated connections */
+	initiated_t *initiated;
+};
+
+/**
+ * Destroys a initiate data object
+ */
+static void initiate_data_destroy(initiate_data_t *this)
+{
+	check_list_destroy(this->checklist);
+	initiated_destroy(this->initiated);
+	free(this);
+}
+
+/**
+ * Creates a new initiate data object
+ */
+static initiate_data_t *initiate_data_create(check_list_t *checklist,
+											 initiated_t *initiated)
+{
+	initiate_data_t *this = malloc_thing(initiate_data_t);
+
+	this->checklist = checklist;
+	this->initiated = initiated;
+
+	return this;
+}
+
+/**
+ * Find an initiated connection by the peers' ids
+ */
+static bool match_initiated_by_ids(initiated_t *current, identification_t *id,
+								   identification_t *peer_id)
+{
+	return id->equals(id, current->id) && peer_id->equals(peer_id, current->peer_id);
+}
+
+static status_t get_initiated_by_ids(private_connect_manager_t *this,
+									 identification_t *id,
+									 identification_t *peer_id,
+									 initiated_t **initiated)
+{
+	return this->initiated->find_first(this->initiated,
+								(linked_list_match_t)match_initiated_by_ids,
+								(void**)initiated, id, peer_id);
+}
+
+/**
+ * Removes data about initiated connections
+ */
+static void remove_initiated(private_connect_manager_t *this,
+							 initiated_t *initiated)
+{
+	iterator_t *iterator;
+	initiated_t *current;
+
+	iterator = this->initiated->create_iterator(this->initiated, TRUE);
+	while (iterator->iterate(iterator, (void**)&current))
+	{
+		if (current == initiated)
+		{
+			iterator->remove(iterator);
+			break;
+		}
+	}
+	iterator->destroy(iterator);
+}
+
+/**
+ * Find the checklist with a specific connect ID
+ */
+static bool match_checklist_by_id(check_list_t *current, chunk_t *connect_id)
+{
+	return chunk_equals(*connect_id, current->connect_id);
+}
+
+static status_t get_checklist_by_id(private_connect_manager_t *this,
+									chunk_t connect_id,
+									check_list_t **check_list)
+{
+	return this->checklists->find_first(this->checklists,
+								(linked_list_match_t)match_checklist_by_id,
+								(void**)check_list, &connect_id);
+}
+
+/**
+ * Removes a checklist
+ */
+static void remove_checklist(private_connect_manager_t *this,
+							 check_list_t *checklist)
+{
+	iterator_t *iterator;
+	check_list_t *current;
+
+	iterator = this->checklists->create_iterator(this->checklists, TRUE);
+	while (iterator->iterate(iterator, (void**)&current))
+	{
+		if (current == checklist)
+		{
+			iterator->remove(iterator);
+			break;
+		}
+	}
+	iterator->destroy(iterator);
+}
+
+/**
+ * Checks if a list of endpoint_notify_t contains a certain host_t
+ */
+static bool match_endpoint_by_host(endpoint_notify_t *current, host_t *host)
+{
+	return host->equals(host, current->get_host(current));
+}
+
+static status_t endpoints_contain(linked_list_t *endpoints, host_t *host,
+								  endpoint_notify_t **endpoint)
+{
+	return endpoints->find_first(endpoints,
+								 (linked_list_match_t)match_endpoint_by_host,
+								 (void**)endpoint, host);
+}
+
+/**
+ * Inserts an endpoint pair into a list of pairs ordered by priority (high to low)
+ */
+static void insert_pair_by_priority(linked_list_t *pairs, endpoint_pair_t *pair)
+{
+	iterator_t *iterator;
+	endpoint_pair_t *current;
+	bool inserted = FALSE;
+
+	iterator = pairs->create_iterator(pairs, TRUE);
+	while (iterator->iterate(iterator, (void**)&current))
+	{
+		if (current->priority < pair->priority)
+		{
+			iterator->insert_before(iterator, pair);
+			inserted = TRUE;
+			break;
+		}
+	}
+	iterator->destroy(iterator);
+
+	if (!inserted)
+	{
+		pairs->insert_last(pairs, pair);
+	}
+}
+
+/**
+ * Searches a list of endpoint_pair_t for a pair with specific host_ts
+ */
+static bool match_pair_by_hosts(endpoint_pair_t *current, host_t *local,
+								host_t *remote)
+{
+	return local->equals(local, current->local) && remote->equals(remote, current->remote);
+}
+
+static status_t get_pair_by_hosts(linked_list_t *pairs, host_t *local,
+								  host_t *remote, endpoint_pair_t **pair)
+{
+	return pairs->find_first(pairs, (linked_list_match_t)match_pair_by_hosts,
+							 (void**)pair, local, remote);
+}
+
+static bool match_pair_by_id(endpoint_pair_t *current, u_int32_t *id)
+{
+	return current->id == *id;
+}
+
+/**
+ * Searches for a pair with a specific id
+ */
+static status_t get_pair_by_id(check_list_t *checklist, u_int32_t id,
+							   endpoint_pair_t **pair)
+{
+	return checklist->pairs->find_first(checklist->pairs,
+										(linked_list_match_t)match_pair_by_id,
+										(void**)pair, &id);
+}
+
+static bool match_succeeded_pair(endpoint_pair_t *current)
+{
+	return current->state == CHECK_SUCCEEDED;
+}
+
+/**
+ * Returns the best pair of state CHECK_SUCCEEDED from a checklist.
+ */
+static status_t get_best_valid_pair(check_list_t *checklist,
+									endpoint_pair_t **pair)
+{
+	return checklist->pairs->find_first(checklist->pairs,
+									(linked_list_match_t)match_succeeded_pair,
+									(void**)pair);
+}
+
+static bool match_waiting_pair(endpoint_pair_t *current)
+{
+	return current->state == CHECK_WAITING;
+}
+
+/**
+ * Returns and *removes* the first triggered pair in state CHECK_WAITING.
+ */
+static status_t get_triggered_pair(check_list_t *checklist,
+								   endpoint_pair_t **pair)
+{
+	iterator_t *iterator;
+	endpoint_pair_t *current;
+	status_t status = NOT_FOUND;
+
+	iterator = checklist->triggered->create_iterator(checklist->triggered, TRUE);
+	while (iterator->iterate(iterator, (void**)&current))
+	{
+		iterator->remove(iterator);
+
+		if (current->state == CHECK_WAITING)
+		{
+			if (pair)
+			{
+				*pair = current;
+			}
+			status = SUCCESS;
+			break;
+		}
+	}
+	iterator->destroy(iterator);
+
+	return status;
+}
+
+/**
+ * Prints all the pairs on a checklist
+ */
+static void print_checklist(check_list_t *checklist)
+{
+	iterator_t *iterator;
+	endpoint_pair_t *current;
+
+	DBG1(DBG_IKE, "pairs on checklist %#B:", &checklist->connect_id);
+	iterator = checklist->pairs->create_iterator(checklist->pairs, TRUE);
+	while (iterator->iterate(iterator, (void**)&current))
+	{
+		DBG1(DBG_IKE, " * %#H - %#H (%d)", current->local, current->remote,
+			 current->priority);
+	}
+	iterator->destroy(iterator);
+}
+
+/**
+ * Prunes identical pairs with lower priority from the list
+ * Note: this function also numbers the remaining pairs serially
+ */
+static void prune_pairs(linked_list_t *pairs)
+{
+	iterator_t *iterator, *search;
+	endpoint_pair_t *current, *other;
+	u_int32_t id = 0;
+
+	iterator = pairs->create_iterator(pairs, TRUE);
+	search = pairs->create_iterator(pairs, TRUE);
+	while (iterator->iterate(iterator, (void**)&current))
+	{
+		current->id = ++id;
+
+		while (search->iterate(search, (void**)&other))
+		{
+			if (current == other)
+			{
+				continue;
+			}
+
+			if (current->local->equals(current->local, other->local) &&
+				current->remote->equals(current->remote, other->remote))
+			{
+				/* since the list of pairs is sorted by priority in descending
+				 * order, and we iterate the list from the beginning, we are
+				 * sure that the priority of 'other' is lower than that of
+				 * 'current', remove it */
+				DBG1(DBG_IKE, "pruning endpoint pair %#H - %#H with priority %d",
+					 other->local, other->remote, other->priority);
+				search->remove(search);
+				endpoint_pair_destroy(other);
+			}
+		}
+		search->reset(search);
+	}
+	search->destroy(search);
+	iterator->destroy(iterator);
+}
+
+/**
+ * Builds a list of endpoint pairs
+ */
+static void build_pairs(check_list_t *checklist)
+{
+	/* FIXME: limit endpoints and pairs */
+	iterator_t *iterator_i, *iterator_r;
+	endpoint_notify_t *initiator, *responder;
+
+	iterator_i = checklist->initiator.endpoints->create_iterator(
+										checklist->initiator.endpoints, TRUE);
+	while (iterator_i->iterate(iterator_i, (void**)&initiator))
+	{
+		iterator_r = checklist->responder.endpoints->create_iterator(
+										checklist->responder.endpoints, TRUE);
+		while (iterator_r->iterate(iterator_r, (void**)&responder))
+		{
+			if (initiator->get_family(initiator) != responder->get_family(responder))
+			{
+				continue;
+			}
+
+			insert_pair_by_priority(checklist->pairs, endpoint_pair_create(
+							initiator, responder, checklist->is_initiator));
+		}
+		iterator_r->destroy(iterator_r);
+	}
+	iterator_i->destroy(iterator_i);
+
+	print_checklist(checklist);
+
+	prune_pairs(checklist->pairs);
+}
+
+/**
+ * Processes the payloads of a connectivity check and returns the extracted data
+ */
+static status_t process_payloads(message_t *message, check_t *check)
+{
+	enumerator_t *enumerator;
+	payload_t *payload;
+
+	enumerator = message->create_payload_enumerator(message);
+	while (enumerator->enumerate(enumerator, &payload))
+	{
+		if (payload->get_type(payload) != NOTIFY)
+		{
+			DBG1(DBG_IKE, "ignoring payload of type '%N' while processing "
+				 "connectivity check", payload_type_names,
+				 payload->get_type(payload));
+			continue;
+		}
+
+		notify_payload_t *notify = (notify_payload_t*)payload;
+
+		switch (notify->get_notify_type(notify))
+		{
+			case ME_ENDPOINT:
+			{
+				if (check->endpoint)
+				{
+					DBG1(DBG_IKE, "connectivity check contains multiple "
+						 "ME_ENDPOINT notifies");
+					break;
+				}
+
+				endpoint_notify_t *endpoint = endpoint_notify_create_from_payload(notify);
+				if (!endpoint)
+				{
+					DBG1(DBG_IKE, "received invalid ME_ENDPOINT notify");
+					break;
+				}
+				check->endpoint = endpoint;
+				check->endpoint_raw = chunk_clone(notify->get_notification_data(notify));
+				DBG2(DBG_IKE, "received ME_ENDPOINT notify");
+				break;
+			}
+			case ME_CONNECTID:
+			{
+				if (check->connect_id.ptr)
+				{
+					DBG1(DBG_IKE, "connectivity check contains multiple "
+						 "ME_CONNECTID notifies");
+					break;
+				}
+				check->connect_id = chunk_clone(notify->get_notification_data(notify));
+				DBG2(DBG_IKE, "received ME_CONNECTID %#B", &check->connect_id);
+				break;
+			}
+			case ME_CONNECTAUTH:
+			{
+				if (check->auth.ptr)
+				{
+					DBG1(DBG_IKE, "connectivity check contains multiple "
+						 "ME_CONNECTAUTH notifies");
+					break;
+				}
+				check->auth = chunk_clone(notify->get_notification_data(notify));
+				DBG2(DBG_IKE, "received ME_CONNECTAUTH %#B", &check->auth);
+				break;
+			}
+			default:
+				break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	if (!check->connect_id.ptr || !check->endpoint || !check->auth.ptr)
+	{
+		DBG1(DBG_IKE, "at least one required payload was missing from the "
+			 "connectivity check");
+		return FAILED;
+	}
+
+	return SUCCESS;
+}
+
+/**
+ * Builds the signature for a connectivity check
+ */
+static chunk_t build_signature(private_connect_manager_t *this,
+		check_list_t *checklist, check_t *check, bool outbound)
+{
+	u_int32_t mid;
+	chunk_t mid_chunk, key_chunk, sig_chunk;
+	chunk_t sig_hash;
+
+	mid = htonl(check->mid);
+	mid_chunk = chunk_from_thing(mid);
+
+	key_chunk = (checklist->is_initiator && outbound) || (!checklist->is_initiator && !outbound)
+					? checklist->initiator.key : checklist->responder.key;
+
+	/* signature = SHA1( MID | ME_CONNECTID | ME_ENDPOINT | ME_CONNECTKEY ) */
+	sig_chunk = chunk_cat("cccc", mid_chunk, check->connect_id,
+						  check->endpoint_raw, key_chunk);
+	this->hasher->allocate_hash(this->hasher, sig_chunk, &sig_hash);
+	DBG3(DBG_IKE, "sig_chunk %#B", &sig_chunk);
+	DBG3(DBG_IKE, "sig_hash %#B", &sig_hash);
+
+	chunk_free(&sig_chunk);
+	return sig_hash;
+}
+
+static void queue_retransmission(private_connect_manager_t *this, check_list_t *checklist, endpoint_pair_t *pair);
+static void schedule_checks(private_connect_manager_t *this, check_list_t *checklist, u_int32_t time);
+static void finish_checks(private_connect_manager_t *this, check_list_t *checklist);
+
+/**
+ * After one of the initiator's pairs has succeeded we finish the checks without
+ * waiting for all the timeouts
+ */
+static job_requeue_t initiator_finish(callback_data_t *data)
+{
+	private_connect_manager_t *this = data->connect_manager;
+
+	this->mutex->lock(this->mutex);
+
+	check_list_t *checklist;
+	if (get_checklist_by_id(this, data->connect_id, &checklist) != SUCCESS)
+	{
+		DBG1(DBG_IKE, "checklist with id '%#B' not found, can't finish "
+			 "connectivity checks", &data->connect_id);
+		this->mutex->unlock(this->mutex);
+		return JOB_REQUEUE_NONE;
+	}
+
+	finish_checks(this, checklist);
+
+	this->mutex->unlock(this->mutex);
+
+	return JOB_REQUEUE_NONE;
+}
+
+/**
+ * Updates the state of the whole checklist
+ */
+static void update_checklist_state(private_connect_manager_t *this,
+								   check_list_t *checklist)
+{
+	iterator_t *iterator;
+	endpoint_pair_t *current;
+	bool in_progress = FALSE, succeeded = FALSE;
+
+	iterator = checklist->pairs->create_iterator(checklist->pairs, TRUE);
+	while (iterator->iterate(iterator, (void**)&current))
+	{
+		switch(current->state)
+		{
+			case CHECK_WAITING:
+				/* at least one is still waiting -> checklist remains
+				 * in waiting state */
+				iterator->destroy(iterator);
+				return;
+			case CHECK_IN_PROGRESS:
+				in_progress = TRUE;
+				break;
+			case CHECK_SUCCEEDED:
+				succeeded = TRUE;
+				break;
+			default:
+				break;
+		}
+	}
+	iterator->destroy(iterator);
+
+	if (checklist->is_initiator && succeeded && !checklist->is_finishing)
+	{
+		/* instead of waiting until all checks have finished (i.e. all
+		 * retransmissions have failed) the initiator finishes the checks
+		 * right after the first check has succeeded. to allow a probably
+		 * better pair to succeed, we still wait a certain time */
+		DBG2(DBG_IKE, "fast finishing checks for checklist '%#B'",
+			 &checklist->connect_id);
+
+		callback_data_t *data = callback_data_create(this, checklist->connect_id);
+		job_t *job = (job_t*)callback_job_create((callback_job_cb_t)initiator_finish, data, (callback_job_cleanup_t)callback_data_destroy, NULL);
+		charon->scheduler->schedule_job_ms(charon->scheduler, job, ME_WAIT_TO_FINISH);
+		checklist->is_finishing = TRUE;
+	}
+
+	if (in_progress)
+	{
+		checklist->state = CHECK_IN_PROGRESS;
+	}
+	else if (succeeded)
+	{
+		checklist->state = CHECK_SUCCEEDED;
+	}
+	else
+	{
+		checklist->state = CHECK_FAILED;
+	}
+}
+
+/**
+ * This function is triggered for each sent check after a specific timeout
+ */
+static job_requeue_t retransmit(callback_data_t *data)
+{
+	private_connect_manager_t *this = data->connect_manager;
+
+	this->mutex->lock(this->mutex);
+
+	check_list_t *checklist;
+	if (get_checklist_by_id(this, data->connect_id, &checklist) != SUCCESS)
+	{
+		DBG1(DBG_IKE, "checklist with id '%#B' not found, can't retransmit "
+			 "connectivity check", &data->connect_id);
+		this->mutex->unlock(this->mutex);
+		return JOB_REQUEUE_NONE;
+	}
+
+	endpoint_pair_t *pair;
+	if (get_pair_by_id(checklist, data->mid, &pair) != SUCCESS)
+	{
+		DBG1(DBG_IKE, "pair with id '%d' not found, can't retransmit "
+			 "connectivity check", data->mid);
+		goto retransmit_end;
+	}
+
+	if (pair->state != CHECK_IN_PROGRESS)
+	{
+		DBG2(DBG_IKE, "pair with id '%d' is in wrong state [%d], don't "
+			 "retransmit the connectivity check", data->mid, pair->state);
+		goto retransmit_end;
+	}
+
+	if (++pair->retransmitted > ME_MAX_RETRANS)
+	{
+		DBG2(DBG_IKE, "pair with id '%d' failed after %d retransmissions",
+			 data->mid, ME_MAX_RETRANS);
+		pair->state = CHECK_FAILED;
+		goto retransmit_end;
+	}
+
+	charon->sender->send(charon->sender, pair->packet->clone(pair->packet));
+
+	queue_retransmission(this, checklist, pair);
+
+retransmit_end:
+	update_checklist_state(this, checklist);
+
+	switch(checklist->state)
+	{
+		case CHECK_SUCCEEDED:
+		case CHECK_FAILED:
+			finish_checks(this, checklist);
+			break;
+		default:
+			break;
+	}
+
+	this->mutex->unlock(this->mutex);
+
+	/* we reschedule it manually */
+	return JOB_REQUEUE_NONE;
+}
+
+/**
+ * Queues a retransmission job
+ */
+static void queue_retransmission(private_connect_manager_t *this, check_list_t *checklist, endpoint_pair_t *pair)
+{
+	callback_data_t *data = retransmit_data_create(this, checklist->connect_id, pair->id);
+	job_t *job = (job_t*)callback_job_create((callback_job_cb_t)retransmit, data, (callback_job_cleanup_t)callback_data_destroy, NULL);
+
+	u_int32_t retransmission = pair->retransmitted + 1;
+	u_int32_t rto = ME_INTERVAL;
+	if (retransmission > ME_BOOST)
+	{
+		rto = (u_int32_t)(ME_INTERVAL * pow(ME_RETRANS_BASE, retransmission - ME_BOOST));
+	}
+	DBG2(DBG_IKE, "scheduling retransmission %d of pair '%d' in %dms",
+		 retransmission, pair->id, rto);
+
+	charon->scheduler->schedule_job_ms(charon->scheduler, (job_t*)job, rto);
+}
+
+/**
+ * Sends a check
+ */
+static void send_check(private_connect_manager_t *this, check_list_t *checklist,
+		check_t *check, endpoint_pair_t *pair, bool request)
+{
+	message_t *message = message_create();
+	message->set_message_id(message, check->mid);
+	message->set_exchange_type(message, INFORMATIONAL);
+	message->set_request(message, request);
+	message->set_destination(message, check->dst->clone(check->dst));
+	message->set_source(message, check->src->clone(check->src));
+
+	ike_sa_id_t *ike_sa_id = ike_sa_id_create(0, 0, request);
+	message->set_ike_sa_id(message, ike_sa_id);
+	ike_sa_id->destroy(ike_sa_id);
+
+	message->add_notify(message, FALSE, ME_CONNECTID, check->connect_id);
+	DBG2(DBG_IKE, "send ME_CONNECTID %#B", &check->connect_id);
+
+	notify_payload_t *endpoint = check->endpoint->build_notify(check->endpoint);
+	check->endpoint_raw = chunk_clone(endpoint->get_notification_data(endpoint));
+	message->add_payload(message, (payload_t*)endpoint);
+	DBG2(DBG_IKE, "send ME_ENDPOINT notify");
+
+	check->auth = build_signature(this, checklist, check, TRUE);
+	message->add_notify(message, FALSE, ME_CONNECTAUTH, check->auth);
+	DBG2(DBG_IKE, "send ME_CONNECTAUTH %#B", &check->auth);
+
+	packet_t *packet;
+	if (message->generate(message, NULL, NULL, &packet) == SUCCESS)
+	{
+		charon->sender->send(charon->sender, packet->clone(packet));
+
+		if (request)
+		{
+			DESTROY_IF(pair->packet);
+			pair->packet = packet;
+			pair->retransmitted = 0;
+			queue_retransmission(this, checklist, pair);
+		}
+		else
+		{
+			packet->destroy(packet);
+		}
+	}
+	message->destroy(message);
+}
+
+/**
+ * Queues a triggered check
+ */
+static void queue_triggered_check(private_connect_manager_t *this,
+		check_list_t *checklist, endpoint_pair_t *pair)
+{
+	DBG2(DBG_IKE, "queueing triggered check for pair '%d'", pair->id);
+	pair->state = CHECK_WAITING;
+	checklist->triggered->insert_last(checklist->triggered, pair);
+
+	if (!checklist->sender)
+	{
+		/* if the sender is not running we restart it */
+		schedule_checks(this, checklist, ME_INTERVAL);
+	}
+}
+
+/**
+ * This function is triggered for each checklist at a specific interval
+ */
+static job_requeue_t sender(callback_data_t *data)
+{
+	private_connect_manager_t *this = data->connect_manager;
+
+	this->mutex->lock(this->mutex);
+
+	check_list_t *checklist;
+	if (get_checklist_by_id(this, data->connect_id, &checklist) != SUCCESS)
+	{
+		DBG1(DBG_IKE, "checklist with id '%#B' not found, can't send "
+			 "connectivity check", &data->connect_id);
+		this->mutex->unlock(this->mutex);
+		return JOB_REQUEUE_NONE;
+	}
+
+	/* reset the sender */
+	checklist->sender = NULL;
+
+	endpoint_pair_t *pair;
+	if (get_triggered_pair(checklist, &pair) != SUCCESS)
+	{
+		DBG1(DBG_IKE, "no triggered check queued, sending an ordinary check");
+
+		if (checklist->pairs->find_first(checklist->pairs,
+									(linked_list_match_t)match_waiting_pair,
+									(void**)&pair) != SUCCESS)
+		{
+			this->mutex->unlock(this->mutex);
+			DBG1(DBG_IKE, "no pairs in waiting state, aborting");
+			return JOB_REQUEUE_NONE;
+		}
+	}
+	else
+	{
+		DBG1(DBG_IKE, "triggered check found");
+	}
+
+	check_t *check = check_create();
+	check->mid = pair->id;
+	check->src = pair->local->clone(pair->local);
+	check->dst = pair->remote->clone(pair->remote);
+	check->connect_id = chunk_clone(checklist->connect_id);
+	check->endpoint = endpoint_notify_create_from_host(PEER_REFLEXIVE, NULL,
+													   NULL);
+
+	pair->state = CHECK_IN_PROGRESS;
+
+	send_check(this, checklist, check, pair, TRUE);
+
+	check_destroy(check);
+
+	/* schedule this job again */
+	schedule_checks(this, checklist, ME_INTERVAL);
+
+	this->mutex->unlock(this->mutex);
+
+	/* we reschedule it manually */
+	return JOB_REQUEUE_NONE;
+}
+
+/**
+ * Schedules checks for a checklist (time in ms)
+ */
+static void schedule_checks(private_connect_manager_t *this, check_list_t *checklist, u_int32_t time)
+{
+	callback_data_t *data = callback_data_create(this, checklist->connect_id);
+	checklist->sender = (job_t*)callback_job_create((callback_job_cb_t)sender, data, (callback_job_cleanup_t)callback_data_destroy, NULL);
+	charon->scheduler->schedule_job_ms(charon->scheduler, checklist->sender, time);
+}
+
+/**
+ * Initiates waiting mediated connections
+ */
+static job_requeue_t initiate_mediated(initiate_data_t *data)
+{
+	check_list_t *checklist = data->checklist;
+	initiated_t *initiated = data->initiated;
+
+	endpoint_pair_t *pair;
+	if (get_best_valid_pair(checklist, &pair) == SUCCESS)
+	{
+		ike_sa_id_t *waiting_sa;
+		iterator_t *iterator = initiated->mediated->create_iterator(initiated->mediated, TRUE);
+		while (iterator->iterate(iterator, (void**)&waiting_sa))
+		{
+			ike_sa_t *sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager, waiting_sa);
+			if (sa->initiate_mediated(sa, pair->local, pair->remote, checklist->connect_id) != SUCCESS)
+			{
+				DBG1(DBG_IKE, "establishing mediated connection failed");
+				charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, sa);
+			}
+			charon->ike_sa_manager->checkin(charon->ike_sa_manager, sa);
+		}
+		iterator->destroy(iterator);
+	}
+	else
+	{
+		/* this should (can?) not happen */
+	}
+
+	return JOB_REQUEUE_NONE;
+}
+
+/**
+ * Finishes checks for a checklist
+ */
+static void finish_checks(private_connect_manager_t *this, check_list_t *checklist)
+{
+	if (checklist->is_initiator)
+	{
+		initiated_t *initiated;
+		if (get_initiated_by_ids(this, checklist->initiator.id,
+				checklist->responder.id, &initiated) == SUCCESS)
+		{
+			remove_checklist(this, checklist);
+			remove_initiated(this, initiated);
+
+			initiate_data_t *data = initiate_data_create(checklist, initiated);
+			job_t *job = (job_t*)callback_job_create((callback_job_cb_t)initiate_mediated, data, (callback_job_cleanup_t)initiate_data_destroy, NULL);
+			charon->processor->queue_job(charon->processor, job);
+			return;
+		}
+		else
+		{
+			DBG1(DBG_IKE, "there is no mediated connection waiting between '%Y'"
+				 " and '%Y'", checklist->initiator.id, checklist->responder.id);
+		}
+	}
+}
+
+/**
+ * Process the response to one of our requests
+ */
+static void process_response(private_connect_manager_t *this, check_t *check,
+		check_list_t *checklist)
+{
+	endpoint_pair_t *pair;
+	if (get_pair_by_id(checklist, check->mid, &pair) == SUCCESS)
+	{
+		if (pair->local->equals(pair->local, check->dst) &&
+			pair->remote->equals(pair->remote, check->src))
+		{
+			DBG1(DBG_IKE, "endpoint pair '%d' is valid: '%#H' - '%#H'",
+				 pair->id, pair->local, pair->remote);
+			pair->state = CHECK_SUCCEEDED;
+		}
+
+		linked_list_t *local_endpoints = checklist->is_initiator ?
+			checklist->initiator.endpoints : checklist->responder.endpoints;
+
+		endpoint_notify_t *local_endpoint;
+		if (endpoints_contain(local_endpoints,
+							  check->endpoint->get_host(check->endpoint),
+							  &local_endpoint) != SUCCESS)
+		{
+			local_endpoint = endpoint_notify_create_from_host(PEER_REFLEXIVE,
+					check->endpoint->get_host(check->endpoint), pair->local);
+			local_endpoint->set_priority(local_endpoint,
+								check->endpoint->get_priority(check->endpoint));
+			local_endpoints->insert_last(local_endpoints, local_endpoint);
+		}
+
+		update_checklist_state(this, checklist);
+
+		switch(checklist->state)
+		{
+			case CHECK_SUCCEEDED:
+			case CHECK_FAILED:
+				finish_checks(this, checklist);
+				break;
+			default:
+				break;
+		}
+	}
+	else
+	{
+		DBG1(DBG_IKE, "pair with id '%d' not found", check->mid);
+	}
+}
+
+static void process_request(private_connect_manager_t *this, check_t *check,
+							check_list_t *checklist)
+{
+	linked_list_t *remote_endpoints = checklist->is_initiator ?
+				checklist->responder.endpoints : checklist->initiator.endpoints;
+
+	endpoint_notify_t *peer_reflexive, *remote_endpoint;
+	peer_reflexive = endpoint_notify_create_from_host(PEER_REFLEXIVE,
+													  check->src, NULL);
+	peer_reflexive->set_priority(peer_reflexive,
+							check->endpoint->get_priority(check->endpoint));
+
+	if (endpoints_contain(remote_endpoints, check->src, &remote_endpoint) != SUCCESS)
+	{
+		remote_endpoint = peer_reflexive->clone(peer_reflexive);
+		remote_endpoints->insert_last(remote_endpoints, remote_endpoint);
+	}
+
+	endpoint_pair_t *pair;
+	if (get_pair_by_hosts(checklist->pairs, check->dst, check->src,
+						  &pair) == SUCCESS)
+	{
+		switch(pair->state)
+		{
+			case CHECK_IN_PROGRESS:
+				/* prevent retransmissions */
+				pair->retransmitted = ME_MAX_RETRANS;
+				/* FIXME: we should wait to the next rto to send the triggered
+				 * check */
+				/* fall-through */
+			case CHECK_WAITING:
+			case CHECK_FAILED:
+				queue_triggered_check(this, checklist, pair);
+				break;
+			case CHECK_SUCCEEDED:
+			default:
+				break;
+		}
+	}
+	else
+	{
+		endpoint_notify_t *local_endpoint = endpoint_notify_create_from_host(HOST, check->dst, NULL);
+
+		endpoint_notify_t *initiator = checklist->is_initiator ? local_endpoint : remote_endpoint;
+		endpoint_notify_t *responder = checklist->is_initiator ? remote_endpoint : local_endpoint;
+
+		pair = endpoint_pair_create(initiator, responder, checklist->is_initiator);
+		pair->id = checklist->pairs->get_count(checklist->pairs) + 1;
+
+		insert_pair_by_priority(checklist->pairs, pair);
+
+		queue_triggered_check(this, checklist, pair);
+
+		local_endpoint->destroy(local_endpoint);
+	}
+
+	check_t *response = check_create();
+
+	response->mid = check->mid;
+	response->src = check->dst->clone(check->dst);
+	response->dst = check->src->clone(check->src);
+	response->connect_id = chunk_clone(check->connect_id);
+	response->endpoint = peer_reflexive;
+
+	send_check(this, checklist, response, pair, FALSE);
+
+	check_destroy(response);
+}
+
+/**
+ * Implementation of connect_manager_t.process_check.
+ */
+static void process_check(private_connect_manager_t *this, message_t *message)
+{
+	if (message->parse_body(message, NULL, NULL) != SUCCESS)
+	{
+		DBG1(DBG_IKE, "%N %s with message ID %d processing failed",
+			 exchange_type_names, message->get_exchange_type(message),
+			 message->get_request(message) ? "request" : "response",
+			 message->get_message_id(message));
+		return;
+	}
+
+	check_t *check = check_create();
+	check->mid = message->get_message_id(message);
+	check->src = message->get_source(message);
+	check->src = check->src->clone(check->src);
+	check->dst = message->get_destination(message);
+	check->dst = check->dst->clone(check->dst);
+
+	if (process_payloads(message, check) != SUCCESS)
+	{
+		DBG1(DBG_IKE, "invalid connectivity check %s received",
+			 message->get_request(message) ? "request" : "response");
+		check_destroy(check);
+		return;
+	}
+
+	this->mutex->lock(this->mutex);
+
+	check_list_t *checklist;
+	if (get_checklist_by_id(this, check->connect_id, &checklist) != SUCCESS)
+	{
+		DBG1(DBG_IKE, "checklist with id '%#B' not found",
+			 &check->connect_id);
+		check_destroy(check);
+		this->mutex->unlock(this->mutex);
+		return;
+	}
+
+	chunk_t sig = build_signature(this, checklist, check, FALSE);
+	if (!chunk_equals(sig, check->auth))
+	{
+		DBG1(DBG_IKE, "connectivity check verification failed");
+		check_destroy(check);
+		chunk_free(&sig);
+		this->mutex->unlock(this->mutex);
+		return;
+	}
+	chunk_free(&sig);
+
+	if (message->get_request(message))
+	{
+		process_request(this, check, checklist);
+	}
+	else
+	{
+		process_response(this, check, checklist);
+	}
+
+	this->mutex->unlock(this->mutex);
+
+	check_destroy(check);
+}
+
+/**
+ * Implementation of connect_manager_t.check_and_register.
+ */
+static bool check_and_register(private_connect_manager_t *this,
+			identification_t *id, identification_t *peer_id,
+			ike_sa_id_t *mediated_sa)
+{
+	initiated_t *initiated;
+	bool already_there = TRUE;
+
+	this->mutex->lock(this->mutex);
+
+	if (get_initiated_by_ids(this, id, peer_id, &initiated) != SUCCESS)
+	{
+		DBG2(DBG_IKE, "registered waiting mediated connection with '%Y'",
+			 peer_id);
+		initiated = initiated_create(id, peer_id);
+		this->initiated->insert_last(this->initiated, initiated);
+		already_there = FALSE;
+	}
+
+	if (initiated->mediated->find_first(initiated->mediated,
+								(linked_list_match_t)mediated_sa->equals,
+								NULL, mediated_sa) != SUCCESS)
+	{
+		initiated->mediated->insert_last(initiated->mediated,
+										 mediated_sa->clone(mediated_sa));
+	}
+
+	this->mutex->unlock(this->mutex);
+
+	return already_there;
+}
+
+/**
+ * Implementation of connect_manager_t.check_and_initiate.
+ */
+static void check_and_initiate(private_connect_manager_t *this,
+							   ike_sa_id_t *mediation_sa, identification_t *id,
+							   identification_t *peer_id)
+{
+	initiated_t *initiated;
+
+	this->mutex->lock(this->mutex);
+
+	if (get_initiated_by_ids(this, id, peer_id, &initiated) != SUCCESS)
+	{
+		DBG2(DBG_IKE, "no waiting mediated connections with '%Y'", peer_id);
+		this->mutex->unlock(this->mutex);
+		return;
+	}
+
+	ike_sa_id_t *waiting_sa;
+	iterator_t *iterator = initiated->mediated->create_iterator(
+													initiated->mediated, TRUE);
+	while (iterator->iterate(iterator, (void**)&waiting_sa))
+	{
+		job_t *job = (job_t*)reinitiate_mediation_job_create(mediation_sa,
+															 waiting_sa);
+		charon->processor->queue_job(charon->processor, job);
+	}
+	iterator->destroy(iterator);
+
+	this->mutex->unlock(this->mutex);
+}
+
+/**
+ * Implementation of connect_manager_t.set_initiator_data.
+ */
+static status_t set_initiator_data(private_connect_manager_t *this,
+								   identification_t *initiator,
+								   identification_t *responder,
+								   chunk_t connect_id, chunk_t key,
+								   linked_list_t *endpoints, bool is_initiator)
+{
+	check_list_t *checklist;
+
+	this->mutex->lock(this->mutex);
+
+	if (get_checklist_by_id(this, connect_id, NULL) == SUCCESS)
+	{
+		DBG1(DBG_IKE, "checklist with id '%#B' already exists, aborting",
+			 &connect_id);
+		this->mutex->unlock(this->mutex);
+		return FAILED;
+	}
+
+	checklist = check_list_create(initiator, responder, connect_id, key,
+								  endpoints, is_initiator);
+	this->checklists->insert_last(this->checklists, checklist);
+
+	this->mutex->unlock(this->mutex);
+
+	return SUCCESS;
+}
+
+/**
+ * Implementation of connect_manager_t.set_responder_data.
+ */
+static status_t set_responder_data(private_connect_manager_t *this,
+								   chunk_t connect_id, chunk_t key,
+								   linked_list_t *endpoints)
+{
+	check_list_t *checklist;
+
+	this->mutex->lock(this->mutex);
+
+	if (get_checklist_by_id(this, connect_id, &checklist) != SUCCESS)
+	{
+		DBG1(DBG_IKE, "checklist with id '%#B' not found",
+			 &connect_id);
+		this->mutex->unlock(this->mutex);
+		return NOT_FOUND;
+	}
+
+	checklist->responder.key = chunk_clone(key);
+	checklist->responder.endpoints = endpoints->clone_offset(endpoints,
+											offsetof(endpoint_notify_t, clone));
+	checklist->state = CHECK_WAITING;
+
+	build_pairs(checklist);
+
+	/* send the first check immediately */
+	schedule_checks(this, checklist, 0);
+
+	this->mutex->unlock(this->mutex);
+
+	return SUCCESS;
+}
+
+/**
+ * Implementation of connect_manager_t.stop_checks.
+ */
+static status_t stop_checks(private_connect_manager_t *this, chunk_t connect_id)
+{
+	check_list_t *checklist;
+
+	this->mutex->lock(this->mutex);
+
+	if (get_checklist_by_id(this, connect_id, &checklist) != SUCCESS)
+	{
+		DBG1(DBG_IKE, "checklist with id '%#B' not found",
+			 &connect_id);
+		this->mutex->unlock(this->mutex);
+		return NOT_FOUND;
+	}
+
+	DBG1(DBG_IKE, "removing checklist with id '%#B'", &connect_id);
+
+	remove_checklist(this, checklist);
+	check_list_destroy(checklist);
+
+	this->mutex->unlock(this->mutex);
+
+	return SUCCESS;
+}
+
+/**
+ * Implementation of connect_manager_t.destroy.
+ */
+static void destroy(private_connect_manager_t *this)
+{
+	this->mutex->lock(this->mutex);
+
+	this->hasher->destroy(this->hasher);
+	this->checklists->destroy_function(this->checklists, (void*)check_list_destroy);
+	this->initiated->destroy_function(this->initiated, (void*)initiated_destroy);
+
+	this->mutex->unlock(this->mutex);
+	this->mutex->destroy(this->mutex);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+connect_manager_t *connect_manager_create()
+{
+	private_connect_manager_t *this = malloc_thing(private_connect_manager_t);
+
+	this->public.destroy = (void(*)(connect_manager_t*))destroy;
+	this->public.check_and_register = (bool(*)(connect_manager_t*,identification_t*,identification_t*,ike_sa_id_t*))check_and_register;
+	this->public.check_and_initiate = (void(*)(connect_manager_t*,ike_sa_id_t*,identification_t*,identification_t*))check_and_initiate;
+	this->public.set_initiator_data = (status_t(*)(connect_manager_t*,identification_t*,identification_t*,chunk_t,chunk_t,linked_list_t*,bool))set_initiator_data;
+	this->public.set_responder_data = (status_t(*)(connect_manager_t*,chunk_t,chunk_t,linked_list_t*))set_responder_data;
+	this->public.process_check = (void(*)(connect_manager_t*,message_t*))process_check;
+	this->public.stop_checks = (status_t(*)(connect_manager_t*,chunk_t))stop_checks;
+
+	this->hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
+	if (this->hasher == NULL)
+	{
+		DBG1(DBG_IKE, "unable to create connect manager, SHA1 not supported");
+		free(this);
+		return NULL;
+	}
+
+	this->checklists = linked_list_create();
+	this->initiated = linked_list_create();
+
+	this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
+
+	return (connect_manager_t*)this;
+}
diff --git a/src/libcharon/sa/connect_manager.h b/src/libcharon/sa/connect_manager.h
new file mode 100644
index 000000000..8fa8ff697
--- /dev/null
+++ b/src/libcharon/sa/connect_manager.h
@@ -0,0 +1,126 @@
+/*
+ * Copyright (C) 2007-2008 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup connect_manager connect_manager
+ * @{ @ingroup sa
+ */
+
+#ifndef CONNECT_MANAGER_H_
+#define CONNECT_MANAGER_H_
+
+typedef struct connect_manager_t connect_manager_t;
+
+#include <encoding/message.h>
+#include <sa/ike_sa_id.h>
+#include <utils/identification.h>
+
+/**
+ * The connection manager is responsible for establishing a direct
+ * connection with another peer.
+ */
+struct connect_manager_t {
+
+	/**
+	 * Checks if a there is already a mediated connection registered
+	 * between two peers.
+	 *
+	 * @param id			my id
+	 * @param peer_id		the other peer's id
+	 * @param mediated_sa	the IKE_SA ID of the mediated connection
+	 * @returns
+	 *						- TRUE, if a mediated connection is registered
+	 *						- FALSE, otherwise
+	 */
+	bool (*check_and_register) (connect_manager_t *this, identification_t *id,
+								identification_t *peer_id,
+								ike_sa_id_t *mediated_sa);
+
+	/**
+	 * Checks if there are waiting connections with a specific peer.
+	 * If so, reinitiate them.
+	 *
+	 * @param id			my id
+	 * @param peer_id		the other peer's id
+	 */
+	void (*check_and_initiate) (connect_manager_t *this,
+								ike_sa_id_t *mediation_sa, identification_t *id,
+								identification_t *peer_id);
+
+	/**
+	 * Creates a checklist and sets the initiator's data.
+	 *
+	 * @param initiator		ID of the initiator
+	 * @param responder		ID of the responder
+	 * @param connect_id	the connect ID provided by the initiator
+	 * @param key			the initiator's key
+	 * @param endpoints		the initiator's endpoints
+	 * @param is_initiator	TRUE, if the caller of this method is the initiator
+	 * @returns				SUCCESS
+	 */
+	status_t (*set_initiator_data) (connect_manager_t *this,
+									identification_t *initiator,
+									identification_t *responder,
+									chunk_t connect_id, chunk_t key,
+									linked_list_t *endpoints,
+									bool is_initiator);
+
+	/**
+	 * Updates a checklist and sets the responder's data. The checklist's
+	 * state is advanced to WAITING which means that checks will be sent.
+	 *
+	 * @param connect_id	the connect ID
+	 * @param chunk_t		the responder's key
+	 * @param endpoints		the responder's endpoints
+	 * @returns
+	 *						- NOT_FOUND, if the checklist has not been found
+	 *						- SUCCESS, otherwise
+	 */
+	status_t (*set_responder_data) (connect_manager_t *this,
+									chunk_t connect_id, chunk_t key,
+									linked_list_t *endpoints);
+
+	/**
+	 * Stops checks for a checklist. Called after the responder received an
+	 * IKE_SA_INIT request which contains a ME_CONNECTID payload.
+	 *
+	 * @param connect_id	the connect ID
+	 * @returns
+	 *						- NOT_FOUND, if the checklist has not been found
+	 *						- SUCCESS, otherwise
+	 */
+	status_t (*stop_checks) (connect_manager_t *this, chunk_t connect_id);
+
+	/**
+	 * Processes a connectivity check
+	 *
+	 * @param message		the received message
+	 */
+	void (*process_check) (connect_manager_t *this, message_t *message);
+
+	/**
+	 * Destroys the manager with all data.
+	 */
+	void (*destroy) (connect_manager_t *this);
+};
+
+/**
+ * Create a manager.
+ *
+ * @returns	connect_manager_t object
+ */
+connect_manager_t *connect_manager_create(void);
+
+#endif /** CONNECT_MANAGER_H_ @}*/
diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c
new file mode 100644
index 000000000..023f0749f
--- /dev/null
+++ b/src/libcharon/sa/ike_sa.c
@@ -0,0 +1,2227 @@
+/*
+ * Copyright (C) 2006-2008 Tobias Brunner
+ * Copyright (C) 2006 Daniel Roethlisberger
+ * Copyright (C) 2005-2009 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <string.h>
+#include <sys/stat.h>
+#include <errno.h>
+#include <time.h>
+
+#include "ike_sa.h"
+
+#include <library.h>
+#include <daemon.h>
+#include <hydra.h>
+#include <utils/linked_list.h>
+#include <utils/lexparser.h>
+#include <sa/task_manager.h>
+#include <sa/tasks/ike_init.h>
+#include <sa/tasks/ike_natd.h>
+#include <sa/tasks/ike_mobike.h>
+#include <sa/tasks/ike_auth.h>
+#include <sa/tasks/ike_auth_lifetime.h>
+#include <sa/tasks/ike_config.h>
+#include <sa/tasks/ike_cert_pre.h>
+#include <sa/tasks/ike_cert_post.h>
+#include <sa/tasks/ike_rekey.h>
+#include <sa/tasks/ike_reauth.h>
+#include <sa/tasks/ike_delete.h>
+#include <sa/tasks/ike_dpd.h>
+#include <sa/tasks/ike_vendor.h>
+#include <sa/tasks/child_create.h>
+#include <sa/tasks/child_delete.h>
+#include <sa/tasks/child_rekey.h>
+#include <processing/jobs/retransmit_job.h>
+#include <processing/jobs/delete_ike_sa_job.h>
+#include <processing/jobs/send_dpd_job.h>
+#include <processing/jobs/send_keepalive_job.h>
+#include <processing/jobs/rekey_ike_sa_job.h>
+
+#ifdef ME
+#include <sa/tasks/ike_me.h>
+#include <processing/jobs/initiate_mediation_job.h>
+#endif
+
+ENUM(ike_sa_state_names, IKE_CREATED, IKE_DESTROYING,
+	"CREATED",
+	"CONNECTING",
+	"ESTABLISHED",
+	"PASSIVE",
+	"REKEYING",
+	"DELETING",
+	"DESTROYING",
+);
+
+typedef struct private_ike_sa_t private_ike_sa_t;
+typedef struct attribute_entry_t attribute_entry_t;
+
+/**
+ * Private data of an ike_sa_t object.
+ */
+struct private_ike_sa_t {
+
+	/**
+	 * Public members
+	 */
+	ike_sa_t public;
+
+	/**
+	 * Identifier for the current IKE_SA.
+	 */
+	ike_sa_id_t *ike_sa_id;
+
+	/**
+	 * unique numerical ID for this IKE_SA.
+	 */
+	u_int32_t unique_id;
+
+	/**
+	 * Current state of the IKE_SA
+	 */
+	ike_sa_state_t state;
+
+	/**
+	 * IKE configuration used to set up this IKE_SA
+	 */
+	ike_cfg_t *ike_cfg;
+
+	/**
+	 * Peer and authentication information to establish IKE_SA.
+	 */
+	peer_cfg_t *peer_cfg;
+
+	/**
+	 * currently used authentication ruleset, local (as auth_cfg_t)
+	 */
+	auth_cfg_t *my_auth;
+
+	/**
+	 * list of completed local authentication rounds
+	 */
+	linked_list_t *my_auths;
+
+	/**
+	 * list of completed remote authentication rounds
+	 */
+	linked_list_t *other_auths;
+
+	/**
+	 * currently used authentication constraints, remote (as auth_cfg_t)
+	 */
+	auth_cfg_t *other_auth;
+
+	/**
+	 * Selected IKE proposal
+	 */
+	proposal_t *proposal;
+
+	/**
+	 * Juggles tasks to process messages
+	 */
+	task_manager_t *task_manager;
+
+	/**
+	 * Address of local host
+	 */
+	host_t *my_host;
+
+	/**
+	 * Address of remote host
+	 */
+	host_t *other_host;
+
+#ifdef ME
+	/**
+	 * Are we mediation server
+	 */
+	bool is_mediation_server;
+
+	/**
+	 * Server reflexive host
+	 */
+	host_t *server_reflexive_host;
+
+	/**
+	 * Connect ID
+	 */
+	chunk_t connect_id;
+#endif /* ME */
+
+	/**
+	 * Identification used for us
+	 */
+	identification_t *my_id;
+
+	/**
+	 * Identification used for other
+	 */
+	identification_t *other_id;
+
+	/**
+	 * set of extensions the peer supports
+	 */
+	ike_extension_t extensions;
+
+	/**
+	 * set of condition flags currently enabled for this IKE_SA
+	 */
+	ike_condition_t conditions;
+
+	/**
+	 * Linked List containing the child sa's of the current IKE_SA.
+	 */
+	linked_list_t *child_sas;
+
+	/**
+	 * keymat of this IKE_SA
+	 */
+	keymat_t *keymat;
+
+	/**
+	 * Virtual IP on local host, if any
+	 */
+	host_t *my_virtual_ip;
+
+	/**
+	 * Virtual IP on remote host, if any
+	 */
+	host_t *other_virtual_ip;
+
+	/**
+	 * List of configuration attributes (attribute_entry_t)
+	 */
+	linked_list_t *attributes;
+
+	/**
+	 * list of peers additional addresses, transmitted via MOBIKE
+	 */
+	linked_list_t *additional_addresses;
+
+	/**
+	 * previously value of received DESTINATION_IP hash
+	 */
+	chunk_t nat_detection_dest;
+
+	/**
+	 * number pending UPDATE_SA_ADDRESS (MOBIKE)
+	 */
+	u_int32_t pending_updates;
+
+	/**
+	 * NAT keep alive interval
+	 */
+	u_int32_t keepalive_interval;
+
+	/**
+	 * Timestamps for this IKE_SA
+	 */
+	u_int32_t stats[STAT_MAX];
+
+	/**
+	 * how many times we have retried so far (keyingtries)
+	 */
+	u_int32_t keyingtry;
+
+	/**
+	 * local host address to be used for IKE, set via MIGRATE kernel message
+	 */
+	host_t *local_host;
+
+	/**
+	 * remote host address to be used for IKE, set via MIGRATE kernel message
+	 */
+	host_t *remote_host;
+};
+
+/**
+ * Entry to maintain install configuration attributes during IKE_SA lifetime
+ */
+struct attribute_entry_t {
+	/** handler used to install this attribute */
+	attribute_handler_t *handler;
+	/** attribute type */
+	configuration_attribute_type_t type;
+	/** attribute data */
+	chunk_t data;
+};
+
+/**
+ * get the time of the latest traffic processed by the kernel
+ */
+static time_t get_use_time(private_ike_sa_t* this, bool inbound)
+{
+	enumerator_t *enumerator;
+	child_sa_t *child_sa;
+	time_t use_time, current;
+
+	if (inbound)
+	{
+		use_time = this->stats[STAT_INBOUND];
+	}
+	else
+	{
+		use_time = this->stats[STAT_OUTBOUND];
+	}
+	enumerator = this->child_sas->create_enumerator(this->child_sas);
+	while (enumerator->enumerate(enumerator, &child_sa))
+	{
+		child_sa->get_usestats(child_sa, inbound, &current, NULL);
+		use_time = max(use_time, current);
+	}
+	enumerator->destroy(enumerator);
+
+	return use_time;
+}
+
+/**
+ * Implementation of ike_sa_t.get_unique_id
+ */
+static u_int32_t get_unique_id(private_ike_sa_t *this)
+{
+	return this->unique_id;
+}
+
+/**
+ * Implementation of ike_sa_t.get_name.
+ */
+static char *get_name(private_ike_sa_t *this)
+{
+	if (this->peer_cfg)
+	{
+		return this->peer_cfg->get_name(this->peer_cfg);
+	}
+	return "(unnamed)";
+}
+
+/**
+ * Implementation of ike_sa_t.get_statistic.
+ */
+static u_int32_t get_statistic(private_ike_sa_t *this, statistic_t kind)
+{
+	if (kind < STAT_MAX)
+	{
+		return this->stats[kind];
+	}
+	return 0;
+}
+
+/**
+ * Implementation of ike_sa_t.get_my_host.
+ */
+static host_t *get_my_host(private_ike_sa_t *this)
+{
+	return this->my_host;
+}
+
+/**
+ * Implementation of ike_sa_t.set_my_host.
+ */
+static void set_my_host(private_ike_sa_t *this, host_t *me)
+{
+	DESTROY_IF(this->my_host);
+	this->my_host = me;
+}
+
+/**
+ * Implementation of ike_sa_t.get_other_host.
+ */
+static host_t *get_other_host(private_ike_sa_t *this)
+{
+	return this->other_host;
+}
+
+/**
+ * Implementation of ike_sa_t.set_other_host.
+ */
+static void set_other_host(private_ike_sa_t *this, host_t *other)
+{
+	DESTROY_IF(this->other_host);
+	this->other_host = other;
+}
+
+/**
+ * Implementation of ike_sa_t.get_peer_cfg
+ */
+static peer_cfg_t* get_peer_cfg(private_ike_sa_t *this)
+{
+	return this->peer_cfg;
+}
+
+/**
+ * Implementation of ike_sa_t.set_peer_cfg
+ */
+static void set_peer_cfg(private_ike_sa_t *this, peer_cfg_t *peer_cfg)
+{
+	DESTROY_IF(this->peer_cfg);
+	peer_cfg->get_ref(peer_cfg);
+	this->peer_cfg = peer_cfg;
+
+	if (this->ike_cfg == NULL)
+	{
+		this->ike_cfg = peer_cfg->get_ike_cfg(peer_cfg);
+		this->ike_cfg->get_ref(this->ike_cfg);
+	}
+}
+
+/**
+ * Implementation of ike_sa_t.get_auth_cfg
+ */
+static auth_cfg_t* get_auth_cfg(private_ike_sa_t *this, bool local)
+{
+	if (local)
+	{
+		return this->my_auth;
+	}
+	return this->other_auth;
+}
+
+/**
+ * Implementation of ike_sa_t.add_auth_cfg
+ */
+static void add_auth_cfg(private_ike_sa_t *this, bool local, auth_cfg_t *cfg)
+{
+	if (local)
+	{
+		this->my_auths->insert_last(this->my_auths, cfg);
+	}
+	else
+	{
+		this->other_auths->insert_last(this->other_auths, cfg);
+	}
+}
+
+/**
+ * Implementation of ike_sa_t.create_auth_cfg_enumerator
+ */
+static enumerator_t* create_auth_cfg_enumerator(private_ike_sa_t *this,
+												bool local)
+{
+	if (local)
+	{
+		return this->my_auths->create_enumerator(this->my_auths);
+	}
+	return this->other_auths->create_enumerator(this->other_auths);
+}
+
+/**
+ * Flush the stored authentication round information
+ */
+static void flush_auth_cfgs(private_ike_sa_t *this)
+{
+	auth_cfg_t *cfg;
+
+	if (lib->settings->get_bool(lib->settings, "charon.flush_auth_cfg", FALSE))
+	{
+		while (this->my_auths->remove_last(this->my_auths,
+										   (void**)&cfg) == SUCCESS)
+		{
+			cfg->destroy(cfg);
+		}
+		while (this->other_auths->remove_last(this->other_auths,
+											  (void**)&cfg) == SUCCESS)
+		{
+			cfg->destroy(cfg);
+		}
+	}
+}
+
+/**
+ * Implementation of ike_sa_t.get_proposal
+ */
+static proposal_t* get_proposal(private_ike_sa_t *this)
+{
+	return this->proposal;
+}
+
+/**
+ * Implementation of ike_sa_t.set_proposal
+ */
+static void set_proposal(private_ike_sa_t *this, proposal_t *proposal)
+{
+	DESTROY_IF(this->proposal);
+	this->proposal = proposal->clone(proposal);
+}
+
+/**
+ * Implementation of ike_sa_t.set_message_id
+ */
+static void set_message_id(private_ike_sa_t *this, bool initiate, u_int32_t mid)
+{
+	if (initiate)
+	{
+		this->task_manager->reset(this->task_manager, mid, UINT_MAX);
+	}
+	else
+	{
+		this->task_manager->reset(this->task_manager, UINT_MAX, mid);
+	}
+}
+
+/**
+ * Implementation of ike_sa_t.send_keepalive
+ */
+static void send_keepalive(private_ike_sa_t *this)
+{
+	send_keepalive_job_t *job;
+	time_t last_out, now, diff;
+
+	if (!(this->conditions & COND_NAT_HERE) || this->keepalive_interval == 0)
+	{	/* disable keep alives if we are not NATed anymore */
+		return;
+	}
+
+	last_out = get_use_time(this, FALSE);
+	now = time_monotonic(NULL);
+
+	diff = now - last_out;
+
+	if (diff >= this->keepalive_interval)
+	{
+		packet_t *packet;
+		chunk_t data;
+
+		packet = packet_create();
+		packet->set_source(packet, this->my_host->clone(this->my_host));
+		packet->set_destination(packet, this->other_host->clone(this->other_host));
+		data.ptr = malloc(1);
+		data.ptr[0] = 0xFF;
+		data.len = 1;
+		packet->set_data(packet, data);
+		DBG1(DBG_IKE, "sending keep alive");
+		charon->sender->send(charon->sender, packet);
+		diff = 0;
+	}
+	job = send_keepalive_job_create(this->ike_sa_id);
+	charon->scheduler->schedule_job(charon->scheduler, (job_t*)job,
+									this->keepalive_interval - diff);
+}
+
+/**
+ * Implementation of ike_sa_t.get_ike_cfg
+ */
+static ike_cfg_t *get_ike_cfg(private_ike_sa_t *this)
+{
+	return this->ike_cfg;
+}
+
+/**
+ * Implementation of ike_sa_t.set_ike_cfg
+ */
+static void set_ike_cfg(private_ike_sa_t *this, ike_cfg_t *ike_cfg)
+{
+	ike_cfg->get_ref(ike_cfg);
+	this->ike_cfg = ike_cfg;
+}
+
+/**
+ * Implementation of ike_sa_t.enable_extension.
+ */
+static void enable_extension(private_ike_sa_t *this, ike_extension_t extension)
+{
+	this->extensions |= extension;
+}
+
+/**
+ * Implementation of ike_sa_t.has_extension.
+ */
+static bool supports_extension(private_ike_sa_t *this, ike_extension_t extension)
+{
+	return (this->extensions & extension) != FALSE;
+}
+
+/**
+ * Implementation of ike_sa_t.has_condition.
+ */
+static bool has_condition(private_ike_sa_t *this, ike_condition_t condition)
+{
+	return (this->conditions & condition) != FALSE;
+}
+
+/**
+ * Implementation of ike_sa_t.enable_condition.
+ */
+static void set_condition(private_ike_sa_t *this, ike_condition_t condition,
+						  bool enable)
+{
+	if (has_condition(this, condition) != enable)
+	{
+		if (enable)
+		{
+			this->conditions |= condition;
+			switch (condition)
+			{
+				case COND_NAT_HERE:
+					DBG1(DBG_IKE, "local host is behind NAT, sending keep alives");
+					this->conditions |= COND_NAT_ANY;
+					send_keepalive(this);
+					break;
+				case COND_NAT_THERE:
+					DBG1(DBG_IKE, "remote host is behind NAT");
+					this->conditions |= COND_NAT_ANY;
+					break;
+				case COND_NAT_FAKE:
+					DBG1(DBG_IKE, "faking NAT situation to enforce UDP encapsulation");
+					this->conditions |= COND_NAT_ANY;
+					break;
+				default:
+					break;
+			}
+		}
+		else
+		{
+			this->conditions &= ~condition;
+			switch (condition)
+			{
+				case COND_NAT_HERE:
+				case COND_NAT_FAKE:
+				case COND_NAT_THERE:
+					set_condition(this, COND_NAT_ANY,
+								  has_condition(this, COND_NAT_HERE) ||
+								  has_condition(this, COND_NAT_THERE) ||
+								  has_condition(this, COND_NAT_FAKE));
+					break;
+				default:
+					break;
+			}
+		}
+	}
+}
+
+/**
+ * Implementation of ike_sa_t.send_dpd
+ */
+static status_t send_dpd(private_ike_sa_t *this)
+{
+	job_t *job;
+	time_t diff, delay;
+
+	delay = this->peer_cfg->get_dpd(this->peer_cfg);
+
+	if (delay == 0)
+	{
+		/* DPD disabled */
+		return SUCCESS;
+	}
+
+	if (this->task_manager->busy(this->task_manager))
+	{
+		/* an exchange is in the air, no need to start a DPD check */
+		diff = 0;
+	}
+	else
+	{
+		/* check if there was any inbound traffic */
+		time_t last_in, now;
+		last_in = get_use_time(this, TRUE);
+		now = time_monotonic(NULL);
+		diff = now - last_in;
+		if (diff >= delay)
+		{
+			/* to long ago, initiate dead peer detection */
+			task_t *task;
+			ike_mobike_t *mobike;
+
+			if (supports_extension(this, EXT_MOBIKE) &&
+				has_condition(this, COND_NAT_HERE))
+			{
+				/* use mobike enabled DPD to detect NAT mapping changes */
+				mobike = ike_mobike_create(&this->public, TRUE);
+				mobike->dpd(mobike);
+				task = &mobike->task;
+			}
+			else
+			{
+				task = (task_t*)ike_dpd_create(TRUE);
+			}
+			diff = 0;
+			DBG1(DBG_IKE, "sending DPD request");
+
+			this->task_manager->queue_task(this->task_manager, task);
+			this->task_manager->initiate(this->task_manager);
+		}
+	}
+	/* recheck in "interval" seconds */
+	job = (job_t*)send_dpd_job_create(this->ike_sa_id);
+	charon->scheduler->schedule_job(charon->scheduler, job, delay - diff);
+	return SUCCESS;
+}
+
+/**
+ * Implementation of ike_sa_t.get_state.
+ */
+static ike_sa_state_t get_state(private_ike_sa_t *this)
+{
+	return this->state;
+}
+
+/**
+ * Implementation of ike_sa_t.set_state.
+ */
+static void set_state(private_ike_sa_t *this, ike_sa_state_t state)
+{
+	DBG2(DBG_IKE, "IKE_SA %s[%d] state change: %N => %N",
+		 get_name(this), this->unique_id,
+		 ike_sa_state_names, this->state,
+		 ike_sa_state_names, state);
+
+	switch (state)
+	{
+		case IKE_ESTABLISHED:
+		{
+			if (this->state == IKE_CONNECTING ||
+				this->state == IKE_PASSIVE)
+			{
+				job_t *job;
+				u_int32_t t;
+
+				/* calculate rekey, reauth and lifetime */
+				this->stats[STAT_ESTABLISHED] = time_monotonic(NULL);
+
+				/* schedule rekeying if we have a time which is smaller than
+				 * an already scheduled rekeying */
+				t = this->peer_cfg->get_rekey_time(this->peer_cfg);
+				if (t && (this->stats[STAT_REKEY] == 0 ||
+					(this->stats[STAT_REKEY] > t + this->stats[STAT_ESTABLISHED])))
+				{
+					this->stats[STAT_REKEY] = t + this->stats[STAT_ESTABLISHED];
+					job = (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, FALSE);
+					charon->scheduler->schedule_job(charon->scheduler, job, t);
+					DBG1(DBG_IKE, "scheduling rekeying in %ds", t);
+				}
+				t = this->peer_cfg->get_reauth_time(this->peer_cfg);
+				if (t && (this->stats[STAT_REAUTH] == 0 ||
+					(this->stats[STAT_REAUTH] > t + this->stats[STAT_ESTABLISHED])))
+				{
+					this->stats[STAT_REAUTH] = t + this->stats[STAT_ESTABLISHED];
+					job = (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE);
+					charon->scheduler->schedule_job(charon->scheduler, job, t);
+					DBG1(DBG_IKE, "scheduling reauthentication in %ds", t);
+				}
+				t = this->peer_cfg->get_over_time(this->peer_cfg);
+				if (this->stats[STAT_REKEY] || this->stats[STAT_REAUTH])
+				{
+					if (this->stats[STAT_REAUTH] == 0)
+					{
+						this->stats[STAT_DELETE] = this->stats[STAT_REKEY];
+					}
+					else if (this->stats[STAT_REKEY] == 0)
+					{
+						this->stats[STAT_DELETE] = this->stats[STAT_REAUTH];
+					}
+					else
+					{
+						this->stats[STAT_DELETE] = min(this->stats[STAT_REKEY],
+													   this->stats[STAT_REAUTH]);
+					}
+					this->stats[STAT_DELETE] += t;
+					t = this->stats[STAT_DELETE] - this->stats[STAT_ESTABLISHED];
+					job = (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE);
+					charon->scheduler->schedule_job(charon->scheduler, job, t);
+					DBG1(DBG_IKE, "maximum IKE_SA lifetime %ds", t);
+				}
+
+				/* start DPD checks */
+				send_dpd(this);
+			}
+			break;
+		}
+		case IKE_DELETING:
+		{
+			/* delete may fail if a packet gets lost, so set a timeout */
+			job_t *job = (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE);
+			charon->scheduler->schedule_job(charon->scheduler, job,
+											HALF_OPEN_IKE_SA_TIMEOUT);
+			break;
+		}
+		default:
+			break;
+	}
+	charon->bus->ike_state_change(charon->bus, &this->public, state);
+	this->state = state;
+}
+
+/**
+ * Implementation of ike_sa_t.reset
+ */
+static void reset(private_ike_sa_t *this)
+{
+	/*  the responder ID is reset, as peer may choose another one */
+	if (this->ike_sa_id->is_initiator(this->ike_sa_id))
+	{
+		this->ike_sa_id->set_responder_spi(this->ike_sa_id, 0);
+	}
+
+	set_state(this, IKE_CREATED);
+
+	this->task_manager->reset(this->task_manager, 0, 0);
+}
+
+/**
+ * Implementation of ike_sa_t.get_keymat
+ */
+static keymat_t* get_keymat(private_ike_sa_t *this)
+{
+	return this->keymat;
+}
+
+/**
+ * Implementation of ike_sa_t.set_virtual_ip
+ */
+static void set_virtual_ip(private_ike_sa_t *this, bool local, host_t *ip)
+{
+	if (local)
+	{
+		DBG1(DBG_IKE, "installing new virtual IP %H", ip);
+		if (charon->kernel_interface->add_ip(charon->kernel_interface, ip,
+											 this->my_host) == SUCCESS)
+		{
+			if (this->my_virtual_ip)
+			{
+				DBG1(DBG_IKE, "removing old virtual IP %H", this->my_virtual_ip);
+				charon->kernel_interface->del_ip(charon->kernel_interface,
+												 this->my_virtual_ip);
+			}
+			DESTROY_IF(this->my_virtual_ip);
+			this->my_virtual_ip = ip->clone(ip);
+		}
+		else
+		{
+			DBG1(DBG_IKE, "installing virtual IP %H failed", ip);
+			this->my_virtual_ip = NULL;
+		}
+	}
+	else
+	{
+		DESTROY_IF(this->other_virtual_ip);
+		this->other_virtual_ip = ip->clone(ip);
+	}
+}
+
+/**
+ * Implementation of ike_sa_t.get_virtual_ip
+ */
+static host_t* get_virtual_ip(private_ike_sa_t *this, bool local)
+{
+	if (local)
+	{
+		return this->my_virtual_ip;
+	}
+	else
+	{
+		return this->other_virtual_ip;
+	}
+}
+
+/**
+ * Implementation of ike_sa_t.add_additional_address.
+ */
+static void add_additional_address(private_ike_sa_t *this, host_t *host)
+{
+	this->additional_addresses->insert_last(this->additional_addresses, host);
+}
+
+/**
+ * Implementation of ike_sa_t.create_additional_address_iterator.
+ */
+static iterator_t* create_additional_address_iterator(private_ike_sa_t *this)
+{
+	return this->additional_addresses->create_iterator(
+											this->additional_addresses, TRUE);
+}
+
+/**
+ * Implementation of ike_sa_t.has_mapping_changed
+ */
+static bool has_mapping_changed(private_ike_sa_t *this, chunk_t hash)
+{
+	if (this->nat_detection_dest.ptr == NULL)
+	{
+		this->nat_detection_dest = chunk_clone(hash);
+		return FALSE;
+	}
+	if (chunk_equals(hash, this->nat_detection_dest))
+	{
+		return FALSE;
+	}
+	free(this->nat_detection_dest.ptr);
+	this->nat_detection_dest = chunk_clone(hash);
+	return TRUE;
+}
+
+/**
+ * Implementation of ike_sa_t.set_pending_updates.
+ */
+static void set_pending_updates(private_ike_sa_t *this, u_int32_t updates)
+{
+	this->pending_updates = updates;
+}
+
+/**
+ * Implementation of ike_sa_t.get_pending_updates.
+ */
+static u_int32_t get_pending_updates(private_ike_sa_t *this)
+{
+	return this->pending_updates;
+}
+
+/**
+ * Update hosts, as addresses may change (NAT)
+ */
+static void update_hosts(private_ike_sa_t *this, host_t *me, host_t *other)
+{
+	bool update = FALSE;
+
+	if (me == NULL)
+	{
+		me = this->my_host;
+	}
+	if (other == NULL)
+	{
+		other = this->other_host;
+	}
+
+	/* apply hosts on first received message */
+	if (this->my_host->is_anyaddr(this->my_host) ||
+		this->other_host->is_anyaddr(this->other_host))
+	{
+		set_my_host(this, me->clone(me));
+		set_other_host(this, other->clone(other));
+		update = TRUE;
+	}
+	else
+	{
+		/* update our address in any case */
+		if (!me->equals(me, this->my_host))
+		{
+			set_my_host(this, me->clone(me));
+			update = TRUE;
+		}
+
+		if (!other->equals(other, this->other_host))
+		{
+			/* update others adress if we are NOT NATed,
+			 * and allow port changes if we are NATed */
+			if (!has_condition(this, COND_NAT_HERE) ||
+				other->ip_equals(other, this->other_host))
+			{
+				set_other_host(this, other->clone(other));
+				update = TRUE;
+			}
+		}
+	}
+
+	/* update all associated CHILD_SAs, if required */
+	if (update)
+	{
+		iterator_t *iterator;
+		child_sa_t *child_sa;
+
+		iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
+		while (iterator->iterate(iterator, (void**)&child_sa))
+		{
+			if (child_sa->update(child_sa, this->my_host,
+						this->other_host, this->my_virtual_ip,
+						has_condition(this, COND_NAT_ANY)) == NOT_SUPPORTED)
+			{
+				this->public.rekey_child_sa(&this->public,
+						child_sa->get_protocol(child_sa),
+						child_sa->get_spi(child_sa, TRUE));
+			}
+		}
+		iterator->destroy(iterator);
+	}
+}
+
+/**
+ * Implementation of ike_sa_t.generate
+ */
+static status_t generate_message(private_ike_sa_t *this, message_t *message,
+								 packet_t **packet)
+{
+	this->stats[STAT_OUTBOUND] = time_monotonic(NULL);
+	message->set_ike_sa_id(message, this->ike_sa_id);
+	return message->generate(message,
+				this->keymat->get_crypter(this->keymat, FALSE),
+				this->keymat->get_signer(this->keymat, FALSE), packet);
+}
+
+/**
+ * send a notify back to the sender
+ */
+static void send_notify_response(private_ike_sa_t *this, message_t *request,
+								 notify_type_t type)
+{
+	message_t *response;
+	packet_t *packet;
+
+	response = message_create();
+	response->set_exchange_type(response, request->get_exchange_type(request));
+	response->set_request(response, FALSE);
+	response->set_message_id(response, request->get_message_id(request));
+	response->add_notify(response, FALSE, type, chunk_empty);
+	if (this->my_host->is_anyaddr(this->my_host))
+	{
+		this->my_host->destroy(this->my_host);
+		this->my_host = request->get_destination(request);
+		this->my_host = this->my_host->clone(this->my_host);
+	}
+	if (this->other_host->is_anyaddr(this->other_host))
+	{
+		this->other_host->destroy(this->other_host);
+		this->other_host = request->get_source(request);
+		this->other_host = this->other_host->clone(this->other_host);
+	}
+	response->set_source(response, this->my_host->clone(this->my_host));
+	response->set_destination(response, this->other_host->clone(this->other_host));
+	if (generate_message(this, response, &packet) == SUCCESS)
+	{
+		charon->sender->send(charon->sender, packet);
+	}
+	response->destroy(response);
+}
+
+/**
+ * Implementation of ike_sa_t.set_kmaddress.
+ */
+static void set_kmaddress(private_ike_sa_t *this, host_t *local, host_t *remote)
+{
+	DESTROY_IF(this->local_host);
+	DESTROY_IF(this->remote_host);
+	this->local_host = local->clone(local);
+	this->remote_host = remote->clone(remote);
+}
+
+#ifdef ME
+/**
+ * Implementation of ike_sa_t.act_as_mediation_server.
+ */
+static void act_as_mediation_server(private_ike_sa_t *this)
+{
+	charon->mediation_manager->update_sa_id(charon->mediation_manager,
+			this->other_id, this->ike_sa_id);
+	this->is_mediation_server = TRUE;
+}
+
+/**
+ * Implementation of ike_sa_t.get_server_reflexive_host.
+ */
+static host_t *get_server_reflexive_host(private_ike_sa_t *this)
+{
+	return this->server_reflexive_host;
+}
+
+/**
+ * Implementation of ike_sa_t.set_server_reflexive_host.
+ */
+static void set_server_reflexive_host(private_ike_sa_t *this, host_t *host)
+{
+	DESTROY_IF(this->server_reflexive_host);
+	this->server_reflexive_host = host;
+}
+
+/**
+ * Implementation of ike_sa_t.get_connect_id.
+ */
+static chunk_t get_connect_id(private_ike_sa_t *this)
+{
+	return this->connect_id;
+}
+
+/**
+ * Implementation of ike_sa_t.respond
+ */
+static status_t respond(private_ike_sa_t *this, identification_t *peer_id,
+						chunk_t connect_id)
+{
+	ike_me_t *task = ike_me_create(&this->public, TRUE);
+	task->respond(task, peer_id, connect_id);
+	this->task_manager->queue_task(this->task_manager, (task_t*)task);
+	return this->task_manager->initiate(this->task_manager);
+}
+
+/**
+ * Implementation of ike_sa_t.callback
+ */
+static status_t callback(private_ike_sa_t *this, identification_t *peer_id)
+{
+	ike_me_t *task = ike_me_create(&this->public, TRUE);
+	task->callback(task, peer_id);
+	this->task_manager->queue_task(this->task_manager, (task_t*)task);
+	return this->task_manager->initiate(this->task_manager);
+}
+
+/**
+ * Implementation of ike_sa_t.relay
+ */
+static status_t relay(private_ike_sa_t *this, identification_t *requester,
+					  chunk_t connect_id, chunk_t connect_key,
+					  linked_list_t *endpoints, bool response)
+{
+	ike_me_t *task = ike_me_create(&this->public, TRUE);
+	task->relay(task, requester, connect_id, connect_key, endpoints, response);
+	this->task_manager->queue_task(this->task_manager, (task_t*)task);
+	return this->task_manager->initiate(this->task_manager);
+}
+
+/**
+ * Implementation of ike_sa_t.initiate_mediation
+ */
+static status_t initiate_mediation(private_ike_sa_t *this,
+								   peer_cfg_t *mediated_cfg)
+{
+	ike_me_t *task = ike_me_create(&this->public, TRUE);
+	task->connect(task, mediated_cfg->get_peer_id(mediated_cfg));
+	this->task_manager->queue_task(this->task_manager, (task_t*)task);
+	return this->task_manager->initiate(this->task_manager);
+}
+
+/**
+ * Implementation of ike_sa_t.initiate_mediated
+ */
+static status_t initiate_mediated(private_ike_sa_t *this, host_t *me,
+								  host_t *other, chunk_t connect_id)
+{
+	set_my_host(this, me->clone(me));
+	set_other_host(this, other->clone(other));
+	chunk_free(&this->connect_id);
+	this->connect_id = chunk_clone(connect_id);
+	return this->task_manager->initiate(this->task_manager);
+}
+#endif /* ME */
+
+/**
+ * Resolve DNS host in configuration
+ */
+static void resolve_hosts(private_ike_sa_t *this)
+{
+	host_t *host;
+
+	if (this->remote_host)
+	{
+		host = this->remote_host->clone(this->remote_host);
+		host->set_port(host, IKEV2_UDP_PORT);
+	}
+	else
+	{
+		host = host_create_from_dns(this->ike_cfg->get_other_addr(this->ike_cfg),
+								0, this->ike_cfg->get_other_port(this->ike_cfg));
+	}
+	if (host)
+	{
+		set_other_host(this, host);
+	}
+
+	if (this->local_host)
+	{
+		host = this->local_host->clone(this->local_host);
+		host->set_port(host, IKEV2_UDP_PORT);
+	}
+	else
+	{
+		int family = 0;
+
+		/* use same address family as for other */
+		if (!this->other_host->is_anyaddr(this->other_host))
+		{
+			family = this->other_host->get_family(this->other_host);
+		}
+		host = host_create_from_dns(this->ike_cfg->get_my_addr(this->ike_cfg),
+							family, this->ike_cfg->get_my_port(this->ike_cfg));
+
+		if (host && host->is_anyaddr(host) &&
+			!this->other_host->is_anyaddr(this->other_host))
+		{
+			host->destroy(host);
+			host = charon->kernel_interface->get_source_addr(
+							charon->kernel_interface, this->other_host, NULL);
+			if (host)
+			{
+				host->set_port(host, this->ike_cfg->get_my_port(this->ike_cfg));
+			}
+			else
+			{	/* fallback to address family specific %any(6), if configured */
+				host = host_create_from_dns(
+								this->ike_cfg->get_my_addr(this->ike_cfg),
+								0, this->ike_cfg->get_my_port(this->ike_cfg));
+			}
+		}
+	}
+	if (host)
+	{
+		set_my_host(this, host);
+	}
+}
+
+/**
+ * Implementation of ike_sa_t.initiate
+ */
+static status_t initiate(private_ike_sa_t *this,
+						 child_cfg_t *child_cfg, u_int32_t reqid,
+						 traffic_selector_t *tsi, traffic_selector_t *tsr)
+{
+	task_t *task;
+
+	if (this->state == IKE_CREATED)
+	{
+		resolve_hosts(this);
+
+		if (this->other_host->is_anyaddr(this->other_host)
+#ifdef ME
+			&& !this->peer_cfg->get_mediated_by(this->peer_cfg)
+#endif /* ME */
+			)
+		{
+			child_cfg->destroy(child_cfg);
+			DBG1(DBG_IKE, "unable to initiate to %%any");
+			return DESTROY_ME;
+		}
+
+		set_condition(this, COND_ORIGINAL_INITIATOR, TRUE);
+
+		task = (task_t*)ike_vendor_create(&this->public, TRUE);
+		this->task_manager->queue_task(this->task_manager, task);
+		task = (task_t*)ike_init_create(&this->public, TRUE, NULL);
+		this->task_manager->queue_task(this->task_manager, task);
+		task = (task_t*)ike_natd_create(&this->public, TRUE);
+		this->task_manager->queue_task(this->task_manager, task);
+		task = (task_t*)ike_cert_pre_create(&this->public, TRUE);
+		this->task_manager->queue_task(this->task_manager, task);
+		task = (task_t*)ike_auth_create(&this->public, TRUE);
+		this->task_manager->queue_task(this->task_manager, task);
+		task = (task_t*)ike_cert_post_create(&this->public, TRUE);
+		this->task_manager->queue_task(this->task_manager, task);
+		task = (task_t*)ike_config_create(&this->public, TRUE);
+		this->task_manager->queue_task(this->task_manager, task);
+		task = (task_t*)ike_auth_lifetime_create(&this->public, TRUE);
+		this->task_manager->queue_task(this->task_manager, task);
+		if (this->peer_cfg->use_mobike(this->peer_cfg))
+		{
+			task = (task_t*)ike_mobike_create(&this->public, TRUE);
+			this->task_manager->queue_task(this->task_manager, task);
+		}
+#ifdef ME
+		task = (task_t*)ike_me_create(&this->public, TRUE);
+		this->task_manager->queue_task(this->task_manager, task);
+#endif /* ME */
+	}
+
+#ifdef ME
+	if (this->peer_cfg->is_mediation(this->peer_cfg))
+	{
+		if (this->state == IKE_ESTABLISHED)
+		{
+			/* mediation connection is already established, retrigger state
+			 * change to notify bus listeners */
+			DBG1(DBG_IKE, "mediation connection is already up");
+			set_state(this, IKE_ESTABLISHED);
+		}
+		DESTROY_IF(child_cfg);
+	}
+	else
+#endif /* ME */
+	{
+		/* normal IKE_SA with CHILD_SA */
+		task = (task_t*)child_create_create(&this->public, child_cfg, FALSE,
+											tsi, tsr);
+		child_cfg->destroy(child_cfg);
+		if (reqid)
+		{
+			child_create_t *child_create = (child_create_t*)task;
+			child_create->use_reqid(child_create, reqid);
+		}
+		this->task_manager->queue_task(this->task_manager, task);
+
+#ifdef ME
+		if (this->peer_cfg->get_mediated_by(this->peer_cfg))
+		{
+			/* mediated connection, initiate mediation process */
+			job_t *job = (job_t*)initiate_mediation_job_create(this->ike_sa_id);
+			charon->processor->queue_job(charon->processor, job);
+			return SUCCESS;
+		}
+#endif /* ME */
+	}
+
+	return this->task_manager->initiate(this->task_manager);
+}
+
+/**
+ * Implementation of ike_sa_t.process_message.
+ */
+static status_t process_message(private_ike_sa_t *this, message_t *message)
+{
+	status_t status;
+	bool is_request;
+
+	if (this->state == IKE_PASSIVE)
+	{	/* do not handle messages in passive state */
+		return FAILED;
+	}
+
+	is_request = message->get_request(message);
+
+	status = message->parse_body(message,
+								 this->keymat->get_crypter(this->keymat, TRUE),
+								 this->keymat->get_signer(this->keymat, TRUE));
+	if (status != SUCCESS)
+	{
+
+		if (is_request)
+		{
+			switch (status)
+			{
+				case NOT_SUPPORTED:
+					DBG1(DBG_IKE, "critical unknown payloads found");
+					if (is_request)
+					{
+						send_notify_response(this, message, UNSUPPORTED_CRITICAL_PAYLOAD);
+					}
+					break;
+				case PARSE_ERROR:
+					DBG1(DBG_IKE, "message parsing failed");
+					if (is_request)
+					{
+						send_notify_response(this, message, INVALID_SYNTAX);
+					}
+					break;
+				case VERIFY_ERROR:
+					DBG1(DBG_IKE, "message verification failed");
+					if (is_request)
+					{
+						send_notify_response(this, message, INVALID_SYNTAX);
+					}
+					break;
+				case FAILED:
+					DBG1(DBG_IKE, "integrity check failed");
+					/* ignored */
+					break;
+				case INVALID_STATE:
+					DBG1(DBG_IKE, "found encrypted message, but no keys available");
+					if (is_request)
+					{
+						send_notify_response(this, message, INVALID_SYNTAX);
+					}
+				default:
+					break;
+			}
+		}
+		DBG1(DBG_IKE, "%N %s with message ID %d processing failed",
+			 exchange_type_names, message->get_exchange_type(message),
+			 message->get_request(message) ? "request" : "response",
+			 message->get_message_id(message));
+
+		if (this->state == IKE_CREATED)
+		{	/* invalid initiation attempt, close SA */
+			return DESTROY_ME;
+		}
+	}
+	else
+	{
+		host_t *me, *other;
+
+		me = message->get_destination(message);
+		other = message->get_source(message);
+
+		/* if this IKE_SA is virgin, we check for a config */
+		if (this->ike_cfg == NULL)
+		{
+			job_t *job;
+			this->ike_cfg = charon->backends->get_ike_cfg(charon->backends,
+														  me, other);
+			if (this->ike_cfg == NULL)
+			{
+				/* no config found for these hosts, destroy */
+				DBG1(DBG_IKE, "no IKE config found for %H...%H, sending %N",
+					 me, other, notify_type_names, NO_PROPOSAL_CHOSEN);
+				send_notify_response(this, message, NO_PROPOSAL_CHOSEN);
+				return DESTROY_ME;
+			}
+			/* add a timeout if peer does not establish it completely */
+			job = (job_t*)delete_ike_sa_job_create(this->ike_sa_id, FALSE);
+			charon->scheduler->schedule_job(charon->scheduler, job,
+											HALF_OPEN_IKE_SA_TIMEOUT);
+		}
+		this->stats[STAT_INBOUND] = time_monotonic(NULL);
+		/* check if message is trustworthy, and update host information */
+		if (this->state == IKE_CREATED || this->state == IKE_CONNECTING ||
+			message->get_exchange_type(message) != IKE_SA_INIT)
+		{
+			if (!supports_extension(this, EXT_MOBIKE))
+			{	/* with MOBIKE, we do no implicit updates */
+				update_hosts(this, me, other);
+			}
+		}
+		status = this->task_manager->process_message(this->task_manager, message);
+		if (message->get_exchange_type(message) == IKE_AUTH &&
+			this->state == IKE_ESTABLISHED)
+		{	/* authentication completed */
+			flush_auth_cfgs(this);
+		}
+	}
+	return status;
+}
+
+/**
+ * Implementation of ike_sa_t.get_id.
+ */
+static ike_sa_id_t* get_id(private_ike_sa_t *this)
+{
+	return this->ike_sa_id;
+}
+
+/**
+ * Implementation of ike_sa_t.get_my_id.
+ */
+static identification_t* get_my_id(private_ike_sa_t *this)
+{
+	return this->my_id;
+}
+
+/**
+ * Implementation of ike_sa_t.set_my_id.
+ */
+static void set_my_id(private_ike_sa_t *this, identification_t *me)
+{
+	DESTROY_IF(this->my_id);
+	this->my_id = me;
+}
+
+/**
+ * Implementation of ike_sa_t.get_other_id.
+ */
+static identification_t* get_other_id(private_ike_sa_t *this)
+{
+	return this->other_id;
+}
+
+/**
+ * Implementation of ike_sa_t.get_other_eap_id.
+ */
+static identification_t* get_other_eap_id(private_ike_sa_t *this)
+{
+	identification_t *id = NULL, *current;
+	enumerator_t *enumerator;
+	auth_cfg_t *cfg;
+
+	enumerator = this->other_auths->create_enumerator(this->other_auths);
+	while (enumerator->enumerate(enumerator, &cfg))
+	{
+		/* prefer EAP-Identity of last round */
+		current = cfg->get(cfg, AUTH_RULE_EAP_IDENTITY);
+		if (!current || current->get_type(current) == ID_ANY)
+		{
+			current = cfg->get(cfg, AUTH_RULE_IDENTITY);
+		}
+		if (current && current->get_type(current) != ID_ANY)
+		{
+			id = current;
+			continue;
+		}
+	}
+	enumerator->destroy(enumerator);
+	if (id)
+	{
+		return id;
+	}
+	return this->other_id;
+}
+
+/**
+ * Implementation of ike_sa_t.set_other_id.
+ */
+static void set_other_id(private_ike_sa_t *this, identification_t *other)
+{
+	DESTROY_IF(this->other_id);
+	this->other_id = other;
+}
+
+/**
+ * Implementation of ike_sa_t.add_child_sa.
+ */
+static void add_child_sa(private_ike_sa_t *this, child_sa_t *child_sa)
+{
+	this->child_sas->insert_last(this->child_sas, child_sa);
+}
+
+/**
+ * Implementation of ike_sa_t.get_child_sa.
+ */
+static child_sa_t* get_child_sa(private_ike_sa_t *this, protocol_id_t protocol,
+								u_int32_t spi, bool inbound)
+{
+	iterator_t *iterator;
+	child_sa_t *current, *found = NULL;
+
+	iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
+	while (iterator->iterate(iterator, (void**)&current))
+	{
+		if (current->get_spi(current, inbound) == spi &&
+			current->get_protocol(current) == protocol)
+		{
+			found = current;
+		}
+	}
+	iterator->destroy(iterator);
+	return found;
+}
+
+/**
+ * Implementation of ike_sa_t.create_child_sa_iterator.
+ */
+static iterator_t* create_child_sa_iterator(private_ike_sa_t *this)
+{
+	return this->child_sas->create_iterator(this->child_sas, TRUE);
+}
+
+/**
+ * Implementation of ike_sa_t.rekey_child_sa.
+ */
+static status_t rekey_child_sa(private_ike_sa_t *this, protocol_id_t protocol,
+							   u_int32_t spi)
+{
+	child_rekey_t *child_rekey;
+
+	child_rekey = child_rekey_create(&this->public, protocol, spi);
+	this->task_manager->queue_task(this->task_manager, &child_rekey->task);
+	return this->task_manager->initiate(this->task_manager);
+}
+
+/**
+ * Implementation of ike_sa_t.delete_child_sa.
+ */
+static status_t delete_child_sa(private_ike_sa_t *this, protocol_id_t protocol,
+								u_int32_t spi)
+{
+	child_delete_t *child_delete;
+
+	child_delete = child_delete_create(&this->public, protocol, spi);
+	this->task_manager->queue_task(this->task_manager, &child_delete->task);
+	return this->task_manager->initiate(this->task_manager);
+}
+
+/**
+ * Implementation of ike_sa_t.destroy_child_sa.
+ */
+static status_t destroy_child_sa(private_ike_sa_t *this, protocol_id_t protocol,
+								 u_int32_t spi)
+{
+	iterator_t *iterator;
+	child_sa_t *child_sa;
+	status_t status = NOT_FOUND;
+
+	iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
+	while (iterator->iterate(iterator, (void**)&child_sa))
+	{
+		if (child_sa->get_protocol(child_sa) == protocol &&
+			child_sa->get_spi(child_sa, TRUE) == spi)
+		{
+			child_sa->destroy(child_sa);
+			iterator->remove(iterator);
+			status = SUCCESS;
+			break;
+		}
+	}
+	iterator->destroy(iterator);
+	return status;
+}
+
+/**
+ * Implementation of public_ike_sa_t.delete.
+ */
+static status_t delete_(private_ike_sa_t *this)
+{
+	ike_delete_t *ike_delete;
+
+	switch (this->state)
+	{
+		case IKE_ESTABLISHED:
+		case IKE_REKEYING:
+			ike_delete = ike_delete_create(&this->public, TRUE);
+			this->task_manager->queue_task(this->task_manager, &ike_delete->task);
+			return this->task_manager->initiate(this->task_manager);
+		case IKE_CREATED:
+			DBG1(DBG_IKE, "deleting unestablished IKE_SA");
+			break;
+		case IKE_PASSIVE:
+			break;
+		default:
+			DBG1(DBG_IKE, "destroying IKE_SA in state %N "
+				"without notification", ike_sa_state_names, this->state);
+			charon->bus->ike_updown(charon->bus, &this->public, FALSE);
+			break;
+	}
+	return DESTROY_ME;
+}
+
+/**
+ * Implementation of ike_sa_t.rekey.
+ */
+static status_t rekey(private_ike_sa_t *this)
+{
+	ike_rekey_t *ike_rekey;
+
+	ike_rekey = ike_rekey_create(&this->public, TRUE);
+
+	this->task_manager->queue_task(this->task_manager, &ike_rekey->task);
+	return this->task_manager->initiate(this->task_manager);
+}
+
+/**
+ * Implementation of ike_sa_t.reauth
+ */
+static status_t reauth(private_ike_sa_t *this)
+{
+	task_t *task;
+
+	/* we can't reauthenticate as responder when we use EAP or virtual IPs.
+	 * If the peer does not support RFC4478, there is no way to keep the
+	 * IKE_SA up. */
+	if (!has_condition(this, COND_ORIGINAL_INITIATOR))
+	{
+		DBG1(DBG_IKE, "initiator did not reauthenticate as requested");
+		if (this->other_virtual_ip != NULL ||
+			has_condition(this, COND_EAP_AUTHENTICATED)
+#ifdef ME
+			/* as mediation server we too cannot reauth the IKE_SA */
+			|| this->is_mediation_server
+#endif /* ME */
+			)
+		{
+			time_t now = time_monotonic(NULL);
+
+			DBG1(DBG_IKE, "IKE_SA will timeout in %V",
+				 &now, &this->stats[STAT_DELETE]);
+			return FAILED;
+		}
+		else
+		{
+			DBG1(DBG_IKE, "reauthenticating actively");
+		}
+	}
+	task = (task_t*)ike_reauth_create(&this->public);
+	this->task_manager->queue_task(this->task_manager, task);
+
+	return this->task_manager->initiate(this->task_manager);
+}
+
+/**
+ * Implementation of ike_sa_t.reestablish
+ */
+static status_t reestablish(private_ike_sa_t *this)
+{
+	ike_sa_t *new;
+	host_t *host;
+	action_t action;
+	iterator_t *iterator;
+	child_sa_t *child_sa;
+	child_cfg_t *child_cfg;
+	bool restart = FALSE;
+	status_t status = FAILED;
+
+	/* check if we have children to keep up at all */
+	iterator = create_child_sa_iterator(this);
+	while (iterator->iterate(iterator, (void**)&child_sa))
+	{
+		child_cfg = child_sa->get_config(child_sa);
+		if (this->state == IKE_DELETING)
+		{
+			action = child_cfg->get_close_action(child_cfg);
+		}
+		else
+		{
+			action = child_cfg->get_dpd_action(child_cfg);
+		}
+		switch (action)
+		{
+			case ACTION_RESTART:
+				restart = TRUE;
+				break;
+			case ACTION_ROUTE:
+				charon->traps->install(charon->traps, this->peer_cfg, child_cfg);
+				break;
+			default:
+				break;
+		}
+	}
+	iterator->destroy(iterator);
+#ifdef ME
+	/* mediation connections have no children, keep them up anyway */
+	if (this->peer_cfg->is_mediation(this->peer_cfg))
+	{
+		restart = TRUE;
+	}
+#endif /* ME */
+	if (!restart)
+	{
+		return FAILED;
+	}
+
+	/* check if we are able to reestablish this IKE_SA */
+	if (!has_condition(this, COND_ORIGINAL_INITIATOR) &&
+		(this->other_virtual_ip != NULL ||
+		 has_condition(this, COND_EAP_AUTHENTICATED)
+#ifdef ME
+		 || this->is_mediation_server
+#endif /* ME */
+		))
+	{
+		DBG1(DBG_IKE, "unable to reestablish IKE_SA due asymetric setup");
+		return FAILED;
+	}
+
+	new = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager, TRUE);
+	new->set_peer_cfg(new, this->peer_cfg);
+	host = this->other_host;
+	new->set_other_host(new, host->clone(host));
+	host = this->my_host;
+	new->set_my_host(new, host->clone(host));
+	/* if we already have a virtual IP, we reuse it */
+	host = this->my_virtual_ip;
+	if (host)
+	{
+		new->set_virtual_ip(new, TRUE, host);
+	}
+
+#ifdef ME
+	if (this->peer_cfg->is_mediation(this->peer_cfg))
+	{
+		status = new->initiate(new, NULL, 0, NULL, NULL);
+	}
+	else
+#endif /* ME */
+	{
+		iterator = create_child_sa_iterator(this);
+		while (iterator->iterate(iterator, (void**)&child_sa))
+		{
+			child_cfg = child_sa->get_config(child_sa);
+			if (this->state == IKE_DELETING)
+			{
+				action = child_cfg->get_close_action(child_cfg);
+			}
+			else
+			{
+				action = child_cfg->get_dpd_action(child_cfg);
+			}
+			switch (action)
+			{
+				case ACTION_RESTART:
+					DBG1(DBG_IKE, "restarting CHILD_SA %s",
+						 child_cfg->get_name(child_cfg));
+					child_cfg->get_ref(child_cfg);
+					status = new->initiate(new, child_cfg, 0, NULL, NULL);
+					break;
+				default:
+					continue;
+			}
+			if (status == DESTROY_ME)
+			{
+				break;
+			}
+		}
+		iterator->destroy(iterator);
+	}
+
+	if (status == DESTROY_ME)
+	{
+		charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, new);
+		status = FAILED;
+	}
+	else
+	{
+		charon->ike_sa_manager->checkin(charon->ike_sa_manager, new);
+		status = SUCCESS;
+	}
+	charon->bus->set_sa(charon->bus, &this->public);
+	return status;
+}
+
+/**
+ * Implementation of ike_sa_t.retransmit.
+ */
+static status_t retransmit(private_ike_sa_t *this, u_int32_t message_id)
+{
+	this->stats[STAT_OUTBOUND] = time_monotonic(NULL);
+	if (this->task_manager->retransmit(this->task_manager, message_id) != SUCCESS)
+	{
+		/* send a proper signal to brief interested bus listeners */
+		switch (this->state)
+		{
+			case IKE_CONNECTING:
+			{
+				/* retry IKE_SA_INIT if we have multiple keyingtries */
+				u_int32_t tries = this->peer_cfg->get_keyingtries(this->peer_cfg);
+				this->keyingtry++;
+				if (tries == 0 || tries > this->keyingtry)
+				{
+					DBG1(DBG_IKE, "peer not responding, trying again (%d/%d)",
+						 this->keyingtry + 1, tries);
+					reset(this);
+					return this->task_manager->initiate(this->task_manager);
+				}
+				DBG1(DBG_IKE, "establishing IKE_SA failed, peer not responding");
+				break;
+			}
+			case IKE_DELETING:
+				DBG1(DBG_IKE, "proper IKE_SA delete failed, peer not responding");
+				break;
+			case IKE_REKEYING:
+				DBG1(DBG_IKE, "rekeying IKE_SA failed, peer not responding");
+				/* FALL */
+			default:
+				reestablish(this);
+				break;
+		}
+		return DESTROY_ME;
+	}
+	return SUCCESS;
+}
+
+/**
+ * Implementation of ike_sa_t.set_auth_lifetime.
+ */
+static void set_auth_lifetime(private_ike_sa_t *this, u_int32_t lifetime)
+{
+	u_int32_t reduction = this->peer_cfg->get_over_time(this->peer_cfg);
+	u_int32_t reauth_time = time_monotonic(NULL) + lifetime - reduction;
+
+	if (lifetime < reduction)
+	{
+		DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, starting reauthentication",
+			 lifetime);
+		charon->processor->queue_job(charon->processor,
+					(job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE));
+	}
+	else if (this->stats[STAT_REAUTH] == 0 ||
+			 this->stats[STAT_REAUTH] > reauth_time)
+	{
+		this->stats[STAT_REAUTH] = reauth_time;
+		DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, scheduling reauthentication"
+			 " in %ds", lifetime, lifetime - reduction);
+		charon->scheduler->schedule_job(charon->scheduler,
+						(job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE),
+						lifetime - reduction);
+	}
+	else
+	{
+		DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, "
+			 "reauthentication already scheduled in %ds", lifetime,
+			 this->stats[STAT_REAUTH] - time_monotonic(NULL));
+	}
+}
+
+/**
+ * Implementation of ike_sa_t.roam.
+ */
+static status_t roam(private_ike_sa_t *this, bool address)
+{
+	host_t *src;
+	ike_mobike_t *mobike;
+
+	switch (this->state)
+	{
+		case IKE_CREATED:
+		case IKE_DELETING:
+		case IKE_DESTROYING:
+		case IKE_PASSIVE:
+			return SUCCESS;
+		default:
+			break;
+	}
+	/* responder just updates the peer about changed address config */
+	if (!this->ike_sa_id->is_initiator(this->ike_sa_id))
+	{
+		if (supports_extension(this, EXT_MOBIKE) && address)
+		{
+			DBG1(DBG_IKE, "sending address list update using MOBIKE");
+			mobike = ike_mobike_create(&this->public, TRUE);
+			this->task_manager->queue_task(this->task_manager, (task_t*)mobike);
+			return this->task_manager->initiate(this->task_manager);
+		}
+		return SUCCESS;
+	}
+
+	/* keep existing path if possible */
+	src = charon->kernel_interface->get_source_addr(charon->kernel_interface,
+											this->other_host, this->my_host);
+	if (src)
+	{
+		if (src->ip_equals(src, this->my_host))
+		{
+			DBG2(DBG_IKE, "keeping connection path %H - %H",
+				 src, this->other_host);
+			src->destroy(src);
+			set_condition(this, COND_STALE, FALSE);
+			return SUCCESS;
+		}
+		src->destroy(src);
+
+	}
+	else
+	{
+		/* check if we find a route at all */
+		enumerator_t *enumerator;
+		host_t *addr;
+
+		src = charon->kernel_interface->get_source_addr(charon->kernel_interface,
+														this->other_host, NULL);
+		if (!src)
+		{
+			enumerator = this->additional_addresses->create_enumerator(
+													this->additional_addresses);
+			while (enumerator->enumerate(enumerator, &addr))
+			{
+				DBG1(DBG_IKE, "looking for a route to %H ...", addr);
+				src = charon->kernel_interface->get_source_addr(
+										charon->kernel_interface, addr, NULL);
+				if (src)
+				{
+					break;
+				}
+			}
+			enumerator->destroy(enumerator);
+		}
+		if (!src)
+		{
+			DBG1(DBG_IKE, "no route found to reach %H, MOBIKE update deferred",
+				 this->other_host);
+			set_condition(this, COND_STALE, TRUE);
+			return SUCCESS;
+		}
+		src->destroy(src);
+	}
+	set_condition(this, COND_STALE, FALSE);
+
+	/* update addresses with mobike, if supported ... */
+	if (supports_extension(this, EXT_MOBIKE))
+	{
+		DBG1(DBG_IKE, "requesting address change using MOBIKE");
+		mobike = ike_mobike_create(&this->public, TRUE);
+		mobike->roam(mobike, address);
+		this->task_manager->queue_task(this->task_manager, (task_t*)mobike);
+		return this->task_manager->initiate(this->task_manager);
+	}
+	DBG1(DBG_IKE, "reauthenticating IKE_SA due to address change");
+	/* ... reauth if not */
+	return reauth(this);
+}
+
+/**
+ * Implementation of ike_sa_t.add_configuration_attribute
+ */
+static void add_configuration_attribute(private_ike_sa_t *this,
+							attribute_handler_t *handler,
+							configuration_attribute_type_t type, chunk_t data)
+{
+	attribute_entry_t *entry = malloc_thing(attribute_entry_t);
+
+	entry->handler = handler;
+	entry->type = type;
+	entry->data = chunk_clone(data);
+
+	this->attributes->insert_last(this->attributes, entry);
+}
+
+/**
+ * Implementation of ike_sa_t.inherit.
+ */
+static status_t inherit(private_ike_sa_t *this, private_ike_sa_t *other)
+{
+	child_sa_t *child_sa;
+	attribute_entry_t *entry;
+
+	/* apply hosts and ids */
+	this->my_host->destroy(this->my_host);
+	this->other_host->destroy(this->other_host);
+	this->my_id->destroy(this->my_id);
+	this->other_id->destroy(this->other_id);
+	this->my_host = other->my_host->clone(other->my_host);
+	this->other_host = other->other_host->clone(other->other_host);
+	this->my_id = other->my_id->clone(other->my_id);
+	this->other_id = other->other_id->clone(other->other_id);
+
+	/* apply virtual assigned IPs... */
+	if (other->my_virtual_ip)
+	{
+		this->my_virtual_ip = other->my_virtual_ip;
+		other->my_virtual_ip = NULL;
+	}
+	if (other->other_virtual_ip)
+	{
+		this->other_virtual_ip = other->other_virtual_ip;
+		other->other_virtual_ip = NULL;
+	}
+
+	/* ... and configuration attributes */
+	while (other->attributes->remove_last(other->attributes,
+										  (void**)&entry) == SUCCESS)
+	{
+		this->attributes->insert_first(this->attributes, entry);
+	}
+
+	/* inherit all conditions */
+	this->conditions = other->conditions;
+	if (this->conditions & COND_NAT_HERE)
+	{
+		send_keepalive(this);
+	}
+
+#ifdef ME
+	if (other->is_mediation_server)
+	{
+		act_as_mediation_server(this);
+	}
+	else if (other->server_reflexive_host)
+	{
+		this->server_reflexive_host = other->server_reflexive_host->clone(
+				other->server_reflexive_host);
+	}
+#endif /* ME */
+
+	/* adopt all children */
+	while (other->child_sas->remove_last(other->child_sas,
+										 (void**)&child_sa) == SUCCESS)
+	{
+		this->child_sas->insert_first(this->child_sas, (void*)child_sa);
+	}
+
+	/* move pending tasks to the new IKE_SA */
+	this->task_manager->adopt_tasks(this->task_manager, other->task_manager);
+
+	/* reauthentication timeout survives a rekeying */
+	if (other->stats[STAT_REAUTH])
+	{
+		time_t reauth, delete, now = time_monotonic(NULL);
+
+		this->stats[STAT_REAUTH] = other->stats[STAT_REAUTH];
+		reauth = this->stats[STAT_REAUTH] - now;
+		delete = reauth + this->peer_cfg->get_over_time(this->peer_cfg);
+		this->stats[STAT_DELETE] = this->stats[STAT_REAUTH] + delete;
+		DBG1(DBG_IKE, "rescheduling reauthentication in %ds after rekeying, "
+			 "lifetime reduced to %ds", reauth, delete);
+		charon->scheduler->schedule_job(charon->scheduler,
+				(job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE), reauth);
+		charon->scheduler->schedule_job(charon->scheduler,
+				(job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE), delete);
+	}
+	/* we have to initate here, there may be new tasks to handle */
+	return this->task_manager->initiate(this->task_manager);
+}
+
+/**
+ * Implementation of ike_sa_t.destroy.
+ */
+static void destroy(private_ike_sa_t *this)
+{
+	attribute_entry_t *entry;
+
+	charon->bus->set_sa(charon->bus, &this->public);
+
+	set_state(this, IKE_DESTROYING);
+
+	/* remove attributes first, as we pass the IKE_SA to the handler */
+	while (this->attributes->remove_last(this->attributes,
+										 (void**)&entry) == SUCCESS)
+	{
+		hydra->attributes->release(hydra->attributes, entry->handler,
+								   this->other_id, entry->type, entry->data);
+		free(entry->data.ptr);
+		free(entry);
+	}
+	this->attributes->destroy(this->attributes);
+
+	this->child_sas->destroy_offset(this->child_sas, offsetof(child_sa_t, destroy));
+
+	/* unset SA after here to avoid usage by the listeners */
+	charon->bus->set_sa(charon->bus, NULL);
+
+	this->task_manager->destroy(this->task_manager);
+	this->keymat->destroy(this->keymat);
+
+	if (this->my_virtual_ip)
+	{
+		charon->kernel_interface->del_ip(charon->kernel_interface,
+										 this->my_virtual_ip);
+		this->my_virtual_ip->destroy(this->my_virtual_ip);
+	}
+	if (this->other_virtual_ip)
+	{
+		if (this->peer_cfg && this->peer_cfg->get_pool(this->peer_cfg))
+		{
+			hydra->attributes->release_address(hydra->attributes,
+							this->peer_cfg->get_pool(this->peer_cfg),
+							this->other_virtual_ip, get_other_eap_id(this));
+		}
+		this->other_virtual_ip->destroy(this->other_virtual_ip);
+	}
+	this->additional_addresses->destroy_offset(this->additional_addresses,
+													offsetof(host_t, destroy));
+#ifdef ME
+	if (this->is_mediation_server)
+	{
+		charon->mediation_manager->remove(charon->mediation_manager,
+										  this->ike_sa_id);
+	}
+	DESTROY_IF(this->server_reflexive_host);
+	chunk_free(&this->connect_id);
+#endif /* ME */
+	free(this->nat_detection_dest.ptr);
+
+	DESTROY_IF(this->my_host);
+	DESTROY_IF(this->other_host);
+	DESTROY_IF(this->my_id);
+	DESTROY_IF(this->other_id);
+	DESTROY_IF(this->local_host);
+	DESTROY_IF(this->remote_host);
+
+	DESTROY_IF(this->ike_cfg);
+	DESTROY_IF(this->peer_cfg);
+	DESTROY_IF(this->proposal);
+	this->my_auth->destroy(this->my_auth);
+	this->other_auth->destroy(this->other_auth);
+	this->my_auths->destroy_offset(this->my_auths,
+								   offsetof(auth_cfg_t, destroy));
+	this->other_auths->destroy_offset(this->other_auths,
+									  offsetof(auth_cfg_t, destroy));
+
+	this->ike_sa_id->destroy(this->ike_sa_id);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
+{
+	private_ike_sa_t *this = malloc_thing(private_ike_sa_t);
+	static u_int32_t unique_id = 0;
+
+	/* Public functions */
+	this->public.get_state = (ike_sa_state_t (*)(ike_sa_t*)) get_state;
+	this->public.set_state = (void (*)(ike_sa_t*,ike_sa_state_t)) set_state;
+	this->public.get_name = (char* (*)(ike_sa_t*))get_name;
+	this->public.get_statistic = (u_int32_t(*)(ike_sa_t*, statistic_t kind))get_statistic;
+	this->public.process_message = (status_t (*)(ike_sa_t*, message_t*)) process_message;
+	this->public.initiate = (status_t (*)(ike_sa_t*,child_cfg_t*,u_int32_t,traffic_selector_t*,traffic_selector_t*)) initiate;
+	this->public.get_ike_cfg = (ike_cfg_t* (*)(ike_sa_t*))get_ike_cfg;
+	this->public.set_ike_cfg = (void (*)(ike_sa_t*,ike_cfg_t*))set_ike_cfg;
+	this->public.get_peer_cfg = (peer_cfg_t* (*)(ike_sa_t*))get_peer_cfg;
+	this->public.set_peer_cfg = (void (*)(ike_sa_t*,peer_cfg_t*))set_peer_cfg;
+	this->public.get_auth_cfg = (auth_cfg_t*(*)(ike_sa_t*, bool local))get_auth_cfg;
+	this->public.create_auth_cfg_enumerator = (enumerator_t*(*)(ike_sa_t*, bool local))create_auth_cfg_enumerator;
+	this->public.add_auth_cfg = (void(*)(ike_sa_t*, bool local, auth_cfg_t *cfg))add_auth_cfg;
+	this->public.get_proposal = (proposal_t*(*)(ike_sa_t*))get_proposal;
+	this->public.set_proposal = (void(*)(ike_sa_t*, proposal_t *proposal))set_proposal;
+	this->public.get_id = (ike_sa_id_t* (*)(ike_sa_t*)) get_id;
+	this->public.get_my_host = (host_t* (*)(ike_sa_t*)) get_my_host;
+	this->public.set_my_host = (void (*)(ike_sa_t*,host_t*)) set_my_host;
+	this->public.get_other_host = (host_t* (*)(ike_sa_t*)) get_other_host;
+	this->public.set_other_host = (void (*)(ike_sa_t*,host_t*)) set_other_host;
+	this->public.set_message_id = (void(*)(ike_sa_t*, bool inbound, u_int32_t mid))set_message_id;
+	this->public.update_hosts = (void(*)(ike_sa_t*, host_t *me, host_t *other))update_hosts;
+	this->public.get_my_id = (identification_t* (*)(ike_sa_t*)) get_my_id;
+	this->public.set_my_id = (void (*)(ike_sa_t*,identification_t*)) set_my_id;
+	this->public.get_other_id = (identification_t* (*)(ike_sa_t*)) get_other_id;
+	this->public.set_other_id = (void (*)(ike_sa_t*,identification_t*)) set_other_id;
+	this->public.get_other_eap_id = (identification_t* (*)(ike_sa_t*)) get_other_eap_id;
+	this->public.enable_extension = (void(*)(ike_sa_t*, ike_extension_t extension))enable_extension;
+	this->public.supports_extension = (bool(*)(ike_sa_t*, ike_extension_t extension))supports_extension;
+	this->public.set_condition = (void (*)(ike_sa_t*, ike_condition_t,bool)) set_condition;
+	this->public.has_condition = (bool (*)(ike_sa_t*,ike_condition_t)) has_condition;
+	this->public.set_pending_updates = (void(*)(ike_sa_t*, u_int32_t updates))set_pending_updates;
+	this->public.get_pending_updates = (u_int32_t(*)(ike_sa_t*))get_pending_updates;
+	this->public.create_additional_address_iterator = (iterator_t*(*)(ike_sa_t*))create_additional_address_iterator;
+	this->public.add_additional_address = (void(*)(ike_sa_t*, host_t *host))add_additional_address;
+	this->public.has_mapping_changed = (bool(*)(ike_sa_t*, chunk_t hash))has_mapping_changed;
+	this->public.retransmit = (status_t (*)(ike_sa_t *, u_int32_t)) retransmit;
+	this->public.delete = (status_t (*)(ike_sa_t*))delete_;
+	this->public.destroy = (void (*)(ike_sa_t*))destroy;
+	this->public.send_dpd = (status_t (*)(ike_sa_t*)) send_dpd;
+	this->public.send_keepalive = (void (*)(ike_sa_t*)) send_keepalive;
+	this->public.get_keymat = (keymat_t*(*)(ike_sa_t*))get_keymat;
+	this->public.add_child_sa = (void (*)(ike_sa_t*,child_sa_t*)) add_child_sa;
+	this->public.get_child_sa = (child_sa_t* (*)(ike_sa_t*,protocol_id_t,u_int32_t,bool)) get_child_sa;
+	this->public.create_child_sa_iterator = (iterator_t* (*)(ike_sa_t*)) create_child_sa_iterator;
+	this->public.rekey_child_sa = (status_t (*)(ike_sa_t*,protocol_id_t,u_int32_t)) rekey_child_sa;
+	this->public.delete_child_sa = (status_t (*)(ike_sa_t*,protocol_id_t,u_int32_t)) delete_child_sa;
+	this->public.destroy_child_sa = (status_t (*)(ike_sa_t*,protocol_id_t,u_int32_t))destroy_child_sa;
+	this->public.rekey = (status_t (*)(ike_sa_t*))rekey;
+	this->public.reauth = (status_t (*)(ike_sa_t*))reauth;
+	this->public.reestablish = (status_t (*)(ike_sa_t*))reestablish;
+	this->public.set_auth_lifetime = (void(*)(ike_sa_t*, u_int32_t lifetime))set_auth_lifetime;
+	this->public.roam = (status_t(*)(ike_sa_t*,bool))roam;
+	this->public.inherit = (status_t (*)(ike_sa_t*,ike_sa_t*))inherit;
+	this->public.generate_message = (status_t (*)(ike_sa_t*,message_t*,packet_t**))generate_message;
+	this->public.reset = (void (*)(ike_sa_t*))reset;
+	this->public.get_unique_id = (u_int32_t (*)(ike_sa_t*))get_unique_id;
+	this->public.set_virtual_ip = (void (*)(ike_sa_t*,bool,host_t*))set_virtual_ip;
+	this->public.get_virtual_ip = (host_t* (*)(ike_sa_t*,bool))get_virtual_ip;
+	this->public.add_configuration_attribute = (void(*)(ike_sa_t*, attribute_handler_t *handler,configuration_attribute_type_t type, chunk_t data))add_configuration_attribute;
+	this->public.set_kmaddress = (void (*)(ike_sa_t*,host_t*,host_t*))set_kmaddress;
+#ifdef ME
+	this->public.act_as_mediation_server = (void (*)(ike_sa_t*)) act_as_mediation_server;
+	this->public.get_server_reflexive_host = (host_t* (*)(ike_sa_t*)) get_server_reflexive_host;
+	this->public.set_server_reflexive_host = (void (*)(ike_sa_t*,host_t*)) set_server_reflexive_host;
+	this->public.get_connect_id = (chunk_t (*)(ike_sa_t*)) get_connect_id;
+	this->public.initiate_mediation = (status_t (*)(ike_sa_t*,peer_cfg_t*)) initiate_mediation;
+	this->public.initiate_mediated = (status_t (*)(ike_sa_t*,host_t*,host_t*,chunk_t)) initiate_mediated;
+	this->public.relay = (status_t (*)(ike_sa_t*,identification_t*,chunk_t,chunk_t,linked_list_t*,bool)) relay;
+	this->public.callback = (status_t (*)(ike_sa_t*,identification_t*)) callback;
+	this->public.respond = (status_t (*)(ike_sa_t*,identification_t*,chunk_t)) respond;
+#endif /* ME */
+
+	/* initialize private fields */
+	this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
+	this->child_sas = linked_list_create();
+	this->my_host = host_create_any(AF_INET);
+	this->my_host->set_port(this->my_host, IKEV2_UDP_PORT);
+	this->other_host = host_create_any(AF_INET);
+	this->my_id = identification_create_from_encoding(ID_ANY, chunk_empty);
+	this->other_id = identification_create_from_encoding(ID_ANY, chunk_empty);
+	this->extensions = 0;
+	this->conditions = 0;
+	this->keymat = keymat_create(ike_sa_id->is_initiator(ike_sa_id));
+	this->state = IKE_CREATED;
+	this->keepalive_interval = lib->settings->get_time(lib->settings,
+									"charon.keep_alive", KEEPALIVE_INTERVAL);
+	memset(this->stats, 0, sizeof(this->stats));
+	this->stats[STAT_INBOUND] = this->stats[STAT_OUTBOUND] = time_monotonic(NULL);
+	this->ike_cfg = NULL;
+	this->peer_cfg = NULL;
+	this->my_auth = auth_cfg_create();
+	this->other_auth = auth_cfg_create();
+	this->my_auths = linked_list_create();
+	this->other_auths = linked_list_create();
+	this->proposal = NULL;
+	this->task_manager = task_manager_create(&this->public);
+	this->unique_id = ++unique_id;
+	this->my_virtual_ip = NULL;
+	this->other_virtual_ip = NULL;
+	this->additional_addresses = linked_list_create();
+	this->attributes = linked_list_create();
+	this->nat_detection_dest = chunk_empty;
+	this->pending_updates = 0;
+	this->keyingtry = 0;
+	this->local_host = NULL;
+	this->remote_host = NULL;
+#ifdef ME
+	this->is_mediation_server = FALSE;
+	this->server_reflexive_host = NULL;
+	this->connect_id = chunk_empty;
+#endif /* ME */
+
+	return &this->public;
+}
diff --git a/src/libcharon/sa/ike_sa.h b/src/libcharon/sa/ike_sa.h
new file mode 100644
index 000000000..c61502edf
--- /dev/null
+++ b/src/libcharon/sa/ike_sa.h
@@ -0,0 +1,921 @@
+/*
+ * Copyright (C) 2006-2008 Tobias Brunner
+ * Copyright (C) 2006 Daniel Roethlisberger
+ * Copyright (C) 2005-2009 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ike_sa ike_sa
+ * @{ @ingroup sa
+ */
+
+#ifndef IKE_SA_H_
+#define IKE_SA_H_
+
+typedef enum ike_extension_t ike_extension_t;
+typedef enum ike_condition_t ike_condition_t;
+typedef enum ike_sa_state_t ike_sa_state_t;
+typedef enum statistic_t statistic_t;
+typedef struct ike_sa_t ike_sa_t;
+
+#include <library.h>
+#include <attributes/attribute_handler.h>
+#include <encoding/message.h>
+#include <encoding/payloads/proposal_substructure.h>
+#include <encoding/payloads/configuration_attribute.h>
+#include <sa/ike_sa_id.h>
+#include <sa/child_sa.h>
+#include <sa/tasks/task.h>
+#include <sa/keymat.h>
+#include <config/peer_cfg.h>
+#include <config/ike_cfg.h>
+#include <config/auth_cfg.h>
+
+/**
+ * Timeout in seconds after that a half open IKE_SA gets deleted.
+ */
+#define HALF_OPEN_IKE_SA_TIMEOUT 30
+
+/**
+ * Interval to send keepalives when NATed, in seconds.
+ */
+#define KEEPALIVE_INTERVAL 20
+
+/**
+ * After which time rekeying should be retried if it failed, in seconds.
+ */
+#define RETRY_INTERVAL 30
+
+/**
+ * Jitter to subtract from RETRY_INTERVAL to randomize rekey retry.
+ */
+#define RETRY_JITTER 20
+
+/**
+ * Extensions (or optional features) the peer supports
+ */
+enum ike_extension_t {
+
+	/**
+	 * peer supports NAT traversal as specified in RFC4306
+	 */
+	EXT_NATT = (1<<0),
+
+	/**
+	 * peer supports MOBIKE (RFC4555)
+	 */
+	EXT_MOBIKE = (1<<1),
+
+	/**
+	 * peer supports HTTP cert lookups as specified in RFC4306
+	 */
+	EXT_HASH_AND_URL = (1<<2),
+
+	/**
+	 * peer supports multiple authentication exchanges, RFC4739
+	 */
+	EXT_MULTIPLE_AUTH = (1<<3),
+
+	/**
+	 * peer uses strongSwan, accept private use extensions
+	 */
+	EXT_STRONGSWAN = (1<<4),
+
+	/**
+	 * peer supports EAP-only authentication, draft-eronen-ipsec-ikev2-eap-auth
+	 */
+	EXT_EAP_ONLY_AUTHENTICATION = (1<<5),
+};
+
+/**
+ * Conditions of an IKE_SA, change during its lifetime
+ */
+enum ike_condition_t {
+
+	/**
+	 * Connection is natted (or faked) somewhere
+	 */
+	COND_NAT_ANY = (1<<0),
+
+	/**
+	 * we are behind NAT
+	 */
+	COND_NAT_HERE = (1<<1),
+
+	/**
+	 * other is behind NAT
+	 */
+	COND_NAT_THERE = (1<<2),
+
+	/**
+	 * Faking NAT to enforce UDP encapsulation
+	 */
+	COND_NAT_FAKE = (1<<3),
+
+	/**
+	 * peer has been authenticated using EAP at least once
+	 */
+	COND_EAP_AUTHENTICATED = (1<<4),
+
+	/**
+	 * received a certificate request from the peer
+	 */
+	COND_CERTREQ_SEEN = (1<<5),
+
+	/**
+	 * Local peer is the "original" IKE initiator. Unaffected from rekeying.
+	 */
+	COND_ORIGINAL_INITIATOR = (1<<6),
+
+	/**
+	 * IKE_SA is stale, the peer is currently unreachable (MOBIKE)
+	 */
+	COND_STALE = (1<<7),
+};
+
+/**
+ * Timing information and statistics to query from an SA
+ */
+enum statistic_t {
+	/** Timestamp of SA establishement */
+	STAT_ESTABLISHED = 0,
+	/** Timestamp of scheudled rekeying */
+	STAT_REKEY,
+	/** Timestamp of scheudled reauthentication */
+	STAT_REAUTH,
+	/** Timestamp of scheudled delete */
+	STAT_DELETE,
+	/** Timestamp of last inbound IKE packet */
+	STAT_INBOUND,
+	/** Timestamp of last outbound IKE packet */
+	STAT_OUTBOUND,
+
+	STAT_MAX
+};
+
+/**
+ * State of an IKE_SA.
+ *
+ * An IKE_SA passes various states in its lifetime. A newly created
+ * SA is in the state CREATED.
+ * @verbatim
+                 +----------------+
+                 ¦   SA_CREATED   ¦
+                 +----------------+
+                         ¦
+    on initiate()--->    ¦   <----- on IKE_SA_INIT received
+                         V
+                 +----------------+
+                 ¦ SA_CONNECTING  ¦
+                 +----------------+
+                         ¦
+                         ¦   <----- on IKE_AUTH successfully completed
+                         V
+                 +----------------+
+                 ¦ SA_ESTABLISHED ¦-------------------------+ <-- on rekeying
+                 +----------------+                         ¦
+                         ¦                                  V
+    on delete()--->      ¦   <----- on IKE_SA        +-------------+
+                         ¦          delete request   ¦ SA_REKEYING ¦
+                         ¦          received         +-------------+
+                         V                                  ¦
+                 +----------------+                         ¦
+                 ¦  SA_DELETING   ¦<------------------------+ <-- after rekeying
+                 +----------------+
+                         ¦
+                         ¦   <----- after delete() acknowledged
+                         ¦
+                        \V/
+                         X
+                        / \
+   @endverbatim
+ */
+enum ike_sa_state_t {
+
+	/**
+	 * IKE_SA just got created, but is not initiating nor responding yet.
+	 */
+	IKE_CREATED,
+
+	/**
+	 * IKE_SA gets initiated actively or passively
+	 */
+	IKE_CONNECTING,
+
+	/**
+	 * IKE_SA is fully established
+	 */
+	IKE_ESTABLISHED,
+
+	/**
+	 * IKE_SA is managed externally and does not process messages
+	 */
+	IKE_PASSIVE,
+
+	/**
+	 * IKE_SA rekeying in progress
+	 */
+	IKE_REKEYING,
+
+	/**
+	 * IKE_SA is in progress of deletion
+	 */
+	IKE_DELETING,
+
+	/**
+	 * IKE_SA object gets destroyed
+	 */
+	IKE_DESTROYING,
+};
+
+/**
+ * enum names for ike_sa_state_t.
+ */
+extern enum_name_t *ike_sa_state_names;
+
+/**
+ * Class ike_sa_t representing an IKE_SA.
+ *
+ * An IKE_SA contains crypto information related to a connection
+ * with a peer. It contains multiple IPsec CHILD_SA, for which
+ * it is responsible. All traffic is handled by an IKE_SA, using
+ * the task manager and its tasks.
+ */
+struct ike_sa_t {
+
+	/**
+	 * Get the id of the SA.
+	 *
+	 * Returned ike_sa_id_t object is not getting cloned!
+	 *
+	 * @return 				ike_sa's ike_sa_id_t
+	 */
+	ike_sa_id_t* (*get_id) (ike_sa_t *this);
+
+	/**
+	 * Get the numerical ID uniquely defining this IKE_SA.
+	 *
+	 * @return 				unique ID
+	 */
+	u_int32_t (*get_unique_id) (ike_sa_t *this);
+
+	/**
+	 * Get the state of the IKE_SA.
+	 *
+	 * @return				state of the IKE_SA
+	 */
+	ike_sa_state_t (*get_state) (ike_sa_t *this);
+
+	/**
+	 * Set the state of the IKE_SA.
+	 *
+	 * @param state			state to set for the IKE_SA
+	 */
+	void (*set_state) (ike_sa_t *this, ike_sa_state_t ike_sa);
+
+	/**
+	 * Get the name of the connection this IKE_SA uses.
+	 *
+	 * @return				name
+	 */
+	char* (*get_name) (ike_sa_t *this);
+
+	/**
+	 * Get statistic values from the IKE_SA.
+	 *
+	 * @param kind			kind of requested value
+	 * @return				value as integer
+	 */
+	u_int32_t (*get_statistic)(ike_sa_t *this, statistic_t kind);
+
+	/**
+	 * Get the own host address.
+	 *
+	 * @return				host address
+	 */
+	host_t* (*get_my_host) (ike_sa_t *this);
+
+	/**
+	 * Set the own host address.
+	 *
+	 * @param me			host address
+	 */
+	void (*set_my_host) (ike_sa_t *this, host_t *me);
+
+	/**
+	 * Get the other peers host address.
+	 *
+	 * @return				host address
+	 */
+	host_t* (*get_other_host) (ike_sa_t *this);
+
+	/**
+	 * Set the others host address.
+	 *
+	 * @param other			host address
+	 */
+	void (*set_other_host) (ike_sa_t *this, host_t *other);
+
+	/**
+	 * Update the IKE_SAs host.
+	 *
+	 * Hosts may be NULL to use current host.
+	 *
+	 * @param me			new local host address, or NULL
+	 * @param other			new remote host address, or NULL
+	 */
+	void (*update_hosts)(ike_sa_t *this, host_t *me, host_t *other);
+
+	/**
+	 * Get the own identification.
+	 *
+	 * @return				identification
+	 */
+	identification_t* (*get_my_id) (ike_sa_t *this);
+
+	/**
+	 * Set the own identification.
+	 *
+	 * @param me			identification
+	 */
+	void (*set_my_id) (ike_sa_t *this, identification_t *me);
+
+	/**
+	 * Get the other peer's identification.
+	 *
+	 * @return				identification
+	 */
+	identification_t* (*get_other_id) (ike_sa_t *this);
+
+	/**
+	 * Get the others peer identity, but prefer an EAP-Identity.
+	 *
+	 * @return				EAP or IKEv2 identity
+	 */
+	identification_t* (*get_other_eap_id)(ike_sa_t *this);
+
+	/**
+	 * Set the other peer's identification.
+	 *
+	 * @param other			identification
+	 */
+	void (*set_other_id) (ike_sa_t *this, identification_t *other);
+
+	/**
+	 * Get the config used to setup this IKE_SA.
+	 *
+	 * @return				ike_config
+	 */
+	ike_cfg_t* (*get_ike_cfg) (ike_sa_t *this);
+
+	/**
+	 * Set the config to setup this IKE_SA.
+	 *
+	 * @param config		ike_config to use
+	 */
+	void (*set_ike_cfg) (ike_sa_t *this, ike_cfg_t* config);
+
+	/**
+	 * Get the peer config used by this IKE_SA.
+	 *
+	 * @return				peer_config
+	 */
+	peer_cfg_t* (*get_peer_cfg) (ike_sa_t *this);
+
+	/**
+	 * Set the peer config to use with this IKE_SA.
+	 *
+	 * @param config		peer_config to use
+	 */
+	void (*set_peer_cfg) (ike_sa_t *this, peer_cfg_t *config);
+
+	/**
+	 * Get the authentication config with rules of the current auth round.
+	 *
+	 * @param local			TRUE for local rules, FALSE for remote constraints
+	 * @return				current cfg
+	 */
+	auth_cfg_t* (*get_auth_cfg)(ike_sa_t *this, bool local);
+
+	/**
+	 * Insert a completed authentication round.
+	 *
+	 * @param local			TRUE for own rules, FALSE for others constraints
+	 * @param cfg			auth config to append
+	 */
+	void (*add_auth_cfg)(ike_sa_t *this, bool local, auth_cfg_t *cfg);
+
+	/**
+	 * Create an enumerator over added authentication rounds.
+	 *
+	 * @param local			TRUE for own rules, FALSE for others constraints
+	 * @return				enumerator over auth_cfg_t
+	 */
+	enumerator_t* (*create_auth_cfg_enumerator)(ike_sa_t *this, bool local);
+
+	/**
+	 * Get the selected proposal of this IKE_SA.
+	 *
+	 * @return				selected proposal
+	 */
+	proposal_t* (*get_proposal)(ike_sa_t *this);
+
+	/**
+	 * Set the proposal selected for this IKE_SA.
+	 *
+	 * @param				selected proposal
+	 */
+	void (*set_proposal)(ike_sa_t *this, proposal_t *proposal);
+
+	/**
+	 * Set the message id of the IKE_SA.
+	 *
+	 * The IKE_SA stores two message IDs, one for initiating exchanges (send)
+	 * and one to respond to exchanges (expect).
+	 *
+	 * @param initiate		TRUE to set message ID for initiating
+	 * @param mid			message id to set
+	 */
+	void (*set_message_id)(ike_sa_t *this, bool initiate, u_int32_t mid);
+
+	/**
+	 * Add an additional address for the peer.
+	 *
+	 * In MOBIKE, a peer may transmit additional addresses where it is
+	 * reachable. These are stored in the IKE_SA.
+	 * The own list of addresses is not stored, they are queried from
+	 * the kernel when required.
+	 *
+	 * @param host			host to add to list
+	 */
+	void (*add_additional_address)(ike_sa_t *this, host_t *host);
+
+	/**
+	 * Create an iterator over all additional addresses of the peer.
+	 *
+	 * @return 				iterator over addresses
+	 */
+	iterator_t* (*create_additional_address_iterator)(ike_sa_t *this);
+
+	/**
+	 * Check if mappings have changed on a NAT for our source address.
+	 *
+	 * @param hash			received DESTINATION_IP hash
+	 * @return				TRUE if mappings have changed
+	 */
+	bool (*has_mapping_changed)(ike_sa_t *this, chunk_t hash);
+
+	/**
+	 * Enable an extension the peer supports.
+	 *
+	 * If support for an IKE extension is detected, this method is called
+	 * to enable that extension and behave accordingly.
+	 *
+	 * @param extension		extension to enable
+	 */
+	void (*enable_extension)(ike_sa_t *this, ike_extension_t extension);
+
+	/**
+	 * Check if the peer supports an extension.
+	 *
+	 * @param extension		extension to check for support
+	 * @return				TRUE if peer supports it, FALSE otherwise
+	 */
+	bool (*supports_extension)(ike_sa_t *this, ike_extension_t extension);
+
+	/**
+	 * Enable/disable a condition flag for this IKE_SA.
+	 *
+	 * @param condition		condition to enable/disable
+	 * @param enable		TRUE to enable condition, FALSE to disable
+	 */
+	void (*set_condition) (ike_sa_t *this, ike_condition_t condition, bool enable);
+
+	/**
+	 * Check if a condition flag is set.
+	 *
+	 * @param condition		condition to check
+	 * @return				TRUE if condition flag set, FALSE otherwise
+	 */
+	bool (*has_condition) (ike_sa_t *this, ike_condition_t condition);
+
+	/**
+	 * Get the number of queued MOBIKE address updates.
+	 *
+	 * @return				number of pending updates
+	 */
+	u_int32_t (*get_pending_updates)(ike_sa_t *this);
+
+	/**
+	 * Set the number of queued MOBIKE address updates.
+	 *
+	 * @param updates		number of pending updates
+	 */
+	void (*set_pending_updates)(ike_sa_t *this, u_int32_t updates);
+
+#ifdef ME
+	/**
+	 * Activate mediation server functionality for this IKE_SA.
+	 */
+	void (*act_as_mediation_server) (ike_sa_t *this);
+
+	/**
+	 * Get the server reflexive host.
+	 *
+	 * @return				server reflexive host
+	 */
+	host_t* (*get_server_reflexive_host) (ike_sa_t *this);
+
+	/**
+	 * Set the server reflexive host.
+	 *
+	 * @param host			server reflexive host
+	 */
+	void (*set_server_reflexive_host) (ike_sa_t *this, host_t *host);
+
+	/**
+	 * Get the connect ID.
+	 *
+	 * @return				connect ID
+	 */
+	chunk_t (*get_connect_id) (ike_sa_t *this);
+
+	/**
+	 * Initiate the mediation of a mediated connection (i.e. initiate a
+	 * ME_CONNECT exchange to a mediation server).
+	 *
+	 * @param mediated_cfg	peer_cfg of the mediated connection
+	 * @return
+	 * 						- SUCCESS if initialization started
+	 * 						- DESTROY_ME if initialization failed
+	 */
+	status_t (*initiate_mediation) (ike_sa_t *this, peer_cfg_t *mediated_cfg);
+
+	/**
+	 * Initiate the mediated connection
+	 *
+	 * @param me			local endpoint (gets cloned)
+	 * @param other			remote endpoint (gets cloned)
+	 * @param connect_id	connect ID (gets cloned)
+	 * @return
+	 * 						- SUCCESS if initialization started
+	 * 						- DESTROY_ME if initialization failed
+	 */
+	status_t (*initiate_mediated) (ike_sa_t *this, host_t *me, host_t *other,
+								   chunk_t connect_id);
+
+	/**
+	 * Relay data from one peer to another (i.e. initiate a ME_CONNECT exchange
+	 * to a peer).
+	 *
+	 * Data is cloned.
+	 *
+	 * @param requester		ID of the requesting peer
+	 * @param connect_id	data of the ME_CONNECTID payload
+	 * @param connect_key	data of the ME_CONNECTKEY payload
+	 * @param endpoints		endpoints
+	 * @param response		TRUE if this is a response
+	 * @return
+	 * 						- SUCCESS if relay started
+	 * 						- DESTROY_ME if relay failed
+	 */
+	status_t (*relay) (ike_sa_t *this, identification_t *requester,
+					   chunk_t connect_id, chunk_t connect_key,
+					   linked_list_t *endpoints, bool response);
+
+	/**
+	 * Send a callback to a peer.
+	 *
+	 * Data is cloned.
+	 *
+	 * @param peer_id		ID of the other peer
+	 * @return
+	 * 						- SUCCESS if response started
+	 * 						- DESTROY_ME if response failed
+	 */
+	status_t (*callback) (ike_sa_t *this, identification_t *peer_id);
+
+	/**
+	 * Respond to a ME_CONNECT request.
+	 *
+	 * Data is cloned.
+	 *
+	 * @param peer_id		ID of the other peer
+	 * @param connect_id	the connect ID supplied by the initiator
+	 * @return
+	 * 						- SUCCESS if response started
+	 * 						- DESTROY_ME if response failed
+	 */
+	status_t (*respond) (ike_sa_t *this, identification_t *peer_id,
+						 chunk_t connect_id);
+#endif /* ME */
+
+	/**
+	 * Initiate a new connection.
+	 *
+	 * The configs are owned by the IKE_SA after the call. If the initiate
+	 * is triggered by a packet, traffic selectors of the packet can be added
+	 * to the CHILD_SA.
+	 *
+	 * @param child_cfg		child config to create CHILD from
+	 * @param reqid			reqid to use for CHILD_SA, 0 assigne uniquely
+	 * @param tsi			source of triggering packet
+	 * @param tsr			destination of triggering packet.
+	 * @return
+	 * 						- SUCCESS if initialization started
+	 * 						- DESTROY_ME if initialization failed
+	 */
+	status_t (*initiate) (ike_sa_t *this, child_cfg_t *child_cfg,
+						  u_int32_t reqid, traffic_selector_t *tsi,
+						  traffic_selector_t *tsr);
+
+	/**
+	 * Initiates the deletion of an IKE_SA.
+	 *
+	 * Sends a delete message to the remote peer and waits for
+	 * its response. If the response comes in, or a timeout occurs,
+	 * the IKE SA gets deleted.
+	 *
+	 * @return
+	 * 						- SUCCESS if deletion is initialized
+	 * 						- DESTROY_ME, if the IKE_SA is not in
+	 * 						  an established state and can not be
+	 * 						  deleted (but destroyed).
+	 */
+	status_t (*delete) (ike_sa_t *this);
+
+	/**
+	 * Update IKE_SAs after network interfaces have changed.
+	 *
+	 * Whenever the network interface configuration changes, the kernel
+	 * interface calls roam() on each IKE_SA. The IKE_SA then checks if
+	 * the new network config requires changes, and handles appropriate.
+	 * If MOBIKE is supported, addresses are updated; If not, the tunnel is
+	 * restarted.
+	 *
+	 * @param address		TRUE if address list changed, FALSE otherwise
+	 * @return				SUCCESS, FAILED, DESTROY_ME
+	 */
+	status_t (*roam)(ike_sa_t *this, bool address);
+
+	/**
+	 * Processes a incoming IKEv2-Message.
+	 *
+	 * Message processing may fail. If a critical failure occurs,
+	 * process_message() return DESTROY_ME. Then the caller must
+	 * destroy the IKE_SA immediatly, as it is unusable.
+	 *
+	 * @param message 		message to process
+	 * @return
+	 * 						- SUCCESS
+	 * 						- FAILED
+	 * 						- DESTROY_ME if this IKE_SA MUST be deleted
+	 */
+	status_t (*process_message) (ike_sa_t *this, message_t *message);
+
+	/**
+	 * Generate a IKE message to send it to the peer.
+	 *
+	 * This method generates all payloads in the message and encrypts/signs
+	 * the packet.
+	 *
+	 * @param message 		message to generate
+	 * @param packet		generated output packet
+	 * @return
+	 * 						- SUCCESS
+	 * 						- FAILED
+	 * 						- DESTROY_ME if this IKE_SA MUST be deleted
+	 */
+	status_t (*generate_message) (ike_sa_t *this, message_t *message,
+								  packet_t **packet);
+
+	/**
+	 * Retransmits a request.
+	 *
+	 * @param message_id	ID of the request to retransmit
+	 * @return
+	 * 						- SUCCESS
+	 * 						- NOT_FOUND if request doesn't have to be retransmited
+	 */
+	status_t (*retransmit) (ike_sa_t *this, u_int32_t message_id);
+
+	/**
+	 * Sends a DPD request to the peer.
+	 *
+	 * To check if a peer is still alive, periodic
+	 * empty INFORMATIONAL messages are sent if no
+	 * other traffic was received.
+	 *
+	 * @return
+	 * 						- SUCCESS
+	 * 						- DESTROY_ME, if peer did not respond
+	 */
+	status_t (*send_dpd) (ike_sa_t *this);
+
+	/**
+	 * Sends a keep alive packet.
+	 *
+	 * To refresh NAT tables in a NAT router
+	 * between the peers, periodic empty
+	 * UDP packets are sent if no other traffic
+	 * was sent.
+	 */
+	void (*send_keepalive) (ike_sa_t *this);
+
+	/**
+	 * Get the keying material of this IKE_SA.
+	 *
+	 * @return				per IKE_SA keymat instance
+	 */
+	keymat_t* (*get_keymat)(ike_sa_t *this);
+
+	/**
+	 * Associates a child SA to this IKE SA
+	 *
+	 * @param child_sa		child_sa to add
+	 */
+	void (*add_child_sa) (ike_sa_t *this, child_sa_t *child_sa);
+
+	/**
+	 * Get a CHILD_SA identified by protocol and SPI.
+	 *
+	 * @param protocol		protocol of the SA
+	 * @param spi			SPI of the CHILD_SA
+	 * @param inbound		TRUE if SPI is inbound, FALSE if outbound
+	 * @return				child_sa, or NULL if none found
+	 */
+	child_sa_t* (*get_child_sa) (ike_sa_t *this, protocol_id_t protocol,
+								 u_int32_t spi, bool inbound);
+
+	/**
+	 * Create an iterator over all CHILD_SAs.
+	 *
+	 * @return				iterator
+	 */
+	iterator_t* (*create_child_sa_iterator) (ike_sa_t *this);
+
+	/**
+	 * Rekey the CHILD SA with the specified reqid.
+	 *
+	 * Looks for a CHILD SA owned by this IKE_SA, and start the rekeing.
+	 *
+	 * @param protocol		protocol of the SA
+	 * @param spi			inbound SPI of the CHILD_SA
+	 * @return
+	 * 						- NOT_FOUND, if IKE_SA has no such CHILD_SA
+	 * 						- SUCCESS, if rekeying initiated
+	 */
+	status_t (*rekey_child_sa) (ike_sa_t *this, protocol_id_t protocol, u_int32_t spi);
+
+	/**
+	 * Close the CHILD SA with the specified protocol/SPI.
+	 *
+	 * Looks for a CHILD SA owned by this IKE_SA, deletes it and
+	 * notify's the remote peer about the delete. The associated
+	 * states and policies in the kernel get deleted, if they exist.
+	 *
+	 * @param protocol		protocol of the SA
+	 * @param spi			inbound SPI of the CHILD_SA
+	 * @return
+	 * 						- NOT_FOUND, if IKE_SA has no such CHILD_SA
+	 * 						- SUCCESS, if delete message sent
+	 */
+	status_t (*delete_child_sa) (ike_sa_t *this, protocol_id_t protocol, u_int32_t spi);
+
+	/**
+	 * Destroy a CHILD SA with the specified protocol/SPI.
+	 *
+	 * Looks for a CHILD SA owned by this IKE_SA and destroys it.
+	 *
+	 * @param protocol		protocol of the SA
+	 * @param spi			inbound SPI of the CHILD_SA
+	 * @return
+	 * 						- NOT_FOUND, if IKE_SA has no such CHILD_SA
+	 * 						- SUCCESS
+	 */
+	status_t (*destroy_child_sa) (ike_sa_t *this, protocol_id_t protocol, u_int32_t spi);
+
+	/**
+	 * Rekey the IKE_SA.
+	 *
+	 * Sets up a new IKE_SA, moves all CHILDs to it and deletes this IKE_SA.
+	 *
+	 * @return				- SUCCESS, if IKE_SA rekeying initiated
+	 */
+	status_t (*rekey) (ike_sa_t *this);
+
+	/**
+	 * Reauthenticate the IKE_SA.
+	 *
+	 * Create a completely new IKE_SA with authentication, recreates all children
+	 * within the IKE_SA, closes this IKE_SA.
+	 *
+	 * @return				DESTROY_ME to destroy the IKE_SA
+	 */
+	status_t (*reauth) (ike_sa_t *this);
+
+	/**
+	 * Restablish the IKE_SA.
+	 *
+	 * Reestablish an IKE_SA after it has been closed.
+	 *
+	 * @return				DESTROY_ME to destroy the IKE_SA
+	 */
+	status_t (*reestablish) (ike_sa_t *this);
+
+	/**
+	 * Set the lifetime limit received from a AUTH_LIFETIME notify.
+	 *
+	 * @param lifetime		lifetime in seconds
+	 */
+	void (*set_auth_lifetime)(ike_sa_t *this, u_int32_t lifetime);
+
+	/**
+	 * Set the virtual IP to use for this IKE_SA and its children.
+	 *
+	 * The virtual IP is assigned per IKE_SA, not per CHILD_SA. It has the same
+	 * lifetime as the IKE_SA.
+	 *
+	 * @param local			TRUE to set local address, FALSE for remote
+	 * @param ip			IP to set as virtual IP
+	 */
+	void (*set_virtual_ip) (ike_sa_t *this, bool local, host_t *ip);
+
+	/**
+	 * Get the virtual IP configured.
+	 *
+	 * @param local			TRUE to get local virtual IP, FALSE for remote
+	 * @return				host_t *virtual IP
+	 */
+	host_t* (*get_virtual_ip) (ike_sa_t *this, bool local);
+
+	/**
+	 * Register a configuration attribute to the IKE_SA.
+	 *
+	 * If an IRAS sends a configuration attribute it is installed and
+	 * registered at the IKE_SA. Attributes are inherit()ed and get released
+	 * when the IKE_SA is closed.
+	 *
+	 * @param handler		handler installed the attribute, use for release()
+	 * @param type			configuration attribute type
+	 * @param data			associated attribute data
+	 */
+	void (*add_configuration_attribute)(ike_sa_t *this,
+							attribute_handler_t *handler,
+							configuration_attribute_type_t type, chunk_t data);
+
+	/**
+	 * Set local and remote host addresses to be used for IKE.
+	 *
+	 * These addresses are communicated via the KMADDRESS field of a MIGRATE
+	 * message sent via the NETLINK or PF _KEY kernel socket interface.
+	 *
+	 * @param local			local kmaddress
+	 * @param remote		remote kmaddress
+	 */
+	void (*set_kmaddress) (ike_sa_t *this, host_t *local, host_t *remote);
+
+	/**
+	 * Inherit all attributes of other to this after rekeying.
+	 *
+	 * When rekeying is completed, all CHILD_SAs, the virtual IP and all
+	 * outstanding tasks are moved from other to this.
+	 * As this call may initiate inherited tasks, a status is returned.
+	 *
+	 * @param other			other task to inherit from
+	 * @return				DESTROY_ME if initiation of inherited task failed
+	 */
+	status_t (*inherit) (ike_sa_t *this, ike_sa_t *other);
+
+	/**
+	 * Reset the IKE_SA, useable when initiating fails
+	 */
+	void (*reset) (ike_sa_t *this);
+
+	/**
+	 * Destroys a ike_sa_t object.
+	 */
+	void (*destroy) (ike_sa_t *this);
+};
+
+/**
+ * Creates an ike_sa_t object with a specific ID.
+ *
+ * @param ike_sa_id 	ike_sa_id_t object to associate with new IKE_SA
+ * @return 				ike_sa_t object
+ */
+ike_sa_t *ike_sa_create(ike_sa_id_t *ike_sa_id);
+
+#endif /** IKE_SA_H_ @}*/
diff --git a/src/libcharon/sa/ike_sa_id.c b/src/libcharon/sa/ike_sa_id.c
new file mode 100644
index 000000000..94c5405f2
--- /dev/null
+++ b/src/libcharon/sa/ike_sa_id.c
@@ -0,0 +1,179 @@
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ike_sa_id.h"
+
+#include <stdio.h>
+
+
+typedef struct private_ike_sa_id_t private_ike_sa_id_t;
+
+/**
+ * Private data of an ike_sa_id_t object.
+ */
+struct private_ike_sa_id_t {
+	/**
+	 * Public interface of ike_sa_id_t.
+	 */
+	ike_sa_id_t public;
+
+	 /**
+	  * SPI of Initiator.
+	  */
+	u_int64_t initiator_spi;
+
+	 /**
+	  * SPI of Responder.
+	  */
+	u_int64_t responder_spi;
+
+	/**
+	 * Role for specific IKE_SA.
+	 */
+	bool is_initiator_flag;
+};
+
+/**
+ * Implementation of ike_sa_id_t.set_responder_spi.
+ */
+static void set_responder_spi (private_ike_sa_id_t *this, u_int64_t responder_spi)
+{
+	this->responder_spi = responder_spi;
+}
+
+/**
+ * Implementation of ike_sa_id_t.set_initiator_spi.
+ */
+static void set_initiator_spi(private_ike_sa_id_t *this, u_int64_t initiator_spi)
+{
+	this->initiator_spi = initiator_spi;
+}
+
+/**
+ * Implementation of ike_sa_id_t.get_initiator_spi.
+ */
+static u_int64_t get_initiator_spi (private_ike_sa_id_t *this)
+{
+	return this->initiator_spi;
+}
+
+/**
+ * Implementation of ike_sa_id_t.get_responder_spi.
+ */
+static u_int64_t get_responder_spi (private_ike_sa_id_t *this)
+{
+	return this->responder_spi;
+}
+
+/**
+ * Implementation of ike_sa_id_t.equals.
+ */
+static bool equals (private_ike_sa_id_t *this, private_ike_sa_id_t *other)
+{
+	if (other == NULL)
+	{
+		return FALSE;
+	}
+	if ((this->is_initiator_flag == other->is_initiator_flag) &&
+		(this->initiator_spi == other->initiator_spi) &&
+		(this->responder_spi == other->responder_spi))
+	{
+		/* private_ike_sa_id's are equal */
+		return TRUE;
+	}
+	else
+	{
+		/* private_ike_sa_id's are not equal */
+		return FALSE;
+	}
+}
+
+/**
+ * Implementation of ike_sa_id_t.replace_values.
+ */
+static void replace_values(private_ike_sa_id_t *this, private_ike_sa_id_t *other)
+{
+	this->initiator_spi = other->initiator_spi;
+	this->responder_spi = other->responder_spi;
+	this->is_initiator_flag = other->is_initiator_flag;
+}
+
+/**
+ * Implementation of ike_sa_id_t.is_initiator.
+ */
+static bool is_initiator(private_ike_sa_id_t *this)
+{
+	return this->is_initiator_flag;
+}
+
+/**
+ * Implementation of ike_sa_id_t.switch_initiator.
+ */
+static bool switch_initiator(private_ike_sa_id_t *this)
+{
+	if (this->is_initiator_flag)
+	{
+		this->is_initiator_flag = FALSE;
+	}
+	else
+	{
+		this->is_initiator_flag = TRUE;
+	}
+	return this->is_initiator_flag;
+}
+
+/**
+ * Implementation of ike_sa_id_t.clone.
+ */
+static ike_sa_id_t* clone_(private_ike_sa_id_t *this)
+{
+	return ike_sa_id_create(this->initiator_spi, this->responder_spi, this->is_initiator_flag);
+}
+
+/**
+ * Implementation of ike_sa_id_t.destroy.
+ */
+static void destroy(private_ike_sa_id_t *this)
+{
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+ike_sa_id_t * ike_sa_id_create(u_int64_t initiator_spi, u_int64_t responder_spi, bool is_initiator_flag)
+{
+	private_ike_sa_id_t *this = malloc_thing(private_ike_sa_id_t);
+
+	/* public functions */
+	this->public.set_responder_spi = (void(*)(ike_sa_id_t*,u_int64_t)) set_responder_spi;
+	this->public.set_initiator_spi = (void(*)(ike_sa_id_t*,u_int64_t)) set_initiator_spi;
+	this->public.get_responder_spi = (u_int64_t(*)(ike_sa_id_t*)) get_responder_spi;
+	this->public.get_initiator_spi = (u_int64_t(*)(ike_sa_id_t*)) get_initiator_spi;
+	this->public.equals = (bool(*)(ike_sa_id_t*,ike_sa_id_t*)) equals;
+	this->public.replace_values = (void(*)(ike_sa_id_t*,ike_sa_id_t*)) replace_values;
+	this->public.is_initiator = (bool(*)(ike_sa_id_t*)) is_initiator;
+	this->public.switch_initiator = (bool(*)(ike_sa_id_t*)) switch_initiator;
+	this->public.clone = (ike_sa_id_t*(*)(ike_sa_id_t*)) clone_;
+	this->public.destroy = (void(*)(ike_sa_id_t*))destroy;
+
+	/* private data */
+	this->initiator_spi = initiator_spi;
+	this->responder_spi = responder_spi;
+	this->is_initiator_flag = is_initiator_flag;
+
+	return &this->public;
+}
diff --git a/src/libcharon/sa/ike_sa_id.h b/src/libcharon/sa/ike_sa_id.h
new file mode 100644
index 000000000..a833aa9d6
--- /dev/null
+++ b/src/libcharon/sa/ike_sa_id.h
@@ -0,0 +1,126 @@
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ike_sa_id ike_sa_id
+ * @{ @ingroup sa
+ */
+
+#ifndef IKE_SA_ID_H_
+#define IKE_SA_ID_H_
+
+typedef struct ike_sa_id_t ike_sa_id_t;
+
+#include <library.h>
+
+/**
+ * An object of type ike_sa_id_t is used to identify an IKE_SA.
+ *
+ * An IKE_SA is identified by its initiator and responder spi's.
+ * Additionaly it contains the role of the actual running IKEv2-Daemon
+ * for the specific IKE_SA (original initiator or responder).
+ */
+struct ike_sa_id_t {
+
+	/**
+	 * Set the SPI of the responder.
+	 *
+	 * This function is called when a request or reply of a IKE_SA_INIT is received.
+	 *
+	 * @param responder_spi 	SPI of responder to set
+	 */
+	void (*set_responder_spi) (ike_sa_id_t *this, u_int64_t responder_spi);
+
+	/**
+	 * Set the SPI of the initiator.
+	 *
+	 * @param initiator_spi 	SPI to set
+	 */
+	void (*set_initiator_spi) (ike_sa_id_t *this, u_int64_t initiator_spi);
+
+	/**
+	 * Get the initiator SPI.
+	 *
+	 * @return 					SPI of the initiator
+	 */
+	u_int64_t (*get_initiator_spi) (ike_sa_id_t *this);
+
+	/**
+	 * Get the responder SPI.
+	 *
+	 * @return 					SPI of the responder
+	 */
+	u_int64_t (*get_responder_spi) (ike_sa_id_t *this);
+
+	/**
+	 * Check if two ike_sa_id_t objects are equal.
+	 *
+	 * Two ike_sa_id_t objects are equal if both SPI values and the role matches.
+	 *
+	 * @param other 			ike_sa_id_t object to check if equal
+	 * @return 					TRUE if given ike_sa_id_t are equal, FALSE otherwise
+	 */
+	bool (*equals) (ike_sa_id_t *this, ike_sa_id_t *other);
+
+	/**
+	 * Replace all values of a given ike_sa_id_t object with values.
+	 * from another ike_sa_id_t object.
+	 *
+	 * After calling this function, both objects are equal.
+	 *
+	 * @param other 			ike_sa_id_t object from which values will be taken
+	 */
+	void (*replace_values) (ike_sa_id_t *this, ike_sa_id_t *other);
+
+	/**
+	 * Get the initiator flag.
+	 *
+	 * @return 					TRUE if we are the original initator
+	 */
+	bool (*is_initiator) (ike_sa_id_t *this);
+
+	/**
+	 * Switche the original initiator flag.
+	 *
+	 * @return 					TRUE if we are the original initator after switch, FALSE otherwise
+	 */
+	bool (*switch_initiator) (ike_sa_id_t *this);
+
+	/**
+	 * Clones a given ike_sa_id_t object.
+	 *
+	 * @return 					cloned ike_sa_id_t object
+	 */
+	ike_sa_id_t *(*clone) (ike_sa_id_t *this);
+
+	/**
+	 * Destroys an ike_sa_id_t object.
+	 */
+	void (*destroy) (ike_sa_id_t *this);
+};
+
+/**
+ * Creates an ike_sa_id_t object with specific SPI's and defined role.
+ *
+ * @param initiator_spi			initiators SPI
+ * @param responder_spi			responders SPI
+ * @param is_initiaor			TRUE if we are the original initiator
+ * @return						ike_sa_id_t object
+ */
+ike_sa_id_t * ike_sa_id_create(u_int64_t initiator_spi, u_int64_t responder_spi,
+							   bool is_initiaor);
+
+#endif /** IKE_SA_ID_H_ @}*/
diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c
new file mode 100644
index 000000000..3ef0f3bb0
--- /dev/null
+++ b/src/libcharon/sa/ike_sa_manager.c
@@ -0,0 +1,1741 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2005-2008 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <string.h>
+
+#include "ike_sa_manager.h"
+
+#include <daemon.h>
+#include <sa/ike_sa_id.h>
+#include <bus/bus.h>
+#include <threading/condvar.h>
+#include <threading/mutex.h>
+#include <threading/rwlock.h>
+#include <utils/linked_list.h>
+#include <crypto/hashers/hasher.h>
+
+/* the default size of the hash table (MUST be a power of 2) */
+#define DEFAULT_HASHTABLE_SIZE 1
+
+/* the maximum size of the hash table (MUST be a power of 2) */
+#define MAX_HASHTABLE_SIZE (1 << 30)
+
+/* the default number of segments (MUST be a power of 2) */
+#define DEFAULT_SEGMENT_COUNT 1
+
+typedef struct entry_t entry_t;
+
+/**
+ * An entry in the linked list, contains IKE_SA, locking and lookup data.
+ */
+struct entry_t {
+
+	/**
+	 * Number of threads waiting for this ike_sa_t object.
+	 */
+	int waiting_threads;
+
+	/**
+	 * Condvar where threads can wait until ike_sa_t object is free for use again.
+	 */
+	condvar_t *condvar;
+
+	/**
+	 * Is this ike_sa currently checked out?
+	 */
+	bool checked_out;
+
+	/**
+	 * Does this SA drives out new threads?
+	 */
+	bool driveout_new_threads;
+
+	/**
+	 * Does this SA drives out waiting threads?
+	 */
+	bool driveout_waiting_threads;
+
+	/**
+	 * Identification of an IKE_SA (SPIs).
+	 */
+	ike_sa_id_t *ike_sa_id;
+
+	/**
+	 * The contained ike_sa_t object.
+	 */
+	ike_sa_t *ike_sa;
+
+	/**
+	 * hash of the IKE_SA_INIT message, used to detect retransmissions
+	 */
+	chunk_t init_hash;
+
+	/**
+	 * remote host address, required for DoS detection
+	 */
+	host_t *other;
+
+	/**
+	 * As responder: Is this SA half-open?
+	 */
+	bool half_open;
+
+	/**
+	 * own identity, required for duplicate checking
+	 */
+	identification_t *my_id;
+
+	/**
+	 * remote identity, required for duplicate checking
+	 */
+	identification_t *other_id;
+
+	/**
+	 * message ID currently processing, if any
+	 */
+	u_int32_t message_id;
+};
+
+/**
+ * Implementation of entry_t.destroy.
+ */
+static status_t entry_destroy(entry_t *this)
+{
+	/* also destroy IKE SA */
+	this->ike_sa->destroy(this->ike_sa);
+	this->ike_sa_id->destroy(this->ike_sa_id);
+	chunk_free(&this->init_hash);
+	DESTROY_IF(this->other);
+	DESTROY_IF(this->my_id);
+	DESTROY_IF(this->other_id);
+	this->condvar->destroy(this->condvar);
+	free(this);
+	return SUCCESS;
+}
+
+/**
+ * Creates a new entry for the ike_sa_t list.
+ */
+static entry_t *entry_create()
+{
+	entry_t *this = malloc_thing(entry_t);
+
+	this->waiting_threads = 0;
+	this->condvar = condvar_create(CONDVAR_TYPE_DEFAULT);
+
+	/* we set checkout flag when we really give it out */
+	this->checked_out = FALSE;
+	this->driveout_new_threads = FALSE;
+	this->driveout_waiting_threads = FALSE;
+	this->message_id = -1;
+	this->init_hash = chunk_empty;
+	this->other = NULL;
+	this->half_open = FALSE;
+	this->my_id = NULL;
+	this->other_id = NULL;
+	this->ike_sa_id = NULL;
+	this->ike_sa = NULL;
+
+	return this;
+}
+
+/**
+ * Function that matches entry_t objects by initiator SPI and the hash of the
+ * IKE_SA_INIT message.
+ */
+static bool entry_match_by_hash(entry_t *entry, ike_sa_id_t *id, chunk_t *hash)
+{
+	return id->get_responder_spi(id) == 0 &&
+		id->is_initiator(id) == entry->ike_sa_id->is_initiator(entry->ike_sa_id) &&
+		id->get_initiator_spi(id) == entry->ike_sa_id->get_initiator_spi(entry->ike_sa_id) &&
+		chunk_equals(*hash, entry->init_hash);
+}
+
+/**
+ * Function that matches entry_t objects by ike_sa_id_t.
+ */
+static bool entry_match_by_id(entry_t *entry, ike_sa_id_t *id)
+{
+	if (id->equals(id, entry->ike_sa_id))
+	{
+		return TRUE;
+	}
+	if ((id->get_responder_spi(id) == 0 ||
+		 entry->ike_sa_id->get_responder_spi(entry->ike_sa_id) == 0) &&
+		id->is_initiator(id) == entry->ike_sa_id->is_initiator(entry->ike_sa_id) &&
+		id->get_initiator_spi(id) == entry->ike_sa_id->get_initiator_spi(entry->ike_sa_id))
+	{
+		/* this is TRUE for IKE_SAs that we initiated but have not yet received a response */
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/**
+ * Function that matches entry_t objects by ike_sa_t pointers.
+ */
+static bool entry_match_by_sa(entry_t *entry, ike_sa_t *ike_sa)
+{
+	return entry->ike_sa == ike_sa;
+}
+
+/**
+ * Hash function for ike_sa_id_t objects.
+ */
+static u_int ike_sa_id_hash(ike_sa_id_t *ike_sa_id)
+{
+	/* we always use initiator spi as key */
+	return ike_sa_id->get_initiator_spi(ike_sa_id);
+}
+
+typedef struct half_open_t half_open_t;
+
+/**
+ * Struct to manage half-open IKE_SAs per peer.
+ */
+struct half_open_t {
+	/** chunk of remote host address */
+	chunk_t other;
+
+	/** the number of half-open IKE_SAs with that host */
+	u_int count;
+};
+
+/**
+ * Destroys a half_open_t object.
+ */
+static void half_open_destroy(half_open_t *this)
+{
+	chunk_free(&this->other);
+	free(this);
+}
+
+/**
+ * Function that matches half_open_t objects by the given IP address chunk.
+ */
+static bool half_open_match(half_open_t *half_open, chunk_t *addr)
+{
+	return chunk_equals(*addr, half_open->other);
+}
+
+typedef struct connected_peers_t connected_peers_t;
+
+struct connected_peers_t {
+	/** own identity */
+	identification_t *my_id;
+
+	/** remote identity */
+	identification_t *other_id;
+
+	/** list of ike_sa_id_t objects of IKE_SAs between the two identities */
+	linked_list_t *sas;
+};
+
+static void connected_peers_destroy(connected_peers_t *this)
+{
+	this->my_id->destroy(this->my_id);
+	this->other_id->destroy(this->other_id);
+	this->sas->destroy(this->sas);
+	free(this);
+}
+
+/**
+ * Function that matches connected_peers_t objects by the given ids.
+ */
+static bool connected_peers_match(connected_peers_t *connected_peers,
+							identification_t *my_id, identification_t *other_id)
+{
+	return my_id->equals(my_id, connected_peers->my_id) &&
+		   other_id->equals(other_id, connected_peers->other_id);
+}
+
+typedef struct segment_t segment_t;
+
+/**
+ * Struct to manage segments of the hash table.
+ */
+struct segment_t {
+	/** mutex to access a segment exclusively */
+	mutex_t *mutex;
+
+	/** the number of entries in this segment */
+	u_int count;
+};
+
+typedef struct shareable_segment_t shareable_segment_t;
+
+/**
+ * Struct to manage segments of the "half-open" and "connected peers" hash tables.
+ */
+struct shareable_segment_t {
+	/** rwlock to access a segment non-/exclusively */
+	rwlock_t *lock;
+
+	/** the number of entries in this segment - in case of the "half-open table"
+	 * it's the sum of all half_open_t.count in a segment. */
+	u_int count;
+};
+
+typedef struct private_ike_sa_manager_t private_ike_sa_manager_t;
+
+/**
+ * Additional private members of ike_sa_manager_t.
+ */
+struct private_ike_sa_manager_t {
+	/**
+	 * Public interface of ike_sa_manager_t.
+	 */
+	 ike_sa_manager_t public;
+
+	 /**
+	  * Hash table with entries for the ike_sa_t objects.
+	  */
+	 linked_list_t **ike_sa_table;
+
+	 /**
+	  * The size of the hash table.
+	  */
+	 u_int table_size;
+
+	 /**
+	  * Mask to map the hashes to table rows.
+	  */
+	 u_int table_mask;
+
+	 /**
+	  * Segments of the hash table.
+	  */
+	 segment_t *segments;
+
+	 /**
+	  * The number of segments.
+	  */
+	 u_int segment_count;
+
+	 /**
+	  * Mask to map a table row to a segment.
+	  */
+	 u_int segment_mask;
+
+	 /**
+	  * Hash table with half_open_t objects.
+	  */
+	 linked_list_t **half_open_table;
+
+	 /**
+	  * Segments of the "half-open" hash table.
+	  */
+	 shareable_segment_t *half_open_segments;
+
+	 /**
+	  * Hash table with connected_peers_t objects.
+	  */
+	 linked_list_t **connected_peers_table;
+
+	 /**
+	  * Segments of the "connected peers" hash table.
+	  */
+	 shareable_segment_t *connected_peers_segments;
+
+	 /**
+	  * RNG to get random SPIs for our side
+	  */
+	 rng_t *rng;
+
+	 /**
+	  * SHA1 hasher for IKE_SA_INIT retransmit detection
+	  */
+	 hasher_t *hasher;
+
+	/**
+	 * reuse existing IKE_SAs in checkout_by_config
+	 */
+	 bool reuse_ikesa;
+};
+
+/**
+ * Acquire a lock to access the segment of the table row with the given index.
+ * It also works with the segment index directly.
+ */
+static void lock_single_segment(private_ike_sa_manager_t *this, u_int index)
+{
+	mutex_t *lock = this->segments[index & this->segment_mask].mutex;
+
+	lock->lock(lock);
+}
+
+/**
+ * Release the lock required to access the segment of the table row with the given index.
+ * It also works with the segment index directly.
+ */
+static void unlock_single_segment(private_ike_sa_manager_t *this, u_int index)
+{
+	mutex_t *lock = this->segments[index & this->segment_mask].mutex;
+
+	lock->unlock(lock);
+}
+
+/**
+ * Lock all segments
+ */
+static void lock_all_segments(private_ike_sa_manager_t *this)
+{
+	u_int i;
+
+	for (i = 0; i < this->segment_count; ++i)
+	{
+		this->segments[i].mutex->lock(this->segments[i].mutex);
+	}
+}
+
+/**
+ * Unlock all segments
+ */
+static void unlock_all_segments(private_ike_sa_manager_t *this)
+{
+	u_int i;
+
+	for (i = 0; i < this->segment_count; ++i)
+	{
+		this->segments[i].mutex->unlock(this->segments[i].mutex);
+	}
+}
+
+typedef struct private_enumerator_t private_enumerator_t;
+
+/**
+ * hash table enumerator implementation
+ */
+struct private_enumerator_t {
+
+	/**
+	 * implements enumerator interface
+	 */
+	enumerator_t enumerator;
+
+	/**
+	 * associated ike_sa_manager_t
+	 */
+	private_ike_sa_manager_t *manager;
+
+	/**
+	 * current segment index
+	 */
+	u_int segment;
+
+	/**
+	 * currently enumerating entry
+	 */
+	entry_t *entry;
+
+	/**
+	 * current table row index
+	 */
+	u_int row;
+
+	/**
+	 * enumerator for the current table row
+	 */
+	enumerator_t *current;
+};
+
+/**
+ * Implementation of private_enumerator_t.enumerator.enumerate.
+ */
+static bool enumerate(private_enumerator_t *this, entry_t **entry, u_int *segment)
+{
+	if (this->entry)
+	{
+		this->entry->condvar->signal(this->entry->condvar);
+		this->entry = NULL;
+	}
+	while (this->segment < this->manager->segment_count)
+	{
+		while (this->row < this->manager->table_size)
+		{
+			if (this->current)
+			{
+				entry_t *item;
+
+				if (this->current->enumerate(this->current, &item))
+				{
+					*entry = this->entry = item;
+					*segment = this->segment;
+					return TRUE;
+				}
+				this->current->destroy(this->current);
+				this->current = NULL;
+				unlock_single_segment(this->manager, this->segment);
+			}
+			else
+			{
+				linked_list_t *list;
+
+				lock_single_segment(this->manager, this->segment);
+				if ((list = this->manager->ike_sa_table[this->row]) != NULL &&
+					 list->get_count(list))
+				{
+					this->current = list->create_enumerator(list);
+					continue;
+				}
+				unlock_single_segment(this->manager, this->segment);
+			}
+			this->row += this->manager->segment_count;
+		}
+		this->segment++;
+		this->row = this->segment;
+	}
+	return FALSE;
+}
+
+/**
+ * Implementation of private_enumerator_t.enumerator.destroy.
+ */
+static void enumerator_destroy(private_enumerator_t *this)
+{
+	if (this->entry)
+	{
+		this->entry->condvar->signal(this->entry->condvar);
+	}
+	if (this->current)
+	{
+		this->current->destroy(this->current);
+		unlock_single_segment(this->manager, this->segment);
+	}
+	free(this);
+}
+
+/**
+ * Creates an enumerator to enumerate the entries in the hash table.
+ */
+static enumerator_t* create_table_enumerator(private_ike_sa_manager_t *this)
+{
+	private_enumerator_t *enumerator = malloc_thing(private_enumerator_t);
+
+	enumerator->enumerator.enumerate = (void*)enumerate;
+	enumerator->enumerator.destroy = (void*)enumerator_destroy;
+	enumerator->manager = this;
+	enumerator->segment = 0;
+	enumerator->entry = NULL;
+	enumerator->row = 0;
+	enumerator->current = NULL;
+
+	return &enumerator->enumerator;
+}
+
+/**
+ * Put an entry into the hash table.
+ * Note: The caller has to unlock the returned segment.
+ */
+static u_int put_entry(private_ike_sa_manager_t *this, entry_t *entry)
+{
+	linked_list_t *list;
+	u_int row = ike_sa_id_hash(entry->ike_sa_id) & this->table_mask;
+	u_int segment = row & this->segment_mask;
+
+	lock_single_segment(this, segment);
+	if ((list = this->ike_sa_table[row]) == NULL)
+	{
+		list = this->ike_sa_table[row] = linked_list_create();
+	}
+	list->insert_last(list, entry);
+	this->segments[segment].count++;
+	return segment;
+}
+
+/**
+ * Remove an entry from the hash table.
+ * Note: The caller MUST have a lock on the segment of this entry.
+ */
+static void remove_entry(private_ike_sa_manager_t *this, entry_t *entry)
+{
+	linked_list_t *list;
+	u_int row = ike_sa_id_hash(entry->ike_sa_id) & this->table_mask;
+	u_int segment = row & this->segment_mask;
+
+	if ((list = this->ike_sa_table[row]) != NULL)
+	{
+		entry_t *current;
+
+		enumerator_t *enumerator = list->create_enumerator(list);
+		while (enumerator->enumerate(enumerator, &current))
+		{
+			if (current == entry)
+			{
+				list->remove_at(list, enumerator);
+				this->segments[segment].count--;
+				break;
+			}
+		}
+		enumerator->destroy(enumerator);
+	}
+}
+
+/**
+ * Remove the entry at the current enumerator position.
+ */
+static void remove_entry_at(private_enumerator_t *this)
+{
+	this->entry = NULL;
+	if (this->current)
+	{
+		linked_list_t *list = this->manager->ike_sa_table[this->row];
+		list->remove_at(list, this->current);
+		this->manager->segments[this->segment].count--;
+	}
+}
+
+/**
+ * Find an entry using the provided match function to compare the entries for
+ * equality.
+ */
+static status_t get_entry_by_match_function(private_ike_sa_manager_t *this,
+					ike_sa_id_t *ike_sa_id, entry_t **entry, u_int *segment,
+					linked_list_match_t match, void *p1, void *p2)
+{
+	entry_t *current;
+	linked_list_t *list;
+	u_int row = ike_sa_id_hash(ike_sa_id) & this->table_mask;
+	u_int seg = row & this->segment_mask;
+
+	lock_single_segment(this, seg);
+	if ((list = this->ike_sa_table[row]) != NULL)
+	{
+		if (list->find_first(list, match, (void**)&current, p1, p2) == SUCCESS)
+		{
+			*entry = current;
+			*segment = seg;
+			/* the locked segment has to be unlocked by the caller */
+			return SUCCESS;
+		}
+	}
+	unlock_single_segment(this, seg);
+	return NOT_FOUND;
+}
+
+/**
+ * Find an entry by ike_sa_id_t.
+ * Note: On SUCCESS, the caller has to unlock the segment.
+ */
+static status_t get_entry_by_id(private_ike_sa_manager_t *this,
+						ike_sa_id_t *ike_sa_id, entry_t **entry, u_int *segment)
+{
+	return get_entry_by_match_function(this, ike_sa_id, entry, segment,
+				(linked_list_match_t)entry_match_by_id, ike_sa_id, NULL);
+}
+
+/**
+ * Find an entry by initiator SPI and IKE_SA_INIT hash.
+ * Note: On SUCCESS, the caller has to unlock the segment.
+ */
+static status_t get_entry_by_hash(private_ike_sa_manager_t *this,
+			ike_sa_id_t *ike_sa_id, chunk_t hash, entry_t **entry, u_int *segment)
+{
+	return get_entry_by_match_function(this, ike_sa_id, entry, segment,
+				(linked_list_match_t)entry_match_by_hash, ike_sa_id, &hash);
+}
+
+/**
+ * Find an entry by IKE_SA pointer.
+ * Note: On SUCCESS, the caller has to unlock the segment.
+ */
+static status_t get_entry_by_sa(private_ike_sa_manager_t *this,
+			ike_sa_id_t *ike_sa_id, ike_sa_t *ike_sa, entry_t **entry, u_int *segment)
+{
+	return get_entry_by_match_function(this, ike_sa_id, entry, segment,
+				(linked_list_match_t)entry_match_by_sa, ike_sa, NULL);
+}
+
+/**
+ * Wait until no other thread is using an IKE_SA, return FALSE if entry not
+ * acquirable.
+ */
+static bool wait_for_entry(private_ike_sa_manager_t *this, entry_t *entry,
+						   u_int segment)
+{
+	if (entry->driveout_new_threads)
+	{
+		/* we are not allowed to get this */
+		return FALSE;
+	}
+	while (entry->checked_out && !entry->driveout_waiting_threads)
+	{
+		/* so wait until we can get it for us.
+		 * we register us as waiting. */
+		entry->waiting_threads++;
+		entry->condvar->wait(entry->condvar, this->segments[segment].mutex);
+		entry->waiting_threads--;
+	}
+	/* hm, a deletion request forbids us to get this SA, get next one */
+	if (entry->driveout_waiting_threads)
+	{
+		/* we must signal here, others may be waiting on it, too */
+		entry->condvar->signal(entry->condvar);
+		return FALSE;
+	}
+	return TRUE;
+}
+
+/**
+ * Put a half-open SA into the hash table.
+ */
+static void put_half_open(private_ike_sa_manager_t *this, entry_t *entry)
+{
+	half_open_t *half_open = NULL;
+	linked_list_t *list;
+	chunk_t addr = entry->other->get_address(entry->other);
+	u_int row = chunk_hash(addr) & this->table_mask;
+	u_int segment = row & this->segment_mask;
+
+	rwlock_t *lock = this->half_open_segments[segment].lock;
+	lock->write_lock(lock);
+	if ((list = this->half_open_table[row]) == NULL)
+	{
+		list = this->half_open_table[row] = linked_list_create();
+	}
+	else
+	{
+		half_open_t *current;
+		if (list->find_first(list, (linked_list_match_t)half_open_match,
+							 (void**)&current, &addr) == SUCCESS)
+		{
+			half_open = current;
+			half_open->count++;
+			this->half_open_segments[segment].count++;
+		}
+	}
+
+	if (!half_open)
+	{
+		half_open = malloc_thing(half_open_t);
+		half_open->other = chunk_clone(addr);
+		half_open->count = 1;
+		list->insert_last(list, half_open);
+		this->half_open_segments[segment].count++;
+	}
+	lock->unlock(lock);
+}
+
+/**
+ * Remove a half-open SA from the hash table.
+ */
+static void remove_half_open(private_ike_sa_manager_t *this, entry_t *entry)
+{
+	linked_list_t *list;
+	chunk_t addr = entry->other->get_address(entry->other);
+	u_int row = chunk_hash(addr) & this->table_mask;
+	u_int segment = row & this->segment_mask;
+
+	rwlock_t *lock = this->half_open_segments[segment].lock;
+	lock->write_lock(lock);
+	if ((list = this->half_open_table[row]) != NULL)
+	{
+		half_open_t *current;
+		enumerator_t *enumerator = list->create_enumerator(list);
+		while (enumerator->enumerate(enumerator, &current))
+		{
+			if (half_open_match(current, &addr))
+			{
+				if (--current->count == 0)
+				{
+					list->remove_at(list, enumerator);
+					half_open_destroy(current);
+				}
+				this->half_open_segments[segment].count--;
+				break;
+			}
+		}
+		enumerator->destroy(enumerator);
+	}
+	lock->unlock(lock);
+}
+
+/**
+ * Put an SA between two peers into the hash table.
+ */
+static void put_connected_peers(private_ike_sa_manager_t *this, entry_t *entry)
+{
+	linked_list_t *list;
+	connected_peers_t *connected_peers = NULL;
+	chunk_t my_id = entry->my_id->get_encoding(entry->my_id),
+			other_id = entry->other_id->get_encoding(entry->other_id);
+	u_int row = chunk_hash_inc(other_id, chunk_hash(my_id)) & this->table_mask;
+	u_int segment = row & this->segment_mask;
+
+	rwlock_t *lock = this->connected_peers_segments[segment].lock;
+	lock->write_lock(lock);
+	if ((list = this->connected_peers_table[row]) == NULL)
+	{
+		list = this->connected_peers_table[row] = linked_list_create();
+	}
+	else
+	{
+		connected_peers_t *current;
+		if (list->find_first(list, (linked_list_match_t)connected_peers_match,
+					(void**)&current, entry->my_id, entry->other_id) == SUCCESS)
+		{
+			connected_peers = current;
+			if (connected_peers->sas->find_first(connected_peers->sas,
+					(linked_list_match_t)entry->ike_sa_id->equals,
+					NULL, entry->ike_sa_id) == SUCCESS)
+			{
+				lock->unlock(lock);
+				return;
+			}
+		}
+	}
+
+	if (!connected_peers)
+	{
+		connected_peers = malloc_thing(connected_peers_t);
+		connected_peers->my_id = entry->my_id->clone(entry->my_id);
+		connected_peers->other_id = entry->other_id->clone(entry->other_id);
+		connected_peers->sas = linked_list_create();
+		list->insert_last(list, connected_peers);
+	}
+	connected_peers->sas->insert_last(connected_peers->sas,
+									  entry->ike_sa_id->clone(entry->ike_sa_id));
+	this->connected_peers_segments[segment].count++;
+	lock->unlock(lock);
+}
+
+/**
+ * Remove an SA between two peers from the hash table.
+ */
+static void remove_connected_peers(private_ike_sa_manager_t *this, entry_t *entry)
+{
+	linked_list_t *list;
+	chunk_t my_id = entry->my_id->get_encoding(entry->my_id),
+			other_id = entry->other_id->get_encoding(entry->other_id);
+	u_int row = chunk_hash_inc(other_id, chunk_hash(my_id)) & this->table_mask;
+	u_int segment = row & this->segment_mask;
+
+	rwlock_t *lock = this->connected_peers_segments[segment].lock;
+	lock->write_lock(lock);
+	if ((list = this->connected_peers_table[row]) != NULL)
+	{
+		connected_peers_t *current;
+		enumerator_t *enumerator = list->create_enumerator(list);
+		while (enumerator->enumerate(enumerator, &current))
+		{
+			if (connected_peers_match(current, entry->my_id, entry->other_id))
+			{
+				ike_sa_id_t *ike_sa_id;
+				enumerator_t *inner = current->sas->create_enumerator(current->sas);
+				while (inner->enumerate(inner, &ike_sa_id))
+				{
+					if (ike_sa_id->equals(ike_sa_id, entry->ike_sa_id))
+					{
+						current->sas->remove_at(current->sas, inner);
+						ike_sa_id->destroy(ike_sa_id);
+						this->connected_peers_segments[segment].count--;
+						break;
+					}
+				}
+				inner->destroy(inner);
+				if (current->sas->get_count(current->sas) == 0)
+				{
+					list->remove_at(list, enumerator);
+					connected_peers_destroy(current);
+				}
+				break;
+			}
+		}
+		enumerator->destroy(enumerator);
+	}
+	lock->unlock(lock);
+}
+
+/**
+ * Implementation of private_ike_sa_manager_t.get_next_spi.
+ */
+static u_int64_t get_next_spi(private_ike_sa_manager_t *this)
+{
+	u_int64_t spi;
+
+	this->rng->get_bytes(this->rng, sizeof(spi), (u_int8_t*)&spi);
+	return spi;
+}
+
+/**
+ * Implementation of of ike_sa_manager.checkout.
+ */
+static ike_sa_t* checkout(private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id)
+{
+	ike_sa_t *ike_sa = NULL;
+	entry_t *entry;
+	u_int segment;
+
+	DBG2(DBG_MGR, "checkout IKE_SA");
+
+	if (get_entry_by_id(this, ike_sa_id, &entry, &segment) == SUCCESS)
+	{
+		if (wait_for_entry(this, entry, segment))
+		{
+			DBG2(DBG_MGR, "IKE_SA successfully checked out");
+			entry->checked_out = TRUE;
+			ike_sa = entry->ike_sa;
+		}
+		unlock_single_segment(this, segment);
+	}
+	charon->bus->set_sa(charon->bus, ike_sa);
+	return ike_sa;
+}
+
+/**
+ * Implementation of of ike_sa_manager.checkout_new.
+ */
+static ike_sa_t *checkout_new(private_ike_sa_manager_t* this, bool initiator)
+{
+	ike_sa_id_t *ike_sa_id;
+	ike_sa_t *ike_sa;
+	entry_t *entry;
+	u_int segment;
+
+	if (initiator)
+	{
+		ike_sa_id = ike_sa_id_create(get_next_spi(this), 0, TRUE);
+	}
+	else
+	{
+		ike_sa_id = ike_sa_id_create(0, get_next_spi(this), FALSE);
+	}
+	ike_sa = ike_sa_create(ike_sa_id);
+
+	DBG2(DBG_MGR, "created IKE_SA");
+
+	if (!initiator)
+	{
+		ike_sa_id->destroy(ike_sa_id);
+		return ike_sa;
+	}
+
+	entry = entry_create();
+	entry->ike_sa_id = ike_sa_id;
+	entry->ike_sa = ike_sa;
+	segment = put_entry(this, entry);
+	entry->checked_out = TRUE;
+	unlock_single_segment(this, segment);
+	return entry->ike_sa;
+}
+
+/**
+ * Implementation of of ike_sa_manager.checkout_by_message.
+ */
+static ike_sa_t* checkout_by_message(private_ike_sa_manager_t* this,
+									 message_t *message)
+{
+	u_int segment;
+	entry_t *entry;
+	ike_sa_t *ike_sa = NULL;
+	ike_sa_id_t *id = message->get_ike_sa_id(message);
+
+	id = id->clone(id);
+	id->switch_initiator(id);
+
+	DBG2(DBG_MGR, "checkout IKE_SA by message");
+
+	if (message->get_request(message) &&
+		message->get_exchange_type(message) == IKE_SA_INIT)
+	{
+		/* IKE_SA_INIT request. Check for an IKE_SA with such a message hash. */
+		chunk_t data, hash;
+
+		data = message->get_packet_data(message);
+		this->hasher->allocate_hash(this->hasher, data, &hash);
+		chunk_free(&data);
+
+		if (get_entry_by_hash(this, id, hash, &entry, &segment) == SUCCESS)
+		{
+			if (entry->message_id == 0)
+			{
+				unlock_single_segment(this, segment);
+				chunk_free(&hash);
+				id->destroy(id);
+				DBG1(DBG_MGR, "ignoring IKE_SA_INIT, already processing");
+				return NULL;
+			}
+			else if (wait_for_entry(this, entry, segment))
+			{
+				DBG2(DBG_MGR, "IKE_SA checked out by hash");
+				entry->checked_out = TRUE;
+				entry->message_id = message->get_message_id(message);
+				ike_sa = entry->ike_sa;
+			}
+			unlock_single_segment(this, segment);
+		}
+
+		if (ike_sa == NULL)
+		{
+			if (id->get_responder_spi(id) == 0 &&
+				message->get_exchange_type(message) == IKE_SA_INIT)
+			{
+				/* no IKE_SA found, create a new one */
+				id->set_responder_spi(id, get_next_spi(this));
+				entry = entry_create();
+				entry->ike_sa = ike_sa_create(id);
+				entry->ike_sa_id = id->clone(id);
+
+				segment = put_entry(this, entry);
+				entry->checked_out = TRUE;
+				unlock_single_segment(this, segment);
+
+				entry->message_id = message->get_message_id(message);
+				entry->init_hash = hash;
+				ike_sa = entry->ike_sa;
+
+				DBG2(DBG_MGR, "created IKE_SA");
+			}
+			else
+			{
+				chunk_free(&hash);
+				DBG1(DBG_MGR, "ignoring message, no such IKE_SA");
+			}
+		}
+		else
+		{
+			chunk_free(&hash);
+		}
+		id->destroy(id);
+		charon->bus->set_sa(charon->bus, ike_sa);
+		return ike_sa;
+	}
+
+	if (get_entry_by_id(this, id, &entry, &segment) == SUCCESS)
+	{
+		/* only check out if we are not processing this request */
+		if (message->get_request(message) &&
+			message->get_message_id(message) == entry->message_id)
+		{
+			DBG1(DBG_MGR, "ignoring request with ID %d, already processing",
+				 entry->message_id);
+		}
+		else if (wait_for_entry(this, entry, segment))
+		{
+			ike_sa_id_t *ike_id = entry->ike_sa->get_id(entry->ike_sa);
+			DBG2(DBG_MGR, "IKE_SA successfully checked out");
+			entry->checked_out = TRUE;
+			entry->message_id = message->get_message_id(message);
+			if (ike_id->get_responder_spi(ike_id) == 0)
+			{
+				ike_id->set_responder_spi(ike_id, id->get_responder_spi(id));
+			}
+			ike_sa = entry->ike_sa;
+		}
+		unlock_single_segment(this, segment);
+	}
+	id->destroy(id);
+	charon->bus->set_sa(charon->bus, ike_sa);
+	return ike_sa;
+}
+
+/**
+ * Implementation of of ike_sa_manager.checkout_by_config.
+ */
+static ike_sa_t* checkout_by_config(private_ike_sa_manager_t *this,
+									peer_cfg_t *peer_cfg)
+{
+	enumerator_t *enumerator;
+	entry_t *entry;
+	ike_sa_t *ike_sa = NULL;
+	peer_cfg_t *current_peer;
+	ike_cfg_t *current_ike;
+	u_int segment;
+
+	if (!this->reuse_ikesa)
+	{	/* IKE_SA reuse disable by config */
+		ike_sa = checkout_new(this, TRUE);
+		charon->bus->set_sa(charon->bus, ike_sa);
+		return ike_sa;
+	}
+
+	enumerator = create_table_enumerator(this);
+	while (enumerator->enumerate(enumerator, &entry, &segment))
+	{
+		if (!wait_for_entry(this, entry, segment))
+		{
+			continue;
+		}
+		if (entry->ike_sa->get_state(entry->ike_sa) == IKE_DELETING)
+		{	/* skip IKE_SAs which are not usable */
+			continue;
+		}
+
+		current_peer = entry->ike_sa->get_peer_cfg(entry->ike_sa);
+		if (current_peer && current_peer->equals(current_peer, peer_cfg))
+		{
+			current_ike = current_peer->get_ike_cfg(current_peer);
+			if (current_ike->equals(current_ike, peer_cfg->get_ike_cfg(peer_cfg)))
+			{
+				DBG2(DBG_MGR, "found an existing IKE_SA with a '%s' config",
+					 current_peer->get_name(current_peer));
+				entry->checked_out = TRUE;
+				ike_sa = entry->ike_sa;
+				break;
+			}
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	if (!ike_sa)
+	{	/* no IKE_SA using such a config, hand out a new */
+		ike_sa = checkout_new(this, TRUE);
+	}
+	charon->bus->set_sa(charon->bus, ike_sa);
+	return ike_sa;
+}
+
+/**
+ * Implementation of of ike_sa_manager.checkout_by_id.
+ */
+static ike_sa_t* checkout_by_id(private_ike_sa_manager_t *this, u_int32_t id,
+								bool child)
+{
+	enumerator_t *enumerator;
+	iterator_t *children;
+	entry_t *entry;
+	ike_sa_t *ike_sa = NULL;
+	child_sa_t *child_sa;
+	u_int segment;
+
+	enumerator = create_table_enumerator(this);
+	while (enumerator->enumerate(enumerator, &entry, &segment))
+	{
+		if (wait_for_entry(this, entry, segment))
+		{
+			/* look for a child with such a reqid ... */
+			if (child)
+			{
+				children = entry->ike_sa->create_child_sa_iterator(entry->ike_sa);
+				while (children->iterate(children, (void**)&child_sa))
+				{
+					if (child_sa->get_reqid(child_sa) == id)
+					{
+						ike_sa = entry->ike_sa;
+						break;
+					}
+				}
+				children->destroy(children);
+			}
+			else /* ... or for a IKE_SA with such a unique id */
+			{
+				if (entry->ike_sa->get_unique_id(entry->ike_sa) == id)
+				{
+					ike_sa = entry->ike_sa;
+				}
+			}
+			/* got one, return */
+			if (ike_sa)
+			{
+				entry->checked_out = TRUE;
+				break;
+			}
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	charon->bus->set_sa(charon->bus, ike_sa);
+	return ike_sa;
+}
+
+/**
+ * Implementation of of ike_sa_manager.checkout_by_name.
+ */
+static ike_sa_t* checkout_by_name(private_ike_sa_manager_t *this, char *name,
+								  bool child)
+{
+	enumerator_t *enumerator;
+	iterator_t *children;
+	entry_t *entry;
+	ike_sa_t *ike_sa = NULL;
+	child_sa_t *child_sa;
+	u_int segment;
+
+	enumerator = create_table_enumerator(this);
+	while (enumerator->enumerate(enumerator, &entry, &segment))
+	{
+		if (wait_for_entry(this, entry, segment))
+		{
+			/* look for a child with such a policy name ... */
+			if (child)
+			{
+				children = entry->ike_sa->create_child_sa_iterator(entry->ike_sa);
+				while (children->iterate(children, (void**)&child_sa))
+				{
+					if (streq(child_sa->get_name(child_sa), name))
+					{
+						ike_sa = entry->ike_sa;
+						break;
+					}
+				}
+				children->destroy(children);
+			}
+			else /* ... or for a IKE_SA with such a connection name */
+			{
+				if (streq(entry->ike_sa->get_name(entry->ike_sa), name))
+				{
+					ike_sa = entry->ike_sa;
+				}
+			}
+			/* got one, return */
+			if (ike_sa)
+			{
+				entry->checked_out = TRUE;
+				break;
+			}
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	charon->bus->set_sa(charon->bus, ike_sa);
+	return ike_sa;
+}
+
+/**
+ * enumerator filter function
+ */
+static bool enumerator_filter(private_ike_sa_manager_t *this,
+							  entry_t **in, ike_sa_t **out, u_int *segment)
+{
+	if (wait_for_entry(this, *in, *segment))
+	{
+		*out = (*in)->ike_sa;
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/**
+ * Implementation of ike_sa_manager_t.create_enumerator.
+ */
+static enumerator_t *create_enumerator(private_ike_sa_manager_t* this)
+{
+	return enumerator_create_filter(
+						create_table_enumerator(this),
+						(void*)enumerator_filter, this, NULL);
+}
+
+/**
+ * Implementation of ike_sa_manager_t.checkin.
+ */
+static void checkin(private_ike_sa_manager_t *this, ike_sa_t *ike_sa)
+{
+	/* to check the SA back in, we look for the pointer of the ike_sa
+	 * in all entries.
+	 * The lookup is done by initiator SPI, so even if the SPI has changed (e.g.
+	 * on reception of a IKE_SA_INIT response) the lookup will work but
+	 * updating of the SPI MAY be necessary...
+	 */
+	entry_t *entry;
+	ike_sa_id_t *ike_sa_id;
+	host_t *other;
+	identification_t *my_id, *other_id;
+	u_int segment;
+
+	ike_sa_id = ike_sa->get_id(ike_sa);
+	my_id = ike_sa->get_my_id(ike_sa);
+	other_id = ike_sa->get_other_id(ike_sa);
+	other = ike_sa->get_other_host(ike_sa);
+
+	DBG2(DBG_MGR, "checkin IKE_SA");
+
+	/* look for the entry */
+	if (get_entry_by_sa(this, ike_sa_id, ike_sa, &entry, &segment) == SUCCESS)
+	{
+		/* ike_sa_id must be updated */
+		entry->ike_sa_id->replace_values(entry->ike_sa_id, ike_sa->get_id(ike_sa));
+		/* signal waiting threads */
+		entry->checked_out = FALSE;
+		entry->message_id = -1;
+		/* check if this SA is half-open */
+		if (entry->half_open && ike_sa->get_state(ike_sa) != IKE_CONNECTING)
+		{
+			/* not half open anymore */
+			entry->half_open = FALSE;
+			remove_half_open(this, entry);
+		}
+		else if (entry->half_open && !other->ip_equals(other, entry->other))
+		{
+			/* the other host's IP has changed, we must update the hash table */
+			remove_half_open(this, entry);
+			DESTROY_IF(entry->other);
+			entry->other = other->clone(other);
+			put_half_open(this, entry);
+		}
+		else if (!entry->half_open &&
+				 !entry->ike_sa_id->is_initiator(entry->ike_sa_id) &&
+				 ike_sa->get_state(ike_sa) == IKE_CONNECTING)
+		{
+			/* this is a new half-open SA */
+			entry->half_open = TRUE;
+			entry->other = other->clone(other);
+			put_half_open(this, entry);
+		}
+		DBG2(DBG_MGR, "check-in of IKE_SA successful.");
+		entry->condvar->signal(entry->condvar);
+	}
+	else
+	{
+		entry = entry_create();
+		entry->ike_sa_id = ike_sa_id->clone(ike_sa_id);
+		entry->ike_sa = ike_sa;
+		segment = put_entry(this, entry);
+	}
+
+	/* apply identities for duplicate test (only as responder) */
+	if (!entry->ike_sa_id->is_initiator(entry->ike_sa_id) &&
+		ike_sa->get_state(ike_sa) == IKE_ESTABLISHED &&
+		entry->my_id == NULL && entry->other_id == NULL)
+	{
+		entry->my_id = my_id->clone(my_id);
+		entry->other_id = other_id->clone(other_id);
+		put_connected_peers(this, entry);
+	}
+
+	unlock_single_segment(this, segment);
+
+	charon->bus->set_sa(charon->bus, NULL);
+}
+
+/**
+ * Implementation of ike_sa_manager_t.checkin_and_destroy.
+ */
+static void checkin_and_destroy(private_ike_sa_manager_t *this, ike_sa_t *ike_sa)
+{
+	/* deletion is a bit complex, we must ensure that no thread is waiting for
+	 * this SA.
+	 * We take this SA from the table, and start signaling while threads
+	 * are in the condvar.
+	 */
+	entry_t *entry;
+	ike_sa_id_t *ike_sa_id;
+	u_int segment;
+
+	ike_sa_id = ike_sa->get_id(ike_sa);
+
+	DBG2(DBG_MGR, "checkin and destroy IKE_SA");
+
+	if (get_entry_by_sa(this, ike_sa_id, ike_sa, &entry, &segment) == SUCCESS)
+	{
+		/* drive out waiting threads, as we are in hurry */
+		entry->driveout_waiting_threads = TRUE;
+		/* mark it, so no new threads can get this entry */
+		entry->driveout_new_threads = TRUE;
+		/* wait until all workers have done their work */
+		while (entry->waiting_threads)
+		{
+			/* wake up all */
+			entry->condvar->broadcast(entry->condvar);
+			/* they will wake us again when their work is done */
+			entry->condvar->wait(entry->condvar, this->segments[segment].mutex);
+		}
+		remove_entry(this, entry);
+		unlock_single_segment(this, segment);
+
+		if (entry->half_open)
+		{
+			remove_half_open(this, entry);
+		}
+		if (!entry->ike_sa_id->is_initiator(entry->ike_sa_id) &&
+			entry->my_id && entry->other_id)
+		{
+			remove_connected_peers(this, entry);
+		}
+
+		entry_destroy(entry);
+
+		DBG2(DBG_MGR, "check-in and destroy of IKE_SA successful");
+	}
+	else
+	{
+		DBG1(DBG_MGR, "tried to check-in and delete nonexisting IKE_SA");
+		ike_sa->destroy(ike_sa);
+	}
+	charon->bus->set_sa(charon->bus, NULL);
+}
+
+
+/**
+ * Implementation of ike_sa_manager_t.check_uniqueness.
+ */
+static bool check_uniqueness(private_ike_sa_manager_t *this, ike_sa_t *ike_sa)
+{
+	bool cancel = FALSE;
+	peer_cfg_t *peer_cfg;
+	unique_policy_t policy;
+	linked_list_t *list, *duplicate_ids = NULL;
+	enumerator_t *enumerator;
+	ike_sa_id_t *duplicate_id = NULL;
+	identification_t *me, *other;
+	u_int row, segment;
+	rwlock_t *lock;
+
+	peer_cfg = ike_sa->get_peer_cfg(ike_sa);
+	policy = peer_cfg->get_unique_policy(peer_cfg);
+	if (policy == UNIQUE_NO)
+	{
+		return FALSE;
+	}
+
+	me = ike_sa->get_my_id(ike_sa);
+	other = ike_sa->get_other_id(ike_sa);
+
+	row = chunk_hash_inc(other->get_encoding(other),
+						 chunk_hash(me->get_encoding(me))) & this->table_mask;
+	segment = row & this->segment_mask;
+
+	lock = this->connected_peers_segments[segment & this->segment_mask].lock;
+	lock->read_lock(lock);
+	if ((list = this->connected_peers_table[row]) != NULL)
+	{
+		connected_peers_t *current;
+
+		if (list->find_first(list, (linked_list_match_t)connected_peers_match,
+							 (void**)&current, me, other) == SUCCESS)
+		{
+			/* clone the list, so we can release the lock */
+			duplicate_ids = current->sas->clone_offset(current->sas,
+												offsetof(ike_sa_id_t, clone));
+		}
+	}
+	lock->unlock(lock);
+
+	if (!duplicate_ids)
+	{
+		return FALSE;
+	}
+
+	enumerator = duplicate_ids->create_enumerator(duplicate_ids);
+	while (enumerator->enumerate(enumerator, &duplicate_id))
+	{
+		status_t status = SUCCESS;
+		ike_sa_t *duplicate;
+
+		duplicate = checkout(this, duplicate_id);
+		if (!duplicate)
+		{
+			continue;
+		}
+		peer_cfg = duplicate->get_peer_cfg(duplicate);
+		if (peer_cfg && peer_cfg->equals(peer_cfg, ike_sa->get_peer_cfg(ike_sa)))
+		{
+			switch (duplicate->get_state(duplicate))
+			{
+				case IKE_ESTABLISHED:
+				case IKE_REKEYING:
+					switch (policy)
+					{
+						case UNIQUE_REPLACE:
+							DBG1(DBG_IKE, "deleting duplicate IKE_SA for peer "
+									"'%Y' due to uniqueness policy", other);
+							status = duplicate->delete(duplicate);
+							break;
+						case UNIQUE_KEEP:
+							cancel = TRUE;
+							/* we keep the first IKE_SA and delete all
+							 * other duplicates that might exist */
+							policy = UNIQUE_REPLACE;
+							break;
+						default:
+							break;
+					}
+					break;
+				default:
+					break;
+			}
+		}
+		if (status == DESTROY_ME)
+		{
+			checkin_and_destroy(this, duplicate);
+		}
+		else
+		{
+			checkin(this, duplicate);
+		}
+	}
+	enumerator->destroy(enumerator);
+	duplicate_ids->destroy_offset(duplicate_ids, offsetof(ike_sa_id_t, destroy));
+	/* reset thread's current IKE_SA after checkin */
+	charon->bus->set_sa(charon->bus, ike_sa);
+	return cancel;
+}
+
+/**
+ * Implementation of ike_sa_manager_t.get_half_open_count.
+ */
+static int get_half_open_count(private_ike_sa_manager_t *this, host_t *ip)
+{
+	int count = 0;
+
+	if (ip)
+	{
+		linked_list_t *list;
+		chunk_t addr = ip->get_address(ip);
+		u_int row = chunk_hash(addr) & this->table_mask;
+		u_int segment = row & this->segment_mask;
+
+		rwlock_t *lock = this->half_open_segments[segment & this->segment_mask].lock;
+		lock->read_lock(lock);
+		if ((list = this->half_open_table[row]) != NULL)
+		{
+			half_open_t *current;
+
+			if (list->find_first(list, (linked_list_match_t)half_open_match,
+								 (void**)&current, &addr) == SUCCESS)
+			{
+				count = current->count;
+			}
+		}
+		lock->unlock(lock);
+	}
+	else
+	{
+		u_int segment;
+
+		for (segment = 0; segment < this->segment_count; ++segment)
+		{
+			rwlock_t *lock;
+			lock = this->half_open_segments[segment & this->segment_mask].lock;
+			lock->read_lock(lock);
+			count += this->half_open_segments[segment].count;
+			lock->unlock(lock);
+		}
+	}
+
+	return count;
+}
+
+/**
+ * Implementation of ike_sa_manager_t.flush.
+ */
+static void flush(private_ike_sa_manager_t *this)
+{
+	/* destroy all list entries */
+	enumerator_t *enumerator;
+	entry_t *entry;
+	u_int segment;
+
+	lock_all_segments(this);
+	DBG2(DBG_MGR, "going to destroy IKE_SA manager and all managed IKE_SA's");
+	/* Step 1: drive out all waiting threads  */
+	DBG2(DBG_MGR, "set driveout flags for all stored IKE_SA's");
+	enumerator = create_table_enumerator(this);
+	while (enumerator->enumerate(enumerator, &entry, &segment))
+	{
+		/* do not accept new threads, drive out waiting threads */
+		entry->driveout_new_threads = TRUE;
+		entry->driveout_waiting_threads = TRUE;
+	}
+	enumerator->destroy(enumerator);
+	DBG2(DBG_MGR, "wait for all threads to leave IKE_SA's");
+	/* Step 2: wait until all are gone */
+	enumerator = create_table_enumerator(this);
+	while (enumerator->enumerate(enumerator, &entry, &segment))
+	{
+		while (entry->waiting_threads || entry->checked_out)
+		{
+			/* wake up all */
+			entry->condvar->broadcast(entry->condvar);
+			/* go sleeping until they are gone */
+			entry->condvar->wait(entry->condvar, this->segments[segment].mutex);
+		}
+	}
+	enumerator->destroy(enumerator);
+	DBG2(DBG_MGR, "delete all IKE_SA's");
+	/* Step 3: initiate deletion of all IKE_SAs */
+	enumerator = create_table_enumerator(this);
+	while (enumerator->enumerate(enumerator, &entry, &segment))
+	{
+		charon->bus->set_sa(charon->bus, entry->ike_sa);
+		/* as the delete never gets processed, fire down events */
+		switch (entry->ike_sa->get_state(entry->ike_sa))
+		{
+			case IKE_ESTABLISHED:
+			case IKE_REKEYING:
+			case IKE_DELETING:
+				charon->bus->ike_updown(charon->bus, entry->ike_sa, FALSE);
+				break;
+			default:
+				break;
+		}
+		entry->ike_sa->delete(entry->ike_sa);
+	}
+	enumerator->destroy(enumerator);
+
+	DBG2(DBG_MGR, "destroy all entries");
+	/* Step 4: destroy all entries */
+	enumerator = create_table_enumerator(this);
+	while (enumerator->enumerate(enumerator, &entry, &segment))
+	{
+		charon->bus->set_sa(charon->bus, entry->ike_sa);
+		if (entry->half_open)
+		{
+			remove_half_open(this, entry);
+		}
+		if (!entry->ike_sa_id->is_initiator(entry->ike_sa_id) &&
+			entry->my_id && entry->other_id)
+		{
+			remove_connected_peers(this, entry);
+		}
+		remove_entry_at((private_enumerator_t*)enumerator);
+		entry_destroy(entry);
+	}
+	enumerator->destroy(enumerator);
+	charon->bus->set_sa(charon->bus, NULL);
+	unlock_all_segments(this);
+}
+
+/**
+ * Implementation of ike_sa_manager_t.destroy.
+ */
+static void destroy(private_ike_sa_manager_t *this)
+{
+	u_int i;
+
+	for (i = 0; i < this->table_size; ++i)
+	{
+		linked_list_t *list;
+
+		if ((list = this->ike_sa_table[i]) != NULL)
+		{
+			list->destroy(list);
+		}
+		if ((list = this->half_open_table[i]) != NULL)
+		{
+			list->destroy(list);
+		}
+		if ((list = this->connected_peers_table[i]) != NULL)
+		{
+			list->destroy(list);
+		}
+	}
+	free(this->ike_sa_table);
+	free(this->half_open_table);
+	free(this->connected_peers_table);
+	for (i = 0; i < this->segment_count; ++i)
+	{
+		this->segments[i].mutex->destroy(this->segments[i].mutex);
+		this->half_open_segments[i].lock->destroy(this->half_open_segments[i].lock);
+		this->connected_peers_segments[i].lock->destroy(this->connected_peers_segments[i].lock);
+	}
+	free(this->segments);
+	free(this->half_open_segments);
+	free(this->connected_peers_segments);
+
+	this->rng->destroy(this->rng);
+	this->hasher->destroy(this->hasher);
+	free(this);
+}
+
+/**
+ * This function returns the next-highest power of two for the given number.
+ * The algorithm works by setting all bits on the right-hand side of the most
+ * significant 1 to 1 and then increments the whole number so it rolls over
+ * to the nearest power of two. Note: returns 0 for n == 0
+ */
+static u_int get_nearest_powerof2(u_int n)
+{
+	u_int i;
+
+	--n;
+	for (i = 1; i < sizeof(u_int) * 8; i <<= 1)
+	{
+		n |= n >> i;
+	}
+	return ++n;
+}
+
+/*
+ * Described in header.
+ */
+ike_sa_manager_t *ike_sa_manager_create()
+{
+	u_int i;
+	private_ike_sa_manager_t *this = malloc_thing(private_ike_sa_manager_t);
+
+	/* assign public functions */
+	this->public.flush = (void(*)(ike_sa_manager_t*))flush;
+	this->public.destroy = (void(*)(ike_sa_manager_t*))destroy;
+	this->public.checkout = (ike_sa_t*(*)(ike_sa_manager_t*, ike_sa_id_t*))checkout;
+	this->public.checkout_new = (ike_sa_t*(*)(ike_sa_manager_t*,bool))checkout_new;
+	this->public.checkout_by_message = (ike_sa_t*(*)(ike_sa_manager_t*,message_t*))checkout_by_message;
+	this->public.checkout_by_config = (ike_sa_t*(*)(ike_sa_manager_t*,peer_cfg_t*))checkout_by_config;
+	this->public.checkout_by_id = (ike_sa_t*(*)(ike_sa_manager_t*,u_int32_t,bool))checkout_by_id;
+	this->public.checkout_by_name = (ike_sa_t*(*)(ike_sa_manager_t*,char*,bool))checkout_by_name;
+	this->public.check_uniqueness = (bool(*)(ike_sa_manager_t*, ike_sa_t *ike_sa))check_uniqueness;
+	this->public.create_enumerator = (enumerator_t*(*)(ike_sa_manager_t*))create_enumerator;
+	this->public.checkin = (void(*)(ike_sa_manager_t*,ike_sa_t*))checkin;
+	this->public.checkin_and_destroy = (void(*)(ike_sa_manager_t*,ike_sa_t*))checkin_and_destroy;
+	this->public.get_half_open_count = (int(*)(ike_sa_manager_t*,host_t*))get_half_open_count;
+
+	/* initialize private variables */
+	this->hasher = lib->crypto->create_hasher(lib->crypto, HASH_PREFERRED);
+	if (this->hasher == NULL)
+	{
+		DBG1(DBG_MGR, "manager initialization failed, no hasher supported");
+		free(this);
+		return NULL;
+	}
+	this->rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
+	if (this->rng == NULL)
+	{
+		DBG1(DBG_MGR, "manager initialization failed, no RNG supported");
+		this->hasher->destroy(this->hasher);
+		free(this);
+		return NULL;
+	}
+	this->table_size = get_nearest_powerof2(lib->settings->get_int(lib->settings,
+						"charon.ikesa_table_size", DEFAULT_HASHTABLE_SIZE));
+	this->table_size = max(1, min(this->table_size, MAX_HASHTABLE_SIZE));
+	this->table_mask = this->table_size - 1;
+
+	this->segment_count = get_nearest_powerof2(lib->settings->get_int(lib->settings,
+						"charon.ikesa_table_segments", DEFAULT_SEGMENT_COUNT));
+	this->segment_count = max(1, min(this->segment_count, this->table_size));
+	this->segment_mask = this->segment_count - 1;
+
+	this->ike_sa_table = calloc(this->table_size, sizeof(linked_list_t*));
+
+	this->segments = (segment_t*)calloc(this->segment_count, sizeof(segment_t));
+	for (i = 0; i < this->segment_count; ++i)
+	{
+		this->segments[i].mutex = mutex_create(MUTEX_TYPE_RECURSIVE);
+		this->segments[i].count = 0;
+	}
+
+	/* we use the same table parameters for the table to track half-open SAs */
+	this->half_open_table = calloc(this->table_size, sizeof(linked_list_t*));
+	this->half_open_segments = calloc(this->segment_count, sizeof(shareable_segment_t));
+	for (i = 0; i < this->segment_count; ++i)
+	{
+		this->half_open_segments[i].lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
+		this->half_open_segments[i].count = 0;
+	}
+
+	/* also for the hash table used for duplicate tests */
+	this->connected_peers_table = calloc(this->table_size, sizeof(linked_list_t*));
+	this->connected_peers_segments = calloc(this->segment_count, sizeof(shareable_segment_t));
+	for (i = 0; i < this->segment_count; ++i)
+	{
+		this->connected_peers_segments[i].lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
+		this->connected_peers_segments[i].count = 0;
+	}
+
+	this->reuse_ikesa = lib->settings->get_bool(lib->settings,
+												"charon.reuse_ikesa", TRUE);
+	return &this->public;
+}
diff --git a/src/libcharon/sa/ike_sa_manager.h b/src/libcharon/sa/ike_sa_manager.h
new file mode 100644
index 000000000..38f5454e1
--- /dev/null
+++ b/src/libcharon/sa/ike_sa_manager.h
@@ -0,0 +1,220 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2005-2008 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ike_sa_manager ike_sa_manager
+ * @{ @ingroup sa
+ */
+
+#ifndef IKE_SA_MANAGER_H_
+#define IKE_SA_MANAGER_H_
+
+typedef struct ike_sa_manager_t ike_sa_manager_t;
+
+#include <library.h>
+#include <sa/ike_sa.h>
+#include <encoding/message.h>
+#include <config/peer_cfg.h>
+
+/**
+ * Manages and synchronizes access to all IKE_SAs.
+ *
+ * To synchronize access to thread-unsave IKE_SAs, they are checked out for
+ * use and checked in afterwards. A checked out SA is exclusively accessible
+ * by the owning thread.
+ */
+struct ike_sa_manager_t {
+
+	/**
+	 * Checkout an existing IKE_SA.
+	 *
+	 * @param ike_sa_id			the SA identifier, will be updated
+	 * @returns
+	 * 							- checked out IKE_SA if found
+	 * 							- NULL, if specified IKE_SA is not found.
+	 */
+	ike_sa_t* (*checkout) (ike_sa_manager_t* this, ike_sa_id_t *sa_id);
+
+	/**
+	 * Create and check out a new IKE_SA.
+	 *
+	 * @note If initiator equals FALSE, the returned IKE_SA is not registered
+	 * in the manager.
+	 *
+	 * @param initiator			TRUE for initiator, FALSE otherwise
+	 * @returns 				created and checked out IKE_SA
+	 */
+	ike_sa_t* (*checkout_new) (ike_sa_manager_t* this, bool initiator);
+
+	/**
+	 * Checkout an IKE_SA by a message.
+	 *
+	 * In some situations, it is necessary that the manager knows the
+	 * message to use for the checkout. This has the following reasons:
+	 *
+	 * 1. If the targeted IKE_SA is already processing a message, we do not
+	 *    check it out if the message ID is the same.
+	 * 2. If it is an IKE_SA_INIT request, we have to check if it is a
+	 *    retransmission. If so, we have to drop the message, we would
+	 *    create another unneeded IKE_SA for each retransmitted packet.
+	 *
+	 * A call to checkout_by_message() returns a (maybe new created) IKE_SA.
+	 * If processing the message does not make sense (for the reasons above),
+	 * NULL is returned.
+	 *
+	 * @param ike_sa_id			the SA identifier, will be updated
+	 * @returns
+	 * 							- checked out/created IKE_SA
+	 * 							- NULL to not process message further
+	 */
+	ike_sa_t* (*checkout_by_message) (ike_sa_manager_t* this, message_t *message);
+
+	/**
+	 * Checkout an IKE_SA for initiation by a peer_config.
+	 *
+	 * To initiate, a CHILD_SA may be established within an existing IKE_SA.
+	 * This call checks for an existing IKE_SA by comparing the configuration.
+	 * If the CHILD_SA can be created in an existing IKE_SA, the matching SA
+	 * is returned.
+	 * If no IKE_SA is found, a new one is created. This is also the case when
+	 * the found IKE_SA is in the DELETING state.
+	 *
+	 * @param peer_cfg			configuration used to find an existing IKE_SA
+	 * @return					checked out/created IKE_SA
+	 */
+	ike_sa_t* (*checkout_by_config) (ike_sa_manager_t* this,
+									 peer_cfg_t *peer_cfg);
+
+	/**
+	 * Check for duplicates of the given IKE_SA.
+	 *
+	 * Measures are taken according to the uniqueness policy of the IKE_SA.
+	 * The return value indicates whether duplicates have been found and if
+	 * further measures should be taken (e.g. cancelling an IKE_AUTH exchange).
+	 * check_uniqueness() must be called before the IKE_SA is complete,
+	 * deadlocks occur otherwise.
+	 *
+	 * @param ike_sa			ike_sa to check
+	 * @return					TRUE, if the given IKE_SA has duplicates and
+	 * 							should be deleted
+	 */
+	bool (*check_uniqueness)(ike_sa_manager_t *this, ike_sa_t *ike_sa);
+
+	/**
+	 * Check out an IKE_SA a unique ID.
+	 *
+	 * Every IKE_SA and every CHILD_SA is uniquely identified by an ID.
+	 * These checkout function uses, depending
+	 * on the child parameter, the unique ID of the IKE_SA or the reqid
+	 * of one of a IKE_SAs CHILD_SA.
+	 *
+	 * @param id				unique ID of the object
+	 * @param child				TRUE to use CHILD, FALSE to use IKE_SA
+	 * @return
+	 * 							- checked out IKE_SA, if found
+	 * 							- NULL, if not found
+	 */
+	ike_sa_t* (*checkout_by_id) (ike_sa_manager_t* this, u_int32_t id,
+								 bool child);
+
+	/**
+	 * Check out an IKE_SA by the policy/connection name.
+	 *
+	 * Check out the IKE_SA by the configuration name, either from the IKE- or
+	 * one of its CHILD_SAs.
+	 *
+	 * @param name				name of the connection/policy
+	 * @param child				TRUE to use policy name, FALSE to use conn name
+	 * @return
+	 * 							- checked out IKE_SA, if found
+	 * 							- NULL, if not found
+	 */
+	ike_sa_t* (*checkout_by_name) (ike_sa_manager_t* this, char *name,
+								   bool child);
+
+	/**
+	 * Create an enumerator over all stored IKE_SAs.
+	 *
+	 * While enumerating an IKE_SA, it is temporarily checked out and
+	 * automatically checked in after the current enumeration step.
+	 *
+	 * @return					enumerator over all IKE_SAs.
+	 */
+	enumerator_t *(*create_enumerator) (ike_sa_manager_t* this);
+
+	/**
+	 * Checkin the SA after usage.
+	 *
+	 * If the IKE_SA is not registered in the manager, a new entry is created.
+	 *
+	 * @param ike_sa_id			the SA identifier, will be updated
+	 * @param ike_sa			checked out SA
+	 */
+	void (*checkin) (ike_sa_manager_t* this, ike_sa_t *ike_sa);
+
+	/**
+	 * Destroy a checked out SA.
+	 *
+	 * The IKE SA is destroyed without notification of the remote peer.
+	 * Use this only if the other peer doesn't respond or behaves not
+	 * as predicted.
+	 * Checking in and destruction is an atomic operation (for the IKE_SA),
+	 * so this can be called if the SA is in a "unclean" state, without the
+	 * risk that another thread can get the SA.
+	 *
+	 * @param ike_sa			SA to delete
+	 */
+	void (*checkin_and_destroy) (ike_sa_manager_t* this, ike_sa_t *ike_sa);
+
+	/**
+	 * Get the number of IKE_SAs which are in the connecting state.
+	 *
+	 * To prevent the server from resource exhaustion, cookies and other
+	 * mechanisms are used. The number of half open IKE_SAs is a good
+	 * indicator to see if a peer is flooding the server.
+	 * If a host is supplied, only the number of half open IKE_SAs initiated
+	 * from this IP are counted.
+	 * Only SAs for which we are the responder are counted.
+	 *
+	 * @param ip				NULL for all, IP for half open IKE_SAs with IP
+	 * @return					number of half open IKE_SAs
+	 */
+	int (*get_half_open_count) (ike_sa_manager_t *this, host_t *ip);
+
+	/**
+	 * Delete all existing IKE_SAs and destroy them immediately.
+	 *
+	 * Threads will be driven out, so all SAs can be deleted cleanly.
+	 */
+	void (*flush)(ike_sa_manager_t *this);
+
+	/**
+	 * Destroys the manager with all associated SAs.
+	 *
+	 * A call to flush() is required before calling destroy.
+	 */
+	void (*destroy) (ike_sa_manager_t *this);
+};
+
+/**
+ * Create the IKE_SA manager.
+ *
+ * @returns 	ike_sa_manager_t object, NULL if initialization fails
+ */
+ike_sa_manager_t *ike_sa_manager_create(void);
+
+#endif /** IKE_SA_MANAGER_H_ @}*/
diff --git a/src/libcharon/sa/keymat.c b/src/libcharon/sa/keymat.c
new file mode 100644
index 000000000..837cbe428
--- /dev/null
+++ b/src/libcharon/sa/keymat.c
@@ -0,0 +1,617 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "keymat.h"
+
+#include <daemon.h>
+#include <crypto/prf_plus.h>
+
+typedef struct private_keymat_t private_keymat_t;
+
+/**
+ * Private data of an keymat_t object.
+ */
+struct private_keymat_t {
+
+	/**
+	 * Public keymat_t interface.
+	 */
+	keymat_t public;
+
+	/**
+	 * IKE_SA Role, initiator or responder
+	 */
+	bool initiator;
+
+	/**
+	 * inbound signer (verify)
+	 */
+	signer_t *signer_in;
+
+	/**
+	 * outbound signer (sign)
+	 */
+	signer_t *signer_out;
+
+	/**
+	 * inbound crypter (decrypt)
+	 */
+	crypter_t *crypter_in;
+
+	/**
+	 * outbound crypter (encrypt)
+	 */
+	crypter_t *crypter_out;
+
+	/**
+	 * General purpose PRF
+	 */
+	prf_t *prf;
+
+	/**
+	 * Negotiated PRF algorithm
+	 */
+	pseudo_random_function_t prf_alg;
+
+	/**
+	 * Key to derive key material from for CHILD_SAs, rekeying
+	 */
+	chunk_t skd;
+
+	/**
+	 * Key to build outging authentication data (SKp)
+	 */
+	chunk_t skp_build;
+
+	/**
+	 * Key to verify incoming authentication data (SKp)
+	 */
+	chunk_t skp_verify;
+};
+
+typedef struct keylen_entry_t keylen_entry_t;
+
+/**
+ * Implicit key length for an algorithm
+ */
+struct keylen_entry_t {
+	/** IKEv2 algorithm identifier */
+	int algo;
+	/** key length in bits */
+	int len;
+};
+
+#define END_OF_LIST -1
+
+/**
+ * Keylen for encryption algos
+ */
+keylen_entry_t keylen_enc[] = {
+	{ENCR_DES,					 64},
+	{ENCR_3DES,					192},
+	{END_OF_LIST,				  0}
+};
+
+/**
+ * Keylen for integrity algos
+ */
+keylen_entry_t keylen_int[] = {
+	{AUTH_HMAC_MD5_96,			128},
+	{AUTH_HMAC_SHA1_96,			160},
+	{AUTH_HMAC_SHA2_256_96,		256},
+	{AUTH_HMAC_SHA2_256_128,	256},
+	{AUTH_HMAC_SHA2_384_192,	384},
+	{AUTH_HMAC_SHA2_512_256,	512},
+	{AUTH_AES_XCBC_96,			128},
+	{END_OF_LIST,				  0}
+};
+
+/**
+ * Lookup key length of an algorithm
+ */
+static int lookup_keylen(keylen_entry_t *list, int algo)
+{
+	while (list->algo != END_OF_LIST)
+	{
+		if (algo == list->algo)
+		{
+			return list->len;
+		}
+		list++;
+	}
+	return 0;
+}
+
+/**
+ * Implementation of keymat_t.create_dh
+ */
+static diffie_hellman_t* create_dh(private_keymat_t *this,
+								   diffie_hellman_group_t group)
+{
+	return lib->crypto->create_dh(lib->crypto, group);;
+}
+
+/**
+ * Implementation of keymat_t.derive_keys
+ */
+static bool derive_ike_keys(private_keymat_t *this, proposal_t *proposal,
+							diffie_hellman_t *dh, chunk_t nonce_i,
+							chunk_t nonce_r, ike_sa_id_t *id,
+							pseudo_random_function_t rekey_function,
+							chunk_t rekey_skd)
+{
+	chunk_t skeyseed, key, secret, full_nonce, fixed_nonce, prf_plus_seed;
+	chunk_t spi_i, spi_r;
+	crypter_t *crypter_i, *crypter_r;
+	signer_t *signer_i, *signer_r;
+	prf_plus_t *prf_plus;
+	u_int16_t alg, key_size;
+	prf_t *rekey_prf = NULL;
+
+	spi_i = chunk_alloca(sizeof(u_int64_t));
+	spi_r = chunk_alloca(sizeof(u_int64_t));
+
+	if (dh->get_shared_secret(dh, &secret) != SUCCESS)
+	{
+		return FALSE;
+	}
+
+	/* Create SAs general purpose PRF first, we may use it here */
+	if (!proposal->get_algorithm(proposal, PSEUDO_RANDOM_FUNCTION, &alg, NULL))
+	{
+		DBG1(DBG_IKE, "no %N selected",
+			 transform_type_names, PSEUDO_RANDOM_FUNCTION);
+		return FALSE;
+	}
+	this->prf_alg = alg;
+	this->prf = lib->crypto->create_prf(lib->crypto, alg);
+	if (this->prf == NULL)
+	{
+		DBG1(DBG_IKE, "%N %N not supported!",
+			 transform_type_names, PSEUDO_RANDOM_FUNCTION,
+			 pseudo_random_function_names, alg);
+		return FALSE;
+	}
+	DBG4(DBG_IKE, "shared Diffie Hellman secret %B", &secret);
+	/* full nonce is used as seed for PRF+ ... */
+	full_nonce = chunk_cat("cc", nonce_i, nonce_r);
+	/* but the PRF may need a fixed key which only uses the first bytes of
+	 * the nonces. */
+	switch (alg)
+	{
+		case PRF_AES128_XCBC:
+			/* while rfc4434 defines variable keys for AES-XCBC, rfc3664 does
+			 * not and therefore fixed key semantics apply to XCBC for key
+			 * derivation. */
+			key_size = this->prf->get_key_size(this->prf)/2;
+			nonce_i.len = min(nonce_i.len, key_size);
+			nonce_r.len = min(nonce_r.len, key_size);
+			break;
+		default:
+			/* all other algorithms use variable key length, full nonce */
+			break;
+	}
+	fixed_nonce = chunk_cat("cc", nonce_i, nonce_r);
+	*((u_int64_t*)spi_i.ptr) = id->get_initiator_spi(id);
+	*((u_int64_t*)spi_r.ptr) = id->get_responder_spi(id);
+	prf_plus_seed = chunk_cat("ccc", full_nonce, spi_i, spi_r);
+
+	/* KEYMAT = prf+ (SKEYSEED, Ni | Nr | SPIi | SPIr)
+	 *
+	 * if we are rekeying, SKEYSEED is built on another way
+	 */
+	if (rekey_function == PRF_UNDEFINED) /* not rekeying */
+	{
+		/* SKEYSEED = prf(Ni | Nr, g^ir) */
+		this->prf->set_key(this->prf, fixed_nonce);
+		this->prf->allocate_bytes(this->prf, secret, &skeyseed);
+		this->prf->set_key(this->prf, skeyseed);
+		prf_plus = prf_plus_create(this->prf, prf_plus_seed);
+	}
+	else
+	{
+		/* SKEYSEED = prf(SK_d (old), [g^ir (new)] | Ni | Nr)
+		 * use OLD SAs PRF functions for both prf_plus and prf */
+		rekey_prf = lib->crypto->create_prf(lib->crypto, rekey_function);
+		if (!rekey_prf)
+		{
+			DBG1(DBG_IKE, "PRF of old SA %N not supported!",
+				 pseudo_random_function_names, rekey_function);
+			chunk_free(&full_nonce);
+			chunk_free(&fixed_nonce);
+			chunk_clear(&prf_plus_seed);
+			return FALSE;
+		}
+		secret = chunk_cat("mc", secret, full_nonce);
+		rekey_prf->set_key(rekey_prf, rekey_skd);
+		rekey_prf->allocate_bytes(rekey_prf, secret, &skeyseed);
+		rekey_prf->set_key(rekey_prf, skeyseed);
+		prf_plus = prf_plus_create(rekey_prf, prf_plus_seed);
+	}
+	DBG4(DBG_IKE, "SKEYSEED %B", &skeyseed);
+
+	chunk_clear(&skeyseed);
+	chunk_clear(&secret);
+	chunk_free(&full_nonce);
+	chunk_free(&fixed_nonce);
+	chunk_clear(&prf_plus_seed);
+
+	/* KEYMAT = SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr */
+
+	/* SK_d is used for generating CHILD_SA key mat => store for later use */
+	key_size = this->prf->get_key_size(this->prf);
+	prf_plus->allocate_bytes(prf_plus, key_size, &this->skd);
+	DBG4(DBG_IKE, "Sk_d secret %B", &this->skd);
+
+	/* SK_ai/SK_ar used for integrity protection => signer_in/signer_out */
+	if (!proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM, &alg, NULL))
+	{
+		DBG1(DBG_IKE, "no %N selected",
+			 transform_type_names, INTEGRITY_ALGORITHM);
+		prf_plus->destroy(prf_plus);
+		DESTROY_IF(rekey_prf);
+		return FALSE;
+	}
+	signer_i = lib->crypto->create_signer(lib->crypto, alg);
+	signer_r = lib->crypto->create_signer(lib->crypto, alg);
+	if (signer_i == NULL || signer_r == NULL)
+	{
+		DBG1(DBG_IKE, "%N %N not supported!",
+			 transform_type_names, INTEGRITY_ALGORITHM,
+			 integrity_algorithm_names ,alg);
+		prf_plus->destroy(prf_plus);
+		DESTROY_IF(rekey_prf);
+		return FALSE;
+	}
+	key_size = signer_i->get_key_size(signer_i);
+
+	prf_plus->allocate_bytes(prf_plus, key_size, &key);
+	DBG4(DBG_IKE, "Sk_ai secret %B", &key);
+	signer_i->set_key(signer_i, key);
+	chunk_clear(&key);
+
+	prf_plus->allocate_bytes(prf_plus, key_size, &key);
+	DBG4(DBG_IKE, "Sk_ar secret %B", &key);
+	signer_r->set_key(signer_r, key);
+	chunk_clear(&key);
+
+	if (this->initiator)
+	{
+		this->signer_in = signer_r;
+		this->signer_out = signer_i;
+	}
+	else
+	{
+		this->signer_in = signer_i;
+		this->signer_out = signer_r;
+	}
+
+	/* SK_ei/SK_er used for encryption => crypter_in/crypter_out */
+	if (!proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, &alg, &key_size))
+	{
+		DBG1(DBG_IKE, "no %N selected",
+			 transform_type_names, ENCRYPTION_ALGORITHM);
+		prf_plus->destroy(prf_plus);
+		DESTROY_IF(rekey_prf);
+		return FALSE;
+	}
+	crypter_i = lib->crypto->create_crypter(lib->crypto, alg, key_size / 8);
+	crypter_r = lib->crypto->create_crypter(lib->crypto, alg, key_size / 8);
+	if (crypter_i == NULL || crypter_r == NULL)
+	{
+		DBG1(DBG_IKE, "%N %N (key size %d) not supported!",
+			 transform_type_names, ENCRYPTION_ALGORITHM,
+			 encryption_algorithm_names, alg, key_size);
+		prf_plus->destroy(prf_plus);
+		DESTROY_IF(rekey_prf);
+		return FALSE;
+	}
+	key_size = crypter_i->get_key_size(crypter_i);
+
+	prf_plus->allocate_bytes(prf_plus, key_size, &key);
+	DBG4(DBG_IKE, "Sk_ei secret %B", &key);
+	crypter_i->set_key(crypter_i, key);
+	chunk_clear(&key);
+
+	prf_plus->allocate_bytes(prf_plus, key_size, &key);
+	DBG4(DBG_IKE, "Sk_er secret %B", &key);
+	crypter_r->set_key(crypter_r, key);
+	chunk_clear(&key);
+
+	if (this->initiator)
+	{
+		this->crypter_in = crypter_r;
+		this->crypter_out = crypter_i;
+	}
+	else
+	{
+		this->crypter_in = crypter_i;
+		this->crypter_out = crypter_r;
+	}
+
+	/* SK_pi/SK_pr used for authentication => stored for later */
+	key_size = this->prf->get_key_size(this->prf);
+	prf_plus->allocate_bytes(prf_plus, key_size, &key);
+	DBG4(DBG_IKE, "Sk_pi secret %B", &key);
+	if (this->initiator)
+	{
+		this->skp_build = key;
+	}
+	else
+	{
+		this->skp_verify = key;
+	}
+	prf_plus->allocate_bytes(prf_plus, key_size, &key);
+	DBG4(DBG_IKE, "Sk_pr secret %B", &key);
+	if (this->initiator)
+	{
+		this->skp_verify = key;
+	}
+	else
+	{
+		this->skp_build = key;
+	}
+
+	/* all done, prf_plus not needed anymore */
+	prf_plus->destroy(prf_plus);
+	DESTROY_IF(rekey_prf);
+
+	return TRUE;
+}
+
+/**
+ * Implementation of keymat_t.derive_child_keys
+ */
+static bool derive_child_keys(private_keymat_t *this,
+							  proposal_t *proposal, diffie_hellman_t *dh,
+							  chunk_t nonce_i, chunk_t nonce_r,
+							  chunk_t *encr_i, chunk_t *integ_i,
+							  chunk_t *encr_r, chunk_t *integ_r)
+{
+	u_int16_t enc_alg, int_alg, enc_size = 0, int_size = 0;
+	chunk_t seed, secret = chunk_empty;
+	prf_plus_t *prf_plus;
+
+	if (dh)
+	{
+		if (dh->get_shared_secret(dh, &secret) != SUCCESS)
+		{
+			return FALSE;
+		}
+		DBG4(DBG_CHD, "DH secret %B", &secret);
+	}
+	seed = chunk_cata("mcc", secret, nonce_i, nonce_r);
+	DBG4(DBG_CHD, "seed %B", &seed);
+
+	if (proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM,
+								&enc_alg, &enc_size))
+	{
+		DBG2(DBG_CHD, "  using %N for encryption",
+			 encryption_algorithm_names, enc_alg);
+
+		if (!enc_size)
+		{
+			enc_size = lookup_keylen(keylen_enc, enc_alg);
+		}
+		if (enc_alg != ENCR_NULL && !enc_size)
+		{
+			DBG1(DBG_CHD, "no keylength defined for %N",
+				 encryption_algorithm_names, enc_alg);
+			return FALSE;
+		}
+		/* to bytes */
+		enc_size /= 8;
+
+		/* CCM/GCM/CTR/GMAC needs additional bytes */
+		switch (enc_alg)
+		{
+			case ENCR_AES_CCM_ICV8:
+			case ENCR_AES_CCM_ICV12:
+			case ENCR_AES_CCM_ICV16:
+			case ENCR_CAMELLIA_CCM_ICV8:
+			case ENCR_CAMELLIA_CCM_ICV12:
+			case ENCR_CAMELLIA_CCM_ICV16:
+				enc_size += 3;
+				break;
+			case ENCR_AES_GCM_ICV8:
+			case ENCR_AES_GCM_ICV12:
+			case ENCR_AES_GCM_ICV16:
+			case ENCR_AES_CTR:
+			case ENCR_NULL_AUTH_AES_GMAC:
+				enc_size += 4;
+				break;
+			default:
+				break;
+		}
+	}
+
+	if (proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM,
+								&int_alg, &int_size))
+	{
+		DBG2(DBG_CHD, "  using %N for integrity",
+			 integrity_algorithm_names, int_alg);
+
+		if (!int_size)
+		{
+			int_size = lookup_keylen(keylen_int, int_alg);
+		}
+		if (!int_size)
+		{
+			DBG1(DBG_CHD, "no keylength defined for %N",
+				 integrity_algorithm_names, int_alg);
+			return FALSE;
+		}
+		/* to bytes */
+		int_size /= 8;
+	}
+
+	this->prf->set_key(this->prf, this->skd);
+	prf_plus = prf_plus_create(this->prf, seed);
+
+	prf_plus->allocate_bytes(prf_plus, enc_size, encr_i);
+	prf_plus->allocate_bytes(prf_plus, int_size, integ_i);
+	prf_plus->allocate_bytes(prf_plus, enc_size, encr_r);
+	prf_plus->allocate_bytes(prf_plus, int_size, integ_r);
+
+	prf_plus->destroy(prf_plus);
+
+	if (enc_size)
+	{
+		DBG4(DBG_CHD, "encryption initiator key %B", encr_i);
+		DBG4(DBG_CHD, "encryption responder key %B", encr_r);
+	}
+	if (int_size)
+	{
+		DBG4(DBG_CHD, "integrity initiator key %B", integ_i);
+		DBG4(DBG_CHD, "integrity responder key %B", integ_r);
+	}
+	return TRUE;
+}
+
+/**
+ * Implementation of keymat_t.get_skd
+ */
+static pseudo_random_function_t get_skd(private_keymat_t *this, chunk_t *skd)
+{
+	*skd = this->skd;
+	return this->prf_alg;
+}
+
+/**
+ * Implementation of keymat_t.get_signer
+ */
+static signer_t* get_signer(private_keymat_t *this, bool in)
+{
+	return in ? this->signer_in : this->signer_out;
+}
+
+/**
+ * Implementation of keymat_t.get_crypter
+ */
+static crypter_t* get_crypter(private_keymat_t *this, bool in)
+{
+	return in ? this->crypter_in : this->crypter_out;
+}
+
+/**
+ * Implementation of keymat_t.get_auth_octets
+ */
+static chunk_t get_auth_octets(private_keymat_t *this, bool verify,
+							   chunk_t ike_sa_init, chunk_t nonce,
+							   identification_t *id)
+{
+	chunk_t chunk, idx, octets;
+	chunk_t skp;
+
+	skp = verify ? this->skp_verify : this->skp_build;
+
+	chunk = chunk_alloca(4);
+	memset(chunk.ptr, 0, chunk.len);
+	chunk.ptr[0] = id->get_type(id);
+	idx = chunk_cata("cc", chunk, id->get_encoding(id));
+
+	DBG3(DBG_IKE, "IDx' %B", &idx);
+	DBG3(DBG_IKE, "SK_p %B", &skp);
+	this->prf->set_key(this->prf, skp);
+	this->prf->allocate_bytes(this->prf, idx, &chunk);
+
+	octets = chunk_cat("ccm", ike_sa_init, nonce, chunk);
+	DBG3(DBG_IKE, "octets = message + nonce + prf(Sk_px, IDx') %B", &octets);
+	return octets;
+}
+
+/**
+ * Key pad for the AUTH method SHARED_KEY_MESSAGE_INTEGRITY_CODE.
+ */
+#define IKEV2_KEY_PAD "Key Pad for IKEv2"
+#define IKEV2_KEY_PAD_LENGTH 17
+
+/**
+ * Implementation of keymat_t.get_psk_sig
+ */
+static chunk_t get_psk_sig(private_keymat_t *this, bool verify,
+						   chunk_t ike_sa_init, chunk_t nonce, chunk_t secret,
+						   identification_t *id)
+{
+	chunk_t key_pad, key, sig, octets;
+
+	if (!secret.len)
+	{	/* EAP uses SK_p if no MSK has been established */
+		secret = verify ? this->skp_verify : this->skp_build;
+	}
+	octets = get_auth_octets(this, verify, ike_sa_init, nonce, id);
+	/* AUTH = prf(prf(Shared Secret,"Key Pad for IKEv2"), <msg octets>) */
+	key_pad = chunk_create(IKEV2_KEY_PAD, IKEV2_KEY_PAD_LENGTH);
+	this->prf->set_key(this->prf, secret);
+	this->prf->allocate_bytes(this->prf, key_pad, &key);
+	this->prf->set_key(this->prf, key);
+	this->prf->allocate_bytes(this->prf, octets, &sig);
+	DBG4(DBG_IKE, "secret %B", &secret);
+	DBG4(DBG_IKE, "prf(secret, keypad) %B", &key);
+	DBG3(DBG_IKE, "AUTH = prf(prf(secret, keypad), octets) %B", &sig);
+	chunk_free(&octets);
+	chunk_free(&key);
+
+	return sig;
+}
+
+/**
+ * Implementation of keymat_t.destroy.
+ */
+static void destroy(private_keymat_t *this)
+{
+	DESTROY_IF(this->signer_in);
+	DESTROY_IF(this->signer_out);
+	DESTROY_IF(this->crypter_in);
+	DESTROY_IF(this->crypter_out);
+	DESTROY_IF(this->prf);
+	chunk_clear(&this->skd);
+	chunk_clear(&this->skp_verify);
+	chunk_clear(&this->skp_build);
+	free(this);
+}
+
+/**
+ * See header
+ */
+keymat_t *keymat_create(bool initiator)
+{
+	private_keymat_t *this = malloc_thing(private_keymat_t);
+
+	this->public.create_dh = (diffie_hellman_t*(*)(keymat_t*, diffie_hellman_group_t group))create_dh;
+	this->public.derive_ike_keys = (bool(*)(keymat_t*, proposal_t *proposal, diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r, ike_sa_id_t *id, pseudo_random_function_t,chunk_t))derive_ike_keys;
+	this->public.derive_child_keys = (bool(*)(keymat_t*, proposal_t *proposal, diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r, chunk_t *encr_i, chunk_t *integ_i, chunk_t *encr_r, chunk_t *integ_r))derive_child_keys;
+	this->public.get_skd = (pseudo_random_function_t(*)(keymat_t*, chunk_t *skd))get_skd;
+	this->public.get_signer = (signer_t*(*)(keymat_t*, bool in))get_signer;
+	this->public.get_crypter = (crypter_t*(*)(keymat_t*, bool in))get_crypter;
+	this->public.get_auth_octets = (chunk_t(*)(keymat_t *, bool verify, chunk_t ike_sa_init, chunk_t nonce, identification_t *id))get_auth_octets;
+	this->public.get_psk_sig = (chunk_t(*)(keymat_t*, bool verify, chunk_t ike_sa_init, chunk_t nonce, chunk_t secret, identification_t *id))get_psk_sig;
+	this->public.destroy = (void(*)(keymat_t*))destroy;
+
+	this->initiator = initiator;
+
+	this->signer_in = NULL;
+	this->signer_out = NULL;
+	this->crypter_in = NULL;
+	this->crypter_out = NULL;
+	this->prf = NULL;
+	this->prf_alg = PRF_UNDEFINED;
+	this->skd = chunk_empty;
+	this->skp_verify = chunk_empty;
+	this->skp_build = chunk_empty;
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/sa/keymat.h b/src/libcharon/sa/keymat.h
new file mode 100644
index 000000000..e51709e8d
--- /dev/null
+++ b/src/libcharon/sa/keymat.h
@@ -0,0 +1,163 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup keymat keymat
+ * @{ @ingroup sa
+ */
+
+#ifndef KEYMAT_H_
+#define KEYMAT_H_
+
+#include <library.h>
+#include <utils/identification.h>
+#include <crypto/prfs/prf.h>
+#include <crypto/crypters/crypter.h>
+#include <crypto/signers/signer.h>
+#include <config/proposal.h>
+#include <sa/ike_sa_id.h>
+
+typedef struct keymat_t keymat_t;
+
+/**
+ * Derivation an management of sensitive keying material.
+ */
+struct keymat_t {
+
+	/**
+	 * Create a diffie hellman object for key agreement.
+	 *
+	 * The diffie hellman is either for IKE negotiation/rekeying or
+	 * CHILD_SA rekeying (using PFS). The resulting DH object must be passed
+	 * to derive_keys or to derive_child_keys and destroyed after use
+	 *
+	 * @param group			diffie hellman group
+	 * @return				DH object, NULL if group not supported
+	 */
+	diffie_hellman_t* (*create_dh)(keymat_t *this, diffie_hellman_group_t group);
+
+	/**
+	 * Derive keys for the IKE_SA.
+	 *
+	 * These keys are not handed out, but are used by the associated signers,
+	 * crypters and authentication functions.
+	 *
+	 * @param proposal	selected algorithms
+	 * @param dh		diffie hellman key allocated by create_dh()
+	 * @param nonce_i	initiators nonce value
+	 * @param nonce_r	responders nonce value
+	 * @param id		IKE_SA identifier
+	 * @param rekey_prf	PRF of old SA if rekeying, PRF_UNDEFINED otherwise
+	 * @param rekey_sdk	SKd of old SA if rekeying
+	 * @return			TRUE on success
+	 */
+	bool (*derive_ike_keys)(keymat_t *this, proposal_t *proposal,
+							diffie_hellman_t *dh, chunk_t nonce_i,
+							chunk_t nonce_r, ike_sa_id_t *id,
+							pseudo_random_function_t rekey_function,
+							chunk_t rekey_skd);
+	/**
+	 * Derive keys for a CHILD_SA.
+	 *
+	 * The keys for the CHILD_SA are allocated in the integ and encr chunks.
+	 * An implementation might hand out encrypted keys only, which are
+	 * decrypted in the kernel before use.
+	 * If no PFS is used for the CHILD_SA, dh can be NULL.
+	 *
+	 * @param proposal	selected algorithms
+	 * @param dh		diffie hellman key allocated by create_dh(), or NULL
+	 * @param nonce_i	initiators nonce value
+	 * @param nonce_r	responders nonce value
+	 * @param encr_i	chunk to write initiators encryption key to
+	 * @param integ_i	chunk to write initiators integrity key to
+	 * @param encr_r	chunk to write responders encryption key to
+	 * @param integ_r	chunk to write responders integrity key to
+	 * @return			TRUE on success
+	 */
+	bool (*derive_child_keys)(keymat_t *this,
+							  proposal_t *proposal, diffie_hellman_t *dh,
+							  chunk_t nonce_i, chunk_t nonce_r,
+							  chunk_t *encr_i, chunk_t *integ_i,
+							  chunk_t *encr_r, chunk_t *integ_r);
+	/**
+	 * Get SKd to pass to derive_ikey_keys() during rekeying.
+	 *
+	 * @param skd		chunk to write SKd to (internal data)
+	 * @return			PRF function to derive keymat
+	 */
+	pseudo_random_function_t (*get_skd)(keymat_t *this, chunk_t *skd);
+
+	/**
+	 * Get a signer to sign/verify IKE messages.
+	 *
+	 * @param in		TRUE for inbound (verify), FALSE for outbound (sign)
+	 * @return			signer
+	 */
+	signer_t* (*get_signer)(keymat_t *this, bool in);
+
+	/*
+	 * Get a crypter to en-/decrypt IKE messages.
+	 *
+	 * @param in		TRUE for inbound (decrypt), FALSE for outbound (encrypt)
+	 * @return			crypter
+	 */
+	crypter_t* (*get_crypter)(keymat_t *this, bool in);
+
+	/**
+	 * Generate octets to use for authentication procedure (RFC4306 2.15).
+	 *
+	 * This method creates the plain octets and is usually signed by a private
+	 * key. PSK and EAP authentication include a secret into the data, use
+	 * the get_psk_sig() method instead.
+	 *
+	 * @param verify		TRUE to create for verfification, FALSE to sign
+	 * @param ike_sa_init	encoded ike_sa_init message
+	 * @param nonce			nonce value
+	 * @param id			identity
+	 * @return				authentication octets
+	 */
+	chunk_t (*get_auth_octets)(keymat_t *this, bool verify, chunk_t ike_sa_init,
+							   chunk_t nonce, identification_t *id);
+	/**
+	 * Build the shared secret signature used for PSK and EAP authentication.
+	 *
+	 * This method wraps the get_auth_octets() method and additionally
+	 * includes the secret into the signature. If no secret is given, SK_p is
+	 * used as secret (used for EAP methods without MSK).
+	 *
+	 * @param verify		TRUE to create for verfification, FALSE to sign
+	 * @param ike_sa_init	encoded ike_sa_init message
+	 * @param nonce			nonce value
+	 * @param secret		optional secret to include into signature
+	 * @param id			identity
+	 * @return				signature octets
+	 */
+	chunk_t (*get_psk_sig)(keymat_t *this, bool verify, chunk_t ike_sa_init,
+						   chunk_t nonce, chunk_t secret, identification_t *id);
+	/**
+	 * Destroy a keymat_t.
+	 */
+	void (*destroy)(keymat_t *this);
+};
+
+/**
+ * Create a keymat instance.
+ *
+ * @param initiator		TRUE if we are the initiator
+ * @return				keymat instance
+ */
+keymat_t *keymat_create(bool initiator);
+
+#endif /** KEYMAT_H_ @}*/
diff --git a/src/libcharon/sa/mediation_manager.c b/src/libcharon/sa/mediation_manager.c
new file mode 100644
index 000000000..035f49053
--- /dev/null
+++ b/src/libcharon/sa/mediation_manager.c
@@ -0,0 +1,341 @@
+/*
+ * Copyright (C) 2007 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "mediation_manager.h"
+
+#include <daemon.h>
+#include <threading/mutex.h>
+#include <utils/linked_list.h>
+#include <processing/jobs/mediation_job.h>
+
+typedef struct peer_t peer_t;
+
+/**
+ * An entry in the linked list.
+ */
+struct peer_t {
+	/** id of the peer */
+	identification_t *id;
+
+	/** sa id of the peer, NULL if offline */
+	ike_sa_id_t *ike_sa_id;
+
+	/** list of peer ids that reuested this peer */
+	linked_list_t *requested_by;
+};
+
+/**
+ * Implementation of peer_t.destroy.
+ */
+static void peer_destroy(peer_t *this)
+{
+	DESTROY_IF(this->id);
+	DESTROY_IF(this->ike_sa_id);
+	this->requested_by->destroy_offset(this->requested_by,
+									   offsetof(identification_t, destroy));
+	free(this);
+}
+
+/**
+ * Creates a new entry for the list.
+ */
+static peer_t *peer_create(identification_t *id, ike_sa_id_t* ike_sa_id)
+{
+	peer_t *this = malloc_thing(peer_t);
+
+	/* clone everything */
+	this->id = id->clone(id);
+	this->ike_sa_id = ike_sa_id ? ike_sa_id->clone(ike_sa_id) : NULL;
+	this->requested_by = linked_list_create();
+
+	return this;
+}
+
+typedef struct private_mediation_manager_t private_mediation_manager_t;
+
+/**
+ * Additional private members of mediation_manager_t.
+ */
+struct private_mediation_manager_t {
+	/**
+	 * Public interface of mediation_manager_t.
+	 */
+	 mediation_manager_t public;
+
+	 /**
+	  * Lock for exclusivly accessing the manager.
+	  */
+	 mutex_t *mutex;
+
+	 /**
+	  * Linked list with state entries.
+	  */
+	 linked_list_t *peers;
+};
+
+/**
+ * Registers a peer's ID at another peer, if it is not yet registered
+ */
+static void register_peer(peer_t *peer, identification_t *peer_id)
+{
+	iterator_t *iterator;
+	identification_t *current;
+
+	iterator = peer->requested_by->create_iterator(peer->requested_by, TRUE);
+	while (iterator->iterate(iterator, (void**)&current))
+	{
+		if (peer_id->equals(peer_id, current))
+		{
+			iterator->destroy(iterator);
+			return;
+		}
+	}
+	iterator->destroy(iterator);
+
+	peer->requested_by->insert_last(peer->requested_by,
+									peer_id->clone(peer_id));
+}
+
+/**
+ * Get a peer_t object by a peer's id
+ */
+static status_t get_peer_by_id(private_mediation_manager_t *this,
+							   identification_t *id, peer_t **peer)
+{
+	iterator_t *iterator;
+	peer_t *current;
+	status_t status = NOT_FOUND;
+
+	iterator = this->peers->create_iterator(this->peers, TRUE);
+	while (iterator->iterate(iterator, (void**)&current))
+	{
+		if (id->equals(id, current->id))
+		{
+			if (peer)
+			{
+				*peer = current;
+			}
+			status = SUCCESS;
+			break;
+		}
+	}
+	iterator->destroy(iterator);
+
+	return status;
+}
+
+/**
+ * Check if a given peer is registered at other peers. If so, remove it there
+ * and then remove peers completely that are not online and have no registered
+ * peers.
+ */
+static void unregister_peer(private_mediation_manager_t *this,
+							identification_t *peer_id)
+{
+	iterator_t *iterator, *iterator_r;
+	peer_t *peer;
+	identification_t *registered;
+
+	iterator = this->peers->create_iterator(this->peers, TRUE);
+	while (iterator->iterate(iterator, (void**)&peer))
+	{
+		iterator_r = peer->requested_by->create_iterator(peer->requested_by,
+														 TRUE);
+		while (iterator_r->iterate(iterator_r, (void**)&registered))
+		{
+			if (peer_id->equals(peer_id, registered))
+			{
+				iterator_r->remove(iterator_r);
+				registered->destroy(registered);
+				break;
+			}
+		}
+		iterator_r->destroy(iterator_r);
+
+		if (!peer->ike_sa_id && !peer->requested_by->get_count(peer->requested_by))
+		{
+			iterator->remove(iterator);
+			peer_destroy(peer);
+			break;
+		}
+	}
+	iterator->destroy(iterator);
+}
+
+/**
+ * Implementation of mediation_manager_t.remove
+ */
+static void remove_sa(private_mediation_manager_t *this, ike_sa_id_t *ike_sa_id)
+{
+	iterator_t *iterator;
+	peer_t *peer;
+
+	this->mutex->lock(this->mutex);
+
+	iterator = this->peers->create_iterator(this->peers, TRUE);
+	while (iterator->iterate(iterator, (void**)&peer))
+	{
+		if (ike_sa_id->equals(ike_sa_id, peer->ike_sa_id))
+		{
+			iterator->remove(iterator);
+
+			unregister_peer(this, peer->id);
+
+			peer_destroy(peer);
+			break;
+		}
+	}
+	iterator->destroy(iterator);
+
+	this->mutex->unlock(this->mutex);
+}
+
+/**
+ * Implementation of mediation_manager_t.update_sa_id
+ */
+static void update_sa_id(private_mediation_manager_t *this, identification_t *peer_id, ike_sa_id_t *ike_sa_id)
+{
+	iterator_t *iterator;
+	peer_t *peer;
+	bool found = FALSE;
+
+	this->mutex->lock(this->mutex);
+
+	iterator = this->peers->create_iterator(this->peers, TRUE);
+	while (iterator->iterate(iterator, (void**)&peer))
+	{
+		if (peer_id->equals(peer_id, peer->id))
+		{
+			DESTROY_IF(peer->ike_sa_id);
+			found = TRUE;
+			break;
+		}
+	}
+	iterator->destroy(iterator);
+
+	if (!found)
+	{
+		DBG2(DBG_IKE, "adding peer '%Y'", peer_id);
+		peer = peer_create(peer_id, NULL);
+		this->peers->insert_last(this->peers, peer);
+	}
+
+	DBG2(DBG_IKE, "changing registered IKE_SA ID of peer '%Y'", peer_id);
+	peer->ike_sa_id = ike_sa_id ? ike_sa_id->clone(ike_sa_id) : NULL;
+
+	/* send callbacks to registered peers */
+	identification_t *requester;
+	while(peer->requested_by->remove_last(peer->requested_by,
+										  (void**)&requester) == SUCCESS)
+	{
+		job_t *job = (job_t*)mediation_callback_job_create(requester, peer_id);
+		charon->processor->queue_job(charon->processor, job);
+		requester->destroy(requester);
+	}
+
+	this->mutex->unlock(this->mutex);
+}
+
+/**
+ * Implementation of mediation_manager_t.check.
+ */
+static ike_sa_id_t *check(private_mediation_manager_t *this,
+			identification_t *peer_id)
+{
+	peer_t *peer;
+	ike_sa_id_t *ike_sa_id;
+
+	this->mutex->lock(this->mutex);
+
+	if (get_peer_by_id(this, peer_id, &peer) != SUCCESS)
+	{
+		this->mutex->unlock(this->mutex);
+		return NULL;
+	}
+
+	ike_sa_id = peer->ike_sa_id;
+
+	this->mutex->unlock(this->mutex);
+
+	return ike_sa_id;
+}
+
+/**
+ * Implementation of mediation_manager_t.check_and_register.
+ */
+static ike_sa_id_t *check_and_register(private_mediation_manager_t *this,
+			identification_t *peer_id, identification_t *requester)
+{
+	peer_t *peer;
+	ike_sa_id_t *ike_sa_id;
+
+	this->mutex->lock(this->mutex);
+
+	if (get_peer_by_id(this, peer_id, &peer) != SUCCESS)
+	{
+		DBG2(DBG_IKE, "adding peer %Y", peer_id);
+		peer = peer_create(peer_id, NULL);
+		this->peers->insert_last(this->peers, peer);
+	}
+
+	if (!peer->ike_sa_id)
+	{
+		/* the peer is not online */
+		DBG2(DBG_IKE, "requested peer '%Y' is offline, registering peer '%Y'",
+			 peer_id, requester);
+		register_peer(peer, requester);
+		this->mutex->unlock(this->mutex);
+		return NULL;
+	}
+
+	ike_sa_id = peer->ike_sa_id;
+
+	this->mutex->unlock(this->mutex);
+
+	return ike_sa_id;
+}
+
+/**
+ * Implementation of mediation_manager_t.destroy.
+ */
+static void destroy(private_mediation_manager_t *this)
+{
+	this->mutex->lock(this->mutex);
+
+	this->peers->destroy_function(this->peers, (void*)peer_destroy);
+
+	this->mutex->unlock(this->mutex);
+	this->mutex->destroy(this->mutex);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+mediation_manager_t *mediation_manager_create()
+{
+	private_mediation_manager_t *this = malloc_thing(private_mediation_manager_t);
+
+	this->public.destroy = (void(*)(mediation_manager_t*))destroy;
+	this->public.remove = (void(*)(mediation_manager_t*,ike_sa_id_t*))remove_sa;
+	this->public.update_sa_id = (void(*)(mediation_manager_t*,identification_t*,ike_sa_id_t*))update_sa_id;
+	this->public.check = (ike_sa_id_t*(*)(mediation_manager_t*,identification_t*))check;
+	this->public.check_and_register = (ike_sa_id_t*(*)(mediation_manager_t*,identification_t*,identification_t*))check_and_register;
+
+	this->peers = linked_list_create();
+	this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
+
+	return (mediation_manager_t*)this;
+}
diff --git a/src/libcharon/sa/mediation_manager.h b/src/libcharon/sa/mediation_manager.h
new file mode 100644
index 000000000..31a16f69c
--- /dev/null
+++ b/src/libcharon/sa/mediation_manager.h
@@ -0,0 +1,90 @@
+/*
+ * Copyright (C) 2007 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup mediation_manager mediation_manager
+ * @{ @ingroup sa
+ */
+
+#ifndef MEDIATION_MANAGER_H_
+#define MEDIATION_MANAGER_H_
+
+typedef struct mediation_manager_t mediation_manager_t;
+
+#include <sa/ike_sa_id.h>
+#include <utils/identification.h>
+
+/**
+ * The mediation manager is responsible for managing currently online
+ * peers and registered requests for offline peers on the mediation server.
+ */
+struct mediation_manager_t {
+
+	/**
+	 * Remove the IKE_SA of a peer.
+	 *
+	 * @param ike_sa_id			the IKE_SA ID of the peer's SA
+	 */
+	void (*remove) (mediation_manager_t* this, ike_sa_id_t *ike_sa_id);
+
+	/**
+	 * Update the ike_sa_id that is assigned to a peer's ID. If the peer
+	 * is new, it gets a new record assigned.
+	 *
+	 * @param peer_id			the peer's ID
+	 * @param ike_sa_id			the IKE_SA ID of the peer's SA
+	 */
+	void (*update_sa_id) (mediation_manager_t* this, identification_t *peer_id,
+						  ike_sa_id_t *ike_sa_id);
+
+	/**
+	 * Checks if a specific peer is online.
+	 *
+	 * @param peer_id			the peer's ID
+	 * @returns
+	 *							- IKE_SA ID of the peer's SA.
+	 *							- NULL, if the peer is not online.
+	 */
+	ike_sa_id_t* (*check) (mediation_manager_t* this,
+						   identification_t *peer_id);
+
+	/**
+	 * Checks if a specific peer is online and registers the requesting
+	 * peer if it is not.
+	 *
+	 * @param peer_id			the peer's ID
+	 * @param requester			the requesters ID
+	 * @returns
+	 *							- IKE_SA ID of the peer's SA.
+	 *							- NULL, if the peer is not online.
+	 */
+	ike_sa_id_t* (*check_and_register) (mediation_manager_t* this,
+										identification_t *peer_id,
+										identification_t *requester);
+
+	/**
+	 * Destroys the manager with all data.
+	 */
+	void (*destroy) (mediation_manager_t *this);
+};
+
+/**
+ * Create a manager.
+ *
+ * @returns	mediation_manager_t object
+ */
+mediation_manager_t *mediation_manager_create(void);
+
+#endif /** MEDIATION_MANAGER_H_ @}*/
diff --git a/src/libcharon/sa/task_manager.c b/src/libcharon/sa/task_manager.c
new file mode 100644
index 000000000..eeda6c860
--- /dev/null
+++ b/src/libcharon/sa/task_manager.c
@@ -0,0 +1,1083 @@
+/*
+ * Copyright (C) 2007 Tobias Brunner
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "task_manager.h"
+
+#include <math.h>
+
+#include <daemon.h>
+#include <sa/tasks/ike_init.h>
+#include <sa/tasks/ike_natd.h>
+#include <sa/tasks/ike_mobike.h>
+#include <sa/tasks/ike_auth.h>
+#include <sa/tasks/ike_auth_lifetime.h>
+#include <sa/tasks/ike_cert_pre.h>
+#include <sa/tasks/ike_cert_post.h>
+#include <sa/tasks/ike_rekey.h>
+#include <sa/tasks/ike_delete.h>
+#include <sa/tasks/ike_config.h>
+#include <sa/tasks/ike_dpd.h>
+#include <sa/tasks/ike_vendor.h>
+#include <sa/tasks/child_create.h>
+#include <sa/tasks/child_rekey.h>
+#include <sa/tasks/child_delete.h>
+#include <encoding/payloads/delete_payload.h>
+#include <processing/jobs/retransmit_job.h>
+
+#ifdef ME
+#include <sa/tasks/ike_me.h>
+#endif
+
+typedef struct exchange_t exchange_t;
+
+/**
+ * An exchange in the air, used do detect and handle retransmission
+ */
+struct exchange_t {
+
+	/**
+	 * Message ID used for this transaction
+	 */
+	u_int32_t mid;
+
+	/**
+	 * generated packet for retransmission
+	 */
+	packet_t *packet;
+};
+
+typedef struct private_task_manager_t private_task_manager_t;
+
+/**
+ * private data of the task manager
+ */
+struct private_task_manager_t {
+
+	/**
+	 * public functions
+	 */
+	task_manager_t public;
+
+	/**
+	 * associated IKE_SA we are serving
+	 */
+	ike_sa_t *ike_sa;
+
+	/**
+	 * Exchange we are currently handling as responder
+	 */
+	struct {
+		/**
+		 * Message ID of the exchange
+		 */
+		u_int32_t mid;
+
+		/**
+		 * packet for retransmission
+		 */
+		packet_t *packet;
+
+	} responding;
+
+	/**
+	 * Exchange we are currently handling as initiator
+	 */
+	struct {
+		/**
+		 * Message ID of the exchange
+		 */
+		u_int32_t mid;
+
+		/**
+		 * how many times we have retransmitted so far
+		 */
+		u_int retransmitted;
+
+		/**
+		 * packet for retransmission
+		 */
+		packet_t *packet;
+
+		/**
+		 * type of the initated exchange
+		 */
+		exchange_type_t type;
+
+	} initiating;
+
+	/**
+	 * List of queued tasks not yet in action
+	 */
+	linked_list_t *queued_tasks;
+
+	/**
+	 * List of active tasks, initiated by ourselve
+	 */
+	linked_list_t *active_tasks;
+
+	/**
+	 * List of tasks initiated by peer
+	 */
+	linked_list_t *passive_tasks;
+
+	/**
+	 * the task manager has been reset
+	 */
+	bool reset;
+
+	/**
+	 * Number of times we retransmit messages before giving up
+	 */
+	u_int retransmit_tries;
+
+	/**
+	 * Retransmission timeout
+	 */
+	double retransmit_timeout;
+
+	/**
+	 * Base to calculate retransmission timeout
+	 */
+	double retransmit_base;
+};
+
+/**
+ * flush all tasks in the task manager
+ */
+static void flush(private_task_manager_t *this)
+{
+	this->queued_tasks->destroy_offset(this->queued_tasks,
+										offsetof(task_t, destroy));
+	this->passive_tasks->destroy_offset(this->passive_tasks,
+										offsetof(task_t, destroy));
+	this->active_tasks->destroy_offset(this->active_tasks,
+										offsetof(task_t, destroy));
+	this->queued_tasks = linked_list_create();
+	this->passive_tasks = linked_list_create();
+	this->active_tasks = linked_list_create();
+}
+
+/**
+ * move a task of a specific type from the queue to the active list
+ */
+static bool activate_task(private_task_manager_t *this, task_type_t type)
+{
+	iterator_t *iterator;
+	task_t *task;
+	bool found = FALSE;
+
+	iterator = this->queued_tasks->create_iterator(this->queued_tasks, TRUE);
+	while (iterator->iterate(iterator, (void**)&task))
+	{
+		if (task->get_type(task) == type)
+		{
+			DBG2(DBG_IKE, "  activating %N task", task_type_names, type);
+			iterator->remove(iterator);
+			this->active_tasks->insert_last(this->active_tasks, task);
+			found = TRUE;
+			break;
+		}
+	}
+	iterator->destroy(iterator);
+	return found;
+}
+
+/**
+ * Implementation of task_manager_t.retransmit
+ */
+static status_t retransmit(private_task_manager_t *this, u_int32_t message_id)
+{
+	if (message_id == this->initiating.mid)
+	{
+		u_int32_t timeout;
+		job_t *job;
+		iterator_t *iterator;
+		packet_t *packet;
+		task_t *task;
+		ike_mobike_t *mobike = NULL;
+
+		/* check if we are retransmitting a MOBIKE routability check */
+		iterator = this->active_tasks->create_iterator(this->active_tasks, TRUE);
+		while (iterator->iterate(iterator, (void*)&task))
+		{
+			if (task->get_type(task) == IKE_MOBIKE)
+			{
+				mobike = (ike_mobike_t*)task;
+				if (!mobike->is_probing(mobike))
+				{
+					mobike = NULL;
+				}
+				break;
+			}
+		}
+		iterator->destroy(iterator);
+
+		if (mobike == NULL)
+		{
+			if (this->initiating.retransmitted <= this->retransmit_tries)
+			{
+				timeout = (u_int32_t)(this->retransmit_timeout * 1000.0 *
+					pow(this->retransmit_base, this->initiating.retransmitted));
+			}
+			else
+			{
+				DBG1(DBG_IKE, "giving up after %d retransmits",
+					 this->initiating.retransmitted - 1);
+				if (this->ike_sa->get_state(this->ike_sa) != IKE_CONNECTING)
+				{
+					charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
+				}
+				return DESTROY_ME;
+			}
+
+			if (this->initiating.retransmitted)
+			{
+				DBG1(DBG_IKE, "retransmit %d of request with message ID %d",
+					 this->initiating.retransmitted, message_id);
+			}
+			packet = this->initiating.packet->clone(this->initiating.packet);
+			charon->sender->send(charon->sender, packet);
+		}
+		else
+		{	/* for routeability checks, we use a more aggressive behavior */
+			if (this->initiating.retransmitted <= ROUTEABILITY_CHECK_TRIES)
+			{
+				timeout = ROUTEABILITY_CHECK_INTERVAL;
+			}
+			else
+			{
+				DBG1(DBG_IKE, "giving up after %d path probings",
+					 this->initiating.retransmitted - 1);
+				charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
+				return DESTROY_ME;
+			}
+
+			if (this->initiating.retransmitted)
+			{
+				DBG1(DBG_IKE, "path probing attempt %d",
+					 this->initiating.retransmitted);
+			}
+			mobike->transmit(mobike, this->initiating.packet);
+		}
+
+		this->initiating.retransmitted++;
+		job = (job_t*)retransmit_job_create(this->initiating.mid,
+											this->ike_sa->get_id(this->ike_sa));
+		charon->scheduler->schedule_job_ms(charon->scheduler, job, timeout);
+	}
+	return SUCCESS;
+}
+
+/**
+ * build a request using the active task list
+ * Implementation of task_manager_t.initiate
+ */
+static status_t build_request(private_task_manager_t *this)
+{
+	iterator_t *iterator;
+	task_t *task;
+	message_t *message;
+	host_t *me, *other;
+	status_t status;
+	exchange_type_t exchange = 0;
+
+	if (this->initiating.type != EXCHANGE_TYPE_UNDEFINED)
+	{
+		DBG2(DBG_IKE, "delaying task initiation, exchange in progress");
+		/* do not initiate if we already have a message in the air */
+		return SUCCESS;
+	}
+
+	if (this->active_tasks->get_count(this->active_tasks) == 0)
+	{
+		DBG2(DBG_IKE, "activating new tasks");
+		switch (this->ike_sa->get_state(this->ike_sa))
+		{
+			case IKE_CREATED:
+				activate_task(this, IKE_VENDOR);
+				if (activate_task(this, IKE_INIT))
+				{
+					this->initiating.mid = 0;
+					exchange = IKE_SA_INIT;
+					activate_task(this, IKE_NATD);
+					activate_task(this, IKE_CERT_PRE);
+#ifdef ME
+					/* this task has to be activated before the IKE_AUTHENTICATE
+					 * task, because that task pregenerates the packet after
+					 * which no payloads can be added to the message anymore.
+					 */
+					activate_task(this, IKE_ME);
+#endif /* ME */
+					activate_task(this, IKE_AUTHENTICATE);
+					activate_task(this, IKE_CERT_POST);
+					activate_task(this, IKE_CONFIG);
+					activate_task(this, CHILD_CREATE);
+					activate_task(this, IKE_AUTH_LIFETIME);
+					activate_task(this, IKE_MOBIKE);
+				}
+				break;
+			case IKE_ESTABLISHED:
+				if (activate_task(this, CHILD_CREATE))
+				{
+					exchange = CREATE_CHILD_SA;
+					break;
+				}
+				if (activate_task(this, CHILD_DELETE))
+				{
+					exchange = INFORMATIONAL;
+					break;
+				}
+				if (activate_task(this, CHILD_REKEY))
+				{
+					exchange = CREATE_CHILD_SA;
+					break;
+				}
+				if (activate_task(this, IKE_DELETE))
+				{
+					exchange = INFORMATIONAL;
+					break;
+				}
+				if (activate_task(this, IKE_REKEY))
+				{
+					exchange = CREATE_CHILD_SA;
+					break;
+				}
+				if (activate_task(this, IKE_REAUTH))
+				{
+					exchange = INFORMATIONAL;
+					break;
+				}
+				if (activate_task(this, IKE_MOBIKE))
+				{
+					exchange = INFORMATIONAL;
+					break;
+				}
+				if (activate_task(this, IKE_DPD))
+				{
+					exchange = INFORMATIONAL;
+					break;
+				}
+#ifdef ME
+				if (activate_task(this, IKE_ME))
+				{
+					exchange = ME_CONNECT;
+					break;
+				}
+#endif /* ME */
+			case IKE_REKEYING:
+				if (activate_task(this, IKE_DELETE))
+				{
+					exchange = INFORMATIONAL;
+					break;
+				}
+			case IKE_DELETING:
+			default:
+				break;
+		}
+	}
+	else
+	{
+		DBG2(DBG_IKE, "reinitiating already active tasks");
+		iterator = this->active_tasks->create_iterator(this->active_tasks, TRUE);
+		while (iterator->iterate(iterator, (void**)&task))
+		{
+			DBG2(DBG_IKE, "  %N task", task_type_names, task->get_type(task));
+			switch (task->get_type(task))
+			{
+				case IKE_INIT:
+					exchange = IKE_SA_INIT;
+					break;
+				case IKE_AUTHENTICATE:
+					exchange = IKE_AUTH;
+					break;
+				case CHILD_CREATE:
+				case CHILD_REKEY:
+				case IKE_REKEY:
+					exchange = CREATE_CHILD_SA;
+					break;
+				case IKE_MOBIKE:
+					exchange = INFORMATIONAL;
+				default:
+					continue;
+			}
+			break;
+		}
+		iterator->destroy(iterator);
+	}
+
+	if (exchange == 0)
+	{
+		DBG2(DBG_IKE, "nothing to initiate");
+		/* nothing to do yet... */
+		return SUCCESS;
+	}
+
+	me = this->ike_sa->get_my_host(this->ike_sa);
+	other = this->ike_sa->get_other_host(this->ike_sa);
+
+	message = message_create();
+	message->set_message_id(message, this->initiating.mid);
+	message->set_source(message, me->clone(me));
+	message->set_destination(message, other->clone(other));
+	message->set_exchange_type(message, exchange);
+	this->initiating.type = exchange;
+	this->initiating.retransmitted = 0;
+
+	iterator = this->active_tasks->create_iterator(this->active_tasks, TRUE);
+	while (iterator->iterate(iterator, (void*)&task))
+	{
+		switch (task->build(task, message))
+		{
+			case SUCCESS:
+				/* task completed, remove it */
+				iterator->remove(iterator);
+				task->destroy(task);
+				break;
+			case NEED_MORE:
+				/* processed, but task needs another exchange */
+				break;
+			case FAILED:
+			default:
+				if (this->ike_sa->get_state(this->ike_sa) != IKE_CONNECTING)
+				{
+					charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
+				}
+				/* FALL */
+			case DESTROY_ME:
+				/* critical failure, destroy IKE_SA */
+				iterator->destroy(iterator);
+				message->destroy(message);
+				flush(this);
+				return DESTROY_ME;
+		}
+	}
+	iterator->destroy(iterator);
+
+	/* update exchange type if a task changed it */
+	this->initiating.type = message->get_exchange_type(message);
+
+	charon->bus->message(charon->bus, message, FALSE);
+	status = this->ike_sa->generate_message(this->ike_sa, message,
+											&this->initiating.packet);
+	if (status != SUCCESS)
+	{
+		/* message generation failed. There is nothing more to do than to
+		 * close the SA */
+		message->destroy(message);
+		flush(this);
+		charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
+		return DESTROY_ME;
+	}
+	message->destroy(message);
+
+	return retransmit(this, this->initiating.mid);
+}
+
+/**
+ * handle an incoming response message
+ */
+static status_t process_response(private_task_manager_t *this,
+								 message_t *message)
+{
+	iterator_t *iterator;
+	task_t *task;
+
+	if (message->get_exchange_type(message) != this->initiating.type)
+	{
+		DBG1(DBG_IKE, "received %N response, but expected %N",
+			 exchange_type_names, message->get_exchange_type(message),
+			 exchange_type_names, this->initiating.type);
+		charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
+		return DESTROY_ME;
+	}
+
+	/* catch if we get resetted while processing */
+	this->reset = FALSE;
+	iterator = this->active_tasks->create_iterator(this->active_tasks, TRUE);
+	while (iterator->iterate(iterator, (void*)&task))
+	{
+		switch (task->process(task, message))
+		{
+			case SUCCESS:
+				/* task completed, remove it */
+				iterator->remove(iterator);
+				task->destroy(task);
+				break;
+			case NEED_MORE:
+				/* processed, but task needs another exchange */
+				break;
+			case FAILED:
+			default:
+				charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
+				/* FALL */
+			case DESTROY_ME:
+				/* critical failure, destroy IKE_SA */
+				iterator->remove(iterator);
+				iterator->destroy(iterator);
+				task->destroy(task);
+				return DESTROY_ME;
+		}
+		if (this->reset)
+		{	/* start all over again if we were reset */
+			this->reset = FALSE;
+			iterator->destroy(iterator);
+			return build_request(this);
+		}
+	}
+	iterator->destroy(iterator);
+
+	this->initiating.mid++;
+	this->initiating.type = EXCHANGE_TYPE_UNDEFINED;
+	this->initiating.packet->destroy(this->initiating.packet);
+	this->initiating.packet = NULL;
+
+	return build_request(this);
+}
+
+/**
+ * handle exchange collisions
+ */
+static void handle_collisions(private_task_manager_t *this, task_t *task)
+{
+	iterator_t *iterator;
+	task_t *active;
+	task_type_t type;
+
+	type = task->get_type(task);
+
+	/* do we have to check  */
+	if (type == IKE_REKEY || type == CHILD_REKEY ||
+		type == CHILD_DELETE || type == IKE_DELETE || type == IKE_REAUTH)
+	{
+		/* find an exchange collision, and notify these tasks */
+		iterator = this->active_tasks->create_iterator(this->active_tasks, TRUE);
+		while (iterator->iterate(iterator, (void**)&active))
+		{
+			switch (active->get_type(active))
+			{
+				case IKE_REKEY:
+					if (type == IKE_REKEY || type == IKE_DELETE ||
+						type == IKE_REAUTH)
+					{
+						ike_rekey_t *rekey = (ike_rekey_t*)active;
+						rekey->collide(rekey, task);
+						break;
+					}
+					continue;
+				case CHILD_REKEY:
+					if (type == CHILD_REKEY || type == CHILD_DELETE)
+					{
+						child_rekey_t *rekey = (child_rekey_t*)active;
+						rekey->collide(rekey, task);
+						break;
+					}
+					continue;
+				default:
+					continue;
+			}
+			iterator->destroy(iterator);
+			return;
+		}
+		iterator->destroy(iterator);
+	}
+	/* destroy task if not registered in any active task */
+	task->destroy(task);
+}
+
+/**
+ * build a response depending on the "passive" task list
+ */
+static status_t build_response(private_task_manager_t *this, message_t *request)
+{
+	iterator_t *iterator;
+	task_t *task;
+	message_t *message;
+	host_t *me, *other;
+	bool delete = FALSE;
+	status_t status;
+
+	me = request->get_destination(request);
+	other = request->get_source(request);
+
+	message = message_create();
+	message->set_exchange_type(message, request->get_exchange_type(request));
+	/* send response along the path the request came in */
+	message->set_source(message, me->clone(me));
+	message->set_destination(message, other->clone(other));
+	message->set_message_id(message, this->responding.mid);
+	message->set_request(message, FALSE);
+
+	iterator = this->passive_tasks->create_iterator(this->passive_tasks, TRUE);
+	while (iterator->iterate(iterator, (void*)&task))
+	{
+		switch (task->build(task, message))
+		{
+			case SUCCESS:
+				/* task completed, remove it */
+				iterator->remove(iterator);
+				handle_collisions(this, task);
+			case NEED_MORE:
+				/* processed, but task needs another exchange */
+				break;
+			case FAILED:
+			default:
+				charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
+				/* FALL */
+			case DESTROY_ME:
+				/* destroy IKE_SA, but SEND response first */
+				delete = TRUE;
+				break;
+		}
+		if (delete)
+		{
+			break;
+		}
+	}
+	iterator->destroy(iterator);
+
+	/* remove resonder SPI if IKE_SA_INIT failed */
+	if (delete && request->get_exchange_type(request) == IKE_SA_INIT)
+	{
+		ike_sa_id_t *id = this->ike_sa->get_id(this->ike_sa);
+		id->set_responder_spi(id, 0);
+	}
+
+	/* message complete, send it */
+	DESTROY_IF(this->responding.packet);
+	this->responding.packet = NULL;
+	charon->bus->message(charon->bus, message, FALSE);
+	status = this->ike_sa->generate_message(this->ike_sa, message,
+											&this->responding.packet);
+	message->destroy(message);
+	if (status != SUCCESS)
+	{
+		charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
+		return DESTROY_ME;
+	}
+
+	charon->sender->send(charon->sender,
+						 this->responding.packet->clone(this->responding.packet));
+	if (delete)
+	{
+		return DESTROY_ME;
+	}
+	return SUCCESS;
+}
+
+/**
+ * handle an incoming request message
+ */
+static status_t process_request(private_task_manager_t *this,
+								message_t *message)
+{
+	enumerator_t *enumerator;
+	iterator_t *iterator;
+	task_t *task = NULL;
+	payload_t *payload;
+	notify_payload_t *notify;
+	delete_payload_t *delete;
+
+	if (this->passive_tasks->get_count(this->passive_tasks) == 0)
+	{	/* create tasks depending on request type, if not already some queued */
+		switch (message->get_exchange_type(message))
+		{
+			case IKE_SA_INIT:
+			{
+				task = (task_t*)ike_vendor_create(this->ike_sa, FALSE);
+				this->passive_tasks->insert_last(this->passive_tasks, task);
+				task = (task_t*)ike_init_create(this->ike_sa, FALSE, NULL);
+				this->passive_tasks->insert_last(this->passive_tasks, task);
+				task = (task_t*)ike_natd_create(this->ike_sa, FALSE);
+				this->passive_tasks->insert_last(this->passive_tasks, task);
+				task = (task_t*)ike_cert_pre_create(this->ike_sa, FALSE);
+				this->passive_tasks->insert_last(this->passive_tasks, task);
+#ifdef ME
+				task = (task_t*)ike_me_create(this->ike_sa, FALSE);
+				this->passive_tasks->insert_last(this->passive_tasks, task);
+#endif /* ME */
+				task = (task_t*)ike_auth_create(this->ike_sa, FALSE);
+				this->passive_tasks->insert_last(this->passive_tasks, task);
+				task = (task_t*)ike_cert_post_create(this->ike_sa, FALSE);
+				this->passive_tasks->insert_last(this->passive_tasks, task);
+				task = (task_t*)ike_config_create(this->ike_sa, FALSE);
+				this->passive_tasks->insert_last(this->passive_tasks, task);
+				task = (task_t*)child_create_create(this->ike_sa, NULL, FALSE,
+													NULL, NULL);
+				this->passive_tasks->insert_last(this->passive_tasks, task);
+				task = (task_t*)ike_auth_lifetime_create(this->ike_sa, FALSE);
+				this->passive_tasks->insert_last(this->passive_tasks, task);
+				task = (task_t*)ike_mobike_create(this->ike_sa, FALSE);
+				this->passive_tasks->insert_last(this->passive_tasks, task);
+				break;
+			}
+			case CREATE_CHILD_SA:
+			{	/* FIXME: we should prevent this on mediation connections */
+				bool notify_found = FALSE, ts_found = FALSE;
+				enumerator = message->create_payload_enumerator(message);
+				while (enumerator->enumerate(enumerator, &payload))
+				{
+					switch (payload->get_type(payload))
+					{
+						case NOTIFY:
+						{	/* if we find a rekey notify, its CHILD_SA rekeying */
+							notify = (notify_payload_t*)payload;
+							if (notify->get_notify_type(notify) == REKEY_SA &&
+								(notify->get_protocol_id(notify) == PROTO_AH ||
+								 notify->get_protocol_id(notify) == PROTO_ESP))
+							{
+								notify_found = TRUE;
+							}
+							break;
+						}
+						case TRAFFIC_SELECTOR_INITIATOR:
+						case TRAFFIC_SELECTOR_RESPONDER:
+						{	/* if we don't find a TS, its IKE rekeying */
+							ts_found = TRUE;
+							break;
+						}
+						default:
+							break;
+					}
+				}
+				enumerator->destroy(enumerator);
+
+				if (ts_found)
+				{
+					if (notify_found)
+					{
+						task = (task_t*)child_rekey_create(this->ike_sa,
+														   PROTO_NONE, 0);
+					}
+					else
+					{
+						task = (task_t*)child_create_create(this->ike_sa, NULL,
+															FALSE, NULL, NULL);
+					}
+				}
+				else
+				{
+					task = (task_t*)ike_rekey_create(this->ike_sa, FALSE);
+				}
+				this->passive_tasks->insert_last(this->passive_tasks, task);
+				break;
+			}
+			case INFORMATIONAL:
+			{
+				enumerator = message->create_payload_enumerator(message);
+				while (enumerator->enumerate(enumerator, &payload))
+				{
+					switch (payload->get_type(payload))
+					{
+						case NOTIFY:
+						{
+							notify = (notify_payload_t*)payload;
+							switch (notify->get_notify_type(notify))
+							{
+								case ADDITIONAL_IP4_ADDRESS:
+								case ADDITIONAL_IP6_ADDRESS:
+								case NO_ADDITIONAL_ADDRESSES:
+								case UPDATE_SA_ADDRESSES:
+								case NO_NATS_ALLOWED:
+								case UNACCEPTABLE_ADDRESSES:
+								case UNEXPECTED_NAT_DETECTED:
+								case COOKIE2:
+								case NAT_DETECTION_SOURCE_IP:
+								case NAT_DETECTION_DESTINATION_IP:
+									task = (task_t*)ike_mobike_create(
+															this->ike_sa, FALSE);
+									break;
+								case AUTH_LIFETIME:
+									task = (task_t*)ike_auth_lifetime_create(
+															this->ike_sa, FALSE);
+									break;
+								default:
+									break;
+							}
+							break;
+						}
+						case DELETE:
+						{
+							delete = (delete_payload_t*)payload;
+							if (delete->get_protocol_id(delete) == PROTO_IKE)
+							{
+								task = (task_t*)ike_delete_create(this->ike_sa,
+																FALSE);
+							}
+							else
+							{
+								task = (task_t*)child_delete_create(this->ike_sa,
+																PROTO_NONE, 0);
+							}
+							break;
+						}
+						default:
+							break;
+					}
+					if (task)
+					{
+						break;
+					}
+				}
+				enumerator->destroy(enumerator);
+
+				if (task == NULL)
+				{
+					task = (task_t*)ike_dpd_create(FALSE);
+				}
+				this->passive_tasks->insert_last(this->passive_tasks, task);
+				break;
+			}
+#ifdef ME
+			case ME_CONNECT:
+			{
+				task = (task_t*)ike_me_create(this->ike_sa, FALSE);
+				this->passive_tasks->insert_last(this->passive_tasks, task);
+			}
+#endif /* ME */
+			default:
+				break;
+		}
+	}
+
+	/* let the tasks process the message */
+	iterator = this->passive_tasks->create_iterator(this->passive_tasks, TRUE);
+	while (iterator->iterate(iterator, (void*)&task))
+	{
+		switch (task->process(task, message))
+		{
+			case SUCCESS:
+				/* task completed, remove it */
+				iterator->remove(iterator);
+				task->destroy(task);
+				break;
+			case NEED_MORE:
+				/* processed, but task needs at least another call to build() */
+				break;
+			case FAILED:
+			default:
+				charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
+				/* FALL */
+			case DESTROY_ME:
+				/* critical failure, destroy IKE_SA */
+				iterator->remove(iterator);
+				iterator->destroy(iterator);
+				task->destroy(task);
+				return DESTROY_ME;
+		}
+	}
+	iterator->destroy(iterator);
+
+	return build_response(this, message);
+}
+
+/**
+ * Implementation of task_manager_t.process_message
+ */
+static status_t process_message(private_task_manager_t *this, message_t *msg)
+{
+	u_int32_t mid = msg->get_message_id(msg);
+
+	if (msg->get_request(msg))
+	{
+		if (mid == this->responding.mid)
+		{
+			charon->bus->message(charon->bus, msg, TRUE);
+			if (process_request(this, msg) != SUCCESS)
+			{
+				flush(this);
+				return DESTROY_ME;
+			}
+			this->responding.mid++;
+		}
+		else if ((mid == this->responding.mid - 1) && this->responding.packet)
+		{
+			packet_t *clone;
+			host_t *me, *other;
+
+			DBG1(DBG_IKE, "received retransmit of request with ID %d, "
+				 "retransmitting response", mid);
+			clone = this->responding.packet->clone(this->responding.packet);
+			me = msg->get_destination(msg);
+			other = msg->get_source(msg);
+			clone->set_source(clone, me->clone(me));
+			clone->set_destination(clone, other->clone(other));
+			charon->sender->send(charon->sender, clone);
+		}
+		else
+		{
+			DBG1(DBG_IKE, "received message ID %d, expected %d. Ignored",
+				 mid, this->responding.mid);
+		}
+	}
+	else
+	{
+		if (mid == this->initiating.mid)
+		{
+			charon->bus->message(charon->bus, msg, TRUE);
+			if (process_response(this, msg) != SUCCESS)
+			{
+				flush(this);
+				return DESTROY_ME;
+			}
+		}
+		else
+		{
+			DBG1(DBG_IKE, "received message ID %d, expected %d. Ignored",
+				 mid, this->initiating.mid);
+			return SUCCESS;
+		}
+	}
+	return SUCCESS;
+}
+
+/**
+ * Implementation of task_manager_t.queue_task
+ */
+static void queue_task(private_task_manager_t *this, task_t *task)
+{
+	if (task->get_type(task) == IKE_MOBIKE)
+	{	/*  there is no need to queue more than one mobike task */
+		iterator_t *iterator;
+		task_t *current;
+
+		iterator = this->queued_tasks->create_iterator(this->queued_tasks, TRUE);
+		while (iterator->iterate(iterator, (void**)&current))
+		{
+			if (current->get_type(current) == IKE_MOBIKE)
+			{
+				iterator->destroy(iterator);
+				task->destroy(task);
+				return;
+			}
+		}
+		iterator->destroy(iterator);
+	}
+	DBG2(DBG_IKE, "queueing %N task", task_type_names, task->get_type(task));
+	this->queued_tasks->insert_last(this->queued_tasks, task);
+}
+
+/**
+ * Implementation of task_manager_t.adopt_tasks
+ */
+static void adopt_tasks(private_task_manager_t *this, private_task_manager_t *other)
+{
+	task_t *task;
+
+	/* move queued tasks from other to this */
+	while (other->queued_tasks->remove_last(other->queued_tasks,
+												(void**)&task) == SUCCESS)
+	{
+		DBG2(DBG_IKE, "migrating %N task", task_type_names, task->get_type(task));
+		task->migrate(task, this->ike_sa);
+		this->queued_tasks->insert_first(this->queued_tasks, task);
+	}
+}
+
+/**
+ * Implementation of task_manager_t.busy
+ */
+static bool busy(private_task_manager_t *this)
+{
+	return (this->active_tasks->get_count(this->active_tasks) > 0);
+}
+
+/**
+ * Implementation of task_manager_t.reset
+ */
+static void reset(private_task_manager_t *this,
+				  u_int32_t initiate, u_int32_t respond)
+{
+	task_t *task;
+
+	/* reset message counters and retransmit packets */
+	DESTROY_IF(this->responding.packet);
+	DESTROY_IF(this->initiating.packet);
+	this->responding.packet = NULL;
+	this->initiating.packet = NULL;
+	if (initiate != UINT_MAX)
+	{
+		this->initiating.mid = initiate;
+	}
+	if (respond != UINT_MAX)
+	{
+		this->responding.mid = respond;
+	}
+	this->initiating.type = EXCHANGE_TYPE_UNDEFINED;
+
+	/* reset active tasks */
+	while (this->active_tasks->remove_last(this->active_tasks,
+										   (void**)&task) == SUCCESS)
+	{
+		task->migrate(task, this->ike_sa);
+		this->queued_tasks->insert_first(this->queued_tasks, task);
+	}
+
+	this->reset = TRUE;
+}
+
+/**
+ * Implementation of task_manager_t.destroy
+ */
+static void destroy(private_task_manager_t *this)
+{
+	flush(this);
+
+	this->active_tasks->destroy(this->active_tasks);
+	this->queued_tasks->destroy(this->queued_tasks);
+	this->passive_tasks->destroy(this->passive_tasks);
+
+	DESTROY_IF(this->responding.packet);
+	DESTROY_IF(this->initiating.packet);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+task_manager_t *task_manager_create(ike_sa_t *ike_sa)
+{
+	private_task_manager_t *this = malloc_thing(private_task_manager_t);
+
+	this->public.process_message = (status_t(*)(task_manager_t*,message_t*))process_message;
+	this->public.queue_task = (void(*)(task_manager_t*,task_t*))queue_task;
+	this->public.initiate = (status_t(*)(task_manager_t*))build_request;
+	this->public.retransmit = (status_t(*)(task_manager_t*,u_int32_t))retransmit;
+	this->public.reset = (void(*)(task_manager_t*,u_int32_t,u_int32_t))reset;
+	this->public.adopt_tasks = (void(*)(task_manager_t*,task_manager_t*))adopt_tasks;
+	this->public.busy = (bool(*)(task_manager_t*))busy;
+	this->public.destroy = (void(*)(task_manager_t*))destroy;
+
+	this->ike_sa = ike_sa;
+	this->responding.packet = NULL;
+	this->initiating.packet = NULL;
+	this->responding.mid = 0;
+	this->initiating.mid = 0;
+	this->initiating.type = EXCHANGE_TYPE_UNDEFINED;
+	this->queued_tasks = linked_list_create();
+	this->active_tasks = linked_list_create();
+	this->passive_tasks = linked_list_create();
+	this->reset = FALSE;
+
+	this->retransmit_tries = lib->settings->get_int(lib->settings,
+								"charon.retransmit_tries", RETRANSMIT_TRIES);
+	this->retransmit_timeout = lib->settings->get_double(lib->settings,
+								"charon.retransmit_timeout", RETRANSMIT_TIMEOUT);
+	this->retransmit_base = lib->settings->get_double(lib->settings,
+								"charon.retransmit_base", RETRANSMIT_BASE);
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/sa/task_manager.h b/src/libcharon/sa/task_manager.h
new file mode 100644
index 000000000..731ed4898
--- /dev/null
+++ b/src/libcharon/sa/task_manager.h
@@ -0,0 +1,173 @@
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup task_manager task_manager
+ * @{ @ingroup sa
+ */
+
+#ifndef TASK_MANAGER_H_
+#define TASK_MANAGER_H_
+
+typedef struct task_manager_t task_manager_t;
+
+#include <limits.h>
+
+#include <library.h>
+#include <encoding/message.h>
+#include <sa/ike_sa.h>
+#include <sa/tasks/task.h>
+
+/**
+ * First retransmit timeout in seconds.
+ */
+#define RETRANSMIT_TIMEOUT 4.0
+
+/**
+ * Base which is raised to the power of the retransmission try.
+ */
+#define RETRANSMIT_BASE 1.8
+
+/**
+ * Number of retransmits done before giving up.
+ */
+#define RETRANSMIT_TRIES 5
+
+/**
+ * Interval for mobike routability checks in ms.
+ */
+#define ROUTEABILITY_CHECK_INTERVAL 2500
+
+/**
+ * Number of routability checks before giving up
+ */
+#define ROUTEABILITY_CHECK_TRIES 10
+
+
+/**
+ * The task manager, juggles task and handles message exchanges.
+ *
+ * On incoming requests, the task manager creates new tasks on demand and
+ * juggles the request through all available tasks. Each task inspects the
+ * request and adds payloads as necessary to the response.
+ * On outgoing requests, the task manager delivers the request through the tasks
+ * to build it, the response gets processed by each task to complete.
+ * The task manager has an internal Queue to store task which should get
+ * completed.
+ * For the initial IKE_SA setup, several tasks are queued: One for the
+ * unauthenticated IKE_SA setup, one for authentication, one for CHILD_SA setup
+ * and maybe one for virtual IP assignement.
+ * The task manager is also responsible for retransmission. It uses a backoff
+ * algorithm. The timeout is calculated using
+ * RETRANSMIT_TIMEOUT * (RETRANSMIT_BASE ** try).
+ * When try reaches RETRANSMIT_TRIES, retransmission is given up.
+ *
+ * Using an initial TIMEOUT of 4s, a BASE of 1.8, and 5 TRIES gives us:
+ * @verbatim
+                   | relative | absolute
+   ---------------------------------------------------------
+   4s * (1.8 ** 0) =    4s         4s
+   4s * (1.8 ** 1) =    7s        11s
+   4s * (1.8 ** 2) =   13s        24s
+   4s * (1.8 ** 3) =   23s        47s
+   4s * (1.8 ** 4) =   42s        89s
+   4s * (1.8 ** 5) =   76s       165s
+
+   @endverbatim
+ * The peer is considered dead after 2min 45s when no reply comes in.
+ */
+struct task_manager_t {
+
+	/**
+	 * Process an incoming message.
+	 *
+	 * @param message		message to add payloads to
+	 * @return
+	 *						- DESTROY_ME if IKE_SA must be closed
+	 *						- SUCCESS otherwise
+	 */
+	status_t (*process_message) (task_manager_t *this, message_t *message);
+
+	/**
+	 * Initiate an exchange with the currently queued tasks.
+	 */
+	status_t (*initiate) (task_manager_t *this);
+
+	/**
+	 * Queue a task in the manager.
+	 *
+	 * @param task			task to queue
+	 */
+	void (*queue_task) (task_manager_t *this, task_t *task);
+
+	/**
+	 * Retransmit a request if it hasn't been acknowledged yet.
+	 *
+	 * A return value of INVALID_STATE means that the message was already
+	 * acknowledged and has not to be retransmitted. A return value of SUCCESS
+	 * means retransmission was required and the message has been resent.
+	 *
+	 * @param message_id	ID of the message to retransmit
+	 * @return
+	 *						- INVALID_STATE if retransmission not required
+	 *						- SUCCESS if retransmission sent
+	 */
+	status_t (*retransmit) (task_manager_t *this, u_int32_t message_id);
+
+	/**
+	 * Migrate all tasks from other to this.
+	 *
+	 * To rekey or reestablish an IKE_SA completely, all queued or active
+	 * tasks should get migrated to the new IKE_SA.
+	 *
+	 * @param other			manager which gives away its tasks
+	 */
+	void (*adopt_tasks) (task_manager_t *this, task_manager_t *other);
+
+	/**
+	 * Reset message ID counters of the task manager.
+	 *
+	 * The IKEv2 protocol requires to restart exchanges with message IDs
+	 * reset to zero (INVALID_KE_PAYLOAD, COOKIES, ...). The reset() method
+	 * resets the message IDs and resets all active tasks using the migrate()
+	 * method.
+	 * Use a value of UINT_MAX to keep the current message ID.
+	 *
+	 * @param initiate		message ID to initiate exchanges (send)
+	 * @param respond		message ID to respond to exchanges (expect)
+	 */
+	void (*reset) (task_manager_t *this, u_int32_t initiate, u_int32_t respond);
+
+	/**
+	 * Check if we are currently waiting for a reply.
+	 *
+	 * @return				TRUE if we are waiting, FALSE otherwise
+	 */
+	bool (*busy) (task_manager_t *this);
+
+	/**
+	 * Destroy the task_manager_t.
+	 */
+	void (*destroy) (task_manager_t *this);
+};
+
+/**
+ * Create an instance of the task manager.
+ *
+ * @param ike_sa		IKE_SA to manage.
+ */
+task_manager_t *task_manager_create(ike_sa_t *ike_sa);
+
+#endif /** TASK_MANAGER_H_ @}*/
diff --git a/src/libcharon/sa/tasks/child_create.c b/src/libcharon/sa/tasks/child_create.c
new file mode 100644
index 000000000..bea4f73d5
--- /dev/null
+++ b/src/libcharon/sa/tasks/child_create.c
@@ -0,0 +1,1351 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2005-2008 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "child_create.h"
+
+#include <daemon.h>
+#include <crypto/diffie_hellman.h>
+#include <credentials/certificates/x509.h>
+#include <encoding/payloads/sa_payload.h>
+#include <encoding/payloads/ke_payload.h>
+#include <encoding/payloads/ts_payload.h>
+#include <encoding/payloads/nonce_payload.h>
+#include <encoding/payloads/notify_payload.h>
+#include <processing/jobs/delete_ike_sa_job.h>
+#include <processing/jobs/inactivity_job.h>
+
+
+typedef struct private_child_create_t private_child_create_t;
+
+/**
+ * Private members of a child_create_t task.
+ */
+struct private_child_create_t {
+
+	/**
+	 * Public methods and task_t interface.
+	 */
+	child_create_t public;
+
+	/**
+	 * Assigned IKE_SA.
+	 */
+	ike_sa_t *ike_sa;
+
+	/**
+	 * Are we the initiator?
+	 */
+	bool initiator;
+
+	/**
+	 * nonce chosen by us
+	 */
+	chunk_t my_nonce;
+
+	/**
+	 * nonce chosen by peer
+	 */
+	chunk_t other_nonce;
+
+	/**
+	 * config to create the CHILD_SA from
+	 */
+	child_cfg_t *config;
+
+	/**
+	 * list of proposal candidates
+	 */
+	linked_list_t *proposals;
+
+	/**
+	 * selected proposal to use for CHILD_SA
+	 */
+	proposal_t *proposal;
+
+	/**
+	 * traffic selectors for initiators side
+	 */
+	linked_list_t *tsi;
+
+	/**
+	 * traffic selectors for responders side
+	 */
+	linked_list_t *tsr;
+
+	/**
+	 * source of triggering packet
+	 */
+	traffic_selector_t *packet_tsi;
+
+	/**
+	 * destination of triggering packet
+	 */
+	traffic_selector_t *packet_tsr;
+
+	/**
+	 * optional diffie hellman exchange
+	 */
+	diffie_hellman_t *dh;
+
+	/**
+	 * group used for DH exchange
+	 */
+	diffie_hellman_group_t dh_group;
+
+	/**
+	 * IKE_SAs keymat
+	 */
+	keymat_t *keymat;
+
+	/**
+	 * mode the new CHILD_SA uses (transport/tunnel/beet)
+	 */
+	ipsec_mode_t mode;
+
+	/**
+	 * IPComp transform to use
+	 */
+	ipcomp_transform_t ipcomp;
+
+	/**
+	 * IPComp transform proposed or accepted by the other peer
+	 */
+	ipcomp_transform_t ipcomp_received;
+
+	/**
+	 * Own allocated SPI
+	 */
+	u_int32_t my_spi;
+
+	/**
+	 * SPI received in proposal
+	 */
+	u_int32_t other_spi;
+
+	/**
+	 * Own allocated Compression Parameter Index (CPI)
+	 */
+	u_int16_t my_cpi;
+
+	/**
+	 * Other Compression Parameter Index (CPI), received via IPCOMP_SUPPORTED
+	 */
+	u_int16_t other_cpi;
+
+	/**
+	 * reqid to use if we are rekeying
+	 */
+	u_int32_t reqid;
+
+	/**
+	 * CHILD_SA which gets established
+	 */
+	child_sa_t *child_sa;
+
+	/**
+	 * successfully established the CHILD?
+	 */
+	bool established;
+
+	/**
+	 * whether the CHILD_SA rekeys an existing one
+	 */
+	bool rekey;
+};
+
+/**
+ * get the nonce from a message
+ */
+static status_t get_nonce(message_t *message, chunk_t *nonce)
+{
+	nonce_payload_t *payload;
+
+	payload = (nonce_payload_t*)message->get_payload(message, NONCE);
+	if (payload == NULL)
+	{
+		return FAILED;
+	}
+	*nonce = payload->get_nonce(payload);
+	return NEED_MORE;
+}
+
+/**
+ * generate a new nonce to include in a CREATE_CHILD_SA message
+ */
+static status_t generate_nonce(chunk_t *nonce)
+{
+	rng_t *rng;
+
+	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
+	if (!rng)
+	{
+		DBG1(DBG_IKE, "error generating nonce value, no RNG found");
+		return FAILED;
+	}
+	rng->allocate_bytes(rng, NONCE_SIZE, nonce);
+	rng->destroy(rng);
+	return SUCCESS;
+}
+
+/**
+ * Check a list of traffic selectors if any selector belongs to host
+ */
+static bool ts_list_is_host(linked_list_t *list, host_t *host)
+{
+	traffic_selector_t *ts;
+	bool is_host = TRUE;
+	iterator_t *iterator = list->create_iterator(list, TRUE);
+
+	while (is_host && iterator->iterate(iterator, (void**)&ts))
+	{
+		is_host = is_host && ts->is_host(ts, host);
+	}
+	iterator->destroy(iterator);
+	return is_host;
+}
+
+/**
+ * Allocate SPIs and update proposals
+ */
+static bool allocate_spi(private_child_create_t *this)
+{
+	enumerator_t *enumerator;
+	proposal_t *proposal;
+
+	/* TODO: allocate additional SPI for AH if we have such proposals */
+	this->my_spi = this->child_sa->alloc_spi(this->child_sa, PROTO_ESP);
+	if (this->my_spi)
+	{
+		if (this->initiator)
+		{
+			enumerator = this->proposals->create_enumerator(this->proposals);
+			while (enumerator->enumerate(enumerator, &proposal))
+			{
+				proposal->set_spi(proposal, this->my_spi);
+			}
+			enumerator->destroy(enumerator);
+		}
+		else
+		{
+			this->proposal->set_spi(this->proposal, this->my_spi);
+		}
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/**
+ * Schedule inactivity timeout for CHILD_SA with reqid, if enabled
+ */
+static void schedule_inactivity_timeout(private_child_create_t *this)
+{
+	u_int32_t timeout;
+	bool close_ike;
+
+	timeout = this->config->get_inactivity(this->config);
+	if (timeout)
+	{
+		close_ike = lib->settings->get_bool(lib->settings,
+										"charon.inactivity_close_ike", FALSE);
+		charon->scheduler->schedule_job(charon->scheduler, (job_t*)
+				inactivity_job_create(this->child_sa->get_reqid(this->child_sa),
+									  timeout, close_ike), timeout);
+	}
+}
+
+/**
+ * Install a CHILD_SA for usage, return value:
+ * - FAILED: no acceptable proposal
+ * - INVALID_ARG: diffie hellman group inacceptable
+ * - NOT_FOUND: TS inacceptable
+ */
+static status_t select_and_install(private_child_create_t *this, bool no_dh)
+{
+	status_t status, status_i, status_o;
+	chunk_t nonce_i, nonce_r;
+	chunk_t encr_i = chunk_empty, encr_r = chunk_empty;
+	chunk_t integ_i = chunk_empty, integ_r = chunk_empty;
+	linked_list_t *my_ts, *other_ts;
+	host_t *me, *other, *other_vip, *my_vip;
+	bool private;
+
+	if (this->proposals == NULL)
+	{
+		DBG1(DBG_IKE, "SA payload missing in message");
+		return FAILED;
+	}
+	if (this->tsi == NULL || this->tsr == NULL)
+	{
+		DBG1(DBG_IKE, "TS payloads missing in message");
+		return NOT_FOUND;
+	}
+
+	me = this->ike_sa->get_my_host(this->ike_sa);
+	other = this->ike_sa->get_other_host(this->ike_sa);
+	my_vip = this->ike_sa->get_virtual_ip(this->ike_sa, TRUE);
+	other_vip = this->ike_sa->get_virtual_ip(this->ike_sa, FALSE);
+
+	private = this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN);
+	this->proposal = this->config->select_proposal(this->config,
+											this->proposals, no_dh, private);
+	if (this->proposal == NULL)
+	{
+		DBG1(DBG_IKE, "no acceptable proposal found");
+		return FAILED;
+	}
+	this->other_spi = this->proposal->get_spi(this->proposal);
+
+	if (!this->initiator && !allocate_spi(this))
+	{	/* responder has no SPI allocated yet */
+		DBG1(DBG_IKE, "allocating SPI failed");
+		return FAILED;
+	}
+	this->child_sa->set_proposal(this->child_sa, this->proposal);
+
+	if (!this->proposal->has_dh_group(this->proposal, this->dh_group))
+	{
+		u_int16_t group;
+
+		if (this->proposal->get_algorithm(this->proposal, DIFFIE_HELLMAN_GROUP,
+										  &group, NULL))
+		{
+			DBG1(DBG_IKE, "DH group %N inacceptable, requesting %N",
+				 diffie_hellman_group_names, this->dh_group,
+				 diffie_hellman_group_names, group);
+			this->dh_group = group;
+			return INVALID_ARG;
+		}
+		/* the selected proposal does not use a DH group */
+		DBG1(DBG_IKE, "ignoring KE exchange, agreed on a non-PFS proposal");
+		DESTROY_IF(this->dh);
+		this->dh = NULL;
+		this->dh_group = MODP_NONE;
+	}
+
+	if (my_vip == NULL)
+	{
+		my_vip = me;
+	}
+	if (other_vip == NULL)
+	{
+		other_vip = other;
+	}
+
+	if (this->initiator)
+	{
+		nonce_i = this->my_nonce;
+		nonce_r = this->other_nonce;
+		my_ts = this->tsi;
+		other_ts = this->tsr;
+	}
+	else
+	{
+		nonce_r = this->my_nonce;
+		nonce_i = this->other_nonce;
+		my_ts = this->tsr;
+		other_ts = this->tsi;
+	}
+	my_ts = this->config->get_traffic_selectors(this->config, TRUE, my_ts,
+												my_vip);
+	other_ts = this->config->get_traffic_selectors(this->config, FALSE, other_ts,
+												   other_vip);
+
+	if (my_ts->get_count(my_ts) == 0 || other_ts->get_count(other_ts) == 0)
+	{
+		my_ts->destroy_offset(my_ts, offsetof(traffic_selector_t, destroy));
+		other_ts->destroy_offset(other_ts, offsetof(traffic_selector_t, destroy));
+		DBG1(DBG_IKE, "no acceptable traffic selectors found");
+		return NOT_FOUND;
+	}
+
+	this->tsr->destroy_offset(this->tsr, offsetof(traffic_selector_t, destroy));
+	this->tsi->destroy_offset(this->tsi, offsetof(traffic_selector_t, destroy));
+	if (this->initiator)
+	{
+		this->tsi = my_ts;
+		this->tsr = other_ts;
+	}
+	else
+	{
+		this->tsr = my_ts;
+		this->tsi = other_ts;
+	}
+
+	if (!this->initiator)
+	{
+		/* check if requested mode is acceptable, downgrade if required */
+		switch (this->mode)
+		{
+			case MODE_TRANSPORT:
+				if (!this->config->use_proxy_mode(this->config) &&
+					   (!ts_list_is_host(this->tsi, other) ||
+						!ts_list_is_host(this->tsr, me))
+				   )
+				{
+					this->mode = MODE_TUNNEL;
+					DBG1(DBG_IKE, "not using transport mode, not host-to-host");
+				}
+				else if (this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY))
+				{
+					this->mode = MODE_TUNNEL;
+					DBG1(DBG_IKE, "not using transport mode, connection NATed");
+				}
+				break;
+			case MODE_BEET:
+				if (!ts_list_is_host(this->tsi, NULL) ||
+					!ts_list_is_host(this->tsr, NULL))
+				{
+					this->mode = MODE_TUNNEL;
+					DBG1(DBG_IKE, "not using BEET mode, not host-to-host");
+				}
+				break;
+			default:
+				break;
+		}
+	}
+
+	/* check for any certificate-based IP address block constraints */
+	if (this->mode == MODE_BEET || this->mode == MODE_TUNNEL)
+	{
+		auth_cfg_t *auth;
+		enumerator_t *auth_enum;
+		certificate_t *cert = NULL;
+
+		auth_enum = this->ike_sa->create_auth_cfg_enumerator(this->ike_sa, FALSE);
+		while (auth_enum->enumerate(auth_enum, &auth))
+		{
+			cert = auth->get(auth, AUTH_HELPER_SUBJECT_CERT);
+			if (cert)
+			{
+				break;
+			}
+		}
+		auth_enum->destroy(auth_enum);
+
+		if (cert && cert->get_type(cert) == CERT_X509)
+		{
+			x509_t *x509 = (x509_t*)cert;
+
+			if (x509->get_flags(x509) & X509_IP_ADDR_BLOCKS)
+			{
+				enumerator_t *enumerator, *block_enum;
+				traffic_selector_t *ts, *block_ts;
+
+				DBG1(DBG_IKE, "checking certificate-based traffic selector "
+							  "constraints [RFC 3779]");
+				enumerator = other_ts->create_enumerator(other_ts);
+				while (enumerator->enumerate(enumerator, &ts))
+				{
+					bool contained = FALSE;
+
+					block_enum = x509->create_ipAddrBlock_enumerator(x509);
+					while (block_enum->enumerate(block_enum, &block_ts))
+					{
+						if (ts->is_contained_in(ts, block_ts))
+						{
+							DBG1(DBG_IKE, "  TS %R is contained in address block"
+										  " constraint %R", ts, block_ts);
+							contained = TRUE;
+							break;
+						}
+					}
+					block_enum->destroy(block_enum);
+
+					if (!contained)
+					{
+						DBG1(DBG_IKE, "  TS %R is not contained in any"
+									  " address block constraint", ts);
+						enumerator->destroy(enumerator);
+						return FAILED;
+					}
+				}
+				enumerator->destroy(enumerator);
+			}
+		}
+	}
+
+	this->child_sa->set_state(this->child_sa, CHILD_INSTALLING);
+	this->child_sa->set_ipcomp(this->child_sa, this->ipcomp);
+	this->child_sa->set_mode(this->child_sa, this->mode);
+	this->child_sa->set_protocol(this->child_sa,
+								 this->proposal->get_protocol(this->proposal));
+
+	if (this->my_cpi == 0 || this->other_cpi == 0 || this->ipcomp == IPCOMP_NONE)
+	{
+		this->my_cpi = this->other_cpi = 0;
+		this->ipcomp = IPCOMP_NONE;
+	}
+	status_i = status_o = FAILED;
+	if (this->keymat->derive_child_keys(this->keymat, this->proposal,
+			this->dh, nonce_i, nonce_r, &encr_i, &integ_i, &encr_r, &integ_r))
+	{
+		if (this->initiator)
+		{
+			status_i = this->child_sa->install(this->child_sa, encr_r, integ_r,
+					this->my_spi, this->my_cpi, TRUE, my_ts, other_ts);
+			status_o = this->child_sa->install(this->child_sa, encr_i, integ_i,
+					this->other_spi, this->other_cpi, FALSE, my_ts, other_ts);
+		}
+		else
+		{
+			status_i = this->child_sa->install(this->child_sa, encr_i, integ_i,
+					this->my_spi, this->my_cpi, TRUE, my_ts, other_ts);
+			status_o = this->child_sa->install(this->child_sa, encr_r, integ_r,
+					this->other_spi, this->other_cpi, FALSE, my_ts, other_ts);
+		}
+	}
+	chunk_clear(&integ_i);
+	chunk_clear(&integ_r);
+	chunk_clear(&encr_i);
+	chunk_clear(&encr_r);
+
+	if (status_i != SUCCESS || status_o != SUCCESS)
+	{
+		DBG1(DBG_IKE, "unable to install %s%s%sIPsec SA (SAD) in kernel",
+			(status_i != SUCCESS) ? "inbound " : "",
+			(status_i != SUCCESS && status_o != SUCCESS) ? "and ": "",
+			(status_o != SUCCESS) ? "outbound " : "");
+		return FAILED;
+	}
+
+	status = this->child_sa->add_policies(this->child_sa, my_ts, other_ts);
+	if (status != SUCCESS)
+	{
+		DBG1(DBG_IKE, "unable to install IPsec policies (SPD) in kernel");
+		return NOT_FOUND;
+	}
+
+	charon->bus->child_keys(charon->bus, this->child_sa, this->dh,
+							nonce_i, nonce_r);
+
+	/* add to IKE_SA, and remove from task */
+	this->child_sa->set_state(this->child_sa, CHILD_INSTALLED);
+	this->ike_sa->add_child_sa(this->ike_sa, this->child_sa);
+	this->established = TRUE;
+
+	if (!this->rekey)
+	{	/* a rekeyed SA uses the same reqid, no need for a new job */
+		schedule_inactivity_timeout(this);
+	}
+	return SUCCESS;
+}
+
+/**
+ * build the payloads for the message
+ */
+static void build_payloads(private_child_create_t *this, message_t *message)
+{
+	sa_payload_t *sa_payload;
+	nonce_payload_t *nonce_payload;
+	ke_payload_t *ke_payload;
+	ts_payload_t *ts_payload;
+
+	/* add SA payload */
+	if (this->initiator)
+	{
+		sa_payload = sa_payload_create_from_proposal_list(this->proposals);
+	}
+	else
+	{
+		sa_payload = sa_payload_create_from_proposal(this->proposal);
+	}
+	message->add_payload(message, (payload_t*)sa_payload);
+
+	/* add nonce payload if not in IKE_AUTH */
+	if (message->get_exchange_type(message) == CREATE_CHILD_SA)
+	{
+		nonce_payload = nonce_payload_create();
+		nonce_payload->set_nonce(nonce_payload, this->my_nonce);
+		message->add_payload(message, (payload_t*)nonce_payload);
+	}
+
+	/* diffie hellman exchange, if PFS enabled */
+	if (this->dh)
+	{
+		ke_payload = ke_payload_create_from_diffie_hellman(this->dh);
+		message->add_payload(message, (payload_t*)ke_payload);
+	}
+
+	/* add TSi/TSr payloads */
+	ts_payload = ts_payload_create_from_traffic_selectors(TRUE, this->tsi);
+	message->add_payload(message, (payload_t*)ts_payload);
+	ts_payload = ts_payload_create_from_traffic_selectors(FALSE, this->tsr);
+	message->add_payload(message, (payload_t*)ts_payload);
+
+	/* add a notify if we are not in tunnel mode */
+	switch (this->mode)
+	{
+		case MODE_TRANSPORT:
+			message->add_notify(message, FALSE, USE_TRANSPORT_MODE, chunk_empty);
+			break;
+		case MODE_BEET:
+			message->add_notify(message, FALSE, USE_BEET_MODE, chunk_empty);
+			break;
+		default:
+			break;
+	}
+}
+
+/**
+ * Adds an IPCOMP_SUPPORTED notify to the message, allocating a CPI
+ */
+static void add_ipcomp_notify(private_child_create_t *this,
+								  message_t *message, u_int8_t ipcomp)
+{
+	if (this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY))
+	{
+		DBG1(DBG_IKE, "IPComp is not supported if either peer is natted, "
+			 "IPComp disabled");
+		return;
+	}
+
+	this->my_cpi = this->child_sa->alloc_cpi(this->child_sa);
+	if (this->my_cpi)
+	{
+		this->ipcomp = ipcomp;
+		message->add_notify(message, FALSE, IPCOMP_SUPPORTED,
+							chunk_cata("cc", chunk_from_thing(this->my_cpi),
+									   chunk_from_thing(ipcomp)));
+	}
+	else
+	{
+		DBG1(DBG_IKE, "unable to allocate a CPI from kernel, IPComp disabled");
+	}
+}
+
+/**
+ * handle a received notify payload
+ */
+static void handle_notify(private_child_create_t *this, notify_payload_t *notify)
+{
+	switch (notify->get_notify_type(notify))
+	{
+		case USE_TRANSPORT_MODE:
+			this->mode = MODE_TRANSPORT;
+			break;
+		case USE_BEET_MODE:
+			if (this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN))
+			{	/* handle private use notify only if we know its meaning */
+				this->mode = MODE_BEET;
+			}
+			else
+			{
+				DBG1(DBG_IKE, "received a notify strongSwan uses for BEET "
+					 "mode, but peer implementation unknown, skipped");
+			}
+			break;
+		case IPCOMP_SUPPORTED:
+		{
+			ipcomp_transform_t ipcomp;
+			u_int16_t cpi;
+			chunk_t data;
+
+			data = notify->get_notification_data(notify);
+			cpi = *(u_int16_t*)data.ptr;
+			ipcomp = (ipcomp_transform_t)(*(data.ptr + 2));
+			switch (ipcomp)
+			{
+				case IPCOMP_DEFLATE:
+					this->other_cpi = cpi;
+					this->ipcomp_received = ipcomp;
+					break;
+				case IPCOMP_LZS:
+				case IPCOMP_LZJH:
+				default:
+					DBG1(DBG_IKE, "received IPCOMP_SUPPORTED notify with a "
+						 "transform ID we don't support %N",
+						 ipcomp_transform_names, ipcomp);
+					break;
+			}
+		}
+		default:
+			break;
+	}
+}
+
+/**
+ * Read payloads from message
+ */
+static void process_payloads(private_child_create_t *this, message_t *message)
+{
+	enumerator_t *enumerator;
+	payload_t *payload;
+	sa_payload_t *sa_payload;
+	ke_payload_t *ke_payload;
+	ts_payload_t *ts_payload;
+
+	/* defaults to TUNNEL mode */
+	this->mode = MODE_TUNNEL;
+
+	enumerator = message->create_payload_enumerator(message);
+	while (enumerator->enumerate(enumerator, &payload))
+	{
+		switch (payload->get_type(payload))
+		{
+			case SECURITY_ASSOCIATION:
+				sa_payload = (sa_payload_t*)payload;
+				this->proposals = sa_payload->get_proposals(sa_payload);
+				break;
+			case KEY_EXCHANGE:
+				ke_payload = (ke_payload_t*)payload;
+				if (!this->initiator)
+				{
+					this->dh_group = ke_payload->get_dh_group_number(ke_payload);
+					this->dh = this->keymat->create_dh(this->keymat, this->dh_group);
+				}
+				if (this->dh)
+				{
+					this->dh->set_other_public_value(this->dh,
+								ke_payload->get_key_exchange_data(ke_payload));
+				}
+				break;
+			case TRAFFIC_SELECTOR_INITIATOR:
+				ts_payload = (ts_payload_t*)payload;
+				this->tsi = ts_payload->get_traffic_selectors(ts_payload);
+				break;
+			case TRAFFIC_SELECTOR_RESPONDER:
+				ts_payload = (ts_payload_t*)payload;
+				this->tsr = ts_payload->get_traffic_selectors(ts_payload);
+				break;
+			case NOTIFY:
+				handle_notify(this, (notify_payload_t*)payload);
+				break;
+			default:
+				break;
+		}
+	}
+	enumerator->destroy(enumerator);
+}
+
+/**
+ * Implementation of task_t.build for initiator
+ */
+static status_t build_i(private_child_create_t *this, message_t *message)
+{
+	host_t *me, *other, *vip;
+	peer_cfg_t *peer_cfg;
+
+	switch (message->get_exchange_type(message))
+	{
+		case IKE_SA_INIT:
+			return get_nonce(message, &this->my_nonce);
+		case CREATE_CHILD_SA:
+			if (generate_nonce(&this->my_nonce) != SUCCESS)
+			{
+				message->add_notify(message, FALSE, NO_PROPOSAL_CHOSEN, chunk_empty);
+				return SUCCESS;
+			}
+			if (this->dh_group == MODP_NONE)
+			{
+				this->dh_group = this->config->get_dh_group(this->config);
+			}
+			break;
+		case IKE_AUTH:
+			if (message->get_message_id(message) != 1)
+			{
+				/* send only in the first request, not in subsequent rounds */
+				return NEED_MORE;
+			}
+			break;
+		default:
+			break;
+	}
+
+	if (this->reqid)
+	{
+		DBG0(DBG_IKE, "establishing CHILD_SA %s{%d}",
+			 this->config->get_name(this->config), this->reqid);
+	}
+	else
+	{
+		DBG0(DBG_IKE, "establishing CHILD_SA %s",
+			 this->config->get_name(this->config));
+	}
+
+	/* reuse virtual IP if we already have one */
+	me = this->ike_sa->get_virtual_ip(this->ike_sa, TRUE);
+	if (me == NULL)
+	{
+		me = this->ike_sa->get_my_host(this->ike_sa);
+	}
+	other = this->ike_sa->get_virtual_ip(this->ike_sa, FALSE);
+	if (other == NULL)
+	{
+		other = this->ike_sa->get_other_host(this->ike_sa);
+	}
+
+	/* check if we want a virtual IP, but don't have one */
+	peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
+	vip = peer_cfg->get_virtual_ip(peer_cfg);
+	if (!this->reqid && vip)
+	{
+		/* propose a 0.0.0.0/0 or ::/0 subnet when we use virtual ip */
+		vip = host_create_any(vip->get_family(vip));
+		this->tsi = this->config->get_traffic_selectors(this->config, TRUE,
+														NULL, vip);
+		vip->destroy(vip);
+	}
+	else
+	{	/* but narrow it for host2host / if we already have a vip */
+		this->tsi = this->config->get_traffic_selectors(this->config, TRUE,
+														NULL, me);
+	}
+	this->tsr = this->config->get_traffic_selectors(this->config, FALSE,
+													NULL, other);
+
+	if (this->packet_tsi)
+	{
+		this->tsi->insert_first(this->tsi,
+								this->packet_tsi->clone(this->packet_tsi));
+	}
+	if (this->packet_tsr)
+	{
+		this->tsr->insert_first(this->tsr,
+								this->packet_tsr->clone(this->packet_tsr));
+	}
+	this->proposals = this->config->get_proposals(this->config,
+												  this->dh_group == MODP_NONE);
+	this->mode = this->config->get_mode(this->config);
+	if (this->mode == MODE_TRANSPORT &&
+		this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY))
+	{
+		this->mode = MODE_TUNNEL;
+		DBG1(DBG_IKE, "not using transport mode, connection NATed");
+	}
+
+	this->child_sa = child_sa_create(this->ike_sa->get_my_host(this->ike_sa),
+			this->ike_sa->get_other_host(this->ike_sa), this->config, this->reqid,
+			this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY));
+
+	if (!allocate_spi(this))
+	{
+		DBG1(DBG_IKE, "unable to allocate SPIs from kernel");
+		return FAILED;
+	}
+
+	if (this->dh_group != MODP_NONE)
+	{
+		this->dh = this->keymat->create_dh(this->keymat, this->dh_group);
+	}
+
+	if (this->config->use_ipcomp(this->config))
+	{
+		/* IPCOMP_DEFLATE is the only transform we support at the moment */
+		add_ipcomp_notify(this, message, IPCOMP_DEFLATE);
+	}
+
+	build_payloads(this, message);
+
+	this->tsi->destroy_offset(this->tsi, offsetof(traffic_selector_t, destroy));
+	this->tsr->destroy_offset(this->tsr, offsetof(traffic_selector_t, destroy));
+	this->proposals->destroy_offset(this->proposals, offsetof(proposal_t, destroy));
+	this->tsi = NULL;
+	this->tsr = NULL;
+	this->proposals = NULL;
+
+	return NEED_MORE;
+}
+
+/**
+ * Implementation of task_t.process for responder
+ */
+static status_t process_r(private_child_create_t *this, message_t *message)
+{
+	switch (message->get_exchange_type(message))
+	{
+		case IKE_SA_INIT:
+			return get_nonce(message, &this->other_nonce);
+		case CREATE_CHILD_SA:
+			get_nonce(message, &this->other_nonce);
+			break;
+		case IKE_AUTH:
+			if (message->get_message_id(message) != 1)
+			{
+				/* only handle first AUTH payload, not additional rounds */
+				return NEED_MORE;
+			}
+		default:
+			break;
+	}
+
+	process_payloads(this, message);
+
+	return NEED_MORE;
+}
+
+/**
+ * handle CHILD_SA setup failure
+ */
+static void handle_child_sa_failure(private_child_create_t *this,
+									message_t *message)
+{
+	if (message->get_exchange_type(message) == IKE_AUTH &&
+		lib->settings->get_bool(lib->settings,
+								"charon.close_ike_on_child_failure", FALSE))
+	{
+		/* we delay the delete for 100ms, as the IKE_AUTH response must arrive
+		 * first */
+		DBG1(DBG_IKE, "closing IKE_SA due CHILD_SA setup failure");
+		charon->scheduler->schedule_job_ms(charon->scheduler, (job_t*)
+			delete_ike_sa_job_create(this->ike_sa->get_id(this->ike_sa), TRUE),
+			100);
+	}
+}
+
+/**
+ * Implementation of task_t.build for responder
+ */
+static status_t build_r(private_child_create_t *this, message_t *message)
+{
+	peer_cfg_t *peer_cfg;
+	payload_t *payload;
+	enumerator_t *enumerator;
+	bool no_dh = TRUE;
+
+	switch (message->get_exchange_type(message))
+	{
+		case IKE_SA_INIT:
+			return get_nonce(message, &this->my_nonce);
+		case CREATE_CHILD_SA:
+			if (generate_nonce(&this->my_nonce) != SUCCESS)
+			{
+				message->add_notify(message, FALSE, NO_PROPOSAL_CHOSEN,
+									chunk_empty);
+				return SUCCESS;
+			}
+			no_dh = FALSE;
+			break;
+		case IKE_AUTH:
+			if (this->ike_sa->get_state(this->ike_sa) != IKE_ESTABLISHED)
+			{	/* wait until all authentication round completed */
+				return NEED_MORE;
+			}
+		default:
+			break;
+	}
+
+	if (this->ike_sa->get_state(this->ike_sa) == IKE_REKEYING)
+	{
+		DBG1(DBG_IKE, "unable to create CHILD_SA while rekeying IKE_SA");
+		message->add_notify(message, TRUE, NO_ADDITIONAL_SAS, chunk_empty);
+		return SUCCESS;
+	}
+
+	peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
+	if (peer_cfg && this->tsi && this->tsr)
+	{
+		host_t *me, *other;
+
+		me = this->ike_sa->get_virtual_ip(this->ike_sa, TRUE);
+		if (me == NULL)
+		{
+			me = this->ike_sa->get_my_host(this->ike_sa);
+		}
+		other = this->ike_sa->get_virtual_ip(this->ike_sa, FALSE);
+		if (other == NULL)
+		{
+			other = this->ike_sa->get_other_host(this->ike_sa);
+		}
+		this->config = peer_cfg->select_child_cfg(peer_cfg, this->tsr,
+												  this->tsi, me, other);
+	}
+
+	if (this->config == NULL)
+	{
+		DBG1(DBG_IKE, "traffic selectors %#R=== %#R inacceptable",
+			 this->tsr, this->tsi);
+		message->add_notify(message, FALSE, TS_UNACCEPTABLE, chunk_empty);
+		handle_child_sa_failure(this, message);
+		return SUCCESS;
+	}
+
+	/* check if ike_config_t included non-critical error notifies */
+	enumerator = message->create_payload_enumerator(message);
+	while (enumerator->enumerate(enumerator, &payload))
+	{
+		if (payload->get_type(payload) == NOTIFY)
+		{
+			notify_payload_t *notify = (notify_payload_t*)payload;
+
+			switch (notify->get_notify_type(notify))
+			{
+				case INTERNAL_ADDRESS_FAILURE:
+				case FAILED_CP_REQUIRED:
+				{
+					DBG1(DBG_IKE,"configuration payload negotation "
+						 "failed, no CHILD_SA built");
+					enumerator->destroy(enumerator);
+					handle_child_sa_failure(this, message);
+					return SUCCESS;
+				}
+				default:
+					break;
+			}
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	this->child_sa = child_sa_create(this->ike_sa->get_my_host(this->ike_sa),
+			this->ike_sa->get_other_host(this->ike_sa), this->config, this->reqid,
+			this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY));
+
+	if (this->ipcomp_received != IPCOMP_NONE)
+	{
+		if (this->config->use_ipcomp(this->config))
+		{
+			add_ipcomp_notify(this, message, this->ipcomp_received);
+		}
+		else
+		{
+			DBG1(DBG_IKE, "received %N notify but IPComp is disabled, ignoring",
+				 notify_type_names, IPCOMP_SUPPORTED);
+		}
+	}
+
+	switch (select_and_install(this, no_dh))
+	{
+		case SUCCESS:
+			break;
+		case NOT_FOUND:
+			message->add_notify(message, FALSE, TS_UNACCEPTABLE, chunk_empty);
+			handle_child_sa_failure(this, message);
+			return SUCCESS;
+		case INVALID_ARG:
+		{
+			u_int16_t group = htons(this->dh_group);
+			message->add_notify(message, FALSE, INVALID_KE_PAYLOAD,
+								chunk_from_thing(group));
+			handle_child_sa_failure(this, message);
+			return SUCCESS;
+		}
+		case FAILED:
+		default:
+			message->add_notify(message, FALSE, NO_PROPOSAL_CHOSEN, chunk_empty);
+			handle_child_sa_failure(this, message);
+			return SUCCESS;
+	}
+
+	build_payloads(this, message);
+
+	DBG0(DBG_IKE, "CHILD_SA %s{%d} established "
+		 "with SPIs %.8x_i %.8x_o and TS %#R=== %#R",
+		 this->child_sa->get_name(this->child_sa),
+		 this->child_sa->get_reqid(this->child_sa),
+		 ntohl(this->child_sa->get_spi(this->child_sa, TRUE)),
+		 ntohl(this->child_sa->get_spi(this->child_sa, FALSE)),
+		 this->child_sa->get_traffic_selectors(this->child_sa, TRUE),
+		 this->child_sa->get_traffic_selectors(this->child_sa, FALSE));
+
+	if (!this->rekey)
+	{	/* invoke the child_up() hook if we are not rekeying */
+		charon->bus->child_updown(charon->bus, this->child_sa, TRUE);
+	}
+	return SUCCESS;
+}
+
+/**
+ * Implementation of task_t.process for initiator
+ */
+static status_t process_i(private_child_create_t *this, message_t *message)
+{
+	enumerator_t *enumerator;
+	payload_t *payload;
+	bool no_dh = TRUE;
+
+	switch (message->get_exchange_type(message))
+	{
+		case IKE_SA_INIT:
+			return get_nonce(message, &this->other_nonce);
+		case CREATE_CHILD_SA:
+			get_nonce(message, &this->other_nonce);
+			no_dh = FALSE;
+			break;
+		case IKE_AUTH:
+			if (this->ike_sa->get_state(this->ike_sa) != IKE_ESTABLISHED)
+			{	/* wait until all authentication round completed */
+				return NEED_MORE;
+			}
+		default:
+			break;
+	}
+
+	/* check for erronous notifies */
+	enumerator = message->create_payload_enumerator(message);
+	while (enumerator->enumerate(enumerator, &payload))
+	{
+		if (payload->get_type(payload) == NOTIFY)
+		{
+			notify_payload_t *notify = (notify_payload_t*)payload;
+			notify_type_t type = notify->get_notify_type(notify);
+
+			switch (type)
+			{
+				/* handle notify errors related to CHILD_SA only */
+				case NO_PROPOSAL_CHOSEN:
+				case SINGLE_PAIR_REQUIRED:
+				case NO_ADDITIONAL_SAS:
+				case INTERNAL_ADDRESS_FAILURE:
+				case FAILED_CP_REQUIRED:
+				case TS_UNACCEPTABLE:
+				case INVALID_SELECTORS:
+				{
+					DBG1(DBG_IKE, "received %N notify, no CHILD_SA built",
+						 notify_type_names, type);
+					enumerator->destroy(enumerator);
+					handle_child_sa_failure(this, message);
+					/* an error in CHILD_SA creation is not critical */
+					return SUCCESS;
+				}
+				case INVALID_KE_PAYLOAD:
+				{
+					chunk_t data;
+					u_int16_t group = MODP_NONE;
+
+					data = notify->get_notification_data(notify);
+					if (data.len == sizeof(group))
+					{
+						memcpy(&group, data.ptr, data.len);
+						group = ntohs(group);
+					}
+					DBG1(DBG_IKE, "peer didn't accept DH group %N, "
+						 "it requested %N", diffie_hellman_group_names,
+						 this->dh_group, diffie_hellman_group_names, group);
+					this->dh_group = group;
+					this->public.task.migrate(&this->public.task, this->ike_sa);
+					enumerator->destroy(enumerator);
+					return NEED_MORE;
+				}
+				default:
+					break;
+			}
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	process_payloads(this, message);
+
+	if (this->ipcomp == IPCOMP_NONE && this->ipcomp_received != IPCOMP_NONE)
+	{
+		DBG1(DBG_IKE, "received an IPCOMP_SUPPORTED notify without requesting"
+			 " one, no CHILD_SA built");
+		handle_child_sa_failure(this, message);
+		return SUCCESS;
+	}
+	else if (this->ipcomp != IPCOMP_NONE && this->ipcomp_received == IPCOMP_NONE)
+	{
+		DBG1(DBG_IKE, "peer didn't accept our proposed IPComp transforms, "
+			 "IPComp is disabled");
+		this->ipcomp = IPCOMP_NONE;
+	}
+	else if (this->ipcomp != IPCOMP_NONE && this->ipcomp != this->ipcomp_received)
+	{
+		DBG1(DBG_IKE, "received an IPCOMP_SUPPORTED notify we didn't propose, "
+			 "no CHILD_SA built");
+		handle_child_sa_failure(this, message);
+		return SUCCESS;
+	}
+
+	if (select_and_install(this, no_dh) == SUCCESS)
+	{
+		DBG0(DBG_IKE, "CHILD_SA %s{%d} established "
+			 "with SPIs %.8x_i %.8x_o and TS %#R=== %#R",
+			 this->child_sa->get_name(this->child_sa),
+			 this->child_sa->get_reqid(this->child_sa),
+			 ntohl(this->child_sa->get_spi(this->child_sa, TRUE)),
+			 ntohl(this->child_sa->get_spi(this->child_sa, FALSE)),
+			 this->child_sa->get_traffic_selectors(this->child_sa, TRUE),
+			 this->child_sa->get_traffic_selectors(this->child_sa, FALSE));
+
+		if (!this->rekey)
+		{	/* invoke the child_up() hook if we are not rekeying */
+			charon->bus->child_updown(charon->bus, this->child_sa, TRUE);
+		}
+	}
+	else
+	{
+		handle_child_sa_failure(this, message);
+	}
+	return SUCCESS;
+}
+
+/**
+ * Implementation of task_t.get_type
+ */
+static task_type_t get_type(private_child_create_t *this)
+{
+	return CHILD_CREATE;
+}
+
+/**
+ * Implementation of child_create_t.use_reqid
+ */
+static void use_reqid(private_child_create_t *this, u_int32_t reqid)
+{
+	this->reqid = reqid;
+}
+
+/**
+ * Implementation of child_create_t.get_child
+ */
+static child_sa_t* get_child(private_child_create_t *this)
+{
+	return this->child_sa;
+}
+
+/**
+ * Implementation of child_create_t.get_lower_nonce
+ */
+static chunk_t get_lower_nonce(private_child_create_t *this)
+{
+	if (memcmp(this->my_nonce.ptr, this->other_nonce.ptr,
+			   min(this->my_nonce.len, this->other_nonce.len)) < 0)
+	{
+		return this->my_nonce;
+	}
+	else
+	{
+		return this->other_nonce;
+	}
+}
+
+/**
+ * Implementation of task_t.migrate
+ */
+static void migrate(private_child_create_t *this, ike_sa_t *ike_sa)
+{
+	chunk_free(&this->my_nonce);
+	chunk_free(&this->other_nonce);
+	if (this->tsi)
+	{
+		this->tsr->destroy_offset(this->tsr, offsetof(traffic_selector_t, destroy));
+	}
+	if (this->tsr)
+	{
+		this->tsi->destroy_offset(this->tsi, offsetof(traffic_selector_t, destroy));
+	}
+	DESTROY_IF(this->child_sa);
+	DESTROY_IF(this->proposal);
+	DESTROY_IF(this->dh);
+	if (this->proposals)
+	{
+		this->proposals->destroy_offset(this->proposals, offsetof(proposal_t, destroy));
+	}
+
+	this->ike_sa = ike_sa;
+	this->keymat = ike_sa->get_keymat(ike_sa);
+	this->proposal = NULL;
+	this->proposals = NULL;
+	this->tsi = NULL;
+	this->tsr = NULL;
+	this->dh = NULL;
+	this->child_sa = NULL;
+	this->mode = MODE_TUNNEL;
+	this->ipcomp = IPCOMP_NONE;
+	this->ipcomp_received = IPCOMP_NONE;
+	this->other_cpi = 0;
+	this->reqid = 0;
+	this->established = FALSE;
+}
+
+/**
+ * Implementation of task_t.destroy
+ */
+static void destroy(private_child_create_t *this)
+{
+	chunk_free(&this->my_nonce);
+	chunk_free(&this->other_nonce);
+	if (this->tsr)
+	{
+		this->tsr->destroy_offset(this->tsr, offsetof(traffic_selector_t, destroy));
+	}
+	if (this->tsi)
+	{
+		this->tsi->destroy_offset(this->tsi, offsetof(traffic_selector_t, destroy));
+	}
+	if (!this->established)
+	{
+		DESTROY_IF(this->child_sa);
+	}
+	DESTROY_IF(this->packet_tsi);
+	DESTROY_IF(this->packet_tsr);
+	DESTROY_IF(this->proposal);
+	DESTROY_IF(this->dh);
+	if (this->proposals)
+	{
+		this->proposals->destroy_offset(this->proposals, offsetof(proposal_t, destroy));
+	}
+
+	DESTROY_IF(this->config);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+child_create_t *child_create_create(ike_sa_t *ike_sa,
+							child_cfg_t *config, bool rekey,
+							traffic_selector_t *tsi, traffic_selector_t *tsr)
+{
+	private_child_create_t *this = malloc_thing(private_child_create_t);
+
+	this->public.get_child = (child_sa_t*(*)(child_create_t*))get_child;
+	this->public.get_lower_nonce = (chunk_t(*)(child_create_t*))get_lower_nonce;
+	this->public.use_reqid = (void(*)(child_create_t*,u_int32_t))use_reqid;
+	this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
+	this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
+	this->public.task.destroy = (void(*)(task_t*))destroy;
+	if (config)
+	{
+		this->public.task.build = (status_t(*)(task_t*,message_t*))build_i;
+		this->public.task.process = (status_t(*)(task_t*,message_t*))process_i;
+		this->initiator = TRUE;
+		config->get_ref(config);
+	}
+	else
+	{
+		this->public.task.build = (status_t(*)(task_t*,message_t*))build_r;
+		this->public.task.process = (status_t(*)(task_t*,message_t*))process_r;
+		this->initiator = FALSE;
+	}
+
+	this->ike_sa = ike_sa;
+	this->config = config;
+	this->my_nonce = chunk_empty;
+	this->other_nonce = chunk_empty;
+	this->proposals = NULL;
+	this->proposal = NULL;
+	this->tsi = NULL;
+	this->tsr = NULL;
+	this->packet_tsi = tsi ? tsi->clone(tsi) : NULL;
+	this->packet_tsr = tsr ? tsr->clone(tsr) : NULL;
+	this->dh = NULL;
+	this->dh_group = MODP_NONE;
+	this->keymat = ike_sa->get_keymat(ike_sa);
+	this->child_sa = NULL;
+	this->mode = MODE_TUNNEL;
+	this->ipcomp = IPCOMP_NONE;
+	this->ipcomp_received = IPCOMP_NONE;
+	this->my_spi = 0;
+	this->other_spi = 0;
+	this->my_cpi = 0;
+	this->other_cpi = 0;
+	this->reqid = 0;
+	this->established = FALSE;
+	this->rekey = rekey;
+
+	return &this->public;
+}
diff --git a/src/libcharon/sa/tasks/child_create.h b/src/libcharon/sa/tasks/child_create.h
new file mode 100644
index 000000000..5dedeb8b1
--- /dev/null
+++ b/src/libcharon/sa/tasks/child_create.h
@@ -0,0 +1,83 @@
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup child_create child_create
+ * @{ @ingroup tasks
+ */
+
+#ifndef CHILD_CREATE_H_
+#define CHILD_CREATE_H_
+
+typedef struct child_create_t child_create_t;
+
+#include <library.h>
+#include <sa/ike_sa.h>
+#include <sa/tasks/task.h>
+#include <config/child_cfg.h>
+
+/**
+ * Task of type CHILD_CREATE, established a new CHILD_SA.
+ *
+ * This task may be included in the IKE_AUTH message or in a separate
+ * CREATE_CHILD_SA exchange.
+ */
+struct child_create_t {
+
+	/**
+	 * Implements the task_t interface
+	 */
+	task_t task;
+
+	/**
+	 * Use a specific reqid for the CHILD_SA.
+	 *
+	 * When this task is used for rekeying, the same reqid is used
+	 * for the new CHILD_SA.
+	 *
+	 * @param reqid		reqid to use
+	 */
+	void (*use_reqid) (child_create_t *this, u_int32_t reqid);
+
+	/**
+	 * Get the lower of the two nonces, used for rekey collisions.
+	 *
+	 * @return			lower nonce
+	 */
+	chunk_t (*get_lower_nonce) (child_create_t *this);
+
+	/**
+	 * Get the CHILD_SA established/establishing by this task.
+	 *
+	 * @return			child_sa
+	 */
+	child_sa_t* (*get_child) (child_create_t *this);
+};
+
+/**
+ * Create a new child_create task.
+ *
+ * @param ike_sa		IKE_SA this task works for
+ * @param config		child_cfg if task initiator, NULL if responder
+ * @param rekey			whether we do a rekey or not
+ * @param tsi			source of triggering packet, or NULL
+ * @param tsr			destination of triggering packet, or NULL
+ * @return				child_create task to handle by the task_manager
+ */
+child_create_t *child_create_create(ike_sa_t *ike_sa,
+							child_cfg_t *config, bool rekey,
+							traffic_selector_t *tsi, traffic_selector_t *tsr);
+
+#endif /** CHILD_CREATE_H_ @}*/
diff --git a/src/libcharon/sa/tasks/child_delete.c b/src/libcharon/sa/tasks/child_delete.c
new file mode 100644
index 000000000..d7c6b0541
--- /dev/null
+++ b/src/libcharon/sa/tasks/child_delete.c
@@ -0,0 +1,402 @@
+/*
+ * Copyright (C) 2006-2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "child_delete.h"
+
+#include <daemon.h>
+#include <encoding/payloads/delete_payload.h>
+
+
+typedef struct private_child_delete_t private_child_delete_t;
+
+/**
+ * Private members of a child_delete_t task.
+ */
+struct private_child_delete_t {
+
+	/**
+	 * Public methods and task_t interface.
+	 */
+	child_delete_t public;
+
+	/**
+	 * Assigned IKE_SA.
+	 */
+	ike_sa_t *ike_sa;
+
+	/**
+	 * Are we the initiator?
+	 */
+	bool initiator;
+
+	/**
+	 * Protocol of CHILD_SA to delete
+	 */
+	protocol_id_t protocol;
+
+	/**
+	 * Inbound SPI of CHILD_SA to delete
+	 */
+	u_int32_t spi;
+
+	/**
+	 * whether to enforce delete action policy
+	 */
+	bool check_delete_action;
+
+	/**
+	 * is this delete exchange following a rekey?
+	 */
+	bool rekeyed;
+
+	/**
+	 * CHILD_SAs which get deleted
+	 */
+	linked_list_t *child_sas;
+};
+
+/**
+ * build the delete payloads from the listed child_sas
+ */
+static void build_payloads(private_child_delete_t *this, message_t *message)
+{
+	delete_payload_t *ah = NULL, *esp = NULL;
+	iterator_t *iterator;
+	child_sa_t *child_sa;
+
+	iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
+	while (iterator->iterate(iterator, (void**)&child_sa))
+	{
+		protocol_id_t protocol = child_sa->get_protocol(child_sa);
+		u_int32_t spi = child_sa->get_spi(child_sa, TRUE);
+
+		switch (protocol)
+		{
+			case PROTO_ESP:
+				if (esp == NULL)
+				{
+					esp = delete_payload_create(PROTO_ESP);
+					message->add_payload(message, (payload_t*)esp);
+				}
+				esp->add_spi(esp, spi);
+				DBG1(DBG_IKE, "sending DELETE for %N CHILD_SA with SPI %.8x",
+							   protocol_id_names, protocol, ntohl(spi));
+				break;
+			case PROTO_AH:
+				if (ah == NULL)
+				{
+					ah = delete_payload_create(PROTO_AH);
+					message->add_payload(message, (payload_t*)ah);
+				}
+				ah->add_spi(ah, spi);
+				DBG1(DBG_IKE, "sending DELETE for %N CHILD_SA with SPI %.8x",
+							   protocol_id_names, protocol, ntohl(spi));
+				break;
+			default:
+				break;
+		}
+		child_sa->set_state(child_sa, CHILD_DELETING);
+	}
+	iterator->destroy(iterator);
+}
+
+/**
+ * read in payloads and find the children to delete
+ */
+static void process_payloads(private_child_delete_t *this, message_t *message)
+{
+	enumerator_t *payloads;
+	iterator_t *spis;
+	payload_t *payload;
+	delete_payload_t *delete_payload;
+	u_int32_t *spi;
+	protocol_id_t protocol;
+	child_sa_t *child_sa;
+
+	payloads = message->create_payload_enumerator(message);
+	while (payloads->enumerate(payloads, &payload))
+	{
+		if (payload->get_type(payload) == DELETE)
+		{
+			delete_payload = (delete_payload_t*)payload;
+			protocol = delete_payload->get_protocol_id(delete_payload);
+			if (protocol != PROTO_ESP && protocol != PROTO_AH)
+			{
+				continue;
+			}
+			spis = delete_payload->create_spi_iterator(delete_payload);
+			while (spis->iterate(spis, (void**)&spi))
+			{
+				child_sa = this->ike_sa->get_child_sa(this->ike_sa, protocol,
+													  *spi, FALSE);
+				if (child_sa == NULL)
+				{
+					DBG1(DBG_IKE, "received DELETE for %N CHILD_SA with SPI %.8x, "
+						 "but no such SA", protocol_id_names, protocol, ntohl(*spi));
+					continue;
+				}
+				DBG1(DBG_IKE, "received DELETE for %N CHILD_SA with SPI %.8x",
+						protocol_id_names, protocol, ntohl(*spi));
+
+				switch (child_sa->get_state(child_sa))
+				{
+					case CHILD_REKEYING:
+						this->rekeyed = TRUE;
+						/* we reply as usual, rekeying will fail */
+						break;
+					case CHILD_DELETING:
+						/* we don't send back a delete if we initiated ourself */
+						if (!this->initiator)
+						{
+							this->ike_sa->destroy_child_sa(this->ike_sa,
+														   protocol, *spi);
+							continue;
+						}
+					case CHILD_INSTALLED:
+						if (!this->initiator)
+						{	/* reestablish installed children if required */
+							this->check_delete_action = TRUE;
+						}
+					default:
+						break;
+				}
+
+				this->child_sas->insert_last(this->child_sas, child_sa);
+			}
+			spis->destroy(spis);
+		}
+	}
+	payloads->destroy(payloads);
+}
+
+/**
+ * destroy the children listed in this->child_sas, reestablish by policy
+ */
+static status_t destroy_and_reestablish(private_child_delete_t *this)
+{
+	iterator_t *iterator;
+	child_sa_t *child_sa;
+	child_cfg_t *child_cfg;
+	protocol_id_t protocol;
+	u_int32_t spi;
+	status_t status = SUCCESS;
+
+	iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
+	while (iterator->iterate(iterator, (void**)&child_sa))
+	{
+		/* signal child down event if we are not rekeying */
+		if (!this->rekeyed)
+		{
+			charon->bus->child_updown(charon->bus, child_sa, FALSE);
+		}
+		spi = child_sa->get_spi(child_sa, TRUE);
+		protocol = child_sa->get_protocol(child_sa);
+		child_cfg = child_sa->get_config(child_sa);
+		child_cfg->get_ref(child_cfg);
+		this->ike_sa->destroy_child_sa(this->ike_sa, protocol, spi);
+		if (this->check_delete_action)
+		{	/* enforce child_cfg policy if deleted passively */
+			switch (child_cfg->get_close_action(child_cfg))
+			{
+				case ACTION_RESTART:
+					child_cfg->get_ref(child_cfg);
+					status = this->ike_sa->initiate(this->ike_sa, child_cfg, 0,
+													NULL, NULL);
+					break;
+				case ACTION_ROUTE:
+					charon->traps->install(charon->traps,
+							this->ike_sa->get_peer_cfg(this->ike_sa), child_cfg);
+					break;
+				default:
+					break;
+			}
+		}
+		child_cfg->destroy(child_cfg);
+		if (status != SUCCESS)
+		{
+			break;
+		}
+	}
+	iterator->destroy(iterator);
+	return status;
+}
+
+/**
+ * send closing signals for all CHILD_SAs over the bus
+ */
+static void log_children(private_child_delete_t *this)
+{
+	iterator_t *iterator;
+	child_sa_t *child_sa;
+	u_int64_t bytes_in, bytes_out;
+
+	iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
+	while (iterator->iterate(iterator, (void**)&child_sa))
+	{
+		child_sa->get_usestats(child_sa, TRUE, NULL, &bytes_in);
+		child_sa->get_usestats(child_sa, FALSE, NULL, &bytes_out);
+
+		DBG0(DBG_IKE, "closing CHILD_SA %s{%d} "
+			 "with SPIs %.8x_i (%llu bytes) %.8x_o (%llu bytes) and TS %#R=== %#R",
+			 child_sa->get_name(child_sa), child_sa->get_reqid(child_sa),
+			 ntohl(child_sa->get_spi(child_sa, TRUE)), bytes_in,
+			 ntohl(child_sa->get_spi(child_sa, FALSE)), bytes_out,
+			 child_sa->get_traffic_selectors(child_sa, TRUE),
+			 child_sa->get_traffic_selectors(child_sa, FALSE));
+	}
+	iterator->destroy(iterator);
+}
+
+/**
+ * Implementation of task_t.build for initiator
+ */
+static status_t build_i(private_child_delete_t *this, message_t *message)
+{
+	child_sa_t *child_sa;
+
+	child_sa = this->ike_sa->get_child_sa(this->ike_sa, this->protocol,
+										  this->spi, TRUE);
+	if (!child_sa)
+	{	/* check if it is an outbound sa */
+		child_sa = this->ike_sa->get_child_sa(this->ike_sa, this->protocol,
+											  this->spi, FALSE);
+		if (!child_sa)
+		{	/* child does not exist anymore */
+			return SUCCESS;
+		}
+		/* we work only with the inbound SPI */
+		this->spi = child_sa->get_spi(child_sa, TRUE);
+	}
+	this->child_sas->insert_last(this->child_sas, child_sa);
+	if (child_sa->get_state(child_sa) == CHILD_REKEYING)
+	{
+		this->rekeyed = TRUE;
+	}
+	log_children(this);
+	build_payloads(this, message);
+	return NEED_MORE;
+}
+
+/**
+ * Implementation of task_t.process for initiator
+ */
+static status_t process_i(private_child_delete_t *this, message_t *message)
+{
+	/* flush the list before adding new SAs */
+	this->child_sas->destroy(this->child_sas);
+	this->child_sas = linked_list_create();
+
+	process_payloads(this, message);
+	DBG1(DBG_IKE, "CHILD_SA closed");
+	return destroy_and_reestablish(this);
+}
+
+/**
+ * Implementation of task_t.process for initiator
+ */
+static status_t process_r(private_child_delete_t *this, message_t *message)
+{
+	process_payloads(this, message);
+	log_children(this);
+	return NEED_MORE;
+}
+
+/**
+ * Implementation of task_t.build for responder
+ */
+static status_t build_r(private_child_delete_t *this, message_t *message)
+{
+	/* if we are rekeying, we send an empty informational */
+	if (this->ike_sa->get_state(this->ike_sa) != IKE_REKEYING)
+	{
+		build_payloads(this, message);
+	}
+	DBG1(DBG_IKE, "CHILD_SA closed");
+	return destroy_and_reestablish(this);
+}
+
+/**
+ * Implementation of task_t.get_type
+ */
+static task_type_t get_type(private_child_delete_t *this)
+{
+	return CHILD_DELETE;
+}
+
+/**
+ * Implementation of child_delete_t.get_child
+ */
+static child_sa_t* get_child(private_child_delete_t *this)
+{
+	child_sa_t *child_sa = NULL;
+	this->child_sas->get_first(this->child_sas, (void**)&child_sa);
+	return child_sa;
+}
+
+/**
+ * Implementation of task_t.migrate
+ */
+static void migrate(private_child_delete_t *this, ike_sa_t *ike_sa)
+{
+	this->check_delete_action = FALSE;
+	this->ike_sa = ike_sa;
+
+	this->child_sas->destroy(this->child_sas);
+	this->child_sas = linked_list_create();
+}
+
+/**
+ * Implementation of task_t.destroy
+ */
+static void destroy(private_child_delete_t *this)
+{
+	this->child_sas->destroy(this->child_sas);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+child_delete_t *child_delete_create(ike_sa_t *ike_sa, protocol_id_t protocol,
+									u_int32_t spi)
+{
+	private_child_delete_t *this = malloc_thing(private_child_delete_t);
+
+	this->public.get_child = (child_sa_t*(*)(child_delete_t*))get_child;
+	this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
+	this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
+	this->public.task.destroy = (void(*)(task_t*))destroy;
+
+	this->ike_sa = ike_sa;
+	this->check_delete_action = FALSE;
+	this->child_sas = linked_list_create();
+	this->protocol = protocol;
+	this->spi = spi;
+	this->rekeyed = FALSE;
+
+	if (protocol != PROTO_NONE)
+	{
+		this->public.task.build = (status_t(*)(task_t*,message_t*))build_i;
+		this->public.task.process = (status_t(*)(task_t*,message_t*))process_i;
+		this->initiator = TRUE;
+	}
+	else
+	{
+		this->public.task.build = (status_t(*)(task_t*,message_t*))build_r;
+		this->public.task.process = (status_t(*)(task_t*,message_t*))process_r;
+		this->initiator = FALSE;
+	}
+	return &this->public;
+}
diff --git a/src/libcharon/sa/tasks/child_delete.h b/src/libcharon/sa/tasks/child_delete.h
new file mode 100644
index 000000000..365807c68
--- /dev/null
+++ b/src/libcharon/sa/tasks/child_delete.h
@@ -0,0 +1,60 @@
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup child_delete child_delete
+ * @{ @ingroup tasks
+ */
+
+#ifndef CHILD_DELETE_H_
+#define CHILD_DELETE_H_
+
+typedef struct child_delete_t child_delete_t;
+
+#include <library.h>
+#include <sa/ike_sa.h>
+#include <sa/tasks/task.h>
+#include <sa/child_sa.h>
+
+/**
+ * Task of type child_delete, delete a CHILD_SA.
+ */
+struct child_delete_t {
+
+	/**
+	 * Implements the task_t interface
+	 */
+	task_t task;
+
+	/**
+	 * Get the CHILD_SA to delete by this task.
+	 *
+	 * @return			child_sa
+	 */
+	child_sa_t* (*get_child) (child_delete_t *this);
+};
+
+/**
+ * Create a new child_delete task.
+ *
+ * @param ike_sa		IKE_SA this task works for
+ * @param protocol		protocol of CHILD_SA to delete, PROTO_NONE as responder
+ * @param spi			inbound SPI of CHILD_SA to delete
+ * @return				child_delete task to handle by the task_manager
+ */
+child_delete_t *child_delete_create(ike_sa_t *ike_sa, protocol_id_t protocol,
+									u_int32_t spi);
+
+#endif /** CHILD_DELETE_H_ @}*/
diff --git a/src/libcharon/sa/tasks/child_rekey.c b/src/libcharon/sa/tasks/child_rekey.c
new file mode 100644
index 000000000..b5e4e84b4
--- /dev/null
+++ b/src/libcharon/sa/tasks/child_rekey.c
@@ -0,0 +1,430 @@
+/*
+ * Copyright (C) 2005-2007 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "child_rekey.h"
+
+#include <daemon.h>
+#include <encoding/payloads/notify_payload.h>
+#include <sa/tasks/child_create.h>
+#include <sa/tasks/child_delete.h>
+#include <processing/jobs/rekey_child_sa_job.h>
+#include <processing/jobs/rekey_ike_sa_job.h>
+
+
+typedef struct private_child_rekey_t private_child_rekey_t;
+
+/**
+ * Private members of a child_rekey_t task.
+ */
+struct private_child_rekey_t {
+
+	/**
+	 * Public methods and task_t interface.
+	 */
+	child_rekey_t public;
+
+	/**
+	 * Assigned IKE_SA.
+	 */
+	ike_sa_t *ike_sa;
+
+	/**
+	 * Are we the initiator?
+	 */
+	bool initiator;
+
+	/**
+	 * Protocol of CHILD_SA to rekey
+	 */
+	protocol_id_t protocol;
+
+	/**
+	 * Inbound SPI of CHILD_SA to rekey
+	 */
+	u_int32_t spi;
+
+	/**
+	 * the CHILD_CREATE task which is reused to simplify rekeying
+	 */
+	child_create_t *child_create;
+
+	/**
+	 * the CHILD_DELETE task to delete rekeyed CHILD_SA
+	 */
+	child_delete_t *child_delete;
+
+	/**
+	 * CHILD_SA which gets rekeyed
+	 */
+	child_sa_t *child_sa;
+
+	/**
+	 * colliding task, may be delete or rekey
+	 */
+	task_t *collision;
+};
+
+/**
+ * Implementation of task_t.build for initiator, after rekeying
+ */
+static status_t build_i_delete(private_child_rekey_t *this, message_t *message)
+{
+	/* update exchange type to INFORMATIONAL for the delete */
+	message->set_exchange_type(message, INFORMATIONAL);
+
+	return this->child_delete->task.build(&this->child_delete->task, message);
+}
+
+/**
+ * Implementation of task_t.process for initiator, after rekeying
+ */
+static status_t process_i_delete(private_child_rekey_t *this, message_t *message)
+{
+	return this->child_delete->task.process(&this->child_delete->task, message);
+}
+
+/**
+ * find a child using the REKEY_SA notify
+ */
+static void find_child(private_child_rekey_t *this, message_t *message)
+{
+	notify_payload_t *notify;
+	protocol_id_t protocol;
+	u_int32_t spi;
+
+	notify = message->get_notify(message, REKEY_SA);
+	if (notify)
+	{
+		protocol = notify->get_protocol_id(notify);
+		spi = notify->get_spi(notify);
+
+		if (protocol == PROTO_ESP || protocol == PROTO_AH)
+		{
+			this->child_sa = this->ike_sa->get_child_sa(this->ike_sa, protocol,
+														spi, FALSE);
+		}
+	}
+}
+
+/**
+ * Implementation of task_t.build for initiator
+ */
+static status_t build_i(private_child_rekey_t *this, message_t *message)
+{
+	notify_payload_t *notify;
+	u_int32_t reqid;
+	child_cfg_t *config;
+
+	this->child_sa = this->ike_sa->get_child_sa(this->ike_sa, this->protocol,
+												this->spi, TRUE);
+	if (!this->child_sa)
+	{	/* check if it is an outbound CHILD_SA */
+		this->child_sa = this->ike_sa->get_child_sa(this->ike_sa, this->protocol,
+													this->spi, FALSE);
+		if (!this->child_sa)
+		{	/* CHILD_SA is gone, unable to rekey. As an empty CREATE_CHILD_SA
+			 * exchange is invalid, we fall back to an INFORMATIONAL exchange.*/
+			message->set_exchange_type(message, INFORMATIONAL);
+			return SUCCESS;
+		}
+		/* we work only with the inbound SPI */
+		this->spi = this->child_sa->get_spi(this->child_sa, TRUE);
+	}
+	config = this->child_sa->get_config(this->child_sa);
+
+	/* we just need the rekey notify ... */
+	notify = notify_payload_create_from_protocol_and_type(this->protocol,
+														  REKEY_SA);
+	notify->set_spi(notify, this->spi);
+	message->add_payload(message, (payload_t*)notify);
+
+	/* ... our CHILD_CREATE task does the hard work for us. */
+	if (!this->child_create)
+	{
+		this->child_create = child_create_create(this->ike_sa, config, TRUE,
+												 NULL, NULL);
+	}
+	reqid = this->child_sa->get_reqid(this->child_sa);
+	this->child_create->use_reqid(this->child_create, reqid);
+	this->child_create->task.build(&this->child_create->task, message);
+
+	this->child_sa->set_state(this->child_sa, CHILD_REKEYING);
+
+	return NEED_MORE;
+}
+
+/**
+ * Implementation of task_t.process for initiator
+ */
+static status_t process_r(private_child_rekey_t *this, message_t *message)
+{
+	/* let the CHILD_CREATE task process the message */
+	this->child_create->task.process(&this->child_create->task, message);
+
+	find_child(this, message);
+
+	return NEED_MORE;
+}
+
+/**
+ * Implementation of task_t.build for responder
+ */
+static status_t build_r(private_child_rekey_t *this, message_t *message)
+{
+	u_int32_t reqid;
+
+	if (this->child_sa == NULL ||
+		this->child_sa->get_state(this->child_sa) == CHILD_DELETING)
+	{
+		DBG1(DBG_IKE, "unable to rekey, CHILD_SA not found");
+		message->add_notify(message, TRUE, NO_PROPOSAL_CHOSEN, chunk_empty);
+		return SUCCESS;
+	}
+
+	/* let the CHILD_CREATE task build the response */
+	reqid = this->child_sa->get_reqid(this->child_sa);
+	this->child_create->use_reqid(this->child_create, reqid);
+	this->child_create->task.build(&this->child_create->task, message);
+
+	if (message->get_payload(message, SECURITY_ASSOCIATION) == NULL)
+	{
+		/* rekeying failed, reuse old child */
+		this->child_sa->set_state(this->child_sa, CHILD_INSTALLED);
+		return SUCCESS;
+	}
+
+	this->child_sa->set_state(this->child_sa, CHILD_REKEYING);
+
+	/* invoke rekey hook */
+	charon->bus->child_rekey(charon->bus, this->child_sa,
+							 this->child_create->get_child(this->child_create));
+	return SUCCESS;
+}
+
+/**
+ * Implementation of task_t.process for initiator
+ */
+static status_t process_i(private_child_rekey_t *this, message_t *message)
+{
+	protocol_id_t protocol;
+	u_int32_t spi;
+	child_sa_t *to_delete;
+
+	if (message->get_notify(message, NO_ADDITIONAL_SAS))
+	{
+		DBG1(DBG_IKE, "peer seems to not support CHILD_SA rekeying, "
+			 "starting reauthentication");
+		this->child_sa->set_state(this->child_sa, CHILD_INSTALLED);
+		charon->processor->queue_job(charon->processor,
+				(job_t*)rekey_ike_sa_job_create(
+							this->ike_sa->get_id(this->ike_sa), TRUE));
+		return SUCCESS;
+	}
+
+	if (this->child_create->task.process(&this->child_create->task,
+										 message) == NEED_MORE)
+	{
+		/* bad DH group while rekeying, try again */
+		this->child_create->task.migrate(&this->child_create->task, this->ike_sa);
+		return NEED_MORE;
+	}
+	if (message->get_payload(message, SECURITY_ASSOCIATION) == NULL)
+	{
+		/* establishing new child failed, reuse old. but not when we
+		 * recieved a delete in the meantime */
+		if (!(this->collision &&
+			  this->collision->get_type(this->collision) == CHILD_DELETE))
+		{
+			job_t *job;
+			u_int32_t retry = RETRY_INTERVAL - (random() % RETRY_JITTER);
+
+			job = (job_t*)rekey_child_sa_job_create(
+								this->child_sa->get_reqid(this->child_sa),
+								this->child_sa->get_protocol(this->child_sa),
+								this->child_sa->get_spi(this->child_sa, TRUE));
+			DBG1(DBG_IKE, "CHILD_SA rekeying failed, "
+								"trying again in %d seconds", retry);
+			this->child_sa->set_state(this->child_sa, CHILD_INSTALLED);
+			charon->scheduler->schedule_job(charon->scheduler, job, retry);
+		}
+		return SUCCESS;
+	}
+
+	to_delete = this->child_sa;
+
+	/* check for rekey collisions */
+	if (this->collision &&
+		this->collision->get_type(this->collision) == CHILD_REKEY)
+	{
+		chunk_t this_nonce, other_nonce;
+		private_child_rekey_t *other = (private_child_rekey_t*)this->collision;
+
+		this_nonce = this->child_create->get_lower_nonce(this->child_create);
+		other_nonce = other->child_create->get_lower_nonce(other->child_create);
+
+		/* if we have the lower nonce, delete rekeyed SA. If not, delete
+		 * the redundant. */
+		if (memcmp(this_nonce.ptr, other_nonce.ptr,
+				   min(this_nonce.len, other_nonce.len)) < 0)
+		{
+			DBG1(DBG_IKE, "CHILD_SA rekey collision won, deleting rekeyed child");
+		}
+		else
+		{
+			DBG1(DBG_IKE, "CHILD_SA rekey collision lost, deleting redundant child");
+			to_delete = this->child_create->get_child(this->child_create);
+			if (to_delete == NULL)
+			{
+				/* ooops, should not happen, fallback */
+				to_delete = this->child_sa;
+			}
+		}
+	}
+
+	if (to_delete != this->child_create->get_child(this->child_create))
+	{	/* invoke rekey hook if rekeying successful */
+		charon->bus->child_rekey(charon->bus, this->child_sa,
+							this->child_create->get_child(this->child_create));
+	}
+
+	spi = to_delete->get_spi(to_delete, TRUE);
+	protocol = to_delete->get_protocol(to_delete);
+
+	/* rekeying done, delete the obsolete CHILD_SA using a subtask */
+	this->child_delete = child_delete_create(this->ike_sa, protocol, spi);
+	this->public.task.build = (status_t(*)(task_t*,message_t*))build_i_delete;
+	this->public.task.process = (status_t(*)(task_t*,message_t*))process_i_delete;
+
+	return NEED_MORE;
+}
+
+/**
+ * Implementation of task_t.get_type
+ */
+static task_type_t get_type(private_child_rekey_t *this)
+{
+	return CHILD_REKEY;
+}
+
+/**
+ * Implementation of child_rekey_t.collide
+ */
+static void collide(private_child_rekey_t *this, task_t *other)
+{
+	/* the task manager only detects exchange collision, but not if
+	 * the collision is for the same child. we check it here. */
+	if (other->get_type(other) == CHILD_REKEY)
+	{
+		private_child_rekey_t *rekey = (private_child_rekey_t*)other;
+		if (rekey == NULL || rekey->child_sa != this->child_sa)
+		{
+			/* not the same child => no collision */
+			other->destroy(other);
+			return;
+		}
+	}
+	else if (other->get_type(other) == CHILD_DELETE)
+	{
+		child_delete_t *del = (child_delete_t*)other;
+		if (del == NULL || del->get_child(del) != this->child_sa)
+		{
+			/* not the same child => no collision */
+			other->destroy(other);
+			return;
+		}
+	}
+	else
+	{
+		/* any other task is not critical for collisisions, ignore */
+		other->destroy(other);
+		return;
+	}
+	DESTROY_IF(this->collision);
+	this->collision = other;
+}
+
+/**
+ * Implementation of task_t.migrate
+ */
+static void migrate(private_child_rekey_t *this, ike_sa_t *ike_sa)
+{
+	if (this->child_create)
+	{
+		this->child_create->task.migrate(&this->child_create->task, ike_sa);
+	}
+	if (this->child_delete)
+	{
+		this->child_delete->task.migrate(&this->child_delete->task, ike_sa);
+	}
+	DESTROY_IF(this->collision);
+
+	this->ike_sa = ike_sa;
+	this->collision = NULL;
+}
+
+/**
+ * Implementation of task_t.destroy
+ */
+static void destroy(private_child_rekey_t *this)
+{
+	if (this->child_create)
+	{
+		this->child_create->task.destroy(&this->child_create->task);
+	}
+	if (this->child_delete)
+	{
+		this->child_delete->task.destroy(&this->child_delete->task);
+	}
+	DESTROY_IF(this->collision);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+child_rekey_t *child_rekey_create(ike_sa_t *ike_sa, protocol_id_t protocol,
+								  u_int32_t spi)
+{
+	private_child_rekey_t *this = malloc_thing(private_child_rekey_t);
+
+	this->public.collide = (void (*)(child_rekey_t*,task_t*))collide;
+	this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
+	this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
+	this->public.task.destroy = (void(*)(task_t*))destroy;
+	if (protocol != PROTO_NONE)
+	{
+		this->public.task.build = (status_t(*)(task_t*,message_t*))build_i;
+		this->public.task.process = (status_t(*)(task_t*,message_t*))process_i;
+		this->initiator = TRUE;
+		this->child_create = NULL;
+	}
+	else
+	{
+		this->public.task.build = (status_t(*)(task_t*,message_t*))build_r;
+		this->public.task.process = (status_t(*)(task_t*,message_t*))process_r;
+		this->initiator = FALSE;
+		this->child_create = child_create_create(ike_sa, NULL, TRUE, NULL, NULL);
+	}
+
+	this->ike_sa = ike_sa;
+	this->child_sa = NULL;
+	this->protocol = protocol;
+	this->spi = spi;
+	this->collision = NULL;
+	this->child_delete = NULL;
+
+	return &this->public;
+}
diff --git a/src/libcharon/sa/tasks/child_rekey.h b/src/libcharon/sa/tasks/child_rekey.h
new file mode 100644
index 000000000..9b1aea5fa
--- /dev/null
+++ b/src/libcharon/sa/tasks/child_rekey.h
@@ -0,0 +1,64 @@
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup child_rekey child_rekey
+ * @{ @ingroup tasks
+ */
+
+#ifndef CHILD_REKEY_H_
+#define CHILD_REKEY_H_
+
+typedef struct child_rekey_t child_rekey_t;
+
+#include <library.h>
+#include <sa/ike_sa.h>
+#include <sa/child_sa.h>
+#include <sa/tasks/task.h>
+
+/**
+ * Task of type CHILD_REKEY, rekey an established CHILD_SA.
+ */
+struct child_rekey_t {
+
+	/**
+	 * Implements the task_t interface
+	 */
+	task_t task;
+
+	/**
+	 * Register a rekeying task which collides with this one
+	 *
+	 * If two peers initiate rekeying at the same time, the collision must
+	 * be handled gracefully. The task manager is aware of what exchanges
+	 * are going on and notifies the outgoing task by passing the incoming.
+	 *
+	 * @param other		incoming task
+	 */
+	void (*collide)(child_rekey_t* this, task_t *other);
+};
+
+/**
+ * Create a new CHILD_REKEY task.
+ *
+ * @param ike_sa		IKE_SA this task works for
+ * @param protocol		protocol of CHILD_SA to rekey, PROTO_NONE as responder
+ * @param spi			inbound SPI of CHILD_SA to rekey
+ * @return				child_rekey task to handle by the task_manager
+ */
+child_rekey_t *child_rekey_create(ike_sa_t *ike_sa, protocol_id_t protocol,
+								  u_int32_t spi);
+
+#endif /** CHILD_REKEY_H_ @}*/
diff --git a/src/libcharon/sa/tasks/ike_auth.c b/src/libcharon/sa/tasks/ike_auth.c
new file mode 100644
index 000000000..a07f96767
--- /dev/null
+++ b/src/libcharon/sa/tasks/ike_auth.c
@@ -0,0 +1,1041 @@
+/*
+ * Copyright (C) 2005-2009 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details
+ */
+
+#include "ike_auth.h"
+
+#include <string.h>
+
+#include <daemon.h>
+#include <encoding/payloads/id_payload.h>
+#include <encoding/payloads/auth_payload.h>
+#include <encoding/payloads/eap_payload.h>
+#include <encoding/payloads/nonce_payload.h>
+#include <sa/authenticators/eap_authenticator.h>
+
+typedef struct private_ike_auth_t private_ike_auth_t;
+
+/**
+ * Private members of a ike_auth_t task.
+ */
+struct private_ike_auth_t {
+
+	/**
+	 * Public methods and task_t interface.
+	 */
+	ike_auth_t public;
+
+	/**
+	 * Assigned IKE_SA.
+	 */
+	ike_sa_t *ike_sa;
+
+	/**
+	 * Are we the initiator?
+	 */
+	bool initiator;
+
+	/**
+	 * Nonce chosen by us in ike_init
+	 */
+	chunk_t my_nonce;
+
+	/**
+	 * Nonce chosen by peer in ike_init
+	 */
+	chunk_t other_nonce;
+
+	/**
+	 * IKE_SA_INIT message sent by us
+	 */
+	packet_t *my_packet;
+
+	/**
+	 * IKE_SA_INIT message sent by peer
+	 */
+	packet_t *other_packet;
+
+	/**
+	 * currently active authenticator, to authenticate us
+	 */
+	authenticator_t *my_auth;
+
+	/**
+	 * currently active authenticator, to authenticate peer
+	 */
+	authenticator_t *other_auth;
+
+	/**
+	 * peer_cfg candidates, ordered by priority
+	 */
+	linked_list_t *candidates;
+
+	/**
+	 * selected peer config (might change when using multiple authentications)
+	 */
+	peer_cfg_t *peer_cfg;
+
+	/**
+	 * have we planned an(other) authentication exchange?
+	 */
+	bool do_another_auth;
+
+	/**
+	 * has the peer announced another authentication exchange?
+	 */
+	bool expect_another_auth;
+
+	/**
+	 * should we send a AUTHENTICATION_FAILED notify?
+	 */
+	bool authentication_failed;
+};
+
+/**
+ * check if multiple authentication extension is enabled, configuration-wise
+ */
+static bool multiple_auth_enabled()
+{
+	return lib->settings->get_bool(lib->settings,
+								   "charon.multiple_authentication", TRUE);
+}
+
+/**
+ * collect the needed information in the IKE_SA_INIT exchange from our message
+ */
+static status_t collect_my_init_data(private_ike_auth_t *this,
+									 message_t *message)
+{
+	nonce_payload_t *nonce;
+
+	/* get the nonce that was generated in ike_init */
+	nonce = (nonce_payload_t*)message->get_payload(message, NONCE);
+	if (nonce == NULL)
+	{
+		return FAILED;
+	}
+	this->my_nonce = nonce->get_nonce(nonce);
+
+	/* pre-generate the message, keep a copy */
+	if (this->ike_sa->generate_message(this->ike_sa, message,
+									   &this->my_packet) != SUCCESS)
+	{
+		return FAILED;
+	}
+	return NEED_MORE;
+}
+
+/**
+ * collect the needed information in the IKE_SA_INIT exchange from others message
+ */
+static status_t collect_other_init_data(private_ike_auth_t *this,
+										message_t *message)
+{
+	/* we collect the needed information in the IKE_SA_INIT exchange */
+	nonce_payload_t *nonce;
+
+	/* get the nonce that was generated in ike_init */
+	nonce = (nonce_payload_t*)message->get_payload(message, NONCE);
+	if (nonce == NULL)
+	{
+		return FAILED;
+	}
+	this->other_nonce = nonce->get_nonce(nonce);
+
+	/* keep a copy of the received packet */
+	this->other_packet = message->get_packet(message);
+	return NEED_MORE;
+}
+
+/**
+ * Get the next authentication configuration
+ */
+static auth_cfg_t *get_auth_cfg(private_ike_auth_t *this, bool local)
+{
+	enumerator_t *e1, *e2;
+	auth_cfg_t *c1, *c2, *next = NULL;
+
+	/* find an available config not already done */
+	e1 = this->peer_cfg->create_auth_cfg_enumerator(this->peer_cfg, local);
+	while (e1->enumerate(e1, &c1))
+	{
+		bool found = FALSE;
+
+		e2 = this->ike_sa->create_auth_cfg_enumerator(this->ike_sa, local);
+		while (e2->enumerate(e2, &c2))
+		{
+			if (c2->complies(c2, c1, FALSE))
+			{
+				found = TRUE;
+				break;
+			}
+		}
+		e2->destroy(e2);
+		if (!found)
+		{
+			next = c1;
+			break;
+		}
+	}
+	e1->destroy(e1);
+	return next;
+}
+
+/**
+ * Check if we have should initiate another authentication round
+ */
+static bool do_another_auth(private_ike_auth_t *this)
+{
+	bool do_another = FALSE;
+	enumerator_t *done, *todo;
+	auth_cfg_t *done_cfg, *todo_cfg;
+
+	if (!this->ike_sa->supports_extension(this->ike_sa, EXT_MULTIPLE_AUTH))
+	{
+		return FALSE;
+	}
+
+	done = this->ike_sa->create_auth_cfg_enumerator(this->ike_sa, TRUE);
+	todo = this->peer_cfg->create_auth_cfg_enumerator(this->peer_cfg, TRUE);
+	while (todo->enumerate(todo, &todo_cfg))
+	{
+		if (!done->enumerate(done, &done_cfg))
+		{
+			done_cfg = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
+		}
+		if (!done_cfg->complies(done_cfg, todo_cfg, FALSE))
+		{
+			do_another = TRUE;
+			break;
+		}
+	}
+	done->destroy(done);
+	todo->destroy(todo);
+	return do_another;
+}
+
+/**
+ * Get peer configuration candidates from backends
+ */
+static bool load_cfg_candidates(private_ike_auth_t *this)
+{
+	enumerator_t *enumerator;
+	peer_cfg_t *peer_cfg;
+	host_t *me, *other;
+	identification_t *my_id, *other_id;
+
+	me = this->ike_sa->get_my_host(this->ike_sa);
+	other = this->ike_sa->get_other_host(this->ike_sa);
+	my_id = this->ike_sa->get_my_id(this->ike_sa);
+	other_id = this->ike_sa->get_other_id(this->ike_sa);
+
+	enumerator = charon->backends->create_peer_cfg_enumerator(charon->backends,
+													me, other, my_id, other_id);
+	while (enumerator->enumerate(enumerator, &peer_cfg))
+	{
+		peer_cfg->get_ref(peer_cfg);
+		if (this->peer_cfg == NULL)
+		{	/* best match */
+			this->peer_cfg = peer_cfg;
+			this->ike_sa->set_peer_cfg(this->ike_sa, peer_cfg);
+		}
+		else
+		{
+			this->candidates->insert_last(this->candidates, peer_cfg);
+		}
+	}
+	enumerator->destroy(enumerator);
+	if (this->peer_cfg)
+	{
+		DBG1(DBG_CFG, "selected peer config '%s'",
+			 this->peer_cfg->get_name(this->peer_cfg));
+		return TRUE;
+	}
+	DBG1(DBG_CFG, "no matching peer config found");
+	return FALSE;
+}
+
+/**
+ * update the current peer candidate if necessary, using candidates
+ */
+static bool update_cfg_candidates(private_ike_auth_t *this, bool strict)
+{
+	do
+	{
+		if (this->peer_cfg)
+		{
+			bool complies = TRUE;
+			enumerator_t *e1, *e2, *tmp;
+			auth_cfg_t *c1, *c2;
+
+			e1 = this->ike_sa->create_auth_cfg_enumerator(this->ike_sa, FALSE);
+			e2 = this->peer_cfg->create_auth_cfg_enumerator(this->peer_cfg, FALSE);
+
+			if (strict)
+			{	/* swap lists in strict mode: all configured rounds must be
+				 * fulfilled. If !strict, we check only the rounds done so far. */
+				tmp = e1;
+				e1 = e2;
+				e2 = tmp;
+			}
+			while (e1->enumerate(e1, &c1))
+			{
+				/* check if done authentications comply to configured ones */
+				if ((!e2->enumerate(e2, &c2)) ||
+					(!strict && !c1->complies(c1, c2, TRUE)) ||
+					(strict && !c2->complies(c2, c1, TRUE)))
+				{
+					complies = FALSE;
+					break;
+				}
+			}
+			e1->destroy(e1);
+			e2->destroy(e2);
+			if (complies)
+			{
+				break;
+			}
+			DBG1(DBG_CFG, "selected peer config '%s' inacceptable",
+				 this->peer_cfg->get_name(this->peer_cfg));
+			this->peer_cfg->destroy(this->peer_cfg);
+		}
+		if (this->candidates->remove_first(this->candidates,
+										(void**)&this->peer_cfg) != SUCCESS)
+		{
+			DBG1(DBG_CFG, "no alternative config found");
+			this->peer_cfg = NULL;
+		}
+		else
+		{
+			DBG1(DBG_CFG, "switching to peer config '%s'",
+				 this->peer_cfg->get_name(this->peer_cfg));
+			this->ike_sa->set_peer_cfg(this->ike_sa, this->peer_cfg);
+		}
+	}
+	while (this->peer_cfg);
+
+	return this->peer_cfg != NULL;
+}
+
+/**
+ * Implementation of task_t.build for initiator
+ */
+static status_t build_i(private_ike_auth_t *this, message_t *message)
+{
+	auth_cfg_t *cfg;
+
+	if (message->get_exchange_type(message) == IKE_SA_INIT)
+	{
+		return collect_my_init_data(this, message);
+	}
+
+	if (this->peer_cfg == NULL)
+	{
+		this->peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
+		this->peer_cfg->get_ref(this->peer_cfg);
+	}
+
+	if (message->get_message_id(message) == 1)
+	{	/* in the first IKE_AUTH ... */
+		if (this->ike_sa->supports_extension(this->ike_sa, EXT_MULTIPLE_AUTH))
+		{	/* indicate support for multiple authentication */
+			message->add_notify(message, FALSE, MULTIPLE_AUTH_SUPPORTED,
+								chunk_empty);
+		}
+		/* indicate support for EAP-only authentication */
+		message->add_notify(message, FALSE, EAP_ONLY_AUTHENTICATION,
+							chunk_empty);
+	}
+
+	if (!this->do_another_auth && !this->my_auth)
+	{	/* we have done our rounds */
+		return NEED_MORE;
+	}
+
+	/* check if an authenticator is in progress */
+	if (this->my_auth == NULL)
+	{
+		identification_t *id;
+		id_payload_t *id_payload;
+
+		/* clean up authentication config from a previous round */
+		cfg = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
+		cfg->purge(cfg, TRUE);
+
+		/* add (optional) IDr */
+		cfg = get_auth_cfg(this, FALSE);
+		if (cfg)
+		{
+			id = cfg->get(cfg, AUTH_RULE_IDENTITY);
+			if (id && !id->contains_wildcards(id))
+			{
+				this->ike_sa->set_other_id(this->ike_sa, id->clone(id));
+				id_payload = id_payload_create_from_identification(
+															ID_RESPONDER, id);
+				message->add_payload(message, (payload_t*)id_payload);
+			}
+		}
+		/* add IDi */
+		cfg = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
+		cfg->merge(cfg, get_auth_cfg(this, TRUE), TRUE);
+		id = cfg->get(cfg, AUTH_RULE_IDENTITY);
+		if (!id)
+		{
+			DBG1(DBG_CFG, "configuration misses IDi");
+			return FAILED;
+		}
+		this->ike_sa->set_my_id(this->ike_sa, id->clone(id));
+		id_payload = id_payload_create_from_identification(ID_INITIATOR, id);
+		message->add_payload(message, (payload_t*)id_payload);
+
+		/* build authentication data */
+		this->my_auth = authenticator_create_builder(this->ike_sa, cfg,
+							this->other_nonce, this->my_nonce,
+							this->other_packet->get_data(this->other_packet),
+							this->my_packet->get_data(this->my_packet));
+		if (!this->my_auth)
+		{
+			return FAILED;
+		}
+	}
+	switch (this->my_auth->build(this->my_auth, message))
+	{
+		case SUCCESS:
+			/* authentication step complete, reset authenticator */
+			cfg = auth_cfg_create();
+			cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, TRUE), TRUE);
+			this->ike_sa->add_auth_cfg(this->ike_sa, TRUE, cfg);
+			this->my_auth->destroy(this->my_auth);
+			this->my_auth = NULL;
+			break;
+		case NEED_MORE:
+			break;
+		default:
+			return FAILED;
+	}
+
+	/* check for additional authentication rounds */
+	if (do_another_auth(this))
+	{
+		if (message->get_payload(message, AUTHENTICATION))
+		{
+			message->add_notify(message, FALSE, ANOTHER_AUTH_FOLLOWS, chunk_empty);
+		}
+	}
+	else
+	{
+		this->do_another_auth = FALSE;
+	}
+	return NEED_MORE;
+}
+
+/**
+ * Implementation of task_t.process for responder
+ */
+static status_t process_r(private_ike_auth_t *this, message_t *message)
+{
+	auth_cfg_t *cfg, *cand;
+	id_payload_t *id_payload;
+	identification_t *id;
+
+	if (message->get_exchange_type(message) == IKE_SA_INIT)
+	{
+		return collect_other_init_data(this, message);
+	}
+
+	if (this->my_auth == NULL && this->do_another_auth)
+	{
+		/* handle (optional) IDr payload, apply proposed identity */
+		id_payload = (id_payload_t*)message->get_payload(message, ID_RESPONDER);
+		if (id_payload)
+		{
+			id = id_payload->get_identification(id_payload);
+		}
+		else
+		{
+			id = identification_create_from_encoding(ID_ANY, chunk_empty);
+		}
+		this->ike_sa->set_my_id(this->ike_sa, id);
+	}
+
+	if (!this->expect_another_auth)
+	{
+		return NEED_MORE;
+	}
+
+	if (message->get_message_id(message) == 1)
+	{	/* check for extensions in the first IKE_AUTH */
+		if (message->get_notify(message, MULTIPLE_AUTH_SUPPORTED))
+		{
+			this->ike_sa->enable_extension(this->ike_sa, EXT_MULTIPLE_AUTH);
+		}
+		if (this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN) &&
+			message->get_notify(message, EAP_ONLY_AUTHENTICATION))
+		{	/* EAP-only has no official notify, accept only from strongSwan */
+			this->ike_sa->enable_extension(this->ike_sa,
+										   EXT_EAP_ONLY_AUTHENTICATION);
+		}
+	}
+
+	if (this->other_auth == NULL)
+	{
+		/* handle IDi payload */
+		id_payload = (id_payload_t*)message->get_payload(message, ID_INITIATOR);
+		if (!id_payload)
+		{
+			DBG1(DBG_IKE, "IDi payload missing");
+			return FAILED;
+		}
+		id = id_payload->get_identification(id_payload);
+		this->ike_sa->set_other_id(this->ike_sa, id);
+		cfg = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
+		cfg->add(cfg, AUTH_RULE_IDENTITY, id->clone(id));
+
+		if (this->peer_cfg == NULL)
+		{
+			if (!load_cfg_candidates(this))
+			{
+				this->authentication_failed = TRUE;
+				return NEED_MORE;
+			}
+		}
+		if (message->get_payload(message, AUTHENTICATION) == NULL)
+		{	/* before authenticating with EAP, we need a EAP config */
+			cand = get_auth_cfg(this, FALSE);
+			while (!cand || (
+					(uintptr_t)cand->get(cand, AUTH_RULE_EAP_TYPE) == EAP_NAK &&
+					(uintptr_t)cand->get(cand, AUTH_RULE_EAP_VENDOR) == 0))
+			{	/* peer requested EAP, but current config does not match */
+				this->peer_cfg->destroy(this->peer_cfg);
+				this->peer_cfg = NULL;
+				if (!update_cfg_candidates(this, FALSE))
+				{
+					this->authentication_failed = TRUE;
+					return NEED_MORE;
+				}
+				cand = get_auth_cfg(this, FALSE);
+			}
+			cfg->merge(cfg, cand, TRUE);
+		}
+
+		/* verify authentication data */
+		this->other_auth = authenticator_create_verifier(this->ike_sa,
+							message, this->other_nonce, this->my_nonce,
+							this->other_packet->get_data(this->other_packet),
+							this->my_packet->get_data(this->my_packet));
+		if (!this->other_auth)
+		{
+			this->authentication_failed = TRUE;
+			return NEED_MORE;
+		}
+	}
+	switch (this->other_auth->process(this->other_auth, message))
+	{
+		case SUCCESS:
+			this->other_auth->destroy(this->other_auth);
+			this->other_auth = NULL;
+			break;
+		case NEED_MORE:
+			if (message->get_payload(message, AUTHENTICATION))
+			{	/* AUTH verification successful, but another build() needed */
+				break;
+			}
+			return NEED_MORE;
+		default:
+			this->authentication_failed = TRUE;
+			return NEED_MORE;
+	}
+
+	/* store authentication information */
+	cfg = auth_cfg_create();
+	cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, FALSE), FALSE);
+	this->ike_sa->add_auth_cfg(this->ike_sa, FALSE, cfg);
+
+	/* another auth round done, invoke authorize hook */
+	if (!charon->bus->authorize(charon->bus, FALSE))
+	{
+		DBG1(DBG_IKE, "authorization hook forbids IKE_SA, cancelling");
+		this->authentication_failed = TRUE;
+		return NEED_MORE;
+	}
+
+	if (!update_cfg_candidates(this, FALSE))
+	{
+		this->authentication_failed = TRUE;
+		return NEED_MORE;
+	}
+
+	if (message->get_notify(message, ANOTHER_AUTH_FOLLOWS) == NULL)
+	{
+		this->expect_another_auth = FALSE;
+		if (!update_cfg_candidates(this, TRUE))
+		{
+			this->authentication_failed = TRUE;
+			return NEED_MORE;
+		}
+	}
+	return NEED_MORE;
+}
+
+/**
+ * Implementation of task_t.build for responder
+ */
+static status_t build_r(private_ike_auth_t *this, message_t *message)
+{
+	auth_cfg_t *cfg;
+
+	if (message->get_exchange_type(message) == IKE_SA_INIT)
+	{
+		if (multiple_auth_enabled())
+		{
+			message->add_notify(message, FALSE, MULTIPLE_AUTH_SUPPORTED,
+								chunk_empty);
+		}
+		return collect_my_init_data(this, message);
+	}
+
+	if (this->authentication_failed || this->peer_cfg == NULL)
+	{
+		message->add_notify(message, TRUE, AUTHENTICATION_FAILED, chunk_empty);
+		return FAILED;
+	}
+
+	if (this->my_auth == NULL && this->do_another_auth)
+	{
+		identification_t *id, *id_cfg;
+		id_payload_t *id_payload;
+
+		/* add IDr */
+		cfg = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
+		cfg->purge(cfg, TRUE);
+		cfg->merge(cfg, get_auth_cfg(this, TRUE), TRUE);
+
+		id_cfg = cfg->get(cfg, AUTH_RULE_IDENTITY);
+		id = this->ike_sa->get_my_id(this->ike_sa);
+		if (id->get_type(id) == ID_ANY)
+		{	/* no IDr received, apply configured ID */
+			if (!id_cfg || id_cfg->contains_wildcards(id_cfg))
+			{
+				DBG1(DBG_CFG, "IDr not configured and negotiation failed");
+				message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
+									chunk_empty);
+				return FAILED;
+			}
+			this->ike_sa->set_my_id(this->ike_sa, id_cfg->clone(id_cfg));
+			id = id_cfg;
+		}
+		else
+		{	/* IDr received, check if it matches configuration */
+			if (id_cfg && !id->matches(id, id_cfg))
+			{
+				DBG1(DBG_CFG, "received IDr %Y, but require %Y", id, id_cfg);
+				message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
+									chunk_empty);
+				return FAILED;
+			}
+		}
+
+		id_payload = id_payload_create_from_identification(ID_RESPONDER, id);
+		message->add_payload(message, (payload_t*)id_payload);
+
+		if ((uintptr_t)cfg->get(cfg, AUTH_RULE_AUTH_CLASS) == AUTH_CLASS_EAP)
+		{	/* EAP-only authentication */
+			if (!this->ike_sa->supports_extension(this->ike_sa,
+												  EXT_EAP_ONLY_AUTHENTICATION))
+			{
+				DBG1(DBG_IKE, "configured EAP-only authentication, but peer "
+					 "does not support it");
+				message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
+									chunk_empty);
+				return FAILED;
+			}
+		}
+		else
+		{
+			/* build authentication data */
+			this->my_auth = authenticator_create_builder(this->ike_sa, cfg,
+								this->other_nonce, this->my_nonce,
+								this->other_packet->get_data(this->other_packet),
+								this->my_packet->get_data(this->my_packet));
+			if (!this->my_auth)
+			{
+				message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
+									chunk_empty);
+				return FAILED;
+			}
+		}
+	}
+
+	if (this->other_auth)
+	{
+		switch (this->other_auth->build(this->other_auth, message))
+		{
+			case SUCCESS:
+				this->other_auth->destroy(this->other_auth);
+				this->other_auth = NULL;
+				break;
+			case NEED_MORE:
+				break;
+			default:
+				if (!message->get_payload(message, EXTENSIBLE_AUTHENTICATION))
+				{	/* skip AUTHENTICATION_FAILED if we have EAP_FAILURE */
+					message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
+										chunk_empty);
+				}
+				return FAILED;
+		}
+	}
+	if (this->my_auth)
+	{
+		switch (this->my_auth->build(this->my_auth, message))
+		{
+			case SUCCESS:
+				cfg = auth_cfg_create();
+				cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, TRUE),
+						   TRUE);
+				this->ike_sa->add_auth_cfg(this->ike_sa, TRUE, cfg);
+				this->my_auth->destroy(this->my_auth);
+				this->my_auth = NULL;
+				break;
+			case NEED_MORE:
+				break;
+			default:
+				message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
+									chunk_empty);
+				return FAILED;
+		}
+	}
+
+	/* check for additional authentication rounds */
+	if (do_another_auth(this))
+	{
+		message->add_notify(message, FALSE, ANOTHER_AUTH_FOLLOWS, chunk_empty);
+	}
+	else
+	{
+		this->do_another_auth = FALSE;
+	}
+	if (!this->do_another_auth && !this->expect_another_auth)
+	{
+		if (charon->ike_sa_manager->check_uniqueness(charon->ike_sa_manager,
+													 this->ike_sa))
+		{
+			DBG1(DBG_IKE, "cancelling IKE_SA setup due uniqueness policy");
+			message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
+								chunk_empty);
+			return FAILED;
+		}
+		if (!charon->bus->authorize(charon->bus, TRUE))
+		{
+			DBG1(DBG_IKE, "final authorization hook forbids IKE_SA, cancelling");
+			message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
+								chunk_empty);
+			return FAILED;
+		}
+		DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
+			 this->ike_sa->get_name(this->ike_sa),
+			 this->ike_sa->get_unique_id(this->ike_sa),
+			 this->ike_sa->get_my_host(this->ike_sa),
+			 this->ike_sa->get_my_id(this->ike_sa),
+			 this->ike_sa->get_other_host(this->ike_sa),
+			 this->ike_sa->get_other_id(this->ike_sa));
+		this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
+		charon->bus->ike_updown(charon->bus, this->ike_sa, TRUE);
+		return SUCCESS;
+	}
+	return NEED_MORE;
+}
+
+/**
+ * Implementation of task_t.process for initiator
+ */
+static status_t process_i(private_ike_auth_t *this, message_t *message)
+{
+	enumerator_t *enumerator;
+	payload_t *payload;
+	auth_cfg_t *cfg;
+	bool mutual_eap = FALSE;
+
+	if (message->get_exchange_type(message) == IKE_SA_INIT)
+	{
+		if (message->get_notify(message, MULTIPLE_AUTH_SUPPORTED) &&
+			multiple_auth_enabled())
+		{
+			this->ike_sa->enable_extension(this->ike_sa, EXT_MULTIPLE_AUTH);
+		}
+		return collect_other_init_data(this, message);
+	}
+
+	enumerator = message->create_payload_enumerator(message);
+	while (enumerator->enumerate(enumerator, &payload))
+	{
+		if (payload->get_type(payload) == NOTIFY)
+		{
+			notify_payload_t *notify = (notify_payload_t*)payload;
+			notify_type_t type = notify->get_notify_type(notify);
+
+			switch (type)
+			{
+				case NO_PROPOSAL_CHOSEN:
+				case SINGLE_PAIR_REQUIRED:
+				case NO_ADDITIONAL_SAS:
+				case INTERNAL_ADDRESS_FAILURE:
+				case FAILED_CP_REQUIRED:
+				case TS_UNACCEPTABLE:
+				case INVALID_SELECTORS:
+					/* these are errors, but are not critical as only the
+					 * CHILD_SA won't get build, but IKE_SA establishes anyway */
+					break;
+				case MOBIKE_SUPPORTED:
+				case ADDITIONAL_IP4_ADDRESS:
+				case ADDITIONAL_IP6_ADDRESS:
+					/* handled in ike_mobike task */
+					break;
+				case AUTH_LIFETIME:
+					/* handled in ike_auth_lifetime task */
+					break;
+				case ME_ENDPOINT:
+					/* handled in ike_me task */
+					break;
+				default:
+				{
+					if (type < 16383)
+					{
+						DBG1(DBG_IKE, "received %N notify error",
+							 notify_type_names, type);
+						enumerator->destroy(enumerator);
+						return FAILED;
+					}
+					DBG2(DBG_IKE, "received %N notify",
+						notify_type_names, type);
+					break;
+				}
+			}
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	if (this->expect_another_auth)
+	{
+		if (this->other_auth == NULL)
+		{
+			id_payload_t *id_payload;
+			identification_t *id;
+
+			/* handle IDr payload */
+			id_payload = (id_payload_t*)message->get_payload(message,
+															 ID_RESPONDER);
+			if (!id_payload)
+			{
+				DBG1(DBG_IKE, "IDr payload missing");
+				return FAILED;
+			}
+			id = id_payload->get_identification(id_payload);
+			this->ike_sa->set_other_id(this->ike_sa, id);
+			cfg = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
+			cfg->add(cfg, AUTH_RULE_IDENTITY, id->clone(id));
+
+			if (message->get_payload(message, AUTHENTICATION))
+			{
+				/* verify authentication data */
+				this->other_auth = authenticator_create_verifier(this->ike_sa,
+								message, this->other_nonce, this->my_nonce,
+								this->other_packet->get_data(this->other_packet),
+								this->my_packet->get_data(this->my_packet));
+				if (!this->other_auth)
+				{
+					return FAILED;
+				}
+			}
+			else
+			{
+				/* responder omitted AUTH payload, indicating EAP-only */
+				mutual_eap = TRUE;
+			}
+		}
+		if (this->other_auth)
+		{
+			switch (this->other_auth->process(this->other_auth, message))
+			{
+				case SUCCESS:
+					break;
+				case NEED_MORE:
+					return NEED_MORE;
+				default:
+					return FAILED;
+			}
+			this->other_auth->destroy(this->other_auth);
+			this->other_auth = NULL;
+		}
+		/* store authentication information, reset authenticator */
+		cfg = auth_cfg_create();
+		cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, FALSE), FALSE);
+		this->ike_sa->add_auth_cfg(this->ike_sa, FALSE, cfg);
+
+		/* another auth round done, invoke authorize hook */
+		if (!charon->bus->authorize(charon->bus, FALSE))
+		{
+			DBG1(DBG_IKE, "authorization forbids IKE_SA, cancelling");
+			return FAILED;
+		}
+	}
+
+	if (this->my_auth)
+	{
+		switch (this->my_auth->process(this->my_auth, message))
+		{
+			case SUCCESS:
+				cfg = auth_cfg_create();
+				cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, TRUE),
+						   TRUE);
+				this->ike_sa->add_auth_cfg(this->ike_sa, TRUE, cfg);
+				this->my_auth->destroy(this->my_auth);
+				this->my_auth = NULL;
+				this->do_another_auth = do_another_auth(this);
+				break;
+			case NEED_MORE:
+				break;
+			default:
+				return FAILED;
+		}
+	}
+	if (mutual_eap)
+	{
+		if (!this->my_auth || !this->my_auth->is_mutual(this->my_auth))
+		{
+			DBG1(DBG_IKE, "do not allow non-mutual EAP-only authentication");
+			return FAILED;
+		}
+		DBG1(DBG_IKE, "allow mutual EAP-only authentication");
+	}
+
+	if (message->get_notify(message, ANOTHER_AUTH_FOLLOWS) == NULL)
+	{
+		this->expect_another_auth = FALSE;
+	}
+	if (!this->expect_another_auth && !this->do_another_auth && !this->my_auth)
+	{
+		if (!update_cfg_candidates(this, TRUE))
+		{
+			return FAILED;
+		}
+		if (!charon->bus->authorize(charon->bus, TRUE))
+		{
+			DBG1(DBG_IKE, "final authorization hook forbids IKE_SA, cancelling");
+			return FAILED;
+		}
+		DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
+			 this->ike_sa->get_name(this->ike_sa),
+			 this->ike_sa->get_unique_id(this->ike_sa),
+			 this->ike_sa->get_my_host(this->ike_sa),
+			 this->ike_sa->get_my_id(this->ike_sa),
+			 this->ike_sa->get_other_host(this->ike_sa),
+			 this->ike_sa->get_other_id(this->ike_sa));
+		this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
+		charon->bus->ike_updown(charon->bus, this->ike_sa, TRUE);
+		return SUCCESS;
+	}
+	return NEED_MORE;
+}
+
+/**
+ * Implementation of task_t.get_type
+ */
+static task_type_t get_type(private_ike_auth_t *this)
+{
+	return IKE_AUTHENTICATE;
+}
+
+/**
+ * Implementation of task_t.migrate
+ */
+static void migrate(private_ike_auth_t *this, ike_sa_t *ike_sa)
+{
+	chunk_free(&this->my_nonce);
+	chunk_free(&this->other_nonce);
+	DESTROY_IF(this->my_packet);
+	DESTROY_IF(this->other_packet);
+	DESTROY_IF(this->peer_cfg);
+	DESTROY_IF(this->my_auth);
+	DESTROY_IF(this->other_auth);
+	this->candidates->destroy_offset(this->candidates, offsetof(peer_cfg_t, destroy));
+
+	this->my_packet = NULL;
+	this->other_packet = NULL;
+	this->ike_sa = ike_sa;
+	this->peer_cfg = NULL;
+	this->my_auth = NULL;
+	this->other_auth = NULL;
+	this->do_another_auth = TRUE;
+	this->expect_another_auth = TRUE;
+	this->authentication_failed = FALSE;
+	this->candidates = linked_list_create();
+}
+
+/**
+ * Implementation of task_t.destroy
+ */
+static void destroy(private_ike_auth_t *this)
+{
+	chunk_free(&this->my_nonce);
+	chunk_free(&this->other_nonce);
+	DESTROY_IF(this->my_packet);
+	DESTROY_IF(this->other_packet);
+	DESTROY_IF(this->my_auth);
+	DESTROY_IF(this->other_auth);
+	DESTROY_IF(this->peer_cfg);
+	this->candidates->destroy_offset(this->candidates, offsetof(peer_cfg_t, destroy));
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+ike_auth_t *ike_auth_create(ike_sa_t *ike_sa, bool initiator)
+{
+	private_ike_auth_t *this = malloc_thing(private_ike_auth_t);
+
+	this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
+	this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
+	this->public.task.destroy = (void(*)(task_t*))destroy;
+
+	if (initiator)
+	{
+		this->public.task.build = (status_t(*)(task_t*,message_t*))build_i;
+		this->public.task.process = (status_t(*)(task_t*,message_t*))process_i;
+	}
+	else
+	{
+		this->public.task.build = (status_t(*)(task_t*,message_t*))build_r;
+		this->public.task.process = (status_t(*)(task_t*,message_t*))process_r;
+	}
+
+	this->ike_sa = ike_sa;
+	this->initiator = initiator;
+	this->my_nonce = chunk_empty;
+	this->other_nonce = chunk_empty;
+	this->my_packet = NULL;
+	this->other_packet = NULL;
+	this->peer_cfg = NULL;
+	this->candidates = linked_list_create();
+	this->my_auth = NULL;
+	this->other_auth = NULL;
+	this->do_another_auth = TRUE;
+	this->expect_another_auth = TRUE;
+	this->authentication_failed = FALSE;
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/sa/tasks/ike_auth.h b/src/libcharon/sa/tasks/ike_auth.h
new file mode 100644
index 000000000..bba46d961
--- /dev/null
+++ b/src/libcharon/sa/tasks/ike_auth.h
@@ -0,0 +1,57 @@
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ike_auth ike_auth
+ * @{ @ingroup tasks
+ */
+
+#ifndef IKE_AUTH_H_
+#define IKE_AUTH_H_
+
+typedef struct ike_auth_t ike_auth_t;
+
+#include <library.h>
+#include <sa/ike_sa.h>
+#include <sa/tasks/task.h>
+
+/**
+ * Task of type ike_auth, authenticates an IKE_SA using authenticators.
+ *
+ * The ike_auth task authenticates the IKE_SA using the IKE_AUTH
+ * exchange. It processes and build IDi and IDr payloads and also
+ * handles AUTH payloads. The AUTH payloads are passed to authenticator_t's,
+ * which do the actual authentication process. If the ike_auth task is used
+ * with EAP authentication, it stays alive over multiple exchanges until
+ * EAP has completed.
+ */
+struct ike_auth_t {
+
+	/**
+	 * Implements the task_t interface
+	 */
+	task_t task;
+};
+
+/**
+ * Create a new task of type IKE_AUTHENTICATE.
+ *
+ * @param ike_sa		IKE_SA this task works for
+ * @param initiator		TRUE if thask is the initator of an exchange
+ * @return				ike_auth task to handle by the task_manager
+ */
+ike_auth_t *ike_auth_create(ike_sa_t *ike_sa, bool initiator);
+
+#endif /** IKE_AUTH_H_ @}*/
diff --git a/src/libcharon/sa/tasks/ike_auth_lifetime.c b/src/libcharon/sa/tasks/ike_auth_lifetime.c
new file mode 100644
index 000000000..75ff35168
--- /dev/null
+++ b/src/libcharon/sa/tasks/ike_auth_lifetime.c
@@ -0,0 +1,182 @@
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ike_auth_lifetime.h"
+
+#include <time.h>
+
+#include <daemon.h>
+#include <encoding/payloads/notify_payload.h>
+
+
+typedef struct private_ike_auth_lifetime_t private_ike_auth_lifetime_t;
+
+/**
+ * Private members of a ike_auth_lifetime_t task.
+ */
+struct private_ike_auth_lifetime_t {
+
+	/**
+	 * Public methods and task_t interface.
+	 */
+	ike_auth_lifetime_t public;
+
+	/**
+	 * Assigned IKE_SA.
+	 */
+	ike_sa_t *ike_sa;
+};
+
+/**
+ * add the AUTH_LIFETIME notify to the message
+ */
+static void add_auth_lifetime(private_ike_auth_lifetime_t *this, message_t *message)
+{
+	chunk_t chunk;
+	u_int32_t lifetime;
+
+	lifetime = this->ike_sa->get_statistic(this->ike_sa, STAT_REAUTH);
+	if (lifetime)
+	{
+		lifetime -= time_monotonic(NULL);
+		chunk = chunk_from_thing(lifetime);
+		*(u_int32_t*)chunk.ptr = htonl(lifetime);
+		message->add_notify(message, FALSE, AUTH_LIFETIME, chunk);
+	}
+}
+
+/**
+ * read notifys from message and evaluate them
+ */
+static void process_payloads(private_ike_auth_lifetime_t *this, message_t *message)
+{
+	notify_payload_t *notify;
+	chunk_t data;
+	u_int32_t lifetime;
+
+	notify = message->get_notify(message, AUTH_LIFETIME);
+	if (notify)
+	{
+		data = notify->get_notification_data(notify);
+		lifetime = ntohl(*(u_int32_t*)data.ptr);
+		this->ike_sa->set_auth_lifetime(this->ike_sa, lifetime);
+	}
+}
+
+/**
+ * Implementation of task_t.process for initiator
+ */
+static status_t build_i(private_ike_auth_lifetime_t *this, message_t *message)
+{
+	if (message->get_exchange_type(message) == INFORMATIONAL)
+	{
+		add_auth_lifetime(this, message);
+		return SUCCESS;
+	}
+	return NEED_MORE;
+}
+
+/**
+ * Implementation of task_t.process for responder
+ */
+static status_t process_r(private_ike_auth_lifetime_t *this, message_t *message)
+{
+	if (message->get_exchange_type(message) == INFORMATIONAL)
+	{
+		process_payloads(this, message);
+		return SUCCESS;
+	}
+	return NEED_MORE;
+}
+
+/**
+ * Implementation of task_t.build for responder
+ */
+static status_t build_r(private_ike_auth_lifetime_t *this, message_t *message)
+{
+	if (message->get_exchange_type(message) == IKE_AUTH &&
+		this->ike_sa->get_state(this->ike_sa) == IKE_ESTABLISHED)
+	{
+		add_auth_lifetime(this, message);
+		return SUCCESS;
+	}
+	return NEED_MORE;
+}
+
+/**
+ * Implementation of task_t.process for initiator
+ */
+static status_t process_i(private_ike_auth_lifetime_t *this, message_t *message)
+{
+	if (message->get_exchange_type(message) == IKE_AUTH &&
+		this->ike_sa->get_state(this->ike_sa) == IKE_ESTABLISHED)
+	{
+		process_payloads(this, message);
+		return SUCCESS;
+	}
+	return NEED_MORE;
+}
+
+/**
+ * Implementation of task_t.get_type
+ */
+static task_type_t get_type(private_ike_auth_lifetime_t *this)
+{
+	return IKE_AUTH_LIFETIME;
+}
+
+/**
+ * Implementation of task_t.migrate
+ */
+static void migrate(private_ike_auth_lifetime_t *this, ike_sa_t *ike_sa)
+{
+	this->ike_sa = ike_sa;
+}
+
+/**
+ * Implementation of task_t.destroy
+ */
+static void destroy(private_ike_auth_lifetime_t *this)
+{
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+ike_auth_lifetime_t *ike_auth_lifetime_create(ike_sa_t *ike_sa, bool initiator)
+{
+	private_ike_auth_lifetime_t *this = malloc_thing(private_ike_auth_lifetime_t);
+
+	this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
+	this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
+	this->public.task.destroy = (void(*)(task_t*))destroy;
+
+	if (initiator)
+	{
+		this->public.task.build = (status_t(*)(task_t*,message_t*))build_i;
+		this->public.task.process = (status_t(*)(task_t*,message_t*))process_i;
+	}
+	else
+	{
+		this->public.task.build = (status_t(*)(task_t*,message_t*))build_r;
+		this->public.task.process = (status_t(*)(task_t*,message_t*))process_r;
+	}
+
+	this->ike_sa = ike_sa;
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/sa/tasks/ike_auth_lifetime.h b/src/libcharon/sa/tasks/ike_auth_lifetime.h
new file mode 100644
index 000000000..3b129b9e3
--- /dev/null
+++ b/src/libcharon/sa/tasks/ike_auth_lifetime.h
@@ -0,0 +1,53 @@
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ike_auth_lifetime ike_auth_lifetime
+ * @{ @ingroup tasks
+ */
+
+#ifndef IKE_AUTH_LIFETIME_H_
+#define IKE_AUTH_LIFETIME_H_
+
+typedef struct ike_auth_lifetime_t ike_auth_lifetime_t;
+
+#include <library.h>
+#include <sa/ike_sa.h>
+#include <sa/tasks/task.h>
+
+/**
+ * Task of type IKE_AUTH_LIFETIME, implements RFC4478.
+ *
+ * This task exchanges lifetimes for IKE_AUTH to force a client to
+ * reauthenticate before the responders lifetime reaches the limit.
+ */
+struct ike_auth_lifetime_t {
+
+	/**
+	 * Implements the task_t interface
+	 */
+	task_t task;
+};
+
+/**
+ * Create a new IKE_AUTH_LIFETIME task.
+ *
+ * @param ike_sa		IKE_SA this task works for
+ * @param initiator		TRUE if taks is initiated by us
+ * @return				ike_auth_lifetime task to handle by the task_manager
+ */
+ike_auth_lifetime_t *ike_auth_lifetime_create(ike_sa_t *ike_sa, bool initiator);
+
+#endif /** IKE_MOBIKE_H_ @}*/
diff --git a/src/libcharon/sa/tasks/ike_cert_post.c b/src/libcharon/sa/tasks/ike_cert_post.c
new file mode 100644
index 000000000..c831df975
--- /dev/null
+++ b/src/libcharon/sa/tasks/ike_cert_post.c
@@ -0,0 +1,261 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2006-2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ike_cert_post.h"
+
+#include <daemon.h>
+#include <sa/ike_sa.h>
+#include <encoding/payloads/cert_payload.h>
+#include <encoding/payloads/certreq_payload.h>
+#include <encoding/payloads/auth_payload.h>
+#include <credentials/certificates/x509.h>
+
+
+typedef struct private_ike_cert_post_t private_ike_cert_post_t;
+
+/**
+ * Private members of a ike_cert_post_t task.
+ */
+struct private_ike_cert_post_t {
+
+	/**
+	 * Public methods and task_t interface.
+	 */
+	ike_cert_post_t public;
+
+	/**
+	 * Assigned IKE_SA.
+	 */
+	ike_sa_t *ike_sa;
+
+	/**
+	 * Are we the initiator?
+	 */
+	bool initiator;
+};
+
+/**
+ * Generates the cert payload, if possible with "Hash and URL"
+ */
+static cert_payload_t *build_cert_payload(private_ike_cert_post_t *this,
+										 certificate_t *cert)
+{
+	hasher_t *hasher;
+	identification_t *id;
+	chunk_t hash, encoded ;
+	enumerator_t *enumerator;
+	char *url;
+	cert_payload_t *payload = NULL;
+
+	if (!this->ike_sa->supports_extension(this->ike_sa, EXT_HASH_AND_URL))
+	{
+		return cert_payload_create_from_cert(cert);
+	}
+
+	hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
+	if (!hasher)
+	{
+		DBG1(DBG_IKE, "unable to use hash-and-url: sha1 not supported");
+		return cert_payload_create_from_cert(cert);
+	}
+
+	encoded = cert->get_encoding(cert);
+	hasher->allocate_hash(hasher, encoded, &hash);
+	chunk_free(&encoded);
+	hasher->destroy(hasher);
+	id = identification_create_from_encoding(ID_KEY_ID, hash);
+
+	enumerator = charon->credentials->create_cdp_enumerator(charon->credentials,
+															CERT_X509, id);
+	if (enumerator->enumerate(enumerator, &url))
+	{
+		payload = cert_payload_create_from_hash_and_url(hash, url);
+	}
+	else
+	{
+		payload = cert_payload_create_from_cert(cert);
+	}
+	enumerator->destroy(enumerator);
+	chunk_free(&hash);
+	id->destroy(id);
+	return payload;
+}
+
+/**
+ * add certificates to message
+ */
+static void build_certs(private_ike_cert_post_t *this, message_t *message)
+{
+	peer_cfg_t *peer_cfg;
+	auth_payload_t *payload;
+
+	payload = (auth_payload_t*)message->get_payload(message, AUTHENTICATION);
+	peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
+	if (!peer_cfg || !payload || payload->get_auth_method(payload) == AUTH_PSK)
+	{	/* no CERT payload for EAP/PSK */
+		return;
+	}
+
+	switch (peer_cfg->get_cert_policy(peer_cfg))
+	{
+		case CERT_NEVER_SEND:
+			break;
+		case CERT_SEND_IF_ASKED:
+			if (!this->ike_sa->has_condition(this->ike_sa, COND_CERTREQ_SEEN))
+			{
+				break;
+			}
+			/* FALL */
+		case CERT_ALWAYS_SEND:
+		{
+			cert_payload_t *payload;
+			enumerator_t *enumerator;
+			certificate_t *cert;
+			auth_rule_t type;
+			auth_cfg_t *auth;
+
+			auth = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
+
+			/* get subject cert first, then issuing certificates */
+			cert = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
+			if (!cert)
+			{
+				break;
+			}
+			payload = build_cert_payload(this, cert);
+			if (!payload)
+			{
+				break;
+			}
+			DBG1(DBG_IKE, "sending end entity cert \"%Y\"",
+				 cert->get_subject(cert));
+			message->add_payload(message, (payload_t*)payload);
+
+			enumerator = auth->create_enumerator(auth);
+			while (enumerator->enumerate(enumerator, &type, &cert))
+			{
+				if (type == AUTH_RULE_IM_CERT)
+				{
+					payload = cert_payload_create_from_cert(cert);
+					if (payload)
+					{
+						DBG1(DBG_IKE, "sending issuer cert \"%Y\"",
+							 cert->get_subject(cert));
+						message->add_payload(message, (payload_t*)payload);
+					}
+				}
+			}
+			enumerator->destroy(enumerator);
+		}
+	}
+}
+
+/**
+ * Implementation of task_t.process for initiator
+ */
+static status_t build_i(private_ike_cert_post_t *this, message_t *message)
+{
+	build_certs(this, message);
+
+	return NEED_MORE;
+}
+
+/**
+ * Implementation of task_t.process for responder
+ */
+static status_t process_r(private_ike_cert_post_t *this, message_t *message)
+{
+	return NEED_MORE;
+}
+
+/**
+ * Implementation of task_t.build for responder
+ */
+static status_t build_r(private_ike_cert_post_t *this, message_t *message)
+{
+	build_certs(this, message);
+
+	if (this->ike_sa->get_state(this->ike_sa) != IKE_ESTABLISHED)
+	{	/* stay alive, we might have additional rounds with certs */
+		return NEED_MORE;
+	}
+	return SUCCESS;
+}
+
+/**
+ * Implementation of task_t.process for initiator
+ */
+static status_t process_i(private_ike_cert_post_t *this, message_t *message)
+{
+	if (this->ike_sa->get_state(this->ike_sa) != IKE_ESTABLISHED)
+	{	/* stay alive, we might have additional rounds with CERTS */
+		return NEED_MORE;
+	}
+	return SUCCESS;
+}
+
+/**
+ * Implementation of task_t.get_type
+ */
+static task_type_t get_type(private_ike_cert_post_t *this)
+{
+	return IKE_CERT_POST;
+}
+
+/**
+ * Implementation of task_t.migrate
+ */
+static void migrate(private_ike_cert_post_t *this, ike_sa_t *ike_sa)
+{
+	this->ike_sa = ike_sa;
+}
+
+/**
+ * Implementation of task_t.destroy
+ */
+static void destroy(private_ike_cert_post_t *this)
+{
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+ike_cert_post_t *ike_cert_post_create(ike_sa_t *ike_sa, bool initiator)
+{
+	private_ike_cert_post_t *this = malloc_thing(private_ike_cert_post_t);
+
+	this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
+	this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
+	this->public.task.destroy = (void(*)(task_t*))destroy;
+
+	if (initiator)
+	{
+		this->public.task.build = (status_t(*)(task_t*,message_t*))build_i;
+		this->public.task.process = (status_t(*)(task_t*,message_t*))process_i;
+	}
+	else
+	{
+		this->public.task.build = (status_t(*)(task_t*,message_t*))build_r;
+		this->public.task.process = (status_t(*)(task_t*,message_t*))process_r;
+	}
+
+	this->ike_sa = ike_sa;
+	this->initiator = initiator;
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/sa/tasks/ike_cert_post.h b/src/libcharon/sa/tasks/ike_cert_post.h
new file mode 100644
index 000000000..a21f45927
--- /dev/null
+++ b/src/libcharon/sa/tasks/ike_cert_post.h
@@ -0,0 +1,53 @@
+/*
+ * Copyright (C) 2007-2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ike_cert_post ike_cert_post
+ * @{ @ingroup tasks
+ */
+
+#ifndef IKE_CERT_POST_H_
+#define IKE_CERT_POST_H_
+
+typedef struct ike_cert_post_t ike_cert_post_t;
+
+#include <library.h>
+#include <sa/ike_sa.h>
+#include <sa/tasks/task.h>
+
+/**
+ * Task of type ike_cert_post, certificate processing after authentication.
+ */
+struct ike_cert_post_t {
+
+	/**
+	 * Implements the task_t interface
+	 */
+	task_t task;
+};
+
+/**
+ * Create a new ike_cert_post task.
+ *
+ * The initiator parameter means the original initiator, not the initiator
+ * of the certificate request.
+ *
+ * @param ike_sa		IKE_SA this task works for
+ * @param initiator		TRUE if thask is the original initator
+ * @return				ike_cert_post task to handle by the task_manager
+ */
+ike_cert_post_t *ike_cert_post_create(ike_sa_t *ike_sa, bool initiator);
+
+#endif /** IKE_CERT_POST_H_ @}*/
diff --git a/src/libcharon/sa/tasks/ike_cert_pre.c b/src/libcharon/sa/tasks/ike_cert_pre.c
new file mode 100644
index 000000000..0805d0290
--- /dev/null
+++ b/src/libcharon/sa/tasks/ike_cert_pre.c
@@ -0,0 +1,524 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2006-2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ike_cert_pre.h"
+
+#include <daemon.h>
+#include <sa/ike_sa.h>
+#include <encoding/payloads/cert_payload.h>
+#include <encoding/payloads/certreq_payload.h>
+#include <credentials/certificates/x509.h>
+
+
+typedef struct private_ike_cert_pre_t private_ike_cert_pre_t;
+
+/**
+ * Private members of a ike_cert_pre_t task.
+ */
+struct private_ike_cert_pre_t {
+
+	/**
+	 * Public methods and task_t interface.
+	 */
+	ike_cert_pre_t public;
+
+	/**
+	 * Assigned IKE_SA.
+	 */
+	ike_sa_t *ike_sa;
+
+	/**
+	 * Are we the initiator?
+	 */
+	bool initiator;
+
+	/**
+	 * Do we accept HTTP certificate lookup requests
+	 */
+	bool do_http_lookup;
+
+	/**
+	 * wheter this is the final authentication round
+	 */
+	bool final;
+};
+
+/**
+ * read certificate requests
+ */
+static void process_certreqs(private_ike_cert_pre_t *this, message_t *message)
+{
+	enumerator_t *enumerator;
+	payload_t *payload;
+	auth_cfg_t *auth;
+
+	auth = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
+
+	enumerator = message->create_payload_enumerator(message);
+	while (enumerator->enumerate(enumerator, &payload))
+	{
+		switch (payload->get_type(payload))
+		{
+			case CERTIFICATE_REQUEST:
+			{
+				certreq_payload_t *certreq = (certreq_payload_t*)payload;
+				enumerator_t *enumerator;
+				chunk_t keyid;
+
+				this->ike_sa->set_condition(this->ike_sa, COND_CERTREQ_SEEN, TRUE);
+
+				if (certreq->get_cert_type(certreq) != CERT_X509)
+				{
+					DBG1(DBG_IKE, "cert payload %N not supported - ignored",
+						 certificate_type_names, certreq->get_cert_type(certreq));
+					break;
+				}
+				enumerator = certreq->create_keyid_enumerator(certreq);
+				while (enumerator->enumerate(enumerator, &keyid))
+				{
+					identification_t *id;
+					certificate_t *cert;
+
+					id = identification_create_from_encoding(ID_KEY_ID, keyid);
+					cert = charon->credentials->get_cert(charon->credentials,
+											CERT_X509, KEY_ANY, id, TRUE);
+					if (cert)
+					{
+						DBG1(DBG_IKE, "received cert request for \"%Y\"",
+							 cert->get_subject(cert));
+						auth->add(auth, AUTH_RULE_CA_CERT, cert);
+					}
+					else
+					{
+						DBG1(DBG_IKE, "received cert request for unknown ca "
+									  "with keyid %Y", id);
+					}
+					id->destroy(id);
+				}
+				enumerator->destroy(enumerator);
+				break;
+			}
+			case NOTIFY:
+			{
+				notify_payload_t *notify = (notify_payload_t*)payload;
+
+				/* we only handle one type of notify here */
+				if (notify->get_notify_type(notify) == HTTP_CERT_LOOKUP_SUPPORTED)
+				{
+					this->ike_sa->enable_extension(this->ike_sa, EXT_HASH_AND_URL);
+				}
+				break;
+			}
+			default:
+				/* ignore other payloads here, these are handled elsewhere */
+				break;
+		}
+	}
+	enumerator->destroy(enumerator);
+}
+
+/**
+ * tries to extract a certificate from the cert payload or the credential
+ * manager (based on the hash of a "Hash and URL" encoded cert).
+ * Note: the returned certificate (if any) has to be destroyed
+ */
+static certificate_t *try_get_cert(cert_payload_t *cert_payload)
+{
+	certificate_t *cert = NULL;
+
+	switch (cert_payload->get_cert_encoding(cert_payload))
+	{
+		case ENC_X509_SIGNATURE:
+		{
+			cert = cert_payload->get_cert(cert_payload);
+			break;
+		}
+		case ENC_X509_HASH_AND_URL:
+		{
+			identification_t *id;
+			chunk_t hash = cert_payload->get_hash(cert_payload);
+			if (!hash.ptr)
+			{
+				/* invalid "Hash and URL" data (logged elsewhere) */
+				break;
+			}
+			id = identification_create_from_encoding(ID_KEY_ID, hash);
+			cert = charon->credentials->get_cert(charon->credentials,
+												 CERT_X509, KEY_ANY, id, FALSE);
+			id->destroy(id);
+			break;
+		}
+		default:
+		{
+			break;
+		}
+	}
+	return cert;
+}
+
+/**
+ * import certificates
+ */
+static void process_certs(private_ike_cert_pre_t *this, message_t *message)
+{
+	enumerator_t *enumerator;
+	payload_t *payload;
+	auth_cfg_t *auth;
+	bool first = TRUE;
+
+	auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
+
+	enumerator = message->create_payload_enumerator(message);
+	while (enumerator->enumerate(enumerator, &payload))
+	{
+		if (payload->get_type(payload) == CERTIFICATE)
+		{
+			cert_payload_t *cert_payload;
+			cert_encoding_t encoding;
+			certificate_t *cert;
+			char *url;
+
+			cert_payload = (cert_payload_t*)payload;
+			encoding = cert_payload->get_cert_encoding(cert_payload);
+
+			switch (encoding)
+			{
+				case ENC_X509_HASH_AND_URL:
+				{
+					if (!this->do_http_lookup)
+					{
+						DBG1(DBG_IKE, "received hash-and-url encoded cert, but"
+								" we don't accept them, ignore");
+						break;
+					}
+					/* FALL */
+				}
+				case ENC_X509_SIGNATURE:
+				{
+					cert = try_get_cert(cert_payload);
+					if (cert)
+					{
+						if (first)
+						{	/* the first is an end entity certificate */
+							DBG1(DBG_IKE, "received end entity cert \"%Y\"",
+								 cert->get_subject(cert));
+							auth->add(auth, AUTH_HELPER_SUBJECT_CERT, cert);
+							first = FALSE;
+						}
+						else
+						{
+							DBG1(DBG_IKE, "received issuer cert \"%Y\"",
+								 cert->get_subject(cert));
+							auth->add(auth, AUTH_HELPER_IM_CERT, cert);
+						}
+					}
+					else if (encoding == ENC_X509_HASH_AND_URL)
+					{
+						/* we fetch the certificate not yet, but only if
+						 * it is really needed during authentication */
+						url = cert_payload->get_url(cert_payload);
+						if (!url)
+						{
+							DBG1(DBG_IKE, "received invalid hash-and-url "
+								 "encoded cert, ignore");
+							break;
+						}
+						url = strdup(url);
+						if (first)
+						{	/* first URL is for an end entity certificate */
+							DBG1(DBG_IKE, "received hash-and-url for end"
+								 " entity cert \"%s\"", url);
+							auth->add(auth, AUTH_HELPER_SUBJECT_HASH_URL, url);
+							first = FALSE;
+						}
+						else
+						{
+							DBG1(DBG_IKE, "received hash-and-url for issuer"
+									" cert \"%s\"", url);
+							auth->add(auth, AUTH_HELPER_IM_HASH_URL, url);
+						}
+					}
+					break;
+				}
+				case ENC_PKCS7_WRAPPED_X509:
+				case ENC_PGP:
+				case ENC_DNS_SIGNED_KEY:
+				case ENC_KERBEROS_TOKEN:
+				case ENC_CRL:
+				case ENC_ARL:
+				case ENC_SPKI:
+				case ENC_X509_ATTRIBUTE:
+				case ENC_RAW_RSA_KEY:
+				case ENC_X509_HASH_AND_URL_BUNDLE:
+				case ENC_OCSP_CONTENT:
+				default:
+					DBG1(DBG_ENC, "certificate encoding %N not supported",
+						 cert_encoding_names, encoding);
+			}
+		}
+	}
+	enumerator->destroy(enumerator);
+}
+
+/**
+ * add the keyid of a certificate to the certificate request payload
+ */
+static void add_certreq(certreq_payload_t **req, certificate_t *cert)
+{
+	switch (cert->get_type(cert))
+	{
+		case CERT_X509:
+		{
+			public_key_t *public;
+			chunk_t keyid;
+			x509_t *x509 = (x509_t*)cert;
+
+			if (!(x509->get_flags(x509) & X509_CA))
+			{	/* no CA cert, skip */
+				break;
+			}
+			public = cert->get_public_key(cert);
+			if (!public)
+			{
+				break;
+			}
+			if (*req == NULL)
+			{
+				*req = certreq_payload_create_type(CERT_X509);
+			}
+			if (public->get_fingerprint(public, KEY_ID_PUBKEY_INFO_SHA1, &keyid))
+			{
+				(*req)->add_keyid(*req, keyid);
+				DBG1(DBG_IKE, "sending cert request for \"%Y\"",
+					 cert->get_subject(cert));
+			}
+			public->destroy(public);
+			break;
+		}
+		default:
+			break;
+	}
+}
+
+/**
+ * add a auth_cfg's CA certificates to the certificate request
+ */
+static void add_certreqs(certreq_payload_t **req, auth_cfg_t *auth)
+{
+	enumerator_t *enumerator;
+	auth_rule_t type;
+	void *value;
+
+	enumerator = auth->create_enumerator(auth);
+	while (enumerator->enumerate(enumerator, &type, &value))
+	{
+		switch (type)
+		{
+			case AUTH_RULE_CA_CERT:
+				add_certreq(req, (certificate_t*)value);
+				break;
+			default:
+				break;
+		}
+	}
+	enumerator->destroy(enumerator);
+}
+
+/**
+ * build certificate requests
+ */
+static void build_certreqs(private_ike_cert_pre_t *this, message_t *message)
+{
+	enumerator_t *enumerator;
+	ike_cfg_t *ike_cfg;
+	peer_cfg_t *peer_cfg;
+	certificate_t *cert;
+	auth_cfg_t *auth;
+	certreq_payload_t *req = NULL;
+
+	ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa);
+	if (!ike_cfg->send_certreq(ike_cfg))
+	{
+		return;
+	}
+
+	/* check if we require a specific CA for that peer */
+	peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
+	if (peer_cfg)
+	{
+		enumerator = peer_cfg->create_auth_cfg_enumerator(peer_cfg, FALSE);
+		while (enumerator->enumerate(enumerator, &auth))
+		{
+			add_certreqs(&req, auth);
+		}
+		enumerator->destroy(enumerator);
+	}
+
+	if (!req)
+	{
+		/* otherwise add all trusted CA certificates */
+		enumerator = charon->credentials->create_cert_enumerator(
+							charon->credentials, CERT_ANY, KEY_ANY, NULL, TRUE);
+		while (enumerator->enumerate(enumerator, &cert))
+		{
+			add_certreq(&req, cert);
+		}
+		enumerator->destroy(enumerator);
+	}
+
+	if (req)
+	{
+		message->add_payload(message, (payload_t*)req);
+
+		if (lib->settings->get_bool(lib->settings, "charon.hash_and_url", FALSE))
+		{
+			message->add_notify(message, FALSE, HTTP_CERT_LOOKUP_SUPPORTED,
+								chunk_empty);
+			this->do_http_lookup = TRUE;
+		}
+	}
+}
+
+/**
+ * Check if this is the final authentication round
+ */
+static bool final_auth(message_t *message)
+{
+	/* we check for an AUTH payload without a ANOTHER_AUTH_FOLLOWS notify */
+	if (message->get_payload(message, AUTHENTICATION) == NULL)
+	{
+		return FALSE;
+	}
+	if (message->get_notify(message, ANOTHER_AUTH_FOLLOWS))
+	{
+		return FALSE;
+	}
+	return TRUE;
+}
+
+/**
+ * Implementation of task_t.process for initiator
+ */
+static status_t build_i(private_ike_cert_pre_t *this, message_t *message)
+{
+	if (message->get_message_id(message) == 1)
+	{	/* initiator sends CERTREQs in first IKE_AUTH */
+		build_certreqs(this, message);
+	}
+	return NEED_MORE;
+}
+
+/**
+ * Implementation of task_t.process for responder
+ */
+static status_t process_r(private_ike_cert_pre_t *this, message_t *message)
+{
+	if (message->get_exchange_type(message) != IKE_SA_INIT)
+	{	/* handle certreqs/certs in any IKE_AUTH, just in case */
+		process_certreqs(this, message);
+		process_certs(this, message);
+	}
+	this->final = final_auth(message);
+	return NEED_MORE;
+}
+
+/**
+ * Implementation of task_t.build for responder
+ */
+static status_t build_r(private_ike_cert_pre_t *this, message_t *message)
+{
+	if (message->get_exchange_type(message) == IKE_SA_INIT)
+	{
+		build_certreqs(this, message);
+	}
+	if (this->final)
+	{
+		return SUCCESS;
+	}
+	return NEED_MORE;
+}
+
+/**
+ * Implementation of task_t.process for initiator
+ */
+static status_t process_i(private_ike_cert_pre_t *this, message_t *message)
+{
+	if (message->get_exchange_type(message) == IKE_SA_INIT)
+	{
+		process_certreqs(this, message);
+	}
+	process_certs(this, message);
+
+	if (final_auth(message))
+	{
+		return SUCCESS;
+	}
+	return NEED_MORE;
+}
+
+/**
+ * Implementation of task_t.get_type
+ */
+static task_type_t get_type(private_ike_cert_pre_t *this)
+{
+	return IKE_CERT_PRE;
+}
+
+/**
+ * Implementation of task_t.migrate
+ */
+static void migrate(private_ike_cert_pre_t *this, ike_sa_t *ike_sa)
+{
+	this->ike_sa = ike_sa;
+}
+
+/**
+ * Implementation of task_t.destroy
+ */
+static void destroy(private_ike_cert_pre_t *this)
+{
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+ike_cert_pre_t *ike_cert_pre_create(ike_sa_t *ike_sa, bool initiator)
+{
+	private_ike_cert_pre_t *this = malloc_thing(private_ike_cert_pre_t);
+
+	this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
+	this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
+	this->public.task.destroy = (void(*)(task_t*))destroy;
+
+	if (initiator)
+	{
+		this->public.task.build = (status_t(*)(task_t*,message_t*))build_i;
+		this->public.task.process = (status_t(*)(task_t*,message_t*))process_i;
+	}
+	else
+	{
+		this->public.task.build = (status_t(*)(task_t*,message_t*))build_r;
+		this->public.task.process = (status_t(*)(task_t*,message_t*))process_r;
+	}
+
+	this->ike_sa = ike_sa;
+	this->initiator = initiator;
+	this->do_http_lookup = FALSE;
+	this->final = FALSE;
+
+	return &this->public;
+}
diff --git a/src/libcharon/sa/tasks/ike_cert_pre.h b/src/libcharon/sa/tasks/ike_cert_pre.h
new file mode 100644
index 000000000..1541b80e5
--- /dev/null
+++ b/src/libcharon/sa/tasks/ike_cert_pre.h
@@ -0,0 +1,53 @@
+/*
+ * Copyright (C) 2007-2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ike_cert_pre ike_cert_pre
+ * @{ @ingroup tasks
+ */
+
+#ifndef IKE_CERT_PRE_H_
+#define IKE_CERT_PRE_H_
+
+typedef struct ike_cert_pre_t ike_cert_pre_t;
+
+#include <library.h>
+#include <sa/ike_sa.h>
+#include <sa/tasks/task.h>
+
+/**
+ * Task of type ike_cert_post, certificate processing before authentication.
+ */
+struct ike_cert_pre_t {
+
+	/**
+	 * Implements the task_t interface
+	 */
+	task_t task;
+};
+
+/**
+ * Create a new ike_cert_pre task.
+ *
+ * The initiator parameter means the original initiator, not the initiator
+ * of the certificate request.
+ *
+ * @param ike_sa		IKE_SA this task works for
+ * @param initiator		TRUE if thask is the original initator
+ * @return				ike_cert_pre task to handle by the task_manager
+ */
+ike_cert_pre_t *ike_cert_pre_create(ike_sa_t *ike_sa, bool initiator);
+
+#endif /** IKE_CERT_PRE_H_ @}*/
diff --git a/src/libcharon/sa/tasks/ike_config.c b/src/libcharon/sa/tasks/ike_config.c
new file mode 100644
index 000000000..58bcf0762
--- /dev/null
+++ b/src/libcharon/sa/tasks/ike_config.c
@@ -0,0 +1,448 @@
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Copyright (C) 2006-2007 Fabian Hartmann, Noah Heusser
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ike_config.h"
+
+#include <daemon.h>
+#include <hydra.h>
+#include <encoding/payloads/cp_payload.h>
+
+typedef struct private_ike_config_t private_ike_config_t;
+
+/**
+ * Private members of a ike_config_t task.
+ */
+struct private_ike_config_t {
+
+	/**
+	 * Public methods and task_t interface.
+	 */
+	ike_config_t public;
+
+	/**
+	 * Assigned IKE_SA.
+	 */
+	ike_sa_t *ike_sa;
+
+	/**
+	 * Are we the initiator?
+	 */
+	bool initiator;
+
+	/**
+	 * virtual ip
+	 */
+	host_t *virtual_ip;
+
+	/**
+	 * list of attributes requested and its handler, entry_t
+	 */
+	linked_list_t *requested;
+};
+
+/**
+ * Entry for a requested attribute and the requesting handler
+ */
+typedef struct {
+	/** attribute requested */
+	configuration_attribute_type_t type;
+	/** handler requesting this attribute */
+	attribute_handler_t *handler;
+} entry_t;
+
+/**
+ * build INTERNAL_IPV4/6_ADDRESS attribute from virtual ip
+ */
+static configuration_attribute_t *build_vip(host_t *vip)
+{
+	configuration_attribute_type_t type;
+	chunk_t chunk, prefix;
+
+	if (vip->get_family(vip) == AF_INET)
+	{
+		type = INTERNAL_IP4_ADDRESS;
+		if (vip->is_anyaddr(vip))
+		{
+			chunk = chunk_empty;
+		}
+		else
+		{
+			chunk = vip->get_address(vip);
+		}
+	}
+	else
+	{
+		type = INTERNAL_IP6_ADDRESS;
+		if (vip->is_anyaddr(vip))
+		{
+			chunk = chunk_empty;
+		}
+		else
+		{
+			prefix = chunk_alloca(1);
+			*prefix.ptr = 64;
+			chunk = vip->get_address(vip);
+			chunk = chunk_cata("cc", chunk, prefix);
+		}
+	}
+	return configuration_attribute_create_value(type, chunk);
+}
+
+/**
+ * Handle a received attribute as initiator
+ */
+static void handle_attribute(private_ike_config_t *this,
+							 configuration_attribute_t *ca)
+{
+	attribute_handler_t *handler = NULL;
+	enumerator_t *enumerator;
+	entry_t *entry;
+
+	/* find the handler which requested this attribute */
+	enumerator = this->requested->create_enumerator(this->requested);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (entry->type == ca->get_type(ca))
+		{
+			handler = entry->handler;
+			this->requested->remove_at(this->requested, enumerator);
+			free(entry);
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	/* and pass it to the handle function */
+	handler = hydra->attributes->handle(hydra->attributes,
+							this->ike_sa->get_other_id(this->ike_sa), handler,
+							ca->get_type(ca), ca->get_value(ca));
+	if (handler)
+	{
+		this->ike_sa->add_configuration_attribute(this->ike_sa,
+				handler, ca->get_type(ca), ca->get_value(ca));
+	}
+}
+
+/**
+ * process a single configuration attribute
+ */
+static void process_attribute(private_ike_config_t *this,
+							  configuration_attribute_t *ca)
+{
+	host_t *ip;
+	chunk_t addr;
+	int family = AF_INET6;
+
+	switch (ca->get_type(ca))
+	{
+		case INTERNAL_IP4_ADDRESS:
+			family = AF_INET;
+			/* fall */
+		case INTERNAL_IP6_ADDRESS:
+		{
+			addr = ca->get_value(ca);
+			if (addr.len == 0)
+			{
+				ip = host_create_any(family);
+			}
+			else
+			{
+				/* skip prefix byte in IPv6 payload*/
+				if (family == AF_INET6)
+				{
+					addr.len--;
+				}
+				ip = host_create_from_chunk(family, addr, 0);
+			}
+			if (ip)
+			{
+				DESTROY_IF(this->virtual_ip);
+				this->virtual_ip = ip;
+			}
+			break;
+		}
+		default:
+		{
+			if (this->initiator)
+			{
+				handle_attribute(this, ca);
+			}
+		}
+	}
+}
+
+/**
+ * Scan for configuration payloads and attributes
+ */
+static void process_payloads(private_ike_config_t *this, message_t *message)
+{
+	enumerator_t *enumerator, *attributes;
+	payload_t *payload;
+
+	enumerator = message->create_payload_enumerator(message);
+	while (enumerator->enumerate(enumerator, &payload))
+	{
+		if (payload->get_type(payload) == CONFIGURATION)
+		{
+			cp_payload_t *cp = (cp_payload_t*)payload;
+			configuration_attribute_t *ca;
+
+			switch (cp->get_type(cp))
+			{
+				case CFG_REQUEST:
+				case CFG_REPLY:
+				{
+					attributes = cp->create_attribute_enumerator(cp);
+					while (attributes->enumerate(attributes, &ca))
+					{
+						DBG2(DBG_IKE, "processing %N attribute",
+							 configuration_attribute_type_names, ca->get_type(ca));
+						process_attribute(this, ca);
+					}
+					attributes->destroy(attributes);
+					break;
+				}
+				default:
+					DBG1(DBG_IKE, "ignoring %N config payload",
+						 config_type_names, cp->get_type(cp));
+					break;
+			}
+		}
+	}
+	enumerator->destroy(enumerator);
+}
+
+/**
+ * Implementation of task_t.process for initiator
+ */
+static status_t build_i(private_ike_config_t *this, message_t *message)
+{
+	if (message->get_message_id(message) == 1)
+	{	/* in first IKE_AUTH only */
+		cp_payload_t *cp = NULL;
+		enumerator_t *enumerator;
+		attribute_handler_t *handler;
+		peer_cfg_t *config;
+		configuration_attribute_type_t type;
+		chunk_t data;
+		host_t *vip;
+
+		/* reuse virtual IP if we already have one */
+		vip = this->ike_sa->get_virtual_ip(this->ike_sa, TRUE);
+		if (!vip)
+		{
+			config = this->ike_sa->get_peer_cfg(this->ike_sa);
+			vip = config->get_virtual_ip(config);
+		}
+		if (vip)
+		{
+			cp = cp_payload_create_type(CFG_REQUEST);
+			cp->add_attribute(cp, build_vip(vip));
+		}
+
+		enumerator = hydra->attributes->create_initiator_enumerator(hydra->attributes,
+								this->ike_sa->get_other_id(this->ike_sa), vip);
+		while (enumerator->enumerate(enumerator, &handler, &type, &data))
+		{
+			configuration_attribute_t *ca;
+			entry_t *entry;
+
+			/* create configuration attribute */
+			DBG2(DBG_IKE, "building %N attribute",
+				 configuration_attribute_type_names, type);
+			ca = configuration_attribute_create_value(type, data);
+			if (!cp)
+			{
+				cp = cp_payload_create_type(CFG_REQUEST);
+			}
+			cp->add_attribute(cp, ca);
+
+			/* save handler along with requested type */
+			entry = malloc_thing(entry_t);
+			entry->type = type;
+			entry->handler = handler;
+
+			this->requested->insert_last(this->requested, entry);
+		}
+		enumerator->destroy(enumerator);
+
+		if (cp)
+		{
+			message->add_payload(message, (payload_t*)cp);
+		}
+	}
+	return NEED_MORE;
+}
+
+/**
+ * Implementation of task_t.process for responder
+ */
+static status_t process_r(private_ike_config_t *this, message_t *message)
+{
+	if (message->get_message_id(message) == 1)
+	{	/* in first IKE_AUTH only */
+		process_payloads(this, message);
+	}
+	return NEED_MORE;
+}
+
+/**
+ * Implementation of task_t.build for responder
+ */
+static status_t build_r(private_ike_config_t *this, message_t *message)
+{
+	if (this->ike_sa->get_state(this->ike_sa) == IKE_ESTABLISHED)
+	{	/* in last IKE_AUTH exchange */
+		enumerator_t *enumerator;
+		configuration_attribute_type_t type;
+		chunk_t value;
+		host_t *vip = NULL;
+		cp_payload_t *cp = NULL;
+		peer_cfg_t *config;
+		identification_t *id;
+
+		id = this->ike_sa->get_other_eap_id(this->ike_sa);
+
+		config = this->ike_sa->get_peer_cfg(this->ike_sa);
+		if (config && this->virtual_ip)
+		{
+			DBG1(DBG_IKE, "peer requested virtual IP %H", this->virtual_ip);
+			if (config->get_pool(config))
+			{
+				vip = hydra->attributes->acquire_address(hydra->attributes,
+							config->get_pool(config), id, this->virtual_ip);
+			}
+			if (vip == NULL)
+			{
+				DBG1(DBG_IKE, "no virtual IP found, sending %N",
+					 notify_type_names, INTERNAL_ADDRESS_FAILURE);
+				message->add_notify(message, FALSE, INTERNAL_ADDRESS_FAILURE,
+									chunk_empty);
+				return SUCCESS;
+			}
+			DBG1(DBG_IKE, "assigning virtual IP %H to peer", vip);
+			this->ike_sa->set_virtual_ip(this->ike_sa, FALSE, vip);
+
+			cp = cp_payload_create_type(CFG_REPLY);
+			cp->add_attribute(cp, build_vip(vip));
+		}
+
+		/* query registered providers for additional attributes to include */
+		enumerator = hydra->attributes->create_responder_enumerator(
+													hydra->attributes, id, vip);
+		while (enumerator->enumerate(enumerator, &type, &value))
+		{
+			if (!cp)
+			{
+				cp = cp_payload_create_type(CFG_REPLY);
+			}
+			DBG2(DBG_IKE, "building %N attribute",
+				 configuration_attribute_type_names, type);
+			cp->add_attribute(cp,
+						configuration_attribute_create_value(type, value));
+		}
+		enumerator->destroy(enumerator);
+
+		if (cp)
+		{
+			message->add_payload(message, (payload_t*)cp);
+		}
+		DESTROY_IF(vip);
+		return SUCCESS;
+	}
+	return NEED_MORE;
+}
+
+/**
+ * Implementation of task_t.process for initiator
+ */
+static status_t process_i(private_ike_config_t *this, message_t *message)
+{
+	if (this->ike_sa->get_state(this->ike_sa) == IKE_ESTABLISHED)
+	{	/* in last IKE_AUTH exchange */
+
+		process_payloads(this, message);
+
+		if (this->virtual_ip)
+		{
+			this->ike_sa->set_virtual_ip(this->ike_sa, TRUE, this->virtual_ip);
+		}
+		return SUCCESS;
+	}
+	return NEED_MORE;
+}
+
+/**
+ * Implementation of task_t.get_type
+ */
+static task_type_t get_type(private_ike_config_t *this)
+{
+	return IKE_CONFIG;
+}
+
+/**
+ * Implementation of task_t.migrate
+ */
+static void migrate(private_ike_config_t *this, ike_sa_t *ike_sa)
+{
+	DESTROY_IF(this->virtual_ip);
+
+	this->ike_sa = ike_sa;
+	this->virtual_ip = NULL;
+	this->requested->destroy_function(this->requested, free);
+	this->requested = linked_list_create();
+}
+
+/**
+ * Implementation of task_t.destroy
+ */
+static void destroy(private_ike_config_t *this)
+{
+	DESTROY_IF(this->virtual_ip);
+	this->requested->destroy_function(this->requested, free);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+ike_config_t *ike_config_create(ike_sa_t *ike_sa, bool initiator)
+{
+	private_ike_config_t *this = malloc_thing(private_ike_config_t);
+
+	this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
+	this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
+	this->public.task.destroy = (void(*)(task_t*))destroy;
+
+	this->initiator = initiator;
+	this->ike_sa = ike_sa;
+	this->virtual_ip = NULL;
+	this->requested = linked_list_create();
+
+	if (initiator)
+	{
+		this->public.task.build = (status_t(*)(task_t*,message_t*))build_i;
+		this->public.task.process = (status_t(*)(task_t*,message_t*))process_i;
+	}
+	else
+	{
+		this->public.task.build = (status_t(*)(task_t*,message_t*))build_r;
+		this->public.task.process = (status_t(*)(task_t*,message_t*))process_r;
+	}
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/sa/tasks/ike_config.h b/src/libcharon/sa/tasks/ike_config.h
new file mode 100644
index 000000000..8cef08697
--- /dev/null
+++ b/src/libcharon/sa/tasks/ike_config.h
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ike_config ike_config
+ * @{ @ingroup tasks
+ */
+
+#ifndef IKE_CONFIG_H_
+#define IKE_CONFIG_H_
+
+typedef struct ike_config_t ike_config_t;
+
+#include <library.h>
+#include <sa/ike_sa.h>
+#include <sa/tasks/task.h>
+
+/**
+ * Task of type IKE_CONFIG, sets up a virtual IP and other
+ * configurations for an IKE_SA.
+ */
+struct ike_config_t {
+
+	/**
+	 * Implements the task_t interface
+	 */
+	task_t task;
+};
+
+/**
+ * Create a new ike_config task.
+ *
+ * @param ike_sa		IKE_SA this task works for
+ * @param initiator		TRUE for initiator
+ * @return				ike_config task to handle by the task_manager
+ */
+ike_config_t *ike_config_create(ike_sa_t *ike_sa, bool initiator);
+
+#endif /** IKE_CONFIG_H_ @}*/
diff --git a/src/libcharon/sa/tasks/ike_delete.c b/src/libcharon/sa/tasks/ike_delete.c
new file mode 100644
index 000000000..130948836
--- /dev/null
+++ b/src/libcharon/sa/tasks/ike_delete.c
@@ -0,0 +1,210 @@
+/*
+ * Copyright (C) 2006-2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ike_delete.h"
+
+#include <daemon.h>
+#include <encoding/payloads/delete_payload.h>
+
+
+typedef struct private_ike_delete_t private_ike_delete_t;
+
+/**
+ * Private members of a ike_delete_t task.
+ */
+struct private_ike_delete_t {
+
+	/**
+	 * Public methods and task_t interface.
+	 */
+	ike_delete_t public;
+
+	/**
+	 * Assigned IKE_SA.
+	 */
+	ike_sa_t *ike_sa;
+
+	/**
+	 * Are we the initiator?
+	 */
+	bool initiator;
+
+	/**
+	 * are we deleting a rekeyed SA?
+	 */
+	bool rekeyed;
+
+	/**
+	 * are we responding to a delete, but have initated our own?
+	 */
+	bool simultaneous;
+};
+
+/**
+ * Implementation of task_t.build for initiator
+ */
+static status_t build_i(private_ike_delete_t *this, message_t *message)
+{
+	delete_payload_t *delete_payload;
+
+	DBG0(DBG_IKE, "deleting IKE_SA %s[%d] between %H[%Y]...%H[%Y]",
+		 this->ike_sa->get_name(this->ike_sa),
+		 this->ike_sa->get_unique_id(this->ike_sa),
+		 this->ike_sa->get_my_host(this->ike_sa),
+		 this->ike_sa->get_my_id(this->ike_sa),
+		 this->ike_sa->get_other_host(this->ike_sa),
+		 this->ike_sa->get_other_id(this->ike_sa));
+
+	delete_payload = delete_payload_create(PROTO_IKE);
+	message->add_payload(message, (payload_t*)delete_payload);
+
+	if (this->ike_sa->get_state(this->ike_sa) == IKE_REKEYING)
+	{
+		this->rekeyed = TRUE;
+	}
+	this->ike_sa->set_state(this->ike_sa, IKE_DELETING);
+
+	DBG1(DBG_IKE, "sending DELETE for IKE_SA %s[%d]",
+		 this->ike_sa->get_name(this->ike_sa),
+		 this->ike_sa->get_unique_id(this->ike_sa));
+
+	return NEED_MORE;
+}
+
+/**
+ * Implementation of task_t.process for initiator
+ */
+static status_t process_i(private_ike_delete_t *this, message_t *message)
+{
+	DBG0(DBG_IKE, "IKE_SA deleted");
+	if (!this->rekeyed)
+	{	/* invoke ike_down() hook if SA has not been rekeyed */
+		charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
+	}
+	/* completed, delete IKE_SA by returning DESTROY_ME */
+	return DESTROY_ME;
+}
+
+/**
+ * Implementation of task_t.process for responder
+ */
+static status_t process_r(private_ike_delete_t *this, message_t *message)
+{
+	/* we don't even scan the payloads, as the message wouldn't have
+	 * come so far without being correct */
+	DBG1(DBG_IKE, "received DELETE for IKE_SA %s[%d]",
+		 this->ike_sa->get_name(this->ike_sa),
+		 this->ike_sa->get_unique_id(this->ike_sa));
+	DBG0(DBG_IKE, "deleting IKE_SA %s[%d] between %H[%Y]...%H[%Y]",
+		 this->ike_sa->get_name(this->ike_sa),
+		 this->ike_sa->get_unique_id(this->ike_sa),
+		 this->ike_sa->get_my_host(this->ike_sa),
+		 this->ike_sa->get_my_id(this->ike_sa),
+		 this->ike_sa->get_other_host(this->ike_sa),
+		 this->ike_sa->get_other_id(this->ike_sa));
+
+	switch (this->ike_sa->get_state(this->ike_sa))
+	{
+		case IKE_ESTABLISHED:
+			this->ike_sa->set_state(this->ike_sa, IKE_DELETING);
+			this->ike_sa->reestablish(this->ike_sa);
+			return NEED_MORE;
+		case IKE_REKEYING:
+			this->rekeyed = TRUE;
+			break;
+		case IKE_DELETING:
+			this->simultaneous = TRUE;
+			break;
+		default:
+			break;
+	}
+	this->ike_sa->set_state(this->ike_sa, IKE_DELETING);
+	return NEED_MORE;
+}
+
+/**
+ * Implementation of task_t.build for responder
+ */
+static status_t build_r(private_ike_delete_t *this, message_t *message)
+{
+	DBG0(DBG_IKE, "IKE_SA deleted");
+
+	if (this->simultaneous)
+	{
+		/* wait for peer's response for our delete request, but set a timeout */
+		return SUCCESS;
+	}
+	if (!this->rekeyed)
+	{	/* invoke ike_down() hook if SA has not been rekeyed */
+		charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
+	}
+	/* completed, delete IKE_SA by returning DESTROY_ME */
+	return DESTROY_ME;
+}
+
+/**
+ * Implementation of task_t.get_type
+ */
+static task_type_t get_type(private_ike_delete_t *this)
+{
+	return IKE_DELETE;
+}
+
+/**
+ * Implementation of task_t.migrate
+ */
+static void migrate(private_ike_delete_t *this, ike_sa_t *ike_sa)
+{
+	this->ike_sa = ike_sa;
+	this->simultaneous = FALSE;
+}
+
+/**
+ * Implementation of task_t.destroy
+ */
+static void destroy(private_ike_delete_t *this)
+{
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+ike_delete_t *ike_delete_create(ike_sa_t *ike_sa, bool initiator)
+{
+	private_ike_delete_t *this = malloc_thing(private_ike_delete_t);
+
+	this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
+	this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
+	this->public.task.destroy = (void(*)(task_t*))destroy;
+
+	if (initiator)
+	{
+		this->public.task.build = (status_t(*)(task_t*,message_t*))build_i;
+		this->public.task.process = (status_t(*)(task_t*,message_t*))process_i;
+	}
+	else
+	{
+		this->public.task.build = (status_t(*)(task_t*,message_t*))build_r;
+		this->public.task.process = (status_t(*)(task_t*,message_t*))process_r;
+	}
+
+	this->ike_sa = ike_sa;
+	this->initiator = initiator;
+	this->rekeyed = FALSE;
+	this->simultaneous = FALSE;
+
+	return &this->public;
+}
diff --git a/src/libcharon/sa/tasks/ike_delete.h b/src/libcharon/sa/tasks/ike_delete.h
new file mode 100644
index 000000000..82782f393
--- /dev/null
+++ b/src/libcharon/sa/tasks/ike_delete.h
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ike_delete ike_delete
+ * @{ @ingroup tasks
+ */
+
+#ifndef IKE_DELETE_H_
+#define IKE_DELETE_H_
+
+typedef struct ike_delete_t ike_delete_t;
+
+#include <library.h>
+#include <sa/ike_sa.h>
+#include <sa/tasks/task.h>
+
+/**
+ * Task of type ike_delete, delete an IKE_SA.
+ */
+struct ike_delete_t {
+
+	/**
+	 * Implements the task_t interface
+	 */
+	task_t task;
+};
+
+/**
+ * Create a new ike_delete task.
+ *
+ * @param ike_sa		IKE_SA this task works for
+ * @param initiator		TRUE if we initiate the delete
+ * @return				ike_delete task to handle by the task_manager
+ */
+ike_delete_t *ike_delete_create(ike_sa_t *ike_sa, bool initiator);
+
+#endif /** IKE_DELETE_H_ @}*/
diff --git a/src/libcharon/sa/tasks/ike_dpd.c b/src/libcharon/sa/tasks/ike_dpd.c
new file mode 100644
index 000000000..4c6ba7662
--- /dev/null
+++ b/src/libcharon/sa/tasks/ike_dpd.c
@@ -0,0 +1,99 @@
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ike_dpd.h"
+
+#include <daemon.h>
+
+
+typedef struct private_ike_dpd_t private_ike_dpd_t;
+
+/**
+ * Private members of a ike_dpd_t task.
+ */
+struct private_ike_dpd_t {
+
+	/**
+	 * Public methods and task_t interface.
+	 */
+	ike_dpd_t public;
+};
+
+/**
+ * Implementation of task_t.build for initiator
+ * Implementation of task_t.process for responder
+ */
+static status_t return_need_more(private_ike_dpd_t *this, message_t *message)
+{
+	return NEED_MORE;
+}
+
+/**
+ * Implementation of task_t.process for initiator
+ * Implementation of task_t.build for responder
+ */
+static status_t return_success(private_ike_dpd_t *this, message_t *message)
+{
+	return SUCCESS;
+}
+
+/**
+ * Implementation of task_t.get_type
+ */
+static task_type_t get_type(private_ike_dpd_t *this)
+{
+	return IKE_DPD;
+}
+
+/**
+ * Implementation of task_t.migrate
+ */
+static void migrate(private_ike_dpd_t *this, ike_sa_t *ike_sa)
+{
+
+}
+
+/**
+ * Implementation of task_t.destroy
+ */
+static void destroy(private_ike_dpd_t *this)
+{
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+ike_dpd_t *ike_dpd_create(bool initiator)
+{
+	private_ike_dpd_t *this = malloc_thing(private_ike_dpd_t);
+
+	this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
+	this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
+	this->public.task.destroy = (void(*)(task_t*))destroy;
+
+	if (initiator)
+	{
+		this->public.task.build = (status_t(*)(task_t*,message_t*))return_need_more;
+		this->public.task.process = (status_t(*)(task_t*,message_t*))return_success;
+	}
+	else
+	{
+		this->public.task.build = (status_t(*)(task_t*,message_t*))return_success;
+		this->public.task.process = (status_t(*)(task_t*,message_t*))return_need_more;
+	}
+
+	return &this->public;
+}
diff --git a/src/libcharon/sa/tasks/ike_dpd.h b/src/libcharon/sa/tasks/ike_dpd.h
new file mode 100644
index 000000000..36388d15b
--- /dev/null
+++ b/src/libcharon/sa/tasks/ike_dpd.h
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ike_dpd ike_dpd
+ * @{ @ingroup tasks
+ */
+
+#ifndef IKE_DPD_H_
+#define IKE_DPD_H_
+
+typedef struct ike_dpd_t ike_dpd_t;
+
+#include <library.h>
+#include <sa/ike_sa.h>
+#include <sa/tasks/task.h>
+
+/**
+ * Task of type ike_dpd, detects dead peers.
+ *
+ * The DPD task actually does nothing, as a DPD has no associated payloads.
+ */
+struct ike_dpd_t {
+
+	/**
+	 * Implements the task_t interface
+	 */
+	task_t task;
+};
+
+/**
+ * Create a new ike_dpd task.
+ *
+ * @param initiator		TRUE if thask is the original initator
+ * @return				ike_dpd task to handle by the task_manager
+ */
+ike_dpd_t *ike_dpd_create(bool initiator);
+
+#endif /** IKE_DPD_H_ @}*/
diff --git a/src/libcharon/sa/tasks/ike_init.c b/src/libcharon/sa/tasks/ike_init.c
new file mode 100644
index 000000000..5eb33b540
--- /dev/null
+++ b/src/libcharon/sa/tasks/ike_init.c
@@ -0,0 +1,600 @@
+/*
+ * Copyright (C) 2008-2009 Tobias Brunner
+ * Copyright (C) 2005-2008 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ike_init.h"
+
+#include <string.h>
+
+#include <daemon.h>
+#include <crypto/diffie_hellman.h>
+#include <encoding/payloads/sa_payload.h>
+#include <encoding/payloads/ke_payload.h>
+#include <encoding/payloads/nonce_payload.h>
+
+/** maximum retries to do with cookies/other dh groups */
+#define MAX_RETRIES 5
+
+typedef struct private_ike_init_t private_ike_init_t;
+
+/**
+ * Private members of a ike_init_t task.
+ */
+struct private_ike_init_t {
+
+	/**
+	 * Public methods and task_t interface.
+	 */
+	ike_init_t public;
+
+	/**
+	 * Assigned IKE_SA.
+	 */
+	ike_sa_t *ike_sa;
+
+	/**
+	 * Are we the initiator?
+	 */
+	bool initiator;
+
+	/**
+	 * IKE config to establish
+	 */
+	ike_cfg_t *config;
+
+	/**
+	 * diffie hellman group to use
+	 */
+	diffie_hellman_group_t dh_group;
+
+	/**
+	 * diffie hellman key exchange
+	 */
+	diffie_hellman_t *dh;
+
+	/**
+	 * Keymat derivation (from IKE_SA)
+	 */
+	keymat_t *keymat;
+
+	/**
+	 * nonce chosen by us
+	 */
+	chunk_t my_nonce;
+
+	/**
+	 * nonce chosen by peer
+	 */
+	chunk_t other_nonce;
+
+	/**
+	 * Negotiated proposal used for IKE_SA
+	 */
+	proposal_t *proposal;
+
+	/**
+	 * Old IKE_SA which gets rekeyed
+	 */
+	ike_sa_t *old_sa;
+
+	/**
+	 * cookie received from responder
+	 */
+	chunk_t cookie;
+
+	/**
+	 * retries done so far after failure (cookie or bad dh group)
+	 */
+	u_int retry;
+};
+
+/**
+ * build the payloads for the message
+ */
+static void build_payloads(private_ike_init_t *this, message_t *message)
+{
+	sa_payload_t *sa_payload;
+	ke_payload_t *ke_payload;
+	nonce_payload_t *nonce_payload;
+	linked_list_t *proposal_list;
+	ike_sa_id_t *id;
+	proposal_t *proposal;
+	iterator_t *iterator;
+
+	id = this->ike_sa->get_id(this->ike_sa);
+
+	this->config = this->ike_sa->get_ike_cfg(this->ike_sa);
+
+	if (this->initiator)
+	{
+		proposal_list = this->config->get_proposals(this->config);
+		if (this->old_sa)
+		{
+			/* include SPI of new IKE_SA when we are rekeying */
+			iterator = proposal_list->create_iterator(proposal_list, TRUE);
+			while (iterator->iterate(iterator, (void**)&proposal))
+			{
+				proposal->set_spi(proposal, id->get_initiator_spi(id));
+			}
+			iterator->destroy(iterator);
+		}
+
+		sa_payload = sa_payload_create_from_proposal_list(proposal_list);
+		proposal_list->destroy_offset(proposal_list, offsetof(proposal_t, destroy));
+	}
+	else
+	{
+		if (this->old_sa)
+		{
+			/* include SPI of new IKE_SA when we are rekeying */
+			this->proposal->set_spi(this->proposal, id->get_responder_spi(id));
+		}
+		sa_payload = sa_payload_create_from_proposal(this->proposal);
+	}
+	message->add_payload(message, (payload_t*)sa_payload);
+
+	nonce_payload = nonce_payload_create();
+	nonce_payload->set_nonce(nonce_payload, this->my_nonce);
+	ke_payload = ke_payload_create_from_diffie_hellman(this->dh);
+
+	if (this->old_sa)
+	{	/* payload order differs if we are rekeying */
+		message->add_payload(message, (payload_t*)nonce_payload);
+		message->add_payload(message, (payload_t*)ke_payload);
+	}
+	else
+	{
+		message->add_payload(message, (payload_t*)ke_payload);
+		message->add_payload(message, (payload_t*)nonce_payload);
+	}
+}
+
+/**
+ * Read payloads from message
+ */
+static void process_payloads(private_ike_init_t *this, message_t *message)
+{
+	enumerator_t *enumerator;
+	payload_t *payload;
+
+	enumerator = message->create_payload_enumerator(message);
+	while (enumerator->enumerate(enumerator, &payload))
+	{
+		switch (payload->get_type(payload))
+		{
+			case SECURITY_ASSOCIATION:
+			{
+				sa_payload_t *sa_payload = (sa_payload_t*)payload;
+				linked_list_t *proposal_list;
+				bool private;
+
+				proposal_list = sa_payload->get_proposals(sa_payload);
+				private = this->ike_sa->supports_extension(this->ike_sa,
+														   EXT_STRONGSWAN);
+				this->proposal = this->config->select_proposal(this->config,
+														proposal_list, private);
+				proposal_list->destroy_offset(proposal_list,
+											  offsetof(proposal_t, destroy));
+				break;
+			}
+			case KEY_EXCHANGE:
+			{
+				ke_payload_t *ke_payload = (ke_payload_t*)payload;
+
+				this->dh_group = ke_payload->get_dh_group_number(ke_payload);
+				if (!this->initiator)
+				{
+					this->dh = this->keymat->create_dh(this->keymat,
+													   this->dh_group);
+				}
+				if (this->dh)
+				{
+					this->dh->set_other_public_value(this->dh,
+								ke_payload->get_key_exchange_data(ke_payload));
+				}
+				break;
+			}
+			case NONCE:
+			{
+				nonce_payload_t *nonce_payload = (nonce_payload_t*)payload;
+
+				this->other_nonce = nonce_payload->get_nonce(nonce_payload);
+				break;
+			}
+			default:
+				break;
+		}
+	}
+	enumerator->destroy(enumerator);
+}
+
+/**
+ * Implementation of task_t.process for initiator
+ */
+static status_t build_i(private_ike_init_t *this, message_t *message)
+{
+	rng_t *rng;
+
+	this->config = this->ike_sa->get_ike_cfg(this->ike_sa);
+	DBG0(DBG_IKE, "initiating IKE_SA %s[%d] to %H",
+		 this->ike_sa->get_name(this->ike_sa),
+		 this->ike_sa->get_unique_id(this->ike_sa),
+		 this->ike_sa->get_other_host(this->ike_sa));
+	this->ike_sa->set_state(this->ike_sa, IKE_CONNECTING);
+
+	if (this->retry >= MAX_RETRIES)
+	{
+		DBG1(DBG_IKE, "giving up after %d retries", MAX_RETRIES);
+		return FAILED;
+	}
+
+	/* if the DH group is set via use_dh_group(), we already have a DH object */
+	if (!this->dh)
+	{
+		this->dh_group = this->config->get_dh_group(this->config);
+		this->dh = this->keymat->create_dh(this->keymat, this->dh_group);
+		if (!this->dh)
+		{
+			DBG1(DBG_IKE, "configured DH group %N not supported",
+				diffie_hellman_group_names, this->dh_group);
+			return FAILED;
+		}
+	}
+
+	/* generate nonce only when we are trying the first time */
+	if (this->my_nonce.ptr == NULL)
+	{
+		rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
+		if (!rng)
+		{
+			DBG1(DBG_IKE, "error generating nonce");
+			return FAILED;
+		}
+		rng->allocate_bytes(rng, NONCE_SIZE, &this->my_nonce);
+		rng->destroy(rng);
+	}
+
+	if (this->cookie.ptr)
+	{
+		message->add_notify(message, FALSE, COOKIE, this->cookie);
+	}
+
+	build_payloads(this, message);
+
+#ifdef ME
+	{
+		chunk_t connect_id = this->ike_sa->get_connect_id(this->ike_sa);
+		if (connect_id.ptr)
+		{
+			message->add_notify(message, FALSE, ME_CONNECTID, connect_id);
+		}
+	}
+#endif /* ME */
+
+	return NEED_MORE;
+}
+
+/**
+ * Implementation of task_t.process for responder
+ */
+static status_t process_r(private_ike_init_t *this, message_t *message)
+{
+	rng_t *rng;
+
+	this->config = this->ike_sa->get_ike_cfg(this->ike_sa);
+	DBG0(DBG_IKE, "%H is initiating an IKE_SA", message->get_source(message));
+	this->ike_sa->set_state(this->ike_sa, IKE_CONNECTING);
+
+	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
+	if (!rng)
+	{
+		DBG1(DBG_IKE, "error generating nonce");
+		return FAILED;
+	}
+	rng->allocate_bytes(rng, NONCE_SIZE, &this->my_nonce);
+	rng->destroy(rng);
+
+#ifdef ME
+	{
+		notify_payload_t *notify = message->get_notify(message, ME_CONNECTID);
+		if (notify)
+		{
+			chunk_t connect_id = notify->get_notification_data(notify);
+			DBG2(DBG_IKE, "received ME_CONNECTID %#B", &connect_id);
+			charon->connect_manager->stop_checks(charon->connect_manager,
+												 connect_id);
+		}
+	}
+#endif /* ME */
+
+	process_payloads(this, message);
+
+	return NEED_MORE;
+}
+
+/**
+ * Derive the keymat for the IKE_SA
+ */
+static bool derive_keys(private_ike_init_t *this,
+						chunk_t nonce_i, chunk_t nonce_r)
+{
+	keymat_t *old_keymat;
+	pseudo_random_function_t prf_alg = PRF_UNDEFINED;
+	chunk_t skd = chunk_empty;
+	ike_sa_id_t *id;
+
+	id = this->ike_sa->get_id(this->ike_sa);
+	if (this->old_sa)
+	{
+		/* rekeying: Include old SKd, use old PRF, apply SPI */
+		old_keymat = this->old_sa->get_keymat(this->old_sa);
+		prf_alg = old_keymat->get_skd(old_keymat, &skd);
+		if (this->initiator)
+		{
+			id->set_responder_spi(id, this->proposal->get_spi(this->proposal));
+		}
+		else
+		{
+			id->set_initiator_spi(id, this->proposal->get_spi(this->proposal));
+		}
+	}
+	if (!this->keymat->derive_ike_keys(this->keymat, this->proposal, this->dh,
+									   nonce_i, nonce_r, id, prf_alg, skd))
+	{
+		return FALSE;
+	}
+	charon->bus->ike_keys(charon->bus, this->ike_sa, this->dh,
+						  nonce_i, nonce_r, this->old_sa);
+	return TRUE;
+}
+
+/**
+ * Implementation of task_t.build for responder
+ */
+static status_t build_r(private_ike_init_t *this, message_t *message)
+{
+	/* check if we have everything we need */
+	if (this->proposal == NULL ||
+		this->other_nonce.len == 0 || this->my_nonce.len == 0)
+	{
+		DBG1(DBG_IKE, "received proposals inacceptable");
+		message->add_notify(message, TRUE, NO_PROPOSAL_CHOSEN, chunk_empty);
+		return FAILED;
+	}
+	this->ike_sa->set_proposal(this->ike_sa, this->proposal);
+
+	if (this->dh == NULL ||
+		!this->proposal->has_dh_group(this->proposal, this->dh_group))
+	{
+		u_int16_t group;
+
+		if (this->proposal->get_algorithm(this->proposal, DIFFIE_HELLMAN_GROUP,
+										  &group, NULL))
+		{
+			DBG1(DBG_IKE, "DH group %N inacceptable, requesting %N",
+				 diffie_hellman_group_names, this->dh_group,
+				 diffie_hellman_group_names, group);
+			this->dh_group = group;
+			group = htons(group);
+			message->add_notify(message, FALSE, INVALID_KE_PAYLOAD,
+								chunk_from_thing(group));
+		}
+		else
+		{
+			DBG1(DBG_IKE, "no acceptable proposal found");
+		}
+		return FAILED;
+	}
+
+	if (!derive_keys(this, this->other_nonce, this->my_nonce))
+	{
+		DBG1(DBG_IKE, "key derivation failed");
+		message->add_notify(message, TRUE, NO_PROPOSAL_CHOSEN, chunk_empty);
+		return FAILED;
+	}
+	build_payloads(this, message);
+	return SUCCESS;
+}
+
+/**
+ * Implementation of task_t.process for initiator
+ */
+static status_t process_i(private_ike_init_t *this, message_t *message)
+{
+	enumerator_t *enumerator;
+	payload_t *payload;
+
+	/* check for erronous notifies */
+	enumerator = message->create_payload_enumerator(message);
+	while (enumerator->enumerate(enumerator, &payload))
+	{
+		if (payload->get_type(payload) == NOTIFY)
+		{
+			notify_payload_t *notify = (notify_payload_t*)payload;
+			notify_type_t type = notify->get_notify_type(notify);
+
+			switch (type)
+			{
+				case INVALID_KE_PAYLOAD:
+				{
+					chunk_t data;
+					diffie_hellman_group_t bad_group;
+
+					bad_group = this->dh_group;
+					data = notify->get_notification_data(notify);
+					this->dh_group = ntohs(*((u_int16_t*)data.ptr));
+					DBG1(DBG_IKE, "peer didn't accept DH group %N, "
+						 "it requested %N", diffie_hellman_group_names,
+						 bad_group, diffie_hellman_group_names, this->dh_group);
+
+					if (this->old_sa == NULL)
+					{	/* reset the IKE_SA if we are not rekeying */
+						this->ike_sa->reset(this->ike_sa);
+					}
+
+					enumerator->destroy(enumerator);
+					this->retry++;
+					return NEED_MORE;
+				}
+				case NAT_DETECTION_SOURCE_IP:
+				case NAT_DETECTION_DESTINATION_IP:
+					/* skip, handled in ike_natd_t */
+					break;
+				case MULTIPLE_AUTH_SUPPORTED:
+					/* handled in ike_auth_t */
+					break;
+				case COOKIE:
+				{
+					chunk_free(&this->cookie);
+					this->cookie = chunk_clone(notify->get_notification_data(notify));
+					this->ike_sa->reset(this->ike_sa);
+					enumerator->destroy(enumerator);
+					DBG2(DBG_IKE, "received %N notify", notify_type_names, type);
+					this->retry++;
+					return NEED_MORE;
+				}
+				default:
+				{
+					if (type < 16383)
+					{
+						DBG1(DBG_IKE, "received %N notify error",
+							 notify_type_names, type);
+						enumerator->destroy(enumerator);
+						return FAILED;
+					}
+					DBG2(DBG_IKE, "received %N notify",
+						notify_type_names, type);
+					break;
+				}
+			}
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	process_payloads(this, message);
+
+	/* check if we have everything */
+	if (this->proposal == NULL ||
+		this->other_nonce.len == 0 || this->my_nonce.len == 0)
+	{
+		DBG1(DBG_IKE, "peers proposal selection invalid");
+		return FAILED;
+	}
+	this->ike_sa->set_proposal(this->ike_sa, this->proposal);
+
+	if (this->dh == NULL ||
+		!this->proposal->has_dh_group(this->proposal, this->dh_group))
+	{
+		DBG1(DBG_IKE, "peer DH group selection invalid");
+		return FAILED;
+	}
+
+	if (!derive_keys(this, this->my_nonce, this->other_nonce))
+	{
+		DBG1(DBG_IKE, "key derivation failed");
+		return FAILED;
+	}
+	return SUCCESS;
+}
+
+/**
+ * Implementation of task_t.get_type
+ */
+static task_type_t get_type(private_ike_init_t *this)
+{
+	return IKE_INIT;
+}
+
+/**
+ * Implementation of task_t.get_type
+ */
+static chunk_t get_lower_nonce(private_ike_init_t *this)
+{
+	if (memcmp(this->my_nonce.ptr, this->other_nonce.ptr,
+			   min(this->my_nonce.len, this->other_nonce.len)) < 0)
+	{
+		return this->my_nonce;
+	}
+	else
+	{
+		return this->other_nonce;
+	}
+}
+
+/**
+ * Implementation of task_t.migrate
+ */
+static void migrate(private_ike_init_t *this, ike_sa_t *ike_sa)
+{
+	DESTROY_IF(this->proposal);
+	chunk_free(&this->other_nonce);
+
+	this->ike_sa = ike_sa;
+	this->proposal = NULL;
+	DESTROY_IF(this->dh);
+	this->dh = this->keymat->create_dh(this->keymat, this->dh_group);
+}
+
+/**
+ * Implementation of task_t.destroy
+ */
+static void destroy(private_ike_init_t *this)
+{
+	DESTROY_IF(this->dh);
+	DESTROY_IF(this->proposal);
+	chunk_free(&this->my_nonce);
+	chunk_free(&this->other_nonce);
+	chunk_free(&this->cookie);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+ike_init_t *ike_init_create(ike_sa_t *ike_sa, bool initiator, ike_sa_t *old_sa)
+{
+	private_ike_init_t *this = malloc_thing(private_ike_init_t);
+
+	this->public.get_lower_nonce = (chunk_t(*)(ike_init_t*))get_lower_nonce;
+	this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
+	this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
+	this->public.task.destroy = (void(*)(task_t*))destroy;
+	if (initiator)
+	{
+		this->public.task.build = (status_t(*)(task_t*,message_t*))build_i;
+		this->public.task.process = (status_t(*)(task_t*,message_t*))process_i;
+	}
+	else
+	{
+		this->public.task.build = (status_t(*)(task_t*,message_t*))build_r;
+		this->public.task.process = (status_t(*)(task_t*,message_t*))process_r;
+	}
+
+	this->ike_sa = ike_sa;
+	this->initiator = initiator;
+	this->dh_group = MODP_NONE;
+	this->dh = NULL;
+	this->keymat = ike_sa->get_keymat(ike_sa);
+	this->my_nonce = chunk_empty;
+	this->other_nonce = chunk_empty;
+	this->cookie = chunk_empty;
+	this->proposal = NULL;
+	this->config = NULL;
+	this->old_sa = old_sa;
+	this->retry = 0;
+
+	return &this->public;
+}
diff --git a/src/libcharon/sa/tasks/ike_init.h b/src/libcharon/sa/tasks/ike_init.h
new file mode 100644
index 000000000..7bd784cff
--- /dev/null
+++ b/src/libcharon/sa/tasks/ike_init.h
@@ -0,0 +1,60 @@
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ike_init ike_init
+ * @{ @ingroup tasks
+ */
+
+#ifndef IKE_INIT_H_
+#define IKE_INIT_H_
+
+typedef struct ike_init_t ike_init_t;
+
+#include <library.h>
+#include <sa/ike_sa.h>
+#include <sa/tasks/task.h>
+
+/**
+ * Task of type IKE_INIT, creates an IKE_SA without authentication.
+ *
+ * The authentication of is handle in the ike_auth task.
+ */
+struct ike_init_t {
+
+	/**
+	 * Implements the task_t interface
+	 */
+	task_t task;
+
+	/**
+	 * Get the lower of the two nonces, used for rekey collisions.
+	 *
+	 * @return			lower nonce
+	 */
+	chunk_t (*get_lower_nonce) (ike_init_t *this);
+};
+
+/**
+ * Create a new IKE_INIT task.
+ *
+ * @param ike_sa		IKE_SA this task works for (new one when rekeying)
+ * @param initiator		TRUE if thask is the original initator
+ * @param old_sa		old IKE_SA when we are rekeying
+ * @return				ike_init task to handle by the task_manager
+ */
+ike_init_t *ike_init_create(ike_sa_t *ike_sa, bool initiator, ike_sa_t *old_sa);
+
+#endif /** IKE_INIT_H_ @}*/
diff --git a/src/libcharon/sa/tasks/ike_me.c b/src/libcharon/sa/tasks/ike_me.c
new file mode 100644
index 000000000..2d2847ae0
--- /dev/null
+++ b/src/libcharon/sa/tasks/ike_me.c
@@ -0,0 +1,856 @@
+/*
+ * Copyright (C) 2007-2008 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ike_me.h"
+
+#include <string.h>
+
+#include <daemon.h>
+#include <config/peer_cfg.h>
+#include <encoding/payloads/id_payload.h>
+#include <encoding/payloads/notify_payload.h>
+#include <encoding/payloads/endpoint_notify.h>
+#include <processing/jobs/mediation_job.h>
+
+#define ME_CONNECTID_LEN 4
+#define ME_CONNECTKEY_LEN 16
+
+typedef struct private_ike_me_t private_ike_me_t;
+
+/**
+ * Private members of a ike_me_t task.
+ */
+struct private_ike_me_t {
+
+	/**
+	 * Public methods and task_t interface.
+	 */
+	ike_me_t public;
+
+	/**
+	 * Assigned IKE_SA.
+	 */
+	ike_sa_t *ike_sa;
+
+	/**
+	 * Are we the initiator?
+	 */
+	bool initiator;
+
+	/**
+	 * Is this a mediation connection?
+	 */
+	bool mediation;
+
+	/**
+	 * Is this the response from another peer?
+	 */
+	bool response;
+
+	/**
+	 * Gathered endpoints
+	 */
+	linked_list_t *local_endpoints;
+
+	/**
+	 * Parsed endpoints
+	 */
+	linked_list_t *remote_endpoints;
+
+	/**
+	 * Did the peer request a callback?
+	 */
+	bool callback;
+
+	/**
+	 * Did the connect fail?
+	 */
+	bool failed;
+
+	/**
+	 * Was there anything wrong with the payloads?
+	 */
+	bool invalid_syntax;
+
+	/**
+	 * The requested peer
+	 */
+	identification_t *peer_id;
+	/**
+	 * Received ID used for connectivity checks
+	 */
+	chunk_t connect_id;
+
+	/**
+	 * Received key used for connectivity checks
+	 */
+	chunk_t connect_key;
+
+	/**
+	 * Peer config of the mediated connection
+	 */
+	peer_cfg_t *mediated_cfg;
+
+};
+
+/**
+ * Adds a list of endpoints as notifies to a given message
+ */
+static void add_endpoints_to_message(message_t *message, linked_list_t *endpoints)
+{
+	iterator_t *iterator;
+	endpoint_notify_t *endpoint;
+
+	iterator = endpoints->create_iterator(endpoints, TRUE);
+	while (iterator->iterate(iterator, (void**)&endpoint))
+	{
+		message->add_payload(message, (payload_t*)endpoint->build_notify(endpoint));
+	}
+	iterator->destroy(iterator);
+}
+
+/**
+ * Gathers endpoints and adds them to the current message
+ */
+static void gather_and_add_endpoints(private_ike_me_t *this, message_t *message)
+{
+	enumerator_t *enumerator;
+	host_t *addr, *host;
+	u_int16_t port;
+
+	/* get the port that is used to communicate with the ms */
+	host = this->ike_sa->get_my_host(this->ike_sa);
+	port = host->get_port(host);
+
+	enumerator = charon->kernel_interface->create_address_enumerator(
+										charon->kernel_interface, FALSE, FALSE);
+	while (enumerator->enumerate(enumerator, (void**)&addr))
+	{
+		host = addr->clone(addr);
+		host->set_port(host, port);
+
+		this->local_endpoints->insert_last(this->local_endpoints,
+				endpoint_notify_create_from_host(HOST, host, NULL));
+
+		host->destroy(host);
+	}
+	enumerator->destroy(enumerator);
+
+	host = this->ike_sa->get_server_reflexive_host(this->ike_sa);
+	if (host)
+	{
+		this->local_endpoints->insert_last(this->local_endpoints,
+				endpoint_notify_create_from_host(SERVER_REFLEXIVE, host,
+						this->ike_sa->get_my_host(this->ike_sa)));
+	}
+
+	add_endpoints_to_message(message, this->local_endpoints);
+}
+
+/**
+ * read notifys from message and evaluate them
+ */
+static void process_payloads(private_ike_me_t *this, message_t *message)
+{
+	enumerator_t *enumerator;
+	payload_t *payload;
+
+	enumerator = message->create_payload_enumerator(message);
+	while (enumerator->enumerate(enumerator, &payload))
+	{
+		if (payload->get_type(payload) != NOTIFY)
+		{
+			continue;
+		}
+
+		notify_payload_t *notify = (notify_payload_t*)payload;
+
+		switch (notify->get_notify_type(notify))
+		{
+			case ME_CONNECT_FAILED:
+			{
+				DBG2(DBG_IKE, "received ME_CONNECT_FAILED notify");
+				this->failed = TRUE;
+				break;
+			}
+			case ME_MEDIATION:
+			{
+				DBG2(DBG_IKE, "received ME_MEDIATION notify");
+				this->mediation = TRUE;
+				break;
+			}
+			case ME_ENDPOINT:
+			{
+				endpoint_notify_t *endpoint;
+				endpoint = endpoint_notify_create_from_payload(notify);
+				if (!endpoint)
+				{
+					DBG1(DBG_IKE, "received invalid ME_ENDPOINT notify");
+					break;
+				}
+				DBG1(DBG_IKE, "received %N ME_ENDPOINT %#H",
+					 me_endpoint_type_names, endpoint->get_type(endpoint),
+					 endpoint->get_host(endpoint));
+
+				this->remote_endpoints->insert_last(this->remote_endpoints,
+													endpoint);
+				break;
+			}
+			case ME_CALLBACK:
+			{
+				DBG2(DBG_IKE, "received ME_CALLBACK notify");
+				this->callback = TRUE;
+				break;
+			}
+			case ME_CONNECTID:
+			{
+				chunk_free(&this->connect_id);
+				this->connect_id = chunk_clone(notify->get_notification_data(notify));
+				DBG2(DBG_IKE, "received ME_CONNECTID %#B", &this->connect_id);
+				break;
+			}
+			case ME_CONNECTKEY:
+			{
+				chunk_free(&this->connect_key);
+				this->connect_key = chunk_clone(notify->get_notification_data(notify));
+				DBG4(DBG_IKE, "received ME_CONNECTKEY %#B", &this->connect_key);
+				break;
+			}
+			case ME_RESPONSE:
+			{
+				DBG2(DBG_IKE, "received ME_RESPONSE notify");
+				this->response = TRUE;
+				break;
+			}
+			default:
+				break;
+		}
+	}
+	enumerator->destroy(enumerator);
+}
+
+/**
+ * Implementation of task_t.build for initiator
+ */
+static status_t build_i(private_ike_me_t *this, message_t *message)
+{
+	switch(message->get_exchange_type(message))
+	{
+		case IKE_SA_INIT:
+		{
+			peer_cfg_t *peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
+			if (peer_cfg->is_mediation(peer_cfg))
+			{
+				DBG2(DBG_IKE, "adding ME_MEDIATION");
+				message->add_notify(message, FALSE, ME_MEDIATION, chunk_empty);
+			}
+			else
+			{
+				return SUCCESS;
+			}
+			break;
+		}
+		case IKE_AUTH:
+		{
+			if (this->ike_sa->has_condition(this->ike_sa, COND_NAT_HERE))
+			{
+				endpoint_notify_t *endpoint;
+				endpoint = endpoint_notify_create_from_host(SERVER_REFLEXIVE,
+															NULL, NULL);
+				message->add_payload(message, (payload_t*)endpoint->build_notify(endpoint));
+				endpoint->destroy(endpoint);
+			}
+			break;
+		}
+		case ME_CONNECT:
+		{
+			rng_t *rng;
+			id_payload_t *id_payload;
+			id_payload = id_payload_create_from_identification(ID_PEER,
+															   this->peer_id);
+			message->add_payload(message, (payload_t*)id_payload);
+
+			rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
+			if (!rng)
+			{
+				DBG1(DBG_IKE, "unable to generate connect ID for ME_CONNECT");
+				return FAILED;
+			}
+			if (!this->response)
+			{
+				/* only the initiator creates a connect ID. the responder
+				 * returns the connect ID that it received from the initiator */
+				rng->allocate_bytes(rng, ME_CONNECTID_LEN, &this->connect_id);
+			}
+			rng->allocate_bytes(rng, ME_CONNECTKEY_LEN, &this->connect_key);
+			rng->destroy(rng);
+
+			message->add_notify(message, FALSE, ME_CONNECTID, this->connect_id);
+			message->add_notify(message, FALSE, ME_CONNECTKEY, this->connect_key);
+
+			if (this->response)
+			{
+				message->add_notify(message, FALSE, ME_RESPONSE, chunk_empty);
+			}
+			else
+			{
+				/* FIXME: should we make this configurable? */
+				message->add_notify(message, FALSE, ME_CALLBACK, chunk_empty);
+			}
+
+			gather_and_add_endpoints(this, message);
+
+			break;
+		}
+		default:
+			break;
+	}
+	return NEED_MORE;
+}
+
+/**
+ * Implementation of task_t.process for responder
+ */
+static status_t process_r(private_ike_me_t *this, message_t *message)
+{
+	switch(message->get_exchange_type(message))
+	{
+		case ME_CONNECT:
+		{
+			id_payload_t *id_payload;
+			id_payload = (id_payload_t*)message->get_payload(message, ID_PEER);
+			if (!id_payload)
+			{
+				DBG1(DBG_IKE, "received ME_CONNECT without ID_PEER payload"
+					 ", aborting");
+				break;
+			}
+			this->peer_id = id_payload->get_identification(id_payload);
+
+			process_payloads(this, message);
+
+			if (this->callback)
+			{
+				DBG1(DBG_IKE, "received ME_CALLBACK for '%Y'", this->peer_id);
+				break;
+			}
+
+			if (!this->connect_id.ptr)
+			{
+				DBG1(DBG_IKE, "received ME_CONNECT without ME_CONNECTID notify"
+					 ", aborting");
+				this->invalid_syntax = TRUE;
+				break;
+			}
+
+			if (!this->connect_key.ptr)
+			{
+				DBG1(DBG_IKE, "received ME_CONNECT without ME_CONNECTKEY "
+					 "notify, aborting");
+				this->invalid_syntax = TRUE;
+				break;
+			}
+
+			if (!this->remote_endpoints->get_count(this->remote_endpoints))
+			{
+				DBG1(DBG_IKE, "received ME_CONNECT without any ME_ENDPOINT "
+					 "payloads, aborting");
+				this->invalid_syntax = TRUE;
+				break;
+			}
+
+			DBG1(DBG_IKE, "received ME_CONNECT");
+			break;
+		}
+		default:
+			break;
+	}
+	return NEED_MORE;
+}
+
+/**
+ * Implementation of task_t.build for responder
+ */
+static status_t build_r(private_ike_me_t *this, message_t *message)
+{
+	switch(message->get_exchange_type(message))
+	{
+		case ME_CONNECT:
+		{
+			if (this->invalid_syntax)
+			{
+				message->add_notify(message, TRUE, INVALID_SYNTAX, chunk_empty);
+				break;
+			}
+
+			if (this->callback)
+			{
+				/* we got a callback from the mediation server, initiate the
+				 * queued mediated connecction */
+				charon->connect_manager->check_and_initiate(
+						charon->connect_manager,
+						this->ike_sa->get_id(this->ike_sa),
+						this->ike_sa->get_my_id(this->ike_sa), this->peer_id);
+				return SUCCESS;
+			}
+
+			if (this->response)
+			{
+				/* FIXME: handle result of set_responder_data
+				 * as initiator, upon receiving a response from another peer,
+				 * update the checklist and start sending checks */
+				charon->connect_manager->set_responder_data(
+						charon->connect_manager,
+						this->connect_id, this->connect_key,
+						this->remote_endpoints);
+			}
+			else
+			{
+				/* FIXME: handle result of set_initiator_data
+				 * as responder, create a checklist with the initiator's data */
+				charon->connect_manager->set_initiator_data(
+						charon->connect_manager,
+						this->peer_id, this->ike_sa->get_my_id(this->ike_sa),
+						this->connect_id, this->connect_key,
+						this->remote_endpoints, FALSE);
+				if (this->ike_sa->respond(this->ike_sa, this->peer_id,
+										  this->connect_id) != SUCCESS)
+				{
+					return FAILED;
+				}
+			}
+			break;
+		}
+		default:
+			break;
+	}
+	return SUCCESS;
+}
+
+/**
+ * Implementation of task_t.process for initiator
+ */
+static status_t process_i(private_ike_me_t *this, message_t *message)
+{
+	switch(message->get_exchange_type(message))
+	{
+		case IKE_SA_INIT:
+		{
+			process_payloads(this, message);
+			if (!this->mediation)
+			{
+				DBG1(DBG_IKE, "server did not return a ME_MEDIATION, aborting");
+				return FAILED;
+			}
+			return NEED_MORE;
+		}
+		case IKE_AUTH:
+		{
+			process_payloads(this, message);
+			/* FIXME: we should update the server reflexive endpoint somehow,
+			 * if mobike notices a change */
+			endpoint_notify_t *reflexive;
+			if (this->remote_endpoints->get_first(this->remote_endpoints,
+											(void**)&reflexive) == SUCCESS &&
+				reflexive->get_type(reflexive) == SERVER_REFLEXIVE)
+			{	/* FIXME: should we accept this endpoint even if we did not send
+				 * a request? */
+				host_t *endpoint = reflexive->get_host(reflexive);
+				endpoint = endpoint->clone(endpoint);
+				this->ike_sa->set_server_reflexive_host(this->ike_sa, endpoint);
+			}
+			break;
+		}
+		case ME_CONNECT:
+		{
+			process_payloads(this, message);
+
+			if (this->failed)
+			{
+				DBG1(DBG_IKE, "peer '%Y' is not online", this->peer_id);
+				/* FIXME: notify the mediated connection (job?) */
+			}
+			else
+			{
+				if (this->response)
+				{
+					/* FIXME: handle result of set_responder_data. */
+					/* as responder, we update the checklist and start sending
+					 * checks */
+					charon->connect_manager->set_responder_data(
+							charon->connect_manager, this->connect_id,
+							this->connect_key, this->local_endpoints);
+				}
+				else
+				{
+					/* FIXME: handle result of set_initiator_data */
+					/* as initiator, we create a checklist and set the
+					 * initiator's data */
+					charon->connect_manager->set_initiator_data(
+							charon->connect_manager,
+							this->ike_sa->get_my_id(this->ike_sa),
+							this->peer_id, this->connect_id, this->connect_key,
+							this->local_endpoints, TRUE);
+					/* FIXME: also start a timer for the whole transaction
+					 * (maybe within the connect_manager?) */
+				}
+			}
+			break;
+		}
+		default:
+			break;
+	}
+	return SUCCESS;
+}
+
+/**
+ * Implementation of task_t.build for initiator (mediation server)
+ */
+static status_t build_i_ms(private_ike_me_t *this, message_t *message)
+{
+	switch(message->get_exchange_type(message))
+	{
+		case ME_CONNECT:
+		{
+			id_payload_t *id_payload;
+			id_payload = id_payload_create_from_identification(ID_PEER,
+															   this->peer_id);
+			message->add_payload(message, (payload_t*)id_payload);
+
+			if (this->callback)
+			{
+				message->add_notify(message, FALSE, ME_CALLBACK, chunk_empty);
+			}
+			else
+			{
+				if (this->response)
+				{
+					message->add_notify(message, FALSE, ME_RESPONSE,
+										chunk_empty);
+				}
+				message->add_notify(message, FALSE, ME_CONNECTID,
+									this->connect_id);
+				message->add_notify(message, FALSE, ME_CONNECTKEY,
+									this->connect_key);
+				add_endpoints_to_message(message, this->remote_endpoints);
+			}
+			break;
+		}
+		default:
+			break;
+	}
+	return NEED_MORE;
+}
+
+/**
+ * Implementation of task_t.process for responder (mediation server)
+ */
+static status_t process_r_ms(private_ike_me_t *this, message_t *message)
+{
+	switch(message->get_exchange_type(message))
+	{
+		case IKE_SA_INIT:
+		{
+			/* FIXME: we should check for SA* and TS* payloads. if there are
+			 * any, send NO_ADDITIONAL_SAS back and delete this SA */
+			process_payloads(this, message);
+			return this->mediation ? NEED_MORE : SUCCESS;
+		}
+		case IKE_AUTH:
+		{
+			/* FIXME: we should check whether the current peer_config is
+			 * configured as mediation connection */
+			process_payloads(this, message);
+			break;
+		}
+		case CREATE_CHILD_SA:
+		{
+			/* FIXME: if this is not to rekey the IKE SA we have to return a
+			 * NO_ADDITIONAL_SAS and then delete the SA */
+			break;
+		}
+		case ME_CONNECT:
+		{
+			id_payload_t *id_payload;
+			id_payload = (id_payload_t*)message->get_payload(message, ID_PEER);
+			if (!id_payload)
+			{
+				DBG1(DBG_IKE, "received ME_CONNECT without ID_PEER payload"
+					 ", aborting");
+				this->invalid_syntax = TRUE;
+				break;
+			}
+			this->peer_id = id_payload->get_identification(id_payload);
+
+			process_payloads(this, message);
+
+			if (!this->connect_id.ptr)
+			{
+				DBG1(DBG_IKE, "received ME_CONNECT without ME_CONNECTID notify"
+					 ", aborting");
+				this->invalid_syntax = TRUE;
+				break;
+			}
+
+			if (!this->connect_key.ptr)
+			{
+				DBG1(DBG_IKE, "received ME_CONNECT without ME_CONNECTKEY notify"
+					 ", aborting");
+				this->invalid_syntax = TRUE;
+				break;
+			}
+
+			if (!this->remote_endpoints->get_count(this->remote_endpoints))
+			{
+				DBG1(DBG_IKE, "received ME_CONNECT without any ME_ENDPOINT "
+					 "payloads, aborting");
+				this->invalid_syntax = TRUE;
+				break;
+			}
+			break;
+		}
+		default:
+			break;
+	}
+	return NEED_MORE;
+}
+
+/**
+ * Implementation of task_t.build for responder (mediation server)
+ */
+static status_t build_r_ms(private_ike_me_t *this, message_t *message)
+{
+	switch(message->get_exchange_type(message))
+	{
+		case IKE_SA_INIT:
+		{
+			message->add_notify(message, FALSE, ME_MEDIATION, chunk_empty);
+			return NEED_MORE;
+		}
+		case IKE_AUTH:
+		{
+			endpoint_notify_t *endpoint;
+			if (this->remote_endpoints->get_first(this->remote_endpoints,
+											(void**)&endpoint) == SUCCESS &&
+				endpoint->get_type(endpoint) == SERVER_REFLEXIVE)
+			{
+				host_t *host = this->ike_sa->get_other_host(this->ike_sa);
+				DBG2(DBG_IKE, "received request for a server reflexive "
+					 "endpoint sending: %#H", host);
+				endpoint = endpoint_notify_create_from_host(SERVER_REFLEXIVE,
+															host, NULL);
+				message->add_payload(message, (payload_t*)endpoint->build_notify(endpoint));
+				endpoint->destroy(endpoint);
+			}
+			this->ike_sa->act_as_mediation_server(this->ike_sa);
+			break;
+		}
+		case ME_CONNECT:
+		{
+			if (this->invalid_syntax)
+			{
+				message->add_notify(message, TRUE, INVALID_SYNTAX, chunk_empty);
+				break;
+			}
+
+			ike_sa_id_t *peer_sa;
+			if (this->callback)
+			{
+				peer_sa = charon->mediation_manager->check_and_register(
+									charon->mediation_manager, this->peer_id,
+									this->ike_sa->get_other_id(this->ike_sa));
+			}
+			else
+			{
+				peer_sa = charon->mediation_manager->check(
+									charon->mediation_manager, this->peer_id);
+			}
+
+			if (!peer_sa)
+			{
+				/* the peer is not online */
+				message->add_notify(message, TRUE, ME_CONNECT_FAILED,
+									chunk_empty);
+				break;
+			}
+
+			job_t *job = (job_t*)mediation_job_create(this->peer_id,
+					this->ike_sa->get_other_id(this->ike_sa), this->connect_id,
+					this->connect_key, this->remote_endpoints, this->response);
+			charon->processor->queue_job(charon->processor, job);
+			break;
+		}
+		default:
+			break;
+	}
+	return SUCCESS;
+}
+
+/**
+ * Implementation of task_t.process for initiator (mediation server)
+ */
+static status_t process_i_ms(private_ike_me_t *this, message_t *message)
+{
+	/* FIXME: theoretically we should be prepared to receive a ME_CONNECT_FAILED
+	 * here if the responding peer is not able to proceed. in this case we shall
+	 * notify the initiating peer with a ME_CONNECT request containing only a
+	 * ME_CONNECT_FAILED */
+	return SUCCESS;
+}
+
+/**
+ * Implementation of ike_me.connect
+ */
+static void me_connect(private_ike_me_t *this, identification_t *peer_id)
+{
+	this->peer_id = peer_id->clone(peer_id);
+}
+
+/**
+ * Implementation of ike_me.respond
+ */
+static void me_respond(private_ike_me_t *this, identification_t *peer_id,
+					   chunk_t connect_id)
+{
+	this->peer_id = peer_id->clone(peer_id);
+	this->connect_id = chunk_clone(connect_id);
+	this->response = TRUE;
+}
+
+/**
+ * Implementation of ike_me.callback
+ */
+static void me_callback(private_ike_me_t *this, identification_t *peer_id)
+{
+	this->peer_id = peer_id->clone(peer_id);
+	this->callback = TRUE;
+}
+
+/**
+ * Implementation of ike_me.relay
+ */
+static void relay(private_ike_me_t *this, identification_t *requester,
+				  chunk_t connect_id, chunk_t connect_key,
+				  linked_list_t *endpoints, bool response)
+{
+	this->peer_id = requester->clone(requester);
+	this->connect_id = chunk_clone(connect_id);
+	this->connect_key = chunk_clone(connect_key);
+
+	this->remote_endpoints->destroy_offset(this->remote_endpoints,
+										offsetof(endpoint_notify_t, destroy));
+	this->remote_endpoints = endpoints->clone_offset(endpoints,
+										offsetof(endpoint_notify_t, clone));
+
+	this->response = response;
+}
+
+/**
+ * Implementation of task_t.get_type
+ */
+static task_type_t get_type(private_ike_me_t *this)
+{
+	return IKE_ME;
+}
+
+/**
+ * Implementation of task_t.migrate
+ */
+static void migrate(private_ike_me_t *this, ike_sa_t *ike_sa)
+{
+	this->ike_sa = ike_sa;
+}
+
+/**
+ * Implementation of task_t.destroy
+ */
+static void destroy(private_ike_me_t *this)
+{
+	DESTROY_IF(this->peer_id);
+
+	chunk_free(&this->connect_id);
+	chunk_free(&this->connect_key);
+
+	this->local_endpoints->destroy_offset(this->local_endpoints,
+										offsetof(endpoint_notify_t, destroy));
+	this->remote_endpoints->destroy_offset(this->remote_endpoints,
+										offsetof(endpoint_notify_t, destroy));
+
+	DESTROY_IF(this->mediated_cfg);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+ike_me_t *ike_me_create(ike_sa_t *ike_sa, bool initiator)
+{
+	private_ike_me_t *this = malloc_thing(private_ike_me_t);
+
+	this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
+	this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
+	this->public.task.destroy = (void(*)(task_t*))destroy;
+
+	if (ike_sa->has_condition(ike_sa, COND_ORIGINAL_INITIATOR))
+	{
+		if (initiator)
+		{
+			this->public.task.build = (status_t(*)(task_t*,message_t*))build_i;
+			this->public.task.process = (status_t(*)(task_t*,message_t*))process_i;
+		}
+		else
+		{
+			this->public.task.build = (status_t(*)(task_t*,message_t*))build_r;
+			this->public.task.process = (status_t(*)(task_t*,message_t*))process_r;
+		}
+	}
+	else
+	{
+		/* mediation server */
+		if (initiator)
+		{
+			this->public.task.build = (status_t(*)(task_t*,message_t*))build_i_ms;
+			this->public.task.process = (status_t(*)(task_t*,message_t*))process_i_ms;
+		}
+		else
+		{
+			this->public.task.build = (status_t(*)(task_t*,message_t*))build_r_ms;
+			this->public.task.process = (status_t(*)(task_t*,message_t*))process_r_ms;
+		}
+	}
+
+	this->public.connect = (void(*)(ike_me_t*,identification_t*))me_connect;
+	this->public.respond = (void(*)(ike_me_t*,identification_t*,chunk_t))me_respond;
+	this->public.callback = (void(*)(ike_me_t*,identification_t*))me_callback;
+	this->public.relay = (void(*)(ike_me_t*,identification_t*,chunk_t,chunk_t,linked_list_t*,bool))relay;
+
+	this->ike_sa = ike_sa;
+	this->initiator = initiator;
+
+	this->peer_id = NULL;
+	this->connect_id = chunk_empty;
+	this->connect_key = chunk_empty;
+	this->local_endpoints = linked_list_create();
+	this->remote_endpoints = linked_list_create();
+	this->mediation = FALSE;
+	this->response = FALSE;
+	this->callback = FALSE;
+	this->failed = FALSE;
+	this->invalid_syntax = FALSE;
+
+	this->mediated_cfg = NULL;
+
+	return &this->public;
+}
diff --git a/src/libcharon/sa/tasks/ike_me.h b/src/libcharon/sa/tasks/ike_me.h
new file mode 100644
index 000000000..31285a426
--- /dev/null
+++ b/src/libcharon/sa/tasks/ike_me.h
@@ -0,0 +1,100 @@
+/*
+ * Copyright (C) 2007 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ike_me ike_me
+ * @{ @ingroup tasks
+ */
+
+#ifndef IKE_ME_H_
+#define IKE_ME_H_
+
+typedef struct ike_me_t ike_me_t;
+
+#include <library.h>
+#include <sa/ike_sa.h>
+#include <sa/tasks/task.h>
+
+/**
+ * Task of type IKE_ME, detects and handles IKE-ME extensions.
+ *
+ * This tasks handles the ME_MEDIATION Notify exchange to setup a mediation
+ * connection, allows to initiate mediated connections using ME_CONNECT
+ * exchanges and to request reflexive addresses from the mediation server using
+ * ME_ENDPOINT notifies.
+ *
+ * @note This task has to be activated before the IKE_AUTH task, because that
+ * task generates the IKE_SA_INIT message so that no more payloads can be added
+ * to it afterwards.
+ */
+struct ike_me_t {
+	/**
+	 * Implements the task_t interface
+	 */
+	task_t task;
+
+	/**
+	 * Initiates a connection with another peer (i.e. sends a ME_CONNECT
+	 * to the mediation server)
+	 *
+	 * @param peer_id			ID of the other peer (gets cloned)
+	 */
+	void (*connect)(ike_me_t *this, identification_t *peer_id);
+
+	/**
+	 * Responds to a ME_CONNECT from another peer (i.e. sends a ME_CONNECT
+	 * to the mediation server)
+	 *
+	 * Data gets cloned.
+	 *
+	 * @param peer_id			ID of the other peer
+	 * @param connect_id		the connect ID as provided by the initiator
+	 */
+	void (*respond)(ike_me_t *this, identification_t *peer_id,
+					chunk_t connect_id);
+
+	/**
+	 * Sends a ME_CALLBACK to a peer that previously requested some other peer.
+	 *
+	 * @param peer_id			ID of the other peer (gets cloned)
+	 */
+	void (*callback)(ike_me_t *this, identification_t *peer_id);
+
+	/**
+	 * Relays data to another peer (i.e. sends a ME_CONNECT to the peer)
+	 *
+	 * Data gets cloned.
+	 *
+	 * @param requester			ID of the requesting peer
+	 * @param connect_id		content of the ME_CONNECTID notify
+	 * @param connect_key		content of the ME_CONNECTKEY notify
+	 * @param endpoints			endpoints
+	 * @param response			TRUE if this is a response
+	 */
+	void (*relay)(ike_me_t *this, identification_t *requester,
+				  chunk_t connect_id, chunk_t connect_key,
+				  linked_list_t *endpoints, bool response);
+};
+
+/**
+ * Create a new ike_me task.
+ *
+ * @param ike_sa		IKE_SA this task works for
+ * @param initiator		TRUE if task is initiated by us
+ * @return				ike_me task to be handled by the task_manager
+ */
+ike_me_t *ike_me_create(ike_sa_t *ike_sa, bool initiator);
+
+#endif /** IKE_ME_H_ @}*/
diff --git a/src/libcharon/sa/tasks/ike_mobike.c b/src/libcharon/sa/tasks/ike_mobike.c
new file mode 100644
index 000000000..a62886f02
--- /dev/null
+++ b/src/libcharon/sa/tasks/ike_mobike.c
@@ -0,0 +1,659 @@
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ike_mobike.h"
+
+#include <string.h>
+
+#include <daemon.h>
+#include <sa/tasks/ike_natd.h>
+#include <encoding/payloads/notify_payload.h>
+
+#define COOKIE2_SIZE 16
+#define MAX_ADDITIONAL_ADDRS 8
+
+typedef struct private_ike_mobike_t private_ike_mobike_t;
+
+/**
+ * Private members of a ike_mobike_t task.
+ */
+struct private_ike_mobike_t {
+
+	/**
+	 * Public methods and task_t interface.
+	 */
+	ike_mobike_t public;
+
+	/**
+	 * Assigned IKE_SA.
+	 */
+	ike_sa_t *ike_sa;
+
+	/**
+	 * Are we the initiator?
+	 */
+	bool initiator;
+
+	/**
+	 * cookie2 value to verify new addresses
+	 */
+	chunk_t cookie2;
+
+	/**
+	 * NAT discovery reusing the IKE_NATD task
+	 */
+	ike_natd_t *natd;
+
+	/**
+	 * use task to update addresses
+	 */
+	bool update;
+
+	/**
+	 * do routability check
+	 */
+	bool check;
+
+	/**
+	 * include address list update
+	 */
+	bool address;
+};
+
+/**
+ * flush the IKE_SAs list of additional addresses
+ */
+static void flush_additional_addresses(private_ike_mobike_t *this)
+{
+	iterator_t *iterator;
+	host_t *host;
+
+	iterator = this->ike_sa->create_additional_address_iterator(this->ike_sa);
+	while (iterator->iterate(iterator, (void**)&host))
+	{
+		iterator->remove(iterator);
+		host->destroy(host);
+	}
+	iterator->destroy(iterator);
+}
+
+
+/**
+ * read notifys from message and evaluate them
+ */
+static void process_payloads(private_ike_mobike_t *this, message_t *message)
+{
+	enumerator_t *enumerator;
+	payload_t *payload;
+	bool first = TRUE;
+
+	enumerator = message->create_payload_enumerator(message);
+	while (enumerator->enumerate(enumerator, &payload))
+	{
+		int family = AF_INET;
+		notify_payload_t *notify;
+		chunk_t data;
+		host_t *host;
+
+		if (payload->get_type(payload) != NOTIFY)
+		{
+			continue;
+		}
+		notify = (notify_payload_t*)payload;
+		switch (notify->get_notify_type(notify))
+		{
+			case MOBIKE_SUPPORTED:
+			{
+				peer_cfg_t *peer_cfg;
+
+				peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
+				if (!this->initiator &&
+					peer_cfg && !peer_cfg->use_mobike(peer_cfg))
+				{
+					DBG1(DBG_IKE, "peer supports MOBIKE, but disabled in config");
+				}
+				else
+				{
+					DBG1(DBG_IKE, "peer supports MOBIKE");
+					this->ike_sa->enable_extension(this->ike_sa, EXT_MOBIKE);
+				}
+				break;
+			}
+			case COOKIE2:
+			{
+				chunk_free(&this->cookie2);
+				this->cookie2 = chunk_clone(notify->get_notification_data(notify));
+				break;
+			}
+			case ADDITIONAL_IP6_ADDRESS:
+			{
+				family = AF_INET6;
+				/* fall through */
+			}
+			case ADDITIONAL_IP4_ADDRESS:
+			{
+				if (first)
+				{	/* an ADDITIONAL_*_ADDRESS means replace, so flush once */
+					flush_additional_addresses(this);
+					first = FALSE;
+				}
+				data = notify->get_notification_data(notify);
+				host = host_create_from_chunk(family, data, 0);
+				DBG2(DBG_IKE, "got additional MOBIKE peer address: %H", host);
+				this->ike_sa->add_additional_address(this->ike_sa, host);
+				break;
+			}
+			case UPDATE_SA_ADDRESSES:
+			{
+				this->update = TRUE;
+				break;
+			}
+			case NO_ADDITIONAL_ADDRESSES:
+			{
+				flush_additional_addresses(this);
+				break;
+			}
+			case NAT_DETECTION_SOURCE_IP:
+			case NAT_DETECTION_DESTINATION_IP:
+			{
+				/* NAT check in this MOBIKE exchange, create subtask for it */
+				if (this->natd == NULL)
+				{
+					this->natd = ike_natd_create(this->ike_sa, this->initiator);
+				}
+				break;
+			}
+			default:
+				break;
+		}
+	}
+	enumerator->destroy(enumerator);
+}
+
+/**
+ * Add ADDITIONAL_*_ADDRESS notifys depending on our address list
+ */
+static void build_address_list(private_ike_mobike_t *this, message_t *message)
+{
+	enumerator_t *enumerator;
+	host_t *host, *me;
+	notify_type_t type;
+	int added = 0;
+
+	me = this->ike_sa->get_my_host(this->ike_sa);
+	enumerator = charon->kernel_interface->create_address_enumerator(
+										charon->kernel_interface, FALSE, FALSE);
+	while (enumerator->enumerate(enumerator, (void**)&host))
+	{
+		if (me->ip_equals(me, host))
+		{	/* "ADDITIONAL" means do not include IKE_SAs host */
+			continue;
+		}
+		switch (host->get_family(host))
+		{
+			case AF_INET:
+				type = ADDITIONAL_IP4_ADDRESS;
+				break;
+			case AF_INET6:
+				type = ADDITIONAL_IP6_ADDRESS;
+				break;
+			default:
+				continue;
+		}
+		message->add_notify(message, FALSE, type, host->get_address(host));
+		if (++added >= MAX_ADDITIONAL_ADDRS)
+		{	/* limit number of notifys, some implementations do not like too
+			 * many of them (f.e. strongSwan ;-) */
+			break;
+		}
+	}
+	if (!added)
+	{
+		message->add_notify(message, FALSE, NO_ADDITIONAL_ADDRESSES, chunk_empty);
+	}
+	enumerator->destroy(enumerator);
+}
+
+/**
+ * build a cookie and add it to the message
+ */
+static void build_cookie(private_ike_mobike_t *this, message_t *message)
+{
+	rng_t *rng;
+
+	chunk_free(&this->cookie2);
+	rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
+	if (rng)
+	{
+		rng->allocate_bytes(rng, COOKIE2_SIZE, &this->cookie2);
+		rng->destroy(rng);
+		message->add_notify(message, FALSE, COOKIE2, this->cookie2);
+	}
+}
+
+/**
+ * update addresses of associated CHILD_SAs
+ */
+static void update_children(private_ike_mobike_t *this)
+{
+	iterator_t *iterator;
+	child_sa_t *child_sa;
+
+	iterator = this->ike_sa->create_child_sa_iterator(this->ike_sa);
+	while (iterator->iterate(iterator, (void**)&child_sa))
+	{
+		if (child_sa->update(child_sa,
+				this->ike_sa->get_my_host(this->ike_sa),
+				this->ike_sa->get_other_host(this->ike_sa),
+				this->ike_sa->get_virtual_ip(this->ike_sa, TRUE),
+				this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY)) == NOT_SUPPORTED)
+		{
+			this->ike_sa->rekey_child_sa(this->ike_sa,
+					child_sa->get_protocol(child_sa),
+					child_sa->get_spi(child_sa, TRUE));
+		}
+	}
+	iterator->destroy(iterator);
+}
+
+/**
+ * Apply port of old address if it equals new, port otherwise
+ */
+static void apply_port(private_ike_mobike_t *this, host_t *host, host_t *old,
+					   u_int16_t port)
+{
+	if (host->ip_equals(host, old))
+	{
+		host->set_port(host, old->get_port(old));
+	}
+	else
+	{
+		if (port == IKEV2_UDP_PORT)
+		{
+			host->set_port(host, IKEV2_NATT_PORT);
+		}
+		else
+		{
+			host->set_port(host, port);
+		}
+	}
+}
+
+/**
+ * Implementation of ike_mobike_t.transmit
+ */
+static void transmit(private_ike_mobike_t *this, packet_t *packet)
+{
+	host_t *me, *other, *me_old, *other_old;
+	iterator_t *iterator;
+	ike_cfg_t *ike_cfg;
+	packet_t *copy;
+
+	if (!this->check)
+	{
+		return;
+	}
+
+	me_old = this->ike_sa->get_my_host(this->ike_sa);
+	other_old = this->ike_sa->get_other_host(this->ike_sa);
+	ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa);
+
+	me = charon->kernel_interface->get_source_addr(
+									charon->kernel_interface, other_old, NULL);
+	if (me)
+	{
+		apply_port(this, me, me_old, ike_cfg->get_my_port(ike_cfg));
+		DBG1(DBG_IKE, "checking original path %#H - %#H", me, other_old);
+		copy = packet->clone(packet);
+		copy->set_source(copy, me);
+		charon->sender->send(charon->sender, copy);
+	}
+
+	iterator = this->ike_sa->create_additional_address_iterator(this->ike_sa);
+	while (iterator->iterate(iterator, (void**)&other))
+	{
+		me = charon->kernel_interface->get_source_addr(
+										charon->kernel_interface, other, NULL);
+		if (me)
+		{
+			if (me->get_family(me) != other->get_family(other))
+			{
+				me->destroy(me);
+				continue;
+			}
+			/* reuse port for an active address, 4500 otherwise */
+			apply_port(this, me, me_old, ike_cfg->get_my_port(ike_cfg));
+			other = other->clone(other);
+			apply_port(this, other, other_old, ike_cfg->get_other_port(ike_cfg));
+			DBG1(DBG_IKE, "checking path %#H - %#H", me, other);
+			copy = packet->clone(packet);
+			copy->set_source(copy, me);
+			copy->set_destination(copy, other);
+			charon->sender->send(charon->sender, copy);
+		}
+	}
+	iterator->destroy(iterator);
+}
+
+/**
+ * Implementation of task_t.process for initiator
+ */
+static status_t build_i(private_ike_mobike_t *this, message_t *message)
+{
+	if (message->get_message_id(message) == 1)
+	{	/* only in first IKE_AUTH */
+		message->add_notify(message, FALSE, MOBIKE_SUPPORTED, chunk_empty);
+		build_address_list(this, message);
+	}
+	else if (message->get_exchange_type(message) == INFORMATIONAL)
+	{
+		host_t *old, *new;
+
+		/* we check if the existing address is still valid */
+		old = message->get_source(message);
+		new = charon->kernel_interface->get_source_addr(charon->kernel_interface,
+										message->get_destination(message), old);
+		if (new)
+		{
+			if (!new->ip_equals(new, old))
+			{
+				new->set_port(new, old->get_port(old));
+				message->set_source(message, new);
+			}
+			else
+			{
+				new->destroy(new);
+			}
+		}
+		if (this->update)
+		{
+			message->add_notify(message, FALSE, UPDATE_SA_ADDRESSES, chunk_empty);
+			build_cookie(this, message);
+			update_children(this);
+		}
+		if (this->address)
+		{
+			build_address_list(this, message);
+		}
+		if (this->natd)
+		{
+			this->natd->task.build(&this->natd->task, message);
+		}
+	}
+	return NEED_MORE;
+}
+
+/**
+ * Implementation of task_t.process for responder
+ */
+static status_t process_r(private_ike_mobike_t *this, message_t *message)
+{
+	if (message->get_message_id(message) == 1)
+	{	/* only first IKE_AUTH */
+		process_payloads(this, message);
+	}
+	else if (message->get_exchange_type(message) == INFORMATIONAL)
+	{
+		process_payloads(this, message);
+		if (this->update)
+		{
+			host_t *me, *other;
+
+			me = message->get_destination(message);
+			other = message->get_source(message);
+			this->ike_sa->set_my_host(this->ike_sa, me->clone(me));
+			this->ike_sa->set_other_host(this->ike_sa, other->clone(other));
+		}
+
+		if (this->natd)
+		{
+			this->natd->task.process(&this->natd->task, message);
+		}
+	}
+	return NEED_MORE;
+}
+
+/**
+ * Implementation of task_t.build for responder
+ */
+static status_t build_r(private_ike_mobike_t *this, message_t *message)
+{
+	if (message->get_exchange_type(message) == IKE_AUTH &&
+		this->ike_sa->get_state(this->ike_sa) == IKE_ESTABLISHED)
+	{
+		if (this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE))
+		{
+			message->add_notify(message, FALSE, MOBIKE_SUPPORTED, chunk_empty);
+			build_address_list(this, message);
+		}
+		return SUCCESS;
+	}
+	else if (message->get_exchange_type(message) == INFORMATIONAL)
+	{
+		if (this->natd)
+		{
+			this->natd->task.build(&this->natd->task, message);
+		}
+		if (this->cookie2.ptr)
+		{
+			message->add_notify(message, FALSE, COOKIE2, this->cookie2);
+			chunk_free(&this->cookie2);
+		}
+		if (this->update)
+		{
+			update_children(this);
+		}
+		return SUCCESS;
+	}
+	return NEED_MORE;
+}
+
+/**
+ * Implementation of task_t.process for initiator
+ */
+static status_t process_i(private_ike_mobike_t *this, message_t *message)
+{
+	if (message->get_exchange_type(message) == IKE_AUTH &&
+		this->ike_sa->get_state(this->ike_sa) == IKE_ESTABLISHED)
+	{
+		process_payloads(this, message);
+		return SUCCESS;
+	}
+	else if (message->get_exchange_type(message) == INFORMATIONAL)
+	{
+		u_int32_t updates = this->ike_sa->get_pending_updates(this->ike_sa) - 1;
+		this->ike_sa->set_pending_updates(this->ike_sa, updates);
+		if (updates > 0)
+		{
+			/* newer update queued, ignore this one */
+			return SUCCESS;
+		}
+		if (this->cookie2.ptr)
+		{	/* check cookie if we included one */
+			chunk_t cookie2;
+
+			cookie2 = this->cookie2;
+			this->cookie2 = chunk_empty;
+			process_payloads(this, message);
+			if (!chunk_equals(cookie2, this->cookie2))
+			{
+				chunk_free(&cookie2);
+				DBG1(DBG_IKE, "COOKIE2 mismatch, closing IKE_SA");
+				return FAILED;
+			}
+			chunk_free(&cookie2);
+		}
+		else
+		{
+			process_payloads(this, message);
+		}
+		if (this->natd)
+		{
+			this->natd->task.process(&this->natd->task, message);
+			if (this->natd->has_mapping_changed(this->natd))
+			{
+				/* force an update if mappings have changed */
+				this->update = this->check = TRUE;
+				DBG1(DBG_IKE, "detected changes in NAT mappings, "
+					 "initiating MOBIKE update");
+			}
+		}
+		if (this->update)
+		{
+			/* update again, as NAT state may have changed */
+			update_children(this);
+		}
+		if (this->check)
+		{
+			host_t *me_new, *me_old, *other_new, *other_old;
+
+			me_new = message->get_destination(message);
+			other_new = message->get_source(message);
+			me_old = this->ike_sa->get_my_host(this->ike_sa);
+			other_old = this->ike_sa->get_other_host(this->ike_sa);
+
+			if (!me_new->equals(me_new, me_old))
+			{
+				this->update = TRUE;
+				this->ike_sa->set_my_host(this->ike_sa, me_new->clone(me_new));
+			}
+			if (!other_new->equals(other_new, other_old))
+			{
+				this->update = TRUE;
+				this->ike_sa->set_other_host(this->ike_sa, other_new->clone(other_new));
+			}
+			if (this->update)
+			{
+				/* start the update with the same task */
+				this->check = FALSE;
+				this->address = FALSE;
+				if (this->natd)
+				{
+					this->natd->task.destroy(&this->natd->task);
+				}
+				this->natd = ike_natd_create(this->ike_sa, this->initiator);
+				this->ike_sa->set_pending_updates(this->ike_sa, 1);
+				return NEED_MORE;
+			}
+		}
+		return SUCCESS;
+	}
+	return NEED_MORE;
+}
+
+/**
+ * Implementation of ike_mobike_t.roam.
+ */
+static void roam(private_ike_mobike_t *this, bool address)
+{
+	this->check = TRUE;
+	this->address = address;
+	this->ike_sa->set_pending_updates(this->ike_sa,
+							this->ike_sa->get_pending_updates(this->ike_sa) + 1);
+}
+
+/**
+ * Implementation of ike_mobike_t.dpd
+ */
+static void dpd(private_ike_mobike_t *this)
+{
+	if (!this->natd)
+	{
+		this->natd = ike_natd_create(this->ike_sa, this->initiator);
+	}
+	this->address = FALSE;
+	this->ike_sa->set_pending_updates(this->ike_sa,
+							this->ike_sa->get_pending_updates(this->ike_sa) + 1);
+}
+
+/**
+ * Implementation of ike_mobike_t.is_probing.
+ */
+static bool is_probing(private_ike_mobike_t *this)
+{
+	return this->check;
+}
+
+/**
+ * Implementation of task_t.get_type
+ */
+static task_type_t get_type(private_ike_mobike_t *this)
+{
+	return IKE_MOBIKE;
+}
+
+/**
+ * Implementation of task_t.migrate
+ */
+static void migrate(private_ike_mobike_t *this, ike_sa_t *ike_sa)
+{
+	chunk_free(&this->cookie2);
+	this->ike_sa = ike_sa;
+	if (this->natd)
+	{
+		this->natd->task.migrate(&this->natd->task, ike_sa);
+	}
+}
+
+/**
+ * Implementation of task_t.destroy
+ */
+static void destroy(private_ike_mobike_t *this)
+{
+	chunk_free(&this->cookie2);
+	if (this->natd)
+	{
+		this->natd->task.destroy(&this->natd->task);
+	}
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+ike_mobike_t *ike_mobike_create(ike_sa_t *ike_sa, bool initiator)
+{
+	private_ike_mobike_t *this = malloc_thing(private_ike_mobike_t);
+
+	this->public.roam = (void(*)(ike_mobike_t*,bool))roam;
+	this->public.dpd = (void(*)(ike_mobike_t*))dpd;
+	this->public.transmit = (void(*)(ike_mobike_t*,packet_t*))transmit;
+	this->public.is_probing = (bool(*)(ike_mobike_t*))is_probing;
+	this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
+	this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
+	this->public.task.destroy = (void(*)(task_t*))destroy;
+
+	if (initiator)
+	{
+		this->public.task.build = (status_t(*)(task_t*,message_t*))build_i;
+		this->public.task.process = (status_t(*)(task_t*,message_t*))process_i;
+	}
+	else
+	{
+		this->public.task.build = (status_t(*)(task_t*,message_t*))build_r;
+		this->public.task.process = (status_t(*)(task_t*,message_t*))process_r;
+	}
+
+	this->ike_sa = ike_sa;
+	this->initiator = initiator;
+	this->update = FALSE;
+	this->check = FALSE;
+	this->address = TRUE;
+	this->cookie2 = chunk_empty;
+	this->natd = NULL;
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/sa/tasks/ike_mobike.h b/src/libcharon/sa/tasks/ike_mobike.h
new file mode 100644
index 000000000..05b2224d1
--- /dev/null
+++ b/src/libcharon/sa/tasks/ike_mobike.h
@@ -0,0 +1,88 @@
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ike_mobike ike_mobike
+ * @{ @ingroup tasks
+ */
+
+#ifndef IKE_MOBIKE_H_
+#define IKE_MOBIKE_H_
+
+typedef struct ike_mobike_t ike_mobike_t;
+
+#include <library.h>
+#include <sa/ike_sa.h>
+#include <sa/tasks/task.h>
+#include <network/packet.h>
+
+/**
+ * Task of type ike_mobike, detects and handles MOBIKE extension.
+ *
+ * The MOBIKE extension is defined in RFC4555. It allows to update IKE
+ * and IPsec tunnel addresses.
+ * This tasks handles the MOBIKE_SUPPORTED notify exchange to detect MOBIKE
+ * support, allows the exchange of ADDITIONAL_*_ADDRESS to exchange additional
+ * endpoints and handles the UPDATE_SA_ADDRESS notify to finally update
+ * endpoints.
+ */
+struct ike_mobike_t {
+
+	/**
+	 * Implements the task_t interface
+	 */
+	task_t task;
+
+	/**
+	 * Use the task to roam to other addresses.
+	 *
+	 * @param address		TRUE to include address list update
+	 */
+	void (*roam)(ike_mobike_t *this, bool address);
+
+	/**
+	 * Use the task for a DPD check which detects changes in NAT mappings.
+	 */
+	void (*dpd)(ike_mobike_t *this);
+
+	/**
+	 * Transmision hook, called by task manager.
+	 *
+	 * The task manager calls this hook whenever it transmits a packet. It
+	 * allows the mobike task to send the packet on multiple paths to do path
+	 * probing.
+	 *
+	 * @param packet		the packet to transmit
+	 */
+	void (*transmit)(ike_mobike_t *this, packet_t *packet);
+
+	/**
+	 * Check if this task is probing for routability.
+	 *
+	 * @return				TRUE if task is probing
+	 */
+	bool (*is_probing)(ike_mobike_t *this);
+};
+
+/**
+ * Create a new ike_mobike task.
+ *
+ * @param ike_sa		IKE_SA this task works for
+ * @param initiator		TRUE if taks is initiated by us
+ * @return				ike_mobike task to handle by the task_manager
+ */
+ike_mobike_t *ike_mobike_create(ike_sa_t *ike_sa, bool initiator);
+
+#endif /** IKE_MOBIKE_H_ @}*/
diff --git a/src/libcharon/sa/tasks/ike_natd.c b/src/libcharon/sa/tasks/ike_natd.c
new file mode 100644
index 000000000..9ea20ba36
--- /dev/null
+++ b/src/libcharon/sa/tasks/ike_natd.c
@@ -0,0 +1,490 @@
+/*
+ * Copyright (C) 2006-2007 Martin Willi
+ * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ike_natd.h"
+
+#include <string.h>
+
+#include <daemon.h>
+#include <config/peer_cfg.h>
+#include <crypto/hashers/hasher.h>
+#include <encoding/payloads/notify_payload.h>
+
+
+typedef struct private_ike_natd_t private_ike_natd_t;
+
+/**
+ * Private members of a ike_natd_t task.
+ */
+struct private_ike_natd_t {
+
+	/**
+	 * Public methods and task_t interface.
+	 */
+	ike_natd_t public;
+
+	/**
+	 * Assigned IKE_SA.
+	 */
+	ike_sa_t *ike_sa;
+
+	/**
+	 * Are we the initiator?
+	 */
+	bool initiator;
+
+	/**
+	 * Hasher used to build NAT detection hashes
+	 */
+	hasher_t *hasher;
+
+	/**
+	 * Did we process any NAT detection notifys for a source address?
+	 */
+	bool src_seen;
+
+	/**
+	 * Did we process any NAT detection notifys for a destination address?
+	 */
+	bool dst_seen;
+
+	/**
+	 * Have we found a matching source address NAT hash?
+	 */
+	bool src_matched;
+
+	/**
+	 * Have we found a matching destination address NAT hash?
+	 */
+	bool dst_matched;
+
+	/**
+	 * whether NAT mappings for our NATed address has changed
+	 */
+	bool mapping_changed;
+};
+
+
+/**
+ * Build NAT detection hash for a host
+ */
+static chunk_t generate_natd_hash(private_ike_natd_t *this,
+								  ike_sa_id_t *ike_sa_id, host_t *host)
+{
+	chunk_t natd_chunk, spi_i_chunk, spi_r_chunk, addr_chunk, port_chunk;
+	chunk_t natd_hash;
+	u_int64_t spi_i, spi_r;
+	u_int16_t port;
+
+	/* prepare all required chunks */
+	spi_i = ike_sa_id->get_initiator_spi(ike_sa_id);
+	spi_r = ike_sa_id->get_responder_spi(ike_sa_id);
+	spi_i_chunk.ptr = (void*)&spi_i;
+	spi_i_chunk.len = sizeof(spi_i);
+	spi_r_chunk.ptr = (void*)&spi_r;
+	spi_r_chunk.len = sizeof(spi_r);
+	port = htons(host->get_port(host));
+	port_chunk.ptr = (void*)&port;
+	port_chunk.len = sizeof(port);
+	addr_chunk = host->get_address(host);
+
+	/*  natd_hash = SHA1( spi_i | spi_r | address | port ) */
+	natd_chunk = chunk_cat("cccc", spi_i_chunk, spi_r_chunk, addr_chunk, port_chunk);
+	this->hasher->allocate_hash(this->hasher, natd_chunk, &natd_hash);
+	DBG3(DBG_IKE, "natd_chunk %B", &natd_chunk);
+	DBG3(DBG_IKE, "natd_hash %B", &natd_hash);
+
+	chunk_free(&natd_chunk);
+	return natd_hash;
+}
+
+/**
+ * build a faked NATD payload to enforce UDP encap
+ */
+static chunk_t generate_natd_hash_faked(private_ike_natd_t *this)
+{
+	rng_t *rng;
+	chunk_t chunk;
+
+	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
+	if (!rng)
+	{
+		DBG1(DBG_IKE, "unable to get random bytes for NATD fake");
+		return chunk_empty;
+	}
+	rng->allocate_bytes(rng, HASH_SIZE_SHA1, &chunk);
+	rng->destroy(rng);
+	return chunk;
+}
+
+/**
+ * Build a NAT detection notify payload.
+ */
+static notify_payload_t *build_natd_payload(private_ike_natd_t *this,
+											notify_type_t type, host_t *host)
+{
+	chunk_t hash;
+	notify_payload_t *notify;
+	ike_sa_id_t *ike_sa_id;
+	ike_cfg_t *config;
+
+	ike_sa_id = this->ike_sa->get_id(this->ike_sa);
+	config = this->ike_sa->get_ike_cfg(this->ike_sa);
+	if (config->force_encap(config) && type == NAT_DETECTION_SOURCE_IP)
+	{
+		hash = generate_natd_hash_faked(this);
+	}
+	else
+	{
+		hash = generate_natd_hash(this, ike_sa_id, host);
+	}
+	notify = notify_payload_create();
+	notify->set_notify_type(notify, type);
+	notify->set_notification_data(notify, hash);
+	chunk_free(&hash);
+
+	return notify;
+}
+
+/**
+ * read notifys from message and evaluate them
+ */
+static void process_payloads(private_ike_natd_t *this, message_t *message)
+{
+	enumerator_t *enumerator;
+	payload_t *payload;
+	notify_payload_t *notify;
+	chunk_t hash, src_hash, dst_hash;
+	ike_sa_id_t *ike_sa_id;
+	host_t *me, *other;
+	ike_cfg_t *config;
+
+	/* Precompute NAT-D hashes for incoming NAT notify comparison */
+	ike_sa_id = message->get_ike_sa_id(message);
+	me = message->get_destination(message);
+	other = message->get_source(message);
+	dst_hash = generate_natd_hash(this, ike_sa_id, me);
+	src_hash = generate_natd_hash(this, ike_sa_id, other);
+
+	DBG3(DBG_IKE, "precalculated src_hash %B", &src_hash);
+	DBG3(DBG_IKE, "precalculated dst_hash %B", &dst_hash);
+
+	enumerator = message->create_payload_enumerator(message);
+	while (enumerator->enumerate(enumerator, &payload))
+	{
+		if (payload->get_type(payload) != NOTIFY)
+		{
+			continue;
+		}
+		notify = (notify_payload_t*)payload;
+		switch (notify->get_notify_type(notify))
+		{
+			case NAT_DETECTION_DESTINATION_IP:
+			{
+				this->dst_seen = TRUE;
+				hash = notify->get_notification_data(notify);
+				if (!this->dst_matched)
+				{
+					DBG3(DBG_IKE, "received dst_hash %B", &hash);
+					if (chunk_equals(hash, dst_hash))
+					{
+						this->dst_matched = TRUE;
+					}
+				}
+				/* RFC4555 says we should also compare against IKE_SA_INIT
+				 * NATD payloads, but this does not work: We are running
+				 * there at port 500, but use 4500 afterwards... */
+				if (message->get_exchange_type(message) == INFORMATIONAL &&
+					this->initiator && !this->dst_matched)
+				{
+					this->mapping_changed = this->ike_sa->has_mapping_changed(
+															this->ike_sa, hash);
+				}
+				break;
+			}
+			case NAT_DETECTION_SOURCE_IP:
+			{
+				this->src_seen = TRUE;
+				if (!this->src_matched)
+				{
+					hash = notify->get_notification_data(notify);
+					DBG3(DBG_IKE, "received src_hash %B", &hash);
+					if (chunk_equals(hash, src_hash))
+					{
+						this->src_matched = TRUE;
+					}
+				}
+				break;
+			}
+			default:
+				break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	chunk_free(&src_hash);
+	chunk_free(&dst_hash);
+
+	if (this->src_seen && this->dst_seen)
+	{
+		this->ike_sa->enable_extension(this->ike_sa, EXT_NATT);
+
+		this->ike_sa->set_condition(this->ike_sa, COND_NAT_HERE,
+									!this->dst_matched);
+		this->ike_sa->set_condition(this->ike_sa, COND_NAT_THERE,
+									!this->src_matched);
+		config = this->ike_sa->get_ike_cfg(this->ike_sa);
+		if (this->dst_matched && this->src_matched &&
+			config->force_encap(config))
+		{
+			this->ike_sa->set_condition(this->ike_sa, COND_NAT_FAKE, TRUE);
+		}
+	}
+}
+
+/**
+ * Implementation of task_t.process for initiator
+ */
+static status_t process_i(private_ike_natd_t *this, message_t *message)
+{
+	process_payloads(this, message);
+
+	if (message->get_exchange_type(message) == IKE_SA_INIT)
+	{
+		peer_cfg_t *peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
+
+#ifdef ME
+		/* if we are on a mediated connection we have already switched to
+		 * port 4500 and the correct destination port is already configured,
+		 * therefore we must not switch again */
+		if (peer_cfg->get_mediated_by(peer_cfg))
+		{
+			return SUCCESS;
+		}
+#endif /* ME */
+
+		if (this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY) ||
+#ifdef ME
+			/* if we are on a mediation connection we switch to port 4500 even
+			 * if no NAT is detected. */
+			peer_cfg->is_mediation(peer_cfg) ||
+#endif /* ME */
+			/* if peer supports NAT-T, we switch to port 4500 even
+			 * if no NAT is detected. MOBIKE requires this. */
+			(peer_cfg->use_mobike(peer_cfg) &&
+			 this->ike_sa->supports_extension(this->ike_sa, EXT_NATT)))
+		{
+			host_t *me, *other;
+
+			/* do not switch if we have a custom port from mobike/NAT */
+			me = this->ike_sa->get_my_host(this->ike_sa);
+			if (me->get_port(me) == IKEV2_UDP_PORT)
+			{
+				me->set_port(me, IKEV2_NATT_PORT);
+			}
+			other = this->ike_sa->get_other_host(this->ike_sa);
+			if (other->get_port(other) == IKEV2_UDP_PORT)
+			{
+				other->set_port(other, IKEV2_NATT_PORT);
+			}
+		}
+	}
+
+	return SUCCESS;
+}
+
+/**
+ * Implementation of task_t.process for initiator
+ */
+static status_t build_i(private_ike_natd_t *this, message_t *message)
+{
+	notify_payload_t *notify;
+	enumerator_t *enumerator;
+	ike_cfg_t *ike_cfg;
+	host_t *host;
+
+	if (this->hasher == NULL)
+	{
+		DBG1(DBG_IKE, "unable to build NATD payloads, SHA1 not supported");
+		return NEED_MORE;
+	}
+
+	ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa);
+
+	/* destination is always set */
+	host = message->get_destination(message);
+	notify = build_natd_payload(this, NAT_DETECTION_DESTINATION_IP, host);
+	message->add_payload(message, (payload_t*)notify);
+
+	/* source may be any, we have 3 possibilities to get our source address:
+	 * 1. It is defined in the config => use the one of the IKE_SA
+	 * 2. We do a routing lookup in the kernel interface
+	 * 3. Include all possbile addresses
+	 */
+	host = message->get_source(message);
+	if (!host->is_anyaddr(host))
+	{	/* 1. */
+		notify = build_natd_payload(this, NAT_DETECTION_SOURCE_IP, host);
+		message->add_payload(message, (payload_t*)notify);
+	}
+	else
+	{
+		host = charon->kernel_interface->get_source_addr(charon->kernel_interface,
+							this->ike_sa->get_other_host(this->ike_sa), NULL);
+		if (host)
+		{	/* 2. */
+			host->set_port(host, ike_cfg->get_my_port(ike_cfg));
+			notify = build_natd_payload(this, NAT_DETECTION_SOURCE_IP, host);
+			message->add_payload(message, (payload_t*)notify);
+			host->destroy(host);
+		}
+		else
+		{	/* 3. */
+			enumerator = charon->kernel_interface->create_address_enumerator(
+										charon->kernel_interface, FALSE, FALSE);
+			while (enumerator->enumerate(enumerator, (void**)&host))
+			{
+				/* apply port 500 to host, but work on a copy */
+				host = host->clone(host);
+				host->set_port(host, ike_cfg->get_my_port(ike_cfg));
+				notify = build_natd_payload(this, NAT_DETECTION_SOURCE_IP, host);
+				host->destroy(host);
+				message->add_payload(message, (payload_t*)notify);
+			}
+			enumerator->destroy(enumerator);
+		}
+	}
+	return NEED_MORE;
+}
+
+/**
+ * Implementation of task_t.build for responder
+ */
+static status_t build_r(private_ike_natd_t *this, message_t *message)
+{
+	notify_payload_t *notify;
+	host_t *me, *other;
+
+	/* only add notifies on successfull responses. */
+	if (message->get_exchange_type(message) == IKE_SA_INIT &&
+		message->get_payload(message, SECURITY_ASSOCIATION) == NULL)
+	{
+		return SUCCESS;
+	}
+
+	if (this->src_seen && this->dst_seen)
+	{
+		if (this->hasher == NULL)
+		{
+			DBG1(DBG_IKE, "unable to build NATD payloads, SHA1 not supported");
+			return SUCCESS;
+		}
+
+		/* initiator seems to support NAT detection, add response */
+		me = message->get_source(message);
+		notify = build_natd_payload(this, NAT_DETECTION_SOURCE_IP, me);
+		message->add_payload(message, (payload_t*)notify);
+
+		other = message->get_destination(message);
+		notify = build_natd_payload(this, NAT_DETECTION_DESTINATION_IP, other);
+		message->add_payload(message, (payload_t*)notify);
+	}
+	return SUCCESS;
+}
+
+/**
+ * Implementation of task_t.process for responder
+ */
+static status_t process_r(private_ike_natd_t *this, message_t *message)
+{
+	process_payloads(this, message);
+
+	return NEED_MORE;
+}
+
+/**
+ * Implementation of task_t.get_type
+ */
+static task_type_t get_type(private_ike_natd_t *this)
+{
+	return IKE_NATD;
+}
+
+/**
+ * Implementation of task_t.migrate
+ */
+static void migrate(private_ike_natd_t *this, ike_sa_t *ike_sa)
+{
+	this->ike_sa = ike_sa;
+	this->src_seen = FALSE;
+	this->dst_seen = FALSE;
+	this->src_matched = FALSE;
+	this->dst_matched = FALSE;
+	this->mapping_changed = FALSE;
+}
+
+/**
+ * Implementation of ike_natd_t.has_mapping_changed
+ */
+static bool has_mapping_changed(private_ike_natd_t *this)
+{
+	return this->mapping_changed;
+}
+
+/**
+ * Implementation of task_t.destroy
+ */
+static void destroy(private_ike_natd_t *this)
+{
+	DESTROY_IF(this->hasher);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+ike_natd_t *ike_natd_create(ike_sa_t *ike_sa, bool initiator)
+{
+	private_ike_natd_t *this = malloc_thing(private_ike_natd_t);
+
+	this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
+	this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
+	this->public.task.destroy = (void(*)(task_t*))destroy;
+
+	if (initiator)
+	{
+		this->public.task.build = (status_t(*)(task_t*,message_t*))build_i;
+		this->public.task.process = (status_t(*)(task_t*,message_t*))process_i;
+	}
+	else
+	{
+		this->public.task.build = (status_t(*)(task_t*,message_t*))build_r;
+		this->public.task.process = (status_t(*)(task_t*,message_t*))process_r;
+	}
+
+	this->public.has_mapping_changed = (bool(*)(ike_natd_t*))has_mapping_changed;
+
+	this->ike_sa = ike_sa;
+	this->initiator = initiator;
+	this->hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
+	this->src_seen = FALSE;
+	this->dst_seen = FALSE;
+	this->src_matched = FALSE;
+	this->dst_matched = FALSE;
+	this->mapping_changed = FALSE;
+
+	return &this->public;
+}
diff --git a/src/libcharon/sa/tasks/ike_natd.h b/src/libcharon/sa/tasks/ike_natd.h
new file mode 100644
index 000000000..97b652ead
--- /dev/null
+++ b/src/libcharon/sa/tasks/ike_natd.h
@@ -0,0 +1,59 @@
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ike_natd ike_natd
+ * @{ @ingroup tasks
+ */
+
+#ifndef IKE_NATD_H_
+#define IKE_NATD_H_
+
+typedef struct ike_natd_t ike_natd_t;
+
+#include <library.h>
+#include <sa/ike_sa.h>
+#include <sa/tasks/task.h>
+
+/**
+ * Task of type ike_natd, detects NAT situation in IKE_SA_INIT exchange.
+ */
+struct ike_natd_t {
+
+	/**
+	 * Implements the task_t interface
+	 */
+	task_t task;
+
+	/**
+	 * Check if the NAT mapping has changed for our address.
+	 *
+	 * MOBIKE uses NAT payloads in DPD to detect changes in the NAT mappings.
+	 *
+	 * @return 	TRUE if mappings have changed
+	 */
+	bool (*has_mapping_changed)(ike_natd_t *this);
+};
+
+/**
+ * Create a new ike_natd task.
+ *
+ * @param ike_sa		IKE_SA this task works for
+ * @param initiator		TRUE if thask is the original initator
+ * @return			  ike_natd task to handle by the task_manager
+ */
+ike_natd_t *ike_natd_create(ike_sa_t *ike_sa, bool initiator);
+
+#endif /** IKE_NATD_H_ @}*/
diff --git a/src/libcharon/sa/tasks/ike_reauth.c b/src/libcharon/sa/tasks/ike_reauth.c
new file mode 100644
index 000000000..ac89c358b
--- /dev/null
+++ b/src/libcharon/sa/tasks/ike_reauth.c
@@ -0,0 +1,196 @@
+/*
+ * Copyright (C) 2006-2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ike_reauth.h"
+
+#include <daemon.h>
+#include <sa/tasks/ike_delete.h>
+
+
+typedef struct private_ike_reauth_t private_ike_reauth_t;
+
+/**
+ * Private members of a ike_reauth_t task.
+ */
+struct private_ike_reauth_t {
+
+	/**
+	 * Public methods and task_t interface.
+	 */
+	ike_reauth_t public;
+
+	/**
+	 * Assigned IKE_SA.
+	 */
+	ike_sa_t *ike_sa;
+
+	/**
+	 * reused ike_delete task
+	 */
+	ike_delete_t *ike_delete;
+};
+
+/**
+ * Implementation of task_t.build for initiator
+ */
+static status_t build_i(private_ike_reauth_t *this, message_t *message)
+{
+	return this->ike_delete->task.build(&this->ike_delete->task, message);
+}
+
+/**
+ * Implementation of task_t.process for initiator
+ */
+static status_t process_i(private_ike_reauth_t *this, message_t *message)
+{
+	ike_sa_t *new;
+	host_t *host;
+	iterator_t *iterator;
+	child_sa_t *child_sa;
+	peer_cfg_t *peer_cfg;
+
+	/* process delete response first */
+	this->ike_delete->task.process(&this->ike_delete->task, message);
+
+	peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
+
+	/* reauthenticate only if we have children */
+	iterator = this->ike_sa->create_child_sa_iterator(this->ike_sa);
+	if (iterator->get_count(iterator) == 0
+#ifdef ME
+		/* we allow peers to reauth mediation connections (without children) */
+		&& !peer_cfg->is_mediation(peer_cfg)
+#endif /* ME */
+		)
+	{
+		DBG1(DBG_IKE, "unable to reauthenticate IKE_SA, no CHILD_SA to recreate");
+		iterator->destroy(iterator);
+		return FAILED;
+	}
+
+	new = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager, TRUE);
+
+	new->set_peer_cfg(new, peer_cfg);
+	host = this->ike_sa->get_other_host(this->ike_sa);
+	new->set_other_host(new, host->clone(host));
+	host = this->ike_sa->get_my_host(this->ike_sa);
+	new->set_my_host(new, host->clone(host));
+	/* if we already have a virtual IP, we reuse it */
+	host = this->ike_sa->get_virtual_ip(this->ike_sa, TRUE);
+	if (host)
+	{
+		new->set_virtual_ip(new, TRUE, host);
+	}
+
+#ifdef ME
+	/* we initiate the new IKE_SA of the mediation connection without CHILD_SA */
+	if (peer_cfg->is_mediation(peer_cfg))
+	{
+		if (new->initiate(new, NULL, 0, NULL, NULL) == DESTROY_ME)
+		{
+			charon->ike_sa_manager->checkin_and_destroy(
+								charon->ike_sa_manager, new);
+			/* set threads active IKE_SA after checkin */
+			charon->bus->set_sa(charon->bus, this->ike_sa);
+			DBG1(DBG_IKE, "reauthenticating IKE_SA failed");
+			return FAILED;
+		}
+	}
+#endif /* ME */
+
+	while (iterator->iterate(iterator, (void**)&child_sa))
+	{
+		switch (child_sa->get_state(child_sa))
+		{
+			case CHILD_ROUTED:
+			{
+				/* move routed child directly */
+				iterator->remove(iterator);
+				new->add_child_sa(new, child_sa);
+				break;
+			}
+			default:
+			{
+				/* initiate/queue all child SAs */
+				child_cfg_t *child_cfg = child_sa->get_config(child_sa);
+				child_cfg->get_ref(child_cfg);
+				if (new->initiate(new, child_cfg, 0, NULL, NULL) == DESTROY_ME)
+				{
+					iterator->destroy(iterator);
+					charon->ike_sa_manager->checkin_and_destroy(
+										charon->ike_sa_manager, new);
+					/* set threads active IKE_SA after checkin */
+					charon->bus->set_sa(charon->bus, this->ike_sa);
+					DBG1(DBG_IKE, "reauthenticating IKE_SA failed");
+					return FAILED;
+				}
+				break;
+			}
+		}
+	}
+	iterator->destroy(iterator);
+	charon->ike_sa_manager->checkin(charon->ike_sa_manager, new);
+	/* set threads active IKE_SA after checkin */
+	charon->bus->set_sa(charon->bus, this->ike_sa);
+
+	/* we always return failed to delete the obsolete IKE_SA */
+	return FAILED;
+}
+
+/**
+ * Implementation of task_t.get_type
+ */
+static task_type_t get_type(private_ike_reauth_t *this)
+{
+	return IKE_REAUTH;
+}
+
+/**
+ * Implementation of task_t.migrate
+ */
+static void migrate(private_ike_reauth_t *this, ike_sa_t *ike_sa)
+{
+	this->ike_delete->task.migrate(&this->ike_delete->task, ike_sa);
+	this->ike_sa = ike_sa;
+}
+
+/**
+ * Implementation of task_t.destroy
+ */
+static void destroy(private_ike_reauth_t *this)
+{
+	this->ike_delete->task.destroy(&this->ike_delete->task);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+ike_reauth_t *ike_reauth_create(ike_sa_t *ike_sa)
+{
+	private_ike_reauth_t *this = malloc_thing(private_ike_reauth_t);
+
+	this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
+	this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
+	this->public.task.destroy = (void(*)(task_t*))destroy;
+	this->public.task.build = (status_t(*)(task_t*,message_t*))build_i;
+	this->public.task.process = (status_t(*)(task_t*,message_t*))process_i;
+
+	this->ike_sa = ike_sa;
+	this->ike_delete = ike_delete_create(ike_sa, TRUE);
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/sa/tasks/ike_reauth.h b/src/libcharon/sa/tasks/ike_reauth.h
new file mode 100644
index 000000000..5e97b719c
--- /dev/null
+++ b/src/libcharon/sa/tasks/ike_reauth.h
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ike_reauth ike_reauth
+ * @{ @ingroup tasks
+ */
+
+#ifndef IKE_REAUTH_H_
+#define IKE_REAUTH_H_
+
+typedef struct ike_reauth_t ike_reauth_t;
+
+#include <library.h>
+#include <sa/ike_sa.h>
+#include <sa/tasks/task.h>
+
+/**
+ * Task of type ike_reauth, reestablishes an IKE_SA.
+ */
+struct ike_reauth_t {
+
+	/**
+	 * Implements the task_t interface
+	 */
+	task_t task;
+};
+
+/**
+ * Create a new ike_reauth task.
+ *
+ * This task is initiator only.
+ *
+ * @param ike_sa		IKE_SA this task works for
+ * @return				ike_reauth task to handle by the task_manager
+ */
+ike_reauth_t *ike_reauth_create(ike_sa_t *ike_sa);
+
+#endif /** IKE_REAUTH_H_ @}*/
diff --git a/src/libcharon/sa/tasks/ike_rekey.c b/src/libcharon/sa/tasks/ike_rekey.c
new file mode 100644
index 000000000..a2275e796
--- /dev/null
+++ b/src/libcharon/sa/tasks/ike_rekey.c
@@ -0,0 +1,409 @@
+/*
+ * Copyright (C) 2005-2008 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ike_rekey.h"
+
+#include <daemon.h>
+#include <encoding/payloads/notify_payload.h>
+#include <sa/tasks/ike_init.h>
+#include <sa/tasks/ike_delete.h>
+#include <processing/jobs/delete_ike_sa_job.h>
+#include <processing/jobs/rekey_ike_sa_job.h>
+
+
+typedef struct private_ike_rekey_t private_ike_rekey_t;
+
+/**
+ * Private members of a ike_rekey_t task.
+ */
+struct private_ike_rekey_t {
+
+	/**
+	 * Public methods and task_t interface.
+	 */
+	ike_rekey_t public;
+
+	/**
+	 * Assigned IKE_SA.
+	 */
+	ike_sa_t *ike_sa;
+
+	/**
+	 * New IKE_SA which replaces the current one
+	 */
+	ike_sa_t *new_sa;
+
+	/**
+	 * Are we the initiator?
+	 */
+	bool initiator;
+
+	/**
+	 * the IKE_INIT task which is reused to simplify rekeying
+	 */
+	ike_init_t *ike_init;
+
+	/**
+	 * IKE_DELETE task to delete the old IKE_SA after rekeying was successful
+	 */
+	ike_delete_t *ike_delete;
+
+	/**
+	 * colliding task detected by the task manager
+	 */
+	task_t *collision;
+};
+
+/**
+ * Implementation of task_t.build for initiator, after rekeying
+ */
+static status_t build_i_delete(private_ike_rekey_t *this, message_t *message)
+{
+	/* update exchange type to INFORMATIONAL for the delete */
+	message->set_exchange_type(message, INFORMATIONAL);
+
+	return this->ike_delete->task.build(&this->ike_delete->task, message);
+}
+
+/**
+ * Implementation of task_t.process for initiator, after rekeying
+ */
+static status_t process_i_delete(private_ike_rekey_t *this, message_t *message)
+{
+	return this->ike_delete->task.process(&this->ike_delete->task, message);
+}
+
+/**
+ * Implementation of task_t.build for initiator
+ */
+static status_t build_i(private_ike_rekey_t *this, message_t *message)
+{
+	peer_cfg_t *peer_cfg;
+	host_t *other_host;
+
+	/* create new SA only on first try */
+	if (this->new_sa == NULL)
+	{
+		this->new_sa = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager,
+															TRUE);
+
+		peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
+		other_host = this->ike_sa->get_other_host(this->ike_sa);
+		this->new_sa->set_peer_cfg(this->new_sa, peer_cfg);
+		this->new_sa->set_other_host(this->new_sa, other_host->clone(other_host));
+		this->ike_init = ike_init_create(this->new_sa, TRUE, this->ike_sa);
+		this->ike_sa->set_state(this->ike_sa, IKE_REKEYING);
+	}
+	this->ike_init->task.build(&this->ike_init->task, message);
+
+	return NEED_MORE;
+}
+
+/**
+ * Implementation of task_t.process for responder
+ */
+static status_t process_r(private_ike_rekey_t *this, message_t *message)
+{
+	peer_cfg_t *peer_cfg;
+	iterator_t *iterator;
+	child_sa_t *child_sa;
+
+	if (this->ike_sa->get_state(this->ike_sa) == IKE_DELETING)
+	{
+		DBG1(DBG_IKE, "peer initiated rekeying, but we are deleting");
+		return NEED_MORE;
+	}
+
+	iterator = this->ike_sa->create_child_sa_iterator(this->ike_sa);
+	while (iterator->iterate(iterator, (void**)&child_sa))
+	{
+		switch (child_sa->get_state(child_sa))
+		{
+			case CHILD_CREATED:
+			case CHILD_REKEYING:
+			case CHILD_DELETING:
+				/* we do not allow rekeying while we have children in-progress */
+				DBG1(DBG_IKE, "peer initiated rekeying, but a child is half-open");
+				iterator->destroy(iterator);
+				return NEED_MORE;
+			default:
+				break;
+		}
+	}
+	iterator->destroy(iterator);
+
+	this->new_sa = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager,
+														FALSE);
+
+	peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
+	this->new_sa->set_peer_cfg(this->new_sa, peer_cfg);
+	this->ike_init = ike_init_create(this->new_sa, FALSE, this->ike_sa);
+	this->ike_init->task.process(&this->ike_init->task, message);
+
+	return NEED_MORE;
+}
+
+/**
+ * Implementation of task_t.build for responder
+ */
+static status_t build_r(private_ike_rekey_t *this, message_t *message)
+{
+	if (this->new_sa == NULL)
+	{
+		/* IKE_SA/a CHILD_SA is in an inacceptable state, deny rekeying */
+		message->add_notify(message, TRUE, NO_PROPOSAL_CHOSEN, chunk_empty);
+		return SUCCESS;
+	}
+
+	if (this->ike_init->task.build(&this->ike_init->task, message) == FAILED)
+	{
+		return SUCCESS;
+	}
+
+	this->ike_sa->set_state(this->ike_sa, IKE_REKEYING);
+	this->new_sa->set_state(this->new_sa, IKE_ESTABLISHED);
+	DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
+		 this->new_sa->get_name(this->new_sa),
+		 this->new_sa->get_unique_id(this->new_sa),
+		 this->ike_sa->get_my_host(this->ike_sa),
+		 this->ike_sa->get_my_id(this->ike_sa),
+		 this->ike_sa->get_other_host(this->ike_sa),
+		 this->ike_sa->get_other_id(this->ike_sa));
+
+	return SUCCESS;
+}
+
+/**
+ * Implementation of task_t.process for initiator
+ */
+static status_t process_i(private_ike_rekey_t *this, message_t *message)
+{
+	if (message->get_notify(message, NO_ADDITIONAL_SAS))
+	{
+		DBG1(DBG_IKE, "peer seems to not support IKE rekeying, "
+			 "starting reauthentication");
+		this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
+		charon->processor->queue_job(charon->processor,
+				(job_t*)rekey_ike_sa_job_create(
+							this->ike_sa->get_id(this->ike_sa), TRUE));
+		return SUCCESS;
+	}
+
+	switch (this->ike_init->task.process(&this->ike_init->task, message))
+	{
+		case FAILED:
+			/* rekeying failed, fallback to old SA */
+			if (!(this->collision && (
+				this->collision->get_type(this->collision) == IKE_DELETE ||
+				this->collision->get_type(this->collision) == IKE_REAUTH)))
+			{
+				job_t *job;
+				u_int32_t retry = RETRY_INTERVAL - (random() % RETRY_JITTER);
+				job = (job_t*)rekey_ike_sa_job_create(
+										this->ike_sa->get_id(this->ike_sa), FALSE);
+				DBG1(DBG_IKE, "IKE_SA rekeying failed, "
+										"trying again in %d seconds", retry);
+				this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
+				charon->scheduler->schedule_job(charon->scheduler, job, retry);
+			}
+			return SUCCESS;
+		case NEED_MORE:
+			/* bad dh group, try again */
+			this->ike_init->task.migrate(&this->ike_init->task, this->new_sa);
+			return NEED_MORE;
+		default:
+			break;
+	}
+
+	this->new_sa->set_state(this->new_sa, IKE_ESTABLISHED);
+	DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
+		 this->new_sa->get_name(this->new_sa),
+		 this->new_sa->get_unique_id(this->new_sa),
+		 this->ike_sa->get_my_host(this->ike_sa),
+		 this->ike_sa->get_my_id(this->ike_sa),
+		 this->ike_sa->get_other_host(this->ike_sa),
+		 this->ike_sa->get_other_id(this->ike_sa));
+
+	/* check for collisions */
+	if (this->collision &&
+		this->collision->get_type(this->collision) == IKE_REKEY)
+	{
+		chunk_t this_nonce, other_nonce;
+		host_t *host;
+		private_ike_rekey_t *other = (private_ike_rekey_t*)this->collision;
+
+		this_nonce = this->ike_init->get_lower_nonce(this->ike_init);
+		other_nonce = other->ike_init->get_lower_nonce(other->ike_init);
+
+		/* if we have the lower nonce, delete rekeyed SA. If not, delete
+		 * the redundant. */
+		if (memcmp(this_nonce.ptr, other_nonce.ptr,
+				   min(this_nonce.len, other_nonce.len)) < 0)
+		{
+			/* peer should delete this SA. Add a timeout just in case. */
+			job_t *job = (job_t*)delete_ike_sa_job_create(
+									other->new_sa->get_id(other->new_sa), TRUE);
+			charon->scheduler->schedule_job(charon->scheduler, job, 10);
+			DBG1(DBG_IKE, "IKE_SA rekey collision won, deleting rekeyed IKE_SA");
+			charon->ike_sa_manager->checkin(charon->ike_sa_manager, other->new_sa);
+			other->new_sa = NULL;
+		}
+		else
+		{
+			DBG1(DBG_IKE, "IKE_SA rekey collision lost, deleting redundant IKE_SA");
+			/* apply host for a proper delete */
+			host = this->ike_sa->get_my_host(this->ike_sa);
+			this->new_sa->set_my_host(this->new_sa, host->clone(host));
+			host = this->ike_sa->get_other_host(this->ike_sa);
+			this->new_sa->set_other_host(this->new_sa, host->clone(host));
+			this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
+			if (this->new_sa->delete(this->new_sa) == DESTROY_ME)
+			{
+				charon->ike_sa_manager->checkin_and_destroy(
+										charon->ike_sa_manager, this->new_sa);
+			}
+			else
+			{
+				charon->ike_sa_manager->checkin(
+										charon->ike_sa_manager, this->new_sa);
+			}
+			/* set threads active IKE_SA after checkin */
+			charon->bus->set_sa(charon->bus, this->ike_sa);
+			/* inherit to other->new_sa in destroy() */
+			this->new_sa = other->new_sa;
+			other->new_sa = NULL;
+			return SUCCESS;
+		}
+		/* set threads active IKE_SA after checkin */
+		charon->bus->set_sa(charon->bus, this->ike_sa);
+	}
+
+	/* rekeying successful, delete the IKE_SA using a subtask */
+	this->ike_delete = ike_delete_create(this->ike_sa, TRUE);
+	this->public.task.build = (status_t(*)(task_t*,message_t*))build_i_delete;
+	this->public.task.process = (status_t(*)(task_t*,message_t*))process_i_delete;
+
+	return NEED_MORE;
+}
+
+/**
+ * Implementation of task_t.get_type
+ */
+static task_type_t get_type(private_ike_rekey_t *this)
+{
+	return IKE_REKEY;
+}
+
+static void collide(private_ike_rekey_t* this, task_t *other)
+{
+	DESTROY_IF(this->collision);
+	this->collision = other;
+}
+
+/**
+ * Implementation of task_t.migrate
+ */
+static void migrate(private_ike_rekey_t *this, ike_sa_t *ike_sa)
+{
+	if (this->ike_init)
+	{
+		this->ike_init->task.destroy(&this->ike_init->task);
+	}
+	if (this->ike_delete)
+	{
+		this->ike_delete->task.destroy(&this->ike_delete->task);
+	}
+	if (this->new_sa)
+	{
+		charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager,
+													this->new_sa);
+		/* set threads active IKE_SA after checkin */
+		charon->bus->set_sa(charon->bus, this->ike_sa);
+	}
+	DESTROY_IF(this->collision);
+
+	this->collision = NULL;
+	this->ike_sa = ike_sa;
+	this->new_sa = NULL;
+	this->ike_init = NULL;
+	this->ike_delete = NULL;
+}
+
+/**
+ * Implementation of task_t.destroy
+ */
+static void destroy(private_ike_rekey_t *this)
+{
+	if (this->new_sa)
+	{
+		if (this->new_sa->get_state(this->new_sa) == IKE_ESTABLISHED &&
+			this->new_sa->inherit(this->new_sa, this->ike_sa) != DESTROY_ME)
+		{
+			/* invoke hook if rekeying was successful */
+			charon->bus->ike_rekey(charon->bus, this->ike_sa, this->new_sa);
+			charon->ike_sa_manager->checkin(charon->ike_sa_manager, this->new_sa);
+		}
+		else
+		{
+			charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager,
+														this->new_sa);
+		}
+		/* set threads active IKE_SA after checkin */
+		charon->bus->set_sa(charon->bus, this->ike_sa);
+	}
+	if (this->ike_init)
+	{
+		this->ike_init->task.destroy(&this->ike_init->task);
+	}
+	if (this->ike_delete)
+	{
+		this->ike_delete->task.destroy(&this->ike_delete->task);
+	}
+	DESTROY_IF(this->collision);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+ike_rekey_t *ike_rekey_create(ike_sa_t *ike_sa, bool initiator)
+{
+	private_ike_rekey_t *this = malloc_thing(private_ike_rekey_t);
+
+	this->public.collide = (void(*)(ike_rekey_t*,task_t*))collide;
+	this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
+	this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
+	this->public.task.destroy = (void(*)(task_t*))destroy;
+	if (initiator)
+	{
+		this->public.task.build = (status_t(*)(task_t*,message_t*))build_i;
+		this->public.task.process = (status_t(*)(task_t*,message_t*))process_i;
+	}
+	else
+	{
+		this->public.task.build = (status_t(*)(task_t*,message_t*))build_r;
+		this->public.task.process = (status_t(*)(task_t*,message_t*))process_r;
+	}
+
+	this->ike_sa = ike_sa;
+	this->new_sa = NULL;
+	this->ike_init = NULL;
+	this->ike_delete = NULL;
+	this->initiator = initiator;
+	this->collision = NULL;
+
+	return &this->public;
+}
diff --git a/src/libcharon/sa/tasks/ike_rekey.h b/src/libcharon/sa/tasks/ike_rekey.h
new file mode 100644
index 000000000..1c9550768
--- /dev/null
+++ b/src/libcharon/sa/tasks/ike_rekey.h
@@ -0,0 +1,61 @@
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ike_rekey ike_rekey
+ * @{ @ingroup tasks
+ */
+
+#ifndef IKE_REKEY_H_
+#define IKE_REKEY_H_
+
+typedef struct ike_rekey_t ike_rekey_t;
+
+#include <library.h>
+#include <sa/ike_sa.h>
+#include <sa/tasks/task.h>
+
+/**
+ * Task of type IKE_REKEY, rekey an established IKE_SA.
+ */
+struct ike_rekey_t {
+
+	/**
+	 * Implements the task_t interface
+	 */
+	task_t task;
+
+	/**
+	 * Register a rekeying task which collides with this one.
+	 *
+	 * If two peers initiate rekeying at the same time, the collision must
+	 * be handled gracefully. The task manager is aware of what exchanges
+	 * are going on and notifies the outgoing task by passing the incoming.
+	 *
+	 * @param other		incoming task
+	 */
+	void (*collide)(ike_rekey_t* this, task_t *other);
+};
+
+/**
+ * Create a new IKE_REKEY task.
+ *
+ * @param ike_sa		IKE_SA this task works for
+ * @param initiator		TRUE for initiator, FALSE for responder
+ * @return				IKE_REKEY task to handle by the task_manager
+ */
+ike_rekey_t *ike_rekey_create(ike_sa_t *ike_sa, bool initiator);
+
+#endif /** IKE_REKEY_H_ @}*/
diff --git a/src/libcharon/sa/tasks/ike_vendor.c b/src/libcharon/sa/tasks/ike_vendor.c
new file mode 100644
index 000000000..7c435b6d1
--- /dev/null
+++ b/src/libcharon/sa/tasks/ike_vendor.c
@@ -0,0 +1,139 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ike_vendor.h"
+
+#include <daemon.h>
+#include <encoding/payloads/vendor_id_payload.h>
+
+typedef struct private_ike_vendor_t private_ike_vendor_t;
+
+/**
+ * Private data of an ike_vendor_t object.
+ */
+struct private_ike_vendor_t {
+
+	/**
+	 * Public ike_vendor_t interface.
+	 */
+	ike_vendor_t public;
+
+	/**
+	 * Associated IKE_SA
+	 */
+	ike_sa_t *ike_sa;
+
+	/**
+	 * Are we the inititator of this task
+	 */
+	bool initiator;
+};
+
+/**
+ * strongSwan specific vendor ID without version, MD5("strongSwan")
+ */
+static chunk_t strongswan_vid = chunk_from_chars(
+	0x88,0x2f,0xe5,0x6d,0x6f,0xd2,0x0d,0xbc,
+	0x22,0x51,0x61,0x3b,0x2e,0xbe,0x5b,0xeb
+);
+
+METHOD(task_t, build, status_t,
+	private_ike_vendor_t *this, message_t *message)
+{
+	if (lib->settings->get_bool(lib->settings,
+								"charon.send_vendor_id", FALSE))
+	{
+		vendor_id_payload_t *vid;
+
+		vid = vendor_id_payload_create_data(chunk_clone(strongswan_vid));
+		message->add_payload(message, &vid->payload_interface);
+	}
+
+	return this->initiator ? NEED_MORE : SUCCESS;
+}
+
+METHOD(task_t, process, status_t,
+	private_ike_vendor_t *this, message_t *message)
+{
+	enumerator_t *enumerator;
+	payload_t *payload;
+
+	enumerator = message->create_payload_enumerator(message);
+	while (enumerator->enumerate(enumerator, &payload))
+	{
+		if (payload->get_type(payload) == VENDOR_ID)
+		{
+			vendor_id_payload_t *vid;
+			chunk_t data;
+
+			vid = (vendor_id_payload_t*)payload;
+			data = vid->get_data(vid);
+
+			if (chunk_equals(data, strongswan_vid))
+			{
+				DBG1(DBG_IKE, "received strongSwan vendor id");
+				this->ike_sa->enable_extension(this->ike_sa, EXT_STRONGSWAN);
+			}
+			else
+			{
+				DBG1(DBG_ENC, "received unknown vendor id: %#B", &data);
+			}
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	return this->initiator ? SUCCESS : NEED_MORE;
+}
+
+METHOD(task_t, migrate, void,
+	private_ike_vendor_t *this, ike_sa_t *ike_sa)
+{
+	this->ike_sa = ike_sa;
+}
+
+METHOD(task_t, get_type, task_type_t,
+	private_ike_vendor_t *this)
+{
+	return IKE_VENDOR;
+}
+
+METHOD(task_t, destroy, void,
+	private_ike_vendor_t *this)
+{
+	free(this);
+}
+
+/**
+ * See header
+ */
+ike_vendor_t *ike_vendor_create(ike_sa_t *ike_sa, bool initiator)
+{
+	private_ike_vendor_t *this;
+
+	INIT(this,
+		.public.task = {
+			.build = _build,
+			.process = _process,
+			.migrate = _migrate,
+			.get_type = _get_type,
+			.destroy = _destroy,
+		},
+		.initiator = initiator,
+		.ike_sa = ike_sa,
+	);
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/sa/tasks/ike_vendor.h b/src/libcharon/sa/tasks/ike_vendor.h
new file mode 100644
index 000000000..dcdd37424
--- /dev/null
+++ b/src/libcharon/sa/tasks/ike_vendor.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ike_vendor ike_vendor
+ * @{ @ingroup tasks
+ */
+
+#ifndef IKE_VENDOR_H_
+#define IKE_VENDOR_H_
+
+typedef struct ike_vendor_t ike_vendor_t;
+
+#include <library.h>
+#include <sa/ike_sa.h>
+#include <sa/tasks/task.h>
+
+/**
+ * Vendor ID processing task.
+ */
+struct ike_vendor_t {
+
+	/**
+	 * Implements task interface.
+	 */
+	task_t task;
+};
+
+/**
+ * Create a ike_vendor instance.
+ *
+ * @param ike_sa		IKE_SA this task works for
+ * @param initiator		TRUE if thask is the original initator
+ */
+ike_vendor_t *ike_vendor_create(ike_sa_t *ike_sa, bool initiator);
+
+#endif /** IKE_VENDOR_H_ @}*/
diff --git a/src/libcharon/sa/tasks/task.c b/src/libcharon/sa/tasks/task.c
new file mode 100644
index 000000000..0d7383141
--- /dev/null
+++ b/src/libcharon/sa/tasks/task.c
@@ -0,0 +1,58 @@
+/*
+ * Copyright (C) 2007 Tobias Brunner
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "task.h"
+
+#ifdef ME
+ENUM(task_type_names, IKE_INIT, CHILD_REKEY,
+	"IKE_INIT",
+	"IKE_NATD",
+	"IKE_MOBIKE",
+	"IKE_AUTHENTICATE",
+	"IKE_AUTH_LIFETIME",
+	"IKE_CERT_PRE",
+	"IKE_CERT_POST",
+	"IKE_CONFIG",
+	"IKE_REKEY",
+	"IKE_REAUTH",
+	"IKE_DELETE",
+	"IKE_DPD",
+	"IKE_VENDOR",
+	"IKE_ME",
+	"CHILD_CREATE",
+	"CHILD_DELETE",
+	"CHILD_REKEY",
+);
+#else
+ENUM(task_type_names, IKE_INIT, CHILD_REKEY,
+	"IKE_INIT",
+	"IKE_NATD",
+	"IKE_MOBIKE",
+	"IKE_AUTHENTICATE",
+	"IKE_AUTH_LIFETIME",
+	"IKE_CERT_PRE",
+	"IKE_CERT_POST",
+	"IKE_CONFIG",
+	"IKE_REKEY",
+	"IKE_REAUTH",
+	"IKE_DELETE",
+	"IKE_DPD",
+	"IKE_VENDOR",
+	"CHILD_CREATE",
+	"CHILD_DELETE",
+	"CHILD_REKEY",
+);
+#endif /* ME */
diff --git a/src/libcharon/sa/tasks/task.h b/src/libcharon/sa/tasks/task.h
new file mode 100644
index 000000000..4468f2ebe
--- /dev/null
+++ b/src/libcharon/sa/tasks/task.h
@@ -0,0 +1,150 @@
+/*
+ * Copyright (C) 2007 Tobias Brunner
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup task task
+ * @{ @ingroup tasks
+ */
+
+#ifndef TASK_H_
+#define TASK_H_
+
+typedef enum task_type_t task_type_t;
+typedef struct task_t task_t;
+
+#include <library.h>
+#include <sa/ike_sa.h>
+#include <encoding/message.h>
+
+/**
+ * Different kinds of tasks.
+ */
+enum task_type_t {
+	/** establish an unauthenticated IKE_SA */
+	IKE_INIT,
+	/** detect NAT situation */
+	IKE_NATD,
+	/** handle MOBIKE stuff */
+	IKE_MOBIKE,
+	/** authenticate the initiated IKE_SA */
+	IKE_AUTHENTICATE,
+	/** AUTH_LIFETIME negotiation, RFC4478 */
+	IKE_AUTH_LIFETIME,
+	/** certificate processing before authentication (certreqs, cert parsing) */
+	IKE_CERT_PRE,
+	/** certificate processing after authentication (certs payload generation) */
+	IKE_CERT_POST,
+	/** Configuration payloads, virtual IP and such */
+	IKE_CONFIG,
+	/** rekey an IKE_SA */
+	IKE_REKEY,
+	/** reestablish a complete IKE_SA */
+	IKE_REAUTH,
+	/** delete an IKE_SA */
+	IKE_DELETE,
+	/** liveness check */
+	IKE_DPD,
+	/** Vendor ID processing */
+	IKE_VENDOR,
+#ifdef ME
+	/** handle ME stuff */
+	IKE_ME,
+#endif /* ME */
+	/** establish a CHILD_SA within an IKE_SA */
+	CHILD_CREATE,
+	/** delete an established CHILD_SA */
+	CHILD_DELETE,
+	/** rekey an CHILD_SA */
+	CHILD_REKEY,
+};
+
+/**
+ * enum names for task_type_t.
+ */
+extern enum_name_t *task_type_names;
+
+/**
+ * Interface for a task, an operation handled within exchanges.
+ *
+ * A task is an elemantary operation. It may be handled by a single or by
+ * multiple exchanges. An exchange may even complete multiple tasks.
+ * A task has a build() and an process() operation. The build() operation
+ * creates payloads and adds it to the message. The process() operation
+ * inspects a message and handles its payloads. An initiator of an exchange
+ * first calls build() to build the request, and processes the response message
+ * with the process() method.
+ * A responder does the opposite; it calls process() first to handle an incoming
+ * request and secondly calls build() to build an appropriate response.
+ * Both methods return either SUCCESS, NEED_MORE or FAILED. A SUCCESS indicates
+ * that the task completed, even when the task completed unsuccesfully. The
+ * manager then removes the task from the list. A NEED_MORE is returned when
+ * the task needs further build()/process() calls to complete, the manager
+ * leaves the taks in the queue. A returned FAILED indicates a critical failure.
+ * The manager closes the IKE_SA whenever a task returns FAILED.
+ */
+struct task_t {
+
+	/**
+	 * Build a request or response message for this task.
+	 *
+	 * @param message		message to add payloads to
+	 * @return
+	 *						- FAILED if a critical error occured
+	 *						- DESTROY_ME if IKE_SA has been properly deleted
+	 *						- NEED_MORE if another call to build/process needed
+	 *						- SUCCESS if task completed
+	 */
+	status_t (*build) (task_t *this, message_t *message);
+
+	/**
+	 * Process a request or response message for this task.
+	 *
+	 * @param message		message to read payloads from
+	 * @return
+	 * 						- FAILED if a critical error occured
+	 *						- DESTROY_ME if IKE_SA has been properly deleted
+	 *						- NEED_MORE if another call to build/process needed
+	 *						- SUCCESS if task completed
+	 */
+	status_t (*process) (task_t *this, message_t *message);
+
+	/**
+	 * Get the type of the task implementation.
+	 */
+	task_type_t (*get_type) (task_t *this);
+
+	/**
+	 * Migrate a task to a new IKE_SA.
+	 *
+	 * After migrating a task, it goes back to a state where it can be
+	 * used again to initate an exchange. This is useful when a task
+	 * has to get migrated to a new IKE_SA.
+	 * A special usage is when a INVALID_KE_PAYLOAD is received. A call
+	 * to reset resets the task, but uses another DH group for the next
+	 * try.
+	 * The ike_sa is the new IKE_SA this task belongs to and operates on.
+	 *
+	 * @param ike_sa		new IKE_SA this task works for
+	 */
+	void (*migrate) (task_t *this, ike_sa_t *ike_sa);
+
+	/**
+	 * Destroys a task_t object.
+	 */
+	void (*destroy) (task_t *this);
+};
+
+#endif /** TASK_H_ @}*/
diff --git a/src/libcharon/sa/trap_manager.c b/src/libcharon/sa/trap_manager.c
new file mode 100644
index 000000000..878170c83
--- /dev/null
+++ b/src/libcharon/sa/trap_manager.c
@@ -0,0 +1,403 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "trap_manager.h"
+
+#include <daemon.h>
+#include <threading/rwlock.h>
+#include <utils/linked_list.h>
+
+
+typedef struct private_trap_manager_t private_trap_manager_t;
+typedef struct trap_listener_t trap_listener_t;
+
+/**
+ * listener to track acquires
+ */
+struct trap_listener_t {
+
+	/**
+	 * Implements listener interface
+	 */
+	listener_t listener;
+
+	/**
+	 * points to trap_manager
+	 */
+	private_trap_manager_t *traps;
+};
+
+/**
+ * Private data of an trap_manager_t object.
+ */
+struct private_trap_manager_t {
+
+	/**
+	 * Public trap_manager_t interface.
+	 */
+	trap_manager_t public;
+
+	/**
+	 * Installed traps, as entry_t
+	 */
+	linked_list_t *traps;
+
+	/**
+	 * read write lock for traps list
+	 */
+	rwlock_t *lock;
+
+	/**
+	 * listener to track acquiring IKE_SAs
+	 */
+	trap_listener_t listener;
+};
+
+/**
+ * A installed trap entry
+ */
+typedef struct {
+	/** ref to peer_cfg to initiate */
+	peer_cfg_t *peer_cfg;
+	/** ref to instanciated CHILD_SA */
+	child_sa_t *child_sa;
+	/** pending IKE_SA connecting upon acquire */
+	ike_sa_t *pending;
+} entry_t;
+
+/**
+ * actually uninstall and destroy an installed entry
+ */
+static void destroy_entry(entry_t *entry)
+{
+	entry->child_sa->destroy(entry->child_sa);
+	entry->peer_cfg->destroy(entry->peer_cfg);
+	free(entry);
+}
+
+/**
+ * Implementation of trap_manager_t.install
+ */
+static u_int32_t install(private_trap_manager_t *this, peer_cfg_t *peer,
+					 child_cfg_t *child)
+{
+	entry_t *entry;
+	ike_cfg_t *ike_cfg;
+	child_sa_t *child_sa;
+	host_t *me, *other;
+	linked_list_t *my_ts, *other_ts;
+	enumerator_t *enumerator;
+	bool found = FALSE;
+	status_t status;
+	u_int32_t reqid;
+
+	/* check if not already done */
+	this->lock->read_lock(this->lock);
+	enumerator = this->traps->create_enumerator(this->traps);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (streq(entry->child_sa->get_name(entry->child_sa),
+				  child->get_name(child)))
+		{
+			found = TRUE;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
+	if (found)
+	{
+		DBG1(DBG_CFG, "CHILD_SA named '%s' already routed",
+			 child->get_name(child));
+		return 0;
+	}
+
+	/* try to resolve addresses */
+	ike_cfg = peer->get_ike_cfg(peer);
+	other = host_create_from_dns(ike_cfg->get_other_addr(ike_cfg),
+								 0, ike_cfg->get_other_port(ike_cfg));
+	if (!other)
+	{
+		DBG1(DBG_CFG, "installing trap failed, remote address unknown");
+		return 0;
+	}
+	me = host_create_from_dns(ike_cfg->get_my_addr(ike_cfg),
+					other->get_family(other), ike_cfg->get_my_port(ike_cfg));
+	if (!me || me->is_anyaddr(me))
+	{
+		DESTROY_IF(me);
+		me = charon->kernel_interface->get_source_addr(
+									charon->kernel_interface, other, NULL);
+		if (!me)
+		{
+			DBG1(DBG_CFG, "installing trap failed, local address unknown");
+			other->destroy(other);
+			return 0;
+		}
+		me->set_port(me, ike_cfg->get_my_port(ike_cfg));
+	}
+
+	/* create and route CHILD_SA */
+	child_sa = child_sa_create(me, other, child, 0, FALSE);
+	my_ts = child->get_traffic_selectors(child, TRUE, NULL, me);
+	other_ts = child->get_traffic_selectors(child, FALSE, NULL, other);
+	me->destroy(me);
+	other->destroy(other);
+
+	/* while we don't know the finally negotiated protocol (ESP|AH), we
+	 * could iterate all proposals for a best guest (TODO). But as we
+	 * support ESP only for now, we set here. */
+	child_sa->set_protocol(child_sa, PROTO_ESP);
+	child_sa->set_mode(child_sa, child->get_mode(child));
+	status = child_sa->add_policies(child_sa, my_ts, other_ts);
+	my_ts->destroy_offset(my_ts, offsetof(traffic_selector_t, destroy));
+	other_ts->destroy_offset(other_ts, offsetof(traffic_selector_t, destroy));
+	if (status != SUCCESS)
+	{
+		child_sa->destroy(child_sa);
+		DBG1(DBG_CFG, "installing trap failed");
+		return 0;
+	}
+
+	reqid = child_sa->get_reqid(child_sa);
+	entry = malloc_thing(entry_t);
+	entry->child_sa = child_sa;
+	entry->peer_cfg = peer->get_ref(peer);
+	entry->pending = NULL;
+
+	this->lock->write_lock(this->lock);
+	this->traps->insert_last(this->traps, entry);
+	this->lock->unlock(this->lock);
+
+	return reqid;
+}
+
+/**
+ * Implementation of trap_manager_t.uninstall
+ */
+static bool uninstall(private_trap_manager_t *this, u_int32_t reqid)
+{
+	enumerator_t *enumerator;
+	entry_t *entry, *found = NULL;
+
+	this->lock->write_lock(this->lock);
+	enumerator = this->traps->create_enumerator(this->traps);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (entry->child_sa->get_reqid(entry->child_sa) == reqid)
+		{
+			this->traps->remove_at(this->traps, enumerator);
+			found = entry;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
+
+	if (!found)
+	{
+		DBG1(DBG_CFG, "trap %d not found to uninstall", reqid);
+		return FALSE;
+	}
+
+	destroy_entry(found);
+	return TRUE;
+}
+
+/**
+ * convert enumerated entries to peer_cfg, child_sa
+ */
+static bool trap_filter(rwlock_t *lock, entry_t **entry, peer_cfg_t **peer_cfg,
+						void *none, child_sa_t **child_sa)
+{
+	if (peer_cfg)
+	{
+		*peer_cfg = (*entry)->peer_cfg;
+	}
+	if (child_sa)
+	{
+		*child_sa = (*entry)->child_sa;
+	}
+	return TRUE;
+}
+
+/**
+ * Implementation of trap_manager_t.create_enumerator
+ */
+static enumerator_t* create_enumerator(private_trap_manager_t *this)
+{
+	this->lock->read_lock(this->lock);
+	return enumerator_create_filter(this->traps->create_enumerator(this->traps),
+									(void*)trap_filter, this->lock,
+									(void*)this->lock->unlock);
+}
+
+/**
+ * Implementation of trap_manager_t.acquire
+ */
+static void acquire(private_trap_manager_t *this, u_int32_t reqid,
+					traffic_selector_t *src, traffic_selector_t *dst)
+{
+	enumerator_t *enumerator;
+	entry_t *entry, *found = NULL;
+	peer_cfg_t *peer;
+	child_cfg_t *child;
+	ike_sa_t *ike_sa;
+
+	this->lock->read_lock(this->lock);
+	enumerator = this->traps->create_enumerator(this->traps);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (entry->child_sa->get_reqid(entry->child_sa) == reqid)
+		{
+			found = entry;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	if (!found)
+	{
+		DBG1(DBG_CFG, "trap not found, unable to acquire reqid %d",reqid);
+	}
+	else if (found->pending)
+	{
+		DBG1(DBG_CFG, "ignoring acquire, connection attempt pending");
+	}
+	else
+	{
+		child = found->child_sa->get_config(found->child_sa);
+		peer = found->peer_cfg;
+		ike_sa = charon->ike_sa_manager->checkout_by_config(
+												charon->ike_sa_manager, peer);
+		if (ike_sa->get_peer_cfg(ike_sa) == NULL)
+		{
+			ike_sa->set_peer_cfg(ike_sa, peer);
+		}
+		child->get_ref(child);
+		reqid = found->child_sa->get_reqid(found->child_sa);
+		if (ike_sa->initiate(ike_sa, child, reqid, src, dst) != DESTROY_ME)
+		{
+			found->pending = ike_sa;
+			charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+		}
+		else
+		{
+			charon->ike_sa_manager->checkin_and_destroy(
+												charon->ike_sa_manager, ike_sa);
+		}
+	}
+	this->lock->unlock(this->lock);
+}
+
+/**
+ * Complete the acquire, if successful or failed
+ */
+static void complete(private_trap_manager_t *this, ike_sa_t *ike_sa,
+					 child_sa_t *child_sa)
+{
+	enumerator_t *enumerator;
+	entry_t *entry;
+
+	this->lock->read_lock(this->lock);
+	enumerator = this->traps->create_enumerator(this->traps);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (entry->pending != ike_sa)
+		{
+			continue;
+		}
+		if (child_sa && child_sa->get_reqid(child_sa) !=
+									entry->child_sa->get_reqid(entry->child_sa))
+		{
+			continue;
+		}
+		entry->pending = NULL;
+	}
+	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
+}
+
+/**
+ * Implementation of listener_t.ike_state_change
+ */
+static bool ike_state_change(trap_listener_t *listener, ike_sa_t *ike_sa,
+							 ike_sa_state_t state)
+{
+	switch (state)
+	{
+		case IKE_DESTROYING:
+			complete(listener->traps, ike_sa, NULL);
+			return TRUE;
+		default:
+			return TRUE;
+	}
+}
+
+/**
+ * Implementation of listener_t.child_state_change
+ */
+static bool child_state_change(trap_listener_t *listener, ike_sa_t *ike_sa,
+							   child_sa_t *child_sa, child_sa_state_t state)
+{
+	switch (state)
+	{
+		case CHILD_INSTALLED:
+		case CHILD_DESTROYING:
+			complete(listener->traps, ike_sa, child_sa);
+			return TRUE;
+		default:
+			return TRUE;
+	}
+}
+
+/**
+ * Implementation of trap_manager_t.destroy.
+ */
+static void destroy(private_trap_manager_t *this)
+{
+	charon->bus->remove_listener(charon->bus, &this->listener.listener);
+	this->traps->invoke_function(this->traps, (void*)destroy_entry);
+	this->traps->destroy(this->traps);
+	this->lock->destroy(this->lock);
+	free(this);
+}
+
+/**
+ * See header
+ */
+trap_manager_t *trap_manager_create()
+{
+	private_trap_manager_t *this = malloc_thing(private_trap_manager_t);
+
+	this->public.install = (u_int(*)(trap_manager_t*, peer_cfg_t *peer, child_cfg_t *child))install;
+	this->public.uninstall = (bool(*)(trap_manager_t*, u_int32_t id))uninstall;
+	this->public.create_enumerator = (enumerator_t*(*)(trap_manager_t*))create_enumerator;
+	this->public.acquire = (void(*)(trap_manager_t*, u_int32_t reqid, traffic_selector_t *src, traffic_selector_t *dst))acquire;
+	this->public.destroy = (void(*)(trap_manager_t*))destroy;
+
+	this->traps = linked_list_create();
+	this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
+
+	/* register listener for IKE state changes */
+	this->listener.traps = this;
+	memset(&this->listener.listener, 0, sizeof(listener_t));
+	this->listener.listener.ike_state_change = (void*)ike_state_change;
+	this->listener.listener.child_state_change = (void*)child_state_change;
+	charon->bus->add_listener(charon->bus, &this->listener.listener);
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/sa/trap_manager.h b/src/libcharon/sa/trap_manager.h
new file mode 100644
index 000000000..37b42e2b0
--- /dev/null
+++ b/src/libcharon/sa/trap_manager.h
@@ -0,0 +1,81 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup trap_manager trap_manager
+ * @{ @ingroup sa
+ */
+
+#ifndef TRAP_MANAGER_H_
+#define TRAP_MANAGER_H_
+
+#include <library.h>
+#include <utils/enumerator.h>
+#include <config/peer_cfg.h>
+
+typedef struct trap_manager_t trap_manager_t;
+
+/**
+ * Manage policies to create SAs from traffic.
+ */
+struct trap_manager_t {
+
+	/**
+	 * Install a policy as a trap.
+	 *
+	 * @param peer		peer configuration to initiate on trap
+	 * @param child 	child configuration to install as a trap
+	 * @return			reqid of installed CHILD_SA, 0 if failed
+	 */
+	u_int32_t (*install)(trap_manager_t *this, peer_cfg_t *peer,
+						 child_cfg_t *child);
+
+	/**
+	 * Uninstall a trap policy.
+	 *
+	 * @param id		reqid of CHILD_SA to uninstall, returned by install()
+	 * @return			TRUE if uninstalled successfully
+	 */
+	bool (*uninstall)(trap_manager_t *this, u_int32_t reqid);
+
+	/**
+	 * Create an enumerator over all installed traps.
+	 *
+	 * @return			enumerator over (peer_cfg_t, child_sa_t)
+	 */
+	enumerator_t* (*create_enumerator)(trap_manager_t *this);
+
+	/**
+	 * Acquire an SA triggered by an installed trap.
+	 *
+	 * @param reqid		requid of the triggering CHILD_SA
+	 * @param src		source of the triggering packet
+	 * @param dst		destination of the triggering packet
+	 */
+	void (*acquire)(trap_manager_t *this, u_int32_t reqid,
+					traffic_selector_t *src, traffic_selector_t *dst);
+
+	/**
+	 * Destroy a trap_manager_t.
+	 */
+	void (*destroy)(trap_manager_t *this);
+};
+
+/**
+ * Create a trap_manager instance.
+ */
+trap_manager_t *trap_manager_create();
+
+#endif /** TRAP_MANAGER_H_ @}*/
diff --git a/src/libfast/Makefile.am b/src/libfast/Makefile.am
index 870dcd6f1..5a1193658 100644
--- a/src/libfast/Makefile.am
+++ b/src/libfast/Makefile.am
@@ -1,7 +1,7 @@
 lib_LTLIBRARIES = libfast.la
 
 libfast_la_SOURCES = context.h dispatcher.c request.h session.h \
-  controller.h dispatcher.h request.c session.c filter.h
+  controller.h dispatcher.h request.c session.c filter.h smtp.c smtp.h
 libfast_la_LIBADD = $(top_builddir)/src/libstrongswan/libstrongswan.la \
   -lfcgi -lneo_cgi -lneo_cs -lneo_utl -lz $(PTHREADLIB)
 INCLUDES = -I$(top_srcdir)/src/libstrongswan -I/usr/include/ClearSilver
diff --git a/src/libfast/Makefile.in b/src/libfast/Makefile.in
index e5ed4a289..f6d1f20a5 100644
--- a/src/libfast/Makefile.in
+++ b/src/libfast/Makefile.in
@@ -77,7 +77,7 @@ am__DEPENDENCIES_1 =
 libfast_la_DEPENDENCIES =  \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
 	$(am__DEPENDENCIES_1)
-am_libfast_la_OBJECTS = dispatcher.lo request.lo session.lo
+am_libfast_la_OBJECTS = dispatcher.lo request.lo session.lo smtp.lo
 libfast_la_OBJECTS = $(am_libfast_la_OBJECTS)
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
@@ -217,6 +217,7 @@ ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libhydra_plugins = @libhydra_plugins@
 libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
@@ -253,7 +254,7 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 lib_LTLIBRARIES = libfast.la
 libfast_la_SOURCES = context.h dispatcher.c request.h session.h \
-  controller.h dispatcher.h request.c session.c filter.h
+  controller.h dispatcher.h request.c session.c filter.h smtp.c smtp.h
 
 libfast_la_LIBADD = $(top_builddir)/src/libstrongswan/libstrongswan.la \
   -lfcgi -lneo_cgi -lneo_cs -lneo_utl -lz $(PTHREADLIB)
@@ -337,6 +338,7 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/dispatcher.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/request.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/session.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/smtp.Plo@am__quote@
 
 .c.o:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
diff --git a/src/libfast/request.c b/src/libfast/request.c
index 3f4894c45..6bf596fd8 100644
--- a/src/libfast/request.c
+++ b/src/libfast/request.c
@@ -203,15 +203,21 @@ static char* get_query_data(private_request_t *this, char *name)
 	return hdf_get_valuef(this->hdf, "Query.%s", name);
 }
 
+/**
+ * Implementation of request_t.get_base.
+ */
+static char* get_base(private_request_t *this)
+{
+	return FCGX_GetParam("SCRIPT_NAME", this->req.envp);
+}
+
 /**
  * Implementation of request_t.add_cookie.
  */
 static void add_cookie(private_request_t *this, char *name, char *value)
 {
 	thread_this->set(thread_this, this);
-	cgi_cookie_set (this->cgi, name, value,
-					FCGX_GetParam("SCRIPT_NAME", this->req.envp),
-					NULL, NULL, 0, 0);
+	cgi_cookie_set (this->cgi, name, value, get_base(this), NULL, NULL, 0, 0);
 }
 
 /**
@@ -222,8 +228,7 @@ static void redirect(private_request_t *this, char *fmt, ...)
 	va_list args;
 
 	FCGX_FPrintF(this->req.out, "Status: 303 See Other\n");
-	FCGX_FPrintF(this->req.out, "Location: %s%s",
-				 FCGX_GetParam("SCRIPT_NAME", this->req.envp),
+	FCGX_FPrintF(this->req.out, "Location: %s%s", get_base(this),
 				 *fmt == '/' ? "" : "/");
 	va_start(args, fmt);
 	FCGX_VFPrintF(this->req.out, fmt, args);
@@ -232,21 +237,30 @@ static void redirect(private_request_t *this, char *fmt, ...)
 }
 
 /**
- * Implementation of request_t.to_referer.
+ * Implementation of request_t.get_referer.
  */
-static void to_referer(private_request_t *this)
+static char* get_referer(private_request_t *this)
 {
-	FCGX_FPrintF(this->req.out, "Status: 303 See Other\n");
-	FCGX_FPrintF(this->req.out, "Location: %s\n\n",
-				 FCGX_GetParam("HTTP_REFERER", this->req.envp));
+	return FCGX_GetParam("HTTP_REFERER", this->req.envp);
 }
 
 /**
- * Implementation of request_t.get_base.
+ * Implementation of request_t.to_referer.
  */
-static char* get_base(private_request_t *this)
+static void to_referer(private_request_t *this)
 {
-	return FCGX_GetParam("SCRIPT_NAME", this->req.envp);
+	char *referer;
+
+	referer = get_referer(this);
+	if (referer)
+	{
+		FCGX_FPrintF(this->req.out, "Status: 303 See Other\n");
+		FCGX_FPrintF(this->req.out, "Location: %s\n\n", referer);
+	}
+	else
+	{
+		redirect(this, "/");
+	}
 }
 
 /**
@@ -396,6 +410,7 @@ request_t *request_create(int fd, bool debug)
 	this->public.session_closed = (bool(*)(request_t*))session_closed;
 	this->public.close_session = (void(*)(request_t*))close_session;
 	this->public.redirect = (void(*)(request_t*, char *fmt,...))redirect;
+	this->public.get_referer = (char*(*)(request_t*))get_referer;
 	this->public.to_referer = (void(*)(request_t*))to_referer;
 	this->public.render = (void(*)(request_t*,char*))render;
 	this->public.streamf = (int(*)(request_t*, char *format, ...))streamf;
diff --git a/src/libfast/request.h b/src/libfast/request.h
index 61e2d59f0..af0f8e4f5 100644
--- a/src/libfast/request.h
+++ b/src/libfast/request.h
@@ -106,7 +106,14 @@ struct request_t {
 	void (*redirect)(request_t *this, char *fmt, ...);
 
 	/**
-	 * Redirect the client to the referer.
+	 * Get the HTTP referer.
+	 *
+	 * @return			HTTP referer
+	 */
+	char* (*get_referer)(request_t *this);
+
+	/**
+	 * Redirect back to the referer.
 	 */
 	void (*to_referer)(request_t *this);
 
diff --git a/src/libfast/session.c b/src/libfast/session.c
index f03b75542..7c4548ee5 100644
--- a/src/libfast/session.c
+++ b/src/libfast/session.c
@@ -177,7 +177,9 @@ static void process(private_session_t *this, request_t *request)
 		if (this->controllers->get_first(this->controllers,
 										 (void**)&current) == SUCCESS)
 		{
-			request->redirect(request, current->get_name(current));
+			request->streamf(request,
+				"Status: 301 Moved permanently\nLocation: %s/%s\n\n",
+				request->get_base(request), current->get_name(current));
 		}
 	}
 }
diff --git a/src/libfast/smtp.c b/src/libfast/smtp.c
new file mode 100644
index 000000000..4118c74a6
--- /dev/null
+++ b/src/libfast/smtp.c
@@ -0,0 +1,185 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "smtp.h"
+
+#include <unistd.h>
+#include <errno.h>
+
+#include <debug.h>
+
+typedef struct private_smtp_t private_smtp_t;
+
+/**
+ * Private data of an smtp_t object.
+ */
+struct private_smtp_t {
+
+	/**
+	 * Public smtp_t interface.
+	 */
+	smtp_t public;
+
+	/**
+	 * file stream to SMTP server
+	 */
+	FILE *f;
+};
+
+/**
+ * Read the response code from an SMTP server
+ */
+static int read_response(private_smtp_t *this)
+{
+	char buf[256], *end;
+	int res = 0;
+
+	while (TRUE)
+	{
+		if (!fgets(buf, sizeof(buf), this->f))
+		{
+			return 0;
+		}
+		res = strtol(buf, &end, 10);
+		switch (*end)
+		{
+			case '-':
+				continue;
+			case ' ':
+			case '\0':
+			case '\n':
+				break;
+			default:
+				return 0;
+		}
+		break;
+	}
+	return res;
+}
+
+/**
+ * write a SMTP command to the server, read response code
+ */
+static int write_cmd(private_smtp_t *this, char *fmt, ...)
+{
+	char buf[256];
+	va_list args;
+
+	va_start(args, fmt);
+	vsnprintf(buf, sizeof(buf), fmt, args);
+	va_end(args);
+
+	if (fprintf(this->f, "%s\n", buf) < 1)
+	{
+		DBG1(DBG_LIB, "sending SMTP command failed");
+		return 0;
+	}
+	return read_response(this);
+}
+
+METHOD(smtp_t, send_mail, bool,
+	private_smtp_t *this, char *from, char *to, char *subject, char *fmt, ...)
+{
+	va_list args;
+
+	if (write_cmd(this, "MAIL FROM:<%s>", from) != 250)
+	{
+		DBG1(DBG_LIB, "SMTP MAIL FROM failed");
+		return FALSE;
+	}
+	if (write_cmd(this, "RCPT TO:<%s>", to) != 250)
+	{
+		DBG1(DBG_LIB, "SMTP RCPT TO failed");
+		return FALSE;
+	}
+	if (write_cmd(this, "DATA") != 354)
+	{
+		DBG1(DBG_LIB, "SMTP DATA failed");
+		return FALSE;
+	}
+
+	fprintf(this->f, "From: %s\n", from);
+	fprintf(this->f, "To: %s\n", to);
+	fprintf(this->f, "Subject: %s\n", subject);
+	fprintf(this->f, "\n");
+	va_start(args, fmt);
+	vfprintf(this->f, fmt, args);
+	va_end(args);
+	fprintf(this->f, "\n.\n");
+	return read_response(this) == 250;
+}
+
+
+METHOD(smtp_t, destroy, void,
+	private_smtp_t *this)
+{
+	write_cmd(this, "QUIT");
+	fclose(this->f);
+	free(this);
+}
+
+/**
+ * See header
+ */
+smtp_t *smtp_create()
+{
+	private_smtp_t *this;
+	struct sockaddr_in addr;
+	int s;
+
+	INIT(this,
+		.public = {
+			.send_mail = _send_mail,
+			.destroy = _destroy,
+		},
+	);
+
+	s = socket(AF_INET, SOCK_STREAM, 0);
+	if (s < 0)
+	{
+		DBG1(DBG_LIB, "opening SMTP socket failed: %s", strerror(errno));
+		free(this);
+		return NULL;
+	}
+	addr.sin_family = AF_INET;
+	addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
+	addr.sin_port = htons(25);
+	if (connect(s, (struct sockaddr*)&addr, sizeof(addr)) < 0)
+	{
+		DBG1(DBG_LIB, "connecting to SMTP server failed: %s", strerror(errno));
+		close(s);
+		free(this);
+		return NULL;
+	}
+	this->f = fdopen(s, "a+");
+	if (!this->f)
+	{
+		DBG1(DBG_LIB, "opening stream to SMTP server failed: %s",
+			 strerror(errno));
+		close(s);
+		free(this);
+		return NULL;
+	}
+	if (read_response(this) != 220 ||
+		write_cmd(this, "EHLO localhost") != 250)
+	{
+		DBG1(DBG_LIB, "SMTP EHLO failed");
+		fclose(this->f);
+		free(this);
+		return NULL;
+	}
+	return &this->public;
+}
+
diff --git a/src/libfast/smtp.h b/src/libfast/smtp.h
new file mode 100644
index 000000000..910f18127
--- /dev/null
+++ b/src/libfast/smtp.h
@@ -0,0 +1,56 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup smtp smtp
+ * @{ @ingroup libfast
+ */
+
+#ifndef SMTP_H_
+#define SMTP_H_
+
+typedef struct smtp_t smtp_t;
+
+#include <library.h>
+
+/**
+ * Ultra-minimalistic SMTP client. Works at most with Exim on localhost.
+ */
+struct smtp_t {
+
+	/**
+	 * Send an e-mail message.
+	 *
+	 * @param from		sender address
+	 * @param to		receipient address
+	 * @param subject	mail subject
+	 * @param fmt		mail body format string
+	 * @param ...		arguments for body format string
+	 */
+	bool (*send_mail)(smtp_t *this, char *from, char *to,
+					  char *subject, char *fmt, ...);
+
+	/**
+	 * Destroy a smtp_t.
+	 */
+	void (*destroy)(smtp_t *this);
+};
+
+/**
+ * Create a smtp instance.
+ */
+smtp_t *smtp_create();
+
+#endif /** SMTP_H_ @}*/
diff --git a/src/libfreeswan/Makefile.in b/src/libfreeswan/Makefile.in
index e72759bca..e752df82d 100644
--- a/src/libfreeswan/Makefile.in
+++ b/src/libfreeswan/Makefile.in
@@ -234,6 +234,7 @@ ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libhydra_plugins = @libhydra_plugins@
 libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
diff --git a/src/libfreeswan/pfkeyv2.h b/src/libfreeswan/pfkeyv2.h
index 685db1273..725997ebc 100644
--- a/src/libfreeswan/pfkeyv2.h
+++ b/src/libfreeswan/pfkeyv2.h
@@ -337,6 +337,7 @@ struct sadb_protocol {
 #define SADB_X_EALG_AES_GCM_ICV12	19
 #define SADB_X_EALG_AES_GCM_ICV16	20
 #define SADB_X_EALG_CAMELLIACBC		22
+#define SADB_X_EALG_NULL_AES_GMAC	23
 #define SADB_EALG_MAX			253 /* last EALG */
 /* private allocations should use 249-255 (RFC2407) */
 #define SADB_X_EALG_SERPENTCBC  252     /* draft-ietf-ipsec-ciph-aes-cbc-00 */
diff --git a/src/libhydra/Android.mk b/src/libhydra/Android.mk
new file mode 100644
index 000000000..caad7447a
--- /dev/null
+++ b/src/libhydra/Android.mk
@@ -0,0 +1,34 @@
+LOCAL_PATH := $(call my-dir)
+include $(CLEAR_VARS)
+
+# copy-n-paste from Makefile.am
+LOCAL_SRC_FILES := \
+hydra.c hydra.h \
+attributes/attributes.c attributes/attributes.h \
+attributes/attribute_provider.h attributes/attribute_handler.h \
+attributes/attribute_manager.c attributes/attribute_manager.h \
+attributes/mem_pool.c attributes/mem_pool.h
+
+# adding the plugin source files
+
+LOCAL_SRC_FILES += $(call add_plugin, attr)
+
+# build libcharon --------------------------------------------------------------
+
+LOCAL_C_INCLUDES += \
+	$(libvstr_PATH) \
+	$(strongswan_PATH)/src/include \
+	$(strongswan_PATH)/src/libstrongswan
+
+LOCAL_CFLAGS := $(strongswan_CFLAGS)
+
+LOCAL_MODULE := libhydra
+
+LOCAL_ARM_MODE := arm
+
+LOCAL_PRELINK_MODULE := false
+
+LOCAL_SHARED_LIBRARIES += libstrongswan
+
+include $(BUILD_SHARED_LIBRARY)
+
diff --git a/src/libhydra/Makefile.am b/src/libhydra/Makefile.am
new file mode 100644
index 000000000..601a56e38
--- /dev/null
+++ b/src/libhydra/Makefile.am
@@ -0,0 +1,42 @@
+lib_LTLIBRARIES = libhydra.la
+
+libhydra_la_SOURCES = \
+hydra.c hydra.h \
+attributes/attributes.c attributes/attributes.h \
+attributes/attribute_provider.h attributes/attribute_handler.h \
+attributes/attribute_manager.c attributes/attribute_manager.h \
+attributes/mem_pool.c attributes/mem_pool.h
+
+libhydra_la_LIBADD =
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+AM_CFLAGS = \
+-DIPSEC_DIR=\"${ipsecdir}\" \
+-DPLUGINDIR=\"${plugindir}\" \
+-DSTRONGSWAN_CONF=\"${strongswan_conf}\"
+
+EXTRA_DIST = Android.mk
+
+# build optional plugins
+########################
+
+if MONOLITHIC
+SUBDIRS =
+else
+SUBDIRS = .
+endif
+
+if USE_ATTR
+  SUBDIRS += plugins/attr
+if MONOLITHIC
+  libhydra_la_LIBADD += plugins/attr/libstrongswan-attr.la
+endif
+endif
+
+if USE_ATTR_SQL
+  SUBDIRS += plugins/attr_sql
+if MONOLITHIC
+  libhydra_la_LIBADD += plugins/attr_sql/libstrongswan-attr-sql.la
+endif
+endif
+
diff --git a/src/libhydra/Makefile.in b/src/libhydra/Makefile.in
new file mode 100644
index 000000000..32027d1ea
--- /dev/null
+++ b/src/libhydra/Makefile.in
@@ -0,0 +1,762 @@
+# Makefile.in generated by automake 1.11 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+@USE_ATTR_TRUE@am__append_1 = plugins/attr
+@MONOLITHIC_TRUE@@USE_ATTR_TRUE@am__append_2 = plugins/attr/libstrongswan-attr.la
+@USE_ATTR_SQL_TRUE@am__append_3 = plugins/attr_sql
+@MONOLITHIC_TRUE@@USE_ATTR_SQL_TRUE@am__append_4 = plugins/attr_sql/libstrongswan-attr-sql.la
+subdir = src/libhydra
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(libdir)"
+LTLIBRARIES = $(lib_LTLIBRARIES)
+libhydra_la_DEPENDENCIES = $(am__append_2) $(am__append_4)
+am_libhydra_la_OBJECTS = hydra.lo attributes.lo attribute_manager.lo \
+	mem_pool.lo
+libhydra_la_OBJECTS = $(am_libhydra_la_OBJECTS)
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libhydra_la_SOURCES)
+DIST_SOURCES = $(libhydra_la_SOURCES)
+RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \
+	html-recursive info-recursive install-data-recursive \
+	install-dvi-recursive install-exec-recursive \
+	install-html-recursive install-info-recursive \
+	install-pdf-recursive install-ps-recursive install-recursive \
+	installcheck-recursive installdirs-recursive pdf-recursive \
+	ps-recursive uninstall-recursive
+RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive	\
+  distclean-recursive maintainer-clean-recursive
+AM_RECURSIVE_TARGETS = $(RECURSIVE_TARGETS:-recursive=) \
+	$(RECURSIVE_CLEAN_TARGETS:-recursive=) tags TAGS ctags CTAGS \
+	distdir
+ETAGS = etags
+CTAGS = ctags
+DIST_SUBDIRS = . plugins/attr plugins/attr_sql
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+am__relativize = \
+  dir0=`pwd`; \
+  sed_first='s,^\([^/]*\)/.*$$,\1,'; \
+  sed_rest='s,^[^/]*/*,,'; \
+  sed_last='s,^.*/\([^/]*\)$$,\1,'; \
+  sed_butlast='s,/*[^/]*$$,,'; \
+  while test -n "$$dir1"; do \
+    first=`echo "$$dir1" | sed -e "$$sed_first"`; \
+    if test "$$first" != "."; then \
+      if test "$$first" = ".."; then \
+        dir2=`echo "$$dir0" | sed -e "$$sed_last"`/"$$dir2"; \
+        dir0=`echo "$$dir0" | sed -e "$$sed_butlast"`; \
+      else \
+        first2=`echo "$$dir2" | sed -e "$$sed_first"`; \
+        if test "$$first2" = "$$first"; then \
+          dir2=`echo "$$dir2" | sed -e "$$sed_rest"`; \
+        else \
+          dir2="../$$dir2"; \
+        fi; \
+        dir0="$$dir0"/"$$first"; \
+      fi; \
+    fi; \
+    dir1=`echo "$$dir1" | sed -e "$$sed_rest"`; \
+  done; \
+  reldir="$$dir2"
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libhydra_plugins = @libhydra_plugins@
+libstrongswan_plugins = @libstrongswan_plugins@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+lib_LTLIBRARIES = libhydra.la
+libhydra_la_SOURCES = \
+hydra.c hydra.h \
+attributes/attributes.c attributes/attributes.h \
+attributes/attribute_provider.h attributes/attribute_handler.h \
+attributes/attribute_manager.c attributes/attribute_manager.h \
+attributes/mem_pool.c attributes/mem_pool.h
+
+libhydra_la_LIBADD = $(am__append_2) $(am__append_4)
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+AM_CFLAGS = \
+-DIPSEC_DIR=\"${ipsecdir}\" \
+-DPLUGINDIR=\"${plugindir}\" \
+-DSTRONGSWAN_CONF=\"${strongswan_conf}\"
+
+EXTRA_DIST = Android.mk
+@MONOLITHIC_FALSE@SUBDIRS = . $(am__append_1) $(am__append_3)
+
+# build optional plugins
+########################
+@MONOLITHIC_TRUE@SUBDIRS = $(am__append_1) $(am__append_3)
+all: all-recursive
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libhydra/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libhydra/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+install-libLTLIBRARIES: $(lib_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(libdir)" || $(MKDIR_P) "$(DESTDIR)$(libdir)"
+	@list='$(lib_LTLIBRARIES)'; test -n "$(libdir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(libdir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(libdir)"; \
+	}
+
+uninstall-libLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(lib_LTLIBRARIES)'; test -n "$(libdir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(libdir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(libdir)/$$f"; \
+	done
+
+clean-libLTLIBRARIES:
+	-test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES)
+	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libhydra.la: $(libhydra_la_OBJECTS) $(libhydra_la_DEPENDENCIES) 
+	$(LINK) -rpath $(libdir) $(libhydra_la_OBJECTS) $(libhydra_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/attribute_manager.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/attributes.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hydra.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mem_pool.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+attributes.lo: attributes/attributes.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT attributes.lo -MD -MP -MF $(DEPDIR)/attributes.Tpo -c -o attributes.lo `test -f 'attributes/attributes.c' || echo '$(srcdir)/'`attributes/attributes.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/attributes.Tpo $(DEPDIR)/attributes.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='attributes/attributes.c' object='attributes.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o attributes.lo `test -f 'attributes/attributes.c' || echo '$(srcdir)/'`attributes/attributes.c
+
+attribute_manager.lo: attributes/attribute_manager.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT attribute_manager.lo -MD -MP -MF $(DEPDIR)/attribute_manager.Tpo -c -o attribute_manager.lo `test -f 'attributes/attribute_manager.c' || echo '$(srcdir)/'`attributes/attribute_manager.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/attribute_manager.Tpo $(DEPDIR)/attribute_manager.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='attributes/attribute_manager.c' object='attribute_manager.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o attribute_manager.lo `test -f 'attributes/attribute_manager.c' || echo '$(srcdir)/'`attributes/attribute_manager.c
+
+mem_pool.lo: attributes/mem_pool.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT mem_pool.lo -MD -MP -MF $(DEPDIR)/mem_pool.Tpo -c -o mem_pool.lo `test -f 'attributes/mem_pool.c' || echo '$(srcdir)/'`attributes/mem_pool.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/mem_pool.Tpo $(DEPDIR)/mem_pool.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='attributes/mem_pool.c' object='mem_pool.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o mem_pool.lo `test -f 'attributes/mem_pool.c' || echo '$(srcdir)/'`attributes/mem_pool.c
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+# This directory's subdirectories are mostly independent; you can cd
+# into them and run `make' without going through this Makefile.
+# To change the values of `make' variables: instead of editing Makefiles,
+# (1) if the variable is set in `config.status', edit `config.status'
+#     (which will cause the Makefiles to be regenerated when you run `make');
+# (2) otherwise, pass the desired values on the `make' command line.
+$(RECURSIVE_TARGETS):
+	@failcom='exit 1'; \
+	for f in x $$MAKEFLAGS; do \
+	  case $$f in \
+	    *=* | --[!k]*);; \
+	    *k*) failcom='fail=yes';; \
+	  esac; \
+	done; \
+	dot_seen=no; \
+	target=`echo $@ | sed s/-recursive//`; \
+	list='$(SUBDIRS)'; for subdir in $$list; do \
+	  echo "Making $$target in $$subdir"; \
+	  if test "$$subdir" = "."; then \
+	    dot_seen=yes; \
+	    local_target="$$target-am"; \
+	  else \
+	    local_target="$$target"; \
+	  fi; \
+	  ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
+	  || eval $$failcom; \
+	done; \
+	if test "$$dot_seen" = "no"; then \
+	  $(MAKE) $(AM_MAKEFLAGS) "$$target-am" || exit 1; \
+	fi; test -z "$$fail"
+
+$(RECURSIVE_CLEAN_TARGETS):
+	@failcom='exit 1'; \
+	for f in x $$MAKEFLAGS; do \
+	  case $$f in \
+	    *=* | --[!k]*);; \
+	    *k*) failcom='fail=yes';; \
+	  esac; \
+	done; \
+	dot_seen=no; \
+	case "$@" in \
+	  distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \
+	  *) list='$(SUBDIRS)' ;; \
+	esac; \
+	rev=''; for subdir in $$list; do \
+	  if test "$$subdir" = "."; then :; else \
+	    rev="$$subdir $$rev"; \
+	  fi; \
+	done; \
+	rev="$$rev ."; \
+	target=`echo $@ | sed s/-recursive//`; \
+	for subdir in $$rev; do \
+	  echo "Making $$target in $$subdir"; \
+	  if test "$$subdir" = "."; then \
+	    local_target="$$target-am"; \
+	  else \
+	    local_target="$$target"; \
+	  fi; \
+	  ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
+	  || eval $$failcom; \
+	done && test -z "$$fail"
+tags-recursive:
+	list='$(SUBDIRS)'; for subdir in $$list; do \
+	  test "$$subdir" = . || ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) tags); \
+	done
+ctags-recursive:
+	list='$(SUBDIRS)'; for subdir in $$list; do \
+	  test "$$subdir" = . || ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) ctags); \
+	done
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS: tags-recursive $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	if ($(ETAGS) --etags-include --version) >/dev/null 2>&1; then \
+	  include_option=--etags-include; \
+	  empty_fix=.; \
+	else \
+	  include_option=--include; \
+	  empty_fix=; \
+	fi; \
+	list='$(SUBDIRS)'; for subdir in $$list; do \
+	  if test "$$subdir" = .; then :; else \
+	    test ! -f $$subdir/TAGS || \
+	      set "$$@" "$$include_option=$$here/$$subdir/TAGS"; \
+	  fi; \
+	done; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS: ctags-recursive $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+	@list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
+	  if test "$$subdir" = .; then :; else \
+	    test -d "$(distdir)/$$subdir" \
+	    || $(MKDIR_P) "$(distdir)/$$subdir" \
+	    || exit 1; \
+	  fi; \
+	done
+	@list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
+	  if test "$$subdir" = .; then :; else \
+	    dir1=$$subdir; dir2="$(distdir)/$$subdir"; \
+	    $(am__relativize); \
+	    new_distdir=$$reldir; \
+	    dir1=$$subdir; dir2="$(top_distdir)"; \
+	    $(am__relativize); \
+	    new_top_distdir=$$reldir; \
+	    echo " (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) top_distdir="$$new_top_distdir" distdir="$$new_distdir" \\"; \
+	    echo "     am__remove_distdir=: am__skip_length_check=: am__skip_mode_fix=: distdir)"; \
+	    ($(am__cd) $$subdir && \
+	      $(MAKE) $(AM_MAKEFLAGS) \
+	        top_distdir="$$new_top_distdir" \
+	        distdir="$$new_distdir" \
+		am__remove_distdir=: \
+		am__skip_length_check=: \
+		am__skip_mode_fix=: \
+	        distdir) \
+	      || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-recursive
+all-am: Makefile $(LTLIBRARIES)
+installdirs: installdirs-recursive
+installdirs-am:
+	for dir in "$(DESTDIR)$(libdir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-recursive
+install-exec: install-exec-recursive
+install-data: install-data-recursive
+uninstall: uninstall-recursive
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-recursive
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-recursive
+
+clean-am: clean-generic clean-libLTLIBRARIES clean-libtool \
+	mostlyclean-am
+
+distclean: distclean-recursive
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-recursive
+
+dvi-am:
+
+html: html-recursive
+
+html-am:
+
+info: info-recursive
+
+info-am:
+
+install-data-am:
+
+install-dvi: install-dvi-recursive
+
+install-dvi-am:
+
+install-exec-am: install-libLTLIBRARIES
+
+install-html: install-html-recursive
+
+install-html-am:
+
+install-info: install-info-recursive
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-recursive
+
+install-pdf-am:
+
+install-ps: install-ps-recursive
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-recursive
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-recursive
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-recursive
+
+pdf-am:
+
+ps: ps-recursive
+
+ps-am:
+
+uninstall-am: uninstall-libLTLIBRARIES
+
+.MAKE: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) ctags-recursive \
+	install-am install-strip tags-recursive
+
+.PHONY: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) CTAGS GTAGS \
+	all all-am check check-am clean clean-generic \
+	clean-libLTLIBRARIES clean-libtool ctags ctags-recursive \
+	distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-libLTLIBRARIES install-man install-pdf \
+	install-pdf-am install-ps install-ps-am install-strip \
+	installcheck installcheck-am installdirs installdirs-am \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags tags-recursive uninstall uninstall-am \
+	uninstall-libLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libhydra/attributes/attribute_handler.h b/src/libhydra/attributes/attribute_handler.h
new file mode 100644
index 000000000..d042f47ef
--- /dev/null
+++ b/src/libhydra/attributes/attribute_handler.h
@@ -0,0 +1,72 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup attribute_handler attribute_handler
+ * @{ @ingroup attributes
+ */
+
+#ifndef ATTRIBUTE_HANDLER_H_
+#define ATTRIBUTE_HANDLER_H_
+
+#include <chunk.h>
+#include <utils/host.h>
+#include <utils/identification.h>
+
+#include "attributes.h"
+
+typedef struct attribute_handler_t attribute_handler_t;
+
+/**
+ * Interface to handle configuration payload attributes.
+ */
+struct attribute_handler_t {
+
+	/**
+	 * Handle a configuration attribute.
+	 *
+	 * After receiving a configuration attriubte, it is passed to each
+	 * attribute handler until it is handled.
+	 *
+	 * @param server	server from which the attribute was received
+	 * @param type		type of configuration attribute to handle
+	 * @param data		associated attribute data
+	 * @return			TRUE if attribute handled
+	 */
+	bool (*handle)(attribute_handler_t *this, identification_t *server,
+				   configuration_attribute_type_t type, chunk_t data);
+
+	/**
+	 * Release an attribute handled during handle().
+	 *
+	 * A handler that handle()d an attribute gets a call to release() when the
+	 * connection gets closed. Depending on the implementation, this is required
+	 * to remove the attribute.
+	 */
+	void (*release)(attribute_handler_t *this, identification_t *server,
+					configuration_attribute_type_t type, chunk_t data);
+
+	/**
+	 * Enumerate attributes to request from a server.
+	 *
+	 * @param server		server identity to request attributes from
+	 * @param vip			virtual IP we are requesting, if any
+	 * @return				enumerator (configuration_attribute_type_t, chunk_t)
+	 */
+	enumerator_t* (*create_attribute_enumerator)(attribute_handler_t *this,
+										identification_t *server, host_t *vip);
+};
+
+#endif /** ATTRIBUTE_HANDLER_H_ @}*/
diff --git a/src/libhydra/attributes/attribute_manager.c b/src/libhydra/attributes/attribute_manager.c
new file mode 100644
index 000000000..3080b56eb
--- /dev/null
+++ b/src/libhydra/attributes/attribute_manager.c
@@ -0,0 +1,374 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "attribute_manager.h"
+
+#include <debug.h>
+#include <utils/linked_list.h>
+#include <threading/rwlock.h>
+
+typedef struct private_attribute_manager_t private_attribute_manager_t;
+
+/**
+ * private data of attribute_manager
+ */
+struct private_attribute_manager_t {
+
+	/**
+	 * public functions
+	 */
+	attribute_manager_t public;
+
+	/**
+	 * list of registered providers
+	 */
+	linked_list_t *providers;
+
+	/**
+	 * list of registered handlers
+	 */
+	linked_list_t *handlers;
+
+	/**
+	 * rwlock provider list
+	 */
+	rwlock_t *lock;
+};
+
+/**
+ * Data to pass to enumerator filters
+ */
+typedef struct {
+	/** server/peer identity */
+	identification_t *id;
+	/** requesting/assigned virtual IP */
+	host_t *vip;
+} enum_data_t;
+
+/**
+ * Implementation of attribute_manager_t.acquire_address.
+ */
+static host_t* acquire_address(private_attribute_manager_t *this,
+							   char *pool, identification_t *id,
+							   host_t *requested)
+{
+	enumerator_t *enumerator;
+	attribute_provider_t *current;
+	host_t *host = NULL;
+
+	this->lock->read_lock(this->lock);
+	enumerator = this->providers->create_enumerator(this->providers);
+	while (enumerator->enumerate(enumerator, &current))
+	{
+		host = current->acquire_address(current, pool, id, requested);
+		if (host)
+		{
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
+
+	if (!host)
+	{
+		DBG1(DBG_CFG, "acquiring address from pool '%s' failed", pool);
+	}
+	return host;
+}
+
+/**
+ * Implementation of attribute_manager_t.release_address.
+ */
+static void release_address(private_attribute_manager_t *this,
+							char *pool, host_t *address, identification_t *id)
+{
+	enumerator_t *enumerator;
+	attribute_provider_t *current;
+	bool found = FALSE;
+
+	this->lock->read_lock(this->lock);
+	enumerator = this->providers->create_enumerator(this->providers);
+	while (enumerator->enumerate(enumerator, &current))
+	{
+		if (current->release_address(current, pool, address, id))
+		{
+			found = TRUE;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
+
+	if (!found)
+	{
+		DBG1(DBG_CFG, "releasing address to pool '%s' failed", pool);
+	}
+}
+
+/**
+ * inner enumerator constructor for responder attributes
+ */
+static enumerator_t *responder_enum_create(attribute_provider_t *provider,
+										   enum_data_t *data)
+{
+	return provider->create_attribute_enumerator(provider, data->id, data->vip);
+}
+
+/**
+ * Implementation of attribute_manager_t.create_responder_enumerator
+ */
+static enumerator_t* create_responder_enumerator(
+			private_attribute_manager_t *this, identification_t *id, host_t *vip)
+{
+	enum_data_t *data = malloc_thing(enum_data_t);
+
+	data->id = id;
+	data->vip = vip;
+	this->lock->read_lock(this->lock);
+	return enumerator_create_cleaner(
+				enumerator_create_nested(
+					this->providers->create_enumerator(this->providers),
+					(void*)responder_enum_create, data, free),
+				(void*)this->lock->unlock, this->lock);
+}
+
+/**
+ * Implementation of attribute_manager_t.add_provider.
+ */
+static void add_provider(private_attribute_manager_t *this,
+						 attribute_provider_t *provider)
+{
+	this->lock->write_lock(this->lock);
+	this->providers->insert_last(this->providers, provider);
+	this->lock->unlock(this->lock);
+}
+
+/**
+ * Implementation of attribute_manager_t.remove_provider.
+ */
+static void remove_provider(private_attribute_manager_t *this,
+							attribute_provider_t *provider)
+{
+	this->lock->write_lock(this->lock);
+	this->providers->remove(this->providers, provider, NULL);
+	this->lock->unlock(this->lock);
+}
+
+/**
+ * Implementation of attribute_manager_t.handle
+ */
+static attribute_handler_t* handle(private_attribute_manager_t *this,
+						identification_t *server, attribute_handler_t *handler,
+						configuration_attribute_type_t type, chunk_t data)
+{
+	enumerator_t *enumerator;
+	attribute_handler_t *current, *handled = NULL;
+
+	this->lock->read_lock(this->lock);
+
+	/* try to find the passed handler */
+	enumerator = this->handlers->create_enumerator(this->handlers);
+	while (enumerator->enumerate(enumerator, &current))
+	{
+		if (current == handler && current->handle(current, server, type, data))
+		{
+			handled = current;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	if (!handled)
+	{	/* handler requesting this attribute not found, try any other */
+		enumerator = this->handlers->create_enumerator(this->handlers);
+		while (enumerator->enumerate(enumerator, &current))
+		{
+			if (current->handle(current, server, type, data))
+			{
+				handled = current;
+				break;
+			}
+		}
+		enumerator->destroy(enumerator);
+	}
+	this->lock->unlock(this->lock);
+
+	if (!handled)
+	{
+		DBG1(DBG_CFG, "handling %N attribute failed",
+			 configuration_attribute_type_names, type);
+	}
+	return handled;
+}
+
+/**
+ * Implementation of attribute_manager_t.release
+ */
+static void release(private_attribute_manager_t *this,
+					attribute_handler_t *handler,
+					identification_t *server,
+					configuration_attribute_type_t type, chunk_t data)
+{
+	enumerator_t *enumerator;
+	attribute_handler_t *current;
+
+	this->lock->read_lock(this->lock);
+	enumerator = this->handlers->create_enumerator(this->handlers);
+	while (enumerator->enumerate(enumerator, &current))
+	{
+		if (current == handler)
+		{
+			current->release(current, server, type, data);
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
+}
+
+/**
+ * Enumerator implementation to enumerate nested initiator attributes
+ */
+typedef struct {
+	/** implements enumerator_t */
+	enumerator_t public;
+	/** back ref */
+	private_attribute_manager_t *this;
+	/** currently processing handler */
+	attribute_handler_t *handler;
+	/** outer enumerator over handlers */
+	enumerator_t *outer;
+	/** inner enumerator over current handlers attributes */
+	enumerator_t *inner;
+	/** server ID we want attributes for */
+	identification_t *id;
+	/** virtual IP we are requesting along with attriubutes */
+	host_t *vip;
+} initiator_enumerator_t;
+
+/**
+ * Enumerator implementation for initiator attributes
+ */
+static bool initiator_enumerate(initiator_enumerator_t *this,
+								attribute_handler_t **handler,
+								configuration_attribute_type_t *type,
+								chunk_t *value)
+{
+	/* enumerate inner attributes using outer handler enumerator */
+	while (!this->inner || !this->inner->enumerate(this->inner, type, value))
+	{
+		if (!this->outer->enumerate(this->outer, &this->handler))
+		{
+			return FALSE;
+		}
+		DESTROY_IF(this->inner);
+		this->inner = this->handler->create_attribute_enumerator(this->handler,
+														this->id, this->vip);
+	}
+	/* inject the handler as additional attribute */
+	*handler = this->handler;
+	return TRUE;
+}
+
+/**
+ * Cleanup function of initiator attribute enumerator
+ */
+static void initiator_destroy(initiator_enumerator_t *this)
+{
+	this->this->lock->unlock(this->this->lock);
+	this->outer->destroy(this->outer);
+	DESTROY_IF(this->inner);
+	free(this);
+}
+
+/**
+ * Implementation of attribute_manager_t.create_initiator_enumerator
+ */
+static enumerator_t* create_initiator_enumerator(
+		private_attribute_manager_t *this, identification_t *id, host_t *vip)
+{
+	initiator_enumerator_t *enumerator = malloc_thing(initiator_enumerator_t);
+
+	this->lock->read_lock(this->lock);
+	enumerator->public.enumerate = (void*)initiator_enumerate;
+	enumerator->public.destroy = (void*)initiator_destroy;
+	enumerator->this = this;
+	enumerator->id = id;
+	enumerator->vip = vip;
+	enumerator->outer = this->handlers->create_enumerator(this->handlers);
+	enumerator->inner = NULL;
+	enumerator->handler = NULL;
+
+	return &enumerator->public;
+}
+
+/**
+ * Implementation of attribute_manager_t.add_handler
+ */
+static void add_handler(private_attribute_manager_t *this,
+						attribute_handler_t *handler)
+{
+	this->lock->write_lock(this->lock);
+	this->handlers->insert_last(this->handlers, handler);
+	this->lock->unlock(this->lock);
+}
+
+/**
+ * Implementation of attribute_manager_t.remove_handler
+ */
+static void remove_handler(private_attribute_manager_t *this,
+						attribute_handler_t *handler)
+{
+	this->lock->write_lock(this->lock);
+	this->handlers->remove(this->handlers, handler, NULL);
+	this->lock->unlock(this->lock);
+}
+
+/**
+ * Implementation of attribute_manager_t.destroy
+ */
+static void destroy(private_attribute_manager_t *this)
+{
+	this->providers->destroy(this->providers);
+	this->handlers->destroy(this->handlers);
+	this->lock->destroy(this->lock);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+attribute_manager_t *attribute_manager_create()
+{
+	private_attribute_manager_t *this = malloc_thing(private_attribute_manager_t);
+
+	this->public.acquire_address = (host_t*(*)(attribute_manager_t*, char*, identification_t*,host_t*))acquire_address;
+	this->public.release_address = (void(*)(attribute_manager_t*, char *, host_t*, identification_t*))release_address;
+	this->public.create_responder_enumerator = (enumerator_t*(*)(attribute_manager_t*, identification_t*, host_t*))create_responder_enumerator;
+	this->public.add_provider = (void(*)(attribute_manager_t*, attribute_provider_t *provider))add_provider;
+	this->public.remove_provider = (void(*)(attribute_manager_t*, attribute_provider_t *provider))remove_provider;
+	this->public.handle = (attribute_handler_t*(*)(attribute_manager_t*,identification_t*, attribute_handler_t*, configuration_attribute_type_t, chunk_t))handle;
+	this->public.release = (void(*)(attribute_manager_t*, attribute_handler_t*, identification_t*, configuration_attribute_type_t, chunk_t))release;
+	this->public.create_initiator_enumerator = (enumerator_t*(*)(attribute_manager_t*, identification_t*, host_t*))create_initiator_enumerator;
+	this->public.add_handler = (void(*)(attribute_manager_t*, attribute_handler_t*))add_handler;
+	this->public.remove_handler = (void(*)(attribute_manager_t*, attribute_handler_t*))remove_handler;
+	this->public.destroy = (void(*)(attribute_manager_t*))destroy;
+
+	this->providers = linked_list_create();
+	this->handlers = linked_list_create();
+	this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
+
+	return &this->public;
+}
+
diff --git a/src/libhydra/attributes/attribute_manager.h b/src/libhydra/attributes/attribute_manager.h
new file mode 100644
index 000000000..642662366
--- /dev/null
+++ b/src/libhydra/attributes/attribute_manager.h
@@ -0,0 +1,149 @@
+/*
+ * Copyright (C) 2008-2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup attribute_manager attribute_manager
+ * @{ @ingroup attributes
+ */
+
+#ifndef ATTRIBUTE_MANAGER_H_
+#define ATTRIBUTE_MANAGER_H_
+
+#include "attribute_provider.h"
+#include "attribute_handler.h"
+
+typedef struct attribute_manager_t attribute_manager_t;
+
+/**
+ * The attribute manager hands out attributes or handles them.
+ *
+ * The attribute manager manages both, attribute providers and attribute
+ * handlers. Attribute providers are responsible to hand out attributes if
+ * a connecting peer requests them. Handlers handle such attributes if they
+ * are received on the requesting peer.
+ */
+struct attribute_manager_t {
+
+	/**
+	 * Acquire a virtual IP address to assign to a peer.
+	 *
+	 * @param pool			pool name to acquire address from
+	 * @param id			peer identity to get address forua
+	 * @param requested		IP in configuration request
+	 * @return				allocated address, NULL to serve none
+	 */
+	host_t* (*acquire_address)(attribute_manager_t *this,
+							   char *pool, identification_t *id,
+							   host_t *requested);
+
+	/**
+	 * Release a previously acquired address.
+	 *
+	 * @param pool			pool name from which the address was acquired
+	 * @param address		address to release
+	 * @param id			peer identity to get address for
+	 */
+	void (*release_address)(attribute_manager_t *this,
+							char *pool, host_t *address, identification_t *id);
+
+	/**
+	 * Create an enumerator over attributes to hand out to a peer.
+	 *
+	 * @param id			peer identity to hand out attributes to
+	 * @param vip			virtual IP to assign to peer, if any
+	 * @return				enumerator (configuration_attribute_type_t, chunk_t)
+	 */
+	enumerator_t* (*create_responder_enumerator)(attribute_manager_t *this,
+											identification_t *id, host_t *vip);
+
+	/**
+	 * Register an attribute provider to the manager.
+	 *
+	 * @param provider		attribute provider to register
+	 */
+	void (*add_provider)(attribute_manager_t *this,
+						 attribute_provider_t *provider);
+	/**
+	 * Unregister an attribute provider from the manager.
+	 *
+	 * @param provider		attribute provider to unregister
+	 */
+	void (*remove_provider)(attribute_manager_t *this,
+							attribute_provider_t *provider);
+
+	/**
+	 * Handle a configuration attribute by passing them to the handlers.
+	 *
+	 * @param server		server from which the attribute was received
+	 * @param handler		handler we requested the attribute for, if any
+	 * @param type			type of configuration attribute
+	 * @param data			associated attribute data
+	 * @return				handler which handled this attribute, NULL if none
+	 */
+	attribute_handler_t* (*handle)(attribute_manager_t *this,
+						identification_t *server, attribute_handler_t *handler,
+						configuration_attribute_type_t type, chunk_t data);
+
+	/**
+	 * Release an attribute previously handle()d by a handler.
+	 *
+	 * @param handler		handler returned by handle() for this attribute
+	 * @param server		server from which the attribute was received
+	 * @param type			type of attribute to release
+	 * @param data			associated attribute data
+	 */
+	void (*release)(attribute_manager_t *this, attribute_handler_t *handler,
+						identification_t *server,
+						configuration_attribute_type_t type,
+						chunk_t data);
+
+	/**
+	 * Create an enumerator over attributes to request from server.
+	 *
+	 * @param id			server identity to hand out attributes to
+	 * @param vip			virtual IP going to request, if any
+	 * @return				enumerator (attribute_handler_t, ca_type_t, chunk_t)
+	 */
+	enumerator_t* (*create_initiator_enumerator)(attribute_manager_t *this,
+											identification_t *id, host_t *vip);
+
+	/**
+	 * Register an attribute handler to the manager.
+	 *
+	 * @param handler		attribute handler to register
+	 */
+	void (*add_handler)(attribute_manager_t *this,
+						attribute_handler_t *handler);
+
+	/**
+	 * Unregister an attribute handler from the manager.
+	 *
+	 * @param handler		attribute handler to unregister
+	 */
+	void (*remove_handler)(attribute_manager_t *this,
+						   attribute_handler_t *handler);
+
+	/**
+	 * Destroy a attribute_manager instance.
+	 */
+	void (*destroy)(attribute_manager_t *this);
+};
+
+/**
+ * Create a attribute_manager instance.
+ */
+attribute_manager_t *attribute_manager_create();
+
+#endif /** ATTRIBUTE_MANAGER_H_ @}*/
diff --git a/src/libhydra/attributes/attribute_provider.h b/src/libhydra/attributes/attribute_provider.h
new file mode 100644
index 000000000..f8485cc6c
--- /dev/null
+++ b/src/libhydra/attributes/attribute_provider.h
@@ -0,0 +1,67 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup attribute_provider attribute_provider
+ * @{ @ingroup attributes
+ */
+
+#ifndef ATTRIBUTE_PROVIDER_H_
+#define ATTRIBUTE_PROVIDER_H_
+
+#include <utils/host.h>
+#include <utils/identification.h>
+
+typedef struct attribute_provider_t attribute_provider_t;
+
+/**
+ * Interface to provide attributes to peers through attribute manager.
+ */
+struct attribute_provider_t {
+
+	/**
+	 * Acquire a virtual IP address to assign to a peer.
+	 *
+	 * @param pool			name of the pool to acquire address from
+	 * @param id			peer ID
+	 * @param requested		IP in configuration request
+	 * @return				allocated address, NULL to serve none
+	 */
+	host_t* (*acquire_address)(attribute_provider_t *this,
+							   char *pool, identification_t *id,
+							   host_t *requested);
+	/**
+	 * Release a previously acquired address.
+	 *
+	 * @param pool			name of the pool this address was acquired from
+	 * @param address		address to release
+	 * @param id			peer ID
+	 * @return				TRUE if the address has been released by the provider
+	 */
+	bool (*release_address)(attribute_provider_t *this,
+							char *pool, host_t *address, identification_t *id);
+
+	/**
+	 * Create an enumerator over attributes to hand out to a peer.
+	 *
+	 * @param id			peer ID
+	 * @param vip			virtual IP to assign to peer, if any
+	 * @return				enumerator (configuration_attribute_type_t, chunk_t)
+	 */
+	enumerator_t* (*create_attribute_enumerator)(attribute_provider_t *this,
+											identification_t *id, host_t *vip);
+};
+
+#endif /** ATTRIBUTE_PROVIDER_H_ @}*/
diff --git a/src/libhydra/attributes/attributes.c b/src/libhydra/attributes/attributes.c
new file mode 100644
index 000000000..83feed17e
--- /dev/null
+++ b/src/libhydra/attributes/attributes.c
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+
+#include "attributes.h"
+
+ENUM_BEGIN(configuration_attribute_type_names, INTERNAL_IP4_ADDRESS, INTERNAL_IP6_PREFIX,
+	"INTERNAL_IP4_ADDRESS",
+	"INTERNAL_IP4_NETMASK",
+	"INTERNAL_IP4_DNS",
+	"INTERNAL_IP4_NBNS",
+	"INTERNAL_ADDRESS_EXPIRY",
+	"INTERNAL_IP4_DHCP",
+	"APPLICATION_VERSION",
+	"INTERNAL_IP6_ADDRESS",
+	"INTERNAL_IP6_NETMASK",
+	"INTERNAL_IP6_DNS",
+	"INTERNAL_IP6_NBNS",
+	"INTERNAL_IP6_DHCP",
+	"INTERNAL_IP4_SUBNET",
+	"SUPPORTED_ATTRIBUTES",
+	"INTERNAL_IP6_SUBNET",
+	"MIP6_HOME_PREFIX",
+	"INTERNAL_IP6_LINK",
+	"INTERNAL_IP6_PREFIX");
+ENUM_NEXT(configuration_attribute_type_names, INTERNAL_IP4_SERVER, INTERNAL_IP6_SERVER, INTERNAL_IP6_PREFIX,
+	"INTERNAL_IP4_SERVER",
+	"INTERNAL_IP6_SERVER");
+ENUM_END(configuration_attribute_type_names, INTERNAL_IP6_SERVER);
+
diff --git a/src/libhydra/attributes/attributes.h b/src/libhydra/attributes/attributes.h
new file mode 100644
index 000000000..f4a396f21
--- /dev/null
+++ b/src/libhydra/attributes/attributes.h
@@ -0,0 +1,62 @@
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup attributes_g attributes
+ * @{ @ingroup attributes
+ */
+
+#ifndef ATTRIBUTES_H_
+#define ATTRIBUTES_H_
+
+typedef enum configuration_attribute_type_t configuration_attribute_type_t;
+
+#include <enum.h>
+
+/**
+ * Type of the attribute, as in IKEv2 RFC 3.15.1 or IKEv1 ModeConfig.
+ */
+enum configuration_attribute_type_t {
+	INTERNAL_IP4_ADDRESS = 1,
+	INTERNAL_IP4_NETMASK = 2,
+	INTERNAL_IP4_DNS = 3,
+	INTERNAL_IP4_NBNS = 4,
+	INTERNAL_ADDRESS_EXPIRY = 5,
+	INTERNAL_IP4_DHCP = 6,
+	APPLICATION_VERSION = 7,
+	INTERNAL_IP6_ADDRESS = 8,
+	INTERNAL_IP6_NETMASK = 9,
+	INTERNAL_IP6_DNS = 10,
+	INTERNAL_IP6_NBNS = 11,
+	INTERNAL_IP6_DHCP = 12,
+	INTERNAL_IP4_SUBNET = 13,
+	SUPPORTED_ATTRIBUTES = 14,
+	INTERNAL_IP6_SUBNET = 15,
+	MIP6_HOME_PREFIX = 16,
+	INTERNAL_IP6_LINK = 17,
+	INTERNAL_IP6_PREFIX = 18,
+	/* proprietary Microsoft attributes */
+	INTERNAL_IP4_SERVER = 23456,
+	INTERNAL_IP6_SERVER = 23457
+};
+
+/**
+ * enum names for configuration_attribute_type_t.
+ */
+extern enum_name_t *configuration_attribute_type_names;
+
+
+#endif /** ATTRIBUTES_H_ @}*/
diff --git a/src/libhydra/attributes/mem_pool.c b/src/libhydra/attributes/mem_pool.c
new file mode 100644
index 000000000..65018e3a9
--- /dev/null
+++ b/src/libhydra/attributes/mem_pool.c
@@ -0,0 +1,451 @@
+/*
+ * Copyright (C) 2010 Tobias Brunner
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "mem_pool.h"
+
+#include <debug.h>
+#include <utils/hashtable.h>
+#include <threading/rwlock.h>
+
+#define POOL_LIMIT (sizeof(uintptr_t)*8)
+
+typedef struct private_mem_pool_t private_mem_pool_t;
+
+/**
+ * private data of mem_pool_t
+ */
+struct private_mem_pool_t {
+	/**
+	 * public interface
+	 */
+	mem_pool_t public;
+
+	/**
+	 * name of the pool
+	 */
+	char *name;
+
+	/**
+	 * base address of the pool
+	 */
+	host_t *base;
+
+	/**
+	 * size of the pool
+	 */
+	u_int size;
+
+	/**
+	 * next unused address
+	 */
+	u_int unused;
+
+	/**
+	 * hashtable [identity => offset], for online leases
+	 */
+	hashtable_t *online;
+
+	/**
+	 * hashtable [identity => offset], for offline leases
+	 */
+	hashtable_t *offline;
+
+	/**
+	 * hashtable [identity => identity], handles identity references
+	 */
+	hashtable_t *ids;
+
+	/**
+	 * lock to safely access the pool
+	 */
+	rwlock_t *lock;
+};
+
+/**
+ * hashtable hash function for identities
+ */
+static u_int id_hash(identification_t *id)
+{
+	return chunk_hash(id->get_encoding(id));
+}
+
+/**
+ * hashtable equals function for identities
+ */
+static bool id_equals(identification_t *a, identification_t *b)
+{
+	return a->equals(a, b);
+}
+
+/**
+ * convert a pool offset to an address
+ */
+static host_t* offset2host(private_mem_pool_t *pool, int offset)
+{
+	chunk_t addr;
+	host_t *host;
+	u_int32_t *pos;
+
+	offset--;
+	if (offset > pool->size)
+	{
+		return NULL;
+	}
+
+	addr = chunk_clone(pool->base->get_address(pool->base));
+	if (pool->base->get_family(pool->base) == AF_INET6)
+	{
+		pos = (u_int32_t*)(addr.ptr + 12);
+	}
+	else
+	{
+		pos = (u_int32_t*)addr.ptr;
+	}
+	*pos = htonl(offset + ntohl(*pos));
+	host = host_create_from_chunk(pool->base->get_family(pool->base), addr, 0);
+	free(addr.ptr);
+	return host;
+}
+
+/**
+ * convert a host to a pool offset
+ */
+static int host2offset(private_mem_pool_t *pool, host_t *addr)
+{
+	chunk_t host, base;
+	u_int32_t hosti, basei;
+
+	if (addr->get_family(addr) != pool->base->get_family(pool->base))
+	{
+		return -1;
+	}
+	host = addr->get_address(addr);
+	base = pool->base->get_address(pool->base);
+	if (addr->get_family(addr) == AF_INET6)
+	{
+		/* only look at last /32 block */
+		if (!memeq(host.ptr, base.ptr, 12))
+		{
+			return -1;
+		}
+		host = chunk_skip(host, 12);
+		base = chunk_skip(base, 12);
+	}
+	hosti = ntohl(*(u_int32_t*)(host.ptr));
+	basei = ntohl(*(u_int32_t*)(base.ptr));
+	if (hosti > basei + pool->size)
+	{
+		return -1;
+	}
+	return hosti - basei + 1;
+}
+
+METHOD(mem_pool_t, get_name, const char*,
+	   private_mem_pool_t *this)
+{
+	return this->name;
+}
+
+METHOD(mem_pool_t, get_size, u_int,
+	   private_mem_pool_t *this)
+{
+	return this->size;
+}
+
+METHOD(mem_pool_t, get_online, u_int,
+	   private_mem_pool_t *this)
+{
+	u_int count;
+	this->lock->read_lock(this->lock);
+	count = this->online->get_count(this->online);
+	this->lock->unlock(this->lock);
+	return count;
+}
+
+METHOD(mem_pool_t, get_offline, u_int,
+	   private_mem_pool_t *this)
+{
+	u_int count;
+	this->lock->read_lock(this->lock);
+	count = this->offline->get_count(this->offline);
+	this->lock->unlock(this->lock);
+	return count;
+}
+
+METHOD(mem_pool_t, acquire_address, host_t*,
+	   private_mem_pool_t *this, identification_t *id, host_t *requested)
+{
+	uintptr_t offset = 0;
+	enumerator_t *enumerator;
+	identification_t *old_id;
+
+	/* if the pool is empty (e.g. in the %config case) we simply return the
+	 * requested address */
+	if (this->size == 0)
+	{
+		return requested->clone(requested);
+	}
+
+	if (!requested->is_anyaddr(requested) &&
+		requested->get_family(requested) !=
+		this->base->get_family(this->base))
+	{
+		DBG1(DBG_CFG, "IP pool address family mismatch");
+		return NULL;
+	}
+
+	this->lock->write_lock(this->lock);
+	while (TRUE)
+	{
+		/* check for a valid offline lease, refresh */
+		offset = (uintptr_t)this->offline->remove(this->offline, id);
+		if (offset)
+		{
+			id = this->ids->get(this->ids, id);
+			if (id)
+			{
+				DBG1(DBG_CFG, "reassigning offline lease to '%Y'", id);
+				this->online->put(this->online, id, (void*)offset);
+				break;
+			}
+		}
+
+		/* check for a valid online lease, reassign */
+		offset = (uintptr_t)this->online->get(this->online, id);
+		if (offset && offset == host2offset(this, requested))
+		{
+			DBG1(DBG_CFG, "reassigning online lease to '%Y'", id);
+			break;
+		}
+
+		if (this->unused < this->size)
+		{
+			/* assigning offset, starting by 1. Handling 0 in hashtable
+			 * is difficult. */
+			offset = ++this->unused;
+			id = id->clone(id);
+			this->ids->put(this->ids, id, id);
+			this->online->put(this->online, id, (void*)offset);
+			DBG1(DBG_CFG, "assigning new lease to '%Y'", id);
+			break;
+		}
+
+		/* no more addresses, replace the first found offline lease */
+		enumerator = this->offline->create_enumerator(this->offline);
+		if (enumerator->enumerate(enumerator, &old_id, &offset))
+		{
+			offset = (uintptr_t)this->offline->remove(this->offline, old_id);
+			if (offset)
+			{
+				/* destroy reference to old ID */
+				old_id = this->ids->remove(this->ids, old_id);
+				DBG1(DBG_CFG, "reassigning existing offline lease by '%Y'"
+					 " to '%Y'", old_id, id);
+				if (old_id)
+				{
+					old_id->destroy(old_id);
+				}
+				id = id->clone(id);
+				this->ids->put(this->ids, id, id);
+				this->online->put(this->online, id, (void*)offset);
+				enumerator->destroy(enumerator);
+				break;
+			}
+		}
+		enumerator->destroy(enumerator);
+
+		DBG1(DBG_CFG, "pool '%s' is full, unable to assign address",
+			 this->name);
+		break;
+	}
+	this->lock->unlock(this->lock);
+
+	if (offset)
+	{
+		return offset2host(this, offset);
+	}
+	return NULL;
+}
+
+METHOD(mem_pool_t, release_address, bool,
+	   private_mem_pool_t *this, host_t *address, identification_t *id)
+{
+	bool found = FALSE;
+	if (this->size != 0)
+	{
+		uintptr_t offset;
+		this->lock->write_lock(this->lock);
+		offset = (uintptr_t)this->online->remove(this->online, id);
+		if (offset)
+		{
+			id = this->ids->get(this->ids, id);
+			if (id)
+			{
+				DBG1(DBG_CFG, "lease %H by '%Y' went offline", address, id);
+				this->offline->put(this->offline, id, (void*)offset);
+				found = TRUE;
+			}
+		}
+		this->lock->unlock(this->lock);
+	}
+	return found;
+}
+
+/**
+ * lease enumerator
+ */
+typedef struct {
+	/** implemented enumerator interface */
+	enumerator_t public;
+	/** inner hash-table enumerator */
+	enumerator_t *inner;
+	/** enumerated pool */
+	private_mem_pool_t *pool;
+	/** currently enumerated lease address */
+	host_t *current;
+} lease_enumerator_t;
+
+METHOD(enumerator_t, lease_enumerate, bool,
+	   lease_enumerator_t *this, identification_t **id_out, host_t **addr_out,
+	   bool *online)
+{
+	identification_t *id;
+	uintptr_t offset;
+
+	DESTROY_IF(this->current);
+	this->current = NULL;
+
+	if (this->inner->enumerate(this->inner, &id, NULL))
+	{
+		offset = (uintptr_t)this->pool->online->get(this->pool->online, id);
+		if (offset)
+		{
+			*id_out = id;
+			*addr_out = this->current = offset2host(this->pool, offset);
+			*online = TRUE;
+			return TRUE;
+		}
+		offset = (uintptr_t)this->pool->offline->get(this->pool->offline, id);
+		if (offset)
+		{
+			*id_out = id;
+			*addr_out = this->current = offset2host(this->pool, offset);
+			*online = FALSE;
+			return TRUE;
+		}
+	}
+	return FALSE;
+}
+
+METHOD(enumerator_t, lease_enumerator_destroy, void,
+	   lease_enumerator_t *this)
+{
+	DESTROY_IF(this->current);
+	this->inner->destroy(this->inner);
+	this->pool->lock->unlock(this->pool->lock);
+	free(this);
+}
+
+METHOD(mem_pool_t, create_lease_enumerator, enumerator_t*,
+	   private_mem_pool_t *this)
+{
+	lease_enumerator_t *enumerator;
+	this->lock->read_lock(this->lock);
+	INIT(enumerator,
+		.public = {
+			.enumerate = (void*)_lease_enumerate,
+			.destroy = (void*)_lease_enumerator_destroy,
+		},
+		.pool = this,
+		.inner = this->ids->create_enumerator(this->ids),
+	);
+	return &enumerator->public;
+}
+
+METHOD(mem_pool_t, destroy, void,
+	   private_mem_pool_t *this)
+{
+	enumerator_t *enumerator;
+	identification_t *id;
+
+	enumerator = this->ids->create_enumerator(this->ids);
+	while (enumerator->enumerate(enumerator, &id, NULL))
+	{
+		id->destroy(id);
+	}
+	enumerator->destroy(enumerator);
+
+	this->ids->destroy(this->ids);
+	this->online->destroy(this->online);
+	this->offline->destroy(this->offline);
+	this->lock->destroy(this->lock);
+	DESTROY_IF(this->base);
+	free(this->name);
+	free(this);
+}
+
+/**
+ * Described in header
+ */
+mem_pool_t *mem_pool_create(char *name, host_t *base, int bits)
+{
+	private_mem_pool_t *this;
+
+	INIT(this,
+		.public = {
+			.get_name = _get_name,
+			.get_size = _get_size,
+			.get_online = _get_online,
+			.get_offline = _get_offline,
+			.acquire_address = _acquire_address,
+			.release_address = _release_address,
+			.create_lease_enumerator = _create_lease_enumerator,
+			.destroy = _destroy,
+		},
+		.name = strdup(name),
+		.online = hashtable_create((hashtable_hash_t)id_hash,
+								   (hashtable_equals_t)id_equals, 16),
+		.offline = hashtable_create((hashtable_hash_t)id_hash,
+									(hashtable_equals_t)id_equals, 16),
+		.ids = hashtable_create((hashtable_hash_t)id_hash,
+								(hashtable_equals_t)id_equals, 16),
+		.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
+	);
+
+	if (base)
+	{
+		int addr_bits = base->get_family(base) == AF_INET ? 32 : 128;
+		/* net bits -> host bits */
+		bits = addr_bits - bits;
+		if (bits > POOL_LIMIT)
+		{
+			bits = POOL_LIMIT;
+			DBG1(DBG_CFG, "virtual IP pool too large, limiting to %H/%d",
+				 base, addr_bits - bits);
+		}
+		this->size = 1 << (bits);
+
+		if (this->size > 2)
+		{	/* do not use first and last addresses of a block */
+			this->unused++;
+			this->size--;
+		}
+		this->base = base->clone(base);
+	}
+
+	return &this->public;
+}
+
diff --git a/src/libhydra/attributes/mem_pool.h b/src/libhydra/attributes/mem_pool.h
new file mode 100644
index 000000000..bb963de93
--- /dev/null
+++ b/src/libhydra/attributes/mem_pool.h
@@ -0,0 +1,110 @@
+/*
+ * Copyright (C) 2010 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup mem_pool mem_pool
+ * @{ @ingroup attributes
+ */
+
+#ifndef MEM_POOL_H
+#define MEM_POOL_H
+
+typedef struct mem_pool_t mem_pool_t;
+
+#include <utils/host.h>
+#include <utils/identification.h>
+
+/**
+ * An in-memory IP address pool.
+ */
+struct mem_pool_t {
+
+	/**
+	 * Get the name of this pool.
+	 *
+	 * @return			the name of this pool
+	 */
+	const char* (*get_name)(mem_pool_t *this);
+
+	/**
+	 * Get the size (i.e. number of addresses) of this pool.
+	 *
+	 * @return			the size of this pool
+	 */
+	u_int (*get_size)(mem_pool_t *this);
+
+	/**
+	 * Get the number of online leases.
+	 *
+	 * @return			the number of offline leases
+	 */
+	u_int (*get_online)(mem_pool_t *this);
+
+	/**
+	 * Get the number of offline leases.
+	 *
+	 * @return			the number of online leases
+	 */
+	u_int (*get_offline)(mem_pool_t *this);
+
+	/**
+	 * Acquire an address for the given id from this pool.
+	 *
+	 * @param id		the id to acquire an address for
+	 * @param requested	acquire this address, if possible
+	 * @return			the acquired address
+	 */
+	host_t* (*acquire_address)(mem_pool_t *this, identification_t *id,
+							   host_t *requested);
+
+	/**
+	 * Release a previously acquired address.
+	 *
+	 * @param address	the address to release
+	 * @param id		the id the address was assigned to
+	 * @return			TRUE, if the lease was found
+	 */
+	bool (*release_address)(mem_pool_t *this, host_t *address,
+							identification_t *id);
+
+	/**
+	 * Create an enumerator over the leases of this pool.
+	 *
+	 * Enumerator enumerates over
+	 * identification_t *id, host_t *address, bool online
+	 *
+	 * @return			enumerator
+	 */
+	enumerator_t* (*create_lease_enumerator)(mem_pool_t *this);
+
+	/**
+	 * Destroy a mem_pool_t instance.
+	 */
+	void (*destroy)(mem_pool_t *this);
+};
+
+/**
+ * Create an in-memory IP address pool.
+ *
+ * An empty pool just returns the requested address.
+ *
+ * @param name		name of this pool
+ * @param base		base address of this pool, NULL to create an empty pool
+ * @param bits		net mask
+ */
+mem_pool_t *mem_pool_create(char *name, host_t *base, int bits);
+
+#endif /** MEM_POOL_H_ @} */
+
diff --git a/src/libhydra/hydra.c b/src/libhydra/hydra.c
new file mode 100644
index 000000000..16a8193ea
--- /dev/null
+++ b/src/libhydra/hydra.c
@@ -0,0 +1,73 @@
+/*
+ * Copyright (C) 2010 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "hydra.h"
+
+#include <debug.h>
+
+typedef struct private_hydra_t private_hydra_t;
+
+/**
+ * Private additions to hydra_t.
+ */
+struct private_hydra_t {
+
+	/**
+	 * Public members of hydra_t.
+	 */
+	hydra_t public;
+};
+
+/**
+ * Single instance of hydra_t.
+ */
+hydra_t *hydra;
+
+/**
+ * Described in header.
+ */
+void libhydra_deinit()
+{
+	private_hydra_t *this = (private_hydra_t*)hydra;
+	this->public.attributes->destroy(this->public.attributes);
+	free((void*)this->public.daemon);
+	free(this);
+	hydra = NULL;
+}
+
+/**
+ * Described in header.
+ */
+bool libhydra_init(const char *daemon)
+{
+	private_hydra_t *this;
+
+	INIT(this,
+		.public = {
+			.attributes = attribute_manager_create(),
+			.daemon = strdup(daemon ?: "libhydra"),
+		},
+	);
+	hydra = &this->public;
+
+	if (lib->integrity &&
+		!lib->integrity->check(lib->integrity, "libhydra", libhydra_init))
+	{
+		DBG1(DBG_LIB, "integrity check of libhydra failed");
+		return FALSE;
+	}
+	return TRUE;
+}
+
diff --git a/src/libhydra/hydra.h b/src/libhydra/hydra.h
new file mode 100644
index 000000000..8670f3969
--- /dev/null
+++ b/src/libhydra/hydra.h
@@ -0,0 +1,76 @@
+/*
+ * Copyright (C) 2010 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup libhydra libhydra
+ *
+ * @defgroup attributes attributes
+ * @ingroup libhydra
+ *
+ * @defgroup hplugins plugins
+ * @ingroup libhydra
+ *
+ * @addtogroup libhydra
+ * @{
+ */
+
+#ifndef HYDRA_H_
+#define HYDRA_H_
+
+typedef struct hydra_t hydra_t;
+
+#include <attributes/attribute_manager.h>
+
+#include <library.h>
+
+/**
+ * IKE Daemon support object.
+ */
+struct hydra_t {
+
+	/**
+	 * manager for payload attributes
+	 */
+	attribute_manager_t *attributes;
+
+	/**
+	 * name of the daemon that initialized the library
+	 */
+	const char *daemon;
+};
+
+/**
+ * The single instance of hydra_t.
+ *
+ * Set between calls to libhydra_init() and libhydra_deinit() calls.
+ */
+extern hydra_t *hydra;
+
+/**
+ * Initialize libhydra.
+ *
+ * The daemon's name is used to load daemon-specific settings.
+ *
+ * @param daemon		name of the daemon that initializes the library
+ * @return				FALSE if integrity check failed
+ */
+bool libhydra_init(const char *daemon);
+
+/**
+ * Deinitialize libhydra.
+ */
+void libhydra_deinit();
+
+#endif /** HYDRA_H_ @}*/
diff --git a/src/libhydra/plugins/attr/Makefile.am b/src/libhydra/plugins/attr/Makefile.am
new file mode 100644
index 000000000..71401648e
--- /dev/null
+++ b/src/libhydra/plugins/attr/Makefile.am
@@ -0,0 +1,17 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-attr.la
+else
+plugin_LTLIBRARIES = libstrongswan-attr.la
+endif
+
+libstrongswan_attr_la_SOURCES = \
+	attr_plugin.h attr_plugin.c \
+	attr_provider.h attr_provider.c
+
+libstrongswan_attr_la_LDFLAGS = -module -avoid-version
diff --git a/src/libhydra/plugins/attr/Makefile.in b/src/libhydra/plugins/attr/Makefile.in
new file mode 100644
index 000000000..54aa64beb
--- /dev/null
+++ b/src/libhydra/plugins/attr/Makefile.in
@@ -0,0 +1,586 @@
+# Makefile.in generated by automake 1.11 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libhydra/plugins/attr
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_attr_la_LIBADD =
+am_libstrongswan_attr_la_OBJECTS = attr_plugin.lo attr_provider.lo
+libstrongswan_attr_la_OBJECTS = $(am_libstrongswan_attr_la_OBJECTS)
+libstrongswan_attr_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_attr_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_attr_la_rpath = -rpath $(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_attr_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_attr_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_attr_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libhydra_plugins = @libhydra_plugins@
+libstrongswan_plugins = @libstrongswan_plugins@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-attr.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-attr.la
+libstrongswan_attr_la_SOURCES = \
+	attr_plugin.h attr_plugin.c \
+	attr_provider.h attr_provider.c
+
+libstrongswan_attr_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libhydra/plugins/attr/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libhydra/plugins/attr/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-attr.la: $(libstrongswan_attr_la_OBJECTS) $(libstrongswan_attr_la_DEPENDENCIES) 
+	$(libstrongswan_attr_la_LINK) $(am_libstrongswan_attr_la_rpath) $(libstrongswan_attr_la_OBJECTS) $(libstrongswan_attr_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/attr_plugin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/attr_provider.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libhydra/plugins/attr/attr_plugin.c b/src/libhydra/plugins/attr/attr_plugin.c
new file mode 100644
index 000000000..24c00bb44
--- /dev/null
+++ b/src/libhydra/plugins/attr/attr_plugin.c
@@ -0,0 +1,63 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "attr_plugin.h"
+#include "attr_provider.h"
+
+#include <hydra.h>
+
+typedef struct private_attr_plugin_t private_attr_plugin_t;
+
+/**
+ * private data of attr plugin
+ */
+struct private_attr_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	attr_plugin_t public;
+
+	/**
+	 * CFG attributes provider
+	 */
+	attr_provider_t *provider;
+};
+
+/**
+ * Implementation of plugin_t.destroy
+ */
+static void destroy(private_attr_plugin_t *this)
+{
+	hydra->attributes->remove_provider(hydra->attributes, &this->provider->provider);
+	this->provider->destroy(this->provider);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *attr_plugin_create()
+{
+	private_attr_plugin_t *this = malloc_thing(private_attr_plugin_t);
+
+	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+
+	this->provider = attr_provider_create();
+	hydra->attributes->add_provider(hydra->attributes, &this->provider->provider);
+
+	return &this->public.plugin;
+}
+
diff --git a/src/libhydra/plugins/attr/attr_plugin.h b/src/libhydra/plugins/attr/attr_plugin.h
new file mode 100644
index 000000000..29fb33839
--- /dev/null
+++ b/src/libhydra/plugins/attr/attr_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup attr attr
+ * @ingroup hplugins
+ *
+ * @defgroup attr_plugin attr_plugin
+ * @{ @ingroup attr
+ */
+
+#ifndef ATTR_PLUGIN_H_
+#define ATTR_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct attr_plugin_t attr_plugin_t;
+
+/**
+ * Plugin providing configuration attribute through strongswan.conf.
+ */
+struct attr_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+#endif /** ATTR_PLUGIN_H_ @}*/
diff --git a/src/libhydra/plugins/attr/attr_provider.c b/src/libhydra/plugins/attr/attr_provider.c
new file mode 100644
index 000000000..9d6daa892
--- /dev/null
+++ b/src/libhydra/plugins/attr/attr_provider.c
@@ -0,0 +1,240 @@
+/*
+ * Copyright (C) 2010 Tobias Brunner
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "attr_provider.h"
+
+#include <time.h>
+
+#include <hydra.h>
+#include <debug.h>
+#include <utils/linked_list.h>
+
+#define SERVER_MAX		2
+
+typedef struct private_attr_provider_t private_attr_provider_t;
+typedef struct attribute_entry_t attribute_entry_t;
+
+/**
+ * private data of attr_provider
+ */
+struct private_attr_provider_t {
+
+	/**
+	 * public functions
+	 */
+	attr_provider_t public;
+
+	/**
+	 * List of attributes, attribute_entry_t
+	 */
+	linked_list_t *attributes;
+};
+
+struct attribute_entry_t {
+	/** type of attribute */
+	configuration_attribute_type_t type;
+	/** attribute value */
+	chunk_t value;
+};
+
+/**
+ * convert enumerator value from attribute_entry
+ */
+static bool attr_enum_filter(void *null, attribute_entry_t **in,
+			configuration_attribute_type_t *type, void* none, chunk_t *value)
+{
+	*type = (*in)->type;
+	*value = (*in)->value;
+	return TRUE;
+}
+
+/**
+ * Implementation of attribute_provider_t.create_attribute_enumerator
+ */
+static enumerator_t* create_attribute_enumerator(private_attr_provider_t *this,
+											identification_t *id, host_t *vip)
+{
+	if (vip)
+	{
+		return enumerator_create_filter(
+						this->attributes->create_enumerator(this->attributes),
+						(void*)attr_enum_filter, NULL, NULL);
+	}
+	return enumerator_create_empty();
+}
+
+/**
+ * Implementation of attr_provider_t.destroy
+ */
+static void destroy(private_attr_provider_t *this)
+{
+	attribute_entry_t *entry;
+
+	while (this->attributes->remove_last(this->attributes,
+										 (void**)&entry) == SUCCESS)
+	{
+		free(entry->value.ptr);
+		free(entry);
+	}
+	this->attributes->destroy(this->attributes);
+	free(this);
+}
+
+/**
+ * Add an attribute entry to the list
+ */
+static void add_legacy_entry(private_attr_provider_t *this, char *key, int nr,
+							 configuration_attribute_type_t type)
+{
+	attribute_entry_t *entry;
+	host_t *host;
+	char *str;
+
+	str = lib->settings->get_str(lib->settings, "%s.%s%d", NULL, hydra->daemon,
+								 key, nr);
+	if (str)
+	{
+		host = host_create_from_string(str, 0);
+		if (host)
+		{
+			entry = malloc_thing(attribute_entry_t);
+
+			if (host->get_family(host) == AF_INET6)
+			{
+				switch (type)
+				{
+					case INTERNAL_IP4_DNS:
+						type = INTERNAL_IP6_DNS;
+						break;
+					case INTERNAL_IP4_NBNS:
+						type = INTERNAL_IP6_NBNS;
+						break;
+					default:
+						break;
+				}
+			}
+			entry->type = type;
+			entry->value = chunk_clone(host->get_address(host));
+			host->destroy(host);
+			this->attributes->insert_last(this->attributes, entry);
+		}
+	}
+}
+
+/**
+ * Key to attribute type mappings, for v4 and v6 attributes
+ */
+static struct {
+	char *name;
+	configuration_attribute_type_t v4;
+	configuration_attribute_type_t v6;
+} keys[] = {
+	{"address",		INTERNAL_IP4_ADDRESS,	INTERNAL_IP6_ADDRESS},
+	{"dns",			INTERNAL_IP4_DNS,		INTERNAL_IP6_DNS},
+	{"nbns",		INTERNAL_IP4_NBNS,		INTERNAL_IP6_NBNS},
+	{"dhcp",		INTERNAL_IP4_DHCP,		INTERNAL_IP6_DHCP},
+	{"netmask",		INTERNAL_IP4_NETMASK,	INTERNAL_IP6_NETMASK},
+	{"server",		INTERNAL_IP4_SERVER,	INTERNAL_IP6_SERVER},
+};
+
+/**
+ * Load (numerical) entries from the plugins.attr namespace
+ */
+static void load_entries(private_attr_provider_t *this)
+{
+	enumerator_t *enumerator, *tokens;
+	char *key, *value, *token;
+
+	enumerator = lib->settings->create_key_value_enumerator(lib->settings,
+											"%s.plugins.attr", hydra->daemon);
+	while (enumerator->enumerate(enumerator, &key, &value))
+	{
+		configuration_attribute_type_t type;
+		attribute_entry_t *entry;
+		host_t *host;
+		int i;
+
+		type = atoi(key);
+		tokens = enumerator_create_token(value, ",", " ");
+		while (tokens->enumerate(tokens, &token))
+		{
+			host = host_create_from_string(token, 0);
+			if (!host)
+			{
+				DBG1(DBG_CFG, "invalid host in key %s: %s", key, token);
+				continue;
+			}
+			if (!type)
+			{
+				for (i = 0; i < countof(keys); i++)
+				{
+					if (streq(key, keys[i].name))
+					{
+						if (host->get_family(host) == AF_INET)
+						{
+							type = keys[i].v4;
+						}
+						else
+						{
+							type = keys[i].v6;
+						}
+					}
+				}
+				if (!type)
+				{
+					DBG1(DBG_CFG, "mapping attribute type %s failed", key);
+					break;
+				}
+			}
+			entry = malloc_thing(attribute_entry_t);
+			entry->type = type;
+			entry->value = chunk_clone(host->get_address(host));
+			host->destroy(host);
+			this->attributes->insert_last(this->attributes, entry);
+		}
+		tokens->destroy(tokens);
+	}
+	enumerator->destroy(enumerator);
+}
+
+/*
+ * see header file
+ */
+attr_provider_t *attr_provider_create(database_t *db)
+{
+	private_attr_provider_t *this;
+	int i;
+
+	this = malloc_thing(private_attr_provider_t);
+
+	this->public.provider.acquire_address = (host_t*(*)(attribute_provider_t *this, char*, identification_t *, host_t *))return_null;
+	this->public.provider.release_address = (bool(*)(attribute_provider_t *this, char*,host_t *, identification_t*))return_false;
+	this->public.provider.create_attribute_enumerator = (enumerator_t*(*)(attribute_provider_t*, identification_t *id, host_t *vip))create_attribute_enumerator;
+	this->public.destroy = (void(*)(attr_provider_t*))destroy;
+
+	this->attributes = linked_list_create();
+
+	for (i = 1; i <= SERVER_MAX; i++)
+	{
+		add_legacy_entry(this, "dns", i, INTERNAL_IP4_DNS);
+		add_legacy_entry(this, "nbns", i, INTERNAL_IP4_NBNS);
+	}
+
+	load_entries(this);
+
+	return &this->public;
+}
+
diff --git a/src/libhydra/plugins/attr/attr_provider.h b/src/libhydra/plugins/attr/attr_provider.h
new file mode 100644
index 000000000..a41466718
--- /dev/null
+++ b/src/libhydra/plugins/attr/attr_provider.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup attr_provider attr_provider
+ * @{ @ingroup attr
+ */
+
+#ifndef ATTR_PROVIDER_H_
+#define ATTR_PROVIDER_H_
+
+#include <attributes/attribute_provider.h>
+
+typedef struct attr_provider_t attr_provider_t;
+
+/**
+ * Provide configuration attributes through static strongswan.conf definition.
+ */
+struct attr_provider_t {
+
+	/**
+	 * Implements attribute provider interface
+	 */
+	attribute_provider_t provider;
+
+	/**
+	 * Destroy a attr_provider instance.
+	 */
+	void (*destroy)(attr_provider_t *this);
+};
+
+/**
+ * Create a attr_provider instance.
+ */
+attr_provider_t *attr_provider_create();
+
+#endif /** ATTR_PROVIDER @}*/
diff --git a/src/libhydra/plugins/attr_sql/Makefile.am b/src/libhydra/plugins/attr_sql/Makefile.am
new file mode 100644
index 000000000..376a8259c
--- /dev/null
+++ b/src/libhydra/plugins/attr_sql/Makefile.am
@@ -0,0 +1,23 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra
+
+AM_CFLAGS = \
+	-rdynamic \
+	-DPLUGINS=\""${libstrongswan_plugins}\""
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-attr-sql.la
+else
+plugin_LTLIBRARIES = libstrongswan-attr-sql.la
+endif
+
+libstrongswan_attr_sql_la_SOURCES = \
+	attr_sql_plugin.h attr_sql_plugin.c \
+	sql_attribute.h sql_attribute.c
+
+libstrongswan_attr_sql_la_LDFLAGS = -module -avoid-version
+
+ipsec_PROGRAMS = pool
+pool_SOURCES = pool.c
+pool_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
+pool.o :	$(top_builddir)/config.status
diff --git a/src/libhydra/plugins/attr_sql/Makefile.in b/src/libhydra/plugins/attr_sql/Makefile.in
new file mode 100644
index 000000000..99e97cefc
--- /dev/null
+++ b/src/libhydra/plugins/attr_sql/Makefile.in
@@ -0,0 +1,649 @@
+# Makefile.in generated by automake 1.11 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+ipsec_PROGRAMS = pool$(EXEEXT)
+subdir = src/libhydra/plugins/attr_sql
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(plugindir)" "$(DESTDIR)$(ipsecdir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_attr_sql_la_LIBADD =
+am_libstrongswan_attr_sql_la_OBJECTS = attr_sql_plugin.lo \
+	sql_attribute.lo
+libstrongswan_attr_sql_la_OBJECTS =  \
+	$(am_libstrongswan_attr_sql_la_OBJECTS)
+libstrongswan_attr_sql_la_LINK = $(LIBTOOL) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_attr_sql_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_attr_sql_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_attr_sql_la_rpath =
+PROGRAMS = $(ipsec_PROGRAMS)
+am_pool_OBJECTS = pool.$(OBJEXT)
+pool_OBJECTS = $(am_pool_OBJECTS)
+pool_DEPENDENCIES =  \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_attr_sql_la_SOURCES) $(pool_SOURCES)
+DIST_SOURCES = $(libstrongswan_attr_sql_la_SOURCES) $(pool_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libhydra_plugins = @libhydra_plugins@
+libstrongswan_plugins = @libstrongswan_plugins@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra
+AM_CFLAGS = \
+	-rdynamic \
+	-DPLUGINS=\""${libstrongswan_plugins}\""
+
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-attr-sql.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-attr-sql.la
+libstrongswan_attr_sql_la_SOURCES = \
+	attr_sql_plugin.h attr_sql_plugin.c \
+	sql_attribute.h sql_attribute.c
+
+libstrongswan_attr_sql_la_LDFLAGS = -module -avoid-version
+pool_SOURCES = pool.c
+pool_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libhydra/plugins/attr_sql/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libhydra/plugins/attr_sql/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-attr-sql.la: $(libstrongswan_attr_sql_la_OBJECTS) $(libstrongswan_attr_sql_la_DEPENDENCIES) 
+	$(libstrongswan_attr_sql_la_LINK) $(am_libstrongswan_attr_sql_la_rpath) $(libstrongswan_attr_sql_la_OBJECTS) $(libstrongswan_attr_sql_la_LIBADD) $(LIBS)
+install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	test -z "$(ipsecdir)" || $(MKDIR_P) "$(DESTDIR)$(ipsecdir)"
+	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
+	for p in $$list; do echo "$$p $$p"; done | \
+	sed 's/$(EXEEXT)$$//' | \
+	while read p p1; do if test -f $$p || test -f $$p1; \
+	  then echo "$$p"; echo "$$p"; else :; fi; \
+	done | \
+	sed -e 'p;s,.*/,,;n;h' -e 's|.*|.|' \
+	    -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \
+	sed 'N;N;N;s,\n, ,g' | \
+	$(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \
+	  { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \
+	    if ($$2 == $$4) files[d] = files[d] " " $$1; \
+	    else { print "f", $$3 "/" $$4, $$1; } } \
+	  END { for (d in files) print "f", d, files[d] }' | \
+	while read type dir files; do \
+	    if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \
+	    test -z "$$files" || { \
+	    echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(ipsecdir)$$dir'"; \
+	    $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(ipsecdir)$$dir" || exit $$?; \
+	    } \
+	; done
+
+uninstall-ipsecPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
+	files=`for p in $$list; do echo "$$p"; done | \
+	  sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \
+	      -e 's/$$/$(EXEEXT)/' `; \
+	test -n "$$list" || exit 0; \
+	echo " ( cd '$(DESTDIR)$(ipsecdir)' && rm -f" $$files ")"; \
+	cd "$(DESTDIR)$(ipsecdir)" && rm -f $$files
+
+clean-ipsecPROGRAMS:
+	@list='$(ipsec_PROGRAMS)'; test -n "$$list" || exit 0; \
+	echo " rm -f" $$list; \
+	rm -f $$list || exit $$?; \
+	test -n "$(EXEEXT)" || exit 0; \
+	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
+	echo " rm -f" $$list; \
+	rm -f $$list
+pool$(EXEEXT): $(pool_OBJECTS) $(pool_DEPENDENCIES) 
+	@rm -f pool$(EXEEXT)
+	$(LINK) $(pool_OBJECTS) $(pool_LDADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/attr_sql_plugin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pool.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sql_attribute.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES) $(PROGRAMS)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)" "$(DESTDIR)$(ipsecdir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-ipsecPROGRAMS clean-libtool \
+	clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-ipsecPROGRAMS install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-ipsecPROGRAMS uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-ipsecPROGRAMS clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES ctags distclean distclean-compile \
+	distclean-generic distclean-libtool distclean-tags distdir dvi \
+	dvi-am html html-am info info-am install install-am \
+	install-data install-data-am install-dvi install-dvi-am \
+	install-exec install-exec-am install-html install-html-am \
+	install-info install-info-am install-ipsecPROGRAMS install-man \
+	install-pdf install-pdf-am install-pluginLTLIBRARIES \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags uninstall uninstall-am uninstall-ipsecPROGRAMS \
+	uninstall-pluginLTLIBRARIES
+
+pool.o :	$(top_builddir)/config.status
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libhydra/plugins/attr_sql/attr_sql_plugin.c b/src/libhydra/plugins/attr_sql/attr_sql_plugin.c
new file mode 100644
index 000000000..70e7a2247
--- /dev/null
+++ b/src/libhydra/plugins/attr_sql/attr_sql_plugin.c
@@ -0,0 +1,88 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <hydra.h>
+#include <debug.h>
+
+#include "attr_sql_plugin.h"
+#include "sql_attribute.h"
+
+typedef struct private_attr_sql_plugin_t private_attr_sql_plugin_t;
+
+/**
+ * private data of attr_sql plugin
+ */
+struct private_attr_sql_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	attr_sql_plugin_t public;
+
+	/**
+	 * database connection instance
+	 */
+	database_t *db;
+
+	/**
+	 * configuration attributes
+	 */
+	sql_attribute_t *attribute;
+
+};
+
+/**
+ * Implementation of plugin_t.destroy
+ */
+static void destroy(private_attr_sql_plugin_t *this)
+{
+	hydra->attributes->remove_provider(hydra->attributes, &this->attribute->provider);
+	this->attribute->destroy(this->attribute);
+	this->db->destroy(this->db);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *attr_sql_plugin_create()
+{
+	char *uri;
+	private_attr_sql_plugin_t *this;
+
+	uri = lib->settings->get_str(lib->settings, "libhydra.plugins.attr-sql.database", NULL);
+	if (!uri)
+	{
+		DBG1(DBG_CFG, "attr-sql plugin: database URI not set");
+		return NULL;
+	}
+
+	this = malloc_thing(private_attr_sql_plugin_t);
+
+	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+
+	this->db = lib->db->create(lib->db, uri);
+	if (!this->db)
+	{
+		DBG1(DBG_CFG, "attr-sql plugin failed to connect to database");
+		free(this);
+		return NULL;
+	}
+	this->attribute = sql_attribute_create(this->db);
+	hydra->attributes->add_provider(hydra->attributes, &this->attribute->provider);
+
+	return &this->public.plugin;
+}
+
diff --git a/src/libhydra/plugins/attr_sql/attr_sql_plugin.h b/src/libhydra/plugins/attr_sql/attr_sql_plugin.h
new file mode 100644
index 000000000..ba85a6b28
--- /dev/null
+++ b/src/libhydra/plugins/attr_sql/attr_sql_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup attr_sql attr_sql
+ * @ingroup hplugins
+ *
+ * @defgroup sql_plugin sql_plugin
+ * @{ @ingroup attr_sql
+ */
+
+#ifndef ATTR_SQL_PLUGIN_H_
+#define ATTR_SQL_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct attr_sql_plugin_t attr_sql_plugin_t;
+
+/**
+ * SQL database attribute configuration plugin
+ */
+struct attr_sql_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+#endif /** ATTR_SQL_PLUGIN_H_ @}*/
diff --git a/src/libhydra/plugins/attr_sql/pool.c b/src/libhydra/plugins/attr_sql/pool.c
new file mode 100644
index 000000000..fed89fc51
--- /dev/null
+++ b/src/libhydra/plugins/attr_sql/pool.c
@@ -0,0 +1,1402 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#define _GNU_SOURCE
+#include <getopt.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <time.h>
+#include <string.h>
+#include <errno.h>
+
+#include <debug.h>
+#include <library.h>
+#include <utils/host.h>
+#include <utils/identification.h>
+#include <attributes/attributes.h>
+
+/**
+ * global database handle
+ */
+database_t *db;
+
+/**
+ * --start/--end/--server addresses of various subcommands
+ */
+host_t *start = NULL, *end = NULL, *server = NULL;
+
+/**
+ * whether --add should --replace an existing pool
+ */
+bool replace_pool = FALSE;
+
+/**
+ * forward declarations
+ */
+static void del(char *name);
+static void do_args(int argc, char *argv[]);
+
+/**
+ * nesting counter for database transaction functions
+ */
+int nested_transaction = 0;
+
+/**
+ * start a database transaction
+ */
+static void begin_transaction()
+{
+	if (db->get_driver(db) == DB_SQLITE)
+	{
+		if (!nested_transaction)
+		{
+			db->execute(db, NULL, "BEGIN EXCLUSIVE TRANSACTION");
+		}
+		++nested_transaction;
+	}
+}
+
+/**
+ * commit a database transaction
+ */
+static void commit_transaction()
+{
+	if (db->get_driver(db) == DB_SQLITE)
+	{
+		--nested_transaction;
+		if (!nested_transaction)
+		{
+			db->execute(db, NULL, "END TRANSACTION");
+		}
+	}
+}
+
+/**
+ * Create or replace a pool by name
+ */
+static u_int create_pool(char *name, chunk_t start, chunk_t end, int timeout)
+{
+	enumerator_t *e;
+	int pool;
+
+	e = db->query(db, "SELECT id FROM pools WHERE name = ?",
+			DB_TEXT, name, DB_UINT);
+	if (e && e->enumerate(e, &pool))
+	{
+		if (replace_pool == FALSE)
+		{
+			fprintf(stderr, "pool '%s' exists.\n", name);
+			e->destroy(e);
+			exit(EXIT_FAILURE);
+		}
+		del(name);
+	}
+	DESTROY_IF(e);
+	if (db->execute(db, &pool,
+			"INSERT INTO pools (name, start, end, timeout) VALUES (?, ?, ?, ?)",
+			DB_TEXT, name, DB_BLOB, start, DB_BLOB, end,
+			DB_INT, timeout*3600) != 1)
+	{
+		fprintf(stderr, "creating pool failed.\n");
+		exit(EXIT_FAILURE);
+	}
+
+	return pool;
+}
+
+/**
+ * instead of a pool handle a DNS or NBNS attribute
+ */
+static bool is_attribute(char *name)
+{
+	return strcaseeq(name, "dns") || strcaseeq(name, "nbns") ||
+		   strcaseeq(name, "wins");
+}
+
+/**
+ * determine configuration attribute type
+ */
+static configuration_attribute_type_t get_attribute_type(char *name, host_t* addr)
+{
+	if (strcaseeq(name, "dns"))
+	{
+		return (addr->get_family(addr) == AF_INET) ? INTERNAL_IP4_DNS :
+													 INTERNAL_IP6_DNS;
+	}
+	else
+	{
+		return (addr->get_family(addr) == AF_INET) ? INTERNAL_IP4_NBNS :
+													 INTERNAL_IP6_NBNS;
+	}
+}
+
+/**
+ * calculate the size of a pool using start and end address chunk
+ */
+static u_int get_pool_size(chunk_t start, chunk_t end)
+{
+	u_int *start_ptr, *end_ptr;
+
+	if (start.len < sizeof(u_int) || end.len < sizeof(u_int))
+	{
+		return 0;
+	}
+	start_ptr = (u_int*)(start.ptr + start.len - sizeof(u_int));
+	end_ptr = (u_int*)(end.ptr + end.len - sizeof(u_int));
+	return ntohl(*end_ptr) -  ntohl(*start_ptr) + 1;
+}
+
+/**
+ * print usage info
+ */
+static void usage(void)
+{
+	printf("\
+Usage:\n\
+  ipsec pool --status|--add|--replace|--del|--resize|--purge [options]\n\
+  \n\
+  ipsec pool --status\n\
+    Show a list of installed pools with statistics.\n\
+  \n\
+  ipsec pool --add <name> --start <start> --end <end> [--timeout <timeout>]\n\
+  ipsec pool --replace <name> --start <start> --end <end> [--timeout <timeout>]\n\
+    Add a new pool to or replace an existing pool in the database.\n\
+      name:    Name of the pool, as used in ipsec.conf rightsourceip=%%name\n\
+      start:   Start address of the pool\n\
+      end:     End address of the pool\n\
+      timeout: Lease time in hours, 0 for static leases\n\
+  \n\
+  ipsec pool --add <name> --addresses <file> [--timeout <timeout>]\n\
+  ipsec pool --replace <name> --addresses <file> [--timeout <timeout>]\n\
+    Add a new pool to or replace an existing pool in the database.\n\
+      name:    Name of the pool, as used in ipsec.conf rightsourceip=%%name\n\
+      file:    File newline separated addresses for the pool are read from.\n\
+               Optionally each address can be pre-assigned to a roadwarrior\n\
+               identity, e.g. 10.231.14.2=alice@strongswan.org.\n\
+               If a - (hyphen) is given instead of a file name, the addresses\n\
+               are read from STDIN. Reading addresses stops at the end of file\n\
+               or an empty line. Pools created with this command can not be\n\
+               resized.\n\
+      timeout: Lease time in hours, 0 for static leases\n\
+  \n\
+  ipsec pool --add dns|nbns|wins --server <server>\n\
+    Add a new DNS or NBNS server to the database.\n\
+      server:  IP address of the name server\n\
+  \n\
+  ipsec pool --del <name>\n\
+    Delete a pool from the database.\n\
+      name:    Name of the pool to delete\n\
+  \n\
+  ipsec pool --del dns|nbns|wins [--server <server>]\n\
+    Delete a specific or all DNS or NBNS servers from the database.\n\
+      server:  IP address of the name server to delete\n\
+  \n\
+  ipsec pool --resize <name> --end <end>\n\
+    Grow or shrink an existing pool.\n\
+      name:    Name of the pool to resize\n\
+      end:     New end address for the pool\n\
+  \n\
+  ipsec pool --leases [--filter <filter>] [--utc]\n\
+    Show lease information using filters:\n\
+      filter:  Filter string containing comma separated key=value filters,\n\
+               e.g. id=alice@strongswan.org,addr=1.1.1.1\n\
+                  pool:   name of the pool\n\
+                  id:     assigned identity of the lease\n\
+                  addr:   lease IP address\n\
+                  tstamp: UNIX timestamp when lease was valid, as integer\n\
+                  status: status of the lease: online|valid|expired\n\
+      utc:    Show times in UTC instead of local time\n\
+  \n\
+  ipsec pool --purge <name>\n\
+    Delete lease history of a pool:\n\
+      name:    Name of the pool to purge\n\
+  \n\
+  ipsec pool --batch <file>\n\
+    Read commands from a file and execute them atomically.\n\
+      file:    File to read the newline separated commands from. Commands\n\
+               appear as they are written on the command line, e.g.\n\
+                  --replace mypool --start 10.0.0.1 --end 10.0.0.254\n\
+                  --del dns\n\
+                  --add dns --server 10.1.0.1\n\
+                  --add dns --server 10.1.1.1\n\
+               If a - (hyphen) is given as a file name, the commands are read\n\
+               from STDIN. Readin commands stops at the end of file. Empty\n\
+               lines are ignored. The file may not contain a --batch command.\n\
+  \n");
+}
+
+/**
+ * ipsec pool --status - show pool overview
+ */
+static void status(void)
+{
+	enumerator_t *ns, *pool, *lease;
+	host_t *server;
+	chunk_t value;
+	bool found = FALSE;
+
+	/* enumerate IPv4 DNS servers */
+	ns = db->query(db, "SELECT value FROM attributes WHERE type = ?",
+				   DB_INT, INTERNAL_IP4_DNS, DB_BLOB);
+	if (ns)
+	{
+		while (ns->enumerate(ns, &value))
+		{
+			if (!found)
+			{
+				printf("dns servers:");
+				found = TRUE;
+			}
+			server = host_create_from_chunk(AF_INET, value, 0);
+			if (server)
+			{
+				printf(" %H", server);
+				server->destroy(server);
+			}
+		}
+		ns->destroy(ns);
+	}
+
+	/* enumerate IPv6 DNS servers */
+	ns = db->query(db, "SELECT value FROM attributes WHERE type = ?",
+				   DB_INT, INTERNAL_IP6_DNS, DB_BLOB);
+	if (ns)
+	{
+		while (ns->enumerate(ns, &value))
+		{
+			if (!found)
+			{
+				printf("dns servers:");
+				found = TRUE;
+			}
+			server = host_create_from_chunk(AF_INET6, value, 0);
+			if (server)
+			{
+				printf(" %H", server);
+				server->destroy(server);
+			}
+		}
+		ns->destroy(ns);
+	}
+	if (found)
+	{
+		printf("\n");
+	}
+	else
+	{
+		printf("no dns servers found.\n");
+	}
+	found = FALSE;
+
+	/* enumerate IPv4 NBNS servers */
+	ns = db->query(db, "SELECT value FROM attributes WHERE type = ?",
+				   DB_INT, INTERNAL_IP4_NBNS, DB_BLOB);
+	if (ns)
+	{
+		while (ns->enumerate(ns, &value))
+		{
+			if (!found)
+			{
+				printf("nbns servers:");
+				found = TRUE;
+			}
+			server = host_create_from_chunk(AF_INET, value, 0);
+			if (server)
+			{
+				printf(" %H", server);
+				server->destroy(server);
+			}
+		}
+		ns->destroy(ns);
+	}
+
+	/* enumerate IPv6 NBNS servers */
+	ns = db->query(db, "SELECT value FROM attributes WHERE type = ?",
+				   DB_INT, INTERNAL_IP6_NBNS, DB_BLOB);
+	if (ns)
+	{
+		while (ns->enumerate(ns, &value))
+		{
+			if (!found)
+			{
+				printf("nbns servers:");
+				found = TRUE;
+			}
+			server = host_create_from_chunk(AF_INET6, value, 0);
+			if (server)
+			{
+				printf(" %H", server);
+				server->destroy(server);
+			}
+		}
+		ns->destroy(ns);
+	}
+	if (found)
+	{
+		printf("\n");
+	}
+	else
+	{
+		printf("no nbns servers found.\n");
+	}
+	found = FALSE;
+
+	pool = db->query(db, "SELECT id, name, start, end, timeout FROM pools",
+					 DB_INT, DB_TEXT, DB_BLOB, DB_BLOB, DB_UINT);
+	if (pool)
+	{
+		char *name;
+		chunk_t start_chunk, end_chunk;
+		host_t *start, *end;
+		u_int id, timeout, online = 0, used = 0, size = 0;
+
+		while (pool->enumerate(pool, &id, &name,
+							   &start_chunk, &end_chunk, &timeout))
+		{
+			if (!found)
+			{
+				printf("%8s %15s %15s %8s %6s %11s %11s\n", "name", "start",
+					   "end", "timeout", "size", "online", "usage");
+				found = TRUE;
+			}
+
+			start = host_create_from_chunk(AF_UNSPEC, start_chunk, 0);
+			end = host_create_from_chunk(AF_UNSPEC, end_chunk, 0);
+			if (start->is_anyaddr(start) && end->is_anyaddr(end))
+			{
+				printf("%8s %15s %15s ", name, "n/a", "n/a");
+			}
+			else
+			{
+				printf("%8s %15H %15H ", name, start, end);
+			}
+			if (timeout)
+			{
+				printf("%7dh ", timeout/3600);
+			}
+			else
+			{
+				printf("%8s ", "static");
+			}
+			/* get total number of hosts in the pool */
+			lease = db->query(db, "SELECT COUNT(*) FROM addresses "
+							  "WHERE pool = ?", DB_UINT, id, DB_INT);
+			if (lease)
+			{
+				lease->enumerate(lease, &size);
+				lease->destroy(lease);
+			}
+			printf("%6d ", size);
+			/* get number of online hosts */
+			lease = db->query(db, "SELECT COUNT(*) FROM addresses "
+							  "WHERE pool = ? AND released = 0",
+							  DB_UINT, id, DB_INT);
+			if (lease)
+			{
+				lease->enumerate(lease, &online);
+				lease->destroy(lease);
+			}
+			printf("%5d (%2d%%) ", online, online*100/size);
+			/* get number of online or valid lieases */
+			lease = db->query(db, "SELECT COUNT(*) FROM addresses "
+							  "WHERE addresses.pool = ? "
+							  "AND ((? AND acquired != 0) "
+							  "     OR released = 0 OR released > ?) ",
+							  DB_UINT, id, DB_UINT, !timeout,
+							  DB_UINT, time(NULL) - timeout, DB_UINT);
+			if (lease)
+			{
+				lease->enumerate(lease, &used);
+				lease->destroy(lease);
+			}
+			printf("%5d (%2d%%) ", used, used*100/size);
+
+			printf("\n");
+			DESTROY_IF(start);
+			DESTROY_IF(end);
+		}
+		pool->destroy(pool);
+	}
+	if (!found)
+	{
+		printf("no pools found.\n");
+	}
+}
+
+/**
+ * ipsec pool --add - add a new pool
+ */
+static void add(char *name, host_t *start, host_t *end, int timeout)
+{
+	chunk_t start_addr, end_addr, cur_addr;
+	u_int id, count;
+
+	start_addr = start->get_address(start);
+	end_addr = end->get_address(end);
+	cur_addr = chunk_clonea(start_addr);
+	count = get_pool_size(start_addr, end_addr);
+
+	if (start_addr.len != end_addr.len ||
+		memcmp(start_addr.ptr, end_addr.ptr, start_addr.len) > 0)
+	{
+		fprintf(stderr, "invalid start/end pair specified.\n");
+		exit(EXIT_FAILURE);
+	}
+	id = create_pool(name, start_addr, end_addr, timeout);
+	printf("allocating %d addresses... ", count);
+	fflush(stdout);
+	/* run population in a transaction for sqlite */
+	begin_transaction();
+	while (TRUE)
+	{
+		db->execute(db, NULL,
+			"INSERT INTO addresses (pool, address, identity, acquired, released) "
+			"VALUES (?, ?, ?, ?, ?)",
+			DB_UINT, id, DB_BLOB, cur_addr,	DB_UINT, 0, DB_UINT, 0, DB_UINT, 1);
+		if (chunk_equals(cur_addr, end_addr))
+		{
+			break;
+		}
+		chunk_increment(cur_addr);
+	}
+	commit_transaction();
+	printf("done.\n", count);
+}
+
+static bool add_address(u_int pool_id, char *address_str, int *family)
+{
+	host_t *address;
+	int user_id = 0;
+
+	char *pos_eq = strchr(address_str, '=');
+	if (pos_eq != NULL)
+	{
+		enumerator_t *e;
+		identification_t *id = identification_create_from_string(pos_eq + 1);
+
+		/* look for peer identity in the identities table */
+		e = db->query(db,
+				"SELECT id FROM identities WHERE type = ? AND data = ?",
+				DB_INT, id->get_type(id), DB_BLOB, id->get_encoding(id),
+				DB_UINT);
+
+		if (!e || !e->enumerate(e, &user_id))
+		{
+			/* not found, insert new one */
+			if (db->execute(db, &user_id,
+					"INSERT INTO identities (type, data) VALUES (?, ?)",
+					DB_INT, id->get_type(id),
+					DB_BLOB, id->get_encoding(id)) != 1)
+			{
+				fprintf(stderr, "creating id '%s' failed.\n", pos_eq + 1);
+				return FALSE;
+			}
+		}
+		DESTROY_IF(e);
+		id->destroy(id);
+		*pos_eq = '\0';
+	}
+
+	address = host_create_from_string(address_str, 0);
+	if (address == NULL)
+	{
+		fprintf(stderr, "invalid address '%s'.\n", address_str);
+		return FALSE;
+	}
+	if (family && *family && *family != address->get_family(address))
+	{
+		fprintf(stderr, "invalid address family '%s'.\n", address_str);
+		return FALSE;
+	}
+
+	if (db->execute(db, NULL,
+			"INSERT INTO addresses "
+			"(pool, address, identity, acquired, released) "
+			"VALUES (?, ?, ?, ?, ?)",
+			DB_UINT, pool_id, DB_BLOB, address->get_address(address),
+			DB_UINT, user_id, DB_UINT, 0, DB_UINT, 1) != 1)
+	{
+		fprintf(stderr, "inserting address '%s' failed.\n", address_str);
+		return FALSE;
+	}
+	*family = address->get_family(address);
+	address->destroy(address);
+
+	return TRUE;
+}
+
+static void add_addresses(char *pool, char *path, int timeout)
+{
+	u_int pool_id, count = 0;
+	int family = AF_UNSPEC;
+	char address_str[512];
+	host_t *addr;
+	FILE *file;
+
+	/* run population in a transaction for sqlite */
+	begin_transaction();
+
+	addr = host_create_from_string("%any", 0);
+	pool_id = create_pool(pool, addr->get_address(addr),
+						  addr->get_address(addr), timeout);
+	addr->destroy(addr);
+
+	file = (strcmp(path, "-") == 0 ? stdin : fopen(path, "r"));
+	if (file == NULL)
+	{
+		fprintf(stderr, "opening '%s' failed: %s\n", path, strerror(errno));
+		exit(-1);
+	}
+
+	printf("starting allocation... ");
+	fflush(stdout);
+
+	while (fgets(address_str, sizeof(address_str), file))
+	{
+		size_t addr_len = strlen(address_str);
+		char *last_chr = address_str + addr_len - 1;
+		if (*last_chr == '\n')
+		{
+			if (addr_len == 1)
+			{	/* end of input */
+				break;
+			}
+			*last_chr = '\0';
+		}
+		if (add_address(pool_id, address_str, &family) == FALSE)
+		{
+			exit(EXIT_FAILURE);
+		}
+		++count;
+	}
+
+	if (file != stdin)
+	{
+		fclose(file);
+	}
+
+	commit_transaction();
+
+	printf("%d addresses done.\n", count);
+}
+
+/**
+ * ipsec pool --add dns|nbns|wins - add a DNS or NBNS server entry
+ */
+static void add_attr(char *name, host_t *server)
+{
+	configuration_attribute_type_t type;
+	chunk_t value;
+
+	type = get_attribute_type(name, server);
+	value = server->get_address(server);
+	if (db->execute(db, NULL,
+			"INSERT INTO attributes (type, value) VALUES (?, ?)",
+			DB_INT, type, DB_BLOB, value) != 1)
+	{
+		fprintf(stderr, "adding %s server %H failed.\n", name, server);
+		exit(EXIT_FAILURE);
+	}
+	printf("added %s server %H\n", name, server);
+}
+
+/**
+ * ipsec pool --del - delete a pool
+ */
+static void del(char *name)
+{
+	enumerator_t *query;
+	u_int id;
+	bool found = FALSE;
+
+	query = db->query(db, "SELECT id FROM pools WHERE name = ?",
+					  DB_TEXT, name, DB_UINT);
+	if (!query)
+	{
+		fprintf(stderr, "deleting pool failed.\n");
+		exit(EXIT_FAILURE);
+	}
+	while (query->enumerate(query, &id))
+	{
+		found = TRUE;
+		if (db->execute(db, NULL,
+				"DELETE FROM leases WHERE address IN ("
+				" SELECT id FROM addresses WHERE pool = ?)", DB_UINT, id) < 0 ||
+			db->execute(db, NULL,
+				"DELETE FROM addresses WHERE pool = ?", DB_UINT, id) < 0 ||
+			db->execute(db, NULL,
+				"DELETE FROM pools WHERE id = ?", DB_UINT, id) < 0)
+		{
+			fprintf(stderr, "deleting pool failed.\n");
+			query->destroy(query);
+			exit(EXIT_FAILURE);
+		}
+	}
+	query->destroy(query);
+	if (!found)
+	{
+		fprintf(stderr, "pool '%s' not found.\n", name);
+		exit(EXIT_FAILURE);
+	}
+}
+
+/**
+ * ipsec pool --del dns|nbns|wins - delete a DNS or NBNS server entry
+ */
+static void del_attr(char *name, host_t *server)
+{
+	configuration_attribute_type_t type;
+	chunk_t value;
+	u_int id;
+	enumerator_t *query;
+	bool found = FALSE;
+
+	if (server)
+	{
+		type = get_attribute_type(name, server);
+		value = server->get_address(server);
+		query = db->query(db,
+					"SELECT id, type, value FROM attributes "
+					"WHERE type = ? AND value = ?",
+					DB_INT, type, DB_BLOB, value,
+					DB_UINT, DB_INT, DB_BLOB);
+	}
+	else
+	{
+		configuration_attribute_type_t type_ip4, type_ip6;
+
+		if (strcaseeq(name, "dns"))
+		{
+			type_ip4 = INTERNAL_IP4_DNS;
+			type_ip6 = INTERNAL_IP6_DNS;
+		}
+		else
+		{
+			type_ip4 = INTERNAL_IP4_NBNS;
+			type_ip6 = INTERNAL_IP6_NBNS;
+		}
+
+		query = db->query(db,
+					"SELECT id, type, value FROM attributes "
+					"WHERE type = ? OR type = ?",
+					DB_INT, type_ip4, DB_INT, type_ip6,
+					DB_UINT, DB_INT, DB_BLOB);
+	}
+	if (!query)
+	{
+		fprintf(stderr, "deleting %s servers failed.\n", name);
+		exit(EXIT_FAILURE);
+	}
+
+	while (query->enumerate(query, &id, &type, &value))
+	{
+		int family;
+		host_t *host;
+
+		found = TRUE;
+		family = (type == INTERNAL_IP4_DNS || type == INTERNAL_IP4_NBNS) ?
+				  AF_INET : AF_INET6;
+		host = host_create_from_chunk(family, value, 0);
+		if (db->execute(db, NULL,
+					"DELETE FROM attributes WHERE id = ?",
+					 DB_UINT, id) != 1)
+		{
+			fprintf(stderr, "deleting %s server %H failed\n", name, host);
+			query->destroy(query);
+			DESTROY_IF(host);
+			exit(EXIT_FAILURE);
+		}
+		printf("deleted %s server %H\n", name, host);
+		DESTROY_IF(host);
+	}
+	query->destroy(query);
+
+	if (!found && server)
+	{
+		printf("%s server %H not found\n", name, server);
+		exit(EXIT_FAILURE);
+	}
+	else if (!found)
+	{
+		printf("no %s servers found\n", name);
+	}
+}
+
+/**
+ * ipsec pool --resize - resize a pool
+ */
+static void resize(char *name, host_t *end)
+{
+	enumerator_t *query;
+	chunk_t old_addr, new_addr, cur_addr;
+	u_int id, count;
+	host_t *old_end;
+
+	new_addr = end->get_address(end);
+
+	query = db->query(db, "SELECT id, end FROM pools WHERE name = ?",
+					  DB_TEXT, name, DB_UINT, DB_BLOB);
+	if (!query || !query->enumerate(query, &id, &old_addr))
+	{
+		DESTROY_IF(query);
+		fprintf(stderr, "resizing pool failed.\n");
+		exit(EXIT_FAILURE);
+	}
+	if (old_addr.len != new_addr.len ||
+		memcmp(new_addr.ptr, old_addr.ptr, old_addr.len) < 0)
+	{
+		fprintf(stderr, "shrinking of pools not supported.\n");
+		query->destroy(query);
+		exit(EXIT_FAILURE);
+	}
+	cur_addr = chunk_clonea(old_addr);
+	count = get_pool_size(old_addr, new_addr) - 1;
+	query->destroy(query);
+
+	/* Check whether pool is resizable */
+	old_end = host_create_from_chunk(AF_UNSPEC, old_addr, 0);
+	if (old_end && old_end->is_anyaddr(old_end))
+	{
+		fprintf(stderr, "pool is not resizable.\n");
+		old_end->destroy(old_end);
+		exit(EXIT_FAILURE);
+	}
+	DESTROY_IF(old_end);
+
+	if (db->execute(db, NULL,
+			"UPDATE pools SET end = ? WHERE name = ?",
+			DB_BLOB, new_addr, DB_TEXT, name) <= 0)
+	{
+		fprintf(stderr, "pool '%s' not found.\n", name);
+		exit(EXIT_FAILURE);
+	}
+
+	printf("allocating %d new addresses... ", count);
+	fflush(stdout);
+	/* run population in a transaction for sqlite */
+	begin_transaction();
+	while (count-- > 0)
+	{
+		chunk_increment(cur_addr);
+		db->execute(db, NULL,
+			"INSERT INTO addresses (pool, address, identity, acquired, released) "
+			"VALUES (?, ?, ?, ?, ?)",
+			DB_UINT, id, DB_BLOB, cur_addr,	DB_UINT, 0, DB_UINT, 0, DB_UINT, 1);
+	}
+	commit_transaction();
+	printf("done.\n", count);
+
+}
+
+/**
+ * create the lease query using the filter string
+ */
+static enumerator_t *create_lease_query(char *filter)
+{
+	enumerator_t *query;
+	identification_t *id = NULL;
+	host_t *addr = NULL;
+	u_int tstamp = 0;
+	bool online = FALSE, valid = FALSE, expired = FALSE;
+	char *value, *pos, *pool = NULL;
+	enum {
+		FIL_POOL = 0,
+		FIL_ID,
+		FIL_ADDR,
+		FIL_TSTAMP,
+		FIL_STATE,
+	};
+	char *const token[] = {
+		[FIL_POOL] = "pool",
+		[FIL_ID] = "id",
+		[FIL_ADDR] = "addr",
+		[FIL_TSTAMP] = "tstamp",
+		[FIL_STATE] = "status",
+		NULL
+	};
+
+	/* if the filter string contains a distinguished name as a ID, we replace
+	 * ", " by "/ " in order to not confuse the getsubopt parser */
+	pos = filter;
+	while ((pos = strchr(pos, ',')))
+	{
+		if (pos[1] == ' ')
+		{
+			pos[0] = '/';
+		}
+		pos++;
+	}
+
+	while (filter && *filter != '\0')
+	{
+		switch (getsubopt(&filter, token, &value))
+		{
+			case FIL_POOL:
+				if (value)
+				{
+					pool = value;
+				}
+				break;
+			case FIL_ID:
+				if (value)
+				{
+					id = identification_create_from_string(value);
+				}
+				break;
+			case FIL_ADDR:
+				if (value)
+				{
+					addr = host_create_from_string(value, 0);
+				}
+				if (!addr)
+				{
+					fprintf(stderr, "invalid 'addr' in filter string.\n");
+					exit(EXIT_FAILURE);
+				}
+				break;
+			case FIL_TSTAMP:
+				if (value)
+				{
+					tstamp = atoi(value);
+				}
+				if (tstamp == 0)
+				{
+					online = TRUE;
+				}
+				break;
+			case FIL_STATE:
+				if (value)
+				{
+					if (streq(value, "online"))
+					{
+						online = TRUE;
+					}
+					else if (streq(value, "valid"))
+					{
+						valid = TRUE;
+					}
+					else if (streq(value, "expired"))
+					{
+						expired = TRUE;
+					}
+					else
+					{
+						fprintf(stderr, "invalid 'state' in filter string.\n");
+						exit(EXIT_FAILURE);
+					}
+				}
+				break;
+			default:
+				fprintf(stderr, "invalid filter string.\n");
+				exit(EXIT_FAILURE);
+				break;
+		}
+	}
+	query = db->query(db,
+				"SELECT name, addresses.address, identities.type, "
+				"identities.data, leases.acquired, leases.released, timeout "
+				"FROM leases JOIN addresses ON leases.address = addresses.id "
+				"JOIN pools ON addresses.pool = pools.id "
+				"JOIN identities ON leases.identity = identities.id "
+				"WHERE (? OR name = ?) "
+				"AND (? OR (identities.type = ? AND identities.data = ?)) "
+				"AND (? OR addresses.address = ?) "
+				"AND (? OR (? >= leases.acquired AND (? <= leases.released))) "
+				"AND (? OR leases.released > ? - timeout) "
+				"AND (? OR leases.released < ? - timeout) "
+				"AND ? "
+				"UNION "
+				"SELECT name, address, identities.type, identities.data, "
+				"acquired, released, timeout FROM addresses "
+				"JOIN pools ON addresses.pool = pools.id "
+				"JOIN identities ON addresses.identity = identities.id "
+				"WHERE ? AND released = 0 "
+				"AND (? OR name = ?) "
+				"AND (? OR (identities.type = ? AND identities.data = ?)) "
+				"AND (? OR address = ?)",
+				DB_INT, pool == NULL, DB_TEXT, pool,
+				DB_INT, id == NULL,
+					DB_INT, id ? id->get_type(id) : 0,
+					DB_BLOB, id ? id->get_encoding(id) : chunk_empty,
+				DB_INT, addr == NULL,
+					DB_BLOB, addr ? addr->get_address(addr) : chunk_empty,
+				DB_INT, tstamp == 0, DB_UINT, tstamp, DB_UINT, tstamp,
+				DB_INT, !valid, DB_INT, time(NULL),
+				DB_INT, !expired, DB_INT, time(NULL),
+				DB_INT, !online,
+				/* union */
+				DB_INT, !(valid || expired),
+				DB_INT, pool == NULL, DB_TEXT, pool,
+				DB_INT, id == NULL,
+					DB_INT, id ? id->get_type(id) : 0,
+					DB_BLOB, id ? id->get_encoding(id) : chunk_empty,
+				DB_INT, addr == NULL,
+					DB_BLOB, addr ? addr->get_address(addr) : chunk_empty,
+				/* res */
+				DB_TEXT, DB_BLOB, DB_INT, DB_BLOB, DB_UINT, DB_UINT, DB_UINT);
+	/* id and addr leak but we can't destroy them until query is destroyed. */
+	return query;
+}
+
+/**
+ * ipsec pool --leases - show lease information of a pool
+ */
+static void leases(char *filter, bool utc)
+{
+	enumerator_t *query;
+	chunk_t address_chunk, identity_chunk;
+	int identity_type;
+	char *name;
+	u_int db_acquired, db_released, db_timeout;
+	time_t acquired, released, timeout;
+	host_t *address;
+	identification_t *identity;
+	bool found = FALSE;
+
+	query = create_lease_query(filter);
+	if (!query)
+	{
+		fprintf(stderr, "querying leases failed.\n");
+		exit(EXIT_FAILURE);
+	}
+	while (query->enumerate(query, &name, &address_chunk, &identity_type,
+							&identity_chunk, &db_acquired, &db_released, &db_timeout))
+	{
+		if (!found)
+		{
+			int len = utc ? 25 : 21;
+
+			found = TRUE;
+			printf("%-8s %-15s %-7s  %-*s %-*s %s\n",
+				   "name", "address", "status", len, "start", len, "end", "identity");
+		}
+		address = host_create_from_chunk(AF_UNSPEC, address_chunk, 0);
+		identity = identification_create_from_encoding(identity_type, identity_chunk);
+
+		/* u_int is not always equal to time_t */
+		acquired = (time_t)db_acquired;
+		released = (time_t)db_released;
+		timeout  = (time_t)db_timeout;
+
+		printf("%-8s %-15H ", name, address);
+		if (released == 0)
+		{
+			printf("%-7s ", "online");
+		}
+		else if (timeout == 0)
+		{
+			printf("%-7s ", "static");
+		}
+		else if (released >= time(NULL) - timeout)
+		{
+			printf("%-7s ", "valid");
+		}
+		else
+		{
+			printf("%-7s ", "expired");
+		}
+
+		printf(" %T  ", &acquired, utc);
+		if (released)
+		{
+			printf("%T  ", &released, utc);
+		}
+		else
+		{
+			printf("                      ");
+			if (utc)
+			{
+				printf("    ");
+			}
+		}
+		printf("%Y\n", identity);
+		DESTROY_IF(address);
+		identity->destroy(identity);
+	}
+	query->destroy(query);
+	if (!found)
+	{
+		fprintf(stderr, "no matching leases found.\n");
+		exit(EXIT_FAILURE);
+	}
+}
+
+/**
+ * ipsec pool --purge - delete expired leases
+ */
+static void purge(char *name)
+{
+	int purged = 0;
+
+	purged = db->execute(db, NULL,
+				"DELETE FROM leases WHERE address IN ("
+				" SELECT id FROM addresses WHERE pool IN ("
+				"  SELECT id FROM pools WHERE name = ?))",
+				DB_TEXT, name);
+	if (purged < 0)
+	{
+		fprintf(stderr, "purging pool '%s' failed.\n", name);
+		exit(EXIT_FAILURE);
+	}
+	fprintf(stderr, "purged %d leases in pool '%s'.\n", purged, name);
+}
+
+#define ARGV_SIZE 32
+
+static void argv_add(char **argv, int argc, char *value)
+{
+	if (argc >= ARGV_SIZE)
+	{
+		fprintf(stderr, "too many arguments: %s\n", value);
+		exit(EXIT_FAILURE);
+	}
+	argv[argc] = value;
+}
+
+/**
+ * ipsec pool --batch - read commands from a file
+ */
+static void batch(char *argv0, char *name)
+{
+	char command[512];
+
+	FILE *file = strncmp(name, "-", 1) == 0 ? stdin : fopen(name, "r");
+	if (file == NULL)
+	{
+		fprintf(stderr, "opening '%s' failed: %s\n", name, strerror(errno));
+		exit(EXIT_FAILURE);
+	}
+
+	begin_transaction();
+	while (fgets(command, sizeof(command), file))
+	{
+		char *argv[ARGV_SIZE], *start;
+		int i, argc = 0;
+		size_t cmd_len = strlen(command);
+
+		/* ignore empty lines */
+		if (cmd_len == 1 && *(command + cmd_len - 1) == '\n')
+		{
+			continue;
+		}
+
+		/* parse command into argv */
+		start = command;
+		argv_add(argv, argc++, argv0);
+		for (i = 0; i < cmd_len; ++i)
+		{
+			if (command[i] == ' ' || command[i] == '\n')
+			{
+				if (command + i == start)
+				{
+					/* ignore leading whitespace */
+					++start;
+					continue;
+				}
+				command[i] = '\0';
+				argv_add(argv, argc++, start);
+				start = command + i + 1;
+			}
+		}
+		if (strlen(start) > 0)
+		{
+			argv_add(argv, argc++, start);
+		}
+		argv_add(argv, argc, NULL);
+
+		do_args(argc, argv);
+	}
+	commit_transaction();
+
+	if (file != stdin)
+	{
+		fclose(file);
+	}
+}
+
+/**
+ * atexit handler to close db on shutdown
+ */
+static void cleanup(void)
+{
+	db->destroy(db);
+	DESTROY_IF(start);
+	DESTROY_IF(end);
+	DESTROY_IF(server);
+}
+
+static void do_args(int argc, char *argv[])
+{
+	char *name = "", *filter = "", *addresses = NULL;
+	int timeout = 0;
+	bool utc = FALSE;
+	enum {
+		OP_UNDEF,
+		OP_USAGE,
+		OP_STATUS,
+		OP_ADD,
+		OP_ADD_ATTR,
+		OP_DEL,
+		OP_DEL_ATTR,
+		OP_RESIZE,
+		OP_LEASES,
+		OP_PURGE,
+		OP_BATCH
+	} operation = OP_UNDEF;
+
+	/* reinit getopt state */
+	optind = 0;
+
+	while (TRUE)
+	{
+		int c;
+
+		struct option long_opts[] = {
+			{ "help", no_argument, NULL, 'h' },
+
+			{ "utc", no_argument, NULL, 'u' },
+			{ "status", no_argument, NULL, 'w' },
+			{ "add", required_argument, NULL, 'a' },
+			{ "replace", required_argument, NULL, 'c' },
+			{ "del", required_argument, NULL, 'd' },
+			{ "resize", required_argument, NULL, 'r' },
+			{ "leases", no_argument, NULL, 'l' },
+			{ "purge", required_argument, NULL, 'p' },
+			{ "batch", required_argument, NULL, 'b' },
+
+			{ "start", required_argument, NULL, 's' },
+			{ "end", required_argument, NULL, 'e' },
+			{ "addresses", required_argument, NULL, 'x' },
+			{ "timeout", required_argument, NULL, 't' },
+			{ "filter", required_argument, NULL, 'f' },
+			{ "server", required_argument, NULL, 'v' },
+			{ 0,0,0,0 }
+		};
+
+		c = getopt_long(argc, argv, "", long_opts, NULL);
+		switch (c)
+		{
+			case EOF:
+				break;
+			case 'h':
+				operation = OP_USAGE;
+				break;
+			case 'w':
+				operation = OP_STATUS;
+				break;
+			case 'u':
+				utc = TRUE;
+				continue;
+			case 'c':
+				replace_pool = TRUE;
+				/* fallthrough */
+			case 'a':
+				name = optarg;
+				operation = is_attribute(name) ? OP_ADD_ATTR : OP_ADD;
+				if (replace_pool && operation == OP_ADD_ATTR)
+				{
+					fprintf(stderr, "invalid pool name: '%s'.\n", optarg);
+					usage();
+					exit(EXIT_FAILURE);
+				}
+				continue;
+			case 'd':
+				name = optarg;
+				operation = is_attribute(name) ? OP_DEL_ATTR : OP_DEL;
+				continue;
+			case 'r':
+				name = optarg;
+				operation = OP_RESIZE;
+				continue;
+			case 'l':
+				operation = OP_LEASES;
+				continue;
+			case 'p':
+				name = optarg;
+				operation = OP_PURGE;
+				continue;
+			case 'b':
+				name = optarg;
+				if (operation == OP_BATCH)
+				{
+					fprintf(stderr, "--batch commands can not be nested\n");
+					exit(EXIT_FAILURE);
+				}
+				operation = OP_BATCH;
+				continue;
+			case 's':
+				DESTROY_IF(start);
+				start = host_create_from_string(optarg, 0);
+				if (start == NULL)
+				{
+					fprintf(stderr, "invalid start address: '%s'.\n", optarg);
+					usage();
+					exit(EXIT_FAILURE);
+				}
+				continue;
+			case 'e':
+				DESTROY_IF(end);
+				end = host_create_from_string(optarg, 0);
+				if (end == NULL)
+				{
+					fprintf(stderr, "invalid end address: '%s'.\n", optarg);
+					usage();
+					exit(EXIT_FAILURE);
+				}
+				continue;
+			case 't':
+				timeout = atoi(optarg);
+				if (timeout == 0 && strcmp(optarg, "0") != 0)
+				{
+					fprintf(stderr, "invalid timeout '%s'.\n", optarg);
+					usage();
+					exit(EXIT_FAILURE);
+				}
+				continue;
+			case 'f':
+				filter = optarg;
+				continue;
+			case 'x':
+				addresses = optarg;
+				continue;
+			case 'v':
+				DESTROY_IF(server);
+				server = host_create_from_string(optarg, 0);
+				if (server == NULL)
+				{
+					fprintf(stderr, "invalid server address: '%s'.\n", optarg);
+					usage();
+					exit(EXIT_FAILURE);
+				}
+				continue;
+			default:
+				usage();
+				exit(EXIT_FAILURE);
+				break;
+		}
+		break;
+	}
+
+	switch (operation)
+	{
+		case OP_USAGE:
+			usage();
+			break;
+		case OP_STATUS:
+			status();
+			break;
+		case OP_ADD:
+			if (addresses != NULL)
+			{
+				add_addresses(name, addresses, timeout);
+			}
+			else if (start != NULL && end != NULL)
+			{
+				add(name, start, end, timeout);
+			}
+			else
+			{
+				fprintf(stderr, "missing arguments.\n");
+				usage();
+				exit(EXIT_FAILURE);
+			}
+			break;
+		case OP_ADD_ATTR:
+			if (server == NULL)
+			{
+				fprintf(stderr, "missing arguments.\n");
+				usage();
+				exit(EXIT_FAILURE);
+			}
+			add_attr(name, server);
+			break;
+		case OP_DEL:
+			del(name);
+			break;
+		case OP_DEL_ATTR:
+			del_attr(name, server);
+			break;
+		case OP_RESIZE:
+			if (end == NULL)
+			{
+				fprintf(stderr, "missing arguments.\n");
+				usage();
+				exit(EXIT_FAILURE);
+			}
+			resize(name, end);
+			break;
+		case OP_LEASES:
+			leases(filter, utc);
+			break;
+		case OP_PURGE:
+			purge(name);
+			break;
+		case OP_BATCH:
+			if (name == NULL)
+			{
+				fprintf(stderr, "missing arguments.\n");
+				usage();
+				exit(EXIT_FAILURE);
+			}
+			batch(argv[0], name);
+			break;
+		default:
+			usage();
+			exit(EXIT_FAILURE);
+	}
+}
+
+int main(int argc, char *argv[])
+{
+	char *uri;
+
+	atexit(library_deinit);
+
+	/* initialize library */
+	if (!library_init(NULL))
+	{
+		exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
+	}
+	if (lib->integrity &&
+		!lib->integrity->check_file(lib->integrity, "pool", argv[0]))
+	{
+		fprintf(stderr, "integrity check of pool failed\n");
+		exit(SS_RC_DAEMON_INTEGRITY);
+	}
+	if (!lib->plugins->load(lib->plugins, NULL,
+			lib->settings->get_str(lib->settings, "pool.load", PLUGINS)))
+	{
+		exit(SS_RC_INITIALIZATION_FAILED);
+	}
+
+	uri = lib->settings->get_str(lib->settings, "libhydra.plugins.attr-sql.database", NULL);
+	if (!uri)
+	{
+		fprintf(stderr, "database URI libhydra.plugins.attr-sql.database not set.\n");
+		exit(SS_RC_INITIALIZATION_FAILED);
+	}
+	db = lib->db->create(lib->db, uri);
+	if (!db)
+	{
+		fprintf(stderr, "opening database failed.\n");
+		exit(SS_RC_INITIALIZATION_FAILED);
+	}
+	atexit(cleanup);
+
+	do_args(argc, argv);
+
+	exit(EXIT_SUCCESS);
+}
+
diff --git a/src/libhydra/plugins/attr_sql/sql_attribute.c b/src/libhydra/plugins/attr_sql/sql_attribute.c
new file mode 100644
index 000000000..a7cfde649
--- /dev/null
+++ b/src/libhydra/plugins/attr_sql/sql_attribute.c
@@ -0,0 +1,384 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <time.h>
+
+#include <debug.h>
+#include <library.h>
+
+#include "sql_attribute.h"
+
+typedef struct private_sql_attribute_t private_sql_attribute_t;
+
+/**
+ * private data of sql_attribute
+ */
+struct private_sql_attribute_t {
+
+	/**
+	 * public functions
+	 */
+	sql_attribute_t public;
+
+	/**
+	 * database connection
+	 */
+	database_t *db;
+
+	/**
+	 * wheter to record lease history in lease table
+	 */
+	bool history;
+};
+
+/**
+ * lookup/insert an identity
+ */
+static u_int get_identity(private_sql_attribute_t *this, identification_t *id)
+{
+	enumerator_t *e;
+	u_int row;
+
+	/* look for peer identity in the identities table */
+	e = this->db->query(this->db,
+						"SELECT id FROM identities WHERE type = ? AND data = ?",
+						DB_INT, id->get_type(id), DB_BLOB, id->get_encoding(id),
+						DB_UINT);
+
+	if (e && e->enumerate(e, &row))
+	{
+		e->destroy(e);
+		return row;
+	}
+	DESTROY_IF(e);
+	/* not found, insert new one */
+	if (this->db->execute(this->db, &row,
+				  "INSERT INTO identities (type, data) VALUES (?, ?)",
+				  DB_INT, id->get_type(id), DB_BLOB, id->get_encoding(id)) == 1)
+	{
+		return row;
+	}
+	return 0;
+}
+
+/**
+ * Lookup pool by name
+ */
+static u_int get_pool(private_sql_attribute_t *this, char *name, u_int *timeout)
+{
+	enumerator_t *e;
+	u_int pool;
+
+	e = this->db->query(this->db, "SELECT id, timeout FROM pools WHERE name = ?",
+						DB_TEXT, name, DB_UINT, DB_UINT);
+	if (e && e->enumerate(e, &pool, timeout))
+	{
+		e->destroy(e);
+		return pool;
+	}
+	DESTROY_IF(e);
+	return 0;
+}
+
+/**
+ * Look up an existing lease
+ */
+static host_t* check_lease(private_sql_attribute_t *this, char *name,
+						   u_int pool, u_int identity)
+{
+	while (TRUE)
+	{
+		u_int id;
+		chunk_t address;
+		enumerator_t *e;
+		time_t now = time(NULL);
+
+		e = this->db->query(this->db,
+				"SELECT id, address FROM addresses "
+				"WHERE pool = ? AND identity = ? AND released != 0 LIMIT 1",
+				DB_UINT, pool, DB_UINT, identity, DB_UINT, DB_BLOB);
+		if (!e || !e->enumerate(e, &id, &address))
+		{
+			DESTROY_IF(e);
+			break;
+		}
+		address = chunk_clonea(address);
+		e->destroy(e);
+
+		if (this->db->execute(this->db, NULL,
+				"UPDATE addresses SET acquired = ?, released = 0 "
+				"WHERE id = ? AND identity = ? AND released != 0",
+				DB_UINT, now, DB_UINT, id, DB_UINT, identity) > 0)
+		{
+			host_t *host;
+
+			host = host_create_from_chunk(AF_UNSPEC, address, 0);
+			if (host)
+			{
+				DBG1(DBG_CFG, "acquired existing lease for address %H in"
+					 " pool '%s'", host, name);
+				return host;
+			}
+		}
+	}
+	return NULL;
+}
+
+/**
+ * We check for unallocated addresses or expired leases. First we select an
+ * address as a candidate, but double check later on if it is still available
+ * during the update operation. This allows us to work without locking.
+ */
+static host_t* get_lease(private_sql_attribute_t *this, char *name,
+						 u_int pool, u_int timeout, u_int identity)
+{
+	while (TRUE)
+	{
+		u_int id;
+		chunk_t address;
+		enumerator_t *e;
+		time_t now = time(NULL);
+		int hits;
+
+		if (timeout)
+		{
+			/* check for an expired lease */
+			e = this->db->query(this->db,
+				"SELECT id, address FROM addresses "
+				"WHERE pool = ? AND released != 0 AND released < ? LIMIT 1",
+				DB_UINT, pool, DB_UINT, now - timeout, DB_UINT, DB_BLOB);
+		}
+		else
+		{
+			/* with static leases, check for an unallocated address */
+			e = this->db->query(this->db,
+				"SELECT id, address FROM addresses "
+				"WHERE pool = ? AND identity = 0 LIMIT 1",
+				DB_UINT, pool, DB_UINT, DB_BLOB);
+
+		}
+
+		if (!e || !e->enumerate(e, &id, &address))
+		{
+			DESTROY_IF(e);
+			break;
+		}
+		address = chunk_clonea(address);
+		e->destroy(e);
+
+		if (timeout)
+		{
+			hits = this->db->execute(this->db, NULL,
+						"UPDATE addresses SET "
+						"acquired = ?, released = 0, identity = ? "
+						"WHERE id = ? AND released != 0 AND released < ?",
+						DB_UINT, now, DB_UINT, identity,
+						DB_UINT, id, DB_UINT, now - timeout);
+		}
+		else
+		{
+			hits = this->db->execute(this->db, NULL,
+						"UPDATE addresses SET "
+						"acquired = ?, released = 0, identity = ? "
+						"WHERE id = ? AND identity = 0",
+						DB_UINT, now, DB_UINT, identity, DB_UINT, id);
+		}
+		if (hits > 0)
+		{
+			host_t *host;
+
+			host = host_create_from_chunk(AF_UNSPEC, address, 0);
+			if (host)
+			{
+				DBG1(DBG_CFG, "acquired new lease for address %H in pool '%s'",
+					 host, name);
+				return host;
+			}
+		}
+	}
+	DBG1(DBG_CFG, "no available address found in pool '%s'", name);
+	return NULL;
+}
+
+/**
+ * Implementation of attribute_provider_t.acquire_address
+ */
+static host_t* acquire_address(private_sql_attribute_t *this,
+							   char *names, identification_t *id,
+							   host_t *requested)
+{
+	host_t *address = NULL;
+	u_int identity, pool, timeout;
+
+	identity = get_identity(this, id);
+	if (identity)
+	{
+		/* check for a single pool first (no concatenation and enumeration) */
+		if (strchr(names, ',') == NULL)
+		{
+			pool = get_pool(this, names, &timeout);
+			if (pool)
+			{
+				/* check for an existing lease */
+				address = check_lease(this, names, pool, identity);
+				if (address == NULL)
+				{
+					/* get an unallocated address or expired lease */
+					address = get_lease(this, names, pool, timeout, identity);
+				}
+			}
+		}
+		else
+		{
+			enumerator_t *enumerator;
+			char *name;
+
+			/* in a first step check for an existing lease over all pools */
+			enumerator = enumerator_create_token(names, ",", " ");
+			while (enumerator->enumerate(enumerator, &name))
+			{
+				pool = get_pool(this, name, &timeout);
+				if (pool)
+				{
+					address = check_lease(this, name, pool, identity);
+					if (address)
+					{
+						enumerator->destroy(enumerator);
+						return address;
+					}
+				}
+			}
+			enumerator->destroy(enumerator);
+
+			/* in a second step get an unallocated address or expired lease */
+			enumerator = enumerator_create_token(names, ",", " ");
+			while (enumerator->enumerate(enumerator, &name))
+			{
+				pool = get_pool(this, name, &timeout);
+				if (pool)
+				{
+					address = get_lease(this, name, pool, timeout, identity);
+					if (address)
+					{
+						break;
+					}
+				}
+			}
+			enumerator->destroy(enumerator);
+		}
+	}
+	return address;
+}
+
+/**
+ * Implementation of attribute_provider_t.release_address
+ */
+static bool release_address(private_sql_attribute_t *this,
+							char *name, host_t *address, identification_t *id)
+{
+	enumerator_t *enumerator;
+	bool found = FALSE;
+	time_t now = time(NULL);
+
+	enumerator = enumerator_create_token(name, ",", " ");
+	while (enumerator->enumerate(enumerator, &name))
+	{
+		u_int pool, timeout;
+
+		pool = get_pool(this, name, &timeout);
+		if (pool)
+		{
+			if (this->history)
+			{
+				this->db->execute(this->db, NULL,
+					"INSERT INTO leases (address, identity, acquired, released)"
+					" SELECT id, identity, acquired, ? FROM addresses "
+					" WHERE pool = ? AND address = ?",
+					DB_UINT, now, DB_UINT, pool,
+					DB_BLOB, address->get_address(address));
+			}
+			if (this->db->execute(this->db, NULL,
+					"UPDATE addresses SET released = ? WHERE "
+					"pool = ? AND address = ?", DB_UINT, time(NULL),
+					DB_UINT, pool, DB_BLOB, address->get_address(address)) > 0)
+			{
+				found = TRUE;
+				break;
+			}
+		}
+	}
+	enumerator->destroy(enumerator);
+	return found;
+}
+
+/**
+ * Implementation of sql_attribute_t.create_attribute_enumerator
+ */
+static enumerator_t* create_attribute_enumerator(private_sql_attribute_t *this,
+											identification_t *id, host_t *vip)
+{
+	if (vip)
+	{
+		enumerator_t *enumerator;
+
+		enumerator = this->db->query(this->db,
+						"SELECT type, value FROM attributes", DB_INT, DB_BLOB);
+		if (enumerator)
+		{
+			return enumerator;
+		}
+	}
+	return enumerator_create_empty();
+}
+
+/**
+ * Implementation of sql_attribute_t.destroy
+ */
+static void destroy(private_sql_attribute_t *this)
+{
+	free(this);
+}
+
+/*
+ * see header file
+ */
+sql_attribute_t *sql_attribute_create(database_t *db)
+{
+	private_sql_attribute_t *this = malloc_thing(private_sql_attribute_t);
+	time_t now = time(NULL);
+
+	this->public.provider.acquire_address = (host_t*(*)(attribute_provider_t *this, char*, identification_t *, host_t *))acquire_address;
+	this->public.provider.release_address = (bool(*)(attribute_provider_t *this, char*,host_t *, identification_t*))release_address;
+	this->public.provider.create_attribute_enumerator = (enumerator_t*(*)(attribute_provider_t*, identification_t *id, host_t *host))create_attribute_enumerator;
+	this->public.destroy = (void(*)(sql_attribute_t*))destroy;
+
+	this->db = db;
+	this->history = lib->settings->get_bool(lib->settings,
+						"libhydra.plugins.attr-sql.lease_history", TRUE);
+
+	/* close any "online" leases in the case we crashed */
+	if (this->history)
+	{
+		this->db->execute(this->db, NULL,
+					"INSERT INTO leases (address, identity, acquired, released)"
+					" SELECT id, identity, acquired, ? FROM addresses "
+					" WHERE released = 0", DB_UINT, now);
+	}
+	this->db->execute(this->db, NULL,
+					  "UPDATE addresses SET released = ? WHERE released = 0",
+					  DB_UINT, now);
+	return &this->public;
+}
+
diff --git a/src/libhydra/plugins/attr_sql/sql_attribute.h b/src/libhydra/plugins/attr_sql/sql_attribute.h
new file mode 100644
index 000000000..ca87eb27e
--- /dev/null
+++ b/src/libhydra/plugins/attr_sql/sql_attribute.h
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup sql_attribute sql_attribute
+ * @{ @ingroup attr_sql
+ */
+
+#ifndef SQL_ATTRIBUTE_H_
+#define SQL_ATTRIBUTE_H_
+
+#include <attributes/attribute_provider.h>
+#include <database/database.h>
+
+typedef struct sql_attribute_t sql_attribute_t;
+
+/**
+ * SQL database based IKEv2 cfg attribute provider.
+ */
+struct sql_attribute_t {
+
+	/**
+	 * Implements attribute provider interface
+	 */
+	attribute_provider_t provider;
+
+	/**
+	 * Destroy a sql_attribute instance.
+	 */
+	void (*destroy)(sql_attribute_t *this);
+};
+
+/**
+ * Create a sql_attribute instance.
+ */
+sql_attribute_t *sql_attribute_create(database_t *db);
+
+#endif /** SQL_ATTRIBUTE_H_ @}*/
diff --git a/src/libsimaka/Makefile.am b/src/libsimaka/Makefile.am
index f64e4dba3..8e7a1f0d3 100644
--- a/src/libsimaka/Makefile.am
+++ b/src/libsimaka/Makefile.am
@@ -1,5 +1,5 @@
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra -I$(top_srcdir)/src/libcharon
 
 noinst_LTLIBRARIES = libsimaka.la
 libsimaka_la_SOURCES = simaka_message.h simaka_message.c \
diff --git a/src/libsimaka/Makefile.in b/src/libsimaka/Makefile.in
index 9a448ef02..ab07cb214 100644
--- a/src/libsimaka/Makefile.in
+++ b/src/libsimaka/Makefile.in
@@ -192,6 +192,7 @@ ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libhydra_plugins = @libhydra_plugins@
 libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
@@ -226,7 +227,7 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra -I$(top_srcdir)/src/libcharon
 noinst_LTLIBRARIES = libsimaka.la
 libsimaka_la_SOURCES = simaka_message.h simaka_message.c \
   simaka_crypto.h simaka_crypto.c
diff --git a/src/libsimaka/simaka_message.c b/src/libsimaka/simaka_message.c
index 22d111bfd..e0319e918 100644
--- a/src/libsimaka/simaka_message.c
+++ b/src/libsimaka/simaka_message.c
@@ -256,16 +256,12 @@ static void add_attribute(private_simaka_message_t *this,
 {
 	attr_t *attr;
 
-	if (!charon->sim->attribute_hook(charon->sim, this->hdr->code,
-							this->hdr->type, this->hdr->subtype, type, data))
-	{
-		attr = malloc(sizeof(attr_t) + data.len);
-		attr->len = data.len;
-		attr->type = type;
-		memcpy(attr->data, data.ptr, data.len);
+	attr = malloc(sizeof(attr_t) + data.len);
+	attr->len = data.len;
+	attr->type = type;
+	memcpy(attr->data, data.ptr, data.len);
 
-		this->attributes->insert_last(this->attributes, attr);
-	}
+	this->attributes->insert_last(this->attributes, attr);
 }
 
 /**
@@ -463,6 +459,9 @@ static bool parse_attributes(private_simaka_message_t *this, chunk_t in)
 				break;
 		}
 	}
+
+	charon->sim->message_hook(charon->sim, &this->public, TRUE, this->encrypted);
+
 	return TRUE;
 }
 
@@ -604,6 +603,8 @@ static eap_payload_t* generate(private_simaka_message_t *this, chunk_t sigdata)
 	u_int16_t len;
 	signer_t *signer;
 
+	charon->sim->message_hook(charon->sim, &this->public, FALSE, TRUE);
+
 	out = chunk_create(out_buf, sizeof(out_buf));
 	encr = chunk_create(encr_buf, sizeof(encr_buf));
 
@@ -814,6 +815,9 @@ static eap_payload_t* generate(private_simaka_message_t *this, chunk_t sigdata)
 		data = chunk_cata("cc", out, sigdata);
 		signer->get_signature(signer, data, mac.ptr);
 	}
+
+	charon->sim->message_hook(charon->sim, &this->public, FALSE, FALSE);
+
 	return eap_payload_create_data(out);
 }
 
diff --git a/src/libsimaka/simaka_message.h b/src/libsimaka/simaka_message.h
index ee9b3ebec..341f72959 100644
--- a/src/libsimaka/simaka_message.h
+++ b/src/libsimaka/simaka_message.h
@@ -31,7 +31,6 @@
 
 #include "simaka_crypto.h"
 
-typedef struct simaka_message_t simaka_message_t;
 typedef enum simaka_attribute_t simaka_attribute_t;
 typedef enum simaka_subtype_t simaka_subtype_t;
 typedef enum simaka_notification_t simaka_notification_t;
diff --git a/src/libstrongswan/Android.mk b/src/libstrongswan/Android.mk
new file mode 100644
index 000000000..d639220e3
--- /dev/null
+++ b/src/libstrongswan/Android.mk
@@ -0,0 +1,121 @@
+LOCAL_PATH := $(call my-dir)
+include $(CLEAR_VARS)
+
+# copy-n-paste from Makefile.am
+LOCAL_SRC_FILES := \
+library.c library.h \
+chunk.c chunk.h \
+debug.c debug.h \
+enum.c enum.h \
+settings.h settings.c \
+printf_hook.c printf_hook.h \
+asn1/asn1.c asn1/asn1.h \
+asn1/asn1_parser.c asn1/asn1_parser.h \
+asn1/oid.c asn1/oid.h \
+crypto/crypters/crypter.c crypto/crypters/crypter.h \
+crypto/hashers/hasher.h crypto/hashers/hasher.c \
+crypto/pkcs9.c crypto/pkcs9.h \
+crypto/proposal/proposal_keywords.c crypto/proposal/proposal_keywords.h \
+crypto/prfs/prf.c crypto/prfs/prf.h \
+crypto/rngs/rng.c crypto/rngs/rng.h \
+crypto/prf_plus.h crypto/prf_plus.c \
+crypto/signers/signer.c crypto/signers/signer.h \
+crypto/crypto_factory.c crypto/crypto_factory.h \
+crypto/crypto_tester.c crypto/crypto_tester.h \
+crypto/diffie_hellman.c crypto/diffie_hellman.h \
+crypto/transform.c crypto/transform.h \
+credentials/credential_factory.c credentials/credential_factory.h \
+credentials/builder.c credentials/builder.h \
+credentials/keys/key_encoding.c credentials/keys/key_encoding.h \
+credentials/keys/private_key.c credentials/keys/private_key.h \
+credentials/keys/public_key.c credentials/keys/public_key.h \
+credentials/keys/shared_key.c credentials/keys/shared_key.h \
+credentials/certificates/certificate.c credentials/certificates/certificate.h \
+credentials/certificates/x509.h credentials/certificates/x509.c \
+credentials/certificates/ac.h \
+credentials/certificates/crl.h credentials/certificates/crl.c \
+credentials/certificates/pkcs10.h \
+credentials/certificates/ocsp_request.h \
+credentials/certificates/ocsp_response.h credentials/certificates/ocsp_response.c \
+credentials/certificates/pgp_certificate.h \
+credentials/ietf_attributes/ietf_attributes.c credentials/ietf_attributes/ietf_attributes.h \
+database/database.h database/database_factory.h database/database_factory.c \
+fetcher/fetcher.h fetcher/fetcher_manager.h fetcher/fetcher_manager.c \
+selectors/traffic_selector.c selectors/traffic_selector.h \
+threading/thread.h threading/thread.c \
+threading/thread_value.h threading/thread_value.c \
+threading/mutex.h threading/mutex.c threading/condvar.h  \
+threading/rwlock.h threading/rwlock.c \
+threading/lock_profiler.h \
+utils.h utils.c \
+utils/host.c utils/host.h \
+utils/identification.c utils/identification.h \
+utils/iterator.h \
+utils/lexparser.c utils/lexparser.h \
+utils/linked_list.c utils/linked_list.h \
+utils/hashtable.c utils/hashtable.h \
+utils/enumerator.c utils/enumerator.h \
+utils/optionsfrom.c utils/optionsfrom.h \
+utils/backtrace.c utils/backtrace.h \
+plugins/plugin_loader.c plugins/plugin_loader.h plugins/plugin.h
+
+# adding the plugin source files
+
+LOCAL_SRC_FILES += $(call add_plugin, aes)
+
+LOCAL_SRC_FILES += $(call add_plugin, des)
+
+LOCAL_SRC_FILES += $(call add_plugin, fips-prf)
+
+LOCAL_SRC_FILES += $(call add_plugin, gmp)
+ifneq ($(call plugin_enabled, gmp)),)
+LOCAL_C_INCLUDES += $(libgmp_PATH)
+LOCAL_SHARED_LIBRARIES += libgmp
+endif
+
+LOCAL_SRC_FILES += $(call add_plugin, hmac)
+
+LOCAL_SRC_FILES += $(call add_plugin, md4)
+
+LOCAL_SRC_FILES += $(call add_plugin, md5)
+
+LOCAL_SRC_FILES += $(call add_plugin, openssl)
+ifneq ($(call plugin_enabled, openssl)),)
+LOCAL_C_INCLUDES += external/openssl/include
+LOCAL_SHARED_LIBRARIES += libcrypto
+endif
+
+LOCAL_SRC_FILES += $(call add_plugin, pem)
+
+LOCAL_SRC_FILES += $(call add_plugin, pkcs1)
+
+LOCAL_SRC_FILES += $(call add_plugin, pubkey)
+
+LOCAL_SRC_FILES += $(call add_plugin, random)
+
+LOCAL_SRC_FILES += $(call add_plugin, sha1)
+
+LOCAL_SRC_FILES += $(call add_plugin, sha2)
+
+LOCAL_SRC_FILES += $(call add_plugin, x509)
+
+LOCAL_SRC_FILES += $(call add_plugin, xcbc)
+
+# build libstrongswan ----------------------------------------------------------
+
+LOCAL_C_INCLUDES += \
+	$(libvstr_PATH)
+
+LOCAL_CFLAGS := $(strongswan_CFLAGS) \
+	-include $(LOCAL_PATH)/AndroidConfigLocal.h
+
+LOCAL_MODULE := libstrongswan
+
+LOCAL_ARM_MODE := arm
+
+LOCAL_PRELINK_MODULE := false
+
+LOCAL_SHARED_LIBRARIES += libdl libvstr
+
+include $(BUILD_SHARED_LIBRARY)
+
diff --git a/src/libstrongswan/AndroidConfigLocal.h b/src/libstrongswan/AndroidConfigLocal.h
new file mode 100644
index 000000000..a6da3276a
--- /dev/null
+++ b/src/libstrongswan/AndroidConfigLocal.h
@@ -0,0 +1,9 @@
+/* stuff defined in AndroidConfig.h, which is included using the -include
+ * command-line option, thus cannot be undefined using -U CFLAGS options.
+ * the reason we have to undefine these flags in the first place, is that
+ * AndroidConfig.h defines them as 0, which in turn means that they are
+ * actually defined. */
+
+#undef HAVE_BACKTRACE
+#undef HAVE_DLADDR
+
diff --git a/src/libstrongswan/Makefile.am b/src/libstrongswan/Makefile.am
index 7ee15052c..157d37b5e 100644
--- a/src/libstrongswan/Makefile.am
+++ b/src/libstrongswan/Makefile.am
@@ -10,9 +10,6 @@ printf_hook.c printf_hook.h \
 asn1/asn1.c asn1/asn1.h \
 asn1/asn1_parser.c asn1/asn1_parser.h \
 asn1/oid.c asn1/oid.h \
-attributes/attributes.c attributes/attributes.h \
-attributes/attribute_provider.h attributes/attribute_handler.h \
-attributes/attribute_manager.c attributes/attribute_manager.h \
 crypto/crypters/crypter.c crypto/crypters/crypter.h \
 crypto/hashers/hasher.h crypto/hashers/hasher.c \
 crypto/pkcs9.c crypto/pkcs9.h \
@@ -90,7 +87,8 @@ endif
 
 EXTRA_DIST = \
 asn1/oid.txt asn1/oid.pl \
-crypto/proposal/proposal_keywords.txt
+crypto/proposal/proposal_keywords.txt \
+Android.mk AndroidConfigLocal.h
 
 BUILT_SOURCES = \
 $(srcdir)/asn1/oid.c $(srcdir)/asn1/oid.h \
@@ -115,116 +113,197 @@ $(srcdir)/crypto/proposal/proposal_keywords.c:	$(srcdir)/crypto/proposal/proposa
 # build plugins with their own Makefile
 #######################################
 
+if MONOLITHIC
+SUBDIRS =
+else
 SUBDIRS = .
+endif
 
 if USE_AES
   SUBDIRS += plugins/aes
+if MONOLITHIC
+  libstrongswan_la_LIBADD += plugins/aes/libstrongswan-aes.la
+endif
 endif
 
 if USE_DES
   SUBDIRS += plugins/des
+if MONOLITHIC
+  libstrongswan_la_LIBADD += plugins/des/libstrongswan-des.la
+endif
 endif
 
 if USE_BLOWFISH
   SUBDIRS += plugins/blowfish
+if MONOLITHIC
+  libstrongswan_la_LIBADD += plugins/blowfish/libstrongswan-blowfish.la
+endif
 endif
 
 if USE_MD4
   SUBDIRS += plugins/md4
+if MONOLITHIC
+  libstrongswan_la_LIBADD += plugins/md4/libstrongswan-md4.la
+endif
 endif
 
 if USE_MD5
   SUBDIRS += plugins/md5
+if MONOLITHIC
+  libstrongswan_la_LIBADD += plugins/md5/libstrongswan-md5.la
+endif
 endif
 
 if USE_SHA1
   SUBDIRS += plugins/sha1
+if MONOLITHIC
+  libstrongswan_la_LIBADD += plugins/sha1/libstrongswan-sha1.la
+endif
 endif
 
 if USE_SHA2
   SUBDIRS += plugins/sha2
+if MONOLITHIC
+  libstrongswan_la_LIBADD += plugins/sha2/libstrongswan-sha2.la
 endif
-
-if USE_FIPS_PRF
-  SUBDIRS += plugins/fips_prf
 endif
 
 if USE_GMP
   SUBDIRS += plugins/gmp
+if MONOLITHIC
+  libstrongswan_la_LIBADD += plugins/gmp/libstrongswan-gmp.la
+endif
 endif
 
 if USE_RANDOM
   SUBDIRS += plugins/random
+if MONOLITHIC
+  libstrongswan_la_LIBADD += plugins/random/libstrongswan-random.la
+endif
 endif
 
 if USE_HMAC
   SUBDIRS += plugins/hmac
+if MONOLITHIC
+  libstrongswan_la_LIBADD += plugins/hmac/libstrongswan-hmac.la
+endif
 endif
 
 if USE_XCBC
   SUBDIRS += plugins/xcbc
+if MONOLITHIC
+  libstrongswan_la_LIBADD += plugins/xcbc/libstrongswan-xcbc.la
+endif
 endif
 
 if USE_X509
   SUBDIRS += plugins/x509
+if MONOLITHIC
+  libstrongswan_la_LIBADD += plugins/x509/libstrongswan-x509.la
+endif
 endif
 
 if USE_PUBKEY
   SUBDIRS += plugins/pubkey
+if MONOLITHIC
+  libstrongswan_la_LIBADD += plugins/pubkey/libstrongswan-pubkey.la
+endif
 endif
 
 if USE_PKCS1
   SUBDIRS += plugins/pkcs1
+if MONOLITHIC
+  libstrongswan_la_LIBADD += plugins/pkcs1/libstrongswan-pkcs1.la
+endif
 endif
 
 if USE_PGP
   SUBDIRS += plugins/pgp
+if MONOLITHIC
+  libstrongswan_la_LIBADD += plugins/pgp/libstrongswan-pgp.la
+endif
 endif
 
 if USE_DNSKEY
   SUBDIRS += plugins/dnskey
+if MONOLITHIC
+  libstrongswan_la_LIBADD += plugins/dnskey/libstrongswan-dnskey.la
+endif
 endif
 
 if USE_PEM
   SUBDIRS += plugins/pem
+if MONOLITHIC
+  libstrongswan_la_LIBADD += plugins/pem/libstrongswan-pem.la
+endif
 endif
 
 if USE_CURL
   SUBDIRS += plugins/curl
+if MONOLITHIC
+  libstrongswan_la_LIBADD += plugins/curl/libstrongswan-curl.la
+endif
 endif
 
 if USE_LDAP
   SUBDIRS += plugins/ldap
+if MONOLITHIC
+  libstrongswan_la_LIBADD += plugins/ldap/libstrongswan-ldap.la
+endif
 endif
 
 if USE_MYSQL
   SUBDIRS += plugins/mysql
+if MONOLITHIC
+  libstrongswan_la_LIBADD += plugins/mysql/libstrongswan-mysql.la
+endif
 endif
 
 if USE_SQLITE
   SUBDIRS += plugins/sqlite
+if MONOLITHIC
+  libstrongswan_la_LIBADD += plugins/sqlite/libstrongswan-sqlite.la
 endif
-
-if USE_ATTR_SQL
-  SUBDIRS += plugins/attr_sql
 endif
 
 if USE_PADLOCK
   SUBDIRS += plugins/padlock
+if MONOLITHIC
+  libstrongswan_la_LIBADD += plugins/padlock/libstrongswan-padlock.la
+endif
 endif
 
 if USE_OPENSSL
   SUBDIRS += plugins/openssl
+if MONOLITHIC
+  libstrongswan_la_LIBADD += plugins/openssl/libstrongswan-openssl.la
+endif
 endif
 
 if USE_GCRYPT
   SUBDIRS += plugins/gcrypt
+if MONOLITHIC
+  libstrongswan_la_LIBADD += plugins/gcrypt/libstrongswan-gcrypt.la
+endif
+endif
+
+if USE_FIPS_PRF
+  SUBDIRS += plugins/fips_prf
+if MONOLITHIC
+  libstrongswan_la_LIBADD += plugins/fips_prf/libstrongswan-fips-prf.la
+endif
 endif
 
 if USE_AGENT
   SUBDIRS += plugins/agent
+if MONOLITHIC
+  libstrongswan_la_LIBADD += plugins/agent/libstrongswan-agent.la
+endif
 endif
 
 if USE_TEST_VECTORS
   SUBDIRS += plugins/test_vectors
+if MONOLITHIC
+  libstrongswan_la_LIBADD += plugins/test_vectors/libstrongswan-test-vectors.la
+endif
 endif
diff --git a/src/libstrongswan/Makefile.in b/src/libstrongswan/Makefile.in
index 729d32eb3..b8d967d4a 100644
--- a/src/libstrongswan/Makefile.in
+++ b/src/libstrongswan/Makefile.in
@@ -45,33 +45,59 @@ host_triplet = @host@
 
 @USE_VSTR_TRUE@am__append_6 = -lvstr
 @USE_AES_TRUE@am__append_7 = plugins/aes
-@USE_DES_TRUE@am__append_8 = plugins/des
-@USE_BLOWFISH_TRUE@am__append_9 = plugins/blowfish
-@USE_MD4_TRUE@am__append_10 = plugins/md4
-@USE_MD5_TRUE@am__append_11 = plugins/md5
-@USE_SHA1_TRUE@am__append_12 = plugins/sha1
-@USE_SHA2_TRUE@am__append_13 = plugins/sha2
-@USE_FIPS_PRF_TRUE@am__append_14 = plugins/fips_prf
-@USE_GMP_TRUE@am__append_15 = plugins/gmp
-@USE_RANDOM_TRUE@am__append_16 = plugins/random
-@USE_HMAC_TRUE@am__append_17 = plugins/hmac
-@USE_XCBC_TRUE@am__append_18 = plugins/xcbc
-@USE_X509_TRUE@am__append_19 = plugins/x509
-@USE_PUBKEY_TRUE@am__append_20 = plugins/pubkey
-@USE_PKCS1_TRUE@am__append_21 = plugins/pkcs1
-@USE_PGP_TRUE@am__append_22 = plugins/pgp
-@USE_DNSKEY_TRUE@am__append_23 = plugins/dnskey
-@USE_PEM_TRUE@am__append_24 = plugins/pem
-@USE_CURL_TRUE@am__append_25 = plugins/curl
-@USE_LDAP_TRUE@am__append_26 = plugins/ldap
-@USE_MYSQL_TRUE@am__append_27 = plugins/mysql
-@USE_SQLITE_TRUE@am__append_28 = plugins/sqlite
-@USE_ATTR_SQL_TRUE@am__append_29 = plugins/attr_sql
-@USE_PADLOCK_TRUE@am__append_30 = plugins/padlock
-@USE_OPENSSL_TRUE@am__append_31 = plugins/openssl
-@USE_GCRYPT_TRUE@am__append_32 = plugins/gcrypt
-@USE_AGENT_TRUE@am__append_33 = plugins/agent
-@USE_TEST_VECTORS_TRUE@am__append_34 = plugins/test_vectors
+@MONOLITHIC_TRUE@@USE_AES_TRUE@am__append_8 = plugins/aes/libstrongswan-aes.la
+@USE_DES_TRUE@am__append_9 = plugins/des
+@MONOLITHIC_TRUE@@USE_DES_TRUE@am__append_10 = plugins/des/libstrongswan-des.la
+@USE_BLOWFISH_TRUE@am__append_11 = plugins/blowfish
+@MONOLITHIC_TRUE@@USE_BLOWFISH_TRUE@am__append_12 = plugins/blowfish/libstrongswan-blowfish.la
+@USE_MD4_TRUE@am__append_13 = plugins/md4
+@MONOLITHIC_TRUE@@USE_MD4_TRUE@am__append_14 = plugins/md4/libstrongswan-md4.la
+@USE_MD5_TRUE@am__append_15 = plugins/md5
+@MONOLITHIC_TRUE@@USE_MD5_TRUE@am__append_16 = plugins/md5/libstrongswan-md5.la
+@USE_SHA1_TRUE@am__append_17 = plugins/sha1
+@MONOLITHIC_TRUE@@USE_SHA1_TRUE@am__append_18 = plugins/sha1/libstrongswan-sha1.la
+@USE_SHA2_TRUE@am__append_19 = plugins/sha2
+@MONOLITHIC_TRUE@@USE_SHA2_TRUE@am__append_20 = plugins/sha2/libstrongswan-sha2.la
+@USE_GMP_TRUE@am__append_21 = plugins/gmp
+@MONOLITHIC_TRUE@@USE_GMP_TRUE@am__append_22 = plugins/gmp/libstrongswan-gmp.la
+@USE_RANDOM_TRUE@am__append_23 = plugins/random
+@MONOLITHIC_TRUE@@USE_RANDOM_TRUE@am__append_24 = plugins/random/libstrongswan-random.la
+@USE_HMAC_TRUE@am__append_25 = plugins/hmac
+@MONOLITHIC_TRUE@@USE_HMAC_TRUE@am__append_26 = plugins/hmac/libstrongswan-hmac.la
+@USE_XCBC_TRUE@am__append_27 = plugins/xcbc
+@MONOLITHIC_TRUE@@USE_XCBC_TRUE@am__append_28 = plugins/xcbc/libstrongswan-xcbc.la
+@USE_X509_TRUE@am__append_29 = plugins/x509
+@MONOLITHIC_TRUE@@USE_X509_TRUE@am__append_30 = plugins/x509/libstrongswan-x509.la
+@USE_PUBKEY_TRUE@am__append_31 = plugins/pubkey
+@MONOLITHIC_TRUE@@USE_PUBKEY_TRUE@am__append_32 = plugins/pubkey/libstrongswan-pubkey.la
+@USE_PKCS1_TRUE@am__append_33 = plugins/pkcs1
+@MONOLITHIC_TRUE@@USE_PKCS1_TRUE@am__append_34 = plugins/pkcs1/libstrongswan-pkcs1.la
+@USE_PGP_TRUE@am__append_35 = plugins/pgp
+@MONOLITHIC_TRUE@@USE_PGP_TRUE@am__append_36 = plugins/pgp/libstrongswan-pgp.la
+@USE_DNSKEY_TRUE@am__append_37 = plugins/dnskey
+@MONOLITHIC_TRUE@@USE_DNSKEY_TRUE@am__append_38 = plugins/dnskey/libstrongswan-dnskey.la
+@USE_PEM_TRUE@am__append_39 = plugins/pem
+@MONOLITHIC_TRUE@@USE_PEM_TRUE@am__append_40 = plugins/pem/libstrongswan-pem.la
+@USE_CURL_TRUE@am__append_41 = plugins/curl
+@MONOLITHIC_TRUE@@USE_CURL_TRUE@am__append_42 = plugins/curl/libstrongswan-curl.la
+@USE_LDAP_TRUE@am__append_43 = plugins/ldap
+@MONOLITHIC_TRUE@@USE_LDAP_TRUE@am__append_44 = plugins/ldap/libstrongswan-ldap.la
+@USE_MYSQL_TRUE@am__append_45 = plugins/mysql
+@MONOLITHIC_TRUE@@USE_MYSQL_TRUE@am__append_46 = plugins/mysql/libstrongswan-mysql.la
+@USE_SQLITE_TRUE@am__append_47 = plugins/sqlite
+@MONOLITHIC_TRUE@@USE_SQLITE_TRUE@am__append_48 = plugins/sqlite/libstrongswan-sqlite.la
+@USE_PADLOCK_TRUE@am__append_49 = plugins/padlock
+@MONOLITHIC_TRUE@@USE_PADLOCK_TRUE@am__append_50 = plugins/padlock/libstrongswan-padlock.la
+@USE_OPENSSL_TRUE@am__append_51 = plugins/openssl
+@MONOLITHIC_TRUE@@USE_OPENSSL_TRUE@am__append_52 = plugins/openssl/libstrongswan-openssl.la
+@USE_GCRYPT_TRUE@am__append_53 = plugins/gcrypt
+@MONOLITHIC_TRUE@@USE_GCRYPT_TRUE@am__append_54 = plugins/gcrypt/libstrongswan-gcrypt.la
+@USE_FIPS_PRF_TRUE@am__append_55 = plugins/fips_prf
+@MONOLITHIC_TRUE@@USE_FIPS_PRF_TRUE@am__append_56 = plugins/fips_prf/libstrongswan-fips-prf.la
+@USE_AGENT_TRUE@am__append_57 = plugins/agent
+@MONOLITHIC_TRUE@@USE_AGENT_TRUE@am__append_58 = plugins/agent/libstrongswan-agent.la
+@USE_TEST_VECTORS_TRUE@am__append_59 = plugins/test_vectors
+@MONOLITHIC_TRUE@@USE_TEST_VECTORS_TRUE@am__append_60 = plugins/test_vectors/libstrongswan-test-vectors.la
 subdir = src/libstrongswan
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
@@ -115,14 +141,20 @@ am__DEPENDENCIES_1 =
 libstrongswan_la_DEPENDENCIES = $(am__DEPENDENCIES_1) \
 	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
 	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
-	$(am__DEPENDENCIES_1)
+	$(am__DEPENDENCIES_1) $(am__append_8) $(am__append_10) \
+	$(am__append_12) $(am__append_14) $(am__append_16) \
+	$(am__append_18) $(am__append_20) $(am__append_22) \
+	$(am__append_24) $(am__append_26) $(am__append_28) \
+	$(am__append_30) $(am__append_32) $(am__append_34) \
+	$(am__append_36) $(am__append_38) $(am__append_40) \
+	$(am__append_42) $(am__append_44) $(am__append_46) \
+	$(am__append_48) $(am__append_50) $(am__append_52) \
+	$(am__append_54) $(am__append_56) $(am__append_58) \
+	$(am__append_60)
 am__libstrongswan_la_SOURCES_DIST = library.c library.h chunk.c \
 	chunk.h debug.c debug.h enum.c enum.h settings.h settings.c \
 	printf_hook.c printf_hook.h asn1/asn1.c asn1/asn1.h \
 	asn1/asn1_parser.c asn1/asn1_parser.h asn1/oid.c asn1/oid.h \
-	attributes/attributes.c attributes/attributes.h \
-	attributes/attribute_provider.h attributes/attribute_handler.h \
-	attributes/attribute_manager.c attributes/attribute_manager.h \
 	crypto/crypters/crypter.c crypto/crypters/crypter.h \
 	crypto/hashers/hasher.h crypto/hashers/hasher.c crypto/pkcs9.c \
 	crypto/pkcs9.h crypto/proposal/proposal_keywords.c \
@@ -173,10 +205,10 @@ am__libstrongswan_la_SOURCES_DIST = library.c library.h chunk.c \
 @USE_INTEGRITY_TEST_TRUE@am__objects_2 = integrity_checker.lo
 am_libstrongswan_la_OBJECTS = library.lo chunk.lo debug.lo enum.lo \
 	settings.lo printf_hook.lo asn1.lo asn1_parser.lo oid.lo \
-	attributes.lo attribute_manager.lo crypter.lo hasher.lo \
-	pkcs9.lo proposal_keywords.lo prf.lo rng.lo prf_plus.lo \
-	signer.lo crypto_factory.lo crypto_tester.lo diffie_hellman.lo \
-	transform.lo credential_factory.lo builder.lo key_encoding.lo \
+	crypter.lo hasher.lo pkcs9.lo proposal_keywords.lo prf.lo \
+	rng.lo prf_plus.lo signer.lo crypto_factory.lo \
+	crypto_tester.lo diffie_hellman.lo transform.lo \
+	credential_factory.lo builder.lo key_encoding.lo \
 	private_key.lo public_key.lo shared_key.lo certificate.lo \
 	x509.lo crl.lo ocsp_response.lo ietf_attributes.lo \
 	database_factory.lo fetcher_manager.lo traffic_selector.lo \
@@ -215,13 +247,12 @@ AM_RECURSIVE_TARGETS = $(RECURSIVE_TARGETS:-recursive=) \
 ETAGS = etags
 CTAGS = ctags
 DIST_SUBDIRS = . plugins/aes plugins/des plugins/blowfish plugins/md4 \
-	plugins/md5 plugins/sha1 plugins/sha2 plugins/fips_prf \
-	plugins/gmp plugins/random plugins/hmac plugins/xcbc \
-	plugins/x509 plugins/pubkey plugins/pkcs1 plugins/pgp \
-	plugins/dnskey plugins/pem plugins/curl plugins/ldap \
-	plugins/mysql plugins/sqlite plugins/attr_sql plugins/padlock \
-	plugins/openssl plugins/gcrypt plugins/agent \
-	plugins/test_vectors
+	plugins/md5 plugins/sha1 plugins/sha2 plugins/gmp \
+	plugins/random plugins/hmac plugins/xcbc plugins/x509 \
+	plugins/pubkey plugins/pkcs1 plugins/pgp plugins/dnskey \
+	plugins/pem plugins/curl plugins/ldap plugins/mysql \
+	plugins/sqlite plugins/padlock plugins/openssl plugins/gcrypt \
+	plugins/fips_prf plugins/agent plugins/test_vectors
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 am__relativize = \
   dir0=`pwd`; \
@@ -368,6 +399,7 @@ ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libhydra_plugins = @libhydra_plugins@
 libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
@@ -407,9 +439,6 @@ libstrongswan_la_SOURCES = library.c library.h chunk.c chunk.h debug.c \
 	debug.h enum.c enum.h settings.h settings.c printf_hook.c \
 	printf_hook.h asn1/asn1.c asn1/asn1.h asn1/asn1_parser.c \
 	asn1/asn1_parser.h asn1/oid.c asn1/oid.h \
-	attributes/attributes.c attributes/attributes.h \
-	attributes/attribute_provider.h attributes/attribute_handler.h \
-	attributes/attribute_manager.c attributes/attribute_manager.h \
 	crypto/crypters/crypter.c crypto/crypters/crypter.h \
 	crypto/hashers/hasher.h crypto/hashers/hasher.c crypto/pkcs9.c \
 	crypto/pkcs9.h crypto/proposal/proposal_keywords.c \
@@ -456,14 +485,24 @@ libstrongswan_la_SOURCES = library.c library.h chunk.c chunk.h debug.c \
 	plugins/plugin_loader.h plugins/plugin.h $(am__append_2) \
 	$(am__append_5)
 libstrongswan_la_LIBADD = $(PTHREADLIB) $(DLLIB) $(BTLIB) $(SOCKLIB) \
-	$(RTLIB) $(am__append_6)
+	$(RTLIB) $(am__append_6) $(am__append_8) $(am__append_10) \
+	$(am__append_12) $(am__append_14) $(am__append_16) \
+	$(am__append_18) $(am__append_20) $(am__append_22) \
+	$(am__append_24) $(am__append_26) $(am__append_28) \
+	$(am__append_30) $(am__append_32) $(am__append_34) \
+	$(am__append_36) $(am__append_38) $(am__append_40) \
+	$(am__append_42) $(am__append_44) $(am__append_46) \
+	$(am__append_48) $(am__append_50) $(am__append_52) \
+	$(am__append_54) $(am__append_56) $(am__append_58) \
+	$(am__append_60)
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
 AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" -DPLUGINDIR=\"${plugindir}\" \
 	-DSTRONGSWAN_CONF=\"${strongswan_conf}\" $(am__append_1) \
 	$(am__append_3) $(am__append_4)
 EXTRA_DIST = \
 asn1/oid.txt asn1/oid.pl \
-crypto/proposal/proposal_keywords.txt
+crypto/proposal/proposal_keywords.txt \
+Android.mk AndroidConfigLocal.h
 
 BUILT_SOURCES = \
 $(srcdir)/asn1/oid.c $(srcdir)/asn1/oid.h \
@@ -473,19 +512,37 @@ MAINTAINERCLEANFILES = \
 $(srcdir)/asn1/oid.c $(srcdir)/asn1/oid.h \
 $(srcdir)/crypto/proposal/proposal_keywords.c
 
+@MONOLITHIC_FALSE@SUBDIRS = . $(am__append_7) $(am__append_9) \
+@MONOLITHIC_FALSE@	$(am__append_11) $(am__append_13) \
+@MONOLITHIC_FALSE@	$(am__append_15) $(am__append_17) \
+@MONOLITHIC_FALSE@	$(am__append_19) $(am__append_21) \
+@MONOLITHIC_FALSE@	$(am__append_23) $(am__append_25) \
+@MONOLITHIC_FALSE@	$(am__append_27) $(am__append_29) \
+@MONOLITHIC_FALSE@	$(am__append_31) $(am__append_33) \
+@MONOLITHIC_FALSE@	$(am__append_35) $(am__append_37) \
+@MONOLITHIC_FALSE@	$(am__append_39) $(am__append_41) \
+@MONOLITHIC_FALSE@	$(am__append_43) $(am__append_45) \
+@MONOLITHIC_FALSE@	$(am__append_47) $(am__append_49) \
+@MONOLITHIC_FALSE@	$(am__append_51) $(am__append_53) \
+@MONOLITHIC_FALSE@	$(am__append_55) $(am__append_57) \
+@MONOLITHIC_FALSE@	$(am__append_59)
 
 # build plugins with their own Makefile
 #######################################
-SUBDIRS = . $(am__append_7) $(am__append_8) $(am__append_9) \
-	$(am__append_10) $(am__append_11) $(am__append_12) \
-	$(am__append_13) $(am__append_14) $(am__append_15) \
-	$(am__append_16) $(am__append_17) $(am__append_18) \
-	$(am__append_19) $(am__append_20) $(am__append_21) \
-	$(am__append_22) $(am__append_23) $(am__append_24) \
-	$(am__append_25) $(am__append_26) $(am__append_27) \
-	$(am__append_28) $(am__append_29) $(am__append_30) \
-	$(am__append_31) $(am__append_32) $(am__append_33) \
-	$(am__append_34)
+@MONOLITHIC_TRUE@SUBDIRS = $(am__append_7) $(am__append_9) \
+@MONOLITHIC_TRUE@	$(am__append_11) $(am__append_13) \
+@MONOLITHIC_TRUE@	$(am__append_15) $(am__append_17) \
+@MONOLITHIC_TRUE@	$(am__append_19) $(am__append_21) \
+@MONOLITHIC_TRUE@	$(am__append_23) $(am__append_25) \
+@MONOLITHIC_TRUE@	$(am__append_27) $(am__append_29) \
+@MONOLITHIC_TRUE@	$(am__append_31) $(am__append_33) \
+@MONOLITHIC_TRUE@	$(am__append_35) $(am__append_37) \
+@MONOLITHIC_TRUE@	$(am__append_39) $(am__append_41) \
+@MONOLITHIC_TRUE@	$(am__append_43) $(am__append_45) \
+@MONOLITHIC_TRUE@	$(am__append_47) $(am__append_49) \
+@MONOLITHIC_TRUE@	$(am__append_51) $(am__append_53) \
+@MONOLITHIC_TRUE@	$(am__append_55) $(am__append_57) \
+@MONOLITHIC_TRUE@	$(am__append_59)
 all: $(BUILT_SOURCES)
 	$(MAKE) $(AM_MAKEFLAGS) all-recursive
 
@@ -563,8 +620,6 @@ distclean-compile:
 
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_parser.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/attribute_manager.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/attributes.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/backtrace.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/builder.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/certificate.Plo@am__quote@
@@ -657,20 +712,6 @@ oid.lo: asn1/oid.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o oid.lo `test -f 'asn1/oid.c' || echo '$(srcdir)/'`asn1/oid.c
 
-attributes.lo: attributes/attributes.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT attributes.lo -MD -MP -MF $(DEPDIR)/attributes.Tpo -c -o attributes.lo `test -f 'attributes/attributes.c' || echo '$(srcdir)/'`attributes/attributes.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/attributes.Tpo $(DEPDIR)/attributes.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='attributes/attributes.c' object='attributes.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o attributes.lo `test -f 'attributes/attributes.c' || echo '$(srcdir)/'`attributes/attributes.c
-
-attribute_manager.lo: attributes/attribute_manager.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT attribute_manager.lo -MD -MP -MF $(DEPDIR)/attribute_manager.Tpo -c -o attribute_manager.lo `test -f 'attributes/attribute_manager.c' || echo '$(srcdir)/'`attributes/attribute_manager.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/attribute_manager.Tpo $(DEPDIR)/attribute_manager.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='attributes/attribute_manager.c' object='attribute_manager.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o attribute_manager.lo `test -f 'attributes/attribute_manager.c' || echo '$(srcdir)/'`attributes/attribute_manager.c
-
 crypter.lo: crypto/crypters/crypter.c
 @am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT crypter.lo -MD -MP -MF $(DEPDIR)/crypter.Tpo -c -o crypter.lo `test -f 'crypto/crypters/crypter.c' || echo '$(srcdir)/'`crypto/crypters/crypter.c
 @am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/crypter.Tpo $(DEPDIR)/crypter.Plo
diff --git a/src/libstrongswan/asn1/asn1.c b/src/libstrongswan/asn1/asn1.c
index 763caafc4..6264bdc54 100644
--- a/src/libstrongswan/asn1/asn1.c
+++ b/src/libstrongswan/asn1/asn1.c
@@ -19,7 +19,6 @@
 #include <string.h>
 #include <time.h>
 
-#include <utils.h>
 #include <debug.h>
 
 #include "oid.h"
@@ -134,7 +133,7 @@ size_t asn1_length(chunk_t *blob)
 
 	if (blob->len < 2)
 	{
-		DBG2("insufficient number of octets to parse ASN.1 length");
+		DBG2(DBG_LIB, "insufficient number of octets to parse ASN.1 length");
 		return ASN1_INVALID_LENGTH;
 	}
 
@@ -146,7 +145,7 @@ size_t asn1_length(chunk_t *blob)
 	{	/* single length octet */
 		if (n > blob->len)
 		{
-			DBG2("length is larger than remaining blob size");
+			DBG2(DBG_LIB, "length is larger than remaining blob size");
 			return ASN1_INVALID_LENGTH;
 		}
 		return n;
@@ -157,14 +156,14 @@ size_t asn1_length(chunk_t *blob)
 
 	if (n == 0 || n > blob->len)
 	{
-		DBG2("number of length octets invalid");
+		DBG2(DBG_LIB, "number of length octets invalid");
 		return ASN1_INVALID_LENGTH;
 	}
 
 	if (n > sizeof(len))
 	{
-		DBG2("number of length octets is larger than limit of %d octets",
-			 (int)sizeof(len));
+		DBG2(DBG_LIB, "number of length octets is larger than limit of"
+			 " %d octets", (int)sizeof(len));
 		return ASN1_INVALID_LENGTH;
 	}
 
@@ -177,7 +176,7 @@ size_t asn1_length(chunk_t *blob)
 	}
 	if (len > blob->len)
 	{
-		DBG2("length is larger than remaining blob size");
+		DBG2(DBG_LIB, "length is larger than remaining blob size");
 		return ASN1_INVALID_LENGTH;
 	}
 	return len;
@@ -377,7 +376,7 @@ void asn1_debug_simple_object(chunk_t object, asn1_t type, bool private)
 			oid = asn1_known_oid(object);
 			if (oid != OID_UNKNOWN)
 			{
-				DBG2("  '%s'", oid_names[oid].name);
+				DBG2(DBG_LIB, "  '%s'", oid_names[oid].name);
 				return;
 			}
 			break;
@@ -386,14 +385,14 @@ void asn1_debug_simple_object(chunk_t object, asn1_t type, bool private)
 		case ASN1_PRINTABLESTRING:
 		case ASN1_T61STRING:
 		case ASN1_VISIBLESTRING:
-			DBG2("  '%.*s'", (int)object.len, object.ptr);
+			DBG2(DBG_LIB, "  '%.*s'", (int)object.len, object.ptr);
 			return;
 		case ASN1_UTCTIME:
 		case ASN1_GENERALIZEDTIME:
 			{
 				time_t time = asn1_to_time(&object, type);
 
-				DBG2("  '%T'", &time, TRUE);
+				DBG2(DBG_LIB, "  '%T'", &time, TRUE);
 			}
 			return;
 		default:
@@ -401,11 +400,11 @@ void asn1_debug_simple_object(chunk_t object, asn1_t type, bool private)
 	}
 	if (private)
 	{
-		DBG4("%B", &object);
+		DBG4(DBG_LIB, "%B", &object);
 	}
 	else
 	{
-		DBG3("%B", &object);
+		DBG3(DBG_LIB, "%B", &object);
 	}
 }
 
@@ -419,13 +418,14 @@ bool asn1_parse_simple_object(chunk_t *object, asn1_t type, u_int level, const c
 	/* an ASN.1 object must possess at least a tag and length field */
 	if (object->len < 2)
 	{
-		DBG2("L%d - %s:  ASN.1 object smaller than 2 octets", level, name);
+		DBG2(DBG_LIB, "L%d - %s:  ASN.1 object smaller than 2 octets", level,
+			 name);
 		return FALSE;
 	}
 
 	if (*object->ptr != type)
 	{
-		DBG2("L%d - %s: ASN1 tag 0x%02x expected, but is 0x%02x",
+		DBG2(DBG_LIB, "L%d - %s: ASN1 tag 0x%02x expected, but is 0x%02x",
 			 level, name, type, *object->ptr);
 		return FALSE;
 	}
@@ -434,12 +434,12 @@ bool asn1_parse_simple_object(chunk_t *object, asn1_t type, u_int level, const c
 
 	if (len == ASN1_INVALID_LENGTH || object->len < len)
 	{
-		DBG2("L%d - %s:  length of ASN.1 object invalid or too large",
+		DBG2(DBG_LIB, "L%d - %s:  length of ASN.1 object invalid or too large",
 			 level, name);
 		return FALSE;
 	}
 
-	DBG2("L%d - %s:", level, name);
+	DBG2(DBG_LIB, "L%d - %s:", level, name);
 	asn1_debug_simple_object(*object, type, FALSE);
 	return TRUE;
 }
@@ -501,7 +501,7 @@ bool is_asn1(chunk_t blob)
 
 	if (tag != ASN1_SEQUENCE && tag != ASN1_SET && tag != ASN1_OCTET_STRING)
 	{
-		DBG2("  file content is not binary ASN.1");
+		DBG2(DBG_LIB, "  file content is not binary ASN.1");
 		return FALSE;
 	}
 
@@ -519,7 +519,7 @@ bool is_asn1(chunk_t blob)
 		return TRUE;
 	}
 
-	DBG2("  file size does not match ASN.1 coded length");
+	DBG2(DBG_LIB, "  file size does not match ASN.1 coded length");
 	return FALSE;
 }
 
diff --git a/src/libstrongswan/asn1/asn1.h b/src/libstrongswan/asn1/asn1.h
index d29190df7..866c28095 100644
--- a/src/libstrongswan/asn1/asn1.h
+++ b/src/libstrongswan/asn1/asn1.h
@@ -25,8 +25,7 @@
 
 #include <stdarg.h>
 
-#include <utils.h>
-#include <chunk.h>
+#include <library.h>
 
 /**
  * Definition of some primitive ASN1 types
diff --git a/src/libstrongswan/asn1/asn1_parser.c b/src/libstrongswan/asn1/asn1_parser.c
index dc7726ad7..3e5bbbabd 100644
--- a/src/libstrongswan/asn1/asn1_parser.c
+++ b/src/libstrongswan/asn1/asn1_parser.c
@@ -19,7 +19,6 @@
 #include <string.h>
 #include <time.h>
 
-#include <utils.h>
 #include <debug.h>
 
 #include "asn1.h"
@@ -123,7 +122,7 @@ static bool iterate(private_asn1_parser_t *this, int *objectID, chunk_t *object)
 	if ((obj.flags & ASN1_DEF) && (blob->len == 0 || *start_ptr != obj.type) )
 	{
 		/* field is missing */
-		DBG2("L%d - %s:", level, obj.name);
+		DBG2(DBG_LIB, "L%d - %s:", level, obj.name);
 		if (obj.type & ASN1_CONSTRUCTED)
 		{
 			this->line++ ;  /* skip context-specific tag */
@@ -150,7 +149,7 @@ static bool iterate(private_asn1_parser_t *this, int *objectID, chunk_t *object)
 
 	if (blob->len < 2)
 	{
-		DBG1("L%d - %s:  ASN.1 object smaller than 2 octets",
+		DBG1(DBG_LIB, "L%d - %s:  ASN.1 object smaller than 2 octets",
 					level, obj.name);
 		this->success = FALSE;
 		goto end;
@@ -160,7 +159,7 @@ static bool iterate(private_asn1_parser_t *this, int *objectID, chunk_t *object)
 
 	if (blob1->len == ASN1_INVALID_LENGTH)
 	{
-		DBG1("L%d - %s:  length of ASN.1 object invalid or too large",
+		DBG1(DBG_LIB, "L%d - %s:  length of ASN.1 object invalid or too large",
 					level, obj.name);
 		this->success = FALSE;
 	}
@@ -173,7 +172,7 @@ static bool iterate(private_asn1_parser_t *this, int *objectID, chunk_t *object)
 
 	if (obj.flags & ASN1_RAW)
 	{
-		DBG2("L%d - %s:", level, obj.name);
+		DBG2(DBG_LIB, "L%d - %s:", level, obj.name);
 		object->ptr = start_ptr;
 		object->len = (size_t)(blob->ptr - start_ptr);
 		goto end;
@@ -181,14 +180,14 @@ static bool iterate(private_asn1_parser_t *this, int *objectID, chunk_t *object)
 
 	if (*start_ptr != obj.type && !(this->implicit && this->line == 0))
 	{
-		DBG1("L%d - %s: ASN1 tag 0x%02x expected, but is 0x%02x",
+		DBG1(DBG_LIB, "L%d - %s: ASN1 tag 0x%02x expected, but is 0x%02x",
 					level, obj.name, obj.type, *start_ptr);
-		DBG3("%b", start_ptr, (u_int)(blob->ptr - start_ptr));
+		DBG3(DBG_LIB, "%b", start_ptr, (u_int)(blob->ptr - start_ptr));
 		this->success = FALSE;
 		goto end;
 	}
 
-	DBG2("L%d - %s:", level, obj.name);
+	DBG2(DBG_LIB, "L%d - %s:", level, obj.name);
 
 	/* In case of "SEQUENCE OF" or "SET OF" start a loop */
 	if (obj.flags & ASN1_LOOP)
@@ -217,11 +216,11 @@ static bool iterate(private_asn1_parser_t *this, int *objectID, chunk_t *object)
 		object->len = (size_t)(blob->ptr - start_ptr);
 		if (this->private)
 		{
-			DBG4("%B", object);
+			DBG4(DBG_LIB, "%B", object);
 		}
 		else
 		{
-			DBG3("%B", object);
+			DBG3(DBG_LIB, "%B", object);
 		}
 	}
 	else if (obj.flags & ASN1_BODY)
diff --git a/src/libstrongswan/asn1/asn1_parser.h b/src/libstrongswan/asn1/asn1_parser.h
index 49325232d..0edc22c23 100644
--- a/src/libstrongswan/asn1/asn1_parser.h
+++ b/src/libstrongswan/asn1/asn1_parser.h
@@ -25,9 +25,9 @@
 
 #include <stdarg.h>
 
-#include <utils.h>
-#include <chunk.h>
-#include <asn1/asn1.h>
+#include <library.h>
+
+#include "asn1.h"
 
 /**
  * Definition of ASN.1 flags
diff --git a/src/libstrongswan/asn1/oid.h b/src/libstrongswan/asn1/oid.h
index 32e2eb033..aa1fd31b0 100644
--- a/src/libstrongswan/asn1/oid.h
+++ b/src/libstrongswan/asn1/oid.h
@@ -41,6 +41,7 @@ extern const oid_t oid_names[];
 #define OID_UNIQUE_IDENTIFIER				34
 #define OID_ROLE							35
 #define OID_SUBJECT_KEY_ID					38
+#define OID_KEY_USAGE						39
 #define OID_SUBJECT_ALT_NAME				41
 #define OID_BASIC_CONSTRAINTS				43
 #define OID_CRL_NUMBER						44
diff --git a/src/libstrongswan/asn1/oid.txt b/src/libstrongswan/asn1/oid.txt
index 203bc1f28..5d729c2eb 100644
--- a/src/libstrongswan/asn1/oid.txt
+++ b/src/libstrongswan/asn1/oid.txt
@@ -37,7 +37,7 @@
   0x1D                       "id-ce"
     0x09                     "subjectDirectoryAttrs"
     0x0E                     "subjectKeyIdentifier"		OID_SUBJECT_KEY_ID
-    0x0F                     "keyUsage"
+    0x0F                     "keyUsage"					OID_KEY_USAGE
     0x10                     "privateKeyUsagePeriod"
     0x11                     "subjectAltName"			OID_SUBJECT_ALT_NAME
     0x12                     "issuerAltName"
diff --git a/src/libstrongswan/attributes/attribute_handler.h b/src/libstrongswan/attributes/attribute_handler.h
deleted file mode 100644
index d042f47ef..000000000
--- a/src/libstrongswan/attributes/attribute_handler.h
+++ /dev/null
@@ -1,72 +0,0 @@
-/*
- * Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup attribute_handler attribute_handler
- * @{ @ingroup attributes
- */
-
-#ifndef ATTRIBUTE_HANDLER_H_
-#define ATTRIBUTE_HANDLER_H_
-
-#include <chunk.h>
-#include <utils/host.h>
-#include <utils/identification.h>
-
-#include "attributes.h"
-
-typedef struct attribute_handler_t attribute_handler_t;
-
-/**
- * Interface to handle configuration payload attributes.
- */
-struct attribute_handler_t {
-
-	/**
-	 * Handle a configuration attribute.
-	 *
-	 * After receiving a configuration attriubte, it is passed to each
-	 * attribute handler until it is handled.
-	 *
-	 * @param server	server from which the attribute was received
-	 * @param type		type of configuration attribute to handle
-	 * @param data		associated attribute data
-	 * @return			TRUE if attribute handled
-	 */
-	bool (*handle)(attribute_handler_t *this, identification_t *server,
-				   configuration_attribute_type_t type, chunk_t data);
-
-	/**
-	 * Release an attribute handled during handle().
-	 *
-	 * A handler that handle()d an attribute gets a call to release() when the
-	 * connection gets closed. Depending on the implementation, this is required
-	 * to remove the attribute.
-	 */
-	void (*release)(attribute_handler_t *this, identification_t *server,
-					configuration_attribute_type_t type, chunk_t data);
-
-	/**
-	 * Enumerate attributes to request from a server.
-	 *
-	 * @param server		server identity to request attributes from
-	 * @param vip			virtual IP we are requesting, if any
-	 * @return				enumerator (configuration_attribute_type_t, chunk_t)
-	 */
-	enumerator_t* (*create_attribute_enumerator)(attribute_handler_t *this,
-										identification_t *server, host_t *vip);
-};
-
-#endif /** ATTRIBUTE_HANDLER_H_ @}*/
diff --git a/src/libstrongswan/attributes/attribute_manager.c b/src/libstrongswan/attributes/attribute_manager.c
deleted file mode 100644
index 91fa1ebb5..000000000
--- a/src/libstrongswan/attributes/attribute_manager.c
+++ /dev/null
@@ -1,374 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "attribute_manager.h"
-
-#include <debug.h>
-#include <utils/linked_list.h>
-#include <threading/rwlock.h>
-
-typedef struct private_attribute_manager_t private_attribute_manager_t;
-
-/**
- * private data of attribute_manager
- */
-struct private_attribute_manager_t {
-
-	/**
-	 * public functions
-	 */
-	attribute_manager_t public;
-
-	/**
-	 * list of registered providers
-	 */
-	linked_list_t *providers;
-
-	/**
-	 * list of registered handlers
-	 */
-	linked_list_t *handlers;
-
-	/**
-	 * rwlock provider list
-	 */
-	rwlock_t *lock;
-};
-
-/**
- * Data to pass to enumerator filters
- */
-typedef struct {
-	/** server/peer identity */
-	identification_t *id;
-	/** requesting/assigned virtual IP */
-	host_t *vip;
-} enum_data_t;
-
-/**
- * Implementation of attribute_manager_t.acquire_address.
- */
-static host_t* acquire_address(private_attribute_manager_t *this,
-							   char *pool, identification_t *id,
-							   host_t *requested)
-{
-	enumerator_t *enumerator;
-	attribute_provider_t *current;
-	host_t *host = NULL;
-
-	this->lock->read_lock(this->lock);
-	enumerator = this->providers->create_enumerator(this->providers);
-	while (enumerator->enumerate(enumerator, &current))
-	{
-		host = current->acquire_address(current, pool, id, requested);
-		if (host)
-		{
-			break;
-		}
-	}
-	enumerator->destroy(enumerator);
-	this->lock->unlock(this->lock);
-
-	if (!host)
-	{
-		DBG1("acquiring address from pool '%s' failed", pool);
-	}
-	return host;
-}
-
-/**
- * Implementation of attribute_manager_t.release_address.
- */
-static void release_address(private_attribute_manager_t *this,
-							char *pool, host_t *address, identification_t *id)
-{
-	enumerator_t *enumerator;
-	attribute_provider_t *current;
-	bool found = FALSE;
-
-	this->lock->read_lock(this->lock);
-	enumerator = this->providers->create_enumerator(this->providers);
-	while (enumerator->enumerate(enumerator, &current))
-	{
-		if (current->release_address(current, pool, address, id))
-		{
-			found = TRUE;
-			break;
-		}
-	}
-	enumerator->destroy(enumerator);
-	this->lock->unlock(this->lock);
-
-	if (!found)
-	{
-		DBG1("releasing address to pool '%s' failed", pool);
-	}
-}
-
-/**
- * inner enumerator constructor for responder attributes
- */
-static enumerator_t *responder_enum_create(attribute_provider_t *provider,
-										   enum_data_t *data)
-{
-	return provider->create_attribute_enumerator(provider, data->id, data->vip);
-}
-
-/**
- * Implementation of attribute_manager_t.create_responder_enumerator
- */
-static enumerator_t* create_responder_enumerator(
-			private_attribute_manager_t *this, identification_t *id, host_t *vip)
-{
-	enum_data_t *data = malloc_thing(enum_data_t);
-
-	data->id = id;
-	data->vip = vip;
-	this->lock->read_lock(this->lock);
-	return enumerator_create_cleaner(
-				enumerator_create_nested(
-					this->providers->create_enumerator(this->providers),
-					(void*)responder_enum_create, data, free),
-				(void*)this->lock->unlock, this->lock);
-}
-
-/**
- * Implementation of attribute_manager_t.add_provider.
- */
-static void add_provider(private_attribute_manager_t *this,
-						 attribute_provider_t *provider)
-{
-	this->lock->write_lock(this->lock);
-	this->providers->insert_last(this->providers, provider);
-	this->lock->unlock(this->lock);
-}
-
-/**
- * Implementation of attribute_manager_t.remove_provider.
- */
-static void remove_provider(private_attribute_manager_t *this,
-							attribute_provider_t *provider)
-{
-	this->lock->write_lock(this->lock);
-	this->providers->remove(this->providers, provider, NULL);
-	this->lock->unlock(this->lock);
-}
-
-/**
- * Implementation of attribute_manager_t.handle
- */
-static attribute_handler_t* handle(private_attribute_manager_t *this,
-						identification_t *server, attribute_handler_t *handler,
-						configuration_attribute_type_t type, chunk_t data)
-{
-	enumerator_t *enumerator;
-	attribute_handler_t *current, *handled = NULL;
-
-	this->lock->read_lock(this->lock);
-
-	/* try to find the passed handler */
-	enumerator = this->handlers->create_enumerator(this->handlers);
-	while (enumerator->enumerate(enumerator, &current))
-	{
-		if (current == handler && current->handle(current, server, type, data))
-		{
-			handled = current;
-			break;
-		}
-	}
-	enumerator->destroy(enumerator);
-	if (!handled)
-	{	/* handler requesting this attribute not found, try any other */
-		enumerator = this->handlers->create_enumerator(this->handlers);
-		while (enumerator->enumerate(enumerator, &current))
-		{
-			if (current->handle(current, server, type, data))
-			{
-				handled = current;
-				break;
-			}
-		}
-		enumerator->destroy(enumerator);
-	}
-	this->lock->unlock(this->lock);
-
-	if (!handled)
-	{
-		DBG1("handling %N attribute failed",
-			 configuration_attribute_type_names, type);
-	}
-	return handled;
-}
-
-/**
- * Implementation of attribute_manager_t.release
- */
-static void release(private_attribute_manager_t *this,
-					attribute_handler_t *handler,
-					identification_t *server,
-					configuration_attribute_type_t type, chunk_t data)
-{
-	enumerator_t *enumerator;
-	attribute_handler_t *current;
-
-	this->lock->read_lock(this->lock);
-	enumerator = this->handlers->create_enumerator(this->handlers);
-	while (enumerator->enumerate(enumerator, &current))
-	{
-		if (current == handler)
-		{
-			current->release(current, server, type, data);
-			break;
-		}
-	}
-	enumerator->destroy(enumerator);
-	this->lock->unlock(this->lock);
-}
-
-/**
- * Enumerator implementation to enumerate nested initiator attributes
- */
-typedef struct {
-	/** implements enumerator_t */
-	enumerator_t public;
-	/** back ref */
-	private_attribute_manager_t *this;
-	/** currently processing handler */
-	attribute_handler_t *handler;
-	/** outer enumerator over handlers */
-	enumerator_t *outer;
-	/** inner enumerator over current handlers attributes */
-	enumerator_t *inner;
-	/** server ID we want attributes for */
-	identification_t *id;
-	/** virtual IP we are requesting along with attriubutes */
-	host_t *vip;
-} initiator_enumerator_t;
-
-/**
- * Enumerator implementation for initiator attributes
- */
-static bool initiator_enumerate(initiator_enumerator_t *this,
-								attribute_handler_t **handler,
-								configuration_attribute_type_t *type,
-								chunk_t *value)
-{
-	/* enumerate inner attributes using outer handler enumerator */
-	while (!this->inner || !this->inner->enumerate(this->inner, type, value))
-	{
-		if (!this->outer->enumerate(this->outer, &this->handler))
-		{
-			return FALSE;
-		}
-		DESTROY_IF(this->inner);
-		this->inner = this->handler->create_attribute_enumerator(this->handler,
-														this->id, this->vip);
-	}
-	/* inject the handler as additional attribute */
-	*handler = this->handler;
-	return TRUE;
-}
-
-/**
- * Cleanup function of initiator attribute enumerator
- */
-static void initiator_destroy(initiator_enumerator_t *this)
-{
-	this->this->lock->unlock(this->this->lock);
-	this->outer->destroy(this->outer);
-	DESTROY_IF(this->inner);
-	free(this);
-}
-
-/**
- * Implementation of attribute_manager_t.create_initiator_enumerator
- */
-static enumerator_t* create_initiator_enumerator(
-		private_attribute_manager_t *this, identification_t *id, host_t *vip)
-{
-	initiator_enumerator_t *enumerator = malloc_thing(initiator_enumerator_t);
-
-	this->lock->read_lock(this->lock);
-	enumerator->public.enumerate = (void*)initiator_enumerate;
-	enumerator->public.destroy = (void*)initiator_destroy;
-	enumerator->this = this;
-	enumerator->id = id;
-	enumerator->vip = vip;
-	enumerator->outer = this->handlers->create_enumerator(this->handlers);
-	enumerator->inner = NULL;
-	enumerator->handler = NULL;
-
-	return &enumerator->public;
-}
-
-/**
- * Implementation of attribute_manager_t.add_handler
- */
-static void add_handler(private_attribute_manager_t *this,
-						attribute_handler_t *handler)
-{
-	this->lock->write_lock(this->lock);
-	this->handlers->insert_last(this->handlers, handler);
-	this->lock->unlock(this->lock);
-}
-
-/**
- * Implementation of attribute_manager_t.remove_handler
- */
-static void remove_handler(private_attribute_manager_t *this,
-						attribute_handler_t *handler)
-{
-	this->lock->write_lock(this->lock);
-	this->handlers->remove(this->handlers, handler, NULL);
-	this->lock->unlock(this->lock);
-}
-
-/**
- * Implementation of attribute_manager_t.destroy
- */
-static void destroy(private_attribute_manager_t *this)
-{
-	this->providers->destroy(this->providers);
-	this->handlers->destroy(this->handlers);
-	this->lock->destroy(this->lock);
-	free(this);
-}
-
-/*
- * see header file
- */
-attribute_manager_t *attribute_manager_create()
-{
-	private_attribute_manager_t *this = malloc_thing(private_attribute_manager_t);
-
-	this->public.acquire_address = (host_t*(*)(attribute_manager_t*, char*, identification_t*,host_t*))acquire_address;
-	this->public.release_address = (void(*)(attribute_manager_t*, char *, host_t*, identification_t*))release_address;
-	this->public.create_responder_enumerator = (enumerator_t*(*)(attribute_manager_t*, identification_t*, host_t*))create_responder_enumerator;
-	this->public.add_provider = (void(*)(attribute_manager_t*, attribute_provider_t *provider))add_provider;
-	this->public.remove_provider = (void(*)(attribute_manager_t*, attribute_provider_t *provider))remove_provider;
-	this->public.handle = (attribute_handler_t*(*)(attribute_manager_t*,identification_t*, attribute_handler_t*, configuration_attribute_type_t, chunk_t))handle;
-	this->public.release = (void(*)(attribute_manager_t*, attribute_handler_t*, identification_t*, configuration_attribute_type_t, chunk_t))release;
-	this->public.create_initiator_enumerator = (enumerator_t*(*)(attribute_manager_t*, identification_t*, host_t*))create_initiator_enumerator;
-	this->public.add_handler = (void(*)(attribute_manager_t*, attribute_handler_t*))add_handler;
-	this->public.remove_handler = (void(*)(attribute_manager_t*, attribute_handler_t*))remove_handler;
-	this->public.destroy = (void(*)(attribute_manager_t*))destroy;
-
-	this->providers = linked_list_create();
-	this->handlers = linked_list_create();
-	this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
-
-	return &this->public;
-}
-
diff --git a/src/libstrongswan/attributes/attribute_manager.h b/src/libstrongswan/attributes/attribute_manager.h
deleted file mode 100644
index 642662366..000000000
--- a/src/libstrongswan/attributes/attribute_manager.h
+++ /dev/null
@@ -1,149 +0,0 @@
-/*
- * Copyright (C) 2008-2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup attribute_manager attribute_manager
- * @{ @ingroup attributes
- */
-
-#ifndef ATTRIBUTE_MANAGER_H_
-#define ATTRIBUTE_MANAGER_H_
-
-#include "attribute_provider.h"
-#include "attribute_handler.h"
-
-typedef struct attribute_manager_t attribute_manager_t;
-
-/**
- * The attribute manager hands out attributes or handles them.
- *
- * The attribute manager manages both, attribute providers and attribute
- * handlers. Attribute providers are responsible to hand out attributes if
- * a connecting peer requests them. Handlers handle such attributes if they
- * are received on the requesting peer.
- */
-struct attribute_manager_t {
-
-	/**
-	 * Acquire a virtual IP address to assign to a peer.
-	 *
-	 * @param pool			pool name to acquire address from
-	 * @param id			peer identity to get address forua
-	 * @param requested		IP in configuration request
-	 * @return				allocated address, NULL to serve none
-	 */
-	host_t* (*acquire_address)(attribute_manager_t *this,
-							   char *pool, identification_t *id,
-							   host_t *requested);
-
-	/**
-	 * Release a previously acquired address.
-	 *
-	 * @param pool			pool name from which the address was acquired
-	 * @param address		address to release
-	 * @param id			peer identity to get address for
-	 */
-	void (*release_address)(attribute_manager_t *this,
-							char *pool, host_t *address, identification_t *id);
-
-	/**
-	 * Create an enumerator over attributes to hand out to a peer.
-	 *
-	 * @param id			peer identity to hand out attributes to
-	 * @param vip			virtual IP to assign to peer, if any
-	 * @return				enumerator (configuration_attribute_type_t, chunk_t)
-	 */
-	enumerator_t* (*create_responder_enumerator)(attribute_manager_t *this,
-											identification_t *id, host_t *vip);
-
-	/**
-	 * Register an attribute provider to the manager.
-	 *
-	 * @param provider		attribute provider to register
-	 */
-	void (*add_provider)(attribute_manager_t *this,
-						 attribute_provider_t *provider);
-	/**
-	 * Unregister an attribute provider from the manager.
-	 *
-	 * @param provider		attribute provider to unregister
-	 */
-	void (*remove_provider)(attribute_manager_t *this,
-							attribute_provider_t *provider);
-
-	/**
-	 * Handle a configuration attribute by passing them to the handlers.
-	 *
-	 * @param server		server from which the attribute was received
-	 * @param handler		handler we requested the attribute for, if any
-	 * @param type			type of configuration attribute
-	 * @param data			associated attribute data
-	 * @return				handler which handled this attribute, NULL if none
-	 */
-	attribute_handler_t* (*handle)(attribute_manager_t *this,
-						identification_t *server, attribute_handler_t *handler,
-						configuration_attribute_type_t type, chunk_t data);
-
-	/**
-	 * Release an attribute previously handle()d by a handler.
-	 *
-	 * @param handler		handler returned by handle() for this attribute
-	 * @param server		server from which the attribute was received
-	 * @param type			type of attribute to release
-	 * @param data			associated attribute data
-	 */
-	void (*release)(attribute_manager_t *this, attribute_handler_t *handler,
-						identification_t *server,
-						configuration_attribute_type_t type,
-						chunk_t data);
-
-	/**
-	 * Create an enumerator over attributes to request from server.
-	 *
-	 * @param id			server identity to hand out attributes to
-	 * @param vip			virtual IP going to request, if any
-	 * @return				enumerator (attribute_handler_t, ca_type_t, chunk_t)
-	 */
-	enumerator_t* (*create_initiator_enumerator)(attribute_manager_t *this,
-											identification_t *id, host_t *vip);
-
-	/**
-	 * Register an attribute handler to the manager.
-	 *
-	 * @param handler		attribute handler to register
-	 */
-	void (*add_handler)(attribute_manager_t *this,
-						attribute_handler_t *handler);
-
-	/**
-	 * Unregister an attribute handler from the manager.
-	 *
-	 * @param handler		attribute handler to unregister
-	 */
-	void (*remove_handler)(attribute_manager_t *this,
-						   attribute_handler_t *handler);
-
-	/**
-	 * Destroy a attribute_manager instance.
-	 */
-	void (*destroy)(attribute_manager_t *this);
-};
-
-/**
- * Create a attribute_manager instance.
- */
-attribute_manager_t *attribute_manager_create();
-
-#endif /** ATTRIBUTE_MANAGER_H_ @}*/
diff --git a/src/libstrongswan/attributes/attribute_provider.h b/src/libstrongswan/attributes/attribute_provider.h
deleted file mode 100644
index f8485cc6c..000000000
--- a/src/libstrongswan/attributes/attribute_provider.h
+++ /dev/null
@@ -1,67 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup attribute_provider attribute_provider
- * @{ @ingroup attributes
- */
-
-#ifndef ATTRIBUTE_PROVIDER_H_
-#define ATTRIBUTE_PROVIDER_H_
-
-#include <utils/host.h>
-#include <utils/identification.h>
-
-typedef struct attribute_provider_t attribute_provider_t;
-
-/**
- * Interface to provide attributes to peers through attribute manager.
- */
-struct attribute_provider_t {
-
-	/**
-	 * Acquire a virtual IP address to assign to a peer.
-	 *
-	 * @param pool			name of the pool to acquire address from
-	 * @param id			peer ID
-	 * @param requested		IP in configuration request
-	 * @return				allocated address, NULL to serve none
-	 */
-	host_t* (*acquire_address)(attribute_provider_t *this,
-							   char *pool, identification_t *id,
-							   host_t *requested);
-	/**
-	 * Release a previously acquired address.
-	 *
-	 * @param pool			name of the pool this address was acquired from
-	 * @param address		address to release
-	 * @param id			peer ID
-	 * @return				TRUE if the address has been released by the provider
-	 */
-	bool (*release_address)(attribute_provider_t *this,
-							char *pool, host_t *address, identification_t *id);
-
-	/**
-	 * Create an enumerator over attributes to hand out to a peer.
-	 *
-	 * @param id			peer ID
-	 * @param vip			virtual IP to assign to peer, if any
-	 * @return				enumerator (configuration_attribute_type_t, chunk_t)
-	 */
-	enumerator_t* (*create_attribute_enumerator)(attribute_provider_t *this,
-											identification_t *id, host_t *vip);
-};
-
-#endif /** ATTRIBUTE_PROVIDER_H_ @}*/
diff --git a/src/libstrongswan/attributes/attributes.c b/src/libstrongswan/attributes/attributes.c
deleted file mode 100644
index 83feed17e..000000000
--- a/src/libstrongswan/attributes/attributes.c
+++ /dev/null
@@ -1,43 +0,0 @@
-/*
- * Copyright (C) 2005-2006 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-
-#include "attributes.h"
-
-ENUM_BEGIN(configuration_attribute_type_names, INTERNAL_IP4_ADDRESS, INTERNAL_IP6_PREFIX,
-	"INTERNAL_IP4_ADDRESS",
-	"INTERNAL_IP4_NETMASK",
-	"INTERNAL_IP4_DNS",
-	"INTERNAL_IP4_NBNS",
-	"INTERNAL_ADDRESS_EXPIRY",
-	"INTERNAL_IP4_DHCP",
-	"APPLICATION_VERSION",
-	"INTERNAL_IP6_ADDRESS",
-	"INTERNAL_IP6_NETMASK",
-	"INTERNAL_IP6_DNS",
-	"INTERNAL_IP6_NBNS",
-	"INTERNAL_IP6_DHCP",
-	"INTERNAL_IP4_SUBNET",
-	"SUPPORTED_ATTRIBUTES",
-	"INTERNAL_IP6_SUBNET",
-	"MIP6_HOME_PREFIX",
-	"INTERNAL_IP6_LINK",
-	"INTERNAL_IP6_PREFIX");
-ENUM_NEXT(configuration_attribute_type_names, INTERNAL_IP4_SERVER, INTERNAL_IP6_SERVER, INTERNAL_IP6_PREFIX,
-	"INTERNAL_IP4_SERVER",
-	"INTERNAL_IP6_SERVER");
-ENUM_END(configuration_attribute_type_names, INTERNAL_IP6_SERVER);
-
diff --git a/src/libstrongswan/attributes/attributes.h b/src/libstrongswan/attributes/attributes.h
deleted file mode 100644
index f4a396f21..000000000
--- a/src/libstrongswan/attributes/attributes.h
+++ /dev/null
@@ -1,62 +0,0 @@
-/*
- * Copyright (C) 2005-2006 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup attributes_g attributes
- * @{ @ingroup attributes
- */
-
-#ifndef ATTRIBUTES_H_
-#define ATTRIBUTES_H_
-
-typedef enum configuration_attribute_type_t configuration_attribute_type_t;
-
-#include <enum.h>
-
-/**
- * Type of the attribute, as in IKEv2 RFC 3.15.1 or IKEv1 ModeConfig.
- */
-enum configuration_attribute_type_t {
-	INTERNAL_IP4_ADDRESS = 1,
-	INTERNAL_IP4_NETMASK = 2,
-	INTERNAL_IP4_DNS = 3,
-	INTERNAL_IP4_NBNS = 4,
-	INTERNAL_ADDRESS_EXPIRY = 5,
-	INTERNAL_IP4_DHCP = 6,
-	APPLICATION_VERSION = 7,
-	INTERNAL_IP6_ADDRESS = 8,
-	INTERNAL_IP6_NETMASK = 9,
-	INTERNAL_IP6_DNS = 10,
-	INTERNAL_IP6_NBNS = 11,
-	INTERNAL_IP6_DHCP = 12,
-	INTERNAL_IP4_SUBNET = 13,
-	SUPPORTED_ATTRIBUTES = 14,
-	INTERNAL_IP6_SUBNET = 15,
-	MIP6_HOME_PREFIX = 16,
-	INTERNAL_IP6_LINK = 17,
-	INTERNAL_IP6_PREFIX = 18,
-	/* proprietary Microsoft attributes */
-	INTERNAL_IP4_SERVER = 23456,
-	INTERNAL_IP6_SERVER = 23457
-};
-
-/**
- * enum names for configuration_attribute_type_t.
- */
-extern enum_name_t *configuration_attribute_type_names;
-
-
-#endif /** ATTRIBUTES_H_ @}*/
diff --git a/src/libstrongswan/chunk.c b/src/libstrongswan/chunk.c
index 86436e997..ef69eb4e7 100644
--- a/src/libstrongswan/chunk.c
+++ b/src/libstrongswan/chunk.c
@@ -22,8 +22,7 @@
 #include <ctype.h>
 
 #include "chunk.h"
-
-#include <debug.h>
+#include "debug.h"
 
 /* required for chunk_hash */
 #undef get16bits
@@ -222,7 +221,7 @@ bool chunk_write(chunk_t chunk, char *path, char *label, mode_t mask, bool force
 
 	if (!force && access(path, F_OK) == 0)
 	{
-		DBG1("  %s file '%s' already exists", label, path);
+		DBG1(DBG_LIB, "  %s file '%s' already exists", label, path);
 		return FALSE;
 	}
 	oldmask = umask(mask);
@@ -231,20 +230,21 @@ bool chunk_write(chunk_t chunk, char *path, char *label, mode_t mask, bool force
 	{
 		if (fwrite(chunk.ptr, sizeof(u_char), chunk.len, fd) == chunk.len)
 		{
-			DBG1("  written %s file '%s' (%d bytes)",
+			DBG1(DBG_LIB, "  written %s file '%s' (%d bytes)",
 				 label, path, chunk.len);
 			good = TRUE;
 		}
 		else
 		{
-			DBG1("  writing %s file '%s' failed: %s",
+			DBG1(DBG_LIB, "  writing %s file '%s' failed: %s",
 				 label, path, strerror(errno));
 		}
 		fclose(fd);
 	}
 	else
 	{
-		DBG1("  could not open %s file '%s': %s", label, path, strerror(errno));
+		DBG1(DBG_LIB, "  could not open %s file '%s': %s", label, path,
+			 strerror(errno));
 	}
 	umask(oldmask);
 	return good;
@@ -497,7 +497,7 @@ bool chunk_printable(chunk_t chunk, chunk_t *sane, char replace)
  * Described in header.
  *
  * The implementation is based on Paul Hsieh's SuperFastHash:
- * 	 http://www.azillionmonkeys.com/qed/hash.html
+ *	 http://www.azillionmonkeys.com/qed/hash.html
  */
 u_int32_t chunk_hash_inc(chunk_t chunk, u_int32_t hash)
 {
diff --git a/src/libstrongswan/chunk.h b/src/libstrongswan/chunk.h
index a526f4a89..f0f9a7366 100644
--- a/src/libstrongswan/chunk.h
+++ b/src/libstrongswan/chunk.h
@@ -42,7 +42,7 @@ struct chunk_t {
 	size_t len;
 };
 
-#include <utils.h>
+#include "utils.h"
 
 /**
  * A { NULL, 0 }-chunk handy for initialization.
diff --git a/src/libstrongswan/credentials/credential_factory.c b/src/libstrongswan/credentials/credential_factory.c
index 5139ad504..7cc7dbe0e 100644
--- a/src/libstrongswan/credentials/credential_factory.c
+++ b/src/libstrongswan/credentials/credential_factory.c
@@ -151,7 +151,7 @@ static void* create(private_credential_factory_t *this, credential_type_t type,
 		{
 			names = certificate_type_names;
 		}
-		DBG1("building %N - %N failed, tried %d builders",
+		DBG1(DBG_LIB, "building %N - %N failed, tried %d builders",
 			 credential_type_names, type, names, subtype, failures);
 	}
 	this->recursive->set(this->recursive, (void*)level);
diff --git a/src/libstrongswan/credentials/keys/key_encoding.h b/src/libstrongswan/credentials/keys/key_encoding.h
index 384117166..d8435f4b4 100644
--- a/src/libstrongswan/credentials/keys/key_encoding.h
+++ b/src/libstrongswan/credentials/keys/key_encoding.h
@@ -79,7 +79,7 @@ enum key_encoding_type_t {
 	KEY_PRIV_ASN1_DER,
 	/** subjectPublicKeyInfo encoding */
 	KEY_PUB_SPKI_ASN1_DER,
-	/** PEM oncoded PKCS#1 key */
+	/** PEM encoded PKCS#1 key */
 	KEY_PUB_PEM,
 	KEY_PRIV_PEM,
 	/** PGP key encoding */
diff --git a/src/libstrongswan/credentials/keys/shared_key.h b/src/libstrongswan/credentials/keys/shared_key.h
index fe7bc86be..d00b8d12e 100644
--- a/src/libstrongswan/credentials/keys/shared_key.h
+++ b/src/libstrongswan/credentials/keys/shared_key.h
@@ -41,6 +41,8 @@ enum shared_key_type_t {
 	SHARED_PRIVATE_KEY_PASS,
 	/** PIN to unlock a smartcard */
 	SHARED_PIN,
+	/** Calculated NT Hash = MD4(UTF-16LE(password)) */
+	SHARED_NT_HASH,
 };
 
 /**
diff --git a/src/libstrongswan/crypto/crypto_factory.c b/src/libstrongswan/crypto/crypto_factory.c
index 46b50329d..fee71953d 100644
--- a/src/libstrongswan/crypto/crypto_factory.c
+++ b/src/libstrongswan/crypto/crypto_factory.c
@@ -686,7 +686,7 @@ static void add_test_vector(private_crypto_factory_t *this,
 		case RANDOM_NUMBER_GENERATOR:
 			return this->tester->add_rng_vector(this->tester, vector);
 		default:
-			DBG1("%N test vectors not supported, ignored",
+			DBG1(DBG_LIB, "%N test vectors not supported, ignored",
 				 transform_type_names, type);
 	}
 }
diff --git a/src/libstrongswan/crypto/crypto_tester.c b/src/libstrongswan/crypto/crypto_tester.c
index 86daf65f9..76cc1cf2c 100644
--- a/src/libstrongswan/crypto/crypto_tester.c
+++ b/src/libstrongswan/crypto/crypto_tester.c
@@ -136,7 +136,7 @@ static bool test_crypter(private_crypto_tester_t *this,
 		crypter->destroy(crypter);
 		if (failed)
 		{
-			DBG1("disabled %N: test vector %u failed",
+			DBG1(DBG_LIB, "disabled %N: test vector %u failed",
 				 encryption_algorithm_names, alg, tested);
 			break;
 		}
@@ -144,14 +144,14 @@ static bool test_crypter(private_crypto_tester_t *this,
 	enumerator->destroy(enumerator);
 	if (!tested)
 	{
-		DBG1("%s %N: no test vectors found",
+		DBG1(DBG_LIB, "%s %N: no test vectors found",
 			 this->required ? "disabled" : "enabled ",
 			 encryption_algorithm_names, alg);
 		return !this->required;
 	}
 	if (!failed)
 	{
-		DBG1("enabled  %N: passed %u test vectors",
+		DBG1(DBG_LIB, "enabled  %N: passed %u test vectors",
 			 encryption_algorithm_names, alg, tested);
 	}
 	return !failed;
@@ -183,7 +183,7 @@ static bool test_signer(private_crypto_tester_t *this,
 		signer = create(alg);
 		if (!signer)
 		{
-			DBG1("disabled %N: creating instance failed",
+			DBG1(DBG_LIB, "disabled %N: creating instance failed",
 				 integrity_algorithm_names, alg);
 			failed = TRUE;
 			break;
@@ -240,7 +240,7 @@ static bool test_signer(private_crypto_tester_t *this,
 		signer->destroy(signer);
 		if (failed)
 		{
-			DBG1("disabled %N: test vector %u failed",
+			DBG1(DBG_LIB, "disabled %N: test vector %u failed",
 				 integrity_algorithm_names, alg, tested);
 			break;
 		}
@@ -248,14 +248,14 @@ static bool test_signer(private_crypto_tester_t *this,
 	enumerator->destroy(enumerator);
 	if (!tested)
 	{
-		DBG1("%s %N: no test vectors found",
+		DBG1(DBG_LIB, "%s %N: no test vectors found",
 			 this->required ? "disabled" : "enabled ",
 			 integrity_algorithm_names, alg);
 		return !this->required;
 	}
 	if (!failed)
 	{
-		DBG1("enabled  %N: passed %u test vectors",
+		DBG1(DBG_LIB, "enabled  %N: passed %u test vectors",
 			 integrity_algorithm_names, alg, tested);
 	}
 	return !failed;
@@ -287,7 +287,7 @@ static bool test_hasher(private_crypto_tester_t *this, hash_algorithm_t alg,
 		hasher = create(alg);
 		if (!hasher)
 		{
-			DBG1("disabled %N: creating instance failed",
+			DBG1(DBG_LIB, "disabled %N: creating instance failed",
 				 hash_algorithm_names, alg);
 			failed = TRUE;
 			break;
@@ -330,7 +330,7 @@ static bool test_hasher(private_crypto_tester_t *this, hash_algorithm_t alg,
 		hasher->destroy(hasher);
 		if (failed)
 		{
-			DBG1("disabled %N: test vector %u failed",
+			DBG1(DBG_LIB, "disabled %N: test vector %u failed",
 				 hash_algorithm_names, alg, tested);
 			break;
 		}
@@ -338,14 +338,14 @@ static bool test_hasher(private_crypto_tester_t *this, hash_algorithm_t alg,
 	enumerator->destroy(enumerator);
 	if (!tested)
 	{
-		DBG1("%s %N: no test vectors found",
+		DBG1(DBG_LIB, "%s %N: no test vectors found",
 			 this->required ? "disabled" : "enabled ",
 			 hash_algorithm_names, alg);
 		return !this->required;
 	}
 	if (!failed)
 	{
-		DBG1("enabled  %N: passed %u test vectors",
+		DBG1(DBG_LIB, "enabled  %N: passed %u test vectors",
 			 hash_algorithm_names, alg, tested);
 	}
 	return !failed;
@@ -377,7 +377,7 @@ static bool test_prf(private_crypto_tester_t *this,
 		prf = create(alg);
 		if (!prf)
 		{
-			DBG1("disabled %N: creating instance failed",
+			DBG1(DBG_LIB, "disabled %N: creating instance failed",
 				 pseudo_random_function_names, alg);
 			failed = TRUE;
 			break;
@@ -431,7 +431,7 @@ static bool test_prf(private_crypto_tester_t *this,
 		prf->destroy(prf);
 		if (failed)
 		{
-			DBG1("disabled %N: test vector %u failed",
+			DBG1(DBG_LIB, "disabled %N: test vector %u failed",
 				 pseudo_random_function_names, alg, tested);
 			break;
 		}
@@ -439,14 +439,14 @@ static bool test_prf(private_crypto_tester_t *this,
 	enumerator->destroy(enumerator);
 	if (!tested)
 	{
-		DBG1("%s %N: no test vectors found",
+		DBG1(DBG_LIB, "%s %N: no test vectors found",
 			 this->required ? "disabled" : "enabled ",
 			 pseudo_random_function_names, alg);
 		return !this->required;
 	}
 	if (!failed)
 	{
-		DBG1("enabled  %N: passed %u test vectors",
+		DBG1(DBG_LIB, "enabled  %N: passed %u test vectors",
 			 pseudo_random_function_names, alg, tested);
 	}
 	return !failed;
@@ -465,7 +465,7 @@ static bool test_rng(private_crypto_tester_t *this, rng_quality_t quality,
 
 	if (!this->rng_true && quality == RNG_TRUE)
 	{
-		DBG1("enabled  %N: skipping test (disabled by config)",
+		DBG1(DBG_LIB, "enabled  %N: skipping test (disabled by config)",
 			 rng_quality_names, quality);
 		return TRUE;
 	}
@@ -485,7 +485,7 @@ static bool test_rng(private_crypto_tester_t *this, rng_quality_t quality,
 		rng = create(quality);
 		if (!rng)
 		{
-			DBG1("disabled %N: creating instance failed",
+			DBG1(DBG_LIB, "disabled %N: creating instance failed",
 				 rng_quality_names, quality);
 			failed = TRUE;
 			break;
@@ -515,7 +515,7 @@ static bool test_rng(private_crypto_tester_t *this, rng_quality_t quality,
 		rng->destroy(rng);
 		if (failed)
 		{
-			DBG1("disabled %N: test vector %u failed",
+			DBG1(DBG_LIB, "disabled %N: test vector %u failed",
 				 rng_quality_names, quality, tested);
 			break;
 		}
@@ -523,14 +523,14 @@ static bool test_rng(private_crypto_tester_t *this, rng_quality_t quality,
 	enumerator->destroy(enumerator);
 	if (!tested)
 	{
-		DBG1("%s %N: no test vectors found",
+		DBG1(DBG_LIB, "%s %N: no test vectors found",
 			 this->required ? ", disabled" : "enabled ",
 			 rng_quality_names, quality);
 		return !this->required;
 	}
 	if (!failed)
 	{
-		DBG1("enabled  %N: passed %u test vectors",
+		DBG1(DBG_LIB, "enabled  %N: passed %u test vectors",
 			 rng_quality_names, quality, tested);
 	}
 	return !failed;
diff --git a/src/libstrongswan/crypto/diffie_hellman.c b/src/libstrongswan/crypto/diffie_hellman.c
index 18d532697..9bd8991fc 100644
--- a/src/libstrongswan/crypto/diffie_hellman.c
+++ b/src/libstrongswan/crypto/diffie_hellman.c
@@ -1,5 +1,6 @@
 /*
- * Copyright (C) 2005-2008 Martin Willi
+ * Copyright (C) 2010 Tobias Brunner
+ * Copyright (C) 2005-2010 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
  *
@@ -31,10 +32,412 @@ ENUM_NEXT(diffie_hellman_group_names, MODP_2048_BIT, ECP_521_BIT, MODP_1536_BIT,
 	"ECP_256",
 	"ECP_384",
 	"ECP_521");
-ENUM_NEXT(diffie_hellman_group_names, ECP_192_BIT, ECP_224_BIT, ECP_521_BIT,
+ENUM_NEXT(diffie_hellman_group_names, MODP_1024_160, ECP_224_BIT, ECP_521_BIT,
+	"MODP_1024_160",
+	"MODP_2048_224",
+	"MODP_2048_256",
 	"ECP_192",
 	"ECP_224");
 ENUM_NEXT(diffie_hellman_group_names, MODP_NULL, MODP_NULL, ECP_224_BIT,
 	"MODP_NULL");
 ENUM_END(diffie_hellman_group_names, MODP_NULL);
 
+
+/**
+ * List of known diffie hellman group parameters.
+ */
+static struct {
+	/* Public part of the struct */
+	diffie_hellman_params_t public;
+	/* The group identifier as specified in IKEv2 */
+	diffie_hellman_group_t group;
+	/* Optimal length of the exponent (in bytes), as specified in RFC 3526. */
+	size_t opt_exp;
+} dh_params[] = {
+	{
+		.group = MODP_768_BIT, .opt_exp = 32, .public = {
+			.generator = chunk_from_chars(0x02),
+			.prime = chunk_from_chars(
+				0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,0x21,0x68,0xC2,0x34,
+				0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,
+				0x02,0x0B,0xBE,0xA6,0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,
+				0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,0xF2,0x5F,0x14,0x37,
+				0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,
+				0xF4,0x4C,0x42,0xE9,0xA6,0x3A,0x36,0x20,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF)
+		},
+	},{
+		.group = MODP_1024_BIT, .opt_exp = 32, .public = {
+			.generator = chunk_from_chars(0x02),
+			.prime = chunk_from_chars(
+				0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,0x21,0x68,0xC2,0x34,
+				0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,
+				0x02,0x0B,0xBE,0xA6,0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,
+				0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,0xF2,0x5F,0x14,0x37,
+				0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,
+				0xF4,0x4C,0x42,0xE9,0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED,
+				0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11,0x7C,0x4B,0x1F,0xE6,
+				0x49,0x28,0x66,0x51,0xEC,0xE6,0x53,0x81,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF)
+		},
+	},{
+		.group = MODP_1536_BIT, .opt_exp = 32, .public = {
+			.generator = chunk_from_chars(0x02),
+			.prime = chunk_from_chars(
+				0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,0x21,0x68,0xC2,0x34,
+				0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,
+				0x02,0x0B,0xBE,0xA6,0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,
+				0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,0xF2,0x5F,0x14,0x37,
+				0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,
+				0xF4,0x4C,0x42,0xE9,0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED,
+				0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11,0x7C,0x4B,0x1F,0xE6,
+				0x49,0x28,0x66,0x51,0xEC,0xE4,0x5B,0x3D,0xC2,0x00,0x7C,0xB8,0xA1,0x63,0xBF,0x05,
+				0x98,0xDA,0x48,0x36,0x1C,0x55,0xD3,0x9A,0x69,0x16,0x3F,0xA8,0xFD,0x24,0xCF,0x5F,
+				0x83,0x65,0x5D,0x23,0xDC,0xA3,0xAD,0x96,0x1C,0x62,0xF3,0x56,0x20,0x85,0x52,0xBB,
+				0x9E,0xD5,0x29,0x07,0x70,0x96,0x96,0x6D,0x67,0x0C,0x35,0x4E,0x4A,0xBC,0x98,0x04,
+				0xF1,0x74,0x6C,0x08,0xCA,0x23,0x73,0x27,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF)
+		},
+	},{
+		.group = MODP_2048_BIT, .opt_exp = 48, .public = {
+			.generator = chunk_from_chars(0x02),
+			.prime = chunk_from_chars(
+				0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,0x21,0x68,0xC2,0x34,
+				0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,
+				0x02,0x0B,0xBE,0xA6,0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,
+				0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,0xF2,0x5F,0x14,0x37,
+				0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,
+				0xF4,0x4C,0x42,0xE9,0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED,
+				0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11,0x7C,0x4B,0x1F,0xE6,
+				0x49,0x28,0x66,0x51,0xEC,0xE4,0x5B,0x3D,0xC2,0x00,0x7C,0xB8,0xA1,0x63,0xBF,0x05,
+				0x98,0xDA,0x48,0x36,0x1C,0x55,0xD3,0x9A,0x69,0x16,0x3F,0xA8,0xFD,0x24,0xCF,0x5F,
+				0x83,0x65,0x5D,0x23,0xDC,0xA3,0xAD,0x96,0x1C,0x62,0xF3,0x56,0x20,0x85,0x52,0xBB,
+				0x9E,0xD5,0x29,0x07,0x70,0x96,0x96,0x6D,0x67,0x0C,0x35,0x4E,0x4A,0xBC,0x98,0x04,
+				0xF1,0x74,0x6C,0x08,0xCA,0x18,0x21,0x7C,0x32,0x90,0x5E,0x46,0x2E,0x36,0xCE,0x3B,
+				0xE3,0x9E,0x77,0x2C,0x18,0x0E,0x86,0x03,0x9B,0x27,0x83,0xA2,0xEC,0x07,0xA2,0x8F,
+				0xB5,0xC5,0x5D,0xF0,0x6F,0x4C,0x52,0xC9,0xDE,0x2B,0xCB,0xF6,0x95,0x58,0x17,0x18,
+				0x39,0x95,0x49,0x7C,0xEA,0x95,0x6A,0xE5,0x15,0xD2,0x26,0x18,0x98,0xFA,0x05,0x10,
+				0x15,0x72,0x8E,0x5A,0x8A,0xAC,0xAA,0x68,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF)
+		},
+	},{
+		.group = MODP_3072_BIT, .opt_exp = 48, .public = {
+			.generator = chunk_from_chars(0x02),
+			.prime = chunk_from_chars(
+				0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,0x21,0x68,0xC2,0x34,
+				0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,
+				0x02,0x0B,0xBE,0xA6,0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,
+				0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,0xF2,0x5F,0x14,0x37,
+				0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,
+				0xF4,0x4C,0x42,0xE9,0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED,
+				0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11,0x7C,0x4B,0x1F,0xE6,
+				0x49,0x28,0x66,0x51,0xEC,0xE4,0x5B,0x3D,0xC2,0x00,0x7C,0xB8,0xA1,0x63,0xBF,0x05,
+				0x98,0xDA,0x48,0x36,0x1C,0x55,0xD3,0x9A,0x69,0x16,0x3F,0xA8,0xFD,0x24,0xCF,0x5F,
+				0x83,0x65,0x5D,0x23,0xDC,0xA3,0xAD,0x96,0x1C,0x62,0xF3,0x56,0x20,0x85,0x52,0xBB,
+				0x9E,0xD5,0x29,0x07,0x70,0x96,0x96,0x6D,0x67,0x0C,0x35,0x4E,0x4A,0xBC,0x98,0x04,
+				0xF1,0x74,0x6C,0x08,0xCA,0x18,0x21,0x7C,0x32,0x90,0x5E,0x46,0x2E,0x36,0xCE,0x3B,
+				0xE3,0x9E,0x77,0x2C,0x18,0x0E,0x86,0x03,0x9B,0x27,0x83,0xA2,0xEC,0x07,0xA2,0x8F,
+				0xB5,0xC5,0x5D,0xF0,0x6F,0x4C,0x52,0xC9,0xDE,0x2B,0xCB,0xF6,0x95,0x58,0x17,0x18,
+				0x39,0x95,0x49,0x7C,0xEA,0x95,0x6A,0xE5,0x15,0xD2,0x26,0x18,0x98,0xFA,0x05,0x10,
+				0x15,0x72,0x8E,0x5A,0x8A,0xAA,0xC4,0x2D,0xAD,0x33,0x17,0x0D,0x04,0x50,0x7A,0x33,
+				0xA8,0x55,0x21,0xAB,0xDF,0x1C,0xBA,0x64,0xEC,0xFB,0x85,0x04,0x58,0xDB,0xEF,0x0A,
+				0x8A,0xEA,0x71,0x57,0x5D,0x06,0x0C,0x7D,0xB3,0x97,0x0F,0x85,0xA6,0xE1,0xE4,0xC7,
+				0xAB,0xF5,0xAE,0x8C,0xDB,0x09,0x33,0xD7,0x1E,0x8C,0x94,0xE0,0x4A,0x25,0x61,0x9D,
+				0xCE,0xE3,0xD2,0x26,0x1A,0xD2,0xEE,0x6B,0xF1,0x2F,0xFA,0x06,0xD9,0x8A,0x08,0x64,
+				0xD8,0x76,0x02,0x73,0x3E,0xC8,0x6A,0x64,0x52,0x1F,0x2B,0x18,0x17,0x7B,0x20,0x0C,
+				0xBB,0xE1,0x17,0x57,0x7A,0x61,0x5D,0x6C,0x77,0x09,0x88,0xC0,0xBA,0xD9,0x46,0xE2,
+				0x08,0xE2,0x4F,0xA0,0x74,0xE5,0xAB,0x31,0x43,0xDB,0x5B,0xFC,0xE0,0xFD,0x10,0x8E,
+				0x4B,0x82,0xD1,0x20,0xA9,0x3A,0xD2,0xCA,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF)
+		},
+	},{
+		.group = MODP_4096_BIT, .opt_exp = 64, .public = {
+			.generator = chunk_from_chars(0x02),
+			.prime = chunk_from_chars(
+				0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,0x21,0x68,0xC2,0x34,
+				0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,
+				0x02,0x0B,0xBE,0xA6,0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,
+				0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,0xF2,0x5F,0x14,0x37,
+				0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,
+				0xF4,0x4C,0x42,0xE9,0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED,
+				0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11,0x7C,0x4B,0x1F,0xE6,
+				0x49,0x28,0x66,0x51,0xEC,0xE4,0x5B,0x3D,0xC2,0x00,0x7C,0xB8,0xA1,0x63,0xBF,0x05,
+				0x98,0xDA,0x48,0x36,0x1C,0x55,0xD3,0x9A,0x69,0x16,0x3F,0xA8,0xFD,0x24,0xCF,0x5F,
+				0x83,0x65,0x5D,0x23,0xDC,0xA3,0xAD,0x96,0x1C,0x62,0xF3,0x56,0x20,0x85,0x52,0xBB,
+				0x9E,0xD5,0x29,0x07,0x70,0x96,0x96,0x6D,0x67,0x0C,0x35,0x4E,0x4A,0xBC,0x98,0x04,
+				0xF1,0x74,0x6C,0x08,0xCA,0x18,0x21,0x7C,0x32,0x90,0x5E,0x46,0x2E,0x36,0xCE,0x3B,
+				0xE3,0x9E,0x77,0x2C,0x18,0x0E,0x86,0x03,0x9B,0x27,0x83,0xA2,0xEC,0x07,0xA2,0x8F,
+				0xB5,0xC5,0x5D,0xF0,0x6F,0x4C,0x52,0xC9,0xDE,0x2B,0xCB,0xF6,0x95,0x58,0x17,0x18,
+				0x39,0x95,0x49,0x7C,0xEA,0x95,0x6A,0xE5,0x15,0xD2,0x26,0x18,0x98,0xFA,0x05,0x10,
+				0x15,0x72,0x8E,0x5A,0x8A,0xAA,0xC4,0x2D,0xAD,0x33,0x17,0x0D,0x04,0x50,0x7A,0x33,
+				0xA8,0x55,0x21,0xAB,0xDF,0x1C,0xBA,0x64,0xEC,0xFB,0x85,0x04,0x58,0xDB,0xEF,0x0A,
+				0x8A,0xEA,0x71,0x57,0x5D,0x06,0x0C,0x7D,0xB3,0x97,0x0F,0x85,0xA6,0xE1,0xE4,0xC7,
+				0xAB,0xF5,0xAE,0x8C,0xDB,0x09,0x33,0xD7,0x1E,0x8C,0x94,0xE0,0x4A,0x25,0x61,0x9D,
+				0xCE,0xE3,0xD2,0x26,0x1A,0xD2,0xEE,0x6B,0xF1,0x2F,0xFA,0x06,0xD9,0x8A,0x08,0x64,
+				0xD8,0x76,0x02,0x73,0x3E,0xC8,0x6A,0x64,0x52,0x1F,0x2B,0x18,0x17,0x7B,0x20,0x0C,
+				0xBB,0xE1,0x17,0x57,0x7A,0x61,0x5D,0x6C,0x77,0x09,0x88,0xC0,0xBA,0xD9,0x46,0xE2,
+				0x08,0xE2,0x4F,0xA0,0x74,0xE5,0xAB,0x31,0x43,0xDB,0x5B,0xFC,0xE0,0xFD,0x10,0x8E,
+				0x4B,0x82,0xD1,0x20,0xA9,0x21,0x08,0x01,0x1A,0x72,0x3C,0x12,0xA7,0x87,0xE6,0xD7,
+				0x88,0x71,0x9A,0x10,0xBD,0xBA,0x5B,0x26,0x99,0xC3,0x27,0x18,0x6A,0xF4,0xE2,0x3C,
+				0x1A,0x94,0x68,0x34,0xB6,0x15,0x0B,0xDA,0x25,0x83,0xE9,0xCA,0x2A,0xD4,0x4C,0xE8,
+				0xDB,0xBB,0xC2,0xDB,0x04,0xDE,0x8E,0xF9,0x2E,0x8E,0xFC,0x14,0x1F,0xBE,0xCA,0xA6,
+				0x28,0x7C,0x59,0x47,0x4E,0x6B,0xC0,0x5D,0x99,0xB2,0x96,0x4F,0xA0,0x90,0xC3,0xA2,
+				0x23,0x3B,0xA1,0x86,0x51,0x5B,0xE7,0xED,0x1F,0x61,0x29,0x70,0xCE,0xE2,0xD7,0xAF,
+				0xB8,0x1B,0xDD,0x76,0x21,0x70,0x48,0x1C,0xD0,0x06,0x91,0x27,0xD5,0xB0,0x5A,0xA9,
+				0x93,0xB4,0xEA,0x98,0x8D,0x8F,0xDD,0xC1,0x86,0xFF,0xB7,0xDC,0x90,0xA6,0xC0,0x8F,
+				0x4D,0xF4,0x35,0xC9,0x34,0x06,0x31,0x99,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF)
+		},
+	},{
+		.group = MODP_6144_BIT, .opt_exp = 64, .public = {
+			.generator = chunk_from_chars(0x02),
+			.prime = chunk_from_chars(
+				0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,0x21,0x68,0xC2,0x34,
+				0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,
+				0x02,0x0B,0xBE,0xA6,0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,
+				0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,0xF2,0x5F,0x14,0x37,
+				0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,
+				0xF4,0x4C,0x42,0xE9,0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED,
+				0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11,0x7C,0x4B,0x1F,0xE6,
+				0x49,0x28,0x66,0x51,0xEC,0xE4,0x5B,0x3D,0xC2,0x00,0x7C,0xB8,0xA1,0x63,0xBF,0x05,
+				0x98,0xDA,0x48,0x36,0x1C,0x55,0xD3,0x9A,0x69,0x16,0x3F,0xA8,0xFD,0x24,0xCF,0x5F,
+				0x83,0x65,0x5D,0x23,0xDC,0xA3,0xAD,0x96,0x1C,0x62,0xF3,0x56,0x20,0x85,0x52,0xBB,
+				0x9E,0xD5,0x29,0x07,0x70,0x96,0x96,0x6D,0x67,0x0C,0x35,0x4E,0x4A,0xBC,0x98,0x04,
+				0xF1,0x74,0x6C,0x08,0xCA,0x18,0x21,0x7C,0x32,0x90,0x5E,0x46,0x2E,0x36,0xCE,0x3B,
+				0xE3,0x9E,0x77,0x2C,0x18,0x0E,0x86,0x03,0x9B,0x27,0x83,0xA2,0xEC,0x07,0xA2,0x8F,
+				0xB5,0xC5,0x5D,0xF0,0x6F,0x4C,0x52,0xC9,0xDE,0x2B,0xCB,0xF6,0x95,0x58,0x17,0x18,
+				0x39,0x95,0x49,0x7C,0xEA,0x95,0x6A,0xE5,0x15,0xD2,0x26,0x18,0x98,0xFA,0x05,0x10,
+				0x15,0x72,0x8E,0x5A,0x8A,0xAA,0xC4,0x2D,0xAD,0x33,0x17,0x0D,0x04,0x50,0x7A,0x33,
+				0xA8,0x55,0x21,0xAB,0xDF,0x1C,0xBA,0x64,0xEC,0xFB,0x85,0x04,0x58,0xDB,0xEF,0x0A,
+				0x8A,0xEA,0x71,0x57,0x5D,0x06,0x0C,0x7D,0xB3,0x97,0x0F,0x85,0xA6,0xE1,0xE4,0xC7,
+				0xAB,0xF5,0xAE,0x8C,0xDB,0x09,0x33,0xD7,0x1E,0x8C,0x94,0xE0,0x4A,0x25,0x61,0x9D,
+				0xCE,0xE3,0xD2,0x26,0x1A,0xD2,0xEE,0x6B,0xF1,0x2F,0xFA,0x06,0xD9,0x8A,0x08,0x64,
+				0xD8,0x76,0x02,0x73,0x3E,0xC8,0x6A,0x64,0x52,0x1F,0x2B,0x18,0x17,0x7B,0x20,0x0C,
+				0xBB,0xE1,0x17,0x57,0x7A,0x61,0x5D,0x6C,0x77,0x09,0x88,0xC0,0xBA,0xD9,0x46,0xE2,
+				0x08,0xE2,0x4F,0xA0,0x74,0xE5,0xAB,0x31,0x43,0xDB,0x5B,0xFC,0xE0,0xFD,0x10,0x8E,
+				0x4B,0x82,0xD1,0x20,0xA9,0x21,0x08,0x01,0x1A,0x72,0x3C,0x12,0xA7,0x87,0xE6,0xD7,
+				0x88,0x71,0x9A,0x10,0xBD,0xBA,0x5B,0x26,0x99,0xC3,0x27,0x18,0x6A,0xF4,0xE2,0x3C,
+				0x1A,0x94,0x68,0x34,0xB6,0x15,0x0B,0xDA,0x25,0x83,0xE9,0xCA,0x2A,0xD4,0x4C,0xE8,
+				0xDB,0xBB,0xC2,0xDB,0x04,0xDE,0x8E,0xF9,0x2E,0x8E,0xFC,0x14,0x1F,0xBE,0xCA,0xA6,
+				0x28,0x7C,0x59,0x47,0x4E,0x6B,0xC0,0x5D,0x99,0xB2,0x96,0x4F,0xA0,0x90,0xC3,0xA2,
+				0x23,0x3B,0xA1,0x86,0x51,0x5B,0xE7,0xED,0x1F,0x61,0x29,0x70,0xCE,0xE2,0xD7,0xAF,
+				0xB8,0x1B,0xDD,0x76,0x21,0x70,0x48,0x1C,0xD0,0x06,0x91,0x27,0xD5,0xB0,0x5A,0xA9,
+				0x93,0xB4,0xEA,0x98,0x8D,0x8F,0xDD,0xC1,0x86,0xFF,0xB7,0xDC,0x90,0xA6,0xC0,0x8F,
+				0x4D,0xF4,0x35,0xC9,0x34,0x02,0x84,0x92,0x36,0xC3,0xFA,0xB4,0xD2,0x7C,0x70,0x26,
+				0xC1,0xD4,0xDC,0xB2,0x60,0x26,0x46,0xDE,0xC9,0x75,0x1E,0x76,0x3D,0xBA,0x37,0xBD,
+				0xF8,0xFF,0x94,0x06,0xAD,0x9E,0x53,0x0E,0xE5,0xDB,0x38,0x2F,0x41,0x30,0x01,0xAE,
+				0xB0,0x6A,0x53,0xED,0x90,0x27,0xD8,0x31,0x17,0x97,0x27,0xB0,0x86,0x5A,0x89,0x18,
+				0xDA,0x3E,0xDB,0xEB,0xCF,0x9B,0x14,0xED,0x44,0xCE,0x6C,0xBA,0xCE,0xD4,0xBB,0x1B,
+				0xDB,0x7F,0x14,0x47,0xE6,0xCC,0x25,0x4B,0x33,0x20,0x51,0x51,0x2B,0xD7,0xAF,0x42,
+				0x6F,0xB8,0xF4,0x01,0x37,0x8C,0xD2,0xBF,0x59,0x83,0xCA,0x01,0xC6,0x4B,0x92,0xEC,
+				0xF0,0x32,0xEA,0x15,0xD1,0x72,0x1D,0x03,0xF4,0x82,0xD7,0xCE,0x6E,0x74,0xFE,0xF6,
+				0xD5,0x5E,0x70,0x2F,0x46,0x98,0x0C,0x82,0xB5,0xA8,0x40,0x31,0x90,0x0B,0x1C,0x9E,
+				0x59,0xE7,0xC9,0x7F,0xBE,0xC7,0xE8,0xF3,0x23,0xA9,0x7A,0x7E,0x36,0xCC,0x88,0xBE,
+				0x0F,0x1D,0x45,0xB7,0xFF,0x58,0x5A,0xC5,0x4B,0xD4,0x07,0xB2,0x2B,0x41,0x54,0xAA,
+				0xCC,0x8F,0x6D,0x7E,0xBF,0x48,0xE1,0xD8,0x14,0xCC,0x5E,0xD2,0x0F,0x80,0x37,0xE0,
+				0xA7,0x97,0x15,0xEE,0xF2,0x9B,0xE3,0x28,0x06,0xA1,0xD5,0x8B,0xB7,0xC5,0xDA,0x76,
+				0xF5,0x50,0xAA,0x3D,0x8A,0x1F,0xBF,0xF0,0xEB,0x19,0xCC,0xB1,0xA3,0x13,0xD5,0x5C,
+				0xDA,0x56,0xC9,0xEC,0x2E,0xF2,0x96,0x32,0x38,0x7F,0xE8,0xD7,0x6E,0x3C,0x04,0x68,
+				0x04,0x3E,0x8F,0x66,0x3F,0x48,0x60,0xEE,0x12,0xBF,0x2D,0x5B,0x0B,0x74,0x74,0xD6,
+				0xE6,0x94,0xF9,0x1E,0x6D,0xCC,0x40,0x24,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF)
+		},
+	},{
+		.group = MODP_8192_BIT, .opt_exp = 64, .public = {
+			.generator = chunk_from_chars(0x02),
+			.prime = chunk_from_chars(
+				0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,0x21,0x68,0xC2,0x34,
+				0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,
+				0x02,0x0B,0xBE,0xA6,0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,
+				0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,0xF2,0x5F,0x14,0x37,
+				0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,
+				0xF4,0x4C,0x42,0xE9,0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED,
+				0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11,0x7C,0x4B,0x1F,0xE6,
+				0x49,0x28,0x66,0x51,0xEC,0xE4,0x5B,0x3D,0xC2,0x00,0x7C,0xB8,0xA1,0x63,0xBF,0x05,
+				0x98,0xDA,0x48,0x36,0x1C,0x55,0xD3,0x9A,0x69,0x16,0x3F,0xA8,0xFD,0x24,0xCF,0x5F,
+				0x83,0x65,0x5D,0x23,0xDC,0xA3,0xAD,0x96,0x1C,0x62,0xF3,0x56,0x20,0x85,0x52,0xBB,
+				0x9E,0xD5,0x29,0x07,0x70,0x96,0x96,0x6D,0x67,0x0C,0x35,0x4E,0x4A,0xBC,0x98,0x04,
+				0xF1,0x74,0x6C,0x08,0xCA,0x18,0x21,0x7C,0x32,0x90,0x5E,0x46,0x2E,0x36,0xCE,0x3B,
+				0xE3,0x9E,0x77,0x2C,0x18,0x0E,0x86,0x03,0x9B,0x27,0x83,0xA2,0xEC,0x07,0xA2,0x8F,
+				0xB5,0xC5,0x5D,0xF0,0x6F,0x4C,0x52,0xC9,0xDE,0x2B,0xCB,0xF6,0x95,0x58,0x17,0x18,
+				0x39,0x95,0x49,0x7C,0xEA,0x95,0x6A,0xE5,0x15,0xD2,0x26,0x18,0x98,0xFA,0x05,0x10,
+				0x15,0x72,0x8E,0x5A,0x8A,0xAA,0xC4,0x2D,0xAD,0x33,0x17,0x0D,0x04,0x50,0x7A,0x33,
+				0xA8,0x55,0x21,0xAB,0xDF,0x1C,0xBA,0x64,0xEC,0xFB,0x85,0x04,0x58,0xDB,0xEF,0x0A,
+				0x8A,0xEA,0x71,0x57,0x5D,0x06,0x0C,0x7D,0xB3,0x97,0x0F,0x85,0xA6,0xE1,0xE4,0xC7,
+				0xAB,0xF5,0xAE,0x8C,0xDB,0x09,0x33,0xD7,0x1E,0x8C,0x94,0xE0,0x4A,0x25,0x61,0x9D,
+				0xCE,0xE3,0xD2,0x26,0x1A,0xD2,0xEE,0x6B,0xF1,0x2F,0xFA,0x06,0xD9,0x8A,0x08,0x64,
+				0xD8,0x76,0x02,0x73,0x3E,0xC8,0x6A,0x64,0x52,0x1F,0x2B,0x18,0x17,0x7B,0x20,0x0C,
+				0xBB,0xE1,0x17,0x57,0x7A,0x61,0x5D,0x6C,0x77,0x09,0x88,0xC0,0xBA,0xD9,0x46,0xE2,
+				0x08,0xE2,0x4F,0xA0,0x74,0xE5,0xAB,0x31,0x43,0xDB,0x5B,0xFC,0xE0,0xFD,0x10,0x8E,
+				0x4B,0x82,0xD1,0x20,0xA9,0x21,0x08,0x01,0x1A,0x72,0x3C,0x12,0xA7,0x87,0xE6,0xD7,
+				0x88,0x71,0x9A,0x10,0xBD,0xBA,0x5B,0x26,0x99,0xC3,0x27,0x18,0x6A,0xF4,0xE2,0x3C,
+				0x1A,0x94,0x68,0x34,0xB6,0x15,0x0B,0xDA,0x25,0x83,0xE9,0xCA,0x2A,0xD4,0x4C,0xE8,
+				0xDB,0xBB,0xC2,0xDB,0x04,0xDE,0x8E,0xF9,0x2E,0x8E,0xFC,0x14,0x1F,0xBE,0xCA,0xA6,
+				0x28,0x7C,0x59,0x47,0x4E,0x6B,0xC0,0x5D,0x99,0xB2,0x96,0x4F,0xA0,0x90,0xC3,0xA2,
+				0x23,0x3B,0xA1,0x86,0x51,0x5B,0xE7,0xED,0x1F,0x61,0x29,0x70,0xCE,0xE2,0xD7,0xAF,
+				0xB8,0x1B,0xDD,0x76,0x21,0x70,0x48,0x1C,0xD0,0x06,0x91,0x27,0xD5,0xB0,0x5A,0xA9,
+				0x93,0xB4,0xEA,0x98,0x8D,0x8F,0xDD,0xC1,0x86,0xFF,0xB7,0xDC,0x90,0xA6,0xC0,0x8F,
+				0x4D,0xF4,0x35,0xC9,0x34,0x02,0x84,0x92,0x36,0xC3,0xFA,0xB4,0xD2,0x7C,0x70,0x26,
+				0xC1,0xD4,0xDC,0xB2,0x60,0x26,0x46,0xDE,0xC9,0x75,0x1E,0x76,0x3D,0xBA,0x37,0xBD,
+				0xF8,0xFF,0x94,0x06,0xAD,0x9E,0x53,0x0E,0xE5,0xDB,0x38,0x2F,0x41,0x30,0x01,0xAE,
+				0xB0,0x6A,0x53,0xED,0x90,0x27,0xD8,0x31,0x17,0x97,0x27,0xB0,0x86,0x5A,0x89,0x18,
+				0xDA,0x3E,0xDB,0xEB,0xCF,0x9B,0x14,0xED,0x44,0xCE,0x6C,0xBA,0xCE,0xD4,0xBB,0x1B,
+				0xDB,0x7F,0x14,0x47,0xE6,0xCC,0x25,0x4B,0x33,0x20,0x51,0x51,0x2B,0xD7,0xAF,0x42,
+				0x6F,0xB8,0xF4,0x01,0x37,0x8C,0xD2,0xBF,0x59,0x83,0xCA,0x01,0xC6,0x4B,0x92,0xEC,
+				0xF0,0x32,0xEA,0x15,0xD1,0x72,0x1D,0x03,0xF4,0x82,0xD7,0xCE,0x6E,0x74,0xFE,0xF6,
+				0xD5,0x5E,0x70,0x2F,0x46,0x98,0x0C,0x82,0xB5,0xA8,0x40,0x31,0x90,0x0B,0x1C,0x9E,
+				0x59,0xE7,0xC9,0x7F,0xBE,0xC7,0xE8,0xF3,0x23,0xA9,0x7A,0x7E,0x36,0xCC,0x88,0xBE,
+				0x0F,0x1D,0x45,0xB7,0xFF,0x58,0x5A,0xC5,0x4B,0xD4,0x07,0xB2,0x2B,0x41,0x54,0xAA,
+				0xCC,0x8F,0x6D,0x7E,0xBF,0x48,0xE1,0xD8,0x14,0xCC,0x5E,0xD2,0x0F,0x80,0x37,0xE0,
+				0xA7,0x97,0x15,0xEE,0xF2,0x9B,0xE3,0x28,0x06,0xA1,0xD5,0x8B,0xB7,0xC5,0xDA,0x76,
+				0xF5,0x50,0xAA,0x3D,0x8A,0x1F,0xBF,0xF0,0xEB,0x19,0xCC,0xB1,0xA3,0x13,0xD5,0x5C,
+				0xDA,0x56,0xC9,0xEC,0x2E,0xF2,0x96,0x32,0x38,0x7F,0xE8,0xD7,0x6E,0x3C,0x04,0x68,
+				0x04,0x3E,0x8F,0x66,0x3F,0x48,0x60,0xEE,0x12,0xBF,0x2D,0x5B,0x0B,0x74,0x74,0xD6,
+				0xE6,0x94,0xF9,0x1E,0x6D,0xBE,0x11,0x59,0x74,0xA3,0x92,0x6F,0x12,0xFE,0xE5,0xE4,
+				0x38,0x77,0x7C,0xB6,0xA9,0x32,0xDF,0x8C,0xD8,0xBE,0xC4,0xD0,0x73,0xB9,0x31,0xBA,
+				0x3B,0xC8,0x32,0xB6,0x8D,0x9D,0xD3,0x00,0x74,0x1F,0xA7,0xBF,0x8A,0xFC,0x47,0xED,
+				0x25,0x76,0xF6,0x93,0x6B,0xA4,0x24,0x66,0x3A,0xAB,0x63,0x9C,0x5A,0xE4,0xF5,0x68,
+				0x34,0x23,0xB4,0x74,0x2B,0xF1,0xC9,0x78,0x23,0x8F,0x16,0xCB,0xE3,0x9D,0x65,0x2D,
+				0xE3,0xFD,0xB8,0xBE,0xFC,0x84,0x8A,0xD9,0x22,0x22,0x2E,0x04,0xA4,0x03,0x7C,0x07,
+				0x13,0xEB,0x57,0xA8,0x1A,0x23,0xF0,0xC7,0x34,0x73,0xFC,0x64,0x6C,0xEA,0x30,0x6B,
+				0x4B,0xCB,0xC8,0x86,0x2F,0x83,0x85,0xDD,0xFA,0x9D,0x4B,0x7F,0xA2,0xC0,0x87,0xE8,
+				0x79,0x68,0x33,0x03,0xED,0x5B,0xDD,0x3A,0x06,0x2B,0x3C,0xF5,0xB3,0xA2,0x78,0xA6,
+				0x6D,0x2A,0x13,0xF8,0x3F,0x44,0xF8,0x2D,0xDF,0x31,0x0E,0xE0,0x74,0xAB,0x6A,0x36,
+				0x45,0x97,0xE8,0x99,0xA0,0x25,0x5D,0xC1,0x64,0xF3,0x1C,0xC5,0x08,0x46,0x85,0x1D,
+				0xF9,0xAB,0x48,0x19,0x5D,0xED,0x7E,0xA1,0xB1,0xD5,0x10,0xBD,0x7E,0xE7,0x4D,0x73,
+				0xFA,0xF3,0x6B,0xC3,0x1E,0xCF,0xA2,0x68,0x35,0x90,0x46,0xF4,0xEB,0x87,0x9F,0x92,
+				0x40,0x09,0x43,0x8B,0x48,0x1C,0x6C,0xD7,0x88,0x9A,0x00,0x2E,0xD5,0xEE,0x38,0x2B,
+				0xC9,0x19,0x0D,0xA6,0xFC,0x02,0x6E,0x47,0x95,0x58,0xE4,0x47,0x56,0x77,0xE9,0xAA,
+				0x9E,0x30,0x50,0xE2,0x76,0x56,0x94,0xDF,0xC8,0x1F,0x56,0xE8,0x80,0xB9,0x6E,0x71,
+				0x60,0xC9,0x80,0xDD,0x98,0xED,0xD3,0xDF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF)
+		},
+	},{
+		.group = MODP_1024_160, .opt_exp = 20, .public = {
+			.subgroup = chunk_from_chars(
+				0xF5,0x18,0xAA,0x87,0x81,0xA8,0xDF,0x27,0x8A,0xBA,0x4E,0x7D,0x64,0xB7,0xCB,0x9D,
+				0x49,0x46,0x23,0x53),
+			.generator = chunk_from_chars(
+				0xA4,0xD1,0xCB,0xD5,0xC3,0xFD,0x34,0x12,0x67,0x65,0xA4,0x42,0xEF,0xB9,0x99,0x05,
+				0xF8,0x10,0x4D,0xD2,0x58,0xAC,0x50,0x7F,0xD6,0x40,0x6C,0xFF,0x14,0x26,0x6D,0x31,
+				0x26,0x6F,0xEA,0x1E,0x5C,0x41,0x56,0x4B,0x77,0x7E,0x69,0x0F,0x55,0x04,0xF2,0x13,
+				0x16,0x02,0x17,0xB4,0xB0,0x1B,0x88,0x6A,0x5E,0x91,0x54,0x7F,0x9E,0x27,0x49,0xF4,
+				0xD7,0xFB,0xD7,0xD3,0xB9,0xA9,0x2E,0xE1,0x90,0x9D,0x0D,0x22,0x63,0xF8,0x0A,0x76,
+				0xA6,0xA2,0x4C,0x08,0x7A,0x09,0x1F,0x53,0x1D,0xBF,0x0A,0x01,0x69,0xB6,0xA2,0x8A,
+				0xD6,0x62,0xA4,0xD1,0x8E,0x73,0xAF,0xA3,0x2D,0x77,0x9D,0x59,0x18,0xD0,0x8B,0xC8,
+				0x85,0x8F,0x4D,0xCE,0xF9,0x7C,0x2A,0x24,0x85,0x5E,0x6E,0xEB,0x22,0xB3,0xB2,0xE5),
+			.prime = chunk_from_chars(
+				0xB1,0x0B,0x8F,0x96,0xA0,0x80,0xE0,0x1D,0xDE,0x92,0xDE,0x5E,0xAE,0x5D,0x54,0xEC,
+				0x52,0xC9,0x9F,0xBC,0xFB,0x06,0xA3,0xC6,0x9A,0x6A,0x9D,0xCA,0x52,0xD2,0x3B,0x61,
+				0x60,0x73,0xE2,0x86,0x75,0xA2,0x3D,0x18,0x98,0x38,0xEF,0x1E,0x2E,0xE6,0x52,0xC0,
+				0x13,0xEC,0xB4,0xAE,0xA9,0x06,0x11,0x23,0x24,0x97,0x5C,0x3C,0xD4,0x9B,0x83,0xBF,
+				0xAC,0xCB,0xDD,0x7D,0x90,0xC4,0xBD,0x70,0x98,0x48,0x8E,0x9C,0x21,0x9A,0x73,0x72,
+				0x4E,0xFF,0xD6,0xFA,0xE5,0x64,0x47,0x38,0xFA,0xA3,0x1A,0x4F,0xF5,0x5B,0xCC,0xC0,
+				0xA1,0x51,0xAF,0x5F,0x0D,0xC8,0xB4,0xBD,0x45,0xBF,0x37,0xDF,0x36,0x5C,0x1A,0x65,
+				0xE6,0x8C,0xFD,0xA7,0x6D,0x4D,0xA7,0x08,0xDF,0x1F,0xB2,0xBC,0x2E,0x4A,0x43,0x71),
+		},
+	}, {
+		.group = MODP_2048_224, .opt_exp = 28, .public = {
+			.subgroup = chunk_from_chars(
+				0x80,0x1C,0x0D,0x34,0xC5,0x8D,0x93,0xFE,0x99,0x71,0x77,0x10,0x1F,0x80,0x53,0x5A,
+				0x47,0x38,0xCE,0xBC,0xBF,0x38,0x9A,0x99,0xB3,0x63,0x71,0xEB),
+			.generator = chunk_from_chars(
+				0xAC,0x40,0x32,0xEF,0x4F,0x2D,0x9A,0xE3,0x9D,0xF3,0x0B,0x5C,0x8F,0xFD,0xAC,0x50,
+				0x6C,0xDE,0xBE,0x7B,0x89,0x99,0x8C,0xAF,0x74,0x86,0x6A,0x08,0xCF,0xE4,0xFF,0xE3,
+				0xA6,0x82,0x4A,0x4E,0x10,0xB9,0xA6,0xF0,0xDD,0x92,0x1F,0x01,0xA7,0x0C,0x4A,0xFA,
+				0xAB,0x73,0x9D,0x77,0x00,0xC2,0x9F,0x52,0xC5,0x7D,0xB1,0x7C,0x62,0x0A,0x86,0x52,
+				0xBE,0x5E,0x90,0x01,0xA8,0xD6,0x6A,0xD7,0xC1,0x76,0x69,0x10,0x19,0x99,0x02,0x4A,
+				0xF4,0xD0,0x27,0x27,0x5A,0xC1,0x34,0x8B,0xB8,0xA7,0x62,0xD0,0x52,0x1B,0xC9,0x8A,
+				0xE2,0x47,0x15,0x04,0x22,0xEA,0x1E,0xD4,0x09,0x93,0x9D,0x54,0xDA,0x74,0x60,0xCD,
+				0xB5,0xF6,0xC6,0xB2,0x50,0x71,0x7C,0xBE,0xF1,0x80,0xEB,0x34,0x11,0x8E,0x98,0xD1,
+				0x19,0x52,0x9A,0x45,0xD6,0xF8,0x34,0x56,0x6E,0x30,0x25,0xE3,0x16,0xA3,0x30,0xEF,
+				0xBB,0x77,0xA8,0x6F,0x0C,0x1A,0xB1,0x5B,0x05,0x1A,0xE3,0xD4,0x28,0xC8,0xF8,0xAC,
+				0xB7,0x0A,0x81,0x37,0x15,0x0B,0x8E,0xEB,0x10,0xE1,0x83,0xED,0xD1,0x99,0x63,0xDD,
+				0xD9,0xE2,0x63,0xE4,0x77,0x05,0x89,0xEF,0x6A,0xA2,0x1E,0x7F,0x5F,0x2F,0xF3,0x81,
+				0xB5,0x39,0xCC,0xE3,0x40,0x9D,0x13,0xCD,0x56,0x6A,0xFB,0xB4,0x8D,0x6C,0x01,0x91,
+				0x81,0xE1,0xBC,0xFE,0x94,0xB3,0x02,0x69,0xED,0xFE,0x72,0xFE,0x9B,0x6A,0xA4,0xBD,
+				0x7B,0x5A,0x0F,0x1C,0x71,0xCF,0xFF,0x4C,0x19,0xC4,0x18,0xE1,0xF6,0xEC,0x01,0x79,
+				0x81,0xBC,0x08,0x7F,0x2A,0x70,0x65,0xB3,0x84,0xB8,0x90,0xD3,0x19,0x1F,0x2B,0xFA),
+			.prime = chunk_from_chars(
+				0xAD,0x10,0x7E,0x1E,0x91,0x23,0xA9,0xD0,0xD6,0x60,0xFA,0xA7,0x95,0x59,0xC5,0x1F,
+				0xA2,0x0D,0x64,0xE5,0x68,0x3B,0x9F,0xD1,0xB5,0x4B,0x15,0x97,0xB6,0x1D,0x0A,0x75,
+				0xE6,0xFA,0x14,0x1D,0xF9,0x5A,0x56,0xDB,0xAF,0x9A,0x3C,0x40,0x7B,0xA1,0xDF,0x15,
+				0xEB,0x3D,0x68,0x8A,0x30,0x9C,0x18,0x0E,0x1D,0xE6,0xB8,0x5A,0x12,0x74,0xA0,0xA6,
+				0x6D,0x3F,0x81,0x52,0xAD,0x6A,0xC2,0x12,0x90,0x37,0xC9,0xED,0xEF,0xDA,0x4D,0xF8,
+				0xD9,0x1E,0x8F,0xEF,0x55,0xB7,0x39,0x4B,0x7A,0xD5,0xB7,0xD0,0xB6,0xC1,0x22,0x07,
+				0xC9,0xF9,0x8D,0x11,0xED,0x34,0xDB,0xF6,0xC6,0xBA,0x0B,0x2C,0x8B,0xBC,0x27,0xBE,
+				0x6A,0x00,0xE0,0xA0,0xB9,0xC4,0x97,0x08,0xB3,0xBF,0x8A,0x31,0x70,0x91,0x88,0x36,
+				0x81,0x28,0x61,0x30,0xBC,0x89,0x85,0xDB,0x16,0x02,0xE7,0x14,0x41,0x5D,0x93,0x30,
+				0x27,0x82,0x73,0xC7,0xDE,0x31,0xEF,0xDC,0x73,0x10,0xF7,0x12,0x1F,0xD5,0xA0,0x74,
+				0x15,0x98,0x7D,0x9A,0xDC,0x0A,0x48,0x6D,0xCD,0xF9,0x3A,0xCC,0x44,0x32,0x83,0x87,
+				0x31,0x5D,0x75,0xE1,0x98,0xC6,0x41,0xA4,0x80,0xCD,0x86,0xA1,0xB9,0xE5,0x87,0xE8,
+				0xBE,0x60,0xE6,0x9C,0xC9,0x28,0xB2,0xB9,0xC5,0x21,0x72,0xE4,0x13,0x04,0x2E,0x9B,
+				0x23,0xF1,0x0B,0x0E,0x16,0xE7,0x97,0x63,0xC9,0xB5,0x3D,0xCF,0x4B,0xA8,0x0A,0x29,
+				0xE3,0xFB,0x73,0xC1,0x6B,0x8E,0x75,0xB9,0x7E,0xF3,0x63,0xE2,0xFF,0xA3,0x1F,0x71,
+				0xCF,0x9D,0xE5,0x38,0x4E,0x71,0xB8,0x1C,0x0A,0xC4,0xDF,0xFE,0x0C,0x10,0xE6,0x4F)
+		},
+	},{
+		.group = MODP_2048_256, .opt_exp = 32, .public = {
+			.subgroup = chunk_from_chars(
+				0x8C,0xF8,0x36,0x42,0xA7,0x09,0xA0,0x97,0xB4,0x47,0x99,0x76,0x40,0x12,0x9D,0xA2,
+				0x99,0xB1,0xA4,0x7D,0x1E,0xB3,0x75,0x0B,0xA3,0x08,0xB0,0xFE,0x64,0xF5,0xFB,0xD3),
+			.generator = chunk_from_chars(
+				0x3F,0xB3,0x2C,0x9B,0x73,0x13,0x4D,0x0B,0x2E,0x77,0x50,0x66,0x60,0xED,0xBD,0x48,
+				0x4C,0xA7,0xB1,0x8F,0x21,0xEF,0x20,0x54,0x07,0xF4,0x79,0x3A,0x1A,0x0B,0xA1,0x25,
+				0x10,0xDB,0xC1,0x50,0x77,0xBE,0x46,0x3F,0xFF,0x4F,0xED,0x4A,0xAC,0x0B,0xB5,0x55,
+				0xBE,0x3A,0x6C,0x1B,0x0C,0x6B,0x47,0xB1,0xBC,0x37,0x73,0xBF,0x7E,0x8C,0x6F,0x62,
+				0x90,0x12,0x28,0xF8,0xC2,0x8C,0xBB,0x18,0xA5,0x5A,0xE3,0x13,0x41,0x00,0x0A,0x65,
+				0x01,0x96,0xF9,0x31,0xC7,0x7A,0x57,0xF2,0xDD,0xF4,0x63,0xE5,0xE9,0xEC,0x14,0x4B,
+				0x77,0x7D,0xE6,0x2A,0xAA,0xB8,0xA8,0x62,0x8A,0xC3,0x76,0xD2,0x82,0xD6,0xED,0x38,
+				0x64,0xE6,0x79,0x82,0x42,0x8E,0xBC,0x83,0x1D,0x14,0x34,0x8F,0x6F,0x2F,0x91,0x93,
+				0xB5,0x04,0x5A,0xF2,0x76,0x71,0x64,0xE1,0xDF,0xC9,0x67,0xC1,0xFB,0x3F,0x2E,0x55,
+				0xA4,0xBD,0x1B,0xFF,0xE8,0x3B,0x9C,0x80,0xD0,0x52,0xB9,0x85,0xD1,0x82,0xEA,0x0A,
+				0xDB,0x2A,0x3B,0x73,0x13,0xD3,0xFE,0x14,0xC8,0x48,0x4B,0x1E,0x05,0x25,0x88,0xB9,
+				0xB7,0xD2,0xBB,0xD2,0xDF,0x01,0x61,0x99,0xEC,0xD0,0x6E,0x15,0x57,0xCD,0x09,0x15,
+				0xB3,0x35,0x3B,0xBB,0x64,0xE0,0xEC,0x37,0x7F,0xD0,0x28,0x37,0x0D,0xF9,0x2B,0x52,
+				0xC7,0x89,0x14,0x28,0xCD,0xC6,0x7E,0xB6,0x18,0x4B,0x52,0x3D,0x1D,0xB2,0x46,0xC3,
+				0x2F,0x63,0x07,0x84,0x90,0xF0,0x0E,0xF8,0xD6,0x47,0xD1,0x48,0xD4,0x79,0x54,0x51,
+				0x5E,0x23,0x27,0xCF,0xEF,0x98,0xC5,0x82,0x66,0x4B,0x4C,0x0F,0x6C,0xC4,0x16,0x59),
+			.prime = chunk_from_chars(
+				0x87,0xA8,0xE6,0x1D,0xB4,0xB6,0x66,0x3C,0xFF,0xBB,0xD1,0x9C,0x65,0x19,0x59,0x99,
+				0x8C,0xEE,0xF6,0x08,0x66,0x0D,0xD0,0xF2,0x5D,0x2C,0xEE,0xD4,0x43,0x5E,0x3B,0x00,
+				0xE0,0x0D,0xF8,0xF1,0xD6,0x19,0x57,0xD4,0xFA,0xF7,0xDF,0x45,0x61,0xB2,0xAA,0x30,
+				0x16,0xC3,0xD9,0x11,0x34,0x09,0x6F,0xAA,0x3B,0xF4,0x29,0x6D,0x83,0x0E,0x9A,0x7C,
+				0x20,0x9E,0x0C,0x64,0x97,0x51,0x7A,0xBD,0x5A,0x8A,0x9D,0x30,0x6B,0xCF,0x67,0xED,
+				0x91,0xF9,0xE6,0x72,0x5B,0x47,0x58,0xC0,0x22,0xE0,0xB1,0xEF,0x42,0x75,0xBF,0x7B,
+				0x6C,0x5B,0xFC,0x11,0xD4,0x5F,0x90,0x88,0xB9,0x41,0xF5,0x4E,0xB1,0xE5,0x9B,0xB8,
+				0xBC,0x39,0xA0,0xBF,0x12,0x30,0x7F,0x5C,0x4F,0xDB,0x70,0xC5,0x81,0xB2,0x3F,0x76,
+				0xB6,0x3A,0xCA,0xE1,0xCA,0xA6,0xB7,0x90,0x2D,0x52,0x52,0x67,0x35,0x48,0x8A,0x0E,
+				0xF1,0x3C,0x6D,0x9A,0x51,0xBF,0xA4,0xAB,0x3A,0xD8,0x34,0x77,0x96,0x52,0x4D,0x8E,
+				0xF6,0xA1,0x67,0xB5,0xA4,0x18,0x25,0xD9,0x67,0xE1,0x44,0xE5,0x14,0x05,0x64,0x25,
+				0x1C,0xCA,0xCB,0x83,0xE6,0xB4,0x86,0xF6,0xB3,0xCA,0x3F,0x79,0x71,0x50,0x60,0x26,
+				0xC0,0xB8,0x57,0xF6,0x89,0x96,0x28,0x56,0xDE,0xD4,0x01,0x0A,0xBD,0x0B,0xE6,0x21,
+				0xC3,0xA3,0x96,0x0A,0x54,0xE7,0x10,0xC3,0x75,0xF2,0x63,0x75,0xD7,0x01,0x41,0x03,
+				0xA4,0xB5,0x43,0x30,0xC1,0x98,0xAF,0x12,0x61,0x16,0xD2,0x27,0x6E,0x11,0x71,0x5F,
+				0x69,0x38,0x77,0xFA,0xD7,0xEF,0x09,0xCA,0xDB,0x09,0x4A,0xE9,0x1E,0x1A,0x15,0x97)
+		},
+	},
+};
+
+/**
+ * Described in header.
+ */
+diffie_hellman_params_t *diffie_hellman_get_params(diffie_hellman_group_t group)
+{
+	int i;
+
+	for (i = 0; i < countof(dh_params); i++)
+	{
+		if (dh_params[i].group == group)
+		{
+			if (!dh_params[i].public.exp_len)
+			{
+				if (!dh_params[i].public.subgroup.len &&
+					lib->settings->get_int(lib->settings,
+								"libstrongswan.dh_exponent_ansi_x9_42", TRUE))
+				{
+					dh_params[i].public.exp_len = dh_params[i].public.prime.len;
+				}
+				else
+				{
+					dh_params[i].public.exp_len = dh_params[i].opt_exp;
+				}
+			}
+			return &dh_params[i].public;
+		}
+	}
+	return NULL;
+}
+
diff --git a/src/libstrongswan/crypto/diffie_hellman.h b/src/libstrongswan/crypto/diffie_hellman.h
index 842938c3b..cdc9c785e 100644
--- a/src/libstrongswan/crypto/diffie_hellman.h
+++ b/src/libstrongswan/crypto/diffie_hellman.h
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2010 Tobias Brunner
  * Copyright (C) 2005-2007 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
@@ -24,6 +25,7 @@
 
 typedef enum diffie_hellman_group_t diffie_hellman_group_t;
 typedef struct diffie_hellman_t diffie_hellman_t;
+typedef struct diffie_hellman_params_t diffie_hellman_params_t;
 
 #include <library.h>
 
@@ -48,6 +50,9 @@ enum diffie_hellman_group_t {
 	ECP_256_BIT   = 19,
 	ECP_384_BIT   = 20,
 	ECP_521_BIT   = 21,
+	MODP_1024_160 = 22,
+	MODP_2048_224 = 23,
+	MODP_2048_256 = 24,
 	ECP_192_BIT   = 25,
 	ECP_224_BIT   = 26,
 	/** insecure NULL diffie hellman group for testing, in PRIVATE USE */
@@ -70,8 +75,8 @@ struct diffie_hellman_t {
 	 * Space for returned secret is allocated and must be
 	 * freed by the caller.
 	 *
-	 * @param secret 	shared secret will be written into this chunk
-	 * @return 			SUCCESS, FAILED if not both DH values are set
+	 * @param secret	shared secret will be written into this chunk
+	 * @return			SUCCESS, FAILED if not both DH values are set
 	 */
 	status_t (*get_shared_secret) (diffie_hellman_t *this, chunk_t *secret);
 
@@ -80,7 +85,7 @@ struct diffie_hellman_t {
 	 *
 	 * Chunk gets cloned and can be destroyed afterwards.
 	 *
-	 * @param value 	public value of partner
+	 * @param value		public value of partner
 	 */
 	void (*set_other_public_value) (diffie_hellman_t *this, chunk_t value);
 
@@ -106,4 +111,38 @@ struct diffie_hellman_t {
 	void (*destroy) (diffie_hellman_t *this);
 };
 
+/**
+ * Parameters for a specific diffie hellman group.
+ */
+struct diffie_hellman_params_t {
+
+	/**
+	 * The prime of the group
+	 */
+	const chunk_t prime;
+
+	/**
+	 * Generator of the group
+	 */
+	const chunk_t generator;
+
+	/**
+	 * Exponent length to use
+	 */
+	size_t exp_len;
+
+	/**
+	 * Prime order subgroup; for MODP Groups 22-24
+	 */
+	const chunk_t subgroup;
+};
+
+/**
+ * Get the parameters associated with the specified diffie hellman group.
+ *
+ * @param group			DH group
+ * @return				The parameters or NULL, if the group is not supported
+ */
+diffie_hellman_params_t *diffie_hellman_get_params(diffie_hellman_group_t group);
+
 #endif /** DIFFIE_HELLMAN_H_ @}*/
diff --git a/src/libstrongswan/crypto/proposal/proposal_keywords.c b/src/libstrongswan/crypto/proposal/proposal_keywords.c
index 75816e8b3..a43dde7ea 100644
--- a/src/libstrongswan/crypto/proposal/proposal_keywords.c
+++ b/src/libstrongswan/crypto/proposal/proposal_keywords.c
@@ -59,12 +59,12 @@ struct proposal_token {
     u_int16_t         keysize;
 };
 
-#define TOTAL_KEYWORDS 89
+#define TOTAL_KEYWORDS 95
 #define MIN_WORD_LENGTH 3
 #define MAX_WORD_LENGTH 12
-#define MIN_HASH_VALUE 4
-#define MAX_HASH_VALUE 123
-/* maximum key range = 120, duplicates = 0 */
+#define MIN_HASH_VALUE 5
+#define MAX_HASH_VALUE 137
+/* maximum key range = 133, duplicates = 0 */
 
 #ifdef __GNUC__
 __inline
@@ -80,32 +80,32 @@ hash (str, len)
 {
   static const unsigned char asso_values[] =
     {
-      124, 124, 124, 124, 124, 124, 124, 124, 124, 124,
-      124, 124, 124, 124, 124, 124, 124, 124, 124, 124,
-      124, 124, 124, 124, 124, 124, 124, 124, 124, 124,
-      124, 124, 124, 124, 124, 124, 124, 124, 124, 124,
-      124, 124, 124, 124, 124, 124, 124, 124, 124,  11,
-        2,  23,   5,  27,  21,   8,   5,   0, 124, 124,
-      124, 124, 124, 124, 124, 124, 124, 124, 124, 124,
-      124, 124, 124, 124, 124, 124, 124, 124, 124, 124,
-      124, 124, 124, 124, 124, 124, 124, 124, 124, 124,
-      124, 124, 124, 124, 124,  22, 124,  24,   0,   1,
-        8,   2,  50,   0,  11,  54, 124, 124,   0, 124,
-       42,   0, 124, 124,   5,   9,  34,   6, 124, 124,
-      124, 124, 124, 124, 124, 124, 124, 124, 124, 124,
-      124, 124, 124, 124, 124, 124, 124, 124, 124, 124,
-      124, 124, 124, 124, 124, 124, 124, 124, 124, 124,
-      124, 124, 124, 124, 124, 124, 124, 124, 124, 124,
-      124, 124, 124, 124, 124, 124, 124, 124, 124, 124,
-      124, 124, 124, 124, 124, 124, 124, 124, 124, 124,
-      124, 124, 124, 124, 124, 124, 124, 124, 124, 124,
-      124, 124, 124, 124, 124, 124, 124, 124, 124, 124,
-      124, 124, 124, 124, 124, 124, 124, 124, 124, 124,
-      124, 124, 124, 124, 124, 124, 124, 124, 124, 124,
-      124, 124, 124, 124, 124, 124, 124, 124, 124, 124,
-      124, 124, 124, 124, 124, 124, 124, 124, 124, 124,
-      124, 124, 124, 124, 124, 124, 124, 124, 124, 124,
-      124, 124, 124, 124, 124, 124, 124
+      138, 138, 138, 138, 138, 138, 138, 138, 138, 138,
+      138, 138, 138, 138, 138, 138, 138, 138, 138, 138,
+      138, 138, 138, 138, 138, 138, 138, 138, 138, 138,
+      138, 138, 138, 138, 138, 138, 138, 138, 138, 138,
+      138, 138, 138, 138, 138, 138, 138, 138,   3,  11,
+        2,  23,  29,  27,  21,  16,   5,   0, 138, 138,
+      138, 138, 138, 138, 138, 138, 138, 138, 138, 138,
+      138, 138, 138, 138, 138, 138, 138, 138, 138, 138,
+      138, 138, 138, 138, 138, 138, 138, 138, 138, 138,
+      138, 138, 138, 138, 138,  17, 138,   1,   0,   1,
+        9,   9,  50,   0,   4,  54, 138, 138,   1, 138,
+       35,   0, 138, 138,  71,   3,  38,  22, 138, 138,
+      138, 138, 138, 138, 138, 138, 138, 138, 138, 138,
+      138, 138, 138, 138, 138, 138, 138, 138, 138, 138,
+      138, 138, 138, 138, 138, 138, 138, 138, 138, 138,
+      138, 138, 138, 138, 138, 138, 138, 138, 138, 138,
+      138, 138, 138, 138, 138, 138, 138, 138, 138, 138,
+      138, 138, 138, 138, 138, 138, 138, 138, 138, 138,
+      138, 138, 138, 138, 138, 138, 138, 138, 138, 138,
+      138, 138, 138, 138, 138, 138, 138, 138, 138, 138,
+      138, 138, 138, 138, 138, 138, 138, 138, 138, 138,
+      138, 138, 138, 138, 138, 138, 138, 138, 138, 138,
+      138, 138, 138, 138, 138, 138, 138, 138, 138, 138,
+      138, 138, 138, 138, 138, 138, 138, 138, 138, 138,
+      138, 138, 138, 138, 138, 138, 138, 138, 138, 138,
+      138, 138, 138, 138, 138, 138, 138
     };
   register int hval = len;
 
@@ -135,108 +135,115 @@ hash (str, len)
 
 static const struct proposal_token wordlist[] =
   {
-    {"null",             ENCRYPTION_ALGORITHM, ENCR_NULL,                0},
-    {"aes192",           ENCRYPTION_ALGORITHM, ENCR_AES_CBC,           192},
-    {"aesxcbc",          INTEGRITY_ALGORITHM,  AUTH_AES_XCBC_96,         0},
-    {"aes",              ENCRYPTION_ALGORITHM, ENCR_AES_CBC,           128},
-    {"aes128",           ENCRYPTION_ALGORITHM, ENCR_AES_CBC,           128},
-    {"des",              ENCRYPTION_ALGORITHM, ENCR_DES,                 0},
-    {"aes192ctr",        ENCRYPTION_ALGORITHM, ENCR_AES_CTR,           192},
-    {"aes128ctr",        ENCRYPTION_ALGORITHM, ENCR_AES_CTR,           128},
-    {"3des",             ENCRYPTION_ALGORITHM, ENCR_3DES,                0},
-    {"aes192gcm8",       ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,      192},
-    {"aes192ccm8",       ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,      192},
-    {"aes128gcm8",       ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,      128},
-    {"aes128ccm8",       ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,      128},
-    {"aes192gcm12",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,     192},
-    {"aes192ccm12",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,     192},
-    {"aes128gcm12",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,     128},
-    {"aes128ccm12",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,     128},
-    {"aes192gcm128",     ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,     192},
-    {"aes192ccm128",     ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,     192},
-    {"aes128gcm128",     ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,     128},
-    {"aes128ccm128",     ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,     128},
-    {"aes192gcm96",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,     192},
-    {"aes192ccm96",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,     192},
-    {"aes128gcm96",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,     128},
-    {"aes128ccm96",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,     128},
-    {"cast128",          ENCRYPTION_ALGORITHM, ENCR_CAST,              128},
-    {"aes192gcm64",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,      192},
-    {"aes192ccm64",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,      192},
-    {"aes128gcm64",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,      128},
-    {"aes128ccm64",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,      128},
-    {"aes256ctr",        ENCRYPTION_ALGORITHM, ENCR_AES_CTR,           256},
-    {"aes192gcm16",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,     192},
-    {"aes192ccm16",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,     192},
-    {"aes128gcm16",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,     128},
-    {"aes128ccm16",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,     128},
-    {"aes256gcm8",       ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,      256},
-    {"aes256ccm8",       ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,      256},
-    {"sha1",             INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA1_96,        0},
-    {"sha384",           INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_384_192,   0},
-    {"aes256gcm12",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,     256},
-    {"aes256ccm12",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,     256},
-    {"sha512",           INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_512_256,   0},
-    {"aes256",           ENCRYPTION_ALGORITHM, ENCR_AES_CBC,           256},
-    {"aes256gcm128",     ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,     256},
-    {"aes256ccm128",     ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,     256},
-    {"modp8192",         DIFFIE_HELLMAN_GROUP, MODP_8192_BIT,            0},
-    {"ecp192",           DIFFIE_HELLMAN_GROUP, ECP_192_BIT,              0},
-    {"aes256gcm96",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,     256},
-    {"aes256ccm96",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,     256},
-    {"sha",              INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA1_96,        0},
-    {"modp2048",         DIFFIE_HELLMAN_GROUP, MODP_2048_BIT,            0},
-    {"ecp224",           DIFFIE_HELLMAN_GROUP, ECP_224_BIT,              0},
-    {"aes256gcm64",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,      256},
-    {"aes256ccm64",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,      256},
-    {"ecp384",           DIFFIE_HELLMAN_GROUP, ECP_384_BIT,              0},
-    {"modp768",          DIFFIE_HELLMAN_GROUP, MODP_768_BIT,             0},
-    {"modp1024",         DIFFIE_HELLMAN_GROUP, MODP_1024_BIT,            0},
-    {"ecp521",           DIFFIE_HELLMAN_GROUP, ECP_521_BIT,              0},
-    {"aes256gcm16",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,     256},
-    {"aes256ccm16",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,     256},
-    {"md5",              INTEGRITY_ALGORITHM,  AUTH_HMAC_MD5_96,         0},
-    {"blowfish192",      ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,          192},
-    {"sha2_384",         INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_384_192,   0},
-    {"camellia192",      ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,      192},
-    {"modp4096",         DIFFIE_HELLMAN_GROUP, MODP_4096_BIT,            0},
-    {"sha2_512",         INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_512_256,   0},
-    {"blowfish128",      ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,          128},
-    {"blowfish",         ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,          128},
-    {"camellia128",      ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,      128},
-    {"modp6144",         DIFFIE_HELLMAN_GROUP, MODP_6144_BIT,            0},
-    {"modp3072",         DIFFIE_HELLMAN_GROUP, MODP_3072_BIT,            0},
-    {"serpent192",       ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,       192},
-    {"twofish192",       ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,       192},
-    {"sha256",           INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_256_128,   0},
-    {"twofish",          ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,       128},
-    {"serpent128",       ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,       128},
-    {"twofish128",       ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,       128},
-    {"modpnull",         DIFFIE_HELLMAN_GROUP, MODP_NULL,                0},
-    {"camellia",         ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,      128},
-    {"ecp256",           DIFFIE_HELLMAN_GROUP, ECP_256_BIT,              0},
-    {"modp1536",         DIFFIE_HELLMAN_GROUP, MODP_1536_BIT,            0},
-    {"serpent",          ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,       128},
-    {"sha2_256",         INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_256_128,   0},
-    {"sha256_96",        INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_256_96,    0},
-    {"sha2_256_96",      INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_256_96,    0},
-    {"blowfish256",      ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,          256},
-    {"camellia256",      ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,      256},
-    {"serpent256",       ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,       256},
-    {"twofish256",       ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,       256}
+    {"null",             ENCRYPTION_ALGORITHM, ENCR_NULL,                 0},
+    {"aes",              ENCRYPTION_ALGORITHM, ENCR_AES_CBC,            128},
+    {"aes192",           ENCRYPTION_ALGORITHM, ENCR_AES_CBC,            192},
+    {"aesxcbc",          INTEGRITY_ALGORITHM,  AUTH_AES_XCBC_96,          0},
+    {"aes192gmac",       ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 192},
+    {"aes128",           ENCRYPTION_ALGORITHM, ENCR_AES_CBC,            128},
+    {"aes128gmac",       ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 128},
+    {"des",              ENCRYPTION_ALGORITHM, ENCR_DES,                  0},
+    {"aes192gcm8",       ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,       192},
+    {"aes192ccm8",       ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,       192},
+    {"aes128gcm8",       ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,       128},
+    {"aes128ccm8",       ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,       128},
+    {"aes192gcm12",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,      192},
+    {"aes192ccm12",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,      192},
+    {"aes128gcm12",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,      128},
+    {"aes128ccm12",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,      128},
+    {"aes192gcm128",     ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,      192},
+    {"aes192ccm128",     ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,      192},
+    {"aes128gcm128",     ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,      128},
+    {"aes128ccm128",     ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,      128},
+    {"aes192gcm96",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,      192},
+    {"aes192ccm96",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,      192},
+    {"aes128gcm96",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,      128},
+    {"aes128ccm96",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,      128},
+    {"3des",             ENCRYPTION_ALGORITHM, ENCR_3DES,                 0},
+    {"cast128",          ENCRYPTION_ALGORITHM, ENCR_CAST,               128},
+    {"aes256gmac",       ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 256},
+    {"sha",              INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA1_96,         0},
+    {"aes192gcm16",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,      192},
+    {"aes192ccm16",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,      192},
+    {"aes128gcm16",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,      128},
+    {"aes128ccm16",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,      128},
+    {"aes256gcm8",       ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,       256},
+    {"aes256ccm8",       ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,       256},
+    {"modp8192",         DIFFIE_HELLMAN_GROUP, MODP_8192_BIT,             0},
+    {"aes256gcm12",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,      256},
+    {"aes256ccm12",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,      256},
+    {"sha1",             INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA1_96,         0},
+    {"aes256",           ENCRYPTION_ALGORITHM, ENCR_AES_CBC,            256},
+    {"aes256gcm128",     ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,      256},
+    {"aes256ccm128",     ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,      256},
+    {"sha512",           INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_512_256,    0},
+    {"ecp192",           DIFFIE_HELLMAN_GROUP, ECP_192_BIT,               0},
+    {"aes256gcm96",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,      256},
+    {"aes256ccm96",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,      256},
+    {"aes192gcm64",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,       192},
+    {"aes192ccm64",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,       192},
+    {"aes128gcm64",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,       128},
+    {"aes128ccm64",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,       128},
+    {"md5",              INTEGRITY_ALGORITHM,  AUTH_HMAC_MD5_96,          0},
+    {"blowfish",         ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,           128},
+    {"blowfish192",      ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,           192},
+    {"modp768",          DIFFIE_HELLMAN_GROUP, MODP_768_BIT,              0},
+    {"ecp521",           DIFFIE_HELLMAN_GROUP, ECP_521_BIT,               0},
+    {"aes256gcm16",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,      256},
+    {"aes256ccm16",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,      256},
+    {"blowfish128",      ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,           128},
+    {"camellia",         ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,       128},
+    {"modp1024s160",     DIFFIE_HELLMAN_GROUP, MODP_1024_160,             0},
+    {"sha2_512",         INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_512_256,    0},
+    {"camellia192",      ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,       192},
+    {"sha384",           INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_384_192,    0},
+    {"modp2048",         DIFFIE_HELLMAN_GROUP, MODP_2048_BIT,             0},
+    {"modpnull",         DIFFIE_HELLMAN_GROUP, MODP_NULL,                 0},
+    {"aes192ctr",        ENCRYPTION_ALGORITHM, ENCR_AES_CTR,            192},
+    {"camellia128",      ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,       128},
+    {"aes128ctr",        ENCRYPTION_ALGORITHM, ENCR_AES_CTR,            128},
+    {"modp3072",         DIFFIE_HELLMAN_GROUP, MODP_3072_BIT,             0},
+    {"modp1024",         DIFFIE_HELLMAN_GROUP, MODP_1024_BIT,             0},
+    {"ecp224",           DIFFIE_HELLMAN_GROUP, ECP_224_BIT,               0},
+    {"aes256gcm64",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,       256},
+    {"aes256ccm64",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,       256},
+    {"ecp384",           DIFFIE_HELLMAN_GROUP, ECP_384_BIT,               0},
+    {"twofish",          ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,        128},
+    {"sha256",           INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_256_128,    0},
+    {"modp4096",         DIFFIE_HELLMAN_GROUP, MODP_4096_BIT,             0},
+    {"twofish192",       ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,        192},
+    {"sha2_384",         INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_384_192,    0},
+    {"modp1536",         DIFFIE_HELLMAN_GROUP, MODP_1536_BIT,             0},
+    {"serpent192",       ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,        192},
+    {"twofish128",       ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,        128},
+    {"modp2048s256",     DIFFIE_HELLMAN_GROUP, MODP_2048_256,             0},
+    {"ecp256",           DIFFIE_HELLMAN_GROUP, ECP_256_BIT,               0},
+    {"serpent128",       ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,        128},
+    {"aes256ctr",        ENCRYPTION_ALGORITHM, ENCR_AES_CTR,            256},
+    {"modp2048s224",     DIFFIE_HELLMAN_GROUP, MODP_2048_224,             0},
+    {"sha2_256",         INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_256_128,    0},
+    {"sha256_96",        INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_256_96,     0},
+    {"blowfish256",      ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,           256},
+    {"sha2_256_96",      INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_256_96,     0},
+    {"modp6144",         DIFFIE_HELLMAN_GROUP, MODP_6144_BIT,             0},
+    {"camellia256",      ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,       256},
+    {"serpent",          ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,        128},
+    {"twofish256",       ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,        256},
+    {"serpent256",       ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,        256}
   };
 
 static const short lookup[] =
   {
-    -1, -1, -1, -1,  0, -1, -1, -1,  1, -1,  2, -1,  3,  4,
-     5,  6, -1,  7,  8, -1,  9, 10, 11, 12, 13, 14, 15, 16,
-    17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, -1,
-    30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43,
-    44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57,
-    58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, -1, 70,
-    71, 72, -1, -1, 73, 74, 75, 76, 77, -1, 78, -1, -1, -1,
-    -1, -1, -1, -1, -1, -1, 79, 80, -1, -1, -1, -1, -1, 81,
-    82, 83, -1, 84, -1, -1, -1, 85, -1, 86, 87, 88
+    -1, -1, -1, -1, -1,  0,  1, -1,  2, -1,  3, -1,  4,  5,
+     6,  7, -1, -1, -1, -1,  8,  9, 10, 11, 12, 13, 14, 15,
+    16, 17, 18, 19, 20, 21, 22, 23, 24, 25, -1, 26, -1, -1,
+    27, 28, 29, 30, 31, 32, 33, -1, 34, 35, 36, 37, 38, 39,
+    40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53,
+    54, 55, 56, 57, 58, -1, 59, 60, 61, 62, 63, 64, 65, 66,
+    67, 68, -1, 69, 70, 71, 72, 73, 74, 75, 76, -1, -1, 77,
+    78, 79, 80, 81, -1, -1, 82, 83, -1, -1, 84, 85, -1, 86,
+    87, 88, 89, -1, -1, -1, -1, -1, -1, -1, 90, 91, -1, -1,
+    -1, -1, -1, -1, 92, -1, 93, -1, -1, -1, -1, 94
   };
 
 #ifdef __GNUC__
diff --git a/src/libstrongswan/crypto/proposal/proposal_keywords.txt b/src/libstrongswan/crypto/proposal/proposal_keywords.txt
index 139d689ca..338993821 100644
--- a/src/libstrongswan/crypto/proposal/proposal_keywords.txt
+++ b/src/libstrongswan/crypto/proposal/proposal_keywords.txt
@@ -29,92 +29,98 @@ struct proposal_token {
     u_int16_t         keysize;
 };
 %%
-null,             ENCRYPTION_ALGORITHM, ENCR_NULL,                0
-des,              ENCRYPTION_ALGORITHM, ENCR_DES,                 0
-3des,             ENCRYPTION_ALGORITHM, ENCR_3DES,                0
-aes,              ENCRYPTION_ALGORITHM, ENCR_AES_CBC,           128
-aes128,           ENCRYPTION_ALGORITHM, ENCR_AES_CBC,           128
-aes192,           ENCRYPTION_ALGORITHM, ENCR_AES_CBC,           192
-aes256,           ENCRYPTION_ALGORITHM, ENCR_AES_CBC,           256
-aes128ctr,        ENCRYPTION_ALGORITHM, ENCR_AES_CTR,           128
-aes192ctr,        ENCRYPTION_ALGORITHM, ENCR_AES_CTR,           192
-aes256ctr,        ENCRYPTION_ALGORITHM, ENCR_AES_CTR,           256
-aes128ccm8,       ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,      128
-aes128ccm64,      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,      128
-aes128ccm12,      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,     128
-aes128ccm96,      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,     128
-aes128ccm16,      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,     128
-aes128ccm128,     ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,     128
-aes192ccm8,       ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,      192
-aes192ccm64,      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,      192
-aes192ccm12,      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,     192
-aes192ccm96,      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,     192
-aes192ccm16,      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,     192
-aes192ccm128,     ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,     192
-aes256ccm8,       ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,      256
-aes256ccm64,      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,      256
-aes256ccm12,      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,     256
-aes256ccm96,      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,     256
-aes256ccm16,      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,     256
-aes256ccm128,     ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,     256
-aes128gcm8,       ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,      128
-aes128gcm64,      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,      128
-aes128gcm12,      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,     128
-aes128gcm96,      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,     128
-aes128gcm16,      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,     128
-aes128gcm128,     ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,     128
-aes192gcm8,       ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,      192
-aes192gcm64,      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,      192
-aes192gcm12,      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,     192
-aes192gcm96,      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,     192
-aes192gcm16,      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,     192
-aes192gcm128,     ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,     192
-aes256gcm8,       ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,      256
-aes256gcm64,      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,      256
-aes256gcm12,      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,     256
-aes256gcm96,      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,     256
-aes256gcm16,      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,     256
-aes256gcm128,     ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,     256
-blowfish,         ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,          128
-blowfish128,      ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,          128
-blowfish192,      ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,          192
-blowfish256,      ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,          256
-camellia,         ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,      128
-camellia128,      ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,      128
-camellia192,      ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,      192
-camellia256,      ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,      256
-cast128,          ENCRYPTION_ALGORITHM, ENCR_CAST,              128
-serpent,          ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,       128
-serpent128,       ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,       128
-serpent192,       ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,       192
-serpent256,       ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,       256
-twofish,          ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,       128
-twofish128,       ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,       128
-twofish192,       ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,       192
-twofish256,       ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,       256
-sha,              INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA1_96,        0
-sha1,             INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA1_96,        0
-sha256,           INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_256_128,   0
-sha2_256,         INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_256_128,   0
-sha256_96,        INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_256_96,    0
-sha2_256_96,      INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_256_96,    0
-sha384,           INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_384_192,   0
-sha2_384,         INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_384_192,   0
-sha512,           INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_512_256,   0
-sha2_512,         INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_512_256,   0
-md5,              INTEGRITY_ALGORITHM,  AUTH_HMAC_MD5_96,         0
-aesxcbc,          INTEGRITY_ALGORITHM,  AUTH_AES_XCBC_96,         0
-modpnull,         DIFFIE_HELLMAN_GROUP, MODP_NULL,                0
-modp768,          DIFFIE_HELLMAN_GROUP, MODP_768_BIT,             0
-modp1024,         DIFFIE_HELLMAN_GROUP, MODP_1024_BIT,            0
-modp1536,         DIFFIE_HELLMAN_GROUP, MODP_1536_BIT,            0
-modp2048,         DIFFIE_HELLMAN_GROUP, MODP_2048_BIT,            0
-modp3072,         DIFFIE_HELLMAN_GROUP, MODP_3072_BIT,            0
-modp4096,         DIFFIE_HELLMAN_GROUP, MODP_4096_BIT,            0
-modp6144,         DIFFIE_HELLMAN_GROUP, MODP_6144_BIT,            0
-modp8192,         DIFFIE_HELLMAN_GROUP, MODP_8192_BIT,            0
-ecp192,           DIFFIE_HELLMAN_GROUP, ECP_192_BIT,              0
-ecp224,           DIFFIE_HELLMAN_GROUP, ECP_224_BIT,              0
-ecp256,           DIFFIE_HELLMAN_GROUP, ECP_256_BIT,              0
-ecp384,           DIFFIE_HELLMAN_GROUP, ECP_384_BIT,              0
-ecp521,           DIFFIE_HELLMAN_GROUP, ECP_521_BIT,              0
+null,             ENCRYPTION_ALGORITHM, ENCR_NULL,                 0
+des,              ENCRYPTION_ALGORITHM, ENCR_DES,                  0
+3des,             ENCRYPTION_ALGORITHM, ENCR_3DES,                 0
+aes,              ENCRYPTION_ALGORITHM, ENCR_AES_CBC,            128
+aes128,           ENCRYPTION_ALGORITHM, ENCR_AES_CBC,            128
+aes192,           ENCRYPTION_ALGORITHM, ENCR_AES_CBC,            192
+aes256,           ENCRYPTION_ALGORITHM, ENCR_AES_CBC,            256
+aes128ctr,        ENCRYPTION_ALGORITHM, ENCR_AES_CTR,            128
+aes192ctr,        ENCRYPTION_ALGORITHM, ENCR_AES_CTR,            192
+aes256ctr,        ENCRYPTION_ALGORITHM, ENCR_AES_CTR,            256
+aes128ccm8,       ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,       128
+aes128ccm64,      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,       128
+aes128ccm12,      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,      128
+aes128ccm96,      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,      128
+aes128ccm16,      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,      128
+aes128ccm128,     ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,      128
+aes192ccm8,       ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,       192
+aes192ccm64,      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,       192
+aes192ccm12,      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,      192
+aes192ccm96,      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,      192
+aes192ccm16,      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,      192
+aes192ccm128,     ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,      192
+aes256ccm8,       ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,       256
+aes256ccm64,      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,       256
+aes256ccm12,      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,      256
+aes256ccm96,      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,      256
+aes256ccm16,      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,      256
+aes256ccm128,     ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,      256
+aes128gcm8,       ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,       128
+aes128gcm64,      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,       128
+aes128gcm12,      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,      128
+aes128gcm96,      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,      128
+aes128gcm16,      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,      128
+aes128gcm128,     ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,      128
+aes192gcm8,       ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,       192
+aes192gcm64,      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,       192
+aes192gcm12,      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,      192
+aes192gcm96,      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,      192
+aes192gcm16,      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,      192
+aes192gcm128,     ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,      192
+aes256gcm8,       ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,       256
+aes256gcm64,      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,       256
+aes256gcm12,      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,      256
+aes256gcm96,      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,      256
+aes256gcm16,      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,      256
+aes256gcm128,     ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,      256
+aes128gmac,       ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 128
+aes192gmac,       ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 192
+aes256gmac,       ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 256
+blowfish,         ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,           128
+blowfish128,      ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,           128
+blowfish192,      ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,           192
+blowfish256,      ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,           256
+camellia,         ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,       128
+camellia128,      ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,       128
+camellia192,      ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,       192
+camellia256,      ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,       256
+cast128,          ENCRYPTION_ALGORITHM, ENCR_CAST,               128
+serpent,          ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,        128
+serpent128,       ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,        128
+serpent192,       ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,        192
+serpent256,       ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,        256
+twofish,          ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,        128
+twofish128,       ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,        128
+twofish192,       ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,        192
+twofish256,       ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,        256
+sha,              INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA1_96,         0
+sha1,             INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA1_96,         0
+sha256,           INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_256_128,    0
+sha2_256,         INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_256_128,    0
+sha256_96,        INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_256_96,     0
+sha2_256_96,      INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_256_96,     0
+sha384,           INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_384_192,    0
+sha2_384,         INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_384_192,    0
+sha512,           INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_512_256,    0
+sha2_512,         INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_512_256,    0
+md5,              INTEGRITY_ALGORITHM,  AUTH_HMAC_MD5_96,          0
+aesxcbc,          INTEGRITY_ALGORITHM,  AUTH_AES_XCBC_96,          0
+modpnull,         DIFFIE_HELLMAN_GROUP, MODP_NULL,                 0
+modp768,          DIFFIE_HELLMAN_GROUP, MODP_768_BIT,              0
+modp1024,         DIFFIE_HELLMAN_GROUP, MODP_1024_BIT,             0
+modp1536,         DIFFIE_HELLMAN_GROUP, MODP_1536_BIT,             0
+modp2048,         DIFFIE_HELLMAN_GROUP, MODP_2048_BIT,             0
+modp3072,         DIFFIE_HELLMAN_GROUP, MODP_3072_BIT,             0
+modp4096,         DIFFIE_HELLMAN_GROUP, MODP_4096_BIT,             0
+modp6144,         DIFFIE_HELLMAN_GROUP, MODP_6144_BIT,             0
+modp8192,         DIFFIE_HELLMAN_GROUP, MODP_8192_BIT,             0
+ecp192,           DIFFIE_HELLMAN_GROUP, ECP_192_BIT,               0
+ecp224,           DIFFIE_HELLMAN_GROUP, ECP_224_BIT,               0
+ecp256,           DIFFIE_HELLMAN_GROUP, ECP_256_BIT,               0
+ecp384,           DIFFIE_HELLMAN_GROUP, ECP_384_BIT,               0
+ecp521,           DIFFIE_HELLMAN_GROUP, ECP_521_BIT,               0
+modp1024s160,     DIFFIE_HELLMAN_GROUP, MODP_1024_160,             0
+modp2048s224,     DIFFIE_HELLMAN_GROUP, MODP_2048_224,             0
+modp2048s256,     DIFFIE_HELLMAN_GROUP, MODP_2048_256,             0
diff --git a/src/libstrongswan/debug.c b/src/libstrongswan/debug.c
index 51b7875d8..21a7e63dd 100644
--- a/src/libstrongswan/debug.c
+++ b/src/libstrongswan/debug.c
@@ -17,10 +17,36 @@
 
 #include "debug.h"
 
+ENUM(debug_names, DBG_DMN, DBG_LIB,
+	"DMN",
+	"MGR",
+	"IKE",
+	"CHD",
+	"JOB",
+	"CFG",
+	"KNL",
+	"NET",
+	"ENC",
+	"LIB",
+);
+
+ENUM(debug_lower_names, DBG_DMN, DBG_LIB,
+	"dmn",
+	"mgr",
+	"ike",
+	"chd",
+	"job",
+	"cfg",
+	"knl",
+	"net",
+	"enc",
+	"lib",
+);
+
 /**
  * level logged by the default logger
  */
-static int default_level = 1;
+static level_t default_level = 1;
 
 /**
  * stream logged to by the default logger
@@ -30,7 +56,7 @@ static FILE *default_stream = NULL;
 /**
  * default dbg function which printf all to stderr
  */
-void dbg_default(int level, char *fmt, ...)
+void dbg_default(debug_t group, level_t level, char *fmt, ...)
 {
 	if (!default_stream)
 	{
@@ -50,7 +76,7 @@ void dbg_default(int level, char *fmt, ...)
 /**
  * set the level logged by the default stderr logger
  */
-void dbg_default_set_level(int level)
+void dbg_default_set_level(level_t level)
 {
 	default_level = level;
 }
@@ -66,5 +92,5 @@ void dbg_default_set_stream(FILE *stream)
 /**
  * The registered debug hook.
  */
-void (*dbg) (int level, char *fmt, ...) = dbg_default;
+void (*dbg) (debug_t group, level_t level, char *fmt, ...) = dbg_default;
 
diff --git a/src/libstrongswan/debug.h b/src/libstrongswan/debug.h
index 085795acb..a21111d93 100644
--- a/src/libstrongswan/debug.h
+++ b/src/libstrongswan/debug.h
@@ -21,26 +21,95 @@
 #ifndef DEBUG_H_
 #define DEBUG_H_
 
+typedef enum debug_t debug_t;
+typedef enum level_t level_t;
+
 #include <stdio.h>
 
+#include "enum.h"
+
+/**
+ * Debug message group.
+ */
+enum debug_t {
+	/** daemon specific */
+	DBG_DMN,
+	/** IKE_SA_MANAGER */
+	DBG_MGR,
+	/** IKE_SA */
+	DBG_IKE,
+	/** CHILD_SA */
+	DBG_CHD,
+	/** job processing */
+	DBG_JOB,
+	/** configuration backends */
+	DBG_CFG,
+	/** kernel interface */
+	DBG_KNL,
+	/** networking/sockets */
+	DBG_NET,
+	/** message encoding/decoding */
+	DBG_ENC,
+	/** libstrongswan */
+	DBG_LIB,
+	/** number of groups */
+	DBG_MAX,
+	/** pseudo group with all groups */
+	DBG_ANY = DBG_MAX,
+};
+
+/**
+ * short names of debug message group.
+ */
+extern enum_name_t *debug_names;
+
+/**
+ * short names of debug message group, lower case.
+ */
+extern enum_name_t *debug_lower_names;
+
+/**
+ * Debug levels used to control output verbosity.
+ */
+enum level_t {
+	/** absolutely silent */
+	LEVEL_SILENT = -1,
+	/** most important auditing logs */
+	LEVEL_AUDIT =   0,
+	/** control flow */
+	LEVEL_CTRL =    1,
+	/** diagnose problems */
+	LEVEL_DIAG =    2,
+	/** raw binary blobs */
+	LEVEL_RAW =     3,
+	/** including sensitive data (private keys) */
+	LEVEL_PRIVATE = 4,
+};
+
 #ifndef DEBUG_LEVEL
 # define DEBUG_LEVEL 4
 #endif /* DEBUG_LEVEL */
 
 /** debug macros, they call the dbg function hook */
+#if DEBUG_LEVEL >= 0
+# define DBG0(group, fmt, ...) dbg(group, 0, fmt, ##__VA_ARGS__)
+#endif /* DEBUG_LEVEL */
 #if DEBUG_LEVEL >= 1
-# define DBG1(fmt, ...) dbg(1, fmt, ##__VA_ARGS__)
+# define DBG1(group, fmt, ...) dbg(group, 1, fmt, ##__VA_ARGS__)
 #endif /* DEBUG_LEVEL */
 #if DEBUG_LEVEL >= 2
-# define DBG2(fmt, ...) dbg(2, fmt, ##__VA_ARGS__)
+# define DBG2(group, fmt, ...) dbg(group, 2, fmt, ##__VA_ARGS__)
 #endif /* DEBUG_LEVEL */
 #if DEBUG_LEVEL >= 3
-# define DBG3(fmt, ...) dbg(3, fmt, ##__VA_ARGS__)
+# define DBG3(group, fmt, ...) dbg(group, 3, fmt, ##__VA_ARGS__)
 #endif /* DEBUG_LEVEL */
 #if DEBUG_LEVEL >= 4
-# define DBG4(fmt, ...) dbg(4, fmt, ##__VA_ARGS__)
+# define DBG4(group, fmt, ...) dbg(group, 4, fmt, ##__VA_ARGS__)
 #endif /* DEBUG_LEVEL */
 
+#ifndef DBG0
+# define DBG0(...) {}
+#endif
 #ifndef DBG1
 # define DBG1(...) {}
 #endif
@@ -55,13 +124,13 @@
 #endif
 
 /** dbg function hook, uses dbg_default() by default */
-extern void (*dbg) (int level, char *fmt, ...);
+extern void (*dbg) (debug_t group, level_t level, char *fmt, ...);
 
 /** default logging function */
-void dbg_default(int level, char *fmt, ...);
+void dbg_default(debug_t group, level_t level, char *fmt, ...);
 
 /** set the level logged by dbg_default() */
-void dbg_default_set_level(int level);
+void dbg_default_set_level(level_t level);
 
 /** set the stream logged by dbg_default() to */
 void dbg_default_set_stream(FILE *stream);
diff --git a/src/libstrongswan/enum.h b/src/libstrongswan/enum.h
index 6b9fd7eaa..691f9f2bc 100644
--- a/src/libstrongswan/enum.h
+++ b/src/libstrongswan/enum.h
@@ -22,7 +22,7 @@
 #ifndef ENUM_H_
 #define ENUM_H_
 
-#include <printf_hook.h>
+#include "printf_hook.h"
 
 typedef struct enum_name_t enum_name_t;
 
diff --git a/src/libstrongswan/fetcher/fetcher_manager.c b/src/libstrongswan/fetcher/fetcher_manager.c
index b73bfacf6..c81de032c 100644
--- a/src/libstrongswan/fetcher/fetcher_manager.c
+++ b/src/libstrongswan/fetcher/fetcher_manager.c
@@ -134,7 +134,7 @@ static status_t fetch(private_fetcher_manager_t *this,
 	this->lock->unlock(this->lock);
 	if (!capable)
 	{
-		DBG1("unable to fetch from %s, no capable fetcher found", url);
+		DBG1(DBG_LIB, "unable to fetch from %s, no capable fetcher found", url);
 	}
 	return status;
 }
diff --git a/src/libstrongswan/integrity_checker.c b/src/libstrongswan/integrity_checker.c
index 51da4e725..c9cad44ae 100644
--- a/src/libstrongswan/integrity_checker.c
+++ b/src/libstrongswan/integrity_checker.c
@@ -26,8 +26,8 @@
 #include <sys/stat.h>
 #include <sys/types.h>
 
-#include <debug.h>
-#include <library.h>
+#include "debug.h"
+#include "library.h"
 
 typedef struct private_integrity_checker_t private_integrity_checker_t;
 
@@ -72,13 +72,14 @@ static u_int32_t build_file(private_integrity_checker_t *this, char *file,
 	fd = open(file, O_RDONLY);
 	if (fd == -1)
 	{
-		DBG1("  opening '%s' failed: %s", file, strerror(errno));
+		DBG1(DBG_LIB, "  opening '%s' failed: %s", file, strerror(errno));
 		return 0;
 	}
 
 	if (fstat(fd, &sb) == -1)
 	{
-		DBG1("  getting file size of '%s' failed: %s", file, strerror(errno));
+		DBG1(DBG_LIB, "  getting file size of '%s' failed: %s", file,
+			 strerror(errno));
 		close(fd);
 		return 0;
 	}
@@ -86,7 +87,7 @@ static u_int32_t build_file(private_integrity_checker_t *this, char *file,
 	addr = mmap(NULL, sb.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
 	if (addr == MAP_FAILED)
 	{
-		DBG1("  mapping '%s' failed: %s", file, strerror(errno));
+		DBG1(DBG_LIB, "  mapping '%s' failed: %s", file, strerror(errno));
 		close(fd);
 		return 0;
 	}
@@ -146,13 +147,13 @@ static u_int32_t build_segment(private_integrity_checker_t *this, void *sym,
 
 	if (dladdr(sym, &dli) == 0)
 	{
-		DBG1("  unable to locate symbol: %s", dlerror());
+		DBG1(DBG_LIB, "  unable to locate symbol: %s", dlerror());
 		return 0;
 	}
 	/* we reuse the Dl_info struct as in/out parameter */
 	if (!dl_iterate_phdr((void*)callback, &dli))
 	{
-		DBG1("  executable section not found");
+		DBG1(DBG_LIB, "  executable section not found");
 		return 0;
 	}
 
@@ -192,7 +193,7 @@ static bool check_file(private_integrity_checker_t *this,
 	cs = find_checksum(this, name);
 	if (!cs)
 	{
-		DBG1("  '%s' file checksum not found", name);
+		DBG1(DBG_LIB, "  '%s' file checksum not found", name);
 		return FALSE;
 	}
 	sum = build_file(this, file, &len);
@@ -202,17 +203,17 @@ static bool check_file(private_integrity_checker_t *this,
 	}
 	if (cs->file_len != len)
 	{
-		DBG1("  invalid '%s' file size: %u bytes, expected %u bytes",
+		DBG1(DBG_LIB, "  invalid '%s' file size: %u bytes, expected %u bytes",
 			 name, len, cs->file_len);
 		return FALSE;
 	}
 	if (cs->file != sum)
 	{
-		DBG1("  invalid '%s' file checksum: %08x, expected %08x",
+		DBG1(DBG_LIB, "  invalid '%s' file checksum: %08x, expected %08x",
 			 name, sum, cs->file);
 		return FALSE;
 	}
-	DBG2("  valid '%s' file checksum: %08x", name, sum);
+	DBG2(DBG_LIB, "  valid '%s' file checksum: %08x", name, sum);
 	return TRUE;
 }
 
@@ -229,7 +230,7 @@ static bool check_segment(private_integrity_checker_t *this,
 	cs = find_checksum(this, name);
 	if (!cs)
 	{
-		DBG1("  '%s' segment checksum not found", name);
+		DBG1(DBG_LIB, "  '%s' segment checksum not found", name);
 		return FALSE;
 	}
 	sum = build_segment(this, sym, &len);
@@ -239,17 +240,17 @@ static bool check_segment(private_integrity_checker_t *this,
 	}
 	if (cs->segment_len != len)
 	{
-		DBG1("  invalid '%s' segment size: %u bytes, expected %u bytes",
-			 name, len, cs->segment_len);
+		DBG1(DBG_LIB, "  invalid '%s' segment size: %u bytes,"
+			 " expected %u bytes", name, len, cs->segment_len);
 		return FALSE;
 	}
 	if (cs->segment != sum)
 	{
-		DBG1("  invalid '%s' segment checksum: %08x, expected %08x",
+		DBG1(DBG_LIB, "  invalid '%s' segment checksum: %08x, expected %08x",
 			 name, sum, cs->segment);
 		return FALSE;
 	}
-	DBG2("  valid '%s' segment checksum: %08x", name, sum);
+	DBG2(DBG_LIB, "  valid '%s' segment checksum: %08x", name, sum);
 	return TRUE;
 }
 
@@ -262,7 +263,7 @@ static bool check(private_integrity_checker_t *this, char *name, void *sym)
 
 	if (dladdr(sym, &dli) == 0)
 	{
-		DBG1("unable to locate symbol: %s", dlerror());
+		DBG1(DBG_LIB, "unable to locate symbol: %s", dlerror());
 		return FALSE;
 	}
 	if (!check_file(this, name, (char*)dli.dli_fname))
@@ -319,12 +320,14 @@ integrity_checker_t *integrity_checker_create(char *checksum_library)
 			}
 			else
 			{
-				DBG1("checksum library '%s' invalid", checksum_library);
+				DBG1(DBG_LIB, "checksum library '%s' invalid",
+					 checksum_library);
 			}
 		}
 		else
 		{
-			DBG1("loading checksum library '%s' failed", checksum_library);
+			DBG1(DBG_LIB, "loading checksum library '%s' failed",
+				 checksum_library);
 		}
 	}
 	return &this->public;
diff --git a/src/libstrongswan/integrity_checker.h b/src/libstrongswan/integrity_checker.h
index 7349353f3..55a4658f7 100644
--- a/src/libstrongswan/integrity_checker.h
+++ b/src/libstrongswan/integrity_checker.h
@@ -21,8 +21,8 @@
 #ifndef INTEGRITY_CHECKER_H_
 #define INTEGRITY_CHECKER_H_
 
-#include <utils.h>
-#include <plugins/plugin.h>
+#include "utils.h"
+#include "plugins/plugin.h"
 
 typedef struct integrity_checker_t integrity_checker_t;
 typedef struct integrity_checksum_t integrity_checksum_t;
diff --git a/src/libstrongswan/library.c b/src/libstrongswan/library.c
index 4e8bb87d0..108ac2ca0 100644
--- a/src/libstrongswan/library.c
+++ b/src/libstrongswan/library.c
@@ -18,14 +18,12 @@
 
 #include <stdlib.h>
 
-#include <utils.h>
-#include <chunk.h>
-#include <debug.h>
-#include <threading/thread.h>
-#include <utils/identification.h>
-#include <utils/host.h>
+#include "debug.h"
+#include "threading/thread.h"
+#include "utils/identification.h"
+#include "utils/host.h"
 #ifdef LEAK_DETECTIVE
-#include <utils/leak_detective.h>
+#include "utils/leak_detective.h"
 #endif
 
 #define CHECKSUM_LIBRARY IPSEC_DIR"/libchecksum.so"
@@ -68,7 +66,6 @@ void library_deinit()
 	this->public.encoding->destroy(this->public.encoding);
 	this->public.crypto->destroy(this->public.crypto);
 	this->public.fetcher->destroy(this->public.fetcher);
-	this->public.attributes->destroy(this->public.attributes);
 	this->public.db->destroy(this->public.db);
 	this->public.printf_hook->destroy(this->public.printf_hook);
 	if (this->public.integrity)
@@ -133,7 +130,6 @@ bool library_init(char *settings)
 	this->public.creds = credential_factory_create();
 	this->public.encoding = key_encoding_create();
 	this->public.fetcher = fetcher_manager_create();
-	this->public.attributes = attribute_manager_create();
 	this->public.db = database_factory_create();
 	this->public.plugins = plugin_loader_create();
 	this->public.integrity = NULL;
@@ -145,11 +141,11 @@ bool library_init(char *settings)
 		this->public.integrity = integrity_checker_create(CHECKSUM_LIBRARY);
 		if (!lib->integrity->check(lib->integrity, "libstrongswan", library_init))
 		{
-			DBG1("integrity check of libstrongswan failed");
+			DBG1(DBG_LIB, "integrity check of libstrongswan failed");
 			return FALSE;
 		}
 #else /* !INTEGRITY_TEST */
-		DBG1("integrity test enabled, but not supported");
+		DBG1(DBG_LIB, "integrity test enabled, but not supported");
 		return FALSE;
 #endif /* INTEGRITY_TEST */
 	}
diff --git a/src/libstrongswan/library.h b/src/libstrongswan/library.h
index 78a6fe0a9..241084155 100644
--- a/src/libstrongswan/library.h
+++ b/src/libstrongswan/library.h
@@ -55,18 +55,17 @@
 #ifndef LIBRARY_H_
 #define LIBRARY_H_
 
-#include <printf_hook.h>
-#include <utils.h>
-#include <chunk.h>
-#include <settings.h>
-#include <integrity_checker.h>
-#include <plugins/plugin_loader.h>
-#include <crypto/crypto_factory.h>
-#include <fetcher/fetcher_manager.h>
-#include <attributes/attribute_manager.h>
-#include <database/database_factory.h>
-#include <credentials/credential_factory.h>
-#include <credentials/keys/key_encoding.h>
+#include "printf_hook.h"
+#include "utils.h"
+#include "chunk.h"
+#include "settings.h"
+#include "integrity_checker.h"
+#include "plugins/plugin_loader.h"
+#include "crypto/crypto_factory.h"
+#include "fetcher/fetcher_manager.h"
+#include "database/database_factory.h"
+#include "credentials/credential_factory.h"
+#include "credentials/keys/key_encoding.h"
 
 typedef struct library_t library_t;
 
@@ -100,11 +99,6 @@ struct library_t {
 	 */
 	fetcher_manager_t *fetcher;
 
-	/**
-	 * manager for payload attributes
-	 */
-	attribute_manager_t *attributes;
-
 	/**
 	 * database construction factory
 	 */
diff --git a/src/libstrongswan/plugins/aes/Makefile.am b/src/libstrongswan/plugins/aes/Makefile.am
index a3101172f..e72daeb44 100644
--- a/src/libstrongswan/plugins/aes/Makefile.am
+++ b/src/libstrongswan/plugins/aes/Makefile.am
@@ -3,8 +3,13 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan
 
 AM_CFLAGS = -rdynamic
 
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-aes.la
+else
 plugin_LTLIBRARIES = libstrongswan-aes.la
+endif
 
-libstrongswan_aes_la_SOURCES = aes_plugin.h aes_plugin.c aes_crypter.c aes_crypter.h
-libstrongswan_aes_la_LDFLAGS = -module -avoid-version
+libstrongswan_aes_la_SOURCES = \
+	aes_plugin.h aes_plugin.c aes_crypter.c aes_crypter.h
 
+libstrongswan_aes_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/aes/Makefile.in b/src/libstrongswan/plugins/aes/Makefile.in
index 03ef465e0..391d23049 100644
--- a/src/libstrongswan/plugins/aes/Makefile.in
+++ b/src/libstrongswan/plugins/aes/Makefile.in
@@ -72,13 +72,15 @@ am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__installdirs = "$(DESTDIR)$(plugindir)"
-LTLIBRARIES = $(plugin_LTLIBRARIES)
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_aes_la_LIBADD =
 am_libstrongswan_aes_la_OBJECTS = aes_plugin.lo aes_crypter.lo
 libstrongswan_aes_la_OBJECTS = $(am_libstrongswan_aes_la_OBJECTS)
 libstrongswan_aes_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
 	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
 	$(libstrongswan_aes_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_aes_la_rpath = -rpath $(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_aes_la_rpath =
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
@@ -217,6 +219,7 @@ ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libhydra_plugins = @libhydra_plugins@
 libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
@@ -253,8 +256,11 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
 AM_CFLAGS = -rdynamic
-plugin_LTLIBRARIES = libstrongswan-aes.la
-libstrongswan_aes_la_SOURCES = aes_plugin.h aes_plugin.c aes_crypter.c aes_crypter.h
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-aes.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-aes.la
+libstrongswan_aes_la_SOURCES = \
+	aes_plugin.h aes_plugin.c aes_crypter.c aes_crypter.h
+
 libstrongswan_aes_la_LDFLAGS = -module -avoid-version
 all: all-am
 
@@ -290,6 +296,15 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
 	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
@@ -322,7 +337,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-aes.la: $(libstrongswan_aes_la_OBJECTS) $(libstrongswan_aes_la_DEPENDENCIES) 
-	$(libstrongswan_aes_la_LINK) -rpath $(plugindir) $(libstrongswan_aes_la_OBJECTS) $(libstrongswan_aes_la_LIBADD) $(LIBS)
+	$(libstrongswan_aes_la_LINK) $(am_libstrongswan_aes_la_rpath) $(libstrongswan_aes_la_OBJECTS) $(libstrongswan_aes_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -476,8 +491,8 @@ maintainer-clean-generic:
 	@echo "it deletes files that may require special tools to rebuild."
 clean: clean-am
 
-clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
-	mostlyclean-am
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
 
 distclean: distclean-am
 	-rm -rf ./$(DEPDIR)
@@ -548,18 +563,19 @@ uninstall-am: uninstall-pluginLTLIBRARIES
 .MAKE: install-am install-strip
 
 .PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
-	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
-	distclean-compile distclean-generic distclean-libtool \
-	distclean-tags distdir dvi dvi-am html html-am info info-am \
-	install install-am install-data install-data-am install-dvi \
-	install-dvi-am install-exec install-exec-am install-html \
-	install-html-am install-info install-info-am install-man \
-	install-pdf install-pdf-am install-pluginLTLIBRARIES \
-	install-ps install-ps-am install-strip installcheck \
-	installcheck-am installdirs maintainer-clean \
-	maintainer-clean-generic mostlyclean mostlyclean-compile \
-	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
 
 
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
diff --git a/src/libstrongswan/plugins/aes/aes_plugin.c b/src/libstrongswan/plugins/aes/aes_plugin.c
index c6215cc7f..1e920f8cc 100644
--- a/src/libstrongswan/plugins/aes/aes_plugin.c
+++ b/src/libstrongswan/plugins/aes/aes_plugin.c
@@ -44,7 +44,7 @@ static void destroy(private_aes_plugin_t *this)
 /*
  * see header file
  */
-plugin_t *plugin_create()
+plugin_t *aes_plugin_create()
 {
 	private_aes_plugin_t *this = malloc_thing(private_aes_plugin_t);
 
diff --git a/src/libstrongswan/plugins/aes/aes_plugin.h b/src/libstrongswan/plugins/aes/aes_plugin.h
index a6ff620ed..f0f0e8154 100644
--- a/src/libstrongswan/plugins/aes/aes_plugin.h
+++ b/src/libstrongswan/plugins/aes/aes_plugin.h
@@ -39,9 +39,4 @@ struct aes_plugin_t {
 	plugin_t plugin;
 };
 
-/**
- * Create a aes_plugin instance.
- */
-plugin_t *plugin_create();
-
 #endif /** AES_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/agent/Makefile.am b/src/libstrongswan/plugins/agent/Makefile.am
index e1000e562..ffa6e8b7f 100644
--- a/src/libstrongswan/plugins/agent/Makefile.am
+++ b/src/libstrongswan/plugins/agent/Makefile.am
@@ -3,10 +3,14 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan
 
 AM_CFLAGS = -rdynamic
 
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-agent.la
+else
 plugin_LTLIBRARIES = libstrongswan-agent.la
+endif
 
-libstrongswan_agent_la_SOURCES = agent_plugin.h agent_plugin.c \
-  agent_private_key.c agent_private_key.h
+libstrongswan_agent_la_SOURCES = \
+	agent_plugin.h agent_plugin.c \
+	agent_private_key.c agent_private_key.h
 
 libstrongswan_agent_la_LDFLAGS = -module -avoid-version
-
diff --git a/src/libstrongswan/plugins/agent/Makefile.in b/src/libstrongswan/plugins/agent/Makefile.in
index 5bf52aa56..bd6465374 100644
--- a/src/libstrongswan/plugins/agent/Makefile.in
+++ b/src/libstrongswan/plugins/agent/Makefile.in
@@ -72,7 +72,7 @@ am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__installdirs = "$(DESTDIR)$(plugindir)"
-LTLIBRARIES = $(plugin_LTLIBRARIES)
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_agent_la_LIBADD =
 am_libstrongswan_agent_la_OBJECTS = agent_plugin.lo \
 	agent_private_key.lo
@@ -80,6 +80,9 @@ libstrongswan_agent_la_OBJECTS = $(am_libstrongswan_agent_la_OBJECTS)
 libstrongswan_agent_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
 	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
 	$(libstrongswan_agent_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_agent_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_agent_la_rpath =
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
@@ -218,6 +221,7 @@ ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libhydra_plugins = @libhydra_plugins@
 libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
@@ -254,9 +258,11 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
 AM_CFLAGS = -rdynamic
-plugin_LTLIBRARIES = libstrongswan-agent.la
-libstrongswan_agent_la_SOURCES = agent_plugin.h agent_plugin.c \
-  agent_private_key.c agent_private_key.h
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-agent.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-agent.la
+libstrongswan_agent_la_SOURCES = \
+	agent_plugin.h agent_plugin.c \
+	agent_private_key.c agent_private_key.h
 
 libstrongswan_agent_la_LDFLAGS = -module -avoid-version
 all: all-am
@@ -293,6 +299,15 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
 	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
@@ -325,7 +340,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-agent.la: $(libstrongswan_agent_la_OBJECTS) $(libstrongswan_agent_la_DEPENDENCIES) 
-	$(libstrongswan_agent_la_LINK) -rpath $(plugindir) $(libstrongswan_agent_la_OBJECTS) $(libstrongswan_agent_la_LIBADD) $(LIBS)
+	$(libstrongswan_agent_la_LINK) $(am_libstrongswan_agent_la_rpath) $(libstrongswan_agent_la_OBJECTS) $(libstrongswan_agent_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -479,8 +494,8 @@ maintainer-clean-generic:
 	@echo "it deletes files that may require special tools to rebuild."
 clean: clean-am
 
-clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
-	mostlyclean-am
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
 
 distclean: distclean-am
 	-rm -rf ./$(DEPDIR)
@@ -551,18 +566,19 @@ uninstall-am: uninstall-pluginLTLIBRARIES
 .MAKE: install-am install-strip
 
 .PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
-	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
-	distclean-compile distclean-generic distclean-libtool \
-	distclean-tags distdir dvi dvi-am html html-am info info-am \
-	install install-am install-data install-data-am install-dvi \
-	install-dvi-am install-exec install-exec-am install-html \
-	install-html-am install-info install-info-am install-man \
-	install-pdf install-pdf-am install-pluginLTLIBRARIES \
-	install-ps install-ps-am install-strip installcheck \
-	installcheck-am installdirs maintainer-clean \
-	maintainer-clean-generic mostlyclean mostlyclean-compile \
-	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
 
 
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
diff --git a/src/libstrongswan/plugins/agent/agent_plugin.c b/src/libstrongswan/plugins/agent/agent_plugin.c
index 299b2cc1d..d40b437bb 100644
--- a/src/libstrongswan/plugins/agent/agent_plugin.c
+++ b/src/libstrongswan/plugins/agent/agent_plugin.c
@@ -44,7 +44,7 @@ static void destroy(private_agent_plugin_t *this)
 /*
  * see header file
  */
-plugin_t *plugin_create()
+plugin_t *agent_plugin_create()
 {
 	private_agent_plugin_t *this = malloc_thing(private_agent_plugin_t);
 
diff --git a/src/libstrongswan/plugins/agent/agent_plugin.h b/src/libstrongswan/plugins/agent/agent_plugin.h
index e49af42d8..d352c305c 100644
--- a/src/libstrongswan/plugins/agent/agent_plugin.h
+++ b/src/libstrongswan/plugins/agent/agent_plugin.h
@@ -39,9 +39,4 @@ struct agent_plugin_t {
 	plugin_t plugin;
 };
 
-/**
- * Create a agent_plugin instance.
- */
-plugin_t *plugin_create();
-
 #endif /** AGENT_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/agent/agent_private_key.c b/src/libstrongswan/plugins/agent/agent_private_key.c
index d0a2da87f..4247f849e 100644
--- a/src/libstrongswan/plugins/agent/agent_private_key.c
+++ b/src/libstrongswan/plugins/agent/agent_private_key.c
@@ -137,7 +137,8 @@ static int open_connection(char *path)
 	s = socket(AF_UNIX, SOCK_STREAM, 0);
 	if (s == -1)
 	{
-		DBG1("opening ssh-agent socket %s failed: %s:", path, strerror(errno));
+		DBG1(DBG_LIB, "opening ssh-agent socket %s failed: %s:", path,
+			 strerror(errno));
 		return -1;
 	}
 
@@ -147,7 +148,8 @@ static int open_connection(char *path)
 
 	if (connect(s, (struct sockaddr*)&addr, SUN_LEN(&addr)) != 0)
 	{
-		DBG1("connecting to ssh-agent socket failed: %s", strerror(errno));
+		DBG1(DBG_LIB, "connecting to ssh-agent socket failed: %s",
+			 strerror(errno));
 		close(s);
 		return -1;
 	}
@@ -168,7 +170,7 @@ static bool read_key(private_agent_private_key_t *this, public_key_t *pubkey)
 	if (write(this->socket, &len, sizeof(len)) != sizeof(len) ||
 		write(this->socket, &buf, 1) != 1)
 	{
-		DBG1("writing to ssh-agent failed");
+		DBG1(DBG_LIB, "writing to ssh-agent failed");
 		return FALSE;
 	}
 
@@ -179,7 +181,7 @@ static bool read_key(private_agent_private_key_t *this, public_key_t *pubkey)
 		read_uint32(&blob) != blob.len ||
 		read_byte(&blob) != SSH_AGENT_ID_RESPONSE)
 	{
-		DBG1("received invalid ssh-agent identity response");
+		DBG1(DBG_LIB, "received invalid ssh-agent identity response");
 		return FALSE;
 	}
 	count = read_uint32(&blob);
@@ -231,7 +233,7 @@ static bool sign(private_agent_private_key_t *this, signature_scheme_t scheme,
 
 	if (scheme != SIGN_RSA_EMSA_PKCS1_SHA1)
 	{
-		DBG1("signature scheme %N not supported by ssh-agent",
+		DBG1(DBG_LIB, "signature scheme %N not supported by ssh-agent",
 			 signature_scheme_names, scheme);
 		return FALSE;
 	}
@@ -241,7 +243,7 @@ static bool sign(private_agent_private_key_t *this, signature_scheme_t scheme,
 	if (write(this->socket, &len, sizeof(len)) != sizeof(len) ||
 		write(this->socket, &buf, 1) != 1)
 	{
-		DBG1("writing to ssh-agent failed");
+		DBG1(DBG_LIB, "writing to ssh-agent failed");
 		return FALSE;
 	}
 
@@ -249,7 +251,7 @@ static bool sign(private_agent_private_key_t *this, signature_scheme_t scheme,
 	if (write(this->socket, &len, sizeof(len)) != sizeof(len) ||
 		write(this->socket, this->key.ptr, this->key.len) != this->key.len)
 	{
-		DBG1("writing to ssh-agent failed");
+		DBG1(DBG_LIB, "writing to ssh-agent failed");
 		return FALSE;
 	}
 
@@ -257,14 +259,14 @@ static bool sign(private_agent_private_key_t *this, signature_scheme_t scheme,
 	if (write(this->socket, &len, sizeof(len)) != sizeof(len) ||
 		write(this->socket, data.ptr, data.len) != data.len)
 	{
-		DBG1("writing to ssh-agent failed");
+		DBG1(DBG_LIB, "writing to ssh-agent failed");
 		return FALSE;
 	}
 
 	flags = htonl(0);
 	if (write(this->socket, &flags, sizeof(flags)) != sizeof(flags))
 	{
-		DBG1("writing to ssh-agent failed");
+		DBG1(DBG_LIB, "writing to ssh-agent failed");
 		return FALSE;
 	}
 
@@ -274,7 +276,7 @@ static bool sign(private_agent_private_key_t *this, signature_scheme_t scheme,
 		read_uint32(&blob) != blob.len ||
 		read_byte(&blob) != SSH_AGENT_SIGN_RESPONSE)
 	{
-		DBG1("received invalid ssh-agent signature response");
+		DBG1(DBG_LIB, "received invalid ssh-agent signature response");
 		return FALSE;
 	}
 	/* parse length */
@@ -285,7 +287,7 @@ static bool sign(private_agent_private_key_t *this, signature_scheme_t scheme,
 	blob = read_string(&blob);
 	if (!blob.len)
 	{
-		DBG1("received invalid ssh-agent signature response");
+		DBG1(DBG_LIB, "received invalid ssh-agent signature response");
 		return FALSE;
 	}
 	*signature =  chunk_clone(blob);
@@ -306,7 +308,7 @@ static key_type_t get_type(private_agent_private_key_t *this)
 static bool decrypt(private_agent_private_key_t *this,
 					chunk_t crypto, chunk_t *plain)
 {
-	DBG1("private key decryption not supported by ssh-agent");
+	DBG1(DBG_LIB, "private key decryption not supported by ssh-agent");
 	return FALSE;
 }
 
diff --git a/src/libstrongswan/plugins/attr_sql/Makefile.am b/src/libstrongswan/plugins/attr_sql/Makefile.am
deleted file mode 100644
index 5be310abf..000000000
--- a/src/libstrongswan/plugins/attr_sql/Makefile.am
+++ /dev/null
@@ -1,15 +0,0 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-
-AM_CFLAGS = -rdynamic \
-  -DPLUGINS=\""${libstrongswan_plugins}\""
-
-plugin_LTLIBRARIES = libstrongswan-attr-sql.la
-libstrongswan_attr_sql_la_SOURCES = \
-  attr_sql_plugin.h attr_sql_plugin.c \
-  sql_attribute.h sql_attribute.c
-libstrongswan_attr_sql_la_LDFLAGS = -module -avoid-version
-
-ipsec_PROGRAMS = pool
-pool_SOURCES = pool.c
-pool_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
diff --git a/src/libstrongswan/plugins/attr_sql/Makefile.in b/src/libstrongswan/plugins/attr_sql/Makefile.in
deleted file mode 100644
index e157a9b78..000000000
--- a/src/libstrongswan/plugins/attr_sql/Makefile.in
+++ /dev/null
@@ -1,633 +0,0 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
-# @configure_input@
-
-# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
-# This Makefile.in is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
-# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
-# PARTICULAR PURPOSE.
-
-@SET_MAKE@
-
-
-VPATH = @srcdir@
-pkgdatadir = $(datadir)/@PACKAGE@
-pkgincludedir = $(includedir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
-pkglibexecdir = $(libexecdir)/@PACKAGE@
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-install_sh_DATA = $(install_sh) -c -m 644
-install_sh_PROGRAM = $(install_sh) -c
-install_sh_SCRIPT = $(install_sh) -c
-INSTALL_HEADER = $(INSTALL_DATA)
-transform = $(program_transform_name)
-NORMAL_INSTALL = :
-PRE_INSTALL = :
-POST_INSTALL = :
-NORMAL_UNINSTALL = :
-PRE_UNINSTALL = :
-POST_UNINSTALL = :
-build_triplet = @build@
-host_triplet = @host@
-ipsec_PROGRAMS = pool$(EXEEXT)
-subdir = src/libstrongswan/plugins/attr_sql
-DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
-ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
-	$(top_srcdir)/m4/config/ltoptions.m4 \
-	$(top_srcdir)/m4/config/ltsugar.m4 \
-	$(top_srcdir)/m4/config/ltversion.m4 \
-	$(top_srcdir)/m4/config/lt~obsolete.m4 \
-	$(top_srcdir)/m4/macros/with.m4 \
-	$(top_srcdir)/m4/macros/enable-disable.m4 \
-	$(top_srcdir)/configure.in
-am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
-	$(ACLOCAL_M4)
-mkinstalldirs = $(install_sh) -d
-CONFIG_CLEAN_FILES =
-CONFIG_CLEAN_VPATH_FILES =
-am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
-am__vpath_adj = case $$p in \
-    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
-    *) f=$$p;; \
-  esac;
-am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
-am__install_max = 40
-am__nobase_strip_setup = \
-  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
-am__nobase_strip = \
-  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
-am__nobase_list = $(am__nobase_strip_setup); \
-  for p in $$list; do echo "$$p $$p"; done | \
-  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
-  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
-    if (++n[$$2] == $(am__install_max)) \
-      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
-    END { for (dir in files) print dir, files[dir] }'
-am__base_list = \
-  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
-  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
-am__installdirs = "$(DESTDIR)$(plugindir)" "$(DESTDIR)$(ipsecdir)"
-LTLIBRARIES = $(plugin_LTLIBRARIES)
-libstrongswan_attr_sql_la_LIBADD =
-am_libstrongswan_attr_sql_la_OBJECTS = attr_sql_plugin.lo \
-	sql_attribute.lo
-libstrongswan_attr_sql_la_OBJECTS =  \
-	$(am_libstrongswan_attr_sql_la_OBJECTS)
-libstrongswan_attr_sql_la_LINK = $(LIBTOOL) --tag=CC \
-	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
-	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_attr_sql_la_LDFLAGS) \
-	$(LDFLAGS) -o $@
-PROGRAMS = $(ipsec_PROGRAMS)
-am_pool_OBJECTS = pool.$(OBJEXT)
-pool_OBJECTS = $(am_pool_OBJECTS)
-pool_DEPENDENCIES =  \
-	$(top_builddir)/src/libstrongswan/libstrongswan.la
-DEFAULT_INCLUDES = -I.@am__isrc@
-depcomp = $(SHELL) $(top_srcdir)/depcomp
-am__depfiles_maybe = depfiles
-am__mv = mv -f
-COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
-	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
-SOURCES = $(libstrongswan_attr_sql_la_SOURCES) $(pool_SOURCES)
-DIST_SOURCES = $(libstrongswan_attr_sql_la_SOURCES) $(pool_SOURCES)
-ETAGS = etags
-CTAGS = ctags
-DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
-ACLOCAL = @ACLOCAL@
-ALLOCA = @ALLOCA@
-AMTAR = @AMTAR@
-AR = @AR@
-AUTOCONF = @AUTOCONF@
-AUTOHEADER = @AUTOHEADER@
-AUTOMAKE = @AUTOMAKE@
-AWK = @AWK@
-BTLIB = @BTLIB@
-CC = @CC@
-CCDEPMODE = @CCDEPMODE@
-CFLAGS = @CFLAGS@
-CPP = @CPP@
-CPPFLAGS = @CPPFLAGS@
-CYGPATH_W = @CYGPATH_W@
-DEFS = @DEFS@
-DEPDIR = @DEPDIR@
-DLLIB = @DLLIB@
-DSYMUTIL = @DSYMUTIL@
-DUMPBIN = @DUMPBIN@
-ECHO_C = @ECHO_C@
-ECHO_N = @ECHO_N@
-ECHO_T = @ECHO_T@
-EGREP = @EGREP@
-EXEEXT = @EXEEXT@
-FGREP = @FGREP@
-GPERF = @GPERF@
-GREP = @GREP@
-INSTALL = @INSTALL@
-INSTALL_DATA = @INSTALL_DATA@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@
-INSTALL_SCRIPT = @INSTALL_SCRIPT@
-INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-LD = @LD@
-LDFLAGS = @LDFLAGS@
-LEX = @LEX@
-LEXLIB = @LEXLIB@
-LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBOBJS = @LIBOBJS@
-LIBS = @LIBS@
-LIBTOOL = @LIBTOOL@
-LIPO = @LIPO@
-LN_S = @LN_S@
-LTLIBOBJS = @LTLIBOBJS@
-MAKEINFO = @MAKEINFO@
-MKDIR_P = @MKDIR_P@
-MYSQLCFLAG = @MYSQLCFLAG@
-MYSQLCONFIG = @MYSQLCONFIG@
-MYSQLLIB = @MYSQLLIB@
-NM = @NM@
-NMEDIT = @NMEDIT@
-OBJDUMP = @OBJDUMP@
-OBJEXT = @OBJEXT@
-OTOOL = @OTOOL@
-OTOOL64 = @OTOOL64@
-PACKAGE = @PACKAGE@
-PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
-PACKAGE_NAME = @PACKAGE_NAME@
-PACKAGE_STRING = @PACKAGE_STRING@
-PACKAGE_TARNAME = @PACKAGE_TARNAME@
-PACKAGE_URL = @PACKAGE_URL@
-PACKAGE_VERSION = @PACKAGE_VERSION@
-PATH_SEPARATOR = @PATH_SEPARATOR@
-PERL = @PERL@
-PKG_CONFIG = @PKG_CONFIG@
-PTHREADLIB = @PTHREADLIB@
-RANLIB = @RANLIB@
-RTLIB = @RTLIB@
-RUBY = @RUBY@
-RUBYINCLUDE = @RUBYINCLUDE@
-SED = @SED@
-SET_MAKE = @SET_MAKE@
-SHELL = @SHELL@
-SOCKLIB = @SOCKLIB@
-STRIP = @STRIP@
-VERSION = @VERSION@
-YACC = @YACC@
-YFLAGS = @YFLAGS@
-abs_builddir = @abs_builddir@
-abs_srcdir = @abs_srcdir@
-abs_top_builddir = @abs_top_builddir@
-abs_top_srcdir = @abs_top_srcdir@
-ac_ct_CC = @ac_ct_CC@
-ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
-am__include = @am__include@
-am__leading_dot = @am__leading_dot@
-am__quote = @am__quote@
-am__tar = @am__tar@
-am__untar = @am__untar@
-bindir = @bindir@
-build = @build@
-build_alias = @build_alias@
-build_cpu = @build_cpu@
-build_os = @build_os@
-build_vendor = @build_vendor@
-builddir = @builddir@
-datadir = @datadir@
-datarootdir = @datarootdir@
-default_pkcs11 = @default_pkcs11@
-docdir = @docdir@
-dvidir = @dvidir@
-exec_prefix = @exec_prefix@
-gtk_CFLAGS = @gtk_CFLAGS@
-gtk_LIBS = @gtk_LIBS@
-host = @host@
-host_alias = @host_alias@
-host_cpu = @host_cpu@
-host_os = @host_os@
-host_vendor = @host_vendor@
-htmldir = @htmldir@
-includedir = @includedir@
-infodir = @infodir@
-install_sh = @install_sh@
-ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
-ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
-ipsecuser = @ipsecuser@
-libdir = @libdir@
-libexecdir = @libexecdir@
-libstrongswan_plugins = @libstrongswan_plugins@
-linux_headers = @linux_headers@
-localedir = @localedir@
-localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
-mandir = @mandir@
-mkdir_p = @mkdir_p@
-nm_CFLAGS = @nm_CFLAGS@
-nm_LIBS = @nm_LIBS@
-nm_ca_dir = @nm_ca_dir@
-oldincludedir = @oldincludedir@
-pdfdir = @pdfdir@
-piddir = @piddir@
-plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
-prefix = @prefix@
-program_transform_name = @program_transform_name@
-psdir = @psdir@
-random_device = @random_device@
-resolv_conf = @resolv_conf@
-routing_table = @routing_table@
-routing_table_prio = @routing_table_prio@
-sbindir = @sbindir@
-sharedstatedir = @sharedstatedir@
-srcdir = @srcdir@
-strongswan_conf = @strongswan_conf@
-sysconfdir = @sysconfdir@
-target_alias = @target_alias@
-top_build_prefix = @top_build_prefix@
-top_builddir = @top_builddir@
-top_srcdir = @top_srcdir@
-urandom_device = @urandom_device@
-xml_CFLAGS = @xml_CFLAGS@
-xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -rdynamic \
-  -DPLUGINS=\""${libstrongswan_plugins}\""
-
-plugin_LTLIBRARIES = libstrongswan-attr-sql.la
-libstrongswan_attr_sql_la_SOURCES = \
-  attr_sql_plugin.h attr_sql_plugin.c \
-  sql_attribute.h sql_attribute.c
-
-libstrongswan_attr_sql_la_LDFLAGS = -module -avoid-version
-pool_SOURCES = pool.c
-pool_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
-all: all-am
-
-.SUFFIXES:
-.SUFFIXES: .c .lo .o .obj
-$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
-	@for dep in $?; do \
-	  case '$(am__configure_deps)' in \
-	    *$$dep*) \
-	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
-	        && { if test -f $@; then exit 0; else break; fi; }; \
-	      exit 1;; \
-	  esac; \
-	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/attr_sql/Makefile'; \
-	$(am__cd) $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu src/libstrongswan/plugins/attr_sql/Makefile
-.PRECIOUS: Makefile
-Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
-	@case '$?' in \
-	  *config.status*) \
-	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
-	  *) \
-	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
-	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
-	esac;
-
-$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-
-$(top_srcdir)/configure:  $(am__configure_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(am__aclocal_m4_deps):
-install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
-	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
-	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
-	list2=; for p in $$list; do \
-	  if test -f $$p; then \
-	    list2="$$list2 $$p"; \
-	  else :; fi; \
-	done; \
-	test -z "$$list2" || { \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
-	}
-
-uninstall-pluginLTLIBRARIES:
-	@$(NORMAL_UNINSTALL)
-	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
-	for p in $$list; do \
-	  $(am__strip_dir) \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
-	done
-
-clean-pluginLTLIBRARIES:
-	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
-	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
-	  test "$$dir" != "$$p" || dir=.; \
-	  echo "rm -f \"$${dir}/so_locations\""; \
-	  rm -f "$${dir}/so_locations"; \
-	done
-libstrongswan-attr-sql.la: $(libstrongswan_attr_sql_la_OBJECTS) $(libstrongswan_attr_sql_la_DEPENDENCIES) 
-	$(libstrongswan_attr_sql_la_LINK) -rpath $(plugindir) $(libstrongswan_attr_sql_la_OBJECTS) $(libstrongswan_attr_sql_la_LIBADD) $(LIBS)
-install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
-	@$(NORMAL_INSTALL)
-	test -z "$(ipsecdir)" || $(MKDIR_P) "$(DESTDIR)$(ipsecdir)"
-	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
-	for p in $$list; do echo "$$p $$p"; done | \
-	sed 's/$(EXEEXT)$$//' | \
-	while read p p1; do if test -f $$p || test -f $$p1; \
-	  then echo "$$p"; echo "$$p"; else :; fi; \
-	done | \
-	sed -e 'p;s,.*/,,;n;h' -e 's|.*|.|' \
-	    -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \
-	sed 'N;N;N;s,\n, ,g' | \
-	$(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \
-	  { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \
-	    if ($$2 == $$4) files[d] = files[d] " " $$1; \
-	    else { print "f", $$3 "/" $$4, $$1; } } \
-	  END { for (d in files) print "f", d, files[d] }' | \
-	while read type dir files; do \
-	    if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \
-	    test -z "$$files" || { \
-	    echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(ipsecdir)$$dir'"; \
-	    $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(ipsecdir)$$dir" || exit $$?; \
-	    } \
-	; done
-
-uninstall-ipsecPROGRAMS:
-	@$(NORMAL_UNINSTALL)
-	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
-	files=`for p in $$list; do echo "$$p"; done | \
-	  sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \
-	      -e 's/$$/$(EXEEXT)/' `; \
-	test -n "$$list" || exit 0; \
-	echo " ( cd '$(DESTDIR)$(ipsecdir)' && rm -f" $$files ")"; \
-	cd "$(DESTDIR)$(ipsecdir)" && rm -f $$files
-
-clean-ipsecPROGRAMS:
-	@list='$(ipsec_PROGRAMS)'; test -n "$$list" || exit 0; \
-	echo " rm -f" $$list; \
-	rm -f $$list || exit $$?; \
-	test -n "$(EXEEXT)" || exit 0; \
-	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
-	echo " rm -f" $$list; \
-	rm -f $$list
-pool$(EXEEXT): $(pool_OBJECTS) $(pool_DEPENDENCIES) 
-	@rm -f pool$(EXEEXT)
-	$(LINK) $(pool_OBJECTS) $(pool_LDADD) $(LIBS)
-
-mostlyclean-compile:
-	-rm -f *.$(OBJEXT)
-
-distclean-compile:
-	-rm -f *.tab.c
-
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/attr_sql_plugin.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pool.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sql_attribute.Plo@am__quote@
-
-.c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
-
-.c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
-
-.c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
-
-mostlyclean-libtool:
-	-rm -f *.lo
-
-clean-libtool:
-	-rm -rf .libs _libs
-
-ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
-	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	mkid -fID $$unique
-tags: TAGS
-
-TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	set x; \
-	here=`pwd`; \
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	shift; \
-	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
-	  test -n "$$unique" || unique=$$empty_fix; \
-	  if test $$# -gt 0; then \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      "$$@" $$unique; \
-	  else \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      $$unique; \
-	  fi; \
-	fi
-ctags: CTAGS
-CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$unique" \
-	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$unique
-
-GTAGS:
-	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && $(am__cd) $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) "$$here"
-
-distclean-tags:
-	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
-
-distdir: $(DISTFILES)
-	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	list='$(DISTFILES)'; \
-	  dist_files=`for file in $$list; do echo $$file; done | \
-	  sed -e "s|^$$srcdirstrip/||;t" \
-	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
-	case $$dist_files in \
-	  */*) $(MKDIR_P) `echo "$$dist_files" | \
-			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
-			   sort -u` ;; \
-	esac; \
-	for file in $$dist_files; do \
-	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  if test -d $$d/$$file; then \
-	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
-	    if test -d "$(distdir)/$$file"; then \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
-	  else \
-	    test -f "$(distdir)/$$file" \
-	    || cp -p $$d/$$file "$(distdir)/$$file" \
-	    || exit 1; \
-	  fi; \
-	done
-check-am: all-am
-check: check-am
-all-am: Makefile $(LTLIBRARIES) $(PROGRAMS)
-installdirs:
-	for dir in "$(DESTDIR)$(plugindir)" "$(DESTDIR)$(ipsecdir)"; do \
-	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
-	done
-install: install-am
-install-exec: install-exec-am
-install-data: install-data-am
-uninstall: uninstall-am
-
-install-am: all-am
-	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
-
-installcheck: installcheck-am
-install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
-mostlyclean-generic:
-
-clean-generic:
-
-distclean-generic:
-	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
-
-maintainer-clean-generic:
-	@echo "This command is intended for maintainers to use"
-	@echo "it deletes files that may require special tools to rebuild."
-clean: clean-am
-
-clean-am: clean-generic clean-ipsecPROGRAMS clean-libtool \
-	clean-pluginLTLIBRARIES mostlyclean-am
-
-distclean: distclean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-distclean-am: clean-am distclean-compile distclean-generic \
-	distclean-tags
-
-dvi: dvi-am
-
-dvi-am:
-
-html: html-am
-
-html-am:
-
-info: info-am
-
-info-am:
-
-install-data-am: install-ipsecPROGRAMS install-pluginLTLIBRARIES
-
-install-dvi: install-dvi-am
-
-install-dvi-am:
-
-install-exec-am:
-
-install-html: install-html-am
-
-install-html-am:
-
-install-info: install-info-am
-
-install-info-am:
-
-install-man:
-
-install-pdf: install-pdf-am
-
-install-pdf-am:
-
-install-ps: install-ps-am
-
-install-ps-am:
-
-installcheck-am:
-
-maintainer-clean: maintainer-clean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-maintainer-clean-am: distclean-am maintainer-clean-generic
-
-mostlyclean: mostlyclean-am
-
-mostlyclean-am: mostlyclean-compile mostlyclean-generic \
-	mostlyclean-libtool
-
-pdf: pdf-am
-
-pdf-am:
-
-ps: ps-am
-
-ps-am:
-
-uninstall-am: uninstall-ipsecPROGRAMS uninstall-pluginLTLIBRARIES
-
-.MAKE: install-am install-strip
-
-.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
-	clean-ipsecPROGRAMS clean-libtool clean-pluginLTLIBRARIES \
-	ctags distclean distclean-compile distclean-generic \
-	distclean-libtool distclean-tags distdir dvi dvi-am html \
-	html-am info info-am install install-am install-data \
-	install-data-am install-dvi install-dvi-am install-exec \
-	install-exec-am install-html install-html-am install-info \
-	install-info-am install-ipsecPROGRAMS install-man install-pdf \
-	install-pdf-am install-pluginLTLIBRARIES install-ps \
-	install-ps-am install-strip installcheck installcheck-am \
-	installdirs maintainer-clean maintainer-clean-generic \
-	mostlyclean mostlyclean-compile mostlyclean-generic \
-	mostlyclean-libtool pdf pdf-am ps ps-am tags uninstall \
-	uninstall-am uninstall-ipsecPROGRAMS \
-	uninstall-pluginLTLIBRARIES
-
-
-# Tell versions [3.59,3.63) of GNU make to not export all variables.
-# Otherwise a system limit (for SysV at least) may be exceeded.
-.NOEXPORT:
diff --git a/src/libstrongswan/plugins/attr_sql/attr_sql_plugin.c b/src/libstrongswan/plugins/attr_sql/attr_sql_plugin.c
deleted file mode 100644
index 66b309c67..000000000
--- a/src/libstrongswan/plugins/attr_sql/attr_sql_plugin.c
+++ /dev/null
@@ -1,88 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <library.h>
-#include <debug.h>
-
-#include "attr_sql_plugin.h"
-#include "sql_attribute.h"
-
-typedef struct private_attr_sql_plugin_t private_attr_sql_plugin_t;
-
-/**
- * private data of attr_sql plugin
- */
-struct private_attr_sql_plugin_t {
-
-	/**
-	 * implements plugin interface
-	 */
-	attr_sql_plugin_t public;
-
-	/**
-	 * database connection instance
-	 */
-	database_t *db;
-
-	/**
-	 * configuration attributes
-	 */
-	sql_attribute_t *attribute;
-
-};
-
-/**
- * Implementation of plugin_t.destroy
- */
-static void destroy(private_attr_sql_plugin_t *this)
-{
-	lib->attributes->remove_provider(lib->attributes, &this->attribute->provider);
-	this->attribute->destroy(this->attribute);
-	this->db->destroy(this->db);
-	free(this);
-}
-
-/*
- * see header file
- */
-plugin_t *plugin_create()
-{
-	char *uri;
-	private_attr_sql_plugin_t *this;
-
-	uri = lib->settings->get_str(lib->settings, "libstrongswan.plugins.attr-sql.database", NULL);
-	if (!uri)
-	{
-		DBG1("attr-sql plugin: database URI not set");
-		return NULL;
-	}
-
-	this = malloc_thing(private_attr_sql_plugin_t);
-
-	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-
-	this->db = lib->db->create(lib->db, uri);
-	if (!this->db)
-	{
-		DBG1("attr-sql plugin failed to connect to database");
-		free(this);
-		return NULL;
-	}
-	this->attribute = sql_attribute_create(this->db);
-	lib->attributes->add_provider(lib->attributes, &this->attribute->provider);
-
-	return &this->public.plugin;
-}
-
diff --git a/src/libstrongswan/plugins/attr_sql/attr_sql_plugin.h b/src/libstrongswan/plugins/attr_sql/attr_sql_plugin.h
deleted file mode 100644
index 3a60ea0d2..000000000
--- a/src/libstrongswan/plugins/attr_sql/attr_sql_plugin.h
+++ /dev/null
@@ -1,47 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup attr_sql attr_sql
- * @ingroup plugins
- *
- * @defgroup sql_plugin sql_plugin
- * @{ @ingroup attr_sql
- */
-
-#ifndef ATTR_SQL_PLUGIN_H_
-#define ATTR_SQL_PLUGIN_H_
-
-#include <plugins/plugin.h>
-
-typedef struct attr_sql_plugin_t attr_sql_plugin_t;
-
-/**
- * SQL database attribute configuration plugin
- */
-struct attr_sql_plugin_t {
-
-	/**
-	 * implements plugin interface
-	 */
-	plugin_t plugin;
-};
-
-/**
- * Create a sql_plugin instance.
- */
-plugin_t *plugin_create();
-
-#endif /** ATTR_SQL_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/attr_sql/pool.c b/src/libstrongswan/plugins/attr_sql/pool.c
deleted file mode 100644
index 85b30a70f..000000000
--- a/src/libstrongswan/plugins/attr_sql/pool.c
+++ /dev/null
@@ -1,1050 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#define _GNU_SOURCE
-#include <getopt.h>
-#include <unistd.h>
-#include <stdio.h>
-#include <time.h>
-
-#include <debug.h>
-#include <library.h>
-#include <utils/host.h>
-#include <utils/identification.h>
-#include <attributes/attributes.h>
-
-/**
- * global database handle
- */
-database_t *db;
-
-/**
- * --start/--end/--server addresses of various subcommands
- */
-host_t *start = NULL, *end = NULL, *server = NULL;
-
-/**
- * instead of a pool handle a DNS or NBNS attribute
- */
-static bool is_attribute(char *name)
-{
-	return strcaseeq(name, "dns") || strcaseeq(name, "nbns") ||
-		   strcaseeq(name, "wins");
-}
-
-/**
- * determine configuration attribute type
- */
-static configuration_attribute_type_t get_attribute_type(char *name, host_t* addr)
-{
-	if (strcaseeq(name, "dns"))
-	{
-		return (addr->get_family(addr) == AF_INET) ? INTERNAL_IP4_DNS :
-													 INTERNAL_IP6_DNS;
-	}
-	else
-	{
-		return (addr->get_family(addr) == AF_INET) ? INTERNAL_IP4_NBNS :
-													 INTERNAL_IP6_NBNS;
-	}
-}
-
-/**
- * calculate the size of a pool using start and end address chunk
- */
-static u_int get_pool_size(chunk_t start, chunk_t end)
-{
-	u_int *start_ptr, *end_ptr;
-
-	if (start.len < sizeof(u_int) || end.len < sizeof(u_int))
-	{
-		return 0;
-	}
-	start_ptr = (u_int*)(start.ptr + start.len - sizeof(u_int));
-	end_ptr = (u_int*)(end.ptr + end.len - sizeof(u_int));
-	return ntohl(*end_ptr) -  ntohl(*start_ptr) + 1;
-}
-
-/**
- * print usage info
- */
-static void usage(void)
-{
-	printf("\
-Usage:\n\
-  ipsec pool --status|--add|--del|--resize|--purge [options]\n\
-  \n\
-  ipsec pool --status\n\
-    Show a list of installed pools with statistics.\n\
-  \n\
-  ipsec pool --add <name> --start <start> --end <end> [--timeout <timeout>]\n\
-    Add a new pool to the database.\n\
-      name:    Name of the pool, as used in ipsec.conf rightsourceip=%%name\n\
-      start:   Start address of the pool\n\
-      end:     End address of the pool\n\
-      timeout: Lease time in hours, 0 for static leases\n\
-  \n\
-  ipsec pool --add dns|nbns|wins --server <server>\n\
-    Add a new DNS or NBNS server to the database.\n\
-      server:  IP address of the name server\n\
-  \n\
-  ipsec pool --del <name>\n\
-    Delete a pool from the database.\n\
-      name:    Name of the pool to delete\n\
-  \n\
-  ipsec pool --del dns|nbns|wins [--server <server>]\n\
-    Delete a specific or all DNS or NBNS servers from the database.\n\
-      server:  IP address of the name server to delete\n\
-  \n\
-  ipsec pool --resize <name> --end <end>\n\
-    Grow or shrink an existing pool.\n\
-      name:    Name of the pool to resize\n\
-      end:     New end address for the pool\n\
-  \n\
-  ipsec pool --leases [--filter <filter>] [--utc]\n\
-    Show lease information using filters:\n\
-      filter:  Filter string containing comma separated key=value filters,\n\
-               e.g. id=alice@strongswan.org,addr=1.1.1.1\n\
-                  pool:   name of the pool\n\
-                  id:     assigned identity of the lease\n\
-                  addr:   lease IP address\n\
-                  tstamp: UNIX timestamp when lease was valid, as integer\n\
-                  status: status of the lease: online|valid|expired\n\
-      utc:    Show times in UTC instead of local time\n\
-  \n\
-  ipsec pool --purge <name>\n\
-    Delete lease history of a pool:\n\
-      name:    Name of the pool to purge\n\
-  \n");
-	exit(0);
-}
-
-/**
- * ipsec pool --status - show pool overview
- */
-static void status(void)
-{
-	enumerator_t *ns, *pool, *lease;
-	host_t *server;
-	chunk_t value;
-	bool found = FALSE;
-
-	/* enumerate IPv4 DNS servers */
-	ns = db->query(db, "SELECT value FROM attributes WHERE type = ?",
-				   DB_INT, INTERNAL_IP4_DNS, DB_BLOB);
-	if (ns)
-	{
-		while (ns->enumerate(ns, &value))
-		{
-			if (!found)
-			{
-				printf("dns servers:");
-				found = TRUE;
-			}
-			server = host_create_from_chunk(AF_INET, value, 0);
-			if (server)
-			{
-				printf(" %H", server);
-				server->destroy(server);
-			}
-		}
-		ns->destroy(ns);
-	}
-
-	/* enumerate IPv6 DNS servers */
-	ns = db->query(db, "SELECT value FROM attributes WHERE type = ?",
-				   DB_INT, INTERNAL_IP6_DNS, DB_BLOB);
-	if (ns)
-	{
-		while (ns->enumerate(ns, &value))
-		{
-			if (!found)
-			{
-				printf("dns servers:");
-				found = TRUE;
-			}
-			server = host_create_from_chunk(AF_INET6, value, 0);
-			if (server)
-			{
-				printf(" %H", server);
-				server->destroy(server);
-			}
-		}
-		ns->destroy(ns);
-	}
-	if (found)
-	{
-		printf("\n");
-	}
-	else
-	{
-		printf("no dns servers found.\n");
-	}
-	found = FALSE;
-
-	/* enumerate IPv4 NBNS servers */
-	ns = db->query(db, "SELECT value FROM attributes WHERE type = ?",
-				   DB_INT, INTERNAL_IP4_NBNS, DB_BLOB);
-	if (ns)
-	{
-		while (ns->enumerate(ns, &value))
-		{
-			if (!found)
-			{
-				printf("nbns servers:");
-				found = TRUE;
-			}
-			server = host_create_from_chunk(AF_INET, value, 0);
-			if (server)
-			{
-				printf(" %H", server);
-				server->destroy(server);
-			}
-		}
-		ns->destroy(ns);
-	}
-
-	/* enumerate IPv6 NBNS servers */
-	ns = db->query(db, "SELECT value FROM attributes WHERE type = ?",
-				   DB_INT, INTERNAL_IP6_NBNS, DB_BLOB);
-	if (ns)
-	{
-		while (ns->enumerate(ns, &value))
-		{
-			if (!found)
-			{
-				printf("nbns servers:");
-				found = TRUE;
-			}
-			server = host_create_from_chunk(AF_INET6, value, 0);
-			if (server)
-			{
-				printf(" %H", server);
-				server->destroy(server);
-			}
-		}
-		ns->destroy(ns);
-	}
-	if (found)
-	{
-		printf("\n");
-	}
-	else
-	{
-		printf("no nbns servers found.\n");
-	}
-	found = FALSE;
-
-	pool = db->query(db, "SELECT id, name, start, end, timeout FROM pools",
-					 DB_INT, DB_TEXT, DB_BLOB, DB_BLOB, DB_UINT);
-	if (pool)
-	{
-		char *name;
-		chunk_t start_chunk, end_chunk;
-		host_t *start, *end;
-		u_int id, timeout, online = 0, used = 0, size = 0;
-
-		while (pool->enumerate(pool, &id, &name,
-							   &start_chunk, &end_chunk, &timeout))
-		{
-			if (!found)
-			{
-				printf("%8s %15s %15s %8s %6s %11s %11s\n", "name", "start",
-					   "end", "timeout", "size", "online", "usage");
-				found = TRUE;
-			}
-
-			start = host_create_from_chunk(AF_UNSPEC, start_chunk, 0);
-			end = host_create_from_chunk(AF_UNSPEC, end_chunk, 0);
-			size = get_pool_size(start_chunk, end_chunk);
-			printf("%8s %15H %15H ", name, start, end);
-			if (timeout)
-			{
-				printf("%7dh ", timeout/3600);
-			}
-			else
-			{
-				printf("%8s ", "static");
-			}
-			printf("%6d ", size);
-			/* get number of online hosts */
-			lease = db->query(db, "SELECT COUNT(*) FROM addresses "
-							  "WHERE pool = ? AND released = 0",
-							  DB_UINT, id, DB_INT);
-			if (lease)
-			{
-				lease->enumerate(lease, &online);
-				lease->destroy(lease);
-			}
-			printf("%5d (%2d%%) ", online, online*100/size);
-			/* get number of online or valid lieases */
-			lease = db->query(db, "SELECT COUNT(*) FROM addresses "
-							  "WHERE addresses.pool = ? "
-							  "AND ((? AND acquired != 0) "
-							  "     OR released = 0 OR released > ?) ",
-							  DB_UINT, id, DB_UINT, !timeout,
-							  DB_UINT, time(NULL) - timeout, DB_UINT);
-			if (lease)
-			{
-				lease->enumerate(lease, &used);
-				lease->destroy(lease);
-			}
-			printf("%5d (%2d%%) ", used, used*100/size);
-
-			printf("\n");
-			DESTROY_IF(start);
-			DESTROY_IF(end);
-		}
-		pool->destroy(pool);
-	}
-	if (!found)
-	{
-		printf("no pools found.\n");
-	}
-	exit(0);
-}
-
-/**
- * ipsec pool --add - add a new pool
- */
-static void add(char *name, host_t *start, host_t *end, int timeout)
-{
-	chunk_t start_addr, end_addr, cur_addr;
-	u_int id, count;
-
-	start_addr = start->get_address(start);
-	end_addr = end->get_address(end);
-	cur_addr = chunk_clonea(start_addr);
-	count = get_pool_size(start_addr, end_addr);
-
-	if (start_addr.len != end_addr.len ||
-		memcmp(start_addr.ptr, end_addr.ptr, start_addr.len) > 0)
-	{
-		fprintf(stderr, "invalid start/end pair specified.\n");
-		exit(-1);
-	}
-	if (db->execute(db, &id,
-			"INSERT INTO pools (name, start, end, timeout) "
-			"VALUES (?, ?, ?, ?)",
-			DB_TEXT, name, DB_BLOB, start_addr,
-			DB_BLOB, end_addr, DB_INT, timeout*3600) != 1)
-	{
-		fprintf(stderr, "creating pool failed.\n");
-		exit(-1);
-	}
-	printf("allocating %d addresses... ", count);
-	fflush(stdout);
-	if (db->get_driver(db) == DB_SQLITE)
-	{	/* run population in a transaction for sqlite */
-		db->execute(db, NULL, "BEGIN TRANSACTION");
-	}
-	while (TRUE)
-	{
-		db->execute(db, NULL,
-			"INSERT INTO addresses (pool, address, identity, acquired, released) "
-			"VALUES (?, ?, ?, ?, ?)",
-			DB_UINT, id, DB_BLOB, cur_addr,	DB_UINT, 0, DB_UINT, 0, DB_UINT, 1);
-		if (chunk_equals(cur_addr, end_addr))
-		{
-			break;
-		}
-		chunk_increment(cur_addr);
-	}
-	if (db->get_driver(db) == DB_SQLITE)
-	{
-		db->execute(db, NULL, "END TRANSACTION");
-	}
-	printf("done.\n", count);
-
-	exit(0);
-}
-
-/**
- * ipsec pool --add dns|nbns|wins - add a DNS or NBNS server entry
- */
-static void add_attr(char *name, host_t *server)
-{
-	configuration_attribute_type_t type;
-	chunk_t value;
-
-	type = get_attribute_type(name, server);
-	value = server->get_address(server);
-	if (db->execute(db, NULL,
-			"INSERT INTO attributes (type, value) VALUES (?, ?)",
-			DB_INT, type, DB_BLOB, value) != 1)
-	{
-		fprintf(stderr, "adding %s server %H failed.\n", name, server);
-		exit(-1);
-	}
-	printf("added %s server %H\n", name, server);
-	exit(0);
-}
-
-/**
- * ipsec pool --del - delete a pool
- */
-static void del(char *name)
-{
-	enumerator_t *query;
-	u_int id;
-	bool found = FALSE;
-
-	query = db->query(db, "SELECT id FROM pools WHERE name = ?",
-					  DB_TEXT, name, DB_UINT);
-	if (!query)
-	{
-		fprintf(stderr, "deleting pool failed.\n");
-		exit(-1);
-	}
-	while (query->enumerate(query, &id))
-	{
-		found = TRUE;
-		if (db->execute(db, NULL,
-				"DELETE FROM leases WHERE address IN ("
-				" SELECT id FROM addresses WHERE pool = ?)", DB_UINT, id) < 0 ||
-			db->execute(db, NULL,
-				"DELETE FROM addresses WHERE pool = ?", DB_UINT, id) < 0 ||
-			db->execute(db, NULL,
-				"DELETE FROM pools WHERE id = ?", DB_UINT, id) < 0)
-		{
-			fprintf(stderr, "deleting pool failed.\n");
-			query->destroy(query);
-			exit(-1);
-		}
-	}
-	query->destroy(query);
-	if (!found)
-	{
-		fprintf(stderr, "pool '%s' not found.\n", name);
-		exit(-1);
-	}
-	exit(0);
-}
-
-/**
- * ipsec pool --del dns|nbns|wins - delete a DNS or NBNS server entry
- */
-static void del_attr(char *name, host_t *server)
-{
-	configuration_attribute_type_t type;
-	chunk_t value;
-	u_int id;
-	enumerator_t *query;
-	bool found = FALSE;
-
-	if (server)
-	{
-		type = get_attribute_type(name, server);
-		value = server->get_address(server);
-		query = db->query(db, 
-					"SELECT id, type, value FROM attributes "
-					"WHERE type = ? AND value = ?",
-					DB_INT, type, DB_BLOB, value,
-					DB_UINT, DB_INT, DB_BLOB);
-	}
-	else
-	{
-		configuration_attribute_type_t type_ip4, type_ip6;
-
-		if (strcaseeq(name, "dns"))
-		{
-			type_ip4 = INTERNAL_IP4_DNS;
-			type_ip6 = INTERNAL_IP6_DNS;
-		}
-		else
-		{
-			type_ip4 = INTERNAL_IP4_NBNS;
-			type_ip6 = INTERNAL_IP6_NBNS;
-		}
-			
-		query = db->query(db,
-					"SELECT id, type, value FROM attributes "
-					"WHERE type = ? OR type = ?",
-					DB_INT, type_ip4, DB_INT, type_ip6,
-					DB_UINT, DB_INT, DB_BLOB);
-	}	
-	if (!query)
-	{
-		fprintf(stderr, "deleting %s servers failed.\n", name);
-		exit(-1);
-	}
-
-	while (query->enumerate(query, &id, &type, &value))
-	{
-		int family;
-		host_t *host;
-
-		found = TRUE;
-		family = (type == INTERNAL_IP4_DNS || type == INTERNAL_IP4_NBNS) ?
-				  AF_INET : AF_INET6;
-		host = host_create_from_chunk(family, value, 0);
-		if (db->execute(db, NULL,
-					"DELETE FROM attributes WHERE id = ?",
-					 DB_UINT, id) != 1)
-		{
-			fprintf(stderr, "deleting %s server %H failed\n", name, host);
-			query->destroy(query);
-			DESTROY_IF(host);
-			exit(-1);
-		}
-		printf("deleted %s server %H\n", name, host);
-		DESTROY_IF(host);
-	}
-	query->destroy(query);
-
-	if (!found)
-	{
-		printf("no matching %s servers found\n", name);
-		exit(-1);		
-	}
-	exit(0);
-}
-
-/**
- * ipsec pool --resize - resize a pool		if (db->execute(db, NULL,
-					"DELETE FROM attributes WHERE type = ? AND value = ?",
-					 DB_INT, type, DB_BLOB, value) != 1)
-		{
-			fprintf(stderr, "deleting %s server %H failed\n", name, server);
-			exit(-1);
-		}
-		printf("deleted %s server %H\n", name, server);
-		if (db->execute(db, NULL,
-					"DELETE FROM attributes WHERE type = ? AND value = ?",
-					 DB_INT, type, DB_BLOB, value) != 1)
-		{
-			fprintf(stderr, "deleting %s server %H failed\n", name, server);
-			exit(-1);
-		}
-		printf("deleted %s server %H\n", name, server);
-
- */
-static void resize(char *name, host_t *end)
-{
-	enumerator_t *query;
-	chunk_t old_addr, new_addr, cur_addr;
-	u_int id, count;
-
-	new_addr = end->get_address(end);
-
-	query = db->query(db, "SELECT id, end FROM pools WHERE name = ?",
-					  DB_TEXT, name, DB_UINT, DB_BLOB);
-	if (!query || !query->enumerate(query, &id, &old_addr))
-	{
-		DESTROY_IF(query);
-		fprintf(stderr, "resizing pool failed.\n");
-		exit(-1);
-	}
-	if (old_addr.len != new_addr.len ||
-		memcmp(new_addr.ptr, old_addr.ptr, old_addr.len) < 0)
-	{
-		fprintf(stderr, "shrinking of pools not supported.\n");
-		query->destroy(query);
-		exit(-1);
-	}
-	cur_addr = chunk_clonea(old_addr);
-	count = get_pool_size(old_addr, new_addr) - 1;
-	query->destroy(query);
-
-	if (db->execute(db, NULL,
-			"UPDATE pools SET end = ? WHERE name = ?",
-			DB_BLOB, new_addr, DB_TEXT, name) <= 0)
-	{
-		fprintf(stderr, "pool '%s' not found.\n", name);
-		exit(-1);
-	}
-
-	printf("allocating %d new addresses... ", count);
-	fflush(stdout);
-	if (db->get_driver(db) == DB_SQLITE)
-	{	/* run population in a transaction for sqlite */
-		db->execute(db, NULL, "BEGIN TRANSACTION");
-	}
-	while (count-- > 0)
-	{
-		chunk_increment(cur_addr);
-		db->execute(db, NULL,
-			"INSERT INTO addresses (pool, address, identity, acquired, released) "
-			"VALUES (?, ?, ?, ?, ?)",
-			DB_UINT, id, DB_BLOB, cur_addr,	DB_UINT, 0, DB_UINT, 0, DB_UINT, 1);
-	}
-	if (db->get_driver(db) == DB_SQLITE)
-	{
-		db->execute(db, NULL, "END TRANSACTION");
-	}
-	printf("done.\n", count);
-
-	exit(0);
-}
-
-/**
- * create the lease query using the filter string
- */
-static enumerator_t *create_lease_query(char *filter)
-{
-	enumerator_t *query;
-	identification_t *id = NULL;
-	host_t *addr = NULL;
-	u_int tstamp = 0;
-	bool online = FALSE, valid = FALSE, expired = FALSE;
-	char *value, *pos, *pool = NULL;
-	enum {
-		FIL_POOL = 0,
-		FIL_ID,
-		FIL_ADDR,
-		FIL_TSTAMP,
-		FIL_STATE,
-	};
-	char *const token[] = {
-		[FIL_POOL] = "pool",
-		[FIL_ID] = "id",
-		[FIL_ADDR] = "addr",
-		[FIL_TSTAMP] = "tstamp",
-		[FIL_STATE] = "status",
-		NULL
-	};
-
-	/* if the filter string contains a distinguished name as a ID, we replace
-	 * ", " by "/ " in order to not confuse the getsubopt parser */
-	pos = filter;
-	while ((pos = strchr(pos, ',')))
-	{
-		if (pos[1] == ' ')
-		{
-			pos[0] = '/';
-		}
-		pos++;
-	}
-
-	while (filter && *filter != '\0')
-	{
-		switch (getsubopt(&filter, token, &value))
-		{
-			case FIL_POOL:
-				if (value)
-				{
-					pool = value;
-				}
-				break;
-			case FIL_ID:
-				if (value)
-				{
-					id = identification_create_from_string(value);
-				}
-				break;
-			case FIL_ADDR:
-				if (value)
-				{
-					addr = host_create_from_string(value, 0);
-				}
-				if (!addr)
-				{
-					fprintf(stderr, "invalid 'addr' in filter string.\n");
-					exit(-1);
-				}
-				break;
-			case FIL_TSTAMP:
-				if (value)
-				{
-					tstamp = atoi(value);
-				}
-				if (tstamp == 0)
-				{
-					online = TRUE;
-				}
-				break;
-			case FIL_STATE:
-				if (value)
-				{
-					if (streq(value, "online"))
-					{
-						online = TRUE;
-					}
-					else if (streq(value, "valid"))
-					{
-						valid = TRUE;
-					}
-					else if (streq(value, "expired"))
-					{
-						expired = TRUE;
-					}
-					else
-					{
-						fprintf(stderr, "invalid 'state' in filter string.\n");
-						exit(-1);
-					}
-				}
-				break;
-			default:
-				fprintf(stderr, "invalid filter string.\n");
-				exit(-1);
-				break;
-		}
-	}
-	query = db->query(db,
-				"SELECT name, addresses.address, identities.type, "
-				"identities.data, leases.acquired, leases.released, timeout "
-				"FROM leases JOIN addresses ON leases.address = addresses.id "
-				"JOIN pools ON addresses.pool = pools.id "
-				"JOIN identities ON leases.identity = identities.id "
-				"WHERE (? OR name = ?) "
-				"AND (? OR (identities.type = ? AND identities.data = ?)) "
-				"AND (? OR addresses.address = ?) "
-				"AND (? OR (? >= leases.acquired AND (? <= leases.released))) "
-				"AND (? OR leases.released > ? - timeout) "
-				"AND (? OR leases.released < ? - timeout) "
-				"AND ? "
-				"UNION "
-				"SELECT name, address, identities.type, identities.data, "
-				"acquired, released, timeout FROM addresses "
-				"JOIN pools ON addresses.pool = pools.id "
-				"JOIN identities ON addresses.identity = identities.id "
-				"WHERE ? AND released = 0 "
-				"AND (? OR name = ?) "
-				"AND (? OR (identities.type = ? AND identities.data = ?)) "
-				"AND (? OR address = ?)",
-				DB_INT, pool == NULL, DB_TEXT, pool,
-				DB_INT, id == NULL,
-					DB_INT, id ? id->get_type(id) : 0,
-					DB_BLOB, id ? id->get_encoding(id) : chunk_empty,
-				DB_INT, addr == NULL,
-					DB_BLOB, addr ? addr->get_address(addr) : chunk_empty,
-				DB_INT, tstamp == 0, DB_UINT, tstamp, DB_UINT, tstamp,
-				DB_INT, !valid, DB_INT, time(NULL),
-				DB_INT, !expired, DB_INT, time(NULL),
-				DB_INT, !online,
-				/* union */
-				DB_INT, !(valid || expired),
-				DB_INT, pool == NULL, DB_TEXT, pool,
-				DB_INT, id == NULL,
-					DB_INT, id ? id->get_type(id) : 0,
-					DB_BLOB, id ? id->get_encoding(id) : chunk_empty,
-				DB_INT, addr == NULL,
-					DB_BLOB, addr ? addr->get_address(addr) : chunk_empty,
-				/* res */
-				DB_TEXT, DB_BLOB, DB_INT, DB_BLOB, DB_UINT, DB_UINT, DB_UINT);
-	/* id and addr leak but we can't destroy them until query is destroyed. */
-	return query;
-}
-
-/**
- * ipsec pool --leases - show lease information of a pool
- */
-static void leases(char *filter, bool utc)
-{
-	enumerator_t *query;
-	chunk_t address_chunk, identity_chunk;
-	int identity_type;
-	char *name;
-	u_int acquired, released, timeout;
-	host_t *address;
-	identification_t *identity;
-	bool found = FALSE;
-
-	query = create_lease_query(filter);
-	if (!query)
-	{
-		fprintf(stderr, "querying leases failed.\n");
-		exit(-1);
-	}
-	while (query->enumerate(query, &name, &address_chunk, &identity_type,
-							&identity_chunk, &acquired, &released, &timeout))
-	{
-		if (!found)
-		{
-			int len = utc ? 25 : 21;
-
-			found = TRUE;
-			printf("%-8s %-15s %-7s  %-*s %-*s %s\n",
-				   "name", "address", "status", len, "start", len, "end", "identity");
-		}
-		address = host_create_from_chunk(AF_UNSPEC, address_chunk, 0);
-		identity = identification_create_from_encoding(identity_type, identity_chunk);
-
-		printf("%-8s %-15H ", name, address);
-		if (released == 0)
-		{
-			printf("%-7s ", "online");
-		}
-		else if (timeout == 0)
-		{
-			printf("%-7s ", "static");
-		}
-		else if (released >= time(NULL) - timeout)
-		{
-			printf("%-7s ", "valid");
-		}
-		else
-		{
-			printf("%-7s ", "expired");
-		}
-
-		printf(" %T  ", &acquired, utc);
-		if (released)
-		{
-			printf("%T  ", &released, utc);
-		}
-		else
-		{
-			printf("                      ");
-			if (utc)
-			{
-				printf("    ");
-			}
-		}
-		printf("%Y\n", identity);
-		DESTROY_IF(address);
-		identity->destroy(identity);
-	}
-	query->destroy(query);
-	if (!found)
-	{
-		fprintf(stderr, "no matching leases found.\n");
-		exit(-1);
-	}
-	exit(0);
-}
-
-/**
- * ipsec pool --purge - delete expired leases
- */
-static void purge(char *name)
-{
-	int purged = 0;
-
-	purged = db->execute(db, NULL,
-				"DELETE FROM leases WHERE address IN ("
-				" SELECT id FROM addresses WHERE pool IN ("
-				"  SELECT id FROM pools WHERE name = ?))",
-				DB_TEXT, name);
-	if (purged < 0)
-	{
-		fprintf(stderr, "purging pool '%s' failed.\n", name);
-		exit(-1);
-	}
-	fprintf(stderr, "purged %d leases in pool '%s'.\n", purged, name);
-	exit(0);
-}
-
-/**
- * atexit handler to close db on shutdown
- */
-static void cleanup(void)
-{
-	db->destroy(db);
-	DESTROY_IF(start);
-	DESTROY_IF(end);
-	DESTROY_IF(server);
-}
-
-int main(int argc, char *argv[])
-{
-	char *uri, *name = "", *filter = "";
-	int timeout = 0;
-	bool utc = FALSE;
-	enum {
-		OP_USAGE,
-		OP_STATUS,
-		OP_ADD,
-		OP_ADD_ATTR,
-		OP_DEL,
-		OP_DEL_ATTR,
-		OP_RESIZE,
-		OP_LEASES,
-		OP_PURGE
-	} operation = OP_USAGE;
-
-	atexit(library_deinit);
-
-	/* initialize library */
-	if (!library_init(NULL))
-	{
-		exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
-	}
-	if (lib->integrity &&
-		!lib->integrity->check_file(lib->integrity, "pool", argv[0]))
-	{
-		fprintf(stderr, "integrity check of pool failed\n");
-		exit(SS_RC_DAEMON_INTEGRITY);
-	}
-	if (!lib->plugins->load(lib->plugins, NULL,
-			lib->settings->get_str(lib->settings, "pool.load", PLUGINS)))
-	{
-		exit(SS_RC_INITIALIZATION_FAILED);
-	}
-
-	uri = lib->settings->get_str(lib->settings, "libstrongswan.plugins.attr-sql.database", NULL);
-	if (!uri)
-	{
-		fprintf(stderr, "database URI libstrongswan.plugins.attr-sql.database not set.\n");
-		exit(SS_RC_INITIALIZATION_FAILED);
-	}
-	db = lib->db->create(lib->db, uri);
-	if (!db)
-	{
-		fprintf(stderr, "opening database failed.\n");
-		exit(SS_RC_INITIALIZATION_FAILED);
-	}
-	atexit(cleanup);
-
-	while (TRUE)
-	{
-		int c;
-
-		struct option long_opts[] = {
-			{ "help", no_argument, NULL, 'h' },
-
-			{ "utc", no_argument, NULL, 'u' },
-			{ "status", no_argument, NULL, 'w' },
-			{ "add", required_argument, NULL, 'a' },
-			{ "del", required_argument, NULL, 'd' },
-			{ "resize", required_argument, NULL, 'r' },
-			{ "leases", no_argument, NULL, 'l' },
-			{ "purge", required_argument, NULL, 'p' },
-
-			{ "start", required_argument, NULL, 's' },
-			{ "end", required_argument, NULL, 'e' },
-			{ "timeout", required_argument, NULL, 't' },
-			{ "filter", required_argument, NULL, 'f' },
-			{ "server", required_argument, NULL, 'v' },
-			{ 0,0,0,0 }
-		};
-
-		c = getopt_long(argc, argv, "", long_opts, NULL);
-		switch (c)
-		{
-			case EOF:
-				break;
-			case 'h':
-				break;
-			case 'w':
-				operation = OP_STATUS;
-				break;
-			case 'u':
-				utc = TRUE;
-				continue;
-			case 'a':
-				name = optarg;
-				operation = is_attribute(name) ? OP_ADD_ATTR : OP_ADD;
-				continue;
-			case 'd':
-				name = optarg;
-				operation = is_attribute(name) ? OP_DEL_ATTR : OP_DEL;
-				continue;
-			case 'r':
-				name = optarg;
-				operation = OP_RESIZE;
-				continue;
-			case 'l':
-				operation = OP_LEASES;
-				continue;
-			case 'p':
-				name = optarg;
-				operation = OP_PURGE;
-				continue;
-			case 's':
-				start = host_create_from_string(optarg, 0);
-				if (start == NULL)
-				{
-					fprintf(stderr, "invalid start address: '%s'.\n", optarg);
-					operation = OP_USAGE;
-					break;
-				}
-				continue;
-			case 'e':
-				end = host_create_from_string(optarg, 0);
-				if (end == NULL)
-				{
-					fprintf(stderr, "invalid end address: '%s'.\n", optarg);
-					operation = OP_USAGE;
-					break;
-				}
-				continue;
-			case 't':
-				timeout = atoi(optarg);
-				if (timeout == 0 && strcmp(optarg, "0") != 0)
-				{
-					fprintf(stderr, "invalid timeout '%s'.\n", optarg);
-					operation = OP_USAGE;
-					break;
-				}
-				continue;
-			case 'f':
-				filter = optarg;
-				continue;
-			case 'v':
-				server = host_create_from_string(optarg, 0);
-				if (server == NULL)
-				{
-					fprintf(stderr, "invalid server address: '%s'.\n", optarg);
-					operation = OP_USAGE;
-					break;
-				}
-				continue;
-			default:
-				operation = OP_USAGE;
-				break;
-		}
-		break;
-	}
-
-	switch (operation)
-	{
-		case OP_USAGE:
-			usage();
-			break;
-		case OP_STATUS:
-			status();
-			break;
-		case OP_ADD:
-			if (start == NULL || end == NULL)
-			{
-				fprintf(stderr, "missing arguments.\n");
-				usage();
-			}
-			add(name, start, end, timeout);
-			break;
-		case OP_ADD_ATTR:
-			if (server == NULL)
-			{
-				fprintf(stderr, "missing arguments.\n");
-				usage();
-			}
-			add_attr(name, server);
-			break;
-		case OP_DEL:
-			del(name);
-			break;
-		case OP_DEL_ATTR:
-			del_attr(name, server);
-			break;
-		case OP_RESIZE:
-			if (end == NULL)
-			{
-				fprintf(stderr, "missing arguments.\n");
-				usage();
-			}
-			resize(name, end);
-			break;
-		case OP_LEASES:
-			leases(filter, utc);
-			break;
-		case OP_PURGE:
-			purge(name);
-			break;
-	}
-	exit(0);
-}
-
diff --git a/src/libstrongswan/plugins/attr_sql/sql_attribute.c b/src/libstrongswan/plugins/attr_sql/sql_attribute.c
deleted file mode 100644
index a89195b6d..000000000
--- a/src/libstrongswan/plugins/attr_sql/sql_attribute.c
+++ /dev/null
@@ -1,384 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <time.h>
-
-#include <debug.h>
-#include <library.h>
-
-#include "sql_attribute.h"
-
-typedef struct private_sql_attribute_t private_sql_attribute_t;
-
-/**
- * private data of sql_attribute
- */
-struct private_sql_attribute_t {
-
-	/**
-	 * public functions
-	 */
-	sql_attribute_t public;
-
-	/**
-	 * database connection
-	 */
-	database_t *db;
-
-	/**
-	 * wheter to record lease history in lease table
-	 */
-	bool history;
-};
-
-/**
- * lookup/insert an identity
- */
-static u_int get_identity(private_sql_attribute_t *this, identification_t *id)
-{
-	enumerator_t *e;
-	u_int row;
-
-	/* look for peer identity in the identities table */
-	e = this->db->query(this->db,
-						"SELECT id FROM identities WHERE type = ? AND data = ?",
-						DB_INT, id->get_type(id), DB_BLOB, id->get_encoding(id),
-						DB_UINT);
-
-	if (e && e->enumerate(e, &row))
-	{
-		e->destroy(e);
-		return row;
-	}
-	DESTROY_IF(e);
-	/* not found, insert new one */
-	if (this->db->execute(this->db, &row,
-				  "INSERT INTO identities (type, data) VALUES (?, ?)",
-				  DB_INT, id->get_type(id), DB_BLOB, id->get_encoding(id)) == 1)
-	{
-		return row;
-	}
-	return 0;
-}
-
-/**
- * Lookup pool by name
- */
-static u_int get_pool(private_sql_attribute_t *this, char *name, u_int *timeout)
-{
-	enumerator_t *e;
-	u_int pool;
-
-	e = this->db->query(this->db, "SELECT id, timeout FROM pools WHERE name = ?",
-						DB_TEXT, name, DB_UINT, DB_UINT);
-	if (e && e->enumerate(e, &pool, timeout))
-	{
-		e->destroy(e);
-		return pool;
-	}
-	DESTROY_IF(e);
-	return 0;
-}
-
-/**
- * Look up an existing lease
- */
-static host_t* check_lease(private_sql_attribute_t *this, char *name,
-						   u_int pool, u_int identity)
-{
-	while (TRUE)
-	{
-		u_int id;
-		chunk_t address;
-		enumerator_t *e;
-		time_t now = time(NULL);
-
-		e = this->db->query(this->db,
-				"SELECT id, address FROM addresses "
-				"WHERE pool = ? AND identity = ? AND released != 0 LIMIT 1",
-				DB_UINT, pool, DB_UINT, identity, DB_UINT, DB_BLOB);
-		if (!e || !e->enumerate(e, &id, &address))
-		{
-			DESTROY_IF(e);
-			break;
-		}
-		address = chunk_clonea(address);
-		e->destroy(e);
-
-		if (this->db->execute(this->db, NULL,
-				"UPDATE addresses SET acquired = ?, released = 0 "
-				"WHERE id = ? AND identity = ? AND released != 0",
-				DB_UINT, now, DB_UINT, id, DB_UINT, identity) > 0)
-		{
-			host_t *host;
-
-			host = host_create_from_chunk(AF_UNSPEC, address, 0);
-			if (host)
-			{
-				DBG1("acquired existing lease for address %H in pool '%s'",
-					 host, name);
-				return host;
-			}
-		}
-	}
-	return NULL;
-}
-
-/**
- * We check for unallocated addresses or expired leases. First we select an
- * address as a candidate, but double check later on if it is still available
- * during the update operation. This allows us to work without locking.
- */
-static host_t* get_lease(private_sql_attribute_t *this, char *name,
-						 u_int pool, u_int timeout, u_int identity)
-{
-	while (TRUE)
-	{
-		u_int id;
-		chunk_t address;
-		enumerator_t *e;
-		time_t now = time(NULL);
-		int hits;
-
-		if (timeout)
-		{
-			/* check for an expired lease */
-			e = this->db->query(this->db,
-				"SELECT id, address FROM addresses "
-				"WHERE pool = ? AND released != 0 AND released < ? LIMIT 1",
-				DB_UINT, pool, DB_UINT, now - timeout, DB_UINT, DB_BLOB);
-		}
-		else
-		{
-			/* with static leases, check for an unallocated address */
-			e = this->db->query(this->db,
-				"SELECT id, address FROM addresses "
-				"WHERE pool = ? AND identity = 0 LIMIT 1",
-				DB_UINT, pool, DB_UINT, DB_BLOB);
-
-		}
-
-		if (!e || !e->enumerate(e, &id, &address))
-		{
-			DESTROY_IF(e);
-			break;
-		}
-		address = chunk_clonea(address);
-		e->destroy(e);
-
-		if (timeout)
-		{
-			hits = this->db->execute(this->db, NULL,
-						"UPDATE addresses SET "
-						"acquired = ?, released = 0, identity = ? "
-						"WHERE id = ? AND released != 0 AND released < ?",
-						DB_UINT, now, DB_UINT, identity,
-						DB_UINT, id, DB_UINT, now - timeout);
-		}
-		else
-		{
-			hits = this->db->execute(this->db, NULL,
-						"UPDATE addresses SET "
-						"acquired = ?, released = 0, identity = ? "
-						"WHERE id = ? AND identity = 0",
-						DB_UINT, now, DB_UINT, identity, DB_UINT, id);
-		}
-		if (hits > 0)
-		{
-			host_t *host;
-
-			host = host_create_from_chunk(AF_UNSPEC, address, 0);
-			if (host)
-			{
-				DBG1("acquired new lease for address %H in pool '%s'",
-					 host, name);
-				return host;
-			}
-		}
-	}
-	DBG1("no available address found in pool '%s'", name);
-	return NULL;
-}
-
-/**
- * Implementation of attribute_provider_t.acquire_address
- */
-static host_t* acquire_address(private_sql_attribute_t *this,
-							   char *names, identification_t *id,
-							   host_t *requested)
-{
-	host_t *address = NULL;
-	u_int identity, pool, timeout;
-
-	identity = get_identity(this, id);
-	if (identity)
-	{
-		/* check for a single pool first (no concatenation and enumeration) */
-		if (strchr(names, ',') == NULL)
-		{
-			pool = get_pool(this, names, &timeout);
-			if (pool)
-			{
-				/* check for an existing lease */
-				address = check_lease(this, names, pool, identity);
-				if (address == NULL)
-				{
-					/* get an unallocated address or expired lease */
-					address = get_lease(this, names, pool, timeout, identity);
-				}
-			}
-		}
-		else
-		{
-			enumerator_t *enumerator;
-			char *name;
-
-			/* in a first step check for an existing lease over all pools */
-			enumerator = enumerator_create_token(names, ",", " ");
-			while (enumerator->enumerate(enumerator, &name))
-			{
-				pool = get_pool(this, name, &timeout);
-				if (pool)
-				{
-					address = check_lease(this, name, pool, identity);
-					if (address)
-					{
-						enumerator->destroy(enumerator);
-						return address;
-					}
-				}
-			}
-			enumerator->destroy(enumerator);
-
-			/* in a second step get an unallocated address or expired lease */
-			enumerator = enumerator_create_token(names, ",", " ");
-			while (enumerator->enumerate(enumerator, &name))
-			{
-				pool = get_pool(this, name, &timeout);
-				if (pool)
-				{
-					address = get_lease(this, name, pool, timeout, identity);
-					if (address)
-					{
-						break;
-					}
-				}
-			}
-			enumerator->destroy(enumerator);
-		}
-	}
-	return address;
-}
-
-/**
- * Implementation of attribute_provider_t.release_address
- */
-static bool release_address(private_sql_attribute_t *this,
-							char *name, host_t *address, identification_t *id)
-{
-	enumerator_t *enumerator;
-	bool found = FALSE;
-	time_t now = time(NULL);
-
-	enumerator = enumerator_create_token(name, ",", " ");
-	while (enumerator->enumerate(enumerator, &name))
-	{
-		u_int pool, timeout;
-
-		pool = get_pool(this, name, &timeout);
-		if (pool)
-		{
-			if (this->history)
-			{
-				this->db->execute(this->db, NULL,
-					"INSERT INTO leases (address, identity, acquired, released)"
-					" SELECT id, identity, acquired, ? FROM addresses "
-					" WHERE pool = ? AND address = ?",
-					DB_UINT, now, DB_UINT, pool,
-					DB_BLOB, address->get_address(address));
-			}
-			if (this->db->execute(this->db, NULL,
-					"UPDATE addresses SET released = ? WHERE "
-					"pool = ? AND address = ?", DB_UINT, time(NULL),
-					DB_UINT, pool, DB_BLOB, address->get_address(address)) > 0)
-			{
-				found = TRUE;
-				break;
-			}
-		}
-	}
-	enumerator->destroy(enumerator);
-	return found;
-}
-
-/**
- * Implementation of sql_attribute_t.create_attribute_enumerator
- */
-static enumerator_t* create_attribute_enumerator(private_sql_attribute_t *this,
-											identification_t *id, host_t *vip)
-{
-	if (vip)
-	{
-		enumerator_t *enumerator;
-
-		enumerator = this->db->query(this->db,
-						"SELECT type, value FROM attributes", DB_INT, DB_BLOB);
-		if (enumerator)
-		{
-			return enumerator;
-		}
-	}
-	return enumerator_create_empty();
-}
-
-/**
- * Implementation of sql_attribute_t.destroy
- */
-static void destroy(private_sql_attribute_t *this)
-{
-	free(this);
-}
-
-/*
- * see header file
- */
-sql_attribute_t *sql_attribute_create(database_t *db)
-{
-	private_sql_attribute_t *this = malloc_thing(private_sql_attribute_t);
-	time_t now = time(NULL);
-
-	this->public.provider.acquire_address = (host_t*(*)(attribute_provider_t *this, char*, identification_t *, host_t *))acquire_address;
-	this->public.provider.release_address = (bool(*)(attribute_provider_t *this, char*,host_t *, identification_t*))release_address;
-	this->public.provider.create_attribute_enumerator = (enumerator_t*(*)(attribute_provider_t*, identification_t *id, host_t *host))create_attribute_enumerator;
-	this->public.destroy = (void(*)(sql_attribute_t*))destroy;
-
-	this->db = db;
-	this->history = lib->settings->get_bool(lib->settings,
-						"libstrongswan.plugins.attr-sql.lease_history", TRUE);
-
-	/* close any "online" leases in the case we crashed */
-	if (this->history)
-	{
-		this->db->execute(this->db, NULL,
-					"INSERT INTO leases (address, identity, acquired, released)"
-					" SELECT id, identity, acquired, ? FROM addresses "
-					" WHERE released = 0", DB_UINT, now);
-	}
-	this->db->execute(this->db, NULL,
-					  "UPDATE addresses SET released = ? WHERE released = 0",
-					  DB_UINT, now);
-	return &this->public;
-}
-
diff --git a/src/libstrongswan/plugins/attr_sql/sql_attribute.h b/src/libstrongswan/plugins/attr_sql/sql_attribute.h
deleted file mode 100644
index ca87eb27e..000000000
--- a/src/libstrongswan/plugins/attr_sql/sql_attribute.h
+++ /dev/null
@@ -1,50 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup sql_attribute sql_attribute
- * @{ @ingroup attr_sql
- */
-
-#ifndef SQL_ATTRIBUTE_H_
-#define SQL_ATTRIBUTE_H_
-
-#include <attributes/attribute_provider.h>
-#include <database/database.h>
-
-typedef struct sql_attribute_t sql_attribute_t;
-
-/**
- * SQL database based IKEv2 cfg attribute provider.
- */
-struct sql_attribute_t {
-
-	/**
-	 * Implements attribute provider interface
-	 */
-	attribute_provider_t provider;
-
-	/**
-	 * Destroy a sql_attribute instance.
-	 */
-	void (*destroy)(sql_attribute_t *this);
-};
-
-/**
- * Create a sql_attribute instance.
- */
-sql_attribute_t *sql_attribute_create(database_t *db);
-
-#endif /** SQL_ATTRIBUTE_H_ @}*/
diff --git a/src/libstrongswan/plugins/blowfish/Makefile.am b/src/libstrongswan/plugins/blowfish/Makefile.am
index de8948445..95c414204 100644
--- a/src/libstrongswan/plugins/blowfish/Makefile.am
+++ b/src/libstrongswan/plugins/blowfish/Makefile.am
@@ -3,10 +3,14 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan
 
 AM_CFLAGS = -rdynamic
 
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-blowfish.la
+else
 plugin_LTLIBRARIES = libstrongswan-blowfish.la
+endif
 
 libstrongswan_blowfish_la_SOURCES = \
-blowfish_plugin.h blowfish_plugin.c blowfish_crypter.c blowfish_crypter.h \
-bf_skey.c blowfish.h bf_pi.h bf_locl.h bf_enc.c
-libstrongswan_blowfish_la_LDFLAGS = -module -avoid-version
+	blowfish_plugin.h blowfish_plugin.c blowfish_crypter.c blowfish_crypter.h \
+	bf_skey.c blowfish.h bf_pi.h bf_locl.h bf_enc.c
 
+libstrongswan_blowfish_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/blowfish/Makefile.in b/src/libstrongswan/plugins/blowfish/Makefile.in
index 7b55d69c7..f95a4abe5 100644
--- a/src/libstrongswan/plugins/blowfish/Makefile.in
+++ b/src/libstrongswan/plugins/blowfish/Makefile.in
@@ -72,7 +72,7 @@ am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__installdirs = "$(DESTDIR)$(plugindir)"
-LTLIBRARIES = $(plugin_LTLIBRARIES)
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_blowfish_la_LIBADD =
 am_libstrongswan_blowfish_la_OBJECTS = blowfish_plugin.lo \
 	blowfish_crypter.lo bf_skey.lo bf_enc.lo
@@ -82,6 +82,9 @@ libstrongswan_blowfish_la_LINK = $(LIBTOOL) --tag=CC \
 	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
 	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_blowfish_la_LDFLAGS) \
 	$(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_blowfish_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_blowfish_la_rpath =
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
@@ -220,6 +223,7 @@ ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libhydra_plugins = @libhydra_plugins@
 libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
@@ -256,10 +260,11 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
 AM_CFLAGS = -rdynamic
-plugin_LTLIBRARIES = libstrongswan-blowfish.la
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-blowfish.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-blowfish.la
 libstrongswan_blowfish_la_SOURCES = \
-blowfish_plugin.h blowfish_plugin.c blowfish_crypter.c blowfish_crypter.h \
-bf_skey.c blowfish.h bf_pi.h bf_locl.h bf_enc.c
+	blowfish_plugin.h blowfish_plugin.c blowfish_crypter.c blowfish_crypter.h \
+	bf_skey.c blowfish.h bf_pi.h bf_locl.h bf_enc.c
 
 libstrongswan_blowfish_la_LDFLAGS = -module -avoid-version
 all: all-am
@@ -296,6 +301,15 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
 	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
@@ -328,7 +342,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-blowfish.la: $(libstrongswan_blowfish_la_OBJECTS) $(libstrongswan_blowfish_la_DEPENDENCIES) 
-	$(libstrongswan_blowfish_la_LINK) -rpath $(plugindir) $(libstrongswan_blowfish_la_OBJECTS) $(libstrongswan_blowfish_la_LIBADD) $(LIBS)
+	$(libstrongswan_blowfish_la_LINK) $(am_libstrongswan_blowfish_la_rpath) $(libstrongswan_blowfish_la_OBJECTS) $(libstrongswan_blowfish_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -484,8 +498,8 @@ maintainer-clean-generic:
 	@echo "it deletes files that may require special tools to rebuild."
 clean: clean-am
 
-clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
-	mostlyclean-am
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
 
 distclean: distclean-am
 	-rm -rf ./$(DEPDIR)
@@ -556,18 +570,19 @@ uninstall-am: uninstall-pluginLTLIBRARIES
 .MAKE: install-am install-strip
 
 .PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
-	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
-	distclean-compile distclean-generic distclean-libtool \
-	distclean-tags distdir dvi dvi-am html html-am info info-am \
-	install install-am install-data install-data-am install-dvi \
-	install-dvi-am install-exec install-exec-am install-html \
-	install-html-am install-info install-info-am install-man \
-	install-pdf install-pdf-am install-pluginLTLIBRARIES \
-	install-ps install-ps-am install-strip installcheck \
-	installcheck-am installdirs maintainer-clean \
-	maintainer-clean-generic mostlyclean mostlyclean-compile \
-	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
 
 
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
diff --git a/src/libstrongswan/plugins/blowfish/blowfish_plugin.c b/src/libstrongswan/plugins/blowfish/blowfish_plugin.c
index 993dc8b3b..f9fb605b3 100644
--- a/src/libstrongswan/plugins/blowfish/blowfish_plugin.c
+++ b/src/libstrongswan/plugins/blowfish/blowfish_plugin.c
@@ -45,7 +45,7 @@ static void destroy(private_blowfish_plugin_t *this)
 /*
  * see header file
  */
-plugin_t *plugin_create()
+plugin_t *blowfish_plugin_create()
 {
 	private_blowfish_plugin_t *this = malloc_thing(private_blowfish_plugin_t);
 
diff --git a/src/libstrongswan/plugins/blowfish/blowfish_plugin.h b/src/libstrongswan/plugins/blowfish/blowfish_plugin.h
index 596a7c791..6a87f42ee 100644
--- a/src/libstrongswan/plugins/blowfish/blowfish_plugin.h
+++ b/src/libstrongswan/plugins/blowfish/blowfish_plugin.h
@@ -40,9 +40,4 @@ struct blowfish_plugin_t {
 	plugin_t plugin;
 };
 
-/**
- * Create a blowfish_plugin instance.
- */
-plugin_t *plugin_create();
-
 #endif /** BLOWFISH_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/curl/Makefile.am b/src/libstrongswan/plugins/curl/Makefile.am
index f0a41e4ad..43718f678 100644
--- a/src/libstrongswan/plugins/curl/Makefile.am
+++ b/src/libstrongswan/plugins/curl/Makefile.am
@@ -3,9 +3,14 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan
 
 AM_CFLAGS = -rdynamic
 
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-curl.la
+else
 plugin_LTLIBRARIES = libstrongswan-curl.la
+endif
+
+libstrongswan_curl_la_SOURCES = \
+	curl_plugin.h curl_plugin.c curl_fetcher.c curl_fetcher.h
 
-libstrongswan_curl_la_SOURCES = curl_plugin.h curl_plugin.c curl_fetcher.c curl_fetcher.h
 libstrongswan_curl_la_LDFLAGS = -module -avoid-version
 libstrongswan_curl_la_LIBADD  = -lcurl
-
diff --git a/src/libstrongswan/plugins/curl/Makefile.in b/src/libstrongswan/plugins/curl/Makefile.in
index 32b2504fe..1952b22e7 100644
--- a/src/libstrongswan/plugins/curl/Makefile.in
+++ b/src/libstrongswan/plugins/curl/Makefile.in
@@ -72,13 +72,15 @@ am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__installdirs = "$(DESTDIR)$(plugindir)"
-LTLIBRARIES = $(plugin_LTLIBRARIES)
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_curl_la_DEPENDENCIES =
 am_libstrongswan_curl_la_OBJECTS = curl_plugin.lo curl_fetcher.lo
 libstrongswan_curl_la_OBJECTS = $(am_libstrongswan_curl_la_OBJECTS)
 libstrongswan_curl_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
 	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
 	$(libstrongswan_curl_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_curl_la_rpath = -rpath $(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_curl_la_rpath =
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
@@ -217,6 +219,7 @@ ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libhydra_plugins = @libhydra_plugins@
 libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
@@ -253,8 +256,11 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
 AM_CFLAGS = -rdynamic
-plugin_LTLIBRARIES = libstrongswan-curl.la
-libstrongswan_curl_la_SOURCES = curl_plugin.h curl_plugin.c curl_fetcher.c curl_fetcher.h
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-curl.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-curl.la
+libstrongswan_curl_la_SOURCES = \
+	curl_plugin.h curl_plugin.c curl_fetcher.c curl_fetcher.h
+
 libstrongswan_curl_la_LDFLAGS = -module -avoid-version
 libstrongswan_curl_la_LIBADD = -lcurl
 all: all-am
@@ -291,6 +297,15 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
 	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
@@ -323,7 +338,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-curl.la: $(libstrongswan_curl_la_OBJECTS) $(libstrongswan_curl_la_DEPENDENCIES) 
-	$(libstrongswan_curl_la_LINK) -rpath $(plugindir) $(libstrongswan_curl_la_OBJECTS) $(libstrongswan_curl_la_LIBADD) $(LIBS)
+	$(libstrongswan_curl_la_LINK) $(am_libstrongswan_curl_la_rpath) $(libstrongswan_curl_la_OBJECTS) $(libstrongswan_curl_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -477,8 +492,8 @@ maintainer-clean-generic:
 	@echo "it deletes files that may require special tools to rebuild."
 clean: clean-am
 
-clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
-	mostlyclean-am
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
 
 distclean: distclean-am
 	-rm -rf ./$(DEPDIR)
@@ -549,18 +564,19 @@ uninstall-am: uninstall-pluginLTLIBRARIES
 .MAKE: install-am install-strip
 
 .PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
-	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
-	distclean-compile distclean-generic distclean-libtool \
-	distclean-tags distdir dvi dvi-am html html-am info info-am \
-	install install-am install-data install-data-am install-dvi \
-	install-dvi-am install-exec install-exec-am install-html \
-	install-html-am install-info install-info-am install-man \
-	install-pdf install-pdf-am install-pluginLTLIBRARIES \
-	install-ps install-ps-am install-strip installcheck \
-	installcheck-am installdirs maintainer-clean \
-	maintainer-clean-generic mostlyclean mostlyclean-compile \
-	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
 
 
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
diff --git a/src/libstrongswan/plugins/curl/curl_fetcher.c b/src/libstrongswan/plugins/curl/curl_fetcher.c
index 08315e932..2341c9052 100644
--- a/src/libstrongswan/plugins/curl/curl_fetcher.c
+++ b/src/libstrongswan/plugins/curl/curl_fetcher.c
@@ -84,7 +84,7 @@ METHOD(fetcher_t, fetch, status_t,
 		curl_easy_setopt(this->curl, CURLOPT_HTTPHEADER, this->headers);
 	}
 
-	DBG2("  sending http request to '%s'...", uri);
+	DBG2(DBG_LIB, "  sending http request to '%s'...", uri);
 	switch (curl_easy_perform(this->curl))
 	{
 		case CURLE_UNSUPPORTED_PROTOCOL:
@@ -94,7 +94,7 @@ METHOD(fetcher_t, fetch, status_t,
 			status = SUCCESS;
 			break;
 		default:
-			DBG1("libcurl http request failed: %s", error);
+			DBG1(DBG_LIB, "libcurl http request failed: %s", error);
 			status = FAILED;
 			break;
 	}
diff --git a/src/libstrongswan/plugins/curl/curl_plugin.c b/src/libstrongswan/plugins/curl/curl_plugin.c
index 13dfa053f..e00fcfc03 100644
--- a/src/libstrongswan/plugins/curl/curl_plugin.c
+++ b/src/libstrongswan/plugins/curl/curl_plugin.c
@@ -48,7 +48,7 @@ static void destroy(private_curl_plugin_t *this)
 /*
  * see header file
  */
-plugin_t *plugin_create()
+plugin_t *curl_plugin_create()
 {
 	CURLcode res;
 	private_curl_plugin_t *this = malloc_thing(private_curl_plugin_t);
@@ -69,7 +69,7 @@ plugin_t *plugin_create()
 	}
 	else
 	{
-		DBG1("global libcurl initializing failed: %s, curl disabled",
+		DBG1(DBG_LIB, "global libcurl initializing failed: %s, curl disabled",
 			 curl_easy_strerror(res));
 	}
 	return &this->public.plugin;
diff --git a/src/libstrongswan/plugins/curl/curl_plugin.h b/src/libstrongswan/plugins/curl/curl_plugin.h
index 1b748446b..ae17285c2 100644
--- a/src/libstrongswan/plugins/curl/curl_plugin.h
+++ b/src/libstrongswan/plugins/curl/curl_plugin.h
@@ -39,9 +39,4 @@ struct curl_plugin_t {
 	plugin_t plugin;
 };
 
-/**
- * Create a curl_plugin instance.
- */
-plugin_t *plugin_create();
-
 #endif /** CURL_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/des/Makefile.am b/src/libstrongswan/plugins/des/Makefile.am
index 76cfbc419..c7d9ce915 100644
--- a/src/libstrongswan/plugins/des/Makefile.am
+++ b/src/libstrongswan/plugins/des/Makefile.am
@@ -3,8 +3,13 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan
 
 AM_CFLAGS = -rdynamic
 
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-des.la
+else
 plugin_LTLIBRARIES = libstrongswan-des.la
+endif
 
-libstrongswan_des_la_SOURCES = des_plugin.h des_plugin.c des_crypter.c des_crypter.h
-libstrongswan_des_la_LDFLAGS = -module -avoid-version
+libstrongswan_des_la_SOURCES = \
+	des_plugin.h des_plugin.c des_crypter.c des_crypter.h
 
+libstrongswan_des_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/des/Makefile.in b/src/libstrongswan/plugins/des/Makefile.in
index f68b4bd03..af351cfe3 100644
--- a/src/libstrongswan/plugins/des/Makefile.in
+++ b/src/libstrongswan/plugins/des/Makefile.in
@@ -72,13 +72,15 @@ am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__installdirs = "$(DESTDIR)$(plugindir)"
-LTLIBRARIES = $(plugin_LTLIBRARIES)
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_des_la_LIBADD =
 am_libstrongswan_des_la_OBJECTS = des_plugin.lo des_crypter.lo
 libstrongswan_des_la_OBJECTS = $(am_libstrongswan_des_la_OBJECTS)
 libstrongswan_des_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
 	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
 	$(libstrongswan_des_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_des_la_rpath = -rpath $(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_des_la_rpath =
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
@@ -217,6 +219,7 @@ ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libhydra_plugins = @libhydra_plugins@
 libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
@@ -253,8 +256,11 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
 AM_CFLAGS = -rdynamic
-plugin_LTLIBRARIES = libstrongswan-des.la
-libstrongswan_des_la_SOURCES = des_plugin.h des_plugin.c des_crypter.c des_crypter.h
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-des.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-des.la
+libstrongswan_des_la_SOURCES = \
+	des_plugin.h des_plugin.c des_crypter.c des_crypter.h
+
 libstrongswan_des_la_LDFLAGS = -module -avoid-version
 all: all-am
 
@@ -290,6 +296,15 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
 	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
@@ -322,7 +337,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-des.la: $(libstrongswan_des_la_OBJECTS) $(libstrongswan_des_la_DEPENDENCIES) 
-	$(libstrongswan_des_la_LINK) -rpath $(plugindir) $(libstrongswan_des_la_OBJECTS) $(libstrongswan_des_la_LIBADD) $(LIBS)
+	$(libstrongswan_des_la_LINK) $(am_libstrongswan_des_la_rpath) $(libstrongswan_des_la_OBJECTS) $(libstrongswan_des_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -476,8 +491,8 @@ maintainer-clean-generic:
 	@echo "it deletes files that may require special tools to rebuild."
 clean: clean-am
 
-clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
-	mostlyclean-am
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
 
 distclean: distclean-am
 	-rm -rf ./$(DEPDIR)
@@ -548,18 +563,19 @@ uninstall-am: uninstall-pluginLTLIBRARIES
 .MAKE: install-am install-strip
 
 .PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
-	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
-	distclean-compile distclean-generic distclean-libtool \
-	distclean-tags distdir dvi dvi-am html html-am info info-am \
-	install install-am install-data install-data-am install-dvi \
-	install-dvi-am install-exec install-exec-am install-html \
-	install-html-am install-info install-info-am install-man \
-	install-pdf install-pdf-am install-pluginLTLIBRARIES \
-	install-ps install-ps-am install-strip installcheck \
-	installcheck-am installdirs maintainer-clean \
-	maintainer-clean-generic mostlyclean mostlyclean-compile \
-	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
 
 
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
diff --git a/src/libstrongswan/plugins/des/des_plugin.c b/src/libstrongswan/plugins/des/des_plugin.c
index 649d224ab..afc82e8d4 100644
--- a/src/libstrongswan/plugins/des/des_plugin.c
+++ b/src/libstrongswan/plugins/des/des_plugin.c
@@ -44,7 +44,7 @@ static void destroy(private_des_plugin_t *this)
 /*
  * see header file
  */
-plugin_t *plugin_create()
+plugin_t *des_plugin_create()
 {
 	private_des_plugin_t *this = malloc_thing(private_des_plugin_t);
 
diff --git a/src/libstrongswan/plugins/des/des_plugin.h b/src/libstrongswan/plugins/des/des_plugin.h
index 17df220bc..cfff420c0 100644
--- a/src/libstrongswan/plugins/des/des_plugin.h
+++ b/src/libstrongswan/plugins/des/des_plugin.h
@@ -39,9 +39,4 @@ struct des_plugin_t {
 	plugin_t plugin;
 };
 
-/**
- * Create a des_plugin instance.
- */
-plugin_t *plugin_create();
-
 #endif /** DES_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/dnskey/Makefile.am b/src/libstrongswan/plugins/dnskey/Makefile.am
index fd020f505..fbba95e0a 100644
--- a/src/libstrongswan/plugins/dnskey/Makefile.am
+++ b/src/libstrongswan/plugins/dnskey/Makefile.am
@@ -3,10 +3,14 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan
 
 AM_CFLAGS = -rdynamic
 
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-dnskey.la
+else
 plugin_LTLIBRARIES = libstrongswan-dnskey.la
+endif
 
-libstrongswan_dnskey_la_SOURCES = dnskey_plugin.h dnskey_plugin.c \
-  dnskey_builder.h dnskey_builder.c
+libstrongswan_dnskey_la_SOURCES = \
+	dnskey_plugin.h dnskey_plugin.c \
+	dnskey_builder.h dnskey_builder.c
 
 libstrongswan_dnskey_la_LDFLAGS = -module -avoid-version
-
diff --git a/src/libstrongswan/plugins/dnskey/Makefile.in b/src/libstrongswan/plugins/dnskey/Makefile.in
index d7d5ff29b..1f1f90127 100644
--- a/src/libstrongswan/plugins/dnskey/Makefile.in
+++ b/src/libstrongswan/plugins/dnskey/Makefile.in
@@ -72,7 +72,7 @@ am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__installdirs = "$(DESTDIR)$(plugindir)"
-LTLIBRARIES = $(plugin_LTLIBRARIES)
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_dnskey_la_LIBADD =
 am_libstrongswan_dnskey_la_OBJECTS = dnskey_plugin.lo \
 	dnskey_builder.lo
@@ -81,6 +81,9 @@ libstrongswan_dnskey_la_OBJECTS =  \
 libstrongswan_dnskey_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
 	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
 	$(libstrongswan_dnskey_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_dnskey_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_dnskey_la_rpath =
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
@@ -219,6 +222,7 @@ ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libhydra_plugins = @libhydra_plugins@
 libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
@@ -255,9 +259,11 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
 AM_CFLAGS = -rdynamic
-plugin_LTLIBRARIES = libstrongswan-dnskey.la
-libstrongswan_dnskey_la_SOURCES = dnskey_plugin.h dnskey_plugin.c \
-  dnskey_builder.h dnskey_builder.c
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-dnskey.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-dnskey.la
+libstrongswan_dnskey_la_SOURCES = \
+	dnskey_plugin.h dnskey_plugin.c \
+	dnskey_builder.h dnskey_builder.c
 
 libstrongswan_dnskey_la_LDFLAGS = -module -avoid-version
 all: all-am
@@ -294,6 +300,15 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
 	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
@@ -326,7 +341,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-dnskey.la: $(libstrongswan_dnskey_la_OBJECTS) $(libstrongswan_dnskey_la_DEPENDENCIES) 
-	$(libstrongswan_dnskey_la_LINK) -rpath $(plugindir) $(libstrongswan_dnskey_la_OBJECTS) $(libstrongswan_dnskey_la_LIBADD) $(LIBS)
+	$(libstrongswan_dnskey_la_LINK) $(am_libstrongswan_dnskey_la_rpath) $(libstrongswan_dnskey_la_OBJECTS) $(libstrongswan_dnskey_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -480,8 +495,8 @@ maintainer-clean-generic:
 	@echo "it deletes files that may require special tools to rebuild."
 clean: clean-am
 
-clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
-	mostlyclean-am
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
 
 distclean: distclean-am
 	-rm -rf ./$(DEPDIR)
@@ -552,18 +567,19 @@ uninstall-am: uninstall-pluginLTLIBRARIES
 .MAKE: install-am install-strip
 
 .PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
-	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
-	distclean-compile distclean-generic distclean-libtool \
-	distclean-tags distdir dvi dvi-am html html-am info info-am \
-	install install-am install-data install-data-am install-dvi \
-	install-dvi-am install-exec install-exec-am install-html \
-	install-html-am install-info install-info-am install-man \
-	install-pdf install-pdf-am install-pluginLTLIBRARIES \
-	install-ps install-ps-am install-strip installcheck \
-	installcheck-am installdirs maintainer-clean \
-	maintainer-clean-generic mostlyclean mostlyclean-compile \
-	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
 
 
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
diff --git a/src/libstrongswan/plugins/dnskey/dnskey_builder.c b/src/libstrongswan/plugins/dnskey/dnskey_builder.c
index ba20e7158..ea4eb6cda 100644
--- a/src/libstrongswan/plugins/dnskey/dnskey_builder.c
+++ b/src/libstrongswan/plugins/dnskey/dnskey_builder.c
@@ -52,7 +52,7 @@ static dnskey_public_key_t *parse_public_key(chunk_t blob)
 
 	if (blob.len < sizeof(dnskey_rr_t))
 	{
-		DBG1("DNSKEY too short");
+		DBG1(DBG_LIB, "DNSKEY too short");
 		return NULL;
 	}
 	blob = chunk_skip(blob, sizeof(dnskey_rr_t));
@@ -63,7 +63,8 @@ static dnskey_public_key_t *parse_public_key(chunk_t blob)
 			return lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
 									  BUILD_BLOB_DNSKEY, blob, BUILD_END);
 		default:
-			DBG1("DNSKEY public key algorithm %d not supported", rr->algorithm);
+			DBG1(DBG_LIB, "DNSKEY public key algorithm %d not supported",
+				 rr->algorithm);
 			return NULL;
 	}
 }
@@ -77,7 +78,7 @@ static dnskey_public_key_t *parse_rsa_public_key(chunk_t blob)
 
 	if (blob.len < 3)
 	{
-		DBG1("RFC 3110 public key blob too short for exponent length");
+		DBG1(DBG_LIB, "RFC 3110 public key blob too short for exponent length");
 		return NULL;
 	}
 
@@ -94,7 +95,7 @@ static dnskey_public_key_t *parse_rsa_public_key(chunk_t blob)
 	e.ptr = blob.ptr;
 	if (e.len >= blob.len)
 	{
-		DBG1("RFC 3110 public key blob too short for exponent");
+		DBG1(DBG_LIB, "RFC 3110 public key blob too short for exponent");
 		return NULL;
 	}
 	n = chunk_skip(blob, e.len);
diff --git a/src/libstrongswan/plugins/dnskey/dnskey_plugin.c b/src/libstrongswan/plugins/dnskey/dnskey_plugin.c
index 83dbe31a1..125047b05 100644
--- a/src/libstrongswan/plugins/dnskey/dnskey_plugin.c
+++ b/src/libstrongswan/plugins/dnskey/dnskey_plugin.c
@@ -44,7 +44,7 @@ static void destroy(private_dnskey_plugin_t *this)
 /*
  * see header file
  */
-plugin_t *plugin_create()
+plugin_t *dnskey_plugin_create()
 {
 	private_dnskey_plugin_t *this = malloc_thing(private_dnskey_plugin_t);
 
diff --git a/src/libstrongswan/plugins/dnskey/dnskey_plugin.h b/src/libstrongswan/plugins/dnskey/dnskey_plugin.h
index 17790e1c6..8b49bd6cb 100644
--- a/src/libstrongswan/plugins/dnskey/dnskey_plugin.h
+++ b/src/libstrongswan/plugins/dnskey/dnskey_plugin.h
@@ -39,9 +39,4 @@ struct dnskey_plugin_t {
 	plugin_t plugin;
 };
 
-/**
- * Create a dnskey_plugin instance.
- */
-plugin_t *plugin_create();
-
 #endif /** DNSKEY_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/fips_prf/Makefile.am b/src/libstrongswan/plugins/fips_prf/Makefile.am
index d9431947e..c9cf2c977 100644
--- a/src/libstrongswan/plugins/fips_prf/Makefile.am
+++ b/src/libstrongswan/plugins/fips_prf/Makefile.am
@@ -3,8 +3,13 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan
 
 AM_CFLAGS = -rdynamic
 
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-fips-prf.la
+else
 plugin_LTLIBRARIES = libstrongswan-fips-prf.la
+endif
 
-libstrongswan_fips_prf_la_SOURCES = fips_prf_plugin.h fips_prf_plugin.c fips_prf.c fips_prf.h
-libstrongswan_fips_prf_la_LDFLAGS = -module -avoid-version
+libstrongswan_fips_prf_la_SOURCES = \
+	fips_prf_plugin.h fips_prf_plugin.c fips_prf.c fips_prf.h
 
+libstrongswan_fips_prf_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/fips_prf/Makefile.in b/src/libstrongswan/plugins/fips_prf/Makefile.in
index b23af6def..70553fbd8 100644
--- a/src/libstrongswan/plugins/fips_prf/Makefile.in
+++ b/src/libstrongswan/plugins/fips_prf/Makefile.in
@@ -72,7 +72,7 @@ am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__installdirs = "$(DESTDIR)$(plugindir)"
-LTLIBRARIES = $(plugin_LTLIBRARIES)
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_fips_prf_la_LIBADD =
 am_libstrongswan_fips_prf_la_OBJECTS = fips_prf_plugin.lo fips_prf.lo
 libstrongswan_fips_prf_la_OBJECTS =  \
@@ -81,6 +81,9 @@ libstrongswan_fips_prf_la_LINK = $(LIBTOOL) --tag=CC \
 	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
 	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_fips_prf_la_LDFLAGS) \
 	$(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_fips_prf_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_fips_prf_la_rpath =
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
@@ -219,6 +222,7 @@ ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libhydra_plugins = @libhydra_plugins@
 libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
@@ -255,8 +259,11 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
 AM_CFLAGS = -rdynamic
-plugin_LTLIBRARIES = libstrongswan-fips-prf.la
-libstrongswan_fips_prf_la_SOURCES = fips_prf_plugin.h fips_prf_plugin.c fips_prf.c fips_prf.h
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-fips-prf.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-fips-prf.la
+libstrongswan_fips_prf_la_SOURCES = \
+	fips_prf_plugin.h fips_prf_plugin.c fips_prf.c fips_prf.h
+
 libstrongswan_fips_prf_la_LDFLAGS = -module -avoid-version
 all: all-am
 
@@ -292,6 +299,15 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
 	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
@@ -324,7 +340,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-fips-prf.la: $(libstrongswan_fips_prf_la_OBJECTS) $(libstrongswan_fips_prf_la_DEPENDENCIES) 
-	$(libstrongswan_fips_prf_la_LINK) -rpath $(plugindir) $(libstrongswan_fips_prf_la_OBJECTS) $(libstrongswan_fips_prf_la_LIBADD) $(LIBS)
+	$(libstrongswan_fips_prf_la_LINK) $(am_libstrongswan_fips_prf_la_rpath) $(libstrongswan_fips_prf_la_OBJECTS) $(libstrongswan_fips_prf_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -478,8 +494,8 @@ maintainer-clean-generic:
 	@echo "it deletes files that may require special tools to rebuild."
 clean: clean-am
 
-clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
-	mostlyclean-am
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
 
 distclean: distclean-am
 	-rm -rf ./$(DEPDIR)
@@ -550,18 +566,19 @@ uninstall-am: uninstall-pluginLTLIBRARIES
 .MAKE: install-am install-strip
 
 .PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
-	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
-	distclean-compile distclean-generic distclean-libtool \
-	distclean-tags distdir dvi dvi-am html html-am info info-am \
-	install install-am install-data install-data-am install-dvi \
-	install-dvi-am install-exec install-exec-am install-html \
-	install-html-am install-info install-info-am install-man \
-	install-pdf install-pdf-am install-pluginLTLIBRARIES \
-	install-ps install-ps-am install-strip installcheck \
-	installcheck-am installdirs maintainer-clean \
-	maintainer-clean-generic mostlyclean mostlyclean-compile \
-	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
 
 
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
diff --git a/src/libstrongswan/plugins/fips_prf/fips_prf.c b/src/libstrongswan/plugins/fips_prf/fips_prf.c
index 123d2a244..ad03fa585 100644
--- a/src/libstrongswan/plugins/fips_prf/fips_prf.c
+++ b/src/libstrongswan/plugins/fips_prf/fips_prf.c
@@ -126,14 +126,14 @@ static void get_bytes(private_fips_prf_t *this, chunk_t seed, u_int8_t w[])
 	{
 		/* a. XVAL = (XKEY + XSEED j) mod 2^b */
 		add_mod(this->b, xkey, xseed, xval);
-		DBG3("XVAL %b", xval, this->b);
+		DBG3(DBG_LIB, "XVAL %b", xval, this->b);
 		/* b. wi = G(t, XVAL ) */
 		this->g(this, chunk_create(xval, this->b), &w[i * this->b]);
-		DBG3("w[%d] %b", i, &w[i * this->b], this->b);
+		DBG3(DBG_LIB, "w[%d] %b", i, &w[i * this->b], this->b);
 		/* c. XKEY = (1 + XKEY + wi) mod 2b */
 		add_mod(this->b, xkey, &w[i * this->b], sum);
 		add_mod(this->b, sum, one, xkey);
-		DBG3("XKEY %b", xkey, this->b);
+		DBG3(DBG_LIB, "XKEY %b", xkey, this->b);
 	}
 
 	/* 3.3 done already, mod q not used */
diff --git a/src/libstrongswan/plugins/fips_prf/fips_prf_plugin.c b/src/libstrongswan/plugins/fips_prf/fips_prf_plugin.c
index 6c0842f81..f41265637 100644
--- a/src/libstrongswan/plugins/fips_prf/fips_prf_plugin.c
+++ b/src/libstrongswan/plugins/fips_prf/fips_prf_plugin.c
@@ -44,7 +44,7 @@ static void destroy(private_fips_prf_plugin_t *this)
 /*
  * see header file
  */
-plugin_t *plugin_create()
+plugin_t *fips_prf_plugin_create()
 {
 	private_fips_prf_plugin_t *this = malloc_thing(private_fips_prf_plugin_t);
 
diff --git a/src/libstrongswan/plugins/fips_prf/fips_prf_plugin.h b/src/libstrongswan/plugins/fips_prf/fips_prf_plugin.h
index 8d65254ba..3bd26ad45 100644
--- a/src/libstrongswan/plugins/fips_prf/fips_prf_plugin.h
+++ b/src/libstrongswan/plugins/fips_prf/fips_prf_plugin.h
@@ -39,9 +39,4 @@ struct fips_prf_plugin_t {
 	plugin_t plugin;
 };
 
-/**
- * Create a fips_prf_plugin instance.
- */
-plugin_t *plugin_create();
-
 #endif /** FIPS_PRF_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/gcrypt/Makefile.am b/src/libstrongswan/plugins/gcrypt/Makefile.am
index a468a5ed9..48bf916ab 100644
--- a/src/libstrongswan/plugins/gcrypt/Makefile.am
+++ b/src/libstrongswan/plugins/gcrypt/Makefile.am
@@ -3,9 +3,14 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan
 
 AM_CFLAGS = -rdynamic
 
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-gcrypt.la
+else
 plugin_LTLIBRARIES = libstrongswan-gcrypt.la
+endif
 
-libstrongswan_gcrypt_la_SOURCES = gcrypt_plugin.h gcrypt_plugin.c \
+libstrongswan_gcrypt_la_SOURCES = \
+	gcrypt_plugin.h gcrypt_plugin.c \
 	gcrypt_rsa_public_key.h gcrypt_rsa_public_key.c \
 	gcrypt_rsa_private_key.h gcrypt_rsa_private_key.c \
 	gcrypt_dh.h gcrypt_dh.c \
diff --git a/src/libstrongswan/plugins/gcrypt/Makefile.in b/src/libstrongswan/plugins/gcrypt/Makefile.in
index c3081e2dd..35829c950 100644
--- a/src/libstrongswan/plugins/gcrypt/Makefile.in
+++ b/src/libstrongswan/plugins/gcrypt/Makefile.in
@@ -72,7 +72,7 @@ am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__installdirs = "$(DESTDIR)$(plugindir)"
-LTLIBRARIES = $(plugin_LTLIBRARIES)
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_gcrypt_la_DEPENDENCIES =
 am_libstrongswan_gcrypt_la_OBJECTS = gcrypt_plugin.lo \
 	gcrypt_rsa_public_key.lo gcrypt_rsa_private_key.lo \
@@ -82,6 +82,9 @@ libstrongswan_gcrypt_la_OBJECTS =  \
 libstrongswan_gcrypt_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
 	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
 	$(libstrongswan_gcrypt_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_gcrypt_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_gcrypt_la_rpath =
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
@@ -220,6 +223,7 @@ ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libhydra_plugins = @libhydra_plugins@
 libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
@@ -256,8 +260,10 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
 AM_CFLAGS = -rdynamic
-plugin_LTLIBRARIES = libstrongswan-gcrypt.la
-libstrongswan_gcrypt_la_SOURCES = gcrypt_plugin.h gcrypt_plugin.c \
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-gcrypt.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-gcrypt.la
+libstrongswan_gcrypt_la_SOURCES = \
+	gcrypt_plugin.h gcrypt_plugin.c \
 	gcrypt_rsa_public_key.h gcrypt_rsa_public_key.c \
 	gcrypt_rsa_private_key.h gcrypt_rsa_private_key.c \
 	gcrypt_dh.h gcrypt_dh.c \
@@ -301,6 +307,15 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
 	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
@@ -333,7 +348,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-gcrypt.la: $(libstrongswan_gcrypt_la_OBJECTS) $(libstrongswan_gcrypt_la_DEPENDENCIES) 
-	$(libstrongswan_gcrypt_la_LINK) -rpath $(plugindir) $(libstrongswan_gcrypt_la_OBJECTS) $(libstrongswan_gcrypt_la_LIBADD) $(LIBS)
+	$(libstrongswan_gcrypt_la_LINK) $(am_libstrongswan_gcrypt_la_rpath) $(libstrongswan_gcrypt_la_OBJECTS) $(libstrongswan_gcrypt_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -492,8 +507,8 @@ maintainer-clean-generic:
 	@echo "it deletes files that may require special tools to rebuild."
 clean: clean-am
 
-clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
-	mostlyclean-am
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
 
 distclean: distclean-am
 	-rm -rf ./$(DEPDIR)
@@ -564,18 +579,19 @@ uninstall-am: uninstall-pluginLTLIBRARIES
 .MAKE: install-am install-strip
 
 .PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
-	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
-	distclean-compile distclean-generic distclean-libtool \
-	distclean-tags distdir dvi dvi-am html html-am info info-am \
-	install install-am install-data install-data-am install-dvi \
-	install-dvi-am install-exec install-exec-am install-html \
-	install-html-am install-info install-info-am install-man \
-	install-pdf install-pdf-am install-pluginLTLIBRARIES \
-	install-ps install-ps-am install-strip installcheck \
-	installcheck-am installdirs maintainer-clean \
-	maintainer-clean-generic mostlyclean mostlyclean-compile \
-	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
 
 
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_crypter.c b/src/libstrongswan/plugins/gcrypt/gcrypt_crypter.c
index 1eee6226d..5dbdde32c 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_crypter.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_crypter.c
@@ -234,7 +234,7 @@ gcrypt_crypter_t *gcrypt_crypter_create(encryption_algorithm_t algo,
 	err = gcry_cipher_open(&this->h, gcrypt_alg, mode, 0);
 	if (err)
 	{
-		DBG1("grcy_cipher_open(%N) failed: %s",
+		DBG1(DBG_LIB, "grcy_cipher_open(%N) failed: %s",
 			 encryption_algorithm_names, algo, gpg_strerror(err));
 		free(this);
 		return NULL;
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c b/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c
index 59c82f1e7..08d6239ad 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2010 Tobias Brunner
  * Copyright (C) 2009 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -19,310 +20,6 @@
 
 #include <debug.h>
 
-/**
- * Modulus of Group 1 (MODP_768_BIT).
- */
-static u_int8_t group1_modulus[] = {
-	0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,0x21,0x68,0xC2,0x34,
-	0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,
-	0x02,0x0B,0xBE,0xA6,0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,
-	0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,0xF2,0x5F,0x14,0x37,
-	0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,
-	0xF4,0x4C,0x42,0xE9,0xA6,0x3A,0x36,0x20,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF
-};
-
-/**
- * Modulus of Group 2 (MODP_1024_BIT).
- */
-static u_int8_t group2_modulus[] = {
-	0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,0x21,0x68,0xC2,0x34,
-	0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,
-	0x02,0x0B,0xBE,0xA6,0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,
-	0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,0xF2,0x5F,0x14,0x37,
-	0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,
-	0xF4,0x4C,0x42,0xE9,0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED,
-	0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11,0x7C,0x4B,0x1F,0xE6,
-	0x49,0x28,0x66,0x51,0xEC,0xE6,0x53,0x81,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF
-};
-
-/**
- * Modulus of Group 5 (MODP_1536_BIT).
- */
-static u_int8_t group5_modulus[] = {
-	0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,0x21,0x68,0xC2,0x34,
-	0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,
-	0x02,0x0B,0xBE,0xA6,0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,
-	0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,0xF2,0x5F,0x14,0x37,
-	0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,
-	0xF4,0x4C,0x42,0xE9,0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED,
-	0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11,0x7C,0x4B,0x1F,0xE6,
-	0x49,0x28,0x66,0x51,0xEC,0xE4,0x5B,0x3D,0xC2,0x00,0x7C,0xB8,0xA1,0x63,0xBF,0x05,
-	0x98,0xDA,0x48,0x36,0x1C,0x55,0xD3,0x9A,0x69,0x16,0x3F,0xA8,0xFD,0x24,0xCF,0x5F,
-	0x83,0x65,0x5D,0x23,0xDC,0xA3,0xAD,0x96,0x1C,0x62,0xF3,0x56,0x20,0x85,0x52,0xBB,
-	0x9E,0xD5,0x29,0x07,0x70,0x96,0x96,0x6D,0x67,0x0C,0x35,0x4E,0x4A,0xBC,0x98,0x04,
-	0xF1,0x74,0x6C,0x08,0xCA,0x23,0x73,0x27,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF
-};
-/**
- * Modulus of Group 14 (MODP_2048_BIT).
- */
-static u_int8_t group14_modulus[] = {
-	0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,0x21,0x68,0xC2,0x34,
-	0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,
-	0x02,0x0B,0xBE,0xA6,0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,
-	0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,0xF2,0x5F,0x14,0x37,
-	0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,
-	0xF4,0x4C,0x42,0xE9,0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED,
-	0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11,0x7C,0x4B,0x1F,0xE6,
-	0x49,0x28,0x66,0x51,0xEC,0xE4,0x5B,0x3D,0xC2,0x00,0x7C,0xB8,0xA1,0x63,0xBF,0x05,
-	0x98,0xDA,0x48,0x36,0x1C,0x55,0xD3,0x9A,0x69,0x16,0x3F,0xA8,0xFD,0x24,0xCF,0x5F,
-	0x83,0x65,0x5D,0x23,0xDC,0xA3,0xAD,0x96,0x1C,0x62,0xF3,0x56,0x20,0x85,0x52,0xBB,
-	0x9E,0xD5,0x29,0x07,0x70,0x96,0x96,0x6D,0x67,0x0C,0x35,0x4E,0x4A,0xBC,0x98,0x04,
-	0xF1,0x74,0x6C,0x08,0xCA,0x18,0x21,0x7C,0x32,0x90,0x5E,0x46,0x2E,0x36,0xCE,0x3B,
-	0xE3,0x9E,0x77,0x2C,0x18,0x0E,0x86,0x03,0x9B,0x27,0x83,0xA2,0xEC,0x07,0xA2,0x8F,
-	0xB5,0xC5,0x5D,0xF0,0x6F,0x4C,0x52,0xC9,0xDE,0x2B,0xCB,0xF6,0x95,0x58,0x17,0x18,
-	0x39,0x95,0x49,0x7C,0xEA,0x95,0x6A,0xE5,0x15,0xD2,0x26,0x18,0x98,0xFA,0x05,0x10,
-	0x15,0x72,0x8E,0x5A,0x8A,0xAC,0xAA,0x68,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF
-};
-
-/**
- * Modulus of Group 15 (MODP_3072_BIT).
- */
-static u_int8_t group15_modulus[] = {
-	0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,0x21,0x68,0xC2,0x34,
-	0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,
-	0x02,0x0B,0xBE,0xA6,0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,
-	0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,0xF2,0x5F,0x14,0x37,
-	0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,
-	0xF4,0x4C,0x42,0xE9,0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED,
-	0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11,0x7C,0x4B,0x1F,0xE6,
-	0x49,0x28,0x66,0x51,0xEC,0xE4,0x5B,0x3D,0xC2,0x00,0x7C,0xB8,0xA1,0x63,0xBF,0x05,
-	0x98,0xDA,0x48,0x36,0x1C,0x55,0xD3,0x9A,0x69,0x16,0x3F,0xA8,0xFD,0x24,0xCF,0x5F,
-	0x83,0x65,0x5D,0x23,0xDC,0xA3,0xAD,0x96,0x1C,0x62,0xF3,0x56,0x20,0x85,0x52,0xBB,
-	0x9E,0xD5,0x29,0x07,0x70,0x96,0x96,0x6D,0x67,0x0C,0x35,0x4E,0x4A,0xBC,0x98,0x04,
-	0xF1,0x74,0x6C,0x08,0xCA,0x18,0x21,0x7C,0x32,0x90,0x5E,0x46,0x2E,0x36,0xCE,0x3B,
-	0xE3,0x9E,0x77,0x2C,0x18,0x0E,0x86,0x03,0x9B,0x27,0x83,0xA2,0xEC,0x07,0xA2,0x8F,
-	0xB5,0xC5,0x5D,0xF0,0x6F,0x4C,0x52,0xC9,0xDE,0x2B,0xCB,0xF6,0x95,0x58,0x17,0x18,
-	0x39,0x95,0x49,0x7C,0xEA,0x95,0x6A,0xE5,0x15,0xD2,0x26,0x18,0x98,0xFA,0x05,0x10,
-	0x15,0x72,0x8E,0x5A,0x8A,0xAA,0xC4,0x2D,0xAD,0x33,0x17,0x0D,0x04,0x50,0x7A,0x33,
-	0xA8,0x55,0x21,0xAB,0xDF,0x1C,0xBA,0x64,0xEC,0xFB,0x85,0x04,0x58,0xDB,0xEF,0x0A,
-	0x8A,0xEA,0x71,0x57,0x5D,0x06,0x0C,0x7D,0xB3,0x97,0x0F,0x85,0xA6,0xE1,0xE4,0xC7,
-	0xAB,0xF5,0xAE,0x8C,0xDB,0x09,0x33,0xD7,0x1E,0x8C,0x94,0xE0,0x4A,0x25,0x61,0x9D,
-	0xCE,0xE3,0xD2,0x26,0x1A,0xD2,0xEE,0x6B,0xF1,0x2F,0xFA,0x06,0xD9,0x8A,0x08,0x64,
-	0xD8,0x76,0x02,0x73,0x3E,0xC8,0x6A,0x64,0x52,0x1F,0x2B,0x18,0x17,0x7B,0x20,0x0C,
-	0xBB,0xE1,0x17,0x57,0x7A,0x61,0x5D,0x6C,0x77,0x09,0x88,0xC0,0xBA,0xD9,0x46,0xE2,
-	0x08,0xE2,0x4F,0xA0,0x74,0xE5,0xAB,0x31,0x43,0xDB,0x5B,0xFC,0xE0,0xFD,0x10,0x8E,
-	0x4B,0x82,0xD1,0x20,0xA9,0x3A,0xD2,0xCA,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF
-};
-
-/**
- * Modulus of Group 16 (MODP_4096_BIT).
- */
-static u_int8_t group16_modulus[] = {
-	0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,0x21,0x68,0xC2,0x34,
-	0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,
-	0x02,0x0B,0xBE,0xA6,0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,
-	0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,0xF2,0x5F,0x14,0x37,
-	0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,
-	0xF4,0x4C,0x42,0xE9,0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED,
-	0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11,0x7C,0x4B,0x1F,0xE6,
-	0x49,0x28,0x66,0x51,0xEC,0xE4,0x5B,0x3D,0xC2,0x00,0x7C,0xB8,0xA1,0x63,0xBF,0x05,
-	0x98,0xDA,0x48,0x36,0x1C,0x55,0xD3,0x9A,0x69,0x16,0x3F,0xA8,0xFD,0x24,0xCF,0x5F,
-	0x83,0x65,0x5D,0x23,0xDC,0xA3,0xAD,0x96,0x1C,0x62,0xF3,0x56,0x20,0x85,0x52,0xBB,
-	0x9E,0xD5,0x29,0x07,0x70,0x96,0x96,0x6D,0x67,0x0C,0x35,0x4E,0x4A,0xBC,0x98,0x04,
-	0xF1,0x74,0x6C,0x08,0xCA,0x18,0x21,0x7C,0x32,0x90,0x5E,0x46,0x2E,0x36,0xCE,0x3B,
-	0xE3,0x9E,0x77,0x2C,0x18,0x0E,0x86,0x03,0x9B,0x27,0x83,0xA2,0xEC,0x07,0xA2,0x8F,
-	0xB5,0xC5,0x5D,0xF0,0x6F,0x4C,0x52,0xC9,0xDE,0x2B,0xCB,0xF6,0x95,0x58,0x17,0x18,
-	0x39,0x95,0x49,0x7C,0xEA,0x95,0x6A,0xE5,0x15,0xD2,0x26,0x18,0x98,0xFA,0x05,0x10,
-	0x15,0x72,0x8E,0x5A,0x8A,0xAA,0xC4,0x2D,0xAD,0x33,0x17,0x0D,0x04,0x50,0x7A,0x33,
-	0xA8,0x55,0x21,0xAB,0xDF,0x1C,0xBA,0x64,0xEC,0xFB,0x85,0x04,0x58,0xDB,0xEF,0x0A,
-	0x8A,0xEA,0x71,0x57,0x5D,0x06,0x0C,0x7D,0xB3,0x97,0x0F,0x85,0xA6,0xE1,0xE4,0xC7,
-	0xAB,0xF5,0xAE,0x8C,0xDB,0x09,0x33,0xD7,0x1E,0x8C,0x94,0xE0,0x4A,0x25,0x61,0x9D,
-	0xCE,0xE3,0xD2,0x26,0x1A,0xD2,0xEE,0x6B,0xF1,0x2F,0xFA,0x06,0xD9,0x8A,0x08,0x64,
-	0xD8,0x76,0x02,0x73,0x3E,0xC8,0x6A,0x64,0x52,0x1F,0x2B,0x18,0x17,0x7B,0x20,0x0C,
-	0xBB,0xE1,0x17,0x57,0x7A,0x61,0x5D,0x6C,0x77,0x09,0x88,0xC0,0xBA,0xD9,0x46,0xE2,
-	0x08,0xE2,0x4F,0xA0,0x74,0xE5,0xAB,0x31,0x43,0xDB,0x5B,0xFC,0xE0,0xFD,0x10,0x8E,
-	0x4B,0x82,0xD1,0x20,0xA9,0x21,0x08,0x01,0x1A,0x72,0x3C,0x12,0xA7,0x87,0xE6,0xD7,
-	0x88,0x71,0x9A,0x10,0xBD,0xBA,0x5B,0x26,0x99,0xC3,0x27,0x18,0x6A,0xF4,0xE2,0x3C,
-	0x1A,0x94,0x68,0x34,0xB6,0x15,0x0B,0xDA,0x25,0x83,0xE9,0xCA,0x2A,0xD4,0x4C,0xE8,
-	0xDB,0xBB,0xC2,0xDB,0x04,0xDE,0x8E,0xF9,0x2E,0x8E,0xFC,0x14,0x1F,0xBE,0xCA,0xA6,
-	0x28,0x7C,0x59,0x47,0x4E,0x6B,0xC0,0x5D,0x99,0xB2,0x96,0x4F,0xA0,0x90,0xC3,0xA2,
-	0x23,0x3B,0xA1,0x86,0x51,0x5B,0xE7,0xED,0x1F,0x61,0x29,0x70,0xCE,0xE2,0xD7,0xAF,
-	0xB8,0x1B,0xDD,0x76,0x21,0x70,0x48,0x1C,0xD0,0x06,0x91,0x27,0xD5,0xB0,0x5A,0xA9,
-	0x93,0xB4,0xEA,0x98,0x8D,0x8F,0xDD,0xC1,0x86,0xFF,0xB7,0xDC,0x90,0xA6,0xC0,0x8F,
-	0x4D,0xF4,0x35,0xC9,0x34,0x06,0x31,0x99,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF
-};
-
-/**
- * Modulus of Group 17 (MODP_6144_BIT).
- */
-static u_int8_t group17_modulus[] = {
-	0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,0x21,0x68,0xC2,0x34,
-	0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,
-	0x02,0x0B,0xBE,0xA6,0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,
-	0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,0xF2,0x5F,0x14,0x37,
-	0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,
-	0xF4,0x4C,0x42,0xE9,0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED,
-	0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11,0x7C,0x4B,0x1F,0xE6,
-	0x49,0x28,0x66,0x51,0xEC,0xE4,0x5B,0x3D,0xC2,0x00,0x7C,0xB8,0xA1,0x63,0xBF,0x05,
-	0x98,0xDA,0x48,0x36,0x1C,0x55,0xD3,0x9A,0x69,0x16,0x3F,0xA8,0xFD,0x24,0xCF,0x5F,
-	0x83,0x65,0x5D,0x23,0xDC,0xA3,0xAD,0x96,0x1C,0x62,0xF3,0x56,0x20,0x85,0x52,0xBB,
-	0x9E,0xD5,0x29,0x07,0x70,0x96,0x96,0x6D,0x67,0x0C,0x35,0x4E,0x4A,0xBC,0x98,0x04,
-	0xF1,0x74,0x6C,0x08,0xCA,0x18,0x21,0x7C,0x32,0x90,0x5E,0x46,0x2E,0x36,0xCE,0x3B,
-	0xE3,0x9E,0x77,0x2C,0x18,0x0E,0x86,0x03,0x9B,0x27,0x83,0xA2,0xEC,0x07,0xA2,0x8F,
-	0xB5,0xC5,0x5D,0xF0,0x6F,0x4C,0x52,0xC9,0xDE,0x2B,0xCB,0xF6,0x95,0x58,0x17,0x18,
-	0x39,0x95,0x49,0x7C,0xEA,0x95,0x6A,0xE5,0x15,0xD2,0x26,0x18,0x98,0xFA,0x05,0x10,
-	0x15,0x72,0x8E,0x5A,0x8A,0xAA,0xC4,0x2D,0xAD,0x33,0x17,0x0D,0x04,0x50,0x7A,0x33,
-	0xA8,0x55,0x21,0xAB,0xDF,0x1C,0xBA,0x64,0xEC,0xFB,0x85,0x04,0x58,0xDB,0xEF,0x0A,
-	0x8A,0xEA,0x71,0x57,0x5D,0x06,0x0C,0x7D,0xB3,0x97,0x0F,0x85,0xA6,0xE1,0xE4,0xC7,
-	0xAB,0xF5,0xAE,0x8C,0xDB,0x09,0x33,0xD7,0x1E,0x8C,0x94,0xE0,0x4A,0x25,0x61,0x9D,
-	0xCE,0xE3,0xD2,0x26,0x1A,0xD2,0xEE,0x6B,0xF1,0x2F,0xFA,0x06,0xD9,0x8A,0x08,0x64,
-	0xD8,0x76,0x02,0x73,0x3E,0xC8,0x6A,0x64,0x52,0x1F,0x2B,0x18,0x17,0x7B,0x20,0x0C,
-	0xBB,0xE1,0x17,0x57,0x7A,0x61,0x5D,0x6C,0x77,0x09,0x88,0xC0,0xBA,0xD9,0x46,0xE2,
-	0x08,0xE2,0x4F,0xA0,0x74,0xE5,0xAB,0x31,0x43,0xDB,0x5B,0xFC,0xE0,0xFD,0x10,0x8E,
-	0x4B,0x82,0xD1,0x20,0xA9,0x21,0x08,0x01,0x1A,0x72,0x3C,0x12,0xA7,0x87,0xE6,0xD7,
-	0x88,0x71,0x9A,0x10,0xBD,0xBA,0x5B,0x26,0x99,0xC3,0x27,0x18,0x6A,0xF4,0xE2,0x3C,
-	0x1A,0x94,0x68,0x34,0xB6,0x15,0x0B,0xDA,0x25,0x83,0xE9,0xCA,0x2A,0xD4,0x4C,0xE8,
-	0xDB,0xBB,0xC2,0xDB,0x04,0xDE,0x8E,0xF9,0x2E,0x8E,0xFC,0x14,0x1F,0xBE,0xCA,0xA6,
-	0x28,0x7C,0x59,0x47,0x4E,0x6B,0xC0,0x5D,0x99,0xB2,0x96,0x4F,0xA0,0x90,0xC3,0xA2,
-	0x23,0x3B,0xA1,0x86,0x51,0x5B,0xE7,0xED,0x1F,0x61,0x29,0x70,0xCE,0xE2,0xD7,0xAF,
-	0xB8,0x1B,0xDD,0x76,0x21,0x70,0x48,0x1C,0xD0,0x06,0x91,0x27,0xD5,0xB0,0x5A,0xA9,
-	0x93,0xB4,0xEA,0x98,0x8D,0x8F,0xDD,0xC1,0x86,0xFF,0xB7,0xDC,0x90,0xA6,0xC0,0x8F,
-	0x4D,0xF4,0x35,0xC9,0x34,0x02,0x84,0x92,0x36,0xC3,0xFA,0xB4,0xD2,0x7C,0x70,0x26,
-	0xC1,0xD4,0xDC,0xB2,0x60,0x26,0x46,0xDE,0xC9,0x75,0x1E,0x76,0x3D,0xBA,0x37,0xBD,
-	0xF8,0xFF,0x94,0x06,0xAD,0x9E,0x53,0x0E,0xE5,0xDB,0x38,0x2F,0x41,0x30,0x01,0xAE,
-	0xB0,0x6A,0x53,0xED,0x90,0x27,0xD8,0x31,0x17,0x97,0x27,0xB0,0x86,0x5A,0x89,0x18,
-	0xDA,0x3E,0xDB,0xEB,0xCF,0x9B,0x14,0xED,0x44,0xCE,0x6C,0xBA,0xCE,0xD4,0xBB,0x1B,
-	0xDB,0x7F,0x14,0x47,0xE6,0xCC,0x25,0x4B,0x33,0x20,0x51,0x51,0x2B,0xD7,0xAF,0x42,
-	0x6F,0xB8,0xF4,0x01,0x37,0x8C,0xD2,0xBF,0x59,0x83,0xCA,0x01,0xC6,0x4B,0x92,0xEC,
-	0xF0,0x32,0xEA,0x15,0xD1,0x72,0x1D,0x03,0xF4,0x82,0xD7,0xCE,0x6E,0x74,0xFE,0xF6,
-	0xD5,0x5E,0x70,0x2F,0x46,0x98,0x0C,0x82,0xB5,0xA8,0x40,0x31,0x90,0x0B,0x1C,0x9E,
-	0x59,0xE7,0xC9,0x7F,0xBE,0xC7,0xE8,0xF3,0x23,0xA9,0x7A,0x7E,0x36,0xCC,0x88,0xBE,
-	0x0F,0x1D,0x45,0xB7,0xFF,0x58,0x5A,0xC5,0x4B,0xD4,0x07,0xB2,0x2B,0x41,0x54,0xAA,
-	0xCC,0x8F,0x6D,0x7E,0xBF,0x48,0xE1,0xD8,0x14,0xCC,0x5E,0xD2,0x0F,0x80,0x37,0xE0,
-	0xA7,0x97,0x15,0xEE,0xF2,0x9B,0xE3,0x28,0x06,0xA1,0xD5,0x8B,0xB7,0xC5,0xDA,0x76,
-	0xF5,0x50,0xAA,0x3D,0x8A,0x1F,0xBF,0xF0,0xEB,0x19,0xCC,0xB1,0xA3,0x13,0xD5,0x5C,
-	0xDA,0x56,0xC9,0xEC,0x2E,0xF2,0x96,0x32,0x38,0x7F,0xE8,0xD7,0x6E,0x3C,0x04,0x68,
-	0x04,0x3E,0x8F,0x66,0x3F,0x48,0x60,0xEE,0x12,0xBF,0x2D,0x5B,0x0B,0x74,0x74,0xD6,
-	0xE6,0x94,0xF9,0x1E,0x6D,0xCC,0x40,0x24,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF
-};
-
-/**
- * Modulus of Group 18 (MODP_8192_BIT).
- */
-static u_int8_t group18_modulus[] = {
-	0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,0x21,0x68,0xC2,0x34,
-	0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,
-	0x02,0x0B,0xBE,0xA6,0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,
-	0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,0xF2,0x5F,0x14,0x37,
-	0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,
-	0xF4,0x4C,0x42,0xE9,0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED,
-	0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11,0x7C,0x4B,0x1F,0xE6,
-	0x49,0x28,0x66,0x51,0xEC,0xE4,0x5B,0x3D,0xC2,0x00,0x7C,0xB8,0xA1,0x63,0xBF,0x05,
-	0x98,0xDA,0x48,0x36,0x1C,0x55,0xD3,0x9A,0x69,0x16,0x3F,0xA8,0xFD,0x24,0xCF,0x5F,
-	0x83,0x65,0x5D,0x23,0xDC,0xA3,0xAD,0x96,0x1C,0x62,0xF3,0x56,0x20,0x85,0x52,0xBB,
-	0x9E,0xD5,0x29,0x07,0x70,0x96,0x96,0x6D,0x67,0x0C,0x35,0x4E,0x4A,0xBC,0x98,0x04,
-	0xF1,0x74,0x6C,0x08,0xCA,0x18,0x21,0x7C,0x32,0x90,0x5E,0x46,0x2E,0x36,0xCE,0x3B,
-	0xE3,0x9E,0x77,0x2C,0x18,0x0E,0x86,0x03,0x9B,0x27,0x83,0xA2,0xEC,0x07,0xA2,0x8F,
-	0xB5,0xC5,0x5D,0xF0,0x6F,0x4C,0x52,0xC9,0xDE,0x2B,0xCB,0xF6,0x95,0x58,0x17,0x18,
-	0x39,0x95,0x49,0x7C,0xEA,0x95,0x6A,0xE5,0x15,0xD2,0x26,0x18,0x98,0xFA,0x05,0x10,
-	0x15,0x72,0x8E,0x5A,0x8A,0xAA,0xC4,0x2D,0xAD,0x33,0x17,0x0D,0x04,0x50,0x7A,0x33,
-	0xA8,0x55,0x21,0xAB,0xDF,0x1C,0xBA,0x64,0xEC,0xFB,0x85,0x04,0x58,0xDB,0xEF,0x0A,
-	0x8A,0xEA,0x71,0x57,0x5D,0x06,0x0C,0x7D,0xB3,0x97,0x0F,0x85,0xA6,0xE1,0xE4,0xC7,
-	0xAB,0xF5,0xAE,0x8C,0xDB,0x09,0x33,0xD7,0x1E,0x8C,0x94,0xE0,0x4A,0x25,0x61,0x9D,
-	0xCE,0xE3,0xD2,0x26,0x1A,0xD2,0xEE,0x6B,0xF1,0x2F,0xFA,0x06,0xD9,0x8A,0x08,0x64,
-	0xD8,0x76,0x02,0x73,0x3E,0xC8,0x6A,0x64,0x52,0x1F,0x2B,0x18,0x17,0x7B,0x20,0x0C,
-	0xBB,0xE1,0x17,0x57,0x7A,0x61,0x5D,0x6C,0x77,0x09,0x88,0xC0,0xBA,0xD9,0x46,0xE2,
-	0x08,0xE2,0x4F,0xA0,0x74,0xE5,0xAB,0x31,0x43,0xDB,0x5B,0xFC,0xE0,0xFD,0x10,0x8E,
-	0x4B,0x82,0xD1,0x20,0xA9,0x21,0x08,0x01,0x1A,0x72,0x3C,0x12,0xA7,0x87,0xE6,0xD7,
-	0x88,0x71,0x9A,0x10,0xBD,0xBA,0x5B,0x26,0x99,0xC3,0x27,0x18,0x6A,0xF4,0xE2,0x3C,
-	0x1A,0x94,0x68,0x34,0xB6,0x15,0x0B,0xDA,0x25,0x83,0xE9,0xCA,0x2A,0xD4,0x4C,0xE8,
-	0xDB,0xBB,0xC2,0xDB,0x04,0xDE,0x8E,0xF9,0x2E,0x8E,0xFC,0x14,0x1F,0xBE,0xCA,0xA6,
-	0x28,0x7C,0x59,0x47,0x4E,0x6B,0xC0,0x5D,0x99,0xB2,0x96,0x4F,0xA0,0x90,0xC3,0xA2,
-	0x23,0x3B,0xA1,0x86,0x51,0x5B,0xE7,0xED,0x1F,0x61,0x29,0x70,0xCE,0xE2,0xD7,0xAF,
-	0xB8,0x1B,0xDD,0x76,0x21,0x70,0x48,0x1C,0xD0,0x06,0x91,0x27,0xD5,0xB0,0x5A,0xA9,
-	0x93,0xB4,0xEA,0x98,0x8D,0x8F,0xDD,0xC1,0x86,0xFF,0xB7,0xDC,0x90,0xA6,0xC0,0x8F,
-	0x4D,0xF4,0x35,0xC9,0x34,0x02,0x84,0x92,0x36,0xC3,0xFA,0xB4,0xD2,0x7C,0x70,0x26,
-	0xC1,0xD4,0xDC,0xB2,0x60,0x26,0x46,0xDE,0xC9,0x75,0x1E,0x76,0x3D,0xBA,0x37,0xBD,
-	0xF8,0xFF,0x94,0x06,0xAD,0x9E,0x53,0x0E,0xE5,0xDB,0x38,0x2F,0x41,0x30,0x01,0xAE,
-	0xB0,0x6A,0x53,0xED,0x90,0x27,0xD8,0x31,0x17,0x97,0x27,0xB0,0x86,0x5A,0x89,0x18,
-	0xDA,0x3E,0xDB,0xEB,0xCF,0x9B,0x14,0xED,0x44,0xCE,0x6C,0xBA,0xCE,0xD4,0xBB,0x1B,
-	0xDB,0x7F,0x14,0x47,0xE6,0xCC,0x25,0x4B,0x33,0x20,0x51,0x51,0x2B,0xD7,0xAF,0x42,
-	0x6F,0xB8,0xF4,0x01,0x37,0x8C,0xD2,0xBF,0x59,0x83,0xCA,0x01,0xC6,0x4B,0x92,0xEC,
-	0xF0,0x32,0xEA,0x15,0xD1,0x72,0x1D,0x03,0xF4,0x82,0xD7,0xCE,0x6E,0x74,0xFE,0xF6,
-	0xD5,0x5E,0x70,0x2F,0x46,0x98,0x0C,0x82,0xB5,0xA8,0x40,0x31,0x90,0x0B,0x1C,0x9E,
-	0x59,0xE7,0xC9,0x7F,0xBE,0xC7,0xE8,0xF3,0x23,0xA9,0x7A,0x7E,0x36,0xCC,0x88,0xBE,
-	0x0F,0x1D,0x45,0xB7,0xFF,0x58,0x5A,0xC5,0x4B,0xD4,0x07,0xB2,0x2B,0x41,0x54,0xAA,
-	0xCC,0x8F,0x6D,0x7E,0xBF,0x48,0xE1,0xD8,0x14,0xCC,0x5E,0xD2,0x0F,0x80,0x37,0xE0,
-	0xA7,0x97,0x15,0xEE,0xF2,0x9B,0xE3,0x28,0x06,0xA1,0xD5,0x8B,0xB7,0xC5,0xDA,0x76,
-	0xF5,0x50,0xAA,0x3D,0x8A,0x1F,0xBF,0xF0,0xEB,0x19,0xCC,0xB1,0xA3,0x13,0xD5,0x5C,
-	0xDA,0x56,0xC9,0xEC,0x2E,0xF2,0x96,0x32,0x38,0x7F,0xE8,0xD7,0x6E,0x3C,0x04,0x68,
-	0x04,0x3E,0x8F,0x66,0x3F,0x48,0x60,0xEE,0x12,0xBF,0x2D,0x5B,0x0B,0x74,0x74,0xD6,
-	0xE6,0x94,0xF9,0x1E,0x6D,0xBE,0x11,0x59,0x74,0xA3,0x92,0x6F,0x12,0xFE,0xE5,0xE4,
-	0x38,0x77,0x7C,0xB6,0xA9,0x32,0xDF,0x8C,0xD8,0xBE,0xC4,0xD0,0x73,0xB9,0x31,0xBA,
-	0x3B,0xC8,0x32,0xB6,0x8D,0x9D,0xD3,0x00,0x74,0x1F,0xA7,0xBF,0x8A,0xFC,0x47,0xED,
-	0x25,0x76,0xF6,0x93,0x6B,0xA4,0x24,0x66,0x3A,0xAB,0x63,0x9C,0x5A,0xE4,0xF5,0x68,
-	0x34,0x23,0xB4,0x74,0x2B,0xF1,0xC9,0x78,0x23,0x8F,0x16,0xCB,0xE3,0x9D,0x65,0x2D,
-	0xE3,0xFD,0xB8,0xBE,0xFC,0x84,0x8A,0xD9,0x22,0x22,0x2E,0x04,0xA4,0x03,0x7C,0x07,
-	0x13,0xEB,0x57,0xA8,0x1A,0x23,0xF0,0xC7,0x34,0x73,0xFC,0x64,0x6C,0xEA,0x30,0x6B,
-	0x4B,0xCB,0xC8,0x86,0x2F,0x83,0x85,0xDD,0xFA,0x9D,0x4B,0x7F,0xA2,0xC0,0x87,0xE8,
-	0x79,0x68,0x33,0x03,0xED,0x5B,0xDD,0x3A,0x06,0x2B,0x3C,0xF5,0xB3,0xA2,0x78,0xA6,
-	0x6D,0x2A,0x13,0xF8,0x3F,0x44,0xF8,0x2D,0xDF,0x31,0x0E,0xE0,0x74,0xAB,0x6A,0x36,
-	0x45,0x97,0xE8,0x99,0xA0,0x25,0x5D,0xC1,0x64,0xF3,0x1C,0xC5,0x08,0x46,0x85,0x1D,
-	0xF9,0xAB,0x48,0x19,0x5D,0xED,0x7E,0xA1,0xB1,0xD5,0x10,0xBD,0x7E,0xE7,0x4D,0x73,
-	0xFA,0xF3,0x6B,0xC3,0x1E,0xCF,0xA2,0x68,0x35,0x90,0x46,0xF4,0xEB,0x87,0x9F,0x92,
-	0x40,0x09,0x43,0x8B,0x48,0x1C,0x6C,0xD7,0x88,0x9A,0x00,0x2E,0xD5,0xEE,0x38,0x2B,
-	0xC9,0x19,0x0D,0xA6,0xFC,0x02,0x6E,0x47,0x95,0x58,0xE4,0x47,0x56,0x77,0xE9,0xAA,
-	0x9E,0x30,0x50,0xE2,0x76,0x56,0x94,0xDF,0xC8,0x1F,0x56,0xE8,0x80,0xB9,0x6E,0x71,
-	0x60,0xC9,0x80,0xDD,0x98,0xED,0xD3,0xDF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
-};
-
-typedef struct modulus_entry_t modulus_entry_t;
-
-/**
- * Entry of the modulus list.
- */
-struct modulus_entry_t {
-	/** IKEv2 DH group */
-	diffie_hellman_group_t group;
-	/** modulus */
-	chunk_t modulus;
-	/** optimum length of exponent in bytes */
-	size_t opt_len;
-	/** generator */
-	u_int16_t g;
-};
-
-/**
- * All supported modulus values - optimum exponent size according to RFC 3526.
- */
-static modulus_entry_t modulus_entries[] = {
-	{MODP_768_BIT,  {group1_modulus,  sizeof(group1_modulus)},  32, 2},
-	{MODP_1024_BIT, {group2_modulus,  sizeof(group2_modulus)},  32, 2},
-	{MODP_1536_BIT, {group5_modulus,  sizeof(group5_modulus)},  32, 2},
-	{MODP_2048_BIT, {group14_modulus, sizeof(group14_modulus)}, 48, 2},
-	{MODP_3072_BIT, {group15_modulus, sizeof(group15_modulus)}, 48, 2},
-	{MODP_4096_BIT, {group16_modulus, sizeof(group16_modulus)}, 64, 2},
-	{MODP_6144_BIT, {group17_modulus, sizeof(group17_modulus)}, 64, 2},
-	{MODP_8192_BIT, {group18_modulus, sizeof(group18_modulus)}, 64, 2},
-};
-
-/**
- * Lookup the modulus in modulo table
- */
-static modulus_entry_t *find_entry(diffie_hellman_group_t group)
-{
-	int i;
-
-	for (i = 0; i < countof(modulus_entries); i++)
-	{
-		if (modulus_entries[i].group == group)
-		{
-			return &modulus_entries[i];
-		}
-	}
-	return NULL;
-}
-
 typedef struct private_gcrypt_dh_t private_gcrypt_dh_t;
 
 /**
@@ -392,7 +89,7 @@ static void set_other_public_value(private_gcrypt_dh_t *this, chunk_t value)
 	err = gcry_mpi_scan(&this->yb, GCRYMPI_FMT_USG, value.ptr, value.len, NULL);
 	if (err)
 	{
-		DBG1("importing mpi yb failed: %s", gpg_strerror(err));
+		DBG1(DBG_LIB, "importing mpi yb failed: %s", gpg_strerror(err));
 		return;
 	}
 
@@ -413,7 +110,8 @@ static void set_other_public_value(private_gcrypt_dh_t *this, chunk_t value)
 	}
 	else
 	{
-		DBG1("public DH value verification failed: y < 2 || y > p - 1 ");
+		DBG1(DBG_LIB, "public DH value verification failed:"
+			 " y < 2 || y > p - 1 ");
 	}
 	gcry_mpi_release(p_min_1);
 }
@@ -485,14 +183,13 @@ static void destroy(private_gcrypt_dh_t *this)
 gcrypt_dh_t *gcrypt_dh_create(diffie_hellman_group_t group)
 {
 	private_gcrypt_dh_t *this;
-	modulus_entry_t *entry;
+	diffie_hellman_params_t *params;
 	gcry_error_t err;
 	chunk_t random;
 	rng_t *rng;
-	size_t len;
 
-	entry = find_entry(group);
-	if (!entry)
+	params = diffie_hellman_get_params(group);
+	if (!params)
 	{
 		return NULL;
 	}
@@ -506,53 +203,53 @@ gcrypt_dh_t *gcrypt_dh_create(diffie_hellman_group_t group)
 	this->public.dh.destroy = (void (*)(diffie_hellman_t *)) destroy;
 
 	this->group = group;
-	this->p_len = entry->modulus.len;
+	this->p_len = params->prime.len;
 	err = gcry_mpi_scan(&this->p, GCRYMPI_FMT_USG,
-						entry->modulus.ptr, entry->modulus.len, NULL);
+						params->prime.ptr, params->prime.len, NULL);
 	if (err)
 	{
-		DBG1("importing mpi modulus failed: %s", gpg_strerror(err));
+		DBG1(DBG_LIB, "importing mpi modulus failed: %s", gpg_strerror(err));
 		free(this);
 		return NULL;
 	}
-	if (lib->settings->get_int(lib->settings,
-								"libstrongswan.dh_exponent_ansi_x9_42", TRUE))
-	{
-		len = this->p_len;
-	}
-	else
+	err = gcry_mpi_scan(&this->g, GCRYMPI_FMT_USG,
+						params->generator.ptr, params->generator.len, NULL);
+	if (err)
 	{
-		len = entry->opt_len;
+		DBG1(DBG_LIB, "importing mpi generator failed: %s", gpg_strerror(err));
+		gcry_mpi_release(this->p);
+		free(this);
+		return NULL;
 	}
 
 	rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
 	if (rng)
 	{	/* prefer external randomizer */
-		rng->allocate_bytes(rng, len, &random);
+		rng->allocate_bytes(rng, params->exp_len, &random);
 		rng->destroy(rng);
 		err = gcry_mpi_scan(&this->xa, GCRYMPI_FMT_USG,
 							random.ptr, random.len, NULL);
 		chunk_clear(&random);
 		if (err)
 		{
-			DBG1("importing mpi xa failed: %s", gpg_strerror(err));
+			DBG1(DBG_LIB, "importing mpi xa failed: %s", gpg_strerror(err));
 			gcry_mpi_release(this->p);
+			gcry_mpi_release(this->g);
 			free(this);
 			return NULL;
 		}
 	}
 	else
 	{	/* fallback to gcrypt internal randomizer, shouldn't ever happen */
-		this->xa = gcry_mpi_new(len * 8);
-		gcry_mpi_randomize(this->xa, len * 8, GCRY_STRONG_RANDOM);
+		this->xa = gcry_mpi_new(params->exp_len * 8);
+		gcry_mpi_randomize(this->xa, params->exp_len * 8, GCRY_STRONG_RANDOM);
 	}
-	if (len == this->p_len)
+	if (params->exp_len == this->p_len)
 	{
 		/* achieve bitsof(p)-1 by setting MSB to 0 */
-		gcry_mpi_clear_bit(this->xa, len * 8 - 1);
+		gcry_mpi_clear_bit(this->xa, params->exp_len * 8 - 1);
 	}
 
-	this->g = gcry_mpi_set_ui(NULL, entry->g);
 	this->ya = gcry_mpi_new(this->p_len * 8);
 	this->yb = NULL;
 	this->zz = NULL;
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c b/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c
index d12fe11d5..39609c16c 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c
@@ -137,7 +137,7 @@ gcrypt_hasher_t *gcrypt_hasher_create(hash_algorithm_t algo)
 	err = gcry_md_open(&this->hd, gcrypt_alg, 0);
 	if (err)
 	{
-		DBG1("grcy_md_open(%N) failed: %s",
+		DBG1(DBG_LIB, "grcy_md_open(%N) failed: %s",
 			 hash_algorithm_names, algo, gpg_strerror(err));
 		free(this);
 		return NULL;
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c b/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c
index 8c9ea893b..039036b2c 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c
@@ -118,7 +118,7 @@ static void destroy(private_gcrypt_plugin_t *this)
 /*
  * see header file
  */
-plugin_t *plugin_create()
+plugin_t *gcrypt_plugin_create()
 {
 	private_gcrypt_plugin_t *this;
 
@@ -126,7 +126,7 @@ plugin_t *plugin_create()
 
 	if (!gcry_check_version(GCRYPT_VERSION))
 	{
-		DBG1("libgcrypt version mismatch");
+		DBG1(DBG_LIB, "libgcrypt version mismatch");
 		return NULL;
 	}
 
@@ -190,6 +190,10 @@ plugin_t *plugin_create()
 	/* diffie hellman groups, using modp */
 	lib->crypto->add_dh(lib->crypto, MODP_2048_BIT,
 					(dh_constructor_t)gcrypt_dh_create);
+	lib->crypto->add_dh(lib->crypto, MODP_2048_224,
+					(dh_constructor_t)gcrypt_dh_create);
+	lib->crypto->add_dh(lib->crypto, MODP_2048_256,
+					(dh_constructor_t)gcrypt_dh_create);
 	lib->crypto->add_dh(lib->crypto, MODP_1536_BIT,
 					(dh_constructor_t)gcrypt_dh_create);
 	lib->crypto->add_dh(lib->crypto, MODP_3072_BIT,
@@ -202,6 +206,8 @@ plugin_t *plugin_create()
 					(dh_constructor_t)gcrypt_dh_create);
 	lib->crypto->add_dh(lib->crypto, MODP_1024_BIT,
 					(dh_constructor_t)gcrypt_dh_create);
+	lib->crypto->add_dh(lib->crypto, MODP_1024_160,
+					(dh_constructor_t)gcrypt_dh_create);
 	lib->crypto->add_dh(lib->crypto, MODP_768_BIT,
 					(dh_constructor_t)gcrypt_dh_create);
 
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.h b/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.h
index f2247ed5c..05e5e7014 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.h
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.h
@@ -39,9 +39,4 @@ struct gcrypt_plugin_t {
 	plugin_t plugin;
 };
 
-/**
- * Create a gcrypt_plugin instance.
- */
-plugin_t *plugin_create();
-
 #endif /** GCRYPT_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c
index cd156961e..2cb13c5f3 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c
@@ -130,14 +130,15 @@ static bool sign_raw(private_gcrypt_rsa_private_key_t *this,
 	chunk_free(&em);
 	if (err)
 	{
-		DBG1("building signature S-expression failed: %s", gpg_strerror(err));
+		DBG1(DBG_LIB, "building signature S-expression failed: %s",
+			 gpg_strerror(err));
 		return FALSE;
 	}
 	err = gcry_pk_sign(&out, in, this->key);
 	gcry_sexp_release(in);
 	if (err)
 	{
-		DBG1("creating pkcs1 signature failed: %s", gpg_strerror(err));
+		DBG1(DBG_LIB, "creating pkcs1 signature failed: %s", gpg_strerror(err));
 		return FALSE;
 	}
 	*signature = gcrypt_rsa_find_token(out, "s", this->key);
@@ -176,14 +177,14 @@ static bool sign_pkcs1(private_gcrypt_rsa_private_key_t *this,
 	chunk_free(&hash);
 	if (err)
 	{
-		DBG1("building signature S-expression failed: %s", gpg_strerror(err));
+		DBG1(DBG_LIB, "building signature S-expression failed: %s", gpg_strerror(err));
 		return FALSE;
 	}
 	err = gcry_pk_sign(&out, in, this->key);
 	gcry_sexp_release(in);
 	if (err)
 	{
-		DBG1("creating pkcs1 signature failed: %s", gpg_strerror(err));
+		DBG1(DBG_LIB, "creating pkcs1 signature failed: %s", gpg_strerror(err));
 		return FALSE;
 	}
 	*signature = gcrypt_rsa_find_token(out, "s", this->key);
@@ -222,7 +223,7 @@ static bool sign(private_gcrypt_rsa_private_key_t *this, signature_scheme_t sche
 		case SIGN_RSA_EMSA_PKCS1_MD5:
 			return sign_pkcs1(this, HASH_MD5, "md5", data, sig);
 		default:
-			DBG1("signature scheme %N not supported in RSA",
+			DBG1(DBG_LIB, "signature scheme %N not supported in RSA",
 				 signature_scheme_names, scheme);
 			return FALSE;
 	}
@@ -243,14 +244,15 @@ static bool decrypt(private_gcrypt_rsa_private_key_t *this,
 						  encrypted.len, encrypted.ptr);
 	if (err)
 	{
-		DBG1("building decryption S-expression failed: %s", gpg_strerror(err));
+		DBG1(DBG_LIB, "building decryption S-expression failed: %s",
+			 gpg_strerror(err));
 		return FALSE;
 	}
 	err = gcry_pk_decrypt(&out, in, this->key);
 	gcry_sexp_release(in);
 	if (err)
 	{
-		DBG1("decrypting pkcs1 data failed: %s", gpg_strerror(err));
+		DBG1(DBG_LIB, "decrypting pkcs1 data failed: %s", gpg_strerror(err));
 		return FALSE;
 	}
 	padded.ptr = (u_char*)gcry_sexp_nth_data(out, 1, &padded.len);
@@ -269,7 +271,7 @@ static bool decrypt(private_gcrypt_rsa_private_key_t *this,
 	gcry_sexp_release(out);
 	if (!pos)
 	{
-		DBG1("decrypted data has invalid pkcs1 padding");
+		DBG1(DBG_LIB, "decrypted data has invalid pkcs1 padding");
 		return FALSE;
 	}
 	return TRUE;
@@ -329,7 +331,7 @@ static bool get_encoding(private_gcrypt_rsa_private_key_t *this,
 		chunk_clear(&cp);
 		chunk_clear(&cq);
 		chunk_clear(&cd);
-		DBG1("scanning mpi for export failed: %s", gpg_strerror(err));
+		DBG1(DBG_LIB, "scanning mpi for export failed: %s", gpg_strerror(err));
 		return FALSE;
 	}
 
@@ -340,7 +342,7 @@ static bool get_encoding(private_gcrypt_rsa_private_key_t *this,
 
 	gcry_mpi_sub_ui(q, q, 1);
 	exp2 = gcry_mpi_new(gcry_pk_get_nbits(this->key));
-	gcry_mpi_mod(exp1, d, q);
+	gcry_mpi_mod(exp2, d, q);
 	gcry_mpi_release(q);
 
 	err = gcry_mpi_aprint(GCRYMPI_FMT_USG, &cexp1.ptr, &cexp1.len, exp1)
@@ -352,7 +354,7 @@ static bool get_encoding(private_gcrypt_rsa_private_key_t *this,
 
 	if (err)
 	{
-		DBG1("printing mpi for export failed: %s", gpg_strerror(err));
+		DBG1(DBG_LIB, "printing mpi for export failed: %s", gpg_strerror(err));
 		chunk_clear(&cp);
 		chunk_clear(&cq);
 		chunk_clear(&cd);
@@ -488,7 +490,7 @@ gcrypt_rsa_private_key_t *gcrypt_rsa_private_key_gen(key_type_t type,
 	err = gcry_sexp_build(&param, NULL, "(genkey(rsa(nbits %d)))", key_size);
 	if (err)
 	{
-		DBG1("building S-expression failed: %s", gpg_strerror(err));
+		DBG1(DBG_LIB, "building S-expression failed: %s", gpg_strerror(err));
 		return NULL;
 	}
 	this = gcrypt_rsa_private_key_create_empty();
@@ -497,7 +499,7 @@ gcrypt_rsa_private_key_t *gcrypt_rsa_private_key_gen(key_type_t type,
 	if (err)
 	{
 		free(this);
-		DBG1("generating RSA key failed: %s", gpg_strerror(err));
+		DBG1(DBG_LIB, "generating RSA key failed: %s", gpg_strerror(err));
 		return NULL;
 	}
 	return &this->public;
@@ -557,14 +559,14 @@ gcrypt_rsa_private_key_t *gcrypt_rsa_private_key_load(key_type_t type,
 					p.len, p.ptr, q.len, q.ptr, u.len, u.ptr);
 	if (err)
 	{
-		DBG1("loading private key failed: %s", gpg_strerror(err));
+		DBG1(DBG_LIB, "loading private key failed: %s", gpg_strerror(err));
 		free(this);
 		return NULL;
 	}
 	err = gcry_pk_testkey(this->key);
 	if (err)
 	{
-		DBG1("private key sanity check failed: %s", gpg_strerror(err));
+		DBG1(DBG_LIB, "private key sanity check failed: %s", gpg_strerror(err));
 		destroy(this);
 		return NULL;
 	}
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c
index e083fac94..5fd15d9a3 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c
@@ -83,14 +83,16 @@ static bool verify_raw(private_gcrypt_rsa_public_key_t *this,
 	chunk_free(&em);
 	if (err)
 	{
-		DBG1("building data S-expression failed: %s", gpg_strerror(err));
+		DBG1(DBG_LIB, "building data S-expression failed: %s",
+			 gpg_strerror(err));
 		return FALSE;
 	}
 	err = gcry_sexp_build(&sig, NULL, "(sig-val(rsa(s %b)))",
 						  signature.len, signature.ptr);
 	if (err)
 	{
-		DBG1("building signature S-expression failed: %s", gpg_strerror(err));
+		DBG1(DBG_LIB, "building signature S-expression failed: %s",
+			 gpg_strerror(err));
 		gcry_sexp_release(in);
 		return FALSE;
 	}
@@ -99,7 +101,8 @@ static bool verify_raw(private_gcrypt_rsa_public_key_t *this,
 	gcry_sexp_release(sig);
 	if (err)
 	{
-		DBG1("RSA signature verification failed: %s", gpg_strerror(err));
+		DBG1(DBG_LIB, "RSA signature verification failed: %s",
+			 gpg_strerror(err));
 		return FALSE;
 	}
 	return TRUE;
@@ -130,7 +133,8 @@ static bool verify_pkcs1(private_gcrypt_rsa_public_key_t *this,
 	chunk_free(&hash);
 	if (err)
 	{
-		DBG1("building data S-expression failed: %s", gpg_strerror(err));
+		DBG1(DBG_LIB, "building data S-expression failed: %s",
+			 gpg_strerror(err));
 		return FALSE;
 	}
 
@@ -138,7 +142,8 @@ static bool verify_pkcs1(private_gcrypt_rsa_public_key_t *this,
 						  signature.len, signature.ptr);
 	if (err)
 	{
-		DBG1("building signature S-expression failed: %s", gpg_strerror(err));
+		DBG1(DBG_LIB, "building signature S-expression failed: %s",
+			 gpg_strerror(err));
 		gcry_sexp_release(in);
 		return FALSE;
 	}
@@ -147,7 +152,8 @@ static bool verify_pkcs1(private_gcrypt_rsa_public_key_t *this,
 	gcry_sexp_release(sig);
 	if (err)
 	{
-		DBG1("RSA signature verification failed: %s", gpg_strerror(err));
+		DBG1(DBG_LIB, "RSA signature verification failed: %s",
+			 gpg_strerror(err));
 		return FALSE;
 	}
 	return TRUE;
@@ -184,7 +190,7 @@ static bool verify(private_gcrypt_rsa_public_key_t *this,
 		case SIGN_RSA_EMSA_PKCS1_SHA512:
 			return verify_pkcs1(this, HASH_SHA512, "sha512", data, signature);
 		default:
-			DBG1("signature scheme %N not supported in RSA",
+			DBG1(DBG_LIB, "signature scheme %N not supported in RSA",
 				 signature_scheme_names, scheme);
 			return FALSE;
 	}
@@ -205,14 +211,16 @@ static bool encrypt_(private_gcrypt_rsa_public_key_t *this, chunk_t plain,
 						  plain.len, plain.ptr);
 	if (err)
 	{
-		DBG1("building encryption S-expression failed: %s", gpg_strerror(err));
+		DBG1(DBG_LIB, "building encryption S-expression failed: %s",
+			 gpg_strerror(err));
 		return FALSE;
 	}
 	err = gcry_pk_encrypt(&out, in, this->key);
 	gcry_sexp_release(in);
 	if (err)
 	{
-		DBG1("encrypting data using pkcs1 failed: %s", gpg_strerror(err));
+		DBG1(DBG_LIB, "encrypting data using pkcs1 failed: %s",
+			 gpg_strerror(err));
 		return FALSE;
 	}
 	*encrypted = gcrypt_rsa_find_token(out, "a", this->key);
@@ -343,7 +351,7 @@ gcrypt_rsa_public_key_t *gcrypt_rsa_public_key_load(key_type_t type,
 						  n.len, n.ptr, e.len, e.ptr);
 	if (err)
 	{
-		DBG1("loading public key failed: %s", gpg_strerror(err));
+		DBG1(DBG_LIB, "loading public key failed: %s", gpg_strerror(err));
 		free(this);
 		return NULL;
 	}
diff --git a/src/libstrongswan/plugins/gmp/Makefile.am b/src/libstrongswan/plugins/gmp/Makefile.am
index 1ab358328..cc8ad34db 100644
--- a/src/libstrongswan/plugins/gmp/Makefile.am
+++ b/src/libstrongswan/plugins/gmp/Makefile.am
@@ -3,13 +3,17 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan
 
 AM_CFLAGS = -rdynamic
 
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-gmp.la
+else
 plugin_LTLIBRARIES = libstrongswan-gmp.la
+endif
 
-libstrongswan_gmp_la_SOURCES = gmp_plugin.h gmp_plugin.c \
-  gmp_diffie_hellman.c gmp_diffie_hellman.h \
-  gmp_rsa_private_key.c gmp_rsa_private_key.h \
-  gmp_rsa_public_key.c gmp_rsa_public_key.h
+libstrongswan_gmp_la_SOURCES = \
+	gmp_plugin.h gmp_plugin.c \
+	gmp_diffie_hellman.c gmp_diffie_hellman.h \
+	gmp_rsa_private_key.c gmp_rsa_private_key.h \
+	gmp_rsa_public_key.c gmp_rsa_public_key.h
 
 libstrongswan_gmp_la_LDFLAGS = -module -avoid-version
-libstrongswan_gmp_la_LIBADD = -lgmp
-
+libstrongswan_gmp_la_LIBADD  = -lgmp
diff --git a/src/libstrongswan/plugins/gmp/Makefile.in b/src/libstrongswan/plugins/gmp/Makefile.in
index 3077ea7e8..5c1a1fcd9 100644
--- a/src/libstrongswan/plugins/gmp/Makefile.in
+++ b/src/libstrongswan/plugins/gmp/Makefile.in
@@ -72,7 +72,7 @@ am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__installdirs = "$(DESTDIR)$(plugindir)"
-LTLIBRARIES = $(plugin_LTLIBRARIES)
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_gmp_la_DEPENDENCIES =
 am_libstrongswan_gmp_la_OBJECTS = gmp_plugin.lo gmp_diffie_hellman.lo \
 	gmp_rsa_private_key.lo gmp_rsa_public_key.lo
@@ -80,6 +80,8 @@ libstrongswan_gmp_la_OBJECTS = $(am_libstrongswan_gmp_la_OBJECTS)
 libstrongswan_gmp_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
 	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
 	$(libstrongswan_gmp_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_gmp_la_rpath = -rpath $(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_gmp_la_rpath =
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
@@ -218,6 +220,7 @@ ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libhydra_plugins = @libhydra_plugins@
 libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
@@ -254,11 +257,13 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
 AM_CFLAGS = -rdynamic
-plugin_LTLIBRARIES = libstrongswan-gmp.la
-libstrongswan_gmp_la_SOURCES = gmp_plugin.h gmp_plugin.c \
-  gmp_diffie_hellman.c gmp_diffie_hellman.h \
-  gmp_rsa_private_key.c gmp_rsa_private_key.h \
-  gmp_rsa_public_key.c gmp_rsa_public_key.h
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-gmp.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-gmp.la
+libstrongswan_gmp_la_SOURCES = \
+	gmp_plugin.h gmp_plugin.c \
+	gmp_diffie_hellman.c gmp_diffie_hellman.h \
+	gmp_rsa_private_key.c gmp_rsa_private_key.h \
+	gmp_rsa_public_key.c gmp_rsa_public_key.h
 
 libstrongswan_gmp_la_LDFLAGS = -module -avoid-version
 libstrongswan_gmp_la_LIBADD = -lgmp
@@ -296,6 +301,15 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
 	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
@@ -328,7 +342,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-gmp.la: $(libstrongswan_gmp_la_OBJECTS) $(libstrongswan_gmp_la_DEPENDENCIES) 
-	$(libstrongswan_gmp_la_LINK) -rpath $(plugindir) $(libstrongswan_gmp_la_OBJECTS) $(libstrongswan_gmp_la_LIBADD) $(LIBS)
+	$(libstrongswan_gmp_la_LINK) $(am_libstrongswan_gmp_la_rpath) $(libstrongswan_gmp_la_OBJECTS) $(libstrongswan_gmp_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -484,8 +498,8 @@ maintainer-clean-generic:
 	@echo "it deletes files that may require special tools to rebuild."
 clean: clean-am
 
-clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
-	mostlyclean-am
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
 
 distclean: distclean-am
 	-rm -rf ./$(DEPDIR)
@@ -556,18 +570,19 @@ uninstall-am: uninstall-pluginLTLIBRARIES
 .MAKE: install-am install-strip
 
 .PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
-	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
-	distclean-compile distclean-generic distclean-libtool \
-	distclean-tags distdir dvi dvi-am html html-am info info-am \
-	install install-am install-data install-data-am install-dvi \
-	install-dvi-am install-exec install-exec-am install-html \
-	install-html-am install-info install-info-am install-man \
-	install-pdf install-pdf-am install-pluginLTLIBRARIES \
-	install-ps install-ps-am install-strip installcheck \
-	installcheck-am installdirs maintainer-clean \
-	maintainer-clean-generic mostlyclean mostlyclean-compile \
-	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
 
 
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
diff --git a/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c b/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c
index ea7e6fdd2..4ee449890 100644
--- a/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c
+++ b/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c
@@ -1,6 +1,7 @@
 /*
  * Copyright (C) 1998-2002  D. Hugh Redelmeier.
  * Copyright (C) 1999, 2000, 2001  Henry Spencer.
+ * Copyright (C) 2010 Tobias Brunner
  * Copyright (C) 2005-2008 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
@@ -22,309 +23,10 @@
 
 #include <debug.h>
 
-
-/**
- * Modulus of Group 1 (MODP_768_BIT).
- */
-static u_int8_t group1_modulus[] = {
-	0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,0x21,0x68,0xC2,0x34,
-	0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,
-	0x02,0x0B,0xBE,0xA6,0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,
-	0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,0xF2,0x5F,0x14,0x37,
-	0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,
-	0xF4,0x4C,0x42,0xE9,0xA6,0x3A,0x36,0x20,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF
-};
-
-/**
- * Modulus of Group 2 (MODP_1024_BIT).
- */
-static u_int8_t group2_modulus[] = {
-	0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,0x21,0x68,0xC2,0x34,
-	0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,
-	0x02,0x0B,0xBE,0xA6,0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,
-	0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,0xF2,0x5F,0x14,0x37,
-	0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,
-	0xF4,0x4C,0x42,0xE9,0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED,
-	0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11,0x7C,0x4B,0x1F,0xE6,
-	0x49,0x28,0x66,0x51,0xEC,0xE6,0x53,0x81,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF
-};
-
-/**
- * Modulus of Group 5 (MODP_1536_BIT).
- */
-static u_int8_t group5_modulus[] = {
-	0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,0x21,0x68,0xC2,0x34,
-	0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,
-	0x02,0x0B,0xBE,0xA6,0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,
-	0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,0xF2,0x5F,0x14,0x37,
-	0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,
-	0xF4,0x4C,0x42,0xE9,0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED,
-	0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11,0x7C,0x4B,0x1F,0xE6,
-	0x49,0x28,0x66,0x51,0xEC,0xE4,0x5B,0x3D,0xC2,0x00,0x7C,0xB8,0xA1,0x63,0xBF,0x05,
-	0x98,0xDA,0x48,0x36,0x1C,0x55,0xD3,0x9A,0x69,0x16,0x3F,0xA8,0xFD,0x24,0xCF,0x5F,
-	0x83,0x65,0x5D,0x23,0xDC,0xA3,0xAD,0x96,0x1C,0x62,0xF3,0x56,0x20,0x85,0x52,0xBB,
-	0x9E,0xD5,0x29,0x07,0x70,0x96,0x96,0x6D,0x67,0x0C,0x35,0x4E,0x4A,0xBC,0x98,0x04,
-	0xF1,0x74,0x6C,0x08,0xCA,0x23,0x73,0x27,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF
-};
-/**
- * Modulus of Group 14 (MODP_2048_BIT).
- */
-static u_int8_t group14_modulus[] = {
-	0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,0x21,0x68,0xC2,0x34,
-	0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,
-	0x02,0x0B,0xBE,0xA6,0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,
-	0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,0xF2,0x5F,0x14,0x37,
-	0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,
-	0xF4,0x4C,0x42,0xE9,0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED,
-	0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11,0x7C,0x4B,0x1F,0xE6,
-	0x49,0x28,0x66,0x51,0xEC,0xE4,0x5B,0x3D,0xC2,0x00,0x7C,0xB8,0xA1,0x63,0xBF,0x05,
-	0x98,0xDA,0x48,0x36,0x1C,0x55,0xD3,0x9A,0x69,0x16,0x3F,0xA8,0xFD,0x24,0xCF,0x5F,
-	0x83,0x65,0x5D,0x23,0xDC,0xA3,0xAD,0x96,0x1C,0x62,0xF3,0x56,0x20,0x85,0x52,0xBB,
-	0x9E,0xD5,0x29,0x07,0x70,0x96,0x96,0x6D,0x67,0x0C,0x35,0x4E,0x4A,0xBC,0x98,0x04,
-	0xF1,0x74,0x6C,0x08,0xCA,0x18,0x21,0x7C,0x32,0x90,0x5E,0x46,0x2E,0x36,0xCE,0x3B,
-	0xE3,0x9E,0x77,0x2C,0x18,0x0E,0x86,0x03,0x9B,0x27,0x83,0xA2,0xEC,0x07,0xA2,0x8F,
-	0xB5,0xC5,0x5D,0xF0,0x6F,0x4C,0x52,0xC9,0xDE,0x2B,0xCB,0xF6,0x95,0x58,0x17,0x18,
-	0x39,0x95,0x49,0x7C,0xEA,0x95,0x6A,0xE5,0x15,0xD2,0x26,0x18,0x98,0xFA,0x05,0x10,
-	0x15,0x72,0x8E,0x5A,0x8A,0xAC,0xAA,0x68,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF
-};
-
-/**
- * Modulus of Group 15 (MODP_3072_BIT).
- */
-static u_int8_t group15_modulus[] = {
-	0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,0x21,0x68,0xC2,0x34,
-	0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,
-	0x02,0x0B,0xBE,0xA6,0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,
-	0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,0xF2,0x5F,0x14,0x37,
-	0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,
-	0xF4,0x4C,0x42,0xE9,0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED,
-	0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11,0x7C,0x4B,0x1F,0xE6,
-	0x49,0x28,0x66,0x51,0xEC,0xE4,0x5B,0x3D,0xC2,0x00,0x7C,0xB8,0xA1,0x63,0xBF,0x05,
-	0x98,0xDA,0x48,0x36,0x1C,0x55,0xD3,0x9A,0x69,0x16,0x3F,0xA8,0xFD,0x24,0xCF,0x5F,
-	0x83,0x65,0x5D,0x23,0xDC,0xA3,0xAD,0x96,0x1C,0x62,0xF3,0x56,0x20,0x85,0x52,0xBB,
-	0x9E,0xD5,0x29,0x07,0x70,0x96,0x96,0x6D,0x67,0x0C,0x35,0x4E,0x4A,0xBC,0x98,0x04,
-	0xF1,0x74,0x6C,0x08,0xCA,0x18,0x21,0x7C,0x32,0x90,0x5E,0x46,0x2E,0x36,0xCE,0x3B,
-	0xE3,0x9E,0x77,0x2C,0x18,0x0E,0x86,0x03,0x9B,0x27,0x83,0xA2,0xEC,0x07,0xA2,0x8F,
-	0xB5,0xC5,0x5D,0xF0,0x6F,0x4C,0x52,0xC9,0xDE,0x2B,0xCB,0xF6,0x95,0x58,0x17,0x18,
-	0x39,0x95,0x49,0x7C,0xEA,0x95,0x6A,0xE5,0x15,0xD2,0x26,0x18,0x98,0xFA,0x05,0x10,
-	0x15,0x72,0x8E,0x5A,0x8A,0xAA,0xC4,0x2D,0xAD,0x33,0x17,0x0D,0x04,0x50,0x7A,0x33,
-	0xA8,0x55,0x21,0xAB,0xDF,0x1C,0xBA,0x64,0xEC,0xFB,0x85,0x04,0x58,0xDB,0xEF,0x0A,
-	0x8A,0xEA,0x71,0x57,0x5D,0x06,0x0C,0x7D,0xB3,0x97,0x0F,0x85,0xA6,0xE1,0xE4,0xC7,
-	0xAB,0xF5,0xAE,0x8C,0xDB,0x09,0x33,0xD7,0x1E,0x8C,0x94,0xE0,0x4A,0x25,0x61,0x9D,
-	0xCE,0xE3,0xD2,0x26,0x1A,0xD2,0xEE,0x6B,0xF1,0x2F,0xFA,0x06,0xD9,0x8A,0x08,0x64,
-	0xD8,0x76,0x02,0x73,0x3E,0xC8,0x6A,0x64,0x52,0x1F,0x2B,0x18,0x17,0x7B,0x20,0x0C,
-	0xBB,0xE1,0x17,0x57,0x7A,0x61,0x5D,0x6C,0x77,0x09,0x88,0xC0,0xBA,0xD9,0x46,0xE2,
-	0x08,0xE2,0x4F,0xA0,0x74,0xE5,0xAB,0x31,0x43,0xDB,0x5B,0xFC,0xE0,0xFD,0x10,0x8E,
-	0x4B,0x82,0xD1,0x20,0xA9,0x3A,0xD2,0xCA,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF
-};
-
-/**
- * Modulus of Group 16 (MODP_4096_BIT).
- */
-static u_int8_t group16_modulus[] = {
-	0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,0x21,0x68,0xC2,0x34,
-	0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,
-	0x02,0x0B,0xBE,0xA6,0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,
-	0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,0xF2,0x5F,0x14,0x37,
-	0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,
-	0xF4,0x4C,0x42,0xE9,0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED,
-	0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11,0x7C,0x4B,0x1F,0xE6,
-	0x49,0x28,0x66,0x51,0xEC,0xE4,0x5B,0x3D,0xC2,0x00,0x7C,0xB8,0xA1,0x63,0xBF,0x05,
-	0x98,0xDA,0x48,0x36,0x1C,0x55,0xD3,0x9A,0x69,0x16,0x3F,0xA8,0xFD,0x24,0xCF,0x5F,
-	0x83,0x65,0x5D,0x23,0xDC,0xA3,0xAD,0x96,0x1C,0x62,0xF3,0x56,0x20,0x85,0x52,0xBB,
-	0x9E,0xD5,0x29,0x07,0x70,0x96,0x96,0x6D,0x67,0x0C,0x35,0x4E,0x4A,0xBC,0x98,0x04,
-	0xF1,0x74,0x6C,0x08,0xCA,0x18,0x21,0x7C,0x32,0x90,0x5E,0x46,0x2E,0x36,0xCE,0x3B,
-	0xE3,0x9E,0x77,0x2C,0x18,0x0E,0x86,0x03,0x9B,0x27,0x83,0xA2,0xEC,0x07,0xA2,0x8F,
-	0xB5,0xC5,0x5D,0xF0,0x6F,0x4C,0x52,0xC9,0xDE,0x2B,0xCB,0xF6,0x95,0x58,0x17,0x18,
-	0x39,0x95,0x49,0x7C,0xEA,0x95,0x6A,0xE5,0x15,0xD2,0x26,0x18,0x98,0xFA,0x05,0x10,
-	0x15,0x72,0x8E,0x5A,0x8A,0xAA,0xC4,0x2D,0xAD,0x33,0x17,0x0D,0x04,0x50,0x7A,0x33,
-	0xA8,0x55,0x21,0xAB,0xDF,0x1C,0xBA,0x64,0xEC,0xFB,0x85,0x04,0x58,0xDB,0xEF,0x0A,
-	0x8A,0xEA,0x71,0x57,0x5D,0x06,0x0C,0x7D,0xB3,0x97,0x0F,0x85,0xA6,0xE1,0xE4,0xC7,
-	0xAB,0xF5,0xAE,0x8C,0xDB,0x09,0x33,0xD7,0x1E,0x8C,0x94,0xE0,0x4A,0x25,0x61,0x9D,
-	0xCE,0xE3,0xD2,0x26,0x1A,0xD2,0xEE,0x6B,0xF1,0x2F,0xFA,0x06,0xD9,0x8A,0x08,0x64,
-	0xD8,0x76,0x02,0x73,0x3E,0xC8,0x6A,0x64,0x52,0x1F,0x2B,0x18,0x17,0x7B,0x20,0x0C,
-	0xBB,0xE1,0x17,0x57,0x7A,0x61,0x5D,0x6C,0x77,0x09,0x88,0xC0,0xBA,0xD9,0x46,0xE2,
-	0x08,0xE2,0x4F,0xA0,0x74,0xE5,0xAB,0x31,0x43,0xDB,0x5B,0xFC,0xE0,0xFD,0x10,0x8E,
-	0x4B,0x82,0xD1,0x20,0xA9,0x21,0x08,0x01,0x1A,0x72,0x3C,0x12,0xA7,0x87,0xE6,0xD7,
-	0x88,0x71,0x9A,0x10,0xBD,0xBA,0x5B,0x26,0x99,0xC3,0x27,0x18,0x6A,0xF4,0xE2,0x3C,
-	0x1A,0x94,0x68,0x34,0xB6,0x15,0x0B,0xDA,0x25,0x83,0xE9,0xCA,0x2A,0xD4,0x4C,0xE8,
-	0xDB,0xBB,0xC2,0xDB,0x04,0xDE,0x8E,0xF9,0x2E,0x8E,0xFC,0x14,0x1F,0xBE,0xCA,0xA6,
-	0x28,0x7C,0x59,0x47,0x4E,0x6B,0xC0,0x5D,0x99,0xB2,0x96,0x4F,0xA0,0x90,0xC3,0xA2,
-	0x23,0x3B,0xA1,0x86,0x51,0x5B,0xE7,0xED,0x1F,0x61,0x29,0x70,0xCE,0xE2,0xD7,0xAF,
-	0xB8,0x1B,0xDD,0x76,0x21,0x70,0x48,0x1C,0xD0,0x06,0x91,0x27,0xD5,0xB0,0x5A,0xA9,
-	0x93,0xB4,0xEA,0x98,0x8D,0x8F,0xDD,0xC1,0x86,0xFF,0xB7,0xDC,0x90,0xA6,0xC0,0x8F,
-	0x4D,0xF4,0x35,0xC9,0x34,0x06,0x31,0x99,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF
-};
-
-/**
- * Modulus of Group 17 (MODP_6144_BIT).
- */
-static u_int8_t group17_modulus[] = {
-	0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,0x21,0x68,0xC2,0x34,
-	0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,
-	0x02,0x0B,0xBE,0xA6,0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,
-	0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,0xF2,0x5F,0x14,0x37,
-	0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,
-	0xF4,0x4C,0x42,0xE9,0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED,
-	0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11,0x7C,0x4B,0x1F,0xE6,
-	0x49,0x28,0x66,0x51,0xEC,0xE4,0x5B,0x3D,0xC2,0x00,0x7C,0xB8,0xA1,0x63,0xBF,0x05,
-	0x98,0xDA,0x48,0x36,0x1C,0x55,0xD3,0x9A,0x69,0x16,0x3F,0xA8,0xFD,0x24,0xCF,0x5F,
-	0x83,0x65,0x5D,0x23,0xDC,0xA3,0xAD,0x96,0x1C,0x62,0xF3,0x56,0x20,0x85,0x52,0xBB,
-	0x9E,0xD5,0x29,0x07,0x70,0x96,0x96,0x6D,0x67,0x0C,0x35,0x4E,0x4A,0xBC,0x98,0x04,
-	0xF1,0x74,0x6C,0x08,0xCA,0x18,0x21,0x7C,0x32,0x90,0x5E,0x46,0x2E,0x36,0xCE,0x3B,
-	0xE3,0x9E,0x77,0x2C,0x18,0x0E,0x86,0x03,0x9B,0x27,0x83,0xA2,0xEC,0x07,0xA2,0x8F,
-	0xB5,0xC5,0x5D,0xF0,0x6F,0x4C,0x52,0xC9,0xDE,0x2B,0xCB,0xF6,0x95,0x58,0x17,0x18,
-	0x39,0x95,0x49,0x7C,0xEA,0x95,0x6A,0xE5,0x15,0xD2,0x26,0x18,0x98,0xFA,0x05,0x10,
-	0x15,0x72,0x8E,0x5A,0x8A,0xAA,0xC4,0x2D,0xAD,0x33,0x17,0x0D,0x04,0x50,0x7A,0x33,
-	0xA8,0x55,0x21,0xAB,0xDF,0x1C,0xBA,0x64,0xEC,0xFB,0x85,0x04,0x58,0xDB,0xEF,0x0A,
-	0x8A,0xEA,0x71,0x57,0x5D,0x06,0x0C,0x7D,0xB3,0x97,0x0F,0x85,0xA6,0xE1,0xE4,0xC7,
-	0xAB,0xF5,0xAE,0x8C,0xDB,0x09,0x33,0xD7,0x1E,0x8C,0x94,0xE0,0x4A,0x25,0x61,0x9D,
-	0xCE,0xE3,0xD2,0x26,0x1A,0xD2,0xEE,0x6B,0xF1,0x2F,0xFA,0x06,0xD9,0x8A,0x08,0x64,
-	0xD8,0x76,0x02,0x73,0x3E,0xC8,0x6A,0x64,0x52,0x1F,0x2B,0x18,0x17,0x7B,0x20,0x0C,
-	0xBB,0xE1,0x17,0x57,0x7A,0x61,0x5D,0x6C,0x77,0x09,0x88,0xC0,0xBA,0xD9,0x46,0xE2,
-	0x08,0xE2,0x4F,0xA0,0x74,0xE5,0xAB,0x31,0x43,0xDB,0x5B,0xFC,0xE0,0xFD,0x10,0x8E,
-	0x4B,0x82,0xD1,0x20,0xA9,0x21,0x08,0x01,0x1A,0x72,0x3C,0x12,0xA7,0x87,0xE6,0xD7,
-	0x88,0x71,0x9A,0x10,0xBD,0xBA,0x5B,0x26,0x99,0xC3,0x27,0x18,0x6A,0xF4,0xE2,0x3C,
-	0x1A,0x94,0x68,0x34,0xB6,0x15,0x0B,0xDA,0x25,0x83,0xE9,0xCA,0x2A,0xD4,0x4C,0xE8,
-	0xDB,0xBB,0xC2,0xDB,0x04,0xDE,0x8E,0xF9,0x2E,0x8E,0xFC,0x14,0x1F,0xBE,0xCA,0xA6,
-	0x28,0x7C,0x59,0x47,0x4E,0x6B,0xC0,0x5D,0x99,0xB2,0x96,0x4F,0xA0,0x90,0xC3,0xA2,
-	0x23,0x3B,0xA1,0x86,0x51,0x5B,0xE7,0xED,0x1F,0x61,0x29,0x70,0xCE,0xE2,0xD7,0xAF,
-	0xB8,0x1B,0xDD,0x76,0x21,0x70,0x48,0x1C,0xD0,0x06,0x91,0x27,0xD5,0xB0,0x5A,0xA9,
-	0x93,0xB4,0xEA,0x98,0x8D,0x8F,0xDD,0xC1,0x86,0xFF,0xB7,0xDC,0x90,0xA6,0xC0,0x8F,
-	0x4D,0xF4,0x35,0xC9,0x34,0x02,0x84,0x92,0x36,0xC3,0xFA,0xB4,0xD2,0x7C,0x70,0x26,
-	0xC1,0xD4,0xDC,0xB2,0x60,0x26,0x46,0xDE,0xC9,0x75,0x1E,0x76,0x3D,0xBA,0x37,0xBD,
-	0xF8,0xFF,0x94,0x06,0xAD,0x9E,0x53,0x0E,0xE5,0xDB,0x38,0x2F,0x41,0x30,0x01,0xAE,
-	0xB0,0x6A,0x53,0xED,0x90,0x27,0xD8,0x31,0x17,0x97,0x27,0xB0,0x86,0x5A,0x89,0x18,
-	0xDA,0x3E,0xDB,0xEB,0xCF,0x9B,0x14,0xED,0x44,0xCE,0x6C,0xBA,0xCE,0xD4,0xBB,0x1B,
-	0xDB,0x7F,0x14,0x47,0xE6,0xCC,0x25,0x4B,0x33,0x20,0x51,0x51,0x2B,0xD7,0xAF,0x42,
-	0x6F,0xB8,0xF4,0x01,0x37,0x8C,0xD2,0xBF,0x59,0x83,0xCA,0x01,0xC6,0x4B,0x92,0xEC,
-	0xF0,0x32,0xEA,0x15,0xD1,0x72,0x1D,0x03,0xF4,0x82,0xD7,0xCE,0x6E,0x74,0xFE,0xF6,
-	0xD5,0x5E,0x70,0x2F,0x46,0x98,0x0C,0x82,0xB5,0xA8,0x40,0x31,0x90,0x0B,0x1C,0x9E,
-	0x59,0xE7,0xC9,0x7F,0xBE,0xC7,0xE8,0xF3,0x23,0xA9,0x7A,0x7E,0x36,0xCC,0x88,0xBE,
-	0x0F,0x1D,0x45,0xB7,0xFF,0x58,0x5A,0xC5,0x4B,0xD4,0x07,0xB2,0x2B,0x41,0x54,0xAA,
-	0xCC,0x8F,0x6D,0x7E,0xBF,0x48,0xE1,0xD8,0x14,0xCC,0x5E,0xD2,0x0F,0x80,0x37,0xE0,
-	0xA7,0x97,0x15,0xEE,0xF2,0x9B,0xE3,0x28,0x06,0xA1,0xD5,0x8B,0xB7,0xC5,0xDA,0x76,
-	0xF5,0x50,0xAA,0x3D,0x8A,0x1F,0xBF,0xF0,0xEB,0x19,0xCC,0xB1,0xA3,0x13,0xD5,0x5C,
-	0xDA,0x56,0xC9,0xEC,0x2E,0xF2,0x96,0x32,0x38,0x7F,0xE8,0xD7,0x6E,0x3C,0x04,0x68,
-	0x04,0x3E,0x8F,0x66,0x3F,0x48,0x60,0xEE,0x12,0xBF,0x2D,0x5B,0x0B,0x74,0x74,0xD6,
-	0xE6,0x94,0xF9,0x1E,0x6D,0xCC,0x40,0x24,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF
-};
-
-/**
- * Modulus of Group 18 (MODP_8192_BIT).
- */
-static u_int8_t group18_modulus[] = {
-	0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,0x21,0x68,0xC2,0x34,
-	0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,
-	0x02,0x0B,0xBE,0xA6,0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,
-	0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,0xF2,0x5F,0x14,0x37,
-	0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,
-	0xF4,0x4C,0x42,0xE9,0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED,
-	0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11,0x7C,0x4B,0x1F,0xE6,
-	0x49,0x28,0x66,0x51,0xEC,0xE4,0x5B,0x3D,0xC2,0x00,0x7C,0xB8,0xA1,0x63,0xBF,0x05,
-	0x98,0xDA,0x48,0x36,0x1C,0x55,0xD3,0x9A,0x69,0x16,0x3F,0xA8,0xFD,0x24,0xCF,0x5F,
-	0x83,0x65,0x5D,0x23,0xDC,0xA3,0xAD,0x96,0x1C,0x62,0xF3,0x56,0x20,0x85,0x52,0xBB,
-	0x9E,0xD5,0x29,0x07,0x70,0x96,0x96,0x6D,0x67,0x0C,0x35,0x4E,0x4A,0xBC,0x98,0x04,
-	0xF1,0x74,0x6C,0x08,0xCA,0x18,0x21,0x7C,0x32,0x90,0x5E,0x46,0x2E,0x36,0xCE,0x3B,
-	0xE3,0x9E,0x77,0x2C,0x18,0x0E,0x86,0x03,0x9B,0x27,0x83,0xA2,0xEC,0x07,0xA2,0x8F,
-	0xB5,0xC5,0x5D,0xF0,0x6F,0x4C,0x52,0xC9,0xDE,0x2B,0xCB,0xF6,0x95,0x58,0x17,0x18,
-	0x39,0x95,0x49,0x7C,0xEA,0x95,0x6A,0xE5,0x15,0xD2,0x26,0x18,0x98,0xFA,0x05,0x10,
-	0x15,0x72,0x8E,0x5A,0x8A,0xAA,0xC4,0x2D,0xAD,0x33,0x17,0x0D,0x04,0x50,0x7A,0x33,
-	0xA8,0x55,0x21,0xAB,0xDF,0x1C,0xBA,0x64,0xEC,0xFB,0x85,0x04,0x58,0xDB,0xEF,0x0A,
-	0x8A,0xEA,0x71,0x57,0x5D,0x06,0x0C,0x7D,0xB3,0x97,0x0F,0x85,0xA6,0xE1,0xE4,0xC7,
-	0xAB,0xF5,0xAE,0x8C,0xDB,0x09,0x33,0xD7,0x1E,0x8C,0x94,0xE0,0x4A,0x25,0x61,0x9D,
-	0xCE,0xE3,0xD2,0x26,0x1A,0xD2,0xEE,0x6B,0xF1,0x2F,0xFA,0x06,0xD9,0x8A,0x08,0x64,
-	0xD8,0x76,0x02,0x73,0x3E,0xC8,0x6A,0x64,0x52,0x1F,0x2B,0x18,0x17,0x7B,0x20,0x0C,
-	0xBB,0xE1,0x17,0x57,0x7A,0x61,0x5D,0x6C,0x77,0x09,0x88,0xC0,0xBA,0xD9,0x46,0xE2,
-	0x08,0xE2,0x4F,0xA0,0x74,0xE5,0xAB,0x31,0x43,0xDB,0x5B,0xFC,0xE0,0xFD,0x10,0x8E,
-	0x4B,0x82,0xD1,0x20,0xA9,0x21,0x08,0x01,0x1A,0x72,0x3C,0x12,0xA7,0x87,0xE6,0xD7,
-	0x88,0x71,0x9A,0x10,0xBD,0xBA,0x5B,0x26,0x99,0xC3,0x27,0x18,0x6A,0xF4,0xE2,0x3C,
-	0x1A,0x94,0x68,0x34,0xB6,0x15,0x0B,0xDA,0x25,0x83,0xE9,0xCA,0x2A,0xD4,0x4C,0xE8,
-	0xDB,0xBB,0xC2,0xDB,0x04,0xDE,0x8E,0xF9,0x2E,0x8E,0xFC,0x14,0x1F,0xBE,0xCA,0xA6,
-	0x28,0x7C,0x59,0x47,0x4E,0x6B,0xC0,0x5D,0x99,0xB2,0x96,0x4F,0xA0,0x90,0xC3,0xA2,
-	0x23,0x3B,0xA1,0x86,0x51,0x5B,0xE7,0xED,0x1F,0x61,0x29,0x70,0xCE,0xE2,0xD7,0xAF,
-	0xB8,0x1B,0xDD,0x76,0x21,0x70,0x48,0x1C,0xD0,0x06,0x91,0x27,0xD5,0xB0,0x5A,0xA9,
-	0x93,0xB4,0xEA,0x98,0x8D,0x8F,0xDD,0xC1,0x86,0xFF,0xB7,0xDC,0x90,0xA6,0xC0,0x8F,
-	0x4D,0xF4,0x35,0xC9,0x34,0x02,0x84,0x92,0x36,0xC3,0xFA,0xB4,0xD2,0x7C,0x70,0x26,
-	0xC1,0xD4,0xDC,0xB2,0x60,0x26,0x46,0xDE,0xC9,0x75,0x1E,0x76,0x3D,0xBA,0x37,0xBD,
-	0xF8,0xFF,0x94,0x06,0xAD,0x9E,0x53,0x0E,0xE5,0xDB,0x38,0x2F,0x41,0x30,0x01,0xAE,
-	0xB0,0x6A,0x53,0xED,0x90,0x27,0xD8,0x31,0x17,0x97,0x27,0xB0,0x86,0x5A,0x89,0x18,
-	0xDA,0x3E,0xDB,0xEB,0xCF,0x9B,0x14,0xED,0x44,0xCE,0x6C,0xBA,0xCE,0xD4,0xBB,0x1B,
-	0xDB,0x7F,0x14,0x47,0xE6,0xCC,0x25,0x4B,0x33,0x20,0x51,0x51,0x2B,0xD7,0xAF,0x42,
-	0x6F,0xB8,0xF4,0x01,0x37,0x8C,0xD2,0xBF,0x59,0x83,0xCA,0x01,0xC6,0x4B,0x92,0xEC,
-	0xF0,0x32,0xEA,0x15,0xD1,0x72,0x1D,0x03,0xF4,0x82,0xD7,0xCE,0x6E,0x74,0xFE,0xF6,
-	0xD5,0x5E,0x70,0x2F,0x46,0x98,0x0C,0x82,0xB5,0xA8,0x40,0x31,0x90,0x0B,0x1C,0x9E,
-	0x59,0xE7,0xC9,0x7F,0xBE,0xC7,0xE8,0xF3,0x23,0xA9,0x7A,0x7E,0x36,0xCC,0x88,0xBE,
-	0x0F,0x1D,0x45,0xB7,0xFF,0x58,0x5A,0xC5,0x4B,0xD4,0x07,0xB2,0x2B,0x41,0x54,0xAA,
-	0xCC,0x8F,0x6D,0x7E,0xBF,0x48,0xE1,0xD8,0x14,0xCC,0x5E,0xD2,0x0F,0x80,0x37,0xE0,
-	0xA7,0x97,0x15,0xEE,0xF2,0x9B,0xE3,0x28,0x06,0xA1,0xD5,0x8B,0xB7,0xC5,0xDA,0x76,
-	0xF5,0x50,0xAA,0x3D,0x8A,0x1F,0xBF,0xF0,0xEB,0x19,0xCC,0xB1,0xA3,0x13,0xD5,0x5C,
-	0xDA,0x56,0xC9,0xEC,0x2E,0xF2,0x96,0x32,0x38,0x7F,0xE8,0xD7,0x6E,0x3C,0x04,0x68,
-	0x04,0x3E,0x8F,0x66,0x3F,0x48,0x60,0xEE,0x12,0xBF,0x2D,0x5B,0x0B,0x74,0x74,0xD6,
-	0xE6,0x94,0xF9,0x1E,0x6D,0xBE,0x11,0x59,0x74,0xA3,0x92,0x6F,0x12,0xFE,0xE5,0xE4,
-	0x38,0x77,0x7C,0xB6,0xA9,0x32,0xDF,0x8C,0xD8,0xBE,0xC4,0xD0,0x73,0xB9,0x31,0xBA,
-	0x3B,0xC8,0x32,0xB6,0x8D,0x9D,0xD3,0x00,0x74,0x1F,0xA7,0xBF,0x8A,0xFC,0x47,0xED,
-	0x25,0x76,0xF6,0x93,0x6B,0xA4,0x24,0x66,0x3A,0xAB,0x63,0x9C,0x5A,0xE4,0xF5,0x68,
-	0x34,0x23,0xB4,0x74,0x2B,0xF1,0xC9,0x78,0x23,0x8F,0x16,0xCB,0xE3,0x9D,0x65,0x2D,
-	0xE3,0xFD,0xB8,0xBE,0xFC,0x84,0x8A,0xD9,0x22,0x22,0x2E,0x04,0xA4,0x03,0x7C,0x07,
-	0x13,0xEB,0x57,0xA8,0x1A,0x23,0xF0,0xC7,0x34,0x73,0xFC,0x64,0x6C,0xEA,0x30,0x6B,
-	0x4B,0xCB,0xC8,0x86,0x2F,0x83,0x85,0xDD,0xFA,0x9D,0x4B,0x7F,0xA2,0xC0,0x87,0xE8,
-	0x79,0x68,0x33,0x03,0xED,0x5B,0xDD,0x3A,0x06,0x2B,0x3C,0xF5,0xB3,0xA2,0x78,0xA6,
-	0x6D,0x2A,0x13,0xF8,0x3F,0x44,0xF8,0x2D,0xDF,0x31,0x0E,0xE0,0x74,0xAB,0x6A,0x36,
-	0x45,0x97,0xE8,0x99,0xA0,0x25,0x5D,0xC1,0x64,0xF3,0x1C,0xC5,0x08,0x46,0x85,0x1D,
-	0xF9,0xAB,0x48,0x19,0x5D,0xED,0x7E,0xA1,0xB1,0xD5,0x10,0xBD,0x7E,0xE7,0x4D,0x73,
-	0xFA,0xF3,0x6B,0xC3,0x1E,0xCF,0xA2,0x68,0x35,0x90,0x46,0xF4,0xEB,0x87,0x9F,0x92,
-	0x40,0x09,0x43,0x8B,0x48,0x1C,0x6C,0xD7,0x88,0x9A,0x00,0x2E,0xD5,0xEE,0x38,0x2B,
-	0xC9,0x19,0x0D,0xA6,0xFC,0x02,0x6E,0x47,0x95,0x58,0xE4,0x47,0x56,0x77,0xE9,0xAA,
-	0x9E,0x30,0x50,0xE2,0x76,0x56,0x94,0xDF,0xC8,0x1F,0x56,0xE8,0x80,0xB9,0x6E,0x71,
-	0x60,0xC9,0x80,0xDD,0x98,0xED,0xD3,0xDF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
-};
-
-typedef struct modulus_entry_t modulus_entry_t;
-
-/**
- * Entry of the modulus list.
- */
-struct modulus_entry_t {
-	/**
-	 * Group number as it is defined in file transform_substructure.h.
-	 */
-	diffie_hellman_group_t group;
-
-	/**
-	 * Pointer to first byte of modulus (network order).
-	 */
-	u_int8_t *modulus;
-
-	/*
-	 * Length of modulus in bytes.
-	 */
-	size_t modulus_len;
-
-	/*
-	 * Optimum length of exponent in bytes.
-	 */
-	size_t opt_exponent_len;
-
-	/*
-	 * Generator value.
-	 */
-	u_int16_t generator;
-};
-
-/**
- * All supported modulus values - optimum exponent size according to RFC 3526.
- */
-static modulus_entry_t modulus_entries[] = {
-	{MODP_768_BIT,  group1_modulus,  sizeof(group1_modulus),  32, 2},
-	{MODP_1024_BIT, group2_modulus,  sizeof(group2_modulus),  32, 2},
-	{MODP_1536_BIT, group5_modulus,  sizeof(group5_modulus),  32, 2},
-	{MODP_2048_BIT, group14_modulus, sizeof(group14_modulus), 48, 2},
-	{MODP_3072_BIT, group15_modulus, sizeof(group15_modulus), 48, 2},
-	{MODP_4096_BIT, group16_modulus, sizeof(group16_modulus), 64, 2},
-	{MODP_6144_BIT, group17_modulus, sizeof(group17_modulus), 64, 2},
-	{MODP_8192_BIT, group18_modulus, sizeof(group18_modulus), 64, 2},
-};
+#ifdef HAVE_MPZ_POWM_SEC
+# undef mpz_powm
+# define mpz_powm mpz_powm_sec
+#endif
 
 typedef struct private_gmp_diffie_hellman_t private_gmp_diffie_hellman_t;
 
@@ -377,11 +79,6 @@ struct private_gmp_diffie_hellman_t {
 	 */
 	size_t p_len;
 
-	/**
-	 * Optimal exponent length.
-	 */
-	size_t opt_exponent_len;
-
 	/**
 	 * True if shared secret is computed and stored in my_public_value.
 	 */
@@ -409,10 +106,20 @@ static void set_other_public_value(private_gmp_diffie_hellman_t *this, chunk_t v
 #ifdef EXTENDED_DH_TEST
 		/* 3. test if y ^ q mod p = 1, where q = (p - 1)/2. */
 		mpz_t q, one;
+		diffie_hellman_params_t *params;
 
 		mpz_init(q);
 		mpz_init(one);
-		mpz_fdiv_q_2exp(q, p_min_1, 1);
+
+		params = diffie_hellman_get_params(this->group);
+		if (!params->subgroup.len)
+		{
+			mpz_fdiv_q_2exp(q, p_min_1, 1);
+		}
+		else
+		{
+			mpz_import(q, params->subgroup.len, 1, 1, 1, 0, params->subgroup.ptr);
+		}
 		mpz_powm(one, this->yb, q, this->p);
 		mpz_clear(q);
 		if (mpz_cmp_ui(one, 1) == 0)
@@ -422,7 +129,8 @@ static void set_other_public_value(private_gmp_diffie_hellman_t *this, chunk_t v
 		}
 		else
 		{
-			DBG1("public DH value verification failed: y ^ q mod p != 1");
+			DBG1(DBG_LIB, "public DH value verification failed:"
+				 " y ^ q mod p != 1");
 		}
 		mpz_clear(one);
 #else
@@ -432,7 +140,8 @@ static void set_other_public_value(private_gmp_diffie_hellman_t *this, chunk_t v
 	}
 	else
 	{
-		DBG1("public DH value verification failed: y < 2 || y > p - 1 ");
+		DBG1(DBG_LIB, "public DH value verification failed:"
+			 " y < 2 || y > p - 1 ");
 	}
 	mpz_clear(p_min_1);
 }
@@ -476,32 +185,6 @@ static diffie_hellman_group_t get_dh_group(private_gmp_diffie_hellman_t *this)
 	return this->group;
 }
 
-/**
- * Lookup the modulus in modulo table
- */
-static status_t set_modulus(private_gmp_diffie_hellman_t *this)
-{
-	int i;
-	status_t status = NOT_FOUND;
-
-	for (i = 0; i < (sizeof(modulus_entries) / sizeof(modulus_entry_t)); i++)
-	{
-		if (modulus_entries[i].group == this->group)
-		{
-			chunk_t chunk;
-			chunk.ptr = modulus_entries[i].modulus;
-			chunk.len = modulus_entries[i].modulus_len;
-			mpz_import(this->p, chunk.len, 1, 1, 1, 0, chunk.ptr);
-			this->p_len = chunk.len;
-			this->opt_exponent_len = modulus_entries[i].opt_exponent_len;
-			mpz_set_ui(this->g, modulus_entries[i].generator);
-			status = SUCCESS;
-			break;
-		}
-	}
-	return status;
-}
-
 /**
  * Implementation of gmp_diffie_hellman_t.destroy.
  */
@@ -521,11 +204,18 @@ static void destroy(private_gmp_diffie_hellman_t *this)
  */
 gmp_diffie_hellman_t *gmp_diffie_hellman_create(diffie_hellman_group_t group)
 {
-	private_gmp_diffie_hellman_t *this = malloc_thing(private_gmp_diffie_hellman_t);
+	private_gmp_diffie_hellman_t *this;
+	diffie_hellman_params_t *params;
 	rng_t *rng;
 	chunk_t random;
-	bool ansi_x9_42;
-	size_t exponent_len;
+
+	params = diffie_hellman_get_params(group);
+	if (!params)
+	{
+		return NULL;
+	}
+
+	this = malloc_thing(private_gmp_diffie_hellman_t);
 
 	/* public functions */
 	this->public.dh.get_shared_secret = (status_t (*)(diffie_hellman_t *, chunk_t *)) get_shared_secret;
@@ -544,35 +234,31 @@ gmp_diffie_hellman_t *gmp_diffie_hellman_create(diffie_hellman_group_t group)
 	mpz_init(this->g);
 
 	this->computed = FALSE;
+	this->p_len = params->prime.len;
+	mpz_import(this->p, params->prime.len, 1, 1, 1, 0, params->prime.ptr);
+	mpz_import(this->g, params->generator.len, 1, 1, 1, 0, params->generator.ptr);
 
-	/* find a modulus according to group */
-	if (set_modulus(this) != SUCCESS)
-	{
-		destroy(this);
-		return NULL;
-	}
 	rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
 	if (!rng)
 	{
-		DBG1("no RNG found for quality %N", rng_quality_names, RNG_STRONG);
+		DBG1(DBG_LIB, "no RNG found for quality %N", rng_quality_names,
+			 RNG_STRONG);
 		destroy(this);
 		return NULL;
 	}
 
-	ansi_x9_42 = lib->settings->get_int(lib->settings,
-					 "libstrongswan.dh_exponent_ansi_x9_42", TRUE);
-	exponent_len = (ansi_x9_42) ? this->p_len : this->opt_exponent_len;
-	rng->allocate_bytes(rng, exponent_len, &random);
+	rng->allocate_bytes(rng, params->exp_len, &random);
 	rng->destroy(rng);
 
-	if (ansi_x9_42)
+	if (params->exp_len == this->p_len)
 	{
 		/* achieve bitsof(p)-1 by setting MSB to 0 */
 		*random.ptr &= 0x7F;
 	}
 	mpz_import(this->xa, random.len, 1, 1, 1, 0, random.ptr);
 	chunk_free(&random);
-	DBG2("size of DH secret exponent: %u bits", mpz_sizeinbase(this->xa, 2));
+	DBG2(DBG_LIB, "size of DH secret exponent: %u bits",
+		 mpz_sizeinbase(this->xa, 2));
 
 	mpz_powm(this->ya, this->g, this->xa, this->p);
 
diff --git a/src/libstrongswan/plugins/gmp/gmp_plugin.c b/src/libstrongswan/plugins/gmp/gmp_plugin.c
index b70ff881c..fbce9732f 100644
--- a/src/libstrongswan/plugins/gmp/gmp_plugin.c
+++ b/src/libstrongswan/plugins/gmp/gmp_plugin.c
@@ -52,7 +52,7 @@ static void destroy(private_gmp_plugin_t *this)
 /*
  * see header file
  */
-plugin_t *plugin_create()
+plugin_t *gmp_plugin_create()
 {
 	private_gmp_plugin_t *this = malloc_thing(private_gmp_plugin_t);
 
@@ -60,6 +60,10 @@ plugin_t *plugin_create()
 
 	lib->crypto->add_dh(lib->crypto, MODP_2048_BIT,
 						(dh_constructor_t)gmp_diffie_hellman_create);
+	lib->crypto->add_dh(lib->crypto, MODP_2048_224,
+						(dh_constructor_t)gmp_diffie_hellman_create);
+	lib->crypto->add_dh(lib->crypto, MODP_2048_256,
+						(dh_constructor_t)gmp_diffie_hellman_create);
 	lib->crypto->add_dh(lib->crypto, MODP_1536_BIT,
 						(dh_constructor_t)gmp_diffie_hellman_create);
 	lib->crypto->add_dh(lib->crypto, MODP_3072_BIT,
@@ -72,6 +76,8 @@ plugin_t *plugin_create()
 						(dh_constructor_t)gmp_diffie_hellman_create);
 	lib->crypto->add_dh(lib->crypto, MODP_1024_BIT,
 						(dh_constructor_t)gmp_diffie_hellman_create);
+	lib->crypto->add_dh(lib->crypto, MODP_1024_160,
+						(dh_constructor_t)gmp_diffie_hellman_create);
 	lib->crypto->add_dh(lib->crypto, MODP_768_BIT,
 						(dh_constructor_t)gmp_diffie_hellman_create);
 
diff --git a/src/libstrongswan/plugins/gmp/gmp_plugin.h b/src/libstrongswan/plugins/gmp/gmp_plugin.h
index 77d53965d..e4a87c8e2 100644
--- a/src/libstrongswan/plugins/gmp/gmp_plugin.h
+++ b/src/libstrongswan/plugins/gmp/gmp_plugin.h
@@ -39,9 +39,4 @@ struct gmp_plugin_t {
 	plugin_t plugin;
 };
 
-/**
- * Create a gmp_plugin instance.
- */
-plugin_t *plugin_create();
-
 #endif /** GMP_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c
index 1829bd459..f70b0b545 100644
--- a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c
+++ b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c
@@ -27,6 +27,11 @@
 #include <asn1/asn1.h>
 #include <asn1/asn1_parser.h>
 
+#ifdef HAVE_MPZ_POWM_SEC
+# undef mpz_powm
+# define mpz_powm mpz_powm_sec
+#endif
+
 /**
  *  Public exponent to use for key generation.
  */
@@ -136,7 +141,8 @@ static status_t compute_prime(private_gmp_rsa_private_key_t *this,
 	rng = lib->crypto->create_rng(lib->crypto, RNG_TRUE);
 	if (!rng)
 	{
-		DBG1("no RNG of quality %N found", rng_quality_names, RNG_TRUE);
+		DBG1(DBG_LIB, "no RNG of quality %N found", rng_quality_names,
+			 RNG_TRUE);
 		return FAILED;
 	}
 
@@ -144,8 +150,8 @@ static status_t compute_prime(private_gmp_rsa_private_key_t *this,
 	do
 	{
 		rng->allocate_bytes(rng, prime_size, &random_bytes);
-		/* make sure most significant bit is set */
-		random_bytes.ptr[0] = random_bytes.ptr[0] | 0x80;
+		/* make sure the two most significant bits are set */
+		random_bytes.ptr[0] = random_bytes.ptr[0] | 0xC0;
 
 		mpz_import(*prime, random_bytes.len, 1, 1, 1, 0, random_bytes.ptr);
 		mpz_nextprime (*prime, *prime);
@@ -243,7 +249,8 @@ static bool build_emsa_pkcs1_signature(private_gmp_rsa_private_key_t *this,
 	if (data.len > this->k - 3)
 	{
 		free(digestInfo.ptr);
-		DBG1("unable to sign %d bytes using a %dbit key", data.len, this->k * 8);
+		DBG1(DBG_LIB, "unable to sign %d bytes using a %dbit key", data.len,
+			 this->k * 8);
 		return FALSE;
 	}
 
@@ -304,7 +311,7 @@ static bool sign(private_gmp_rsa_private_key_t *this, signature_scheme_t scheme,
 		case SIGN_RSA_EMSA_PKCS1_MD5:
 			return build_emsa_pkcs1_signature(this, HASH_MD5, data, signature);
 		default:
-			DBG1("signature scheme %N not supported in RSA",
+			DBG1(DBG_LIB, "signature scheme %N not supported in RSA",
 				 signature_scheme_names, scheme);
 			return FALSE;
 	}
@@ -327,7 +334,7 @@ static bool decrypt(private_gmp_rsa_private_key_t *this, chunk_t crypto,
 	/* check for hex pattern 00 02 in decrypted message */
 	if ((*stripped.ptr++ != 0x00) || (*(stripped.ptr++) != 0x02))
 	{
-		DBG1("incorrect padding - probably wrong rsa key");
+		DBG1(DBG_LIB, "incorrect padding - probably wrong rsa key");
 		goto end;
 	}
 	stripped.len -= 2;
@@ -337,7 +344,7 @@ static bool decrypt(private_gmp_rsa_private_key_t *this, chunk_t crypto,
 
 	if (stripped.len == 0)
 	{
-		DBG1("no plaintext data");
+		DBG1(DBG_LIB, "no plaintext data");
 		goto end;
 	}
 
@@ -494,14 +501,14 @@ static status_t check(private_gmp_rsa_private_key_t *this)
 	 */
 	if (this->k < 512 / BITS_PER_BYTE)
 	{
-		DBG1("key shorter than 512 bits");
+		DBG1(DBG_LIB, "key shorter than 512 bits");
 		return FAILED;
 	}
 
 	/* we picked a max modulus size to simplify buffer allocation */
 	if (this->k > 8192 / BITS_PER_BYTE)
 	{
-		DBG1("key larger than 8192 bits");
+		DBG1(DBG_LIB, "key larger than 8192 bits");
 		return FAILED;
 	}
 
@@ -575,7 +582,7 @@ static status_t check(private_gmp_rsa_private_key_t *this)
 	mpz_clear_sensitive(q1);
 	if (status != SUCCESS)
 	{
-		DBG1("key integrity tests failed");
+		DBG1(DBG_LIB, "key integrity tests failed");
 	}
 	return status;
 }
@@ -664,7 +671,7 @@ gmp_rsa_private_key_t *gmp_rsa_private_key_gen(key_type_t type, va_list args)
 
 	mpz_mul(n, p, q);						/* n = p*q */
 	mpz_init_set_ui(e, PUBLIC_EXPONENT);	/* assign public exponent */
-	mpz_init_set(m, p); 					/* m = p */
+	mpz_init_set(m, p);					/* m = p */
 	mpz_sub_ui(m, m, 1);					/* m = m -1 */
 	mpz_init_set(q1, q);					/* q1 = q */
 	mpz_sub_ui(q1, q1, 1);					/* q1 = q1 -1 */
diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
index 5fea69131..98dbb1922 100644
--- a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
+++ b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
@@ -28,6 +28,11 @@
 #include <asn1/asn1_parser.h>
 #include <crypto/hashers/hasher.h>
 
+#ifdef HAVE_MPZ_POWM_SEC
+# undef mpz_powm
+# define mpz_powm mpz_powm_sec
+#endif
+
 typedef struct private_gmp_rsa_public_key_t private_gmp_rsa_public_key_t;
 
 /**
@@ -178,8 +183,8 @@ static bool verify_emsa_pkcs1_signature(private_gmp_rsa_public_key_t *this,
 	{   /* IKEv1 signatures without digestInfo */
 		if (em.len != data.len)
 		{
-			DBG1("hash size in signature is %u bytes instead of %u bytes",
-				 em.len, data.len);
+			DBG1(DBG_LIB, "hash size in signature is %u bytes instead of"
+				 " %u bytes", em.len, data.len);
 			goto end;
 		}
 		success = memeq(em.ptr, data.ptr, data.len);
@@ -191,7 +196,7 @@ static bool verify_emsa_pkcs1_signature(private_gmp_rsa_public_key_t *this,
 		int objectID;
 		hash_algorithm_t hash_algorithm = HASH_UNKNOWN;
 
-		DBG2("signature verification:");
+		DBG2(DBG_LIB, "signature verification:");
 		parser = asn1_parser_create(digestInfoObjects, em);
 
 		while (parser->iterate(parser, &objectID, &object))
@@ -202,7 +207,8 @@ static bool verify_emsa_pkcs1_signature(private_gmp_rsa_public_key_t *this,
 				{
 					if (em.len > object.len)
 					{
-						DBG1("digestInfo field in signature is followed by %u surplus bytes",
+						DBG1(DBG_LIB, "digestInfo field in signature is"
+							 " followed by %u surplus bytes",
 							 em.len - object.len);
 						goto end_parser;
 					}
@@ -216,8 +222,8 @@ static bool verify_emsa_pkcs1_signature(private_gmp_rsa_public_key_t *this,
 					hash_algorithm = hasher_algorithm_from_oid(hash_oid);
 					if (hash_algorithm == HASH_UNKNOWN || hash_algorithm != algorithm)
 					{
-						DBG1("expected hash algorithm %N, but found %N (OID: %#B)",
-							 hash_algorithm_names, algorithm,
+						DBG1(DBG_LIB, "expected hash algorithm %N, but found"
+							 " %N (OID: %#B)", hash_algorithm_names, algorithm,
 							 hash_algorithm_names, hash_algorithm,  &object);
 						goto end_parser;
 					}
@@ -231,15 +237,16 @@ static bool verify_emsa_pkcs1_signature(private_gmp_rsa_public_key_t *this,
 					hasher = lib->crypto->create_hasher(lib->crypto, hash_algorithm);
 					if (hasher == NULL)
 					{
-						DBG1("hash algorithm %N not supported",
+						DBG1(DBG_LIB, "hash algorithm %N not supported",
 							 hash_algorithm_names, hash_algorithm);
 						goto end_parser;
 					}
 
 					if (object.len != hasher->get_hash_size(hasher))
 					{
-						DBG1("hash size in signature is %u bytes instead of %u "
-							 "bytes", object.len, hasher->get_hash_size(hasher));
+						DBG1(DBG_LIB, "hash size in signature is %u bytes"
+							 " instead of %u bytes", object.len,
+							 hasher->get_hash_size(hasher));
 						hasher->destroy(hasher);
 						goto end_parser;
 					}
@@ -297,7 +304,7 @@ static bool verify(private_gmp_rsa_public_key_t *this, signature_scheme_t scheme
 		case SIGN_RSA_EMSA_PKCS1_SHA512:
 			return verify_emsa_pkcs1_signature(this, HASH_SHA512, data, signature);
 		default:
-			DBG1("signature scheme %N not supported in RSA",
+			DBG1(DBG_LIB, "signature scheme %N not supported in RSA",
 				 signature_scheme_names, scheme);
 			return FALSE;
 	}
@@ -319,7 +326,7 @@ static bool encrypt_(private_gmp_rsa_public_key_t *this, chunk_t plain,
 	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
 	if (rng == NULL)
 	{
-		DBG1("no random generator available");
+		DBG1(DBG_LIB, "no random generator available");
 		return FALSE;
 	}
 
@@ -327,13 +334,14 @@ static bool encrypt_(private_gmp_rsa_public_key_t *this, chunk_t plain,
 	padding = this->k - plain.len - 3;
 	if (padding < MIN_PS_PADDING)
 	{
-		DBG1("pseudo-random padding must be at least %d octets", MIN_PS_PADDING);
+		DBG1(DBG_LIB, "pseudo-random padding must be at least %d octets",
+			 MIN_PS_PADDING);
 		return FALSE;
 	}
 
 	/* padding according to PKCS#1 7.2.1 (RSAES-PKCS1-v1.5-ENCRYPT) */
-	DBG2("padding %u bytes of data to the rsa modulus size of %u bytes",
-		 plain.len, this->k);
+	DBG2(DBG_LIB, "padding %u bytes of data to the rsa modulus size of"
+		 " %u bytes", plain.len, this->k);
 	em.len = this->k;
 	em.ptr = malloc(em.len);
 	pos = em.ptr;
@@ -359,11 +367,11 @@ static bool encrypt_(private_gmp_rsa_public_key_t *this, chunk_t plain,
 
 	/* now add the data */
 	memcpy(pos, plain.ptr, plain.len);
-	DBG3("padded data before rsa encryption: %B", &em);
+	DBG3(DBG_LIB, "padded data before rsa encryption: %B", &em);
 
 	/* rsa encryption using PKCS#1 RSAEP */
 	*crypto = rsaep(this, em);
-	DBG3("rsa encrypted data: %B", crypto);
+	DBG3(DBG_LIB, "rsa encrypted data: %B", crypto);
 	chunk_clear(&em);
 	return TRUE;
 }
diff --git a/src/libstrongswan/plugins/hmac/Makefile.am b/src/libstrongswan/plugins/hmac/Makefile.am
index 1856cad2d..77aa0ffd1 100644
--- a/src/libstrongswan/plugins/hmac/Makefile.am
+++ b/src/libstrongswan/plugins/hmac/Makefile.am
@@ -3,9 +3,14 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan
 
 AM_CFLAGS = -rdynamic
 
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-hmac.la
+else
 plugin_LTLIBRARIES = libstrongswan-hmac.la
+endif
 
-libstrongswan_hmac_la_SOURCES = hmac_plugin.h hmac_plugin.c hmac.h hmac.c \
+libstrongswan_hmac_la_SOURCES = \
+	hmac_plugin.h hmac_plugin.c hmac.h hmac.c \
 	hmac_prf.h hmac_prf.c hmac_signer.h hmac_signer.c
-libstrongswan_hmac_la_LDFLAGS = -module -avoid-version
 
+libstrongswan_hmac_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/hmac/Makefile.in b/src/libstrongswan/plugins/hmac/Makefile.in
index 7dc8269a4..c965f7392 100644
--- a/src/libstrongswan/plugins/hmac/Makefile.in
+++ b/src/libstrongswan/plugins/hmac/Makefile.in
@@ -72,7 +72,7 @@ am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__installdirs = "$(DESTDIR)$(plugindir)"
-LTLIBRARIES = $(plugin_LTLIBRARIES)
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_hmac_la_LIBADD =
 am_libstrongswan_hmac_la_OBJECTS = hmac_plugin.lo hmac.lo hmac_prf.lo \
 	hmac_signer.lo
@@ -80,6 +80,8 @@ libstrongswan_hmac_la_OBJECTS = $(am_libstrongswan_hmac_la_OBJECTS)
 libstrongswan_hmac_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
 	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
 	$(libstrongswan_hmac_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_hmac_la_rpath = -rpath $(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_hmac_la_rpath =
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
@@ -218,6 +220,7 @@ ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libhydra_plugins = @libhydra_plugins@
 libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
@@ -254,8 +257,10 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
 AM_CFLAGS = -rdynamic
-plugin_LTLIBRARIES = libstrongswan-hmac.la
-libstrongswan_hmac_la_SOURCES = hmac_plugin.h hmac_plugin.c hmac.h hmac.c \
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-hmac.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-hmac.la
+libstrongswan_hmac_la_SOURCES = \
+	hmac_plugin.h hmac_plugin.c hmac.h hmac.c \
 	hmac_prf.h hmac_prf.c hmac_signer.h hmac_signer.c
 
 libstrongswan_hmac_la_LDFLAGS = -module -avoid-version
@@ -293,6 +298,15 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
 	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
@@ -325,7 +339,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-hmac.la: $(libstrongswan_hmac_la_OBJECTS) $(libstrongswan_hmac_la_DEPENDENCIES) 
-	$(libstrongswan_hmac_la_LINK) -rpath $(plugindir) $(libstrongswan_hmac_la_OBJECTS) $(libstrongswan_hmac_la_LIBADD) $(LIBS)
+	$(libstrongswan_hmac_la_LINK) $(am_libstrongswan_hmac_la_rpath) $(libstrongswan_hmac_la_OBJECTS) $(libstrongswan_hmac_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -481,8 +495,8 @@ maintainer-clean-generic:
 	@echo "it deletes files that may require special tools to rebuild."
 clean: clean-am
 
-clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
-	mostlyclean-am
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
 
 distclean: distclean-am
 	-rm -rf ./$(DEPDIR)
@@ -553,18 +567,19 @@ uninstall-am: uninstall-pluginLTLIBRARIES
 .MAKE: install-am install-strip
 
 .PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
-	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
-	distclean-compile distclean-generic distclean-libtool \
-	distclean-tags distdir dvi dvi-am html html-am info info-am \
-	install install-am install-data install-data-am install-dvi \
-	install-dvi-am install-exec install-exec-am install-html \
-	install-html-am install-info install-info-am install-man \
-	install-pdf install-pdf-am install-pluginLTLIBRARIES \
-	install-ps install-ps-am install-strip installcheck \
-	installcheck-am installdirs maintainer-clean \
-	maintainer-clean-generic mostlyclean mostlyclean-compile \
-	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
 
 
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
diff --git a/src/libstrongswan/plugins/hmac/hmac_plugin.c b/src/libstrongswan/plugins/hmac/hmac_plugin.c
index 94332ee36..e6b9f7a74 100644
--- a/src/libstrongswan/plugins/hmac/hmac_plugin.c
+++ b/src/libstrongswan/plugins/hmac/hmac_plugin.c
@@ -47,7 +47,7 @@ static void destroy(private_hmac_plugin_t *this)
 /*
  * see header file
  */
-plugin_t *plugin_create()
+plugin_t *hmac_plugin_create()
 {
 	private_hmac_plugin_t *this = malloc_thing(private_hmac_plugin_t);
 
diff --git a/src/libstrongswan/plugins/hmac/hmac_plugin.h b/src/libstrongswan/plugins/hmac/hmac_plugin.h
index 5c3afa7d6..03d1d1cf9 100644
--- a/src/libstrongswan/plugins/hmac/hmac_plugin.h
+++ b/src/libstrongswan/plugins/hmac/hmac_plugin.h
@@ -39,9 +39,4 @@ struct hmac_plugin_t {
 	plugin_t plugin;
 };
 
-/**
- * Create a hmac_plugin instance.
- */
-plugin_t *plugin_create();
-
 #endif /** HMAC_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/ldap/Makefile.am b/src/libstrongswan/plugins/ldap/Makefile.am
index 6ad073d97..2b2f7d31d 100644
--- a/src/libstrongswan/plugins/ldap/Makefile.am
+++ b/src/libstrongswan/plugins/ldap/Makefile.am
@@ -3,9 +3,14 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan
 
 AM_CFLAGS = -rdynamic
 
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-ldap.la
+else
 plugin_LTLIBRARIES = libstrongswan-ldap.la
+endif
+
+libstrongswan_ldap_la_SOURCES = \
+	ldap_plugin.h ldap_plugin.c ldap_fetcher.h ldap_fetcher.c
 
-libstrongswan_ldap_la_SOURCES = ldap_plugin.h ldap_plugin.c ldap_fetcher.h ldap_fetcher.c
 libstrongswan_ldap_la_LDFLAGS = -module -avoid-version
 libstrongswan_ldap_la_LIBADD  = -lldap -llber
-
diff --git a/src/libstrongswan/plugins/ldap/Makefile.in b/src/libstrongswan/plugins/ldap/Makefile.in
index d9ebb0147..3b69f082f 100644
--- a/src/libstrongswan/plugins/ldap/Makefile.in
+++ b/src/libstrongswan/plugins/ldap/Makefile.in
@@ -72,13 +72,15 @@ am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__installdirs = "$(DESTDIR)$(plugindir)"
-LTLIBRARIES = $(plugin_LTLIBRARIES)
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_ldap_la_DEPENDENCIES =
 am_libstrongswan_ldap_la_OBJECTS = ldap_plugin.lo ldap_fetcher.lo
 libstrongswan_ldap_la_OBJECTS = $(am_libstrongswan_ldap_la_OBJECTS)
 libstrongswan_ldap_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
 	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
 	$(libstrongswan_ldap_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_ldap_la_rpath = -rpath $(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_ldap_la_rpath =
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
@@ -217,6 +219,7 @@ ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libhydra_plugins = @libhydra_plugins@
 libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
@@ -253,8 +256,11 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
 AM_CFLAGS = -rdynamic
-plugin_LTLIBRARIES = libstrongswan-ldap.la
-libstrongswan_ldap_la_SOURCES = ldap_plugin.h ldap_plugin.c ldap_fetcher.h ldap_fetcher.c
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-ldap.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-ldap.la
+libstrongswan_ldap_la_SOURCES = \
+	ldap_plugin.h ldap_plugin.c ldap_fetcher.h ldap_fetcher.c
+
 libstrongswan_ldap_la_LDFLAGS = -module -avoid-version
 libstrongswan_ldap_la_LIBADD = -lldap -llber
 all: all-am
@@ -291,6 +297,15 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
 	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
@@ -323,7 +338,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-ldap.la: $(libstrongswan_ldap_la_OBJECTS) $(libstrongswan_ldap_la_DEPENDENCIES) 
-	$(libstrongswan_ldap_la_LINK) -rpath $(plugindir) $(libstrongswan_ldap_la_OBJECTS) $(libstrongswan_ldap_la_LIBADD) $(LIBS)
+	$(libstrongswan_ldap_la_LINK) $(am_libstrongswan_ldap_la_rpath) $(libstrongswan_ldap_la_OBJECTS) $(libstrongswan_ldap_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -477,8 +492,8 @@ maintainer-clean-generic:
 	@echo "it deletes files that may require special tools to rebuild."
 clean: clean-am
 
-clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
-	mostlyclean-am
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
 
 distclean: distclean-am
 	-rm -rf ./$(DEPDIR)
@@ -549,18 +564,19 @@ uninstall-am: uninstall-pluginLTLIBRARIES
 .MAKE: install-am install-strip
 
 .PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
-	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
-	distclean-compile distclean-generic distclean-libtool \
-	distclean-tags distdir dvi dvi-am html html-am info info-am \
-	install install-am install-data install-data-am install-dvi \
-	install-dvi-am install-exec install-exec-am install-html \
-	install-html-am install-info install-info-am install-man \
-	install-pdf install-pdf-am install-pluginLTLIBRARIES \
-	install-ps install-ps-am install-strip installcheck \
-	installcheck-am installdirs maintainer-clean \
-	maintainer-clean-generic mostlyclean mostlyclean-compile \
-	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
 
 
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
diff --git a/src/libstrongswan/plugins/ldap/ldap_fetcher.c b/src/libstrongswan/plugins/ldap/ldap_fetcher.c
index ce5b7d56b..59e655cd5 100644
--- a/src/libstrongswan/plugins/ldap/ldap_fetcher.c
+++ b/src/libstrongswan/plugins/ldap/ldap_fetcher.c
@@ -73,27 +73,27 @@ static bool parse(LDAP *ldap, LDAPMessage *result, chunk_t *response)
 				}
 				else
 				{
-					DBG1("LDAP response contains no values");
+					DBG1(DBG_LIB, "LDAP response contains no values");
 				}
 				ldap_value_free_len(values);
 			}
 			else
 			{
-				DBG1("getting LDAP values failed: %s",
+				DBG1(DBG_LIB, "getting LDAP values failed: %s",
 					 ldap_err2string(ldap_result2error(ldap, entry, 0)));
 			}
 			ldap_memfree(attr);
 		}
 		else
 		{
-			DBG1("finding LDAP attributes failed: %s",
+			DBG1(DBG_LIB, "finding LDAP attributes failed: %s",
 				 ldap_err2string(ldap_result2error(ldap, entry, 0)));
 		}
 		ber_free(ber, 0);
 	}
 	else
 	{
-		DBG1("finding first LDAP entry failed: %s",
+		DBG1(DBG_LIB, "finding first LDAP entry failed: %s",
 			 ldap_err2string(ldap_result2error(ldap, entry, 0)));
 	}
 	return success;
@@ -122,7 +122,7 @@ static status_t fetch(private_ldap_fetcher_t *this, char *url,
 	ldap = ldap_init(lurl->lud_host, lurl->lud_port);
 	if (ldap == NULL)
 	{
-		DBG1("LDAP initialization failed: %s", strerror(errno));
+		DBG1(DBG_LIB, "LDAP initialization failed: %s", strerror(errno));
 		ldap_free_urldesc(lurl);
 		return FAILED;
 	}
@@ -133,7 +133,7 @@ static status_t fetch(private_ldap_fetcher_t *this, char *url,
 	ldap_set_option(ldap, LDAP_OPT_PROTOCOL_VERSION, &ldap_version);
 	ldap_set_option(ldap, LDAP_OPT_NETWORK_TIMEOUT, &timeout);
 
-	DBG2("sending LDAP request to '%s'...", url);
+	DBG2(DBG_LIB, "sending LDAP request to '%s'...", url);
 
 	res = ldap_simple_bind_s(ldap, NULL, NULL);
 	if (res == LDAP_SUCCESS)
@@ -152,12 +152,13 @@ static status_t fetch(private_ldap_fetcher_t *this, char *url,
 		}
 		else
 		{
-			DBG1("LDAP search failed: %s", ldap_err2string(res));
+			DBG1(DBG_LIB, "LDAP search failed: %s", ldap_err2string(res));
 		}
 	}
 	else
 	{
-		DBG1("LDAP bind to '%s' failed: %s", url, ldap_err2string(res));
+		DBG1(DBG_LIB, "LDAP bind to '%s' failed: %s", url,
+			 ldap_err2string(res));
 	}
 	ldap_unbind_s(ldap);
 	ldap_free_urldesc(lurl);
diff --git a/src/libstrongswan/plugins/ldap/ldap_plugin.c b/src/libstrongswan/plugins/ldap/ldap_plugin.c
index a31308bbf..372ac9f93 100644
--- a/src/libstrongswan/plugins/ldap/ldap_plugin.c
+++ b/src/libstrongswan/plugins/ldap/ldap_plugin.c
@@ -44,7 +44,7 @@ static void destroy(private_ldap_plugin_t *this)
 /*
  * see header file
  */
-plugin_t *plugin_create()
+plugin_t *ldap_plugin_create()
 {
 	private_ldap_plugin_t *this = malloc_thing(private_ldap_plugin_t);
 
diff --git a/src/libstrongswan/plugins/ldap/ldap_plugin.h b/src/libstrongswan/plugins/ldap/ldap_plugin.h
index de4ff3422..e4fcebaa3 100644
--- a/src/libstrongswan/plugins/ldap/ldap_plugin.h
+++ b/src/libstrongswan/plugins/ldap/ldap_plugin.h
@@ -39,9 +39,4 @@ struct ldap_plugin_t {
 	plugin_t plugin;
 };
 
-/**
- * Create a ldap_plugin instance.
- */
-plugin_t *plugin_create();
-
 #endif /** LDAP_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/md4/Makefile.am b/src/libstrongswan/plugins/md4/Makefile.am
index a47da2e8e..904af70c0 100644
--- a/src/libstrongswan/plugins/md4/Makefile.am
+++ b/src/libstrongswan/plugins/md4/Makefile.am
@@ -3,8 +3,13 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan
 
 AM_CFLAGS = -rdynamic
 
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-md4.la
+else
 plugin_LTLIBRARIES = libstrongswan-md4.la
+endif
 
-libstrongswan_md4_la_SOURCES = md4_plugin.h md4_plugin.c md4_hasher.c md4_hasher.h
-libstrongswan_md4_la_LDFLAGS = -module -avoid-version
+libstrongswan_md4_la_SOURCES = \
+	md4_plugin.h md4_plugin.c md4_hasher.c md4_hasher.h
 
+libstrongswan_md4_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/md4/Makefile.in b/src/libstrongswan/plugins/md4/Makefile.in
index 6014ddcf8..cb3307bbc 100644
--- a/src/libstrongswan/plugins/md4/Makefile.in
+++ b/src/libstrongswan/plugins/md4/Makefile.in
@@ -72,13 +72,15 @@ am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__installdirs = "$(DESTDIR)$(plugindir)"
-LTLIBRARIES = $(plugin_LTLIBRARIES)
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_md4_la_LIBADD =
 am_libstrongswan_md4_la_OBJECTS = md4_plugin.lo md4_hasher.lo
 libstrongswan_md4_la_OBJECTS = $(am_libstrongswan_md4_la_OBJECTS)
 libstrongswan_md4_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
 	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
 	$(libstrongswan_md4_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_md4_la_rpath = -rpath $(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_md4_la_rpath =
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
@@ -217,6 +219,7 @@ ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libhydra_plugins = @libhydra_plugins@
 libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
@@ -253,8 +256,11 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
 AM_CFLAGS = -rdynamic
-plugin_LTLIBRARIES = libstrongswan-md4.la
-libstrongswan_md4_la_SOURCES = md4_plugin.h md4_plugin.c md4_hasher.c md4_hasher.h
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-md4.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-md4.la
+libstrongswan_md4_la_SOURCES = \
+	md4_plugin.h md4_plugin.c md4_hasher.c md4_hasher.h
+
 libstrongswan_md4_la_LDFLAGS = -module -avoid-version
 all: all-am
 
@@ -290,6 +296,15 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
 	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
@@ -322,7 +337,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-md4.la: $(libstrongswan_md4_la_OBJECTS) $(libstrongswan_md4_la_DEPENDENCIES) 
-	$(libstrongswan_md4_la_LINK) -rpath $(plugindir) $(libstrongswan_md4_la_OBJECTS) $(libstrongswan_md4_la_LIBADD) $(LIBS)
+	$(libstrongswan_md4_la_LINK) $(am_libstrongswan_md4_la_rpath) $(libstrongswan_md4_la_OBJECTS) $(libstrongswan_md4_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -476,8 +491,8 @@ maintainer-clean-generic:
 	@echo "it deletes files that may require special tools to rebuild."
 clean: clean-am
 
-clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
-	mostlyclean-am
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
 
 distclean: distclean-am
 	-rm -rf ./$(DEPDIR)
@@ -548,18 +563,19 @@ uninstall-am: uninstall-pluginLTLIBRARIES
 .MAKE: install-am install-strip
 
 .PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
-	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
-	distclean-compile distclean-generic distclean-libtool \
-	distclean-tags distdir dvi dvi-am html html-am info info-am \
-	install install-am install-data install-data-am install-dvi \
-	install-dvi-am install-exec install-exec-am install-html \
-	install-html-am install-info install-info-am install-man \
-	install-pdf install-pdf-am install-pluginLTLIBRARIES \
-	install-ps install-ps-am install-strip installcheck \
-	installcheck-am installdirs maintainer-clean \
-	maintainer-clean-generic mostlyclean mostlyclean-compile \
-	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
 
 
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
diff --git a/src/libstrongswan/plugins/md4/md4_plugin.c b/src/libstrongswan/plugins/md4/md4_plugin.c
index ba4041d2d..38ae0d4bc 100644
--- a/src/libstrongswan/plugins/md4/md4_plugin.c
+++ b/src/libstrongswan/plugins/md4/md4_plugin.c
@@ -44,7 +44,7 @@ static void destroy(private_md4_plugin_t *this)
 /*
  * see header file
  */
-plugin_t *plugin_create()
+plugin_t *md4_plugin_create()
 {
 	private_md4_plugin_t *this = malloc_thing(private_md4_plugin_t);
 
diff --git a/src/libstrongswan/plugins/md4/md4_plugin.h b/src/libstrongswan/plugins/md4/md4_plugin.h
index b13002d7b..9fde665e6 100644
--- a/src/libstrongswan/plugins/md4/md4_plugin.h
+++ b/src/libstrongswan/plugins/md4/md4_plugin.h
@@ -39,9 +39,4 @@ struct md4_plugin_t {
 	plugin_t plugin;
 };
 
-/**
- * Create a md4_plugin instance.
- */
-plugin_t *plugin_create();
-
 #endif /** MD4_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/md5/Makefile.am b/src/libstrongswan/plugins/md5/Makefile.am
index ce0611c13..b2eb2abd2 100644
--- a/src/libstrongswan/plugins/md5/Makefile.am
+++ b/src/libstrongswan/plugins/md5/Makefile.am
@@ -3,8 +3,13 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan
 
 AM_CFLAGS = -rdynamic
 
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-md5.la
+else
 plugin_LTLIBRARIES = libstrongswan-md5.la
+endif
 
-libstrongswan_md5_la_SOURCES = md5_plugin.h md5_plugin.c md5_hasher.c md5_hasher.h
-libstrongswan_md5_la_LDFLAGS = -module -avoid-version
+libstrongswan_md5_la_SOURCES = \
+	md5_plugin.h md5_plugin.c md5_hasher.c md5_hasher.h
 
+libstrongswan_md5_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/md5/Makefile.in b/src/libstrongswan/plugins/md5/Makefile.in
index fcb921316..8948ddcc5 100644
--- a/src/libstrongswan/plugins/md5/Makefile.in
+++ b/src/libstrongswan/plugins/md5/Makefile.in
@@ -72,13 +72,15 @@ am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__installdirs = "$(DESTDIR)$(plugindir)"
-LTLIBRARIES = $(plugin_LTLIBRARIES)
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_md5_la_LIBADD =
 am_libstrongswan_md5_la_OBJECTS = md5_plugin.lo md5_hasher.lo
 libstrongswan_md5_la_OBJECTS = $(am_libstrongswan_md5_la_OBJECTS)
 libstrongswan_md5_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
 	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
 	$(libstrongswan_md5_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_md5_la_rpath = -rpath $(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_md5_la_rpath =
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
@@ -217,6 +219,7 @@ ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libhydra_plugins = @libhydra_plugins@
 libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
@@ -253,8 +256,11 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
 AM_CFLAGS = -rdynamic
-plugin_LTLIBRARIES = libstrongswan-md5.la
-libstrongswan_md5_la_SOURCES = md5_plugin.h md5_plugin.c md5_hasher.c md5_hasher.h
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-md5.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-md5.la
+libstrongswan_md5_la_SOURCES = \
+	md5_plugin.h md5_plugin.c md5_hasher.c md5_hasher.h
+
 libstrongswan_md5_la_LDFLAGS = -module -avoid-version
 all: all-am
 
@@ -290,6 +296,15 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
 	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
@@ -322,7 +337,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-md5.la: $(libstrongswan_md5_la_OBJECTS) $(libstrongswan_md5_la_DEPENDENCIES) 
-	$(libstrongswan_md5_la_LINK) -rpath $(plugindir) $(libstrongswan_md5_la_OBJECTS) $(libstrongswan_md5_la_LIBADD) $(LIBS)
+	$(libstrongswan_md5_la_LINK) $(am_libstrongswan_md5_la_rpath) $(libstrongswan_md5_la_OBJECTS) $(libstrongswan_md5_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -476,8 +491,8 @@ maintainer-clean-generic:
 	@echo "it deletes files that may require special tools to rebuild."
 clean: clean-am
 
-clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
-	mostlyclean-am
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
 
 distclean: distclean-am
 	-rm -rf ./$(DEPDIR)
@@ -548,18 +563,19 @@ uninstall-am: uninstall-pluginLTLIBRARIES
 .MAKE: install-am install-strip
 
 .PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
-	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
-	distclean-compile distclean-generic distclean-libtool \
-	distclean-tags distdir dvi dvi-am html html-am info info-am \
-	install install-am install-data install-data-am install-dvi \
-	install-dvi-am install-exec install-exec-am install-html \
-	install-html-am install-info install-info-am install-man \
-	install-pdf install-pdf-am install-pluginLTLIBRARIES \
-	install-ps install-ps-am install-strip installcheck \
-	installcheck-am installdirs maintainer-clean \
-	maintainer-clean-generic mostlyclean mostlyclean-compile \
-	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
 
 
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
diff --git a/src/libstrongswan/plugins/md5/md5_plugin.c b/src/libstrongswan/plugins/md5/md5_plugin.c
index 7592c20df..cfbf6acea 100644
--- a/src/libstrongswan/plugins/md5/md5_plugin.c
+++ b/src/libstrongswan/plugins/md5/md5_plugin.c
@@ -44,7 +44,7 @@ static void destroy(private_md5_plugin_t *this)
 /*
  * see header file
  */
-plugin_t *plugin_create()
+plugin_t *md5_plugin_create()
 {
 	private_md5_plugin_t *this = malloc_thing(private_md5_plugin_t);
 
diff --git a/src/libstrongswan/plugins/md5/md5_plugin.h b/src/libstrongswan/plugins/md5/md5_plugin.h
index 057689ad3..c4ca619dc 100644
--- a/src/libstrongswan/plugins/md5/md5_plugin.h
+++ b/src/libstrongswan/plugins/md5/md5_plugin.h
@@ -39,9 +39,4 @@ struct md5_plugin_t {
 	plugin_t plugin;
 };
 
-/**
- * Create a md5_plugin instance.
- */
-plugin_t *plugin_create();
-
 #endif /** MD5_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/mysql/Makefile.am b/src/libstrongswan/plugins/mysql/Makefile.am
index c64481fd5..801a7a7be 100644
--- a/src/libstrongswan/plugins/mysql/Makefile.am
+++ b/src/libstrongswan/plugins/mysql/Makefile.am
@@ -3,10 +3,16 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan
 
 AM_CFLAGS = -rdynamic $(MYSQLCFLAG)
 
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-mysql.la
+else
 plugin_LTLIBRARIES = libstrongswan-mysql.la
+endif
 
-libstrongswan_mysql_la_SOURCES = mysql_plugin.h mysql_plugin.c  \
+libstrongswan_mysql_la_SOURCES = \
+	mysql_plugin.h mysql_plugin.c  \
 	mysql_database.h mysql_database.c
+
 libstrongswan_mysql_la_LDFLAGS = -module -avoid-version
-libstrongswan_mysql_la_LIBADD = $(MYSQLLIB)
+libstrongswan_mysql_la_LIBADD  = $(MYSQLLIB)
 
diff --git a/src/libstrongswan/plugins/mysql/Makefile.in b/src/libstrongswan/plugins/mysql/Makefile.in
index dc56940d2..1a97c620e 100644
--- a/src/libstrongswan/plugins/mysql/Makefile.in
+++ b/src/libstrongswan/plugins/mysql/Makefile.in
@@ -72,7 +72,7 @@ am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__installdirs = "$(DESTDIR)$(plugindir)"
-LTLIBRARIES = $(plugin_LTLIBRARIES)
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 am__DEPENDENCIES_1 =
 libstrongswan_mysql_la_DEPENDENCIES = $(am__DEPENDENCIES_1)
 am_libstrongswan_mysql_la_OBJECTS = mysql_plugin.lo mysql_database.lo
@@ -80,6 +80,9 @@ libstrongswan_mysql_la_OBJECTS = $(am_libstrongswan_mysql_la_OBJECTS)
 libstrongswan_mysql_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
 	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
 	$(libstrongswan_mysql_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_mysql_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_mysql_la_rpath =
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
@@ -218,6 +221,7 @@ ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libhydra_plugins = @libhydra_plugins@
 libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
@@ -254,8 +258,10 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
 AM_CFLAGS = -rdynamic $(MYSQLCFLAG)
-plugin_LTLIBRARIES = libstrongswan-mysql.la
-libstrongswan_mysql_la_SOURCES = mysql_plugin.h mysql_plugin.c  \
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-mysql.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-mysql.la
+libstrongswan_mysql_la_SOURCES = \
+	mysql_plugin.h mysql_plugin.c  \
 	mysql_database.h mysql_database.c
 
 libstrongswan_mysql_la_LDFLAGS = -module -avoid-version
@@ -294,6 +300,15 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
 	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
@@ -326,7 +341,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-mysql.la: $(libstrongswan_mysql_la_OBJECTS) $(libstrongswan_mysql_la_DEPENDENCIES) 
-	$(libstrongswan_mysql_la_LINK) -rpath $(plugindir) $(libstrongswan_mysql_la_OBJECTS) $(libstrongswan_mysql_la_LIBADD) $(LIBS)
+	$(libstrongswan_mysql_la_LINK) $(am_libstrongswan_mysql_la_rpath) $(libstrongswan_mysql_la_OBJECTS) $(libstrongswan_mysql_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -480,8 +495,8 @@ maintainer-clean-generic:
 	@echo "it deletes files that may require special tools to rebuild."
 clean: clean-am
 
-clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
-	mostlyclean-am
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
 
 distclean: distclean-am
 	-rm -rf ./$(DEPDIR)
@@ -552,18 +567,19 @@ uninstall-am: uninstall-pluginLTLIBRARIES
 .MAKE: install-am install-strip
 
 .PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
-	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
-	distclean-compile distclean-generic distclean-libtool \
-	distclean-tags distdir dvi dvi-am html html-am info info-am \
-	install install-am install-data install-data-am install-dvi \
-	install-dvi-am install-exec install-exec-am install-html \
-	install-html-am install-info install-info-am install-man \
-	install-pdf install-pdf-am install-pluginLTLIBRARIES \
-	install-ps install-ps-am install-strip installcheck \
-	installcheck-am installdirs maintainer-clean \
-	maintainer-clean-generic mostlyclean mostlyclean-compile \
-	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
 
 
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
diff --git a/src/libstrongswan/plugins/mysql/mysql_database.c b/src/libstrongswan/plugins/mysql/mysql_database.c
index 2338428f2..8005b9149 100644
--- a/src/libstrongswan/plugins/mysql/mysql_database.c
+++ b/src/libstrongswan/plugins/mysql/mysql_database.c
@@ -203,7 +203,7 @@ static conn_t *conn_get(private_mysql_database_t *this)
 								this->password, this->database, this->port,
 								NULL, 0))
 		{
-			DBG1("connecting to mysql://%s:***@%s:%d/%s failed: %s",
+			DBG1(DBG_LIB, "connecting to mysql://%s:***@%s:%d/%s failed: %s",
 				 this->username, this->host, this->port, this->database,
 				 mysql_error(found->mysql));
 			conn_destroy(found);
@@ -213,7 +213,7 @@ static conn_t *conn_get(private_mysql_database_t *this)
 		{
 			this->mutex->lock(this->mutex);
 			this->pool->insert_last(this->pool, found);
-			DBG2("increased MySQL connection pool size to %d",
+			DBG2(DBG_LIB, "increased MySQL connection pool size to %d",
 				 this->pool->get_count(this->pool));
 			this->mutex->unlock(this->mutex);
 		}
@@ -232,12 +232,14 @@ static MYSQL_STMT* run(MYSQL *mysql, char *sql, va_list *args)
 	stmt = mysql_stmt_init(mysql);
 	if (stmt == NULL)
 	{
-		DBG1("creating MySQL statement failed: %s", mysql_error(mysql));
+		DBG1(DBG_LIB, "creating MySQL statement failed: %s",
+			 mysql_error(mysql));
 		return NULL;
 	}
 	if (mysql_stmt_prepare(stmt, sql, strlen(sql)))
 	{
-		DBG1("preparing MySQL statement failed: %s", mysql_stmt_error(stmt));
+		DBG1(DBG_LIB, "preparing MySQL statement failed: %s",
+			 mysql_stmt_error(stmt));
 		mysql_stmt_close(stmt);
 		return NULL;
 	}
@@ -303,21 +305,23 @@ static MYSQL_STMT* run(MYSQL *mysql, char *sql, va_list *args)
 					break;
 				}
 				default:
-					DBG1("invalid data type supplied");
+					DBG1(DBG_LIB, "invalid data type supplied");
 					mysql_stmt_close(stmt);
 					return NULL;
 			}
 		}
 		if (mysql_stmt_bind_param(stmt, bind))
 		{
-			DBG1("binding MySQL param failed: %s", mysql_stmt_error(stmt));
+			DBG1(DBG_LIB, "binding MySQL param failed: %s",
+				 mysql_stmt_error(stmt));
 			mysql_stmt_close(stmt);
 			return NULL;
 		}
 	}
 	if (mysql_stmt_execute(stmt))
 	{
-		DBG1("executing MySQL statement failed: %s", mysql_stmt_error(stmt));
+		DBG1(DBG_LIB, "executing MySQL statement failed: %s",
+			 mysql_stmt_error(stmt));
 		mysql_stmt_close(stmt);
 		return NULL;
 	}
@@ -413,7 +417,8 @@ static bool mysql_enumerator_enumerate(mysql_enumerator_t *this, ...)
 		case MYSQL_NO_DATA:
 			return FALSE;
 		default:
-			DBG1("fetching MySQL row failed: %s", mysql_stmt_error(this->stmt));
+			DBG1(DBG_LIB, "fetching MySQL row failed: %s",
+				 mysql_stmt_error(this->stmt));
 			return FALSE;
 	}
 
@@ -536,7 +541,7 @@ static enumerator_t* query(private_mysql_database_t *this, char *sql, ...)
 					break;
 				}
 				default:
-					DBG1("invalid result data type supplied");
+					DBG1(DBG_LIB, "invalid result data type supplied");
 					mysql_enumerator_destroy(enumerator);
 					va_end(args);
 					return NULL;
@@ -544,7 +549,8 @@ static enumerator_t* query(private_mysql_database_t *this, char *sql, ...)
 		}
 		if (mysql_stmt_bind_result(stmt, enumerator->bind))
 		{
-			DBG1("binding MySQL result failed: %s", mysql_stmt_error(stmt));
+			DBG1(DBG_LIB, "binding MySQL result failed: %s",
+				 mysql_stmt_error(stmt));
 			mysql_enumerator_destroy(enumerator);
 			enumerator = NULL;
 		}
@@ -653,7 +659,7 @@ static bool parse_uri(private_mysql_database_t *this, char *uri)
 			}
 		}
 	}
-	DBG1("parsing MySQL database uri '%s' failed", uri);
+	DBG1(DBG_LIB, "parsing MySQL database uri '%s' failed", uri);
 	return FALSE;
 }
 
diff --git a/src/libstrongswan/plugins/mysql/mysql_plugin.c b/src/libstrongswan/plugins/mysql/mysql_plugin.c
index 0e64bbc3d..a13aa8091 100644
--- a/src/libstrongswan/plugins/mysql/mysql_plugin.c
+++ b/src/libstrongswan/plugins/mysql/mysql_plugin.c
@@ -46,13 +46,13 @@ static void destroy(private_mysql_plugin_t *this)
 /*
  * see header file
  */
-plugin_t *plugin_create()
+plugin_t *mysql_plugin_create()
 {
 	private_mysql_plugin_t *this;
 
 	if (!mysql_database_init())
 	{
-		DBG1("MySQL client library initialization failed");
+		DBG1(DBG_LIB, "MySQL client library initialization failed");
 		return NULL;
 	}
 
diff --git a/src/libstrongswan/plugins/mysql/mysql_plugin.h b/src/libstrongswan/plugins/mysql/mysql_plugin.h
index fa53c2b7a..d1f21870c 100644
--- a/src/libstrongswan/plugins/mysql/mysql_plugin.h
+++ b/src/libstrongswan/plugins/mysql/mysql_plugin.h
@@ -39,9 +39,4 @@ struct mysql_plugin_t {
 	plugin_t plugin;
 };
 
-/**
- * Create a mysql_plugin instance.
- */
-plugin_t *plugin_create();
-
 #endif /** MYSQL_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/openssl/Makefile.am b/src/libstrongswan/plugins/openssl/Makefile.am
index 25cc5aa1d..a50799798 100644
--- a/src/libstrongswan/plugins/openssl/Makefile.am
+++ b/src/libstrongswan/plugins/openssl/Makefile.am
@@ -3,12 +3,18 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan
 
 AM_CFLAGS = -rdynamic
 
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-openssl.la
+else
 plugin_LTLIBRARIES = libstrongswan-openssl.la
+endif
 
-libstrongswan_openssl_la_SOURCES = openssl_plugin.h openssl_plugin.c \
+libstrongswan_openssl_la_SOURCES = \
+	openssl_plugin.h openssl_plugin.c \
 	openssl_util.c openssl_util.h \
 	openssl_crypter.c openssl_crypter.h \
 	openssl_hasher.c openssl_hasher.h \
+	openssl_sha1_prf.c openssl_sha1_prf.h \
 	openssl_diffie_hellman.c openssl_diffie_hellman.h \
 	openssl_rsa_private_key.c openssl_rsa_private_key.h \
 	openssl_rsa_public_key.c openssl_rsa_public_key.h \
diff --git a/src/libstrongswan/plugins/openssl/Makefile.in b/src/libstrongswan/plugins/openssl/Makefile.in
index aa8ecf06c..a2a931d42 100644
--- a/src/libstrongswan/plugins/openssl/Makefile.in
+++ b/src/libstrongswan/plugins/openssl/Makefile.in
@@ -72,18 +72,22 @@ am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__installdirs = "$(DESTDIR)$(plugindir)"
-LTLIBRARIES = $(plugin_LTLIBRARIES)
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_openssl_la_DEPENDENCIES =
 am_libstrongswan_openssl_la_OBJECTS = openssl_plugin.lo \
 	openssl_util.lo openssl_crypter.lo openssl_hasher.lo \
-	openssl_diffie_hellman.lo openssl_rsa_private_key.lo \
-	openssl_rsa_public_key.lo openssl_ec_diffie_hellman.lo \
-	openssl_ec_private_key.lo openssl_ec_public_key.lo
+	openssl_sha1_prf.lo openssl_diffie_hellman.lo \
+	openssl_rsa_private_key.lo openssl_rsa_public_key.lo \
+	openssl_ec_diffie_hellman.lo openssl_ec_private_key.lo \
+	openssl_ec_public_key.lo
 libstrongswan_openssl_la_OBJECTS =  \
 	$(am_libstrongswan_openssl_la_OBJECTS)
 libstrongswan_openssl_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
 	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
 	$(libstrongswan_openssl_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_openssl_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_openssl_la_rpath =
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
@@ -222,6 +226,7 @@ ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libhydra_plugins = @libhydra_plugins@
 libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
@@ -258,11 +263,14 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
 AM_CFLAGS = -rdynamic
-plugin_LTLIBRARIES = libstrongswan-openssl.la
-libstrongswan_openssl_la_SOURCES = openssl_plugin.h openssl_plugin.c \
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-openssl.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-openssl.la
+libstrongswan_openssl_la_SOURCES = \
+	openssl_plugin.h openssl_plugin.c \
 	openssl_util.c openssl_util.h \
 	openssl_crypter.c openssl_crypter.h \
 	openssl_hasher.c openssl_hasher.h \
+	openssl_sha1_prf.c openssl_sha1_prf.h \
 	openssl_diffie_hellman.c openssl_diffie_hellman.h \
 	openssl_rsa_private_key.c openssl_rsa_private_key.h \
 	openssl_rsa_public_key.c openssl_rsa_public_key.h \
@@ -306,6 +314,15 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
 	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
@@ -338,7 +355,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-openssl.la: $(libstrongswan_openssl_la_OBJECTS) $(libstrongswan_openssl_la_DEPENDENCIES) 
-	$(libstrongswan_openssl_la_LINK) -rpath $(plugindir) $(libstrongswan_openssl_la_OBJECTS) $(libstrongswan_openssl_la_LIBADD) $(LIBS)
+	$(libstrongswan_openssl_la_LINK) $(am_libstrongswan_openssl_la_rpath) $(libstrongswan_openssl_la_OBJECTS) $(libstrongswan_openssl_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -355,6 +372,7 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_plugin.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_rsa_private_key.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_rsa_public_key.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_sha1_prf.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_util.Plo@am__quote@
 
 .c.o:
@@ -500,8 +518,8 @@ maintainer-clean-generic:
 	@echo "it deletes files that may require special tools to rebuild."
 clean: clean-am
 
-clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
-	mostlyclean-am
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
 
 distclean: distclean-am
 	-rm -rf ./$(DEPDIR)
@@ -572,18 +590,19 @@ uninstall-am: uninstall-pluginLTLIBRARIES
 .MAKE: install-am install-strip
 
 .PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
-	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
-	distclean-compile distclean-generic distclean-libtool \
-	distclean-tags distdir dvi dvi-am html html-am info info-am \
-	install install-am install-data install-data-am install-dvi \
-	install-dvi-am install-exec install-exec-am install-html \
-	install-html-am install-info install-info-am install-man \
-	install-pdf install-pdf-am install-pluginLTLIBRARIES \
-	install-ps install-ps-am install-strip installcheck \
-	installcheck-am installdirs maintainer-clean \
-	maintainer-clean-generic mostlyclean mostlyclean-compile \
-	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
 
 
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
diff --git a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c
index 80a1ee878..9a032c54f 100644
--- a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c
+++ b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2008-2010 Tobias Brunner
  * Copyright (C) 2008 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -20,47 +20,6 @@
 
 #include <debug.h>
 
-typedef struct modulus_entry_t modulus_entry_t;
-
-/**
- * Entry of the modulus list.
- */
-struct modulus_entry_t {
-	/**
-	 * Group number as it is defined in file transform_substructure.h.
-	 */
-	diffie_hellman_group_t group;
-
-	/**
-	 * Pointer to the function to get the modulus.
-	 */
-	BIGNUM *(*get_prime)(BIGNUM *bn);
-
-	/*
-	 * Optimum length of exponent in bits.
-	 */
-	long opt_exponent_len;
-
-	/*
-	 * Generator value.
-	 */
-	u_int16_t generator;
-};
-
-/**
- * All supported modulus values - optimum exponent size according to RFC 3526.
- */
-static modulus_entry_t modulus_entries[] = {
-	{MODP_768_BIT,  get_rfc2409_prime_768,  256, 2},
-	{MODP_1024_BIT, get_rfc2409_prime_1024, 256, 2},
-	{MODP_1536_BIT, get_rfc3526_prime_1536, 256, 2},
-	{MODP_2048_BIT, get_rfc3526_prime_2048, 384, 2},
-	{MODP_3072_BIT, get_rfc3526_prime_3072, 384, 2},
-	{MODP_4096_BIT, get_rfc3526_prime_4096, 512, 2},
-	{MODP_6144_BIT, get_rfc3526_prime_6144, 512, 2},
-	{MODP_8192_BIT, get_rfc3526_prime_8192, 512, 2},
-};
-
 typedef struct private_openssl_diffie_hellman_t private_openssl_diffie_hellman_t;
 
 /**
@@ -125,7 +84,6 @@ static status_t get_shared_secret(private_openssl_diffie_hellman_t *this,
 	memset(secret->ptr, 0, secret->len);
 	memcpy(secret->ptr + secret->len - this->shared_secret.len,
 		   this->shared_secret.ptr, this->shared_secret.len);
-
 	return SUCCESS;
 }
 
@@ -145,7 +103,7 @@ static void set_other_public_value(private_openssl_diffie_hellman_t *this,
 	len = DH_compute_key(this->shared_secret.ptr, this->pub_key, this->dh);
 	if (len < 0)
 	{
-		DBG1("DH shared secret computation failed");
+		DBG1(DBG_LIB, "DH shared secret computation failed");
 		return;
 	}
 	this->shared_secret.len = len;
@@ -165,27 +123,18 @@ static diffie_hellman_group_t get_dh_group(private_openssl_diffie_hellman_t *thi
  */
 static status_t set_modulus(private_openssl_diffie_hellman_t *this)
 {
-	int i;
-	bool ansi_x9_42;
-
-	ansi_x9_42 = lib->settings->get_bool(lib->settings,
-										 "libstrongswan.dh_exponent_ansi_x9_42", TRUE);
-
-	for (i = 0; i < (sizeof(modulus_entries) / sizeof(modulus_entry_t)); i++)
+	diffie_hellman_params_t *params = diffie_hellman_get_params(this->group);
+	if (!params)
 	{
-		if (modulus_entries[i].group == this->group)
-		{
-			this->dh->p = modulus_entries[i].get_prime(NULL);
-			this->dh->g = BN_new();
-			BN_set_word(this->dh->g, modulus_entries[i].generator);
-			if (!ansi_x9_42)
-			{
-				this->dh->length = modulus_entries[i].opt_exponent_len;
-			}
-			return SUCCESS;
-		}
+		return NOT_FOUND;
 	}
-	return NOT_FOUND;
+	this->dh->p = BN_bin2bn(params->prime.ptr, params->prime.len, NULL);
+	this->dh->g = BN_bin2bn(params->generator.ptr, params->generator.len, NULL);
+	if (params->exp_len != params->prime.len)
+	{
+		this->dh->length = params->exp_len * 8;
+	}
+	return SUCCESS;
 }
 
 /**
@@ -237,7 +186,8 @@ openssl_diffie_hellman_t *openssl_diffie_hellman_create(diffie_hellman_group_t g
 		destroy(this);
 		return NULL;
 	}
-	DBG2("size of DH secret exponent: %d bits", BN_num_bits(this->dh->priv_key));
+	DBG2(DBG_LIB, "size of DH secret exponent: %d bits",
+		 BN_num_bits(this->dh->priv_key));
 
 	return &this->public;
 }
diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
index 671fa41e2..faec411cd 100644
--- a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
+++ b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
@@ -212,14 +212,14 @@ static void set_other_public_value(private_openssl_ec_diffie_hellman_t *this, ch
 {
 	if (!chunk2ecp(this->ec_group, value, this->pub_key))
 	{
-		DBG1("ECDH public value is malformed");
+		DBG1(DBG_LIB, "ECDH public value is malformed");
 		return;
 	}
 
 	chunk_free(&this->shared_secret);
 
 	if (!compute_shared_key(this, &this->shared_secret)) {
-		DBG1("ECDH shared secret computation failed");
+		DBG1(DBG_LIB, "ECDH shared secret computation failed");
 		return;
 	}
 
diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c b/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c
index 89ced5a9a..bdcfda974 100644
--- a/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c
@@ -84,14 +84,14 @@ static bool build_curve_signature(private_openssl_ec_private_key_t *this,
 	req_group = EC_GROUP_new_by_curve_name(nid_curve);
 	if (!req_group)
 	{
-		DBG1("signature scheme %N not supported in EC (required curve "
+		DBG1(DBG_LIB, "signature scheme %N not supported in EC (required curve "
 			 "not supported)", signature_scheme_names, scheme);
 		return FALSE;
 	}
 	my_group = EC_KEY_get0_group(this->ec);
 	if (EC_GROUP_cmp(my_group, req_group, NULL) != 0)
 	{
-		DBG1("signature scheme %N not supported by private key",
+		DBG1(DBG_LIB, "signature scheme %N not supported by private key",
 			 signature_scheme_names, scheme);
 		return FALSE;
 	}
@@ -162,7 +162,7 @@ static bool sign(private_openssl_ec_private_key_t *this,
 			return build_curve_signature(this, scheme, NID_sha512,
 										 NID_secp521r1, data, signature);
 		default:
-			DBG1("signature scheme %N not supported",
+			DBG1(DBG_LIB, "signature scheme %N not supported",
 				 signature_scheme_names, scheme);
 			return FALSE;
 	}
@@ -174,7 +174,7 @@ static bool sign(private_openssl_ec_private_key_t *this,
 static bool decrypt(private_openssl_ec_private_key_t *this,
 					chunk_t crypto, chunk_t *plain)
 {
-	DBG1("EC private key decryption not implemented");
+	DBG1(DBG_LIB, "EC private key decryption not implemented");
 	return FALSE;
 }
 
@@ -233,11 +233,24 @@ static bool get_encoding(private_openssl_ec_private_key_t *this,
 	switch (type)
 	{
 		case KEY_PRIV_ASN1_DER:
+		case KEY_PRIV_PEM:
 		{
+			bool success = TRUE;
+
 			*encoding = chunk_alloc(i2d_ECPrivateKey(this->ec, NULL));
 			p = encoding->ptr;
 			i2d_ECPrivateKey(this->ec, &p);
-			return TRUE;
+
+			if (type == KEY_PRIV_PEM)
+			{
+				chunk_t asn1_encoding = *encoding;
+
+				success = lib->encoding->encode(lib->encoding, KEY_PRIV_PEM,
+								NULL, encoding, KEY_PART_ECDSA_PRIV_ASN1_DER,
+								asn1_encoding, KEY_PART_END);
+				chunk_clear(&asn1_encoding);
+			}
+			return success;
 		}
 		default:
 			return FALSE;
@@ -335,13 +348,13 @@ openssl_ec_private_key_t *openssl_ec_private_key_gen(key_type_t type,
 			this->ec = EC_KEY_new_by_curve_name(NID_secp521r1);
 			break;
 		default:
-			DBG1("EC private key size %d not supported", key_size);
+			DBG1(DBG_LIB, "EC private key size %d not supported", key_size);
 			destroy(this);
 			return NULL;
 	}
 	if (EC_KEY_generate_key(this->ec) != 1)
 	{
-		DBG1("EC private key generation failed", key_size);
+		DBG1(DBG_LIB, "EC private key generation failed", key_size);
 		destroy(this);
 		return NULL;
 	}
diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c b/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c
index f37c736b1..790a8487d 100644
--- a/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c
@@ -82,14 +82,14 @@ static bool verify_curve_signature(private_openssl_ec_public_key_t *this,
 	req_group = EC_GROUP_new_by_curve_name(nid_curve);
 	if (!req_group)
 	{
-		DBG1("signature scheme %N not supported in EC (required curve "
+		DBG1(DBG_LIB, "signature scheme %N not supported in EC (required curve "
 			 "not supported)", signature_scheme_names, scheme);
 		return FALSE;
 	}
 	my_group = EC_KEY_get0_group(this->ec);
 	if (EC_GROUP_cmp(my_group, req_group, NULL) != 0)
 	{
-		DBG1("signature scheme %N not supported by private key",
+		DBG1(DBG_LIB, "signature scheme %N not supported by private key",
 			 signature_scheme_names, scheme);
 		return FALSE;
 	}
@@ -162,7 +162,7 @@ static bool verify(private_openssl_ec_public_key_t *this,
 			return verify_curve_signature(this, scheme, NID_sha512,
 										  NID_secp521r1, data, signature);
 		default:
-			DBG1("signature scheme %N not supported in EC",
+			DBG1(DBG_LIB, "signature scheme %N not supported in EC",
 				 signature_scheme_names, scheme);
 			return FALSE;
 	}
@@ -174,7 +174,7 @@ static bool verify(private_openssl_ec_public_key_t *this,
 static bool encrypt_(private_openssl_ec_public_key_t *this,
 					 chunk_t crypto, chunk_t *plain)
 {
-	DBG1("EC public key encryption not implemented");
+	DBG1(DBG_LIB, "EC public key encryption not implemented");
 	return FALSE;
 }
 
@@ -217,7 +217,7 @@ bool openssl_ec_fingerprint(EC_KEY *ec, key_encoding_type_t type, chunk_t *fp)
 	hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
 	if (!hasher)
 	{
-		DBG1("SHA1 hash algorithm not supported, fingerprinting failed");
+		DBG1(DBG_LIB, "SHA1 hash algorithm not supported, fingerprinting failed");
 		free(key.ptr);
 		return FALSE;
 	}
@@ -248,11 +248,24 @@ static bool get_encoding(private_openssl_ec_public_key_t *this,
 	switch (type)
 	{
 		case KEY_PUB_SPKI_ASN1_DER:
+		case KEY_PUB_PEM:
 		{
+			bool success = TRUE;
+
 			*encoding = chunk_alloc(i2d_EC_PUBKEY(this->ec, NULL));
 			p = encoding->ptr;
 			i2d_EC_PUBKEY(this->ec, &p);
-			return TRUE;
+
+			if (type == KEY_PUB_PEM)
+			{
+				chunk_t asn1_encoding = *encoding;
+
+				success = lib->encoding->encode(lib->encoding, KEY_PUB_PEM,
+								NULL, encoding, KEY_PART_ECDSA_PUB_ASN1_DER,
+								asn1_encoding, KEY_PART_END);
+				chunk_clear(&asn1_encoding);
+			}
+			return success;
 		}
 		default:
 			return FALSE;
diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c
index 548a76bb4..c1545ffb8 100644
--- a/src/libstrongswan/plugins/openssl/openssl_plugin.c
+++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c
@@ -27,6 +27,7 @@
 #include "openssl_util.h"
 #include "openssl_crypter.h"
 #include "openssl_hasher.h"
+#include "openssl_sha1_prf.h"
 #include "openssl_diffie_hellman.h"
 #include "openssl_ec_diffie_hellman.h"
 #include "openssl_rsa_private_key.h"
@@ -170,6 +171,8 @@ static void destroy(private_openssl_plugin_t *this)
 					(crypter_constructor_t)openssl_crypter_create);
 	lib->crypto->remove_hasher(lib->crypto,
 					(hasher_constructor_t)openssl_hasher_create);
+	lib->crypto->remove_prf(lib->crypto,
+					(prf_constructor_t)openssl_sha1_prf_create);
 	lib->crypto->remove_dh(lib->crypto,
 					(dh_constructor_t)openssl_diffie_hellman_create);
 	lib->crypto->remove_dh(lib->crypto,
@@ -201,7 +204,7 @@ static void destroy(private_openssl_plugin_t *this)
 /*
  * see header file
  */
-plugin_t *plugin_create()
+plugin_t *openssl_plugin_create()
 {
 	private_openssl_plugin_t *this = malloc_thing(private_openssl_plugin_t);
 
@@ -256,9 +259,17 @@ plugin_t *plugin_create()
 	lib->crypto->add_hasher(lib->crypto, HASH_SHA512,
 					(hasher_constructor_t)openssl_hasher_create);
 
+	/* prf */
+	lib->crypto->add_prf(lib->crypto, PRF_KEYED_SHA1,
+					(prf_constructor_t)openssl_sha1_prf_create);
+
 	/* (ec) diffie hellman */
 	lib->crypto->add_dh(lib->crypto, MODP_2048_BIT,
 						(dh_constructor_t)openssl_diffie_hellman_create);
+	lib->crypto->add_dh(lib->crypto, MODP_2048_224,
+						(dh_constructor_t)openssl_diffie_hellman_create);
+	lib->crypto->add_dh(lib->crypto, MODP_2048_256,
+						(dh_constructor_t)openssl_diffie_hellman_create);
 	lib->crypto->add_dh(lib->crypto, MODP_1536_BIT,
 						(dh_constructor_t)openssl_diffie_hellman_create);
 	lib->crypto->add_dh(lib->crypto, ECP_256_BIT,
@@ -281,6 +292,8 @@ plugin_t *plugin_create()
 						(dh_constructor_t)openssl_diffie_hellman_create);
 	lib->crypto->add_dh(lib->crypto, MODP_1024_BIT,
 						(dh_constructor_t)openssl_diffie_hellman_create);
+	lib->crypto->add_dh(lib->crypto, MODP_1024_160,
+						(dh_constructor_t)openssl_diffie_hellman_create);
 	lib->crypto->add_dh(lib->crypto, MODP_768_BIT,
 						(dh_constructor_t)openssl_diffie_hellman_create);
 
diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.h b/src/libstrongswan/plugins/openssl/openssl_plugin.h
index 9f422c9d0..0762c37b9 100644
--- a/src/libstrongswan/plugins/openssl/openssl_plugin.h
+++ b/src/libstrongswan/plugins/openssl/openssl_plugin.h
@@ -39,9 +39,4 @@ struct openssl_plugin_t {
 	plugin_t plugin;
 };
 
-/**
- * Create a openssl_plugin instance.
- */
-plugin_t *plugin_create();
-
 #endif /** OPENSSL_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
index 078f889a6..de751fe89 100644
--- a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
@@ -160,7 +160,7 @@ static bool sign(private_openssl_rsa_private_key_t *this, signature_scheme_t sch
 		case SIGN_RSA_EMSA_PKCS1_MD5:
 			return build_emsa_pkcs1_signature(this, NID_md5, data, signature);
 		default:
-			DBG1("signature scheme %N not supported in RSA",
+			DBG1(DBG_LIB, "signature scheme %N not supported in RSA",
 				 signature_scheme_names, scheme);
 			return FALSE;
 	}
@@ -172,7 +172,7 @@ static bool sign(private_openssl_rsa_private_key_t *this, signature_scheme_t sch
 static bool decrypt(private_openssl_rsa_private_key_t *this,
 					chunk_t crypto, chunk_t *plain)
 {
-	DBG1("RSA private key decryption not implemented");
+	DBG1(DBG_LIB, "RSA private key decryption not implemented");
 	return FALSE;
 }
 
@@ -226,11 +226,24 @@ static bool get_encoding(private_openssl_rsa_private_key_t *this,
 	switch (type)
 	{
 		case KEY_PRIV_ASN1_DER:
+		case KEY_PRIV_PEM:
 		{
+			bool success = TRUE;
+
 			*encoding = chunk_alloc(i2d_RSAPrivateKey(this->rsa, NULL));
 			p = encoding->ptr;
 			i2d_RSAPrivateKey(this->rsa, &p);
-			return TRUE;
+
+			if (type == KEY_PRIV_PEM)
+			{
+				chunk_t asn1_encoding = *encoding;
+
+				success = lib->encoding->encode(lib->encoding, KEY_PRIV_PEM,
+								NULL, encoding, KEY_PART_RSA_PRIV_ASN1_DER,
+								asn1_encoding, KEY_PART_END);
+				chunk_clear(&asn1_encoding);
+			}
+			return success;
 		}
 		default:
 			return FALSE;
@@ -296,6 +309,8 @@ openssl_rsa_private_key_t *openssl_rsa_private_key_gen(key_type_t type,
 {
 	private_openssl_rsa_private_key_t *this;
 	u_int key_size = 0;
+	RSA *rsa = NULL;
+	BIGNUM *e = NULL;
 
 	while (TRUE)
 	{
@@ -315,10 +330,31 @@ openssl_rsa_private_key_t *openssl_rsa_private_key_gen(key_type_t type,
 	{
 		return NULL;
 	}
+	e = BN_new();
+	if (!e || !BN_set_word(e, PUBLIC_EXPONENT))
+	{
+		goto error;
+	}
+	rsa = RSA_new();
+	if (!rsa || !RSA_generate_key_ex(rsa, key_size, e, NULL))
+	{
+		goto error;
+	}
 	this = create_empty();
-	this->rsa = RSA_generate_key(key_size, PUBLIC_EXPONENT, NULL, NULL);
-
+	this->rsa = rsa;
+	BN_free(e);
 	return &this->public;
+
+error:
+	if (e)
+	{
+		BN_free(e);
+	}
+	if (rsa)
+	{
+		RSA_free(rsa);
+	}
+	return NULL;
 }
 
 /**
@@ -440,22 +476,22 @@ openssl_rsa_private_key_t *openssl_rsa_private_key_connect(key_type_t type,
 	}
 
 	engine_id = lib->settings->get_str(lib->settings,
-								"library.plugins.openssl.engine_id", "pkcs11");
+						"libstrongswan.plugins.openssl.engine_id", "pkcs11");
 	engine = ENGINE_by_id(engine_id);
 	if (!engine)
 	{
-		DBG1("engine '%s' is not available", engine_id);
+		DBG1(DBG_LIB, "engine '%s' is not available", engine_id);
 		return NULL;
 	}
 	if (!ENGINE_init(engine))
 	{
-		DBG1("failed to initialize engine '%s'", engine_id);
+		DBG1(DBG_LIB, "failed to initialize engine '%s'", engine_id);
 		ENGINE_free(engine);
 		return NULL;
 	}
 	if (!ENGINE_ctrl_cmd_string(engine, "PIN", pin, 0))
 	{
-		DBG1("failed to set PIN on engine '%s'", engine_id);
+		DBG1(DBG_LIB, "failed to set PIN on engine '%s'", engine_id);
 		ENGINE_free(engine);
 		return NULL;
 	}
@@ -463,8 +499,8 @@ openssl_rsa_private_key_t *openssl_rsa_private_key_connect(key_type_t type,
 	key = ENGINE_load_private_key(engine, keyid, NULL, NULL);
 	if (!key)
 	{
-		DBG1("failed to load private key with ID '%s' from engine '%s'",
-			 keyid, engine_id);
+		DBG1(DBG_LIB, "failed to load private key with ID '%s' from "
+			 "engine '%s'", keyid, engine_id);
 		ENGINE_free(engine);
 		return NULL;
 	}
diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
index 422262b19..ffa575a97 100644
--- a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
@@ -145,7 +145,7 @@ static bool verify(private_openssl_rsa_public_key_t *this, signature_scheme_t sc
 		case SIGN_RSA_EMSA_PKCS1_MD5:
 			return verify_emsa_pkcs1_signature(this, NID_md5, data, signature);
 		default:
-			DBG1("signature scheme %N not supported in RSA",
+			DBG1(DBG_LIB, "signature scheme %N not supported in RSA",
 				 signature_scheme_names, scheme);
 			return FALSE;
 	}
@@ -157,7 +157,7 @@ static bool verify(private_openssl_rsa_public_key_t *this, signature_scheme_t sc
 static bool encrypt_(private_openssl_rsa_public_key_t *this,
 					 chunk_t crypto, chunk_t *plain)
 {
-	DBG1("RSA public key encryption not implemented");
+	DBG1(DBG_LIB, "RSA public key encryption not implemented");
 	return FALSE;
 }
 
@@ -200,7 +200,7 @@ bool openssl_rsa_fingerprint(RSA *rsa, key_encoding_type_t type, chunk_t *fp)
 	hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
 	if (!hasher)
 	{
-		DBG1("SHA1 hash algorithm not supported, fingerprinting failed");
+		DBG1(DBG_LIB, "SHA1 hash algorithm not supported, fingerprinting failed");
 		free(key.ptr);
 		return FALSE;
 	}
@@ -231,11 +231,24 @@ static bool get_encoding(private_openssl_rsa_public_key_t *this,
 	switch (type)
 	{
 		case KEY_PUB_SPKI_ASN1_DER:
+		case KEY_PUB_PEM:
 		{
+			bool success = TRUE;
+
 			*encoding = chunk_alloc(i2d_RSA_PUBKEY(this->rsa, NULL));
 			p = encoding->ptr;
 			i2d_RSA_PUBKEY(this->rsa, &p);
-			return TRUE;
+
+			if (type == KEY_PUB_PEM)
+			{
+				chunk_t asn1_encoding = *encoding;
+
+				success = lib->encoding->encode(lib->encoding, KEY_PUB_PEM,
+								NULL, encoding, KEY_PART_RSA_PUB_ASN1_DER,
+								asn1_encoding, KEY_PART_END);
+				chunk_clear(&asn1_encoding);
+			}
+			return success;
 		}
 		case KEY_PUB_ASN1_DER:
 		{
diff --git a/src/libstrongswan/plugins/openssl/openssl_sha1_prf.c b/src/libstrongswan/plugins/openssl/openssl_sha1_prf.c
new file mode 100644
index 000000000..b65388010
--- /dev/null
+++ b/src/libstrongswan/plugins/openssl/openssl_sha1_prf.c
@@ -0,0 +1,139 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "openssl_sha1_prf.h"
+
+#include <openssl/sha.h>
+
+typedef struct private_openssl_sha1_prf_t private_openssl_sha1_prf_t;
+
+/**
+ * Private data of an openssl_sha1_prf_t object.
+ */
+struct private_openssl_sha1_prf_t {
+
+	/**
+	 * Public openssl_sha1_prf_t interface.
+	 */
+	openssl_sha1_prf_t public;
+
+	/**
+	 * SHA1 context
+	 */
+	SHA_CTX ctx;
+};
+
+METHOD(prf_t, get_bytes, void,
+	private_openssl_sha1_prf_t *this, chunk_t seed, u_int8_t *bytes)
+{
+	SHA1_Update(&this->ctx, seed.ptr, seed.len);
+
+	if (bytes)
+	{
+		u_int32_t *hash = (u_int32_t*)bytes;
+
+		hash[0] = htonl(this->ctx.h0);
+		hash[1] = htonl(this->ctx.h1);
+		hash[2] = htonl(this->ctx.h2);
+		hash[3] = htonl(this->ctx.h3);
+		hash[4] = htonl(this->ctx.h4);
+	}
+}
+
+METHOD(prf_t, get_block_size, size_t,
+	private_openssl_sha1_prf_t *this)
+{
+	return HASH_SIZE_SHA1;
+}
+
+METHOD(prf_t, allocate_bytes, void,
+	private_openssl_sha1_prf_t *this, chunk_t seed, chunk_t *chunk)
+{
+	if (chunk)
+	{
+		*chunk = chunk_alloc(HASH_SIZE_SHA1);
+		get_bytes(this, seed, chunk->ptr);
+	}
+	else
+	{
+		get_bytes(this, seed, NULL);
+	}
+}
+
+METHOD(prf_t, get_key_size, size_t,
+	private_openssl_sha1_prf_t *this)
+{
+	return HASH_SIZE_SHA1;
+}
+
+METHOD(prf_t, set_key, void,
+	private_openssl_sha1_prf_t *this, chunk_t key)
+{
+	SHA1_Init(&this->ctx);
+
+	if (key.len >= 4)
+	{
+		this->ctx.h0 ^= untoh32(key.ptr);
+	}
+	if (key.len >= 8)
+	{
+		this->ctx.h1 ^= untoh32(key.ptr + 4);
+	}
+	if (key.len >= 12)
+	{
+		this->ctx.h2 ^= untoh32(key.ptr + 8);
+	}
+	if (key.len >= 16)
+	{
+		this->ctx.h3 ^= untoh32(key.ptr + 12);
+	}
+	if (key.len >= 20)
+	{
+		this->ctx.h4 ^= untoh32(key.ptr + 16);
+	}
+}
+
+METHOD(prf_t, destroy, void,
+	private_openssl_sha1_prf_t *this)
+{
+	free(this);
+}
+
+/**
+ * See header
+ */
+openssl_sha1_prf_t *openssl_sha1_prf_create(pseudo_random_function_t algo)
+{
+	private_openssl_sha1_prf_t *this;
+
+	if (algo != PRF_KEYED_SHA1)
+	{
+		return NULL;
+	}
+
+	INIT(this,
+		.public.prf = {
+			.get_block_size = _get_block_size,
+			.get_bytes = _get_bytes,
+			.allocate_bytes = _allocate_bytes,
+			.get_key_size = _get_key_size,
+			.set_key = _set_key,
+			.destroy = _destroy,
+		},
+	);
+
+	return &this->public;
+}
+
diff --git a/src/libstrongswan/plugins/openssl/openssl_sha1_prf.h b/src/libstrongswan/plugins/openssl/openssl_sha1_prf.h
new file mode 100644
index 000000000..9a24e7ee1
--- /dev/null
+++ b/src/libstrongswan/plugins/openssl/openssl_sha1_prf.h
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup openssl_sha1_prf openssl_sha1_prf
+ * @{ @ingroup sha1_p
+ */
+
+#ifndef OPENSSL_SHA1_PRF_H_
+#define OPENSSL_SHA1_PRF_H_
+
+typedef struct openssl_sha1_prf_t openssl_sha1_prf_t;
+
+#include <crypto/prfs/prf.h>
+
+/**
+ * Implementation of prf_t interface using keyed SHA1 algorithm as used
+ * in EAP-AKA/FIPS_PRF.
+ */
+struct openssl_sha1_prf_t {
+
+	/**
+	 * Implements prf_t interface.
+	 */
+	prf_t prf;
+};
+
+/**
+ * Creates a new openssl_sha1_prf_t.
+ *
+ * @param algo		algorithm, must be PRF_KEYED_SHA1
+ * @return			sha1_keyed_prf_tobject
+ */
+openssl_sha1_prf_t *openssl_sha1_prf_create(pseudo_random_function_t algo);
+
+#endif /** OPENSSL_SHA1_PRF_H_ @}*/
diff --git a/src/libstrongswan/plugins/padlock/Makefile.am b/src/libstrongswan/plugins/padlock/Makefile.am
index b2b1f9d85..6706d26cb 100644
--- a/src/libstrongswan/plugins/padlock/Makefile.am
+++ b/src/libstrongswan/plugins/padlock/Makefile.am
@@ -3,11 +3,16 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan
 
 AM_CFLAGS = -rdynamic
 
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-padlock.la
+else
 plugin_LTLIBRARIES = libstrongswan-padlock.la
+endif
 
-libstrongswan_padlock_la_SOURCES = padlock_plugin.h padlock_plugin.c \
+libstrongswan_padlock_la_SOURCES = \
+	padlock_plugin.h padlock_plugin.c \
 	padlock_aes_crypter.c padlock_aes_crypter.h \
 	padlock_sha1_hasher.c padlock_sha1_hasher.h \
 	padlock_rng.c padlock_rng.h
-libstrongswan_padlock_la_LDFLAGS = -module -avoid-version
 
+libstrongswan_padlock_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/padlock/Makefile.in b/src/libstrongswan/plugins/padlock/Makefile.in
index 59ea98799..84c2ef2fb 100644
--- a/src/libstrongswan/plugins/padlock/Makefile.in
+++ b/src/libstrongswan/plugins/padlock/Makefile.in
@@ -72,7 +72,7 @@ am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__installdirs = "$(DESTDIR)$(plugindir)"
-LTLIBRARIES = $(plugin_LTLIBRARIES)
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_padlock_la_LIBADD =
 am_libstrongswan_padlock_la_OBJECTS = padlock_plugin.lo \
 	padlock_aes_crypter.lo padlock_sha1_hasher.lo padlock_rng.lo
@@ -81,6 +81,9 @@ libstrongswan_padlock_la_OBJECTS =  \
 libstrongswan_padlock_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
 	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
 	$(libstrongswan_padlock_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_padlock_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_padlock_la_rpath =
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
@@ -219,6 +222,7 @@ ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libhydra_plugins = @libhydra_plugins@
 libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
@@ -255,8 +259,10 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
 AM_CFLAGS = -rdynamic
-plugin_LTLIBRARIES = libstrongswan-padlock.la
-libstrongswan_padlock_la_SOURCES = padlock_plugin.h padlock_plugin.c \
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-padlock.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-padlock.la
+libstrongswan_padlock_la_SOURCES = \
+	padlock_plugin.h padlock_plugin.c \
 	padlock_aes_crypter.c padlock_aes_crypter.h \
 	padlock_sha1_hasher.c padlock_sha1_hasher.h \
 	padlock_rng.c padlock_rng.h
@@ -296,6 +302,15 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
 	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
@@ -328,7 +343,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-padlock.la: $(libstrongswan_padlock_la_OBJECTS) $(libstrongswan_padlock_la_DEPENDENCIES) 
-	$(libstrongswan_padlock_la_LINK) -rpath $(plugindir) $(libstrongswan_padlock_la_OBJECTS) $(libstrongswan_padlock_la_LIBADD) $(LIBS)
+	$(libstrongswan_padlock_la_LINK) $(am_libstrongswan_padlock_la_rpath) $(libstrongswan_padlock_la_OBJECTS) $(libstrongswan_padlock_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -484,8 +499,8 @@ maintainer-clean-generic:
 	@echo "it deletes files that may require special tools to rebuild."
 clean: clean-am
 
-clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
-	mostlyclean-am
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
 
 distclean: distclean-am
 	-rm -rf ./$(DEPDIR)
@@ -556,18 +571,19 @@ uninstall-am: uninstall-pluginLTLIBRARIES
 .MAKE: install-am install-strip
 
 .PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
-	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
-	distclean-compile distclean-generic distclean-libtool \
-	distclean-tags distdir dvi dvi-am html html-am info info-am \
-	install install-am install-data install-data-am install-dvi \
-	install-dvi-am install-exec install-exec-am install-html \
-	install-html-am install-info install-info-am install-man \
-	install-pdf install-pdf-am install-pluginLTLIBRARIES \
-	install-ps install-ps-am install-strip installcheck \
-	installcheck-am installdirs maintainer-clean \
-	maintainer-clean-generic mostlyclean mostlyclean-compile \
-	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
 
 
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
diff --git a/src/libstrongswan/plugins/padlock/padlock_plugin.c b/src/libstrongswan/plugins/padlock/padlock_plugin.c
index 32b18ec4b..c9606ae15 100644
--- a/src/libstrongswan/plugins/padlock/padlock_plugin.c
+++ b/src/libstrongswan/plugins/padlock/padlock_plugin.c
@@ -97,7 +97,7 @@ static padlock_feature_t get_padlock_features()
 			return d;
 		}
 	}
-	DBG1("Padlock not found, CPU is %s", vendor);
+	DBG1(DBG_LIB, "Padlock not found, CPU is %s", vendor);
 	return 0;
 }
 
@@ -131,7 +131,7 @@ static void destroy(private_padlock_plugin_t *this)
 /*
  * see header file
  */
-plugin_t *plugin_create()
+plugin_t *padlock_plugin_create()
 {
 	private_padlock_plugin_t *this = malloc_thing(private_padlock_plugin_t);
 
@@ -143,7 +143,7 @@ plugin_t *plugin_create()
 		free(this);
 		return NULL;
 	}
-	DBG1("Padlock found, supports:%s%s%s%s%s, enabled:%s%s%s%s%s",
+	DBG1(DBG_LIB, "Padlock found, supports:%s%s%s%s%s, enabled:%s%s%s%s%s",
 		 this->features & PADLOCK_RNG_AVAILABLE ? " RNG" : "",
 		 this->features & PADLOCK_ACE_AVAILABLE ? " ACE" : "",
 		 this->features & PADLOCK_ACE2_AVAILABLE ? " ACE2" : "",
diff --git a/src/libstrongswan/plugins/padlock/padlock_plugin.h b/src/libstrongswan/plugins/padlock/padlock_plugin.h
index 76f4d1135..d99d4db0f 100644
--- a/src/libstrongswan/plugins/padlock/padlock_plugin.h
+++ b/src/libstrongswan/plugins/padlock/padlock_plugin.h
@@ -39,9 +39,4 @@ struct padlock_plugin_t {
 	plugin_t plugin;
 };
 
-/**
- * Create a padlock_plugin instance.
- */
-plugin_t *plugin_create();
-
 #endif /** PADLOCK_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/pem/Makefile.am b/src/libstrongswan/plugins/pem/Makefile.am
index 98f356aaf..b815b1e0b 100644
--- a/src/libstrongswan/plugins/pem/Makefile.am
+++ b/src/libstrongswan/plugins/pem/Makefile.am
@@ -3,10 +3,15 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan
 
 AM_CFLAGS = -rdynamic
 
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-pem.la
+else
 plugin_LTLIBRARIES = libstrongswan-pem.la
+endif
 
-libstrongswan_pem_la_SOURCES = pem_plugin.h pem_plugin.c \
-  pem_builder.c pem_builder.h
+libstrongswan_pem_la_SOURCES = \
+	pem_plugin.h pem_plugin.c \
+	pem_builder.c pem_builder.h \
+	pem_encoder.c pem_encoder.h
 
 libstrongswan_pem_la_LDFLAGS = -module -avoid-version
-
diff --git a/src/libstrongswan/plugins/pem/Makefile.in b/src/libstrongswan/plugins/pem/Makefile.in
index e81b4f78f..4e39c8f7b 100644
--- a/src/libstrongswan/plugins/pem/Makefile.in
+++ b/src/libstrongswan/plugins/pem/Makefile.in
@@ -72,13 +72,16 @@ am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__installdirs = "$(DESTDIR)$(plugindir)"
-LTLIBRARIES = $(plugin_LTLIBRARIES)
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_pem_la_LIBADD =
-am_libstrongswan_pem_la_OBJECTS = pem_plugin.lo pem_builder.lo
+am_libstrongswan_pem_la_OBJECTS = pem_plugin.lo pem_builder.lo \
+	pem_encoder.lo
 libstrongswan_pem_la_OBJECTS = $(am_libstrongswan_pem_la_OBJECTS)
 libstrongswan_pem_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
 	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
 	$(libstrongswan_pem_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_pem_la_rpath = -rpath $(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_pem_la_rpath =
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
@@ -217,6 +220,7 @@ ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libhydra_plugins = @libhydra_plugins@
 libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
@@ -253,9 +257,12 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
 AM_CFLAGS = -rdynamic
-plugin_LTLIBRARIES = libstrongswan-pem.la
-libstrongswan_pem_la_SOURCES = pem_plugin.h pem_plugin.c \
-  pem_builder.c pem_builder.h
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-pem.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-pem.la
+libstrongswan_pem_la_SOURCES = \
+	pem_plugin.h pem_plugin.c \
+	pem_builder.c pem_builder.h \
+	pem_encoder.c pem_encoder.h
 
 libstrongswan_pem_la_LDFLAGS = -module -avoid-version
 all: all-am
@@ -292,6 +299,15 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
 	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
@@ -324,7 +340,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-pem.la: $(libstrongswan_pem_la_OBJECTS) $(libstrongswan_pem_la_DEPENDENCIES) 
-	$(libstrongswan_pem_la_LINK) -rpath $(plugindir) $(libstrongswan_pem_la_OBJECTS) $(libstrongswan_pem_la_LIBADD) $(LIBS)
+	$(libstrongswan_pem_la_LINK) $(am_libstrongswan_pem_la_rpath) $(libstrongswan_pem_la_OBJECTS) $(libstrongswan_pem_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -333,6 +349,7 @@ distclean-compile:
 	-rm -f *.tab.c
 
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pem_builder.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pem_encoder.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pem_plugin.Plo@am__quote@
 
 .c.o:
@@ -478,8 +495,8 @@ maintainer-clean-generic:
 	@echo "it deletes files that may require special tools to rebuild."
 clean: clean-am
 
-clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
-	mostlyclean-am
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
 
 distclean: distclean-am
 	-rm -rf ./$(DEPDIR)
@@ -550,18 +567,19 @@ uninstall-am: uninstall-pluginLTLIBRARIES
 .MAKE: install-am install-strip
 
 .PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
-	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
-	distclean-compile distclean-generic distclean-libtool \
-	distclean-tags distdir dvi dvi-am html html-am info info-am \
-	install install-am install-data install-data-am install-dvi \
-	install-dvi-am install-exec install-exec-am install-html \
-	install-html-am install-info install-info-am install-man \
-	install-pdf install-pdf-am install-pluginLTLIBRARIES \
-	install-ps install-ps-am install-strip installcheck \
-	installcheck-am installdirs maintainer-clean \
-	maintainer-clean-generic mostlyclean mostlyclean-compile \
-	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
 
 
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
diff --git a/src/libstrongswan/plugins/pem/pem_builder.c b/src/libstrongswan/plugins/pem/pem_builder.c
index 2f285e9bc..65be9501b 100644
--- a/src/libstrongswan/plugins/pem/pem_builder.c
+++ b/src/libstrongswan/plugins/pem/pem_builder.c
@@ -73,7 +73,7 @@ static bool find_boundary(char* tag, chunk_t *line)
 	{
 		if (present("-----", line))
 		{
-			DBG2("  -----%s %.*s-----", tag, (int)name.len, name.ptr);
+			DBG2(DBG_LIB, "  -----%s %.*s-----", tag, (int)name.len, name.ptr);
 			return TRUE;
 		}
 		line->ptr++;  line->len--;  name.len++;
@@ -99,7 +99,7 @@ static status_t pem_decrypt(chunk_t *blob, encryption_algorithm_t alg,
 	hasher = lib->crypto->create_hasher(lib->crypto, HASH_MD5);
 	if (hasher == NULL)
 	{
-		DBG1("  MD5 hash algorithm not available");
+		DBG1(DBG_LIB, "  MD5 hash algorithm not available");
 		return NOT_SUPPORTED;
 	}
 	hash.len = hasher->get_hash_size(hasher);
@@ -121,7 +121,7 @@ static status_t pem_decrypt(chunk_t *blob, encryption_algorithm_t alg,
 	crypter = lib->crypto->create_crypter(lib->crypto, alg, key_size);
 	if (crypter == NULL)
 	{
-		DBG1("  %N encryption algorithm not available",
+		DBG1(DBG_LIB, "  %N encryption algorithm not available",
 			 encryption_algorithm_names, alg);
 		return NOT_SUPPORTED;
 	}
@@ -131,7 +131,7 @@ static status_t pem_decrypt(chunk_t *blob, encryption_algorithm_t alg,
 		blob->len % iv.len)
 	{
 		crypter->destroy(crypter);
-		DBG1("  data size is not multiple of block size");
+		DBG1(DBG_LIB, "  data size is not multiple of block size");
 		return PARSE_ERROR;
 	}
 	crypter->decrypt(crypter, *blob, iv, &decrypted);
@@ -155,7 +155,7 @@ static status_t pem_decrypt(chunk_t *blob, encryption_algorithm_t alg,
 	{
 		if (*last_padding_pos != padding)
 		{
-			DBG1("  invalid passphrase");
+			DBG1(DBG_LIB, "  invalid passphrase");
 			return INVALID_ARG;
 		}
 	}
@@ -234,7 +234,7 @@ static status_t pem_to_bin(chunk_t *blob, chunk_t(*cb)(void*,int), void *cb_data
 				}
 
 				/* we are looking for a parameter: value pair */
-				DBG2("  %.*s", (int)line.len, line.ptr);
+				DBG2(DBG_LIB, "  %.*s", (int)line.len, line.ptr);
 				ugh = extract_parameter_value(&name, &value, &line);
 				if (ugh != NULL)
 				{
@@ -274,8 +274,8 @@ static status_t pem_to_bin(chunk_t *blob, chunk_t(*cb)(void*,int), void *cb_data
 					}
 					else
 					{
-						DBG1("  encryption algorithm '%.*s' not supported",
-							 dek.len, dek.ptr);
+						DBG1(DBG_LIB, "  encryption algorithm '%.*s'"
+							 " not supported", dek.len, dek.ptr);
 						return NOT_SUPPORTED;
 					}
 					eat_whitespace(&value);
@@ -298,7 +298,8 @@ static status_t pem_to_bin(chunk_t *blob, chunk_t(*cb)(void*,int), void *cb_data
 					*pgp = TRUE;
 					data.ptr++;
 					data.len--;
-					DBG2("  armor checksum: %.*s", (int)data.len, data.ptr);
+					DBG2(DBG_LIB, "  armor checksum: %.*s", (int)data.len,
+						 data.ptr);
 					continue;
 				}
 
@@ -318,7 +319,7 @@ static status_t pem_to_bin(chunk_t *blob, chunk_t(*cb)(void*,int), void *cb_data
 
 	if (state != PEM_POST)
 	{
-		DBG1("  file coded in unknown format, discarded");
+		DBG1(DBG_LIB, "  file coded in unknown format, discarded");
 		return PARSE_ERROR;
 	}
 	if (!encrypted)
@@ -327,7 +328,7 @@ static status_t pem_to_bin(chunk_t *blob, chunk_t(*cb)(void*,int), void *cb_data
 	}
 	if (!cb)
 	{
-		DBG1("  missing passphrase");
+		DBG1(DBG_LIB, "  missing passphrase");
 		return INVALID_ARG;
 	}
 	while (TRUE)
@@ -404,13 +405,14 @@ static void *load_from_file(char *file, credential_type_t type, int subtype,
 	fd = open(file, O_RDONLY);
 	if (fd == -1)
 	{
-		DBG1("  opening '%s' failed: %s", file, strerror(errno));
+		DBG1(DBG_LIB, "  opening '%s' failed: %s", file, strerror(errno));
 		return NULL;
 	}
 
 	if (fstat(fd, &sb) == -1)
 	{
-		DBG1("  getting file size of '%s' failed: %s", file, strerror(errno));
+		DBG1(DBG_LIB, "  getting file size of '%s' failed: %s", file,
+			 strerror(errno));
 		close(fd);
 		return NULL;
 	}
@@ -418,7 +420,7 @@ static void *load_from_file(char *file, credential_type_t type, int subtype,
 	addr = mmap(NULL, sb.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
 	if (addr == MAP_FAILED)
 	{
-		DBG1("  mapping '%s' failed: %s", file, strerror(errno));
+		DBG1(DBG_LIB, "  mapping '%s' failed: %s", file, strerror(errno));
 		close(fd);
 		return NULL;
 	}
@@ -447,7 +449,8 @@ static void *load_from_fd(int fd, credential_type_t type, int subtype,
 		len = read(fd, pos, buf + sizeof(buf) - pos);
 		if (len < 0)
 		{
-			DBG1("reading from file descriptor failed: %s", strerror(errno));
+			DBG1(DBG_LIB, "reading from file descriptor failed: %s",
+				 strerror(errno));
 			return NULL;
 		}
 		if (len == 0)
@@ -457,7 +460,7 @@ static void *load_from_fd(int fd, credential_type_t type, int subtype,
 		total += len;
 		if (total == sizeof(buf))
 		{
-			DBG1("buffer too small to read from file descriptor");
+			DBG1(DBG_LIB, "buffer too small to read from file descriptor");
 			return NULL;
 		}
 	}
diff --git a/src/libstrongswan/plugins/pem/pem_builder.h b/src/libstrongswan/plugins/pem/pem_builder.h
index 189a5430f..87f5a2c69 100644
--- a/src/libstrongswan/plugins/pem/pem_builder.h
+++ b/src/libstrongswan/plugins/pem/pem_builder.h
@@ -18,8 +18,8 @@
  * @{ @ingroup pem_p
  */
 
-#ifndef PEM_PRIVATE_KEY_H_
-#define PEM_PRIVATE_KEY_H_
+#ifndef PEM_BUILDER_H_
+#define PEM_BUILDER_H_
 
 #include <credentials/builder.h>
 #include <credentials/credential_factory.h>
@@ -53,5 +53,5 @@ public_key_t *pem_public_key_load(key_type_t type, va_list args);
  */
 certificate_t *pem_certificate_load(certificate_type_t type, va_list args);
 
-#endif /** PEM_PRIVATE_KEY_H_ @}*/
+#endif /** PEM_BUILDER_H_ @}*/
 
diff --git a/src/libstrongswan/plugins/pem/pem_encoder.c b/src/libstrongswan/plugins/pem/pem_encoder.c
new file mode 100644
index 000000000..13c99a958
--- /dev/null
+++ b/src/libstrongswan/plugins/pem/pem_encoder.c
@@ -0,0 +1,138 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "pem_encoder.h"
+
+#define BYTES_PER_LINE	48
+
+/**
+ * See header.
+ */
+bool pem_encoder_encode(key_encoding_type_t type, chunk_t *encoding,
+						va_list args)
+{
+	chunk_t asn1;
+	char *label;
+	u_char *pos;
+	size_t len, written, pem_chars, pem_lines;
+	chunk_t n, e, d, p, q, exp1, exp2, coeff, to_free = chunk_empty;
+
+	switch (type)
+	{
+		case KEY_PUB_PEM:
+			label ="PUBLIC KEY";
+			/* direct PKCS#1 PEM encoding */
+			if (key_encoding_args(args, KEY_PART_RSA_PUB_ASN1_DER,
+									&asn1, KEY_PART_END) ||
+				key_encoding_args(args, KEY_PART_ECDSA_PUB_ASN1_DER,
+									&asn1, KEY_PART_END))
+			{
+				break;
+			}
+			/* indirect PEM encoding from components */
+			if (key_encoding_args(args, KEY_PART_RSA_MODULUS, &n,
+									KEY_PART_RSA_PUB_EXP, &e, KEY_PART_END))
+			{
+				if (lib->encoding->encode(lib->encoding, KEY_PUB_SPKI_ASN1_DER,
+									NULL, &asn1, KEY_PART_RSA_MODULUS, n,
+									KEY_PART_RSA_PUB_EXP, e, KEY_PART_END))
+				{
+					to_free = asn1;
+					break;
+				}
+			}
+			return FALSE;
+		case KEY_PRIV_PEM:
+			label ="RSA PRIVATE KEY";
+			/* direct PKCS#1 PEM encoding */
+			if (key_encoding_args(args, KEY_PART_RSA_PRIV_ASN1_DER,
+									&asn1, KEY_PART_END))
+			{
+				break;
+			}
+			/* indirect PEM encoding from components */
+			if (key_encoding_args(args, KEY_PART_RSA_MODULUS, &n,
+							KEY_PART_RSA_PUB_EXP, &e, KEY_PART_RSA_PRIV_EXP, &d,
+							KEY_PART_RSA_PRIME1, &p, KEY_PART_RSA_PRIME2, &q,
+							KEY_PART_RSA_EXP1, &exp1, KEY_PART_RSA_EXP2, &exp2,
+							KEY_PART_RSA_COEFF, &coeff, KEY_PART_END))
+			{
+				if (lib->encoding->encode(lib->encoding, KEY_PRIV_ASN1_DER, NULL,
+							&asn1, KEY_PART_RSA_MODULUS, n,
+							KEY_PART_RSA_PUB_EXP, e, KEY_PART_RSA_PRIV_EXP, d,
+							KEY_PART_RSA_PRIME1, p, KEY_PART_RSA_PRIME2, q,
+							KEY_PART_RSA_EXP1, exp1, KEY_PART_RSA_EXP2, exp2,
+							KEY_PART_RSA_COEFF, coeff, KEY_PART_END))
+				{
+					to_free = asn1;
+					break;
+				}
+			}
+			if (key_encoding_args(args, KEY_PART_ECDSA_PRIV_ASN1_DER,
+								   &asn1, KEY_PART_END))
+			{
+				label ="EC PRIVATE KEY";
+				break;
+			}
+			return FALSE;
+		default:
+			return FALSE;
+	}
+
+	/* compute and allocate maximum size of PEM object */
+	pem_chars = 4*(asn1.len + 2)/3;
+	pem_lines = (asn1.len + BYTES_PER_LINE - 1) / BYTES_PER_LINE;
+	*encoding = chunk_alloc(5 + 2*(6 + strlen(label) + 6) + 3 + pem_chars + pem_lines);
+	pos = encoding->ptr;
+	len = encoding->len;
+
+	/* write PEM header */
+	written = snprintf(pos, len, "-----BEGIN %s-----\n", label);
+	pos += written;
+	len -= written;
+
+	/* write PEM body */
+	while (pem_lines--)
+	{
+		chunk_t asn1_line, pem_line;
+
+		asn1_line = chunk_create(asn1.ptr, min(asn1.len, BYTES_PER_LINE));
+		asn1.ptr += asn1_line.len;
+		asn1.len -= asn1_line.len;
+		pem_line =  chunk_to_base64(asn1_line, pos);
+		pos += pem_line.len;
+		len -= pem_line.len;
+		*pos = '\n';
+		pos++;
+		len--;
+	}
+
+	chunk_clear(&to_free);
+
+	/* write PEM trailer */
+	written = snprintf(pos, len, "-----END %s-----", label);
+	pos += written;
+	len -= written;
+
+	/* replace termination null character with newline */
+	*pos = '\n';
+	pos++;
+	len--;
+
+	/* compute effective length of PEM object */
+	encoding->len = pos - encoding->ptr;
+	return TRUE;
+}
+
diff --git a/src/libstrongswan/plugins/pem/pem_encoder.h b/src/libstrongswan/plugins/pem/pem_encoder.h
new file mode 100644
index 000000000..a181133b7
--- /dev/null
+++ b/src/libstrongswan/plugins/pem/pem_encoder.h
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pem_encoder pem_encoder
+ * @{ @ingroup pem_p
+ */
+
+#ifndef PEM_ENCODER_H_
+#define PEM_ENCODER_H_
+
+#include <credentials/keys/key_encoding.h>
+
+/**
+ * Encoding from ASN.1 to PEM format.
+ */
+bool pem_encoder_encode(key_encoding_type_t type, chunk_t *encoding,
+						va_list args);
+
+#endif /** PEM_ENCODER_H_ @}*/
+
diff --git a/src/libstrongswan/plugins/pem/pem_plugin.c b/src/libstrongswan/plugins/pem/pem_plugin.c
index 5a5149ca8..810901b7a 100644
--- a/src/libstrongswan/plugins/pem/pem_plugin.c
+++ b/src/libstrongswan/plugins/pem/pem_plugin.c
@@ -16,7 +16,9 @@
 #include "pem_plugin.h"
 
 #include <library.h>
+
 #include "pem_builder.h"
+#include "pem_encoder.h"
 
 typedef struct private_pem_plugin_t private_pem_plugin_t;
 
@@ -48,7 +50,7 @@ static void destroy(private_pem_plugin_t *this)
 /*
  * see header file
  */
-plugin_t *plugin_create()
+plugin_t *pem_plugin_create()
 {
 	private_pem_plugin_t *this = malloc_thing(private_pem_plugin_t);
 
@@ -100,6 +102,9 @@ plugin_t *plugin_create()
 	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_PLUTO_CRL,
 							(builder_function_t)pem_certificate_load);
 
+	/* register PEM encoder */
+	lib->encoding->add_encoder(lib->encoding, pem_encoder_encode);
+
 	return &this->public.plugin;
 }
 
diff --git a/src/libstrongswan/plugins/pem/pem_plugin.h b/src/libstrongswan/plugins/pem/pem_plugin.h
index 75616c496..944a3fc85 100644
--- a/src/libstrongswan/plugins/pem/pem_plugin.h
+++ b/src/libstrongswan/plugins/pem/pem_plugin.h
@@ -39,9 +39,4 @@ struct pem_plugin_t {
 	plugin_t plugin;
 };
 
-/**
- * Create a pem_plugin instance.
- */
-plugin_t *plugin_create();
-
 #endif /** PEM_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/pgp/Makefile.am b/src/libstrongswan/plugins/pgp/Makefile.am
index c232971bb..4b414616d 100644
--- a/src/libstrongswan/plugins/pgp/Makefile.am
+++ b/src/libstrongswan/plugins/pgp/Makefile.am
@@ -3,13 +3,17 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan
 
 AM_CFLAGS = -rdynamic
 
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-pgp.la
+else
 plugin_LTLIBRARIES = libstrongswan-pgp.la
+endif
 
-libstrongswan_pgp_la_SOURCES = pgp_plugin.h pgp_plugin.c \
-  pgp_utils.h pgp_utils.c \
-  pgp_cert.h pgp_cert.c \
-  pgp_encoder.h pgp_encoder.c \
-  pgp_builder.h pgp_builder.c
+libstrongswan_pgp_la_SOURCES = \
+	pgp_plugin.h pgp_plugin.c \
+	pgp_utils.h pgp_utils.c \
+	pgp_cert.h pgp_cert.c \
+	pgp_encoder.h pgp_encoder.c \
+	pgp_builder.h pgp_builder.c
 
 libstrongswan_pgp_la_LDFLAGS = -module -avoid-version
-
diff --git a/src/libstrongswan/plugins/pgp/Makefile.in b/src/libstrongswan/plugins/pgp/Makefile.in
index 70840c400..5d487364f 100644
--- a/src/libstrongswan/plugins/pgp/Makefile.in
+++ b/src/libstrongswan/plugins/pgp/Makefile.in
@@ -72,7 +72,7 @@ am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__installdirs = "$(DESTDIR)$(plugindir)"
-LTLIBRARIES = $(plugin_LTLIBRARIES)
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_pgp_la_LIBADD =
 am_libstrongswan_pgp_la_OBJECTS = pgp_plugin.lo pgp_utils.lo \
 	pgp_cert.lo pgp_encoder.lo pgp_builder.lo
@@ -80,6 +80,8 @@ libstrongswan_pgp_la_OBJECTS = $(am_libstrongswan_pgp_la_OBJECTS)
 libstrongswan_pgp_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
 	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
 	$(libstrongswan_pgp_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_pgp_la_rpath = -rpath $(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_pgp_la_rpath =
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
@@ -218,6 +220,7 @@ ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libhydra_plugins = @libhydra_plugins@
 libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
@@ -254,12 +257,14 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
 AM_CFLAGS = -rdynamic
-plugin_LTLIBRARIES = libstrongswan-pgp.la
-libstrongswan_pgp_la_SOURCES = pgp_plugin.h pgp_plugin.c \
-  pgp_utils.h pgp_utils.c \
-  pgp_cert.h pgp_cert.c \
-  pgp_encoder.h pgp_encoder.c \
-  pgp_builder.h pgp_builder.c
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-pgp.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-pgp.la
+libstrongswan_pgp_la_SOURCES = \
+	pgp_plugin.h pgp_plugin.c \
+	pgp_utils.h pgp_utils.c \
+	pgp_cert.h pgp_cert.c \
+	pgp_encoder.h pgp_encoder.c \
+	pgp_builder.h pgp_builder.c
 
 libstrongswan_pgp_la_LDFLAGS = -module -avoid-version
 all: all-am
@@ -296,6 +301,15 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
 	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
@@ -328,7 +342,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-pgp.la: $(libstrongswan_pgp_la_OBJECTS) $(libstrongswan_pgp_la_DEPENDENCIES) 
-	$(libstrongswan_pgp_la_LINK) -rpath $(plugindir) $(libstrongswan_pgp_la_OBJECTS) $(libstrongswan_pgp_la_LIBADD) $(LIBS)
+	$(libstrongswan_pgp_la_LINK) $(am_libstrongswan_pgp_la_rpath) $(libstrongswan_pgp_la_OBJECTS) $(libstrongswan_pgp_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -485,8 +499,8 @@ maintainer-clean-generic:
 	@echo "it deletes files that may require special tools to rebuild."
 clean: clean-am
 
-clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
-	mostlyclean-am
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
 
 distclean: distclean-am
 	-rm -rf ./$(DEPDIR)
@@ -557,18 +571,19 @@ uninstall-am: uninstall-pluginLTLIBRARIES
 .MAKE: install-am install-strip
 
 .PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
-	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
-	distclean-compile distclean-generic distclean-libtool \
-	distclean-tags distdir dvi dvi-am html html-am info info-am \
-	install install-am install-data install-data-am install-dvi \
-	install-dvi-am install-exec install-exec-am install-html \
-	install-html-am install-info install-info-am install-man \
-	install-pdf install-pdf-am install-pluginLTLIBRARIES \
-	install-ps install-ps-am install-strip installcheck \
-	installcheck-am installdirs maintainer-clean \
-	maintainer-clean-generic mostlyclean mostlyclean-compile \
-	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
 
 
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
diff --git a/src/libstrongswan/plugins/pgp/pgp_builder.c b/src/libstrongswan/plugins/pgp/pgp_builder.c
index d262d18ff..84c9bfddd 100644
--- a/src/libstrongswan/plugins/pgp/pgp_builder.c
+++ b/src/libstrongswan/plugins/pgp/pgp_builder.c
@@ -41,7 +41,7 @@ static public_key_t *parse_public_key(chunk_t blob)
 									 BUILD_BLOB_PGP, blob, BUILD_END);
 			break;
 		default:
-			DBG1("PGP public key algorithm %N not supported",
+			DBG1(DBG_LIB, "PGP public key algorithm %N not supported",
 				 pgp_pubkey_alg_names, alg);
 			return NULL;
 	}
@@ -90,12 +90,13 @@ static private_key_t *parse_rsa_private_key(chunk_t blob)
 	}
 	if (s2k == 255 || s2k == 254)
 	{
-		DBG1("string-to-key specifiers not supported");
+		DBG1(DBG_LIB, "string-to-key specifiers not supported");
 		return NULL;
 	}
 	if (s2k != PGP_SYM_ALG_PLAIN)
 	{
-		DBG1("%N private key encryption not supported", pgp_sym_alg_names, s2k);
+		DBG1(DBG_LIB, "%N private key encryption not supported",
+			 pgp_sym_alg_names, s2k);
 		return NULL;
 	}
 
@@ -121,7 +122,7 @@ static private_key_t *parse_rsa_private_key(chunk_t blob)
 static bool sign_not_allowed(private_key_t *this, signature_scheme_t scheme,
 							 chunk_t data, chunk_t *signature)
 {
-	DBG1("signing failed - decryption only key");
+	DBG1(DBG_LIB, "signing failed - decryption only key");
 	return FALSE;
 }
 
@@ -131,7 +132,7 @@ static bool sign_not_allowed(private_key_t *this, signature_scheme_t scheme,
 static bool decrypt_not_allowed(private_key_t *this,
 								chunk_t crypto, chunk_t *plain)
 {
-	DBG1("decryption failed - signature only key");
+	DBG1(DBG_LIB, "decryption failed - signature only key");
 	return FALSE;
 }
 
@@ -164,7 +165,7 @@ static private_key_t *parse_private_key(chunk_t blob)
 		case 4:
 			break;
 		default:
-			DBG1("PGP packet version V%d not supported", version);
+			DBG1(DBG_LIB, "PGP packet version V%d not supported", version);
 			return FALSE;
 	}
 	if (!pgp_read_scalar(&packet, 4, &created))
diff --git a/src/libstrongswan/plugins/pgp/pgp_cert.c b/src/libstrongswan/plugins/pgp/pgp_cert.c
index fa2612285..cd04f3d1a 100644
--- a/src/libstrongswan/plugins/pgp/pgp_cert.c
+++ b/src/libstrongswan/plugins/pgp/pgp_cert.c
@@ -198,9 +198,9 @@ static bool is_newer(certificate_t *this, certificate_t *that)
 	this->get_validity(this, &now, &this_update, NULL);
 	that->get_validity(that, &now, &that_update, NULL);
 	new = this_update > that_update;
-	DBG1("  certificate from %T is %s - existing certificate from %T %s",
-				&this_update, FALSE, new ? "newer":"not newer",
-				&that_update, FALSE, new ? "replaced":"retained");
+	DBG1(DBG_LIB, "  certificate from %T is %s - existing certificate"
+		 " from %T %s", &this_update, FALSE, new ? "newer" : "not newer",
+		 &that_update, FALSE, new ? "replaced" : "retained");
 	return new;
 }
 
@@ -322,16 +322,18 @@ static bool parse_public_key(private_pgp_cert_t *this, chunk_t packet)
 			}
 			break;
 		default:
-			DBG1("PGP packet version V%d not supported", this->version);
+			DBG1(DBG_LIB, "PGP packet version V%d not supported",
+				 this->version);
 			return FALSE;
 	}
 	if (this->valid)
 	{
-		DBG2("L2 - created %T, valid %d days", &this->created, FALSE, this->valid);
+		DBG2(DBG_LIB, "L2 - created %T, valid %d days", &this->created, FALSE,
+			 this->valid);
 	}
 	else
 	{
-		DBG2("L2 - created %T, never expires", &this->created, FALSE);
+		DBG2(DBG_LIB, "L2 - created %T, never expires", &this->created, FALSE);
 	}
 	DESTROY_IF(this->key);
 	this->key = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ANY,
@@ -352,13 +354,13 @@ static bool parse_public_key(private_pgp_cert_t *this, chunk_t packet)
 		hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
 		if (hasher == NULL)
 		{
-			DBG1("no SHA-1 hasher available");
+			DBG1(DBG_LIB, "no SHA-1 hasher available");
 			return FALSE;
 		}
 		hasher->allocate_hash(hasher, pubkey_packet_header, NULL);
 		hasher->allocate_hash(hasher, pubkey_packet, &this->fingerprint);
 		hasher->destroy(hasher);
-		DBG2("L2 - v4 fingerprint %#B", &this->fingerprint);
+		DBG2(DBG_LIB, "L2 - v4 fingerprint %#B", &this->fingerprint);
 	}
 	else
 	{
@@ -369,7 +371,7 @@ static bool parse_public_key(private_pgp_cert_t *this, chunk_t packet)
 			return FALSE;
 		}
 		this->fingerprint = chunk_clone(this->fingerprint);
-		DBG2("L2 - v3 fingerprint %#B", &this->fingerprint);
+		DBG2(DBG_LIB, "L2 - v3 fingerprint %#B", &this->fingerprint);
 	}
 	return TRUE;
 }
@@ -389,7 +391,7 @@ static bool parse_signature(private_pgp_cert_t *this, chunk_t packet)
 	/* we parse only v3 or v4 signature packets */
 	if (version != 3 && version != 4)
 	{
-		DBG2("L2 - v%d signature ignored", version);
+		DBG2(DBG_LIB, "L2 - v%d signature ignored", version);
 		return TRUE;
 	}
 	if (version == 4)
@@ -398,7 +400,7 @@ static bool parse_signature(private_pgp_cert_t *this, chunk_t packet)
 		{
 			return FALSE;
 		}
-		DBG2("L2 - v%d signature of type 0x%02x", version, type);
+		DBG2(DBG_LIB, "L2 - v%d signature of type 0x%02x", version, type);
 	}
 	else
 	{
@@ -411,8 +413,8 @@ static bool parse_signature(private_pgp_cert_t *this, chunk_t packet)
 		{
 			return FALSE;
 		}
-		DBG2("L2 - v3 signature of type 0x%02x, created %T", type,
-												&created, FALSE);
+		DBG2(DBG_LIB, "L2 - v3 signature of type 0x%02x, created %T", type,
+			 &created, FALSE);
 	}
 	/* TODO: parse and save signature to a list */
 	return TRUE;
@@ -425,7 +427,7 @@ static bool parse_user_id(private_pgp_cert_t *this, chunk_t packet)
 {
 	DESTROY_IF(this->user_id);
 	this->user_id = identification_create_from_encoding(ID_KEY_ID, packet);
-	DBG2("L2 - '%Y'", this->user_id);
+	DBG2(DBG_LIB, "L2 - '%Y'", this->user_id);
 	return TRUE;
 }
 
@@ -486,7 +488,7 @@ pgp_cert_t *pgp_cert_load(certificate_type_t type, va_list args)
 				}
 				break;
 			default:
-				DBG1("ignoring %N packet in PGP certificate",
+				DBG1(DBG_LIB, "ignoring %N packet in PGP certificate",
 					 pgp_packet_tag_names, tag);
 				break;
 		}
diff --git a/src/libstrongswan/plugins/pgp/pgp_encoder.c b/src/libstrongswan/plugins/pgp/pgp_encoder.c
index 56acac597..d5c3df590 100644
--- a/src/libstrongswan/plugins/pgp/pgp_encoder.c
+++ b/src/libstrongswan/plugins/pgp/pgp_encoder.c
@@ -31,7 +31,8 @@ static bool build_v3_fingerprint(chunk_t *encoding, va_list args)
 		hasher = lib->crypto->create_hasher(lib->crypto, HASH_MD5);
 		if (!hasher)
 		{
-			DBG1("MD5 hash algorithm not supported, PGP fingerprinting failed");
+			DBG1(DBG_LIB, "MD5 hash algorithm not supported, PGP"
+				 " fingerprinting failed");
 			return FALSE;
 		}
 		/* remove leading zero bytes before hashing modulus and exponent */
diff --git a/src/libstrongswan/plugins/pgp/pgp_plugin.c b/src/libstrongswan/plugins/pgp/pgp_plugin.c
index eabb3695f..3ed1faf01 100644
--- a/src/libstrongswan/plugins/pgp/pgp_plugin.c
+++ b/src/libstrongswan/plugins/pgp/pgp_plugin.c
@@ -54,7 +54,7 @@ static void destroy(private_pgp_plugin_t *this)
 /*
  * see header file
  */
-plugin_t *plugin_create()
+plugin_t *pgp_plugin_create()
 {
 	private_pgp_plugin_t *this = malloc_thing(private_pgp_plugin_t);
 
diff --git a/src/libstrongswan/plugins/pgp/pgp_plugin.h b/src/libstrongswan/plugins/pgp/pgp_plugin.h
index 95765cd76..8a0ab89d6 100644
--- a/src/libstrongswan/plugins/pgp/pgp_plugin.h
+++ b/src/libstrongswan/plugins/pgp/pgp_plugin.h
@@ -39,9 +39,4 @@ struct pgp_plugin_t {
 	plugin_t plugin;
 };
 
-/**
- * Create a pgp_plugin instance.
- */
-plugin_t *plugin_create();
-
 #endif /** PGP_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/pgp/pgp_utils.c b/src/libstrongswan/plugins/pgp/pgp_utils.c
index 1658f3232..2d85cc0c8 100644
--- a/src/libstrongswan/plugins/pgp/pgp_utils.c
+++ b/src/libstrongswan/plugins/pgp/pgp_utils.c
@@ -79,7 +79,7 @@ bool pgp_read_scalar(chunk_t *blob, size_t bytes, u_int32_t *scalar)
 
 	if (bytes > blob->len)
 	{
-		DBG1("PGP data too short to read %d byte scalar", bytes);
+		DBG1(DBG_LIB, "PGP data too short to read %d byte scalar", bytes);
 		return FALSE;
 	}
 	while (bytes-- > 0)
@@ -100,13 +100,13 @@ bool pgp_read_mpi(chunk_t *blob, chunk_t *mpi)
 
 	if (!pgp_read_scalar(blob, 2, &bits))
 	{
-		DBG1("PGP data too short to read MPI length");
+		DBG1(DBG_LIB, "PGP data too short to read MPI length");
 		return FALSE;
 	}
 	bytes = (bits + 7) / 8;
 	if (bytes > blob->len)
 	{
-		DBG1("PGP data too short to read %d byte MPI", bytes);
+		DBG1(DBG_LIB, "PGP data too short to read %d byte MPI", bytes);
 		return FALSE;
 	}
 	*mpi = chunk_create(blob->ptr, bytes);
@@ -146,7 +146,7 @@ bool pgp_read_packet(chunk_t *blob, chunk_t *data, pgp_packet_tag_t *tag)
 
 	if (!blob->len)
 	{
-		DBG1("missing input");
+		DBG1(DBG_LIB, "missing input");
 		return FALSE;
 	}
 	t = blob->ptr[0];
@@ -154,27 +154,27 @@ bool pgp_read_packet(chunk_t *blob, chunk_t *data, pgp_packet_tag_t *tag)
 	/* bit 7 must be set */
 	if (!(t & 0x80))
 	{
-		DBG1("invalid packet tag");
+		DBG1(DBG_LIB, "invalid packet tag");
 		return FALSE;
 	}
 	/* bit 6 set defines new packet format */
 	if (t & 0x40)
 	{
-		DBG1("new PGP packet format not supported");
+		DBG1(DBG_LIB, "new PGP packet format not supported");
 		return FALSE;
 	}
 
 	t = (t & 0x3C) >> 2;
 	if (!pgp_old_packet_length(blob, &len) || len > blob->len)
 	{
-		DBG1("invalid packet length");
+		DBG1(DBG_LIB, "invalid packet length");
 		return FALSE;
 	}
 	*data = chunk_create(blob->ptr, len);
 	*blob = chunk_skip(*blob, len);
 	*tag = t;
-	DBG2("L1 - PGP %N (%u bytes)", pgp_packet_tag_names, t, len);
-	DBG3("%B", data);
+	DBG2(DBG_LIB, "L1 - PGP %N (%u bytes)", pgp_packet_tag_names, t, len);
+	DBG3(DBG_LIB, "%B", data);
 	return TRUE;
 }
 
diff --git a/src/libstrongswan/plugins/pkcs1/Makefile.am b/src/libstrongswan/plugins/pkcs1/Makefile.am
index 88d25a26b..bd3203dae 100644
--- a/src/libstrongswan/plugins/pkcs1/Makefile.am
+++ b/src/libstrongswan/plugins/pkcs1/Makefile.am
@@ -3,11 +3,15 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan
 
 AM_CFLAGS = -rdynamic
 
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-pkcs1.la
+else
 plugin_LTLIBRARIES = libstrongswan-pkcs1.la
+endif
 
-libstrongswan_pkcs1_la_SOURCES = pkcs1_plugin.h pkcs1_plugin.c \
-  pkcs1_encoder.h pkcs1_encoder.c \
-  pkcs1_builder.h pkcs1_builder.c
+libstrongswan_pkcs1_la_SOURCES = \
+	pkcs1_plugin.h pkcs1_plugin.c \
+	pkcs1_encoder.h pkcs1_encoder.c \
+	pkcs1_builder.h pkcs1_builder.c
 
 libstrongswan_pkcs1_la_LDFLAGS = -module -avoid-version
-
diff --git a/src/libstrongswan/plugins/pkcs1/Makefile.in b/src/libstrongswan/plugins/pkcs1/Makefile.in
index 4439cd60f..3fdcd0590 100644
--- a/src/libstrongswan/plugins/pkcs1/Makefile.in
+++ b/src/libstrongswan/plugins/pkcs1/Makefile.in
@@ -72,7 +72,7 @@ am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__installdirs = "$(DESTDIR)$(plugindir)"
-LTLIBRARIES = $(plugin_LTLIBRARIES)
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_pkcs1_la_LIBADD =
 am_libstrongswan_pkcs1_la_OBJECTS = pkcs1_plugin.lo pkcs1_encoder.lo \
 	pkcs1_builder.lo
@@ -80,6 +80,9 @@ libstrongswan_pkcs1_la_OBJECTS = $(am_libstrongswan_pkcs1_la_OBJECTS)
 libstrongswan_pkcs1_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
 	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
 	$(libstrongswan_pkcs1_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_pkcs1_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_pkcs1_la_rpath =
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
@@ -218,6 +221,7 @@ ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libhydra_plugins = @libhydra_plugins@
 libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
@@ -254,10 +258,12 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
 AM_CFLAGS = -rdynamic
-plugin_LTLIBRARIES = libstrongswan-pkcs1.la
-libstrongswan_pkcs1_la_SOURCES = pkcs1_plugin.h pkcs1_plugin.c \
-  pkcs1_encoder.h pkcs1_encoder.c \
-  pkcs1_builder.h pkcs1_builder.c
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-pkcs1.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-pkcs1.la
+libstrongswan_pkcs1_la_SOURCES = \
+	pkcs1_plugin.h pkcs1_plugin.c \
+	pkcs1_encoder.h pkcs1_encoder.c \
+	pkcs1_builder.h pkcs1_builder.c
 
 libstrongswan_pkcs1_la_LDFLAGS = -module -avoid-version
 all: all-am
@@ -294,6 +300,15 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
 	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
@@ -326,7 +341,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-pkcs1.la: $(libstrongswan_pkcs1_la_OBJECTS) $(libstrongswan_pkcs1_la_DEPENDENCIES) 
-	$(libstrongswan_pkcs1_la_LINK) -rpath $(plugindir) $(libstrongswan_pkcs1_la_OBJECTS) $(libstrongswan_pkcs1_la_LIBADD) $(LIBS)
+	$(libstrongswan_pkcs1_la_LINK) $(am_libstrongswan_pkcs1_la_rpath) $(libstrongswan_pkcs1_la_OBJECTS) $(libstrongswan_pkcs1_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -481,8 +496,8 @@ maintainer-clean-generic:
 	@echo "it deletes files that may require special tools to rebuild."
 clean: clean-am
 
-clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
-	mostlyclean-am
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
 
 distclean: distclean-am
 	-rm -rf ./$(DEPDIR)
@@ -553,18 +568,19 @@ uninstall-am: uninstall-pluginLTLIBRARIES
 .MAKE: install-am install-strip
 
 .PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
-	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
-	distclean-compile distclean-generic distclean-libtool \
-	distclean-tags distdir dvi dvi-am html html-am info info-am \
-	install install-am install-data install-data-am install-dvi \
-	install-dvi-am install-exec install-exec-am install-html \
-	install-html-am install-info install-info-am install-man \
-	install-pdf install-pdf-am install-pluginLTLIBRARIES \
-	install-ps install-ps-am install-strip installcheck \
-	installcheck-am installdirs maintainer-clean \
-	maintainer-clean-generic mostlyclean mostlyclean-compile \
-	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
 
 
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
diff --git a/src/libstrongswan/plugins/pkcs1/pkcs1_builder.c b/src/libstrongswan/plugins/pkcs1/pkcs1_builder.c
index fbd35e830..88c848899 100644
--- a/src/libstrongswan/plugins/pkcs1/pkcs1_builder.c
+++ b/src/libstrongswan/plugins/pkcs1/pkcs1_builder.c
@@ -81,10 +81,10 @@ static public_key_t *parse_public_key(chunk_t blob)
 					/* skip initial bit string octet defining 0 unused bits */
 					object = chunk_skip(object, 1);
 				}
-				DBG2("-- > --");
+				DBG2(DBG_LIB, "-- > --");
 				key = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, type,
 										 BUILD_BLOB_ASN1_DER, object, BUILD_END);
-				DBG2("-- < --");
+				DBG2(DBG_LIB, "-- < --");
 				break;
 		}
 	}
@@ -197,7 +197,7 @@ static private_key_t *parse_rsa_private_key(chunk_t blob)
 			case PRIV_KEY_VERSION:
 				if (object.len > 0 && *object.ptr != 0)
 				{
-					DBG1("PKCS#1 private key format is not version 1");
+					DBG1(DBG_LIB, "PKCS#1 private key format is not version 1");
 					goto end;
 				}
 				break;
diff --git a/src/libstrongswan/plugins/pkcs1/pkcs1_builder.h b/src/libstrongswan/plugins/pkcs1/pkcs1_builder.h
index 62ca9f351..9f251833e 100644
--- a/src/libstrongswan/plugins/pkcs1/pkcs1_builder.h
+++ b/src/libstrongswan/plugins/pkcs1/pkcs1_builder.h
@@ -14,7 +14,7 @@
  */
 
 /**
- * @defgroup pkcs1_public_key pkcs1_public_key
+ * @defgroup pkcs1_builder pkcs1_builder
  * @{ @ingroup pkcs1
  */
 
diff --git a/src/libstrongswan/plugins/pkcs1/pkcs1_encoder.c b/src/libstrongswan/plugins/pkcs1/pkcs1_encoder.c
index 0a8da815a..e46062d97 100644
--- a/src/libstrongswan/plugins/pkcs1/pkcs1_encoder.c
+++ b/src/libstrongswan/plugins/pkcs1/pkcs1_encoder.c
@@ -97,7 +97,8 @@ static bool hash_pubkey(chunk_t pubkey, chunk_t *hash)
 	if (hasher == NULL)
 	{
 		chunk_free(&pubkey);
-		DBG1("SHA1 hash algorithm not supported, fingerprinting failed");
+		DBG1(DBG_LIB, "SHA1 hash algorithm not supported, "
+			 "fingerprinting failed");
 		return FALSE;
 	}
 	hasher->allocate_hash(hasher, pubkey, hash);
diff --git a/src/libstrongswan/plugins/pkcs1/pkcs1_plugin.c b/src/libstrongswan/plugins/pkcs1/pkcs1_plugin.c
index 9d71e1388..35ec2d2bf 100644
--- a/src/libstrongswan/plugins/pkcs1/pkcs1_plugin.c
+++ b/src/libstrongswan/plugins/pkcs1/pkcs1_plugin.c
@@ -50,7 +50,7 @@ static void destroy(private_pkcs1_plugin_t *this)
 /*
  * see header file
  */
-plugin_t *plugin_create()
+plugin_t *pkcs1_plugin_create()
 {
 	private_pkcs1_plugin_t *this = malloc_thing(private_pkcs1_plugin_t);
 
diff --git a/src/libstrongswan/plugins/pkcs1/pkcs1_plugin.h b/src/libstrongswan/plugins/pkcs1/pkcs1_plugin.h
index 465c7ef2c..588bde559 100644
--- a/src/libstrongswan/plugins/pkcs1/pkcs1_plugin.h
+++ b/src/libstrongswan/plugins/pkcs1/pkcs1_plugin.h
@@ -39,9 +39,4 @@ struct pkcs1_plugin_t {
 	plugin_t plugin;
 };
 
-/**
- * Create a pkcs1_plugin instance.
- */
-plugin_t *plugin_create();
-
 #endif /** PKCS1_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/plugin.h b/src/libstrongswan/plugins/plugin.h
index 28c800c0c..6d8a370fb 100644
--- a/src/libstrongswan/plugins/plugin.h
+++ b/src/libstrongswan/plugins/plugin.h
@@ -38,9 +38,9 @@ struct plugin_t {
 /**
  * Plugin constructor function definiton.
  *
- * Each plugin has a constructor functions. This function is called on daemon
+ * Each plugin has a constructor function. This function is called on daemon
  * startup to initialize each plugin.
- * The plugin function is named plugin_create().
+ * The plugin function is named plugin_name_plugin_create().
  *
  * @return				plugin_t instance
  */
diff --git a/src/libstrongswan/plugins/plugin_loader.c b/src/libstrongswan/plugins/plugin_loader.c
index d4513f25a..cad279a9d 100644
--- a/src/libstrongswan/plugins/plugin_loader.c
+++ b/src/libstrongswan/plugins/plugin_loader.c
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2010 Tobias Brunner
  * Copyright (C) 2007 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -49,37 +50,83 @@ struct private_plugin_loader_t {
 	linked_list_t *names;
 };
 
+#ifdef MONOLITHIC
+/**
+ * load a single plugin in monolithic mode
+ */
+static plugin_t* load_plugin(private_plugin_loader_t *this,
+							 char *path, char *name)
+{
+	char create[128];
+	plugin_t *plugin;
+	plugin_constructor_t constructor;
+
+	if (snprintf(create, sizeof(create), "%s_plugin_create",
+				 name) >= sizeof(create))
+	{
+		return NULL;
+	}
+	translate(create, "-", "_");
+	constructor = dlsym(RTLD_DEFAULT, create);
+	if (constructor == NULL)
+	{
+		DBG1(DBG_LIB, "plugin '%s': failed to load - %s not found", name,
+			 create);
+		return NULL;
+	}
+	plugin = constructor();
+	if (plugin == NULL)
+	{
+		DBG1(DBG_LIB, "plugin '%s': failed to load - %s returned NULL", name,
+			 create);
+		return NULL;
+	}
+	DBG2(DBG_LIB, "plugin '%s': loaded successfully", name);
+
+	return plugin;
+}
+#else
 /**
  * load a single plugin
  */
 static plugin_t* load_plugin(private_plugin_loader_t *this,
 							 char *path, char *name)
 {
+	char create[128];
 	char file[PATH_MAX];
 	void *handle;
 	plugin_t *plugin;
 	plugin_constructor_t constructor;
 
-	snprintf(file, sizeof(file), "%s/libstrongswan-%s.so", path, name);
-
+	if (snprintf(file, sizeof(file), "%s/libstrongswan-%s.so", path,
+				 name) >= sizeof(file) ||
+		snprintf(create, sizeof(create), "%s_plugin_create",
+				 name) >= sizeof(create))
+	{
+		return NULL;
+	}
+	translate(create, "-", "_");
 	if (lib->integrity)
 	{
 		if (!lib->integrity->check_file(lib->integrity, name, file))
 		{
-			DBG1("plugin '%s': failed file integrity test of '%s'", name, file);
+			DBG1(DBG_LIB, "plugin '%s': failed file integrity test of '%s'",
+				 name, file);
 			return NULL;
 		}
 	}
 	handle = dlopen(file, RTLD_LAZY);
 	if (handle == NULL)
 	{
-		DBG1("plugin '%s': failed to load '%s' - %s", name, file, dlerror());
+		DBG1(DBG_LIB, "plugin '%s': failed to load '%s' - %s", name, file,
+			 dlerror());
 		return NULL;
 	}
-	constructor = dlsym(handle, "plugin_create");
+	constructor = dlsym(handle, create);
 	if (constructor == NULL)
 	{
-		DBG1("plugin '%s': failed to load - no plugin_create() function", name);
+		DBG1(DBG_LIB, "plugin '%s': failed to load - %s not found", name,
+			 create);
 		dlclose(handle);
 		return NULL;
 	}
@@ -87,25 +134,28 @@ static plugin_t* load_plugin(private_plugin_loader_t *this,
 	{
 		if (!lib->integrity->check_segment(lib->integrity, name, constructor))
 		{
-			DBG1("plugin '%s': failed segment integrity test", name);
+			DBG1(DBG_LIB, "plugin '%s': failed segment integrity test", name);
 			dlclose(handle);
 			return NULL;
 		}
-		DBG1("plugin '%s': passed file and segment integrity tests", name);
+		DBG1(DBG_LIB, "plugin '%s': passed file and segment integrity tests",
+			 name);
 	}
 	plugin = constructor();
 	if (plugin == NULL)
 	{
-		DBG1("plugin '%s': failed to load - plugin_create() returned NULL", name);
+		DBG1(DBG_LIB, "plugin '%s': failed to load - %s returned NULL", name,
+			 create);
 		dlclose(handle);
 		return NULL;
 	}
-	DBG2("plugin '%s': loaded successfully", name);
+	DBG2(DBG_LIB, "plugin '%s': loaded successfully", name);
 
 	/* we do not store or free dlopen() handles, leak_detective requires
 	 * the modules to keep loaded until leak report */
 	return plugin;
 }
+#endif
 
 /**
  * Implementation of plugin_loader_t.load_plugins.
@@ -116,10 +166,12 @@ static bool load(private_plugin_loader_t *this, char *path, char *list)
 	char *token;
 	bool critical_failed = FALSE;
 
+#ifndef MONOLITHIC
 	if (path == NULL)
 	{
 		path = PLUGINDIR;
 	}
+#endif
 
 	enumerator = enumerator_create_token(list, " ", " ");
 	while (!critical_failed && enumerator->enumerate(enumerator, &token))
@@ -147,7 +199,7 @@ static bool load(private_plugin_loader_t *this, char *path, char *list)
 			if (critical)
 			{
 				critical_failed = TRUE;
-				DBG1("loading critical plugin '%s' failed", token);
+				DBG1(DBG_LIB, "loading critical plugin '%s' failed", token);
 			}
 			free(token);
 		}
diff --git a/src/libstrongswan/plugins/pubkey/Makefile.am b/src/libstrongswan/plugins/pubkey/Makefile.am
index 770d77325..c2974a585 100644
--- a/src/libstrongswan/plugins/pubkey/Makefile.am
+++ b/src/libstrongswan/plugins/pubkey/Makefile.am
@@ -3,10 +3,14 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan
 
 AM_CFLAGS = -rdynamic
 
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-pubkey.la
+else
 plugin_LTLIBRARIES = libstrongswan-pubkey.la
+endif
 
-libstrongswan_pubkey_la_SOURCES = pubkey_plugin.h pubkey_plugin.c \
-  pubkey_cert.h pubkey_cert.c
+libstrongswan_pubkey_la_SOURCES = \
+	pubkey_plugin.h pubkey_plugin.c \
+	pubkey_cert.h pubkey_cert.c
 
 libstrongswan_pubkey_la_LDFLAGS = -module -avoid-version
-
diff --git a/src/libstrongswan/plugins/pubkey/Makefile.in b/src/libstrongswan/plugins/pubkey/Makefile.in
index f95e7b357..5fe3d58f1 100644
--- a/src/libstrongswan/plugins/pubkey/Makefile.in
+++ b/src/libstrongswan/plugins/pubkey/Makefile.in
@@ -72,7 +72,7 @@ am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__installdirs = "$(DESTDIR)$(plugindir)"
-LTLIBRARIES = $(plugin_LTLIBRARIES)
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_pubkey_la_LIBADD =
 am_libstrongswan_pubkey_la_OBJECTS = pubkey_plugin.lo pubkey_cert.lo
 libstrongswan_pubkey_la_OBJECTS =  \
@@ -80,6 +80,9 @@ libstrongswan_pubkey_la_OBJECTS =  \
 libstrongswan_pubkey_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
 	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
 	$(libstrongswan_pubkey_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_pubkey_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_pubkey_la_rpath =
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
@@ -218,6 +221,7 @@ ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libhydra_plugins = @libhydra_plugins@
 libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
@@ -254,9 +258,11 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
 AM_CFLAGS = -rdynamic
-plugin_LTLIBRARIES = libstrongswan-pubkey.la
-libstrongswan_pubkey_la_SOURCES = pubkey_plugin.h pubkey_plugin.c \
-  pubkey_cert.h pubkey_cert.c
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-pubkey.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-pubkey.la
+libstrongswan_pubkey_la_SOURCES = \
+	pubkey_plugin.h pubkey_plugin.c \
+	pubkey_cert.h pubkey_cert.c
 
 libstrongswan_pubkey_la_LDFLAGS = -module -avoid-version
 all: all-am
@@ -293,6 +299,15 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
 	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
@@ -325,7 +340,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-pubkey.la: $(libstrongswan_pubkey_la_OBJECTS) $(libstrongswan_pubkey_la_DEPENDENCIES) 
-	$(libstrongswan_pubkey_la_LINK) -rpath $(plugindir) $(libstrongswan_pubkey_la_OBJECTS) $(libstrongswan_pubkey_la_LIBADD) $(LIBS)
+	$(libstrongswan_pubkey_la_LINK) $(am_libstrongswan_pubkey_la_rpath) $(libstrongswan_pubkey_la_OBJECTS) $(libstrongswan_pubkey_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -479,8 +494,8 @@ maintainer-clean-generic:
 	@echo "it deletes files that may require special tools to rebuild."
 clean: clean-am
 
-clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
-	mostlyclean-am
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
 
 distclean: distclean-am
 	-rm -rf ./$(DEPDIR)
@@ -551,18 +566,19 @@ uninstall-am: uninstall-pluginLTLIBRARIES
 .MAKE: install-am install-strip
 
 .PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
-	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
-	distclean-compile distclean-generic distclean-libtool \
-	distclean-tags distdir dvi dvi-am html html-am info info-am \
-	install install-am install-data install-data-am install-dvi \
-	install-dvi-am install-exec install-exec-am install-html \
-	install-html-am install-info install-info-am install-man \
-	install-pdf install-pdf-am install-pluginLTLIBRARIES \
-	install-ps install-ps-am install-strip installcheck \
-	installcheck-am installdirs maintainer-clean \
-	maintainer-clean-generic mostlyclean mostlyclean-compile \
-	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
 
 
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
diff --git a/src/libstrongswan/plugins/pubkey/pubkey_plugin.c b/src/libstrongswan/plugins/pubkey/pubkey_plugin.c
index ad84eed99..b0eabc9ee 100644
--- a/src/libstrongswan/plugins/pubkey/pubkey_plugin.c
+++ b/src/libstrongswan/plugins/pubkey/pubkey_plugin.c
@@ -44,7 +44,7 @@ static void destroy(private_pubkey_plugin_t *this)
 /*
  * see header file
  */
-plugin_t *plugin_create()
+plugin_t *pubkey_plugin_create()
 {
 	private_pubkey_plugin_t *this = malloc_thing(private_pubkey_plugin_t);
 
diff --git a/src/libstrongswan/plugins/pubkey/pubkey_plugin.h b/src/libstrongswan/plugins/pubkey/pubkey_plugin.h
index a3fd2f155..db71bddc0 100644
--- a/src/libstrongswan/plugins/pubkey/pubkey_plugin.h
+++ b/src/libstrongswan/plugins/pubkey/pubkey_plugin.h
@@ -39,9 +39,4 @@ struct pubkey_plugin_t {
 	plugin_t plugin;
 };
 
-/**
- * Create a pubkey_plugin instance.
- */
-plugin_t *plugin_create();
-
 #endif /** PUBKEY_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/random/Makefile.am b/src/libstrongswan/plugins/random/Makefile.am
index 7c2283ae7..5df992718 100644
--- a/src/libstrongswan/plugins/random/Makefile.am
+++ b/src/libstrongswan/plugins/random/Makefile.am
@@ -5,9 +5,14 @@ AM_CFLAGS = -rdynamic \
 -DDEV_RANDOM=\"${random_device}\" \
 -DDEV_URANDOM=\"${urandom_device}\"
 
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-random.la
+else
 plugin_LTLIBRARIES = libstrongswan-random.la
+endif
 
-libstrongswan_random_la_SOURCES = random_plugin.h random_plugin.c \
-  random_rng.c random_rng.h
-libstrongswan_random_la_LDFLAGS = -module -avoid-version
+libstrongswan_random_la_SOURCES = \
+	random_plugin.h random_plugin.c \
+	random_rng.c random_rng.h
 
+libstrongswan_random_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/random/Makefile.in b/src/libstrongswan/plugins/random/Makefile.in
index 355ab14bc..27360aa8c 100644
--- a/src/libstrongswan/plugins/random/Makefile.in
+++ b/src/libstrongswan/plugins/random/Makefile.in
@@ -72,7 +72,7 @@ am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__installdirs = "$(DESTDIR)$(plugindir)"
-LTLIBRARIES = $(plugin_LTLIBRARIES)
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_random_la_LIBADD =
 am_libstrongswan_random_la_OBJECTS = random_plugin.lo random_rng.lo
 libstrongswan_random_la_OBJECTS =  \
@@ -80,6 +80,9 @@ libstrongswan_random_la_OBJECTS =  \
 libstrongswan_random_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
 	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
 	$(libstrongswan_random_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_random_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_random_la_rpath =
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
@@ -218,6 +221,7 @@ ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libhydra_plugins = @libhydra_plugins@
 libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
@@ -257,9 +261,11 @@ AM_CFLAGS = -rdynamic \
 -DDEV_RANDOM=\"${random_device}\" \
 -DDEV_URANDOM=\"${urandom_device}\"
 
-plugin_LTLIBRARIES = libstrongswan-random.la
-libstrongswan_random_la_SOURCES = random_plugin.h random_plugin.c \
-  random_rng.c random_rng.h
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-random.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-random.la
+libstrongswan_random_la_SOURCES = \
+	random_plugin.h random_plugin.c \
+	random_rng.c random_rng.h
 
 libstrongswan_random_la_LDFLAGS = -module -avoid-version
 all: all-am
@@ -296,6 +302,15 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
 	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
@@ -328,7 +343,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-random.la: $(libstrongswan_random_la_OBJECTS) $(libstrongswan_random_la_DEPENDENCIES) 
-	$(libstrongswan_random_la_LINK) -rpath $(plugindir) $(libstrongswan_random_la_OBJECTS) $(libstrongswan_random_la_LIBADD) $(LIBS)
+	$(libstrongswan_random_la_LINK) $(am_libstrongswan_random_la_rpath) $(libstrongswan_random_la_OBJECTS) $(libstrongswan_random_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -482,8 +497,8 @@ maintainer-clean-generic:
 	@echo "it deletes files that may require special tools to rebuild."
 clean: clean-am
 
-clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
-	mostlyclean-am
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
 
 distclean: distclean-am
 	-rm -rf ./$(DEPDIR)
@@ -554,18 +569,19 @@ uninstall-am: uninstall-pluginLTLIBRARIES
 .MAKE: install-am install-strip
 
 .PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
-	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
-	distclean-compile distclean-generic distclean-libtool \
-	distclean-tags distdir dvi dvi-am html html-am info info-am \
-	install install-am install-data install-data-am install-dvi \
-	install-dvi-am install-exec install-exec-am install-html \
-	install-html-am install-info install-info-am install-man \
-	install-pdf install-pdf-am install-pluginLTLIBRARIES \
-	install-ps install-ps-am install-strip installcheck \
-	installcheck-am installdirs maintainer-clean \
-	maintainer-clean-generic mostlyclean mostlyclean-compile \
-	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
 
 
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
diff --git a/src/libstrongswan/plugins/random/random_plugin.c b/src/libstrongswan/plugins/random/random_plugin.c
index df0a8f556..39678ba71 100644
--- a/src/libstrongswan/plugins/random/random_plugin.c
+++ b/src/libstrongswan/plugins/random/random_plugin.c
@@ -44,7 +44,7 @@ static void destroy(private_random_plugin_t *this)
 /*
  * see header file
  */
-plugin_t *plugin_create()
+plugin_t *random_plugin_create()
 {
 	private_random_plugin_t *this = malloc_thing(private_random_plugin_t);
 
diff --git a/src/libstrongswan/plugins/random/random_plugin.h b/src/libstrongswan/plugins/random/random_plugin.h
index 6ce0f71be..7e22c3e5f 100644
--- a/src/libstrongswan/plugins/random/random_plugin.h
+++ b/src/libstrongswan/plugins/random/random_plugin.h
@@ -39,9 +39,4 @@ struct random_plugin_t {
 	plugin_t plugin;
 };
 
-/**
- * Create a random_plugin instance.
- */
-plugin_t *plugin_create();
-
 #endif /** RANDOM_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/random/random_rng.c b/src/libstrongswan/plugins/random/random_rng.c
index 34f300296..b09f3f57a 100644
--- a/src/libstrongswan/plugins/random/random_rng.c
+++ b/src/libstrongswan/plugins/random/random_rng.c
@@ -71,7 +71,7 @@ static void get_bytes(private_random_rng_t *this, size_t bytes,
 		got = read(this->dev, buffer + done, bytes - done);
 		if (got <= 0)
 		{
-			DBG1("reading from \"%s\" failed: %s, retrying...",
+			DBG1(DBG_LIB, "reading from \"%s\" failed: %s, retrying...",
 				 this->file, strerror(errno));
 			close(this->dev);
 			sleep(1);
@@ -124,7 +124,7 @@ random_rng_t *random_rng_create(rng_quality_t quality)
 	this->dev = open(this->file, 0);
 	if (this->dev < 0)
 	{
-		DBG1("opening \"%s\" failed: %s", this->file, strerror(errno));
+		DBG1(DBG_LIB, "opening \"%s\" failed: %s", this->file, strerror(errno));
 		free(this);
 		return NULL;
 	}
diff --git a/src/libstrongswan/plugins/sha1/Makefile.am b/src/libstrongswan/plugins/sha1/Makefile.am
index ead51a45a..4e539fd83 100644
--- a/src/libstrongswan/plugins/sha1/Makefile.am
+++ b/src/libstrongswan/plugins/sha1/Makefile.am
@@ -3,9 +3,14 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan
 
 AM_CFLAGS = -rdynamic
 
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-sha1.la
+else
 plugin_LTLIBRARIES = libstrongswan-sha1.la
+endif
 
-libstrongswan_sha1_la_SOURCES = sha1_plugin.h sha1_plugin.c \
+libstrongswan_sha1_la_SOURCES = \
+	sha1_plugin.h sha1_plugin.c \
 	sha1_hasher.c sha1_hasher.h sha1_prf.c sha1_prf.h
-libstrongswan_sha1_la_LDFLAGS = -module -avoid-version
 
+libstrongswan_sha1_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/sha1/Makefile.in b/src/libstrongswan/plugins/sha1/Makefile.in
index 4f08b882c..dacb5be4b 100644
--- a/src/libstrongswan/plugins/sha1/Makefile.in
+++ b/src/libstrongswan/plugins/sha1/Makefile.in
@@ -72,7 +72,7 @@ am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__installdirs = "$(DESTDIR)$(plugindir)"
-LTLIBRARIES = $(plugin_LTLIBRARIES)
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_sha1_la_LIBADD =
 am_libstrongswan_sha1_la_OBJECTS = sha1_plugin.lo sha1_hasher.lo \
 	sha1_prf.lo
@@ -80,6 +80,8 @@ libstrongswan_sha1_la_OBJECTS = $(am_libstrongswan_sha1_la_OBJECTS)
 libstrongswan_sha1_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
 	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
 	$(libstrongswan_sha1_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_sha1_la_rpath = -rpath $(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_sha1_la_rpath =
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
@@ -218,6 +220,7 @@ ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libhydra_plugins = @libhydra_plugins@
 libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
@@ -254,8 +257,10 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
 AM_CFLAGS = -rdynamic
-plugin_LTLIBRARIES = libstrongswan-sha1.la
-libstrongswan_sha1_la_SOURCES = sha1_plugin.h sha1_plugin.c \
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-sha1.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-sha1.la
+libstrongswan_sha1_la_SOURCES = \
+	sha1_plugin.h sha1_plugin.c \
 	sha1_hasher.c sha1_hasher.h sha1_prf.c sha1_prf.h
 
 libstrongswan_sha1_la_LDFLAGS = -module -avoid-version
@@ -293,6 +298,15 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
 	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
@@ -325,7 +339,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-sha1.la: $(libstrongswan_sha1_la_OBJECTS) $(libstrongswan_sha1_la_DEPENDENCIES) 
-	$(libstrongswan_sha1_la_LINK) -rpath $(plugindir) $(libstrongswan_sha1_la_OBJECTS) $(libstrongswan_sha1_la_LIBADD) $(LIBS)
+	$(libstrongswan_sha1_la_LINK) $(am_libstrongswan_sha1_la_rpath) $(libstrongswan_sha1_la_OBJECTS) $(libstrongswan_sha1_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -480,8 +494,8 @@ maintainer-clean-generic:
 	@echo "it deletes files that may require special tools to rebuild."
 clean: clean-am
 
-clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
-	mostlyclean-am
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
 
 distclean: distclean-am
 	-rm -rf ./$(DEPDIR)
@@ -552,18 +566,19 @@ uninstall-am: uninstall-pluginLTLIBRARIES
 .MAKE: install-am install-strip
 
 .PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
-	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
-	distclean-compile distclean-generic distclean-libtool \
-	distclean-tags distdir dvi dvi-am html html-am info info-am \
-	install install-am install-data install-data-am install-dvi \
-	install-dvi-am install-exec install-exec-am install-html \
-	install-html-am install-info install-info-am install-man \
-	install-pdf install-pdf-am install-pluginLTLIBRARIES \
-	install-ps install-ps-am install-strip installcheck \
-	installcheck-am installdirs maintainer-clean \
-	maintainer-clean-generic mostlyclean mostlyclean-compile \
-	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
 
 
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
diff --git a/src/libstrongswan/plugins/sha1/sha1_plugin.c b/src/libstrongswan/plugins/sha1/sha1_plugin.c
index a038228da..7b9cf878f 100644
--- a/src/libstrongswan/plugins/sha1/sha1_plugin.c
+++ b/src/libstrongswan/plugins/sha1/sha1_plugin.c
@@ -47,7 +47,7 @@ static void destroy(private_sha1_plugin_t *this)
 /*
  * see header file
  */
-plugin_t *plugin_create()
+plugin_t *sha1_plugin_create()
 {
 	private_sha1_plugin_t *this = malloc_thing(private_sha1_plugin_t);
 
diff --git a/src/libstrongswan/plugins/sha1/sha1_plugin.h b/src/libstrongswan/plugins/sha1/sha1_plugin.h
index 36b12b91e..cd1ff615d 100644
--- a/src/libstrongswan/plugins/sha1/sha1_plugin.h
+++ b/src/libstrongswan/plugins/sha1/sha1_plugin.h
@@ -39,9 +39,4 @@ struct sha1_plugin_t {
 	plugin_t plugin;
 };
 
-/**
- * Create a sha1_plugin instance.
- */
-plugin_t *plugin_create();
-
 #endif /** SHA1_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/sha2/Makefile.am b/src/libstrongswan/plugins/sha2/Makefile.am
index 5422e1d4e..a255d0609 100644
--- a/src/libstrongswan/plugins/sha2/Makefile.am
+++ b/src/libstrongswan/plugins/sha2/Makefile.am
@@ -3,8 +3,13 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan
 
 AM_CFLAGS = -rdynamic
 
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-sha2.la
+else
 plugin_LTLIBRARIES = libstrongswan-sha2.la
+endif
 
-libstrongswan_sha2_la_SOURCES = sha2_plugin.h sha2_plugin.c sha2_hasher.c sha2_hasher.h
-libstrongswan_sha2_la_LDFLAGS = -module -avoid-version
+libstrongswan_sha2_la_SOURCES = \
+	sha2_plugin.h sha2_plugin.c sha2_hasher.c sha2_hasher.h
 
+libstrongswan_sha2_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/sha2/Makefile.in b/src/libstrongswan/plugins/sha2/Makefile.in
index e4ea58094..6db4374c8 100644
--- a/src/libstrongswan/plugins/sha2/Makefile.in
+++ b/src/libstrongswan/plugins/sha2/Makefile.in
@@ -72,13 +72,15 @@ am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__installdirs = "$(DESTDIR)$(plugindir)"
-LTLIBRARIES = $(plugin_LTLIBRARIES)
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_sha2_la_LIBADD =
 am_libstrongswan_sha2_la_OBJECTS = sha2_plugin.lo sha2_hasher.lo
 libstrongswan_sha2_la_OBJECTS = $(am_libstrongswan_sha2_la_OBJECTS)
 libstrongswan_sha2_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
 	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
 	$(libstrongswan_sha2_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_sha2_la_rpath = -rpath $(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_sha2_la_rpath =
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
@@ -217,6 +219,7 @@ ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libhydra_plugins = @libhydra_plugins@
 libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
@@ -253,8 +256,11 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
 AM_CFLAGS = -rdynamic
-plugin_LTLIBRARIES = libstrongswan-sha2.la
-libstrongswan_sha2_la_SOURCES = sha2_plugin.h sha2_plugin.c sha2_hasher.c sha2_hasher.h
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-sha2.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-sha2.la
+libstrongswan_sha2_la_SOURCES = \
+	sha2_plugin.h sha2_plugin.c sha2_hasher.c sha2_hasher.h
+
 libstrongswan_sha2_la_LDFLAGS = -module -avoid-version
 all: all-am
 
@@ -290,6 +296,15 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
 	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
@@ -322,7 +337,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-sha2.la: $(libstrongswan_sha2_la_OBJECTS) $(libstrongswan_sha2_la_DEPENDENCIES) 
-	$(libstrongswan_sha2_la_LINK) -rpath $(plugindir) $(libstrongswan_sha2_la_OBJECTS) $(libstrongswan_sha2_la_LIBADD) $(LIBS)
+	$(libstrongswan_sha2_la_LINK) $(am_libstrongswan_sha2_la_rpath) $(libstrongswan_sha2_la_OBJECTS) $(libstrongswan_sha2_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -476,8 +491,8 @@ maintainer-clean-generic:
 	@echo "it deletes files that may require special tools to rebuild."
 clean: clean-am
 
-clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
-	mostlyclean-am
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
 
 distclean: distclean-am
 	-rm -rf ./$(DEPDIR)
@@ -548,18 +563,19 @@ uninstall-am: uninstall-pluginLTLIBRARIES
 .MAKE: install-am install-strip
 
 .PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
-	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
-	distclean-compile distclean-generic distclean-libtool \
-	distclean-tags distdir dvi dvi-am html html-am info info-am \
-	install install-am install-data install-data-am install-dvi \
-	install-dvi-am install-exec install-exec-am install-html \
-	install-html-am install-info install-info-am install-man \
-	install-pdf install-pdf-am install-pluginLTLIBRARIES \
-	install-ps install-ps-am install-strip installcheck \
-	installcheck-am installdirs maintainer-clean \
-	maintainer-clean-generic mostlyclean mostlyclean-compile \
-	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
 
 
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
diff --git a/src/libstrongswan/plugins/sha2/sha2_plugin.c b/src/libstrongswan/plugins/sha2/sha2_plugin.c
index 90f7cec77..810d9922a 100644
--- a/src/libstrongswan/plugins/sha2/sha2_plugin.c
+++ b/src/libstrongswan/plugins/sha2/sha2_plugin.c
@@ -44,7 +44,7 @@ static void destroy(private_sha2_plugin_t *this)
 /*
  * see header file
  */
-plugin_t *plugin_create()
+plugin_t *sha2_plugin_create()
 {
 	private_sha2_plugin_t *this = malloc_thing(private_sha2_plugin_t);
 
diff --git a/src/libstrongswan/plugins/sha2/sha2_plugin.h b/src/libstrongswan/plugins/sha2/sha2_plugin.h
index b80f7560e..48ee2d94c 100644
--- a/src/libstrongswan/plugins/sha2/sha2_plugin.h
+++ b/src/libstrongswan/plugins/sha2/sha2_plugin.h
@@ -39,9 +39,4 @@ struct sha2_plugin_t {
 	plugin_t plugin;
 };
 
-/**
- * Create a sha2_plugin instance.
- */
-plugin_t *plugin_create();
-
 #endif /** SHA2_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/sqlite/Makefile.am b/src/libstrongswan/plugins/sqlite/Makefile.am
index f26e31294..2e1d9733f 100644
--- a/src/libstrongswan/plugins/sqlite/Makefile.am
+++ b/src/libstrongswan/plugins/sqlite/Makefile.am
@@ -3,10 +3,16 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan
 
 AM_CFLAGS = -rdynamic
 
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-sqlite.la
+else
 plugin_LTLIBRARIES = libstrongswan-sqlite.la
+endif
 
-libstrongswan_sqlite_la_SOURCES = sqlite_plugin.h sqlite_plugin.c  \
+libstrongswan_sqlite_la_SOURCES = \
+	sqlite_plugin.h sqlite_plugin.c \
 	sqlite_database.h sqlite_database.c
+
 libstrongswan_sqlite_la_LDFLAGS = -module -avoid-version
-libstrongswan_sqlite_la_LIBADD = -lsqlite3
+libstrongswan_sqlite_la_LIBADD  = -lsqlite3
 
diff --git a/src/libstrongswan/plugins/sqlite/Makefile.in b/src/libstrongswan/plugins/sqlite/Makefile.in
index 831408c9e..cb466ad03 100644
--- a/src/libstrongswan/plugins/sqlite/Makefile.in
+++ b/src/libstrongswan/plugins/sqlite/Makefile.in
@@ -72,7 +72,7 @@ am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__installdirs = "$(DESTDIR)$(plugindir)"
-LTLIBRARIES = $(plugin_LTLIBRARIES)
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_sqlite_la_DEPENDENCIES =
 am_libstrongswan_sqlite_la_OBJECTS = sqlite_plugin.lo \
 	sqlite_database.lo
@@ -81,6 +81,9 @@ libstrongswan_sqlite_la_OBJECTS =  \
 libstrongswan_sqlite_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
 	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
 	$(libstrongswan_sqlite_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_sqlite_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_sqlite_la_rpath =
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
@@ -219,6 +222,7 @@ ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libhydra_plugins = @libhydra_plugins@
 libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
@@ -255,8 +259,10 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
 AM_CFLAGS = -rdynamic
-plugin_LTLIBRARIES = libstrongswan-sqlite.la
-libstrongswan_sqlite_la_SOURCES = sqlite_plugin.h sqlite_plugin.c  \
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-sqlite.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-sqlite.la
+libstrongswan_sqlite_la_SOURCES = \
+	sqlite_plugin.h sqlite_plugin.c \
 	sqlite_database.h sqlite_database.c
 
 libstrongswan_sqlite_la_LDFLAGS = -module -avoid-version
@@ -295,6 +301,15 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
 	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
@@ -327,7 +342,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-sqlite.la: $(libstrongswan_sqlite_la_OBJECTS) $(libstrongswan_sqlite_la_DEPENDENCIES) 
-	$(libstrongswan_sqlite_la_LINK) -rpath $(plugindir) $(libstrongswan_sqlite_la_OBJECTS) $(libstrongswan_sqlite_la_LIBADD) $(LIBS)
+	$(libstrongswan_sqlite_la_LINK) $(am_libstrongswan_sqlite_la_rpath) $(libstrongswan_sqlite_la_OBJECTS) $(libstrongswan_sqlite_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -481,8 +496,8 @@ maintainer-clean-generic:
 	@echo "it deletes files that may require special tools to rebuild."
 clean: clean-am
 
-clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
-	mostlyclean-am
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
 
 distclean: distclean-am
 	-rm -rf ./$(DEPDIR)
@@ -553,18 +568,19 @@ uninstall-am: uninstall-pluginLTLIBRARIES
 .MAKE: install-am install-strip
 
 .PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
-	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
-	distclean-compile distclean-generic distclean-libtool \
-	distclean-tags distdir dvi dvi-am html html-am info info-am \
-	install install-am install-data install-data-am install-dvi \
-	install-dvi-am install-exec install-exec-am install-html \
-	install-html-am install-info install-info-am install-man \
-	install-pdf install-pdf-am install-pluginLTLIBRARIES \
-	install-ps install-ps-am install-strip installcheck \
-	installcheck-am installdirs maintainer-clean \
-	maintainer-clean-generic mostlyclean mostlyclean-compile \
-	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
 
 
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
diff --git a/src/libstrongswan/plugins/sqlite/sqlite_database.c b/src/libstrongswan/plugins/sqlite/sqlite_database.c
index 721f1a126..3e20dbb51 100644
--- a/src/libstrongswan/plugins/sqlite/sqlite_database.c
+++ b/src/libstrongswan/plugins/sqlite/sqlite_database.c
@@ -110,11 +110,13 @@ static sqlite3_stmt* run(private_sqlite_database_t *this, char *sql,
 	}
 	else
 	{
-		DBG1("preparing sqlite statement failed: %s", sqlite3_errmsg(this->db));
+		DBG1(DBG_LIB, "preparing sqlite statement failed: %s",
+			 sqlite3_errmsg(this->db));
 	}
 	if (res != SQLITE_OK)
 	{
-		DBG1("binding sqlite statement failed: %s", sqlite3_errmsg(this->db));
+		DBG1(DBG_LIB, "binding sqlite statement failed: %s",
+			 sqlite3_errmsg(this->db));
 		sqlite3_finalize(stmt);
 		return NULL;
 	}
@@ -160,7 +162,7 @@ static bool sqlite_enumerator_enumerate(sqlite_enumerator_t *this, ...)
 		case SQLITE_ROW:
 			break;
 		default:
-			DBG1("stepping sqlite statement failed: %s",
+			DBG1(DBG_LIB, "stepping sqlite statement failed: %s",
 				 sqlite3_errmsg(this->database->db));
 			/* fall */
 		case SQLITE_DONE:
@@ -203,7 +205,7 @@ static bool sqlite_enumerator_enumerate(sqlite_enumerator_t *this, ...)
 				break;
 			}
 			default:
-				DBG1("invalid result type supplied");
+				DBG1(DBG_LIB, "invalid result type supplied");
 				return FALSE;
 		}
 	}
@@ -272,7 +274,8 @@ static int execute(private_sqlite_database_t *this, int *rowid, char *sql, ...)
 		}
 		else
 		{
-			DBG1("sqlite execute failed: %s", sqlite3_errmsg(this->db));
+			DBG1(DBG_LIB, "sqlite execute failed: %s",
+				 sqlite3_errmsg(this->db));
 		}
 		sqlite3_finalize(stmt);
 	}
@@ -337,7 +340,7 @@ sqlite_database_t *sqlite_database_create(char *uri)
 
 	if (sqlite3_open(file, &this->db) != SQLITE_OK)
 	{
-		DBG1("opening SQLite database '%s' failed: %s",
+		DBG1(DBG_LIB, "opening SQLite database '%s' failed: %s",
 			 file, sqlite3_errmsg(this->db));
 		destroy(this);
 		return NULL;
diff --git a/src/libstrongswan/plugins/sqlite/sqlite_plugin.c b/src/libstrongswan/plugins/sqlite/sqlite_plugin.c
index 955402bf9..332d82318 100644
--- a/src/libstrongswan/plugins/sqlite/sqlite_plugin.c
+++ b/src/libstrongswan/plugins/sqlite/sqlite_plugin.c
@@ -44,7 +44,7 @@ static void destroy(private_sqlite_plugin_t *this)
 /*
  * see header file
  */
-plugin_t *plugin_create()
+plugin_t *sqlite_plugin_create()
 {
 	private_sqlite_plugin_t *this = malloc_thing(private_sqlite_plugin_t);
 
diff --git a/src/libstrongswan/plugins/sqlite/sqlite_plugin.h b/src/libstrongswan/plugins/sqlite/sqlite_plugin.h
index 82735a311..dbc461cf4 100644
--- a/src/libstrongswan/plugins/sqlite/sqlite_plugin.h
+++ b/src/libstrongswan/plugins/sqlite/sqlite_plugin.h
@@ -39,9 +39,4 @@ struct sqlite_plugin_t {
 	plugin_t plugin;
 };
 
-/**
- * Create a sqlite_plugin instance.
- */
-plugin_t *plugin_create();
-
 #endif /** SQLITE_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/test_vectors/Makefile.am b/src/libstrongswan/plugins/test_vectors/Makefile.am
index 6028805c4..6d3b05d19 100644
--- a/src/libstrongswan/plugins/test_vectors/Makefile.am
+++ b/src/libstrongswan/plugins/test_vectors/Makefile.am
@@ -3,7 +3,11 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan
 
 AM_CFLAGS = -rdynamic
 
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-test-vectors.la
+else
 plugin_LTLIBRARIES = libstrongswan-test-vectors.la
+endif
 
 libstrongswan_test_vectors_la_SOURCES = \
 	test_vectors_plugin.h test_vectors_plugin.c test_vectors.h \
@@ -29,5 +33,5 @@ libstrongswan_test_vectors_la_SOURCES = \
 	test_vectors/sha2_hmac.c \
 	test_vectors/fips_prf.c \
 	test_vectors/rng.c
-libstrongswan_test_vectors_la_LDFLAGS = -module -avoid-version
 
+libstrongswan_test_vectors_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/test_vectors/Makefile.in b/src/libstrongswan/plugins/test_vectors/Makefile.in
index a8674d282..dbe62c056 100644
--- a/src/libstrongswan/plugins/test_vectors/Makefile.in
+++ b/src/libstrongswan/plugins/test_vectors/Makefile.in
@@ -72,7 +72,7 @@ am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__installdirs = "$(DESTDIR)$(plugindir)"
-LTLIBRARIES = $(plugin_LTLIBRARIES)
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_test_vectors_la_LIBADD =
 am_libstrongswan_test_vectors_la_OBJECTS = test_vectors_plugin.lo \
 	3des_cbc.lo aes_cbc.lo aes_xcbc.lo blowfish.lo camellia_cbc.lo \
@@ -85,6 +85,9 @@ libstrongswan_test_vectors_la_LINK = $(LIBTOOL) --tag=CC \
 	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
 	$(AM_CFLAGS) $(CFLAGS) \
 	$(libstrongswan_test_vectors_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_test_vectors_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_test_vectors_la_rpath =
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
@@ -223,6 +226,7 @@ ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libhydra_plugins = @libhydra_plugins@
 libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
@@ -259,7 +263,8 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
 AM_CFLAGS = -rdynamic
-plugin_LTLIBRARIES = libstrongswan-test-vectors.la
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-test-vectors.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-test-vectors.la
 libstrongswan_test_vectors_la_SOURCES = \
 	test_vectors_plugin.h test_vectors_plugin.c test_vectors.h \
 	test_vectors/3des_cbc.c \
@@ -320,6 +325,15 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
 	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
@@ -352,7 +366,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-test-vectors.la: $(libstrongswan_test_vectors_la_OBJECTS) $(libstrongswan_test_vectors_la_DEPENDENCIES) 
-	$(libstrongswan_test_vectors_la_LINK) -rpath $(plugindir) $(libstrongswan_test_vectors_la_OBJECTS) $(libstrongswan_test_vectors_la_LIBADD) $(LIBS)
+	$(libstrongswan_test_vectors_la_LINK) $(am_libstrongswan_test_vectors_la_rpath) $(libstrongswan_test_vectors_la_OBJECTS) $(libstrongswan_test_vectors_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -681,8 +695,8 @@ maintainer-clean-generic:
 	@echo "it deletes files that may require special tools to rebuild."
 clean: clean-am
 
-clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
-	mostlyclean-am
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
 
 distclean: distclean-am
 	-rm -rf ./$(DEPDIR)
@@ -753,18 +767,19 @@ uninstall-am: uninstall-pluginLTLIBRARIES
 .MAKE: install-am install-strip
 
 .PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
-	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
-	distclean-compile distclean-generic distclean-libtool \
-	distclean-tags distdir dvi dvi-am html html-am info info-am \
-	install install-am install-data install-data-am install-dvi \
-	install-dvi-am install-exec install-exec-am install-html \
-	install-html-am install-info install-info-am install-man \
-	install-pdf install-pdf-am install-pluginLTLIBRARIES \
-	install-ps install-ps-am install-strip installcheck \
-	installcheck-am installdirs maintainer-clean \
-	maintainer-clean-generic mostlyclean mostlyclean-compile \
-	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
 
 
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors/rng.c b/src/libstrongswan/plugins/test_vectors/test_vectors/rng.c
index 4dc1cc174..18e0c9278 100644
--- a/src/libstrongswan/plugins/test_vectors/test_vectors/rng.c
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors/rng.c
@@ -44,7 +44,7 @@ static bool test_monobit(monobit_t *param, chunk_t data)
 			}
 		}
 	}
-	DBG2("  Monobit: %d/%d bits set", bits, data.len * 8);
+	DBG2(DBG_LIB, "  Monobit: %d/%d bits set", bits, data.len * 8);
 	if (bits > param->lower && bits < param->upper)
 	{
 		return TRUE;
@@ -101,7 +101,7 @@ static bool test_poker(poker_t *param, chunk_t data)
 		sum += (counter[i] * counter[i]) / 5000.0 * 16.0;
 	}
 	sum -= 5000.0;
-	DBG2("  Poker: %f", sum);
+	DBG2(DBG_LIB, "  Poker: %f", sum);
 	if (sum > param->lower && sum < param->upper)
 	{
 		return TRUE;
@@ -190,7 +190,7 @@ static bool test_runs(runs_t *param, chunk_t data)
 		}
 	}
 
-	DBG2("  Runs: zero: %d/%d/%d/%d/%d/%d, one: %d/%d/%d/%d/%d/%d, "
+	DBG2(DBG_LIB, "  Runs: zero: %d/%d/%d/%d/%d/%d, one: %d/%d/%d/%d/%d/%d, "
 		 "longruns: %d",
 		 zero_runs[1], zero_runs[2], zero_runs[3],
 		 zero_runs[4], zero_runs[5], zero_runs[6],
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors_plugin.c b/src/libstrongswan/plugins/test_vectors/test_vectors_plugin.c
index 7ad8c3c73..234d237f3 100644
--- a/src/libstrongswan/plugins/test_vectors/test_vectors_plugin.c
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors_plugin.c
@@ -104,7 +104,7 @@ static void destroy(private_test_vectors_plugin_t *this)
 /*
  * see header file
  */
-plugin_t *plugin_create()
+plugin_t *test_vectors_plugin_create()
 {
 	private_test_vectors_plugin_t *this = malloc_thing(private_test_vectors_plugin_t);
 	int i;
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors_plugin.h b/src/libstrongswan/plugins/test_vectors/test_vectors_plugin.h
index 9cb959c88..661529295 100644
--- a/src/libstrongswan/plugins/test_vectors/test_vectors_plugin.h
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors_plugin.h
@@ -39,9 +39,4 @@ struct test_vectors_plugin_t {
 	plugin_t plugin;
 };
 
-/**
- * Create a test_vectors_plugin instance.
- */
-plugin_t *plugin_create();
-
 #endif /** TEST_VECTORS_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/x509/Makefile.am b/src/libstrongswan/plugins/x509/Makefile.am
index 853b1cebc..4b50d78dc 100644
--- a/src/libstrongswan/plugins/x509/Makefile.am
+++ b/src/libstrongswan/plugins/x509/Makefile.am
@@ -3,14 +3,19 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan
 
 AM_CFLAGS = -rdynamic
 
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-x509.la
+else
 plugin_LTLIBRARIES = libstrongswan-x509.la
+endif
 
-libstrongswan_x509_la_SOURCES = x509_plugin.h x509_plugin.c \
-  x509_cert.h x509_cert.c \
-  x509_crl.h x509_crl.c \
-  x509_ac.h x509_ac.c \
-  x509_pkcs10.h x509_pkcs10.c \
-  x509_ocsp_request.h x509_ocsp_request.c \
-  x509_ocsp_response.h x509_ocsp_response.c
-libstrongswan_x509_la_LDFLAGS = -module -avoid-version
+libstrongswan_x509_la_SOURCES = \
+	x509_plugin.h x509_plugin.c \
+	x509_cert.h x509_cert.c \
+	x509_crl.h x509_crl.c \
+	x509_ac.h x509_ac.c \
+	x509_pkcs10.h x509_pkcs10.c \
+	x509_ocsp_request.h x509_ocsp_request.c \
+	x509_ocsp_response.h x509_ocsp_response.c
 
+libstrongswan_x509_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/x509/Makefile.in b/src/libstrongswan/plugins/x509/Makefile.in
index 428643254..2bee453cd 100644
--- a/src/libstrongswan/plugins/x509/Makefile.in
+++ b/src/libstrongswan/plugins/x509/Makefile.in
@@ -72,7 +72,7 @@ am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__installdirs = "$(DESTDIR)$(plugindir)"
-LTLIBRARIES = $(plugin_LTLIBRARIES)
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_x509_la_LIBADD =
 am_libstrongswan_x509_la_OBJECTS = x509_plugin.lo x509_cert.lo \
 	x509_crl.lo x509_ac.lo x509_pkcs10.lo x509_ocsp_request.lo \
@@ -81,6 +81,8 @@ libstrongswan_x509_la_OBJECTS = $(am_libstrongswan_x509_la_OBJECTS)
 libstrongswan_x509_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
 	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
 	$(libstrongswan_x509_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_x509_la_rpath = -rpath $(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_x509_la_rpath =
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
@@ -219,6 +221,7 @@ ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libhydra_plugins = @libhydra_plugins@
 libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
@@ -255,14 +258,16 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
 AM_CFLAGS = -rdynamic
-plugin_LTLIBRARIES = libstrongswan-x509.la
-libstrongswan_x509_la_SOURCES = x509_plugin.h x509_plugin.c \
-  x509_cert.h x509_cert.c \
-  x509_crl.h x509_crl.c \
-  x509_ac.h x509_ac.c \
-  x509_pkcs10.h x509_pkcs10.c \
-  x509_ocsp_request.h x509_ocsp_request.c \
-  x509_ocsp_response.h x509_ocsp_response.c
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-x509.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-x509.la
+libstrongswan_x509_la_SOURCES = \
+	x509_plugin.h x509_plugin.c \
+	x509_cert.h x509_cert.c \
+	x509_crl.h x509_crl.c \
+	x509_ac.h x509_ac.c \
+	x509_pkcs10.h x509_pkcs10.c \
+	x509_ocsp_request.h x509_ocsp_request.c \
+	x509_ocsp_response.h x509_ocsp_response.c
 
 libstrongswan_x509_la_LDFLAGS = -module -avoid-version
 all: all-am
@@ -299,6 +304,15 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
 	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
@@ -331,7 +345,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-x509.la: $(libstrongswan_x509_la_OBJECTS) $(libstrongswan_x509_la_DEPENDENCIES) 
-	$(libstrongswan_x509_la_LINK) -rpath $(plugindir) $(libstrongswan_x509_la_OBJECTS) $(libstrongswan_x509_la_LIBADD) $(LIBS)
+	$(libstrongswan_x509_la_LINK) $(am_libstrongswan_x509_la_rpath) $(libstrongswan_x509_la_OBJECTS) $(libstrongswan_x509_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -490,8 +504,8 @@ maintainer-clean-generic:
 	@echo "it deletes files that may require special tools to rebuild."
 clean: clean-am
 
-clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
-	mostlyclean-am
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
 
 distclean: distclean-am
 	-rm -rf ./$(DEPDIR)
@@ -562,18 +576,19 @@ uninstall-am: uninstall-pluginLTLIBRARIES
 .MAKE: install-am install-strip
 
 .PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
-	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
-	distclean-compile distclean-generic distclean-libtool \
-	distclean-tags distdir dvi dvi-am html html-am info info-am \
-	install install-am install-data install-data-am install-dvi \
-	install-dvi-am install-exec install-exec-am install-html \
-	install-html-am install-info install-info-am install-man \
-	install-pdf install-pdf-am install-pluginLTLIBRARIES \
-	install-ps install-ps-am install-strip installcheck \
-	installcheck-am installdirs maintainer-clean \
-	maintainer-clean-generic mostlyclean mostlyclean-compile \
-	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
 
 
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
diff --git a/src/libstrongswan/plugins/x509/x509_ac.c b/src/libstrongswan/plugins/x509/x509_ac.c
index 79ff80933..95e72789e 100644
--- a/src/libstrongswan/plugins/x509/x509_ac.c
+++ b/src/libstrongswan/plugins/x509/x509_ac.c
@@ -192,7 +192,7 @@ static bool parse_directoryName(chunk_t blob, int level, bool implicit, identifi
 			}
 			else
 			{
-				DBG1("more than one directory name - first selected");
+				DBG1(DBG_LIB, "more than one directory name - first selected");
 				directoryName->destroy(directoryName);
 			}
 		}
@@ -200,7 +200,7 @@ static bool parse_directoryName(chunk_t blob, int level, bool implicit, identifi
 	}
 	else
 	{
-		DBG1("no directoryName found");
+		DBG1(DBG_LIB, "no directoryName found");
 	}
 
 	list->destroy(list);
@@ -359,10 +359,11 @@ static bool parse_certificate(private_x509_ac_t *this)
 				break;
 			case AC_OBJ_VERSION:
 				this->version = (object.len) ? (1 + (u_int)*object.ptr) : 1;
-				DBG2("  v%d", this->version);
+				DBG2(DBG_LIB, "  v%d", this->version);
 				if (this->version != 2)
 				{
-					DBG1("v%d attribute certificates are not supported", this->version);
+					DBG1(DBG_LIB, "v%d attribute certificates are not "
+						 "supported", this->version);
 					goto end;
 				}
 				break;
@@ -407,20 +408,20 @@ static bool parse_certificate(private_x509_ac_t *this)
 				switch (type)
 				{
 					case OID_AUTHENTICATION_INFO:
-						DBG2("  need to parse authenticationInfo");
+						DBG2(DBG_LIB, "  need to parse authenticationInfo");
 						break;
 					case OID_ACCESS_IDENTITY:
-						DBG2("  need to parse accessIdentity");
+						DBG2(DBG_LIB, "  need to parse accessIdentity");
 						break;
 					case OID_CHARGING_IDENTITY:
-						DBG2("-- > --");
+						DBG2(DBG_LIB, "-- > --");
 						this->charging = ietf_attributes_create_from_encoding(object);
-						DBG2("-- < --");
+						DBG2(DBG_LIB, "-- < --");
 						break;
 					case OID_GROUP:
-						DBG2("-- > --");
+						DBG2(DBG_LIB, "-- > --");
 						this->groups = ietf_attributes_create_from_encoding(object);
-						DBG2("-- < --");
+						DBG2(DBG_LIB, "-- < --");
 						break;
 					case OID_ROLE:
 						parse_roleSyntax(object, level);
@@ -435,21 +436,21 @@ static bool parse_certificate(private_x509_ac_t *this)
 				break;
 			case AC_OBJ_CRITICAL:
 				critical = object.len && *object.ptr;
-				DBG2("  %s",(critical)?"TRUE":"FALSE");
+				DBG2(DBG_LIB, "  %s",(critical)?"TRUE":"FALSE");
 				break;
 			case AC_OBJ_EXTN_VALUE:
 			{
 				switch (extn_oid)
 				{
 					case OID_CRL_DISTRIBUTION_POINTS:
-						DBG2("  need to parse crlDistributionPoints");
+						DBG2(DBG_LIB, "  need to parse crlDistributionPoints");
 						break;
 					case OID_AUTHORITY_KEY_ID:
 						this->authKeyIdentifier = x509_parse_authorityKeyIdentifier(object,
 													level, &this->authKeySerialNumber);
 						break;
 					case OID_TARGET_INFORMATION:
-						DBG2("  need to parse targetInformation");
+						DBG2(DBG_LIB, "  need to parse targetInformation");
 						break;
 					case OID_NO_REV_AVAIL:
 						this->noRevAvail = TRUE;
@@ -464,7 +465,7 @@ static bool parse_certificate(private_x509_ac_t *this)
 																 NULL);
 				if (this->algorithm != sig_alg)
 				{
-					DBG1("  signature algorithms do not agree");
+					DBG1(DBG_LIB, "  signature algorithms do not agree");
 					success = FALSE;
 					goto end;
 				}
@@ -824,9 +825,9 @@ static bool is_newer(private_x509_ac_t *this, ac_t *that)
 	this_cert->get_validity(this_cert, &now, &this_update, NULL);
 	that_cert->get_validity(that_cert, &now, &that_update, NULL);
 	new = this_update > that_update;
-	DBG1("  attr cert from %T is %s - existing attr cert from %T %s",
-			&this_update, FALSE, new ? "newer":"not newer",
-			&that_update, FALSE, new ? "replaced":"retained");
+	DBG1(DBG_LIB, "  attr cert from %T is %s - existing attr cert from %T %s",
+		 &this_update, FALSE, new ? "newer":"not newer",
+		 &that_update, FALSE, new ? "replaced":"retained");
 	return new;
 }
 
diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c
index 3b729236e..bdbaa8d4a 100644
--- a/src/libstrongswan/plugins/x509/x509_cert.c
+++ b/src/libstrongswan/plugins/x509/x509_cert.c
@@ -219,7 +219,7 @@ static void parse_basicConstraints(chunk_t blob, int level0,
 		{
 			case BASIC_CONSTRAINTS_CA:
 				isCA = object.len && *object.ptr;
-				DBG2("  %s", isCA ? "TRUE" : "FALSE");
+				DBG2(DBG_LIB, "  %s", isCA ? "TRUE" : "FALSE");
 				if (isCA)
 				{
 					this->flags |= X509_CA;
@@ -383,7 +383,7 @@ static identification_t *parse_generalName(chunk_t blob, int level0)
 		if (id_type != ID_ANY)
 		{
 			gn = identification_create_from_encoding(id_type, object);
-			DBG2("  '%Y'", gn);
+			DBG2(DBG_LIB, "  '%Y'", gn);
 			goto end;
 		}
 	}
@@ -539,7 +539,7 @@ static void parse_authorityInfoAccess(chunk_t blob, int level0,
 								/* parsing went wrong - abort */
 								goto end;
 							}
-							DBG2("  '%Y'", id);
+							DBG2(DBG_LIB, "  '%Y'", id);
 							if (accessMethod == OID_OCSP &&
 								asprintf(&uri, "%Y", id) > 0)
 							{
@@ -704,34 +704,36 @@ static bool check_address_object(ts_type_t ts_type, chunk_t object)
 		case TS_IPV4_ADDR_RANGE:
 			if (object.len > 5)
 			{
-				DBG1("IPv4 address object is larger than 5 octets");
+				DBG1(DBG_LIB, "IPv4 address object is larger than 5 octets");
 				return FALSE;
 			}
 			break;
 		case TS_IPV6_ADDR_RANGE:
 			if (object.len > 17)
 			{
-				DBG1("IPv6 address object is larger than 17 octets");
+				DBG1(DBG_LIB, "IPv6 address object is larger than 17 octets");
 				return FALSE;
 			}
 			break;
 		default:
-			DBG1("unknown address family");
+			DBG1(DBG_LIB, "unknown address family");
 			return FALSE;
 	}
 	if (object.len == 0)
 	{
-		DBG1("An ASN.1 bit string must contain at least the initial octet");
+		DBG1(DBG_LIB, "An ASN.1 bit string must contain at least the "
+			 "initial octet");
 		return FALSE;
 	}
 	if (object.len == 1 && object.ptr[0] != 0)
 	{
-		DBG1("An empty ASN.1 bit string must contain a zero initial octet");
+		DBG1(DBG_LIB, "An empty ASN.1 bit string must contain a zero "
+			 "initial octet");
 		return FALSE;
 	}
 	if (object.ptr[0] > 7)
 	{
-		DBG1("number of unused bits is too large");
+		DBG1(DBG_LIB, "number of unused bits is too large");
 		return FALSE;
 	}
 	return TRUE;
@@ -769,11 +771,11 @@ static void parse_ipAddrBlocks(chunk_t blob, int level0,
 					{
 						break;
 					}
-					DBG2("  %N", ts_type_name, ts_type);
+					DBG2(DBG_LIB, "  %N", ts_type_name, ts_type);
 				}
 				break;
 			case IP_ADDR_BLOCKS_INHERIT:
-				DBG1("inherit choice is not supported");
+				DBG1(DBG_LIB, "inherit choice is not supported");
 				break;
 			case IP_ADDR_BLOCKS_PREFIX:
 				if (!check_address_object(ts_type, object))
@@ -782,7 +784,7 @@ static void parse_ipAddrBlocks(chunk_t blob, int level0,
 				}
 				ts = traffic_selector_create_from_rfc3779_format(ts_type,
 													object, object);
-				DBG2("  %R", ts);
+				DBG2(DBG_LIB, "  %R", ts);
 				this->ipAddrBlocks->insert_last(this->ipAddrBlocks, ts);
 				break;
 			case IP_ADDR_BLOCKS_MIN:
@@ -799,7 +801,7 @@ static void parse_ipAddrBlocks(chunk_t blob, int level0,
 				}
 				ts = traffic_selector_create_from_rfc3779_format(ts_type,
 													min_object, object);
-				DBG2("  %R", ts);
+				DBG2(DBG_LIB, "  %R", ts);
 				this->ipAddrBlocks->insert_last(this->ipAddrBlocks, ts);
 				break;
 			default:
@@ -893,12 +895,12 @@ static bool parse_certificate(private_x509_cert_t *this)
 				this->version = (object.len) ? (1+(u_int)*object.ptr) : 1;
 				if (this->version < 1 || this->version > 3)
 				{
-					DBG1("X.509v%d not supported", this->version);
+					DBG1(DBG_LIB, "X.509v%d not supported", this->version);
 					goto end;
 				}
 				else
 				{
-					DBG2("  X.509v%d", this->version);
+					DBG2(DBG_LIB, "  X.509v%d", this->version);
 				}
 				break;
 			case X509_OBJ_SERIAL_NUMBER:
@@ -909,7 +911,7 @@ static bool parse_certificate(private_x509_cert_t *this)
 				break;
 			case X509_OBJ_ISSUER:
 				this->issuer = identification_create_from_encoding(ID_DER_ASN1_DN, object);
-				DBG2("  '%Y'", this->issuer);
+				DBG2(DBG_LIB, "  '%Y'", this->issuer);
 				break;
 			case X509_OBJ_NOT_BEFORE:
 				this->notBefore = asn1_parse_time(object, level);
@@ -919,13 +921,13 @@ static bool parse_certificate(private_x509_cert_t *this)
 				break;
 			case X509_OBJ_SUBJECT:
 				this->subject = identification_create_from_encoding(ID_DER_ASN1_DN, object);
-				DBG2("  '%Y'", this->subject);
+				DBG2(DBG_LIB, "  '%Y'", this->subject);
 				break;
 			case X509_OBJ_SUBJECT_PUBLIC_KEY_INFO:
-				DBG2("-- > --");
+				DBG2(DBG_LIB, "-- > --");
 				this->public_key = lib->creds->create(lib->creds, CRED_PUBLIC_KEY,
 						KEY_ANY, BUILD_BLOB_ASN1_DER, object, BUILD_END);
-				DBG2("-- < --");
+				DBG2(DBG_LIB, "-- < --");
 				if (this->public_key == NULL)
 				{
 					goto end;
@@ -934,7 +936,7 @@ static bool parse_certificate(private_x509_cert_t *this)
 			case X509_OBJ_OPTIONAL_EXTENSIONS:
 				if (this->version != 3)
 				{
-					DBG1("Only X.509v3 certificates have extensions");
+					DBG1(DBG_LIB, "Only X.509v3 certificates have extensions");
 					goto end;
 				}
 				break;
@@ -943,7 +945,7 @@ static bool parse_certificate(private_x509_cert_t *this)
 				break;
 			case X509_OBJ_CRITICAL:
 				critical = object.len && *object.ptr;
-				DBG2("  %s", critical ? "TRUE" : "FALSE");
+				DBG2(DBG_LIB, "  %s", critical ? "TRUE" : "FALSE");
 				break;
 			case X509_OBJ_EXTN_VALUE:
 			{
@@ -974,6 +976,9 @@ static bool parse_certificate(private_x509_cert_t *this)
 					case OID_AUTHORITY_INFO_ACCESS:
 						parse_authorityInfoAccess(object, level, this);
 						break;
+					case OID_KEY_USAGE:
+						/* TODO parse the flags */
+						break;
 					case OID_EXTENDED_KEY_USAGE:
 						parse_extendedKeyUsage(object, level, this);
 						break;
@@ -994,7 +999,7 @@ static bool parse_certificate(private_x509_cert_t *this)
 						if (critical && lib->settings->get_bool(lib->settings,
 							"libstrongswan.plugins.x509.enforce_critical", FALSE))
 						{
-							DBG1("critical %s extension not supported",
+							DBG1(DBG_LIB, "critical %s extension not supported",
 								 (extn_oid == OID_UNKNOWN) ? "unknown" :
 								 (char*)oid_names[extn_oid].name);
 							goto end;
@@ -1007,7 +1012,7 @@ static bool parse_certificate(private_x509_cert_t *this)
 				this->algorithm = asn1_parse_algorithmIdentifier(object, level, NULL);
 				if (this->algorithm != sig_alg)
 				{
-					DBG1("  signature algorithms do not agree");
+					DBG1(DBG_LIB, "  signature algorithms do not agree");
 					goto end;
 				}
 				break;
@@ -1035,7 +1040,7 @@ end:
 		hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
 		if (hasher == NULL)
 		{
-			DBG1("  unable to create hash of certificate, SHA1 not supported");
+			DBG1(DBG_LIB, "  unable to create hash of certificate, SHA1 not supported");
 			return NULL;
 		}
 		hasher->allocate_hash(hasher, this->encoding, &this->encoding_hash);
@@ -1214,9 +1219,9 @@ static bool is_newer(certificate_t *this, certificate_t *that)
 	this->get_validity(this, &now, &this_update, NULL);
 	that->get_validity(that, &now, &that_update, NULL);
 	new = this_update > that_update;
-	DBG1("  certificate from %T is %s - existing certificate from %T %s",
-				&this_update, FALSE, new ? "newer":"not newer",
-				&that_update, FALSE, new ? "replaced":"retained");
+	DBG1(DBG_LIB, "  certificate from %T is %s - existing certificate "
+		 "from %T %s", &this_update, FALSE, new ? "newer":"not newer",
+		 &that_update, FALSE, new ? "replaced":"retained");
 	return new;
 }
 
@@ -1453,7 +1458,7 @@ chunk_t x509_build_subjectAltNames(linked_list_t *list)
 				context = ASN1_CONTEXT_S_7;
 				break;
 			default:
-				DBG1("encoding %N as subjectAltName not supported",
+				DBG1(DBG_LIB, "encoding %N as subjectAltName not supported",
 					 id_type_names, id->get_type(id));
 				enumerator->destroy(enumerator);
 				free(subjectAltNames.ptr);
@@ -1481,7 +1486,9 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
 	chunk_t extensions = chunk_empty, extendedKeyUsage = chunk_empty;
 	chunk_t serverAuth = chunk_empty, clientAuth = chunk_empty;
 	chunk_t ocspSigning = chunk_empty;
-	chunk_t basicConstraints = chunk_empty, subjectAltNames = chunk_empty;
+	chunk_t basicConstraints = chunk_empty;
+	chunk_t keyUsage = chunk_empty;
+	chunk_t subjectAltNames = chunk_empty;
 	chunk_t subjectKeyIdentifier = chunk_empty, authKeyIdentifier = chunk_empty;
 	chunk_t crlDistributionPoints = chunk_empty, authorityInfoAccess = chunk_empty;
 	identification_t *issuer, *subject;
@@ -1583,7 +1590,7 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
 						asn1_wrap(ASN1_SEQUENCE, "m", authorityInfoAccess)));
 	}
 
-	/* build CA basicConstraint for CA certificates */
+	/* build CA basicConstraint and keyUsage flags for CA certificates */
 	if (cert->flags & X509_CA)
 	{
 		chunk_t pathLenConstraint = chunk_empty;
@@ -1603,6 +1610,13 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
 											asn1_wrap(ASN1_BOOLEAN, "c",
 												chunk_from_chars(0xFF)),
 											pathLenConstraint)));
+		keyUsage = asn1_wrap(ASN1_SEQUENCE, "mmm",
+								asn1_build_known_oid(OID_KEY_USAGE),
+								asn1_wrap(ASN1_BOOLEAN, "c",
+									chunk_from_chars(0xFF)),
+								asn1_wrap(ASN1_OCTET_STRING, "m",
+										asn1_wrap(ASN1_BIT_STRING, "c",
+												chunk_from_chars(0x01, 0x06))));
 	}
 
 	/* add serverAuth extendedKeyUsage flag */
@@ -1663,8 +1677,8 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
 		crlDistributionPoints.ptr)
 	{
 		extensions = asn1_wrap(ASN1_CONTEXT_C_3, "m",
-						asn1_wrap(ASN1_SEQUENCE, "mmmmmmm",
-							basicConstraints, subjectKeyIdentifier,
+						asn1_wrap(ASN1_SEQUENCE, "mmmmmmmm",
+							basicConstraints, keyUsage, subjectKeyIdentifier,
 							authKeyIdentifier, subjectAltNames,
 							extendedKeyUsage, crlDistributionPoints,
 							authorityInfoAccess));
diff --git a/src/libstrongswan/plugins/x509/x509_crl.c b/src/libstrongswan/plugins/x509/x509_crl.c
index b9ef3218b..c755d7f63 100644
--- a/src/libstrongswan/plugins/x509/x509_crl.c
+++ b/src/libstrongswan/plugins/x509/x509_crl.c
@@ -216,14 +216,14 @@ static bool parse(private_x509_crl_t *this)
 				break;
 			case CRL_OBJ_VERSION:
 				this->version = (object.len) ? (1+(u_int)*object.ptr) : 1;
-				DBG2("  v%d", this->version);
+				DBG2(DBG_LIB, "  v%d", this->version);
 				break;
 			case CRL_OBJ_SIG_ALG:
 				sig_alg = asn1_parse_algorithmIdentifier(object, level, NULL);
 				break;
 			case CRL_OBJ_ISSUER:
 				this->issuer = identification_create_from_encoding(ID_DER_ASN1_DN, object);
-				DBG2("  '%Y'", this->issuer);
+				DBG2(DBG_LIB, "  '%Y'", this->issuer);
 				break;
 			case CRL_OBJ_THIS_UPDATE:
 				this->thisUpdate = asn1_parse_time(object, level);
@@ -248,7 +248,7 @@ static bool parse(private_x509_crl_t *this)
 			case CRL_OBJ_CRL_ENTRY_CRITICAL:
 			case CRL_OBJ_CRITICAL:
 				critical = object.len && *object.ptr;
-				DBG2("  %s", critical ? "TRUE" : "FALSE");
+				DBG2(DBG_LIB, "  %s", critical ? "TRUE" : "FALSE");
 				break;
 			case CRL_OBJ_CRL_ENTRY_EXTN_VALUE:
 			case CRL_OBJ_EXTN_VALUE:
@@ -262,7 +262,8 @@ static bool parse(private_x509_crl_t *this)
 						{
 							revoked->reason = *object.ptr;
 						}
-						DBG2("  '%N'", crl_reason_names, revoked->reason);
+						DBG2(DBG_LIB, "  '%N'", crl_reason_names,
+							 revoked->reason);
 					}
 					else if (extn_oid == OID_AUTHORITY_KEY_ID)
 					{
@@ -286,7 +287,7 @@ static bool parse(private_x509_crl_t *this)
 				this->algorithm = asn1_parse_algorithmIdentifier(object, level, NULL);
 				if (this->algorithm != sig_alg)
 				{
-					DBG1("  signature algorithms do not agree");
+					DBG1(DBG_LIB, "  signature algorithms do not agree");
 					goto end;
 				}
 				break;
@@ -483,7 +484,7 @@ static bool is_newer(private_x509_crl_t *this, crl_t *that)
 	if (this->crlNumber.ptr != NULL && that_crlNumber.ptr != NULL)
 	{
 		new = chunk_compare(this->crlNumber, that_crlNumber) > 0;
-		DBG1("  crl #%#B is %s - existing crl #%#B %s",
+		DBG1(DBG_LIB, "  crl #%#B is %s - existing crl #%#B %s",
 				&this->crlNumber, new ? "newer":"not newer",
 				&that_crlNumber,  new ? "replaced":"retained");
 	}
@@ -497,7 +498,7 @@ static bool is_newer(private_x509_crl_t *this, crl_t *that)
 		this_cert->get_validity(this_cert, &now, &this_update, NULL);
 		that_cert->get_validity(that_cert, &now, &that_update, NULL);
 		new = this_update > that_update;
-		DBG1("  crl from %T is %s - existing crl from %T %s",
+		DBG1(DBG_LIB, "  crl from %T is %s - existing crl from %T %s",
 				&this_update, FALSE, new ? "newer":"not newer",
 				&that_update, FALSE, new ? "replaced":"retained");
 	}
diff --git a/src/libstrongswan/plugins/x509/x509_ocsp_request.c b/src/libstrongswan/plugins/x509/x509_ocsp_request.c
index f86f87751..c835d5dc8 100644
--- a/src/libstrongswan/plugins/x509/x509_ocsp_request.c
+++ b/src/libstrongswan/plugins/x509/x509_ocsp_request.c
@@ -179,13 +179,14 @@ static chunk_t build_requestList(private_x509_ocsp_request_t *this)
 		}
 		else
 		{
-			DBG1("creating OCSP request failed, SHA1 not supported");
+			DBG1(DBG_LIB, "creating OCSP request failed, SHA1 not supported");
 		}
 		public->destroy(public);
 	}
 	else
 	{
-		DBG1("creating OCSP request failed, CA certificate has no public key");
+		DBG1(DBG_LIB, "creating OCSP request failed, CA certificate has "
+			 "no public key");
 	}
 	return asn1_wrap(ASN1_SEQUENCE, "m", list);
 }
@@ -205,7 +206,7 @@ static chunk_t build_nonce(private_x509_ocsp_request_t *this)
 		return asn1_wrap(ASN1_SEQUENCE, "cm", ASN1_nonce_oid,
 					asn1_simple_object(ASN1_OCTET_STRING, this->nonce));
 	}
-	DBG1("creating OCSP request nonce failed, no RNG found");
+	DBG1(DBG_LIB, "creating OCSP request nonce failed, no RNG found");
 	return chunk_empty;
 }
 
@@ -263,14 +264,14 @@ static chunk_t build_optionalSignature(private_x509_ocsp_request_t *this,
 			scheme = SIGN_ECDSA_WITH_SHA1_DER;
 			break;
 		default:
-			DBG1("unable to sign OCSP request, %N signature not supported",
-				 key_type_names, this->key->get_type(this->key));
+			DBG1(DBG_LIB, "unable to sign OCSP request, %N signature not "
+				 "supported", key_type_names, this->key->get_type(this->key));
 			return chunk_empty;
 	}
 
 	if (!this->key->sign(this->key, scheme, tbsRequest, &signature))
 	{
-		DBG1("creating OCSP signature failed, skipped");
+		DBG1(DBG_LIB, "creating OCSP signature failed, skipped");
 		return chunk_empty;
 	}
 	if (this->cert)
@@ -378,7 +379,7 @@ static id_match_t has_issuer(private_x509_ocsp_request_t *this,
  */
 static bool issued_by(private_x509_ocsp_request_t *this, certificate_t *issuer)
 {
-	DBG1("OCSP request validation not implemented!");
+	DBG1(DBG_LIB, "OCSP request validation not implemented!");
 	return FALSE;
 }
 
diff --git a/src/libstrongswan/plugins/x509/x509_ocsp_response.c b/src/libstrongswan/plugins/x509/x509_ocsp_response.c
index 948d7ad85..c70d461df 100644
--- a/src/libstrongswan/plugins/x509/x509_ocsp_response.c
+++ b/src/libstrongswan/plugins/x509/x509_ocsp_response.c
@@ -509,7 +509,8 @@ static bool parse_basicOCSPResponse(private_x509_ocsp_response_t *this,
 
 				if (version != OCSP_BASIC_RESPONSE_VERSION)
 				{
-					DBG1("  ocsp ResponseData version %d not supported", version);
+					DBG1(DBG_LIB, "  ocsp ResponseData version %d not "
+						 "supported", version);
 					goto end;
 				}
 				break;
@@ -517,12 +518,12 @@ static bool parse_basicOCSPResponse(private_x509_ocsp_response_t *this,
 			case BASIC_RESPONSE_ID_BY_NAME:
 				this->responderId = identification_create_from_encoding(
 													ID_DER_ASN1_DN, object);
-				DBG2("  '%Y'", this->responderId);
+				DBG2(DBG_LIB, "  '%Y'", this->responderId);
 				break;
 			case BASIC_RESPONSE_ID_BY_KEY:
 				this->responderId = identification_create_from_encoding(
 													ID_KEY_ID, object);
-				DBG2("  '%Y'", this->responderId);
+				DBG2(DBG_LIB, "  '%Y'", this->responderId);
 				break;
 			case BASIC_RESPONSE_PRODUCED_AT:
 				this->producedAt = asn1_to_time(&object, ASN1_GENERALIZEDTIME);
@@ -536,7 +537,7 @@ static bool parse_basicOCSPResponse(private_x509_ocsp_response_t *this,
 				break;
 			case BASIC_RESPONSE_CRITICAL:
 				critical = object.len && *object.ptr;
-				DBG2("  %s", critical ? "TRUE" : "FALSE");
+				DBG2(DBG_LIB, "  %s", critical ? "TRUE" : "FALSE");
 				break;
 			case BASIC_RESPONSE_EXT_VALUE:
 				if (extn_oid == OID_NONCE)
@@ -622,7 +623,7 @@ static bool parse_OCSPResponse(private_x509_ocsp_response_t *this)
 					case OCSP_SUCCESSFUL:
 						break;
 					default:
-						DBG1("  ocsp response status: %N",
+						DBG1(DBG_LIB, "  ocsp response status: %N",
 							 ocsp_status_names, status);
 						goto end;
 				}
@@ -638,7 +639,8 @@ static bool parse_OCSPResponse(private_x509_ocsp_response_t *this)
 												parser->get_level(parser)+1);
 						break;
 					default:
-						DBG1("  ocsp response type %#B not supported", &object);
+						DBG1(DBG_LIB, "  ocsp response type %#B not supported",
+							 &object);
 						goto end;
 				}
 				break;
@@ -772,9 +774,9 @@ static bool is_newer(certificate_t *this, certificate_t *that)
 	this->get_validity(this, &now, &this_update, NULL);
 	that->get_validity(that, &now, &that_update, NULL);
 	new = this_update > that_update;
-	DBG1("  ocsp response from %T is %s - existing ocsp response from %T %s",
-				&this_update, FALSE, new ? "newer":"not newer",
-				&that_update, FALSE, new ? "replaced":"retained");
+	DBG1(DBG_LIB, "  ocsp response from %T is %s - existing ocsp response "
+		 "from %T %s", &this_update, FALSE, new ? "newer" : "not newer",
+		 &that_update, FALSE, new ? "replaced" : "retained");
 	return new;
 }
 
diff --git a/src/libstrongswan/plugins/x509/x509_pkcs10.c b/src/libstrongswan/plugins/x509/x509_pkcs10.c
index 6d750c98c..1009ec931 100644
--- a/src/libstrongswan/plugins/x509/x509_pkcs10.c
+++ b/src/libstrongswan/plugins/x509/x509_pkcs10.c
@@ -297,7 +297,7 @@ static bool parse_extension_request(private_x509_pkcs10_t *this, chunk_t blob, i
 				break;
 			case PKCS10_EXTN_CRITICAL:
 				critical = object.len && *object.ptr;
-				DBG2("  %s", critical ? "TRUE" : "FALSE");
+				DBG2(DBG_LIB, "  %s", critical ? "TRUE" : "FALSE");
 				break;
 			case PKCS10_EXTN_VALUE:
 			{
@@ -330,25 +330,25 @@ static bool parse_challengePassword(private_x509_pkcs10_t *this, chunk_t blob, i
 
 	if (blob.len < 2)
 	{
-		DBG1("L%d - challengePassword:  ASN.1 object smaller than 2 octets",
-					level);
+		DBG1(DBG_LIB, "L%d - challengePassword:  ASN.1 object smaller "
+			 "than 2 octets", level);
 		return FALSE;
 	}
 	tag = *blob.ptr;
 	if (tag < ASN1_UTF8STRING || tag > ASN1_IA5STRING)
 	{
-		DBG1("L%d - challengePassword:  ASN.1 object is not a character string",
-					level);
+		DBG1(DBG_LIB, "L%d - challengePassword:  ASN.1 object is not "
+			 "a character string", level);
 		return FALSE;
 	}
 	if (asn1_length(&blob) == ASN1_INVALID_LENGTH)
 	{
-		DBG1("L%d - challengePassword:  ASN.1 object has an invalid length",
-					level);
+		DBG1(DBG_LIB, "L%d - challengePassword:  ASN.1 object has an "
+			 "invalid length", level);
 		return FALSE;
-	}		
-	DBG2("L%d - challengePassword:", level);
-	DBG4("  '%.*s'", blob.len, blob.ptr);
+	}
+	DBG2(DBG_LIB, "L%d - challengePassword:", level);
+	DBG4(DBG_LIB, "  '%.*s'", blob.len, blob.ptr);
 	return TRUE;
 }
 
@@ -406,13 +406,14 @@ static bool parse_certificate_request(private_x509_pkcs10_t *this)
 			case PKCS10_VERSION:
 				if (object.len > 0 && *object.ptr != 0)
 				{
-					DBG1("PKCS#10 certificate request format is not version 1");
+					DBG1(DBG_LIB, "PKCS#10 certificate request format is "
+						 "not version 1");
 					goto end;
 				}
 				break;
 			case PKCS10_SUBJECT:
 				this->subject = identification_create_from_encoding(ID_DER_ASN1_DN, object);
-				DBG2("  '%Y'", this->subject);
+				DBG2(DBG_LIB, "  '%Y'", this->subject);
 				break;
 			case PKCS10_SUBJECT_PUBLIC_KEY_INFO:
 				this->public_key = lib->creds->create(lib->creds, CRED_PUBLIC_KEY,
@@ -467,7 +468,7 @@ end:
 		}
 		else
 		{
-			DBG1("certificate request is not self-signed");
+			DBG1(DBG_LIB, "certificate request is not self-signed");
 			success = FALSE;
 		}
 	}
diff --git a/src/libstrongswan/plugins/x509/x509_plugin.c b/src/libstrongswan/plugins/x509/x509_plugin.c
index 94c49b1e1..e71c55efc 100644
--- a/src/libstrongswan/plugins/x509/x509_plugin.c
+++ b/src/libstrongswan/plugins/x509/x509_plugin.c
@@ -65,7 +65,7 @@ static void destroy(private_x509_plugin_t *this)
 /*
  * see header file
  */
-plugin_t *plugin_create()
+plugin_t *x509_plugin_create()
 {
 	private_x509_plugin_t *this = malloc_thing(private_x509_plugin_t);
 
diff --git a/src/libstrongswan/plugins/x509/x509_plugin.h b/src/libstrongswan/plugins/x509/x509_plugin.h
index fe8c0b31f..e3f959ffa 100644
--- a/src/libstrongswan/plugins/x509/x509_plugin.h
+++ b/src/libstrongswan/plugins/x509/x509_plugin.h
@@ -39,9 +39,4 @@ struct x509_plugin_t {
 	plugin_t plugin;
 };
 
-/**
- * Create a x509_plugin instance.
- */
-plugin_t *plugin_create();
-
 #endif /** X509_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/xcbc/Makefile.am b/src/libstrongswan/plugins/xcbc/Makefile.am
index 515b75031..7de306832 100644
--- a/src/libstrongswan/plugins/xcbc/Makefile.am
+++ b/src/libstrongswan/plugins/xcbc/Makefile.am
@@ -3,9 +3,14 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan
 
 AM_CFLAGS = -rdynamic
 
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-xcbc.la
+else
 plugin_LTLIBRARIES = libstrongswan-xcbc.la
+endif
 
-libstrongswan_xcbc_la_SOURCES = xcbc_plugin.h xcbc_plugin.c xcbc.h xcbc.c \
+libstrongswan_xcbc_la_SOURCES = \
+	xcbc_plugin.h xcbc_plugin.c xcbc.h xcbc.c \
 	xcbc_prf.h xcbc_prf.c xcbc_signer.h xcbc_signer.c
-libstrongswan_xcbc_la_LDFLAGS = -module -avoid-version
 
+libstrongswan_xcbc_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/xcbc/Makefile.in b/src/libstrongswan/plugins/xcbc/Makefile.in
index 3720aeaeb..c49e2b76a 100644
--- a/src/libstrongswan/plugins/xcbc/Makefile.in
+++ b/src/libstrongswan/plugins/xcbc/Makefile.in
@@ -72,7 +72,7 @@ am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__installdirs = "$(DESTDIR)$(plugindir)"
-LTLIBRARIES = $(plugin_LTLIBRARIES)
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_xcbc_la_LIBADD =
 am_libstrongswan_xcbc_la_OBJECTS = xcbc_plugin.lo xcbc.lo xcbc_prf.lo \
 	xcbc_signer.lo
@@ -80,6 +80,8 @@ libstrongswan_xcbc_la_OBJECTS = $(am_libstrongswan_xcbc_la_OBJECTS)
 libstrongswan_xcbc_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
 	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
 	$(libstrongswan_xcbc_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_xcbc_la_rpath = -rpath $(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_xcbc_la_rpath =
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
@@ -218,6 +220,7 @@ ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libhydra_plugins = @libhydra_plugins@
 libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
@@ -254,8 +257,10 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
 AM_CFLAGS = -rdynamic
-plugin_LTLIBRARIES = libstrongswan-xcbc.la
-libstrongswan_xcbc_la_SOURCES = xcbc_plugin.h xcbc_plugin.c xcbc.h xcbc.c \
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-xcbc.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-xcbc.la
+libstrongswan_xcbc_la_SOURCES = \
+	xcbc_plugin.h xcbc_plugin.c xcbc.h xcbc.c \
 	xcbc_prf.h xcbc_prf.c xcbc_signer.h xcbc_signer.c
 
 libstrongswan_xcbc_la_LDFLAGS = -module -avoid-version
@@ -293,6 +298,15 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
 	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
@@ -325,7 +339,7 @@ clean-pluginLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan-xcbc.la: $(libstrongswan_xcbc_la_OBJECTS) $(libstrongswan_xcbc_la_DEPENDENCIES) 
-	$(libstrongswan_xcbc_la_LINK) -rpath $(plugindir) $(libstrongswan_xcbc_la_OBJECTS) $(libstrongswan_xcbc_la_LIBADD) $(LIBS)
+	$(libstrongswan_xcbc_la_LINK) $(am_libstrongswan_xcbc_la_rpath) $(libstrongswan_xcbc_la_OBJECTS) $(libstrongswan_xcbc_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -481,8 +495,8 @@ maintainer-clean-generic:
 	@echo "it deletes files that may require special tools to rebuild."
 clean: clean-am
 
-clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
-	mostlyclean-am
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
 
 distclean: distclean-am
 	-rm -rf ./$(DEPDIR)
@@ -553,18 +567,19 @@ uninstall-am: uninstall-pluginLTLIBRARIES
 .MAKE: install-am install-strip
 
 .PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
-	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
-	distclean-compile distclean-generic distclean-libtool \
-	distclean-tags distdir dvi dvi-am html html-am info info-am \
-	install install-am install-data install-data-am install-dvi \
-	install-dvi-am install-exec install-exec-am install-html \
-	install-html-am install-info install-info-am install-man \
-	install-pdf install-pdf-am install-pluginLTLIBRARIES \
-	install-ps install-ps-am install-strip installcheck \
-	installcheck-am installdirs maintainer-clean \
-	maintainer-clean-generic mostlyclean mostlyclean-compile \
-	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
 
 
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
diff --git a/src/libstrongswan/plugins/xcbc/xcbc_plugin.c b/src/libstrongswan/plugins/xcbc/xcbc_plugin.c
index 3eb7f0927..9d903bfaa 100644
--- a/src/libstrongswan/plugins/xcbc/xcbc_plugin.c
+++ b/src/libstrongswan/plugins/xcbc/xcbc_plugin.c
@@ -47,7 +47,7 @@ static void destroy(private_xcbc_plugin_t *this)
 /*
  * see header file
  */
-plugin_t *plugin_create()
+plugin_t *xcbc_plugin_create()
 {
 	private_xcbc_plugin_t *this = malloc_thing(private_xcbc_plugin_t);
 
diff --git a/src/libstrongswan/plugins/xcbc/xcbc_plugin.h b/src/libstrongswan/plugins/xcbc/xcbc_plugin.h
index 803d847aa..9824088c6 100644
--- a/src/libstrongswan/plugins/xcbc/xcbc_plugin.h
+++ b/src/libstrongswan/plugins/xcbc/xcbc_plugin.h
@@ -39,9 +39,4 @@ struct xcbc_plugin_t {
 	plugin_t plugin;
 };
 
-/**
- * Create a xcbc_plugin instance.
- */
-plugin_t *plugin_create();
-
 #endif /** XCBC_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/printf_hook.c b/src/libstrongswan/printf_hook.c
index 0b516c99e..037f0b918 100644
--- a/src/libstrongswan/printf_hook.c
+++ b/src/libstrongswan/printf_hook.c
@@ -16,8 +16,8 @@
 
 #include "printf_hook.h"
 
-#include <utils.h>
-#include <debug.h>
+#include "utils.h"
+#include "debug.h"
 
 #include <stdio.h>
 #include <stdarg.h>
@@ -333,7 +333,8 @@ static void add_handler(private_printf_hook_t *this, char spec,
 
 	if (!IS_VALID_SPEC(spec))
 	{
-		DBG1("'%c' is not a valid printf hook specifier, not registered!", spec);
+		DBG1(DBG_LIB, "'%c' is not a valid printf hook specifier, "
+			 "not registered!", spec);
 		return;
 	}
 
@@ -345,7 +346,8 @@ static void add_handler(private_printf_hook_t *this, char spec,
 	{
 		if (++i >= ARGS_MAX)
 		{
-			DBG1("Too many arguments for printf hook with specifier '%c', not registered!", spec);
+			DBG1(DBG_LIB, "Too many arguments for printf hook with "
+				 "specifier '%c', not registered!", spec);
 			va_end(args);
 			free(handler);
 			return;
@@ -427,7 +429,7 @@ printf_hook_t *printf_hook_create()
 #ifdef USE_VSTR
 	if (!vstr_init())
 	{
-		DBG1("failed to initialize Vstr library!");
+		DBG1(DBG_LIB, "failed to initialize Vstr library!");
 		free(this);
 		return NULL;
 	}
diff --git a/src/libstrongswan/selectors/traffic_selector.h b/src/libstrongswan/selectors/traffic_selector.h
index b5964b541..257da3f24 100644
--- a/src/libstrongswan/selectors/traffic_selector.h
+++ b/src/libstrongswan/selectors/traffic_selector.h
@@ -74,8 +74,8 @@ struct traffic_selector_t {
 	 *
 	 * @param other		traffic selector to compare
 	 * @return
-	 * 					- created subset of them
-	 * 					- or NULL if no match between this and other
+	 *					- created subset of them
+	 *					- or NULL if no match between this and other
 	 */
 	traffic_selector_t *(*get_subset)  (traffic_selector_t *this,
 										traffic_selector_t *other);
@@ -173,7 +173,7 @@ struct traffic_selector_t {
 	 * Compare two traffic selectors for equality.
 	 *
 	 * @param other		ts to compare with this
-	 * @return 			TRUE if equal, FALSE otherwise
+	 * @return			TRUE if equal, FALSE otherwise
 	 */
 	bool (*equals) (traffic_selector_t *this, traffic_selector_t *other);
 
@@ -215,15 +215,15 @@ struct traffic_selector_t {
 /**
  * Create a new traffic selector using human readable params.
  *
- * @param protocol 		protocol for this ts, such as TCP or UDP
+ * @param protocol		protocol for this ts, such as TCP or UDP
  * @param type			type of following addresses, such as TS_IPV4_ADDR_RANGE
  * @param from_addr		start of address range as string
  * @param from_port		port number in host order
  * @param to_addr		end of address range as string
  * @param to_port		port number in host order
  * @return
- * 						- traffic_selector_t object
- * 						- NULL if invalid address strings/protocol
+ *						- traffic_selector_t object
+ *						- NULL if invalid address strings/protocol
  */
 traffic_selector_t *traffic_selector_create_from_string(
 									u_int8_t protocol, ts_type_t type,
@@ -237,11 +237,11 @@ traffic_selector_t *traffic_selector_create_from_string(
  * But the parser gives us this data in this format, so we
  * don't have to convert twice.
  *
- * @param protocol 		protocol for this ts, such as TCP or UDP
+ * @param protocol		protocol for this ts, such as TCP or UDP
  * @param type			type of following addresses, such as TS_IPV4_ADDR_RANGE
- * @param from_addr		start of address range, network order
+ * @param from_address	start of address range, network order
  * @param from_port		port number, host order
- * @param to_addr		end of address range, network order
+ * @param to_address	end of address range, network order
  * @param to_port		port number, host order
  * @return				traffic_selector_t object
  */
@@ -273,11 +273,11 @@ traffic_selector_t *traffic_selector_create_from_rfc3779_format(ts_type_t type,
  *
  * @param net			subnet to use
  * @param netbits		size of the subnet, as used in e.g. 192.168.0.0/24 notation
- * @param protocol 		protocol for this ts, such as TCP or UDP
+ * @param protocol		protocol for this ts, such as TCP or UDP
  * @param port			port number, host order
  * @return
- * 						- traffic_selector_t object
- * 						- NULL if address family of net not supported
+ *						- traffic_selector_t object
+ *						- NULL if address family of net not supported
  */
 traffic_selector_t *traffic_selector_create_from_subnet(
 									host_t *net, u_int8_t netbits,
@@ -295,8 +295,8 @@ traffic_selector_t *traffic_selector_create_from_subnet(
  * @param from_port		start of allowed port range
  * @param to_port		end of range
  * @return
- * 						- traffic_selector_t object
- * 						- NULL if type not supported
+ *						- traffic_selector_t object
+ *						- NULL if type not supported
  */
 traffic_selector_t *traffic_selector_create_dynamic(u_int8_t protocol,
 									u_int16_t from_port, u_int16_t to_port);
diff --git a/src/libstrongswan/settings.c b/src/libstrongswan/settings.c
index 4a822bcbf..610e2b8ea 100644
--- a/src/libstrongswan/settings.c
+++ b/src/libstrongswan/settings.c
@@ -21,8 +21,8 @@
 
 #include "settings.h"
 
-#include <debug.h>
-#include <utils/linked_list.h>
+#include "debug.h"
+#include "utils/linked_list.h"
 
 
 typedef struct private_settings_t private_settings_t;
@@ -293,8 +293,8 @@ static u_int32_t get_time(private_settings_t *this, char *key, u_int32_t def, ..
 	if (value)
 	{
 		errno = 0;
-		timeval = strtol(value, &endptr, 10);
-		if (errno == 0 && timeval >= 0)
+		timeval = strtoul(value, &endptr, 10);
+		if (errno == 0)
 		{
 			switch (*endptr)
 			{
@@ -497,7 +497,7 @@ static section_t* parse_section(char **text, char *name)
 						continue;
 					}
 				}
-				DBG1("matching '}' not found near %s", *text);
+				DBG1(DBG_LIB, "matching '}' not found near %s", *text);
 				break;
 			case '=':
 				if (parse(text, "\t ", "\n", NULL, &value))
@@ -508,7 +508,7 @@ static section_t* parse_section(char **text, char *name)
 					section->kv->insert_last(section->kv, kv);
 					continue;
 				}
-				DBG1("parsing value failed near %s", *text);
+				DBG1(DBG_LIB, "parsing value failed near %s", *text);
 				break;
 			case '#':
 				parse(text, "", "\n", NULL, &value);
@@ -566,7 +566,7 @@ settings_t *settings_create(char *file)
 	fd = fopen(file, "r");
 	if (fd == NULL)
 	{
-		DBG1("'%s' does not exist or is not readable", file);
+		DBG1(DBG_LIB, "'%s' does not exist or is not readable", file);
 		return &this->public;
 	}
 	fseek(fd, 0, SEEK_END);
diff --git a/src/libstrongswan/settings.h b/src/libstrongswan/settings.h
index 9e8d75cc0..f274fb33c 100644
--- a/src/libstrongswan/settings.h
+++ b/src/libstrongswan/settings.h
@@ -23,8 +23,8 @@
 
 typedef struct settings_t settings_t;
 
-#include <utils.h>
-#include <utils/enumerator.h>
+#include "utils.h"
+#include "utils/enumerator.h"
 
 /**
  * Generic configuration options read from a config file.
diff --git a/src/libstrongswan/threading/mutex.c b/src/libstrongswan/threading/mutex.c
index a35695624..8597abb44 100644
--- a/src/libstrongswan/threading/mutex.c
+++ b/src/libstrongswan/threading/mutex.c
@@ -108,7 +108,7 @@ static void lock(private_mutex_t *this)
 	err = pthread_mutex_lock(&this->mutex);
 	if (err)
 	{
-		DBG1("!!! MUTEX LOCK ERROR: %s !!!", strerror(err));
+		DBG1(DBG_LIB, "!!! MUTEX LOCK ERROR: %s !!!", strerror(err));
 	}
 	profiler_end(&this->profile);
 }
@@ -123,7 +123,7 @@ static void unlock(private_mutex_t *this)
 	err = pthread_mutex_unlock(&this->mutex);
 	if (err)
 	{
-		DBG1("!!! MUTEX UNLOCK ERROR: %s !!!", strerror(err));
+		DBG1(DBG_LIB, "!!! MUTEX UNLOCK ERROR: %s !!!", strerror(err));
 	}
 }
 
diff --git a/src/libstrongswan/threading/rwlock.c b/src/libstrongswan/threading/rwlock.c
index ee9fb10be..cec43f59c 100644
--- a/src/libstrongswan/threading/rwlock.c
+++ b/src/libstrongswan/threading/rwlock.c
@@ -98,7 +98,7 @@ static void read_lock(private_rwlock_t *this)
 	err = pthread_rwlock_rdlock(&this->rwlock);
 	if (err != 0)
 	{
-		DBG1("!!! RWLOCK READ LOCK ERROR: %s !!!", strerror(err));
+		DBG1(DBG_LIB, "!!! RWLOCK READ LOCK ERROR: %s !!!", strerror(err));
 	}
 	profiler_end(&this->profile);
 }
@@ -114,7 +114,7 @@ static void write_lock(private_rwlock_t *this)
 	err = pthread_rwlock_wrlock(&this->rwlock);
 	if (err != 0)
 	{
-		DBG1("!!! RWLOCK WRITE LOCK ERROR: %s !!!", strerror(err));
+		DBG1(DBG_LIB, "!!! RWLOCK WRITE LOCK ERROR: %s !!!", strerror(err));
 	}
 	profiler_end(&this->profile);
 }
@@ -137,7 +137,7 @@ static void rw_unlock(private_rwlock_t *this)
 	err = pthread_rwlock_unlock(&this->rwlock);
 	if (err != 0)
 	{
-		DBG1("!!! RWLOCK UNLOCK ERROR: %s !!!", strerror(err));
+		DBG1(DBG_LIB, "!!! RWLOCK UNLOCK ERROR: %s !!!", strerror(err));
 	}
 }
 
diff --git a/src/libstrongswan/threading/thread.c b/src/libstrongswan/threading/thread.c
index bbfb2c2c6..3751bb749 100644
--- a/src/libstrongswan/threading/thread.c
+++ b/src/libstrongswan/threading/thread.c
@@ -155,7 +155,7 @@ static void cancel(private_thread_t *this)
 	if (pthread_equal(this->thread_id, pthread_self()))
 	{
 		this->mutex->unlock(this->mutex);
-		DBG1("!!! CANNOT CANCEL CURRENT THREAD !!!");
+		DBG1(DBG_LIB, "!!! CANNOT CANCEL CURRENT THREAD !!!");
 		return;
 	}
 #ifdef HAVE_PTHREAD_CANCEL
@@ -180,7 +180,7 @@ static void _kill(private_thread_t *this, int sig)
 		 * returned, so depending on the signal, the lock might not get
 		 * unlocked. */
 		this->mutex->unlock(this->mutex);
-		DBG1("!!! CANNOT SEND SIGNAL TO CURRENT THREAD !!!");
+		DBG1(DBG_LIB, "!!! CANNOT SEND SIGNAL TO CURRENT THREAD !!!");
 		return;
 	}
 	pthread_kill(this->thread_id, sig);
@@ -209,13 +209,13 @@ static void *join(private_thread_t *this)
 	if (pthread_equal(this->thread_id, pthread_self()))
 	{
 		this->mutex->unlock(this->mutex);
-		DBG1("!!! CANNOT JOIN CURRENT THREAD !!!");
+		DBG1(DBG_LIB, "!!! CANNOT JOIN CURRENT THREAD !!!");
 		return NULL;
 	}
 	if (this->detached_or_joined)
 	{
 		this->mutex->unlock(this->mutex);
-		DBG1("!!! CANNOT JOIN DETACHED THREAD !!!");
+		DBG1(DBG_LIB, "!!! CANNOT JOIN DETACHED THREAD !!!");
 		return NULL;
 	}
 	thread_id = this->thread_id;
@@ -299,7 +299,8 @@ thread_t *thread_create(thread_main_t main, void *arg)
 	this->arg = arg;
 	if (pthread_create(&this->thread_id, NULL, (void*)thread_main, this) != 0)
 	{
-		DBG1("failed to create thread!");
+		DBG1(DBG_LIB, "failed to create thread!");
+		this->mutex->lock(this->mutex);
 		thread_destroy(this);
 		return NULL;
 	}
@@ -354,7 +355,7 @@ void thread_cleanup_pop(bool execute)
 											(void**)&handler) != SUCCESS)
 	{
 		this->mutex->unlock(this->mutex);
-		DBG1("!!! THREAD CLEANUP ERROR !!!");
+		DBG1(DBG_LIB, "!!! THREAD CLEANUP ERROR !!!");
 		return;
 	}
 	this->mutex->unlock(this->mutex);
@@ -433,6 +434,7 @@ void threads_init()
 void threads_deinit()
 {
 	private_thread_t *main_thread = (private_thread_t*)thread_current();
+	main_thread->mutex->lock(main_thread->mutex);
 	thread_destroy(main_thread);
 	current_thread->destroy(current_thread);
 	id_mutex->destroy(id_mutex);
diff --git a/src/libstrongswan/threading/thread.h b/src/libstrongswan/threading/thread.h
index 6bf8fac79..31b9e1b3a 100644
--- a/src/libstrongswan/threading/thread.h
+++ b/src/libstrongswan/threading/thread.h
@@ -24,6 +24,12 @@
 typedef struct thread_t thread_t;
 
 #ifdef __APPLE__
+/* thread_create is a syscall used to create Mach kernel threads and although
+ * there are no errors or warnings during compilation or linkage the dynamic
+ * linker does not use our implementation, therefore we rename it here
+ */
+#define thread_create(main, arg) strongswan_thread_create(main, arg)
+
 /* on Mac OS X 10.5 several system calls we use are no cancellation points.
  * fortunately, select isn't one of them, so we wrap some of the others with
  * calls to select(2).
diff --git a/src/libstrongswan/utils.c b/src/libstrongswan/utils.c
index e331ac0d0..63958593d 100644
--- a/src/libstrongswan/utils.c
+++ b/src/libstrongswan/utils.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008-2009 Tobias Brunner
+ * Copyright (C) 2008-2010 Tobias Brunner
  * Copyright (C) 2005-2008 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -25,8 +25,8 @@
 #include <dirent.h>
 #include <time.h>
 
-#include <enum.h>
-#include <debug.h>
+#include "enum.h"
+#include "debug.h"
 
 ENUM(status_names, SUCCESS, DESTROY_ME,
 	"SUCCESS",
@@ -116,12 +116,34 @@ void *memstr(const void *haystack, const char *needle, size_t n)
 	return NULL;
 }
 
+/**
+ * Described in header.
+ */
+char* translate(char *str, const char *from, const char *to)
+{
+	char *pos = str;
+	if (strlen(from) != strlen(to))
+	{
+		return str;
+	}
+	while (pos && *pos)
+	{
+		char *match;
+		if ((match = strchr(from, *pos)) != NULL)
+		{
+			*pos = to[match - from];
+		}
+		pos++;
+	}
+	return str;
+}
+
 /**
  * Described in header.
  */
 bool mkdir_p(const char *path, mode_t mode)
 {
-	size_t len;
+	int len;
 	char *pos, full[PATH_MAX];
 	pos = full;
 	if (!path || *path == '\0')
@@ -131,7 +153,7 @@ bool mkdir_p(const char *path, mode_t mode)
 	len = snprintf(full, sizeof(full)-1, "%s", path);
 	if (len < 0 || len >= sizeof(full)-1)
 	{
-		DBG1("path string %s too long", path);
+		DBG1(DBG_LIB, "path string %s too long", path);
 		return FALSE;
 	}
 	/* ensure that the path ends with a '/' */
@@ -152,7 +174,7 @@ bool mkdir_p(const char *path, mode_t mode)
 		{
 			if (mkdir(full, mode) < 0)
 			{
-				DBG1("failed to create directory %s", full);
+				DBG1(DBG_LIB, "failed to create directory %s", full);
 				return FALSE;
 			}
 		}
diff --git a/src/libstrongswan/utils.h b/src/libstrongswan/utils.h
index 964cbd1d2..04551835e 100644
--- a/src/libstrongswan/utils.h
+++ b/src/libstrongswan/utils.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008-2009 Tobias Brunner
+ * Copyright (C) 2008-2010 Tobias Brunner
  * Copyright (C) 2008 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -29,7 +29,7 @@
 #include <arpa/inet.h>
 #include <string.h>
 
-#include <enum.h>
+#include "enum.h"
 
 /**
  * strongSwan program return codes
@@ -125,7 +125,7 @@
 #define METHOD(iface, name, ret, this, ...) \
 	static ret name(union {iface *_public; this;} \
 	__attribute__((transparent_union)), ##__VA_ARGS__); \
-	const static typeof(name) *_##name = (const typeof(name)*)name; \
+	static const typeof(name) *_##name = (const typeof(name)*)name; \
 	static ret name(this, ##__VA_ARGS__)
 
 /**
@@ -134,7 +134,7 @@
 #define METHOD2(iface1, iface2, name, ret, this, ...) \
 	static ret name(union {iface1 *_public1; iface2 *_public2; this;} \
 	__attribute__((transparent_union)), ##__VA_ARGS__); \
-	const static typeof(name) *_##name = (const typeof(name)*)name; \
+	static const typeof(name) *_##name = (const typeof(name)*)name; \
 	static ret name(this, ##__VA_ARGS__)
 
 /**
@@ -150,7 +150,7 @@
 /**
  * Ignore result of functions tagged with warn_unused_result attributes
  */
-#define ignore_result(call) { if(call); }
+#define ignore_result(call) { if(call){}; }
 
 /**
  * Assign a function as a class method
@@ -310,6 +310,14 @@ void memxor(u_int8_t dest[], u_int8_t src[], size_t n);
  */
 void *memstr(const void *haystack, const char *needle, size_t n);
 
+/**
+ * Translates the characters in the given string, searching for characters
+ * in 'from' and mapping them to characters in 'to'.
+ * The two characters sets 'from' and 'to' must contain the same number of
+ * characters.
+ */
+char *translate(char *str, const char *from, const char *to);
+
 /**
  * Creates a directory and all required parent directories.
  *
diff --git a/src/libstrongswan/utils/enumerator.c b/src/libstrongswan/utils/enumerator.c
index 7efdd883e..fb461b448 100644
--- a/src/libstrongswan/utils/enumerator.c
+++ b/src/libstrongswan/utils/enumerator.c
@@ -76,7 +76,8 @@ static bool enumerate_dir_enum(dir_enum_t *this, char **relative,
 							   char **absolute, struct stat *st)
 {
 	struct dirent *entry = readdir(this->dir);
-	size_t len, remaining;
+	size_t remaining;
+	int len;
 
 	if (!entry)
 	{
@@ -96,7 +97,8 @@ static bool enumerate_dir_enum(dir_enum_t *this, char **relative,
 		len = snprintf(this->full_end, remaining, "%s", entry->d_name);
 		if (len < 0 || len >= remaining)
 		{
-			DBG1("buffer too small to enumerate file '%s'", entry->d_name);
+			DBG1(DBG_LIB, "buffer too small to enumerate file '%s'",
+				 entry->d_name);
 			return FALSE;
 		}
 		if (absolute)
@@ -107,7 +109,8 @@ static bool enumerate_dir_enum(dir_enum_t *this, char **relative,
 		{
 			if (stat(this->full, st))
 			{
-				DBG1("stat() on '%s' failed: %s", this->full, strerror(errno));
+				DBG1(DBG_LIB, "stat() on '%s' failed: %s", this->full,
+					 strerror(errno));
 				return FALSE;
 			}
 		}
@@ -120,7 +123,7 @@ static bool enumerate_dir_enum(dir_enum_t *this, char **relative,
  */
 enumerator_t* enumerator_create_directory(char *path)
 {
-	size_t len;
+	int len;
 	dir_enum_t *this = malloc_thing(dir_enum_t);
 	this->public.enumerate = (void*)enumerate_dir_enum;
 	this->public.destroy = (void*)destroy_dir_enum;
@@ -132,7 +135,7 @@ enumerator_t* enumerator_create_directory(char *path)
 	len = snprintf(this->full, sizeof(this->full)-1, "%s", path);
 	if (len < 0 || len >= sizeof(this->full)-1)
 	{
-		DBG1("path string '%s' too long", path);
+		DBG1(DBG_LIB, "path string '%s' too long", path);
 		free(this);
 		return NULL;
 	}
@@ -147,7 +150,7 @@ enumerator_t* enumerator_create_directory(char *path)
 	this->dir = opendir(path);
 	if (this->dir == NULL)
 	{
-		DBG1("opening directory '%s' failed: %s", path, strerror(errno));
+		DBG1(DBG_LIB, "opening directory '%s' failed: %s", path, strerror(errno));
 		free(this);
 		return NULL;
 	}
diff --git a/src/libstrongswan/utils/enumerator.h b/src/libstrongswan/utils/enumerator.h
index 3056498b1..537bf69e1 100644
--- a/src/libstrongswan/utils/enumerator.h
+++ b/src/libstrongswan/utils/enumerator.h
@@ -23,7 +23,7 @@
 
 typedef struct enumerator_t enumerator_t;
 
-#include <utils.h>
+#include "../utils.h"
 
 /**
  * Enumerate is simpler, but more flexible than iterator.
diff --git a/src/libstrongswan/utils/host.c b/src/libstrongswan/utils/host.c
index a610b3a4d..112d07e5c 100644
--- a/src/libstrongswan/utils/host.c
+++ b/src/libstrongswan/utils/host.c
@@ -482,7 +482,7 @@ host_t *host_create_from_dns(char *string, int af, u_int16_t port)
 	error = getaddrinfo(string, NULL, &hints, &result);
 	if (error != 0)
 	{
-		DBG1("resolving '%s' failed: %s", string, gai_strerror(error));
+		DBG1(DBG_LIB, "resolving '%s' failed: %s", string, gai_strerror(error));
 		return NULL;
 	}
 	/* result is a linked list, but we use only the first address */
diff --git a/src/libstrongswan/utils/identification.c b/src/libstrongswan/utils/identification.c
index b0da340bc..6a3c3936c 100644
--- a/src/libstrongswan/utils/identification.c
+++ b/src/libstrongswan/utils/identification.c
@@ -798,7 +798,7 @@ int identification_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
 	return print_in_hook(dst, len, "%*s", spec->width, buf);
 }
 
-METHOD(identification_t, clone, identification_t*,
+METHOD(identification_t, clone_, identification_t*,
 	private_identification_t *this)
 {
 	private_identification_t *clone = malloc_thing(private_identification_t);
@@ -830,7 +830,7 @@ static private_identification_t *identification_create(id_type_t type)
 			.get_encoding = _get_encoding,
 			.get_type = _get_type,
 			.create_part_enumerator = _create_part_enumerator,
-			.clone = _clone,
+			.clone = _clone_,
 			.destroy = _destroy,
 		},
 		.type = type,
diff --git a/src/libstrongswan/utils/leak_detective.c b/src/libstrongswan/utils/leak_detective.c
index 2c2a36af3..2f8a7187c 100644
--- a/src/libstrongswan/utils/leak_detective.c
+++ b/src/libstrongswan/utils/leak_detective.c
@@ -167,6 +167,7 @@ char *whitelist[] = {
 	"tzset",
 	"inet_ntoa",
 	"strerror",
+	"getprotobyname",
 	"getprotobynumber",
 	"getservbyport",
 	"getservbyname",
diff --git a/src/libstrongswan/utils/optionsfrom.c b/src/libstrongswan/utils/optionsfrom.c
index bf528caa0..d8f635c62 100644
--- a/src/libstrongswan/utils/optionsfrom.c
+++ b/src/libstrongswan/utils/optionsfrom.c
@@ -80,14 +80,15 @@ bool from(private_options_t *this, char *filename, int *argcp, char **argvp[],
 	this->nuses++;
 	if (this->nuses >= MAX_USES)
 	{
-		DBG1("optionsfrom called %d times by \"%s\" - looping?", this->nuses + 1, (*argvp)[0]);
+		DBG1(DBG_LIB, "optionsfrom called %d times by \"%s\" - looping?",
+			 this->nuses + 1, (*argvp)[0]);
 		return FALSE;
 	}
 
 	fd = fopen(filename, "r");
 	if (fd == NULL)
 	{
-		DBG1("optionsfrom: unable to open file '%s': %s",
+		DBG1(DBG_LIB, "optionsfrom: unable to open file '%s': %s",
 			 filename, strerror(errno));
 		return FALSE;
 	}
@@ -132,7 +133,7 @@ bool from(private_options_t *this, char *filename, int *argcp, char **argvp[],
 				line.len--;
 				if (!extract_token(&token, delimiter, &line))
 				{
-					DBG1("optionsfrom: missing terminator at %s:%d",
+					DBG1(DBG_LIB, "optionsfrom: missing terminator at %s:%d",
 						 filename, linepos);
 					good = FALSE;
 					break;
diff --git a/src/manager/Makefile.am b/src/manager/Makefile.am
index e6c31e9b4..e67335673 100644
--- a/src/manager/Makefile.am
+++ b/src/manager/Makefile.am
@@ -10,7 +10,8 @@ controller/control_controller.c controller/control_controller.h \
 controller/config_controller.c controller/config_controller.h \
 controller/gateway_controller.c controller/gateway_controller.h
 
-manager_fcgi_LDADD = $(top_builddir)/src/libfast/libfast.la ${xml_LIBS}
+manager_fcgi_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la $(top_builddir)/src/libfast/libfast.la ${xml_LIBS}
+main.o :	$(top_builddir)/config.status
 
 INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libfast ${xml_CFLAGS}
 AM_CFLAGS = -rdynamic \
diff --git a/src/manager/Makefile.in b/src/manager/Makefile.in
index 20438acc3..54e2cc11c 100644
--- a/src/manager/Makefile.in
+++ b/src/manager/Makefile.in
@@ -68,8 +68,9 @@ am_manager_fcgi_OBJECTS = main.$(OBJEXT) manager.$(OBJEXT) \
 	gateway_controller.$(OBJEXT)
 manager_fcgi_OBJECTS = $(am_manager_fcgi_OBJECTS)
 am__DEPENDENCIES_1 =
-manager_fcgi_DEPENDENCIES = $(top_builddir)/src/libfast/libfast.la \
-	$(am__DEPENDENCIES_1)
+manager_fcgi_DEPENDENCIES =  \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la \
+	$(top_builddir)/src/libfast/libfast.la $(am__DEPENDENCIES_1)
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
@@ -235,6 +236,7 @@ ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libhydra_plugins = @libhydra_plugins@
 libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
@@ -278,7 +280,7 @@ controller/control_controller.c controller/control_controller.h \
 controller/config_controller.c controller/config_controller.h \
 controller/gateway_controller.c controller/gateway_controller.h
 
-manager_fcgi_LDADD = $(top_builddir)/src/libfast/libfast.la ${xml_LIBS}
+manager_fcgi_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la $(top_builddir)/src/libfast/libfast.la ${xml_LIBS}
 INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libfast ${xml_CFLAGS}
 AM_CFLAGS = -rdynamic \
   -DIPSECDIR=\"${ipsecdir}\" \
@@ -881,6 +883,7 @@ uninstall-am: uninstall-managerPROGRAMS \
 	uninstall-manager_templates_ikesaDATA \
 	uninstall-manager_templates_staticDATA
 
+main.o :	$(top_builddir)/config.status
 
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
diff --git a/src/manager/main.c b/src/manager/main.c
index 1f5c45113..5c297cf0c 100644
--- a/src/manager/main.c
+++ b/src/manager/main.c
@@ -48,7 +48,8 @@ int main (int arc, char *argv[])
 	database = lib->settings->get_str(lib->settings, "manager.database", NULL);
 	if (!database)
 	{
-		DBG1("database URI undefined, set manager.database in strongswan.conf");
+		DBG1(DBG_LIB, "database URI undefined, set manager.database "
+			 "in strongswan.conf");
 		return 1;
 	}
 
diff --git a/src/medsrv/Makefile.am b/src/medsrv/Makefile.am
index 9f5c9e2f7..bdec08190 100644
--- a/src/medsrv/Makefile.am
+++ b/src/medsrv/Makefile.am
@@ -7,7 +7,8 @@ main.c filter/auth_filter.c filter/auth_filter.h \
 controller/user_controller.c controller/user_controller.h \
 controller/peer_controller.c controller/peer_controller.h
 
-medsrv_fcgi_LDADD = $(top_builddir)/src/libfast/libfast.la
+medsrv_fcgi_LDADD = $(top_srcdir)/src/libstrongswan/libstrongswan.la $(top_builddir)/src/libfast/libfast.la
+main.o :	$(top_builddir)/config.status
 
 INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libfast
 AM_CFLAGS = -rdynamic \
diff --git a/src/medsrv/Makefile.in b/src/medsrv/Makefile.in
index 8f602930d..2f79ca4d4 100644
--- a/src/medsrv/Makefile.in
+++ b/src/medsrv/Makefile.in
@@ -62,7 +62,9 @@ am_medsrv_fcgi_OBJECTS = user.$(OBJEXT) main.$(OBJEXT) \
 	auth_filter.$(OBJEXT) user_controller.$(OBJEXT) \
 	peer_controller.$(OBJEXT)
 medsrv_fcgi_OBJECTS = $(am_medsrv_fcgi_OBJECTS)
-medsrv_fcgi_DEPENDENCIES = $(top_builddir)/src/libfast/libfast.la
+medsrv_fcgi_DEPENDENCIES =  \
+	$(top_srcdir)/src/libstrongswan/libstrongswan.la \
+	$(top_builddir)/src/libfast/libfast.la
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
@@ -224,6 +226,7 @@ ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libhydra_plugins = @libhydra_plugins@
 libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
@@ -264,7 +267,7 @@ main.c filter/auth_filter.c filter/auth_filter.h \
 controller/user_controller.c controller/user_controller.h \
 controller/peer_controller.c controller/peer_controller.h
 
-medsrv_fcgi_LDADD = $(top_builddir)/src/libfast/libfast.la
+medsrv_fcgi_LDADD = $(top_srcdir)/src/libstrongswan/libstrongswan.la $(top_builddir)/src/libfast/libfast.la
 INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libfast
 AM_CFLAGS = -rdynamic \
   -DIPSECDIR=\"${ipsecdir}\" \
@@ -751,6 +754,7 @@ uninstall-am: uninstall-medsrvPROGRAMS uninstall-medsrv_templatesDATA \
 	uninstall-medsrv_templates_staticDATA \
 	uninstall-medsrv_templates_userDATA
 
+main.o :	$(top_builddir)/config.status
 
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
diff --git a/src/openac/Makefile.am b/src/openac/Makefile.am
index ca6238258..a278cdd17 100644
--- a/src/openac/Makefile.am
+++ b/src/openac/Makefile.am
@@ -7,4 +7,4 @@ AM_CFLAGS = \
   -DIPSEC_CONFDIR=\"${sysconfdir}\" \
   -DPLUGINS=\""${libstrongswan_plugins}\""
 openac_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
-
+openac.o :		$(top_builddir)/config.status
diff --git a/src/openac/Makefile.in b/src/openac/Makefile.in
index 08f621395..9f0f96561 100644
--- a/src/openac/Makefile.in
+++ b/src/openac/Makefile.in
@@ -220,6 +220,7 @@ ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libhydra_plugins = @libhydra_plugins@
 libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
@@ -633,6 +634,7 @@ uninstall-man: uninstall-man8
 	tags uninstall uninstall-am uninstall-ipsecPROGRAMS \
 	uninstall-man uninstall-man8
 
+openac.o :		$(top_builddir)/config.status
 
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
diff --git a/src/openac/openac.c b/src/openac/openac.c
index 2b9270ff9..a280192c2 100755
--- a/src/openac/openac.c
+++ b/src/openac/openac.c
@@ -105,7 +105,8 @@ static chunk_t read_serial(void)
 	}
 	else
 	{
-		DBG1("  file '%s' does not exist yet - serial number set to 01", OPENAC_SERIAL);
+		DBG1(DBG_LIB, "  file '%s' does not exist yet - serial number "
+			 "set to 01", OPENAC_SERIAL);
 	}
 	if (!serial.len)
 	{
@@ -129,7 +130,7 @@ static void write_serial(chunk_t serial)
 	{
 		chunk_t hex_serial;
 
-		DBG1("  serial number is %#B", &serial);
+		DBG1(DBG_LIB, "  serial number is %#B", &serial);
 		hex_serial = chunk_to_hex(serial, NULL, FALSE);
 		fprintf(fd, "%.*s\n", hex_serial.len, hex_serial.ptr);
 		fclose(fd);
@@ -137,7 +138,7 @@ static void write_serial(chunk_t serial)
 	}
 	else
 	{
-		DBG1("  could not open file '%s' for writing", OPENAC_SERIAL);
+		DBG1(DBG_LIB, "  could not open file '%s' for writing", OPENAC_SERIAL);
 	}
 }
 
@@ -151,7 +152,7 @@ static bool stderr_quiet = FALSE;
 /**
  * openac dbg function
  */
-static void openac_dbg(int level, char *fmt, ...)
+static void openac_dbg(debug_t group, level_t level, char *fmt, ...)
 {
 	int priority = LOG_INFO;
 	char buffer[8192];
@@ -431,7 +432,7 @@ int main(int argc, char **argv)
 		goto end;
 	}
 
-	DBG1("starting openac (strongSwan Version %s)", VERSION);
+	DBG1(DBG_LIB, "starting openac (strongSwan Version %s)", VERSION);
 
 	/* load the signer's RSA private key */
 	if (keyfile != NULL)
@@ -444,7 +445,7 @@ int main(int argc, char **argv)
 		{
 			goto end;
 		}
-		DBG1("  loaded private key file '%s'", keyfile);
+		DBG1(DBG_LIB, "  loaded private key file '%s'", keyfile);
 	}
 
 	/* load the signer's X.509 certificate */
diff --git a/src/pki/Makefile.am b/src/pki/Makefile.am
index a471b6477..8eac07afc 100644
--- a/src/pki/Makefile.am
+++ b/src/pki/Makefile.am
@@ -7,9 +7,11 @@ pki_SOURCES = pki.c pki.h command.c command.h \
 	commands/pub.c \
 	commands/req.c \
 	commands/self.c \
-	commands/verify.c 
+	commands/verify.c
 
 pki_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
+pki.o :	$(top_builddir)/config.status
+
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
 AM_CFLAGS = \
 	-DPLUGINS=\""${libstrongswan_plugins}\""
diff --git a/src/pki/Makefile.in b/src/pki/Makefile.in
index 1261d7fa8..522b9e887 100644
--- a/src/pki/Makefile.in
+++ b/src/pki/Makefile.in
@@ -196,6 +196,7 @@ ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libhydra_plugins = @libhydra_plugins@
 libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
@@ -237,7 +238,7 @@ pki_SOURCES = pki.c pki.h command.c command.h \
 	commands/pub.c \
 	commands/req.c \
 	commands/self.c \
-	commands/verify.c 
+	commands/verify.c
 
 pki_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
@@ -667,6 +668,7 @@ uninstall-am: uninstall-ipsecPROGRAMS
 	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
 	tags uninstall uninstall-am uninstall-ipsecPROGRAMS
 
+pki.o :	$(top_builddir)/config.status
 
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
diff --git a/src/pki/commands/gen.c b/src/pki/commands/gen.c
index 16d8d48d4..b2769da54 100644
--- a/src/pki/commands/gen.c
+++ b/src/pki/commands/gen.c
@@ -47,7 +47,7 @@ static int gen()
 					return command_usage("invalid key type");
 				}
 				continue;
-			case 'o':
+			case 'f':
 				if (!get_form(arg, &form, FALSE))
 				{
 					return command_usage("invalid key output format");
diff --git a/src/pki/commands/issue.c b/src/pki/commands/issue.c
index 07ab9066a..fcd758f87 100644
--- a/src/pki/commands/issue.c
+++ b/src/pki/commands/issue.c
@@ -161,7 +161,7 @@ static int issue()
 		}
 	}
 
-	DBG2("Reading ca certificate:");
+	DBG2(DBG_LIB, "Reading ca certificate:");
 	ca = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
 							BUILD_FROM_FILE, cacert, BUILD_END);
 	if (!ca)
@@ -182,7 +182,7 @@ static int issue()
 		goto end;
 	}
 
-	DBG2("Reading ca private key:");
+	DBG2(DBG_LIB, "Reading ca private key:");
 	private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY,
 								 public->get_type(public),
 								 BUILD_FROM_FILE, cakey, BUILD_END);
@@ -212,6 +212,11 @@ static int issue()
 			goto end;
 		}
 		rng->allocate_bytes(rng, 8, &serial);
+		while (*serial.ptr == 0x00)
+		{
+			/* we don't accept a serial number with leading zeroes */
+			rng->get_bytes(rng, 1, serial.ptr);
+		}
 		rng->destroy(rng);
 	}
 
@@ -221,7 +226,7 @@ static int issue()
 		identification_t *subjectAltName;
 		pkcs10_t *req;
 
-		DBG2("Reading certificate request");
+		DBG2(DBG_LIB, "Reading certificate request");
 		if (file)
 		{
 			cert_req = lib->creds->create(lib->creds, CRED_CERTIFICATE,
@@ -261,7 +266,7 @@ static int issue()
 	}
 	else
 	{
-		DBG2("Reading public key:");
+		DBG2(DBG_LIB, "Reading public key:");
 		if (file)
 		{
 			public = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ANY,
diff --git a/src/pki/commands/self.c b/src/pki/commands/self.c
index 30ae23be5..d283daa6a 100644
--- a/src/pki/commands/self.c
+++ b/src/pki/commands/self.c
@@ -158,6 +158,11 @@ static int self()
 			goto end;
 		}
 		rng->allocate_bytes(rng, 8, &serial);
+		while (*serial.ptr == 0x00)
+		{
+			/* we don't accept a serial number with leading zeroes */
+			rng->get_bytes(rng, 1, serial.ptr);
+		}
 		rng->destroy(rng);
 	}
 	not_before = time(NULL);
diff --git a/src/pluto/Makefile.am b/src/pluto/Makefile.am
index b83e4be33..a264e642e 100644
--- a/src/pluto/Makefile.am
+++ b/src/pluto/Makefile.am
@@ -46,6 +46,7 @@ state.c state.h \
 timer.c timer.h \
 vendor.c vendor.h \
 virtual.c virtual.h \
+whack_attribute.c whack_attribute.h \
 xauth.c xauth.h \
 x509.c x509.h \
 builder.c builder.h \
@@ -53,13 +54,17 @@ rsaref/pkcs11t.h rsaref/pkcs11.h rsaref/unix.h rsaref/pkcs11f.h
 
 _pluto_adns_SOURCES = adns.c adns.h
 
+plutomain.o :	$(top_builddir)/config.status
+
 LIBSTRONGSWANDIR=$(top_builddir)/src/libstrongswan
 LIBFREESWANDIR=$(top_builddir)/src/libfreeswan
+LIBHYDRADIR=$(top_builddir)/src/libhydra
 
 INCLUDES = \
 -I${linux_headers} \
 -I$(top_srcdir)/src/libstrongswan \
 -I$(top_srcdir)/src/libfreeswan \
+-I$(top_srcdir)/src/libhydra \
 -I$(top_srcdir)/src/whack
 
 AM_CFLAGS = \
@@ -75,6 +80,7 @@ AM_CFLAGS = \
 pluto_LDADD = \
 $(LIBSTRONGSWANDIR)/libstrongswan.la \
 $(LIBFREESWANDIR)/libfreeswan.a \
+$(LIBHYDRADIR)/libhydra.la \
 -lresolv $(PTHREADLIB) $(DLLIB)
 
 _pluto_adns_LDADD = \
diff --git a/src/pluto/Makefile.in b/src/pluto/Makefile.in
index c93756c44..47be9acf7 100644
--- a/src/pluto/Makefile.in
+++ b/src/pluto/Makefile.in
@@ -94,12 +94,13 @@ am_pluto_OBJECTS = ac.$(OBJEXT) alg_info.$(OBJEXT) ca.$(OBJEXT) \
 	pkcs7.$(OBJEXT) plutomain.$(OBJEXT) rcv_whack.$(OBJEXT) \
 	server.$(OBJEXT) smartcard.$(OBJEXT) spdb.$(OBJEXT) \
 	state.$(OBJEXT) timer.$(OBJEXT) vendor.$(OBJEXT) \
-	virtual.$(OBJEXT) xauth.$(OBJEXT) x509.$(OBJEXT) \
-	builder.$(OBJEXT)
+	virtual.$(OBJEXT) whack_attribute.$(OBJEXT) xauth.$(OBJEXT) \
+	x509.$(OBJEXT) builder.$(OBJEXT)
 pluto_OBJECTS = $(am_pluto_OBJECTS)
 pluto_DEPENDENCIES = $(LIBSTRONGSWANDIR)/libstrongswan.la \
-	$(LIBFREESWANDIR)/libfreeswan.a $(am__DEPENDENCIES_1) \
-	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1)
+	$(LIBFREESWANDIR)/libfreeswan.a $(LIBHYDRADIR)/libhydra.la \
+	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
+	$(am__DEPENDENCIES_1)
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
@@ -263,6 +264,7 @@ ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libhydra_plugins = @libhydra_plugins@
 libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
@@ -339,6 +341,7 @@ state.c state.h \
 timer.c timer.h \
 vendor.c vendor.h \
 virtual.c virtual.h \
+whack_attribute.c whack_attribute.h \
 xauth.c xauth.h \
 x509.c x509.h \
 builder.c builder.h \
@@ -347,10 +350,12 @@ rsaref/pkcs11t.h rsaref/pkcs11.h rsaref/unix.h rsaref/pkcs11f.h
 _pluto_adns_SOURCES = adns.c adns.h
 LIBSTRONGSWANDIR = $(top_builddir)/src/libstrongswan
 LIBFREESWANDIR = $(top_builddir)/src/libfreeswan
+LIBHYDRADIR = $(top_builddir)/src/libhydra
 INCLUDES = \
 -I${linux_headers} \
 -I$(top_srcdir)/src/libstrongswan \
 -I$(top_srcdir)/src/libfreeswan \
+-I$(top_srcdir)/src/libhydra \
 -I$(top_srcdir)/src/whack
 
 AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" \
@@ -362,8 +367,8 @@ AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" \
 	$(am__append_1) $(am__append_2) $(am__append_3) \
 	$(am__append_4) $(am__append_5) $(am__append_7)
 pluto_LDADD = $(LIBSTRONGSWANDIR)/libstrongswan.la \
-	$(LIBFREESWANDIR)/libfreeswan.a -lresolv $(PTHREADLIB) \
-	$(DLLIB) $(am__append_6)
+	$(LIBFREESWANDIR)/libfreeswan.a $(LIBHYDRADIR)/libhydra.la \
+	-lresolv $(PTHREADLIB) $(DLLIB) $(am__append_6)
 _pluto_adns_LDADD = \
 $(LIBFREESWANDIR)/libfreeswan.a \
 -lresolv $(DLLIB)
@@ -501,6 +506,7 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/timer.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/vendor.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/virtual.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/whack_attribute.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/x509.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xauth.Po@am__quote@
 
@@ -826,6 +832,8 @@ uninstall-man: uninstall-man5 uninstall-man8
 	uninstall-man8
 
 
+plutomain.o :	$(top_builddir)/config.status
+
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/src/pluto/ac.c b/src/pluto/ac.c
index d8b16112f..3ee05d213 100644
--- a/src/pluto/ac.c
+++ b/src/pluto/ac.c
@@ -88,16 +88,17 @@ bool ac_verify_cert(certificate_t *cert, bool strict)
 	cert_t *aacert;
 	time_t notBefore, valid_until;
 
-	DBG1("holder: '%Y'", subject);
-	DBG1("issuer: '%Y'", issuer);
+	DBG1(DBG_LIB, "holder: '%Y'", subject);
+	DBG1(DBG_LIB, "issuer: '%Y'", issuer);
 
 	if (!cert->get_validity(cert, NULL, NULL, &valid_until))
 	{
-		DBG1("attribute certificate is invalid (valid from %T to %T)",
+		DBG1(DBG_LIB, "attribute certificate is invalid (valid from %T to %T)",
 			 &notBefore, FALSE, &valid_until, FALSE);
 		return FALSE;
 	}
-	DBG1("attribute certificate is valid until %T", &valid_until, FALSE);
+	DBG1(DBG_LIB, "attribute certificate is valid until %T", &valid_until,
+		 FALSE);
 
 	lock_authcert_list("verify_x509acert");
 	aacert = get_authcert(issuer, authKeyID, X509_AA);
@@ -105,17 +106,17 @@ bool ac_verify_cert(certificate_t *cert, bool strict)
 
 	if (aacert == NULL)
 	{
-		DBG1("issuer aacert not found");
+		DBG1(DBG_LIB, "issuer aacert not found");
 		return FALSE;
 	}
-	DBG2("issuer aacert found");
+	DBG2(DBG_LIB, "issuer aacert found");
 
 	if (!cert->issued_by(cert, aacert->cert))
 	{
-		DBG1("attribute certificate signature is invalid");
+		DBG1(DBG_LIB, "attribute certificate signature is invalid");
 		return FALSE;
 	}
-	DBG1("attribute certificate signature is valid");
+	DBG1(DBG_LIB, "attribute certificate signature is valid");
 
 	return verify_x509cert(aacert, strict, &valid_until);
 }
@@ -175,8 +176,8 @@ bool match_group_membership(ietf_attributes_t *peer_attributes, char *conn,
 	}
 
 	match = conn_attributes->matches(conn_attributes, peer_attributes);
-	DBG1("%s: peer with attributes '%s' is %sa member of the groups '%s'",
-		 conn, peer_attributes->get_string(peer_attributes),
+	DBG1(DBG_LIB, "%s: peer with attributes '%s' is %sa member of the "
+		 "groups '%s'", conn, peer_attributes->get_string(peer_attributes),
 		 match ? "" : "not ", conn_attributes->get_string(conn_attributes));
 
 	return match;
@@ -191,7 +192,7 @@ void ac_load_certs(void)
 	struct stat st;
 	char *file;
 
-	DBG1("loading attribute certificates from '%s'", A_CERT_PATH);
+	DBG1(DBG_LIB, "loading attribute certificates from '%s'", A_CERT_PATH);
 
 	enumerator = enumerator_create_directory(A_CERT_PATH);
 	if (!enumerator)
@@ -212,7 +213,7 @@ void ac_load_certs(void)
 								  BUILD_FROM_FILE, file, BUILD_END);
 		if (cert)
 		{
-			DBG1("  loaded attribute certificate from '%s'", file);
+			DBG1(DBG_LIB, "  loaded attribute certificate from '%s'", file);
 			ac_add_cert(cert);
 		}
 	}
@@ -266,7 +267,7 @@ void ac_list_certs(bool utc)
 			whack_log(RC_COMMENT, "  hserial:   %#B", &holderSerial);
 		}
 
-		groups = ac->get_groups(ac);		
+		groups = ac->get_groups(ac);
 		if (groups)
 		{
 			whack_log(RC_COMMENT, "  groups:    %s", groups->get_string(groups));
diff --git a/src/pluto/alg_info.c b/src/pluto/alg_info.c
index edecf14c6..32fd46ef4 100644
--- a/src/pluto/alg_info.c
+++ b/src/pluto/alg_info.c
@@ -139,6 +139,7 @@ static bool is_authenticated_encryption(int ealg_id)
 		case ESP_AES_GCM_8:
 		case ESP_AES_GCM_12:
 		case ESP_AES_GCM_16:
+		case ESP_AES_GMAC:
 			return TRUE;
 	}
 	return FALSE;
@@ -474,7 +475,7 @@ struct alg_info_ike *alg_info_ike_create_from_str(char *alg_str)
 
 	if (alg_info_parse_str((struct alg_info *)alg_info_ike, alg_str) == SUCCESS)
 	{
-		alg_info_ike->ref_cnt = 1;	
+		alg_info_ike->ref_cnt = 1;
 		return alg_info_ike;
 	}
 	else
diff --git a/src/pluto/ca.c b/src/pluto/ca.c
index e25e7f6f5..2654774fa 100644
--- a/src/pluto/ca.c
+++ b/src/pluto/ca.c
@@ -293,12 +293,12 @@ void load_authcerts(char *type, char *path, x509_flag_t auth_flags)
 	struct stat st;
 	char *file;
 
-	DBG1("loading %s certificates from '%s'", type, path);
+	DBG1(DBG_LIB, "loading %s certificates from '%s'", type, path);
 
 	enumerator = enumerator_create_directory(path);
 	if (!enumerator)
 	{
-		DBG1("  reading directory '%s' failed");
+		DBG1(DBG_LIB, "  reading directory '%s' failed", path);
 		return;
 	}
 
diff --git a/src/pluto/connections.c b/src/pluto/connections.c
index fece34eec..dd193042a 100644
--- a/src/pluto/connections.c
+++ b/src/pluto/connections.c
@@ -30,6 +30,7 @@
 #include <freeswan.h>
 #include "kameipsec.h"
 
+#include <hydra.h>
 #include <credentials/certificates/ac.h>
 #include <credentials/keys/private_key.h>
 
@@ -61,6 +62,7 @@
 #include "kernel_alg.h"
 #include "nat_traversal.h"
 #include "virtual.h"
+#include "whack_attribute.h"
 
 static void flush_pending_by_connection(connection_t *c);  /* forward */
 
@@ -104,7 +106,7 @@ bool his_id_was_instantiated(const connection_t *c)
 	{
 		identification_t *host;
 		bool equal;
-	
+
 		host = identification_create_from_sockaddr((sockaddr_t*)&c->spd.that.host_addr);
 		equal = host->equals(host, c->spd.that.id);
 		host->destroy(host);
@@ -113,7 +115,7 @@ bool his_id_was_instantiated(const connection_t *c)
 	else
 	{
 		return TRUE;
-	} 
+	}
 }
 
 /**
@@ -369,11 +371,16 @@ void delete_connection(connection_t *c, bool relations)
 		host_t *vip;
 
 		vip = host_create_from_sockaddr((sockaddr_t*)&c->spd.that.host_srcip);
-		lib->attributes->release_address(lib->attributes, c->spd.that.pool,
-										 vip, c->spd.that.id);
+		hydra->attributes->release_address(hydra->attributes, c->spd.that.pool,
+										   vip, c->spd.that.id);
 		vip->destroy(vip);
 	}
 
+	if (c->kind != CK_GOING_AWAY)
+	{
+		whack_attr->del_pool(whack_attr, c->name);
+	}
+
 	/* free internal data */
 #ifdef DEBUG
 	cur_debugging = old_cur_debugging;
@@ -683,7 +690,7 @@ size_t format_end(char *buf, size_t buf_len, const struct end *this,
 	}
 
 	/* id */
-	snprintf(host_id, sizeof(host_id), "[%Y]", this->id); 
+	snprintf(host_id, sizeof(host_id), "[%Y]", this->id);
 
 	/* [---hop] */
 	hop[0] = '\0';
@@ -769,7 +776,7 @@ static void load_end_certificate(char *filename, struct end *dst)
 	cert_t *cert = NULL;
 	certificate_t *certificate;
 	bool cached_cert = FALSE;
-	
+
 	/* initialize end certificate */
 	dst->cert = NULL;
 
@@ -853,10 +860,11 @@ static void load_end_certificate(char *filename, struct end *dst)
 }
 
 static bool extract_end(struct end *dst, const whack_end_t *src,
-						const char *which)
+						const char *name, bool is_left)
 {
 	bool same_ca = FALSE;
 
+	dst->is_left = is_left;
 	dst->id = identification_create_from_string(src->id);
 	dst->ca = NULL;
 
@@ -1117,15 +1125,14 @@ void add_connection(const whack_message_t *wm)
 		c->tunnel_addr_family = wm->tunnel_addr_family;
 
 		c->requested_ca = NULL;
+		same_leftca  = extract_end(&c->spd.this, &wm->left, wm->name, TRUE);
+		same_rightca = extract_end(&c->spd.that, &wm->right, wm->name, FALSE);
 
-		same_leftca  = extract_end(&c->spd.this, &wm->left, "left");
-		same_rightca = extract_end(&c->spd.that, &wm->right, "right");
-
-		if (same_rightca)
+		if (same_rightca && c->spd.this.ca)
 		{
 			c->spd.that.ca = c->spd.this.ca->clone(c->spd.this.ca);
 		}
-		else if (same_leftca)
+		else if (same_leftca && c->spd.that.ca)
 		{
 			c->spd.this.ca = c->spd.that.ca->clone(c->spd.that.ca);
 		}
@@ -1196,6 +1203,17 @@ void add_connection(const whack_message_t *wm)
 
 		(void)orient(c);
 
+		/* if rightsourceip defines a subnet then create an in-memory pool */
+		if (whack_attr->add_pool(whack_attr, c->name,
+							c->spd.this.is_left ? &wm->right : &wm->left))
+		{
+			c->spd.that.pool = clone_str(c->name);
+			c->spd.that.modecfg = TRUE;
+			c->spd.that.has_client = FALSE;
+			/* reset the host_srcip so that it gets assigned in modecfg */
+			anyaddr(AF_INET, &c->spd.that.host_srcip);
+		}
+
 		if (c->ikev1)
 		{
 			connect_to_host_pair(c);
@@ -1794,7 +1812,7 @@ connection_t *build_outgoing_opportunistic_connection(struct gw_info *gw,
 	else
 	{
 		chunk_t encoding = gw->gw_id->get_encoding(gw->gw_id);
-		id_type_t type   = gw->gw_id->get_type(gw->gw_id); 
+		id_type_t type   = gw->gw_id->get_type(gw->gw_id);
 		ip_address ip_addr;
 
 		initaddr(encoding.ptr, encoding.len,
@@ -2758,7 +2776,7 @@ static void initiate_opportunistic_body(struct find_oppo_bundle *b,
 					addrtot(&b->peer_client, 0, pcb, sizeof(pcb));
 					loglog(RC_OPPOFAILURE,
 							"no suitable connection for opportunism "
-						  	"between %s and %s with %Y as peer",
+							"between %s and %s with %Y as peer",
 							 ocb, pcb, ac->gateways_from_dns->gw_id);
 
 #ifdef KLIPS
@@ -3379,7 +3397,7 @@ connection_t *refine_host_connection(const struct state *st,
 			id_match_t match_level = peer_id->matches(peer_id, d->spd.that.id);
 
 			bool matching_id = match_level > ID_MATCH_NONE;
-				
+
 			bool matching_auth = (d->policy & auth_policy) != LEMPTY;
 
 			bool matching_trust = trusted_ca(peer_ca
@@ -3580,7 +3598,7 @@ static connection_t *fc_try(const connection_t *c, struct host_pair *hp,
 	policy_prio_t best_prio = BOTTOM_PRIO;
 	id_match_t match_level;
 	int pathlen;
-	
+
 
 	const bool peer_net_is_host = subnetisaddr(peer_net, &c->spd.that.host_addr);
 
@@ -3675,7 +3693,8 @@ static connection_t *fc_try(const connection_t *c, struct host_pair *hp,
 			}
 			else
 			{
-				if (!peer_net_is_host)
+				if (!peer_net_is_host && !(sr->that.modecfg && c->spd.that.modecfg &&
+						subnetisaddr(peer_net, &c->spd.that.host_srcip)))
 				{
 					continue;
 				}
@@ -3843,7 +3862,7 @@ void get_peer_ca_and_groups(connection_t *c,
 		if (cert && ac_verify_cert(cert, strict_crl_policy))
 		{
 			ac_t *ac = (ac_t*)cert;
-		
+
 			*peer_attributes = ac->get_groups(ac);
 		}
 		else
diff --git a/src/pluto/connections.h b/src/pluto/connections.h
index ee2e00da6..66aea1541 100644
--- a/src/pluto/connections.h
+++ b/src/pluto/connections.h
@@ -137,6 +137,7 @@ struct end {
 		host_srcip;
 	ip_subnet client;
 
+	bool is_left;
 	bool key_from_DNS_on_demand;
 	bool has_client;
 	bool has_client_wildcard;
diff --git a/src/pluto/constants.c b/src/pluto/constants.c
index 6f991fd69..63a37009b 100644
--- a/src/pluto/constants.c
+++ b/src/pluto/constants.c
@@ -392,7 +392,8 @@ static const char *const esp_transform_name[] = {
 	"AES_GCM_12",
 	"AES_GCM_16",
 	"SEED_CBC",
-	"CAMELLIA_CBC"
+	"CAMELLIA_CBC",
+	"AES_GMAC"
 };
 
 static const char *const esp_transform_name_high[] = {
@@ -404,7 +405,7 @@ enum_names esp_transform_names_high =
 	{ ESP_SERPENT, ESP_TWOFISH, esp_transform_name_high, NULL };
 
 enum_names esp_transform_names =
-	{ ESP_DES_IV64, ESP_CAMELLIA, esp_transform_name, &esp_transform_names_high };
+	{ ESP_DES_IV64, ESP_AES_GMAC, esp_transform_name, &esp_transform_names_high };
 
 /* IPCOMP transform values */
 
@@ -919,12 +920,15 @@ static const char *const oakley_group_name_rfc4753[] = {
 };
 
 static const char *const oakley_group_name_rfc5114[] = {
+	"MODP_1024_160",
+	"MODP_2048_224",
+	"MODP_2048_256",
 	"ECP_192",
 	"ECP_224"
 };
 
 enum_names oakley_group_names_rfc5114 =
-	{ ECP_192_BIT, ECP_224_BIT,
+	{ MODP_1024_160, ECP_224_BIT,
 			oakley_group_name_rfc5114, NULL };
 
 enum_names oakley_group_names_rfc4753 =
diff --git a/src/pluto/constants.h b/src/pluto/constants.h
index 8c574ebc5..e9567c07a 100644
--- a/src/pluto/constants.h
+++ b/src/pluto/constants.h
@@ -125,10 +125,10 @@ extern const char sparse_end[];
 #define MAX_DIGEST_LEN          HASH_SIZE_SHA512
 
 /* RFC 2404 "HMAC-SHA-1-96" section 3 */
-#define HMAC_SHA1_KEY_LEN		HASH_SIZE_SHA1
+#define HMAC_SHA1_KEY_LEN       HASH_SIZE_SHA1
 
 /* RFC 2403 "HMAC-MD5-96" section 3 */
-#define HMAC_MD5_KEY_LEN   		HASH_SIZE_MD5
+#define HMAC_MD5_KEY_LEN        HASH_SIZE_MD5
 
 #define IKE_UDP_PORT    500
 
@@ -150,7 +150,7 @@ enum ipsec_authentication_algo {
 	AH_AES_128_GMAC = 11,
 	AH_AES_192_GMAC = 12,
 	AH_AES_256_GMAC = 13,
-	AH_SHA2_256_96  = 252  
+	AH_SHA2_256_96  = 252
 };
 
 extern enum_names ah_transform_names;
@@ -184,6 +184,7 @@ enum ipsec_cipher_algo {
 	ESP_AES_GCM_16    = 20,
 	ESP_SEED_CBC      = 21,
 	ESP_CAMELLIA      = 22,
+	ESP_AES_GMAC      = 23,
 	ESP_SERPENT       = 252,
 	ESP_TWOFISH       = 253
 };
diff --git a/src/pluto/crypto.c b/src/pluto/crypto.c
index 2113cecbc..a62e7632d 100644
--- a/src/pluto/crypto.c
+++ b/src/pluto/crypto.c
@@ -237,6 +237,27 @@ static struct dh_desc dh_desc_ecp_521 = {
 	ke_size:    2*528 / BITS_PER_BYTE
 };
 
+static struct dh_desc dh_desc_modp_1024_160 = {
+	algo_type:  IKE_ALG_DH_GROUP,
+	algo_id:    MODP_1024_160,
+	algo_next:  NULL,
+	ke_size:    1024 / BITS_PER_BYTE
+};
+
+static struct dh_desc dh_desc_modp_2048_224 = {
+	algo_type:  IKE_ALG_DH_GROUP,
+	algo_id:    MODP_2048_224,
+	algo_next:  NULL,
+	ke_size:    2048 / BITS_PER_BYTE
+};
+
+static struct dh_desc dh_desc_modp_2048_256 = {
+	algo_type:  IKE_ALG_DH_GROUP,
+	algo_id:    MODP_2048_256,
+	algo_next:  NULL,
+	ke_size:    2048 / BITS_PER_BYTE
+};
+
 static struct dh_desc dh_desc_ecp_192 = {
 	algo_type:  IKE_ALG_DH_GROUP,
 	algo_id:    ECP_192_BIT,
@@ -370,6 +391,15 @@ bool init_crypto(void)
 			case ECP_521_BIT:
 				desc = &dh_desc_ecp_521;
 				break;
+			case MODP_1024_160:
+				desc = &dh_desc_modp_1024_160;
+				break;
+			case MODP_2048_224:
+				desc = &dh_desc_modp_2048_224;
+				break;
+			case MODP_2048_256:
+				desc = &dh_desc_modp_2048_256;
+				break;
 			case ECP_192_BIT:
 				desc = &dh_desc_ecp_192;
 				break;
@@ -580,9 +610,11 @@ int esp_from_encryption_algorithm(encryption_algorithm_t alg)
 			return ESP_AES_GCM_16;
 		case ENCR_CAMELLIA_CBC:
 			return ESP_CAMELLIA;
+		case ENCR_NULL_AUTH_AES_GMAC:
+			return ESP_AES_GMAC;
 		case ENCR_SERPENT_CBC:
 			return ESP_SERPENT;
-	case ENCR_TWOFISH_CBC:
+		case ENCR_TWOFISH_CBC:
 			return ESP_TWOFISH;
 		default:
 			return 0;
diff --git a/src/pluto/demux.h b/src/pluto/demux.h
index 4faf6e532..2161bbd02 100644
--- a/src/pluto/demux.h
+++ b/src/pluto/demux.h
@@ -61,6 +61,7 @@ struct msg_digest {
 	notification_t note;        /* reason for failure */
 	bool dpd;                   /* peer supports RFC 3706 DPD */
 	bool openpgp;               /* peer supports OpenPGP certificates */
+	bool ms_nt5;                /* peer is a windows 2000+ host */
 
 #   define PAYLIMIT 40
 	struct payload_digest
diff --git a/src/pluto/fetch.c b/src/pluto/fetch.c
index 6172165bd..1d2d13371 100644
--- a/src/pluto/fetch.c
+++ b/src/pluto/fetch.c
@@ -266,10 +266,10 @@ x509crl_t* fetch_crl(char *url)
 	x509crl_t *crl;
 	chunk_t blob;
 
-	DBG1("  fetching crl from '%s' ...", url);
+	DBG1(DBG_LIB, "  fetching crl from '%s' ...", url);
 	if (lib->fetcher->fetch(lib->fetcher, url, &blob, FETCH_END) != SUCCESS)
 	{
-		DBG1("crl fetching failed");
+		DBG1(DBG_LIB, "crl fetching failed");
 		return FALSE;
 	}
 	crl = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_PLUTO_CRL,
@@ -277,7 +277,8 @@ x509crl_t* fetch_crl(char *url)
 	free(blob.ptr);
 	if (!crl)
 	{
-		DBG1("crl fetched successfully but data coded in unknown format");
+		DBG1(DBG_LIB, "crl fetched successfully but data coded in unknown "
+			 "format");
 	}
 	return crl;
 }
@@ -395,7 +396,7 @@ static void fetch_ocsp_status(ocsp_location_t* location)
 	chunk_t request = build_ocsp_request(location);
 	chunk_t response = chunk_empty;
 
-	DBG1("  requesting ocsp status from '%s' ...", location->uri);
+	DBG1(DBG_LIB, "  requesting ocsp status from '%s' ...", location->uri);
 	if (lib->fetcher->fetch(lib->fetcher, location->uri, &response,
 							FETCH_REQUEST_DATA, request,
 							FETCH_REQUEST_TYPE, "application/ocsp-request",
@@ -405,7 +406,7 @@ static void fetch_ocsp_status(ocsp_location_t* location)
 	}
 	else
 	{
-		DBG1("ocsp request to %s failed", location->uri);
+		DBG1(DBG_LIB, "ocsp request to %s failed", location->uri);
 	}
 
 	free(request.ptr);
diff --git a/src/pluto/ipsec_doi.c b/src/pluto/ipsec_doi.c
index 1f8917d79..34c42e294 100644
--- a/src/pluto/ipsec_doi.c
+++ b/src/pluto/ipsec_doi.c
@@ -702,6 +702,8 @@ void accept_delete(struct state *st, struct msg_digest *md,
 				   struct payload_digest *p)
 {
 	struct isakmp_delete *d = &(p->payload.delete);
+	identification_t *this_id, *that_id;
+	ip_address peer_addr;
 	size_t sizespi;
 	int i;
 
@@ -759,6 +761,15 @@ void accept_delete(struct state *st, struct msg_digest *md,
 		return;
 	}
 
+	if (d->isad_protoid == PROTO_ISAKMP)
+	{
+		struct end *this = &st->st_connection->spd.this;
+		struct end *that = &st->st_connection->spd.that;
+		this_id = this->id->clone(this->id);
+		that_id = that->id->clone(that->id);
+		peer_addr = st->st_connection->spd.that.host_addr;
+	}
+
 	for (i = 0; i < d->isad_nospi; i++)
 	{
 		u_char *spi = p->pbs.cur + (i * sizespi);
@@ -770,7 +781,7 @@ void accept_delete(struct state *st, struct msg_digest *md,
 			 */
 			struct state *dst = find_state(spi /*iCookie*/
 				, spi+COOKIE_SIZE /*rCookie*/
-				, &st->st_connection->spd.that.host_addr
+				, &peer_addr
 				, MAINMODE_MSGID);
 
 			if (dst == NULL)
@@ -778,7 +789,8 @@ void accept_delete(struct state *st, struct msg_digest *md,
 				loglog(RC_LOG_SERIOUS, "ignoring Delete SA payload: "
 					"ISAKMP SA not found (maybe expired)");
 			}
-			else if (!same_peer_ids(st->st_connection, dst->st_connection, NULL))
+			else if (! this_id->equals(this_id, dst->st_connection->spd.this.id) ||
+					 ! that_id->equals(that_id, dst->st_connection->spd.that.id))
 			{
 				/* we've not authenticated the relevant identities */
 				loglog(RC_LOG_SERIOUS, "ignoring Delete SA payload: "
@@ -876,6 +888,12 @@ void accept_delete(struct state *st, struct msg_digest *md,
 			}
 		}
 	}
+
+	if (d->isad_protoid == PROTO_ISAKMP)
+	{
+		this_id->destroy(this_id);
+		that_id->destroy(that_id);
+	}
 }
 
 /* The whole message must be a multiple of 4 octets.
@@ -2753,6 +2771,7 @@ static void compute_proto_keymat(struct state *st, u_int8_t protoid,
 				case ESP_AES_GCM_12:
 				case ESP_AES_GCM_16:
 				case ESP_AES_CTR:
+				case ESP_AES_GMAC:
 					needed_len += 4;
 					break;
 				default:
@@ -3620,7 +3639,7 @@ stf_status main_inR2_outI3(struct msg_digest *md)
 	if (send_cert)
 	{
 		bool success;
-		chunk_t cert_encoding;	
+		chunk_t cert_encoding;
 		pb_stream cert_pbs;
 
 		struct isakmp_cert cert_hd;
@@ -3634,7 +3653,7 @@ stf_status main_inR2_outI3(struct msg_digest *md)
 		cert_encoding = mycert->cert->get_encoding(mycert->cert);
 		success = out_chunk(cert_encoding, &cert_pbs, "CERT");
 		free(cert_encoding.ptr);
-		if (!success)	
+		if (!success)
 		{
 			return STF_INTERNAL_ERROR;
 		}
@@ -4076,7 +4095,7 @@ main_inI3_outR3_tail(struct msg_digest *md
 		success = out_chunk(cert_encoding, &cert_pbs, "CERT");
 		free(cert_encoding.ptr);
 		if (!success)
-		{	
+		{
 			return STF_INTERNAL_ERROR;
 		}
 		close_output_pbs(&cert_pbs);
@@ -4871,6 +4890,21 @@ static stf_status quick_inI1_outR1_tail(struct verify_oppo_bundle *b,
 					 */
 					p = rw_instantiate(p, &c->spd.that.host_addr, md->sender_port
 								, his_net, c->spd.that.id);
+
+					/* inherit any virtual IP assigned by a Mode Config exchange */ 
+					if (p->spd.that.modecfg && c->spd.that.modecfg &&
+						subnetisaddr(his_net, &c->spd.that.host_srcip))
+					{
+						char srcip[ADDRTOT_BUF];
+
+						DBG(DBG_CONTROL,
+							addrtot(&c->spd.that.host_srcip, 0, srcip, sizeof(srcip));
+							DBG_log("inheriting virtual IP source address %s from ModeCfg", srcip)
+						)
+						p->spd.that.host_srcip = c->spd.that.host_srcip;
+						p->spd.that.client = c->spd.that.client;
+						p->spd.that.has_client = TRUE;
+					}
 				}
 			}
 #ifdef DEBUG
diff --git a/src/pluto/kernel.c b/src/pluto/kernel.c
index fe4655d3f..ee22fb55e 100644
--- a/src/pluto/kernel.c
+++ b/src/pluto/kernel.c
@@ -1993,6 +1993,7 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound)
 			case ESP_AES_GCM_12:
 			case ESP_AES_GCM_16:
 			case ESP_AES_CTR:
+			case ESP_AES_GMAC:
 				key_len += 4;
 				break;
 			default:
diff --git a/src/pluto/kernel_alg.c b/src/pluto/kernel_alg.c
index bf67315e6..7c2855edc 100644
--- a/src/pluto/kernel_alg.c
+++ b/src/pluto/kernel_alg.c
@@ -395,6 +395,10 @@ void kernel_alg_register_pfkey(const struct sadb_msg *msg_buf, int buflen)
 						kernel_alg_add(satype, supp_exttype, &alg);
 					}
 				}
+
+				/* also register AES_GMAC */
+				alg.sadb_alg_id = SADB_X_EALG_NULL_AES_GMAC;
+				kernel_alg_add(satype, supp_exttype, &alg);
 			}
 			/* if SHA2_256 is registered then also register SHA2_256_96 */
 			if (satype == SADB_SATYPE_ESP &&
diff --git a/src/pluto/kernel_netlink.c b/src/pluto/kernel_netlink.c
index 289714b50..75d0c98d3 100644
--- a/src/pluto/kernel_netlink.c
+++ b/src/pluto/kernel_netlink.c
@@ -112,6 +112,7 @@ static sparse_names ealg_list = {
 	{ SADB_X_EALG_AES_GCM_ICV8,  "rfc4106(gcm(aes))" },
 	{ SADB_X_EALG_AES_GCM_ICV12, "rfc4106(gcm(aes))" },
 	{ SADB_X_EALG_AES_GCM_ICV16, "rfc4106(gcm(aes))" },
+	{ SADB_X_EALG_NULL_AES_GMAC, "rfc4543(gcm(aes))" },
 	{ SADB_X_EALG_CAMELLIACBC,   "cbc(camellia)" },
 	{ SADB_X_EALG_SERPENTCBC,    "serpent" },
 	{ SADB_X_EALG_TWOFISHCBC,    "twofish" },
@@ -687,6 +688,7 @@ static bool netlink_add_sa(const struct kernel_sa *sa, bool replace)
 			break;
 		case SADB_X_EALG_AES_CCM_ICV16:
 		case SADB_X_EALG_AES_GCM_ICV16:
+		case SADB_X_EALG_NULL_AES_GMAC:
 			icv_size += 32;
 			/* FALL */
 		case SADB_X_EALG_AES_CCM_ICV12:
diff --git a/src/pluto/lex.c b/src/pluto/lex.c
index f48d24a54..d5ebdaba9 100644
--- a/src/pluto/lex.c
+++ b/src/pluto/lex.c
@@ -205,7 +205,7 @@ flushline(const char *m)
 	{
 		if (m != NULL)
 			loglog(RC_LOG_SERIOUS, "\"%s\" line %d: %s", flp->filename, flp->lino, m);
-		do ; while (shift());
+		do {} while (shift());
 		return FALSE;
 	}
 }
diff --git a/src/pluto/log.c b/src/pluto/log.c
index 2f3536ff3..444ac2220 100644
--- a/src/pluto/log.c
+++ b/src/pluto/log.c
@@ -40,7 +40,8 @@
 #include "connections.h"
 #include "myid.h"
 #include "kernel.h"
-#include "whack.h"      /* needs connections.h */
+#include "whack.h"
+#include "whack_attribute.h"
 #include "timer.h"
 
 /* close one per-peer log */
@@ -85,7 +86,7 @@ u_int16_t cur_from_port;        /* host order */
 /**
  * pluto dbg function for libstrongswan
  */
-static void pluto_dbg(int level, char *fmt, ...)
+static void pluto_dbg(debug_t group, level_t level, char *fmt, ...)
 {
 	int priority = LOG_INFO;
 	int debug_level;
@@ -856,6 +857,7 @@ void show_status(bool all, const char *name)
 		show_myid_status();
 		show_loaded_plugins();
 		show_debug_status();
+		show_pools(name);
 		whack_log(RC_COMMENT, BLANK_FORMAT);    /* spacer */
 	}
 	show_connections_status(all, name);
diff --git a/src/pluto/modecfg.c b/src/pluto/modecfg.c
index 03ec7f41f..0c4f2bd6b 100644
--- a/src/pluto/modecfg.c
+++ b/src/pluto/modecfg.c
@@ -26,6 +26,7 @@
 #include <freeswan.h>
 
 #include <library.h>
+#include <hydra.h>
 #include <attributes/attributes.h>
 #include <crypto/prfs/prf.h>
 
@@ -119,7 +120,7 @@ static void init_internal_addr(internal_addr_t *ia)
 static void get_internal_addr(connection_t *c, host_t *requested_vip,
 							  internal_addr_t *ia)
 {
-	int i, dns_idx = 0, nbns_idx = 0;
+	int dns_idx = 0, nbns_idx = 0;
 	enumerator_t *enumerator;
 	configuration_attribute_type_t type;
 	chunk_t value;
@@ -129,13 +130,13 @@ static void get_internal_addr(connection_t *c, host_t *requested_vip,
 	{
 		if (c->spd.that.pool)
 		{
-			vip = lib->attributes->acquire_address(lib->attributes,
+			vip = hydra->attributes->acquire_address(hydra->attributes,
 										c->spd.that.pool, c->spd.that.id,
 										requested_vip);
 			if (vip)
 			{
 				chunk_t addr = vip->get_address(vip);
-		
+
 				plog("assigning virtual IP %H to peer", vip);
 				initaddr(addr.ptr, addr.len, vip->get_family(vip), &ia->ipaddr);
 
@@ -150,7 +151,7 @@ static void get_internal_addr(connection_t *c, host_t *requested_vip,
 	{
 		ia->ipaddr = c->spd.that.host_srcip;
 		vip = host_create_from_sockaddr((sockaddr_t*)&ia->ipaddr);
-		plog("assigning virtual IP  %H to peer", vip);
+		plog("assigning virtual IP %H to peer", vip);
 	}
 
 	if (!isanyaddr(&ia->ipaddr))        /* We got an IP address, send it */
@@ -164,67 +165,15 @@ static void get_internal_addr(connection_t *c, host_t *requested_vip,
 					 | LELEM(INTERNAL_IP4_NETMASK);
 	}
 
-	/* assign DNS servers from strongswan.conf */
-	for (i = 1; i <= DNS_SERVER_MAX; i++)
-	{
-		char dns_key[16], *dns_str;
-
-		snprintf(dns_key, sizeof(dns_key), "pluto.dns%d", i);
-		dns_str = lib->settings->get_str(lib->settings, dns_key, NULL);
-		if (dns_str)
-		{
-			err_t ugh;
-			sa_family_t family = strchr(dns_str, ':') ? AF_INET6 : AF_INET;
-
-			ugh = ttoaddr(dns_str, 0, family, &ia->dns[dns_idx]);
-			if (ugh)
-			{
-				plog("error in DNS server address: %s", ugh);
-				continue;
-			}
-			plog("assigning DNS server %s to peer", dns_str);
-
-			/* differentiate between IP4 and IP6 in modecfg_build_msg() */
-			ia->attr_set |= LELEM(INTERNAL_IP4_DNS);
-			dns_idx++;
-		}
-	}
-
-	/* assign NBNS servers from strongswan.conf */
-	for (i = 1; i <= NBNS_SERVER_MAX; i++)
-	{
-		char nbns_key[16], *nbns_str;
-
-		snprintf(nbns_key, sizeof(nbns_key), "pluto.nbns%d", i);
-		nbns_str = lib->settings->get_str(lib->settings, nbns_key, NULL);
-		if (nbns_str)
-		{
-			err_t ugh;
-			sa_family_t family = strchr(nbns_str, ':') ? AF_INET6 : AF_INET;
-
-			ugh = ttoaddr(nbns_str, 0, family, &ia->nbns[nbns_idx]);
-			if (ugh)
-			{
-				plog("error in NBNS server address: %s", ugh);
-				continue;
-			}
-			plog("assigning NBNS server %s to peer", nbns_str);
-
-			/* differentiate between IP4 and IP6 in modecfg_build_msg() */
-			ia->attr_set |= LELEM(INTERNAL_IP4_NBNS);
-			nbns_idx++;
-		}
-	}
-
 	/* assign attributes from registered providers */
-	enumerator = lib->attributes->create_responder_enumerator(lib->attributes,
+	enumerator = hydra->attributes->create_responder_enumerator(hydra->attributes,
 											c->spd.that.id, vip);
 	while (enumerator->enumerate(enumerator, &type, &value))
 	{
 		err_t ugh;
 		host_t *server;
 		sa_family_t family = AF_INET;
-		
+
 		switch (type)
 		{
 			case INTERNAL_IP6_DNS:
@@ -257,7 +206,7 @@ static void get_internal_addr(connection_t *c, host_t *requested_vip,
 				/* fallthrough */
 			case INTERNAL_IP4_NBNS:
 				if (nbns_idx >= NBNS_SERVER_MAX)
- 				{
+				{
 					plog("exceeded the maximum number of %d NBNS servers",
 						 NBNS_SERVER_MAX);
 					break;
@@ -279,7 +228,7 @@ static void get_internal_addr(connection_t *c, host_t *requested_vip,
 
 			default:
 				break;
-		}			
+		}
 	}
 	enumerator->destroy(enumerator);
 	DESTROY_IF(vip);
diff --git a/src/pluto/pkcs7.c b/src/pluto/pkcs7.c
index 733dd2623..b24ef1a8c 100644
--- a/src/pluto/pkcs7.c
+++ b/src/pluto/pkcs7.c
@@ -146,7 +146,7 @@ bool pkcs7_parse_contentInfo(chunk_t blob, u_int level0, contentInfo_t *cInfo)
 			if (cInfo->type < OID_PKCS7_DATA
 			||  cInfo->type > OID_PKCS7_ENCRYPTED_DATA)
 			{
-				DBG1("unknown pkcs7 content type");
+				DBG1(DBG_LIB, "unknown pkcs7 content type");
 				goto end;
 			}
 		}
@@ -187,7 +187,7 @@ bool pkcs7_parse_signedData(chunk_t blob, contentInfo_t *data,
 	}
 	if (cInfo.type != OID_PKCS7_SIGNED_DATA)
 	{
-		DBG1("pkcs7 content type is not signedData");
+		DBG1(DBG_LIB, "pkcs7 content type is not signedData");
 		return FALSE;
 	}
 
@@ -202,7 +202,7 @@ bool pkcs7_parse_signedData(chunk_t blob, contentInfo_t *data,
 		{
 		case PKCS7_SIGNED_VERSION:
 			version = object.len ? (int)*object.ptr : 0;
-			DBG2("  v%d", version);
+			DBG2(DBG_LIB, "  v%d", version);
 			break;
 		case PKCS7_DIGEST_ALG:
 			digest_alg = asn1_parse_algorithmIdentifier(object, level, NULL);
@@ -217,7 +217,7 @@ bool pkcs7_parse_signedData(chunk_t blob, contentInfo_t *data,
 			{
 				certificate_t *cert;
 
-				DBG2("  parsing pkcs7-wrapped certificate");
+				DBG2(DBG_LIB, "  parsing pkcs7-wrapped certificate");
 				cert = lib->creds->create(lib->creds,
 								  		  CRED_CERTIFICATE, CERT_X509,
 								  		  BUILD_BLOB_ASN1_DER, object,
@@ -230,17 +230,17 @@ bool pkcs7_parse_signedData(chunk_t blob, contentInfo_t *data,
 			break;
 		case PKCS7_SIGNER_INFO:
 			signerInfos++;
-			DBG2("  signer #%d", signerInfos);
+			DBG2(DBG_LIB, "  signer #%d", signerInfos);
 			break;
 		case PKCS7_SIGNER_INFO_VERSION:
 			version = object.len ? (int)*object.ptr : 0;
-			DBG2("  v%d", version);
+			DBG2(DBG_LIB, "  v%d", version);
 			break;
 		case PKCS7_SIGNED_ISSUER:
 			{
 				identification_t *issuer = identification_create_from_encoding(
 													ID_DER_ASN1_DN, object);
-				DBG2("  \"%Y\"", issuer);
+				DBG2(DBG_LIB, "  \"%Y\"", issuer);
 				issuer->destroy(issuer);
 				break;
 			}
@@ -277,27 +277,27 @@ bool pkcs7_parse_signedData(chunk_t blob, contentInfo_t *data,
 		scheme = signature_scheme_from_oid(digest_alg);
 		if (scheme == SIGN_UNKNOWN)
 		{
-			DBG1("unsupported signature scheme");
+			DBG1(DBG_LIB, "unsupported signature scheme");
 			return FALSE;
 		}
 		if (signerInfos == 0)
 		{
-			DBG1("no signerInfo object found");
+			DBG1(DBG_LIB, "no signerInfo object found");
 			return FALSE;
 		}
 		else if (signerInfos > 1)
 		{
-			DBG1("more than one signerInfo object found");
+			DBG1(DBG_LIB, "more than one signerInfo object found");
 			return FALSE;
 		}
 		if (attributes->ptr == NULL)
 		{
-			DBG1("no authenticatedAttributes object found");
+			DBG1(DBG_LIB, "no authenticatedAttributes object found");
 			return FALSE;
 		}
 		if (enc_alg != OID_RSA_ENCRYPTION)
 		{
-			DBG1("only RSA digest encryption supported");
+			DBG1(DBG_LIB, "only RSA digest encryption supported");
 			return FALSE;
 		}
 
@@ -305,16 +305,16 @@ bool pkcs7_parse_signedData(chunk_t blob, contentInfo_t *data,
 		key = cacert->get_public_key(cacert);
 		if (key == NULL)
 		{
-			DBG1("no public key found in CA certificate");
+			DBG1(DBG_LIB, "no public key found in CA certificate");
 			return FALSE;
 		}
 		if (key->verify(key, scheme, *attributes, encrypted_digest))
 		{
-			DBG2("signature is valid");
+			DBG2(DBG_LIB, "signature is valid");
 		}
 		else
 		{
-			DBG1("invalid signature");
+			DBG1(DBG_LIB, "invalid signature");
 			success = FALSE;
 		}
 		key->destroy(key);
@@ -352,7 +352,7 @@ bool pkcs7_parse_envelopedData(chunk_t blob, chunk_t *data,
 	}
 	if (cInfo.type != OID_PKCS7_ENVELOPED_DATA)
 	{
-		DBG1("pkcs7 content type is not envelopedData");
+		DBG1(DBG_LIB, "pkcs7 content type is not envelopedData");
 		goto failed;
 	}
 
@@ -367,19 +367,19 @@ bool pkcs7_parse_envelopedData(chunk_t blob, chunk_t *data,
 		{
 		case PKCS7_ENVELOPED_VERSION:
 			version = object.len ? (int)*object.ptr : 0;
-			DBG2("  v%d", version);
+			DBG2(DBG_LIB, "  v%d", version);
 			if (version != 0)
 			{
-				DBG1("envelopedData version is not 0");
+				DBG1(DBG_LIB, "envelopedData version is not 0");
 				goto end;
 			}
 			break;
 		case PKCS7_RECIPIENT_INFO_VERSION:
 			version = object.len ? (int)*object.ptr : 0;
-			DBG2("  v%d", version);
+			DBG2(DBG_LIB, "  v%d", version);
 			if (version != 0)
 			{
-				DBG1("recipient info version is not 0");
+				DBG1(DBG_LIB, "recipient info version is not 0");
 				goto end;
 			}
 			break;
@@ -387,14 +387,14 @@ bool pkcs7_parse_envelopedData(chunk_t blob, chunk_t *data,
 			{
 				identification_t *issuer = identification_create_from_encoding(
 													ID_DER_ASN1_DN, object);
-				DBG2("  \"%Y\"", issuer);
+				DBG2(DBG_LIB, "  \"%Y\"", issuer);
 				issuer->destroy(issuer);
 				break;
 			}
 		case PKCS7_SERIAL_NUMBER:
 			if (!chunk_equals(serialNumber, object))
 			{
-				DBG1("serial numbers do not match");
+				DBG1(DBG_LIB, "serial numbers do not match");
 				goto end;
 			}
 			break;
@@ -402,22 +402,22 @@ bool pkcs7_parse_envelopedData(chunk_t blob, chunk_t *data,
 			enc_alg = asn1_parse_algorithmIdentifier(object, level, NULL);
 			if (enc_alg != OID_RSA_ENCRYPTION)
 			{
-				DBG1("only rsa encryption supported");
+				DBG1(DBG_LIB, "only rsa encryption supported");
 				goto end;
 			}
 			break;
 		case PKCS7_ENCRYPTED_KEY:
 			if (!key->decrypt(key, object, &symmetric_key))
 			{
-				DBG1("symmetric key could not be decrypted with rsa");
+				DBG1(DBG_LIB, "symmetric key could not be decrypted with rsa");
 				goto end;
 			}
-			DBG4("symmetric key %B", &symmetric_key);
+			DBG4(DBG_LIB, "symmetric key %B", &symmetric_key);
 			break;
 		case PKCS7_CONTENT_TYPE:
 			if (asn1_known_oid(object) != OID_PKCS7_DATA)
 			{
-				 DBG1("encrypted content not of type pkcs7 data");
+				 DBG1(DBG_LIB, "encrypted content not of type pkcs7 data");
 				 goto end;
 			}
 			break;
@@ -426,12 +426,12 @@ bool pkcs7_parse_envelopedData(chunk_t blob, chunk_t *data,
 
 			if (content_enc_alg == OID_UNKNOWN)
 			{
-				DBG1("unknown content encryption algorithm");
+				DBG1(DBG_LIB, "unknown content encryption algorithm");
 				goto end;
 			}
 			if (!asn1_parse_simple_object(&iv, ASN1_OCTET_STRING, level+1, "IV"))
 			{
-				DBG1("IV could not be parsed");
+				DBG1(DBG_LIB, "IV could not be parsed");
 				goto end;
 			}
 			break;
@@ -459,28 +459,28 @@ end:
 		alg = encryption_algorithm_from_oid(content_enc_alg, &key_size);
 		if (alg == ENCR_UNDEFINED)
 		{
-			DBG1("unsupported content encryption algorithm");
+			DBG1(DBG_LIB, "unsupported content encryption algorithm");
 			goto failed;
 		}
 		crypter = lib->crypto->create_crypter(lib->crypto, alg, key_size);
 		if (crypter == NULL)
 		{
-			DBG1("crypter %N not available", encryption_algorithm_names, alg);
+			DBG1(DBG_LIB, "crypter %N not available", encryption_algorithm_names, alg);
 			goto failed;
 		}
 		if (symmetric_key.len != crypter->get_key_size(crypter))
 		{
-			DBG1("symmetric key length %d is wrong", symmetric_key.len);
+			DBG1(DBG_LIB, "symmetric key length %d is wrong", symmetric_key.len);
 			goto failed;
 		}
 		if (iv.len != crypter->get_block_size(crypter))
 		{
-			DBG1("IV length %d is wrong", iv.len);
+			DBG1(DBG_LIB, "IV length %d is wrong", iv.len);
 			goto failed;
 		}
 		crypter->set_key(crypter, symmetric_key);
 		crypter->decrypt(crypter, encrypted_content, iv, data);
-		DBG4("decrypted content with padding: %B", data);
+		DBG4(DBG_LIB, "decrypted content with padding: %B", data);
 	}
 
 	/* remove the padding */
@@ -491,7 +491,7 @@ end:
 
 		if (padding > data->len)
 		{
-			DBG1("padding greater than data length");
+			DBG1(DBG_LIB, "padding greater than data length");
 			goto failed;
 		}
 		data->len -= padding;
@@ -500,7 +500,7 @@ end:
 		{
 			if (*pos-- != pattern)
 			{
-				DBG1("wrong padding pattern");
+				DBG1(DBG_LIB, "wrong padding pattern");
 				goto failed;
 			}
 		}
@@ -631,7 +631,7 @@ chunk_t pkcs7_build_signedData(chunk_t data, chunk_t attributes,
 				, asn1_wrap(ASN1_SET, "m", signerInfo));
 
 	cInfo = pkcs7_build_contentInfo(&signedData);
-	DBG3("signedData %B", &cInfo);
+	DBG3(DBG_LIB, "signedData %B", &cInfo);
 
 	free(pkcs7Data.content.ptr);
 	free(signedData.content.ptr);
@@ -653,7 +653,7 @@ chunk_t pkcs7_build_envelopedData(chunk_t data, certificate_t *cert, int enc_alg
 										  alg_key_size/BITS_PER_BYTE);
 	if (crypter == NULL)
 	{
-		DBG1("crypter for %N not available", encryption_algorithm_names, alg);
+		DBG1(DBG_LIB, "crypter for %N not available", encryption_algorithm_names, alg);
 		return chunk_empty;
 	}
 
@@ -663,12 +663,12 @@ chunk_t pkcs7_build_envelopedData(chunk_t data, certificate_t *cert, int enc_alg
 
 		rng = lib->crypto->create_rng(lib->crypto, RNG_TRUE);
 		rng->allocate_bytes(rng, crypter->get_key_size(crypter), &symmetricKey);
-		DBG4("symmetric encryption key %B", &symmetricKey);
+		DBG4(DBG_LIB, "symmetric encryption key %B", &symmetricKey);
 		rng->destroy(rng);
 
 		rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
 		rng->allocate_bytes(rng, crypter->get_block_size(crypter), &iv);
-		DBG4("initialization vector: %B", &iv);
+		DBG4(DBG_LIB, "initialization vector: %B", &iv);
 		rng->destroy(rng);
 	}
 
@@ -680,7 +680,7 @@ chunk_t pkcs7_build_envelopedData(chunk_t data, certificate_t *cert, int enc_alg
 		in.len = data.len + padding;
 		in.ptr = malloc(in.len);
 
-		DBG2("padding %u bytes of data to multiple block size of %u bytes",
+		DBG2(DBG_LIB, "padding %u bytes of data to multiple block size of %u bytes",
 			 data.len, in.len);
 
 		/* copy data */
@@ -688,14 +688,14 @@ chunk_t pkcs7_build_envelopedData(chunk_t data, certificate_t *cert, int enc_alg
 		/* append padding */
 		memset(in.ptr + data.len, padding, padding);
 	}
-	DBG3("padded unencrypted data %B", &in);
+	DBG3(DBG_LIB, "padded unencrypted data %B", &in);
 
 	/* symmetric encryption of data object */
 	crypter->set_key(crypter, symmetricKey);
 	crypter->encrypt(crypter, in, iv, &out);
 	crypter->destroy(crypter);
 	chunk_clear(&in);
-    DBG3("encrypted data %B", &out);
+    DBG3(DBG_LIB, "encrypted data %B", &out);
 
 	/* protect symmetric key by public key encryption */
 	{
@@ -703,7 +703,7 @@ chunk_t pkcs7_build_envelopedData(chunk_t data, certificate_t *cert, int enc_alg
 
 		if (key == NULL)
 		{
-			DBG1("public key not found in encryption certificate");
+			DBG1(DBG_LIB, "public key not found in encryption certificate");
 			chunk_clear(&symmetricKey);
 			chunk_free(&iv);
 			chunk_free(&out);
@@ -744,7 +744,7 @@ chunk_t pkcs7_build_envelopedData(chunk_t data, certificate_t *cert, int enc_alg
 					, encryptedContentInfo);
 
 		cInfo = pkcs7_build_contentInfo(&envelopedData);
-		DBG3("envelopedData %B", &cInfo);
+		DBG3(DBG_LIB, "envelopedData %B", &cInfo);
 
 		chunk_free(&envelopedData.content);
 		chunk_free(&iv);
diff --git a/src/pluto/plutomain.c b/src/pluto/plutomain.c
index 8b922df8c..aa04594bc 100644
--- a/src/pluto/plutomain.c
+++ b/src/pluto/plutomain.c
@@ -38,6 +38,7 @@
 
 #include <freeswan.h>
 
+#include <hydra.h>
 #include <library.h>
 #include <debug.h>
 #include <utils/enumerator.h>
@@ -74,6 +75,7 @@
 #include "timer.h"
 #include "vendor.h"
 #include "builder.h"
+#include "whack_attribute.h"
 
 static void usage(const char *mess)
 {
@@ -242,7 +244,7 @@ static void print_plugins()
 		len += snprintf(&buf[len], BUF_LEN-len, "%s ", plugin);
 	}
 	enumerator->destroy(enumerator);
-	DBG1("loaded plugins: %s", buf);
+	DBG1(DBG_DMN, "loaded plugins: %s", buf);
 }
 
 int main(int argc, char **argv)
@@ -273,6 +275,12 @@ int main(int argc, char **argv)
 		library_deinit();
 		exit(SS_RC_DAEMON_INTEGRITY);
 	}
+	if (!libhydra_init("pluto"))
+	{
+		libhydra_deinit();
+		library_deinit();
+		exit(SS_RC_INITIALIZATION_FAILED);
+	}
 	options = options_create();
 
 	/* handle arguments */
@@ -648,6 +656,7 @@ int main(int argc, char **argv)
 	{
 		plog("integrity tests enabled:");
 		plog("lib    'libstrongswan': passed file and segment integrity tests");
+		plog("lib    'libhydra': passed file and segment integrity tests");
 		plog("daemon 'pluto': passed file integrity test");
 	}
 
@@ -676,6 +685,7 @@ int main(int argc, char **argv)
 	init_myid();
 	fetch_initialize();
 	ac_initialize();
+	whack_attribute_initialize();
 
 	/* drop unneeded capabilities and change UID/GID */
 	prctl(PR_SET_KEEPCAPS, 1);
@@ -750,6 +760,7 @@ void exit_pluto(int status)
 	free_preshared_secrets();
 	free_remembered_public_keys();
 	delete_every_connection();
+	whack_attribute_finalize(); /* free in-memory pools */
 	fetch_finalize();           /* stop fetching thread */
 	free_crl_fetch();           /* free chain of crl fetch requests */
 	free_ocsp_fetch();          /* free chain of ocsp fetch requests */
@@ -770,6 +781,8 @@ void exit_pluto(int status)
 	free_builder();
 	delete_lock();
 	options->destroy(options);
+	lib->plugins->unload(lib->plugins);
+	libhydra_deinit();
 	library_deinit();
 	close_log();
 	exit(status);
diff --git a/src/pluto/rcv_whack.c b/src/pluto/rcv_whack.c
index 826a1aa6e..bf5ccb10c 100644
--- a/src/pluto/rcv_whack.c
+++ b/src/pluto/rcv_whack.c
@@ -57,6 +57,7 @@
 #include "myid.h"
 #include "kernel_alg.h"
 #include "ike_alg.h"
+#include "whack_attribute.h"
 
 /* helper variables and function to decode strings from whack message */
 
@@ -326,6 +327,8 @@ void whack_handle(int whackctlfd)
 		|| !unpack_str(&msg.ike)                /* string 24 */
 		|| !unpack_str(&msg.esp)                /* string 25 */
 		|| !unpack_str(&msg.sc_data)            /* string 26 */
+		|| !unpack_str(&msg.whack_lease_ip)     /* string 27 */
+		|| !unpack_str(&msg.whack_lease_id)     /* string 28 */
 		|| str_roof - next_str != (ptrdiff_t)msg.keyval.len)    /* check chunk */
 		{
 			ugh = "message from whack contains bad string";
@@ -376,7 +379,9 @@ void whack_handle(int whackctlfd)
 	}
 
 	if (msg.whack_myid)
+	{
 		set_myid(MYID_SPECIFIED, msg.myid);
+	}
 
 	/* Deleting combined with adding a connection works as replace.
 	 * To make this more useful, in only this combination,
@@ -385,9 +390,13 @@ void whack_handle(int whackctlfd)
 	if (msg.whack_delete)
 	{
 		if (msg.whack_ca)
+		{
 			find_ca_info_by_name(msg.name, TRUE);
+		}
 		else
+		{
 			delete_connections_by_name(msg.name, !msg.whack_connection);
+		}
 	}
 
 	if (msg.whack_deletestate)
@@ -406,13 +415,19 @@ void whack_handle(int whackctlfd)
 	}
 
 	if (msg.whack_crash)
+	{
 		delete_states_by_peer(&msg.whack_crash_peer);
+	}
 
 	if (msg.whack_connection)
+	{
 		add_connection(&msg);
+	}
 
 	if (msg.whack_ca && msg.cacert != NULL)
+	{
 		add_ca_info(&msg);
+	}
 
 	/* process "listen" before any operation that could require it */
 	if (msg.whack_listen)
@@ -469,7 +484,12 @@ void whack_handle(int whackctlfd)
 		free_ocsp_cache();
 	}
 
-   if (msg.whack_list & LIST_PUBKEYS)
+	if (msg.whack_leases)
+	{
+		list_leases(msg.name, msg.whack_lease_ip, msg.whack_lease_id);
+	}
+
+	if (msg.whack_list & LIST_PUBKEYS)
 	{
 		list_public_keys(msg.whack_utc);
 	}
@@ -552,12 +572,18 @@ void whack_handle(int whackctlfd)
 			{
 				set_cur_connection(c);
 				if (!oriented(*c))
+				{
 					whack_log(RC_ORIENT
 						, "we have no ipsecN interface for either end of this connection");
+				}
 				else if (c->policy & POLICY_GROUP)
+				{
 					route_group(c);
+				}
 				else if (!trap_connection(c))
+				{
 					whack_log(RC_ROUTE, "could not route");
+				}
 				reset_cur_connection();
 			}
 		}
@@ -584,14 +610,22 @@ void whack_handle(int whackctlfd)
 				for (sr = &c->spd; sr != NULL; sr = sr->next)
 				{
 					if (sr->routing >= RT_ROUTED_TUNNEL)
+					{
 						fail++;
+					}
 				}
 				if (fail > 0)
+				{
 					whack_log(RC_RTBUSY, "cannot unroute: route busy");
+				}
 				else if (c->policy & POLICY_GROUP)
+				{
 					unroute_group(c);
+				}
 				else
+				{
 					unroute_connection(c);
+				}
 				reset_cur_connection();
 			}
 		}
@@ -618,11 +652,15 @@ void whack_handle(int whackctlfd)
 	if (msg.whack_oppo_initiate)
 	{
 		if (!listening)
+		{
 			whack_log(RC_DEAF, "need --listen before opportunistic initiation");
+		}
 		else
+		{
 			initiate_opportunistic(&msg.oppo_my_client, &msg.oppo_peer_client, 0
 				, FALSE
 				, msg.whack_async? NULL_FD : dup_any(whackfd));
+		}
 	}
 
 	if (msg.whack_terminate)
@@ -639,7 +677,9 @@ void whack_handle(int whackctlfd)
 	}
 
 	if (msg.whack_status)
+	{
 		show_status(msg.whack_statusall, msg.name);
+	}
 
 	if (msg.whack_shutdown)
 	{
@@ -650,10 +690,14 @@ void whack_handle(int whackctlfd)
 	if (msg.whack_sc_op != SC_OP_NONE)
 	{
 		if (pkcs11_proxy)
+		{
 			scx_op_via_whack(msg.sc_data, msg.inbase, msg.outbase
 						   , msg.whack_sc_op, msg.keyid, whackfd);
+		}
 		else
+		{
 		   plog("pkcs11 access to smartcard not allowed (set pkcs11proxy=yes)");
+		}
 	}
 
 	whack_log_fd = NULL_FD;
diff --git a/src/pluto/timer.c b/src/pluto/timer.c
index 74806a40c..b112d67f6 100644
--- a/src/pluto/timer.c
+++ b/src/pluto/timer.c
@@ -48,7 +48,7 @@ time_t now(void)
 {
 	static time_t delta = 0
 		, last_time = 0;
-	time_t n = time((time_t)NULL);
+	time_t n = time(NULL);
 
 	passert(n != (time_t)-1);
 	if (last_time > n)
diff --git a/src/pluto/vendor.c b/src/pluto/vendor.c
index 7d3c96c87..99cfc5734 100644
--- a/src/pluto/vendor.c
+++ b/src/pluto/vendor.c
@@ -198,6 +198,7 @@ static struct vid_struct _vid_tab[] = {
 		 * strongSwan
 		 */
 		DEC_MD5_VID(STRONGSWAN,       "strongSwan")
+
 		DEC_MD5_VID(STRONGSWAN_4_3_5, "strongSwan 4.3.5")
 		DEC_MD5_VID(STRONGSWAN_4_3_4, "strongSwan 4.3.4")
 		DEC_MD5_VID(STRONGSWAN_4_3_3, "strongSwan 4.3.3")
@@ -234,14 +235,6 @@ static struct vid_struct _vid_tab[] = {
 		DEC_MD5_VID(STRONGSWAN_4_1_2, "strongSwan 4.1.2")
 		DEC_MD5_VID(STRONGSWAN_4_1_1, "strongSwan 4.1.1")
 		DEC_MD5_VID(STRONGSWAN_4_1_0, "strongSwan 4.1.0")
-		DEC_MD5_VID(STRONGSWAN_4_0_7, "strongSwan 4.0.7")
-		DEC_MD5_VID(STRONGSWAN_4_0_6, "strongSwan 4.0.6")
-		DEC_MD5_VID(STRONGSWAN_4_0_5, "strongSwan 4.0.5")
-		DEC_MD5_VID(STRONGSWAN_4_0_4, "strongSwan 4.0.4")
-		DEC_MD5_VID(STRONGSWAN_4_0_3, "strongSwan 4.0.3")
-		DEC_MD5_VID(STRONGSWAN_4_0_2, "strongSwan 4.0.2")
-		DEC_MD5_VID(STRONGSWAN_4_0_1, "strongSwan 4.0.1")
-		DEC_MD5_VID(STRONGSWAN_4_0_0, "strongSwan 4.0.0")
 
 		DEC_MD5_VID(STRONGSWAN_2_8_11,"strongSwan 2.8.11")
 		DEC_MD5_VID(STRONGSWAN_2_8_10,"strongSwan 2.8.10")
@@ -255,34 +248,6 @@ static struct vid_struct _vid_tab[] = {
 		DEC_MD5_VID(STRONGSWAN_2_8_2, "strongSwan 2.8.2")
 		DEC_MD5_VID(STRONGSWAN_2_8_1, "strongSwan 2.8.1")
 		DEC_MD5_VID(STRONGSWAN_2_8_0, "strongSwan 2.8.0")
-		DEC_MD5_VID(STRONGSWAN_2_7_3, "strongSwan 2.7.3")
-		DEC_MD5_VID(STRONGSWAN_2_7_2, "strongSwan 2.7.2")
-		DEC_MD5_VID(STRONGSWAN_2_7_1, "strongSwan 2.7.1")
-		DEC_MD5_VID(STRONGSWAN_2_7_0, "strongSwan 2.7.0")
-		DEC_MD5_VID(STRONGSWAN_2_6_4, "strongSwan 2.6.4")
-		DEC_MD5_VID(STRONGSWAN_2_6_3, "strongSwan 2.6.3")
-		DEC_MD5_VID(STRONGSWAN_2_6_2, "strongSwan 2.6.2")
-		DEC_MD5_VID(STRONGSWAN_2_6_1, "strongSwan 2.6.1")
-		DEC_MD5_VID(STRONGSWAN_2_6_0, "strongSwan 2.6.0")
-		DEC_MD5_VID(STRONGSWAN_2_5_7, "strongSwan 2.5.7")
-		DEC_MD5_VID(STRONGSWAN_2_5_6, "strongSwan 2.5.6")
-		DEC_MD5_VID(STRONGSWAN_2_5_5, "strongSwan 2.5.5")
-		DEC_MD5_VID(STRONGSWAN_2_5_4, "strongSwan 2.5.4")
-		DEC_MD5_VID(STRONGSWAN_2_5_3, "strongSwan 2.5.3")
-		DEC_MD5_VID(STRONGSWAN_2_5_2, "strongSwan 2.5.2")
-		DEC_MD5_VID(STRONGSWAN_2_5_1, "strongSwan 2.5.1")
-		DEC_MD5_VID(STRONGSWAN_2_5_0, "strongSwan 2.5.0")
-		DEC_MD5_VID(STRONGSWAN_2_4_4, "strongSwan 2.4.4")
-		DEC_MD5_VID(STRONGSWAN_2_4_3, "strongSwan 2.4.3")
-		DEC_MD5_VID(STRONGSWAN_2_4_2, "strongSwan 2.4.2")
-		DEC_MD5_VID(STRONGSWAN_2_4_1, "strongSwan 2.4.1")
-		DEC_MD5_VID(STRONGSWAN_2_4_0, "strongSwan 2.4.0")
-		DEC_MD5_VID(STRONGSWAN_2_3_2, "strongSwan 2.3.2")
-		DEC_MD5_VID(STRONGSWAN_2_3_1, "strongSwan 2.3.1")
-		DEC_MD5_VID(STRONGSWAN_2_3_0, "strongSwan 2.3.0")
-		DEC_MD5_VID(STRONGSWAN_2_2_2, "strongSwan 2.2.2")
-		DEC_MD5_VID(STRONGSWAN_2_2_1, "strongSwan 2.2.1")
-		DEC_MD5_VID(STRONGSWAN_2_2_0, "strongSwan 2.2.0")
 
 		/* NAT-Traversal */
 
@@ -375,51 +340,63 @@ static void handle_known_vendorid (struct msg_digest *md, const char *vidstr,
 	bool vid_useful = FALSE;
 	size_t i, j;
 
-	switch (vid->id) {
-	/* Remote side supports OpenPGP certificates */
-	case VID_OPENPGP:
-		md->openpgp = TRUE;
-		vid_useful = TRUE;
-		break;
+	switch (vid->id)
+	 {
+		/* Remote side is a strongSwan host */
+		case VID_STRONGSWAN:
+			vid_useful = TRUE;
+			break;
+		
+		/* Remote side supports OpenPGP certificates */
+		case VID_OPENPGP:
+			md->openpgp = TRUE;
+			vid_useful = TRUE;
+			break;
 
-	/*
-	 * Use most recent supported NAT-Traversal method and ignore the
-	 * other ones (implementations will send all supported methods but
-	 * only one will be used)
-	 *
-	 * Note: most recent == higher id in vendor.h
-	 */
-	case VID_NATT_IETF_00:
-		if (!nat_traversal_support_non_ike)
+		/* Remote side is a Windows 2000+ host */
+		case VID_MS_NT5:
+			md->ms_nt5 = TRUE;
+			vid_useful = TRUE;
 			break;
-		if ((nat_traversal_enabled) && (!md->nat_traversal_vid))
-		{
-			md->nat_traversal_vid = vid->id;
+
+		/*
+		 * Use most recent supported NAT-Traversal method and ignore the
+		 * other ones (implementations will send all supported methods but
+		 * only one will be used)
+		 *
+		 * Note: most recent == higher id in vendor.h
+		 */
+		case VID_NATT_IETF_00:
+			if (!nat_traversal_support_non_ike)
+				break;
+			if ((nat_traversal_enabled) && (!md->nat_traversal_vid))
+			{
+				md->nat_traversal_vid = vid->id;
+				vid_useful = TRUE;
+			}
+			break;
+		case VID_NATT_IETF_02:
+		case VID_NATT_IETF_02_N:
+		case VID_NATT_IETF_03:
+		case VID_NATT_RFC:
+			if (nat_traversal_support_port_floating
+			&& md->nat_traversal_vid < vid->id)
+			{
+				md->nat_traversal_vid = vid->id;
+				vid_useful = TRUE;
+			}
+			break;
+
+		/* Remote side would like to do DPD with us on this connection */
+		case VID_MISC_DPD:
+			md->dpd = TRUE;
 			vid_useful = TRUE;
-		}
-		break;
-	case VID_NATT_IETF_02:
-	case VID_NATT_IETF_02_N:
-	case VID_NATT_IETF_03:
-	case VID_NATT_RFC:
-		if (nat_traversal_support_port_floating
-		&& md->nat_traversal_vid < vid->id)
-		{
-			md->nat_traversal_vid = vid->id;
+			break;
+		case VID_MISC_XAUTH:
 			vid_useful = TRUE;
-		}
-		break;
-
-	/* Remote side would like to do DPD with us on this connection */
-	case VID_MISC_DPD:
-		md->dpd = TRUE;
-		vid_useful = TRUE;
-		break;
-	case VID_MISC_XAUTH:
-		vid_useful = TRUE;
-		break;
-	default:
-		break;
+			break;
+		default:
+			break;
 	}
 
 	if (vid->flags & VID_SUBSTRING_DUMPHEXA)
diff --git a/src/pluto/vendor.h b/src/pluto/vendor.h
index 3df1a8196..ac6b0d420 100644
--- a/src/pluto/vendor.h
+++ b/src/pluto/vendor.h
@@ -53,56 +53,21 @@ enum known_vendorid {
   VID_VISTA_AUTHIP2             = 34,
   VID_VISTA_AUTHIP3             = 35,
 
-  VID_STRONGSWAN                = 37,
-  VID_STRONGSWAN_2_2_0          = 38,
-  VID_STRONGSWAN_2_2_1          = 39,
-  VID_STRONGSWAN_2_2_2          = 40,
-  VID_STRONGSWAN_2_3_0          = 41,
-  VID_STRONGSWAN_2_3_1          = 42,
-  VID_STRONGSWAN_2_3_2          = 43,
-  VID_STRONGSWAN_2_4_0          = 44,
-  VID_STRONGSWAN_2_4_1          = 45,
-  VID_STRONGSWAN_2_4_2          = 46,
-  VID_STRONGSWAN_2_4_3          = 47,
-  VID_STRONGSWAN_2_4_4          = 48,
-  VID_STRONGSWAN_2_5_0          = 49,
-  VID_STRONGSWAN_2_5_1          = 50,
-  VID_STRONGSWAN_2_5_2          = 51,
-  VID_STRONGSWAN_2_5_3          = 52,
-  VID_STRONGSWAN_2_5_4          = 53,
-  VID_STRONGSWAN_2_5_5          = 54,
-  VID_STRONGSWAN_2_5_6          = 55,
-  VID_STRONGSWAN_2_5_7          = 56,
-  VID_STRONGSWAN_2_6_0          = 57,
-  VID_STRONGSWAN_2_6_1          = 58,
-  VID_STRONGSWAN_2_6_2          = 59,
-  VID_STRONGSWAN_2_6_3          = 60,
-  VID_STRONGSWAN_2_6_4          = 61,
-  VID_STRONGSWAN_2_7_0          = 62,
-  VID_STRONGSWAN_2_7_1          = 63,
-  VID_STRONGSWAN_2_7_2          = 64,
-  VID_STRONGSWAN_2_7_3          = 65,
-  VID_STRONGSWAN_2_8_0          = 66,
-  VID_STRONGSWAN_2_8_1          = 67,
-  VID_STRONGSWAN_2_8_2          = 68,
-  VID_STRONGSWAN_2_8_3          = 69,
-  VID_STRONGSWAN_2_8_4          = 70,
-  VID_STRONGSWAN_2_8_5          = 71,
-  VID_STRONGSWAN_2_8_6          = 72,
-  VID_STRONGSWAN_2_8_7          = 73,
-  VID_STRONGSWAN_2_8_8          = 74,
-  VID_STRONGSWAN_2_8_9          = 75,
-  VID_STRONGSWAN_2_8_10         = 76,
-  VID_STRONGSWAN_2_8_11         = 77,
+  VID_STRONGSWAN                = 36,
+
+  VID_STRONGSWAN_2_8_0          = 37,
+  VID_STRONGSWAN_2_8_1          = 38,
+  VID_STRONGSWAN_2_8_2          = 39,
+  VID_STRONGSWAN_2_8_3          = 40,
+  VID_STRONGSWAN_2_8_4          = 41,
+  VID_STRONGSWAN_2_8_5          = 42,
+  VID_STRONGSWAN_2_8_6          = 43,
+  VID_STRONGSWAN_2_8_7          = 44,
+  VID_STRONGSWAN_2_8_8          = 45,
+  VID_STRONGSWAN_2_8_9          = 46,
+  VID_STRONGSWAN_2_8_10         = 47,
+  VID_STRONGSWAN_2_8_11         = 48,
 
-  VID_STRONGSWAN_4_0_0          = 80,
-  VID_STRONGSWAN_4_0_1          = 81,
-  VID_STRONGSWAN_4_0_2          = 82,
-  VID_STRONGSWAN_4_0_3          = 83,
-  VID_STRONGSWAN_4_0_4          = 84,
-  VID_STRONGSWAN_4_0_5          = 85,
-  VID_STRONGSWAN_4_0_6          = 86,
-  VID_STRONGSWAN_4_0_7          = 87,
   VID_STRONGSWAN_4_1_0          = 88,
   VID_STRONGSWAN_4_1_1          = 89,
   VID_STRONGSWAN_4_1_2          = 90,
@@ -115,7 +80,6 @@ enum known_vendorid {
   VID_STRONGSWAN_4_1_9          = 97,
   VID_STRONGSWAN_4_1_10         = 98,
   VID_STRONGSWAN_4_1_11         = 99,
-
   VID_STRONGSWAN_4_2_0          =100,
   VID_STRONGSWAN_4_2_1          =101,
   VID_STRONGSWAN_4_2_2          =102,
diff --git a/src/pluto/whack_attribute.c b/src/pluto/whack_attribute.c
new file mode 100644
index 000000000..6a12f0c09
--- /dev/null
+++ b/src/pluto/whack_attribute.c
@@ -0,0 +1,365 @@
+/*
+ * Copyright (C) 2010 Tobias Brunner
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "whack_attribute.h"
+
+#include "log.h"
+
+/* these are defined as constants in constant.h but redefined as enum values in
+ * attributes/attributes.h */
+#undef INTERNAL_IP4_SERVER
+#undef INTERNAL_IP6_SERVER
+
+#include <hydra.h>
+#include <attributes/mem_pool.h>
+#include <utils/linked_list.h>
+#include <threading/rwlock.h>
+
+typedef struct private_whack_attribute_t private_whack_attribute_t;
+
+/**
+ * private data of whack_attribute
+ */
+struct private_whack_attribute_t {
+
+	/**
+	 * public functions
+	 */
+	whack_attribute_t public;
+
+	/**
+	 * list of pools, contains mem_pool_t
+	 */
+	linked_list_t *pools;
+
+	/**
+	 * rwlock to lock access to pools
+	 */
+	rwlock_t *lock;
+};
+
+/**
+ * global object
+ */
+whack_attribute_t *whack_attr;
+
+/**
+ * compare pools by name
+ */
+static bool pool_match(mem_pool_t *current, char *name)
+{
+	return name && streq(name, current->get_name(current));
+}
+
+/**
+ * find a pool by name
+ */
+static mem_pool_t *find_pool(private_whack_attribute_t *this, char *name)
+{
+	mem_pool_t *found;
+	if (this->pools->find_first(this->pools, (linked_list_match_t)pool_match,
+		(void**)&found, name) == SUCCESS)
+	{
+		return found;
+	}
+	return NULL;
+}
+
+METHOD(attribute_provider_t, acquire_address, host_t*,
+	   private_whack_attribute_t *this, char *name, identification_t *id,
+	   host_t *requested)
+{
+	mem_pool_t *pool;
+	host_t *addr = NULL;
+	this->lock->read_lock(this->lock);
+	pool = find_pool(this, name);
+	if (pool)
+	{
+		addr = pool->acquire_address(pool, id, requested);
+	}
+	this->lock->unlock(this->lock);
+	return addr;
+}
+
+METHOD(attribute_provider_t, release_address, bool,
+	   private_whack_attribute_t *this, char *name, host_t *address,
+	   identification_t *id)
+{
+	mem_pool_t *pool;
+	bool found = FALSE;
+	this->lock->read_lock(this->lock);
+	pool = find_pool(this, name);
+	if (pool)
+	{
+		found = pool->release_address(pool, address, id);
+	}
+	this->lock->unlock(this->lock);
+	return found;
+}
+
+METHOD(whack_attribute_t, add_pool, bool,
+	   private_whack_attribute_t *this, const char *name,
+	   const whack_end_t *right)
+{
+	mem_pool_t *pool;
+	host_t *base = NULL;
+	u_int32_t bits = 0;
+
+	/* named pool */
+	if (right->sourceip_mask <= 0)
+	{
+		return FALSE;
+	}
+
+	/* if %config, add an empty pool, otherwise */
+	if (right->sourceip)
+	{
+		DBG(DBG_CONTROL,
+			DBG_log("adding virtual IP address pool '%s': %s/%d",
+					name, right->sourceip, right->sourceip_mask);
+		);
+		base = host_create_from_string(right->sourceip, 0);
+		if (!base)
+		{
+			loglog(RC_LOG_SERIOUS, "virtual IP address invalid, discarded");
+			return FALSE;
+		}
+		bits = right->sourceip_mask;
+	}
+	pool = mem_pool_create((char*)name, base, bits);
+	DESTROY_IF(base);
+
+	this->lock->write_lock(this->lock);
+	this->pools->insert_last(this->pools, pool);
+	this->lock->unlock(this->lock);
+	return TRUE;
+}
+
+METHOD(whack_attribute_t, del_pool, void,
+	   private_whack_attribute_t *this, char *name)
+{
+	enumerator_t *enumerator;
+	mem_pool_t *pool;
+
+	this->lock->write_lock(this->lock);
+	enumerator = this->pools->create_enumerator(this->pools);
+	while (enumerator->enumerate(enumerator, &pool))
+	{
+		if (streq(name, pool->get_name(pool)))
+		{
+			DBG(DBG_CONTROL,
+				DBG_log("deleting virtual IP address pool '%s'", name)
+			);
+			this->pools->remove_at(this->pools, enumerator);
+			pool->destroy(pool);
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
+}
+
+/**
+ * Pool enumerator filter function, converts pool_t to name, size, ...
+ */
+static bool pool_filter(void *lock, mem_pool_t **poolp, const char **name,
+						void *d1, u_int *size, void *d2, u_int *online,
+						void *d3, u_int *offline)
+{
+	mem_pool_t *pool = *poolp;
+	*name = pool->get_name(pool);
+	*size = pool->get_size(pool);
+	*online = pool->get_online(pool);
+	*offline = pool->get_offline(pool);
+	return TRUE;
+}
+
+METHOD(whack_attribute_t, create_pool_enumerator, enumerator_t*,
+	   private_whack_attribute_t *this)
+{
+	this->lock->read_lock(this->lock);
+	return enumerator_create_filter(this->pools->create_enumerator(this->pools),
+									(void*)pool_filter,
+									this->lock, (void*)this->lock->unlock);
+}
+
+METHOD(whack_attribute_t, create_lease_enumerator, enumerator_t*,
+	   private_whack_attribute_t *this, char *name)
+{
+	mem_pool_t *pool;
+	this->lock->read_lock(this->lock);
+	pool = find_pool(this, name);
+	if (!pool)
+	{
+		this->lock->unlock(this->lock);
+		return NULL;
+	}
+	return enumerator_create_cleaner(pool->create_lease_enumerator(pool),
+									 (void*)this->lock->unlock, this->lock);
+}
+
+/**
+ * see header file
+ */
+void whack_attribute_finalize()
+{
+	private_whack_attribute_t *this;
+
+	if (whack_attr)
+	{
+ 		this = (private_whack_attribute_t*)whack_attr;
+		hydra->attributes->remove_provider(hydra->attributes,
+									   &this->public.provider);
+		this->lock->destroy(this->lock);
+		this->pools->destroy_offset(this->pools, offsetof(mem_pool_t, destroy));
+		free(this);
+	}
+}
+
+/**
+ * see header file
+ */
+void whack_attribute_initialize()
+{
+	private_whack_attribute_t *this;
+
+	INIT(this,
+		.public = {
+			.provider = {
+				.acquire_address = _acquire_address,
+				.release_address = _release_address,
+				.create_attribute_enumerator = enumerator_create_empty,
+			},
+			.add_pool = _add_pool,
+			.del_pool = _del_pool,
+			.create_pool_enumerator = _create_pool_enumerator,
+			.create_lease_enumerator = _create_lease_enumerator,
+		},
+		.pools = linked_list_create(),
+		.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
+	);
+
+	hydra->attributes->add_provider(hydra->attributes, &this->public.provider);
+
+	whack_attr = &this->public;
+}
+
+/**
+ * list leases of a single pool
+ */
+static void pool_leases(char *pool, host_t *address,
+						identification_t *identification,
+						u_int size, u_int online, u_int offline)
+{
+
+	enumerator_t *enumerator;
+	identification_t *id;
+	host_t *lease;
+	bool on, found = FALSE;
+
+	whack_log(RC_COMMENT, "Leases in pool '%s', usage: %lu/%lu, %lu online",
+			  pool, online + offline, size, online);
+	enumerator = whack_attr->create_lease_enumerator(whack_attr, pool);
+	while (enumerator && enumerator->enumerate(enumerator, &id, &lease, &on))
+	{
+		if ((!address && !identification) ||
+			(address && address->ip_equals(address, lease)) ||
+			(identification && identification->equals(identification, id)))
+		{
+			whack_log(RC_COMMENT, "  %15H   %s   '%Y'",
+					  lease, on ? "online" : "offline", id);
+			found = TRUE;
+		}
+	}
+	enumerator->destroy(enumerator);
+	if (!found)
+	{
+		whack_log(RC_COMMENT, "  no matching leases found");
+	}
+}
+
+/**
+ * see header file
+ */
+void list_leases(char *name, char *addr, char *id)
+{
+	identification_t *identification = NULL;
+	host_t *address = NULL;
+	bool found = FALSE;
+	enumerator_t *enumerator;
+	u_int size, online, offline;
+	char *pool;
+
+	if (addr)
+	{
+		address = host_create_from_string(addr, 0);
+	}
+	if (id)
+	{
+		identification = identification_create_from_string(id);
+	}
+
+	enumerator = whack_attr->create_pool_enumerator(whack_attr);
+	while (enumerator->enumerate(enumerator, &pool, &size, &online, &offline))
+	{
+		if (!name || streq(name, pool))
+		{
+			pool_leases(pool, address, identification, size, online, offline);
+			found = TRUE;
+		}
+	}
+	enumerator->destroy(enumerator);
+	if (!found)
+	{
+		if (name)
+		{
+			whack_log(RC_COMMENT, "pool '%s' not found", name);
+		}
+		else
+		{
+			whack_log(RC_COMMENT, "no pools found");
+		}
+	}
+	DESTROY_IF(identification);
+	DESTROY_IF(address);
+}
+
+/**
+ * see header file
+ */
+void show_pools(const char *name)
+{
+	enumerator_t *enumerator;
+	u_int size, online, offline;
+	char *pool;
+	bool first = TRUE;
+
+	enumerator = whack_attr->create_pool_enumerator(whack_attr);
+	while (enumerator->enumerate(enumerator, &pool, &size, &online, &offline))
+	{
+		if (name && !streq(name, pool))
+		{
+			continue;
+		}
+		if (first)
+		{
+			first = FALSE;
+			whack_log(RC_COMMENT, "Virtual IP pools (size/online/offline):");
+		}
+		whack_log(RC_COMMENT, "\"%s\": %u/%u/%u", pool, size, online, offline);
+	}
+	enumerator->destroy(enumerator);
+}
diff --git a/src/pluto/whack_attribute.h b/src/pluto/whack_attribute.h
new file mode 100644
index 000000000..58441b973
--- /dev/null
+++ b/src/pluto/whack_attribute.h
@@ -0,0 +1,111 @@
+/*
+ * Copyright (C) 2010 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup whack_attribute
+ * @{ @ingroup pluto
+ */
+
+#ifndef WHACK_ATTRIBUTE_H_
+#define WHACK_ATTRIBUTE_H_
+
+#include <whack.h>
+#include <attributes/attribute_provider.h>
+
+typedef struct whack_attribute_t whack_attribute_t;
+
+/**
+ * Whack attribute provider (basically an in-memory IP address pool)
+ */
+struct whack_attribute_t {
+
+	/**
+	 * Implements attribute provider interface
+	 */
+	attribute_provider_t provider;
+
+	/**
+	 * Add a virtual IP address pool.
+	 *
+	 * @param name		name of the pool
+	 * @param right		"right" end of whack message
+	 * @return			TRUE, if the pool was successfully added
+	 */
+	bool (*add_pool)(whack_attribute_t *this, const char *name,
+					 const whack_end_t *right);
+
+	/**
+	 * Remove a virtual IP address pool.
+	 *
+	 * @param name		name of the pool
+	 */
+	void (*del_pool)(whack_attribute_t *this, char *name);
+
+	/**
+	 * Create an enumerator over installed pools.
+	 *
+	 * Enumerator enumerates over
+	 * char *pool, u_int size, u_int offline, u_int online.
+	 *
+	 * @return			enumerator
+	 */
+	enumerator_t* (*create_pool_enumerator)(whack_attribute_t *this);
+
+	/**
+	 * Create an enumerator over the leases of a pool.
+	 *
+	 * Enumerator enumerates over
+	 * identification_t *id, host_t *address, bool online
+	 *
+	 * @param name		name of the pool to enumerate
+	 * @return			enumerator, NULL if pool not found
+	 */
+	enumerator_t* (*create_lease_enumerator)(whack_attribute_t *this,
+											 char *name);
+};
+
+/**
+ * Global object to manage pools. Set between calls to
+ * whack_attribute_initialize() and whack_attribute_finalize().
+ */
+extern whack_attribute_t *whack_attr;
+
+/**
+ * Initialize the whack attribute provider
+ */
+void whack_attribute_initialize();
+
+/**
+ * Finalize the whack attribute provider
+ */
+void whack_attribute_finalize();
+
+/**
+ * List the leases matching the given parameters.
+ *
+ * @param name		name of the pool, NULL for all pools
+ * @param addr		ip address of the lease to list, NULL to ignore
+ * @param id		id of the lease to list, NULL to ignore
+ */
+void list_leases(char *name, char *addr, char *id);
+
+/**
+ * List either all pools or the pool with a given name
+ *
+ * @param name		name of the pool, NULL for all pools
+ */
+void show_pools(const char *name);
+
+#endif /** WHACK_ATTRIBUTE_H_ @}*/
diff --git a/src/pluto/x509.c b/src/pluto/x509.c
index d8e887955..0a29830ea 100644
--- a/src/pluto/x509.c
+++ b/src/pluto/x509.c
@@ -419,11 +419,11 @@ void list_x509cert_chain(const char *caption, cert_t* cert,
 				check_expiry(notAfter, CA_CERT_WARNING_INTERVAL, TRUE));
 
 			key = certificate->get_public_key(certificate);
-			if (key);
+			if (key)
 			{
 				whack_log(RC_COMMENT, "  pubkey:    %N %4d bits%s",
 					key_type_names, key->get_type(key),
-					key->get_keysize(key) * BITS_PER_BYTE,				
+					key->get_keysize(key) * BITS_PER_BYTE,
 					cert->smartcard ? ", on smartcard" :
 					(has_private_key(cert)? ", has private key" : ""));
 
diff --git a/src/scepclient/Makefile.am b/src/scepclient/Makefile.am
index 3693b7532..dd4a4a63d 100644
--- a/src/scepclient/Makefile.am
+++ b/src/scepclient/Makefile.am
@@ -1,16 +1,20 @@
 ipsec_PROGRAMS = scepclient
 scepclient_SOURCES = scepclient.c scep.c scep.h loglite.c
 
+scepclient.o :	$(top_builddir)/config.status
+
 PLUTODIR=$(top_srcdir)/src/pluto
 OPENACDIR=$(top_srcdir)/src/openac
 WHACKDIR=$(top_srcdir)/src/whack
 LIBFREESWANDIR=$(top_srcdir)/src/libfreeswan
 LIBSTRONGSWANDIR=$(top_srcdir)/src/libstrongswan
+LIBHYDRADIR=$(top_srcdir)/src/libhydra
 LIBCRYPTODIR=$(top_srcdir)/src/libcrypto
 
 INCLUDES = \
 -I$(LIBFREESWANDIR) \
 -I$(LIBSTRONGSWANDIR) \
+-I$(LIBHYDRADIR) \
 -I$(PLUTODIR) \
 -I$(LIBCRYPTODIR) \
 -I$(WHACKDIR)
diff --git a/src/scepclient/Makefile.in b/src/scepclient/Makefile.in
index 8438b81f9..db930756a 100644
--- a/src/scepclient/Makefile.in
+++ b/src/scepclient/Makefile.in
@@ -228,6 +228,7 @@ ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libhydra_plugins = @libhydra_plugins@
 libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
@@ -268,10 +269,12 @@ OPENACDIR = $(top_srcdir)/src/openac
 WHACKDIR = $(top_srcdir)/src/whack
 LIBFREESWANDIR = $(top_srcdir)/src/libfreeswan
 LIBSTRONGSWANDIR = $(top_srcdir)/src/libstrongswan
+LIBHYDRADIR = $(top_srcdir)/src/libhydra
 LIBCRYPTODIR = $(top_srcdir)/src/libcrypto
 INCLUDES = \
 -I$(LIBFREESWANDIR) \
 -I$(LIBSTRONGSWANDIR) \
+-I$(LIBHYDRADIR) \
 -I$(PLUTODIR) \
 -I$(LIBCRYPTODIR) \
 -I$(WHACKDIR)
@@ -659,6 +662,8 @@ uninstall-man: uninstall-man8
 	uninstall-man uninstall-man8
 
 
+scepclient.o :	$(top_builddir)/config.status
+
 constants.o :	$(PLUTODIR)/constants.c $(PLUTODIR)/constants.h
 		$(COMPILE) $(INCLUDES) -c -o $@ $<
 
diff --git a/src/scepclient/loglite.c b/src/scepclient/loglite.c
index 539bb5f72..96dc54390 100644
--- a/src/scepclient/loglite.c
+++ b/src/scepclient/loglite.c
@@ -41,7 +41,7 @@ bool
 /**
  * @brief scepclient dbg function
  */
-static void scepclient_dbg(int level, char *fmt, ...)
+static void scepclient_dbg(debug_t group, level_t level, char *fmt, ...)
 {
 	int priority = LOG_INFO;
 	int debug_level;
diff --git a/src/scepclient/scepclient.c b/src/scepclient/scepclient.c
index 576ce1dc5..385f6f328 100644
--- a/src/scepclient/scepclient.c
+++ b/src/scepclient/scepclient.c
@@ -289,7 +289,7 @@ static void print_plugins()
 		len += snprintf(&buf[len], BUF_LEN-len, "%s ", plugin);
 	}
 	enumerator->destroy(enumerator);
-	DBG1("  loaded plugins: %s", buf);
+	DBG1(DBG_LIB, "  loaded plugins: %s", buf);
 }
 
 /**
diff --git a/src/starter/Makefile.am b/src/starter/Makefile.am
index 7524b5f26..a235013f2 100644
--- a/src/starter/Makefile.am
+++ b/src/starter/Makefile.am
@@ -38,7 +38,7 @@ if USE_CHARON
   AM_CFLAGS += -DSTART_CHARON
 endif
 
-lex.yy.c:	$(srcdir)/parser.l $(srcdir)/parser.y $(srcdir)/parser.h
+lex.yy.c:	$(srcdir)/parser.l $(srcdir)/parser.y $(srcdir)/parser.h y.tab.h
 		$(LEX) $(srcdir)/parser.l
 
 y.tab.c:	$(srcdir)/parser.y $(srcdir)/parser.l $(srcdir)/parser.h
diff --git a/src/starter/Makefile.in b/src/starter/Makefile.in
index 79ea9de32..11449f465 100644
--- a/src/starter/Makefile.in
+++ b/src/starter/Makefile.in
@@ -232,6 +232,7 @@ ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libhydra_plugins = @libhydra_plugins@
 libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
@@ -718,7 +719,7 @@ uninstall-man: uninstall-man5 uninstall-man8
 	uninstall-man8
 
 
-lex.yy.c:	$(srcdir)/parser.l $(srcdir)/parser.y $(srcdir)/parser.h
+lex.yy.c:	$(srcdir)/parser.l $(srcdir)/parser.y $(srcdir)/parser.h y.tab.h
 		$(LEX) $(srcdir)/parser.l
 
 y.tab.c:	$(srcdir)/parser.y $(srcdir)/parser.l $(srcdir)/parser.h
diff --git a/src/starter/args.c b/src/starter/args.c
index ebbd42cc8..512f2f46f 100644
--- a/src/starter/args.c
+++ b/src/starter/args.c
@@ -248,11 +248,12 @@ static const token_info_t token_info[] =
 
 	/* end keywords */
 	{ ARG_MISC, 0, NULL  /* KW_HOST */                                             },
+	{ ARG_UINT, offsetof(starter_end_t, ikeport), NULL                             },
 	{ ARG_MISC, 0, NULL  /* KW_NEXTHOP */                                          },
 	{ ARG_STR, offsetof(starter_end_t, subnet), NULL                               },
 	{ ARG_MISC, 0, NULL  /* KW_SUBNETWITHIN */                                     },
 	{ ARG_MISC, 0, NULL  /* KW_PROTOPORT */                                        },
-	{ ARG_MISC, 0, NULL  /* KW_SOURCEIP */		                                   },
+	{ ARG_STR,  offsetof(starter_end_t, sourceip), NULL                            },
 	{ ARG_MISC, 0, NULL  /* KW_NATIP */                                            },
 	{ ARG_ENUM, offsetof(starter_end_t, firewall), LST_bool                        },
 	{ ARG_ENUM, offsetof(starter_end_t, hostaccess), LST_bool                      },
diff --git a/src/starter/cmp.c b/src/starter/cmp.c
index 8462a4819..33a057b44 100644
--- a/src/starter/cmp.c
+++ b/src/starter/cmp.c
@@ -43,6 +43,7 @@ starter_cmp_end(starter_end_t *c1, starter_end_t *c2)
 	{
 		ADDCMP(addr);
 	}
+	VARCMP(ikeport);
 	ADDCMP(nexthop);
 	VARCMP(has_client);
 	VARCMP(has_client_wildcard);
diff --git a/src/starter/confread.c b/src/starter/confread.c
index 07cc11503..e9b9028d5 100644
--- a/src/starter/confread.c
+++ b/src/starter/confread.c
@@ -96,6 +96,8 @@ static void default_values(starter_config_t *cfg)
 	anyaddr(AF_INET, &cfg->conn_default.left.nexthop);
 	anyaddr(AF_INET, &cfg->conn_default.right.addr);
 	anyaddr(AF_INET, &cfg->conn_default.right.nexthop);
+	cfg->conn_default.left.ikeport = 500;
+	cfg->conn_default.right.ikeport = 500;
 
 	cfg->ca_default.seen = LEMPTY;
 }
@@ -105,8 +107,7 @@ static void default_values(starter_config_t *cfg)
 		else if (streq(kw->value, sn)) { conn->policy &= ~fl; } \
 		else { plog("# bad policy value: %s=%s", kw->entry->name, kw->value); cfg->err++; }
 
-static void
-load_setup(starter_config_t *cfg, config_parsed_t *cfgp)
+static void load_setup(starter_config_t *cfg, config_parsed_t *cfgp)
 {
 	kw_list_t *kw;
 
@@ -193,11 +194,13 @@ static void kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token,
 				streq(value, "%config") || streq(value, "%cfg"))
 			{
 				/* request ip via config payload */
+				free(end->sourceip);
 				end->sourceip = NULL;
 				end->sourceip_mask = 1;
 			}
 			else
 			{	/* %poolname, strip %, serve ip requests */
+				free(end->sourceip);
 				end->sourceip = clone_str(value+1);
 				end->sourceip_mask = 0;
 			}
@@ -221,6 +224,7 @@ static void kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token,
 					goto err;
 				 }
 				*pos = '\0';
+				free(end->sourceip);
 				end->sourceip = clone_str(value);
 				end->sourceip_mask = atoi(pos + 1);
 			}
@@ -232,7 +236,6 @@ static void kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token,
 					plog("# bad addr: %s=%s [%s]", name, value, ugh);
 					goto err;
 				}
-				end->sourceip = clone_str(value);
 				end->sourceip_mask = (conn->tunnel_addr_family == AF_INET) ?
 									  32 : 128;
 			}
@@ -419,8 +422,8 @@ err:
 /*
  * handles left|right=<FQDN> DNS resolution failure
  */
-static void
-handle_dns_failure( const char *label, starter_end_t *end, starter_config_t *cfg)
+static void handle_dns_failure(const char *label, starter_end_t *end,
+							   starter_config_t *cfg)
 {
 	if (end->dns_failed)
 	{
@@ -440,8 +443,8 @@ handle_dns_failure( const char *label, starter_end_t *end, starter_config_t *cfg
 /*
  * handles left|rightfirewall and left|rightupdown parameters
  */
-static void
-handle_firewall( const char *label, starter_end_t *end, starter_config_t *cfg)
+static void handle_firewall(const char *label, starter_end_t *end,
+							starter_config_t *cfg)
 {
 	if (end->firewall && (end->seen & LELEM(KW_FIREWALL - KW_END_FIRST)))
 	{
@@ -461,8 +464,7 @@ handle_firewall( const char *label, starter_end_t *end, starter_config_t *cfg)
 /*
  * parse a conn section
  */
-static void
-load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg)
+static void load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg)
 {
 	char *conn_name = (conn->name == NULL)? "%default":conn->name;
 
@@ -718,8 +720,7 @@ load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg)
 /*
  * initialize a conn object with the default conn
  */
-static void
-conn_default(char *name, starter_conn_t *conn, starter_conn_t *def)
+static void conn_default(char *name, starter_conn_t *conn, starter_conn_t *def)
 {
 	memcpy(conn, def, sizeof(starter_conn_t));
 	conn->name = clone_str(name);
@@ -732,8 +733,7 @@ conn_default(char *name, starter_conn_t *conn, starter_conn_t *def)
 /*
  * parse a ca section
  */
-static void
-load_ca(starter_ca_t *ca, kw_list_t *kw, starter_config_t *cfg)
+static void load_ca(starter_ca_t *ca, kw_list_t *kw, starter_config_t *cfg)
 {
 	char *ca_name = (ca->name == NULL)? "%default":ca->name;
 
@@ -786,8 +786,7 @@ load_ca(starter_ca_t *ca, kw_list_t *kw, starter_config_t *cfg)
 /*
  * initialize a ca object with the default ca
  */
-static void
-ca_default(char *name, starter_ca_t *ca, starter_ca_t *def)
+static void ca_default(char *name, starter_ca_t *ca, starter_ca_t *def)
 {
 	memcpy(ca, def, sizeof(starter_ca_t));
 	ca->name = clone_str(name);
@@ -795,11 +794,11 @@ ca_default(char *name, starter_ca_t *ca, starter_ca_t *def)
 	clone_args(KW_CA_FIRST, KW_CA_LAST, (char *)ca, (char *)def);
 }
 
-static kw_list_t*
-find_also_conn(const char* name, starter_conn_t *conn, starter_config_t *cfg);
+static kw_list_t* find_also_conn(const char* name, starter_conn_t *conn,
+								 starter_config_t *cfg);
 
-static void
-load_also_conns(starter_conn_t *conn, also_t *also, starter_config_t *cfg)
+static void load_also_conns(starter_conn_t *conn, also_t *also,
+							starter_config_t *cfg)
 {
 	while (also != NULL)
 	{
@@ -825,8 +824,8 @@ load_also_conns(starter_conn_t *conn, also_t *also, starter_config_t *cfg)
 /*
  * find a conn included by also
  */
-static kw_list_t*
-find_also_conn(const char* name, starter_conn_t *conn, starter_config_t *cfg)
+static kw_list_t* find_also_conn(const char* name, starter_conn_t *conn, 
+								 starter_config_t *cfg)
 {
 	starter_conn_t *c = cfg->conn_first;
 
@@ -852,11 +851,10 @@ find_also_conn(const char* name, starter_conn_t *conn, starter_config_t *cfg)
 	return NULL;
 }
 
-static kw_list_t*
-find_also_ca(const char* name, starter_ca_t *ca, starter_config_t *cfg);
+static kw_list_t* find_also_ca(const char* name, starter_ca_t *ca,
+							   starter_config_t *cfg);
 
-static void
-load_also_cas(starter_ca_t *ca, also_t *also, starter_config_t *cfg)
+static void load_also_cas(starter_ca_t *ca, also_t *also, starter_config_t *cfg)
 {
 	while (also != NULL)
 	{
@@ -882,8 +880,8 @@ load_also_cas(starter_ca_t *ca, also_t *also, starter_config_t *cfg)
 /*
  * find a ca included by also
  */
-static kw_list_t*
-find_also_ca(const char* name, starter_ca_t *ca, starter_config_t *cfg)
+static kw_list_t* find_also_ca(const char* name, starter_ca_t *ca,
+							   starter_config_t *cfg)
 {
 	starter_ca_t *c = cfg->ca_first;
 
@@ -912,8 +910,7 @@ find_also_ca(const char* name, starter_ca_t *ca, starter_config_t *cfg)
 /*
  * free the memory used by also_t objects
  */
-static void
-free_also(also_t *head)
+static void free_also(also_t *head)
 {
 	while (head != NULL)
 	{
@@ -928,8 +925,7 @@ free_also(also_t *head)
 /*
  * free the memory used by a starter_conn_t object
  */
-static void
-confread_free_conn(starter_conn_t *conn)
+static void confread_free_conn(starter_conn_t *conn)
 {
 	free_args(KW_END_FIRST, KW_END_LAST,  (char *)&conn->left);
 	free_args(KW_END_FIRST, KW_END_LAST,  (char *)&conn->right);
@@ -950,8 +946,7 @@ confread_free_ca(starter_ca_t *ca)
 /*
  * free the memory used by a starter_config_t object
  */
-void
-confread_free(starter_config_t *cfg)
+void confread_free(starter_config_t *cfg)
 {
 	starter_conn_t *conn = cfg->conn_first;
 	starter_ca_t   *ca   = cfg->ca_first;
@@ -986,8 +981,7 @@ confread_free(starter_config_t *cfg)
 /*
  * load and parse an IPsec configuration file
  */
-starter_config_t *
-confread_load(const char *file)
+starter_config_t* confread_load(const char *file)
 {
 	starter_config_t *cfg = NULL;
 	config_parsed_t  *cfgp;
diff --git a/src/starter/confread.h b/src/starter/confread.h
index 7f3211628..199fab642 100644
--- a/src/starter/confread.h
+++ b/src/starter/confread.h
@@ -66,6 +66,7 @@ struct starter_end {
 		char            *groups;
 		char            *iface;
 		ip_address      addr;
+		u_int           ikeport;
 		ip_address      nexthop;
 		char            *subnet;
 		bool            has_client;
diff --git a/src/starter/ipsec.conf.5 b/src/starter/ipsec.conf.5
index d4dd7238f..4cb1cb0fc 100644
--- a/src/starter/ipsec.conf.5
+++ b/src/starter/ipsec.conf.5
@@ -604,6 +604,13 @@ identity to use for a second authentication for the left participant
 (IKEv2 only); defaults to
 .BR leftid .
 .TP
+.B leftikeport
+UDP port the left participant uses for IKE communication. Currently supported in
+IKEv2 connections only. If unspecified, port 500 is used with port floating to
+4500 if NAT is detected or MOBIKE enabled. Specifying a local IKE port
+different from the default additionally requires a socket implementation that
+listens to this port.
+.TP
 .B leftnexthop
 this parameter is not needed any more because the NETKEY IPsec stack does
 not require explicit routing entries for the traffic to be tunneled.
diff --git a/src/starter/keywords.c b/src/starter/keywords.c
index e379f78e9..df39f0dc7 100644
--- a/src/starter/keywords.c
+++ b/src/starter/keywords.c
@@ -54,12 +54,12 @@ struct kw_entry {
     kw_token_t token;
 };
 
-#define TOTAL_KEYWORDS 119
+#define TOTAL_KEYWORDS 121
 #define MIN_WORD_LENGTH 3
 #define MAX_WORD_LENGTH 17
-#define MIN_HASH_VALUE 17
-#define MAX_HASH_VALUE 215
-/* maximum key range = 199, duplicates = 0 */
+#define MIN_HASH_VALUE 11
+#define MAX_HASH_VALUE 230
+/* maximum key range = 220, duplicates = 0 */
 
 #ifdef __GNUC__
 __inline
@@ -75,32 +75,32 @@ hash (str, len)
 {
   static const unsigned char asso_values[] =
     {
-      216, 216, 216, 216, 216, 216, 216, 216, 216, 216,
-      216, 216, 216, 216, 216, 216, 216, 216, 216, 216,
-      216, 216, 216, 216, 216, 216, 216, 216, 216, 216,
-      216, 216, 216, 216, 216, 216, 216, 216, 216, 216,
-      216, 216, 216, 216, 216, 216, 216, 216, 216,  12,
-       78, 216, 216, 216, 216, 216, 216, 216, 216, 216,
-      216, 216, 216, 216, 216, 216, 216, 216, 216, 216,
-      216, 216, 216, 216, 216, 216, 216, 216, 216, 216,
-      216, 216, 216, 216, 216, 216, 216, 216, 216, 216,
-      216, 216, 216, 216, 216,   4, 216,  20, 216,  45,
-       55,   4,  77,  14,  78,   4, 216, 119,   4,  89,
-       46,  34,  29, 216,   6,  12,   5,  56,  34, 216,
-        4,  20,   5, 216, 216, 216, 216, 216, 216, 216,
-      216, 216, 216, 216, 216, 216, 216, 216, 216, 216,
-      216, 216, 216, 216, 216, 216, 216, 216, 216, 216,
-      216, 216, 216, 216, 216, 216, 216, 216, 216, 216,
-      216, 216, 216, 216, 216, 216, 216, 216, 216, 216,
-      216, 216, 216, 216, 216, 216, 216, 216, 216, 216,
-      216, 216, 216, 216, 216, 216, 216, 216, 216, 216,
-      216, 216, 216, 216, 216, 216, 216, 216, 216, 216,
-      216, 216, 216, 216, 216, 216, 216, 216, 216, 216,
-      216, 216, 216, 216, 216, 216, 216, 216, 216, 216,
-      216, 216, 216, 216, 216, 216, 216, 216, 216, 216,
-      216, 216, 216, 216, 216, 216, 216, 216, 216, 216,
-      216, 216, 216, 216, 216, 216, 216, 216, 216, 216,
-      216, 216, 216, 216, 216, 216
+      231, 231, 231, 231, 231, 231, 231, 231, 231, 231,
+      231, 231, 231, 231, 231, 231, 231, 231, 231, 231,
+      231, 231, 231, 231, 231, 231, 231, 231, 231, 231,
+      231, 231, 231, 231, 231, 231, 231, 231, 231, 231,
+      231, 231, 231, 231, 231, 231, 231, 231, 231,  26,
+       75, 231, 231, 231, 231, 231, 231, 231, 231, 231,
+      231, 231, 231, 231, 231, 231, 231, 231, 231, 231,
+      231, 231, 231, 231, 231, 231, 231, 231, 231, 231,
+      231, 231, 231, 231, 231, 231, 231, 231, 231, 231,
+      231, 231, 231, 231, 231,   2, 231,  25, 231,  40,
+       61,   2, 114,  24,   3,   2, 231, 101,   2,  96,
+       48,  35,  23, 231,   4,  10,   3,  69,  25, 231,
+        2,  18,  16, 231, 231, 231, 231, 231, 231, 231,
+      231, 231, 231, 231, 231, 231, 231, 231, 231, 231,
+      231, 231, 231, 231, 231, 231, 231, 231, 231, 231,
+      231, 231, 231, 231, 231, 231, 231, 231, 231, 231,
+      231, 231, 231, 231, 231, 231, 231, 231, 231, 231,
+      231, 231, 231, 231, 231, 231, 231, 231, 231, 231,
+      231, 231, 231, 231, 231, 231, 231, 231, 231, 231,
+      231, 231, 231, 231, 231, 231, 231, 231, 231, 231,
+      231, 231, 231, 231, 231, 231, 231, 231, 231, 231,
+      231, 231, 231, 231, 231, 231, 231, 231, 231, 231,
+      231, 231, 231, 231, 231, 231, 231, 231, 231, 231,
+      231, 231, 231, 231, 231, 231, 231, 231, 231, 231,
+      231, 231, 231, 231, 231, 231, 231, 231, 231, 231,
+      231, 231, 231, 231, 231, 231
     };
   register int hval = len;
 
@@ -128,119 +128,121 @@ static const struct kw_entry wordlist[] =
     {"right",             KW_RIGHT},
     {"lifetime",          KW_KEYLIFE},
     {"leftcert",          KW_LEFTCERT,},
+    {"reauth",            KW_REAUTH},
     {"leftfirewall",      KW_LEFTFIREWALL},
     {"leftsendcert",      KW_LEFTSENDCERT},
+    {"rightikeport",      KW_RIGHTIKEPORT},
     {"leftprotoport",     KW_LEFTPROTOPORT},
     {"type",              KW_TYPE},
-    {"rekey",             KW_REKEY},
     {"leftgroups",        KW_LEFTGROUPS},
+    {"rekey",             KW_REKEY},
     {"rightsubnet",       KW_RIGHTSUBNET},
     {"rightsendcert",     KW_RIGHTSENDCERT},
+    {"righthostaccess",   KW_RIGHTHOSTACCESS},
+    {"xauth",             KW_XAUTH},
     {"leftallowany",      KW_LEFTALLOWANY},
-    {"rightgroups",       KW_RIGHTGROUPS},
     {"esp",               KW_ESP},
+    {"leftnexthop",       KW_LEFTNEXTHOP},
     {"lifebytes",         KW_LIFEBYTES},
     {"rightrsasigkey",    KW_RIGHTRSASIGKEY},
-    {"lifepackets",       KW_LIFEPACKETS},
-    {"leftnexthop",       KW_LEFTNEXTHOP},
+    {"rightauth",         KW_RIGHTAUTH},
     {"leftrsasigkey",     KW_LEFTRSASIGKEY},
-    {"leftca",            KW_LEFTCA},
-    {"eap",               KW_EAP},
-    {"strictcrlpolicy",   KW_STRICTCRLPOLICY},
     {"rightprotoport",    KW_RIGHTPROTOPORT},
     {"plutostart",        KW_PLUTOSTART},
-    {"also",              KW_ALSO},
-    {"rightallowany",     KW_RIGHTALLOWANY},
+    {"strictcrlpolicy",   KW_STRICTCRLPOLICY},
+    {"lifepackets",       KW_LIFEPACKETS},
+    {"rightgroups",       KW_RIGHTGROUPS},
     {"rightsourceip",     KW_RIGHTSOURCEIP},
+    {"eap",               KW_EAP},
     {"crluri",            KW_CRLURI},
-    {"leftnatip",         KW_LEFTNATIP},
-    {"lefthostaccess",    KW_LEFTHOSTACCESS},
+    {"hidetos",           KW_HIDETOS},
     {"rightcert",         KW_RIGHTCERT},
     {"certuribase",       KW_CERTURIBASE},
+    {"leftca",            KW_LEFTCA},
+    {"leftnatip",         KW_LEFTNATIP},
+    {"rightallowany",     KW_RIGHTALLOWANY},
+    {"lefthostaccess",    KW_LEFTHOSTACCESS},
+    {"crlcheckinterval",  KW_CRLCHECKINTERVAL},
+    {"also",              KW_ALSO},
     {"packetdefault",     KW_PACKETDEFAULT},
+    {"virtual_private",   KW_VIRTUAL_PRIVATE},
     {"plutostderrlog",    KW_PLUTOSTDERRLOG},
-    {"crluri1",           KW_CRLURI},
-    {"crlcheckinterval",  KW_CRLCHECKINTERVAL},
+    {"leftsourceip",      KW_LEFTSOURCEIP},
     {"rightid",           KW_RIGHTID},
-    {"virtual_private",   KW_VIRTUAL_PRIVATE},
-    {"leftsubnet",        KW_LEFTSUBNET},
     {"cacert",            KW_CACERT},
     {"rightca",           KW_RIGHTCA},
-    {"leftsourceip",      KW_LEFTSOURCEIP},
+    {"crluri1",           KW_CRLURI},
     {"inactivity",        KW_INACTIVITY},
     {"rightsubnetwithin", KW_RIGHTSUBNETWITHIN},
     {"installpolicy",     KW_INSTALLPOLICY},
-    {"nat_traversal",     KW_NAT_TRAVERSAL},
-    {"ldapbase",          KW_LDAPBASE},
+    {"leftauth",          KW_LEFTAUTH},
     {"leftupdown",        KW_LEFTUPDOWN},
+    {"leftsubnet",        KW_LEFTSUBNET},
     {"rightnatip",        KW_RIGHTNATIP},
     {"ocspuri",           KW_OCSPURI},
     {"rightnexthop",      KW_RIGHTNEXTHOP},
     {"leftcert2",         KW_LEFTCERT2,},
     {"rightid2",          KW_RIGHTID2},
-    {"rekeyfuzz",         KW_REKEYFUZZ},
+    {"nat_traversal",     KW_NAT_TRAVERSAL},
     {"compress",          KW_COMPRESS},
-    {"rightfirewall",     KW_RIGHTFIREWALL},
-    {"ocspuri1",          KW_OCSPURI},
-    {"ldaphost",          KW_LDAPHOST},
-    {"xauth",             KW_XAUTH},
+    {"ldapbase",          KW_LDAPBASE},
+    {"auth",              KW_AUTH},
     {"postpluto",         KW_POSTPLUTO},
-    {"eap_identity",      KW_EAP_IDENTITY},
-    {"plutodebug",        KW_PLUTODEBUG},
+    {"charonstart",       KW_CHARONSTART},
+    {"ike",               KW_IKE},
+    {"ldaphost",          KW_LDAPHOST},
     {"leftca2",           KW_LEFTCA2},
-    {"auto",              KW_AUTO},
-    {"righthostaccess",   KW_RIGHTHOSTACCESS},
     {"dpddelay",          KW_DPDDELAY},
-    {"rightauth",         KW_RIGHTAUTH},
+    {"ocspuri1",          KW_OCSPURI},
     {"rightauth2",        KW_RIGHTAUTH2},
-    {"pfs",               KW_PFS},
-    {"authby",            KW_AUTHBY},
-    {"rightupdown",       KW_RIGHTUPDOWN},
+    {"eap_identity",      KW_EAP_IDENTITY},
+    {"leftikeport",       KW_LEFTIKEPORT},
+    {"plutodebug",        KW_PLUTODEBUG},
+    {"cachecrls",         KW_CACHECRLS},
+    {"charondebug",       KW_CHARONDEBUG},
+    {"crluri2",           KW_CRLURI2},
+    {"rightca2",          KW_RIGHTCA2},
+    {"mediated_by",       KW_MEDIATED_BY},
+    {"rightcert2",        KW_RIGHTCERT2},
     {"leftid",            KW_LEFTID},
+    {"auto",              KW_AUTO},
+    {"rightupdown",       KW_RIGHTUPDOWN},
+    {"rightfirewall",     KW_RIGHTFIREWALL},
+    {"authby",            KW_AUTHBY},
     {"leftsubnetwithin",  KW_LEFTSUBNETWITHIN},
     {"uniqueids",         KW_UNIQUEIDS},
-    {"dumpdir",           KW_DUMPDIR},
-    {"mediated_by",       KW_MEDIATED_BY},
-    {"ike",               KW_IKE},
-    {"cachecrls",         KW_CACHECRLS},
     {"prepluto",          KW_PREPLUTO},
-    {"force_keepalive",   KW_FORCE_KEEPALIVE},
-    {"hidetos",           KW_HIDETOS},
+    {"keep_alive",        KW_KEEP_ALIVE},
     {"mobike",	           KW_MOBIKE},
-    {"forceencaps",       KW_FORCEENCAPS},
     {"overridemtu",       KW_OVERRIDEMTU},
-    {"crluri2",           KW_CRLURI2},
-    {"rightca2",          KW_RIGHTCA2},
-    {"rightcert2",        KW_RIGHTCERT2},
+    {"dumpdir",           KW_DUMPDIR},
     {"dpdaction",         KW_DPDACTION},
-    {"nocrsend",          KW_NOCRSEND},
+    {"rekeyfuzz",         KW_REKEYFUZZ},
     {"leftid2",           KW_LEFTID2},
-    {"interfaces",        KW_INTERFACES},
-    {"leftauth",          KW_LEFTAUTH},
+    {"keyingtries",       KW_KEYINGTRIES},
+    {"pfs",               KW_PFS},
+    {"nocrsend",          KW_NOCRSEND},
+    {"keyexchange",       KW_KEYEXCHANGE},
     {"leftauth2",         KW_LEFTAUTH2},
     {"mediation",         KW_MEDIATION},
     {"rekeymargin",       KW_REKEYMARGIN},
-    {"keep_alive",        KW_KEEP_ALIVE},
-    {"auth",              KW_AUTH},
-    {"keyingtries",       KW_KEYINGTRIES},
-    {"me_peerid",         KW_ME_PEERID},
-    {"fragicmp",          KW_FRAGICMP},
-    {"margintime",        KW_REKEYMARGIN},
     {"ocspuri2",          KW_OCSPURI2},
-    {"reauth",            KW_REAUTH},
     {"pkcs11module",      KW_PKCS11MODULE},
-    {"pfsgroup",          KW_PFSGROUP},
-    {"marginbytes",       KW_MARGINBYTES},
     {"pkcs11keepstate",   KW_PKCS11KEEPSTATE},
-    {"marginpackets",     KW_MARGINPACKETS},
-    {"modeconfig",        KW_MODECONFIG},
-    {"keyexchange",       KW_KEYEXCHANGE},
-    {"charonstart",       KW_CHARONSTART},
+    {"force_keepalive",   KW_FORCE_KEEPALIVE},
+    {"me_peerid",         KW_ME_PEERID},
+    {"forceencaps",       KW_FORCEENCAPS},
     {"pkcs11initargs",    KW_PKCS11INITARGS},
-    {"dpdtimeout",        KW_DPDTIMEOUT},
     {"pkcs11proxy",       KW_PKCS11PROXY},
-    {"charondebug",       KW_CHARONDEBUG},
+    {"margintime",        KW_REKEYMARGIN},
+    {"interfaces",        KW_INTERFACES},
+    {"fragicmp",          KW_FRAGICMP},
+    {"marginbytes",       KW_MARGINBYTES},
+    {"marginpackets",     KW_MARGINPACKETS},
+    {"dpdtimeout",        KW_DPDTIMEOUT},
     {"klipsdebug",        KW_KLIPSDEBUG},
+    {"modeconfig",        KW_MODECONFIG},
+    {"pfsgroup",          KW_PFSGROUP},
     {"keylife",           KW_KEYLIFE},
     {"ikelifetime",       KW_IKELIFETIME}
   };
@@ -248,27 +250,29 @@ static const struct kw_entry wordlist[] =
 static const short lookup[] =
   {
      -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,
-     -1,  -1,  -1,  -1,  -1,  -1,  -1,   0,  -1,  -1,
-      1,  -1,  -1,  -1,   2,   3,  -1,  -1,   4,   5,
-     -1,  -1,   6,   7,  -1,   8,   9,  -1,  10,  -1,
-     11,  -1,  -1,  -1,  12,  -1,  -1,  13,  14,  15,
-     16,  17,  18,  19,  20,  -1,  21,  22,  23,  -1,
-     24,  -1,  25,  26,  27,  28,  29,  -1,  30,  31,
-     32,  -1,  33,  34,  35,  36,  37,  38,  -1,  39,
-     -1,  40,  41,  42,  43,  44,  -1,  45,  -1,  46,
-     -1,  47,  -1,  48,  -1,  49,  50,  51,  -1,  52,
-     53,  54,  -1,  55,  56,  57,  58,  59,  -1,  -1,
-     60,  61,  62,  63,  64,  65,  66,  67,  68,  -1,
-     -1,  69,  70,  71,  72,  -1,  73,  74,  75,  76,
-     77,  78,  -1,  79,  80,  81,  -1,  82,  83,  84,
-     85,  86,  -1,  87,  88,  -1,  -1,  89,  90,  91,
-     92,  93,  -1,  94,  -1,  -1,  95,  96,  97,  -1,
-     98,  99,  -1,  -1,  -1, 100,  -1,  -1,  -1, 101,
-     -1, 102, 103,  -1,  -1,  -1, 104, 105, 106, 107,
-    108, 109,  -1, 110,  -1, 111, 112,  -1, 113,  -1,
-     -1, 114,  -1,  -1, 115,  -1,  -1,  -1,  -1,  -1,
-     -1,  -1, 116,  -1,  -1,  -1,  -1,  -1,  -1,  -1,
-     -1, 117,  -1,  -1,  -1, 118
+     -1,   0,  -1,  -1,   1,  -1,   2,   3,   4,  -1,
+      5,   6,  -1,   7,   8,  -1,  -1,   9,  10,  11,
+     12,  -1,  13,  -1,  14,  15,  16,  -1,  17,  -1,
+     18,  19,  20,  21,  -1,  22,  23,  -1,  24,  25,
+     26,  27,  28,  29,  30,  -1,  -1,  31,  32,  33,
+     34,  35,  36,  37,  38,  -1,  39,  40,  -1,  41,
+     -1,  -1,  -1,  42,  43,  -1,  44,  45,  46,  47,
+     48,  49,  -1,  50,  51,  52,  53,  54,  55,  56,
+     57,  58,  59,  -1,  -1,  60,  -1,  -1,  61,  -1,
+     -1,  62,  -1,  -1,  63,  64,  -1,  -1,  65,  66,
+     -1,  67,  68,  69,  -1,  -1,  70,  -1,  71,  72,
+     73,  -1,  -1,  -1,  74,  -1,  75,  -1,  76,  77,
+     78,  79,  80,  81,  82,  83,  84,  85,  86,  87,
+     88,  89,  90,  91,  92,  93,  -1,  94,  95,  -1,
+     96,  -1,  -1,  -1,  97,  -1,  98,  99, 100,  -1,
+     -1, 101, 102,  -1, 103,  -1,  -1, 104, 105,  -1,
+    106,  -1, 107,  -1, 108,  -1,  -1,  -1,  -1, 109,
+     -1, 110,  -1,  -1, 111,  -1,  -1,  -1,  -1, 112,
+    113,  -1, 114, 115,  -1,  -1,  -1,  -1, 116,  -1,
+    117,  -1,  -1, 118,  -1,  -1,  -1,  -1,  -1,  -1,
+     -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,
+     -1,  -1,  -1,  -1,  -1,  -1, 119,  -1,  -1,  -1,
+    120
   };
 
 #ifdef __GNUC__
diff --git a/src/starter/keywords.h b/src/starter/keywords.h
index 8be31d148..6c3907a6a 100644
--- a/src/starter/keywords.h
+++ b/src/starter/keywords.h
@@ -118,6 +118,7 @@ typedef enum {
    /* end keywords */
 	KW_HOST,
 	KW_NEXTHOP,
+	KW_IKEPORT,
 	KW_SUBNET,
 	KW_SUBNETWITHIN,
 	KW_PROTOPORT,
@@ -145,6 +146,7 @@ typedef enum {
 
    /* left end keywords */
 	KW_LEFT,
+	KW_LEFTIKEPORT,
 	KW_LEFTNEXTHOP,
 	KW_LEFTSUBNET,
 	KW_LEFTSUBNETWITHIN,
@@ -172,6 +174,7 @@ typedef enum {
 
    /* right end keywords */
 	KW_RIGHT,
+	KW_RIGHTIKEPORT,
 	KW_RIGHTNEXTHOP,
 	KW_RIGHTSUBNET,
 	KW_RIGHTSUBNETWITHIN,
diff --git a/src/starter/keywords.txt b/src/starter/keywords.txt
index adf3069bf..12037a685 100644
--- a/src/starter/keywords.txt
+++ b/src/starter/keywords.txt
@@ -98,6 +98,7 @@ ocspuri1,          KW_OCSPURI
 ocspuri2,          KW_OCSPURI2
 certuribase,       KW_CERTURIBASE
 left,              KW_LEFT
+leftikeport,       KW_LEFTIKEPORT
 leftnexthop,       KW_LEFTNEXTHOP
 leftsubnet,        KW_LEFTSUBNET
 leftsubnetwithin,  KW_LEFTSUBNETWITHIN
@@ -120,6 +121,7 @@ leftca,            KW_LEFTCA
 leftca2,           KW_LEFTCA2
 leftgroups,        KW_LEFTGROUPS
 right,             KW_RIGHT
+rightikeport,      KW_RIGHTIKEPORT
 rightnexthop,      KW_RIGHTNEXTHOP
 rightsubnet,       KW_RIGHTSUBNET
 rightsubnetwithin, KW_RIGHTSUBNETWITHIN
diff --git a/src/starter/lex.yy.c b/src/starter/lex.yy.c
index 4596c0cc3..13bf87f0b 100644
--- a/src/starter/lex.yy.c
+++ b/src/starter/lex.yy.c
@@ -513,7 +513,8 @@ char *yytext;
 #define MAX_INCLUDE_DEPTH  20
 
 extern void yyerror(const char *);
-extern int yylex (void);
+extern int yylex(void);
+extern int yylex_destroy(void);
 
 static struct {
 	int stack_ptr;
@@ -557,6 +558,7 @@ void _parser_y_fini (void)
 			fclose(__parser_y_private.file[i]);
 	}
 	memset(&__parser_y_private, 0, sizeof(__parser_y_private));
+	yylex_destroy();
 }
 
 int _parser_y_include (const char *filename)
@@ -617,7 +619,7 @@ int _parser_y_include (const char *filename)
 	return 0;
 }
 
-#line 621 "lex.yy.c"
+#line 623 "lex.yy.c"
 
 #define INITIAL 0
 
@@ -805,10 +807,10 @@ YY_DECL
 	register char *yy_cp, *yy_bp;
 	register int yy_act;
     
-#line 133 "./parser.l"
+#line 135 "./parser.l"
 
 
-#line 812 "lex.yy.c"
+#line 814 "lex.yy.c"
 
 	if ( !(yy_init) )
 		{
@@ -893,7 +895,7 @@ do_action:	/* This label is used only to access EOF actions. */
 			goto yy_find_action;
 
 case YY_STATE_EOF(INITIAL):
-#line 135 "./parser.l"
+#line 137 "./parser.l"
 {
 		if (__parser_y_private.filename[__parser_y_private.stack_ptr]) {
 				free(__parser_y_private.filename[__parser_y_private.stack_ptr]);
@@ -913,23 +915,23 @@ case YY_STATE_EOF(INITIAL):
 	YY_BREAK
 case 1:
 YY_RULE_SETUP
-#line 152 "./parser.l"
+#line 154 "./parser.l"
 return FIRST_SPACES;
 	YY_BREAK
 case 2:
 YY_RULE_SETUP
-#line 154 "./parser.l"
+#line 156 "./parser.l"
 /* ignore spaces in line */ ;
 	YY_BREAK
 case 3:
 YY_RULE_SETUP
-#line 156 "./parser.l"
+#line 158 "./parser.l"
 return EQUAL;
 	YY_BREAK
 case 4:
 /* rule 4 can match eol */
 YY_RULE_SETUP
-#line 158 "./parser.l"
+#line 160 "./parser.l"
 {
 										__parser_y_private.line[__parser_y_private.stack_ptr]++;
 										return EOL;
@@ -937,37 +939,37 @@ YY_RULE_SETUP
 	YY_BREAK
 case 5:
 YY_RULE_SETUP
-#line 163 "./parser.l"
+#line 165 "./parser.l"
 return CONFIG;
 	YY_BREAK
 case 6:
 YY_RULE_SETUP
-#line 164 "./parser.l"
+#line 166 "./parser.l"
 return SETUP;
 	YY_BREAK
 case 7:
 YY_RULE_SETUP
-#line 165 "./parser.l"
+#line 167 "./parser.l"
 return CONN;
 	YY_BREAK
 case 8:
 YY_RULE_SETUP
-#line 166 "./parser.l"
+#line 168 "./parser.l"
 return CA;
 	YY_BREAK
 case 9:
 YY_RULE_SETUP
-#line 167 "./parser.l"
+#line 169 "./parser.l"
 return INCLUDE;
 	YY_BREAK
 case 10:
 YY_RULE_SETUP
-#line 168 "./parser.l"
+#line 170 "./parser.l"
 return FILE_VERSION;
 	YY_BREAK
 case 11:
 YY_RULE_SETUP
-#line 170 "./parser.l"
+#line 172 "./parser.l"
 {
 										yylval.s = strdup(yytext);
 										return STRING;
@@ -975,7 +977,7 @@ YY_RULE_SETUP
 	YY_BREAK
 case 12:
 YY_RULE_SETUP
-#line 175 "./parser.l"
+#line 177 "./parser.l"
 {
 										yylval.s = strdup(yytext+1);
 										if (yylval.s) yylval.s[strlen(yylval.s)-1]='\0';
@@ -984,15 +986,15 @@ YY_RULE_SETUP
 	YY_BREAK
 case 13:
 YY_RULE_SETUP
-#line 181 "./parser.l"
+#line 183 "./parser.l"
 yyerror(yytext);
 	YY_BREAK
 case 14:
 YY_RULE_SETUP
-#line 183 "./parser.l"
+#line 185 "./parser.l"
 ECHO;
 	YY_BREAK
-#line 996 "lex.yy.c"
+#line 998 "lex.yy.c"
 
 	case YY_END_OF_BUFFER:
 		{
@@ -1954,7 +1956,7 @@ void yyfree (void * ptr )
 
 #define YYTABLES_NAME "yytables"
 
-#line 183 "./parser.l"
+#line 185 "./parser.l"
 
 
 
diff --git a/src/starter/parser.l b/src/starter/parser.l
index 5857c0815..c45847c5c 100644
--- a/src/starter/parser.l
+++ b/src/starter/parser.l
@@ -24,7 +24,8 @@
 #define MAX_INCLUDE_DEPTH  20
 
 extern void yyerror(const char *);
-extern int yylex (void);
+extern int yylex(void);
+extern int yylex_destroy(void);
 
 static struct {
 	int stack_ptr;
@@ -68,6 +69,7 @@ void _parser_y_fini (void)
 			fclose(__parser_y_private.file[i]);
 	}
 	memset(&__parser_y_private, 0, sizeof(__parser_y_private));
+	yylex_destroy();
 }
 
 int _parser_y_include (const char *filename)
diff --git a/src/starter/parser.y b/src/starter/parser.y
index 4533228c2..b0b1f6f21 100644
--- a/src/starter/parser.y
+++ b/src/starter/parser.y
@@ -156,21 +156,20 @@ statement_kw:
 
 %%
 
-void
-yyerror(const char *s)
+void yyerror(const char *s)
 {
 	if (_save_errors_)
 		_parser_y_error(parser_errstring, ERRSTRING_LEN, s);
 }
 
-config_parsed_t *
-parser_load_conf(const char *file)
+config_parsed_t *parser_load_conf(const char *file)
 {
 	config_parsed_t *cfg = NULL;
 	int err = 0;
 	FILE *f;
 
-	extern void _parser_y_init (const char *f);
+	extern void _parser_y_init(const char *f);
+	extern void _parser_y_fini(void);
 	extern FILE *yyin;
 
 	memset(parser_errstring, 0, ERRSTRING_LEN+1);
@@ -231,11 +230,11 @@ parser_load_conf(const char *file)
 		cfg = NULL;
 	}
 
+	_parser_y_fini();
 	return cfg;
 }
 
-static void
-parser_free_kwlist(kw_list_t *list)
+static void parser_free_kwlist(kw_list_t *list)
 {
 	kw_list_t *elt;
 
@@ -248,8 +247,7 @@ parser_free_kwlist(kw_list_t *list)
 	}
 }
 
-void
-parser_free_conf(config_parsed_t *cfg)
+void parser_free_conf(config_parsed_t *cfg)
 {
 	section_list_t *sec;
 	if (cfg)
diff --git a/src/starter/starter.c b/src/starter/starter.c
index 0aab76d43..50ef9c07b 100644
--- a/src/starter/starter.c
+++ b/src/starter/starter.c
@@ -28,6 +28,7 @@
 #include <grp.h>
 
 #include <freeswan.h>
+#include <library.h>
 
 #include "../pluto/constants.h"
 #include "../pluto/defs.h"
@@ -245,6 +246,9 @@ int main (int argc, char **argv)
 	log_to_stderr = TRUE;
 	base_debugging = DBG_NONE;
 
+	library_init(NULL);
+	atexit(library_deinit);
+
 	/* parse command line */
 	for (i = 1; i < argc; i++)
 	{
@@ -358,6 +362,7 @@ int main (int argc, char **argv)
 	if (stat(STARTER_PID_FILE, &stb) == 0)
 	{
 		plog("starter is already running (%s exists) -- no fork done", STARTER_PID_FILE);
+		confread_free(cfg);
 		exit(LSB_RC_SUCCESS);
 	}
 
@@ -388,6 +393,7 @@ int main (int argc, char **argv)
 				plog("can't fork: %s", strerror(errno));
 				break;
 			default:
+				confread_free(cfg);
 				exit(LSB_RC_SUCCESS);
 		}
 	}
@@ -422,11 +428,8 @@ int main (int argc, char **argv)
 			confread_free(cfg);
 			unlink(STARTER_PID_FILE);
 			unlink(INFO_FILE);
-#ifdef LEAK_DETECTIVE
-			report_leaks();
-#endif /* LEAK_DETECTIVE */
-			close_log();
 			plog("ipsec starter stopped");
+			close_log();
 			exit(LSB_RC_SUCCESS);
 		}
 
diff --git a/src/starter/starterstroke.c b/src/starter/starterstroke.c
index 665350c00..d877661ec 100644
--- a/src/starter/starterstroke.c
+++ b/src/starter/starterstroke.c
@@ -186,6 +186,7 @@ static void starter_stroke_add_end(stroke_msg_t *msg, stroke_end_t *msg_end, sta
 	msg_end->updown = push_string(msg, conn_end->updown);
 	ip_address2string(&conn_end->addr, buffer, sizeof(buffer));
 	msg_end->address = push_string(msg, buffer);
+	msg_end->ikeport = conn_end->ikeport;
 	msg_end->subnets = push_string(msg, conn_end->subnet);
 	msg_end->sourceip = push_string(msg, conn_end->sourceip);
 	msg_end->sourceip_mask = conn_end->sourceip_mask;
diff --git a/src/starter/starterwhack.c b/src/starter/starterwhack.c
index 67916395f..527142a4e 100644
--- a/src/starter/starterwhack.c
+++ b/src/starter/starterwhack.c
@@ -91,6 +91,8 @@ static int send_whack_msg (whack_message_t *msg)
 	||  !pack_str(&msg->ike,            &str_next, &str_roof)
 	||  !pack_str(&msg->esp,            &str_next, &str_roof)
 	||  !pack_str(&msg->sc_data,        &str_next, &str_roof)
+	||  !pack_str(&msg->whack_lease_ip, &str_next, &str_roof)
+	||  !pack_str(&msg->whack_lease_id, &str_next, &str_roof)
 	||  (str_roof - str_next < msg->keyval.len))
 	{
 		plog("send_wack_msg(): can't pack strings");
@@ -138,14 +140,12 @@ static void init_whack_msg(whack_message_t *msg)
 	msg->magic = WHACK_MAGIC;
 }
 
-static char *connection_name(starter_conn_t *conn)
+static char *connection_name(starter_conn_t *conn, char *buf, size_t size)
 {
 	/* if connection name is '%auto', create a new name like conn_xxxxx */
-	static char buf[32];
-
 	if (streq(conn->name, "%auto"))
 	{
-		sprintf(buf, "conn_%ld", conn->id);
+		snprintf(buf, size, "conn_%ld", conn->id);
 		return buf;
 	}
 	return conn->name;
@@ -161,7 +161,7 @@ static void set_whack_end(whack_end_t *w, starter_end_t *end, sa_family_t family
 	w->has_client          = end->has_client;
 	w->sourceip            = end->sourceip;
 	w->sourceip_mask       = end->sourceip_mask;
-	
+
 	if (end->sourceip && end->sourceip_mask > 0)
 	{
 		ttoaddr(end->sourceip, 0, ip_version(end->sourceip), &w->host_srcip);
@@ -226,10 +226,11 @@ starter_whack_add_pubkey (starter_conn_t *conn, starter_end_t *end
 {
 	const char *err;
 	static char keyspace[1024 + 4];
-	char buf[ADDRTOT_BUF];
+	char buf[ADDRTOT_BUF], name[32];
 	whack_message_t msg;
 
 	init_whack_msg(&msg);
+	connection_name(conn, name, sizeof(name));
 
 	msg.whack_key = TRUE;
 	msg.pubkey_alg = PUBKEY_ALG_RSA;
@@ -246,7 +247,7 @@ starter_whack_add_pubkey (starter_conn_t *conn, starter_end_t *end
 		err = atobytes(end->rsakey, 0, keyspace, sizeof(keyspace), &msg.keyval.len);
 		if (err)
 		{
-			plog("conn %s/%s: rsakey malformed [%s]", connection_name(conn), lr, err);
+			plog("conn %s/%s: rsakey malformed [%s]", name, lr, err);
 			return 1;
 		}
 		if (end->id)
@@ -266,13 +267,14 @@ starter_whack_add_pubkey (starter_conn_t *conn, starter_end_t *end
 
 int starter_whack_add_conn(starter_conn_t *conn)
 {
+	char esp_buf[256], name[32];
 	whack_message_t msg;
 	int r;
 
 	init_whack_msg(&msg);
 
 	msg.whack_connection = TRUE;
-	msg.name = connection_name(conn);
+	msg.name = connection_name(conn, name, sizeof(name));
 
 	msg.ikev1                 = conn->keyexchange != KEY_EXCHANGE_IKEV2;
 	msg.addr_family           = conn->addr_family;
@@ -302,8 +304,6 @@ int starter_whack_add_conn(starter_conn_t *conn)
 	/* taken from pluto/whack.c */
 	if (msg.pfsgroup)
 	{
-		char esp_buf[256];
-
 		snprintf(esp_buf, sizeof (esp_buf), "%s;%s"
 				   , msg.esp ? msg.esp : ""
 				   , msg.pfsgroup ? msg.pfsgroup : "");
@@ -331,32 +331,35 @@ int starter_whack_add_conn(starter_conn_t *conn)
 
 int starter_whack_del_conn(starter_conn_t *conn)
 {
+	char name[32];
 	whack_message_t msg;
 
 	init_whack_msg(&msg);
 	msg.whack_delete = TRUE;
-	msg.name = connection_name(conn);
+	msg.name = connection_name(conn, name, sizeof(name));
 	return send_whack_msg(&msg);
 }
 
 int starter_whack_route_conn(starter_conn_t *conn)
 {
+	char name[32];
 	whack_message_t msg;
 
 	init_whack_msg(&msg);
 	msg.whack_route = TRUE;
-	msg.name = connection_name(conn);
+	msg.name = connection_name(conn, name, sizeof(name));
 	return send_whack_msg(&msg);
 }
 
 int starter_whack_initiate_conn(starter_conn_t *conn)
 {
+	char name[32];
 	whack_message_t msg;
 
 	init_whack_msg(&msg);
 	msg.whack_initiate = TRUE;
 	msg.whack_async = TRUE;
-	msg.name = connection_name(conn);
+	msg.name = connection_name(conn, name, sizeof(name));
 	return send_whack_msg(&msg);
 }
 
diff --git a/src/starter/y.tab.c b/src/starter/y.tab.c
index b78c1b1f9..504b5589e 100644
--- a/src/starter/y.tab.c
+++ b/src/starter/y.tab.c
@@ -1,24 +1,23 @@
-/* A Bison parser, made by GNU Bison 2.3.  */
 
-/* Skeleton implementation for Bison's Yacc-like parsers in C
+/* A Bison parser, made by GNU Bison 2.4.1.  */
 
-   Copyright (C) 1984, 1989, 1990, 2000, 2001, 2002, 2003, 2004, 2005, 2006
+/* Skeleton implementation for Bison's Yacc-like parsers in C
+   
+      Copyright (C) 1984, 1989, 1990, 2000, 2001, 2002, 2003, 2004, 2005, 2006
    Free Software Foundation, Inc.
-
-   This program is free software; you can redistribute it and/or modify
+   
+   This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
-   the Free Software Foundation; either version 2, or (at your option)
-   any later version.
-
+   the Free Software Foundation, either version 3 of the License, or
+   (at your option) any later version.
+   
    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.
-
+   
    You should have received a copy of the GNU General Public License
-   along with this program; if not, write to the Free Software
-   Foundation, Inc., 51 Franklin Street, Fifth Floor,
-   Boston, MA 02110-1301, USA.  */
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.  */
 
 /* As a special exception, you may create a larger work that contains
    part or all of the Bison parser skeleton and distribute that work
@@ -29,7 +28,7 @@
    special exception, which will cause the skeleton and the resulting
    Bison output files to be licensed under the GNU General Public
    License without this special exception.
-
+   
    This special exception was added by the Free Software Foundation in
    version 2.2 of Bison.  */
 
@@ -47,7 +46,7 @@
 #define YYBISON 1
 
 /* Bison version.  */
-#define YYBISON_VERSION "2.3"
+#define YYBISON_VERSION "2.4.1"
 
 /* Skeleton name.  */
 #define YYSKELETON_NAME "yacc.c"
@@ -55,45 +54,20 @@
 /* Pure parsers.  */
 #define YYPURE 0
 
-/* Using locations.  */
-#define YYLSP_NEEDED 0
-
+/* Push parsers.  */
+#define YYPUSH 0
 
+/* Pull parsers.  */
+#define YYPULL 1
 
-/* Tokens.  */
-#ifndef YYTOKENTYPE
-# define YYTOKENTYPE
-   /* Put the tokens into the symbol table, so that GDB and other debuggers
-      know about them.  */
-   enum yytokentype {
-     EQUAL = 258,
-     FIRST_SPACES = 259,
-     EOL = 260,
-     CONFIG = 261,
-     SETUP = 262,
-     CONN = 263,
-     CA = 264,
-     INCLUDE = 265,
-     FILE_VERSION = 266,
-     STRING = 267
-   };
-#endif
-/* Tokens.  */
-#define EQUAL 258
-#define FIRST_SPACES 259
-#define EOL 260
-#define CONFIG 261
-#define SETUP 262
-#define CONN 263
-#define CA 264
-#define INCLUDE 265
-#define FILE_VERSION 266
-#define STRING 267
-
+/* Using locations.  */
+#define YYLSP_NEEDED 0
 
 
 
 /* Copy the first part of user declarations.  */
+
+/* Line 189 of yacc.c  */
 #line 1 "./parser.y"
 
 /* strongSwan config file parser (parser.y)
@@ -148,6 +122,9 @@ extern kw_entry_t *in_word_set (char *str, unsigned int len);
 
 
 
+/* Line 189 of yacc.c  */
+#line 127 "y.tab.c"
+
 /* Enabling traces.  */
 #ifndef YYDEBUG
 # define YYDEBUG 0
@@ -166,25 +143,63 @@ extern kw_entry_t *in_word_set (char *str, unsigned int len);
 # define YYTOKEN_TABLE 0
 #endif
 
+
+/* Tokens.  */
+#ifndef YYTOKENTYPE
+# define YYTOKENTYPE
+   /* Put the tokens into the symbol table, so that GDB and other debuggers
+      know about them.  */
+   enum yytokentype {
+     EQUAL = 258,
+     FIRST_SPACES = 259,
+     EOL = 260,
+     CONFIG = 261,
+     SETUP = 262,
+     CONN = 263,
+     CA = 264,
+     INCLUDE = 265,
+     FILE_VERSION = 266,
+     STRING = 267
+   };
+#endif
+/* Tokens.  */
+#define EQUAL 258
+#define FIRST_SPACES 259
+#define EOL 260
+#define CONFIG 261
+#define SETUP 262
+#define CONN 263
+#define CA 264
+#define INCLUDE 265
+#define FILE_VERSION 266
+#define STRING 267
+
+
+
+
 #if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED
 typedef union YYSTYPE
+{
+
+/* Line 214 of yacc.c  */
 #line 54 "./parser.y"
-{ char *s; }
-/* Line 187 of yacc.c.  */
-#line 175 "y.tab.c"
-	YYSTYPE;
+ char *s; 
+
+
+/* Line 214 of yacc.c  */
+#line 191 "y.tab.c"
+} YYSTYPE;
+# define YYSTYPE_IS_TRIVIAL 1
 # define yystype YYSTYPE /* obsolescent; will be withdrawn */
 # define YYSTYPE_IS_DECLARED 1
-# define YYSTYPE_IS_TRIVIAL 1
 #endif
 
 
-
 /* Copy the second part of user declarations.  */
 
 
-/* Line 216 of yacc.c.  */
-#line 188 "y.tab.c"
+/* Line 264 of yacc.c  */
+#line 203 "y.tab.c"
 
 #ifdef short
 # undef short
@@ -259,14 +274,14 @@ typedef short int yytype_int16;
 #if (defined __STDC__ || defined __C99__FUNC__ \
      || defined __cplusplus || defined _MSC_VER)
 static int
-YYID (int i)
+YYID (int yyi)
 #else
 static int
-YYID (i)
-    int i;
+YYID (yyi)
+    int yyi;
 #endif
 {
-  return i;
+  return yyi;
 }
 #endif
 
@@ -347,9 +362,9 @@ void free (void *); /* INFRINGES ON USER NAME SPACE */
 /* A type that is properly aligned for any stack member.  */
 union yyalloc
 {
-  yytype_int16 yyss;
-  YYSTYPE yyvs;
-  };
+  yytype_int16 yyss_alloc;
+  YYSTYPE yyvs_alloc;
+};
 
 /* The size of the maximum gap between one aligned stack and the next.  */
 # define YYSTACK_GAP_MAXIMUM (sizeof (union yyalloc) - 1)
@@ -383,12 +398,12 @@ union yyalloc
    elements in the stack, and YYPTR gives the new location of the
    stack.  Advance YYPTR to a properly aligned location for the next
    stack.  */
-# define YYSTACK_RELOCATE(Stack)					\
+# define YYSTACK_RELOCATE(Stack_alloc, Stack)				\
     do									\
       {									\
 	YYSIZE_T yynewbytes;						\
-	YYCOPY (&yyptr->Stack, Stack, yysize);				\
-	Stack = &yyptr->Stack;						\
+	YYCOPY (&yyptr->Stack_alloc, Stack, yysize);			\
+	Stack = &yyptr->Stack_alloc;					\
 	yynewbytes = yystacksize * sizeof (*Stack) + YYSTACK_GAP_MAXIMUM; \
 	yyptr += yynewbytes / sizeof (*yyptr);				\
       }									\
@@ -484,7 +499,7 @@ static const char *const yytname[] =
 {
   "$end", "error", "$undefined", "EQUAL", "FIRST_SPACES", "EOL", "CONFIG",
   "SETUP", "CONN", "CA", "INCLUDE", "FILE_VERSION", "STRING", "$accept",
-  "config_file", "section_or_include", "@1", "@2", "@3", "@4",
+  "config_file", "section_or_include", "$@1", "$@2", "$@3", "$@4",
   "kw_section", "statement_kw", 0
 };
 #endif
@@ -758,17 +773,20 @@ yy_symbol_print (yyoutput, yytype, yyvaluep)
 #if (defined __STDC__ || defined __C99__FUNC__ \
      || defined __cplusplus || defined _MSC_VER)
 static void
-yy_stack_print (yytype_int16 *bottom, yytype_int16 *top)
+yy_stack_print (yytype_int16 *yybottom, yytype_int16 *yytop)
 #else
 static void
-yy_stack_print (bottom, top)
-    yytype_int16 *bottom;
-    yytype_int16 *top;
+yy_stack_print (yybottom, yytop)
+    yytype_int16 *yybottom;
+    yytype_int16 *yytop;
 #endif
 {
   YYFPRINTF (stderr, "Stack now");
-  for (; bottom <= top; ++bottom)
-    YYFPRINTF (stderr, " %d", *bottom);
+  for (; yybottom <= yytop; yybottom++)
+    {
+      int yybot = *yybottom;
+      YYFPRINTF (stderr, " %d", yybot);
+    }
   YYFPRINTF (stderr, "\n");
 }
 
@@ -802,11 +820,11 @@ yy_reduce_print (yyvsp, yyrule)
   /* The symbols being reduced.  */
   for (yyi = 0; yyi < yynrhs; yyi++)
     {
-      fprintf (stderr, "   $%d = ", yyi + 1);
+      YYFPRINTF (stderr, "   $%d = ", yyi + 1);
       yy_symbol_print (stderr, yyrhs[yyprhs[yyrule] + yyi],
 		       &(yyvsp[(yyi + 1) - (yynrhs)])
 		       		       );
-      fprintf (stderr, "\n");
+      YYFPRINTF (stderr, "\n");
     }
 }
 
@@ -1086,10 +1104,8 @@ yydestruct (yymsg, yytype, yyvaluep)
 	break;
     }
 }
-
 
 /* Prevent warnings from -Wmissing-prototypes.  */
-
 #ifdef YYPARSE_PARAM
 #if defined __STDC__ || defined __cplusplus
 int yyparse (void *YYPARSE_PARAM);
@@ -1105,11 +1121,10 @@ int yyparse ();
 #endif /* ! YYPARSE_PARAM */
 
 
-
-/* The look-ahead symbol.  */
+/* The lookahead symbol.  */
 int yychar;
 
-/* The semantic value of the look-ahead symbol.  */
+/* The semantic value of the lookahead symbol.  */
 YYSTYPE yylval;
 
 /* Number of syntax errors so far.  */
@@ -1117,9 +1132,9 @@ int yynerrs;
 
 
 
-/*----------.
-| yyparse.  |
-`----------*/
+/*-------------------------.
+| yyparse or yypush_parse.  |
+`-------------------------*/
 
 #ifdef YYPARSE_PARAM
 #if (defined __STDC__ || defined __C99__FUNC__ \
@@ -1143,66 +1158,68 @@ yyparse ()
 #endif
 #endif
 {
-  
-  int yystate;
-  int yyn;
-  int yyresult;
-  /* Number of tokens to shift before error messages enabled.  */
-  int yyerrstatus;
-  /* Look-ahead token as an internal (translated) token number.  */
-  int yytoken = 0;
-#if YYERROR_VERBOSE
-  /* Buffer for error messages, and its allocated size.  */
-  char yymsgbuf[128];
-  char *yymsg = yymsgbuf;
-  YYSIZE_T yymsg_alloc = sizeof yymsgbuf;
-#endif
 
-  /* Three stacks and their tools:
-     `yyss': related to states,
-     `yyvs': related to semantic values,
-     `yyls': related to locations.
 
-     Refer to the stacks thru separate pointers, to allow yyoverflow
-     to reallocate them elsewhere.  */
+    int yystate;
+    /* Number of tokens to shift before error messages enabled.  */
+    int yyerrstatus;
 
-  /* The state stack.  */
-  yytype_int16 yyssa[YYINITDEPTH];
-  yytype_int16 *yyss = yyssa;
-  yytype_int16 *yyssp;
+    /* The stacks and their tools:
+       `yyss': related to states.
+       `yyvs': related to semantic values.
 
-  /* The semantic value stack.  */
-  YYSTYPE yyvsa[YYINITDEPTH];
-  YYSTYPE *yyvs = yyvsa;
-  YYSTYPE *yyvsp;
+       Refer to the stacks thru separate pointers, to allow yyoverflow
+       to reallocate them elsewhere.  */
 
+    /* The state stack.  */
+    yytype_int16 yyssa[YYINITDEPTH];
+    yytype_int16 *yyss;
+    yytype_int16 *yyssp;
 
+    /* The semantic value stack.  */
+    YYSTYPE yyvsa[YYINITDEPTH];
+    YYSTYPE *yyvs;
+    YYSTYPE *yyvsp;
 
-#define YYPOPSTACK(N)   (yyvsp -= (N), yyssp -= (N))
-
-  YYSIZE_T yystacksize = YYINITDEPTH;
+    YYSIZE_T yystacksize;
 
+  int yyn;
+  int yyresult;
+  /* Lookahead token as an internal (translated) token number.  */
+  int yytoken;
   /* The variables used to return semantic value and location from the
      action routines.  */
   YYSTYPE yyval;
 
+#if YYERROR_VERBOSE
+  /* Buffer for error messages, and its allocated size.  */
+  char yymsgbuf[128];
+  char *yymsg = yymsgbuf;
+  YYSIZE_T yymsg_alloc = sizeof yymsgbuf;
+#endif
+
+#define YYPOPSTACK(N)   (yyvsp -= (N), yyssp -= (N))
 
   /* The number of symbols on the RHS of the reduced rule.
      Keep to zero when no symbol should be popped.  */
   int yylen = 0;
 
+  yytoken = 0;
+  yyss = yyssa;
+  yyvs = yyvsa;
+  yystacksize = YYINITDEPTH;
+
   YYDPRINTF ((stderr, "Starting parse\n"));
 
   yystate = 0;
   yyerrstatus = 0;
   yynerrs = 0;
-  yychar = YYEMPTY;		/* Cause a token to be read.  */
+  yychar = YYEMPTY; /* Cause a token to be read.  */
 
   /* Initialize stack pointers.
      Waste one element of value and location stack
      so that they stay on the same level as the state stack.
      The wasted elements are never initialized.  */
-
   yyssp = yyss;
   yyvsp = yyvs;
 
@@ -1232,7 +1249,6 @@ yyparse ()
 	YYSTYPE *yyvs1 = yyvs;
 	yytype_int16 *yyss1 = yyss;
 
-
 	/* Each stack pointer address is followed by the size of the
 	   data in use in that stack, in bytes.  This used to be a
 	   conditional around just the two extra args, but that might
@@ -1240,7 +1256,6 @@ yyparse ()
 	yyoverflow (YY_("memory exhausted"),
 		    &yyss1, yysize * sizeof (*yyssp),
 		    &yyvs1, yysize * sizeof (*yyvsp),
-
 		    &yystacksize);
 
 	yyss = yyss1;
@@ -1263,9 +1278,8 @@ yyparse ()
 	  (union yyalloc *) YYSTACK_ALLOC (YYSTACK_BYTES (yystacksize));
 	if (! yyptr)
 	  goto yyexhaustedlab;
-	YYSTACK_RELOCATE (yyss);
-	YYSTACK_RELOCATE (yyvs);
-
+	YYSTACK_RELOCATE (yyss_alloc, yyss);
+	YYSTACK_RELOCATE (yyvs_alloc, yyvs);
 #  undef YYSTACK_RELOCATE
 	if (yyss1 != yyssa)
 	  YYSTACK_FREE (yyss1);
@@ -1276,7 +1290,6 @@ yyparse ()
       yyssp = yyss + yysize - 1;
       yyvsp = yyvs + yysize - 1;
 
-
       YYDPRINTF ((stderr, "Stack size increased to %lu\n",
 		  (unsigned long int) yystacksize));
 
@@ -1286,6 +1299,9 @@ yyparse ()
 
   YYDPRINTF ((stderr, "Entering state %d\n", yystate));
 
+  if (yystate == YYFINAL)
+    YYACCEPT;
+
   goto yybackup;
 
 /*-----------.
@@ -1294,16 +1310,16 @@ yyparse ()
 yybackup:
 
   /* Do appropriate processing given the current state.  Read a
-     look-ahead token if we need one and don't already have one.  */
+     lookahead token if we need one and don't already have one.  */
 
-  /* First try to decide what to do without reference to look-ahead token.  */
+  /* First try to decide what to do without reference to lookahead token.  */
   yyn = yypact[yystate];
   if (yyn == YYPACT_NINF)
     goto yydefault;
 
-  /* Not known => get a look-ahead token if don't already have one.  */
+  /* Not known => get a lookahead token if don't already have one.  */
 
-  /* YYCHAR is either YYEMPTY or YYEOF or a valid look-ahead symbol.  */
+  /* YYCHAR is either YYEMPTY or YYEOF or a valid lookahead symbol.  */
   if (yychar == YYEMPTY)
     {
       YYDPRINTF ((stderr, "Reading a token: "));
@@ -1335,20 +1351,16 @@ yybackup:
       goto yyreduce;
     }
 
-  if (yyn == YYFINAL)
-    YYACCEPT;
-
   /* Count tokens shifted since error; after three, turn off error
      status.  */
   if (yyerrstatus)
     yyerrstatus--;
 
-  /* Shift the look-ahead token.  */
+  /* Shift the lookahead token.  */
   YY_SYMBOL_PRINT ("Shifting", yytoken, &yylval, &yylloc);
 
-  /* Discard the shifted token unless it is eof.  */
-  if (yychar != YYEOF)
-    yychar = YYEMPTY;
+  /* Discard the shifted token.  */
+  yychar = YYEMPTY;
 
   yystate = yyn;
   *++yyvsp = yylval;
@@ -1388,6 +1400,8 @@ yyreduce:
   switch (yyn)
     {
         case 4:
+
+/* Line 1455 of yacc.c  */
 #line 71 "./parser.y"
     {
 		free((yyvsp[(2) - (3)].s));
@@ -1395,6 +1409,8 @@ yyreduce:
     break;
 
   case 5:
+
+/* Line 1455 of yacc.c  */
 #line 75 "./parser.y"
     {
 		_parser_kw = &(_parser_cfg->config_setup);
@@ -1403,6 +1419,8 @@ yyreduce:
     break;
 
   case 7:
+
+/* Line 1455 of yacc.c  */
 #line 80 "./parser.y"
     {
 		section_list_t *section = malloc_thing(section_list_t);
@@ -1422,6 +1440,8 @@ yyreduce:
     break;
 
   case 9:
+
+/* Line 1455 of yacc.c  */
 #line 96 "./parser.y"
     {
 		section_list_t *section = malloc_thing(section_list_t);
@@ -1440,6 +1460,8 @@ yyreduce:
     break;
 
   case 11:
+
+/* Line 1455 of yacc.c  */
 #line 111 "./parser.y"
     {
 		extern void _parser_y_include (const char *f);
@@ -1449,6 +1471,8 @@ yyreduce:
     break;
 
   case 16:
+
+/* Line 1455 of yacc.c  */
 #line 126 "./parser.y"
     {
 		kw_list_t  *new;
@@ -1477,6 +1501,8 @@ yyreduce:
     break;
 
   case 17:
+
+/* Line 1455 of yacc.c  */
 #line 151 "./parser.y"
     {
 		free((yyvsp[(1) - (2)].s));
@@ -1484,8 +1510,9 @@ yyreduce:
     break;
 
 
-/* Line 1267 of yacc.c.  */
-#line 1489 "y.tab.c"
+
+/* Line 1455 of yacc.c  */
+#line 1516 "y.tab.c"
       default: break;
     }
   YY_SYMBOL_PRINT ("-> $$ =", yyr1[yyn], &yyval, &yyloc);
@@ -1496,7 +1523,6 @@ yyreduce:
 
   *++yyvsp = yyval;
 
-
   /* Now `shift' the result of the reduction.  Determine what state
      that goes to, based on the state we popped back to and the rule
      number reduced by.  */
@@ -1561,7 +1587,7 @@ yyerrlab:
 
   if (yyerrstatus == 3)
     {
-      /* If just tried and failed to reuse look-ahead token after an
+      /* If just tried and failed to reuse lookahead token after an
 	 error, discard it.  */
 
       if (yychar <= YYEOF)
@@ -1578,7 +1604,7 @@ yyerrlab:
 	}
     }
 
-  /* Else will try to reuse look-ahead token after shifting the error
+  /* Else will try to reuse lookahead token after shifting the error
      token.  */
   goto yyerrlab1;
 
@@ -1635,9 +1661,6 @@ yyerrlab1:
       YY_STACK_PRINT (yyss, yyssp);
     }
 
-  if (yyn == YYFINAL)
-    YYACCEPT;
-
   *++yyvsp = yylval;
 
 
@@ -1662,7 +1685,7 @@ yyabortlab:
   yyresult = 1;
   goto yyreturn;
 
-#ifndef yyoverflow
+#if !defined(yyoverflow) || YYERROR_VERBOSE
 /*-------------------------------------------------.
 | yyexhaustedlab -- memory exhaustion comes here.  |
 `-------------------------------------------------*/
@@ -1673,7 +1696,7 @@ yyexhaustedlab:
 #endif
 
 yyreturn:
-  if (yychar != YYEOF && yychar != YYEMPTY)
+  if (yychar != YYEMPTY)
      yydestruct ("Cleanup: discarding lookahead",
 		 yytoken, &yylval);
   /* Do not reclaim the symbols of the rule which action triggered
@@ -1699,24 +1722,25 @@ yyreturn:
 }
 
 
+
+/* Line 1675 of yacc.c  */
 #line 157 "./parser.y"
 
 
-void
-yyerror(const char *s)
+void yyerror(const char *s)
 {
 	if (_save_errors_)
 		_parser_y_error(parser_errstring, ERRSTRING_LEN, s);
 }
 
-config_parsed_t *
-parser_load_conf(const char *file)
+config_parsed_t *parser_load_conf(const char *file)
 {
 	config_parsed_t *cfg = NULL;
 	int err = 0;
 	FILE *f;
 
-	extern void _parser_y_init (const char *f);
+	extern void _parser_y_init(const char *f);
+	extern void _parser_y_fini(void);
 	extern FILE *yyin;
 
 	memset(parser_errstring, 0, ERRSTRING_LEN+1);
@@ -1777,11 +1801,11 @@ parser_load_conf(const char *file)
 		cfg = NULL;
 	}
 
+	_parser_y_fini();
 	return cfg;
 }
 
-static void
-parser_free_kwlist(kw_list_t *list)
+static void parser_free_kwlist(kw_list_t *list)
 {
 	kw_list_t *elt;
 
@@ -1794,8 +1818,7 @@ parser_free_kwlist(kw_list_t *list)
 	}
 }
 
-void
-parser_free_conf(config_parsed_t *cfg)
+void parser_free_conf(config_parsed_t *cfg)
 {
 	section_list_t *sec;
 	if (cfg)
diff --git a/src/starter/y.tab.h b/src/starter/y.tab.h
index 871de1e97..caf6ea172 100644
--- a/src/starter/y.tab.h
+++ b/src/starter/y.tab.h
@@ -1,24 +1,23 @@
-/* A Bison parser, made by GNU Bison 2.3.  */
 
-/* Skeleton interface for Bison's Yacc-like parsers in C
+/* A Bison parser, made by GNU Bison 2.4.1.  */
 
-   Copyright (C) 1984, 1989, 1990, 2000, 2001, 2002, 2003, 2004, 2005, 2006
+/* Skeleton interface for Bison's Yacc-like parsers in C
+   
+      Copyright (C) 1984, 1989, 1990, 2000, 2001, 2002, 2003, 2004, 2005, 2006
    Free Software Foundation, Inc.
-
-   This program is free software; you can redistribute it and/or modify
+   
+   This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
-   the Free Software Foundation; either version 2, or (at your option)
-   any later version.
-
+   the Free Software Foundation, either version 3 of the License, or
+   (at your option) any later version.
+   
    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.
-
+   
    You should have received a copy of the GNU General Public License
-   along with this program; if not, write to the Free Software
-   Foundation, Inc., 51 Franklin Street, Fifth Floor,
-   Boston, MA 02110-1301, USA.  */
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.  */
 
 /* As a special exception, you may create a larger work that contains
    part or all of the Bison parser skeleton and distribute that work
@@ -29,10 +28,11 @@
    special exception, which will cause the skeleton and the resulting
    Bison output files to be licensed under the GNU General Public
    License without this special exception.
-
+   
    This special exception was added by the Free Software Foundation in
    version 2.2 of Bison.  */
 
+
 /* Tokens.  */
 #ifndef YYTOKENTYPE
 # define YYTOKENTYPE
@@ -68,15 +68,21 @@
 
 #if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED
 typedef union YYSTYPE
+{
+
+/* Line 1676 of yacc.c  */
 #line 54 "./parser.y"
-{ char *s; }
-/* Line 1489 of yacc.c.  */
-#line 75 "y.tab.h"
-	YYSTYPE;
+ char *s; 
+
+
+/* Line 1676 of yacc.c  */
+#line 80 "y.tab.h"
+} YYSTYPE;
+# define YYSTYPE_IS_TRIVIAL 1
 # define yystype YYSTYPE /* obsolescent; will be withdrawn */
 # define YYSTYPE_IS_DECLARED 1
-# define YYSTYPE_IS_TRIVIAL 1
 #endif
 
 extern YYSTYPE yylval;
 
+
diff --git a/src/stroke/Makefile.in b/src/stroke/Makefile.in
index 82f2be13d..4353928b5 100644
--- a/src/stroke/Makefile.in
+++ b/src/stroke/Makefile.in
@@ -197,6 +197,7 @@ ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libhydra_plugins = @libhydra_plugins@
 libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
diff --git a/src/stroke/stroke.c b/src/stroke/stroke.c
index 955e49535..4fa0f76a8 100644
--- a/src/stroke/stroke.c
+++ b/src/stroke/stroke.c
@@ -27,6 +27,8 @@
 #include <stddef.h>
 #include <string.h>
 
+#include <library.h>
+
 #include "stroke_msg.h"
 #include "stroke_keywords.h"
 
@@ -96,7 +98,7 @@ static int send_stroke_msg (stroke_msg_t *msg)
 		{
 			if (fgets(buffer, sizeof(buffer), stdin))
 			{
-				if (write(sock, buffer, strlen(buffer)));
+				ignore_result(write(sock, buffer, strlen(buffer)));
 			}
 		}
 	}
@@ -129,11 +131,13 @@ static int add_connection(char *name,
 
 	msg.add_conn.me.id = push_string(&msg, my_id);
 	msg.add_conn.me.address = push_string(&msg, my_addr);
+	msg.add_conn.me.ikeport = 500;
 	msg.add_conn.me.subnets = push_string(&msg, my_nets);
 	msg.add_conn.me.sendcert = 1;
 
 	msg.add_conn.other.id = push_string(&msg, other_id);
 	msg.add_conn.other.address = push_string(&msg, other_addr);
+	msg.add_conn.other.ikeport = 500;
 	msg.add_conn.other.subnets = push_string(&msg, other_nets);
 	msg.add_conn.other.sendcert = 1;
 
@@ -355,6 +359,9 @@ int main(int argc, char *argv[])
 	const stroke_token_t *token;
 	int res = 0;
 
+	library_init(NULL);
+	atexit(library_deinit);
+
 	if (argc < 2)
 	{
 		exit_usage(NULL);
diff --git a/src/stroke/stroke_msg.h b/src/stroke/stroke_msg.h
index 56a7a158f..ffc67039e 100644
--- a/src/stroke/stroke_msg.h
+++ b/src/stroke/stroke_msg.h
@@ -137,6 +137,7 @@ struct stroke_end_t {
 	char *groups;
 	char *updown;
 	char *address;
+	u_int16_t ikeport;
 	char *sourceip;
 	int sourceip_mask;
 	char *subnets;
diff --git a/src/whack/Makefile.in b/src/whack/Makefile.in
index eb6238d80..098e5110e 100644
--- a/src/whack/Makefile.in
+++ b/src/whack/Makefile.in
@@ -196,6 +196,7 @@ ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libhydra_plugins = @libhydra_plugins@
 libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
diff --git a/src/whack/whack.c b/src/whack/whack.c
index c458d6760..5f986108b 100644
--- a/src/whack/whack.c
+++ b/src/whack/whack.c
@@ -185,6 +185,10 @@ static void help(void)
 			" [--debug-private]"
 			"\n\n"
 #endif
+		"leases: whack --leases"
+			" [--name <connection_name>]"
+			" [--lease-addr <ip-address> | --lease-id <identity>]"
+			"\n\n"
 		"listen: whack"
 			" (--listen | --unlisten)"
 			"\n\n"
@@ -322,6 +326,10 @@ enum {
 	OPT_LISTEN,
 	OPT_UNLISTEN,
 
+	OPT_LEASES,
+	OPT_LEASEADDR,
+	OPT_LEASEID,
+
 	OPT_PURGEOCSP,
 
 	OPT_REREADSECRETS,
@@ -519,6 +527,10 @@ static const struct option long_opts[] = {
 	{ "listen", no_argument, NULL, OPT_LISTEN + OO },
 	{ "unlisten", no_argument, NULL, OPT_UNLISTEN + OO },
 
+	{ "leases", no_argument, NULL, OPT_LEASES + OO },
+	{ "lease-addr", required_argument, NULL, OPT_LEASEADDR + OO },
+	{ "lease-id", required_argument, NULL, OPT_LEASEID + OO },
+
 	{ "purgeocsp", no_argument, NULL, OPT_PURGEOCSP + OO },
 
 	{ "rereadsecrets", no_argument, NULL, OPT_REREADSECRETS + OO },
@@ -1103,6 +1115,18 @@ int main(int argc, char **argv)
 				diagq("0.0.0.0 or 0::0 isn't a valid client address", optarg);
 			continue;
 
+		case OPT_LEASES:        /* --leases */
+			msg.whack_leases = TRUE;
+			continue;
+
+		case OPT_LEASEADDR:     /* --lease-addr <ip-address> */
+			msg.whack_lease_ip = optarg;      /* decoded by Pluto */
+			continue;
+
+		case OPT_LEASEID:       /* --lease-id <identity> */
+			msg.whack_lease_id = optarg;      /* decoded by Pluto */
+			continue;
+
 		case OPT_LISTEN:        /* --listen */
 			msg.whack_listen = TRUE;
 			continue;
@@ -1618,6 +1642,12 @@ int main(int argc, char **argv)
 		break;
 	}
 
+	/* check leases */
+	if (LHAS(opts_seen, OPT_LEASEADDR) && LHAS(opts_seen, OPT_LEASEID))
+	{
+		diag("--lease-addr and --lease-id cannot be used together");
+	}
+
 	/* check connection description */
 	if (LHAS(opts_seen, OPT_CD))
 	{
@@ -1682,7 +1712,7 @@ int main(int argc, char **argv)
 		if (!LHAS(opts_seen, OPT_NAME) && !msg.whack_ca)
 			diag("missing --name <connection_name>");
 	}
-	else if (!msg.whack_options && !msg.whack_status)
+	else if (!msg.whack_options && !msg.whack_status && !msg.whack_leases)
 	{
 		if (LHAS(opts_seen, OPT_NAME))
 			diag("no reason for --name");
@@ -1698,9 +1728,10 @@ int main(int argc, char **argv)
 	|| msg.whack_delete || msg.whack_deletestate
 	|| msg.whack_initiate || msg.whack_oppo_initiate || msg.whack_terminate
 	|| msg.whack_route || msg.whack_unroute || msg.whack_listen
-	|| msg.whack_unlisten || msg.whack_list || msg.whack_purgeocsp || msg.whack_reread
-	|| msg.whack_ca || msg.whack_status || msg.whack_options || msg.whack_shutdown
-	|| msg.whack_sc_op))
+	|| msg.whack_unlisten || msg.whack_list || msg.whack_purgeocsp
+	|| msg.whack_reread || msg.whack_ca || msg.whack_status
+	|| msg.whack_options || msg.whack_shutdown || msg.whack_sc_op
+	|| msg.whack_leases))
 	{
 		diag("no action specified; try --help for hints");
 	}
@@ -1771,6 +1802,8 @@ int main(int argc, char **argv)
 	||  !pack_str(&msg.ike)              /* string 24 */
 	||  !pack_str(&msg.esp)              /* string 25 */
 	||  !pack_str(&msg.sc_data)          /* string 26 */
+	||  !pack_str(&msg.whack_lease_ip)   /* string 27 */
+	||  !pack_str(&msg.whack_lease_id)   /* string 28 */
 	||  str_roof - next_str < (ptrdiff_t)msg.keyval.len)
 		diag("too many bytes of strings to fit in message to pluto");
 
diff --git a/src/whack/whack.h b/src/whack/whack.h
index 3f66a7b4f..b495d3489 100644
--- a/src/whack/whack.h
+++ b/src/whack/whack.h
@@ -65,7 +65,7 @@ struct whack_end {
 	int   sourceip_mask;
 	ip_address host_addr;
 	ip_address host_nexthop;
-	ip_address host_srcip;	
+	ip_address host_srcip;
 	ip_subnet client;
 	bool key_from_DNS_on_demand;
 	bool has_client;
@@ -177,6 +177,10 @@ struct whack_message {
 	bool whack_deletestate;
 	so_serial_t whack_deletestateno;
 
+	/* for WHACK_LEASES: */
+	bool whack_leases;
+	char *whack_lease_ip, *whack_lease_id;
+
 	/* for WHACK_LISTEN: */
 	bool whack_listen, whack_unlisten;
 
diff --git a/testing/Makefile.in b/testing/Makefile.in
index 6a5fd31f2..c60f9b2ea 100644
--- a/testing/Makefile.in
+++ b/testing/Makefile.in
@@ -175,6 +175,7 @@ ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libhydra_plugins = @libhydra_plugins@
 libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
diff --git a/testing/do-tests.in b/testing/do-tests.in
index 7dbb5487a..2a869515d 100755
--- a/testing/do-tests.in
+++ b/testing/do-tests.in
@@ -348,7 +348,7 @@ do
 	    do
 		host=`echo $host_iface | awk -F ":" '{print $1}'`
 		iface=`echo $host_iface | awk -F ":" '{if ($2 != "") { print $2 } else { printf("eth0") }}'`
-		tcpdump_cmd="tcpdump -i $iface not port ssh and not port domain and not arp > /tmp/tcpdump.log 2>&1 &"
+		tcpdump_cmd="tcpdump -i $iface not port ssh and not port domain > /tmp/tcpdump.log 2>&1 &"
 		echo "${host}# $tcpdump_cmd" >> $CONSOLE_LOG
 		ssh root@`eval echo \\\$ipv4_$host '$tcpdump_cmd'`
 		eval TDUP_${host}="true"
diff --git a/testing/hosts/default/etc/hosts b/testing/hosts/default/etc/hosts
index 7d343d857..fb07a2f6e 100644
--- a/testing/hosts/default/etc/hosts
+++ b/testing/hosts/default/etc/hosts
@@ -14,6 +14,10 @@
 
 10.1.0.10	alice.strongswan.org	alice
 10.1.0.20	venus.strongswan.org	venus
+10.1.0.30	carol2.strongswan.org	carol2
+10.1.0.40	dave2.strongswan.org	dave2
+10.1.0.50	carol3.strongswan.org	carol3
+10.1.0.51	dave3.strongswan.org	dave3
 10.1.0.1	moon1.strongswan.org	moon1
 192.168.0.1	moon.strongswan.org	moon
 192.168.0.50	alice1.strongswan.org	alice1
diff --git a/testing/hosts/default/etc/ipsec.d/tables.sql b/testing/hosts/default/etc/ipsec.d/tables.sql
index a7c5f1d81..0e880826d 100644
--- a/testing/hosts/default/etc/ipsec.d/tables.sql
+++ b/testing/hosts/default/etc/ipsec.d/tables.sql
@@ -197,9 +197,9 @@ CREATE TABLE ike_sas (
   id INTEGER NOT NULL,
   initiator INTEGER NOT NULL,
   local_id_type INTEGER NOT NULL,
-  local_id_data BLOB NOT NULL,
+  local_id_data BLOB DEFAULT NULL,
   remote_id_type INTEGER NOT NULL,
-  remote_id_data BLOB NOT NULL,
+  remote_id_data BLOB DEFAULT NULL,
   host_family INTEGER NOT NULL,
   local_host_data BLOB NOT NULL,
   remote_host_data BLOB NOT NULL,
diff --git a/testing/hosts/winnetou/etc/openssl/index.txt b/testing/hosts/winnetou/etc/openssl/index.txt
index abdbb857b..58a88a3cb 100644
--- a/testing/hosts/winnetou/etc/openssl/index.txt
+++ b/testing/hosts/winnetou/etc/openssl/index.txt
@@ -8,11 +8,11 @@ R	090909112548Z	041226135423Z,keyCompromise	07	unknown	/C=CH/O=Linux strongSwan/
 R	090909112651Z	090827094754Z,superseded	08	unknown	/C=CH/O=Linux strongSwan/OU=Accounting/CN=dave@strongswan.org
 R	091118162928Z	091124124946Z,superseded	09	unknown	/C=CH/O=Linux strongSwan/OU=OCSP Signing Authority/CN=ocsp.strongswan.org
 R	091231214318Z	090827113123Z,superseded	0A	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org
-V	100216084430Z		0B	unknown	/C=CH/O=Linux strongSwan/OU=Authorization Authority/CN=aa@strongswan.org
+R	100216084430Z	100227205840Z,superseded	0B	unknown	/C=CH/O=Linux strongSwan/OU=Authorization Authority/CN=aa@strongswan.org
 R	140321062536Z	050621195214Z,CACompromise	0C	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=Research CA
-V	140321062916Z		0D	unknown	/C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA
+R	140321062916Z	100406094423Z,superseded	0D	unknown	/C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA
 R	100607191714Z	070427213122Z,superseded	0E	unknown	/C=CH/O=Linux strongSwan/CN=winnetou.strongswan.org
-V	100620195806Z		0F	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=Research CA
+R	100620195806Z	100406093001Z,superseded	0F	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=Research CA
 V	111007105811Z		10	unknown	/C=CH/O=Linux strongSwan/OU=SHA-256/CN=moon.strongswan.org
 V	111007121250Z		11	unknown	/C=CH/O=Linux strongSwan/OU=SHA-384/CN=carol@strongswan.org
 V	111007122112Z		12	unknown	/C=CH/O=Linux strongSwan/OU=SHA-512/CN=dave@strongswan.org
@@ -28,3 +28,6 @@ R	140826103106Z	090827103405Z,keyCompromise	1B	unknown	/C=CH/O=Linux strongSwan/
 V	140826103739Z		1C	unknown	/C=CH/O=Linux strongSwan/OU=Accounting/CN=dave@strongswan.org
 V	140826104451Z		1D	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org
 V	141123125153Z		1E	unknown	/C=CH/O=Linux strongSwan/OU=OCSP Signing Authority/CN=ocsp.strongswan.org
+V	150226210530Z		1F	unknown	/C=CH/O=Linux strongSwan/OU=Authorization Authority/CN=aa@strongswan.org
+V	190404095350Z		20	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=Research CA
+V	190404095433Z		21	unknown	/C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA
diff --git a/testing/hosts/winnetou/etc/openssl/index.txt.old b/testing/hosts/winnetou/etc/openssl/index.txt.old
index 67a737e0e..5fd137735 100644
--- a/testing/hosts/winnetou/etc/openssl/index.txt.old
+++ b/testing/hosts/winnetou/etc/openssl/index.txt.old
@@ -8,11 +8,11 @@ R	090909112548Z	041226135423Z,keyCompromise	07	unknown	/C=CH/O=Linux strongSwan/
 R	090909112651Z	090827094754Z,superseded	08	unknown	/C=CH/O=Linux strongSwan/OU=Accounting/CN=dave@strongswan.org
 R	091118162928Z	091124124946Z,superseded	09	unknown	/C=CH/O=Linux strongSwan/OU=OCSP Signing Authority/CN=ocsp.strongswan.org
 R	091231214318Z	090827113123Z,superseded	0A	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org
-V	100216084430Z		0B	unknown	/C=CH/O=Linux strongSwan/OU=Authorization Authority/CN=aa@strongswan.org
+R	100216084430Z	100227205840Z,superseded	0B	unknown	/C=CH/O=Linux strongSwan/OU=Authorization Authority/CN=aa@strongswan.org
 R	140321062536Z	050621195214Z,CACompromise	0C	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=Research CA
-V	140321062916Z		0D	unknown	/C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA
+R	140321062916Z	100406094423Z,superseded	0D	unknown	/C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA
 R	100607191714Z	070427213122Z,superseded	0E	unknown	/C=CH/O=Linux strongSwan/CN=winnetou.strongswan.org
-V	100620195806Z		0F	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=Research CA
+R	100620195806Z	100406093001Z,superseded	0F	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=Research CA
 V	111007105811Z		10	unknown	/C=CH/O=Linux strongSwan/OU=SHA-256/CN=moon.strongswan.org
 V	111007121250Z		11	unknown	/C=CH/O=Linux strongSwan/OU=SHA-384/CN=carol@strongswan.org
 V	111007122112Z		12	unknown	/C=CH/O=Linux strongSwan/OU=SHA-512/CN=dave@strongswan.org
@@ -27,3 +27,6 @@ V	140826100818Z		1A	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=bob@strongsw
 R	140826103106Z	090827103405Z,keyCompromise	1B	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org
 V	140826103739Z		1C	unknown	/C=CH/O=Linux strongSwan/OU=Accounting/CN=dave@strongswan.org
 V	140826104451Z		1D	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org
+V	141123125153Z		1E	unknown	/C=CH/O=Linux strongSwan/OU=OCSP Signing Authority/CN=ocsp.strongswan.org
+V	150226210530Z		1F	unknown	/C=CH/O=Linux strongSwan/OU=Authorization Authority/CN=aa@strongswan.org
+V	190404095350Z		20	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=Research CA
diff --git a/testing/hosts/winnetou/etc/openssl/newcerts/1F.pem b/testing/hosts/winnetou/etc/openssl/newcerts/1F.pem
new file mode 100644
index 000000000..61d1c34e2
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/newcerts/1F.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEKjCCAxKgAwIBAgIBHzANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTEwMDIyNzIxMDUzMFoXDTE1MDIyNjIxMDUzMFowZjELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xIDAeBgNVBAsTF0F1dGhv
+cml6YXRpb24gQXV0aG9yaXR5MRowGAYDVQQDFBFhYUBzdHJvbmdzd2FuLm9yZzCC
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKw0NWg8FpkrWoItNzexEiaS
+dESF+blw2+2y51vVmbDk9edfJcjkzBNIEvY/0GXODmcthjExiTNgmNuCdQwapCHx
+p39HaD902rzmvflI40dZTmlFcn0Pp41wNbvjVaOpn7f6Mov68YmsoLQr47+OU6sn
+d3c8rx+BXO4g6YyRB0xpwB2kfO34FZh7FwOe4sVAJu5E7urK0hij2W1+adZNFg7K
+SP2i7llfooxWpS+6Vi6ZjuJ/dcGyvXpXnr0H2x58sZeaB5n8Ay+mhPDX72xXfwEm
+s7fztkhqmmix2TVEH96dR99ouCENF1Cm8OCbR1kkhWReL6P0tCbirbwFbZxKtOUC
+AwEAAaOCAQIwgf8wCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFEvO
+LmT1B7kU0IJsJtK+0nZMwxXgMG0GA1UdIwRmMGSAFF2n3XAGUTJ+57Zts7Xl4GDq
+Lk3voUmkRzBFMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dh
+bjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBSb290IENBggEAMBwGA1UdEQQVMBOBEWFh
+QHN0cm9uZ3N3YW4ub3JnMDkGA1UdHwQyMDAwLqAsoCqGKGh0dHA6Ly9jcmwuc3Ry
+b25nc3dhbi5vcmcvc3Ryb25nc3dhbi5jcmwwDQYJKoZIhvcNAQELBQADggEBAI2K
+atqWeSWcxmcylrBJXkXDOsZtFZAE/kGWD5+T/lDFzE5D0GeDWfHehojtooWGpnL3
+u7xo3h3+qVliYcCFy1zKtPE0lwkBWKFPSw4UNfOmaF4De6Tp1V6FSQE9JPNpcTL/
+aPWFkX69Py8elR8OIsXPlFtOfTbtjZxoGuLNn7BX1XjctG5iIhKs/3TVMdzcyjVL
+wKiDE1xq8/Es2pPTgvF8jk7VcNyIGhrlj1IYq35h0RKTSXTCRlczf+lzoPo6Duov
+G0r/8VLpI4bBmKN4cIvaRCa4zew8SWpJzg/06zm2QT8eEJVVB499usVf9OVS3Qa5
+8mcNXcKmqcyP2Tlnvbo=
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/newcerts/20.pem b/testing/hosts/winnetou/etc/openssl/newcerts/20.pem
new file mode 100644
index 000000000..d51918e89
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/newcerts/20.pem
@@ -0,0 +1,84 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 32 (0x20)
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=CH, O=Linux strongSwan, CN=strongSwan Root CA
+        Validity
+            Not Before: Apr  6 09:53:50 2010 GMT
+            Not After : Apr  4 09:53:50 2019 GMT
+        Subject: C=CH, O=Linux strongSwan, OU=Research, CN=Research CA
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+            RSA Public Key: (2048 bit)
+                Modulus (2048 bit):
+                    00:b6:39:b2:3a:a6:e0:07:5b:58:a7:3f:4f:b2:5a:
+                    85:6a:72:f7:1b:5d:3d:b1:e7:80:13:7a:95:b9:e9:
+                    61:a1:df:af:19:c6:b2:f9:83:14:21:59:1c:27:7b:
+                    7a:04:6a:43:f0:2e:24:71:dc:12:fd:c3:51:d7:c9:
+                    59:60:32:a5:59:d4:bd:d9:5c:a7:9f:21:06:3a:71:
+                    7d:33:d7:3f:d2:03:07:1c:d0:69:0c:94:ce:c1:31:
+                    20:65:8e:55:46:36:7b:bc:49:e4:12:81:9d:75:64:
+                    a2:4d:e1:b5:8e:07:af:51:9d:a8:d8:7e:dc:b1:26:
+                    6d:e8:09:06:78:13:45:24:71:e0:f2:89:e7:81:4e:
+                    fd:be:fc:2d:4c:c1:fa:b3:31:af:3c:70:fe:59:c8:
+                    f2:31:26:02:d2:a5:ba:04:3b:73:d6:ae:31:e1:42:
+                    cf:e3:66:95:27:e7:4a:85:a1:1c:de:6a:9b:ed:22:
+                    34:ac:b4:0b:ed:b9:22:e1:3c:36:af:a2:de:3b:41:
+                    88:8f:01:c0:1a:87:63:7b:b6:22:e7:e5:52:1f:4d:
+                    73:d7:7f:47:ab:c6:b1:13:cc:1e:cd:f4:5f:51:da:
+                    fe:6d:14:83:8f:78:fb:0c:2a:c1:f1:01:65:18:f3:
+                    c4:c9:8c:17:fd:52:1b:82:35:13:74:c3:38:9d:ec:
+                    ae:39
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+            X509v3 Key Usage: 
+                Certificate Sign, CRL Sign
+            X509v3 Subject Key Identifier: 
+                E7:75:F0:A0:F2:AD:20:CD:CD:60:23:CC:C7:C8:0F:29:F3:DD:54:20
+            X509v3 Authority Key Identifier: 
+                keyid:5D:A7:DD:70:06:51:32:7E:E7:B6:6D:B3:B5:E5:E0:60:EA:2E:4D:EF
+                DirName:/C=CH/O=Linux strongSwan/CN=strongSwan Root CA
+                serial:00
+
+    Signature Algorithm: sha256WithRSAEncryption
+        8d:6d:a1:6d:1b:2d:cc:81:5c:0a:32:15:e2:ca:1b:2e:12:89:
+        b7:0d:05:9b:3f:ae:80:a1:73:05:1a:bf:47:e8:c8:b7:42:60:
+        c6:05:28:47:87:38:bb:c8:b1:32:23:89:fa:58:e0:c3:f2:dd:
+        20:60:43:95:e9:72:ce:6f:38:5c:16:f7:b8:cc:e9:87:c1:ca:
+        a8:f1:e3:ee:ea:4c:1a:8e:68:b3:17:05:b7:89:dc:b2:30:43:
+        22:62:ae:9a:87:67:39:6c:3a:c7:1c:87:10:a3:70:c0:0c:3c:
+        e0:46:99:68:e9:74:ea:94:2e:82:e5:c1:7f:44:16:10:40:da:
+        b1:19:07:58:9a:9a:06:d4:27:93:39:79:13:44:b9:b9:bc:c5:
+        1e:81:6b:0f:f4:39:1c:ff:b6:df:ad:c4:2f:63:c5:c8:c7:a0:
+        99:ce:15:5d:2c:b3:b5:ec:dd:dd:f6:3e:a8:6f:28:68:01:c6:
+        35:4b:67:2a:b7:cc:3f:eb:30:6d:b1:5d:5c:8a:3d:4e:3a:cd:
+        e9:4c:08:fd:54:76:c3:3a:da:d2:f5:73:00:22:e2:ca:24:6b:
+        4d:86:42:b3:ff:af:00:61:1e:dd:b6:6c:93:0d:e2:03:6c:e4:
+        d4:af:85:37:63:8e:0c:15:63:32:ee:eb:72:05:60:1b:d6:f2:
+        c1:66:89:92
+-----BEGIN CERTIFICATE-----
+MIIDwTCCAqmgAwIBAgIBIDANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTEwMDQwNjA5NTM1MFoXDTE5MDQwNDA5NTM1MFowUTELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
+cmNoMRQwEgYDVQQDEwtSZXNlYXJjaCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBALY5sjqm4AdbWKc/T7JahWpy9xtdPbHngBN6lbnpYaHfrxnGsvmD
+FCFZHCd7egRqQ/AuJHHcEv3DUdfJWWAypVnUvdlcp58hBjpxfTPXP9IDBxzQaQyU
+zsExIGWOVUY2e7xJ5BKBnXVkok3htY4Hr1GdqNh+3LEmbegJBngTRSRx4PKJ54FO
+/b78LUzB+rMxrzxw/lnI8jEmAtKlugQ7c9auMeFCz+NmlSfnSoWhHN5qm+0iNKy0
+C+25IuE8Nq+i3jtBiI8BwBqHY3u2IuflUh9Nc9d/R6vGsRPMHs30X1Ha/m0Ug494
++wwqwfEBZRjzxMmMF/1SG4I1E3TDOJ3srjkCAwEAAaOBrzCBrDAPBgNVHRMBAf8E
+BTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU53XwoPKtIM3NYCPMx8gPKfPd
+VCAwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNV
+BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJv
+bmdTd2FuIFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQELBQADggEBAI1toW0bLcyBXAoy
+FeLKGy4SibcNBZs/roChcwUav0foyLdCYMYFKEeHOLvIsTIjifpY4MPy3SBgQ5Xp
+cs5vOFwW97jM6YfByqjx4+7qTBqOaLMXBbeJ3LIwQyJirpqHZzlsOscchxCjcMAM
+POBGmWjpdOqULoLlwX9EFhBA2rEZB1iamgbUJ5M5eRNEubm8xR6Baw/0ORz/tt+t
+xC9jxcjHoJnOFV0ss7Xs3d32PqhvKGgBxjVLZyq3zD/rMG2xXVyKPU46zelMCP1U
+dsM62tL1cwAi4soka02GQrP/rwBhHt22bJMN4gNs5NSvhTdjjgwVYzLu63IFYBvW
+8sFmiZI=
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/newcerts/21.pem b/testing/hosts/winnetou/etc/openssl/newcerts/21.pem
new file mode 100644
index 000000000..965543286
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/newcerts/21.pem
@@ -0,0 +1,83 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 33 (0x21)
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=CH, O=Linux strongSwan, CN=strongSwan Root CA
+        Validity
+            Not Before: Apr  6 09:54:33 2010 GMT
+            Not After : Apr  4 09:54:33 2019 GMT
+        Subject: C=CH, O=Linux strongSwan, OU=Sales, CN=Sales CA
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+            RSA Public Key: (2048 bit)
+                Modulus (2048 bit):
+                    00:c2:4e:4d:26:99:8c:37:b9:51:1f:a1:25:ba:1d:
+                    70:4e:34:58:1c:56:9b:ea:f4:16:20:fe:14:b7:36:
+                    73:48:47:fd:07:16:9b:55:df:aa:77:3d:a9:a3:cf:
+                    1a:8c:4e:d8:17:f0:5e:01:44:1d:f3:9d:43:31:c6:
+                    ba:d8:61:b2:f7:4c:3e:49:96:3f:56:77:b8:3a:f0:
+                    b1:ca:ab:98:bc:aa:e0:92:3c:ed:ec:52:7a:7d:60:
+                    82:60:95:12:26:f9:e5:3e:1f:37:1a:d3:20:62:5a:
+                    a1:ee:89:9f:db:fd:67:01:b6:07:e5:2b:de:71:40:
+                    ff:07:5c:91:27:6a:27:17:3a:5c:bf:43:29:c4:64:
+                    dd:3c:59:b6:ff:52:b8:37:ed:13:d1:bb:f3:b3:ba:
+                    3c:94:b2:7f:25:18:86:57:73:d4:46:5e:e4:f4:ec:
+                    52:80:1b:04:9d:03:0d:72:71:df:9e:b6:90:3b:5f:
+                    41:dc:1e:cd:ab:74:2c:0c:8e:b1:56:9b:62:af:f4:
+                    1b:f7:c1:67:02:cb:7a:be:2a:18:5d:be:dc:2b:2f:
+                    3f:b8:cd:5e:78:51:61:e4:af:db:ee:22:da:60:23:
+                    81:b0:51:23:50:37:8a:aa:14:dc:da:b5:bc:f0:2a:
+                    ce:b7:a4:38:8f:d1:57:d1:eb:7b:d2:f5:af:c5:f5:
+                    74:81
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+            X509v3 Key Usage: 
+                Certificate Sign, CRL Sign
+            X509v3 Subject Key Identifier: 
+                5F:9B:13:46:F9:20:72:C8:00:D5:88:B5:A7:4C:2E:97:EA:0B:93:28
+            X509v3 Authority Key Identifier: 
+                keyid:5D:A7:DD:70:06:51:32:7E:E7:B6:6D:B3:B5:E5:E0:60:EA:2E:4D:EF
+                DirName:/C=CH/O=Linux strongSwan/CN=strongSwan Root CA
+                serial:00
+
+    Signature Algorithm: sha256WithRSAEncryption
+        24:65:4e:a5:cc:8c:7c:bb:af:ba:d6:9e:af:f4:f7:21:67:4d:
+        de:9d:fb:2e:8a:90:78:fd:92:f6:12:03:9a:bb:c5:87:66:3f:
+        72:38:f9:83:f6:aa:93:e7:62:34:9e:c9:f3:02:97:86:48:c8:
+        c5:e7:7d:46:f3:e4:eb:ee:5e:9e:12:09:2d:20:21:42:7a:98:
+        ae:be:e5:fd:5a:dd:44:9d:07:80:9e:d0:e7:78:9a:45:08:42:
+        62:f3:28:50:91:4a:a7:61:5a:85:73:34:9a:e5:f8:14:f5:6b:
+        97:7d:f9:a2:d6:00:be:52:da:9a:94:a1:03:e0:1b:ae:0c:3e:
+        08:72:dd:2c:94:6f:8a:81:7a:99:64:dc:97:51:ff:a3:a0:03:
+        92:d0:78:db:4b:88:8e:d8:fd:d6:cc:33:64:6f:9f:6f:38:44:
+        82:31:a7:64:ea:37:61:ee:a7:a0:4d:2c:7b:fa:7c:b8:b1:74:
+        9a:4c:fa:71:bb:66:31:98:7f:ee:dd:9e:e6:3a:64:38:6f:22:
+        dd:7c:ce:bf:f6:9f:51:0b:05:03:e1:33:94:a3:62:11:90:21:
+        95:66:37:33:43:ac:a1:95:00:ab:5a:e4:b1:bc:07:00:46:8b:
+        4b:97:73:d7:c1:5d:64:5c:7d:f2:37:37:5f:c8:66:3f:e8:6f:
+        9b:77:58:28
+-----BEGIN CERTIFICATE-----
+MIIDuzCCAqOgAwIBAgIBITANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTEwMDQwNjA5NTQzM1oXDTE5MDQwNDA5NTQzM1owSzELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsTBVNhbGVz
+MREwDwYDVQQDEwhTYWxlcyBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
+ggEBAMJOTSaZjDe5UR+hJbodcE40WBxWm+r0FiD+FLc2c0hH/QcWm1Xfqnc9qaPP
+GoxO2BfwXgFEHfOdQzHGuthhsvdMPkmWP1Z3uDrwscqrmLyq4JI87exSen1ggmCV
+Eib55T4fNxrTIGJaoe6Jn9v9ZwG2B+Ur3nFA/wdckSdqJxc6XL9DKcRk3TxZtv9S
+uDftE9G787O6PJSyfyUYhldz1EZe5PTsUoAbBJ0DDXJx3562kDtfQdwezat0LAyO
+sVabYq/0G/fBZwLLer4qGF2+3CsvP7jNXnhRYeSv2+4i2mAjgbBRI1A3iqoU3Nq1
+vPAqzrekOI/RV9Hre9L1r8X1dIECAwEAAaOBrzCBrDAPBgNVHRMBAf8EBTADAQH/
+MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUX5sTRvkgcsgA1Yi1p0wul+oLkygwbQYD
+VR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNI
+MRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2Fu
+IFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQELBQADggEBACRlTqXMjHy7r7rWnq/09yFn
+Td6d+y6KkHj9kvYSA5q7xYdmP3I4+YP2qpPnYjSeyfMCl4ZIyMXnfUbz5OvuXp4S
+CS0gIUJ6mK6+5f1a3USdB4Ce0Od4mkUIQmLzKFCRSqdhWoVzNJrl+BT1a5d9+aLW
+AL5S2pqUoQPgG64MPghy3SyUb4qBeplk3JdR/6OgA5LQeNtLiI7Y/dbMM2Rvn284
+RIIxp2TqN2Hup6BNLHv6fLixdJpM+nG7ZjGYf+7dnuY6ZDhvIt18zr/2n1ELBQPh
+M5SjYhGQIZVmNzNDrKGVAKta5LG8BwBGi0uXc9fBXWRcffI3N1/IZj/ob5t3WCg=
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/research/index.txt b/testing/hosts/winnetou/etc/openssl/research/index.txt
index 75e87f2c9..98aa9e3e4 100644
--- a/testing/hosts/winnetou/etc/openssl/research/index.txt
+++ b/testing/hosts/winnetou/etc/openssl/research/index.txt
@@ -1,5 +1,6 @@
-V	100322070423Z		01	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org
+R	100322070423Z	100407091025Z,superseded	01	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org
 V	100615195710Z		02	unknown	/C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA
 V	120323210330Z		03	unknown	/C=CH/O=Linux strongSwan/OU=Research OCSP Signing Authority/CN=ocsp.research.strongswan.org
 V	140323203747Z		04	unknown	/C=CH/O=Linux strongSwan/OU=Research no CDP/CN=carol@strongswan.org
 V	151103161503Z		05	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=Duck Research CA
+V	150406092057Z		06	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org
diff --git a/testing/hosts/winnetou/etc/openssl/research/index.txt.old b/testing/hosts/winnetou/etc/openssl/research/index.txt.old
index 26e68d4f3..2a68119f8 100644
--- a/testing/hosts/winnetou/etc/openssl/research/index.txt.old
+++ b/testing/hosts/winnetou/etc/openssl/research/index.txt.old
@@ -1,4 +1,5 @@
-V	100322070423Z		01	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org
+R	100322070423Z	100407091025Z	01	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org
 V	100615195710Z		02	unknown	/C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA
 V	120323210330Z		03	unknown	/C=CH/O=Linux strongSwan/OU=Research OCSP Signing Authority/CN=ocsp.research.strongswan.org
 V	140323203747Z		04	unknown	/C=CH/O=Linux strongSwan/OU=Research no CDP/CN=carol@strongswan.org
+V	151103161503Z		05	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=Duck Research CA
diff --git a/testing/hosts/winnetou/etc/openssl/research/newcerts/06.pem b/testing/hosts/winnetou/etc/openssl/research/newcerts/06.pem
new file mode 100644
index 000000000..69e5c05e3
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/research/newcerts/06.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIELDCCAxSgAwIBAgIBBjANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS
+BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTEwMDQwNzA5MjA1N1oXDTE1MDQwNjA5MjA1
+N1owWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP
+BgNVBAsTCFJlc2VhcmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCC
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOio9tKOkESjZumThDvt1aFy
+dPDPNAhNrIon8aCvZMxFQBXsams1LOL47UKQEeOJcDUQ1s90P05vAwX+TwOA2nBD
+hgVBe8c+RsBRfERmxcszK7dgj5yrjwbJFrUJPem04KEPnrR7LpT5s7+z1n+pZYr9
+HyJTvYJd3c968frowQW98mgEJG9xs2LfaqTV3RES1B9vIeQGWh64DSrF6Xy/HY+n
+3MeSMGZ3UJoXS6YZIxvGNd7heB/2xxv3Vv0TNyGikmP8Z5ibgN5jn7mQkU9SM9Qz
+Qb2ZY1m3Dn93cbJ5w3AXeClhJhoze6UvhVs4e/ASuJb6b9NLML4eB0BMCZD66Y8C
+AwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBTE
+AO+W2V1eu0sjCQcfemzz9lSRvTBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p
+891UIKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3
+YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBIDAfBgNVHREEGDAWgRRj
+YXJvbEBzdHJvbmdzd2FuLm9yZzA3BgNVHR8EMDAuMCygKqAohiZodHRwOi8vY3Js
+LnN0cm9uZ3N3YW4ub3JnL3Jlc2VhcmNoLmNybDANBgkqhkiG9w0BAQsFAAOCAQEA
+ajgFI8Kz611i0Ihu8+M1C2W1kFbL4EoYyon3trjRZ3Iqz6ksf9KSKCS6Fiylq4DG
+il0mtMtlP+HKcXzRgSY96M4CO73w26liwmZsFBNaZKI/5vKRPPLyU9raGshfpBeC
+CywZ4vcb+EViIPstzOYiK5y/1tSGsMEdnlX2JZsJAKhbLRTmC02O3MbGGBQQq1eU
+n1xkR8pndTWTJmFZ61fZlUMSwLgLF9/VchAa7cIdEA044OCtTdabiYoyLFmqDutq
+8GYvWOzLf2qOKcRxkHxPfeJDrWOLePEYnaMkSBkUKAUIkI+LaJbWF3ASTGgHqh2/
+pwU12A3BovJKUaR0B7Uy2A==
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/research/openssl.cnf b/testing/hosts/winnetou/etc/openssl/research/openssl.cnf
index 693af7c28..23f120b29 100644
--- a/testing/hosts/winnetou/etc/openssl/research/openssl.cnf
+++ b/testing/hosts/winnetou/etc/openssl/research/openssl.cnf
@@ -42,7 +42,7 @@ crl_extensions	= crl_ext  		  # The extentions to add to the CRL
 
 default_days    = 1825                    # how long to certify for
 default_crl_days= 30			  # how long before next CRL
-default_md      = sha1                    # which md to use.
+default_md      = sha256                  # which md to use.
 preserve        = no                      # keep passed DN ordering
 email_in_dn	= no			  # allow/forbid EMail in DN
 
@@ -74,7 +74,7 @@ emailAddress		= optional
 ####################################################################
 
 [ req ]
-default_bits		= 1024
+default_bits		= 2048
 default_keyfile 	= privkey.pem
 distinguished_name	= req_distinguished_name
 attributes		= req_attributes
diff --git a/testing/hosts/winnetou/etc/openssl/research/researchCert.der b/testing/hosts/winnetou/etc/openssl/research/researchCert.der
index 2a52f620d..0cbb57b99 100644
Binary files a/testing/hosts/winnetou/etc/openssl/research/researchCert.der and b/testing/hosts/winnetou/etc/openssl/research/researchCert.der differ
diff --git a/testing/hosts/winnetou/etc/openssl/research/researchCert.pem b/testing/hosts/winnetou/etc/openssl/research/researchCert.pem
index 154cff654..d53365f78 100644
--- a/testing/hosts/winnetou/etc/openssl/research/researchCert.pem
+++ b/testing/hosts/winnetou/etc/openssl/research/researchCert.pem
@@ -1,7 +1,7 @@
 -----BEGIN CERTIFICATE-----
-MIIDwTCCAqmgAwIBAgIBDzANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
+MIIDwTCCAqmgAwIBAgIBIDANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA1MDYyMTE5NTgwNloXDTEwMDYyMDE5NTgwNlowUTELMAkGA1UE
+b290IENBMB4XDTEwMDQwNjA5NTM1MFoXDTE5MDQwNDA5NTM1MFowUTELMAkGA1UE
 BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
 cmNoMRQwEgYDVQQDEwtSZXNlYXJjaCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP
 ADCCAQoCggEBALY5sjqm4AdbWKc/T7JahWpy9xtdPbHngBN6lbnpYaHfrxnGsvmD
@@ -13,11 +13,11 @@ C+25IuE8Nq+i3jtBiI8BwBqHY3u2IuflUh9Nc9d/R6vGsRPMHs30X1Ha/m0Ug494
 BTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU53XwoPKtIM3NYCPMx8gPKfPd
 VCAwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNV
 BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJv
-bmdTd2FuIFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQEEBQADggEBAHArS2trQnBoMVcg
-Br3HV78wYsa1MNAQCBAPhKMMd6EziO4FTwgNgecbKXpObX6ErFDgjtVTcLOMTvNX
-fvZoNuPpdcitlgcWjfxZafNbj6j9ClE/rMbGDO64NLhdXuPVkbmic6yXRwGZpTuq
-3CKgTguLvhzIEM47yfonXKaaJcKVPI7nYRZdlJmD4VflYrSUpzB361dCaPpl0AYa
-0zz1+jfBBvlyic/tf+cCngV3f+GlJ4ntZ3gvRjyysHRmYpWBD7xcA8mJzgUiMyi1
-IKeNzydp+tnLfxwetfA/8ptc346me7RktAaASqO9vpS/N78eXyJRthZTKEf/OqVW
-Tfcyi+M=
+bmdTd2FuIFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQELBQADggEBAI1toW0bLcyBXAoy
+FeLKGy4SibcNBZs/roChcwUav0foyLdCYMYFKEeHOLvIsTIjifpY4MPy3SBgQ5Xp
+cs5vOFwW97jM6YfByqjx4+7qTBqOaLMXBbeJ3LIwQyJirpqHZzlsOscchxCjcMAM
+POBGmWjpdOqULoLlwX9EFhBA2rEZB1iamgbUJ5M5eRNEubm8xR6Baw/0ORz/tt+t
+xC9jxcjHoJnOFV0ss7Xs3d32PqhvKGgBxjVLZyq3zD/rMG2xXVyKPU46zelMCP1U
+dsM62tL1cwAi4soka02GQrP/rwBhHt22bJMN4gNs5NSvhTdjjgwVYzLu63IFYBvW
+8sFmiZI=
 -----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/research/serial b/testing/hosts/winnetou/etc/openssl/research/serial
index cd672a533..2c7456e3e 100644
--- a/testing/hosts/winnetou/etc/openssl/research/serial
+++ b/testing/hosts/winnetou/etc/openssl/research/serial
@@ -1 +1 @@
-06
+07
diff --git a/testing/hosts/winnetou/etc/openssl/research/serial.old b/testing/hosts/winnetou/etc/openssl/research/serial.old
index eeee65ec4..cd672a533 100644
--- a/testing/hosts/winnetou/etc/openssl/research/serial.old
+++ b/testing/hosts/winnetou/etc/openssl/research/serial.old
@@ -1 +1 @@
-05
+06
diff --git a/testing/hosts/winnetou/etc/openssl/sales/index.txt b/testing/hosts/winnetou/etc/openssl/sales/index.txt
index 3e39e973b..c4e05f253 100644
--- a/testing/hosts/winnetou/etc/openssl/sales/index.txt
+++ b/testing/hosts/winnetou/etc/openssl/sales/index.txt
@@ -1,4 +1,5 @@
-V	100322071017Z		01	unknown	/C=CH/O=Linux strongSwan/OU=Sales/CN=dave@strongswan.org
+R	100322071017Z	100407093948Z,superseded	01	unknown	/C=CH/O=Linux strongSwan/OU=Sales/CN=dave@strongswan.org
 V	100615195536Z		02	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=Research CA
 V	120323211811Z		03	unknown	/C=CH/O=Linux strongSwan/OU=Sales OCSP Signing Authority/CN=ocsp.sales.strongswan.org
 V	140323211053Z		04	unknown	/C=CH/O=Linux strongSwan/OU=Sales no CDP/CN=dave@strongswan.org
+V	150406094241Z		05	unknown	/C=CH/O=Linux strongSwan/OU=Sales/CN=dave@strongswan.org
diff --git a/testing/hosts/winnetou/etc/openssl/sales/index.txt.attr.old b/testing/hosts/winnetou/etc/openssl/sales/index.txt.attr.old
new file mode 100644
index 000000000..8f7e63a34
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/sales/index.txt.attr.old
@@ -0,0 +1 @@
+unique_subject = yes
diff --git a/testing/hosts/winnetou/etc/openssl/sales/index.txt.old b/testing/hosts/winnetou/etc/openssl/sales/index.txt.old
index ab3c06416..f377c3588 100644
--- a/testing/hosts/winnetou/etc/openssl/sales/index.txt.old
+++ b/testing/hosts/winnetou/etc/openssl/sales/index.txt.old
@@ -1,3 +1,4 @@
-V	100322071017Z		01	unknown	/C=CH/O=Linux strongSwan/OU=Sales/CN=dave@strongswan.org
+R	100322071017Z	100407093948Z,superseded	01	unknown	/C=CH/O=Linux strongSwan/OU=Sales/CN=dave@strongswan.org
 V	100615195536Z		02	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=Research CA
 V	120323211811Z		03	unknown	/C=CH/O=Linux strongSwan/OU=Sales OCSP Signing Authority/CN=ocsp.sales.strongswan.org
+V	140323211053Z		04	unknown	/C=CH/O=Linux strongSwan/OU=Sales no CDP/CN=dave@strongswan.org
diff --git a/testing/hosts/winnetou/etc/openssl/sales/newcerts/05.pem b/testing/hosts/winnetou/etc/openssl/sales/newcerts/05.pem
new file mode 100644
index 000000000..91df37a81
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/sales/newcerts/05.pem
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIIEHDCCAwSgAwIBAgIBBTANBgkqhkiG9w0BAQsFADBLMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEOMAwGA1UECxMFU2FsZXMxETAPBgNV
+BAMTCFNhbGVzIENBMB4XDTEwMDQwNzA5NDI0MVoXDTE1MDQwNjA5NDI0MVowVjEL
+MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsT
+BVNhbGVzMRwwGgYDVQQDFBNkYXZlQHN0cm9uZ3N3YW4ub3JnMIIBIjANBgkqhkiG
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEAztqGSb3H9Xh6I4xiDkmsN5WRjKnEQfSRZsSi
+0umR7a1jysVvMgLKnmk2hAMJkDTjBXndEemnLiXemxNq4Wp3x0ZgpNWC6y1klZY6
+J7T76/4YhpIIs8HA1+ZiIAEhYCkeqy/ULPk0qa6yK6Ma2FKLEC4wz6OBbjhctqLz
+VsxxKDkLaivnJ16bX8CCNsCq86Ba64m6K1Mpsev5RKnOz0Ey1WwBhgLmipZRgAMH
+K6yPTRaOccvFVrOpi1bfprKXkrCYt6sQoDjbfheZ/tKyW2iJ+WbH0lsA4NbPi1s/
+5/rOIH+16CGfanXiZvZ7NbxLyb8ffPIXFxDTqiS8wFreRZR85wIDAQABo4H/MIH8
+MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBRnEIHshwPhDDGr3xLV
+MnUEbroVIjBtBgNVHSMEZjBkgBRfmxNG+SByyADViLWnTC6X6guTKKFJpEcwRTEL
+MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT
+EnN0cm9uZ1N3YW4gUm9vdCBDQYIBITAeBgNVHREEFzAVgRNkYXZlQHN0cm9uZ3N3
+YW4ub3JnMDQGA1UdHwQtMCswKaAnoCWGI2h0dHA6Ly9jcmwuc3Ryb25nc3dhbi5v
+cmcvc2FsZXMuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQB5H5jjp9LvEDyJp/3x7Caq
+OhIBSl5n3g7Oi1gXT5GHLBh9/l5i6Swk1eey2oMzpHgsdDogLytlvzRKXupJAZt5
+xWab5I7BfichRCV4bOutN/F8DiNChG0SnYEBizRi5K06LAadtDT0NLv7iE/I49Nb
+E8OdqnET1zHq82mbtVZCEzmRe+cmlB7EeECED+GxTOnYLRWeKg+AWIE4/fLN7s0e
+q94lSUtym71LZ9kmMMAHkIyEbblvVIa7k5j4T6j0XwPPcYVMSjogqeze+qbf3EQ+
+JkRlGdzL/17ToLWYnVwkLqQDn6B+RfwnPk2EXndutPrNz6C3Wy7zNNniciAtXAq+
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/sales/openssl.cnf b/testing/hosts/winnetou/etc/openssl/sales/openssl.cnf
index 75816c432..547b2edbc 100644
--- a/testing/hosts/winnetou/etc/openssl/sales/openssl.cnf
+++ b/testing/hosts/winnetou/etc/openssl/sales/openssl.cnf
@@ -42,7 +42,7 @@ crl_extensions	= crl_ext  		  # The extentions to add to the CRL
 
 default_days    = 1825                    # how long to certify for
 default_crl_days= 30			  # how long before next CRL
-default_md      = sha1                    # which md to use.
+default_md      = sha256                  # which md to use.
 preserve        = no                      # keep passed DN ordering
 email_in_dn	= no			  # allow/forbid EMail in DN
 
@@ -74,7 +74,7 @@ emailAddress		= optional
 ####################################################################
 
 [ req ]
-default_bits		= 1024
+default_bits		= 2048
 default_keyfile 	= privkey.pem
 distinguished_name	= req_distinguished_name
 attributes		= req_attributes
diff --git a/testing/hosts/winnetou/etc/openssl/sales/salesCert.der b/testing/hosts/winnetou/etc/openssl/sales/salesCert.der
index 529fd2d45..dafc9ed48 100644
Binary files a/testing/hosts/winnetou/etc/openssl/sales/salesCert.der and b/testing/hosts/winnetou/etc/openssl/sales/salesCert.der differ
diff --git a/testing/hosts/winnetou/etc/openssl/sales/salesCert.pem b/testing/hosts/winnetou/etc/openssl/sales/salesCert.pem
index e50477872..a10a18cba 100644
--- a/testing/hosts/winnetou/etc/openssl/sales/salesCert.pem
+++ b/testing/hosts/winnetou/etc/openssl/sales/salesCert.pem
@@ -1,7 +1,7 @@
 -----BEGIN CERTIFICATE-----
-MIIDuzCCAqOgAwIBAgIBDTANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJDSDEZ
+MIIDuzCCAqOgAwIBAgIBITANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA1MDMyMzA2MjkxNloXDTE0MDMyMTA2MjkxNlowSzELMAkGA1UE
+b290IENBMB4XDTEwMDQwNjA5NTQzM1oXDTE5MDQwNDA5NTQzM1owSzELMAkGA1UE
 BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsTBVNhbGVz
 MREwDwYDVQQDEwhTYWxlcyBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
 ggEBAMJOTSaZjDe5UR+hJbodcE40WBxWm+r0FiD+FLc2c0hH/QcWm1Xfqnc9qaPP
@@ -13,10 +13,10 @@ vPAqzrekOI/RV9Hre9L1r8X1dIECAwEAAaOBrzCBrDAPBgNVHRMBAf8EBTADAQH/
 MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUX5sTRvkgcsgA1Yi1p0wul+oLkygwbQYD
 VR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNI
 MRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2Fu
-IFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQEFBQADggEBAJ7j3X20Q8ICJ2e+iUCpVUIV
-8RudUeHt9qjSXalohuxxhegL5vu7I9Gx0H56RE4glOjLMCb1xqVZ55Odxx14pHaZ
-9iMnQFpgzi96exYAmBKYCHl4IFix2hrTqTWSJhEO+o+PXnQTgcfG43GQepk0qAQr
-iZZy8OWiUhHSJQLJtTMm4rnYjgPn+sLwx7hCPDZpHTZocETDars7wTiVkodCbeEU
-uKahAbq4b6MvvC3+7quvwoEpAEStT7+Yml+QuK/jKmhjX0hcQcw4ZWi+m32RjUAv
-xDJGEvBqV2hyrzRqwh4lVNJEBba5X+QB3N6a0So6BENaJrUM3v8EDaS2KLUWyu0=
+IFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQELBQADggEBACRlTqXMjHy7r7rWnq/09yFn
+Td6d+y6KkHj9kvYSA5q7xYdmP3I4+YP2qpPnYjSeyfMCl4ZIyMXnfUbz5OvuXp4S
+CS0gIUJ6mK6+5f1a3USdB4Ce0Od4mkUIQmLzKFCRSqdhWoVzNJrl+BT1a5d9+aLW
+AL5S2pqUoQPgG64MPghy3SyUb4qBeplk3JdR/6OgA5LQeNtLiI7Y/dbMM2Rvn284
+RIIxp2TqN2Hup6BNLHv6fLixdJpM+nG7ZjGYf+7dnuY6ZDhvIt18zr/2n1ELBQPh
+M5SjYhGQIZVmNzNDrKGVAKta5LG8BwBGi0uXc9fBXWRcffI3N1/IZj/ob5t3WCg=
 -----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/sales/serial b/testing/hosts/winnetou/etc/openssl/sales/serial
index eeee65ec4..cd672a533 100644
--- a/testing/hosts/winnetou/etc/openssl/sales/serial
+++ b/testing/hosts/winnetou/etc/openssl/sales/serial
@@ -1 +1 @@
-05
+06
diff --git a/testing/hosts/winnetou/etc/openssl/sales/serial.old b/testing/hosts/winnetou/etc/openssl/sales/serial.old
index 64969239d..eeee65ec4 100644
--- a/testing/hosts/winnetou/etc/openssl/sales/serial.old
+++ b/testing/hosts/winnetou/etc/openssl/sales/serial.old
@@ -1 +1 @@
-04
+05
diff --git a/testing/hosts/winnetou/etc/openssl/serial b/testing/hosts/winnetou/etc/openssl/serial
index 33c1ce6c7..2bd5a0a98 100644
--- a/testing/hosts/winnetou/etc/openssl/serial
+++ b/testing/hosts/winnetou/etc/openssl/serial
@@ -1 +1 @@
-1F
+22
diff --git a/testing/hosts/winnetou/etc/openssl/serial.old b/testing/hosts/winnetou/etc/openssl/serial.old
index e28e17eb7..aabe6ec39 100644
--- a/testing/hosts/winnetou/etc/openssl/serial.old
+++ b/testing/hosts/winnetou/etc/openssl/serial.old
@@ -1 +1 @@
-1E
+21
diff --git a/testing/scripts/build-umlrootfs b/testing/scripts/build-umlrootfs
index 4a561b857..16dd843b9 100755
--- a/testing/scripts/build-umlrootfs
+++ b/testing/scripts/build-umlrootfs
@@ -206,9 +206,9 @@ then
     echo -n " --enable-leak-detective" >> $INSTALLSHELL
 fi
 
-if [ "$USE_LOAD_TESTS" = "yes" ]
+if [ "$USE_LOAD_TESTER" = "yes" ]
 then
-    echo -n " --enable-load-tests" >> $INSTALLSHELL
+    echo -n " --enable-load-tester" >> $INSTALLSHELL
 fi
 
 if [ "$USE_TEST_VECTORS" = "yes" ]
@@ -221,6 +221,26 @@ then
     echo -n " --enable-gcrypt" >> $INSTALLSHELL
 fi
 
+if [ "$USE_SOCKET_DEFAULT" = "yes" ]
+then
+    echo -n " --enable-socket-default" >> $INSTALLSHELL
+fi
+
+if [ "$USE_SOCKET_DYNAMIC" = "yes" ]
+then
+    echo -n " --enable-socket-dynamic" >> $INSTALLSHELL
+fi
+
+if [ "$USE_DHCP" = "yes" ]
+then
+    echo -n " --enable-dhcp" >> $INSTALLSHELL
+fi
+
+if [ "$USE_FARP" = "yes" ]
+then
+    echo -n " --enable-farp" >> $INSTALLSHELL
+fi
+
 echo "" >> $INSTALLSHELL
 echo "make" >> $INSTALLSHELL
 echo "make install" >> $INSTALLSHELL
diff --git a/testing/testing.conf b/testing/testing.conf
index e86f60ae2..c7852d28f 100755
--- a/testing/testing.conf
+++ b/testing/testing.conf
@@ -19,19 +19,19 @@ UMLTESTDIR=~/strongswan-testing
 
 # Bzipped kernel sources
 # (file extension .tar.bz2 required)
-KERNEL=$UMLTESTDIR/linux-2.6.31.5.tar.bz2
+KERNEL=$UMLTESTDIR/linux-2.6.33.3.tar.bz2
 
 # Extract kernel version
 KERNELVERSION=`basename $KERNEL .tar.bz2 | sed -e 's/linux-//'`
 
 # Kernel configuration file
-KERNELCONFIG=$UMLTESTDIR/.config-2.6.31
+KERNELCONFIG=$UMLTESTDIR/.config-2.6.33
 
 # Bzipped uml patch for kernel
-#UMLPATCH=$UMLTESTDIR/aead_init.patch.bz2
+UMLPATCH=$UMLTESTDIR/aes_gmac.patch.bz2
 
 # Bzipped source of strongSwan
-STRONGSWAN=$UMLTESTDIR/strongswan-4.3.6.tar.bz2
+STRONGSWAN=$UMLTESTDIR/strongswan-4.4.0.tar.bz2
 
 # strongSwan compile options (use "yes" or "no")
 USE_LIBCURL="yes"
@@ -49,15 +49,19 @@ USE_BLOWFISH="yes"
 USE_KERNEL_PFKEY="yes"
 USE_INTEGRITY_TEST="yes"
 USE_LEAK_DETECTIVE="yes"
-USE_LOAD_TESTS="yes"
+USE_LOAD_TESTER="yes"
 USE_TEST_VECTORS="yes"
 USE_GCRYPT="yes"
+USE_SOCKET_DEFAULT="yes"
+USE_SOCKET_DYNAMIC="yes"
+USE_DHCP="yes"
+USE_FARP="yes"
 
 # Gentoo linux root filesystem
 ROOTFS=$UMLTESTDIR/gentoo-fs-20090615.tar.bz2
 
 # Size of the finished root filesystem in MB
-ROOTFSSIZE=600
+ROOTFSSIZE=700
 
 # Amount of Memory to use per UML [MB].
 # If "auto" is stated 1/12 of total host ram will be used.
diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf
index 586a3dc5e..48b36cec7 100644
--- a/testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl pem pkcs1 gcrypt x509 hmac xcbc stroke kernel-netlink updown
+  load = curl pem pkcs1 gcrypt x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf
index 586a3dc5e..48b36cec7 100644
--- a/testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl pem pkcs1 gcrypt x509 hmac xcbc stroke kernel-netlink updown
+  load = curl pem pkcs1 gcrypt x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
index b15a55fa5..0113aa780 100644
--- a/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors pem pkcs1 gcrypt x509 hmac stroke kernel-netlink updown
+  load = curl test-vectors pem pkcs1 gcrypt x509 hmac stroke kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
index ab6f08e2d..6fcefc56a 100644
--- a/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac stroke kernel-netlink updown
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac stroke kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
index b15a55fa5..0113aa780 100644
--- a/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors pem pkcs1 gcrypt x509 hmac stroke kernel-netlink updown
+  load = curl test-vectors pem pkcs1 gcrypt x509 hmac stroke kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/ike/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/ike/rw-cert/hosts/dave/etc/strongswan.conf
index 6f4ec2510..774042329 100644
--- a/testing/tests/ike/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ike/rw-cert/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
 }
 
 libstrongswan {
diff --git a/testing/tests/ike/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ike/rw-cert/hosts/moon/etc/strongswan.conf
index ff3faf993..1f442a7dd 100644
--- a/testing/tests/ike/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ike/rw-cert/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random hmac x509 xcbc stroke kernel-netlink
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random hmac x509 xcbc stroke kernel-netlink socket-raw
 }
 
 pluto {
diff --git a/testing/tests/ike/rw_v1-net_v2/hosts/moon/etc/strongswan.conf b/testing/tests/ike/rw_v1-net_v2/hosts/moon/etc/strongswan.conf
index cf4893014..831790f1e 100644
--- a/testing/tests/ike/rw_v1-net_v2/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ike/rw_v1-net_v2/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random hmac x509 xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random hmac x509 xcbc stroke kernel-netlink socket-raw
 }
 
 pluto {
diff --git a/testing/tests/ike/rw_v1-net_v2/hosts/sun/etc/strongswan.conf b/testing/tests/ike/rw_v1-net_v2/hosts/sun/etc/strongswan.conf
index 572cf39cb..dd2df0670 100644
--- a/testing/tests/ike/rw_v1-net_v2/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ike/rw_v1-net_v2/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ike2/description.txt b/testing/tests/ike2/description.txt
new file mode 100644
index 000000000..31d24cda6
--- /dev/null
+++ b/testing/tests/ike2/description.txt
@@ -0,0 +1,6 @@
+The router <b>moon</b> sets up a connection to gateway <b>sun</b> in order
+to reach the subnet hidden behind <b>sun</b>. The gateway <b>sun</b> assigns a
+virtual IP address to router <b>moon</b>. A special updown script on <b>moon</b>
+specified by <b>leftupdown=/etc/nat_updown</b> dynamically inserts a source NAT rule
+which maps the IP address of client <b>alice</b> to the virtual IP of <b>moon</b>.
+This allows <b>alice</b> to access client <b>bob</b> via the established IPsec tunnel.
diff --git a/testing/tests/ike2/evaltest.dat b/testing/tests/ike2/evaltest.dat
new file mode 100644
index 000000000..75d5ffbd3
--- /dev/null
+++ b/testing/tests/ike2/evaltest.dat
@@ -0,0 +1,8 @@
+moon::ipsec statusall::net-net.*ESTABLISHED::YES
+sun::ipsec statusall::net-net.*ESTABLISHED::YES
+moon::cat /var/log/daemon.log::inserted NAT rule mapping PH_IP_ALICE to virtual IP::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
+bob::tcpdump::IP alice2.strongswan.org > bob.strongswan.org: ICMP::YES
+bob::tcpdump::IP bob.strongswan.org > alice2.strongswan.org: ICMP::YES
diff --git a/testing/tests/ike2/hosts/bob/etc/hosts b/testing/tests/ike2/hosts/bob/etc/hosts
new file mode 100644
index 000000000..ee854da09
--- /dev/null
+++ b/testing/tests/ike2/hosts/bob/etc/hosts
@@ -0,0 +1,70 @@
+# /etc/hosts:  This file describes a number of hostname-to-address
+#              mappings for the TCP/IP subsystem.  It is mostly
+#              used at boot time, when no name servers are running.
+#              On small systems, this file can be used instead of a
+#              "named" name server.  Just add the names, addresses
+#              and any aliases to this file...
+#
+
+127.0.0.1	localhost
+
+192.168.0.254	uml0.strongswan.org	uml0
+10.1.0.254	uml1.strongswan.org	uml1
+10.2.0.254	uml1.strongswan.org	uml2
+
+10.1.0.10	alice.strongswan.org	alice
+10.1.0.20	venus.strongswan.org	venus
+10.1.0.1	moon1.strongswan.org	moon1
+192.168.0.1	moon.strongswan.org	moon
+192.168.0.50	alice1.strongswan.org	alice1
+192.168.0.100	carol.strongswan.org	carol
+10.3.0.1	carol1.strongswan.org	carol1
+192.168.0.150	winnetou.strongswan.org	winnetou crl.strongswan.org ocsp.strongswan.org ldap.strongswan.org
+192.168.0.200	dave.strongswan.org	dave
+10.3.0.2	dave1.strongswan.org	dave1
+192.168.0.2	sun.strongswan.org	sun
+10.2.0.1	sun1.strongswan.org	sun1
+10.2.0.10	bob.strongswan.org	bob
+10.4.0.1	alice2.strongswan.org	alice2
+
+# IPv6 versions of localhost and co
+::1 ip6-localhost ip6-loopback
+fe00::0 ip6-localnet
+ff00::0 ip6-mcastprefix
+ff02::1 ip6-allnodes
+ff02::2 ip6-allrouters
+ff02::3 ip6-allhosts
+
+# IPv6 solicited-node multicast addresses
+ff02::1:ff00:1	ip6-mcast-1
+ff02::1:ff00:2	ip6-mcast-2
+ff02::1:ff00:10	ip6-mcast-10
+ff02::1:ff00:15	ip6-mcast-15
+ff02::1:ff00:20	ip6-mcast-20
+
+# IPv6 site-local addresses
+fec0::5		ip6-alice1.strongswan.org   ip6-alice1
+fec1::10	ip6-alice.strongswan.org    ip6-alice
+fec1::20	ip6-venus.strongswan.org    ip6-venus
+fec1::1 	ip6-moon1.strongswan.org    ip6-moon1
+fec0::1 	ip6-moon.strongswan.org     ip6-moon
+fec0::10	ip6-carol.strongswan.org    ip6-carol
+fec3::1 	ip6-carol1.strongswan.org   ip6-carol1
+fec0::15	ip6-winnetou.strongswan.org ip6-winnetou 
+fec0::20	ip6-dave.strongswan.org     ip6-dave
+fec3::2 	ip6-dave1.strongswan.org    ip6-dave1
+fec0::2 	ip6-sun.strongswan.org      ip6-sun
+fec2::1 	ip6-sun1.strongswan.org     ip6-sun1
+fec2::10	ip6-bob.strongswan.org      ip6-bob
+
+# IPv6 link-local HW derived addresses
+fe80::fcfd:0aff:fe01:14	ip6-hw-venus.strongswan.org    ip6-hw-venus
+fe80::fcfd:0aff:fe01:0a	ip6-hw-alice.strongswan.org    ip6-hw-alice
+fe80::fcfd:0aff:fe01:01	ip6-hw-moon1.strongswan.org    ip6-hw-moon1
+fe80::fcfd:c0ff:fea8:01 ip6-hw-moon.strongswan.org     ip6-hw-moon
+fe80::fcfd:c0ff:fea8:64	ip6-hw-carol.strongswan.org    ip6-hw-carol
+fe80::fcfd:c0ff:fea8:96 ip6-hw-winnetou.strongswan.org ip6-hw-winnetou
+fe80::fcfd:c0ff:fea8:c8	ip6-hw-dave.strongswan.org     ip6-hw-dave
+fe80::fcfd:c0ff:fea8:02	ip6-hw-sun.strongswan.org      ip6-hw-sun
+fe80::fcfd:0aff:fe02:01	ip6-hw-sun1.strongswan.org     ip6-hw-sun1
+fe80::fcfd:0aff:fe02:0a ip6-hw-bob.strongswan.org      ip6-hw-bob
diff --git a/testing/tests/ike2/hosts/moon/etc/ipsec.conf b/testing/tests/ike2/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..e43e0d785
--- /dev/null
+++ b/testing/tests/ike2/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	mobike=no
+
+conn net-net 
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsourceip=%config
+	leftupdown=/etc/nat_updown
+	right=PH_IP_SUN
+	rightid=@sun.strongswan.org
+	rightsubnet=10.2.0.0/16
+	auto=add
diff --git a/testing/tests/ike2/hosts/moon/etc/nat_updown b/testing/tests/ike2/hosts/moon/etc/nat_updown
new file mode 100755
index 000000000..aab1df687
--- /dev/null
+++ b/testing/tests/ike2/hosts/moon/etc/nat_updown
@@ -0,0 +1,152 @@
+#! /bin/sh
+# NAT updown script
+#
+# Copyright (C) 2010 Andreas Steffen <andreas.steffen@strongswan.org>
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# for more details.
+
+# things that this script gets (from ipsec_pluto(8) man page)
+#
+#      PLUTO_VERSION
+#              indicates  what  version of this interface is being
+#              used.  This document describes version  1.1.   This
+#              is upwardly compatible with version 1.0.
+#
+#       PLUTO_VERB
+#              specifies the name of the operation to be performed
+#              (prepare-host, prepare-client, up-host, up-client,
+#              down-host, or down-client).  If the address family
+#              for security gateway to security gateway communica-
+#              tions is IPv6, then a suffix of -v6 is added to the
+#              verb.
+#
+#       PLUTO_CONNECTION
+#              is the name of the  connection  for  which  we  are
+#              routing.
+#
+#       PLUTO_NEXT_HOP
+#              is the next hop to which packets bound for the peer
+#              must be sent.
+#
+#       PLUTO_INTERFACE
+#              is the name of the ipsec interface to be used.
+#
+#       PLUTO_REQID
+#              is the requid of the ESP policy
+#
+#       PLUTO_ME
+#              is the IP address of our host.
+#
+#       PLUTO_MY_ID
+#              is the ID of our host.
+#
+#       PLUTO_MY_CLIENT
+#              is the IP address / count of our client subnet.  If
+#              the  client  is  just  the  host,  this will be the
+#              host's own IP address / max (where max  is  32  for
+#              IPv4 and 128 for IPv6).
+#
+#       PLUTO_MY_CLIENT_NET
+#              is the IP address of our client net.  If the client
+#              is just the host, this will be the  host's  own  IP
+#              address.
+#
+#       PLUTO_MY_CLIENT_MASK
+#              is  the  mask for our client net.  If the client is
+#              just the host, this will be 255.255.255.255.
+#
+#       PLUTO_MY_SOURCEIP
+#              if non-empty, then the source address for the route will be
+#              set to this IP address.
+#
+#       PLUTO_MY_PROTOCOL
+#              is the IP protocol that will be transported.
+#
+#       PLUTO_MY_PORT
+#              is  the  UDP/TCP  port  to  which  the IPsec SA  is
+#              restricted on our side.
+#
+#       PLUTO_PEER
+#              is the IP address of our peer.
+#
+#       PLUTO_PEER_ID
+#              is the ID of our peer.
+#
+#       PLUTO_PEER_CA
+#              is the CA which issued the cert of our peer.
+#
+#       PLUTO_PEER_CLIENT
+#              is the IP address / count of the peer's client sub-
+#              net.   If the client is just the peer, this will be
+#              the peer's own IP address / max (where  max  is  32
+#              for IPv4 and 128 for IPv6).
+#
+#       PLUTO_PEER_CLIENT_NET
+#              is the IP address of the peer's client net.  If the
+#              client is just the peer, this will  be  the  peer's
+#              own IP address.
+#
+#       PLUTO_PEER_CLIENT_MASK
+#              is  the  mask  for  the  peer's client net.  If the
+#              client   is   just   the   peer,   this   will   be
+#              255.255.255.255.
+#
+#       PLUTO_PEER_PROTOCOL
+#              is the IP protocol that will be transported.
+#
+#       PLUTO_PEER_PORT
+#              is  the  UDP/TCP  port  to  which  the IPsec SA  is
+#              restricted on the peer side.
+#
+
+# define a minimum PATH environment in case it is not set
+PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin"
+export PATH
+
+# resolve octal escape sequences
+PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
+PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
+
+case "$PLUTO_VERB:$1" in
+up-host:)
+	# connection to me coming up
+	# If you are doing a custom version, firewall commands go here.
+	;;
+down-host:)
+	# connection to me going down
+	# If you are doing a custom version, firewall commands go here.
+	;;
+up-client:)
+	# connection to my client subnet coming up
+	# If you are doing a custom version, firewall commands go here.
+	iptables -A FORWARD -i eth1 -o $PLUTO_INTERFACE -s PH_IP_ALICE \
+	    -d $PLUTO_PEER_CLIENT -j ACCEPT
+        iptables -A FORWARD -o eth1 -i $PLUTO_INTERFACE -d PH_IP_ALICE \
+            -s $PLUTO_PEER_CLIENT -j ACCEPT
+	iptables -t nat -A POSTROUTING -o $PLUTO_INTERFACE -s PH_IP_ALICE \
+	    -d $PLUTO_PEER_CLIENT -j SNAT --to-source $PLUTO_MY_SOURCEIP
+	echo "inserted NAT rule mapping PH_IP_ALICE to virtual IP $PLUTO_MY_SOURCEIP" >&2 
+	;;
+down-client:)
+	# connection to my client subnet going down
+	# If you are doing a custom version, firewall commands go here.
+        iptables -D FORWARD -i eth1 -o $PLUTO_INTERFACE -s PH_IP_ALICE \
+            -d $PLUTO_PEER_CLIENT -j ACCEPT
+        iptables -D FORWARD -o eth1 -i $PLUTO_INTERFACE -d PH_IP_ALICE \
+            -s $PLUTO_PEER_CLIENT -j ACCEPT
+         iptables -t nat -D POSTROUTING -o $PLUTO_INTERFACE -s PH_IP_ALICE \
+            -d $PLUTO_PEER_CLIENT -j SNAT --to-source $PLUTO_MY_SOURCEIP
+        echo "deleted NAT rule mapping PH_IP_ALICE to virtual IP $PLUTO_MY_SOURCEIP" >&2    
+	;;
+*)	echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
+	exit 1
+	;;
+esac
diff --git a/testing/tests/ike2/hosts/moon/etc/strongswan.conf b/testing/tests/ike2/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..161934454
--- /dev/null
+++ b/testing/tests/ike2/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-raw updown
+  multiple_authentication = no
+}
diff --git a/testing/tests/ike2/hosts/sun/etc/ipsec.conf b/testing/tests/ike2/hosts/sun/etc/ipsec.conf
new file mode 100755
index 000000000..9cede8d56
--- /dev/null
+++ b/testing/tests/ike2/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+        keyingtries=1
+	keyexchange=ikev2
+	mobike=no
+
+conn net-net 
+	left=PH_IP_SUN
+	leftcert=sunCert.pem
+	leftid=@sun.strongswan.org
+	leftsubnet=10.2.0.0/16
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsourceip=10.4.0.0/24
+	auto=add
diff --git a/testing/tests/ike2/hosts/sun/etc/strongswan.conf b/testing/tests/ike2/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..161934454
--- /dev/null
+++ b/testing/tests/ike2/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-raw updown
+  multiple_authentication = no
+}
diff --git a/testing/tests/ike2/posttest.dat b/testing/tests/ike2/posttest.dat
new file mode 100644
index 000000000..b121de27d
--- /dev/null
+++ b/testing/tests/ike2/posttest.dat
@@ -0,0 +1,5 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
+moon::conntrack -F
diff --git a/testing/tests/ike2/pretest.dat b/testing/tests/ike2/pretest.dat
new file mode 100644
index 000000000..abbca90d7
--- /dev/null
+++ b/testing/tests/ike2/pretest.dat
@@ -0,0 +1,9 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
+moon::conntrack -F
+moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+moon::ipsec start
+sun::ipsec start
+moon::sleep 1 
+moon::ipsec up net-net
+moon::sleep 1
diff --git a/testing/tests/ike2/test.conf b/testing/tests/ike2/test.conf
new file mode 100644
index 000000000..1971a33ab
--- /dev/null
+++ b/testing/tests/ike2/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+ 
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun bob"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev1/alg-modp-subgroup/description.txt b/testing/tests/ikev1/alg-modp-subgroup/description.txt
new file mode 100644
index 000000000..cb7d11720
--- /dev/null
+++ b/testing/tests/ikev1/alg-modp-subgroup/description.txt
@@ -0,0 +1,14 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
+to gateway <b>moon</b> using the <b>MODP Diffie-Hellman Groups 22, 23, and 24</b>
+with <b>Prime Order Subgroups</b>.
+<p/>
+<b>carol</b> proposes the DH groups MODP_2048_224 and MODP_1024_160 whereas
+<b>dave</b> proposes MODP_2048_224 and MODP_2048_256.
+Since <b>moon</b> does not support MODP_2048_224 the roadwarriors fall back to
+MODP_1024_160 and MODP_2048_256, respectively.
+<p/>
+Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
+the client <b>alice</b> behind the gateway <b>moon</b>.
+
diff --git a/testing/tests/ikev1/alg-modp-subgroup/evaltest.dat b/testing/tests/ikev1/alg-modp-subgroup/evaltest.dat
new file mode 100644
index 000000000..0f71ba5f5
--- /dev/null
+++ b/testing/tests/ikev1/alg-modp-subgroup/evaltest.dat
@@ -0,0 +1,13 @@
+moon::cat /var/log/auth.log::MODP_2048_224.*refused due to strict flag::YES
+moon::ipsec statusall::IPsec SA established::YES
+carol::ipsec statusall::IPsec SA established::YES
+carol::ipsec statusall::IKE proposal: AES_CBC_128/HMAC_SHA1/MODP_1024_160::YES
+dave::ipsec statusall::IPsec SA established::YES
+dave::ipsec statusall::IKE proposal: AES_CBC_128/HMAC_SHA2_256/MODP_2048_256::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+
diff --git a/testing/tests/ikev1/alg-modp-subgroup/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/alg-modp-subgroup/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..944524020
--- /dev/null
+++ b/testing/tests/ikev1/alg-modp-subgroup/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	charonstart=no
+	plutodebug=control
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+	ike=aes128-sha1-modp2048s224,aes128-sha1-modp1024s160!
+
+conn home
+	left=PH_IP_CAROL
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/ikev1/alg-modp-subgroup/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/alg-modp-subgroup/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..a9de84e91
--- /dev/null
+++ b/testing/tests/ikev1/alg-modp-subgroup/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	charonstart=no
+	plutodebug=control
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+	ike=aes128-sha256-modp2048s224,aes128-sha256-modp2048s256!
+
+conn home
+	left=PH_IP_DAVE
+	leftcert=daveCert.pem
+	leftid=dave@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/ikev1/alg-modp-subgroup/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/alg-modp-subgroup/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..424f78bb4
--- /dev/null
+++ b/testing/tests/ikev1/alg-modp-subgroup/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	charonstart=no
+	plutodebug=control
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+	ike=aes128-sha256-modp2048s256,aes128-sha1-modp1024s160!
+
+conn rw
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	leftfirewall=yes
+	right=%any
+	auto=add
diff --git a/testing/tests/ikev1/alg-modp-subgroup/posttest.dat b/testing/tests/ikev1/alg-modp-subgroup/posttest.dat
new file mode 100644
index 000000000..7cebd7f25
--- /dev/null
+++ b/testing/tests/ikev1/alg-modp-subgroup/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev1/alg-modp-subgroup/pretest.dat b/testing/tests/ikev1/alg-modp-subgroup/pretest.dat
new file mode 100644
index 000000000..42e9d7c24
--- /dev/null
+++ b/testing/tests/ikev1/alg-modp-subgroup/pretest.dat
@@ -0,0 +1,9 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/ikev1/alg-modp-subgroup/test.conf b/testing/tests/ikev1/alg-modp-subgroup/test.conf
new file mode 100644
index 000000000..70416826e
--- /dev/null
+++ b/testing/tests/ikev1/alg-modp-subgroup/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/attr-cert/hosts/moon/etc/ipsec.d/aacerts/aaCert.pem b/testing/tests/ikev1/attr-cert/hosts/moon/etc/ipsec.d/aacerts/aaCert.pem
index 3c5c5d91d..61d1c34e2 100644
--- a/testing/tests/ikev1/attr-cert/hosts/moon/etc/ipsec.d/aacerts/aaCert.pem
+++ b/testing/tests/ikev1/attr-cert/hosts/moon/etc/ipsec.d/aacerts/aaCert.pem
@@ -1,25 +1,25 @@
 -----BEGIN CERTIFICATE-----
-MIIEKjCCAxKgAwIBAgIBCzANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
+MIIEKjCCAxKgAwIBAgIBHzANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA1MDIxNzA4NDQzMFoXDTEwMDIxNjA4NDQzMFowZjELMAkGA1UE
+b290IENBMB4XDTEwMDIyNzIxMDUzMFoXDTE1MDIyNjIxMDUzMFowZjELMAkGA1UE
 BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xIDAeBgNVBAsTF0F1dGhv
 cml6YXRpb24gQXV0aG9yaXR5MRowGAYDVQQDFBFhYUBzdHJvbmdzd2FuLm9yZzCC
-ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL2Czo4Mds6Jz15DWop6ExWI
-wWt9zU8Xu//ow1F0Kf9a4DLjo8qO+km3gybByNQQv1LrZ1eq+82Gy4RYXU1FnhC6
-dc8aobDmUQkY/8uYXtUmevKF5QcbYciDLp01W1q0DONAlc/9wmvJWhvjs9itWOBC
-fAUcH3eUNvMgkc7hlQTqreZTH4zyJ6M54JibkTsyfVg/1yOT41zUU3b+vI/r9kNB
-CYcp2DrdhdxX6mEiSTyDA/OMlgvCa7kPinUL4FJtQOFBozCsGcD28ONLc8Abkggf
-NABXCclPVAXOTawJF3dRWcMhIlNLWxWMVRvEt5OkAEdy/mXGBvtVArmGnmA+8zcC
-AwEAAaOCAQIwgf8wCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFA+6
-5KwThPKc9Vxn0048uRThft1tMG0GA1UdIwRmMGSAFF2n3XAGUTJ+57Zts7Xl4GDq
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKw0NWg8FpkrWoItNzexEiaS
+dESF+blw2+2y51vVmbDk9edfJcjkzBNIEvY/0GXODmcthjExiTNgmNuCdQwapCHx
+p39HaD902rzmvflI40dZTmlFcn0Pp41wNbvjVaOpn7f6Mov68YmsoLQr47+OU6sn
+d3c8rx+BXO4g6YyRB0xpwB2kfO34FZh7FwOe4sVAJu5E7urK0hij2W1+adZNFg7K
+SP2i7llfooxWpS+6Vi6ZjuJ/dcGyvXpXnr0H2x58sZeaB5n8Ay+mhPDX72xXfwEm
+s7fztkhqmmix2TVEH96dR99ouCENF1Cm8OCbR1kkhWReL6P0tCbirbwFbZxKtOUC
+AwEAAaOCAQIwgf8wCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFEvO
+LmT1B7kU0IJsJtK+0nZMwxXgMG0GA1UdIwRmMGSAFF2n3XAGUTJ+57Zts7Xl4GDq
 Lk3voUmkRzBFMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dh
 bjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBSb290IENBggEAMBwGA1UdEQQVMBOBEWFh
 QHN0cm9uZ3N3YW4ub3JnMDkGA1UdHwQyMDAwLqAsoCqGKGh0dHA6Ly9jcmwuc3Ry
-b25nc3dhbi5vcmcvc3Ryb25nc3dhbi5jcmwwDQYJKoZIhvcNAQEEBQADggEBAIeg
-CjgR2yIGSuyrFolvEM/qoT3j+LpQREDZbx9BKr3kGmbqF75clwfpysJ4FlXZZ2CR
-aH2GoPOZGXwsYc3poqGeeWSxo+fpt4XIGUc1eREXm1rKVMd+qb0u0PXuhq2+u1aY
-ZJDY0yqUU2/7AInXjzG7lI120W+K6tuTM/5UVI5EPpAFwUVlCxnMh4Sl4VkgZ2Hw
-YnO3/8SEHmHR03/GhOd5d8hD8a0AGHtdOPpZnUOR9PH5FszpQ/alUdn+NTdQ7O2v
-Q8jqPCeQSAAkJbBBRvGA4bD6KXt1k74fXXUofiKWpQUozlO1Cc978Kfl5/do5bov
-wTLSA/z7c8nVCVoZI9Y=
+b25nc3dhbi5vcmcvc3Ryb25nc3dhbi5jcmwwDQYJKoZIhvcNAQELBQADggEBAI2K
+atqWeSWcxmcylrBJXkXDOsZtFZAE/kGWD5+T/lDFzE5D0GeDWfHehojtooWGpnL3
+u7xo3h3+qVliYcCFy1zKtPE0lwkBWKFPSw4UNfOmaF4De6Tp1V6FSQE9JPNpcTL/
+aPWFkX69Py8elR8OIsXPlFtOfTbtjZxoGuLNn7BX1XjctG5iIhKs/3TVMdzcyjVL
+wKiDE1xq8/Es2pPTgvF8jk7VcNyIGhrlj1IYq35h0RKTSXTCRlczf+lzoPo6Duov
+G0r/8VLpI4bBmKN4cIvaRCa4zew8SWpJzg/06zm2QT8eEJVVB499usVf9OVS3Qa5
+8mcNXcKmqcyP2Tlnvbo=
 -----END CERTIFICATE-----
diff --git a/testing/tests/ikev1/attr-cert/hosts/moon/etc/openac/aaKey.pem b/testing/tests/ikev1/attr-cert/hosts/moon/etc/openac/aaKey.pem
index 209b48f3a..250441ad0 100644
--- a/testing/tests/ikev1/attr-cert/hosts/moon/etc/openac/aaKey.pem
+++ b/testing/tests/ikev1/attr-cert/hosts/moon/etc/openac/aaKey.pem
@@ -1,27 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEAvYLOjgx2zonPXkNainoTFYjBa33NTxe7/+jDUXQp/1rgMuOj
-yo76SbeDJsHI1BC/UutnV6r7zYbLhFhdTUWeELp1zxqhsOZRCRj/y5he1SZ68oXl
-BxthyIMunTVbWrQM40CVz/3Ca8laG+Oz2K1Y4EJ8BRwfd5Q28yCRzuGVBOqt5lMf
-jPInozngmJuROzJ9WD/XI5PjXNRTdv68j+v2Q0EJhynYOt2F3FfqYSJJPIMD84yW
-C8JruQ+KdQvgUm1A4UGjMKwZwPbw40tzwBuSCB80AFcJyU9UBc5NrAkXd1FZwyEi
-U0tbFYxVG8S3k6QAR3L+ZcYG+1UCuYaeYD7zNwIDAQABAoIBAQCCGgsz+dqWcIWs
-cRD3gFcZsYkYAoWwhtrKFUIB6X3rkLfaN+16Yi3x7cpcES2OaPDwPCv2Q6warS+K
-7B8hrWmWkmvOgrn+eB+p3z+8xh5UttYxKTrSZjn7LhQSWU8eNf2jBfPTlqKi3Ni/
-zNLrLhaV3w7Fc0knDtmqj/GJ1dQ4SrUpME3sREpWbGSzjJ2UsR7iqQiDsYwWHzK2
-nWWwzrSmpObhDR3jiyOwBy/DEjXRC7h0fUL8eBghJvLWgFgifI5Z36FXa0FasxQr
-zKZnQdwuJHqQz7+sVjAmKtNd7x7RE5Ii0oQYiWDFr0OAwKD5UfMNydpcOVC/bV2n
-SKWmguoBAoGBAO73MTPP9ne4cfC7t4k2+F9hkb7mAjAbk9GbTyZyEKSDKH2bL02W
-G4kXdlkvZVgKhIDg8PCouRSQKv2IxubDrarFURb5KMJlyfBV1Q8JSxpVtxK69clq
-yIu/AtiiBE/n11MdmdoJLr6l2nNStJummj2jw5OyN8sdJarf83rCy+ITAoGBAMsF
-IfivZ+Tueavy0tGRb1qqKalIhwzLBRmWCna39bB9rK4eTNio5Oes95mC7t8mslmO
-18enKUTO87svWLzo8NVYIKSqg5B+kIN44hROErlV6HHPVd5vJzZFjH7SSfy5y8Ka
-wmsA1xiG6NEgEndc6F6uQ2YdaZAHWFO6CiTNpq7NAoGADXglb9QzAkCFO5p5F+Tf
-TxEC1A3G5ctII7JrXbFkOsGh0KKkoezqFGocI57GSZYeLd1/9zCrbftKUQwamftB
-mLSSg4b7wylVnpRX9AcEErHuJcIgBIBeWXIkyO0o7RAWVPsAJwgJeHmEvKdWwsc7
-PmoypeqPtoUoEF+bK7o7H70CgYAYlYaHlrX+AuK4766XsgTJ9dEVrrKr2enEL2cU
-+THHLXC7pO+pTMprQ4a4ECLc4tK2BZYblyJoMqdRA2q7dXm0W/eX+Q31cV4OjZTS
-4KFj0ANVxMWhKdSVvdZFhTFwaQ9DgXoJexCQ58VJjZiu25FH5dJDi0w9JKaNfPm9
-eym0AQKBgHhfqD9EXxazoP27NyZAFUSA3r4u06qFjbAEjbuJVAJNSuEu6Sht2uIg
-lCHpTPssDLHVSY0faQwY4vPqJZVg0k/rAu2VlvbJxYrdzXr8eTfPRJrhv/s/Tbro
-n1rmisBKov1P2Cu2e03a8+GDO3lpSZr9YNG/e7wggSbfAvqCoUDF
+MIIEowIBAAKCAQEArDQ1aDwWmStagi03N7ESJpJ0RIX5uXDb7bLnW9WZsOT1518l
+yOTME0gS9j/QZc4OZy2GMTGJM2CY24J1DBqkIfGnf0doP3TavOa9+UjjR1lOaUVy
+fQ+njXA1u+NVo6mft/oyi/rxiaygtCvjv45Tqyd3dzyvH4Fc7iDpjJEHTGnAHaR8
+7fgVmHsXA57ixUAm7kTu6srSGKPZbX5p1k0WDspI/aLuWV+ijFalL7pWLpmO4n91
+wbK9eleevQfbHnyxl5oHmfwDL6aE8NfvbFd/ASazt/O2SGqaaLHZNUQf3p1H32i4
+IQ0XUKbw4JtHWSSFZF4vo/S0JuKtvAVtnEq05QIDAQABAoIBAQCbfhUPhtp8+imi
+zANFFW2nSK0VxsgEi4T7MIU6Zjh+A3CLuF2c9gPUEUuV8W9SzeoxfmjieLFDpCDC
+bR0VjeTRBazR//+A9RoiYlP+CbO4FEr6QYwsovsPetf6TT9iJeMjtBb6UODTCP6f
+UdY3fOPN8zgrga87yorINw3MMJSfiI21zSzCkueOQloktBgih5Wueu8FDFUB2fVa
+uLTUa+wOhXUBPyF5OXLox5TxE6gBPkiUsnNXP8X/kHLPk2iBQmdxz+uwG/Pz6pS2
+JsmX2WzFJ0+Rj4cJpoa4Ev5uAx79kcXnQT3d5/HIwuh7ZEMKorb1m8w8lhAW4ARU
+ddjhLkWhAoGBAOCpDGfLwQHWVejOcjEwfWts0hHLdlNfZEgsLSex2k/U6Mk1TjCo
+tAHQOvmqxZDxypJEem3RPaWZh+gttTpHvGkS9fsvTpyARcDp0FXI40hwARPsnMbI
+0fDmpVfOOLZdQKMDg42TrZC/mipU68gFP/rYC7xalJs0pe0LL3ffsSC5AoGBAMQ5
+3V6nuucpL87I0fKg56z0/3lcRxI46KuIXhHSAjxNb76cQuxiK8s5TPCot3Unq6GQ
+R7Y+dYd1FVEh2i3Q7/Yh/BSeYiDcDf5aELCwY32O/OnSSoNTbgGR5FT+/SHJK5bg
+j/O5S7+dajqtC2JZJl8smOeB5c187bc4FU72+6eNAoGAZUiRSTI434Ur0ftQzBBa
+WtYClvctb0TwRwFzkhPCon8QO7YGfDVygebIz8pHq6L2ep7Yuy28Jy5icTA6Jf41
+WQGtWALp4/CIggJnZGVe4kdslPj1bUEYNQ0mucFFHCJKg7OP2YIcm8dlz3PdoJ2N
+TJ+eGtqTaK2BqK6ERfzZNDECgYBbVTOcYyWzgpAmB4LxE8PB1Sc0LadG7AYgERD3
+6m/v8XsZlVHxBKCtrrYJLf52IUjZonY+dUPvEKgjY0ZSHPYT8i2Ky02RTduVkAZE
+t1UXk/5UNvVHuwVw5Z8JkMXxe9k2GL/oCU8gmPxg4zpxRF1/3xosZ2G3C3b52LjS
+UFNB4QKBgDX2UmLgRHAXDsmksNZaMUSNk+xws0B1M/EDd9h7e79ilENkOPDLo5+E
+z22WPNrgzKEUz44FZZOsislfPE7ffgQcRTxtNWqoElwxuHLuy46jaReL7zJSDtpv
+wtn4YoOpH0DnC994nziTQif33FBF/2o8hWoq4vcXKNSMGTwGzi/a
 -----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev1/esp-alg-aes-gmac/description.txt b/testing/tests/ikev1/esp-alg-aes-gmac/description.txt
new file mode 100644
index 000000000..bc9b7c760
--- /dev/null
+++ b/testing/tests/ikev1/esp-alg-aes-gmac/description.txt
@@ -0,0 +1,4 @@
+Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the authentication-only
+ESP cipher suite <b>NULL_AES_GMAC_256</b> by defining <b>esp=aes256gmac!</b>
+in ipsec.conf. A ping from <b>carol</b> to <b>alice</b> successfully checks
+the established tunnel.
diff --git a/testing/tests/ikev1/esp-alg-aes-gmac/evaltest.dat b/testing/tests/ikev1/esp-alg-aes-gmac/evaltest.dat
new file mode 100644
index 000000000..3ec271cf1
--- /dev/null
+++ b/testing/tests/ikev1/esp-alg-aes-gmac/evaltest.dat
@@ -0,0 +1,7 @@
+moon::ipsec statusall::rw.*IPsec SA established::YES
+carol::ipsec statusall::home.*IPsec SA established::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::ipsec statusall::ESP proposal: AES_GMAC_256::YES
+carol::ipsec statusall::ESP proposal: AES_GMAC_256::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 184::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 184::YES
diff --git a/testing/tests/ikev1/esp-alg-aes-gmac/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aes-gmac/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..69ef8d49d
--- /dev/null
+++ b/testing/tests/ikev1/esp-alg-aes-gmac/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,26 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	charonstart=no
+	plutodebug=control
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+	ike=aes256-sha384-modp2048!
+	esp=aes256gmac!
+
+conn home
+	left=PH_IP_CAROL
+	leftfirewall=yes
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add 
diff --git a/testing/tests/ikev1/esp-alg-aes-gmac/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aes-gmac/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..41a583763
--- /dev/null
+++ b/testing/tests/ikev1/esp-alg-aes-gmac/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	charonstart=no
+	plutodebug=control
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+	ike=aes256-sha384-modp2048!
+	esp=aes256gmac!
+
+conn rw
+	left=PH_IP_MOON
+	leftfirewall=yes
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	right=%any
+	auto=add
diff --git a/testing/tests/ikev1/esp-alg-aes-gmac/posttest.dat b/testing/tests/ikev1/esp-alg-aes-gmac/posttest.dat
new file mode 100644
index 000000000..94a400606
--- /dev/null
+++ b/testing/tests/ikev1/esp-alg-aes-gmac/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev1/esp-alg-aes-gmac/pretest.dat b/testing/tests/ikev1/esp-alg-aes-gmac/pretest.dat
new file mode 100644
index 000000000..f360351e1
--- /dev/null
+++ b/testing/tests/ikev1/esp-alg-aes-gmac/pretest.dat
@@ -0,0 +1,6 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+carol::sleep 1 
+carol::ipsec up home
diff --git a/testing/tests/ikev1/esp-alg-aes-gmac/test.conf b/testing/tests/ikev1/esp-alg-aes-gmac/test.conf
new file mode 100644
index 000000000..acb73b06f
--- /dev/null
+++ b/testing/tests/ikev1/esp-alg-aes-gmac/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/ip-pool-db-push/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/ip-pool-db-push/hosts/moon/etc/strongswan.conf
index 5a444f19c..90eb30a9b 100644
--- a/testing/tests/ikev1/ip-pool-db-push/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/ip-pool-db-push/hosts/moon/etc/strongswan.conf
@@ -4,7 +4,7 @@ pluto {
   load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl sqlite attr-sql
 }
 
-libstrongswan {
+libhydra {
   plugins {
     attr-sql {
       database = sqlite:///etc/ipsec.d/ipsec.db
diff --git a/testing/tests/ikev1/ip-pool-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/ip-pool-db/hosts/moon/etc/strongswan.conf
index 5a444f19c..90eb30a9b 100644
--- a/testing/tests/ikev1/ip-pool-db/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/ip-pool-db/hosts/moon/etc/strongswan.conf
@@ -4,7 +4,7 @@ pluto {
   load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl sqlite attr-sql
 }
 
-libstrongswan {
+libhydra {
   plugins {
     attr-sql {
       database = sqlite:///etc/ipsec.d/ipsec.db
diff --git a/testing/tests/ikev1/ip-pool/description.txt b/testing/tests/ikev1/ip-pool/description.txt
new file mode 100644
index 000000000..b3f584c57
--- /dev/null
+++ b/testing/tests/ikev1/ip-pool/description.txt
@@ -0,0 +1,10 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
+Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKEv1 Mode Config payload
+by using the <b>leftsourceip=%config</b> parameter. The gateway <b>moon</b> assigns virtual
+IP addresses from a simple pool defined by <b>rightsourceip=10.3.0.0/28</b> in a monotonously
+increasing order. 
+<p>
+<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass
+the tunneled traffic. In order to test the tunnels, <b>carol</b> and <b>dave</b> then ping
+the client <b>alice</b> behind the gateway <b>moon</b>. The source IP addresses of the two
+pings will be the virtual IPs <b>carol1</b> and <b>dave1</b>, respectively.
diff --git a/testing/tests/ikev1/ip-pool/evaltest.dat b/testing/tests/ikev1/ip-pool/evaltest.dat
new file mode 100644
index 000000000..f67ab321b
--- /dev/null
+++ b/testing/tests/ikev1/ip-pool/evaltest.dat
@@ -0,0 +1,26 @@
+carol::cat /var/log/auth.log::setting virtual IP source address to PH_IP_CAROL1::YES
+carol::ip addr list dev eth0::PH_IP_CAROL1::YES
+carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES
+carol::ipsec status::home.*IPsec SA established::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave::cat /var/log/auth.log::setting virtual IP source address to PH_IP_DAVE1::YES
+dave::ip addr list dev eth0::PH_IP_DAVE1::YES
+dave::ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
+dave::ipsec status::home.*IPsec SA established::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::cat /var/log/auth.log::adding virtual IP address pool::YES
+moon::cat /var/log/auth.log::peer requested virtual IP %any::YES
+moon::cat /var/log/auth.log::assigning virtual IP::YES
+moon::ipsec leases rw::2/15, 2 online::YES
+moon::ipsec leases rw 10.3.0.1::carol@strongswan.org::YES
+moon::ipsec leases rw 10.3.0.2::dave@strongswan.org::YES
+moon::ipsec statusall::rw.*carol@strongswan.org.*erouted::YES
+moon::ipsec statusall::rw.*dave@strongswan.org.*erouted::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
+alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/ikev1/ip-pool/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/ip-pool/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..0c770de9f
--- /dev/null
+++ b/testing/tests/ikev1/ip-pool/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	charonstart=no
+	plutodebug=control
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+
+conn home
+	left=PH_IP_CAROL
+	leftsourceip=%config
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
diff --git a/testing/tests/ikev1/ip-pool/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/ip-pool/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..ba5dbdd1d
--- /dev/null
+++ b/testing/tests/ikev1/ip-pool/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/ip-pool/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/ip-pool/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..163c19516
--- /dev/null
+++ b/testing/tests/ikev1/ip-pool/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	charonstart=no
+	plutodebug=control
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+
+conn home
+	left=PH_IP_DAVE
+	leftsourceip=%config
+	leftcert=daveCert.pem
+	leftid=dave@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
diff --git a/testing/tests/ikev1/ip-pool/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/ip-pool/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..ba5dbdd1d
--- /dev/null
+++ b/testing/tests/ikev1/ip-pool/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/ip-pool/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/ip-pool/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..ddedd7e7b
--- /dev/null
+++ b/testing/tests/ikev1/ip-pool/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	charonstart=no
+	plutodebug=control
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+
+conn rw
+	left=PH_IP_MOON
+	leftsubnet=10.1.0.0/16
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftfirewall=yes
+	right=%any
+	rightsourceip=10.3.0.0/28
+	auto=add
diff --git a/testing/tests/ikev1/ip-pool/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/ip-pool/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..ba5dbdd1d
--- /dev/null
+++ b/testing/tests/ikev1/ip-pool/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/ip-pool/posttest.dat b/testing/tests/ikev1/ip-pool/posttest.dat
new file mode 100644
index 000000000..a68e84cbd
--- /dev/null
+++ b/testing/tests/ikev1/ip-pool/posttest.dat
@@ -0,0 +1,8 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
+carol::ip addr del 10.3.0.1/32 dev eth0
+dave::ip addr del 10.3.0.2/32 dev eth0
diff --git a/testing/tests/ikev1/ip-pool/pretest.dat b/testing/tests/ikev1/ip-pool/pretest.dat
new file mode 100644
index 000000000..014e80517
--- /dev/null
+++ b/testing/tests/ikev1/ip-pool/pretest.dat
@@ -0,0 +1,10 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+carol::ipsec start
+dave::ipsec start
+moon::ipsec start
+carol::sleep 2 
+carol::ipsec up home
+dave::ipsec up home
+carol::sleep 1
diff --git a/testing/tests/ikev1/ip-pool/test.conf b/testing/tests/ikev1/ip-pool/test.conf
new file mode 100644
index 000000000..1a8f2a4e0
--- /dev/null
+++ b/testing/tests/ikev1/ip-pool/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon alice"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/ip-two-pools-mixed/description.txt b/testing/tests/ikev1/ip-two-pools-mixed/description.txt
new file mode 100644
index 000000000..3869ced0a
--- /dev/null
+++ b/testing/tests/ikev1/ip-two-pools-mixed/description.txt
@@ -0,0 +1,9 @@
+The hosts <b>alice</b> and <b>carol</b> set up a tunnel connection each to gateway <b>moon</b>.
+Both hosts request a <b>virtual IP</b> via the IKEv1 Mode Config payload by using the
+<b>leftsourceip=%config</b> parameter. Gateway <b>moon</b> assigns virtual IP
+addresses from a simple pool defined by <b>rightsourceip=10.3.0.0/28</b> to hosts connecting
+to the <b>eth0</b> (PH_IP_MOON) interface and virtual IP addresses from an SQLite-based pool
+named <b>intpool</b> [10.4.0.1..10.4.1.244] to hosts connecting to the <b>eth1</b> (PH_IP_MOON1) interface.
+<p>
+Thus <b>carol</b> is assigned <b>PH_IP_CAROL1</b> whereas <b>alice</b> gets <b>10.4.0.1</b> and 
+both ping the gateway <b>moon</b>.
diff --git a/testing/tests/ikev1/ip-two-pools-mixed/evaltest.dat b/testing/tests/ikev1/ip-two-pools-mixed/evaltest.dat
new file mode 100644
index 000000000..f237ce53f
--- /dev/null
+++ b/testing/tests/ikev1/ip-two-pools-mixed/evaltest.dat
@@ -0,0 +1,17 @@
+carol::ipsec status::home.*IPsec SA established::YES
+alice::ipsec status::home.*IPsec SA established::YES
+moon::ipsec status::ext.*carol@strongswan.org.*erouted::YES
+moon::ipsec status::int.*alice@strongswan.org.*erouted::YES
+moon::cat /var/log/auth.log::adding virtual IP address pool.*ext.*10.3.0.0/28::YES
+moon::ipsec leases ext::1/15, 1 online::YES
+moon::ipsec leases ext 10.3.0.1::carol@strongswan.org::YES
+moon::ipsec pool --status 2> /dev/null::intpool.*10.4.0.1.*10.4.1.244.*static.*1::YES
+moon::ipsec pool --leases --filter pool=intpool,addr=10.4.0.1,id=alice@strongswan.org 2> /dev/null::online::YES
+carol::cat /var/log/auth.log::setting virtual IP source address to 10.3.0.1::YES
+alice::cat /var/log/auth.log::setting virtual IP source address to 10.4.0.1::YES
+carol::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_seq=1::YES
+alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
+carol::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+carol::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+alice::tcpdump::IP alice.strongswan.org > moon1.strongswan.org: ESP::YES
+alice::tcpdump::IP moon1.strongswan.org > alice.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/ip-two-pools-mixed/hosts/alice/etc/init.d/iptables b/testing/tests/ikev1/ip-two-pools-mixed/hosts/alice/etc/init.d/iptables
new file mode 100755
index 000000000..97b773645
--- /dev/null
+++ b/testing/tests/ikev1/ip-two-pools-mixed/hosts/alice/etc/init.d/iptables
@@ -0,0 +1,78 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+	before net
+	need logger
+}
+
+start() {
+	ebegin "Starting firewall"
+
+	# default policy is DROP
+	/sbin/iptables -P INPUT DROP
+	/sbin/iptables -P OUTPUT DROP
+	/sbin/iptables -P FORWARD DROP
+
+        # allow ESP 
+        iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
+        iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+	# allow IKE
+        iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+        iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+			
+	# allow MOBIKE 
+	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+
+	# allow crl fetch from winnetou
+	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+	# allow ssh
+	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
+	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+	
+			if [ $a == nat ]; then
+				/sbin/iptables -t nat -P PREROUTING ACCEPT
+				/sbin/iptables -t nat -P POSTROUTING ACCEPT
+				/sbin/iptables -t nat -P OUTPUT ACCEPT
+			elif [ $a == mangle ]; then
+				/sbin/iptables -t mangle -P PREROUTING ACCEPT
+				/sbin/iptables -t mangle -P INPUT ACCEPT
+				/sbin/iptables -t mangle -P FORWARD ACCEPT
+				/sbin/iptables -t mangle -P OUTPUT ACCEPT
+				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
+			elif [ $a == filter ]; then
+				/sbin/iptables -t filter -P INPUT ACCEPT
+				/sbin/iptables -t filter -P FORWARD ACCEPT
+				/sbin/iptables -t filter -P OUTPUT ACCEPT
+			fi
+		done
+	eend $?
+}
+
+reload() {
+	ebegin "Flushing firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+		done;
+        eend $?
+	start
+}
+
diff --git a/testing/tests/ikev1/ip-two-pools-mixed/hosts/alice/etc/ipsec.conf b/testing/tests/ikev1/ip-two-pools-mixed/hosts/alice/etc/ipsec.conf
new file mode 100755
index 000000000..e8077b22a
--- /dev/null
+++ b/testing/tests/ikev1/ip-two-pools-mixed/hosts/alice/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	charonstart=no
+	plutodebug=control
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+		
+conn home 
+	left=%defaultroute
+	leftsourceip=%config
+	leftcert=aliceCert.pem
+	leftid=alice@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON1
+	rightid=@moon.strongswan.org
+	auto=add
diff --git a/testing/tests/ikev1/ip-two-pools-mixed/hosts/alice/etc/strongswan.conf b/testing/tests/ikev1/ip-two-pools-mixed/hosts/alice/etc/strongswan.conf
new file mode 100644
index 000000000..ba5dbdd1d
--- /dev/null
+++ b/testing/tests/ikev1/ip-two-pools-mixed/hosts/alice/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/ip-two-pools-mixed/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/ip-two-pools-mixed/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..99a8c60ff
--- /dev/null
+++ b/testing/tests/ikev1/ip-two-pools-mixed/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	charonstart=no
+	plutodebug=control
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+
+conn home
+	left=PH_IP_CAROL
+	leftsourceip=%config
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	auto=add
diff --git a/testing/tests/ikev1/ip-two-pools-mixed/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/ip-two-pools-mixed/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..ba5dbdd1d
--- /dev/null
+++ b/testing/tests/ikev1/ip-two-pools-mixed/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/ip-two-pools-mixed/hosts/moon/etc/init.d/iptables b/testing/tests/ikev1/ip-two-pools-mixed/hosts/moon/etc/init.d/iptables
new file mode 100755
index 000000000..bb9d03acd
--- /dev/null
+++ b/testing/tests/ikev1/ip-two-pools-mixed/hosts/moon/etc/init.d/iptables
@@ -0,0 +1,91 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+	before net
+	need logger
+}
+
+start() {
+	ebegin "Starting firewall"
+
+	# enable IP forwarding
+	echo 1 > /proc/sys/net/ipv4/ip_forward
+	
+	# default policy is DROP
+	/sbin/iptables -P INPUT DROP
+	/sbin/iptables -P OUTPUT DROP
+	/sbin/iptables -P FORWARD DROP
+
+	# allow esp
+	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+        iptables -A INPUT  -i eth1 -p 50 -j ACCEPT
+        iptables -A OUTPUT -o eth1 -p 50 -j ACCEPT
+
+	# allow IKE
+	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+        iptables -A INPUT  -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
+        iptables -A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
+
+	# allow MobIKE
+	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+        iptables -A INPUT  -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT
+        iptables -A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+	# allow crl fetch from winnetou
+	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+	iptables -A FORWARD -i eth0 -o eth1 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+	iptables -A FORWARD -o eth0 -i eth1 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+	# masquerade crl fetches to winnetou
+	iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -d PH_IP_WINNETOU -j MASQUERADE
+
+	# allow ssh
+	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
+	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+	
+			if [ $a == nat ]; then
+				/sbin/iptables -t nat -P PREROUTING ACCEPT
+				/sbin/iptables -t nat -P POSTROUTING ACCEPT
+				/sbin/iptables -t nat -P OUTPUT ACCEPT
+			elif [ $a == mangle ]; then
+				/sbin/iptables -t mangle -P PREROUTING ACCEPT
+				/sbin/iptables -t mangle -P INPUT ACCEPT
+				/sbin/iptables -t mangle -P FORWARD ACCEPT
+				/sbin/iptables -t mangle -P OUTPUT ACCEPT
+				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
+			elif [ $a == filter ]; then
+				/sbin/iptables -t filter -P INPUT ACCEPT
+				/sbin/iptables -t filter -P FORWARD ACCEPT
+				/sbin/iptables -t filter -P OUTPUT ACCEPT
+			fi
+		done
+	eend $?
+}
+
+reload() {
+	ebegin "Flushing firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+		done;
+        eend $?
+	start
+}
+
diff --git a/testing/tests/ikev1/ip-two-pools-mixed/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/ip-two-pools-mixed/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..e844ba989
--- /dev/null
+++ b/testing/tests/ikev1/ip-two-pools-mixed/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,28 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	charonstart=no
+	plutodebug=control
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftfirewall=yes
+	right=%any
+
+conn int 
+	left=PH_IP_MOON1
+	rightsourceip=%intpool
+	auto=add
+
+conn ext 
+	left=PH_IP_MOON
+	rightsourceip=10.3.0.0/28
+	auto=add
diff --git a/testing/tests/ikev1/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..90eb30a9b
--- /dev/null
+++ b/testing/tests/ikev1/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,17 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl sqlite attr-sql
+}
+
+libhydra {
+  plugins {
+    attr-sql {
+      database = sqlite:///etc/ipsec.d/ipsec.db
+    }
+  }
+}
+
+pool {
+  load = sqlite
+}
diff --git a/testing/tests/ikev1/ip-two-pools-mixed/posttest.dat b/testing/tests/ikev1/ip-two-pools-mixed/posttest.dat
new file mode 100644
index 000000000..74e3cf2c0
--- /dev/null
+++ b/testing/tests/ikev1/ip-two-pools-mixed/posttest.dat
@@ -0,0 +1,13 @@
+carol::ipsec stop
+alice::ipsec stop
+moon::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+alice::/etc/init.d/iptables stop 2> /dev/null
+carol::ip addr del 10.3.0.1/32 dev eth0
+alice::ip addr del 10.4.0.1/32 dev eth0
+moon::ip route del 10.3.0.0/16 via PH_IP_MOON
+moon::ip route del 10.4.0.0/16 via PH_IP_MOON1
+moon::conntrack -F
+moon::ipsec pool --del intpool 2> /dev/null
+moon::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/ikev1/ip-two-pools-mixed/pretest.dat b/testing/tests/ikev1/ip-two-pools-mixed/pretest.dat
new file mode 100644
index 000000000..21e28ce0c
--- /dev/null
+++ b/testing/tests/ikev1/ip-two-pools-mixed/pretest.dat
@@ -0,0 +1,15 @@
+moon::cat /etc/ipsec.d/tables.sql > /etc/ipsec.d/ipsec.sql
+moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+moon::ipsec pool --add intpool --start 10.4.0.1 --end 10.4.1.244 --timeout  0 2> /dev/null
+moon::ip route add 10.3.0.0/16 via PH_IP_MOON
+moon::ip route add 10.4.0.0/16 via PH_IP_MOON1
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+alice::/etc/init.d/iptables start 2> /dev/null
+carol::ipsec start
+moon::ipsec start
+alice::ipsec start
+carol::sleep 2 
+carol::ipsec up home
+alice::ipsec up home
+alice::sleep 1
diff --git a/testing/tests/ikev1/ip-two-pools-mixed/test.conf b/testing/tests/ikev1/ip-two-pools-mixed/test.conf
new file mode 100644
index 000000000..329774c0a
--- /dev/null
+++ b/testing/tests/ikev1/ip-two-pools-mixed/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="alice carol"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="alice moon carol"
diff --git a/testing/tests/ikev1/ip-two-pools/description.txt b/testing/tests/ikev1/ip-two-pools/description.txt
new file mode 100644
index 000000000..33a5187c5
--- /dev/null
+++ b/testing/tests/ikev1/ip-two-pools/description.txt
@@ -0,0 +1,9 @@
+The hosts <b>alice</b> and <b>carol</b> set up a tunnel connection each to gateway <b>moon</b>.
+Both hosts request a <b>virtual IP</b> via the IKEv1 Mode Config payload by using the
+<b>leftsourceip=%config</b> parameter. Gateway <b>moon</b> assigns virtual IP
+addresses from a simple pool defined by <b>rightsourceip=10.3.0.0/28</b> to hosts connecting
+to the <b>eth0</b> (PH_IP_MOON) interface and virtual IP addresses from a simple pool defined 
+by <b>rightsourceip=10.4.0.0/28</b> to hosts connecting to the <b>eth1</b> (PH_IP_MOON1) interface.
+<p>
+Thus <b>carol</b> is assigned <b>PH_IP_CAROL1</b> whereas <b>alice</b> gets <b>10.4.0.1</b> and 
+both ping the gateway <b>moon</b>.
diff --git a/testing/tests/ikev1/ip-two-pools/evaltest.dat b/testing/tests/ikev1/ip-two-pools/evaltest.dat
new file mode 100644
index 000000000..2f19a77ba
--- /dev/null
+++ b/testing/tests/ikev1/ip-two-pools/evaltest.dat
@@ -0,0 +1,18 @@
+carol::ipsec status::home.*IPsec SA established::YES
+alice::ipsec status::home.*IPsec SA established::YES
+moon::ipsec status::ext.*carol@strongswan.org.*erouted::YES
+moon::ipsec status::int.*alice@strongswan.org.*erouted::YES
+moon::cat /var/log/auth.log::adding virtual IP address pool.*int.*10.4.0.0/28::YES
+moon::cat /var/log/auth.log::adding virtual IP address pool.*ext.*10.3.0.0/28::YES
+moon::ipsec leases ext::1/15, 1 online::YES
+moon::ipsec leases int::1/15, 1 online::YES
+moon::ipsec leases ext 10.3.0.1::carol@strongswan.org::YES
+moon::ipsec leases int 10.4.0.1::alice@strongswan.org::YES
+carol::cat /var/log/auth.log::setting virtual IP source address to 10.3.0.1::YES
+alice::cat /var/log/auth.log::setting virtual IP source address to 10.4.0.1::YES
+carol::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_seq=1::YES
+alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
+carol::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+carol::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+alice::tcpdump::IP alice.strongswan.org > moon1.strongswan.org: ESP::YES
+alice::tcpdump::IP moon1.strongswan.org > alice.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/ip-two-pools/hosts/alice/etc/init.d/iptables b/testing/tests/ikev1/ip-two-pools/hosts/alice/etc/init.d/iptables
new file mode 100755
index 000000000..97b773645
--- /dev/null
+++ b/testing/tests/ikev1/ip-two-pools/hosts/alice/etc/init.d/iptables
@@ -0,0 +1,78 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+	before net
+	need logger
+}
+
+start() {
+	ebegin "Starting firewall"
+
+	# default policy is DROP
+	/sbin/iptables -P INPUT DROP
+	/sbin/iptables -P OUTPUT DROP
+	/sbin/iptables -P FORWARD DROP
+
+        # allow ESP 
+        iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
+        iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+	# allow IKE
+        iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+        iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+			
+	# allow MOBIKE 
+	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+
+	# allow crl fetch from winnetou
+	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+	# allow ssh
+	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
+	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+	
+			if [ $a == nat ]; then
+				/sbin/iptables -t nat -P PREROUTING ACCEPT
+				/sbin/iptables -t nat -P POSTROUTING ACCEPT
+				/sbin/iptables -t nat -P OUTPUT ACCEPT
+			elif [ $a == mangle ]; then
+				/sbin/iptables -t mangle -P PREROUTING ACCEPT
+				/sbin/iptables -t mangle -P INPUT ACCEPT
+				/sbin/iptables -t mangle -P FORWARD ACCEPT
+				/sbin/iptables -t mangle -P OUTPUT ACCEPT
+				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
+			elif [ $a == filter ]; then
+				/sbin/iptables -t filter -P INPUT ACCEPT
+				/sbin/iptables -t filter -P FORWARD ACCEPT
+				/sbin/iptables -t filter -P OUTPUT ACCEPT
+			fi
+		done
+	eend $?
+}
+
+reload() {
+	ebegin "Flushing firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+		done;
+        eend $?
+	start
+}
+
diff --git a/testing/tests/ikev1/ip-two-pools/hosts/alice/etc/ipsec.conf b/testing/tests/ikev1/ip-two-pools/hosts/alice/etc/ipsec.conf
new file mode 100755
index 000000000..e8077b22a
--- /dev/null
+++ b/testing/tests/ikev1/ip-two-pools/hosts/alice/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	charonstart=no
+	plutodebug=control
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+		
+conn home 
+	left=%defaultroute
+	leftsourceip=%config
+	leftcert=aliceCert.pem
+	leftid=alice@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON1
+	rightid=@moon.strongswan.org
+	auto=add
diff --git a/testing/tests/ikev1/ip-two-pools/hosts/alice/etc/strongswan.conf b/testing/tests/ikev1/ip-two-pools/hosts/alice/etc/strongswan.conf
new file mode 100644
index 000000000..ba5dbdd1d
--- /dev/null
+++ b/testing/tests/ikev1/ip-two-pools/hosts/alice/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/ip-two-pools/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/ip-two-pools/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..99a8c60ff
--- /dev/null
+++ b/testing/tests/ikev1/ip-two-pools/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	charonstart=no
+	plutodebug=control
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+
+conn home
+	left=PH_IP_CAROL
+	leftsourceip=%config
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	auto=add
diff --git a/testing/tests/ikev1/ip-two-pools/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/ip-two-pools/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..ba5dbdd1d
--- /dev/null
+++ b/testing/tests/ikev1/ip-two-pools/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/ip-two-pools/hosts/moon/etc/init.d/iptables b/testing/tests/ikev1/ip-two-pools/hosts/moon/etc/init.d/iptables
new file mode 100755
index 000000000..bb9d03acd
--- /dev/null
+++ b/testing/tests/ikev1/ip-two-pools/hosts/moon/etc/init.d/iptables
@@ -0,0 +1,91 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+	before net
+	need logger
+}
+
+start() {
+	ebegin "Starting firewall"
+
+	# enable IP forwarding
+	echo 1 > /proc/sys/net/ipv4/ip_forward
+	
+	# default policy is DROP
+	/sbin/iptables -P INPUT DROP
+	/sbin/iptables -P OUTPUT DROP
+	/sbin/iptables -P FORWARD DROP
+
+	# allow esp
+	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+        iptables -A INPUT  -i eth1 -p 50 -j ACCEPT
+        iptables -A OUTPUT -o eth1 -p 50 -j ACCEPT
+
+	# allow IKE
+	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+        iptables -A INPUT  -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
+        iptables -A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
+
+	# allow MobIKE
+	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+        iptables -A INPUT  -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT
+        iptables -A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+	# allow crl fetch from winnetou
+	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+	iptables -A FORWARD -i eth0 -o eth1 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+	iptables -A FORWARD -o eth0 -i eth1 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+	# masquerade crl fetches to winnetou
+	iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -d PH_IP_WINNETOU -j MASQUERADE
+
+	# allow ssh
+	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
+	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+	
+			if [ $a == nat ]; then
+				/sbin/iptables -t nat -P PREROUTING ACCEPT
+				/sbin/iptables -t nat -P POSTROUTING ACCEPT
+				/sbin/iptables -t nat -P OUTPUT ACCEPT
+			elif [ $a == mangle ]; then
+				/sbin/iptables -t mangle -P PREROUTING ACCEPT
+				/sbin/iptables -t mangle -P INPUT ACCEPT
+				/sbin/iptables -t mangle -P FORWARD ACCEPT
+				/sbin/iptables -t mangle -P OUTPUT ACCEPT
+				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
+			elif [ $a == filter ]; then
+				/sbin/iptables -t filter -P INPUT ACCEPT
+				/sbin/iptables -t filter -P FORWARD ACCEPT
+				/sbin/iptables -t filter -P OUTPUT ACCEPT
+			fi
+		done
+	eend $?
+}
+
+reload() {
+	ebegin "Flushing firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+		done;
+        eend $?
+	start
+}
+
diff --git a/testing/tests/ikev1/ip-two-pools/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/ip-two-pools/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..4771e26d6
--- /dev/null
+++ b/testing/tests/ikev1/ip-two-pools/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,28 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	charonstart=no
+	plutodebug=control
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftfirewall=yes
+	right=%any
+
+conn int 
+	left=PH_IP_MOON1
+	rightsourceip=10.4.0.0/28
+	auto=add
+
+conn ext 
+	left=PH_IP_MOON
+	rightsourceip=10.3.0.0/28
+	auto=add
diff --git a/testing/tests/ikev1/ip-two-pools/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/ip-two-pools/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..ba5dbdd1d
--- /dev/null
+++ b/testing/tests/ikev1/ip-two-pools/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/ip-two-pools/posttest.dat b/testing/tests/ikev1/ip-two-pools/posttest.dat
new file mode 100644
index 000000000..4474e5ade
--- /dev/null
+++ b/testing/tests/ikev1/ip-two-pools/posttest.dat
@@ -0,0 +1,12 @@
+alice::ipsec stop
+moon::ipsec stop
+carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+alice::/etc/init.d/iptables stop 2> /dev/null
+carol::ip addr del 10.3.0.1/32 dev eth0
+alice::ip addr del 10.4.0.1/32 dev eth0
+moon::ip route del 10.3.0.0/16 via 192.168.0.1
+moon::ip route del 10.4.0.0/16 via 10.1.0.1
+moon::conntrack -F
+moon::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/ikev1/ip-two-pools/pretest.dat b/testing/tests/ikev1/ip-two-pools/pretest.dat
new file mode 100644
index 000000000..8091a6ed2
--- /dev/null
+++ b/testing/tests/ikev1/ip-two-pools/pretest.dat
@@ -0,0 +1,12 @@
+moon::ip route add 10.3.0.0/16 via 192.168.0.1
+moon::ip route add 10.4.0.0/16 via 10.1.0.1
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+alice::/etc/init.d/iptables start 2> /dev/null
+carol::ipsec start
+moon::ipsec start
+alice::ipsec start
+carol::sleep 2 
+carol::ipsec up home
+alice::ipsec up home
+alice::sleep 1 
diff --git a/testing/tests/ikev1/ip-two-pools/test.conf b/testing/tests/ikev1/ip-two-pools/test.conf
new file mode 100644
index 000000000..329774c0a
--- /dev/null
+++ b/testing/tests/ikev1/ip-two-pools/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="alice carol"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="alice moon carol"
diff --git a/testing/tests/ikev1/mode-config-multiple/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/mode-config-multiple/hosts/moon/etc/strongswan.conf
index 83cdb0d28..21493adc3 100644
--- a/testing/tests/ikev1/mode-config-multiple/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/mode-config-multiple/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl attr
   dns1 = PH_IP_WINNETOU
   dns2 = PH_IP6_VENUS
 }
diff --git a/testing/tests/ikev1/mode-config/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/mode-config/hosts/moon/etc/strongswan.conf
index 83cdb0d28..21493adc3 100644
--- a/testing/tests/ikev1/mode-config/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/mode-config/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl attr
   dns1 = PH_IP_WINNETOU
   dns2 = PH_IP6_VENUS
 }
diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/ipsec.d/certs/carolCert.pem
index 2990d6a12..69e5c05e3 100644
--- a/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/ipsec.d/certs/carolCert.pem
+++ b/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/ipsec.d/certs/carolCert.pem
@@ -1,25 +1,25 @@
 -----BEGIN CERTIFICATE-----
-MIIELDCCAxSgAwIBAgIBATANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJDSDEZ
+MIIELDCCAxSgAwIBAgIBBjANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS
-BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTA1MDMyMzA3MDQyM1oXDTEwMDMyMjA3MDQy
-M1owWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP
+BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTEwMDQwNzA5MjA1N1oXDTE1MDQwNjA5MjA1
+N1owWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP
 BgNVBAsTCFJlc2VhcmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCC
-ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM+oTiV7lCh1ID41edDUgUjR
-dZwEMPBAM1xDqoxJxIJpug8UIuuUL0TvQnZ4Z5fa/9QNNCkQ7FDh8ZcR+TT8x0mO
-dYYA73mMQic0n4O57F+s/lESKvIoN+vIDR3rGJBv9rYztS4ODE+DJl9XK9TtId5u
-57jfXu/k3IYl5GeQ3f+ic2l2Ola70t70Op6cFDZIhOCjs2xWw2yqGdPWODaN/Enw
-5fOLv/om+7HHB4KgPGv4p4ohWIUCo2XK597Ii+jB2MdOUlG83/1aX7+M+IeYVwjI
-hzWjwRQfMz0AQha0HYN4cvrZ7stUluMxewsCROCBzcGQYTZxYU4FjR8nhH4ApYMC
-AwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSL
-qNn96rsWg0kOJY/cyXD2JpnPIjBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOio9tKOkESjZumThDvt1aFy
+dPDPNAhNrIon8aCvZMxFQBXsams1LOL47UKQEeOJcDUQ1s90P05vAwX+TwOA2nBD
+hgVBe8c+RsBRfERmxcszK7dgj5yrjwbJFrUJPem04KEPnrR7LpT5s7+z1n+pZYr9
+HyJTvYJd3c968frowQW98mgEJG9xs2LfaqTV3RES1B9vIeQGWh64DSrF6Xy/HY+n
+3MeSMGZ3UJoXS6YZIxvGNd7heB/2xxv3Vv0TNyGikmP8Z5ibgN5jn7mQkU9SM9Qz
+Qb2ZY1m3Dn93cbJ5w3AXeClhJhoze6UvhVs4e/ASuJb6b9NLML4eB0BMCZD66Y8C
+AwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBTE
+AO+W2V1eu0sjCQcfemzz9lSRvTBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p
 891UIKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3
-YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBDDAfBgNVHREEGDAWgRRj
+YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBIDAfBgNVHREEGDAWgRRj
 YXJvbEBzdHJvbmdzd2FuLm9yZzA3BgNVHR8EMDAuMCygKqAohiZodHRwOi8vY3Js
-LnN0cm9uZ3N3YW4ub3JnL3Jlc2VhcmNoLmNybDANBgkqhkiG9w0BAQUFAAOCAQEA
-FNPepmta0ac9TWe7Gl31fKkuf6ZiQftMwx/uq6PoX9PBVGeooktJMo+EiROQhL3N
-Zomtl2nLfxYruXPHa7YaMWyv4+3NkV9p7jseC1K/2lCXipY4Vp8u14hqlRLCTejp
-7uC/0+628e+qXlCm8wafDb9/JXzQar7rADhoLp7gJKI2PKMAzLUP2xZVzY5zx57G
-+OCR/ZXonVeAPy9/0g9N8uQzJEXOVZYMjsoRra9rdlvnY1DgDoAK7QvJMC4VzENm
-wKmz2rPrBlKaEcivubg7dwPMGNmb3f7F7w0HHuRbQd5Y0nDfEWBKCp0bVx1GLc7/
-MWjwPJs52qVJ3Ph++EF6bw==
+LnN0cm9uZ3N3YW4ub3JnL3Jlc2VhcmNoLmNybDANBgkqhkiG9w0BAQsFAAOCAQEA
+ajgFI8Kz611i0Ihu8+M1C2W1kFbL4EoYyon3trjRZ3Iqz6ksf9KSKCS6Fiylq4DG
+il0mtMtlP+HKcXzRgSY96M4CO73w26liwmZsFBNaZKI/5vKRPPLyU9raGshfpBeC
+CywZ4vcb+EViIPstzOYiK5y/1tSGsMEdnlX2JZsJAKhbLRTmC02O3MbGGBQQq1eU
+n1xkR8pndTWTJmFZ61fZlUMSwLgLF9/VchAa7cIdEA044OCtTdabiYoyLFmqDutq
+8GYvWOzLf2qOKcRxkHxPfeJDrWOLePEYnaMkSBkUKAUIkI+LaJbWF3ASTGgHqh2/
+pwU12A3BovJKUaR0B7Uy2A==
 -----END CERTIFICATE-----
diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/ipsec.d/private/carolKey.pem
index b91f9bf81..53e18680b 100644
--- a/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/ipsec.d/private/carolKey.pem
+++ b/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/ipsec.d/private/carolKey.pem
@@ -1,27 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEogIBAAKCAQEAz6hOJXuUKHUgPjV50NSBSNF1nAQw8EAzXEOqjEnEgmm6DxQi
-65QvRO9Cdnhnl9r/1A00KRDsUOHxlxH5NPzHSY51hgDveYxCJzSfg7nsX6z+URIq
-8ig368gNHesYkG/2tjO1Lg4MT4MmX1cr1O0h3m7nuN9e7+TchiXkZ5Dd/6JzaXY6
-VrvS3vQ6npwUNkiE4KOzbFbDbKoZ09Y4No38SfDl84u/+ib7sccHgqA8a/iniiFY
-hQKjZcrn3siL6MHYx05SUbzf/Vpfv4z4h5hXCMiHNaPBFB8zPQBCFrQdg3hy+tnu
-y1SW4zF7CwJE4IHNwZBhNnFhTgWNHyeEfgClgwIDAQABAoIBAHXoftbRoIKIXtJz
-0sM8plwOctUvnAoOqhsNYN1fVXEnTzoYmOtirKRbpkVWgJu9Ad4J0UAwF76lTGQX
-FIV9sjqV5S09grxlY3qXaquE+i4pMA4gXro5E+eRI8GFJ+F7cX5rRcjsuRi8wyEH
-gh/YtY5zMqfKTUGxlXWmNlaH70WilianuMPNXwaKgyBGcfZdheyUggM0rYEJrG1Z
-PZqNo0JKfeI4htpENDp0k1xJ9lCjIqdNw0ZjBi+pL6hF5PYaPjlVC2yn5CzRaT1D
-nUeKUK+SVES4sPrEQtaOlk86uZC4pIz5IlEoSvaw/Yo3Gk1sQKIQMMh1crhHd0El
-U831KwECgYEA7fQY+aFk3fHabwgf9gjuPKgwetVQ8jNDWUiSqffHUC0AQfKZQQsF
-mXJeSRZomPCWG3DRz1EcqXr9f82bN295I0CI6foXZgKUmjed7Bohc0HvUqNOi2qm
-MdbdWBOaH4RBzi1fAENJZnprmq65jQ/tkfCwqIz4KaLt+8xiWmU2h6ECgYEA32gB
-UbCzs1LoJC03uGHqZFRWK/YNKOKBUw58XCnzPTA+34UupI88lPj8LD269tDtruRy
-G7wt4HjayPKtK430nKAl01IXq6ULBTByu3KrCOm/gTAycVMj4ZimTn7Qu9jyv4Lz
-Ka3rBQxB+yQWfn27dc7U+EBsA7PT53NR6Zl8CqMCgYALJYod93+AHho7ZUgKAHUY
-hlBvEJsQHXKkNhAYwjCmAtWmQTUIpPmILKFaDyCrOWnusyRA7+3FyqshV4JT4Hbu
-PdGsFDkQYEKRztUpADhc69PILTo6sa5DW2tW+uQXYdyrSdjPbFd943Iy9sheYUah
-tYKxApmFacp4JyTcUy1wwQKBgA44xLy6jvX/dR+4cS+frBgu9j1eMIBFyw3Kgkgr
-s3xVserww4NeSvEA2KzIUTqdGkRj7o+tbw43I1ZffH6lTskZuM63DyKyIv11lBgy
-uIicuMA0nUFxlXsrCIs+r3MF4I4oe+pPVALCQQEHzxbGUkSxogUbtMSXkgnN4Y0J
-ZEgZAoGAfo0nv/IeKi0KkKiPTQSGVWGAQyCpGE0UQ2RYYToT84kjXs+LrVGFH2lu
-LJvyYnSnM7eKqCFKh+kLQ3bezum56y5XTyAEipTmu7Lhp0CiVjSdnu+0QykmhKsx
-Z17Ut2ryGKOXySnlMNual4eCLq98o0iOcYPq08V6x33dhK7Z3kU=
+MIIEpQIBAAKCAQEA6Kj20o6QRKNm6ZOEO+3VoXJ08M80CE2siifxoK9kzEVAFexq
+azUs4vjtQpAR44lwNRDWz3Q/Tm8DBf5PA4DacEOGBUF7xz5GwFF8RGbFyzMrt2CP
+nKuPBskWtQk96bTgoQ+etHsulPmzv7PWf6lliv0fIlO9gl3dz3rx+ujBBb3yaAQk
+b3GzYt9qpNXdERLUH28h5AZaHrgNKsXpfL8dj6fcx5IwZndQmhdLphkjG8Y13uF4
+H/bHG/dW/RM3IaKSY/xnmJuA3mOfuZCRT1Iz1DNBvZljWbcOf3dxsnnDcBd4KWEm
+GjN7pS+FWzh78BK4lvpv00swvh4HQEwJkPrpjwIDAQABAoIBAQCGhpwg5znX1jt9
+N0SwejaaIVoom0ZUvsTTJYF7Da9UxX3mr0phLuADZTea0z7kt+VfaZsrXOX17g5r
+er4pImorm390roZpkELMlNEro9keQzo1z+l6B2Ct5bvxdaSM638u4Z88cDVhAnjC
+kbOnIUWLdgx4hr7/EFNe0pH0KHzjWfS4YMUXZFYER3W+lQ68j3U/iFdCsMdABrLV
+BnKozAUOWTHeZc+8Ca0MFWChrj9b2DCs2M0ASgAx5s9CNo1dIbqwJmb7OLlwm3G+
+Xx0JzN7eOOZdiFSPcyNoRwE6rKvrs2GtQ9LqWdkvVEuFjyIkl97cnoOkRIj5bAvN
+DfjfjmeBAoGBAP9rdEPjprVbEeAS+acLc/6oWlGqo23nO31IuUWHT10yxf0E5FIp
+waLJchqT+jD5tYehfZ1+OVtYiWWKBJIXnVK+a4rc/GIRWX/BRHMtWeenv7wR72pt
+1GRxp7yTZtj1AeJhuXcSHpntAo0kG6gHC/+FvbrNgyuSYn9siIa+C5RhAoGBAOkw
+RgOX7hXYzOSATbKZcnNFdPECYaBDjXV/Rcg966Ng4UcxWl3vJRYf3A55ehmc2Jdm
+CSqt6CrsR/RxKrljsCe7gD/GGEktV7fknnXC5Bfx3hUXQ4rATLx8xwlae+wc+ANM
+eaY1HB0KOGGGH2kT4l4UFChgnfpZN+vpel/cFkPvAoGBAJPqZZVfQ87o44wxUPSl
+FFKYql17BVQDQhdGw0x5lMNzQOdLKvJODj44jOTJZ21vXuoh4n4PeCXnOwJbkFQO
+auRdNChh26LrSzpJ8VsGG3elVMsUU+L9oa9dhncVoczo7mNslpxXGPOpJv4XuBBx
+rEgY6oxAscLM7k++yb3GVyxhAoGBAMK6lT0a+q8zxKZsnnWuvmyUa/t3SZ9TyiV8
+iwGU89oTZQzWoegfdJDtOg68UsJgwF5tzundICv39H6kolD+dnQ3l/mpq04wlzfx
+qoIcpe15BUQHkVelDm+4o12kOigKaPIYQt4RK9D0X/DQ2BofiMGXct3lEQemyZQv
+/Qlf+RfxAoGABBRf9DcyA/RdmTszqebfPPNmx7iHaNbrZ3Xbvyv3P5LkzXlFLTvA
+hDz/UqnVM7Bwe1OGeJYkXfmijRjpJ+U8dteb2YzZ3tnlzKwifz+051/LcjavX9X2
+5PuEB2Y65V0OWImIFVlLnp3MRyE4bImveBliWrTRQUVsxQt2WIDgThw=
 -----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/ipsec.d/certs/daveCert.pem
index b76032480..91df37a81 100644
--- a/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/ipsec.d/certs/daveCert.pem
+++ b/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/ipsec.d/certs/daveCert.pem
@@ -1,24 +1,24 @@
 -----BEGIN CERTIFICATE-----
-MIIEHDCCAwSgAwIBAgIBATANBgkqhkiG9w0BAQUFADBLMQswCQYDVQQGEwJDSDEZ
+MIIEHDCCAwSgAwIBAgIBBTANBgkqhkiG9w0BAQsFADBLMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEOMAwGA1UECxMFU2FsZXMxETAPBgNV
-BAMTCFNhbGVzIENBMB4XDTA1MDMyMzA3MTAxN1oXDTEwMDMyMjA3MTAxN1owVjEL
+BAMTCFNhbGVzIENBMB4XDTEwMDQwNzA5NDI0MVoXDTE1MDQwNjA5NDI0MVowVjEL
 MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsT
 BVNhbGVzMRwwGgYDVQQDFBNkYXZlQHN0cm9uZ3N3YW4ub3JnMIIBIjANBgkqhkiG
-9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyqAR0itGIuSt/RR8IHjFTLH/lywprmHUw0GS
-zZwo/q4AE4v6OeWRG3JUUg44K40yBwr7zvcsLztRTfbNqlt7o+Hjpo3kz0AMwDo+
-1V42Qkh61VJW1P0NQvkgjiQn+ElSMg1u3uiYCIMAhYMYo2ZMKxHXxRqjU79AVuJN
-P3p8wUpfwReImAy3/n685YbSzWcbPqCfjRH/YrnYS8Ga7m/QzdNfrtxhAWAGow1+
-+eTSMvLXSkQeujU6OCJNOPUNB3nnJ1IoZrQm8wNP8Y5B5HzvOSyFEvNuHFc63gSP
-aSRhuz0gubuMpr1d9Rgjny8JgsfCEbOktlKwnbFeSB8AAgVMjwIDAQABo4H/MIH8
-MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSCy57rUdNRbytUkRGY
-GjmjvXfIszBtBgNVHSMEZjBkgBRfmxNG+SByyADViLWnTC6X6guTKKFJpEcwRTEL
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEAztqGSb3H9Xh6I4xiDkmsN5WRjKnEQfSRZsSi
+0umR7a1jysVvMgLKnmk2hAMJkDTjBXndEemnLiXemxNq4Wp3x0ZgpNWC6y1klZY6
+J7T76/4YhpIIs8HA1+ZiIAEhYCkeqy/ULPk0qa6yK6Ma2FKLEC4wz6OBbjhctqLz
+VsxxKDkLaivnJ16bX8CCNsCq86Ba64m6K1Mpsev5RKnOz0Ey1WwBhgLmipZRgAMH
+K6yPTRaOccvFVrOpi1bfprKXkrCYt6sQoDjbfheZ/tKyW2iJ+WbH0lsA4NbPi1s/
+5/rOIH+16CGfanXiZvZ7NbxLyb8ffPIXFxDTqiS8wFreRZR85wIDAQABo4H/MIH8
+MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBRnEIHshwPhDDGr3xLV
+MnUEbroVIjBtBgNVHSMEZjBkgBRfmxNG+SByyADViLWnTC6X6guTKKFJpEcwRTEL
 MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT
-EnN0cm9uZ1N3YW4gUm9vdCBDQYIBDTAeBgNVHREEFzAVgRNkYXZlQHN0cm9uZ3N3
+EnN0cm9uZ1N3YW4gUm9vdCBDQYIBITAeBgNVHREEFzAVgRNkYXZlQHN0cm9uZ3N3
 YW4ub3JnMDQGA1UdHwQtMCswKaAnoCWGI2h0dHA6Ly9jcmwuc3Ryb25nc3dhbi5v
-cmcvc2FsZXMuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQB+BknSxFKaDhbRVobOAU2P
-p9cirkVCitoZrvK2QIS/7WRoqy85RQ+zorJb3jyTxQl4Pu9Qrap9Zn0H8GQXGlQw
-ZJqdDqRaIa4nCc57qP5DsuQKIQRxc1QMCiWyIRAESn+r8IbxLbjvEd7ZXNsieip6
-Q15uUZldjTveHVi89i9oFWS1nWo4SV+tJaEqPBvsTZZKBPAEu6+7lRzbJ4ukzRsA
-DjuvmaPNUTyf21fD66I4sgrwgxoPhZ7r6qsqISJ5f0EzTXgYNi1yk/TXoAaot3c/
-Gu5+iyO/espV6kPADSOzPSFwsGHYG4kXi1VY0Z7x6UnjQSdEelOBplJ5XYDzEn4+
+cmcvc2FsZXMuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQB5H5jjp9LvEDyJp/3x7Caq
+OhIBSl5n3g7Oi1gXT5GHLBh9/l5i6Swk1eey2oMzpHgsdDogLytlvzRKXupJAZt5
+xWab5I7BfichRCV4bOutN/F8DiNChG0SnYEBizRi5K06LAadtDT0NLv7iE/I49Nb
+E8OdqnET1zHq82mbtVZCEzmRe+cmlB7EeECED+GxTOnYLRWeKg+AWIE4/fLN7s0e
+q94lSUtym71LZ9kmMMAHkIyEbblvVIa7k5j4T6j0XwPPcYVMSjogqeze+qbf3EQ+
+JkRlGdzL/17ToLWYnVwkLqQDn6B+RfwnPk2EXndutPrNz6C3Wy7zNNniciAtXAq+
 -----END CERTIFICATE-----
diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/ipsec.d/private/daveKey.pem
index 022436de4..86740e86a 100644
--- a/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/ipsec.d/private/daveKey.pem
+++ b/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/ipsec.d/private/daveKey.pem
@@ -1,27 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEAyqAR0itGIuSt/RR8IHjFTLH/lywprmHUw0GSzZwo/q4AE4v6
-OeWRG3JUUg44K40yBwr7zvcsLztRTfbNqlt7o+Hjpo3kz0AMwDo+1V42Qkh61VJW
-1P0NQvkgjiQn+ElSMg1u3uiYCIMAhYMYo2ZMKxHXxRqjU79AVuJNP3p8wUpfwReI
-mAy3/n685YbSzWcbPqCfjRH/YrnYS8Ga7m/QzdNfrtxhAWAGow1++eTSMvLXSkQe
-ujU6OCJNOPUNB3nnJ1IoZrQm8wNP8Y5B5HzvOSyFEvNuHFc63gSPaSRhuz0gubuM
-pr1d9Rgjny8JgsfCEbOktlKwnbFeSB8AAgVMjwIDAQABAoIBAHKaRFoVpa6Ynpu0
-mVwYUqdFSaVsEgsSRC9HiEuIllsteNeVZSqX4BGhAXYDmttvGauIF9IAVNpF939c
-JwjCg1S2r3aFbLOXq16R0vYFOjUVH3xF/NysX3LQywv6AS1Z8wZiOKIU9eBij8nz
-0tygQFZf2iUeIuB8HFzH1B8iHSuI7qn6hh1Y9Zgx4kWYL9I+WYefbR906xveHVGq
-8VrgHtBAn1WeWg7FoN1VURW0s1bxkiWtpF9x9OMmwK4qR8HSCilss59V1eJrAAR0
-3FGdWwbbGg9hW0adnyDCtoaYW3r0WcXwqklyas4C+dClOpUInn8kZisoghQYT92u
-U2QeDzECgYEA5Rv7+rP9HX1pNd9NQwOyIHztv4jfx60gybioogtCeRZUwPQ3GtXJ
-Q0ouBxCVLdyCImIKcvd2q2b9HZE8tvOHBA/YxofH4miEN5GWA4aL+LcGrxIbxPWs
-MEkxgQwsyK7lWH47fG7eW86LMx0VikFXS1EeeZZS3f3Avaww1uRtXecCgYEA4mhS
-sAClZamGVWQ7VXCHuS4xHn/gPA4TCyoR5l9g9pwregGKxsROQVIFQCDMd9eTtS6B
-oqoUTHdg0TlujHVUojdwHtgDaqDMTk+RXD9qy2Wob9HQVBlIwgijoLb+OjwdoAj7
-1OQx8FmMjAlMmlyJ50e1FnbNJFEJ1EMgV5QxtxkCgYEArdUeyehYy1BFTJ/CIm+i
-bm37gdDbYchlUUivgkuiwvcDlWd2jADbdRfKdofJeIOPpYDXxsUmIATDVfTFqVZ7
-AcT4SCHrskh00SjANqqWdz5/bsQBl96DKBvQ2MYhEJ9K2mrkvZPtWKENEtolZsIO
-9tF0mvJIq7CF1iPY5qNoq88CgYEAoZhELErJwl3U+22my7ydopZNiK9MpJCHFxjX
-3c2Fr36XqWUgX+4MzKJ2DOdcCM1dJ5wh+q/Z/RnXiH2tYaL83SskY19aUOij6eDw
-px68YqAUMHtYbi39uD/iSftSSM5PdsHyvGiDHEFOB0U735Dc/K45mecBVEJi+ZVP
-qDKlqUECgYA1DcGOWM3P3XdB7zKy47LcankMtFZozEOLTUdGJRlmWrLdcRlZPKjt
-/ALripehesp1++VtmttWQJX7uI3gveD07/tSKeMHmIoKappjRTrcaA7Pa5+z/xS/
-UhRmZUFOJwNLzy3jdv5f2c/5SIz6o4Ae3I+Zb+IapHL+lBv146/I5g==
+MIIEpQIBAAKCAQEAztqGSb3H9Xh6I4xiDkmsN5WRjKnEQfSRZsSi0umR7a1jysVv
+MgLKnmk2hAMJkDTjBXndEemnLiXemxNq4Wp3x0ZgpNWC6y1klZY6J7T76/4YhpII
+s8HA1+ZiIAEhYCkeqy/ULPk0qa6yK6Ma2FKLEC4wz6OBbjhctqLzVsxxKDkLaivn
+J16bX8CCNsCq86Ba64m6K1Mpsev5RKnOz0Ey1WwBhgLmipZRgAMHK6yPTRaOccvF
+VrOpi1bfprKXkrCYt6sQoDjbfheZ/tKyW2iJ+WbH0lsA4NbPi1s/5/rOIH+16CGf
+anXiZvZ7NbxLyb8ffPIXFxDTqiS8wFreRZR85wIDAQABAoIBAQCZSpoP1cN0Zvbk
+lykne3NTsdSuEDUvx4VlSj173bnWEBOO9idEQYtUP5Y12GZi5r6ClV+94ZCSA2Bn
+PcmMCTGAjOgb31po3DfZHv4z5Mx4g9I7D8fBJsm5dbKsEwpfz7k5lXVAauGbCaph
+6jp/qxQBRqnHhlzpiH00n6eDYHhPHDoFHe+vGbnjWzJKsvs6EZiXpfJ/WKd1eQah
+sGF7g+9qV5xqwshCBKf25LZ2XjdvZDt78HS4hsSaStnemetK9NVJGJqmLzehQ16m
+RXAr8Ybk9g7/MSFhpwGPGjcqm2/szL4Cs9IMtYSxiroY3QL+DZydG9+K9g5NF7lX
+lbEX9HXRAoGBAOduCSLaoEJsgZathny9kSsBtDmTAuiVZukqRdMjDN2I0kOsRsIw
+CEF1DIvFsX7nfHkKve8+XyTc05y7LTXmX1AEjMgzFel7uy5HjS7AsJZgTippC8g/
+l2jGq+s59zATNZ2el9Q9dbeK2lBdrVy+jqNITdQge9BigFfhWbkAGFRPAoGBAOTQ
+if2+Yrh0zDPO53I6kShehaZvNtPmQxmmhvH4HGMY8EyRajFOSMpV1w3VYDuTA47v
+yol+90BWMY8ZslrXq+Bmwx2ocSc2feyUYcJoOoRL/b+b1lY2Vnog3Hs5BQLsULzH
+dwkEuK8wjjw1g4ksuIMbX/X9nEvJs0xemzh7Ju/pAoGACNI24u82YJHGNroSgDqx
+h9QezHsAB2F6dLS5yJxzZxZJ/W5ZnBk8l1Ig0ksMwuuL4Qk5yB62fa81GapAxOct
+Bt3Fh/P6h9XBgrgTd468rF6rXA549n8GBGZeMy8Ybuqshn9/BgX5sK9INvv7Gafh
+w/ODk+xRC9ZVUgQy6UxJoR0CgYEAybmYjl40xo4iIWK95ZUAuGhsx8iwu6v7aDfK
+LLUiwbMQ11A0IPf1cHyxNf7x8lOwBWoeU43eCZhz5Mcw2KnfW9z9E76W041VAyfl
+7/DX9h7QvQZ0tlj9cHpcJz6jzmns3CG2Lfs9nyXdn/NF3b/Rg7S0qzhFfQN70U5u
+5iKct1ECgYEAmR/0IbYGh1YJ7Z9im44MTSz6H7bTnmIDjM3/+IVydSVgFbzcoVG6
+4sQ5fIViMLtz9PHDRRKbs8TBzpy7C/wC1qRqpq9I17INSQzvm3DpZ2PlR0SeN2dA
+fO9XtkE73cEff/gI7JWOouy/vczizfRemnWlNK5Ui29Fe0QlGC9TyX0=
 -----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem b/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem
index 154cff654..d53365f78 100644
--- a/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem
+++ b/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem
@@ -1,7 +1,7 @@
 -----BEGIN CERTIFICATE-----
-MIIDwTCCAqmgAwIBAgIBDzANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
+MIIDwTCCAqmgAwIBAgIBIDANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA1MDYyMTE5NTgwNloXDTEwMDYyMDE5NTgwNlowUTELMAkGA1UE
+b290IENBMB4XDTEwMDQwNjA5NTM1MFoXDTE5MDQwNDA5NTM1MFowUTELMAkGA1UE
 BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
 cmNoMRQwEgYDVQQDEwtSZXNlYXJjaCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP
 ADCCAQoCggEBALY5sjqm4AdbWKc/T7JahWpy9xtdPbHngBN6lbnpYaHfrxnGsvmD
@@ -13,11 +13,11 @@ C+25IuE8Nq+i3jtBiI8BwBqHY3u2IuflUh9Nc9d/R6vGsRPMHs30X1Ha/m0Ug494
 BTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU53XwoPKtIM3NYCPMx8gPKfPd
 VCAwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNV
 BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJv
-bmdTd2FuIFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQEEBQADggEBAHArS2trQnBoMVcg
-Br3HV78wYsa1MNAQCBAPhKMMd6EziO4FTwgNgecbKXpObX6ErFDgjtVTcLOMTvNX
-fvZoNuPpdcitlgcWjfxZafNbj6j9ClE/rMbGDO64NLhdXuPVkbmic6yXRwGZpTuq
-3CKgTguLvhzIEM47yfonXKaaJcKVPI7nYRZdlJmD4VflYrSUpzB361dCaPpl0AYa
-0zz1+jfBBvlyic/tf+cCngV3f+GlJ4ntZ3gvRjyysHRmYpWBD7xcA8mJzgUiMyi1
-IKeNzydp+tnLfxwetfA/8ptc346me7RktAaASqO9vpS/N78eXyJRthZTKEf/OqVW
-Tfcyi+M=
+bmdTd2FuIFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQELBQADggEBAI1toW0bLcyBXAoy
+FeLKGy4SibcNBZs/roChcwUav0foyLdCYMYFKEeHOLvIsTIjifpY4MPy3SBgQ5Xp
+cs5vOFwW97jM6YfByqjx4+7qTBqOaLMXBbeJ3LIwQyJirpqHZzlsOscchxCjcMAM
+POBGmWjpdOqULoLlwX9EFhBA2rEZB1iamgbUJ5M5eRNEubm8xR6Baw/0ORz/tt+t
+xC9jxcjHoJnOFV0ss7Xs3d32PqhvKGgBxjVLZyq3zD/rMG2xXVyKPU46zelMCP1U
+dsM62tL1cwAi4soka02GQrP/rwBhHt22bJMN4gNs5NSvhTdjjgwVYzLu63IFYBvW
+8sFmiZI=
 -----END CERTIFICATE-----
diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem b/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem
index e50477872..a10a18cba 100644
--- a/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem
+++ b/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem
@@ -1,7 +1,7 @@
 -----BEGIN CERTIFICATE-----
-MIIDuzCCAqOgAwIBAgIBDTANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJDSDEZ
+MIIDuzCCAqOgAwIBAgIBITANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA1MDMyMzA2MjkxNloXDTE0MDMyMTA2MjkxNlowSzELMAkGA1UE
+b290IENBMB4XDTEwMDQwNjA5NTQzM1oXDTE5MDQwNDA5NTQzM1owSzELMAkGA1UE
 BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsTBVNhbGVz
 MREwDwYDVQQDEwhTYWxlcyBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
 ggEBAMJOTSaZjDe5UR+hJbodcE40WBxWm+r0FiD+FLc2c0hH/QcWm1Xfqnc9qaPP
@@ -13,10 +13,10 @@ vPAqzrekOI/RV9Hre9L1r8X1dIECAwEAAaOBrzCBrDAPBgNVHRMBAf8EBTADAQH/
 MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUX5sTRvkgcsgA1Yi1p0wul+oLkygwbQYD
 VR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNI
 MRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2Fu
-IFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQEFBQADggEBAJ7j3X20Q8ICJ2e+iUCpVUIV
-8RudUeHt9qjSXalohuxxhegL5vu7I9Gx0H56RE4glOjLMCb1xqVZ55Odxx14pHaZ
-9iMnQFpgzi96exYAmBKYCHl4IFix2hrTqTWSJhEO+o+PXnQTgcfG43GQepk0qAQr
-iZZy8OWiUhHSJQLJtTMm4rnYjgPn+sLwx7hCPDZpHTZocETDars7wTiVkodCbeEU
-uKahAbq4b6MvvC3+7quvwoEpAEStT7+Yml+QuK/jKmhjX0hcQcw4ZWi+m32RjUAv
-xDJGEvBqV2hyrzRqwh4lVNJEBba5X+QB3N6a0So6BENaJrUM3v8EDaS2KLUWyu0=
+IFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQELBQADggEBACRlTqXMjHy7r7rWnq/09yFn
+Td6d+y6KkHj9kvYSA5q7xYdmP3I4+YP2qpPnYjSeyfMCl4ZIyMXnfUbz5OvuXp4S
+CS0gIUJ6mK6+5f1a3USdB4Ce0Od4mkUIQmLzKFCRSqdhWoVzNJrl+BT1a5d9+aLW
+AL5S2pqUoQPgG64MPghy3SyUb4qBeplk3JdR/6OgA5LQeNtLiI7Y/dbMM2Rvn284
+RIIxp2TqN2Hup6BNLHv6fLixdJpM+nG7ZjGYf+7dnuY6ZDhvIt18zr/2n1ELBQPh
+M5SjYhGQIZVmNzNDrKGVAKta5LG8BwBGi0uXc9fBXWRcffI3N1/IZj/ob5t3WCg=
 -----END CERTIFICATE-----
diff --git a/testing/tests/ikev1/multi-level-ca-loop/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/ikev1/multi-level-ca-loop/hosts/carol/etc/ipsec.d/certs/carolCert.pem
index 2990d6a12..69e5c05e3 100644
--- a/testing/tests/ikev1/multi-level-ca-loop/hosts/carol/etc/ipsec.d/certs/carolCert.pem
+++ b/testing/tests/ikev1/multi-level-ca-loop/hosts/carol/etc/ipsec.d/certs/carolCert.pem
@@ -1,25 +1,25 @@
 -----BEGIN CERTIFICATE-----
-MIIELDCCAxSgAwIBAgIBATANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJDSDEZ
+MIIELDCCAxSgAwIBAgIBBjANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS
-BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTA1MDMyMzA3MDQyM1oXDTEwMDMyMjA3MDQy
-M1owWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP
+BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTEwMDQwNzA5MjA1N1oXDTE1MDQwNjA5MjA1
+N1owWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP
 BgNVBAsTCFJlc2VhcmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCC
-ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM+oTiV7lCh1ID41edDUgUjR
-dZwEMPBAM1xDqoxJxIJpug8UIuuUL0TvQnZ4Z5fa/9QNNCkQ7FDh8ZcR+TT8x0mO
-dYYA73mMQic0n4O57F+s/lESKvIoN+vIDR3rGJBv9rYztS4ODE+DJl9XK9TtId5u
-57jfXu/k3IYl5GeQ3f+ic2l2Ola70t70Op6cFDZIhOCjs2xWw2yqGdPWODaN/Enw
-5fOLv/om+7HHB4KgPGv4p4ohWIUCo2XK597Ii+jB2MdOUlG83/1aX7+M+IeYVwjI
-hzWjwRQfMz0AQha0HYN4cvrZ7stUluMxewsCROCBzcGQYTZxYU4FjR8nhH4ApYMC
-AwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSL
-qNn96rsWg0kOJY/cyXD2JpnPIjBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOio9tKOkESjZumThDvt1aFy
+dPDPNAhNrIon8aCvZMxFQBXsams1LOL47UKQEeOJcDUQ1s90P05vAwX+TwOA2nBD
+hgVBe8c+RsBRfERmxcszK7dgj5yrjwbJFrUJPem04KEPnrR7LpT5s7+z1n+pZYr9
+HyJTvYJd3c968frowQW98mgEJG9xs2LfaqTV3RES1B9vIeQGWh64DSrF6Xy/HY+n
+3MeSMGZ3UJoXS6YZIxvGNd7heB/2xxv3Vv0TNyGikmP8Z5ibgN5jn7mQkU9SM9Qz
+Qb2ZY1m3Dn93cbJ5w3AXeClhJhoze6UvhVs4e/ASuJb6b9NLML4eB0BMCZD66Y8C
+AwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBTE
+AO+W2V1eu0sjCQcfemzz9lSRvTBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p
 891UIKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3
-YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBDDAfBgNVHREEGDAWgRRj
+YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBIDAfBgNVHREEGDAWgRRj
 YXJvbEBzdHJvbmdzd2FuLm9yZzA3BgNVHR8EMDAuMCygKqAohiZodHRwOi8vY3Js
-LnN0cm9uZ3N3YW4ub3JnL3Jlc2VhcmNoLmNybDANBgkqhkiG9w0BAQUFAAOCAQEA
-FNPepmta0ac9TWe7Gl31fKkuf6ZiQftMwx/uq6PoX9PBVGeooktJMo+EiROQhL3N
-Zomtl2nLfxYruXPHa7YaMWyv4+3NkV9p7jseC1K/2lCXipY4Vp8u14hqlRLCTejp
-7uC/0+628e+qXlCm8wafDb9/JXzQar7rADhoLp7gJKI2PKMAzLUP2xZVzY5zx57G
-+OCR/ZXonVeAPy9/0g9N8uQzJEXOVZYMjsoRra9rdlvnY1DgDoAK7QvJMC4VzENm
-wKmz2rPrBlKaEcivubg7dwPMGNmb3f7F7w0HHuRbQd5Y0nDfEWBKCp0bVx1GLc7/
-MWjwPJs52qVJ3Ph++EF6bw==
+LnN0cm9uZ3N3YW4ub3JnL3Jlc2VhcmNoLmNybDANBgkqhkiG9w0BAQsFAAOCAQEA
+ajgFI8Kz611i0Ihu8+M1C2W1kFbL4EoYyon3trjRZ3Iqz6ksf9KSKCS6Fiylq4DG
+il0mtMtlP+HKcXzRgSY96M4CO73w26liwmZsFBNaZKI/5vKRPPLyU9raGshfpBeC
+CywZ4vcb+EViIPstzOYiK5y/1tSGsMEdnlX2JZsJAKhbLRTmC02O3MbGGBQQq1eU
+n1xkR8pndTWTJmFZ61fZlUMSwLgLF9/VchAa7cIdEA044OCtTdabiYoyLFmqDutq
+8GYvWOzLf2qOKcRxkHxPfeJDrWOLePEYnaMkSBkUKAUIkI+LaJbWF3ASTGgHqh2/
+pwU12A3BovJKUaR0B7Uy2A==
 -----END CERTIFICATE-----
diff --git a/testing/tests/ikev1/multi-level-ca-loop/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/ikev1/multi-level-ca-loop/hosts/carol/etc/ipsec.d/private/carolKey.pem
index b91f9bf81..53e18680b 100644
--- a/testing/tests/ikev1/multi-level-ca-loop/hosts/carol/etc/ipsec.d/private/carolKey.pem
+++ b/testing/tests/ikev1/multi-level-ca-loop/hosts/carol/etc/ipsec.d/private/carolKey.pem
@@ -1,27 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEogIBAAKCAQEAz6hOJXuUKHUgPjV50NSBSNF1nAQw8EAzXEOqjEnEgmm6DxQi
-65QvRO9Cdnhnl9r/1A00KRDsUOHxlxH5NPzHSY51hgDveYxCJzSfg7nsX6z+URIq
-8ig368gNHesYkG/2tjO1Lg4MT4MmX1cr1O0h3m7nuN9e7+TchiXkZ5Dd/6JzaXY6
-VrvS3vQ6npwUNkiE4KOzbFbDbKoZ09Y4No38SfDl84u/+ib7sccHgqA8a/iniiFY
-hQKjZcrn3siL6MHYx05SUbzf/Vpfv4z4h5hXCMiHNaPBFB8zPQBCFrQdg3hy+tnu
-y1SW4zF7CwJE4IHNwZBhNnFhTgWNHyeEfgClgwIDAQABAoIBAHXoftbRoIKIXtJz
-0sM8plwOctUvnAoOqhsNYN1fVXEnTzoYmOtirKRbpkVWgJu9Ad4J0UAwF76lTGQX
-FIV9sjqV5S09grxlY3qXaquE+i4pMA4gXro5E+eRI8GFJ+F7cX5rRcjsuRi8wyEH
-gh/YtY5zMqfKTUGxlXWmNlaH70WilianuMPNXwaKgyBGcfZdheyUggM0rYEJrG1Z
-PZqNo0JKfeI4htpENDp0k1xJ9lCjIqdNw0ZjBi+pL6hF5PYaPjlVC2yn5CzRaT1D
-nUeKUK+SVES4sPrEQtaOlk86uZC4pIz5IlEoSvaw/Yo3Gk1sQKIQMMh1crhHd0El
-U831KwECgYEA7fQY+aFk3fHabwgf9gjuPKgwetVQ8jNDWUiSqffHUC0AQfKZQQsF
-mXJeSRZomPCWG3DRz1EcqXr9f82bN295I0CI6foXZgKUmjed7Bohc0HvUqNOi2qm
-MdbdWBOaH4RBzi1fAENJZnprmq65jQ/tkfCwqIz4KaLt+8xiWmU2h6ECgYEA32gB
-UbCzs1LoJC03uGHqZFRWK/YNKOKBUw58XCnzPTA+34UupI88lPj8LD269tDtruRy
-G7wt4HjayPKtK430nKAl01IXq6ULBTByu3KrCOm/gTAycVMj4ZimTn7Qu9jyv4Lz
-Ka3rBQxB+yQWfn27dc7U+EBsA7PT53NR6Zl8CqMCgYALJYod93+AHho7ZUgKAHUY
-hlBvEJsQHXKkNhAYwjCmAtWmQTUIpPmILKFaDyCrOWnusyRA7+3FyqshV4JT4Hbu
-PdGsFDkQYEKRztUpADhc69PILTo6sa5DW2tW+uQXYdyrSdjPbFd943Iy9sheYUah
-tYKxApmFacp4JyTcUy1wwQKBgA44xLy6jvX/dR+4cS+frBgu9j1eMIBFyw3Kgkgr
-s3xVserww4NeSvEA2KzIUTqdGkRj7o+tbw43I1ZffH6lTskZuM63DyKyIv11lBgy
-uIicuMA0nUFxlXsrCIs+r3MF4I4oe+pPVALCQQEHzxbGUkSxogUbtMSXkgnN4Y0J
-ZEgZAoGAfo0nv/IeKi0KkKiPTQSGVWGAQyCpGE0UQ2RYYToT84kjXs+LrVGFH2lu
-LJvyYnSnM7eKqCFKh+kLQ3bezum56y5XTyAEipTmu7Lhp0CiVjSdnu+0QykmhKsx
-Z17Ut2ryGKOXySnlMNual4eCLq98o0iOcYPq08V6x33dhK7Z3kU=
+MIIEpQIBAAKCAQEA6Kj20o6QRKNm6ZOEO+3VoXJ08M80CE2siifxoK9kzEVAFexq
+azUs4vjtQpAR44lwNRDWz3Q/Tm8DBf5PA4DacEOGBUF7xz5GwFF8RGbFyzMrt2CP
+nKuPBskWtQk96bTgoQ+etHsulPmzv7PWf6lliv0fIlO9gl3dz3rx+ujBBb3yaAQk
+b3GzYt9qpNXdERLUH28h5AZaHrgNKsXpfL8dj6fcx5IwZndQmhdLphkjG8Y13uF4
+H/bHG/dW/RM3IaKSY/xnmJuA3mOfuZCRT1Iz1DNBvZljWbcOf3dxsnnDcBd4KWEm
+GjN7pS+FWzh78BK4lvpv00swvh4HQEwJkPrpjwIDAQABAoIBAQCGhpwg5znX1jt9
+N0SwejaaIVoom0ZUvsTTJYF7Da9UxX3mr0phLuADZTea0z7kt+VfaZsrXOX17g5r
+er4pImorm390roZpkELMlNEro9keQzo1z+l6B2Ct5bvxdaSM638u4Z88cDVhAnjC
+kbOnIUWLdgx4hr7/EFNe0pH0KHzjWfS4YMUXZFYER3W+lQ68j3U/iFdCsMdABrLV
+BnKozAUOWTHeZc+8Ca0MFWChrj9b2DCs2M0ASgAx5s9CNo1dIbqwJmb7OLlwm3G+
+Xx0JzN7eOOZdiFSPcyNoRwE6rKvrs2GtQ9LqWdkvVEuFjyIkl97cnoOkRIj5bAvN
+DfjfjmeBAoGBAP9rdEPjprVbEeAS+acLc/6oWlGqo23nO31IuUWHT10yxf0E5FIp
+waLJchqT+jD5tYehfZ1+OVtYiWWKBJIXnVK+a4rc/GIRWX/BRHMtWeenv7wR72pt
+1GRxp7yTZtj1AeJhuXcSHpntAo0kG6gHC/+FvbrNgyuSYn9siIa+C5RhAoGBAOkw
+RgOX7hXYzOSATbKZcnNFdPECYaBDjXV/Rcg966Ng4UcxWl3vJRYf3A55ehmc2Jdm
+CSqt6CrsR/RxKrljsCe7gD/GGEktV7fknnXC5Bfx3hUXQ4rATLx8xwlae+wc+ANM
+eaY1HB0KOGGGH2kT4l4UFChgnfpZN+vpel/cFkPvAoGBAJPqZZVfQ87o44wxUPSl
+FFKYql17BVQDQhdGw0x5lMNzQOdLKvJODj44jOTJZ21vXuoh4n4PeCXnOwJbkFQO
+auRdNChh26LrSzpJ8VsGG3elVMsUU+L9oa9dhncVoczo7mNslpxXGPOpJv4XuBBx
+rEgY6oxAscLM7k++yb3GVyxhAoGBAMK6lT0a+q8zxKZsnnWuvmyUa/t3SZ9TyiV8
+iwGU89oTZQzWoegfdJDtOg68UsJgwF5tzundICv39H6kolD+dnQ3l/mpq04wlzfx
+qoIcpe15BUQHkVelDm+4o12kOigKaPIYQt4RK9D0X/DQ2BofiMGXct3lEQemyZQv
+/Qlf+RfxAoGABBRf9DcyA/RdmTszqebfPPNmx7iHaNbrZ3Xbvyv3P5LkzXlFLTvA
+hDz/UqnVM7Bwe1OGeJYkXfmijRjpJ+U8dteb2YzZ3tnlzKwifz+051/LcjavX9X2
+5PuEB2Y65V0OWImIFVlLnp3MRyE4bImveBliWrTRQUVsxQt2WIDgThw=
 -----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev1/multi-level-ca-pathlen/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem b/testing/tests/ikev1/multi-level-ca-pathlen/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem
index 154cff654..d53365f78 100644
--- a/testing/tests/ikev1/multi-level-ca-pathlen/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem
+++ b/testing/tests/ikev1/multi-level-ca-pathlen/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem
@@ -1,7 +1,7 @@
 -----BEGIN CERTIFICATE-----
-MIIDwTCCAqmgAwIBAgIBDzANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
+MIIDwTCCAqmgAwIBAgIBIDANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA1MDYyMTE5NTgwNloXDTEwMDYyMDE5NTgwNlowUTELMAkGA1UE
+b290IENBMB4XDTEwMDQwNjA5NTM1MFoXDTE5MDQwNDA5NTM1MFowUTELMAkGA1UE
 BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
 cmNoMRQwEgYDVQQDEwtSZXNlYXJjaCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP
 ADCCAQoCggEBALY5sjqm4AdbWKc/T7JahWpy9xtdPbHngBN6lbnpYaHfrxnGsvmD
@@ -13,11 +13,11 @@ C+25IuE8Nq+i3jtBiI8BwBqHY3u2IuflUh9Nc9d/R6vGsRPMHs30X1Ha/m0Ug494
 BTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU53XwoPKtIM3NYCPMx8gPKfPd
 VCAwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNV
 BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJv
-bmdTd2FuIFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQEEBQADggEBAHArS2trQnBoMVcg
-Br3HV78wYsa1MNAQCBAPhKMMd6EziO4FTwgNgecbKXpObX6ErFDgjtVTcLOMTvNX
-fvZoNuPpdcitlgcWjfxZafNbj6j9ClE/rMbGDO64NLhdXuPVkbmic6yXRwGZpTuq
-3CKgTguLvhzIEM47yfonXKaaJcKVPI7nYRZdlJmD4VflYrSUpzB361dCaPpl0AYa
-0zz1+jfBBvlyic/tf+cCngV3f+GlJ4ntZ3gvRjyysHRmYpWBD7xcA8mJzgUiMyi1
-IKeNzydp+tnLfxwetfA/8ptc346me7RktAaASqO9vpS/N78eXyJRthZTKEf/OqVW
-Tfcyi+M=
+bmdTd2FuIFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQELBQADggEBAI1toW0bLcyBXAoy
+FeLKGy4SibcNBZs/roChcwUav0foyLdCYMYFKEeHOLvIsTIjifpY4MPy3SBgQ5Xp
+cs5vOFwW97jM6YfByqjx4+7qTBqOaLMXBbeJ3LIwQyJirpqHZzlsOscchxCjcMAM
+POBGmWjpdOqULoLlwX9EFhBA2rEZB1iamgbUJ5M5eRNEubm8xR6Baw/0ORz/tt+t
+xC9jxcjHoJnOFV0ss7Xs3d32PqhvKGgBxjVLZyq3zD/rMG2xXVyKPU46zelMCP1U
+dsM62tL1cwAi4soka02GQrP/rwBhHt22bJMN4gNs5NSvhTdjjgwVYzLu63IFYBvW
+8sFmiZI=
 -----END CERTIFICATE-----
diff --git a/testing/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.d/certs/carolCert.pem
index 2990d6a12..69e5c05e3 100644
--- a/testing/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.d/certs/carolCert.pem
+++ b/testing/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.d/certs/carolCert.pem
@@ -1,25 +1,25 @@
 -----BEGIN CERTIFICATE-----
-MIIELDCCAxSgAwIBAgIBATANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJDSDEZ
+MIIELDCCAxSgAwIBAgIBBjANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS
-BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTA1MDMyMzA3MDQyM1oXDTEwMDMyMjA3MDQy
-M1owWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP
+BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTEwMDQwNzA5MjA1N1oXDTE1MDQwNjA5MjA1
+N1owWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP
 BgNVBAsTCFJlc2VhcmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCC
-ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM+oTiV7lCh1ID41edDUgUjR
-dZwEMPBAM1xDqoxJxIJpug8UIuuUL0TvQnZ4Z5fa/9QNNCkQ7FDh8ZcR+TT8x0mO
-dYYA73mMQic0n4O57F+s/lESKvIoN+vIDR3rGJBv9rYztS4ODE+DJl9XK9TtId5u
-57jfXu/k3IYl5GeQ3f+ic2l2Ola70t70Op6cFDZIhOCjs2xWw2yqGdPWODaN/Enw
-5fOLv/om+7HHB4KgPGv4p4ohWIUCo2XK597Ii+jB2MdOUlG83/1aX7+M+IeYVwjI
-hzWjwRQfMz0AQha0HYN4cvrZ7stUluMxewsCROCBzcGQYTZxYU4FjR8nhH4ApYMC
-AwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSL
-qNn96rsWg0kOJY/cyXD2JpnPIjBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOio9tKOkESjZumThDvt1aFy
+dPDPNAhNrIon8aCvZMxFQBXsams1LOL47UKQEeOJcDUQ1s90P05vAwX+TwOA2nBD
+hgVBe8c+RsBRfERmxcszK7dgj5yrjwbJFrUJPem04KEPnrR7LpT5s7+z1n+pZYr9
+HyJTvYJd3c968frowQW98mgEJG9xs2LfaqTV3RES1B9vIeQGWh64DSrF6Xy/HY+n
+3MeSMGZ3UJoXS6YZIxvGNd7heB/2xxv3Vv0TNyGikmP8Z5ibgN5jn7mQkU9SM9Qz
+Qb2ZY1m3Dn93cbJ5w3AXeClhJhoze6UvhVs4e/ASuJb6b9NLML4eB0BMCZD66Y8C
+AwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBTE
+AO+W2V1eu0sjCQcfemzz9lSRvTBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p
 891UIKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3
-YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBDDAfBgNVHREEGDAWgRRj
+YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBIDAfBgNVHREEGDAWgRRj
 YXJvbEBzdHJvbmdzd2FuLm9yZzA3BgNVHR8EMDAuMCygKqAohiZodHRwOi8vY3Js
-LnN0cm9uZ3N3YW4ub3JnL3Jlc2VhcmNoLmNybDANBgkqhkiG9w0BAQUFAAOCAQEA
-FNPepmta0ac9TWe7Gl31fKkuf6ZiQftMwx/uq6PoX9PBVGeooktJMo+EiROQhL3N
-Zomtl2nLfxYruXPHa7YaMWyv4+3NkV9p7jseC1K/2lCXipY4Vp8u14hqlRLCTejp
-7uC/0+628e+qXlCm8wafDb9/JXzQar7rADhoLp7gJKI2PKMAzLUP2xZVzY5zx57G
-+OCR/ZXonVeAPy9/0g9N8uQzJEXOVZYMjsoRra9rdlvnY1DgDoAK7QvJMC4VzENm
-wKmz2rPrBlKaEcivubg7dwPMGNmb3f7F7w0HHuRbQd5Y0nDfEWBKCp0bVx1GLc7/
-MWjwPJs52qVJ3Ph++EF6bw==
+LnN0cm9uZ3N3YW4ub3JnL3Jlc2VhcmNoLmNybDANBgkqhkiG9w0BAQsFAAOCAQEA
+ajgFI8Kz611i0Ihu8+M1C2W1kFbL4EoYyon3trjRZ3Iqz6ksf9KSKCS6Fiylq4DG
+il0mtMtlP+HKcXzRgSY96M4CO73w26liwmZsFBNaZKI/5vKRPPLyU9raGshfpBeC
+CywZ4vcb+EViIPstzOYiK5y/1tSGsMEdnlX2JZsJAKhbLRTmC02O3MbGGBQQq1eU
+n1xkR8pndTWTJmFZ61fZlUMSwLgLF9/VchAa7cIdEA044OCtTdabiYoyLFmqDutq
+8GYvWOzLf2qOKcRxkHxPfeJDrWOLePEYnaMkSBkUKAUIkI+LaJbWF3ASTGgHqh2/
+pwU12A3BovJKUaR0B7Uy2A==
 -----END CERTIFICATE-----
diff --git a/testing/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.d/private/carolKey.pem
index b91f9bf81..53e18680b 100644
--- a/testing/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.d/private/carolKey.pem
+++ b/testing/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.d/private/carolKey.pem
@@ -1,27 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEogIBAAKCAQEAz6hOJXuUKHUgPjV50NSBSNF1nAQw8EAzXEOqjEnEgmm6DxQi
-65QvRO9Cdnhnl9r/1A00KRDsUOHxlxH5NPzHSY51hgDveYxCJzSfg7nsX6z+URIq
-8ig368gNHesYkG/2tjO1Lg4MT4MmX1cr1O0h3m7nuN9e7+TchiXkZ5Dd/6JzaXY6
-VrvS3vQ6npwUNkiE4KOzbFbDbKoZ09Y4No38SfDl84u/+ib7sccHgqA8a/iniiFY
-hQKjZcrn3siL6MHYx05SUbzf/Vpfv4z4h5hXCMiHNaPBFB8zPQBCFrQdg3hy+tnu
-y1SW4zF7CwJE4IHNwZBhNnFhTgWNHyeEfgClgwIDAQABAoIBAHXoftbRoIKIXtJz
-0sM8plwOctUvnAoOqhsNYN1fVXEnTzoYmOtirKRbpkVWgJu9Ad4J0UAwF76lTGQX
-FIV9sjqV5S09grxlY3qXaquE+i4pMA4gXro5E+eRI8GFJ+F7cX5rRcjsuRi8wyEH
-gh/YtY5zMqfKTUGxlXWmNlaH70WilianuMPNXwaKgyBGcfZdheyUggM0rYEJrG1Z
-PZqNo0JKfeI4htpENDp0k1xJ9lCjIqdNw0ZjBi+pL6hF5PYaPjlVC2yn5CzRaT1D
-nUeKUK+SVES4sPrEQtaOlk86uZC4pIz5IlEoSvaw/Yo3Gk1sQKIQMMh1crhHd0El
-U831KwECgYEA7fQY+aFk3fHabwgf9gjuPKgwetVQ8jNDWUiSqffHUC0AQfKZQQsF
-mXJeSRZomPCWG3DRz1EcqXr9f82bN295I0CI6foXZgKUmjed7Bohc0HvUqNOi2qm
-MdbdWBOaH4RBzi1fAENJZnprmq65jQ/tkfCwqIz4KaLt+8xiWmU2h6ECgYEA32gB
-UbCzs1LoJC03uGHqZFRWK/YNKOKBUw58XCnzPTA+34UupI88lPj8LD269tDtruRy
-G7wt4HjayPKtK430nKAl01IXq6ULBTByu3KrCOm/gTAycVMj4ZimTn7Qu9jyv4Lz
-Ka3rBQxB+yQWfn27dc7U+EBsA7PT53NR6Zl8CqMCgYALJYod93+AHho7ZUgKAHUY
-hlBvEJsQHXKkNhAYwjCmAtWmQTUIpPmILKFaDyCrOWnusyRA7+3FyqshV4JT4Hbu
-PdGsFDkQYEKRztUpADhc69PILTo6sa5DW2tW+uQXYdyrSdjPbFd943Iy9sheYUah
-tYKxApmFacp4JyTcUy1wwQKBgA44xLy6jvX/dR+4cS+frBgu9j1eMIBFyw3Kgkgr
-s3xVserww4NeSvEA2KzIUTqdGkRj7o+tbw43I1ZffH6lTskZuM63DyKyIv11lBgy
-uIicuMA0nUFxlXsrCIs+r3MF4I4oe+pPVALCQQEHzxbGUkSxogUbtMSXkgnN4Y0J
-ZEgZAoGAfo0nv/IeKi0KkKiPTQSGVWGAQyCpGE0UQ2RYYToT84kjXs+LrVGFH2lu
-LJvyYnSnM7eKqCFKh+kLQ3bezum56y5XTyAEipTmu7Lhp0CiVjSdnu+0QykmhKsx
-Z17Ut2ryGKOXySnlMNual4eCLq98o0iOcYPq08V6x33dhK7Z3kU=
+MIIEpQIBAAKCAQEA6Kj20o6QRKNm6ZOEO+3VoXJ08M80CE2siifxoK9kzEVAFexq
+azUs4vjtQpAR44lwNRDWz3Q/Tm8DBf5PA4DacEOGBUF7xz5GwFF8RGbFyzMrt2CP
+nKuPBskWtQk96bTgoQ+etHsulPmzv7PWf6lliv0fIlO9gl3dz3rx+ujBBb3yaAQk
+b3GzYt9qpNXdERLUH28h5AZaHrgNKsXpfL8dj6fcx5IwZndQmhdLphkjG8Y13uF4
+H/bHG/dW/RM3IaKSY/xnmJuA3mOfuZCRT1Iz1DNBvZljWbcOf3dxsnnDcBd4KWEm
+GjN7pS+FWzh78BK4lvpv00swvh4HQEwJkPrpjwIDAQABAoIBAQCGhpwg5znX1jt9
+N0SwejaaIVoom0ZUvsTTJYF7Da9UxX3mr0phLuADZTea0z7kt+VfaZsrXOX17g5r
+er4pImorm390roZpkELMlNEro9keQzo1z+l6B2Ct5bvxdaSM638u4Z88cDVhAnjC
+kbOnIUWLdgx4hr7/EFNe0pH0KHzjWfS4YMUXZFYER3W+lQ68j3U/iFdCsMdABrLV
+BnKozAUOWTHeZc+8Ca0MFWChrj9b2DCs2M0ASgAx5s9CNo1dIbqwJmb7OLlwm3G+
+Xx0JzN7eOOZdiFSPcyNoRwE6rKvrs2GtQ9LqWdkvVEuFjyIkl97cnoOkRIj5bAvN
+DfjfjmeBAoGBAP9rdEPjprVbEeAS+acLc/6oWlGqo23nO31IuUWHT10yxf0E5FIp
+waLJchqT+jD5tYehfZ1+OVtYiWWKBJIXnVK+a4rc/GIRWX/BRHMtWeenv7wR72pt
+1GRxp7yTZtj1AeJhuXcSHpntAo0kG6gHC/+FvbrNgyuSYn9siIa+C5RhAoGBAOkw
+RgOX7hXYzOSATbKZcnNFdPECYaBDjXV/Rcg966Ng4UcxWl3vJRYf3A55ehmc2Jdm
+CSqt6CrsR/RxKrljsCe7gD/GGEktV7fknnXC5Bfx3hUXQ4rATLx8xwlae+wc+ANM
+eaY1HB0KOGGGH2kT4l4UFChgnfpZN+vpel/cFkPvAoGBAJPqZZVfQ87o44wxUPSl
+FFKYql17BVQDQhdGw0x5lMNzQOdLKvJODj44jOTJZ21vXuoh4n4PeCXnOwJbkFQO
+auRdNChh26LrSzpJ8VsGG3elVMsUU+L9oa9dhncVoczo7mNslpxXGPOpJv4XuBBx
+rEgY6oxAscLM7k++yb3GVyxhAoGBAMK6lT0a+q8zxKZsnnWuvmyUa/t3SZ9TyiV8
+iwGU89oTZQzWoegfdJDtOg68UsJgwF5tzundICv39H6kolD+dnQ3l/mpq04wlzfx
+qoIcpe15BUQHkVelDm+4o12kOigKaPIYQt4RK9D0X/DQ2BofiMGXct3lEQemyZQv
+/Qlf+RfxAoGABBRf9DcyA/RdmTszqebfPPNmx7iHaNbrZ3Xbvyv3P5LkzXlFLTvA
+hDz/UqnVM7Bwe1OGeJYkXfmijRjpJ+U8dteb2YzZ3tnlzKwifz+051/LcjavX9X2
+5PuEB2Y65V0OWImIFVlLnp3MRyE4bImveBliWrTRQUVsxQt2WIDgThw=
 -----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.d/certs/carolCert.pem
index 2990d6a12..69e5c05e3 100644
--- a/testing/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.d/certs/carolCert.pem
+++ b/testing/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.d/certs/carolCert.pem
@@ -1,25 +1,25 @@
 -----BEGIN CERTIFICATE-----
-MIIELDCCAxSgAwIBAgIBATANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJDSDEZ
+MIIELDCCAxSgAwIBAgIBBjANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS
-BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTA1MDMyMzA3MDQyM1oXDTEwMDMyMjA3MDQy
-M1owWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP
+BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTEwMDQwNzA5MjA1N1oXDTE1MDQwNjA5MjA1
+N1owWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP
 BgNVBAsTCFJlc2VhcmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCC
-ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM+oTiV7lCh1ID41edDUgUjR
-dZwEMPBAM1xDqoxJxIJpug8UIuuUL0TvQnZ4Z5fa/9QNNCkQ7FDh8ZcR+TT8x0mO
-dYYA73mMQic0n4O57F+s/lESKvIoN+vIDR3rGJBv9rYztS4ODE+DJl9XK9TtId5u
-57jfXu/k3IYl5GeQ3f+ic2l2Ola70t70Op6cFDZIhOCjs2xWw2yqGdPWODaN/Enw
-5fOLv/om+7HHB4KgPGv4p4ohWIUCo2XK597Ii+jB2MdOUlG83/1aX7+M+IeYVwjI
-hzWjwRQfMz0AQha0HYN4cvrZ7stUluMxewsCROCBzcGQYTZxYU4FjR8nhH4ApYMC
-AwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSL
-qNn96rsWg0kOJY/cyXD2JpnPIjBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOio9tKOkESjZumThDvt1aFy
+dPDPNAhNrIon8aCvZMxFQBXsams1LOL47UKQEeOJcDUQ1s90P05vAwX+TwOA2nBD
+hgVBe8c+RsBRfERmxcszK7dgj5yrjwbJFrUJPem04KEPnrR7LpT5s7+z1n+pZYr9
+HyJTvYJd3c968frowQW98mgEJG9xs2LfaqTV3RES1B9vIeQGWh64DSrF6Xy/HY+n
+3MeSMGZ3UJoXS6YZIxvGNd7heB/2xxv3Vv0TNyGikmP8Z5ibgN5jn7mQkU9SM9Qz
+Qb2ZY1m3Dn93cbJ5w3AXeClhJhoze6UvhVs4e/ASuJb6b9NLML4eB0BMCZD66Y8C
+AwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBTE
+AO+W2V1eu0sjCQcfemzz9lSRvTBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p
 891UIKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3
-YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBDDAfBgNVHREEGDAWgRRj
+YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBIDAfBgNVHREEGDAWgRRj
 YXJvbEBzdHJvbmdzd2FuLm9yZzA3BgNVHR8EMDAuMCygKqAohiZodHRwOi8vY3Js
-LnN0cm9uZ3N3YW4ub3JnL3Jlc2VhcmNoLmNybDANBgkqhkiG9w0BAQUFAAOCAQEA
-FNPepmta0ac9TWe7Gl31fKkuf6ZiQftMwx/uq6PoX9PBVGeooktJMo+EiROQhL3N
-Zomtl2nLfxYruXPHa7YaMWyv4+3NkV9p7jseC1K/2lCXipY4Vp8u14hqlRLCTejp
-7uC/0+628e+qXlCm8wafDb9/JXzQar7rADhoLp7gJKI2PKMAzLUP2xZVzY5zx57G
-+OCR/ZXonVeAPy9/0g9N8uQzJEXOVZYMjsoRra9rdlvnY1DgDoAK7QvJMC4VzENm
-wKmz2rPrBlKaEcivubg7dwPMGNmb3f7F7w0HHuRbQd5Y0nDfEWBKCp0bVx1GLc7/
-MWjwPJs52qVJ3Ph++EF6bw==
+LnN0cm9uZ3N3YW4ub3JnL3Jlc2VhcmNoLmNybDANBgkqhkiG9w0BAQsFAAOCAQEA
+ajgFI8Kz611i0Ihu8+M1C2W1kFbL4EoYyon3trjRZ3Iqz6ksf9KSKCS6Fiylq4DG
+il0mtMtlP+HKcXzRgSY96M4CO73w26liwmZsFBNaZKI/5vKRPPLyU9raGshfpBeC
+CywZ4vcb+EViIPstzOYiK5y/1tSGsMEdnlX2JZsJAKhbLRTmC02O3MbGGBQQq1eU
+n1xkR8pndTWTJmFZ61fZlUMSwLgLF9/VchAa7cIdEA044OCtTdabiYoyLFmqDutq
+8GYvWOzLf2qOKcRxkHxPfeJDrWOLePEYnaMkSBkUKAUIkI+LaJbWF3ASTGgHqh2/
+pwU12A3BovJKUaR0B7Uy2A==
 -----END CERTIFICATE-----
diff --git a/testing/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.d/private/carolKey.pem
index b91f9bf81..53e18680b 100644
--- a/testing/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.d/private/carolKey.pem
+++ b/testing/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.d/private/carolKey.pem
@@ -1,27 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEogIBAAKCAQEAz6hOJXuUKHUgPjV50NSBSNF1nAQw8EAzXEOqjEnEgmm6DxQi
-65QvRO9Cdnhnl9r/1A00KRDsUOHxlxH5NPzHSY51hgDveYxCJzSfg7nsX6z+URIq
-8ig368gNHesYkG/2tjO1Lg4MT4MmX1cr1O0h3m7nuN9e7+TchiXkZ5Dd/6JzaXY6
-VrvS3vQ6npwUNkiE4KOzbFbDbKoZ09Y4No38SfDl84u/+ib7sccHgqA8a/iniiFY
-hQKjZcrn3siL6MHYx05SUbzf/Vpfv4z4h5hXCMiHNaPBFB8zPQBCFrQdg3hy+tnu
-y1SW4zF7CwJE4IHNwZBhNnFhTgWNHyeEfgClgwIDAQABAoIBAHXoftbRoIKIXtJz
-0sM8plwOctUvnAoOqhsNYN1fVXEnTzoYmOtirKRbpkVWgJu9Ad4J0UAwF76lTGQX
-FIV9sjqV5S09grxlY3qXaquE+i4pMA4gXro5E+eRI8GFJ+F7cX5rRcjsuRi8wyEH
-gh/YtY5zMqfKTUGxlXWmNlaH70WilianuMPNXwaKgyBGcfZdheyUggM0rYEJrG1Z
-PZqNo0JKfeI4htpENDp0k1xJ9lCjIqdNw0ZjBi+pL6hF5PYaPjlVC2yn5CzRaT1D
-nUeKUK+SVES4sPrEQtaOlk86uZC4pIz5IlEoSvaw/Yo3Gk1sQKIQMMh1crhHd0El
-U831KwECgYEA7fQY+aFk3fHabwgf9gjuPKgwetVQ8jNDWUiSqffHUC0AQfKZQQsF
-mXJeSRZomPCWG3DRz1EcqXr9f82bN295I0CI6foXZgKUmjed7Bohc0HvUqNOi2qm
-MdbdWBOaH4RBzi1fAENJZnprmq65jQ/tkfCwqIz4KaLt+8xiWmU2h6ECgYEA32gB
-UbCzs1LoJC03uGHqZFRWK/YNKOKBUw58XCnzPTA+34UupI88lPj8LD269tDtruRy
-G7wt4HjayPKtK430nKAl01IXq6ULBTByu3KrCOm/gTAycVMj4ZimTn7Qu9jyv4Lz
-Ka3rBQxB+yQWfn27dc7U+EBsA7PT53NR6Zl8CqMCgYALJYod93+AHho7ZUgKAHUY
-hlBvEJsQHXKkNhAYwjCmAtWmQTUIpPmILKFaDyCrOWnusyRA7+3FyqshV4JT4Hbu
-PdGsFDkQYEKRztUpADhc69PILTo6sa5DW2tW+uQXYdyrSdjPbFd943Iy9sheYUah
-tYKxApmFacp4JyTcUy1wwQKBgA44xLy6jvX/dR+4cS+frBgu9j1eMIBFyw3Kgkgr
-s3xVserww4NeSvEA2KzIUTqdGkRj7o+tbw43I1ZffH6lTskZuM63DyKyIv11lBgy
-uIicuMA0nUFxlXsrCIs+r3MF4I4oe+pPVALCQQEHzxbGUkSxogUbtMSXkgnN4Y0J
-ZEgZAoGAfo0nv/IeKi0KkKiPTQSGVWGAQyCpGE0UQ2RYYToT84kjXs+LrVGFH2lu
-LJvyYnSnM7eKqCFKh+kLQ3bezum56y5XTyAEipTmu7Lhp0CiVjSdnu+0QykmhKsx
-Z17Ut2ryGKOXySnlMNual4eCLq98o0iOcYPq08V6x33dhK7Z3kU=
+MIIEpQIBAAKCAQEA6Kj20o6QRKNm6ZOEO+3VoXJ08M80CE2siifxoK9kzEVAFexq
+azUs4vjtQpAR44lwNRDWz3Q/Tm8DBf5PA4DacEOGBUF7xz5GwFF8RGbFyzMrt2CP
+nKuPBskWtQk96bTgoQ+etHsulPmzv7PWf6lliv0fIlO9gl3dz3rx+ujBBb3yaAQk
+b3GzYt9qpNXdERLUH28h5AZaHrgNKsXpfL8dj6fcx5IwZndQmhdLphkjG8Y13uF4
+H/bHG/dW/RM3IaKSY/xnmJuA3mOfuZCRT1Iz1DNBvZljWbcOf3dxsnnDcBd4KWEm
+GjN7pS+FWzh78BK4lvpv00swvh4HQEwJkPrpjwIDAQABAoIBAQCGhpwg5znX1jt9
+N0SwejaaIVoom0ZUvsTTJYF7Da9UxX3mr0phLuADZTea0z7kt+VfaZsrXOX17g5r
+er4pImorm390roZpkELMlNEro9keQzo1z+l6B2Ct5bvxdaSM638u4Z88cDVhAnjC
+kbOnIUWLdgx4hr7/EFNe0pH0KHzjWfS4YMUXZFYER3W+lQ68j3U/iFdCsMdABrLV
+BnKozAUOWTHeZc+8Ca0MFWChrj9b2DCs2M0ASgAx5s9CNo1dIbqwJmb7OLlwm3G+
+Xx0JzN7eOOZdiFSPcyNoRwE6rKvrs2GtQ9LqWdkvVEuFjyIkl97cnoOkRIj5bAvN
+DfjfjmeBAoGBAP9rdEPjprVbEeAS+acLc/6oWlGqo23nO31IuUWHT10yxf0E5FIp
+waLJchqT+jD5tYehfZ1+OVtYiWWKBJIXnVK+a4rc/GIRWX/BRHMtWeenv7wR72pt
+1GRxp7yTZtj1AeJhuXcSHpntAo0kG6gHC/+FvbrNgyuSYn9siIa+C5RhAoGBAOkw
+RgOX7hXYzOSATbKZcnNFdPECYaBDjXV/Rcg966Ng4UcxWl3vJRYf3A55ehmc2Jdm
+CSqt6CrsR/RxKrljsCe7gD/GGEktV7fknnXC5Bfx3hUXQ4rATLx8xwlae+wc+ANM
+eaY1HB0KOGGGH2kT4l4UFChgnfpZN+vpel/cFkPvAoGBAJPqZZVfQ87o44wxUPSl
+FFKYql17BVQDQhdGw0x5lMNzQOdLKvJODj44jOTJZ21vXuoh4n4PeCXnOwJbkFQO
+auRdNChh26LrSzpJ8VsGG3elVMsUU+L9oa9dhncVoczo7mNslpxXGPOpJv4XuBBx
+rEgY6oxAscLM7k++yb3GVyxhAoGBAMK6lT0a+q8zxKZsnnWuvmyUa/t3SZ9TyiV8
+iwGU89oTZQzWoegfdJDtOg68UsJgwF5tzundICv39H6kolD+dnQ3l/mpq04wlzfx
+qoIcpe15BUQHkVelDm+4o12kOigKaPIYQt4RK9D0X/DQ2BofiMGXct3lEQemyZQv
+/Qlf+RfxAoGABBRf9DcyA/RdmTszqebfPPNmx7iHaNbrZ3Xbvyv3P5LkzXlFLTvA
+hDz/UqnVM7Bwe1OGeJYkXfmijRjpJ+U8dteb2YzZ3tnlzKwifz+051/LcjavX9X2
+5PuEB2Y65V0OWImIFVlLnp3MRyE4bImveBliWrTRQUVsxQt2WIDgThw=
 -----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev1/multi-level-ca-strict/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/ikev1/multi-level-ca-strict/hosts/dave/etc/ipsec.d/certs/daveCert.pem
index b76032480..91df37a81 100644
--- a/testing/tests/ikev1/multi-level-ca-strict/hosts/dave/etc/ipsec.d/certs/daveCert.pem
+++ b/testing/tests/ikev1/multi-level-ca-strict/hosts/dave/etc/ipsec.d/certs/daveCert.pem
@@ -1,24 +1,24 @@
 -----BEGIN CERTIFICATE-----
-MIIEHDCCAwSgAwIBAgIBATANBgkqhkiG9w0BAQUFADBLMQswCQYDVQQGEwJDSDEZ
+MIIEHDCCAwSgAwIBAgIBBTANBgkqhkiG9w0BAQsFADBLMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEOMAwGA1UECxMFU2FsZXMxETAPBgNV
-BAMTCFNhbGVzIENBMB4XDTA1MDMyMzA3MTAxN1oXDTEwMDMyMjA3MTAxN1owVjEL
+BAMTCFNhbGVzIENBMB4XDTEwMDQwNzA5NDI0MVoXDTE1MDQwNjA5NDI0MVowVjEL
 MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsT
 BVNhbGVzMRwwGgYDVQQDFBNkYXZlQHN0cm9uZ3N3YW4ub3JnMIIBIjANBgkqhkiG
-9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyqAR0itGIuSt/RR8IHjFTLH/lywprmHUw0GS
-zZwo/q4AE4v6OeWRG3JUUg44K40yBwr7zvcsLztRTfbNqlt7o+Hjpo3kz0AMwDo+
-1V42Qkh61VJW1P0NQvkgjiQn+ElSMg1u3uiYCIMAhYMYo2ZMKxHXxRqjU79AVuJN
-P3p8wUpfwReImAy3/n685YbSzWcbPqCfjRH/YrnYS8Ga7m/QzdNfrtxhAWAGow1+
-+eTSMvLXSkQeujU6OCJNOPUNB3nnJ1IoZrQm8wNP8Y5B5HzvOSyFEvNuHFc63gSP
-aSRhuz0gubuMpr1d9Rgjny8JgsfCEbOktlKwnbFeSB8AAgVMjwIDAQABo4H/MIH8
-MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSCy57rUdNRbytUkRGY
-GjmjvXfIszBtBgNVHSMEZjBkgBRfmxNG+SByyADViLWnTC6X6guTKKFJpEcwRTEL
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEAztqGSb3H9Xh6I4xiDkmsN5WRjKnEQfSRZsSi
+0umR7a1jysVvMgLKnmk2hAMJkDTjBXndEemnLiXemxNq4Wp3x0ZgpNWC6y1klZY6
+J7T76/4YhpIIs8HA1+ZiIAEhYCkeqy/ULPk0qa6yK6Ma2FKLEC4wz6OBbjhctqLz
+VsxxKDkLaivnJ16bX8CCNsCq86Ba64m6K1Mpsev5RKnOz0Ey1WwBhgLmipZRgAMH
+K6yPTRaOccvFVrOpi1bfprKXkrCYt6sQoDjbfheZ/tKyW2iJ+WbH0lsA4NbPi1s/
+5/rOIH+16CGfanXiZvZ7NbxLyb8ffPIXFxDTqiS8wFreRZR85wIDAQABo4H/MIH8
+MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBRnEIHshwPhDDGr3xLV
+MnUEbroVIjBtBgNVHSMEZjBkgBRfmxNG+SByyADViLWnTC6X6guTKKFJpEcwRTEL
 MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT
-EnN0cm9uZ1N3YW4gUm9vdCBDQYIBDTAeBgNVHREEFzAVgRNkYXZlQHN0cm9uZ3N3
+EnN0cm9uZ1N3YW4gUm9vdCBDQYIBITAeBgNVHREEFzAVgRNkYXZlQHN0cm9uZ3N3
 YW4ub3JnMDQGA1UdHwQtMCswKaAnoCWGI2h0dHA6Ly9jcmwuc3Ryb25nc3dhbi5v
-cmcvc2FsZXMuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQB+BknSxFKaDhbRVobOAU2P
-p9cirkVCitoZrvK2QIS/7WRoqy85RQ+zorJb3jyTxQl4Pu9Qrap9Zn0H8GQXGlQw
-ZJqdDqRaIa4nCc57qP5DsuQKIQRxc1QMCiWyIRAESn+r8IbxLbjvEd7ZXNsieip6
-Q15uUZldjTveHVi89i9oFWS1nWo4SV+tJaEqPBvsTZZKBPAEu6+7lRzbJ4ukzRsA
-DjuvmaPNUTyf21fD66I4sgrwgxoPhZ7r6qsqISJ5f0EzTXgYNi1yk/TXoAaot3c/
-Gu5+iyO/espV6kPADSOzPSFwsGHYG4kXi1VY0Z7x6UnjQSdEelOBplJ5XYDzEn4+
+cmcvc2FsZXMuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQB5H5jjp9LvEDyJp/3x7Caq
+OhIBSl5n3g7Oi1gXT5GHLBh9/l5i6Swk1eey2oMzpHgsdDogLytlvzRKXupJAZt5
+xWab5I7BfichRCV4bOutN/F8DiNChG0SnYEBizRi5K06LAadtDT0NLv7iE/I49Nb
+E8OdqnET1zHq82mbtVZCEzmRe+cmlB7EeECED+GxTOnYLRWeKg+AWIE4/fLN7s0e
+q94lSUtym71LZ9kmMMAHkIyEbblvVIa7k5j4T6j0XwPPcYVMSjogqeze+qbf3EQ+
+JkRlGdzL/17ToLWYnVwkLqQDn6B+RfwnPk2EXndutPrNz6C3Wy7zNNniciAtXAq+
 -----END CERTIFICATE-----
diff --git a/testing/tests/ikev1/multi-level-ca-strict/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/ikev1/multi-level-ca-strict/hosts/dave/etc/ipsec.d/private/daveKey.pem
index 022436de4..86740e86a 100644
--- a/testing/tests/ikev1/multi-level-ca-strict/hosts/dave/etc/ipsec.d/private/daveKey.pem
+++ b/testing/tests/ikev1/multi-level-ca-strict/hosts/dave/etc/ipsec.d/private/daveKey.pem
@@ -1,27 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEAyqAR0itGIuSt/RR8IHjFTLH/lywprmHUw0GSzZwo/q4AE4v6
-OeWRG3JUUg44K40yBwr7zvcsLztRTfbNqlt7o+Hjpo3kz0AMwDo+1V42Qkh61VJW
-1P0NQvkgjiQn+ElSMg1u3uiYCIMAhYMYo2ZMKxHXxRqjU79AVuJNP3p8wUpfwReI
-mAy3/n685YbSzWcbPqCfjRH/YrnYS8Ga7m/QzdNfrtxhAWAGow1++eTSMvLXSkQe
-ujU6OCJNOPUNB3nnJ1IoZrQm8wNP8Y5B5HzvOSyFEvNuHFc63gSPaSRhuz0gubuM
-pr1d9Rgjny8JgsfCEbOktlKwnbFeSB8AAgVMjwIDAQABAoIBAHKaRFoVpa6Ynpu0
-mVwYUqdFSaVsEgsSRC9HiEuIllsteNeVZSqX4BGhAXYDmttvGauIF9IAVNpF939c
-JwjCg1S2r3aFbLOXq16R0vYFOjUVH3xF/NysX3LQywv6AS1Z8wZiOKIU9eBij8nz
-0tygQFZf2iUeIuB8HFzH1B8iHSuI7qn6hh1Y9Zgx4kWYL9I+WYefbR906xveHVGq
-8VrgHtBAn1WeWg7FoN1VURW0s1bxkiWtpF9x9OMmwK4qR8HSCilss59V1eJrAAR0
-3FGdWwbbGg9hW0adnyDCtoaYW3r0WcXwqklyas4C+dClOpUInn8kZisoghQYT92u
-U2QeDzECgYEA5Rv7+rP9HX1pNd9NQwOyIHztv4jfx60gybioogtCeRZUwPQ3GtXJ
-Q0ouBxCVLdyCImIKcvd2q2b9HZE8tvOHBA/YxofH4miEN5GWA4aL+LcGrxIbxPWs
-MEkxgQwsyK7lWH47fG7eW86LMx0VikFXS1EeeZZS3f3Avaww1uRtXecCgYEA4mhS
-sAClZamGVWQ7VXCHuS4xHn/gPA4TCyoR5l9g9pwregGKxsROQVIFQCDMd9eTtS6B
-oqoUTHdg0TlujHVUojdwHtgDaqDMTk+RXD9qy2Wob9HQVBlIwgijoLb+OjwdoAj7
-1OQx8FmMjAlMmlyJ50e1FnbNJFEJ1EMgV5QxtxkCgYEArdUeyehYy1BFTJ/CIm+i
-bm37gdDbYchlUUivgkuiwvcDlWd2jADbdRfKdofJeIOPpYDXxsUmIATDVfTFqVZ7
-AcT4SCHrskh00SjANqqWdz5/bsQBl96DKBvQ2MYhEJ9K2mrkvZPtWKENEtolZsIO
-9tF0mvJIq7CF1iPY5qNoq88CgYEAoZhELErJwl3U+22my7ydopZNiK9MpJCHFxjX
-3c2Fr36XqWUgX+4MzKJ2DOdcCM1dJ5wh+q/Z/RnXiH2tYaL83SskY19aUOij6eDw
-px68YqAUMHtYbi39uD/iSftSSM5PdsHyvGiDHEFOB0U735Dc/K45mecBVEJi+ZVP
-qDKlqUECgYA1DcGOWM3P3XdB7zKy47LcankMtFZozEOLTUdGJRlmWrLdcRlZPKjt
-/ALripehesp1++VtmttWQJX7uI3gveD07/tSKeMHmIoKappjRTrcaA7Pa5+z/xS/
-UhRmZUFOJwNLzy3jdv5f2c/5SIz6o4Ae3I+Zb+IapHL+lBv146/I5g==
+MIIEpQIBAAKCAQEAztqGSb3H9Xh6I4xiDkmsN5WRjKnEQfSRZsSi0umR7a1jysVv
+MgLKnmk2hAMJkDTjBXndEemnLiXemxNq4Wp3x0ZgpNWC6y1klZY6J7T76/4YhpII
+s8HA1+ZiIAEhYCkeqy/ULPk0qa6yK6Ma2FKLEC4wz6OBbjhctqLzVsxxKDkLaivn
+J16bX8CCNsCq86Ba64m6K1Mpsev5RKnOz0Ey1WwBhgLmipZRgAMHK6yPTRaOccvF
+VrOpi1bfprKXkrCYt6sQoDjbfheZ/tKyW2iJ+WbH0lsA4NbPi1s/5/rOIH+16CGf
+anXiZvZ7NbxLyb8ffPIXFxDTqiS8wFreRZR85wIDAQABAoIBAQCZSpoP1cN0Zvbk
+lykne3NTsdSuEDUvx4VlSj173bnWEBOO9idEQYtUP5Y12GZi5r6ClV+94ZCSA2Bn
+PcmMCTGAjOgb31po3DfZHv4z5Mx4g9I7D8fBJsm5dbKsEwpfz7k5lXVAauGbCaph
+6jp/qxQBRqnHhlzpiH00n6eDYHhPHDoFHe+vGbnjWzJKsvs6EZiXpfJ/WKd1eQah
+sGF7g+9qV5xqwshCBKf25LZ2XjdvZDt78HS4hsSaStnemetK9NVJGJqmLzehQ16m
+RXAr8Ybk9g7/MSFhpwGPGjcqm2/szL4Cs9IMtYSxiroY3QL+DZydG9+K9g5NF7lX
+lbEX9HXRAoGBAOduCSLaoEJsgZathny9kSsBtDmTAuiVZukqRdMjDN2I0kOsRsIw
+CEF1DIvFsX7nfHkKve8+XyTc05y7LTXmX1AEjMgzFel7uy5HjS7AsJZgTippC8g/
+l2jGq+s59zATNZ2el9Q9dbeK2lBdrVy+jqNITdQge9BigFfhWbkAGFRPAoGBAOTQ
+if2+Yrh0zDPO53I6kShehaZvNtPmQxmmhvH4HGMY8EyRajFOSMpV1w3VYDuTA47v
+yol+90BWMY8ZslrXq+Bmwx2ocSc2feyUYcJoOoRL/b+b1lY2Vnog3Hs5BQLsULzH
+dwkEuK8wjjw1g4ksuIMbX/X9nEvJs0xemzh7Ju/pAoGACNI24u82YJHGNroSgDqx
+h9QezHsAB2F6dLS5yJxzZxZJ/W5ZnBk8l1Ig0ksMwuuL4Qk5yB62fa81GapAxOct
+Bt3Fh/P6h9XBgrgTd468rF6rXA549n8GBGZeMy8Ybuqshn9/BgX5sK9INvv7Gafh
+w/ODk+xRC9ZVUgQy6UxJoR0CgYEAybmYjl40xo4iIWK95ZUAuGhsx8iwu6v7aDfK
+LLUiwbMQ11A0IPf1cHyxNf7x8lOwBWoeU43eCZhz5Mcw2KnfW9z9E76W041VAyfl
+7/DX9h7QvQZ0tlj9cHpcJz6jzmns3CG2Lfs9nyXdn/NF3b/Rg7S0qzhFfQN70U5u
+5iKct1ECgYEAmR/0IbYGh1YJ7Z9im44MTSz6H7bTnmIDjM3/+IVydSVgFbzcoVG6
+4sQ5fIViMLtz9PHDRRKbs8TBzpy7C/wC1qRqpq9I17INSQzvm3DpZ2PlR0SeN2dA
+fO9XtkE73cEff/gI7JWOouy/vczizfRemnWlNK5Ui29Fe0QlGC9TyX0=
 -----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev1/multi-level-ca-strict/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem b/testing/tests/ikev1/multi-level-ca-strict/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem
index 154cff654..d53365f78 100644
--- a/testing/tests/ikev1/multi-level-ca-strict/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem
+++ b/testing/tests/ikev1/multi-level-ca-strict/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem
@@ -1,7 +1,7 @@
 -----BEGIN CERTIFICATE-----
-MIIDwTCCAqmgAwIBAgIBDzANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
+MIIDwTCCAqmgAwIBAgIBIDANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA1MDYyMTE5NTgwNloXDTEwMDYyMDE5NTgwNlowUTELMAkGA1UE
+b290IENBMB4XDTEwMDQwNjA5NTM1MFoXDTE5MDQwNDA5NTM1MFowUTELMAkGA1UE
 BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
 cmNoMRQwEgYDVQQDEwtSZXNlYXJjaCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP
 ADCCAQoCggEBALY5sjqm4AdbWKc/T7JahWpy9xtdPbHngBN6lbnpYaHfrxnGsvmD
@@ -13,11 +13,11 @@ C+25IuE8Nq+i3jtBiI8BwBqHY3u2IuflUh9Nc9d/R6vGsRPMHs30X1Ha/m0Ug494
 BTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU53XwoPKtIM3NYCPMx8gPKfPd
 VCAwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNV
 BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJv
-bmdTd2FuIFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQEEBQADggEBAHArS2trQnBoMVcg
-Br3HV78wYsa1MNAQCBAPhKMMd6EziO4FTwgNgecbKXpObX6ErFDgjtVTcLOMTvNX
-fvZoNuPpdcitlgcWjfxZafNbj6j9ClE/rMbGDO64NLhdXuPVkbmic6yXRwGZpTuq
-3CKgTguLvhzIEM47yfonXKaaJcKVPI7nYRZdlJmD4VflYrSUpzB361dCaPpl0AYa
-0zz1+jfBBvlyic/tf+cCngV3f+GlJ4ntZ3gvRjyysHRmYpWBD7xcA8mJzgUiMyi1
-IKeNzydp+tnLfxwetfA/8ptc346me7RktAaASqO9vpS/N78eXyJRthZTKEf/OqVW
-Tfcyi+M=
+bmdTd2FuIFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQELBQADggEBAI1toW0bLcyBXAoy
+FeLKGy4SibcNBZs/roChcwUav0foyLdCYMYFKEeHOLvIsTIjifpY4MPy3SBgQ5Xp
+cs5vOFwW97jM6YfByqjx4+7qTBqOaLMXBbeJ3LIwQyJirpqHZzlsOscchxCjcMAM
+POBGmWjpdOqULoLlwX9EFhBA2rEZB1iamgbUJ5M5eRNEubm8xR6Baw/0ORz/tt+t
+xC9jxcjHoJnOFV0ss7Xs3d32PqhvKGgBxjVLZyq3zD/rMG2xXVyKPU46zelMCP1U
+dsM62tL1cwAi4soka02GQrP/rwBhHt22bJMN4gNs5NSvhTdjjgwVYzLu63IFYBvW
+8sFmiZI=
 -----END CERTIFICATE-----
diff --git a/testing/tests/ikev1/multi-level-ca-strict/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem b/testing/tests/ikev1/multi-level-ca-strict/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem
index e50477872..a10a18cba 100644
--- a/testing/tests/ikev1/multi-level-ca-strict/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem
+++ b/testing/tests/ikev1/multi-level-ca-strict/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem
@@ -1,7 +1,7 @@
 -----BEGIN CERTIFICATE-----
-MIIDuzCCAqOgAwIBAgIBDTANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJDSDEZ
+MIIDuzCCAqOgAwIBAgIBITANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA1MDMyMzA2MjkxNloXDTE0MDMyMTA2MjkxNlowSzELMAkGA1UE
+b290IENBMB4XDTEwMDQwNjA5NTQzM1oXDTE5MDQwNDA5NTQzM1owSzELMAkGA1UE
 BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsTBVNhbGVz
 MREwDwYDVQQDEwhTYWxlcyBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
 ggEBAMJOTSaZjDe5UR+hJbodcE40WBxWm+r0FiD+FLc2c0hH/QcWm1Xfqnc9qaPP
@@ -13,10 +13,10 @@ vPAqzrekOI/RV9Hre9L1r8X1dIECAwEAAaOBrzCBrDAPBgNVHRMBAf8EBTADAQH/
 MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUX5sTRvkgcsgA1Yi1p0wul+oLkygwbQYD
 VR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNI
 MRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2Fu
-IFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQEFBQADggEBAJ7j3X20Q8ICJ2e+iUCpVUIV
-8RudUeHt9qjSXalohuxxhegL5vu7I9Gx0H56RE4glOjLMCb1xqVZ55Odxx14pHaZ
-9iMnQFpgzi96exYAmBKYCHl4IFix2hrTqTWSJhEO+o+PXnQTgcfG43GQepk0qAQr
-iZZy8OWiUhHSJQLJtTMm4rnYjgPn+sLwx7hCPDZpHTZocETDars7wTiVkodCbeEU
-uKahAbq4b6MvvC3+7quvwoEpAEStT7+Yml+QuK/jKmhjX0hcQcw4ZWi+m32RjUAv
-xDJGEvBqV2hyrzRqwh4lVNJEBba5X+QB3N6a0So6BENaJrUM3v8EDaS2KLUWyu0=
+IFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQELBQADggEBACRlTqXMjHy7r7rWnq/09yFn
+Td6d+y6KkHj9kvYSA5q7xYdmP3I4+YP2qpPnYjSeyfMCl4ZIyMXnfUbz5OvuXp4S
+CS0gIUJ6mK6+5f1a3USdB4Ce0Od4mkUIQmLzKFCRSqdhWoVzNJrl+BT1a5d9+aLW
+AL5S2pqUoQPgG64MPghy3SyUb4qBeplk3JdR/6OgA5LQeNtLiI7Y/dbMM2Rvn284
+RIIxp2TqN2Hup6BNLHv6fLixdJpM+nG7ZjGYf+7dnuY6ZDhvIt18zr/2n1ELBQPh
+M5SjYhGQIZVmNzNDrKGVAKta5LG8BwBGi0uXc9fBXWRcffI3N1/IZj/ob5t3WCg=
 -----END CERTIFICATE-----
diff --git a/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.d/certs/carolCert.pem
index 2990d6a12..69e5c05e3 100644
--- a/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.d/certs/carolCert.pem
+++ b/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.d/certs/carolCert.pem
@@ -1,25 +1,25 @@
 -----BEGIN CERTIFICATE-----
-MIIELDCCAxSgAwIBAgIBATANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJDSDEZ
+MIIELDCCAxSgAwIBAgIBBjANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS
-BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTA1MDMyMzA3MDQyM1oXDTEwMDMyMjA3MDQy
-M1owWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP
+BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTEwMDQwNzA5MjA1N1oXDTE1MDQwNjA5MjA1
+N1owWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP
 BgNVBAsTCFJlc2VhcmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCC
-ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM+oTiV7lCh1ID41edDUgUjR
-dZwEMPBAM1xDqoxJxIJpug8UIuuUL0TvQnZ4Z5fa/9QNNCkQ7FDh8ZcR+TT8x0mO
-dYYA73mMQic0n4O57F+s/lESKvIoN+vIDR3rGJBv9rYztS4ODE+DJl9XK9TtId5u
-57jfXu/k3IYl5GeQ3f+ic2l2Ola70t70Op6cFDZIhOCjs2xWw2yqGdPWODaN/Enw
-5fOLv/om+7HHB4KgPGv4p4ohWIUCo2XK597Ii+jB2MdOUlG83/1aX7+M+IeYVwjI
-hzWjwRQfMz0AQha0HYN4cvrZ7stUluMxewsCROCBzcGQYTZxYU4FjR8nhH4ApYMC
-AwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSL
-qNn96rsWg0kOJY/cyXD2JpnPIjBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOio9tKOkESjZumThDvt1aFy
+dPDPNAhNrIon8aCvZMxFQBXsams1LOL47UKQEeOJcDUQ1s90P05vAwX+TwOA2nBD
+hgVBe8c+RsBRfERmxcszK7dgj5yrjwbJFrUJPem04KEPnrR7LpT5s7+z1n+pZYr9
+HyJTvYJd3c968frowQW98mgEJG9xs2LfaqTV3RES1B9vIeQGWh64DSrF6Xy/HY+n
+3MeSMGZ3UJoXS6YZIxvGNd7heB/2xxv3Vv0TNyGikmP8Z5ibgN5jn7mQkU9SM9Qz
+Qb2ZY1m3Dn93cbJ5w3AXeClhJhoze6UvhVs4e/ASuJb6b9NLML4eB0BMCZD66Y8C
+AwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBTE
+AO+W2V1eu0sjCQcfemzz9lSRvTBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p
 891UIKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3
-YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBDDAfBgNVHREEGDAWgRRj
+YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBIDAfBgNVHREEGDAWgRRj
 YXJvbEBzdHJvbmdzd2FuLm9yZzA3BgNVHR8EMDAuMCygKqAohiZodHRwOi8vY3Js
-LnN0cm9uZ3N3YW4ub3JnL3Jlc2VhcmNoLmNybDANBgkqhkiG9w0BAQUFAAOCAQEA
-FNPepmta0ac9TWe7Gl31fKkuf6ZiQftMwx/uq6PoX9PBVGeooktJMo+EiROQhL3N
-Zomtl2nLfxYruXPHa7YaMWyv4+3NkV9p7jseC1K/2lCXipY4Vp8u14hqlRLCTejp
-7uC/0+628e+qXlCm8wafDb9/JXzQar7rADhoLp7gJKI2PKMAzLUP2xZVzY5zx57G
-+OCR/ZXonVeAPy9/0g9N8uQzJEXOVZYMjsoRra9rdlvnY1DgDoAK7QvJMC4VzENm
-wKmz2rPrBlKaEcivubg7dwPMGNmb3f7F7w0HHuRbQd5Y0nDfEWBKCp0bVx1GLc7/
-MWjwPJs52qVJ3Ph++EF6bw==
+LnN0cm9uZ3N3YW4ub3JnL3Jlc2VhcmNoLmNybDANBgkqhkiG9w0BAQsFAAOCAQEA
+ajgFI8Kz611i0Ihu8+M1C2W1kFbL4EoYyon3trjRZ3Iqz6ksf9KSKCS6Fiylq4DG
+il0mtMtlP+HKcXzRgSY96M4CO73w26liwmZsFBNaZKI/5vKRPPLyU9raGshfpBeC
+CywZ4vcb+EViIPstzOYiK5y/1tSGsMEdnlX2JZsJAKhbLRTmC02O3MbGGBQQq1eU
+n1xkR8pndTWTJmFZ61fZlUMSwLgLF9/VchAa7cIdEA044OCtTdabiYoyLFmqDutq
+8GYvWOzLf2qOKcRxkHxPfeJDrWOLePEYnaMkSBkUKAUIkI+LaJbWF3ASTGgHqh2/
+pwU12A3BovJKUaR0B7Uy2A==
 -----END CERTIFICATE-----
diff --git a/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.d/private/carolKey.pem
index b91f9bf81..53e18680b 100644
--- a/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.d/private/carolKey.pem
+++ b/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.d/private/carolKey.pem
@@ -1,27 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEogIBAAKCAQEAz6hOJXuUKHUgPjV50NSBSNF1nAQw8EAzXEOqjEnEgmm6DxQi
-65QvRO9Cdnhnl9r/1A00KRDsUOHxlxH5NPzHSY51hgDveYxCJzSfg7nsX6z+URIq
-8ig368gNHesYkG/2tjO1Lg4MT4MmX1cr1O0h3m7nuN9e7+TchiXkZ5Dd/6JzaXY6
-VrvS3vQ6npwUNkiE4KOzbFbDbKoZ09Y4No38SfDl84u/+ib7sccHgqA8a/iniiFY
-hQKjZcrn3siL6MHYx05SUbzf/Vpfv4z4h5hXCMiHNaPBFB8zPQBCFrQdg3hy+tnu
-y1SW4zF7CwJE4IHNwZBhNnFhTgWNHyeEfgClgwIDAQABAoIBAHXoftbRoIKIXtJz
-0sM8plwOctUvnAoOqhsNYN1fVXEnTzoYmOtirKRbpkVWgJu9Ad4J0UAwF76lTGQX
-FIV9sjqV5S09grxlY3qXaquE+i4pMA4gXro5E+eRI8GFJ+F7cX5rRcjsuRi8wyEH
-gh/YtY5zMqfKTUGxlXWmNlaH70WilianuMPNXwaKgyBGcfZdheyUggM0rYEJrG1Z
-PZqNo0JKfeI4htpENDp0k1xJ9lCjIqdNw0ZjBi+pL6hF5PYaPjlVC2yn5CzRaT1D
-nUeKUK+SVES4sPrEQtaOlk86uZC4pIz5IlEoSvaw/Yo3Gk1sQKIQMMh1crhHd0El
-U831KwECgYEA7fQY+aFk3fHabwgf9gjuPKgwetVQ8jNDWUiSqffHUC0AQfKZQQsF
-mXJeSRZomPCWG3DRz1EcqXr9f82bN295I0CI6foXZgKUmjed7Bohc0HvUqNOi2qm
-MdbdWBOaH4RBzi1fAENJZnprmq65jQ/tkfCwqIz4KaLt+8xiWmU2h6ECgYEA32gB
-UbCzs1LoJC03uGHqZFRWK/YNKOKBUw58XCnzPTA+34UupI88lPj8LD269tDtruRy
-G7wt4HjayPKtK430nKAl01IXq6ULBTByu3KrCOm/gTAycVMj4ZimTn7Qu9jyv4Lz
-Ka3rBQxB+yQWfn27dc7U+EBsA7PT53NR6Zl8CqMCgYALJYod93+AHho7ZUgKAHUY
-hlBvEJsQHXKkNhAYwjCmAtWmQTUIpPmILKFaDyCrOWnusyRA7+3FyqshV4JT4Hbu
-PdGsFDkQYEKRztUpADhc69PILTo6sa5DW2tW+uQXYdyrSdjPbFd943Iy9sheYUah
-tYKxApmFacp4JyTcUy1wwQKBgA44xLy6jvX/dR+4cS+frBgu9j1eMIBFyw3Kgkgr
-s3xVserww4NeSvEA2KzIUTqdGkRj7o+tbw43I1ZffH6lTskZuM63DyKyIv11lBgy
-uIicuMA0nUFxlXsrCIs+r3MF4I4oe+pPVALCQQEHzxbGUkSxogUbtMSXkgnN4Y0J
-ZEgZAoGAfo0nv/IeKi0KkKiPTQSGVWGAQyCpGE0UQ2RYYToT84kjXs+LrVGFH2lu
-LJvyYnSnM7eKqCFKh+kLQ3bezum56y5XTyAEipTmu7Lhp0CiVjSdnu+0QykmhKsx
-Z17Ut2ryGKOXySnlMNual4eCLq98o0iOcYPq08V6x33dhK7Z3kU=
+MIIEpQIBAAKCAQEA6Kj20o6QRKNm6ZOEO+3VoXJ08M80CE2siifxoK9kzEVAFexq
+azUs4vjtQpAR44lwNRDWz3Q/Tm8DBf5PA4DacEOGBUF7xz5GwFF8RGbFyzMrt2CP
+nKuPBskWtQk96bTgoQ+etHsulPmzv7PWf6lliv0fIlO9gl3dz3rx+ujBBb3yaAQk
+b3GzYt9qpNXdERLUH28h5AZaHrgNKsXpfL8dj6fcx5IwZndQmhdLphkjG8Y13uF4
+H/bHG/dW/RM3IaKSY/xnmJuA3mOfuZCRT1Iz1DNBvZljWbcOf3dxsnnDcBd4KWEm
+GjN7pS+FWzh78BK4lvpv00swvh4HQEwJkPrpjwIDAQABAoIBAQCGhpwg5znX1jt9
+N0SwejaaIVoom0ZUvsTTJYF7Da9UxX3mr0phLuADZTea0z7kt+VfaZsrXOX17g5r
+er4pImorm390roZpkELMlNEro9keQzo1z+l6B2Ct5bvxdaSM638u4Z88cDVhAnjC
+kbOnIUWLdgx4hr7/EFNe0pH0KHzjWfS4YMUXZFYER3W+lQ68j3U/iFdCsMdABrLV
+BnKozAUOWTHeZc+8Ca0MFWChrj9b2DCs2M0ASgAx5s9CNo1dIbqwJmb7OLlwm3G+
+Xx0JzN7eOOZdiFSPcyNoRwE6rKvrs2GtQ9LqWdkvVEuFjyIkl97cnoOkRIj5bAvN
+DfjfjmeBAoGBAP9rdEPjprVbEeAS+acLc/6oWlGqo23nO31IuUWHT10yxf0E5FIp
+waLJchqT+jD5tYehfZ1+OVtYiWWKBJIXnVK+a4rc/GIRWX/BRHMtWeenv7wR72pt
+1GRxp7yTZtj1AeJhuXcSHpntAo0kG6gHC/+FvbrNgyuSYn9siIa+C5RhAoGBAOkw
+RgOX7hXYzOSATbKZcnNFdPECYaBDjXV/Rcg966Ng4UcxWl3vJRYf3A55ehmc2Jdm
+CSqt6CrsR/RxKrljsCe7gD/GGEktV7fknnXC5Bfx3hUXQ4rATLx8xwlae+wc+ANM
+eaY1HB0KOGGGH2kT4l4UFChgnfpZN+vpel/cFkPvAoGBAJPqZZVfQ87o44wxUPSl
+FFKYql17BVQDQhdGw0x5lMNzQOdLKvJODj44jOTJZ21vXuoh4n4PeCXnOwJbkFQO
+auRdNChh26LrSzpJ8VsGG3elVMsUU+L9oa9dhncVoczo7mNslpxXGPOpJv4XuBBx
+rEgY6oxAscLM7k++yb3GVyxhAoGBAMK6lT0a+q8zxKZsnnWuvmyUa/t3SZ9TyiV8
+iwGU89oTZQzWoegfdJDtOg68UsJgwF5tzundICv39H6kolD+dnQ3l/mpq04wlzfx
+qoIcpe15BUQHkVelDm+4o12kOigKaPIYQt4RK9D0X/DQ2BofiMGXct3lEQemyZQv
+/Qlf+RfxAoGABBRf9DcyA/RdmTszqebfPPNmx7iHaNbrZ3Xbvyv3P5LkzXlFLTvA
+hDz/UqnVM7Bwe1OGeJYkXfmijRjpJ+U8dteb2YzZ3tnlzKwifz+051/LcjavX9X2
+5PuEB2Y65V0OWImIFVlLnp3MRyE4bImveBliWrTRQUVsxQt2WIDgThw=
 -----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev1/multi-level-ca/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/ikev1/multi-level-ca/hosts/dave/etc/ipsec.d/certs/daveCert.pem
index b76032480..91df37a81 100644
--- a/testing/tests/ikev1/multi-level-ca/hosts/dave/etc/ipsec.d/certs/daveCert.pem
+++ b/testing/tests/ikev1/multi-level-ca/hosts/dave/etc/ipsec.d/certs/daveCert.pem
@@ -1,24 +1,24 @@
 -----BEGIN CERTIFICATE-----
-MIIEHDCCAwSgAwIBAgIBATANBgkqhkiG9w0BAQUFADBLMQswCQYDVQQGEwJDSDEZ
+MIIEHDCCAwSgAwIBAgIBBTANBgkqhkiG9w0BAQsFADBLMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEOMAwGA1UECxMFU2FsZXMxETAPBgNV
-BAMTCFNhbGVzIENBMB4XDTA1MDMyMzA3MTAxN1oXDTEwMDMyMjA3MTAxN1owVjEL
+BAMTCFNhbGVzIENBMB4XDTEwMDQwNzA5NDI0MVoXDTE1MDQwNjA5NDI0MVowVjEL
 MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsT
 BVNhbGVzMRwwGgYDVQQDFBNkYXZlQHN0cm9uZ3N3YW4ub3JnMIIBIjANBgkqhkiG
-9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyqAR0itGIuSt/RR8IHjFTLH/lywprmHUw0GS
-zZwo/q4AE4v6OeWRG3JUUg44K40yBwr7zvcsLztRTfbNqlt7o+Hjpo3kz0AMwDo+
-1V42Qkh61VJW1P0NQvkgjiQn+ElSMg1u3uiYCIMAhYMYo2ZMKxHXxRqjU79AVuJN
-P3p8wUpfwReImAy3/n685YbSzWcbPqCfjRH/YrnYS8Ga7m/QzdNfrtxhAWAGow1+
-+eTSMvLXSkQeujU6OCJNOPUNB3nnJ1IoZrQm8wNP8Y5B5HzvOSyFEvNuHFc63gSP
-aSRhuz0gubuMpr1d9Rgjny8JgsfCEbOktlKwnbFeSB8AAgVMjwIDAQABo4H/MIH8
-MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSCy57rUdNRbytUkRGY
-GjmjvXfIszBtBgNVHSMEZjBkgBRfmxNG+SByyADViLWnTC6X6guTKKFJpEcwRTEL
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEAztqGSb3H9Xh6I4xiDkmsN5WRjKnEQfSRZsSi
+0umR7a1jysVvMgLKnmk2hAMJkDTjBXndEemnLiXemxNq4Wp3x0ZgpNWC6y1klZY6
+J7T76/4YhpIIs8HA1+ZiIAEhYCkeqy/ULPk0qa6yK6Ma2FKLEC4wz6OBbjhctqLz
+VsxxKDkLaivnJ16bX8CCNsCq86Ba64m6K1Mpsev5RKnOz0Ey1WwBhgLmipZRgAMH
+K6yPTRaOccvFVrOpi1bfprKXkrCYt6sQoDjbfheZ/tKyW2iJ+WbH0lsA4NbPi1s/
+5/rOIH+16CGfanXiZvZ7NbxLyb8ffPIXFxDTqiS8wFreRZR85wIDAQABo4H/MIH8
+MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBRnEIHshwPhDDGr3xLV
+MnUEbroVIjBtBgNVHSMEZjBkgBRfmxNG+SByyADViLWnTC6X6guTKKFJpEcwRTEL
 MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT
-EnN0cm9uZ1N3YW4gUm9vdCBDQYIBDTAeBgNVHREEFzAVgRNkYXZlQHN0cm9uZ3N3
+EnN0cm9uZ1N3YW4gUm9vdCBDQYIBITAeBgNVHREEFzAVgRNkYXZlQHN0cm9uZ3N3
 YW4ub3JnMDQGA1UdHwQtMCswKaAnoCWGI2h0dHA6Ly9jcmwuc3Ryb25nc3dhbi5v
-cmcvc2FsZXMuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQB+BknSxFKaDhbRVobOAU2P
-p9cirkVCitoZrvK2QIS/7WRoqy85RQ+zorJb3jyTxQl4Pu9Qrap9Zn0H8GQXGlQw
-ZJqdDqRaIa4nCc57qP5DsuQKIQRxc1QMCiWyIRAESn+r8IbxLbjvEd7ZXNsieip6
-Q15uUZldjTveHVi89i9oFWS1nWo4SV+tJaEqPBvsTZZKBPAEu6+7lRzbJ4ukzRsA
-DjuvmaPNUTyf21fD66I4sgrwgxoPhZ7r6qsqISJ5f0EzTXgYNi1yk/TXoAaot3c/
-Gu5+iyO/espV6kPADSOzPSFwsGHYG4kXi1VY0Z7x6UnjQSdEelOBplJ5XYDzEn4+
+cmcvc2FsZXMuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQB5H5jjp9LvEDyJp/3x7Caq
+OhIBSl5n3g7Oi1gXT5GHLBh9/l5i6Swk1eey2oMzpHgsdDogLytlvzRKXupJAZt5
+xWab5I7BfichRCV4bOutN/F8DiNChG0SnYEBizRi5K06LAadtDT0NLv7iE/I49Nb
+E8OdqnET1zHq82mbtVZCEzmRe+cmlB7EeECED+GxTOnYLRWeKg+AWIE4/fLN7s0e
+q94lSUtym71LZ9kmMMAHkIyEbblvVIa7k5j4T6j0XwPPcYVMSjogqeze+qbf3EQ+
+JkRlGdzL/17ToLWYnVwkLqQDn6B+RfwnPk2EXndutPrNz6C3Wy7zNNniciAtXAq+
 -----END CERTIFICATE-----
diff --git a/testing/tests/ikev1/multi-level-ca/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/ikev1/multi-level-ca/hosts/dave/etc/ipsec.d/private/daveKey.pem
index 022436de4..86740e86a 100644
--- a/testing/tests/ikev1/multi-level-ca/hosts/dave/etc/ipsec.d/private/daveKey.pem
+++ b/testing/tests/ikev1/multi-level-ca/hosts/dave/etc/ipsec.d/private/daveKey.pem
@@ -1,27 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEAyqAR0itGIuSt/RR8IHjFTLH/lywprmHUw0GSzZwo/q4AE4v6
-OeWRG3JUUg44K40yBwr7zvcsLztRTfbNqlt7o+Hjpo3kz0AMwDo+1V42Qkh61VJW
-1P0NQvkgjiQn+ElSMg1u3uiYCIMAhYMYo2ZMKxHXxRqjU79AVuJNP3p8wUpfwReI
-mAy3/n685YbSzWcbPqCfjRH/YrnYS8Ga7m/QzdNfrtxhAWAGow1++eTSMvLXSkQe
-ujU6OCJNOPUNB3nnJ1IoZrQm8wNP8Y5B5HzvOSyFEvNuHFc63gSPaSRhuz0gubuM
-pr1d9Rgjny8JgsfCEbOktlKwnbFeSB8AAgVMjwIDAQABAoIBAHKaRFoVpa6Ynpu0
-mVwYUqdFSaVsEgsSRC9HiEuIllsteNeVZSqX4BGhAXYDmttvGauIF9IAVNpF939c
-JwjCg1S2r3aFbLOXq16R0vYFOjUVH3xF/NysX3LQywv6AS1Z8wZiOKIU9eBij8nz
-0tygQFZf2iUeIuB8HFzH1B8iHSuI7qn6hh1Y9Zgx4kWYL9I+WYefbR906xveHVGq
-8VrgHtBAn1WeWg7FoN1VURW0s1bxkiWtpF9x9OMmwK4qR8HSCilss59V1eJrAAR0
-3FGdWwbbGg9hW0adnyDCtoaYW3r0WcXwqklyas4C+dClOpUInn8kZisoghQYT92u
-U2QeDzECgYEA5Rv7+rP9HX1pNd9NQwOyIHztv4jfx60gybioogtCeRZUwPQ3GtXJ
-Q0ouBxCVLdyCImIKcvd2q2b9HZE8tvOHBA/YxofH4miEN5GWA4aL+LcGrxIbxPWs
-MEkxgQwsyK7lWH47fG7eW86LMx0VikFXS1EeeZZS3f3Avaww1uRtXecCgYEA4mhS
-sAClZamGVWQ7VXCHuS4xHn/gPA4TCyoR5l9g9pwregGKxsROQVIFQCDMd9eTtS6B
-oqoUTHdg0TlujHVUojdwHtgDaqDMTk+RXD9qy2Wob9HQVBlIwgijoLb+OjwdoAj7
-1OQx8FmMjAlMmlyJ50e1FnbNJFEJ1EMgV5QxtxkCgYEArdUeyehYy1BFTJ/CIm+i
-bm37gdDbYchlUUivgkuiwvcDlWd2jADbdRfKdofJeIOPpYDXxsUmIATDVfTFqVZ7
-AcT4SCHrskh00SjANqqWdz5/bsQBl96DKBvQ2MYhEJ9K2mrkvZPtWKENEtolZsIO
-9tF0mvJIq7CF1iPY5qNoq88CgYEAoZhELErJwl3U+22my7ydopZNiK9MpJCHFxjX
-3c2Fr36XqWUgX+4MzKJ2DOdcCM1dJ5wh+q/Z/RnXiH2tYaL83SskY19aUOij6eDw
-px68YqAUMHtYbi39uD/iSftSSM5PdsHyvGiDHEFOB0U735Dc/K45mecBVEJi+ZVP
-qDKlqUECgYA1DcGOWM3P3XdB7zKy47LcankMtFZozEOLTUdGJRlmWrLdcRlZPKjt
-/ALripehesp1++VtmttWQJX7uI3gveD07/tSKeMHmIoKappjRTrcaA7Pa5+z/xS/
-UhRmZUFOJwNLzy3jdv5f2c/5SIz6o4Ae3I+Zb+IapHL+lBv146/I5g==
+MIIEpQIBAAKCAQEAztqGSb3H9Xh6I4xiDkmsN5WRjKnEQfSRZsSi0umR7a1jysVv
+MgLKnmk2hAMJkDTjBXndEemnLiXemxNq4Wp3x0ZgpNWC6y1klZY6J7T76/4YhpII
+s8HA1+ZiIAEhYCkeqy/ULPk0qa6yK6Ma2FKLEC4wz6OBbjhctqLzVsxxKDkLaivn
+J16bX8CCNsCq86Ba64m6K1Mpsev5RKnOz0Ey1WwBhgLmipZRgAMHK6yPTRaOccvF
+VrOpi1bfprKXkrCYt6sQoDjbfheZ/tKyW2iJ+WbH0lsA4NbPi1s/5/rOIH+16CGf
+anXiZvZ7NbxLyb8ffPIXFxDTqiS8wFreRZR85wIDAQABAoIBAQCZSpoP1cN0Zvbk
+lykne3NTsdSuEDUvx4VlSj173bnWEBOO9idEQYtUP5Y12GZi5r6ClV+94ZCSA2Bn
+PcmMCTGAjOgb31po3DfZHv4z5Mx4g9I7D8fBJsm5dbKsEwpfz7k5lXVAauGbCaph
+6jp/qxQBRqnHhlzpiH00n6eDYHhPHDoFHe+vGbnjWzJKsvs6EZiXpfJ/WKd1eQah
+sGF7g+9qV5xqwshCBKf25LZ2XjdvZDt78HS4hsSaStnemetK9NVJGJqmLzehQ16m
+RXAr8Ybk9g7/MSFhpwGPGjcqm2/szL4Cs9IMtYSxiroY3QL+DZydG9+K9g5NF7lX
+lbEX9HXRAoGBAOduCSLaoEJsgZathny9kSsBtDmTAuiVZukqRdMjDN2I0kOsRsIw
+CEF1DIvFsX7nfHkKve8+XyTc05y7LTXmX1AEjMgzFel7uy5HjS7AsJZgTippC8g/
+l2jGq+s59zATNZ2el9Q9dbeK2lBdrVy+jqNITdQge9BigFfhWbkAGFRPAoGBAOTQ
+if2+Yrh0zDPO53I6kShehaZvNtPmQxmmhvH4HGMY8EyRajFOSMpV1w3VYDuTA47v
+yol+90BWMY8ZslrXq+Bmwx2ocSc2feyUYcJoOoRL/b+b1lY2Vnog3Hs5BQLsULzH
+dwkEuK8wjjw1g4ksuIMbX/X9nEvJs0xemzh7Ju/pAoGACNI24u82YJHGNroSgDqx
+h9QezHsAB2F6dLS5yJxzZxZJ/W5ZnBk8l1Ig0ksMwuuL4Qk5yB62fa81GapAxOct
+Bt3Fh/P6h9XBgrgTd468rF6rXA549n8GBGZeMy8Ybuqshn9/BgX5sK9INvv7Gafh
+w/ODk+xRC9ZVUgQy6UxJoR0CgYEAybmYjl40xo4iIWK95ZUAuGhsx8iwu6v7aDfK
+LLUiwbMQ11A0IPf1cHyxNf7x8lOwBWoeU43eCZhz5Mcw2KnfW9z9E76W041VAyfl
+7/DX9h7QvQZ0tlj9cHpcJz6jzmns3CG2Lfs9nyXdn/NF3b/Rg7S0qzhFfQN70U5u
+5iKct1ECgYEAmR/0IbYGh1YJ7Z9im44MTSz6H7bTnmIDjM3/+IVydSVgFbzcoVG6
+4sQ5fIViMLtz9PHDRRKbs8TBzpy7C/wC1qRqpq9I17INSQzvm3DpZ2PlR0SeN2dA
+fO9XtkE73cEff/gI7JWOouy/vczizfRemnWlNK5Ui29Fe0QlGC9TyX0=
 -----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev1/multi-level-ca/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem b/testing/tests/ikev1/multi-level-ca/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem
index 154cff654..d53365f78 100644
--- a/testing/tests/ikev1/multi-level-ca/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem
+++ b/testing/tests/ikev1/multi-level-ca/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem
@@ -1,7 +1,7 @@
 -----BEGIN CERTIFICATE-----
-MIIDwTCCAqmgAwIBAgIBDzANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
+MIIDwTCCAqmgAwIBAgIBIDANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA1MDYyMTE5NTgwNloXDTEwMDYyMDE5NTgwNlowUTELMAkGA1UE
+b290IENBMB4XDTEwMDQwNjA5NTM1MFoXDTE5MDQwNDA5NTM1MFowUTELMAkGA1UE
 BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
 cmNoMRQwEgYDVQQDEwtSZXNlYXJjaCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP
 ADCCAQoCggEBALY5sjqm4AdbWKc/T7JahWpy9xtdPbHngBN6lbnpYaHfrxnGsvmD
@@ -13,11 +13,11 @@ C+25IuE8Nq+i3jtBiI8BwBqHY3u2IuflUh9Nc9d/R6vGsRPMHs30X1Ha/m0Ug494
 BTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU53XwoPKtIM3NYCPMx8gPKfPd
 VCAwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNV
 BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJv
-bmdTd2FuIFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQEEBQADggEBAHArS2trQnBoMVcg
-Br3HV78wYsa1MNAQCBAPhKMMd6EziO4FTwgNgecbKXpObX6ErFDgjtVTcLOMTvNX
-fvZoNuPpdcitlgcWjfxZafNbj6j9ClE/rMbGDO64NLhdXuPVkbmic6yXRwGZpTuq
-3CKgTguLvhzIEM47yfonXKaaJcKVPI7nYRZdlJmD4VflYrSUpzB361dCaPpl0AYa
-0zz1+jfBBvlyic/tf+cCngV3f+GlJ4ntZ3gvRjyysHRmYpWBD7xcA8mJzgUiMyi1
-IKeNzydp+tnLfxwetfA/8ptc346me7RktAaASqO9vpS/N78eXyJRthZTKEf/OqVW
-Tfcyi+M=
+bmdTd2FuIFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQELBQADggEBAI1toW0bLcyBXAoy
+FeLKGy4SibcNBZs/roChcwUav0foyLdCYMYFKEeHOLvIsTIjifpY4MPy3SBgQ5Xp
+cs5vOFwW97jM6YfByqjx4+7qTBqOaLMXBbeJ3LIwQyJirpqHZzlsOscchxCjcMAM
+POBGmWjpdOqULoLlwX9EFhBA2rEZB1iamgbUJ5M5eRNEubm8xR6Baw/0ORz/tt+t
+xC9jxcjHoJnOFV0ss7Xs3d32PqhvKGgBxjVLZyq3zD/rMG2xXVyKPU46zelMCP1U
+dsM62tL1cwAi4soka02GQrP/rwBhHt22bJMN4gNs5NSvhTdjjgwVYzLu63IFYBvW
+8sFmiZI=
 -----END CERTIFICATE-----
diff --git a/testing/tests/ikev1/multi-level-ca/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem b/testing/tests/ikev1/multi-level-ca/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem
index e50477872..a10a18cba 100644
--- a/testing/tests/ikev1/multi-level-ca/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem
+++ b/testing/tests/ikev1/multi-level-ca/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem
@@ -1,7 +1,7 @@
 -----BEGIN CERTIFICATE-----
-MIIDuzCCAqOgAwIBAgIBDTANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJDSDEZ
+MIIDuzCCAqOgAwIBAgIBITANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA1MDMyMzA2MjkxNloXDTE0MDMyMTA2MjkxNlowSzELMAkGA1UE
+b290IENBMB4XDTEwMDQwNjA5NTQzM1oXDTE5MDQwNDA5NTQzM1owSzELMAkGA1UE
 BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsTBVNhbGVz
 MREwDwYDVQQDEwhTYWxlcyBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
 ggEBAMJOTSaZjDe5UR+hJbodcE40WBxWm+r0FiD+FLc2c0hH/QcWm1Xfqnc9qaPP
@@ -13,10 +13,10 @@ vPAqzrekOI/RV9Hre9L1r8X1dIECAwEAAaOBrzCBrDAPBgNVHRMBAf8EBTADAQH/
 MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUX5sTRvkgcsgA1Yi1p0wul+oLkygwbQYD
 VR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNI
 MRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2Fu
-IFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQEFBQADggEBAJ7j3X20Q8ICJ2e+iUCpVUIV
-8RudUeHt9qjSXalohuxxhegL5vu7I9Gx0H56RE4glOjLMCb1xqVZ55Odxx14pHaZ
-9iMnQFpgzi96exYAmBKYCHl4IFix2hrTqTWSJhEO+o+PXnQTgcfG43GQepk0qAQr
-iZZy8OWiUhHSJQLJtTMm4rnYjgPn+sLwx7hCPDZpHTZocETDars7wTiVkodCbeEU
-uKahAbq4b6MvvC3+7quvwoEpAEStT7+Yml+QuK/jKmhjX0hcQcw4ZWi+m32RjUAv
-xDJGEvBqV2hyrzRqwh4lVNJEBba5X+QB3N6a0So6BENaJrUM3v8EDaS2KLUWyu0=
+IFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQELBQADggEBACRlTqXMjHy7r7rWnq/09yFn
+Td6d+y6KkHj9kvYSA5q7xYdmP3I4+YP2qpPnYjSeyfMCl4ZIyMXnfUbz5OvuXp4S
+CS0gIUJ6mK6+5f1a3USdB4Ce0Od4mkUIQmLzKFCRSqdhWoVzNJrl+BT1a5d9+aLW
+AL5S2pqUoQPgG64MPghy3SyUb4qBeplk3JdR/6OgA5LQeNtLiI7Y/dbMM2Rvn284
+RIIxp2TqN2Hup6BNLHv6fLixdJpM+nG7ZjGYf+7dnuY6ZDhvIt18zr/2n1ELBQPh
+M5SjYhGQIZVmNzNDrKGVAKta5LG8BwBGi0uXc9fBXWRcffI3N1/IZj/ob5t3WCg=
 -----END CERTIFICATE-----
diff --git a/testing/tests/ikev1/protoport-route/pretest.dat b/testing/tests/ikev1/protoport-route/pretest.dat
index b1fc81827..d52aeaeb8 100644
--- a/testing/tests/ikev1/protoport-route/pretest.dat
+++ b/testing/tests/ikev1/protoport-route/pretest.dat
@@ -2,7 +2,7 @@ moon::/etc/init.d/iptables start 2> /dev/null
 carol::/etc/init.d/iptables start 2> /dev/null
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1
+carol::sleep 3 
 carol::ssh -o ConnectTimeout=5 PH_IP_ALICE hostname
-carol::ping -c 1 PH_IP_ALICE > /dev/null
-carol::sleep 2
+carol::ping -c 1 PH_IP_MOON1 > /dev/null
+carol::sleep 2 
diff --git a/testing/tests/ikev2/after-2038-certs/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/after-2038-certs/hosts/carol/etc/strongswan.conf
index 06b1e9f48..de9ae45cc 100644
--- a/testing/tests/ikev2/after-2038-certs/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/after-2038-certs/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/after-2038-certs/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/after-2038-certs/hosts/moon/etc/strongswan.conf
index 06b1e9f48..de9ae45cc 100644
--- a/testing/tests/ikev2/after-2038-certs/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/after-2038-certs/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-3des-md5/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-3des-md5/hosts/carol/etc/strongswan.conf
index 06b1e9f48..de9ae45cc 100644
--- a/testing/tests/ikev2/alg-3des-md5/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-3des-md5/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-3des-md5/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-3des-md5/hosts/moon/etc/strongswan.conf
index 06b1e9f48..de9ae45cc 100644
--- a/testing/tests/ikev2/alg-3des-md5/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-3des-md5/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/strongswan.conf
index 06b1e9f48..de9ae45cc 100644
--- a/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/strongswan.conf
index 06b1e9f48..de9ae45cc 100644
--- a/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf
index 95ec73753..336227af7 100644
--- a/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   dh_exponent_ansi_x9_42 = no
-  load = aes des blowfish md5 sha1 sha2 pem pkcs1 gmp curl random x509 hmac stroke kernel-netlink updown
+  load = aes des blowfish md5 sha1 sha2 pem pkcs1 gmp curl random x509 hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf
index 95ec73753..336227af7 100644
--- a/testing/tests/ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   dh_exponent_ansi_x9_42 = no
-  load = aes des blowfish md5 sha1 sha2 pem pkcs1 gmp curl random x509 hmac stroke kernel-netlink updown
+  load = aes des blowfish md5 sha1 sha2 pem pkcs1 gmp curl random x509 hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf
index 95ec73753..336227af7 100644
--- a/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   dh_exponent_ansi_x9_42 = no
-  load = aes des blowfish md5 sha1 sha2 pem pkcs1 gmp curl random x509 hmac stroke kernel-netlink updown
+  load = aes des blowfish md5 sha1 sha2 pem pkcs1 gmp curl random x509 hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-modp-subgroup/description.txt b/testing/tests/ikev2/alg-modp-subgroup/description.txt
new file mode 100644
index 000000000..cb7d11720
--- /dev/null
+++ b/testing/tests/ikev2/alg-modp-subgroup/description.txt
@@ -0,0 +1,14 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
+to gateway <b>moon</b> using the <b>MODP Diffie-Hellman Groups 22, 23, and 24</b>
+with <b>Prime Order Subgroups</b>.
+<p/>
+<b>carol</b> proposes the DH groups MODP_2048_224 and MODP_1024_160 whereas
+<b>dave</b> proposes MODP_2048_224 and MODP_2048_256.
+Since <b>moon</b> does not support MODP_2048_224 the roadwarriors fall back to
+MODP_1024_160 and MODP_2048_256, respectively.
+<p/>
+Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
+the client <b>alice</b> behind the gateway <b>moon</b>.
+
diff --git a/testing/tests/ikev2/alg-modp-subgroup/evaltest.dat b/testing/tests/ikev2/alg-modp-subgroup/evaltest.dat
new file mode 100644
index 000000000..80df206bf
--- /dev/null
+++ b/testing/tests/ikev2/alg-modp-subgroup/evaltest.dat
@@ -0,0 +1,15 @@
+carol::cat /var/log/daemon.log::DH group MODP_2048_224.*MODP_1024_160::YES
+dave::cat /var/log/daemon.log::DH group MODP_2048_224.*MODP_2048_256::YES
+moon::ipsec statusall::rw.*ESTABLISHED.*carol@strongswan.org::YES
+moon::ipsec statusall::rw.*ESTABLISHED.*dave@strongswan.org::YES
+carol::ipsec statusall::home.*ESTABLISHED::YES
+carol::ipsec statusall::home.*AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024_160::YES
+dave::ipsec statusall::home.*ESTABLISHED::YES
+dave::ipsec statusall::home.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048_256::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+
diff --git a/testing/tests/ikev2/alg-modp-subgroup/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/alg-modp-subgroup/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..257923d02
--- /dev/null
+++ b/testing/tests/ikev2/alg-modp-subgroup/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=aes128-sha1-modp2048s224,aes128-sha1-modp1024s160!
+
+conn home
+	left=PH_IP_CAROL
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/ikev2/alg-modp-subgroup/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-modp-subgroup/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..de9ae45cc
--- /dev/null
+++ b/testing/tests/ikev2/alg-modp-subgroup/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/alg-modp-subgroup/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/alg-modp-subgroup/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..9b5247973
--- /dev/null
+++ b/testing/tests/ikev2/alg-modp-subgroup/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=aes128-sha256-modp2048s224,aes128-sha256-modp2048s256!
+
+conn home
+	left=PH_IP_DAVE
+	leftcert=daveCert.pem
+	leftid=dave@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/ikev2/alg-modp-subgroup/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/alg-modp-subgroup/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..de9ae45cc
--- /dev/null
+++ b/testing/tests/ikev2/alg-modp-subgroup/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/alg-modp-subgroup/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/alg-modp-subgroup/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..2b66e3400
--- /dev/null
+++ b/testing/tests/ikev2/alg-modp-subgroup/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=aes128-sha256-modp2048s256,aes128-sha1-modp1024s160!
+
+conn rw
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	leftfirewall=yes
+	right=%any
+	auto=add
diff --git a/testing/tests/ikev2/alg-modp-subgroup/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-modp-subgroup/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..de9ae45cc
--- /dev/null
+++ b/testing/tests/ikev2/alg-modp-subgroup/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/alg-modp-subgroup/posttest.dat b/testing/tests/ikev2/alg-modp-subgroup/posttest.dat
new file mode 100644
index 000000000..7cebd7f25
--- /dev/null
+++ b/testing/tests/ikev2/alg-modp-subgroup/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/alg-modp-subgroup/pretest.dat b/testing/tests/ikev2/alg-modp-subgroup/pretest.dat
new file mode 100644
index 000000000..42e9d7c24
--- /dev/null
+++ b/testing/tests/ikev2/alg-modp-subgroup/pretest.dat
@@ -0,0 +1,9 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/ikev2/alg-modp-subgroup/test.conf b/testing/tests/ikev2/alg-modp-subgroup/test.conf
new file mode 100644
index 000000000..70416826e
--- /dev/null
+++ b/testing/tests/ikev2/alg-modp-subgroup/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/alg-sha256-96/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-sha256-96/hosts/carol/etc/strongswan.conf
index 4ae78cec5..06304115b 100644
--- a/testing/tests/ikev2/alg-sha256-96/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-sha256-96/hosts/carol/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
   send_vendor_id = yes
 }
diff --git a/testing/tests/ikev2/alg-sha256-96/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-sha256-96/hosts/moon/etc/strongswan.conf
index 4ae78cec5..06304115b 100644
--- a/testing/tests/ikev2/alg-sha256-96/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-sha256-96/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
   send_vendor_id = yes
 }
diff --git a/testing/tests/ikev2/alg-sha256/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-sha256/hosts/carol/etc/strongswan.conf
index 06b1e9f48..de9ae45cc 100644
--- a/testing/tests/ikev2/alg-sha256/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-sha256/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-sha256/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-sha256/hosts/moon/etc/strongswan.conf
index 06b1e9f48..de9ae45cc 100644
--- a/testing/tests/ikev2/alg-sha256/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-sha256/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-sha384/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-sha384/hosts/carol/etc/strongswan.conf
index 06b1e9f48..de9ae45cc 100644
--- a/testing/tests/ikev2/alg-sha384/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-sha384/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-sha384/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-sha384/hosts/moon/etc/strongswan.conf
index 06b1e9f48..de9ae45cc 100644
--- a/testing/tests/ikev2/alg-sha384/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-sha384/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-sha512/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-sha512/hosts/carol/etc/strongswan.conf
index 06b1e9f48..de9ae45cc 100644
--- a/testing/tests/ikev2/alg-sha512/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-sha512/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-sha512/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-sha512/hosts/moon/etc/strongswan.conf
index 06b1e9f48..de9ae45cc 100644
--- a/testing/tests/ikev2/alg-sha512/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-sha512/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/any-interface/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/any-interface/hosts/alice/etc/strongswan.conf
index 86a0257ad..3fbdad4f9 100644
--- a/testing/tests/ikev2/any-interface/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/any-interface/hosts/alice/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/any-interface/hosts/bob/etc/strongswan.conf b/testing/tests/ikev2/any-interface/hosts/bob/etc/strongswan.conf
index 86a0257ad..3fbdad4f9 100644
--- a/testing/tests/ikev2/any-interface/hosts/bob/etc/strongswan.conf
+++ b/testing/tests/ikev2/any-interface/hosts/bob/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/any-interface/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/any-interface/hosts/moon/etc/strongswan.conf
index 86a0257ad..3fbdad4f9 100644
--- a/testing/tests/ikev2/any-interface/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/any-interface/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/any-interface/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/any-interface/hosts/sun/etc/strongswan.conf
index 86a0257ad..3fbdad4f9 100644
--- a/testing/tests/ikev2/any-interface/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/any-interface/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/compress/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/compress/hosts/carol/etc/strongswan.conf
index 572cf39cb..dd2df0670 100644
--- a/testing/tests/ikev2/compress/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/compress/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/compress/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/compress/hosts/moon/etc/strongswan.conf
index 572cf39cb..dd2df0670 100644
--- a/testing/tests/ikev2/compress/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/compress/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/config-payload-swapped/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/config-payload-swapped/hosts/carol/etc/strongswan.conf
index 06b1e9f48..de9ae45cc 100644
--- a/testing/tests/ikev2/config-payload-swapped/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/config-payload-swapped/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/config-payload-swapped/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/config-payload-swapped/hosts/dave/etc/strongswan.conf
index 06b1e9f48..de9ae45cc 100644
--- a/testing/tests/ikev2/config-payload-swapped/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/config-payload-swapped/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/config-payload-swapped/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/config-payload-swapped/hosts/moon/etc/strongswan.conf
index 06b1e9f48..de9ae45cc 100644
--- a/testing/tests/ikev2/config-payload-swapped/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/config-payload-swapped/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/config-payload/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/config-payload/hosts/carol/etc/strongswan.conf
index ff38e227b..5af37dc90 100644
--- a/testing/tests/ikev2/config-payload/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/config-payload/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown resolve
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown resolve
 }
diff --git a/testing/tests/ikev2/config-payload/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/config-payload/hosts/dave/etc/strongswan.conf
index ff38e227b..5af37dc90 100644
--- a/testing/tests/ikev2/config-payload/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/config-payload/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown resolve
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown resolve
 }
diff --git a/testing/tests/ikev2/config-payload/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/config-payload/hosts/moon/etc/strongswan.conf
index 51810734d..223ed67a3 100644
--- a/testing/tests/ikev2/config-payload/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/config-payload/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown attr
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown attr
   dns1 = PH_IP_WINNETOU
   dns2 = PH_IP_VENUS
 }
diff --git a/testing/tests/ikev2/crl-from-cache/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/crl-from-cache/hosts/carol/etc/strongswan.conf
index 572cf39cb..dd2df0670 100644
--- a/testing/tests/ikev2/crl-from-cache/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/crl-from-cache/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/strongswan.conf
index 572cf39cb..dd2df0670 100644
--- a/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/crl-ldap/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/crl-ldap/hosts/carol/etc/strongswan.conf
index c9e6722ae..bb4af2c75 100644
--- a/testing/tests/ikev2/crl-ldap/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/crl-ldap/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = ldap aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = ldap aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/crl-ldap/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/crl-ldap/hosts/moon/etc/strongswan.conf
index c9e6722ae..bb4af2c75 100644
--- a/testing/tests/ikev2/crl-ldap/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/crl-ldap/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = ldap aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = ldap aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/crl-revoked/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/crl-revoked/hosts/carol/etc/strongswan.conf
index 572cf39cb..dd2df0670 100644
--- a/testing/tests/ikev2/crl-revoked/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/crl-revoked/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/crl-revoked/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/crl-revoked/hosts/moon/etc/strongswan.conf
index 572cf39cb..dd2df0670 100644
--- a/testing/tests/ikev2/crl-revoked/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/crl-revoked/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/crl-to-cache/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/crl-to-cache/hosts/carol/etc/strongswan.conf
index 572cf39cb..dd2df0670 100644
--- a/testing/tests/ikev2/crl-to-cache/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/crl-to-cache/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/strongswan.conf
index 572cf39cb..dd2df0670 100644
--- a/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/default-keys/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/default-keys/hosts/carol/etc/strongswan.conf
index c466dc8cf..4890be7cc 100644
--- a/testing/tests/ikev2/default-keys/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/default-keys/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
 
 scepclient {
diff --git a/testing/tests/ikev2/default-keys/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/default-keys/hosts/moon/etc/strongswan.conf
index c466dc8cf..4890be7cc 100644
--- a/testing/tests/ikev2/default-keys/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/default-keys/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
 
 scepclient {
diff --git a/testing/tests/ikev2/dhcp-dynamic/description.txt b/testing/tests/ikev2/dhcp-dynamic/description.txt
new file mode 100644
index 000000000..b29a1de78
--- /dev/null
+++ b/testing/tests/ikev2/dhcp-dynamic/description.txt
@@ -0,0 +1,8 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>
+and request a <b>virtual IP</b> via the IKEv2 configuration payload by using the <b>leftsourceip=%config</b>
+parameter. The <b>dhcp</b> plugin on gateway <b>moon</b> then requests an IP address and DNS server
+information from DHCP server <b>venus</b> using the DHCP protocol. The IP addresses are assigned dynamically
+by <b>venus</b> from the pool 10.1.0.50..10.1.0.60 so that <b>carol</b> and <b>dave</b> become full members
+of the subnet 10.1.0.0/16 hidden behind gateway <b>moon</b>. And this thanks to the <b>farp</b> plugin
+through which <b>moon</b> acts as a proxy for ARP requests e.g. from <b>alice</b> who wants to ping
+<b>carol</b> and <b>dave</b>. 
diff --git a/testing/tests/ikev2/dhcp-dynamic/evaltest.dat b/testing/tests/ikev2/dhcp-dynamic/evaltest.dat
new file mode 100644
index 000000000..b3814084f
--- /dev/null
+++ b/testing/tests/ikev2/dhcp-dynamic/evaltest.dat
@@ -0,0 +1,22 @@
+carol::ipsec status::home.*INSTALLED::YES
+alice::ping -c 1 10.1.0.50::64 bytes from 10.1.0.50: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave::ipsec status::home.*INSTALLED::YES
+alice::ping -c 1 10.1.0.51::64 bytes from 10.1.0.51: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::ipsec status::rw{.*10.1.0.0/16 === 10.1.0.50/32::YES
+moon::ipsec status::rw{.*10.1.0.0/16 === 10.1.0.51/32::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+alice::tcpdump::arp reply carol3.strongswan.org is-at fe:fd:0a:01:00:01::YES
+alice::tcpdump::IP alice.strongswan.org > carol3.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP carol3.strongswan.org > alice.strongswan.org: ICMP echo reply::YES
+alice::tcpdump::IP carol3.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > carol3.strongswan.org: ICMP echo reply::YES
+alice::tcpdump::arp reply dave3.strongswan.org is-at fe:fd:0a:01:00:01::YES
+alice::tcpdump::IP alice.strongswan.org > dave3.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP dave3.strongswan.org > alice.strongswan.org: ICMP echo reply::YES
+alice::tcpdump::IP dave3.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > dave3.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/ikev2/dhcp-dynamic/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/dhcp-dynamic/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..a19f6cfae
--- /dev/null
+++ b/testing/tests/ikev2/dhcp-dynamic/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_CAROL
+	leftsourceip=%config
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
diff --git a/testing/tests/ikev2/dhcp-dynamic/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/dhcp-dynamic/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..5af37dc90
--- /dev/null
+++ b/testing/tests/ikev2/dhcp-dynamic/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown resolve
+}
diff --git a/testing/tests/ikev2/dhcp-dynamic/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/dhcp-dynamic/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..1a89f4e5d
--- /dev/null
+++ b/testing/tests/ikev2/dhcp-dynamic/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_DAVE
+	leftsourceip=%config
+	leftcert=daveCert.pem
+	leftid=dave@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
diff --git a/testing/tests/ikev2/dhcp-dynamic/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/dhcp-dynamic/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..5af37dc90
--- /dev/null
+++ b/testing/tests/ikev2/dhcp-dynamic/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown resolve
+}
diff --git a/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/dhcpd.conf b/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/dhcpd.conf
new file mode 100644
index 000000000..0340d5669
--- /dev/null
+++ b/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/dhcpd.conf
@@ -0,0 +1,9 @@
+subnet 10.1.0.0 netmask 255.255.0.0 {
+  option routers 10.1.0.1;
+  option broadcast-address 10.1.255.255;
+  option domain-name servers PH_IP_WINNETOU PH_IP_VENUS
+  option netbios-name-servers PH_IP_VENUS;
+
+  # dynamic address pool for visitors
+  range 10.1.0.30 10.1.0.50;
+}
diff --git a/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/init.d/iptables
new file mode 100755
index 000000000..058bebb2d
--- /dev/null
+++ b/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/init.d/iptables
@@ -0,0 +1,91 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+	before net
+	need logger
+}
+
+start() {
+	ebegin "Starting firewall"
+
+	# enable IP forwarding
+	echo 1 > /proc/sys/net/ipv4/ip_forward
+	
+	# default policy is DROP
+	/sbin/iptables -P INPUT DROP
+	/sbin/iptables -P OUTPUT DROP
+	/sbin/iptables -P FORWARD DROP
+
+	# allow bootpc and bootps
+	iptables -A OUTPUT -p udp --sport bootpc --dport bootps -j ACCEPT
+	iptables -A INPUT  -p udp --sport bootps --dport bootps -j ACCEPT
+
+	# allow broadcasts from eth1
+	iptables -A INPUT -i eth1 -d 10.1.255.255 -j ACCEPT
+
+	# allow esp
+	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+	# allow IKE
+	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+	# allow MobIKE
+	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+	# allow crl fetch from winnetou
+	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+	# allow ssh
+	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
+	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+        # log dropped packets
+        iptables -A INPUT  -j LOG --log-prefix " IN: "
+        iptables -A OUTPUT -j LOG --log-prefix " OUT: "
+
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+	
+			if [ $a == nat ]; then
+				/sbin/iptables -t nat -P PREROUTING ACCEPT
+				/sbin/iptables -t nat -P POSTROUTING ACCEPT
+				/sbin/iptables -t nat -P OUTPUT ACCEPT
+			elif [ $a == mangle ]; then
+				/sbin/iptables -t mangle -P PREROUTING ACCEPT
+				/sbin/iptables -t mangle -P INPUT ACCEPT
+				/sbin/iptables -t mangle -P FORWARD ACCEPT
+				/sbin/iptables -t mangle -P OUTPUT ACCEPT
+				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
+			elif [ $a == filter ]; then
+				/sbin/iptables -t filter -P INPUT ACCEPT
+				/sbin/iptables -t filter -P FORWARD ACCEPT
+				/sbin/iptables -t filter -P OUTPUT ACCEPT
+			fi
+		done
+	eend $?
+}
+
+reload() {
+	ebegin "Flushing firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+		done;
+        eend $?
+	start
+}
+
diff --git a/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..3868a7a38
--- /dev/null
+++ b/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	left=PH_IP_MOON
+	leftsubnet=10.1.0.0/16
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftfirewall=yes
+
+conn rw
+	right=%any
+	rightsourceip=%dhcp
+	auto=add
diff --git a/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..146c81f48
--- /dev/null
+++ b/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,10 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown attr farp dhcp
+  plugins {
+    dhcp {
+      server = 10.1.255.255
+    }
+  }
+}
diff --git a/testing/tests/ikev2/dhcp-dynamic/hosts/venus/etc/dhcpd.conf b/testing/tests/ikev2/dhcp-dynamic/hosts/venus/etc/dhcpd.conf
new file mode 100644
index 000000000..2176af702
--- /dev/null
+++ b/testing/tests/ikev2/dhcp-dynamic/hosts/venus/etc/dhcpd.conf
@@ -0,0 +1,14 @@
+# dhcpd configuration file
+
+ddns-update-style none;
+
+subnet 10.1.0.0 netmask 255.255.0.0 {
+  option domain-name          "strongswan.org";
+  option domain-name-servers   10.1.0.20;
+  option netbios-name-servers  10.1.0.10;
+  option routers               10.1.0.1;
+  option broadcast-address     10.1.255.255;
+  next-server                  10.1.0.20;
+
+  range 10.1.0.50 10.1.0.60;
+}
diff --git a/testing/tests/ikev2/dhcp-dynamic/hosts/venus/etc/dnsmasq.conf b/testing/tests/ikev2/dhcp-dynamic/hosts/venus/etc/dnsmasq.conf
new file mode 100644
index 000000000..2d35dfd64
--- /dev/null
+++ b/testing/tests/ikev2/dhcp-dynamic/hosts/venus/etc/dnsmasq.conf
@@ -0,0 +1,7 @@
+interface=eth0
+dhcp-range=10.1.0.50,10.1.0.60,255.255.0.0,10.1.255.255
+dhcp-option=option:router,10.1.0.1
+dhcp-option=option:dns-server,10.1.0.20
+dhcp-option=option:netbios-ns,10.1.0.10
+dhcp-option=option:domain-name,strongswan.org
+log-dhcp
diff --git a/testing/tests/ikev2/dhcp-dynamic/hosts/venus/etc/init.d/dhcpd b/testing/tests/ikev2/dhcp-dynamic/hosts/venus/etc/init.d/dhcpd
new file mode 100755
index 000000000..4044dcc35
--- /dev/null
+++ b/testing/tests/ikev2/dhcp-dynamic/hosts/venus/etc/init.d/dhcpd
@@ -0,0 +1,24 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop"
+
+depend() {
+	need net
+	need logger
+}
+
+start() {
+	ebegin "Starting DHCP server"
+	start-stop-daemon --start --quiet --exec /usr/sbin/dhcpd
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping DHCP server"
+	start-stop-daemon --stop --quiet --pidfile /var/run/dhcpd.pid
+	rm -f /var/state/dhcp/dhcpd.leases
+	touch /var/state/dhcp/dhcpd.leases
+	eend $?
+}
diff --git a/testing/tests/ikev2/dhcp-dynamic/posttest.dat b/testing/tests/ikev2/dhcp-dynamic/posttest.dat
new file mode 100644
index 000000000..1f5487596
--- /dev/null
+++ b/testing/tests/ikev2/dhcp-dynamic/posttest.dat
@@ -0,0 +1,10 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+venus::cat /var/state/dhcp/dhcpd.leases
+venus::/etc/init.d/dhcpd stop 2> /dev/null
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
+alice::arp -d 10.1.0.50
+alice::arp -d 10.1.0.51
diff --git a/testing/tests/ikev2/dhcp-dynamic/pretest.dat b/testing/tests/ikev2/dhcp-dynamic/pretest.dat
new file mode 100644
index 000000000..bd36b4fe3
--- /dev/null
+++ b/testing/tests/ikev2/dhcp-dynamic/pretest.dat
@@ -0,0 +1,12 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+venus::cat /etc/dhcpd.conf
+venus::/etc/init.d/dhcpd start 2> /dev/null
+carol::ipsec start
+dave::ipsec start
+moon::ipsec start
+carol::sleep 2 
+carol::ipsec up home
+dave::ipsec up home
+carol::sleep 1
diff --git a/testing/tests/ikev2/dhcp-dynamic/test.conf b/testing/tests/ikev2/dhcp-dynamic/test.conf
new file mode 100644
index 000000000..a2ad7b25f
--- /dev/null
+++ b/testing/tests/ikev2/dhcp-dynamic/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice venus moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon alice"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/dhcp-static-client-id/description.txt b/testing/tests/ikev2/dhcp-static-client-id/description.txt
new file mode 100644
index 000000000..d253a8865
--- /dev/null
+++ b/testing/tests/ikev2/dhcp-static-client-id/description.txt
@@ -0,0 +1,11 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>
+and request a <b>virtual IP</b> via the IKEv2 configuration payload by using the <b>leftsourceip=%config</b>
+parameter. The <b>dhcp</b> plugin on gateway <b>moon</b> then requests an IP address and DNS/WINS server
+information from DHCP server <b>venus</b> using the DHCP protocol. The IP addresses are assigned statically 
+by <b>venus</b> based on the IKEv2 peer identities <b>carol@strongswan.org</b> and <b>dave@strongswan.org</b>,
+respectively, included by the dhcp plugin as a <b>dhcp-client-identity</b> option in the DHCP request.
+<p/> 
+With the static assignment of 10.1.0.30 and 10.1.0.40, respectively, <b>carol</b> and <b>dave</b>
+become full members of the subnet 10.1.0.0/16 hidden behind gateway <b>moon</b>. And this thanks to
+the <b>farp</b> plugin through which <b>moon</b> acts as a proxy for ARP requests e.g. from <b>alice</b>
+who wants to ping <b>carol</b> and <b>dave</b>. 
diff --git a/testing/tests/ikev2/dhcp-static-client-id/evaltest.dat b/testing/tests/ikev2/dhcp-static-client-id/evaltest.dat
new file mode 100644
index 000000000..8abd2416a
--- /dev/null
+++ b/testing/tests/ikev2/dhcp-static-client-id/evaltest.dat
@@ -0,0 +1,22 @@
+carol::ipsec status::home.*INSTALLED::YES
+alice::ping -c 1 10.1.0.30::64 bytes from 10.1.0.30: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave::ipsec status::home.*INSTALLED::YES
+alice::ping -c 1 10.1.0.40::64 bytes from 10.1.0.40: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::ipsec status::rw{.*10.1.0.0/16 === 10.1.0.30/32::YES
+moon::ipsec status::rw{.*10.1.0.0/16 === 10.1.0.40/32::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+alice::tcpdump::arp reply carol2.strongswan.org is-at fe:fd:0a:01:00:01::YES
+alice::tcpdump::IP alice.strongswan.org > carol2.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP carol2.strongswan.org > alice.strongswan.org: ICMP echo reply::YES
+alice::tcpdump::IP carol2.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > carol2.strongswan.org: ICMP echo reply::YES
+alice::tcpdump::arp reply dave2.strongswan.org is-at fe:fd:0a:01:00:01::YES
+alice::tcpdump::IP alice.strongswan.org > dave2.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP dave2.strongswan.org > alice.strongswan.org: ICMP echo reply::YES
+alice::tcpdump::IP dave2.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > dave2.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/ikev2/dhcp-static-client-id/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/dhcp-static-client-id/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..a19f6cfae
--- /dev/null
+++ b/testing/tests/ikev2/dhcp-static-client-id/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_CAROL
+	leftsourceip=%config
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
diff --git a/testing/tests/ikev2/dhcp-static-client-id/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/dhcp-static-client-id/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..5af37dc90
--- /dev/null
+++ b/testing/tests/ikev2/dhcp-static-client-id/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown resolve
+}
diff --git a/testing/tests/ikev2/dhcp-static-client-id/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/dhcp-static-client-id/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..1a89f4e5d
--- /dev/null
+++ b/testing/tests/ikev2/dhcp-static-client-id/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_DAVE
+	leftsourceip=%config
+	leftcert=daveCert.pem
+	leftid=dave@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
diff --git a/testing/tests/ikev2/dhcp-static-client-id/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/dhcp-static-client-id/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..5af37dc90
--- /dev/null
+++ b/testing/tests/ikev2/dhcp-static-client-id/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown resolve
+}
diff --git a/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/dhcpd.conf b/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/dhcpd.conf
new file mode 100644
index 000000000..0340d5669
--- /dev/null
+++ b/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/dhcpd.conf
@@ -0,0 +1,9 @@
+subnet 10.1.0.0 netmask 255.255.0.0 {
+  option routers 10.1.0.1;
+  option broadcast-address 10.1.255.255;
+  option domain-name servers PH_IP_WINNETOU PH_IP_VENUS
+  option netbios-name-servers PH_IP_VENUS;
+
+  # dynamic address pool for visitors
+  range 10.1.0.30 10.1.0.50;
+}
diff --git a/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/init.d/iptables
new file mode 100755
index 000000000..058bebb2d
--- /dev/null
+++ b/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/init.d/iptables
@@ -0,0 +1,91 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+	before net
+	need logger
+}
+
+start() {
+	ebegin "Starting firewall"
+
+	# enable IP forwarding
+	echo 1 > /proc/sys/net/ipv4/ip_forward
+	
+	# default policy is DROP
+	/sbin/iptables -P INPUT DROP
+	/sbin/iptables -P OUTPUT DROP
+	/sbin/iptables -P FORWARD DROP
+
+	# allow bootpc and bootps
+	iptables -A OUTPUT -p udp --sport bootpc --dport bootps -j ACCEPT
+	iptables -A INPUT  -p udp --sport bootps --dport bootps -j ACCEPT
+
+	# allow broadcasts from eth1
+	iptables -A INPUT -i eth1 -d 10.1.255.255 -j ACCEPT
+
+	# allow esp
+	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+	# allow IKE
+	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+	# allow MobIKE
+	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+	# allow crl fetch from winnetou
+	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+	# allow ssh
+	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
+	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+        # log dropped packets
+        iptables -A INPUT  -j LOG --log-prefix " IN: "
+        iptables -A OUTPUT -j LOG --log-prefix " OUT: "
+
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+	
+			if [ $a == nat ]; then
+				/sbin/iptables -t nat -P PREROUTING ACCEPT
+				/sbin/iptables -t nat -P POSTROUTING ACCEPT
+				/sbin/iptables -t nat -P OUTPUT ACCEPT
+			elif [ $a == mangle ]; then
+				/sbin/iptables -t mangle -P PREROUTING ACCEPT
+				/sbin/iptables -t mangle -P INPUT ACCEPT
+				/sbin/iptables -t mangle -P FORWARD ACCEPT
+				/sbin/iptables -t mangle -P OUTPUT ACCEPT
+				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
+			elif [ $a == filter ]; then
+				/sbin/iptables -t filter -P INPUT ACCEPT
+				/sbin/iptables -t filter -P FORWARD ACCEPT
+				/sbin/iptables -t filter -P OUTPUT ACCEPT
+			fi
+		done
+	eend $?
+}
+
+reload() {
+	ebegin "Flushing firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+		done;
+        eend $?
+	start
+}
+
diff --git a/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..3868a7a38
--- /dev/null
+++ b/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	left=PH_IP_MOON
+	leftsubnet=10.1.0.0/16
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftfirewall=yes
+
+conn rw
+	right=%any
+	rightsourceip=%dhcp
+	auto=add
diff --git a/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..146c81f48
--- /dev/null
+++ b/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,10 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown attr farp dhcp
+  plugins {
+    dhcp {
+      server = 10.1.255.255
+    }
+  }
+}
diff --git a/testing/tests/ikev2/dhcp-static-client-id/hosts/venus/etc/dhcpd.conf b/testing/tests/ikev2/dhcp-static-client-id/hosts/venus/etc/dhcpd.conf
new file mode 100644
index 000000000..44ee681b6
--- /dev/null
+++ b/testing/tests/ikev2/dhcp-static-client-id/hosts/venus/etc/dhcpd.conf
@@ -0,0 +1,25 @@
+# dhcpd configuration file
+
+ddns-update-style none;
+
+subnet 10.1.0.0 netmask 255.255.0.0 {
+  option domain-name            "strongswan.org";
+  option domain-name-servers     10.1.0.20;
+  option netbios-name-servers    10.1.0.10;
+  option routers                 10.1.0.1;
+  option broadcast-address       10.1.255.255;
+  next-server                    10.1.0.20;
+
+  range 10.1.0.50 10.1.0.60;
+}
+
+host carol {
+  option dhcp-client-identifier "carol@strongswan.org";
+  fixed-address                  10.1.0.30;
+}
+
+host dave {
+  option dhcp-client-identifier "dave@strongswan.org";
+  fixed-address                  10.1.0.40;
+}
+
diff --git a/testing/tests/ikev2/dhcp-static-client-id/hosts/venus/etc/dnsmasq.conf b/testing/tests/ikev2/dhcp-static-client-id/hosts/venus/etc/dnsmasq.conf
new file mode 100644
index 000000000..5672236a0
--- /dev/null
+++ b/testing/tests/ikev2/dhcp-static-client-id/hosts/venus/etc/dnsmasq.conf
@@ -0,0 +1,9 @@
+interface=eth0
+dhcp-range=10.1.0.50,10.1.0.60,255.255.0.0,10.1.255.255
+dhcp-host=id:carol@strongswan.org,10.1.0.30
+dhcp-host=id:dave@strongswan.org,10.1.0.40
+dhcp-option=option:router,10.1.0.1
+dhcp-option=option:dns-server,10.1.0.20
+dhcp-option=option:netbios-ns,10.1.0.10
+dhcp-option=option:domain-name,strongswan.org
+log-dhcp
diff --git a/testing/tests/ikev2/dhcp-static-client-id/hosts/venus/etc/init.d/dhcpd b/testing/tests/ikev2/dhcp-static-client-id/hosts/venus/etc/init.d/dhcpd
new file mode 100755
index 000000000..4044dcc35
--- /dev/null
+++ b/testing/tests/ikev2/dhcp-static-client-id/hosts/venus/etc/init.d/dhcpd
@@ -0,0 +1,24 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop"
+
+depend() {
+	need net
+	need logger
+}
+
+start() {
+	ebegin "Starting DHCP server"
+	start-stop-daemon --start --quiet --exec /usr/sbin/dhcpd
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping DHCP server"
+	start-stop-daemon --stop --quiet --pidfile /var/run/dhcpd.pid
+	rm -f /var/state/dhcp/dhcpd.leases
+	touch /var/state/dhcp/dhcpd.leases
+	eend $?
+}
diff --git a/testing/tests/ikev2/dhcp-static-client-id/posttest.dat b/testing/tests/ikev2/dhcp-static-client-id/posttest.dat
new file mode 100644
index 000000000..e1aadc618
--- /dev/null
+++ b/testing/tests/ikev2/dhcp-static-client-id/posttest.dat
@@ -0,0 +1,9 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+venus::/etc/init.d/dhcpd stop 2> /dev/null
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
+alice::arp -d 10.1.0.30
+alice::arp -d 10.1.0.40
diff --git a/testing/tests/ikev2/dhcp-static-client-id/pretest.dat b/testing/tests/ikev2/dhcp-static-client-id/pretest.dat
new file mode 100644
index 000000000..bd36b4fe3
--- /dev/null
+++ b/testing/tests/ikev2/dhcp-static-client-id/pretest.dat
@@ -0,0 +1,12 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+venus::cat /etc/dhcpd.conf
+venus::/etc/init.d/dhcpd start 2> /dev/null
+carol::ipsec start
+dave::ipsec start
+moon::ipsec start
+carol::sleep 2 
+carol::ipsec up home
+dave::ipsec up home
+carol::sleep 1
diff --git a/testing/tests/ikev2/dhcp-static-client-id/test.conf b/testing/tests/ikev2/dhcp-static-client-id/test.conf
new file mode 100644
index 000000000..a2ad7b25f
--- /dev/null
+++ b/testing/tests/ikev2/dhcp-static-client-id/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice venus moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon alice"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/dhcp-static-mac/description.txt b/testing/tests/ikev2/dhcp-static-mac/description.txt
new file mode 100644
index 000000000..ed7525c87
--- /dev/null
+++ b/testing/tests/ikev2/dhcp-static-mac/description.txt
@@ -0,0 +1,12 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>
+and request a <b>virtual IP</b> via the IKEv2 configuration payload by using the <b>leftsourceip=%config</b>
+parameter. The <b>dhcp</b> plugin on gateway <b>moon</b> then requests an IP address and DNS/WINS server
+information from DHCP server <b>venus</b> using the DHCP protocol. The IP addresses are assigned statically 
+by <b>venus</b> based on the user-defined MAC address derived by the <b>dhcp</b> plugin from a hash over
+the client identity. This deterministic MAC generation is activated with the strongswan.conf setting
+<b>charon.plugins.dhcp.identity_lease = yes</b>.
+<p/> 
+With the static assignment of 10.1.0.30 and 10.1.0.40, respectively, <b>carol</b> and <b>dave</b>
+become full members of the subnet 10.1.0.0/16 hidden behind gateway <b>moon</b>. And this thanks to
+the <b>farp</b> plugin through which <b>moon</b> acts as a proxy for ARP requests e.g. from <b>alice</b>
+who wants to ping <b>carol</b> and <b>dave</b>. 
diff --git a/testing/tests/ikev2/dhcp-static-mac/evaltest.dat b/testing/tests/ikev2/dhcp-static-mac/evaltest.dat
new file mode 100644
index 000000000..8abd2416a
--- /dev/null
+++ b/testing/tests/ikev2/dhcp-static-mac/evaltest.dat
@@ -0,0 +1,22 @@
+carol::ipsec status::home.*INSTALLED::YES
+alice::ping -c 1 10.1.0.30::64 bytes from 10.1.0.30: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave::ipsec status::home.*INSTALLED::YES
+alice::ping -c 1 10.1.0.40::64 bytes from 10.1.0.40: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::ipsec status::rw{.*10.1.0.0/16 === 10.1.0.30/32::YES
+moon::ipsec status::rw{.*10.1.0.0/16 === 10.1.0.40/32::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+alice::tcpdump::arp reply carol2.strongswan.org is-at fe:fd:0a:01:00:01::YES
+alice::tcpdump::IP alice.strongswan.org > carol2.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP carol2.strongswan.org > alice.strongswan.org: ICMP echo reply::YES
+alice::tcpdump::IP carol2.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > carol2.strongswan.org: ICMP echo reply::YES
+alice::tcpdump::arp reply dave2.strongswan.org is-at fe:fd:0a:01:00:01::YES
+alice::tcpdump::IP alice.strongswan.org > dave2.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP dave2.strongswan.org > alice.strongswan.org: ICMP echo reply::YES
+alice::tcpdump::IP dave2.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > dave2.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/ikev2/dhcp-static-mac/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/dhcp-static-mac/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..a19f6cfae
--- /dev/null
+++ b/testing/tests/ikev2/dhcp-static-mac/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_CAROL
+	leftsourceip=%config
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
diff --git a/testing/tests/ikev2/dhcp-static-mac/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/dhcp-static-mac/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..5af37dc90
--- /dev/null
+++ b/testing/tests/ikev2/dhcp-static-mac/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown resolve
+}
diff --git a/testing/tests/ikev2/dhcp-static-mac/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/dhcp-static-mac/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..1a89f4e5d
--- /dev/null
+++ b/testing/tests/ikev2/dhcp-static-mac/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_DAVE
+	leftsourceip=%config
+	leftcert=daveCert.pem
+	leftid=dave@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
diff --git a/testing/tests/ikev2/dhcp-static-mac/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/dhcp-static-mac/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..5af37dc90
--- /dev/null
+++ b/testing/tests/ikev2/dhcp-static-mac/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown resolve
+}
diff --git a/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/dhcpd.conf b/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/dhcpd.conf
new file mode 100644
index 000000000..0340d5669
--- /dev/null
+++ b/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/dhcpd.conf
@@ -0,0 +1,9 @@
+subnet 10.1.0.0 netmask 255.255.0.0 {
+  option routers 10.1.0.1;
+  option broadcast-address 10.1.255.255;
+  option domain-name servers PH_IP_WINNETOU PH_IP_VENUS
+  option netbios-name-servers PH_IP_VENUS;
+
+  # dynamic address pool for visitors
+  range 10.1.0.30 10.1.0.50;
+}
diff --git a/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/init.d/iptables
new file mode 100755
index 000000000..058bebb2d
--- /dev/null
+++ b/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/init.d/iptables
@@ -0,0 +1,91 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+	before net
+	need logger
+}
+
+start() {
+	ebegin "Starting firewall"
+
+	# enable IP forwarding
+	echo 1 > /proc/sys/net/ipv4/ip_forward
+	
+	# default policy is DROP
+	/sbin/iptables -P INPUT DROP
+	/sbin/iptables -P OUTPUT DROP
+	/sbin/iptables -P FORWARD DROP
+
+	# allow bootpc and bootps
+	iptables -A OUTPUT -p udp --sport bootpc --dport bootps -j ACCEPT
+	iptables -A INPUT  -p udp --sport bootps --dport bootps -j ACCEPT
+
+	# allow broadcasts from eth1
+	iptables -A INPUT -i eth1 -d 10.1.255.255 -j ACCEPT
+
+	# allow esp
+	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+	# allow IKE
+	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+	# allow MobIKE
+	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+	# allow crl fetch from winnetou
+	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+	# allow ssh
+	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
+	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+        # log dropped packets
+        iptables -A INPUT  -j LOG --log-prefix " IN: "
+        iptables -A OUTPUT -j LOG --log-prefix " OUT: "
+
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+	
+			if [ $a == nat ]; then
+				/sbin/iptables -t nat -P PREROUTING ACCEPT
+				/sbin/iptables -t nat -P POSTROUTING ACCEPT
+				/sbin/iptables -t nat -P OUTPUT ACCEPT
+			elif [ $a == mangle ]; then
+				/sbin/iptables -t mangle -P PREROUTING ACCEPT
+				/sbin/iptables -t mangle -P INPUT ACCEPT
+				/sbin/iptables -t mangle -P FORWARD ACCEPT
+				/sbin/iptables -t mangle -P OUTPUT ACCEPT
+				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
+			elif [ $a == filter ]; then
+				/sbin/iptables -t filter -P INPUT ACCEPT
+				/sbin/iptables -t filter -P FORWARD ACCEPT
+				/sbin/iptables -t filter -P OUTPUT ACCEPT
+			fi
+		done
+	eend $?
+}
+
+reload() {
+	ebegin "Flushing firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+		done;
+        eend $?
+	start
+}
+
diff --git a/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..3868a7a38
--- /dev/null
+++ b/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	left=PH_IP_MOON
+	leftsubnet=10.1.0.0/16
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftfirewall=yes
+
+conn rw
+	right=%any
+	rightsourceip=%dhcp
+	auto=add
diff --git a/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..40c3c2418
--- /dev/null
+++ b/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown attr farp dhcp
+  plugins {
+    dhcp {
+      server = 10.1.255.255
+      identity_lease = yes
+    }
+  }
+}
diff --git a/testing/tests/ikev2/dhcp-static-mac/hosts/venus/etc/dhcpd.conf b/testing/tests/ikev2/dhcp-static-mac/hosts/venus/etc/dhcpd.conf
new file mode 100644
index 000000000..20666f701
--- /dev/null
+++ b/testing/tests/ikev2/dhcp-static-mac/hosts/venus/etc/dhcpd.conf
@@ -0,0 +1,25 @@
+# dhcpd configuration file
+
+ddns-update-style none;
+
+subnet 10.1.0.0 netmask 255.255.0.0 {
+  option domain-name          "strongswan.org";
+  option domain-name-servers   10.1.0.20;
+  option netbios-name-servers  10.1.0.10;
+  option routers               10.1.0.1;
+  option broadcast-address     10.1.255.255;
+  next-server                  10.1.0.20;
+
+  range 10.1.0.50 10.1.0.60;
+}
+
+host carol {
+  hardware ethernet            7a:a7:8f:fc:db:3b;
+  fixed-address                10.1.0.30;
+}
+
+host dave {
+  hardware ethernet            7a:a7:35:78:bc:85;
+  fixed-address                10.1.0.40;
+}
+
diff --git a/testing/tests/ikev2/dhcp-static-mac/hosts/venus/etc/dnsmasq.conf b/testing/tests/ikev2/dhcp-static-mac/hosts/venus/etc/dnsmasq.conf
new file mode 100644
index 000000000..e3729081f
--- /dev/null
+++ b/testing/tests/ikev2/dhcp-static-mac/hosts/venus/etc/dnsmasq.conf
@@ -0,0 +1,9 @@
+interface=eth0
+dhcp-range=10.1.0.50,10.1.0.60,255.255.0.0,10.1.255.255
+dhcp-host=7a:a7:8f:fc:db:3b,10.1.0.30
+dhcp-host=7a:a7:35:78:bc:85,10.1.0.40
+dhcp-option=option:router,10.1.0.1
+dhcp-option=option:dns-server,10.1.0.20
+dhcp-option=option:netbios-ns,10.1.0.10
+dhcp-option=option:domain-name,strongswan.org
+log-dhcp
diff --git a/testing/tests/ikev2/dhcp-static-mac/hosts/venus/etc/init.d/dhcpd b/testing/tests/ikev2/dhcp-static-mac/hosts/venus/etc/init.d/dhcpd
new file mode 100755
index 000000000..4044dcc35
--- /dev/null
+++ b/testing/tests/ikev2/dhcp-static-mac/hosts/venus/etc/init.d/dhcpd
@@ -0,0 +1,24 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop"
+
+depend() {
+	need net
+	need logger
+}
+
+start() {
+	ebegin "Starting DHCP server"
+	start-stop-daemon --start --quiet --exec /usr/sbin/dhcpd
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping DHCP server"
+	start-stop-daemon --stop --quiet --pidfile /var/run/dhcpd.pid
+	rm -f /var/state/dhcp/dhcpd.leases
+	touch /var/state/dhcp/dhcpd.leases
+	eend $?
+}
diff --git a/testing/tests/ikev2/dhcp-static-mac/posttest.dat b/testing/tests/ikev2/dhcp-static-mac/posttest.dat
new file mode 100644
index 000000000..e1aadc618
--- /dev/null
+++ b/testing/tests/ikev2/dhcp-static-mac/posttest.dat
@@ -0,0 +1,9 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+venus::/etc/init.d/dhcpd stop 2> /dev/null
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
+alice::arp -d 10.1.0.30
+alice::arp -d 10.1.0.40
diff --git a/testing/tests/ikev2/dhcp-static-mac/pretest.dat b/testing/tests/ikev2/dhcp-static-mac/pretest.dat
new file mode 100644
index 000000000..bd36b4fe3
--- /dev/null
+++ b/testing/tests/ikev2/dhcp-static-mac/pretest.dat
@@ -0,0 +1,12 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+venus::cat /etc/dhcpd.conf
+venus::/etc/init.d/dhcpd start 2> /dev/null
+carol::ipsec start
+dave::ipsec start
+moon::ipsec start
+carol::sleep 2 
+carol::ipsec up home
+dave::ipsec up home
+carol::sleep 1
diff --git a/testing/tests/ikev2/dhcp-static-mac/test.conf b/testing/tests/ikev2/dhcp-static-mac/test.conf
new file mode 100644
index 000000000..a2ad7b25f
--- /dev/null
+++ b/testing/tests/ikev2/dhcp-static-mac/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice venus moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon alice"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/double-nat-net/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/double-nat-net/hosts/alice/etc/strongswan.conf
index 06b1e9f48..de9ae45cc 100644
--- a/testing/tests/ikev2/double-nat-net/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/double-nat-net/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/double-nat-net/hosts/bob/etc/strongswan.conf b/testing/tests/ikev2/double-nat-net/hosts/bob/etc/strongswan.conf
index 06b1e9f48..de9ae45cc 100644
--- a/testing/tests/ikev2/double-nat-net/hosts/bob/etc/strongswan.conf
+++ b/testing/tests/ikev2/double-nat-net/hosts/bob/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/double-nat/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/double-nat/hosts/alice/etc/strongswan.conf
index 06b1e9f48..de9ae45cc 100644
--- a/testing/tests/ikev2/double-nat/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/double-nat/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/double-nat/hosts/bob/etc/strongswan.conf b/testing/tests/ikev2/double-nat/hosts/bob/etc/strongswan.conf
index 06b1e9f48..de9ae45cc 100644
--- a/testing/tests/ikev2/double-nat/hosts/bob/etc/strongswan.conf
+++ b/testing/tests/ikev2/double-nat/hosts/bob/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/dpd-clear/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/dpd-clear/hosts/carol/etc/strongswan.conf
index 06b1e9f48..de9ae45cc 100644
--- a/testing/tests/ikev2/dpd-clear/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/dpd-clear/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/dpd-clear/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/dpd-clear/hosts/moon/etc/strongswan.conf
index 572cf39cb..dd2df0670 100644
--- a/testing/tests/ikev2/dpd-clear/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/dpd-clear/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/dpd-hold/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/dpd-hold/hosts/carol/etc/strongswan.conf
index 06b1e9f48..de9ae45cc 100644
--- a/testing/tests/ikev2/dpd-hold/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/dpd-hold/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/dpd-hold/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/dpd-hold/hosts/moon/etc/strongswan.conf
index 572cf39cb..dd2df0670 100644
--- a/testing/tests/ikev2/dpd-hold/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/dpd-hold/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/dpd-restart/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/dpd-restart/hosts/carol/etc/strongswan.conf
index 06b1e9f48..de9ae45cc 100644
--- a/testing/tests/ikev2/dpd-restart/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/dpd-restart/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/dpd-restart/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/dpd-restart/hosts/moon/etc/strongswan.conf
index 572cf39cb..dd2df0670 100644
--- a/testing/tests/ikev2/dpd-restart/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/dpd-restart/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/esp-alg-aes-ccm/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-aes-ccm/hosts/carol/etc/strongswan.conf
index 06b1e9f48..de9ae45cc 100644
--- a/testing/tests/ikev2/esp-alg-aes-ccm/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/esp-alg-aes-ccm/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/esp-alg-aes-ccm/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-aes-ccm/hosts/moon/etc/strongswan.conf
index 06b1e9f48..de9ae45cc 100644
--- a/testing/tests/ikev2/esp-alg-aes-ccm/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/esp-alg-aes-ccm/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/esp-alg-aes-ctr/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-aes-ctr/hosts/carol/etc/strongswan.conf
index 06b1e9f48..de9ae45cc 100644
--- a/testing/tests/ikev2/esp-alg-aes-ctr/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/esp-alg-aes-ctr/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/esp-alg-aes-ctr/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-aes-ctr/hosts/moon/etc/strongswan.conf
index 06b1e9f48..de9ae45cc 100644
--- a/testing/tests/ikev2/esp-alg-aes-ctr/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/esp-alg-aes-ctr/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/esp-alg-aes-gcm/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-aes-gcm/hosts/carol/etc/strongswan.conf
index 06b1e9f48..de9ae45cc 100644
--- a/testing/tests/ikev2/esp-alg-aes-gcm/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/esp-alg-aes-gcm/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/esp-alg-aes-gcm/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-aes-gcm/hosts/moon/etc/strongswan.conf
index 06b1e9f48..de9ae45cc 100644
--- a/testing/tests/ikev2/esp-alg-aes-gcm/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/esp-alg-aes-gcm/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/esp-alg-aes-gmac/description.txt b/testing/tests/ikev2/esp-alg-aes-gmac/description.txt
new file mode 100644
index 000000000..823ec253d
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-aes-gmac/description.txt
@@ -0,0 +1,4 @@
+Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the authentication-only
+ESP cipher suite <b>NULL_AES_GMAC_256</b> by defining <b>esp=aes256gmac-modp2048!</b>
+in ipsec.conf. A ping from <b>carol</b> to <b>alice</b> successfully checks
+the established tunnel.
diff --git a/testing/tests/ikev2/esp-alg-aes-gmac/evaltest.dat b/testing/tests/ikev2/esp-alg-aes-gmac/evaltest.dat
new file mode 100644
index 000000000..534f6d452
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-aes-gmac/evaltest.dat
@@ -0,0 +1,7 @@
+moon::ipsec statusall::rw.*INSTALLED::YES
+carol::ipsec statusall::home.*INSTALLED::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::ipsec statusall::NULL_AES_GMAC_256::YES
+carol::ipsec statusall::NULL_AES_GMAC_256::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 184::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 184::YES
diff --git a/testing/tests/ikev2/esp-alg-aes-gmac/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-aes-gmac/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..f3a266c7d
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-aes-gmac/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=yes
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=aes256-aesxcbc-modp2048!
+	esp=aes256gmac-modp2048!
+
+conn home
+	left=PH_IP_CAROL
+	leftfirewall=yes
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add 
diff --git a/testing/tests/ikev2/esp-alg-aes-gmac/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-aes-gmac/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..de9ae45cc
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-aes-gmac/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/esp-alg-aes-gmac/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-aes-gmac/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..bbdb38301
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-aes-gmac/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=yes
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=aes256-aesxcbc-modp2048!
+	esp=aes256gmac-modp2048!
+
+conn rw
+	left=PH_IP_MOON
+	leftfirewall=yes
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	right=%any
+	auto=add
diff --git a/testing/tests/ikev2/esp-alg-aes-gmac/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-aes-gmac/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..de9ae45cc
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-aes-gmac/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/esp-alg-aes-gmac/posttest.dat b/testing/tests/ikev2/esp-alg-aes-gmac/posttest.dat
new file mode 100644
index 000000000..94a400606
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-aes-gmac/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/esp-alg-aes-gmac/pretest.dat b/testing/tests/ikev2/esp-alg-aes-gmac/pretest.dat
new file mode 100644
index 000000000..f360351e1
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-aes-gmac/pretest.dat
@@ -0,0 +1,6 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+carol::sleep 1 
+carol::ipsec up home
diff --git a/testing/tests/ikev2/esp-alg-aes-gmac/test.conf b/testing/tests/ikev2/esp-alg-aes-gmac/test.conf
new file mode 100644
index 000000000..acb73b06f
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-aes-gmac/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/esp-alg-null/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-null/hosts/carol/etc/strongswan.conf
index 06b1e9f48..de9ae45cc 100644
--- a/testing/tests/ikev2/esp-alg-null/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/esp-alg-null/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/esp-alg-null/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-null/hosts/moon/etc/strongswan.conf
index 06b1e9f48..de9ae45cc 100644
--- a/testing/tests/ikev2/esp-alg-null/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/esp-alg-null/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/farp/description.txt b/testing/tests/ikev2/farp/description.txt
new file mode 100644
index 000000000..04e1c10e5
--- /dev/null
+++ b/testing/tests/ikev2/farp/description.txt
@@ -0,0 +1,6 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>
+and request a <b>virtual IP</b> via the IKEv2 configuration payload by using the <b>leftsourceip=%config</b>
+parameter. The virtual addresses assigned to the clients by gateway <b>moon</b> belong to the
+subnet 10.1.0.0/16 hidden behind the gateway so that <b>carol</b> and <b>dave</b> become full members of
+this network. And this thanks to the <b>farp</b> plugin through which <b>moon</b> acts as a proxy
+for ARP requests e.g. from <b>alice</b> who wants to ping <b>carol</b> and <b>dave</b>. 
diff --git a/testing/tests/ikev2/farp/evaltest.dat b/testing/tests/ikev2/farp/evaltest.dat
new file mode 100644
index 000000000..d48812f47
--- /dev/null
+++ b/testing/tests/ikev2/farp/evaltest.dat
@@ -0,0 +1,22 @@
+carol::ipsec status::home.*INSTALLED::YES
+alice::ping -c 1 10.1.0.30::64 bytes from 10.1.0.30: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave::ipsec status::home.*INSTALLED::YES
+alice::ping -c 1 10.1.0.40::64 bytes from 10.1.0.40: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::ipsec status::rw-carol.*INSTALLED::YES
+moon::ipsec status::rw-dave.*INSTALLED::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+alice::tcpdump::arp reply carol2.strongswan.org is-at fe:fd:0a:01:00:01::YES
+alice::tcpdump::IP alice.strongswan.org > carol2.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP carol2.strongswan.org > alice.strongswan.org: ICMP echo reply::YES
+alice::tcpdump::IP carol2.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > carol2.strongswan.org: ICMP echo reply::YES
+alice::tcpdump::arp reply dave2.strongswan.org is-at fe:fd:0a:01:00:01::YES
+alice::tcpdump::IP alice.strongswan.org > dave2.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP dave2.strongswan.org > alice.strongswan.org: ICMP echo reply::YES
+alice::tcpdump::IP dave2.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > dave2.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/ikev2/farp/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/farp/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..a19f6cfae
--- /dev/null
+++ b/testing/tests/ikev2/farp/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_CAROL
+	leftsourceip=%config
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
diff --git a/testing/tests/ikev2/farp/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/farp/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..5af37dc90
--- /dev/null
+++ b/testing/tests/ikev2/farp/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown resolve
+}
diff --git a/testing/tests/ikev2/farp/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/farp/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..1a89f4e5d
--- /dev/null
+++ b/testing/tests/ikev2/farp/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_DAVE
+	leftsourceip=%config
+	leftcert=daveCert.pem
+	leftid=dave@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
diff --git a/testing/tests/ikev2/farp/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/farp/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..5af37dc90
--- /dev/null
+++ b/testing/tests/ikev2/farp/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown resolve
+}
diff --git a/testing/tests/ikev2/farp/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/farp/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..19dd5d3e6
--- /dev/null
+++ b/testing/tests/ikev2/farp/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,30 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	left=PH_IP_MOON
+	leftsubnet=10.1.0.0/16
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftfirewall=yes
+
+conn rw-carol
+	right=%any
+	rightid=carol@strongswan.org
+	rightsourceip=10.1.0.30
+	auto=add
+
+conn rw-dave
+	right=%any
+	rightid=dave@strongswan.org
+	rightsourceip=10.1.0.40
+	auto=add
diff --git a/testing/tests/ikev2/farp/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/farp/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..4585d928a
--- /dev/null
+++ b/testing/tests/ikev2/farp/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown attr farp
+  dns1 = PH_IP_WINNETOU
+  dns2 = PH_IP_VENUS
+}
diff --git a/testing/tests/ikev2/farp/posttest.dat b/testing/tests/ikev2/farp/posttest.dat
new file mode 100644
index 000000000..7cebd7f25
--- /dev/null
+++ b/testing/tests/ikev2/farp/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/farp/pretest.dat b/testing/tests/ikev2/farp/pretest.dat
new file mode 100644
index 000000000..709931e1b
--- /dev/null
+++ b/testing/tests/ikev2/farp/pretest.dat
@@ -0,0 +1,12 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+alice::arp -d 10.1.0.30
+alice::arp -d 10.1.0.40
+carol::ipsec start
+dave::ipsec start
+moon::ipsec start
+carol::sleep 2 
+carol::ipsec up home
+dave::ipsec up home
+carol::sleep 1
diff --git a/testing/tests/ikev2/farp/test.conf b/testing/tests/ikev2/farp/test.conf
new file mode 100644
index 000000000..1a8f2a4e0
--- /dev/null
+++ b/testing/tests/ikev2/farp/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon alice"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/force-udp-encaps/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/force-udp-encaps/hosts/alice/etc/strongswan.conf
index 06b1e9f48..de9ae45cc 100644
--- a/testing/tests/ikev2/force-udp-encaps/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/force-udp-encaps/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/strongswan.conf
index 06b1e9f48..de9ae45cc 100644
--- a/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/host2host-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/host2host-cert/hosts/moon/etc/strongswan.conf
index 06b1e9f48..de9ae45cc 100644
--- a/testing/tests/ikev2/host2host-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/host2host-cert/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/host2host-cert/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/host2host-cert/hosts/sun/etc/strongswan.conf
index 06b1e9f48..de9ae45cc 100644
--- a/testing/tests/ikev2/host2host-cert/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/host2host-cert/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/host2host-swapped/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/host2host-swapped/hosts/moon/etc/strongswan.conf
index 06b1e9f48..de9ae45cc 100644
--- a/testing/tests/ikev2/host2host-swapped/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/host2host-swapped/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/host2host-swapped/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/host2host-swapped/hosts/sun/etc/strongswan.conf
index 06b1e9f48..de9ae45cc 100644
--- a/testing/tests/ikev2/host2host-swapped/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/host2host-swapped/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/host2host-transport/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/host2host-transport/hosts/moon/etc/strongswan.conf
index 9af403198..291f08db1 100644
--- a/testing/tests/ikev2/host2host-transport/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/host2host-transport/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/host2host-transport/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/host2host-transport/hosts/sun/etc/strongswan.conf
index 9af403198..291f08db1 100644
--- a/testing/tests/ikev2/host2host-transport/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/host2host-transport/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/inactivity-timeout/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/inactivity-timeout/hosts/carol/etc/strongswan.conf
index 06b1e9f48..de9ae45cc 100644
--- a/testing/tests/ikev2/inactivity-timeout/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/inactivity-timeout/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/inactivity-timeout/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/inactivity-timeout/hosts/moon/etc/strongswan.conf
index 06b1e9f48..de9ae45cc 100644
--- a/testing/tests/ikev2/inactivity-timeout/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/inactivity-timeout/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/ip-pool-db/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-pool-db/hosts/carol/etc/strongswan.conf
index ff38e227b..5af37dc90 100644
--- a/testing/tests/ikev2/ip-pool-db/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-pool-db/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown resolve
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown resolve
 }
diff --git a/testing/tests/ikev2/ip-pool-db/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ip-pool-db/hosts/dave/etc/strongswan.conf
index ff38e227b..5af37dc90 100644
--- a/testing/tests/ikev2/ip-pool-db/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-pool-db/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown resolve
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown resolve
 }
diff --git a/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/strongswan.conf
index b7c598fca..626bec3ed 100644
--- a/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/strongswan.conf
@@ -1,10 +1,10 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink sqlite attr-sql updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default sqlite attr-sql updown
 }
 
-libstrongswan {
+libhydra {
   plugins {
     attr-sql {
       database = sqlite:///etc/ipsec.d/ipsec.db
diff --git a/testing/tests/ikev2/ip-pool-wish/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-pool-wish/hosts/carol/etc/strongswan.conf
index 06b1e9f48..de9ae45cc 100644
--- a/testing/tests/ikev2/ip-pool-wish/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-pool-wish/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/ip-pool-wish/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ip-pool-wish/hosts/dave/etc/strongswan.conf
index 06b1e9f48..de9ae45cc 100644
--- a/testing/tests/ikev2/ip-pool-wish/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-pool-wish/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/ip-pool-wish/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-pool-wish/hosts/moon/etc/strongswan.conf
index 06b1e9f48..de9ae45cc 100644
--- a/testing/tests/ikev2/ip-pool-wish/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-pool-wish/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/ip-pool/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-pool/hosts/carol/etc/strongswan.conf
index 06b1e9f48..de9ae45cc 100644
--- a/testing/tests/ikev2/ip-pool/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-pool/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/ip-pool/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ip-pool/hosts/dave/etc/strongswan.conf
index 06b1e9f48..de9ae45cc 100644
--- a/testing/tests/ikev2/ip-pool/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-pool/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/ip-pool/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-pool/hosts/moon/etc/strongswan.conf
index 06b1e9f48..de9ae45cc 100644
--- a/testing/tests/ikev2/ip-pool/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-pool/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/ip-split-pools-db/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-split-pools-db/hosts/carol/etc/strongswan.conf
index 06b1e9f48..de9ae45cc 100644
--- a/testing/tests/ikev2/ip-split-pools-db/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-split-pools-db/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/ip-split-pools-db/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ip-split-pools-db/hosts/dave/etc/strongswan.conf
index 06b1e9f48..de9ae45cc 100644
--- a/testing/tests/ikev2/ip-split-pools-db/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-split-pools-db/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/strongswan.conf
index b7c598fca..626bec3ed 100644
--- a/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/strongswan.conf
@@ -1,10 +1,10 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink sqlite attr-sql updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default sqlite attr-sql updown
 }
 
-libstrongswan {
+libhydra {
   plugins {
     attr-sql {
       database = sqlite:///etc/ipsec.d/ipsec.db
diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/strongswan.conf
index 06b1e9f48..de9ae45cc 100644
--- a/testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/carol/etc/strongswan.conf
index 06b1e9f48..de9ae45cc 100644
--- a/testing/tests/ikev2/ip-two-pools-db/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools-db/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/dave/etc/strongswan.conf
index 06b1e9f48..de9ae45cc 100644
--- a/testing/tests/ikev2/ip-two-pools-db/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools-db/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/strongswan.conf
index 1ce52a848..70d66b20b 100644
--- a/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/strongswan.conf
@@ -1,10 +1,10 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke sqlite attr-sql kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke sqlite attr-sql kernel-netlink socket-default updown
 }
 
-libstrongswan {
+libhydra {
   plugins {
     attr-sql {
       database = sqlite:///etc/ipsec.d/ipsec.db
diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/strongswan.conf
index 06b1e9f48..de9ae45cc 100644
--- a/testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/strongswan.conf
index 06b1e9f48..de9ae45cc 100644
--- a/testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-mixed/hosts/carol/etc/strongswan.conf
index 06b1e9f48..de9ae45cc 100644
--- a/testing/tests/ikev2/ip-two-pools-mixed/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools-mixed/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf
index 1ce52a848..70d66b20b 100644
--- a/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf
@@ -1,10 +1,10 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke sqlite attr-sql kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke sqlite attr-sql kernel-netlink socket-default updown
 }
 
-libstrongswan {
+libhydra {
   plugins {
     attr-sql {
       database = sqlite:///etc/ipsec.d/ipsec.db
diff --git a/testing/tests/ikev2/ip-two-pools/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools/hosts/alice/etc/strongswan.conf
index 06b1e9f48..de9ae45cc 100644
--- a/testing/tests/ikev2/ip-two-pools/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/ip-two-pools/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools/hosts/carol/etc/strongswan.conf
index 06b1e9f48..de9ae45cc 100644
--- a/testing/tests/ikev2/ip-two-pools/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/strongswan.conf
index 06b1e9f48..de9ae45cc 100644
--- a/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/mobike-nat/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/mobike-nat/hosts/alice/etc/strongswan.conf
index 572cf39cb..dd2df0670 100644
--- a/testing/tests/ikev2/mobike-nat/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/mobike-nat/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/mobike-nat/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/mobike-nat/hosts/sun/etc/strongswan.conf
index 572cf39cb..dd2df0670 100644
--- a/testing/tests/ikev2/mobike-nat/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/mobike-nat/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/strongswan.conf
index 572cf39cb..dd2df0670 100644
--- a/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/strongswan.conf
index 572cf39cb..dd2df0670 100644
--- a/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/mobike/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/mobike/hosts/alice/etc/strongswan.conf
index 572cf39cb..dd2df0670 100644
--- a/testing/tests/ikev2/mobike/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/mobike/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/mobike/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/mobike/hosts/sun/etc/strongswan.conf
index 572cf39cb..dd2df0670 100644
--- a/testing/tests/ikev2/mobike/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/mobike/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/strongswan.conf
index 49f69ff0c..2435403a4 100644
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink fips-prf eap-sim eap-sim-file eap-identity updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file eap-identity updown
 }
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/strongswan.conf
index 49f69ff0c..2435403a4 100644
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink fips-prf eap-sim eap-sim-file eap-identity updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file eap-identity updown
 }
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/strongswan.conf
index 9f3c6bfa3..f0e7da85e 100644
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink fips-prf eap-radius eap-identity updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius eap-identity updown
   plugins {
     eap-radius {
       secret = gv6URkSs
diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/ipsec.d/cacerts/researchCert.pem b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/ipsec.d/cacerts/researchCert.pem
index 154cff654..d53365f78 100644
--- a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/ipsec.d/cacerts/researchCert.pem
+++ b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/ipsec.d/cacerts/researchCert.pem
@@ -1,7 +1,7 @@
 -----BEGIN CERTIFICATE-----
-MIIDwTCCAqmgAwIBAgIBDzANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
+MIIDwTCCAqmgAwIBAgIBIDANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA1MDYyMTE5NTgwNloXDTEwMDYyMDE5NTgwNlowUTELMAkGA1UE
+b290IENBMB4XDTEwMDQwNjA5NTM1MFoXDTE5MDQwNDA5NTM1MFowUTELMAkGA1UE
 BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
 cmNoMRQwEgYDVQQDEwtSZXNlYXJjaCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP
 ADCCAQoCggEBALY5sjqm4AdbWKc/T7JahWpy9xtdPbHngBN6lbnpYaHfrxnGsvmD
@@ -13,11 +13,11 @@ C+25IuE8Nq+i3jtBiI8BwBqHY3u2IuflUh9Nc9d/R6vGsRPMHs30X1Ha/m0Ug494
 BTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU53XwoPKtIM3NYCPMx8gPKfPd
 VCAwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNV
 BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJv
-bmdTd2FuIFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQEEBQADggEBAHArS2trQnBoMVcg
-Br3HV78wYsa1MNAQCBAPhKMMd6EziO4FTwgNgecbKXpObX6ErFDgjtVTcLOMTvNX
-fvZoNuPpdcitlgcWjfxZafNbj6j9ClE/rMbGDO64NLhdXuPVkbmic6yXRwGZpTuq
-3CKgTguLvhzIEM47yfonXKaaJcKVPI7nYRZdlJmD4VflYrSUpzB361dCaPpl0AYa
-0zz1+jfBBvlyic/tf+cCngV3f+GlJ4ntZ3gvRjyysHRmYpWBD7xcA8mJzgUiMyi1
-IKeNzydp+tnLfxwetfA/8ptc346me7RktAaASqO9vpS/N78eXyJRthZTKEf/OqVW
-Tfcyi+M=
+bmdTd2FuIFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQELBQADggEBAI1toW0bLcyBXAoy
+FeLKGy4SibcNBZs/roChcwUav0foyLdCYMYFKEeHOLvIsTIjifpY4MPy3SBgQ5Xp
+cs5vOFwW97jM6YfByqjx4+7qTBqOaLMXBbeJ3LIwQyJirpqHZzlsOscchxCjcMAM
+POBGmWjpdOqULoLlwX9EFhBA2rEZB1iamgbUJ5M5eRNEubm8xR6Baw/0ORz/tt+t
+xC9jxcjHoJnOFV0ss7Xs3d32PqhvKGgBxjVLZyq3zD/rMG2xXVyKPU46zelMCP1U
+dsM62tL1cwAi4soka02GQrP/rwBhHt22bJMN4gNs5NSvhTdjjgwVYzLu63IFYBvW
+8sFmiZI=
 -----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/ipsec.d/certs/carolCert.pem
index 2990d6a12..69e5c05e3 100644
--- a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/ipsec.d/certs/carolCert.pem
+++ b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/ipsec.d/certs/carolCert.pem
@@ -1,25 +1,25 @@
 -----BEGIN CERTIFICATE-----
-MIIELDCCAxSgAwIBAgIBATANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJDSDEZ
+MIIELDCCAxSgAwIBAgIBBjANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS
-BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTA1MDMyMzA3MDQyM1oXDTEwMDMyMjA3MDQy
-M1owWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP
+BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTEwMDQwNzA5MjA1N1oXDTE1MDQwNjA5MjA1
+N1owWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP
 BgNVBAsTCFJlc2VhcmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCC
-ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM+oTiV7lCh1ID41edDUgUjR
-dZwEMPBAM1xDqoxJxIJpug8UIuuUL0TvQnZ4Z5fa/9QNNCkQ7FDh8ZcR+TT8x0mO
-dYYA73mMQic0n4O57F+s/lESKvIoN+vIDR3rGJBv9rYztS4ODE+DJl9XK9TtId5u
-57jfXu/k3IYl5GeQ3f+ic2l2Ola70t70Op6cFDZIhOCjs2xWw2yqGdPWODaN/Enw
-5fOLv/om+7HHB4KgPGv4p4ohWIUCo2XK597Ii+jB2MdOUlG83/1aX7+M+IeYVwjI
-hzWjwRQfMz0AQha0HYN4cvrZ7stUluMxewsCROCBzcGQYTZxYU4FjR8nhH4ApYMC
-AwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSL
-qNn96rsWg0kOJY/cyXD2JpnPIjBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOio9tKOkESjZumThDvt1aFy
+dPDPNAhNrIon8aCvZMxFQBXsams1LOL47UKQEeOJcDUQ1s90P05vAwX+TwOA2nBD
+hgVBe8c+RsBRfERmxcszK7dgj5yrjwbJFrUJPem04KEPnrR7LpT5s7+z1n+pZYr9
+HyJTvYJd3c968frowQW98mgEJG9xs2LfaqTV3RES1B9vIeQGWh64DSrF6Xy/HY+n
+3MeSMGZ3UJoXS6YZIxvGNd7heB/2xxv3Vv0TNyGikmP8Z5ibgN5jn7mQkU9SM9Qz
+Qb2ZY1m3Dn93cbJ5w3AXeClhJhoze6UvhVs4e/ASuJb6b9NLML4eB0BMCZD66Y8C
+AwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBTE
+AO+W2V1eu0sjCQcfemzz9lSRvTBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p
 891UIKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3
-YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBDDAfBgNVHREEGDAWgRRj
+YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBIDAfBgNVHREEGDAWgRRj
 YXJvbEBzdHJvbmdzd2FuLm9yZzA3BgNVHR8EMDAuMCygKqAohiZodHRwOi8vY3Js
-LnN0cm9uZ3N3YW4ub3JnL3Jlc2VhcmNoLmNybDANBgkqhkiG9w0BAQUFAAOCAQEA
-FNPepmta0ac9TWe7Gl31fKkuf6ZiQftMwx/uq6PoX9PBVGeooktJMo+EiROQhL3N
-Zomtl2nLfxYruXPHa7YaMWyv4+3NkV9p7jseC1K/2lCXipY4Vp8u14hqlRLCTejp
-7uC/0+628e+qXlCm8wafDb9/JXzQar7rADhoLp7gJKI2PKMAzLUP2xZVzY5zx57G
-+OCR/ZXonVeAPy9/0g9N8uQzJEXOVZYMjsoRra9rdlvnY1DgDoAK7QvJMC4VzENm
-wKmz2rPrBlKaEcivubg7dwPMGNmb3f7F7w0HHuRbQd5Y0nDfEWBKCp0bVx1GLc7/
-MWjwPJs52qVJ3Ph++EF6bw==
+LnN0cm9uZ3N3YW4ub3JnL3Jlc2VhcmNoLmNybDANBgkqhkiG9w0BAQsFAAOCAQEA
+ajgFI8Kz611i0Ihu8+M1C2W1kFbL4EoYyon3trjRZ3Iqz6ksf9KSKCS6Fiylq4DG
+il0mtMtlP+HKcXzRgSY96M4CO73w26liwmZsFBNaZKI/5vKRPPLyU9raGshfpBeC
+CywZ4vcb+EViIPstzOYiK5y/1tSGsMEdnlX2JZsJAKhbLRTmC02O3MbGGBQQq1eU
+n1xkR8pndTWTJmFZ61fZlUMSwLgLF9/VchAa7cIdEA044OCtTdabiYoyLFmqDutq
+8GYvWOzLf2qOKcRxkHxPfeJDrWOLePEYnaMkSBkUKAUIkI+LaJbWF3ASTGgHqh2/
+pwU12A3BovJKUaR0B7Uy2A==
 -----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/ipsec.d/private/carolKey.pem
index b91f9bf81..53e18680b 100644
--- a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/ipsec.d/private/carolKey.pem
+++ b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/ipsec.d/private/carolKey.pem
@@ -1,27 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEogIBAAKCAQEAz6hOJXuUKHUgPjV50NSBSNF1nAQw8EAzXEOqjEnEgmm6DxQi
-65QvRO9Cdnhnl9r/1A00KRDsUOHxlxH5NPzHSY51hgDveYxCJzSfg7nsX6z+URIq
-8ig368gNHesYkG/2tjO1Lg4MT4MmX1cr1O0h3m7nuN9e7+TchiXkZ5Dd/6JzaXY6
-VrvS3vQ6npwUNkiE4KOzbFbDbKoZ09Y4No38SfDl84u/+ib7sccHgqA8a/iniiFY
-hQKjZcrn3siL6MHYx05SUbzf/Vpfv4z4h5hXCMiHNaPBFB8zPQBCFrQdg3hy+tnu
-y1SW4zF7CwJE4IHNwZBhNnFhTgWNHyeEfgClgwIDAQABAoIBAHXoftbRoIKIXtJz
-0sM8plwOctUvnAoOqhsNYN1fVXEnTzoYmOtirKRbpkVWgJu9Ad4J0UAwF76lTGQX
-FIV9sjqV5S09grxlY3qXaquE+i4pMA4gXro5E+eRI8GFJ+F7cX5rRcjsuRi8wyEH
-gh/YtY5zMqfKTUGxlXWmNlaH70WilianuMPNXwaKgyBGcfZdheyUggM0rYEJrG1Z
-PZqNo0JKfeI4htpENDp0k1xJ9lCjIqdNw0ZjBi+pL6hF5PYaPjlVC2yn5CzRaT1D
-nUeKUK+SVES4sPrEQtaOlk86uZC4pIz5IlEoSvaw/Yo3Gk1sQKIQMMh1crhHd0El
-U831KwECgYEA7fQY+aFk3fHabwgf9gjuPKgwetVQ8jNDWUiSqffHUC0AQfKZQQsF
-mXJeSRZomPCWG3DRz1EcqXr9f82bN295I0CI6foXZgKUmjed7Bohc0HvUqNOi2qm
-MdbdWBOaH4RBzi1fAENJZnprmq65jQ/tkfCwqIz4KaLt+8xiWmU2h6ECgYEA32gB
-UbCzs1LoJC03uGHqZFRWK/YNKOKBUw58XCnzPTA+34UupI88lPj8LD269tDtruRy
-G7wt4HjayPKtK430nKAl01IXq6ULBTByu3KrCOm/gTAycVMj4ZimTn7Qu9jyv4Lz
-Ka3rBQxB+yQWfn27dc7U+EBsA7PT53NR6Zl8CqMCgYALJYod93+AHho7ZUgKAHUY
-hlBvEJsQHXKkNhAYwjCmAtWmQTUIpPmILKFaDyCrOWnusyRA7+3FyqshV4JT4Hbu
-PdGsFDkQYEKRztUpADhc69PILTo6sa5DW2tW+uQXYdyrSdjPbFd943Iy9sheYUah
-tYKxApmFacp4JyTcUy1wwQKBgA44xLy6jvX/dR+4cS+frBgu9j1eMIBFyw3Kgkgr
-s3xVserww4NeSvEA2KzIUTqdGkRj7o+tbw43I1ZffH6lTskZuM63DyKyIv11lBgy
-uIicuMA0nUFxlXsrCIs+r3MF4I4oe+pPVALCQQEHzxbGUkSxogUbtMSXkgnN4Y0J
-ZEgZAoGAfo0nv/IeKi0KkKiPTQSGVWGAQyCpGE0UQ2RYYToT84kjXs+LrVGFH2lu
-LJvyYnSnM7eKqCFKh+kLQ3bezum56y5XTyAEipTmu7Lhp0CiVjSdnu+0QykmhKsx
-Z17Ut2ryGKOXySnlMNual4eCLq98o0iOcYPq08V6x33dhK7Z3kU=
+MIIEpQIBAAKCAQEA6Kj20o6QRKNm6ZOEO+3VoXJ08M80CE2siifxoK9kzEVAFexq
+azUs4vjtQpAR44lwNRDWz3Q/Tm8DBf5PA4DacEOGBUF7xz5GwFF8RGbFyzMrt2CP
+nKuPBskWtQk96bTgoQ+etHsulPmzv7PWf6lliv0fIlO9gl3dz3rx+ujBBb3yaAQk
+b3GzYt9qpNXdERLUH28h5AZaHrgNKsXpfL8dj6fcx5IwZndQmhdLphkjG8Y13uF4
+H/bHG/dW/RM3IaKSY/xnmJuA3mOfuZCRT1Iz1DNBvZljWbcOf3dxsnnDcBd4KWEm
+GjN7pS+FWzh78BK4lvpv00swvh4HQEwJkPrpjwIDAQABAoIBAQCGhpwg5znX1jt9
+N0SwejaaIVoom0ZUvsTTJYF7Da9UxX3mr0phLuADZTea0z7kt+VfaZsrXOX17g5r
+er4pImorm390roZpkELMlNEro9keQzo1z+l6B2Ct5bvxdaSM638u4Z88cDVhAnjC
+kbOnIUWLdgx4hr7/EFNe0pH0KHzjWfS4YMUXZFYER3W+lQ68j3U/iFdCsMdABrLV
+BnKozAUOWTHeZc+8Ca0MFWChrj9b2DCs2M0ASgAx5s9CNo1dIbqwJmb7OLlwm3G+
+Xx0JzN7eOOZdiFSPcyNoRwE6rKvrs2GtQ9LqWdkvVEuFjyIkl97cnoOkRIj5bAvN
+DfjfjmeBAoGBAP9rdEPjprVbEeAS+acLc/6oWlGqo23nO31IuUWHT10yxf0E5FIp
+waLJchqT+jD5tYehfZ1+OVtYiWWKBJIXnVK+a4rc/GIRWX/BRHMtWeenv7wR72pt
+1GRxp7yTZtj1AeJhuXcSHpntAo0kG6gHC/+FvbrNgyuSYn9siIa+C5RhAoGBAOkw
+RgOX7hXYzOSATbKZcnNFdPECYaBDjXV/Rcg966Ng4UcxWl3vJRYf3A55ehmc2Jdm
+CSqt6CrsR/RxKrljsCe7gD/GGEktV7fknnXC5Bfx3hUXQ4rATLx8xwlae+wc+ANM
+eaY1HB0KOGGGH2kT4l4UFChgnfpZN+vpel/cFkPvAoGBAJPqZZVfQ87o44wxUPSl
+FFKYql17BVQDQhdGw0x5lMNzQOdLKvJODj44jOTJZ21vXuoh4n4PeCXnOwJbkFQO
+auRdNChh26LrSzpJ8VsGG3elVMsUU+L9oa9dhncVoczo7mNslpxXGPOpJv4XuBBx
+rEgY6oxAscLM7k++yb3GVyxhAoGBAMK6lT0a+q8zxKZsnnWuvmyUa/t3SZ9TyiV8
+iwGU89oTZQzWoegfdJDtOg68UsJgwF5tzundICv39H6kolD+dnQ3l/mpq04wlzfx
+qoIcpe15BUQHkVelDm+4o12kOigKaPIYQt4RK9D0X/DQ2BofiMGXct3lEQemyZQv
+/Qlf+RfxAoGABBRf9DcyA/RdmTszqebfPPNmx7iHaNbrZ3Xbvyv3P5LkzXlFLTvA
+hDz/UqnVM7Bwe1OGeJYkXfmijRjpJ+U8dteb2YzZ3tnlzKwifz+051/LcjavX9X2
+5PuEB2Y65V0OWImIFVlLnp3MRyE4bImveBliWrTRQUVsxQt2WIDgThw=
 -----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/strongswan.conf
index 572cf39cb..dd2df0670 100644
--- a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/ipsec.d/cacerts/salesCert.pem b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/ipsec.d/cacerts/salesCert.pem
index e50477872..a10a18cba 100644
--- a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/ipsec.d/cacerts/salesCert.pem
+++ b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/ipsec.d/cacerts/salesCert.pem
@@ -1,7 +1,7 @@
 -----BEGIN CERTIFICATE-----
-MIIDuzCCAqOgAwIBAgIBDTANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJDSDEZ
+MIIDuzCCAqOgAwIBAgIBITANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA1MDMyMzA2MjkxNloXDTE0MDMyMTA2MjkxNlowSzELMAkGA1UE
+b290IENBMB4XDTEwMDQwNjA5NTQzM1oXDTE5MDQwNDA5NTQzM1owSzELMAkGA1UE
 BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsTBVNhbGVz
 MREwDwYDVQQDEwhTYWxlcyBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
 ggEBAMJOTSaZjDe5UR+hJbodcE40WBxWm+r0FiD+FLc2c0hH/QcWm1Xfqnc9qaPP
@@ -13,10 +13,10 @@ vPAqzrekOI/RV9Hre9L1r8X1dIECAwEAAaOBrzCBrDAPBgNVHRMBAf8EBTADAQH/
 MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUX5sTRvkgcsgA1Yi1p0wul+oLkygwbQYD
 VR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNI
 MRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2Fu
-IFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQEFBQADggEBAJ7j3X20Q8ICJ2e+iUCpVUIV
-8RudUeHt9qjSXalohuxxhegL5vu7I9Gx0H56RE4glOjLMCb1xqVZ55Odxx14pHaZ
-9iMnQFpgzi96exYAmBKYCHl4IFix2hrTqTWSJhEO+o+PXnQTgcfG43GQepk0qAQr
-iZZy8OWiUhHSJQLJtTMm4rnYjgPn+sLwx7hCPDZpHTZocETDars7wTiVkodCbeEU
-uKahAbq4b6MvvC3+7quvwoEpAEStT7+Yml+QuK/jKmhjX0hcQcw4ZWi+m32RjUAv
-xDJGEvBqV2hyrzRqwh4lVNJEBba5X+QB3N6a0So6BENaJrUM3v8EDaS2KLUWyu0=
+IFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQELBQADggEBACRlTqXMjHy7r7rWnq/09yFn
+Td6d+y6KkHj9kvYSA5q7xYdmP3I4+YP2qpPnYjSeyfMCl4ZIyMXnfUbz5OvuXp4S
+CS0gIUJ6mK6+5f1a3USdB4Ce0Od4mkUIQmLzKFCRSqdhWoVzNJrl+BT1a5d9+aLW
+AL5S2pqUoQPgG64MPghy3SyUb4qBeplk3JdR/6OgA5LQeNtLiI7Y/dbMM2Rvn284
+RIIxp2TqN2Hup6BNLHv6fLixdJpM+nG7ZjGYf+7dnuY6ZDhvIt18zr/2n1ELBQPh
+M5SjYhGQIZVmNzNDrKGVAKta5LG8BwBGi0uXc9fBXWRcffI3N1/IZj/ob5t3WCg=
 -----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/ipsec.d/certs/daveCert.pem
index b76032480..91df37a81 100644
--- a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/ipsec.d/certs/daveCert.pem
+++ b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/ipsec.d/certs/daveCert.pem
@@ -1,24 +1,24 @@
 -----BEGIN CERTIFICATE-----
-MIIEHDCCAwSgAwIBAgIBATANBgkqhkiG9w0BAQUFADBLMQswCQYDVQQGEwJDSDEZ
+MIIEHDCCAwSgAwIBAgIBBTANBgkqhkiG9w0BAQsFADBLMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEOMAwGA1UECxMFU2FsZXMxETAPBgNV
-BAMTCFNhbGVzIENBMB4XDTA1MDMyMzA3MTAxN1oXDTEwMDMyMjA3MTAxN1owVjEL
+BAMTCFNhbGVzIENBMB4XDTEwMDQwNzA5NDI0MVoXDTE1MDQwNjA5NDI0MVowVjEL
 MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsT
 BVNhbGVzMRwwGgYDVQQDFBNkYXZlQHN0cm9uZ3N3YW4ub3JnMIIBIjANBgkqhkiG
-9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyqAR0itGIuSt/RR8IHjFTLH/lywprmHUw0GS
-zZwo/q4AE4v6OeWRG3JUUg44K40yBwr7zvcsLztRTfbNqlt7o+Hjpo3kz0AMwDo+
-1V42Qkh61VJW1P0NQvkgjiQn+ElSMg1u3uiYCIMAhYMYo2ZMKxHXxRqjU79AVuJN
-P3p8wUpfwReImAy3/n685YbSzWcbPqCfjRH/YrnYS8Ga7m/QzdNfrtxhAWAGow1+
-+eTSMvLXSkQeujU6OCJNOPUNB3nnJ1IoZrQm8wNP8Y5B5HzvOSyFEvNuHFc63gSP
-aSRhuz0gubuMpr1d9Rgjny8JgsfCEbOktlKwnbFeSB8AAgVMjwIDAQABo4H/MIH8
-MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSCy57rUdNRbytUkRGY
-GjmjvXfIszBtBgNVHSMEZjBkgBRfmxNG+SByyADViLWnTC6X6guTKKFJpEcwRTEL
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEAztqGSb3H9Xh6I4xiDkmsN5WRjKnEQfSRZsSi
+0umR7a1jysVvMgLKnmk2hAMJkDTjBXndEemnLiXemxNq4Wp3x0ZgpNWC6y1klZY6
+J7T76/4YhpIIs8HA1+ZiIAEhYCkeqy/ULPk0qa6yK6Ma2FKLEC4wz6OBbjhctqLz
+VsxxKDkLaivnJ16bX8CCNsCq86Ba64m6K1Mpsev5RKnOz0Ey1WwBhgLmipZRgAMH
+K6yPTRaOccvFVrOpi1bfprKXkrCYt6sQoDjbfheZ/tKyW2iJ+WbH0lsA4NbPi1s/
+5/rOIH+16CGfanXiZvZ7NbxLyb8ffPIXFxDTqiS8wFreRZR85wIDAQABo4H/MIH8
+MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBRnEIHshwPhDDGr3xLV
+MnUEbroVIjBtBgNVHSMEZjBkgBRfmxNG+SByyADViLWnTC6X6guTKKFJpEcwRTEL
 MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT
-EnN0cm9uZ1N3YW4gUm9vdCBDQYIBDTAeBgNVHREEFzAVgRNkYXZlQHN0cm9uZ3N3
+EnN0cm9uZ1N3YW4gUm9vdCBDQYIBITAeBgNVHREEFzAVgRNkYXZlQHN0cm9uZ3N3
 YW4ub3JnMDQGA1UdHwQtMCswKaAnoCWGI2h0dHA6Ly9jcmwuc3Ryb25nc3dhbi5v
-cmcvc2FsZXMuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQB+BknSxFKaDhbRVobOAU2P
-p9cirkVCitoZrvK2QIS/7WRoqy85RQ+zorJb3jyTxQl4Pu9Qrap9Zn0H8GQXGlQw
-ZJqdDqRaIa4nCc57qP5DsuQKIQRxc1QMCiWyIRAESn+r8IbxLbjvEd7ZXNsieip6
-Q15uUZldjTveHVi89i9oFWS1nWo4SV+tJaEqPBvsTZZKBPAEu6+7lRzbJ4ukzRsA
-DjuvmaPNUTyf21fD66I4sgrwgxoPhZ7r6qsqISJ5f0EzTXgYNi1yk/TXoAaot3c/
-Gu5+iyO/espV6kPADSOzPSFwsGHYG4kXi1VY0Z7x6UnjQSdEelOBplJ5XYDzEn4+
+cmcvc2FsZXMuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQB5H5jjp9LvEDyJp/3x7Caq
+OhIBSl5n3g7Oi1gXT5GHLBh9/l5i6Swk1eey2oMzpHgsdDogLytlvzRKXupJAZt5
+xWab5I7BfichRCV4bOutN/F8DiNChG0SnYEBizRi5K06LAadtDT0NLv7iE/I49Nb
+E8OdqnET1zHq82mbtVZCEzmRe+cmlB7EeECED+GxTOnYLRWeKg+AWIE4/fLN7s0e
+q94lSUtym71LZ9kmMMAHkIyEbblvVIa7k5j4T6j0XwPPcYVMSjogqeze+qbf3EQ+
+JkRlGdzL/17ToLWYnVwkLqQDn6B+RfwnPk2EXndutPrNz6C3Wy7zNNniciAtXAq+
 -----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/ipsec.d/private/daveKey.pem
index 022436de4..86740e86a 100644
--- a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/ipsec.d/private/daveKey.pem
+++ b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/ipsec.d/private/daveKey.pem
@@ -1,27 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEAyqAR0itGIuSt/RR8IHjFTLH/lywprmHUw0GSzZwo/q4AE4v6
-OeWRG3JUUg44K40yBwr7zvcsLztRTfbNqlt7o+Hjpo3kz0AMwDo+1V42Qkh61VJW
-1P0NQvkgjiQn+ElSMg1u3uiYCIMAhYMYo2ZMKxHXxRqjU79AVuJNP3p8wUpfwReI
-mAy3/n685YbSzWcbPqCfjRH/YrnYS8Ga7m/QzdNfrtxhAWAGow1++eTSMvLXSkQe
-ujU6OCJNOPUNB3nnJ1IoZrQm8wNP8Y5B5HzvOSyFEvNuHFc63gSPaSRhuz0gubuM
-pr1d9Rgjny8JgsfCEbOktlKwnbFeSB8AAgVMjwIDAQABAoIBAHKaRFoVpa6Ynpu0
-mVwYUqdFSaVsEgsSRC9HiEuIllsteNeVZSqX4BGhAXYDmttvGauIF9IAVNpF939c
-JwjCg1S2r3aFbLOXq16R0vYFOjUVH3xF/NysX3LQywv6AS1Z8wZiOKIU9eBij8nz
-0tygQFZf2iUeIuB8HFzH1B8iHSuI7qn6hh1Y9Zgx4kWYL9I+WYefbR906xveHVGq
-8VrgHtBAn1WeWg7FoN1VURW0s1bxkiWtpF9x9OMmwK4qR8HSCilss59V1eJrAAR0
-3FGdWwbbGg9hW0adnyDCtoaYW3r0WcXwqklyas4C+dClOpUInn8kZisoghQYT92u
-U2QeDzECgYEA5Rv7+rP9HX1pNd9NQwOyIHztv4jfx60gybioogtCeRZUwPQ3GtXJ
-Q0ouBxCVLdyCImIKcvd2q2b9HZE8tvOHBA/YxofH4miEN5GWA4aL+LcGrxIbxPWs
-MEkxgQwsyK7lWH47fG7eW86LMx0VikFXS1EeeZZS3f3Avaww1uRtXecCgYEA4mhS
-sAClZamGVWQ7VXCHuS4xHn/gPA4TCyoR5l9g9pwregGKxsROQVIFQCDMd9eTtS6B
-oqoUTHdg0TlujHVUojdwHtgDaqDMTk+RXD9qy2Wob9HQVBlIwgijoLb+OjwdoAj7
-1OQx8FmMjAlMmlyJ50e1FnbNJFEJ1EMgV5QxtxkCgYEArdUeyehYy1BFTJ/CIm+i
-bm37gdDbYchlUUivgkuiwvcDlWd2jADbdRfKdofJeIOPpYDXxsUmIATDVfTFqVZ7
-AcT4SCHrskh00SjANqqWdz5/bsQBl96DKBvQ2MYhEJ9K2mrkvZPtWKENEtolZsIO
-9tF0mvJIq7CF1iPY5qNoq88CgYEAoZhELErJwl3U+22my7ydopZNiK9MpJCHFxjX
-3c2Fr36XqWUgX+4MzKJ2DOdcCM1dJ5wh+q/Z/RnXiH2tYaL83SskY19aUOij6eDw
-px68YqAUMHtYbi39uD/iSftSSM5PdsHyvGiDHEFOB0U735Dc/K45mecBVEJi+ZVP
-qDKlqUECgYA1DcGOWM3P3XdB7zKy47LcankMtFZozEOLTUdGJRlmWrLdcRlZPKjt
-/ALripehesp1++VtmttWQJX7uI3gveD07/tSKeMHmIoKappjRTrcaA7Pa5+z/xS/
-UhRmZUFOJwNLzy3jdv5f2c/5SIz6o4Ae3I+Zb+IapHL+lBv146/I5g==
+MIIEpQIBAAKCAQEAztqGSb3H9Xh6I4xiDkmsN5WRjKnEQfSRZsSi0umR7a1jysVv
+MgLKnmk2hAMJkDTjBXndEemnLiXemxNq4Wp3x0ZgpNWC6y1klZY6J7T76/4YhpII
+s8HA1+ZiIAEhYCkeqy/ULPk0qa6yK6Ma2FKLEC4wz6OBbjhctqLzVsxxKDkLaivn
+J16bX8CCNsCq86Ba64m6K1Mpsev5RKnOz0Ey1WwBhgLmipZRgAMHK6yPTRaOccvF
+VrOpi1bfprKXkrCYt6sQoDjbfheZ/tKyW2iJ+WbH0lsA4NbPi1s/5/rOIH+16CGf
+anXiZvZ7NbxLyb8ffPIXFxDTqiS8wFreRZR85wIDAQABAoIBAQCZSpoP1cN0Zvbk
+lykne3NTsdSuEDUvx4VlSj173bnWEBOO9idEQYtUP5Y12GZi5r6ClV+94ZCSA2Bn
+PcmMCTGAjOgb31po3DfZHv4z5Mx4g9I7D8fBJsm5dbKsEwpfz7k5lXVAauGbCaph
+6jp/qxQBRqnHhlzpiH00n6eDYHhPHDoFHe+vGbnjWzJKsvs6EZiXpfJ/WKd1eQah
+sGF7g+9qV5xqwshCBKf25LZ2XjdvZDt78HS4hsSaStnemetK9NVJGJqmLzehQ16m
+RXAr8Ybk9g7/MSFhpwGPGjcqm2/szL4Cs9IMtYSxiroY3QL+DZydG9+K9g5NF7lX
+lbEX9HXRAoGBAOduCSLaoEJsgZathny9kSsBtDmTAuiVZukqRdMjDN2I0kOsRsIw
+CEF1DIvFsX7nfHkKve8+XyTc05y7LTXmX1AEjMgzFel7uy5HjS7AsJZgTippC8g/
+l2jGq+s59zATNZ2el9Q9dbeK2lBdrVy+jqNITdQge9BigFfhWbkAGFRPAoGBAOTQ
+if2+Yrh0zDPO53I6kShehaZvNtPmQxmmhvH4HGMY8EyRajFOSMpV1w3VYDuTA47v
+yol+90BWMY8ZslrXq+Bmwx2ocSc2feyUYcJoOoRL/b+b1lY2Vnog3Hs5BQLsULzH
+dwkEuK8wjjw1g4ksuIMbX/X9nEvJs0xemzh7Ju/pAoGACNI24u82YJHGNroSgDqx
+h9QezHsAB2F6dLS5yJxzZxZJ/W5ZnBk8l1Ig0ksMwuuL4Qk5yB62fa81GapAxOct
+Bt3Fh/P6h9XBgrgTd468rF6rXA549n8GBGZeMy8Ybuqshn9/BgX5sK9INvv7Gafh
+w/ODk+xRC9ZVUgQy6UxJoR0CgYEAybmYjl40xo4iIWK95ZUAuGhsx8iwu6v7aDfK
+LLUiwbMQ11A0IPf1cHyxNf7x8lOwBWoeU43eCZhz5Mcw2KnfW9z9E76W041VAyfl
+7/DX9h7QvQZ0tlj9cHpcJz6jzmns3CG2Lfs9nyXdn/NF3b/Rg7S0qzhFfQN70U5u
+5iKct1ECgYEAmR/0IbYGh1YJ7Z9im44MTSz6H7bTnmIDjM3/+IVydSVgFbzcoVG6
+4sQ5fIViMLtz9PHDRRKbs8TBzpy7C/wC1qRqpq9I17INSQzvm3DpZ2PlR0SeN2dA
+fO9XtkE73cEff/gI7JWOouy/vczizfRemnWlNK5Ui29Fe0QlGC9TyX0=
 -----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/strongswan.conf
index 572cf39cb..dd2df0670 100644
--- a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/moon/etc/strongswan.conf
index 572cf39cb..dd2df0670 100644
--- a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.d/cacerts/researchCert.pem b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.d/cacerts/researchCert.pem
index 154cff654..d53365f78 100644
--- a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.d/cacerts/researchCert.pem
+++ b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.d/cacerts/researchCert.pem
@@ -1,7 +1,7 @@
 -----BEGIN CERTIFICATE-----
-MIIDwTCCAqmgAwIBAgIBDzANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
+MIIDwTCCAqmgAwIBAgIBIDANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA1MDYyMTE5NTgwNloXDTEwMDYyMDE5NTgwNlowUTELMAkGA1UE
+b290IENBMB4XDTEwMDQwNjA5NTM1MFoXDTE5MDQwNDA5NTM1MFowUTELMAkGA1UE
 BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
 cmNoMRQwEgYDVQQDEwtSZXNlYXJjaCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP
 ADCCAQoCggEBALY5sjqm4AdbWKc/T7JahWpy9xtdPbHngBN6lbnpYaHfrxnGsvmD
@@ -13,11 +13,11 @@ C+25IuE8Nq+i3jtBiI8BwBqHY3u2IuflUh9Nc9d/R6vGsRPMHs30X1Ha/m0Ug494
 BTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU53XwoPKtIM3NYCPMx8gPKfPd
 VCAwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNV
 BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJv
-bmdTd2FuIFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQEEBQADggEBAHArS2trQnBoMVcg
-Br3HV78wYsa1MNAQCBAPhKMMd6EziO4FTwgNgecbKXpObX6ErFDgjtVTcLOMTvNX
-fvZoNuPpdcitlgcWjfxZafNbj6j9ClE/rMbGDO64NLhdXuPVkbmic6yXRwGZpTuq
-3CKgTguLvhzIEM47yfonXKaaJcKVPI7nYRZdlJmD4VflYrSUpzB361dCaPpl0AYa
-0zz1+jfBBvlyic/tf+cCngV3f+GlJ4ntZ3gvRjyysHRmYpWBD7xcA8mJzgUiMyi1
-IKeNzydp+tnLfxwetfA/8ptc346me7RktAaASqO9vpS/N78eXyJRthZTKEf/OqVW
-Tfcyi+M=
+bmdTd2FuIFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQELBQADggEBAI1toW0bLcyBXAoy
+FeLKGy4SibcNBZs/roChcwUav0foyLdCYMYFKEeHOLvIsTIjifpY4MPy3SBgQ5Xp
+cs5vOFwW97jM6YfByqjx4+7qTBqOaLMXBbeJ3LIwQyJirpqHZzlsOscchxCjcMAM
+POBGmWjpdOqULoLlwX9EFhBA2rEZB1iamgbUJ5M5eRNEubm8xR6Baw/0ORz/tt+t
+xC9jxcjHoJnOFV0ss7Xs3d32PqhvKGgBxjVLZyq3zD/rMG2xXVyKPU46zelMCP1U
+dsM62tL1cwAi4soka02GQrP/rwBhHt22bJMN4gNs5NSvhTdjjgwVYzLu63IFYBvW
+8sFmiZI=
 -----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.d/certs/carolCert.pem
index 2990d6a12..69e5c05e3 100644
--- a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.d/certs/carolCert.pem
+++ b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.d/certs/carolCert.pem
@@ -1,25 +1,25 @@
 -----BEGIN CERTIFICATE-----
-MIIELDCCAxSgAwIBAgIBATANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJDSDEZ
+MIIELDCCAxSgAwIBAgIBBjANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS
-BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTA1MDMyMzA3MDQyM1oXDTEwMDMyMjA3MDQy
-M1owWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP
+BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTEwMDQwNzA5MjA1N1oXDTE1MDQwNjA5MjA1
+N1owWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP
 BgNVBAsTCFJlc2VhcmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCC
-ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM+oTiV7lCh1ID41edDUgUjR
-dZwEMPBAM1xDqoxJxIJpug8UIuuUL0TvQnZ4Z5fa/9QNNCkQ7FDh8ZcR+TT8x0mO
-dYYA73mMQic0n4O57F+s/lESKvIoN+vIDR3rGJBv9rYztS4ODE+DJl9XK9TtId5u
-57jfXu/k3IYl5GeQ3f+ic2l2Ola70t70Op6cFDZIhOCjs2xWw2yqGdPWODaN/Enw
-5fOLv/om+7HHB4KgPGv4p4ohWIUCo2XK597Ii+jB2MdOUlG83/1aX7+M+IeYVwjI
-hzWjwRQfMz0AQha0HYN4cvrZ7stUluMxewsCROCBzcGQYTZxYU4FjR8nhH4ApYMC
-AwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSL
-qNn96rsWg0kOJY/cyXD2JpnPIjBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOio9tKOkESjZumThDvt1aFy
+dPDPNAhNrIon8aCvZMxFQBXsams1LOL47UKQEeOJcDUQ1s90P05vAwX+TwOA2nBD
+hgVBe8c+RsBRfERmxcszK7dgj5yrjwbJFrUJPem04KEPnrR7LpT5s7+z1n+pZYr9
+HyJTvYJd3c968frowQW98mgEJG9xs2LfaqTV3RES1B9vIeQGWh64DSrF6Xy/HY+n
+3MeSMGZ3UJoXS6YZIxvGNd7heB/2xxv3Vv0TNyGikmP8Z5ibgN5jn7mQkU9SM9Qz
+Qb2ZY1m3Dn93cbJ5w3AXeClhJhoze6UvhVs4e/ASuJb6b9NLML4eB0BMCZD66Y8C
+AwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBTE
+AO+W2V1eu0sjCQcfemzz9lSRvTBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p
 891UIKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3
-YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBDDAfBgNVHREEGDAWgRRj
+YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBIDAfBgNVHREEGDAWgRRj
 YXJvbEBzdHJvbmdzd2FuLm9yZzA3BgNVHR8EMDAuMCygKqAohiZodHRwOi8vY3Js
-LnN0cm9uZ3N3YW4ub3JnL3Jlc2VhcmNoLmNybDANBgkqhkiG9w0BAQUFAAOCAQEA
-FNPepmta0ac9TWe7Gl31fKkuf6ZiQftMwx/uq6PoX9PBVGeooktJMo+EiROQhL3N
-Zomtl2nLfxYruXPHa7YaMWyv4+3NkV9p7jseC1K/2lCXipY4Vp8u14hqlRLCTejp
-7uC/0+628e+qXlCm8wafDb9/JXzQar7rADhoLp7gJKI2PKMAzLUP2xZVzY5zx57G
-+OCR/ZXonVeAPy9/0g9N8uQzJEXOVZYMjsoRra9rdlvnY1DgDoAK7QvJMC4VzENm
-wKmz2rPrBlKaEcivubg7dwPMGNmb3f7F7w0HHuRbQd5Y0nDfEWBKCp0bVx1GLc7/
-MWjwPJs52qVJ3Ph++EF6bw==
+LnN0cm9uZ3N3YW4ub3JnL3Jlc2VhcmNoLmNybDANBgkqhkiG9w0BAQsFAAOCAQEA
+ajgFI8Kz611i0Ihu8+M1C2W1kFbL4EoYyon3trjRZ3Iqz6ksf9KSKCS6Fiylq4DG
+il0mtMtlP+HKcXzRgSY96M4CO73w26liwmZsFBNaZKI/5vKRPPLyU9raGshfpBeC
+CywZ4vcb+EViIPstzOYiK5y/1tSGsMEdnlX2JZsJAKhbLRTmC02O3MbGGBQQq1eU
+n1xkR8pndTWTJmFZ61fZlUMSwLgLF9/VchAa7cIdEA044OCtTdabiYoyLFmqDutq
+8GYvWOzLf2qOKcRxkHxPfeJDrWOLePEYnaMkSBkUKAUIkI+LaJbWF3ASTGgHqh2/
+pwU12A3BovJKUaR0B7Uy2A==
 -----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.d/private/carolKey.pem
index b91f9bf81..53e18680b 100644
--- a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.d/private/carolKey.pem
+++ b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.d/private/carolKey.pem
@@ -1,27 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEogIBAAKCAQEAz6hOJXuUKHUgPjV50NSBSNF1nAQw8EAzXEOqjEnEgmm6DxQi
-65QvRO9Cdnhnl9r/1A00KRDsUOHxlxH5NPzHSY51hgDveYxCJzSfg7nsX6z+URIq
-8ig368gNHesYkG/2tjO1Lg4MT4MmX1cr1O0h3m7nuN9e7+TchiXkZ5Dd/6JzaXY6
-VrvS3vQ6npwUNkiE4KOzbFbDbKoZ09Y4No38SfDl84u/+ib7sccHgqA8a/iniiFY
-hQKjZcrn3siL6MHYx05SUbzf/Vpfv4z4h5hXCMiHNaPBFB8zPQBCFrQdg3hy+tnu
-y1SW4zF7CwJE4IHNwZBhNnFhTgWNHyeEfgClgwIDAQABAoIBAHXoftbRoIKIXtJz
-0sM8plwOctUvnAoOqhsNYN1fVXEnTzoYmOtirKRbpkVWgJu9Ad4J0UAwF76lTGQX
-FIV9sjqV5S09grxlY3qXaquE+i4pMA4gXro5E+eRI8GFJ+F7cX5rRcjsuRi8wyEH
-gh/YtY5zMqfKTUGxlXWmNlaH70WilianuMPNXwaKgyBGcfZdheyUggM0rYEJrG1Z
-PZqNo0JKfeI4htpENDp0k1xJ9lCjIqdNw0ZjBi+pL6hF5PYaPjlVC2yn5CzRaT1D
-nUeKUK+SVES4sPrEQtaOlk86uZC4pIz5IlEoSvaw/Yo3Gk1sQKIQMMh1crhHd0El
-U831KwECgYEA7fQY+aFk3fHabwgf9gjuPKgwetVQ8jNDWUiSqffHUC0AQfKZQQsF
-mXJeSRZomPCWG3DRz1EcqXr9f82bN295I0CI6foXZgKUmjed7Bohc0HvUqNOi2qm
-MdbdWBOaH4RBzi1fAENJZnprmq65jQ/tkfCwqIz4KaLt+8xiWmU2h6ECgYEA32gB
-UbCzs1LoJC03uGHqZFRWK/YNKOKBUw58XCnzPTA+34UupI88lPj8LD269tDtruRy
-G7wt4HjayPKtK430nKAl01IXq6ULBTByu3KrCOm/gTAycVMj4ZimTn7Qu9jyv4Lz
-Ka3rBQxB+yQWfn27dc7U+EBsA7PT53NR6Zl8CqMCgYALJYod93+AHho7ZUgKAHUY
-hlBvEJsQHXKkNhAYwjCmAtWmQTUIpPmILKFaDyCrOWnusyRA7+3FyqshV4JT4Hbu
-PdGsFDkQYEKRztUpADhc69PILTo6sa5DW2tW+uQXYdyrSdjPbFd943Iy9sheYUah
-tYKxApmFacp4JyTcUy1wwQKBgA44xLy6jvX/dR+4cS+frBgu9j1eMIBFyw3Kgkgr
-s3xVserww4NeSvEA2KzIUTqdGkRj7o+tbw43I1ZffH6lTskZuM63DyKyIv11lBgy
-uIicuMA0nUFxlXsrCIs+r3MF4I4oe+pPVALCQQEHzxbGUkSxogUbtMSXkgnN4Y0J
-ZEgZAoGAfo0nv/IeKi0KkKiPTQSGVWGAQyCpGE0UQ2RYYToT84kjXs+LrVGFH2lu
-LJvyYnSnM7eKqCFKh+kLQ3bezum56y5XTyAEipTmu7Lhp0CiVjSdnu+0QykmhKsx
-Z17Ut2ryGKOXySnlMNual4eCLq98o0iOcYPq08V6x33dhK7Z3kU=
+MIIEpQIBAAKCAQEA6Kj20o6QRKNm6ZOEO+3VoXJ08M80CE2siifxoK9kzEVAFexq
+azUs4vjtQpAR44lwNRDWz3Q/Tm8DBf5PA4DacEOGBUF7xz5GwFF8RGbFyzMrt2CP
+nKuPBskWtQk96bTgoQ+etHsulPmzv7PWf6lliv0fIlO9gl3dz3rx+ujBBb3yaAQk
+b3GzYt9qpNXdERLUH28h5AZaHrgNKsXpfL8dj6fcx5IwZndQmhdLphkjG8Y13uF4
+H/bHG/dW/RM3IaKSY/xnmJuA3mOfuZCRT1Iz1DNBvZljWbcOf3dxsnnDcBd4KWEm
+GjN7pS+FWzh78BK4lvpv00swvh4HQEwJkPrpjwIDAQABAoIBAQCGhpwg5znX1jt9
+N0SwejaaIVoom0ZUvsTTJYF7Da9UxX3mr0phLuADZTea0z7kt+VfaZsrXOX17g5r
+er4pImorm390roZpkELMlNEro9keQzo1z+l6B2Ct5bvxdaSM638u4Z88cDVhAnjC
+kbOnIUWLdgx4hr7/EFNe0pH0KHzjWfS4YMUXZFYER3W+lQ68j3U/iFdCsMdABrLV
+BnKozAUOWTHeZc+8Ca0MFWChrj9b2DCs2M0ASgAx5s9CNo1dIbqwJmb7OLlwm3G+
+Xx0JzN7eOOZdiFSPcyNoRwE6rKvrs2GtQ9LqWdkvVEuFjyIkl97cnoOkRIj5bAvN
+DfjfjmeBAoGBAP9rdEPjprVbEeAS+acLc/6oWlGqo23nO31IuUWHT10yxf0E5FIp
+waLJchqT+jD5tYehfZ1+OVtYiWWKBJIXnVK+a4rc/GIRWX/BRHMtWeenv7wR72pt
+1GRxp7yTZtj1AeJhuXcSHpntAo0kG6gHC/+FvbrNgyuSYn9siIa+C5RhAoGBAOkw
+RgOX7hXYzOSATbKZcnNFdPECYaBDjXV/Rcg966Ng4UcxWl3vJRYf3A55ehmc2Jdm
+CSqt6CrsR/RxKrljsCe7gD/GGEktV7fknnXC5Bfx3hUXQ4rATLx8xwlae+wc+ANM
+eaY1HB0KOGGGH2kT4l4UFChgnfpZN+vpel/cFkPvAoGBAJPqZZVfQ87o44wxUPSl
+FFKYql17BVQDQhdGw0x5lMNzQOdLKvJODj44jOTJZ21vXuoh4n4PeCXnOwJbkFQO
+auRdNChh26LrSzpJ8VsGG3elVMsUU+L9oa9dhncVoczo7mNslpxXGPOpJv4XuBBx
+rEgY6oxAscLM7k++yb3GVyxhAoGBAMK6lT0a+q8zxKZsnnWuvmyUa/t3SZ9TyiV8
+iwGU89oTZQzWoegfdJDtOg68UsJgwF5tzundICv39H6kolD+dnQ3l/mpq04wlzfx
+qoIcpe15BUQHkVelDm+4o12kOigKaPIYQt4RK9D0X/DQ2BofiMGXct3lEQemyZQv
+/Qlf+RfxAoGABBRf9DcyA/RdmTszqebfPPNmx7iHaNbrZ3Xbvyv3P5LkzXlFLTvA
+hDz/UqnVM7Bwe1OGeJYkXfmijRjpJ+U8dteb2YzZ3tnlzKwifz+051/LcjavX9X2
+5PuEB2Y65V0OWImIFVlLnp3MRyE4bImveBliWrTRQUVsxQt2WIDgThw=
 -----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/strongswan.conf
index 572cf39cb..dd2df0670 100644
--- a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.d/cacerts/salesCert.pem b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.d/cacerts/salesCert.pem
index e50477872..a10a18cba 100644
--- a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.d/cacerts/salesCert.pem
+++ b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.d/cacerts/salesCert.pem
@@ -1,7 +1,7 @@
 -----BEGIN CERTIFICATE-----
-MIIDuzCCAqOgAwIBAgIBDTANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJDSDEZ
+MIIDuzCCAqOgAwIBAgIBITANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA1MDMyMzA2MjkxNloXDTE0MDMyMTA2MjkxNlowSzELMAkGA1UE
+b290IENBMB4XDTEwMDQwNjA5NTQzM1oXDTE5MDQwNDA5NTQzM1owSzELMAkGA1UE
 BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsTBVNhbGVz
 MREwDwYDVQQDEwhTYWxlcyBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
 ggEBAMJOTSaZjDe5UR+hJbodcE40WBxWm+r0FiD+FLc2c0hH/QcWm1Xfqnc9qaPP
@@ -13,10 +13,10 @@ vPAqzrekOI/RV9Hre9L1r8X1dIECAwEAAaOBrzCBrDAPBgNVHRMBAf8EBTADAQH/
 MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUX5sTRvkgcsgA1Yi1p0wul+oLkygwbQYD
 VR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNI
 MRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2Fu
-IFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQEFBQADggEBAJ7j3X20Q8ICJ2e+iUCpVUIV
-8RudUeHt9qjSXalohuxxhegL5vu7I9Gx0H56RE4glOjLMCb1xqVZ55Odxx14pHaZ
-9iMnQFpgzi96exYAmBKYCHl4IFix2hrTqTWSJhEO+o+PXnQTgcfG43GQepk0qAQr
-iZZy8OWiUhHSJQLJtTMm4rnYjgPn+sLwx7hCPDZpHTZocETDars7wTiVkodCbeEU
-uKahAbq4b6MvvC3+7quvwoEpAEStT7+Yml+QuK/jKmhjX0hcQcw4ZWi+m32RjUAv
-xDJGEvBqV2hyrzRqwh4lVNJEBba5X+QB3N6a0So6BENaJrUM3v8EDaS2KLUWyu0=
+IFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQELBQADggEBACRlTqXMjHy7r7rWnq/09yFn
+Td6d+y6KkHj9kvYSA5q7xYdmP3I4+YP2qpPnYjSeyfMCl4ZIyMXnfUbz5OvuXp4S
+CS0gIUJ6mK6+5f1a3USdB4Ce0Od4mkUIQmLzKFCRSqdhWoVzNJrl+BT1a5d9+aLW
+AL5S2pqUoQPgG64MPghy3SyUb4qBeplk3JdR/6OgA5LQeNtLiI7Y/dbMM2Rvn284
+RIIxp2TqN2Hup6BNLHv6fLixdJpM+nG7ZjGYf+7dnuY6ZDhvIt18zr/2n1ELBQPh
+M5SjYhGQIZVmNzNDrKGVAKta5LG8BwBGi0uXc9fBXWRcffI3N1/IZj/ob5t3WCg=
 -----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.d/certs/daveCert.pem
index b76032480..91df37a81 100644
--- a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.d/certs/daveCert.pem
+++ b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.d/certs/daveCert.pem
@@ -1,24 +1,24 @@
 -----BEGIN CERTIFICATE-----
-MIIEHDCCAwSgAwIBAgIBATANBgkqhkiG9w0BAQUFADBLMQswCQYDVQQGEwJDSDEZ
+MIIEHDCCAwSgAwIBAgIBBTANBgkqhkiG9w0BAQsFADBLMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEOMAwGA1UECxMFU2FsZXMxETAPBgNV
-BAMTCFNhbGVzIENBMB4XDTA1MDMyMzA3MTAxN1oXDTEwMDMyMjA3MTAxN1owVjEL
+BAMTCFNhbGVzIENBMB4XDTEwMDQwNzA5NDI0MVoXDTE1MDQwNjA5NDI0MVowVjEL
 MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsT
 BVNhbGVzMRwwGgYDVQQDFBNkYXZlQHN0cm9uZ3N3YW4ub3JnMIIBIjANBgkqhkiG
-9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyqAR0itGIuSt/RR8IHjFTLH/lywprmHUw0GS
-zZwo/q4AE4v6OeWRG3JUUg44K40yBwr7zvcsLztRTfbNqlt7o+Hjpo3kz0AMwDo+
-1V42Qkh61VJW1P0NQvkgjiQn+ElSMg1u3uiYCIMAhYMYo2ZMKxHXxRqjU79AVuJN
-P3p8wUpfwReImAy3/n685YbSzWcbPqCfjRH/YrnYS8Ga7m/QzdNfrtxhAWAGow1+
-+eTSMvLXSkQeujU6OCJNOPUNB3nnJ1IoZrQm8wNP8Y5B5HzvOSyFEvNuHFc63gSP
-aSRhuz0gubuMpr1d9Rgjny8JgsfCEbOktlKwnbFeSB8AAgVMjwIDAQABo4H/MIH8
-MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSCy57rUdNRbytUkRGY
-GjmjvXfIszBtBgNVHSMEZjBkgBRfmxNG+SByyADViLWnTC6X6guTKKFJpEcwRTEL
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEAztqGSb3H9Xh6I4xiDkmsN5WRjKnEQfSRZsSi
+0umR7a1jysVvMgLKnmk2hAMJkDTjBXndEemnLiXemxNq4Wp3x0ZgpNWC6y1klZY6
+J7T76/4YhpIIs8HA1+ZiIAEhYCkeqy/ULPk0qa6yK6Ma2FKLEC4wz6OBbjhctqLz
+VsxxKDkLaivnJ16bX8CCNsCq86Ba64m6K1Mpsev5RKnOz0Ey1WwBhgLmipZRgAMH
+K6yPTRaOccvFVrOpi1bfprKXkrCYt6sQoDjbfheZ/tKyW2iJ+WbH0lsA4NbPi1s/
+5/rOIH+16CGfanXiZvZ7NbxLyb8ffPIXFxDTqiS8wFreRZR85wIDAQABo4H/MIH8
+MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBRnEIHshwPhDDGr3xLV
+MnUEbroVIjBtBgNVHSMEZjBkgBRfmxNG+SByyADViLWnTC6X6guTKKFJpEcwRTEL
 MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT
-EnN0cm9uZ1N3YW4gUm9vdCBDQYIBDTAeBgNVHREEFzAVgRNkYXZlQHN0cm9uZ3N3
+EnN0cm9uZ1N3YW4gUm9vdCBDQYIBITAeBgNVHREEFzAVgRNkYXZlQHN0cm9uZ3N3
 YW4ub3JnMDQGA1UdHwQtMCswKaAnoCWGI2h0dHA6Ly9jcmwuc3Ryb25nc3dhbi5v
-cmcvc2FsZXMuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQB+BknSxFKaDhbRVobOAU2P
-p9cirkVCitoZrvK2QIS/7WRoqy85RQ+zorJb3jyTxQl4Pu9Qrap9Zn0H8GQXGlQw
-ZJqdDqRaIa4nCc57qP5DsuQKIQRxc1QMCiWyIRAESn+r8IbxLbjvEd7ZXNsieip6
-Q15uUZldjTveHVi89i9oFWS1nWo4SV+tJaEqPBvsTZZKBPAEu6+7lRzbJ4ukzRsA
-DjuvmaPNUTyf21fD66I4sgrwgxoPhZ7r6qsqISJ5f0EzTXgYNi1yk/TXoAaot3c/
-Gu5+iyO/espV6kPADSOzPSFwsGHYG4kXi1VY0Z7x6UnjQSdEelOBplJ5XYDzEn4+
+cmcvc2FsZXMuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQB5H5jjp9LvEDyJp/3x7Caq
+OhIBSl5n3g7Oi1gXT5GHLBh9/l5i6Swk1eey2oMzpHgsdDogLytlvzRKXupJAZt5
+xWab5I7BfichRCV4bOutN/F8DiNChG0SnYEBizRi5K06LAadtDT0NLv7iE/I49Nb
+E8OdqnET1zHq82mbtVZCEzmRe+cmlB7EeECED+GxTOnYLRWeKg+AWIE4/fLN7s0e
+q94lSUtym71LZ9kmMMAHkIyEbblvVIa7k5j4T6j0XwPPcYVMSjogqeze+qbf3EQ+
+JkRlGdzL/17ToLWYnVwkLqQDn6B+RfwnPk2EXndutPrNz6C3Wy7zNNniciAtXAq+
 -----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.d/private/daveKey.pem
index 022436de4..86740e86a 100644
--- a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.d/private/daveKey.pem
+++ b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.d/private/daveKey.pem
@@ -1,27 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEAyqAR0itGIuSt/RR8IHjFTLH/lywprmHUw0GSzZwo/q4AE4v6
-OeWRG3JUUg44K40yBwr7zvcsLztRTfbNqlt7o+Hjpo3kz0AMwDo+1V42Qkh61VJW
-1P0NQvkgjiQn+ElSMg1u3uiYCIMAhYMYo2ZMKxHXxRqjU79AVuJNP3p8wUpfwReI
-mAy3/n685YbSzWcbPqCfjRH/YrnYS8Ga7m/QzdNfrtxhAWAGow1++eTSMvLXSkQe
-ujU6OCJNOPUNB3nnJ1IoZrQm8wNP8Y5B5HzvOSyFEvNuHFc63gSPaSRhuz0gubuM
-pr1d9Rgjny8JgsfCEbOktlKwnbFeSB8AAgVMjwIDAQABAoIBAHKaRFoVpa6Ynpu0
-mVwYUqdFSaVsEgsSRC9HiEuIllsteNeVZSqX4BGhAXYDmttvGauIF9IAVNpF939c
-JwjCg1S2r3aFbLOXq16R0vYFOjUVH3xF/NysX3LQywv6AS1Z8wZiOKIU9eBij8nz
-0tygQFZf2iUeIuB8HFzH1B8iHSuI7qn6hh1Y9Zgx4kWYL9I+WYefbR906xveHVGq
-8VrgHtBAn1WeWg7FoN1VURW0s1bxkiWtpF9x9OMmwK4qR8HSCilss59V1eJrAAR0
-3FGdWwbbGg9hW0adnyDCtoaYW3r0WcXwqklyas4C+dClOpUInn8kZisoghQYT92u
-U2QeDzECgYEA5Rv7+rP9HX1pNd9NQwOyIHztv4jfx60gybioogtCeRZUwPQ3GtXJ
-Q0ouBxCVLdyCImIKcvd2q2b9HZE8tvOHBA/YxofH4miEN5GWA4aL+LcGrxIbxPWs
-MEkxgQwsyK7lWH47fG7eW86LMx0VikFXS1EeeZZS3f3Avaww1uRtXecCgYEA4mhS
-sAClZamGVWQ7VXCHuS4xHn/gPA4TCyoR5l9g9pwregGKxsROQVIFQCDMd9eTtS6B
-oqoUTHdg0TlujHVUojdwHtgDaqDMTk+RXD9qy2Wob9HQVBlIwgijoLb+OjwdoAj7
-1OQx8FmMjAlMmlyJ50e1FnbNJFEJ1EMgV5QxtxkCgYEArdUeyehYy1BFTJ/CIm+i
-bm37gdDbYchlUUivgkuiwvcDlWd2jADbdRfKdofJeIOPpYDXxsUmIATDVfTFqVZ7
-AcT4SCHrskh00SjANqqWdz5/bsQBl96DKBvQ2MYhEJ9K2mrkvZPtWKENEtolZsIO
-9tF0mvJIq7CF1iPY5qNoq88CgYEAoZhELErJwl3U+22my7ydopZNiK9MpJCHFxjX
-3c2Fr36XqWUgX+4MzKJ2DOdcCM1dJ5wh+q/Z/RnXiH2tYaL83SskY19aUOij6eDw
-px68YqAUMHtYbi39uD/iSftSSM5PdsHyvGiDHEFOB0U735Dc/K45mecBVEJi+ZVP
-qDKlqUECgYA1DcGOWM3P3XdB7zKy47LcankMtFZozEOLTUdGJRlmWrLdcRlZPKjt
-/ALripehesp1++VtmttWQJX7uI3gveD07/tSKeMHmIoKappjRTrcaA7Pa5+z/xS/
-UhRmZUFOJwNLzy3jdv5f2c/5SIz6o4Ae3I+Zb+IapHL+lBv146/I5g==
+MIIEpQIBAAKCAQEAztqGSb3H9Xh6I4xiDkmsN5WRjKnEQfSRZsSi0umR7a1jysVv
+MgLKnmk2hAMJkDTjBXndEemnLiXemxNq4Wp3x0ZgpNWC6y1klZY6J7T76/4YhpII
+s8HA1+ZiIAEhYCkeqy/ULPk0qa6yK6Ma2FKLEC4wz6OBbjhctqLzVsxxKDkLaivn
+J16bX8CCNsCq86Ba64m6K1Mpsev5RKnOz0Ey1WwBhgLmipZRgAMHK6yPTRaOccvF
+VrOpi1bfprKXkrCYt6sQoDjbfheZ/tKyW2iJ+WbH0lsA4NbPi1s/5/rOIH+16CGf
+anXiZvZ7NbxLyb8ffPIXFxDTqiS8wFreRZR85wIDAQABAoIBAQCZSpoP1cN0Zvbk
+lykne3NTsdSuEDUvx4VlSj173bnWEBOO9idEQYtUP5Y12GZi5r6ClV+94ZCSA2Bn
+PcmMCTGAjOgb31po3DfZHv4z5Mx4g9I7D8fBJsm5dbKsEwpfz7k5lXVAauGbCaph
+6jp/qxQBRqnHhlzpiH00n6eDYHhPHDoFHe+vGbnjWzJKsvs6EZiXpfJ/WKd1eQah
+sGF7g+9qV5xqwshCBKf25LZ2XjdvZDt78HS4hsSaStnemetK9NVJGJqmLzehQ16m
+RXAr8Ybk9g7/MSFhpwGPGjcqm2/szL4Cs9IMtYSxiroY3QL+DZydG9+K9g5NF7lX
+lbEX9HXRAoGBAOduCSLaoEJsgZathny9kSsBtDmTAuiVZukqRdMjDN2I0kOsRsIw
+CEF1DIvFsX7nfHkKve8+XyTc05y7LTXmX1AEjMgzFel7uy5HjS7AsJZgTippC8g/
+l2jGq+s59zATNZ2el9Q9dbeK2lBdrVy+jqNITdQge9BigFfhWbkAGFRPAoGBAOTQ
+if2+Yrh0zDPO53I6kShehaZvNtPmQxmmhvH4HGMY8EyRajFOSMpV1w3VYDuTA47v
+yol+90BWMY8ZslrXq+Bmwx2ocSc2feyUYcJoOoRL/b+b1lY2Vnog3Hs5BQLsULzH
+dwkEuK8wjjw1g4ksuIMbX/X9nEvJs0xemzh7Ju/pAoGACNI24u82YJHGNroSgDqx
+h9QezHsAB2F6dLS5yJxzZxZJ/W5ZnBk8l1Ig0ksMwuuL4Qk5yB62fa81GapAxOct
+Bt3Fh/P6h9XBgrgTd468rF6rXA549n8GBGZeMy8Ybuqshn9/BgX5sK9INvv7Gafh
+w/ODk+xRC9ZVUgQy6UxJoR0CgYEAybmYjl40xo4iIWK95ZUAuGhsx8iwu6v7aDfK
+LLUiwbMQ11A0IPf1cHyxNf7x8lOwBWoeU43eCZhz5Mcw2KnfW9z9E76W041VAyfl
+7/DX9h7QvQZ0tlj9cHpcJz6jzmns3CG2Lfs9nyXdn/NF3b/Rg7S0qzhFfQN70U5u
+5iKct1ECgYEAmR/0IbYGh1YJ7Z9im44MTSz6H7bTnmIDjM3/+IVydSVgFbzcoVG6
+4sQ5fIViMLtz9PHDRRKbs8TBzpy7C/wC1qRqpq9I17INSQzvm3DpZ2PlR0SeN2dA
+fO9XtkE73cEff/gI7JWOouy/vczizfRemnWlNK5Ui29Fe0QlGC9TyX0=
 -----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/strongswan.conf
index 572cf39cb..dd2df0670 100644
--- a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/moon/etc/strongswan.conf
index 572cf39cb..dd2df0670 100644
--- a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/ipsec.d/certs/carolCert.pem
index 2990d6a12..69e5c05e3 100644
--- a/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/ipsec.d/certs/carolCert.pem
+++ b/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/ipsec.d/certs/carolCert.pem
@@ -1,25 +1,25 @@
 -----BEGIN CERTIFICATE-----
-MIIELDCCAxSgAwIBAgIBATANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJDSDEZ
+MIIELDCCAxSgAwIBAgIBBjANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS
-BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTA1MDMyMzA3MDQyM1oXDTEwMDMyMjA3MDQy
-M1owWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP
+BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTEwMDQwNzA5MjA1N1oXDTE1MDQwNjA5MjA1
+N1owWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP
 BgNVBAsTCFJlc2VhcmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCC
-ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM+oTiV7lCh1ID41edDUgUjR
-dZwEMPBAM1xDqoxJxIJpug8UIuuUL0TvQnZ4Z5fa/9QNNCkQ7FDh8ZcR+TT8x0mO
-dYYA73mMQic0n4O57F+s/lESKvIoN+vIDR3rGJBv9rYztS4ODE+DJl9XK9TtId5u
-57jfXu/k3IYl5GeQ3f+ic2l2Ola70t70Op6cFDZIhOCjs2xWw2yqGdPWODaN/Enw
-5fOLv/om+7HHB4KgPGv4p4ohWIUCo2XK597Ii+jB2MdOUlG83/1aX7+M+IeYVwjI
-hzWjwRQfMz0AQha0HYN4cvrZ7stUluMxewsCROCBzcGQYTZxYU4FjR8nhH4ApYMC
-AwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSL
-qNn96rsWg0kOJY/cyXD2JpnPIjBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOio9tKOkESjZumThDvt1aFy
+dPDPNAhNrIon8aCvZMxFQBXsams1LOL47UKQEeOJcDUQ1s90P05vAwX+TwOA2nBD
+hgVBe8c+RsBRfERmxcszK7dgj5yrjwbJFrUJPem04KEPnrR7LpT5s7+z1n+pZYr9
+HyJTvYJd3c968frowQW98mgEJG9xs2LfaqTV3RES1B9vIeQGWh64DSrF6Xy/HY+n
+3MeSMGZ3UJoXS6YZIxvGNd7heB/2xxv3Vv0TNyGikmP8Z5ibgN5jn7mQkU9SM9Qz
+Qb2ZY1m3Dn93cbJ5w3AXeClhJhoze6UvhVs4e/ASuJb6b9NLML4eB0BMCZD66Y8C
+AwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBTE
+AO+W2V1eu0sjCQcfemzz9lSRvTBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p
 891UIKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3
-YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBDDAfBgNVHREEGDAWgRRj
+YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBIDAfBgNVHREEGDAWgRRj
 YXJvbEBzdHJvbmdzd2FuLm9yZzA3BgNVHR8EMDAuMCygKqAohiZodHRwOi8vY3Js
-LnN0cm9uZ3N3YW4ub3JnL3Jlc2VhcmNoLmNybDANBgkqhkiG9w0BAQUFAAOCAQEA
-FNPepmta0ac9TWe7Gl31fKkuf6ZiQftMwx/uq6PoX9PBVGeooktJMo+EiROQhL3N
-Zomtl2nLfxYruXPHa7YaMWyv4+3NkV9p7jseC1K/2lCXipY4Vp8u14hqlRLCTejp
-7uC/0+628e+qXlCm8wafDb9/JXzQar7rADhoLp7gJKI2PKMAzLUP2xZVzY5zx57G
-+OCR/ZXonVeAPy9/0g9N8uQzJEXOVZYMjsoRra9rdlvnY1DgDoAK7QvJMC4VzENm
-wKmz2rPrBlKaEcivubg7dwPMGNmb3f7F7w0HHuRbQd5Y0nDfEWBKCp0bVx1GLc7/
-MWjwPJs52qVJ3Ph++EF6bw==
+LnN0cm9uZ3N3YW4ub3JnL3Jlc2VhcmNoLmNybDANBgkqhkiG9w0BAQsFAAOCAQEA
+ajgFI8Kz611i0Ihu8+M1C2W1kFbL4EoYyon3trjRZ3Iqz6ksf9KSKCS6Fiylq4DG
+il0mtMtlP+HKcXzRgSY96M4CO73w26liwmZsFBNaZKI/5vKRPPLyU9raGshfpBeC
+CywZ4vcb+EViIPstzOYiK5y/1tSGsMEdnlX2JZsJAKhbLRTmC02O3MbGGBQQq1eU
+n1xkR8pndTWTJmFZ61fZlUMSwLgLF9/VchAa7cIdEA044OCtTdabiYoyLFmqDutq
+8GYvWOzLf2qOKcRxkHxPfeJDrWOLePEYnaMkSBkUKAUIkI+LaJbWF3ASTGgHqh2/
+pwU12A3BovJKUaR0B7Uy2A==
 -----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/ipsec.d/private/carolKey.pem
index b91f9bf81..53e18680b 100644
--- a/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/ipsec.d/private/carolKey.pem
+++ b/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/ipsec.d/private/carolKey.pem
@@ -1,27 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEogIBAAKCAQEAz6hOJXuUKHUgPjV50NSBSNF1nAQw8EAzXEOqjEnEgmm6DxQi
-65QvRO9Cdnhnl9r/1A00KRDsUOHxlxH5NPzHSY51hgDveYxCJzSfg7nsX6z+URIq
-8ig368gNHesYkG/2tjO1Lg4MT4MmX1cr1O0h3m7nuN9e7+TchiXkZ5Dd/6JzaXY6
-VrvS3vQ6npwUNkiE4KOzbFbDbKoZ09Y4No38SfDl84u/+ib7sccHgqA8a/iniiFY
-hQKjZcrn3siL6MHYx05SUbzf/Vpfv4z4h5hXCMiHNaPBFB8zPQBCFrQdg3hy+tnu
-y1SW4zF7CwJE4IHNwZBhNnFhTgWNHyeEfgClgwIDAQABAoIBAHXoftbRoIKIXtJz
-0sM8plwOctUvnAoOqhsNYN1fVXEnTzoYmOtirKRbpkVWgJu9Ad4J0UAwF76lTGQX
-FIV9sjqV5S09grxlY3qXaquE+i4pMA4gXro5E+eRI8GFJ+F7cX5rRcjsuRi8wyEH
-gh/YtY5zMqfKTUGxlXWmNlaH70WilianuMPNXwaKgyBGcfZdheyUggM0rYEJrG1Z
-PZqNo0JKfeI4htpENDp0k1xJ9lCjIqdNw0ZjBi+pL6hF5PYaPjlVC2yn5CzRaT1D
-nUeKUK+SVES4sPrEQtaOlk86uZC4pIz5IlEoSvaw/Yo3Gk1sQKIQMMh1crhHd0El
-U831KwECgYEA7fQY+aFk3fHabwgf9gjuPKgwetVQ8jNDWUiSqffHUC0AQfKZQQsF
-mXJeSRZomPCWG3DRz1EcqXr9f82bN295I0CI6foXZgKUmjed7Bohc0HvUqNOi2qm
-MdbdWBOaH4RBzi1fAENJZnprmq65jQ/tkfCwqIz4KaLt+8xiWmU2h6ECgYEA32gB
-UbCzs1LoJC03uGHqZFRWK/YNKOKBUw58XCnzPTA+34UupI88lPj8LD269tDtruRy
-G7wt4HjayPKtK430nKAl01IXq6ULBTByu3KrCOm/gTAycVMj4ZimTn7Qu9jyv4Lz
-Ka3rBQxB+yQWfn27dc7U+EBsA7PT53NR6Zl8CqMCgYALJYod93+AHho7ZUgKAHUY
-hlBvEJsQHXKkNhAYwjCmAtWmQTUIpPmILKFaDyCrOWnusyRA7+3FyqshV4JT4Hbu
-PdGsFDkQYEKRztUpADhc69PILTo6sa5DW2tW+uQXYdyrSdjPbFd943Iy9sheYUah
-tYKxApmFacp4JyTcUy1wwQKBgA44xLy6jvX/dR+4cS+frBgu9j1eMIBFyw3Kgkgr
-s3xVserww4NeSvEA2KzIUTqdGkRj7o+tbw43I1ZffH6lTskZuM63DyKyIv11lBgy
-uIicuMA0nUFxlXsrCIs+r3MF4I4oe+pPVALCQQEHzxbGUkSxogUbtMSXkgnN4Y0J
-ZEgZAoGAfo0nv/IeKi0KkKiPTQSGVWGAQyCpGE0UQ2RYYToT84kjXs+LrVGFH2lu
-LJvyYnSnM7eKqCFKh+kLQ3bezum56y5XTyAEipTmu7Lhp0CiVjSdnu+0QykmhKsx
-Z17Ut2ryGKOXySnlMNual4eCLq98o0iOcYPq08V6x33dhK7Z3kU=
+MIIEpQIBAAKCAQEA6Kj20o6QRKNm6ZOEO+3VoXJ08M80CE2siifxoK9kzEVAFexq
+azUs4vjtQpAR44lwNRDWz3Q/Tm8DBf5PA4DacEOGBUF7xz5GwFF8RGbFyzMrt2CP
+nKuPBskWtQk96bTgoQ+etHsulPmzv7PWf6lliv0fIlO9gl3dz3rx+ujBBb3yaAQk
+b3GzYt9qpNXdERLUH28h5AZaHrgNKsXpfL8dj6fcx5IwZndQmhdLphkjG8Y13uF4
+H/bHG/dW/RM3IaKSY/xnmJuA3mOfuZCRT1Iz1DNBvZljWbcOf3dxsnnDcBd4KWEm
+GjN7pS+FWzh78BK4lvpv00swvh4HQEwJkPrpjwIDAQABAoIBAQCGhpwg5znX1jt9
+N0SwejaaIVoom0ZUvsTTJYF7Da9UxX3mr0phLuADZTea0z7kt+VfaZsrXOX17g5r
+er4pImorm390roZpkELMlNEro9keQzo1z+l6B2Ct5bvxdaSM638u4Z88cDVhAnjC
+kbOnIUWLdgx4hr7/EFNe0pH0KHzjWfS4YMUXZFYER3W+lQ68j3U/iFdCsMdABrLV
+BnKozAUOWTHeZc+8Ca0MFWChrj9b2DCs2M0ASgAx5s9CNo1dIbqwJmb7OLlwm3G+
+Xx0JzN7eOOZdiFSPcyNoRwE6rKvrs2GtQ9LqWdkvVEuFjyIkl97cnoOkRIj5bAvN
+DfjfjmeBAoGBAP9rdEPjprVbEeAS+acLc/6oWlGqo23nO31IuUWHT10yxf0E5FIp
+waLJchqT+jD5tYehfZ1+OVtYiWWKBJIXnVK+a4rc/GIRWX/BRHMtWeenv7wR72pt
+1GRxp7yTZtj1AeJhuXcSHpntAo0kG6gHC/+FvbrNgyuSYn9siIa+C5RhAoGBAOkw
+RgOX7hXYzOSATbKZcnNFdPECYaBDjXV/Rcg966Ng4UcxWl3vJRYf3A55ehmc2Jdm
+CSqt6CrsR/RxKrljsCe7gD/GGEktV7fknnXC5Bfx3hUXQ4rATLx8xwlae+wc+ANM
+eaY1HB0KOGGGH2kT4l4UFChgnfpZN+vpel/cFkPvAoGBAJPqZZVfQ87o44wxUPSl
+FFKYql17BVQDQhdGw0x5lMNzQOdLKvJODj44jOTJZ21vXuoh4n4PeCXnOwJbkFQO
+auRdNChh26LrSzpJ8VsGG3elVMsUU+L9oa9dhncVoczo7mNslpxXGPOpJv4XuBBx
+rEgY6oxAscLM7k++yb3GVyxhAoGBAMK6lT0a+q8zxKZsnnWuvmyUa/t3SZ9TyiV8
+iwGU89oTZQzWoegfdJDtOg68UsJgwF5tzundICv39H6kolD+dnQ3l/mpq04wlzfx
+qoIcpe15BUQHkVelDm+4o12kOigKaPIYQt4RK9D0X/DQ2BofiMGXct3lEQemyZQv
+/Qlf+RfxAoGABBRf9DcyA/RdmTszqebfPPNmx7iHaNbrZ3Xbvyv3P5LkzXlFLTvA
+hDz/UqnVM7Bwe1OGeJYkXfmijRjpJ+U8dteb2YzZ3tnlzKwifz+051/LcjavX9X2
+5PuEB2Y65V0OWImIFVlLnp3MRyE4bImveBliWrTRQUVsxQt2WIDgThw=
 -----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf
index 3db5e8aef..908f85ac5 100644
--- a/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = ldap aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
+  load = ldap aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/ipsec.d/certs/daveCert.pem
index b76032480..91df37a81 100644
--- a/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/ipsec.d/certs/daveCert.pem
+++ b/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/ipsec.d/certs/daveCert.pem
@@ -1,24 +1,24 @@
 -----BEGIN CERTIFICATE-----
-MIIEHDCCAwSgAwIBAgIBATANBgkqhkiG9w0BAQUFADBLMQswCQYDVQQGEwJDSDEZ
+MIIEHDCCAwSgAwIBAgIBBTANBgkqhkiG9w0BAQsFADBLMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEOMAwGA1UECxMFU2FsZXMxETAPBgNV
-BAMTCFNhbGVzIENBMB4XDTA1MDMyMzA3MTAxN1oXDTEwMDMyMjA3MTAxN1owVjEL
+BAMTCFNhbGVzIENBMB4XDTEwMDQwNzA5NDI0MVoXDTE1MDQwNjA5NDI0MVowVjEL
 MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsT
 BVNhbGVzMRwwGgYDVQQDFBNkYXZlQHN0cm9uZ3N3YW4ub3JnMIIBIjANBgkqhkiG
-9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyqAR0itGIuSt/RR8IHjFTLH/lywprmHUw0GS
-zZwo/q4AE4v6OeWRG3JUUg44K40yBwr7zvcsLztRTfbNqlt7o+Hjpo3kz0AMwDo+
-1V42Qkh61VJW1P0NQvkgjiQn+ElSMg1u3uiYCIMAhYMYo2ZMKxHXxRqjU79AVuJN
-P3p8wUpfwReImAy3/n685YbSzWcbPqCfjRH/YrnYS8Ga7m/QzdNfrtxhAWAGow1+
-+eTSMvLXSkQeujU6OCJNOPUNB3nnJ1IoZrQm8wNP8Y5B5HzvOSyFEvNuHFc63gSP
-aSRhuz0gubuMpr1d9Rgjny8JgsfCEbOktlKwnbFeSB8AAgVMjwIDAQABo4H/MIH8
-MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSCy57rUdNRbytUkRGY
-GjmjvXfIszBtBgNVHSMEZjBkgBRfmxNG+SByyADViLWnTC6X6guTKKFJpEcwRTEL
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEAztqGSb3H9Xh6I4xiDkmsN5WRjKnEQfSRZsSi
+0umR7a1jysVvMgLKnmk2hAMJkDTjBXndEemnLiXemxNq4Wp3x0ZgpNWC6y1klZY6
+J7T76/4YhpIIs8HA1+ZiIAEhYCkeqy/ULPk0qa6yK6Ma2FKLEC4wz6OBbjhctqLz
+VsxxKDkLaivnJ16bX8CCNsCq86Ba64m6K1Mpsev5RKnOz0Ey1WwBhgLmipZRgAMH
+K6yPTRaOccvFVrOpi1bfprKXkrCYt6sQoDjbfheZ/tKyW2iJ+WbH0lsA4NbPi1s/
+5/rOIH+16CGfanXiZvZ7NbxLyb8ffPIXFxDTqiS8wFreRZR85wIDAQABo4H/MIH8
+MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBRnEIHshwPhDDGr3xLV
+MnUEbroVIjBtBgNVHSMEZjBkgBRfmxNG+SByyADViLWnTC6X6guTKKFJpEcwRTEL
 MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT
-EnN0cm9uZ1N3YW4gUm9vdCBDQYIBDTAeBgNVHREEFzAVgRNkYXZlQHN0cm9uZ3N3
+EnN0cm9uZ1N3YW4gUm9vdCBDQYIBITAeBgNVHREEFzAVgRNkYXZlQHN0cm9uZ3N3
 YW4ub3JnMDQGA1UdHwQtMCswKaAnoCWGI2h0dHA6Ly9jcmwuc3Ryb25nc3dhbi5v
-cmcvc2FsZXMuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQB+BknSxFKaDhbRVobOAU2P
-p9cirkVCitoZrvK2QIS/7WRoqy85RQ+zorJb3jyTxQl4Pu9Qrap9Zn0H8GQXGlQw
-ZJqdDqRaIa4nCc57qP5DsuQKIQRxc1QMCiWyIRAESn+r8IbxLbjvEd7ZXNsieip6
-Q15uUZldjTveHVi89i9oFWS1nWo4SV+tJaEqPBvsTZZKBPAEu6+7lRzbJ4ukzRsA
-DjuvmaPNUTyf21fD66I4sgrwgxoPhZ7r6qsqISJ5f0EzTXgYNi1yk/TXoAaot3c/
-Gu5+iyO/espV6kPADSOzPSFwsGHYG4kXi1VY0Z7x6UnjQSdEelOBplJ5XYDzEn4+
+cmcvc2FsZXMuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQB5H5jjp9LvEDyJp/3x7Caq
+OhIBSl5n3g7Oi1gXT5GHLBh9/l5i6Swk1eey2oMzpHgsdDogLytlvzRKXupJAZt5
+xWab5I7BfichRCV4bOutN/F8DiNChG0SnYEBizRi5K06LAadtDT0NLv7iE/I49Nb
+E8OdqnET1zHq82mbtVZCEzmRe+cmlB7EeECED+GxTOnYLRWeKg+AWIE4/fLN7s0e
+q94lSUtym71LZ9kmMMAHkIyEbblvVIa7k5j4T6j0XwPPcYVMSjogqeze+qbf3EQ+
+JkRlGdzL/17ToLWYnVwkLqQDn6B+RfwnPk2EXndutPrNz6C3Wy7zNNniciAtXAq+
 -----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/ipsec.d/private/daveKey.pem
index 022436de4..86740e86a 100644
--- a/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/ipsec.d/private/daveKey.pem
+++ b/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/ipsec.d/private/daveKey.pem
@@ -1,27 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEAyqAR0itGIuSt/RR8IHjFTLH/lywprmHUw0GSzZwo/q4AE4v6
-OeWRG3JUUg44K40yBwr7zvcsLztRTfbNqlt7o+Hjpo3kz0AMwDo+1V42Qkh61VJW
-1P0NQvkgjiQn+ElSMg1u3uiYCIMAhYMYo2ZMKxHXxRqjU79AVuJNP3p8wUpfwReI
-mAy3/n685YbSzWcbPqCfjRH/YrnYS8Ga7m/QzdNfrtxhAWAGow1++eTSMvLXSkQe
-ujU6OCJNOPUNB3nnJ1IoZrQm8wNP8Y5B5HzvOSyFEvNuHFc63gSPaSRhuz0gubuM
-pr1d9Rgjny8JgsfCEbOktlKwnbFeSB8AAgVMjwIDAQABAoIBAHKaRFoVpa6Ynpu0
-mVwYUqdFSaVsEgsSRC9HiEuIllsteNeVZSqX4BGhAXYDmttvGauIF9IAVNpF939c
-JwjCg1S2r3aFbLOXq16R0vYFOjUVH3xF/NysX3LQywv6AS1Z8wZiOKIU9eBij8nz
-0tygQFZf2iUeIuB8HFzH1B8iHSuI7qn6hh1Y9Zgx4kWYL9I+WYefbR906xveHVGq
-8VrgHtBAn1WeWg7FoN1VURW0s1bxkiWtpF9x9OMmwK4qR8HSCilss59V1eJrAAR0
-3FGdWwbbGg9hW0adnyDCtoaYW3r0WcXwqklyas4C+dClOpUInn8kZisoghQYT92u
-U2QeDzECgYEA5Rv7+rP9HX1pNd9NQwOyIHztv4jfx60gybioogtCeRZUwPQ3GtXJ
-Q0ouBxCVLdyCImIKcvd2q2b9HZE8tvOHBA/YxofH4miEN5GWA4aL+LcGrxIbxPWs
-MEkxgQwsyK7lWH47fG7eW86LMx0VikFXS1EeeZZS3f3Avaww1uRtXecCgYEA4mhS
-sAClZamGVWQ7VXCHuS4xHn/gPA4TCyoR5l9g9pwregGKxsROQVIFQCDMd9eTtS6B
-oqoUTHdg0TlujHVUojdwHtgDaqDMTk+RXD9qy2Wob9HQVBlIwgijoLb+OjwdoAj7
-1OQx8FmMjAlMmlyJ50e1FnbNJFEJ1EMgV5QxtxkCgYEArdUeyehYy1BFTJ/CIm+i
-bm37gdDbYchlUUivgkuiwvcDlWd2jADbdRfKdofJeIOPpYDXxsUmIATDVfTFqVZ7
-AcT4SCHrskh00SjANqqWdz5/bsQBl96DKBvQ2MYhEJ9K2mrkvZPtWKENEtolZsIO
-9tF0mvJIq7CF1iPY5qNoq88CgYEAoZhELErJwl3U+22my7ydopZNiK9MpJCHFxjX
-3c2Fr36XqWUgX+4MzKJ2DOdcCM1dJ5wh+q/Z/RnXiH2tYaL83SskY19aUOij6eDw
-px68YqAUMHtYbi39uD/iSftSSM5PdsHyvGiDHEFOB0U735Dc/K45mecBVEJi+ZVP
-qDKlqUECgYA1DcGOWM3P3XdB7zKy47LcankMtFZozEOLTUdGJRlmWrLdcRlZPKjt
-/ALripehesp1++VtmttWQJX7uI3gveD07/tSKeMHmIoKappjRTrcaA7Pa5+z/xS/
-UhRmZUFOJwNLzy3jdv5f2c/5SIz6o4Ae3I+Zb+IapHL+lBv146/I5g==
+MIIEpQIBAAKCAQEAztqGSb3H9Xh6I4xiDkmsN5WRjKnEQfSRZsSi0umR7a1jysVv
+MgLKnmk2hAMJkDTjBXndEemnLiXemxNq4Wp3x0ZgpNWC6y1klZY6J7T76/4YhpII
+s8HA1+ZiIAEhYCkeqy/ULPk0qa6yK6Ma2FKLEC4wz6OBbjhctqLzVsxxKDkLaivn
+J16bX8CCNsCq86Ba64m6K1Mpsev5RKnOz0Ey1WwBhgLmipZRgAMHK6yPTRaOccvF
+VrOpi1bfprKXkrCYt6sQoDjbfheZ/tKyW2iJ+WbH0lsA4NbPi1s/5/rOIH+16CGf
+anXiZvZ7NbxLyb8ffPIXFxDTqiS8wFreRZR85wIDAQABAoIBAQCZSpoP1cN0Zvbk
+lykne3NTsdSuEDUvx4VlSj173bnWEBOO9idEQYtUP5Y12GZi5r6ClV+94ZCSA2Bn
+PcmMCTGAjOgb31po3DfZHv4z5Mx4g9I7D8fBJsm5dbKsEwpfz7k5lXVAauGbCaph
+6jp/qxQBRqnHhlzpiH00n6eDYHhPHDoFHe+vGbnjWzJKsvs6EZiXpfJ/WKd1eQah
+sGF7g+9qV5xqwshCBKf25LZ2XjdvZDt78HS4hsSaStnemetK9NVJGJqmLzehQ16m
+RXAr8Ybk9g7/MSFhpwGPGjcqm2/szL4Cs9IMtYSxiroY3QL+DZydG9+K9g5NF7lX
+lbEX9HXRAoGBAOduCSLaoEJsgZathny9kSsBtDmTAuiVZukqRdMjDN2I0kOsRsIw
+CEF1DIvFsX7nfHkKve8+XyTc05y7LTXmX1AEjMgzFel7uy5HjS7AsJZgTippC8g/
+l2jGq+s59zATNZ2el9Q9dbeK2lBdrVy+jqNITdQge9BigFfhWbkAGFRPAoGBAOTQ
+if2+Yrh0zDPO53I6kShehaZvNtPmQxmmhvH4HGMY8EyRajFOSMpV1w3VYDuTA47v
+yol+90BWMY8ZslrXq+Bmwx2ocSc2feyUYcJoOoRL/b+b1lY2Vnog3Hs5BQLsULzH
+dwkEuK8wjjw1g4ksuIMbX/X9nEvJs0xemzh7Ju/pAoGACNI24u82YJHGNroSgDqx
+h9QezHsAB2F6dLS5yJxzZxZJ/W5ZnBk8l1Ig0ksMwuuL4Qk5yB62fa81GapAxOct
+Bt3Fh/P6h9XBgrgTd468rF6rXA549n8GBGZeMy8Ybuqshn9/BgX5sK9INvv7Gafh
+w/ODk+xRC9ZVUgQy6UxJoR0CgYEAybmYjl40xo4iIWK95ZUAuGhsx8iwu6v7aDfK
+LLUiwbMQ11A0IPf1cHyxNf7x8lOwBWoeU43eCZhz5Mcw2KnfW9z9E76W041VAyfl
+7/DX9h7QvQZ0tlj9cHpcJz6jzmns3CG2Lfs9nyXdn/NF3b/Rg7S0qzhFfQN70U5u
+5iKct1ECgYEAmR/0IbYGh1YJ7Z9im44MTSz6H7bTnmIDjM3/+IVydSVgFbzcoVG6
+4sQ5fIViMLtz9PHDRRKbs8TBzpy7C/wC1qRqpq9I17INSQzvm3DpZ2PlR0SeN2dA
+fO9XtkE73cEff/gI7JWOouy/vczizfRemnWlNK5Ui29Fe0QlGC9TyX0=
 -----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf
index 3db5e8aef..908f85ac5 100644
--- a/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = ldap aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
+  load = ldap aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem b/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem
index 154cff654..d53365f78 100644
--- a/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem
+++ b/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem
@@ -1,7 +1,7 @@
 -----BEGIN CERTIFICATE-----
-MIIDwTCCAqmgAwIBAgIBDzANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
+MIIDwTCCAqmgAwIBAgIBIDANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA1MDYyMTE5NTgwNloXDTEwMDYyMDE5NTgwNlowUTELMAkGA1UE
+b290IENBMB4XDTEwMDQwNjA5NTM1MFoXDTE5MDQwNDA5NTM1MFowUTELMAkGA1UE
 BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
 cmNoMRQwEgYDVQQDEwtSZXNlYXJjaCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP
 ADCCAQoCggEBALY5sjqm4AdbWKc/T7JahWpy9xtdPbHngBN6lbnpYaHfrxnGsvmD
@@ -13,11 +13,11 @@ C+25IuE8Nq+i3jtBiI8BwBqHY3u2IuflUh9Nc9d/R6vGsRPMHs30X1Ha/m0Ug494
 BTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU53XwoPKtIM3NYCPMx8gPKfPd
 VCAwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNV
 BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJv
-bmdTd2FuIFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQEEBQADggEBAHArS2trQnBoMVcg
-Br3HV78wYsa1MNAQCBAPhKMMd6EziO4FTwgNgecbKXpObX6ErFDgjtVTcLOMTvNX
-fvZoNuPpdcitlgcWjfxZafNbj6j9ClE/rMbGDO64NLhdXuPVkbmic6yXRwGZpTuq
-3CKgTguLvhzIEM47yfonXKaaJcKVPI7nYRZdlJmD4VflYrSUpzB361dCaPpl0AYa
-0zz1+jfBBvlyic/tf+cCngV3f+GlJ4ntZ3gvRjyysHRmYpWBD7xcA8mJzgUiMyi1
-IKeNzydp+tnLfxwetfA/8ptc346me7RktAaASqO9vpS/N78eXyJRthZTKEf/OqVW
-Tfcyi+M=
+bmdTd2FuIFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQELBQADggEBAI1toW0bLcyBXAoy
+FeLKGy4SibcNBZs/roChcwUav0foyLdCYMYFKEeHOLvIsTIjifpY4MPy3SBgQ5Xp
+cs5vOFwW97jM6YfByqjx4+7qTBqOaLMXBbeJ3LIwQyJirpqHZzlsOscchxCjcMAM
+POBGmWjpdOqULoLlwX9EFhBA2rEZB1iamgbUJ5M5eRNEubm8xR6Baw/0ORz/tt+t
+xC9jxcjHoJnOFV0ss7Xs3d32PqhvKGgBxjVLZyq3zD/rMG2xXVyKPU46zelMCP1U
+dsM62tL1cwAi4soka02GQrP/rwBhHt22bJMN4gNs5NSvhTdjjgwVYzLu63IFYBvW
+8sFmiZI=
 -----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem b/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem
index e50477872..a10a18cba 100644
--- a/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem
+++ b/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem
@@ -1,7 +1,7 @@
 -----BEGIN CERTIFICATE-----
-MIIDuzCCAqOgAwIBAgIBDTANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJDSDEZ
+MIIDuzCCAqOgAwIBAgIBITANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA1MDMyMzA2MjkxNloXDTE0MDMyMTA2MjkxNlowSzELMAkGA1UE
+b290IENBMB4XDTEwMDQwNjA5NTQzM1oXDTE5MDQwNDA5NTQzM1owSzELMAkGA1UE
 BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsTBVNhbGVz
 MREwDwYDVQQDEwhTYWxlcyBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
 ggEBAMJOTSaZjDe5UR+hJbodcE40WBxWm+r0FiD+FLc2c0hH/QcWm1Xfqnc9qaPP
@@ -13,10 +13,10 @@ vPAqzrekOI/RV9Hre9L1r8X1dIECAwEAAaOBrzCBrDAPBgNVHRMBAf8EBTADAQH/
 MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUX5sTRvkgcsgA1Yi1p0wul+oLkygwbQYD
 VR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNI
 MRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2Fu
-IFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQEFBQADggEBAJ7j3X20Q8ICJ2e+iUCpVUIV
-8RudUeHt9qjSXalohuxxhegL5vu7I9Gx0H56RE4glOjLMCb1xqVZ55Odxx14pHaZ
-9iMnQFpgzi96exYAmBKYCHl4IFix2hrTqTWSJhEO+o+PXnQTgcfG43GQepk0qAQr
-iZZy8OWiUhHSJQLJtTMm4rnYjgPn+sLwx7hCPDZpHTZocETDars7wTiVkodCbeEU
-uKahAbq4b6MvvC3+7quvwoEpAEStT7+Yml+QuK/jKmhjX0hcQcw4ZWi+m32RjUAv
-xDJGEvBqV2hyrzRqwh4lVNJEBba5X+QB3N6a0So6BENaJrUM3v8EDaS2KLUWyu0=
+IFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQELBQADggEBACRlTqXMjHy7r7rWnq/09yFn
+Td6d+y6KkHj9kvYSA5q7xYdmP3I4+YP2qpPnYjSeyfMCl4ZIyMXnfUbz5OvuXp4S
+CS0gIUJ6mK6+5f1a3USdB4Ce0Od4mkUIQmLzKFCRSqdhWoVzNJrl+BT1a5d9+aLW
+AL5S2pqUoQPgG64MPghy3SyUb4qBeplk3JdR/6OgA5LQeNtLiI7Y/dbMM2Rvn284
+RIIxp2TqN2Hup6BNLHv6fLixdJpM+nG7ZjGYf+7dnuY6ZDhvIt18zr/2n1ELBQPh
+M5SjYhGQIZVmNzNDrKGVAKta5LG8BwBGi0uXc9fBXWRcffI3N1/IZj/ob5t3WCg=
 -----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf
index c9e6722ae..bb4af2c75 100644
--- a/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = ldap aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = ldap aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/ipsec.d/certs/carolCert.pem
index 2990d6a12..69e5c05e3 100644
--- a/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/ipsec.d/certs/carolCert.pem
+++ b/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/ipsec.d/certs/carolCert.pem
@@ -1,25 +1,25 @@
 -----BEGIN CERTIFICATE-----
-MIIELDCCAxSgAwIBAgIBATANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJDSDEZ
+MIIELDCCAxSgAwIBAgIBBjANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS
-BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTA1MDMyMzA3MDQyM1oXDTEwMDMyMjA3MDQy
-M1owWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP
+BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTEwMDQwNzA5MjA1N1oXDTE1MDQwNjA5MjA1
+N1owWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP
 BgNVBAsTCFJlc2VhcmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCC
-ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM+oTiV7lCh1ID41edDUgUjR
-dZwEMPBAM1xDqoxJxIJpug8UIuuUL0TvQnZ4Z5fa/9QNNCkQ7FDh8ZcR+TT8x0mO
-dYYA73mMQic0n4O57F+s/lESKvIoN+vIDR3rGJBv9rYztS4ODE+DJl9XK9TtId5u
-57jfXu/k3IYl5GeQ3f+ic2l2Ola70t70Op6cFDZIhOCjs2xWw2yqGdPWODaN/Enw
-5fOLv/om+7HHB4KgPGv4p4ohWIUCo2XK597Ii+jB2MdOUlG83/1aX7+M+IeYVwjI
-hzWjwRQfMz0AQha0HYN4cvrZ7stUluMxewsCROCBzcGQYTZxYU4FjR8nhH4ApYMC
-AwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSL
-qNn96rsWg0kOJY/cyXD2JpnPIjBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOio9tKOkESjZumThDvt1aFy
+dPDPNAhNrIon8aCvZMxFQBXsams1LOL47UKQEeOJcDUQ1s90P05vAwX+TwOA2nBD
+hgVBe8c+RsBRfERmxcszK7dgj5yrjwbJFrUJPem04KEPnrR7LpT5s7+z1n+pZYr9
+HyJTvYJd3c968frowQW98mgEJG9xs2LfaqTV3RES1B9vIeQGWh64DSrF6Xy/HY+n
+3MeSMGZ3UJoXS6YZIxvGNd7heB/2xxv3Vv0TNyGikmP8Z5ibgN5jn7mQkU9SM9Qz
+Qb2ZY1m3Dn93cbJ5w3AXeClhJhoze6UvhVs4e/ASuJb6b9NLML4eB0BMCZD66Y8C
+AwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBTE
+AO+W2V1eu0sjCQcfemzz9lSRvTBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p
 891UIKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3
-YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBDDAfBgNVHREEGDAWgRRj
+YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBIDAfBgNVHREEGDAWgRRj
 YXJvbEBzdHJvbmdzd2FuLm9yZzA3BgNVHR8EMDAuMCygKqAohiZodHRwOi8vY3Js
-LnN0cm9uZ3N3YW4ub3JnL3Jlc2VhcmNoLmNybDANBgkqhkiG9w0BAQUFAAOCAQEA
-FNPepmta0ac9TWe7Gl31fKkuf6ZiQftMwx/uq6PoX9PBVGeooktJMo+EiROQhL3N
-Zomtl2nLfxYruXPHa7YaMWyv4+3NkV9p7jseC1K/2lCXipY4Vp8u14hqlRLCTejp
-7uC/0+628e+qXlCm8wafDb9/JXzQar7rADhoLp7gJKI2PKMAzLUP2xZVzY5zx57G
-+OCR/ZXonVeAPy9/0g9N8uQzJEXOVZYMjsoRra9rdlvnY1DgDoAK7QvJMC4VzENm
-wKmz2rPrBlKaEcivubg7dwPMGNmb3f7F7w0HHuRbQd5Y0nDfEWBKCp0bVx1GLc7/
-MWjwPJs52qVJ3Ph++EF6bw==
+LnN0cm9uZ3N3YW4ub3JnL3Jlc2VhcmNoLmNybDANBgkqhkiG9w0BAQsFAAOCAQEA
+ajgFI8Kz611i0Ihu8+M1C2W1kFbL4EoYyon3trjRZ3Iqz6ksf9KSKCS6Fiylq4DG
+il0mtMtlP+HKcXzRgSY96M4CO73w26liwmZsFBNaZKI/5vKRPPLyU9raGshfpBeC
+CywZ4vcb+EViIPstzOYiK5y/1tSGsMEdnlX2JZsJAKhbLRTmC02O3MbGGBQQq1eU
+n1xkR8pndTWTJmFZ61fZlUMSwLgLF9/VchAa7cIdEA044OCtTdabiYoyLFmqDutq
+8GYvWOzLf2qOKcRxkHxPfeJDrWOLePEYnaMkSBkUKAUIkI+LaJbWF3ASTGgHqh2/
+pwU12A3BovJKUaR0B7Uy2A==
 -----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/ipsec.d/private/carolKey.pem
index b91f9bf81..53e18680b 100644
--- a/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/ipsec.d/private/carolKey.pem
+++ b/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/ipsec.d/private/carolKey.pem
@@ -1,27 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEogIBAAKCAQEAz6hOJXuUKHUgPjV50NSBSNF1nAQw8EAzXEOqjEnEgmm6DxQi
-65QvRO9Cdnhnl9r/1A00KRDsUOHxlxH5NPzHSY51hgDveYxCJzSfg7nsX6z+URIq
-8ig368gNHesYkG/2tjO1Lg4MT4MmX1cr1O0h3m7nuN9e7+TchiXkZ5Dd/6JzaXY6
-VrvS3vQ6npwUNkiE4KOzbFbDbKoZ09Y4No38SfDl84u/+ib7sccHgqA8a/iniiFY
-hQKjZcrn3siL6MHYx05SUbzf/Vpfv4z4h5hXCMiHNaPBFB8zPQBCFrQdg3hy+tnu
-y1SW4zF7CwJE4IHNwZBhNnFhTgWNHyeEfgClgwIDAQABAoIBAHXoftbRoIKIXtJz
-0sM8plwOctUvnAoOqhsNYN1fVXEnTzoYmOtirKRbpkVWgJu9Ad4J0UAwF76lTGQX
-FIV9sjqV5S09grxlY3qXaquE+i4pMA4gXro5E+eRI8GFJ+F7cX5rRcjsuRi8wyEH
-gh/YtY5zMqfKTUGxlXWmNlaH70WilianuMPNXwaKgyBGcfZdheyUggM0rYEJrG1Z
-PZqNo0JKfeI4htpENDp0k1xJ9lCjIqdNw0ZjBi+pL6hF5PYaPjlVC2yn5CzRaT1D
-nUeKUK+SVES4sPrEQtaOlk86uZC4pIz5IlEoSvaw/Yo3Gk1sQKIQMMh1crhHd0El
-U831KwECgYEA7fQY+aFk3fHabwgf9gjuPKgwetVQ8jNDWUiSqffHUC0AQfKZQQsF
-mXJeSRZomPCWG3DRz1EcqXr9f82bN295I0CI6foXZgKUmjed7Bohc0HvUqNOi2qm
-MdbdWBOaH4RBzi1fAENJZnprmq65jQ/tkfCwqIz4KaLt+8xiWmU2h6ECgYEA32gB
-UbCzs1LoJC03uGHqZFRWK/YNKOKBUw58XCnzPTA+34UupI88lPj8LD269tDtruRy
-G7wt4HjayPKtK430nKAl01IXq6ULBTByu3KrCOm/gTAycVMj4ZimTn7Qu9jyv4Lz
-Ka3rBQxB+yQWfn27dc7U+EBsA7PT53NR6Zl8CqMCgYALJYod93+AHho7ZUgKAHUY
-hlBvEJsQHXKkNhAYwjCmAtWmQTUIpPmILKFaDyCrOWnusyRA7+3FyqshV4JT4Hbu
-PdGsFDkQYEKRztUpADhc69PILTo6sa5DW2tW+uQXYdyrSdjPbFd943Iy9sheYUah
-tYKxApmFacp4JyTcUy1wwQKBgA44xLy6jvX/dR+4cS+frBgu9j1eMIBFyw3Kgkgr
-s3xVserww4NeSvEA2KzIUTqdGkRj7o+tbw43I1ZffH6lTskZuM63DyKyIv11lBgy
-uIicuMA0nUFxlXsrCIs+r3MF4I4oe+pPVALCQQEHzxbGUkSxogUbtMSXkgnN4Y0J
-ZEgZAoGAfo0nv/IeKi0KkKiPTQSGVWGAQyCpGE0UQ2RYYToT84kjXs+LrVGFH2lu
-LJvyYnSnM7eKqCFKh+kLQ3bezum56y5XTyAEipTmu7Lhp0CiVjSdnu+0QykmhKsx
-Z17Ut2ryGKOXySnlMNual4eCLq98o0iOcYPq08V6x33dhK7Z3kU=
+MIIEpQIBAAKCAQEA6Kj20o6QRKNm6ZOEO+3VoXJ08M80CE2siifxoK9kzEVAFexq
+azUs4vjtQpAR44lwNRDWz3Q/Tm8DBf5PA4DacEOGBUF7xz5GwFF8RGbFyzMrt2CP
+nKuPBskWtQk96bTgoQ+etHsulPmzv7PWf6lliv0fIlO9gl3dz3rx+ujBBb3yaAQk
+b3GzYt9qpNXdERLUH28h5AZaHrgNKsXpfL8dj6fcx5IwZndQmhdLphkjG8Y13uF4
+H/bHG/dW/RM3IaKSY/xnmJuA3mOfuZCRT1Iz1DNBvZljWbcOf3dxsnnDcBd4KWEm
+GjN7pS+FWzh78BK4lvpv00swvh4HQEwJkPrpjwIDAQABAoIBAQCGhpwg5znX1jt9
+N0SwejaaIVoom0ZUvsTTJYF7Da9UxX3mr0phLuADZTea0z7kt+VfaZsrXOX17g5r
+er4pImorm390roZpkELMlNEro9keQzo1z+l6B2Ct5bvxdaSM638u4Z88cDVhAnjC
+kbOnIUWLdgx4hr7/EFNe0pH0KHzjWfS4YMUXZFYER3W+lQ68j3U/iFdCsMdABrLV
+BnKozAUOWTHeZc+8Ca0MFWChrj9b2DCs2M0ASgAx5s9CNo1dIbqwJmb7OLlwm3G+
+Xx0JzN7eOOZdiFSPcyNoRwE6rKvrs2GtQ9LqWdkvVEuFjyIkl97cnoOkRIj5bAvN
+DfjfjmeBAoGBAP9rdEPjprVbEeAS+acLc/6oWlGqo23nO31IuUWHT10yxf0E5FIp
+waLJchqT+jD5tYehfZ1+OVtYiWWKBJIXnVK+a4rc/GIRWX/BRHMtWeenv7wR72pt
+1GRxp7yTZtj1AeJhuXcSHpntAo0kG6gHC/+FvbrNgyuSYn9siIa+C5RhAoGBAOkw
+RgOX7hXYzOSATbKZcnNFdPECYaBDjXV/Rcg966Ng4UcxWl3vJRYf3A55ehmc2Jdm
+CSqt6CrsR/RxKrljsCe7gD/GGEktV7fknnXC5Bfx3hUXQ4rATLx8xwlae+wc+ANM
+eaY1HB0KOGGGH2kT4l4UFChgnfpZN+vpel/cFkPvAoGBAJPqZZVfQ87o44wxUPSl
+FFKYql17BVQDQhdGw0x5lMNzQOdLKvJODj44jOTJZ21vXuoh4n4PeCXnOwJbkFQO
+auRdNChh26LrSzpJ8VsGG3elVMsUU+L9oa9dhncVoczo7mNslpxXGPOpJv4XuBBx
+rEgY6oxAscLM7k++yb3GVyxhAoGBAMK6lT0a+q8zxKZsnnWuvmyUa/t3SZ9TyiV8
+iwGU89oTZQzWoegfdJDtOg68UsJgwF5tzundICv39H6kolD+dnQ3l/mpq04wlzfx
+qoIcpe15BUQHkVelDm+4o12kOigKaPIYQt4RK9D0X/DQ2BofiMGXct3lEQemyZQv
+/Qlf+RfxAoGABBRf9DcyA/RdmTszqebfPPNmx7iHaNbrZ3Xbvyv3P5LkzXlFLTvA
+hDz/UqnVM7Bwe1OGeJYkXfmijRjpJ+U8dteb2YzZ3tnlzKwifz+051/LcjavX9X2
+5PuEB2Y65V0OWImIFVlLnp3MRyE4bImveBliWrTRQUVsxQt2WIDgThw=
 -----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/strongswan.conf
index 572cf39cb..dd2df0670 100644
--- a/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/strongswan.conf
index 572cf39cb..dd2df0670 100644
--- a/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/strongswan.conf
index 572cf39cb..dd2df0670 100644
--- a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem
index 154cff654..d53365f78 100644
--- a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem
+++ b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem
@@ -1,7 +1,7 @@
 -----BEGIN CERTIFICATE-----
-MIIDwTCCAqmgAwIBAgIBDzANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
+MIIDwTCCAqmgAwIBAgIBIDANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA1MDYyMTE5NTgwNloXDTEwMDYyMDE5NTgwNlowUTELMAkGA1UE
+b290IENBMB4XDTEwMDQwNjA5NTM1MFoXDTE5MDQwNDA5NTM1MFowUTELMAkGA1UE
 BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
 cmNoMRQwEgYDVQQDEwtSZXNlYXJjaCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP
 ADCCAQoCggEBALY5sjqm4AdbWKc/T7JahWpy9xtdPbHngBN6lbnpYaHfrxnGsvmD
@@ -13,11 +13,11 @@ C+25IuE8Nq+i3jtBiI8BwBqHY3u2IuflUh9Nc9d/R6vGsRPMHs30X1Ha/m0Ug494
 BTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU53XwoPKtIM3NYCPMx8gPKfPd
 VCAwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNV
 BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJv
-bmdTd2FuIFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQEEBQADggEBAHArS2trQnBoMVcg
-Br3HV78wYsa1MNAQCBAPhKMMd6EziO4FTwgNgecbKXpObX6ErFDgjtVTcLOMTvNX
-fvZoNuPpdcitlgcWjfxZafNbj6j9ClE/rMbGDO64NLhdXuPVkbmic6yXRwGZpTuq
-3CKgTguLvhzIEM47yfonXKaaJcKVPI7nYRZdlJmD4VflYrSUpzB361dCaPpl0AYa
-0zz1+jfBBvlyic/tf+cCngV3f+GlJ4ntZ3gvRjyysHRmYpWBD7xcA8mJzgUiMyi1
-IKeNzydp+tnLfxwetfA/8ptc346me7RktAaASqO9vpS/N78eXyJRthZTKEf/OqVW
-Tfcyi+M=
+bmdTd2FuIFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQELBQADggEBAI1toW0bLcyBXAoy
+FeLKGy4SibcNBZs/roChcwUav0foyLdCYMYFKEeHOLvIsTIjifpY4MPy3SBgQ5Xp
+cs5vOFwW97jM6YfByqjx4+7qTBqOaLMXBbeJ3LIwQyJirpqHZzlsOscchxCjcMAM
+POBGmWjpdOqULoLlwX9EFhBA2rEZB1iamgbUJ5M5eRNEubm8xR6Baw/0ORz/tt+t
+xC9jxcjHoJnOFV0ss7Xs3d32PqhvKGgBxjVLZyq3zD/rMG2xXVyKPU46zelMCP1U
+dsM62tL1cwAi4soka02GQrP/rwBhHt22bJMN4gNs5NSvhTdjjgwVYzLu63IFYBvW
+8sFmiZI=
 -----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/strongswan.conf
index 572cf39cb..dd2df0670 100644
--- a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/ipsec.d/certs/carolCert.pem
index 2990d6a12..69e5c05e3 100644
--- a/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/ipsec.d/certs/carolCert.pem
+++ b/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/ipsec.d/certs/carolCert.pem
@@ -1,25 +1,25 @@
 -----BEGIN CERTIFICATE-----
-MIIELDCCAxSgAwIBAgIBATANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJDSDEZ
+MIIELDCCAxSgAwIBAgIBBjANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS
-BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTA1MDMyMzA3MDQyM1oXDTEwMDMyMjA3MDQy
-M1owWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP
+BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTEwMDQwNzA5MjA1N1oXDTE1MDQwNjA5MjA1
+N1owWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP
 BgNVBAsTCFJlc2VhcmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCC
-ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM+oTiV7lCh1ID41edDUgUjR
-dZwEMPBAM1xDqoxJxIJpug8UIuuUL0TvQnZ4Z5fa/9QNNCkQ7FDh8ZcR+TT8x0mO
-dYYA73mMQic0n4O57F+s/lESKvIoN+vIDR3rGJBv9rYztS4ODE+DJl9XK9TtId5u
-57jfXu/k3IYl5GeQ3f+ic2l2Ola70t70Op6cFDZIhOCjs2xWw2yqGdPWODaN/Enw
-5fOLv/om+7HHB4KgPGv4p4ohWIUCo2XK597Ii+jB2MdOUlG83/1aX7+M+IeYVwjI
-hzWjwRQfMz0AQha0HYN4cvrZ7stUluMxewsCROCBzcGQYTZxYU4FjR8nhH4ApYMC
-AwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSL
-qNn96rsWg0kOJY/cyXD2JpnPIjBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOio9tKOkESjZumThDvt1aFy
+dPDPNAhNrIon8aCvZMxFQBXsams1LOL47UKQEeOJcDUQ1s90P05vAwX+TwOA2nBD
+hgVBe8c+RsBRfERmxcszK7dgj5yrjwbJFrUJPem04KEPnrR7LpT5s7+z1n+pZYr9
+HyJTvYJd3c968frowQW98mgEJG9xs2LfaqTV3RES1B9vIeQGWh64DSrF6Xy/HY+n
+3MeSMGZ3UJoXS6YZIxvGNd7heB/2xxv3Vv0TNyGikmP8Z5ibgN5jn7mQkU9SM9Qz
+Qb2ZY1m3Dn93cbJ5w3AXeClhJhoze6UvhVs4e/ASuJb6b9NLML4eB0BMCZD66Y8C
+AwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBTE
+AO+W2V1eu0sjCQcfemzz9lSRvTBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p
 891UIKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3
-YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBDDAfBgNVHREEGDAWgRRj
+YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBIDAfBgNVHREEGDAWgRRj
 YXJvbEBzdHJvbmdzd2FuLm9yZzA3BgNVHR8EMDAuMCygKqAohiZodHRwOi8vY3Js
-LnN0cm9uZ3N3YW4ub3JnL3Jlc2VhcmNoLmNybDANBgkqhkiG9w0BAQUFAAOCAQEA
-FNPepmta0ac9TWe7Gl31fKkuf6ZiQftMwx/uq6PoX9PBVGeooktJMo+EiROQhL3N
-Zomtl2nLfxYruXPHa7YaMWyv4+3NkV9p7jseC1K/2lCXipY4Vp8u14hqlRLCTejp
-7uC/0+628e+qXlCm8wafDb9/JXzQar7rADhoLp7gJKI2PKMAzLUP2xZVzY5zx57G
-+OCR/ZXonVeAPy9/0g9N8uQzJEXOVZYMjsoRra9rdlvnY1DgDoAK7QvJMC4VzENm
-wKmz2rPrBlKaEcivubg7dwPMGNmb3f7F7w0HHuRbQd5Y0nDfEWBKCp0bVx1GLc7/
-MWjwPJs52qVJ3Ph++EF6bw==
+LnN0cm9uZ3N3YW4ub3JnL3Jlc2VhcmNoLmNybDANBgkqhkiG9w0BAQsFAAOCAQEA
+ajgFI8Kz611i0Ihu8+M1C2W1kFbL4EoYyon3trjRZ3Iqz6ksf9KSKCS6Fiylq4DG
+il0mtMtlP+HKcXzRgSY96M4CO73w26liwmZsFBNaZKI/5vKRPPLyU9raGshfpBeC
+CywZ4vcb+EViIPstzOYiK5y/1tSGsMEdnlX2JZsJAKhbLRTmC02O3MbGGBQQq1eU
+n1xkR8pndTWTJmFZ61fZlUMSwLgLF9/VchAa7cIdEA044OCtTdabiYoyLFmqDutq
+8GYvWOzLf2qOKcRxkHxPfeJDrWOLePEYnaMkSBkUKAUIkI+LaJbWF3ASTGgHqh2/
+pwU12A3BovJKUaR0B7Uy2A==
 -----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/ipsec.d/private/carolKey.pem
index b91f9bf81..53e18680b 100644
--- a/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/ipsec.d/private/carolKey.pem
+++ b/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/ipsec.d/private/carolKey.pem
@@ -1,27 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEogIBAAKCAQEAz6hOJXuUKHUgPjV50NSBSNF1nAQw8EAzXEOqjEnEgmm6DxQi
-65QvRO9Cdnhnl9r/1A00KRDsUOHxlxH5NPzHSY51hgDveYxCJzSfg7nsX6z+URIq
-8ig368gNHesYkG/2tjO1Lg4MT4MmX1cr1O0h3m7nuN9e7+TchiXkZ5Dd/6JzaXY6
-VrvS3vQ6npwUNkiE4KOzbFbDbKoZ09Y4No38SfDl84u/+ib7sccHgqA8a/iniiFY
-hQKjZcrn3siL6MHYx05SUbzf/Vpfv4z4h5hXCMiHNaPBFB8zPQBCFrQdg3hy+tnu
-y1SW4zF7CwJE4IHNwZBhNnFhTgWNHyeEfgClgwIDAQABAoIBAHXoftbRoIKIXtJz
-0sM8plwOctUvnAoOqhsNYN1fVXEnTzoYmOtirKRbpkVWgJu9Ad4J0UAwF76lTGQX
-FIV9sjqV5S09grxlY3qXaquE+i4pMA4gXro5E+eRI8GFJ+F7cX5rRcjsuRi8wyEH
-gh/YtY5zMqfKTUGxlXWmNlaH70WilianuMPNXwaKgyBGcfZdheyUggM0rYEJrG1Z
-PZqNo0JKfeI4htpENDp0k1xJ9lCjIqdNw0ZjBi+pL6hF5PYaPjlVC2yn5CzRaT1D
-nUeKUK+SVES4sPrEQtaOlk86uZC4pIz5IlEoSvaw/Yo3Gk1sQKIQMMh1crhHd0El
-U831KwECgYEA7fQY+aFk3fHabwgf9gjuPKgwetVQ8jNDWUiSqffHUC0AQfKZQQsF
-mXJeSRZomPCWG3DRz1EcqXr9f82bN295I0CI6foXZgKUmjed7Bohc0HvUqNOi2qm
-MdbdWBOaH4RBzi1fAENJZnprmq65jQ/tkfCwqIz4KaLt+8xiWmU2h6ECgYEA32gB
-UbCzs1LoJC03uGHqZFRWK/YNKOKBUw58XCnzPTA+34UupI88lPj8LD269tDtruRy
-G7wt4HjayPKtK430nKAl01IXq6ULBTByu3KrCOm/gTAycVMj4ZimTn7Qu9jyv4Lz
-Ka3rBQxB+yQWfn27dc7U+EBsA7PT53NR6Zl8CqMCgYALJYod93+AHho7ZUgKAHUY
-hlBvEJsQHXKkNhAYwjCmAtWmQTUIpPmILKFaDyCrOWnusyRA7+3FyqshV4JT4Hbu
-PdGsFDkQYEKRztUpADhc69PILTo6sa5DW2tW+uQXYdyrSdjPbFd943Iy9sheYUah
-tYKxApmFacp4JyTcUy1wwQKBgA44xLy6jvX/dR+4cS+frBgu9j1eMIBFyw3Kgkgr
-s3xVserww4NeSvEA2KzIUTqdGkRj7o+tbw43I1ZffH6lTskZuM63DyKyIv11lBgy
-uIicuMA0nUFxlXsrCIs+r3MF4I4oe+pPVALCQQEHzxbGUkSxogUbtMSXkgnN4Y0J
-ZEgZAoGAfo0nv/IeKi0KkKiPTQSGVWGAQyCpGE0UQ2RYYToT84kjXs+LrVGFH2lu
-LJvyYnSnM7eKqCFKh+kLQ3bezum56y5XTyAEipTmu7Lhp0CiVjSdnu+0QykmhKsx
-Z17Ut2ryGKOXySnlMNual4eCLq98o0iOcYPq08V6x33dhK7Z3kU=
+MIIEpQIBAAKCAQEA6Kj20o6QRKNm6ZOEO+3VoXJ08M80CE2siifxoK9kzEVAFexq
+azUs4vjtQpAR44lwNRDWz3Q/Tm8DBf5PA4DacEOGBUF7xz5GwFF8RGbFyzMrt2CP
+nKuPBskWtQk96bTgoQ+etHsulPmzv7PWf6lliv0fIlO9gl3dz3rx+ujBBb3yaAQk
+b3GzYt9qpNXdERLUH28h5AZaHrgNKsXpfL8dj6fcx5IwZndQmhdLphkjG8Y13uF4
+H/bHG/dW/RM3IaKSY/xnmJuA3mOfuZCRT1Iz1DNBvZljWbcOf3dxsnnDcBd4KWEm
+GjN7pS+FWzh78BK4lvpv00swvh4HQEwJkPrpjwIDAQABAoIBAQCGhpwg5znX1jt9
+N0SwejaaIVoom0ZUvsTTJYF7Da9UxX3mr0phLuADZTea0z7kt+VfaZsrXOX17g5r
+er4pImorm390roZpkELMlNEro9keQzo1z+l6B2Ct5bvxdaSM638u4Z88cDVhAnjC
+kbOnIUWLdgx4hr7/EFNe0pH0KHzjWfS4YMUXZFYER3W+lQ68j3U/iFdCsMdABrLV
+BnKozAUOWTHeZc+8Ca0MFWChrj9b2DCs2M0ASgAx5s9CNo1dIbqwJmb7OLlwm3G+
+Xx0JzN7eOOZdiFSPcyNoRwE6rKvrs2GtQ9LqWdkvVEuFjyIkl97cnoOkRIj5bAvN
+DfjfjmeBAoGBAP9rdEPjprVbEeAS+acLc/6oWlGqo23nO31IuUWHT10yxf0E5FIp
+waLJchqT+jD5tYehfZ1+OVtYiWWKBJIXnVK+a4rc/GIRWX/BRHMtWeenv7wR72pt
+1GRxp7yTZtj1AeJhuXcSHpntAo0kG6gHC/+FvbrNgyuSYn9siIa+C5RhAoGBAOkw
+RgOX7hXYzOSATbKZcnNFdPECYaBDjXV/Rcg966Ng4UcxWl3vJRYf3A55ehmc2Jdm
+CSqt6CrsR/RxKrljsCe7gD/GGEktV7fknnXC5Bfx3hUXQ4rATLx8xwlae+wc+ANM
+eaY1HB0KOGGGH2kT4l4UFChgnfpZN+vpel/cFkPvAoGBAJPqZZVfQ87o44wxUPSl
+FFKYql17BVQDQhdGw0x5lMNzQOdLKvJODj44jOTJZ21vXuoh4n4PeCXnOwJbkFQO
+auRdNChh26LrSzpJ8VsGG3elVMsUU+L9oa9dhncVoczo7mNslpxXGPOpJv4XuBBx
+rEgY6oxAscLM7k++yb3GVyxhAoGBAMK6lT0a+q8zxKZsnnWuvmyUa/t3SZ9TyiV8
+iwGU89oTZQzWoegfdJDtOg68UsJgwF5tzundICv39H6kolD+dnQ3l/mpq04wlzfx
+qoIcpe15BUQHkVelDm+4o12kOigKaPIYQt4RK9D0X/DQ2BofiMGXct3lEQemyZQv
+/Qlf+RfxAoGABBRf9DcyA/RdmTszqebfPPNmx7iHaNbrZ3Xbvyv3P5LkzXlFLTvA
+hDz/UqnVM7Bwe1OGeJYkXfmijRjpJ+U8dteb2YzZ3tnlzKwifz+051/LcjavX9X2
+5PuEB2Y65V0OWImIFVlLnp3MRyE4bImveBliWrTRQUVsxQt2WIDgThw=
 -----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/strongswan.conf
index 572cf39cb..dd2df0670 100644
--- a/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/strongswan.conf
index 572cf39cb..dd2df0670 100644
--- a/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/ipsec.d/certs/carolCert.pem
index 2990d6a12..69e5c05e3 100644
--- a/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/ipsec.d/certs/carolCert.pem
+++ b/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/ipsec.d/certs/carolCert.pem
@@ -1,25 +1,25 @@
 -----BEGIN CERTIFICATE-----
-MIIELDCCAxSgAwIBAgIBATANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJDSDEZ
+MIIELDCCAxSgAwIBAgIBBjANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS
-BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTA1MDMyMzA3MDQyM1oXDTEwMDMyMjA3MDQy
-M1owWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP
+BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTEwMDQwNzA5MjA1N1oXDTE1MDQwNjA5MjA1
+N1owWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP
 BgNVBAsTCFJlc2VhcmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCC
-ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM+oTiV7lCh1ID41edDUgUjR
-dZwEMPBAM1xDqoxJxIJpug8UIuuUL0TvQnZ4Z5fa/9QNNCkQ7FDh8ZcR+TT8x0mO
-dYYA73mMQic0n4O57F+s/lESKvIoN+vIDR3rGJBv9rYztS4ODE+DJl9XK9TtId5u
-57jfXu/k3IYl5GeQ3f+ic2l2Ola70t70Op6cFDZIhOCjs2xWw2yqGdPWODaN/Enw
-5fOLv/om+7HHB4KgPGv4p4ohWIUCo2XK597Ii+jB2MdOUlG83/1aX7+M+IeYVwjI
-hzWjwRQfMz0AQha0HYN4cvrZ7stUluMxewsCROCBzcGQYTZxYU4FjR8nhH4ApYMC
-AwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSL
-qNn96rsWg0kOJY/cyXD2JpnPIjBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOio9tKOkESjZumThDvt1aFy
+dPDPNAhNrIon8aCvZMxFQBXsams1LOL47UKQEeOJcDUQ1s90P05vAwX+TwOA2nBD
+hgVBe8c+RsBRfERmxcszK7dgj5yrjwbJFrUJPem04KEPnrR7LpT5s7+z1n+pZYr9
+HyJTvYJd3c968frowQW98mgEJG9xs2LfaqTV3RES1B9vIeQGWh64DSrF6Xy/HY+n
+3MeSMGZ3UJoXS6YZIxvGNd7heB/2xxv3Vv0TNyGikmP8Z5ibgN5jn7mQkU9SM9Qz
+Qb2ZY1m3Dn93cbJ5w3AXeClhJhoze6UvhVs4e/ASuJb6b9NLML4eB0BMCZD66Y8C
+AwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBTE
+AO+W2V1eu0sjCQcfemzz9lSRvTBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p
 891UIKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3
-YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBDDAfBgNVHREEGDAWgRRj
+YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBIDAfBgNVHREEGDAWgRRj
 YXJvbEBzdHJvbmdzd2FuLm9yZzA3BgNVHR8EMDAuMCygKqAohiZodHRwOi8vY3Js
-LnN0cm9uZ3N3YW4ub3JnL3Jlc2VhcmNoLmNybDANBgkqhkiG9w0BAQUFAAOCAQEA
-FNPepmta0ac9TWe7Gl31fKkuf6ZiQftMwx/uq6PoX9PBVGeooktJMo+EiROQhL3N
-Zomtl2nLfxYruXPHa7YaMWyv4+3NkV9p7jseC1K/2lCXipY4Vp8u14hqlRLCTejp
-7uC/0+628e+qXlCm8wafDb9/JXzQar7rADhoLp7gJKI2PKMAzLUP2xZVzY5zx57G
-+OCR/ZXonVeAPy9/0g9N8uQzJEXOVZYMjsoRra9rdlvnY1DgDoAK7QvJMC4VzENm
-wKmz2rPrBlKaEcivubg7dwPMGNmb3f7F7w0HHuRbQd5Y0nDfEWBKCp0bVx1GLc7/
-MWjwPJs52qVJ3Ph++EF6bw==
+LnN0cm9uZ3N3YW4ub3JnL3Jlc2VhcmNoLmNybDANBgkqhkiG9w0BAQsFAAOCAQEA
+ajgFI8Kz611i0Ihu8+M1C2W1kFbL4EoYyon3trjRZ3Iqz6ksf9KSKCS6Fiylq4DG
+il0mtMtlP+HKcXzRgSY96M4CO73w26liwmZsFBNaZKI/5vKRPPLyU9raGshfpBeC
+CywZ4vcb+EViIPstzOYiK5y/1tSGsMEdnlX2JZsJAKhbLRTmC02O3MbGGBQQq1eU
+n1xkR8pndTWTJmFZ61fZlUMSwLgLF9/VchAa7cIdEA044OCtTdabiYoyLFmqDutq
+8GYvWOzLf2qOKcRxkHxPfeJDrWOLePEYnaMkSBkUKAUIkI+LaJbWF3ASTGgHqh2/
+pwU12A3BovJKUaR0B7Uy2A==
 -----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/ipsec.d/private/carolKey.pem
index b91f9bf81..53e18680b 100644
--- a/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/ipsec.d/private/carolKey.pem
+++ b/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/ipsec.d/private/carolKey.pem
@@ -1,27 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEogIBAAKCAQEAz6hOJXuUKHUgPjV50NSBSNF1nAQw8EAzXEOqjEnEgmm6DxQi
-65QvRO9Cdnhnl9r/1A00KRDsUOHxlxH5NPzHSY51hgDveYxCJzSfg7nsX6z+URIq
-8ig368gNHesYkG/2tjO1Lg4MT4MmX1cr1O0h3m7nuN9e7+TchiXkZ5Dd/6JzaXY6
-VrvS3vQ6npwUNkiE4KOzbFbDbKoZ09Y4No38SfDl84u/+ib7sccHgqA8a/iniiFY
-hQKjZcrn3siL6MHYx05SUbzf/Vpfv4z4h5hXCMiHNaPBFB8zPQBCFrQdg3hy+tnu
-y1SW4zF7CwJE4IHNwZBhNnFhTgWNHyeEfgClgwIDAQABAoIBAHXoftbRoIKIXtJz
-0sM8plwOctUvnAoOqhsNYN1fVXEnTzoYmOtirKRbpkVWgJu9Ad4J0UAwF76lTGQX
-FIV9sjqV5S09grxlY3qXaquE+i4pMA4gXro5E+eRI8GFJ+F7cX5rRcjsuRi8wyEH
-gh/YtY5zMqfKTUGxlXWmNlaH70WilianuMPNXwaKgyBGcfZdheyUggM0rYEJrG1Z
-PZqNo0JKfeI4htpENDp0k1xJ9lCjIqdNw0ZjBi+pL6hF5PYaPjlVC2yn5CzRaT1D
-nUeKUK+SVES4sPrEQtaOlk86uZC4pIz5IlEoSvaw/Yo3Gk1sQKIQMMh1crhHd0El
-U831KwECgYEA7fQY+aFk3fHabwgf9gjuPKgwetVQ8jNDWUiSqffHUC0AQfKZQQsF
-mXJeSRZomPCWG3DRz1EcqXr9f82bN295I0CI6foXZgKUmjed7Bohc0HvUqNOi2qm
-MdbdWBOaH4RBzi1fAENJZnprmq65jQ/tkfCwqIz4KaLt+8xiWmU2h6ECgYEA32gB
-UbCzs1LoJC03uGHqZFRWK/YNKOKBUw58XCnzPTA+34UupI88lPj8LD269tDtruRy
-G7wt4HjayPKtK430nKAl01IXq6ULBTByu3KrCOm/gTAycVMj4ZimTn7Qu9jyv4Lz
-Ka3rBQxB+yQWfn27dc7U+EBsA7PT53NR6Zl8CqMCgYALJYod93+AHho7ZUgKAHUY
-hlBvEJsQHXKkNhAYwjCmAtWmQTUIpPmILKFaDyCrOWnusyRA7+3FyqshV4JT4Hbu
-PdGsFDkQYEKRztUpADhc69PILTo6sa5DW2tW+uQXYdyrSdjPbFd943Iy9sheYUah
-tYKxApmFacp4JyTcUy1wwQKBgA44xLy6jvX/dR+4cS+frBgu9j1eMIBFyw3Kgkgr
-s3xVserww4NeSvEA2KzIUTqdGkRj7o+tbw43I1ZffH6lTskZuM63DyKyIv11lBgy
-uIicuMA0nUFxlXsrCIs+r3MF4I4oe+pPVALCQQEHzxbGUkSxogUbtMSXkgnN4Y0J
-ZEgZAoGAfo0nv/IeKi0KkKiPTQSGVWGAQyCpGE0UQ2RYYToT84kjXs+LrVGFH2lu
-LJvyYnSnM7eKqCFKh+kLQ3bezum56y5XTyAEipTmu7Lhp0CiVjSdnu+0QykmhKsx
-Z17Ut2ryGKOXySnlMNual4eCLq98o0iOcYPq08V6x33dhK7Z3kU=
+MIIEpQIBAAKCAQEA6Kj20o6QRKNm6ZOEO+3VoXJ08M80CE2siifxoK9kzEVAFexq
+azUs4vjtQpAR44lwNRDWz3Q/Tm8DBf5PA4DacEOGBUF7xz5GwFF8RGbFyzMrt2CP
+nKuPBskWtQk96bTgoQ+etHsulPmzv7PWf6lliv0fIlO9gl3dz3rx+ujBBb3yaAQk
+b3GzYt9qpNXdERLUH28h5AZaHrgNKsXpfL8dj6fcx5IwZndQmhdLphkjG8Y13uF4
+H/bHG/dW/RM3IaKSY/xnmJuA3mOfuZCRT1Iz1DNBvZljWbcOf3dxsnnDcBd4KWEm
+GjN7pS+FWzh78BK4lvpv00swvh4HQEwJkPrpjwIDAQABAoIBAQCGhpwg5znX1jt9
+N0SwejaaIVoom0ZUvsTTJYF7Da9UxX3mr0phLuADZTea0z7kt+VfaZsrXOX17g5r
+er4pImorm390roZpkELMlNEro9keQzo1z+l6B2Ct5bvxdaSM638u4Z88cDVhAnjC
+kbOnIUWLdgx4hr7/EFNe0pH0KHzjWfS4YMUXZFYER3W+lQ68j3U/iFdCsMdABrLV
+BnKozAUOWTHeZc+8Ca0MFWChrj9b2DCs2M0ASgAx5s9CNo1dIbqwJmb7OLlwm3G+
+Xx0JzN7eOOZdiFSPcyNoRwE6rKvrs2GtQ9LqWdkvVEuFjyIkl97cnoOkRIj5bAvN
+DfjfjmeBAoGBAP9rdEPjprVbEeAS+acLc/6oWlGqo23nO31IuUWHT10yxf0E5FIp
+waLJchqT+jD5tYehfZ1+OVtYiWWKBJIXnVK+a4rc/GIRWX/BRHMtWeenv7wR72pt
+1GRxp7yTZtj1AeJhuXcSHpntAo0kG6gHC/+FvbrNgyuSYn9siIa+C5RhAoGBAOkw
+RgOX7hXYzOSATbKZcnNFdPECYaBDjXV/Rcg966Ng4UcxWl3vJRYf3A55ehmc2Jdm
+CSqt6CrsR/RxKrljsCe7gD/GGEktV7fknnXC5Bfx3hUXQ4rATLx8xwlae+wc+ANM
+eaY1HB0KOGGGH2kT4l4UFChgnfpZN+vpel/cFkPvAoGBAJPqZZVfQ87o44wxUPSl
+FFKYql17BVQDQhdGw0x5lMNzQOdLKvJODj44jOTJZ21vXuoh4n4PeCXnOwJbkFQO
+auRdNChh26LrSzpJ8VsGG3elVMsUU+L9oa9dhncVoczo7mNslpxXGPOpJv4XuBBx
+rEgY6oxAscLM7k++yb3GVyxhAoGBAMK6lT0a+q8zxKZsnnWuvmyUa/t3SZ9TyiV8
+iwGU89oTZQzWoegfdJDtOg68UsJgwF5tzundICv39H6kolD+dnQ3l/mpq04wlzfx
+qoIcpe15BUQHkVelDm+4o12kOigKaPIYQt4RK9D0X/DQ2BofiMGXct3lEQemyZQv
+/Qlf+RfxAoGABBRf9DcyA/RdmTszqebfPPNmx7iHaNbrZ3Xbvyv3P5LkzXlFLTvA
+hDz/UqnVM7Bwe1OGeJYkXfmijRjpJ+U8dteb2YzZ3tnlzKwifz+051/LcjavX9X2
+5PuEB2Y65V0OWImIFVlLnp3MRyE4bImveBliWrTRQUVsxQt2WIDgThw=
 -----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/strongswan.conf
index 572cf39cb..dd2df0670 100644
--- a/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/ipsec.d/certs/daveCert.pem
index b76032480..91df37a81 100644
--- a/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/ipsec.d/certs/daveCert.pem
+++ b/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/ipsec.d/certs/daveCert.pem
@@ -1,24 +1,24 @@
 -----BEGIN CERTIFICATE-----
-MIIEHDCCAwSgAwIBAgIBATANBgkqhkiG9w0BAQUFADBLMQswCQYDVQQGEwJDSDEZ
+MIIEHDCCAwSgAwIBAgIBBTANBgkqhkiG9w0BAQsFADBLMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEOMAwGA1UECxMFU2FsZXMxETAPBgNV
-BAMTCFNhbGVzIENBMB4XDTA1MDMyMzA3MTAxN1oXDTEwMDMyMjA3MTAxN1owVjEL
+BAMTCFNhbGVzIENBMB4XDTEwMDQwNzA5NDI0MVoXDTE1MDQwNjA5NDI0MVowVjEL
 MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsT
 BVNhbGVzMRwwGgYDVQQDFBNkYXZlQHN0cm9uZ3N3YW4ub3JnMIIBIjANBgkqhkiG
-9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyqAR0itGIuSt/RR8IHjFTLH/lywprmHUw0GS
-zZwo/q4AE4v6OeWRG3JUUg44K40yBwr7zvcsLztRTfbNqlt7o+Hjpo3kz0AMwDo+
-1V42Qkh61VJW1P0NQvkgjiQn+ElSMg1u3uiYCIMAhYMYo2ZMKxHXxRqjU79AVuJN
-P3p8wUpfwReImAy3/n685YbSzWcbPqCfjRH/YrnYS8Ga7m/QzdNfrtxhAWAGow1+
-+eTSMvLXSkQeujU6OCJNOPUNB3nnJ1IoZrQm8wNP8Y5B5HzvOSyFEvNuHFc63gSP
-aSRhuz0gubuMpr1d9Rgjny8JgsfCEbOktlKwnbFeSB8AAgVMjwIDAQABo4H/MIH8
-MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSCy57rUdNRbytUkRGY
-GjmjvXfIszBtBgNVHSMEZjBkgBRfmxNG+SByyADViLWnTC6X6guTKKFJpEcwRTEL
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEAztqGSb3H9Xh6I4xiDkmsN5WRjKnEQfSRZsSi
+0umR7a1jysVvMgLKnmk2hAMJkDTjBXndEemnLiXemxNq4Wp3x0ZgpNWC6y1klZY6
+J7T76/4YhpIIs8HA1+ZiIAEhYCkeqy/ULPk0qa6yK6Ma2FKLEC4wz6OBbjhctqLz
+VsxxKDkLaivnJ16bX8CCNsCq86Ba64m6K1Mpsev5RKnOz0Ey1WwBhgLmipZRgAMH
+K6yPTRaOccvFVrOpi1bfprKXkrCYt6sQoDjbfheZ/tKyW2iJ+WbH0lsA4NbPi1s/
+5/rOIH+16CGfanXiZvZ7NbxLyb8ffPIXFxDTqiS8wFreRZR85wIDAQABo4H/MIH8
+MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBRnEIHshwPhDDGr3xLV
+MnUEbroVIjBtBgNVHSMEZjBkgBRfmxNG+SByyADViLWnTC6X6guTKKFJpEcwRTEL
 MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT
-EnN0cm9uZ1N3YW4gUm9vdCBDQYIBDTAeBgNVHREEFzAVgRNkYXZlQHN0cm9uZ3N3
+EnN0cm9uZ1N3YW4gUm9vdCBDQYIBITAeBgNVHREEFzAVgRNkYXZlQHN0cm9uZ3N3
 YW4ub3JnMDQGA1UdHwQtMCswKaAnoCWGI2h0dHA6Ly9jcmwuc3Ryb25nc3dhbi5v
-cmcvc2FsZXMuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQB+BknSxFKaDhbRVobOAU2P
-p9cirkVCitoZrvK2QIS/7WRoqy85RQ+zorJb3jyTxQl4Pu9Qrap9Zn0H8GQXGlQw
-ZJqdDqRaIa4nCc57qP5DsuQKIQRxc1QMCiWyIRAESn+r8IbxLbjvEd7ZXNsieip6
-Q15uUZldjTveHVi89i9oFWS1nWo4SV+tJaEqPBvsTZZKBPAEu6+7lRzbJ4ukzRsA
-DjuvmaPNUTyf21fD66I4sgrwgxoPhZ7r6qsqISJ5f0EzTXgYNi1yk/TXoAaot3c/
-Gu5+iyO/espV6kPADSOzPSFwsGHYG4kXi1VY0Z7x6UnjQSdEelOBplJ5XYDzEn4+
+cmcvc2FsZXMuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQB5H5jjp9LvEDyJp/3x7Caq
+OhIBSl5n3g7Oi1gXT5GHLBh9/l5i6Swk1eey2oMzpHgsdDogLytlvzRKXupJAZt5
+xWab5I7BfichRCV4bOutN/F8DiNChG0SnYEBizRi5K06LAadtDT0NLv7iE/I49Nb
+E8OdqnET1zHq82mbtVZCEzmRe+cmlB7EeECED+GxTOnYLRWeKg+AWIE4/fLN7s0e
+q94lSUtym71LZ9kmMMAHkIyEbblvVIa7k5j4T6j0XwPPcYVMSjogqeze+qbf3EQ+
+JkRlGdzL/17ToLWYnVwkLqQDn6B+RfwnPk2EXndutPrNz6C3Wy7zNNniciAtXAq+
 -----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/ipsec.d/private/daveKey.pem
index 022436de4..86740e86a 100644
--- a/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/ipsec.d/private/daveKey.pem
+++ b/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/ipsec.d/private/daveKey.pem
@@ -1,27 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEAyqAR0itGIuSt/RR8IHjFTLH/lywprmHUw0GSzZwo/q4AE4v6
-OeWRG3JUUg44K40yBwr7zvcsLztRTfbNqlt7o+Hjpo3kz0AMwDo+1V42Qkh61VJW
-1P0NQvkgjiQn+ElSMg1u3uiYCIMAhYMYo2ZMKxHXxRqjU79AVuJNP3p8wUpfwReI
-mAy3/n685YbSzWcbPqCfjRH/YrnYS8Ga7m/QzdNfrtxhAWAGow1++eTSMvLXSkQe
-ujU6OCJNOPUNB3nnJ1IoZrQm8wNP8Y5B5HzvOSyFEvNuHFc63gSPaSRhuz0gubuM
-pr1d9Rgjny8JgsfCEbOktlKwnbFeSB8AAgVMjwIDAQABAoIBAHKaRFoVpa6Ynpu0
-mVwYUqdFSaVsEgsSRC9HiEuIllsteNeVZSqX4BGhAXYDmttvGauIF9IAVNpF939c
-JwjCg1S2r3aFbLOXq16R0vYFOjUVH3xF/NysX3LQywv6AS1Z8wZiOKIU9eBij8nz
-0tygQFZf2iUeIuB8HFzH1B8iHSuI7qn6hh1Y9Zgx4kWYL9I+WYefbR906xveHVGq
-8VrgHtBAn1WeWg7FoN1VURW0s1bxkiWtpF9x9OMmwK4qR8HSCilss59V1eJrAAR0
-3FGdWwbbGg9hW0adnyDCtoaYW3r0WcXwqklyas4C+dClOpUInn8kZisoghQYT92u
-U2QeDzECgYEA5Rv7+rP9HX1pNd9NQwOyIHztv4jfx60gybioogtCeRZUwPQ3GtXJ
-Q0ouBxCVLdyCImIKcvd2q2b9HZE8tvOHBA/YxofH4miEN5GWA4aL+LcGrxIbxPWs
-MEkxgQwsyK7lWH47fG7eW86LMx0VikFXS1EeeZZS3f3Avaww1uRtXecCgYEA4mhS
-sAClZamGVWQ7VXCHuS4xHn/gPA4TCyoR5l9g9pwregGKxsROQVIFQCDMd9eTtS6B
-oqoUTHdg0TlujHVUojdwHtgDaqDMTk+RXD9qy2Wob9HQVBlIwgijoLb+OjwdoAj7
-1OQx8FmMjAlMmlyJ50e1FnbNJFEJ1EMgV5QxtxkCgYEArdUeyehYy1BFTJ/CIm+i
-bm37gdDbYchlUUivgkuiwvcDlWd2jADbdRfKdofJeIOPpYDXxsUmIATDVfTFqVZ7
-AcT4SCHrskh00SjANqqWdz5/bsQBl96DKBvQ2MYhEJ9K2mrkvZPtWKENEtolZsIO
-9tF0mvJIq7CF1iPY5qNoq88CgYEAoZhELErJwl3U+22my7ydopZNiK9MpJCHFxjX
-3c2Fr36XqWUgX+4MzKJ2DOdcCM1dJ5wh+q/Z/RnXiH2tYaL83SskY19aUOij6eDw
-px68YqAUMHtYbi39uD/iSftSSM5PdsHyvGiDHEFOB0U735Dc/K45mecBVEJi+ZVP
-qDKlqUECgYA1DcGOWM3P3XdB7zKy47LcankMtFZozEOLTUdGJRlmWrLdcRlZPKjt
-/ALripehesp1++VtmttWQJX7uI3gveD07/tSKeMHmIoKappjRTrcaA7Pa5+z/xS/
-UhRmZUFOJwNLzy3jdv5f2c/5SIz6o4Ae3I+Zb+IapHL+lBv146/I5g==
+MIIEpQIBAAKCAQEAztqGSb3H9Xh6I4xiDkmsN5WRjKnEQfSRZsSi0umR7a1jysVv
+MgLKnmk2hAMJkDTjBXndEemnLiXemxNq4Wp3x0ZgpNWC6y1klZY6J7T76/4YhpII
+s8HA1+ZiIAEhYCkeqy/ULPk0qa6yK6Ma2FKLEC4wz6OBbjhctqLzVsxxKDkLaivn
+J16bX8CCNsCq86Ba64m6K1Mpsev5RKnOz0Ey1WwBhgLmipZRgAMHK6yPTRaOccvF
+VrOpi1bfprKXkrCYt6sQoDjbfheZ/tKyW2iJ+WbH0lsA4NbPi1s/5/rOIH+16CGf
+anXiZvZ7NbxLyb8ffPIXFxDTqiS8wFreRZR85wIDAQABAoIBAQCZSpoP1cN0Zvbk
+lykne3NTsdSuEDUvx4VlSj173bnWEBOO9idEQYtUP5Y12GZi5r6ClV+94ZCSA2Bn
+PcmMCTGAjOgb31po3DfZHv4z5Mx4g9I7D8fBJsm5dbKsEwpfz7k5lXVAauGbCaph
+6jp/qxQBRqnHhlzpiH00n6eDYHhPHDoFHe+vGbnjWzJKsvs6EZiXpfJ/WKd1eQah
+sGF7g+9qV5xqwshCBKf25LZ2XjdvZDt78HS4hsSaStnemetK9NVJGJqmLzehQ16m
+RXAr8Ybk9g7/MSFhpwGPGjcqm2/szL4Cs9IMtYSxiroY3QL+DZydG9+K9g5NF7lX
+lbEX9HXRAoGBAOduCSLaoEJsgZathny9kSsBtDmTAuiVZukqRdMjDN2I0kOsRsIw
+CEF1DIvFsX7nfHkKve8+XyTc05y7LTXmX1AEjMgzFel7uy5HjS7AsJZgTippC8g/
+l2jGq+s59zATNZ2el9Q9dbeK2lBdrVy+jqNITdQge9BigFfhWbkAGFRPAoGBAOTQ
+if2+Yrh0zDPO53I6kShehaZvNtPmQxmmhvH4HGMY8EyRajFOSMpV1w3VYDuTA47v
+yol+90BWMY8ZslrXq+Bmwx2ocSc2feyUYcJoOoRL/b+b1lY2Vnog3Hs5BQLsULzH
+dwkEuK8wjjw1g4ksuIMbX/X9nEvJs0xemzh7Ju/pAoGACNI24u82YJHGNroSgDqx
+h9QezHsAB2F6dLS5yJxzZxZJ/W5ZnBk8l1Ig0ksMwuuL4Qk5yB62fa81GapAxOct
+Bt3Fh/P6h9XBgrgTd468rF6rXA549n8GBGZeMy8Ybuqshn9/BgX5sK9INvv7Gafh
+w/ODk+xRC9ZVUgQy6UxJoR0CgYEAybmYjl40xo4iIWK95ZUAuGhsx8iwu6v7aDfK
+LLUiwbMQ11A0IPf1cHyxNf7x8lOwBWoeU43eCZhz5Mcw2KnfW9z9E76W041VAyfl
+7/DX9h7QvQZ0tlj9cHpcJz6jzmns3CG2Lfs9nyXdn/NF3b/Rg7S0qzhFfQN70U5u
+5iKct1ECgYEAmR/0IbYGh1YJ7Z9im44MTSz6H7bTnmIDjM3/+IVydSVgFbzcoVG6
+4sQ5fIViMLtz9PHDRRKbs8TBzpy7C/wC1qRqpq9I17INSQzvm3DpZ2PlR0SeN2dA
+fO9XtkE73cEff/gI7JWOouy/vczizfRemnWlNK5Ui29Fe0QlGC9TyX0=
 -----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/strongswan.conf
index 572cf39cb..dd2df0670 100644
--- a/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem b/testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem
index 154cff654..d53365f78 100644
--- a/testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem
+++ b/testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem
@@ -1,7 +1,7 @@
 -----BEGIN CERTIFICATE-----
-MIIDwTCCAqmgAwIBAgIBDzANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
+MIIDwTCCAqmgAwIBAgIBIDANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA1MDYyMTE5NTgwNloXDTEwMDYyMDE5NTgwNlowUTELMAkGA1UE
+b290IENBMB4XDTEwMDQwNjA5NTM1MFoXDTE5MDQwNDA5NTM1MFowUTELMAkGA1UE
 BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
 cmNoMRQwEgYDVQQDEwtSZXNlYXJjaCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP
 ADCCAQoCggEBALY5sjqm4AdbWKc/T7JahWpy9xtdPbHngBN6lbnpYaHfrxnGsvmD
@@ -13,11 +13,11 @@ C+25IuE8Nq+i3jtBiI8BwBqHY3u2IuflUh9Nc9d/R6vGsRPMHs30X1Ha/m0Ug494
 BTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU53XwoPKtIM3NYCPMx8gPKfPd
 VCAwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNV
 BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJv
-bmdTd2FuIFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQEEBQADggEBAHArS2trQnBoMVcg
-Br3HV78wYsa1MNAQCBAPhKMMd6EziO4FTwgNgecbKXpObX6ErFDgjtVTcLOMTvNX
-fvZoNuPpdcitlgcWjfxZafNbj6j9ClE/rMbGDO64NLhdXuPVkbmic6yXRwGZpTuq
-3CKgTguLvhzIEM47yfonXKaaJcKVPI7nYRZdlJmD4VflYrSUpzB361dCaPpl0AYa
-0zz1+jfBBvlyic/tf+cCngV3f+GlJ4ntZ3gvRjyysHRmYpWBD7xcA8mJzgUiMyi1
-IKeNzydp+tnLfxwetfA/8ptc346me7RktAaASqO9vpS/N78eXyJRthZTKEf/OqVW
-Tfcyi+M=
+bmdTd2FuIFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQELBQADggEBAI1toW0bLcyBXAoy
+FeLKGy4SibcNBZs/roChcwUav0foyLdCYMYFKEeHOLvIsTIjifpY4MPy3SBgQ5Xp
+cs5vOFwW97jM6YfByqjx4+7qTBqOaLMXBbeJ3LIwQyJirpqHZzlsOscchxCjcMAM
+POBGmWjpdOqULoLlwX9EFhBA2rEZB1iamgbUJ5M5eRNEubm8xR6Baw/0ORz/tt+t
+xC9jxcjHoJnOFV0ss7Xs3d32PqhvKGgBxjVLZyq3zD/rMG2xXVyKPU46zelMCP1U
+dsM62tL1cwAi4soka02GQrP/rwBhHt22bJMN4gNs5NSvhTdjjgwVYzLu63IFYBvW
+8sFmiZI=
 -----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem b/testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem
index e50477872..a10a18cba 100644
--- a/testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem
+++ b/testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem
@@ -1,7 +1,7 @@
 -----BEGIN CERTIFICATE-----
-MIIDuzCCAqOgAwIBAgIBDTANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJDSDEZ
+MIIDuzCCAqOgAwIBAgIBITANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA1MDMyMzA2MjkxNloXDTE0MDMyMTA2MjkxNlowSzELMAkGA1UE
+b290IENBMB4XDTEwMDQwNjA5NTQzM1oXDTE5MDQwNDA5NTQzM1owSzELMAkGA1UE
 BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsTBVNhbGVz
 MREwDwYDVQQDEwhTYWxlcyBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
 ggEBAMJOTSaZjDe5UR+hJbodcE40WBxWm+r0FiD+FLc2c0hH/QcWm1Xfqnc9qaPP
@@ -13,10 +13,10 @@ vPAqzrekOI/RV9Hre9L1r8X1dIECAwEAAaOBrzCBrDAPBgNVHRMBAf8EBTADAQH/
 MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUX5sTRvkgcsgA1Yi1p0wul+oLkygwbQYD
 VR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNI
 MRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2Fu
-IFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQEFBQADggEBAJ7j3X20Q8ICJ2e+iUCpVUIV
-8RudUeHt9qjSXalohuxxhegL5vu7I9Gx0H56RE4glOjLMCb1xqVZ55Odxx14pHaZ
-9iMnQFpgzi96exYAmBKYCHl4IFix2hrTqTWSJhEO+o+PXnQTgcfG43GQepk0qAQr
-iZZy8OWiUhHSJQLJtTMm4rnYjgPn+sLwx7hCPDZpHTZocETDars7wTiVkodCbeEU
-uKahAbq4b6MvvC3+7quvwoEpAEStT7+Yml+QuK/jKmhjX0hcQcw4ZWi+m32RjUAv
-xDJGEvBqV2hyrzRqwh4lVNJEBba5X+QB3N6a0So6BENaJrUM3v8EDaS2KLUWyu0=
+IFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQELBQADggEBACRlTqXMjHy7r7rWnq/09yFn
+Td6d+y6KkHj9kvYSA5q7xYdmP3I4+YP2qpPnYjSeyfMCl4ZIyMXnfUbz5OvuXp4S
+CS0gIUJ6mK6+5f1a3USdB4Ce0Od4mkUIQmLzKFCRSqdhWoVzNJrl+BT1a5d9+aLW
+AL5S2pqUoQPgG64MPghy3SyUb4qBeplk3JdR/6OgA5LQeNtLiI7Y/dbMM2Rvn284
+RIIxp2TqN2Hup6BNLHv6fLixdJpM+nG7ZjGYf+7dnuY6ZDhvIt18zr/2n1ELBQPh
+M5SjYhGQIZVmNzNDrKGVAKta5LG8BwBGi0uXc9fBXWRcffI3N1/IZj/ob5t3WCg=
 -----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/strongswan.conf
index 572cf39cb..dd2df0670 100644
--- a/testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/ipsec.d/certs/carolCert.pem
index 2990d6a12..69e5c05e3 100644
--- a/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/ipsec.d/certs/carolCert.pem
+++ b/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/ipsec.d/certs/carolCert.pem
@@ -1,25 +1,25 @@
 -----BEGIN CERTIFICATE-----
-MIIELDCCAxSgAwIBAgIBATANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJDSDEZ
+MIIELDCCAxSgAwIBAgIBBjANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS
-BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTA1MDMyMzA3MDQyM1oXDTEwMDMyMjA3MDQy
-M1owWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP
+BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTEwMDQwNzA5MjA1N1oXDTE1MDQwNjA5MjA1
+N1owWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP
 BgNVBAsTCFJlc2VhcmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCC
-ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM+oTiV7lCh1ID41edDUgUjR
-dZwEMPBAM1xDqoxJxIJpug8UIuuUL0TvQnZ4Z5fa/9QNNCkQ7FDh8ZcR+TT8x0mO
-dYYA73mMQic0n4O57F+s/lESKvIoN+vIDR3rGJBv9rYztS4ODE+DJl9XK9TtId5u
-57jfXu/k3IYl5GeQ3f+ic2l2Ola70t70Op6cFDZIhOCjs2xWw2yqGdPWODaN/Enw
-5fOLv/om+7HHB4KgPGv4p4ohWIUCo2XK597Ii+jB2MdOUlG83/1aX7+M+IeYVwjI
-hzWjwRQfMz0AQha0HYN4cvrZ7stUluMxewsCROCBzcGQYTZxYU4FjR8nhH4ApYMC
-AwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSL
-qNn96rsWg0kOJY/cyXD2JpnPIjBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOio9tKOkESjZumThDvt1aFy
+dPDPNAhNrIon8aCvZMxFQBXsams1LOL47UKQEeOJcDUQ1s90P05vAwX+TwOA2nBD
+hgVBe8c+RsBRfERmxcszK7dgj5yrjwbJFrUJPem04KEPnrR7LpT5s7+z1n+pZYr9
+HyJTvYJd3c968frowQW98mgEJG9xs2LfaqTV3RES1B9vIeQGWh64DSrF6Xy/HY+n
+3MeSMGZ3UJoXS6YZIxvGNd7heB/2xxv3Vv0TNyGikmP8Z5ibgN5jn7mQkU9SM9Qz
+Qb2ZY1m3Dn93cbJ5w3AXeClhJhoze6UvhVs4e/ASuJb6b9NLML4eB0BMCZD66Y8C
+AwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBTE
+AO+W2V1eu0sjCQcfemzz9lSRvTBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p
 891UIKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3
-YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBDDAfBgNVHREEGDAWgRRj
+YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBIDAfBgNVHREEGDAWgRRj
 YXJvbEBzdHJvbmdzd2FuLm9yZzA3BgNVHR8EMDAuMCygKqAohiZodHRwOi8vY3Js
-LnN0cm9uZ3N3YW4ub3JnL3Jlc2VhcmNoLmNybDANBgkqhkiG9w0BAQUFAAOCAQEA
-FNPepmta0ac9TWe7Gl31fKkuf6ZiQftMwx/uq6PoX9PBVGeooktJMo+EiROQhL3N
-Zomtl2nLfxYruXPHa7YaMWyv4+3NkV9p7jseC1K/2lCXipY4Vp8u14hqlRLCTejp
-7uC/0+628e+qXlCm8wafDb9/JXzQar7rADhoLp7gJKI2PKMAzLUP2xZVzY5zx57G
-+OCR/ZXonVeAPy9/0g9N8uQzJEXOVZYMjsoRra9rdlvnY1DgDoAK7QvJMC4VzENm
-wKmz2rPrBlKaEcivubg7dwPMGNmb3f7F7w0HHuRbQd5Y0nDfEWBKCp0bVx1GLc7/
-MWjwPJs52qVJ3Ph++EF6bw==
+LnN0cm9uZ3N3YW4ub3JnL3Jlc2VhcmNoLmNybDANBgkqhkiG9w0BAQsFAAOCAQEA
+ajgFI8Kz611i0Ihu8+M1C2W1kFbL4EoYyon3trjRZ3Iqz6ksf9KSKCS6Fiylq4DG
+il0mtMtlP+HKcXzRgSY96M4CO73w26liwmZsFBNaZKI/5vKRPPLyU9raGshfpBeC
+CywZ4vcb+EViIPstzOYiK5y/1tSGsMEdnlX2JZsJAKhbLRTmC02O3MbGGBQQq1eU
+n1xkR8pndTWTJmFZ61fZlUMSwLgLF9/VchAa7cIdEA044OCtTdabiYoyLFmqDutq
+8GYvWOzLf2qOKcRxkHxPfeJDrWOLePEYnaMkSBkUKAUIkI+LaJbWF3ASTGgHqh2/
+pwU12A3BovJKUaR0B7Uy2A==
 -----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/ipsec.d/private/carolKey.pem
index b91f9bf81..53e18680b 100644
--- a/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/ipsec.d/private/carolKey.pem
+++ b/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/ipsec.d/private/carolKey.pem
@@ -1,27 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEogIBAAKCAQEAz6hOJXuUKHUgPjV50NSBSNF1nAQw8EAzXEOqjEnEgmm6DxQi
-65QvRO9Cdnhnl9r/1A00KRDsUOHxlxH5NPzHSY51hgDveYxCJzSfg7nsX6z+URIq
-8ig368gNHesYkG/2tjO1Lg4MT4MmX1cr1O0h3m7nuN9e7+TchiXkZ5Dd/6JzaXY6
-VrvS3vQ6npwUNkiE4KOzbFbDbKoZ09Y4No38SfDl84u/+ib7sccHgqA8a/iniiFY
-hQKjZcrn3siL6MHYx05SUbzf/Vpfv4z4h5hXCMiHNaPBFB8zPQBCFrQdg3hy+tnu
-y1SW4zF7CwJE4IHNwZBhNnFhTgWNHyeEfgClgwIDAQABAoIBAHXoftbRoIKIXtJz
-0sM8plwOctUvnAoOqhsNYN1fVXEnTzoYmOtirKRbpkVWgJu9Ad4J0UAwF76lTGQX
-FIV9sjqV5S09grxlY3qXaquE+i4pMA4gXro5E+eRI8GFJ+F7cX5rRcjsuRi8wyEH
-gh/YtY5zMqfKTUGxlXWmNlaH70WilianuMPNXwaKgyBGcfZdheyUggM0rYEJrG1Z
-PZqNo0JKfeI4htpENDp0k1xJ9lCjIqdNw0ZjBi+pL6hF5PYaPjlVC2yn5CzRaT1D
-nUeKUK+SVES4sPrEQtaOlk86uZC4pIz5IlEoSvaw/Yo3Gk1sQKIQMMh1crhHd0El
-U831KwECgYEA7fQY+aFk3fHabwgf9gjuPKgwetVQ8jNDWUiSqffHUC0AQfKZQQsF
-mXJeSRZomPCWG3DRz1EcqXr9f82bN295I0CI6foXZgKUmjed7Bohc0HvUqNOi2qm
-MdbdWBOaH4RBzi1fAENJZnprmq65jQ/tkfCwqIz4KaLt+8xiWmU2h6ECgYEA32gB
-UbCzs1LoJC03uGHqZFRWK/YNKOKBUw58XCnzPTA+34UupI88lPj8LD269tDtruRy
-G7wt4HjayPKtK430nKAl01IXq6ULBTByu3KrCOm/gTAycVMj4ZimTn7Qu9jyv4Lz
-Ka3rBQxB+yQWfn27dc7U+EBsA7PT53NR6Zl8CqMCgYALJYod93+AHho7ZUgKAHUY
-hlBvEJsQHXKkNhAYwjCmAtWmQTUIpPmILKFaDyCrOWnusyRA7+3FyqshV4JT4Hbu
-PdGsFDkQYEKRztUpADhc69PILTo6sa5DW2tW+uQXYdyrSdjPbFd943Iy9sheYUah
-tYKxApmFacp4JyTcUy1wwQKBgA44xLy6jvX/dR+4cS+frBgu9j1eMIBFyw3Kgkgr
-s3xVserww4NeSvEA2KzIUTqdGkRj7o+tbw43I1ZffH6lTskZuM63DyKyIv11lBgy
-uIicuMA0nUFxlXsrCIs+r3MF4I4oe+pPVALCQQEHzxbGUkSxogUbtMSXkgnN4Y0J
-ZEgZAoGAfo0nv/IeKi0KkKiPTQSGVWGAQyCpGE0UQ2RYYToT84kjXs+LrVGFH2lu
-LJvyYnSnM7eKqCFKh+kLQ3bezum56y5XTyAEipTmu7Lhp0CiVjSdnu+0QykmhKsx
-Z17Ut2ryGKOXySnlMNual4eCLq98o0iOcYPq08V6x33dhK7Z3kU=
+MIIEpQIBAAKCAQEA6Kj20o6QRKNm6ZOEO+3VoXJ08M80CE2siifxoK9kzEVAFexq
+azUs4vjtQpAR44lwNRDWz3Q/Tm8DBf5PA4DacEOGBUF7xz5GwFF8RGbFyzMrt2CP
+nKuPBskWtQk96bTgoQ+etHsulPmzv7PWf6lliv0fIlO9gl3dz3rx+ujBBb3yaAQk
+b3GzYt9qpNXdERLUH28h5AZaHrgNKsXpfL8dj6fcx5IwZndQmhdLphkjG8Y13uF4
+H/bHG/dW/RM3IaKSY/xnmJuA3mOfuZCRT1Iz1DNBvZljWbcOf3dxsnnDcBd4KWEm
+GjN7pS+FWzh78BK4lvpv00swvh4HQEwJkPrpjwIDAQABAoIBAQCGhpwg5znX1jt9
+N0SwejaaIVoom0ZUvsTTJYF7Da9UxX3mr0phLuADZTea0z7kt+VfaZsrXOX17g5r
+er4pImorm390roZpkELMlNEro9keQzo1z+l6B2Ct5bvxdaSM638u4Z88cDVhAnjC
+kbOnIUWLdgx4hr7/EFNe0pH0KHzjWfS4YMUXZFYER3W+lQ68j3U/iFdCsMdABrLV
+BnKozAUOWTHeZc+8Ca0MFWChrj9b2DCs2M0ASgAx5s9CNo1dIbqwJmb7OLlwm3G+
+Xx0JzN7eOOZdiFSPcyNoRwE6rKvrs2GtQ9LqWdkvVEuFjyIkl97cnoOkRIj5bAvN
+DfjfjmeBAoGBAP9rdEPjprVbEeAS+acLc/6oWlGqo23nO31IuUWHT10yxf0E5FIp
+waLJchqT+jD5tYehfZ1+OVtYiWWKBJIXnVK+a4rc/GIRWX/BRHMtWeenv7wR72pt
+1GRxp7yTZtj1AeJhuXcSHpntAo0kG6gHC/+FvbrNgyuSYn9siIa+C5RhAoGBAOkw
+RgOX7hXYzOSATbKZcnNFdPECYaBDjXV/Rcg966Ng4UcxWl3vJRYf3A55ehmc2Jdm
+CSqt6CrsR/RxKrljsCe7gD/GGEktV7fknnXC5Bfx3hUXQ4rATLx8xwlae+wc+ANM
+eaY1HB0KOGGGH2kT4l4UFChgnfpZN+vpel/cFkPvAoGBAJPqZZVfQ87o44wxUPSl
+FFKYql17BVQDQhdGw0x5lMNzQOdLKvJODj44jOTJZ21vXuoh4n4PeCXnOwJbkFQO
+auRdNChh26LrSzpJ8VsGG3elVMsUU+L9oa9dhncVoczo7mNslpxXGPOpJv4XuBBx
+rEgY6oxAscLM7k++yb3GVyxhAoGBAMK6lT0a+q8zxKZsnnWuvmyUa/t3SZ9TyiV8
+iwGU89oTZQzWoegfdJDtOg68UsJgwF5tzundICv39H6kolD+dnQ3l/mpq04wlzfx
+qoIcpe15BUQHkVelDm+4o12kOigKaPIYQt4RK9D0X/DQ2BofiMGXct3lEQemyZQv
+/Qlf+RfxAoGABBRf9DcyA/RdmTszqebfPPNmx7iHaNbrZ3Xbvyv3P5LkzXlFLTvA
+hDz/UqnVM7Bwe1OGeJYkXfmijRjpJ+U8dteb2YzZ3tnlzKwifz+051/LcjavX9X2
+5PuEB2Y65V0OWImIFVlLnp3MRyE4bImveBliWrTRQUVsxQt2WIDgThw=
 -----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/strongswan.conf
index 572cf39cb..dd2df0670 100644
--- a/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/ipsec.d/certs/daveCert.pem
index b76032480..91df37a81 100644
--- a/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/ipsec.d/certs/daveCert.pem
+++ b/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/ipsec.d/certs/daveCert.pem
@@ -1,24 +1,24 @@
 -----BEGIN CERTIFICATE-----
-MIIEHDCCAwSgAwIBAgIBATANBgkqhkiG9w0BAQUFADBLMQswCQYDVQQGEwJDSDEZ
+MIIEHDCCAwSgAwIBAgIBBTANBgkqhkiG9w0BAQsFADBLMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEOMAwGA1UECxMFU2FsZXMxETAPBgNV
-BAMTCFNhbGVzIENBMB4XDTA1MDMyMzA3MTAxN1oXDTEwMDMyMjA3MTAxN1owVjEL
+BAMTCFNhbGVzIENBMB4XDTEwMDQwNzA5NDI0MVoXDTE1MDQwNjA5NDI0MVowVjEL
 MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsT
 BVNhbGVzMRwwGgYDVQQDFBNkYXZlQHN0cm9uZ3N3YW4ub3JnMIIBIjANBgkqhkiG
-9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyqAR0itGIuSt/RR8IHjFTLH/lywprmHUw0GS
-zZwo/q4AE4v6OeWRG3JUUg44K40yBwr7zvcsLztRTfbNqlt7o+Hjpo3kz0AMwDo+
-1V42Qkh61VJW1P0NQvkgjiQn+ElSMg1u3uiYCIMAhYMYo2ZMKxHXxRqjU79AVuJN
-P3p8wUpfwReImAy3/n685YbSzWcbPqCfjRH/YrnYS8Ga7m/QzdNfrtxhAWAGow1+
-+eTSMvLXSkQeujU6OCJNOPUNB3nnJ1IoZrQm8wNP8Y5B5HzvOSyFEvNuHFc63gSP
-aSRhuz0gubuMpr1d9Rgjny8JgsfCEbOktlKwnbFeSB8AAgVMjwIDAQABo4H/MIH8
-MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSCy57rUdNRbytUkRGY
-GjmjvXfIszBtBgNVHSMEZjBkgBRfmxNG+SByyADViLWnTC6X6guTKKFJpEcwRTEL
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEAztqGSb3H9Xh6I4xiDkmsN5WRjKnEQfSRZsSi
+0umR7a1jysVvMgLKnmk2hAMJkDTjBXndEemnLiXemxNq4Wp3x0ZgpNWC6y1klZY6
+J7T76/4YhpIIs8HA1+ZiIAEhYCkeqy/ULPk0qa6yK6Ma2FKLEC4wz6OBbjhctqLz
+VsxxKDkLaivnJ16bX8CCNsCq86Ba64m6K1Mpsev5RKnOz0Ey1WwBhgLmipZRgAMH
+K6yPTRaOccvFVrOpi1bfprKXkrCYt6sQoDjbfheZ/tKyW2iJ+WbH0lsA4NbPi1s/
+5/rOIH+16CGfanXiZvZ7NbxLyb8ffPIXFxDTqiS8wFreRZR85wIDAQABo4H/MIH8
+MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBRnEIHshwPhDDGr3xLV
+MnUEbroVIjBtBgNVHSMEZjBkgBRfmxNG+SByyADViLWnTC6X6guTKKFJpEcwRTEL
 MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT
-EnN0cm9uZ1N3YW4gUm9vdCBDQYIBDTAeBgNVHREEFzAVgRNkYXZlQHN0cm9uZ3N3
+EnN0cm9uZ1N3YW4gUm9vdCBDQYIBITAeBgNVHREEFzAVgRNkYXZlQHN0cm9uZ3N3
 YW4ub3JnMDQGA1UdHwQtMCswKaAnoCWGI2h0dHA6Ly9jcmwuc3Ryb25nc3dhbi5v
-cmcvc2FsZXMuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQB+BknSxFKaDhbRVobOAU2P
-p9cirkVCitoZrvK2QIS/7WRoqy85RQ+zorJb3jyTxQl4Pu9Qrap9Zn0H8GQXGlQw
-ZJqdDqRaIa4nCc57qP5DsuQKIQRxc1QMCiWyIRAESn+r8IbxLbjvEd7ZXNsieip6
-Q15uUZldjTveHVi89i9oFWS1nWo4SV+tJaEqPBvsTZZKBPAEu6+7lRzbJ4ukzRsA
-DjuvmaPNUTyf21fD66I4sgrwgxoPhZ7r6qsqISJ5f0EzTXgYNi1yk/TXoAaot3c/
-Gu5+iyO/espV6kPADSOzPSFwsGHYG4kXi1VY0Z7x6UnjQSdEelOBplJ5XYDzEn4+
+cmcvc2FsZXMuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQB5H5jjp9LvEDyJp/3x7Caq
+OhIBSl5n3g7Oi1gXT5GHLBh9/l5i6Swk1eey2oMzpHgsdDogLytlvzRKXupJAZt5
+xWab5I7BfichRCV4bOutN/F8DiNChG0SnYEBizRi5K06LAadtDT0NLv7iE/I49Nb
+E8OdqnET1zHq82mbtVZCEzmRe+cmlB7EeECED+GxTOnYLRWeKg+AWIE4/fLN7s0e
+q94lSUtym71LZ9kmMMAHkIyEbblvVIa7k5j4T6j0XwPPcYVMSjogqeze+qbf3EQ+
+JkRlGdzL/17ToLWYnVwkLqQDn6B+RfwnPk2EXndutPrNz6C3Wy7zNNniciAtXAq+
 -----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/ipsec.d/private/daveKey.pem
index 022436de4..86740e86a 100644
--- a/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/ipsec.d/private/daveKey.pem
+++ b/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/ipsec.d/private/daveKey.pem
@@ -1,27 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEAyqAR0itGIuSt/RR8IHjFTLH/lywprmHUw0GSzZwo/q4AE4v6
-OeWRG3JUUg44K40yBwr7zvcsLztRTfbNqlt7o+Hjpo3kz0AMwDo+1V42Qkh61VJW
-1P0NQvkgjiQn+ElSMg1u3uiYCIMAhYMYo2ZMKxHXxRqjU79AVuJNP3p8wUpfwReI
-mAy3/n685YbSzWcbPqCfjRH/YrnYS8Ga7m/QzdNfrtxhAWAGow1++eTSMvLXSkQe
-ujU6OCJNOPUNB3nnJ1IoZrQm8wNP8Y5B5HzvOSyFEvNuHFc63gSPaSRhuz0gubuM
-pr1d9Rgjny8JgsfCEbOktlKwnbFeSB8AAgVMjwIDAQABAoIBAHKaRFoVpa6Ynpu0
-mVwYUqdFSaVsEgsSRC9HiEuIllsteNeVZSqX4BGhAXYDmttvGauIF9IAVNpF939c
-JwjCg1S2r3aFbLOXq16R0vYFOjUVH3xF/NysX3LQywv6AS1Z8wZiOKIU9eBij8nz
-0tygQFZf2iUeIuB8HFzH1B8iHSuI7qn6hh1Y9Zgx4kWYL9I+WYefbR906xveHVGq
-8VrgHtBAn1WeWg7FoN1VURW0s1bxkiWtpF9x9OMmwK4qR8HSCilss59V1eJrAAR0
-3FGdWwbbGg9hW0adnyDCtoaYW3r0WcXwqklyas4C+dClOpUInn8kZisoghQYT92u
-U2QeDzECgYEA5Rv7+rP9HX1pNd9NQwOyIHztv4jfx60gybioogtCeRZUwPQ3GtXJ
-Q0ouBxCVLdyCImIKcvd2q2b9HZE8tvOHBA/YxofH4miEN5GWA4aL+LcGrxIbxPWs
-MEkxgQwsyK7lWH47fG7eW86LMx0VikFXS1EeeZZS3f3Avaww1uRtXecCgYEA4mhS
-sAClZamGVWQ7VXCHuS4xHn/gPA4TCyoR5l9g9pwregGKxsROQVIFQCDMd9eTtS6B
-oqoUTHdg0TlujHVUojdwHtgDaqDMTk+RXD9qy2Wob9HQVBlIwgijoLb+OjwdoAj7
-1OQx8FmMjAlMmlyJ50e1FnbNJFEJ1EMgV5QxtxkCgYEArdUeyehYy1BFTJ/CIm+i
-bm37gdDbYchlUUivgkuiwvcDlWd2jADbdRfKdofJeIOPpYDXxsUmIATDVfTFqVZ7
-AcT4SCHrskh00SjANqqWdz5/bsQBl96DKBvQ2MYhEJ9K2mrkvZPtWKENEtolZsIO
-9tF0mvJIq7CF1iPY5qNoq88CgYEAoZhELErJwl3U+22my7ydopZNiK9MpJCHFxjX
-3c2Fr36XqWUgX+4MzKJ2DOdcCM1dJ5wh+q/Z/RnXiH2tYaL83SskY19aUOij6eDw
-px68YqAUMHtYbi39uD/iSftSSM5PdsHyvGiDHEFOB0U735Dc/K45mecBVEJi+ZVP
-qDKlqUECgYA1DcGOWM3P3XdB7zKy47LcankMtFZozEOLTUdGJRlmWrLdcRlZPKjt
-/ALripehesp1++VtmttWQJX7uI3gveD07/tSKeMHmIoKappjRTrcaA7Pa5+z/xS/
-UhRmZUFOJwNLzy3jdv5f2c/5SIz6o4Ae3I+Zb+IapHL+lBv146/I5g==
+MIIEpQIBAAKCAQEAztqGSb3H9Xh6I4xiDkmsN5WRjKnEQfSRZsSi0umR7a1jysVv
+MgLKnmk2hAMJkDTjBXndEemnLiXemxNq4Wp3x0ZgpNWC6y1klZY6J7T76/4YhpII
+s8HA1+ZiIAEhYCkeqy/ULPk0qa6yK6Ma2FKLEC4wz6OBbjhctqLzVsxxKDkLaivn
+J16bX8CCNsCq86Ba64m6K1Mpsev5RKnOz0Ey1WwBhgLmipZRgAMHK6yPTRaOccvF
+VrOpi1bfprKXkrCYt6sQoDjbfheZ/tKyW2iJ+WbH0lsA4NbPi1s/5/rOIH+16CGf
+anXiZvZ7NbxLyb8ffPIXFxDTqiS8wFreRZR85wIDAQABAoIBAQCZSpoP1cN0Zvbk
+lykne3NTsdSuEDUvx4VlSj173bnWEBOO9idEQYtUP5Y12GZi5r6ClV+94ZCSA2Bn
+PcmMCTGAjOgb31po3DfZHv4z5Mx4g9I7D8fBJsm5dbKsEwpfz7k5lXVAauGbCaph
+6jp/qxQBRqnHhlzpiH00n6eDYHhPHDoFHe+vGbnjWzJKsvs6EZiXpfJ/WKd1eQah
+sGF7g+9qV5xqwshCBKf25LZ2XjdvZDt78HS4hsSaStnemetK9NVJGJqmLzehQ16m
+RXAr8Ybk9g7/MSFhpwGPGjcqm2/szL4Cs9IMtYSxiroY3QL+DZydG9+K9g5NF7lX
+lbEX9HXRAoGBAOduCSLaoEJsgZathny9kSsBtDmTAuiVZukqRdMjDN2I0kOsRsIw
+CEF1DIvFsX7nfHkKve8+XyTc05y7LTXmX1AEjMgzFel7uy5HjS7AsJZgTippC8g/
+l2jGq+s59zATNZ2el9Q9dbeK2lBdrVy+jqNITdQge9BigFfhWbkAGFRPAoGBAOTQ
+if2+Yrh0zDPO53I6kShehaZvNtPmQxmmhvH4HGMY8EyRajFOSMpV1w3VYDuTA47v
+yol+90BWMY8ZslrXq+Bmwx2ocSc2feyUYcJoOoRL/b+b1lY2Vnog3Hs5BQLsULzH
+dwkEuK8wjjw1g4ksuIMbX/X9nEvJs0xemzh7Ju/pAoGACNI24u82YJHGNroSgDqx
+h9QezHsAB2F6dLS5yJxzZxZJ/W5ZnBk8l1Ig0ksMwuuL4Qk5yB62fa81GapAxOct
+Bt3Fh/P6h9XBgrgTd468rF6rXA549n8GBGZeMy8Ybuqshn9/BgX5sK9INvv7Gafh
+w/ODk+xRC9ZVUgQy6UxJoR0CgYEAybmYjl40xo4iIWK95ZUAuGhsx8iwu6v7aDfK
+LLUiwbMQ11A0IPf1cHyxNf7x8lOwBWoeU43eCZhz5Mcw2KnfW9z9E76W041VAyfl
+7/DX9h7QvQZ0tlj9cHpcJz6jzmns3CG2Lfs9nyXdn/NF3b/Rg7S0qzhFfQN70U5u
+5iKct1ECgYEAmR/0IbYGh1YJ7Z9im44MTSz6H7bTnmIDjM3/+IVydSVgFbzcoVG6
+4sQ5fIViMLtz9PHDRRKbs8TBzpy7C/wC1qRqpq9I17INSQzvm3DpZ2PlR0SeN2dA
+fO9XtkE73cEff/gI7JWOouy/vczizfRemnWlNK5Ui29Fe0QlGC9TyX0=
 -----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/strongswan.conf
index 572cf39cb..dd2df0670 100644
--- a/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem b/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem
index 154cff654..d53365f78 100644
--- a/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem
+++ b/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem
@@ -1,7 +1,7 @@
 -----BEGIN CERTIFICATE-----
-MIIDwTCCAqmgAwIBAgIBDzANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
+MIIDwTCCAqmgAwIBAgIBIDANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA1MDYyMTE5NTgwNloXDTEwMDYyMDE5NTgwNlowUTELMAkGA1UE
+b290IENBMB4XDTEwMDQwNjA5NTM1MFoXDTE5MDQwNDA5NTM1MFowUTELMAkGA1UE
 BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
 cmNoMRQwEgYDVQQDEwtSZXNlYXJjaCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP
 ADCCAQoCggEBALY5sjqm4AdbWKc/T7JahWpy9xtdPbHngBN6lbnpYaHfrxnGsvmD
@@ -13,11 +13,11 @@ C+25IuE8Nq+i3jtBiI8BwBqHY3u2IuflUh9Nc9d/R6vGsRPMHs30X1Ha/m0Ug494
 BTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU53XwoPKtIM3NYCPMx8gPKfPd
 VCAwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNV
 BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJv
-bmdTd2FuIFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQEEBQADggEBAHArS2trQnBoMVcg
-Br3HV78wYsa1MNAQCBAPhKMMd6EziO4FTwgNgecbKXpObX6ErFDgjtVTcLOMTvNX
-fvZoNuPpdcitlgcWjfxZafNbj6j9ClE/rMbGDO64NLhdXuPVkbmic6yXRwGZpTuq
-3CKgTguLvhzIEM47yfonXKaaJcKVPI7nYRZdlJmD4VflYrSUpzB361dCaPpl0AYa
-0zz1+jfBBvlyic/tf+cCngV3f+GlJ4ntZ3gvRjyysHRmYpWBD7xcA8mJzgUiMyi1
-IKeNzydp+tnLfxwetfA/8ptc346me7RktAaASqO9vpS/N78eXyJRthZTKEf/OqVW
-Tfcyi+M=
+bmdTd2FuIFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQELBQADggEBAI1toW0bLcyBXAoy
+FeLKGy4SibcNBZs/roChcwUav0foyLdCYMYFKEeHOLvIsTIjifpY4MPy3SBgQ5Xp
+cs5vOFwW97jM6YfByqjx4+7qTBqOaLMXBbeJ3LIwQyJirpqHZzlsOscchxCjcMAM
+POBGmWjpdOqULoLlwX9EFhBA2rEZB1iamgbUJ5M5eRNEubm8xR6Baw/0ORz/tt+t
+xC9jxcjHoJnOFV0ss7Xs3d32PqhvKGgBxjVLZyq3zD/rMG2xXVyKPU46zelMCP1U
+dsM62tL1cwAi4soka02GQrP/rwBhHt22bJMN4gNs5NSvhTdjjgwVYzLu63IFYBvW
+8sFmiZI=
 -----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem b/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem
index e50477872..a10a18cba 100644
--- a/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem
+++ b/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem
@@ -1,7 +1,7 @@
 -----BEGIN CERTIFICATE-----
-MIIDuzCCAqOgAwIBAgIBDTANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJDSDEZ
+MIIDuzCCAqOgAwIBAgIBITANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA1MDMyMzA2MjkxNloXDTE0MDMyMTA2MjkxNlowSzELMAkGA1UE
+b290IENBMB4XDTEwMDQwNjA5NTQzM1oXDTE5MDQwNDA5NTQzM1owSzELMAkGA1UE
 BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsTBVNhbGVz
 MREwDwYDVQQDEwhTYWxlcyBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
 ggEBAMJOTSaZjDe5UR+hJbodcE40WBxWm+r0FiD+FLc2c0hH/QcWm1Xfqnc9qaPP
@@ -13,10 +13,10 @@ vPAqzrekOI/RV9Hre9L1r8X1dIECAwEAAaOBrzCBrDAPBgNVHRMBAf8EBTADAQH/
 MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUX5sTRvkgcsgA1Yi1p0wul+oLkygwbQYD
 VR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNI
 MRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2Fu
-IFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQEFBQADggEBAJ7j3X20Q8ICJ2e+iUCpVUIV
-8RudUeHt9qjSXalohuxxhegL5vu7I9Gx0H56RE4glOjLMCb1xqVZ55Odxx14pHaZ
-9iMnQFpgzi96exYAmBKYCHl4IFix2hrTqTWSJhEO+o+PXnQTgcfG43GQepk0qAQr
-iZZy8OWiUhHSJQLJtTMm4rnYjgPn+sLwx7hCPDZpHTZocETDars7wTiVkodCbeEU
-uKahAbq4b6MvvC3+7quvwoEpAEStT7+Yml+QuK/jKmhjX0hcQcw4ZWi+m32RjUAv
-xDJGEvBqV2hyrzRqwh4lVNJEBba5X+QB3N6a0So6BENaJrUM3v8EDaS2KLUWyu0=
+IFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQELBQADggEBACRlTqXMjHy7r7rWnq/09yFn
+Td6d+y6KkHj9kvYSA5q7xYdmP3I4+YP2qpPnYjSeyfMCl4ZIyMXnfUbz5OvuXp4S
+CS0gIUJ6mK6+5f1a3USdB4Ce0Od4mkUIQmLzKFCRSqdhWoVzNJrl+BT1a5d9+aLW
+AL5S2pqUoQPgG64MPghy3SyUb4qBeplk3JdR/6OgA5LQeNtLiI7Y/dbMM2Rvn284
+RIIxp2TqN2Hup6BNLHv6fLixdJpM+nG7ZjGYf+7dnuY6ZDhvIt18zr/2n1ELBQPh
+M5SjYhGQIZVmNzNDrKGVAKta5LG8BwBGi0uXc9fBXWRcffI3N1/IZj/ob5t3WCg=
 -----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/strongswan.conf
index 572cf39cb..dd2df0670 100644
--- a/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/nat-one-rw/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/nat-one-rw/hosts/alice/etc/strongswan.conf
index 77f09f216..79348686d 100644
--- a/testing/tests/ikev2/nat-one-rw/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/nat-one-rw/hosts/alice/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   keep_alive = 1d 
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/nat-one-rw/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/nat-one-rw/hosts/sun/etc/strongswan.conf
index 06b1e9f48..de9ae45cc 100644
--- a/testing/tests/ikev2/nat-one-rw/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/nat-one-rw/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/nat-two-rw-psk/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/nat-two-rw-psk/hosts/alice/etc/strongswan.conf
index f82f32d1d..882ea04a5 100644
--- a/testing/tests/ikev2/nat-two-rw-psk/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/nat-two-rw-psk/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink updown
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/nat-two-rw-psk/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/nat-two-rw-psk/hosts/sun/etc/strongswan.conf
index f82f32d1d..882ea04a5 100644
--- a/testing/tests/ikev2/nat-two-rw-psk/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/nat-two-rw-psk/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink updown
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/nat-two-rw-psk/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2/nat-two-rw-psk/hosts/venus/etc/strongswan.conf
index f82f32d1d..882ea04a5 100644
--- a/testing/tests/ikev2/nat-two-rw-psk/hosts/venus/etc/strongswan.conf
+++ b/testing/tests/ikev2/nat-two-rw-psk/hosts/venus/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink updown
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/nat-two-rw/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/nat-two-rw/hosts/alice/etc/strongswan.conf
index 06b1e9f48..de9ae45cc 100644
--- a/testing/tests/ikev2/nat-two-rw/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/nat-two-rw/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/nat-two-rw/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/nat-two-rw/hosts/sun/etc/strongswan.conf
index 06b1e9f48..de9ae45cc 100644
--- a/testing/tests/ikev2/nat-two-rw/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/nat-two-rw/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/nat-two-rw/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2/nat-two-rw/hosts/venus/etc/strongswan.conf
index 06b1e9f48..de9ae45cc 100644
--- a/testing/tests/ikev2/nat-two-rw/hosts/venus/etc/strongswan.conf
+++ b/testing/tests/ikev2/nat-two-rw/hosts/venus/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf
index 9af403198..291f08db1 100644
--- a/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf
index 9af403198..291f08db1 100644
--- a/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/net2net-pgp-v3/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-pgp-v3/hosts/moon/etc/strongswan.conf
index 39d7154e2..949b9af16 100644
--- a/testing/tests/ikev2/net2net-pgp-v3/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-pgp-v3/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 pgp gmp random stroke kernel-netlink updown
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 pgp gmp random stroke kernel-netlink socket-default updown
 }
 
diff --git a/testing/tests/ikev2/net2net-pgp-v3/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-pgp-v3/hosts/sun/etc/strongswan.conf
index 39d7154e2..949b9af16 100644
--- a/testing/tests/ikev2/net2net-pgp-v3/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-pgp-v3/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 pgp gmp random stroke kernel-netlink updown
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 pgp gmp random stroke kernel-netlink socket-default updown
 }
 
diff --git a/testing/tests/ikev2/net2net-pgp-v4/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-pgp-v4/hosts/moon/etc/strongswan.conf
index 39d7154e2..949b9af16 100644
--- a/testing/tests/ikev2/net2net-pgp-v4/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-pgp-v4/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 pgp gmp random stroke kernel-netlink updown
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 pgp gmp random stroke kernel-netlink socket-default updown
 }
 
diff --git a/testing/tests/ikev2/net2net-pgp-v4/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-pgp-v4/hosts/sun/etc/strongswan.conf
index 39d7154e2..949b9af16 100644
--- a/testing/tests/ikev2/net2net-pgp-v4/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-pgp-v4/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 pgp gmp random stroke kernel-netlink updown
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 pgp gmp random stroke kernel-netlink socket-default updown
 }
 
diff --git a/testing/tests/ikev2/net2net-psk/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-psk/hosts/moon/etc/strongswan.conf
index 87fa5b2e9..4e2fcf17b 100644
--- a/testing/tests/ikev2/net2net-psk/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-psk/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink updown
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/net2net-psk/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-psk/hosts/sun/etc/strongswan.conf
index 87fa5b2e9..4e2fcf17b 100644
--- a/testing/tests/ikev2/net2net-psk/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-psk/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink updown
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/strongswan.conf
index 9af403198..291f08db1 100644
--- a/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/strongswan.conf
index 9af403198..291f08db1 100644
--- a/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/net2net-route/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-route/hosts/moon/etc/strongswan.conf
index 9af403198..291f08db1 100644
--- a/testing/tests/ikev2/net2net-route/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-route/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/net2net-route/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-route/hosts/sun/etc/strongswan.conf
index 9af403198..291f08db1 100644
--- a/testing/tests/ikev2/net2net-route/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-route/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/net2net-start/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-start/hosts/moon/etc/strongswan.conf
index 9af403198..291f08db1 100644
--- a/testing/tests/ikev2/net2net-start/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-start/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/net2net-start/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-start/hosts/sun/etc/strongswan.conf
index 9af403198..291f08db1 100644
--- a/testing/tests/ikev2/net2net-start/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-start/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/strongswan.conf
index 572cf39cb..dd2df0670 100644
--- a/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/strongswan.conf
index 572cf39cb..dd2df0670 100644
--- a/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/ipsec.d/certs/carolCert.pem
index 2990d6a12..69e5c05e3 100644
--- a/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/ipsec.d/certs/carolCert.pem
+++ b/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/ipsec.d/certs/carolCert.pem
@@ -1,25 +1,25 @@
 -----BEGIN CERTIFICATE-----
-MIIELDCCAxSgAwIBAgIBATANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJDSDEZ
+MIIELDCCAxSgAwIBAgIBBjANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS
-BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTA1MDMyMzA3MDQyM1oXDTEwMDMyMjA3MDQy
-M1owWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP
+BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTEwMDQwNzA5MjA1N1oXDTE1MDQwNjA5MjA1
+N1owWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP
 BgNVBAsTCFJlc2VhcmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCC
-ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM+oTiV7lCh1ID41edDUgUjR
-dZwEMPBAM1xDqoxJxIJpug8UIuuUL0TvQnZ4Z5fa/9QNNCkQ7FDh8ZcR+TT8x0mO
-dYYA73mMQic0n4O57F+s/lESKvIoN+vIDR3rGJBv9rYztS4ODE+DJl9XK9TtId5u
-57jfXu/k3IYl5GeQ3f+ic2l2Ola70t70Op6cFDZIhOCjs2xWw2yqGdPWODaN/Enw
-5fOLv/om+7HHB4KgPGv4p4ohWIUCo2XK597Ii+jB2MdOUlG83/1aX7+M+IeYVwjI
-hzWjwRQfMz0AQha0HYN4cvrZ7stUluMxewsCROCBzcGQYTZxYU4FjR8nhH4ApYMC
-AwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSL
-qNn96rsWg0kOJY/cyXD2JpnPIjBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOio9tKOkESjZumThDvt1aFy
+dPDPNAhNrIon8aCvZMxFQBXsams1LOL47UKQEeOJcDUQ1s90P05vAwX+TwOA2nBD
+hgVBe8c+RsBRfERmxcszK7dgj5yrjwbJFrUJPem04KEPnrR7LpT5s7+z1n+pZYr9
+HyJTvYJd3c968frowQW98mgEJG9xs2LfaqTV3RES1B9vIeQGWh64DSrF6Xy/HY+n
+3MeSMGZ3UJoXS6YZIxvGNd7heB/2xxv3Vv0TNyGikmP8Z5ibgN5jn7mQkU9SM9Qz
+Qb2ZY1m3Dn93cbJ5w3AXeClhJhoze6UvhVs4e/ASuJb6b9NLML4eB0BMCZD66Y8C
+AwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBTE
+AO+W2V1eu0sjCQcfemzz9lSRvTBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p
 891UIKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3
-YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBDDAfBgNVHREEGDAWgRRj
+YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBIDAfBgNVHREEGDAWgRRj
 YXJvbEBzdHJvbmdzd2FuLm9yZzA3BgNVHR8EMDAuMCygKqAohiZodHRwOi8vY3Js
-LnN0cm9uZ3N3YW4ub3JnL3Jlc2VhcmNoLmNybDANBgkqhkiG9w0BAQUFAAOCAQEA
-FNPepmta0ac9TWe7Gl31fKkuf6ZiQftMwx/uq6PoX9PBVGeooktJMo+EiROQhL3N
-Zomtl2nLfxYruXPHa7YaMWyv4+3NkV9p7jseC1K/2lCXipY4Vp8u14hqlRLCTejp
-7uC/0+628e+qXlCm8wafDb9/JXzQar7rADhoLp7gJKI2PKMAzLUP2xZVzY5zx57G
-+OCR/ZXonVeAPy9/0g9N8uQzJEXOVZYMjsoRra9rdlvnY1DgDoAK7QvJMC4VzENm
-wKmz2rPrBlKaEcivubg7dwPMGNmb3f7F7w0HHuRbQd5Y0nDfEWBKCp0bVx1GLc7/
-MWjwPJs52qVJ3Ph++EF6bw==
+LnN0cm9uZ3N3YW4ub3JnL3Jlc2VhcmNoLmNybDANBgkqhkiG9w0BAQsFAAOCAQEA
+ajgFI8Kz611i0Ihu8+M1C2W1kFbL4EoYyon3trjRZ3Iqz6ksf9KSKCS6Fiylq4DG
+il0mtMtlP+HKcXzRgSY96M4CO73w26liwmZsFBNaZKI/5vKRPPLyU9raGshfpBeC
+CywZ4vcb+EViIPstzOYiK5y/1tSGsMEdnlX2JZsJAKhbLRTmC02O3MbGGBQQq1eU
+n1xkR8pndTWTJmFZ61fZlUMSwLgLF9/VchAa7cIdEA044OCtTdabiYoyLFmqDutq
+8GYvWOzLf2qOKcRxkHxPfeJDrWOLePEYnaMkSBkUKAUIkI+LaJbWF3ASTGgHqh2/
+pwU12A3BovJKUaR0B7Uy2A==
 -----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/ipsec.d/private/carolKey.pem
index b91f9bf81..53e18680b 100644
--- a/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/ipsec.d/private/carolKey.pem
+++ b/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/ipsec.d/private/carolKey.pem
@@ -1,27 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEogIBAAKCAQEAz6hOJXuUKHUgPjV50NSBSNF1nAQw8EAzXEOqjEnEgmm6DxQi
-65QvRO9Cdnhnl9r/1A00KRDsUOHxlxH5NPzHSY51hgDveYxCJzSfg7nsX6z+URIq
-8ig368gNHesYkG/2tjO1Lg4MT4MmX1cr1O0h3m7nuN9e7+TchiXkZ5Dd/6JzaXY6
-VrvS3vQ6npwUNkiE4KOzbFbDbKoZ09Y4No38SfDl84u/+ib7sccHgqA8a/iniiFY
-hQKjZcrn3siL6MHYx05SUbzf/Vpfv4z4h5hXCMiHNaPBFB8zPQBCFrQdg3hy+tnu
-y1SW4zF7CwJE4IHNwZBhNnFhTgWNHyeEfgClgwIDAQABAoIBAHXoftbRoIKIXtJz
-0sM8plwOctUvnAoOqhsNYN1fVXEnTzoYmOtirKRbpkVWgJu9Ad4J0UAwF76lTGQX
-FIV9sjqV5S09grxlY3qXaquE+i4pMA4gXro5E+eRI8GFJ+F7cX5rRcjsuRi8wyEH
-gh/YtY5zMqfKTUGxlXWmNlaH70WilianuMPNXwaKgyBGcfZdheyUggM0rYEJrG1Z
-PZqNo0JKfeI4htpENDp0k1xJ9lCjIqdNw0ZjBi+pL6hF5PYaPjlVC2yn5CzRaT1D
-nUeKUK+SVES4sPrEQtaOlk86uZC4pIz5IlEoSvaw/Yo3Gk1sQKIQMMh1crhHd0El
-U831KwECgYEA7fQY+aFk3fHabwgf9gjuPKgwetVQ8jNDWUiSqffHUC0AQfKZQQsF
-mXJeSRZomPCWG3DRz1EcqXr9f82bN295I0CI6foXZgKUmjed7Bohc0HvUqNOi2qm
-MdbdWBOaH4RBzi1fAENJZnprmq65jQ/tkfCwqIz4KaLt+8xiWmU2h6ECgYEA32gB
-UbCzs1LoJC03uGHqZFRWK/YNKOKBUw58XCnzPTA+34UupI88lPj8LD269tDtruRy
-G7wt4HjayPKtK430nKAl01IXq6ULBTByu3KrCOm/gTAycVMj4ZimTn7Qu9jyv4Lz
-Ka3rBQxB+yQWfn27dc7U+EBsA7PT53NR6Zl8CqMCgYALJYod93+AHho7ZUgKAHUY
-hlBvEJsQHXKkNhAYwjCmAtWmQTUIpPmILKFaDyCrOWnusyRA7+3FyqshV4JT4Hbu
-PdGsFDkQYEKRztUpADhc69PILTo6sa5DW2tW+uQXYdyrSdjPbFd943Iy9sheYUah
-tYKxApmFacp4JyTcUy1wwQKBgA44xLy6jvX/dR+4cS+frBgu9j1eMIBFyw3Kgkgr
-s3xVserww4NeSvEA2KzIUTqdGkRj7o+tbw43I1ZffH6lTskZuM63DyKyIv11lBgy
-uIicuMA0nUFxlXsrCIs+r3MF4I4oe+pPVALCQQEHzxbGUkSxogUbtMSXkgnN4Y0J
-ZEgZAoGAfo0nv/IeKi0KkKiPTQSGVWGAQyCpGE0UQ2RYYToT84kjXs+LrVGFH2lu
-LJvyYnSnM7eKqCFKh+kLQ3bezum56y5XTyAEipTmu7Lhp0CiVjSdnu+0QykmhKsx
-Z17Ut2ryGKOXySnlMNual4eCLq98o0iOcYPq08V6x33dhK7Z3kU=
+MIIEpQIBAAKCAQEA6Kj20o6QRKNm6ZOEO+3VoXJ08M80CE2siifxoK9kzEVAFexq
+azUs4vjtQpAR44lwNRDWz3Q/Tm8DBf5PA4DacEOGBUF7xz5GwFF8RGbFyzMrt2CP
+nKuPBskWtQk96bTgoQ+etHsulPmzv7PWf6lliv0fIlO9gl3dz3rx+ujBBb3yaAQk
+b3GzYt9qpNXdERLUH28h5AZaHrgNKsXpfL8dj6fcx5IwZndQmhdLphkjG8Y13uF4
+H/bHG/dW/RM3IaKSY/xnmJuA3mOfuZCRT1Iz1DNBvZljWbcOf3dxsnnDcBd4KWEm
+GjN7pS+FWzh78BK4lvpv00swvh4HQEwJkPrpjwIDAQABAoIBAQCGhpwg5znX1jt9
+N0SwejaaIVoom0ZUvsTTJYF7Da9UxX3mr0phLuADZTea0z7kt+VfaZsrXOX17g5r
+er4pImorm390roZpkELMlNEro9keQzo1z+l6B2Ct5bvxdaSM638u4Z88cDVhAnjC
+kbOnIUWLdgx4hr7/EFNe0pH0KHzjWfS4YMUXZFYER3W+lQ68j3U/iFdCsMdABrLV
+BnKozAUOWTHeZc+8Ca0MFWChrj9b2DCs2M0ASgAx5s9CNo1dIbqwJmb7OLlwm3G+
+Xx0JzN7eOOZdiFSPcyNoRwE6rKvrs2GtQ9LqWdkvVEuFjyIkl97cnoOkRIj5bAvN
+DfjfjmeBAoGBAP9rdEPjprVbEeAS+acLc/6oWlGqo23nO31IuUWHT10yxf0E5FIp
+waLJchqT+jD5tYehfZ1+OVtYiWWKBJIXnVK+a4rc/GIRWX/BRHMtWeenv7wR72pt
+1GRxp7yTZtj1AeJhuXcSHpntAo0kG6gHC/+FvbrNgyuSYn9siIa+C5RhAoGBAOkw
+RgOX7hXYzOSATbKZcnNFdPECYaBDjXV/Rcg966Ng4UcxWl3vJRYf3A55ehmc2Jdm
+CSqt6CrsR/RxKrljsCe7gD/GGEktV7fknnXC5Bfx3hUXQ4rATLx8xwlae+wc+ANM
+eaY1HB0KOGGGH2kT4l4UFChgnfpZN+vpel/cFkPvAoGBAJPqZZVfQ87o44wxUPSl
+FFKYql17BVQDQhdGw0x5lMNzQOdLKvJODj44jOTJZ21vXuoh4n4PeCXnOwJbkFQO
+auRdNChh26LrSzpJ8VsGG3elVMsUU+L9oa9dhncVoczo7mNslpxXGPOpJv4XuBBx
+rEgY6oxAscLM7k++yb3GVyxhAoGBAMK6lT0a+q8zxKZsnnWuvmyUa/t3SZ9TyiV8
+iwGU89oTZQzWoegfdJDtOg68UsJgwF5tzundICv39H6kolD+dnQ3l/mpq04wlzfx
+qoIcpe15BUQHkVelDm+4o12kOigKaPIYQt4RK9D0X/DQ2BofiMGXct3lEQemyZQv
+/Qlf+RfxAoGABBRf9DcyA/RdmTszqebfPPNmx7iHaNbrZ3Xbvyv3P5LkzXlFLTvA
+hDz/UqnVM7Bwe1OGeJYkXfmijRjpJ+U8dteb2YzZ3tnlzKwifz+051/LcjavX9X2
+5PuEB2Y65V0OWImIFVlLnp3MRyE4bImveBliWrTRQUVsxQt2WIDgThw=
 -----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/strongswan.conf
index 572cf39cb..dd2df0670 100644
--- a/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/ipsec.d/certs/daveCert.pem
index b76032480..91df37a81 100644
--- a/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/ipsec.d/certs/daveCert.pem
+++ b/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/ipsec.d/certs/daveCert.pem
@@ -1,24 +1,24 @@
 -----BEGIN CERTIFICATE-----
-MIIEHDCCAwSgAwIBAgIBATANBgkqhkiG9w0BAQUFADBLMQswCQYDVQQGEwJDSDEZ
+MIIEHDCCAwSgAwIBAgIBBTANBgkqhkiG9w0BAQsFADBLMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEOMAwGA1UECxMFU2FsZXMxETAPBgNV
-BAMTCFNhbGVzIENBMB4XDTA1MDMyMzA3MTAxN1oXDTEwMDMyMjA3MTAxN1owVjEL
+BAMTCFNhbGVzIENBMB4XDTEwMDQwNzA5NDI0MVoXDTE1MDQwNjA5NDI0MVowVjEL
 MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsT
 BVNhbGVzMRwwGgYDVQQDFBNkYXZlQHN0cm9uZ3N3YW4ub3JnMIIBIjANBgkqhkiG
-9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyqAR0itGIuSt/RR8IHjFTLH/lywprmHUw0GS
-zZwo/q4AE4v6OeWRG3JUUg44K40yBwr7zvcsLztRTfbNqlt7o+Hjpo3kz0AMwDo+
-1V42Qkh61VJW1P0NQvkgjiQn+ElSMg1u3uiYCIMAhYMYo2ZMKxHXxRqjU79AVuJN
-P3p8wUpfwReImAy3/n685YbSzWcbPqCfjRH/YrnYS8Ga7m/QzdNfrtxhAWAGow1+
-+eTSMvLXSkQeujU6OCJNOPUNB3nnJ1IoZrQm8wNP8Y5B5HzvOSyFEvNuHFc63gSP
-aSRhuz0gubuMpr1d9Rgjny8JgsfCEbOktlKwnbFeSB8AAgVMjwIDAQABo4H/MIH8
-MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSCy57rUdNRbytUkRGY
-GjmjvXfIszBtBgNVHSMEZjBkgBRfmxNG+SByyADViLWnTC6X6guTKKFJpEcwRTEL
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEAztqGSb3H9Xh6I4xiDkmsN5WRjKnEQfSRZsSi
+0umR7a1jysVvMgLKnmk2hAMJkDTjBXndEemnLiXemxNq4Wp3x0ZgpNWC6y1klZY6
+J7T76/4YhpIIs8HA1+ZiIAEhYCkeqy/ULPk0qa6yK6Ma2FKLEC4wz6OBbjhctqLz
+VsxxKDkLaivnJ16bX8CCNsCq86Ba64m6K1Mpsev5RKnOz0Ey1WwBhgLmipZRgAMH
+K6yPTRaOccvFVrOpi1bfprKXkrCYt6sQoDjbfheZ/tKyW2iJ+WbH0lsA4NbPi1s/
+5/rOIH+16CGfanXiZvZ7NbxLyb8ffPIXFxDTqiS8wFreRZR85wIDAQABo4H/MIH8
+MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBRnEIHshwPhDDGr3xLV
+MnUEbroVIjBtBgNVHSMEZjBkgBRfmxNG+SByyADViLWnTC6X6guTKKFJpEcwRTEL
 MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT
-EnN0cm9uZ1N3YW4gUm9vdCBDQYIBDTAeBgNVHREEFzAVgRNkYXZlQHN0cm9uZ3N3
+EnN0cm9uZ1N3YW4gUm9vdCBDQYIBITAeBgNVHREEFzAVgRNkYXZlQHN0cm9uZ3N3
 YW4ub3JnMDQGA1UdHwQtMCswKaAnoCWGI2h0dHA6Ly9jcmwuc3Ryb25nc3dhbi5v
-cmcvc2FsZXMuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQB+BknSxFKaDhbRVobOAU2P
-p9cirkVCitoZrvK2QIS/7WRoqy85RQ+zorJb3jyTxQl4Pu9Qrap9Zn0H8GQXGlQw
-ZJqdDqRaIa4nCc57qP5DsuQKIQRxc1QMCiWyIRAESn+r8IbxLbjvEd7ZXNsieip6
-Q15uUZldjTveHVi89i9oFWS1nWo4SV+tJaEqPBvsTZZKBPAEu6+7lRzbJ4ukzRsA
-DjuvmaPNUTyf21fD66I4sgrwgxoPhZ7r6qsqISJ5f0EzTXgYNi1yk/TXoAaot3c/
-Gu5+iyO/espV6kPADSOzPSFwsGHYG4kXi1VY0Z7x6UnjQSdEelOBplJ5XYDzEn4+
+cmcvc2FsZXMuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQB5H5jjp9LvEDyJp/3x7Caq
+OhIBSl5n3g7Oi1gXT5GHLBh9/l5i6Swk1eey2oMzpHgsdDogLytlvzRKXupJAZt5
+xWab5I7BfichRCV4bOutN/F8DiNChG0SnYEBizRi5K06LAadtDT0NLv7iE/I49Nb
+E8OdqnET1zHq82mbtVZCEzmRe+cmlB7EeECED+GxTOnYLRWeKg+AWIE4/fLN7s0e
+q94lSUtym71LZ9kmMMAHkIyEbblvVIa7k5j4T6j0XwPPcYVMSjogqeze+qbf3EQ+
+JkRlGdzL/17ToLWYnVwkLqQDn6B+RfwnPk2EXndutPrNz6C3Wy7zNNniciAtXAq+
 -----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/ipsec.d/private/daveKey.pem
index 022436de4..86740e86a 100644
--- a/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/ipsec.d/private/daveKey.pem
+++ b/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/ipsec.d/private/daveKey.pem
@@ -1,27 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEAyqAR0itGIuSt/RR8IHjFTLH/lywprmHUw0GSzZwo/q4AE4v6
-OeWRG3JUUg44K40yBwr7zvcsLztRTfbNqlt7o+Hjpo3kz0AMwDo+1V42Qkh61VJW
-1P0NQvkgjiQn+ElSMg1u3uiYCIMAhYMYo2ZMKxHXxRqjU79AVuJNP3p8wUpfwReI
-mAy3/n685YbSzWcbPqCfjRH/YrnYS8Ga7m/QzdNfrtxhAWAGow1++eTSMvLXSkQe
-ujU6OCJNOPUNB3nnJ1IoZrQm8wNP8Y5B5HzvOSyFEvNuHFc63gSPaSRhuz0gubuM
-pr1d9Rgjny8JgsfCEbOktlKwnbFeSB8AAgVMjwIDAQABAoIBAHKaRFoVpa6Ynpu0
-mVwYUqdFSaVsEgsSRC9HiEuIllsteNeVZSqX4BGhAXYDmttvGauIF9IAVNpF939c
-JwjCg1S2r3aFbLOXq16R0vYFOjUVH3xF/NysX3LQywv6AS1Z8wZiOKIU9eBij8nz
-0tygQFZf2iUeIuB8HFzH1B8iHSuI7qn6hh1Y9Zgx4kWYL9I+WYefbR906xveHVGq
-8VrgHtBAn1WeWg7FoN1VURW0s1bxkiWtpF9x9OMmwK4qR8HSCilss59V1eJrAAR0
-3FGdWwbbGg9hW0adnyDCtoaYW3r0WcXwqklyas4C+dClOpUInn8kZisoghQYT92u
-U2QeDzECgYEA5Rv7+rP9HX1pNd9NQwOyIHztv4jfx60gybioogtCeRZUwPQ3GtXJ
-Q0ouBxCVLdyCImIKcvd2q2b9HZE8tvOHBA/YxofH4miEN5GWA4aL+LcGrxIbxPWs
-MEkxgQwsyK7lWH47fG7eW86LMx0VikFXS1EeeZZS3f3Avaww1uRtXecCgYEA4mhS
-sAClZamGVWQ7VXCHuS4xHn/gPA4TCyoR5l9g9pwregGKxsROQVIFQCDMd9eTtS6B
-oqoUTHdg0TlujHVUojdwHtgDaqDMTk+RXD9qy2Wob9HQVBlIwgijoLb+OjwdoAj7
-1OQx8FmMjAlMmlyJ50e1FnbNJFEJ1EMgV5QxtxkCgYEArdUeyehYy1BFTJ/CIm+i
-bm37gdDbYchlUUivgkuiwvcDlWd2jADbdRfKdofJeIOPpYDXxsUmIATDVfTFqVZ7
-AcT4SCHrskh00SjANqqWdz5/bsQBl96DKBvQ2MYhEJ9K2mrkvZPtWKENEtolZsIO
-9tF0mvJIq7CF1iPY5qNoq88CgYEAoZhELErJwl3U+22my7ydopZNiK9MpJCHFxjX
-3c2Fr36XqWUgX+4MzKJ2DOdcCM1dJ5wh+q/Z/RnXiH2tYaL83SskY19aUOij6eDw
-px68YqAUMHtYbi39uD/iSftSSM5PdsHyvGiDHEFOB0U735Dc/K45mecBVEJi+ZVP
-qDKlqUECgYA1DcGOWM3P3XdB7zKy47LcankMtFZozEOLTUdGJRlmWrLdcRlZPKjt
-/ALripehesp1++VtmttWQJX7uI3gveD07/tSKeMHmIoKappjRTrcaA7Pa5+z/xS/
-UhRmZUFOJwNLzy3jdv5f2c/5SIz6o4Ae3I+Zb+IapHL+lBv146/I5g==
+MIIEpQIBAAKCAQEAztqGSb3H9Xh6I4xiDkmsN5WRjKnEQfSRZsSi0umR7a1jysVv
+MgLKnmk2hAMJkDTjBXndEemnLiXemxNq4Wp3x0ZgpNWC6y1klZY6J7T76/4YhpII
+s8HA1+ZiIAEhYCkeqy/ULPk0qa6yK6Ma2FKLEC4wz6OBbjhctqLzVsxxKDkLaivn
+J16bX8CCNsCq86Ba64m6K1Mpsev5RKnOz0Ey1WwBhgLmipZRgAMHK6yPTRaOccvF
+VrOpi1bfprKXkrCYt6sQoDjbfheZ/tKyW2iJ+WbH0lsA4NbPi1s/5/rOIH+16CGf
+anXiZvZ7NbxLyb8ffPIXFxDTqiS8wFreRZR85wIDAQABAoIBAQCZSpoP1cN0Zvbk
+lykne3NTsdSuEDUvx4VlSj173bnWEBOO9idEQYtUP5Y12GZi5r6ClV+94ZCSA2Bn
+PcmMCTGAjOgb31po3DfZHv4z5Mx4g9I7D8fBJsm5dbKsEwpfz7k5lXVAauGbCaph
+6jp/qxQBRqnHhlzpiH00n6eDYHhPHDoFHe+vGbnjWzJKsvs6EZiXpfJ/WKd1eQah
+sGF7g+9qV5xqwshCBKf25LZ2XjdvZDt78HS4hsSaStnemetK9NVJGJqmLzehQ16m
+RXAr8Ybk9g7/MSFhpwGPGjcqm2/szL4Cs9IMtYSxiroY3QL+DZydG9+K9g5NF7lX
+lbEX9HXRAoGBAOduCSLaoEJsgZathny9kSsBtDmTAuiVZukqRdMjDN2I0kOsRsIw
+CEF1DIvFsX7nfHkKve8+XyTc05y7LTXmX1AEjMgzFel7uy5HjS7AsJZgTippC8g/
+l2jGq+s59zATNZ2el9Q9dbeK2lBdrVy+jqNITdQge9BigFfhWbkAGFRPAoGBAOTQ
+if2+Yrh0zDPO53I6kShehaZvNtPmQxmmhvH4HGMY8EyRajFOSMpV1w3VYDuTA47v
+yol+90BWMY8ZslrXq+Bmwx2ocSc2feyUYcJoOoRL/b+b1lY2Vnog3Hs5BQLsULzH
+dwkEuK8wjjw1g4ksuIMbX/X9nEvJs0xemzh7Ju/pAoGACNI24u82YJHGNroSgDqx
+h9QezHsAB2F6dLS5yJxzZxZJ/W5ZnBk8l1Ig0ksMwuuL4Qk5yB62fa81GapAxOct
+Bt3Fh/P6h9XBgrgTd468rF6rXA549n8GBGZeMy8Ybuqshn9/BgX5sK9INvv7Gafh
+w/ODk+xRC9ZVUgQy6UxJoR0CgYEAybmYjl40xo4iIWK95ZUAuGhsx8iwu6v7aDfK
+LLUiwbMQ11A0IPf1cHyxNf7x8lOwBWoeU43eCZhz5Mcw2KnfW9z9E76W041VAyfl
+7/DX9h7QvQZ0tlj9cHpcJz6jzmns3CG2Lfs9nyXdn/NF3b/Rg7S0qzhFfQN70U5u
+5iKct1ECgYEAmR/0IbYGh1YJ7Z9im44MTSz6H7bTnmIDjM3/+IVydSVgFbzcoVG6
+4sQ5fIViMLtz9PHDRRKbs8TBzpy7C/wC1qRqpq9I17INSQzvm3DpZ2PlR0SeN2dA
+fO9XtkE73cEff/gI7JWOouy/vczizfRemnWlNK5Ui29Fe0QlGC9TyX0=
 -----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/strongswan.conf
index 572cf39cb..dd2df0670 100644
--- a/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem b/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem
index 154cff654..d53365f78 100644
--- a/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem
+++ b/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem
@@ -1,7 +1,7 @@
 -----BEGIN CERTIFICATE-----
-MIIDwTCCAqmgAwIBAgIBDzANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
+MIIDwTCCAqmgAwIBAgIBIDANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA1MDYyMTE5NTgwNloXDTEwMDYyMDE5NTgwNlowUTELMAkGA1UE
+b290IENBMB4XDTEwMDQwNjA5NTM1MFoXDTE5MDQwNDA5NTM1MFowUTELMAkGA1UE
 BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
 cmNoMRQwEgYDVQQDEwtSZXNlYXJjaCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP
 ADCCAQoCggEBALY5sjqm4AdbWKc/T7JahWpy9xtdPbHngBN6lbnpYaHfrxnGsvmD
@@ -13,11 +13,11 @@ C+25IuE8Nq+i3jtBiI8BwBqHY3u2IuflUh9Nc9d/R6vGsRPMHs30X1Ha/m0Ug494
 BTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU53XwoPKtIM3NYCPMx8gPKfPd
 VCAwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNV
 BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJv
-bmdTd2FuIFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQEEBQADggEBAHArS2trQnBoMVcg
-Br3HV78wYsa1MNAQCBAPhKMMd6EziO4FTwgNgecbKXpObX6ErFDgjtVTcLOMTvNX
-fvZoNuPpdcitlgcWjfxZafNbj6j9ClE/rMbGDO64NLhdXuPVkbmic6yXRwGZpTuq
-3CKgTguLvhzIEM47yfonXKaaJcKVPI7nYRZdlJmD4VflYrSUpzB361dCaPpl0AYa
-0zz1+jfBBvlyic/tf+cCngV3f+GlJ4ntZ3gvRjyysHRmYpWBD7xcA8mJzgUiMyi1
-IKeNzydp+tnLfxwetfA/8ptc346me7RktAaASqO9vpS/N78eXyJRthZTKEf/OqVW
-Tfcyi+M=
+bmdTd2FuIFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQELBQADggEBAI1toW0bLcyBXAoy
+FeLKGy4SibcNBZs/roChcwUav0foyLdCYMYFKEeHOLvIsTIjifpY4MPy3SBgQ5Xp
+cs5vOFwW97jM6YfByqjx4+7qTBqOaLMXBbeJ3LIwQyJirpqHZzlsOscchxCjcMAM
+POBGmWjpdOqULoLlwX9EFhBA2rEZB1iamgbUJ5M5eRNEubm8xR6Baw/0ORz/tt+t
+xC9jxcjHoJnOFV0ss7Xs3d32PqhvKGgBxjVLZyq3zD/rMG2xXVyKPU46zelMCP1U
+dsM62tL1cwAi4soka02GQrP/rwBhHt22bJMN4gNs5NSvhTdjjgwVYzLu63IFYBvW
+8sFmiZI=
 -----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem b/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem
index e50477872..a10a18cba 100644
--- a/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem
+++ b/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem
@@ -1,7 +1,7 @@
 -----BEGIN CERTIFICATE-----
-MIIDuzCCAqOgAwIBAgIBDTANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJDSDEZ
+MIIDuzCCAqOgAwIBAgIBITANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA1MDMyMzA2MjkxNloXDTE0MDMyMTA2MjkxNlowSzELMAkGA1UE
+b290IENBMB4XDTEwMDQwNjA5NTQzM1oXDTE5MDQwNDA5NTQzM1owSzELMAkGA1UE
 BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsTBVNhbGVz
 MREwDwYDVQQDEwhTYWxlcyBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
 ggEBAMJOTSaZjDe5UR+hJbodcE40WBxWm+r0FiD+FLc2c0hH/QcWm1Xfqnc9qaPP
@@ -13,10 +13,10 @@ vPAqzrekOI/RV9Hre9L1r8X1dIECAwEAAaOBrzCBrDAPBgNVHRMBAf8EBTADAQH/
 MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUX5sTRvkgcsgA1Yi1p0wul+oLkygwbQYD
 VR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNI
 MRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2Fu
-IFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQEFBQADggEBAJ7j3X20Q8ICJ2e+iUCpVUIV
-8RudUeHt9qjSXalohuxxhegL5vu7I9Gx0H56RE4glOjLMCb1xqVZ55Odxx14pHaZ
-9iMnQFpgzi96exYAmBKYCHl4IFix2hrTqTWSJhEO+o+PXnQTgcfG43GQepk0qAQr
-iZZy8OWiUhHSJQLJtTMm4rnYjgPn+sLwx7hCPDZpHTZocETDars7wTiVkodCbeEU
-uKahAbq4b6MvvC3+7quvwoEpAEStT7+Yml+QuK/jKmhjX0hcQcw4ZWi+m32RjUAv
-xDJGEvBqV2hyrzRqwh4lVNJEBba5X+QB3N6a0So6BENaJrUM3v8EDaS2KLUWyu0=
+IFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQELBQADggEBACRlTqXMjHy7r7rWnq/09yFn
+Td6d+y6KkHj9kvYSA5q7xYdmP3I4+YP2qpPnYjSeyfMCl4ZIyMXnfUbz5OvuXp4S
+CS0gIUJ6mK6+5f1a3USdB4Ce0Od4mkUIQmLzKFCRSqdhWoVzNJrl+BT1a5d9+aLW
+AL5S2pqUoQPgG64MPghy3SyUb4qBeplk3JdR/6OgA5LQeNtLiI7Y/dbMM2Rvn284
+RIIxp2TqN2Hup6BNLHv6fLixdJpM+nG7ZjGYf+7dnuY6ZDhvIt18zr/2n1ELBQPh
+M5SjYhGQIZVmNzNDrKGVAKta5LG8BwBGi0uXc9fBXWRcffI3N1/IZj/ob5t3WCg=
 -----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/strongswan.conf
index 572cf39cb..dd2df0670 100644
--- a/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/strongswan.conf
index 572cf39cb..dd2df0670 100644
--- a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/strongswan.conf
index 572cf39cb..dd2df0670 100644
--- a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/strongswan.conf
index 572cf39cb..dd2df0670 100644
--- a/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/strongswan.conf
index 572cf39cb..dd2df0670 100644
--- a/testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-root-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-root-cert/hosts/carol/etc/strongswan.conf
index 572cf39cb..dd2df0670 100644
--- a/testing/tests/ikev2/ocsp-root-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-root-cert/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-root-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-root-cert/hosts/moon/etc/strongswan.conf
index 572cf39cb..dd2df0670 100644
--- a/testing/tests/ikev2/ocsp-root-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-root-cert/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/strongswan.conf
index 572cf39cb..dd2df0670 100644
--- a/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-signer-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-signer-cert/hosts/moon/etc/strongswan.conf
index 572cf39cb..dd2df0670 100644
--- a/testing/tests/ikev2/ocsp-signer-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-signer-cert/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/strongswan.conf
index 572cf39cb..dd2df0670 100644
--- a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/strongswan.conf
index 572cf39cb..dd2df0670 100644
--- a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem
index 154cff654..d53365f78 100644
--- a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem
@@ -1,7 +1,7 @@
 -----BEGIN CERTIFICATE-----
-MIIDwTCCAqmgAwIBAgIBDzANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
+MIIDwTCCAqmgAwIBAgIBIDANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA1MDYyMTE5NTgwNloXDTEwMDYyMDE5NTgwNlowUTELMAkGA1UE
+b290IENBMB4XDTEwMDQwNjA5NTM1MFoXDTE5MDQwNDA5NTM1MFowUTELMAkGA1UE
 BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
 cmNoMRQwEgYDVQQDEwtSZXNlYXJjaCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP
 ADCCAQoCggEBALY5sjqm4AdbWKc/T7JahWpy9xtdPbHngBN6lbnpYaHfrxnGsvmD
@@ -13,11 +13,11 @@ C+25IuE8Nq+i3jtBiI8BwBqHY3u2IuflUh9Nc9d/R6vGsRPMHs30X1Ha/m0Ug494
 BTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU53XwoPKtIM3NYCPMx8gPKfPd
 VCAwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNV
 BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJv
-bmdTd2FuIFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQEEBQADggEBAHArS2trQnBoMVcg
-Br3HV78wYsa1MNAQCBAPhKMMd6EziO4FTwgNgecbKXpObX6ErFDgjtVTcLOMTvNX
-fvZoNuPpdcitlgcWjfxZafNbj6j9ClE/rMbGDO64NLhdXuPVkbmic6yXRwGZpTuq
-3CKgTguLvhzIEM47yfonXKaaJcKVPI7nYRZdlJmD4VflYrSUpzB361dCaPpl0AYa
-0zz1+jfBBvlyic/tf+cCngV3f+GlJ4ntZ3gvRjyysHRmYpWBD7xcA8mJzgUiMyi1
-IKeNzydp+tnLfxwetfA/8ptc346me7RktAaASqO9vpS/N78eXyJRthZTKEf/OqVW
-Tfcyi+M=
+bmdTd2FuIFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQELBQADggEBAI1toW0bLcyBXAoy
+FeLKGy4SibcNBZs/roChcwUav0foyLdCYMYFKEeHOLvIsTIjifpY4MPy3SBgQ5Xp
+cs5vOFwW97jM6YfByqjx4+7qTBqOaLMXBbeJ3LIwQyJirpqHZzlsOscchxCjcMAM
+POBGmWjpdOqULoLlwX9EFhBA2rEZB1iamgbUJ5M5eRNEubm8xR6Baw/0ORz/tt+t
+xC9jxcjHoJnOFV0ss7Xs3d32PqhvKGgBxjVLZyq3zD/rMG2xXVyKPU46zelMCP1U
+dsM62tL1cwAi4soka02GQrP/rwBhHt22bJMN4gNs5NSvhTdjjgwVYzLu63IFYBvW
+8sFmiZI=
 -----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem
index e50477872..a10a18cba 100644
--- a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem
@@ -1,7 +1,7 @@
 -----BEGIN CERTIFICATE-----
-MIIDuzCCAqOgAwIBAgIBDTANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJDSDEZ
+MIIDuzCCAqOgAwIBAgIBITANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA1MDMyMzA2MjkxNloXDTE0MDMyMTA2MjkxNlowSzELMAkGA1UE
+b290IENBMB4XDTEwMDQwNjA5NTQzM1oXDTE5MDQwNDA5NTQzM1owSzELMAkGA1UE
 BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsTBVNhbGVz
 MREwDwYDVQQDEwhTYWxlcyBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
 ggEBAMJOTSaZjDe5UR+hJbodcE40WBxWm+r0FiD+FLc2c0hH/QcWm1Xfqnc9qaPP
@@ -13,10 +13,10 @@ vPAqzrekOI/RV9Hre9L1r8X1dIECAwEAAaOBrzCBrDAPBgNVHRMBAf8EBTADAQH/
 MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUX5sTRvkgcsgA1Yi1p0wul+oLkygwbQYD
 VR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNI
 MRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2Fu
-IFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQEFBQADggEBAJ7j3X20Q8ICJ2e+iUCpVUIV
-8RudUeHt9qjSXalohuxxhegL5vu7I9Gx0H56RE4glOjLMCb1xqVZ55Odxx14pHaZ
-9iMnQFpgzi96exYAmBKYCHl4IFix2hrTqTWSJhEO+o+PXnQTgcfG43GQepk0qAQr
-iZZy8OWiUhHSJQLJtTMm4rnYjgPn+sLwx7hCPDZpHTZocETDars7wTiVkodCbeEU
-uKahAbq4b6MvvC3+7quvwoEpAEStT7+Yml+QuK/jKmhjX0hcQcw4ZWi+m32RjUAv
-xDJGEvBqV2hyrzRqwh4lVNJEBba5X+QB3N6a0So6BENaJrUM3v8EDaS2KLUWyu0=
+IFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQELBQADggEBACRlTqXMjHy7r7rWnq/09yFn
+Td6d+y6KkHj9kvYSA5q7xYdmP3I4+YP2qpPnYjSeyfMCl4ZIyMXnfUbz5OvuXp4S
+CS0gIUJ6mK6+5f1a3USdB4Ce0Od4mkUIQmLzKFCRSqdhWoVzNJrl+BT1a5d9+aLW
+AL5S2pqUoQPgG64MPghy3SyUb4qBeplk3JdR/6OgA5LQeNtLiI7Y/dbMM2Rvn284
+RIIxp2TqN2Hup6BNLHv6fLixdJpM+nG7ZjGYf+7dnuY6ZDhvIt18zr/2n1ELBQPh
+M5SjYhGQIZVmNzNDrKGVAKta5LG8BwBGi0uXc9fBXWRcffI3N1/IZj/ob5t3WCg=
 -----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/strongswan.conf
index 572cf39cb..dd2df0670 100644
--- a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/strongswan.conf
index 572cf39cb..dd2df0670 100644
--- a/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/strongswan.conf
index 572cf39cb..dd2df0670 100644
--- a/testing/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/strongswan.conf
index 572cf39cb..dd2df0670 100644
--- a/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/strongswan.conf
index 572cf39cb..dd2df0670 100644
--- a/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/strongswan.conf
index 572cf39cb..dd2df0670 100644
--- a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/strongswan.conf
index 572cf39cb..dd2df0670 100644
--- a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/protoport-dual/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/protoport-dual/hosts/carol/etc/strongswan.conf
index 06b1e9f48..de9ae45cc 100644
--- a/testing/tests/ikev2/protoport-dual/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/protoport-dual/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/protoport-dual/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/protoport-dual/hosts/moon/etc/strongswan.conf
index 06b1e9f48..de9ae45cc 100644
--- a/testing/tests/ikev2/protoport-dual/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/protoport-dual/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/protoport-route/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/protoport-route/hosts/carol/etc/strongswan.conf
index 06b1e9f48..de9ae45cc 100644
--- a/testing/tests/ikev2/protoport-route/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/protoport-route/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/protoport-route/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/protoport-route/hosts/moon/etc/strongswan.conf
index 06b1e9f48..de9ae45cc 100644
--- a/testing/tests/ikev2/protoport-route/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/protoport-route/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/reauth-early/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/reauth-early/hosts/carol/etc/strongswan.conf
index 06b1e9f48..de9ae45cc 100644
--- a/testing/tests/ikev2/reauth-early/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/reauth-early/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/reauth-early/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/reauth-early/hosts/moon/etc/strongswan.conf
index 06b1e9f48..de9ae45cc 100644
--- a/testing/tests/ikev2/reauth-early/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/reauth-early/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/reauth-late/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/reauth-late/hosts/carol/etc/strongswan.conf
index 06b1e9f48..de9ae45cc 100644
--- a/testing/tests/ikev2/reauth-late/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/reauth-late/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/reauth-late/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/reauth-late/hosts/moon/etc/strongswan.conf
index 06b1e9f48..de9ae45cc 100644
--- a/testing/tests/ikev2/reauth-late/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/reauth-late/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf
index 3361ca6a4..ee0e454da 100644
--- a/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf
index 3361ca6a4..ee0e454da 100644
--- a/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf
index 3361ca6a4..ee0e454da 100644
--- a/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/carol/etc/strongswan.conf
index 5e93e0fe7..df11f5ea3 100644
--- a/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink fips-prf eap-aka eap-aka-3gpp2 eap-identity updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-aka eap-aka-3gpp2 eap-identity updown
 }
diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/moon/etc/strongswan.conf
index 5e93e0fe7..df11f5ea3 100644
--- a/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink fips-prf eap-aka eap-aka-3gpp2 eap-identity updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-aka eap-aka-3gpp2 eap-identity updown
 }
diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf
index cc2bb91d2..eef03e3b4 100644
--- a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink fips-prf eap-aka eap-aka-3gpp2 updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-aka eap-aka-3gpp2 updown
 }
diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf
index cc2bb91d2..eef03e3b4 100644
--- a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink fips-prf eap-aka eap-aka-3gpp2 updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-aka eap-aka-3gpp2 updown
 }
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/strongswan.conf
index 6922ecc15..6609a2115 100644
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink fips-prf eap-md5 eap-identity updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 eap-identity updown
 }
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/strongswan.conf
index 9f3c6bfa3..f0e7da85e 100644
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink fips-prf eap-radius eap-identity updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius eap-identity updown
   plugins {
     eap-radius {
       secret = gv6URkSs
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/strongswan.conf
index 6495d6f6a..6fcf5999e 100644
--- a/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink fips-prf eap-md5 updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 updown
 }
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/strongswan.conf
index af2bc1675..a7f7b99ec 100644
--- a/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink fips-prf eap-radius updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius updown
   plugins {
     eap-radius {
       secret = gv6URkSs 
diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf
index 6495d6f6a..6fcf5999e 100644
--- a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink fips-prf eap-md5 updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 updown
 }
diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf
index 6495d6f6a..6fcf5999e 100644
--- a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink fips-prf eap-md5 updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 updown
 }
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/carol/etc/strongswan.conf
index 921db4c51..8d2f57828 100644
--- a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md4 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink fips-prf eap-mschapv2 eap-identity updown
+  load = curl aes des sha1 sha2 md4 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-mschapv2 eap-identity updown
 }
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/moon/etc/strongswan.conf
index 921db4c51..8d2f57828 100644
--- a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md4 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink fips-prf eap-mschapv2 eap-identity updown
+  load = curl aes des sha1 sha2 md4 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-mschapv2 eap-identity updown
 }
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/strongswan.conf
index 49f69ff0c..2435403a4 100644
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink fips-prf eap-sim eap-sim-file eap-identity updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file eap-identity updown
 }
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/strongswan.conf
index 9f3c6bfa3..f0e7da85e 100644
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink fips-prf eap-radius eap-identity updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius eap-identity updown
   plugins {
     eap-radius {
       secret = gv6URkSs
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/carol/etc/strongswan.conf
index fa662875d..e4ef757fb 100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/carol/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink fips-prf eap-sim eap-sim-file updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
   send_vendor_id = yes
 }
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/dave/etc/strongswan.conf
index fa662875d..e4ef757fb 100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/dave/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink fips-prf eap-sim eap-sim-file updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
   send_vendor_id = yes
 }
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/strongswan.conf
index ac8f98b70..d77218b77 100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink fips-prf eap-radius updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius updown
   send_vendor_id = yes
   plugins {
     eap-radius {
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-radius/hosts/carol/etc/strongswan.conf
index fcb1cf201..6e1818c9e 100644
--- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink fips-prf eap-sim eap-sim-file updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
 }
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/strongswan.conf
index fcb1cf201..6e1818c9e 100644
--- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink fips-prf eap-sim eap-sim-file updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
 }
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/strongswan.conf
index af2bc1675..a7f7b99ec 100644
--- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink fips-prf eap-radius updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius updown
   plugins {
     eap-radius {
       secret = gv6URkSs 
diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf
index fcb1cf201..6e1818c9e 100644
--- a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink fips-prf eap-sim eap-sim-file updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
 }
diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf
index fcb1cf201..6e1818c9e 100644
--- a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink fips-prf eap-sim eap-sim-file updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
 }
diff --git a/testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/strongswan.conf
index 4732113fa..b71db18dd 100644
--- a/testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/strongswan.conf
index 4732113fa..b71db18dd 100644
--- a/testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/strongswan.conf
index 4732113fa..b71db18dd 100644
--- a/testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-psk-fqdn/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-fqdn/hosts/carol/etc/strongswan.conf
index f82f32d1d..882ea04a5 100644
--- a/testing/tests/ikev2/rw-psk-fqdn/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-fqdn/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink updown
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-psk-fqdn/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-fqdn/hosts/dave/etc/strongswan.conf
index f82f32d1d..882ea04a5 100644
--- a/testing/tests/ikev2/rw-psk-fqdn/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-fqdn/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink updown
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-psk-fqdn/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-fqdn/hosts/moon/etc/strongswan.conf
index f82f32d1d..882ea04a5 100644
--- a/testing/tests/ikev2/rw-psk-fqdn/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-fqdn/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink updown
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
index f82f32d1d..882ea04a5 100644
--- a/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink updown
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
index f82f32d1d..882ea04a5 100644
--- a/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink updown
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
index f82f32d1d..882ea04a5 100644
--- a/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink updown
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-psk-no-idr/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-no-idr/hosts/carol/etc/strongswan.conf
index f82f32d1d..882ea04a5 100644
--- a/testing/tests/ikev2/rw-psk-no-idr/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-no-idr/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink updown
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-psk-no-idr/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-no-idr/hosts/dave/etc/strongswan.conf
index f82f32d1d..882ea04a5 100644
--- a/testing/tests/ikev2/rw-psk-no-idr/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-no-idr/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink updown
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-psk-no-idr/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-no-idr/hosts/moon/etc/strongswan.conf
index f82f32d1d..882ea04a5 100644
--- a/testing/tests/ikev2/rw-psk-no-idr/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-no-idr/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink updown
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/strongswan.conf
index 06b1e9f48..de9ae45cc 100644
--- a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/strongswan.conf
index 06b1e9f48..de9ae45cc 100644
--- a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/strongswan.conf
index 06b1e9f48..de9ae45cc 100644
--- a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf
index 06b1e9f48..de9ae45cc 100644
--- a/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf
index 06b1e9f48..de9ae45cc 100644
--- a/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf
index 06b1e9f48..de9ae45cc 100644
--- a/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/strongswan.conf
index 06b1e9f48..de9ae45cc 100644
--- a/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/strongswan.conf
index 06b1e9f48..de9ae45cc 100644
--- a/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/strongswan.conf
index 06b1e9f48..de9ae45cc 100644
--- a/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/two-certs/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/two-certs/hosts/carol/etc/strongswan.conf
index 06b1e9f48..de9ae45cc 100644
--- a/testing/tests/ikev2/two-certs/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/two-certs/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/two-certs/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/two-certs/hosts/moon/etc/strongswan.conf
index 06b1e9f48..de9ae45cc 100644
--- a/testing/tests/ikev2/two-certs/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/two-certs/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/virtual-ip-override/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/virtual-ip-override/hosts/carol/etc/strongswan.conf
index 06b1e9f48..de9ae45cc 100644
--- a/testing/tests/ikev2/virtual-ip-override/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/virtual-ip-override/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/virtual-ip-override/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/virtual-ip-override/hosts/dave/etc/strongswan.conf
index 06b1e9f48..de9ae45cc 100644
--- a/testing/tests/ikev2/virtual-ip-override/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/virtual-ip-override/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/virtual-ip-override/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/virtual-ip-override/hosts/moon/etc/strongswan.conf
index 06b1e9f48..de9ae45cc 100644
--- a/testing/tests/ikev2/virtual-ip-override/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/virtual-ip-override/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/virtual-ip/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/virtual-ip/hosts/carol/etc/strongswan.conf
index 06b1e9f48..de9ae45cc 100644
--- a/testing/tests/ikev2/virtual-ip/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/virtual-ip/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/virtual-ip/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/virtual-ip/hosts/dave/etc/strongswan.conf
index 06b1e9f48..de9ae45cc 100644
--- a/testing/tests/ikev2/virtual-ip/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/virtual-ip/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/virtual-ip/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/virtual-ip/hosts/moon/etc/strongswan.conf
index 06b1e9f48..de9ae45cc 100644
--- a/testing/tests/ikev2/virtual-ip/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/virtual-ip/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/wildcards/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/wildcards/hosts/carol/etc/strongswan.conf
index 572cf39cb..dd2df0670 100644
--- a/testing/tests/ikev2/wildcards/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/wildcards/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/wildcards/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/wildcards/hosts/dave/etc/strongswan.conf
index 572cf39cb..dd2df0670 100644
--- a/testing/tests/ikev2/wildcards/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/wildcards/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/wildcards/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/wildcards/hosts/moon/etc/strongswan.conf
index 572cf39cb..dd2df0670 100644
--- a/testing/tests/ikev2/wildcards/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/wildcards/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/strongswan.conf
index 4732113fa..b71db18dd 100644
--- a/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/strongswan.conf
index 4732113fa..b71db18dd 100644
--- a/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/strongswan.conf
index 4732113fa..b71db18dd 100644
--- a/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/strongswan.conf
index 4732113fa..b71db18dd 100644
--- a/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/strongswan.conf
index 4732113fa..b71db18dd 100644
--- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/strongswan.conf
index 4732113fa..b71db18dd 100644
--- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf
index c77902caa..29132e757 100644
--- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
   install_routes = no
 }
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/strongswan.conf
index 6e9280e41..73d687a0c 100644
--- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
   install_routes=no
 }
diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/strongswan.conf
index 4732113fa..b71db18dd 100644
--- a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/strongswan.conf
index 4732113fa..b71db18dd 100644
--- a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/strongswan.conf b/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/strongswan.conf
index 4732113fa..b71db18dd 100644
--- a/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/strongswan.conf b/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/strongswan.conf
index 4732113fa..b71db18dd 100644
--- a/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/strongswan.conf
index 4732113fa..b71db18dd 100644
--- a/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/strongswan.conf b/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/strongswan.conf
index f82f32d1d..882ea04a5 100644
--- a/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink updown
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/strongswan.conf b/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/strongswan.conf
index f82f32d1d..882ea04a5 100644
--- a/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink updown
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/strongswan.conf
index f82f32d1d..882ea04a5 100644
--- a/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink updown
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/strongswan.conf b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/strongswan.conf
index 4732113fa..b71db18dd 100644
--- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/strongswan.conf b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/strongswan.conf
index 4732113fa..b71db18dd 100644
--- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/strongswan.conf
index 4732113fa..b71db18dd 100644
--- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/strongswan.conf
index 4732113fa..b71db18dd 100644
--- a/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/strongswan.conf
index 4732113fa..b71db18dd 100644
--- a/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf
index 97526cf99..807ca9411 100644
--- a/testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl pem pkcs1 openssl random x509 hmac stroke kernel-netlink updown
+  load = curl pem pkcs1 openssl random x509 hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf
index 97526cf99..807ca9411 100644
--- a/testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl pem pkcs1 openssl random x509 hmac stroke kernel-netlink updown
+  load = curl pem pkcs1 openssl random x509 hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf
index 97526cf99..807ca9411 100644
--- a/testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl pem pkcs1 openssl random x509 hmac stroke kernel-netlink updown
+  load = curl pem pkcs1 openssl random x509 hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf
index dd817a963..6420b3414 100644
--- a/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl pem pkcs1 openssl random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl pem pkcs1 openssl random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf
index dd817a963..6420b3414 100644
--- a/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl pem pkcs1 openssl random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl pem pkcs1 openssl random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/strongswan.conf
index 52a4e0d52..b8038df01 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl pem pkcs1 openssl random x509 hmac stroke kernel-netlink updown
+  load = curl pem pkcs1 openssl random x509 hmac stroke kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/strongswan.conf
index 20d891cdc..f988d90b4 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp pem pkcs1 openssl random x509 hmac stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp pem pkcs1 openssl random x509 hmac stroke kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/strongswan.conf
index 52a4e0d52..b8038df01 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl pem pkcs1 openssl random x509 hmac stroke kernel-netlink updown
+  load = curl pem pkcs1 openssl random x509 hmac stroke kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/strongswan.conf
index 52a4e0d52..b8038df01 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl pem pkcs1 openssl random x509 hmac stroke kernel-netlink updown
+  load = curl pem pkcs1 openssl random x509 hmac stroke kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/strongswan.conf
index 20d891cdc..f988d90b4 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp pem pkcs1 openssl random x509 hmac stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp pem pkcs1 openssl random x509 hmac stroke kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/strongswan.conf
index 52a4e0d52..b8038df01 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl pem pkcs1 openssl random x509 hmac stroke kernel-netlink updown
+  load = curl pem pkcs1 openssl random x509 hmac stroke kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/strongswan.conf
index 97526cf99..807ca9411 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl pem pkcs1 openssl random x509 hmac stroke kernel-netlink updown
+  load = curl pem pkcs1 openssl random x509 hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/strongswan.conf
index 97526cf99..807ca9411 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl pem pkcs1 openssl random x509 hmac stroke kernel-netlink updown
+  load = curl pem pkcs1 openssl random x509 hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/strongswan.conf
index 97526cf99..807ca9411 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl pem pkcs1 openssl random x509 hmac stroke kernel-netlink updown
+  load = curl pem pkcs1 openssl random x509 hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
index 06480bae6..a442b244d 100644
--- a/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors pem pkcs1 openssl random x509 hmac stroke kernel-netlink updown
+  load = curl test-vectors pem pkcs1 openssl random x509 hmac stroke kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
index ab6f08e2d..6fcefc56a 100644
--- a/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac stroke kernel-netlink updown
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac stroke kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
index dbb64dbb4..aa50403d8 100644
--- a/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors pem pkcs1 openssl random x509 hmac stroke kernel-netlink updown
+  load = curl test-vectors pem pkcs1 openssl random x509 hmac stroke kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/strongswan.conf b/testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/strongswan.conf
index 06b1e9f48..de9ae45cc 100644
--- a/testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/p2pnat/behind-same-nat/hosts/carol/etc/strongswan.conf b/testing/tests/p2pnat/behind-same-nat/hosts/carol/etc/strongswan.conf
index 06b1e9f48..de9ae45cc 100644
--- a/testing/tests/p2pnat/behind-same-nat/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/p2pnat/behind-same-nat/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/strongswan.conf b/testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/strongswan.conf
index 06b1e9f48..de9ae45cc 100644
--- a/testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/strongswan.conf
+++ b/testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/strongswan.conf b/testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/strongswan.conf
index 06b1e9f48..de9ae45cc 100644
--- a/testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/p2pnat/medsrv-psk/hosts/bob/etc/strongswan.conf b/testing/tests/p2pnat/medsrv-psk/hosts/bob/etc/strongswan.conf
index 06b1e9f48..de9ae45cc 100644
--- a/testing/tests/p2pnat/medsrv-psk/hosts/bob/etc/strongswan.conf
+++ b/testing/tests/p2pnat/medsrv-psk/hosts/bob/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/p2pnat/medsrv-psk/hosts/carol/etc/strongswan.conf b/testing/tests/p2pnat/medsrv-psk/hosts/carol/etc/strongswan.conf
index 06b1e9f48..de9ae45cc 100644
--- a/testing/tests/p2pnat/medsrv-psk/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/p2pnat/medsrv-psk/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/alg-aes-xcbc/hosts/carol/etc/strongswan.conf b/testing/tests/pfkey/alg-aes-xcbc/hosts/carol/etc/strongswan.conf
index 0768c2bb5..1d17b3614 100644
--- a/testing/tests/pfkey/alg-aes-xcbc/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/pfkey/alg-aes-xcbc/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/alg-aes-xcbc/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/alg-aes-xcbc/hosts/moon/etc/strongswan.conf
index 0768c2bb5..1d17b3614 100644
--- a/testing/tests/pfkey/alg-aes-xcbc/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/pfkey/alg-aes-xcbc/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/alg-sha384/hosts/carol/etc/strongswan.conf b/testing/tests/pfkey/alg-sha384/hosts/carol/etc/strongswan.conf
index 0768c2bb5..1d17b3614 100644
--- a/testing/tests/pfkey/alg-sha384/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/pfkey/alg-sha384/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/alg-sha384/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/alg-sha384/hosts/moon/etc/strongswan.conf
index 0768c2bb5..1d17b3614 100644
--- a/testing/tests/pfkey/alg-sha384/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/pfkey/alg-sha384/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/alg-sha512/hosts/carol/etc/strongswan.conf b/testing/tests/pfkey/alg-sha512/hosts/carol/etc/strongswan.conf
index 0768c2bb5..1d17b3614 100644
--- a/testing/tests/pfkey/alg-sha512/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/pfkey/alg-sha512/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/alg-sha512/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/alg-sha512/hosts/moon/etc/strongswan.conf
index 0768c2bb5..1d17b3614 100644
--- a/testing/tests/pfkey/alg-sha512/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/pfkey/alg-sha512/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/esp-alg-null/hosts/carol/etc/strongswan.conf b/testing/tests/pfkey/esp-alg-null/hosts/carol/etc/strongswan.conf
index 0768c2bb5..1d17b3614 100644
--- a/testing/tests/pfkey/esp-alg-null/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/pfkey/esp-alg-null/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/esp-alg-null/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/esp-alg-null/hosts/moon/etc/strongswan.conf
index 0768c2bb5..1d17b3614 100644
--- a/testing/tests/pfkey/esp-alg-null/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/pfkey/esp-alg-null/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/host2host-transport/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/host2host-transport/hosts/moon/etc/strongswan.conf
index 0768c2bb5..1d17b3614 100644
--- a/testing/tests/pfkey/host2host-transport/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/pfkey/host2host-transport/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/host2host-transport/hosts/sun/etc/strongswan.conf b/testing/tests/pfkey/host2host-transport/hosts/sun/etc/strongswan.conf
index 0768c2bb5..1d17b3614 100644
--- a/testing/tests/pfkey/host2host-transport/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/pfkey/host2host-transport/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/nat-two-rw/hosts/alice/etc/strongswan.conf b/testing/tests/pfkey/nat-two-rw/hosts/alice/etc/strongswan.conf
index 0768c2bb5..1d17b3614 100644
--- a/testing/tests/pfkey/nat-two-rw/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/pfkey/nat-two-rw/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/nat-two-rw/hosts/sun/etc/strongswan.conf b/testing/tests/pfkey/nat-two-rw/hosts/sun/etc/strongswan.conf
index 0768c2bb5..1d17b3614 100644
--- a/testing/tests/pfkey/nat-two-rw/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/pfkey/nat-two-rw/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/nat-two-rw/hosts/venus/etc/strongswan.conf b/testing/tests/pfkey/nat-two-rw/hosts/venus/etc/strongswan.conf
index 0768c2bb5..1d17b3614 100644
--- a/testing/tests/pfkey/nat-two-rw/hosts/venus/etc/strongswan.conf
+++ b/testing/tests/pfkey/nat-two-rw/hosts/venus/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/net2net-route/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/net2net-route/hosts/moon/etc/strongswan.conf
index 0768c2bb5..1d17b3614 100644
--- a/testing/tests/pfkey/net2net-route/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/pfkey/net2net-route/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/net2net-route/hosts/sun/etc/strongswan.conf b/testing/tests/pfkey/net2net-route/hosts/sun/etc/strongswan.conf
index 0768c2bb5..1d17b3614 100644
--- a/testing/tests/pfkey/net2net-route/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/pfkey/net2net-route/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/protoport-dual/hosts/carol/etc/strongswan.conf b/testing/tests/pfkey/protoport-dual/hosts/carol/etc/strongswan.conf
index 0768c2bb5..1d17b3614 100644
--- a/testing/tests/pfkey/protoport-dual/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/pfkey/protoport-dual/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/protoport-dual/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/protoport-dual/hosts/moon/etc/strongswan.conf
index 0768c2bb5..1d17b3614 100644
--- a/testing/tests/pfkey/protoport-dual/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/pfkey/protoport-dual/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/protoport-route/hosts/carol/etc/strongswan.conf b/testing/tests/pfkey/protoport-route/hosts/carol/etc/strongswan.conf
index 0768c2bb5..1d17b3614 100644
--- a/testing/tests/pfkey/protoport-route/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/pfkey/protoport-route/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/protoport-route/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/protoport-route/hosts/moon/etc/strongswan.conf
index 0768c2bb5..1d17b3614 100644
--- a/testing/tests/pfkey/protoport-route/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/pfkey/protoport-route/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/pfkey/rw-cert/hosts/carol/etc/strongswan.conf
index 867d256bb..7d8cda47e 100644
--- a/testing/tests/pfkey/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/pfkey/rw-cert/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink updown
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/pfkey/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/pfkey/rw-cert/hosts/dave/etc/strongswan.conf
index 867d256bb..7d8cda47e 100644
--- a/testing/tests/pfkey/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/pfkey/rw-cert/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink updown
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/pfkey/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/rw-cert/hosts/moon/etc/strongswan.conf
index 867d256bb..7d8cda47e 100644
--- a/testing/tests/pfkey/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/pfkey/rw-cert/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink updown
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/strongswan.conf
index f66e8ba8a..a0d88cff1 100644
--- a/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/strongswan.conf
index f66e8ba8a..a0d88cff1 100644
--- a/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/strongswan.conf
index e377047a4..e99a7c505 100644
--- a/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/strongswan.conf
@@ -6,10 +6,10 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown sqlite sql attr-sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql attr-sql
 }
 
-libstrongswan {
+libhydra {
   plugins {
     attr-sql {
       database = sqlite:///etc/ipsec.d/ipsec.db
diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/strongswan.conf
index f66e8ba8a..a0d88cff1 100644
--- a/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/strongswan.conf
index f66e8ba8a..a0d88cff1 100644
--- a/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/strongswan.conf
index e377047a4..e99a7c505 100644
--- a/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/strongswan.conf
@@ -6,10 +6,10 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown sqlite sql attr-sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql attr-sql
 }
 
-libstrongswan {
+libhydra {
   plugins {
     attr-sql {
       database = sqlite:///etc/ipsec.d/ipsec.db
diff --git a/testing/tests/sql/ip-pool-db-restart/pretest.dat b/testing/tests/sql/ip-pool-db-restart/pretest.dat
index 1d64321b5..b5108051c 100644
--- a/testing/tests/sql/ip-pool-db-restart/pretest.dat
+++ b/testing/tests/sql/ip-pool-db-restart/pretest.dat
@@ -17,3 +17,4 @@ dave::ipsec start
 carol::sleep 1
 dave::ipsec up home
 carol::ipsec up home
+carol::sleep 1
diff --git a/testing/tests/sql/ip-pool-db/hosts/carol/etc/strongswan.conf b/testing/tests/sql/ip-pool-db/hosts/carol/etc/strongswan.conf
index 9df154ee2..aed370ffa 100644
--- a/testing/tests/sql/ip-pool-db/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/ip-pool-db/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown sqlite sql resolve
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql resolve
 }
diff --git a/testing/tests/sql/ip-pool-db/hosts/dave/etc/strongswan.conf b/testing/tests/sql/ip-pool-db/hosts/dave/etc/strongswan.conf
index 9df154ee2..aed370ffa 100644
--- a/testing/tests/sql/ip-pool-db/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/ip-pool-db/hosts/dave/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown sqlite sql resolve
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql resolve
 }
diff --git a/testing/tests/sql/ip-pool-db/hosts/moon/etc/strongswan.conf b/testing/tests/sql/ip-pool-db/hosts/moon/etc/strongswan.conf
index e377047a4..e99a7c505 100644
--- a/testing/tests/sql/ip-pool-db/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/ip-pool-db/hosts/moon/etc/strongswan.conf
@@ -6,10 +6,10 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown sqlite sql attr-sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql attr-sql
 }
 
-libstrongswan {
+libhydra {
   plugins {
     attr-sql {
       database = sqlite:///etc/ipsec.d/ipsec.db
diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/strongswan.conf b/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/strongswan.conf
index f66e8ba8a..a0d88cff1 100644
--- a/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/strongswan.conf b/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/strongswan.conf
index f66e8ba8a..a0d88cff1 100644
--- a/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/strongswan.conf b/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/strongswan.conf
index e377047a4..e99a7c505 100644
--- a/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/strongswan.conf
@@ -6,10 +6,10 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown sqlite sql attr-sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql attr-sql
 }
 
-libstrongswan {
+libhydra {
   plugins {
     attr-sql {
       database = sqlite:///etc/ipsec.d/ipsec.db
diff --git a/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/strongswan.conf b/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/strongswan.conf
index f66e8ba8a..a0d88cff1 100644
--- a/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/strongswan.conf b/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/strongswan.conf
index f66e8ba8a..a0d88cff1 100644
--- a/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/strongswan.conf b/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/strongswan.conf
index e377047a4..e99a7c505 100644
--- a/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/strongswan.conf
@@ -6,10 +6,10 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown sqlite sql attr-sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql attr-sql
 }
 
-libstrongswan {
+libhydra {
   plugins {
     attr-sql {
       database = sqlite:///etc/ipsec.d/ipsec.db
diff --git a/testing/tests/sql/net2net-cert/hosts/moon/etc/strongswan.conf b/testing/tests/sql/net2net-cert/hosts/moon/etc/strongswan.conf
index f66e8ba8a..a0d88cff1 100644
--- a/testing/tests/sql/net2net-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/net2net-cert/hosts/moon/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/net2net-cert/hosts/sun/etc/strongswan.conf b/testing/tests/sql/net2net-cert/hosts/sun/etc/strongswan.conf
index f66e8ba8a..a0d88cff1 100644
--- a/testing/tests/sql/net2net-cert/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/sql/net2net-cert/hosts/sun/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/net2net-psk/hosts/moon/etc/strongswan.conf b/testing/tests/sql/net2net-psk/hosts/moon/etc/strongswan.conf
index 4d7891f5c..0dd41b380 100644
--- a/testing/tests/sql/net2net-psk/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/net2net-psk/hosts/moon/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink updown sqlite sql
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/net2net-psk/hosts/sun/etc/strongswan.conf b/testing/tests/sql/net2net-psk/hosts/sun/etc/strongswan.conf
index 4d7891f5c..0dd41b380 100644
--- a/testing/tests/sql/net2net-psk/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/sql/net2net-psk/hosts/sun/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink updown sqlite sql
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf
index 66be5fab4..49de2788e 100644
--- a/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf
@@ -6,7 +6,7 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown sqlite sql
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
 }
 
 libstrongswan {
diff --git a/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf
index 66be5fab4..49de2788e 100644
--- a/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf
@@ -6,7 +6,7 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown sqlite sql
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
 }
 
 libstrongswan {
diff --git a/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf
index 66be5fab4..49de2788e 100644
--- a/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf
@@ -6,7 +6,7 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown sqlite sql
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
 }
 
 libstrongswan {
diff --git a/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf
index c45b3ebd8..a5a7d2017 100644
--- a/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db
     }
   }
-  load = curl aes des sha1 sha2 md5 fips-prf pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown sqlite sql eap-aka eap-aka-3gpp2
+  load = curl aes des sha1 sha2 md5 fips-prf pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql eap-aka eap-aka-3gpp2
 }
diff --git a/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf
index d892e54ad..52de80b19 100644
--- a/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db
     }
   }
-  load = aes des sha1 sha2 md5 fips-prf pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown sqlite sql eap-aka eap-aka-3gpp2
+  load = aes des sha1 sha2 md5 fips-prf pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql eap-aka eap-aka-3gpp2
 }
diff --git a/testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
index 4d7891f5c..0dd41b380 100644
--- a/testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink updown sqlite sql
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
index 4d7891f5c..0dd41b380 100644
--- a/testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink updown sqlite sql
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
index 4d7891f5c..0dd41b380 100644
--- a/testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink updown sqlite sql
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/strongswan.conf
index 4d7891f5c..0dd41b380 100644
--- a/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink updown sqlite sql
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/strongswan.conf
index 4d7891f5c..0dd41b380 100644
--- a/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink updown sqlite sql
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/strongswan.conf
index 4d7891f5c..0dd41b380 100644
--- a/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink updown sqlite sql
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf
index f66e8ba8a..a0d88cff1 100644
--- a/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf
index f66e8ba8a..a0d88cff1 100644
--- a/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf
index f66e8ba8a..a0d88cff1 100644
--- a/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/strongswan.conf
index ab0431b00..6e6641fa5 100644
--- a/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random x509 hmac xcbc stroke kernel-netlink updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/strongswan.conf
index ab0431b00..6e6641fa5 100644
--- a/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random x509 hmac xcbc stroke kernel-netlink updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/strongswan.conf
index ab0431b00..6e6641fa5 100644
--- a/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random x509 hmac xcbc stroke kernel-netlink updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-rsa/hosts/carol/etc/strongswan.conf
index ab0431b00..6e6641fa5 100644
--- a/testing/tests/sql/rw-rsa/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/rw-rsa/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random x509 hmac xcbc stroke kernel-netlink updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-rsa/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-rsa/hosts/dave/etc/strongswan.conf
index ab0431b00..6e6641fa5 100644
--- a/testing/tests/sql/rw-rsa/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/rw-rsa/hosts/dave/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random x509 hmac xcbc stroke kernel-netlink updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-rsa/hosts/moon/etc/strongswan.conf
index ab0431b00..6e6641fa5 100644
--- a/testing/tests/sql/rw-rsa/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/rw-rsa/hosts/moon/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random x509 hmac xcbc stroke kernel-netlink updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
 }
-- 
cgit v1.2.3


From b8064f4099997a9e2179f3ad4ace605f5ccac3a1 Mon Sep 17 00:00:00 2001
From: Rene Mayrhofer <rene@mayrhofer.eu.org>
Date: Mon, 9 Aug 2010 08:09:54 +0000
Subject: [svn-upgrade] new version strongswan (4.4.1)

---
 Android.mk                                         |   17 +-
 Android.mk.in                                      |   15 +-
 Makefile.am                                        |    5 +-
 Makefile.in                                        |   50 +-
 NEWS                                               |   49 +
 aclocal.m4                                         |   10 +-
 config.guess                                       |   58 +-
 config.sub                                         |   15 +-
 configure                                          |  565 +++++--
 configure.in                                       |   65 +-
 ltmain.sh                                          |    8 +-
 m4/config/libtool.m4                               |   13 +-
 m4/config/ltversion.m4                             |   10 +-
 scripts/Makefile.in                                |    2 +-
 scripts/key2keyid.c                                |   16 +-
 scripts/keyid2sql.c                                |    4 +-
 src/Makefile.in                                    |    6 +-
 src/_copyright/Makefile.in                         |    2 +-
 src/_updown/Makefile.in                            |    2 +-
 src/_updown/_updown.in                             |   13 +
 src/_updown_espmark/Makefile.in                    |    2 +-
 src/_updown_espmark/_updown_espmark                |   13 +
 src/charon/Makefile.in                             |    2 +-
 src/charon/charon.c                                |   61 +-
 src/checksum/Makefile.am                           |    1 +
 src/checksum/Makefile.in                           |    7 +-
 src/checksum/checksum_builder.c                    |    3 +
 src/dumm/Makefile.in                               |    2 +-
 src/include/Makefile.in                            |    2 +-
 src/include/linux/xfrm.h                           |   39 +-
 src/ipsec/Makefile.am                              |   11 +-
 src/ipsec/Makefile.in                              |   13 +-
 src/ipsec/ipsec.8                                  |  373 ++---
 src/ipsec/ipsec.8.in                               |  302 ++++
 src/libcharon/Android.mk                           |   17 +-
 src/libcharon/Makefile.am                          |   34 +-
 src/libcharon/Makefile.in                          |  251 ++-
 src/libcharon/bus/bus.c                            |  212 ++-
 src/libcharon/bus/bus.h                            |   42 +-
 src/libcharon/bus/listeners/file_logger.c          |   32 +-
 src/libcharon/bus/listeners/file_logger.h          |    7 +-
 src/libcharon/bus/listeners/listener.h             |   19 +-
 src/libcharon/bus/listeners/sys_logger.c           |    1 +
 src/libcharon/bus/listeners/sys_logger.h           |    2 -
 src/libcharon/config/auth_cfg.c                    |  768 ---------
 src/libcharon/config/auth_cfg.h                    |  201 ---
 src/libcharon/config/child_cfg.c                   |   58 +-
 src/libcharon/config/child_cfg.h                   |   34 +-
 src/libcharon/config/peer_cfg.h                    |    2 +-
 src/libcharon/credentials/credential_manager.c     | 1681 --------------------
 src/libcharon/credentials/credential_manager.h     |  203 ---
 src/libcharon/credentials/credential_set.h         |  108 --
 src/libcharon/credentials/sets/auth_cfg_wrapper.c  |  223 ---
 src/libcharon/credentials/sets/auth_cfg_wrapper.h  |   53 -
 src/libcharon/credentials/sets/cert_cache.c        |  390 -----
 src/libcharon/credentials/sets/cert_cache.h        |   71 -
 .../credentials/sets/ocsp_response_wrapper.c       |  147 --
 .../credentials/sets/ocsp_response_wrapper.h       |   53 -
 src/libcharon/daemon.c                             |   60 +-
 src/libcharon/daemon.h                             |   12 -
 src/libcharon/encoding/message.c                   |   34 +
 src/libcharon/encoding/payloads/cert_payload.c     |    7 +-
 src/libcharon/kernel/kernel_interface.c            |   36 +-
 src/libcharon/kernel/kernel_interface.h            |   26 +-
 src/libcharon/kernel/kernel_ipsec.h                |   26 +-
 src/libcharon/network/receiver.c                   |   51 +-
 src/libcharon/network/sender.c                     |   41 +-
 src/libcharon/plugins/addrblock/Makefile.am        |   18 +
 src/libcharon/plugins/addrblock/Makefile.in        |  592 +++++++
 src/libcharon/plugins/addrblock/addrblock_narrow.c |  154 ++
 src/libcharon/plugins/addrblock/addrblock_narrow.h |   49 +
 src/libcharon/plugins/addrblock/addrblock_plugin.c |   72 +
 src/libcharon/plugins/addrblock/addrblock_plugin.h |   42 +
 .../plugins/addrblock/addrblock_validator.c        |  124 ++
 .../plugins/addrblock/addrblock_validator.h        |   49 +
 src/libcharon/plugins/android/Makefile.am          |    5 +-
 src/libcharon/plugins/android/Makefile.in          |   13 +-
 src/libcharon/plugins/android/android_creds.c      |  294 ++++
 src/libcharon/plugins/android/android_creds.h      |   73 +
 src/libcharon/plugins/android/android_handler.c    |    4 +-
 src/libcharon/plugins/android/android_logger.c     |   96 ++
 src/libcharon/plugins/android/android_logger.h     |   52 +
 src/libcharon/plugins/android/android_plugin.c     |   41 +-
 src/libcharon/plugins/android/android_service.c    |  385 +++++
 src/libcharon/plugins/android/android_service.h    |   54 +
 src/libcharon/plugins/dhcp/Makefile.in             |    2 +-
 src/libcharon/plugins/dhcp/dhcp_provider.c         |    3 +-
 src/libcharon/plugins/eap_aka/Makefile.in          |    2 +-
 src/libcharon/plugins/eap_aka/eap_aka_peer.c       |    1 -
 src/libcharon/plugins/eap_aka_3gpp2/Makefile.in    |    2 +-
 .../plugins/eap_aka_3gpp2/eap_aka_3gpp2_provider.c |    3 +-
 src/libcharon/plugins/eap_gtc/Makefile.in          |    2 +-
 src/libcharon/plugins/eap_gtc/eap_gtc.c            |    4 +-
 src/libcharon/plugins/eap_identity/Makefile.in     |    2 +-
 src/libcharon/plugins/eap_md5/Makefile.in          |    2 +-
 src/libcharon/plugins/eap_md5/eap_md5.c            |    3 +-
 src/libcharon/plugins/eap_mschapv2/Makefile.in     |    2 +-
 src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c  |    8 +-
 src/libcharon/plugins/eap_radius/Makefile.am       |    2 +
 src/libcharon/plugins/eap_radius/Makefile.in       |    9 +-
 src/libcharon/plugins/eap_radius/eap_radius.c      |  131 +-
 .../plugins/eap_radius/eap_radius_plugin.c         |  150 +-
 .../plugins/eap_radius/eap_radius_plugin.h         |    8 +
 src/libcharon/plugins/eap_radius/radius_client.c   |  464 +-----
 src/libcharon/plugins/eap_radius/radius_client.h   |   34 +-
 src/libcharon/plugins/eap_radius/radius_message.c  |  123 +-
 src/libcharon/plugins/eap_radius/radius_server.c   |  212 +++
 src/libcharon/plugins/eap_radius/radius_server.h   |   88 +
 src/libcharon/plugins/eap_radius/radius_socket.c   |  309 ++++
 src/libcharon/plugins/eap_radius/radius_socket.h   |   74 +
 src/libcharon/plugins/eap_sim/Makefile.in          |    2 +-
 src/libcharon/plugins/eap_sim/eap_sim_peer.c       |    1 -
 src/libcharon/plugins/eap_sim_file/Makefile.in     |    2 +-
 .../plugins/eap_simaka_pseudonym/Makefile.in       |    2 +-
 .../plugins/eap_simaka_reauth/Makefile.in          |    2 +-
 src/libcharon/plugins/eap_simaka_sql/Makefile.am   |   18 +
 src/libcharon/plugins/eap_simaka_sql/Makefile.in   |  592 +++++++
 .../plugins/eap_simaka_sql/eap_simaka_sql_card.c   |  177 +++
 .../plugins/eap_simaka_sql/eap_simaka_sql_card.h   |   54 +
 .../plugins/eap_simaka_sql/eap_simaka_sql_plugin.c |  100 ++
 .../plugins/eap_simaka_sql/eap_simaka_sql_plugin.h |   42 +
 .../eap_simaka_sql/eap_simaka_sql_provider.c       |  180 +++
 .../eap_simaka_sql/eap_simaka_sql_provider.h       |   54 +
 src/libcharon/plugins/farp/Makefile.in             |    2 +-
 src/libcharon/plugins/farp/farp_spoofer.c          |    4 +-
 src/libcharon/plugins/ha/Makefile.am               |    4 +-
 src/libcharon/plugins/ha/Makefile.in               |   11 +-
 src/libcharon/plugins/ha/ha_attribute.c            |  364 +++++
 src/libcharon/plugins/ha/ha_attribute.h            |   60 +
 src/libcharon/plugins/ha/ha_cache.c                |  362 +++++
 src/libcharon/plugins/ha/ha_cache.h                |   78 +
 src/libcharon/plugins/ha/ha_child.c                |   84 +-
 src/libcharon/plugins/ha/ha_child.h                |   12 +-
 src/libcharon/plugins/ha/ha_ctl.c                  |   26 +-
 src/libcharon/plugins/ha/ha_ctl.h                  |    6 +-
 src/libcharon/plugins/ha/ha_dispatcher.c           |  209 ++-
 src/libcharon/plugins/ha/ha_dispatcher.h           |   11 +-
 src/libcharon/plugins/ha/ha_ike.c                  |  101 +-
 src/libcharon/plugins/ha/ha_ike.h                  |   11 +-
 src/libcharon/plugins/ha/ha_kernel.c               |   96 +-
 src/libcharon/plugins/ha/ha_kernel.h               |   28 +-
 src/libcharon/plugins/ha/ha_message.c              |  102 +-
 src/libcharon/plugins/ha/ha_message.h              |   26 +-
 src/libcharon/plugins/ha/ha_plugin.c               |   45 +-
 src/libcharon/plugins/ha/ha_plugin.h               |    2 +-
 src/libcharon/plugins/ha/ha_segments.c             |  220 +--
 src/libcharon/plugins/ha/ha_segments.h             |   23 +-
 src/libcharon/plugins/ha/ha_socket.c               |   58 +-
 src/libcharon/plugins/ha/ha_socket.h               |    4 +-
 src/libcharon/plugins/ha/ha_tunnel.c               |   78 +-
 src/libcharon/plugins/ha/ha_tunnel.h               |    2 +-
 src/libcharon/plugins/kernel_klips/Makefile.in     |    2 +-
 .../plugins/kernel_klips/kernel_klips_ipsec.c      |   27 +-
 src/libcharon/plugins/kernel_netlink/Makefile.in   |    2 +-
 .../plugins/kernel_netlink/kernel_netlink_ipsec.c  |  323 +++-
 src/libcharon/plugins/kernel_pfkey/Makefile.in     |    2 +-
 .../plugins/kernel_pfkey/kernel_pfkey_ipsec.c      |  125 +-
 src/libcharon/plugins/kernel_pfroute/Makefile.in   |    2 +-
 src/libcharon/plugins/load_tester/Makefile.in      |    2 +-
 .../plugins/load_tester/load_tester_config.c       |    5 +-
 .../plugins/load_tester/load_tester_ipsec.c        |  154 +-
 .../plugins/load_tester/load_tester_plugin.c       |    4 +-
 src/libcharon/plugins/medcli/Makefile.in           |    2 +-
 src/libcharon/plugins/medcli/medcli_config.c       |    8 +-
 src/libcharon/plugins/medcli/medcli_plugin.c       |    4 +-
 src/libcharon/plugins/medsrv/Makefile.in           |    2 +-
 src/libcharon/plugins/medsrv/medsrv_plugin.c       |    4 +-
 src/libcharon/plugins/nm/Makefile.in               |    2 +-
 src/libcharon/plugins/nm/nm_plugin.c               |    4 +-
 src/libcharon/plugins/nm/nm_service.c              |    3 +-
 src/libcharon/plugins/resolve/Makefile.am          |   18 -
 src/libcharon/plugins/resolve/Makefile.in          |  591 -------
 src/libcharon/plugins/resolve/resolve_handler.c    |  251 ---
 src/libcharon/plugins/resolve/resolve_handler.h    |   49 -
 src/libcharon/plugins/resolve/resolve_plugin.c     |   62 -
 src/libcharon/plugins/resolve/resolve_plugin.h     |   42 -
 src/libcharon/plugins/smp/Makefile.in              |    2 +-
 src/libcharon/plugins/socket_default/Makefile.in   |    2 +-
 src/libcharon/plugins/socket_dynamic/Makefile.in   |    2 +-
 src/libcharon/plugins/socket_raw/Makefile.in       |    2 +-
 .../plugins/socket_raw/socket_raw_socket.c         |   14 +-
 src/libcharon/plugins/sql/Makefile.in              |    2 +-
 src/libcharon/plugins/sql/sql_config.c             |    2 +-
 src/libcharon/plugins/sql/sql_plugin.c             |    4 +-
 src/libcharon/plugins/stroke/Makefile.in           |    2 +-
 src/libcharon/plugins/stroke/stroke_ca.c           |   23 +-
 src/libcharon/plugins/stroke/stroke_config.c       |   22 +-
 src/libcharon/plugins/stroke/stroke_control.c      |    5 +
 src/libcharon/plugins/stroke/stroke_cred.c         |   10 +-
 src/libcharon/plugins/stroke/stroke_list.c         |   59 +-
 src/libcharon/plugins/stroke/stroke_socket.c       |   11 +-
 src/libcharon/plugins/uci/Makefile.in              |    2 +-
 src/libcharon/plugins/uci/uci_config.c             |    3 +-
 src/libcharon/plugins/uci/uci_plugin.c             |    4 +-
 src/libcharon/plugins/unit_tester/Makefile.am      |    3 +-
 src/libcharon/plugins/unit_tester/Makefile.in      |   15 +-
 src/libcharon/plugins/unit_tester/tests.h          |    1 +
 .../plugins/unit_tester/tests/test_auth_info.c     |    2 +-
 .../plugins/unit_tester/tests/test_hashtable.c     |  111 ++
 .../plugins/unit_tester/tests/test_med_db.c        |    6 +-
 src/libcharon/plugins/updown/Makefile.in           |    2 +-
 src/libcharon/plugins/updown/updown_listener.c     |   71 +-
 src/libcharon/sa/authenticators/authenticator.c    |    7 -
 src/libcharon/sa/authenticators/authenticator.h    |   24 +-
 src/libcharon/sa/authenticators/eap/eap_method.c   |   38 -
 src/libcharon/sa/authenticators/eap/eap_method.h   |   30 -
 .../sa/authenticators/eap_authenticator.c          |   30 +-
 .../sa/authenticators/psk_authenticator.c          |    7 +-
 .../sa/authenticators/pubkey_authenticator.c       |    7 +-
 src/libcharon/sa/child_sa.c                        |  138 +-
 src/libcharon/sa/child_sa.h                        |   28 +
 src/libcharon/sa/ike_sa.c                          |  726 ++++-----
 src/libcharon/sa/ike_sa.h                          |   12 +-
 src/libcharon/sa/ike_sa_manager.c                  |   34 +-
 src/libcharon/sa/task_manager.c                    |  139 +-
 src/libcharon/sa/task_manager.h                    |   21 +
 src/libcharon/sa/tasks/child_create.c              |  111 +-
 src/libcharon/sa/tasks/child_delete.c              |    4 +-
 src/libcharon/sa/tasks/child_rekey.c               |   95 +-
 src/libcharon/sa/tasks/ike_auth.c                  |   12 +-
 src/libcharon/sa/tasks/ike_cert_post.c             |   10 +-
 src/libcharon/sa/tasks/ike_cert_pre.c              |   14 +-
 src/libcharon/sa/tasks/ike_config.c                |    4 +-
 src/libcharon/sa/tasks/ike_init.c                  |    1 +
 src/libcharon/sa/trap_manager.c                    |    2 +-
 src/libfast/Makefile.in                            |    2 +-
 src/libfast/request.c                              |    9 +
 src/libfast/request.h                              |    9 +
 src/libfreeswan/Makefile.in                        |    2 +-
 src/libhydra/Makefile.am                           |    7 +
 src/libhydra/Makefile.in                           |   21 +-
 src/libhydra/attributes/attribute_manager.c        |   11 +-
 src/libhydra/attributes/attribute_manager.h        |    3 +-
 src/libhydra/attributes/attribute_provider.h       |    3 +-
 src/libhydra/attributes/attributes.c               |   73 +-
 src/libhydra/attributes/attributes.h               |   66 +-
 src/libhydra/attributes/mem_pool.c                 |   13 +-
 src/libhydra/plugins/attr/Makefile.in              |    2 +-
 src/libhydra/plugins/attr/attr_provider.c          |   36 +-
 src/libhydra/plugins/attr_sql/Makefile.am          |    6 +-
 src/libhydra/plugins/attr_sql/Makefile.in          |   18 +-
 src/libhydra/plugins/attr_sql/pool.c               |  325 ++--
 src/libhydra/plugins/attr_sql/pool_attributes.c    |  715 +++++++++
 src/libhydra/plugins/attr_sql/pool_attributes.h    |   65 +
 src/libhydra/plugins/attr_sql/pool_usage.c         |  127 ++
 src/libhydra/plugins/attr_sql/pool_usage.h         |   26 +
 src/libhydra/plugins/attr_sql/sql_attribute.c      |  117 +-
 src/libhydra/plugins/resolve/Makefile.am           |   18 +
 src/libhydra/plugins/resolve/Makefile.in           |  591 +++++++
 src/libhydra/plugins/resolve/resolve_handler.c     |  252 +++
 src/libhydra/plugins/resolve/resolve_handler.h     |   49 +
 src/libhydra/plugins/resolve/resolve_plugin.c      |   62 +
 src/libhydra/plugins/resolve/resolve_plugin.h      |   42 +
 src/libsimaka/Makefile.in                          |    2 +-
 src/libstrongswan/Android.mk                       |   12 +-
 src/libstrongswan/Makefile.am                      |   15 +-
 src/libstrongswan/Makefile.in                      |  167 +-
 src/libstrongswan/asn1/asn1.c                      |    8 +-
 src/libstrongswan/chunk.c                          |   63 +
 src/libstrongswan/chunk.h                          |   12 +
 src/libstrongswan/credentials/auth_cfg.c           |  830 ++++++++++
 src/libstrongswan/credentials/auth_cfg.h           |  255 +++
 src/libstrongswan/credentials/builder.c            |    1 +
 src/libstrongswan/credentials/builder.h            |    2 +
 src/libstrongswan/credentials/cert_validator.h     |   51 +
 .../credentials/certificates/certificate.c         |   22 +
 .../credentials/certificates/certificate.h         |   26 +-
 src/libstrongswan/credentials/certificates/crl.c   |   28 +
 src/libstrongswan/credentials/certificates/crl.h   |   10 +-
 src/libstrongswan/credentials/certificates/x509.h  |    1 -
 src/libstrongswan/credentials/cred_encoding.c      |  300 ++++
 src/libstrongswan/credentials/cred_encoding.h      |  224 +++
 src/libstrongswan/credentials/credential_manager.c | 1097 +++++++++++++
 src/libstrongswan/credentials/credential_manager.h |  270 ++++
 src/libstrongswan/credentials/credential_set.h     |  108 ++
 .../credentials/ietf_attributes/ietf_attributes.c  |   13 +-
 src/libstrongswan/credentials/keys/key_encoding.c  |  299 ----
 src/libstrongswan/credentials/keys/key_encoding.h  |  203 ---
 src/libstrongswan/credentials/keys/private_key.c   |   12 +-
 src/libstrongswan/credentials/keys/private_key.h   |    9 +-
 src/libstrongswan/credentials/keys/public_key.c    |    8 +-
 src/libstrongswan/credentials/keys/public_key.h    |   11 +-
 .../credentials/sets/auth_cfg_wrapper.c            |  223 +++
 .../credentials/sets/auth_cfg_wrapper.h            |   53 +
 src/libstrongswan/credentials/sets/cert_cache.c    |  389 +++++
 src/libstrongswan/credentials/sets/cert_cache.h    |   71 +
 .../credentials/sets/ocsp_response_wrapper.c       |  146 ++
 .../credentials/sets/ocsp_response_wrapper.h       |   53 +
 src/libstrongswan/library.c                        |   22 +-
 src/libstrongswan/library.h                        |   15 +-
 src/libstrongswan/plugins/aes/Makefile.in          |    2 +-
 src/libstrongswan/plugins/agent/Makefile.in        |    2 +-
 .../plugins/agent/agent_private_key.c              |   10 +-
 src/libstrongswan/plugins/blowfish/Makefile.in     |    2 +-
 src/libstrongswan/plugins/curl/Makefile.in         |    2 +-
 src/libstrongswan/plugins/des/Makefile.in          |    2 +-
 src/libstrongswan/plugins/dnskey/Makefile.in       |    2 +-
 src/libstrongswan/plugins/fips_prf/Makefile.in     |    2 +-
 src/libstrongswan/plugins/gcrypt/Makefile.am       |    2 +-
 src/libstrongswan/plugins/gcrypt/Makefile.in       |    4 +-
 .../plugins/gcrypt/gcrypt_rsa_private_key.c        |   22 +-
 .../plugins/gcrypt/gcrypt_rsa_public_key.c         |   16 +-
 src/libstrongswan/plugins/gmp/Makefile.in          |    2 +-
 .../plugins/gmp/gmp_rsa_private_key.c              |   20 +-
 src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c |   12 +-
 src/libstrongswan/plugins/hmac/Makefile.in         |    2 +-
 src/libstrongswan/plugins/ldap/Makefile.in         |    2 +-
 src/libstrongswan/plugins/md4/Makefile.in          |    2 +-
 src/libstrongswan/plugins/md5/Makefile.in          |    2 +-
 src/libstrongswan/plugins/mysql/Makefile.in        |    2 +-
 src/libstrongswan/plugins/openssl/Makefile.am      |    4 +-
 src/libstrongswan/plugins/openssl/Makefile.in      |   10 +-
 src/libstrongswan/plugins/openssl/openssl_crl.c    |  530 ++++++
 src/libstrongswan/plugins/openssl/openssl_crl.h    |   48 +
 .../plugins/openssl/openssl_ec_diffie_hellman.c    |    6 +
 .../plugins/openssl/openssl_ec_private_key.c       |   27 +-
 .../plugins/openssl/openssl_ec_public_key.c        |   31 +-
 src/libstrongswan/plugins/openssl/openssl_plugin.c |   36 +-
 .../plugins/openssl/openssl_rsa_private_key.c      |   28 +-
 .../plugins/openssl/openssl_rsa_public_key.c       |   44 +-
 .../plugins/openssl/openssl_sha1_prf.h             |    2 +-
 src/libstrongswan/plugins/openssl/openssl_util.c   |   83 +-
 src/libstrongswan/plugins/openssl/openssl_util.h   |   56 +-
 src/libstrongswan/plugins/openssl/openssl_x509.c   |  871 ++++++++++
 src/libstrongswan/plugins/openssl/openssl_x509.h   |   50 +
 src/libstrongswan/plugins/padlock/Makefile.in      |    2 +-
 src/libstrongswan/plugins/pem/Makefile.in          |    2 +-
 src/libstrongswan/plugins/pem/pem_builder.c        |    2 +-
 src/libstrongswan/plugins/pem/pem_encoder.c        |   73 +-
 src/libstrongswan/plugins/pem/pem_encoder.h        |    4 +-
 src/libstrongswan/plugins/pgp/Makefile.in          |    2 +-
 src/libstrongswan/plugins/pgp/pgp_cert.c           |   38 +-
 src/libstrongswan/plugins/pgp/pgp_encoder.c        |   10 +-
 src/libstrongswan/plugins/pgp/pgp_encoder.h        |    4 +-
 src/libstrongswan/plugins/pkcs1/Makefile.in        |    2 +-
 src/libstrongswan/plugins/pkcs1/pkcs1_encoder.c    |   30 +-
 src/libstrongswan/plugins/pkcs1/pkcs1_encoder.h    |    4 +-
 src/libstrongswan/plugins/plugin_loader.c          |    3 +-
 src/libstrongswan/plugins/pubkey/Makefile.in       |    2 +-
 src/libstrongswan/plugins/pubkey/pubkey_cert.c     |   28 +-
 src/libstrongswan/plugins/random/Makefile.in       |    2 +-
 src/libstrongswan/plugins/revocation/Makefile.am   |   16 +
 src/libstrongswan/plugins/revocation/Makefile.in   |  588 +++++++
 .../plugins/revocation/revocation_plugin.c         |   61 +
 .../plugins/revocation/revocation_plugin.h         |   42 +
 .../plugins/revocation/revocation_validator.c      |  587 +++++++
 .../plugins/revocation/revocation_validator.h      |   49 +
 src/libstrongswan/plugins/sha1/Makefile.in         |    2 +-
 src/libstrongswan/plugins/sha2/Makefile.in         |    2 +-
 src/libstrongswan/plugins/sqlite/Makefile.in       |    2 +-
 src/libstrongswan/plugins/test_vectors/Makefile.in |    2 +-
 src/libstrongswan/plugins/x509/Makefile.in         |    2 +-
 src/libstrongswan/plugins/x509/x509_ac.c           |   42 +-
 src/libstrongswan/plugins/x509/x509_cert.c         |   56 +-
 src/libstrongswan/plugins/x509/x509_crl.c          |  366 +++--
 src/libstrongswan/plugins/x509/x509_crl.h          |    9 +
 src/libstrongswan/plugins/x509/x509_ocsp_request.c |   28 +-
 .../plugins/x509/x509_ocsp_response.c              |   42 +-
 src/libstrongswan/plugins/x509/x509_pkcs10.c       |   33 +-
 src/libstrongswan/plugins/x509/x509_plugin.c       |    4 +
 src/libstrongswan/plugins/xcbc/Makefile.in         |    2 +-
 src/libstrongswan/threading/lock_profiler.h        |    2 +-
 src/libstrongswan/utils/backtrace.c                |   42 +-
 src/libstrongswan/utils/backtrace.h                |    5 +-
 src/libstrongswan/utils/hashtable.c                |  135 +-
 src/libstrongswan/utils/hashtable.h                |   14 +-
 src/libstrongswan/utils/identification.c           |   16 +-
 src/libstrongswan/utils/identification.h           |    5 -
 src/libstrongswan/utils/leak_detective.c           |   61 +-
 src/libstrongswan/utils/leak_detective.h           |    9 +
 src/manager/Makefile.in                            |    2 +-
 src/medsrv/Makefile.in                             |    2 +-
 src/medsrv/controller/peer_controller.c            |    4 +-
 src/openac/Makefile.in                             |    2 +-
 src/openac/openac.c                                |   10 +-
 src/pki/Makefile.am                                |    2 +
 src/pki/Makefile.in                                |   37 +-
 src/pki/command.c                                  |    2 +-
 src/pki/commands/gen.c                             |    4 +-
 src/pki/commands/issue.c                           |   21 +-
 src/pki/commands/keyid.c                           |   12 +-
 src/pki/commands/print.c                           |  368 +++++
 src/pki/commands/pub.c                             |    4 +-
 src/pki/commands/req.c                             |   13 +-
 src/pki/commands/self.c                            |   33 +-
 src/pki/commands/signcrl.c                         |  382 +++++
 src/pki/pki.c                                      |   53 +-
 src/pki/pki.h                                      |    2 +-
 src/pluto/Makefile.am                              |   30 +-
 src/pluto/Makefile.in                              |  286 +++-
 src/pluto/ac.c                                     |    2 +-
 src/pluto/certs.c                                  |    4 +-
 src/pluto/connections.c                            |   73 +-
 src/pluto/connections.h                            |   13 +-
 src/pluto/constants.h                              |   39 -
 src/pluto/crl.c                                    |   14 +-
 src/pluto/demux.c                                  |    2 +-
 src/pluto/demux.h                                  |    7 +-
 src/pluto/dnskey.c                                 |    2 +-
 src/pluto/ipsec.secrets.5                          |  214 +--
 src/pluto/ipsec.secrets.5.in                       |  175 ++
 src/pluto/ipsec_doi.c                              |   78 +-
 src/pluto/kernel.c                                 |   24 +-
 src/pluto/keys.c                                   |  465 +++---
 src/pluto/keys.h                                   |   17 +-
 src/pluto/modecfg.c                                | 1378 ++++++++--------
 src/pluto/modecfg.h                                |   37 +-
 src/pluto/ocsp.c                                   |   18 +-
 src/pluto/pkcs7.c                                  |    5 +-
 src/pluto/plugins/xauth/Makefile.am                |   15 +
 src/pluto/plugins/xauth/Makefile.in                |  577 +++++++
 src/pluto/plugins/xauth/xauth_default_provider.c   |   66 +
 src/pluto/plugins/xauth/xauth_default_provider.h   |   33 +
 src/pluto/plugins/xauth/xauth_default_verifier.c   |   74 +
 src/pluto/plugins/xauth/xauth_default_verifier.h   |   33 +
 src/pluto/plugins/xauth/xauth_plugin.c             |   43 +
 src/pluto/plugins/xauth/xauth_plugin.h             |   42 +
 src/pluto/pluto.c                                  |   71 +
 src/pluto/pluto.h                                  |   69 +
 src/pluto/plutomain.c                              |   63 +-
 src/pluto/rcv_whack.c                              |    1 +
 src/pluto/state.h                                  |    5 +
 src/pluto/x509.c                                   |    8 +-
 src/pluto/x509.h                                   |    2 +
 src/pluto/xauth.c                                  |   77 -
 src/pluto/xauth.h                                  |   48 -
 src/pluto/xauth/xauth_manager.c                    |  127 ++
 src/pluto/xauth/xauth_manager.h                    |   80 +
 src/pluto/xauth/xauth_provider.h                   |   56 +
 src/pluto/xauth/xauth_verifier.h                   |   56 +
 src/scepclient/Makefile.in                         |    2 +-
 src/scepclient/scep.c                              |    2 +-
 src/scepclient/scepclient.c                        |   15 +-
 src/starter/Makefile.am                            |   12 +-
 src/starter/Makefile.in                            |   14 +-
 src/starter/args.c                                 |    5 +
 src/starter/cmp.c                                  |    4 +
 src/starter/confread.c                             |   55 +
 src/starter/confread.h                             |   11 +
 src/starter/ipsec.conf.5                           |  311 ++--
 src/starter/ipsec.conf.5.in                        | 1330 ++++++++++++++++
 src/starter/keywords.c                             |  256 +--
 src/starter/keywords.h                             |    7 +-
 src/starter/keywords.txt                           |    5 +
 src/starter/starter.c                              |   16 +
 src/starter/starterstroke.c                        |    5 +
 src/starter/starterwhack.c                         |    7 +
 src/stroke/Makefile.in                             |    2 +-
 src/stroke/stroke_msg.h                            |    5 +
 src/strongswan.conf                                |   15 +-
 src/whack/Makefile.in                              |    2 +-
 src/whack/whack.c                                  |    1 +
 src/whack/whack.h                                  |   56 +-
 testing/INSTALL                                    |   11 +-
 testing/Makefile.in                                |    2 +-
 testing/hosts/default/etc/ipsec.d/tables.sql       |   18 +-
 .../winnetou/etc/openssl/research/carolReq.pem     |   17 -
 .../hosts/winnetou/etc/openssl/research/index.txt  |    3 +-
 .../winnetou/etc/openssl/research/index.txt.old    |    5 +-
 .../winnetou/etc/openssl/research/newcerts/07.pem  |   88 +
 testing/hosts/winnetou/etc/openssl/research/serial |    2 +-
 .../hosts/winnetou/etc/openssl/research/serial.old |    2 +-
 testing/hosts/winnetou/etc/openssl/sales/index.txt |    3 +-
 .../hosts/winnetou/etc/openssl/sales/index.txt.old |    3 +-
 .../winnetou/etc/openssl/sales/newcerts/06.pem     |   88 +
 testing/hosts/winnetou/etc/openssl/sales/serial    |    2 +-
 .../hosts/winnetou/etc/openssl/sales/serial.old    |    2 +-
 testing/scripts/build-umlrootfs                    |    5 +
 testing/testing.conf                               |    3 +-
 .../alg-camellia/hosts/carol/etc/strongswan.conf   |    2 +-
 .../alg-camellia/hosts/moon/etc/strongswan.conf    |    2 +-
 .../rw-cert/hosts/carol/etc/strongswan.conf        |    2 +-
 .../rw-cert/hosts/dave/etc/strongswan.conf         |    2 +-
 .../rw-cert/hosts/moon/etc/strongswan.conf         |    2 +-
 .../ike/rw-cert/hosts/dave/etc/strongswan.conf     |    2 +-
 .../ike/rw-cert/hosts/moon/etc/strongswan.conf     |    2 +-
 .../rw_v1-net_v2/hosts/moon/etc/strongswan.conf    |    2 +-
 .../ike/rw_v1-net_v2/hosts/sun/etc/strongswan.conf |    2 +-
 testing/tests/ike2/description.txt                 |    6 -
 testing/tests/ike2/evaltest.dat                    |    8 -
 testing/tests/ike2/hosts/bob/etc/hosts             |   70 -
 testing/tests/ike2/hosts/moon/etc/ipsec.conf       |   25 -
 testing/tests/ike2/hosts/moon/etc/nat_updown       |  152 --
 testing/tests/ike2/hosts/moon/etc/strongswan.conf  |    6 -
 testing/tests/ike2/hosts/sun/etc/ipsec.conf        |   25 -
 testing/tests/ike2/hosts/sun/etc/strongswan.conf   |    6 -
 testing/tests/ike2/posttest.dat                    |    5 -
 testing/tests/ike2/pretest.dat                     |    9 -
 testing/tests/ike2/test.conf                       |   21 -
 testing/tests/ikev1/esp-alg-aes-ccm/evaltest.dat   |    2 +
 testing/tests/ikev1/esp-alg-aes-gcm/evaltest.dat   |    2 +
 testing/tests/ikev1/esp-alg-aes-gmac/evaltest.dat  |    2 +
 testing/tests/ikev1/ip-pool-db-push/evaltest.dat   |    9 +-
 .../hosts/carol/etc/strongswan.conf                |    8 +-
 .../ip-pool-db-push/hosts/dave/etc/strongswan.conf |    8 +-
 testing/tests/ikev1/ip-pool-db-push/pretest.dat    |    6 +-
 testing/tests/ikev1/ip-pool-db/evaltest.dat        |    9 +-
 .../ip-pool-db/hosts/carol/etc/strongswan.conf     |    8 +-
 .../ip-pool-db/hosts/dave/etc/strongswan.conf      |    8 +-
 testing/tests/ikev1/ip-pool-db/pretest.dat         |    7 +-
 .../mode-config-multiple/hosts/moon/etc/ipsec.conf |    6 +-
 testing/tests/ikev1/mode-config-push/evaltest.dat  |    2 +
 .../mode-config-push/hosts/carol/etc/ipsec.conf    |    1 +
 .../hosts/carol/etc/strongswan.conf                |   11 +
 .../hosts/dave/etc/strongswan.conf                 |   11 +
 .../hosts/moon/etc/strongswan.conf                 |   13 +
 testing/tests/ikev1/mode-config/evaltest.dat       |    4 +-
 .../mode-config/hosts/carol/etc/strongswan.conf    |   11 +
 .../mode-config/hosts/dave/etc/strongswan.conf     |   11 +
 .../ikev1/mode-config/hosts/moon/etc/ipsec.conf    |    1 +
 .../mode-config/hosts/moon/etc/strongswan.conf     |    2 +-
 .../etc/ipsec.d/cacerts/research_by_salesCert.pem  |   20 +-
 .../etc/ipsec.d/cacerts/sales_by_researchCert.pem  |   22 +-
 .../ikev1/rw-cert/hosts/carol/etc/strongswan.conf  |    2 +-
 .../ikev1/rw-cert/hosts/moon/etc/strongswan.conf   |    2 +-
 .../ikev1/xauth-id-psk-mode-config/description.txt |   11 +
 .../ikev1/xauth-id-psk-mode-config/evaltest.dat    |   16 +
 .../hosts/carol/etc/ipsec.conf                     |   25 +
 .../hosts/carol/etc/ipsec.secrets                  |    9 +
 .../hosts/carol/etc/strongswan.conf                |   11 +
 .../hosts/dave/etc/ipsec.conf                      |   25 +
 .../hosts/dave/etc/ipsec.secrets                   |    5 +
 .../hosts/dave/etc/strongswan.conf                 |   11 +
 .../hosts/moon/etc/ipsec.conf                      |   24 +
 .../hosts/moon/etc/ipsec.secrets                   |    7 +
 .../hosts/moon/etc/strongswan.conf                 |   11 +
 .../ikev1/xauth-id-psk-mode-config/posttest.dat    |    8 +
 .../ikev1/xauth-id-psk-mode-config/pretest.dat     |   12 +
 .../tests/ikev1/xauth-id-psk-mode-config/test.conf |   21 +
 testing/tests/ikev1/xauth-id-psk/description.txt   |    9 +
 testing/tests/ikev1/xauth-id-psk/evaltest.dat      |   14 +
 .../ikev1/xauth-id-psk/hosts/carol/etc/ipsec.conf  |   22 +
 .../xauth-id-psk/hosts/carol/etc/ipsec.secrets     |    5 +
 .../xauth-id-psk/hosts/carol/etc/strongswan.conf   |   11 +
 .../ikev1/xauth-id-psk/hosts/dave/etc/ipsec.conf   |   22 +
 .../xauth-id-psk/hosts/dave/etc/ipsec.secrets      |    5 +
 .../xauth-id-psk/hosts/dave/etc/strongswan.conf    |   11 +
 .../ikev1/xauth-id-psk/hosts/moon/etc/ipsec.conf   |   22 +
 .../xauth-id-psk/hosts/moon/etc/ipsec.secrets      |    7 +
 .../xauth-id-psk/hosts/moon/etc/strongswan.conf    |   11 +
 testing/tests/ikev1/xauth-id-psk/posttest.dat      |    6 +
 testing/tests/ikev1/xauth-id-psk/pretest.dat       |   12 +
 testing/tests/ikev1/xauth-id-psk/test.conf         |   21 +
 testing/tests/ikev1/xauth-id-rsa/description.txt   |   10 +
 testing/tests/ikev1/xauth-id-rsa/evaltest.dat      |   14 +
 .../ikev1/xauth-id-rsa/hosts/carol/etc/ipsec.conf  |   25 +
 .../xauth-id-rsa/hosts/carol/etc/ipsec.secrets     |    5 +
 .../xauth-id-rsa/hosts/carol/etc/strongswan.conf   |   11 +
 .../ikev1/xauth-id-rsa/hosts/dave/etc/ipsec.conf   |   25 +
 .../xauth-id-rsa/hosts/dave/etc/ipsec.secrets      |    5 +
 .../xauth-id-rsa/hosts/dave/etc/strongswan.conf    |   11 +
 .../ikev1/xauth-id-rsa/hosts/moon/etc/ipsec.conf   |   24 +
 .../xauth-id-rsa/hosts/moon/etc/ipsec.secrets      |    7 +
 .../xauth-id-rsa/hosts/moon/etc/strongswan.conf    |   11 +
 testing/tests/ikev1/xauth-id-rsa/posttest.dat      |    6 +
 testing/tests/ikev1/xauth-id-rsa/pretest.dat       |    9 +
 testing/tests/ikev1/xauth-id-rsa/test.conf         |   21 +
 .../ikev1/xauth-psk-mode-config/description.txt    |   11 -
 .../tests/ikev1/xauth-psk-mode-config/evaltest.dat |   18 -
 .../hosts/carol/etc/ipsec.conf                     |   24 -
 .../hosts/carol/etc/ipsec.secrets                  |    9 -
 .../hosts/carol/etc/strongswan.conf                |   11 -
 .../hosts/dave/etc/ipsec.conf                      |   24 -
 .../hosts/dave/etc/ipsec.secrets                   |    5 -
 .../hosts/dave/etc/strongswan.conf                 |   11 -
 .../hosts/moon/etc/ipsec.conf                      |   29 -
 .../hosts/moon/etc/ipsec.secrets                   |    7 -
 .../hosts/moon/etc/strongswan.conf                 |   11 -
 .../tests/ikev1/xauth-psk-mode-config/posttest.dat |    8 -
 .../tests/ikev1/xauth-psk-mode-config/pretest.dat  |   12 -
 .../tests/ikev1/xauth-psk-mode-config/test.conf    |   21 -
 testing/tests/ikev1/xauth-psk/evaltest.dat         |    2 +
 .../ikev1/xauth-psk/hosts/carol/etc/ipsec.conf     |    2 +
 .../ikev1/xauth-psk/hosts/carol/etc/ipsec.secrets  |    2 +-
 .../xauth-psk/hosts/carol/etc/strongswan.conf      |    2 +-
 .../ikev1/xauth-psk/hosts/dave/etc/ipsec.conf      |    2 +
 .../ikev1/xauth-psk/hosts/dave/etc/ipsec.secrets   |    2 +-
 .../ikev1/xauth-psk/hosts/dave/etc/strongswan.conf |    2 +-
 .../ikev1/xauth-psk/hosts/moon/etc/ipsec.conf      |    1 +
 .../ikev1/xauth-psk/hosts/moon/etc/ipsec.secrets   |    6 +-
 .../ikev1/xauth-psk/hosts/moon/etc/strongswan.conf |    2 +-
 .../xauth-rsa-fail/hosts/carol/etc/ipsec.secrets   |    2 +-
 .../xauth-rsa-fail/hosts/carol/etc/strongswan.conf |   11 +
 .../xauth-rsa-fail/hosts/moon/etc/ipsec.secrets    |    2 +-
 .../xauth-rsa-fail/hosts/moon/etc/strongswan.conf  |   11 +
 .../hosts/carol/etc/ipsec.secrets                  |    2 +-
 .../hosts/carol/etc/strongswan.conf                |   11 +
 .../hosts/dave/etc/ipsec.secrets                   |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |   11 +
 .../hosts/moon/etc/ipsec.secrets                   |    4 +-
 .../hosts/moon/etc/strongswan.conf                 |   11 +
 .../xauth-rsa-nosecret/hosts/carol/etc/ipsec.conf  |    2 +-
 .../hosts/carol/etc/strongswan.conf                |   11 +
 .../xauth-rsa-nosecret/hosts/moon/etc/ipsec.conf   |    2 +-
 .../hosts/moon/etc/ipsec.secrets                   |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |   11 +
 testing/tests/ikev1/xauth-rsa/description.txt      |    4 +-
 testing/tests/ikev1/xauth-rsa/evaltest.dat         |    2 +
 .../ikev1/xauth-rsa/hosts/carol/etc/ipsec.secrets  |    2 +-
 .../xauth-rsa/hosts/carol/etc/strongswan.conf      |   11 +
 .../ikev1/xauth-rsa/hosts/dave/etc/ipsec.secrets   |    2 +-
 .../ikev1/xauth-rsa/hosts/dave/etc/strongswan.conf |   11 +
 .../ikev1/xauth-rsa/hosts/moon/etc/ipsec.conf      |    2 +-
 .../ikev1/xauth-rsa/hosts/moon/etc/ipsec.secrets   |    4 +-
 .../ikev1/xauth-rsa/hosts/moon/etc/strongswan.conf |   11 +
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../alg-3des-md5/hosts/carol/etc/strongswan.conf   |    2 +-
 .../alg-3des-md5/hosts/moon/etc/strongswan.conf    |    2 +-
 .../alg-aes-xcbc/hosts/carol/etc/strongswan.conf   |    2 +-
 .../alg-aes-xcbc/hosts/moon/etc/strongswan.conf    |    2 +-
 .../alg-blowfish/hosts/carol/etc/strongswan.conf   |    2 +-
 .../alg-blowfish/hosts/dave/etc/strongswan.conf    |    2 +-
 .../alg-blowfish/hosts/moon/etc/strongswan.conf    |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../alg-sha256-96/hosts/carol/etc/strongswan.conf  |    2 +-
 .../alg-sha256-96/hosts/moon/etc/strongswan.conf   |    2 +-
 .../alg-sha256/hosts/carol/etc/strongswan.conf     |    2 +-
 .../alg-sha256/hosts/moon/etc/strongswan.conf      |    2 +-
 .../alg-sha384/hosts/carol/etc/strongswan.conf     |    2 +-
 .../alg-sha384/hosts/moon/etc/strongswan.conf      |    2 +-
 .../alg-sha512/hosts/carol/etc/strongswan.conf     |    2 +-
 .../alg-sha512/hosts/moon/etc/strongswan.conf      |    2 +-
 .../any-interface/hosts/alice/etc/strongswan.conf  |    2 +-
 .../any-interface/hosts/bob/etc/strongswan.conf    |    2 +-
 .../any-interface/hosts/moon/etc/strongswan.conf   |    2 +-
 .../any-interface/hosts/sun/etc/strongswan.conf    |    2 +-
 .../ikev2/compress/hosts/carol/etc/strongswan.conf |    2 +-
 .../ikev2/compress/hosts/moon/etc/strongswan.conf  |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../config-payload/hosts/carol/etc/strongswan.conf |    2 +-
 .../config-payload/hosts/dave/etc/strongswan.conf  |    2 +-
 .../config-payload/hosts/moon/etc/strongswan.conf  |    2 +-
 .../crl-from-cache/hosts/carol/etc/strongswan.conf |    2 +-
 .../crl-from-cache/hosts/moon/etc/strongswan.conf  |    2 +-
 .../ikev2/crl-ldap/hosts/carol/etc/strongswan.conf |    2 +-
 .../ikev2/crl-ldap/hosts/moon/etc/strongswan.conf  |    2 +-
 .../crl-revoked/hosts/carol/etc/strongswan.conf    |    2 +-
 .../crl-revoked/hosts/moon/etc/strongswan.conf     |    2 +-
 .../crl-to-cache/hosts/carol/etc/strongswan.conf   |    2 +-
 .../crl-to-cache/hosts/moon/etc/strongswan.conf    |    2 +-
 .../default-keys/hosts/carol/etc/strongswan.conf   |    4 +-
 .../default-keys/hosts/moon/etc/strongswan.conf    |    4 +-
 .../dhcp-dynamic/hosts/carol/etc/strongswan.conf   |    2 +-
 .../dhcp-dynamic/hosts/dave/etc/strongswan.conf    |    2 +-
 .../dhcp-dynamic/hosts/moon/etc/strongswan.conf    |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../dhcp-static-mac/hosts/dave/etc/strongswan.conf |    2 +-
 .../dhcp-static-mac/hosts/moon/etc/strongswan.conf |    2 +-
 .../double-nat-net/hosts/alice/etc/strongswan.conf |    2 +-
 .../double-nat-net/hosts/bob/etc/strongswan.conf   |    2 +-
 .../double-nat/hosts/alice/etc/strongswan.conf     |    2 +-
 .../ikev2/double-nat/hosts/bob/etc/strongswan.conf |    2 +-
 .../dpd-clear/hosts/carol/etc/strongswan.conf      |    2 +-
 .../ikev2/dpd-clear/hosts/moon/etc/strongswan.conf |    2 +-
 .../ikev2/dpd-hold/hosts/carol/etc/strongswan.conf |    2 +-
 .../ikev2/dpd-hold/hosts/moon/etc/strongswan.conf  |    2 +-
 .../dpd-restart/hosts/carol/etc/strongswan.conf    |    2 +-
 .../dpd-restart/hosts/moon/etc/strongswan.conf     |    2 +-
 testing/tests/ikev2/esp-alg-aes-ccm/evaltest.dat   |    2 +
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../esp-alg-aes-ccm/hosts/moon/etc/strongswan.conf |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../esp-alg-aes-ctr/hosts/moon/etc/strongswan.conf |    2 +-
 testing/tests/ikev2/esp-alg-aes-gcm/evaltest.dat   |    2 +
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../esp-alg-aes-gcm/hosts/moon/etc/strongswan.conf |    2 +-
 testing/tests/ikev2/esp-alg-aes-gmac/evaltest.dat  |    2 +
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../esp-alg-null/hosts/carol/etc/strongswan.conf   |    2 +-
 .../esp-alg-null/hosts/moon/etc/strongswan.conf    |    2 +-
 .../ikev2/farp/hosts/carol/etc/strongswan.conf     |    2 +-
 .../ikev2/farp/hosts/dave/etc/strongswan.conf      |    2 +-
 .../ikev2/farp/hosts/moon/etc/strongswan.conf      |    2 +-
 .../hosts/alice/etc/strongswan.conf                |    2 +-
 .../force-udp-encaps/hosts/sun/etc/strongswan.conf |    2 +-
 .../host2host-cert/hosts/moon/etc/strongswan.conf  |    2 +-
 .../host2host-cert/hosts/sun/etc/strongswan.conf   |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/sun/etc/strongswan.conf                  |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/sun/etc/strongswan.conf                  |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../ip-pool-db/hosts/carol/etc/strongswan.conf     |    2 +-
 .../ip-pool-db/hosts/dave/etc/strongswan.conf      |    2 +-
 .../ip-pool-db/hosts/moon/etc/strongswan.conf      |    2 +-
 testing/tests/ikev2/ip-pool-db/pretest.dat         |    6 +-
 .../ip-pool-wish/hosts/carol/etc/strongswan.conf   |    2 +-
 .../ip-pool-wish/hosts/dave/etc/strongswan.conf    |    2 +-
 .../ip-pool-wish/hosts/moon/etc/strongswan.conf    |    2 +-
 .../ikev2/ip-pool/hosts/carol/etc/strongswan.conf  |    2 +-
 .../ikev2/ip-pool/hosts/dave/etc/strongswan.conf   |    2 +-
 .../ikev2/ip-pool/hosts/moon/etc/strongswan.conf   |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 testing/tests/ikev2/ip-two-pools-db/evaltest.dat   |    4 +
 .../hosts/alice/etc/strongswan.conf                |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../ip-two-pools-db/hosts/dave/etc/strongswan.conf |    2 +-
 .../ip-two-pools-db/hosts/moon/etc/strongswan.conf |    2 +-
 .../hosts/venus/etc/strongswan.conf                |    2 +-
 testing/tests/ikev2/ip-two-pools-db/posttest.dat   |    3 +
 testing/tests/ikev2/ip-two-pools-db/pretest.dat    |    4 +
 .../hosts/alice/etc/strongswan.conf                |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../ip-two-pools/hosts/alice/etc/strongswan.conf   |    2 +-
 .../ip-two-pools/hosts/carol/etc/strongswan.conf   |    2 +-
 .../ip-two-pools/hosts/moon/etc/strongswan.conf    |    2 +-
 .../mobike-nat/hosts/alice/etc/strongswan.conf     |    2 +-
 .../ikev2/mobike-nat/hosts/sun/etc/strongswan.conf |    2 +-
 .../hosts/alice/etc/strongswan.conf                |    2 +-
 .../hosts/sun/etc/strongswan.conf                  |    2 +-
 .../ikev2/mobike/hosts/alice/etc/strongswan.conf   |    2 +-
 .../ikev2/mobike/hosts/sun/etc/strongswan.conf     |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../etc/ipsec.d/cacerts/research_by_salesCert.pem  |   20 +-
 .../etc/ipsec.d/cacerts/sales_by_researchCert.pem  |   22 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../multi-level-ca/hosts/carol/etc/strongswan.conf |    2 +-
 .../multi-level-ca/hosts/dave/etc/strongswan.conf  |    2 +-
 .../multi-level-ca/hosts/moon/etc/strongswan.conf  |    2 +-
 .../nat-one-rw/hosts/alice/etc/strongswan.conf     |    2 +-
 .../ikev2/nat-one-rw/hosts/sun/etc/strongswan.conf |    2 +-
 .../tests/ikev2/nat-two-rw-mark/description.txt    |   16 +
 testing/tests/ikev2/nat-two-rw-mark/evaltest.dat   |   16 +
 .../nat-two-rw-mark/hosts/alice/etc/ipsec.conf     |   25 +
 .../hosts/alice/etc/strongswan.conf                |    5 +
 .../ikev2/nat-two-rw-mark/hosts/sun/etc/ipsec.conf |   35 +
 .../nat-two-rw-mark/hosts/sun/etc/mark_updown      |  527 ++++++
 .../nat-two-rw-mark/hosts/sun/etc/strongswan.conf  |    5 +
 .../nat-two-rw-mark/hosts/venus/etc/ipsec.conf     |   25 +
 .../hosts/venus/etc/strongswan.conf                |    5 +
 testing/tests/ikev2/nat-two-rw-mark/posttest.dat   |   11 +
 testing/tests/ikev2/nat-two-rw-mark/pretest.dat    |   21 +
 testing/tests/ikev2/nat-two-rw-mark/test.conf      |   21 +
 .../nat-two-rw/hosts/alice/etc/strongswan.conf     |    2 +-
 .../ikev2/nat-two-rw/hosts/sun/etc/strongswan.conf |    2 +-
 .../nat-two-rw/hosts/venus/etc/strongswan.conf     |    2 +-
 testing/tests/ikev2/nat-virtual-ip/description.txt |    6 +
 testing/tests/ikev2/nat-virtual-ip/evaltest.dat    |    8 +
 .../tests/ikev2/nat-virtual-ip/hosts/bob/etc/hosts |   70 +
 .../ikev2/nat-virtual-ip/hosts/moon/etc/ipsec.conf |   25 +
 .../ikev2/nat-virtual-ip/hosts/moon/etc/nat_updown |  152 ++
 .../nat-virtual-ip/hosts/moon/etc/strongswan.conf  |    6 +
 .../ikev2/nat-virtual-ip/hosts/sun/etc/ipsec.conf  |   25 +
 .../nat-virtual-ip/hosts/sun/etc/strongswan.conf   |    6 +
 testing/tests/ikev2/nat-virtual-ip/posttest.dat    |    6 +
 testing/tests/ikev2/nat-virtual-ip/pretest.dat     |    9 +
 testing/tests/ikev2/nat-virtual-ip/test.conf       |   21 +
 .../net2net-cert/hosts/moon/etc/strongswan.conf    |    2 +-
 .../net2net-cert/hosts/sun/etc/strongswan.conf     |    2 +-
 .../tests/ikev2/net2net-psk-dscp/description.txt   |   13 +
 testing/tests/ikev2/net2net-psk-dscp/evaltest.dat  |    8 +
 .../net2net-psk-dscp/hosts/moon/etc/ipsec.conf     |   38 +
 .../net2net-psk-dscp/hosts/moon/etc/ipsec.secrets  |    3 +
 .../hosts/moon/etc/strongswan.conf                 |    6 +
 .../net2net-psk-dscp/hosts/sun/etc/ipsec.conf      |   38 +
 .../net2net-psk-dscp/hosts/sun/etc/ipsec.secrets   |    7 +
 .../net2net-psk-dscp/hosts/sun/etc/strongswan.conf |    6 +
 testing/tests/ikev2/net2net-psk-dscp/posttest.dat  |    8 +
 testing/tests/ikev2/net2net-psk-dscp/pretest.dat   |   17 +
 testing/tests/ikev2/net2net-psk-dscp/test.conf     |   21 +
 .../net2net-rfc3779/hosts/moon/etc/strongswan.conf |    2 +-
 .../net2net-rfc3779/hosts/sun/etc/strongswan.conf  |    2 +-
 .../net2net-route/hosts/moon/etc/strongswan.conf   |    2 +-
 .../net2net-route/hosts/sun/etc/strongswan.conf    |    2 +-
 .../tests/ikev2/net2net-same-nets/description.txt  |   15 +
 testing/tests/ikev2/net2net-same-nets/evaltest.dat |   10 +
 .../net2net-same-nets/hosts/moon/etc/ipsec.conf    |   25 +
 .../hosts/moon/etc/strongswan.conf                 |    6 +
 .../net2net-same-nets/hosts/sun/etc/ipsec.conf     |   27 +
 .../net2net-same-nets/hosts/sun/etc/mark_updown    |  224 +++
 .../hosts/sun/etc/strongswan.conf                  |    6 +
 testing/tests/ikev2/net2net-same-nets/posttest.dat |    7 +
 testing/tests/ikev2/net2net-same-nets/pretest.dat  |    6 +
 testing/tests/ikev2/net2net-same-nets/test.conf    |   21 +
 .../net2net-start/hosts/moon/etc/strongswan.conf   |    2 +-
 .../net2net-start/hosts/sun/etc/strongswan.conf    |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../ocsp-local-cert/hosts/moon/etc/strongswan.conf |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../ocsp-revoked/hosts/carol/etc/strongswan.conf   |    2 +-
 .../ocsp-revoked/hosts/moon/etc/strongswan.conf    |    2 +-
 .../ocsp-root-cert/hosts/carol/etc/strongswan.conf |    2 +-
 .../ocsp-root-cert/hosts/moon/etc/strongswan.conf  |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../protoport-dual/hosts/carol/etc/strongswan.conf |    2 +-
 .../protoport-dual/hosts/moon/etc/strongswan.conf  |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../protoport-route/hosts/moon/etc/strongswan.conf |    2 +-
 .../reauth-early/hosts/carol/etc/strongswan.conf   |    2 +-
 .../reauth-early/hosts/moon/etc/strongswan.conf    |    2 +-
 .../reauth-late/hosts/carol/etc/strongswan.conf    |    2 +-
 .../reauth-late/hosts/moon/etc/strongswan.conf     |    2 +-
 .../ikev2/rw-cert/hosts/carol/etc/strongswan.conf  |    2 +-
 .../ikev2/rw-cert/hosts/dave/etc/strongswan.conf   |    2 +-
 .../ikev2/rw-cert/hosts/moon/etc/strongswan.conf   |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf |    2 +-
 .../rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf  |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf |    2 +-
 .../rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf  |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf |    2 +-
 .../rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf  |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../rw-hash-and-url/hosts/dave/etc/strongswan.conf |    2 +-
 .../rw-hash-and-url/hosts/moon/etc/strongswan.conf |    2 +-
 testing/tests/ikev2/rw-mark-in-out/description.txt |   16 +
 testing/tests/ikev2/rw-mark-in-out/evaltest.dat    |   16 +
 .../rw-mark-in-out/hosts/alice/etc/init.d/iptables |   77 +
 .../rw-mark-in-out/hosts/alice/etc/ipsec.conf      |   25 +
 .../rw-mark-in-out/hosts/alice/etc/strongswan.conf |    5 +
 .../ikev2/rw-mark-in-out/hosts/sun/etc/ipsec.conf  |   37 +
 .../ikev2/rw-mark-in-out/hosts/sun/etc/mark_updown |  527 ++++++
 .../rw-mark-in-out/hosts/sun/etc/strongswan.conf   |    5 +
 .../rw-mark-in-out/hosts/venus/etc/init.d/iptables |   77 +
 .../rw-mark-in-out/hosts/venus/etc/ipsec.conf      |   25 +
 .../rw-mark-in-out/hosts/venus/etc/strongswan.conf |    5 +
 testing/tests/ikev2/rw-mark-in-out/posttest.dat    |   12 +
 testing/tests/ikev2/rw-mark-in-out/pretest.dat     |   18 +
 testing/tests/ikev2/rw-mark-in-out/test.conf       |   21 +
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../two-certs/hosts/carol/etc/strongswan.conf      |    2 +-
 .../ikev2/two-certs/hosts/moon/etc/strongswan.conf |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../virtual-ip/hosts/carol/etc/strongswan.conf     |    2 +-
 .../virtual-ip/hosts/dave/etc/strongswan.conf      |    2 +-
 .../virtual-ip/hosts/moon/etc/strongswan.conf      |    2 +-
 .../wildcards/hosts/carol/etc/strongswan.conf      |    2 +-
 .../ikev2/wildcards/hosts/dave/etc/strongswan.conf |    2 +-
 .../ikev2/wildcards/hosts/moon/etc/strongswan.conf |    2 +-
 .../host2host-ikev2/hosts/moon/etc/strongswan.conf |    2 +-
 .../host2host-ikev2/hosts/sun/etc/strongswan.conf  |    2 +-
 .../net2net-ikev2/hosts/moon/etc/strongswan.conf   |    2 +-
 .../net2net-ikev2/hosts/sun/etc/strongswan.conf    |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/sun/etc/strongswan.conf                  |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/sun/etc/strongswan.conf                  |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/sun/etc/strongswan.conf                  |    2 +-
 .../ipv6/rw-ikev2/hosts/carol/etc/strongswan.conf  |    2 +-
 .../ipv6/rw-ikev2/hosts/dave/etc/strongswan.conf   |    2 +-
 .../ipv6/rw-ikev2/hosts/moon/etc/strongswan.conf   |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../transport-ikev2/hosts/moon/etc/strongswan.conf |    2 +-
 .../transport-ikev2/hosts/sun/etc/strongswan.conf  |    2 +-
 .../alg-camellia/hosts/carol/etc/strongswan.conf   |    2 +-
 .../alg-camellia/hosts/moon/etc/strongswan.conf    |    2 +-
 .../openssl-ikev1/alg-ecp-high/description.txt     |    6 +-
 .../alg-ecp-high/hosts/carol/etc/strongswan.conf   |    2 +-
 .../alg-ecp-high/hosts/moon/etc/strongswan.conf    |    2 +-
 .../openssl-ikev1/alg-ecp-low/description.txt      |    6 +-
 .../alg-ecp-low/hosts/carol/etc/strongswan.conf    |    2 +-
 .../alg-ecp-low/hosts/moon/etc/strongswan.conf     |    2 +-
 .../openssl-ikev1/ecdsa-certs/description.txt      |    2 +-
 .../ecdsa-certs/hosts/carol/etc/strongswan.conf    |    2 +-
 .../ecdsa-certs/hosts/dave/etc/strongswan.conf     |    2 +-
 .../ecdsa-certs/hosts/moon/etc/strongswan.conf     |    2 +-
 .../tests/openssl-ikev1/rw-cert/description.txt    |    6 +-
 .../rw-cert/hosts/carol/etc/strongswan.conf        |    2 +-
 .../rw-cert/hosts/moon/etc/strongswan.conf         |    2 +-
 .../alg-blowfish/hosts/carol/etc/strongswan.conf   |    2 +-
 .../alg-blowfish/hosts/dave/etc/strongswan.conf    |    2 +-
 .../alg-blowfish/hosts/moon/etc/strongswan.conf    |    2 +-
 .../alg-camellia/hosts/carol/etc/strongswan.conf   |    2 +-
 .../alg-camellia/hosts/moon/etc/strongswan.conf    |    2 +-
 .../openssl-ikev2/alg-ecp-high/description.txt     |    8 +-
 .../alg-ecp-high/hosts/carol/etc/strongswan.conf   |    2 +-
 .../alg-ecp-high/hosts/dave/etc/strongswan.conf    |    2 +-
 .../alg-ecp-high/hosts/moon/etc/strongswan.conf    |    2 +-
 .../openssl-ikev2/alg-ecp-low/description.txt      |    8 +-
 .../alg-ecp-low/hosts/carol/etc/strongswan.conf    |    2 +-
 .../alg-ecp-low/hosts/dave/etc/strongswan.conf     |    2 +-
 .../alg-ecp-low/hosts/moon/etc/strongswan.conf     |    2 +-
 .../openssl-ikev2/ecdsa-certs/description.txt      |    2 +-
 .../ecdsa-certs/hosts/carol/etc/strongswan.conf    |    2 +-
 .../ecdsa-certs/hosts/dave/etc/strongswan.conf     |    2 +-
 .../ecdsa-certs/hosts/moon/etc/strongswan.conf     |    2 +-
 .../tests/openssl-ikev2/rw-cert/description.txt    |    6 +-
 .../rw-cert/hosts/carol/etc/strongswan.conf        |    2 +-
 .../rw-cert/hosts/dave/etc/strongswan.conf         |    2 +-
 .../rw-cert/hosts/moon/etc/strongswan.conf         |    2 +-
 .../hosts/alice/etc/strongswan.conf                |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/venus/etc/strongswan.conf                |    2 +-
 .../medsrv-psk/hosts/alice/etc/strongswan.conf     |    2 +-
 .../medsrv-psk/hosts/bob/etc/strongswan.conf       |    2 +-
 .../medsrv-psk/hosts/carol/etc/strongswan.conf     |    2 +-
 .../alg-aes-xcbc/hosts/carol/etc/strongswan.conf   |    2 +-
 .../alg-aes-xcbc/hosts/moon/etc/strongswan.conf    |    2 +-
 .../alg-sha384/hosts/carol/etc/strongswan.conf     |    2 +-
 .../alg-sha384/hosts/moon/etc/strongswan.conf      |    2 +-
 .../alg-sha512/hosts/carol/etc/strongswan.conf     |    2 +-
 .../alg-sha512/hosts/moon/etc/strongswan.conf      |    2 +-
 .../esp-alg-null/hosts/carol/etc/strongswan.conf   |    2 +-
 .../esp-alg-null/hosts/moon/etc/strongswan.conf    |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/sun/etc/strongswan.conf                  |    2 +-
 .../nat-two-rw/hosts/alice/etc/strongswan.conf     |    2 +-
 .../pfkey/nat-two-rw/hosts/sun/etc/strongswan.conf |    2 +-
 .../nat-two-rw/hosts/venus/etc/strongswan.conf     |    2 +-
 .../net2net-route/hosts/moon/etc/strongswan.conf   |    2 +-
 .../net2net-route/hosts/sun/etc/strongswan.conf    |    2 +-
 .../protoport-dual/hosts/carol/etc/strongswan.conf |    2 +-
 .../protoport-dual/hosts/moon/etc/strongswan.conf  |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../protoport-route/hosts/moon/etc/strongswan.conf |    2 +-
 .../pfkey/rw-cert/hosts/carol/etc/strongswan.conf  |    2 +-
 .../pfkey/rw-cert/hosts/dave/etc/strongswan.conf   |    2 +-
 .../pfkey/rw-cert/hosts/moon/etc/strongswan.conf   |    2 +-
 .../hosts/carol/etc/ipsec.d/data.sql               |   26 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/ipsec.d/data.sql                |   20 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/ipsec.d/data.sql                |   34 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/ipsec.d/data.sql               |   26 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/ipsec.d/data.sql                |   26 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/ipsec.d/data.sql                |   34 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../ip-pool-db/hosts/carol/etc/ipsec.d/data.sql    |   24 +-
 .../sql/ip-pool-db/hosts/carol/etc/strongswan.conf |    2 +-
 .../sql/ip-pool-db/hosts/dave/etc/ipsec.d/data.sql |   24 +-
 .../sql/ip-pool-db/hosts/dave/etc/strongswan.conf  |    2 +-
 .../sql/ip-pool-db/hosts/moon/etc/ipsec.d/data.sql |   24 +-
 .../sql/ip-pool-db/hosts/moon/etc/strongswan.conf  |    2 +-
 .../hosts/carol/etc/ipsec.d/data.sql               |   26 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/ipsec.d/data.sql                |   25 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/ipsec.d/data.sql                |   37 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/ipsec.d/data.sql               |   26 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/ipsec.d/data.sql                |   26 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/ipsec.d/data.sql                |   26 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../net2net-cert/hosts/moon/etc/ipsec.d/data.sql   |   26 +-
 .../net2net-cert/hosts/moon/etc/strongswan.conf    |    2 +-
 .../net2net-cert/hosts/sun/etc/ipsec.d/data.sql    |   26 +-
 .../sql/net2net-cert/hosts/sun/etc/strongswan.conf |    2 +-
 .../sql/rw-cert/hosts/carol/etc/ipsec.d/data.sql   |   26 +-
 .../sql/rw-cert/hosts/carol/etc/strongswan.conf    |    2 +-
 .../sql/rw-cert/hosts/dave/etc/ipsec.d/data.sql    |   26 +-
 .../sql/rw-cert/hosts/dave/etc/strongswan.conf     |    2 +-
 .../sql/rw-cert/hosts/moon/etc/ipsec.d/data.sql    |   26 +-
 .../sql/rw-cert/hosts/moon/etc/strongswan.conf     |    2 +-
 .../hosts/carol/etc/ipsec.d/data.sql               |   20 +-
 .../rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf |    2 +-
 .../rw-eap-aka-rsa/hosts/moon/etc/ipsec.d/data.sql |   26 +-
 .../rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf  |    2 +-
 .../hosts/carol/etc/ipsec.d/data.sql               |   20 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/ipsec.d/data.sql                |   20 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/ipsec.d/data.sql                |   34 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../rw-rsa-keyid/hosts/carol/etc/ipsec.d/data.sql  |    4 +-
 .../rw-rsa-keyid/hosts/carol/etc/strongswan.conf   |    2 +-
 .../rw-rsa-keyid/hosts/dave/etc/ipsec.d/data.sql   |    4 +-
 .../rw-rsa-keyid/hosts/dave/etc/strongswan.conf    |    2 +-
 .../rw-rsa-keyid/hosts/moon/etc/ipsec.d/data.sql   |    6 +-
 .../rw-rsa-keyid/hosts/moon/etc/strongswan.conf    |    2 +-
 .../sql/rw-rsa/hosts/carol/etc/ipsec.d/data.sql    |    4 +-
 .../sql/rw-rsa/hosts/carol/etc/strongswan.conf     |    2 +-
 .../sql/rw-rsa/hosts/dave/etc/ipsec.d/data.sql     |    4 +-
 .../sql/rw-rsa/hosts/dave/etc/strongswan.conf      |    2 +-
 .../sql/rw-rsa/hosts/moon/etc/ipsec.d/data.sql     |    6 +-
 .../sql/rw-rsa/hosts/moon/etc/strongswan.conf      |    2 +-
 1044 files changed, 30010 insertions(+), 12421 deletions(-)
 create mode 100644 src/ipsec/ipsec.8.in
 delete mode 100644 src/libcharon/config/auth_cfg.c
 delete mode 100644 src/libcharon/config/auth_cfg.h
 delete mode 100644 src/libcharon/credentials/credential_manager.c
 delete mode 100644 src/libcharon/credentials/credential_manager.h
 delete mode 100644 src/libcharon/credentials/credential_set.h
 delete mode 100644 src/libcharon/credentials/sets/auth_cfg_wrapper.c
 delete mode 100644 src/libcharon/credentials/sets/auth_cfg_wrapper.h
 delete mode 100644 src/libcharon/credentials/sets/cert_cache.c
 delete mode 100644 src/libcharon/credentials/sets/cert_cache.h
 delete mode 100644 src/libcharon/credentials/sets/ocsp_response_wrapper.c
 delete mode 100644 src/libcharon/credentials/sets/ocsp_response_wrapper.h
 create mode 100644 src/libcharon/plugins/addrblock/Makefile.am
 create mode 100644 src/libcharon/plugins/addrblock/Makefile.in
 create mode 100644 src/libcharon/plugins/addrblock/addrblock_narrow.c
 create mode 100644 src/libcharon/plugins/addrblock/addrblock_narrow.h
 create mode 100644 src/libcharon/plugins/addrblock/addrblock_plugin.c
 create mode 100644 src/libcharon/plugins/addrblock/addrblock_plugin.h
 create mode 100644 src/libcharon/plugins/addrblock/addrblock_validator.c
 create mode 100644 src/libcharon/plugins/addrblock/addrblock_validator.h
 create mode 100644 src/libcharon/plugins/android/android_creds.c
 create mode 100644 src/libcharon/plugins/android/android_creds.h
 create mode 100644 src/libcharon/plugins/android/android_logger.c
 create mode 100644 src/libcharon/plugins/android/android_logger.h
 create mode 100644 src/libcharon/plugins/android/android_service.c
 create mode 100644 src/libcharon/plugins/android/android_service.h
 create mode 100644 src/libcharon/plugins/eap_radius/radius_server.c
 create mode 100644 src/libcharon/plugins/eap_radius/radius_server.h
 create mode 100644 src/libcharon/plugins/eap_radius/radius_socket.c
 create mode 100644 src/libcharon/plugins/eap_radius/radius_socket.h
 create mode 100644 src/libcharon/plugins/eap_simaka_sql/Makefile.am
 create mode 100644 src/libcharon/plugins/eap_simaka_sql/Makefile.in
 create mode 100644 src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_card.c
 create mode 100644 src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_card.h
 create mode 100644 src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_plugin.c
 create mode 100644 src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_plugin.h
 create mode 100644 src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_provider.c
 create mode 100644 src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_provider.h
 create mode 100644 src/libcharon/plugins/ha/ha_attribute.c
 create mode 100644 src/libcharon/plugins/ha/ha_attribute.h
 create mode 100644 src/libcharon/plugins/ha/ha_cache.c
 create mode 100644 src/libcharon/plugins/ha/ha_cache.h
 delete mode 100644 src/libcharon/plugins/resolve/Makefile.am
 delete mode 100644 src/libcharon/plugins/resolve/Makefile.in
 delete mode 100644 src/libcharon/plugins/resolve/resolve_handler.c
 delete mode 100644 src/libcharon/plugins/resolve/resolve_handler.h
 delete mode 100644 src/libcharon/plugins/resolve/resolve_plugin.c
 delete mode 100644 src/libcharon/plugins/resolve/resolve_plugin.h
 create mode 100644 src/libcharon/plugins/unit_tester/tests/test_hashtable.c
 create mode 100644 src/libhydra/plugins/attr_sql/pool_attributes.c
 create mode 100644 src/libhydra/plugins/attr_sql/pool_attributes.h
 create mode 100644 src/libhydra/plugins/attr_sql/pool_usage.c
 create mode 100644 src/libhydra/plugins/attr_sql/pool_usage.h
 create mode 100644 src/libhydra/plugins/resolve/Makefile.am
 create mode 100644 src/libhydra/plugins/resolve/Makefile.in
 create mode 100644 src/libhydra/plugins/resolve/resolve_handler.c
 create mode 100644 src/libhydra/plugins/resolve/resolve_handler.h
 create mode 100644 src/libhydra/plugins/resolve/resolve_plugin.c
 create mode 100644 src/libhydra/plugins/resolve/resolve_plugin.h
 create mode 100644 src/libstrongswan/credentials/auth_cfg.c
 create mode 100644 src/libstrongswan/credentials/auth_cfg.h
 create mode 100644 src/libstrongswan/credentials/cert_validator.h
 create mode 100644 src/libstrongswan/credentials/cred_encoding.c
 create mode 100644 src/libstrongswan/credentials/cred_encoding.h
 create mode 100644 src/libstrongswan/credentials/credential_manager.c
 create mode 100644 src/libstrongswan/credentials/credential_manager.h
 create mode 100644 src/libstrongswan/credentials/credential_set.h
 delete mode 100644 src/libstrongswan/credentials/keys/key_encoding.c
 delete mode 100644 src/libstrongswan/credentials/keys/key_encoding.h
 create mode 100644 src/libstrongswan/credentials/sets/auth_cfg_wrapper.c
 create mode 100644 src/libstrongswan/credentials/sets/auth_cfg_wrapper.h
 create mode 100644 src/libstrongswan/credentials/sets/cert_cache.c
 create mode 100644 src/libstrongswan/credentials/sets/cert_cache.h
 create mode 100644 src/libstrongswan/credentials/sets/ocsp_response_wrapper.c
 create mode 100644 src/libstrongswan/credentials/sets/ocsp_response_wrapper.h
 create mode 100644 src/libstrongswan/plugins/openssl/openssl_crl.c
 create mode 100644 src/libstrongswan/plugins/openssl/openssl_crl.h
 create mode 100644 src/libstrongswan/plugins/openssl/openssl_x509.c
 create mode 100644 src/libstrongswan/plugins/openssl/openssl_x509.h
 create mode 100644 src/libstrongswan/plugins/revocation/Makefile.am
 create mode 100644 src/libstrongswan/plugins/revocation/Makefile.in
 create mode 100644 src/libstrongswan/plugins/revocation/revocation_plugin.c
 create mode 100644 src/libstrongswan/plugins/revocation/revocation_plugin.h
 create mode 100644 src/libstrongswan/plugins/revocation/revocation_validator.c
 create mode 100644 src/libstrongswan/plugins/revocation/revocation_validator.h
 create mode 100644 src/pki/commands/print.c
 create mode 100644 src/pki/commands/signcrl.c
 create mode 100644 src/pluto/ipsec.secrets.5.in
 create mode 100644 src/pluto/plugins/xauth/Makefile.am
 create mode 100644 src/pluto/plugins/xauth/Makefile.in
 create mode 100644 src/pluto/plugins/xauth/xauth_default_provider.c
 create mode 100644 src/pluto/plugins/xauth/xauth_default_provider.h
 create mode 100644 src/pluto/plugins/xauth/xauth_default_verifier.c
 create mode 100644 src/pluto/plugins/xauth/xauth_default_verifier.h
 create mode 100644 src/pluto/plugins/xauth/xauth_plugin.c
 create mode 100644 src/pluto/plugins/xauth/xauth_plugin.h
 create mode 100644 src/pluto/pluto.c
 create mode 100644 src/pluto/pluto.h
 delete mode 100644 src/pluto/xauth.c
 delete mode 100644 src/pluto/xauth.h
 create mode 100644 src/pluto/xauth/xauth_manager.c
 create mode 100644 src/pluto/xauth/xauth_manager.h
 create mode 100644 src/pluto/xauth/xauth_provider.h
 create mode 100644 src/pluto/xauth/xauth_verifier.h
 create mode 100644 src/starter/ipsec.conf.5.in
 delete mode 100644 testing/hosts/winnetou/etc/openssl/research/carolReq.pem
 create mode 100644 testing/hosts/winnetou/etc/openssl/research/newcerts/07.pem
 create mode 100644 testing/hosts/winnetou/etc/openssl/sales/newcerts/06.pem
 delete mode 100644 testing/tests/ike2/description.txt
 delete mode 100644 testing/tests/ike2/evaltest.dat
 delete mode 100644 testing/tests/ike2/hosts/bob/etc/hosts
 delete mode 100755 testing/tests/ike2/hosts/moon/etc/ipsec.conf
 delete mode 100755 testing/tests/ike2/hosts/moon/etc/nat_updown
 delete mode 100644 testing/tests/ike2/hosts/moon/etc/strongswan.conf
 delete mode 100755 testing/tests/ike2/hosts/sun/etc/ipsec.conf
 delete mode 100644 testing/tests/ike2/hosts/sun/etc/strongswan.conf
 delete mode 100644 testing/tests/ike2/posttest.dat
 delete mode 100644 testing/tests/ike2/pretest.dat
 delete mode 100644 testing/tests/ike2/test.conf
 create mode 100644 testing/tests/ikev1/mode-config-push/hosts/carol/etc/strongswan.conf
 create mode 100644 testing/tests/ikev1/mode-config-push/hosts/dave/etc/strongswan.conf
 create mode 100644 testing/tests/ikev1/mode-config-push/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev1/mode-config/hosts/carol/etc/strongswan.conf
 create mode 100644 testing/tests/ikev1/mode-config/hosts/dave/etc/strongswan.conf
 create mode 100644 testing/tests/ikev1/xauth-id-psk-mode-config/description.txt
 create mode 100644 testing/tests/ikev1/xauth-id-psk-mode-config/evaltest.dat
 create mode 100644 testing/tests/ikev1/xauth-id-psk-mode-config/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/ikev1/xauth-id-psk-mode-config/hosts/carol/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev1/xauth-id-psk-mode-config/hosts/carol/etc/strongswan.conf
 create mode 100644 testing/tests/ikev1/xauth-id-psk-mode-config/hosts/dave/etc/ipsec.conf
 create mode 100644 testing/tests/ikev1/xauth-id-psk-mode-config/hosts/dave/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev1/xauth-id-psk-mode-config/hosts/dave/etc/strongswan.conf
 create mode 100644 testing/tests/ikev1/xauth-id-psk-mode-config/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev1/xauth-id-psk-mode-config/hosts/moon/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev1/xauth-id-psk-mode-config/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev1/xauth-id-psk-mode-config/posttest.dat
 create mode 100644 testing/tests/ikev1/xauth-id-psk-mode-config/pretest.dat
 create mode 100644 testing/tests/ikev1/xauth-id-psk-mode-config/test.conf
 create mode 100644 testing/tests/ikev1/xauth-id-psk/description.txt
 create mode 100644 testing/tests/ikev1/xauth-id-psk/evaltest.dat
 create mode 100644 testing/tests/ikev1/xauth-id-psk/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/ikev1/xauth-id-psk/hosts/carol/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev1/xauth-id-psk/hosts/carol/etc/strongswan.conf
 create mode 100644 testing/tests/ikev1/xauth-id-psk/hosts/dave/etc/ipsec.conf
 create mode 100644 testing/tests/ikev1/xauth-id-psk/hosts/dave/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev1/xauth-id-psk/hosts/dave/etc/strongswan.conf
 create mode 100644 testing/tests/ikev1/xauth-id-psk/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev1/xauth-id-psk/hosts/moon/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev1/xauth-id-psk/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev1/xauth-id-psk/posttest.dat
 create mode 100644 testing/tests/ikev1/xauth-id-psk/pretest.dat
 create mode 100644 testing/tests/ikev1/xauth-id-psk/test.conf
 create mode 100644 testing/tests/ikev1/xauth-id-rsa/description.txt
 create mode 100644 testing/tests/ikev1/xauth-id-rsa/evaltest.dat
 create mode 100644 testing/tests/ikev1/xauth-id-rsa/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/ikev1/xauth-id-rsa/hosts/carol/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev1/xauth-id-rsa/hosts/carol/etc/strongswan.conf
 create mode 100644 testing/tests/ikev1/xauth-id-rsa/hosts/dave/etc/ipsec.conf
 create mode 100644 testing/tests/ikev1/xauth-id-rsa/hosts/dave/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev1/xauth-id-rsa/hosts/dave/etc/strongswan.conf
 create mode 100644 testing/tests/ikev1/xauth-id-rsa/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev1/xauth-id-rsa/hosts/moon/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev1/xauth-id-rsa/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev1/xauth-id-rsa/posttest.dat
 create mode 100644 testing/tests/ikev1/xauth-id-rsa/pretest.dat
 create mode 100644 testing/tests/ikev1/xauth-id-rsa/test.conf
 delete mode 100644 testing/tests/ikev1/xauth-psk-mode-config/description.txt
 delete mode 100644 testing/tests/ikev1/xauth-psk-mode-config/evaltest.dat
 delete mode 100644 testing/tests/ikev1/xauth-psk-mode-config/hosts/carol/etc/ipsec.conf
 delete mode 100644 testing/tests/ikev1/xauth-psk-mode-config/hosts/carol/etc/ipsec.secrets
 delete mode 100644 testing/tests/ikev1/xauth-psk-mode-config/hosts/carol/etc/strongswan.conf
 delete mode 100644 testing/tests/ikev1/xauth-psk-mode-config/hosts/dave/etc/ipsec.conf
 delete mode 100644 testing/tests/ikev1/xauth-psk-mode-config/hosts/dave/etc/ipsec.secrets
 delete mode 100644 testing/tests/ikev1/xauth-psk-mode-config/hosts/dave/etc/strongswan.conf
 delete mode 100644 testing/tests/ikev1/xauth-psk-mode-config/hosts/moon/etc/ipsec.conf
 delete mode 100644 testing/tests/ikev1/xauth-psk-mode-config/hosts/moon/etc/ipsec.secrets
 delete mode 100644 testing/tests/ikev1/xauth-psk-mode-config/hosts/moon/etc/strongswan.conf
 delete mode 100644 testing/tests/ikev1/xauth-psk-mode-config/posttest.dat
 delete mode 100644 testing/tests/ikev1/xauth-psk-mode-config/pretest.dat
 delete mode 100644 testing/tests/ikev1/xauth-psk-mode-config/test.conf
 create mode 100644 testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/strongswan.conf
 create mode 100644 testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/strongswan.conf
 create mode 100644 testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/strongswan.conf
 create mode 100644 testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/strongswan.conf
 create mode 100644 testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev1/xauth-rsa/hosts/carol/etc/strongswan.conf
 create mode 100644 testing/tests/ikev1/xauth-rsa/hosts/dave/etc/strongswan.conf
 create mode 100644 testing/tests/ikev1/xauth-rsa/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/nat-two-rw-mark/description.txt
 create mode 100644 testing/tests/ikev2/nat-two-rw-mark/evaltest.dat
 create mode 100755 testing/tests/ikev2/nat-two-rw-mark/hosts/alice/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/nat-two-rw-mark/hosts/alice/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/nat-two-rw-mark/hosts/sun/etc/ipsec.conf
 create mode 100755 testing/tests/ikev2/nat-two-rw-mark/hosts/sun/etc/mark_updown
 create mode 100644 testing/tests/ikev2/nat-two-rw-mark/hosts/sun/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/nat-two-rw-mark/hosts/venus/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/nat-two-rw-mark/hosts/venus/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/nat-two-rw-mark/posttest.dat
 create mode 100644 testing/tests/ikev2/nat-two-rw-mark/pretest.dat
 create mode 100644 testing/tests/ikev2/nat-two-rw-mark/test.conf
 create mode 100644 testing/tests/ikev2/nat-virtual-ip/description.txt
 create mode 100644 testing/tests/ikev2/nat-virtual-ip/evaltest.dat
 create mode 100644 testing/tests/ikev2/nat-virtual-ip/hosts/bob/etc/hosts
 create mode 100755 testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/ipsec.conf
 create mode 100755 testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/nat_updown
 create mode 100644 testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/nat-virtual-ip/hosts/sun/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/nat-virtual-ip/hosts/sun/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/nat-virtual-ip/posttest.dat
 create mode 100644 testing/tests/ikev2/nat-virtual-ip/pretest.dat
 create mode 100644 testing/tests/ikev2/nat-virtual-ip/test.conf
 create mode 100644 testing/tests/ikev2/net2net-psk-dscp/description.txt
 create mode 100644 testing/tests/ikev2/net2net-psk-dscp/evaltest.dat
 create mode 100755 testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/net2net-psk-dscp/posttest.dat
 create mode 100644 testing/tests/ikev2/net2net-psk-dscp/pretest.dat
 create mode 100644 testing/tests/ikev2/net2net-psk-dscp/test.conf
 create mode 100644 testing/tests/ikev2/net2net-same-nets/description.txt
 create mode 100644 testing/tests/ikev2/net2net-same-nets/evaltest.dat
 create mode 100755 testing/tests/ikev2/net2net-same-nets/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/net2net-same-nets/hosts/moon/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/ipsec.conf
 create mode 100755 testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/mark_updown
 create mode 100644 testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/net2net-same-nets/posttest.dat
 create mode 100644 testing/tests/ikev2/net2net-same-nets/pretest.dat
 create mode 100644 testing/tests/ikev2/net2net-same-nets/test.conf
 create mode 100644 testing/tests/ikev2/rw-mark-in-out/description.txt
 create mode 100644 testing/tests/ikev2/rw-mark-in-out/evaltest.dat
 create mode 100755 testing/tests/ikev2/rw-mark-in-out/hosts/alice/etc/init.d/iptables
 create mode 100755 testing/tests/ikev2/rw-mark-in-out/hosts/alice/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/rw-mark-in-out/hosts/alice/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/ipsec.conf
 create mode 100755 testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/mark_updown
 create mode 100644 testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/rw-mark-in-out/hosts/venus/etc/init.d/iptables
 create mode 100755 testing/tests/ikev2/rw-mark-in-out/hosts/venus/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/rw-mark-in-out/hosts/venus/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/rw-mark-in-out/posttest.dat
 create mode 100644 testing/tests/ikev2/rw-mark-in-out/pretest.dat
 create mode 100644 testing/tests/ikev2/rw-mark-in-out/test.conf

(limited to 'src/libstrongswan/plugins')

diff --git a/Android.mk b/Android.mk
index 0cda18302..0a9fc5387 100644
--- a/Android.mk
+++ b/Android.mk
@@ -3,8 +3,9 @@ include $(CLEAR_VARS)
 
 # this is the list of plugins that are built into libstrongswan and charon
 # also these plugins are loaded by default (if not changed in strongswan.conf)
-strongswan_PLUGINS := openssl fips-prf random x509 pubkey pkcs1 \
-	pem xcbc hmac kernel-netlink socket-default android
+strongswan_PLUGINS := openssl fips-prf random pubkey pkcs1 \
+	pem xcbc hmac kernel-netlink socket-default android \
+	eap-identity eap-mschapv2 eap-md5
 
 # helper macros to only add source files for plugins included in the list above
 # source files are relative to the android.mk that called the macro
@@ -12,7 +13,9 @@ plugin_enabled = $(findstring $(1), $(strongswan_PLUGINS))
 add_plugin = $(if $(call plugin_enabled,$(1)), \
                $(patsubst $(LOCAL_PATH)/%,%, \
                  $(wildcard \
-                   $(LOCAL_PATH)/plugins/$(subst -,_,$(strip $(1)))/*.c \
+                   $(subst %,$(subst -,_,$(strip $(1))), \
+                     $(LOCAL_PATH)/plugins/%/%*.c \
+                    ) \
                   ) \
                 ) \
               )
@@ -40,11 +43,17 @@ strongswan_CFLAGS := \
 	-DHAVE_STRUCT_SADB_X_POLICY_SADB_X_POLICY_PRIORITY \
 	-DHAVE_IPSEC_MODE_BEET \
 	-DHAVE_IPSEC_DIR_FWD \
+	-DOPENSSL_NO_EC \
+	-DOPENSSL_NO_ECDSA \
+	-DOPENSSL_NO_ECDH \
+	-DOPENSSL_NO_ENGINE \
+	-DCAPABILITIES \
+	-DCAPABILITIES_NATIVE \
 	-DMONOLITHIC \
 	-DUSE_VSTR \
 	-DROUTING_TABLE=0 \
 	-DROUTING_TABLE_PRIO=220 \
-	-DVERSION=\"4.4.0\" \
+	-DVERSION=\"4.4.1\" \
 	-DPLUGINS='"$(strongswan_PLUGINS)"' \
 	-DIPSEC_DIR=\"/system/bin\" \
 	-DIPSEC_PIDDIR=\"/data/misc/vpn\" \
diff --git a/Android.mk.in b/Android.mk.in
index 4a4b7df96..1ad0b27fe 100644
--- a/Android.mk.in
+++ b/Android.mk.in
@@ -3,8 +3,9 @@ include $(CLEAR_VARS)
 
 # this is the list of plugins that are built into libstrongswan and charon
 # also these plugins are loaded by default (if not changed in strongswan.conf)
-strongswan_PLUGINS := openssl fips-prf random x509 pubkey pkcs1 \
-	pem xcbc hmac kernel-netlink socket-default android
+strongswan_PLUGINS := openssl fips-prf random pubkey pkcs1 \
+	pem xcbc hmac kernel-netlink socket-default android \
+	eap-identity eap-mschapv2 eap-md5
 
 # helper macros to only add source files for plugins included in the list above
 # source files are relative to the android.mk that called the macro
@@ -12,7 +13,9 @@ plugin_enabled = $(findstring $(1), $(strongswan_PLUGINS))
 add_plugin = $(if $(call plugin_enabled,$(1)), \
                $(patsubst $(LOCAL_PATH)/%,%, \
                  $(wildcard \
-                   $(LOCAL_PATH)/plugins/$(subst -,_,$(strip $(1)))/*.c \
+                   $(subst %,$(subst -,_,$(strip $(1))), \
+                     $(LOCAL_PATH)/plugins/%/%*.c \
+                    ) \
                   ) \
                 ) \
               )
@@ -40,6 +43,12 @@ strongswan_CFLAGS := \
 	-DHAVE_STRUCT_SADB_X_POLICY_SADB_X_POLICY_PRIORITY \
 	-DHAVE_IPSEC_MODE_BEET \
 	-DHAVE_IPSEC_DIR_FWD \
+	-DOPENSSL_NO_EC \
+	-DOPENSSL_NO_ECDSA \
+	-DOPENSSL_NO_ECDH \
+	-DOPENSSL_NO_ENGINE \
+	-DCAPABILITIES \
+	-DCAPABILITIES_NATIVE \
 	-DMONOLITHIC \
 	-DUSE_VSTR \
 	-DROUTING_TABLE=0 \
diff --git a/Makefile.am b/Makefile.am
index 6ed121f67..af0465fee 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -7,7 +7,7 @@ endif
 ACLOCAL_AMFLAGS = -I m4/config
 
 EXTRA_DIST = Doxyfile.in CREDITS Android.mk.in Android.mk
-CLEANFILES = apidoc Doxyfile
+CLEANFILES = Doxyfile
 BUILT_SOURCES = Android.mk
 MAINTAINERCLEANFILES = Android.mk
 
@@ -25,3 +25,6 @@ Doxyfile :	Doxyfile.in
 
 apidoc :	Doxyfile
 		doxygen
+
+clean-local:
+		rm -rf apidoc
diff --git a/Makefile.in b/Makefile.in
index d4f18d054..522683ab1 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -267,7 +267,7 @@ xml_LIBS = @xml_LIBS@
 SUBDIRS = src testing $(am__append_1)
 ACLOCAL_AMFLAGS = -I m4/config
 EXTRA_DIST = Doxyfile.in CREDITS Android.mk.in Android.mk
-CLEANFILES = apidoc Doxyfile
+CLEANFILES = Doxyfile
 BUILT_SOURCES = Android.mk
 MAINTAINERCLEANFILES = Android.mk
 all: $(BUILT_SOURCES)
@@ -327,7 +327,7 @@ distclean-libtool:
 #     (which will cause the Makefiles to be regenerated when you run `make');
 # (2) otherwise, pass the desired values on the `make' command line.
 $(RECURSIVE_TARGETS):
-	@failcom='exit 1'; \
+	@fail= failcom='exit 1'; \
 	for f in x $$MAKEFLAGS; do \
 	  case $$f in \
 	    *=* | --[!k]*);; \
@@ -352,7 +352,7 @@ $(RECURSIVE_TARGETS):
 	fi; test -z "$$fail"
 
 $(RECURSIVE_CLEAN_TARGETS):
-	@failcom='exit 1'; \
+	@fail= failcom='exit 1'; \
 	for f in x $$MAKEFLAGS; do \
 	  case $$f in \
 	    *=* | --[!k]*);; \
@@ -516,7 +516,8 @@ distdir: $(DISTFILES)
 	  fi; \
 	done
 	-test -n "$(am__skip_mode_fix)" \
-	|| find "$(distdir)" -type d ! -perm -777 -exec chmod a+rwx {} \; -o \
+	|| find "$(distdir)" -type d ! -perm -755 \
+		-exec chmod u+rwx,go+rx {} \; -o \
 	  ! -type d ! -perm -444 -links 1 -exec chmod a+r {} \; -o \
 	  ! -type d ! -perm -400 -exec chmod a+r {} \; -o \
 	  ! -type d ! -perm -444 -exec $(install_sh) -c -m a+r {} {} \; \
@@ -560,17 +561,17 @@ dist dist-all: distdir
 distcheck: dist
 	case '$(DIST_ARCHIVES)' in \
 	*.tar.gz*) \
-	  GZIP=$(GZIP_ENV) gunzip -c $(distdir).tar.gz | $(am__untar) ;;\
+	  GZIP=$(GZIP_ENV) gzip -dc $(distdir).tar.gz | $(am__untar) ;;\
 	*.tar.bz2*) \
-	  bunzip2 -c $(distdir).tar.bz2 | $(am__untar) ;;\
+	  bzip2 -dc $(distdir).tar.bz2 | $(am__untar) ;;\
 	*.tar.lzma*) \
-	  unlzma -c $(distdir).tar.lzma | $(am__untar) ;;\
+	  lzma -dc $(distdir).tar.lzma | $(am__untar) ;;\
 	*.tar.xz*) \
 	  xz -dc $(distdir).tar.xz | $(am__untar) ;;\
 	*.tar.Z*) \
 	  uncompress -c $(distdir).tar.Z | $(am__untar) ;;\
 	*.shar.gz*) \
-	  GZIP=$(GZIP_ENV) gunzip -c $(distdir).shar.gz | unshar ;;\
+	  GZIP=$(GZIP_ENV) gzip -dc $(distdir).shar.gz | unshar ;;\
 	*.zip*) \
 	  unzip $(distdir).zip ;;\
 	esac
@@ -666,7 +667,7 @@ maintainer-clean-generic:
 	-test -z "$(MAINTAINERCLEANFILES)" || rm -f $(MAINTAINERCLEANFILES)
 clean: clean-recursive
 
-clean-am: clean-generic clean-libtool mostlyclean-am
+clean-am: clean-generic clean-libtool clean-local mostlyclean-am
 
 distclean: distclean-recursive
 	-rm -f $(am__CONFIG_DISTCLEAN_FILES)
@@ -740,19 +741,19 @@ uninstall-am:
 
 .PHONY: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) CTAGS GTAGS \
 	all all-am am--refresh check check-am clean clean-generic \
-	clean-libtool ctags ctags-recursive dist dist-all dist-bzip2 \
-	dist-gzip dist-lzma dist-shar dist-tarZ dist-xz dist-zip \
-	distcheck distclean distclean-generic distclean-libtool \
-	distclean-tags distcleancheck distdir distuninstallcheck dvi \
-	dvi-am html html-am info info-am install install-am \
-	install-data install-data-am install-dvi install-dvi-am \
-	install-exec install-exec-am install-html install-html-am \
-	install-info install-info-am install-man install-pdf \
-	install-pdf-am install-ps install-ps-am install-strip \
-	installcheck installcheck-am installdirs installdirs-am \
-	maintainer-clean maintainer-clean-generic mostlyclean \
-	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	tags tags-recursive uninstall uninstall-am
+	clean-libtool clean-local ctags ctags-recursive dist dist-all \
+	dist-bzip2 dist-gzip dist-lzma dist-shar dist-tarZ dist-xz \
+	dist-zip distcheck distclean distclean-generic \
+	distclean-libtool distclean-tags distcleancheck distdir \
+	distuninstallcheck dvi dvi-am html html-am info info-am \
+	install install-am install-data install-data-am install-dvi \
+	install-dvi-am install-exec install-exec-am install-html \
+	install-html-am install-info install-info-am install-man \
+	install-pdf install-pdf-am install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	installdirs-am maintainer-clean maintainer-clean-generic \
+	mostlyclean mostlyclean-generic mostlyclean-libtool pdf pdf-am \
+	ps ps-am tags tags-recursive uninstall uninstall-am
 
 
 Android.mk :	Android.mk.in configure.in
@@ -770,6 +771,9 @@ Doxyfile :	Doxyfile.in
 apidoc :	Doxyfile
 		doxygen
 
+clean-local:
+		rm -rf apidoc
+
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/NEWS b/NEWS
index bd4e770cd..a5f4a16ff 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,52 @@
+strongswan-4.4.1
+----------------
+
+- Support of xfrm marks in IPsec SAs and IPsec policies introduced
+  with the Linux 2.6.34 kernel. For details see the example scenarios
+  ikev2/nat-two-rw-mark, ikev2/rw-nat-mark-in-out and ikev2/net2net-psk-dscp.
+
+- The PLUTO_MARK_IN and PLUTO_ESP_ENC environment variables can be used
+  in a user-specific updown script to set marks on inbound ESP or
+  ESP_IN_UDP packets.
+
+- The openssl plugin now supports X.509 certificate and CRL functions.
+
+- OCSP/CRL checking in IKEv2 has been moved to the revocation plugin, enabled
+  by default. Plase update manual load directives in strongswan.conf.
+
+- RFC3779 ipAddrBlock constraint checking has been moved to the addrblock
+  plugin, disabled by default. Enable it and update manual load directives
+  in strongswan.conf, if required.
+
+- The pki utility supports CRL generation using the --signcrl command.
+
+- The ipsec pki --self, --issue and --req commands now support output in
+  PEM format using the --outform pem option.
+
+- The major refactoring of the IKEv1 Mode Config functionality now allows
+  the transport and handling of any Mode Config attribute.
+
+- The RADIUS proxy plugin eap-radius now supports multiple servers. Configured
+  servers are chosen randomly, with the option to prefer a specific server.
+  Non-responding servers are degraded by the selection process.
+
+- The ipsec pool tool manages arbitrary configuration attributes stored
+  in an SQL database. ipsec pool --help gives the details.
+
+- The new eap-simaka-sql plugin acts as a backend for EAP-SIM and EAP-AKA,
+  reading triplets/quintuplets from an SQL database.
+
+- The High Availability plugin now supports a HA enabled in-memory address
+  pool and Node reintegration without IKE_SA rekeying. The latter allows
+  clients without IKE_SA rekeying support to keep connected during
+  reintegration. Additionally, many other issues have been fixed in the ha
+  plugin.
+
+- Fixed a potential remote code execution vulnerability resulting from
+  the misuse of snprintf(). The vulnerability is exploitable by
+  unauthenticated users.
+
+
 strongswan-4.4.0
 ----------------
 
diff --git a/aclocal.m4 b/aclocal.m4
index dea9d6f31..23b7e59ee 100644
--- a/aclocal.m4
+++ b/aclocal.m4
@@ -1,4 +1,4 @@
-# generated automatically by aclocal 1.11 -*- Autoconf -*-
+# generated automatically by aclocal 1.11.1 -*- Autoconf -*-
 
 # Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004,
 # 2005, 2006, 2007, 2008, 2009  Free Software Foundation, Inc.
@@ -13,8 +13,8 @@
 
 m4_ifndef([AC_AUTOCONF_VERSION],
   [m4_copy([m4_PACKAGE_VERSION], [AC_AUTOCONF_VERSION])])dnl
-m4_if(m4_defn([AC_AUTOCONF_VERSION]), [2.64],,
-[m4_warning([this file was generated for autoconf 2.64.
+m4_if(m4_defn([AC_AUTOCONF_VERSION]), [2.65],,
+[m4_warning([this file was generated for autoconf 2.65.
 You have another version of autoconf.  It may work, but is not guaranteed to.
 If you have problems, you may need to regenerate the build system entirely.
 To do so, use the procedure documented by the package, typically `autoreconf'.])])
@@ -378,7 +378,7 @@ AC_DEFUN([AM_AUTOMAKE_VERSION],
 [am__api_version='1.11'
 dnl Some users find AM_AUTOMAKE_VERSION and mistake it for a way to
 dnl require some minimum version.  Point them to the right macro.
-m4_if([$1], [1.11], [],
+m4_if([$1], [1.11.1], [],
       [AC_FATAL([Do not call $0, use AM_INIT_AUTOMAKE([$1]).])])dnl
 ])
 
@@ -394,7 +394,7 @@ m4_define([_AM_AUTOCONF_VERSION], [])
 # Call AM_AUTOMAKE_VERSION and AM_AUTOMAKE_VERSION so they can be traced.
 # This function is AC_REQUIREd by AM_INIT_AUTOMAKE.
 AC_DEFUN([AM_SET_CURRENT_AUTOMAKE_VERSION],
-[AM_AUTOMAKE_VERSION([1.11])dnl
+[AM_AUTOMAKE_VERSION([1.11.1])dnl
 m4_ifndef([AC_AUTOCONF_VERSION],
   [m4_copy([m4_PACKAGE_VERSION], [AC_AUTOCONF_VERSION])])dnl
 _AM_AUTOCONF_VERSION(m4_defn([AC_AUTOCONF_VERSION]))])
diff --git a/config.guess b/config.guess
index da8331460..e3a2116a7 100755
--- a/config.guess
+++ b/config.guess
@@ -1,10 +1,10 @@
 #! /bin/sh
 # Attempt to guess a canonical system name.
 #   Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
-#   2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008
+#   2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009
 #   Free Software Foundation, Inc.
 
-timestamp='2009-04-27'
+timestamp='2009-06-10'
 
 # This file is free software; you can redistribute it and/or modify it
 # under the terms of the GNU General Public License as published by
@@ -170,7 +170,7 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
 	    arm*|i386|m68k|ns32k|sh3*|sparc|vax)
 		eval $set_cc_for_build
 		if echo __ELF__ | $CC_FOR_BUILD -E - 2>/dev/null \
-			| grep __ELF__ >/dev/null
+			| grep -q __ELF__
 		then
 		    # Once all utilities can be ECOFF (netbsdecoff) or a.out (netbsdaout).
 		    # Return netbsd for either.  FIX?
@@ -656,7 +656,7 @@ EOF
 	    # => hppa64-hp-hpux11.23
 
 	    if echo __LP64__ | (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) |
-		grep __LP64__ >/dev/null
+		grep -q __LP64__
 	    then
 		HP_ARCH="hppa2.0w"
 	    else
@@ -822,6 +822,9 @@ EOF
     [345]86:Windows_95:* | [345]86:Windows_98:* | [345]86:Windows_NT:*)
 	echo i${UNAME_MACHINE}-pc-mks
 	exit ;;
+    8664:Windows_NT:*)
+	echo x86_64-pc-mks
+	exit ;;
     i*:Windows_NT*:* | Pentium*:Windows_NT*:*)
 	# How do we know it's Interix rather than the generic POSIX subsystem?
 	# It also conflicts with pre-2.0 versions of AT&T UWIN. Should we
@@ -882,40 +885,17 @@ EOF
     m68*:Linux:*:*)
 	echo ${UNAME_MACHINE}-unknown-linux-gnu
 	exit ;;
-    mips:Linux:*:*)
+    mips:Linux:*:* | mips64:Linux:*:*)
 	eval $set_cc_for_build
 	sed 's/^	//' << EOF >$dummy.c
 	#undef CPU
-	#undef mips
-	#undef mipsel
+	#undef ${UNAME_MACHINE}
+	#undef ${UNAME_MACHINE}el
 	#if defined(__MIPSEL__) || defined(__MIPSEL) || defined(_MIPSEL) || defined(MIPSEL)
-	CPU=mipsel
+	CPU=${UNAME_MACHINE}el
 	#else
 	#if defined(__MIPSEB__) || defined(__MIPSEB) || defined(_MIPSEB) || defined(MIPSEB)
-	CPU=mips
-	#else
-	CPU=
-	#endif
-	#endif
-EOF
-	eval "`$CC_FOR_BUILD -E $dummy.c 2>/dev/null | sed -n '
-	    /^CPU/{
-		s: ::g
-		p
-	    }'`"
-	test x"${CPU}" != x && { echo "${CPU}-unknown-linux-gnu"; exit; }
-	;;
-    mips64:Linux:*:*)
-	eval $set_cc_for_build
-	sed 's/^	//' << EOF >$dummy.c
-	#undef CPU
-	#undef mips64
-	#undef mips64el
-	#if defined(__MIPSEL__) || defined(__MIPSEL) || defined(_MIPSEL) || defined(MIPSEL)
-	CPU=mips64el
-	#else
-	#if defined(__MIPSEB__) || defined(__MIPSEB) || defined(_MIPSEB) || defined(MIPSEB)
-	CPU=mips64
+	CPU=${UNAME_MACHINE}
 	#else
 	CPU=
 	#endif
@@ -947,7 +927,7 @@ EOF
 	  EV67)  UNAME_MACHINE=alphaev67 ;;
 	  EV68*) UNAME_MACHINE=alphaev68 ;;
         esac
-	objdump --private-headers /bin/sh | grep ld.so.1 >/dev/null
+	objdump --private-headers /bin/sh | grep -q ld.so.1
 	if test "$?" = 0 ; then LIBC="libc1" ; else LIBC="" ; fi
 	echo ${UNAME_MACHINE}-unknown-linux-gnu${LIBC}
 	exit ;;
@@ -1001,14 +981,6 @@ EOF
 	  elf32-i386)
 		TENTATIVE="${UNAME_MACHINE}-pc-linux-gnu"
 		;;
-	  a.out-i386-linux)
-		echo "${UNAME_MACHINE}-pc-linux-gnuaout"
-		exit ;;
-	  "")
-		# Either a pre-BFD a.out linker (linux-gnuoldld) or
-		# one that does not give us useful --help.
-		echo "${UNAME_MACHINE}-pc-linux-gnuoldld"
-		exit ;;
 	esac
 	# Determine whether the default compiler is a.out or elf
 	eval $set_cc_for_build
@@ -1074,7 +1046,7 @@ EOF
     i*86:syllable:*:*)
 	echo ${UNAME_MACHINE}-pc-syllable
 	exit ;;
-    i*86:LynxOS:2.*:* | i*86:LynxOS:3.[01]*:* | i*86:LynxOS:4.0*:*)
+    i*86:LynxOS:2.*:* | i*86:LynxOS:3.[01]*:* | i*86:LynxOS:4.[02]*:*)
 	echo i386-unknown-lynxos${UNAME_RELEASE}
 	exit ;;
     i*86:*DOS:*:*)
@@ -1182,7 +1154,7 @@ EOF
     rs6000:LynxOS:2.*:*)
 	echo rs6000-unknown-lynxos${UNAME_RELEASE}
 	exit ;;
-    PowerPC:LynxOS:2.*:* | PowerPC:LynxOS:3.[01]*:* | PowerPC:LynxOS:4.0*:*)
+    PowerPC:LynxOS:2.*:* | PowerPC:LynxOS:3.[01]*:* | PowerPC:LynxOS:4.[02]*:*)
 	echo powerpc-unknown-lynxos${UNAME_RELEASE}
 	exit ;;
     SM[BE]S:UNIX_SV:*:*)
diff --git a/config.sub b/config.sub
index a39437d01..eb0389a69 100755
--- a/config.sub
+++ b/config.sub
@@ -1,10 +1,10 @@
 #! /bin/sh
 # Configuration validation subroutine script.
 #   Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
-#   2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008
+#   2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009
 #   Free Software Foundation, Inc.
 
-timestamp='2009-04-17'
+timestamp='2009-06-11'
 
 # This file is (in principle) common to ALL GNU software.
 # The presence of a machine in this file suggests that SOME GNU software
@@ -153,6 +153,9 @@ case $os in
 		os=
 		basic_machine=$1
 		;;
+        -bluegene*)
+	        os=-cnk
+		;;
 	-sim | -cisco | -oki | -wec | -winbond)
 		os=
 		basic_machine=$1
@@ -467,6 +470,10 @@ case $basic_machine in
 		basic_machine=bfin-`echo $basic_machine | sed 's/^[^-]*-//'`
 		os=-linux
 		;;
+	bluegene*)
+		basic_machine=powerpc-ibm
+		os=-cnk
+		;;
 	c90)
 		basic_machine=c90-cray
 		os=-unicos
@@ -1260,7 +1267,7 @@ case $os in
 	# Each alternative MUST END IN A *, to match a version number.
 	# -sysv* is not here because it comes later, after sysvr4.
 	-gnu* | -bsd* | -mach* | -minix* | -genix* | -ultrix* | -irix* \
-	      | -*vms* | -sco* | -esix* | -isc* | -aix* | -sunos | -sunos[34]*\
+	      | -*vms* | -sco* | -esix* | -isc* | -aix* | -cnk* | -sunos | -sunos[34]*\
 	      | -hpux* | -unos* | -osf* | -luna* | -dgux* | -solaris* | -sym* \
 	      | -kopensolaris* \
 	      | -amigaos* | -amigados* | -msdos* | -newsos* | -unicos* | -aof* \
@@ -1613,7 +1620,7 @@ case $basic_machine in
 			-sunos*)
 				vendor=sun
 				;;
-			-aix*)
+			-cnk*|-aix*)
 				vendor=ibm
 				;;
 			-beos*)
diff --git a/configure b/configure
index 952734d15..64ecd2c57 100755
--- a/configure
+++ b/configure
@@ -1,10 +1,12 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.64 for strongSwan 4.4.0.
+# Generated by GNU Autoconf 2.65 for strongSwan 4.4.1.
+#
 #
 # Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
-# 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software
-# Foundation, Inc.
+# 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
+# Inc.
+#
 #
 # This configure script is free software; the Free Software Foundation
 # gives unlimited permission to copy, distribute and modify it.
@@ -673,7 +675,8 @@ fi
 
 
 
-exec 7<&0 </dev/null 6>&1
+test -n "$DJDIR" || exec 7<&0 </dev/null
+exec 6>&1
 
 # Name of the host.
 # hostname on some systems (SVR3.2, Linux) returns a bogus exit status,
@@ -695,8 +698,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='strongSwan'
 PACKAGE_TARNAME='strongswan'
-PACKAGE_VERSION='4.4.0'
-PACKAGE_STRING='strongSwan 4.4.0'
+PACKAGE_VERSION='4.4.1'
+PACKAGE_STRING='strongSwan 4.4.1'
 PACKAGE_BUGREPORT=''
 PACKAGE_URL=''
 
@@ -746,6 +749,8 @@ USE_SIMAKA_FALSE
 USE_SIMAKA_TRUE
 USE_VSTR_FALSE
 USE_VSTR_TRUE
+USE_LIBCAP_FALSE
+USE_LIBCAP_TRUE
 USE_FILE_CONFIG_FALSE
 USE_FILE_CONFIG_TRUE
 USE_LIBHYDRA_FALSE
@@ -762,8 +767,8 @@ USE_THREADS_FALSE
 USE_THREADS_TRUE
 USE_PLUTO_FALSE
 USE_PLUTO_TRUE
-USE_CAPABILITIES_FALSE
-USE_CAPABILITIES_TRUE
+USE_LOAD_WARNING_FALSE
+USE_LOAD_WARNING_TRUE
 USE_INTEGRITY_TEST_FALSE
 USE_INTEGRITY_TEST_TRUE
 USE_ME_FALSE
@@ -788,6 +793,16 @@ USE_CISCO_QUIRKS_FALSE
 USE_CISCO_QUIRKS_TRUE
 USE_SMARTCARD_FALSE
 USE_SMARTCARD_TRUE
+USE_XAUTH_FALSE
+USE_XAUTH_TRUE
+USE_RESOLVE_FALSE
+USE_RESOLVE_TRUE
+USE_ATTR_SQL_FALSE
+USE_ATTR_SQL_TRUE
+USE_ATTR_FALSE
+USE_ATTR_TRUE
+USE_ADDRBLOCK_FALSE
+USE_ADDRBLOCK_TRUE
 USE_FARP_FALSE
 USE_FARP_TRUE
 USE_SOCKET_DYNAMIC_FALSE
@@ -822,6 +837,8 @@ USE_EAP_SIMAKA_REAUTH_FALSE
 USE_EAP_SIMAKA_REAUTH_TRUE
 USE_EAP_SIMAKA_PSEUDONYM_FALSE
 USE_EAP_SIMAKA_PSEUDONYM_TRUE
+USE_EAP_SIMAKA_SQL_FALSE
+USE_EAP_SIMAKA_SQL_TRUE
 USE_EAP_SIM_FILE_FALSE
 USE_EAP_SIM_FILE_TRUE
 USE_EAP_SIM_FALSE
@@ -832,12 +849,8 @@ USE_LOAD_TESTER_FALSE
 USE_LOAD_TESTER_TRUE
 USE_UNIT_TESTS_FALSE
 USE_UNIT_TESTS_TRUE
-USE_RESOLVE_FALSE
-USE_RESOLVE_TRUE
 USE_DHCP_FALSE
 USE_DHCP_TRUE
-USE_ATTR_FALSE
-USE_ATTR_TRUE
 USE_UPDOWN_FALSE
 USE_UPDOWN_TRUE
 USE_SQL_FALSE
@@ -864,8 +877,6 @@ USE_OPENSSL_FALSE
 USE_OPENSSL_TRUE
 USE_PADLOCK_FALSE
 USE_PADLOCK_TRUE
-USE_ATTR_SQL_FALSE
-USE_ATTR_SQL_TRUE
 USE_SQLITE_FALSE
 USE_SQLITE_TRUE
 USE_MYSQL_FALSE
@@ -884,6 +895,8 @@ USE_PKCS1_FALSE
 USE_PKCS1_TRUE
 USE_PUBKEY_FALSE
 USE_PUBKEY_TRUE
+USE_REVOCATION_FALSE
+USE_REVOCATION_TRUE
 USE_X509_FALSE
 USE_X509_TRUE
 USE_RANDOM_FALSE
@@ -1094,6 +1107,7 @@ enable_fips_prf
 enable_gmp
 enable_random
 enable_x509
+enable_revocation
 enable_pubkey
 enable_pkcs1
 enable_pgp
@@ -1117,6 +1131,7 @@ enable_unit_tests
 enable_load_tester
 enable_eap_sim
 enable_eap_sim_file
+enable_eap_simaka_sql
 enable_eap_simaka_pseudonym
 enable_eap_simaka_reauth
 enable_eap_identity
@@ -1142,7 +1157,9 @@ enable_fast
 enable_manager
 enable_mediation
 enable_integrity_test
+enable_load_warning
 enable_pluto
+enable_xauth
 enable_threads
 enable_charon
 enable_tools
@@ -1156,6 +1173,7 @@ enable_padlock
 enable_openssl
 enable_gcrypt
 enable_agent
+enable_addrblock
 enable_uci
 enable_android
 enable_nm
@@ -1730,7 +1748,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures strongSwan 4.4.0 to adapt to many kinds of systems.
+\`configure' configures strongSwan 4.4.1 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1800,7 +1818,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of strongSwan 4.4.0:";;
+     short | recursive ) echo "Configuration of strongSwan 4.4.1:";;
    esac
   cat <<\_ACEOF
 
@@ -1825,6 +1843,7 @@ Optional Features:
                           plugin.
   --disable-random        disable RNG implementation on top of /dev/(u)random.
   --disable-x509          disable X509 certificate implementation plugin.
+  --disable-revocation    disable X509 CRL/OCSP revocation check plugin.
   --disable-pubkey        disable RAW public key support plugin.
   --disable-pkcs1         disable PKCS1 key decoding plugin.
   --disable-pgp           disable PGP key decoding plugin.
@@ -1853,6 +1872,8 @@ Optional Features:
   --enable-load-tester    enable load testing plugin for IKEv2 daemon.
   --enable-eap-sim        enable SIM authenication module for EAP.
   --enable-eap-sim-file   enable EAP-SIM backend based on a triplet file.
+  --enable-eap-simaka-sql enable EAP-SIM/AKA backend based on a
+                          triplet/quintuplet SQL database.
   --enable-eap-simaka-pseudonym
                           enable EAP-SIM/AKA pseudonym storage plugin.
   --enable-eap-simaka-reauth
@@ -1890,7 +1911,10 @@ Optional Features:
   --enable-mediation      enable IKEv2 Mediation Extension.
   --enable-integrity-test enable integrity testing of libstrongswan and
                           plugins.
+  --disable-load-warning  disable the charon/pluto plugin load option warning
+                          in starter.
   --disable-pluto         disable the IKEv1 keying daemon pluto.
+  --disable-xauth         disable xauth plugin.
   --disable-threads       disable the use of threads in pluto. Charon always
                           uses threads.
   --disable-charon        disable the IKEv2 keying daemon charon.
@@ -1908,6 +1932,7 @@ Optional Features:
   --enable-openssl        enables the OpenSSL crypto plugin.
   --enable-gcrypt         enables the libgcrypt plugin.
   --enable-agent          enables the ssh-agent signing plugin.
+  --enable-addrblock      enables RFC 3779 address block constraint support.
   --enable-uci            enable OpenWRT UCI configuration plugin.
   --enable-android        enable Android specific plugin.
   --enable-nm             enable NetworkManager plugin.
@@ -1958,8 +1983,8 @@ Optional Packages:
                           220).
   --with-routing-table-prio=arg
                           set priority for IPsec routing table (default: 220).
-  --with-capabilities=arg set capability dropping library. Currently only the
-                          value "libcap" is supported (default: no).
+  --with-capabilities=arg set capability dropping library. Currently supported
+                          values are "libcap" and "native" (default: no).
   --with-mpz_powm_sec=arg use the more side-channel resistant mpz_powm_sec in
                           libgmp, if available (default: yes).
   --with-xauth-module=lib set the path to the XAUTH module
@@ -1980,7 +2005,7 @@ Some influential environment variables:
   LDFLAGS     linker flags, e.g. -L<lib dir> if you have libraries in a
               nonstandard directory <lib dir>
   LIBS        libraries to pass to the linker, e.g. -l<library>
-  CPPFLAGS    C/C++/Objective C preprocessor flags, e.g. -I<include dir> if
+  CPPFLAGS    (Objective) C/C++ preprocessor flags, e.g. -I<include dir> if
               you have headers in a nonstandard directory <include dir>
   CPP         C preprocessor
   YACC        The `Yet Another C Compiler' implementation to use. Defaults to
@@ -2061,8 +2086,8 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-strongSwan configure 4.4.0
-generated by GNU Autoconf 2.64
+strongSwan configure 4.4.1
+generated by GNU Autoconf 2.65
 
 Copyright (C) 2009 Free Software Foundation, Inc.
 This configure script is free software; the Free Software Foundation
@@ -2109,7 +2134,7 @@ sed 's/^/| /' conftest.$ac_ext >&5
 	ac_retval=1
 fi
   eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;}
-  return $ac_retval
+  as_fn_set_status $ac_retval
 
 } # ac_fn_c_try_compile
 
@@ -2151,7 +2176,7 @@ sed 's/^/| /' conftest.$ac_ext >&5
 fi
   rm -rf conftest.dSYM conftest_ipa8_conftest.oo
   eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;}
-  return $ac_retval
+  as_fn_set_status $ac_retval
 
 } # ac_fn_c_try_run
 
@@ -2188,7 +2213,7 @@ sed 's/^/| /' conftest.$ac_ext >&5
     ac_retval=1
 fi
   eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;}
-  return $ac_retval
+  as_fn_set_status $ac_retval
 
 } # ac_fn_c_try_cpp
 
@@ -2265,7 +2290,7 @@ fi
   # left behind by Apple's compiler.  We do this before executing the actions.
   rm -rf conftest.dSYM conftest_ipa8_conftest.oo
   eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;}
-  return $ac_retval
+  as_fn_set_status $ac_retval
 
 } # ac_fn_c_try_link
 
@@ -2537,8 +2562,8 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by strongSwan $as_me 4.4.0, which was
-generated by GNU Autoconf 2.64.  Invocation command line was
+It was created by strongSwan $as_me 4.4.1, which was
+generated by GNU Autoconf 2.65.  Invocation command line was
 
   $ $0 $@
 
@@ -2791,7 +2816,7 @@ fi
 for ac_site_file in "$ac_site_file1" "$ac_site_file2"
 do
   test "x$ac_site_file" = xNONE && continue
-  if test -r "$ac_site_file"; then
+  if test /dev/null != "$ac_site_file" && test -r "$ac_site_file"; then
     { $as_echo "$as_me:${as_lineno-$LINENO}: loading site script $ac_site_file" >&5
 $as_echo "$as_me: loading site script $ac_site_file" >&6;}
     sed 's/^/| /' "$ac_site_file" >&5
@@ -2800,9 +2825,9 @@ $as_echo "$as_me: loading site script $ac_site_file" >&6;}
 done
 
 if test -r "$cache_file"; then
-  # Some versions of bash will fail to source /dev/null (special
-  # files actually), so we avoid doing that.
-  if test -f "$cache_file"; then
+  # Some versions of bash will fail to source /dev/null (special files
+  # actually), so we avoid doing that.  DJGPP emulates it as a regular file.
+  if test /dev/null != "$cache_file" && test -f "$cache_file"; then
     { $as_echo "$as_me:${as_lineno-$LINENO}: loading cache $cache_file" >&5
 $as_echo "$as_me: loading cache $cache_file" >&6;}
     case $cache_file in
@@ -3221,6 +3246,7 @@ IFS=$as_save_IFS
 
 fi
 
+  test -d ./--version && rmdir ./--version
   if test "${ac_cv_path_mkdir+set}" = set; then
     MKDIR_P="$ac_cv_path_mkdir -p"
   else
@@ -3228,7 +3254,6 @@ fi
     # value for MKDIR_P within a source directory, because that will
     # break other packages using the cache if that directory is
     # removed, or if the value is a relative name.
-    test -d ./--version && rmdir ./--version
     MKDIR_P="$ac_install_sh -d"
   fi
 fi
@@ -3345,7 +3370,7 @@ fi
 
 # Define the identity of the package.
  PACKAGE='strongswan'
- VERSION='4.4.0'
+ VERSION='4.4.1'
 
 
 cat >>confdefs.h <<_ACEOF
@@ -4010,6 +4035,21 @@ else
 fi
 
 
+# Check whether --enable-revocation was given.
+if test "${enable_revocation+set}" = set; then :
+  enableval=$enable_revocation; revocation_given=true
+		if test x$enableval = xyes; then
+			revocation=true
+		 else
+			revocation=false
+		fi
+else
+  revocation=true
+		revocation_given=false
+
+fi
+
+
 # Check whether --enable-pubkey was given.
 if test "${enable_pubkey+set}" = set; then :
   enableval=$enable_pubkey; pubkey_given=true
@@ -4355,6 +4395,21 @@ else
 fi
 
 
+# Check whether --enable-eap-simaka-sql was given.
+if test "${enable_eap_simaka_sql+set}" = set; then :
+  enableval=$enable_eap_simaka_sql; eap_simaka_sql_given=true
+		if test x$enableval = xyes; then
+			eap_simaka_sql=true
+		 else
+			eap_simaka_sql=false
+		fi
+else
+  eap_simaka_sql=false
+		eap_simaka_sql_given=false
+
+fi
+
+
 # Check whether --enable-eap-simaka-pseudonym was given.
 if test "${enable_eap_simaka_pseudonym+set}" = set; then :
   enableval=$enable_eap_simaka_pseudonym; eap_simaka_pseudonym_given=true
@@ -4730,6 +4785,21 @@ else
 fi
 
 
+# Check whether --enable-load-warning was given.
+if test "${enable_load_warning+set}" = set; then :
+  enableval=$enable_load_warning; load_warning_given=true
+		if test x$enableval = xyes; then
+			load_warning=true
+		 else
+			load_warning=false
+		fi
+else
+  load_warning=true
+		load_warning_given=false
+
+fi
+
+
 # Check whether --enable-pluto was given.
 if test "${enable_pluto+set}" = set; then :
   enableval=$enable_pluto; pluto_given=true
@@ -4745,6 +4815,21 @@ else
 fi
 
 
+# Check whether --enable-xauth was given.
+if test "${enable_xauth+set}" = set; then :
+  enableval=$enable_xauth; xauth_given=true
+		if test x$enableval = xyes; then
+			xauth=true
+		 else
+			xauth=false
+		fi
+else
+  xauth=true
+		xauth_given=false
+
+fi
+
+
 # Check whether --enable-threads was given.
 if test "${enable_threads+set}" = set; then :
   enableval=$enable_threads; threads_given=true
@@ -4940,6 +5025,21 @@ else
 fi
 
 
+# Check whether --enable-addrblock was given.
+if test "${enable_addrblock+set}" = set; then :
+  enableval=$enable_addrblock; addrblock_given=true
+		if test x$enableval = xyes; then
+			addrblock=true
+		 else
+			addrblock=false
+		fi
+else
+  addrblock=false
+		addrblock_given=false
+
+fi
+
+
 # Check whether --enable-uci was given.
 if test "${enable_uci+set}" = set; then :
   enableval=$enable_uci; uci_given=true
@@ -5357,32 +5457,30 @@ $as_echo "$ac_try_echo"; } >&5
 ... rest of stderr output deleted ...
          10q' conftest.err >conftest.er1
     cat conftest.er1 >&5
-    rm -f conftest.er1 conftest.err
   fi
+  rm -f conftest.er1 conftest.err
   $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
   test $ac_status = 0; }
 done
 
 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
-#include <stdio.h>
+
 int
 main ()
 {
-FILE *f = fopen ("conftest.out", "w");
- return ferror (f) || fclose (f) != 0;
 
   ;
   return 0;
 }
 _ACEOF
 ac_clean_files_save=$ac_clean_files
-ac_clean_files="$ac_clean_files a.out a.out.dSYM a.exe b.out conftest.out"
+ac_clean_files="$ac_clean_files a.out a.out.dSYM a.exe b.out"
 # Try to create an executable without -o first, disregard a.out.
 # It will help us diagnose broken compilers, and finding out an intuition
 # of exeext.
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for C compiler default output file name" >&5
-$as_echo_n "checking for C compiler default output file name... " >&6; }
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the C compiler works" >&5
+$as_echo_n "checking whether the C compiler works... " >&6; }
 ac_link_default=`$as_echo "$ac_link" | sed 's/ -o *conftest[^ ]*//'`
 
 # The possible output files:
@@ -5444,10 +5542,10 @@ test "$ac_cv_exeext" = no && ac_cv_exeext=
 else
   ac_file=''
 fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_file" >&5
-$as_echo "$ac_file" >&6; }
 if test -z "$ac_file"; then :
-  $as_echo "$as_me: failed program was:" >&5
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+$as_echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
@@ -5455,51 +5553,18 @@ $as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
 { as_fn_set_status 77
 as_fn_error "C compiler cannot create executables
 See \`config.log' for more details." "$LINENO" 5; }; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
 fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for C compiler default output file name" >&5
+$as_echo_n "checking for C compiler default output file name... " >&6; }
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_file" >&5
+$as_echo "$ac_file" >&6; }
 ac_exeext=$ac_cv_exeext
 
-# Check that the compiler produces executables we can run.  If not, either
-# the compiler is broken, or we cross compile.
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the C compiler works" >&5
-$as_echo_n "checking whether the C compiler works... " >&6; }
-# If not cross compiling, check that we can run a simple program.
-if test "$cross_compiling" != yes; then
-  if { ac_try='./$ac_file'
-  { { case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
-$as_echo "$ac_try_echo"; } >&5
-  (eval "$ac_try") 2>&5
-  ac_status=$?
-  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
-  test $ac_status = 0; }; }; then
-    cross_compiling=no
-  else
-    if test "$cross_compiling" = maybe; then
-	cross_compiling=yes
-    else
-	{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
-$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
-as_fn_error "cannot run C compiled programs.
-If you meant to cross compile, use \`--host'.
-See \`config.log' for more details." "$LINENO" 5; }
-    fi
-  fi
-fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
-$as_echo "yes" >&6; }
-
-rm -f -r a.out a.out.dSYM a.exe conftest$ac_cv_exeext b.out conftest.out
+rm -f -r a.out a.out.dSYM a.exe conftest$ac_cv_exeext b.out
 ac_clean_files=$ac_clean_files_save
-# Check that the compiler produces executables we can run.  If not, either
-# the compiler is broken, or we cross compile.
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether we are cross compiling" >&5
-$as_echo_n "checking whether we are cross compiling... " >&6; }
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $cross_compiling" >&5
-$as_echo "$cross_compiling" >&6; }
-
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for suffix of executables" >&5
 $as_echo_n "checking for suffix of executables... " >&6; }
 if { { ac_try="$ac_link"
@@ -5532,13 +5597,72 @@ $as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
 as_fn_error "cannot compute suffix of executables: cannot compile and link
 See \`config.log' for more details." "$LINENO" 5; }
 fi
-rm -f conftest$ac_cv_exeext
+rm -f conftest conftest$ac_cv_exeext
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_exeext" >&5
 $as_echo "$ac_cv_exeext" >&6; }
 
 rm -f conftest.$ac_ext
 EXEEXT=$ac_cv_exeext
 ac_exeext=$EXEEXT
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+#include <stdio.h>
+int
+main ()
+{
+FILE *f = fopen ("conftest.out", "w");
+ return ferror (f) || fclose (f) != 0;
+
+  ;
+  return 0;
+}
+_ACEOF
+ac_clean_files="$ac_clean_files conftest.out"
+# Check that the compiler produces executables we can run.  If not, either
+# the compiler is broken, or we cross compile.
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether we are cross compiling" >&5
+$as_echo_n "checking whether we are cross compiling... " >&6; }
+if test "$cross_compiling" != yes; then
+  { { ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
+$as_echo "$ac_try_echo"; } >&5
+  (eval "$ac_link") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }
+  if { ac_try='./conftest$ac_cv_exeext'
+  { { case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
+$as_echo "$ac_try_echo"; } >&5
+  (eval "$ac_try") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; }; then
+    cross_compiling=no
+  else
+    if test "$cross_compiling" = maybe; then
+	cross_compiling=yes
+    else
+	{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error "cannot run C compiled programs.
+If you meant to cross compile, use \`--host'.
+See \`config.log' for more details." "$LINENO" 5; }
+    fi
+  fi
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $cross_compiling" >&5
+$as_echo "$cross_compiling" >&6; }
+
+rm -f conftest.$ac_ext conftest$ac_cv_exeext conftest.out
+ac_clean_files=$ac_clean_files_save
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for suffix of object files" >&5
 $as_echo_n "checking for suffix of object files... " >&6; }
 if test "${ac_cv_objext+set}" = set; then :
@@ -6845,8 +6969,8 @@ esac
 
 
 
-macro_version='2.2.6'
-macro_revision='1.3012'
+macro_version='2.2.6b'
+macro_revision='1.3017'
 
 
 
@@ -7316,13 +7440,13 @@ if test "${lt_cv_nm_interface+set}" = set; then :
 else
   lt_cv_nm_interface="BSD nm"
   echo "int some_variable = 0;" > conftest.$ac_ext
-  (eval echo "\"\$as_me:7319: $ac_compile\"" >&5)
+  (eval echo "\"\$as_me:7443: $ac_compile\"" >&5)
   (eval "$ac_compile" 2>conftest.err)
   cat conftest.err >&5
-  (eval echo "\"\$as_me:7322: $NM \\\"conftest.$ac_objext\\\"\"" >&5)
+  (eval echo "\"\$as_me:7446: $NM \\\"conftest.$ac_objext\\\"\"" >&5)
   (eval "$NM \"conftest.$ac_objext\"" 2>conftest.err > conftest.out)
   cat conftest.err >&5
-  (eval echo "\"\$as_me:7325: output\"" >&5)
+  (eval echo "\"\$as_me:7449: output\"" >&5)
   cat conftest.out >&5
   if $GREP 'External.*some_variable' conftest.out > /dev/null; then
     lt_cv_nm_interface="MS dumpbin"
@@ -7788,7 +7912,7 @@ irix5* | irix6* | nonstopux*)
   ;;
 
 # This must be Linux ELF.
-linux* | k*bsd*-gnu)
+linux* | k*bsd*-gnu | kopensolaris*-gnu)
   lt_cv_deplibs_check_method=pass_all
   ;;
 
@@ -8527,7 +8651,7 @@ ia64-*-hpux*)
   ;;
 *-*-irix6*)
   # Find out which ABI we are using.
-  echo '#line 8530 "configure"' > conftest.$ac_ext
+  echo '#line 8654 "configure"' > conftest.$ac_ext
   if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5
   (eval $ac_compile) 2>&5
   ac_status=$?
@@ -9789,11 +9913,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:9792: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:9916: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:9796: \$? = $ac_status" >&5
+   echo "$as_me:9920: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -9958,7 +10082,7 @@ $as_echo_n "checking for $compiler option to produce PIC... " >&6; }
       lt_prog_compiler_static='-non_shared'
       ;;
 
-    linux* | k*bsd*-gnu)
+    linux* | k*bsd*-gnu | kopensolaris*-gnu)
       case $cc_basename in
       # old Intel for x86_64 which still supported -KPIC.
       ecc*)
@@ -10128,11 +10252,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:10131: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:10255: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:10135: \$? = $ac_status" >&5
+   echo "$as_me:10259: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -10233,11 +10357,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:10236: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:10360: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:10240: \$? = $ac_status" >&5
+   echo "$as_me:10364: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -10288,11 +10412,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:10291: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:10415: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:10295: \$? = $ac_status" >&5
+   echo "$as_me:10419: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -10431,6 +10555,7 @@ $as_echo_n "checking whether the $compiler linker ($LD) supports shared librarie
     fi
     supports_anon_versioning=no
     case `$LD -v 2>&1` in
+      *GNU\ gold*) supports_anon_versioning=yes ;;
       *\ [01].* | *\ 2.[0-9].* | *\ 2.10.*) ;; # catch versions < 2.11
       *\ 2.11.93.0.2\ *) supports_anon_versioning=yes ;; # RH7.3 ...
       *\ 2.11.92.0.12\ *) supports_anon_versioning=yes ;; # Mandrake 8.2 ...
@@ -10522,7 +10647,7 @@ _LT_EOF
       archive_expsym_cmds='sed "s,^,_," $export_symbols >$output_objdir/$soname.expsym~$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--retain-symbols-file,$output_objdir/$soname.expsym ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
       ;;
 
-    gnu* | linux* | tpf* | k*bsd*-gnu)
+    gnu* | linux* | tpf* | k*bsd*-gnu | kopensolaris*-gnu)
       tmp_diet=no
       if test "$host_os" = linux-dietlibc; then
 	case $cc_basename in
@@ -11984,7 +12109,7 @@ linux*oldld* | linux*aout* | linux*coff*)
   ;;
 
 # This must be Linux ELF.
-linux* | k*bsd*-gnu)
+linux* | k*bsd*-gnu | kopensolaris*-gnu)
   version_type=linux
   need_lib_prefix=no
   need_version=no
@@ -12671,7 +12796,7 @@ else
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext <<_LT_EOF
-#line 12674 "configure"
+#line 12799 "configure"
 #include "confdefs.h"
 
 #if HAVE_DLFCN_H
@@ -12767,7 +12892,7 @@ else
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext <<_LT_EOF
-#line 12770 "configure"
+#line 12895 "configure"
 #include "confdefs.h"
 
 #if HAVE_DLFCN_H
@@ -14261,6 +14386,18 @@ fi
 done
 
 
+for ac_func in mallinfo
+do :
+  ac_fn_c_check_func "$LINENO" "mallinfo" "ac_cv_func_mallinfo"
+if test "x$ac_cv_func_mallinfo" = x""yes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_MALLINFO 1
+_ACEOF
+
+fi
+done
+
+
 for ac_header in sys/sockio.h
 do :
   ac_fn_c_check_header_mongrel "$LINENO" "sys/sockio.h" "ac_cv_header_sys_sockio_h" "$ac_includes_default"
@@ -15401,7 +15538,7 @@ if test "${ac_cv_lib_gcrypt_main+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
-LIBS="-lgcrypt  $LIBS"
+LIBS="-lgcrypt -lgpg-error $LIBS"
 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
@@ -15803,6 +15940,32 @@ else
 fi
 
 
+fi
+
+if test x$capabilities = xnative; then
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: Usage of the native Linux capabilities interface is deprecated, use libcap instead" >&5
+$as_echo "$as_me: Usage of the native Linux capabilities interface is deprecated, use libcap instead" >&6;}
+			for ac_header in sys/capability.h
+do :
+  ac_fn_c_check_header_mongrel "$LINENO" "sys/capability.h" "ac_cv_header_sys_capability_h" "$ac_includes_default"
+if test "x$ac_cv_header_sys_capability_h" = x""yes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_SYS_CAPABILITY_H 1
+_ACEOF
+
+fi
+
+done
+
+	ac_fn_c_check_func "$LINENO" "capset" "ac_cv_func_capset"
+if test "x$ac_cv_func_capset" = x""yes; then :
+
+else
+  as_fn_error "capset() not found!" "$LINENO" 5
+fi
+
+	$as_echo "#define CAPABILITIES_NATIVE 1" >>confdefs.h
+
 fi
 
 if test x$capabilities = xlibcap; then
@@ -15845,12 +16008,15 @@ ac_cv_lib_cap=ac_cv_lib_cap_main
 
 	ac_fn_c_check_header_mongrel "$LINENO" "sys/capability.h" "ac_cv_header_sys_capability_h" "$ac_includes_default"
 if test "x$ac_cv_header_sys_capability_h" = x""yes; then :
+  $as_echo "#define HAVE_SYS_CAPABILITY_H 1" >>confdefs.h
 
 else
   as_fn_error "libcap header sys/capability.h not found!" "$LINENO" 5
 fi
 
 
+	$as_echo "#define CAPABILITIES_LIBCAP 1" >>confdefs.h
+
 fi
 
 if test x$integrity_test = xtrue; then
@@ -15956,6 +16122,9 @@ if test x$x509 = xtrue; then
 	libstrongswan_plugins=${libstrongswan_plugins}" x509"
 	pluto_plugins=${pluto_plugins}" x509"
 fi
+if test x$revocation = xtrue; then
+	libstrongswan_plugins=${libstrongswan_plugins}" revocation"
+fi
 if test x$pubkey = xtrue; then
 	libstrongswan_plugins=${libstrongswan_plugins}" pubkey"
 	pluto_plugins=${pluto_plugins}" pubkey"
@@ -16012,13 +16181,17 @@ if test x$gmp = xtrue; then
 	libstrongswan_plugins=${libstrongswan_plugins}" gmp"
 	pluto_plugins=${pluto_plugins}" gmp"
 fi
+if test x$xauth = xtrue; then
+	pluto_plugins=${pluto_plugins}" xauth"
+fi
 if test x$attr = xtrue; then
 	libhydra_plugins=${libhydra_plugins}" attr"
-	pluto_plugins=${pluto_plugins}" attr"
 fi
 if test x$attr_sql = xtrue -o x$sql = xtrue; then
 	libhydra_plugins=${libhydra_plugins}" attr-sql"
-	pluto_plugins=${pluto_plugins}" attr-sql"
+fi
+if test x$resolve = xtrue; then
+	libhydra_plugins=${libhydra_plugins}" resolve"
 fi
 
 
@@ -16138,6 +16311,14 @@ else
   USE_X509_FALSE=
 fi
 
+ if test x$revocation = xtrue; then
+  USE_REVOCATION_TRUE=
+  USE_REVOCATION_FALSE='#'
+else
+  USE_REVOCATION_TRUE='#'
+  USE_REVOCATION_FALSE=
+fi
+
  if test x$pubkey = xtrue; then
   USE_PUBKEY_TRUE=
   USE_PUBKEY_FALSE='#'
@@ -16210,14 +16391,6 @@ else
   USE_SQLITE_FALSE=
 fi
 
- if test x$attr_sql = xtrue -o x$sql = xtrue; then
-  USE_ATTR_SQL_TRUE=
-  USE_ATTR_SQL_FALSE='#'
-else
-  USE_ATTR_SQL_TRUE='#'
-  USE_ATTR_SQL_FALSE=
-fi
-
  if test x$padlock = xtrue; then
   USE_PADLOCK_TRUE=
   USE_PADLOCK_FALSE='#'
@@ -16323,14 +16496,6 @@ else
   USE_UPDOWN_FALSE=
 fi
 
- if test x$attr = xtrue; then
-  USE_ATTR_TRUE=
-  USE_ATTR_FALSE='#'
-else
-  USE_ATTR_TRUE='#'
-  USE_ATTR_FALSE=
-fi
-
  if test x$dhcp = xtrue; then
   USE_DHCP_TRUE=
   USE_DHCP_FALSE='#'
@@ -16339,14 +16504,6 @@ else
   USE_DHCP_FALSE=
 fi
 
- if test x$resolve = xtrue; then
-  USE_RESOLVE_TRUE=
-  USE_RESOLVE_FALSE='#'
-else
-  USE_RESOLVE_TRUE='#'
-  USE_RESOLVE_FALSE=
-fi
-
  if test x$unit_tests = xtrue; then
   USE_UNIT_TESTS_TRUE=
   USE_UNIT_TESTS_FALSE='#'
@@ -16387,6 +16544,14 @@ else
   USE_EAP_SIM_FILE_FALSE=
 fi
 
+ if test x$eap_simaka_sql = xtrue; then
+  USE_EAP_SIMAKA_SQL_TRUE=
+  USE_EAP_SIMAKA_SQL_FALSE='#'
+else
+  USE_EAP_SIMAKA_SQL_TRUE='#'
+  USE_EAP_SIMAKA_SQL_FALSE=
+fi
+
  if test x$eap_simaka_pseudonym = xtrue; then
   USE_EAP_SIMAKA_PSEUDONYM_TRUE=
   USE_EAP_SIMAKA_PSEUDONYM_FALSE='#'
@@ -16523,6 +16688,48 @@ else
   USE_FARP_FALSE=
 fi
 
+ if test x$addrblock = xtrue; then
+  USE_ADDRBLOCK_TRUE=
+  USE_ADDRBLOCK_FALSE='#'
+else
+  USE_ADDRBLOCK_TRUE='#'
+  USE_ADDRBLOCK_FALSE=
+fi
+
+
+ if test x$attr = xtrue; then
+  USE_ATTR_TRUE=
+  USE_ATTR_FALSE='#'
+else
+  USE_ATTR_TRUE='#'
+  USE_ATTR_FALSE=
+fi
+
+ if test x$attr_sql = xtrue -o x$sql = xtrue; then
+  USE_ATTR_SQL_TRUE=
+  USE_ATTR_SQL_FALSE='#'
+else
+  USE_ATTR_SQL_TRUE='#'
+  USE_ATTR_SQL_FALSE=
+fi
+
+ if test x$resolve = xtrue; then
+  USE_RESOLVE_TRUE=
+  USE_RESOLVE_FALSE='#'
+else
+  USE_RESOLVE_TRUE='#'
+  USE_RESOLVE_FALSE=
+fi
+
+
+ if test x$xauth = xtrue; then
+  USE_XAUTH_TRUE=
+  USE_XAUTH_FALSE='#'
+else
+  USE_XAUTH_TRUE='#'
+  USE_XAUTH_FALSE=
+fi
+
 
  if test x$smartcard = xtrue; then
   USE_SMARTCARD_TRUE=
@@ -16620,12 +16827,12 @@ else
   USE_INTEGRITY_TEST_FALSE=
 fi
 
- if test x$capabilities = xlibcap; then
-  USE_CAPABILITIES_TRUE=
-  USE_CAPABILITIES_FALSE='#'
+ if test x$load_warning = xtrue; then
+  USE_LOAD_WARNING_TRUE=
+  USE_LOAD_WARNING_FALSE='#'
 else
-  USE_CAPABILITIES_TRUE='#'
-  USE_CAPABILITIES_FALSE=
+  USE_LOAD_WARNING_TRUE='#'
+  USE_LOAD_WARNING_FALSE=
 fi
 
  if test x$pluto = xtrue; then
@@ -16692,6 +16899,14 @@ else
   USE_FILE_CONFIG_FALSE=
 fi
 
+ if test x$capabilities = xlibcap; then
+  USE_LIBCAP_TRUE=
+  USE_LIBCAP_FALSE='#'
+else
+  USE_LIBCAP_TRUE='#'
+  USE_LIBCAP_FALSE=
+fi
+
  if test x$vstr = xtrue; then
   USE_VSTR_TRUE=
   USE_VSTR_FALSE='#'
@@ -16722,7 +16937,7 @@ if test x$mediation = xtrue; then
 	$as_echo "#define ME 1" >>confdefs.h
 
 fi
-if test x$capabilities = xlibcap; then
+if test x$capabilities = xlibcap -o x$capabilities = xnative; then
 	$as_echo "#define CAPABILITIES 1" >>confdefs.h
 
 fi
@@ -16733,7 +16948,7 @@ fi
 
 
 
-ac_config_files="$ac_config_files Makefile src/Makefile src/include/Makefile src/libstrongswan/Makefile src/libstrongswan/plugins/aes/Makefile src/libstrongswan/plugins/des/Makefile src/libstrongswan/plugins/blowfish/Makefile src/libstrongswan/plugins/md4/Makefile src/libstrongswan/plugins/md5/Makefile src/libstrongswan/plugins/sha1/Makefile src/libstrongswan/plugins/sha2/Makefile src/libstrongswan/plugins/fips_prf/Makefile src/libstrongswan/plugins/gmp/Makefile src/libstrongswan/plugins/random/Makefile src/libstrongswan/plugins/hmac/Makefile src/libstrongswan/plugins/xcbc/Makefile src/libstrongswan/plugins/x509/Makefile src/libstrongswan/plugins/pubkey/Makefile src/libstrongswan/plugins/pkcs1/Makefile src/libstrongswan/plugins/pgp/Makefile src/libstrongswan/plugins/dnskey/Makefile src/libstrongswan/plugins/pem/Makefile src/libstrongswan/plugins/curl/Makefile src/libstrongswan/plugins/ldap/Makefile src/libstrongswan/plugins/mysql/Makefile src/libstrongswan/plugins/sqlite/Makefile src/libstrongswan/plugins/padlock/Makefile src/libstrongswan/plugins/openssl/Makefile src/libstrongswan/plugins/gcrypt/Makefile src/libstrongswan/plugins/agent/Makefile src/libstrongswan/plugins/test_vectors/Makefile src/libhydra/Makefile src/libhydra/plugins/attr/Makefile src/libhydra/plugins/attr_sql/Makefile src/libfreeswan/Makefile src/libsimaka/Makefile src/pluto/Makefile src/whack/Makefile src/charon/Makefile src/libcharon/Makefile src/libcharon/plugins/eap_aka/Makefile src/libcharon/plugins/eap_aka_3gpp2/Makefile src/libcharon/plugins/eap_identity/Makefile src/libcharon/plugins/eap_md5/Makefile src/libcharon/plugins/eap_gtc/Makefile src/libcharon/plugins/eap_sim/Makefile src/libcharon/plugins/eap_sim_file/Makefile src/libcharon/plugins/eap_simaka_pseudonym/Makefile src/libcharon/plugins/eap_simaka_reauth/Makefile src/libcharon/plugins/eap_mschapv2/Makefile src/libcharon/plugins/eap_radius/Makefile src/libcharon/plugins/kernel_netlink/Makefile src/libcharon/plugins/kernel_pfkey/Makefile src/libcharon/plugins/kernel_pfroute/Makefile src/libcharon/plugins/kernel_klips/Makefile src/libcharon/plugins/socket_default/Makefile src/libcharon/plugins/socket_raw/Makefile src/libcharon/plugins/socket_dynamic/Makefile src/libcharon/plugins/farp/Makefile src/libcharon/plugins/smp/Makefile src/libcharon/plugins/sql/Makefile src/libcharon/plugins/medsrv/Makefile src/libcharon/plugins/medcli/Makefile src/libcharon/plugins/nm/Makefile src/libcharon/plugins/uci/Makefile src/libcharon/plugins/ha/Makefile src/libcharon/plugins/android/Makefile src/libcharon/plugins/stroke/Makefile src/libcharon/plugins/updown/Makefile src/libcharon/plugins/dhcp/Makefile src/libcharon/plugins/resolve/Makefile src/libcharon/plugins/unit_tester/Makefile src/libcharon/plugins/load_tester/Makefile src/stroke/Makefile src/ipsec/Makefile src/starter/Makefile src/_updown/Makefile src/_updown_espmark/Makefile src/_copyright/Makefile src/openac/Makefile src/scepclient/Makefile src/pki/Makefile src/dumm/Makefile src/dumm/ext/extconf.rb src/libfast/Makefile src/manager/Makefile src/medsrv/Makefile src/checksum/Makefile scripts/Makefile testing/Makefile"
+ac_config_files="$ac_config_files Makefile src/Makefile src/include/Makefile src/libstrongswan/Makefile src/libstrongswan/plugins/aes/Makefile src/libstrongswan/plugins/des/Makefile src/libstrongswan/plugins/blowfish/Makefile src/libstrongswan/plugins/md4/Makefile src/libstrongswan/plugins/md5/Makefile src/libstrongswan/plugins/sha1/Makefile src/libstrongswan/plugins/sha2/Makefile src/libstrongswan/plugins/fips_prf/Makefile src/libstrongswan/plugins/gmp/Makefile src/libstrongswan/plugins/random/Makefile src/libstrongswan/plugins/hmac/Makefile src/libstrongswan/plugins/xcbc/Makefile src/libstrongswan/plugins/x509/Makefile src/libstrongswan/plugins/revocation/Makefile src/libstrongswan/plugins/pubkey/Makefile src/libstrongswan/plugins/pkcs1/Makefile src/libstrongswan/plugins/pgp/Makefile src/libstrongswan/plugins/dnskey/Makefile src/libstrongswan/plugins/pem/Makefile src/libstrongswan/plugins/curl/Makefile src/libstrongswan/plugins/ldap/Makefile src/libstrongswan/plugins/mysql/Makefile src/libstrongswan/plugins/sqlite/Makefile src/libstrongswan/plugins/padlock/Makefile src/libstrongswan/plugins/openssl/Makefile src/libstrongswan/plugins/gcrypt/Makefile src/libstrongswan/plugins/agent/Makefile src/libstrongswan/plugins/test_vectors/Makefile src/libhydra/Makefile src/libhydra/plugins/attr/Makefile src/libhydra/plugins/attr_sql/Makefile src/libhydra/plugins/resolve/Makefile src/libfreeswan/Makefile src/libsimaka/Makefile src/pluto/Makefile src/pluto/plugins/xauth/Makefile src/whack/Makefile src/charon/Makefile src/libcharon/Makefile src/libcharon/plugins/eap_aka/Makefile src/libcharon/plugins/eap_aka_3gpp2/Makefile src/libcharon/plugins/eap_identity/Makefile src/libcharon/plugins/eap_md5/Makefile src/libcharon/plugins/eap_gtc/Makefile src/libcharon/plugins/eap_sim/Makefile src/libcharon/plugins/eap_sim_file/Makefile src/libcharon/plugins/eap_simaka_sql/Makefile src/libcharon/plugins/eap_simaka_pseudonym/Makefile src/libcharon/plugins/eap_simaka_reauth/Makefile src/libcharon/plugins/eap_mschapv2/Makefile src/libcharon/plugins/eap_radius/Makefile src/libcharon/plugins/kernel_netlink/Makefile src/libcharon/plugins/kernel_pfkey/Makefile src/libcharon/plugins/kernel_pfroute/Makefile src/libcharon/plugins/kernel_klips/Makefile src/libcharon/plugins/socket_default/Makefile src/libcharon/plugins/socket_raw/Makefile src/libcharon/plugins/socket_dynamic/Makefile src/libcharon/plugins/farp/Makefile src/libcharon/plugins/smp/Makefile src/libcharon/plugins/sql/Makefile src/libcharon/plugins/medsrv/Makefile src/libcharon/plugins/medcli/Makefile src/libcharon/plugins/nm/Makefile src/libcharon/plugins/addrblock/Makefile src/libcharon/plugins/uci/Makefile src/libcharon/plugins/ha/Makefile src/libcharon/plugins/android/Makefile src/libcharon/plugins/stroke/Makefile src/libcharon/plugins/updown/Makefile src/libcharon/plugins/dhcp/Makefile src/libcharon/plugins/unit_tester/Makefile src/libcharon/plugins/load_tester/Makefile src/stroke/Makefile src/ipsec/Makefile src/starter/Makefile src/_updown/Makefile src/_updown_espmark/Makefile src/_copyright/Makefile src/openac/Makefile src/scepclient/Makefile src/pki/Makefile src/dumm/Makefile src/dumm/ext/extconf.rb src/libfast/Makefile src/manager/Makefile src/medsrv/Makefile src/checksum/Makefile scripts/Makefile testing/Makefile"
 
 cat >confcache <<\_ACEOF
 # This file is a shell script that caches the results of configure
@@ -16941,6 +17156,10 @@ if test -z "${USE_X509_TRUE}" && test -z "${USE_X509_FALSE}"; then
   as_fn_error "conditional \"USE_X509\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
+if test -z "${USE_REVOCATION_TRUE}" && test -z "${USE_REVOCATION_FALSE}"; then
+  as_fn_error "conditional \"USE_REVOCATION\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
 if test -z "${USE_PUBKEY_TRUE}" && test -z "${USE_PUBKEY_FALSE}"; then
   as_fn_error "conditional \"USE_PUBKEY\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -16977,10 +17196,6 @@ if test -z "${USE_SQLITE_TRUE}" && test -z "${USE_SQLITE_FALSE}"; then
   as_fn_error "conditional \"USE_SQLITE\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
-if test -z "${USE_ATTR_SQL_TRUE}" && test -z "${USE_ATTR_SQL_FALSE}"; then
-  as_fn_error "conditional \"USE_ATTR_SQL\" was never defined.
-Usually this means the macro was only invoked conditionally." "$LINENO" 5
-fi
 if test -z "${USE_PADLOCK_TRUE}" && test -z "${USE_PADLOCK_FALSE}"; then
   as_fn_error "conditional \"USE_PADLOCK\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -17033,18 +17248,10 @@ if test -z "${USE_UPDOWN_TRUE}" && test -z "${USE_UPDOWN_FALSE}"; then
   as_fn_error "conditional \"USE_UPDOWN\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
-if test -z "${USE_ATTR_TRUE}" && test -z "${USE_ATTR_FALSE}"; then
-  as_fn_error "conditional \"USE_ATTR\" was never defined.
-Usually this means the macro was only invoked conditionally." "$LINENO" 5
-fi
 if test -z "${USE_DHCP_TRUE}" && test -z "${USE_DHCP_FALSE}"; then
   as_fn_error "conditional \"USE_DHCP\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
-if test -z "${USE_RESOLVE_TRUE}" && test -z "${USE_RESOLVE_FALSE}"; then
-  as_fn_error "conditional \"USE_RESOLVE\" was never defined.
-Usually this means the macro was only invoked conditionally." "$LINENO" 5
-fi
 if test -z "${USE_UNIT_TESTS_TRUE}" && test -z "${USE_UNIT_TESTS_FALSE}"; then
   as_fn_error "conditional \"USE_UNIT_TESTS\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -17065,6 +17272,10 @@ if test -z "${USE_EAP_SIM_FILE_TRUE}" && test -z "${USE_EAP_SIM_FILE_FALSE}"; th
   as_fn_error "conditional \"USE_EAP_SIM_FILE\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
+if test -z "${USE_EAP_SIMAKA_SQL_TRUE}" && test -z "${USE_EAP_SIMAKA_SQL_FALSE}"; then
+  as_fn_error "conditional \"USE_EAP_SIMAKA_SQL\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
 if test -z "${USE_EAP_SIMAKA_PSEUDONYM_TRUE}" && test -z "${USE_EAP_SIMAKA_PSEUDONYM_FALSE}"; then
   as_fn_error "conditional \"USE_EAP_SIMAKA_PSEUDONYM\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -17133,6 +17344,26 @@ if test -z "${USE_FARP_TRUE}" && test -z "${USE_FARP_FALSE}"; then
   as_fn_error "conditional \"USE_FARP\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
+if test -z "${USE_ADDRBLOCK_TRUE}" && test -z "${USE_ADDRBLOCK_FALSE}"; then
+  as_fn_error "conditional \"USE_ADDRBLOCK\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
+if test -z "${USE_ATTR_TRUE}" && test -z "${USE_ATTR_FALSE}"; then
+  as_fn_error "conditional \"USE_ATTR\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
+if test -z "${USE_ATTR_SQL_TRUE}" && test -z "${USE_ATTR_SQL_FALSE}"; then
+  as_fn_error "conditional \"USE_ATTR_SQL\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
+if test -z "${USE_RESOLVE_TRUE}" && test -z "${USE_RESOLVE_FALSE}"; then
+  as_fn_error "conditional \"USE_RESOLVE\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
+if test -z "${USE_XAUTH_TRUE}" && test -z "${USE_XAUTH_FALSE}"; then
+  as_fn_error "conditional \"USE_XAUTH\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
 if test -z "${USE_SMARTCARD_TRUE}" && test -z "${USE_SMARTCARD_FALSE}"; then
   as_fn_error "conditional \"USE_SMARTCARD\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -17181,8 +17412,8 @@ if test -z "${USE_INTEGRITY_TEST_TRUE}" && test -z "${USE_INTEGRITY_TEST_FALSE}"
   as_fn_error "conditional \"USE_INTEGRITY_TEST\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
-if test -z "${USE_CAPABILITIES_TRUE}" && test -z "${USE_CAPABILITIES_FALSE}"; then
-  as_fn_error "conditional \"USE_CAPABILITIES\" was never defined.
+if test -z "${USE_LOAD_WARNING_TRUE}" && test -z "${USE_LOAD_WARNING_FALSE}"; then
+  as_fn_error "conditional \"USE_LOAD_WARNING\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_PLUTO_TRUE}" && test -z "${USE_PLUTO_FALSE}"; then
@@ -17217,6 +17448,10 @@ if test -z "${USE_FILE_CONFIG_TRUE}" && test -z "${USE_FILE_CONFIG_FALSE}"; then
   as_fn_error "conditional \"USE_FILE_CONFIG\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
+if test -z "${USE_LIBCAP_TRUE}" && test -z "${USE_LIBCAP_FALSE}"; then
+  as_fn_error "conditional \"USE_LIBCAP\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
 if test -z "${USE_VSTR_TRUE}" && test -z "${USE_VSTR_FALSE}"; then
   as_fn_error "conditional \"USE_VSTR\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -17637,8 +17872,8 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by strongSwan $as_me 4.4.0, which was
-generated by GNU Autoconf 2.64.  Invocation command line was
+This file was extended by strongSwan $as_me 4.4.1, which was
+generated by GNU Autoconf 2.65.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
   CONFIG_HEADERS  = $CONFIG_HEADERS
@@ -17674,6 +17909,7 @@ Usage: $0 [OPTION]... [TAG]...
 
   -h, --help       print this help, then exit
   -V, --version    print version number and configuration settings, then exit
+      --config     print configuration, then exit
   -q, --quiet, --silent
                    do not print progress messages
   -d, --debug      don't remove temporary files
@@ -17691,10 +17927,11 @@ Report bugs to the package provider."
 
 _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
+ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-strongSwan config.status 4.4.0
-configured by $0, generated by GNU Autoconf 2.64,
-  with options \\"`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`\\"
+strongSwan config.status 4.4.1
+configured by $0, generated by GNU Autoconf 2.65,
+  with options \\"\$ac_cs_config\\"
 
 Copyright (C) 2009 Free Software Foundation, Inc.
 This config.status script is free software; the Free Software Foundation
@@ -17732,6 +17969,8 @@ do
     ac_cs_recheck=: ;;
   --version | --versio | --versi | --vers | --ver | --ve | --v | -V )
     $as_echo "$ac_cs_version"; exit ;;
+  --config | --confi | --conf | --con | --co | --c )
+    $as_echo "$ac_cs_config"; exit ;;
   --debug | --debu | --deb | --de | --d | -d )
     debug=: ;;
   --file | --fil | --fi | --f )
@@ -18076,6 +18315,7 @@ do
     "src/libstrongswan/plugins/hmac/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/hmac/Makefile" ;;
     "src/libstrongswan/plugins/xcbc/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/xcbc/Makefile" ;;
     "src/libstrongswan/plugins/x509/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/x509/Makefile" ;;
+    "src/libstrongswan/plugins/revocation/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/revocation/Makefile" ;;
     "src/libstrongswan/plugins/pubkey/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/pubkey/Makefile" ;;
     "src/libstrongswan/plugins/pkcs1/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/pkcs1/Makefile" ;;
     "src/libstrongswan/plugins/pgp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/pgp/Makefile" ;;
@@ -18093,9 +18333,11 @@ do
     "src/libhydra/Makefile") CONFIG_FILES="$CONFIG_FILES src/libhydra/Makefile" ;;
     "src/libhydra/plugins/attr/Makefile") CONFIG_FILES="$CONFIG_FILES src/libhydra/plugins/attr/Makefile" ;;
     "src/libhydra/plugins/attr_sql/Makefile") CONFIG_FILES="$CONFIG_FILES src/libhydra/plugins/attr_sql/Makefile" ;;
+    "src/libhydra/plugins/resolve/Makefile") CONFIG_FILES="$CONFIG_FILES src/libhydra/plugins/resolve/Makefile" ;;
     "src/libfreeswan/Makefile") CONFIG_FILES="$CONFIG_FILES src/libfreeswan/Makefile" ;;
     "src/libsimaka/Makefile") CONFIG_FILES="$CONFIG_FILES src/libsimaka/Makefile" ;;
     "src/pluto/Makefile") CONFIG_FILES="$CONFIG_FILES src/pluto/Makefile" ;;
+    "src/pluto/plugins/xauth/Makefile") CONFIG_FILES="$CONFIG_FILES src/pluto/plugins/xauth/Makefile" ;;
     "src/whack/Makefile") CONFIG_FILES="$CONFIG_FILES src/whack/Makefile" ;;
     "src/charon/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/Makefile" ;;
     "src/libcharon/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/Makefile" ;;
@@ -18106,6 +18348,7 @@ do
     "src/libcharon/plugins/eap_gtc/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/eap_gtc/Makefile" ;;
     "src/libcharon/plugins/eap_sim/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/eap_sim/Makefile" ;;
     "src/libcharon/plugins/eap_sim_file/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/eap_sim_file/Makefile" ;;
+    "src/libcharon/plugins/eap_simaka_sql/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/eap_simaka_sql/Makefile" ;;
     "src/libcharon/plugins/eap_simaka_pseudonym/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/eap_simaka_pseudonym/Makefile" ;;
     "src/libcharon/plugins/eap_simaka_reauth/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/eap_simaka_reauth/Makefile" ;;
     "src/libcharon/plugins/eap_mschapv2/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/eap_mschapv2/Makefile" ;;
@@ -18123,13 +18366,13 @@ do
     "src/libcharon/plugins/medsrv/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/medsrv/Makefile" ;;
     "src/libcharon/plugins/medcli/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/medcli/Makefile" ;;
     "src/libcharon/plugins/nm/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/nm/Makefile" ;;
+    "src/libcharon/plugins/addrblock/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/addrblock/Makefile" ;;
     "src/libcharon/plugins/uci/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/uci/Makefile" ;;
     "src/libcharon/plugins/ha/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/ha/Makefile" ;;
     "src/libcharon/plugins/android/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/android/Makefile" ;;
     "src/libcharon/plugins/stroke/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/stroke/Makefile" ;;
     "src/libcharon/plugins/updown/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/updown/Makefile" ;;
     "src/libcharon/plugins/dhcp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/dhcp/Makefile" ;;
-    "src/libcharon/plugins/resolve/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/resolve/Makefile" ;;
     "src/libcharon/plugins/unit_tester/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/unit_tester/Makefile" ;;
     "src/libcharon/plugins/load_tester/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/load_tester/Makefile" ;;
     "src/stroke/Makefile") CONFIG_FILES="$CONFIG_FILES src/stroke/Makefile" ;;
@@ -18251,7 +18494,7 @@ s/'"$ac_delim"'$//
 t delim
 :nl
 h
-s/\(.\{148\}\).*/\1/
+s/\(.\{148\}\)..*/\1/
 t more1
 s/["\\]/\\&/g; s/^/"/; s/$/\\n"\\/
 p
@@ -18265,7 +18508,7 @@ s/.\{148\}//
 t nl
 :delim
 h
-s/\(.\{148\}\).*/\1/
+s/\(.\{148\}\)..*/\1/
 t more2
 s/["\\]/\\&/g; s/^/"/; s/$/"/
 p
diff --git a/configure.in b/configure.in
index efcccbb42..d829071ea 100644
--- a/configure.in
+++ b/configure.in
@@ -16,7 +16,7 @@ dnl ===========================
 dnl  initialize & set some vars
 dnl ===========================
 
-AC_INIT(strongSwan,4.4.0)
+AC_INIT(strongSwan,4.4.1)
 AM_INIT_AUTOMAKE(tar-ustar)
 AC_CONFIG_MACRO_DIR([m4/config])
 PKG_PROG_PKG_CONFIG
@@ -40,7 +40,7 @@ ARG_WITH_SUBST([linux-headers],      [\${top_srcdir}/src/include], [set director
 ARG_WITH_SUBST([routing-table],      [220], [set routing table to use for IPsec routes])
 ARG_WITH_SUBST([routing-table-prio], [220], [set priority for IPsec routing table])
 
-ARG_WITH_SET([capabilities],         [no], [set capability dropping library. Currently only the value "libcap" is supported])
+ARG_WITH_SET([capabilities],         [no], [set capability dropping library. Currently supported values are "libcap" and "native"])
 ARG_WITH_SET([mpz_powm_sec],         [yes], [use the more side-channel resistant mpz_powm_sec in libgmp, if available])
 
 AC_ARG_WITH(
@@ -78,6 +78,7 @@ ARG_DISBL_SET([fips-prf],       [disable FIPS PRF software implementation plugin
 ARG_DISBL_SET([gmp],            [disable GNU MP (libgmp) based crypto implementation plugin.])
 ARG_DISBL_SET([random],         [disable RNG implementation on top of /dev/(u)random.])
 ARG_DISBL_SET([x509],           [disable X509 certificate implementation plugin.])
+ARG_DISBL_SET([revocation],     [disable X509 CRL/OCSP revocation check plugin.])
 ARG_DISBL_SET([pubkey],         [disable RAW public key support plugin.])
 ARG_DISBL_SET([pkcs1],          [disable PKCS1 key decoding plugin.])
 ARG_DISBL_SET([pgp],            [disable PGP key decoding plugin.])
@@ -101,6 +102,7 @@ ARG_ENABL_SET([unit-tests],     [enable unit tests on IKEv2 daemon startup.])
 ARG_ENABL_SET([load-tester],    [enable load testing plugin for IKEv2 daemon.])
 ARG_ENABL_SET([eap-sim],        [enable SIM authenication module for EAP.])
 ARG_ENABL_SET([eap-sim-file],   [enable EAP-SIM backend based on a triplet file.])
+ARG_ENABL_SET([eap-simaka-sql], [enable EAP-SIM/AKA backend based on a triplet/quintuplet SQL database.])
 ARG_ENABL_SET([eap-simaka-pseudonym], [enable EAP-SIM/AKA pseudonym storage plugin.])
 ARG_ENABL_SET([eap-simaka-reauth],    [enable EAP-SIM/AKA reauthentication data storage plugin.])
 ARG_ENABL_SET([eap-identity],   [enable EAP module providing EAP-Identity helper.])
@@ -126,7 +128,9 @@ ARG_ENABL_SET([fast],           [enable libfast (FastCGI Application Server w/ t
 ARG_ENABL_SET([manager],        [enable web management console (proof of concept).])
 ARG_ENABL_SET([mediation],      [enable IKEv2 Mediation Extension.])
 ARG_ENABL_SET([integrity-test], [enable integrity testing of libstrongswan and plugins.])
+ARG_DISBL_SET([load-warning],   [disable the charon/pluto plugin load option warning in starter.])
 ARG_DISBL_SET([pluto],          [disable the IKEv1 keying daemon pluto.])
+ARG_DISBL_SET([xauth],          [disable xauth plugin.])
 ARG_DISBL_SET([threads],        [disable the use of threads in pluto. Charon always uses threads.])
 ARG_DISBL_SET([charon],         [disable the IKEv2 keying daemon charon.])
 ARG_DISBL_SET([tools],          [disable additional utilities (openac, scepclient and pki).])
@@ -140,6 +144,7 @@ ARG_ENABL_SET([padlock],        [enables VIA Padlock crypto plugin.])
 ARG_ENABL_SET([openssl],        [enables the OpenSSL crypto plugin.])
 ARG_ENABL_SET([gcrypt],         [enables the libgcrypt plugin.])
 ARG_ENABL_SET([agent],          [enables the ssh-agent signing plugin.])
+ARG_ENABL_SET([addrblock],      [enables RFC 3779 address block constraint support.])
 ARG_ENABL_SET([uci],            [enable OpenWRT UCI configuration plugin.])
 ARG_ENABL_SET([android],        [enable Android specific plugin.])
 ARG_ENABL_SET([nm],             [enable NetworkManager plugin.])
@@ -334,6 +339,8 @@ LIBS=$saved_LIBS
 
 AC_CHECK_FUNCS(prctl)
 
+AC_CHECK_FUNCS(mallinfo)
+
 AC_CHECK_HEADERS(sys/sockio.h)
 AC_CHECK_HEADERS(net/pfkeyv2.h netipsec/ipsec.h netinet6/ipsec.h linux/udp.h)
 
@@ -572,7 +579,7 @@ if test x$openssl = xtrue; then
 fi
 
 if test x$gcrypt = xtrue; then
-	AC_HAVE_LIBRARY([gcrypt],[LIBS="$LIBS"],[AC_MSG_ERROR([gcrypt library not found])])
+	AC_HAVE_LIBRARY([gcrypt],[LIBS="$LIBS"],[AC_MSG_ERROR([gcrypt library not found])],[-lgpg-error])
 	AC_CHECK_HEADER([gcrypt.h],,[AC_MSG_ERROR([gcrypt header gcrypt.h not found!])])
 	AC_MSG_CHECKING([gcrypt CAMELLIA cipher])
 	AC_TRY_COMPILE(
@@ -611,9 +618,21 @@ if test x$eap_gtc = xtrue; then
 	AC_CHECK_HEADER([security/pam_appl.h],,[AC_MSG_ERROR([PAM header security/pam_appl.h not found!])])
 fi
 
+if test x$capabilities = xnative; then
+	AC_MSG_NOTICE([Usage of the native Linux capabilities interface is deprecated, use libcap instead])
+	dnl Linux requires the following for capset(), Android does not have it,
+	dnl but defines capset() in unistd.h instead.
+	AC_CHECK_HEADERS([sys/capability.h])
+	AC_CHECK_FUNC(capset,,[AC_MSG_ERROR([capset() not found!])])
+	AC_DEFINE(CAPABILITIES_NATIVE)
+fi
+
 if test x$capabilities = xlibcap; then
 	AC_HAVE_LIBRARY([cap],[LIBS="$LIBS"],[AC_MSG_ERROR([libcap library not found])])
-	AC_CHECK_HEADER([sys/capability.h],,[AC_MSG_ERROR([libcap header sys/capability.h not found!])])
+	AC_CHECK_HEADER([sys/capability.h],
+		[AC_DEFINE(HAVE_SYS_CAPABILITY_H)],
+		[AC_MSG_ERROR([libcap header sys/capability.h not found!])])
+	AC_DEFINE(CAPABILITIES_LIBCAP)
 fi
 
 if test x$integrity_test = xtrue; then
@@ -690,6 +709,9 @@ if test x$x509 = xtrue; then
 	libstrongswan_plugins=${libstrongswan_plugins}" x509"
 	pluto_plugins=${pluto_plugins}" x509"
 fi
+if test x$revocation = xtrue; then
+	libstrongswan_plugins=${libstrongswan_plugins}" revocation"
+fi
 if test x$pubkey = xtrue; then
 	libstrongswan_plugins=${libstrongswan_plugins}" pubkey"
 	pluto_plugins=${pluto_plugins}" pubkey"
@@ -746,13 +768,17 @@ if test x$gmp = xtrue; then
 	libstrongswan_plugins=${libstrongswan_plugins}" gmp"
 	pluto_plugins=${pluto_plugins}" gmp"
 fi
+if test x$xauth = xtrue; then
+	pluto_plugins=${pluto_plugins}" xauth"
+fi
 if test x$attr = xtrue; then
 	libhydra_plugins=${libhydra_plugins}" attr"
-	pluto_plugins=${pluto_plugins}" attr"
 fi
 if test x$attr_sql = xtrue -o x$sql = xtrue; then
 	libhydra_plugins=${libhydra_plugins}" attr-sql"
-	pluto_plugins=${pluto_plugins}" attr-sql"
+fi
+if test x$resolve = xtrue; then
+	libhydra_plugins=${libhydra_plugins}" resolve"
 fi
 
 AC_SUBST(libstrongswan_plugins)
@@ -779,6 +805,7 @@ AM_CONDITIONAL(USE_FIPS_PRF, test x$fips_prf = xtrue)
 AM_CONDITIONAL(USE_GMP, test x$gmp = xtrue)
 AM_CONDITIONAL(USE_RANDOM, test x$random = xtrue)
 AM_CONDITIONAL(USE_X509, test x$x509 = xtrue)
+AM_CONDITIONAL(USE_REVOCATION, test x$revocation = xtrue)
 AM_CONDITIONAL(USE_PUBKEY, test x$pubkey = xtrue)
 AM_CONDITIONAL(USE_PKCS1, test x$pkcs1 = xtrue)
 AM_CONDITIONAL(USE_PGP, test x$pgp = xtrue)
@@ -788,7 +815,6 @@ AM_CONDITIONAL(USE_HMAC, test x$hmac = xtrue)
 AM_CONDITIONAL(USE_XCBC, test x$xcbc = xtrue)
 AM_CONDITIONAL(USE_MYSQL, test x$mysql = xtrue)
 AM_CONDITIONAL(USE_SQLITE, test x$sqlite = xtrue)
-AM_CONDITIONAL(USE_ATTR_SQL, test x$attr_sql = xtrue -o x$sql = xtrue)
 AM_CONDITIONAL(USE_PADLOCK, test x$padlock = xtrue)
 AM_CONDITIONAL(USE_OPENSSL, test x$openssl = xtrue)
 AM_CONDITIONAL(USE_GCRYPT, test x$gcrypt = xtrue)
@@ -805,14 +831,13 @@ AM_CONDITIONAL(USE_ANDROID, test x$android = xtrue)
 AM_CONDITIONAL(USE_SMP, test x$smp = xtrue)
 AM_CONDITIONAL(USE_SQL, test x$sql = xtrue)
 AM_CONDITIONAL(USE_UPDOWN, test x$updown = xtrue)
-AM_CONDITIONAL(USE_ATTR, test x$attr = xtrue)
 AM_CONDITIONAL(USE_DHCP, test x$dhcp = xtrue)
-AM_CONDITIONAL(USE_RESOLVE, test x$resolve = xtrue)
 AM_CONDITIONAL(USE_UNIT_TESTS, test x$unit_tests = xtrue)
 AM_CONDITIONAL(USE_LOAD_TESTER, test x$load_tester = xtrue)
 AM_CONDITIONAL(USE_HA, test x$ha = xtrue)
 AM_CONDITIONAL(USE_EAP_SIM, test x$eap_sim = xtrue)
 AM_CONDITIONAL(USE_EAP_SIM_FILE, test x$eap_sim_file = xtrue)
+AM_CONDITIONAL(USE_EAP_SIMAKA_SQL, test x$eap_simaka_sql = xtrue)
 AM_CONDITIONAL(USE_EAP_SIMAKA_PSEUDONYM, test x$eap_simaka_pseudonym = xtrue)
 AM_CONDITIONAL(USE_EAP_SIMAKA_REAUTH, test x$eap_simaka_reauth = xtrue)
 AM_CONDITIONAL(USE_EAP_IDENTITY, test x$eap_identity = xtrue)
@@ -830,6 +855,17 @@ AM_CONDITIONAL(USE_SOCKET_DEFAULT, test x$socket_default = xtrue)
 AM_CONDITIONAL(USE_SOCKET_RAW, test x$socket_raw = xtrue)
 AM_CONDITIONAL(USE_SOCKET_DYNAMIC, test x$socket_dynamic = xtrue)
 AM_CONDITIONAL(USE_FARP, test x$farp = xtrue)
+AM_CONDITIONAL(USE_ADDRBLOCK, test x$addrblock = xtrue)
+
+dnl hydra plugins
+dnl =============
+AM_CONDITIONAL(USE_ATTR, test x$attr = xtrue)
+AM_CONDITIONAL(USE_ATTR_SQL, test x$attr_sql = xtrue -o x$sql = xtrue)
+AM_CONDITIONAL(USE_RESOLVE, test x$resolve = xtrue)
+
+dnl pluto plugins
+dnl =============
+AM_CONDITIONAL(USE_XAUTH, test x$xauth = xtrue)
 
 dnl other options
 dnl =============
@@ -845,7 +881,7 @@ AM_CONDITIONAL(USE_FAST, test x$fast = xtrue)
 AM_CONDITIONAL(USE_MANAGER, test x$manager = xtrue)
 AM_CONDITIONAL(USE_ME, test x$mediation = xtrue)
 AM_CONDITIONAL(USE_INTEGRITY_TEST, test x$integrity_test = xtrue)
-AM_CONDITIONAL(USE_CAPABILITIES, test x$capabilities = xlibcap)
+AM_CONDITIONAL(USE_LOAD_WARNING, test x$load_warning = xtrue)
 AM_CONDITIONAL(USE_PLUTO, test x$pluto = xtrue)
 AM_CONDITIONAL(USE_THREADS, test x$threads = xtrue)
 AM_CONDITIONAL(USE_CHARON, test x$charon = xtrue)
@@ -854,6 +890,7 @@ AM_CONDITIONAL(USE_SCRIPTS, test x$scripts = xtrue)
 AM_CONDITIONAL(USE_LIBSTRONGSWAN, test x$charon = xtrue -o x$pluto = xtrue -o x$tools = xtrue)
 AM_CONDITIONAL(USE_LIBHYDRA, test x$charon = xtrue -o x$pluto = xtrue)
 AM_CONDITIONAL(USE_FILE_CONFIG, test x$pluto = xtrue -o x$stroke = xtrue)
+AM_CONDITIONAL(USE_LIBCAP, test x$capabilities = xlibcap)
 AM_CONDITIONAL(USE_VSTR, test x$vstr = xtrue)
 AM_CONDITIONAL(USE_SIMAKA, test x$simaka = xtrue)
 AM_CONDITIONAL(MONOLITHIC, test x$monolithic = xtrue)
@@ -865,7 +902,7 @@ dnl ==============================
 if test x$mediation = xtrue; then
 	AC_DEFINE(ME)
 fi
-if test x$capabilities = xlibcap; then
+if test x$capabilities = xlibcap -o x$capabilities = xnative; then
 	AC_DEFINE(CAPABILITIES)
 fi
 if test x$monolithic = xtrue; then
@@ -895,6 +932,7 @@ AC_OUTPUT(
 	src/libstrongswan/plugins/hmac/Makefile
 	src/libstrongswan/plugins/xcbc/Makefile
 	src/libstrongswan/plugins/x509/Makefile
+	src/libstrongswan/plugins/revocation/Makefile
 	src/libstrongswan/plugins/pubkey/Makefile
 	src/libstrongswan/plugins/pkcs1/Makefile
 	src/libstrongswan/plugins/pgp/Makefile
@@ -912,9 +950,11 @@ AC_OUTPUT(
 	src/libhydra/Makefile
 	src/libhydra/plugins/attr/Makefile
 	src/libhydra/plugins/attr_sql/Makefile
+	src/libhydra/plugins/resolve/Makefile
 	src/libfreeswan/Makefile
 	src/libsimaka/Makefile
 	src/pluto/Makefile
+	src/pluto/plugins/xauth/Makefile
 	src/whack/Makefile
 	src/charon/Makefile
 	src/libcharon/Makefile
@@ -925,6 +965,7 @@ AC_OUTPUT(
 	src/libcharon/plugins/eap_gtc/Makefile
 	src/libcharon/plugins/eap_sim/Makefile
 	src/libcharon/plugins/eap_sim_file/Makefile
+	src/libcharon/plugins/eap_simaka_sql/Makefile
 	src/libcharon/plugins/eap_simaka_pseudonym/Makefile
 	src/libcharon/plugins/eap_simaka_reauth/Makefile
 	src/libcharon/plugins/eap_mschapv2/Makefile
@@ -942,13 +983,13 @@ AC_OUTPUT(
 	src/libcharon/plugins/medsrv/Makefile
 	src/libcharon/plugins/medcli/Makefile
 	src/libcharon/plugins/nm/Makefile
+	src/libcharon/plugins/addrblock/Makefile
 	src/libcharon/plugins/uci/Makefile
 	src/libcharon/plugins/ha/Makefile
 	src/libcharon/plugins/android/Makefile
 	src/libcharon/plugins/stroke/Makefile
 	src/libcharon/plugins/updown/Makefile
 	src/libcharon/plugins/dhcp/Makefile
-	src/libcharon/plugins/resolve/Makefile
 	src/libcharon/plugins/unit_tester/Makefile
 	src/libcharon/plugins/load_tester/Makefile
 	src/stroke/Makefile
diff --git a/ltmain.sh b/ltmain.sh
index 3506ead39..7ed280bc9 100644
--- a/ltmain.sh
+++ b/ltmain.sh
@@ -1,6 +1,6 @@
 # Generated from ltmain.m4sh.
 
-# ltmain.sh (GNU libtool) 2.2.6
+# ltmain.sh (GNU libtool) 2.2.6b
 # Written by Gordon Matzigkeit <gord@gnu.ai.mit.edu>, 1996
 
 # Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2003, 2004, 2005, 2006, 2007 2008 Free Software Foundation, Inc.
@@ -65,7 +65,7 @@
 #       compiler:		$LTCC
 #       compiler flags:		$LTCFLAGS
 #       linker:		$LD (gnu? $with_gnu_ld)
-#       $progname:		(GNU libtool) 2.2.6 Debian-2.2.6a-4
+#       $progname:		(GNU libtool) 2.2.6b Debian-2.2.6b-2ubuntu1
 #       automake:		$automake_version
 #       autoconf:		$autoconf_version
 #
@@ -73,9 +73,9 @@
 
 PROGRAM=ltmain.sh
 PACKAGE=libtool
-VERSION="2.2.6 Debian-2.2.6a-4"
+VERSION="2.2.6b Debian-2.2.6b-2ubuntu1"
 TIMESTAMP=""
-package_revision=1.3012
+package_revision=1.3017
 
 # Be Bourne compatible
 if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
diff --git a/m4/config/libtool.m4 b/m4/config/libtool.m4
index 1e7ea47c0..a3fee5360 100644
--- a/m4/config/libtool.m4
+++ b/m4/config/libtool.m4
@@ -2445,7 +2445,7 @@ linux*oldld* | linux*aout* | linux*coff*)
   ;;
 
 # This must be Linux ELF.
-linux* | k*bsd*-gnu)
+linux* | k*bsd*-gnu | kopensolaris*-gnu)
   version_type=linux
   need_lib_prefix=no
   need_version=no
@@ -3084,7 +3084,7 @@ irix5* | irix6* | nonstopux*)
   ;;
 
 # This must be Linux ELF.
-linux* | k*bsd*-gnu)
+linux* | k*bsd*-gnu | kopensolaris*-gnu)
   lt_cv_deplibs_check_method=pass_all
   ;;
 
@@ -3705,7 +3705,7 @@ m4_if([$1], [CXX], [
 	    ;;
 	esac
 	;;
-      linux* | k*bsd*-gnu)
+      linux* | k*bsd*-gnu | kopensolaris*-gnu)
 	case $cc_basename in
 	  KCC*)
 	    # KAI C++ Compiler
@@ -3989,7 +3989,7 @@ m4_if([$1], [CXX], [
       _LT_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
       ;;
 
-    linux* | k*bsd*-gnu)
+    linux* | k*bsd*-gnu | kopensolaris*-gnu)
       case $cc_basename in
       # old Intel for x86_64 which still supported -KPIC.
       ecc*)
@@ -4285,6 +4285,7 @@ dnl Note also adjust exclude_expsyms for C++ above.
     fi
     supports_anon_versioning=no
     case `$LD -v 2>&1` in
+      *GNU\ gold*) supports_anon_versioning=yes ;;
       *\ [[01]].* | *\ 2.[[0-9]].* | *\ 2.10.*) ;; # catch versions < 2.11
       *\ 2.11.93.0.2\ *) supports_anon_versioning=yes ;; # RH7.3 ...
       *\ 2.11.92.0.12\ *) supports_anon_versioning=yes ;; # Mandrake 8.2 ...
@@ -4376,7 +4377,7 @@ _LT_EOF
       _LT_TAGVAR(archive_expsym_cmds, $1)='sed "s,^,_," $export_symbols >$output_objdir/$soname.expsym~$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--retain-symbols-file,$output_objdir/$soname.expsym ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
       ;;
 
-    gnu* | linux* | tpf* | k*bsd*-gnu)
+    gnu* | linux* | tpf* | k*bsd*-gnu | kopensolaris*-gnu)
       tmp_diet=no
       if test "$host_os" = linux-dietlibc; then
 	case $cc_basename in
@@ -5860,7 +5861,7 @@ if test "$_lt_caught_CXX_error" != yes; then
         _LT_TAGVAR(inherit_rpath, $1)=yes
         ;;
 
-      linux* | k*bsd*-gnu)
+      linux* | k*bsd*-gnu | kopensolaris*-gnu)
         case $cc_basename in
           KCC*)
 	    # Kuck and Associates, Inc. (KAI) C++ Compiler
diff --git a/m4/config/ltversion.m4 b/m4/config/ltversion.m4
index b8e154fe6..f3c530980 100644
--- a/m4/config/ltversion.m4
+++ b/m4/config/ltversion.m4
@@ -9,15 +9,15 @@
 
 # Generated from ltversion.in.
 
-# serial 3012 ltversion.m4
+# serial 3017 ltversion.m4
 # This file is part of GNU Libtool
 
-m4_define([LT_PACKAGE_VERSION], [2.2.6])
-m4_define([LT_PACKAGE_REVISION], [1.3012])
+m4_define([LT_PACKAGE_VERSION], [2.2.6b])
+m4_define([LT_PACKAGE_REVISION], [1.3017])
 
 AC_DEFUN([LTVERSION_VERSION],
-[macro_version='2.2.6'
-macro_revision='1.3012'
+[macro_version='2.2.6b'
+macro_revision='1.3017'
 _LT_DECL(, macro_version, 0, [Which release of libtool.m4 was used?])
 _LT_DECL(, macro_revision, 0)
 ])
diff --git a/scripts/Makefile.in b/scripts/Makefile.in
index 6a75fa7ae..20e6df94c 100644
--- a/scripts/Makefile.in
+++ b/scripts/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
diff --git a/scripts/key2keyid.c b/scripts/key2keyid.c
index cd6ebc1ed..551d031c6 100644
--- a/scripts/key2keyid.c
+++ b/scripts/key2keyid.c
@@ -37,17 +37,17 @@ int main(int argc, char *argv[])
 		printf("parsed %d bits %N private key.\n",
 			   private->get_keysize(private)*8,
 			   key_type_names, private->get_type(private));
-		if (private->get_fingerprint(private, KEY_ID_PUBKEY_INFO_SHA1, &chunk))
+		if (private->get_fingerprint(private, KEYID_PUBKEY_INFO_SHA1, &chunk))
 		{
 			printf("subjectPublicKeyInfo keyid: %#B\n", &chunk);
 		}
-		if (private->get_fingerprint(private, KEY_ID_PUBKEY_SHA1, &chunk))
+		if (private->get_fingerprint(private, KEYID_PUBKEY_SHA1, &chunk))
 		{
 			printf("subjectPublicKey keyid:     %#B\n", &chunk);
 		}
-		if (private->get_fingerprint(private, KEY_ID_PGPV3, &chunk))
+		if (private->get_fingerprint(private, KEYID_PGPV3, &chunk))
 		{
-			printf("PGP verison 3 keyid:        %#B\n", &chunk);
+			printf("PGP version 3 keyid:        %#B\n", &chunk);
 		}
 		private->destroy(private);
 		return 0;
@@ -67,17 +67,17 @@ int main(int argc, char *argv[])
 		printf("parsed %d bits %N public key.\n",
 			   public->get_keysize(public)*8,
 			   key_type_names, public->get_type(public));
-		if (public->get_fingerprint(public, KEY_ID_PUBKEY_INFO_SHA1, &chunk))
+		if (public->get_fingerprint(public, KEYID_PUBKEY_INFO_SHA1, &chunk))
 		{
 			printf("subjectPublicKeyInfo keyid: %#B\n", &chunk);
 		}
-		if (public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1, &chunk))
+		if (public->get_fingerprint(public, KEYID_PUBKEY_SHA1, &chunk))
 		{
 			printf("subjectPublicKey keyid:     %#B\n", &chunk);
 		}
-		if (public->get_fingerprint(public, KEY_ID_PGPV3, &chunk))
+		if (public->get_fingerprint(public, KEYID_PGPV3, &chunk))
 		{
-			printf("PGP verison 3 keyid:        %#B\n", &chunk);
+			printf("PGP version 3 keyid:        %#B\n", &chunk);
 		}
 		public->destroy(public);
 		return 0;
diff --git a/scripts/keyid2sql.c b/scripts/keyid2sql.c
index 2d17c273d..e37303c08 100644
--- a/scripts/keyid2sql.c
+++ b/scripts/keyid2sql.c
@@ -34,7 +34,7 @@ int main(int argc, char *argv[])
 								 BUILD_END);
 	if (private)
 	{
-		if (private->get_fingerprint(private, KEY_ID_PUBKEY_SHA1, &chunk))
+		if (private->get_fingerprint(private, KEYID_PUBKEY_SHA1, &chunk))
 		{
 			printf("%d, X'", ID_KEY_ID);
 			for (n = 0; n < chunk.len; n++)
@@ -58,7 +58,7 @@ int main(int argc, char *argv[])
 	}
 	if (public)
 	{
-		if (public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1, &chunk))
+		if (public->get_fingerprint(public, KEYID_PUBKEY_SHA1, &chunk))
 		{
 			printf("%d, X'", ID_KEY_ID);
 			for (n = 0; n < chunk.len; n++)
diff --git a/src/Makefile.in b/src/Makefile.in
index 2a04c8b19..0bd728397 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -317,7 +317,7 @@ clean-libtool:
 #     (which will cause the Makefiles to be regenerated when you run `make');
 # (2) otherwise, pass the desired values on the `make' command line.
 $(RECURSIVE_TARGETS):
-	@failcom='exit 1'; \
+	@fail= failcom='exit 1'; \
 	for f in x $$MAKEFLAGS; do \
 	  case $$f in \
 	    *=* | --[!k]*);; \
@@ -342,7 +342,7 @@ $(RECURSIVE_TARGETS):
 	fi; test -z "$$fail"
 
 $(RECURSIVE_CLEAN_TARGETS):
-	@failcom='exit 1'; \
+	@fail= failcom='exit 1'; \
 	for f in x $$MAKEFLAGS; do \
 	  case $$f in \
 	    *=* | --[!k]*);; \
diff --git a/src/_copyright/Makefile.in b/src/_copyright/Makefile.in
index d4e1c157b..eb52fc52e 100644
--- a/src/_copyright/Makefile.in
+++ b/src/_copyright/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
diff --git a/src/_updown/Makefile.in b/src/_updown/Makefile.in
index cf153461d..73ecf1abb 100644
--- a/src/_updown/Makefile.in
+++ b/src/_updown/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
diff --git a/src/_updown/_updown.in b/src/_updown/_updown.in
index 2cc311665..430a0cff6 100644
--- a/src/_updown/_updown.in
+++ b/src/_updown/_updown.in
@@ -115,6 +115,19 @@
 #              is  the  UDP/TCP  port  to  which  the IPsec SA  is
 #              restricted on the peer side.
 #
+#       PLUTO_XAUTH_ID
+#              is an optional user ID employed by the XAUTH protocol
+#
+#       PLUTO_MARK_IN
+#              is an optional XFRM mark set on the inbound IPsec SA
+#
+#       PLUTO_MARK_OUT
+#              is an optional XFRM mark set on the outbound IPsec SA
+#
+#       PLUTO_ESP_ENC
+#              contains the remote UDP port in the case of ESP_IN_UDP
+#              encapsulation
+#
 
 # define a minimum PATH environment in case it is not set
 PATH="/sbin:/bin:/usr/sbin:/usr/bin:@sbindir@"
diff --git a/src/_updown_espmark/Makefile.in b/src/_updown_espmark/Makefile.in
index a4379b44c..10ea4312f 100644
--- a/src/_updown_espmark/Makefile.in
+++ b/src/_updown_espmark/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
diff --git a/src/_updown_espmark/_updown_espmark b/src/_updown_espmark/_updown_espmark
index 74de0722d..42cd3607b 100644
--- a/src/_updown_espmark/_updown_espmark
+++ b/src/_updown_espmark/_updown_espmark
@@ -115,6 +115,19 @@
 #              is  the  UDP/TCP  port  to  which  the IPsec SA  is
 #              restricted on the peer side.
 #
+#       PLUTO_XAUTH_ID
+#              is an optional user ID employed by the XAUTH protocol
+#
+#       PLUTO_MARK_IN
+#              is an optional XFRM mark set on the inbound IPsec SA
+#
+#       PLUTO_MARK_OUT
+#              is an optional XFRM mark set on the outbound IPsec SA
+#
+#       PLUTO_ESP_ENC
+#              contains the remote UDP port in the case of ESP_IN_UDP
+#              encapsulation
+#
 
 # logging of VPN connections
 #
diff --git a/src/charon/Makefile.in b/src/charon/Makefile.in
index 66690a37a..72abca97e 100644
--- a/src/charon/Makefile.in
+++ b/src/charon/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
diff --git a/src/charon/charon.c b/src/charon/charon.c
index 9b552fb62..84cd54615 100644
--- a/src/charon/charon.c
+++ b/src/charon/charon.c
@@ -38,11 +38,21 @@
 #include <utils/backtrace.h>
 #include <threading/thread.h>
 
+#ifdef ANDROID
+#include <private/android_filesystem_config.h>
+#endif
+
+
 /**
  * PID file, in which charon stores its process id
  */
 #define PID_FILE IPSEC_PIDDIR "/charon.pid"
 
+/**
+ * Global reference to PID file (required to truncate, if undeletable)
+ */
+static FILE *pidfile = NULL;
+
 /**
  * hook in library for debugging messages
  */
@@ -177,6 +187,9 @@ static bool lookup_uid_gid()
 		}
 		charon->gid = grp->gr_gid;
 	}
+#endif
+#ifdef ANDROID
+	charon->uid = AID_VPN;
 #endif
 	return TRUE;
 }
@@ -190,7 +203,7 @@ static void segv_handler(int signal)
 
 	DBG1(DBG_DMN, "thread %u received %d", thread_current_id(), signal);
 	backtrace = backtrace_create(2);
-	backtrace->log(backtrace, stderr);
+	backtrace->log(backtrace, stderr, TRUE);
 	backtrace->destroy(backtrace);
 
 	DBG1(DBG_DMN, "killing ourself, received critical signal");
@@ -203,22 +216,21 @@ static void segv_handler(int signal)
 static bool check_pidfile()
 {
 	struct stat stb;
-	FILE *file;
 
 	if (stat(PID_FILE, &stb) == 0)
 	{
-		file = fopen(PID_FILE, "r");
-		if (file)
+		pidfile = fopen(PID_FILE, "r");
+		if (pidfile)
 		{
 			char buf[64];
 			pid_t pid = 0;
 
 			memset(buf, 0, sizeof(buf));
-			if (fread(buf, 1, sizeof(buf), file))
+			if (fread(buf, 1, sizeof(buf), pidfile))
 			{
 				pid = atoi(buf);
 			}
-			fclose(file);
+			fclose(pidfile);
 			if (pid && kill(pid, 0) == 0)
 			{	/* such a process is running */
 				return TRUE;
@@ -229,16 +241,34 @@ static bool check_pidfile()
 	}
 
 	/* create new pidfile */
-	file = fopen(PID_FILE, "w");
-	if (file)
+	pidfile = fopen(PID_FILE, "w");
+	if (pidfile)
 	{
-		fprintf(file, "%d\n", getpid());
-		ignore_result(fchown(fileno(file), charon->uid, charon->gid));
-		fclose(file);
+		ignore_result(fchown(fileno(pidfile), charon->uid, charon->gid));
+		fprintf(pidfile, "%d\n", getpid());
+		fflush(pidfile);
 	}
 	return FALSE;
 }
 
+/**
+ * Delete/truncate the PID file
+ */
+static void unlink_pidfile()
+{
+	/* because unlinking the PID file may fail, we truncate it to ensure the
+	 * daemon can be properly restarted.  one probable cause for this is the
+	 * combination of not running as root and the effective user lacking
+	 * permissions on the parent dir(s) of the PID file */
+	if (pidfile)
+	{
+		ignore_result(ftruncate(fileno(pidfile), 0));
+		fclose(pidfile);
+	}
+	unlink(PID_FILE);
+}
+
+
 /**
  * print command line usage and exit
  */
@@ -258,7 +288,6 @@ static void usage(const char *msg)
 					"                                    2 = controlmore, 3 = raw, 4 = private)\n"
 					"\n"
 		   );
-	exit(msg == NULL? 0 : 1);
 }
 
 /**
@@ -337,7 +366,8 @@ int main(int argc, char *argv[])
 				break;
 			case 'h':
 				usage(NULL);
-				break;
+				status = 0;
+				goto deinit;
 			case 'v':
 				printf("Linux strongSwan %s\n", VERSION);
 				status = 0;
@@ -351,7 +381,8 @@ int main(int argc, char *argv[])
 				continue;
 			default:
 				usage("");
-				break;
+				status = 1;
+				goto deinit;
 		}
 		break;
 	}
@@ -405,7 +436,7 @@ int main(int argc, char *argv[])
 	run();
 
 	/* normal termination, cleanup and exit */
-	unlink(PID_FILE);
+	unlink_pidfile();
 	status = 0;
 
 deinit:
diff --git a/src/checksum/Makefile.am b/src/checksum/Makefile.am
index 27d615dab..ad2923799 100644
--- a/src/checksum/Makefile.am
+++ b/src/checksum/Makefile.am
@@ -19,6 +19,7 @@ AM_CFLAGS = -rdynamic
 libs =	$(shell find $(top_builddir)/src/libstrongswan \
 			$(top_builddir)/src/libcharon \
 			$(top_builddir)/src/libhydra \
+			$(top_builddir)/src/pluto \
 			-name 'libstrongswan*.so')
 
 if USE_LIBHYDRA
diff --git a/src/checksum/Makefile.in b/src/checksum/Makefile.in
index 3e0ab1e69..05e90a9a1 100644
--- a/src/checksum/Makefile.in
+++ b/src/checksum/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -288,8 +288,9 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan
 AM_CFLAGS = -rdynamic
 libs = $(shell find $(top_builddir)/src/libstrongswan \
 	$(top_builddir)/src/libcharon $(top_builddir)/src/libhydra \
-	-name 'libstrongswan*.so') $(am__append_1) $(am__append_2) \
-	$(am__append_3) $(am__append_4) $(am__append_5)
+	$(top_builddir)/src/pluto -name 'libstrongswan*.so') \
+	$(am__append_1) $(am__append_2) $(am__append_3) \
+	$(am__append_4) $(am__append_5)
 all: $(BUILT_SOURCES)
 	$(MAKE) $(AM_MAKEFLAGS) all-am
 
diff --git a/src/checksum/checksum_builder.c b/src/checksum/checksum_builder.c
index b68a25a19..2db68054e 100644
--- a/src/checksum/checksum_builder.c
+++ b/src/checksum/checksum_builder.c
@@ -20,6 +20,9 @@
 
 #include <library.h>
 
+/* we need to fake the pluto symbol to dlopen() the xauth plugin */
+void *pluto;
+
 int main(int argc, char* argv[])
 {
 	int i;
diff --git a/src/dumm/Makefile.in b/src/dumm/Makefile.in
index 36fdbff28..37751b856 100644
--- a/src/dumm/Makefile.in
+++ b/src/dumm/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
diff --git a/src/include/Makefile.in b/src/include/Makefile.in
index 720ba3a11..c47e6e451 100644
--- a/src/include/Makefile.in
+++ b/src/include/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
diff --git a/src/include/linux/xfrm.h b/src/include/linux/xfrm.h
index d28e85310..b971e3848 100644
--- a/src/include/linux/xfrm.h
+++ b/src/include/linux/xfrm.h
@@ -10,8 +10,7 @@
 /* Structure to encapsulate addresses. I do not want to use
  * "standard" structure. My apologies.
  */
-typedef union
-{
+typedef union {
 	__be32		a4;
 	__be32		a6[4];
 } xfrm_address_t;
@@ -20,8 +19,7 @@ typedef union
  * the state by (spi,daddr,ah/esp) or to store information about
  * spi, protocol and tunnel address on output.
  */
-struct xfrm_id
-{
+struct xfrm_id {
 	xfrm_address_t	daddr;
 	__be32		spi;
 	__u8		proto;
@@ -45,8 +43,7 @@ struct xfrm_sec_ctx {
 
 /* Selector, used as selector both on policy rules (SPD) and SAs. */
 
-struct xfrm_selector
-{
+struct xfrm_selector {
 	xfrm_address_t	daddr;
 	xfrm_address_t	saddr;
 	__be16	dport;
@@ -63,8 +60,7 @@ struct xfrm_selector
 
 #define XFRM_INF (~(__u64)0)
 
-struct xfrm_lifetime_cfg
-{
+struct xfrm_lifetime_cfg {
 	__u64	soft_byte_limit;
 	__u64	hard_byte_limit;
 	__u64	soft_packet_limit;
@@ -75,16 +71,14 @@ struct xfrm_lifetime_cfg
 	__u64	hard_use_expires_seconds;
 };
 
-struct xfrm_lifetime_cur
-{
+struct xfrm_lifetime_cur {
 	__u64	bytes;
 	__u64	packets;
 	__u64	add_time;
 	__u64	use_time;
 };
 
-struct xfrm_replay_state
-{
+struct xfrm_replay_state {
 	__u32	oseq;
 	__u32	seq;
 	__u32	bitmap;
@@ -116,16 +110,14 @@ struct xfrm_stats {
 	__u32	integrity_failed;
 };
 
-enum
-{
+enum {
 	XFRM_POLICY_TYPE_MAIN	= 0,
 	XFRM_POLICY_TYPE_SUB	= 1,
 	XFRM_POLICY_TYPE_MAX	= 2,
 	XFRM_POLICY_TYPE_ANY	= 255
 };
 
-enum
-{
+enum {
 	XFRM_POLICY_IN	= 0,
 	XFRM_POLICY_OUT	= 1,
 	XFRM_POLICY_FWD	= 2,
@@ -133,8 +125,7 @@ enum
 	XFRM_POLICY_MAX	= 3
 };
 
-enum
-{
+enum {
 	XFRM_SHARE_ANY,		/* No limitations */
 	XFRM_SHARE_SESSION,	/* For this session only */
 	XFRM_SHARE_USER,	/* For this user only */
@@ -276,8 +267,8 @@ enum xfrm_attr_type_t {
 	XFRMA_ALG_COMP,		/* struct xfrm_algo */
 	XFRMA_ENCAP,		/* struct xfrm_algo + struct xfrm_encap_tmpl */
 	XFRMA_TMPL,		/* 1 or more struct xfrm_user_tmpl */
-	XFRMA_SA,
-	XFRMA_POLICY,
+	XFRMA_SA,		/* struct xfrm_usersa_info  */
+	XFRMA_POLICY,		/*struct xfrm_userpolicy_info */
 	XFRMA_SEC_CTX,		/* struct xfrm_sec_ctx */
 	XFRMA_LTIME_VAL,
 	XFRMA_REPLAY_VAL,
@@ -285,17 +276,23 @@ enum xfrm_attr_type_t {
 	XFRMA_ETIMER_THRESH,
 	XFRMA_SRCADDR,		/* xfrm_address_t */
 	XFRMA_COADDR,		/* xfrm_address_t */
-	XFRMA_LASTUSED,
+	XFRMA_LASTUSED,		/* unsigned long  */
 	XFRMA_POLICY_TYPE,	/* struct xfrm_userpolicy_type */
 	XFRMA_MIGRATE,
 	XFRMA_ALG_AEAD,		/* struct xfrm_algo_aead */
 	XFRMA_KMADDRESS,        /* struct xfrm_user_kmaddress */
 	XFRMA_ALG_AUTH_TRUNC,	/* struct xfrm_algo_auth */
+	XFRMA_MARK,		/* struct xfrm_mark */
 	__XFRMA_MAX
 
 #define XFRMA_MAX (__XFRMA_MAX - 1)
 };
 
+struct xfrm_mark {
+	__u32           v; /* value */
+	__u32           m; /* mask */
+};
+
 enum xfrm_sadattr_type_t {
 	XFRMA_SAD_UNSPEC,
 	XFRMA_SAD_CNT,
diff --git a/src/ipsec/Makefile.am b/src/ipsec/Makefile.am
index f3ca1ca06..510f1021a 100644
--- a/src/ipsec/Makefile.am
+++ b/src/ipsec/Makefile.am
@@ -1,7 +1,12 @@
 sbin_SCRIPTS = ipsec
-CLEANFILES = ipsec
+CLEANFILES = ipsec ipsec.8
 dist_man8_MANS = ipsec.8
-EXTRA_DIST = ipsec.in
+EXTRA_DIST = ipsec.in ipsec.8.in
+
+ipsec.8 : ipsec.8.in
+	sed \
+	-e "s:@IPSEC_VERSION@:$(PACKAGE_VERSION):" \
+	$(srcdir)/$@.in > $@
 
 ipsec : ipsec.in
 	sed \
@@ -10,7 +15,7 @@ ipsec : ipsec.in
 	-e "s:@IPSEC_DISTRO@::" \
 	-e "s:@IPSEC_DIR@:$(ipsecdir):" \
 	-e "s:@IPSEC_SBINDIR@:$(sbindir):" \
-	-e "s:@IPSEC_CONFDIR@:$(confdir):" \
+	-e "s:@IPSEC_CONFDIR@:$(sysconfdir):" \
 	-e "s:@IPSEC_PIDDIR@:$(piddir):" \
 	$(srcdir)/$@.in > $@
 	chmod +x $@
diff --git a/src/ipsec/Makefile.in b/src/ipsec/Makefile.in
index 3834b672a..2b4b14b49 100644
--- a/src/ipsec/Makefile.in
+++ b/src/ipsec/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -236,9 +236,9 @@ urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 sbin_SCRIPTS = ipsec
-CLEANFILES = ipsec
+CLEANFILES = ipsec ipsec.8
 dist_man8_MANS = ipsec.8
-EXTRA_DIST = ipsec.in
+EXTRA_DIST = ipsec.in ipsec.8.in
 all: all-am
 
 .SUFFIXES:
@@ -513,6 +513,11 @@ uninstall-man: uninstall-man8
 	uninstall-sbinSCRIPTS
 
 
+ipsec.8 : ipsec.8.in
+	sed \
+	-e "s:@IPSEC_VERSION@:$(PACKAGE_VERSION):" \
+	$(srcdir)/$@.in > $@
+
 ipsec : ipsec.in
 	sed \
 	-e "s:@IPSEC_VERSION@:$(PACKAGE_VERSION):" \
@@ -520,7 +525,7 @@ ipsec : ipsec.in
 	-e "s:@IPSEC_DISTRO@::" \
 	-e "s:@IPSEC_DIR@:$(ipsecdir):" \
 	-e "s:@IPSEC_SBINDIR@:$(sbindir):" \
-	-e "s:@IPSEC_CONFDIR@:$(confdir):" \
+	-e "s:@IPSEC_CONFDIR@:$(sysconfdir):" \
 	-e "s:@IPSEC_PIDDIR@:$(piddir):" \
 	$(srcdir)/$@.in > $@
 	chmod +x $@
diff --git a/src/ipsec/ipsec.8 b/src/ipsec/ipsec.8
index 0cd9914cc..150fefc12 100644
--- a/src/ipsec/ipsec.8
+++ b/src/ipsec/ipsec.8
@@ -1,128 +1,23 @@
-.TH IPSEC 8 "9 February 2006"
+.TH IPSEC 8 "2010-05-30" "4.4.1rc3" "strongSwan"
 .SH NAME
 ipsec \- invoke IPsec utilities
 .SH SYNOPSIS
 .B ipsec
-command [ argument ...]
-.sp
-.B ipsec start|update|reload|restart|stop
-.sp
-.B ipsec up|down|route|unroute
-\fIconnectionname\fP
-.sp
-.B ipsec status|statusall
-[
-\fIconnectionname\fP
-]
-.sp
-.B ipsec listalgs|listpubkeys|listcerts
-[
-.B \-\-utc
-]
-.br
-.B ipsec listcacerts|listaacerts|listocspcerts
-[
-.B \-\-utc
-]
-.br
-.B ipsec listacerts|listgroups|listcainfos
-[
-.B \-\-utc
-]
-.br
-.B ipsec listcrls|listocsp|listcards|listall
-[
-.B \-\-utc
-]
-.sp
-.B ipsec rereadsecrets|rereadgroups
-.br
-.B ipsec rereadcacerts|rereadaacerts|rereadocspcerts
-.br
-.B ipsec rereadacerts|rereadcrls|rereadall
-.sp
-.B ipsec purgeocsp
-.sp
-.B ipsec
-[
-.B \-\-help
-] [
-.B \-\-version
-] [
-.B \-\-versioncode
-] [
-.B \-\-copyright
-]
-.br
-.B ipsec
-[
-.B \-\-directory
-] [
-.B \-\-confdir
-]
+\fIcommand\fP [ \fIarguments\fP ] [ \fIoptions\fP ]
+.PP
 .SH DESCRIPTION
-.I Ipsec
-invokes any of several utilities involved in controlling the IPsec
-encryption/authentication system,
-running the specified
-.I command
-with the specified
-.IR argument s
-as if it had been invoked directly.
-This largely eliminates possible name collisions with other software,
+The
+.B ipsec
+utility invokes any of several utilities involved in controlling and monitoring
+the IPsec encryption/authentication system, running the specified \fIcommand\fP
+with the specified \fIarguments\fP and \fIoptions\fP as if it had been invoked
+directly. This largely eliminates possible name collisions with other software,
 and also permits some centralized services.
 .PP
-The commands
-.BR start ,
-.BR update ,
-.BR reload ,
-.BR restart ,
-and
-.BR stop
-are built-in and are used to control the
-.BR "ipsec starter"
-utility, an extremely fast replacement for the traditional
-.BR ipsec
-.BR setup
-script.
-.PP
-The commands
-.BR up,
-.BR down,
-.BR route,
-.BR unroute,
-.BR status,
-.BR statusall,
-.BR listalgs,
-.BR listpubkeys,
-.BR listcerts,
-.BR listcacerts,
-.BR listaacerts,
-.BR listocspcerts,
-.BR listacerts,
-.BR listgroups,
-.BR listcainfos,
-.BR listcrls,
-.BR listocsp,
-.BR listcards,
-.BR listall,
-.BR rereadsecrets,
-.BR rereadgroups,
-.BR rereadcacerts,
-.BR rereadaacerts,
-.BR rereadocspcerts,
-.BR rereadacerts,
-.BR rereadcrls,
-and
-.BR rereadall
-are also built-in and completely replace the corresponding
-.BR "ipsec auto"
-\-\-\fIoperation\fP"
-commands. Communication with the pluto daemon happens via the
-.BR "ipsec whack"
-socket interface.
-.PP
-In particular,
+All the commands described in this manual page are built-in and are used to
+control and monitor IPsec connections as well as the IKE daemons.
+.PP
+For other commands
 .I ipsec
 supplies the invoked
 .I command
@@ -134,173 +29,243 @@ the full pathname of the directory where the IPsec utilities are stored,
 the full pathname of the directory where the configuration files live,
 and the IPsec version number.
 .PP
-.B "ipsec start"
+.SS CONTROL COMMANDS
+.TP
+.B "ipsec start [ starter options ]"
 calls
 .BR "ipsec starter"
-which in turn starts \fIpluto\fR.
+which in turn parses \fIipsec.conf\fR and starts the IKEv1 \fIpluto\fR and
+IKEv2 \fIcharon\fR daemons.
 .PP
+.TP
 .B "ipsec update"
 sends a \fIHUP\fR signal to
 .BR "ipsec starter"
 which in turn determines any changes in \fIipsec.conf\fR
-and updates the configuration on the running \fIpluto\fR daemon, correspondingly.
+and updates the configuration on the running IKEv1 \fIpluto\fR and IKEv2
+\fIcharon\fR daemons, correspondingly.
 .PP
+.TP
 .B "ipsec reload"
 sends a \fIUSR1\fR signal to
 .BR "ipsec starter"
-which in turn reloads the whole configuration on the running \fIpluto\fR daemon
-based on the actual \fIipsec.conf\fR.
+which in turn reloads the whole configuration on the running IKEv1 \fIpluto\fR
+and IKEv2 \fIcharon\fR daemons based on the actual \fIipsec.conf\fR.
 .PP
+.TP
 .B "ipsec restart"
-executes
+is equivalent to
 .B "ipsec stop"
 followed by
-.BR "ipsec start".
+.B "ipsec start"
+after a guard of 2 seconds.
 .PP
+.TP
 .B "ipsec stop"
-stops \fIipsec\fR by sending a \fITERM\fR signal to
+terminates all IPsec connections and stops the IKEv1 \fIpluto\fR and IKEv2
+\fIcharon\fR daemons by sending a \fITERM\fR signal to
 .BR "ipsec starter".
 .PP
-.B "ipsec up"
-\fIname\fP tells the \fIpluto\fP daemon to start up connection \fIname\fP.
+.TP
+.B "ipsec up \fIname\fP"
+tells the responsible IKE daemon to start up connection \fIname\fP.
+.PP
+.TP
+.B "ipsec down \fIname\fP"
+tells the responsible IKE daemon to terminate connection \fIname\fP.
+.PP
+.TP
+.B "ipsec down \fIname{n}\fP"
+terminates IKEv2 CHILD SA instance \fIn\fP of connection \fIname\fP.
 .PP
-.B "ipsec down"
-\fIname\fP tells the \fIpluto\fP daemon to take down connection \fIname\fP.
+.TP
+.B "ipsec down \fIname{*}\fP"
+terminates all IKEv2 CHILD SA instances of connection \fIname\fP.
 .PP
-.B "ipsec route"
-\fIname\fP tells the \fIpluto\fP daemon to install a route for connection
-\fIname\fP.
+.TP
+.B "ipsec down \fIname[n]\fP"
+terminates all IKEv2 IKE SA instance \fIn\fP of connection \fIname\fP.
 .PP
-.B "ipsec unroute"
-\fIname\fP tells the \fIpluto\fP daemon to take down the route for connection
-\fIname\fP.
+.TP
+.B "ipsec down \fIname[*]\fP"
+terminates all IKEv2 IKE SA instances of connection \fIname\fP.
 .PP
-.B "ipsec status"
-[ \fIname\fP ]  gives concise status information either on connection
-\fIname\fP or if the \fIname\fP argument is lacking, on all connections.
+.TP
+.B "ipsec route \fIname\fP"
+tells the responsible IKE daemon to insert an IPsec policy in the kernel
+for connection \fIname\fP. The first payload packet matching the IPsec policy
+will automatically trigger an IKE connection setup.
 .PP
-.B "ipsec statusall"
-[ \fIname\fP ]  gives detailed status information either on connection
-\fIname\fP or if the \fIname\fP argument is lacking, on all connections.
+.TP
+.B "ipsec unroute \fIname\fP"
+remove the IPsec policy in the kernel for connection \fIname\fP.
 .PP
+.TP
+.B "ipsec status [ \fIname\fP ]"
+returns concise status information either on connection
+\fIname\fP or if the argument is lacking, on all connections.
+.PP
+.TP
+.B "ipsec statusall [ \fIname\fP ]"
+returns detailed status information either on connection
+\fIname\fP or if the argument is lacking, on all connections.
+.PP
+.SS LIST COMMANDS
+.TP
 .B "ipsec listalgs"
 returns a list all supported IKE encryption and hash algorithms, the available
-Diffie-Hellman groups, as well as all supported ESP encryption and authentication
-algorithms.
+Diffie-Hellman groups, as well as all supported ESP encryption and
+authentication algorithms registered via the Linux kernel's Crypto API.
+.br
+Supported by the IKEv1 \fIpluto\fP daemon only.
 .PP
-.B "ipsec listpubkeys"
+.TP
+.B "ipsec listpubkeys [ --utc ]"
 returns a list of RSA public keys that were either loaded in raw key format
 or extracted from X.509 and|or OpenPGP certificates.
+.br
+Supported by the IKEv1 \fIpluto\fP daemon only.
 .PP
-.B "ipsec listcerts"
-returns a list of X.509 and|or OpenPGP certificates that were loaded locally
-by the \fIpluto\fP daemon.
+.TP
+.B "ipsec listcerts [ --utc ]"
+returns a list of X.509 and|or OpenPGP certificates that were either loaded
+locally by the IKE daemon or received via the IKEv2 protocol.
 .PP
-.B "ipsec listcacerts"
+.TP
+.B "ipsec listcacerts [ --utc ]"
 returns a list of X.509 Certification Authority (CA) certificates that were
-loaded locally by the \fIpluto\fP daemon from the \fI/etc/ipsec.d/cacerts/\fP
-directory or received in PKCS#7-wrapped certificate payloads via the  IKE
+loaded locally by the IKE daemon from the \fI/etc/ipsec.d/cacerts/\fP
+directory or received in PKCS#7-wrapped certificate payloads via the IKE
 protocol.
 .PP
-.B "ipsec listaacerts"
+.TP
+.B "ipsec listaacerts [ --utc ]"
 returns a list of X.509 Authorization Authority (AA) certificates that were
-loaded locally by the \fIpluto\fP daemon from the \fI/etc/ipsec.d/aacerts/\fP
+loaded locally by the IKE daemon from the \fI/etc/ipsec.d/aacerts/\fP
 directory.
 .PP
-.B "ipsec listocspcerts"
+.TP
+.B "ipsec listocspcerts [ --utc ]"
 returns a list of X.509 OCSP Signer certificates that were either loaded
-locally by the \fIpluto\fP daemon from the \fI/etc/ipsec.d/ocspcerts/\fP
+locally by the IKE daemon from the \fI/etc/ipsec.d/ocspcerts/\fP
 directory or were sent by an OCSP server.
 .PP
-.B "ipsec listacerts"
+.TP
+.B "ipsec listacerts [ --utc ]"
 returns a list of X.509 Attribute certificates that were loaded locally by
-the \fIpluto\fP daemon from the \fI/etc/ipsec.d/acerts/\fP directory.
+the IKE daemon from the \fI/etc/ipsec.d/acerts/\fP directory.
 .PP
-.B "ipsec listgroups"
+.TP
+.B "ipsec listgroups [ --utc ]"
 returns a list of groups that are used to define user authorization profiles.
+.br
+Supported by the IKEv1 \fIpluto\fP daemon only.
 .PP
-.B "ipsec listcainfos"
+.TP
+.B "ipsec listcainfos [ --utc ]"
 returns certification authority information (CRL distribution points, OCSP URIs,
 LDAP servers) that were defined by
 .BR ca
 sections in \fIipsec.conf\fP.
 .PP
-.B "ipsec listcrls"
-returns a list of Certificate Revocation Lists (CRLs).
+.TP
+.B "ipsec listcrls [ --utc ]"
+returns a list of Certificate Revocation Lists (CRLs) that were either loaded
+by the IKE daemon from the \fI/etc/ipsec.d/crls\fP directory or fetched from
+an HTTP- or LDAP-based CRL distribution point.
 .PP
-.B "ipsec listocsp"
+.TP
+.B "ipsec listocsp [ --utc ]"
 returns revocation information fetched from OCSP servers.
 .PP
-.B "ipsec listcards"
-returns a list of certificates residing on smartcards.
+.TP
+.B "ipsec listcards [ --utc ]"
+list all certificates found on attached smart cards.
+.br
+Supported by the IKEv1 \fIpluto\fP daemon only.
 .PP
-.B "ipsec listall"
+.TP
+.B "ipsec listall [ --utc ]"
 returns all information generated by the list commands above. Each list command 
 can be called with the
-\-\-url
+\fB\-\-utc\fP
 option which displays all dates in UTC instead of local time.
 .PP
+.SS REREAD COMMANDS
+.TP
 .B "ipsec rereadsecrets"
-flushes and rereads all secrets defined in \fIipsec.conf\fP.
+flushes and rereads all secrets defined in \fIipsec.secrets\fP.
 .PP
+.TP
 .B "ipsec rereadcacerts"
 reads all certificate files contained in the \fI/etc/ipsec.d/cacerts\fP
-directory and adds them to \fIpluto\fP's list of Certification Authority (CA) certificates.
+directory and adds them to the list of Certification Authority (CA)
+certificates.
 .PP
+.TP
 .B "ipsec rereadaacerts"
 reads all certificate files contained in the \fI/etc/ipsec.d/aacerts\fP
-directory and adds them to \fIpluto\fP's list of Authorization Authority (AA) certificates.
+directory and adds them to the list of Authorization Authority (AA)
+certificates.
 .PP
+.TP
 .B "ipsec rereadocspcerts" 
 reads all certificate files contained in the \fI/etc/ipsec.d/ocspcerts/\fP
-directory and adds them to \fIpluto\fP's list of OCSP signer certificates.
+directory and adds them to the list of OCSP signer certificates.
 .PP
+.TP
 .B "ipsec rereadacerts"
-operation reads all certificate files contained in the  \fI/etc/ipsec.d/acerts/\fP
-directory and adds them to \fIpluto\fP's list of attribute certificates.
+reads all certificate files contained in the  \fI/etc/ipsec.d/acerts/\fP
+directory and adds them to the list of attribute certificates.
 .PP
+.TP
 .B "ipsec rereadcrls"
 reads  all Certificate  Revocation Lists (CRLs) contained in the
-\fI/etc/ipsec.d/crls/\fP directory and adds them to \fIpluto\fP's list of CRLs.
+\fI/etc/ipsec.d/crls/\fP directory and adds them to the list of CRLs.
 .PP
+.TP
 .B "ipsec rereadall"
-is  equivalent  to  the  execution  of  \fBrereadsecrets\fP,
-\fBrereadcacerts\fP, \fBrereadaacerts\fP, \fBrereadocspcerts\fP,
-\fBrereadacerts\fP, and \fBrereadcrls\fP.
+executes all reread commands listed above.
+.PP
+.SS PURGE COMMANDS
+.TP
+.B "ipsec purgeike"
+purges IKEv2 SAs that don't have a CHILD SA.
 .PP
+.TP
+.B "ipsec purgeocsp"
+purges all cached OCSP information records.
+.PP
+.SS INFO COMMANDS
+.TP
 .B "ipsec \-\-help"
-lists the available commands.
-Most have their own manual pages, e.g.
-.IR ipsec_auto (8)
-for
-.IR auto .
+returns the usage information for the ipsec command.
 .PP
+.TP
 .B "ipsec \-\-version"
-outputs version information about Linux strongSwan.
-A version code of the form ``U\fIxxx\fR/K\fIyyy\fR''
-indicates that the user-level utilities are version \fIxxx\fR
-but the kernel portion appears to be version \fIyyy\fR
-(this form is used only if the two disagree).
+returns the version in the form of
+.B Linux strongSwan U<strongSwan userland version>/K<Linux kernel version>
+if strongSwan uses the native NETKEY IPsec stack of the Linux kernel it is
+running on.
 .PP
+.TP
 .B "ipsec \-\-versioncode"
-outputs \fIjust\fR the version code,
-with none of
-.BR \-\-version 's
-supporting information,
-for use by scripts.
+returns the version number in the form of
+.B U<strongSwan userland version>/K<Linux kernel version>
+if strongSwan uses the native NETKEY IPsec stack of the Linux kernel it is
+running on.
 .PP
+.TP
 .B "ipsec \-\-copyright"
-supplies boring copyright details.
+returns the copyright information.
 .PP
+.TP
 .B "ipsec \-\-directory"
-reports where
-.I ipsec
-thinks the IPsec utilities are stored.
+returns the \fILIBEXECDIR\fP directory as defined by the configure options.
 .PP
+.TP
 .B "ipsec \-\-confdir"
-reports where
-.I ipsec
-thinks the IPsec configuration files are stored.
+returns the \fISYSCONFDIR\fP directory as defined by the configure options.
 .SH FILES
 /usr/local/lib/ipsec	usual utilities directory
 .SH ENVIRONMENT
@@ -327,15 +292,11 @@ IPSEC_CHARON_PID	PID file for IKEv2 keying daemon
 .SH SEE ALSO
 .hy 0
 .na
-ipsec.conf(5), ipsec.secrets(5),
-ipsec_barf(8),
+ipsec.conf(5), ipsec.secrets(5)
 .ad
 .hy
 .PP
 .SH HISTORY
-Written for Linux FreeS/WAN
-<http://www.freeswan.org>
-by Henry Spencer.
-Updated and extended for Linux strongSwan
-<http://www.strongswan.org>
-by Andreas Steffen.
+Originally written for the FreeS/WAN project by Henry Spencer.
+Updated and extended for the strongSwan project <http://www.strongswan.org> by
+Tobias Brunner and Andreas Steffen.
diff --git a/src/ipsec/ipsec.8.in b/src/ipsec/ipsec.8.in
new file mode 100644
index 000000000..24a796392
--- /dev/null
+++ b/src/ipsec/ipsec.8.in
@@ -0,0 +1,302 @@
+.TH IPSEC 8 "2010-05-30" "@IPSEC_VERSION@" "strongSwan"
+.SH NAME
+ipsec \- invoke IPsec utilities
+.SH SYNOPSIS
+.B ipsec
+\fIcommand\fP [ \fIarguments\fP ] [ \fIoptions\fP ]
+.PP
+.SH DESCRIPTION
+The
+.B ipsec
+utility invokes any of several utilities involved in controlling and monitoring
+the IPsec encryption/authentication system, running the specified \fIcommand\fP
+with the specified \fIarguments\fP and \fIoptions\fP as if it had been invoked
+directly. This largely eliminates possible name collisions with other software,
+and also permits some centralized services.
+.PP
+All the commands described in this manual page are built-in and are used to
+control and monitor IPsec connections as well as the IKE daemons.
+.PP
+For other commands
+.I ipsec
+supplies the invoked
+.I command
+with a suitable PATH environment variable,
+and also provides IPSEC_DIR,
+IPSEC_CONFS, and IPSEC_VERSION environment variables,
+containing respectively
+the full pathname of the directory where the IPsec utilities are stored,
+the full pathname of the directory where the configuration files live,
+and the IPsec version number.
+.PP
+.SS CONTROL COMMANDS
+.TP
+.B "ipsec start [ starter options ]"
+calls
+.BR "ipsec starter"
+which in turn parses \fIipsec.conf\fR and starts the IKEv1 \fIpluto\fR and
+IKEv2 \fIcharon\fR daemons.
+.PP
+.TP
+.B "ipsec update"
+sends a \fIHUP\fR signal to
+.BR "ipsec starter"
+which in turn determines any changes in \fIipsec.conf\fR
+and updates the configuration on the running IKEv1 \fIpluto\fR and IKEv2
+\fIcharon\fR daemons, correspondingly.
+.PP
+.TP
+.B "ipsec reload"
+sends a \fIUSR1\fR signal to
+.BR "ipsec starter"
+which in turn reloads the whole configuration on the running IKEv1 \fIpluto\fR
+and IKEv2 \fIcharon\fR daemons based on the actual \fIipsec.conf\fR.
+.PP
+.TP
+.B "ipsec restart"
+is equivalent to
+.B "ipsec stop"
+followed by
+.B "ipsec start"
+after a guard of 2 seconds.
+.PP
+.TP
+.B "ipsec stop"
+terminates all IPsec connections and stops the IKEv1 \fIpluto\fR and IKEv2
+\fIcharon\fR daemons by sending a \fITERM\fR signal to
+.BR "ipsec starter".
+.PP
+.TP
+.B "ipsec up \fIname\fP"
+tells the responsible IKE daemon to start up connection \fIname\fP.
+.PP
+.TP
+.B "ipsec down \fIname\fP"
+tells the responsible IKE daemon to terminate connection \fIname\fP.
+.PP
+.TP
+.B "ipsec down \fIname{n}\fP"
+terminates IKEv2 CHILD SA instance \fIn\fP of connection \fIname\fP.
+.PP
+.TP
+.B "ipsec down \fIname{*}\fP"
+terminates all IKEv2 CHILD SA instances of connection \fIname\fP.
+.PP
+.TP
+.B "ipsec down \fIname[n]\fP"
+terminates all IKEv2 IKE SA instance \fIn\fP of connection \fIname\fP.
+.PP
+.TP
+.B "ipsec down \fIname[*]\fP"
+terminates all IKEv2 IKE SA instances of connection \fIname\fP.
+.PP
+.TP
+.B "ipsec route \fIname\fP"
+tells the responsible IKE daemon to insert an IPsec policy in the kernel
+for connection \fIname\fP. The first payload packet matching the IPsec policy
+will automatically trigger an IKE connection setup.
+.PP
+.TP
+.B "ipsec unroute \fIname\fP"
+remove the IPsec policy in the kernel for connection \fIname\fP.
+.PP
+.TP
+.B "ipsec status [ \fIname\fP ]"
+returns concise status information either on connection
+\fIname\fP or if the argument is lacking, on all connections.
+.PP
+.TP
+.B "ipsec statusall [ \fIname\fP ]"
+returns detailed status information either on connection
+\fIname\fP or if the argument is lacking, on all connections.
+.PP
+.SS LIST COMMANDS
+.TP
+.B "ipsec listalgs"
+returns a list all supported IKE encryption and hash algorithms, the available
+Diffie-Hellman groups, as well as all supported ESP encryption and
+authentication algorithms registered via the Linux kernel's Crypto API.
+.br
+Supported by the IKEv1 \fIpluto\fP daemon only.
+.PP
+.TP
+.B "ipsec listpubkeys [ --utc ]"
+returns a list of RSA public keys that were either loaded in raw key format
+or extracted from X.509 and|or OpenPGP certificates.
+.br
+Supported by the IKEv1 \fIpluto\fP daemon only.
+.PP
+.TP
+.B "ipsec listcerts [ --utc ]"
+returns a list of X.509 and|or OpenPGP certificates that were either loaded
+locally by the IKE daemon or received via the IKEv2 protocol.
+.PP
+.TP
+.B "ipsec listcacerts [ --utc ]"
+returns a list of X.509 Certification Authority (CA) certificates that were
+loaded locally by the IKE daemon from the \fI/etc/ipsec.d/cacerts/\fP
+directory or received in PKCS#7-wrapped certificate payloads via the IKE
+protocol.
+.PP
+.TP
+.B "ipsec listaacerts [ --utc ]"
+returns a list of X.509 Authorization Authority (AA) certificates that were
+loaded locally by the IKE daemon from the \fI/etc/ipsec.d/aacerts/\fP
+directory.
+.PP
+.TP
+.B "ipsec listocspcerts [ --utc ]"
+returns a list of X.509 OCSP Signer certificates that were either loaded
+locally by the IKE daemon from the \fI/etc/ipsec.d/ocspcerts/\fP
+directory or were sent by an OCSP server.
+.PP
+.TP
+.B "ipsec listacerts [ --utc ]"
+returns a list of X.509 Attribute certificates that were loaded locally by
+the IKE daemon from the \fI/etc/ipsec.d/acerts/\fP directory.
+.PP
+.TP
+.B "ipsec listgroups [ --utc ]"
+returns a list of groups that are used to define user authorization profiles.
+.br
+Supported by the IKEv1 \fIpluto\fP daemon only.
+.PP
+.TP
+.B "ipsec listcainfos [ --utc ]"
+returns certification authority information (CRL distribution points, OCSP URIs,
+LDAP servers) that were defined by
+.BR ca
+sections in \fIipsec.conf\fP.
+.PP
+.TP
+.B "ipsec listcrls [ --utc ]"
+returns a list of Certificate Revocation Lists (CRLs) that were either loaded
+by the IKE daemon from the \fI/etc/ipsec.d/crls\fP directory or fetched from
+an HTTP- or LDAP-based CRL distribution point.
+.PP
+.TP
+.B "ipsec listocsp [ --utc ]"
+returns revocation information fetched from OCSP servers.
+.PP
+.TP
+.B "ipsec listcards [ --utc ]"
+list all certificates found on attached smart cards.
+.br
+Supported by the IKEv1 \fIpluto\fP daemon only.
+.PP
+.TP
+.B "ipsec listall [ --utc ]"
+returns all information generated by the list commands above. Each list command 
+can be called with the
+\fB\-\-utc\fP
+option which displays all dates in UTC instead of local time.
+.PP
+.SS REREAD COMMANDS
+.TP
+.B "ipsec rereadsecrets"
+flushes and rereads all secrets defined in \fIipsec.secrets\fP.
+.PP
+.TP
+.B "ipsec rereadcacerts"
+reads all certificate files contained in the \fI/etc/ipsec.d/cacerts\fP
+directory and adds them to the list of Certification Authority (CA)
+certificates.
+.PP
+.TP
+.B "ipsec rereadaacerts"
+reads all certificate files contained in the \fI/etc/ipsec.d/aacerts\fP
+directory and adds them to the list of Authorization Authority (AA)
+certificates.
+.PP
+.TP
+.B "ipsec rereadocspcerts" 
+reads all certificate files contained in the \fI/etc/ipsec.d/ocspcerts/\fP
+directory and adds them to the list of OCSP signer certificates.
+.PP
+.TP
+.B "ipsec rereadacerts"
+reads all certificate files contained in the  \fI/etc/ipsec.d/acerts/\fP
+directory and adds them to the list of attribute certificates.
+.PP
+.TP
+.B "ipsec rereadcrls"
+reads  all Certificate  Revocation Lists (CRLs) contained in the
+\fI/etc/ipsec.d/crls/\fP directory and adds them to the list of CRLs.
+.PP
+.TP
+.B "ipsec rereadall"
+executes all reread commands listed above.
+.PP
+.SS PURGE COMMANDS
+.TP
+.B "ipsec purgeike"
+purges IKEv2 SAs that don't have a CHILD SA.
+.PP
+.TP
+.B "ipsec purgeocsp"
+purges all cached OCSP information records.
+.PP
+.SS INFO COMMANDS
+.TP
+.B "ipsec \-\-help"
+returns the usage information for the ipsec command.
+.PP
+.TP
+.B "ipsec \-\-version"
+returns the version in the form of
+.B Linux strongSwan U<strongSwan userland version>/K<Linux kernel version>
+if strongSwan uses the native NETKEY IPsec stack of the Linux kernel it is
+running on.
+.PP
+.TP
+.B "ipsec \-\-versioncode"
+returns the version number in the form of
+.B U<strongSwan userland version>/K<Linux kernel version>
+if strongSwan uses the native NETKEY IPsec stack of the Linux kernel it is
+running on.
+.PP
+.TP
+.B "ipsec \-\-copyright"
+returns the copyright information.
+.PP
+.TP
+.B "ipsec \-\-directory"
+returns the \fILIBEXECDIR\fP directory as defined by the configure options.
+.PP
+.TP
+.B "ipsec \-\-confdir"
+returns the \fISYSCONFDIR\fP directory as defined by the configure options.
+.SH FILES
+/usr/local/lib/ipsec	usual utilities directory
+.SH ENVIRONMENT
+.PP
+The following environment variables control where strongSwan finds its
+components.
+The
+.B ipsec
+command sets them if they are not already set.
+.nf
+.na
+
+IPSEC_DIR 		directory containing ipsec programs and utilities
+IPSEC_SBINDIR		directory containing \fBipsec\fP command
+IPSEC_CONFDIR 		directory containing configuration files
+IPSEC_PIDDIR		directory containing PID files
+IPSEC_NAME 		name of ipsec distribution
+IPSEC_VERSION 		version numer of ipsec userland and kernel
+IPSEC_STARTER_PID 	PID file for ipsec starter
+IPSEC_PLUTO_PID 	PID file for IKEv1 keying daemon
+IPSEC_CHARON_PID	PID file for IKEv2 keying daemon
+.ad
+.fi
+.SH SEE ALSO
+.hy 0
+.na
+ipsec.conf(5), ipsec.secrets(5)
+.ad
+.hy
+.PP
+.SH HISTORY
+Originally written for the FreeS/WAN project by Henry Spencer.
+Updated and extended for the strongSwan project <http://www.strongswan.org> by
+Tobias Brunner and Andreas Steffen.
diff --git a/src/libcharon/Android.mk b/src/libcharon/Android.mk
index d473b455e..3297654e9 100644
--- a/src/libcharon/Android.mk
+++ b/src/libcharon/Android.mk
@@ -12,7 +12,6 @@ config/child_cfg.c config/child_cfg.h \
 config/ike_cfg.c config/ike_cfg.h \
 config/peer_cfg.c config/peer_cfg.h \
 config/proposal.c config/proposal.h \
-config/auth_cfg.c config/auth_cfg.h \
 control/controller.c control/controller.h \
 daemon.c daemon.h \
 encoding/generator.c encoding/generator.h \
@@ -95,17 +94,13 @@ sa/tasks/ike_rekey.c sa/tasks/ike_rekey.h \
 sa/tasks/ike_reauth.c sa/tasks/ike_reauth.h \
 sa/tasks/ike_auth_lifetime.c sa/tasks/ike_auth_lifetime.h \
 sa/tasks/ike_vendor.c sa/tasks/ike_vendor.h \
-sa/tasks/task.c sa/tasks/task.h \
-credentials/credential_manager.c credentials/credential_manager.h \
-credentials/sets/auth_cfg_wrapper.c credentials/sets/auth_cfg_wrapper.h \
-credentials/sets/ocsp_response_wrapper.c credentials/sets/ocsp_response_wrapper.h \
-credentials/sets/cert_cache.c credentials/sets/cert_cache.h \
-credentials/credential_set.h
+sa/tasks/task.c sa/tasks/task.h
 
 # adding the plugin source files
 
 LOCAL_SRC_FILES += $(call add_plugin, android)
-ifneq ($(call plugin_enabled, android)),)
+ifneq ($(call plugin_enabled, android),)
+LOCAL_C_INCLUDES += frameworks/base/cmds/keystore
 LOCAL_SHARED_LIBRARIES += libcutils
 endif
 
@@ -114,7 +109,7 @@ LOCAL_SRC_FILES += $(call add_plugin, attr)
 LOCAL_SRC_FILES += $(call add_plugin, eap-aka)
 
 LOCAL_SRC_FILES += $(call add_plugin, eap-aka-3gpp2)
-ifneq ($(call plugin_enabled, eap-aka-3gpp2)),)
+ifneq ($(call plugin_enabled, eap-aka-3gpp2),)
 LOCAL_C_INCLUDES += $(libgmp_PATH)
 LOCAL_SHARED_LIBRARIES += libgmp
 endif
@@ -129,6 +124,8 @@ LOCAL_SRC_FILES += $(call add_plugin, eap-mschapv2)
 
 LOCAL_SRC_FILES += $(call add_plugin, eap-sim)
 
+LOCAL_SRC_FILES += $(call add_plugin, eap-simaka-sql)
+
 LOCAL_SRC_FILES += $(call add_plugin, eap-simaka-pseudonym)
 
 LOCAL_SRC_FILES += $(call add_plugin, eap-simaka-reauth)
@@ -146,6 +143,8 @@ endif
 
 LOCAL_SRC_FILES += $(call add_plugin, kernel-netlink)
 
+LOCAL_SRC_FILES += $(call add_plugin, kernel-pfkey)
+
 LOCAL_SRC_FILES += $(call add_plugin, load-tester)
 
 LOCAL_SRC_FILES += $(call add_plugin, socket-default)
diff --git a/src/libcharon/Makefile.am b/src/libcharon/Makefile.am
index 0eaccf7a0..44501c0d0 100644
--- a/src/libcharon/Makefile.am
+++ b/src/libcharon/Makefile.am
@@ -10,7 +10,6 @@ config/child_cfg.c config/child_cfg.h \
 config/ike_cfg.c config/ike_cfg.h \
 config/peer_cfg.c config/peer_cfg.h \
 config/proposal.c config/proposal.h \
-config/auth_cfg.c config/auth_cfg.h \
 control/controller.c control/controller.h \
 daemon.c daemon.h \
 encoding/generator.c encoding/generator.h \
@@ -93,12 +92,7 @@ sa/tasks/ike_rekey.c sa/tasks/ike_rekey.h \
 sa/tasks/ike_reauth.c sa/tasks/ike_reauth.h \
 sa/tasks/ike_auth_lifetime.c sa/tasks/ike_auth_lifetime.h \
 sa/tasks/ike_vendor.c sa/tasks/ike_vendor.h \
-sa/tasks/task.c sa/tasks/task.h \
-credentials/credential_manager.c credentials/credential_manager.h \
-credentials/sets/auth_cfg_wrapper.c credentials/sets/auth_cfg_wrapper.h \
-credentials/sets/ocsp_response_wrapper.c credentials/sets/ocsp_response_wrapper.h \
-credentials/sets/cert_cache.c credentials/sets/cert_cache.h \
-credentials/credential_set.h
+sa/tasks/task.c sa/tasks/task.h
 
 daemon.lo :		$(top_builddir)/config.status
 
@@ -128,7 +122,7 @@ if USE_ME
     sa/tasks/ike_me.c sa/tasks/ike_me.h
 endif
 
-if USE_CAPABILITIES
+if USE_LIBCAP
   libcharon_la_LIBADD += -lcap
 endif
 
@@ -271,6 +265,14 @@ if MONOLITHIC
 endif
 endif
 
+if USE_EAP_SIMAKA_SQL
+  SUBDIRS += plugins/eap_simaka_sql
+  PLUGINS += eap-simaka-sql
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/eap_simaka_sql/libstrongswan-eap-simaka-sql.la
+endif
+endif
+
 if USE_EAP_SIMAKA_PSEUDONYM
   SUBDIRS += plugins/eap_simaka_pseudonym
   PLUGINS += eap-simaka-pseudonym
@@ -374,14 +376,6 @@ if MONOLITHIC
 endif
 endif
 
-if USE_RESOLVE
-  SUBDIRS += plugins/resolve
-  PLUGINS += resolve
-if MONOLITHIC
-  libcharon_la_LIBADD += plugins/resolve/libstrongswan-resolve.la
-endif
-endif
-
 if USE_ANDROID
   SUBDIRS += plugins/android
   PLUGINS += android
@@ -406,6 +400,14 @@ if MONOLITHIC
 endif
 endif
 
+if USE_ADDRBLOCK
+  SUBDIRS += plugins/addrblock
+  PLUGINS += addrblock
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/uci/libstrongswan-addrblock.la
+endif
+endif
+
 if USE_UNIT_TESTS
   SUBDIRS += plugins/unit_tester
   PLUGINS += unit-tester
diff --git a/src/libcharon/Makefile.in b/src/libcharon/Makefile.in
index 0eb6f36f4..8e58b0e2e 100644
--- a/src/libcharon/Makefile.in
+++ b/src/libcharon/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -44,7 +44,7 @@ host_triplet = @host@
 @USE_ME_TRUE@    sa/mediation_manager.c sa/mediation_manager.h \
 @USE_ME_TRUE@    sa/tasks/ike_me.c sa/tasks/ike_me.h
 
-@USE_CAPABILITIES_TRUE@am__append_2 = -lcap
+@USE_LIBCAP_TRUE@am__append_2 = -lcap
 @USE_LOAD_TESTER_TRUE@am__append_3 = plugins/load_tester
 @USE_LOAD_TESTER_TRUE@am__append_4 = load-tester
 @MONOLITHIC_TRUE@@USE_LOAD_TESTER_TRUE@am__append_5 = plugins/load_tester/libstrongswan-load-tester.la
@@ -93,46 +93,46 @@ host_triplet = @host@
 @USE_EAP_SIM_FILE_TRUE@am__append_48 = plugins/eap_sim_file
 @USE_EAP_SIM_FILE_TRUE@am__append_49 = eap-sim-file
 @MONOLITHIC_TRUE@@USE_EAP_SIM_FILE_TRUE@am__append_50 = plugins/eap_sim_file/libstrongswan-eap-sim-file.la
-@USE_EAP_SIMAKA_PSEUDONYM_TRUE@am__append_51 = plugins/eap_simaka_pseudonym
-@USE_EAP_SIMAKA_PSEUDONYM_TRUE@am__append_52 = eap-simaka-pseudonym
-@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_PSEUDONYM_TRUE@am__append_53 = plugins/eap_simaka_pseudonym/libstrongswan-eap-simaka-pseudonym.la
-@USE_EAP_SIMAKA_REAUTH_TRUE@am__append_54 = plugins/eap_simaka_reauth
-@USE_EAP_SIMAKA_REAUTH_TRUE@am__append_55 = eap-simaka-reauth
-@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_REAUTH_TRUE@am__append_56 = plugins/eap_simaka_reauth/libstrongswan-eap-simaka-reauth.la
-@USE_EAP_AKA_TRUE@am__append_57 = plugins/eap_aka
-@USE_EAP_AKA_TRUE@am__append_58 = eap-aka
-@MONOLITHIC_TRUE@@USE_EAP_AKA_TRUE@am__append_59 = plugins/eap_aka/libstrongswan-eap-aka.la
-@USE_EAP_AKA_3GPP2_TRUE@am__append_60 = plugins/eap_aka_3gpp2
-@USE_EAP_AKA_3GPP2_TRUE@am__append_61 = eap-aka-3gpp2
-@MONOLITHIC_TRUE@@USE_EAP_AKA_3GPP2_TRUE@am__append_62 = plugins/eap_aka_3gpp2/libstrongswan-eap-aka-3gpp2.la
-@MONOLITHIC_TRUE@@USE_SIMAKA_TRUE@am__append_63 = $(top_builddir)/src/libsimaka/libsimaka.la
-@USE_EAP_MD5_TRUE@am__append_64 = plugins/eap_md5
-@USE_EAP_MD5_TRUE@am__append_65 = eap-md5
-@MONOLITHIC_TRUE@@USE_EAP_MD5_TRUE@am__append_66 = plugins/eap_md5/libstrongswan-eap-md5.la
-@USE_EAP_GTC_TRUE@am__append_67 = plugins/eap_gtc
-@USE_EAP_GTC_TRUE@am__append_68 = eap-gtc
-@MONOLITHIC_TRUE@@USE_EAP_GTC_TRUE@am__append_69 = plugins/eap_gtc/libstrongswan-eap-gtc.la
-@USE_EAP_MSCHAPV2_TRUE@am__append_70 = plugins/eap_mschapv2
-@USE_EAP_MSCHAPV2_TRUE@am__append_71 = eap-mschapv2
-@MONOLITHIC_TRUE@@USE_EAP_MSCHAPV2_TRUE@am__append_72 = plugins/eap_mschapv2/libstrongswan-eap-mschapv2.la
-@USE_EAP_RADIUS_TRUE@am__append_73 = plugins/eap_radius
-@USE_EAP_RADIUS_TRUE@am__append_74 = eap-radius
-@MONOLITHIC_TRUE@@USE_EAP_RADIUS_TRUE@am__append_75 = plugins/eap_radius/libstrongswan-eap-radius.la
-@USE_MEDSRV_TRUE@am__append_76 = plugins/medsrv
-@USE_MEDSRV_TRUE@am__append_77 = medsrv
-@MONOLITHIC_TRUE@@USE_MEDSRV_TRUE@am__append_78 = plugins/medsrv/libstrongswan-medsrv.la
-@USE_MEDCLI_TRUE@am__append_79 = plugins/medcli
-@USE_MEDCLI_TRUE@am__append_80 = medcli
-@MONOLITHIC_TRUE@@USE_MEDCLI_TRUE@am__append_81 = plugins/medcli/libstrongswan-medcli.la
-@USE_NM_TRUE@am__append_82 = plugins/nm
-@USE_NM_TRUE@am__append_83 = nm
-@MONOLITHIC_TRUE@@USE_NM_TRUE@am__append_84 = plugins/nm/libstrongswan-nm.la
-@USE_DHCP_TRUE@am__append_85 = plugins/dhcp
-@USE_DHCP_TRUE@am__append_86 = dhcp
-@MONOLITHIC_TRUE@@USE_DHCP_TRUE@am__append_87 = plugins/dhcp/libstrongswan-dhcp.la
-@USE_RESOLVE_TRUE@am__append_88 = plugins/resolve
-@USE_RESOLVE_TRUE@am__append_89 = resolve
-@MONOLITHIC_TRUE@@USE_RESOLVE_TRUE@am__append_90 = plugins/resolve/libstrongswan-resolve.la
+@USE_EAP_SIMAKA_SQL_TRUE@am__append_51 = plugins/eap_simaka_sql
+@USE_EAP_SIMAKA_SQL_TRUE@am__append_52 = eap-simaka-sql
+@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_SQL_TRUE@am__append_53 = plugins/eap_simaka_sql/libstrongswan-eap-simaka-sql.la
+@USE_EAP_SIMAKA_PSEUDONYM_TRUE@am__append_54 = plugins/eap_simaka_pseudonym
+@USE_EAP_SIMAKA_PSEUDONYM_TRUE@am__append_55 = eap-simaka-pseudonym
+@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_PSEUDONYM_TRUE@am__append_56 = plugins/eap_simaka_pseudonym/libstrongswan-eap-simaka-pseudonym.la
+@USE_EAP_SIMAKA_REAUTH_TRUE@am__append_57 = plugins/eap_simaka_reauth
+@USE_EAP_SIMAKA_REAUTH_TRUE@am__append_58 = eap-simaka-reauth
+@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_REAUTH_TRUE@am__append_59 = plugins/eap_simaka_reauth/libstrongswan-eap-simaka-reauth.la
+@USE_EAP_AKA_TRUE@am__append_60 = plugins/eap_aka
+@USE_EAP_AKA_TRUE@am__append_61 = eap-aka
+@MONOLITHIC_TRUE@@USE_EAP_AKA_TRUE@am__append_62 = plugins/eap_aka/libstrongswan-eap-aka.la
+@USE_EAP_AKA_3GPP2_TRUE@am__append_63 = plugins/eap_aka_3gpp2
+@USE_EAP_AKA_3GPP2_TRUE@am__append_64 = eap-aka-3gpp2
+@MONOLITHIC_TRUE@@USE_EAP_AKA_3GPP2_TRUE@am__append_65 = plugins/eap_aka_3gpp2/libstrongswan-eap-aka-3gpp2.la
+@MONOLITHIC_TRUE@@USE_SIMAKA_TRUE@am__append_66 = $(top_builddir)/src/libsimaka/libsimaka.la
+@USE_EAP_MD5_TRUE@am__append_67 = plugins/eap_md5
+@USE_EAP_MD5_TRUE@am__append_68 = eap-md5
+@MONOLITHIC_TRUE@@USE_EAP_MD5_TRUE@am__append_69 = plugins/eap_md5/libstrongswan-eap-md5.la
+@USE_EAP_GTC_TRUE@am__append_70 = plugins/eap_gtc
+@USE_EAP_GTC_TRUE@am__append_71 = eap-gtc
+@MONOLITHIC_TRUE@@USE_EAP_GTC_TRUE@am__append_72 = plugins/eap_gtc/libstrongswan-eap-gtc.la
+@USE_EAP_MSCHAPV2_TRUE@am__append_73 = plugins/eap_mschapv2
+@USE_EAP_MSCHAPV2_TRUE@am__append_74 = eap-mschapv2
+@MONOLITHIC_TRUE@@USE_EAP_MSCHAPV2_TRUE@am__append_75 = plugins/eap_mschapv2/libstrongswan-eap-mschapv2.la
+@USE_EAP_RADIUS_TRUE@am__append_76 = plugins/eap_radius
+@USE_EAP_RADIUS_TRUE@am__append_77 = eap-radius
+@MONOLITHIC_TRUE@@USE_EAP_RADIUS_TRUE@am__append_78 = plugins/eap_radius/libstrongswan-eap-radius.la
+@USE_MEDSRV_TRUE@am__append_79 = plugins/medsrv
+@USE_MEDSRV_TRUE@am__append_80 = medsrv
+@MONOLITHIC_TRUE@@USE_MEDSRV_TRUE@am__append_81 = plugins/medsrv/libstrongswan-medsrv.la
+@USE_MEDCLI_TRUE@am__append_82 = plugins/medcli
+@USE_MEDCLI_TRUE@am__append_83 = medcli
+@MONOLITHIC_TRUE@@USE_MEDCLI_TRUE@am__append_84 = plugins/medcli/libstrongswan-medcli.la
+@USE_NM_TRUE@am__append_85 = plugins/nm
+@USE_NM_TRUE@am__append_86 = nm
+@MONOLITHIC_TRUE@@USE_NM_TRUE@am__append_87 = plugins/nm/libstrongswan-nm.la
+@USE_DHCP_TRUE@am__append_88 = plugins/dhcp
+@USE_DHCP_TRUE@am__append_89 = dhcp
+@MONOLITHIC_TRUE@@USE_DHCP_TRUE@am__append_90 = plugins/dhcp/libstrongswan-dhcp.la
 @USE_ANDROID_TRUE@am__append_91 = plugins/android
 @USE_ANDROID_TRUE@am__append_92 = android
 @MONOLITHIC_TRUE@@USE_ANDROID_TRUE@am__append_93 = plugins/android/libstrongswan-android.la
@@ -142,9 +142,12 @@ host_triplet = @host@
 @USE_UCI_TRUE@am__append_97 = plugins/uci
 @USE_UCI_TRUE@am__append_98 = uci
 @MONOLITHIC_TRUE@@USE_UCI_TRUE@am__append_99 = plugins/uci/libstrongswan-uci.la
-@USE_UNIT_TESTS_TRUE@am__append_100 = plugins/unit_tester
-@USE_UNIT_TESTS_TRUE@am__append_101 = unit-tester
-@MONOLITHIC_TRUE@@USE_UNIT_TESTS_TRUE@am__append_102 = plugins/unit_tester/libstrongswan-unit-tester.la
+@USE_ADDRBLOCK_TRUE@am__append_100 = plugins/addrblock
+@USE_ADDRBLOCK_TRUE@am__append_101 = addrblock
+@MONOLITHIC_TRUE@@USE_ADDRBLOCK_TRUE@am__append_102 = plugins/uci/libstrongswan-addrblock.la
+@USE_UNIT_TESTS_TRUE@am__append_103 = plugins/unit_tester
+@USE_UNIT_TESTS_TRUE@am__append_104 = unit-tester
+@MONOLITHIC_TRUE@@USE_UNIT_TESTS_TRUE@am__append_105 = plugins/unit_tester/libstrongswan-unit-tester.la
 subdir = src/libcharon
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
@@ -194,11 +197,11 @@ libcharon_la_DEPENDENCIES = $(am__DEPENDENCIES_1) \
 	$(am__append_38) $(am__append_41) $(am__append_44) \
 	$(am__append_47) $(am__append_50) $(am__append_53) \
 	$(am__append_56) $(am__append_59) $(am__append_62) \
-	$(am__append_63) $(am__append_66) $(am__append_69) \
+	$(am__append_65) $(am__append_66) $(am__append_69) \
 	$(am__append_72) $(am__append_75) $(am__append_78) \
 	$(am__append_81) $(am__append_84) $(am__append_87) \
 	$(am__append_90) $(am__append_93) $(am__append_96) \
-	$(am__append_99) $(am__append_102)
+	$(am__append_99) $(am__append_102) $(am__append_105)
 am__libcharon_la_SOURCES_DIST = bus/bus.c bus/bus.h \
 	bus/listeners/listener.h bus/listeners/file_logger.c \
 	bus/listeners/file_logger.h bus/listeners/sys_logger.c \
@@ -206,11 +209,10 @@ am__libcharon_la_SOURCES_DIST = bus/bus.c bus/bus.h \
 	config/backend_manager.h config/backend.h config/child_cfg.c \
 	config/child_cfg.h config/ike_cfg.c config/ike_cfg.h \
 	config/peer_cfg.c config/peer_cfg.h config/proposal.c \
-	config/proposal.h config/auth_cfg.c config/auth_cfg.h \
-	control/controller.c control/controller.h daemon.c daemon.h \
-	encoding/generator.c encoding/generator.h encoding/message.c \
-	encoding/message.h encoding/parser.c encoding/parser.h \
-	encoding/payloads/auth_payload.c \
+	config/proposal.h control/controller.c control/controller.h \
+	daemon.c daemon.h encoding/generator.c encoding/generator.h \
+	encoding/message.c encoding/message.h encoding/parser.c \
+	encoding/parser.h encoding/payloads/auth_payload.c \
 	encoding/payloads/auth_payload.h \
 	encoding/payloads/cert_payload.c \
 	encoding/payloads/cert_payload.h \
@@ -311,14 +313,6 @@ am__libcharon_la_SOURCES_DIST = bus/bus.c bus/bus.h \
 	sa/tasks/ike_reauth.h sa/tasks/ike_auth_lifetime.c \
 	sa/tasks/ike_auth_lifetime.h sa/tasks/ike_vendor.c \
 	sa/tasks/ike_vendor.h sa/tasks/task.c sa/tasks/task.h \
-	credentials/credential_manager.c \
-	credentials/credential_manager.h \
-	credentials/sets/auth_cfg_wrapper.c \
-	credentials/sets/auth_cfg_wrapper.h \
-	credentials/sets/ocsp_response_wrapper.c \
-	credentials/sets/ocsp_response_wrapper.h \
-	credentials/sets/cert_cache.c credentials/sets/cert_cache.h \
-	credentials/credential_set.h \
 	encoding/payloads/endpoint_notify.c \
 	encoding/payloads/endpoint_notify.h \
 	processing/jobs/initiate_mediation_job.c \
@@ -332,32 +326,31 @@ am__libcharon_la_SOURCES_DIST = bus/bus.c bus/bus.h \
 @USE_ME_TRUE@	connect_manager.lo mediation_manager.lo ike_me.lo
 am_libcharon_la_OBJECTS = bus.lo file_logger.lo sys_logger.lo \
 	backend_manager.lo child_cfg.lo ike_cfg.lo peer_cfg.lo \
-	proposal.lo auth_cfg.lo controller.lo daemon.lo generator.lo \
-	message.lo parser.lo auth_payload.lo cert_payload.lo \
-	certreq_payload.lo configuration_attribute.lo cp_payload.lo \
-	delete_payload.lo eap_payload.lo encodings.lo \
-	encryption_payload.lo id_payload.lo ike_header.lo \
-	ke_payload.lo nonce_payload.lo notify_payload.lo payload.lo \
-	proposal_substructure.lo sa_payload.lo \
-	traffic_selector_substructure.lo transform_attribute.lo \
-	transform_substructure.lo ts_payload.lo unknown_payload.lo \
-	vendor_id_payload.lo kernel_interface.lo kernel_ipsec.lo \
-	packet.lo receiver.lo sender.lo socket_manager.lo \
-	acquire_job.lo callback_job.lo delete_child_sa_job.lo \
-	delete_ike_sa_job.lo migrate_job.lo process_message_job.lo \
-	rekey_child_sa_job.lo rekey_ike_sa_job.lo retransmit_job.lo \
-	send_dpd_job.lo send_keepalive_job.lo roam_job.lo \
-	update_sa_job.lo inactivity_job.lo scheduler.lo processor.lo \
-	authenticator.lo eap_authenticator.lo eap_method.lo \
-	eap_manager.lo sim_manager.lo psk_authenticator.lo \
-	pubkey_authenticator.lo child_sa.lo ike_sa.lo ike_sa_id.lo \
-	ike_sa_manager.lo task_manager.lo keymat.lo trap_manager.lo \
-	child_create.lo child_delete.lo child_rekey.lo ike_auth.lo \
-	ike_cert_pre.lo ike_cert_post.lo ike_config.lo ike_delete.lo \
-	ike_dpd.lo ike_init.lo ike_natd.lo ike_mobike.lo ike_rekey.lo \
+	proposal.lo controller.lo daemon.lo generator.lo message.lo \
+	parser.lo auth_payload.lo cert_payload.lo certreq_payload.lo \
+	configuration_attribute.lo cp_payload.lo delete_payload.lo \
+	eap_payload.lo encodings.lo encryption_payload.lo \
+	id_payload.lo ike_header.lo ke_payload.lo nonce_payload.lo \
+	notify_payload.lo payload.lo proposal_substructure.lo \
+	sa_payload.lo traffic_selector_substructure.lo \
+	transform_attribute.lo transform_substructure.lo ts_payload.lo \
+	unknown_payload.lo vendor_id_payload.lo kernel_interface.lo \
+	kernel_ipsec.lo packet.lo receiver.lo sender.lo \
+	socket_manager.lo acquire_job.lo callback_job.lo \
+	delete_child_sa_job.lo delete_ike_sa_job.lo migrate_job.lo \
+	process_message_job.lo rekey_child_sa_job.lo \
+	rekey_ike_sa_job.lo retransmit_job.lo send_dpd_job.lo \
+	send_keepalive_job.lo roam_job.lo update_sa_job.lo \
+	inactivity_job.lo scheduler.lo processor.lo authenticator.lo \
+	eap_authenticator.lo eap_method.lo eap_manager.lo \
+	sim_manager.lo psk_authenticator.lo pubkey_authenticator.lo \
+	child_sa.lo ike_sa.lo ike_sa_id.lo ike_sa_manager.lo \
+	task_manager.lo keymat.lo trap_manager.lo child_create.lo \
+	child_delete.lo child_rekey.lo ike_auth.lo ike_cert_pre.lo \
+	ike_cert_post.lo ike_config.lo ike_delete.lo ike_dpd.lo \
+	ike_init.lo ike_natd.lo ike_mobike.lo ike_rekey.lo \
 	ike_reauth.lo ike_auth_lifetime.lo ike_vendor.lo task.lo \
-	credential_manager.lo auth_cfg_wrapper.lo \
-	ocsp_response_wrapper.lo cert_cache.lo $(am__objects_1)
+	$(am__objects_1)
 libcharon_la_OBJECTS = $(am_libcharon_la_OBJECTS)
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
@@ -394,12 +387,12 @@ DIST_SUBDIRS = . plugins/load_tester plugins/kernel_pfkey \
 	plugins/socket_raw plugins/socket_dynamic plugins/farp \
 	plugins/stroke plugins/smp plugins/sql plugins/updown \
 	plugins/eap_identity plugins/eap_sim plugins/eap_sim_file \
-	plugins/eap_simaka_pseudonym plugins/eap_simaka_reauth \
-	plugins/eap_aka plugins/eap_aka_3gpp2 plugins/eap_md5 \
-	plugins/eap_gtc plugins/eap_mschapv2 plugins/eap_radius \
-	plugins/medsrv plugins/medcli plugins/nm plugins/dhcp \
-	plugins/resolve plugins/android plugins/ha plugins/uci \
-	plugins/unit_tester
+	plugins/eap_simaka_sql plugins/eap_simaka_pseudonym \
+	plugins/eap_simaka_reauth plugins/eap_aka \
+	plugins/eap_aka_3gpp2 plugins/eap_md5 plugins/eap_gtc \
+	plugins/eap_mschapv2 plugins/eap_radius plugins/medsrv \
+	plugins/medcli plugins/nm plugins/dhcp plugins/android \
+	plugins/ha plugins/uci plugins/addrblock plugins/unit_tester
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 am__relativize = \
   dir0=`pwd`; \
@@ -589,10 +582,9 @@ libcharon_la_SOURCES = bus/bus.c bus/bus.h bus/listeners/listener.h \
 	config/backend.h config/child_cfg.c config/child_cfg.h \
 	config/ike_cfg.c config/ike_cfg.h config/peer_cfg.c \
 	config/peer_cfg.h config/proposal.c config/proposal.h \
-	config/auth_cfg.c config/auth_cfg.h control/controller.c \
-	control/controller.h daemon.c daemon.h encoding/generator.c \
-	encoding/generator.h encoding/message.c encoding/message.h \
-	encoding/parser.c encoding/parser.h \
+	control/controller.c control/controller.h daemon.c daemon.h \
+	encoding/generator.c encoding/generator.h encoding/message.c \
+	encoding/message.h encoding/parser.c encoding/parser.h \
 	encoding/payloads/auth_payload.c \
 	encoding/payloads/auth_payload.h \
 	encoding/payloads/cert_payload.c \
@@ -694,14 +686,7 @@ libcharon_la_SOURCES = bus/bus.c bus/bus.h bus/listeners/listener.h \
 	sa/tasks/ike_reauth.h sa/tasks/ike_auth_lifetime.c \
 	sa/tasks/ike_auth_lifetime.h sa/tasks/ike_vendor.c \
 	sa/tasks/ike_vendor.h sa/tasks/task.c sa/tasks/task.h \
-	credentials/credential_manager.c \
-	credentials/credential_manager.h \
-	credentials/sets/auth_cfg_wrapper.c \
-	credentials/sets/auth_cfg_wrapper.h \
-	credentials/sets/ocsp_response_wrapper.c \
-	credentials/sets/ocsp_response_wrapper.h \
-	credentials/sets/cert_cache.c credentials/sets/cert_cache.h \
-	credentials/credential_set.h $(am__append_1)
+	$(am__append_1)
 INCLUDES = \
 	-I${linux_headers} \
 	-I$(top_srcdir)/src/libstrongswan \
@@ -718,11 +703,11 @@ libcharon_la_LIBADD = -lm $(PTHREADLIB) $(DLLIB) $(SOCKLIB) \
 	$(am__append_38) $(am__append_41) $(am__append_44) \
 	$(am__append_47) $(am__append_50) $(am__append_53) \
 	$(am__append_56) $(am__append_59) $(am__append_62) \
-	$(am__append_63) $(am__append_66) $(am__append_69) \
+	$(am__append_65) $(am__append_66) $(am__append_69) \
 	$(am__append_72) $(am__append_75) $(am__append_78) \
 	$(am__append_81) $(am__append_84) $(am__append_87) \
 	$(am__append_90) $(am__append_93) $(am__append_96) \
-	$(am__append_99) $(am__append_102)
+	$(am__append_99) $(am__append_102) $(am__append_105)
 EXTRA_DIST = Android.mk
 @MONOLITHIC_FALSE@SUBDIRS = . $(am__append_3) $(am__append_6) \
 @MONOLITHIC_FALSE@	$(am__append_9) $(am__append_12) \
@@ -734,13 +719,13 @@ EXTRA_DIST = Android.mk
 @MONOLITHIC_FALSE@	$(am__append_45) $(am__append_48) \
 @MONOLITHIC_FALSE@	$(am__append_51) $(am__append_54) \
 @MONOLITHIC_FALSE@	$(am__append_57) $(am__append_60) \
-@MONOLITHIC_FALSE@	$(am__append_64) $(am__append_67) \
+@MONOLITHIC_FALSE@	$(am__append_63) $(am__append_67) \
 @MONOLITHIC_FALSE@	$(am__append_70) $(am__append_73) \
 @MONOLITHIC_FALSE@	$(am__append_76) $(am__append_79) \
 @MONOLITHIC_FALSE@	$(am__append_82) $(am__append_85) \
 @MONOLITHIC_FALSE@	$(am__append_88) $(am__append_91) \
 @MONOLITHIC_FALSE@	$(am__append_94) $(am__append_97) \
-@MONOLITHIC_FALSE@	$(am__append_100)
+@MONOLITHIC_FALSE@	$(am__append_100) $(am__append_103)
 
 # build optional plugins
 ########################
@@ -754,13 +739,13 @@ EXTRA_DIST = Android.mk
 @MONOLITHIC_TRUE@	$(am__append_45) $(am__append_48) \
 @MONOLITHIC_TRUE@	$(am__append_51) $(am__append_54) \
 @MONOLITHIC_TRUE@	$(am__append_57) $(am__append_60) \
-@MONOLITHIC_TRUE@	$(am__append_64) $(am__append_67) \
+@MONOLITHIC_TRUE@	$(am__append_63) $(am__append_67) \
 @MONOLITHIC_TRUE@	$(am__append_70) $(am__append_73) \
 @MONOLITHIC_TRUE@	$(am__append_76) $(am__append_79) \
 @MONOLITHIC_TRUE@	$(am__append_82) $(am__append_85) \
 @MONOLITHIC_TRUE@	$(am__append_88) $(am__append_91) \
 @MONOLITHIC_TRUE@	$(am__append_94) $(am__append_97) \
-@MONOLITHIC_TRUE@	$(am__append_100)
+@MONOLITHIC_TRUE@	$(am__append_100) $(am__append_103)
 PLUGINS = ${libstrongswan_plugins} ${libhydra_plugins} $(am__append_4) \
 	$(am__append_7) $(am__append_10) $(am__append_13) \
 	$(am__append_16) $(am__append_19) $(am__append_22) \
@@ -768,11 +753,11 @@ PLUGINS = ${libstrongswan_plugins} ${libhydra_plugins} $(am__append_4) \
 	$(am__append_34) $(am__append_37) $(am__append_40) \
 	$(am__append_43) $(am__append_46) $(am__append_49) \
 	$(am__append_52) $(am__append_55) $(am__append_58) \
-	$(am__append_61) $(am__append_65) $(am__append_68) \
+	$(am__append_61) $(am__append_64) $(am__append_68) \
 	$(am__append_71) $(am__append_74) $(am__append_77) \
 	$(am__append_80) $(am__append_83) $(am__append_86) \
 	$(am__append_89) $(am__append_92) $(am__append_95) \
-	$(am__append_98) $(am__append_101)
+	$(am__append_98) $(am__append_101) $(am__append_104)
 all: all-recursive
 
 .SUFFIXES:
@@ -848,14 +833,11 @@ distclean-compile:
 	-rm -f *.tab.c
 
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/acquire_job.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/auth_cfg.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/auth_cfg_wrapper.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/auth_payload.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/authenticator.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/backend_manager.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bus.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/callback_job.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cert_cache.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cert_payload.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/certreq_payload.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/child_cfg.Plo@am__quote@
@@ -867,7 +849,6 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/connect_manager.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/controller.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cp_payload.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/credential_manager.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/daemon.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/delete_child_sa_job.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/delete_ike_sa_job.Plo@am__quote@
@@ -913,7 +894,6 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/migrate_job.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/nonce_payload.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/notify_payload.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ocsp_response_wrapper.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/packet.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/parser.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/payload.Plo@am__quote@
@@ -1025,13 +1005,6 @@ proposal.lo: config/proposal.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o proposal.lo `test -f 'config/proposal.c' || echo '$(srcdir)/'`config/proposal.c
 
-auth_cfg.lo: config/auth_cfg.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT auth_cfg.lo -MD -MP -MF $(DEPDIR)/auth_cfg.Tpo -c -o auth_cfg.lo `test -f 'config/auth_cfg.c' || echo '$(srcdir)/'`config/auth_cfg.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/auth_cfg.Tpo $(DEPDIR)/auth_cfg.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='config/auth_cfg.c' object='auth_cfg.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o auth_cfg.lo `test -f 'config/auth_cfg.c' || echo '$(srcdir)/'`config/auth_cfg.c
-
 controller.lo: control/controller.c
 @am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT controller.lo -MD -MP -MF $(DEPDIR)/controller.Tpo -c -o controller.lo `test -f 'control/controller.c' || echo '$(srcdir)/'`control/controller.c
 @am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/controller.Tpo $(DEPDIR)/controller.Plo
@@ -1592,34 +1565,6 @@ task.lo: sa/tasks/task.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o task.lo `test -f 'sa/tasks/task.c' || echo '$(srcdir)/'`sa/tasks/task.c
 
-credential_manager.lo: credentials/credential_manager.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT credential_manager.lo -MD -MP -MF $(DEPDIR)/credential_manager.Tpo -c -o credential_manager.lo `test -f 'credentials/credential_manager.c' || echo '$(srcdir)/'`credentials/credential_manager.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/credential_manager.Tpo $(DEPDIR)/credential_manager.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='credentials/credential_manager.c' object='credential_manager.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o credential_manager.lo `test -f 'credentials/credential_manager.c' || echo '$(srcdir)/'`credentials/credential_manager.c
-
-auth_cfg_wrapper.lo: credentials/sets/auth_cfg_wrapper.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT auth_cfg_wrapper.lo -MD -MP -MF $(DEPDIR)/auth_cfg_wrapper.Tpo -c -o auth_cfg_wrapper.lo `test -f 'credentials/sets/auth_cfg_wrapper.c' || echo '$(srcdir)/'`credentials/sets/auth_cfg_wrapper.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/auth_cfg_wrapper.Tpo $(DEPDIR)/auth_cfg_wrapper.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='credentials/sets/auth_cfg_wrapper.c' object='auth_cfg_wrapper.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o auth_cfg_wrapper.lo `test -f 'credentials/sets/auth_cfg_wrapper.c' || echo '$(srcdir)/'`credentials/sets/auth_cfg_wrapper.c
-
-ocsp_response_wrapper.lo: credentials/sets/ocsp_response_wrapper.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ocsp_response_wrapper.lo -MD -MP -MF $(DEPDIR)/ocsp_response_wrapper.Tpo -c -o ocsp_response_wrapper.lo `test -f 'credentials/sets/ocsp_response_wrapper.c' || echo '$(srcdir)/'`credentials/sets/ocsp_response_wrapper.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ocsp_response_wrapper.Tpo $(DEPDIR)/ocsp_response_wrapper.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='credentials/sets/ocsp_response_wrapper.c' object='ocsp_response_wrapper.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ocsp_response_wrapper.lo `test -f 'credentials/sets/ocsp_response_wrapper.c' || echo '$(srcdir)/'`credentials/sets/ocsp_response_wrapper.c
-
-cert_cache.lo: credentials/sets/cert_cache.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cert_cache.lo -MD -MP -MF $(DEPDIR)/cert_cache.Tpo -c -o cert_cache.lo `test -f 'credentials/sets/cert_cache.c' || echo '$(srcdir)/'`credentials/sets/cert_cache.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/cert_cache.Tpo $(DEPDIR)/cert_cache.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='credentials/sets/cert_cache.c' object='cert_cache.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cert_cache.lo `test -f 'credentials/sets/cert_cache.c' || echo '$(srcdir)/'`credentials/sets/cert_cache.c
-
 endpoint_notify.lo: encoding/payloads/endpoint_notify.c
 @am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT endpoint_notify.lo -MD -MP -MF $(DEPDIR)/endpoint_notify.Tpo -c -o endpoint_notify.lo `test -f 'encoding/payloads/endpoint_notify.c' || echo '$(srcdir)/'`encoding/payloads/endpoint_notify.c
 @am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/endpoint_notify.Tpo $(DEPDIR)/endpoint_notify.Plo
@@ -1675,7 +1620,7 @@ clean-libtool:
 #     (which will cause the Makefiles to be regenerated when you run `make');
 # (2) otherwise, pass the desired values on the `make' command line.
 $(RECURSIVE_TARGETS):
-	@failcom='exit 1'; \
+	@fail= failcom='exit 1'; \
 	for f in x $$MAKEFLAGS; do \
 	  case $$f in \
 	    *=* | --[!k]*);; \
@@ -1700,7 +1645,7 @@ $(RECURSIVE_TARGETS):
 	fi; test -z "$$fail"
 
 $(RECURSIVE_CLEAN_TARGETS):
-	@failcom='exit 1'; \
+	@fail= failcom='exit 1'; \
 	for f in x $$MAKEFLAGS; do \
 	  case $$f in \
 	    *=* | --[!k]*);; \
diff --git a/src/libcharon/bus/bus.c b/src/libcharon/bus/bus.c
index 764744a41..441009e5e 100644
--- a/src/libcharon/bus/bus.c
+++ b/src/libcharon/bus/bus.c
@@ -102,20 +102,16 @@ static void entry_destroy(entry_t *entry)
 	free(entry);
 }
 
-/**
- * Implementation of bus_t.add_listener.
- */
-static void add_listener(private_bus_t *this, listener_t *listener)
+METHOD(bus_t, add_listener, void,
+	private_bus_t *this, listener_t *listener)
 {
 	this->mutex->lock(this->mutex);
 	this->listeners->insert_last(this->listeners, entry_create(listener, FALSE));
 	this->mutex->unlock(this->mutex);
 }
 
-/**
- * Implementation of bus_t.remove_listener.
- */
-static void remove_listener(private_bus_t *this, listener_t *listener)
+METHOD(bus_t, remove_listener, void,
+	private_bus_t *this, listener_t *listener)
 {
 	enumerator_t *enumerator;
 	entry_t *entry;
@@ -156,10 +152,8 @@ static void listener_cleanup(cleanup_data_t *data)
 	entry_destroy(data->entry);
 }
 
-/**
- * Implementation of bus_t.listen.
- */
-static void listen_(private_bus_t *this, listener_t *listener, job_t *job)
+METHOD(bus_t, listen_, void,
+	private_bus_t *this, listener_t *listener, job_t *job)
 {
 	bool old;
 	cleanup_data_t data;
@@ -184,18 +178,14 @@ static void listen_(private_bus_t *this, listener_t *listener, job_t *job)
 	entry_destroy(data.entry);
 }
 
-/**
- * Implementation of bus_t.set_sa.
- */
-static void set_sa(private_bus_t *this, ike_sa_t *ike_sa)
+METHOD(bus_t, set_sa, void,
+	private_bus_t *this, ike_sa_t *ike_sa)
 {
 	this->thread_sa->set(this->thread_sa, ike_sa);
 }
 
-/**
- * Implementation of bus_t.get_sa
- */
-static ike_sa_t* get_sa(private_bus_t *this)
+METHOD(bus_t, get_sa, ike_sa_t*,
+	private_bus_t *this)
 {
 	return this->thread_sa->get(this->thread_sa);
 }
@@ -252,11 +242,9 @@ static bool log_cb(entry_t *entry, log_data_t *data)
 	return FALSE;
 }
 
-/**
- * Implementation of bus_t.vlog.
- */
-static void vlog(private_bus_t *this, debug_t group, level_t level,
-				 char* format, va_list args)
+METHOD(bus_t, vlog, void,
+	private_bus_t *this, debug_t group, level_t level,
+	char* format, va_list args)
 {
 	log_data_t data;
 
@@ -276,11 +264,8 @@ static void vlog(private_bus_t *this, debug_t group, level_t level,
 	va_end(data.args);
 }
 
-/**
- * Implementation of bus_t.log.
- */
-static void log_(private_bus_t *this, debug_t group, level_t level,
-				 char* format, ...)
+METHOD(bus_t, log_, void,
+	private_bus_t *this, debug_t group, level_t level, char* format, ...)
 {
 	va_list args;
 
@@ -307,10 +292,8 @@ static void unregister_listener(private_bus_t *this, entry_t *entry,
 	this->listeners->remove_at(this->listeners, enumerator);
 }
 
-/**
- * Implementation of bus_t.alert
- */
-static void alert(private_bus_t *this, alert_t alert, ...)
+METHOD(bus_t, alert, void,
+	private_bus_t *this, alert_t alert, ...)
 {
 	enumerator_t *enumerator;
 	ike_sa_t *ike_sa;
@@ -342,11 +325,8 @@ static void alert(private_bus_t *this, alert_t alert, ...)
 	this->mutex->unlock(this->mutex);
 }
 
-/**
- * Implementation of bus_t.ike_state_change
- */
-static void ike_state_change(private_bus_t *this, ike_sa_t *ike_sa,
-							 ike_sa_state_t state)
+METHOD(bus_t, ike_state_change, void,
+	private_bus_t *this, ike_sa_t *ike_sa, ike_sa_state_t state)
 {
 	enumerator_t *enumerator;
 	entry_t *entry;
@@ -372,11 +352,8 @@ static void ike_state_change(private_bus_t *this, ike_sa_t *ike_sa,
 	this->mutex->unlock(this->mutex);
 }
 
-/**
- * Implementation of bus_t.child_state_change
- */
-static void child_state_change(private_bus_t *this, child_sa_t *child_sa,
-							   child_sa_state_t state)
+METHOD(bus_t, child_state_change, void,
+	private_bus_t *this, child_sa_t *child_sa, child_sa_state_t state)
 {
 	enumerator_t *enumerator;
 	ike_sa_t *ike_sa;
@@ -406,10 +383,8 @@ static void child_state_change(private_bus_t *this, child_sa_t *child_sa,
 	this->mutex->unlock(this->mutex);
 }
 
-/**
- * Implementation of bus_t.message
- */
-static void message(private_bus_t *this, message_t *message, bool incoming)
+METHOD(bus_t, message, void,
+	private_bus_t *this, message_t *message, bool incoming)
 {
 	enumerator_t *enumerator;
 	ike_sa_t *ike_sa;
@@ -439,12 +414,9 @@ static void message(private_bus_t *this, message_t *message, bool incoming)
 	this->mutex->unlock(this->mutex);
 }
 
-/**
- * Implementation of bus_t.ike_keys
- */
-static void ike_keys(private_bus_t *this, ike_sa_t *ike_sa,
-					 diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r,
-					 ike_sa_t *rekey)
+METHOD(bus_t, ike_keys, void,
+	private_bus_t *this, ike_sa_t *ike_sa, diffie_hellman_t *dh,
+	chunk_t nonce_i, chunk_t nonce_r, ike_sa_t *rekey)
 {
 	enumerator_t *enumerator;
 	entry_t *entry;
@@ -471,11 +443,9 @@ static void ike_keys(private_bus_t *this, ike_sa_t *ike_sa,
 	this->mutex->unlock(this->mutex);
 }
 
-/**
- * Implementation of bus_t.child_keys
- */
-static void child_keys(private_bus_t *this, child_sa_t *child_sa,
-					   diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r)
+METHOD(bus_t, child_keys, void,
+	private_bus_t *this, child_sa_t *child_sa, bool initiator,
+	diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r)
 {
 	enumerator_t *enumerator;
 	ike_sa_t *ike_sa;
@@ -494,7 +464,7 @@ static void child_keys(private_bus_t *this, child_sa_t *child_sa,
 		}
 		entry->calling++;
 		keep = entry->listener->child_keys(entry->listener, ike_sa, child_sa,
-										   dh, nonce_i, nonce_r);
+										   initiator, dh, nonce_i, nonce_r);
 		entry->calling--;
 		if (!keep)
 		{
@@ -505,10 +475,8 @@ static void child_keys(private_bus_t *this, child_sa_t *child_sa,
 	this->mutex->unlock(this->mutex);
 }
 
-/**
- * Implementation of bus_t.child_updown
- */
-static void child_updown(private_bus_t *this, child_sa_t *child_sa, bool up)
+METHOD(bus_t, child_updown, void,
+	private_bus_t *this, child_sa_t *child_sa, bool up)
 {
 	enumerator_t *enumerator;
 	ike_sa_t *ike_sa;
@@ -538,10 +506,8 @@ static void child_updown(private_bus_t *this, child_sa_t *child_sa, bool up)
 	this->mutex->unlock(this->mutex);
 }
 
-/**
- * Implementation of bus_t.child_rekey
- */
-static void child_rekey(private_bus_t *this, child_sa_t *old, child_sa_t *new)
+METHOD(bus_t, child_rekey, void,
+	private_bus_t *this, child_sa_t *old, child_sa_t *new)
 {
 	enumerator_t *enumerator;
 	ike_sa_t *ike_sa;
@@ -570,10 +536,8 @@ static void child_rekey(private_bus_t *this, child_sa_t *old, child_sa_t *new)
 	this->mutex->unlock(this->mutex);
 }
 
-/**
- * Implementation of bus_t.ike_updown
- */
-static void ike_updown(private_bus_t *this, ike_sa_t *ike_sa, bool up)
+METHOD(bus_t, ike_updown, void,
+	private_bus_t *this, ike_sa_t *ike_sa, bool up)
 {
 	enumerator_t *enumerator;
 	entry_t *entry;
@@ -613,10 +577,8 @@ static void ike_updown(private_bus_t *this, ike_sa_t *ike_sa, bool up)
 	}
 }
 
-/**
- * Implementation of bus_t.ike_rekey
- */
-static void ike_rekey(private_bus_t *this, ike_sa_t *old, ike_sa_t *new)
+METHOD(bus_t, ike_rekey, void,
+	private_bus_t *this, ike_sa_t *old, ike_sa_t *new)
 {
 	enumerator_t *enumerator;
 	entry_t *entry;
@@ -642,10 +604,8 @@ static void ike_rekey(private_bus_t *this, ike_sa_t *old, ike_sa_t *new)
 	this->mutex->unlock(this->mutex);
 }
 
-/**
- * Implementation of bus_t.authorize
- */
-static bool authorize(private_bus_t *this, bool final)
+METHOD(bus_t, authorize, bool,
+	private_bus_t *this, bool final)
 {
 	enumerator_t *enumerator;
 	ike_sa_t *ike_sa;
@@ -680,10 +640,40 @@ static bool authorize(private_bus_t *this, bool final)
 	return success;
 }
 
-/**
- * Implementation of bus_t.destroy.
- */
-static void destroy(private_bus_t *this)
+METHOD(bus_t, narrow, void,
+	private_bus_t *this, child_sa_t *child_sa, narrow_hook_t type,
+	linked_list_t *local, linked_list_t *remote)
+{
+	enumerator_t *enumerator;
+	ike_sa_t *ike_sa;
+	entry_t *entry;
+	bool keep;
+
+	ike_sa = this->thread_sa->get(this->thread_sa);
+
+	this->mutex->lock(this->mutex);
+	enumerator = this->listeners->create_enumerator(this->listeners);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (entry->calling || !entry->listener->narrow)
+		{
+			continue;
+		}
+		entry->calling++;
+		keep = entry->listener->narrow(entry->listener, ike_sa, child_sa,
+									   type, local, remote);
+		entry->calling--;
+		if (!keep)
+		{
+			unregister_listener(this, entry, enumerator);
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->mutex->unlock(this->mutex);
+}
+
+METHOD(bus_t, destroy, void,
+	private_bus_t *this)
 {
 	this->thread_sa->destroy(this->thread_sa);
 	this->mutex->destroy(this->mutex);
@@ -696,31 +686,35 @@ static void destroy(private_bus_t *this)
  */
 bus_t *bus_create()
 {
-	private_bus_t *this = malloc_thing(private_bus_t);
-
-	this->public.add_listener = (void(*)(bus_t*,listener_t*))add_listener;
-	this->public.remove_listener = (void(*)(bus_t*,listener_t*))remove_listener;
-	this->public.listen = (void(*)(bus_t*, listener_t *listener, job_t *job))listen_;
-	this->public.set_sa = (void(*)(bus_t*,ike_sa_t*))set_sa;
-	this->public.get_sa = (ike_sa_t*(*)(bus_t*))get_sa;
-	this->public.log = (void(*)(bus_t*,debug_t,level_t,char*,...))log_;
-	this->public.vlog = (void(*)(bus_t*,debug_t,level_t,char*,va_list))vlog;
-	this->public.alert = (void(*)(bus_t*, alert_t alert, ...))alert;
-	this->public.ike_state_change = (void(*)(bus_t*,ike_sa_t*,ike_sa_state_t))ike_state_change;
-	this->public.child_state_change = (void(*)(bus_t*,child_sa_t*,child_sa_state_t))child_state_change;
-	this->public.message = (void(*)(bus_t*, message_t *message, bool incoming))message;
-	this->public.ike_keys = (void(*)(bus_t*, ike_sa_t *ike_sa, diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r, ike_sa_t *rekey))ike_keys;
-	this->public.child_keys = (void(*)(bus_t*, child_sa_t *child_sa, diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r))child_keys;
-	this->public.ike_updown = (void(*)(bus_t*, ike_sa_t *ike_sa, bool up))ike_updown;
-	this->public.ike_rekey = (void(*)(bus_t*, ike_sa_t *old, ike_sa_t *new))ike_rekey;
-	this->public.child_updown = (void(*)(bus_t*, child_sa_t *child_sa, bool up))child_updown;
-	this->public.child_rekey = (void(*)(bus_t*, child_sa_t *old, child_sa_t *new))child_rekey;
-	this->public.authorize = (bool(*)(bus_t*, bool final))authorize;
-	this->public.destroy = (void(*)(bus_t*)) destroy;
-
-	this->listeners = linked_list_create();
-	this->mutex = mutex_create(MUTEX_TYPE_RECURSIVE);
-	this->thread_sa = thread_value_create(NULL);
+	private_bus_t *this;
+
+	INIT(this,
+		.public = {
+			.add_listener = _add_listener,
+			.remove_listener = _remove_listener,
+			.listen = _listen_,
+			.set_sa = _set_sa,
+			.get_sa = _get_sa,
+			.log = _log_,
+			.vlog = _vlog,
+			.alert = _alert,
+			.ike_state_change = _ike_state_change,
+			.child_state_change = _child_state_change,
+			.message = _message,
+			.ike_keys = _ike_keys,
+			.child_keys = _child_keys,
+			.ike_updown = _ike_updown,
+			.ike_rekey = _ike_rekey,
+			.child_updown = _child_updown,
+			.child_rekey = _child_rekey,
+			.authorize = _authorize,
+			.narrow = _narrow,
+			.destroy = _destroy,
+		},
+		.listeners = linked_list_create(),
+		.mutex = mutex_create(MUTEX_TYPE_RECURSIVE),
+		.thread_sa = thread_value_create(NULL),
+	);
 
 	return &this->public;
 }
diff --git a/src/libcharon/bus/bus.h b/src/libcharon/bus/bus.h
index 8cf392eae..6a306afcc 100644
--- a/src/libcharon/bus/bus.h
+++ b/src/libcharon/bus/bus.h
@@ -22,6 +22,7 @@
 #define BUS_H_
 
 typedef enum alert_t alert_t;
+typedef enum narrow_hook_t narrow_hook_t;
 typedef struct bus_t bus_t;
 
 #include <stdarg.h>
@@ -85,6 +86,31 @@ enum alert_t {
 	ALERT_SHUTDOWN_SIGNAL,
 };
 
+/**
+ * Kind of narrow hook.
+ *
+ * There is a non-authenticated (IKE_AUTH) and a authenticated
+ * (CREATE_CHILD_SA) narrowing hook for the initiator. Only one of these
+ * hooks is invoked before the exchange.
+ * To verify the traffic selectors negotiated, each PRE hook has a POST
+ * counterpart that follows. POST hooks are invoked with an authenticated peer.
+ * It is usually not a good idea to narrow in the POST hooks,
+ * as the resulting traffic selector is not negotiated and results
+ * in non-matching policies.
+ */
+enum narrow_hook_t {
+	/** invoked as initiator before exchange, peer is not yet authenticated */
+	NARROW_INITIATOR_PRE_NOAUTH,
+	/** invoked as initiator before exchange, peer is authenticated */
+	NARROW_INITIATOR_PRE_AUTH,
+	/** invoked as responder during exchange, peer is authenticated */
+	NARROW_RESPONDER,
+	/** invoked as initiator after exchange, follows a INITIATOR_PRE_NOAUTH */
+	NARROW_INITIATOR_POST_NOAUTH,
+	/** invoked as initiator after exchange, follows a INITIATOR_PRE_AUTH */
+	NARROW_INITIATOR_POST_AUTH,
+};
+
 /**
  * The bus receives events and sends them to all registered listeners.
  *
@@ -216,6 +242,17 @@ struct bus_t {
 	 */
 	bool (*authorize)(bus_t *this, bool final);
 
+	/**
+	 * CHILD_SA traffic selector narrowing hook.
+	 *
+	 * @param child_sa	CHILD_SA set up with these traffic selectors
+	 * @param type		type of hook getting invoked
+	 * @param local		list of local traffic selectors to narrow
+	 * @param remote	list of remote traffic selectors to narrow
+	 */
+	void (*narrow)(bus_t *this, child_sa_t *child_sa, narrow_hook_t type,
+				   linked_list_t *local, linked_list_t *remote);
+
 	/**
 	 * IKE_SA keymat hook.
 	 *
@@ -231,12 +268,13 @@ struct bus_t {
 	 * CHILD_SA keymat hook.
 	 *
 	 * @param child_sa	CHILD_SA this keymat is used for
+	 * @param initiator	initiator of the CREATE_CHILD_SA exchange
 	 * @param dh		diffie hellman shared secret
 	 * @param nonce_i	initiators nonce
 	 * @param nonce_r	responders nonce
 	 */
-	void (*child_keys)(bus_t *this, child_sa_t *child_sa, diffie_hellman_t *dh,
-					   chunk_t nonce_i, chunk_t nonce_r);
+	void (*child_keys)(bus_t *this, child_sa_t *child_sa, bool initiator,
+					   diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r);
 
 	/**
 	 * IKE_SA up/down hook.
diff --git a/src/libcharon/bus/listeners/file_logger.c b/src/libcharon/bus/listeners/file_logger.c
index 12587deaf..87db532f5 100644
--- a/src/libcharon/bus/listeners/file_logger.c
+++ b/src/libcharon/bus/listeners/file_logger.c
@@ -15,6 +15,7 @@
 
 #include <stdio.h>
 #include <string.h>
+#include <time.h>
 
 #include "file_logger.h"
 
@@ -40,6 +41,11 @@ struct private_file_logger_t {
 	 * Maximum level to log, for each group
 	 */
 	level_t levels[DBG_MAX];
+
+	/**
+	 * strftime() format of time prefix, if any
+	 */
+	char *time_format;
 };
 
 /**
@@ -50,8 +56,17 @@ static bool log_(private_file_logger_t *this, debug_t group, level_t level,
 {
 	if (level <= this->levels[group])
 	{
-		char buffer[8192];
+		char buffer[8192], timestr[128];
 		char *current = buffer, *next;
+		struct tm tm;
+		time_t t;
+
+		if (this->time_format)
+		{
+			t = time(NULL);
+			localtime_r(&t, &tm);
+			strftime(timestr, sizeof(timestr), this->time_format, &tm);
+		}
 
 		/* write in memory buffer first */
 		vsnprintf(buffer, sizeof(buffer), format, args);
@@ -64,8 +79,16 @@ static bool log_(private_file_logger_t *this, debug_t group, level_t level,
 			{
 				*(next++) = '\0';
 			}
-			fprintf(this->out, "%.2d[%N] %s\n",
-					thread, debug_names, group, current);
+			if (this->time_format)
+			{
+				fprintf(this->out, "%s %.2d[%N] %s\n",
+						timestr, thread, debug_names, group, current);
+			}
+			else
+			{
+				fprintf(this->out, "%.2d[%N] %s\n",
+						thread, debug_names, group, current);
+			}
 			current = next;
 		}
 	}
@@ -106,7 +129,7 @@ static void destroy(private_file_logger_t *this)
 /*
  * Described in header.
  */
-file_logger_t *file_logger_create(FILE *out)
+file_logger_t *file_logger_create(FILE *out, char *time_format)
 {
 	private_file_logger_t *this = malloc_thing(private_file_logger_t);
 
@@ -118,6 +141,7 @@ file_logger_t *file_logger_create(FILE *out)
 
 	/* private variables */
 	this->out = out;
+	this->time_format = time_format;
 	set_level(this, DBG_ANY, LEVEL_SILENT);
 
 	return &this->public;
diff --git a/src/libcharon/bus/listeners/file_logger.h b/src/libcharon/bus/listeners/file_logger.h
index bd443fdb8..e02a12c0c 100644
--- a/src/libcharon/bus/listeners/file_logger.h
+++ b/src/libcharon/bus/listeners/file_logger.h
@@ -52,9 +52,10 @@ struct file_logger_t {
 /**
  * Constructor to create a file_logger_t object.
  *
- * @param out		FILE to write to
- * @return			file_logger_t object
+ * @param out			FILE to write to
+ * @param time_format	format of timestamp prefix, as in strftime()
+ * @return				file_logger_t object
  */
-file_logger_t *file_logger_create(FILE *out);
+file_logger_t *file_logger_create(FILE *out, char *time_format);
 
 #endif /** FILE_LOGGER_H_ @}*/
diff --git a/src/libcharon/bus/listeners/listener.h b/src/libcharon/bus/listeners/listener.h
index 9a51a2ef4..e7873ee8c 100644
--- a/src/libcharon/bus/listeners/listener.h
+++ b/src/libcharon/bus/listeners/listener.h
@@ -110,13 +110,15 @@ struct listener_t {
 	 *
 	 * @param ike_sa	IKE_SA the child sa belongs to
 	 * @param child_sa	CHILD_SA this keymat is used for
+	 * @param initiator	initiator of the CREATE_CHILD_SA exchange
 	 * @param dh		diffie hellman shared secret
 	 * @param nonce_i	initiators nonce
 	 * @param nonce_r	responders nonce
 	 * @return			TRUE to stay registered, FALSE to unregister
 	 */
 	bool (*child_keys)(listener_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa,
-					   diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r);
+					   bool initiator, diffie_hellman_t *dh,
+					   chunk_t nonce_i, chunk_t nonce_r);
 
 	/**
 	 * Hook called if an IKE_SA gets up or down.
@@ -173,6 +175,21 @@ struct listener_t {
 	 */
 	bool (*authorize)(listener_t *this, ike_sa_t *ike_sa,
 					  bool final, bool *success);
+
+	/**
+	 * CHILD_SA traffic selector narrowing hook.
+	 *
+	 * This hook is invoked for each CHILD_SA and allows plugins to modify
+	 * the traffic selector list negotiated for this CHILD_SA.
+	 *
+	 * @param ike_sa	IKE_SA the created CHILD_SA is created in
+	 * @param child_sa	CHILD_SA set up with these traffic selectors
+	 * @param type		type of hook getting invoked
+	 * @param local		list of local traffic selectors to narrow
+	 * @param remote	list of remote traffic selectors to narrow
+	 */
+	bool (*narrow)(listener_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa,
+				narrow_hook_t type, linked_list_t *local, linked_list_t *remote);
 };
 
 #endif /** LISTENER_H_ @}*/
diff --git a/src/libcharon/bus/listeners/sys_logger.c b/src/libcharon/bus/listeners/sys_logger.c
index 11421ad05..5bc1d581a 100644
--- a/src/libcharon/bus/listeners/sys_logger.c
+++ b/src/libcharon/bus/listeners/sys_logger.c
@@ -15,6 +15,7 @@
 
 #include <stdio.h>
 #include <string.h>
+#include <syslog.h>
 
 #include "sys_logger.h"
 
diff --git a/src/libcharon/bus/listeners/sys_logger.h b/src/libcharon/bus/listeners/sys_logger.h
index 730890d68..58d4de529 100644
--- a/src/libcharon/bus/listeners/sys_logger.h
+++ b/src/libcharon/bus/listeners/sys_logger.h
@@ -21,8 +21,6 @@
 #ifndef SYS_LOGGER_H_
 #define SYS_LOGGER_H_
 
-#include <syslog.h>
-
 #include <bus/listeners/listener.h>
 
 typedef struct sys_logger_t sys_logger_t;
diff --git a/src/libcharon/config/auth_cfg.c b/src/libcharon/config/auth_cfg.c
deleted file mode 100644
index 94362c756..000000000
--- a/src/libcharon/config/auth_cfg.c
+++ /dev/null
@@ -1,768 +0,0 @@
-/*
- * Copyright (C) 2007-2009 Martin Willi
- * Copyright (C) 2008 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "auth_cfg.h"
-
-#include <daemon.h>
-#include <utils/linked_list.h>
-#include <utils/identification.h>
-#include <credentials/certificates/certificate.h>
-
-ENUM(auth_rule_names, AUTH_RULE_IDENTITY, AUTH_HELPER_SUBJECT_HASH_URL,
-	"RULE_IDENTITY",
-	"RULE_AUTH_CLASS",
-	"RULE_EAP_IDENTITY",
-	"RULE_EAP_TYPE",
-	"RULE_EAP_VENDOR",
-	"RULE_CA_CERT",
-	"RULE_IM_CERT",
-	"RULE_SUBJECT_CERT",
-	"RULE_CRL_VALIDATION",
-	"RULE_OCSP_VALIDATION",
-	"RULE_AC_GROUP",
-	"HELPER_IM_CERT",
-	"HELPER_SUBJECT_CERT",
-	"HELPER_IM_HASH_URL",
-	"HELPER_SUBJECT_HASH_URL",
-);
-
-typedef struct private_auth_cfg_t private_auth_cfg_t;
-
-/**
- * private data of item_set
- */
-struct private_auth_cfg_t {
-
-	/**
-	 * public functions
-	 */
-	auth_cfg_t public;
-
-	/**
-	 * list of entry_t
-	 */
-	linked_list_t *entries;
-};
-
-typedef struct entry_t entry_t;
-
-struct entry_t {
-	/** rule type */
-	auth_rule_t type;
-	/** associated value */
-	void *value;
-};
-
-/**
- * enumerator for auth_cfg_t.create_enumerator()
- */
-typedef struct {
-	/** implements enumerator_t */
-	enumerator_t public;
-	/** inner enumerator from linked_list_t */
-	enumerator_t *inner;
-	/** current entry */
-	entry_t *current;
-} entry_enumerator_t;
-
-/**
- * enumerate function for item_enumerator_t
- */
-static bool enumerate(entry_enumerator_t *this, auth_rule_t *type, void **value)
-{
-	entry_t *entry;
-
-	if (this->inner->enumerate(this->inner, &entry))
-	{
-		this->current = entry;
-		*type = entry->type;
-		*value = entry->value;
-		return TRUE;
-	}
-	return FALSE;
-}
-
-/**
- * destroy function for item_enumerator_t
- */
-static void entry_enumerator_destroy(entry_enumerator_t *this)
-{
-	this->inner->destroy(this->inner);
-	free(this);
-}
-
-/**
- * Implementation of auth_cfg_t.create_enumerator.
- */
-static enumerator_t* create_enumerator(private_auth_cfg_t *this)
-{
-	entry_enumerator_t *enumerator;
-
-	enumerator = malloc_thing(entry_enumerator_t);
-	enumerator->inner = this->entries->create_enumerator(this->entries);
-	enumerator->public.enumerate = (void*)enumerate;
-	enumerator->public.destroy = (void*)entry_enumerator_destroy;
-	enumerator->current = NULL;
-	return &enumerator->public;
-}
-
-/**
- * Destroy the value associated with an entry
- */
-static void destroy_entry_value(entry_t *entry)
-{
-	switch (entry->type)
-	{
-		case AUTH_RULE_IDENTITY:
-		case AUTH_RULE_EAP_IDENTITY:
-		case AUTH_RULE_AC_GROUP:
-		{
-			identification_t *id = (identification_t*)entry->value;
-			id->destroy(id);
-			break;
-		}
-		case AUTH_RULE_CA_CERT:
-		case AUTH_RULE_IM_CERT:
-		case AUTH_RULE_SUBJECT_CERT:
-		case AUTH_HELPER_IM_CERT:
-		case AUTH_HELPER_SUBJECT_CERT:
-		{
-			certificate_t *cert = (certificate_t*)entry->value;
-			cert->destroy(cert);
-			break;
-		}
-		case AUTH_HELPER_IM_HASH_URL:
-		case AUTH_HELPER_SUBJECT_HASH_URL:
-		{
-			free(entry->value);
-			break;
-		}
-		case AUTH_RULE_AUTH_CLASS:
-		case AUTH_RULE_EAP_TYPE:
-		case AUTH_RULE_EAP_VENDOR:
-		case AUTH_RULE_CRL_VALIDATION:
-		case AUTH_RULE_OCSP_VALIDATION:
-			break;
-	}
-}
-
-/**
- * Implementation of auth_cfg_t.replace.
- */
-static void replace(auth_cfg_t *this, entry_enumerator_t *enumerator,
-					auth_rule_t type, ...)
-{
-	if (enumerator->current)
-	{
-		va_list args;
-
-		va_start(args, type);
-
-		destroy_entry_value(enumerator->current);
-		enumerator->current->type = type;
-		switch (type)
-		{
-			case AUTH_RULE_AUTH_CLASS:
-			case AUTH_RULE_EAP_TYPE:
-			case AUTH_RULE_EAP_VENDOR:
-			case AUTH_RULE_CRL_VALIDATION:
-			case AUTH_RULE_OCSP_VALIDATION:
-				/* integer type */
-				enumerator->current->value = (void*)(uintptr_t)va_arg(args, u_int);
-				break;
-			case AUTH_RULE_IDENTITY:
-			case AUTH_RULE_EAP_IDENTITY:
-			case AUTH_RULE_AC_GROUP:
-			case AUTH_RULE_CA_CERT:
-			case AUTH_RULE_IM_CERT:
-			case AUTH_RULE_SUBJECT_CERT:
-			case AUTH_HELPER_IM_CERT:
-			case AUTH_HELPER_SUBJECT_CERT:
-			case AUTH_HELPER_IM_HASH_URL:
-			case AUTH_HELPER_SUBJECT_HASH_URL:
-				/* pointer type */
-				enumerator->current->value = va_arg(args, void*);
-				break;
-		}
-		va_end(args);
-	}
-}
-
-/**
- * Implementation of auth_cfg_t.get.
- */
-static void* get(private_auth_cfg_t *this, auth_rule_t type)
-{
-	enumerator_t *enumerator;
-	void *current_value, *best_value = NULL;
-	auth_rule_t current_type;
-	bool found = FALSE;
-
-	enumerator = create_enumerator(this);
-	while (enumerator->enumerate(enumerator, &current_type, &current_value))
-	{
-		if (type == current_type)
-		{
-			if (type == AUTH_RULE_CRL_VALIDATION ||
-				type == AUTH_RULE_OCSP_VALIDATION)
-			{	/* for CRL/OCSP validation, always get() the highest value */
-				if (!found || current_value > best_value)
-				{
-					best_value = current_value;
-				}
-				found = TRUE;
-				continue;
-			}
-			best_value = current_value;
-			found = TRUE;
-			break;
-		}
-	}
-	enumerator->destroy(enumerator);
-	if (found)
-	{
-		return best_value;
-	}
-	switch (type)
-	{
-		/* use some sane defaults if we don't find an entry */
-		case AUTH_RULE_AUTH_CLASS:
-			return (void*)AUTH_CLASS_ANY;
-		case AUTH_RULE_EAP_TYPE:
-			return (void*)EAP_NAK;
-		case AUTH_RULE_EAP_VENDOR:
-			return (void*)0;
-		case AUTH_RULE_CRL_VALIDATION:
-		case AUTH_RULE_OCSP_VALIDATION:
-			return (void*)VALIDATION_FAILED;
-		case AUTH_RULE_IDENTITY:
-		case AUTH_RULE_EAP_IDENTITY:
-		case AUTH_RULE_AC_GROUP:
-		case AUTH_RULE_CA_CERT:
-		case AUTH_RULE_IM_CERT:
-		case AUTH_RULE_SUBJECT_CERT:
-		case AUTH_HELPER_IM_CERT:
-		case AUTH_HELPER_SUBJECT_CERT:
-		case AUTH_HELPER_IM_HASH_URL:
-		case AUTH_HELPER_SUBJECT_HASH_URL:
-		default:
-			return NULL;
-	}
-}
-
-/**
- * Implementation of auth_cfg_t.add.
- */
-static void add(private_auth_cfg_t *this, auth_rule_t type, ...)
-{
-	entry_t *entry = malloc_thing(entry_t);
-	va_list args;
-
-	va_start(args, type);
-	entry->type = type;
-	switch (type)
-	{
-		case AUTH_RULE_AUTH_CLASS:
-		case AUTH_RULE_EAP_TYPE:
-		case AUTH_RULE_EAP_VENDOR:
-		case AUTH_RULE_CRL_VALIDATION:
-		case AUTH_RULE_OCSP_VALIDATION:
-			/* integer type */
-			entry->value = (void*)(uintptr_t)va_arg(args, u_int);
-			break;
-		case AUTH_RULE_IDENTITY:
-		case AUTH_RULE_EAP_IDENTITY:
-		case AUTH_RULE_AC_GROUP:
-		case AUTH_RULE_CA_CERT:
-		case AUTH_RULE_IM_CERT:
-		case AUTH_RULE_SUBJECT_CERT:
-		case AUTH_HELPER_IM_CERT:
-		case AUTH_HELPER_SUBJECT_CERT:
-		case AUTH_HELPER_IM_HASH_URL:
-		case AUTH_HELPER_SUBJECT_HASH_URL:
-			/* pointer type */
-			entry->value = va_arg(args, void*);
-			break;
-	}
-	va_end(args);
-	this->entries->insert_last(this->entries, entry);
-}
-
-/**
- * Implementation of auth_cfg_t.complies.
- */
-static bool complies(private_auth_cfg_t *this, auth_cfg_t *constraints,
-					 bool log_error)
-{
-	enumerator_t *e1, *e2;
-	bool success = TRUE;
-	auth_rule_t t1, t2;
-	void *value;
-
-	e1 = constraints->create_enumerator(constraints);
-	while (e1->enumerate(e1, &t1, &value))
-	{
-		switch (t1)
-		{
-			case AUTH_RULE_CA_CERT:
-			case AUTH_RULE_IM_CERT:
-			{
-				certificate_t *c1, *c2;
-
-				c1 = (certificate_t*)value;
-
-				success = FALSE;
-				e2 = create_enumerator(this);
-				while (e2->enumerate(e2, &t2, &c2))
-				{
-					if ((t2 == AUTH_RULE_CA_CERT || t2 == AUTH_RULE_IM_CERT) &&
-						c1->equals(c1, c2))
-					{
-						success = TRUE;
-					}
-				}
-				e2->destroy(e2);
-				if (!success && log_error)
-				{
-					DBG1(DBG_CFG, "constraint check failed: peer not "
-						 "authenticated by CA '%Y'.", c1->get_subject(c1));
-				}
-				break;
-			}
-			case AUTH_RULE_SUBJECT_CERT:
-			{
-				certificate_t *c1, *c2;
-
-				c1 = (certificate_t*)value;
-				c2 = get(this, AUTH_RULE_SUBJECT_CERT);
-				if (!c2 || !c1->equals(c1, c2))
-				{
-					success = FALSE;
-					if (log_error)
-					{
-						DBG1(DBG_CFG, "constraint check failed: peer not "
-							 "authenticated with peer cert '%Y'.",
-							 c1->get_subject(c1));
-					}
-				}
-				break;
-			}
-			case AUTH_RULE_CRL_VALIDATION:
-			case AUTH_RULE_OCSP_VALIDATION:
-			{
-				cert_validation_t validated, required;
-
-				required = (uintptr_t)value;
-				validated = (uintptr_t)get(this, t1);
-				switch (required)
-				{
-					case VALIDATION_FAILED:
-						/* no constraint */
-						break;
-					case VALIDATION_SKIPPED:
-						if (validated == VALIDATION_SKIPPED)
-						{
-							break;
-						}
-						/* FALL */
-					case VALIDATION_GOOD:
-						if (validated == VALIDATION_GOOD)
-						{
-							break;
-						}
-						/* FALL */
-					default:
-						success = FALSE;
-						if (log_error)
-						{
-							DBG1(DBG_CFG, "constraint check failed: %N is %N, "
-								 "but requires at least %N", auth_rule_names,
-								 t1, cert_validation_names, validated,
-								 cert_validation_names, required);
-						}
-						break;
-				}
-				break;
-			}
-			case AUTH_RULE_IDENTITY:
-			case AUTH_RULE_EAP_IDENTITY:
-			{
-				identification_t *id1, *id2;
-
-				id1 = (identification_t*)value;
-				id2 = get(this, t1);
-				if (!id2 || !id2->matches(id2, id1))
-				{
-					success = FALSE;
-					if (log_error)
-					{
-						DBG1(DBG_CFG, "constraint check failed: %sidentity '%Y'"
-							 " required ", t1 == AUTH_RULE_IDENTITY ? "" :
-							 "EAP ", id1);
-					}
-				}
-				break;
-			}
-			case AUTH_RULE_AUTH_CLASS:
-			{
-				if ((uintptr_t)value != AUTH_CLASS_ANY &&
-					(uintptr_t)value != (uintptr_t)get(this, t1))
-				{
-					success = FALSE;
-					if (log_error)
-					{
-						DBG1(DBG_CFG, "constraint requires %N authentication, "
-							 "but %N was used", auth_class_names, (uintptr_t)value,
-							 auth_class_names, (uintptr_t)get(this, t1));
-					}
-				}
-				break;
-			}
-			case AUTH_RULE_EAP_TYPE:
-			{
-				if ((uintptr_t)value != (uintptr_t)get(this, t1))
-				{
-					success = FALSE;
-					if (log_error)
-					{
-						DBG1(DBG_CFG, "constraint requires %N, "
-							 "but %N was used", eap_type_names, (uintptr_t)value,
-							 eap_type_names,  (uintptr_t)get(this, t1));
-					}
-				}
-				break;
-			}
-			case AUTH_RULE_EAP_VENDOR:
-			{
-				if ((uintptr_t)value != (uintptr_t)get(this, t1))
-				{
-					success = FALSE;
-					if (log_error)
-					{
-						DBG1(DBG_CFG, "constraint requires EAP vendor %d, "
-							 "but %d was used", (uintptr_t)value,
-							 (uintptr_t)get(this, t1));
-					}
-				}
-				break;
-			}
-			case AUTH_RULE_AC_GROUP:
-			{
-				success = FALSE;
-				if (log_error)
-				{
-					DBG1(DBG_CFG, "constraint check %N not implemented!",
-						 auth_rule_names, t1);
-				}
-				break;
-			}
-			case AUTH_HELPER_IM_CERT:
-			case AUTH_HELPER_SUBJECT_CERT:
-			case AUTH_HELPER_IM_HASH_URL:
-			case AUTH_HELPER_SUBJECT_HASH_URL:
-				/* skip helpers */
-				continue;
-		}
-		if (!success)
-		{
-			break;
-		}
-	}
-	e1->destroy(e1);
-	return success;
-}
-
-/**
- * Implementation of auth_cfg_t.merge.
- */
-static void merge(private_auth_cfg_t *this, private_auth_cfg_t *other, bool copy)
-{
-	if (!other)
-	{	/* nothing to merge */
-		return;
-	}
-	if (copy)
-	{
-		enumerator_t *enumerator;
-		auth_rule_t type;
-		void *value;
-
-		enumerator = create_enumerator(other);
-		while (enumerator->enumerate(enumerator, &type, &value))
-		{
-			switch (type)
-			{
-				case AUTH_RULE_CA_CERT:
-				case AUTH_RULE_IM_CERT:
-				case AUTH_RULE_SUBJECT_CERT:
-				case AUTH_HELPER_IM_CERT:
-				case AUTH_HELPER_SUBJECT_CERT:
-				{
-					certificate_t *cert = (certificate_t*)value;
-
-					add(this, type, cert->get_ref(cert));
-					break;
-				}
-				case AUTH_RULE_CRL_VALIDATION:
-				case AUTH_RULE_OCSP_VALIDATION:
-				case AUTH_RULE_AUTH_CLASS:
-				case AUTH_RULE_EAP_TYPE:
-				case AUTH_RULE_EAP_VENDOR:
-				{
-					add(this, type, (uintptr_t)value);
-					break;
-				}
-				case AUTH_RULE_IDENTITY:
-				case AUTH_RULE_EAP_IDENTITY:
-				case AUTH_RULE_AC_GROUP:
-				{
-					identification_t *id = (identification_t*)value;
-
-					add(this, type, id->clone(id));
-					break;
-				}
-				case AUTH_HELPER_IM_HASH_URL:
-				case AUTH_HELPER_SUBJECT_HASH_URL:
-				{
-					add(this, type, strdup((char*)value));
-					break;
-				}
-			}
-		}
-		enumerator->destroy(enumerator);
-	}
-	else
-	{
-		entry_t *entry;
-
-		while (other->entries->remove_first(other->entries,
-											(void**)&entry) == SUCCESS)
-		{
-			this->entries->insert_last(this->entries, entry);
-		}
-	}
-}
-
-/**
- * Implementation of auth_cfg_t.equals.
- */
-static bool equals(private_auth_cfg_t *this, private_auth_cfg_t *other)
-{
-	enumerator_t *e1, *e2;
-	entry_t *i1, *i2;
-	bool equal = TRUE, found;
-
-	if (this->entries->get_count(this->entries) !=
-		other->entries->get_count(other->entries))
-	{
-		return FALSE;
-	}
-	e1 = this->entries->create_enumerator(this->entries);
-	while (e1->enumerate(e1, &i1))
-	{
-		found = FALSE;
-		e2 = other->entries->create_enumerator(other->entries);
-		while (e2->enumerate(e2, &i2))
-		{
-			if (i1->type == i2->type)
-			{
-				switch (i1->type)
-				{
-					case AUTH_RULE_AUTH_CLASS:
-					case AUTH_RULE_EAP_TYPE:
-					case AUTH_RULE_EAP_VENDOR:
-					case AUTH_RULE_CRL_VALIDATION:
-					case AUTH_RULE_OCSP_VALIDATION:
-					{
-						if (i1->value == i2->value)
-						{
-							found = TRUE;
-							break;
-						}
-						continue;
-					}
-					case AUTH_RULE_CA_CERT:
-					case AUTH_RULE_IM_CERT:
-					case AUTH_RULE_SUBJECT_CERT:
-					case AUTH_HELPER_IM_CERT:
-					case AUTH_HELPER_SUBJECT_CERT:
-					{
-						certificate_t *c1, *c2;
-
-						c1 = (certificate_t*)i1->value;
-						c2 = (certificate_t*)i2->value;
-
-						if (c1->equals(c1, c2))
-						{
-							found = TRUE;
-							break;
-						}
-						continue;
-					}
-					case AUTH_RULE_IDENTITY:
-					case AUTH_RULE_EAP_IDENTITY:
-					case AUTH_RULE_AC_GROUP:
-					{
-						identification_t *id1, *id2;
-
-						id1 = (identification_t*)i1->value;
-						id2 = (identification_t*)i2->value;
-
-						if (id1->equals(id1, id2))
-						{
-							found = TRUE;
-							break;
-						}
-						continue;
-					}
-					case AUTH_HELPER_IM_HASH_URL:
-					case AUTH_HELPER_SUBJECT_HASH_URL:
-					{
-						if (streq(i1->value, i2->value))
-						{
-							found = TRUE;
-							break;
-						}
-						continue;
-					}
-				}
-				break;
-			}
-		}
-		e2->destroy(e2);
-		if (!found)
-		{
-			equal = FALSE;
-			break;
-		}
-	}
-	e1->destroy(e1);
-	return equal;
-}
-
-/**
- * Implementation of auth_cfg_t.purge
- */
-static void purge(private_auth_cfg_t *this, bool keep_ca)
-{
-	entry_t *entry;
-	linked_list_t *cas;
-
-	cas = linked_list_create();
-	while (this->entries->remove_last(this->entries, (void**)&entry) == SUCCESS)
-	{
-		if (keep_ca && entry->type == AUTH_RULE_CA_CERT)
-		{
-			cas->insert_first(cas, entry);
-		}
-		else
-		{
-			destroy_entry_value(entry);
-			free(entry);
-		}
-	}
-	while (cas->remove_last(cas, (void**)&entry) == SUCCESS)
-	{
-		this->entries->insert_first(this->entries, entry);
-	}
-	cas->destroy(cas);
-}
-
-/**
- * Implementation of auth_cfg_t.clone
- */
-static auth_cfg_t* clone_(private_auth_cfg_t *this)
-{
-	enumerator_t *enumerator;
-	auth_cfg_t *clone;
-	entry_t *entry;
-
-	clone = auth_cfg_create();
-	enumerator = this->entries->create_enumerator(this->entries);
-	while (enumerator->enumerate(enumerator, &entry))
-	{
-		switch (entry->type)
-		{
-			case AUTH_RULE_IDENTITY:
-			case AUTH_RULE_EAP_IDENTITY:
-			case AUTH_RULE_AC_GROUP:
-			{
-				identification_t *id = (identification_t*)entry->value;
-				clone->add(clone, entry->type, id->clone(id));
-				break;
-			}
-			case AUTH_RULE_CA_CERT:
-			case AUTH_RULE_IM_CERT:
-			case AUTH_RULE_SUBJECT_CERT:
-			case AUTH_HELPER_IM_CERT:
-			case AUTH_HELPER_SUBJECT_CERT:
-			{
-				certificate_t *cert = (certificate_t*)entry->value;
-				clone->add(clone, entry->type, cert->get_ref(cert));
-				break;
-			}
-			case AUTH_HELPER_IM_HASH_URL:
-			case AUTH_HELPER_SUBJECT_HASH_URL:
-			{
-				clone->add(clone, entry->type, strdup(entry->value));
-				break;
-			}
-			case AUTH_RULE_AUTH_CLASS:
-			case AUTH_RULE_EAP_TYPE:
-			case AUTH_RULE_EAP_VENDOR:
-			case AUTH_RULE_CRL_VALIDATION:
-			case AUTH_RULE_OCSP_VALIDATION:
-				clone->add(clone, entry->type, (uintptr_t)entry->value);
-				break;
-		}
-	}
-	enumerator->destroy(enumerator);
-	return clone;
-}
-
-/**
- * Implementation of auth_cfg_t.destroy
- */
-static void destroy(private_auth_cfg_t *this)
-{
-	purge(this, FALSE);
-	this->entries->destroy(this->entries);
-	free(this);
-}
-
-/*
- * see header file
- */
-auth_cfg_t *auth_cfg_create()
-{
-	private_auth_cfg_t *this = malloc_thing(private_auth_cfg_t);
-
-	this->public.add = (void(*)(auth_cfg_t*, auth_rule_t type, ...))add;
-	this->public.get = (void*(*)(auth_cfg_t*, auth_rule_t type))get;
-	this->public.create_enumerator = (enumerator_t*(*)(auth_cfg_t*))create_enumerator;
-	this->public.replace = (void(*)(auth_cfg_t*,enumerator_t*,auth_rule_t,...))replace;
-	this->public.complies = (bool(*)(auth_cfg_t*, auth_cfg_t *,bool))complies;
-	this->public.merge = (void(*)(auth_cfg_t*, auth_cfg_t *other,bool))merge;
-	this->public.purge = (void(*)(auth_cfg_t*,bool))purge;
-	this->public.equals = (bool(*)(auth_cfg_t*, auth_cfg_t *other))equals;
-	this->public.clone = (auth_cfg_t*(*)(auth_cfg_t*))clone_;
-	this->public.destroy = (void(*)(auth_cfg_t*))destroy;
-
-	this->entries = linked_list_create();
-
-	return &this->public;
-}
-
diff --git a/src/libcharon/config/auth_cfg.h b/src/libcharon/config/auth_cfg.h
deleted file mode 100644
index 5e6215a4a..000000000
--- a/src/libcharon/config/auth_cfg.h
+++ /dev/null
@@ -1,201 +0,0 @@
-/*
- * Copyright (C) 2007-2009 Martin Willi
- * Copyright (C) 2008 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup auth_cfg auth_cfg
- * @{ @ingroup config
- */
-
-#ifndef AUTH_CFG_H_
-#define AUTH_CFG_H_
-
-#include <utils/enumerator.h>
-
-typedef struct auth_cfg_t auth_cfg_t;
-typedef enum auth_rule_t auth_rule_t;
-
-/**
- * Authentication config to use during authentication process.
- *
- * Each authentication config contains a set of rules. These rule-sets are used
- * in two ways:
- * - For configs specifying local authentication behavior, the rules define
- *   which authentication method in which way.
- * - For configs specifying remote peer authentication, the rules define
- *   constraints the peer has to fullfill.
- *
- * Additionally to the rules, there is a set of helper items. These are used
- * to transport credentials during the authentication process.
- */
-enum auth_rule_t {
-
-	/** identity to use for IKEv2 authentication exchange, identification_t* */
-	AUTH_RULE_IDENTITY,
-	/** authentication class, auth_class_t */
-	AUTH_RULE_AUTH_CLASS,
-	/** EAP identity to use within EAP-Identity exchange, identification_t* */
-	AUTH_RULE_EAP_IDENTITY,
-	/** EAP type to propose for peer authentication, eap_type_t */
-	AUTH_RULE_EAP_TYPE,
-	/** EAP vendor for vendor specific type, u_int32_t */
-	AUTH_RULE_EAP_VENDOR,
-	/** certificate authority, certificate_t* */
-	AUTH_RULE_CA_CERT,
-	/** intermediate certificate in trustchain, certificate_t* */
-	AUTH_RULE_IM_CERT,
-	/** subject certificate, certificate_t* */
-	AUTH_RULE_SUBJECT_CERT,
-	/** result of a CRL validation, cert_validation_t */
-	AUTH_RULE_CRL_VALIDATION,
-	/** result of a OCSP validation, cert_validation_t */
-	AUTH_RULE_OCSP_VALIDATION,
-	/** subject is in attribute certificate group, identification_t* */
-	AUTH_RULE_AC_GROUP,
-
-	/** intermediate certificate, certificate_t* */
-	AUTH_HELPER_IM_CERT,
-	/** subject certificate, certificate_t* */
-	AUTH_HELPER_SUBJECT_CERT,
-	/** Hash and URL of a intermediate certificate, char* */
-	AUTH_HELPER_IM_HASH_URL,
-	/** Hash and URL of a end-entity certificate, char* */
-	AUTH_HELPER_SUBJECT_HASH_URL,
-};
-
-/**
- * enum name for auth_rule_t.
- */
-extern enum_name_t *auth_rule_names;
-
-/**
- * Authentication/Authorization round.
- *
- * RFC4739 defines multiple authentication rounds. This class defines such
- * a round from a configuration perspective, either for the local or the remote
- * peer. Local config are called "rulesets", as they define how we authenticate.
- * Remote peer configs are called "constraits", they define what is needed to
- * complete the authentication round successfully.
- *
- * @verbatim
-
-   [Repeat for each configuration]
-   +--------------------------------------------------+
-   |                                                  |
-   |                                                  |
-   |   +----------+     IKE_AUTH       +--------- +   |
-   |   |  config  |   ----------->     |          |   |
-   |   |  ruleset |                    |          |   |
-   |   +----------+ [ <----------- ]   |          |   |
-   |                [ optional EAP ]   |   Peer   |   |
-   |   +----------+ [ -----------> ]   |          |   |
-   |   |  config  |                    |          |   |
-   |   |  constr. |   <-----------     |          |   |
-   |   +----------+     IKE_AUTH       +--------- +   |
-   |                                                  |
-   |                                                  |
-   +--------------------------------------------------+
-
-   @endverbatim
- *
- * Values for each items are either pointers (casted to void*) or short
- * integers (use uintptr_t cast).
- */
-struct auth_cfg_t {
-
-	/**
-	 * Add an rule to the set.
-	 *
-	 * @param rule		rule type
-	 * @param ...		associated value to rule
-	 */
-	void (*add)(auth_cfg_t *this, auth_rule_t rule, ...);
-
-	/**
-	 * Get an rule value.
-	 *
-	 * @param rule		rule type
-	 * @return			bool if item has been found
-	 */
-	void* (*get)(auth_cfg_t *this, auth_rule_t rule);
-
-	/**
-	 * Create an enumerator over added rules.
-	 *
-	 * @return			enumerator over (auth_rule_t, union{void*,uintpr_t})
-	 */
-	enumerator_t* (*create_enumerator)(auth_cfg_t *this);
-
-	/**
-	 * Replace an rule at enumerator position.
-	 *
-	 * @param pos		enumerator position position
-	 * @param rule		rule type
-	 * @param ...		associated value to rule
-	 */
-	void (*replace)(auth_cfg_t *this, enumerator_t *pos,
-					auth_rule_t rule, ...);
-
-	/**
-	 * Check if a used config fulfills a set of configured constraints.
-	 *
-	 * @param constraints	required authorization rules
-	 * @param log_error		wheter to log compliance errors
-	 * @return				TRUE if this complies with constraints
-	 */
-	bool (*complies)(auth_cfg_t *this, auth_cfg_t *constraints, bool log_error);
-
-	/**
-	 * Merge items from other into this.
-	 *
-	 * @param other		items to read for merge
-	 * @param copy		TRUE to copy items, FALSE to move them
-	 */
-	void (*merge)(auth_cfg_t *this, auth_cfg_t *other, bool copy);
-
-	/**
-	 * Purge all rules in a config.
-	 *
-	 * @param keep_ca	wheter to keep AUTH_RULE_CA_CERT entries
-	 */
-	void (*purge)(auth_cfg_t *this, bool keep_ca);
-
-	/**
-	 * Check two configs for equality.
-	 *
-	 * @param other		other config to compaire against this
-	 * @return			TRUE if auth infos identical
-	 */
-	bool (*equals)(auth_cfg_t *this, auth_cfg_t *other);
-
-	/**
-	 * Clone a authentication config, including all rules.
-	 *
-	 * @return			cloned configuration
-	 */
-	auth_cfg_t* (*clone)(auth_cfg_t *this);
-
-	/**
-	 * Destroy a config with all associated rules/values.
-	 */
-	void (*destroy)(auth_cfg_t *this);
-};
-
-/**
- * Create a authentication config.
- */
-auth_cfg_t *auth_cfg_create();
-
-#endif /** AUTH_CFG_H_ @}*/
diff --git a/src/libcharon/config/child_cfg.c b/src/libcharon/config/child_cfg.c
index 8410b3fe5..70f38b285 100644
--- a/src/libcharon/config/child_cfg.c
+++ b/src/libcharon/config/child_cfg.c
@@ -17,6 +17,8 @@
 
 #include "child_cfg.h"
 
+#include <stdint.h>
+
 #include <daemon.h>
 
 ENUM(action_names, ACTION_NONE, ACTION_RESTART,
@@ -111,6 +113,20 @@ struct private_child_cfg_t {
 	 */
 	u_int32_t inactivity;
 
+	/**
+	 * Reqid to install CHILD_SA with
+	 */
+	u_int32_t reqid;
+
+	/**
+	 * Optional mark to install inbound CHILD_SA with
+	 */
+	mark_t mark_in;
+
+	/**
+	 * Optional mark to install outbound CHILD_SA with
+	 */
+	mark_t mark_out;
 	/**
 	 * set up IPsec transport SA in MIPv6 proxy mode
 	 */
@@ -445,6 +461,22 @@ static u_int32_t get_inactivity(private_child_cfg_t *this)
 	return this->inactivity;
 }
 
+/**
+ * Implementation of child_cfg_t.get_reqid.
+ */
+static u_int32_t get_reqid(private_child_cfg_t *this)
+{
+	return this->reqid;
+}
+
+/**
+ * Implementation of child_cfg_t.get_mark.
+ */
+static mark_t get_mark(private_child_cfg_t *this, bool inbound)
+{
+	return inbound ? this->mark_in : this->mark_out;
+}
+
 /**
  * Implementation of child_cfg_t.set_mipv6_options.
  */
@@ -506,7 +538,8 @@ child_cfg_t *child_cfg_create(char *name, lifetime_cfg_t *lifetime,
 							  char *updown, bool hostaccess,
 							  ipsec_mode_t mode, action_t dpd_action,
 							  action_t close_action, bool ipcomp,
-							  u_int32_t inactivity)
+							  u_int32_t inactivity, u_int32_t reqid,
+							  mark_t *mark_in, mark_t *mark_out)
 {
 	private_child_cfg_t *this = malloc_thing(private_child_cfg_t);
 
@@ -526,6 +559,8 @@ child_cfg_t *child_cfg_create(char *name, lifetime_cfg_t *lifetime,
 	this->public.set_mipv6_options = (void (*) (child_cfg_t*,bool,bool))set_mipv6_options;
 	this->public.use_ipcomp = (bool (*) (child_cfg_t *))use_ipcomp;
 	this->public.get_inactivity = (u_int32_t (*) (child_cfg_t *))get_inactivity;
+	this->public.get_reqid = (u_int32_t (*) (child_cfg_t *))get_reqid;
+	this->public.get_mark = (mark_t (*) (child_cfg_t *,bool))get_mark;
 	this->public.use_proxy_mode = (bool (*) (child_cfg_t *))use_proxy_mode;
 	this->public.install_policy = (bool (*) (child_cfg_t *))install_policy;
 	this->public.get_ref = (child_cfg_t* (*) (child_cfg_t*))get_ref;
@@ -539,6 +574,27 @@ child_cfg_t *child_cfg_create(char *name, lifetime_cfg_t *lifetime,
 	this->close_action = close_action;
 	this->use_ipcomp = ipcomp;
 	this->inactivity = inactivity;
+	this->reqid = reqid;
+
+	if (mark_in)
+	{
+		this->mark_in = *mark_in;
+	}
+	else
+	{
+		this->mark_in.value = 0;
+		this->mark_in.mask  = 0;
+	}
+	if (mark_out)
+	{
+		this->mark_out = *mark_out;
+	}
+	else
+	{
+		this->mark_out.value = 0;
+		this->mark_out.mask  = 0;
+	}
+
 	this->proxy_mode = FALSE;
 	this->install_policy = TRUE;
 	this->refcount = 1;
diff --git a/src/libcharon/config/child_cfg.h b/src/libcharon/config/child_cfg.h
index c6186ea36..d34835ead 100644
--- a/src/libcharon/config/child_cfg.h
+++ b/src/libcharon/config/child_cfg.h
@@ -26,6 +26,7 @@
 typedef enum action_t action_t;
 typedef enum ipcomp_transform_t ipcomp_transform_t;
 typedef struct lifetime_cfg_t lifetime_cfg_t;
+typedef struct mark_t mark_t;
 typedef struct child_cfg_t child_cfg_t;
 
 #include <library.h>
@@ -82,6 +83,16 @@ struct lifetime_cfg_t {
 	} time, bytes, packets;
 };
 
+/**
+ * A mark_t defines an optional mark in a CHILD_SA.
+ */
+struct mark_t {
+	/** Mark value */
+	u_int32_t value;
+	/** Mark mask */
+	u_int32_t mask;
+};
+
 /**
  * A child_cfg_t defines the config template for a CHILD_SA.
  *
@@ -238,6 +249,21 @@ struct child_cfg_t {
 	 */
 	u_int32_t (*get_inactivity)(child_cfg_t *this);
 
+	/**
+	 * Specific reqid to use for CHILD_SA
+	 *
+	 * @return				reqid
+	 */
+	u_int32_t (*get_reqid)(child_cfg_t *this);
+
+	/**
+	 * Optional mark for CHILD_SA
+	 *
+	 * @param inbound		TRUE for inbound, FALSE for outbound 
+	 * @return				mark
+	 */
+	mark_t (*get_mark)(child_cfg_t *this, bool inbound);
+
 	/**
 	 * Sets two options needed for Mobile IPv6 interoperability
 	 *
@@ -299,12 +325,16 @@ struct child_cfg_t {
  * @param close_action		close action
  * @param ipcomp			use IPComp, if peer supports it
  * @param inactivity		inactivity timeout in s before closing a CHILD_SA
- * @return 					child_cfg_t object
+ * @param reqid				specific reqid to use for CHILD_SA, 0 for auto assign
+ * @param mark_in			optional inbound mark (can be NULL)
+ * @param mark_out			optional outbound mark (can be NULL)
+ * @return					child_cfg_t object
  */
 child_cfg_t *child_cfg_create(char *name, lifetime_cfg_t *lifetime,
 							  char *updown, bool hostaccess,
 							  ipsec_mode_t mode, action_t dpd_action,
 							  action_t close_action, bool ipcomp,
-							  u_int32_t inactivity);
+							  u_int32_t inactivity, u_int32_t reqid,
+							  mark_t *mark_in, mark_t *mark_out);
 
 #endif /** CHILD_CFG_H_ @}*/
diff --git a/src/libcharon/config/peer_cfg.h b/src/libcharon/config/peer_cfg.h
index 6855276f8..723435cbb 100644
--- a/src/libcharon/config/peer_cfg.h
+++ b/src/libcharon/config/peer_cfg.h
@@ -36,7 +36,7 @@ typedef struct peer_cfg_t peer_cfg_t;
 #include <config/child_cfg.h>
 #include <sa/authenticators/authenticator.h>
 #include <sa/authenticators/eap/eap_method.h>
-#include <config/auth_cfg.h>
+#include <credentials/auth_cfg.h>
 
 /**
  * Certificate sending policy. This is also used for certificate
diff --git a/src/libcharon/credentials/credential_manager.c b/src/libcharon/credentials/credential_manager.c
deleted file mode 100644
index adea0b4be..000000000
--- a/src/libcharon/credentials/credential_manager.c
+++ /dev/null
@@ -1,1681 +0,0 @@
-/*
- * Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "credential_manager.h"
-
-#include <daemon.h>
-#include <threading/thread_value.h>
-#include <threading/mutex.h>
-#include <threading/rwlock.h>
-#include <utils/linked_list.h>
-#include <credentials/sets/cert_cache.h>
-#include <credentials/sets/auth_cfg_wrapper.h>
-#include <credentials/sets/ocsp_response_wrapper.h>
-#include <credentials/certificates/x509.h>
-#include <credentials/certificates/crl.h>
-#include <credentials/certificates/ocsp_request.h>
-#include <credentials/certificates/ocsp_response.h>
-
-typedef struct private_credential_manager_t private_credential_manager_t;
-
-/**
- * private data of credential_manager
- */
-struct private_credential_manager_t {
-
-	/**
-	 * public functions
-	 */
-	credential_manager_t public;
-
-	/**
-	 * list of credential sets
-	 */
-	linked_list_t *sets;
-
-	/**
-	 * thread local set of credentials, linked_list_t with credential_set_t's
-	 */
-	thread_value_t *local_sets;
-
-	/**
-	 * trust relationship and certificate cache
-	 */
-	cert_cache_t *cache;
-
-	/**
-	 * certificates queued for persistent caching
-	 */
-	linked_list_t *cache_queue;
-
-	/**
-	 * read-write lock to sets list
-	 */
-	rwlock_t *lock;
-
-	/**
-	 * mutex for cache queue
-	 */
-	mutex_t *queue_mutex;
-};
-
-/** data to pass to create_private_enumerator */
-typedef struct {
-	private_credential_manager_t *this;
-	key_type_t type;
-	identification_t* keyid;
-} private_data_t;
-
-/** data to pass to create_cert_enumerator */
-typedef struct {
-	private_credential_manager_t *this;
-	certificate_type_t cert;
-	key_type_t key;
-	identification_t *id;
-	bool trusted;
-} cert_data_t;
-
-/** data to pass to create_cdp_enumerator */
-typedef struct {
-	private_credential_manager_t *this;
-	certificate_type_t type;
-	identification_t *id;
-} cdp_data_t;
-
-/** data to pass to create_shared_enumerator */
-typedef struct {
-	private_credential_manager_t *this;
-	shared_key_type_t type;
-	identification_t *me;
-	identification_t *other;
-} shared_data_t;
-
-/** enumerator over local and global sets */
-typedef struct {
-	/** implements enumerator_t */
-	enumerator_t public;
-	/** enumerator over global sets */
-	enumerator_t *global;
-	/** enumerator over local sets */
-	enumerator_t *local;
-} sets_enumerator_t;
-
-/**
- * destroy a sets_enumerator_t
- */
-static void sets_enumerator_destroy(sets_enumerator_t *this)
-{
-	DESTROY_IF(this->global);
-	DESTROY_IF(this->local);
-	free(this);
-}
-
-/**
- * sets_enumerator_t.enumerate
- */
-static bool sets_enumerator_enumerate(sets_enumerator_t *this,
-									  credential_set_t **set)
-{
-	if (this->global)
-	{
-		if (this->global->enumerate(this->global, set))
-		{
-			return TRUE;
-		}
-		/* end of global sets, look for local */
-		this->global->destroy(this->global);
-		this->global = NULL;
-	}
-	if (this->local)
-	{
-		return this->local->enumerate(this->local, set);
-	}
-	return FALSE;
-}
-
-/**
- * create an enumerator over both, global and local sets
- */
-static enumerator_t *create_sets_enumerator(private_credential_manager_t *this)
-{
-	linked_list_t *local;
-	sets_enumerator_t *enumerator = malloc_thing(sets_enumerator_t);
-
-	enumerator->public.enumerate = (void*)sets_enumerator_enumerate;
-	enumerator->public.destroy = (void*)sets_enumerator_destroy;
-	enumerator->global = this->sets->create_enumerator(this->sets);
-	enumerator->local = NULL;
-	local = this->local_sets->get(this->local_sets);
-	if (local)
-	{
-		enumerator->local = local->create_enumerator(local);
-	}
-	return &enumerator->public;
-}
-
-/**
- * cleanup function for cert data
- */
-static void destroy_cert_data(cert_data_t *data)
-{
-	data->this->lock->unlock(data->this->lock);
-	free(data);
-}
-
-/**
- * enumerator constructor for certificates
- */
-static enumerator_t *create_cert(credential_set_t *set, cert_data_t *data)
-{
-	return set->create_cert_enumerator(set, data->cert, data->key,
-									   data->id, data->trusted);
-}
-
-/**
- * Implementation of credential_manager_t.create_cert_enumerator.
- */
-static enumerator_t *create_cert_enumerator(private_credential_manager_t *this,
-						certificate_type_t certificate, key_type_t key,
-						identification_t *id, bool trusted)
-{
-	cert_data_t *data = malloc_thing(cert_data_t);
-	data->this = this;
-	data->cert = certificate;
-	data->key = key;
-	data->id = id;
-	data->trusted = trusted;
-
-	this->lock->read_lock(this->lock);
-	return enumerator_create_nested(create_sets_enumerator(this),
-									(void*)create_cert, data,
-									(void*)destroy_cert_data);
-}
-
-/**
- * Implementation of credential_manager_t.get_cert.
- */
-static certificate_t *get_cert(private_credential_manager_t *this,
-						certificate_type_t cert, key_type_t key,
-						identification_t *id, bool trusted)
-{
-	certificate_t *current, *found = NULL;
-	enumerator_t *enumerator;
-
-	enumerator = create_cert_enumerator(this, cert, key, id, trusted);
-	if (enumerator->enumerate(enumerator, &current))
-	{
-		/* TODO: best match? order by keyid, subject, sualtname */
-		found = current->get_ref(current);
-	}
-	enumerator->destroy(enumerator);
-	return found;
-}
-
-
-/**
- * cleanup function for cdp data
- */
-static void destroy_cdp_data(cdp_data_t *data)
-{
-	data->this->lock->unlock(data->this->lock);
-	free(data);
-}
-
-/**
- * enumerator constructor for CDPs
- */
-static enumerator_t *create_cdp(credential_set_t *set, cdp_data_t *data)
-{
-	return set->create_cdp_enumerator(set, data->type, data->id);
-}
-/**
- * Implementation of credential_manager_t.create_cdp_enumerator.
- */
-static enumerator_t * create_cdp_enumerator(private_credential_manager_t *this,
-								certificate_type_t type, identification_t *id)
-{
-	cdp_data_t *data = malloc_thing(cdp_data_t);
-	data->this = this;
-	data->type = type;
-	data->id = id;
-
-	this->lock->read_lock(this->lock);
-	return enumerator_create_nested(create_sets_enumerator(this),
-									(void*)create_cdp, data,
-									(void*)destroy_cdp_data);
-}
-
-/**
- * cleanup function for private data
- */
-static void destroy_private_data(private_data_t *data)
-{
-	data->this->lock->unlock(data->this->lock);
-	free(data);
-}
-
-/**
- * enumerator constructor for private keys
- */
-static enumerator_t *create_private(credential_set_t *set, private_data_t *data)
-{
-	return set->create_private_enumerator(set, data->type, data->keyid);
-}
-
-/**
- * Implementation of credential_manager_t.create_private_enumerator.
- */
-static enumerator_t* create_private_enumerator(
-									private_credential_manager_t *this,
-									key_type_t key, identification_t *keyid)
-{
-	private_data_t *data;
-
-	data = malloc_thing(private_data_t);
-	data->this = this;
-	data->type = key;
-	data->keyid = keyid;
-	this->lock->read_lock(this->lock);
-	return enumerator_create_nested(create_sets_enumerator(this),
-									(void*)create_private, data,
-									(void*)destroy_private_data);
-}
-
-/**
- * Implementation of credential_manager_t.get_private_by_keyid.
- */
-static private_key_t *get_private_by_keyid(private_credential_manager_t *this,
-										key_type_t key, identification_t *keyid)
-{
-	private_key_t *found = NULL;
-	enumerator_t *enumerator;
-
-	enumerator = create_private_enumerator(this, key, keyid);
-	if (enumerator->enumerate(enumerator, &found))
-	{
-		found->get_ref(found);
-	}
-	enumerator->destroy(enumerator);
-	return found;
-}
-
-/**
- * cleanup function for shared data
- */
-static void destroy_shared_data(shared_data_t *data)
-{
-	data->this->lock->unlock(data->this->lock);
-	free(data);
-}
-
-/**
- * enumerator constructor for shared keys
- */
-static enumerator_t *create_shared(credential_set_t *set, shared_data_t *data)
-{
-	return set->create_shared_enumerator(set, data->type, data->me, data->other);
-}
-
-/**
- * Implementation of credential_manager_t.create_shared_enumerator.
- */
-static enumerator_t *create_shared_enumerator(private_credential_manager_t *this,
-						shared_key_type_t type,
-						identification_t *me, identification_t *other)
-{
-	shared_data_t *data = malloc_thing(shared_data_t);
-	data->this = this;
-	data->type = type;
-	data->me = me;
-	data->other = other;
-
-	this->lock->read_lock(this->lock);
-	return enumerator_create_nested(create_sets_enumerator(this),
-									(void*)create_shared, data,
-									(void*)destroy_shared_data);
-}
-
-/**
- * Implementation of credential_manager_t.get_shared.
- */
-static shared_key_t *get_shared(private_credential_manager_t *this,
-								shared_key_type_t type,	identification_t *me,
-								identification_t *other)
-{
-	shared_key_t *current, *found = NULL;
-	id_match_t *best_me = ID_MATCH_NONE, *best_other = ID_MATCH_NONE;
-	id_match_t *match_me, *match_other;
-	enumerator_t *enumerator;
-
-	enumerator = create_shared_enumerator(this, type, me, other);
-	while (enumerator->enumerate(enumerator, &current, &match_me, &match_other))
-	{
-		if (match_other > best_other ||
-			(match_other == best_other && match_me > best_me))
-		{
-			DESTROY_IF(found);
-			found = current->get_ref(current);
-			best_me = match_me;
-			best_other = match_other;
-		}
-	}
-	enumerator->destroy(enumerator);
-	return found;
-}
-
-/**
- * add a credential set to the thread local list
- */
-static void add_local_set(private_credential_manager_t *this,
-						  credential_set_t *set)
-{
-	linked_list_t *sets;
-
-	sets = this->local_sets->get(this->local_sets);
-	if (!sets)
-	{	/* first invocation */
-		sets = linked_list_create();
-		this->local_sets->set(this->local_sets, sets);
-	}
-	sets->insert_last(sets, set);
-}
-
-/**
- * remove a credential set from the thread local list
- */
-static void remove_local_set(private_credential_manager_t *this,
-							 credential_set_t *set)
-{
-	linked_list_t *sets;
-
-	sets = this->local_sets->get(this->local_sets);
-	sets->remove(sets, set, NULL);
-}
-
-/**
- * Implementation of credential_manager_t.cache_cert.
- */
-static void cache_cert(private_credential_manager_t *this, certificate_t *cert)
-{
-	credential_set_t *set;
-	enumerator_t *enumerator;
-
-	if (this->lock->try_write_lock(this->lock))
-	{
-		enumerator = this->sets->create_enumerator(this->sets);
-		while (enumerator->enumerate(enumerator, &set))
-		{
-			set->cache_cert(set, cert);
-		}
-		enumerator->destroy(enumerator);
-		this->lock->unlock(this->lock);
-	}
-	else
-	{	/* we can't cache now as other threads are active, queue for later */
-		this->queue_mutex->lock(this->queue_mutex);
-		this->cache_queue->insert_last(this->cache_queue, cert->get_ref(cert));
-		this->queue_mutex->unlock(this->queue_mutex);
-	}
-}
-
-/**
- * Try to cache certificates queued for caching
- */
-static void cache_queue(private_credential_manager_t *this)
-{
-	credential_set_t *set;
-	certificate_t *cert;
-	enumerator_t *enumerator;
-
-	this->queue_mutex->lock(this->queue_mutex);
-	if (this->cache_queue->get_count(this->cache_queue) > 0 &&
-		this->lock->try_write_lock(this->lock))
-	{
-		while (this->cache_queue->remove_last(this->cache_queue,
-											  (void**)&cert) == SUCCESS)
-		{
-			enumerator = this->sets->create_enumerator(this->sets);
-			while (enumerator->enumerate(enumerator, &set))
-			{
-				set->cache_cert(set, cert);
-			}
-			enumerator->destroy(enumerator);
-			cert->destroy(cert);
-		}
-		this->lock->unlock(this->lock);
-	}
-	this->queue_mutex->unlock(this->queue_mutex);
-}
-
-/**
- * forward declaration
- */
-static enumerator_t *create_trusted_enumerator(private_credential_manager_t *this,
-					key_type_t type, identification_t *id, bool crl, bool ocsp);
-
-/**
- * Do an OCSP request
- */
-static certificate_t *fetch_ocsp(private_credential_manager_t *this, char *url,
-								 certificate_t *subject, certificate_t *issuer)
-{
-	certificate_t *request, *response;
-	chunk_t send, receive;
-
-	/* TODO: requestor name, signature */
-	request = lib->creds->create(lib->creds,
-						CRED_CERTIFICATE, CERT_X509_OCSP_REQUEST,
-						BUILD_CA_CERT, issuer,
-						BUILD_CERT, subject, BUILD_END);
-	if (!request)
-	{
-		DBG1(DBG_CFG, "generating ocsp request failed");
-		return NULL;
-	}
-
-	send = request->get_encoding(request);
-	request->destroy(request);
-
-	DBG1(DBG_CFG, "  requesting ocsp status from '%s' ...", url);
-	if (lib->fetcher->fetch(lib->fetcher, url, &receive,
-							FETCH_REQUEST_DATA, send,
-							FETCH_REQUEST_TYPE, "application/ocsp-request",
-							FETCH_END) != SUCCESS)
-	{
-		DBG1(DBG_CFG, "ocsp request to %s failed", url);
-		chunk_free(&send);
-		return NULL;
-	}
-	chunk_free(&send);
-
-	response = lib->creds->create(lib->creds,
-								  CRED_CERTIFICATE, CERT_X509_OCSP_RESPONSE,
-								  BUILD_BLOB_ASN1_DER, receive, BUILD_END);
-	chunk_free(&receive);
-	if (!response)
-	{
-		DBG1(DBG_CFG, "parsing ocsp response failed");
-		return NULL;
-	}
-	return response;
-}
-
-/**
- * check the signature of an OCSP response
- */
-static bool verify_ocsp(private_credential_manager_t *this,
-						ocsp_response_t *response)
-{
-	certificate_t *issuer, *subject;
-	identification_t *responder;
-	ocsp_response_wrapper_t *wrapper;
-	enumerator_t *enumerator;
-	bool verified = FALSE;
-
-	wrapper = ocsp_response_wrapper_create((ocsp_response_t*)response);
-	add_local_set(this, &wrapper->set);
-
-	subject = &response->certificate;
-	responder = subject->get_issuer(subject);
-	enumerator = create_trusted_enumerator(this, KEY_ANY, responder, FALSE, FALSE);
-	while (enumerator->enumerate(enumerator, &issuer, NULL))
-	{
-		if (this->cache->issued_by(this->cache, subject, issuer))
-		{
-			DBG1(DBG_CFG, "  ocsp response correctly signed by \"%Y\"",
-							 issuer->get_subject(issuer));
-			verified = TRUE;
-			break;
-		}
-	}
-	enumerator->destroy(enumerator);
-
-	remove_local_set(this, &wrapper->set);
-	wrapper->destroy(wrapper);
-	return verified;
-}
-
-/**
- * Get the better of two OCSP responses, and check for usable OCSP info
- */
-static certificate_t *get_better_ocsp(private_credential_manager_t *this,
-									  certificate_t *cand, certificate_t *best,
-									  x509_t *subject, x509_t *issuer,
-									  cert_validation_t *valid, bool cache)
-{
-	ocsp_response_t *response;
-	time_t revocation, this_update, next_update, valid_until;
-	crl_reason_t reason;
-	bool revoked = FALSE;
-
-	response = (ocsp_response_t*)cand;
-
-	/* check ocsp signature */
-	if (!verify_ocsp(this, response))
-	{
-		DBG1(DBG_CFG, "ocsp response verification failed");
-		cand->destroy(cand);
-		return best;
-	}
-	/* check if response contains our certificate */
-	switch (response->get_status(response, subject, issuer, &revocation, &reason,
-								 &this_update, &next_update))
-	{
-		case VALIDATION_REVOKED:
-			/* subject has been revoked by a valid OCSP response */
-			DBG1(DBG_CFG, "certificate was revoked on %T, reason: %N",
-						  &revocation, TRUE, crl_reason_names, reason);
-			revoked = TRUE;
-			break;
-		case VALIDATION_GOOD:
-			/* results in either good or stale */
-			break;
-		default:
-		case VALIDATION_FAILED:
-			/* candidate unusable, does not contain our cert */
-			DBG1(DBG_CFG, "  ocsp response contains no status on our certificate");
-			cand->destroy(cand);
-			return best;
-	}
-
-	/* select the better of the two responses */
-	if (best == NULL || cand->is_newer(cand, best))
-	{
-		DESTROY_IF(best);
-		best = cand;
-		if (best->get_validity(best, NULL, NULL, &valid_until))
-		{
-			DBG1(DBG_CFG, "  ocsp response is valid: until %T",
-							 &valid_until, FALSE);
-			*valid = VALIDATION_GOOD;
-			if (cache)
-			{	/* cache non-stale only, stale certs get refetched */
-				cache_cert(this, best);
-			}
-		}
-		else
-		{
-			DBG1(DBG_CFG, "  ocsp response is stale: since %T",
-							 &valid_until, FALSE);
-			*valid = VALIDATION_STALE;
-		}
-	}
-	else
-	{
-		*valid = VALIDATION_STALE;
-		cand->destroy(cand);
-	}
-	if (revoked)
-	{	/* revoked always counts, even if stale */
-		*valid = VALIDATION_REVOKED;
-	}
-	return best;
-}
-
-/**
- * validate a x509 certificate using OCSP
- */
-static cert_validation_t check_ocsp(private_credential_manager_t *this,
-									x509_t *subject, x509_t *issuer,
-									auth_cfg_t *auth)
-{
-	enumerator_t *enumerator;
-	cert_validation_t valid = VALIDATION_SKIPPED;
-	certificate_t *best = NULL, *current;
-	identification_t *keyid = NULL;
-	public_key_t *public;
-	chunk_t chunk;
-	char *uri = NULL;
-
-	/** lookup cache for valid OCSP responses */
-	enumerator = create_cert_enumerator(this, CERT_X509_OCSP_RESPONSE,
-										KEY_ANY, NULL, FALSE);
-	while (enumerator->enumerate(enumerator, &current))
-	{
-		current->get_ref(current);
-		best = get_better_ocsp(this, current, best, subject, issuer,
-							   &valid, FALSE);
-		if (best && valid != VALIDATION_STALE)
-		{
-			DBG1(DBG_CFG, "  using cached ocsp response");
-			break;
-		}
-	}
-	enumerator->destroy(enumerator);
-
-	/* derive the authorityKeyIdentifier from the issuer's public key */
-	current = &issuer->interface;
-	public = current->get_public_key(current);
-	if (public && public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1, &chunk))
-	{
-		keyid = identification_create_from_encoding(ID_KEY_ID, chunk);
-	}
-	/** fetch from configured OCSP responder URLs */
-	if (keyid && valid != VALIDATION_GOOD && valid != VALIDATION_REVOKED)
-	{
-		enumerator = create_cdp_enumerator(this, CERT_X509_OCSP_RESPONSE, keyid);
-		while (enumerator->enumerate(enumerator, &uri))
-		{
-			current = fetch_ocsp(this, uri, &subject->interface,
-								 &issuer->interface);
-			if (current)
-			{
-				best = get_better_ocsp(this, current, best, subject, issuer,
-									   &valid, TRUE);
-				if (best && valid != VALIDATION_STALE)
-				{
-					break;
-				}
-			}
-		}
-		enumerator->destroy(enumerator);
-	}
-	DESTROY_IF(public);
-	DESTROY_IF(keyid);
-
-	/* fallback to URL fetching from subject certificate's URIs */
-	if (valid != VALIDATION_GOOD && valid != VALIDATION_REVOKED)
-	{
-		enumerator = subject->create_ocsp_uri_enumerator(subject);
-		while (enumerator->enumerate(enumerator, &uri))
-		{
-			current = fetch_ocsp(this, uri, &subject->interface,
-								 &issuer->interface);
-			if (current)
-			{
-				best = get_better_ocsp(this, current, best, subject, issuer,
-									   &valid, TRUE);
-				if (best && valid != VALIDATION_STALE)
-				{
-					break;
-				}
-			}
-		}
-		enumerator->destroy(enumerator);
-	}
-	/* an uri was found, but no result. switch validation state to failed */
-	if (valid == VALIDATION_SKIPPED && uri)
-	{
-		valid = VALIDATION_FAILED;
-	}
-	if (auth)
-	{
-		auth->add(auth, AUTH_RULE_OCSP_VALIDATION, valid);
-		if (valid == VALIDATION_GOOD)
-		{	/* successful OCSP check fulfills also CRL constraint */
-			auth->add(auth, AUTH_RULE_CRL_VALIDATION, VALIDATION_GOOD);
-		}
-	}
-	DESTROY_IF(best);
-	return valid;
-}
-
-/**
- * fetch a CRL from an URL
- */
-static certificate_t* fetch_crl(private_credential_manager_t *this, char *url)
-{
-	certificate_t *crl;
-	chunk_t chunk;
-
-	DBG1(DBG_CFG, "  fetching crl from '%s' ...", url);
-	if (lib->fetcher->fetch(lib->fetcher, url, &chunk, FETCH_END) != SUCCESS)
-	{
-		DBG1(DBG_CFG, "crl fetching failed");
-		return NULL;
-	}
-	crl = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL,
-							 BUILD_BLOB_ASN1_DER, chunk, BUILD_END);
-	chunk_free(&chunk);
-	if (!crl)
-	{
-		DBG1(DBG_CFG, "crl fetched successfully but parsing failed");
-		return NULL;
-	}
-	return crl;
-}
-
-/**
- * check the signature of an CRL
- */
-static bool verify_crl(private_credential_manager_t *this, certificate_t *crl)
-{
-	certificate_t *issuer;
-	enumerator_t *enumerator;
-	bool verified = FALSE;
-
-	enumerator = create_trusted_enumerator(this, KEY_ANY, crl->get_issuer(crl),
-										   FALSE, FALSE);
-	while (enumerator->enumerate(enumerator, &issuer, NULL))
-	{
-		if (this->cache->issued_by(this->cache, crl, issuer))
-		{
-			DBG1(DBG_CFG, "  crl correctly signed by \"%Y\"",
-						   issuer->get_subject(issuer));
-			verified = TRUE;
-			break;
-		}
-	}
-	enumerator->destroy(enumerator);
-
-	return verified;
-}
-
-/**
- * Get the better of two CRLs, and check for usable CRL info
- */
-static certificate_t *get_better_crl(private_credential_manager_t *this,
-									 certificate_t *cand, certificate_t *best,
-									 x509_t *subject, x509_t *issuer,
-									 cert_validation_t *valid, bool cache)
-{
-	enumerator_t *enumerator;
-	time_t revocation, valid_until;
-	crl_reason_t reason;
-	chunk_t serial;
-	crl_t *crl;
-
-	/* check CRL signature */
-	if (!verify_crl(this, cand))
-	{
-		DBG1(DBG_CFG, "crl response verification failed");
-		cand->destroy(cand);
-		return best;
-	}
-
-	crl = (crl_t*)cand;
-	enumerator = crl->create_enumerator(crl);
-	while (enumerator->enumerate(enumerator, &serial, &revocation, &reason))
-	{
-		if (chunk_equals(serial, subject->get_serial(subject)))
-		{
-			DBG1(DBG_CFG, "certificate was revoked on %T, reason: %N",
-				 &revocation, TRUE, crl_reason_names, reason);
-			*valid = VALIDATION_REVOKED;
-			enumerator->destroy(enumerator);
-			DESTROY_IF(best);
-			return cand;
-		}
-	}
-	enumerator->destroy(enumerator);
-
-	/* select the better of the two CRLs */
-	if (best == NULL || cand->is_newer(cand, best))
-	{
-		DESTROY_IF(best);
-		best = cand;
-		if (best->get_validity(best, NULL, NULL, &valid_until))
-		{
-			DBG1(DBG_CFG, "  crl is valid: until %T", &valid_until, FALSE);
-			*valid = VALIDATION_GOOD;
-			if (cache)
-			{	/* we cache non-stale crls only, as a stale crls are refetched */
-				cache_cert(this, best);
-			}
-		}
-		else
-		{
-			DBG1(DBG_CFG, "  crl is stale: since %T", &valid_until, FALSE);
-			*valid = VALIDATION_STALE;
-		}
-	}
-	else
-	{
-		*valid = VALIDATION_STALE;
-		cand->destroy(cand);
-	}
-	return best;
-}
-
-/**
- * validate a x509 certificate using CRL
- */
-static cert_validation_t check_crl(private_credential_manager_t *this,
-								   x509_t *subject, x509_t *issuer,
-								   auth_cfg_t *auth)
-{
-	cert_validation_t valid = VALIDATION_SKIPPED;
-	identification_t *keyid = NULL;
-	certificate_t *best = NULL;
-	certificate_t *current;
-	public_key_t *public;
-	enumerator_t *enumerator;
-	chunk_t chunk;
-	char *uri = NULL;
-
-	/* derive the authorityKeyIdentifier from the issuer's public key */
-	current = &issuer->interface;
-	public = current->get_public_key(current);
-	if (public && public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1, &chunk))
-	{
-		keyid = identification_create_from_encoding(ID_KEY_ID, chunk);
-
-		/* find a cached crl by authorityKeyIdentifier */
-		enumerator = create_cert_enumerator(this, CERT_X509_CRL, KEY_ANY,
-											keyid, FALSE);
-		while (enumerator->enumerate(enumerator, &current))
-		{
-			current->get_ref(current);
-			best = get_better_crl(this, current, best, subject, issuer,
-								  &valid, FALSE);
-			if (best && valid != VALIDATION_STALE)
-			{
-				DBG1(DBG_CFG, "  using cached crl");
-				break;
-			}
-		}
-		enumerator->destroy(enumerator);
-
-		/* fallback to fetching crls from credential sets cdps */
-		if (valid != VALIDATION_GOOD && valid != VALIDATION_REVOKED)
-		{
-			enumerator = create_cdp_enumerator(this, CERT_X509_CRL, keyid);
-
-			while (enumerator->enumerate(enumerator, &uri))
-			{
-				current = fetch_crl(this, uri);
-				if (current)
-				{
-					best = get_better_crl(this, current, best, subject, issuer,
-										  &valid, TRUE);
-					if (best && valid != VALIDATION_STALE)
-					{
-						break;
-					}
-				}
-			}
-			enumerator->destroy(enumerator);
-		}
-		keyid->destroy(keyid);
-	}
-	DESTROY_IF(public);
-
-	/* fallback to fetching crls from cdps from subject's certificate */
-	if (valid != VALIDATION_GOOD && valid != VALIDATION_REVOKED)
-	{
-		enumerator = subject->create_crl_uri_enumerator(subject);
-
-		while (enumerator->enumerate(enumerator, &uri))
-		{
-			current = fetch_crl(this, uri);
-			if (current)
-			{
-				best = get_better_crl(this, current, best, subject, issuer,
-									  &valid, TRUE);
-				if (best && valid != VALIDATION_STALE)
-				{
-					break;
-				}
-			}
-		}
-		enumerator->destroy(enumerator);
-	}
-
-	/* an uri was found, but no result. switch validation state to failed */
-	if (valid == VALIDATION_SKIPPED && uri)
-	{
-		valid = VALIDATION_FAILED;
-	}
-	if (auth)
-	{
-		if (valid == VALIDATION_SKIPPED)
-		{	/* if we skipped CRL validation, we use the result of OCSP for
-			 * constraint checking */
-			auth->add(auth, AUTH_RULE_CRL_VALIDATION,
-					  auth->get(auth, AUTH_RULE_OCSP_VALIDATION));
-		}
-		else
-		{
-			auth->add(auth, AUTH_RULE_CRL_VALIDATION, valid);
-		}
-	}
-	DESTROY_IF(best);
-	return valid;
-}
-
-/**
- * check a certificate for optional IP address block constraints
- */
-static bool check_ip_addr_block_constraints(x509_t *subject, x509_t *issuer)
-{
-	bool subject_constraint = subject->get_flags(subject) & X509_IP_ADDR_BLOCKS;
-	bool issuer_constraint = issuer->get_flags(issuer) & X509_IP_ADDR_BLOCKS;
-	bool contained = TRUE;
-
-	enumerator_t *subject_enumerator, *issuer_enumerator;
-	traffic_selector_t *subject_ts, *issuer_ts;
-
-	if (!subject_constraint && !issuer_constraint)
-	{
-		return TRUE;		
-	}
-	if (!subject_constraint)
-	{
-		DBG1(DBG_CFG, "subject certficate lacks ipAddrBlocks extension");
-		return FALSE;
-	}
-	if (!issuer_constraint)
-	{
-		DBG1(DBG_CFG, "issuer certficate lacks ipAddrBlocks extension");
-		return FALSE;		
-	}
-	subject_enumerator = subject->create_ipAddrBlock_enumerator(subject);
-	while (subject_enumerator->enumerate(subject_enumerator, &subject_ts))
-	{
-		contained = FALSE;
-
-		issuer_enumerator = issuer->create_ipAddrBlock_enumerator(issuer);
-		while (issuer_enumerator->enumerate(issuer_enumerator, &issuer_ts))
-		{
-			if (subject_ts->is_contained_in(subject_ts, issuer_ts))
-			{
-				DBG2(DBG_CFG, "  subject address block %R is contained in "
-							  "issuer address block %R", subject_ts, issuer_ts);
-				contained = TRUE;
-				break;
-			}
-		}
-		issuer_enumerator->destroy(issuer_enumerator);
-		if (!contained)
-		{
-			DBG1(DBG_CFG, "subject address block %R is not contained in any "
-						  "issuer address block", subject_ts);
-			break;
-		}
-	}
-	subject_enumerator->destroy(subject_enumerator);
-	return contained;	
-}
-
-/**
- * check a certificate for its lifetime
- */
-static bool check_certificate(private_credential_manager_t *this,
-							  certificate_t *subject, certificate_t *issuer,
-							  bool crl, bool ocsp, auth_cfg_t *auth)
-{
-	time_t not_before, not_after;
-
-	if (!subject->get_validity(subject, NULL, &not_before, &not_after))
-	{
-		DBG1(DBG_CFG, "subject certificate invalid (valid from %T to %T)",
-			 &not_before, FALSE, &not_after, FALSE);
-		return FALSE;
-	}
-	if (!issuer->get_validity(issuer, NULL, &not_before, &not_after))
-	{
-		DBG1(DBG_CFG, "issuer certificate invalid (valid from %T to %T)",
-			 &not_before, FALSE, &not_after, FALSE);
-		return FALSE;
-	}
-	if (issuer->get_type(issuer) == CERT_X509 &&
-		subject->get_type(subject) == CERT_X509)
-	{
-		if (!check_ip_addr_block_constraints((x509_t*)subject, (x509_t*)issuer))
-		{
-			return FALSE;
-		}
-		if (ocsp || crl)
-		{
-			DBG1(DBG_CFG, "checking certificate status of \"%Y\"",
-						   subject->get_subject(subject));
-		}
-		if (ocsp)
-		{
-			switch (check_ocsp(this, (x509_t*)subject, (x509_t*)issuer, auth))
-			{
-				case VALIDATION_GOOD:
-					DBG1(DBG_CFG, "certificate status is good");
-					return TRUE;
-				case VALIDATION_REVOKED:
-					/* has already been logged */
-					return FALSE;
-				case VALIDATION_SKIPPED:
-					DBG2(DBG_CFG, "ocsp check skipped, no ocsp found");
-					break;
-				case VALIDATION_STALE:
-					DBG1(DBG_CFG, "ocsp information stale, fallback to crl");
-					break;
-				case VALIDATION_FAILED:
-					DBG1(DBG_CFG, "ocsp check failed, fallback to crl");
-					break;
-			}
-		}
-		if (crl)
-		{
-			switch (check_crl(this, (x509_t*)subject, (x509_t*)issuer, auth))
-			{
-				case VALIDATION_GOOD:
-					DBG1(DBG_CFG, "certificate status is good");
-					return TRUE;
-				case VALIDATION_REVOKED:
-					/* has already been logged */
-					return FALSE;
-				case VALIDATION_FAILED:
-				case VALIDATION_SKIPPED:
-					DBG1(DBG_CFG, "certificate status is not available");
-					break;
-				case VALIDATION_STALE:
-					DBG1(DBG_CFG, "certificate status is unknown, crl is stale");
-					break;
-			}
-		}
-	}
-	return TRUE;
-}
-
-/**
- * Get a trusted certificate from a credential set
- */
-static certificate_t *get_pretrusted_cert(private_credential_manager_t *this,
-										  key_type_t type, identification_t *id)
-{
-	certificate_t *subject;
-	public_key_t *public;
-
-	subject = get_cert(this, CERT_ANY, type, id, TRUE);
-	if (!subject)
-	{
-		return NULL;
-	}
-	public = subject->get_public_key(subject);
-	if (!public)
-	{
-		subject->destroy(subject);
-		return NULL;
-	}
-	public->destroy(public);
-	return subject;
-}
-
-/**
- * Get the issuing certificate of a subject certificate
- */
-static certificate_t *get_issuer_cert(private_credential_manager_t *this,
-									  certificate_t *subject, bool trusted)
-{
-	enumerator_t *enumerator;
-	certificate_t *issuer = NULL, *candidate;
-
-	enumerator = create_cert_enumerator(this, subject->get_type(subject), KEY_ANY,
-										subject->get_issuer(subject), trusted);
-	while (enumerator->enumerate(enumerator, &candidate))
-	{
-		if (this->cache->issued_by(this->cache, subject, candidate))
-		{
-			issuer = candidate->get_ref(candidate);
-			break;
-		}
-	}
-	enumerator->destroy(enumerator);
-	return issuer;
-}
-
-/**
- * try to verify the trust chain of subject, return TRUE if trusted
- */
-static bool verify_trust_chain(private_credential_manager_t *this,
-							   certificate_t *subject, auth_cfg_t *result,
-							   bool trusted, bool crl, bool ocsp)
-{
-	certificate_t *current, *issuer;
-	x509_t *x509;
-	auth_cfg_t *auth;
-	int pathlen, pathlen_constraint;
-
-	auth = auth_cfg_create();
-	current = subject->get_ref(subject);
-
-	for (pathlen = 0; pathlen <= X509_MAX_PATH_LEN; pathlen++)
-	{
-		issuer = get_issuer_cert(this, current, TRUE);
-		if (issuer)
-		{
-			/* accept only self-signed CAs as trust anchor */
-			if (this->cache->issued_by(this->cache, issuer, issuer))
-			{
-				auth->add(auth, AUTH_RULE_CA_CERT, issuer->get_ref(issuer));
-				DBG1(DBG_CFG, "  using trusted ca certificate \"%Y\"",
-							  issuer->get_subject(issuer));
-				trusted = TRUE;
-			}
-			else
-			{
-				auth->add(auth, AUTH_RULE_IM_CERT, issuer->get_ref(issuer));
-				DBG1(DBG_CFG, "  using trusted intermediate ca certificate "
-					 "\"%Y\"", issuer->get_subject(issuer));
-			}
-		}
-		else
-		{
-			issuer = get_issuer_cert(this, current, FALSE);
-			if (issuer)
-			{
-				if (current->equals(current, issuer))
-				{
-					DBG1(DBG_CFG, "  self-signed certificate \"%Y\" is not trusted",
-						 current->get_subject(current));
-					issuer->destroy(issuer);
-					break;
-				}
-				auth->add(auth, AUTH_RULE_IM_CERT, issuer->get_ref(issuer));
-				DBG1(DBG_CFG, "  using untrusted intermediate certificate "
-					 "\"%Y\"", issuer->get_subject(issuer));
-			}
-			else
-			{
-				DBG1(DBG_CFG, "no issuer certificate found for \"%Y\"",
-					 current->get_subject(current));
-				break;
-			}
-		}
-		if (!check_certificate(this, current, issuer, crl, ocsp,
-							   current == subject ? auth : NULL))
-		{
-			trusted = FALSE;
-			issuer->destroy(issuer);
-			break;
-		}
-
-		/* check path length constraint */
-		x509 = (x509_t*)issuer;
-		pathlen_constraint = x509->get_pathLenConstraint(x509);
-		if (pathlen_constraint != X509_NO_PATH_LEN_CONSTRAINT &&
-			pathlen > pathlen_constraint)
-		{
-			DBG1(DBG_CFG, "path length of %d violates constraint of %d",
-				 pathlen, pathlen_constraint);
-			trusted = FALSE;
-			issuer->destroy(issuer);
-			break;
-		}
-		current->destroy(current);
-		current = issuer;
-		if (trusted)
-		{
-			DBG1(DBG_CFG, "  reached self-signed root ca with a path length of %d",
-						  pathlen);
-			break;
-		}
-	}
-	current->destroy(current);
-	if (pathlen > X509_MAX_PATH_LEN)
-	{
-		DBG1(DBG_CFG, "maximum path length of %d exceeded", X509_MAX_PATH_LEN);
-	}
-	if (trusted)
-	{
-		result->merge(result, auth, FALSE);
-	}
-	auth->destroy(auth);
-	return trusted;
-}
-
-/**
- * enumerator for trusted certificates
- */
-typedef struct {
-	/** implements enumerator_t interface */
-	enumerator_t public;
-	/** enumerator over candidate peer certificates */
-	enumerator_t *candidates;
-	/** reference to the credential_manager */
-	private_credential_manager_t *this;
-	/** type of the requested key */
-	key_type_t type;
-	/** identity the requested key belongs to */
-	identification_t *id;
-	/** TRUE to do CRL checking */
-	bool crl;
-	/** TRUE to do OCSP checking */
-	bool ocsp;
-	/** pretrusted certificate we have served at first invocation */
-	certificate_t *pretrusted;
-	/** currently enumerating auth config */
-	auth_cfg_t *auth;
-} trusted_enumerator_t;
-
-/**
- * Implements trusted_enumerator_t.enumerate
- */
-static bool trusted_enumerate(trusted_enumerator_t *this,
-							  certificate_t **cert, auth_cfg_t **auth)
-{
-	certificate_t *current;
-
-	DESTROY_IF(this->auth);
-	this->auth = auth_cfg_create();
-
-	if (!this->candidates)
-	{
-		/* first invocation, build enumerator for next one */
-		this->candidates = create_cert_enumerator(this->this, CERT_ANY,
-												  this->type, this->id, FALSE);
-		/* check if we have a trusted certificate for that peer */
-		this->pretrusted = get_pretrusted_cert(this->this, this->type, this->id);
-		if (this->pretrusted)
-		{
-			/* if we find a trusted self signed certificate, we just accept it.
-			 * However, in order to fulfill authorization rules, we try to build
-			 * the trust chain if it is not self signed */
-			if (this->this->cache->issued_by(this->this->cache,
-								   this->pretrusted, this->pretrusted) ||
-				verify_trust_chain(this->this, this->pretrusted, this->auth,
-								   TRUE, this->crl, this->ocsp))
-			{
-				this->auth->add(this->auth, AUTH_RULE_SUBJECT_CERT,
-								this->pretrusted->get_ref(this->pretrusted));
-				DBG1(DBG_CFG, "  using trusted certificate \"%Y\"",
-					 this->pretrusted->get_subject(this->pretrusted));
-				*cert = this->pretrusted;
-				if (auth)
-				{
-					*auth = this->auth;
-				}
-				return TRUE;
-			}
-		}
-	}
-	/* try to verify the trust chain for each certificate found */
-	while (this->candidates->enumerate(this->candidates, &current))
-	{
-		if (this->pretrusted &&
-			this->pretrusted->equals(this->pretrusted, current))
-		{	/* skip pretrusted certificate we already served */
-			continue;
-		}
-
-		DBG1(DBG_CFG, "  using certificate \"%Y\"",
-			 current->get_subject(current));
-		if (verify_trust_chain(this->this, current, this->auth, FALSE,
-							   this->crl, this->ocsp))
-		{
-			*cert = current;
-			if (auth)
-			{
-				*auth = this->auth;
-			}
-			return TRUE;
-		}
-	}
-	return FALSE;
-}
-
-/**
- * Implements trusted_enumerator_t.destroy
- */
-static void trusted_destroy(trusted_enumerator_t *this)
-{
-	DESTROY_IF(this->pretrusted);
-	DESTROY_IF(this->auth);
-	DESTROY_IF(this->candidates);
-	free(this);
-}
-
-/**
- * create an enumerator over trusted certificates and their trustchain
- */
-static enumerator_t *create_trusted_enumerator(private_credential_manager_t *this,
-					key_type_t type, identification_t *id, bool crl, bool ocsp)
-{
-	trusted_enumerator_t *enumerator = malloc_thing(trusted_enumerator_t);
-
-	enumerator->public.enumerate = (void*)trusted_enumerate;
-	enumerator->public.destroy = (void*)trusted_destroy;
-
-	enumerator->candidates = NULL;
-	enumerator->this = this;
-	enumerator->type = type;
-	enumerator->id = id;
-	enumerator->crl = crl;
-	enumerator->ocsp = ocsp;
-	enumerator->pretrusted = NULL;
-	enumerator->auth = NULL;
-
-	return &enumerator->public;
-}
-
-/**
- * enumerator for public keys
- */
-typedef struct {
-	/** implements enumerator_t interface */
-	enumerator_t public;
-	/** enumerator over candidate peer certificates */
-	enumerator_t *inner;
-	/** reference to the credential_manager */
-	private_credential_manager_t *this;
-	/** currently enumerating key */
-	public_key_t *current;
-	/** credset wrapper around auth config */
-	auth_cfg_wrapper_t *wrapper;
-} public_enumerator_t;
-
-/**
- * Implements public_enumerator_t.enumerate
- */
-static bool public_enumerate(public_enumerator_t *this,
-							 public_key_t **key, auth_cfg_t **auth)
-{
-	certificate_t *cert;
-
-	while (this->inner->enumerate(this->inner, &cert, auth))
-	{
-		DESTROY_IF(this->current);
-		this->current = cert->get_public_key(cert);
-		if (this->current)
-		{
-			*key = this->current;
-			return TRUE;
-		}
-	}
-	return FALSE;
-}
-
-/**
- * Implements public_enumerator_t.destroy
- */
-static void public_destroy(public_enumerator_t *this)
-{
-	DESTROY_IF(this->current);
-	this->inner->destroy(this->inner);
-	if (this->wrapper)
-	{
-		remove_local_set(this->this, &this->wrapper->set);
-		this->wrapper->destroy(this->wrapper);
-	}
-	this->this->lock->unlock(this->this->lock);
-
-	/* check for delayed certificate cache queue */
-	cache_queue(this->this);
-	free(this);
-}
-
-/**
- * Implementation of credential_manager_t.create_public_enumerator.
- */
-static enumerator_t* create_public_enumerator(private_credential_manager_t *this,
-						key_type_t type, identification_t *id, auth_cfg_t *auth)
-{
-	public_enumerator_t *enumerator = malloc_thing(public_enumerator_t);
-
-	enumerator->public.enumerate = (void*)public_enumerate;
-	enumerator->public.destroy = (void*)public_destroy;
-	enumerator->inner = create_trusted_enumerator(this, type, id, TRUE, TRUE);
-	enumerator->this = this;
-	enumerator->current = NULL;
-	enumerator->wrapper = NULL;
-	if (auth)
-	{
-		enumerator->wrapper = auth_cfg_wrapper_create(auth);
-		add_local_set(this, &enumerator->wrapper->set);
-	}
-	this->lock->read_lock(this->lock);
-	return &enumerator->public;
-}
-
-/**
- * Check if a certificate's keyid is contained in the auth helper
- */
-static bool auth_contains_cacert(auth_cfg_t *auth, certificate_t *cert)
-{
-	enumerator_t *enumerator;
-	identification_t *value;
-	auth_rule_t type;
-	bool found = FALSE;
-
-	enumerator = auth->create_enumerator(auth);
-	while (enumerator->enumerate(enumerator, &type, &value))
-	{
-		if (type == AUTH_RULE_CA_CERT &&
-			cert->equals(cert, (certificate_t*)value))
-		{
-			found = TRUE;
-			break;
-		}
-	}
-	enumerator->destroy(enumerator);
-	return found;
-}
-
-/**
- * build a trustchain from subject up to a trust anchor in trusted
- */
-static auth_cfg_t *build_trustchain(private_credential_manager_t *this,
-									 certificate_t *subject, auth_cfg_t *auth)
-{
-	certificate_t *issuer, *current;
-	auth_cfg_t *trustchain;
-	int pathlen = 0;
-
-	trustchain = auth_cfg_create();
-
-	current = auth->get(auth, AUTH_RULE_CA_CERT);
-	if (!current)
-	{
-		/* no trust anchor specified, return this cert only */
-		trustchain->add(trustchain, AUTH_RULE_SUBJECT_CERT,
-						subject->get_ref(subject));
-		return trustchain;
-	}
-	current = subject->get_ref(subject);
-	while (TRUE)
-	{
-		if (auth_contains_cacert(auth, current))
-		{
-			trustchain->add(trustchain, AUTH_RULE_CA_CERT, current);
-			return trustchain;
-		}
-		if (subject == current)
-		{
-			trustchain->add(trustchain, AUTH_RULE_SUBJECT_CERT, current);
-		}
-		else
-		{
-			trustchain->add(trustchain, AUTH_RULE_IM_CERT, current);
-		}
-		issuer = get_issuer_cert(this, current, FALSE);
-		if (!issuer || issuer->equals(issuer, current) ||
-			pathlen > X509_MAX_PATH_LEN)
-		{
-			DESTROY_IF(issuer);
-			break;
-		}
-		current = issuer;
-		pathlen++;
-	}
-	trustchain->destroy(trustchain);
-	return NULL;
-}
-
-/**
- * find a private key of a give certificate
- */
-static private_key_t *get_private_by_cert(private_credential_manager_t *this,
-										  certificate_t *cert, key_type_t type)
-{
-	private_key_t *private = NULL;
-	identification_t *keyid;
-	chunk_t chunk;
-	public_key_t *public;
-
-	public = cert->get_public_key(cert);
-	if (public)
-	{
-		if (public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1, &chunk))
-		{
-			keyid = identification_create_from_encoding(ID_KEY_ID, chunk);
-			private = get_private_by_keyid(this, type, keyid);
-			keyid->destroy(keyid);
-		}
-		public->destroy(public);
-	}
-	return private;
-}
-
-/**
- * Implementation of credential_manager_t.get_private.
- */
-static private_key_t *get_private(private_credential_manager_t *this,
-								  key_type_t type, identification_t *id,
-								  auth_cfg_t *auth)
-{
-	enumerator_t *enumerator;
-	certificate_t *cert;
-	private_key_t *private = NULL;
-	auth_cfg_t *trustchain;
-
-	/* check if this is a lookup by key ID, and do it if so */
-	if (id && id->get_type(id) == ID_KEY_ID)
-	{
-		private = get_private_by_keyid(this, type, id);
-		if (private)
-		{
-			return private;
-		}
-	}
-
-	/* if a specific certificate is preferred, check for a matching key */
-	cert = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
-	if (cert)
-	{
-		private = get_private_by_cert(this, cert, type);
-		if (private)
-		{
-			trustchain = build_trustchain(this, cert, auth);
-			if (trustchain)
-			{
-				auth->merge(auth, trustchain, FALSE);
-				trustchain->destroy(trustchain);
-			}
-			return private;
-		}
-	}
-
-	/* try to build a trust chain for each certificate found */
-	enumerator = create_cert_enumerator(this, CERT_ANY, type, id, FALSE);
-	while (enumerator->enumerate(enumerator, &cert))
-	{
-		private = get_private_by_cert(this, cert, type);
-		if (private)
-		{
-			trustchain = build_trustchain(this, cert, auth);
-			if (trustchain)
-			{
-				auth->merge(auth, trustchain, FALSE);
-				trustchain->destroy(trustchain);
-				break;
-			}
-			private->destroy(private);
-			private = NULL;
-		}
-	}
-	enumerator->destroy(enumerator);
-
-	/* if no valid trustchain was found, fall back to the first usable cert */
-	if (!private)
-	{
-		enumerator = create_cert_enumerator(this, CERT_ANY, type, id, FALSE);
-		while (enumerator->enumerate(enumerator, &cert))
-		{
-			private = get_private_by_cert(this, cert, type);
-			if (private)
-			{
-				auth->add(auth, AUTH_RULE_SUBJECT_CERT, cert->get_ref(cert));
-				break;
-			}
-		}
-		enumerator->destroy(enumerator);
-	}
-	return private;
-}
-
-/**
- * Implementation of credential_manager_t.flush_cache.
- */
-static void flush_cache(private_credential_manager_t *this,
-						certificate_type_t type)
-{
-	this->cache->flush(this->cache, type);
-}
-
-/**
- * Implementation of credential_manager_t.add_set.
- */
-static void add_set(private_credential_manager_t *this,
-							   credential_set_t *set)
-{
-	this->lock->write_lock(this->lock);
-	this->sets->insert_last(this->sets, set);
-	this->lock->unlock(this->lock);
-}
-
-/**
- * Implementation of credential_manager_t.remove_set.
- */
-static void remove_set(private_credential_manager_t *this, credential_set_t *set)
-{
-	this->lock->write_lock(this->lock);
-	this->sets->remove(this->sets, set, NULL);
-	this->lock->unlock(this->lock);
-}
-
-/**
- * Implementation of credential_manager_t.destroy
- */
-static void destroy(private_credential_manager_t *this)
-{
-	cache_queue(this);
-	this->cache_queue->destroy(this->cache_queue);
-	this->sets->remove(this->sets, this->cache, NULL);
-	this->sets->destroy(this->sets);
-	this->local_sets->destroy(this->local_sets);
-	this->cache->destroy(this->cache);
-	this->lock->destroy(this->lock);
-	this->queue_mutex->destroy(this->queue_mutex);
-	free(this);
-}
-
-/*
- * see header file
- */
-credential_manager_t *credential_manager_create()
-{
-	private_credential_manager_t *this = malloc_thing(private_credential_manager_t);
-
-	this->public.create_cert_enumerator = (enumerator_t *(*)(credential_manager_t *this,certificate_type_t cert, key_type_t key,identification_t *id,bool))create_cert_enumerator;
-	this->public.create_shared_enumerator = (enumerator_t *(*)(credential_manager_t *this, shared_key_type_t type,identification_t *me, identification_t *other))create_shared_enumerator;
-	this->public.create_cdp_enumerator = (enumerator_t *(*)(credential_manager_t*, certificate_type_t type, identification_t *id))create_cdp_enumerator;
-	this->public.get_cert = (certificate_t *(*)(credential_manager_t *this,certificate_type_t cert, key_type_t key,identification_t *, bool))get_cert;
-	this->public.get_shared = (shared_key_t *(*)(credential_manager_t *this,shared_key_type_t type,identification_t *me, identification_t *other))get_shared;
-	this->public.get_private = (private_key_t*(*)(credential_manager_t*, key_type_t type, identification_t *, auth_cfg_t*))get_private;
-	this->public.create_public_enumerator = (enumerator_t*(*)(credential_manager_t*, key_type_t type, identification_t *id, auth_cfg_t *aut))create_public_enumerator;
-	this->public.flush_cache = (void(*)(credential_manager_t*, certificate_type_t type))flush_cache;
-	this->public.cache_cert = (void(*)(credential_manager_t*, certificate_t *cert))cache_cert;
-	this->public.add_set = (void(*)(credential_manager_t*, credential_set_t *set))add_set;
-	this->public.remove_set = (void(*)(credential_manager_t*, credential_set_t *set))remove_set;
-	this->public.destroy = (void(*)(credential_manager_t*))destroy;
-
-	this->sets = linked_list_create();
-	this->local_sets = thread_value_create((thread_cleanup_t)this->sets->destroy);
-	this->cache = cert_cache_create();
-	this->cache_queue = linked_list_create();
-	this->sets->insert_first(this->sets, this->cache);
-	this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
-	this->queue_mutex = mutex_create(MUTEX_TYPE_DEFAULT);
-
-	return &this->public;
-}
-
diff --git a/src/libcharon/credentials/credential_manager.h b/src/libcharon/credentials/credential_manager.h
deleted file mode 100644
index 0448da992..000000000
--- a/src/libcharon/credentials/credential_manager.h
+++ /dev/null
@@ -1,203 +0,0 @@
-/*
- * Copyright (C) 2007-2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup credential_manager credential_manager
- * @{ @ingroup ccredentials
- */
-
-#ifndef CREDENTIAL_MANAGER_H_
-#define CREDENTIAL_MANAGER_H_
-
-#include <utils/identification.h>
-#include <utils/enumerator.h>
-#include <config/auth_cfg.h>
-#include <credentials/credential_set.h>
-#include <credentials/keys/private_key.h>
-#include <credentials/keys/shared_key.h>
-#include <credentials/certificates/certificate.h>
-
-typedef struct credential_manager_t credential_manager_t;
-
-/**
- * Manages credentials using credential_sets.
- *
- * The credential manager is the entry point of the credential framework. It
- * uses so called "sets" to access credentials in a modular fashion, these
- * are implemented through the credential_set_t interface.
- * The manager additionally does trust chain verification and trust status
- * chaching. A set may call the managers methods if it needs credentials itself,
- * the manager uses recursive locking.
- *
- * @verbatim
-
-  +-------+        +----------------+
-  |   A   |        |                |          +------------------+
-  |   u   | -----> |                | ------>  |  +------------------+
-  |   t   |        |   credential-  |          |  |  +------------------+
-  |   h   | -----> |     manager    | ------>  +--|  |   credential-    | => IPC
-  |   e   |        |                |             +--|       sets       |
-  |   n   |   +--> |                | ------>        +------------------+
-  |   t   |   |    |                |                        |
-  |   i   |   |    |                |                        |
-  |   c   |   |    +----------------+                        |
-  |   a   |   |                                              |
-  |   t   |   +----------------------------------------------+
-  |   o   |                    may be recursive
-  |   r   |
-  +-------+
-
-   @endverbatim
- *
- * The credential manager uses rwlocks for performance reasons, credential
- * sets must be fully thread save.
- */
-struct credential_manager_t {
-
-	/**
-	 * Create an enumerator over all certificates.
-	 *
-	 * @param cert		kind of certificate
-	 * @param key		kind of key in certificate
-	 * @param id		subject this certificate belongs to
-	 * @param trusted	TRUE to list trusted certificates only
-	 * @return			enumerator over the certificates
-	 */
-	enumerator_t *(*create_cert_enumerator)(credential_manager_t *this,
-								certificate_type_t cert, key_type_t key,
-								identification_t *id, bool trusted);
-	/**
-	 * Create an enumerator over all shared keys.
-	 *
-	 * The enumerator enumerates over:
-	 *  shared_key_t*, id_match_t me, id_match_t other
-	 * But must accepts values for the id_matches.
-	 *
-	 * @param type		kind of requested shared key
-	 * @param first		first subject between key is shared
-	 * @param second	second subject between key is shared
-	 * @return			enumerator over shared keys
-	 */
-	enumerator_t *(*create_shared_enumerator)(credential_manager_t *this,
-								shared_key_type_t type,
-								identification_t *first, identification_t *second);
-	/**
-	 * Create an enumerator over all Certificate Distribution Points.
-	 *
-	 * @param type		kind of certificate the point distributes
-	 * @param id		identification of the distributed certificate
-	 * @return			enumerator of CDPs as char*
-	 */
-	enumerator_t *(*create_cdp_enumerator)(credential_manager_t *this,
-								certificate_type_t type, identification_t *id);
-	/**
-	 * Get a trusted or untrusted certificate.
-	 *
-	 * @param cert		kind of certificate
-	 * @param key		kind of key in certificate
-	 * @param id		subject this certificate belongs to
-	 * @param trusted	TRUE to get a trusted certificate only
-	 * @return			certificate, if found, NULL otherwise
-	 */
-	certificate_t *(*get_cert)(credential_manager_t *this,
-							   certificate_type_t cert, key_type_t key,
-							   identification_t *id, bool trusted);
-	/**
-	 * Get the best matching shared key for two IDs.
-	 *
-	 * @param type		kind of requested shared key
-	 * @param me		own identity
-	 * @param other		peers identity
-	 * @return			shared_key_t, NULL if none found
-	 */
-	shared_key_t *(*get_shared)(credential_manager_t *this, shared_key_type_t type,
-								identification_t *me, identification_t *other);
-	/**
-	 * Get a private key to create a signature.
-	 *
-	 * The get_private() method gets a secret private key identified by either
-	 * the keyid itself or an id the key belongs to.
-	 * The auth parameter contains additional information, such as receipients
-	 * trusted CA certs. Auth gets filled with subject and CA certificates
-	 * needed to validate a created signature.
-	 *
-	 * @param type		type of the key to get
-	 * @param id		identification the key belongs to
-	 * @param auth		auth config, including trusted CA certificates
-	 * @return			private_key_t, NULL if none found
-	 */
-	private_key_t* (*get_private)(credential_manager_t *this, key_type_t type,
-								  identification_t *id, auth_cfg_t *auth);
-
-	/**
-	 * Create an enumerator over trusted public keys.
-	 *
-	 * This method gets a an enumerator over trusted public keys to verify a
-	 * signature created by id. The auth parameter contains additional
-	 * authentication infos, e.g. peer and intermediate certificates.
-	 * The resulting enumerator enumerates over public_key_t *, auth_cfg_t *,
-	 * where the auth config helper contains rules for constraint checks.
-	 *
-	 * @param type		type of the key to get
-	 * @param id		owner of the key, signer of the signature
-	 * @param auth		authentication infos
-	 * @return			enumerator
-	 */
-	enumerator_t* (*create_public_enumerator)(credential_manager_t *this,
-					key_type_t type, identification_t *id, auth_cfg_t *auth);
-
-	/**
-	 * Cache a certificate by invoking cache_cert() on all registerd sets.
-	 *
-	 * @param cert		certificate to cache
-	 */
-	void (*cache_cert)(credential_manager_t *this, certificate_t *cert);
-
-	/**
-	 * Flush the certificate cache.
-	 *
-	 * Only the managers local cache is flushed, but not the sets cache filled
-	 * by the cache_cert() method.
-	 *
-	 * @param type		type of certificate to flush, or CERT_ANY
-	 */
-	void (*flush_cache)(credential_manager_t *this, certificate_type_t type);
-
-	/**
-	 * Register a credential set to the manager.
-	 *
-	 * @param set		set to register
-	 */
-	void (*add_set)(credential_manager_t *this, credential_set_t *set);
-
-	/**
-	 * Unregister a credential set from the manager.
-	 *
-	 * @param set		set to unregister
-	 */
-	void (*remove_set)(credential_manager_t *this, credential_set_t *set);
-
-	/**
-	 * Destroy a credential_manager instance.
-	 */
-	void (*destroy)(credential_manager_t *this);
-};
-
-/**
- * Create a credential_manager instance.
- */
-credential_manager_t *credential_manager_create();
-
-#endif /** CREDENTIAL_MANAGER_H_ @}*/
diff --git a/src/libcharon/credentials/credential_set.h b/src/libcharon/credentials/credential_set.h
deleted file mode 100644
index 274eb3feb..000000000
--- a/src/libcharon/credentials/credential_set.h
+++ /dev/null
@@ -1,108 +0,0 @@
-/*
- * Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup credential_set credential_set
- * @{ @ingroup ccredentials
- */
-
-#ifndef CREDENTIAL_SET_H_
-#define CREDENTIAL_SET_H_
-
-#include <credentials/keys/public_key.h>
-#include <credentials/keys/shared_key.h>
-#include <credentials/certificates/certificate.h>
-
-typedef struct credential_set_t credential_set_t;
-
-/**
- * A set of credentials.
- *
- * Contains private keys, shared keys and different kinds of certificates.
- * Enumerators are used because queries might return multiple matches.
- * Filter parameters restrict enumeration over specific items only.
- * See credential_manager_t for an overview of the credential framework.
- *
- * A credential set enumerator may not block the credential set, i.e. multiple
- * threads must be able to hold multiple enumerators, as the credential manager
- * is higly parallelized. The best way to achieve this is by using shared
- * read locks for the enumerators only. Otherwiese deadlocks will occur.
- * The writing cache_cert() routine is called by the manager only if no
- * enumerator is alive, so it is save to use a write lock there.
- */
-struct credential_set_t {
-
-	/**
-	 * Create an enumerator over private keys (private_key_t).
-	 *
-	 * The id is either a key identifier of the requested key, or an identity
-	 * of the key owner.
-	 *
-	 * @param type		type of requested private key
-	 * @param id		key identifier/owner
-	 * @return			enumerator over private_key_t's.
-	 */
-	enumerator_t *(*create_private_enumerator)(credential_set_t *this,
-						key_type_t type, identification_t *id);
-	/**
-	 * Create an enumerator over certificates (certificate_t).
-	 *
-	 * @param cert		kind of certificate
-	 * @param key		kind of key in certificate
-	 * @param id		identity (subject) this certificate belongs to
-	 * @param trusted	whether the certificate must be trustworthy
-	 * @return			enumerator as described above
-	 */
-	enumerator_t *(*create_cert_enumerator)(credential_set_t *this,
-						certificate_type_t cert, key_type_t key,
-						identification_t *id, bool trusted);
-	/**
-	 * Create an enumerator over shared keys (shared_key_t).
-	 *
-	 * The enumerator enumerates over:
-	 *  shared_key_t*, id_match_t me, id_match_t other
-	 * But must accept NULL values for the id_matches.
-	 *
-	 * @param type		kind of requested shared key
-	 * @param me		own identity
-	 * @param other		other identity who owns that secret
-	 * @return			enumerator as described above
-	 */
-	enumerator_t *(*create_shared_enumerator)(credential_set_t *this,
-						shared_key_type_t type,
-						identification_t *me, identification_t *other);
-
-	/**
-	 * Create an enumerator over certificate distribution points.
-	 *
-	 * @param type		type of the certificate to get a CDP
-	 * @param id		identification of the distributed certificate
-	 * @return			an enumerator over CDPs as char*
-	 */
-	enumerator_t *(*create_cdp_enumerator)(credential_set_t *this,
-						certificate_type_t type, identification_t *id);
-
-	/**
-	 * Cache a certificate in the credential set.
-	 *
-	 * The caching policy is implementation dependent, the sets may cache the
-	 * certificate in-memory, persistent on disk or not at all.
-	 *
-	 * @param cert		certificate to cache
-	 */
-	void (*cache_cert)(credential_set_t *this, certificate_t *cert);
-};
-
-#endif /** CREDENTIAL_SET_H_ @}*/
diff --git a/src/libcharon/credentials/sets/auth_cfg_wrapper.c b/src/libcharon/credentials/sets/auth_cfg_wrapper.c
deleted file mode 100644
index 82e33d283..000000000
--- a/src/libcharon/credentials/sets/auth_cfg_wrapper.c
+++ /dev/null
@@ -1,223 +0,0 @@
-/*
- * Copyright (C) 2008-2009 Martin Willi
- * Copyright (C) 2008 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <daemon.h>
-
-#include "auth_cfg_wrapper.h"
-
-typedef struct private_auth_cfg_wrapper_t private_auth_cfg_wrapper_t;
-
-/**
- * private data of auth_cfg_wrapper
- */
-struct private_auth_cfg_wrapper_t {
-
-	/**
-	 * public functions
-	 */
-	auth_cfg_wrapper_t public;
-
-	/**
-	 * wrapped auth info
-	 */
-	auth_cfg_t *auth;
-};
-
-/**
- * enumerator for auth_cfg_wrapper_t.create_cert_enumerator()
- */
-typedef struct {
-	/** implements enumerator_t */
-	enumerator_t public;
-	/** inner enumerator from auth_cfg */
-	enumerator_t *inner;
-	/** wrapped auth round */
-	auth_cfg_t *auth;
-	/** enumerated cert type */
-	certificate_type_t cert;
-	/** enumerated key type */
-	key_type_t key;
-	/** enumerated id */
-	identification_t *id;
-} wrapper_enumerator_t;
-
-/**
- * Tries to fetch a certificate that was supplied as "Hash and URL"
- * (replaces rule type and value in place).
- */
-static bool fetch_cert(wrapper_enumerator_t *enumerator,
-					   auth_rule_t *rule, void **value)
-{
-	char *url = (char*)*value;
-	if (!url)
-	{
-		/* fetching the certificate previously failed */
-		return FALSE;
-	}
-
-	chunk_t data;
-	certificate_t *cert;
-
-	DBG1(DBG_CFG, "  fetching certificate from '%s' ...", url);
-	if (lib->fetcher->fetch(lib->fetcher, url, &data, FETCH_END) != SUCCESS)
-	{
-		DBG1(DBG_CFG, "  fetching certificate failed");
-		/* we set the item to NULL, so we can skip it */
-		enumerator->auth->replace(enumerator->auth, enumerator->inner,
-								  *rule, NULL);
-		return FALSE;
-	}
-
-	cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
-							  BUILD_BLOB_ASN1_DER, data, BUILD_END);
-	free(data.ptr);
-
-	if (!cert)
-	{
-		DBG1(DBG_CFG, "  parsing fetched certificate failed");
-		/* we set the item to NULL, so we can skip it */
-		enumerator->auth->replace(enumerator->auth, enumerator->inner,
-								  *rule, NULL);
-		return FALSE;
-	}
-
-	DBG1(DBG_CFG, "  fetched certificate \"%Y\"", cert->get_subject(cert));
-	charon->credentials->cache_cert(charon->credentials, cert);
-
-	if (*rule == AUTH_HELPER_IM_HASH_URL)
-	{
-		*rule = AUTH_HELPER_IM_CERT;
-	}
-	else
-	{
-		*rule = AUTH_HELPER_SUBJECT_CERT;
-	}
-	*value = cert;
-	enumerator->auth->replace(enumerator->auth, enumerator->inner,
-							  *rule, cert->get_ref(cert));
-	return TRUE;
-}
-
-/**
- * enumerate function for wrapper_enumerator_t
- */
-static bool enumerate(wrapper_enumerator_t *this, certificate_t **cert)
-{
-	auth_rule_t rule;
-	certificate_t *current;
-	public_key_t *public;
-
-	while (this->inner->enumerate(this->inner, &rule, &current))
-	{
-		if (rule == AUTH_HELPER_IM_HASH_URL ||
-			rule == AUTH_HELPER_SUBJECT_HASH_URL)
-		{	/* on-demand fetching of hash and url certificates */
-			if (!fetch_cert(this, &rule, (void**)&current))
-			{
-				continue;
-			}
-		}
-		else if (rule != AUTH_HELPER_SUBJECT_CERT &&
-				 rule != AUTH_HELPER_IM_CERT)
-		{	/* handle only HELPER certificates */
-			continue;
-		}
-		if (this->cert != CERT_ANY && this->cert != current->get_type(current))
-		{	/* CERT type requested, but does not match */
-			continue;
-		}
-		public = current->get_public_key(current);
-		if (this->key != KEY_ANY && !public)
-		{	/* key type requested, but no public key */
-			DESTROY_IF(public);
-			continue;
-		}
-		if (this->key != KEY_ANY && public && this->key != public->get_type(public))
-		{	/* key type requested, but public key has another type */
-			DESTROY_IF(public);
-			continue;
-		}
-		DESTROY_IF(public);
-		if (this->id && !current->has_subject(current, this->id))
-		{	/* subject requested, but does not match */
-			continue;
-		}
-		*cert = current;
-		return TRUE;
-	}
-	return FALSE;
-}
-
-/**
- * destroy function for wrapper_enumerator_t
- */
-static void wrapper_enumerator_destroy(wrapper_enumerator_t *this)
-{
-	this->inner->destroy(this->inner);
-	free(this);
-}
-
-/**
- * implementation of auth_cfg_wrapper_t.set.create_cert_enumerator
- */
-static enumerator_t *create_enumerator(private_auth_cfg_wrapper_t *this,
-									   certificate_type_t cert, key_type_t key,
-									   identification_t *id, bool trusted)
-{
-	wrapper_enumerator_t *enumerator;
-
-	if (trusted)
-	{
-		return NULL;
-	}
-	enumerator = malloc_thing(wrapper_enumerator_t);
-	enumerator->auth = this->auth;
-	enumerator->cert = cert;
-	enumerator->key = key;
-	enumerator->id = id;
-	enumerator->inner = this->auth->create_enumerator(this->auth);
-	enumerator->public.enumerate = (void*)enumerate;
-	enumerator->public.destroy = (void*)wrapper_enumerator_destroy;
-	return &enumerator->public;
-}
-
-/**
- * Implementation of auth_cfg_wrapper_t.destroy
- */
-static void destroy(private_auth_cfg_wrapper_t *this)
-{
-	free(this);
-}
-
-/*
- * see header file
- */
-auth_cfg_wrapper_t *auth_cfg_wrapper_create(auth_cfg_t *auth)
-{
-	private_auth_cfg_wrapper_t *this = malloc_thing(private_auth_cfg_wrapper_t);
-
-	this->public.set.create_private_enumerator = (void*)return_null;
-	this->public.set.create_cert_enumerator = (void*)create_enumerator;
-	this->public.set.create_shared_enumerator = (void*)return_null;
-	this->public.set.create_cdp_enumerator = (void*)return_null;
-	this->public.set.cache_cert = (void*)nop;
-	this->public.destroy = (void(*)(auth_cfg_wrapper_t*))destroy;
-
-	this->auth = auth;
-
-	return &this->public;
-}
-
diff --git a/src/libcharon/credentials/sets/auth_cfg_wrapper.h b/src/libcharon/credentials/sets/auth_cfg_wrapper.h
deleted file mode 100644
index 7653fcdbf..000000000
--- a/src/libcharon/credentials/sets/auth_cfg_wrapper.h
+++ /dev/null
@@ -1,53 +0,0 @@
-/*
- * Copyright (C) 2008-2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup auth_cfg_wrapper auth_cfg_wrapper
- * @{ @ingroup sets
- */
-
-#ifndef AUTH_CFG_WRAPPER_H_
-#define AUTH_CFG_WRAPPER_H_
-
-#include <config/auth_cfg.h>
-#include <credentials/credential_set.h>
-
-typedef struct auth_cfg_wrapper_t auth_cfg_wrapper_t;
-
-/**
- * A wrapper around auth_cfg_t to handle it as a credential set.
- */
-struct auth_cfg_wrapper_t {
-
-	/**
-	 * implements credential_set_t
-	 */
-	credential_set_t set;
-
-	/**
-	 * Destroy a auth_cfg_wrapper instance.
-	 */
-	void (*destroy)(auth_cfg_wrapper_t *this);
-};
-
-/**
- * Create a auth_cfg_wrapper instance.
- *
- * @param auth		the wrapped auth info
- * @return			wrapper around auth
- */
-auth_cfg_wrapper_t *auth_cfg_wrapper_create(auth_cfg_t *auth);
-
-#endif /** AUTH_CFG_WRAPPER_H_ @}*/
diff --git a/src/libcharon/credentials/sets/cert_cache.c b/src/libcharon/credentials/sets/cert_cache.c
deleted file mode 100644
index 176accce2..000000000
--- a/src/libcharon/credentials/sets/cert_cache.c
+++ /dev/null
@@ -1,390 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "cert_cache.h"
-
-#include <time.h>
-#include <sched.h>
-
-#include <daemon.h>
-#include <threading/rwlock.h>
-#include <utils/linked_list.h>
-
-/** cache size, a power of 2 for fast modulo */
-#define CACHE_SIZE 32
-
-/** attempts to acquire a cache lock */
-#define REPLACE_TRIES 5
-
-typedef struct private_cert_cache_t private_cert_cache_t;
-typedef struct relation_t relation_t;
-
-/**
- * A trusted relation between subject and issuer
- */
-struct relation_t {
-
-	/**
-	 * subject of this relation
-	 */
-	certificate_t *subject;
-
-	/**
-	 * issuer of this relation
-	 */
-	certificate_t *issuer;
-
-	/**
-	 * Cache hits
-	 */
-	u_int hits;
-
-	/**
-	 * Lock for this relation
-	 */
-	rwlock_t *lock;
-};
-
-/**
- * private data of cert_cache
- */
-struct private_cert_cache_t {
-
-	/**
-	 * public functions
-	 */
-	cert_cache_t public;
-
-	/**
-	 * array of trusted subject-issuer relations
-	 */
-	relation_t relations[CACHE_SIZE];
-};
-
-/**
- * Cache relation in a free slot/replace an other
- */
-static void cache(private_cert_cache_t *this,
-				  certificate_t *subject, certificate_t *issuer)
-{
-	relation_t *rel;
-	int i, offset, try;
-	u_int total_hits = 0;
-
-	/* check for a unused relation slot first */
-	for (i = 0; i < CACHE_SIZE; i++)
-	{
-		rel = &this->relations[i];
-
-		if (!rel->subject && rel->lock->try_write_lock(rel->lock))
-		{
-			/* double-check having lock */
-			if (!rel->subject)
-			{
-				rel->subject = subject->get_ref(subject);
-				rel->issuer = issuer->get_ref(issuer);
-				return rel->lock->unlock(rel->lock);
-			}
-			rel->lock->unlock(rel->lock);
-		}
-		total_hits += rel->hits;
-	}
-	/* run several attempts to replace a random slot, never block. */
-	for (try = 0; try < REPLACE_TRIES; try++)
-	{
-		/* replace a random relation */
-		offset = random();
-		for (i = 0; i < CACHE_SIZE; i++)
-		{
-			rel = &this->relations[(i + offset) % CACHE_SIZE];
-
-			if (rel->hits > total_hits / CACHE_SIZE)
-			{	/* skip often used slots */
-				continue;
-			}
-			if (rel->lock->try_write_lock(rel->lock))
-			{
-				if (rel->subject)
-				{
-					rel->subject->destroy(rel->subject);
-					rel->issuer->destroy(rel->issuer);
-				}
-				rel->subject = subject->get_ref(subject);
-				rel->issuer = issuer->get_ref(issuer);
-				rel->hits = 0;
-				return rel->lock->unlock(rel->lock);
-			}
-		}
-		/* give other threads a chance to release locks */
-		sched_yield();
-	}
-}
-
-/**
- * Implementation of cert_cache_t.issued_by.
- */
-static bool issued_by(private_cert_cache_t *this,
-					  certificate_t *subject, certificate_t *issuer)
-{
-	relation_t *found = NULL, *current;
-	int i;
-
-	for (i = 0; i < CACHE_SIZE; i++)
-	{
-		current = &this->relations[i];
-
-		current->lock->read_lock(current->lock);
-		if (current->subject)
-		{
-			/* check for equal issuer */
-			if (issuer->equals(issuer, current->issuer))
-			{
-				/* reuse issuer instance in cache() */
-				issuer = current->issuer;
-				if (subject->equals(subject, current->subject))
-				{
-					/* write hit counter is not locked, but not critical */
-					current->hits++;
-					found = current;
-				}
-			}
-		}
-		current->lock->unlock(current->lock);
-		if (found)
-		{
-			return TRUE;
-		}
-	}
-	/* no cache hit, check and cache signature */
-	if (subject->issued_by(subject, issuer))
-	{
-		cache(this, subject, issuer);
-		return TRUE;
-	}
-	return FALSE;
-}
-
-/**
- * certificate enumerator implemenation
- */
-typedef struct {
-	/** implements enumerator_t interface */
-	enumerator_t public;
-	/** type of requested certificate */
-	certificate_type_t cert;
-	/** type of requested key */
-	key_type_t key;
-	/** ID to get a cert for */
-	identification_t *id;
-	/** cache */
-	relation_t *relations;
-	/** current position in array cache */
-	int index;
-	/** currently locked relation */
-	int locked;
-} cert_enumerator_t;
-
-/**
- * filter function for certs enumerator
- */
-static bool cert_enumerate(cert_enumerator_t *this, certificate_t **out)
-{
-	public_key_t *public;
-	relation_t *rel;
-
-	if (this->locked >= 0)
-	{
-		rel = &this->relations[this->locked];
-		rel->lock->unlock(rel->lock);
-		this->locked = -1;
-	}
-
-	while (++this->index < CACHE_SIZE)
-	{
-		rel = &this->relations[this->index];
-		rel->lock->read_lock(rel->lock);
-		this->locked = this->index;
-		if (rel->subject)
-		{
-			/* CRL lookup is done using issuer/authkeyidentifier */
-			if (this->key == KEY_ANY && this->id &&
-				(this->cert == CERT_ANY || this->cert == CERT_X509_CRL) &&
-				rel->subject->get_type(rel->subject) == CERT_X509_CRL &&
-				rel->subject->has_issuer(rel->subject, this->id))
-			{
-				*out = rel->subject;
-				return TRUE;
-			}
-			if ((this->cert == CERT_ANY ||
-				 rel->subject->get_type(rel->subject) == this->cert) &&
-				(!this->id || rel->subject->has_subject(rel->subject, this->id)))
-			{
-				if (this->key == KEY_ANY)
-				{
-					*out = rel->subject;
-					return TRUE;
-				}
-				public = rel->subject->get_public_key(rel->subject);
-				if (public)
-				{
-					if (public->get_type(public) == this->key)
-					{
-						public->destroy(public);
-						*out = rel->subject;
-						return TRUE;
-					}
-					public->destroy(public);
-				}
-			}
-		}
-		this->locked = -1;
-		rel->lock->unlock(rel->lock);
-	}
-	return FALSE;
-}
-
-/**
- * clean up enumeration data
- */
-static void cert_enumerator_destroy(cert_enumerator_t *this)
-{
-	relation_t *rel;
-
-	if (this->locked >= 0)
-	{
-		rel = &this->relations[this->locked];
-		rel->lock->unlock(rel->lock);
-	}
-	free(this);
-}
-
-/**
- * implementation of credential_set_t.create_cert_enumerator
- */
-static enumerator_t *create_enumerator(private_cert_cache_t *this,
-									   certificate_type_t cert, key_type_t key,
-									   identification_t *id, bool trusted)
-{
-	cert_enumerator_t *enumerator;
-
-	if (trusted)
-	{
-		return NULL;
-	}
-	enumerator = malloc_thing(cert_enumerator_t);
-	enumerator->public.enumerate = (void*)cert_enumerate;
-	enumerator->public.destroy = (void*)cert_enumerator_destroy;
-	enumerator->cert = cert;
-	enumerator->key = key;
-	enumerator->id = id;
-	enumerator->relations = this->relations;
-	enumerator->index = -1;
-	enumerator->locked = -1;
-
-	return &enumerator->public;
-}
-
-/**
- * Implementation of cert_cache_t.flush.
- */
-static void flush(private_cert_cache_t *this, certificate_type_t type)
-{
-	relation_t *rel;
-	int i;
-
-	for (i = 0; i < CACHE_SIZE; i++)
-	{
-		rel = &this->relations[i];
-		if (!rel->subject)
-		{
-			continue;
-		}
-		/* check with cheap read lock first */
-		if (type != CERT_ANY)
-		{
-			rel->lock->read_lock(rel->lock);
-			if (!rel->subject || type != rel->subject->get_type(rel->subject))
-			{
-				rel->lock->unlock(rel->lock);
-				continue;
-			}
-			rel->lock->unlock(rel->lock);
-		}
-		/* double check in write lock */
-		rel->lock->write_lock(rel->lock);
-		if (rel->subject)
-		{
-			if (type == CERT_ANY || type == rel->subject->get_type(rel->subject))
-			{
-				rel->subject->destroy(rel->subject);
-				rel->issuer->destroy(rel->issuer);
-				rel->subject = NULL;
-				rel->issuer = NULL;
-				rel->hits = 0;
-			}
-		}
-		rel->lock->unlock(rel->lock);
-	}
-}
-
-/**
- * Implementation of cert_cache_t.destroy
- */
-static void destroy(private_cert_cache_t *this)
-{
-	relation_t *rel;
-	int i;
-
-	for (i = 0; i < CACHE_SIZE; i++)
-	{
-		rel = &this->relations[i];
-		if (rel->subject)
-		{
-			rel->subject->destroy(rel->subject);
-			rel->issuer->destroy(rel->issuer);
-		}
-		rel->lock->destroy(rel->lock);
-	}
-	free(this);
-}
-
-/*
- * see header file
- */
-cert_cache_t *cert_cache_create()
-{
-	private_cert_cache_t *this;
-	int i;
-
-	this = malloc_thing(private_cert_cache_t);
-	this->public.set.create_private_enumerator = (void*)return_null;
-	this->public.set.create_cert_enumerator = (void*)create_enumerator;
-	this->public.set.create_shared_enumerator = (void*)return_null;
-	this->public.set.create_cdp_enumerator = (void*)return_null;
-	this->public.set.cache_cert = (void*)nop;
-	this->public.issued_by = (bool(*)(cert_cache_t*, certificate_t *subject, certificate_t *issuer))issued_by;
-	this->public.flush = (void(*)(cert_cache_t*, certificate_type_t type))flush;
-	this->public.destroy = (void(*)(cert_cache_t*))destroy;
-
-	for (i = 0; i < CACHE_SIZE; i++)
-	{
-		this->relations[i].subject = NULL;
-		this->relations[i].issuer = NULL;
-		this->relations[i].hits = 0;
-		this->relations[i].lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
-	}
-	return &this->public;
-}
-
diff --git a/src/libcharon/credentials/sets/cert_cache.h b/src/libcharon/credentials/sets/cert_cache.h
deleted file mode 100644
index d2721866e..000000000
--- a/src/libcharon/credentials/sets/cert_cache.h
+++ /dev/null
@@ -1,71 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup cert_cache cert_cache
- * @{ @ingroup sets
- */
-
-#ifndef CERT_CACHE_H_
-#define CERT_CACHE_H_
-
-#include <credentials/credential_set.h>
-
-typedef struct cert_cache_t cert_cache_t;
-
-/**
- * Certificate signature verification and certificate cache.
- *
- * This cache serves all certificates seen in its issued_by method
- * and serves them as untrusted through the credential set interface. Further,
- * it caches valid subject-issuer relationships to speed up the issued_by
- * method.
- */
-struct cert_cache_t {
-
-	/**
-	 * Implements credential_set_t.
-	 */
-	credential_set_t set;
-
-	/**
-	 * Caching wrapper around certificate_t.issued_by.
-	 *
-	 * @param subject		certificate to verify
-	 * @param issuer		issuing certificate to verify subject
-	 * @return				TRUE if subject issued by issuer
-	 */
-	bool (*issued_by)(cert_cache_t *this,
-					  certificate_t *subject, certificate_t *issuer);
-
-	/**
-	 * Flush the certificate cache.
-	 *
-	 * @param type			type of certificate to flush, or CERT_ANY
-	 */
-	void (*flush)(cert_cache_t *this, certificate_type_t type);
-
-	/**
-	 * Destroy a cert_cache instance.
-	 */
-	void (*destroy)(cert_cache_t *this);
-};
-
-/**
- * Create a cert_cache instance.
- */
-cert_cache_t *cert_cache_create();
-
-#endif /** CERT_CACHE_H_ @}*/
diff --git a/src/libcharon/credentials/sets/ocsp_response_wrapper.c b/src/libcharon/credentials/sets/ocsp_response_wrapper.c
deleted file mode 100644
index 82079209a..000000000
--- a/src/libcharon/credentials/sets/ocsp_response_wrapper.c
+++ /dev/null
@@ -1,147 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "ocsp_response_wrapper.h"
-
-typedef struct private_ocsp_response_wrapper_t private_ocsp_response_wrapper_t;
-
-/**
- * private data of ocsp_response_wrapper
- */
-struct private_ocsp_response_wrapper_t {
-
-	/**
-	 * public functions
-	 */
-	ocsp_response_wrapper_t public;
-
-	/**
-	 * wrapped OCSP response
-	 */
-	ocsp_response_t *response;
-};
-
-/**
- * enumerator for ocsp_response_wrapper_t.create_cert_enumerator()
- */
-typedef struct {
-	/** implements enumerator_t */
-	enumerator_t public;
-	/** enumerator over ocsp response */
-	enumerator_t *inner;
-	/** type of cert */
-	certificate_type_t cert;
-	/** type of key */
-	key_type_t key;
-	/** filtering identity */
-	identification_t *id;
-} wrapper_enumerator_t;
-
-/**
- * enumerate function wrapper_enumerator_t
- */
-static bool enumerate(wrapper_enumerator_t *this, certificate_t **cert)
-{
-	certificate_t *current;
-	public_key_t *public;
-
-	while (this->inner->enumerate(this->inner, &current))
-	{
-		if (this->cert != CERT_ANY && this->cert != current->get_type(current))
-		{	/* CERT type requested, but does not match */
-			continue;
-		}
-		public = current->get_public_key(current);
-		if (this->key != KEY_ANY && !public)
-		{	/* key type requested, but no public key */
-			DESTROY_IF(public);
-			continue;
-		}
-		if (this->key != KEY_ANY && public && this->key != public->get_type(public))
-		{	/* key type requested, but public key has another type */
-			DESTROY_IF(public);
-			continue;
-		}
-		DESTROY_IF(public);
-		if (this->id && !current->has_subject(current, this->id))
-		{	/* subject requested, but does not match */
-			continue;
-		}
-		*cert = current;
-		return TRUE;
-	}
-	return FALSE;
-}
-
-/**
- * destroy function for wrapper_enumerator_t
- */
-static void enumerator_destroy(wrapper_enumerator_t *this)
-{
-	this->inner->destroy(this->inner);
-	free(this);
-}
-
-/**
- * implementation of ocsp_response_wrapper_t.set.create_cert_enumerator
- */
-static enumerator_t *create_enumerator(private_ocsp_response_wrapper_t *this,
-									   certificate_type_t cert, key_type_t key,
-									   identification_t *id, bool trusted)
-{
-	wrapper_enumerator_t *enumerator;
-
-	if (trusted)
-	{
-		return NULL;
-	}
-
-	enumerator = malloc_thing(wrapper_enumerator_t);
-	enumerator->cert = cert;
-	enumerator->key = key;
-	enumerator->id = id;
-	enumerator->inner = this->response->create_cert_enumerator(this->response);
-	enumerator->public.enumerate = (void*)enumerate;
-	enumerator->public.destroy = (void*)enumerator_destroy;
-	return &enumerator->public;
-}
-
-/**
- * Implementation of ocsp_response_wrapper_t.destroy
- */
-static void destroy(private_ocsp_response_wrapper_t *this)
-{
-	free(this);
-}
-
-/*
- * see header file
- */
-ocsp_response_wrapper_t *ocsp_response_wrapper_create(ocsp_response_t *response)
-{
-	private_ocsp_response_wrapper_t *this = malloc_thing(private_ocsp_response_wrapper_t);
-
-	this->public.set.create_private_enumerator = (void*)return_null;
-	this->public.set.create_cert_enumerator = (void*)create_enumerator;
-	this->public.set.create_shared_enumerator = (void*)return_null;
-	this->public.set.create_cdp_enumerator = (void*)return_null;
-	this->public.set.cache_cert = (void*)nop;
-	this->public.destroy = (void(*)(ocsp_response_wrapper_t*))destroy;
-
-	this->response = response;
-
-	return &this->public;
-}
-
diff --git a/src/libcharon/credentials/sets/ocsp_response_wrapper.h b/src/libcharon/credentials/sets/ocsp_response_wrapper.h
deleted file mode 100644
index dc4b451df..000000000
--- a/src/libcharon/credentials/sets/ocsp_response_wrapper.h
+++ /dev/null
@@ -1,53 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup ocsp_response_wrapper ocsp_response_wrapper
- * @{ @ingroup sets
- */
-
-#ifndef OCSP_RESPONSE_WRAPPER_H_
-#define OCSP_RESPONSE_WRAPPER_H_
-
-#include <credentials/credential_set.h>
-#include <credentials/certificates/ocsp_response.h>
-
-typedef struct ocsp_response_wrapper_t ocsp_response_wrapper_t;
-
-/**
- * A wrapper around ocsp_response_t to handle it like a credential set.
- */
-struct ocsp_response_wrapper_t {
-
-	/**
-	 * implements credential_set_t
-	 */
-	credential_set_t set;
-
-	/**
-	 * Destroy a ocsp_response_wrapper instance.
-	 */
-	void (*destroy)(ocsp_response_wrapper_t *this);
-};
-
-/**
- * Create a ocsp_response_wrapper instance.
- *
- * @param response	the wrapped OCSP response
- * @return			wrapper around response
- */
-ocsp_response_wrapper_t *ocsp_response_wrapper_create(ocsp_response_t *response);
-
-#endif /** OCSP_RESPONSE_WRAPPER_H_ @}*/
diff --git a/src/libcharon/daemon.c b/src/libcharon/daemon.c
index 11c94beb9..c0227027c 100644
--- a/src/libcharon/daemon.c
+++ b/src/libcharon/daemon.c
@@ -19,16 +19,19 @@
 #include <stdio.h>
 #include <sys/types.h>
 #include <unistd.h>
+#include <syslog.h>
 #include <time.h>
 #include <errno.h>
+
 #ifdef CAPABILITIES
+#ifdef HAVE_SYS_CAPABILITY_H
 #include <sys/capability.h>
+#endif /* HAVE_SYS_CAPABILITY_H */
 #endif /* CAPABILITIES */
 
 #include "daemon.h"
 
 #include <library.h>
-#include <selectors/traffic_selector.h>
 #include <config/proposal.h>
 
 #ifndef LOG_AUTHPRIV /* not defined on OpenSolaris */
@@ -46,12 +49,16 @@ struct private_daemon_t {
 	 */
 	daemon_t public;
 
-#ifdef CAPABILITIES
 	/**
 	 * capabilities to keep
 	 */
+#ifdef CAPABILITIES_LIBCAP
 	cap_t caps;
-#endif /* CAPABILITIES */
+#endif /* CAPABILITIES_LIBCAP */
+#ifdef CAPABILITIES_NATIVE
+	struct __user_cap_data_struct caps;
+#endif /* CAPABILITIES_NATIVE */
+
 };
 
 /**
@@ -97,11 +104,12 @@ static void destroy(private_daemon_t *this)
 		this->public.ike_sa_manager->flush(this->public.ike_sa_manager);
 	}
 	DESTROY_IF(this->public.receiver);
+	DESTROY_IF(this->public.sender);
 	/* unload plugins to release threads */
 	lib->plugins->unload(lib->plugins);
-#ifdef CAPABILITIES
+#ifdef CAPABILITIES_LIBCAP
 	cap_free(this->caps);
-#endif /* CAPABILITIES */
+#endif /* CAPABILITIES_LIBCAP */
 	DESTROY_IF(this->public.traps);
 	DESTROY_IF(this->public.ike_sa_manager);
 	DESTROY_IF(this->public.kernel_interface);
@@ -114,8 +122,6 @@ static void destroy(private_daemon_t *this)
 	DESTROY_IF(this->public.mediation_manager);
 #endif /* ME */
 	DESTROY_IF(this->public.backends);
-	DESTROY_IF(this->public.credentials);
-	DESTROY_IF(this->public.sender);
 	DESTROY_IF(this->public.socket);
 	/* wait until all threads are gone */
 	DESTROY_IF(this->public.processor);
@@ -133,22 +139,36 @@ static void destroy(private_daemon_t *this)
 METHOD(daemon_t, keep_cap, void,
 	   private_daemon_t *this, u_int cap)
 {
-#ifdef CAPABILITIES
+#ifdef CAPABILITIES_LIBCAP
 	cap_set_flag(this->caps, CAP_EFFECTIVE, 1, &cap, CAP_SET);
 	cap_set_flag(this->caps, CAP_INHERITABLE, 1, &cap, CAP_SET);
 	cap_set_flag(this->caps, CAP_PERMITTED, 1, &cap, CAP_SET);
-#endif /* CAPABILITIES */
+#endif /* CAPABILITIES_LIBCAP */
+#ifdef CAPABILITIES_NATIVE
+	this->caps.effective |= 1 << cap;
+	this->caps.permitted |= 1 << cap;
+	this->caps.inheritable |= 1 << cap;
+#endif /* CAPABILITIES_NATIVE */
 }
 
 METHOD(daemon_t, drop_capabilities, bool,
 	   private_daemon_t *this)
 {
-#ifdef CAPABILITIES
+#ifdef CAPABILITIES_LIBCAP
 	if (cap_set_proc(this->caps) != 0)
 	{
 		return FALSE;
 	}
-#endif /* CAPABILITIES */
+#endif /* CAPABILITIES_LIBCAP */
+#ifdef CAPABILITIES_NATIVE
+	struct __user_cap_header_struct header = {
+		.version = _LINUX_CAPABILITY_VERSION,
+	};
+	if (capset(&header, &this->caps) != 0)
+	{
+		return FALSE;
+	}
+#endif /* CAPABILITIES_NATIVE */
 	return TRUE;
 }
 
@@ -254,8 +274,15 @@ static void initialize_loggers(private_daemon_t *this, bool use_stderr,
 					 filename, strerror(errno));
 				continue;
 			}
+			if (lib->settings->get_bool(lib->settings,
+							"charon.filelog.%s.flush_line", FALSE, filename))
+			{
+				setlinebuf(file);
+			}
 		}
-		file_logger = file_logger_create(file);
+		file_logger = file_logger_create(file,
+						lib->settings->get_str(lib->settings,
+							"charon.filelog.%s.time_format", NULL, filename));
 		def = lib->settings->get_int(lib->settings,
 									 "charon.filelog.%s.default", 1, filename);
 		for (group = 0; group < DBG_MAX; group++)
@@ -276,7 +303,7 @@ static void initialize_loggers(private_daemon_t *this, bool use_stderr,
 	if (!loggers_defined)
 	{
 		/* set up default stdout file_logger */
-		file_logger = file_logger_create(stdout);
+		file_logger = file_logger_create(stdout, NULL);
 		this->public.bus->add_listener(this->public.bus, &file_logger->listener);
 		this->public.file_loggers->insert_last(this->public.file_loggers,
 											   file_logger);
@@ -331,7 +358,6 @@ METHOD(daemon_t, initialize, bool,
 	/* load secrets, ca certificates and crls */
 	this->public.processor = processor_create();
 	this->public.scheduler = scheduler_create();
-	this->public.credentials = credential_manager_create();
 	this->public.controller = controller_create();
 	this->public.eap = eap_manager_create();
 	this->public.sim = sim_manager_create();
@@ -392,7 +418,9 @@ private_daemon_t *daemon_create()
 	);
 
 #ifdef CAPABILITIES
+#ifdef CAPABILITIES_LIBCAP
 	this->caps = cap_init();
+#endif /* CAPABILITIES_LIBCAP */
 	keep_cap(this, CAP_NET_ADMIN);
 	if (lib->leak_detective)
 	{
@@ -423,10 +451,6 @@ bool libcharon_init()
 	this = daemon_create();
 	charon = &this->public;
 
-	lib->printf_hook->add_handler(lib->printf_hook, 'R',
-								  traffic_selector_printf_hook,
-								  PRINTF_HOOK_ARGTYPE_POINTER,
-								  PRINTF_HOOK_ARGTYPE_END);
 	lib->printf_hook->add_handler(lib->printf_hook, 'P',
 								  proposal_printf_hook,
 								  PRINTF_HOOK_ARGTYPE_POINTER,
diff --git a/src/libcharon/daemon.h b/src/libcharon/daemon.h
index 9b6d97060..38f0256e7 100644
--- a/src/libcharon/daemon.h
+++ b/src/libcharon/daemon.h
@@ -31,12 +31,6 @@
  * @defgroup control control
  * @ingroup libcharon
  *
- * @defgroup ccredentials credentials
- * @ingroup libcharon
- *
- * @defgroup sets sets
- * @ingroup ccredentials
- *
  * @defgroup encoding encoding
  * @ingroup libcharon
  *
@@ -156,7 +150,6 @@ typedef struct daemon_t daemon_t;
 #include <sa/ike_sa_manager.h>
 #include <sa/trap_manager.h>
 #include <config/backend_manager.h>
-#include <credentials/credential_manager.h>
 #include <sa/authenticators/eap/eap_manager.h>
 #include <sa/authenticators/eap/sim_manager.h>
 
@@ -205,11 +198,6 @@ struct daemon_t {
 	 */
 	backend_manager_t *backends;
 
-	/**
-	 * Manager for the credential backends
-	 */
-	credential_manager_t *credentials;
-
 	/**
 	 * The Sender-Thread.
 	 */
diff --git a/src/libcharon/encoding/message.c b/src/libcharon/encoding/message.c
index acfc0fd44..ee49a6686 100644
--- a/src/libcharon/encoding/message.c
+++ b/src/libcharon/encoding/message.c
@@ -31,6 +31,7 @@
 #include <encoding/payloads/payload.h>
 #include <encoding/payloads/encryption_payload.h>
 #include <encoding/payloads/unknown_payload.h>
+#include <encoding/payloads/cp_payload.h>
 
 /**
  * Max number of notify payloads per IKEv2 Message
@@ -975,6 +976,39 @@ static char* get_string(private_message_t *this, char *buf, int len)
 			pos += written;
 			len -= written;
 		}
+		if (payload->get_type(payload) == CONFIGURATION)
+		{
+			cp_payload_t *cp = (cp_payload_t*)payload;
+			enumerator_t *attributes;
+			configuration_attribute_t *attribute;
+			bool first = TRUE;
+
+			attributes = cp->create_attribute_enumerator(cp);
+			while (attributes->enumerate(attributes, &attribute))
+			{
+				written = snprintf(pos, len, "%s%N", first ? "(" : " ",
+								   configuration_attribute_type_short_names,
+								   attribute->get_type(attribute));
+				if (written >= len || written < 0)
+				{
+					return buf;
+				}
+				pos += written;
+				len -= written;
+				first = FALSE;
+			}
+			attributes->destroy(attributes);
+			if (!first)
+			{
+				written = snprintf(pos, len, ")");
+				if (written >= len || written < 0)
+				{
+					return buf;
+				}
+				pos += written;
+				len -= written;
+			}
+		}
 	}
 	enumerator->destroy(enumerator);
 
diff --git a/src/libcharon/encoding/payloads/cert_payload.c b/src/libcharon/encoding/payloads/cert_payload.c
index 6dd3141f0..80239f654 100644
--- a/src/libcharon/encoding/payloads/cert_payload.c
+++ b/src/libcharon/encoding/payloads/cert_payload.c
@@ -320,7 +320,12 @@ cert_payload_t *cert_payload_create_from_cert(certificate_t *cert)
 			free(this);
 			return NULL;
 	}
-	this->data = cert->get_encoding(cert);
+	if (!cert->get_encoding(cert, CERT_ASN1_DER, &this->data))
+	{
+		DBG1(DBG_ENC, "encoding certificate for cert payload failed");
+		free(this);
+		return NULL;
+	}
 	this->payload_length = CERT_PAYLOAD_HEADER_LENGTH + this->data.len;
 	return &this->public;
 }
diff --git a/src/libcharon/kernel/kernel_interface.c b/src/libcharon/kernel/kernel_interface.c
index 64a43a7fc..837e628bc 100644
--- a/src/libcharon/kernel/kernel_interface.c
+++ b/src/libcharon/kernel/kernel_interface.c
@@ -67,8 +67,8 @@ METHOD(kernel_interface_t, get_cpi, status_t,
 METHOD(kernel_interface_t, add_sa, status_t,
 	private_kernel_interface_t *this, host_t *src, host_t *dst,
 	u_int32_t spi, protocol_id_t protocol, u_int32_t reqid,
-	lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
-	u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp,
+	mark_t mark, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
+	u_int16_t int_alg, chunk_t int_key,	ipsec_mode_t mode, u_int16_t ipcomp,
 	u_int16_t cpi, bool encap, bool inbound, traffic_selector_t *src_ts,
 	traffic_selector_t *dst_ts)
 {
@@ -77,82 +77,84 @@ METHOD(kernel_interface_t, add_sa, status_t,
 		return NOT_SUPPORTED;
 	}
 	return this->ipsec->add_sa(this->ipsec, src, dst, spi, protocol, reqid,
-			lifetime, enc_alg, enc_key, int_alg, int_key, mode, ipcomp, cpi,
-			encap, inbound, src_ts, dst_ts);
+			mark, lifetime, enc_alg, enc_key, int_alg, int_key,	mode, ipcomp,
+			cpi, encap, inbound, src_ts, dst_ts);
 }
 
 METHOD(kernel_interface_t, update_sa, status_t,
 	private_kernel_interface_t *this, u_int32_t spi, protocol_id_t protocol,
 	u_int16_t cpi, host_t *src, host_t *dst, host_t *new_src, host_t *new_dst,
-	bool encap, bool new_encap)
+	bool encap, bool new_encap, mark_t mark)
 {
 	if (!this->ipsec)
 	{
 		return NOT_SUPPORTED;
 	}
 	return this->ipsec->update_sa(this->ipsec, spi, protocol, cpi, src, dst,
-								  new_src, new_dst, encap, new_encap);
+								  new_src, new_dst, encap, new_encap, mark);
 }
 
 METHOD(kernel_interface_t, query_sa, status_t,
 	private_kernel_interface_t *this, host_t *src, host_t *dst,
-	u_int32_t spi, protocol_id_t protocol, u_int64_t *bytes)
+	u_int32_t spi, protocol_id_t protocol, mark_t mark, u_int64_t *bytes)
 {
 	if (!this->ipsec)
 	{
 		return NOT_SUPPORTED;
 	}
-	return this->ipsec->query_sa(this->ipsec, src, dst, spi, protocol, bytes);
+	return this->ipsec->query_sa(this->ipsec, src, dst, spi, protocol, mark, bytes);
 }
 
 METHOD(kernel_interface_t, del_sa, status_t,
 	private_kernel_interface_t *this, host_t *src, host_t *dst, u_int32_t spi,
-	protocol_id_t protocol, u_int16_t cpi)
+	protocol_id_t protocol, u_int16_t cpi, mark_t mark)
 {
 	if (!this->ipsec)
 	{
 		return NOT_SUPPORTED;
 	}
-	return this->ipsec->del_sa(this->ipsec, src, dst, spi, protocol, cpi);
+	return this->ipsec->del_sa(this->ipsec, src, dst, spi, protocol, cpi, mark);
 }
 
 METHOD(kernel_interface_t, add_policy, status_t,
 	private_kernel_interface_t *this, host_t *src, host_t *dst,
 	traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
 	policy_dir_t direction, u_int32_t spi, protocol_id_t protocol,
-	u_int32_t reqid, ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
-	bool routed)
+	u_int32_t reqid, mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp,
+	u_int16_t cpi,	bool routed)
 {
 	if (!this->ipsec)
 	{
 		return NOT_SUPPORTED;
 	}
 	return this->ipsec->add_policy(this->ipsec, src, dst, src_ts, dst_ts,
-			direction, spi, protocol, reqid, mode, ipcomp, cpi, routed);
+			direction, spi, protocol, reqid, mark, mode, ipcomp, cpi, routed);
 }
 
 METHOD(kernel_interface_t, query_policy, status_t,
 	private_kernel_interface_t *this, traffic_selector_t *src_ts,
-	traffic_selector_t *dst_ts, policy_dir_t direction, u_int32_t *use_time)
+	traffic_selector_t *dst_ts, policy_dir_t direction, mark_t mark,
+	u_int32_t *use_time)
 {
 	if (!this->ipsec)
 	{
 		return NOT_SUPPORTED;
 	}
 	return this->ipsec->query_policy(this->ipsec, src_ts, dst_ts,
-									 direction, use_time);
+									 direction, mark, use_time);
 }
 
 METHOD(kernel_interface_t, del_policy, status_t,
 	private_kernel_interface_t *this, traffic_selector_t *src_ts,
-	traffic_selector_t *dst_ts, policy_dir_t direction, bool unrouted)
+	traffic_selector_t *dst_ts, policy_dir_t direction, mark_t mark,
+	bool unrouted)
 {
 	if (!this->ipsec)
 	{
 		return NOT_SUPPORTED;
 	}
 	return this->ipsec->del_policy(this->ipsec, src_ts, dst_ts,
-								   direction, unrouted);
+								   direction, mark, unrouted);
 }
 
 METHOD(kernel_interface_t, get_source_addr, host_t*,
diff --git a/src/libcharon/kernel/kernel_interface.h b/src/libcharon/kernel/kernel_interface.h
index 4a62e76b8..92d85f9c9 100644
--- a/src/libcharon/kernel/kernel_interface.h
+++ b/src/libcharon/kernel/kernel_interface.h
@@ -90,6 +90,7 @@ struct kernel_interface_t {
 	 * @param spi			SPI allocated by us or remote peer
 	 * @param protocol		protocol for this SA (ESP/AH)
 	 * @param reqid			unique ID for this SA
+	 * @param mark			optional mark for this SA
 	 * @param lifetime		lifetime_cfg_t for this SA
 	 * @param enc_alg		Algorithm to use for encryption (ESP only)
 	 * @param enc_key		key to use for encryption
@@ -106,7 +107,7 @@ struct kernel_interface_t {
 	 */
 	status_t (*add_sa) (kernel_interface_t *this,
 						host_t *src, host_t *dst, u_int32_t spi,
-						protocol_id_t protocol, u_int32_t reqid,
+						protocol_id_t protocol, u_int32_t reqid, mark_t mark,
 						lifetime_cfg_t *lifetime,
 						u_int16_t enc_alg, chunk_t enc_key,
 						u_int16_t int_alg, chunk_t int_key,
@@ -131,6 +132,7 @@ struct kernel_interface_t {
 	 * @param new_dst		new destination address
 	 * @param encap			current use of UDP encapsulation
 	 * @param new_encap		new use of UDP encapsulation
+	 * @param mark			optional mark for this SA
 	 * @return				SUCCESS if operation completed, NOT_SUPPORTED if
 	 *					  the kernel interface can't update the SA
 	 */
@@ -138,7 +140,7 @@ struct kernel_interface_t {
 						  u_int32_t spi, protocol_id_t protocol, u_int16_t cpi,
 						  host_t *src, host_t *dst,
 						  host_t *new_src, host_t *new_dst,
-						  bool encap, bool new_encap);
+						  bool encap, bool new_encap, mark_t mark);
 
 	/**
 	 * Query the number of bytes processed by an SA from the SAD.
@@ -147,11 +149,13 @@ struct kernel_interface_t {
 	 * @param dst			destination address for this SA
 	 * @param spi			SPI allocated by us or remote peer
 	 * @param protocol		protocol for this SA (ESP/AH)
+	 * @param mark			optional mark for this SA
 	 * @param[out] bytes	the number of bytes processed by SA
 	 * @return				SUCCESS if operation completed
 	 */
 	status_t (*query_sa) (kernel_interface_t *this, host_t *src, host_t *dst,
-						  u_int32_t spi, protocol_id_t protocol, u_int64_t *bytes);
+						  u_int32_t spi, protocol_id_t protocol, mark_t mark,
+						  u_int64_t *bytes);
 
 	/**
 	 * Delete a previously installed SA from the SAD.
@@ -161,10 +165,12 @@ struct kernel_interface_t {
 	 * @param spi			SPI allocated by us or remote peer
 	 * @param protocol		protocol for this SA (ESP/AH)
 	 * @param cpi			CPI for IPComp or 0
+	 * @param mark			optional mark for this SA
 	 * @return				SUCCESS if operation completed
 	 */
 	status_t (*del_sa) (kernel_interface_t *this, host_t *src, host_t *dst,
-						u_int32_t spi, protocol_id_t protocol, u_int16_t cpi);
+						u_int32_t spi, protocol_id_t protocol, u_int16_t cpi,
+						mark_t mark);
 
 	/**
 	 * Add a policy to the SPD.
@@ -180,6 +186,7 @@ struct kernel_interface_t {
 	 * @param spi			SPI of SA
 	 * @param protocol		protocol to use to protect traffic (AH/ESP)
 	 * @param reqid			unique ID of an SA to use to enforce policy
+	 * @param mark			mark for this policy
 	 * @param mode			mode of SA (tunnel, transport)
 	 * @param ipcomp		the IPComp transform used
 	 * @param cpi			CPI for IPComp
@@ -192,8 +199,8 @@ struct kernel_interface_t {
 							traffic_selector_t *dst_ts,
 							policy_dir_t direction, u_int32_t spi,
 							protocol_id_t protocol, u_int32_t reqid,
-							ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
-							bool routed);
+							mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp,
+							u_int16_t cpi, bool routed);
 
 	/**
 	 * Query the use time of a policy.
@@ -204,13 +211,15 @@ struct kernel_interface_t {
 	 * @param src_ts		traffic selector to match traffic source
 	 * @param dst_ts		traffic selector to match traffic dest
 	 * @param direction		direction of traffic, POLICY_IN, POLICY_OUT, POLICY_FWD
+	 * @param mark			optional mark
 	 * @param[out] use_time	the time of this SA's last use
 	 * @return				SUCCESS if operation completed
 	 */
 	status_t (*query_policy) (kernel_interface_t *this,
 							  traffic_selector_t *src_ts,
 							  traffic_selector_t *dst_ts,
-							  policy_dir_t direction, u_int32_t *use_time);
+							  policy_dir_t direction, mark_t mark,
+							  u_int32_t *use_time);
 
 	/**
 	 * Remove a policy from the SPD.
@@ -223,13 +232,14 @@ struct kernel_interface_t {
 	 * @param src_ts		traffic selector to match traffic source
 	 * @param dst_ts		traffic selector to match traffic dest
 	 * @param direction		direction of traffic, POLICY_IN, POLICY_OUT, POLICY_FWD
+	 * @param mark			optional mark
 	 * @param unrouted		TRUE, if this policy is unrouted from the kernel
 	 * @return				SUCCESS if operation completed
 	 */
 	status_t (*del_policy) (kernel_interface_t *this,
 							traffic_selector_t *src_ts,
 							traffic_selector_t *dst_ts,
-							policy_dir_t direction,
+							policy_dir_t direction, mark_t mark,
 							bool unrouted);
 
 	/**
diff --git a/src/libcharon/kernel/kernel_ipsec.h b/src/libcharon/kernel/kernel_ipsec.h
index 300464cf6..d09265cc9 100644
--- a/src/libcharon/kernel/kernel_ipsec.h
+++ b/src/libcharon/kernel/kernel_ipsec.h
@@ -121,6 +121,7 @@ struct kernel_ipsec_t {
 	 * @param spi			SPI allocated by us or remote peer
 	 * @param protocol		protocol for this SA (ESP/AH)
 	 * @param reqid			unique ID for this SA
+	 * @param mark			mark for this SA
 	 * @param lifetime		lifetime_cfg_t for this SA
 	 * @param enc_alg		Algorithm to use for encryption (ESP only)
 	 * @param enc_key		key to use for encryption
@@ -138,7 +139,7 @@ struct kernel_ipsec_t {
 	status_t (*add_sa) (kernel_ipsec_t *this,
 						host_t *src, host_t *dst, u_int32_t spi,
 						protocol_id_t protocol, u_int32_t reqid,
-						lifetime_cfg_t *lifetime,
+						mark_t mark, lifetime_cfg_t *lifetime,
 						u_int16_t enc_alg, chunk_t enc_key,
 						u_int16_t int_alg, chunk_t int_key,
 						ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
@@ -162,6 +163,7 @@ struct kernel_ipsec_t {
 	 * @param new_dst		new destination address
 	 * @param encap			current use of UDP encapsulation
 	 * @param new_encap		new use of UDP encapsulation
+	 * @param mark			optional mark for this SA
 	 * @return				SUCCESS if operation completed, NOT_SUPPORTED if
 	 *					  the kernel interface can't update the SA
 	 */
@@ -169,7 +171,7 @@ struct kernel_ipsec_t {
 						  u_int32_t spi, protocol_id_t protocol, u_int16_t cpi,
 						  host_t *src, host_t *dst,
 						  host_t *new_src, host_t *new_dst,
-						  bool encap, bool new_encap);
+						  bool encap, bool new_encap, mark_t mark);
 
 	/**
 	 * Query the number of bytes processed by an SA from the SAD.
@@ -178,11 +180,13 @@ struct kernel_ipsec_t {
 	 * @param dst			destination address for this SA
 	 * @param spi			SPI allocated by us or remote peer
 	 * @param protocol		protocol for this SA (ESP/AH)
+	 * @param mark			optional mark for this SA
 	 * @param[out] bytes	the number of bytes processed by SA
 	 * @return				SUCCESS if operation completed
 	 */
 	status_t (*query_sa) (kernel_ipsec_t *this, host_t *src, host_t *dst,
-						  u_int32_t spi, protocol_id_t protocol, u_int64_t *bytes);
+						  u_int32_t spi, protocol_id_t protocol, mark_t mark,
+						  u_int64_t *bytes);
 
 	/**
 	 * Delete a previusly installed SA from the SAD.
@@ -192,10 +196,12 @@ struct kernel_ipsec_t {
 	 * @param spi			SPI allocated by us or remote peer
 	 * @param protocol		protocol for this SA (ESP/AH)
 	 * @param cpi			CPI for IPComp or 0
+	 * @param mark			optional mark for this SA
 	 * @return				SUCCESS if operation completed
 	 */
 	status_t (*del_sa) (kernel_ipsec_t *this, host_t *src, host_t *dst,
-						u_int32_t spi, protocol_id_t protocol, u_int16_t cpi);
+						u_int32_t spi, protocol_id_t protocol, u_int16_t cpi,
+						mark_t mark);
 
 	/**
 	 * Add a policy to the SPD.
@@ -211,6 +217,7 @@ struct kernel_ipsec_t {
 	 * @param spi			SPI of SA
 	 * @param protocol		protocol to use to protect traffic (AH/ESP)
 	 * @param reqid			unique ID of an SA to use to enforce policy
+	 * @param mark			mark for this policy
 	 * @param mode			mode of SA (tunnel, transport)
 	 * @param ipcomp		the IPComp transform used
 	 * @param cpi			CPI for IPComp
@@ -223,8 +230,8 @@ struct kernel_ipsec_t {
 							traffic_selector_t *dst_ts,
 							policy_dir_t direction, u_int32_t spi,
 							protocol_id_t protocol, u_int32_t reqid,
-							ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
-							bool routed);
+							mark_t mark, ipsec_mode_t mode,
+							u_int16_t ipcomp, u_int16_t cpi, bool routed);
 
 	/**
 	 * Query the use time of a policy.
@@ -236,13 +243,15 @@ struct kernel_ipsec_t {
 	 * @param src_ts		traffic selector to match traffic source
 	 * @param dst_ts		traffic selector to match traffic dest
 	 * @param direction		direction of traffic, POLICY_IN, POLICY_OUT, POLICY_FWD
+	 * @param mark			optional mark
 	 * @param[out] use_time	the monotonic timestamp of this SA's last use
 	 * @return				SUCCESS if operation completed
 	 */
 	status_t (*query_policy) (kernel_ipsec_t *this,
 							  traffic_selector_t *src_ts,
 							  traffic_selector_t *dst_ts,
-							  policy_dir_t direction, u_int32_t *use_time);
+							  policy_dir_t direction, mark_t mark,
+							  u_int32_t *use_time);
 
 	/**
 	 * Remove a policy from the SPD.
@@ -255,13 +264,14 @@ struct kernel_ipsec_t {
 	 * @param src_ts		traffic selector to match traffic source
 	 * @param dst_ts		traffic selector to match traffic dest
 	 * @param direction		direction of traffic, POLICY_IN, POLICY_OUT, POLICY_FWD
+	 * @param mark			optional mark
 	 * @param unrouted		TRUE, if this policy is unrouted from the kernel
 	 * @return				SUCCESS if operation completed
 	 */
 	status_t (*del_policy) (kernel_ipsec_t *this,
 							traffic_selector_t *src_ts,
 							traffic_selector_t *dst_ts,
-							policy_dir_t direction,
+							policy_dir_t direction, mark_t mark,
 							bool unrouted);
 
 	/**
diff --git a/src/libcharon/network/receiver.c b/src/libcharon/network/receiver.c
index df897021a..63a8cab58 100644
--- a/src/libcharon/network/receiver.c
+++ b/src/libcharon/network/receiver.c
@@ -103,7 +103,22 @@ struct private_receiver_t {
 	/**
 	 * Delay for receiving incoming packets, to simulate larger RTT
 	 */
-	u_int receive_delay;
+	int receive_delay;
+
+	/**
+	 * Specific message type to delay, 0 for any
+	 */
+	int receive_delay_type;
+
+	/**
+	 * Delay request messages?
+	 */
+	bool receive_delay_request;
+
+	/**
+	 * Delay response messages?
+	 */
+	bool receive_delay_response;
 };
 
 /**
@@ -242,7 +257,7 @@ static bool cookie_required(private_receiver_t *this, message_t *message)
 /**
  * check if peer has to many half open IKE_SAs
  */
-static bool peer_to_aggressive(private_receiver_t *this, message_t *message)
+static bool peer_too_aggressive(private_receiver_t *this, message_t *message)
 {
 	if (charon->ike_sa_manager->get_half_open_count(charon->ike_sa_manager,
 						message->get_source(message)) >= this->block_threshold)
@@ -259,7 +274,6 @@ static job_requeue_t receive_packets(private_receiver_t *this)
 {
 	packet_t *packet;
 	message_t *message;
-	job_t *job;
 
 	/* read in a packet */
 	if (charon->socket->receive(charon->socket, &packet) != SUCCESS)
@@ -321,7 +335,7 @@ static job_requeue_t receive_packets(private_receiver_t *this)
 		}
 
 		/* check if peer has not too many IKE_SAs half open */
-		if (this->block_threshold && peer_to_aggressive(this, message))
+		if (this->block_threshold && peer_too_aggressive(this, message))
 		{
 			DBG1(DBG_NET, "ignoring IKE_SA setup from %H, "
 				 "peer too aggressive", message->get_source(message));
@@ -329,16 +343,25 @@ static job_requeue_t receive_packets(private_receiver_t *this)
 			return JOB_REQUEUE_DIRECT;
 		}
 	}
-	job = (job_t*)process_message_job_create(message);
 	if (this->receive_delay)
 	{
-		charon->scheduler->schedule_job_ms(charon->scheduler,
-										   job, this->receive_delay);
-	}
-	else
-	{
-		charon->processor->queue_job(charon->processor, job);
+		if (this->receive_delay_type == 0 ||
+			this->receive_delay_type == message->get_exchange_type(message))
+		{
+			if ((message->get_request(message) && this->receive_delay_request) ||
+				(!message->get_request(message) && this->receive_delay_response))
+			{
+				DBG1(DBG_NET, "using receive delay: %dms",
+					 this->receive_delay);
+				charon->scheduler->schedule_job_ms(charon->scheduler,
+								(job_t*)process_message_job_create(message),
+								this->receive_delay);
+				return JOB_REQUEUE_DIRECT;
+			}
+		}
 	}
+	charon->processor->queue_job(charon->processor,
+								 (job_t*)process_message_job_create(message));
 	return JOB_REQUEUE_DIRECT;
 }
 
@@ -374,6 +397,12 @@ receiver_t *receiver_create()
 	}
 	this->receive_delay = lib->settings->get_int(lib->settings,
 						"charon.receive_delay", 0);
+	this->receive_delay_type = lib->settings->get_int(lib->settings,
+						"charon.receive_delay_type", 0),
+	this->receive_delay_request = lib->settings->get_bool(lib->settings,
+						"charon.receive_delay_request", TRUE),
+	this->receive_delay_response = lib->settings->get_int(lib->settings,
+						"charon.receive_delay_response", TRUE),
 
 	this->hasher = lib->crypto->create_hasher(lib->crypto, HASH_PREFERRED);
 	if (this->hasher == NULL)
diff --git a/src/libcharon/network/sender.c b/src/libcharon/network/sender.c
index c18f1138e..bb6d50605 100644
--- a/src/libcharon/network/sender.c
+++ b/src/libcharon/network/sender.c
@@ -67,6 +67,21 @@ struct private_sender_t {
 	 * Delay for sending outgoing packets, to simulate larger RTT
 	 */
 	int send_delay;
+
+	/**
+	 * Specific message type to delay, 0 for any
+	 */
+	int send_delay_type;
+
+	/**
+	 * Delay request messages?
+	 */
+	bool send_delay_request;
+
+	/**
+	 * Delay response messages?
+	 */
+	bool send_delay_response;
 };
 
 METHOD(sender_t, send_, void,
@@ -80,7 +95,23 @@ METHOD(sender_t, send_, void,
 
 	if (this->send_delay)
 	{
-		usleep(this->send_delay * 1000);
+		message_t *message;
+
+		message = message_create_from_packet(packet->clone(packet));
+		if (message->parse_header(message) == SUCCESS)
+		{
+			if (this->send_delay_type == 0 ||
+				this->send_delay_type == message->get_exchange_type(message))
+			{
+				if ((message->get_request(message) && this->send_delay_request) ||
+					(!message->get_request(message) && this->send_delay_response))
+				{
+					DBG1(DBG_NET, "using send delay: %dms", this->send_delay);
+					usleep(this->send_delay * 1000);
+				}
+			}
+		}
+		message->destroy(message);
 	}
 
 	this->mutex->lock(this->mutex);
@@ -155,7 +186,13 @@ sender_t * sender_create()
 		.job = callback_job_create((callback_job_cb_t)send_packets,
 									this, NULL, NULL),
 		.send_delay = lib->settings->get_int(lib->settings,
-											 "charon.send_delay", 0),
+											"charon.send_delay", 0),
+		.send_delay_type = lib->settings->get_int(lib->settings,
+											"charon.send_delay_type", 0),
+		.send_delay_request = lib->settings->get_bool(lib->settings,
+											"charon.send_delay_request", TRUE),
+		.send_delay_response = lib->settings->get_int(lib->settings,
+											"charon.send_delay_response", TRUE),
 	);
 
 	charon->processor->queue_job(charon->processor, (job_t*)this->job);
diff --git a/src/libcharon/plugins/addrblock/Makefile.am b/src/libcharon/plugins/addrblock/Makefile.am
new file mode 100644
index 000000000..50d0457f8
--- /dev/null
+++ b/src/libcharon/plugins/addrblock/Makefile.am
@@ -0,0 +1,18 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-addrblock.la
+else
+plugin_LTLIBRARIES = libstrongswan-addrblock.la
+endif
+
+libstrongswan_addrblock_la_SOURCES = \
+	addrblock_plugin.h addrblock_plugin.c \
+	addrblock_narrow.h addrblock_narrow.c \
+	addrblock_validator.h addrblock_validator.c
+
+libstrongswan_addrblock_la_LDFLAGS = -module -avoid-version
diff --git a/src/libcharon/plugins/addrblock/Makefile.in b/src/libcharon/plugins/addrblock/Makefile.in
new file mode 100644
index 000000000..4cb047929
--- /dev/null
+++ b/src/libcharon/plugins/addrblock/Makefile.in
@@ -0,0 +1,592 @@
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libcharon/plugins/addrblock
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_addrblock_la_LIBADD =
+am_libstrongswan_addrblock_la_OBJECTS = addrblock_plugin.lo \
+	addrblock_narrow.lo addrblock_validator.lo
+libstrongswan_addrblock_la_OBJECTS =  \
+	$(am_libstrongswan_addrblock_la_OBJECTS)
+libstrongswan_addrblock_la_LINK = $(LIBTOOL) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_addrblock_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_addrblock_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_addrblock_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_addrblock_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_addrblock_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libhydra_plugins = @libhydra_plugins@
+libstrongswan_plugins = @libstrongswan_plugins@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-addrblock.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-addrblock.la
+libstrongswan_addrblock_la_SOURCES = \
+	addrblock_plugin.h addrblock_plugin.c \
+	addrblock_narrow.h addrblock_narrow.c \
+	addrblock_validator.h addrblock_validator.c
+
+libstrongswan_addrblock_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/addrblock/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libcharon/plugins/addrblock/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-addrblock.la: $(libstrongswan_addrblock_la_OBJECTS) $(libstrongswan_addrblock_la_DEPENDENCIES) 
+	$(libstrongswan_addrblock_la_LINK) $(am_libstrongswan_addrblock_la_rpath) $(libstrongswan_addrblock_la_OBJECTS) $(libstrongswan_addrblock_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/addrblock_narrow.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/addrblock_plugin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/addrblock_validator.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libcharon/plugins/addrblock/addrblock_narrow.c b/src/libcharon/plugins/addrblock/addrblock_narrow.c
new file mode 100644
index 000000000..f85fa78d6
--- /dev/null
+++ b/src/libcharon/plugins/addrblock/addrblock_narrow.c
@@ -0,0 +1,154 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ * Copyright (C) 2009 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "addrblock_narrow.h"
+
+#include <daemon.h>
+#include <credentials/certificates/x509.h>
+
+typedef struct private_addrblock_narrow_t private_addrblock_narrow_t;
+
+/**
+ * Private data of an addrblock_narrow_t object.
+ */
+struct private_addrblock_narrow_t {
+
+	/**
+	 * Public addrblock_narrow_t interface.
+	 */
+	addrblock_narrow_t public;
+};
+
+/**
+ * Check if the negotiated TS list is acceptable by X509 ipAddrBlock constraints
+ */
+static bool check_constraints(ike_sa_t *ike_sa, linked_list_t *list)
+{
+	auth_cfg_t *auth;
+	enumerator_t *auth_enum;
+	certificate_t *cert = NULL;
+
+	auth_enum = ike_sa->create_auth_cfg_enumerator(ike_sa, FALSE);
+	while (auth_enum->enumerate(auth_enum, &auth))
+	{
+		cert = auth->get(auth, AUTH_HELPER_SUBJECT_CERT);
+		if (cert)
+		{
+			break;
+		}
+	}
+	auth_enum->destroy(auth_enum);
+
+	if (cert && cert->get_type(cert) == CERT_X509)
+	{
+		x509_t *x509 = (x509_t*)cert;
+
+		if (x509->get_flags(x509) & X509_IP_ADDR_BLOCKS)
+		{
+			enumerator_t *enumerator, *block_enum;
+			traffic_selector_t *ts, *block_ts;
+
+			DBG1(DBG_IKE, "checking certificate-based traffic selector "
+						  "constraints [RFC 3779]");
+			enumerator = list->create_enumerator(list);
+			while (enumerator->enumerate(enumerator, &ts))
+			{
+				bool contained = FALSE;
+
+				block_enum = x509->create_ipAddrBlock_enumerator(x509);
+				while (block_enum->enumerate(block_enum, &block_ts))
+				{
+					if (ts->is_contained_in(ts, block_ts))
+					{
+						DBG1(DBG_IKE, "  TS %R is contained in address block"
+									  " constraint %R", ts, block_ts);
+						contained = TRUE;
+						break;
+					}
+				}
+				block_enum->destroy(block_enum);
+
+				if (!contained)
+				{
+					DBG1(DBG_IKE, "  TS %R is not contained in any"
+								  " address block constraint", ts);
+					enumerator->destroy(enumerator);
+					return FALSE;
+				}
+			}
+			enumerator->destroy(enumerator);
+		}
+	}
+	return TRUE;
+}
+
+/**
+ * Delete all traffic selectors in a list
+ */
+static void flush_ts_list(linked_list_t *list)
+{
+	traffic_selector_t *ts;
+
+	while (list->remove_last(list, (void**)&ts) == SUCCESS)
+	{
+		ts->destroy(ts);
+	}
+}
+
+METHOD(listener_t, narrow, bool,
+	private_addrblock_narrow_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa,
+	narrow_hook_t type, linked_list_t *local, linked_list_t *remote)
+{
+	switch (type)
+	{
+		case NARROW_RESPONDER:
+		case NARROW_INITIATOR_POST_AUTH:
+		case NARROW_INITIATOR_POST_NOAUTH:
+			if (!check_constraints(ike_sa, remote))
+			{
+				flush_ts_list(local);
+				flush_ts_list(remote);
+			}
+			break;
+		default:
+			break;
+	}
+	return TRUE;
+}
+
+METHOD(addrblock_narrow_t, destroy, void,
+	private_addrblock_narrow_t *this)
+{
+	free(this);
+}
+
+/**
+ * See header
+ */
+addrblock_narrow_t *addrblock_narrow_create()
+{
+	private_addrblock_narrow_t *this;
+
+	INIT(this,
+		.public = {
+			.listener.narrow = _narrow,
+			.destroy = _destroy,
+		},
+	);
+
+	return &this->public;
+}
diff --git a/src/libcharon/plugins/addrblock/addrblock_narrow.h b/src/libcharon/plugins/addrblock/addrblock_narrow.h
new file mode 100644
index 000000000..9ab32e671
--- /dev/null
+++ b/src/libcharon/plugins/addrblock/addrblock_narrow.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup addrblock_narrow addrblock_narrow
+ * @{ @ingroup addrblock
+ */
+
+#ifndef ADDRBLOCK_NARROW_H_
+#define ADDRBLOCK_NARROW_H_
+
+#include <bus/listeners/listener.h>
+
+typedef struct addrblock_narrow_t addrblock_narrow_t;
+
+/**
+ * Listener that checks traffic selectors against addrblock constraints.
+ */
+struct addrblock_narrow_t {
+
+	/**
+	 * Implements listener_t.
+	 */
+	listener_t listener;
+
+	/**
+	 * Destroy a addrblock_narrow_t.
+	 */
+	void (*destroy)(addrblock_narrow_t *this);
+};
+
+/**
+ * Create a addrblock_narrow instance.
+ */
+addrblock_narrow_t *addrblock_narrow_create();
+
+#endif /** ADDRBLOCK_NARROW_H_ @}*/
diff --git a/src/libcharon/plugins/addrblock/addrblock_plugin.c b/src/libcharon/plugins/addrblock/addrblock_plugin.c
new file mode 100644
index 000000000..1c407035d
--- /dev/null
+++ b/src/libcharon/plugins/addrblock/addrblock_plugin.c
@@ -0,0 +1,72 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "addrblock_plugin.h"
+
+#include <daemon.h>
+
+#include "addrblock_validator.h"
+#include "addrblock_narrow.h"
+
+typedef struct private_addrblock_plugin_t private_addrblock_plugin_t;
+
+/**
+ * private data of addrblock_plugin
+ */
+struct private_addrblock_plugin_t {
+
+	/**
+	 * public functions
+	 */
+	addrblock_plugin_t public;
+
+	/**
+	 * Validator implementation instance.
+	 */
+	addrblock_validator_t *validator;
+
+	/**
+	 * Listener to check TS list
+	 */
+	addrblock_narrow_t *narrower;
+};
+
+METHOD(plugin_t, destroy, void,
+	private_addrblock_plugin_t *this)
+{
+	charon->bus->remove_listener(charon->bus, &this->narrower->listener);
+	lib->credmgr->remove_validator(lib->credmgr, &this->validator->validator);
+	this->narrower->destroy(this->narrower);
+	this->validator->destroy(this->validator);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *addrblock_plugin_create()
+{
+	private_addrblock_plugin_t *this;
+
+	INIT(this,
+		.public.plugin.destroy = _destroy,
+		.validator = addrblock_validator_create(),
+		.narrower = addrblock_narrow_create(),
+	);
+	lib->credmgr->add_validator(lib->credmgr, &this->validator->validator);
+	charon->bus->add_listener(charon->bus, &this->narrower->listener);
+
+	return &this->public.plugin;
+}
diff --git a/src/libcharon/plugins/addrblock/addrblock_plugin.h b/src/libcharon/plugins/addrblock/addrblock_plugin.h
new file mode 100644
index 000000000..87bd516f9
--- /dev/null
+++ b/src/libcharon/plugins/addrblock/addrblock_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup addrblock addrblock
+ * @ingroup cplugins
+ *
+ * @defgroup addrblock_plugin addrblock_plugin
+ * @{ @ingroup addrblock
+ */
+
+#ifndef ADDRBLOCK_PLUGIN_H_
+#define ADDRBLOCK_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct addrblock_plugin_t addrblock_plugin_t;
+
+/**
+ * RFC 3779 address block checking.
+ */
+struct addrblock_plugin_t {
+
+	/**
+	 * Implements plugin_t. interface.
+	 */
+	plugin_t plugin;
+};
+
+#endif /** ADDRBLOCK_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/addrblock/addrblock_validator.c b/src/libcharon/plugins/addrblock/addrblock_validator.c
new file mode 100644
index 000000000..44ef38d85
--- /dev/null
+++ b/src/libcharon/plugins/addrblock/addrblock_validator.c
@@ -0,0 +1,124 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ * Copyright (C) 2009 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "addrblock_validator.h"
+
+#include <debug.h>
+#include <credentials/certificates/x509.h>
+#include <selectors/traffic_selector.h>
+
+typedef struct private_addrblock_validator_t private_addrblock_validator_t;
+
+/**
+ * Private data of an addrblock_validator_t object.
+ */
+struct private_addrblock_validator_t {
+
+	/**
+	 * Public addrblock_validator_t interface.
+	 */
+	addrblock_validator_t public;
+};
+
+/**
+ * Do the addrblock check for two x509 plugins
+ */
+static bool check_addrblock(x509_t *subject, x509_t *issuer)
+{
+	bool subject_const, issuer_const, contained = TRUE;
+	enumerator_t *subject_enumerator, *issuer_enumerator;
+	traffic_selector_t *subject_ts, *issuer_ts;
+
+	subject_const = subject->get_flags(subject) & X509_IP_ADDR_BLOCKS;
+	issuer_const = issuer->get_flags(issuer) & X509_IP_ADDR_BLOCKS;
+
+	if (!subject_const && !issuer_const)
+	{
+		return TRUE;
+	}
+	if (!subject_const)
+	{
+		DBG1(DBG_CFG, "subject certficate lacks ipAddrBlocks extension");
+		return FALSE;
+	}
+	if (!issuer_const)
+	{
+		DBG1(DBG_CFG, "issuer certficate lacks ipAddrBlocks extension");
+		return FALSE;
+	}
+	subject_enumerator = subject->create_ipAddrBlock_enumerator(subject);
+	while (subject_enumerator->enumerate(subject_enumerator, &subject_ts))
+	{
+		contained = FALSE;
+
+		issuer_enumerator = issuer->create_ipAddrBlock_enumerator(issuer);
+		while (issuer_enumerator->enumerate(issuer_enumerator, &issuer_ts))
+		{
+			if (subject_ts->is_contained_in(subject_ts, issuer_ts))
+			{
+				DBG2(DBG_CFG, "  subject address block %R is contained in "
+							  "issuer address block %R", subject_ts, issuer_ts);
+				contained = TRUE;
+				break;
+			}
+		}
+		issuer_enumerator->destroy(issuer_enumerator);
+		if (!contained)
+		{
+			DBG1(DBG_CFG, "subject address block %R is not contained in any "
+						  "issuer address block", subject_ts);
+			break;
+		}
+	}
+	subject_enumerator->destroy(subject_enumerator);
+	return contained;
+}
+
+METHOD(cert_validator_t, validate, bool,
+	private_addrblock_validator_t *this, certificate_t *subject,
+	certificate_t *issuer, bool online, int pathlen, auth_cfg_t *auth)
+{
+	if (subject->get_type(subject) == CERT_X509 &&
+		issuer->get_type(issuer) == CERT_X509)
+	{
+		return check_addrblock((x509_t*)subject, (x509_t*)issuer);
+	}
+	return TRUE;
+}
+
+METHOD(addrblock_validator_t, destroy, void,
+	private_addrblock_validator_t *this)
+{
+	free(this);
+}
+
+/**
+ * See header
+ */
+addrblock_validator_t *addrblock_validator_create()
+{
+	private_addrblock_validator_t *this;
+
+	INIT(this,
+		.public = {
+			.validator.validate = _validate,
+			.destroy = _destroy,
+		},
+	);
+
+	return &this->public;
+}
diff --git a/src/libcharon/plugins/addrblock/addrblock_validator.h b/src/libcharon/plugins/addrblock/addrblock_validator.h
new file mode 100644
index 000000000..423f0d41a
--- /dev/null
+++ b/src/libcharon/plugins/addrblock/addrblock_validator.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup addrblock_validator addrblock_validator
+ * @{ @ingroup addrblock
+ */
+
+#ifndef ADDRBLOCK_VALIDATOR_H_
+#define ADDRBLOCK_VALIDATOR_H_
+
+#include <credentials/cert_validator.h>
+
+typedef struct addrblock_validator_t addrblock_validator_t;
+
+/**
+ * RFC 3779 address block X509 certificate validator.
+ */
+struct addrblock_validator_t {
+
+	/**
+	 * Implements cert_validator_t interface.
+	 */
+	cert_validator_t validator;
+
+	/**
+	 * Destroy a addrblock_validator_t.
+	 */
+	void (*destroy)(addrblock_validator_t *this);
+};
+
+/**
+ * Create a addrblock_validator instance.
+ */
+addrblock_validator_t *addrblock_validator_create();
+
+#endif /** ADDRBLOCK_VALIDATOR_H_ @}*/
diff --git a/src/libcharon/plugins/android/Makefile.am b/src/libcharon/plugins/android/Makefile.am
index e8423589c..b922ef4af 100644
--- a/src/libcharon/plugins/android/Makefile.am
+++ b/src/libcharon/plugins/android/Makefile.am
@@ -12,7 +12,10 @@ endif
 
 libstrongswan_android_la_SOURCES = \
 	android_plugin.c android_plugin.h \
-	android_handler.c android_handler.h
+	android_service.c android_service.h \
+	android_handler.c android_handler.h \
+	android_logger.c android_logger.h \
+	android_creds.c android_creds.h
 
 libstrongswan_android_la_LDFLAGS = -module -avoid-version
 libstrongswan_android_la_LIBADD  = -lcutils
diff --git a/src/libcharon/plugins/android/Makefile.in b/src/libcharon/plugins/android/Makefile.in
index 9f12a9c75..6e4903ee1 100644
--- a/src/libcharon/plugins/android/Makefile.in
+++ b/src/libcharon/plugins/android/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -75,7 +75,8 @@ am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_android_la_DEPENDENCIES =
 am_libstrongswan_android_la_OBJECTS = android_plugin.lo \
-	android_handler.lo
+	android_service.lo android_handler.lo android_logger.lo \
+	android_creds.lo
 libstrongswan_android_la_OBJECTS =  \
 	$(am_libstrongswan_android_la_OBJECTS)
 libstrongswan_android_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
@@ -265,7 +266,10 @@ AM_CFLAGS = -rdynamic
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-android.la
 libstrongswan_android_la_SOURCES = \
 	android_plugin.c android_plugin.h \
-	android_handler.c android_handler.h
+	android_service.c android_service.h \
+	android_handler.c android_handler.h \
+	android_logger.c android_logger.h \
+	android_creds.c android_creds.h
 
 libstrongswan_android_la_LDFLAGS = -module -avoid-version
 libstrongswan_android_la_LIBADD = -lcutils
@@ -352,8 +356,11 @@ mostlyclean-compile:
 distclean-compile:
 	-rm -f *.tab.c
 
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/android_creds.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/android_handler.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/android_logger.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/android_plugin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/android_service.Plo@am__quote@
 
 .c.o:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
diff --git a/src/libcharon/plugins/android/android_creds.c b/src/libcharon/plugins/android/android_creds.c
new file mode 100644
index 000000000..aa7fc6f92
--- /dev/null
+++ b/src/libcharon/plugins/android/android_creds.c
@@ -0,0 +1,294 @@
+/*
+ * Copyright (C) 2010 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <keystore_get.h>
+
+#include "android_creds.h"
+
+#include <daemon.h>
+#include <threading/rwlock.h>
+
+typedef struct private_android_creds_t private_android_creds_t;
+
+/**
+ * Private data of an android_creds_t object
+ */
+struct private_android_creds_t {
+
+	/**
+	 * Public interface
+	 */
+	android_creds_t public;
+
+	/**
+	 * List of trusted certificates, certificate_t*
+	 */
+	linked_list_t *certs;
+
+	/**
+	 * User name (ID)
+	 */
+	identification_t *user;
+
+	/**
+	 * User password
+	 */
+	char *pass;
+
+	/**
+	 * read/write lock
+	 */
+	rwlock_t *lock;
+
+};
+
+/**
+ * Certificate enumerator data
+ */
+typedef struct {
+	private_android_creds_t *this;
+	key_type_t key;
+	identification_t *id;
+} cert_data_t;
+
+/**
+ * Filter function for certificates enumerator
+ */
+static bool cert_filter(cert_data_t *data, certificate_t **in,
+						certificate_t **out)
+{
+	certificate_t *cert = *in;
+	public_key_t *public;
+
+	public = cert->get_public_key(cert);
+	if (!public)
+	{
+		return FALSE;
+	}
+	if (data->key != KEY_ANY && public->get_type(public) != data->key)
+	{
+		public->destroy(public);
+		return FALSE;
+	}
+	if (data->id && data->id->get_type(data->id) == ID_KEY_ID &&
+		public->has_fingerprint(public, data->id->get_encoding(data->id)))
+	{
+		public->destroy(public);
+		*out = cert;
+		return TRUE;
+	}
+	public->destroy(public);
+	if (data->id && !cert->has_subject(cert, data->id))
+	{
+		return FALSE;
+	}
+	*out = cert;
+	return TRUE;
+}
+
+/**
+ * Destroy certificate enumerator data
+ */
+static void cert_data_destroy(cert_data_t *this)
+{
+	this->this->lock->unlock(this->this->lock);
+	free(this);
+}
+
+METHOD(credential_set_t, create_cert_enumerator, enumerator_t*,
+	   private_android_creds_t *this, certificate_type_t cert, key_type_t key,
+	   identification_t *id, bool trusted)
+{
+	if (cert == CERT_X509 || cert == CERT_ANY)
+	{
+		cert_data_t *data;
+		this->lock->read_lock(this->lock);
+		INIT(data, .this = this, .id = id, .key = key);
+		return enumerator_create_filter(
+						this->certs->create_enumerator(this->certs),
+						(void*)cert_filter, data, (void*)cert_data_destroy);
+	}
+	return NULL;
+}
+
+/**
+ * Shared key enumerator implementation
+ */
+typedef struct {
+	enumerator_t public;
+	private_android_creds_t *this;
+	shared_key_t *key;
+	bool done;
+} shared_enumerator_t;
+
+METHOD(enumerator_t, shared_enumerate, bool,
+	   shared_enumerator_t *this, shared_key_t **key, id_match_t *me,
+	   id_match_t *other)
+{
+	if (this->done)
+	{
+		return FALSE;
+	}
+	*key = this->key;
+	*me = ID_MATCH_PERFECT;
+	*other = ID_MATCH_ANY;
+	this->done = TRUE;
+	return TRUE;
+}
+
+METHOD(enumerator_t, shared_destroy, void,
+	   shared_enumerator_t *this)
+{
+	this->key->destroy(this->key);
+	this->this->lock->unlock(this->this->lock);
+	free(this);
+}
+
+METHOD(credential_set_t, create_shared_enumerator, enumerator_t*,
+	   private_android_creds_t *this, shared_key_type_t type,
+	   identification_t *me, identification_t *other)
+{
+	shared_enumerator_t *enumerator;
+
+	this->lock->read_lock(this->lock);
+
+	if (!this->user || !this->pass)
+	{
+		this->lock->unlock(this->lock);
+		return NULL;
+	}
+	if (type != SHARED_EAP && type != SHARED_IKE)
+	{
+		this->lock->unlock(this->lock);
+		return NULL;
+	}
+	if (me && !me->equals(me, this->user))
+	{
+		this->lock->unlock(this->lock);
+		return NULL;
+	}
+
+	INIT(enumerator,
+		.public = {
+			.enumerate = (void*)_shared_enumerate,
+			.destroy = _shared_destroy,
+		},
+		.this = this,
+		.done = FALSE,
+		.key = shared_key_create(type, chunk_clone(chunk_create(this->pass,
+												   strlen(this->pass)))),
+	);
+	return &enumerator->public;
+}
+
+METHOD(android_creds_t, add_certificate, bool,
+	   private_android_creds_t *this, char *name)
+{
+	certificate_t *cert = NULL;
+	bool status = FALSE;
+	chunk_t chunk;
+#ifdef KEYSTORE_MESSAGE_SIZE
+	/* most current interface, the eclair interface (without key length) is
+	 * currently not supported */
+	char value[KEYSTORE_MESSAGE_SIZE];
+	chunk.ptr = value;
+	chunk.len = keystore_get(name, strlen(name), chunk.ptr);
+	if (chunk.len > 0)
+#else
+	/* 1.6 interface, allocates memory */
+	chunk.ptr = keystore_get(name, &chunk.len);
+	if (chunk.ptr)
+#endif /* KEYSTORE_MESSAGE_SIZE */
+	{
+		cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+								  BUILD_BLOB_PEM, chunk, BUILD_END);
+		if (cert)
+		{
+			this->lock->write_lock(this->lock);
+			this->certs->insert_last(this->certs, cert);
+			this->lock->unlock(this->lock);
+			status = TRUE;
+		}
+#ifndef KEYSTORE_MESSAGE_SIZE
+		free(chunk.ptr);
+#endif /* KEYSTORE_MESSAGE_SIZE */
+	}
+	return status;
+}
+
+METHOD(android_creds_t, set_username_password, void,
+	   private_android_creds_t *this, identification_t *id, char *password)
+{
+	this->lock->write_lock(this->lock);
+	DESTROY_IF(this->user);
+	this->user = id->clone(id);
+	free(this->pass);
+	this->pass = password ? strdup(password) : NULL;
+	this->lock->unlock(this->lock);
+}
+
+METHOD(android_creds_t, clear, void,
+	   private_android_creds_t *this)
+{
+	certificate_t *cert;
+	this->lock->write_lock(this->lock);
+	while (this->certs->remove_last(this->certs, (void**)&cert) == SUCCESS)
+	{
+		cert->destroy(cert);
+	}
+	DESTROY_IF(this->user);
+	free(this->pass);
+	this->user = NULL;
+	this->pass = NULL;
+	this->lock->unlock(this->lock);
+}
+
+METHOD(android_creds_t, destroy, void,
+	   private_android_creds_t *this)
+{
+	clear(this);
+	this->certs->destroy(this->certs);
+	this->lock->destroy(this->lock);
+	free(this);
+}
+
+/**
+ * Described in header.
+ */
+android_creds_t *android_creds_create()
+{
+	private_android_creds_t *this;
+
+	INIT(this,
+		.public = {
+			.set = {
+				.create_cert_enumerator = _create_cert_enumerator,
+				.create_shared_enumerator = _create_shared_enumerator,
+				.create_private_enumerator = (void*)return_null,
+				.create_cdp_enumerator = (void*)return_null,
+				.cache_cert = (void*)nop,
+			},
+			.add_certificate = _add_certificate,
+			.set_username_password = _set_username_password,
+			.clear = _clear,
+			.destroy = _destroy,
+		},
+		.certs = linked_list_create(),
+		.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
+	);
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/plugins/android/android_creds.h b/src/libcharon/plugins/android/android_creds.h
new file mode 100644
index 000000000..0f7b8e0ea
--- /dev/null
+++ b/src/libcharon/plugins/android/android_creds.h
@@ -0,0 +1,73 @@
+/*
+ * Copyright (C) 2010 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup android_creds android_creds
+ * @{ @ingroup android
+ */
+
+#ifndef ANDROID_CREDS_H_
+#define ANDROID_CREDS_H_
+
+#include <credentials/credential_set.h>
+
+typedef struct android_creds_t android_creds_t;
+
+/**
+ * Android credentials helper.
+ */
+struct android_creds_t {
+
+	/**
+	 * Implements credential_set_t
+	 */
+	credential_set_t set;
+
+	/**
+	 * Add a trusted CA certificate from the Android keystore to serve by
+	 * this set.
+	 *
+	 * @param name		name/ID of the certificate in the keystore
+	 * @return			FALSE if the certificate does not exist or is invalid
+	 */
+	bool (*add_certificate)(android_creds_t *this, char *name);
+
+	/**
+	 * Set the username and password for authentication.
+	 *
+	 * @param id		ID of the user
+	 * @param password	password to use for authentication
+	 */
+	void (*set_username_password)(android_creds_t *this, identification_t *id,
+								  char *password);
+
+	/**
+	 * Clear the stored credentials.
+	 */
+	void (*clear)(android_creds_t *this);
+
+	/**
+	 * Destroy a android_creds instance.
+	 */
+	void (*destroy)(android_creds_t *this);
+
+};
+
+/**
+ * Create an android_creds instance.
+ */
+android_creds_t *android_creds_create();
+
+#endif /** ANDROID_CREDS_H_ @}*/
diff --git a/src/libcharon/plugins/android/android_handler.c b/src/libcharon/plugins/android/android_handler.c
index a475eeaab..ec3ff7a51 100644
--- a/src/libcharon/plugins/android/android_handler.c
+++ b/src/libcharon/plugins/android/android_handler.c
@@ -75,7 +75,7 @@ host_t *get_dns_server(int index)
 	host_t *dns = NULL;
 	char key[10], value[PROPERTY_VALUE_MAX];
 
-	if (snprintf(key, sizeof(key), "net.dns%d", index) >= sizeof(key))
+	if (snprintf(key, sizeof(key), "vpn.dns%d", index) >= sizeof(key))
 	{
 		return NULL;
 	}
@@ -94,7 +94,7 @@ bool set_dns_server(int index, host_t *dns)
 {
 	char key[10], value[PROPERTY_VALUE_MAX];
 
-	if (snprintf(key, sizeof(key), "net.dns%d", index) >= sizeof(key))
+	if (snprintf(key, sizeof(key), "vpn.dns%d", index) >= sizeof(key))
 	{
 		return FALSE;
 	}
diff --git a/src/libcharon/plugins/android/android_logger.c b/src/libcharon/plugins/android/android_logger.c
new file mode 100644
index 000000000..43c56e656
--- /dev/null
+++ b/src/libcharon/plugins/android/android_logger.c
@@ -0,0 +1,96 @@
+/*
+ * Copyright (C) 2010 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <string.h>
+#include <android/log.h>
+
+#include "android_logger.h"
+
+#include <library.h>
+#include <daemon.h>
+
+typedef struct private_android_logger_t private_android_logger_t;
+
+/**
+ * Private data of an android_logger_t object
+ */
+struct private_android_logger_t {
+
+	/**
+	 * Public interface
+	 */
+	android_logger_t public;
+
+	/**
+	 * logging level
+	 */
+	int level;
+
+};
+
+
+METHOD(listener_t, log_, bool,
+	   private_android_logger_t *this, debug_t group, level_t level,
+	   int thread, ike_sa_t* ike_sa, char *format, va_list args)
+{
+	if (level <= this->level)
+	{
+		char sgroup[16], buffer[8192];
+		char *current = buffer, *next;
+		snprintf(sgroup, sizeof(sgroup), "%N", debug_names, group);
+		vsnprintf(buffer, sizeof(buffer), format, args);
+		while (current)
+		{	/* log each line seperately */
+			next = strchr(current, '\n');
+			if (next)
+			{
+				*(next++) = '\0';
+			}
+			__android_log_print(ANDROID_LOG_INFO, "charon", "%.2d[%s] %s\n",
+								thread, sgroup, current);
+			current = next;
+		}
+	}
+	/* always stay registered */
+	return TRUE;
+}
+
+METHOD(android_logger_t, destroy, void,
+	   private_android_logger_t *this)
+{
+	free(this);
+}
+
+/**
+ * Described in header.
+ */
+android_logger_t *android_logger_create()
+{
+	private_android_logger_t *this;
+
+	INIT(this,
+		.public = {
+			.listener = {
+				.log = _log_,
+			},
+			.destroy = _destroy,
+		},
+		.level = lib->settings->get_int(lib->settings,
+										"charon.plugins.android.loglevel", 1),
+	);
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/plugins/android/android_logger.h b/src/libcharon/plugins/android/android_logger.h
new file mode 100644
index 000000000..c6fe5aff3
--- /dev/null
+++ b/src/libcharon/plugins/android/android_logger.h
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) 2010 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup android_logger android_logger
+ * @{ @ingroup android
+ */
+
+#ifndef ANDROID_LOGGER_H_
+#define ANDROID_LOGGER_H_
+
+#include <bus/bus.h>
+
+typedef struct android_logger_t android_logger_t;
+
+/**
+ * Android specific logger.
+ */
+struct android_logger_t {
+
+	/**
+	 * Implements bus_listener_t interface
+	 */
+	listener_t listener;
+
+	/**
+	 * Destroy the logger.
+	 */
+	void (*destroy)(android_logger_t *this);
+
+};
+
+/**
+ * Create an Android specific logger instance.
+ *
+ * @return			logger instance
+ */
+android_logger_t *android_logger_create();
+
+#endif /** ANDROID_LOGGER_H_ @}*/
diff --git a/src/libcharon/plugins/android/android_plugin.c b/src/libcharon/plugins/android/android_plugin.c
index 9a558f53b..e2c8572ef 100644
--- a/src/libcharon/plugins/android/android_plugin.c
+++ b/src/libcharon/plugins/android/android_plugin.c
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2010 Tobias Brunner
  * Copyright (C) 2010 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -14,7 +15,10 @@
  */
 
 #include "android_plugin.h"
+#include "android_logger.h"
 #include "android_handler.h"
+#include "android_creds.h"
+#include "android_service.h"
 
 #include <hydra.h>
 #include <daemon.h>
@@ -31,17 +35,39 @@ struct private_android_plugin_t {
 	 */
 	android_plugin_t public;
 
+	/**
+	 * Android specific logger
+	 */
+	android_logger_t *logger;
+
 	/**
 	 * Android specific DNS handler
 	 */
 	android_handler_t *handler;
+
+	/**
+	 * Android specific credential set
+	 */
+	android_creds_t *creds;
+
+	/**
+	 * Service that interacts with the Android Settings frontend
+	 */
+	android_service_t *service;
+
 };
 
 METHOD(plugin_t, destroy, void,
-	private_android_plugin_t *this)
+	   private_android_plugin_t *this)
 {
-	hydra->attributes->remove_handler(hydra->attributes, &this->handler->handler);
+	hydra->attributes->remove_handler(hydra->attributes,
+									  &this->handler->handler);
+	lib->credmgr->remove_set(lib->credmgr, &this->creds->set);
+	charon->bus->remove_listener(charon->bus, &this->logger->listener);
+	this->creds->destroy(this->creds);
 	this->handler->destroy(this->handler);
+	this->logger->destroy(this->logger);
+	DESTROY_IF(this->service);
 	free(this);
 }
 
@@ -56,11 +82,22 @@ plugin_t *android_plugin_create()
 		.public.plugin = {
 			.destroy = _destroy,
 		},
+		.logger = android_logger_create(),
 		.handler = android_handler_create(),
+		.creds = android_creds_create(),
 	);
 
+	charon->bus->add_listener(charon->bus, &this->logger->listener);
+	lib->credmgr->add_set(lib->credmgr, &this->creds->set);
 	hydra->attributes->add_handler(hydra->attributes, &this->handler->handler);
 
+	this->service = android_service_create(this->creds);
+	if (!this->service)
+	{
+		destroy(this);
+		return NULL;
+	}
+
 	return &this->public.plugin;
 }
 
diff --git a/src/libcharon/plugins/android/android_service.c b/src/libcharon/plugins/android/android_service.c
new file mode 100644
index 000000000..538c4a9a2
--- /dev/null
+++ b/src/libcharon/plugins/android/android_service.c
@@ -0,0 +1,385 @@
+/*
+ * Copyright (C) 2010 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <unistd.h>
+#include <cutils/sockets.h>
+#include <cutils/properties.h>
+#include <signal.h>
+
+#include "android_service.h"
+
+#include <daemon.h>
+#include <threading/thread.h>
+#include <processing/jobs/callback_job.h>
+
+typedef struct private_android_service_t private_android_service_t;
+
+/**
+ * private data of Android service
+ */
+struct private_android_service_t {
+
+	/**
+	 * public interface
+	 */
+	android_service_t public;
+
+	/**
+	 * current IKE_SA
+	 */
+	ike_sa_t *ike_sa;
+
+	/**
+	 * job that handles requests from the Android control socket
+	 */
+	callback_job_t *job;
+
+	/**
+	 * android credentials
+	 */
+	android_creds_t *creds;
+
+	/**
+	 * android control socket
+	 */
+	int control;
+
+};
+
+/**
+ * Some of the error codes defined in VpnManager.java
+ */
+typedef enum {
+	/** Error code to indicate an error from authentication. */
+	VPN_ERROR_AUTH = 51,
+	/** Error code to indicate the connection attempt failed. */
+	VPN_ERROR_CONNECTION_FAILED = 101,
+	/** Error code to indicate an error of remote server hanging up. */
+	VPN_ERROR_REMOTE_HUNG_UP = 7,
+	/** Error code to indicate an error of losing connectivity. */
+	VPN_ERROR_CONNECTION_LOST = 103,
+} android_vpn_errors_t;
+
+/**
+ * send a status code back to the Android app
+ */
+static void send_status(private_android_service_t *this, u_char code)
+{
+	DBG1(DBG_CFG, "status of Android plugin changed: %d", code);
+	send(this->control, &code, 1, 0);
+}
+
+METHOD(listener_t, ike_updown, bool,
+	   private_android_service_t *this, ike_sa_t *ike_sa, bool up)
+{
+	/* this callback is only registered during initiation, so if the IKE_SA
+	 * goes down we assume an authentication error */
+	if (this->ike_sa == ike_sa && !up)
+	{
+		send_status(this, VPN_ERROR_AUTH);
+		return FALSE;
+	}
+	return TRUE;
+}
+
+METHOD(listener_t, child_state_change, bool,
+	   private_android_service_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa,
+	   child_sa_state_t state)
+{
+	/* this callback is only registered during initiation, so we still have
+	 * the control socket open */
+	if (this->ike_sa == ike_sa && state == CHILD_DESTROYING)
+	{
+		send_status(this, VPN_ERROR_CONNECTION_FAILED);
+		return FALSE;
+	}
+	return TRUE;
+}
+
+/**
+ * Callback used to shutdown the daemon
+ */
+static job_requeue_t shutdown_callback(void *data)
+{
+	kill(0, SIGTERM);
+	return JOB_REQUEUE_NONE;
+}
+
+METHOD(listener_t, child_updown, bool,
+	   private_android_service_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa,
+	   bool up)
+{
+	if (this->ike_sa == ike_sa)
+	{
+		if (up)
+		{
+			/* disable the hooks registered to catch initiation failures */
+			this->public.listener.ike_updown = NULL;
+			this->public.listener.child_state_change = NULL;
+			property_set("vpn.status", "ok");
+		}
+		else
+		{
+			callback_job_t *job;
+			/* the control socket is closed as soon as vpn.status is set to "ok"
+			 * and the daemon proxy then only checks for terminated daemons to
+			 * detect lost connections, so... */
+			DBG1(DBG_CFG, "connection lost, raising delayed SIGTERM");
+			/* to avoid any conflicts we send the SIGTERM not directly from this
+			 * callback, but from a different thread. we also delay it to avoid
+			 * a race condition during a regular shutdown */
+			job = callback_job_create(shutdown_callback, NULL, NULL, NULL);
+			charon->scheduler->schedule_job(charon->scheduler, (job_t*)job, 1);
+			return FALSE;
+		}
+	}
+	return TRUE;
+}
+
+METHOD(listener_t, ike_rekey, bool,
+	   private_android_service_t *this, ike_sa_t *old, ike_sa_t *new)
+{
+	if (this->ike_sa == old)
+	{
+		this->ike_sa = new;
+	}
+	return TRUE;
+}
+
+/**
+ * Read a string argument from the Android control socket
+ */
+static char *read_argument(int fd, u_char length)
+{
+	int offset = 0;
+	char *data = malloc(length + 1);
+	while (offset < length)
+	{
+		int n = recv(fd, &data[offset], length - offset, 0);
+		if (n < 0)
+		{
+			DBG1(DBG_CFG, "failed to read argument from Android"
+				 " control socket: %s", strerror(errno));
+			free(data);
+			return NULL;
+		}
+		offset += n;
+	}
+	data[length] = '\0';
+	DBG3(DBG_CFG, "received argument from Android control socket: %s", data);
+	return data;
+}
+
+/**
+ * handle the request received from the Android control socket
+ */
+static job_requeue_t initiate(private_android_service_t *this)
+{
+	bool oldstate;
+	int fd, i = 0;
+	char *hostname = NULL, *cacert = NULL, *username = NULL, *password = NULL;
+	identification_t *gateway = NULL, *user = NULL;
+	ike_cfg_t *ike_cfg;
+	peer_cfg_t *peer_cfg;
+	child_cfg_t *child_cfg;
+	traffic_selector_t *ts;
+	ike_sa_t *ike_sa;
+	auth_cfg_t *auth;
+	lifetime_cfg_t lifetime = {
+		.time = {
+			.life = 10800, /* 3h */
+			.rekey = 10200, /* 2h50min */
+			.jitter = 300 /* 5min */
+		}
+	};
+
+	fd = accept(this->control, NULL, 0);
+	if (fd < 0)
+	{
+		DBG1(DBG_CFG, "accept on Android control socket failed: %s",
+			 strerror(errno));
+		return JOB_REQUEUE_NONE;
+	}
+	/* the original control socket is not used anymore */
+	close(this->control);
+	this->control = fd;
+
+	while (TRUE)
+	{
+		u_char length;
+		if (recv(fd, &length, 1, 0) != 1)
+		{
+			DBG1(DBG_CFG, "failed to read from Android control socket: %s",
+				 strerror(errno));
+			return JOB_REQUEUE_NONE;
+		}
+
+		if (length == 0xFF)
+		{	/* last argument */
+			break;
+		}
+		else
+		{
+			switch (i++)
+			{
+				case 0: /* gateway */
+					hostname = read_argument(fd, length);
+					break;
+				case 1: /* CA certificate name */
+					cacert = read_argument(fd, length);
+					break;
+				case 2: /* username */
+					username = read_argument(fd, length);
+					break;
+				case 3: /* password */
+					password = read_argument(fd, length);
+					break;
+			}
+		}
+	}
+
+	if (cacert)
+	{
+		if (!this->creds->add_certificate(this->creds, cacert))
+		{
+			DBG1(DBG_CFG, "failed to load CA certificate");
+		}
+		/* if this is a server cert we could use the cert subject as id
+		 * but we have to test first if that possible to configure */
+	}
+
+	gateway = identification_create_from_string(hostname);
+	DBG1(DBG_CFG, "using CA certificate, gateway identitiy '%Y'", gateway);
+
+	if (username)
+	{
+		user = identification_create_from_string(username);
+		this->creds->set_username_password(this->creds, user, password);
+	}
+
+	ike_cfg = ike_cfg_create(TRUE, FALSE, "0.0.0.0", IKEV2_UDP_PORT,
+							 hostname, IKEV2_UDP_PORT);
+	ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
+
+	peer_cfg = peer_cfg_create("android", 2, ike_cfg, CERT_SEND_IF_ASKED,
+							   UNIQUE_REPLACE, 1, /* keyingtries */
+							   36000, 0, /* rekey 10h, reauth none */
+							   600, 600, /* jitter, over 10min */
+							   TRUE, 0, /* mobike, DPD */
+							   host_create_from_string("0.0.0.0", 0) /* virt */,
+							   NULL, FALSE, NULL, NULL); /* pool, mediation */
+
+	auth = auth_cfg_create();
+	auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_EAP);
+	auth->add(auth, AUTH_RULE_IDENTITY, user);
+	peer_cfg->add_auth_cfg(peer_cfg, auth, TRUE);
+	auth = auth_cfg_create();
+	auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
+	auth->add(auth, AUTH_RULE_IDENTITY, gateway);
+	peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);
+
+	child_cfg = child_cfg_create("android", &lifetime, NULL, TRUE, MODE_TUNNEL,
+								 ACTION_NONE, ACTION_NONE, FALSE, 0, 0,
+								 NULL, NULL);
+	child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
+	ts = traffic_selector_create_dynamic(0, 0, 65535);
+	child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
+	ts = traffic_selector_create_from_string(0, TS_IPV4_ADDR_RANGE, "0.0.0.0",
+											 0, "255.255.255.255", 65535);
+	child_cfg->add_traffic_selector(child_cfg, FALSE, ts);
+	peer_cfg->add_child_cfg(peer_cfg, child_cfg);
+	/* get an additional reference because initiate consumes one */
+	child_cfg->get_ref(child_cfg);
+
+	/* get us an IKE_SA */
+	ike_sa = charon->ike_sa_manager->checkout_by_config(charon->ike_sa_manager,
+														peer_cfg);
+	if (!ike_sa->get_peer_cfg(ike_sa))
+	{
+		ike_sa->set_peer_cfg(ike_sa, peer_cfg);
+	}
+	peer_cfg->destroy(peer_cfg);
+
+	/* store the IKE_SA so we can track its progress */
+	this->ike_sa = ike_sa;
+
+	/* confirm that we received the request */
+	send_status(this, i);
+
+	if (ike_sa->initiate(ike_sa, child_cfg, 0, NULL, NULL) != SUCCESS)
+	{
+		DBG1(DBG_CFG, "failed to initiate tunnel");
+		charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager,
+													ike_sa);
+		send_status(this, VPN_ERROR_CONNECTION_FAILED);
+		return JOB_REQUEUE_NONE;
+	}
+	charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+	return JOB_REQUEUE_NONE;
+}
+
+METHOD(android_service_t, destroy, void,
+	   private_android_service_t *this)
+{
+	charon->bus->remove_listener(charon->bus, &this->public.listener);
+	close(this->control);
+	free(this);
+}
+
+/**
+ * See header
+ */
+android_service_t *android_service_create(android_creds_t *creds)
+{
+	private_android_service_t *this;
+
+	INIT(this,
+		.public = {
+			.listener = {
+				.ike_updown = _ike_updown,
+				.child_state_change = _child_state_change,
+				.child_updown = _child_updown,
+				.ike_rekey = _ike_rekey,
+			},
+			.destroy = _destroy,
+		},
+		.creds = creds,
+	);
+
+	this->control = android_get_control_socket("charon");
+	if (this->control == -1)
+	{
+		DBG1(DBG_CFG, "failed to get Android control socket");
+		free(this);
+		return NULL;
+	}
+
+	if (listen(this->control, 1) < 0)
+	{
+		DBG1(DBG_CFG, "failed to listen on Android control socket: %s",
+			 strerror(errno));
+		close(this->control);
+		free(this);
+		return NULL;
+	}
+
+	charon->bus->add_listener(charon->bus, &this->public.listener);
+	this->job = callback_job_create((callback_job_cb_t)initiate, this,
+									NULL, NULL);
+	charon->processor->queue_job(charon->processor, (job_t*)this->job);
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/plugins/android/android_service.h b/src/libcharon/plugins/android/android_service.h
new file mode 100644
index 000000000..d096d6cd5
--- /dev/null
+++ b/src/libcharon/plugins/android/android_service.h
@@ -0,0 +1,54 @@
+/*
+ * Copyright (C) 2010 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup android_service android_service
+ * @{ @ingroup android
+ */
+
+#ifndef ANDROID_SERVICE_H_
+#define ANDROID_SERVICE_H_
+
+typedef struct android_service_t android_service_t;
+
+#include <bus/listeners/listener.h>
+
+#include "android_creds.h"
+
+/**
+ * Service that interacts with the Android Settings frontend.
+ */
+struct android_service_t {
+
+	/**
+	 * Implements listener_t.
+	 */
+	listener_t listener;
+
+	/**
+	 * Destroy a android_service_t.
+	 */
+	void (*destroy)(android_service_t *this);
+
+};
+
+/**
+ * Create an Android service instance.
+ *
+ * @param creds		Android credentials
+ */
+android_service_t *android_service_create(android_creds_t *creds);
+
+#endif /** ANDROID_SERVICE_H_ @}*/
diff --git a/src/libcharon/plugins/dhcp/Makefile.in b/src/libcharon/plugins/dhcp/Makefile.in
index 7606b963c..b34654fb7 100644
--- a/src/libcharon/plugins/dhcp/Makefile.in
+++ b/src/libcharon/plugins/dhcp/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
diff --git a/src/libcharon/plugins/dhcp/dhcp_provider.c b/src/libcharon/plugins/dhcp/dhcp_provider.c
index dbcceb6ce..a6a887780 100644
--- a/src/libcharon/plugins/dhcp/dhcp_provider.c
+++ b/src/libcharon/plugins/dhcp/dhcp_provider.c
@@ -129,7 +129,8 @@ METHOD(attribute_provider_t, release_address, bool,
 }
 
 METHOD(attribute_provider_t, create_attribute_enumerator, enumerator_t*,
-	private_dhcp_provider_t *this, identification_t *id, host_t *vip)
+	private_dhcp_provider_t *this, char *pool, identification_t *id,
+	host_t *vip)
 {
 	dhcp_transaction_t *transaction;
 
diff --git a/src/libcharon/plugins/eap_aka/Makefile.in b/src/libcharon/plugins/eap_aka/Makefile.in
index 1cea81a9b..14bf3f15d 100644
--- a/src/libcharon/plugins/eap_aka/Makefile.in
+++ b/src/libcharon/plugins/eap_aka/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
diff --git a/src/libcharon/plugins/eap_aka/eap_aka_peer.c b/src/libcharon/plugins/eap_aka/eap_aka_peer.c
index 26546809d..dfcc69710 100644
--- a/src/libcharon/plugins/eap_aka/eap_aka_peer.c
+++ b/src/libcharon/plugins/eap_aka/eap_aka_peer.c
@@ -421,7 +421,6 @@ static status_t process_notification(private_eap_aka_peer_t *this,
 			/* test success bit */
 			if (!(data.ptr[0] & 0x80))
 			{
-				success = FALSE;
 				DBG1(DBG_IKE, "received EAP-AKA notification error '%N'",
 					 simaka_notification_names, code);
 			}
diff --git a/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in b/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in
index d0b0f5601..b41b59616 100644
--- a/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in
+++ b/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
diff --git a/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_provider.c b/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_provider.c
index 9817fff8f..a9767ad91 100644
--- a/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_provider.c
+++ b/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_provider.c
@@ -52,8 +52,7 @@ bool eap_aka_3gpp2_get_k(identification_t *id, char k[AKA_K_LEN])
 	shared_key_t *shared;
 	chunk_t key;
 
-	shared = charon->credentials->get_shared(charon->credentials,
-											 SHARED_EAP, id, NULL);
+	shared = lib->credmgr->get_shared(lib->credmgr, SHARED_EAP, id, NULL);
 	if (shared == NULL)
 	{
 		return FALSE;
diff --git a/src/libcharon/plugins/eap_gtc/Makefile.in b/src/libcharon/plugins/eap_gtc/Makefile.in
index 110e1528b..57952f621 100644
--- a/src/libcharon/plugins/eap_gtc/Makefile.in
+++ b/src/libcharon/plugins/eap_gtc/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
diff --git a/src/libcharon/plugins/eap_gtc/eap_gtc.c b/src/libcharon/plugins/eap_gtc/eap_gtc.c
index c7f55fa70..f641ad13a 100644
--- a/src/libcharon/plugins/eap_gtc/eap_gtc.c
+++ b/src/libcharon/plugins/eap_gtc/eap_gtc.c
@@ -168,8 +168,8 @@ static status_t process_peer(private_eap_gtc_t *this,
 	chunk_t key;
 	size_t len;
 
-	shared = charon->credentials->get_shared(charon->credentials, SHARED_EAP,
-											 this->peer, this->server);
+	shared = lib->credmgr->get_shared(lib->credmgr, SHARED_EAP,
+									  this->peer, this->server);
 	if (shared == NULL)
 	{
 		DBG1(DBG_IKE, "no EAP key found for '%Y' - '%Y'",
diff --git a/src/libcharon/plugins/eap_identity/Makefile.in b/src/libcharon/plugins/eap_identity/Makefile.in
index bbb987dd6..d78957438 100644
--- a/src/libcharon/plugins/eap_identity/Makefile.in
+++ b/src/libcharon/plugins/eap_identity/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
diff --git a/src/libcharon/plugins/eap_md5/Makefile.in b/src/libcharon/plugins/eap_md5/Makefile.in
index 943811604..5bfc59fa4 100644
--- a/src/libcharon/plugins/eap_md5/Makefile.in
+++ b/src/libcharon/plugins/eap_md5/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
diff --git a/src/libcharon/plugins/eap_md5/eap_md5.c b/src/libcharon/plugins/eap_md5/eap_md5.c
index 0eda8f755..3554ae12e 100644
--- a/src/libcharon/plugins/eap_md5/eap_md5.c
+++ b/src/libcharon/plugins/eap_md5/eap_md5.c
@@ -85,8 +85,7 @@ static status_t hash_challenge(private_eap_md5_t *this, chunk_t *response,
 	chunk_t concat;
 	hasher_t *hasher;
 
-	shared = charon->credentials->get_shared(charon->credentials, SHARED_EAP,
-											 me, other);
+	shared = lib->credmgr->get_shared(lib->credmgr, SHARED_EAP, me, other);
 	if (shared == NULL)
 	{
 		DBG1(DBG_IKE, "no EAP key found for hosts '%Y' - '%Y'", me, other);
diff --git a/src/libcharon/plugins/eap_mschapv2/Makefile.in b/src/libcharon/plugins/eap_mschapv2/Makefile.in
index 2f6c65df4..d61cc9e5d 100644
--- a/src/libcharon/plugins/eap_mschapv2/Makefile.in
+++ b/src/libcharon/plugins/eap_mschapv2/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
diff --git a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
index c1ccf72eb..3cd8d994c 100644
--- a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
+++ b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
@@ -614,8 +614,7 @@ static bool get_nt_hash(private_eap_mschapv2_t *this, identification_t *me,
 	chunk_t password;
 
 	/* try to find a stored NT_HASH first */
-	shared = charon->credentials->get_shared(charon->credentials,
-											SHARED_NT_HASH, me, other);
+	shared = lib->credmgr->get_shared(lib->credmgr, SHARED_NT_HASH, me, other);
 	if (shared )
 	{
 		*nt_hash = chunk_clone(shared->get_key(shared));
@@ -624,8 +623,7 @@ static bool get_nt_hash(private_eap_mschapv2_t *this, identification_t *me,
 	}
 
 	/* fallback to plaintext password */
-	shared = charon->credentials->get_shared(charon->credentials,
-											SHARED_EAP, me, other);
+	shared = lib->credmgr->get_shared(lib->credmgr, SHARED_EAP, me, other);
 	if (shared)
 	{
 		password = ascii_to_unicode(shared->get_key(shared));
@@ -820,7 +818,7 @@ static status_t process_peer_failure(private_eap_mschapv2_t *this,
 	eap_mschapv2_header_t *eap;
 	chunk_t data;
 	char *message, *token, *msg = NULL;
-	int message_len, error, retryable;
+	int message_len, error = 0, retryable;
 	chunk_t challenge = chunk_empty;
 
 	data = in->get_data(in);
diff --git a/src/libcharon/plugins/eap_radius/Makefile.am b/src/libcharon/plugins/eap_radius/Makefile.am
index a3abd4124..afc50bced 100644
--- a/src/libcharon/plugins/eap_radius/Makefile.am
+++ b/src/libcharon/plugins/eap_radius/Makefile.am
@@ -13,6 +13,8 @@ endif
 libstrongswan_eap_radius_la_SOURCES = \
 	eap_radius_plugin.h eap_radius_plugin.c \
 	eap_radius.h eap_radius.c \
+	radius_server.h radius_server.c \
+	radius_socket.h radius_socket.c \
 	radius_client.h radius_client.c \
 	radius_message.h radius_message.c
 
diff --git a/src/libcharon/plugins/eap_radius/Makefile.in b/src/libcharon/plugins/eap_radius/Makefile.in
index 18427adef..bb372d13c 100644
--- a/src/libcharon/plugins/eap_radius/Makefile.in
+++ b/src/libcharon/plugins/eap_radius/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -75,7 +75,8 @@ am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_eap_radius_la_LIBADD =
 am_libstrongswan_eap_radius_la_OBJECTS = eap_radius_plugin.lo \
-	eap_radius.lo radius_client.lo radius_message.lo
+	eap_radius.lo radius_server.lo radius_socket.lo \
+	radius_client.lo radius_message.lo
 libstrongswan_eap_radius_la_OBJECTS =  \
 	$(am_libstrongswan_eap_radius_la_OBJECTS)
 libstrongswan_eap_radius_la_LINK = $(LIBTOOL) --tag=CC \
@@ -267,6 +268,8 @@ AM_CFLAGS = -rdynamic
 libstrongswan_eap_radius_la_SOURCES = \
 	eap_radius_plugin.h eap_radius_plugin.c \
 	eap_radius.h eap_radius.c \
+	radius_server.h radius_server.c \
+	radius_socket.h radius_socket.c \
 	radius_client.h radius_client.c \
 	radius_message.h radius_message.c
 
@@ -358,6 +361,8 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_radius_plugin.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/radius_client.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/radius_message.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/radius_server.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/radius_socket.Plo@am__quote@
 
 .c.o:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
diff --git a/src/libcharon/plugins/eap_radius/eap_radius.c b/src/libcharon/plugins/eap_radius/eap_radius.c
index f041fda54..65b868bc6 100644
--- a/src/libcharon/plugins/eap_radius/eap_radius.c
+++ b/src/libcharon/plugins/eap_radius/eap_radius.c
@@ -52,11 +52,6 @@ struct private_eap_radius_t {
 	 */
 	u_int32_t vendor;
 
-	/**
-	 * EAP MSK, if method established one
-	 */
-	chunk_t msk;
-
 	/**
 	 * RADIUS client instance
 	 */
@@ -71,6 +66,11 @@ struct private_eap_radius_t {
 	 * Prefix to prepend to EAP identity
 	 */
 	char *id_prefix;
+
+	/**
+	 * Handle the Class attribute as group membership information?
+	 */
+	bool class_group;
 };
 
 /**
@@ -140,10 +140,8 @@ static bool radius2ike(private_eap_radius_t *this,
 	return FALSE;
 }
 
-/**
- * Implementation of eap_method_t.initiate
- */
-static status_t initiate(private_eap_radius_t *this, eap_payload_t **out)
+METHOD(eap_method_t, initiate, status_t,
+	private_eap_radius_t *this, eap_payload_t **out)
 {
 	radius_message_t *request, *response;
 	status_t status = FAILED;
@@ -177,10 +175,44 @@ static status_t initiate(private_eap_radius_t *this, eap_payload_t **out)
 }
 
 /**
- * Implementation of eap_method_t.process
+ * Handle the Class attribute as group membership information
  */
-static status_t process(private_eap_radius_t *this,
-						eap_payload_t *in, eap_payload_t **out)
+static void process_class(private_eap_radius_t *this, radius_message_t *msg)
+{
+	enumerator_t *enumerator;
+	chunk_t data;
+	int type;
+
+	enumerator = msg->create_enumerator(msg);
+	while (enumerator->enumerate(enumerator, &type, &data))
+	{
+		if (type == RAT_CLASS)
+		{
+			identification_t *id;
+			ike_sa_t *ike_sa;
+			auth_cfg_t *auth;
+
+			if (data.len >= 44)
+			{	/* quirk: ignore long class attributes, these are used for
+				 * other purposes by some RADIUS servers (such as NPS). */
+				continue;
+			}
+
+			ike_sa = charon->bus->get_sa(charon->bus);
+			if (ike_sa)
+			{
+				auth = ike_sa->get_auth_cfg(ike_sa, FALSE);
+				id = identification_create_from_data(data);
+				DBG1(DBG_CFG, "received group membership '%Y' from RADIUS", id);
+				auth->add(auth, AUTH_RULE_GROUP, id);
+			}
+		}
+	}
+	enumerator->destroy(enumerator);
+}
+
+METHOD(eap_method_t, process, status_t,
+	private_eap_radius_t *this, eap_payload_t *in, eap_payload_t **out)
 {
 	radius_message_t *request, *response;
 	status_t status = FAILED;
@@ -211,8 +243,10 @@ static status_t process(private_eap_radius_t *this,
 				status = FAILED;
 				break;
 			case RMC_ACCESS_ACCEPT:
-				this->msk = this->client->decrypt_msk(this->client,
-													  response, request);
+				if (this->class_group)
+				{
+					process_class(this, response);
+				}
 				status = SUCCESS;
 				break;
 			case RMC_ACCESS_REJECT:
@@ -228,32 +262,29 @@ static status_t process(private_eap_radius_t *this,
 	return status;
 }
 
-/**
- * Implementation of eap_method_t.get_type.
- */
-static eap_type_t get_type(private_eap_radius_t *this, u_int32_t *vendor)
+METHOD(eap_method_t, get_type, eap_type_t,
+	private_eap_radius_t *this, u_int32_t *vendor)
 {
 	*vendor = this->vendor;
 	return this->type;
 }
 
-/**
- * Implementation of eap_method_t.get_msk.
- */
-static status_t get_msk(private_eap_radius_t *this, chunk_t *msk)
+METHOD(eap_method_t, get_msk, status_t,
+	private_eap_radius_t *this, chunk_t *out)
 {
-	if (this->msk.ptr)
+	chunk_t msk;
+
+	msk = this->client->get_msk(this->client);
+	if (msk.len)
 	{
-		*msk = this->msk;
+		*out = msk;
 		return SUCCESS;
 	}
 	return FAILED;
 }
 
-/**
- * Implementation of eap_method_t.is_mutual.
- */
-static bool is_mutual(private_eap_radius_t *this)
+METHOD(eap_method_t, is_mutual, bool,
+	private_eap_radius_t *this)
 {
 	switch (this->type)
 	{
@@ -265,15 +296,12 @@ static bool is_mutual(private_eap_radius_t *this)
 	}
 }
 
-/**
- * Implementation of eap_method_t.destroy.
- */
-static void destroy(private_eap_radius_t *this)
+METHOD(eap_method_t, destroy, void,
+	private_eap_radius_t *this)
 {
 	this->peer->destroy(this->peer);
 	this->server->destroy(this->server);
 	this->client->destroy(this->client);
-	chunk_clear(&this->msk);
 	free(this);
 }
 
@@ -282,15 +310,26 @@ static void destroy(private_eap_radius_t *this)
  */
 eap_radius_t *eap_radius_create(identification_t *server, identification_t *peer)
 {
-	private_eap_radius_t *this = malloc_thing(private_eap_radius_t);
-
-	this->public.eap_method_interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate;
-	this->public.eap_method_interface.process = (status_t(*)(eap_method_t*,eap_payload_t*,eap_payload_t**))process;
-	this->public.eap_method_interface.get_type = (eap_type_t(*)(eap_method_t*,u_int32_t*))get_type;
-	this->public.eap_method_interface.is_mutual = (bool(*)(eap_method_t*))is_mutual;
-	this->public.eap_method_interface.get_msk = (status_t(*)(eap_method_t*,chunk_t*))get_msk;
-	this->public.eap_method_interface.destroy = (void(*)(eap_method_t*))destroy;
-
+	private_eap_radius_t *this;
+
+	INIT(this,
+		.public.eap_method_interface = {
+			.initiate = _initiate,
+			.process = _process,
+			.get_type = _get_type,
+			.is_mutual = _is_mutual,
+			.get_msk = _get_msk,
+			.destroy = _destroy,
+		},
+		/* initially EAP_RADIUS, but is set to the method selected by RADIUS */
+		.type = EAP_RADIUS,
+		.eap_start = lib->settings->get_bool(lib->settings,
+								"charon.plugins.eap-radius.eap_start", FALSE),
+		.id_prefix = lib->settings->get_str(lib->settings,
+								"charon.plugins.eap-radius.id_prefix", ""),
+		.class_group = lib->settings->get_bool(lib->settings,
+								"charon.plugins.eap-radius.class_group", FALSE),
+	);
 	this->client = radius_client_create();
 	if (!this->client)
 	{
@@ -299,14 +338,6 @@ eap_radius_t *eap_radius_create(identification_t *server, identification_t *peer
 	}
 	this->peer = peer->clone(peer);
 	this->server = server->clone(server);
-	/* initially EAP_RADIUS, but is set to the method selected by RADIUS */
-	this->type = EAP_RADIUS;
-	this->vendor = 0;
-	this->msk = chunk_empty;
-	this->eap_start = lib->settings->get_bool(lib->settings,
-								"charon.plugins.eap-radius.eap_start", FALSE);
-	this->id_prefix = lib->settings->get_str(lib->settings,
-								"charon.plugins.eap-radius.id_prefix", "");
 	return &this->public;
 }
 
diff --git a/src/libcharon/plugins/eap_radius/eap_radius_plugin.c b/src/libcharon/plugins/eap_radius/eap_radius_plugin.c
index 7d2788c3e..91aae2f62 100644
--- a/src/libcharon/plugins/eap_radius/eap_radius_plugin.c
+++ b/src/libcharon/plugins/eap_radius/eap_radius_plugin.c
@@ -17,17 +17,130 @@
 
 #include "eap_radius.h"
 #include "radius_client.h"
+#include "radius_server.h"
 
 #include <daemon.h>
 
 /**
- * Implementation of plugin_t.destroy
+ * Default RADIUS server port, when not configured
  */
-static void destroy(eap_radius_plugin_t *this)
+#define RADIUS_PORT 1812
+
+typedef struct private_eap_radius_plugin_t private_eap_radius_plugin_t;
+
+/**
+ * Private data of an eap_radius_plugin_t object.
+ */
+struct private_eap_radius_plugin_t {
+
+	/**
+	 * Public radius_plugin_t interface.
+	 */
+	eap_radius_plugin_t public;
+
+	/**
+	 * List of RADIUS servers
+	 */
+	linked_list_t *servers;
+};
+
+/**
+ * Instance of the EAP plugin
+ */
+static private_eap_radius_plugin_t *instance = NULL;
+
+METHOD(plugin_t, destroy, void,
+	private_eap_radius_plugin_t *this)
 {
 	charon->eap->remove_method(charon->eap, (eap_constructor_t)eap_radius_create);
-	radius_client_cleanup();
+	this->servers->destroy_offset(this->servers,
+								  offsetof(radius_server_t, destroy));
 	free(this);
+	instance = NULL;
+}
+
+/**
+ * Load RADIUS servers from configuration
+ */
+static bool load_servers(private_eap_radius_plugin_t *this)
+{
+	enumerator_t *enumerator;
+	radius_server_t *server;
+	char *nas_identifier, *secret, *address, *section;
+	int port, sockets, preference;
+
+	address = lib->settings->get_str(lib->settings,
+					"charon.plugins.eap-radius.server", NULL);
+	if (address)
+	{	/* legacy configuration */
+		secret = lib->settings->get_str(lib->settings,
+					"charon.plugins.eap-radius.secret", NULL);
+		if (!secret)
+		{
+			DBG1(DBG_CFG, "no RADUIS secret defined");
+			return FALSE;
+		}
+		nas_identifier = lib->settings->get_str(lib->settings,
+					"charon.plugins.eap-radius.nas_identifier", "strongSwan");
+		port = lib->settings->get_int(lib->settings,
+					"charon.plugins.eap-radius.port", RADIUS_PORT);
+		sockets = lib->settings->get_int(lib->settings,
+					"charon.plugins.eap-radius.sockets", 1);
+		server = radius_server_create(address, port, nas_identifier,
+									  secret, sockets, 0);
+		if (!server)
+		{
+			DBG1(DBG_CFG, "no RADUIS server defined");
+			return FALSE;
+		}
+		this->servers->insert_last(this->servers, server);
+		return TRUE;
+	}
+
+	enumerator = lib->settings->create_section_enumerator(lib->settings,
+										"charon.plugins.eap-radius.servers");
+	while (enumerator->enumerate(enumerator, &section))
+	{
+		address = lib->settings->get_str(lib->settings,
+			"charon.plugins.eap-radius.servers.%s.address", NULL, section);
+		if (!address)
+		{
+			DBG1(DBG_CFG, "RADIUS server '%s' misses address, skipped", section);
+			continue;
+		}
+		secret = lib->settings->get_str(lib->settings,
+			"charon.plugins.eap-radius.servers.%s.secret", NULL, section);
+		if (!secret)
+		{
+			DBG1(DBG_CFG, "RADIUS server '%s' misses secret, skipped", section);
+			continue;
+		}
+		nas_identifier = lib->settings->get_str(lib->settings,
+			"charon.plugins.eap-radius.servers.%s.nas_identifier",
+			"strongSwan", section);
+		port = lib->settings->get_int(lib->settings,
+			"charon.plugins.eap-radius.servers.%s.port", RADIUS_PORT, section);
+		sockets = lib->settings->get_int(lib->settings,
+			"charon.plugins.eap-radius.servers.%s.sockets", 1, section);
+		preference = lib->settings->get_int(lib->settings,
+			"charon.plugins.eap-radius.servers.%s.preference", 0, section);
+		server = radius_server_create(address, port, nas_identifier,
+									  secret, sockets, preference);
+		if (!server)
+		{
+			DBG1(DBG_CFG, "loading RADIUS server '%s' failed, skipped", section);
+			continue;
+		}
+		this->servers->insert_last(this->servers, server);
+	}
+	enumerator->destroy(enumerator);
+
+	if (this->servers->get_count(this->servers) == 0)
+	{
+		DBG1(DBG_CFG, "no valid RADIUS server configuration found");
+		return FALSE;
+	}
+	return TRUE;
 }
 
 /*
@@ -35,20 +148,35 @@ static void destroy(eap_radius_plugin_t *this)
  */
 plugin_t *eap_radius_plugin_create()
 {
-	eap_radius_plugin_t *this;
+	private_eap_radius_plugin_t *this;
+
+	INIT(this,
+		.public.plugin.destroy = _destroy,
+		.servers = linked_list_create(),
+	);
 
-	if (!radius_client_init())
+	if (!load_servers(this))
 	{
-		DBG1(DBG_CFG, "RADIUS plugin initialization failed");
+		destroy(this);
 		return NULL;
 	}
-
-	this = malloc_thing(eap_radius_plugin_t);
-	this->plugin.destroy = (void(*)(plugin_t*))destroy;
-
 	charon->eap->add_method(charon->eap, EAP_RADIUS, 0,
 							EAP_SERVER, (eap_constructor_t)eap_radius_create);
 
-	return &this->plugin;
+	instance = this;
+
+	return &this->public.plugin;
+}
+
+/**
+ * See header
+ */
+enumerator_t *eap_radius_create_server_enumerator()
+{
+	if (instance)
+	{
+		return instance->servers->create_enumerator(instance->servers);
+	}
+	return enumerator_create_empty();
 }
 
diff --git a/src/libcharon/plugins/eap_radius/eap_radius_plugin.h b/src/libcharon/plugins/eap_radius/eap_radius_plugin.h
index f2b8b5082..cb724364a 100644
--- a/src/libcharon/plugins/eap_radius/eap_radius_plugin.h
+++ b/src/libcharon/plugins/eap_radius/eap_radius_plugin.h
@@ -25,6 +25,7 @@
 #define EAP_RADIUS_PLUGIN_H_
 
 #include <plugins/plugin.h>
+#include <utils/enumerator.h>
 
 typedef struct eap_radius_plugin_t eap_radius_plugin_t;
 
@@ -42,4 +43,11 @@ struct eap_radius_plugin_t {
 	plugin_t plugin;
 };
 
+/**
+ * Create an enumerator over all loaded RADIUS servers.
+ *
+ * @return			enumerator over radius_server_t
+ */
+enumerator_t *eap_radius_create_server_enumerator();
+
 #endif /** EAP_RADIUS_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/eap_radius/radius_client.c b/src/libcharon/plugins/eap_radius/radius_client.c
index 1d1f21742..232b9135e 100644
--- a/src/libcharon/plugins/eap_radius/radius_client.c
+++ b/src/libcharon/plugins/eap_radius/radius_client.c
@@ -15,6 +15,9 @@
 
 #include "radius_client.h"
 
+#include "eap_radius_plugin.h"
+#include "radius_server.h"
+
 #include <unistd.h>
 #include <errno.h>
 
@@ -24,42 +27,8 @@
 #include <threading/condvar.h>
 #include <threading/mutex.h>
 
-/**
- * Default RADIUS server port, when not configured
- */
-#define RADIUS_PORT 1812
-
-/**
- * Vendor-Id of Microsoft specific attributes
- */
-#define VENDOR_ID_MICROSOFT 311
-
-/**
- * Microsoft specific vendor attributes
- */
-#define MS_MPPE_SEND_KEY 16
-#define MS_MPPE_RECV_KEY 17
-
 typedef struct private_radius_client_t private_radius_client_t;
 
-typedef struct entry_t entry_t;
-
-/**
- * A socket pool entry.
- */
-struct entry_t {
-	/** socket file descriptor */
-	int fd;
-	/** current RADIUS identifier */
-	u_int8_t identifier;
-	/** hasher to use for response verification */
-	hasher_t *hasher;
-	/** HMAC-MD5 signer to build Message-Authenticator attribute */
-	signer_t *signer;
-	/** random number generator for RADIUS request authenticator */
-	rng_t *rng;
-};
-
 /**
  * Private data of an radius_client_t object.
  */
@@ -70,171 +39,21 @@ struct private_radius_client_t {
 	 */
 	radius_client_t public;
 
+	/**
+	 * Selected RADIUS server
+	 */
+	radius_server_t *server;
+
 	/**
 	 * RADIUS servers State attribute
 	 */
 	chunk_t state;
-};
 
-/**
- * Global list of radius sockets, contains entry_t's
- */
-static linked_list_t *sockets;
-
-/**
- * mutex to lock sockets list
- */
-static mutex_t *mutex;
-
-/**
- * condvar to wait for sockets
- */
-static condvar_t *condvar;
-
-/**
- * RADIUS secret
- */
-static chunk_t secret;
-
-/**
- * NAS-Identifier
- */
-static chunk_t nas_identifier;
-
-/**
- * Clean up socket list
- */
-void radius_client_cleanup()
-{
-	entry_t *entry;
-
-	mutex->destroy(mutex);
-	condvar->destroy(condvar);
-	while (sockets->remove_last(sockets, (void**)&entry) == SUCCESS)
-	{
-		entry->rng->destroy(entry->rng);
-		entry->hasher->destroy(entry->hasher);
-		entry->signer->destroy(entry->signer);
-		close(entry->fd);
-		free(entry);
-	}
-	sockets->destroy(sockets);
-}
-
-/**
- * Initialize the socket list
- */
-bool radius_client_init()
-{
-	int i, count, fd;
-	u_int16_t port;
-	entry_t *entry;
-	host_t *host;
-	char *server;
-
-	nas_identifier.ptr = lib->settings->get_str(lib->settings,
-					"charon.plugins.eap-radius.nas_identifier", "strongSwan");
-	nas_identifier.len = strlen(nas_identifier.ptr);
-
-	secret.ptr = lib->settings->get_str(lib->settings,
-					"charon.plugins.eap-radius.secret", NULL);
-	if (!secret.ptr)
-	{
-		DBG1(DBG_CFG, "no RADUIS secret defined");
-		return FALSE;
-	}
-	secret.len = strlen(secret.ptr);
-	server = lib->settings->get_str(lib->settings,
-					"charon.plugins.eap-radius.server", NULL);
-	if (!server)
-	{
-		DBG1(DBG_CFG, "no RADUIS server defined");
-		return FALSE;
-	}
-	port = lib->settings->get_int(lib->settings,
-					"charon.plugins.eap-radius.port", RADIUS_PORT);
-	host = host_create_from_dns(server, 0, port);
-	if (!host)
-	{
-		return FALSE;
-	}
-	count = lib->settings->get_int(lib->settings,
-					"charon.plugins.eap-radius.sockets", 1);
-
-	sockets = linked_list_create();
-	mutex = mutex_create(MUTEX_TYPE_DEFAULT);
-	condvar = condvar_create(CONDVAR_TYPE_DEFAULT);
-	for (i = 0; i < count; i++)
-	{
-		fd = socket(host->get_family(host), SOCK_DGRAM, IPPROTO_UDP);
-		if (fd < 0)
-		{
-			DBG1(DBG_CFG, "opening RADIUS socket failed");
-			host->destroy(host);
-			radius_client_cleanup();
-			return FALSE;
-		}
-		if (connect(fd, host->get_sockaddr(host),
-					*host->get_sockaddr_len(host)) < 0)
-		{
-			DBG1(DBG_CFG, "connecting RADIUS socket failed");
-			host->destroy(host);
-			radius_client_cleanup();
-			return FALSE;
-		}
-		entry = malloc_thing(entry_t);
-		entry->fd = fd;
-		/* we use per-socket crypto elements: this reduces overhead, but
-		 * is still thread-save. */
-		entry->hasher = lib->crypto->create_hasher(lib->crypto, HASH_MD5);
-		entry->signer = lib->crypto->create_signer(lib->crypto, AUTH_HMAC_MD5_128);
-		entry->rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
-		if (!entry->hasher || !entry->signer || !entry->rng)
-		{
-			DBG1(DBG_CFG, "RADIUS initialization failed, HMAC/MD5/RNG required");
-			DESTROY_IF(entry->hasher);
-			DESTROY_IF(entry->signer);
-			DESTROY_IF(entry->rng);
-			free(entry);
-			host->destroy(host);
-			radius_client_cleanup();
-			return FALSE;
-		}
-		entry->signer->set_key(entry->signer, secret);
-		/* we use a random identifier, helps if we restart often (testing) */
-		entry->identifier = random();
-		sockets->insert_last(sockets, entry);
-	}
-	host->destroy(host);
-	return TRUE;
-}
-
-/**
- * Get a socket from the pool, block if none available
- */
-static entry_t* get_socket()
-{
-	entry_t *entry;
-
-	mutex->lock(mutex);
-	while (sockets->remove_first(sockets, (void**)&entry) != SUCCESS)
-	{
-		condvar->wait(condvar, mutex);
-	}
-	mutex->unlock(mutex);
-	return entry;
-}
-
-/**
- * Release a socket to the pool
- */
-static void put_socket(entry_t *entry)
-{
-	mutex->lock(mutex);
-	sockets->insert_last(sockets, entry);
-	mutex->unlock(mutex);
-	condvar->signal(condvar);
-}
+	/**
+	 * EAP MSK, from MPPE keys
+	 */
+	chunk_t msk;
+};
 
 /**
  * Save the state attribute to include in further request
@@ -261,234 +80,103 @@ static void save_state(private_radius_client_t *this, radius_message_t *msg)
 	chunk_free(&this->state);
 }
 
-/**
- * Implementation of radius_client_t.request
- */
-static radius_message_t* request(private_radius_client_t *this,
-								 radius_message_t *req)
+METHOD(radius_client_t, request, radius_message_t*,
+	private_radius_client_t *this, radius_message_t *req)
 {
 	char virtual[] = {0x00,0x00,0x00,0x05};
-	entry_t *socket;
-	chunk_t data;
-	int i;
+	radius_socket_t *socket;
+	radius_message_t *res;
 
-	socket = get_socket();
-
-	/* set Message Identifier */
-	req->set_identifier(req, socket->identifier++);
 	/* we add the "Virtual" NAS-Port-Type, as we SHOULD include one */
 	req->add(req, RAT_NAS_PORT_TYPE, chunk_create(virtual, sizeof(virtual)));
 	/* add our NAS-Identifier */
-	req->add(req, RAT_NAS_IDENTIFIER, nas_identifier);
+	req->add(req, RAT_NAS_IDENTIFIER,
+			 this->server->get_nas_identifier(this->server));
 	/* add State attribute, if server sent one */
 	if (this->state.ptr)
 	{
 		req->add(req, RAT_STATE, this->state);
 	}
-	/* sign the request */
-	req->sign(req, socket->rng, socket->signer);
-
-	data = req->get_encoding(req);
-	/* timeout after 2, 3, 4, 5 seconds */
-	for (i = 2; i <= 5; i++)
+	socket = this->server->get_socket(this->server);
+	DBG1(DBG_CFG, "sending RADIUS %N to %#H", radius_message_code_names,
+		 req->get_code(req), this->server->get_address(this->server));
+	res = socket->request(socket, req);
+	if (res)
 	{
-		radius_message_t *response;
-		bool retransmit = FALSE;
-		struct timeval tv;
-		char buf[4096];
-		fd_set fds;
-		int res;
-
-		if (send(socket->fd, data.ptr, data.len, 0) != data.len)
-		{
-			DBG1(DBG_CFG, "sending RADIUS message failed: %s", strerror(errno));
-			put_socket(socket);
-			return NULL;
-		}
-		tv.tv_sec = i;
-		tv.tv_usec = 0;
-
-		while (TRUE)
+		DBG1(DBG_CFG, "received RADIUS %N from %#H", radius_message_code_names,
+			 res->get_code(res), this->server->get_address(this->server));
+		save_state(this, res);
+		if (res->get_code(res) == RMC_ACCESS_ACCEPT)
 		{
-			FD_ZERO(&fds);
-			FD_SET(socket->fd, &fds);
-			res = select(socket->fd + 1, &fds, NULL, NULL, &tv);
-			/* TODO: updated tv to time not waited. Linux does this for us. */
-			if (res < 0)
-			{	/* failed */
-				DBG1(DBG_CFG, "waiting for RADIUS message failed: %s",
-					 strerror(errno));
-				break;
-			}
-			if (res == 0)
-			{	/* timeout */
-				DBG1(DBG_CFG, "retransmitting RADIUS message");
-				retransmit = TRUE;
-				break;
-			}
-			res = recv(socket->fd, buf, sizeof(buf), MSG_DONTWAIT);
-			if (res <= 0)
-			{
-				DBG1(DBG_CFG, "receiving RADIUS message failed: %s",
-					 strerror(errno));
-				break;
-			}
-			response = radius_message_parse_response(chunk_create(buf, res));
-			if (response)
-			{
-				if (response->verify(response, req->get_authenticator(req),
-							secret, socket->hasher, socket->signer))
-				{
-					save_state(this, response);
-					put_socket(socket);
-					return response;
-				}
-				response->destroy(response);
-			}
-			DBG1(DBG_CFG, "received invalid RADIUS message, ignored");
-		}
-		if (!retransmit)
-		{
-			break;
+			chunk_clear(&this->msk);
+			this->msk = socket->decrypt_msk(socket, req, res);
 		}
+		this->server->put_socket(this->server, socket, TRUE);
+		return res;
 	}
-	DBG1(DBG_CFG, "RADIUS server is not responding");
-	put_socket(socket);
+	this->server->put_socket(this->server, socket, FALSE);
 	charon->bus->alert(charon->bus, ALERT_RADIUS_NOT_RESPONDING);
 	return NULL;
 }
 
-/**
- * Decrypt a MS-MPPE-Send/Recv-Key
- */
-static chunk_t decrypt_mppe_key(private_radius_client_t *this, u_int16_t salt,
-								chunk_t C, radius_message_t *request)
+METHOD(radius_client_t, get_msk, chunk_t,
+	private_radius_client_t *this)
 {
-	chunk_t A, R, P, seed;
-	u_char *c, *p;
-	hasher_t *hasher;
-
-	/**
-	 * From RFC2548 (encryption):
-	 * b(1) = MD5(S + R + A)    c(1) = p(1) xor b(1)   C = c(1)
-	 * b(2) = MD5(S + c(1))     c(2) = p(2) xor b(2)   C = C + c(2)
-	 *      . . .
-	 * b(i) = MD5(S + c(i-1))   c(i) = p(i) xor b(i)   C = C + c(i)
-	 */
-
-	if (C.len % HASH_SIZE_MD5 || C.len < HASH_SIZE_MD5)
-	{
-		return chunk_empty;
-	}
-
-	hasher = lib->crypto->create_hasher(lib->crypto, HASH_MD5);
-	if (!hasher)
-	{
-		return chunk_empty;
-	}
-
-	A = chunk_create((u_char*)&salt, sizeof(salt));
-	R = chunk_create(request->get_authenticator(request), HASH_SIZE_MD5);
-	P = chunk_alloca(C.len);
-	p = P.ptr;
-	c = C.ptr;
-
-	seed = chunk_cata("cc", R, A);
-
-	while (c < C.ptr + C.len)
-	{
-		/* b(i) = MD5(S + c(i-1)) */
-		hasher->get_hash(hasher, secret, NULL);
-		hasher->get_hash(hasher, seed, p);
-
-		/* p(i) = b(i) xor c(1) */
-		memxor(p, c, HASH_SIZE_MD5);
-
-		/* prepare next round */
-		seed = chunk_create(c, HASH_SIZE_MD5);
-		c += HASH_SIZE_MD5;
-		p += HASH_SIZE_MD5;
-	}
-	hasher->destroy(hasher);
+	return this->msk;
+}
 
-	/* remove truncation, first byte is key length */
-	if (*P.ptr >= P.len)
-	{	/* decryption failed? */
-		return chunk_empty;
-	}
-	return chunk_clone(chunk_create(P.ptr + 1, *P.ptr));
+METHOD(radius_client_t, destroy, void,
+	private_radius_client_t *this)
+{
+	chunk_clear(&this->msk);
+	free(this->state.ptr);
+	free(this);
 }
 
 /**
- * Implementation of radius_client_t.decrypt_msk
+ * See header
  */
-static chunk_t decrypt_msk(private_radius_client_t *this,
-						   radius_message_t *response, radius_message_t *request)
+radius_client_t *radius_client_create()
 {
-	struct {
-		u_int32_t id;
-		u_int8_t type;
-		u_int8_t length;
-		u_int16_t salt;
-		u_int8_t key[];
-	} __attribute__((packed)) *mppe_key;
+	private_radius_client_t *this;
 	enumerator_t *enumerator;
-	chunk_t data, send = chunk_empty, recv = chunk_empty;
-	int type;
-
-	enumerator = response->create_enumerator(response);
-	while (enumerator->enumerate(enumerator, &type, &data))
+	radius_server_t *server;
+	int current, best = -1;
+
+	INIT(this,
+		.public = {
+			.request = _request,
+			.get_msk = _get_msk,
+			.destroy = _destroy,
+		},
+	);
+
+	enumerator = eap_radius_create_server_enumerator();
+	while (enumerator->enumerate(enumerator, &server))
 	{
-		if (type == RAT_VENDOR_SPECIFIC &&
-			data.len > sizeof(*mppe_key))
+		current = server->get_preference(server);
+		if (current > best ||
+			/* for two with equal preference, 50-50 chance */
+			(current == best && random() % 2 == 0))
+		{
+			DBG2(DBG_CFG, "RADIUS server %H is candidate: %d",
+				 server->get_address(server), current);
+			best = current;
+			this->server = server;
+		}
+		else
 		{
-			mppe_key = (void*)data.ptr;
-			if (ntohl(mppe_key->id) == VENDOR_ID_MICROSOFT &&
-				mppe_key->length == data.len - sizeof(mppe_key->id))
-			{
-				data = chunk_create(mppe_key->key, data.len - sizeof(*mppe_key));
-				if (mppe_key->type == MS_MPPE_SEND_KEY)
-				{
-					send = decrypt_mppe_key(this, mppe_key->salt, data, request);
-				}
-				if (mppe_key->type == MS_MPPE_RECV_KEY)
-				{
-					recv = decrypt_mppe_key(this, mppe_key->salt, data, request);
-				}
-			}
+			DBG2(DBG_CFG, "RADIUS server %H skipped: %d",
+				 server->get_address(server), current);
 		}
 	}
 	enumerator->destroy(enumerator);
-	if (send.ptr && recv.ptr)
+
+	if (!this->server)
 	{
-		return chunk_cat("mm", recv, send);
+		free(this);
+		return NULL;
 	}
-	chunk_clear(&send);
-	chunk_clear(&recv);
-	return chunk_empty;
-}
-
-/**
- * Implementation of radius_client_t.destroy.
- */
-static void destroy(private_radius_client_t *this)
-{
-	free(this->state.ptr);
-	free(this);
-}
-
-/**
- * See header
- */
-radius_client_t *radius_client_create()
-{
-	private_radius_client_t *this = malloc_thing(private_radius_client_t);
-
-	this->public.request = (radius_message_t*(*)(radius_client_t*, radius_message_t *msg))request;
-	this->public.decrypt_msk = (chunk_t(*)(radius_client_t*, radius_message_t *, radius_message_t *))decrypt_msk;
-	this->public.destroy = (void(*)(radius_client_t*))destroy;
-
-	this->state = chunk_empty;
 
 	return &this->public;
 }
diff --git a/src/libcharon/plugins/eap_radius/radius_client.h b/src/libcharon/plugins/eap_radius/radius_client.h
index 77ba94807..e4f3a7222 100644
--- a/src/libcharon/plugins/eap_radius/radius_client.h
+++ b/src/libcharon/plugins/eap_radius/radius_client.h
@@ -29,19 +29,14 @@ typedef struct radius_client_t radius_client_t;
  * RADIUS client functionality.
  *
  * To communicate with a RADIUS server, create a client and send messages over
- * it. All instances share a fixed size pool of sockets. The client reserves
- * a socket during request() and releases it afterwards.
+ * it. The client allocates a socket from the best RADIUS server abailable.
  */
 struct radius_client_t {
 
 	/**
 	 * Send a RADIUS request and wait for the response.
 	 *
-	 * The client fills in RADIUS Message identifier, NAS-Identifier,
-	 * NAS-Port-Type, builds a Request-Authenticator and calculates the
-	 * Message-Authenticator attribute.
-	 * The received response gets verified using the Response-Identifier
-	 * and the Message-Authenticator attribute.
+	 * The client fills in NAS-Identifier nad NAS-Port-Type
 	 *
 	 * @param msg			RADIUS request message to send
 	 * @return				response, NULL if timed out/verification failed
@@ -49,14 +44,11 @@ struct radius_client_t {
 	radius_message_t* (*request)(radius_client_t *this, radius_message_t *msg);
 
 	/**
-	 * Decrypt the MSK encoded in a messages MS-MPPE-Send/Recv-Key.
+	 * Get the EAP MSK after successful RADIUS authentication.
 	 *
-	 * @param response		RADIUS response message containing attributes
-	 * @param request		associated RADIUS request message
-	 * @return				allocated MSK, empty chunk if none found
+	 * @return				MSK, allocated
 	 */
-	chunk_t (*decrypt_msk)(radius_client_t *this, radius_message_t *response,
-						   radius_message_t *request);
+	chunk_t (*get_msk)(radius_client_t *this);
 
 	/**
 	 * Destroy the client, release the socket.
@@ -65,24 +57,10 @@ struct radius_client_t {
 };
 
 /**
- * Create a RADIUS client, acquire a socket.
- *
- * This call might block if the socket pool is empty.
+ * Create a RADIUS client.
  *
  * @return			radius_client_t object
  */
 radius_client_t *radius_client_create();
 
-/**
- * Initialize the socket pool.
- *
- * @return 			TRUE if initialization successful
- */
-bool radius_client_init();
-
-/**
- * Cleanup the socket pool.
- */
-void radius_client_cleanup();
-
 #endif /** RADIUS_CLIENT_H_ @}*/
diff --git a/src/libcharon/plugins/eap_radius/radius_message.c b/src/libcharon/plugins/eap_radius/radius_message.c
index 11a1d8dfc..23a29b772 100644
--- a/src/libcharon/plugins/eap_radius/radius_message.c
+++ b/src/libcharon/plugins/eap_radius/radius_message.c
@@ -215,13 +215,8 @@ typedef struct {
 	int left;
 } attribute_enumerator_t;
 
-
-/**
- * Implementation of attribute_enumerator_t.enumerate
- */
-static bool attribute_enumerate(attribute_enumerator_t *this,
-								int *type, chunk_t *data)
-
+METHOD(enumerator_t, attribute_enumerate, bool,
+	attribute_enumerator_t *this, int *type, chunk_t *data)
 {
 	if (this->left == 0)
 	{
@@ -241,10 +236,8 @@ static bool attribute_enumerate(attribute_enumerator_t *this,
 	return TRUE;
 }
 
-/**
- * Implementation of radius_message_t.create_enumerator
- */
-static enumerator_t* create_enumerator(private_radius_message_t *this)
+METHOD(radius_message_t, create_enumerator, enumerator_t*,
+	private_radius_message_t *this)
 {
 	attribute_enumerator_t *e;
 
@@ -252,20 +245,19 @@ static enumerator_t* create_enumerator(private_radius_message_t *this)
 	{
 		return enumerator_create_empty();
 	}
-
-	e = malloc_thing(attribute_enumerator_t);
-	e->public.enumerate = (void*)attribute_enumerate;
-	e->public.destroy = (void*)free;
-	e->next = (rattr_t*)this->msg->attributes;
-	e->left = ntohs(this->msg->length) - sizeof(rmsg_t);
+	INIT(e,
+		.public = {
+			.enumerate = (void*)_attribute_enumerate,
+			.destroy = (void*)free,
+		},
+		.next = (rattr_t*)this->msg->attributes,
+		.left = ntohs(this->msg->length) - sizeof(rmsg_t),
+	);
 	return &e->public;
 }
 
-/**
- * Implementation of radius_message_t.add
- */
-static void add(private_radius_message_t *this, radius_attribute_type_t type,
-				chunk_t data)
+METHOD(radius_message_t, add, void,
+	private_radius_message_t *this, radius_attribute_type_t type, chunk_t data)
 {
 	rattr_t *attribute;
 
@@ -279,10 +271,8 @@ static void add(private_radius_message_t *this, radius_attribute_type_t type,
 	this->msg->length = htons(ntohs(this->msg->length) + attribute->length);
 }
 
-/**
- * Implementation of radius_message_t.sign
- */
-static void sign(private_radius_message_t *this, rng_t *rng, signer_t *signer)
+METHOD(radius_message_t, sign, void,
+	private_radius_message_t *this, rng_t *rng, signer_t *signer)
 {
 	char buf[HASH_SIZE_MD5];
 
@@ -297,11 +287,9 @@ static void sign(private_radius_message_t *this, rng_t *rng, signer_t *signer)
 				((u_char*)this->msg) + ntohs(this->msg->length) - HASH_SIZE_MD5);
 }
 
-/**
- * Implementation of radius_message_t.verify
- */
-static bool verify(private_radius_message_t *this, u_int8_t *req_auth,
-				   chunk_t secret, hasher_t *hasher, signer_t *signer)
+METHOD(radius_message_t, verify, bool,
+	private_radius_message_t *this, u_int8_t *req_auth, chunk_t secret,
+	hasher_t *hasher, signer_t *signer)
 {
 	char buf[HASH_SIZE_MD5], res_auth[HASH_SIZE_MD5];
 	enumerator_t *enumerator;
@@ -369,51 +357,39 @@ static bool verify(private_radius_message_t *this, u_int8_t *req_auth,
 	return TRUE;
 }
 
-/**
- * Implementation of radius_message_t.get_code
- */
-static radius_message_code_t get_code(private_radius_message_t *this)
+METHOD(radius_message_t, get_code, radius_message_code_t,
+	private_radius_message_t *this)
 {
 	return this->msg->code;
 }
 
-/**
- * Implementation of radius_message_t.get_identifier
- */
-static u_int8_t get_identifier(private_radius_message_t *this)
+METHOD(radius_message_t, get_identifier, u_int8_t,
+	private_radius_message_t *this)
 {
 	return this->msg->identifier;
 }
 
-/**
- * Implementation of radius_message_t.set_identifier
- */
-static void set_identifier(private_radius_message_t *this, u_int8_t identifier)
+METHOD(radius_message_t, set_identifier, void,
+	private_radius_message_t *this, u_int8_t identifier)
 {
 	this->msg->identifier = identifier;
 }
 
-/**
- * Implementation of radius_message_t.get_authenticator
- */
-static u_int8_t* get_authenticator(private_radius_message_t *this)
+METHOD(radius_message_t, get_authenticator, u_int8_t*,
+	private_radius_message_t *this)
 {
 	return this->msg->authenticator;
 }
 
 
-/**
- * Implementation of radius_message_t.get_encoding
- */
-static chunk_t get_encoding(private_radius_message_t *this)
+METHOD(radius_message_t, get_encoding, chunk_t,
+	private_radius_message_t *this)
 {
 	return chunk_create((u_char*)this->msg, ntohs(this->msg->length));
 }
 
-/**
- * Implementation of radius_message_t.destroy.
- */
-static void destroy(private_radius_message_t *this)
+METHOD(radius_message_t, destroy, void,
+	private_radius_message_t *this)
 {
 	free(this->msg);
 	free(this);
@@ -424,18 +400,22 @@ static void destroy(private_radius_message_t *this)
  */
 static private_radius_message_t *radius_message_create()
 {
-	private_radius_message_t *this = malloc_thing(private_radius_message_t);
-
-	this->public.create_enumerator = (enumerator_t*(*)(radius_message_t*))create_enumerator;
-	this->public.add = (void(*)(radius_message_t*, radius_attribute_type_t,chunk_t))add;
-	this->public.get_code = (radius_message_code_t(*)(radius_message_t*))get_code;
-	this->public.get_identifier = (u_int8_t(*)(radius_message_t*))get_identifier;
-	this->public.set_identifier = (void(*)(radius_message_t*, u_int8_t identifier))set_identifier;
-	this->public.get_authenticator = (u_int8_t*(*)(radius_message_t*))get_authenticator;
-	this->public.get_encoding = (chunk_t(*)(radius_message_t*))get_encoding;
-	this->public.sign = (void(*)(radius_message_t*, rng_t *rng, signer_t *signer))sign;
-	this->public.verify = (bool(*)(radius_message_t*, u_int8_t *req_auth, chunk_t secret, hasher_t *hasher, signer_t *signer))verify;
-	this->public.destroy = (void(*)(radius_message_t*))destroy;
+	private_radius_message_t *this;
+
+	INIT(this,
+		.public = {
+			.create_enumerator = _create_enumerator,
+			.add = _add,
+			.get_code = _get_code,
+			.get_identifier = _get_identifier,
+			.set_identifier = _set_identifier,
+			.get_authenticator = _get_authenticator,
+			.get_encoding = _get_encoding,
+			.sign = _sign,
+			.verify = _verify,
+			.destroy = _destroy,
+		},
+	);
 
 	return this;
 }
@@ -447,10 +427,11 @@ radius_message_t *radius_message_create_request()
 {
 	private_radius_message_t *this = radius_message_create();
 
-	this->msg = malloc_thing(rmsg_t);
-	this->msg->code = RMC_ACCESS_REQUEST;
-	this->msg->identifier = 0;
-	this->msg->length = htons(sizeof(rmsg_t));
+	INIT(this->msg,
+		.code = RMC_ACCESS_REQUEST,
+		.identifier = 0,
+		.length = htons(sizeof(rmsg_t)),
+	);
 
 	return &this->public;
 }
diff --git a/src/libcharon/plugins/eap_radius/radius_server.c b/src/libcharon/plugins/eap_radius/radius_server.c
new file mode 100644
index 000000000..f54b8b2cd
--- /dev/null
+++ b/src/libcharon/plugins/eap_radius/radius_server.c
@@ -0,0 +1,212 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "radius_server.h"
+
+#include <threading/mutex.h>
+#include <threading/condvar.h>
+#include <utils/linked_list.h>
+
+typedef struct private_radius_server_t private_radius_server_t;
+
+/**
+ * Private data of an radius_server_t object.
+ */
+struct private_radius_server_t {
+
+	/**
+	 * Public radius_server_t interface.
+	 */
+	radius_server_t public;
+
+	/**
+	 * RADIUS server address
+	 */
+	host_t *host;
+
+	/**
+	 * list of radius sockets, as radius_socket_t
+	 */
+	linked_list_t *sockets;
+
+	/**
+	 * Total number of sockets, in list + currently in use
+	 */
+	int socket_count;
+
+	/**
+	 * mutex to lock sockets list
+	 */
+	mutex_t *mutex;
+
+	/**
+	 * condvar to wait for sockets
+	 */
+	condvar_t *condvar;
+
+	/**
+	 * RADIUS secret
+	 */
+	chunk_t secret;
+
+	/**
+	 * NAS-Identifier
+	 */
+	chunk_t nas_identifier;
+
+	/**
+	 * Preference boost for this server
+	 */
+	int preference;
+
+	/**
+	 * Is the server currently reachable
+	 */
+	bool reachable;
+
+	/**
+	 * Retry counter for unreachable servers
+	 */
+	int retry;
+};
+
+METHOD(radius_server_t, get_socket, radius_socket_t*,
+	private_radius_server_t *this)
+{
+	radius_socket_t *skt;
+
+	this->mutex->lock(this->mutex);
+	while (this->sockets->remove_first(this->sockets, (void**)&skt) != SUCCESS)
+	{
+		this->condvar->wait(this->condvar, this->mutex);
+	}
+	this->mutex->unlock(this->mutex);
+	return skt;
+}
+
+METHOD(radius_server_t, put_socket, void,
+	private_radius_server_t *this, radius_socket_t *skt, bool result)
+{
+	this->mutex->lock(this->mutex);
+	this->sockets->insert_last(this->sockets, skt);
+	this->mutex->unlock(this->mutex);
+	this->condvar->signal(this->condvar);
+	this->reachable = result;
+}
+
+METHOD(radius_server_t, get_nas_identifier, chunk_t,
+	private_radius_server_t *this)
+{
+	return this->nas_identifier;
+}
+
+METHOD(radius_server_t, get_preference, int,
+	private_radius_server_t *this)
+{
+	int pref;
+
+	if (this->socket_count == 0)
+	{	/* don't have sockets, huh? */
+		return -1;
+	}
+	/* calculate preference between 0-100 + boost */
+	pref = this->preference;
+	pref += this->sockets->get_count(this->sockets) * 100 / this->socket_count;
+	if (this->reachable)
+	{	/* reachable server get a boost: pref = 110-210 + boost */
+		return pref + 110;
+	}
+	/* Not reachable. Increase preference randomly to let it retry from
+	 * time to time, especially if other servers have high load. */
+	this->retry++;
+	if (this->retry % 128 == 0)
+	{	/* every 64th request gets 210, same as unloaded reachable */
+		return pref + 110;
+	}
+	if (this->retry % 32 == 0)
+	{	/* every 32th request gets 190, wins against average loaded */
+		return pref + 90;
+	}
+	if (this->retry % 8 == 0)
+	{	/* every 8th request gets 110, same as server under load */
+		return pref + 10;
+	}
+	/* other get ~100, less than fully loaded */
+	return pref;
+}
+
+METHOD(radius_server_t, get_address, host_t*,
+	private_radius_server_t *this)
+{
+	return this->host;
+}
+
+METHOD(radius_server_t, destroy, void,
+	private_radius_server_t *this)
+{
+	DESTROY_IF(this->host);
+	this->mutex->destroy(this->mutex);
+	this->condvar->destroy(this->condvar);
+	this->sockets->destroy_offset(this->sockets,
+								  offsetof(radius_socket_t, destroy));
+	free(this);
+}
+
+/**
+ * See header
+ */
+radius_server_t *radius_server_create(char *server, u_int16_t port,
+				char *nas_identifier, char *secret, int sockets, int preference)
+{
+	private_radius_server_t *this;
+	radius_socket_t *socket;
+
+	INIT(this,
+		.public = {
+			.get_socket = _get_socket,
+			.put_socket = _put_socket,
+			.get_nas_identifier = _get_nas_identifier,
+			.get_preference = _get_preference,
+			.get_address = _get_address,
+			.destroy = _destroy,
+		},
+		.reachable = TRUE,
+		.nas_identifier = chunk_create(nas_identifier, strlen(nas_identifier)),
+		.socket_count = sockets,
+		.sockets = linked_list_create(),
+		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+		.condvar = condvar_create(CONDVAR_TYPE_DEFAULT),
+		.host = host_create_from_dns(server, 0, port),
+		.preference = preference,
+	);
+
+	if (!this->host)
+	{
+		destroy(this);
+		return NULL;
+	}
+	while (sockets--)
+	{
+		socket = radius_socket_create(this->host,
+									  chunk_create(secret, strlen(secret)));
+		if (!socket)
+		{
+			destroy(this);
+			return NULL;
+		}
+		this->sockets->insert_last(this->sockets, socket);
+	}
+	return &this->public;
+}
diff --git a/src/libcharon/plugins/eap_radius/radius_server.h b/src/libcharon/plugins/eap_radius/radius_server.h
new file mode 100644
index 000000000..b820cb583
--- /dev/null
+++ b/src/libcharon/plugins/eap_radius/radius_server.h
@@ -0,0 +1,88 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup radius_server radius_server
+ * @{ @ingroup eap_radius
+ */
+
+#ifndef RADIUS_SERVER_H_
+#define RADIUS_SERVER_H_
+
+typedef struct radius_server_t radius_server_t;
+
+#include "radius_socket.h"
+
+/**
+ * RADIUS server configuration.
+ */
+struct radius_server_t {
+
+	/**
+	 * Get a RADIUS socket from the pool to communicate with this server.
+	 *
+	 * @return			RADIUS socket
+	 */
+	radius_socket_t* (*get_socket)(radius_server_t *this);
+
+	/**
+	 * Release a socket to the pool after use.
+	 *
+	 * @param skt		RADIUS socket to release
+	 * @param result	result of the socket use, TRUE for success
+	 */
+	void (*put_socket)(radius_server_t *this, radius_socket_t *skt, bool result);
+
+	/**
+	 * Get the NAS-Identifier to use with this server.
+	 *
+	 * @return			NAS-Identifier, internal data
+	 */
+	chunk_t (*get_nas_identifier)(radius_server_t *this);
+
+	/**
+	 * Get the preference of this server.
+	 *
+	 * Based on the available sockets and the server reachability a preference
+	 * value is calculated: better servers return a higher value.
+	 */
+	int (*get_preference)(radius_server_t *this);
+
+	/**
+	 * Get the address of the RADIUS server.
+	 *
+	 * @return			address, internal data
+	 */
+	host_t* (*get_address)(radius_server_t *this);
+
+	/**
+	 * Destroy a radius_server_t.
+	 */
+	void (*destroy)(radius_server_t *this);
+};
+
+/**
+ * Create a radius_server instance.
+ *
+ * @param server			server address
+ * @param port				server port
+ * @param nas_identifier	NAS-Identifier to use with this server
+ * @param sockets			number of sockets to create in pool
+ * @param preference		preference boost for this server
+ */
+radius_server_t *radius_server_create(char *server, u_int16_t port,
+			char *nas_identifier, char *secret, int sockets, int preference);
+
+#endif /** RADIUS_SERVER_H_ @}*/
diff --git a/src/libcharon/plugins/eap_radius/radius_socket.c b/src/libcharon/plugins/eap_radius/radius_socket.c
new file mode 100644
index 000000000..f46c27ede
--- /dev/null
+++ b/src/libcharon/plugins/eap_radius/radius_socket.c
@@ -0,0 +1,309 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "radius_socket.h"
+
+#include <errno.h>
+#include <unistd.h>
+
+#include <debug.h>
+
+/**
+ * Vendor-Id of Microsoft specific attributes
+ */
+#define VENDOR_ID_MICROSOFT 311
+
+/**
+ * Microsoft specific vendor attributes
+ */
+#define MS_MPPE_SEND_KEY 16
+#define MS_MPPE_RECV_KEY 17
+
+typedef struct private_radius_socket_t private_radius_socket_t;
+
+/**
+ * Private data of an radius_socket_t object.
+ */
+struct private_radius_socket_t {
+
+	/**
+	 * Public radius_socket_t interface.
+	 */
+	radius_socket_t public;
+
+	/**
+	 * socket file descriptor
+	 */
+	int fd;
+
+	/**
+	 * current RADIUS identifier
+	 */
+	u_int8_t identifier;
+
+	/**
+	 * hasher to use for response verification
+	 */
+	hasher_t *hasher;
+
+	/**
+	 * HMAC-MD5 signer to build Message-Authenticator attribute
+	 */
+	signer_t *signer;
+
+	/**
+	 * random number generator for RADIUS request authenticator
+	 */
+	rng_t *rng;
+
+	/**
+	 * RADIUS secret
+	 */
+	chunk_t secret;
+};
+
+METHOD(radius_socket_t, request, radius_message_t*,
+	private_radius_socket_t *this, radius_message_t *request)
+{
+	chunk_t data;
+	int i;
+
+	/* set Message Identifier */
+	request->set_identifier(request, this->identifier++);
+	/* sign the request */
+	request->sign(request, this->rng, this->signer);
+
+	data = request->get_encoding(request);
+	/* timeout after 2, 3, 4, 5 seconds */
+	for (i = 2; i <= 5; i++)
+	{
+		radius_message_t *response;
+		bool retransmit = FALSE;
+		struct timeval tv;
+		char buf[4096];
+		fd_set fds;
+		int res;
+
+		if (send(this->fd, data.ptr, data.len, 0) != data.len)
+		{
+			DBG1(DBG_CFG, "sending RADIUS message failed: %s", strerror(errno));
+			return NULL;
+		}
+		tv.tv_sec = i;
+		tv.tv_usec = 0;
+
+		while (TRUE)
+		{
+			FD_ZERO(&fds);
+			FD_SET(this->fd, &fds);
+			res = select(this->fd + 1, &fds, NULL, NULL, &tv);
+			/* TODO: updated tv to time not waited. Linux does this for us. */
+			if (res < 0)
+			{	/* failed */
+				DBG1(DBG_CFG, "waiting for RADIUS message failed: %s",
+					 strerror(errno));
+				break;
+			}
+			if (res == 0)
+			{	/* timeout */
+				DBG1(DBG_CFG, "retransmitting RADIUS message");
+				retransmit = TRUE;
+				break;
+			}
+			res = recv(this->fd, buf, sizeof(buf), MSG_DONTWAIT);
+			if (res <= 0)
+			{
+				DBG1(DBG_CFG, "receiving RADIUS message failed: %s",
+					 strerror(errno));
+				break;
+			}
+			response = radius_message_parse_response(chunk_create(buf, res));
+			if (response)
+			{
+				if (response->verify(response,
+							request->get_authenticator(request), this->secret,
+							this->hasher, this->signer))
+				{
+					return response;
+				}
+				response->destroy(response);
+			}
+			DBG1(DBG_CFG, "received invalid RADIUS message, ignored");
+		}
+		if (!retransmit)
+		{
+			break;
+		}
+	}
+	DBG1(DBG_CFG, "RADIUS server is not responding");
+	return NULL;
+}
+
+/**
+ * Decrypt a MS-MPPE-Send/Recv-Key
+ */
+static chunk_t decrypt_mppe_key(private_radius_socket_t *this, u_int16_t salt,
+								chunk_t C, radius_message_t *request)
+{
+	chunk_t A, R, P, seed;
+	u_char *c, *p;
+
+	/**
+	 * From RFC2548 (encryption):
+	 * b(1) = MD5(S + R + A)    c(1) = p(1) xor b(1)   C = c(1)
+	 * b(2) = MD5(S + c(1))     c(2) = p(2) xor b(2)   C = C + c(2)
+	 *      . . .
+	 * b(i) = MD5(S + c(i-1))   c(i) = p(i) xor b(i)   C = C + c(i)
+	 */
+
+	if (C.len % HASH_SIZE_MD5 || C.len < HASH_SIZE_MD5)
+	{
+		return chunk_empty;
+	}
+
+	A = chunk_create((u_char*)&salt, sizeof(salt));
+	R = chunk_create(request->get_authenticator(request), HASH_SIZE_MD5);
+	P = chunk_alloca(C.len);
+	p = P.ptr;
+	c = C.ptr;
+
+	seed = chunk_cata("cc", R, A);
+
+	while (c < C.ptr + C.len)
+	{
+		/* b(i) = MD5(S + c(i-1)) */
+		this->hasher->get_hash(this->hasher, this->secret, NULL);
+		this->hasher->get_hash(this->hasher, seed, p);
+
+		/* p(i) = b(i) xor c(1) */
+		memxor(p, c, HASH_SIZE_MD5);
+
+		/* prepare next round */
+		seed = chunk_create(c, HASH_SIZE_MD5);
+		c += HASH_SIZE_MD5;
+		p += HASH_SIZE_MD5;
+	}
+
+	/* remove truncation, first byte is key length */
+	if (*P.ptr >= P.len)
+	{	/* decryption failed? */
+		return chunk_empty;
+	}
+	return chunk_clone(chunk_create(P.ptr + 1, *P.ptr));
+}
+
+METHOD(radius_socket_t, decrypt_msk, chunk_t,
+	private_radius_socket_t *this, radius_message_t *request,
+	radius_message_t *response)
+{
+	struct {
+		u_int32_t id;
+		u_int8_t type;
+		u_int8_t length;
+		u_int16_t salt;
+		u_int8_t key[];
+	} __attribute__((packed)) *mppe_key;
+	enumerator_t *enumerator;
+	chunk_t data, send = chunk_empty, recv = chunk_empty;
+	int type;
+
+	enumerator = response->create_enumerator(response);
+	while (enumerator->enumerate(enumerator, &type, &data))
+	{
+		if (type == RAT_VENDOR_SPECIFIC &&
+			data.len > sizeof(*mppe_key))
+		{
+			mppe_key = (void*)data.ptr;
+			if (ntohl(mppe_key->id) == VENDOR_ID_MICROSOFT &&
+				mppe_key->length == data.len - sizeof(mppe_key->id))
+			{
+				data = chunk_create(mppe_key->key, data.len - sizeof(*mppe_key));
+				if (mppe_key->type == MS_MPPE_SEND_KEY)
+				{
+					send = decrypt_mppe_key(this, mppe_key->salt, data, request);
+				}
+				if (mppe_key->type == MS_MPPE_RECV_KEY)
+				{
+					recv = decrypt_mppe_key(this, mppe_key->salt, data, request);
+				}
+			}
+		}
+	}
+	enumerator->destroy(enumerator);
+	if (send.ptr && recv.ptr)
+	{
+		return chunk_cat("mm", recv, send);
+	}
+	chunk_clear(&send);
+	chunk_clear(&recv);
+	return chunk_empty;
+}
+
+METHOD(radius_socket_t, destroy, void,
+	private_radius_socket_t *this)
+{
+	DESTROY_IF(this->hasher);
+	DESTROY_IF(this->signer);
+	DESTROY_IF(this->rng);
+	close(this->fd);
+	free(this);
+}
+
+/**
+ * See header
+ */
+radius_socket_t *radius_socket_create(host_t *host, chunk_t secret)
+{
+	private_radius_socket_t *this;
+
+	INIT(this,
+		.public = {
+			.request = _request,
+			.decrypt_msk = _decrypt_msk,
+			.destroy = _destroy,
+		},
+	);
+
+	this->fd = socket(host->get_family(host), SOCK_DGRAM, IPPROTO_UDP);
+	if (this->fd < 0)
+	{
+		DBG1(DBG_CFG, "opening RADIUS socket failed: %s", strerror(errno));
+		free(this);
+		return NULL;
+	}
+	if (connect(this->fd, host->get_sockaddr(host),
+				*host->get_sockaddr_len(host)) < 0)
+	{
+		DBG1(DBG_CFG, "connecting RADIUS socket failed");
+		close(this->fd);
+		free(this);
+		return NULL;
+	}
+	this->hasher = lib->crypto->create_hasher(lib->crypto, HASH_MD5);
+	this->signer = lib->crypto->create_signer(lib->crypto, AUTH_HMAC_MD5_128);
+	this->rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
+	if (!this->hasher || !this->signer || !this->rng)
+	{
+		DBG1(DBG_CFG, "RADIUS initialization failed, HMAC/MD5/RNG required");
+		destroy(this);
+		return NULL;
+	}
+	this->secret = secret;
+	this->signer->set_key(this->signer, secret);
+	/* we use a random identifier, helps if we restart often */
+	this->identifier = random();
+
+	return &this->public;
+}
diff --git a/src/libcharon/plugins/eap_radius/radius_socket.h b/src/libcharon/plugins/eap_radius/radius_socket.h
new file mode 100644
index 000000000..fe8491a8f
--- /dev/null
+++ b/src/libcharon/plugins/eap_radius/radius_socket.h
@@ -0,0 +1,74 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup radius_socket radius_socket
+ * @{ @ingroup eap_radius
+ */
+
+#ifndef RADIUS_SOCKET_H_
+#define RADIUS_SOCKET_H_
+
+typedef struct radius_socket_t radius_socket_t;
+
+#include "radius_message.h"
+
+#include <utils/host.h>
+
+/**
+ * RADIUS socket to a server.
+ */
+struct radius_socket_t {
+
+	/**
+	 * Send a RADIUS request, wait for response.
+
+	 * The socket fills in RADIUS Message identifier, builds a
+	 * Request-Authenticator and calculates the Message-Authenticator
+	 * attribute.
+	 * The received response gets verified using the Response-Identifier
+	 * and the Message-Authenticator attribute.
+	 *
+	 * @param request		request message
+	 * @return				response message, NULL if timed out
+	 */
+	radius_message_t* (*request)(radius_socket_t *this,
+								 radius_message_t *request);
+
+	/**
+	 * Decrypt the MSK encoded in a messages MS-MPPE-Send/Recv-Key.
+	 *
+	 * @param request		associated RADIUS request message
+	 * @param response		RADIUS response message containing attributes
+	 * @return				allocated MSK, empty chunk if none found
+	 */
+	chunk_t (*decrypt_msk)(radius_socket_t *this, radius_message_t *request,
+						   radius_message_t *response);
+
+	/**
+	 * Destroy a radius_socket_t.
+	 */
+	void (*destroy)(radius_socket_t *this);
+};
+
+/**
+ * Create a radius_socket instance.
+ *
+ * @param host		RADIUS server address to connect to
+ * @param secret	RADIUS secret
+ */
+radius_socket_t *radius_socket_create(host_t *host, chunk_t secret);
+
+#endif /** RADIUS_SOCKET_H_ @}*/
diff --git a/src/libcharon/plugins/eap_sim/Makefile.in b/src/libcharon/plugins/eap_sim/Makefile.in
index 588965113..d0f44e925 100644
--- a/src/libcharon/plugins/eap_sim/Makefile.in
+++ b/src/libcharon/plugins/eap_sim/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
diff --git a/src/libcharon/plugins/eap_sim/eap_sim_peer.c b/src/libcharon/plugins/eap_sim/eap_sim_peer.c
index 961cfd30d..a3506f4ba 100644
--- a/src/libcharon/plugins/eap_sim/eap_sim_peer.c
+++ b/src/libcharon/plugins/eap_sim/eap_sim_peer.c
@@ -484,7 +484,6 @@ static status_t process_notification(private_eap_sim_peer_t *this,
 			/* test success bit */
 			if (!(data.ptr[0] & 0x80))
 			{
-				success = FALSE;
 				DBG1(DBG_IKE, "received EAP-SIM notification error '%N'",
 					 simaka_notification_names, code);
 			}
diff --git a/src/libcharon/plugins/eap_sim_file/Makefile.in b/src/libcharon/plugins/eap_sim_file/Makefile.in
index 2d998dbcc..2aa0ac832 100644
--- a/src/libcharon/plugins/eap_sim_file/Makefile.in
+++ b/src/libcharon/plugins/eap_sim_file/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
diff --git a/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in b/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in
index 6c44ea2bb..7d80f8019 100644
--- a/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in
+++ b/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
diff --git a/src/libcharon/plugins/eap_simaka_reauth/Makefile.in b/src/libcharon/plugins/eap_simaka_reauth/Makefile.in
index 35d8e7c3b..fc26f4497 100644
--- a/src/libcharon/plugins/eap_simaka_reauth/Makefile.in
+++ b/src/libcharon/plugins/eap_simaka_reauth/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
diff --git a/src/libcharon/plugins/eap_simaka_sql/Makefile.am b/src/libcharon/plugins/eap_simaka_sql/Makefile.am
new file mode 100644
index 000000000..73768be0e
--- /dev/null
+++ b/src/libcharon/plugins/eap_simaka_sql/Makefile.am
@@ -0,0 +1,18 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic -DIPSEC_CONFDIR=\"${sysconfdir}\"
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-eap-simaka-sql.la
+else
+plugin_LTLIBRARIES = libstrongswan-eap-simaka-sql.la
+endif
+
+libstrongswan_eap_simaka_sql_la_SOURCES = \
+	eap_simaka_sql_plugin.h eap_simaka_sql_plugin.c \
+	eap_simaka_sql_card.h eap_simaka_sql_card.c \
+	eap_simaka_sql_provider.h eap_simaka_sql_provider.c
+
+libstrongswan_eap_simaka_sql_la_LDFLAGS = -module -avoid-version
diff --git a/src/libcharon/plugins/eap_simaka_sql/Makefile.in b/src/libcharon/plugins/eap_simaka_sql/Makefile.in
new file mode 100644
index 000000000..f2e82df0a
--- /dev/null
+++ b/src/libcharon/plugins/eap_simaka_sql/Makefile.in
@@ -0,0 +1,592 @@
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libcharon/plugins/eap_simaka_sql
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_eap_simaka_sql_la_LIBADD =
+am_libstrongswan_eap_simaka_sql_la_OBJECTS = eap_simaka_sql_plugin.lo \
+	eap_simaka_sql_card.lo eap_simaka_sql_provider.lo
+libstrongswan_eap_simaka_sql_la_OBJECTS =  \
+	$(am_libstrongswan_eap_simaka_sql_la_OBJECTS)
+libstrongswan_eap_simaka_sql_la_LINK = $(LIBTOOL) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_eap_simaka_sql_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_eap_simaka_sql_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_eap_simaka_sql_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_eap_simaka_sql_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_eap_simaka_sql_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libhydra_plugins = @libhydra_plugins@
+libstrongswan_plugins = @libstrongswan_plugins@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic -DIPSEC_CONFDIR=\"${sysconfdir}\"
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-eap-simaka-sql.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-eap-simaka-sql.la
+libstrongswan_eap_simaka_sql_la_SOURCES = \
+	eap_simaka_sql_plugin.h eap_simaka_sql_plugin.c \
+	eap_simaka_sql_card.h eap_simaka_sql_card.c \
+	eap_simaka_sql_provider.h eap_simaka_sql_provider.c
+
+libstrongswan_eap_simaka_sql_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/eap_simaka_sql/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libcharon/plugins/eap_simaka_sql/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-eap-simaka-sql.la: $(libstrongswan_eap_simaka_sql_la_OBJECTS) $(libstrongswan_eap_simaka_sql_la_DEPENDENCIES) 
+	$(libstrongswan_eap_simaka_sql_la_LINK) $(am_libstrongswan_eap_simaka_sql_la_rpath) $(libstrongswan_eap_simaka_sql_la_OBJECTS) $(libstrongswan_eap_simaka_sql_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_simaka_sql_card.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_simaka_sql_plugin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_simaka_sql_provider.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_card.c b/src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_card.c
new file mode 100644
index 000000000..b7590405f
--- /dev/null
+++ b/src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_card.c
@@ -0,0 +1,177 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_simaka_sql_card.h"
+
+#include <time.h>
+
+#include <daemon.h>
+
+typedef struct private_eap_simaka_sql_card_t private_eap_simaka_sql_card_t;
+
+/**
+ * Private data of an eap_simaka_sql_card_t object.
+ */
+struct private_eap_simaka_sql_card_t {
+
+	/**
+	 * Public eap_simaka_sql_card_t interface.
+	 */
+	eap_simaka_sql_card_t public;
+
+	/**
+	 * Triplet/quintuplet database
+	 */
+	database_t *db;
+
+	/**
+	 * Remove used triplets/quintuplets from database
+	 */
+	bool remove_used;
+};
+
+METHOD(sim_card_t, get_triplet, bool,
+	private_eap_simaka_sql_card_t *this, identification_t *id,
+	char rand[SIM_RAND_LEN], char sres[SIM_SRES_LEN], char kc[SIM_KC_LEN])
+{
+	chunk_t sres_chunk, kc_chunk;
+	enumerator_t *query;
+	bool found = FALSE;
+	char buf[128];
+
+	snprintf(buf, sizeof(buf), "%Y", id);
+	query = this->db->query(this->db,
+				"select sres, kc from triplets where rand = ? and id = ? "
+				"order by use limit 1",
+				DB_BLOB, chunk_create(rand, SIM_RAND_LEN), DB_TEXT, buf,
+				DB_BLOB, DB_BLOB);
+	if (query)
+	{
+		if (query->enumerate(query, &sres_chunk, &kc_chunk))
+		{
+			if (sres_chunk.len == SIM_SRES_LEN &&
+				kc_chunk.len == SIM_KC_LEN)
+			{
+				memcpy(sres, sres_chunk.ptr, SIM_SRES_LEN);
+				memcpy(kc, kc_chunk.ptr, SIM_KC_LEN);
+				found = TRUE;
+			}
+		}
+		query->destroy(query);
+	}
+	if (found)
+	{
+		if (this->remove_used)
+		{
+			this->db->execute(this->db, NULL,
+					"delete from triplets where id = ? and rand = ?",
+					DB_TEXT, buf, DB_BLOB, chunk_create(rand, SIM_RAND_LEN));
+		}
+		else
+		{
+			this->db->execute(this->db, NULL,
+					"update triplets set use = ? where id = ? and rand = ?",
+					DB_UINT, time(NULL), DB_TEXT, buf,
+					DB_BLOB, chunk_create(rand, SIM_RAND_LEN));
+		}
+	}
+	return found;
+}
+
+METHOD(sim_card_t, get_quintuplet, status_t,
+	private_eap_simaka_sql_card_t *this, identification_t *id,
+	char rand[AKA_RAND_LEN], char autn[AKA_AUTN_LEN], char ck[AKA_CK_LEN],
+	char ik[AKA_IK_LEN], char res[AKA_RES_MAX], int *res_len)
+{
+	chunk_t ck_chunk, ik_chunk, res_chunk;
+	enumerator_t *query;
+	status_t found = FAILED;
+	char buf[128];
+
+	snprintf(buf, sizeof(buf), "%Y", id);
+	query = this->db->query(this->db, "select ck, ik, res from quintuplets "
+				"where rand = ? and autn = ? and id = ? order by use limit 1",
+				DB_BLOB, chunk_create(rand, AKA_RAND_LEN),
+				DB_BLOB, chunk_create(autn, AKA_AUTN_LEN), DB_TEXT, buf,
+				DB_BLOB, DB_BLOB, DB_BLOB);
+	if (query)
+	{
+		if (query->enumerate(query, &ck_chunk, &ik_chunk, &res_chunk))
+		{
+			if (ck_chunk.len == AKA_CK_LEN &&
+				ik_chunk.len == AKA_IK_LEN &&
+				res_chunk.len <= AKA_RES_MAX)
+			{
+				memcpy(ck, ck_chunk.ptr, AKA_CK_LEN);
+				memcpy(ik, ik_chunk.ptr, AKA_IK_LEN);
+				memcpy(res, res_chunk.ptr, res_chunk.len);
+				*res_len = res_chunk.len;
+				found = SUCCESS;
+			}
+		}
+		query->destroy(query);
+	}
+	if (found == SUCCESS)
+	{
+		if (this->remove_used)
+		{
+			this->db->execute(this->db, NULL,
+					"delete from quintuplets where id = ? and rand = ?",
+					DB_TEXT, buf, DB_BLOB, chunk_create(rand, SIM_RAND_LEN));
+		}
+		else
+		{
+			this->db->execute(this->db, NULL,
+					"update quintuplets set use = ? where id = ? and rand = ?",
+					DB_UINT, time(NULL), DB_TEXT, buf,
+					DB_BLOB, chunk_create(rand, AKA_RAND_LEN));
+		}
+	}
+	return found;
+}
+
+METHOD(eap_simaka_sql_card_t, destroy, void,
+	private_eap_simaka_sql_card_t *this)
+{
+	free(this);
+}
+
+/**
+ * See header
+ */
+eap_simaka_sql_card_t *eap_simaka_sql_card_create(database_t *db,
+												  bool remove_used)
+{
+	private_eap_simaka_sql_card_t *this;
+
+	INIT(this,
+		.public = {
+			.card = {
+				.get_triplet = _get_triplet,
+				.get_quintuplet = _get_quintuplet,
+				.resync = (void*)return_false,
+				.get_pseudonym = (void*)return_null,
+				.set_pseudonym = (void*)nop,
+				.get_reauth = (void*)return_null,
+				.set_reauth = (void*)nop,
+			},
+			.destroy = _destroy,
+		},
+		.db = db,
+		.remove_used = remove_used,
+	);
+
+	return &this->public;
+}
diff --git a/src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_card.h b/src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_card.h
new file mode 100644
index 000000000..46b7de25e
--- /dev/null
+++ b/src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_card.h
@@ -0,0 +1,54 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_simaka_sql_card eap_simaka_sql_card
+ * @{ @ingroup eap_simaka_sql
+ */
+
+#ifndef EAP_SIMAKA_SQL_CARD_H_
+#define EAP_SIMAKA_SQL_CARD_H_
+
+#include <database/database.h>
+#include <sa/authenticators/eap/sim_manager.h>
+
+typedef struct eap_simaka_sql_card_t eap_simaka_sql_card_t;
+
+/**
+ * SIM card implementation using a triplet/quintuplet database backend.
+ */
+struct eap_simaka_sql_card_t {
+
+	/**
+	 * Implements sim_card_t interface
+	 */
+	sim_card_t card;
+
+	/**
+	 * Destroy a eap_simaka_sql_card_t.
+	 */
+	void (*destroy)(eap_simaka_sql_card_t *this);
+};
+
+/**
+ * Create a eap_simaka_sql_card instance.
+ *
+ * @param db		triplet/quintuplet database
+ * @param remove_used	TRUE to remove used triplets/quintuplets from db
+ */
+eap_simaka_sql_card_t *eap_simaka_sql_card_create(database_t *db,
+												  bool remove_used);
+
+#endif /** EAP_SIMAKA_SQL_CARD_H_ @}*/
diff --git a/src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_plugin.c b/src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_plugin.c
new file mode 100644
index 000000000..0f5319792
--- /dev/null
+++ b/src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_plugin.c
@@ -0,0 +1,100 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_simaka_sql_plugin.h"
+#include "eap_simaka_sql_card.h"
+#include "eap_simaka_sql_provider.h"
+
+#include <daemon.h>
+
+typedef struct private_eap_simaka_sql_t private_eap_simaka_sql_t;
+
+/**
+ * Private data of an eap_simaka_sql_t object.
+ */
+struct private_eap_simaka_sql_t {
+
+	/**
+	 * Public eap_simaka_sql_plugin_t interface.
+	 */
+	eap_simaka_sql_plugin_t public;
+
+	/**
+	 * (U)SIM card
+	 */
+	eap_simaka_sql_card_t *card;
+
+	/**
+	 * (U)SIM provider
+	 */
+	eap_simaka_sql_provider_t *provider;
+
+	/**
+	 * Database with triplets/quintuplets
+	 */
+	database_t *db;
+};
+
+METHOD(plugin_t, destroy, void,
+	private_eap_simaka_sql_t *this)
+{
+	charon->sim->remove_card(charon->sim, &this->card->card);
+	charon->sim->remove_provider(charon->sim, &this->provider->provider);
+	this->card->destroy(this->card);
+	this->provider->destroy(this->provider);
+	this->db->destroy(this->db);
+	free(this);
+}
+
+/**
+ * See header
+ */
+plugin_t *eap_simaka_sql_plugin_create()
+{
+	private_eap_simaka_sql_t *this;
+	database_t *db;
+	bool remove_used;
+	char *uri;
+
+	uri = lib->settings->get_str(lib->settings,
+							"charon.plugins.eap-simaka-sql.database", NULL);
+	if (!uri)
+	{
+		DBG1(DBG_CFG, "eap-simaka-sql database URI missing");
+		return NULL;
+	}
+	db = lib->db->create(lib->db, uri);
+	if (!db)
+	{
+		DBG1(DBG_CFG, "opening eap-simaka-sql database failed");
+		return NULL;
+	}
+	remove_used = lib->settings->get_bool(lib->settings,
+							"charon.plugins.eap-simaka-sql.remove_used", FALSE);
+
+	INIT(this,
+		.public.plugin =  {
+			.destroy = _destroy,
+		},
+		.db = db,
+		.provider = eap_simaka_sql_provider_create(db, remove_used),
+		.card = eap_simaka_sql_card_create(db, remove_used),
+	);
+
+	charon->sim->add_card(charon->sim, &this->card->card);
+	charon->sim->add_provider(charon->sim, &this->provider->provider);
+
+	return &this->public.plugin;
+}
diff --git a/src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_plugin.h b/src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_plugin.h
new file mode 100644
index 000000000..3064580bf
--- /dev/null
+++ b/src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_simaka_sql eap_simaka_sql
+ * @ingroup cplugins
+ *
+ * @defgroup eap_simaka_sql_plugin eap_simaka_sql_plugin
+ * @{ @ingroup eap_simaka_sql
+ */
+
+#ifndef EAP_SIMAKA_SQL_PLUGIN_H_
+#define EAP_SIMAKA_SQL_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct eap_simaka_sql_plugin_t eap_simaka_sql_plugin_t;
+
+/**
+ * Plugin to provide SIM/AKA cards/providers using triplets from a database.
+ */
+struct eap_simaka_sql_plugin_t {
+
+	/**
+	 * Implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+#endif /** EAP_SIMAKA_SQL_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_provider.c b/src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_provider.c
new file mode 100644
index 000000000..73cccf549
--- /dev/null
+++ b/src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_provider.c
@@ -0,0 +1,180 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_simaka_sql_provider.h"
+
+#include <time.h>
+
+#include <daemon.h>
+
+typedef struct private_eap_simaka_sql_provider_t private_eap_simaka_sql_provider_t;
+
+/**
+ * Private data of an eap_simaka_sql_provider_t object.
+ */
+struct private_eap_simaka_sql_provider_t {
+
+	/**
+	 * Public eap_simaka_sql_provider_t interface.
+	 */
+	eap_simaka_sql_provider_t public;
+
+	/**
+	 * Triplet/quintuplet database
+	 */
+	database_t *db;
+
+	/**
+	 * Remove used triplets/quintuplets from database
+	 */
+	bool remove_used;
+};
+
+METHOD(sim_provider_t, get_triplet, bool,
+	private_eap_simaka_sql_provider_t *this, identification_t *id,
+	char rand[SIM_RAND_LEN], char sres[SIM_SRES_LEN], char kc[SIM_KC_LEN])
+{
+	chunk_t rand_chunk, sres_chunk, kc_chunk;
+	enumerator_t *query;
+	bool found = FALSE;
+	char buf[128];
+
+	snprintf(buf, sizeof(buf), "%Y", id);
+	query = this->db->query(this->db,
+				"select rand, sres, kc from triplets where id = ? order by use",
+				DB_TEXT, buf, DB_BLOB, DB_BLOB, DB_BLOB);
+	if (query)
+	{
+		if (query->enumerate(query, &rand_chunk, &sres_chunk, &kc_chunk))
+		{
+			if (rand_chunk.len == SIM_RAND_LEN &&
+				sres_chunk.len == SIM_SRES_LEN &&
+				kc_chunk.len == SIM_KC_LEN)
+			{
+				memcpy(rand, rand_chunk.ptr, SIM_RAND_LEN);
+				memcpy(sres, sres_chunk.ptr, SIM_SRES_LEN);
+				memcpy(kc, kc_chunk.ptr, SIM_KC_LEN);
+				found = TRUE;
+			}
+		}
+		query->destroy(query);
+	}
+	if (found)
+	{
+		if (this->remove_used)
+		{
+			this->db->execute(this->db, NULL,
+					"delete from triplets where id = ? and rand = ?",
+					DB_TEXT, buf, DB_BLOB, chunk_create(rand, SIM_RAND_LEN));
+		}
+		else
+		{
+			this->db->execute(this->db, NULL,
+					"update triplets set use = ? where id = ? and rand = ?",
+					DB_UINT, time(NULL), DB_TEXT, buf,
+					DB_BLOB, chunk_create(rand, SIM_RAND_LEN));
+		}
+	}
+	return found;
+}
+
+METHOD(sim_provider_t, get_quintuplet, bool,
+	private_eap_simaka_sql_provider_t *this, identification_t *id,
+	char rand[AKA_RAND_LEN], char xres[AKA_RES_MAX], int *xres_len,
+	char ck[AKA_CK_LEN], char ik[AKA_IK_LEN], char autn[AKA_AUTN_LEN])
+{
+	chunk_t rand_chunk, xres_chunk, ck_chunk, ik_chunk, autn_chunk;
+	enumerator_t *query;
+	bool found = FALSE;
+	char buf[128];
+
+	snprintf(buf, sizeof(buf), "%Y", id);
+	query = this->db->query(this->db, "select rand, res, ck, ik, autn "
+				"from quintuplets where id = ? order by use", DB_TEXT, buf,
+				DB_BLOB, DB_BLOB, DB_BLOB, DB_BLOB, DB_BLOB);
+	if (query)
+	{
+		if (query->enumerate(query, &rand_chunk, &xres_chunk,
+							 &ck_chunk, &ik_chunk, &autn_chunk))
+		{
+			if (rand_chunk.len == AKA_RAND_LEN &&
+				xres_chunk.len <= AKA_RES_MAX &&
+				ck_chunk.len == AKA_CK_LEN &&
+				ik_chunk.len == AKA_IK_LEN &&
+				autn_chunk.len == AKA_AUTN_LEN)
+			{
+				memcpy(rand, rand_chunk.ptr, AKA_RAND_LEN);
+				memcpy(xres, xres_chunk.ptr, xres_chunk.len);
+				*xres_len = xres_chunk.len;
+				memcpy(ck, ck_chunk.ptr, AKA_CK_LEN);
+				memcpy(ik, ik_chunk.ptr, AKA_IK_LEN);
+				memcpy(autn, autn_chunk.ptr, AKA_AUTN_LEN);
+				found = TRUE;
+			}
+		}
+		query->destroy(query);
+	}
+	if (found)
+	{
+		if (this->remove_used)
+		{
+			this->db->execute(this->db, NULL,
+					"delete from quintuplets where id = ? and rand = ?",
+					DB_TEXT, buf, DB_BLOB, chunk_create(rand, SIM_RAND_LEN));
+		}
+		else
+		{
+			this->db->execute(this->db, NULL,
+					"update quintuplets set use = ? where id = ? and rand = ?",
+					DB_UINT, time(NULL), DB_TEXT, buf,
+					DB_BLOB, chunk_create(rand, AKA_RAND_LEN));
+		}
+	}
+	return found;
+}
+
+METHOD(eap_simaka_sql_provider_t, destroy, void,
+	private_eap_simaka_sql_provider_t *this)
+{
+	free(this);
+}
+
+/**
+ * See header
+ */
+eap_simaka_sql_provider_t *eap_simaka_sql_provider_create(database_t *db,
+														  bool remove_used)
+{
+	private_eap_simaka_sql_provider_t *this;
+
+	INIT(this,
+		.public = {
+			.provider = {
+				.get_triplet = _get_triplet,
+				.get_quintuplet = _get_quintuplet,
+				.resync = (void*)return_false,
+				.is_pseudonym = (void*)return_null,
+				.gen_pseudonym = (void*)return_null,
+				.is_reauth = (void*)return_null,
+				.gen_reauth = (void*)return_null,
+			},
+			.destroy = _destroy,
+		},
+		.db = db,
+		.remove_used = remove_used,
+	);
+
+	return &this->public;
+}
diff --git a/src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_provider.h b/src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_provider.h
new file mode 100644
index 000000000..ecb0c8cb0
--- /dev/null
+++ b/src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_provider.h
@@ -0,0 +1,54 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_simaka_sql_provider eap_simaka_sql_provider
+ * @{ @ingroup eap_simaka_sql
+ */
+
+#ifndef EAP_SIMAKA_SQL_PROVIDER_H_
+#define EAP_SIMAKA_SQL_PROVIDER_H_
+
+#include <database/database.h>
+#include <sa/authenticators/eap/sim_manager.h>
+
+typedef struct eap_simaka_sql_provider_t eap_simaka_sql_provider_t;
+
+/**
+ * SIM provider implementation using a triplet/quintuplet database backend.
+ */
+struct eap_simaka_sql_provider_t {
+
+	/**
+	 * Implements sim_provider_t interface
+	 */
+	sim_provider_t provider;
+
+	/**
+	 * Destroy a eap_simaka_sql_provider_t.
+	 */
+	void (*destroy)(eap_simaka_sql_provider_t *this);
+};
+
+/**
+ * Create a eap_simaka_sql_provider instance.
+ *
+ * @param db			triplet/quintuplet database
+ * @param remove_used	TRUE to remove used triplets/quintuplets from db
+ */
+eap_simaka_sql_provider_t *eap_simaka_sql_provider_create(database_t *db,
+														  bool remove_used);
+
+#endif /** EAP_SIMAKA_SQL_PROVIDER_H_ @}*/
diff --git a/src/libcharon/plugins/farp/Makefile.in b/src/libcharon/plugins/farp/Makefile.in
index 20ac77080..47952b99e 100644
--- a/src/libcharon/plugins/farp/Makefile.in
+++ b/src/libcharon/plugins/farp/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
diff --git a/src/libcharon/plugins/farp/farp_spoofer.c b/src/libcharon/plugins/farp/farp_spoofer.c
index 29e64e32d..20bb44fd3 100644
--- a/src/libcharon/plugins/farp/farp_spoofer.c
+++ b/src/libcharon/plugins/farp/farp_spoofer.c
@@ -156,8 +156,8 @@ farp_spoofer_t *farp_spoofer_create(farp_listener_t *listener)
 		BPF_STMT(BPF_LD+BPF_H+BPF_ABS, offsetof(arp_t, opcode)),
 		BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARPOP_REQUEST, 0, 3),
 		BPF_STMT(BPF_LD+BPF_W+BPF_LEN, 0),
-		BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 28, 0, 1),
-		BPF_STMT(BPF_RET+BPF_A, 0),
+		BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, sizeof(arp_t), 0, 1),
+		BPF_STMT(BPF_RET+BPF_K, sizeof(arp_t)),
 		BPF_STMT(BPF_RET+BPF_K, 0),
 	};
 	struct sock_fprog arp_request_filter = {
diff --git a/src/libcharon/plugins/ha/Makefile.am b/src/libcharon/plugins/ha/Makefile.am
index 74fe1f4c7..0df1b8d91 100644
--- a/src/libcharon/plugins/ha/Makefile.am
+++ b/src/libcharon/plugins/ha/Makefile.am
@@ -17,9 +17,11 @@ libstrongswan_ha_la_SOURCES = \
   ha_tunnel.h ha_tunnel.c \
   ha_dispatcher.h ha_dispatcher.c \
   ha_segments.h ha_segments.c \
+  ha_cache.h ha_cache.c \
   ha_kernel.h ha_kernel.c \
   ha_ctl.h ha_ctl.c \
   ha_ike.h ha_ike.c \
-  ha_child.h ha_child.c
+  ha_child.h ha_child.c \
+  ha_attribute.h ha_attribute.c
 libstrongswan_ha_la_LDFLAGS = -module -avoid-version
 
diff --git a/src/libcharon/plugins/ha/Makefile.in b/src/libcharon/plugins/ha/Makefile.in
index c60d3bf56..5ca9b464b 100644
--- a/src/libcharon/plugins/ha/Makefile.in
+++ b/src/libcharon/plugins/ha/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -76,7 +76,8 @@ LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_ha_la_LIBADD =
 am_libstrongswan_ha_la_OBJECTS = ha_plugin.lo ha_message.lo \
 	ha_socket.lo ha_tunnel.lo ha_dispatcher.lo ha_segments.lo \
-	ha_kernel.lo ha_ctl.lo ha_ike.lo ha_child.lo
+	ha_cache.lo ha_kernel.lo ha_ctl.lo ha_ike.lo ha_child.lo \
+	ha_attribute.lo
 libstrongswan_ha_la_OBJECTS = $(am_libstrongswan_ha_la_OBJECTS)
 libstrongswan_ha_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
 	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
@@ -269,10 +270,12 @@ libstrongswan_ha_la_SOURCES = \
   ha_tunnel.h ha_tunnel.c \
   ha_dispatcher.h ha_dispatcher.c \
   ha_segments.h ha_segments.c \
+  ha_cache.h ha_cache.c \
   ha_kernel.h ha_kernel.c \
   ha_ctl.h ha_ctl.c \
   ha_ike.h ha_ike.c \
-  ha_child.h ha_child.c
+  ha_child.h ha_child.c \
+  ha_attribute.h ha_attribute.c
 
 libstrongswan_ha_la_LDFLAGS = -module -avoid-version
 all: all-am
@@ -358,6 +361,8 @@ mostlyclean-compile:
 distclean-compile:
 	-rm -f *.tab.c
 
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ha_attribute.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ha_cache.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ha_child.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ha_ctl.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ha_dispatcher.Plo@am__quote@
diff --git a/src/libcharon/plugins/ha/ha_attribute.c b/src/libcharon/plugins/ha/ha_attribute.c
new file mode 100644
index 000000000..b08abe1a9
--- /dev/null
+++ b/src/libcharon/plugins/ha/ha_attribute.c
@@ -0,0 +1,364 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ha_attribute.h"
+
+#include <utils/linked_list.h>
+#include <threading/mutex.h>
+
+typedef struct private_ha_attribute_t private_ha_attribute_t;
+
+/**
+ * Private data of an ha_attribute_t object.
+ */
+struct private_ha_attribute_t {
+
+	/**
+	 * Public ha_attribute_t interface.
+	 */
+	ha_attribute_t public;
+
+	/**
+	 * List of pools, pool_t
+	 */
+	linked_list_t *pools;
+
+	/**
+	 * Mutex to lock mask
+	 */
+	mutex_t *mutex;
+
+	/**
+	 * Kernel helper
+	 */
+	ha_kernel_t *kernel;
+
+	/**
+	 * Segment responsibility
+	 */
+	ha_segments_t *segments;
+};
+
+/**
+ * In-memory pool.
+ */
+typedef struct {
+	/** name of the pool */
+	char *name;
+	/** base address of pool */
+	host_t *base;
+	/** total number of addresses in this pool */
+	int size;
+	/** bitmask for address usage */
+	u_char *mask;
+} pool_t;
+
+/**
+ * Clean up a pool entry
+ */
+static void pool_destroy(pool_t *pool)
+{
+	pool->base->destroy(pool->base);
+	free(pool->name);
+	free(pool->mask);
+	free(pool);
+}
+
+/**
+ * convert a pool offset to an address
+ */
+static host_t* offset2host(pool_t *pool, int offset)
+{
+	chunk_t addr;
+	host_t *host;
+	u_int32_t *pos;
+
+	if (offset > pool->size)
+	{
+		return NULL;
+	}
+
+	addr = chunk_clone(pool->base->get_address(pool->base));
+	if (pool->base->get_family(pool->base) == AF_INET6)
+	{
+		pos = (u_int32_t*)(addr.ptr + 12);
+	}
+	else
+	{
+		pos = (u_int32_t*)addr.ptr;
+	}
+	*pos = htonl(offset + ntohl(*pos));
+	host = host_create_from_chunk(pool->base->get_family(pool->base), addr, 0);
+	free(addr.ptr);
+	return host;
+}
+
+/**
+ * convert a host to a pool offset
+ */
+static int host2offset(pool_t *pool, host_t *addr)
+{
+	chunk_t host, base;
+	u_int32_t hosti, basei;
+
+	if (addr->get_family(addr) != pool->base->get_family(pool->base))
+	{
+		return -1;
+	}
+	host = addr->get_address(addr);
+	base = pool->base->get_address(pool->base);
+	if (addr->get_family(addr) == AF_INET6)
+	{
+		/* only look at last /32 block */
+		if (!memeq(host.ptr, base.ptr, 12))
+		{
+			return -1;
+		}
+		host = chunk_skip(host, 12);
+		base = chunk_skip(base, 12);
+	}
+	hosti = ntohl(*(u_int32_t*)(host.ptr));
+	basei = ntohl(*(u_int32_t*)(base.ptr));
+	if (hosti > basei + pool->size)
+	{
+		return -1;
+	}
+	return hosti - basei;
+}
+
+/**
+ * Find a pool by its name
+ */
+static pool_t* get_pool(private_ha_attribute_t *this, char *name)
+{
+	enumerator_t *enumerator;
+	pool_t *pool, *found = NULL;
+
+	enumerator = this->pools->create_enumerator(this->pools);
+	while (enumerator->enumerate(enumerator, &pool))
+	{
+		if (streq(name, pool->name))
+		{
+			found = pool;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return found;
+}
+
+/**
+ * Check if we are responsible for a bit in our bitmask
+ */
+static bool responsible_for(private_ha_attribute_t *this, int bit)
+{
+	u_int segment;
+
+	segment = this->kernel->get_segment_int(this->kernel, bit);
+	return this->segments->is_active(this->segments, segment);
+}
+
+METHOD(attribute_provider_t, acquire_address, host_t*,
+	private_ha_attribute_t *this, char *name, identification_t *id,
+	host_t *requested)
+{
+	pool_t *pool;
+	int offset = -1, byte, bit;
+	host_t *address;
+
+	this->mutex->lock(this->mutex);
+	pool = get_pool(this, name);
+	if (pool)
+	{
+		for (byte = 0; byte < pool->size / 8; byte++)
+		{
+			if (pool->mask[byte] != 0xFF)
+			{
+				for (bit = 0; bit < 8; bit++)
+				{
+					if (!(pool->mask[byte] & 1 << bit) &&
+						responsible_for(this, bit))
+					{
+						offset = byte * 8 + bit;
+						pool->mask[byte] |= 1 << bit;
+						break;
+					}
+				}
+			}
+			if (offset != -1)
+			{
+				break;
+			}
+		}
+		if (offset == -1)
+		{
+			DBG1(DBG_CFG, "no address left in HA pool '%s' belonging to"
+				 "a responsible segment", name);
+		}
+	}
+	this->mutex->unlock(this->mutex);
+	if (offset != -1)
+	{
+		address = offset2host(pool, offset);
+		DBG1(DBG_CFG, "acquired address %H from HA pool '%s'", address, name);
+		return address;
+	}
+	return NULL;
+}
+
+METHOD(attribute_provider_t, release_address, bool,
+	private_ha_attribute_t *this, char *name, host_t *address,
+	identification_t *id)
+{
+	pool_t *pool;
+	int offset;
+	bool found = FALSE;
+
+	this->mutex->lock(this->mutex);
+	pool = get_pool(this, name);
+	if (pool)
+	{
+		offset = host2offset(pool, address);
+		if (offset > 0 && offset < pool->size)
+		{
+			pool->mask[offset / 8] &= ~(1 << (offset % 8));
+			DBG1(DBG_CFG, "released address %H to HA pool '%s'", address, name);
+			found = TRUE;
+		}
+	}
+	this->mutex->unlock(this->mutex);
+	return found;
+}
+
+METHOD(ha_attribute_t, reserve, void,
+	private_ha_attribute_t *this, char *name, host_t *address)
+{
+	pool_t *pool;
+	int offset;
+
+	this->mutex->lock(this->mutex);
+	pool = get_pool(this, name);
+	if (pool)
+	{
+		offset = host2offset(pool, address);
+		if (offset > 0 && offset < pool->size)
+		{
+			pool->mask[offset / 8] |= 1 << (offset % 8);
+			DBG1(DBG_CFG, "reserved address %H in HA pool '%s'", address, name);
+		}
+	}
+	this->mutex->unlock(this->mutex);
+}
+
+METHOD(ha_attribute_t, destroy, void,
+	private_ha_attribute_t *this)
+{
+	this->pools->destroy_function(this->pools, (void*)pool_destroy);
+	this->mutex->destroy(this->mutex);
+	free(this);
+}
+
+/**
+ * Load the configured pools.
+ */
+static void load_pools(private_ha_attribute_t *this)
+{
+	enumerator_t *enumerator;
+	char *name, *net, *bits;
+	host_t *base;
+	int mask, maxbits;
+	pool_t *pool;
+
+	enumerator = lib->settings->create_key_value_enumerator(lib->settings,
+													"charon.plugins.ha.pools");
+	while (enumerator->enumerate(enumerator, &name, &net))
+	{
+		net = strdup(net);
+		bits = strchr(net, '/');
+		if (!bits)
+		{
+			DBG1(DBG_CFG, "invalid HA pool '%s' subnet, skipped", name);
+			free(net);
+			continue;
+		}
+		*bits++ = '\0';
+
+		base = host_create_from_string(net, 0);
+		mask = atoi(bits);
+		free(net);
+		if (!base || !mask)
+		{
+			DESTROY_IF(base);
+			DBG1(DBG_CFG, "invalid HA pool '%s', skipped", name);
+			continue;
+		}
+		maxbits = base->get_family(base) == AF_INET ? 32 : 128;
+		mask = maxbits - mask;
+		if (mask > 24)
+		{
+			mask = 24;
+			DBG1(DBG_CFG, "size of HA pool '%s' limited to /%d",
+				 name, maxbits - mask);
+		}
+		if (mask < 3)
+		{
+			DBG1(DBG_CFG, "HA pool '%s' too small, skipped", name);
+			base->destroy(base);
+			continue;
+		}
+
+		INIT(pool,
+			.name = strdup(name),
+			.base = base,
+			.size = (1 << mask),
+		);
+		pool->mask = calloc(pool->size / 8, 1);
+		/* do not use first/last address of pool */
+		pool->mask[0] |= 0x01;
+		pool->mask[pool->size / 8 - 1] |= 0x80;
+
+		DBG1(DBG_CFG, "loaded HA pool '%s' %H/%d (%d addresses)",
+			 pool->name, pool->base, maxbits - mask, pool->size - 2);
+		this->pools->insert_last(this->pools, pool);
+	}
+	enumerator->destroy(enumerator);
+}
+
+/**
+ * See header
+ */
+ha_attribute_t *ha_attribute_create(ha_kernel_t *kernel, ha_segments_t *segments)
+{
+	private_ha_attribute_t *this;
+
+	INIT(this,
+		.public = {
+			.provider = {
+				.acquire_address = _acquire_address,
+				.release_address = _release_address,
+				.create_attribute_enumerator = enumerator_create_empty,
+			},
+			.reserve = _reserve,
+			.destroy = _destroy,
+		},
+		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+		.pools = linked_list_create(),
+		.kernel = kernel,
+		.segments = segments,
+	);
+
+	load_pools(this);
+
+	return &this->public;
+}
diff --git a/src/libcharon/plugins/ha/ha_attribute.h b/src/libcharon/plugins/ha/ha_attribute.h
new file mode 100644
index 000000000..d1e4f5e89
--- /dev/null
+++ b/src/libcharon/plugins/ha/ha_attribute.h
@@ -0,0 +1,60 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ha_attribute ha_attribute
+ * @{ @ingroup ha
+ */
+
+#ifndef HA_ATTRIBUTE_H_
+#define HA_ATTRIBUTE_H_
+
+#include "ha_kernel.h"
+#include "ha_segments.h"
+
+#include <attributes/attribute_provider.h>
+
+typedef struct ha_attribute_t ha_attribute_t;
+
+/**
+ * A HA enabled in memory address pool attribute provider.
+ */
+struct ha_attribute_t {
+
+	/**
+	 * Implements attribute provider interface.
+	 */
+	attribute_provider_t provider;
+
+	/**
+	 * Reserve an address for a passive IKE_SA.
+	 *
+	 * @param name			pool name to reserve address in
+	 * @param address		address to reserve
+	 */
+	void (*reserve)(ha_attribute_t *this, char *name, host_t *address);
+
+	/**
+	 * Destroy a ha_attribute_t.
+	 */
+	void (*destroy)(ha_attribute_t *this);
+};
+
+/**
+ * Create a ha_attribute instance.
+ */
+ha_attribute_t *ha_attribute_create(ha_kernel_t *kernel, ha_segments_t *segments);
+
+#endif /** HA_ATTRIBUTE_H_ @}*/
diff --git a/src/libcharon/plugins/ha/ha_cache.c b/src/libcharon/plugins/ha/ha_cache.c
new file mode 100644
index 000000000..1ebc33ca4
--- /dev/null
+++ b/src/libcharon/plugins/ha/ha_cache.c
@@ -0,0 +1,362 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ha_cache.h"
+
+#include <utils/hashtable.h>
+#include <utils/linked_list.h>
+#include <threading/mutex.h>
+#include <processing/jobs/callback_job.h>
+
+typedef struct private_ha_cache_t private_ha_cache_t;
+
+/**
+ * Private data of an ha_cache_t object.
+ */
+struct private_ha_cache_t {
+
+	/**
+	 * Public ha_cache_t interface.
+	 */
+	ha_cache_t public;
+
+	/**
+	 * Kernel helper functions
+	 */
+	ha_kernel_t *kernel;
+
+	/**
+	 * Socket to send sync messages over
+	 */
+	ha_socket_t *socket;
+
+	/**
+	 * Total number of segments
+	 */
+	u_int count;
+
+	/**
+	 * cached entries (ike_sa_t, entry_t)
+	 */
+	hashtable_t *cache;
+
+	/**
+	 * Mutex to lock cache
+	 */
+	mutex_t *mutex;
+};
+
+/**
+ * Hashtable hash function
+ */
+static u_int hash(void *key)
+{
+	return (uintptr_t)key;
+}
+
+/**
+ * Hashtable equals function
+ */
+static bool equals(void *a, void *b)
+{
+	return a == b;
+}
+
+/**
+ * Cache entry for an IKE_SA
+ */
+typedef struct {
+	/* segment this entry is associate to */
+	u_int segment;
+	/* ADD message */
+	ha_message_t *add;
+	/* list of updates UPDATE message */
+	linked_list_t *updates;
+	/* last initiator mid */
+	ha_message_t *midi;
+	/* last responder mid */
+	ha_message_t *midr;
+} entry_t;
+
+/**
+ * Create a entry with an add message
+ */
+static entry_t *entry_create(ha_message_t *add)
+{
+	entry_t *entry;
+
+	INIT(entry,
+		.add = add,
+		.updates = linked_list_create(),
+	);
+	return entry;
+}
+
+/**
+ * clean up a entry
+ */
+static void entry_destroy(entry_t *entry)
+{
+	entry->updates->destroy_offset(entry->updates,
+									offsetof(ha_message_t, destroy));
+	entry->add->destroy(entry->add);
+	DESTROY_IF(entry->midi);
+	DESTROY_IF(entry->midr);
+	free(entry);
+}
+
+METHOD(ha_cache_t, cache, void,
+	private_ha_cache_t *this, ike_sa_t *ike_sa, ha_message_t *message)
+{
+	entry_t *entry;
+
+	this->mutex->lock(this->mutex);
+	switch (message->get_type(message))
+	{
+		case HA_IKE_ADD:
+			entry = entry_create(message);
+			entry = this->cache->put(this->cache, ike_sa, entry);
+			if (entry)
+			{
+				entry_destroy(entry);
+			}
+			break;
+		case HA_IKE_UPDATE:
+			entry = this->cache->get(this->cache, ike_sa);
+			if (entry)
+			{
+				entry->segment = this->kernel->get_segment(this->kernel,
+											ike_sa->get_other_host(ike_sa));
+				entry->updates->insert_last(entry->updates, message);
+				break;
+			}
+			message->destroy(message);
+			break;
+		case HA_IKE_MID_INITIATOR:
+			entry = this->cache->get(this->cache, ike_sa);
+			if (entry)
+			{
+				DESTROY_IF(entry->midi);
+				entry->midi = message;
+				break;
+			}
+			message->destroy(message);
+			break;
+		case HA_IKE_MID_RESPONDER:
+			entry = this->cache->get(this->cache, ike_sa);
+			if (entry)
+			{
+				DESTROY_IF(entry->midr);
+				entry->midr = message;
+				break;
+			}
+			message->destroy(message);
+			break;
+		case HA_IKE_DELETE:
+			entry = this->cache->remove(this->cache, ike_sa);
+			if (entry)
+			{
+				entry_destroy(entry);
+			}
+			message->destroy(message);
+			break;
+		default:
+			message->destroy(message);
+			break;
+	}
+	this->mutex->unlock(this->mutex);
+}
+
+METHOD(ha_cache_t, delete_, void,
+	private_ha_cache_t *this, ike_sa_t *ike_sa)
+{
+	entry_t *entry;
+
+	entry = this->cache->remove(this->cache, ike_sa);
+	if (entry)
+	{
+		entry_destroy(entry);
+	}
+}
+
+/**
+ * Rekey all children of an IKE_SA
+ */
+static status_t rekey_children(ike_sa_t *ike_sa)
+{
+	iterator_t *iterator;
+	child_sa_t *child_sa;
+	status_t status = SUCCESS;
+
+	iterator = ike_sa->create_child_sa_iterator(ike_sa);
+	while (iterator->iterate(iterator, (void**)&child_sa))
+	{
+		DBG1(DBG_CFG, "resyncing CHILD_SA");
+		status = ike_sa->rekey_child_sa(ike_sa, child_sa->get_protocol(child_sa),
+										child_sa->get_spi(child_sa, TRUE));
+		if (status == DESTROY_ME)
+		{
+			break;
+		}
+	}
+	iterator->destroy(iterator);
+	return status;
+}
+
+/**
+ * Trigger rekeying of CHILD_SA in segment
+ */
+static void rekey_segment(private_ha_cache_t *this, u_int segment)
+{
+	ike_sa_t *ike_sa;
+	enumerator_t *enumerator;
+	linked_list_t *list;
+	ike_sa_id_t *id;
+
+	list = linked_list_create();
+
+	enumerator = charon->ike_sa_manager->create_enumerator(
+												charon->ike_sa_manager);
+	while (enumerator->enumerate(enumerator, &ike_sa))
+	{
+		if (ike_sa->get_state(ike_sa) == IKE_ESTABLISHED &&
+			this->kernel->get_segment(this->kernel,
+						ike_sa->get_other_host(ike_sa)) == segment)
+		{
+			id = ike_sa->get_id(ike_sa);
+			list->insert_last(list, id->clone(id));
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	while (list->remove_last(list, (void**)&id) == SUCCESS)
+	{
+		ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager, id);
+		if (ike_sa)
+		{
+			if (rekey_children(ike_sa) != DESTROY_ME)
+			{
+				charon->ike_sa_manager->checkin(
+										charon->ike_sa_manager, ike_sa);
+			}
+			else
+			{
+				charon->ike_sa_manager->checkin_and_destroy(
+										charon->ike_sa_manager, ike_sa);
+			}
+		}
+		id->destroy(id);
+	}
+	list->destroy(list);
+}
+
+METHOD(ha_cache_t, resync, void,
+	private_ha_cache_t *this, u_int segment)
+{
+	enumerator_t *enumerator, *updates;
+	ike_sa_t *ike_sa;
+	entry_t *entry;
+	ha_message_t *message;
+
+	DBG1(DBG_CFG, "resyncing HA segment %d", segment);
+
+	this->mutex->lock(this->mutex);
+	enumerator = this->cache->create_enumerator(this->cache);
+	while (enumerator->enumerate(enumerator, &ike_sa, &entry))
+	{
+		if (entry->segment == segment)
+		{
+			this->socket->push(this->socket, entry->add);
+			updates = entry->updates->create_enumerator(entry->updates);
+			while (updates->enumerate(updates, &message))
+			{
+				this->socket->push(this->socket, message);
+			}
+			updates->destroy(updates);
+			if (entry->midi)
+			{
+				this->socket->push(this->socket, entry->midi);
+			}
+			if (entry->midr)
+			{
+				this->socket->push(this->socket, entry->midr);
+			}
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->mutex->unlock(this->mutex);
+
+	rekey_segment(this, segment);
+}
+
+/**
+ * Request a resync of all segments
+ */
+static job_requeue_t request_resync(private_ha_cache_t *this)
+{
+	ha_message_t *message;
+	int i;
+
+	DBG1(DBG_CFG, "requesting HA resynchronization");
+
+	message = ha_message_create(HA_RESYNC);
+	for (i = 1; i <= this->count; i++)
+	{
+		message->add_attribute(message, HA_SEGMENT, i);
+	}
+	this->socket->push(this->socket, message);
+	message->destroy(message);
+	return JOB_REQUEUE_NONE;
+}
+
+METHOD(ha_cache_t, destroy, void,
+	private_ha_cache_t *this)
+{
+	this->cache->destroy(this->cache);
+	this->mutex->destroy(this->mutex);
+	free(this);
+}
+
+/**
+ * See header
+ */
+ha_cache_t *ha_cache_create(ha_kernel_t *kernel, ha_socket_t *socket,
+							bool sync, u_int count)
+{
+	private_ha_cache_t *this;
+
+	INIT(this,
+		.public = {
+			.cache = _cache,
+			.delete = _delete_,
+			.resync = _resync,
+			.destroy = _destroy,
+		},
+		.count = count,
+		.kernel = kernel,
+		.socket = socket,
+		.cache = hashtable_create(hash, equals, 8),
+		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+	);
+
+	if (sync)
+	{
+		/* request a resync as soon as we are up */
+		charon->scheduler->schedule_job(charon->scheduler, (job_t*)
+						callback_job_create((callback_job_cb_t)request_resync,
+											this, NULL, NULL), 1);
+	}
+	return &this->public;
+}
diff --git a/src/libcharon/plugins/ha/ha_cache.h b/src/libcharon/plugins/ha/ha_cache.h
new file mode 100644
index 000000000..39f1947a8
--- /dev/null
+++ b/src/libcharon/plugins/ha/ha_cache.h
@@ -0,0 +1,78 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ha_cache ha_cache
+ * @{ @ingroup ha
+ */
+
+#ifndef HA_CACHE_H_
+#define HA_CACHE_H_
+
+typedef struct ha_cache_t ha_cache_t;
+
+#include "ha_message.h"
+#include "ha_kernel.h"
+#include "ha_socket.h"
+
+#include <utils/enumerator.h>
+
+#include <sa/ike_sa.h>
+
+/**
+ * HA message caching facility, allows reintegration of new nodes.
+ */
+struct ha_cache_t {
+
+	/**
+	 * Cache an IKE specific message.
+	 *
+	 * @param ike_sa		associated IKE_SA
+	 * @param message		message to cache
+	 */
+	void (*cache)(ha_cache_t *this, ike_sa_t *ike_sa, ha_message_t *message);
+
+	/**
+	 * Delete a cache entry for an IKE_SA.
+	 *
+	 * @param ike_sa		cache entry to delete
+	 */
+	void (*delete)(ha_cache_t *this, ike_sa_t *ike_sa);
+
+	/**
+	 * Resync a segment to the node using the cached messages.
+	 *
+	 * @param segment		segment to resync
+	 */
+	void (*resync)(ha_cache_t *this, u_int segment);
+
+	/**
+	 * Destroy a ha_cache_t.
+	 */
+	void (*destroy)(ha_cache_t *this);
+};
+
+/**
+ * Create a ha_cache instance.
+ *
+ * @param kernel		kernel helper
+ * @param socket		socket to send resync messages
+ * @param resync 		request a resync during startup?
+ * @param count			total number of segments
+ */
+ha_cache_t *ha_cache_create(ha_kernel_t *kernel, ha_socket_t *socket,
+							bool resync, u_int count);
+
+#endif /** HA_CACHE_H_ @}*/
diff --git a/src/libcharon/plugins/ha/ha_child.c b/src/libcharon/plugins/ha/ha_child.c
index 2eb8e27f6..1a9425423 100644
--- a/src/libcharon/plugins/ha/ha_child.c
+++ b/src/libcharon/plugins/ha/ha_child.c
@@ -36,22 +36,30 @@ struct private_ha_child_t {
 	 * tunnel securing sync messages
 	 */
 	ha_tunnel_t *tunnel;
+
+	/**
+	 * Segment handling
+	 */
+	ha_segments_t *segments;
+
+	/**
+	 * Kernel helper
+	 */
+	ha_kernel_t *kernel;
 };
 
-/**
- * Implementation of listener_t.child_keys
- */
-static bool child_keys(private_ha_child_t *this, ike_sa_t *ike_sa,
-					   child_sa_t *child_sa, diffie_hellman_t *dh,
-					   chunk_t nonce_i, chunk_t nonce_r)
+METHOD(listener_t, child_keys, bool,
+	private_ha_child_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa,
+	bool initiator, diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r)
 {
 	ha_message_t *m;
 	chunk_t secret;
 	proposal_t *proposal;
 	u_int16_t alg, len;
-	linked_list_t *list;
+	linked_list_t *local_ts, *remote_ts;
 	enumerator_t *enumerator;
 	traffic_selector_t *ts;
+	u_int seg_i, seg_o;
 
 	if (this->tunnel && this->tunnel->is_sa(this->tunnel, ike_sa))
 	{	/* do not sync SA between nodes */
@@ -61,6 +69,7 @@ static bool child_keys(private_ha_child_t *this, ike_sa_t *ike_sa,
 	m = ha_message_create(HA_CHILD_ADD);
 
 	m->add_attribute(m, HA_IKE_ID, ike_sa->get_id(ike_sa));
+	m->add_attribute(m, HA_INITIATOR, (u_int8_t)initiator);
 	m->add_attribute(m, HA_INBOUND_SPI, child_sa->get_spi(child_sa, TRUE));
 	m->add_attribute(m, HA_OUTBOUND_SPI, child_sa->get_spi(child_sa, FALSE));
 	m->add_attribute(m, HA_INBOUND_CPI, child_sa->get_cpi(child_sa, TRUE));
@@ -90,31 +99,40 @@ static bool child_keys(private_ha_child_t *this, ike_sa_t *ike_sa,
 		chunk_clear(&secret);
 	}
 
-	list = child_sa->get_traffic_selectors(child_sa, TRUE);
-	enumerator = list->create_enumerator(list);
+	local_ts = child_sa->get_traffic_selectors(child_sa, TRUE);
+	enumerator = local_ts->create_enumerator(local_ts);
 	while (enumerator->enumerate(enumerator, &ts))
 	{
 		m->add_attribute(m, HA_LOCAL_TS, ts);
 	}
 	enumerator->destroy(enumerator);
-	list = child_sa->get_traffic_selectors(child_sa, FALSE);
-	enumerator = list->create_enumerator(list);
+	remote_ts = child_sa->get_traffic_selectors(child_sa, FALSE);
+	enumerator = remote_ts->create_enumerator(remote_ts);
 	while (enumerator->enumerate(enumerator, &ts))
 	{
 		m->add_attribute(m, HA_REMOTE_TS, ts);
 	}
 	enumerator->destroy(enumerator);
 
+	seg_i = this->kernel->get_segment_spi(this->kernel,
+			ike_sa->get_my_host(ike_sa), child_sa->get_spi(child_sa, TRUE));
+	seg_o = this->kernel->get_segment_spi(this->kernel,
+			ike_sa->get_other_host(ike_sa), child_sa->get_spi(child_sa, FALSE));
+	DBG1(DBG_CFG, "handling HA CHILD_SA %s{%d} %#R=== %#R "
+		"(segment in: %d%s, out: %d%s)", child_sa->get_name(child_sa),
+		child_sa->get_reqid(child_sa), local_ts, remote_ts,
+		seg_i, this->segments->is_active(this->segments, seg_i) ? "*" : "",
+		seg_o, this->segments->is_active(this->segments, seg_o) ? "*" : "");
+
 	this->socket->push(this->socket, m);
+	m->destroy(m);
 
 	return TRUE;
 }
 
-/**
- * Implementation of listener_t.child_state_change
- */
-static bool child_state_change(private_ha_child_t *this, ike_sa_t *ike_sa,
-							   child_sa_t *child_sa, child_sa_state_t state)
+METHOD(listener_t, child_state_change, bool,
+	private_ha_child_t *this, ike_sa_t *ike_sa,
+	child_sa_t *child_sa, child_sa_state_t state)
 {
 	if (!ike_sa ||
 		ike_sa->get_state(ike_sa) == IKE_PASSIVE ||
@@ -138,14 +156,13 @@ static bool child_state_change(private_ha_child_t *this, ike_sa_t *ike_sa,
 		m->add_attribute(m, HA_INBOUND_SPI,
 						 child_sa->get_spi(child_sa, TRUE));
 		this->socket->push(this->socket, m);
+		m->destroy(m);
 	}
 	return TRUE;
 }
 
-/**
- * Implementation of ha_child_t.destroy.
- */
-static void destroy(private_ha_child_t *this)
+METHOD(ha_child_t, destroy, void,
+	private_ha_child_t *this)
 {
 	free(this);
 }
@@ -153,17 +170,24 @@ static void destroy(private_ha_child_t *this)
 /**
  * See header
  */
-ha_child_t *ha_child_create(ha_socket_t *socket, ha_tunnel_t *tunnel)
+ha_child_t *ha_child_create(ha_socket_t *socket, ha_tunnel_t *tunnel,
+							ha_segments_t *segments, ha_kernel_t *kernel)
 {
-	private_ha_child_t *this = malloc_thing(private_ha_child_t);
-
-	memset(&this->public.listener, 0, sizeof(listener_t));
-	this->public.listener.child_keys = (bool(*)(listener_t*, ike_sa_t *ike_sa, child_sa_t *child_sa, diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r))child_keys;
-	this->public.listener.child_state_change = (bool(*)(listener_t*,ike_sa_t *ike_sa, child_sa_t *child_sa, child_sa_state_t state))child_state_change;
-	this->public.destroy = (void(*)(ha_child_t*))destroy;
-
-	this->socket = socket;
-	this->tunnel = tunnel;
+	private_ha_child_t *this;
+
+	INIT(this,
+		.public = {
+			.listener = {
+				.child_keys = _child_keys,
+				.child_state_change = _child_state_change,
+			},
+			.destroy = _destroy,
+		},
+		.socket = socket,
+		.tunnel = tunnel,
+		.segments = segments,
+		.kernel = kernel,
+	);
 
 	return &this->public;
 }
diff --git a/src/libcharon/plugins/ha/ha_child.h b/src/libcharon/plugins/ha/ha_child.h
index ea83495f7..56cd769ba 100644
--- a/src/libcharon/plugins/ha/ha_child.h
+++ b/src/libcharon/plugins/ha/ha_child.h
@@ -21,14 +21,15 @@
 #ifndef HA_CHILD_H_
 #define HA_CHILD_H_
 
+typedef struct ha_child_t ha_child_t;
+
 #include "ha_socket.h"
 #include "ha_tunnel.h"
 #include "ha_segments.h"
+#include "ha_kernel.h"
 
 #include <daemon.h>
 
-typedef struct ha_child_t ha_child_t;
-
 /**
  * Listener to synchronize CHILD_SAs.
  */
@@ -50,8 +51,11 @@ struct ha_child_t {
  *
  * @param socket		socket to use for sending synchronization messages
  * @param tunnel		tunnel securing sync messages, if any
+ * @param segments		segment handling
+ * @param kernel		kernel helper
  * @return				CHILD listener
  */
-ha_child_t *ha_child_create(ha_socket_t *socket, ha_tunnel_t *tunnel);
+ha_child_t *ha_child_create(ha_socket_t *socket, ha_tunnel_t *tunnel,
+							ha_segments_t *segments, ha_kernel_t *kernel);
 
-#endif /* HA_CHILD_ @}*/
+#endif /** HA_CHILD_ @}*/
diff --git a/src/libcharon/plugins/ha/ha_ctl.c b/src/libcharon/plugins/ha/ha_ctl.c
index 441d26d9e..e188a8484 100644
--- a/src/libcharon/plugins/ha/ha_ctl.c
+++ b/src/libcharon/plugins/ha/ha_ctl.c
@@ -44,6 +44,11 @@ struct private_ha_ctl_t {
 	 */
 	ha_segments_t *segments;
 
+	/**
+	 * Resynchronization message cache
+	 */
+	ha_cache_t *cache;
+
 	/**
 	 * FIFO reader thread
 	 */
@@ -84,7 +89,7 @@ static job_requeue_t dispatch_fifo(private_ha_ctl_t *this)
 					this->segments->deactivate(this->segments, segment, TRUE);
 					break;
 				case '*':
-					this->segments->resync(this->segments, segment);
+					this->cache->resync(this->cache, segment);
 					break;
 				default:
 					break;
@@ -96,10 +101,8 @@ static job_requeue_t dispatch_fifo(private_ha_ctl_t *this)
 	return JOB_REQUEUE_DIRECT;
 }
 
-/**
- * Implementation of ha_ctl_t.destroy.
- */
-static void destroy(private_ha_ctl_t *this)
+METHOD(ha_ctl_t, destroy, void,
+	private_ha_ctl_t *this)
 {
 	this->job->cancel(this->job);
 	free(this);
@@ -108,11 +111,17 @@ static void destroy(private_ha_ctl_t *this)
 /**
  * See header
  */
-ha_ctl_t *ha_ctl_create(ha_segments_t *segments)
+ha_ctl_t *ha_ctl_create(ha_segments_t *segments, ha_cache_t *cache)
 {
-	private_ha_ctl_t *this = malloc_thing(private_ha_ctl_t);
+	private_ha_ctl_t *this;
 
-	this->public.destroy = (void(*)(ha_ctl_t*))destroy;
+	INIT(this,
+		.public = {
+			.destroy = _destroy,
+		},
+		.segments = segments,
+		.cache = cache,
+	);
 
 	if (access(HA_FIFO, R_OK|W_OK) != 0)
 	{
@@ -123,7 +132,6 @@ ha_ctl_t *ha_ctl_create(ha_segments_t *segments)
 		}
 	}
 
-	this->segments = segments;
 	this->job = callback_job_create((callback_job_cb_t)dispatch_fifo,
 									this, NULL, NULL);
 	charon->processor->queue_job(charon->processor, (job_t*)this->job);
diff --git a/src/libcharon/plugins/ha/ha_ctl.h b/src/libcharon/plugins/ha/ha_ctl.h
index f33a809be..1e717832a 100644
--- a/src/libcharon/plugins/ha/ha_ctl.h
+++ b/src/libcharon/plugins/ha/ha_ctl.h
@@ -22,6 +22,7 @@
 #define HA_CTL_H_
 
 #include "ha_segments.h"
+#include "ha_cache.h"
 
 typedef struct ha_ctl_t ha_ctl_t;
 
@@ -40,8 +41,9 @@ struct ha_ctl_t {
  * Create a ha_ctl instance.
  *
  * @param segments	segments to control
+ * @param cache		message cache for resynchronization
  * @return			HA control interface
  */
-ha_ctl_t *ha_ctl_create(ha_segments_t *segments);
+ha_ctl_t *ha_ctl_create(ha_segments_t *segments, ha_cache_t *cache);
 
-#endif /* HA_CTL_ @}*/
+#endif /** HA_CTL_ @}*/
diff --git a/src/libcharon/plugins/ha/ha_dispatcher.c b/src/libcharon/plugins/ha/ha_dispatcher.c
index 7df2f1fa8..3bc426ea0 100644
--- a/src/libcharon/plugins/ha/ha_dispatcher.c
+++ b/src/libcharon/plugins/ha/ha_dispatcher.c
@@ -40,6 +40,21 @@ struct private_ha_dispatcher_t {
 	 */
 	ha_segments_t *segments;
 
+	/**
+	 * Cache for resync
+	 */
+	ha_cache_t *cache;
+
+	/**
+	 * Kernel helper
+	 */
+	ha_kernel_t *kernel;
+
+	/**
+	 * HA enabled pool
+	 */
+	ha_attribute_t *attr;
+
 	/**
 	 * Dispatcher job
 	 */
@@ -153,6 +168,8 @@ static void process_ike_add(private_ha_dispatcher_t *this, ha_message_t *message
 				old_sa = NULL;
 			}
 			ike_sa->set_state(ike_sa, IKE_CONNECTING);
+			this->cache->cache(this->cache, ike_sa, message);
+			message = NULL;
 			charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
 		}
 		else
@@ -167,6 +184,7 @@ static void process_ike_add(private_ha_dispatcher_t *this, ha_message_t *message
 	{
 		charon->ike_sa_manager->checkin(charon->ike_sa_manager, old_sa);
 	}
+	DESTROY_IF(message);
 }
 
 /**
@@ -201,6 +219,8 @@ static void process_ike_update(private_ha_dispatcher_t *this,
 	enumerator_t *enumerator;
 	ike_sa_t *ike_sa = NULL;
 	peer_cfg_t *peer_cfg = NULL;
+	auth_cfg_t *auth;
+	bool received_vip = FALSE;
 
 	enumerator = message->create_attribute_enumerator(message);
 	while (enumerator->enumerate(enumerator, &attribute, &value))
@@ -222,6 +242,11 @@ static void process_ike_update(private_ha_dispatcher_t *this,
 			case HA_REMOTE_ID:
 				ike_sa->set_other_id(ike_sa, value.id->clone(value.id));
 				break;
+			case HA_REMOTE_EAP_ID:
+				auth = auth_cfg_create();
+				auth->add(auth, AUTH_RULE_EAP_IDENTITY, value.id->clone(value.id));
+				ike_sa->add_auth_cfg(ike_sa, FALSE, auth);
+				break;
 			case HA_LOCAL_ADDR:
 				ike_sa->set_my_host(ike_sa, value.host->clone(value.host));
 				break;
@@ -233,6 +258,7 @@ static void process_ike_update(private_ha_dispatcher_t *this,
 				break;
 			case HA_REMOTE_VIP:
 				ike_sa->set_virtual_ip(ike_sa, FALSE, value.host);
+				received_vip = TRUE;
 				break;
 			case HA_ADDITIONAL_ADDR:
 				ike_sa->add_additional_address(ike_sa,
@@ -265,12 +291,6 @@ static void process_ike_update(private_ha_dispatcher_t *this,
 				set_condition(ike_sa, value.u32, COND_CERTREQ_SEEN);
 				set_condition(ike_sa, value.u32, COND_ORIGINAL_INITIATOR);
 				break;
-			case HA_INITIATE_MID:
-				ike_sa->set_message_id(ike_sa, TRUE, value.u32);
-				break;
-			case HA_RESPOND_MID:
-				ike_sa->set_message_id(ike_sa, FALSE, value.u32);
-				break;
 			default:
 				break;
 		}
@@ -282,10 +302,81 @@ static void process_ike_update(private_ha_dispatcher_t *this,
 		if (ike_sa->get_state(ike_sa) == IKE_CONNECTING &&
 			ike_sa->get_peer_cfg(ike_sa))
 		{
+			DBG1(DBG_CFG, "installed HA passive IKE_SA '%s' %H[%Y]...%H[%Y]",
+				 ike_sa->get_name(ike_sa),
+				 ike_sa->get_my_host(ike_sa), ike_sa->get_my_id(ike_sa),
+				 ike_sa->get_other_host(ike_sa), ike_sa->get_other_id(ike_sa));
 			ike_sa->set_state(ike_sa, IKE_PASSIVE);
 		}
+		if (received_vip)
+		{
+			host_t *vip;
+			char *pool;
+
+			peer_cfg = ike_sa->get_peer_cfg(ike_sa);
+			vip = ike_sa->get_virtual_ip(ike_sa, FALSE);
+			if (peer_cfg && vip)
+			{
+				pool = peer_cfg->get_pool(peer_cfg);
+				if (pool)
+				{
+					this->attr->reserve(this->attr, pool, vip);
+				}
+			}
+		}
+		this->cache->cache(this->cache, ike_sa, message);
 		charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
 	}
+	else
+	{
+		DBG1(DBG_CFG, "passive HA IKE_SA to update not found");
+		message->destroy(message);
+	}
+}
+
+/**
+ * Process messages of type IKE_MID_INITIATOR/RESPONDER
+ */
+static void process_ike_mid(private_ha_dispatcher_t *this,
+							   ha_message_t *message, bool initiator)
+{
+	ha_message_attribute_t attribute;
+	ha_message_value_t value;
+	enumerator_t *enumerator;
+	ike_sa_t *ike_sa = NULL;
+	u_int32_t mid = 0;
+
+	enumerator = message->create_attribute_enumerator(message);
+	while (enumerator->enumerate(enumerator, &attribute, &value))
+	{
+		switch (attribute)
+		{
+			case HA_IKE_ID:
+				ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager,
+														  value.ike_sa_id);
+				break;
+			case HA_MID:
+				mid = value.u32;
+				break;
+			default:
+				break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	if (ike_sa)
+	{
+		if (mid)
+		{
+			ike_sa->set_message_id(ike_sa, initiator, mid);
+		}
+		this->cache->cache(this->cache, ike_sa, message);
+		charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+	}
+	else
+	{
+		message->destroy(message);
+	}
 }
 
 /**
@@ -297,7 +388,7 @@ static void process_ike_delete(private_ha_dispatcher_t *this,
 	ha_message_attribute_t attribute;
 	ha_message_value_t value;
 	enumerator_t *enumerator;
-	ike_sa_t *ike_sa;
+	ike_sa_t *ike_sa = NULL;
 
 	enumerator = message->create_attribute_enumerator(message);
 	while (enumerator->enumerate(enumerator, &attribute, &value))
@@ -307,17 +398,22 @@ static void process_ike_delete(private_ha_dispatcher_t *this,
 			case HA_IKE_ID:
 				ike_sa = charon->ike_sa_manager->checkout(
 									charon->ike_sa_manager, value.ike_sa_id);
-				if (ike_sa)
-				{
-					charon->ike_sa_manager->checkin_and_destroy(
-									charon->ike_sa_manager, ike_sa);
-				}
 				break;
 			default:
 				break;
 		}
 	}
 	enumerator->destroy(enumerator);
+	if (ike_sa)
+	{
+		this->cache->cache(this->cache, ike_sa, message);
+		charon->ike_sa_manager->checkin_and_destroy(
+						charon->ike_sa_manager, ike_sa);
+	}
+	else
+	{
+		message->destroy(message);
+	}
 }
 
 /**
@@ -366,6 +462,7 @@ static void process_child_add(private_ha_dispatcher_t *this,
 	u_int16_t inbound_cpi = 0, outbound_cpi = 0;
 	u_int8_t mode = MODE_TUNNEL, ipcomp = 0;
 	u_int16_t encr = ENCR_UNDEFINED, integ = AUTH_UNDEFINED, len = 0;
+	u_int seg_i, seg_o;
 	chunk_t nonce_i = chunk_empty, nonce_r = chunk_empty, secret = chunk_empty;
 	chunk_t encr_i, integ_i, encr_r, integ_r;
 	linked_list_t *local_ts, *remote_ts;
@@ -381,11 +478,13 @@ static void process_child_add(private_ha_dispatcher_t *this,
 			case HA_IKE_ID:
 				ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager,
 														  value.ike_sa_id);
-				initiator = value.ike_sa_id->is_initiator(value.ike_sa_id);
 				break;
 			case HA_CONFIG_NAME:
 				config_name = value.str;
 				break;
+			case HA_INITIATOR:
+				initiator = value.u8;
+				break;
 			case HA_INBOUND_SPI:
 				inbound_spi = value.u32;
 				break;
@@ -431,6 +530,7 @@ static void process_child_add(private_ha_dispatcher_t *this,
 	if (!ike_sa)
 	{
 		DBG1(DBG_CHD, "IKE_SA for HA CHILD_SA not found");
+		message->destroy(message);
 		return;
 	}
 	config = find_child_cfg(ike_sa, config_name);
@@ -438,6 +538,7 @@ static void process_child_add(private_ha_dispatcher_t *this,
 	{
 		DBG1(DBG_CHD, "HA is missing nodes child configuration");
 		charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+		message->destroy(message);
 		return;
 	}
 
@@ -524,15 +625,27 @@ static void process_child_add(private_ha_dispatcher_t *this,
 		local_ts->destroy_offset(local_ts, offsetof(traffic_selector_t, destroy));
 		remote_ts->destroy_offset(remote_ts, offsetof(traffic_selector_t, destroy));
 		charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+		message->destroy(message);
 		return;
 	}
 
+	seg_i = this->kernel->get_segment_spi(this->kernel,
+								ike_sa->get_my_host(ike_sa), inbound_spi);
+	seg_o = this->kernel->get_segment_spi(this->kernel,
+								ike_sa->get_other_host(ike_sa), outbound_spi);
+
+	DBG1(DBG_CFG, "installed HA CHILD_SA %s{%d} %#R=== %#R "
+		"(segment in: %d%s, out: %d%s)", child_sa->get_name(child_sa),
+		child_sa->get_reqid(child_sa), local_ts, remote_ts,
+		seg_i, this->segments->is_active(this->segments, seg_i) ? "*" : "",
+		seg_o, this->segments->is_active(this->segments, seg_o) ? "*" : "");
 	child_sa->add_policies(child_sa, local_ts, remote_ts);
 	local_ts->destroy_offset(local_ts, offsetof(traffic_selector_t, destroy));
 	remote_ts->destroy_offset(remote_ts, offsetof(traffic_selector_t, destroy));
 
 	child_sa->set_state(child_sa, CHILD_INSTALLED);
 	ike_sa->add_child_sa(ike_sa, child_sa);
+	message->destroy(message);
 	charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
 }
 
@@ -546,6 +659,8 @@ static void process_child_delete(private_ha_dispatcher_t *this,
 	ha_message_value_t value;
 	enumerator_t *enumerator;
 	ike_sa_t *ike_sa = NULL;
+	child_sa_t *child_sa;
+	u_int32_t spi = 0;
 
 	enumerator = message->create_attribute_enumerator(message);
 	while (enumerator->enumerate(enumerator, &attribute, &value))
@@ -557,20 +672,24 @@ static void process_child_delete(private_ha_dispatcher_t *this,
 														  value.ike_sa_id);
 				break;
 			case HA_INBOUND_SPI:
-				if (ike_sa)
-				{
-					ike_sa->destroy_child_sa(ike_sa, PROTO_ESP, value.u32);
-				}
+				spi = value.u32;
 				break;
 			default:
 				break;
 		}
 	}
+	enumerator->destroy(enumerator);
+
 	if (ike_sa)
 	{
+		child_sa = ike_sa->get_child_sa(ike_sa, PROTO_ESP, spi, TRUE);
+		if (child_sa)
+		{
+			ike_sa->destroy_child_sa(ike_sa, PROTO_ESP, spi);
+		}
 		charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
 	}
-	enumerator->destroy(enumerator);
+	message->destroy(message);
 }
 
 /**
@@ -605,6 +724,7 @@ static void process_segment(private_ha_dispatcher_t *this,
 		}
 	}
 	enumerator->destroy(enumerator);
+	message->destroy(message);
 }
 
 /**
@@ -633,6 +753,7 @@ static void process_status(private_ha_dispatcher_t *this,
 	enumerator->destroy(enumerator);
 
 	this->segments->handle_status(this->segments, mask);
+	message->destroy(message);
 }
 
 /**
@@ -651,13 +772,14 @@ static void process_resync(private_ha_dispatcher_t *this,
 		switch (attribute)
 		{
 			case HA_SEGMENT:
-				this->segments->resync(this->segments, value.u16);
+				this->cache->resync(this->cache, value.u16);
 				break;
 			default:
 				break;
 		}
 	}
 	enumerator->destroy(enumerator);
+	message->destroy(message);
 }
 
 /**
@@ -666,9 +788,16 @@ static void process_resync(private_ha_dispatcher_t *this,
 static job_requeue_t dispatch(private_ha_dispatcher_t *this)
 {
 	ha_message_t *message;
+	ha_message_type_t type;
 
 	message = this->socket->pull(this->socket);
-	switch (message->get_type(message))
+	type = message->get_type(message);
+	if (type != HA_STATUS)
+	{
+		DBG2(DBG_CFG, "received HA %N message", ha_message_type_names,
+			 message->get_type(message));
+	}
+	switch (type)
 	{
 		case HA_IKE_ADD:
 			process_ike_add(this, message);
@@ -676,6 +805,12 @@ static job_requeue_t dispatch(private_ha_dispatcher_t *this)
 		case HA_IKE_UPDATE:
 			process_ike_update(this, message);
 			break;
+		case HA_IKE_MID_INITIATOR:
+			process_ike_mid(this, message, TRUE);
+			break;
+		case HA_IKE_MID_RESPONDER:
+			process_ike_mid(this, message, FALSE);
+			break;
 		case HA_IKE_DELETE:
 			process_ike_delete(this, message);
 			break;
@@ -698,19 +833,15 @@ static job_requeue_t dispatch(private_ha_dispatcher_t *this)
 			process_resync(this, message);
 			break;
 		default:
-			DBG1(DBG_CFG, "received unknown HA message type %d",
-				 message->get_type(message));
+			DBG1(DBG_CFG, "received unknown HA message type %d", type);
+			message->destroy(message);
 			break;
 	}
-	message->destroy(message);
-
 	return JOB_REQUEUE_DIRECT;
 }
 
-/**
- * Implementation of ha_dispatcher_t.destroy.
- */
-static void destroy(private_ha_dispatcher_t *this)
+METHOD(ha_dispatcher_t, destroy, void,
+	private_ha_dispatcher_t *this)
 {
 	this->job->cancel(this->job);
 	free(this);
@@ -720,14 +851,22 @@ static void destroy(private_ha_dispatcher_t *this)
  * See header
  */
 ha_dispatcher_t *ha_dispatcher_create(ha_socket_t *socket,
-									  ha_segments_t *segments)
+									ha_segments_t *segments, ha_cache_t *cache,
+									ha_kernel_t *kernel, ha_attribute_t *attr)
 {
-	private_ha_dispatcher_t *this = malloc_thing(private_ha_dispatcher_t);
-
-	this->public.destroy = (void(*)(ha_dispatcher_t*))destroy;
-
-	this->socket = socket;
-	this->segments = segments;
+	private_ha_dispatcher_t *this;
+
+
+	INIT(this,
+		.public = {
+			.destroy = _destroy,
+		},
+		.socket = socket,
+		.segments = segments,
+		.cache = cache,
+		.kernel = kernel,
+		.attr = attr,
+	);
 	this->job = callback_job_create((callback_job_cb_t)dispatch,
 									this, NULL, NULL);
 	charon->processor->queue_job(charon->processor, (job_t*)this->job);
diff --git a/src/libcharon/plugins/ha/ha_dispatcher.h b/src/libcharon/plugins/ha/ha_dispatcher.h
index d2baace3f..105a40473 100644
--- a/src/libcharon/plugins/ha/ha_dispatcher.h
+++ b/src/libcharon/plugins/ha/ha_dispatcher.h
@@ -23,6 +23,9 @@
 
 #include "ha_socket.h"
 #include "ha_segments.h"
+#include "ha_cache.h"
+#include "ha_kernel.h"
+#include "ha_attribute.h"
 
 typedef struct ha_dispatcher_t ha_dispatcher_t;
 
@@ -42,9 +45,13 @@ struct ha_dispatcher_t {
  *
  * @param socket		socket to pull messages from
  * @param segments		segments to control based on received messages
+ * @param cache			message cache to use for resynchronization
+ * @param kernel		kernel helper
+ * @param attr			HA enabled pool
  * @return				dispatcher object
  */
 ha_dispatcher_t *ha_dispatcher_create(ha_socket_t *socket,
-									  ha_segments_t *segments);
+									ha_segments_t *segments, ha_cache_t *cache,
+									ha_kernel_t *kernel, ha_attribute_t *attr);
 
-#endif /* HA_DISPATCHER_ @}*/
+#endif /** HA_DISPATCHER_ @}*/
diff --git a/src/libcharon/plugins/ha/ha_ike.c b/src/libcharon/plugins/ha/ha_ike.c
index 1f025d0e5..1efba4e8f 100644
--- a/src/libcharon/plugins/ha/ha_ike.c
+++ b/src/libcharon/plugins/ha/ha_ike.c
@@ -36,6 +36,11 @@ struct private_ha_ike_t {
 	 * tunnel securing sync messages
 	 */
 	ha_tunnel_t *tunnel;
+
+	/**
+	 * message cache
+	 */
+	ha_cache_t *cache;
 };
 
 /**
@@ -62,12 +67,9 @@ static ike_extension_t copy_extension(ike_sa_t *ike_sa, ike_extension_t ext)
 	return 0;
 }
 
-/**
- * Implementation of listener_t.ike_keys
- */
-static bool ike_keys(private_ha_ike_t *this, ike_sa_t *ike_sa,
-					 diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r,
-					 ike_sa_t *rekey)
+METHOD(listener_t, ike_keys, bool,
+	private_ha_ike_t *this, ike_sa_t *ike_sa, diffie_hellman_t *dh,
+	chunk_t nonce_i, chunk_t nonce_r, ike_sa_t *rekey)
 {
 	ha_message_t *m;
 	chunk_t secret;
@@ -120,14 +122,13 @@ static bool ike_keys(private_ha_ike_t *this, ike_sa_t *ike_sa,
 	chunk_clear(&secret);
 
 	this->socket->push(this->socket, m);
+	this->cache->cache(this->cache, ike_sa, m);
 
 	return TRUE;
 }
 
-/**
- * Implementation of listener_t.ike_updown
- */
-static bool ike_updown(private_ha_ike_t *this, ike_sa_t *ike_sa, bool up)
+METHOD(listener_t, ike_updown, bool,
+	private_ha_ike_t *this, ike_sa_t *ike_sa, bool up)
 {
 	ha_message_t *m;
 
@@ -147,6 +148,7 @@ static bool ike_updown(private_ha_ike_t *this, ike_sa_t *ike_sa, bool up)
 		u_int32_t extension, condition;
 		host_t *addr;
 		ike_sa_id_t *id;
+		identification_t *eap_id;
 
 		peer_cfg = ike_sa->get_peer_cfg(ike_sa);
 
@@ -168,6 +170,11 @@ static bool ike_updown(private_ha_ike_t *this, ike_sa_t *ike_sa, bool up)
 		m->add_attribute(m, HA_IKE_ID, id);
 		m->add_attribute(m, HA_LOCAL_ID, ike_sa->get_my_id(ike_sa));
 		m->add_attribute(m, HA_REMOTE_ID, ike_sa->get_other_id(ike_sa));
+		eap_id = ike_sa->get_other_eap_id(ike_sa);
+		if (!eap_id->equals(eap_id, ike_sa->get_other_id(ike_sa)))
+		{
+			m->add_attribute(m, HA_REMOTE_EAP_ID, eap_id);
+		}
 		m->add_attribute(m, HA_LOCAL_ADDR, ike_sa->get_my_host(ike_sa));
 		m->add_attribute(m, HA_REMOTE_ADDR, ike_sa->get_other_host(ike_sa));
 		m->add_attribute(m, HA_CONDITIONS, condition);
@@ -186,24 +193,31 @@ static bool ike_updown(private_ha_ike_t *this, ike_sa_t *ike_sa, bool up)
 		m->add_attribute(m, HA_IKE_ID, ike_sa->get_id(ike_sa));
 	}
 	this->socket->push(this->socket, m);
+	this->cache->cache(this->cache, ike_sa, m);
 	return TRUE;
 }
 
-/**
- * Implementation of listener_t.ike_rekey
- */
-static bool ike_rekey(private_ha_ike_t *this, ike_sa_t *old, ike_sa_t *new)
+METHOD(listener_t, ike_rekey, bool,
+	private_ha_ike_t *this, ike_sa_t *old, ike_sa_t *new)
 {
 	ike_updown(this, old, FALSE);
 	ike_updown(this, new, TRUE);
 	return TRUE;
 }
 
-/**
- * Implementation of listener_t.message
- */
-static bool message_hook(private_ha_ike_t *this, ike_sa_t *ike_sa,
-						 message_t *message, bool incoming)
+METHOD(listener_t, ike_state_change, bool,
+	private_ha_ike_t *this, ike_sa_t *ike_sa, ike_sa_state_t new)
+{
+	/* delete any remaining cache entry if IKE_SA gets destroyed */
+	if (new == IKE_DESTROYING)
+	{
+		this->cache->delete(this->cache, ike_sa);
+	}
+	return TRUE;
+}
+
+METHOD(listener_t, message_hook, bool,
+	private_ha_ike_t *this, ike_sa_t *ike_sa, message_t *message, bool incoming)
 {
 	if (this->tunnel && this->tunnel->is_sa(this->tunnel, ike_sa))
 	{	/* do not sync SA between nodes */
@@ -214,20 +228,19 @@ static bool message_hook(private_ha_ike_t *this, ike_sa_t *ike_sa,
 		message->get_request(message))
 	{	/* we sync on requests, but skip it on IKE_SA_INIT */
 		ha_message_t *m;
-		u_int32_t mid;
 
-		m = ha_message_create(HA_IKE_UPDATE);
-		m->add_attribute(m, HA_IKE_ID, ike_sa->get_id(ike_sa));
-		mid = message->get_message_id(message) + 1;
 		if (incoming)
 		{
-			m->add_attribute(m, HA_RESPOND_MID, mid);
+			m = ha_message_create(HA_IKE_MID_RESPONDER);
 		}
 		else
 		{
-			m->add_attribute(m, HA_INITIATE_MID, mid);
+			m = ha_message_create(HA_IKE_MID_INITIATOR);
 		}
+		m->add_attribute(m, HA_IKE_ID, ike_sa->get_id(ike_sa));
+		m->add_attribute(m, HA_MID, message->get_message_id(message) + 1);
 		this->socket->push(this->socket, m);
+		this->cache->cache(this->cache, ike_sa, m);
 	}
 	if (ike_sa->get_state(ike_sa) == IKE_ESTABLISHED &&
 		message->get_exchange_type(message) == IKE_AUTH &&
@@ -245,15 +258,14 @@ static bool message_hook(private_ha_ike_t *this, ike_sa_t *ike_sa,
 			m->add_attribute(m, HA_IKE_ID, ike_sa->get_id(ike_sa));
 			m->add_attribute(m, HA_REMOTE_VIP, vip);
 			this->socket->push(this->socket, m);
+			this->cache->cache(this->cache, ike_sa, m);
 		}
 	}
 	return TRUE;
 }
 
-/**
- * Implementation of ha_ike_t.destroy.
- */
-static void destroy(private_ha_ike_t *this)
+METHOD(ha_ike_t, destroy, void,
+	private_ha_ike_t *this)
 {
 	free(this);
 }
@@ -261,19 +273,26 @@ static void destroy(private_ha_ike_t *this)
 /**
  * See header
  */
-ha_ike_t *ha_ike_create(ha_socket_t *socket, ha_tunnel_t *tunnel)
+ha_ike_t *ha_ike_create(ha_socket_t *socket, ha_tunnel_t *tunnel,
+						ha_cache_t *cache)
 {
-	private_ha_ike_t *this = malloc_thing(private_ha_ike_t);
-
-	memset(&this->public.listener, 0, sizeof(listener_t));
-	this->public.listener.ike_keys = (bool(*)(listener_t*, ike_sa_t *ike_sa, diffie_hellman_t *dh,chunk_t nonce_i, chunk_t nonce_r, ike_sa_t *rekey))ike_keys;
-	this->public.listener.ike_updown = (bool(*)(listener_t*,ike_sa_t *ike_sa, bool up))ike_updown;
-	this->public.listener.ike_rekey = (bool(*)(listener_t*,ike_sa_t *old, ike_sa_t *new))ike_rekey;
-	this->public.listener.message = (bool(*)(listener_t*, ike_sa_t *, message_t *,bool))message_hook;
-	this->public.destroy = (void(*)(ha_ike_t*))destroy;
-
-	this->socket = socket;
-	this->tunnel = tunnel;
+	private_ha_ike_t *this;
+
+	INIT(this,
+		.public = {
+			.listener = {
+				.ike_keys = _ike_keys,
+				.ike_updown = _ike_updown,
+				.ike_rekey = _ike_rekey,
+				.ike_state_change = _ike_state_change,
+				.message = _message_hook,
+			},
+			.destroy = _destroy,
+		},
+		.socket = socket,
+		.tunnel = tunnel,
+		.cache = cache,
+	);
 
 	return &this->public;
 }
diff --git a/src/libcharon/plugins/ha/ha_ike.h b/src/libcharon/plugins/ha/ha_ike.h
index 9de210e67..b22cd6250 100644
--- a/src/libcharon/plugins/ha/ha_ike.h
+++ b/src/libcharon/plugins/ha/ha_ike.h
@@ -21,14 +21,15 @@
 #ifndef HA_IKE_H_
 #define HA_IKE_H_
 
+typedef struct ha_ike_t ha_ike_t;
+
 #include "ha_socket.h"
 #include "ha_tunnel.h"
 #include "ha_segments.h"
+#include "ha_cache.h"
 
 #include <daemon.h>
 
-typedef struct ha_ike_t ha_ike_t;
-
 /**
  * Listener to synchronize IKE_SAs.
  */
@@ -50,8 +51,10 @@ struct ha_ike_t {
  *
  * @param socket		socket to use for sending synchronization messages
  * @param tunnel		tunnel securing sync messages, if any
+ * @param cache			message cache
  * @return				IKE listener
  */
-ha_ike_t *ha_ike_create(ha_socket_t *socket, ha_tunnel_t *tunnel);
+ha_ike_t *ha_ike_create(ha_socket_t *socket, ha_tunnel_t *tunnel,
+						ha_cache_t *cache);
 
-#endif /* HA_IKE_ @}*/
+#endif /** HA_IKE_ @}*/
diff --git a/src/libcharon/plugins/ha/ha_kernel.c b/src/libcharon/plugins/ha/ha_kernel.c
index 0ad9c22c3..10a63453a 100644
--- a/src/libcharon/plugins/ha/ha_kernel.c
+++ b/src/libcharon/plugins/ha/ha_kernel.c
@@ -52,24 +52,57 @@ struct private_ha_kernel_t {
 };
 
 /**
- * Implementation of ha_kernel_t.in_segment
+ * Segmentate a calculated hash
  */
-static bool in_segment(private_ha_kernel_t *this, host_t *host, u_int segment)
+static u_int hash2segment(private_ha_kernel_t *this, u_int64_t hash)
+{
+	return ((hash * this->count) >> 32) + 1;
+}
+
+/**
+ * Get a host as an integer for hashing
+ */
+static u_int32_t host2int(host_t *host)
 {
 	if (host->get_family(host) == AF_INET)
 	{
-		unsigned long hash;
-		u_int32_t addr;
+		return *(u_int32_t*)host->get_address(host).ptr;
+	}
+	return 0;
+}
 
-		addr = *(u_int32_t*)host->get_address(host).ptr;
-		hash = jhash_1word(ntohl(addr), this->initval);
+METHOD(ha_kernel_t, get_segment, u_int,
+	private_ha_kernel_t *this, host_t *host)
+{
+	unsigned long hash;
+	u_int32_t addr;
 
-		if ((((u_int64_t)hash * this->count) >> 32) + 1 == segment)
-		{
-			return TRUE;
-		}
-	}
-	return FALSE;
+	addr = host2int(host);
+	hash = jhash_1word(ntohl(addr), this->initval);
+
+	return hash2segment(this, hash);
+}
+
+METHOD(ha_kernel_t, get_segment_spi, u_int,
+	private_ha_kernel_t *this, host_t *host, u_int32_t spi)
+{
+	unsigned long hash;
+	u_int32_t addr;
+
+	addr = host2int(host);
+	hash = jhash_2words(ntohl(addr), ntohl(spi), this->initval);
+
+	return hash2segment(this, hash);
+}
+
+METHOD(ha_kernel_t, get_segment_int, u_int,
+	private_ha_kernel_t *this, int n)
+{
+	unsigned long hash;
+
+	hash = jhash_1word(ntohl(n), this->initval);
+
+	return hash2segment(this, hash);
 }
 
 /**
@@ -142,10 +175,8 @@ static segment_mask_t get_active(private_ha_kernel_t *this, char *file)
 	return mask;
 }
 
-/**
- * Implementation of ha_kernel_t.activate
- */
-static void activate(private_ha_kernel_t *this, u_int segment)
+METHOD(ha_kernel_t, activate, void,
+	private_ha_kernel_t *this, u_int segment)
 {
 	enumerator_t *enumerator;
 	char *file;
@@ -158,10 +189,8 @@ static void activate(private_ha_kernel_t *this, u_int segment)
 	enumerator->destroy(enumerator);
 }
 
-/**
- * Implementation of ha_kernel_t.deactivate
- */
-static void deactivate(private_ha_kernel_t *this, u_int segment)
+METHOD(ha_kernel_t, deactivate, void,
+	private_ha_kernel_t *this, u_int segment)
 {
 	enumerator_t *enumerator;
 	char *file;
@@ -199,10 +228,8 @@ static void disable_all(private_ha_kernel_t *this)
 	enumerator->destroy(enumerator);
 }
 
-/**
- * Implementation of ha_kernel_t.destroy.
- */
-static void destroy(private_ha_kernel_t *this)
+METHOD(ha_kernel_t, destroy, void,
+	private_ha_kernel_t *this)
 {
 	free(this);
 }
@@ -212,15 +239,20 @@ static void destroy(private_ha_kernel_t *this)
  */
 ha_kernel_t *ha_kernel_create(u_int count)
 {
-	private_ha_kernel_t *this = malloc_thing(private_ha_kernel_t);
-
-	this->public.in_segment = (bool(*)(ha_kernel_t*, host_t *host, u_int segment))in_segment;
-	this->public.activate = (void(*)(ha_kernel_t*, u_int segment))activate;
-	this->public.deactivate = (void(*)(ha_kernel_t*, u_int segment))deactivate;
-	this->public.destroy = (void(*)(ha_kernel_t*))destroy;
+	private_ha_kernel_t *this;
 
-	this->initval = 0;
-	this->count = count;
+	INIT(this,
+		.public = {
+			.get_segment = _get_segment,
+			.get_segment_spi = _get_segment_spi,
+			.get_segment_int = _get_segment_int,
+			.activate = _activate,
+			.deactivate = _deactivate,
+			.destroy = _destroy,
+		},
+		.initval = 0,
+		.count = count,
+	);
 
 	disable_all(this);
 
diff --git a/src/libcharon/plugins/ha/ha_kernel.h b/src/libcharon/plugins/ha/ha_kernel.h
index b37cc7667..7b56f1e3a 100644
--- a/src/libcharon/plugins/ha/ha_kernel.h
+++ b/src/libcharon/plugins/ha/ha_kernel.h
@@ -31,13 +31,28 @@ typedef struct ha_kernel_t ha_kernel_t;
 struct ha_kernel_t {
 
 	/**
-	 * Check if a host is in a segment.
+	 * Get the segment a host is in.
 	 *
-	 * @param host		host to check
-	 * @param segment	segment
-	 * @return 			TRUE if host belongs to segment
+	 * @param host		host to get segment for
+	 * @return			segment number
 	 */
-	bool (*in_segment)(ha_kernel_t *this, host_t *host, u_int segment);
+	u_int (*get_segment)(ha_kernel_t *this, host_t *host);
+
+	/**
+	 * Get the segment a host/SPI is in, as used for CHILD_SA segmentation.
+	 *
+	 * @param host		host to get segment for
+	 * @param spi		SPI to include in hash
+	 * @return			segment number
+	 */
+	u_int (*get_segment_spi)(ha_kernel_t *this, host_t *host, u_int32_t spi);
+
+	/**
+	 * Get the segment an arbitrary integer is in.
+	 *
+	 * @param n			integer to segmentate
+	 */
+	u_int (*get_segment_int)(ha_kernel_t *this, int n);
 
 	/**
 	 * Activate a segment at kernel level for all cluster addresses.
@@ -63,8 +78,7 @@ struct ha_kernel_t {
  * Create a ha_kernel instance.
  *
  * @param count			total number of segments to use
- * @param active		bitmask of initially active segments
  */
 ha_kernel_t *ha_kernel_create(u_int count);
 
-#endif /* HA_KERNEL_ @}*/
+#endif /** HA_KERNEL_ @}*/
diff --git a/src/libcharon/plugins/ha/ha_message.c b/src/libcharon/plugins/ha/ha_message.c
index 54b10f05d..7ce9cbe09 100644
--- a/src/libcharon/plugins/ha/ha_message.c
+++ b/src/libcharon/plugins/ha/ha_message.c
@@ -46,6 +46,20 @@ struct private_ha_message_t {
 	chunk_t buf;
 };
 
+ENUM(ha_message_type_names, HA_IKE_ADD, HA_RESYNC,
+	"IKE_ADD",
+	"IKE_UPDATE",
+	"IKE_MID_INITIATOR",
+	"IKE_MID_RESPONDER",
+	"IKE_DELETE",
+	"CHILD_ADD",
+	"CHILD_DELETE",
+	"SEGMENT_DROP",
+	"SEGMENT_TAKE",
+	"STATUS",
+	"RESYNC",
+);
+
 typedef struct ike_sa_id_encoding_t ike_sa_id_encoding_t;
 
 /**
@@ -93,10 +107,8 @@ struct ts_encoding_t {
 	char encoding[];
 } __attribute__((packed));
 
-/**
- * Implementation of ha_message_t.get_type
- */
-static ha_message_type_t get_type(private_ha_message_t *this)
+METHOD(ha_message_t, get_type, ha_message_type_t,
+	private_ha_message_t *this)
 {
 	return this->buf.ptr[1];
 }
@@ -119,11 +131,8 @@ static void check_buf(private_ha_message_t *this, size_t len)
 	}
 }
 
-/**
- * Implementation of ha_message_t.add_attribute
- */
-static void add_attribute(private_ha_message_t *this,
-						  ha_message_attribute_t attribute, ...)
+METHOD(ha_message_t, add_attribute, void,
+	private_ha_message_t *this, ha_message_attribute_t attribute, ...)
 {
 	size_t len;
 	va_list args;
@@ -154,6 +163,7 @@ static void add_attribute(private_ha_message_t *this,
 		/* identification_t* */
 		case HA_LOCAL_ID:
 		case HA_REMOTE_ID:
+		case HA_REMOTE_EAP_ID:
 		{
 			identification_encoding_t *enc;
 			identification_t *id;
@@ -203,6 +213,7 @@ static void add_attribute(private_ha_message_t *this,
 			break;
 		}
 		/* u_int8_t */
+		case HA_INITIATOR:
 		case HA_IPSEC_MODE:
 		case HA_IPCOMP:
 		{
@@ -237,8 +248,7 @@ static void add_attribute(private_ha_message_t *this,
 		case HA_EXTENSIONS:
 		case HA_INBOUND_SPI:
 		case HA_OUTBOUND_SPI:
-		case HA_INITIATE_MID:
-		case HA_RESPOND_MID:
+		case HA_MID:
 		{
 			u_int32_t val;
 
@@ -310,12 +320,9 @@ typedef struct {
 	void *cleanup_data;
 } attribute_enumerator_t;
 
-/**
- * Implementation of create_attribute_enumerator().enumerate
- */
-static bool attribute_enumerate(attribute_enumerator_t *this,
-								ha_message_attribute_t *attr_out,
-								ha_message_value_t *value)
+METHOD(enumerator_t, attribute_enumerate, bool,
+	attribute_enumerator_t *this, ha_message_attribute_t *attr_out,
+	ha_message_value_t *value)
 {
 	ha_message_attribute_t attr;
 
@@ -354,6 +361,7 @@ static bool attribute_enumerate(attribute_enumerator_t *this,
 		/* identification_t* */
 		case HA_LOCAL_ID:
 		case HA_REMOTE_ID:
+		case HA_REMOTE_EAP_ID:
 		{
 			identification_encoding_t *enc;
 
@@ -417,6 +425,7 @@ static bool attribute_enumerate(attribute_enumerator_t *this,
 			return TRUE;
 		}
 		/* u_int8_t */
+		case HA_INITIATOR:
 		case HA_IPSEC_MODE:
 		case HA_IPCOMP:
 		{
@@ -453,8 +462,7 @@ static bool attribute_enumerate(attribute_enumerator_t *this,
 		case HA_EXTENSIONS:
 		case HA_INBOUND_SPI:
 		case HA_OUTBOUND_SPI:
-		case HA_INITIATE_MID:
-		case HA_RESPOND_MID:
+		case HA_MID:
 		{
 			if (this->buf.len < sizeof(u_int32_t))
 			{
@@ -559,10 +567,8 @@ static bool attribute_enumerate(attribute_enumerator_t *this,
 	}
 }
 
-/**
- * Implementation of create_attribute_enumerator().destroy
- */
-static void enum_destroy(attribute_enumerator_t *this)
+METHOD(enumerator_t, enum_destroy, void,
+	attribute_enumerator_t *this)
 {
 	if (this->cleanup)
 	{
@@ -571,35 +577,30 @@ static void enum_destroy(attribute_enumerator_t *this)
 	free(this);
 }
 
-/**
- * Implementation of ha_message_t.create_attribute_enumerator
- */
-static enumerator_t* create_attribute_enumerator(private_ha_message_t *this)
+METHOD(ha_message_t, create_attribute_enumerator, enumerator_t*,
+	private_ha_message_t *this)
 {
-	attribute_enumerator_t *e = malloc_thing(attribute_enumerator_t);
-
-	e->public.enumerate = (void*)attribute_enumerate;
-	e->public.destroy = (void*)enum_destroy;
+	attribute_enumerator_t *e;
 
-	e->buf = chunk_skip(this->buf, 2);
-	e->cleanup = NULL;
-	e->cleanup_data = NULL;
+	INIT(e,
+		.public = {
+			.enumerate = (void*)_attribute_enumerate,
+			.destroy = _enum_destroy,
+		},
+		.buf = chunk_skip(this->buf, 2),
+	);
 
 	return &e->public;
 }
 
-/**
- * Implementation of ha_message_t.get_encoding
- */
-static chunk_t get_encoding(private_ha_message_t *this)
+METHOD(ha_message_t, get_encoding, chunk_t,
+	private_ha_message_t *this)
 {
 	return this->buf;
 }
 
-/**
- * Implementation of ha_message_t.destroy.
- */
-static void destroy(private_ha_message_t *this)
+METHOD(ha_message_t, destroy, void,
+	private_ha_message_t *this)
 {
 	free(this->buf.ptr);
 	free(this);
@@ -608,14 +609,17 @@ static void destroy(private_ha_message_t *this)
 
 static private_ha_message_t *ha_message_create_generic()
 {
-	private_ha_message_t *this = malloc_thing(private_ha_message_t);
-
-	this->public.get_type = (ha_message_type_t(*)(ha_message_t*))get_type;
-	this->public.add_attribute = (void(*)(ha_message_t*, ha_message_attribute_t attribute, ...))add_attribute;
-	this->public.create_attribute_enumerator = (enumerator_t*(*)(ha_message_t*))create_attribute_enumerator;
-	this->public.get_encoding = (chunk_t(*)(ha_message_t*))get_encoding;
-	this->public.destroy = (void(*)(ha_message_t*))destroy;
+	private_ha_message_t *this;
 
+	INIT(this,
+		.public = {
+			.get_type = _get_type,
+			.add_attribute = _add_attribute,
+			.create_attribute_enumerator = _create_attribute_enumerator,
+			.get_encoding = _get_encoding,
+			.destroy = _destroy,
+		},
+	);
 	return this;
 }
 
diff --git a/src/libcharon/plugins/ha/ha_message.h b/src/libcharon/plugins/ha/ha_message.h
index b2bc23724..50e11830f 100644
--- a/src/libcharon/plugins/ha/ha_message.h
+++ b/src/libcharon/plugins/ha/ha_message.h
@@ -30,7 +30,7 @@
 /**
  * Protocol version of this implementation
  */
-#define HA_MESSAGE_VERSION 1
+#define HA_MESSAGE_VERSION 2
 
 typedef struct ha_message_t ha_message_t;
 typedef enum ha_message_type_t ha_message_type_t;
@@ -43,8 +43,12 @@ typedef union ha_message_value_t ha_message_value_t;
 enum ha_message_type_t {
 	/** add a completely new IKE_SA */
 	HA_IKE_ADD = 1,
-	/** update an existing IKE_SA (message IDs, address update, ...) */
+	/** update an existing IKE_SA (identities, address update, ...) */
 	HA_IKE_UPDATE,
+	/** update initiator message id */
+	HA_IKE_MID_INITIATOR,
+	/** update responder message id */
+	HA_IKE_MID_RESPONDER,
 	/** delete an existing IKE_SA */
 	HA_IKE_DELETE,
 	/** add a new CHILD_SA */
@@ -61,6 +65,11 @@ enum ha_message_type_t {
 	HA_RESYNC,
 };
 
+/**
+ * Enum names for message types
+ */
+extern enum_name_t *ha_message_type_names;
+
 /**
  * Type of attributes contained in a message
  */
@@ -73,6 +82,8 @@ enum ha_message_attribute_t {
 	HA_LOCAL_ID,
 	/** identification_t*, remote identity */
 	HA_REMOTE_ID,
+	/** identification_t*, remote EAP identity */
+	HA_REMOTE_EAP_ID,
 	/** host_t*, local address */
 	HA_LOCAL_ADDR,
 	/** host_t*, remote address */
@@ -89,6 +100,8 @@ enum ha_message_attribute_t {
 	HA_REMOTE_VIP,
 	/** host_t*, additional MOBIKE peer address */
 	HA_ADDITIONAL_ADDR,
+	/** u_int8_t, initiator of an exchange, TRUE for local */
+	HA_INITIATOR,
 	/** chunk_t, initiators nonce */
 	HA_NONCE_I,
 	/** chunk_t, responders nonce */
@@ -123,10 +136,8 @@ enum ha_message_attribute_t {
 	HA_LOCAL_TS,
 	/** traffic_selector_t*, remote traffic selector */
 	HA_REMOTE_TS,
-	/** u_int32_t, initiating message ID */
-	HA_INITIATE_MID,
-	/** u_int32_t, responding message ID */
-	HA_RESPOND_MID,
+	/** u_int32_t, message ID */
+	HA_MID,
 	/** u_int16_t, HA segment */
 	HA_SEGMENT,
 };
@@ -190,7 +201,6 @@ struct ha_message_t {
 /**
  * Create a new ha_message instance, ready for adding attributes
  *
- * @param version			protocol version to create a message from
  * @param type				type of the message
  */
 ha_message_t *ha_message_create(ha_message_type_t type);
@@ -202,4 +212,4 @@ ha_message_t *ha_message_create(ha_message_type_t type);
  */
 ha_message_t *ha_message_parse(chunk_t data);
 
-#endif /* HA_MESSAGE_ @}*/
+#endif /** HA_MESSAGE_ @}*/
diff --git a/src/libcharon/plugins/ha/ha_plugin.c b/src/libcharon/plugins/ha/ha_plugin.c
index ea255c8ab..e722b4f3a 100644
--- a/src/libcharon/plugins/ha/ha_plugin.c
+++ b/src/libcharon/plugins/ha/ha_plugin.c
@@ -21,8 +21,11 @@
 #include "ha_dispatcher.h"
 #include "ha_segments.h"
 #include "ha_ctl.h"
+#include "ha_cache.h"
+#include "ha_attribute.h"
 
 #include <daemon.h>
+#include <hydra.h>
 #include <config/child_cfg.h>
 
 typedef struct private_ha_plugin_t private_ha_plugin_t;
@@ -76,20 +79,31 @@ struct private_ha_plugin_t {
 	 * Segment control interface via FIFO
 	 */
 	ha_ctl_t *ctl;
+
+	/**
+	 * Message cache for resynchronization
+	 */
+	ha_cache_t *cache;
+
+	/**
+	 * Attribute provider
+	 */
+	ha_attribute_t *attr;
 };
 
-/**
- * Implementation of plugin_t.destroy
- */
-static void destroy(private_ha_plugin_t *this)
+METHOD(plugin_t, destroy, void,
+	private_ha_plugin_t *this)
 {
 	DESTROY_IF(this->ctl);
+	hydra->attributes->remove_provider(hydra->attributes, &this->attr->provider);
 	charon->bus->remove_listener(charon->bus, &this->segments->listener);
 	charon->bus->remove_listener(charon->bus, &this->ike->listener);
 	charon->bus->remove_listener(charon->bus, &this->child->listener);
 	this->ike->destroy(this->ike);
 	this->child->destroy(this->child);
 	this->dispatcher->destroy(this->dispatcher);
+	this->attr->destroy(this->attr);
+	this->cache->destroy(this->cache);
 	this->segments->destroy(this->segments);
 	this->kernel->destroy(this->kernel);
 	this->socket->destroy(this->socket);
@@ -127,11 +141,9 @@ plugin_t *ha_plugin_create()
 		return NULL;
 	}
 
-	this = malloc_thing(private_ha_plugin_t);
-
-	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-	this->tunnel = NULL;
-	this->ctl = NULL;
+	INIT(this,
+		.public.plugin.destroy = _destroy,
+	);
 
 	if (secret)
 	{
@@ -146,17 +158,22 @@ plugin_t *ha_plugin_create()
 	}
 	this->kernel = ha_kernel_create(count);
 	this->segments = ha_segments_create(this->socket, this->kernel, this->tunnel,
-							count, strcmp(local, remote) > 0, monitor, resync);
+							count, strcmp(local, remote) > 0, monitor);
+	this->cache = ha_cache_create(this->kernel, this->socket, resync, count);
 	if (fifo)
 	{
-		this->ctl = ha_ctl_create(this->segments);
+		this->ctl = ha_ctl_create(this->segments, this->cache);
 	}
-	this->dispatcher = ha_dispatcher_create(this->socket, this->segments);
-	this->ike = ha_ike_create(this->socket, this->tunnel);
-	this->child = ha_child_create(this->socket, this->tunnel);
+	this->attr = ha_attribute_create(this->kernel, this->segments);
+	this->dispatcher = ha_dispatcher_create(this->socket, this->segments,
+										this->cache, this->kernel, this->attr);
+	this->ike = ha_ike_create(this->socket, this->tunnel, this->cache);
+	this->child = ha_child_create(this->socket, this->tunnel, this->segments,
+								  this->kernel);
 	charon->bus->add_listener(charon->bus, &this->segments->listener);
 	charon->bus->add_listener(charon->bus, &this->ike->listener);
 	charon->bus->add_listener(charon->bus, &this->child->listener);
+	hydra->attributes->add_provider(hydra->attributes, &this->attr->provider);
 
 	return &this->public.plugin;
 }
diff --git a/src/libcharon/plugins/ha/ha_plugin.h b/src/libcharon/plugins/ha/ha_plugin.h
index 1ae2fe6dd..d4d746f91 100644
--- a/src/libcharon/plugins/ha/ha_plugin.h
+++ b/src/libcharon/plugins/ha/ha_plugin.h
@@ -44,4 +44,4 @@ struct ha_plugin_t {
 	plugin_t plugin;
 };
 
-#endif /* HA_PLUGIN_H_ @}*/
+#endif /** HA_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/ha/ha_segments.c b/src/libcharon/plugins/ha/ha_segments.c
index 2199671fc..be2d7e428 100644
--- a/src/libcharon/plugins/ha/ha_segments.c
+++ b/src/libcharon/plugins/ha/ha_segments.c
@@ -22,8 +22,8 @@
 #include <utils/linked_list.h>
 #include <processing/jobs/callback_job.h>
 
-#define HEARTBEAT_DELAY 1000
-#define HEARTBEAT_TIMEOUT 2100
+#define DEFAULT_HEARTBEAT_DELAY 1000
+#define DEFAULT_HEARTBEAT_TIMEOUT 2100
 
 typedef struct private_ha_segments_t private_ha_segments_t;
 
@@ -81,6 +81,16 @@ struct private_ha_segments_t {
 	 * Node number
 	 */
 	u_int node;
+
+	/**
+	 * Interval we send hearbeats
+	 */
+	int heartbeat_delay;
+
+	/**
+	 * Timeout for heartbeats received from other node
+	 */
+	int heartbeat_timeout;
 };
 
 /**
@@ -168,8 +178,8 @@ static void enable_disable(private_ha_segments_t *this, u_int segment,
 			{
 				continue;
 			}
-			if (this->kernel->in_segment(this->kernel,
-									ike_sa->get_other_host(ike_sa), segment))
+			if (this->kernel->get_segment(this->kernel,
+									ike_sa->get_other_host(ike_sa)) == segment)
 			{
 				ike_sa->set_state(ike_sa, new);
 			}
@@ -183,6 +193,7 @@ static void enable_disable(private_ha_segments_t *this, u_int segment,
 		message = ha_message_create(type);
 		message->add_attribute(message, HA_SEGMENT, segment);
 		this->socket->push(this->socket, message);
+		message->destroy(message);
 	}
 }
 
@@ -209,134 +220,36 @@ static void enable_disable_all(private_ha_segments_t *this, u_int segment,
 	this->mutex->unlock(this->mutex);
 }
 
-/**
- * Implementation of ha_segments_t.activate
- */
-static void activate(private_ha_segments_t *this, u_int segment, bool notify)
+METHOD(ha_segments_t, activate, void,
+	private_ha_segments_t *this, u_int segment, bool notify)
 {
 	enable_disable_all(this, segment, TRUE, notify);
 }
 
-/**
- * Implementation of ha_segments_t.deactivate
- */
-static void deactivate(private_ha_segments_t *this, u_int segment, bool notify)
+METHOD(ha_segments_t, deactivate, void,
+	private_ha_segments_t *this, u_int segment, bool notify)
 {
 	enable_disable_all(this, segment, FALSE, notify);
 }
 
-/**
- * Rekey all children of an IKE_SA
- */
-static status_t rekey_children(ike_sa_t *ike_sa)
+METHOD(listener_t, alert_hook, bool,
+	private_ha_segments_t *this, ike_sa_t *ike_sa, alert_t alert, va_list args)
 {
-	iterator_t *iterator;
-	child_sa_t *child_sa;
-	status_t status = SUCCESS;
-
-	iterator = ike_sa->create_child_sa_iterator(ike_sa);
-	while (iterator->iterate(iterator, (void**)&child_sa))
-	{
-		DBG1(DBG_CFG, "resyncing CHILD_SA");
-		status = ike_sa->rekey_child_sa(ike_sa, child_sa->get_protocol(child_sa),
-										child_sa->get_spi(child_sa, TRUE));
-		if (status == DESTROY_ME)
-		{
-			break;
-		}
-	}
-	iterator->destroy(iterator);
-	return status;
-}
-
-/**
- * Implementation of ha_segments_t.resync
- */
-static void resync(private_ha_segments_t *this, u_int segment)
-{
-	ike_sa_t *ike_sa;
-	enumerator_t *enumerator;
-	linked_list_t *list;
-	ike_sa_id_t *id;
-
-	list = linked_list_create();
-	this->mutex->lock(this->mutex);
-
-	if (segment > 0 && segment <= this->count)
+	if (alert == ALERT_SHUTDOWN_SIGNAL)
 	{
-		DBG1(DBG_CFG, "resyncing HA segment %d", segment);
-
-		/* we do the actual rekeying in a seperate loop to avoid rekeying
-		 * an SA twice. */
-		enumerator = charon->ike_sa_manager->create_enumerator(
-													charon->ike_sa_manager);
-		while (enumerator->enumerate(enumerator, &ike_sa))
+		if (this->job)
 		{
-			if (ike_sa->get_state(ike_sa) == IKE_ESTABLISHED &&
-				this->kernel->in_segment(this->kernel,
-									ike_sa->get_other_host(ike_sa), segment))
-			{
-				id = ike_sa->get_id(ike_sa);
-				list->insert_last(list, id->clone(id));
-			}
+			DBG1(DBG_CFG, "HA heartbeat active, dropping all segments");
+			deactivate(this, 0, TRUE);
 		}
-		enumerator->destroy(enumerator);
-	}
-	this->mutex->unlock(this->mutex);
-
-	while (list->remove_last(list, (void**)&id) == SUCCESS)
-	{
-		ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager, id);
-		id->destroy(id);
-		if (ike_sa)
+		else
 		{
-			DBG1(DBG_CFG, "resyncing IKE_SA");
-			if (ike_sa->rekey(ike_sa) != DESTROY_ME)
-			{
-				if (rekey_children(ike_sa) != DESTROY_ME)
-				{
-					charon->ike_sa_manager->checkin(
-										charon->ike_sa_manager, ike_sa);
-					continue;
-				}
-			}
-			charon->ike_sa_manager->checkin_and_destroy(
-										charon->ike_sa_manager, ike_sa);
+			DBG1(DBG_CFG, "no HA heartbeat active, closing IKE_SAs");
 		}
 	}
-	list->destroy(list);
-}
-
-/**
- * Implementation of listener_t.alert
- */
-static bool alert_hook(private_ha_segments_t *this, ike_sa_t *ike_sa,
-					   alert_t alert, va_list args)
-{
-	if (alert == ALERT_SHUTDOWN_SIGNAL)
-	{
-		deactivate(this, 0, TRUE);
-	}
 	return TRUE;
 }
 
-/**
- * Request a resync of all segments
- */
-static job_requeue_t request_resync(private_ha_segments_t *this)
-{
-	ha_message_t *message;
-	int i;
-
-	message = ha_message_create(HA_RESYNC);
-	for (i = 1; i <= this->count; i++)
-	{
-		message->add_attribute(message, HA_SEGMENT, i);
-	}
-	this->socket->push(this->socket, message);
-	return JOB_REQUEUE_NONE;
-}
-
 /**
  * Monitor heartbeat activity of remote node
  */
@@ -349,7 +262,7 @@ static job_requeue_t watchdog(private_ha_segments_t *this)
 	pthread_cleanup_push((void*)this->mutex->unlock, this->mutex);
 	pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
 	timeout = this->condvar->timed_wait(this->condvar, this->mutex,
-										HEARTBEAT_TIMEOUT);
+										this->heartbeat_timeout);
 	pthread_setcancelstate(oldstate, NULL);
 	pthread_cleanup_pop(TRUE);
 	if (timeout)
@@ -373,10 +286,8 @@ static void start_watchdog(private_ha_segments_t *this)
 	charon->processor->queue_job(charon->processor, (job_t*)this->job);
 }
 
-/**
- * Implementation of ha_segments_t.handle_status
- */
-static void handle_status(private_ha_segments_t *this, segment_mask_t mask)
+METHOD(ha_segments_t, handle_status, void,
+	private_ha_segments_t *this, segment_mask_t mask)
 {
 	segment_mask_t missing;
 	int i;
@@ -431,20 +342,25 @@ static job_requeue_t send_status(private_ha_segments_t *this)
 	}
 
 	this->socket->push(this->socket, message);
+	message->destroy(message);
 
 	/* schedule next invocation */
 	charon->scheduler->schedule_job_ms(charon->scheduler, (job_t*)
 									callback_job_create((callback_job_cb_t)
 										send_status, this, NULL, NULL),
-									HEARTBEAT_DELAY);
+									this->heartbeat_delay);
 
 	return JOB_REQUEUE_NONE;
 }
 
-/**
- * Implementation of ha_segments_t.destroy.
- */
-static void destroy(private_ha_segments_t *this)
+METHOD(ha_segments_t, is_active, bool,
+	private_ha_segments_t *this, u_int segment)
+{
+	return (this->active & SEGMENTS_BIT(segment)) != 0;
+}
+
+METHOD(ha_segments_t, destroy, void,
+	private_ha_segments_t *this)
 {
 	if (this->job)
 	{
@@ -460,44 +376,40 @@ static void destroy(private_ha_segments_t *this)
  */
 ha_segments_t *ha_segments_create(ha_socket_t *socket, ha_kernel_t *kernel,
 								  ha_tunnel_t *tunnel, u_int count, u_int node,
-								  bool monitor, bool sync)
+								  bool monitor)
 {
-	private_ha_segments_t *this = malloc_thing(private_ha_segments_t);
-
-	memset(&this->public.listener, 0, sizeof(listener_t));
-	this->public.listener.alert = (bool(*)(listener_t*, ike_sa_t *, alert_t, va_list))alert_hook;
-	this->public.activate = (void(*)(ha_segments_t*, u_int segment,bool))activate;
-	this->public.deactivate = (void(*)(ha_segments_t*, u_int segment,bool))deactivate;
-	this->public.resync = (void(*)(ha_segments_t*, u_int segment))resync;
-	this->public.handle_status = (void(*)(ha_segments_t*, segment_mask_t mask))handle_status;
-	this->public.destroy = (void(*)(ha_segments_t*))destroy;
-
-	this->socket = socket;
-	this->tunnel = tunnel;
-	this->kernel = kernel;
-	this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
-	this->condvar = condvar_create(CONDVAR_TYPE_DEFAULT);
-	this->count = count;
-	this->node = node;
-	this->job = NULL;
-
-	/* initially all segments are deactivated */
-	this->active = 0;
+	private_ha_segments_t *this;
+
+	INIT(this,
+		.public = {
+			.listener.alert = _alert_hook,
+			.activate = _activate,
+			.deactivate = _deactivate,
+			.handle_status = _handle_status,
+			.is_active = _is_active,
+			.destroy = _destroy,
+		},
+		.socket = socket,
+		.tunnel = tunnel,
+		.kernel = kernel,
+		.count = count,
+		.node = node,
+		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+		.condvar = condvar_create(CONDVAR_TYPE_DEFAULT),
+		.heartbeat_delay = lib->settings->get_int(lib->settings,
+			"charon.plugins.ha.heartbeat_delay", DEFAULT_HEARTBEAT_DELAY),
+		.heartbeat_timeout = lib->settings->get_int(lib->settings,
+			"charon.plugins.ha.heartbeat_timeout", DEFAULT_HEARTBEAT_TIMEOUT),
+	);
 
 	if (monitor)
 	{
+		DBG1(DBG_CFG, "starting HA heartbeat, delay %dms, timeout %dms",
+			 this->heartbeat_delay, this->heartbeat_timeout);
 		send_status(this);
 		start_watchdog(this);
 	}
 
-	if (sync)
-	{
-		/* request a resync as soon as we are up */
-		charon->processor->queue_job(charon->processor, (job_t*)
-						callback_job_create((callback_job_cb_t)request_resync,
-											this, NULL, NULL));
-	}
-
 	return &this->public;
 }
 
diff --git a/src/libcharon/plugins/ha/ha_segments.h b/src/libcharon/plugins/ha/ha_segments.h
index 6d1cd5441..eb9e5c1d5 100644
--- a/src/libcharon/plugins/ha/ha_segments.h
+++ b/src/libcharon/plugins/ha/ha_segments.h
@@ -68,23 +68,19 @@ struct ha_segments_t {
 	void (*deactivate)(ha_segments_t *this, u_int segment, bool notify);
 
 	/**
-	 * Resync an active segment.
-	 *
-	 * To reintegrade a node into the cluster, resynchronization is reqired.
-	 * IKE_SAs and CHILD_SAs are synced automatically during rekeying. A call
-	 * to this method enforces a rekeying immediately sync all state of a
-	 * segment.
+	 * Handle a status message from the remote node.
 	 *
-	 * @param segment	segment to resync
+	 * @param mask		segments the remote node is serving actively
 	 */
-	void (*resync)(ha_segments_t *this, u_int segment);
+	void (*handle_status)(ha_segments_t *this, segment_mask_t mask);
 
 	/**
-	 * Handle a status message from the remote node.
+	 * Check if a given segment is currently active.
 	 *
-	 * @param mask		segments the remote node is serving actively
+	 * @param segment	segment to check
+	 * @return			TRUE if segment active
 	 */
-	void (*handle_status)(ha_segments_t *this, segment_mask_t mask);
+	bool (*is_active)(ha_segments_t *this, u_int segment);
 
 	/**
 	 * Destroy a ha_segments_t.
@@ -101,11 +97,10 @@ struct ha_segments_t {
  * @param count			number of segments the cluster uses
  * @param node			node, currently 1 or 0
  * @param monitor		should we use monitoring functionality
- * @param resync		request a complete resync on startup
  * @return				segment object
  */
 ha_segments_t *ha_segments_create(ha_socket_t *socket, ha_kernel_t *kernel,
 								  ha_tunnel_t *tunnel, u_int count, u_int node,
-								  bool monitor, bool resync);
+								  bool monitor);
 
-#endif /* HA_SEGMENTS_ @}*/
+#endif /** HA_SEGMENTS_ @}*/
diff --git a/src/libcharon/plugins/ha/ha_socket.c b/src/libcharon/plugins/ha/ha_socket.c
index b84b02868..21e6eb6d5 100644
--- a/src/libcharon/plugins/ha/ha_socket.c
+++ b/src/libcharon/plugins/ha/ha_socket.c
@@ -58,8 +58,8 @@ struct private_ha_socket_t {
  * Data to pass to the send_message() callback job
  */
 typedef struct {
-	ha_message_t *message;
-	private_ha_socket_t *this;
+	chunk_t chunk;
+	int fd;
 } job_data_t;
 
 /**
@@ -67,7 +67,7 @@ typedef struct {
  */
 static void job_data_destroy(job_data_t *this)
 {
-	this->message->destroy(this->message);
+	free(this->chunk.ptr);
 	free(this);
 }
 
@@ -76,22 +76,15 @@ static void job_data_destroy(job_data_t *this)
  */
 static job_requeue_t send_message(job_data_t *data)
 {
-	private_ha_socket_t *this;
-	chunk_t chunk;
-
-	this = data->this;
-	chunk = data->message->get_encoding(data->message);
-	if (send(this->fd, chunk.ptr, chunk.len, 0) < chunk.len)
+	if (send(data->fd, data->chunk.ptr, data->chunk.len, 0) < data->chunk.len)
 	{
 		DBG1(DBG_CFG, "pushing HA message failed: %s", strerror(errno));
 	}
 	return JOB_REQUEUE_NONE;
 }
 
-/**
- * Implementation of ha_socket_t.push
- */
-static void push(private_ha_socket_t *this, ha_message_t *message)
+METHOD(ha_socket_t, push, void,
+	private_ha_socket_t *this, ha_message_t *message)
 {
 	chunk_t chunk;
 
@@ -107,9 +100,10 @@ static void push(private_ha_socket_t *this, ha_message_t *message)
 			/* Fallback to asynchronous transmission. This is required, as sendto()
 			 * is a blocking call if it acquires a policy. We could end up in a
 			 * deadlock, as we own an IKE_SA. */
-			data = malloc_thing(job_data_t);
-			data->message = message;
-			data->this = this;
+			INIT(data,
+				.chunk = chunk_clone(chunk),
+				.fd = this->fd,
+			);
 
 			job = callback_job_create((callback_job_cb_t)send_message,
 									  data, (void*)job_data_destroy, NULL);
@@ -118,13 +112,10 @@ static void push(private_ha_socket_t *this, ha_message_t *message)
 		}
 		DBG1(DBG_CFG, "pushing HA message failed: %s", strerror(errno));
 	}
-	message->destroy(message);
 }
 
-/**
- * Implementation of ha_socket_t.pull
- */
-static ha_message_t *pull(private_ha_socket_t *this)
+METHOD(ha_socket_t, pull, ha_message_t*,
+	private_ha_socket_t *this)
 {
 	while (TRUE)
 	{
@@ -189,10 +180,8 @@ static bool open_socket(private_ha_socket_t *this)
 	return TRUE;
 }
 
-/**
- * Implementation of ha_socket_t.destroy.
- */
-static void destroy(private_ha_socket_t *this)
+METHOD(ha_socket_t, destroy, void,
+	private_ha_socket_t *this)
 {
 	if (this->fd != -1)
 	{
@@ -208,15 +197,18 @@ static void destroy(private_ha_socket_t *this)
  */
 ha_socket_t *ha_socket_create(char *local, char *remote)
 {
-	private_ha_socket_t *this = malloc_thing(private_ha_socket_t);
-
-	this->public.push = (void(*)(ha_socket_t*, ha_message_t*))push;
-	this->public.pull = (ha_message_t*(*)(ha_socket_t*))pull;
-	this->public.destroy = (void(*)(ha_socket_t*))destroy;
+	private_ha_socket_t *this;
 
-	this->local = host_create_from_dns(local, 0, HA_PORT);
-	this->remote = host_create_from_dns(remote, 0, HA_PORT);
-	this->fd = -1;
+	INIT(this,
+		.public = {
+			.push = _push,
+			.pull = _pull,
+			.destroy = _destroy,
+		},
+		.local = host_create_from_dns(local, 0, HA_PORT),
+		.remote = host_create_from_dns(remote, 0, HA_PORT),
+		.fd = -1,
+	);
 
 	if (!this->local || !this->remote)
 	{
diff --git a/src/libcharon/plugins/ha/ha_socket.h b/src/libcharon/plugins/ha/ha_socket.h
index 8d398e22b..a4789a51d 100644
--- a/src/libcharon/plugins/ha/ha_socket.h
+++ b/src/libcharon/plugins/ha/ha_socket.h
@@ -35,7 +35,7 @@ struct ha_socket_t {
 	/**
 	 * Push synchronization information to the responsible node.
 	 *
-	 * @param message	message to send, gets destroyed by push()
+	 * @param message	message to send
 	 */
 	void (*push)(ha_socket_t *this, ha_message_t *message);
 
@@ -57,4 +57,4 @@ struct ha_socket_t {
  */
 ha_socket_t *ha_socket_create(char *local, char *remote);
 
-#endif /* HA_SOCKET_ @}*/
+#endif /** HA_SOCKET_ @}*/
diff --git a/src/libcharon/plugins/ha/ha_tunnel.c b/src/libcharon/plugins/ha/ha_tunnel.c
index b3511e5f0..fef84a430 100644
--- a/src/libcharon/plugins/ha/ha_tunnel.c
+++ b/src/libcharon/plugins/ha/ha_tunnel.c
@@ -92,10 +92,8 @@ struct private_ha_tunnel_t {
 	ha_creds_t creds;
 };
 
-/**
- * Implementation of ha_tunnel_t.is_sa
- */
-static bool is_sa(private_ha_tunnel_t *this, ike_sa_t *ike_sa)
+METHOD(ha_tunnel_t, is_sa, bool,
+	private_ha_tunnel_t *this, ike_sa_t *ike_sa)
 {
 	peer_cfg_t *cfg = this->backend.cfg;
 
@@ -112,11 +110,8 @@ typedef struct {
 	shared_key_t *key;
 } shared_enum_t;
 
-/**
- * Implementation of shared_enum_t.enumerate
- */
-static bool shared_enumerate(shared_enum_t *this, shared_key_t **key,
-							 id_match_t *me, id_match_t *other)
+METHOD(enumerator_t, shared_enumerate, bool,
+	shared_enum_t *this, shared_key_t **key, id_match_t *me, id_match_t *other)
 {
 	if (this->key)
 	{
@@ -135,12 +130,9 @@ static bool shared_enumerate(shared_enum_t *this, shared_key_t **key,
 	return FALSE;
 }
 
-/**
- * Implements ha_creds_t.create_shared_enumerator
- */
-static enumerator_t* create_shared_enumerator(ha_creds_t *this,
-							shared_key_type_t type, identification_t *me,
-							identification_t *other)
+METHOD(ha_creds_t, create_shared_enumerator, enumerator_t*,
+	ha_creds_t *this, shared_key_type_t type,
+	identification_t *me, identification_t *other)
 {
 	shared_enum_t *enumerator;
 
@@ -157,28 +149,25 @@ static enumerator_t* create_shared_enumerator(ha_creds_t *this,
 		return NULL;
 	}
 
-	enumerator = malloc_thing(shared_enum_t);
-	enumerator->public.enumerate = (void*)shared_enumerate;
-	enumerator->public.destroy = (void*)free;
-	enumerator->key = this->key;
+	INIT(enumerator,
+		.public = {
+			.enumerate = (void*)_shared_enumerate,
+			.destroy = (void*)free,
+		},
+		.key = this->key,
+	);
 
 	return &enumerator->public;
 }
 
-/**
- * Implementation of backend_t.create_peer_cfg_enumerator.
- */
-static enumerator_t* create_peer_cfg_enumerator(ha_backend_t *this,
-								identification_t *me, identification_t *other)
+METHOD(backend_t, create_peer_cfg_enumerator, enumerator_t*,
+	ha_backend_t *this, identification_t *me, identification_t *other)
 {
 	return enumerator_create_single(this->cfg, NULL);
 }
 
-/**
- * Implementation of backend_t.create_ike_cfg_enumerator.
- */
-static enumerator_t* create_ike_cfg_enumerator(ha_backend_t *this,
-											   host_t *me, host_t *other)
+METHOD(backend_t, create_ike_cfg_enumerator, enumerator_t*,
+	ha_backend_t *this, host_t *me, host_t *other)
 {
 	return enumerator_create_single(this->cfg->get_ike_cfg(this->cfg), NULL);
 }
@@ -207,11 +196,11 @@ static void setup_tunnel(private_ha_tunnel_t *this,
 							chunk_clone(chunk_create(secret, strlen(secret))));
 	this->creds.public.create_private_enumerator = (void*)return_null;
 	this->creds.public.create_cert_enumerator = (void*)return_null;
-	this->creds.public.create_shared_enumerator = (void*)create_shared_enumerator;
+	this->creds.public.create_shared_enumerator = (void*)_create_shared_enumerator;
 	this->creds.public.create_cdp_enumerator = (void*)return_null;
 	this->creds.public.cache_cert = (void*)nop;
 
-	charon->credentials->add_set(charon->credentials, &this->creds.public);
+	lib->credmgr->add_set(lib->credmgr, &this->creds.public);
 
 	/* create config and backend */
 	ike_cfg = ike_cfg_create(FALSE, FALSE, local, IKEV2_UDP_PORT,
@@ -233,8 +222,9 @@ static void setup_tunnel(private_ha_tunnel_t *this,
 				  identification_create_from_string(remote));
 	peer_cfg->add_auth_cfg(peer_cfg, auth_cfg, FALSE);
 
-	child_cfg = child_cfg_create("ha", &lifetime, NULL, TRUE,
-						MODE_TRANSPORT, ACTION_NONE, ACTION_NONE, FALSE, 0);
+	child_cfg = child_cfg_create("ha", &lifetime, NULL, TRUE, MODE_TRANSPORT,
+					 			 ACTION_NONE, ACTION_NONE, FALSE, 0, 0,
+								 NULL, NULL);
 	ts = traffic_selector_create_dynamic(IPPROTO_UDP, HA_PORT, HA_PORT);
 	child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
 	ts = traffic_selector_create_dynamic(IPPROTO_ICMP, 0, 65535);
@@ -247,8 +237,8 @@ static void setup_tunnel(private_ha_tunnel_t *this,
 	peer_cfg->add_child_cfg(peer_cfg, child_cfg);
 
 	this->backend.cfg = peer_cfg;
-	this->backend.public.create_peer_cfg_enumerator = (void*)create_peer_cfg_enumerator;
-	this->backend.public.create_ike_cfg_enumerator = (void*)create_ike_cfg_enumerator;
+	this->backend.public.create_peer_cfg_enumerator = (void*)_create_peer_cfg_enumerator;
+	this->backend.public.create_ike_cfg_enumerator = (void*)_create_ike_cfg_enumerator;
 	this->backend.public.get_peer_cfg_by_name = (void*)return_null;
 
 	charon->backends->add_backend(charon->backends, &this->backend.public);
@@ -257,10 +247,8 @@ static void setup_tunnel(private_ha_tunnel_t *this,
 	this->trap = charon->traps->install(charon->traps, peer_cfg, child_cfg);
 }
 
-/**
- * Implementation of ha_tunnel_t.destroy.
- */
-static void destroy(private_ha_tunnel_t *this)
+METHOD(ha_tunnel_t, destroy, void,
+	private_ha_tunnel_t *this)
 {
 	if (this->backend.cfg)
 	{
@@ -269,7 +257,7 @@ static void destroy(private_ha_tunnel_t *this)
 	}
 	if (this->creds.key)
 	{
-		charon->credentials->remove_set(charon->credentials, &this->creds.public);
+		lib->credmgr->remove_set(lib->credmgr, &this->creds.public);
 		this->creds.key->destroy(this->creds.key);
 	}
 	this->creds.local->destroy(this->creds.local);
@@ -286,10 +274,14 @@ static void destroy(private_ha_tunnel_t *this)
  */
 ha_tunnel_t *ha_tunnel_create(char *local, char *remote, char *secret)
 {
-	private_ha_tunnel_t *this = malloc_thing(private_ha_tunnel_t);
+	private_ha_tunnel_t *this;
 
-	this->public.is_sa = (bool(*)(ha_tunnel_t*, ike_sa_t *ike_sa))is_sa;
-	this->public.destroy = (void(*)(ha_tunnel_t*))destroy;
+	INIT(this,
+		.public = {
+			.is_sa = _is_sa,
+			.destroy = _destroy,
+		},
+	);
 
 	setup_tunnel(this, local, remote, secret);
 
diff --git a/src/libcharon/plugins/ha/ha_tunnel.h b/src/libcharon/plugins/ha/ha_tunnel.h
index 085fb6122..549e33055 100644
--- a/src/libcharon/plugins/ha/ha_tunnel.h
+++ b/src/libcharon/plugins/ha/ha_tunnel.h
@@ -54,4 +54,4 @@ struct ha_tunnel_t {
  */
 ha_tunnel_t *ha_tunnel_create(char *local, char *remote, char *secret);
 
-#endif /* HA_TUNNEL_H_ @}*/
+#endif /** HA_TUNNEL_H_ @}*/
diff --git a/src/libcharon/plugins/kernel_klips/Makefile.in b/src/libcharon/plugins/kernel_klips/Makefile.in
index f0d112a0f..9cac89ec3 100644
--- a/src/libcharon/plugins/kernel_klips/Makefile.in
+++ b/src/libcharon/plugins/kernel_klips/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
diff --git a/src/libcharon/plugins/kernel_klips/kernel_klips_ipsec.c b/src/libcharon/plugins/kernel_klips/kernel_klips_ipsec.c
index 01df4f71a..6b5aeb342 100644
--- a/src/libcharon/plugins/kernel_klips/kernel_klips_ipsec.c
+++ b/src/libcharon/plugins/kernel_klips/kernel_klips_ipsec.c
@@ -1690,10 +1690,11 @@ static status_t group_ipip_sa(private_kernel_klips_ipsec_t *this,
 
 METHOD(kernel_ipsec_t, add_sa, status_t,
 	private_kernel_klips_ipsec_t *this, host_t *src, host_t *dst, u_int32_t spi,
-	protocol_id_t protocol, u_int32_t reqid, lifetime_cfg_t *lifetime,
-	u_int16_t enc_alg, chunk_t enc_key, u_int16_t int_alg, chunk_t int_key,
-	ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi, bool encap,
-	bool inbound, traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
+	protocol_id_t protocol, u_int32_t reqid, mark_t mark,
+	lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
+	u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode,
+	u_int16_t ipcomp, u_int16_t cpi, bool encap, bool inbound,
+	traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
 {
 	unsigned char request[PFKEY_BUFFER_SIZE];
 	struct sadb_msg *msg, *out;
@@ -1849,7 +1850,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 METHOD(kernel_ipsec_t, update_sa, status_t,
 	private_kernel_klips_ipsec_t *this, u_int32_t spi, protocol_id_t protocol,
 	u_int16_t cpi, host_t *src, host_t *dst, host_t *new_src, host_t *new_dst,
-	bool encap, bool new_encap)
+	bool encap, bool new_encap, mark_t mark)
 {
 	unsigned char request[PFKEY_BUFFER_SIZE];
 	struct sadb_msg *msg, *out;
@@ -1920,14 +1921,14 @@ METHOD(kernel_ipsec_t, update_sa, status_t,
 
 METHOD(kernel_ipsec_t, query_sa, status_t,
 	private_kernel_klips_ipsec_t *this, host_t *src, host_t *dst,
-	u_int32_t spi, protocol_id_t protocol, u_int64_t *bytes)
+	u_int32_t spi, protocol_id_t protocol, mark_t mark, u_int64_t *bytes)
 {
 	return NOT_SUPPORTED;  /* TODO */
 }
 
 METHOD(kernel_ipsec_t, del_sa, status_t,
 	private_kernel_klips_ipsec_t *this, host_t *src, host_t *dst,
-	u_int32_t spi, protocol_id_t protocol, u_int16_t cpi)
+	u_int32_t spi, protocol_id_t protocol, u_int16_t cpi, mark_t mark)
 {
 	unsigned char request[PFKEY_BUFFER_SIZE];
 	struct sadb_msg *msg, *out;
@@ -1992,8 +1993,8 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
 	private_kernel_klips_ipsec_t *this, host_t *src, host_t *dst,
 	traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
 	policy_dir_t direction, u_int32_t spi, protocol_id_t protocol,
-	u_int32_t reqid, ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
-	bool routed)
+	u_int32_t reqid, mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp,
+	u_int16_t cpi, bool routed)
 {
 	unsigned char request[PFKEY_BUFFER_SIZE];
 	struct sadb_msg *msg, *out;
@@ -2210,7 +2211,8 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
 
 METHOD(kernel_ipsec_t, query_policy, status_t,
 	private_kernel_klips_ipsec_t *this, traffic_selector_t *src_ts,
-	traffic_selector_t *dst_ts, policy_dir_t direction, u_int32_t *use_time)
+	traffic_selector_t *dst_ts, policy_dir_t direction, mark_t mark,
+	u_int32_t *use_time)
 {
 	#define IDLE_PREFIX "idle="
 	static const char *path_eroute = "/proc/net/ipsec_eroute";
@@ -2365,7 +2367,8 @@ METHOD(kernel_ipsec_t, query_policy, status_t,
 
 METHOD(kernel_ipsec_t, del_policy, status_t,
 	private_kernel_klips_ipsec_t *this, traffic_selector_t *src_ts,
-	traffic_selector_t *dst_ts, policy_dir_t direction, bool unrouted)
+	traffic_selector_t *dst_ts, policy_dir_t direction, mark_t mark,
+	bool unrouted)
 {
 	unsigned char request[PFKEY_BUFFER_SIZE];
 	struct sadb_msg *msg = (struct sadb_msg*)request, *out;
@@ -2574,7 +2577,7 @@ METHOD(kernel_ipsec_t, destroy, void,
 	{
 		close(this->socket);
 	}
-	if (this->socket_evnets > 0)
+	if (this->socket_events > 0)
 	{
 		close(this->socket_events);
 	}
diff --git a/src/libcharon/plugins/kernel_netlink/Makefile.in b/src/libcharon/plugins/kernel_netlink/Makefile.in
index 8c9965467..49cc895bc 100644
--- a/src/libcharon/plugins/kernel_netlink/Makefile.in
+++ b/src/libcharon/plugins/kernel_netlink/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
index 1b8c1b879..019ec93f8 100644
--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -280,6 +280,9 @@ struct policy_entry_t {
 	/** parameters of installed policy */
 	struct xfrm_selector sel;
 
+	/** optional mark */
+	u_int32_t mark;
+
 	/** associated route installed for this policy */
 	route_entry_t *route;
 
@@ -292,7 +295,8 @@ struct policy_entry_t {
  */
 static u_int policy_hash(policy_entry_t *key)
 {
-	chunk_t chunk = chunk_create((void*)&key->sel, sizeof(struct xfrm_selector));
+	chunk_t chunk = chunk_create((void*)&key->sel,
+						 	sizeof(struct xfrm_selector) + sizeof(u_int32_t));
 	return chunk_hash(chunk);
 }
 
@@ -301,7 +305,8 @@ static u_int policy_hash(policy_entry_t *key)
  */
 static bool policy_equals(policy_entry_t *key, policy_entry_t *other_key)
 {
-	return memeq(&key->sel, &other_key->sel, sizeof(struct xfrm_selector)) &&
+	return memeq(&key->sel, &other_key->sel, 
+				 sizeof(struct xfrm_selector) + sizeof(u_int32_t)) &&
 		   key->direction == other_key->direction;
 }
 
@@ -917,11 +922,11 @@ METHOD(kernel_ipsec_t, get_cpi, status_t,
 
 METHOD(kernel_ipsec_t, add_sa, status_t,
 	private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
-	u_int32_t spi, protocol_id_t protocol, u_int32_t reqid,
+	u_int32_t spi, protocol_id_t protocol, u_int32_t reqid, mark_t mark,
 	lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
-	u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp,
-	u_int16_t cpi, bool encap, bool inbound, traffic_selector_t* src_ts,
-	traffic_selector_t* dst_ts)
+	u_int16_t int_alg, chunk_t int_key,	ipsec_mode_t mode, u_int16_t ipcomp,
+	u_int16_t cpi, bool encap, bool inbound,
+	traffic_selector_t* src_ts, traffic_selector_t* dst_ts)
 {
 	netlink_buf_t request;
 	char *alg_name;
@@ -934,8 +939,8 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 	if (ipcomp != IPCOMP_NONE && cpi != 0)
 	{
 		lifetime_cfg_t lft = {{0,0,0},{0,0,0},{0,0,0}};
-		add_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, reqid, &lft,
-			   ENCR_UNDEFINED, chunk_empty, AUTH_UNDEFINED, chunk_empty,
+		add_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, reqid, mark,
+			   &lft, ENCR_UNDEFINED, chunk_empty, AUTH_UNDEFINED, chunk_empty,
 			   mode, ipcomp, 0, FALSE, inbound, NULL, NULL);
 		ipcomp = IPCOMP_NONE;
 		/* use transport mode ESP SA, IPComp uses tunnel mode */
@@ -944,9 +949,16 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 
 	memset(&request, 0, sizeof(request));
 
-	DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%u}",
-		 ntohl(spi), reqid);
-
+	if (mark.value)
+	{
+		DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%u}  "
+					  "(mark %u/0x%8x)", ntohl(spi), reqid, mark.value, mark.mask);
+	}
+	else
+	{
+		DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%u}",
+					   ntohl(spi), reqid);
+	}
 	hdr = (struct nlmsghdr*)request;
 	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
 	hdr->nlmsg_type = inbound ? XFRM_MSG_UPDSA : XFRM_MSG_NEWSA;
@@ -1151,6 +1163,8 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 
 	if (encap)
 	{
+		struct xfrm_encap_tmpl *tmpl;
+
 		rthdr->rta_type = XFRMA_ENCAP;
 		rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_encap_tmpl));
 
@@ -1160,7 +1174,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 			return FAILED;
 		}
 
-		struct xfrm_encap_tmpl* tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rthdr);
+		tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rthdr);
 		tmpl->encap_type = UDP_ENCAP_ESPINUDP;
 		tmpl->encap_sport = htons(src->get_port(src));
 		tmpl->encap_dport = htons(dst->get_port(dst));
@@ -1177,9 +1191,36 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 		rthdr = XFRM_RTA_NEXT(rthdr);
 	}
 
+	if (mark.value)
+	{
+		struct xfrm_mark *mrk;
+
+		rthdr->rta_type = XFRMA_MARK;
+		rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_mark));
+
+		hdr->nlmsg_len += rthdr->rta_len;
+		if (hdr->nlmsg_len > sizeof(request))
+		{
+			return FAILED;
+		}
+
+		mrk = (struct xfrm_mark*)RTA_DATA(rthdr);
+		mrk->v = mark.value;
+		mrk->m = mark.mask;
+		rthdr = XFRM_RTA_NEXT(rthdr);
+	}
+
 	if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
 	{
-		DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x", ntohl(spi));
+		if (mark.value)
+		{
+			DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x  "
+						  "(mark %u/0x%8x)", ntohl(spi), mark.value, mark.mask);
+		}
+		else
+		{
+			DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x", ntohl(spi));
+		}
 		return FAILED;
 	}
 	return SUCCESS;
@@ -1275,7 +1316,7 @@ static status_t get_replay_state(private_kernel_netlink_ipsec_t *this,
 
 METHOD(kernel_ipsec_t, query_sa, status_t,
 	private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
-	u_int32_t spi, protocol_id_t protocol, u_int64_t *bytes)
+	u_int32_t spi, protocol_id_t protocol, mark_t mark, u_int64_t *bytes)
 {
 	netlink_buf_t request;
 	struct nlmsghdr *out = NULL, *hdr;
@@ -1285,8 +1326,15 @@ METHOD(kernel_ipsec_t, query_sa, status_t,
 
 	memset(&request, 0, sizeof(request));
 
-	DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi));
-
+	if (mark.value)
+	{
+		DBG2(DBG_KNL, "querying SAD entry with SPI %.8x  (mark %u/0x%8x)",
+					   ntohl(spi), mark.value, mark.mask);
+	}
+	else
+	{
+		DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi));
+	}
 	hdr = (struct nlmsghdr*)request;
 	hdr->nlmsg_flags = NLM_F_REQUEST;
 	hdr->nlmsg_type = XFRM_MSG_GETSA;
@@ -1298,6 +1346,24 @@ METHOD(kernel_ipsec_t, query_sa, status_t,
 	sa_id->proto = proto_ike2kernel(protocol);
 	sa_id->family = dst->get_family(dst);
 
+	if (mark.value)
+	{
+		struct xfrm_mark *mrk;
+		struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_usersa_id);
+
+		rthdr->rta_type = XFRMA_MARK;
+		rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_mark));
+		hdr->nlmsg_len += rthdr->rta_len;
+		if (hdr->nlmsg_len > sizeof(request))
+		{
+			return FAILED;
+		}
+
+		mrk = (struct xfrm_mark*)RTA_DATA(rthdr);
+		mrk->v = mark.value;
+		mrk->m = mark.mask;
+	}
+
 	if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
 	{
 		hdr = out;
@@ -1313,8 +1379,20 @@ METHOD(kernel_ipsec_t, query_sa, status_t,
 				case NLMSG_ERROR:
 				{
 					struct nlmsgerr *err = NLMSG_DATA(hdr);
-					DBG1(DBG_KNL, "querying SAD entry with SPI %.8x failed: %s (%d)",
-						 ntohl(spi), strerror(-err->error), -err->error);
+					
+					if (mark.value)
+					{
+						DBG1(DBG_KNL, "querying SAD entry with SPI %.8x  "
+									  "(mark %u/0x%8x) failed: %s (%d)",
+									   ntohl(spi), mark.value, mark.mask,
+									   strerror(-err->error), -err->error);
+					}
+					else
+					{
+						DBG1(DBG_KNL, "querying SAD entry with SPI %.8x "
+									  "failed: %s (%d)", ntohl(spi),
+									   strerror(-err->error), -err->error);
+					}
 					break;
 				}
 				default:
@@ -1341,7 +1419,7 @@ METHOD(kernel_ipsec_t, query_sa, status_t,
 
 METHOD(kernel_ipsec_t, del_sa, status_t,
 	private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
-	u_int32_t spi, protocol_id_t protocol, u_int16_t cpi)
+	u_int32_t spi, protocol_id_t protocol, u_int16_t cpi, mark_t mark)
 {
 	netlink_buf_t request;
 	struct nlmsghdr *hdr;
@@ -1350,13 +1428,20 @@ METHOD(kernel_ipsec_t, del_sa, status_t,
 	/* if IPComp was used, we first delete the additional IPComp SA */
 	if (cpi)
 	{
-		del_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, 0);
+		del_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, 0, mark);
 	}
 
 	memset(&request, 0, sizeof(request));
 
-	DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x", ntohl(spi));
-
+	if (mark.value)
+	{
+		DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x  (mark %u/0x%8x)",
+					   ntohl(spi), mark.value, mark.mask);
+	}
+	else
+	{
+		DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x", ntohl(spi));
+	}
 	hdr = (struct nlmsghdr*)request;
 	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
 	hdr->nlmsg_type = XFRM_MSG_DELSA;
@@ -1368,19 +1453,53 @@ METHOD(kernel_ipsec_t, del_sa, status_t,
 	sa_id->proto = proto_ike2kernel(protocol);
 	sa_id->family = dst->get_family(dst);
 
+	if (mark.value)
+	{
+		struct xfrm_mark *mrk;
+		struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_usersa_id);
+
+		rthdr->rta_type = XFRMA_MARK;
+		rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_mark));
+		hdr->nlmsg_len += rthdr->rta_len;
+		if (hdr->nlmsg_len > sizeof(request))
+		{
+			return FAILED;
+		}
+
+		mrk = (struct xfrm_mark*)RTA_DATA(rthdr);
+		mrk->v = mark.value;
+		mrk->m = mark.mask;
+	}
+
 	if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
 	{
-		DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x", ntohl(spi));
+		if (mark.value)
+		{
+			DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x  "
+						  "(mark %u/0x%8x)", ntohl(spi), mark.value, mark.mask);
+		}
+		else
+		{
+			DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x", ntohl(spi));
+		}
 		return FAILED;
 	}
-	DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x", ntohl(spi));
+	if (mark.value)
+	{
+		DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x  (mark %u/0x%8x)",
+					   ntohl(spi), mark.value, mark.mask);
+	}
+	else
+	{
+		DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x", ntohl(spi));
+	}
 	return SUCCESS;
 }
 
 METHOD(kernel_ipsec_t, update_sa, status_t,
 	private_kernel_netlink_ipsec_t *this, u_int32_t spi, protocol_id_t protocol,
 	u_int16_t cpi, host_t *src, host_t *dst, host_t *new_src, host_t *new_dst,
-	bool old_encap, bool new_encap)
+	bool old_encap, bool new_encap, mark_t mark)
 {
 	netlink_buf_t request;
 	u_char *pos;
@@ -1398,7 +1517,7 @@ METHOD(kernel_ipsec_t, update_sa, status_t,
 	if (cpi)
 	{
 		update_sa(this, htonl(ntohs(cpi)), IPPROTO_COMP, 0,
-				  src, dst, new_src, new_dst, FALSE, FALSE);
+				  src, dst, new_src, new_dst, FALSE, FALSE, mark);
 	}
 
 	memset(&request, 0, sizeof(request));
@@ -1459,7 +1578,7 @@ METHOD(kernel_ipsec_t, update_sa, status_t,
 	}
 
 	/* delete the old SA (without affecting the IPComp SA) */
-	if (del_sa(this, src, dst, spi, protocol, 0) != SUCCESS)
+	if (del_sa(this, src, dst, spi, protocol, 0, mark) != SUCCESS)
 	{
 		DBG1(DBG_KNL, "unable to delete old SAD entry with SPI %.8x", ntohl(spi));
 		free(out);
@@ -1558,8 +1677,8 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
 	private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
 	traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
 	policy_dir_t direction, u_int32_t spi, protocol_id_t protocol,
-	u_int32_t reqid, ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
-	bool routed)
+	u_int32_t reqid, mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp,
+	u_int16_t cpi,	bool routed)
 {
 	policy_entry_t *current, *policy;
 	bool found = FALSE;
@@ -1571,6 +1690,7 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
 	policy = malloc_thing(policy_entry_t);
 	memset(policy, 0, sizeof(policy_entry_t));
 	policy->sel = ts2selector(src_ts, dst_ts);
+	policy->mark = mark.value & mark.mask;
 	policy->direction = direction;
 
 	/* find the policy, which matches EXACTLY */
@@ -1580,9 +1700,19 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
 	{
 		/* use existing policy */
 		current->refcount++;
-		DBG2(DBG_KNL, "policy %R === %R %N already exists, increasing "
-					  "refcount", src_ts, dst_ts,
-					   policy_dir_names, direction);
+		if (mark.value)
+		{
+			DBG2(DBG_KNL, "policy %R === %R %N  (mark %u/0x%8x) "
+						  "already exists, increasing refcount",
+						   src_ts, dst_ts, policy_dir_names, direction,
+					  	   mark.value, mark.mask);
+		}
+		else
+		{
+			DBG2(DBG_KNL, "policy %R === %R %N "
+						  "already exists, increasing refcount",
+						   src_ts, dst_ts, policy_dir_names, direction);
+		}
 		free(policy);
 		policy = current;
 		found = TRUE;
@@ -1593,8 +1723,17 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
 		policy->refcount = 1;
 	}
 
-	DBG2(DBG_KNL, "adding policy %R === %R %N", src_ts, dst_ts,
-				   policy_dir_names, direction);
+	if (mark.value)
+	{
+		DBG2(DBG_KNL, "adding policy %R === %R %N  (mark %u/0x%8x)",
+					   src_ts, dst_ts, policy_dir_names, direction,
+					   mark.value, mark.mask);
+	}
+	else
+	{
+		DBG2(DBG_KNL, "adding policy %R === %R %N",
+					   src_ts, dst_ts, policy_dir_names, direction);
+	}
 
 	memset(&request, 0, sizeof(request));
 	hdr = (struct nlmsghdr*)request;
@@ -1673,6 +1812,25 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
 	tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
 	tmpl->mode = mode2kernel(mode);
 	tmpl->family = src->get_family(src);
+	rthdr = XFRM_RTA_NEXT(rthdr);
+
+	if (mark.value)
+	{
+		struct xfrm_mark *mrk;
+
+		rthdr->rta_type = XFRMA_MARK;
+		rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_mark));
+
+		hdr->nlmsg_len += rthdr->rta_len;
+		if (hdr->nlmsg_len > sizeof(request))
+		{
+			return FAILED;
+		}
+
+		mrk = (struct xfrm_mark*)RTA_DATA(rthdr);
+		mrk->v = mark.value;
+		mrk->m = mark.mask;
+	}
 
 	if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
 	{
@@ -1741,7 +1899,8 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
 
 METHOD(kernel_ipsec_t, query_policy, status_t,
 	private_kernel_netlink_ipsec_t *this, traffic_selector_t *src_ts,
-	traffic_selector_t *dst_ts, policy_dir_t direction, u_int32_t *use_time)
+	traffic_selector_t *dst_ts, policy_dir_t direction, mark_t mark,
+	u_int32_t *use_time)
 {
 	netlink_buf_t request;
 	struct nlmsghdr *out = NULL, *hdr;
@@ -1751,9 +1910,17 @@ METHOD(kernel_ipsec_t, query_policy, status_t,
 
 	memset(&request, 0, sizeof(request));
 
-	DBG2(DBG_KNL, "querying policy %R === %R %N", src_ts, dst_ts,
-				   policy_dir_names, direction);
-
+	if (mark.value)
+	{
+		DBG2(DBG_KNL, "querying policy %R === %R %N  (mark %u/0x%8x)",
+					   src_ts, dst_ts, policy_dir_names, direction,
+					   mark.value, mark.mask);
+	}
+	else
+	{
+		DBG2(DBG_KNL, "querying policy %R === %R %N", src_ts, dst_ts,
+					   policy_dir_names, direction);
+	}
 	hdr = (struct nlmsghdr*)request;
 	hdr->nlmsg_flags = NLM_F_REQUEST;
 	hdr->nlmsg_type = XFRM_MSG_GETPOLICY;
@@ -1763,6 +1930,25 @@ METHOD(kernel_ipsec_t, query_policy, status_t,
 	policy_id->sel = ts2selector(src_ts, dst_ts);
 	policy_id->dir = direction;
 
+	if (mark.value)
+	{
+		struct xfrm_mark *mrk;
+		struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_userpolicy_id);
+
+		rthdr->rta_type = XFRMA_MARK;
+		rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_mark));
+
+		hdr->nlmsg_len += rthdr->rta_len;
+		if (hdr->nlmsg_len > sizeof(request))
+		{
+			return FAILED;
+		}
+
+		mrk = (struct xfrm_mark*)RTA_DATA(rthdr);
+		mrk->v = mark.value;
+		mrk->m = mark.mask;
+	}
+
 	if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
 	{
 		hdr = out;
@@ -1816,7 +2002,8 @@ METHOD(kernel_ipsec_t, query_policy, status_t,
 
 METHOD(kernel_ipsec_t, del_policy, status_t,
 	private_kernel_netlink_ipsec_t *this, traffic_selector_t *src_ts,
-	traffic_selector_t *dst_ts, policy_dir_t direction, bool unrouted)
+	traffic_selector_t *dst_ts, policy_dir_t direction,	mark_t mark,
+	bool unrouted)
 {
 	policy_entry_t *current, policy, *to_delete = NULL;
 	route_entry_t *route;
@@ -1824,12 +2011,22 @@ METHOD(kernel_ipsec_t, del_policy, status_t,
 	struct nlmsghdr *hdr;
 	struct xfrm_userpolicy_id *policy_id;
 
-	DBG2(DBG_KNL, "deleting policy %R === %R %N", src_ts, dst_ts,
-				   policy_dir_names, direction);
+	if (mark.value)
+	{
+		DBG2(DBG_KNL, "deleting policy %R === %R %N  (mark %u/0x%8x)",
+					   src_ts, dst_ts, policy_dir_names, direction,
+					   mark.value, mark.mask);
+	}
+	else
+	{
+		DBG2(DBG_KNL, "deleting policy %R === %R %N",
+					   src_ts, dst_ts, policy_dir_names, direction);
+	}
 
 	/* create a policy */
 	memset(&policy, 0, sizeof(policy_entry_t));
 	policy.sel = ts2selector(src_ts, dst_ts);
+	policy.mark = mark.value & mark.mask;
 	policy.direction = direction;
 
 	/* find the policy */
@@ -1851,8 +2048,17 @@ METHOD(kernel_ipsec_t, del_policy, status_t,
 	this->mutex->unlock(this->mutex);
 	if (!to_delete)
 	{
-		DBG1(DBG_KNL, "deleting policy %R === %R %N failed, not found", src_ts,
-					   dst_ts, policy_dir_names, direction);
+		if (mark.value)
+		{
+			DBG1(DBG_KNL, "deleting policy %R === %R %N  (mark %u/0x%8x) "
+						  "failed, not found", src_ts, dst_ts, policy_dir_names,
+						   direction, mark.value, mark.mask);
+		}
+		else
+		{
+			DBG1(DBG_KNL, "deleting policy %R === %R %N failed, not found",
+						   src_ts, dst_ts, policy_dir_names, direction);
+		}
 		return NOT_FOUND;
 	}
 
@@ -1867,13 +2073,40 @@ METHOD(kernel_ipsec_t, del_policy, status_t,
 	policy_id->sel = to_delete->sel;
 	policy_id->dir = direction;
 
+	if (mark.value)
+	{
+		struct xfrm_mark *mrk;
+		struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_userpolicy_id);
+
+		rthdr->rta_type = XFRMA_MARK;
+		rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_mark));
+		hdr->nlmsg_len += rthdr->rta_len;
+		if (hdr->nlmsg_len > sizeof(request))
+		{
+			return FAILED;
+		}
+
+		mrk = (struct xfrm_mark*)RTA_DATA(rthdr);
+		mrk->v = mark.value;
+		mrk->m = mark.mask;
+	}
+
 	route = to_delete->route;
 	free(to_delete);
 
 	if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
 	{
-		DBG1(DBG_KNL, "unable to delete policy %R === %R %N", src_ts, dst_ts,
-					   policy_dir_names, direction);
+		if (mark.value)
+		{
+			DBG1(DBG_KNL, "unable to delete policy %R === %R %N  "
+                          "(mark %u/0x%8x)", src_ts, dst_ts, policy_dir_names,
+						   direction, mark.value, mark.mask);
+		}
+		else
+		{
+			DBG1(DBG_KNL, "unable to delete policy %R === %R %N",
+						   src_ts, dst_ts, policy_dir_names, direction);
+		}
 		return FAILED;
 	}
 
diff --git a/src/libcharon/plugins/kernel_pfkey/Makefile.in b/src/libcharon/plugins/kernel_pfkey/Makefile.in
index 2b028ba71..1dda6827b 100644
--- a/src/libcharon/plugins/kernel_pfkey/Makefile.in
+++ b/src/libcharon/plugins/kernel_pfkey/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
diff --git a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
index 8a7883c8a..a64c27f6f 100644
--- a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
+++ b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008-2009 Tobias Brunner
+ * Copyright (C) 2008-2010 Tobias Brunner
  * Copyright (C) 2008 Andreas Steffen
  * Hochschule fuer Technik Rapperswil
  *
@@ -67,8 +67,10 @@
 
 /** non linux specific */
 #ifndef IPPROTO_COMP
+#ifdef IPPROTO_IPCOMP
 #define IPPROTO_COMP IPPROTO_IPCOMP
 #endif
+#endif
 
 #ifndef SADB_X_AALG_SHA2_256HMAC
 #define SADB_X_AALG_SHA2_256HMAC SADB_X_AALG_SHA2_256
@@ -600,17 +602,43 @@ static int lookup_algorithm(kernel_algorithm_t *list, int ikev2)
 }
 
 /**
- * add a host behind a sadb_address extension
+ * Copy a host_t as sockaddr_t to the given memory location. Ports are
+ * reset to zero as per RFC 2367.
+ * @return		the number of bytes copied
  */
-static void host2ext(host_t *host, struct sadb_address *ext)
+static size_t hostcpy(void *dest, host_t *host)
 {
-	sockaddr_t *host_addr = host->get_sockaddr(host);
+	sockaddr_t *addr = host->get_sockaddr(host), *dest_addr = dest;
 	socklen_t *len = host->get_sockaddr_len(host);
+	memcpy(dest, addr, *len);
 #ifdef HAVE_STRUCT_SOCKADDR_SA_LEN
-	host_addr->sa_len = *len;
+	dest_addr->sa_len = *len;
 #endif
-	memcpy((char*)(ext + 1), host_addr, *len);
-	ext->sadb_address_len = PFKEY_LEN(sizeof(*ext) + *len);
+	switch (dest_addr->sa_family)
+	{
+		case AF_INET:
+		{
+			struct sockaddr_in *sin = dest;
+			sin->sin_port = 0;
+			break;
+		}
+		case AF_INET6:
+		{
+			struct sockaddr_in6 *sin6 = dest;
+			sin6->sin6_port = 0;
+			break;
+		}
+	}
+	return *len;
+}
+
+/**
+ * add a host behind an sadb_address extension
+ */
+static void host2ext(host_t *host, struct sadb_address *ext)
+{
+	size_t len = hostcpy(ext + 1, host);
+	ext->sadb_address_len = PFKEY_LEN(sizeof(*ext) + len);
 }
 
 /**
@@ -1019,7 +1047,7 @@ static void process_migrate(private_kernel_pfkey_ipsec_t *this, struct sadb_msg*
 }
 #endif /*SADB_X_MIGRATE*/
 
-#ifdef HAVE_NATT
+#ifdef SADB_X_NAT_T_NEW_MAPPING
 /**
  * Process a SADB_X_NAT_T_NEW_MAPPING message from the kernel
  */
@@ -1075,7 +1103,7 @@ static void process_mapping(private_kernel_pfkey_ipsec_t *this, struct sadb_msg*
 		}
 	}
 }
-#endif /*HAVE_NATT*/
+#endif /*SADB_X_NAT_T_NEW_MAPPING*/
 
 /**
  * Receives events from kernel
@@ -1137,11 +1165,11 @@ static job_requeue_t receive_events(private_kernel_pfkey_ipsec_t *this)
 			process_migrate(this, msg);
 			break;
 #endif /*SADB_X_MIGRATE*/
-#ifdef HAVE_NATT
+#ifdef SADB_X_NAT_T_NEW_MAPPING
 		case SADB_X_NAT_T_NEW_MAPPING:
 			process_mapping(this, msg);
 			break;
-#endif /*HAVE_NATT*/
+#endif /*SADB_X_NAT_T_NEW_MAPPING*/
 		default:
 			break;
 	}
@@ -1217,10 +1245,11 @@ METHOD(kernel_ipsec_t, get_cpi, status_t,
 
 METHOD(kernel_ipsec_t, add_sa, status_t,
 	private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst, u_int32_t spi,
-	protocol_id_t protocol, u_int32_t reqid, lifetime_cfg_t *lifetime,
-	u_int16_t enc_alg, chunk_t enc_key, u_int16_t int_alg, chunk_t int_key,
-	ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi, bool encap,
-	bool inbound, traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
+	protocol_id_t protocol, u_int32_t reqid, mark_t mark,
+	lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
+	u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode,
+	u_int16_t ipcomp, u_int16_t cpi, bool encap, bool inbound,
+	traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
 {
 	unsigned char request[PFKEY_BUFFER_SIZE];
 	struct sadb_msg *msg, *out;
@@ -1364,7 +1393,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 METHOD(kernel_ipsec_t, update_sa, status_t,
 	private_kernel_pfkey_ipsec_t *this, u_int32_t spi, protocol_id_t protocol,
 	u_int16_t cpi, host_t *src, host_t *dst, host_t *new_src, host_t *new_dst,
-	bool encap, bool new_encap)
+	bool encap, bool new_encap, mark_t mark)
 {
 	unsigned char request[PFKEY_BUFFER_SIZE];
 	struct sadb_msg *msg, *out;
@@ -1497,7 +1526,7 @@ METHOD(kernel_ipsec_t, update_sa, status_t,
 
 METHOD(kernel_ipsec_t, query_sa, status_t,
 	private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
-	u_int32_t spi, protocol_id_t protocol, u_int64_t *bytes)
+	u_int32_t spi, protocol_id_t protocol, mark_t mark, u_int64_t *bytes)
 {
 	unsigned char request[PFKEY_BUFFER_SIZE];
 	struct sadb_msg *msg, *out;
@@ -1553,7 +1582,7 @@ METHOD(kernel_ipsec_t, query_sa, status_t,
 
 METHOD(kernel_ipsec_t, del_sa, status_t,
 	private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
-	u_int32_t spi, protocol_id_t protocol, u_int16_t cpi)
+	u_int32_t spi, protocol_id_t protocol, u_int16_t cpi, mark_t mark)
 {
 	unsigned char request[PFKEY_BUFFER_SIZE];
 	struct sadb_msg *msg, *out;
@@ -1604,8 +1633,8 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
 	private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
 	traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
 	policy_dir_t direction, u_int32_t spi, protocol_id_t protocol,
-	u_int32_t reqid, ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
-	bool routed)
+	u_int32_t reqid, mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp,
+	u_int16_t cpi, bool routed)
 {
 	unsigned char request[PFKEY_BUFFER_SIZE];
 	struct sadb_msg *msg, *out;
@@ -1679,14 +1708,10 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
 	req->sadb_x_ipsecrequest_level = IPSEC_LEVEL_UNIQUE;
 	if (mode == MODE_TUNNEL)
 	{
-		sockaddr_t *sa;
-		socklen_t sl;
-		sa = src->get_sockaddr(src);
-		sl = *src->get_sockaddr_len(src);
-		memcpy(req + 1, sa, sl);
-		sa = dst->get_sockaddr(dst);
-		memcpy((u_int8_t*)(req + 1) + sl, sa, sl);
-		req->sadb_x_ipsecrequest_len += sl * 2;
+		len = hostcpy(req + 1, src);
+		req->sadb_x_ipsecrequest_len += len;
+		len = hostcpy((char*)(req + 1) + len, dst);
+		req->sadb_x_ipsecrequest_len += len;
 	}
 
 	pol->sadb_x_policy_len += PFKEY_LEN(req->sadb_x_ipsecrequest_len);
@@ -1771,22 +1796,30 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
 			route->dst_net = chunk_clone(policy->src.net->get_address(policy->src.net));
 			route->prefixlen = policy->src.mask;
 
-			switch (charon->kernel_interface->add_route(charon->kernel_interface,
-					route->dst_net, route->prefixlen, route->gateway,
-					route->src_ip, route->if_name))
+			if (route->if_name)
+			{
+				switch (charon->kernel_interface->add_route(
+									charon->kernel_interface, route->dst_net,
+									route->prefixlen, route->gateway,
+									route->src_ip, route->if_name))
+				{
+					default:
+						DBG1(DBG_KNL, "unable to install source route for %H",
+							 route->src_ip);
+						/* FALL */
+					case ALREADY_DONE:
+						/* route exists, do not uninstall */
+						route_entry_destroy(route);
+						break;
+					case SUCCESS:
+						/* cache the installed route */
+						policy->route = route;
+						break;
+				}
+			}
+			else
 			{
-				default:
-					DBG1(DBG_KNL, "unable to install source route for %H",
-						 route->src_ip);
-					/* FALL */
-				case ALREADY_DONE:
-					/* route exists, do not uninstall */
-					route_entry_destroy(route);
-					break;
-				case SUCCESS:
-					/* cache the installed route */
-					policy->route = route;
-					break;
+				route_entry_destroy(route);
 			}
 		}
 		else
@@ -1802,7 +1835,8 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
 
 METHOD(kernel_ipsec_t, query_policy, status_t,
 	private_kernel_pfkey_ipsec_t *this, traffic_selector_t *src_ts,
-	traffic_selector_t *dst_ts, policy_dir_t direction, u_int32_t *use_time)
+	traffic_selector_t *dst_ts, policy_dir_t direction, mark_t mark,
+	u_int32_t *use_time)
 {
 	unsigned char request[PFKEY_BUFFER_SIZE];
 	struct sadb_msg *msg, *out;
@@ -1905,7 +1939,8 @@ METHOD(kernel_ipsec_t, query_policy, status_t,
 
 METHOD(kernel_ipsec_t, del_policy, status_t,
 	private_kernel_pfkey_ipsec_t *this, traffic_selector_t *src_ts,
-	traffic_selector_t *dst_ts, policy_dir_t direction, bool unrouted)
+	traffic_selector_t *dst_ts, policy_dir_t direction, mark_t mark,
+	bool unrouted)
 {
 	unsigned char request[PFKEY_BUFFER_SIZE];
 	struct sadb_msg *msg, *out;
diff --git a/src/libcharon/plugins/kernel_pfroute/Makefile.in b/src/libcharon/plugins/kernel_pfroute/Makefile.in
index 3a4d2c3b5..f78a97013 100644
--- a/src/libcharon/plugins/kernel_pfroute/Makefile.in
+++ b/src/libcharon/plugins/kernel_pfroute/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
diff --git a/src/libcharon/plugins/load_tester/Makefile.in b/src/libcharon/plugins/load_tester/Makefile.in
index 8965aff78..d049bb41b 100644
--- a/src/libcharon/plugins/load_tester/Makefile.in
+++ b/src/libcharon/plugins/load_tester/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
diff --git a/src/libcharon/plugins/load_tester/load_tester_config.c b/src/libcharon/plugins/load_tester/load_tester_config.c
index c1f98f2fe..a230aa3f5 100644
--- a/src/libcharon/plugins/load_tester/load_tester_config.c
+++ b/src/libcharon/plugins/load_tester/load_tester_config.c
@@ -223,8 +223,9 @@ static peer_cfg_t* generate_config(private_load_tester_config_t *this, uint num)
 		generate_auth_cfg(this, this->initiator_auth, peer_cfg, FALSE, num);
 	}
 
-	child_cfg = child_cfg_create("load-test", &lifetime, NULL, TRUE,
-								 MODE_TUNNEL, ACTION_NONE, ACTION_NONE, FALSE, 0);
+	child_cfg = child_cfg_create("load-test", &lifetime, NULL, TRUE, MODE_TUNNEL,
+								 ACTION_NONE, ACTION_NONE, FALSE, 0, 0,
+								 NULL, NULL);
 	proposal = proposal_create_from_string(PROTO_ESP, "aes128-sha1");
 	child_cfg->add_proposal(child_cfg, proposal);
 	ts = traffic_selector_create_dynamic(0, 0, 65535);
diff --git a/src/libcharon/plugins/load_tester/load_tester_ipsec.c b/src/libcharon/plugins/load_tester/load_tester_ipsec.c
index 1218443cc..43c0ef009 100644
--- a/src/libcharon/plugins/load_tester/load_tester_ipsec.c
+++ b/src/libcharon/plugins/load_tester/load_tester_ipsec.c
@@ -34,118 +34,89 @@ struct private_load_tester_ipsec_t {
 	u_int32_t spi;
 };
 
-/**
- * Implementation of kernel_interface_t.get_spi.
- */
-static status_t get_spi(private_load_tester_ipsec_t *this,
-						host_t *src, host_t *dst,
-						protocol_id_t protocol, u_int32_t reqid,
-						u_int32_t *spi)
+METHOD(kernel_ipsec_t, get_spi, status_t,
+	   private_load_tester_ipsec_t *this, host_t *src, host_t *dst,
+	   protocol_id_t protocol, u_int32_t reqid, u_int32_t *spi)
 {
 	*spi = ++this->spi;
 	return SUCCESS;
 }
 
-/**
- * Implementation of kernel_interface_t.get_cpi.
- */
-static status_t get_cpi(private_load_tester_ipsec_t *this,
-						host_t *src, host_t *dst,
-						u_int32_t reqid, u_int16_t *cpi)
+METHOD(kernel_ipsec_t, get_cpi, status_t,
+	   private_load_tester_ipsec_t *this, host_t *src, host_t *dst,
+	   u_int32_t reqid, u_int16_t *cpi)
 {
 	return FAILED;
 }
 
-/**
- * Implementation of kernel_interface_t.add_sa.
- */
-static status_t add_sa(private_load_tester_ipsec_t *this,
-					   host_t *src, host_t *dst, u_int32_t spi,
-					   protocol_id_t protocol, u_int32_t reqid,
-					   lifetime_cfg_t *lifetime,
-					   u_int16_t enc_alg, chunk_t enc_key,
-					   u_int16_t int_alg, chunk_t int_key,
-					   ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
-					   bool encap, bool inbound, traffic_selector_t *src_ts,
-					   traffic_selector_t *dst_ts)
+METHOD(kernel_ipsec_t, add_sa, status_t,
+	   private_load_tester_ipsec_t *this, host_t *src, host_t *dst,
+	   u_int32_t spi, protocol_id_t protocol, u_int32_t reqid, mark_t mark,
+	   lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
+	   u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp,
+	   u_int16_t cpi, bool encap, bool inbound, traffic_selector_t *src_ts,
+	   traffic_selector_t *dst_ts)
 {
 	return SUCCESS;
 }
 
-/**
- * Implementation of kernel_interface_t.update_sa.
- */
-static status_t update_sa(private_load_tester_ipsec_t *this,
-						  u_int32_t spi, protocol_id_t protocol, u_int16_t cpi,
-						  host_t *src, host_t *dst,
-						  host_t *new_src, host_t *new_dst,
-						  bool encap, bool new_encap)
+METHOD(kernel_ipsec_t, update_sa, status_t,
+	   private_load_tester_ipsec_t *this, u_int32_t spi, protocol_id_t protocol,
+	   u_int16_t cpi, host_t *src, host_t *dst, host_t *new_src,
+	   host_t *new_dst, bool encap, bool new_encap, mark_t mark)
 {
 	return SUCCESS;
 }
 
-/**
- * Implementation of kernel_interface_t.query_sa.
- */
-static status_t query_sa(private_load_tester_ipsec_t *this, host_t *src,
-						 host_t *dst, u_int32_t spi, protocol_id_t protocol,
-						 u_int64_t *bytes)
+METHOD(kernel_ipsec_t, query_sa, status_t,
+	   private_load_tester_ipsec_t *this, host_t *src, host_t *dst,
+	   u_int32_t spi, protocol_id_t protocol, mark_t mark, u_int64_t *bytes)
 {
 	return NOT_SUPPORTED;
 }
 
-/**
- * Implementation of kernel_interface_t.del_sa.
- */
-static status_t del_sa(private_load_tester_ipsec_t *this, host_t *src,
-					   host_t *dst, u_int32_t spi, protocol_id_t protocol,
-					   u_int16_t cpi)
+METHOD(kernel_ipsec_t, del_sa, status_t,
+	   private_load_tester_ipsec_t *this, host_t *src, host_t *dst,
+	   u_int32_t spi, protocol_id_t protocol, u_int16_t cpi, mark_t mark)
 {
 	return SUCCESS;
 }
 
-/**
- * Implementation of kernel_interface_t.add_policy.
- */
-static status_t add_policy(private_load_tester_ipsec_t *this,
-						   host_t *src, host_t *dst,
-						   traffic_selector_t *src_ts,
-						   traffic_selector_t *dst_ts,
-						   policy_dir_t direction, u_int32_t spi,
-						   protocol_id_t protocol, u_int32_t reqid,
-						   ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
-						   bool routed)
+METHOD(kernel_ipsec_t, add_policy, status_t,
+	   private_load_tester_ipsec_t *this, host_t *src, host_t *dst,
+	   traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
+	   policy_dir_t direction, u_int32_t spi, protocol_id_t protocol,
+	   u_int32_t reqid, mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp,
+	   u_int16_t cpi, bool routed)
 {
 	return SUCCESS;
 }
 
-/**
- * Implementation of kernel_interface_t.query_policy.
- */
-static status_t query_policy(private_load_tester_ipsec_t *this,
-							 traffic_selector_t *src_ts,
-							 traffic_selector_t *dst_ts,
-							 policy_dir_t direction, u_int32_t *use_time)
+METHOD(kernel_ipsec_t, query_policy, status_t,
+	   private_load_tester_ipsec_t *this, traffic_selector_t *src_ts,
+	   traffic_selector_t *dst_ts, policy_dir_t direction, mark_t mark,
+	   u_int32_t *use_time)
 {
 	*use_time = time_monotonic(NULL);
 	return SUCCESS;
 }
 
-/**
- * Implementation of kernel_interface_t.del_policy.
- */
-static status_t del_policy(private_load_tester_ipsec_t *this,
-						   traffic_selector_t *src_ts,
-						   traffic_selector_t *dst_ts,
-						   policy_dir_t direction, bool unrouted)
+METHOD(kernel_ipsec_t, del_policy, status_t,
+	   private_load_tester_ipsec_t *this, traffic_selector_t *src_ts,
+	   traffic_selector_t *dst_ts, policy_dir_t direction, mark_t mark,
+	   bool unrouted)
 {
 	return SUCCESS;
 }
 
-/**
- * Implementation of kernel_interface_t.destroy.
- */
-static void destroy(private_load_tester_ipsec_t *this)
+METHOD(kernel_ipsec_t, bypass_socket, bool,
+	private_load_tester_ipsec_t *this, int fd, int family)
+{
+	return TRUE;
+}
+
+METHOD(kernel_ipsec_t, destroy, void,
+	   private_load_tester_ipsec_t *this)
 {
 	free(this);
 }
@@ -155,21 +126,26 @@ static void destroy(private_load_tester_ipsec_t *this)
  */
 load_tester_ipsec_t *load_tester_ipsec_create()
 {
-	private_load_tester_ipsec_t *this = malloc_thing(private_load_tester_ipsec_t);
-
-	/* public functions */
-	this->public.interface.get_spi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,protocol_id_t,u_int32_t,u_int32_t*))get_spi;
-	this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
-	this->public.interface.add_sa  = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,lifetime_cfg_t*,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool,traffic_selector_t*,traffic_selector_t*))add_sa;
-	this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa;
-	this->public.interface.query_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int64_t*))query_sa;
-	this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
-	this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t *this,host_t *, host_t *,traffic_selector_t *,traffic_selector_t *,policy_dir_t, u_int32_t,protocol_id_t, u_int32_t,ipsec_mode_t, u_int16_t, u_int16_t,bool))add_policy;
-	this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
-	this->public.interface.del_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,bool))del_policy;
-	this->public.interface.destroy = (void(*)(kernel_ipsec_t*)) destroy;
-
-	this->spi = 0;
+	private_load_tester_ipsec_t *this;
+
+	INIT(this,
+		.public = {
+			.interface = {
+				.get_spi = _get_spi,
+				.get_cpi = _get_cpi,
+				.add_sa = _add_sa,
+				.update_sa = _update_sa,
+				.query_sa = _query_sa,
+				.del_sa = _del_sa,
+				.add_policy = _add_policy,
+				.query_policy = _query_policy,
+				.del_policy = _del_policy,
+				.bypass_socket = _bypass_socket,
+				.destroy = _destroy,
+			},
+		},
+		.spi = 0,
+	);
 
 	return &this->public;
 }
diff --git a/src/libcharon/plugins/load_tester/load_tester_plugin.c b/src/libcharon/plugins/load_tester/load_tester_plugin.c
index 46145b803..15dbccb00 100644
--- a/src/libcharon/plugins/load_tester/load_tester_plugin.c
+++ b/src/libcharon/plugins/load_tester/load_tester_plugin.c
@@ -158,7 +158,7 @@ static void destroy(private_load_tester_plugin_t *this)
 	charon->kernel_interface->remove_ipsec_interface(charon->kernel_interface,
 						(kernel_ipsec_constructor_t)load_tester_ipsec_create);
 	charon->backends->remove_backend(charon->backends, &this->config->backend);
-	charon->credentials->remove_set(charon->credentials, &this->creds->credential_set);
+	lib->credmgr->remove_set(lib->credmgr, &this->creds->credential_set);
 	charon->bus->remove_listener(charon->bus, &this->listener->listener);
 	this->config->destroy(this->config);
 	this->creds->destroy(this->creds);
@@ -209,7 +209,7 @@ plugin_t *load_tester_plugin_create()
 	this->creds = load_tester_creds_create();
 	this->listener = load_tester_listener_create(shutdown_on);
 	charon->backends->add_backend(charon->backends, &this->config->backend);
-	charon->credentials->add_set(charon->credentials, &this->creds->credential_set);
+	lib->credmgr->add_set(lib->credmgr, &this->creds->credential_set);
 	charon->bus->add_listener(charon->bus, &this->listener->listener);
 
 	if (lib->settings->get_bool(lib->settings,
diff --git a/src/libcharon/plugins/medcli/Makefile.in b/src/libcharon/plugins/medcli/Makefile.in
index 539890ec3..c26d325a9 100644
--- a/src/libcharon/plugins/medcli/Makefile.in
+++ b/src/libcharon/plugins/medcli/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
diff --git a/src/libcharon/plugins/medcli/medcli_config.c b/src/libcharon/plugins/medcli/medcli_config.c
index e355d55f7..6cbaf36f2 100644
--- a/src/libcharon/plugins/medcli/medcli_config.c
+++ b/src/libcharon/plugins/medcli/medcli_config.c
@@ -181,8 +181,9 @@ static peer_cfg_t *get_peer_cfg_by_name(private_medcli_config_t *this, char *nam
 			  identification_create_from_encoding(ID_KEY_ID, other));
 	peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);
 
-	child_cfg = child_cfg_create(name, &lifetime, NULL, TRUE,
-							  MODE_TUNNEL, ACTION_NONE, ACTION_NONE, FALSE, 0);
+	child_cfg = child_cfg_create(name, &lifetime, NULL, TRUE, MODE_TUNNEL,
+								 ACTION_NONE, ACTION_NONE, FALSE, 0, 0,
+								 NULL, NULL);
 	child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
 	child_cfg->add_traffic_selector(child_cfg, TRUE, ts_from_string(local_net));
 	child_cfg->add_traffic_selector(child_cfg, FALSE, ts_from_string(remote_net));
@@ -260,7 +261,8 @@ static bool peer_enumerator_enumerate(peer_enumerator_t *this, peer_cfg_t **cfg)
 	this->current->add_auth_cfg(this->current, auth, FALSE);
 
 	child_cfg = child_cfg_create(name, &lifetime, NULL, TRUE, MODE_TUNNEL,
-								 ACTION_NONE, ACTION_NONE, FALSE, 0);
+								 ACTION_NONE, ACTION_NONE, FALSE, 0, 0,
+								 NULL, NULL);
 	child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
 	child_cfg->add_traffic_selector(child_cfg, TRUE, ts_from_string(local_net));
 	child_cfg->add_traffic_selector(child_cfg, FALSE, ts_from_string(remote_net));
diff --git a/src/libcharon/plugins/medcli/medcli_plugin.c b/src/libcharon/plugins/medcli/medcli_plugin.c
index 397168d46..6befbf440 100644
--- a/src/libcharon/plugins/medcli/medcli_plugin.c
+++ b/src/libcharon/plugins/medcli/medcli_plugin.c
@@ -61,7 +61,7 @@ static void destroy(private_medcli_plugin_t *this)
 {
 	charon->bus->remove_listener(charon->bus, &this->listener->listener);
 	charon->backends->remove_backend(charon->backends, &this->config->backend);
-	charon->credentials->remove_set(charon->credentials, &this->creds->set);
+	lib->credmgr->remove_set(lib->credmgr, &this->creds->set);
 	this->listener->destroy(this->listener);
 	this->config->destroy(this->config);
 	this->creds->destroy(this->creds);
@@ -100,7 +100,7 @@ plugin_t *medcli_plugin_create()
 	this->config = medcli_config_create(this->db);
 	this->listener = medcli_listener_create(this->db);
 
-	charon->credentials->add_set(charon->credentials, &this->creds->set);
+	lib->credmgr->add_set(lib->credmgr, &this->creds->set);
 	charon->backends->add_backend(charon->backends, &this->config->backend);
 	charon->bus->add_listener(charon->bus, &this->listener->listener);
 
diff --git a/src/libcharon/plugins/medsrv/Makefile.in b/src/libcharon/plugins/medsrv/Makefile.in
index a103a1340..4dc9c00d0 100644
--- a/src/libcharon/plugins/medsrv/Makefile.in
+++ b/src/libcharon/plugins/medsrv/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
diff --git a/src/libcharon/plugins/medsrv/medsrv_plugin.c b/src/libcharon/plugins/medsrv/medsrv_plugin.c
index 262d26d6b..c150346cb 100644
--- a/src/libcharon/plugins/medsrv/medsrv_plugin.c
+++ b/src/libcharon/plugins/medsrv/medsrv_plugin.c
@@ -54,7 +54,7 @@ struct private_medsrv_plugin_t {
 static void destroy(private_medsrv_plugin_t *this)
 {
 	charon->backends->remove_backend(charon->backends, &this->config->backend);
-	charon->credentials->remove_set(charon->credentials, &this->creds->set);
+	lib->credmgr->remove_set(lib->credmgr, &this->creds->set);
 	this->config->destroy(this->config);
 	this->creds->destroy(this->creds);
 	this->db->destroy(this->db);
@@ -91,7 +91,7 @@ plugin_t *medsrv_plugin_create()
 	this->creds = medsrv_creds_create(this->db);
 	this->config = medsrv_config_create(this->db);
 
-	charon->credentials->add_set(charon->credentials, &this->creds->set);
+	lib->credmgr->add_set(lib->credmgr, &this->creds->set);
 	charon->backends->add_backend(charon->backends, &this->config->backend);
 
 	return &this->public.plugin;
diff --git a/src/libcharon/plugins/nm/Makefile.in b/src/libcharon/plugins/nm/Makefile.in
index c7f288f54..1b3e4c5a6 100644
--- a/src/libcharon/plugins/nm/Makefile.in
+++ b/src/libcharon/plugins/nm/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
diff --git a/src/libcharon/plugins/nm/nm_plugin.c b/src/libcharon/plugins/nm/nm_plugin.c
index 6087f6589..250e6f7f9 100644
--- a/src/libcharon/plugins/nm/nm_plugin.c
+++ b/src/libcharon/plugins/nm/nm_plugin.c
@@ -84,7 +84,7 @@ static void destroy(private_nm_plugin_t *this)
 	{
 		g_object_unref(this->plugin);
 	}
-	charon->credentials->remove_set(charon->credentials, &this->creds->set);
+	lib->credmgr->remove_set(lib->credmgr, &this->creds->set);
 	hydra->attributes->remove_handler(hydra->attributes, &this->handler->handler);
 	this->creds->destroy(this->creds);
 	this->handler->destroy(this->handler);
@@ -110,7 +110,7 @@ plugin_t *nm_plugin_create()
 	this->creds = nm_creds_create();
 	this->handler = nm_handler_create();
 	hydra->attributes->add_handler(hydra->attributes, &this->handler->handler);
-	charon->credentials->add_set(charon->credentials, &this->creds->set);
+	lib->credmgr->add_set(lib->credmgr, &this->creds->set);
 	this->plugin = nm_strongswan_plugin_new(this->creds, this->handler);
 	if (!this->plugin)
 	{
diff --git a/src/libcharon/plugins/nm/nm_service.c b/src/libcharon/plugins/nm/nm_service.c
index cdf7dc962..07318bbbf 100644
--- a/src/libcharon/plugins/nm/nm_service.c
+++ b/src/libcharon/plugins/nm/nm_service.c
@@ -444,7 +444,8 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
 
 	child_cfg = child_cfg_create(priv->name, &lifetime,
 								 NULL, TRUE, MODE_TUNNEL, /* updown, hostaccess */
-								 ACTION_NONE, ACTION_NONE, ipcomp, 0);
+								 ACTION_NONE, ACTION_NONE, ipcomp, 0, 0,
+								 NULL, NULL);
 	child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
 	ts = traffic_selector_create_dynamic(0, 0, 65535);
 	child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
diff --git a/src/libcharon/plugins/resolve/Makefile.am b/src/libcharon/plugins/resolve/Makefile.am
deleted file mode 100644
index f8830d42e..000000000
--- a/src/libcharon/plugins/resolve/Makefile.am
+++ /dev/null
@@ -1,18 +0,0 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon
-
-AM_CFLAGS = -rdynamic \
-	-DRESOLV_CONF=\"${resolv_conf}\"
-
-if MONOLITHIC
-noinst_LTLIBRARIES = libstrongswan-resolve.la
-else
-plugin_LTLIBRARIES = libstrongswan-resolve.la
-endif
-
-libstrongswan_resolve_la_SOURCES = \
-	resolve_plugin.h resolve_plugin.c \
-	resolve_handler.h resolve_handler.c
-
-libstrongswan_resolve_la_LDFLAGS = -module -avoid-version
diff --git a/src/libcharon/plugins/resolve/Makefile.in b/src/libcharon/plugins/resolve/Makefile.in
deleted file mode 100644
index 92ee85539..000000000
--- a/src/libcharon/plugins/resolve/Makefile.in
+++ /dev/null
@@ -1,591 +0,0 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
-# @configure_input@
-
-# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
-# This Makefile.in is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
-# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
-# PARTICULAR PURPOSE.
-
-@SET_MAKE@
-
-VPATH = @srcdir@
-pkgdatadir = $(datadir)/@PACKAGE@
-pkgincludedir = $(includedir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
-pkglibexecdir = $(libexecdir)/@PACKAGE@
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-install_sh_DATA = $(install_sh) -c -m 644
-install_sh_PROGRAM = $(install_sh) -c
-install_sh_SCRIPT = $(install_sh) -c
-INSTALL_HEADER = $(INSTALL_DATA)
-transform = $(program_transform_name)
-NORMAL_INSTALL = :
-PRE_INSTALL = :
-POST_INSTALL = :
-NORMAL_UNINSTALL = :
-PRE_UNINSTALL = :
-POST_UNINSTALL = :
-build_triplet = @build@
-host_triplet = @host@
-subdir = src/libcharon/plugins/resolve
-DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
-ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
-	$(top_srcdir)/m4/config/ltoptions.m4 \
-	$(top_srcdir)/m4/config/ltsugar.m4 \
-	$(top_srcdir)/m4/config/ltversion.m4 \
-	$(top_srcdir)/m4/config/lt~obsolete.m4 \
-	$(top_srcdir)/m4/macros/with.m4 \
-	$(top_srcdir)/m4/macros/enable-disable.m4 \
-	$(top_srcdir)/configure.in
-am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
-	$(ACLOCAL_M4)
-mkinstalldirs = $(install_sh) -d
-CONFIG_CLEAN_FILES =
-CONFIG_CLEAN_VPATH_FILES =
-am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
-am__vpath_adj = case $$p in \
-    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
-    *) f=$$p;; \
-  esac;
-am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
-am__install_max = 40
-am__nobase_strip_setup = \
-  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
-am__nobase_strip = \
-  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
-am__nobase_list = $(am__nobase_strip_setup); \
-  for p in $$list; do echo "$$p $$p"; done | \
-  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
-  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
-    if (++n[$$2] == $(am__install_max)) \
-      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
-    END { for (dir in files) print dir, files[dir] }'
-am__base_list = \
-  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
-  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
-am__installdirs = "$(DESTDIR)$(plugindir)"
-LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
-libstrongswan_resolve_la_LIBADD =
-am_libstrongswan_resolve_la_OBJECTS = resolve_plugin.lo \
-	resolve_handler.lo
-libstrongswan_resolve_la_OBJECTS =  \
-	$(am_libstrongswan_resolve_la_OBJECTS)
-libstrongswan_resolve_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_resolve_la_LDFLAGS) $(LDFLAGS) -o $@
-@MONOLITHIC_FALSE@am_libstrongswan_resolve_la_rpath = -rpath \
-@MONOLITHIC_FALSE@	$(plugindir)
-@MONOLITHIC_TRUE@am_libstrongswan_resolve_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
-depcomp = $(SHELL) $(top_srcdir)/depcomp
-am__depfiles_maybe = depfiles
-am__mv = mv -f
-COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
-	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
-SOURCES = $(libstrongswan_resolve_la_SOURCES)
-DIST_SOURCES = $(libstrongswan_resolve_la_SOURCES)
-ETAGS = etags
-CTAGS = ctags
-DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
-ACLOCAL = @ACLOCAL@
-ALLOCA = @ALLOCA@
-AMTAR = @AMTAR@
-AR = @AR@
-AUTOCONF = @AUTOCONF@
-AUTOHEADER = @AUTOHEADER@
-AUTOMAKE = @AUTOMAKE@
-AWK = @AWK@
-BTLIB = @BTLIB@
-CC = @CC@
-CCDEPMODE = @CCDEPMODE@
-CFLAGS = @CFLAGS@
-CPP = @CPP@
-CPPFLAGS = @CPPFLAGS@
-CYGPATH_W = @CYGPATH_W@
-DEFS = @DEFS@
-DEPDIR = @DEPDIR@
-DLLIB = @DLLIB@
-DSYMUTIL = @DSYMUTIL@
-DUMPBIN = @DUMPBIN@
-ECHO_C = @ECHO_C@
-ECHO_N = @ECHO_N@
-ECHO_T = @ECHO_T@
-EGREP = @EGREP@
-EXEEXT = @EXEEXT@
-FGREP = @FGREP@
-GPERF = @GPERF@
-GREP = @GREP@
-INSTALL = @INSTALL@
-INSTALL_DATA = @INSTALL_DATA@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@
-INSTALL_SCRIPT = @INSTALL_SCRIPT@
-INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-LD = @LD@
-LDFLAGS = @LDFLAGS@
-LEX = @LEX@
-LEXLIB = @LEXLIB@
-LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBOBJS = @LIBOBJS@
-LIBS = @LIBS@
-LIBTOOL = @LIBTOOL@
-LIPO = @LIPO@
-LN_S = @LN_S@
-LTLIBOBJS = @LTLIBOBJS@
-MAKEINFO = @MAKEINFO@
-MKDIR_P = @MKDIR_P@
-MYSQLCFLAG = @MYSQLCFLAG@
-MYSQLCONFIG = @MYSQLCONFIG@
-MYSQLLIB = @MYSQLLIB@
-NM = @NM@
-NMEDIT = @NMEDIT@
-OBJDUMP = @OBJDUMP@
-OBJEXT = @OBJEXT@
-OTOOL = @OTOOL@
-OTOOL64 = @OTOOL64@
-PACKAGE = @PACKAGE@
-PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
-PACKAGE_NAME = @PACKAGE_NAME@
-PACKAGE_STRING = @PACKAGE_STRING@
-PACKAGE_TARNAME = @PACKAGE_TARNAME@
-PACKAGE_URL = @PACKAGE_URL@
-PACKAGE_VERSION = @PACKAGE_VERSION@
-PATH_SEPARATOR = @PATH_SEPARATOR@
-PERL = @PERL@
-PKG_CONFIG = @PKG_CONFIG@
-PTHREADLIB = @PTHREADLIB@
-RANLIB = @RANLIB@
-RTLIB = @RTLIB@
-RUBY = @RUBY@
-RUBYINCLUDE = @RUBYINCLUDE@
-SED = @SED@
-SET_MAKE = @SET_MAKE@
-SHELL = @SHELL@
-SOCKLIB = @SOCKLIB@
-STRIP = @STRIP@
-VERSION = @VERSION@
-YACC = @YACC@
-YFLAGS = @YFLAGS@
-abs_builddir = @abs_builddir@
-abs_srcdir = @abs_srcdir@
-abs_top_builddir = @abs_top_builddir@
-abs_top_srcdir = @abs_top_srcdir@
-ac_ct_CC = @ac_ct_CC@
-ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
-am__include = @am__include@
-am__leading_dot = @am__leading_dot@
-am__quote = @am__quote@
-am__tar = @am__tar@
-am__untar = @am__untar@
-bindir = @bindir@
-build = @build@
-build_alias = @build_alias@
-build_cpu = @build_cpu@
-build_os = @build_os@
-build_vendor = @build_vendor@
-builddir = @builddir@
-datadir = @datadir@
-datarootdir = @datarootdir@
-default_pkcs11 = @default_pkcs11@
-docdir = @docdir@
-dvidir = @dvidir@
-exec_prefix = @exec_prefix@
-gtk_CFLAGS = @gtk_CFLAGS@
-gtk_LIBS = @gtk_LIBS@
-host = @host@
-host_alias = @host_alias@
-host_cpu = @host_cpu@
-host_os = @host_os@
-host_vendor = @host_vendor@
-htmldir = @htmldir@
-includedir = @includedir@
-infodir = @infodir@
-install_sh = @install_sh@
-ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
-ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
-ipsecuser = @ipsecuser@
-libdir = @libdir@
-libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
-linux_headers = @linux_headers@
-localedir = @localedir@
-localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
-mandir = @mandir@
-mkdir_p = @mkdir_p@
-nm_CFLAGS = @nm_CFLAGS@
-nm_LIBS = @nm_LIBS@
-nm_ca_dir = @nm_ca_dir@
-oldincludedir = @oldincludedir@
-pdfdir = @pdfdir@
-piddir = @piddir@
-plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
-prefix = @prefix@
-program_transform_name = @program_transform_name@
-psdir = @psdir@
-random_device = @random_device@
-resolv_conf = @resolv_conf@
-routing_table = @routing_table@
-routing_table_prio = @routing_table_prio@
-sbindir = @sbindir@
-sharedstatedir = @sharedstatedir@
-srcdir = @srcdir@
-strongswan_conf = @strongswan_conf@
-sysconfdir = @sysconfdir@
-target_alias = @target_alias@
-top_build_prefix = @top_build_prefix@
-top_builddir = @top_builddir@
-top_srcdir = @top_srcdir@
-urandom_device = @urandom_device@
-xml_CFLAGS = @xml_CFLAGS@
-xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon
-
-AM_CFLAGS = -rdynamic \
-	-DRESOLV_CONF=\"${resolv_conf}\"
-
-@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-resolve.la
-@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-resolve.la
-libstrongswan_resolve_la_SOURCES = \
-	resolve_plugin.h resolve_plugin.c \
-	resolve_handler.h resolve_handler.c
-
-libstrongswan_resolve_la_LDFLAGS = -module -avoid-version
-all: all-am
-
-.SUFFIXES:
-.SUFFIXES: .c .lo .o .obj
-$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
-	@for dep in $?; do \
-	  case '$(am__configure_deps)' in \
-	    *$$dep*) \
-	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
-	        && { if test -f $@; then exit 0; else break; fi; }; \
-	      exit 1;; \
-	  esac; \
-	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/resolve/Makefile'; \
-	$(am__cd) $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu src/libcharon/plugins/resolve/Makefile
-.PRECIOUS: Makefile
-Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
-	@case '$?' in \
-	  *config.status*) \
-	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
-	  *) \
-	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
-	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
-	esac;
-
-$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-
-$(top_srcdir)/configure:  $(am__configure_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(am__aclocal_m4_deps):
-
-clean-noinstLTLIBRARIES:
-	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
-	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
-	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
-	  test "$$dir" != "$$p" || dir=.; \
-	  echo "rm -f \"$${dir}/so_locations\""; \
-	  rm -f "$${dir}/so_locations"; \
-	done
-install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
-	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
-	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
-	list2=; for p in $$list; do \
-	  if test -f $$p; then \
-	    list2="$$list2 $$p"; \
-	  else :; fi; \
-	done; \
-	test -z "$$list2" || { \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
-	}
-
-uninstall-pluginLTLIBRARIES:
-	@$(NORMAL_UNINSTALL)
-	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
-	for p in $$list; do \
-	  $(am__strip_dir) \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
-	done
-
-clean-pluginLTLIBRARIES:
-	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
-	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
-	  test "$$dir" != "$$p" || dir=.; \
-	  echo "rm -f \"$${dir}/so_locations\""; \
-	  rm -f "$${dir}/so_locations"; \
-	done
-libstrongswan-resolve.la: $(libstrongswan_resolve_la_OBJECTS) $(libstrongswan_resolve_la_DEPENDENCIES) 
-	$(libstrongswan_resolve_la_LINK) $(am_libstrongswan_resolve_la_rpath) $(libstrongswan_resolve_la_OBJECTS) $(libstrongswan_resolve_la_LIBADD) $(LIBS)
-
-mostlyclean-compile:
-	-rm -f *.$(OBJEXT)
-
-distclean-compile:
-	-rm -f *.tab.c
-
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/resolve_handler.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/resolve_plugin.Plo@am__quote@
-
-.c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
-
-.c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
-
-.c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
-
-mostlyclean-libtool:
-	-rm -f *.lo
-
-clean-libtool:
-	-rm -rf .libs _libs
-
-ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
-	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	mkid -fID $$unique
-tags: TAGS
-
-TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	set x; \
-	here=`pwd`; \
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	shift; \
-	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
-	  test -n "$$unique" || unique=$$empty_fix; \
-	  if test $$# -gt 0; then \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      "$$@" $$unique; \
-	  else \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      $$unique; \
-	  fi; \
-	fi
-ctags: CTAGS
-CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$unique" \
-	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$unique
-
-GTAGS:
-	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && $(am__cd) $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) "$$here"
-
-distclean-tags:
-	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
-
-distdir: $(DISTFILES)
-	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	list='$(DISTFILES)'; \
-	  dist_files=`for file in $$list; do echo $$file; done | \
-	  sed -e "s|^$$srcdirstrip/||;t" \
-	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
-	case $$dist_files in \
-	  */*) $(MKDIR_P) `echo "$$dist_files" | \
-			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
-			   sort -u` ;; \
-	esac; \
-	for file in $$dist_files; do \
-	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  if test -d $$d/$$file; then \
-	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
-	    if test -d "$(distdir)/$$file"; then \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
-	  else \
-	    test -f "$(distdir)/$$file" \
-	    || cp -p $$d/$$file "$(distdir)/$$file" \
-	    || exit 1; \
-	  fi; \
-	done
-check-am: all-am
-check: check-am
-all-am: Makefile $(LTLIBRARIES)
-installdirs:
-	for dir in "$(DESTDIR)$(plugindir)"; do \
-	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
-	done
-install: install-am
-install-exec: install-exec-am
-install-data: install-data-am
-uninstall: uninstall-am
-
-install-am: all-am
-	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
-
-installcheck: installcheck-am
-install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
-mostlyclean-generic:
-
-clean-generic:
-
-distclean-generic:
-	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
-
-maintainer-clean-generic:
-	@echo "This command is intended for maintainers to use"
-	@echo "it deletes files that may require special tools to rebuild."
-clean: clean-am
-
-clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
-	clean-pluginLTLIBRARIES mostlyclean-am
-
-distclean: distclean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-distclean-am: clean-am distclean-compile distclean-generic \
-	distclean-tags
-
-dvi: dvi-am
-
-dvi-am:
-
-html: html-am
-
-html-am:
-
-info: info-am
-
-info-am:
-
-install-data-am: install-pluginLTLIBRARIES
-
-install-dvi: install-dvi-am
-
-install-dvi-am:
-
-install-exec-am:
-
-install-html: install-html-am
-
-install-html-am:
-
-install-info: install-info-am
-
-install-info-am:
-
-install-man:
-
-install-pdf: install-pdf-am
-
-install-pdf-am:
-
-install-ps: install-ps-am
-
-install-ps-am:
-
-installcheck-am:
-
-maintainer-clean: maintainer-clean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-maintainer-clean-am: distclean-am maintainer-clean-generic
-
-mostlyclean: mostlyclean-am
-
-mostlyclean-am: mostlyclean-compile mostlyclean-generic \
-	mostlyclean-libtool
-
-pdf: pdf-am
-
-pdf-am:
-
-ps: ps-am
-
-ps-am:
-
-uninstall-am: uninstall-pluginLTLIBRARIES
-
-.MAKE: install-am install-strip
-
-.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
-	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
-	ctags distclean distclean-compile distclean-generic \
-	distclean-libtool distclean-tags distdir dvi dvi-am html \
-	html-am info info-am install install-am install-data \
-	install-data-am install-dvi install-dvi-am install-exec \
-	install-exec-am install-html install-html-am install-info \
-	install-info-am install-man install-pdf install-pdf-am \
-	install-pluginLTLIBRARIES install-ps install-ps-am \
-	install-strip installcheck installcheck-am installdirs \
-	maintainer-clean maintainer-clean-generic mostlyclean \
-	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
-	pdf pdf-am ps ps-am tags uninstall uninstall-am \
-	uninstall-pluginLTLIBRARIES
-
-
-# Tell versions [3.59,3.63) of GNU make to not export all variables.
-# Otherwise a system limit (for SysV at least) may be exceeded.
-.NOEXPORT:
diff --git a/src/libcharon/plugins/resolve/resolve_handler.c b/src/libcharon/plugins/resolve/resolve_handler.c
deleted file mode 100644
index 714c751a6..000000000
--- a/src/libcharon/plugins/resolve/resolve_handler.c
+++ /dev/null
@@ -1,251 +0,0 @@
-/*
- * Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "resolve_handler.h"
-
-#include <unistd.h>
-
-#include <daemon.h>
-#include <threading/mutex.h>
-
-typedef struct private_resolve_handler_t private_resolve_handler_t;
-
-/**
- * Private data of an resolve_handler_t object.
- */
-struct private_resolve_handler_t {
-
-	/**
-	 * Public resolve_handler_t interface.
-	 */
-	resolve_handler_t public;
-
-	/**
-	 * resolv.conf file to use
-	 */
-	char *file;
-
-	/**
-	 * Mutex to access file exclusively
-	 */
-	mutex_t *mutex;
-};
-
-/**
- * Implementation of attribute_handler_t.handle
- */
-static bool handle(private_resolve_handler_t *this, identification_t *server,
-				   configuration_attribute_type_t type, chunk_t data)
-{
-	FILE *in, *out;
-	char buf[1024];
-	host_t *addr;
-	size_t len;
-	bool handled = FALSE;
-
-	switch (type)
-	{
-		case INTERNAL_IP4_DNS:
-			addr = host_create_from_chunk(AF_INET, data, 0);
-			break;
-		case INTERNAL_IP6_DNS:
-			addr = host_create_from_chunk(AF_INET6, data, 0);
-			break;
-		default:
-			return FALSE;
-	}
-
-	if (!addr || addr->is_anyaddr(addr))
-	{
-		DESTROY_IF(addr);
-		return FALSE;
-	}
-	this->mutex->lock(this->mutex);
-
-	in = fopen(this->file, "r");
-	/* allows us to stream from in to out */
-	unlink(this->file);
-	out = fopen(this->file, "w");
-	if (out)
-	{
-		fprintf(out, "nameserver %H   # by strongSwan, from %Y\n", addr, server);
-		DBG1(DBG_IKE, "installing DNS server %H to %s", addr, this->file);
-		handled = TRUE;
-
-		/* copy rest of the file */
-		if (in)
-		{
-			while ((len = fread(buf, 1, sizeof(buf), in)))
-			{
-				ignore_result(fwrite(buf, 1, len, out));
-			}
-		}
-		fclose(out);
-	}
-	if (in)
-	{
-		fclose(in);
-	}
-	this->mutex->unlock(this->mutex);
-	addr->destroy(addr);
-
-	if (!handled)
-	{
-		DBG1(DBG_IKE, "adding DNS server failed", this->file);
-	}
-	return handled;
-}
-
-/**
- * Implementation of attribute_handler_t.release
- */
-static void release(private_resolve_handler_t *this, identification_t *server,
-					configuration_attribute_type_t type, chunk_t data)
-{
-	FILE *in, *out;
-	char line[1024], matcher[512], *pos;
-	host_t *addr;
-	int family;
-
-	switch (type)
-	{
-		case INTERNAL_IP4_DNS:
-			family = AF_INET;
-			break;
-		case INTERNAL_IP6_DNS:
-			family = AF_INET6;
-			break;
-		default:
-			return;
-	}
-
-	this->mutex->lock(this->mutex);
-
-	in = fopen(this->file, "r");
-	if (in)
-	{
-		/* allows us to stream from in to out */
-		unlink(this->file);
-		out = fopen(this->file, "w");
-		if (out)
-		{
-			addr = host_create_from_chunk(family, data, 0);
-			snprintf(matcher, sizeof(matcher),
-					 "nameserver %H   # by strongSwan, from %Y\n",
-					 addr, server);
-
-			/* copy all, but matching line */
-			while ((pos = fgets(line, sizeof(line), in)))
-			{
-				if (strneq(line, matcher, strlen(matcher)))
-				{
-					DBG1(DBG_IKE, "removing DNS server %H from %s",
-						 addr, this->file);
-				}
-				else
-				{
-					fputs(line, out);
-				}
-			}
-			addr->destroy(addr);
-			fclose(out);
-		}
-		fclose(in);
-	}
-
-	this->mutex->unlock(this->mutex);
-}
-
-/**
- * Attribute enumerator implementation
- */
-typedef struct {
-	/** implements enumerator_t interface */
-	enumerator_t public;
-	/** virtual IP we are requesting */
-	host_t *vip;
-} attribute_enumerator_t;
-
-/**
- * Implementation of create_attribute_enumerator().enumerate()
- */
-static bool attribute_enumerate(attribute_enumerator_t *this,
-						configuration_attribute_type_t *type, chunk_t *data)
-{
-	switch (this->vip->get_family(this->vip))
-	{
-		case AF_INET:
-			*type = INTERNAL_IP4_DNS;
-			break;
-		case AF_INET6:
-			*type = INTERNAL_IP6_DNS;
-			break;
-		default:
-			return FALSE;
-	}
-	*data = chunk_empty;
-	/* enumerate only once */
-	this->public.enumerate = (void*)return_false;
-	return TRUE;
-}
-
-/**
- * Implementation of attribute_handler_t.create_attribute_enumerator
- */
-static enumerator_t* create_attribute_enumerator(private_resolve_handler_t *this,
-										identification_t *server, host_t *vip)
-{
-	if (vip)
-	{
-		attribute_enumerator_t *enumerator;
-
-		enumerator = malloc_thing(attribute_enumerator_t);
-		enumerator->public.enumerate = (void*)attribute_enumerate;
-		enumerator->public.destroy = (void*)free;
-		enumerator->vip = vip;
-
-		return &enumerator->public;
-	}
-	return enumerator_create_empty();
-}
-
-/**
- * Implementation of resolve_handler_t.destroy.
- */
-static void destroy(private_resolve_handler_t *this)
-{
-	this->mutex->destroy(this->mutex);
-	free(this);
-}
-
-/**
- * See header
- */
-resolve_handler_t *resolve_handler_create()
-{
-	private_resolve_handler_t *this = malloc_thing(private_resolve_handler_t);
-
-	this->public.handler.handle = (bool(*)(attribute_handler_t*, identification_t*, configuration_attribute_type_t, chunk_t))handle;
-	this->public.handler.release = (void(*)(attribute_handler_t*, identification_t*, configuration_attribute_type_t, chunk_t))release;
-	this->public.handler.create_attribute_enumerator = (enumerator_t*(*)(attribute_handler_t*, identification_t *server, host_t *vip))create_attribute_enumerator;
-	this->public.destroy = (void(*)(resolve_handler_t*))destroy;
-
-	this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
-	this->file = lib->settings->get_str(lib->settings,
-								"charon.plugins.resolve.file", RESOLV_CONF);
-
-	return &this->public;
-}
-
diff --git a/src/libcharon/plugins/resolve/resolve_handler.h b/src/libcharon/plugins/resolve/resolve_handler.h
deleted file mode 100644
index 77bf9781c..000000000
--- a/src/libcharon/plugins/resolve/resolve_handler.h
+++ /dev/null
@@ -1,49 +0,0 @@
-/*
- * Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup resolve_handler resolve_handler
- * @{ @ingroup resolve
- */
-
-#ifndef RESOLVE_HANDLER_H_
-#define RESOLVE_HANDLER_H_
-
-#include <attributes/attribute_handler.h>
-
-typedef struct resolve_handler_t resolve_handler_t;
-
-/**
- * Handle DNS configuration attributes by mangling a resolv.conf file.
- */
-struct resolve_handler_t {
-
-	/**
-	 * Implements the attribute_handler_t interface
-	 */
-	attribute_handler_t handler;
-
-	/**
-	 * Destroy a resolve_handler_t.
-	 */
-	void (*destroy)(resolve_handler_t *this);
-};
-
-/**
- * Create a resolve_handler instance.
- */
-resolve_handler_t *resolve_handler_create();
-
-#endif /** RESOLVE_HANDLER_H_ @}*/
diff --git a/src/libcharon/plugins/resolve/resolve_plugin.c b/src/libcharon/plugins/resolve/resolve_plugin.c
deleted file mode 100644
index 502129593..000000000
--- a/src/libcharon/plugins/resolve/resolve_plugin.c
+++ /dev/null
@@ -1,62 +0,0 @@
-/*
- * Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "resolve_plugin.h"
-#include "resolve_handler.h"
-
-#include <hydra.h>
-
-typedef struct private_resolve_plugin_t private_resolve_plugin_t;
-
-/**
- * private data of resolve plugin
- */
-struct private_resolve_plugin_t {
-
-	/**
-	 * implements plugin interface
-	 */
-	resolve_plugin_t public;
-
-	/**
-	 * The registerd DNS attribute handler
-	 */
-	resolve_handler_t *handler;
-};
-
-/**
- * Implementation of plugin_t.destroy
- */
-static void destroy(private_resolve_plugin_t *this)
-{
-	hydra->attributes->remove_handler(hydra->attributes, &this->handler->handler);
-	this->handler->destroy(this->handler);
-	free(this);
-}
-
-/*
- * see header file
- */
-plugin_t *resolve_plugin_create()
-{
-	private_resolve_plugin_t *this = malloc_thing(private_resolve_plugin_t);
-
-	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-	this->handler = resolve_handler_create();
-	hydra->attributes->add_handler(hydra->attributes, &this->handler->handler);
-
-	return &this->public.plugin;
-}
-
diff --git a/src/libcharon/plugins/resolve/resolve_plugin.h b/src/libcharon/plugins/resolve/resolve_plugin.h
deleted file mode 100644
index 0148b10d7..000000000
--- a/src/libcharon/plugins/resolve/resolve_plugin.h
+++ /dev/null
@@ -1,42 +0,0 @@
-/*
- * Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup resolve resolve
- * @ingroup cplugins
- *
- * @defgroup resolve_plugin resolve_plugin
- * @{ @ingroup resolve
- */
-
-#ifndef RESOLVE_PLUGIN_H_
-#define RESOLVE_PLUGIN_H_
-
-#include <plugins/plugin.h>
-
-typedef struct resolve_plugin_t resolve_plugin_t;
-
-/**
- * Plugin that writes received DNS servers in a resolv.conf file.
- */
-struct resolve_plugin_t {
-
-	/**
-	 * implements plugin interface
-	 */
-	plugin_t plugin;
-};
-
-#endif /** RESOLVE_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/smp/Makefile.in b/src/libcharon/plugins/smp/Makefile.in
index b88283f38..35fb8367f 100644
--- a/src/libcharon/plugins/smp/Makefile.in
+++ b/src/libcharon/plugins/smp/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
diff --git a/src/libcharon/plugins/socket_default/Makefile.in b/src/libcharon/plugins/socket_default/Makefile.in
index 03c438acd..df63d862e 100644
--- a/src/libcharon/plugins/socket_default/Makefile.in
+++ b/src/libcharon/plugins/socket_default/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
diff --git a/src/libcharon/plugins/socket_dynamic/Makefile.in b/src/libcharon/plugins/socket_dynamic/Makefile.in
index 3a5fb3778..8a3a15188 100644
--- a/src/libcharon/plugins/socket_dynamic/Makefile.in
+++ b/src/libcharon/plugins/socket_dynamic/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
diff --git a/src/libcharon/plugins/socket_raw/Makefile.in b/src/libcharon/plugins/socket_raw/Makefile.in
index 65ad6a7a9..32bd9e0a1 100644
--- a/src/libcharon/plugins/socket_raw/Makefile.in
+++ b/src/libcharon/plugins/socket_raw/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
diff --git a/src/libcharon/plugins/socket_raw/socket_raw_socket.c b/src/libcharon/plugins/socket_raw/socket_raw_socket.c
index e0155fa87..166870421 100644
--- a/src/libcharon/plugins/socket_raw/socket_raw_socket.c
+++ b/src/libcharon/plugins/socket_raw/socket_raw_socket.c
@@ -538,11 +538,12 @@ static int open_recv_socket(private_socket_raw_socket_t *this, int family)
 		/* Destination Port must be either port or natt_port */
 		BPF_STMT(BPF_LD+BPF_H+BPF_ABS, udp_header + 2),
 		BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, IKEV2_UDP_PORT, 1, 0),
-		BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, IKEV2_NATT_PORT, 5, 12),
+		BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, IKEV2_NATT_PORT, 6, 14),
 		/* port */
-			/* IKE version must be 2.0 */
+			/* IKE version must be 2.x */
 			BPF_STMT(BPF_LD+BPF_B+BPF_ABS, ike_header + IKE_VERSION_OFFSET),
-			BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0x20, 0, 10),
+			BPF_STMT(BPF_ALU+BPF_RSH+BPF_K, 4),
+			BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 2, 0, 11),
 			/* packet length is length in IKEv2 header + ip header + udp header */
 			BPF_STMT(BPF_LD+BPF_W+BPF_ABS, ike_header + IKE_LENGTH_OFFSET),
 			BPF_STMT(BPF_ALU+BPF_ADD+BPF_K, ip_len + UDP_LEN),
@@ -550,10 +551,11 @@ static int open_recv_socket(private_socket_raw_socket_t *this, int family)
 		/* natt_port */
 			/* nat-t: check for marker */
 			BPF_STMT(BPF_LD+BPF_W+BPF_ABS, ike_header),
-			BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0, 0, 5),
-			/* nat-t: IKE version must be 2.0 */
+			BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0, 0, 6),
+			/* nat-t: IKE version must be 2.x */
 			BPF_STMT(BPF_LD+BPF_B+BPF_ABS, ike_header + MARKER_LEN + IKE_VERSION_OFFSET),
-			BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0x20, 0, 3),
+			BPF_STMT(BPF_ALU+BPF_RSH+BPF_K, 4),
+			BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 2, 0, 3),
 			/* nat-t: packet length is length in IKEv2 header + ip header + udp header + non esp marker */
 			BPF_STMT(BPF_LD+BPF_W+BPF_ABS, ike_header + MARKER_LEN + IKE_LENGTH_OFFSET),
 			BPF_STMT(BPF_ALU+BPF_ADD+BPF_K, ip_len + UDP_LEN + MARKER_LEN),
diff --git a/src/libcharon/plugins/sql/Makefile.in b/src/libcharon/plugins/sql/Makefile.in
index 5803dc898..e32dc7b57 100644
--- a/src/libcharon/plugins/sql/Makefile.in
+++ b/src/libcharon/plugins/sql/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
diff --git a/src/libcharon/plugins/sql/sql_config.c b/src/libcharon/plugins/sql/sql_config.c
index 23366898a..a47d93f7b 100644
--- a/src/libcharon/plugins/sql/sql_config.c
+++ b/src/libcharon/plugins/sql/sql_config.c
@@ -134,7 +134,7 @@ static child_cfg_t *build_child_cfg(private_sql_config_t *this, enumerator_t *e)
 			.time = { .life = lifetime, .rekey = rekeytime, .jitter = jitter }
 		};
 		child_cfg = child_cfg_create(name, &lft, updown, hostaccess, mode,
-									 dpd, close, ipcomp, 0);
+									 dpd, close, ipcomp, 0, 0, NULL, NULL);
 		/* TODO: read proposal from db */
 		child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
 		add_traffic_selectors(this, child_cfg, id);
diff --git a/src/libcharon/plugins/sql/sql_plugin.c b/src/libcharon/plugins/sql/sql_plugin.c
index e2d2d63b3..7b0a198d1 100644
--- a/src/libcharon/plugins/sql/sql_plugin.c
+++ b/src/libcharon/plugins/sql/sql_plugin.c
@@ -59,7 +59,7 @@ struct private_sql_plugin_t {
 static void destroy(private_sql_plugin_t *this)
 {
 	charon->backends->remove_backend(charon->backends, &this->config->backend);
-	charon->credentials->remove_set(charon->credentials, &this->cred->set);
+	lib->credmgr->remove_set(lib->credmgr, &this->cred->set);
 	charon->bus->remove_listener(charon->bus, &this->logger->listener);
 	this->config->destroy(this->config);
 	this->cred->destroy(this->cred);
@@ -99,7 +99,7 @@ plugin_t *sql_plugin_create()
 	this->logger = sql_logger_create(this->db);
 
 	charon->backends->add_backend(charon->backends, &this->config->backend);
-	charon->credentials->add_set(charon->credentials, &this->cred->set);
+	lib->credmgr->add_set(lib->credmgr, &this->cred->set);
 	charon->bus->add_listener(charon->bus, &this->logger->listener);
 
 	return &this->public.plugin;
diff --git a/src/libcharon/plugins/stroke/Makefile.in b/src/libcharon/plugins/stroke/Makefile.in
index 8815ba741..e094200ca 100644
--- a/src/libcharon/plugins/stroke/Makefile.in
+++ b/src/libcharon/plugins/stroke/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
diff --git a/src/libcharon/plugins/stroke/stroke_ca.c b/src/libcharon/plugins/stroke/stroke_ca.c
index 49146f18b..9a3ae0ab9 100644
--- a/src/libcharon/plugins/stroke/stroke_ca.c
+++ b/src/libcharon/plugins/stroke/stroke_ca.c
@@ -306,7 +306,8 @@ static void del(private_stroke_ca_t *this, stroke_msg_t *msg)
 		return;
 	}
 	ca_section_destroy(ca);
-	/* TODO: flush cached certs */
+
+	lib->credmgr->flush_cache(lib->credmgr, CERT_ANY);
 }
 
 /**
@@ -356,12 +357,16 @@ static void check_for_hash_and_url(private_stroke_ca_t *this, certificate_t* cer
 	{
 		if (section->certuribase && cert->issued_by(cert, section->cert))
 		{
-			chunk_t hash, encoded = cert->get_encoding(cert);
-			hasher->allocate_hash(hasher, encoded, &hash);
-			section->hashes->insert_last(section->hashes,
-					identification_create_from_encoding(ID_KEY_ID, hash));
-			chunk_free(&hash);
-			chunk_free(&encoded);
+			chunk_t hash, encoded;
+
+			if (cert->get_encoding(cert, CERT_ASN1_DER, &encoded))
+			{
+				hasher->allocate_hash(hasher, encoded, &hash);
+				section->hashes->insert_last(section->hashes,
+						identification_create_from_encoding(ID_KEY_ID, hash));
+				chunk_free(&hash);
+				chunk_free(&encoded);
+			}
 			break;
 		}
 	}
@@ -400,11 +405,11 @@ static void list(private_stroke_ca_t *this, stroke_msg_t *msg, FILE *out)
 		/* list authkey and keyid */
 		if (public)
 		{
-			if (public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1, &chunk))
+			if (public->get_fingerprint(public, KEYID_PUBKEY_SHA1, &chunk))
 			{
 				fprintf(out, "  authkey:      %#B\n", &chunk);
 			}
-			if (public->get_fingerprint(public, KEY_ID_PUBKEY_INFO_SHA1, &chunk))
+			if (public->get_fingerprint(public, KEYID_PUBKEY_INFO_SHA1, &chunk))
 			{
 				fprintf(out, "  keyid:        %#B\n", &chunk);
 			}
diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c
index bbc1e7a31..617069432 100644
--- a/src/libcharon/plugins/stroke/stroke_config.c
+++ b/src/libcharon/plugins/stroke/stroke_config.c
@@ -399,8 +399,8 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
 	if (ca)
 	{
 		identity = identification_create_from_string(ca);
-		certificate = charon->credentials->get_cert(charon->credentials,
-											CERT_X509, KEY_ANY, identity, TRUE);
+		certificate = lib->credmgr->get_cert(lib->credmgr, CERT_X509,
+											 KEY_ANY, identity, TRUE);
 		identity->destroy(identity);
 		if (certificate)
 		{
@@ -413,7 +413,7 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
 		}
 	}
 
-	/* AC groups */
+	/* groups */
 	if (end->groups)
 	{
 		enumerator_t *enumerator;
@@ -422,9 +422,8 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
 		enumerator = enumerator_create_token(end->groups, ",", " ");
 		while (enumerator->enumerate(enumerator, &group))
 		{
-			identity = identification_create_from_encoding(ID_IETF_ATTR_STRING,
-											chunk_create(group, strlen(group)));
-			cfg->add(cfg, AUTH_RULE_AC_GROUP, identity);
+			cfg->add(cfg, AUTH_RULE_GROUP,
+					 identification_create_from_string(group));
 		}
 		enumerator->destroy(enumerator);
 	}
@@ -769,6 +768,14 @@ static child_cfg_t *build_child_cfg(private_stroke_config_t *this,
 			.jitter = msg->add_conn.rekey.margin_packets * msg->add_conn.rekey.fuzz / 100
 		}
 	};
+	mark_t mark_in = {
+		.value = msg->add_conn.mark_in.value,
+		.mask = msg->add_conn.mark_in.mask
+	};
+	mark_t mark_out = {
+		.value = msg->add_conn.mark_out.value,
+		.mask = msg->add_conn.mark_out.mask
+	};
 
 	switch (msg->add_conn.dpd.action)
 	{	/* map startes magic values to our action type */
@@ -787,7 +794,8 @@ static child_cfg_t *build_child_cfg(private_stroke_config_t *this,
 				msg->add_conn.name, &lifetime,
 				msg->add_conn.me.updown, msg->add_conn.me.hostaccess,
 				msg->add_conn.mode, dpd, dpd, msg->add_conn.ipcomp,
-				msg->add_conn.inactivity);
+				msg->add_conn.inactivity, msg->add_conn.reqid,
+				&mark_in, &mark_out);
 	child_cfg->set_mipv6_options(child_cfg, msg->add_conn.proxy_mode,
 											msg->add_conn.install_policy);
 	add_ts(this, &msg->add_conn.me, child_cfg, TRUE);
diff --git a/src/libcharon/plugins/stroke/stroke_control.c b/src/libcharon/plugins/stroke/stroke_control.c
index a03aef697..f64421551 100644
--- a/src/libcharon/plugins/stroke/stroke_control.c
+++ b/src/libcharon/plugins/stroke/stroke_control.c
@@ -186,6 +186,11 @@ static void terminate(private_stroke_control_t *this, stroke_msg_t *msg, FILE *o
 	}
 	else
 	{
+		if (!pos)
+		{
+			DBG1(DBG_CFG, "error parsing string");
+			return;
+		}
 		if (*(pos + 1) == '*')
 		{	/* is name[*] */
 			all = TRUE;
diff --git a/src/libcharon/plugins/stroke/stroke_cred.c b/src/libcharon/plugins/stroke/stroke_cred.c
index e0a5210a9..2816b9bb2 100644
--- a/src/libcharon/plugins/stroke/stroke_cred.c
+++ b/src/libcharon/plugins/stroke/stroke_cred.c
@@ -378,7 +378,7 @@ static bool add_crl(private_stroke_cred_t *this, crl_t* crl)
 			}
 			if (found)
 			{
-				new = cert->is_newer(cert, current);
+				new = crl_is_newer(crl, crl_c);
 				if (new)
 				{
 					this->certs->remove_at(this->certs, enumerator);
@@ -587,9 +587,11 @@ static void cache_cert(private_stroke_cred_t *this, certificate_t *cert)
 			snprintf(buf, sizeof(buf), "%s/%s.crl", CRL_DIR, hex);
 			free(hex.ptr);
 
-			chunk = cert->get_encoding(cert);
-			chunk_write(chunk, buf, "crl", 022, TRUE);
-			free(chunk.ptr);
+			if (cert->get_encoding(cert, CERT_ASN1_DER, &chunk))
+			{
+				chunk_write(chunk, buf, "crl", 022, TRUE);
+				free(chunk.ptr);
+			}
 		}
 	}
 }
diff --git a/src/libcharon/plugins/stroke/stroke_list.c b/src/libcharon/plugins/stroke/stroke_list.c
index c2a98da33..a6de35466 100644
--- a/src/libcharon/plugins/stroke/stroke_list.c
+++ b/src/libcharon/plugins/stroke/stroke_list.c
@@ -17,6 +17,10 @@
 
 #include <time.h>
 
+#ifdef HAVE_MALLINFO
+#include <malloc.h>
+#endif /* HAVE_MALLINFO */
+
 #include <daemon.h>
 #include <utils/linked_list.h>
 #include <credentials/certificates/x509.h>
@@ -54,6 +58,33 @@ struct private_stroke_list_t {
 	stroke_attribute_t *attribute;
 };
 
+/**
+ * Log tasks of a specific queue to out
+ */
+static void log_task_q(FILE *out, ike_sa_t *ike_sa, task_queue_t q, char *name)
+{
+	enumerator_t *enumerator;
+	bool has = FALSE;
+	task_t *task;
+
+	enumerator = ike_sa->create_task_enumerator(ike_sa, q);
+	while (enumerator->enumerate(enumerator, &task))
+	{
+		if (!has)
+		{
+			fprintf(out, "%12s[%d]: Tasks %s: ", ike_sa->get_name(ike_sa),
+					ike_sa->get_unique_id(ike_sa), name);
+			has = TRUE;
+		}
+		fprintf(out, "%N ", task_type_names, task->get_type(task));
+	}
+	enumerator->destroy(enumerator);
+	if (has)
+	{
+		fprintf(out, "\n");
+	}
+}
+
 /**
  * log an IKE_SA to out
  */
@@ -140,6 +171,10 @@ static void log_ike_sa(FILE *out, ike_sa_t *ike_sa, bool all)
 					ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa),
 					buf+4);
 		}
+
+		log_task_q(out, ike_sa, TASK_QUEUE_QUEUED, "queued");
+		log_task_q(out, ike_sa, TASK_QUEUE_ACTIVE, "active");
+		log_task_q(out, ike_sa, TASK_QUEUE_PASSIVE, "passive");
 	}
 }
 
@@ -342,7 +377,7 @@ static void log_auth_cfgs(FILE *out, peer_cfg_t *peer_cfg, bool local)
 		rules = auth->create_enumerator(auth);
 		while (rules->enumerate(rules, &rule, &id))
 		{
-			if (rule == AUTH_RULE_AC_GROUP)
+			if (rule == AUTH_RULE_GROUP)
 			{
 				fprintf(out, "%12s:    group: %Y\n", name, id);
 			}
@@ -373,12 +408,19 @@ static void status(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out, bo
 		u_int32_t dpd;
 		time_t since, now;
 		u_int size, online, offline;
-
 		now = time_monotonic(NULL);
 		since = time(NULL) - (now - this->uptime);
 
 		fprintf(out, "Status of IKEv2 charon daemon (strongSwan "VERSION"):\n");
 		fprintf(out, "  uptime: %V, since %T\n", &now, &this->uptime, &since, FALSE);
+#ifdef HAVE_MALLINFO
+		{
+			struct mallinfo mi = mallinfo();
+
+			fprintf(out, "  malloc: sbrk %d, mmap %d, used %d, free %d\n",
+				    mi.arena, mi.hblkhd, mi.uordblks, mi.fordblks);
+		}
+#endif /* HAVE_MALLINFO */
 		fprintf(out, "  worker threads: %d idle of %d,",
 				charon->processor->get_idle_threads(charon->processor),
 				charon->processor->get_total_threads(charon->processor));
@@ -534,9 +576,8 @@ static void status(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out, bo
 static linked_list_t* create_unique_cert_list(certificate_type_t type)
 {
 	linked_list_t *list = linked_list_create();
-	enumerator_t *enumerator = charon->credentials->create_cert_enumerator(
-									charon->credentials, type, KEY_ANY,
-									NULL, FALSE);
+	enumerator_t *enumerator = lib->credmgr->create_cert_enumerator(
+									lib->credmgr, type, KEY_ANY, NULL, FALSE);
 	certificate_t *cert;
 
 	while (enumerator->enumerate(enumerator, (void**)&cert))
@@ -585,11 +626,11 @@ static void list_public_key(public_key_t *public, FILE *out)
 	identification_t *id;
 	auth_cfg_t *auth;
 
-	if (public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1, &keyid))
+	if (public->get_fingerprint(public, KEYID_PUBKEY_SHA1, &keyid))
 	{
 		id = identification_create_from_encoding(ID_KEY_ID, keyid);
 		auth = auth_cfg_create();
-		private = charon->credentials->get_private(charon->credentials,
+		private = lib->credmgr->get_private(lib->credmgr,
 									public->get_type(public), id, auth);
 		auth->destroy(auth);
 		id->destroy(id);
@@ -599,11 +640,11 @@ static void list_public_key(public_key_t *public, FILE *out)
 			key_type_names, public->get_type(public),
 			public->get_keysize(public) * 8,
 			private ? ", has private key" : "");
-	if (public->get_fingerprint(public, KEY_ID_PUBKEY_INFO_SHA1, &keyid))
+	if (public->get_fingerprint(public, KEYID_PUBKEY_INFO_SHA1, &keyid))
 	{
 		fprintf(out, "  keyid:     %#B\n", &keyid);
 	}
-	if (public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1, &keyid))
+	if (public->get_fingerprint(public, KEYID_PUBKEY_SHA1, &keyid))
 	{
 		fprintf(out, "  subjkey:   %#B\n", &keyid);
 	}
diff --git a/src/libcharon/plugins/stroke/stroke_socket.c b/src/libcharon/plugins/stroke/stroke_socket.c
index 56c18da38..18afa5af4 100644
--- a/src/libcharon/plugins/stroke/stroke_socket.c
+++ b/src/libcharon/plugins/stroke/stroke_socket.c
@@ -344,8 +344,7 @@ static void stroke_purge(private_stroke_socket_t *this,
 {
 	if (msg->purge.flags & PURGE_OCSP)
 	{
-		charon->credentials->flush_cache(charon->credentials,
-										 CERT_X509_OCSP_RESPONSE);
+		lib->credmgr->flush_cache(lib->credmgr, CERT_X509_OCSP_RESPONSE);
 	}
 	if (msg->purge.flags & PURGE_IKE)
 	{
@@ -622,8 +621,8 @@ static bool open_socket(private_stroke_socket_t *this)
 static void destroy(private_stroke_socket_t *this)
 {
 	this->job->cancel(this->job);
-	charon->credentials->remove_set(charon->credentials, &this->ca->set);
-	charon->credentials->remove_set(charon->credentials, &this->cred->set);
+	lib->credmgr->remove_set(lib->credmgr, &this->ca->set);
+	lib->credmgr->remove_set(lib->credmgr, &this->cred->set);
 	charon->backends->remove_backend(charon->backends, &this->config->backend);
 	hydra->attributes->remove_provider(hydra->attributes, &this->attribute->provider);
 	this->cred->destroy(this->cred);
@@ -657,8 +656,8 @@ stroke_socket_t *stroke_socket_create()
 	this->control = stroke_control_create();
 	this->list = stroke_list_create(this->attribute);
 
-	charon->credentials->add_set(charon->credentials, &this->ca->set);
-	charon->credentials->add_set(charon->credentials, &this->cred->set);
+	lib->credmgr->add_set(lib->credmgr, &this->ca->set);
+	lib->credmgr->add_set(lib->credmgr, &this->cred->set);
 	charon->backends->add_backend(charon->backends, &this->config->backend);
 	hydra->attributes->add_provider(hydra->attributes, &this->attribute->provider);
 
diff --git a/src/libcharon/plugins/uci/Makefile.in b/src/libcharon/plugins/uci/Makefile.in
index c10829bb3..934ab6080 100644
--- a/src/libcharon/plugins/uci/Makefile.in
+++ b/src/libcharon/plugins/uci/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
diff --git a/src/libcharon/plugins/uci/uci_config.c b/src/libcharon/plugins/uci/uci_config.c
index bd58afbf0..ddddae782 100644
--- a/src/libcharon/plugins/uci/uci_config.c
+++ b/src/libcharon/plugins/uci/uci_config.c
@@ -196,7 +196,8 @@ static bool peer_enumerator_enumerate(peer_enumerator_t *this, peer_cfg_t **cfg)
 		this->peer_cfg->add_auth_cfg(this->peer_cfg, auth, FALSE);
 
 		child_cfg = child_cfg_create(name, &lifetime, NULL, TRUE, MODE_TUNNEL,
-									 ACTION_NONE, ACTION_NONE, FALSE, 0);
+									 ACTION_NONE, ACTION_NONE, FALSE, 0, 0,
+									 NULL, NULL);
 		child_cfg->add_proposal(child_cfg, create_proposal(esp_proposal, PROTO_ESP));
 		child_cfg->add_traffic_selector(child_cfg, TRUE, create_ts(local_net));
 		child_cfg->add_traffic_selector(child_cfg, FALSE, create_ts(remote_net));
diff --git a/src/libcharon/plugins/uci/uci_plugin.c b/src/libcharon/plugins/uci/uci_plugin.c
index 742fcf4d0..4790ef4e7 100644
--- a/src/libcharon/plugins/uci/uci_plugin.c
+++ b/src/libcharon/plugins/uci/uci_plugin.c
@@ -64,7 +64,7 @@ struct private_uci_plugin_t {
 static void destroy(private_uci_plugin_t *this)
 {
 	charon->backends->remove_backend(charon->backends, &this->config->backend);
-	charon->credentials->remove_set(charon->credentials, &this->creds->credential_set);
+	lib->credmgr->remove_set(lib->credmgr, &this->creds->credential_set);
 	this->config->destroy(this->config);
 	this->creds->destroy(this->creds);
 	this->parser->destroy(this->parser);
@@ -86,7 +86,7 @@ plugin_t *uci_plugin_create()
 	this->creds = uci_creds_create(this->parser);
 	this->control = uci_control_create();
 	charon->backends->add_backend(charon->backends, &this->config->backend);
-	charon->credentials->add_set(charon->credentials, &this->creds->credential_set);
+	lib->credmgr->add_set(lib->credmgr, &this->creds->credential_set);
 
 	return &this->public.plugin;
 }
diff --git a/src/libcharon/plugins/unit_tester/Makefile.am b/src/libcharon/plugins/unit_tester/Makefile.am
index e27d1f859..c46d2b85d 100644
--- a/src/libcharon/plugins/unit_tester/Makefile.am
+++ b/src/libcharon/plugins/unit_tester/Makefile.am
@@ -24,6 +24,7 @@ libstrongswan_unit_tester_la_SOURCES = \
 	tests/test_chunk.c \
 	tests/test_pool.c \
 	tests/test_agent.c \
-	tests/test_id.c
+	tests/test_id.c \
+	tests/test_hashtable.c
 
 libstrongswan_unit_tester_la_LDFLAGS = -module -avoid-version
diff --git a/src/libcharon/plugins/unit_tester/Makefile.in b/src/libcharon/plugins/unit_tester/Makefile.in
index 6ca43a38f..47850c1c5 100644
--- a/src/libcharon/plugins/unit_tester/Makefile.in
+++ b/src/libcharon/plugins/unit_tester/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -78,7 +78,7 @@ am_libstrongswan_unit_tester_la_OBJECTS = unit_tester.lo \
 	test_enumerator.lo test_auth_info.lo test_curl.lo \
 	test_mysql.lo test_sqlite.lo test_mutex.lo test_rsa_gen.lo \
 	test_cert.lo test_med_db.lo test_chunk.lo test_pool.lo \
-	test_agent.lo test_id.lo
+	test_agent.lo test_id.lo test_hashtable.lo
 libstrongswan_unit_tester_la_OBJECTS =  \
 	$(am_libstrongswan_unit_tester_la_OBJECTS)
 libstrongswan_unit_tester_la_LINK = $(LIBTOOL) --tag=CC \
@@ -281,7 +281,8 @@ libstrongswan_unit_tester_la_SOURCES = \
 	tests/test_chunk.c \
 	tests/test_pool.c \
 	tests/test_agent.c \
-	tests/test_id.c
+	tests/test_id.c \
+	tests/test_hashtable.c
 
 libstrongswan_unit_tester_la_LDFLAGS = -module -avoid-version
 all: all-am
@@ -373,6 +374,7 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_chunk.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_curl.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_enumerator.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_hashtable.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_id.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_med_db.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_mutex.Plo@am__quote@
@@ -494,6 +496,13 @@ test_id.lo: tests/test_id.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_id.lo `test -f 'tests/test_id.c' || echo '$(srcdir)/'`tests/test_id.c
 
+test_hashtable.lo: tests/test_hashtable.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_hashtable.lo -MD -MP -MF $(DEPDIR)/test_hashtable.Tpo -c -o test_hashtable.lo `test -f 'tests/test_hashtable.c' || echo '$(srcdir)/'`tests/test_hashtable.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/test_hashtable.Tpo $(DEPDIR)/test_hashtable.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tests/test_hashtable.c' object='test_hashtable.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_hashtable.lo `test -f 'tests/test_hashtable.c' || echo '$(srcdir)/'`tests/test_hashtable.c
+
 mostlyclean-libtool:
 	-rm -f *.lo
 
diff --git a/src/libcharon/plugins/unit_tester/tests.h b/src/libcharon/plugins/unit_tester/tests.h
index 96313d390..cd38c8a99 100644
--- a/src/libcharon/plugins/unit_tester/tests.h
+++ b/src/libcharon/plugins/unit_tester/tests.h
@@ -19,6 +19,7 @@
  */
 
 DEFINE_TEST("linked_list_t->remove()", test_list_remove, FALSE)
+DEFINE_TEST("hashtable_t->remove_at()", test_hashtable_remove_at, FALSE)
 DEFINE_TEST("simple enumerator", test_enumerate, FALSE)
 DEFINE_TEST("nested enumerator", test_enumerate_nested, FALSE)
 DEFINE_TEST("filtered enumerator", test_enumerate_filtered, FALSE)
diff --git a/src/libcharon/plugins/unit_tester/tests/test_auth_info.c b/src/libcharon/plugins/unit_tester/tests/test_auth_info.c
index d6abe7a05..c250c356f 100644
--- a/src/libcharon/plugins/unit_tester/tests/test_auth_info.c
+++ b/src/libcharon/plugins/unit_tester/tests/test_auth_info.c
@@ -15,7 +15,7 @@
 
 #include <daemon.h>
 #include <library.h>
-#include <config/auth_cfg.h>
+#include <credentials/auth_cfg.h>
 
 
 static chunk_t certchunk = chunk_from_chars(
diff --git a/src/libcharon/plugins/unit_tester/tests/test_hashtable.c b/src/libcharon/plugins/unit_tester/tests/test_hashtable.c
new file mode 100644
index 000000000..bd79e12f7
--- /dev/null
+++ b/src/libcharon/plugins/unit_tester/tests/test_hashtable.c
@@ -0,0 +1,111 @@
+/*
+ * Copyright (C) 2010 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <library.h>
+#include <utils/hashtable.h>
+
+static u_int hash(char *key)
+{
+	return chunk_hash(chunk_create(key, strlen(key)));
+}
+
+static u_int equals(char *key1, char *key2)
+{
+	return streq(key1, key2);
+}
+
+/**
+ * Test the remove_at method
+ */
+bool test_hashtable_remove_at()
+{
+	char *k1 = "key1", *k2 = "key2", *k3 = "key3", *key;
+	char *v1 = "val1", *v2 = "val2", *v3 = "val3", *value;
+	enumerator_t *enumerator;
+	hashtable_t *ht = hashtable_create((hashtable_hash_t)hash,
+									   (hashtable_equals_t)equals, 0);
+
+	ht->put(ht, k1, v1);
+	ht->put(ht, k2, v2);
+	ht->put(ht, k3, v3);
+
+	if (ht->get_count(ht) != 3)
+	{
+		return FALSE;
+	}
+
+	enumerator = ht->create_enumerator(ht);
+	while (enumerator->enumerate(enumerator, &key, &value))
+	{
+		if (streq(key, k2))
+		{
+			ht->remove_at(ht, enumerator);
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	if (ht->get_count(ht) != 2)
+	{
+		return FALSE;
+	}
+
+	if (ht->get(ht, k1) == NULL ||
+		ht->get(ht, k3) == NULL)
+	{
+		return FALSE;
+	}
+
+	if (ht->get(ht, k2) != NULL)
+	{
+		return FALSE;
+	}
+
+	ht->put(ht, k2, v2);
+
+	if (ht->get_count(ht) != 3)
+	{
+		return FALSE;
+	}
+
+	if (ht->get(ht, k1) == NULL ||
+		ht->get(ht, k2) == NULL ||
+		ht->get(ht, k3) == NULL)
+	{
+		return FALSE;
+	}
+
+	enumerator = ht->create_enumerator(ht);
+	while (enumerator->enumerate(enumerator, &key, &value))
+	{
+		ht->remove_at(ht, enumerator);
+	}
+	enumerator->destroy(enumerator);
+
+	if (ht->get_count(ht) != 0)
+	{
+		return FALSE;
+	}
+
+	if (ht->get(ht, k1) != NULL ||
+		ht->get(ht, k2) != NULL ||
+		ht->get(ht, k3) != NULL)
+	{
+		return FALSE;
+	}
+
+	ht->destroy(ht);
+
+	return TRUE;
+}
diff --git a/src/libcharon/plugins/unit_tester/tests/test_med_db.c b/src/libcharon/plugins/unit_tester/tests/test_med_db.c
index 7fd78b0bc..ae1d08e15 100644
--- a/src/libcharon/plugins/unit_tester/tests/test_med_db.c
+++ b/src/libcharon/plugins/unit_tester/tests/test_med_db.c
@@ -37,11 +37,11 @@ bool test_med_db()
 	bool good = FALSE;
 
 	id = identification_create_from_encoding(ID_KEY_ID, keyid);
-	enumerator = charon->credentials->create_public_enumerator(
-									charon->credentials, KEY_ANY, id, NULL);
+	enumerator = lib->credmgr->create_public_enumerator(lib->credmgr,
+														KEY_ANY, id, NULL);
 	while (enumerator->enumerate(enumerator, &public, &auth))
 	{
-		good = public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1, &found);
+		good = public->get_fingerprint(public, KEYID_PUBKEY_SHA1, &found);
 		if (good)
 		{
 			good = chunk_equals(id->get_encoding(id), found);
diff --git a/src/libcharon/plugins/updown/Makefile.in b/src/libcharon/plugins/updown/Makefile.in
index d3c509a32..ce233ad04 100644
--- a/src/libcharon/plugins/updown/Makefile.in
+++ b/src/libcharon/plugins/updown/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
diff --git a/src/libcharon/plugins/updown/updown_listener.c b/src/libcharon/plugins/updown/updown_listener.c
index 5a6746f92..ea4a792c2 100644
--- a/src/libcharon/plugins/updown/updown_listener.c
+++ b/src/libcharon/plugins/updown/updown_listener.c
@@ -115,7 +115,8 @@ METHOD(listener_t, child_updown, bool,
 	{
 		char command[1024];
 		char *my_client, *other_client, *my_client_mask, *other_client_mask;
-		char *pos, *virtual_ip, *iface;
+		char *pos, *virtual_ip, *iface, *mark_in, *mark_out, *udp_enc;
+		mark_t mark;
 		bool is_host, is_ipv6;
 		FILE *shell;
 
@@ -160,6 +161,61 @@ METHOD(listener_t, child_updown, bool,
 			}
 		}
 
+		/* check for the presence of an inbound mark */
+		mark = config->get_mark(config, TRUE);
+		if (mark.value)
+		{
+			if (asprintf(&mark_in, "PLUTO_MARK_IN='%u/0x%08x' ",
+						 mark.value, mark.mask ) < 0)
+			{
+				mark_in = NULL;
+			}
+		}
+		else
+		{
+			if (asprintf(&mark_in, "") < 0)
+			{
+				mark_in = NULL;
+			}
+		}
+
+		/* check for the presence of an outbound mark */
+		mark = config->get_mark(config, FALSE);
+		if (mark.value)
+		{
+			if (asprintf(&mark_out, "PLUTO_MARK_OUT='%u/0x%08x' ",
+						 mark.value, mark.mask ) < 0)
+			{
+				mark_out = NULL;
+			}
+		}
+		else
+		{
+			if (asprintf(&mark_out, "") < 0)
+			{
+				mark_out = NULL;
+			}
+		}
+
+		/* check for a NAT condition causing ESP_IN_UDP encapsulation */
+		if (ike_sa->has_condition(ike_sa, COND_NAT_ANY))
+		{
+			if (asprintf(&udp_enc, "PLUTO_UDP_ENC='%u' ",
+						 other->get_port(other)) < 0)
+			{
+				udp_enc = NULL;
+			}
+
+		}
+		else
+		{
+			if (asprintf(&udp_enc, "") < 0)
+			{
+				udp_enc = NULL;
+			}
+
+		}
+
 		if (up)
 		{
 			iface = charon->kernel_interface->get_interface(
@@ -205,6 +261,9 @@ METHOD(listener_t, child_updown, bool,
 				"PLUTO_PEER_PROTOCOL='%u' "
 				"%s"
 				"%s"
+				"%s"
+				"%s"
+				"%s"
 				"%s",
 				 up ? "up" : "down",
 				 is_host ? "-host" : "-client",
@@ -223,11 +282,17 @@ METHOD(listener_t, child_updown, bool,
 				 other_ts->get_from_port(other_ts),
 				 other_ts->get_protocol(other_ts),
 				 virtual_ip,
+				 mark_in,
+				 mark_out,
+				 udp_enc,
 				 config->get_hostaccess(config) ? "PLUTO_HOST_ACCESS='1' " : "",
 				 script);
 		free(my_client);
 		free(other_client);
 		free(virtual_ip);
+		free(mark_in);
+		free(mark_out);
+		free(udp_enc);
 		free(iface);
 
 		DBG3(DBG_CHD, "running updown script: %s", command);
@@ -283,7 +348,9 @@ updown_listener_t *updown_listener_create()
 
 	INIT(this,
 		.public = {
-			.listener.child_updown = _child_updown,
+			.listener = {
+				.child_updown = _child_updown,
+			},
 			.destroy = _destroy,
 		},
 		.iface_cache = linked_list_create(),
diff --git a/src/libcharon/sa/authenticators/authenticator.c b/src/libcharon/sa/authenticators/authenticator.c
index 13586a23e..cd340e53e 100644
--- a/src/libcharon/sa/authenticators/authenticator.c
+++ b/src/libcharon/sa/authenticators/authenticator.c
@@ -34,13 +34,6 @@ ENUM_NEXT(auth_method_names, AUTH_ECDSA_256, AUTH_ECDSA_521, AUTH_DSS,
 	"ECDSA-521 signature");
 ENUM_END(auth_method_names, AUTH_ECDSA_521);
 
-ENUM(auth_class_names, AUTH_CLASS_ANY, AUTH_CLASS_EAP,
-	"any",
-	"public key",
-	"pre-shared key",
-	"EAP",
-);
-
 /**
  * Described in header.
  */
diff --git a/src/libcharon/sa/authenticators/authenticator.h b/src/libcharon/sa/authenticators/authenticator.h
index fff91ed34..89178b5cf 100644
--- a/src/libcharon/sa/authenticators/authenticator.h
+++ b/src/libcharon/sa/authenticators/authenticator.h
@@ -24,11 +24,10 @@
 #define AUTHENTICATOR_H_
 
 typedef enum auth_method_t auth_method_t;
-typedef enum auth_class_t auth_class_t;
 typedef struct authenticator_t authenticator_t;
 
 #include <library.h>
-#include <config/auth_cfg.h>
+#include <credentials/auth_cfg.h>
 #include <sa/ike_sa.h>
 
 /**
@@ -75,27 +74,6 @@ enum auth_method_t {
  */
 extern enum_name_t *auth_method_names;
 
-/**
- * Class of authentication to use. This is different to auth_method_t in that
- * it does not specify a method, but a class of acceptable methods. The found
- * certificate finally dictates wich method is used.
- */
-enum auth_class_t {
-	/** any class acceptable */
-	AUTH_CLASS_ANY = 0,
-	/** authentication using public keys (RSA, ECDSA) */
-	AUTH_CLASS_PUBKEY = 1,
-	/** authentication using a pre-shared secrets */
-	AUTH_CLASS_PSK = 2,
-	/** authentication using EAP */
-	AUTH_CLASS_EAP = 3,
-};
-
-/**
- * enum strings for auth_class_t
- */
-extern enum_name_t *auth_class_names;
-
 /**
  * Authenticator interface implemented by the various authenticators.
  *
diff --git a/src/libcharon/sa/authenticators/eap/eap_method.c b/src/libcharon/sa/authenticators/eap/eap_method.c
index 91fa5305f..ad7b92cfa 100644
--- a/src/libcharon/sa/authenticators/eap/eap_method.c
+++ b/src/libcharon/sa/authenticators/eap/eap_method.c
@@ -15,44 +15,6 @@
 
 #include "eap_method.h"
 
-ENUM_BEGIN(eap_type_names, EAP_IDENTITY, EAP_GTC,
-	"EAP_IDENTITY",
-	"EAP_NOTIFICATION",
-	"EAP_NAK",
-	"EAP_MD5",
-	"EAP_OTP",
-	"EAP_GTC");
-ENUM_NEXT(eap_type_names, EAP_SIM, EAP_SIM, EAP_GTC,
-	"EAP_SIM");
-ENUM_NEXT(eap_type_names, EAP_AKA, EAP_AKA, EAP_SIM,
-	"EAP_AKA");
-ENUM_NEXT(eap_type_names, EAP_MSCHAPV2, EAP_MSCHAPV2, EAP_AKA,
-	"EAP_MSCHAPV2");
-ENUM_NEXT(eap_type_names, EAP_RADIUS, EAP_EXPERIMENTAL, EAP_MSCHAPV2,
-	"EAP_RADIUS",
-	"EAP_EXPANDED",
-	"EAP_EXPERIMENTAL");
-ENUM_END(eap_type_names, EAP_EXPERIMENTAL);
-
-ENUM_BEGIN(eap_type_short_names, EAP_IDENTITY, EAP_GTC,
-	"ID",
-	"NTF",
-	"NAK",
-	"MD5",
-	"OTP",
-	"GTC");
-ENUM_NEXT(eap_type_short_names, EAP_SIM, EAP_SIM, EAP_GTC,
-	"SIM");
-ENUM_NEXT(eap_type_short_names, EAP_AKA, EAP_AKA, EAP_SIM,
-	"AKA");
-ENUM_NEXT(eap_type_short_names, EAP_MSCHAPV2, EAP_MSCHAPV2, EAP_AKA,
-	"MSCHAPV2");
-ENUM_NEXT(eap_type_short_names, EAP_RADIUS, EAP_EXPERIMENTAL, EAP_MSCHAPV2,
-	"RAD",
-	"EXP",
-	"XP");
-ENUM_END(eap_type_short_names, EAP_EXPERIMENTAL);
-
 /*
  * See header
  */
diff --git a/src/libcharon/sa/authenticators/eap/eap_method.h b/src/libcharon/sa/authenticators/eap/eap_method.h
index 4cab84535..df354edb4 100644
--- a/src/libcharon/sa/authenticators/eap/eap_method.h
+++ b/src/libcharon/sa/authenticators/eap/eap_method.h
@@ -23,7 +23,6 @@
 
 typedef struct eap_method_t eap_method_t;
 typedef enum eap_role_t eap_role_t;
-typedef enum eap_type_t eap_type_t;
 typedef enum eap_code_t eap_code_t;
 
 #include <library.h>
@@ -42,35 +41,6 @@ enum eap_role_t {
  */
 extern enum_name_t *eap_role_names;
 
-/**
- * EAP types, defines the EAP method implementation
- */
-enum eap_type_t {
-	EAP_IDENTITY = 1,
-	EAP_NOTIFICATION = 2,
-	EAP_NAK = 3,
-	EAP_MD5 = 4,
-	EAP_OTP = 5,
-	EAP_GTC = 6,
-	EAP_SIM = 18,
-	EAP_AKA = 23,
-	EAP_MSCHAPV2 = 26,
-	/** not a method, but an implementation providing different methods */
-	EAP_RADIUS = 253,
-	EAP_EXPANDED = 254,
-	EAP_EXPERIMENTAL = 255,
-};
-
-/**
- * enum names for eap_type_t.
- */
-extern enum_name_t *eap_type_names;
-
-/**
- * short string enum names for eap_type_t.
- */
-extern enum_name_t *eap_type_short_names;
-
 /**
  * Lookup the EAP method type from a string.
  *
diff --git a/src/libcharon/sa/authenticators/eap_authenticator.c b/src/libcharon/sa/authenticators/eap_authenticator.c
index 4617c4d8d..3c0f3c358 100644
--- a/src/libcharon/sa/authenticators/eap_authenticator.c
+++ b/src/libcharon/sa/authenticators/eap_authenticator.c
@@ -140,17 +140,26 @@ static eap_payload_t* server_initiate_eap(private_eap_authenticator_t *this,
 		id = auth->get(auth, AUTH_RULE_EAP_IDENTITY);
 		if (id)
 		{
-			this->method = load_method(this, EAP_IDENTITY, 0, EAP_SERVER);
-			if (this->method)
+			if (id->get_type(id) == ID_ANY)
 			{
-				if (this->method->initiate(this->method, &out) == NEED_MORE)
+				this->method = load_method(this, EAP_IDENTITY, 0, EAP_SERVER);
+				if (this->method)
 				{
-					DBG1(DBG_IKE, "initiating EAP-Identity request");
-					return out;
+					if (this->method->initiate(this->method, &out) == NEED_MORE)
+					{
+						DBG1(DBG_IKE, "initiating EAP-Identity request");
+						return out;
+					}
+					this->method->destroy(this->method);
 				}
-				this->method->destroy(this->method);
+				DBG1(DBG_IKE, "EAP-Identity request configured, "
+					 "but not supported");
+			}
+			else
+			{
+				DBG1(DBG_IKE, "using configured EAP-Identity %Y", id);
+				this->eap_identity = id->clone(id);
 			}
-			DBG1(DBG_IKE, "EAP-Identity request configured, but not supported");
 		}
 	}
 	/* invoke real EAP method */
@@ -220,7 +229,6 @@ static eap_payload_t* server_process_eap(private_eap_authenticator_t *this,
 	eap_type_t type, received_type;
 	u_int32_t vendor, received_vendor;
 	eap_payload_t *out;
-	auth_cfg_t *cfg;
 
 	if (in->get_code(in) != EAP_RESPONSE)
 	{
@@ -283,12 +291,6 @@ static eap_payload_t* server_process_eap(private_eap_authenticator_t *this,
 			}
 			this->ike_sa->set_condition(this->ike_sa, COND_EAP_AUTHENTICATED,
 										TRUE);
-			cfg = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
-			cfg->add(cfg, AUTH_RULE_EAP_TYPE, type);
-			if (vendor)
-			{
-				cfg->add(cfg, AUTH_RULE_EAP_VENDOR, vendor);
-			}
 			this->eap_complete = TRUE;
 			return eap_payload_create_code(EAP_SUCCESS, in->get_identifier(in));
 		case FAILED:
diff --git a/src/libcharon/sa/authenticators/psk_authenticator.c b/src/libcharon/sa/authenticators/psk_authenticator.c
index 67197d690..e69f30dcf 100644
--- a/src/libcharon/sa/authenticators/psk_authenticator.c
+++ b/src/libcharon/sa/authenticators/psk_authenticator.c
@@ -63,8 +63,7 @@ static status_t build(private_psk_authenticator_t *this, message_t *message)
 	other_id = this->ike_sa->get_other_id(this->ike_sa);
 	DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N",
 		 my_id, auth_method_names, AUTH_PSK);
-	key = charon->credentials->get_shared(charon->credentials, SHARED_IKE,
-										  my_id, other_id);
+	key = lib->credmgr->get_shared(lib->credmgr, SHARED_IKE, my_id, other_id);
 	if (key == NULL)
 	{
 		DBG1(DBG_IKE, "no shared key found for '%Y' - '%Y'", my_id, other_id);
@@ -107,8 +106,8 @@ static status_t process(private_psk_authenticator_t *this, message_t *message)
 	recv_auth_data = auth_payload->get_data(auth_payload);
 	my_id = this->ike_sa->get_my_id(this->ike_sa);
 	other_id = this->ike_sa->get_other_id(this->ike_sa);
-	enumerator = charon->credentials->create_shared_enumerator(
-							charon->credentials, SHARED_IKE, my_id, other_id);
+	enumerator = lib->credmgr->create_shared_enumerator(lib->credmgr,
+												SHARED_IKE, my_id, other_id);
 	while (!authenticated && enumerator->enumerate(enumerator, &key, NULL, NULL))
 	{
 		keys_found++;
diff --git a/src/libcharon/sa/authenticators/pubkey_authenticator.c b/src/libcharon/sa/authenticators/pubkey_authenticator.c
index f1dca2702..3c67f6db6 100644
--- a/src/libcharon/sa/authenticators/pubkey_authenticator.c
+++ b/src/libcharon/sa/authenticators/pubkey_authenticator.c
@@ -65,8 +65,7 @@ static status_t build(private_pubkey_authenticator_t *this, message_t *message)
 
 	id = this->ike_sa->get_my_id(this->ike_sa);
 	auth = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
-	private = charon->credentials->get_private(charon->credentials, KEY_ANY,
-											   id, auth);
+	private = lib->credmgr->get_private(lib->credmgr, KEY_ANY, id, auth);
 	if (private == NULL)
 	{
 		DBG1(DBG_IKE, "no private key found for '%Y'", id);
@@ -178,8 +177,8 @@ static status_t process(private_pubkey_authenticator_t *this, message_t *message
 	octets = keymat->get_auth_octets(keymat, TRUE, this->ike_sa_init,
 									 this->nonce, id);
 	auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
-	enumerator = charon->credentials->create_public_enumerator(
-										charon->credentials, key_type, id, auth);
+	enumerator = lib->credmgr->create_public_enumerator(lib->credmgr,
+														key_type, id, auth);
 	while (enumerator->enumerate(enumerator, &public, &current_auth))
 	{
 		if (public->verify(public, scheme, octets, auth_data))
diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c
index 3fdfb51ad..bd41cba56 100644
--- a/src/libcharon/sa/child_sa.c
+++ b/src/libcharon/sa/child_sa.c
@@ -97,6 +97,16 @@ struct private_child_sa_t {
 	 */
 	u_int32_t reqid;
 
+	/**
+	 * inbound mark used for this child_sa
+	 */
+	mark_t mark_in;
+
+	/**
+	 * outbound mark used for this child_sa
+	 */
+	mark_t mark_out;
+
 	/**
 	 * absolute time when rekeying is scheduled
 	 */
@@ -127,6 +137,16 @@ struct private_child_sa_t {
 	 */
 	ipsec_mode_t mode;
 
+	/**
+	 * Action to enforce if peer closes the CHILD_SA
+	 */
+	action_t close_action;
+
+	/**
+	 * Action to enforce if peer is considered dead
+	 */
+	action_t dpd_action;
+
 	/**
 	 * selected proposal
 	 */
@@ -271,6 +291,38 @@ static void set_ipcomp(private_child_sa_t *this, ipcomp_transform_t ipcomp)
 	this->ipcomp = ipcomp;
 }
 
+/**
+ * Implementation of child_sa_t.set_close_action.
+ */
+static void set_close_action(private_child_sa_t *this, action_t action)
+{
+	this->close_action = action;
+}
+
+/**
+ * Implementation of child_sa_t.get_close_action.
+ */
+static action_t get_close_action(private_child_sa_t *this)
+{
+	return this->close_action;
+}
+
+/**
+ * Implementation of child_sa_t.set_dpd_action.
+ */
+static void set_dpd_action(private_child_sa_t *this, action_t action)
+{
+	this->dpd_action = action;
+}
+
+/**
+ * Implementation of child_sa_t.get_dpd_action.
+ */
+static action_t get_dpd_action(private_child_sa_t *this)
+{
+	return this->dpd_action;
+}
+
 /**
  * Implementation of child_sa_t.get_proposal
  */
@@ -389,10 +441,10 @@ static status_t update_usebytes(private_child_sa_t *this, bool inbound)
 	{
 		if (this->my_spi)
 		{
-			status = charon->kernel_interface->query_sa(
-									charon->kernel_interface,
+			status = charon->kernel_interface->query_sa(charon->kernel_interface,
 									this->other_addr, this->my_addr,
-									this->my_spi, this->protocol, &bytes);
+									this->my_spi, this->protocol,
+									this->mark_in, &bytes);
 			if (status == SUCCESS)
 			{
 				if (bytes > this->my_usebytes)
@@ -408,10 +460,10 @@ static status_t update_usebytes(private_child_sa_t *this, bool inbound)
 	{
 		if (this->other_spi)
 		{
-			status = charon->kernel_interface->query_sa(
-									charon->kernel_interface,
+			status = charon->kernel_interface->query_sa(charon->kernel_interface,
 									this->my_addr, this->other_addr,
-									this->other_spi, this->protocol, &bytes);
+									this->other_spi, this->protocol,
+									this->mark_out,	&bytes);
 			if (status == SUCCESS)
 			{
 				if (bytes > this->other_usebytes)
@@ -443,14 +495,14 @@ static void update_usetime(private_child_sa_t *this, bool inbound)
 		if (inbound)
 		{
 			if (charon->kernel_interface->query_policy(charon->kernel_interface,
-								other_ts, my_ts, POLICY_IN, &in) == SUCCESS)
+						other_ts, my_ts, POLICY_IN, this->mark_in, &in) == SUCCESS)
 			{
 				last_use = max(last_use, in);
 			}
 			if (this->mode != MODE_TRANSPORT)
 			{
 				if (charon->kernel_interface->query_policy(charon->kernel_interface,
-								other_ts, my_ts, POLICY_FWD, &fwd) == SUCCESS)
+						other_ts, my_ts, POLICY_FWD, this->mark_in, &fwd) == SUCCESS)
 				{
 					last_use = max(last_use, fwd);
 				}
@@ -459,7 +511,7 @@ static void update_usetime(private_child_sa_t *this, bool inbound)
 		else
 		{
 			if (charon->kernel_interface->query_policy(charon->kernel_interface,
-								my_ts, other_ts, POLICY_OUT, &out) == SUCCESS)
+						my_ts, other_ts, POLICY_OUT, this->mark_out, &out) == SUCCESS)
 			{
 				last_use = max(last_use, out);
 			}
@@ -623,9 +675,10 @@ static status_t install(private_child_sa_t *this, chunk_t encr, chunk_t integ,
 	}
 
 	status = charon->kernel_interface->add_sa(charon->kernel_interface,
-				src, dst, spi, this->protocol, this->reqid, lifetime,
-				enc_alg, encr, int_alg, integ, this->mode, this->ipcomp, cpi,
-				this->encap, update, src_ts, dst_ts);
+				src, dst, spi, this->protocol, this->reqid,
+				inbound ? this->mark_in : this->mark_out,
+				lifetime, enc_alg, encr, int_alg, integ, this->mode,
+				this->ipcomp, cpi, this->encap, update, src_ts, dst_ts);
 
 	free(lifetime);
 
@@ -666,19 +719,19 @@ static status_t add_policies(private_child_sa_t *this,
 			/* install 3 policies: out, in and forward */
 			status |= charon->kernel_interface->add_policy(charon->kernel_interface,
 					this->my_addr, this->other_addr, my_ts, other_ts, POLICY_OUT,
-					this->other_spi, this->protocol, this->reqid, this->mode,
-					this->ipcomp, this->other_cpi, routed);
+					this->other_spi, this->protocol, this->reqid, this->mark_out,
+					this->mode, this->ipcomp, this->other_cpi, routed);
 
 			status |= charon->kernel_interface->add_policy(charon->kernel_interface,
 					this->other_addr, this->my_addr, other_ts, my_ts, POLICY_IN,
-					this->my_spi, this->protocol, this->reqid, this->mode,
-					this->ipcomp, this->my_cpi, routed);
+					this->my_spi, this->protocol, this->reqid, this->mark_in,
+					this->mode,	this->ipcomp, this->my_cpi, routed);
 			if (this->mode != MODE_TRANSPORT)
 			{
 				status |= charon->kernel_interface->add_policy(charon->kernel_interface,
 					this->other_addr, this->my_addr, other_ts, my_ts, POLICY_FWD,
-					this->my_spi, this->protocol, this->reqid, this->mode,
-					this->ipcomp, this->my_cpi, routed);
+					this->my_spi, this->protocol, this->reqid, this->mark_in,
+					this->mode,	this->ipcomp, this->my_cpi, routed);
 			}
 
 			if (status != SUCCESS)
@@ -726,7 +779,7 @@ static status_t update(private_child_sa_t *this,  host_t *me, host_t *other,
 							this->my_spi, this->protocol,
 							this->ipcomp != IPCOMP_NONE ? this->my_cpi : 0,
 							this->other_addr, this->my_addr, other, me,
-							this->encap, encap) == NOT_SUPPORTED)
+							this->encap, encap, this->mark_in) == NOT_SUPPORTED)
 			{
 				return NOT_SUPPORTED;
 			}
@@ -739,7 +792,7 @@ static status_t update(private_child_sa_t *this,  host_t *me, host_t *other,
 							this->other_spi, this->protocol,
 							this->ipcomp != IPCOMP_NONE ? this->other_cpi : 0,
 							this->my_addr, this->other_addr, me, other,
-							this->encap, encap) == NOT_SUPPORTED)
+							this->encap, encap, this->mark_out) == NOT_SUPPORTED)
 			{
 				return NOT_SUPPORTED;
 			}
@@ -761,13 +814,13 @@ static status_t update(private_child_sa_t *this,  host_t *me, host_t *other,
 			{
 				/* remove old policies first */
 				charon->kernel_interface->del_policy(charon->kernel_interface,
-											my_ts, other_ts, POLICY_OUT, FALSE);
+							my_ts, other_ts, POLICY_OUT, this->mark_out, FALSE);
 				charon->kernel_interface->del_policy(charon->kernel_interface,
-											other_ts, my_ts,  POLICY_IN, FALSE);
+							other_ts, my_ts,  POLICY_IN, this->mark_in, FALSE);
 				if (this->mode != MODE_TRANSPORT)
 				{
 					charon->kernel_interface->del_policy(charon->kernel_interface,
-											other_ts, my_ts, POLICY_FWD, FALSE);
+							other_ts, my_ts, POLICY_FWD, this->mark_in, FALSE);
 				}
 
 				/* check whether we have to update a "dynamic" traffic selector */
@@ -793,18 +846,18 @@ static status_t update(private_child_sa_t *this,  host_t *me, host_t *other,
 				/* reinstall updated policies */
 				charon->kernel_interface->add_policy(charon->kernel_interface,
 						me, other, my_ts, other_ts, POLICY_OUT, this->other_spi,
-						this->protocol, this->reqid, this->mode, this->ipcomp,
-						this->other_cpi, FALSE);
+						this->protocol, this->reqid, this->mark_out, this->mode,
+						this->ipcomp, this->other_cpi, FALSE);
 				charon->kernel_interface->add_policy(charon->kernel_interface,
 						other, me, other_ts, my_ts, POLICY_IN, this->my_spi,
-						this->protocol, this->reqid, this->mode, this->ipcomp,
-						this->my_cpi, FALSE);
+						this->protocol, this->reqid, this->mark_in, this->mode,
+						this->ipcomp, this->my_cpi, FALSE);
 				if (this->mode != MODE_TRANSPORT)
 				{
 					charon->kernel_interface->add_policy(charon->kernel_interface,
 						other, me, other_ts, my_ts, POLICY_FWD, this->my_spi,
-						this->protocol, this->reqid, this->mode, this->ipcomp,
-						this->my_cpi, FALSE);
+						this->protocol, this->reqid, this->mark_in, this->mode,
+						this->ipcomp, this->my_cpi, FALSE);
 				}
 			}
 			enumerator->destroy(enumerator);
@@ -854,13 +907,13 @@ static void destroy(private_child_sa_t *this)
 		}
 		charon->kernel_interface->del_sa(charon->kernel_interface,
 					this->other_addr, this->my_addr, this->my_spi,
-					this->protocol, this->my_cpi);
+					this->protocol, this->my_cpi, this->mark_in);
 	}
 	if (this->other_spi)
 	{
 		charon->kernel_interface->del_sa(charon->kernel_interface,
 					this->my_addr, this->other_addr, this->other_spi,
-					this->protocol, this->other_cpi);
+					this->protocol, this->other_cpi, this->mark_out);
 	}
 
 	if (this->config->install_policy(this->config))
@@ -870,13 +923,13 @@ static void destroy(private_child_sa_t *this)
 		while (enumerator->enumerate(enumerator, &my_ts, &other_ts))
 		{
 			charon->kernel_interface->del_policy(charon->kernel_interface,
-										my_ts, other_ts, POLICY_OUT, unrouted);
+							my_ts, other_ts, POLICY_OUT, this->mark_out, unrouted);
 			charon->kernel_interface->del_policy(charon->kernel_interface,
-										other_ts, my_ts, POLICY_IN, unrouted);
+							other_ts, my_ts, POLICY_IN, this->mark_in, unrouted);
 			if (this->mode != MODE_TRANSPORT)
 			{
 				charon->kernel_interface->del_policy(charon->kernel_interface,
-										other_ts, my_ts, POLICY_FWD, unrouted);
+							other_ts, my_ts, POLICY_FWD, this->mark_in, unrouted);
 			}
 		}
 		enumerator->destroy(enumerator);
@@ -919,6 +972,10 @@ child_sa_t * child_sa_create(host_t *me, host_t* other,
 	this->public.has_encap = (bool(*)(child_sa_t*))has_encap;
 	this->public.get_ipcomp = (ipcomp_transform_t(*)(child_sa_t*))get_ipcomp;
 	this->public.set_ipcomp = (void(*)(child_sa_t*,ipcomp_transform_t))set_ipcomp;
+	this->public.get_close_action = (action_t(*)(child_sa_t*))get_close_action;
+	this->public.set_close_action = (void(*)(child_sa_t*,action_t))set_close_action;
+	this->public.get_dpd_action = (action_t(*)(child_sa_t*))get_dpd_action;
+	this->public.set_dpd_action = (void(*)(child_sa_t*,action_t))set_dpd_action;
 	this->public.alloc_spi = (u_int32_t(*)(child_sa_t*, protocol_id_t protocol))alloc_spi;
 	this->public.alloc_cpi = (u_int16_t(*)(child_sa_t*))alloc_cpi;
 	this->public.install = (status_t(*)(child_sa_t*, chunk_t encr, chunk_t integ, u_int32_t spi, u_int16_t cpi, bool inbound, linked_list_t *my_ts_list, linked_list_t *other_ts_list))install;
@@ -942,17 +999,26 @@ child_sa_t * child_sa_create(host_t *me, host_t* other,
 	this->other_usetime = 0;
 	this->my_usebytes = 0;
 	this->other_usebytes = 0;
-	/* reuse old reqid if we are rekeying an existing CHILD_SA */
-	this->reqid = rekey ? rekey : ++reqid;
 	this->my_ts = linked_list_create();
 	this->other_ts = linked_list_create();
 	this->protocol = PROTO_NONE;
 	this->mode = MODE_TUNNEL;
+	this->close_action = config->get_close_action(config);
+	this->dpd_action = config->get_dpd_action(config);
 	this->proposal = NULL;
 	this->rekey_time = 0;
 	this->expire_time = 0;
 	this->config = config;
 	config->get_ref(config);
+	this->reqid = config->get_reqid(config);
+	this->mark_in = config->get_mark(config, TRUE);
+	this->mark_out = config->get_mark(config, FALSE);
+
+	if (!this->reqid)
+	{
+		/* reuse old reqid if we are rekeying an existing CHILD_SA */
+		this->reqid = rekey ? rekey : ++reqid;
+	}
 
 	/* MIPv6 proxy transport mode sets SA endpoints to TS hosts */
 	if (config->get_mode(config) == MODE_TRANSPORT &&
diff --git a/src/libcharon/sa/child_sa.h b/src/libcharon/sa/child_sa.h
index e6c603504..95bc297b0 100644
--- a/src/libcharon/sa/child_sa.h
+++ b/src/libcharon/sa/child_sa.h
@@ -207,6 +207,34 @@ struct child_sa_t {
 	 */
 	void (*set_ipcomp)(child_sa_t *this, ipcomp_transform_t ipcomp);
 
+	/**
+	 * Get the action to enforce if the remote peer closes the CHILD_SA.
+	 *
+	 * @return			close action
+	 */
+	action_t (*get_close_action)(child_sa_t *this);
+
+	/**
+	 * Override the close action specified by the CHILD_SA config.
+	 *
+	 * @param			close action to enforce
+	 */
+	void (*set_close_action)(child_sa_t *this, action_t action);
+
+	/**
+	 * Get the action to enforce if the peer is considered dead.
+	 *
+	 * @return			dpd action
+	 */
+	action_t (*get_dpd_action)(child_sa_t *this);
+
+	/**
+	 * Override the DPD action specified by the CHILD_SA config.
+	 *
+	 * @param			close action to enforce
+	 */
+	void (*set_dpd_action)(child_sa_t *this, action_t action);
+
 	/**
 	 * Get the selected proposal.
 	 *
diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c
index 023f0749f..7536662ca 100644
--- a/src/libcharon/sa/ike_sa.c
+++ b/src/libcharon/sa/ike_sa.c
@@ -287,18 +287,14 @@ static time_t get_use_time(private_ike_sa_t* this, bool inbound)
 	return use_time;
 }
 
-/**
- * Implementation of ike_sa_t.get_unique_id
- */
-static u_int32_t get_unique_id(private_ike_sa_t *this)
+METHOD(ike_sa_t, get_unique_id, u_int32_t,
+	private_ike_sa_t *this)
 {
 	return this->unique_id;
 }
 
-/**
- * Implementation of ike_sa_t.get_name.
- */
-static char *get_name(private_ike_sa_t *this)
+METHOD(ike_sa_t, get_name, char*,
+	private_ike_sa_t *this)
 {
 	if (this->peer_cfg)
 	{
@@ -307,10 +303,8 @@ static char *get_name(private_ike_sa_t *this)
 	return "(unnamed)";
 }
 
-/**
- * Implementation of ike_sa_t.get_statistic.
- */
-static u_int32_t get_statistic(private_ike_sa_t *this, statistic_t kind)
+METHOD(ike_sa_t, get_statistic, u_int32_t,
+	private_ike_sa_t *this, statistic_t kind)
 {
 	if (kind < STAT_MAX)
 	{
@@ -319,52 +313,40 @@ static u_int32_t get_statistic(private_ike_sa_t *this, statistic_t kind)
 	return 0;
 }
 
-/**
- * Implementation of ike_sa_t.get_my_host.
- */
-static host_t *get_my_host(private_ike_sa_t *this)
+METHOD(ike_sa_t, get_my_host, host_t*,
+	private_ike_sa_t *this)
 {
 	return this->my_host;
 }
 
-/**
- * Implementation of ike_sa_t.set_my_host.
- */
-static void set_my_host(private_ike_sa_t *this, host_t *me)
+METHOD(ike_sa_t, set_my_host, void,
+	private_ike_sa_t *this, host_t *me)
 {
 	DESTROY_IF(this->my_host);
 	this->my_host = me;
 }
 
-/**
- * Implementation of ike_sa_t.get_other_host.
- */
-static host_t *get_other_host(private_ike_sa_t *this)
+METHOD(ike_sa_t, get_other_host, host_t*,
+	private_ike_sa_t *this)
 {
 	return this->other_host;
 }
 
-/**
- * Implementation of ike_sa_t.set_other_host.
- */
-static void set_other_host(private_ike_sa_t *this, host_t *other)
+METHOD(ike_sa_t, set_other_host, void,
+	private_ike_sa_t *this, host_t *other)
 {
 	DESTROY_IF(this->other_host);
 	this->other_host = other;
 }
 
-/**
- * Implementation of ike_sa_t.get_peer_cfg
- */
-static peer_cfg_t* get_peer_cfg(private_ike_sa_t *this)
+METHOD(ike_sa_t, get_peer_cfg, peer_cfg_t*,
+	private_ike_sa_t *this)
 {
 	return this->peer_cfg;
 }
 
-/**
- * Implementation of ike_sa_t.set_peer_cfg
- */
-static void set_peer_cfg(private_ike_sa_t *this, peer_cfg_t *peer_cfg)
+METHOD(ike_sa_t, set_peer_cfg, void,
+	private_ike_sa_t *this, peer_cfg_t *peer_cfg)
 {
 	DESTROY_IF(this->peer_cfg);
 	peer_cfg->get_ref(peer_cfg);
@@ -377,10 +359,8 @@ static void set_peer_cfg(private_ike_sa_t *this, peer_cfg_t *peer_cfg)
 	}
 }
 
-/**
- * Implementation of ike_sa_t.get_auth_cfg
- */
-static auth_cfg_t* get_auth_cfg(private_ike_sa_t *this, bool local)
+METHOD(ike_sa_t, get_auth_cfg, auth_cfg_t*,
+	private_ike_sa_t *this, bool local)
 {
 	if (local)
 	{
@@ -389,10 +369,8 @@ static auth_cfg_t* get_auth_cfg(private_ike_sa_t *this, bool local)
 	return this->other_auth;
 }
 
-/**
- * Implementation of ike_sa_t.add_auth_cfg
- */
-static void add_auth_cfg(private_ike_sa_t *this, bool local, auth_cfg_t *cfg)
+METHOD(ike_sa_t, add_auth_cfg, void,
+	private_ike_sa_t *this, bool local, auth_cfg_t *cfg)
 {
 	if (local)
 	{
@@ -404,11 +382,8 @@ static void add_auth_cfg(private_ike_sa_t *this, bool local, auth_cfg_t *cfg)
 	}
 }
 
-/**
- * Implementation of ike_sa_t.create_auth_cfg_enumerator
- */
-static enumerator_t* create_auth_cfg_enumerator(private_ike_sa_t *this,
-												bool local)
+METHOD(ike_sa_t, create_auth_cfg_enumerator, enumerator_t*,
+	private_ike_sa_t *this, bool local)
 {
 	if (local)
 	{
@@ -424,42 +399,33 @@ static void flush_auth_cfgs(private_ike_sa_t *this)
 {
 	auth_cfg_t *cfg;
 
-	if (lib->settings->get_bool(lib->settings, "charon.flush_auth_cfg", FALSE))
+	while (this->my_auths->remove_last(this->my_auths,
+									   (void**)&cfg) == SUCCESS)
 	{
-		while (this->my_auths->remove_last(this->my_auths,
-										   (void**)&cfg) == SUCCESS)
-		{
-			cfg->destroy(cfg);
-		}
-		while (this->other_auths->remove_last(this->other_auths,
-											  (void**)&cfg) == SUCCESS)
-		{
-			cfg->destroy(cfg);
-		}
+		cfg->destroy(cfg);
+	}
+	while (this->other_auths->remove_last(this->other_auths,
+										  (void**)&cfg) == SUCCESS)
+	{
+		cfg->destroy(cfg);
 	}
 }
 
-/**
- * Implementation of ike_sa_t.get_proposal
- */
-static proposal_t* get_proposal(private_ike_sa_t *this)
+METHOD(ike_sa_t, get_proposal, proposal_t*,
+	private_ike_sa_t *this)
 {
 	return this->proposal;
 }
 
-/**
- * Implementation of ike_sa_t.set_proposal
- */
-static void set_proposal(private_ike_sa_t *this, proposal_t *proposal)
+METHOD(ike_sa_t, set_proposal, void,
+	private_ike_sa_t *this, proposal_t *proposal)
 {
 	DESTROY_IF(this->proposal);
 	this->proposal = proposal->clone(proposal);
 }
 
-/**
- * Implementation of ike_sa_t.set_message_id
- */
-static void set_message_id(private_ike_sa_t *this, bool initiate, u_int32_t mid)
+METHOD(ike_sa_t, set_message_id, void,
+	private_ike_sa_t *this, bool initiate, u_int32_t mid)
 {
 	if (initiate)
 	{
@@ -471,10 +437,8 @@ static void set_message_id(private_ike_sa_t *this, bool initiate, u_int32_t mid)
 	}
 }
 
-/**
- * Implementation of ike_sa_t.send_keepalive
- */
-static void send_keepalive(private_ike_sa_t *this)
+METHOD(ike_sa_t, send_keepalive, void,
+	private_ike_sa_t *this)
 {
 	send_keepalive_job_t *job;
 	time_t last_out, now, diff;
@@ -510,52 +474,39 @@ static void send_keepalive(private_ike_sa_t *this)
 									this->keepalive_interval - diff);
 }
 
-/**
- * Implementation of ike_sa_t.get_ike_cfg
- */
-static ike_cfg_t *get_ike_cfg(private_ike_sa_t *this)
+METHOD(ike_sa_t, get_ike_cfg, ike_cfg_t*,
+	private_ike_sa_t *this)
 {
 	return this->ike_cfg;
 }
 
-/**
- * Implementation of ike_sa_t.set_ike_cfg
- */
-static void set_ike_cfg(private_ike_sa_t *this, ike_cfg_t *ike_cfg)
+METHOD(ike_sa_t, set_ike_cfg, void,
+	private_ike_sa_t *this, ike_cfg_t *ike_cfg)
 {
 	ike_cfg->get_ref(ike_cfg);
 	this->ike_cfg = ike_cfg;
 }
 
-/**
- * Implementation of ike_sa_t.enable_extension.
- */
-static void enable_extension(private_ike_sa_t *this, ike_extension_t extension)
+METHOD(ike_sa_t, enable_extension, void,
+	private_ike_sa_t *this, ike_extension_t extension)
 {
 	this->extensions |= extension;
 }
 
-/**
- * Implementation of ike_sa_t.has_extension.
- */
-static bool supports_extension(private_ike_sa_t *this, ike_extension_t extension)
+METHOD(ike_sa_t, supports_extension, bool,
+	private_ike_sa_t *this, ike_extension_t extension)
 {
 	return (this->extensions & extension) != FALSE;
 }
 
-/**
- * Implementation of ike_sa_t.has_condition.
- */
-static bool has_condition(private_ike_sa_t *this, ike_condition_t condition)
+METHOD(ike_sa_t, has_condition, bool,
+	private_ike_sa_t *this, ike_condition_t condition)
 {
 	return (this->conditions & condition) != FALSE;
 }
 
-/**
- * Implementation of ike_sa_t.enable_condition.
- */
-static void set_condition(private_ike_sa_t *this, ike_condition_t condition,
-						  bool enable)
+METHOD(ike_sa_t, set_condition, void,
+	private_ike_sa_t *this, ike_condition_t condition, bool enable)
 {
 	if (has_condition(this, condition) != enable)
 	{
@@ -601,10 +552,8 @@ static void set_condition(private_ike_sa_t *this, ike_condition_t condition,
 	}
 }
 
-/**
- * Implementation of ike_sa_t.send_dpd
- */
-static status_t send_dpd(private_ike_sa_t *this)
+METHOD(ike_sa_t, send_dpd, status_t,
+	private_ike_sa_t *this)
 {
 	job_t *job;
 	time_t diff, delay;
@@ -660,18 +609,14 @@ static status_t send_dpd(private_ike_sa_t *this)
 	return SUCCESS;
 }
 
-/**
- * Implementation of ike_sa_t.get_state.
- */
-static ike_sa_state_t get_state(private_ike_sa_t *this)
+METHOD(ike_sa_t, get_state, ike_sa_state_t,
+	private_ike_sa_t *this)
 {
 	return this->state;
 }
 
-/**
- * Implementation of ike_sa_t.set_state.
- */
-static void set_state(private_ike_sa_t *this, ike_sa_state_t state)
+METHOD(ike_sa_t, set_state, void,
+	private_ike_sa_t *this, ike_sa_state_t state)
 {
 	DBG2(DBG_IKE, "IKE_SA %s[%d] state change: %N => %N",
 		 get_name(this), this->unique_id,
@@ -754,10 +699,8 @@ static void set_state(private_ike_sa_t *this, ike_sa_state_t state)
 	this->state = state;
 }
 
-/**
- * Implementation of ike_sa_t.reset
- */
-static void reset(private_ike_sa_t *this)
+METHOD(ike_sa_t, reset, void,
+	private_ike_sa_t *this)
 {
 	/*  the responder ID is reset, as peer may choose another one */
 	if (this->ike_sa_id->is_initiator(this->ike_sa_id))
@@ -767,21 +710,22 @@ static void reset(private_ike_sa_t *this)
 
 	set_state(this, IKE_CREATED);
 
+	flush_auth_cfgs(this);
+
+	this->keymat->destroy(this->keymat);
+	this->keymat = keymat_create(this->ike_sa_id->is_initiator(this->ike_sa_id));
+
 	this->task_manager->reset(this->task_manager, 0, 0);
 }
 
-/**
- * Implementation of ike_sa_t.get_keymat
- */
-static keymat_t* get_keymat(private_ike_sa_t *this)
+METHOD(ike_sa_t, get_keymat, keymat_t*,
+	private_ike_sa_t *this)
 {
 	return this->keymat;
 }
 
-/**
- * Implementation of ike_sa_t.set_virtual_ip
- */
-static void set_virtual_ip(private_ike_sa_t *this, bool local, host_t *ip)
+METHOD(ike_sa_t, set_virtual_ip, void,
+	private_ike_sa_t *this, bool local, host_t *ip)
 {
 	if (local)
 	{
@@ -811,10 +755,8 @@ static void set_virtual_ip(private_ike_sa_t *this, bool local, host_t *ip)
 	}
 }
 
-/**
- * Implementation of ike_sa_t.get_virtual_ip
- */
-static host_t* get_virtual_ip(private_ike_sa_t *this, bool local)
+METHOD(ike_sa_t, get_virtual_ip, host_t*,
+	private_ike_sa_t *this, bool local)
 {
 	if (local)
 	{
@@ -826,27 +768,21 @@ static host_t* get_virtual_ip(private_ike_sa_t *this, bool local)
 	}
 }
 
-/**
- * Implementation of ike_sa_t.add_additional_address.
- */
-static void add_additional_address(private_ike_sa_t *this, host_t *host)
+METHOD(ike_sa_t, add_additional_address, void,
+	private_ike_sa_t *this, host_t *host)
 {
 	this->additional_addresses->insert_last(this->additional_addresses, host);
 }
 
-/**
- * Implementation of ike_sa_t.create_additional_address_iterator.
- */
-static iterator_t* create_additional_address_iterator(private_ike_sa_t *this)
+METHOD(ike_sa_t, create_additional_address_iterator, iterator_t*,
+	private_ike_sa_t *this)
 {
 	return this->additional_addresses->create_iterator(
 											this->additional_addresses, TRUE);
 }
 
-/**
- * Implementation of ike_sa_t.has_mapping_changed
- */
-static bool has_mapping_changed(private_ike_sa_t *this, chunk_t hash)
+METHOD(ike_sa_t, has_mapping_changed, bool,
+	private_ike_sa_t *this, chunk_t hash)
 {
 	if (this->nat_detection_dest.ptr == NULL)
 	{
@@ -862,26 +798,20 @@ static bool has_mapping_changed(private_ike_sa_t *this, chunk_t hash)
 	return TRUE;
 }
 
-/**
- * Implementation of ike_sa_t.set_pending_updates.
- */
-static void set_pending_updates(private_ike_sa_t *this, u_int32_t updates)
+METHOD(ike_sa_t, set_pending_updates, void,
+	private_ike_sa_t *this, u_int32_t updates)
 {
 	this->pending_updates = updates;
 }
 
-/**
- * Implementation of ike_sa_t.get_pending_updates.
- */
-static u_int32_t get_pending_updates(private_ike_sa_t *this)
+METHOD(ike_sa_t, get_pending_updates, u_int32_t,
+	private_ike_sa_t *this)
 {
 	return this->pending_updates;
 }
 
-/**
- * Update hosts, as addresses may change (NAT)
- */
-static void update_hosts(private_ike_sa_t *this, host_t *me, host_t *other)
+METHOD(ike_sa_t, update_hosts, void,
+	private_ike_sa_t *this, host_t *me, host_t *other)
 {
 	bool update = FALSE;
 
@@ -946,11 +876,8 @@ static void update_hosts(private_ike_sa_t *this, host_t *me, host_t *other)
 	}
 }
 
-/**
- * Implementation of ike_sa_t.generate
- */
-static status_t generate_message(private_ike_sa_t *this, message_t *message,
-								 packet_t **packet)
+METHOD(ike_sa_t, generate_message, status_t,
+	private_ike_sa_t *this, message_t *message, packet_t **packet)
 {
 	this->stats[STAT_OUTBOUND] = time_monotonic(NULL);
 	message->set_ike_sa_id(message, this->ike_sa_id);
@@ -994,10 +921,8 @@ static void send_notify_response(private_ike_sa_t *this, message_t *request,
 	response->destroy(response);
 }
 
-/**
- * Implementation of ike_sa_t.set_kmaddress.
- */
-static void set_kmaddress(private_ike_sa_t *this, host_t *local, host_t *remote)
+METHOD(ike_sa_t, set_kmaddress, void,
+	private_ike_sa_t *this, host_t *local, host_t *remote)
 {
 	DESTROY_IF(this->local_host);
 	DESTROY_IF(this->remote_host);
@@ -1006,46 +931,35 @@ static void set_kmaddress(private_ike_sa_t *this, host_t *local, host_t *remote)
 }
 
 #ifdef ME
-/**
- * Implementation of ike_sa_t.act_as_mediation_server.
- */
-static void act_as_mediation_server(private_ike_sa_t *this)
+METHOD(ike_sa_t, act_as_mediation_server, void,
+	private_ike_sa_t *this)
 {
 	charon->mediation_manager->update_sa_id(charon->mediation_manager,
 			this->other_id, this->ike_sa_id);
 	this->is_mediation_server = TRUE;
 }
 
-/**
- * Implementation of ike_sa_t.get_server_reflexive_host.
- */
-static host_t *get_server_reflexive_host(private_ike_sa_t *this)
+METHOD(ike_sa_t, get_server_reflexive_host, host_t*,
+	private_ike_sa_t *this)
 {
 	return this->server_reflexive_host;
 }
 
-/**
- * Implementation of ike_sa_t.set_server_reflexive_host.
- */
-static void set_server_reflexive_host(private_ike_sa_t *this, host_t *host)
+METHOD(ike_sa_t, set_server_reflexive_host, void,
+	private_ike_sa_t *this, host_t *host)
 {
 	DESTROY_IF(this->server_reflexive_host);
 	this->server_reflexive_host = host;
 }
 
-/**
- * Implementation of ike_sa_t.get_connect_id.
- */
-static chunk_t get_connect_id(private_ike_sa_t *this)
+METHOD(ike_sa_t, get_connect_id, chunk_t,
+	private_ike_sa_t *this)
 {
 	return this->connect_id;
 }
 
-/**
- * Implementation of ike_sa_t.respond
- */
-static status_t respond(private_ike_sa_t *this, identification_t *peer_id,
-						chunk_t connect_id)
+METHOD(ike_sa_t, respond, status_t,
+	private_ike_sa_t *this, identification_t *peer_id, chunk_t connect_id)
 {
 	ike_me_t *task = ike_me_create(&this->public, TRUE);
 	task->respond(task, peer_id, connect_id);
@@ -1053,10 +967,8 @@ static status_t respond(private_ike_sa_t *this, identification_t *peer_id,
 	return this->task_manager->initiate(this->task_manager);
 }
 
-/**
- * Implementation of ike_sa_t.callback
- */
-static status_t callback(private_ike_sa_t *this, identification_t *peer_id)
+METHOD(ike_sa_t, callback, status_t,
+	private_ike_sa_t *this, identification_t *peer_id)
 {
 	ike_me_t *task = ike_me_create(&this->public, TRUE);
 	task->callback(task, peer_id);
@@ -1064,12 +976,9 @@ static status_t callback(private_ike_sa_t *this, identification_t *peer_id)
 	return this->task_manager->initiate(this->task_manager);
 }
 
-/**
- * Implementation of ike_sa_t.relay
- */
-static status_t relay(private_ike_sa_t *this, identification_t *requester,
-					  chunk_t connect_id, chunk_t connect_key,
-					  linked_list_t *endpoints, bool response)
+METHOD(ike_sa_t, relay, status_t,
+	private_ike_sa_t *this, identification_t *requester, chunk_t connect_id,
+	chunk_t connect_key, linked_list_t *endpoints, bool response)
 {
 	ike_me_t *task = ike_me_create(&this->public, TRUE);
 	task->relay(task, requester, connect_id, connect_key, endpoints, response);
@@ -1077,11 +986,8 @@ static status_t relay(private_ike_sa_t *this, identification_t *requester,
 	return this->task_manager->initiate(this->task_manager);
 }
 
-/**
- * Implementation of ike_sa_t.initiate_mediation
- */
-static status_t initiate_mediation(private_ike_sa_t *this,
-								   peer_cfg_t *mediated_cfg)
+METHOD(ike_sa_t, initiate_mediation, status_t,
+	private_ike_sa_t *this, peer_cfg_t *mediated_cfg)
 {
 	ike_me_t *task = ike_me_create(&this->public, TRUE);
 	task->connect(task, mediated_cfg->get_peer_id(mediated_cfg));
@@ -1089,11 +995,8 @@ static status_t initiate_mediation(private_ike_sa_t *this,
 	return this->task_manager->initiate(this->task_manager);
 }
 
-/**
- * Implementation of ike_sa_t.initiate_mediated
- */
-static status_t initiate_mediated(private_ike_sa_t *this, host_t *me,
-								  host_t *other, chunk_t connect_id)
+METHOD(ike_sa_t, initiate_mediated, status_t,
+	private_ike_sa_t *this, host_t *me, host_t *other, chunk_t connect_id)
 {
 	set_my_host(this, me->clone(me));
 	set_other_host(this, other->clone(other));
@@ -1166,12 +1069,9 @@ static void resolve_hosts(private_ike_sa_t *this)
 	}
 }
 
-/**
- * Implementation of ike_sa_t.initiate
- */
-static status_t initiate(private_ike_sa_t *this,
-						 child_cfg_t *child_cfg, u_int32_t reqid,
-						 traffic_selector_t *tsi, traffic_selector_t *tsr)
+METHOD(ike_sa_t, initiate, status_t,
+	private_ike_sa_t *this, child_cfg_t *child_cfg, u_int32_t reqid,
+	traffic_selector_t *tsi, traffic_selector_t *tsr)
 {
 	task_t *task;
 
@@ -1259,10 +1159,8 @@ static status_t initiate(private_ike_sa_t *this,
 	return this->task_manager->initiate(this->task_manager);
 }
 
-/**
- * Implementation of ike_sa_t.process_message.
- */
-static status_t process_message(private_ike_sa_t *this, message_t *message)
+METHOD(ike_sa_t, process_message, status_t,
+	private_ike_sa_t *this, message_t *message)
 {
 	status_t status;
 	bool is_request;
@@ -1367,7 +1265,9 @@ static status_t process_message(private_ike_sa_t *this, message_t *message)
 		}
 		status = this->task_manager->process_message(this->task_manager, message);
 		if (message->get_exchange_type(message) == IKE_AUTH &&
-			this->state == IKE_ESTABLISHED)
+			this->state == IKE_ESTABLISHED &&
+			lib->settings->get_bool(lib->settings,
+									"charon.flush_auth_cfg", FALSE))
 		{	/* authentication completed */
 			flush_auth_cfgs(this);
 		}
@@ -1375,43 +1275,33 @@ static status_t process_message(private_ike_sa_t *this, message_t *message)
 	return status;
 }
 
-/**
- * Implementation of ike_sa_t.get_id.
- */
-static ike_sa_id_t* get_id(private_ike_sa_t *this)
+METHOD(ike_sa_t, get_id, ike_sa_id_t*,
+	private_ike_sa_t *this)
 {
 	return this->ike_sa_id;
 }
 
-/**
- * Implementation of ike_sa_t.get_my_id.
- */
-static identification_t* get_my_id(private_ike_sa_t *this)
+METHOD(ike_sa_t, get_my_id, identification_t*,
+	private_ike_sa_t *this)
 {
 	return this->my_id;
 }
 
-/**
- * Implementation of ike_sa_t.set_my_id.
- */
-static void set_my_id(private_ike_sa_t *this, identification_t *me)
+METHOD(ike_sa_t, set_my_id, void,
+	private_ike_sa_t *this, identification_t *me)
 {
 	DESTROY_IF(this->my_id);
 	this->my_id = me;
 }
 
-/**
- * Implementation of ike_sa_t.get_other_id.
- */
-static identification_t* get_other_id(private_ike_sa_t *this)
+METHOD(ike_sa_t, get_other_id, identification_t*,
+	private_ike_sa_t *this)
 {
 	return this->other_id;
 }
 
-/**
- * Implementation of ike_sa_t.get_other_eap_id.
- */
-static identification_t* get_other_eap_id(private_ike_sa_t *this)
+METHOD(ike_sa_t, get_other_eap_id, identification_t*,
+	private_ike_sa_t *this)
 {
 	identification_t *id = NULL, *current;
 	enumerator_t *enumerator;
@@ -1440,28 +1330,21 @@ static identification_t* get_other_eap_id(private_ike_sa_t *this)
 	return this->other_id;
 }
 
-/**
- * Implementation of ike_sa_t.set_other_id.
- */
-static void set_other_id(private_ike_sa_t *this, identification_t *other)
+METHOD(ike_sa_t, set_other_id, void,
+	private_ike_sa_t *this, identification_t *other)
 {
 	DESTROY_IF(this->other_id);
 	this->other_id = other;
 }
 
-/**
- * Implementation of ike_sa_t.add_child_sa.
- */
-static void add_child_sa(private_ike_sa_t *this, child_sa_t *child_sa)
+METHOD(ike_sa_t, add_child_sa, void,
+	private_ike_sa_t *this, child_sa_t *child_sa)
 {
 	this->child_sas->insert_last(this->child_sas, child_sa);
 }
 
-/**
- * Implementation of ike_sa_t.get_child_sa.
- */
-static child_sa_t* get_child_sa(private_ike_sa_t *this, protocol_id_t protocol,
-								u_int32_t spi, bool inbound)
+METHOD(ike_sa_t, get_child_sa, child_sa_t*,
+	private_ike_sa_t *this, protocol_id_t protocol, u_int32_t spi, bool inbound)
 {
 	iterator_t *iterator;
 	child_sa_t *current, *found = NULL;
@@ -1479,19 +1362,14 @@ static child_sa_t* get_child_sa(private_ike_sa_t *this, protocol_id_t protocol,
 	return found;
 }
 
-/**
- * Implementation of ike_sa_t.create_child_sa_iterator.
- */
-static iterator_t* create_child_sa_iterator(private_ike_sa_t *this)
+METHOD(ike_sa_t, create_child_sa_iterator, iterator_t*,
+	private_ike_sa_t *this)
 {
 	return this->child_sas->create_iterator(this->child_sas, TRUE);
 }
 
-/**
- * Implementation of ike_sa_t.rekey_child_sa.
- */
-static status_t rekey_child_sa(private_ike_sa_t *this, protocol_id_t protocol,
-							   u_int32_t spi)
+METHOD(ike_sa_t, rekey_child_sa, status_t,
+	private_ike_sa_t *this, protocol_id_t protocol, u_int32_t spi)
 {
 	child_rekey_t *child_rekey;
 
@@ -1500,11 +1378,8 @@ static status_t rekey_child_sa(private_ike_sa_t *this, protocol_id_t protocol,
 	return this->task_manager->initiate(this->task_manager);
 }
 
-/**
- * Implementation of ike_sa_t.delete_child_sa.
- */
-static status_t delete_child_sa(private_ike_sa_t *this, protocol_id_t protocol,
-								u_int32_t spi)
+METHOD(ike_sa_t, delete_child_sa, status_t,
+	private_ike_sa_t *this, protocol_id_t protocol, u_int32_t spi)
 {
 	child_delete_t *child_delete;
 
@@ -1513,11 +1388,8 @@ static status_t delete_child_sa(private_ike_sa_t *this, protocol_id_t protocol,
 	return this->task_manager->initiate(this->task_manager);
 }
 
-/**
- * Implementation of ike_sa_t.destroy_child_sa.
- */
-static status_t destroy_child_sa(private_ike_sa_t *this, protocol_id_t protocol,
-								 u_int32_t spi)
+METHOD(ike_sa_t, destroy_child_sa, status_t,
+	private_ike_sa_t *this, protocol_id_t protocol, u_int32_t spi)
 {
 	iterator_t *iterator;
 	child_sa_t *child_sa;
@@ -1539,10 +1411,8 @@ static status_t destroy_child_sa(private_ike_sa_t *this, protocol_id_t protocol,
 	return status;
 }
 
-/**
- * Implementation of public_ike_sa_t.delete.
- */
-static status_t delete_(private_ike_sa_t *this)
+METHOD(ike_sa_t, delete_, status_t,
+	private_ike_sa_t *this)
 {
 	ike_delete_t *ike_delete;
 
@@ -1567,10 +1437,8 @@ static status_t delete_(private_ike_sa_t *this)
 	return DESTROY_ME;
 }
 
-/**
- * Implementation of ike_sa_t.rekey.
- */
-static status_t rekey(private_ike_sa_t *this)
+METHOD(ike_sa_t, rekey, status_t,
+	private_ike_sa_t *this)
 {
 	ike_rekey_t *ike_rekey;
 
@@ -1580,10 +1448,8 @@ static status_t rekey(private_ike_sa_t *this)
 	return this->task_manager->initiate(this->task_manager);
 }
 
-/**
- * Implementation of ike_sa_t.reauth
- */
-static status_t reauth(private_ike_sa_t *this)
+METHOD(ike_sa_t, reauth, status_t,
+	private_ike_sa_t *this)
 {
 	task_t *task;
 
@@ -1618,10 +1484,8 @@ static status_t reauth(private_ike_sa_t *this)
 	return this->task_manager->initiate(this->task_manager);
 }
 
-/**
- * Implementation of ike_sa_t.reestablish
- */
-static status_t reestablish(private_ike_sa_t *this)
+METHOD(ike_sa_t, reestablish, status_t,
+	private_ike_sa_t *this)
 {
 	ike_sa_t *new;
 	host_t *host;
@@ -1636,14 +1500,13 @@ static status_t reestablish(private_ike_sa_t *this)
 	iterator = create_child_sa_iterator(this);
 	while (iterator->iterate(iterator, (void**)&child_sa))
 	{
-		child_cfg = child_sa->get_config(child_sa);
 		if (this->state == IKE_DELETING)
 		{
-			action = child_cfg->get_close_action(child_cfg);
+			action = child_sa->get_close_action(child_sa);
 		}
 		else
 		{
-			action = child_cfg->get_dpd_action(child_cfg);
+			action = child_sa->get_dpd_action(child_sa);
 		}
 		switch (action)
 		{
@@ -1651,7 +1514,8 @@ static status_t reestablish(private_ike_sa_t *this)
 				restart = TRUE;
 				break;
 			case ACTION_ROUTE:
-				charon->traps->install(charon->traps, this->peer_cfg, child_cfg);
+				charon->traps->install(charon->traps, this->peer_cfg,
+									   child_sa->get_config(child_sa));
 				break;
 			default:
 				break;
@@ -1707,18 +1571,18 @@ static status_t reestablish(private_ike_sa_t *this)
 		iterator = create_child_sa_iterator(this);
 		while (iterator->iterate(iterator, (void**)&child_sa))
 		{
-			child_cfg = child_sa->get_config(child_sa);
 			if (this->state == IKE_DELETING)
 			{
-				action = child_cfg->get_close_action(child_cfg);
+				action = child_sa->get_close_action(child_sa);
 			}
 			else
 			{
-				action = child_cfg->get_dpd_action(child_cfg);
+				action = child_sa->get_dpd_action(child_sa);
 			}
 			switch (action)
 			{
 				case ACTION_RESTART:
+					child_cfg = child_sa->get_config(child_sa);
 					DBG1(DBG_IKE, "restarting CHILD_SA %s",
 						 child_cfg->get_name(child_cfg));
 					child_cfg->get_ref(child_cfg);
@@ -1750,9 +1614,41 @@ static status_t reestablish(private_ike_sa_t *this)
 }
 
 /**
- * Implementation of ike_sa_t.retransmit.
+ * Requeue the IKE_SA_INIT tasks for initiation, if required
  */
-static status_t retransmit(private_ike_sa_t *this, u_int32_t message_id)
+static void requeue_init_tasks(private_ike_sa_t *this)
+{
+	enumerator_t *enumerator;
+	bool has_init = FALSE;
+	task_t *task;
+
+	/* if we have advanced to IKE_AUTH, the IKE_INIT and related tasks
+	 * have already completed. Recreate them if necessary. */
+	enumerator = this->task_manager->create_task_enumerator(
+										this->task_manager, TASK_QUEUE_QUEUED);
+	while (enumerator->enumerate(enumerator, &task))
+	{
+		if (task->get_type(task) == IKE_INIT)
+		{
+			has_init = TRUE;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	if (!has_init)
+	{
+		task = (task_t*)ike_vendor_create(&this->public, TRUE);
+		this->task_manager->queue_task(this->task_manager, task);
+		task = (task_t*)ike_natd_create(&this->public, TRUE);
+		this->task_manager->queue_task(this->task_manager, task);
+		task = (task_t*)ike_init_create(&this->public, TRUE, NULL);
+		this->task_manager->queue_task(this->task_manager, task);
+	}
+}
+
+METHOD(ike_sa_t, retransmit, status_t,
+	private_ike_sa_t *this, u_int32_t message_id)
 {
 	this->stats[STAT_OUTBOUND] = time_monotonic(NULL);
 	if (this->task_manager->retransmit(this->task_manager, message_id) != SUCCESS)
@@ -1770,6 +1666,7 @@ static status_t retransmit(private_ike_sa_t *this, u_int32_t message_id)
 					DBG1(DBG_IKE, "peer not responding, trying again (%d/%d)",
 						 this->keyingtry + 1, tries);
 					reset(this);
+					requeue_init_tasks(this);
 					return this->task_manager->initiate(this->task_manager);
 				}
 				DBG1(DBG_IKE, "establishing IKE_SA failed, peer not responding");
@@ -1790,10 +1687,8 @@ static status_t retransmit(private_ike_sa_t *this, u_int32_t message_id)
 	return SUCCESS;
 }
 
-/**
- * Implementation of ike_sa_t.set_auth_lifetime.
- */
-static void set_auth_lifetime(private_ike_sa_t *this, u_int32_t lifetime)
+METHOD(ike_sa_t, set_auth_lifetime, void,
+	private_ike_sa_t *this, u_int32_t lifetime)
 {
 	u_int32_t reduction = this->peer_cfg->get_over_time(this->peer_cfg);
 	u_int32_t reauth_time = time_monotonic(NULL) + lifetime - reduction;
@@ -1823,10 +1718,8 @@ static void set_auth_lifetime(private_ike_sa_t *this, u_int32_t lifetime)
 	}
 }
 
-/**
- * Implementation of ike_sa_t.roam.
- */
-static status_t roam(private_ike_sa_t *this, bool address)
+METHOD(ike_sa_t, roam, status_t,
+	private_ike_sa_t *this, bool address)
 {
 	host_t *src;
 	ike_mobike_t *mobike;
@@ -1919,12 +1812,9 @@ static status_t roam(private_ike_sa_t *this, bool address)
 	return reauth(this);
 }
 
-/**
- * Implementation of ike_sa_t.add_configuration_attribute
- */
-static void add_configuration_attribute(private_ike_sa_t *this,
-							attribute_handler_t *handler,
-							configuration_attribute_type_t type, chunk_t data)
+METHOD(ike_sa_t, add_configuration_attribute, void,
+	private_ike_sa_t *this, attribute_handler_t *handler,
+	configuration_attribute_type_t type, chunk_t data)
 {
 	attribute_entry_t *entry = malloc_thing(attribute_entry_t);
 
@@ -1935,11 +1825,16 @@ static void add_configuration_attribute(private_ike_sa_t *this,
 	this->attributes->insert_last(this->attributes, entry);
 }
 
-/**
- * Implementation of ike_sa_t.inherit.
- */
-static status_t inherit(private_ike_sa_t *this, private_ike_sa_t *other)
+METHOD(ike_sa_t, create_task_enumerator, enumerator_t*,
+	private_ike_sa_t *this, task_queue_t queue)
+{
+	return this->task_manager->create_task_enumerator(this->task_manager, queue);
+}
+
+METHOD(ike_sa_t, inherit, status_t,
+	private_ike_sa_t *this, ike_sa_t *other_public)
 {
+	private_ike_sa_t *other = (private_ike_sa_t*)other_public;
 	child_sa_t *child_sa;
 	attribute_entry_t *entry;
 
@@ -2021,10 +1916,8 @@ static status_t inherit(private_ike_sa_t *this, private_ike_sa_t *other)
 	return this->task_manager->initiate(this->task_manager);
 }
 
-/**
- * Implementation of ike_sa_t.destroy.
- */
-static void destroy(private_ike_sa_t *this)
+METHOD(ike_sa_t, destroy, void,
+	private_ike_sa_t *this)
 {
 	attribute_entry_t *entry;
 
@@ -2106,122 +1999,107 @@ static void destroy(private_ike_sa_t *this)
  */
 ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
 {
-	private_ike_sa_t *this = malloc_thing(private_ike_sa_t);
+	private_ike_sa_t *this;
 	static u_int32_t unique_id = 0;
 
-	/* Public functions */
-	this->public.get_state = (ike_sa_state_t (*)(ike_sa_t*)) get_state;
-	this->public.set_state = (void (*)(ike_sa_t*,ike_sa_state_t)) set_state;
-	this->public.get_name = (char* (*)(ike_sa_t*))get_name;
-	this->public.get_statistic = (u_int32_t(*)(ike_sa_t*, statistic_t kind))get_statistic;
-	this->public.process_message = (status_t (*)(ike_sa_t*, message_t*)) process_message;
-	this->public.initiate = (status_t (*)(ike_sa_t*,child_cfg_t*,u_int32_t,traffic_selector_t*,traffic_selector_t*)) initiate;
-	this->public.get_ike_cfg = (ike_cfg_t* (*)(ike_sa_t*))get_ike_cfg;
-	this->public.set_ike_cfg = (void (*)(ike_sa_t*,ike_cfg_t*))set_ike_cfg;
-	this->public.get_peer_cfg = (peer_cfg_t* (*)(ike_sa_t*))get_peer_cfg;
-	this->public.set_peer_cfg = (void (*)(ike_sa_t*,peer_cfg_t*))set_peer_cfg;
-	this->public.get_auth_cfg = (auth_cfg_t*(*)(ike_sa_t*, bool local))get_auth_cfg;
-	this->public.create_auth_cfg_enumerator = (enumerator_t*(*)(ike_sa_t*, bool local))create_auth_cfg_enumerator;
-	this->public.add_auth_cfg = (void(*)(ike_sa_t*, bool local, auth_cfg_t *cfg))add_auth_cfg;
-	this->public.get_proposal = (proposal_t*(*)(ike_sa_t*))get_proposal;
-	this->public.set_proposal = (void(*)(ike_sa_t*, proposal_t *proposal))set_proposal;
-	this->public.get_id = (ike_sa_id_t* (*)(ike_sa_t*)) get_id;
-	this->public.get_my_host = (host_t* (*)(ike_sa_t*)) get_my_host;
-	this->public.set_my_host = (void (*)(ike_sa_t*,host_t*)) set_my_host;
-	this->public.get_other_host = (host_t* (*)(ike_sa_t*)) get_other_host;
-	this->public.set_other_host = (void (*)(ike_sa_t*,host_t*)) set_other_host;
-	this->public.set_message_id = (void(*)(ike_sa_t*, bool inbound, u_int32_t mid))set_message_id;
-	this->public.update_hosts = (void(*)(ike_sa_t*, host_t *me, host_t *other))update_hosts;
-	this->public.get_my_id = (identification_t* (*)(ike_sa_t*)) get_my_id;
-	this->public.set_my_id = (void (*)(ike_sa_t*,identification_t*)) set_my_id;
-	this->public.get_other_id = (identification_t* (*)(ike_sa_t*)) get_other_id;
-	this->public.set_other_id = (void (*)(ike_sa_t*,identification_t*)) set_other_id;
-	this->public.get_other_eap_id = (identification_t* (*)(ike_sa_t*)) get_other_eap_id;
-	this->public.enable_extension = (void(*)(ike_sa_t*, ike_extension_t extension))enable_extension;
-	this->public.supports_extension = (bool(*)(ike_sa_t*, ike_extension_t extension))supports_extension;
-	this->public.set_condition = (void (*)(ike_sa_t*, ike_condition_t,bool)) set_condition;
-	this->public.has_condition = (bool (*)(ike_sa_t*,ike_condition_t)) has_condition;
-	this->public.set_pending_updates = (void(*)(ike_sa_t*, u_int32_t updates))set_pending_updates;
-	this->public.get_pending_updates = (u_int32_t(*)(ike_sa_t*))get_pending_updates;
-	this->public.create_additional_address_iterator = (iterator_t*(*)(ike_sa_t*))create_additional_address_iterator;
-	this->public.add_additional_address = (void(*)(ike_sa_t*, host_t *host))add_additional_address;
-	this->public.has_mapping_changed = (bool(*)(ike_sa_t*, chunk_t hash))has_mapping_changed;
-	this->public.retransmit = (status_t (*)(ike_sa_t *, u_int32_t)) retransmit;
-	this->public.delete = (status_t (*)(ike_sa_t*))delete_;
-	this->public.destroy = (void (*)(ike_sa_t*))destroy;
-	this->public.send_dpd = (status_t (*)(ike_sa_t*)) send_dpd;
-	this->public.send_keepalive = (void (*)(ike_sa_t*)) send_keepalive;
-	this->public.get_keymat = (keymat_t*(*)(ike_sa_t*))get_keymat;
-	this->public.add_child_sa = (void (*)(ike_sa_t*,child_sa_t*)) add_child_sa;
-	this->public.get_child_sa = (child_sa_t* (*)(ike_sa_t*,protocol_id_t,u_int32_t,bool)) get_child_sa;
-	this->public.create_child_sa_iterator = (iterator_t* (*)(ike_sa_t*)) create_child_sa_iterator;
-	this->public.rekey_child_sa = (status_t (*)(ike_sa_t*,protocol_id_t,u_int32_t)) rekey_child_sa;
-	this->public.delete_child_sa = (status_t (*)(ike_sa_t*,protocol_id_t,u_int32_t)) delete_child_sa;
-	this->public.destroy_child_sa = (status_t (*)(ike_sa_t*,protocol_id_t,u_int32_t))destroy_child_sa;
-	this->public.rekey = (status_t (*)(ike_sa_t*))rekey;
-	this->public.reauth = (status_t (*)(ike_sa_t*))reauth;
-	this->public.reestablish = (status_t (*)(ike_sa_t*))reestablish;
-	this->public.set_auth_lifetime = (void(*)(ike_sa_t*, u_int32_t lifetime))set_auth_lifetime;
-	this->public.roam = (status_t(*)(ike_sa_t*,bool))roam;
-	this->public.inherit = (status_t (*)(ike_sa_t*,ike_sa_t*))inherit;
-	this->public.generate_message = (status_t (*)(ike_sa_t*,message_t*,packet_t**))generate_message;
-	this->public.reset = (void (*)(ike_sa_t*))reset;
-	this->public.get_unique_id = (u_int32_t (*)(ike_sa_t*))get_unique_id;
-	this->public.set_virtual_ip = (void (*)(ike_sa_t*,bool,host_t*))set_virtual_ip;
-	this->public.get_virtual_ip = (host_t* (*)(ike_sa_t*,bool))get_virtual_ip;
-	this->public.add_configuration_attribute = (void(*)(ike_sa_t*, attribute_handler_t *handler,configuration_attribute_type_t type, chunk_t data))add_configuration_attribute;
-	this->public.set_kmaddress = (void (*)(ike_sa_t*,host_t*,host_t*))set_kmaddress;
+	INIT(this,
+		.public = {
+			.get_state = _get_state,
+			.set_state = _set_state,
+			.get_name = _get_name,
+			.get_statistic = _get_statistic,
+			.process_message = _process_message,
+			.initiate = _initiate,
+			.get_ike_cfg = _get_ike_cfg,
+			.set_ike_cfg = _set_ike_cfg,
+			.get_peer_cfg = _get_peer_cfg,
+			.set_peer_cfg = _set_peer_cfg,
+			.get_auth_cfg = _get_auth_cfg,
+			.create_auth_cfg_enumerator = _create_auth_cfg_enumerator,
+			.add_auth_cfg = _add_auth_cfg,
+			.get_proposal = _get_proposal,
+			.set_proposal = _set_proposal,
+			.get_id = _get_id,
+			.get_my_host = _get_my_host,
+			.set_my_host = _set_my_host,
+			.get_other_host = _get_other_host,
+			.set_other_host = _set_other_host,
+			.set_message_id = _set_message_id,
+			.update_hosts = _update_hosts,
+			.get_my_id = _get_my_id,
+			.set_my_id = _set_my_id,
+			.get_other_id = _get_other_id,
+			.set_other_id = _set_other_id,
+			.get_other_eap_id = _get_other_eap_id,
+			.enable_extension = _enable_extension,
+			.supports_extension = _supports_extension,
+			.set_condition = _set_condition,
+			.has_condition = _has_condition,
+			.set_pending_updates = _set_pending_updates,
+			.get_pending_updates = _get_pending_updates,
+			.create_additional_address_iterator = _create_additional_address_iterator,
+			.add_additional_address = _add_additional_address,
+			.has_mapping_changed = _has_mapping_changed,
+			.retransmit = _retransmit,
+			.delete = _delete_,
+			.destroy = _destroy,
+			.send_dpd = _send_dpd,
+			.send_keepalive = _send_keepalive,
+			.get_keymat = _get_keymat,
+			.add_child_sa = _add_child_sa,
+			.get_child_sa = _get_child_sa,
+			.create_child_sa_iterator = _create_child_sa_iterator,
+			.rekey_child_sa = _rekey_child_sa,
+			.delete_child_sa = _delete_child_sa,
+			.destroy_child_sa = _destroy_child_sa,
+			.rekey = _rekey,
+			.reauth = _reauth,
+			.reestablish = _reestablish,
+			.set_auth_lifetime = _set_auth_lifetime,
+			.roam = _roam,
+			.inherit = _inherit,
+			.generate_message = _generate_message,
+			.reset = _reset,
+			.get_unique_id = _get_unique_id,
+			.set_virtual_ip = _set_virtual_ip,
+			.get_virtual_ip = _get_virtual_ip,
+			.add_configuration_attribute = _add_configuration_attribute,
+			.set_kmaddress = _set_kmaddress,
+			.create_task_enumerator = _create_task_enumerator,
 #ifdef ME
-	this->public.act_as_mediation_server = (void (*)(ike_sa_t*)) act_as_mediation_server;
-	this->public.get_server_reflexive_host = (host_t* (*)(ike_sa_t*)) get_server_reflexive_host;
-	this->public.set_server_reflexive_host = (void (*)(ike_sa_t*,host_t*)) set_server_reflexive_host;
-	this->public.get_connect_id = (chunk_t (*)(ike_sa_t*)) get_connect_id;
-	this->public.initiate_mediation = (status_t (*)(ike_sa_t*,peer_cfg_t*)) initiate_mediation;
-	this->public.initiate_mediated = (status_t (*)(ike_sa_t*,host_t*,host_t*,chunk_t)) initiate_mediated;
-	this->public.relay = (status_t (*)(ike_sa_t*,identification_t*,chunk_t,chunk_t,linked_list_t*,bool)) relay;
-	this->public.callback = (status_t (*)(ike_sa_t*,identification_t*)) callback;
-	this->public.respond = (status_t (*)(ike_sa_t*,identification_t*,chunk_t)) respond;
+			.act_as_mediation_server = _act_as_mediation_server,
+			.get_server_reflexive_host = _get_server_reflexive_host,
+			.set_server_reflexive_host = _set_server_reflexive_host,
+			.get_connect_id = _get_connect_id,
+			.initiate_mediation = _initiate_mediation,
+			.initiate_mediated = _initiate_mediated,
+			.relay = _relay,
+			.callback = _callback,
+			.respond = _respond,
 #endif /* ME */
-
-	/* initialize private fields */
-	this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
-	this->child_sas = linked_list_create();
-	this->my_host = host_create_any(AF_INET);
+		},
+		.ike_sa_id = ike_sa_id->clone(ike_sa_id),
+		.child_sas = linked_list_create(),
+		.my_host = host_create_any(AF_INET),
+		.other_host = host_create_any(AF_INET),
+		.my_id = identification_create_from_encoding(ID_ANY, chunk_empty),
+		.other_id = identification_create_from_encoding(ID_ANY, chunk_empty),
+		.keymat = keymat_create(ike_sa_id->is_initiator(ike_sa_id)),
+		.state = IKE_CREATED,
+		.stats[STAT_INBOUND] = time_monotonic(NULL),
+		.stats[STAT_OUTBOUND] = time_monotonic(NULL),
+		.my_auth = auth_cfg_create(),
+		.other_auth = auth_cfg_create(),
+		.my_auths = linked_list_create(),
+		.other_auths = linked_list_create(),
+		.task_manager = task_manager_create(&this->public),
+		.unique_id = ++unique_id,
+		.additional_addresses = linked_list_create(),
+		.attributes = linked_list_create(),
+		.keepalive_interval = lib->settings->get_time(lib->settings,
+									"charon.keep_alive", KEEPALIVE_INTERVAL),
+	);
 	this->my_host->set_port(this->my_host, IKEV2_UDP_PORT);
-	this->other_host = host_create_any(AF_INET);
-	this->my_id = identification_create_from_encoding(ID_ANY, chunk_empty);
-	this->other_id = identification_create_from_encoding(ID_ANY, chunk_empty);
-	this->extensions = 0;
-	this->conditions = 0;
-	this->keymat = keymat_create(ike_sa_id->is_initiator(ike_sa_id));
-	this->state = IKE_CREATED;
-	this->keepalive_interval = lib->settings->get_time(lib->settings,
-									"charon.keep_alive", KEEPALIVE_INTERVAL);
-	memset(this->stats, 0, sizeof(this->stats));
-	this->stats[STAT_INBOUND] = this->stats[STAT_OUTBOUND] = time_monotonic(NULL);
-	this->ike_cfg = NULL;
-	this->peer_cfg = NULL;
-	this->my_auth = auth_cfg_create();
-	this->other_auth = auth_cfg_create();
-	this->my_auths = linked_list_create();
-	this->other_auths = linked_list_create();
-	this->proposal = NULL;
-	this->task_manager = task_manager_create(&this->public);
-	this->unique_id = ++unique_id;
-	this->my_virtual_ip = NULL;
-	this->other_virtual_ip = NULL;
-	this->additional_addresses = linked_list_create();
-	this->attributes = linked_list_create();
-	this->nat_detection_dest = chunk_empty;
-	this->pending_updates = 0;
-	this->keyingtry = 0;
-	this->local_host = NULL;
-	this->remote_host = NULL;
-#ifdef ME
-	this->is_mediation_server = FALSE;
-	this->server_reflexive_host = NULL;
-	this->connect_id = chunk_empty;
-#endif /* ME */
 
 	return &this->public;
 }
diff --git a/src/libcharon/sa/ike_sa.h b/src/libcharon/sa/ike_sa.h
index c61502edf..34842a573 100644
--- a/src/libcharon/sa/ike_sa.h
+++ b/src/libcharon/sa/ike_sa.h
@@ -37,11 +37,11 @@ typedef struct ike_sa_t ike_sa_t;
 #include <encoding/payloads/configuration_attribute.h>
 #include <sa/ike_sa_id.h>
 #include <sa/child_sa.h>
-#include <sa/tasks/task.h>
+#include <sa/task_manager.h>
 #include <sa/keymat.h>
 #include <config/peer_cfg.h>
 #include <config/ike_cfg.h>
-#include <config/auth_cfg.h>
+#include <credentials/auth_cfg.h>
 
 /**
  * Timeout in seconds after that a half open IKE_SA gets deleted.
@@ -887,6 +887,14 @@ struct ike_sa_t {
 	 */
 	void (*set_kmaddress) (ike_sa_t *this, host_t *local, host_t *remote);
 
+	/**
+	 * Create enumerator over a task queue of this IKE_SA.
+	 *
+	 * @param				queue type to enumerate
+	 * @return				enumerator over task_t
+	 */
+	enumerator_t* (*create_task_enumerator)(ike_sa_t *this, task_queue_t queue);
+
 	/**
 	 * Inherit all attributes of other to this after rekeying.
 	 *
diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c
index 3ef0f3bb0..c71c3b297 100644
--- a/src/libcharon/sa/ike_sa_manager.c
+++ b/src/libcharon/sa/ike_sa_manager.c
@@ -886,9 +886,10 @@ static ike_sa_t* checkout(private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id
 	{
 		if (wait_for_entry(this, entry, segment))
 		{
-			DBG2(DBG_MGR, "IKE_SA successfully checked out");
 			entry->checked_out = TRUE;
 			ike_sa = entry->ike_sa;
+			DBG2(DBG_MGR, "IKE_SA %s[%u] successfully checked out",
+					ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa));
 		}
 		unlock_single_segment(this, segment);
 	}
@@ -916,7 +917,8 @@ static ike_sa_t *checkout_new(private_ike_sa_manager_t* this, bool initiator)
 	}
 	ike_sa = ike_sa_create(ike_sa_id);
 
-	DBG2(DBG_MGR, "created IKE_SA");
+	DBG2(DBG_MGR, "created IKE_SA %s[%u]", ike_sa->get_name(ike_sa),
+			ike_sa->get_unique_id(ike_sa));
 
 	if (!initiator)
 	{
@@ -971,10 +973,11 @@ static ike_sa_t* checkout_by_message(private_ike_sa_manager_t* this,
 			}
 			else if (wait_for_entry(this, entry, segment))
 			{
-				DBG2(DBG_MGR, "IKE_SA checked out by hash");
 				entry->checked_out = TRUE;
 				entry->message_id = message->get_message_id(message);
 				ike_sa = entry->ike_sa;
+				DBG2(DBG_MGR, "IKE_SA %s[%u] checked out by hash",
+						ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa));
 			}
 			unlock_single_segment(this, segment);
 		}
@@ -998,7 +1001,8 @@ static ike_sa_t* checkout_by_message(private_ike_sa_manager_t* this,
 				entry->init_hash = hash;
 				ike_sa = entry->ike_sa;
 
-				DBG2(DBG_MGR, "created IKE_SA");
+				DBG2(DBG_MGR, "created IKE_SA %s[%u]",
+						ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa));
 			}
 			else
 			{
@@ -1027,7 +1031,6 @@ static ike_sa_t* checkout_by_message(private_ike_sa_manager_t* this,
 		else if (wait_for_entry(this, entry, segment))
 		{
 			ike_sa_id_t *ike_id = entry->ike_sa->get_id(entry->ike_sa);
-			DBG2(DBG_MGR, "IKE_SA successfully checked out");
 			entry->checked_out = TRUE;
 			entry->message_id = message->get_message_id(message);
 			if (ike_id->get_responder_spi(ike_id) == 0)
@@ -1035,6 +1038,8 @@ static ike_sa_t* checkout_by_message(private_ike_sa_manager_t* this,
 				ike_id->set_responder_spi(ike_id, id->get_responder_spi(id));
 			}
 			ike_sa = entry->ike_sa;
+			DBG2(DBG_MGR, "IKE_SA %s[%u] successfully checked out",
+					ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa));
 		}
 		unlock_single_segment(this, segment);
 	}
@@ -1056,6 +1061,8 @@ static ike_sa_t* checkout_by_config(private_ike_sa_manager_t *this,
 	ike_cfg_t *current_ike;
 	u_int segment;
 
+	DBG2(DBG_MGR, "checkout IKE_SA by config");
+
 	if (!this->reuse_ikesa)
 	{	/* IKE_SA reuse disable by config */
 		ike_sa = checkout_new(this, TRUE);
@@ -1081,10 +1088,11 @@ static ike_sa_t* checkout_by_config(private_ike_sa_manager_t *this,
 			current_ike = current_peer->get_ike_cfg(current_peer);
 			if (current_ike->equals(current_ike, peer_cfg->get_ike_cfg(peer_cfg)))
 			{
-				DBG2(DBG_MGR, "found an existing IKE_SA with a '%s' config",
-					 current_peer->get_name(current_peer));
 				entry->checked_out = TRUE;
 				ike_sa = entry->ike_sa;
+				DBG2(DBG_MGR, "found existing IKE_SA %u with a '%s' config",
+						ike_sa->get_unique_id(ike_sa),
+						current_peer->get_name(current_peer));
 				break;
 			}
 		}
@@ -1112,6 +1120,8 @@ static ike_sa_t* checkout_by_id(private_ike_sa_manager_t *this, u_int32_t id,
 	child_sa_t *child_sa;
 	u_int segment;
 
+	DBG2(DBG_MGR, "checkout IKE_SA by ID");
+
 	enumerator = create_table_enumerator(this);
 	while (enumerator->enumerate(enumerator, &entry, &segment))
 	{
@@ -1142,6 +1152,8 @@ static ike_sa_t* checkout_by_id(private_ike_sa_manager_t *this, u_int32_t id,
 			if (ike_sa)
 			{
 				entry->checked_out = TRUE;
+				DBG2(DBG_MGR, "IKE_SA %s[%u] successfully checked out",
+						ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa));
 				break;
 			}
 		}
@@ -1195,6 +1207,8 @@ static ike_sa_t* checkout_by_name(private_ike_sa_manager_t *this, char *name,
 			if (ike_sa)
 			{
 				entry->checked_out = TRUE;
+				DBG2(DBG_MGR, "IKE_SA %s[%u] successfully checked out",
+						ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa));
 				break;
 			}
 		}
@@ -1251,7 +1265,8 @@ static void checkin(private_ike_sa_manager_t *this, ike_sa_t *ike_sa)
 	other_id = ike_sa->get_other_id(ike_sa);
 	other = ike_sa->get_other_host(ike_sa);
 
-	DBG2(DBG_MGR, "checkin IKE_SA");
+	DBG2(DBG_MGR, "checkin IKE_SA %s[%u]", ike_sa->get_name(ike_sa),
+			ike_sa->get_unique_id(ike_sa));
 
 	/* look for the entry */
 	if (get_entry_by_sa(this, ike_sa_id, ike_sa, &entry, &segment) == SUCCESS)
@@ -1327,7 +1342,8 @@ static void checkin_and_destroy(private_ike_sa_manager_t *this, ike_sa_t *ike_sa
 
 	ike_sa_id = ike_sa->get_id(ike_sa);
 
-	DBG2(DBG_MGR, "checkin and destroy IKE_SA");
+	DBG2(DBG_MGR, "checkin and destroy IKE_SA %s[%u]", ike_sa->get_name(ike_sa),
+			ike_sa->get_unique_id(ike_sa));
 
 	if (get_entry_by_sa(this, ike_sa_id, ike_sa, &entry, &segment) == SUCCESS)
 	{
diff --git a/src/libcharon/sa/task_manager.c b/src/libcharon/sa/task_manager.c
index eeda6c860..a68826440 100644
--- a/src/libcharon/sa/task_manager.c
+++ b/src/libcharon/sa/task_manager.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2007 Tobias Brunner
- * Copyright (C) 2007 Martin Willi
+ * Copyright (C) 2007-2010 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -195,10 +195,8 @@ static bool activate_task(private_task_manager_t *this, task_type_t type)
 	return found;
 }
 
-/**
- * Implementation of task_manager_t.retransmit
- */
-static status_t retransmit(private_task_manager_t *this, u_int32_t message_id)
+METHOD(task_manager_t, retransmit, status_t,
+	private_task_manager_t *this, u_int32_t message_id)
 {
 	if (message_id == this->initiating.mid)
 	{
@@ -281,11 +279,8 @@ static status_t retransmit(private_task_manager_t *this, u_int32_t message_id)
 	return SUCCESS;
 }
 
-/**
- * build a request using the active task list
- * Implementation of task_manager_t.initiate
- */
-static status_t build_request(private_task_manager_t *this)
+METHOD(task_manager_t, initiate, status_t,
+	private_task_manager_t *this)
 {
 	iterator_t *iterator;
 	task_t *task;
@@ -296,7 +291,8 @@ static status_t build_request(private_task_manager_t *this)
 
 	if (this->initiating.type != EXCHANGE_TYPE_UNDEFINED)
 	{
-		DBG2(DBG_IKE, "delaying task initiation, exchange in progress");
+		DBG2(DBG_IKE, "delaying task initiation, %N exchange in progress",
+				exchange_type_names, this->initiating.type);
 		/* do not initiate if we already have a message in the air */
 		return SUCCESS;
 	}
@@ -534,7 +530,7 @@ static status_t process_response(private_task_manager_t *this,
 		{	/* start all over again if we were reset */
 			this->reset = FALSE;
 			iterator->destroy(iterator);
-			return build_request(this);
+			return initiate(this);
 		}
 	}
 	iterator->destroy(iterator);
@@ -544,7 +540,7 @@ static status_t process_response(private_task_manager_t *this,
 	this->initiating.packet->destroy(this->initiating.packet);
 	this->initiating.packet = NULL;
 
-	return build_request(this);
+	return initiate(this);
 }
 
 /**
@@ -883,10 +879,8 @@ static status_t process_request(private_task_manager_t *this,
 	return build_response(this, message);
 }
 
-/**
- * Implementation of task_manager_t.process_message
- */
-static status_t process_message(private_task_manager_t *this, message_t *msg)
+METHOD(task_manager_t, process_message, status_t,
+	private_task_manager_t *this, message_t *msg)
 {
 	u_int32_t mid = msg->get_message_id(msg);
 
@@ -943,10 +937,8 @@ static status_t process_message(private_task_manager_t *this, message_t *msg)
 	return SUCCESS;
 }
 
-/**
- * Implementation of task_manager_t.queue_task
- */
-static void queue_task(private_task_manager_t *this, task_t *task)
+METHOD(task_manager_t, queue_task, void,
+	private_task_manager_t *this, task_t *task)
 {
 	if (task->get_type(task) == IKE_MOBIKE)
 	{	/*  there is no need to queue more than one mobike task */
@@ -969,11 +961,10 @@ static void queue_task(private_task_manager_t *this, task_t *task)
 	this->queued_tasks->insert_last(this->queued_tasks, task);
 }
 
-/**
- * Implementation of task_manager_t.adopt_tasks
- */
-static void adopt_tasks(private_task_manager_t *this, private_task_manager_t *other)
+METHOD(task_manager_t, adopt_tasks, void,
+	private_task_manager_t *this, task_manager_t *other_public)
 {
+	private_task_manager_t *other = (private_task_manager_t*)other_public;
 	task_t *task;
 
 	/* move queued tasks from other to this */
@@ -986,20 +977,16 @@ static void adopt_tasks(private_task_manager_t *this, private_task_manager_t *ot
 	}
 }
 
-/**
- * Implementation of task_manager_t.busy
- */
-static bool busy(private_task_manager_t *this)
+METHOD(task_manager_t, busy, bool,
+	private_task_manager_t *this)
 {
 	return (this->active_tasks->get_count(this->active_tasks) > 0);
 }
 
-/**
- * Implementation of task_manager_t.reset
- */
-static void reset(private_task_manager_t *this,
-				  u_int32_t initiate, u_int32_t respond)
+METHOD(task_manager_t, reset, void,
+	private_task_manager_t *this, u_int32_t initiate, u_int32_t respond)
 {
+	enumerator_t *enumerator;
 	task_t *task;
 
 	/* reset message counters and retransmit packets */
@@ -1017,6 +1004,14 @@ static void reset(private_task_manager_t *this,
 	}
 	this->initiating.type = EXCHANGE_TYPE_UNDEFINED;
 
+	/* reset queued tasks */
+	enumerator = this->queued_tasks->create_enumerator(this->queued_tasks);
+	while (enumerator->enumerate(enumerator, &task))
+	{
+		task->migrate(task, this->ike_sa);
+	}
+	enumerator->destroy(enumerator);
+
 	/* reset active tasks */
 	while (this->active_tasks->remove_last(this->active_tasks,
 										   (void**)&task) == SUCCESS)
@@ -1028,10 +1023,24 @@ static void reset(private_task_manager_t *this,
 	this->reset = TRUE;
 }
 
-/**
- * Implementation of task_manager_t.destroy
- */
-static void destroy(private_task_manager_t *this)
+METHOD(task_manager_t, create_task_enumerator, enumerator_t*,
+	private_task_manager_t *this, task_queue_t queue)
+{
+	switch (queue)
+	{
+		case TASK_QUEUE_ACTIVE:
+			return this->active_tasks->create_enumerator(this->active_tasks);
+		case TASK_QUEUE_PASSIVE:
+			return this->passive_tasks->create_enumerator(this->passive_tasks);
+		case TASK_QUEUE_QUEUED:
+			return this->queued_tasks->create_enumerator(this->queued_tasks);
+		default:
+			return enumerator_create_empty();
+	}
+}
+
+METHOD(task_manager_t, destroy, void,
+	private_task_manager_t *this)
 {
 	flush(this);
 
@@ -1049,34 +1058,32 @@ static void destroy(private_task_manager_t *this)
  */
 task_manager_t *task_manager_create(ike_sa_t *ike_sa)
 {
-	private_task_manager_t *this = malloc_thing(private_task_manager_t);
-
-	this->public.process_message = (status_t(*)(task_manager_t*,message_t*))process_message;
-	this->public.queue_task = (void(*)(task_manager_t*,task_t*))queue_task;
-	this->public.initiate = (status_t(*)(task_manager_t*))build_request;
-	this->public.retransmit = (status_t(*)(task_manager_t*,u_int32_t))retransmit;
-	this->public.reset = (void(*)(task_manager_t*,u_int32_t,u_int32_t))reset;
-	this->public.adopt_tasks = (void(*)(task_manager_t*,task_manager_t*))adopt_tasks;
-	this->public.busy = (bool(*)(task_manager_t*))busy;
-	this->public.destroy = (void(*)(task_manager_t*))destroy;
-
-	this->ike_sa = ike_sa;
-	this->responding.packet = NULL;
-	this->initiating.packet = NULL;
-	this->responding.mid = 0;
-	this->initiating.mid = 0;
-	this->initiating.type = EXCHANGE_TYPE_UNDEFINED;
-	this->queued_tasks = linked_list_create();
-	this->active_tasks = linked_list_create();
-	this->passive_tasks = linked_list_create();
-	this->reset = FALSE;
-
-	this->retransmit_tries = lib->settings->get_int(lib->settings,
-								"charon.retransmit_tries", RETRANSMIT_TRIES);
-	this->retransmit_timeout = lib->settings->get_double(lib->settings,
-								"charon.retransmit_timeout", RETRANSMIT_TIMEOUT);
-	this->retransmit_base = lib->settings->get_double(lib->settings,
-								"charon.retransmit_base", RETRANSMIT_BASE);
+	private_task_manager_t *this;
+
+	INIT(this,
+		.public = {
+			.process_message = _process_message,
+			.queue_task = _queue_task,
+			.initiate = _initiate,
+			.retransmit = _retransmit,
+			.reset = _reset,
+			.adopt_tasks = _adopt_tasks,
+			.busy = _busy,
+			.create_task_enumerator = _create_task_enumerator,
+			.destroy = _destroy,
+		},
+		.ike_sa = ike_sa,
+		.initiating.type = EXCHANGE_TYPE_UNDEFINED,
+		.queued_tasks = linked_list_create(),
+		.active_tasks = linked_list_create(),
+		.passive_tasks = linked_list_create(),
+		.retransmit_tries = lib->settings->get_int(lib->settings,
+								"charon.retransmit_tries", RETRANSMIT_TRIES),
+		.retransmit_timeout = lib->settings->get_double(lib->settings,
+								"charon.retransmit_timeout", RETRANSMIT_TIMEOUT),
+		.retransmit_base = lib->settings->get_double(lib->settings,
+								"charon.retransmit_base", RETRANSMIT_BASE),
+	);
 
 	return &this->public;
 }
diff --git a/src/libcharon/sa/task_manager.h b/src/libcharon/sa/task_manager.h
index 731ed4898..14fccd5f9 100644
--- a/src/libcharon/sa/task_manager.h
+++ b/src/libcharon/sa/task_manager.h
@@ -22,6 +22,7 @@
 #define TASK_MANAGER_H_
 
 typedef struct task_manager_t task_manager_t;
+typedef enum task_queue_t task_queue_t;
 
 #include <limits.h>
 
@@ -55,6 +56,17 @@ typedef struct task_manager_t task_manager_t;
  */
 #define ROUTEABILITY_CHECK_TRIES 10
 
+/**
+ * Type of task queues the task manager uses to handle tasks
+ */
+enum task_queue_t {
+	/** tasks currently active, initiated by us */
+	TASK_QUEUE_ACTIVE,
+	/** passive tasks initiated by the remote peer */
+	TASK_QUEUE_PASSIVE,
+	/** tasks queued for initiated, but not yet activated */
+	TASK_QUEUE_QUEUED,
+};
 
 /**
  * The task manager, juggles task and handles message exchanges.
@@ -157,6 +169,15 @@ struct task_manager_t {
 	 */
 	bool (*busy) (task_manager_t *this);
 
+	/**
+	 * Create an enumerator over tasks in a specific queue.
+	 *
+	 * @param queue			queue to create an enumerator over
+	 * @return				enumerator over task_t
+	 */
+	enumerator_t* (*create_task_enumerator)(task_manager_t *this,
+											task_queue_t queue);
+
 	/**
 	 * Destroy the task_manager_t.
 	 */
diff --git a/src/libcharon/sa/tasks/child_create.c b/src/libcharon/sa/tasks/child_create.c
index bea4f73d5..3de27ee3f 100644
--- a/src/libcharon/sa/tasks/child_create.c
+++ b/src/libcharon/sa/tasks/child_create.c
@@ -273,7 +273,8 @@ static void schedule_inactivity_timeout(private_child_create_t *this)
  * - INVALID_ARG: diffie hellman group inacceptable
  * - NOT_FOUND: TS inacceptable
  */
-static status_t select_and_install(private_child_create_t *this, bool no_dh)
+static status_t select_and_install(private_child_create_t *this,
+								   bool no_dh, bool ike_auth)
 {
 	status_t status, status_i, status_o;
 	chunk_t nonce_i, nonce_r;
@@ -364,6 +365,25 @@ static status_t select_and_install(private_child_create_t *this, bool no_dh)
 	other_ts = this->config->get_traffic_selectors(this->config, FALSE, other_ts,
 												   other_vip);
 
+	if (this->initiator)
+	{
+		if (ike_auth)
+		{
+			charon->bus->narrow(charon->bus, this->child_sa,
+								NARROW_INITIATOR_POST_NOAUTH, my_ts, other_ts);
+		}
+		else
+		{
+			charon->bus->narrow(charon->bus, this->child_sa,
+								NARROW_INITIATOR_POST_AUTH, my_ts, other_ts);
+		}
+	}
+	else
+	{
+		charon->bus->narrow(charon->bus, this->child_sa,
+							NARROW_RESPONDER, my_ts, other_ts);
+	}
+
 	if (my_ts->get_count(my_ts) == 0 || other_ts->get_count(other_ts) == 0)
 	{
 		my_ts->destroy_offset(my_ts, offsetof(traffic_selector_t, destroy));
@@ -418,66 +438,6 @@ static status_t select_and_install(private_child_create_t *this, bool no_dh)
 		}
 	}
 
-	/* check for any certificate-based IP address block constraints */
-	if (this->mode == MODE_BEET || this->mode == MODE_TUNNEL)
-	{
-		auth_cfg_t *auth;
-		enumerator_t *auth_enum;
-		certificate_t *cert = NULL;
-
-		auth_enum = this->ike_sa->create_auth_cfg_enumerator(this->ike_sa, FALSE);
-		while (auth_enum->enumerate(auth_enum, &auth))
-		{
-			cert = auth->get(auth, AUTH_HELPER_SUBJECT_CERT);
-			if (cert)
-			{
-				break;
-			}
-		}
-		auth_enum->destroy(auth_enum);
-
-		if (cert && cert->get_type(cert) == CERT_X509)
-		{
-			x509_t *x509 = (x509_t*)cert;
-
-			if (x509->get_flags(x509) & X509_IP_ADDR_BLOCKS)
-			{
-				enumerator_t *enumerator, *block_enum;
-				traffic_selector_t *ts, *block_ts;
-
-				DBG1(DBG_IKE, "checking certificate-based traffic selector "
-							  "constraints [RFC 3779]");
-				enumerator = other_ts->create_enumerator(other_ts);
-				while (enumerator->enumerate(enumerator, &ts))
-				{
-					bool contained = FALSE;
-
-					block_enum = x509->create_ipAddrBlock_enumerator(x509);
-					while (block_enum->enumerate(block_enum, &block_ts))
-					{
-						if (ts->is_contained_in(ts, block_ts))
-						{
-							DBG1(DBG_IKE, "  TS %R is contained in address block"
-										  " constraint %R", ts, block_ts);
-							contained = TRUE;
-							break;
-						}
-					}
-					block_enum->destroy(block_enum);
-
-					if (!contained)
-					{
-						DBG1(DBG_IKE, "  TS %R is not contained in any"
-									  " address block constraint", ts);
-						enumerator->destroy(enumerator);
-						return FAILED;
-					}
-				}
-				enumerator->destroy(enumerator);
-			}
-		}
-	}
-
 	this->child_sa->set_state(this->child_sa, CHILD_INSTALLING);
 	this->child_sa->set_ipcomp(this->child_sa, this->ipcomp);
 	this->child_sa->set_mode(this->child_sa, this->mode);
@@ -529,8 +489,8 @@ static status_t select_and_install(private_child_create_t *this, bool no_dh)
 		return NOT_FOUND;
 	}
 
-	charon->bus->child_keys(charon->bus, this->child_sa, this->dh,
-							nonce_i, nonce_r);
+	charon->bus->child_keys(charon->bus, this->child_sa, this->initiator,
+							this->dh, nonce_i, nonce_r);
 
 	/* add to IKE_SA, and remove from task */
 	this->child_sa->set_state(this->child_sa, CHILD_INSTALLED);
@@ -848,6 +808,17 @@ static status_t build_i(private_child_create_t *this, message_t *message)
 		add_ipcomp_notify(this, message, IPCOMP_DEFLATE);
 	}
 
+	if (message->get_exchange_type(message) == IKE_AUTH)
+	{
+		charon->bus->narrow(charon->bus, this->child_sa,
+							NARROW_INITIATOR_PRE_NOAUTH, this->tsi, this->tsr);
+	}
+	else
+	{
+		charon->bus->narrow(charon->bus, this->child_sa,
+							NARROW_INITIATOR_PRE_AUTH, this->tsi, this->tsr);
+	}
+
 	build_payloads(this, message);
 
 	this->tsi->destroy_offset(this->tsi, offsetof(traffic_selector_t, destroy));
@@ -914,7 +885,7 @@ static status_t build_r(private_child_create_t *this, message_t *message)
 	peer_cfg_t *peer_cfg;
 	payload_t *payload;
 	enumerator_t *enumerator;
-	bool no_dh = TRUE;
+	bool no_dh = TRUE, ike_auth = FALSE;
 
 	switch (message->get_exchange_type(message))
 	{
@@ -934,6 +905,7 @@ static status_t build_r(private_child_create_t *this, message_t *message)
 			{	/* wait until all authentication round completed */
 				return NEED_MORE;
 			}
+			ike_auth = TRUE;
 		default:
 			break;
 	}
@@ -1016,7 +988,7 @@ static status_t build_r(private_child_create_t *this, message_t *message)
 		}
 	}
 
-	switch (select_and_install(this, no_dh))
+	switch (select_and_install(this, no_dh, ike_auth))
 	{
 		case SUCCESS:
 			break;
@@ -1064,7 +1036,7 @@ static status_t process_i(private_child_create_t *this, message_t *message)
 {
 	enumerator_t *enumerator;
 	payload_t *payload;
-	bool no_dh = TRUE;
+	bool no_dh = TRUE, ike_auth = FALSE;
 
 	switch (message->get_exchange_type(message))
 	{
@@ -1079,6 +1051,7 @@ static status_t process_i(private_child_create_t *this, message_t *message)
 			{	/* wait until all authentication round completed */
 				return NEED_MORE;
 			}
+			ike_auth = TRUE;
 		default:
 			break;
 	}
@@ -1159,7 +1132,7 @@ static status_t process_i(private_child_create_t *this, message_t *message)
 		return SUCCESS;
 	}
 
-	if (select_and_install(this, no_dh) == SUCCESS)
+	if (select_and_install(this, no_dh, ike_auth) == SUCCESS)
 	{
 		DBG0(DBG_IKE, "CHILD_SA %s{%d} established "
 			 "with SPIs %.8x_i %.8x_o and TS %#R=== %#R",
@@ -1229,11 +1202,11 @@ static void migrate(private_child_create_t *this, ike_sa_t *ike_sa)
 {
 	chunk_free(&this->my_nonce);
 	chunk_free(&this->other_nonce);
-	if (this->tsi)
+	if (this->tsr)
 	{
 		this->tsr->destroy_offset(this->tsr, offsetof(traffic_selector_t, destroy));
 	}
-	if (this->tsr)
+	if (this->tsi)
 	{
 		this->tsi->destroy_offset(this->tsi, offsetof(traffic_selector_t, destroy));
 	}
diff --git a/src/libcharon/sa/tasks/child_delete.c b/src/libcharon/sa/tasks/child_delete.c
index d7c6b0541..b0cd30e1e 100644
--- a/src/libcharon/sa/tasks/child_delete.c
+++ b/src/libcharon/sa/tasks/child_delete.c
@@ -191,6 +191,7 @@ static status_t destroy_and_reestablish(private_child_delete_t *this)
 	child_cfg_t *child_cfg;
 	protocol_id_t protocol;
 	u_int32_t spi;
+	action_t action;
 	status_t status = SUCCESS;
 
 	iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
@@ -205,10 +206,11 @@ static status_t destroy_and_reestablish(private_child_delete_t *this)
 		protocol = child_sa->get_protocol(child_sa);
 		child_cfg = child_sa->get_config(child_sa);
 		child_cfg->get_ref(child_cfg);
+		action = child_sa->get_close_action(child_sa);
 		this->ike_sa->destroy_child_sa(this->ike_sa, protocol, spi);
 		if (this->check_delete_action)
 		{	/* enforce child_cfg policy if deleted passively */
-			switch (child_cfg->get_close_action(child_cfg))
+			switch (action)
 			{
 				case ACTION_RESTART:
 					child_cfg->get_ref(child_cfg);
diff --git a/src/libcharon/sa/tasks/child_rekey.c b/src/libcharon/sa/tasks/child_rekey.c
index b5e4e84b4..fb3452efd 100644
--- a/src/libcharon/sa/tasks/child_rekey.c
+++ b/src/libcharon/sa/tasks/child_rekey.c
@@ -214,6 +214,64 @@ static status_t build_r(private_child_rekey_t *this, message_t *message)
 	return SUCCESS;
 }
 
+/**
+ * Handle a rekey collision
+ */
+static child_sa_t *handle_collision(private_child_rekey_t *this)
+{
+	child_sa_t *to_delete;
+
+	if (this->collision->get_type(this->collision) == CHILD_REKEY)
+	{
+		chunk_t this_nonce, other_nonce;
+		private_child_rekey_t *other = (private_child_rekey_t*)this->collision;
+
+		this_nonce = this->child_create->get_lower_nonce(this->child_create);
+		other_nonce = other->child_create->get_lower_nonce(other->child_create);
+
+		/* if we have the lower nonce, delete rekeyed SA. If not, delete
+		 * the redundant. */
+		if (memcmp(this_nonce.ptr, other_nonce.ptr,
+				   min(this_nonce.len, other_nonce.len)) < 0)
+		{
+			child_sa_t *child_sa;
+
+			DBG1(DBG_IKE, "CHILD_SA rekey collision won, "
+				 "deleting rekeyed child");
+			to_delete = this->child_sa;
+			/* disable close action for the redundand child */
+			child_sa = other->child_create->get_child(other->child_create);
+			child_sa->set_close_action(child_sa, ACTION_NONE);
+		}
+		else
+		{
+			DBG1(DBG_IKE, "CHILD_SA rekey collision lost, "
+				 "deleting redundant child");
+			to_delete = this->child_create->get_child(this->child_create);
+		}
+	}
+	else
+	{	/* CHILD_DELETE */
+		child_delete_t *del = (child_delete_t*)this->collision;
+
+		/* we didn't had a chance to compare the nonces, so we delete
+		 * the CHILD_SA the other is not deleting. */
+		if (del->get_child(del) != this->child_sa)
+		{
+			DBG1(DBG_IKE, "CHILD_SA rekey/delete collision, "
+				 "deleting rekeyed child");
+			to_delete = this->child_sa;
+		}
+		else
+		{
+			DBG1(DBG_IKE, "CHILD_SA rekey/delete collision, "
+				 "deleting redundant child");
+			to_delete = this->child_create->get_child(this->child_create);
+		}
+	}
+	return to_delete;
+}
+
 /**
  * Implementation of task_t.process for initiator
  */
@@ -263,35 +321,14 @@ static status_t process_i(private_child_rekey_t *this, message_t *message)
 		return SUCCESS;
 	}
 
-	to_delete = this->child_sa;
-
 	/* check for rekey collisions */
-	if (this->collision &&
-		this->collision->get_type(this->collision) == CHILD_REKEY)
+	if (this->collision)
 	{
-		chunk_t this_nonce, other_nonce;
-		private_child_rekey_t *other = (private_child_rekey_t*)this->collision;
-
-		this_nonce = this->child_create->get_lower_nonce(this->child_create);
-		other_nonce = other->child_create->get_lower_nonce(other->child_create);
-
-		/* if we have the lower nonce, delete rekeyed SA. If not, delete
-		 * the redundant. */
-		if (memcmp(this_nonce.ptr, other_nonce.ptr,
-				   min(this_nonce.len, other_nonce.len)) < 0)
-		{
-			DBG1(DBG_IKE, "CHILD_SA rekey collision won, deleting rekeyed child");
-		}
-		else
-		{
-			DBG1(DBG_IKE, "CHILD_SA rekey collision lost, deleting redundant child");
-			to_delete = this->child_create->get_child(this->child_create);
-			if (to_delete == NULL)
-			{
-				/* ooops, should not happen, fallback */
-				to_delete = this->child_sa;
-			}
-		}
+		to_delete = handle_collision(this);
+	}
+	else
+	{
+		to_delete = this->child_sa;
 	}
 
 	if (to_delete != this->child_create->get_child(this->child_create))
@@ -300,6 +337,10 @@ static status_t process_i(private_child_rekey_t *this, message_t *message)
 							this->child_create->get_child(this->child_create));
 	}
 
+	if (to_delete == NULL)
+	{
+		return SUCCESS;
+	}
 	spi = to_delete->get_spi(to_delete, TRUE);
 	protocol = to_delete->get_protocol(to_delete);
 
diff --git a/src/libcharon/sa/tasks/ike_auth.c b/src/libcharon/sa/tasks/ike_auth.c
index a07f96767..a954782f2 100644
--- a/src/libcharon/sa/tasks/ike_auth.c
+++ b/src/libcharon/sa/tasks/ike_auth.c
@@ -518,6 +518,7 @@ static status_t process_r(private_ike_auth_t *this, message_t *message)
 					(uintptr_t)cand->get(cand, AUTH_RULE_EAP_TYPE) == EAP_NAK &&
 					(uintptr_t)cand->get(cand, AUTH_RULE_EAP_VENDOR) == 0))
 			{	/* peer requested EAP, but current config does not match */
+				DBG1(DBG_IKE, "peer requested EAP, config inacceptable");
 				this->peer_cfg->destroy(this->peer_cfg);
 				this->peer_cfg = NULL;
 				if (!update_cfg_candidates(this, FALSE))
@@ -527,7 +528,16 @@ static status_t process_r(private_ike_auth_t *this, message_t *message)
 				}
 				cand = get_auth_cfg(this, FALSE);
 			}
-			cfg->merge(cfg, cand, TRUE);
+			/* copy over the EAP specific rules for authentication */
+			cfg->add(cfg, AUTH_RULE_EAP_TYPE,
+					 cand->get(cand, AUTH_RULE_EAP_TYPE));
+			cfg->add(cfg, AUTH_RULE_EAP_VENDOR,
+					 cand->get(cand, AUTH_RULE_EAP_VENDOR));
+			id = (identification_t*)cand->get(cand, AUTH_RULE_EAP_IDENTITY);
+			if (id)
+			{
+				cfg->add(cfg, AUTH_RULE_EAP_IDENTITY, id->clone(id));
+			}
 		}
 
 		/* verify authentication data */
diff --git a/src/libcharon/sa/tasks/ike_cert_post.c b/src/libcharon/sa/tasks/ike_cert_post.c
index c831df975..cc810a49a 100644
--- a/src/libcharon/sa/tasks/ike_cert_post.c
+++ b/src/libcharon/sa/tasks/ike_cert_post.c
@@ -72,14 +72,18 @@ static cert_payload_t *build_cert_payload(private_ike_cert_post_t *this,
 		return cert_payload_create_from_cert(cert);
 	}
 
-	encoded = cert->get_encoding(cert);
+	if (!cert->get_encoding(cert, CERT_ASN1_DER, &encoded))
+	{
+		DBG1(DBG_IKE, "encoding certificate for cert payload failed");
+		hasher->destroy(hasher);
+		return NULL;
+	}
 	hasher->allocate_hash(hasher, encoded, &hash);
 	chunk_free(&encoded);
 	hasher->destroy(hasher);
 	id = identification_create_from_encoding(ID_KEY_ID, hash);
 
-	enumerator = charon->credentials->create_cdp_enumerator(charon->credentials,
-															CERT_X509, id);
+	enumerator = lib->credmgr->create_cdp_enumerator(lib->credmgr, CERT_X509, id);
 	if (enumerator->enumerate(enumerator, &url))
 	{
 		payload = cert_payload_create_from_hash_and_url(hash, url);
diff --git a/src/libcharon/sa/tasks/ike_cert_pre.c b/src/libcharon/sa/tasks/ike_cert_pre.c
index 0805d0290..1c0c54727 100644
--- a/src/libcharon/sa/tasks/ike_cert_pre.c
+++ b/src/libcharon/sa/tasks/ike_cert_pre.c
@@ -93,8 +93,8 @@ static void process_certreqs(private_ike_cert_pre_t *this, message_t *message)
 					certificate_t *cert;
 
 					id = identification_create_from_encoding(ID_KEY_ID, keyid);
-					cert = charon->credentials->get_cert(charon->credentials,
-											CERT_X509, KEY_ANY, id, TRUE);
+					cert = lib->credmgr->get_cert(lib->credmgr,
+												  CERT_X509, KEY_ANY, id, TRUE);
 					if (cert)
 					{
 						DBG1(DBG_IKE, "received cert request for \"%Y\"",
@@ -156,8 +156,8 @@ static certificate_t *try_get_cert(cert_payload_t *cert_payload)
 				break;
 			}
 			id = identification_create_from_encoding(ID_KEY_ID, hash);
-			cert = charon->credentials->get_cert(charon->credentials,
-												 CERT_X509, KEY_ANY, id, FALSE);
+			cert = lib->credmgr->get_cert(lib->credmgr,
+										  CERT_X509, KEY_ANY, id, FALSE);
 			id->destroy(id);
 			break;
 		}
@@ -299,7 +299,7 @@ static void add_certreq(certreq_payload_t **req, certificate_t *cert)
 			{
 				*req = certreq_payload_create_type(CERT_X509);
 			}
-			if (public->get_fingerprint(public, KEY_ID_PUBKEY_INFO_SHA1, &keyid))
+			if (public->get_fingerprint(public, KEYID_PUBKEY_INFO_SHA1, &keyid))
 			{
 				(*req)->add_keyid(*req, keyid);
 				DBG1(DBG_IKE, "sending cert request for \"%Y\"",
@@ -370,8 +370,8 @@ static void build_certreqs(private_ike_cert_pre_t *this, message_t *message)
 	if (!req)
 	{
 		/* otherwise add all trusted CA certificates */
-		enumerator = charon->credentials->create_cert_enumerator(
-							charon->credentials, CERT_ANY, KEY_ANY, NULL, TRUE);
+		enumerator = lib->credmgr->create_cert_enumerator(lib->credmgr,
+												CERT_ANY, KEY_ANY, NULL, TRUE);
 		while (enumerator->enumerate(enumerator, &cert))
 		{
 			add_certreq(&req, cert);
diff --git a/src/libcharon/sa/tasks/ike_config.c b/src/libcharon/sa/tasks/ike_config.c
index 58bcf0762..c92b5bca5 100644
--- a/src/libcharon/sa/tasks/ike_config.c
+++ b/src/libcharon/sa/tasks/ike_config.c
@@ -333,7 +333,7 @@ static status_t build_r(private_ike_config_t *this, message_t *message)
 									chunk_empty);
 				return SUCCESS;
 			}
-			DBG1(DBG_IKE, "assigning virtual IP %H to peer", vip);
+			DBG1(DBG_IKE, "assigning virtual IP %H to peer '%Y'", vip, id);
 			this->ike_sa->set_virtual_ip(this->ike_sa, FALSE, vip);
 
 			cp = cp_payload_create_type(CFG_REPLY);
@@ -342,7 +342,7 @@ static status_t build_r(private_ike_config_t *this, message_t *message)
 
 		/* query registered providers for additional attributes to include */
 		enumerator = hydra->attributes->create_responder_enumerator(
-													hydra->attributes, id, vip);
+						hydra->attributes, config->get_pool(config), id, vip);
 		while (enumerator->enumerate(enumerator, &type, &value))
 		{
 			if (!cp)
diff --git a/src/libcharon/sa/tasks/ike_init.c b/src/libcharon/sa/tasks/ike_init.c
index 5eb33b540..38fb572f4 100644
--- a/src/libcharon/sa/tasks/ike_init.c
+++ b/src/libcharon/sa/tasks/ike_init.c
@@ -543,6 +543,7 @@ static void migrate(private_ike_init_t *this, ike_sa_t *ike_sa)
 	chunk_free(&this->other_nonce);
 
 	this->ike_sa = ike_sa;
+	this->keymat = ike_sa->get_keymat(ike_sa);
 	this->proposal = NULL;
 	DESTROY_IF(this->dh);
 	this->dh = this->keymat->create_dh(this->keymat, this->dh_group);
diff --git a/src/libcharon/sa/trap_manager.c b/src/libcharon/sa/trap_manager.c
index 878170c83..80bf647cd 100644
--- a/src/libcharon/sa/trap_manager.c
+++ b/src/libcharon/sa/trap_manager.c
@@ -128,7 +128,7 @@ static u_int32_t install(private_trap_manager_t *this, peer_cfg_t *peer,
 	ike_cfg = peer->get_ike_cfg(peer);
 	other = host_create_from_dns(ike_cfg->get_other_addr(ike_cfg),
 								 0, ike_cfg->get_other_port(ike_cfg));
-	if (!other)
+	if (!other || other->is_anyaddr(other))
 	{
 		DBG1(DBG_CFG, "installing trap failed, remote address unknown");
 		return 0;
diff --git a/src/libfast/Makefile.in b/src/libfast/Makefile.in
index f6d1f20a5..a84b272dc 100644
--- a/src/libfast/Makefile.in
+++ b/src/libfast/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
diff --git a/src/libfast/request.c b/src/libfast/request.c
index 6bf596fd8..16c1ae583 100644
--- a/src/libfast/request.c
+++ b/src/libfast/request.c
@@ -203,6 +203,14 @@ static char* get_query_data(private_request_t *this, char *name)
 	return hdf_get_valuef(this->hdf, "Query.%s", name);
 }
 
+/**
+ * Implementation of request_t.read_data.
+ */
+static int read_data(private_request_t *this, char *buf, int len)
+{
+	return FCGX_GetStr(buf, len, this->req.in);
+}
+
 /**
  * Implementation of request_t.get_base.
  */
@@ -407,6 +415,7 @@ request_t *request_create(int fd, bool debug)
 	this->public.add_cookie = (void(*)(request_t*, char *name, char *value))add_cookie;
 	this->public.get_cookie = (char*(*)(request_t*,char*))get_cookie;
 	this->public.get_query_data = (char*(*)(request_t*, char *name))get_query_data;
+	this->public.read_data = (int(*)(request_t*, char*, int))read_data;
 	this->public.session_closed = (bool(*)(request_t*))session_closed;
 	this->public.close_session = (void(*)(request_t*))close_session;
 	this->public.redirect = (void(*)(request_t*, char *fmt,...))redirect;
diff --git a/src/libfast/request.h b/src/libfast/request.h
index af0f8e4f5..9ca74a91e 100644
--- a/src/libfast/request.h
+++ b/src/libfast/request.h
@@ -85,6 +85,15 @@ struct request_t {
 	 */
 	char* (*get_query_data)(request_t *this, char *name);
 
+	/**
+	 * Read raw POST/PUT data from HTTP request.
+	 *
+	 * @param buf		buffer to read data into
+	 * @param len		size of the supplied buffer
+	 * @return			number of bytes read, < 0 on error
+	 */
+	int (*read_data)(request_t *this, char *buf, int len);
+
 	/**
 	 * Close the session and it's context after handling.
 	 */
diff --git a/src/libfreeswan/Makefile.in b/src/libfreeswan/Makefile.in
index e752df82d..6d640d778 100644
--- a/src/libfreeswan/Makefile.in
+++ b/src/libfreeswan/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
diff --git a/src/libhydra/Makefile.am b/src/libhydra/Makefile.am
index 601a56e38..4e5c55d3f 100644
--- a/src/libhydra/Makefile.am
+++ b/src/libhydra/Makefile.am
@@ -40,3 +40,10 @@ if MONOLITHIC
 endif
 endif
 
+if USE_RESOLVE
+  SUBDIRS += plugins/resolve
+if MONOLITHIC
+  libhydra_la_LIBADD += plugins/resolve/libstrongswan-resolve.la
+endif
+endif
+
diff --git a/src/libhydra/Makefile.in b/src/libhydra/Makefile.in
index 32027d1ea..a3aec26c9 100644
--- a/src/libhydra/Makefile.in
+++ b/src/libhydra/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -38,6 +38,8 @@ host_triplet = @host@
 @MONOLITHIC_TRUE@@USE_ATTR_TRUE@am__append_2 = plugins/attr/libstrongswan-attr.la
 @USE_ATTR_SQL_TRUE@am__append_3 = plugins/attr_sql
 @MONOLITHIC_TRUE@@USE_ATTR_SQL_TRUE@am__append_4 = plugins/attr_sql/libstrongswan-attr-sql.la
+@USE_RESOLVE_TRUE@am__append_5 = plugins/resolve
+@MONOLITHIC_TRUE@@USE_RESOLVE_TRUE@am__append_6 = plugins/resolve/libstrongswan-resolve.la
 subdir = src/libhydra
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
@@ -77,7 +79,8 @@ am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__installdirs = "$(DESTDIR)$(libdir)"
 LTLIBRARIES = $(lib_LTLIBRARIES)
-libhydra_la_DEPENDENCIES = $(am__append_2) $(am__append_4)
+libhydra_la_DEPENDENCIES = $(am__append_2) $(am__append_4) \
+	$(am__append_6)
 am_libhydra_la_OBJECTS = hydra.lo attributes.lo attribute_manager.lo \
 	mem_pool.lo
 libhydra_la_OBJECTS = $(am_libhydra_la_OBJECTS)
@@ -110,7 +113,7 @@ AM_RECURSIVE_TARGETS = $(RECURSIVE_TARGETS:-recursive=) \
 	distdir
 ETAGS = etags
 CTAGS = ctags
-DIST_SUBDIRS = . plugins/attr plugins/attr_sql
+DIST_SUBDIRS = . plugins/attr plugins/attr_sql plugins/resolve
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 am__relativize = \
   dir0=`pwd`; \
@@ -300,7 +303,7 @@ attributes/attribute_provider.h attributes/attribute_handler.h \
 attributes/attribute_manager.c attributes/attribute_manager.h \
 attributes/mem_pool.c attributes/mem_pool.h
 
-libhydra_la_LIBADD = $(am__append_2) $(am__append_4)
+libhydra_la_LIBADD = $(am__append_2) $(am__append_4) $(am__append_6)
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
 AM_CFLAGS = \
 -DIPSEC_DIR=\"${ipsecdir}\" \
@@ -308,11 +311,13 @@ AM_CFLAGS = \
 -DSTRONGSWAN_CONF=\"${strongswan_conf}\"
 
 EXTRA_DIST = Android.mk
-@MONOLITHIC_FALSE@SUBDIRS = . $(am__append_1) $(am__append_3)
+@MONOLITHIC_FALSE@SUBDIRS = . $(am__append_1) $(am__append_3) \
+@MONOLITHIC_FALSE@	$(am__append_5)
 
 # build optional plugins
 ########################
-@MONOLITHIC_TRUE@SUBDIRS = $(am__append_1) $(am__append_3)
+@MONOLITHIC_TRUE@SUBDIRS = $(am__append_1) $(am__append_3) \
+@MONOLITHIC_TRUE@	$(am__append_5)
 all: all-recursive
 
 .SUFFIXES:
@@ -447,7 +452,7 @@ clean-libtool:
 #     (which will cause the Makefiles to be regenerated when you run `make');
 # (2) otherwise, pass the desired values on the `make' command line.
 $(RECURSIVE_TARGETS):
-	@failcom='exit 1'; \
+	@fail= failcom='exit 1'; \
 	for f in x $$MAKEFLAGS; do \
 	  case $$f in \
 	    *=* | --[!k]*);; \
@@ -472,7 +477,7 @@ $(RECURSIVE_TARGETS):
 	fi; test -z "$$fail"
 
 $(RECURSIVE_CLEAN_TARGETS):
-	@failcom='exit 1'; \
+	@fail= failcom='exit 1'; \
 	for f in x $$MAKEFLAGS; do \
 	  case $$f in \
 	    *=* | --[!k]*);; \
diff --git a/src/libhydra/attributes/attribute_manager.c b/src/libhydra/attributes/attribute_manager.c
index 3080b56eb..0d4cbda82 100644
--- a/src/libhydra/attributes/attribute_manager.c
+++ b/src/libhydra/attributes/attribute_manager.c
@@ -51,6 +51,8 @@ struct private_attribute_manager_t {
  * Data to pass to enumerator filters
  */
 typedef struct {
+	/** attribute group pool */
+	char *pool;
 	/** server/peer identity */
 	identification_t *id;
 	/** requesting/assigned virtual IP */
@@ -123,17 +125,20 @@ static void release_address(private_attribute_manager_t *this,
 static enumerator_t *responder_enum_create(attribute_provider_t *provider,
 										   enum_data_t *data)
 {
-	return provider->create_attribute_enumerator(provider, data->id, data->vip);
+	return provider->create_attribute_enumerator(provider, data->pool,
+												 data->id, data->vip);
 }
 
 /**
  * Implementation of attribute_manager_t.create_responder_enumerator
  */
 static enumerator_t* create_responder_enumerator(
-			private_attribute_manager_t *this, identification_t *id, host_t *vip)
+								private_attribute_manager_t *this, char *pool,
+								identification_t *id, host_t *vip)
 {
 	enum_data_t *data = malloc_thing(enum_data_t);
 
+	data->pool = pool;
 	data->id = id;
 	data->vip = vip;
 	this->lock->read_lock(this->lock);
@@ -355,7 +360,7 @@ attribute_manager_t *attribute_manager_create()
 
 	this->public.acquire_address = (host_t*(*)(attribute_manager_t*, char*, identification_t*,host_t*))acquire_address;
 	this->public.release_address = (void(*)(attribute_manager_t*, char *, host_t*, identification_t*))release_address;
-	this->public.create_responder_enumerator = (enumerator_t*(*)(attribute_manager_t*, identification_t*, host_t*))create_responder_enumerator;
+	this->public.create_responder_enumerator = (enumerator_t*(*)(attribute_manager_t*, char *name, identification_t*, host_t*))create_responder_enumerator;
 	this->public.add_provider = (void(*)(attribute_manager_t*, attribute_provider_t *provider))add_provider;
 	this->public.remove_provider = (void(*)(attribute_manager_t*, attribute_provider_t *provider))remove_provider;
 	this->public.handle = (attribute_handler_t*(*)(attribute_manager_t*,identification_t*, attribute_handler_t*, configuration_attribute_type_t, chunk_t))handle;
diff --git a/src/libhydra/attributes/attribute_manager.h b/src/libhydra/attributes/attribute_manager.h
index 642662366..56afef7c6 100644
--- a/src/libhydra/attributes/attribute_manager.h
+++ b/src/libhydra/attributes/attribute_manager.h
@@ -61,12 +61,13 @@ struct attribute_manager_t {
 	/**
 	 * Create an enumerator over attributes to hand out to a peer.
 	 *
+	 * @param pool			pool name to get attributes from
 	 * @param id			peer identity to hand out attributes to
 	 * @param vip			virtual IP to assign to peer, if any
 	 * @return				enumerator (configuration_attribute_type_t, chunk_t)
 	 */
 	enumerator_t* (*create_responder_enumerator)(attribute_manager_t *this,
-											identification_t *id, host_t *vip);
+								char *pool, identification_t *id, host_t *vip);
 
 	/**
 	 * Register an attribute provider to the manager.
diff --git a/src/libhydra/attributes/attribute_provider.h b/src/libhydra/attributes/attribute_provider.h
index f8485cc6c..e4b4e13f3 100644
--- a/src/libhydra/attributes/attribute_provider.h
+++ b/src/libhydra/attributes/attribute_provider.h
@@ -56,12 +56,13 @@ struct attribute_provider_t {
 	/**
 	 * Create an enumerator over attributes to hand out to a peer.
 	 *
+	 * @param pool			pool name to get attributes from
 	 * @param id			peer ID
 	 * @param vip			virtual IP to assign to peer, if any
 	 * @return				enumerator (configuration_attribute_type_t, chunk_t)
 	 */
 	enumerator_t* (*create_attribute_enumerator)(attribute_provider_t *this,
-											identification_t *id, host_t *vip);
+							char *pool, identification_t *id, host_t *vip);
 };
 
 #endif /** ATTRIBUTE_PROVIDER_H_ @}*/
diff --git a/src/libhydra/attributes/attributes.c b/src/libhydra/attributes/attributes.c
index 83feed17e..ea87109e2 100644
--- a/src/libhydra/attributes/attributes.c
+++ b/src/libhydra/attributes/attributes.c
@@ -36,8 +36,77 @@ ENUM_BEGIN(configuration_attribute_type_names, INTERNAL_IP4_ADDRESS, INTERNAL_IP
 	"MIP6_HOME_PREFIX",
 	"INTERNAL_IP6_LINK",
 	"INTERNAL_IP6_PREFIX");
-ENUM_NEXT(configuration_attribute_type_names, INTERNAL_IP4_SERVER, INTERNAL_IP6_SERVER, INTERNAL_IP6_PREFIX,
+ENUM_NEXT(configuration_attribute_type_names, XAUTH_TYPE, XAUTH_ANSWER, INTERNAL_IP6_PREFIX,
+	"XAUTH_TYPE",
+	"XAUTH_USER_NAME",
+	"XAUTH_USER_PASSWORD",
+	"XAUTH_PASSCODE",
+	"XAUTH_MESSAGE",
+	"XAUTH_CHALLENGE",
+	"XAUTH_DOMAIN",
+	"XAUTH_STATUS",
+	"XAUTH_NEXT_PIN",
+	"XAUTH_ANSWER");
+ENUM_NEXT(configuration_attribute_type_names, INTERNAL_IP4_SERVER, INTERNAL_IP6_SERVER, XAUTH_ANSWER,
 	"INTERNAL_IP4_SERVER",
 	"INTERNAL_IP6_SERVER");
-ENUM_END(configuration_attribute_type_names, INTERNAL_IP6_SERVER);
+ENUM_NEXT(configuration_attribute_type_names, UNITY_BANNER, UNITY_DDNS_HOSTNAME, INTERNAL_IP6_SERVER,
+	"UNITY_BANNER",
+	"UNITY_SAVE_PASSWD",
+	"UNITY_DEF_DOMAIN",
+	"UNITY_SPLITDNS_NAME",
+	"UNITY_SPLIT_INCLUDE",
+	"UNITY_NATT_PORT",
+	"UNITY_LOCAL_LAN",
+	"UNITY_PFS",
+	"UNITY_FW_TYPE",
+	"UNITY_BACKUP_SERVERS",
+	"UNITY_DDNS_HOSTNAME");
+ENUM_END(configuration_attribute_type_names, UNITY_DDNS_HOSTNAME);
 
+ENUM_BEGIN(configuration_attribute_type_short_names, INTERNAL_IP4_ADDRESS, INTERNAL_IP6_PREFIX,
+	"ADDR",
+	"MASK",
+	"DNS",
+	"NBNS",
+	"EXP",
+	"DHCP",
+	"VER",
+	"ADDR6",
+	"MASK6",
+	"DNS6",
+	"NBNS6",
+	"DHCP6",
+	"SUBNET",
+	"SUPPORTED",
+	"SUBNET6",
+	"MIP6HPFX",
+	"LINK6",
+	"PFX6");
+ENUM_NEXT(configuration_attribute_type_short_names, XAUTH_TYPE, XAUTH_ANSWER, INTERNAL_IP6_PREFIX,
+	"XAUTH_TYPE",
+	"XAUTH_USER_NAME",
+	"XAUTH_USER_PASSWORD",
+	"XAUTH_PASSCODE",
+	"XAUTH_MESSAGE",
+	"XAUTH_CHALLENGE",
+	"XAUTH_DOMAIN",
+	"XAUTH_STATUS",
+	"XAUTH_NEXT_PIN",
+	"XAUTH_ANSWER");
+ENUM_NEXT(configuration_attribute_type_short_names, INTERNAL_IP4_SERVER, INTERNAL_IP6_SERVER, XAUTH_ANSWER,
+	"SRV",
+	"SRV6");
+ENUM_NEXT(configuration_attribute_type_short_names, UNITY_BANNER, UNITY_DDNS_HOSTNAME, INTERNAL_IP6_SERVER,
+	"UNITY_BANNER",
+	"UNITY_SAVE_PASSWD",
+	"UNITY_DEF_DOMAIN",
+	"UNITY_SPLITDNS_NAME",
+	"UNITY_SPLIT_INCLUDE",
+	"UNITY_NATT_PORT",
+	"UNITY_LOCAL_LAN",
+	"UNITY_PFS",
+	"UNITY_FW_TYPE",
+	"UNITY_BACKUP_SERVERS",
+	"UNITY_DDNS_HOSTNAME");
+ENUM_END(configuration_attribute_type_short_names, UNITY_DDNS_HOSTNAME);
diff --git a/src/libhydra/attributes/attributes.h b/src/libhydra/attributes/attributes.h
index f4a396f21..3a40ba367 100644
--- a/src/libhydra/attributes/attributes.h
+++ b/src/libhydra/attributes/attributes.h
@@ -30,27 +30,50 @@ typedef enum configuration_attribute_type_t configuration_attribute_type_t;
  * Type of the attribute, as in IKEv2 RFC 3.15.1 or IKEv1 ModeConfig.
  */
 enum configuration_attribute_type_t {
-	INTERNAL_IP4_ADDRESS = 1,
-	INTERNAL_IP4_NETMASK = 2,
-	INTERNAL_IP4_DNS = 3,
-	INTERNAL_IP4_NBNS = 4,
+	INTERNAL_IP4_ADDRESS    = 1,
+	INTERNAL_IP4_NETMASK    = 2,
+	INTERNAL_IP4_DNS        = 3,
+	INTERNAL_IP4_NBNS       = 4,
 	INTERNAL_ADDRESS_EXPIRY = 5,
-	INTERNAL_IP4_DHCP = 6,
-	APPLICATION_VERSION = 7,
-	INTERNAL_IP6_ADDRESS = 8,
-	INTERNAL_IP6_NETMASK = 9,
-	INTERNAL_IP6_DNS = 10,
-	INTERNAL_IP6_NBNS = 11,
-	INTERNAL_IP6_DHCP = 12,
-	INTERNAL_IP4_SUBNET = 13,
-	SUPPORTED_ATTRIBUTES = 14,
-	INTERNAL_IP6_SUBNET = 15,
-	MIP6_HOME_PREFIX = 16,
-	INTERNAL_IP6_LINK = 17,
-	INTERNAL_IP6_PREFIX = 18,
+	INTERNAL_IP4_DHCP       = 6,
+	APPLICATION_VERSION     = 7,
+	INTERNAL_IP6_ADDRESS    = 8,
+	INTERNAL_IP6_NETMASK    = 9,
+	INTERNAL_IP6_DNS        = 10,
+	INTERNAL_IP6_NBNS       = 11,
+	INTERNAL_IP6_DHCP       = 12,
+	INTERNAL_IP4_SUBNET     = 13,
+	SUPPORTED_ATTRIBUTES    = 14,
+	INTERNAL_IP6_SUBNET     = 15,
+	MIP6_HOME_PREFIX        = 16,
+	INTERNAL_IP6_LINK       = 17,
+	INTERNAL_IP6_PREFIX     = 18,
+	/* XAUTH attributes */
+	XAUTH_TYPE              = 16520,
+	XAUTH_USER_NAME         = 16521,
+	XAUTH_USER_PASSWORD     = 16522,
+	XAUTH_PASSCODE          = 16523,
+	XAUTH_MESSAGE           = 16524,
+	XAUTH_CHALLENGE         = 16525,
+	XAUTH_DOMAIN            = 16526,
+	XAUTH_STATUS            = 16527,
+	XAUTH_NEXT_PIN          = 16528,
+	XAUTH_ANSWER            = 16529,
 	/* proprietary Microsoft attributes */
-	INTERNAL_IP4_SERVER = 23456,
-	INTERNAL_IP6_SERVER = 23457
+	INTERNAL_IP4_SERVER     = 23456,
+	INTERNAL_IP6_SERVER     = 23457,
+	/* proprietary Cisco Unity attributes */
+	UNITY_BANNER            = 28672,
+	UNITY_SAVE_PASSWD       = 28673,
+	UNITY_DEF_DOMAIN        = 28674,
+	UNITY_SPLITDNS_NAME     = 28675,
+	UNITY_SPLIT_INCLUDE     = 28676,
+	UNITY_NATT_PORT         = 28677,
+	UNITY_LOCAL_LAN         = 28678,
+	UNITY_PFS               = 28679,
+	UNITY_FW_TYPE           = 28680,
+	UNITY_BACKUP_SERVERS    = 28681,
+	UNITY_DDNS_HOSTNAME     = 28682
 };
 
 /**
@@ -58,5 +81,10 @@ enum configuration_attribute_type_t {
  */
 extern enum_name_t *configuration_attribute_type_names;
 
+/**
+ * Short enum names for configuration_attribute_type_t.
+ */
+extern enum_name_t *configuration_attribute_type_short_names;
+
 
 #endif /** ATTRIBUTES_H_ @}*/
diff --git a/src/libhydra/attributes/mem_pool.c b/src/libhydra/attributes/mem_pool.c
index 65018e3a9..e1d69fd6b 100644
--- a/src/libhydra/attributes/mem_pool.c
+++ b/src/libhydra/attributes/mem_pool.c
@@ -225,9 +225,18 @@ METHOD(mem_pool_t, acquire_address, host_t*,
 
 		/* check for a valid online lease, reassign */
 		offset = (uintptr_t)this->online->get(this->online, id);
-		if (offset && offset == host2offset(this, requested))
+		if (offset)
 		{
-			DBG1(DBG_CFG, "reassigning online lease to '%Y'", id);
+			if (offset == host2offset(this, requested))
+			{
+				DBG1(DBG_CFG, "reassigning online lease to '%Y'", id);
+			}
+			else
+			{
+				DBG1(DBG_CFG, "'%Y' already has an online lease, "
+					 "unable to assign address", id);
+				offset = 0;
+			}
 			break;
 		}
 
diff --git a/src/libhydra/plugins/attr/Makefile.in b/src/libhydra/plugins/attr/Makefile.in
index 54aa64beb..71402fc7f 100644
--- a/src/libhydra/plugins/attr/Makefile.in
+++ b/src/libhydra/plugins/attr/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
diff --git a/src/libhydra/plugins/attr/attr_provider.c b/src/libhydra/plugins/attr/attr_provider.c
index 9d6daa892..b3c0cc076 100644
--- a/src/libhydra/plugins/attr/attr_provider.c
+++ b/src/libhydra/plugins/attr/attr_provider.c
@@ -65,7 +65,7 @@ static bool attr_enum_filter(void *null, attribute_entry_t **in,
  * Implementation of attribute_provider_t.create_attribute_enumerator
  */
 static enumerator_t* create_attribute_enumerator(private_attr_provider_t *this,
-											identification_t *id, host_t *vip)
+								char *pool, identification_t *id, host_t *vip)
 {
 	if (vip)
 	{
@@ -148,6 +148,7 @@ static struct {
 	{"dhcp",		INTERNAL_IP4_DHCP,		INTERNAL_IP6_DHCP},
 	{"netmask",		INTERNAL_IP4_NETMASK,	INTERNAL_IP6_NETMASK},
 	{"server",		INTERNAL_IP4_SERVER,	INTERNAL_IP6_SERVER},
+	{"subnet",		INTERNAL_IP4_SUBNET,	INTERNAL_IP6_SUBNET},
 };
 
 /**
@@ -165,12 +166,19 @@ static void load_entries(private_attr_provider_t *this)
 		configuration_attribute_type_t type;
 		attribute_entry_t *entry;
 		host_t *host;
-		int i;
+		char *pos;
+		int i, mask = -1;
 
 		type = atoi(key);
 		tokens = enumerator_create_token(value, ",", " ");
 		while (tokens->enumerate(tokens, &token))
 		{
+			pos = strchr(token, '/');
+			if (pos)
+			{
+				*(pos++) = '\0';
+				mask = atoi(pos);
+			}
 			host = host_create_from_string(token, 0);
 			if (!host)
 			{
@@ -201,7 +209,27 @@ static void load_entries(private_attr_provider_t *this)
 			}
 			entry = malloc_thing(attribute_entry_t);
 			entry->type = type;
-			entry->value = chunk_clone(host->get_address(host));
+			if (mask == -1)
+			{
+				entry->value = chunk_clone(host->get_address(host));
+			}
+			else
+			{
+				if (host->get_family(host) == AF_INET)
+				{	/* IPv4 attributes contain a subnet mask */
+					u_int32_t netmask;
+
+					mask = 32 - mask;
+					netmask = htonl((0xFFFFFFFF >> mask) << mask);
+					entry->value = chunk_cat("cc", host->get_address(host),
+											 chunk_from_thing(netmask));
+				}
+				else
+				{	/* IPv6 addresses the prefix only */
+					entry->value = chunk_cat("cc", host->get_address(host),
+											 chunk_from_chars(mask));
+				}
+			}
 			host->destroy(host);
 			this->attributes->insert_last(this->attributes, entry);
 		}
@@ -222,7 +250,7 @@ attr_provider_t *attr_provider_create(database_t *db)
 
 	this->public.provider.acquire_address = (host_t*(*)(attribute_provider_t *this, char*, identification_t *, host_t *))return_null;
 	this->public.provider.release_address = (bool(*)(attribute_provider_t *this, char*,host_t *, identification_t*))return_false;
-	this->public.provider.create_attribute_enumerator = (enumerator_t*(*)(attribute_provider_t*, identification_t *id, host_t *vip))create_attribute_enumerator;
+	this->public.provider.create_attribute_enumerator = (enumerator_t*(*)(attribute_provider_t*, char *names, identification_t *id, host_t *vip))create_attribute_enumerator;
 	this->public.destroy = (void(*)(attr_provider_t*))destroy;
 
 	this->attributes = linked_list_create();
diff --git a/src/libhydra/plugins/attr_sql/Makefile.am b/src/libhydra/plugins/attr_sql/Makefile.am
index 376a8259c..a3dac863f 100644
--- a/src/libhydra/plugins/attr_sql/Makefile.am
+++ b/src/libhydra/plugins/attr_sql/Makefile.am
@@ -18,6 +18,8 @@ libstrongswan_attr_sql_la_SOURCES = \
 libstrongswan_attr_sql_la_LDFLAGS = -module -avoid-version
 
 ipsec_PROGRAMS = pool
-pool_SOURCES = pool.c
-pool_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
+pool_SOURCES = pool.c pool_attributes.c pool_attributes.h \
+			   pool_usage.h pool_usage.c
+pool_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la \
+			 $(top_builddir)/src/libhydra/libhydra.la
 pool.o :	$(top_builddir)/config.status
diff --git a/src/libhydra/plugins/attr_sql/Makefile.in b/src/libhydra/plugins/attr_sql/Makefile.in
index 99e97cefc..edf51059b 100644
--- a/src/libhydra/plugins/attr_sql/Makefile.in
+++ b/src/libhydra/plugins/attr_sql/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -88,10 +88,12 @@ libstrongswan_attr_sql_la_LINK = $(LIBTOOL) --tag=CC \
 @MONOLITHIC_FALSE@	$(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_attr_sql_la_rpath =
 PROGRAMS = $(ipsec_PROGRAMS)
-am_pool_OBJECTS = pool.$(OBJEXT)
+am_pool_OBJECTS = pool.$(OBJEXT) pool_attributes.$(OBJEXT) \
+	pool_usage.$(OBJEXT)
 pool_OBJECTS = $(am_pool_OBJECTS)
 pool_DEPENDENCIES =  \
-	$(top_builddir)/src/libstrongswan/libstrongswan.la
+	$(top_builddir)/src/libstrongswan/libstrongswan.la \
+	$(top_builddir)/src/libhydra/libhydra.la
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
@@ -277,8 +279,12 @@ libstrongswan_attr_sql_la_SOURCES = \
 	sql_attribute.h sql_attribute.c
 
 libstrongswan_attr_sql_la_LDFLAGS = -module -avoid-version
-pool_SOURCES = pool.c
-pool_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
+pool_SOURCES = pool.c pool_attributes.c pool_attributes.h \
+			   pool_usage.h pool_usage.c
+
+pool_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la \
+			 $(top_builddir)/src/libhydra/libhydra.la
+
 all: all-am
 
 .SUFFIXES:
@@ -410,6 +416,8 @@ distclean-compile:
 
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/attr_sql_plugin.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pool.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pool_attributes.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pool_usage.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sql_attribute.Plo@am__quote@
 
 .c.o:
diff --git a/src/libhydra/plugins/attr_sql/pool.c b/src/libhydra/plugins/attr_sql/pool.c
index fed89fc51..b4bdfc629 100644
--- a/src/libhydra/plugins/attr_sql/pool.c
+++ b/src/libhydra/plugins/attr_sql/pool.c
@@ -27,15 +27,18 @@
 #include <utils/identification.h>
 #include <attributes/attributes.h>
 
+#include "pool_attributes.h"
+#include "pool_usage.h"
+
 /**
  * global database handle
  */
 database_t *db;
 
 /**
- * --start/--end/--server addresses of various subcommands
+ * --start/--end addresses of various subcommands
  */
-host_t *start = NULL, *end = NULL, *server = NULL;
+host_t *start = NULL, *end = NULL;
 
 /**
  * whether --add should --replace an existing pool
@@ -125,23 +128,6 @@ static bool is_attribute(char *name)
 		   strcaseeq(name, "wins");
 }
 
-/**
- * determine configuration attribute type
- */
-static configuration_attribute_type_t get_attribute_type(char *name, host_t* addr)
-{
-	if (strcaseeq(name, "dns"))
-	{
-		return (addr->get_family(addr) == AF_INET) ? INTERNAL_IP4_DNS :
-													 INTERNAL_IP6_DNS;
-	}
-	else
-	{
-		return (addr->get_family(addr) == AF_INET) ? INTERNAL_IP4_NBNS :
-													 INTERNAL_IP6_NBNS;
-	}
-}
-
 /**
  * calculate the size of a pool using start and end address chunk
  */
@@ -158,85 +144,6 @@ static u_int get_pool_size(chunk_t start, chunk_t end)
 	return ntohl(*end_ptr) -  ntohl(*start_ptr) + 1;
 }
 
-/**
- * print usage info
- */
-static void usage(void)
-{
-	printf("\
-Usage:\n\
-  ipsec pool --status|--add|--replace|--del|--resize|--purge [options]\n\
-  \n\
-  ipsec pool --status\n\
-    Show a list of installed pools with statistics.\n\
-  \n\
-  ipsec pool --add <name> --start <start> --end <end> [--timeout <timeout>]\n\
-  ipsec pool --replace <name> --start <start> --end <end> [--timeout <timeout>]\n\
-    Add a new pool to or replace an existing pool in the database.\n\
-      name:    Name of the pool, as used in ipsec.conf rightsourceip=%%name\n\
-      start:   Start address of the pool\n\
-      end:     End address of the pool\n\
-      timeout: Lease time in hours, 0 for static leases\n\
-  \n\
-  ipsec pool --add <name> --addresses <file> [--timeout <timeout>]\n\
-  ipsec pool --replace <name> --addresses <file> [--timeout <timeout>]\n\
-    Add a new pool to or replace an existing pool in the database.\n\
-      name:    Name of the pool, as used in ipsec.conf rightsourceip=%%name\n\
-      file:    File newline separated addresses for the pool are read from.\n\
-               Optionally each address can be pre-assigned to a roadwarrior\n\
-               identity, e.g. 10.231.14.2=alice@strongswan.org.\n\
-               If a - (hyphen) is given instead of a file name, the addresses\n\
-               are read from STDIN. Reading addresses stops at the end of file\n\
-               or an empty line. Pools created with this command can not be\n\
-               resized.\n\
-      timeout: Lease time in hours, 0 for static leases\n\
-  \n\
-  ipsec pool --add dns|nbns|wins --server <server>\n\
-    Add a new DNS or NBNS server to the database.\n\
-      server:  IP address of the name server\n\
-  \n\
-  ipsec pool --del <name>\n\
-    Delete a pool from the database.\n\
-      name:    Name of the pool to delete\n\
-  \n\
-  ipsec pool --del dns|nbns|wins [--server <server>]\n\
-    Delete a specific or all DNS or NBNS servers from the database.\n\
-      server:  IP address of the name server to delete\n\
-  \n\
-  ipsec pool --resize <name> --end <end>\n\
-    Grow or shrink an existing pool.\n\
-      name:    Name of the pool to resize\n\
-      end:     New end address for the pool\n\
-  \n\
-  ipsec pool --leases [--filter <filter>] [--utc]\n\
-    Show lease information using filters:\n\
-      filter:  Filter string containing comma separated key=value filters,\n\
-               e.g. id=alice@strongswan.org,addr=1.1.1.1\n\
-                  pool:   name of the pool\n\
-                  id:     assigned identity of the lease\n\
-                  addr:   lease IP address\n\
-                  tstamp: UNIX timestamp when lease was valid, as integer\n\
-                  status: status of the lease: online|valid|expired\n\
-      utc:    Show times in UTC instead of local time\n\
-  \n\
-  ipsec pool --purge <name>\n\
-    Delete lease history of a pool:\n\
-      name:    Name of the pool to purge\n\
-  \n\
-  ipsec pool --batch <file>\n\
-    Read commands from a file and execute them atomically.\n\
-      file:    File to read the newline separated commands from. Commands\n\
-               appear as they are written on the command line, e.g.\n\
-                  --replace mypool --start 10.0.0.1 --end 10.0.0.254\n\
-                  --del dns\n\
-                  --add dns --server 10.1.0.1\n\
-                  --add dns --server 10.1.1.1\n\
-               If a - (hyphen) is given as a file name, the commands are read\n\
-               from STDIN. Readin commands stops at the end of file. Empty\n\
-               lines are ignored. The file may not contain a --batch command.\n\
-  \n");
-}
-
 /**
  * ipsec pool --status - show pool overview
  */
@@ -483,29 +390,14 @@ static bool add_address(u_int pool_id, char *address_str, int *family)
 	char *pos_eq = strchr(address_str, '=');
 	if (pos_eq != NULL)
 	{
-		enumerator_t *e;
 		identification_t *id = identification_create_from_string(pos_eq + 1);
+		user_id = get_identity(id);
+		id->destroy(id);
 
-		/* look for peer identity in the identities table */
-		e = db->query(db,
-				"SELECT id FROM identities WHERE type = ? AND data = ?",
-				DB_INT, id->get_type(id), DB_BLOB, id->get_encoding(id),
-				DB_UINT);
-
-		if (!e || !e->enumerate(e, &user_id))
+		if (user_id == 0)
 		{
-			/* not found, insert new one */
-			if (db->execute(db, &user_id,
-					"INSERT INTO identities (type, data) VALUES (?, ?)",
-					DB_INT, id->get_type(id),
-					DB_BLOB, id->get_encoding(id)) != 1)
-			{
-				fprintf(stderr, "creating id '%s' failed.\n", pos_eq + 1);
-				return FALSE;
-			}
+			return FALSE;
 		}
-		DESTROY_IF(e);
-		id->destroy(id);
 		*pos_eq = '\0';
 	}
 
@@ -592,26 +484,6 @@ static void add_addresses(char *pool, char *path, int timeout)
 	printf("%d addresses done.\n", count);
 }
 
-/**
- * ipsec pool --add dns|nbns|wins - add a DNS or NBNS server entry
- */
-static void add_attr(char *name, host_t *server)
-{
-	configuration_attribute_type_t type;
-	chunk_t value;
-
-	type = get_attribute_type(name, server);
-	value = server->get_address(server);
-	if (db->execute(db, NULL,
-			"INSERT INTO attributes (type, value) VALUES (?, ?)",
-			DB_INT, type, DB_BLOB, value) != 1)
-	{
-		fprintf(stderr, "adding %s server %H failed.\n", name, server);
-		exit(EXIT_FAILURE);
-	}
-	printf("added %s server %H\n", name, server);
-}
-
 /**
  * ipsec pool --del - delete a pool
  */
@@ -652,88 +524,6 @@ static void del(char *name)
 	}
 }
 
-/**
- * ipsec pool --del dns|nbns|wins - delete a DNS or NBNS server entry
- */
-static void del_attr(char *name, host_t *server)
-{
-	configuration_attribute_type_t type;
-	chunk_t value;
-	u_int id;
-	enumerator_t *query;
-	bool found = FALSE;
-
-	if (server)
-	{
-		type = get_attribute_type(name, server);
-		value = server->get_address(server);
-		query = db->query(db,
-					"SELECT id, type, value FROM attributes "
-					"WHERE type = ? AND value = ?",
-					DB_INT, type, DB_BLOB, value,
-					DB_UINT, DB_INT, DB_BLOB);
-	}
-	else
-	{
-		configuration_attribute_type_t type_ip4, type_ip6;
-
-		if (strcaseeq(name, "dns"))
-		{
-			type_ip4 = INTERNAL_IP4_DNS;
-			type_ip6 = INTERNAL_IP6_DNS;
-		}
-		else
-		{
-			type_ip4 = INTERNAL_IP4_NBNS;
-			type_ip6 = INTERNAL_IP6_NBNS;
-		}
-
-		query = db->query(db,
-					"SELECT id, type, value FROM attributes "
-					"WHERE type = ? OR type = ?",
-					DB_INT, type_ip4, DB_INT, type_ip6,
-					DB_UINT, DB_INT, DB_BLOB);
-	}
-	if (!query)
-	{
-		fprintf(stderr, "deleting %s servers failed.\n", name);
-		exit(EXIT_FAILURE);
-	}
-
-	while (query->enumerate(query, &id, &type, &value))
-	{
-		int family;
-		host_t *host;
-
-		found = TRUE;
-		family = (type == INTERNAL_IP4_DNS || type == INTERNAL_IP4_NBNS) ?
-				  AF_INET : AF_INET6;
-		host = host_create_from_chunk(family, value, 0);
-		if (db->execute(db, NULL,
-					"DELETE FROM attributes WHERE id = ?",
-					 DB_UINT, id) != 1)
-		{
-			fprintf(stderr, "deleting %s server %H failed\n", name, host);
-			query->destroy(query);
-			DESTROY_IF(host);
-			exit(EXIT_FAILURE);
-		}
-		printf("deleted %s server %H\n", name, host);
-		DESTROY_IF(host);
-	}
-	query->destroy(query);
-
-	if (!found && server)
-	{
-		printf("%s server %H not found\n", name, server);
-		exit(EXIT_FAILURE);
-	}
-	else if (!found)
-	{
-		printf("no %s servers found\n", name);
-	}
-}
-
 /**
  * ipsec pool --resize - resize a pool
  */
@@ -1134,22 +924,26 @@ static void cleanup(void)
 	db->destroy(db);
 	DESTROY_IF(start);
 	DESTROY_IF(end);
-	DESTROY_IF(server);
 }
 
 static void do_args(int argc, char *argv[])
 {
-	char *name = "", *filter = "", *addresses = NULL;
+	char *name = "", *value = "", *filter = "";
+	char *pool = NULL, *identity = NULL, *addresses = NULL;
+	value_type_t value_type = VALUE_NONE;
 	int timeout = 0;
-	bool utc = FALSE;
+	bool utc = FALSE, hexout = FALSE;
+
 	enum {
 		OP_UNDEF,
 		OP_USAGE,
 		OP_STATUS,
+		OP_STATUS_ATTR,
 		OP_ADD,
 		OP_ADD_ATTR,
 		OP_DEL,
 		OP_DEL_ATTR,
+		OP_SHOW_ATTR,
 		OP_RESIZE,
 		OP_LEASES,
 		OP_PURGE,
@@ -1174,14 +968,26 @@ static void do_args(int argc, char *argv[])
 			{ "resize", required_argument, NULL, 'r' },
 			{ "leases", no_argument, NULL, 'l' },
 			{ "purge", required_argument, NULL, 'p' },
+			{ "statusattr", no_argument, NULL, '1' },
+			{ "addattr", required_argument, NULL, '2' },
+			{ "delattr", required_argument, NULL, '3' },
+			{ "showattr", no_argument, NULL, '4' },
 			{ "batch", required_argument, NULL, 'b' },
 
 			{ "start", required_argument, NULL, 's' },
 			{ "end", required_argument, NULL, 'e' },
-			{ "addresses", required_argument, NULL, 'x' },
+			{ "addresses", required_argument, NULL, 'y' },
 			{ "timeout", required_argument, NULL, 't' },
 			{ "filter", required_argument, NULL, 'f' },
+			{ "addr", required_argument, NULL, 'v' },
+			{ "mask", required_argument, NULL, 'v' },
 			{ "server", required_argument, NULL, 'v' },
+			{ "subnet", required_argument, NULL, 'n' },
+			{ "string", required_argument, NULL, 'g' },
+			{ "hex", required_argument, NULL, 'x' },
+			{ "hexout", no_argument, NULL, '5' },
+			{ "pool", required_argument, NULL, '6' },
+			{ "identity", required_argument, NULL, '7' },
 			{ 0,0,0,0 }
 		};
 
@@ -1196,6 +1002,8 @@ static void do_args(int argc, char *argv[])
 			case 'w':
 				operation = OP_STATUS;
 				break;
+			case '1':
+				operation = OP_STATUS_ATTR;
 			case 'u':
 				utc = TRUE;
 				continue;
@@ -1207,15 +1015,27 @@ static void do_args(int argc, char *argv[])
 				operation = is_attribute(name) ? OP_ADD_ATTR : OP_ADD;
 				if (replace_pool && operation == OP_ADD_ATTR)
 				{
-					fprintf(stderr, "invalid pool name: '%s'.\n", optarg);
+					fprintf(stderr, "invalid pool name: "
+									"reserved for '%s' attribute.\n", optarg);
 					usage();
 					exit(EXIT_FAILURE);
 				}
 				continue;
+			case '2':
+				name = optarg;
+				operation = OP_ADD_ATTR;
+				continue;
 			case 'd':
 				name = optarg;
 				operation = is_attribute(name) ? OP_DEL_ATTR : OP_DEL;
 				continue;
+			case '3':
+				name = optarg;
+				operation = OP_DEL_ATTR;
+				continue;
+			case '4':
+				operation = OP_SHOW_ATTR;
+				continue;
 			case 'r':
 				name = optarg;
 				operation = OP_RESIZE;
@@ -1268,18 +1088,33 @@ static void do_args(int argc, char *argv[])
 			case 'f':
 				filter = optarg;
 				continue;
-			case 'x':
+			case 'y':
 				addresses = optarg;
 				continue;
+			case 'g':
+				value_type = VALUE_STRING;
+				value = optarg;
+				continue;
+			case 'n':
+				value_type = VALUE_SUBNET;
+				value = optarg;
+				continue;
 			case 'v':
-				DESTROY_IF(server);
-				server = host_create_from_string(optarg, 0);
-				if (server == NULL)
-				{
-					fprintf(stderr, "invalid server address: '%s'.\n", optarg);
-					usage();
-					exit(EXIT_FAILURE);
-				}
+				value_type = VALUE_ADDR;
+				value = optarg;
+				continue;
+			case 'x':
+				value_type = VALUE_HEX;
+				value = optarg;
+				continue;
+			case '5':
+				hexout = TRUE;
+				continue;
+			case '6':
+				pool = optarg;
+				continue;
+			case '7':
+				identity = optarg;
 				continue;
 			default:
 				usage();
@@ -1297,6 +1132,9 @@ static void do_args(int argc, char *argv[])
 		case OP_STATUS:
 			status();
 			break;
+		case OP_STATUS_ATTR:
+			status_attr(hexout);
+			break;
 		case OP_ADD:
 			if (addresses != NULL)
 			{
@@ -1314,19 +1152,34 @@ static void do_args(int argc, char *argv[])
 			}
 			break;
 		case OP_ADD_ATTR:
-			if (server == NULL)
+			if (value_type == VALUE_NONE)
 			{
 				fprintf(stderr, "missing arguments.\n");
 				usage();
 				exit(EXIT_FAILURE);
 			}
-			add_attr(name, server);
+			if (identity && !pool)
+			{
+				fprintf(stderr, "--identity option can't be used without --pool.\n");
+				usage();
+				exit(EXIT_FAILURE);
+			}
+			add_attr(name, pool, identity, value, value_type);
 			break;
 		case OP_DEL:
 			del(name);
 			break;
 		case OP_DEL_ATTR:
-			del_attr(name, server);
+			if (identity && !pool)
+			{
+				fprintf(stderr, "--identity option can't be used without --pool.\n");
+				usage();
+				exit(EXIT_FAILURE);
+			}
+			del_attr(name, pool, identity, value, value_type);
+			break;
+		case OP_SHOW_ATTR:
+			show_attr();
 			break;
 		case OP_RESIZE:
 			if (end == NULL)
diff --git a/src/libhydra/plugins/attr_sql/pool_attributes.c b/src/libhydra/plugins/attr_sql/pool_attributes.c
new file mode 100644
index 000000000..5f7afdfcd
--- /dev/null
+++ b/src/libhydra/plugins/attr_sql/pool_attributes.c
@@ -0,0 +1,715 @@
+/*
+ * Copyright (C) 2009-2010 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#define _GNU_SOURCE
+#include <string.h>
+
+#include <library.h>
+#include <utils/host.h>
+
+#include "pool_attributes.h"
+#include "pool_usage.h"
+
+/**
+ * global database handle
+ */
+extern database_t *db;
+
+#define UNITY_NETWORK_LEN	14
+
+ENUM(value_type_names, VALUE_HEX, VALUE_SUBNET,
+	"hex",
+	"string",
+	"addr",
+	"subnet"
+);
+
+typedef struct attr_info_t attr_info_t;
+
+struct attr_info_t {
+	char*                           keyword;
+	value_type_t                    value_type;
+	configuration_attribute_type_t  type;
+	configuration_attribute_type_t  type_ip6;
+};
+
+static const attr_info_t attr_info[] = {
+	{ "internal_ip4_netmask", VALUE_ADDR,   INTERNAL_IP4_NETMASK, 0 },
+	{ "internal_ip6_netmask", VALUE_ADDR,   INTERNAL_IP6_NETMASK, 0 },
+	{ "netmask",              VALUE_ADDR,   INTERNAL_IP4_NETMASK,
+							 				INTERNAL_IP6_NETMASK    },
+	{ "internal_ip4_dns",     VALUE_ADDR,   INTERNAL_IP4_DNS,     0 },
+	{ "internal_ip6_dns",     VALUE_ADDR,   INTERNAL_IP6_DNS,     0 },
+	{ "dns",                  VALUE_ADDR,   INTERNAL_IP4_DNS,
+											INTERNAL_IP6_DNS        },
+	{ "internal_ip4_nbns",    VALUE_ADDR,   INTERNAL_IP4_NBNS,    0 },
+	{ "internal_ip6_nbns",    VALUE_ADDR,   INTERNAL_IP6_NBNS,    0 },
+	{ "nbns",                 VALUE_ADDR,   INTERNAL_IP4_NBNS,
+							 				INTERNAL_IP6_NBNS       },
+	{ "wins",                 VALUE_ADDR,   INTERNAL_IP4_NBNS,
+											INTERNAL_IP6_NBNS       },
+	{ "internal_ip4_dhcp",    VALUE_ADDR,   INTERNAL_IP4_DHCP,    0 },
+	{ "internal_ip6_dhcp",    VALUE_ADDR,   INTERNAL_IP6_DHCP,    0 },
+	{ "dhcp",                 VALUE_ADDR,   INTERNAL_IP4_DHCP,
+											INTERNAL_IP6_DHCP       },
+	{ "internal_ip4_server",  VALUE_ADDR,   INTERNAL_IP4_SERVER,  0 },
+	{ "internal_ip6_server",  VALUE_ADDR,   INTERNAL_IP6_SERVER,  0 },
+	{ "server",               VALUE_ADDR,   INTERNAL_IP4_SERVER,
+											INTERNAL_IP6_SERVER     },
+	{ "application_version",  VALUE_STRING, APPLICATION_VERSION,  0 },
+	{ "version",              VALUE_STRING, APPLICATION_VERSION,  0 },
+	{ "unity_banner",         VALUE_STRING, UNITY_BANNER,         0 },
+	{ "banner",               VALUE_STRING, UNITY_BANNER,         0 },
+	{ "unity_def_domain",     VALUE_STRING, UNITY_DEF_DOMAIN,     0 },
+	{ "unity_splitdns_name",  VALUE_STRING, UNITY_SPLITDNS_NAME,  0 },
+	{ "unity_split_include",  VALUE_SUBNET, UNITY_SPLIT_INCLUDE,  0 },
+	{ "unity_local_lan",      VALUE_SUBNET, UNITY_LOCAL_LAN,      0 },
+};
+
+/**
+ * Determine the type of the attribute and its value
+ */
+static bool parse_attributes(char *name, char *value, value_type_t *value_type,
+							 configuration_attribute_type_t *type,
+							 configuration_attribute_type_t *type_ip6,
+							 chunk_t *blob)
+{
+	host_t *addr = NULL, *mask = NULL;
+	chunk_t addr_chunk, mask_chunk, blob_next;
+	char *text = "", *pos_addr, *pos_mask, *pos_next, *endptr;
+	int i;
+
+	switch (*value_type)
+	{
+		case VALUE_STRING:
+			*blob = chunk_create(value, strlen(value));
+			*blob = chunk_clone(*blob);
+			break;
+		case VALUE_HEX:
+			*blob = chunk_from_hex(chunk_create(value, strlen(value)), NULL);
+			break;
+		case VALUE_ADDR:
+			addr = host_create_from_string(value, 0);
+			if (addr == NULL)
+			{
+				fprintf(stderr, "invalid IP address: '%s'.\n", value);
+				return FALSE;
+			}
+			addr_chunk = addr->get_address(addr);
+			*blob = chunk_clone(addr_chunk);
+			break;
+		case VALUE_SUBNET:
+			*blob = chunk_empty;
+			pos_next = value;
+
+			do
+			{
+				pos_addr = pos_next;
+				pos_next = strchr(pos_next, ',');
+				if (pos_next)
+				{
+					*pos_next = '\0';
+					pos_next += 1;
+				}
+				pos_mask = strchr(pos_addr, '/');
+				if (pos_mask == NULL)
+				{
+					fprintf(stderr, "invalid IPv4 subnet: '%s'.\n", pos_addr);
+					free(blob->ptr);
+					return FALSE;
+				}
+				*pos_mask = '\0';
+				pos_mask += 1;
+				addr = host_create_from_string(pos_addr, 0);
+				mask = host_create_from_string(pos_mask, 0);
+				if (addr == NULL || addr->get_family(addr) != AF_INET ||
+					mask == NULL || mask->get_family(addr) != AF_INET)
+				{
+					fprintf(stderr, "invalid IPv4 subnet: '%s/%s'.\n",
+									pos_addr, pos_mask);
+					DESTROY_IF(addr);
+					DESTROY_IF(mask);
+					free(blob->ptr);
+					return FALSE;
+				}
+				addr_chunk = addr->get_address(addr);
+				mask_chunk = mask->get_address(mask);
+				blob_next = chunk_alloc(blob->len + UNITY_NETWORK_LEN);
+				memcpy(blob_next.ptr, blob->ptr, blob->len);
+				pos_addr = blob_next.ptr + blob->len;
+				memset(pos_addr, 0x00, UNITY_NETWORK_LEN);
+				memcpy(pos_addr,     addr_chunk.ptr, 4);
+				memcpy(pos_addr + 4, mask_chunk.ptr, 4);
+				addr->destroy(addr);
+				mask->destroy(mask);
+				chunk_free(blob);
+				*blob = blob_next;
+			}
+			while (pos_next);
+			break;
+		case VALUE_NONE:
+			*blob = chunk_empty;
+			break;
+	}
+
+	/* init the attribute type */
+	*type     = 0;
+	*type_ip6 = 0;
+
+	for (i = 0; i < countof(attr_info); i++)
+	{
+		if (strcaseeq(name, attr_info[i].keyword))
+		{
+			*type      = attr_info[i].type;
+			*type_ip6  = attr_info[i].type_ip6;
+
+			if (*value_type == VALUE_NONE)
+			{
+				*value_type = attr_info[i].value_type;
+				return TRUE;
+			}
+
+			if (*value_type != attr_info[i].value_type &&
+				*value_type != VALUE_HEX)
+			{
+				switch (attr_info[i].value_type)
+				{
+					case VALUE_STRING:
+						text = "a string";
+						break;
+					case VALUE_HEX:
+						text = "a hex";
+						break;
+					case VALUE_ADDR:
+						text = "an IP address";
+						break;
+					case VALUE_SUBNET:
+						text = "a subnet";
+						break;
+					case VALUE_NONE:
+						text = "no";
+						break;
+				}
+				fprintf(stderr, "the %s attribute requires %s value.\n",
+								 name, text);
+				DESTROY_IF(addr);
+				free(blob->ptr);
+				return FALSE;
+			}
+
+			if (*value_type == VALUE_ADDR)
+			{
+				*type = (addr->get_family(addr) == AF_INET) ?
+						 	attr_info[i].type : attr_info[i].type_ip6;
+				addr->destroy(addr);
+			}
+			else if (*value_type == VALUE_HEX)
+			{
+				*value_type = attr_info[i].value_type;
+
+				if (*value_type == VALUE_ADDR)
+				{
+					if (blob->len == 16)
+					{
+						*type = attr_info[i].type_ip6;
+					}
+					else if (blob->len != 4)
+					{
+						fprintf(stderr, "the %s attribute requires "
+										"a valid IP address.\n", name);
+						free(blob->ptr);
+						return FALSE;
+					}
+				}
+			}
+			return TRUE;
+		}
+	}
+
+	/* clean up */
+	DESTROY_IF(addr);
+
+	/* is the attribute type numeric? */	
+	*type = strtol(name, &endptr, 10);
+
+	if (*endptr != '\0')
+	{
+		fprintf(stderr, "the %s attribute is not recognized.\n", name);
+		free(blob->ptr);
+		return FALSE;
+	}
+	if (*type < 1 || *type > 32767)
+	{
+		fprintf(stderr, "the attribute type must lie in the range 1..32767.\n");
+		free(blob->ptr);
+		return FALSE;
+	}
+	if (*value_type == VALUE_NONE)
+	{
+		*value_type = VALUE_HEX;
+	}
+	return TRUE;
+}
+ 
+/**
+ * Lookup/insert an attribute pool by name
+ */
+static u_int get_attr_pool(char *name)
+{
+	enumerator_t *e;
+	u_int row = 0;
+
+	/* look for an existing attribute pool in the table */
+	e = db->query(db, "SELECT id FROM attribute_pools WHERE name = ?",
+				  DB_TEXT, name, DB_UINT);
+	if (e && e->enumerate(e, &row))
+	{
+		e->destroy(e);
+		return row;
+	}
+	DESTROY_IF(e);
+	/* not found, insert new one */
+	if (db->execute(db, &row, "INSERT INTO attribute_pools (name) VALUES (?)",
+					DB_TEXT, name) != 1)
+	{
+		fprintf(stderr, "creating attribute pool '%s' failed.\n", name);
+		return 0;
+	}
+	return row;
+}
+
+/**
+ * Lookup/insert an identity
+ */
+u_int get_identity(identification_t *id)
+{
+	enumerator_t *e;
+	u_int row;
+
+	/* look for peer identity in the identities table */
+	e = db->query(db, "SELECT id FROM identities WHERE type = ? AND data = ?",
+			DB_INT, id->get_type(id), DB_BLOB, id->get_encoding(id), DB_UINT);
+	if (e && e->enumerate(e, &row))
+	{
+		e->destroy(e);
+		return row;
+	}
+	DESTROY_IF(e);
+	/* not found, insert new one */
+	if (db->execute(db, &row, "INSERT INTO identities (type,data) VALUES (?,?)",
+				  DB_INT, id->get_type(id), DB_BLOB, id->get_encoding(id)) != 1)
+	{
+		fprintf(stderr, "creating id '%Y' failed.\n", id);
+		return 0;
+	}
+	return row;
+}
+
+/**
+ * ipsec pool --addattr <type> - add attribute entry
+ */
+void add_attr(char *name, char *pool, char *identity,
+			  char *value, value_type_t value_type)
+{
+	configuration_attribute_type_t type, type_ip6;
+	u_int pool_id = 0, identity_id = 0;
+	char id_pool_str[128] = "";
+	chunk_t blob;
+	bool success;
+
+	if (pool)
+	{
+		pool_id = get_attr_pool(pool);
+		if (pool_id == 0)
+		{
+			exit(EXIT_FAILURE);
+		}
+
+		if (identity)
+		{
+			identification_t *id;
+
+			id = identification_create_from_string(identity);
+			identity_id = get_identity(id);
+			id->destroy(id);
+			if (identity_id == 0)
+			{
+				exit(EXIT_FAILURE);
+			}
+			snprintf(id_pool_str, sizeof(id_pool_str),
+					 " for '%s' in pool '%s'", identity, pool);
+		}
+		else
+		{
+			snprintf(id_pool_str, sizeof(id_pool_str), " in pool '%s'", pool);
+		}
+	}
+
+	if (value_type == VALUE_NONE)
+	{
+		fprintf(stderr, "the value of the %s attribute is missing.\n", name);
+		usage();
+	}
+	if (!parse_attributes(name, value, &value_type, &type, &type_ip6, &blob))
+	{
+		exit(EXIT_FAILURE);
+	}
+
+	success = db->execute(db, NULL,
+				"INSERT INTO attributes (identity, pool, type, value) "
+				"VALUES (?, ?, ?, ?)", DB_UINT, identity_id, DB_UINT, pool_id,
+				DB_INT, type, DB_BLOB, blob) == 1;
+	free(blob.ptr);
+
+	if (success)
+	{
+		printf("added %s attribute (%N)%s.\n", name,
+			   configuration_attribute_type_names, type, id_pool_str);
+	}
+	else
+	{
+		fprintf(stderr, "adding %s attribute (%N)%s failed.\n", name,
+						configuration_attribute_type_names, type, id_pool_str);
+	}
+}
+
+/**
+ * ipsec pool --delattr <type> - delete attribute entry
+ */
+void del_attr(char *name, char *pool, char *identity,
+			  char *value, value_type_t value_type)
+{
+	configuration_attribute_type_t type, type_ip6, type_db;
+	u_int pool_id = 0, identity_id = 0;
+	char id_pool_str[128] = "";
+	chunk_t blob, blob_db;
+	u_int id;
+	enumerator_t *query;
+	bool found = FALSE;
+
+	if (pool)
+	{
+		pool_id = get_attr_pool(pool);
+		if (pool_id == 0)
+		{
+			exit(EXIT_FAILURE);
+		}
+
+		if (identity)
+		{
+			identification_t *id;
+
+			id = identification_create_from_string(identity);
+			identity_id = get_identity(id);
+			id->destroy(id);
+			if (identity_id == 0)
+			{
+				exit(EXIT_FAILURE);
+			}
+			snprintf(id_pool_str, sizeof(id_pool_str),
+					 " for '%s' in pool '%s'", identity, pool);
+		}
+		else
+		{
+			snprintf(id_pool_str, sizeof(id_pool_str), " in pool '%s'", pool);
+		}
+	}
+
+	if (!parse_attributes(name, value, &value_type, &type, &type_ip6, &blob))
+	{
+		exit(EXIT_FAILURE);
+	}
+
+	if (blob.len > 0)
+	{
+		query = db->query(db,
+					"SELECT id, type, value FROM attributes "
+					"WHERE identity = ? AND pool = ? AND type = ? AND value = ?",
+					DB_UINT, identity_id, DB_UINT, pool_id, DB_INT, type,
+					DB_BLOB, blob, DB_UINT, DB_INT, DB_BLOB);
+	}
+	else if (type_ip6 == 0)
+	{
+		query = db->query(db,
+					"SELECT id, type, value FROM attributes "
+					"WHERE identity = ? AND pool = ? AND type = ?",
+					DB_UINT, identity_id, DB_UINT, pool_id, DB_INT, type,
+					DB_UINT, DB_INT, DB_BLOB);
+	}
+	else
+	{
+		query = db->query(db,
+					"SELECT id, type, value FROM attributes "
+					"WHERE identity = ? AND pool = ? AND (type = ? OR type = ?)",
+					DB_UINT, identity_id, DB_UINT, pool_id, DB_INT, type,
+					DB_INT, type_ip6, DB_UINT, DB_INT, DB_BLOB);
+	}
+
+	if (!query)
+	{
+		fprintf(stderr, "deleting '%s' attribute (%N)%s failed.\n",
+				name, configuration_attribute_type_names, type, id_pool_str);
+		free(blob.ptr);
+		exit(EXIT_FAILURE);
+	}
+
+	while (query->enumerate(query, &id, &type_db, &blob_db))
+	{
+		host_t *server = NULL;
+
+		found = TRUE;
+
+		if (value_type == VALUE_ADDR)
+		{
+			int family = (type_db == type_ip6) ? AF_INET6 : AF_INET;
+
+			server = host_create_from_chunk(family, blob_db, 0);
+		}
+
+		if (db->execute(db, NULL,
+					"DELETE FROM attributes WHERE id = ?",
+					 DB_UINT, id) != 1)
+		{
+			if (server)
+			{
+				fprintf(stderr, "deleting %s server %H%s failed\n",
+						name, server, id_pool_str);
+				server->destroy(server);
+			}
+			else if (value_type == VALUE_STRING)
+			{
+				fprintf(stderr, "deleting %s attribute (%N) with value '%.*s'%s failed.\n",
+						 		name, configuration_attribute_type_names, type,
+								blob_db.len, blob_db.ptr, id_pool_str);
+			}
+
+			else
+			{
+				fprintf(stderr, "deleting %s attribute (%N) with value %#B%s failed.\n",
+						 		name, configuration_attribute_type_names, type,
+								&blob_db, id_pool_str);
+			}
+			query->destroy(query);
+			free(blob.ptr);
+			exit(EXIT_FAILURE);
+		}
+		if (server)
+		{
+			printf("deleted %s server %H%s\n", name, server, id_pool_str);
+			server->destroy(server);
+		}
+		else if (value_type == VALUE_STRING)
+		{
+			printf("deleted %s attribute (%N) with value '%.*s'%s.\n",
+				   name, configuration_attribute_type_names, type,
+				   blob_db.len, blob_db.ptr, id_pool_str);
+		}
+		else
+		{
+			printf("deleted %s attribute (%N) with value %#B%s.\n",
+				   name, configuration_attribute_type_names, type,
+				   &blob_db, id_pool_str);
+		}
+	}
+	query->destroy(query);
+
+	if (!found)
+	{
+	 	if (blob.len == 0)
+		{
+			if (type_ip6 == 0)
+			{
+				fprintf(stderr, "no %s attribute (%N) was found%s.\n", name,
+						configuration_attribute_type_names, type, id_pool_str);
+			}
+			else
+			{
+				fprintf(stderr, "no %s attribute%s was found.\n",
+						name, id_pool_str);
+			}
+		}
+		else
+		{	
+			if (value_type == VALUE_ADDR)
+			{
+				host_t *server = host_create_from_chunk(AF_UNSPEC, blob, 0);
+	
+				fprintf(stderr, "the %s server %H%s was not found.\n", name,
+								 server, id_pool_str);
+				server->destroy(server);
+			}
+			else
+			{
+				fprintf(stderr, "the %s attribute (%N) with value '%.*s'%s "
+								"was not found.\n", name,
+								 configuration_attribute_type_names, type,
+								 blob.len, blob.ptr, id_pool_str);
+			}
+		}
+	}
+	free(blob.ptr);
+}
+
+/**
+ * ipsec pool --statusattr - show all attribute entries
+ */
+void status_attr(bool hexout)
+{
+	configuration_attribute_type_t type;
+	value_type_t value_type;
+	chunk_t value, addr_chunk, mask_chunk, identity_chunk;
+	identification_t *identity;
+	enumerator_t *enumerator;
+	host_t *addr, *mask;
+	char type_name[30];
+	bool first = TRUE;
+	int i, identity_type;
+	char *pool_name;
+
+	/* enumerate over all attributes */
+	enumerator = db->query(db,
+					"SELECT attributes.type, attribute_pools.name, "
+					"identities.type, identities.data, attributes.value "
+					"FROM attributes "
+					"LEFT OUTER JOIN identities "
+					"ON attributes.identity = identities.id "
+					"LEFT OUTER JOIN attribute_pools "
+					"ON attributes.pool = attribute_pools.id "
+					"ORDER BY attributes.type, attribute_pools.name, "
+					"identities.type, identities.data, attributes.value",
+					DB_INT, DB_TEXT, DB_INT, DB_BLOB, DB_BLOB);
+	if (enumerator)
+	{
+		while (enumerator->enumerate(enumerator, &type,&pool_name,
+									 &identity_type, &identity_chunk, &value))
+		{
+			if (first)
+			{
+				printf(" type  description           pool       "
+					   " identity              value\n");
+				first = FALSE;
+			}
+			snprintf(type_name, sizeof(type_name), "%N",
+					 configuration_attribute_type_names, type);
+			if (type_name[0] == '(')
+			{
+				type_name[0] = '\0';
+			}
+			printf("%5d  %-20s ",type, type_name);
+
+			printf(" %-10s ", (pool_name ? pool_name : ""));
+
+			if (identity_type)
+			{
+				identity = identification_create_from_encoding(identity_type, identity_chunk);
+				printf(" %-20.20Y ", identity);
+				identity->destroy(identity);
+			}
+			else
+			{
+				printf("                      ");
+			}
+
+			value_type = VALUE_HEX;
+			if (!hexout)
+			{
+				for (i = 0; i < countof(attr_info); i++)
+				{
+					if (type == attr_info[i].type)
+					{
+						value_type = attr_info[i].value_type;
+						break; 
+					}
+				}
+			}
+			switch (value_type)
+			{
+				case VALUE_ADDR:
+					addr = host_create_from_chunk(AF_UNSPEC, value, 0);
+					if (addr)
+					{
+						printf(" %H\n", addr);
+						addr->destroy(addr);
+					}
+					else
+					{
+						/* value cannot be represented as an IP address */
+						printf(" %#B\n", &value);
+					}
+					break;
+				case VALUE_SUBNET:
+					if (value.len % UNITY_NETWORK_LEN == 0)
+					{
+						for (i = 0; i < value.len / UNITY_NETWORK_LEN; i++)
+						{
+							addr_chunk = chunk_create(value.ptr + i*UNITY_NETWORK_LEN, 4);
+							addr = host_create_from_chunk(AF_INET, addr_chunk, 0);
+							mask_chunk = chunk_create(addr_chunk.ptr + 4, 4);
+							mask = host_create_from_chunk(AF_INET, mask_chunk, 0);
+							printf("%s%H/%H", (i > 0) ? "," : " ", addr, mask);
+							addr->destroy(addr);
+							mask->destroy(mask);
+						}
+						printf("\n");
+					}
+					else
+					{
+						/* value cannot be represented as a list of subnets */
+						printf(" %#B\n", &value);
+					}
+					break;
+				case VALUE_STRING:
+					printf("\"%.*s\"\n", value.len, value.ptr);
+					break;					
+				case VALUE_HEX:
+				default:
+					printf(" %#B\n", &value);
+			}
+		}
+		enumerator->destroy(enumerator);
+	}
+}
+
+/**
+ * ipsec pool --showattr - show all supported attribute keywords
+ */
+void show_attr(void)
+{
+	int i;
+
+	for (i = 0; i < countof(attr_info); i++)
+	{
+		char value_name[10];
+		
+		
+		snprintf(value_name, sizeof(value_name), "%N",
+			value_type_names, attr_info[i].value_type);
+	
+		printf("%-20s  --%-6s  (%N", 
+				attr_info[i].keyword, value_name, 
+				configuration_attribute_type_names, attr_info[i].type);
+
+		if (attr_info[i].type_ip6)
+		{
+			printf(", %N)\n",
+				configuration_attribute_type_names, attr_info[i].type_ip6);
+		}
+		else
+		{
+			printf(")\n");
+		}
+	}
+}
+
diff --git a/src/libhydra/plugins/attr_sql/pool_attributes.h b/src/libhydra/plugins/attr_sql/pool_attributes.h
new file mode 100644
index 000000000..a42291f57
--- /dev/null
+++ b/src/libhydra/plugins/attr_sql/pool_attributes.h
@@ -0,0 +1,65 @@
+/*
+ * Copyright (C) 2009-2010 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef POOL_ATTRIBUTES_H_
+#define POOL_ATTRIBUTES_H_
+
+#include <attributes/attributes.h>
+
+typedef enum value_type_t value_type_t;
+
+enum value_type_t {
+	VALUE_NONE,
+	VALUE_HEX,
+	VALUE_STRING,
+	VALUE_ADDR,
+	VALUE_SUBNET
+};
+
+/**
+ * enum names for value_type_t.
+ */
+extern enum_name_t *value_type_names;
+
+/**
+ * lookup/insert an identity
+ */
+u_int get_identity(identification_t *id);
+
+/**
+ * ipsec pool --addattr <type>  - add attribute entry
+ */
+void add_attr(char *name, char *pool, char *identity,
+			  char *value, value_type_t value_type);
+
+/**
+ * ipsec pool --delattr <type>  - delete attribute entry
+ */
+void del_attr(char *name, char *pool, char *identity,
+			  char *value, value_type_t value_type);
+
+/**
+ * ipsec pool --statusattr      - show all attribute entries
+ */
+void status_attr(bool hexout);
+
+/**
+ * ipsec pool --showattr - show all supported attribute keywords
+ */
+void show_attr(void);
+
+#endif /* POOL_ATTRIBUTES_H_ */
+
+
diff --git a/src/libhydra/plugins/attr_sql/pool_usage.c b/src/libhydra/plugins/attr_sql/pool_usage.c
new file mode 100644
index 000000000..985bc3ae8
--- /dev/null
+++ b/src/libhydra/plugins/attr_sql/pool_usage.c
@@ -0,0 +1,127 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Copyright (C) 2009-2010 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <stdio.h>
+
+/**
+ * print pool usage info
+ */
+void usage(void)
+{
+	printf("\
+Usage:\n\
+  ipsec pool --status|--add|--replace|--del|--resize|--leases|--purge [options]\n\
+  ipsec pool --showattr|--statusattr|--addattr|--delattr [options]\n\
+  \n\
+  ipsec pool --status\n\
+    Show a list of installed pools with statistics plus nameserver info.\n\
+  \n\
+  ipsec pool --statusattr [--hexout]\n\
+    Show a list of all attributes stored in the database with the values\n\
+    converted to the correct format if the type is known by --showattr or\n\
+    in hex format otherwise.\n\
+      hexout:  Output all values in hex format\n\
+  \n\
+  ipsec pool --showattr\n\
+    Show a keyword list of the major attribute types.\n\
+  \n\
+  ipsec pool --add <name> --start <start> --end <end> [--timeout <timeout>]\n\
+  ipsec pool --replace <name> --start <start> --end <end> [--timeout <timeout>]\n\
+    Add a new pool to or replace an existing pool in the database.\n\
+      name:    Name of the pool, as used in ipsec.conf rightsourceip=%%name\n\
+      start:   Start address of the pool\n\
+      end:     End address of the pool\n\
+      timeout: Lease time in hours, 0 for static leases\n\
+  \n\
+  ipsec pool --add <name> --addresses <file> [--timeout <timeout>]\n\
+  ipsec pool --replace <name> --addresses <file> [--timeout <timeout>]\n\
+    Add a new pool to or replace an existing pool in the database.\n\
+      name:    Name of the pool, as used in ipsec.conf rightsourceip=%%name\n\
+      file:    File newline separated addresses for the pool are read from.\n\
+               Optionally each address can be pre-assigned to a roadwarrior\n\
+               identity, e.g. 10.231.14.2=alice@strongswan.org.\n\
+               If a - (hyphen) is given instead of a file name, the addresses\n\
+               are read from STDIN. Reading addresses stops at the end of file\n\
+               or an empty line. Pools created with this command can not be\n\
+               resized.\n\
+      timeout: Lease time in hours, 0 for static leases\n\
+  \n\
+  ipsec pool --addattr <type> [--pool <name> [--identity <id>]]\n\
+             --addr|--mask|--server|--subnet|--string|--hex <value>\n\
+    Add a new attribute to the database. Attributes can be bundled by using\n\
+    the --pool and --identity options. If a bundle matches a peer the contained\n\
+    attributes are sent to that peer instead of the global ones.\n\
+      type:    a keyword from --showattr or a number from the range 1..32767\n\
+      name:    the name of the pool this attribute is added to\n\
+      id:      identity of the peer this attribute is bound to\n\
+      addr:    IPv4 or IPv6 address\n\
+      mask:    IPv4 or IPv6 netmask (synonym for --addr)\n\
+      server:  IPv4 or IPv6 address of a server (synonym for --addr)\n\
+      subnet:  IPv4 subnet[s] given by network/mask[,network/mask,...]\n\
+      string:  value of a string-type attribute\n\
+      hex:     hex value of any attribute\n\
+  \n\
+  ipsec pool --del <name>\n\
+    Delete a pool from the database.\n\
+      name:    Name of the pool to delete\n\
+  \n\
+  ipsec pool --delattr <type> [--pool <name> [--identity <id>]]\n\
+             [--addr|--mask|--server|--subnet|--string|--hex <value>]\n\
+    Delete a specific or all attributes of a given type from the database.\n\
+      type:    a keyword from --showattr or a number from the range 1..32767\n\
+      name:    the name of the pool this attribute is added to\n\
+      id:      identity of the peer this attribute is bound to\n\
+      addr:    IPv4 or IPv6 address\n\
+      mask:    IPv4 or IPv6 netmask (synonym for --addr)\n\
+      server:  IPv4 or IPv6 address of a server (synonym for --addr)\n\
+      subnet:  IPv4 subnet[s] given by network/mask[,network/mask,...]\n\
+      string:  value of a string-type attribute\n\
+      hex:     hex value of any attribute\n\
+  \n\
+  ipsec pool --resize <name> --end <end>\n\
+    Grow or shrink an existing pool.\n\
+      name:    Name of the pool to resize\n\
+      end:     New end address for the pool\n\
+  \n\
+  ipsec pool --leases [--filter <filter>] [--utc]\n\
+    Show lease information using filters:\n\
+      filter:  Filter string containing comma separated key=value filters,\n\
+               e.g. id=alice@strongswan.org,addr=1.1.1.1\n\
+                  pool:   name of the pool\n\
+                  id:     assigned identity of the lease\n\
+                  addr:   lease IP address\n\
+                  tstamp: UNIX timestamp when lease was valid, as integer\n\
+                  status: status of the lease: online|valid|expired\n\
+      utc:    Show times in UTC instead of local time\n\
+  \n\
+  ipsec pool --purge <name>\n\
+    Delete lease history of a pool:\n\
+      name:    Name of the pool to purge\n\
+  \n\
+  ipsec pool --batch <file>\n\
+    Read commands from a file and execute them atomically.\n\
+      file:    File to read the newline separated commands from. Commands\n\
+               appear as they are written on the command line, e.g.\n\
+                  --replace mypool --start 10.0.0.1 --end 10.0.0.254\n\
+                  --del dns\n\
+                  --add dns --server 10.1.0.1\n\
+                  --add dns --server 10.1.1.1\n\
+               If a - (hyphen) is given as a file name, the commands are read\n\
+               from STDIN. Readin commands stops at the end of file. Empty\n\
+               lines are ignored. The file may not contain a --batch command.\n\
+  \n");
+}
+
diff --git a/src/libhydra/plugins/attr_sql/pool_usage.h b/src/libhydra/plugins/attr_sql/pool_usage.h
new file mode 100644
index 000000000..a98b0d680
--- /dev/null
+++ b/src/libhydra/plugins/attr_sql/pool_usage.h
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Copyright (C) 2009-2010 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef POOL_USAGE_H_
+#define POOL_USAGE_H_
+
+/**
+ * print pool usage info
+ */
+void usage(void);
+
+
+#endif /* POOL_USAGE_H_ */
diff --git a/src/libhydra/plugins/attr_sql/sql_attribute.c b/src/libhydra/plugins/attr_sql/sql_attribute.c
index a7cfde649..7f7bb190c 100644
--- a/src/libhydra/plugins/attr_sql/sql_attribute.c
+++ b/src/libhydra/plugins/attr_sql/sql_attribute.c
@@ -73,6 +73,26 @@ static u_int get_identity(private_sql_attribute_t *this, identification_t *id)
 	return 0;
 }
 
+/**
+ * Lookup an attribute pool by name
+ */
+static u_int get_attr_pool(private_sql_attribute_t *this, char *name)
+{
+	enumerator_t *e;
+	u_int row = 0;
+
+	e = this->db->query(this->db,
+						"SELECT id FROM attribute_pools WHERE name = ?",
+						DB_TEXT, name, DB_UINT);
+	if (e)
+	{
+		e->enumerate(e, &row);
+	}
+	DESTROY_IF(e);
+
+	return row;
+}
+
 /**
  * Lookup pool by name
  */
@@ -327,20 +347,101 @@ static bool release_address(private_sql_attribute_t *this,
  * Implementation of sql_attribute_t.create_attribute_enumerator
  */
 static enumerator_t* create_attribute_enumerator(private_sql_attribute_t *this,
-											identification_t *id, host_t *vip)
+								char *names, identification_t *id, host_t *vip)
 {
+	enumerator_t *attr_enumerator = NULL;
+
 	if (vip)
 	{
-		enumerator_t *enumerator;
+		enumerator_t *names_enumerator;
+		u_int count;
+		char *name;
 
-		enumerator = this->db->query(this->db,
-						"SELECT type, value FROM attributes", DB_INT, DB_BLOB);
-		if (enumerator)
+		this->db->execute(this->db, NULL, "BEGIN EXCLUSIVE TRANSACTION");
+
+		/* in a first step check for attributes that match name and id */
+		if (id)
 		{
-			return enumerator;
+			u_int identity = get_identity(this, id);
+
+			names_enumerator = enumerator_create_token(names, ",", " ");
+			while (names_enumerator->enumerate(names_enumerator, &name))
+			{
+				u_int attr_pool = get_attr_pool(this, name);
+				if (!attr_pool)
+				{
+					continue;
+				}
+
+				attr_enumerator = this->db->query(this->db,
+								"SELECT count(*) FROM attributes "
+								"WHERE pool = ? AND identity = ?",
+								DB_UINT, attr_pool, DB_UINT, identity, DB_UINT);
+
+				if (attr_enumerator &&
+					attr_enumerator->enumerate(attr_enumerator, &count) &&
+					count != 0)
+				{
+					attr_enumerator->destroy(attr_enumerator);
+					attr_enumerator = this->db->query(this->db,
+								"SELECT type, value FROM attributes "
+								"WHERE pool = ? AND identity = ?", DB_UINT,
+								attr_pool, DB_UINT, identity, DB_INT, DB_BLOB);
+					break;
+				}
+				DESTROY_IF(attr_enumerator);
+				attr_enumerator = NULL;
+			}
+			names_enumerator->destroy(names_enumerator);
+		}
+
+		/* in a second step check for attributes that match name */
+		if (!attr_enumerator)
+		{
+			names_enumerator = enumerator_create_token(names, ",", " ");
+			while (names_enumerator->enumerate(names_enumerator, &name))
+			{
+				u_int attr_pool = get_attr_pool(this, name);
+				if (!attr_pool)
+				{
+					continue;
+				}
+
+				attr_enumerator = this->db->query(this->db,
+									"SELECT count(*) FROM attributes "
+									"WHERE pool = ? AND identity = 0",
+									DB_UINT, attr_pool, DB_UINT);
+
+				if (attr_enumerator &&
+					attr_enumerator->enumerate(attr_enumerator, &count) &&
+					count != 0)
+				{
+					attr_enumerator->destroy(attr_enumerator);
+					attr_enumerator = this->db->query(this->db,
+									"SELECT type, value FROM attributes "
+									"WHERE pool = ? AND identity = 0",
+									DB_UINT, attr_pool, DB_INT, DB_BLOB);
+					break;
+				}
+				DESTROY_IF(attr_enumerator);
+				attr_enumerator = NULL;
+			}
+			names_enumerator->destroy(names_enumerator);
+		}
+
+		this->db->execute(this->db, NULL, "END TRANSACTION");
+
+		/* lastly try to find global attributes */
+		if (!attr_enumerator)
+		{
+			attr_enumerator = this->db->query(this->db,
+									"SELECT type, value FROM attributes "
+									"WHERE pool = 0 AND identity = 0",
+									DB_INT, DB_BLOB);
 		}
 	}
-	return enumerator_create_empty();
+
+	return (attr_enumerator ? attr_enumerator : enumerator_create_empty());
 }
 
 /**
@@ -361,7 +462,7 @@ sql_attribute_t *sql_attribute_create(database_t *db)
 
 	this->public.provider.acquire_address = (host_t*(*)(attribute_provider_t *this, char*, identification_t *, host_t *))acquire_address;
 	this->public.provider.release_address = (bool(*)(attribute_provider_t *this, char*,host_t *, identification_t*))release_address;
-	this->public.provider.create_attribute_enumerator = (enumerator_t*(*)(attribute_provider_t*, identification_t *id, host_t *host))create_attribute_enumerator;
+	this->public.provider.create_attribute_enumerator = (enumerator_t*(*)(attribute_provider_t*, char *names, identification_t *id, host_t *host))create_attribute_enumerator;
 	this->public.destroy = (void(*)(sql_attribute_t*))destroy;
 
 	this->db = db;
diff --git a/src/libhydra/plugins/resolve/Makefile.am b/src/libhydra/plugins/resolve/Makefile.am
new file mode 100644
index 000000000..f8830d42e
--- /dev/null
+++ b/src/libhydra/plugins/resolve/Makefile.am
@@ -0,0 +1,18 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic \
+	-DRESOLV_CONF=\"${resolv_conf}\"
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-resolve.la
+else
+plugin_LTLIBRARIES = libstrongswan-resolve.la
+endif
+
+libstrongswan_resolve_la_SOURCES = \
+	resolve_plugin.h resolve_plugin.c \
+	resolve_handler.h resolve_handler.c
+
+libstrongswan_resolve_la_LDFLAGS = -module -avoid-version
diff --git a/src/libhydra/plugins/resolve/Makefile.in b/src/libhydra/plugins/resolve/Makefile.in
new file mode 100644
index 000000000..e16c66923
--- /dev/null
+++ b/src/libhydra/plugins/resolve/Makefile.in
@@ -0,0 +1,591 @@
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libhydra/plugins/resolve
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_resolve_la_LIBADD =
+am_libstrongswan_resolve_la_OBJECTS = resolve_plugin.lo \
+	resolve_handler.lo
+libstrongswan_resolve_la_OBJECTS =  \
+	$(am_libstrongswan_resolve_la_OBJECTS)
+libstrongswan_resolve_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_resolve_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_resolve_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_resolve_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_resolve_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_resolve_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libhydra_plugins = @libhydra_plugins@
+libstrongswan_plugins = @libstrongswan_plugins@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic \
+	-DRESOLV_CONF=\"${resolv_conf}\"
+
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-resolve.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-resolve.la
+libstrongswan_resolve_la_SOURCES = \
+	resolve_plugin.h resolve_plugin.c \
+	resolve_handler.h resolve_handler.c
+
+libstrongswan_resolve_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libhydra/plugins/resolve/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libhydra/plugins/resolve/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-resolve.la: $(libstrongswan_resolve_la_OBJECTS) $(libstrongswan_resolve_la_DEPENDENCIES) 
+	$(libstrongswan_resolve_la_LINK) $(am_libstrongswan_resolve_la_rpath) $(libstrongswan_resolve_la_OBJECTS) $(libstrongswan_resolve_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/resolve_handler.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/resolve_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libhydra/plugins/resolve/resolve_handler.c b/src/libhydra/plugins/resolve/resolve_handler.c
new file mode 100644
index 000000000..cdc639038
--- /dev/null
+++ b/src/libhydra/plugins/resolve/resolve_handler.c
@@ -0,0 +1,252 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "resolve_handler.h"
+
+#include <unistd.h>
+
+#include <hydra.h>
+#include <debug.h>
+#include <threading/mutex.h>
+
+typedef struct private_resolve_handler_t private_resolve_handler_t;
+
+/**
+ * Private data of an resolve_handler_t object.
+ */
+struct private_resolve_handler_t {
+
+	/**
+	 * Public resolve_handler_t interface.
+	 */
+	resolve_handler_t public;
+
+	/**
+	 * resolv.conf file to use
+	 */
+	char *file;
+
+	/**
+	 * Mutex to access file exclusively
+	 */
+	mutex_t *mutex;
+};
+
+/**
+ * Implementation of attribute_handler_t.handle
+ */
+static bool handle(private_resolve_handler_t *this, identification_t *server,
+				   configuration_attribute_type_t type, chunk_t data)
+{
+	FILE *in, *out;
+	char buf[1024];
+	host_t *addr;
+	size_t len;
+	bool handled = FALSE;
+
+	switch (type)
+	{
+		case INTERNAL_IP4_DNS:
+			addr = host_create_from_chunk(AF_INET, data, 0);
+			break;
+		case INTERNAL_IP6_DNS:
+			addr = host_create_from_chunk(AF_INET6, data, 0);
+			break;
+		default:
+			return FALSE;
+	}
+
+	if (!addr || addr->is_anyaddr(addr))
+	{
+		DESTROY_IF(addr);
+		return FALSE;
+	}
+	this->mutex->lock(this->mutex);
+
+	in = fopen(this->file, "r");
+	/* allows us to stream from in to out */
+	unlink(this->file);
+	out = fopen(this->file, "w");
+	if (out)
+	{
+		fprintf(out, "nameserver %H   # by strongSwan, from %Y\n", addr, server);
+		DBG1(DBG_IKE, "installing DNS server %H to %s", addr, this->file);
+		handled = TRUE;
+
+		/* copy rest of the file */
+		if (in)
+		{
+			while ((len = fread(buf, 1, sizeof(buf), in)))
+			{
+				ignore_result(fwrite(buf, 1, len, out));
+			}
+		}
+		fclose(out);
+	}
+	if (in)
+	{
+		fclose(in);
+	}
+	this->mutex->unlock(this->mutex);
+	addr->destroy(addr);
+
+	if (!handled)
+	{
+		DBG1(DBG_IKE, "adding DNS server failed", this->file);
+	}
+	return handled;
+}
+
+/**
+ * Implementation of attribute_handler_t.release
+ */
+static void release(private_resolve_handler_t *this, identification_t *server,
+					configuration_attribute_type_t type, chunk_t data)
+{
+	FILE *in, *out;
+	char line[1024], matcher[512], *pos;
+	host_t *addr;
+	int family;
+
+	switch (type)
+	{
+		case INTERNAL_IP4_DNS:
+			family = AF_INET;
+			break;
+		case INTERNAL_IP6_DNS:
+			family = AF_INET6;
+			break;
+		default:
+			return;
+	}
+
+	this->mutex->lock(this->mutex);
+
+	in = fopen(this->file, "r");
+	if (in)
+	{
+		/* allows us to stream from in to out */
+		unlink(this->file);
+		out = fopen(this->file, "w");
+		if (out)
+		{
+			addr = host_create_from_chunk(family, data, 0);
+			snprintf(matcher, sizeof(matcher),
+					 "nameserver %H   # by strongSwan, from %Y\n",
+					 addr, server);
+
+			/* copy all, but matching line */
+			while ((pos = fgets(line, sizeof(line), in)))
+			{
+				if (strneq(line, matcher, strlen(matcher)))
+				{
+					DBG1(DBG_IKE, "removing DNS server %H from %s",
+						 addr, this->file);
+				}
+				else
+				{
+					fputs(line, out);
+				}
+			}
+			addr->destroy(addr);
+			fclose(out);
+		}
+		fclose(in);
+	}
+
+	this->mutex->unlock(this->mutex);
+}
+
+/**
+ * Attribute enumerator implementation
+ */
+typedef struct {
+	/** implements enumerator_t interface */
+	enumerator_t public;
+	/** virtual IP we are requesting */
+	host_t *vip;
+} attribute_enumerator_t;
+
+/**
+ * Implementation of create_attribute_enumerator().enumerate()
+ */
+static bool attribute_enumerate(attribute_enumerator_t *this,
+						configuration_attribute_type_t *type, chunk_t *data)
+{
+	switch (this->vip->get_family(this->vip))
+	{
+		case AF_INET:
+			*type = INTERNAL_IP4_DNS;
+			break;
+		case AF_INET6:
+			*type = INTERNAL_IP6_DNS;
+			break;
+		default:
+			return FALSE;
+	}
+	*data = chunk_empty;
+	/* enumerate only once */
+	this->public.enumerate = (void*)return_false;
+	return TRUE;
+}
+
+/**
+ * Implementation of attribute_handler_t.create_attribute_enumerator
+ */
+static enumerator_t* create_attribute_enumerator(private_resolve_handler_t *this,
+										identification_t *server, host_t *vip)
+{
+	if (vip)
+	{
+		attribute_enumerator_t *enumerator;
+
+		enumerator = malloc_thing(attribute_enumerator_t);
+		enumerator->public.enumerate = (void*)attribute_enumerate;
+		enumerator->public.destroy = (void*)free;
+		enumerator->vip = vip;
+
+		return &enumerator->public;
+	}
+	return enumerator_create_empty();
+}
+
+/**
+ * Implementation of resolve_handler_t.destroy.
+ */
+static void destroy(private_resolve_handler_t *this)
+{
+	this->mutex->destroy(this->mutex);
+	free(this);
+}
+
+/**
+ * See header
+ */
+resolve_handler_t *resolve_handler_create()
+{
+	private_resolve_handler_t *this = malloc_thing(private_resolve_handler_t);
+
+	this->public.handler.handle = (bool(*)(attribute_handler_t*, identification_t*, configuration_attribute_type_t, chunk_t))handle;
+	this->public.handler.release = (void(*)(attribute_handler_t*, identification_t*, configuration_attribute_type_t, chunk_t))release;
+	this->public.handler.create_attribute_enumerator = (enumerator_t*(*)(attribute_handler_t*, identification_t *server, host_t *vip))create_attribute_enumerator;
+	this->public.destroy = (void(*)(resolve_handler_t*))destroy;
+
+	this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
+	this->file = lib->settings->get_str(lib->settings,
+								"%s.plugins.resolve.file", RESOLV_CONF, hydra->daemon);
+
+	return &this->public;
+}
+
diff --git a/src/libhydra/plugins/resolve/resolve_handler.h b/src/libhydra/plugins/resolve/resolve_handler.h
new file mode 100644
index 000000000..77bf9781c
--- /dev/null
+++ b/src/libhydra/plugins/resolve/resolve_handler.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup resolve_handler resolve_handler
+ * @{ @ingroup resolve
+ */
+
+#ifndef RESOLVE_HANDLER_H_
+#define RESOLVE_HANDLER_H_
+
+#include <attributes/attribute_handler.h>
+
+typedef struct resolve_handler_t resolve_handler_t;
+
+/**
+ * Handle DNS configuration attributes by mangling a resolv.conf file.
+ */
+struct resolve_handler_t {
+
+	/**
+	 * Implements the attribute_handler_t interface
+	 */
+	attribute_handler_t handler;
+
+	/**
+	 * Destroy a resolve_handler_t.
+	 */
+	void (*destroy)(resolve_handler_t *this);
+};
+
+/**
+ * Create a resolve_handler instance.
+ */
+resolve_handler_t *resolve_handler_create();
+
+#endif /** RESOLVE_HANDLER_H_ @}*/
diff --git a/src/libhydra/plugins/resolve/resolve_plugin.c b/src/libhydra/plugins/resolve/resolve_plugin.c
new file mode 100644
index 000000000..502129593
--- /dev/null
+++ b/src/libhydra/plugins/resolve/resolve_plugin.c
@@ -0,0 +1,62 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "resolve_plugin.h"
+#include "resolve_handler.h"
+
+#include <hydra.h>
+
+typedef struct private_resolve_plugin_t private_resolve_plugin_t;
+
+/**
+ * private data of resolve plugin
+ */
+struct private_resolve_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	resolve_plugin_t public;
+
+	/**
+	 * The registerd DNS attribute handler
+	 */
+	resolve_handler_t *handler;
+};
+
+/**
+ * Implementation of plugin_t.destroy
+ */
+static void destroy(private_resolve_plugin_t *this)
+{
+	hydra->attributes->remove_handler(hydra->attributes, &this->handler->handler);
+	this->handler->destroy(this->handler);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *resolve_plugin_create()
+{
+	private_resolve_plugin_t *this = malloc_thing(private_resolve_plugin_t);
+
+	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+	this->handler = resolve_handler_create();
+	hydra->attributes->add_handler(hydra->attributes, &this->handler->handler);
+
+	return &this->public.plugin;
+}
+
diff --git a/src/libhydra/plugins/resolve/resolve_plugin.h b/src/libhydra/plugins/resolve/resolve_plugin.h
new file mode 100644
index 000000000..0148b10d7
--- /dev/null
+++ b/src/libhydra/plugins/resolve/resolve_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup resolve resolve
+ * @ingroup cplugins
+ *
+ * @defgroup resolve_plugin resolve_plugin
+ * @{ @ingroup resolve
+ */
+
+#ifndef RESOLVE_PLUGIN_H_
+#define RESOLVE_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct resolve_plugin_t resolve_plugin_t;
+
+/**
+ * Plugin that writes received DNS servers in a resolv.conf file.
+ */
+struct resolve_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+#endif /** RESOLVE_PLUGIN_H_ @}*/
diff --git a/src/libsimaka/Makefile.in b/src/libsimaka/Makefile.in
index ab07cb214..d53df9bb2 100644
--- a/src/libsimaka/Makefile.in
+++ b/src/libsimaka/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
diff --git a/src/libstrongswan/Android.mk b/src/libstrongswan/Android.mk
index d639220e3..1931dfa45 100644
--- a/src/libstrongswan/Android.mk
+++ b/src/libstrongswan/Android.mk
@@ -26,7 +26,7 @@ crypto/diffie_hellman.c crypto/diffie_hellman.h \
 crypto/transform.c crypto/transform.h \
 credentials/credential_factory.c credentials/credential_factory.h \
 credentials/builder.c credentials/builder.h \
-credentials/keys/key_encoding.c credentials/keys/key_encoding.h \
+credentials/cred_encoding.c credentials/cred_encoding.h \
 credentials/keys/private_key.c credentials/keys/private_key.h \
 credentials/keys/public_key.c credentials/keys/public_key.h \
 credentials/keys/shared_key.c credentials/keys/shared_key.h \
@@ -39,6 +39,12 @@ credentials/certificates/ocsp_request.h \
 credentials/certificates/ocsp_response.h credentials/certificates/ocsp_response.c \
 credentials/certificates/pgp_certificate.h \
 credentials/ietf_attributes/ietf_attributes.c credentials/ietf_attributes/ietf_attributes.h \
+credentials/credential_manager.c credentials/credential_manager.h \
+credentials/sets/auth_cfg_wrapper.c credentials/sets/auth_cfg_wrapper.h \
+credentials/sets/ocsp_response_wrapper.c credentials/sets/ocsp_response_wrapper.h \
+credentials/sets/cert_cache.c credentials/sets/cert_cache.h \
+credentials/auth_cfg.c credentials/auth_cfg.h credentials/credential_set.h \
+credentials/cert_validator.h \
 database/database.h database/database_factory.h database/database_factory.c \
 fetcher/fetcher.h fetcher/fetcher_manager.h fetcher/fetcher_manager.c \
 selectors/traffic_selector.c selectors/traffic_selector.h \
@@ -68,7 +74,7 @@ LOCAL_SRC_FILES += $(call add_plugin, des)
 LOCAL_SRC_FILES += $(call add_plugin, fips-prf)
 
 LOCAL_SRC_FILES += $(call add_plugin, gmp)
-ifneq ($(call plugin_enabled, gmp)),)
+ifneq ($(call plugin_enabled, gmp),)
 LOCAL_C_INCLUDES += $(libgmp_PATH)
 LOCAL_SHARED_LIBRARIES += libgmp
 endif
@@ -80,7 +86,7 @@ LOCAL_SRC_FILES += $(call add_plugin, md4)
 LOCAL_SRC_FILES += $(call add_plugin, md5)
 
 LOCAL_SRC_FILES += $(call add_plugin, openssl)
-ifneq ($(call plugin_enabled, openssl)),)
+ifneq ($(call plugin_enabled, openssl),)
 LOCAL_C_INCLUDES += external/openssl/include
 LOCAL_SHARED_LIBRARIES += libcrypto
 endif
diff --git a/src/libstrongswan/Makefile.am b/src/libstrongswan/Makefile.am
index 157d37b5e..3678abd5d 100644
--- a/src/libstrongswan/Makefile.am
+++ b/src/libstrongswan/Makefile.am
@@ -24,7 +24,7 @@ crypto/diffie_hellman.c crypto/diffie_hellman.h \
 crypto/transform.c crypto/transform.h \
 credentials/credential_factory.c credentials/credential_factory.h \
 credentials/builder.c credentials/builder.h \
-credentials/keys/key_encoding.c credentials/keys/key_encoding.h \
+credentials/cred_encoding.c credentials/cred_encoding.h \
 credentials/keys/private_key.c credentials/keys/private_key.h \
 credentials/keys/public_key.c credentials/keys/public_key.h \
 credentials/keys/shared_key.c credentials/keys/shared_key.h \
@@ -37,6 +37,12 @@ credentials/certificates/ocsp_request.h \
 credentials/certificates/ocsp_response.h credentials/certificates/ocsp_response.c \
 credentials/certificates/pgp_certificate.h \
 credentials/ietf_attributes/ietf_attributes.c credentials/ietf_attributes/ietf_attributes.h \
+credentials/credential_manager.c credentials/credential_manager.h \
+credentials/sets/auth_cfg_wrapper.c credentials/sets/auth_cfg_wrapper.h \
+credentials/sets/ocsp_response_wrapper.c credentials/sets/ocsp_response_wrapper.h \
+credentials/sets/cert_cache.c credentials/sets/cert_cache.h \
+credentials/auth_cfg.c credentials/auth_cfg.h credentials/credential_set.h \
+credentials/cert_validator.h \
 database/database.h database/database_factory.h database/database_factory.c \
 fetcher/fetcher.h fetcher/fetcher_manager.h fetcher/fetcher_manager.c \
 selectors/traffic_selector.c selectors/traffic_selector.h \
@@ -203,6 +209,13 @@ if MONOLITHIC
 endif
 endif
 
+if USE_REVOCATION
+  SUBDIRS += plugins/revocation
+if MONOLITHIC
+  libstrongswan_la_LIBADD += plugins/revocation/libstrongswan-revocation.la
+endif
+endif
+
 if USE_PUBKEY
   SUBDIRS += plugins/pubkey
 if MONOLITHIC
diff --git a/src/libstrongswan/Makefile.in b/src/libstrongswan/Makefile.in
index b8d967d4a..b6dcf6be5 100644
--- a/src/libstrongswan/Makefile.in
+++ b/src/libstrongswan/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -68,36 +68,38 @@ host_triplet = @host@
 @MONOLITHIC_TRUE@@USE_XCBC_TRUE@am__append_28 = plugins/xcbc/libstrongswan-xcbc.la
 @USE_X509_TRUE@am__append_29 = plugins/x509
 @MONOLITHIC_TRUE@@USE_X509_TRUE@am__append_30 = plugins/x509/libstrongswan-x509.la
-@USE_PUBKEY_TRUE@am__append_31 = plugins/pubkey
-@MONOLITHIC_TRUE@@USE_PUBKEY_TRUE@am__append_32 = plugins/pubkey/libstrongswan-pubkey.la
-@USE_PKCS1_TRUE@am__append_33 = plugins/pkcs1
-@MONOLITHIC_TRUE@@USE_PKCS1_TRUE@am__append_34 = plugins/pkcs1/libstrongswan-pkcs1.la
-@USE_PGP_TRUE@am__append_35 = plugins/pgp
-@MONOLITHIC_TRUE@@USE_PGP_TRUE@am__append_36 = plugins/pgp/libstrongswan-pgp.la
-@USE_DNSKEY_TRUE@am__append_37 = plugins/dnskey
-@MONOLITHIC_TRUE@@USE_DNSKEY_TRUE@am__append_38 = plugins/dnskey/libstrongswan-dnskey.la
-@USE_PEM_TRUE@am__append_39 = plugins/pem
-@MONOLITHIC_TRUE@@USE_PEM_TRUE@am__append_40 = plugins/pem/libstrongswan-pem.la
-@USE_CURL_TRUE@am__append_41 = plugins/curl
-@MONOLITHIC_TRUE@@USE_CURL_TRUE@am__append_42 = plugins/curl/libstrongswan-curl.la
-@USE_LDAP_TRUE@am__append_43 = plugins/ldap
-@MONOLITHIC_TRUE@@USE_LDAP_TRUE@am__append_44 = plugins/ldap/libstrongswan-ldap.la
-@USE_MYSQL_TRUE@am__append_45 = plugins/mysql
-@MONOLITHIC_TRUE@@USE_MYSQL_TRUE@am__append_46 = plugins/mysql/libstrongswan-mysql.la
-@USE_SQLITE_TRUE@am__append_47 = plugins/sqlite
-@MONOLITHIC_TRUE@@USE_SQLITE_TRUE@am__append_48 = plugins/sqlite/libstrongswan-sqlite.la
-@USE_PADLOCK_TRUE@am__append_49 = plugins/padlock
-@MONOLITHIC_TRUE@@USE_PADLOCK_TRUE@am__append_50 = plugins/padlock/libstrongswan-padlock.la
-@USE_OPENSSL_TRUE@am__append_51 = plugins/openssl
-@MONOLITHIC_TRUE@@USE_OPENSSL_TRUE@am__append_52 = plugins/openssl/libstrongswan-openssl.la
-@USE_GCRYPT_TRUE@am__append_53 = plugins/gcrypt
-@MONOLITHIC_TRUE@@USE_GCRYPT_TRUE@am__append_54 = plugins/gcrypt/libstrongswan-gcrypt.la
-@USE_FIPS_PRF_TRUE@am__append_55 = plugins/fips_prf
-@MONOLITHIC_TRUE@@USE_FIPS_PRF_TRUE@am__append_56 = plugins/fips_prf/libstrongswan-fips-prf.la
-@USE_AGENT_TRUE@am__append_57 = plugins/agent
-@MONOLITHIC_TRUE@@USE_AGENT_TRUE@am__append_58 = plugins/agent/libstrongswan-agent.la
-@USE_TEST_VECTORS_TRUE@am__append_59 = plugins/test_vectors
-@MONOLITHIC_TRUE@@USE_TEST_VECTORS_TRUE@am__append_60 = plugins/test_vectors/libstrongswan-test-vectors.la
+@USE_REVOCATION_TRUE@am__append_31 = plugins/revocation
+@MONOLITHIC_TRUE@@USE_REVOCATION_TRUE@am__append_32 = plugins/revocation/libstrongswan-revocation.la
+@USE_PUBKEY_TRUE@am__append_33 = plugins/pubkey
+@MONOLITHIC_TRUE@@USE_PUBKEY_TRUE@am__append_34 = plugins/pubkey/libstrongswan-pubkey.la
+@USE_PKCS1_TRUE@am__append_35 = plugins/pkcs1
+@MONOLITHIC_TRUE@@USE_PKCS1_TRUE@am__append_36 = plugins/pkcs1/libstrongswan-pkcs1.la
+@USE_PGP_TRUE@am__append_37 = plugins/pgp
+@MONOLITHIC_TRUE@@USE_PGP_TRUE@am__append_38 = plugins/pgp/libstrongswan-pgp.la
+@USE_DNSKEY_TRUE@am__append_39 = plugins/dnskey
+@MONOLITHIC_TRUE@@USE_DNSKEY_TRUE@am__append_40 = plugins/dnskey/libstrongswan-dnskey.la
+@USE_PEM_TRUE@am__append_41 = plugins/pem
+@MONOLITHIC_TRUE@@USE_PEM_TRUE@am__append_42 = plugins/pem/libstrongswan-pem.la
+@USE_CURL_TRUE@am__append_43 = plugins/curl
+@MONOLITHIC_TRUE@@USE_CURL_TRUE@am__append_44 = plugins/curl/libstrongswan-curl.la
+@USE_LDAP_TRUE@am__append_45 = plugins/ldap
+@MONOLITHIC_TRUE@@USE_LDAP_TRUE@am__append_46 = plugins/ldap/libstrongswan-ldap.la
+@USE_MYSQL_TRUE@am__append_47 = plugins/mysql
+@MONOLITHIC_TRUE@@USE_MYSQL_TRUE@am__append_48 = plugins/mysql/libstrongswan-mysql.la
+@USE_SQLITE_TRUE@am__append_49 = plugins/sqlite
+@MONOLITHIC_TRUE@@USE_SQLITE_TRUE@am__append_50 = plugins/sqlite/libstrongswan-sqlite.la
+@USE_PADLOCK_TRUE@am__append_51 = plugins/padlock
+@MONOLITHIC_TRUE@@USE_PADLOCK_TRUE@am__append_52 = plugins/padlock/libstrongswan-padlock.la
+@USE_OPENSSL_TRUE@am__append_53 = plugins/openssl
+@MONOLITHIC_TRUE@@USE_OPENSSL_TRUE@am__append_54 = plugins/openssl/libstrongswan-openssl.la
+@USE_GCRYPT_TRUE@am__append_55 = plugins/gcrypt
+@MONOLITHIC_TRUE@@USE_GCRYPT_TRUE@am__append_56 = plugins/gcrypt/libstrongswan-gcrypt.la
+@USE_FIPS_PRF_TRUE@am__append_57 = plugins/fips_prf
+@MONOLITHIC_TRUE@@USE_FIPS_PRF_TRUE@am__append_58 = plugins/fips_prf/libstrongswan-fips-prf.la
+@USE_AGENT_TRUE@am__append_59 = plugins/agent
+@MONOLITHIC_TRUE@@USE_AGENT_TRUE@am__append_60 = plugins/agent/libstrongswan-agent.la
+@USE_TEST_VECTORS_TRUE@am__append_61 = plugins/test_vectors
+@MONOLITHIC_TRUE@@USE_TEST_VECTORS_TRUE@am__append_62 = plugins/test_vectors/libstrongswan-test-vectors.la
 subdir = src/libstrongswan
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
@@ -150,7 +152,7 @@ libstrongswan_la_DEPENDENCIES = $(am__DEPENDENCIES_1) \
 	$(am__append_42) $(am__append_44) $(am__append_46) \
 	$(am__append_48) $(am__append_50) $(am__append_52) \
 	$(am__append_54) $(am__append_56) $(am__append_58) \
-	$(am__append_60)
+	$(am__append_60) $(am__append_62)
 am__libstrongswan_la_SOURCES_DIST = library.c library.h chunk.c \
 	chunk.h debug.c debug.h enum.c enum.h settings.h settings.c \
 	printf_hook.c printf_hook.h asn1/asn1.c asn1/asn1.h \
@@ -167,8 +169,8 @@ am__libstrongswan_la_SOURCES_DIST = library.c library.h chunk.c \
 	crypto/diffie_hellman.h crypto/transform.c crypto/transform.h \
 	credentials/credential_factory.c \
 	credentials/credential_factory.h credentials/builder.c \
-	credentials/builder.h credentials/keys/key_encoding.c \
-	credentials/keys/key_encoding.h credentials/keys/private_key.c \
+	credentials/builder.h credentials/cred_encoding.c \
+	credentials/cred_encoding.h credentials/keys/private_key.c \
 	credentials/keys/private_key.h credentials/keys/public_key.c \
 	credentials/keys/public_key.h credentials/keys/shared_key.c \
 	credentials/keys/shared_key.h \
@@ -184,6 +186,15 @@ am__libstrongswan_la_SOURCES_DIST = library.c library.h chunk.c \
 	credentials/certificates/pgp_certificate.h \
 	credentials/ietf_attributes/ietf_attributes.c \
 	credentials/ietf_attributes/ietf_attributes.h \
+	credentials/credential_manager.c \
+	credentials/credential_manager.h \
+	credentials/sets/auth_cfg_wrapper.c \
+	credentials/sets/auth_cfg_wrapper.h \
+	credentials/sets/ocsp_response_wrapper.c \
+	credentials/sets/ocsp_response_wrapper.h \
+	credentials/sets/cert_cache.c credentials/sets/cert_cache.h \
+	credentials/auth_cfg.c credentials/auth_cfg.h \
+	credentials/credential_set.h credentials/cert_validator.h \
 	database/database.h database/database_factory.h \
 	database/database_factory.c fetcher/fetcher.h \
 	fetcher/fetcher_manager.h fetcher/fetcher_manager.c \
@@ -208,9 +219,11 @@ am_libstrongswan_la_OBJECTS = library.lo chunk.lo debug.lo enum.lo \
 	crypter.lo hasher.lo pkcs9.lo proposal_keywords.lo prf.lo \
 	rng.lo prf_plus.lo signer.lo crypto_factory.lo \
 	crypto_tester.lo diffie_hellman.lo transform.lo \
-	credential_factory.lo builder.lo key_encoding.lo \
+	credential_factory.lo builder.lo cred_encoding.lo \
 	private_key.lo public_key.lo shared_key.lo certificate.lo \
 	x509.lo crl.lo ocsp_response.lo ietf_attributes.lo \
+	credential_manager.lo auth_cfg_wrapper.lo \
+	ocsp_response_wrapper.lo cert_cache.lo auth_cfg.lo \
 	database_factory.lo fetcher_manager.lo traffic_selector.lo \
 	thread.lo thread_value.lo mutex.lo rwlock.lo utils.lo host.lo \
 	identification.lo lexparser.lo linked_list.lo hashtable.lo \
@@ -249,10 +262,11 @@ CTAGS = ctags
 DIST_SUBDIRS = . plugins/aes plugins/des plugins/blowfish plugins/md4 \
 	plugins/md5 plugins/sha1 plugins/sha2 plugins/gmp \
 	plugins/random plugins/hmac plugins/xcbc plugins/x509 \
-	plugins/pubkey plugins/pkcs1 plugins/pgp plugins/dnskey \
-	plugins/pem plugins/curl plugins/ldap plugins/mysql \
-	plugins/sqlite plugins/padlock plugins/openssl plugins/gcrypt \
-	plugins/fips_prf plugins/agent plugins/test_vectors
+	plugins/revocation plugins/pubkey plugins/pkcs1 plugins/pgp \
+	plugins/dnskey plugins/pem plugins/curl plugins/ldap \
+	plugins/mysql plugins/sqlite plugins/padlock plugins/openssl \
+	plugins/gcrypt plugins/fips_prf plugins/agent \
+	plugins/test_vectors
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 am__relativize = \
   dir0=`pwd`; \
@@ -451,8 +465,8 @@ libstrongswan_la_SOURCES = library.c library.h chunk.c chunk.h debug.c \
 	crypto/diffie_hellman.h crypto/transform.c crypto/transform.h \
 	credentials/credential_factory.c \
 	credentials/credential_factory.h credentials/builder.c \
-	credentials/builder.h credentials/keys/key_encoding.c \
-	credentials/keys/key_encoding.h credentials/keys/private_key.c \
+	credentials/builder.h credentials/cred_encoding.c \
+	credentials/cred_encoding.h credentials/keys/private_key.c \
 	credentials/keys/private_key.h credentials/keys/public_key.c \
 	credentials/keys/public_key.h credentials/keys/shared_key.c \
 	credentials/keys/shared_key.h \
@@ -468,6 +482,15 @@ libstrongswan_la_SOURCES = library.c library.h chunk.c chunk.h debug.c \
 	credentials/certificates/pgp_certificate.h \
 	credentials/ietf_attributes/ietf_attributes.c \
 	credentials/ietf_attributes/ietf_attributes.h \
+	credentials/credential_manager.c \
+	credentials/credential_manager.h \
+	credentials/sets/auth_cfg_wrapper.c \
+	credentials/sets/auth_cfg_wrapper.h \
+	credentials/sets/ocsp_response_wrapper.c \
+	credentials/sets/ocsp_response_wrapper.h \
+	credentials/sets/cert_cache.c credentials/sets/cert_cache.h \
+	credentials/auth_cfg.c credentials/auth_cfg.h \
+	credentials/credential_set.h credentials/cert_validator.h \
 	database/database.h database/database_factory.h \
 	database/database_factory.c fetcher/fetcher.h \
 	fetcher/fetcher_manager.h fetcher/fetcher_manager.c \
@@ -494,7 +517,7 @@ libstrongswan_la_LIBADD = $(PTHREADLIB) $(DLLIB) $(BTLIB) $(SOCKLIB) \
 	$(am__append_42) $(am__append_44) $(am__append_46) \
 	$(am__append_48) $(am__append_50) $(am__append_52) \
 	$(am__append_54) $(am__append_56) $(am__append_58) \
-	$(am__append_60)
+	$(am__append_60) $(am__append_62)
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
 AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" -DPLUGINDIR=\"${plugindir}\" \
 	-DSTRONGSWAN_CONF=\"${strongswan_conf}\" $(am__append_1) \
@@ -525,7 +548,7 @@ $(srcdir)/crypto/proposal/proposal_keywords.c
 @MONOLITHIC_FALSE@	$(am__append_47) $(am__append_49) \
 @MONOLITHIC_FALSE@	$(am__append_51) $(am__append_53) \
 @MONOLITHIC_FALSE@	$(am__append_55) $(am__append_57) \
-@MONOLITHIC_FALSE@	$(am__append_59)
+@MONOLITHIC_FALSE@	$(am__append_59) $(am__append_61)
 
 # build plugins with their own Makefile
 #######################################
@@ -542,7 +565,7 @@ $(srcdir)/crypto/proposal/proposal_keywords.c
 @MONOLITHIC_TRUE@	$(am__append_47) $(am__append_49) \
 @MONOLITHIC_TRUE@	$(am__append_51) $(am__append_53) \
 @MONOLITHIC_TRUE@	$(am__append_55) $(am__append_57) \
-@MONOLITHIC_TRUE@	$(am__append_59)
+@MONOLITHIC_TRUE@	$(am__append_59) $(am__append_61)
 all: $(BUILT_SOURCES)
 	$(MAKE) $(AM_MAKEFLAGS) all-recursive
 
@@ -620,11 +643,16 @@ distclean-compile:
 
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_parser.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/auth_cfg.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/auth_cfg_wrapper.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/backtrace.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/builder.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cert_cache.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/certificate.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/chunk.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cred_encoding.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/credential_factory.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/credential_manager.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/crl.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/crypter.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/crypto_factory.Plo@am__quote@
@@ -641,13 +669,13 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/identification.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ietf_attributes.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/integrity_checker.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/key_encoding.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/leak_detective.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/lexparser.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/library.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/linked_list.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mutex.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ocsp_response.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ocsp_response_wrapper.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/oid.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/optionsfrom.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs9.Plo@am__quote@
@@ -810,12 +838,12 @@ builder.lo: credentials/builder.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o builder.lo `test -f 'credentials/builder.c' || echo '$(srcdir)/'`credentials/builder.c
 
-key_encoding.lo: credentials/keys/key_encoding.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT key_encoding.lo -MD -MP -MF $(DEPDIR)/key_encoding.Tpo -c -o key_encoding.lo `test -f 'credentials/keys/key_encoding.c' || echo '$(srcdir)/'`credentials/keys/key_encoding.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/key_encoding.Tpo $(DEPDIR)/key_encoding.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='credentials/keys/key_encoding.c' object='key_encoding.lo' libtool=yes @AMDEPBACKSLASH@
+cred_encoding.lo: credentials/cred_encoding.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cred_encoding.lo -MD -MP -MF $(DEPDIR)/cred_encoding.Tpo -c -o cred_encoding.lo `test -f 'credentials/cred_encoding.c' || echo '$(srcdir)/'`credentials/cred_encoding.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/cred_encoding.Tpo $(DEPDIR)/cred_encoding.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='credentials/cred_encoding.c' object='cred_encoding.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o key_encoding.lo `test -f 'credentials/keys/key_encoding.c' || echo '$(srcdir)/'`credentials/keys/key_encoding.c
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cred_encoding.lo `test -f 'credentials/cred_encoding.c' || echo '$(srcdir)/'`credentials/cred_encoding.c
 
 private_key.lo: credentials/keys/private_key.c
 @am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT private_key.lo -MD -MP -MF $(DEPDIR)/private_key.Tpo -c -o private_key.lo `test -f 'credentials/keys/private_key.c' || echo '$(srcdir)/'`credentials/keys/private_key.c
@@ -873,6 +901,41 @@ ietf_attributes.lo: credentials/ietf_attributes/ietf_attributes.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ietf_attributes.lo `test -f 'credentials/ietf_attributes/ietf_attributes.c' || echo '$(srcdir)/'`credentials/ietf_attributes/ietf_attributes.c
 
+credential_manager.lo: credentials/credential_manager.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT credential_manager.lo -MD -MP -MF $(DEPDIR)/credential_manager.Tpo -c -o credential_manager.lo `test -f 'credentials/credential_manager.c' || echo '$(srcdir)/'`credentials/credential_manager.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/credential_manager.Tpo $(DEPDIR)/credential_manager.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='credentials/credential_manager.c' object='credential_manager.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o credential_manager.lo `test -f 'credentials/credential_manager.c' || echo '$(srcdir)/'`credentials/credential_manager.c
+
+auth_cfg_wrapper.lo: credentials/sets/auth_cfg_wrapper.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT auth_cfg_wrapper.lo -MD -MP -MF $(DEPDIR)/auth_cfg_wrapper.Tpo -c -o auth_cfg_wrapper.lo `test -f 'credentials/sets/auth_cfg_wrapper.c' || echo '$(srcdir)/'`credentials/sets/auth_cfg_wrapper.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/auth_cfg_wrapper.Tpo $(DEPDIR)/auth_cfg_wrapper.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='credentials/sets/auth_cfg_wrapper.c' object='auth_cfg_wrapper.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o auth_cfg_wrapper.lo `test -f 'credentials/sets/auth_cfg_wrapper.c' || echo '$(srcdir)/'`credentials/sets/auth_cfg_wrapper.c
+
+ocsp_response_wrapper.lo: credentials/sets/ocsp_response_wrapper.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ocsp_response_wrapper.lo -MD -MP -MF $(DEPDIR)/ocsp_response_wrapper.Tpo -c -o ocsp_response_wrapper.lo `test -f 'credentials/sets/ocsp_response_wrapper.c' || echo '$(srcdir)/'`credentials/sets/ocsp_response_wrapper.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ocsp_response_wrapper.Tpo $(DEPDIR)/ocsp_response_wrapper.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='credentials/sets/ocsp_response_wrapper.c' object='ocsp_response_wrapper.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ocsp_response_wrapper.lo `test -f 'credentials/sets/ocsp_response_wrapper.c' || echo '$(srcdir)/'`credentials/sets/ocsp_response_wrapper.c
+
+cert_cache.lo: credentials/sets/cert_cache.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cert_cache.lo -MD -MP -MF $(DEPDIR)/cert_cache.Tpo -c -o cert_cache.lo `test -f 'credentials/sets/cert_cache.c' || echo '$(srcdir)/'`credentials/sets/cert_cache.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/cert_cache.Tpo $(DEPDIR)/cert_cache.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='credentials/sets/cert_cache.c' object='cert_cache.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cert_cache.lo `test -f 'credentials/sets/cert_cache.c' || echo '$(srcdir)/'`credentials/sets/cert_cache.c
+
+auth_cfg.lo: credentials/auth_cfg.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT auth_cfg.lo -MD -MP -MF $(DEPDIR)/auth_cfg.Tpo -c -o auth_cfg.lo `test -f 'credentials/auth_cfg.c' || echo '$(srcdir)/'`credentials/auth_cfg.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/auth_cfg.Tpo $(DEPDIR)/auth_cfg.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='credentials/auth_cfg.c' object='auth_cfg.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o auth_cfg.lo `test -f 'credentials/auth_cfg.c' || echo '$(srcdir)/'`credentials/auth_cfg.c
+
 database_factory.lo: database/database_factory.c
 @am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT database_factory.lo -MD -MP -MF $(DEPDIR)/database_factory.Tpo -c -o database_factory.lo `test -f 'database/database_factory.c' || echo '$(srcdir)/'`database/database_factory.c
 @am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/database_factory.Tpo $(DEPDIR)/database_factory.Plo
@@ -1005,7 +1068,7 @@ clean-libtool:
 #     (which will cause the Makefiles to be regenerated when you run `make');
 # (2) otherwise, pass the desired values on the `make' command line.
 $(RECURSIVE_TARGETS):
-	@failcom='exit 1'; \
+	@fail= failcom='exit 1'; \
 	for f in x $$MAKEFLAGS; do \
 	  case $$f in \
 	    *=* | --[!k]*);; \
@@ -1030,7 +1093,7 @@ $(RECURSIVE_TARGETS):
 	fi; test -z "$$fail"
 
 $(RECURSIVE_CLEAN_TARGETS):
-	@failcom='exit 1'; \
+	@fail= failcom='exit 1'; \
 	for f in x $$MAKEFLAGS; do \
 	  case $$f in \
 	    *=* | --[!k]*);; \
diff --git a/src/libstrongswan/asn1/asn1.c b/src/libstrongswan/asn1/asn1.c
index 6264bdc54..6f549d42d 100644
--- a/src/libstrongswan/asn1/asn1.c
+++ b/src/libstrongswan/asn1/asn1.c
@@ -497,8 +497,14 @@ int asn1_parse_algorithmIdentifier(chunk_t blob, int level0, chunk_t *parameters
 bool is_asn1(chunk_t blob)
 {
 	u_int len;
-	u_char tag = *blob.ptr;
+	u_char tag;
 
+	if (!blob.len || !blob.ptr)
+	{
+		return FALSE;
+	}
+
+	tag = *blob.ptr;
 	if (tag != ASN1_SEQUENCE && tag != ASN1_SET && tag != ASN1_OCTET_STRING)
 	{
 		DBG2(DBG_LIB, "  file content is not binary ASN.1");
diff --git a/src/libstrongswan/chunk.c b/src/libstrongswan/chunk.c
index ef69eb4e7..4d115a816 100644
--- a/src/libstrongswan/chunk.c
+++ b/src/libstrongswan/chunk.c
@@ -434,6 +434,69 @@ chunk_t chunk_from_base64(chunk_t base64, char *buf)
 	return chunk_create(buf, outlen);
 }
 
+/** base 32 conversion digits */
+static char b32digits[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
+
+/**
+ * Described in header.
+ */
+chunk_t chunk_to_base32(chunk_t chunk, char *buf)
+{
+	int i, len;
+	char *pos;
+
+	len = chunk.len + ((5 - chunk.len % 5) % 5);
+	if (!buf)
+	{
+		buf = malloc(len * 8 / 5 + 1);
+	}
+	pos = buf;
+	for (i = 0; i < len; i+=5)
+	{
+		*pos++ = b32digits[chunk.ptr[i] >> 3];
+		if (i+1 >= chunk.len)
+		{
+			*pos++ = b32digits[(chunk.ptr[i] & 0x07) << 2];
+			memset(pos, '=', 6);
+			pos += 6;
+			break;
+		}
+		*pos++ = b32digits[((chunk.ptr[i] & 0x07) << 2) |
+						   (chunk.ptr[i+1] >> 6)];
+		*pos++ = b32digits[(chunk.ptr[i+1] & 0x3E) >> 1];
+		if (i+2 >= chunk.len)
+		{
+			*pos++ = b32digits[(chunk.ptr[i+1] & 0x01) << 4];
+			memset(pos, '=', 4);
+			pos += 4;
+			break;
+		}
+		*pos++ = b32digits[((chunk.ptr[i+1] & 0x01) << 4) |
+						   (chunk.ptr[i+2] >> 4)];
+		if (i+3 >= chunk.len)
+		{
+			*pos++ = b32digits[(chunk.ptr[i+2] & 0x0F) << 1];
+			memset(pos, '=', 3);
+			pos += 3;
+			break;
+		}
+		*pos++ = b32digits[((chunk.ptr[i+2] & 0x0F) << 1) |
+						   (chunk.ptr[i+3] >> 7)];
+		*pos++ = b32digits[(chunk.ptr[i+3] & 0x7F) >> 2];
+		if (i+4 >= chunk.len)
+		{
+			*pos++ = b32digits[(chunk.ptr[i+3] & 0x03) << 3];
+			*pos++ = '=';
+			break;
+		}
+		*pos++ = b32digits[((chunk.ptr[i+3] & 0x03) << 3) |
+						   (chunk.ptr[i+4] >> 5)];
+		*pos++ = b32digits[chunk.ptr[i+4] & 0x1F];
+	}
+	*pos = '\0';
+	return chunk_create(buf, len * 8 / 5);
+}
+
 /**
  * Described in header.
  */
diff --git a/src/libstrongswan/chunk.h b/src/libstrongswan/chunk.h
index f0f9a7366..5441ccf3c 100644
--- a/src/libstrongswan/chunk.h
+++ b/src/libstrongswan/chunk.h
@@ -147,6 +147,18 @@ chunk_t chunk_to_base64(chunk_t chunk, char *buf);
  */
 chunk_t chunk_from_base64(chunk_t base64, char *buf);
 
+/**
+ * Convert a chunk of data to its base32 encoding.
+ *
+ * The resulting string is '\\0' terminated, but the chunk does not include
+ * the '\\0'. If buf is supplied, it must hold (chunk.len * 8 / 5 + 1) bytes.
+ *
+ * @param chunk			data to convert
+ * @param buf			buffer to write to, NULL to malloc
+ * @return				chunk of encoded data
+ */
+chunk_t chunk_to_base32(chunk_t chunk, char *buf);
+
 /**
  * Free contents of a chunk
  */
diff --git a/src/libstrongswan/credentials/auth_cfg.c b/src/libstrongswan/credentials/auth_cfg.c
new file mode 100644
index 000000000..2573d0327
--- /dev/null
+++ b/src/libstrongswan/credentials/auth_cfg.c
@@ -0,0 +1,830 @@
+/*
+ * Copyright (C) 2007-2009 Martin Willi
+ * Copyright (C) 2008 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "auth_cfg.h"
+
+#include <library.h>
+#include <debug.h>
+#include <utils/linked_list.h>
+#include <utils/identification.h>
+#include <credentials/certificates/certificate.h>
+
+ENUM(auth_class_names, AUTH_CLASS_ANY, AUTH_CLASS_EAP,
+	"any",
+	"public key",
+	"pre-shared key",
+	"EAP",
+);
+
+ENUM_BEGIN(eap_type_names, EAP_IDENTITY, EAP_GTC,
+	"EAP_IDENTITY",
+	"EAP_NOTIFICATION",
+	"EAP_NAK",
+	"EAP_MD5",
+	"EAP_OTP",
+	"EAP_GTC");
+ENUM_NEXT(eap_type_names, EAP_SIM, EAP_SIM, EAP_GTC,
+	"EAP_SIM");
+ENUM_NEXT(eap_type_names, EAP_AKA, EAP_AKA, EAP_SIM,
+	"EAP_AKA");
+ENUM_NEXT(eap_type_names, EAP_MSCHAPV2, EAP_MSCHAPV2, EAP_AKA,
+	"EAP_MSCHAPV2");
+ENUM_NEXT(eap_type_names, EAP_RADIUS, EAP_EXPERIMENTAL, EAP_MSCHAPV2,
+	"EAP_RADIUS",
+	"EAP_EXPANDED",
+	"EAP_EXPERIMENTAL");
+ENUM_END(eap_type_names, EAP_EXPERIMENTAL);
+
+ENUM_BEGIN(eap_type_short_names, EAP_IDENTITY, EAP_GTC,
+	"ID",
+	"NTF",
+	"NAK",
+	"MD5",
+	"OTP",
+	"GTC");
+ENUM_NEXT(eap_type_short_names, EAP_SIM, EAP_SIM, EAP_GTC,
+	"SIM");
+ENUM_NEXT(eap_type_short_names, EAP_AKA, EAP_AKA, EAP_SIM,
+	"AKA");
+ENUM_NEXT(eap_type_short_names, EAP_MSCHAPV2, EAP_MSCHAPV2, EAP_AKA,
+	"MSCHAPV2");
+ENUM_NEXT(eap_type_short_names, EAP_RADIUS, EAP_EXPERIMENTAL, EAP_MSCHAPV2,
+	"RAD",
+	"EXP",
+	"XP");
+ENUM_END(eap_type_short_names, EAP_EXPERIMENTAL);
+
+ENUM(auth_rule_names, AUTH_RULE_IDENTITY, AUTH_HELPER_SUBJECT_HASH_URL,
+	"RULE_IDENTITY",
+	"RULE_AUTH_CLASS",
+	"RULE_EAP_IDENTITY",
+	"RULE_EAP_TYPE",
+	"RULE_EAP_VENDOR",
+	"RULE_CA_CERT",
+	"RULE_IM_CERT",
+	"RULE_SUBJECT_CERT",
+	"RULE_CRL_VALIDATION",
+	"RULE_OCSP_VALIDATION",
+	"RULE_GROUP",
+	"HELPER_IM_CERT",
+	"HELPER_SUBJECT_CERT",
+	"HELPER_IM_HASH_URL",
+	"HELPER_SUBJECT_HASH_URL",
+);
+
+typedef struct private_auth_cfg_t private_auth_cfg_t;
+
+/**
+ * private data of item_set
+ */
+struct private_auth_cfg_t {
+
+	/**
+	 * public functions
+	 */
+	auth_cfg_t public;
+
+	/**
+	 * list of entry_t
+	 */
+	linked_list_t *entries;
+};
+
+typedef struct entry_t entry_t;
+
+struct entry_t {
+	/** rule type */
+	auth_rule_t type;
+	/** associated value */
+	void *value;
+};
+
+/**
+ * enumerator for auth_cfg_t.create_enumerator()
+ */
+typedef struct {
+	/** implements enumerator_t */
+	enumerator_t public;
+	/** inner enumerator from linked_list_t */
+	enumerator_t *inner;
+	/** current entry */
+	entry_t *current;
+} entry_enumerator_t;
+
+/**
+ * enumerate function for item_enumerator_t
+ */
+static bool enumerate(entry_enumerator_t *this, auth_rule_t *type, void **value)
+{
+	entry_t *entry;
+
+	if (this->inner->enumerate(this->inner, &entry))
+	{
+		this->current = entry;
+		*type = entry->type;
+		*value = entry->value;
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/**
+ * destroy function for item_enumerator_t
+ */
+static void entry_enumerator_destroy(entry_enumerator_t *this)
+{
+	this->inner->destroy(this->inner);
+	free(this);
+}
+
+/**
+ * Implementation of auth_cfg_t.create_enumerator.
+ */
+static enumerator_t* create_enumerator(private_auth_cfg_t *this)
+{
+	entry_enumerator_t *enumerator;
+
+	enumerator = malloc_thing(entry_enumerator_t);
+	enumerator->inner = this->entries->create_enumerator(this->entries);
+	enumerator->public.enumerate = (void*)enumerate;
+	enumerator->public.destroy = (void*)entry_enumerator_destroy;
+	enumerator->current = NULL;
+	return &enumerator->public;
+}
+
+/**
+ * Destroy the value associated with an entry
+ */
+static void destroy_entry_value(entry_t *entry)
+{
+	switch (entry->type)
+	{
+		case AUTH_RULE_IDENTITY:
+		case AUTH_RULE_EAP_IDENTITY:
+		case AUTH_RULE_GROUP:
+		{
+			identification_t *id = (identification_t*)entry->value;
+			id->destroy(id);
+			break;
+		}
+		case AUTH_RULE_CA_CERT:
+		case AUTH_RULE_IM_CERT:
+		case AUTH_RULE_SUBJECT_CERT:
+		case AUTH_HELPER_IM_CERT:
+		case AUTH_HELPER_SUBJECT_CERT:
+		{
+			certificate_t *cert = (certificate_t*)entry->value;
+			cert->destroy(cert);
+			break;
+		}
+		case AUTH_HELPER_IM_HASH_URL:
+		case AUTH_HELPER_SUBJECT_HASH_URL:
+		{
+			free(entry->value);
+			break;
+		}
+		case AUTH_RULE_AUTH_CLASS:
+		case AUTH_RULE_EAP_TYPE:
+		case AUTH_RULE_EAP_VENDOR:
+		case AUTH_RULE_CRL_VALIDATION:
+		case AUTH_RULE_OCSP_VALIDATION:
+			break;
+	}
+}
+
+/**
+ * Implementation of auth_cfg_t.replace.
+ */
+static void replace(auth_cfg_t *this, entry_enumerator_t *enumerator,
+					auth_rule_t type, ...)
+{
+	if (enumerator->current)
+	{
+		va_list args;
+
+		va_start(args, type);
+
+		destroy_entry_value(enumerator->current);
+		enumerator->current->type = type;
+		switch (type)
+		{
+			case AUTH_RULE_AUTH_CLASS:
+			case AUTH_RULE_EAP_TYPE:
+			case AUTH_RULE_EAP_VENDOR:
+			case AUTH_RULE_CRL_VALIDATION:
+			case AUTH_RULE_OCSP_VALIDATION:
+				/* integer type */
+				enumerator->current->value = (void*)(uintptr_t)va_arg(args, u_int);
+				break;
+			case AUTH_RULE_IDENTITY:
+			case AUTH_RULE_EAP_IDENTITY:
+			case AUTH_RULE_GROUP:
+			case AUTH_RULE_CA_CERT:
+			case AUTH_RULE_IM_CERT:
+			case AUTH_RULE_SUBJECT_CERT:
+			case AUTH_HELPER_IM_CERT:
+			case AUTH_HELPER_SUBJECT_CERT:
+			case AUTH_HELPER_IM_HASH_URL:
+			case AUTH_HELPER_SUBJECT_HASH_URL:
+				/* pointer type */
+				enumerator->current->value = va_arg(args, void*);
+				break;
+		}
+		va_end(args);
+	}
+}
+
+/**
+ * Implementation of auth_cfg_t.get.
+ */
+static void* get(private_auth_cfg_t *this, auth_rule_t type)
+{
+	enumerator_t *enumerator;
+	void *current_value, *best_value = NULL;
+	auth_rule_t current_type;
+	bool found = FALSE;
+
+	enumerator = create_enumerator(this);
+	while (enumerator->enumerate(enumerator, &current_type, &current_value))
+	{
+		if (type == current_type)
+		{
+			if (type == AUTH_RULE_CRL_VALIDATION ||
+				type == AUTH_RULE_OCSP_VALIDATION)
+			{	/* for CRL/OCSP validation, always get() the highest value */
+				if (!found || current_value > best_value)
+				{
+					best_value = current_value;
+				}
+				found = TRUE;
+				continue;
+			}
+			best_value = current_value;
+			found = TRUE;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	if (found)
+	{
+		return best_value;
+	}
+	switch (type)
+	{
+		/* use some sane defaults if we don't find an entry */
+		case AUTH_RULE_AUTH_CLASS:
+			return (void*)AUTH_CLASS_ANY;
+		case AUTH_RULE_EAP_TYPE:
+			return (void*)EAP_NAK;
+		case AUTH_RULE_EAP_VENDOR:
+			return (void*)0;
+		case AUTH_RULE_CRL_VALIDATION:
+		case AUTH_RULE_OCSP_VALIDATION:
+			return (void*)VALIDATION_FAILED;
+		case AUTH_RULE_IDENTITY:
+		case AUTH_RULE_EAP_IDENTITY:
+		case AUTH_RULE_GROUP:
+		case AUTH_RULE_CA_CERT:
+		case AUTH_RULE_IM_CERT:
+		case AUTH_RULE_SUBJECT_CERT:
+		case AUTH_HELPER_IM_CERT:
+		case AUTH_HELPER_SUBJECT_CERT:
+		case AUTH_HELPER_IM_HASH_URL:
+		case AUTH_HELPER_SUBJECT_HASH_URL:
+		default:
+			return NULL;
+	}
+}
+
+/**
+ * Implementation of auth_cfg_t.add.
+ */
+static void add(private_auth_cfg_t *this, auth_rule_t type, ...)
+{
+	entry_t *entry = malloc_thing(entry_t);
+	va_list args;
+
+	va_start(args, type);
+	entry->type = type;
+	switch (type)
+	{
+		case AUTH_RULE_AUTH_CLASS:
+		case AUTH_RULE_EAP_TYPE:
+		case AUTH_RULE_EAP_VENDOR:
+		case AUTH_RULE_CRL_VALIDATION:
+		case AUTH_RULE_OCSP_VALIDATION:
+			/* integer type */
+			entry->value = (void*)(uintptr_t)va_arg(args, u_int);
+			break;
+		case AUTH_RULE_IDENTITY:
+		case AUTH_RULE_EAP_IDENTITY:
+		case AUTH_RULE_GROUP:
+		case AUTH_RULE_CA_CERT:
+		case AUTH_RULE_IM_CERT:
+		case AUTH_RULE_SUBJECT_CERT:
+		case AUTH_HELPER_IM_CERT:
+		case AUTH_HELPER_SUBJECT_CERT:
+		case AUTH_HELPER_IM_HASH_URL:
+		case AUTH_HELPER_SUBJECT_HASH_URL:
+			/* pointer type */
+			entry->value = va_arg(args, void*);
+			break;
+	}
+	va_end(args);
+	this->entries->insert_last(this->entries, entry);
+}
+
+/**
+ * Implementation of auth_cfg_t.complies.
+ */
+static bool complies(private_auth_cfg_t *this, auth_cfg_t *constraints,
+					 bool log_error)
+{
+	enumerator_t *e1, *e2;
+	bool success = TRUE, has_group = FALSE, group_match = FALSE;
+	auth_rule_t t1, t2;
+	void *value;
+
+	e1 = constraints->create_enumerator(constraints);
+	while (e1->enumerate(e1, &t1, &value))
+	{
+		switch (t1)
+		{
+			case AUTH_RULE_CA_CERT:
+			case AUTH_RULE_IM_CERT:
+			{
+				certificate_t *c1, *c2;
+
+				c1 = (certificate_t*)value;
+
+				success = FALSE;
+				e2 = create_enumerator(this);
+				while (e2->enumerate(e2, &t2, &c2))
+				{
+					if ((t2 == AUTH_RULE_CA_CERT || t2 == AUTH_RULE_IM_CERT) &&
+						c1->equals(c1, c2))
+					{
+						success = TRUE;
+					}
+				}
+				e2->destroy(e2);
+				if (!success && log_error)
+				{
+					DBG1(DBG_CFG, "constraint check failed: peer not "
+						 "authenticated by CA '%Y'.", c1->get_subject(c1));
+				}
+				break;
+			}
+			case AUTH_RULE_SUBJECT_CERT:
+			{
+				certificate_t *c1, *c2;
+
+				c1 = (certificate_t*)value;
+				c2 = get(this, AUTH_RULE_SUBJECT_CERT);
+				if (!c2 || !c1->equals(c1, c2))
+				{
+					success = FALSE;
+					if (log_error)
+					{
+						DBG1(DBG_CFG, "constraint check failed: peer not "
+							 "authenticated with peer cert '%Y'.",
+							 c1->get_subject(c1));
+					}
+				}
+				break;
+			}
+			case AUTH_RULE_CRL_VALIDATION:
+			case AUTH_RULE_OCSP_VALIDATION:
+			{
+				cert_validation_t validated, required;
+
+				required = (uintptr_t)value;
+				validated = (uintptr_t)get(this, t1);
+				switch (required)
+				{
+					case VALIDATION_FAILED:
+						/* no constraint */
+						break;
+					case VALIDATION_SKIPPED:
+						if (validated == VALIDATION_SKIPPED)
+						{
+							break;
+						}
+						/* FALL */
+					case VALIDATION_GOOD:
+						if (validated == VALIDATION_GOOD)
+						{
+							break;
+						}
+						/* FALL */
+					default:
+						success = FALSE;
+						if (log_error)
+						{
+							DBG1(DBG_CFG, "constraint check failed: %N is %N, "
+								 "but requires at least %N", auth_rule_names,
+								 t1, cert_validation_names, validated,
+								 cert_validation_names, required);
+						}
+						break;
+				}
+				break;
+			}
+			case AUTH_RULE_IDENTITY:
+			case AUTH_RULE_EAP_IDENTITY:
+			{
+				identification_t *id1, *id2;
+
+				id1 = (identification_t*)value;
+				id2 = get(this, t1);
+				if (!id2 || !id2->matches(id2, id1))
+				{
+					success = FALSE;
+					if (log_error)
+					{
+						DBG1(DBG_CFG, "constraint check failed: %sidentity '%Y'"
+							 " required ", t1 == AUTH_RULE_IDENTITY ? "" :
+							 "EAP ", id1);
+					}
+				}
+				break;
+			}
+			case AUTH_RULE_AUTH_CLASS:
+			{
+				if ((uintptr_t)value != AUTH_CLASS_ANY &&
+					(uintptr_t)value != (uintptr_t)get(this, t1))
+				{
+					success = FALSE;
+					if (log_error)
+					{
+						DBG1(DBG_CFG, "constraint requires %N authentication, "
+							 "but %N was used", auth_class_names, (uintptr_t)value,
+							 auth_class_names, (uintptr_t)get(this, t1));
+					}
+				}
+				break;
+			}
+			case AUTH_RULE_EAP_TYPE:
+			{
+				if ((uintptr_t)value != (uintptr_t)get(this, t1))
+				{
+					success = FALSE;
+					if (log_error)
+					{
+						DBG1(DBG_CFG, "constraint requires %N, "
+							 "but %N was used", eap_type_names, (uintptr_t)value,
+							 eap_type_names,  (uintptr_t)get(this, t1));
+					}
+				}
+				break;
+			}
+			case AUTH_RULE_EAP_VENDOR:
+			{
+				if ((uintptr_t)value != (uintptr_t)get(this, t1))
+				{
+					success = FALSE;
+					if (log_error)
+					{
+						DBG1(DBG_CFG, "constraint requires EAP vendor %d, "
+							 "but %d was used", (uintptr_t)value,
+							 (uintptr_t)get(this, t1));
+					}
+				}
+				break;
+			}
+			case AUTH_RULE_GROUP:
+			{
+				identification_t *id1, *id2;
+
+				/* for groups, a match of a single group is sufficient */
+				has_group = TRUE;
+				id1 = (identification_t*)value;
+				e2 = create_enumerator(this);
+				while (e2->enumerate(e2, &t2, &id2))
+				{
+					if (t2 == AUTH_RULE_GROUP && id2->matches(id2, id1))
+					{
+						group_match = TRUE;
+					}
+				}
+				e2->destroy(e2);
+				break;
+			}
+			case AUTH_HELPER_IM_CERT:
+			case AUTH_HELPER_SUBJECT_CERT:
+			case AUTH_HELPER_IM_HASH_URL:
+			case AUTH_HELPER_SUBJECT_HASH_URL:
+				/* skip helpers */
+				continue;
+		}
+		if (!success)
+		{
+			break;
+		}
+	}
+	e1->destroy(e1);
+
+	if (has_group && !group_match)
+	{
+		if (log_error)
+		{
+			DBG1(DBG_CFG, "constraint check failed: group membership required");
+		}
+		return FALSE;
+	}
+	return success;
+}
+
+/**
+ * Implementation of auth_cfg_t.merge.
+ */
+static void merge(private_auth_cfg_t *this, private_auth_cfg_t *other, bool copy)
+{
+	if (!other)
+	{	/* nothing to merge */
+		return;
+	}
+	if (copy)
+	{
+		enumerator_t *enumerator;
+		auth_rule_t type;
+		void *value;
+
+		enumerator = create_enumerator(other);
+		while (enumerator->enumerate(enumerator, &type, &value))
+		{
+			switch (type)
+			{
+				case AUTH_RULE_CA_CERT:
+				case AUTH_RULE_IM_CERT:
+				case AUTH_RULE_SUBJECT_CERT:
+				case AUTH_HELPER_IM_CERT:
+				case AUTH_HELPER_SUBJECT_CERT:
+				{
+					certificate_t *cert = (certificate_t*)value;
+
+					add(this, type, cert->get_ref(cert));
+					break;
+				}
+				case AUTH_RULE_CRL_VALIDATION:
+				case AUTH_RULE_OCSP_VALIDATION:
+				case AUTH_RULE_AUTH_CLASS:
+				case AUTH_RULE_EAP_TYPE:
+				case AUTH_RULE_EAP_VENDOR:
+				{
+					add(this, type, (uintptr_t)value);
+					break;
+				}
+				case AUTH_RULE_IDENTITY:
+				case AUTH_RULE_EAP_IDENTITY:
+				case AUTH_RULE_GROUP:
+				{
+					identification_t *id = (identification_t*)value;
+
+					add(this, type, id->clone(id));
+					break;
+				}
+				case AUTH_HELPER_IM_HASH_URL:
+				case AUTH_HELPER_SUBJECT_HASH_URL:
+				{
+					add(this, type, strdup((char*)value));
+					break;
+				}
+			}
+		}
+		enumerator->destroy(enumerator);
+	}
+	else
+	{
+		entry_t *entry;
+
+		while (other->entries->remove_first(other->entries,
+											(void**)&entry) == SUCCESS)
+		{
+			this->entries->insert_last(this->entries, entry);
+		}
+	}
+}
+
+/**
+ * Implementation of auth_cfg_t.equals.
+ */
+static bool equals(private_auth_cfg_t *this, private_auth_cfg_t *other)
+{
+	enumerator_t *e1, *e2;
+	entry_t *i1, *i2;
+	bool equal = TRUE, found;
+
+	if (this->entries->get_count(this->entries) !=
+		other->entries->get_count(other->entries))
+	{
+		return FALSE;
+	}
+	e1 = this->entries->create_enumerator(this->entries);
+	while (e1->enumerate(e1, &i1))
+	{
+		found = FALSE;
+		e2 = other->entries->create_enumerator(other->entries);
+		while (e2->enumerate(e2, &i2))
+		{
+			if (i1->type == i2->type)
+			{
+				switch (i1->type)
+				{
+					case AUTH_RULE_AUTH_CLASS:
+					case AUTH_RULE_EAP_TYPE:
+					case AUTH_RULE_EAP_VENDOR:
+					case AUTH_RULE_CRL_VALIDATION:
+					case AUTH_RULE_OCSP_VALIDATION:
+					{
+						if (i1->value == i2->value)
+						{
+							found = TRUE;
+							break;
+						}
+						continue;
+					}
+					case AUTH_RULE_CA_CERT:
+					case AUTH_RULE_IM_CERT:
+					case AUTH_RULE_SUBJECT_CERT:
+					case AUTH_HELPER_IM_CERT:
+					case AUTH_HELPER_SUBJECT_CERT:
+					{
+						certificate_t *c1, *c2;
+
+						c1 = (certificate_t*)i1->value;
+						c2 = (certificate_t*)i2->value;
+
+						if (c1->equals(c1, c2))
+						{
+							found = TRUE;
+							break;
+						}
+						continue;
+					}
+					case AUTH_RULE_IDENTITY:
+					case AUTH_RULE_EAP_IDENTITY:
+					case AUTH_RULE_GROUP:
+					{
+						identification_t *id1, *id2;
+
+						id1 = (identification_t*)i1->value;
+						id2 = (identification_t*)i2->value;
+
+						if (id1->equals(id1, id2))
+						{
+							found = TRUE;
+							break;
+						}
+						continue;
+					}
+					case AUTH_HELPER_IM_HASH_URL:
+					case AUTH_HELPER_SUBJECT_HASH_URL:
+					{
+						if (streq(i1->value, i2->value))
+						{
+							found = TRUE;
+							break;
+						}
+						continue;
+					}
+				}
+				break;
+			}
+		}
+		e2->destroy(e2);
+		if (!found)
+		{
+			equal = FALSE;
+			break;
+		}
+	}
+	e1->destroy(e1);
+	return equal;
+}
+
+/**
+ * Implementation of auth_cfg_t.purge
+ */
+static void purge(private_auth_cfg_t *this, bool keep_ca)
+{
+	entry_t *entry;
+	linked_list_t *cas;
+
+	cas = linked_list_create();
+	while (this->entries->remove_last(this->entries, (void**)&entry) == SUCCESS)
+	{
+		if (keep_ca && entry->type == AUTH_RULE_CA_CERT)
+		{
+			cas->insert_first(cas, entry);
+		}
+		else
+		{
+			destroy_entry_value(entry);
+			free(entry);
+		}
+	}
+	while (cas->remove_last(cas, (void**)&entry) == SUCCESS)
+	{
+		this->entries->insert_first(this->entries, entry);
+	}
+	cas->destroy(cas);
+}
+
+/**
+ * Implementation of auth_cfg_t.clone
+ */
+static auth_cfg_t* clone_(private_auth_cfg_t *this)
+{
+	enumerator_t *enumerator;
+	auth_cfg_t *clone;
+	entry_t *entry;
+
+	clone = auth_cfg_create();
+	enumerator = this->entries->create_enumerator(this->entries);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		switch (entry->type)
+		{
+			case AUTH_RULE_IDENTITY:
+			case AUTH_RULE_EAP_IDENTITY:
+			case AUTH_RULE_GROUP:
+			{
+				identification_t *id = (identification_t*)entry->value;
+				clone->add(clone, entry->type, id->clone(id));
+				break;
+			}
+			case AUTH_RULE_CA_CERT:
+			case AUTH_RULE_IM_CERT:
+			case AUTH_RULE_SUBJECT_CERT:
+			case AUTH_HELPER_IM_CERT:
+			case AUTH_HELPER_SUBJECT_CERT:
+			{
+				certificate_t *cert = (certificate_t*)entry->value;
+				clone->add(clone, entry->type, cert->get_ref(cert));
+				break;
+			}
+			case AUTH_HELPER_IM_HASH_URL:
+			case AUTH_HELPER_SUBJECT_HASH_URL:
+			{
+				clone->add(clone, entry->type, strdup(entry->value));
+				break;
+			}
+			case AUTH_RULE_AUTH_CLASS:
+			case AUTH_RULE_EAP_TYPE:
+			case AUTH_RULE_EAP_VENDOR:
+			case AUTH_RULE_CRL_VALIDATION:
+			case AUTH_RULE_OCSP_VALIDATION:
+				clone->add(clone, entry->type, (uintptr_t)entry->value);
+				break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return clone;
+}
+
+/**
+ * Implementation of auth_cfg_t.destroy
+ */
+static void destroy(private_auth_cfg_t *this)
+{
+	purge(this, FALSE);
+	this->entries->destroy(this->entries);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+auth_cfg_t *auth_cfg_create()
+{
+	private_auth_cfg_t *this = malloc_thing(private_auth_cfg_t);
+
+	this->public.add = (void(*)(auth_cfg_t*, auth_rule_t type, ...))add;
+	this->public.get = (void*(*)(auth_cfg_t*, auth_rule_t type))get;
+	this->public.create_enumerator = (enumerator_t*(*)(auth_cfg_t*))create_enumerator;
+	this->public.replace = (void(*)(auth_cfg_t*,enumerator_t*,auth_rule_t,...))replace;
+	this->public.complies = (bool(*)(auth_cfg_t*, auth_cfg_t *,bool))complies;
+	this->public.merge = (void(*)(auth_cfg_t*, auth_cfg_t *other,bool))merge;
+	this->public.purge = (void(*)(auth_cfg_t*,bool))purge;
+	this->public.equals = (bool(*)(auth_cfg_t*, auth_cfg_t *other))equals;
+	this->public.clone = (auth_cfg_t*(*)(auth_cfg_t*))clone_;
+	this->public.destroy = (void(*)(auth_cfg_t*))destroy;
+
+	this->entries = linked_list_create();
+
+	return &this->public;
+}
diff --git a/src/libstrongswan/credentials/auth_cfg.h b/src/libstrongswan/credentials/auth_cfg.h
new file mode 100644
index 000000000..713e16372
--- /dev/null
+++ b/src/libstrongswan/credentials/auth_cfg.h
@@ -0,0 +1,255 @@
+/*
+ * Copyright (C) 2007-2009 Martin Willi
+ * Copyright (C) 2008 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup auth_cfg auth_cfg
+ * @{ @ingroup credentials
+ */
+
+#ifndef AUTH_CFG_H_
+#define AUTH_CFG_H_
+
+#include <utils/enumerator.h>
+
+typedef struct auth_cfg_t auth_cfg_t;
+typedef enum auth_rule_t auth_rule_t;
+typedef enum auth_class_t auth_class_t;
+typedef enum eap_type_t eap_type_t;
+
+/**
+ * Class of authentication to use. This is different to auth_method_t in that
+ * it does not specify a method, but a class of acceptable methods. The found
+ * certificate finally dictates wich method is used.
+ */
+enum auth_class_t {
+	/** any class acceptable */
+	AUTH_CLASS_ANY = 0,
+	/** authentication using public keys (RSA, ECDSA) */
+	AUTH_CLASS_PUBKEY = 1,
+	/** authentication using a pre-shared secrets */
+	AUTH_CLASS_PSK = 2,
+	/** authentication using EAP */
+	AUTH_CLASS_EAP = 3,
+};
+
+/**
+ * enum strings for auth_class_t
+ */
+extern enum_name_t *auth_class_names;
+
+/**
+ * EAP types, defines the EAP method implementation
+ */
+enum eap_type_t {
+	EAP_IDENTITY = 1,
+	EAP_NOTIFICATION = 2,
+	EAP_NAK = 3,
+	EAP_MD5 = 4,
+	EAP_OTP = 5,
+	EAP_GTC = 6,
+	EAP_SIM = 18,
+	EAP_AKA = 23,
+	EAP_MSCHAPV2 = 26,
+	/** not a method, but an implementation providing different methods */
+	EAP_RADIUS = 253,
+	EAP_EXPANDED = 254,
+	EAP_EXPERIMENTAL = 255,
+};
+
+/**
+ * enum names for eap_type_t.
+ */
+extern enum_name_t *eap_type_names;
+
+/**
+ * short string enum names for eap_type_t.
+ */
+extern enum_name_t *eap_type_short_names;
+
+/**
+ * Authentication config to use during authentication process.
+ *
+ * Each authentication config contains a set of rules. These rule-sets are used
+ * in two ways:
+ * - For configs specifying local authentication behavior, the rules define
+ *   which authentication method in which way.
+ * - For configs specifying remote peer authentication, the rules define
+ *   constraints the peer has to fullfill.
+ *
+ * Additionally to the rules, there is a set of helper items. These are used
+ * to transport credentials during the authentication process.
+ */
+enum auth_rule_t {
+
+	/** identity to use for IKEv2 authentication exchange, identification_t* */
+	AUTH_RULE_IDENTITY,
+	/** authentication class, auth_class_t */
+	AUTH_RULE_AUTH_CLASS,
+	/** EAP identity to use within EAP-Identity exchange, identification_t* */
+	AUTH_RULE_EAP_IDENTITY,
+	/** EAP type to propose for peer authentication, eap_type_t */
+	AUTH_RULE_EAP_TYPE,
+	/** EAP vendor for vendor specific type, u_int32_t */
+	AUTH_RULE_EAP_VENDOR,
+	/** certificate authority, certificate_t* */
+	AUTH_RULE_CA_CERT,
+	/** intermediate certificate in trustchain, certificate_t* */
+	AUTH_RULE_IM_CERT,
+	/** subject certificate, certificate_t* */
+	AUTH_RULE_SUBJECT_CERT,
+	/** result of a CRL validation, cert_validation_t */
+	AUTH_RULE_CRL_VALIDATION,
+	/** result of a OCSP validation, cert_validation_t */
+	AUTH_RULE_OCSP_VALIDATION,
+	/** subject is member of a group, identification_t*
+	 * The group membership constraint is fulfilled if the subject is member of
+	 * one group defined in the constraints. */
+	AUTH_RULE_GROUP,
+
+	/** intermediate certificate, certificate_t* */
+	AUTH_HELPER_IM_CERT,
+	/** subject certificate, certificate_t* */
+	AUTH_HELPER_SUBJECT_CERT,
+	/** Hash and URL of a intermediate certificate, char* */
+	AUTH_HELPER_IM_HASH_URL,
+	/** Hash and URL of a end-entity certificate, char* */
+	AUTH_HELPER_SUBJECT_HASH_URL,
+};
+
+/**
+ * enum name for auth_rule_t.
+ */
+extern enum_name_t *auth_rule_names;
+
+/**
+ * Authentication/Authorization round.
+ *
+ * RFC4739 defines multiple authentication rounds. This class defines such
+ * a round from a configuration perspective, either for the local or the remote
+ * peer. Local config are called "rulesets", as they define how we authenticate.
+ * Remote peer configs are called "constraits", they define what is needed to
+ * complete the authentication round successfully.
+ *
+ * @verbatim
+
+   [Repeat for each configuration]
+   +--------------------------------------------------+
+   |                                                  |
+   |                                                  |
+   |   +----------+     IKE_AUTH       +--------- +   |
+   |   |  config  |   ----------->     |          |   |
+   |   |  ruleset |                    |          |   |
+   |   +----------+ [ <----------- ]   |          |   |
+   |                [ optional EAP ]   |   Peer   |   |
+   |   +----------+ [ -----------> ]   |          |   |
+   |   |  config  |                    |          |   |
+   |   |  constr. |   <-----------     |          |   |
+   |   +----------+     IKE_AUTH       +--------- +   |
+   |                                                  |
+   |                                                  |
+   +--------------------------------------------------+
+
+   @endverbatim
+ *
+ * Values for each items are either pointers (casted to void*) or short
+ * integers (use uintptr_t cast).
+ */
+struct auth_cfg_t {
+
+	/**
+	 * Add an rule to the set.
+	 *
+	 * @param rule		rule type
+	 * @param ...		associated value to rule
+	 */
+	void (*add)(auth_cfg_t *this, auth_rule_t rule, ...);
+
+	/**
+	 * Get an rule value.
+	 *
+	 * @param rule		rule type
+	 * @return			bool if item has been found
+	 */
+	void* (*get)(auth_cfg_t *this, auth_rule_t rule);
+
+	/**
+	 * Create an enumerator over added rules.
+	 *
+	 * @return			enumerator over (auth_rule_t, union{void*,uintpr_t})
+	 */
+	enumerator_t* (*create_enumerator)(auth_cfg_t *this);
+
+	/**
+	 * Replace an rule at enumerator position.
+	 *
+	 * @param pos		enumerator position position
+	 * @param rule		rule type
+	 * @param ...		associated value to rule
+	 */
+	void (*replace)(auth_cfg_t *this, enumerator_t *pos,
+					auth_rule_t rule, ...);
+
+	/**
+	 * Check if a used config fulfills a set of configured constraints.
+	 *
+	 * @param constraints	required authorization rules
+	 * @param log_error		wheter to log compliance errors
+	 * @return				TRUE if this complies with constraints
+	 */
+	bool (*complies)(auth_cfg_t *this, auth_cfg_t *constraints, bool log_error);
+
+	/**
+	 * Merge items from other into this.
+	 *
+	 * @param other		items to read for merge
+	 * @param copy		TRUE to copy items, FALSE to move them
+	 */
+	void (*merge)(auth_cfg_t *this, auth_cfg_t *other, bool copy);
+
+	/**
+	 * Purge all rules in a config.
+	 *
+	 * @param keep_ca	wheter to keep AUTH_RULE_CA_CERT entries
+	 */
+	void (*purge)(auth_cfg_t *this, bool keep_ca);
+
+	/**
+	 * Check two configs for equality.
+	 *
+	 * @param other		other config to compaire against this
+	 * @return			TRUE if auth infos identical
+	 */
+	bool (*equals)(auth_cfg_t *this, auth_cfg_t *other);
+
+	/**
+	 * Clone a authentication config, including all rules.
+	 *
+	 * @return			cloned configuration
+	 */
+	auth_cfg_t* (*clone)(auth_cfg_t *this);
+
+	/**
+	 * Destroy a config with all associated rules/values.
+	 */
+	void (*destroy)(auth_cfg_t *this);
+};
+
+/**
+ * Create a authentication config.
+ */
+auth_cfg_t *auth_cfg_create();
+
+#endif /** AUTH_CFG_H_ @}*/
diff --git a/src/libstrongswan/credentials/builder.c b/src/libstrongswan/credentials/builder.c
index 8be1c1576..cfb708e33 100644
--- a/src/libstrongswan/credentials/builder.c
+++ b/src/libstrongswan/credentials/builder.c
@@ -44,6 +44,7 @@ ENUM(builder_part_names, BUILD_FROM_FILE, BUILD_END,
 	"BUILD_OCSP_ACCESS_LOCATIONS",
 	"BUILD_PATHLEN",
 	"BUILD_X509_FLAG",
+	"BUILD_REVOKED_ENUMERATOR",
 	"BUILD_SMARTCARD_KEYID",
 	"BUILD_SMARTCARD_PIN",
 	"BUILD_RSA_MODULUS",
diff --git a/src/libstrongswan/credentials/builder.h b/src/libstrongswan/credentials/builder.h
index 62a6ffaaf..ffb09f72a 100644
--- a/src/libstrongswan/credentials/builder.h
+++ b/src/libstrongswan/credentials/builder.h
@@ -101,6 +101,8 @@ enum builder_part_t {
 	BUILD_PATHLEN,
 	/** enforce an additional X509 flag, x509_flag_t */
 	BUILD_X509_FLAG,
+	/** enumerator_t over (chunk_t serial, time_t date, crl_reason_t reason) */
+	BUILD_REVOKED_ENUMERATOR,
 	/** key ID of a key on a smartcard, null terminated char* ([slot:]keyid) */
 	BUILD_SMARTCARD_KEYID,
 	/** pin to access a key on a smartcard, null terminated char* */
diff --git a/src/libstrongswan/credentials/cert_validator.h b/src/libstrongswan/credentials/cert_validator.h
new file mode 100644
index 000000000..1e67c23ab
--- /dev/null
+++ b/src/libstrongswan/credentials/cert_validator.h
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup cert_validator cert_validator
+ * @{ @ingroup credentials
+ */
+
+#ifndef CERT_VALIDATOR_H_
+#define CERT_VALIDATOR_H_
+
+typedef struct cert_validator_t cert_validator_t;
+
+#include <library.h>
+
+/**
+ * Certificate validator interface.
+ *
+ * A certificate validator checks constraints or revocation in a certificate
+ * or its issuing CA certificate. The interface allows plugins to do
+ * revocation checking or similar tasks.
+ */
+struct cert_validator_t {
+
+	/**
+	 * Validate a subject certificate in relation to its issuer.
+	 *
+	 * @param subject		subject certificate to check
+	 * @param issuer		issuer of subject
+	 * @param online		wheter to do online revocation checking
+	 * @param pathlen		the current length of the path up to the root CA
+	 * @param auth			container for resulting authentication info
+	 */
+	bool (*validate)(cert_validator_t *this, certificate_t *subject,
+					 certificate_t *issuer, bool online, int pathlen,
+					 auth_cfg_t *auth);
+};
+
+#endif /** CERT_VALIDATOR_H_ @}*/
diff --git a/src/libstrongswan/credentials/certificates/certificate.c b/src/libstrongswan/credentials/certificates/certificate.c
index 156d12358..661b69e36 100644
--- a/src/libstrongswan/credentials/certificates/certificate.c
+++ b/src/libstrongswan/credentials/certificates/certificate.c
@@ -15,6 +15,7 @@
 
 #include "certificate.h"
 
+#include <debug.h>
 #include <credentials/certificates/x509.h>
 
 ENUM(certificate_type_names, CERT_ANY, CERT_PLUTO_CRL,
@@ -40,3 +41,24 @@ ENUM(cert_validation_names, VALIDATION_GOOD, VALIDATION_REVOKED,
 	"REVOKED",
 );
 
+/**
+ * See header
+ */
+bool certificate_is_newer(certificate_t *this, certificate_t *other)
+{
+	time_t this_update, that_update;
+	char *type = "certificate";
+	bool newer;
+
+	if (this->get_type(this) == CERT_X509_CRL)
+	{
+		type = "crl";
+	}
+	this->get_validity(this, NULL, &this_update, NULL);
+	other->get_validity(other, NULL, &that_update, NULL);
+	newer = this_update > that_update;
+	DBG1(DBG_LIB, "  %s from %T is %s - existing %s from %T %s",
+		 type, &this_update, FALSE, newer ? "newer" : "not newer",
+		 type, &that_update, FALSE, newer ? "replaced" : "retained");
+	return newer;
+}
diff --git a/src/libstrongswan/credentials/certificates/certificate.h b/src/libstrongswan/credentials/certificates/certificate.h
index a4f9aa3e0..43bfe3dc1 100644
--- a/src/libstrongswan/credentials/certificates/certificate.h
+++ b/src/libstrongswan/credentials/certificates/certificate.h
@@ -28,6 +28,7 @@ typedef enum cert_validation_t cert_validation_t;
 #include <library.h>
 #include <utils/identification.h>
 #include <credentials/keys/public_key.h>
+#include <credentials/cred_encoding.h>
 
 /**
  * Kind of a certificate_t
@@ -163,18 +164,14 @@ struct certificate_t {
 						 time_t *not_before, time_t *not_after);
 
 	/**
-	 * Is this newer than that?
+	 * Get the certificate in an encoded form as a chunk.
 	 *
-	 * @return			TRUE if newer, FALSE otherwise
+	 * @param type		type of the encoding, one of CERT_*
+	 * @param encoding	encoding of the key, allocated
+	 * @return			TRUE if encoding supported
 	 */
-	bool (*is_newer)(certificate_t *this, certificate_t *that);
-
-	/**
-	 * Get the certificate in an encoded form.
-	 *
-	 * @return				allocated chunk of encoded cert
-	 */
-	chunk_t (*get_encoding)(certificate_t *this);
+	bool (*get_encoding)(certificate_t *this, cred_encoding_type_t type,
+						 chunk_t *encoding);
 
 	/**
 	 * Check if two certificates are equal.
@@ -197,4 +194,13 @@ struct certificate_t {
 	void (*destroy)(certificate_t *this);
 };
 
+/**
+ * Generic check if a given certificate is newer than another.
+ *
+ * @param this			first certificate to check
+ * @param other			second certificate
+ * @return				TRUE if this newer than other
+ */
+bool certificate_is_newer(certificate_t *this, certificate_t *other);
+
 #endif /** CERTIFICATE_H_ @}*/
diff --git a/src/libstrongswan/credentials/certificates/crl.c b/src/libstrongswan/credentials/certificates/crl.c
index 085ad16cc..69bd80b84 100644
--- a/src/libstrongswan/credentials/certificates/crl.c
+++ b/src/libstrongswan/credentials/certificates/crl.c
@@ -16,6 +16,8 @@
 
 #include "crl.h"
 
+#include <debug.h>
+
 ENUM(crl_reason_names, CRL_REASON_UNSPECIFIED, CRL_REASON_REMOVE_FROM_CRL,
 	"unspecified",
 	"key compromise",
@@ -27,3 +29,29 @@ ENUM(crl_reason_names, CRL_REASON_UNSPECIFIED, CRL_REASON_REMOVE_FROM_CRL,
 	"reason #7",
 	"remove from crl",
 );
+
+/**
+ * Check if this CRL is newer
+ */
+bool crl_is_newer(crl_t *this, crl_t *other)
+{
+	chunk_t this_num, other_num;
+	bool newer;
+
+	this_num = this->get_serial(this);
+	other_num = other->get_serial(other);
+
+	/* compare crlNumbers if available - otherwise use generic cert compare */
+	if (this_num.ptr != NULL && other_num.ptr != NULL)
+	{
+		newer = chunk_compare(this_num, other_num) > 0;
+		DBG1(DBG_LIB, "  crl #%#B is %s - existing crl #%#B %s",
+			 &this_num, newer ? "newer" : "not newer",
+			 &other_num, newer ? "replaced" : "retained");
+	}
+	else
+	{
+		newer = certificate_is_newer(&this->certificate, &other->certificate);
+	}
+	return newer;
+}
diff --git a/src/libstrongswan/credentials/certificates/crl.h b/src/libstrongswan/credentials/certificates/crl.h
index 4b612390c..9425311fb 100644
--- a/src/libstrongswan/credentials/certificates/crl.h
+++ b/src/libstrongswan/credentials/certificates/crl.h
@@ -80,7 +80,15 @@ struct crl_t {
 	 * @return			enumerator over revoked certificates.
 	 */
 	enumerator_t* (*create_enumerator)(crl_t *this);
-
 };
 
+/**
+ * Generic check if a given CRL is newer than another.
+ *
+ * @param this			first CRL to check
+ * @param other			second CRL
+ * @return				TRUE if this newer than other
+ */
+bool crl_is_newer(crl_t *this, crl_t *other);
+
 #endif /** CRL_H_ @}*/
diff --git a/src/libstrongswan/credentials/certificates/x509.h b/src/libstrongswan/credentials/certificates/x509.h
index 172bd9696..6e0a5002a 100644
--- a/src/libstrongswan/credentials/certificates/x509.h
+++ b/src/libstrongswan/credentials/certificates/x509.h
@@ -25,7 +25,6 @@
 #include <credentials/certificates/certificate.h>
 
 #define X509_NO_PATH_LEN_CONSTRAINT		-1
-#define X509_MAX_PATH_LEN				 7
 
 typedef struct x509_t x509_t;
 typedef enum x509_flag_t x509_flag_t;
diff --git a/src/libstrongswan/credentials/cred_encoding.c b/src/libstrongswan/credentials/cred_encoding.c
new file mode 100644
index 000000000..edd76205b
--- /dev/null
+++ b/src/libstrongswan/credentials/cred_encoding.c
@@ -0,0 +1,300 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "cred_encoding.h"
+
+#include <stdint.h>
+
+#include <utils/linked_list.h>
+#include <utils/hashtable.h>
+#include <threading/rwlock.h>
+
+typedef struct private_cred_encoding_t private_cred_encoding_t;
+
+/**
+ * Private data of an cred_encoding_t object.
+ */
+struct private_cred_encoding_t {
+
+	/**
+	 * Public cred_encoding_t interface.
+	 */
+	cred_encoding_t public;
+
+	/**
+	 * cached encodings, a table for each encoding_type_t, containing chunk_t*
+	 */
+	hashtable_t *cache[CRED_ENCODING_MAX];
+
+	/**
+	 * Registered encoding fuctions, cred_encoder_t
+	 */
+	linked_list_t *encoders;
+
+	/**
+	 * lock to access cache/encoders
+	 */
+	rwlock_t *lock;
+};
+
+/**
+ * See header.
+ */
+bool cred_encoding_args(va_list args, ...)
+{
+	va_list parts, copy;
+	bool failed = FALSE;
+
+	va_start(parts, args);
+
+	while (!failed)
+	{
+		cred_encoding_part_t current, target;
+		chunk_t *out, data;
+
+		/* get the part we are looking for */
+		target = va_arg(parts, cred_encoding_part_t);
+		if (target == CRED_PART_END)
+		{
+			break;
+		}
+		out = va_arg(parts, chunk_t*);
+
+		va_copy(copy, args);
+		while (!failed)
+		{
+			current = va_arg(copy, cred_encoding_part_t);
+			if (current == CRED_PART_END)
+			{
+				failed = TRUE;
+				break;
+			}
+			data = va_arg(copy, chunk_t);
+			if (current == target)
+			{
+				*out = data;
+				break;
+			}
+		}
+		va_end(copy);
+	}
+	va_end(parts);
+	return !failed;
+}
+
+/**
+ * hashtable hash() function
+ */
+static u_int hash(void *key)
+{
+	return (uintptr_t)key;
+}
+
+/**
+ * hashtable equals() function
+ */
+static bool equals(void *key1, void *key2)
+{
+	return key1 == key2;
+}
+
+/**
+ * Implementation of cred_encoding_t.get_cache
+ */
+static bool get_cache(private_cred_encoding_t *this, cred_encoding_type_t type,
+					  void *cache, chunk_t *encoding)
+{
+	chunk_t *chunk;
+
+	if (type >= CRED_ENCODING_MAX || type < 0)
+	{
+		return FALSE;
+	}
+	this->lock->read_lock(this->lock);
+	chunk = this->cache[type]->get(this->cache[type], cache);
+	if (chunk)
+	{
+		*encoding = *chunk;
+	}
+	this->lock->unlock(this->lock);
+	return !!chunk;
+}
+
+/**
+ * Implementation of cred_encoding_t.encode
+ */
+static bool encode(private_cred_encoding_t *this, cred_encoding_type_t type,
+				   void *cache, chunk_t *encoding, ...)
+{
+	enumerator_t *enumerator;
+	va_list args, copy;
+	cred_encoder_t encode;
+	bool success = FALSE;
+	chunk_t *chunk;
+
+	if (type >= CRED_ENCODING_MAX || type < 0)
+	{
+		return FALSE;
+	}
+	this->lock->read_lock(this->lock);
+	if (cache)
+	{
+		chunk = this->cache[type]->get(this->cache[type], cache);
+		if (chunk)
+		{
+			*encoding = *chunk;
+			this->lock->unlock(this->lock);
+			return TRUE;
+		}
+	}
+	va_start(args, encoding);
+	enumerator = this->encoders->create_enumerator(this->encoders);
+	while (enumerator->enumerate(enumerator, &encode))
+	{
+		va_copy(copy, args);
+		success = encode(type, encoding, copy);
+		va_end(copy);
+		if (success)
+		{
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
+	va_end(args);
+
+	if (success && cache)
+	{
+		chunk = malloc_thing(chunk_t);
+		*chunk = *encoding;
+		this->lock->write_lock(this->lock);
+		this->cache[type]->put(this->cache[type], cache, chunk);
+		this->lock->unlock(this->lock);
+	}
+	return success;
+}
+
+/**
+ * Implementation of cred_encoding_t.cache
+ */
+static void cache(private_cred_encoding_t *this, cred_encoding_type_t type,
+				  void *cache, chunk_t encoding)
+{
+	chunk_t *chunk;
+
+	if (type >= CRED_ENCODING_MAX || type < 0)
+	{
+		return free(encoding.ptr);
+	}
+	chunk = malloc_thing(chunk_t);
+	*chunk = encoding;
+	this->lock->write_lock(this->lock);
+	chunk = this->cache[type]->put(this->cache[type], cache, chunk);
+	this->lock->unlock(this->lock);
+	/* free an encoding already associated to the cache */
+	if (chunk)
+	{
+		free(chunk->ptr);
+		free(chunk);
+	}
+}
+
+/**
+ * Implementation of cred_encoding_t.clear_cache
+ */
+static void clear_cache(private_cred_encoding_t *this, void *cache)
+{
+	cred_encoding_type_t type;
+	chunk_t *chunk;
+
+	this->lock->write_lock(this->lock);
+	for (type = 0; type < CRED_ENCODING_MAX; type++)
+	{
+		chunk = this->cache[type]->remove(this->cache[type], cache);
+		if (chunk)
+		{
+			chunk_free(chunk);
+			free(chunk);
+		}
+	}
+	this->lock->unlock(this->lock);
+}
+
+/**
+ * Implementation of cred_encoding_t.add_encoder
+ */
+static void add_encoder(private_cred_encoding_t *this, cred_encoder_t encoder)
+{
+	this->lock->write_lock(this->lock);
+	this->encoders->insert_last(this->encoders, encoder);
+	this->lock->unlock(this->lock);
+}
+
+/**
+ * Implementation of cred_encoding_t.remove_encoder
+ */
+static void remove_encoder(private_cred_encoding_t *this, cred_encoder_t encoder)
+{
+	this->lock->write_lock(this->lock);
+	this->encoders->remove(this->encoders, encoder, NULL);
+	this->lock->unlock(this->lock);
+}
+
+/**
+ * Implementation of cred_encoder_t.destroy.
+ */
+static void destroy(private_cred_encoding_t *this)
+{
+	cred_encoding_type_t type;
+
+	for (type = 0; type < CRED_ENCODING_MAX; type++)
+	{
+		/* We explicitly do not free remaining encodings. All creds should
+		 * have gone now, and they are responsible for cleaning out their
+		 * cache entries. Not flushing here allows the leak detective to
+		 * complain if a credential did not flush cached encodings. */
+		this->cache[type]->destroy(this->cache[type]);
+	}
+	this->encoders->destroy(this->encoders);
+	this->lock->destroy(this->lock);
+	free(this);
+}
+
+/**
+ * See header
+ */
+cred_encoding_t *cred_encoding_create()
+{
+	private_cred_encoding_t *this = malloc_thing(private_cred_encoding_t);
+	cred_encoding_type_t type;
+
+	this->public.encode = (bool(*)(cred_encoding_t*, cred_encoding_type_t type, void *cache, chunk_t *encoding, ...))encode;
+	this->public.get_cache = (bool(*)(cred_encoding_t*, cred_encoding_type_t type, void *cache, chunk_t *encoding))get_cache;
+	this->public.cache = (void(*)(cred_encoding_t*, cred_encoding_type_t type, void *cache, chunk_t encoding))cache;
+	this->public.clear_cache = (void(*)(cred_encoding_t*, void *cache))clear_cache;
+	this->public.add_encoder = (void(*)(cred_encoding_t*, cred_encoder_t encoder))add_encoder;
+	this->public.remove_encoder = (void(*)(cred_encoding_t*, cred_encoder_t encoder))remove_encoder;
+	this->public.destroy = (void(*)(cred_encoding_t*))destroy;
+
+	for (type = 0; type < CRED_ENCODING_MAX; type++)
+	{
+		this->cache[type] = hashtable_create(hash, equals, 8);
+	}
+	this->encoders = linked_list_create();
+	this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
+
+	return &this->public;
+}
+
diff --git a/src/libstrongswan/credentials/cred_encoding.h b/src/libstrongswan/credentials/cred_encoding.h
new file mode 100644
index 000000000..e2d69691e
--- /dev/null
+++ b/src/libstrongswan/credentials/cred_encoding.h
@@ -0,0 +1,224 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup cred_encoding cred_encoding
+ * @{ @ingroup credentials
+ */
+
+#ifndef CRED_ENCODING_H_
+#define CRED_ENCODING_H_
+
+typedef struct cred_encoding_t cred_encoding_t;
+typedef enum cred_encoding_type_t cred_encoding_type_t;
+typedef enum cred_encoding_part_t cred_encoding_part_t;
+
+#include <library.h>
+
+/**
+ * Credential encoder function implementing encoding/fingerprinting.
+ *
+ * The variable argument list takes cred_encoding_part_t, followed by part
+ * specific arguments, terminated by KEY_PART_END.
+ *
+ * @param type		format to encode the credential to
+ * @param args		list of (cred_encoding_part_t, data)
+ * @param encoding	encoding result, allocated
+ * @return			TRUE if encoding successful
+ */
+typedef bool (*cred_encoder_t)(cred_encoding_type_t type, chunk_t *encoding,
+							   va_list args);
+
+/**
+ * Helper function for cred_encoder_t implementations to parse argument list.
+ *
+ * Credential encoder functions get a variable argument list to parse. To
+ * simplify the job, this function reads the arguments and returns chunks for
+ * each part.
+ * The argument list of this function takes a cred_encoding_part_t, followed
+ * by a data pointer receiving the value, terminated by CRED_PART_END.
+ *
+ * @param args		argument list passed to credential encoder function
+ * @param ...		list of (cred_encoding_part_t, data*)
+ * @return			TRUE if all parts found, FALSE otherwise
+ */
+bool cred_encoding_args(va_list args, ...);
+
+/**
+ * Encoding type of a fingerprint/credential.
+ *
+ * Fingerprints have have the KEYID_*, public keys the PUBKEY_* and
+ * private keys the PRIVKEY_* prefix.
+ */
+enum cred_encoding_type_t {
+	/** SHA1 fingerprint over subjectPublicKeyInfo */
+	KEYID_PUBKEY_INFO_SHA1 = 0,
+	/** SHA1 fingerprint over subjectPublicKey */
+	KEYID_PUBKEY_SHA1,
+	/** PGPv3 fingerprint */
+	KEYID_PGPV3,
+	/** PGPv4 fingerprint */
+	KEYID_PGPV4,
+
+	KEYID_MAX,
+
+	/** PKCS#1 and similar ASN.1 key encoding */
+	PUBKEY_ASN1_DER,
+	PRIVKEY_ASN1_DER,
+	/** subjectPublicKeyInfo encoding */
+	PUBKEY_SPKI_ASN1_DER,
+	/** PEM encoded PKCS#1 key */
+	PUBKEY_PEM,
+	PRIVKEY_PEM,
+	/** PGP key encoding */
+	PUBKEY_PGP,
+	PRIVKEY_PGP,
+
+	/** ASN.1 DER encoded certificate */
+	CERT_ASN1_DER,
+	/** PEM encoded certificate */
+	CERT_PEM,
+	/** PGP Packet encoded certificate */
+	CERT_PGP_PKT,
+
+	CRED_ENCODING_MAX,
+};
+
+/**
+ * Parts of a credential to encode.
+ */
+enum cred_encoding_part_t {
+	/** modulus of a RSA key, n */
+	CRED_PART_RSA_MODULUS,
+	/** public exponent of a RSA key, e */
+	CRED_PART_RSA_PUB_EXP,
+	/** private exponent of a RSA key, d */
+	CRED_PART_RSA_PRIV_EXP,
+	/** prime1 a RSA key, p */
+	CRED_PART_RSA_PRIME1,
+	/** prime2 a RSA key, q */
+	CRED_PART_RSA_PRIME2,
+	/** exponent1 a RSA key, exp1 */
+	CRED_PART_RSA_EXP1,
+	/** exponent1 a RSA key, exp2 */
+	CRED_PART_RSA_EXP2,
+	/** coefficient of RSA key, coeff */
+	CRED_PART_RSA_COEFF,
+	/** a DER encoded RSA public key */
+	CRED_PART_RSA_PUB_ASN1_DER,
+	/** a DER encoded RSA private key */
+	CRED_PART_RSA_PRIV_ASN1_DER,
+	/** a DER encoded ECDSA public key */
+	CRED_PART_ECDSA_PUB_ASN1_DER,
+	/** a DER encoded ECDSA private key */
+	CRED_PART_ECDSA_PRIV_ASN1_DER,
+	/** a DER encoded X509 certificate */
+	CRED_PART_X509_ASN1_DER,
+	/** a DER encoded X509 CRL */
+	CRED_PART_X509_CRL_ASN1_DER,
+	/** a DER encoded X509 OCSP request */
+	CRED_PART_X509_OCSP_REQ_ASN1_DER,
+	/** a DER encoded X509 OCSP response */
+	CRED_PART_X509_OCSP_RES_ASN1_DER,
+	/** a DER encoded X509 attribute certificate */
+	CRED_PART_X509_AC_ASN1_DER,
+	/** a DER encoded PKCS10 certificate request */
+	CRED_PART_PKCS10_ASN1_DER,
+	/** a PGP encoded certificate */
+	CRED_PART_PGP_CERT,
+
+	CRED_PART_END,
+};
+
+/**
+ * Credential encoding and fingerprinting facility.
+ */
+struct cred_encoding_t {
+
+	/**
+	 * Encode a credential in a format using several parts, optional caching.
+	 *
+	 * The variable argument list takes cred_encoding_part_t, followed by part
+	 * specific arguments, terminated by CRED_PART_END.
+	 * If a cache key is given, the returned encoding points to internal data:
+	 * do not free or modify. If no cache key is given, the encoding is
+	 * allocated and must be freed by the caller.
+	 *
+	 * @param type			format the credential should be encoded to
+	 * @param cache			key to use for caching, NULL to not cache
+	 * @param encoding		encoding result, allocated if caching disabled
+	 * @param ...			list of (cred_encoding_part_t, data)
+	 * @return				TRUE if encoding successful
+	 */
+	bool (*encode)(cred_encoding_t *this, cred_encoding_type_t type, void *cache,
+				   chunk_t *encoding, ...);
+
+	/**
+	 * Clear all cached encodings of a given cache key.
+	 *
+	 * @param cache			key used in encode() for caching
+	 */
+	void (*clear_cache)(cred_encoding_t *this, void *cache);
+
+	/**
+	 * Check for a cached encoding.
+	 *
+	 * @param type			format of the credential encoding
+	 * @param cache			key to use for caching, as given to encode()
+	 * @param encoding		encoding result, internal data
+	 * @return				TRUE if cache entry found
+	 */
+	bool (*get_cache)(cred_encoding_t *this, cred_encoding_type_t type,
+					  void *cache, chunk_t *encoding);
+
+	/**
+	 * Cache a credential encoding created externally.
+	 *
+	 * After calling cache(), the passed encoding is owned by the cred encoding
+	 * facility.
+	 *
+	 * @param type			format of the credential encoding
+	 * @param cache			key to use for caching, as given to encode()
+	 * @param encoding		encoding to cache, gets owned by this
+	 */
+	void (*cache)(cred_encoding_t *this, cred_encoding_type_t type, void *cache,
+				  chunk_t encoding);
+
+	/**
+	 * Register a credential encoder function.
+	 *
+	 * @param encoder		credential encoder function to add
+	 */
+	void (*add_encoder)(cred_encoding_t *this, cred_encoder_t encoder);
+
+	/**
+	 * Unregister a previously registered credential encoder function.
+	 *
+	 * @param encoder		credential encoder function to remove
+	 */
+	void (*remove_encoder)(cred_encoding_t *this, cred_encoder_t encoder);
+
+	/**
+	 * Destroy a cred_encoding_t.
+	 */
+	void (*destroy)(cred_encoding_t *this);
+};
+
+/**
+ * Create a cred_encoding instance.
+ */
+cred_encoding_t *cred_encoding_create();
+
+#endif /** CRED_ENCODING_H_ @}*/
diff --git a/src/libstrongswan/credentials/credential_manager.c b/src/libstrongswan/credentials/credential_manager.c
new file mode 100644
index 000000000..46c36c941
--- /dev/null
+++ b/src/libstrongswan/credentials/credential_manager.c
@@ -0,0 +1,1097 @@
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "credential_manager.h"
+
+#include <library.h>
+#include <debug.h>
+#include <threading/thread_value.h>
+#include <threading/mutex.h>
+#include <threading/rwlock.h>
+#include <utils/linked_list.h>
+#include <credentials/sets/cert_cache.h>
+#include <credentials/sets/auth_cfg_wrapper.h>
+#include <credentials/certificates/x509.h>
+
+/**
+ * Maximum length of a certificate trust chain
+ */
+#define MAX_TRUST_PATH_LEN 7
+
+typedef struct private_credential_manager_t private_credential_manager_t;
+
+/**
+ * private data of credential_manager
+ */
+struct private_credential_manager_t {
+
+	/**
+	 * public functions
+	 */
+	credential_manager_t public;
+
+	/**
+	 * list of credential sets
+	 */
+	linked_list_t *sets;
+
+	/**
+	 * thread local set of credentials, linked_list_t with credential_set_t's
+	 */
+	thread_value_t *local_sets;
+
+	/**
+	 * trust relationship and certificate cache
+	 */
+	cert_cache_t *cache;
+
+	/**
+	 * certificates queued for persistent caching
+	 */
+	linked_list_t *cache_queue;
+
+	/**
+	 * list of certificate validators, cert_validator_t
+	 */
+	linked_list_t *validators;
+
+	/**
+	 * read-write lock to sets list
+	 */
+	rwlock_t *lock;
+
+	/**
+	 * mutex for cache queue
+	 */
+	mutex_t *queue_mutex;
+};
+
+/** data to pass to create_private_enumerator */
+typedef struct {
+	private_credential_manager_t *this;
+	key_type_t type;
+	identification_t* keyid;
+} private_data_t;
+
+/** data to pass to create_cert_enumerator */
+typedef struct {
+	private_credential_manager_t *this;
+	certificate_type_t cert;
+	key_type_t key;
+	identification_t *id;
+	bool trusted;
+} cert_data_t;
+
+/** data to pass to create_cdp_enumerator */
+typedef struct {
+	private_credential_manager_t *this;
+	certificate_type_t type;
+	identification_t *id;
+} cdp_data_t;
+
+/** data to pass to create_shared_enumerator */
+typedef struct {
+	private_credential_manager_t *this;
+	shared_key_type_t type;
+	identification_t *me;
+	identification_t *other;
+} shared_data_t;
+
+/** enumerator over local and global sets */
+typedef struct {
+	/** implements enumerator_t */
+	enumerator_t public;
+	/** enumerator over global sets */
+	enumerator_t *global;
+	/** enumerator over local sets */
+	enumerator_t *local;
+} sets_enumerator_t;
+
+
+METHOD(enumerator_t, sets_enumerate, bool,
+	sets_enumerator_t *this, credential_set_t **set)
+{
+	if (this->global)
+	{
+		if (this->global->enumerate(this->global, set))
+		{
+			return TRUE;
+		}
+		/* end of global sets, look for local */
+		this->global->destroy(this->global);
+		this->global = NULL;
+	}
+	if (this->local)
+	{
+		return this->local->enumerate(this->local, set);
+	}
+	return FALSE;
+}
+
+METHOD(enumerator_t, sets_destroy, void,
+	sets_enumerator_t *this)
+{
+	DESTROY_IF(this->global);
+	DESTROY_IF(this->local);
+	free(this);
+}
+
+/**
+ * create an enumerator over both, global and local sets
+ */
+static enumerator_t *create_sets_enumerator(private_credential_manager_t *this)
+{
+	sets_enumerator_t *enumerator;
+	linked_list_t *local;
+
+	INIT(enumerator,
+		.public.enumerate = (void*)_sets_enumerate,
+		.public.destroy = _sets_destroy,
+		.global = this->sets->create_enumerator(this->sets),
+	);
+	local = this->local_sets->get(this->local_sets);
+	if (local)
+	{
+		enumerator->local = local->create_enumerator(local);
+	}
+	return &enumerator->public;
+}
+
+/**
+ * cleanup function for cert data
+ */
+static void destroy_cert_data(cert_data_t *data)
+{
+	data->this->lock->unlock(data->this->lock);
+	free(data);
+}
+
+/**
+ * enumerator constructor for certificates
+ */
+static enumerator_t *create_cert(credential_set_t *set, cert_data_t *data)
+{
+	return set->create_cert_enumerator(set, data->cert, data->key,
+									   data->id, data->trusted);
+}
+
+METHOD(credential_manager_t, create_cert_enumerator, enumerator_t*,
+	private_credential_manager_t *this, certificate_type_t certificate,
+	key_type_t key, identification_t *id, bool trusted)
+{
+	cert_data_t *data = malloc_thing(cert_data_t);
+	data->this = this;
+	data->cert = certificate;
+	data->key = key;
+	data->id = id;
+	data->trusted = trusted;
+
+	this->lock->read_lock(this->lock);
+	return enumerator_create_nested(create_sets_enumerator(this),
+									(void*)create_cert, data,
+									(void*)destroy_cert_data);
+}
+
+METHOD(credential_manager_t, get_cert, certificate_t*,
+	private_credential_manager_t *this, certificate_type_t cert, key_type_t key,
+	identification_t *id, bool trusted)
+{
+	certificate_t *current, *found = NULL;
+	enumerator_t *enumerator;
+
+	enumerator = create_cert_enumerator(this, cert, key, id, trusted);
+	if (enumerator->enumerate(enumerator, &current))
+	{
+		/* TODO: best match? order by keyid, subject, sualtname */
+		found = current->get_ref(current);
+	}
+	enumerator->destroy(enumerator);
+	return found;
+}
+
+
+/**
+ * cleanup function for cdp data
+ */
+static void destroy_cdp_data(cdp_data_t *data)
+{
+	data->this->lock->unlock(data->this->lock);
+	free(data);
+}
+
+/**
+ * enumerator constructor for CDPs
+ */
+static enumerator_t *create_cdp(credential_set_t *set, cdp_data_t *data)
+{
+	return set->create_cdp_enumerator(set, data->type, data->id);
+}
+
+METHOD(credential_manager_t, create_cdp_enumerator, enumerator_t*,
+	private_credential_manager_t *this, certificate_type_t type,
+	identification_t *id)
+{
+	cdp_data_t *data;
+
+	INIT(data,
+		.this = this,
+		.type = type,
+		.id = id,
+	);
+	this->lock->read_lock(this->lock);
+	return enumerator_create_nested(create_sets_enumerator(this),
+									(void*)create_cdp, data,
+									(void*)destroy_cdp_data);
+}
+
+/**
+ * cleanup function for private data
+ */
+static void destroy_private_data(private_data_t *data)
+{
+	data->this->lock->unlock(data->this->lock);
+	free(data);
+}
+
+/**
+ * enumerator constructor for private keys
+ */
+static enumerator_t *create_private(credential_set_t *set, private_data_t *data)
+{
+	return set->create_private_enumerator(set, data->type, data->keyid);
+}
+
+/**
+ * Create an enumerator over private keys
+ */
+static enumerator_t *create_private_enumerator(
+	private_credential_manager_t *this, key_type_t key, identification_t *keyid)
+{
+	private_data_t *data;
+
+	INIT(data,
+		.this = this,
+		.type = key,
+		.keyid = keyid,
+	);
+	this->lock->read_lock(this->lock);
+	return enumerator_create_nested(create_sets_enumerator(this),
+									(void*)create_private, data,
+									(void*)destroy_private_data);
+}
+
+/**
+ * Look up a private key by its key identifier
+ */
+static private_key_t* get_private_by_keyid(private_credential_manager_t *this,
+									key_type_t key, identification_t *keyid)
+{
+	private_key_t *found = NULL;
+	enumerator_t *enumerator;
+
+	enumerator = create_private_enumerator(this, key, keyid);
+	if (enumerator->enumerate(enumerator, &found))
+	{
+		found->get_ref(found);
+	}
+	enumerator->destroy(enumerator);
+	return found;
+}
+
+/**
+ * cleanup function for shared data
+ */
+static void destroy_shared_data(shared_data_t *data)
+{
+	data->this->lock->unlock(data->this->lock);
+	free(data);
+}
+
+/**
+ * enumerator constructor for shared keys
+ */
+static enumerator_t *create_shared(credential_set_t *set, shared_data_t *data)
+{
+	return set->create_shared_enumerator(set, data->type, data->me, data->other);
+}
+
+METHOD(credential_manager_t, create_shared_enumerator, enumerator_t*,
+	private_credential_manager_t *this, shared_key_type_t type,
+	identification_t *me, identification_t *other)
+{
+	shared_data_t *data;
+
+	INIT(data,
+		.this = this,
+		.type = type,
+		.me = me,
+		.other = other,
+	);
+	this->lock->read_lock(this->lock);
+	return enumerator_create_nested(create_sets_enumerator(this),
+									(void*)create_shared, data,
+									(void*)destroy_shared_data);
+}
+
+METHOD(credential_manager_t, get_shared, shared_key_t*,
+	private_credential_manager_t *this, shared_key_type_t type,
+	identification_t *me, identification_t *other)
+{
+	shared_key_t *current, *found = NULL;
+	id_match_t *best_me = ID_MATCH_NONE, *best_other = ID_MATCH_NONE;
+	id_match_t *match_me, *match_other;
+	enumerator_t *enumerator;
+
+	enumerator = create_shared_enumerator(this, type, me, other);
+	while (enumerator->enumerate(enumerator, &current, &match_me, &match_other))
+	{
+		if (match_other > best_other ||
+			(match_other == best_other && match_me > best_me))
+		{
+			DESTROY_IF(found);
+			found = current->get_ref(current);
+			best_me = match_me;
+			best_other = match_other;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return found;
+}
+
+METHOD(credential_manager_t, add_local_set, void,
+	private_credential_manager_t *this, credential_set_t *set)
+{
+	linked_list_t *sets;
+
+	sets = this->local_sets->get(this->local_sets);
+	if (!sets)
+	{	/* first invocation */
+		sets = linked_list_create();
+		this->local_sets->set(this->local_sets, sets);
+	}
+	sets->insert_last(sets, set);
+}
+
+METHOD(credential_manager_t, remove_local_set, void,
+	private_credential_manager_t *this, credential_set_t *set)
+{
+	linked_list_t *sets;
+
+	sets = this->local_sets->get(this->local_sets);
+	sets->remove(sets, set, NULL);
+}
+
+METHOD(credential_manager_t, cache_cert, void,
+	private_credential_manager_t *this, certificate_t *cert)
+{
+	credential_set_t *set;
+	enumerator_t *enumerator;
+
+	if (this->lock->try_write_lock(this->lock))
+	{
+		enumerator = this->sets->create_enumerator(this->sets);
+		while (enumerator->enumerate(enumerator, &set))
+		{
+			set->cache_cert(set, cert);
+		}
+		enumerator->destroy(enumerator);
+		this->lock->unlock(this->lock);
+	}
+	else
+	{	/* we can't cache now as other threads are active, queue for later */
+		this->queue_mutex->lock(this->queue_mutex);
+		this->cache_queue->insert_last(this->cache_queue, cert->get_ref(cert));
+		this->queue_mutex->unlock(this->queue_mutex);
+	}
+}
+
+/**
+ * Try to cache certificates queued for caching
+ */
+static void cache_queue(private_credential_manager_t *this)
+{
+	credential_set_t *set;
+	certificate_t *cert;
+	enumerator_t *enumerator;
+
+	this->queue_mutex->lock(this->queue_mutex);
+	if (this->cache_queue->get_count(this->cache_queue) > 0 &&
+		this->lock->try_write_lock(this->lock))
+	{
+		while (this->cache_queue->remove_last(this->cache_queue,
+											  (void**)&cert) == SUCCESS)
+		{
+			enumerator = this->sets->create_enumerator(this->sets);
+			while (enumerator->enumerate(enumerator, &set))
+			{
+				set->cache_cert(set, cert);
+			}
+			enumerator->destroy(enumerator);
+			cert->destroy(cert);
+		}
+		this->lock->unlock(this->lock);
+	}
+	this->queue_mutex->unlock(this->queue_mutex);
+}
+
+/**
+ * check a certificate for its lifetime
+ */
+static bool check_certificate(private_credential_manager_t *this,
+							  certificate_t *subject, certificate_t *issuer,
+							  bool online, int pathlen, auth_cfg_t *auth)
+{
+	time_t not_before, not_after;
+	cert_validator_t *validator;
+	enumerator_t *enumerator;
+
+	if (!subject->get_validity(subject, NULL, &not_before, &not_after))
+	{
+		DBG1(DBG_CFG, "subject certificate invalid (valid from %T to %T)",
+			 &not_before, FALSE, &not_after, FALSE);
+		return FALSE;
+	}
+	if (!issuer->get_validity(issuer, NULL, &not_before, &not_after))
+	{
+		DBG1(DBG_CFG, "issuer certificate invalid (valid from %T to %T)",
+			 &not_before, FALSE, &not_after, FALSE);
+		return FALSE;
+	}
+	if (issuer->get_type(issuer) == CERT_X509 &&
+		subject->get_type(subject) == CERT_X509)
+	{
+		int pathlen_constraint;
+		x509_t *x509;
+
+		/* check path length constraint */
+		x509 = (x509_t*)issuer;
+		pathlen_constraint = x509->get_pathLenConstraint(x509);
+		if (pathlen_constraint != X509_NO_PATH_LEN_CONSTRAINT &&
+			pathlen > pathlen_constraint)
+		{
+			DBG1(DBG_CFG, "path length of %d violates constraint of %d",
+				 pathlen, pathlen_constraint);
+			return FALSE;
+		}
+	}
+
+	enumerator = this->validators->create_enumerator(this->validators);
+	while (enumerator->enumerate(enumerator, &validator))
+	{
+		if (!validator->validate(validator, subject, issuer,
+								 online, pathlen, auth))
+		{
+			enumerator->destroy(enumerator);
+			return FALSE;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return TRUE;
+}
+
+/**
+ * Get a trusted certificate from a credential set
+ */
+static certificate_t *get_pretrusted_cert(private_credential_manager_t *this,
+										  key_type_t type, identification_t *id)
+{
+	certificate_t *subject;
+	public_key_t *public;
+
+	subject = get_cert(this, CERT_ANY, type, id, TRUE);
+	if (!subject)
+	{
+		return NULL;
+	}
+	public = subject->get_public_key(subject);
+	if (!public)
+	{
+		subject->destroy(subject);
+		return NULL;
+	}
+	public->destroy(public);
+	return subject;
+}
+
+/**
+ * Get the issuing certificate of a subject certificate
+ */
+static certificate_t *get_issuer_cert(private_credential_manager_t *this,
+									  certificate_t *subject, bool trusted)
+{
+	enumerator_t *enumerator;
+	certificate_t *issuer = NULL, *candidate;
+
+	enumerator = create_cert_enumerator(this, subject->get_type(subject), KEY_ANY,
+										subject->get_issuer(subject), trusted);
+	while (enumerator->enumerate(enumerator, &candidate))
+	{
+		if (this->cache->issued_by(this->cache, subject, candidate))
+		{
+			issuer = candidate->get_ref(candidate);
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return issuer;
+}
+
+/**
+ * try to verify the trust chain of subject, return TRUE if trusted
+ */
+static bool verify_trust_chain(private_credential_manager_t *this,
+							   certificate_t *subject, auth_cfg_t *result,
+							   bool trusted, bool online)
+{
+	certificate_t *current, *issuer;
+	auth_cfg_t *auth;
+	int pathlen;
+
+	auth = auth_cfg_create();
+	current = subject->get_ref(subject);
+
+	for (pathlen = 0; pathlen <= MAX_TRUST_PATH_LEN; pathlen++)
+	{
+		issuer = get_issuer_cert(this, current, TRUE);
+		if (issuer)
+		{
+			/* accept only self-signed CAs as trust anchor */
+			if (this->cache->issued_by(this->cache, issuer, issuer))
+			{
+				auth->add(auth, AUTH_RULE_CA_CERT, issuer->get_ref(issuer));
+				DBG1(DBG_CFG, "  using trusted ca certificate \"%Y\"",
+							  issuer->get_subject(issuer));
+				trusted = TRUE;
+			}
+			else
+			{
+				auth->add(auth, AUTH_RULE_IM_CERT, issuer->get_ref(issuer));
+				DBG1(DBG_CFG, "  using trusted intermediate ca certificate "
+					 "\"%Y\"", issuer->get_subject(issuer));
+			}
+		}
+		else
+		{
+			issuer = get_issuer_cert(this, current, FALSE);
+			if (issuer)
+			{
+				if (current->equals(current, issuer))
+				{
+					DBG1(DBG_CFG, "  self-signed certificate \"%Y\" is not trusted",
+						 current->get_subject(current));
+					issuer->destroy(issuer);
+					break;
+				}
+				auth->add(auth, AUTH_RULE_IM_CERT, issuer->get_ref(issuer));
+				DBG1(DBG_CFG, "  using untrusted intermediate certificate "
+					 "\"%Y\"", issuer->get_subject(issuer));
+			}
+			else
+			{
+				DBG1(DBG_CFG, "no issuer certificate found for \"%Y\"",
+					 current->get_subject(current));
+				break;
+			}
+		}
+		if (!check_certificate(this, current, issuer, online, pathlen,
+							   current == subject ? auth : NULL))
+		{
+			trusted = FALSE;
+			issuer->destroy(issuer);
+			break;
+		}
+		current->destroy(current);
+		current = issuer;
+		if (trusted)
+		{
+			DBG1(DBG_CFG, "  reached self-signed root ca with a path length of %d",
+						  pathlen);
+			break;
+		}
+	}
+	current->destroy(current);
+	if (pathlen > MAX_TRUST_PATH_LEN)
+	{
+		DBG1(DBG_CFG, "maximum path length of %d exceeded", MAX_TRUST_PATH_LEN);
+	}
+	if (trusted)
+	{
+		result->merge(result, auth, FALSE);
+	}
+	auth->destroy(auth);
+	return trusted;
+}
+
+/**
+ * enumerator for trusted certificates
+ */
+typedef struct {
+	/** implements enumerator_t interface */
+	enumerator_t public;
+	/** enumerator over candidate peer certificates */
+	enumerator_t *candidates;
+	/** reference to the credential_manager */
+	private_credential_manager_t *this;
+	/** type of the requested key */
+	key_type_t type;
+	/** identity the requested key belongs to */
+	identification_t *id;
+	/** TRUE to do CRL/OCSP checking */
+	bool online;
+	/** pretrusted certificate we have served at first invocation */
+	certificate_t *pretrusted;
+	/** currently enumerating auth config */
+	auth_cfg_t *auth;
+} trusted_enumerator_t;
+
+METHOD(enumerator_t, trusted_enumerate, bool,
+	trusted_enumerator_t *this, certificate_t **cert, auth_cfg_t **auth)
+{
+	certificate_t *current;
+
+	DESTROY_IF(this->auth);
+	this->auth = auth_cfg_create();
+
+	if (!this->candidates)
+	{
+		/* first invocation, build enumerator for next one */
+		this->candidates = create_cert_enumerator(this->this, CERT_ANY,
+												  this->type, this->id, FALSE);
+		/* check if we have a trusted certificate for that peer */
+		this->pretrusted = get_pretrusted_cert(this->this, this->type, this->id);
+		if (this->pretrusted)
+		{
+			/* if we find a trusted self signed certificate, we just accept it.
+			 * However, in order to fulfill authorization rules, we try to build
+			 * the trust chain if it is not self signed */
+			if (this->this->cache->issued_by(this->this->cache,
+								   this->pretrusted, this->pretrusted) ||
+				verify_trust_chain(this->this, this->pretrusted, this->auth,
+								   TRUE, this->online))
+			{
+				this->auth->add(this->auth, AUTH_RULE_SUBJECT_CERT,
+								this->pretrusted->get_ref(this->pretrusted));
+				DBG1(DBG_CFG, "  using trusted certificate \"%Y\"",
+					 this->pretrusted->get_subject(this->pretrusted));
+				*cert = this->pretrusted;
+				if (auth)
+				{
+					*auth = this->auth;
+				}
+				return TRUE;
+			}
+		}
+	}
+	/* try to verify the trust chain for each certificate found */
+	while (this->candidates->enumerate(this->candidates, &current))
+	{
+		if (this->pretrusted &&
+			this->pretrusted->equals(this->pretrusted, current))
+		{	/* skip pretrusted certificate we already served */
+			continue;
+		}
+
+		DBG1(DBG_CFG, "  using certificate \"%Y\"",
+			 current->get_subject(current));
+		if (verify_trust_chain(this->this, current, this->auth, FALSE,
+							   this->online))
+		{
+			*cert = current;
+			if (auth)
+			{
+				*auth = this->auth;
+			}
+			return TRUE;
+		}
+	}
+	return FALSE;
+}
+
+METHOD(enumerator_t, trusted_destroy, void,
+	trusted_enumerator_t *this)
+{
+	DESTROY_IF(this->pretrusted);
+	DESTROY_IF(this->auth);
+	DESTROY_IF(this->candidates);
+	free(this);
+}
+
+METHOD(credential_manager_t, create_trusted_enumerator, enumerator_t*,
+	private_credential_manager_t *this, key_type_t type,
+	identification_t *id, bool online)
+{
+	trusted_enumerator_t *enumerator;
+
+	INIT(enumerator,
+		.public = {
+			.enumerate = (void*)_trusted_enumerate,
+			.destroy = _trusted_destroy,
+		},
+		.this = this,
+		.type = type,
+		.id = id,
+		.online = online,
+	);
+	return &enumerator->public;
+}
+
+/**
+ * enumerator for public keys
+ */
+typedef struct {
+	/** implements enumerator_t interface */
+	enumerator_t public;
+	/** enumerator over candidate peer certificates */
+	enumerator_t *inner;
+	/** reference to the credential_manager */
+	private_credential_manager_t *this;
+	/** currently enumerating key */
+	public_key_t *current;
+	/** credset wrapper around auth config */
+	auth_cfg_wrapper_t *wrapper;
+} public_enumerator_t;
+
+METHOD(enumerator_t, public_enumerate, bool,
+	public_enumerator_t *this, public_key_t **key, auth_cfg_t **auth)
+{
+	certificate_t *cert;
+
+	while (this->inner->enumerate(this->inner, &cert, auth))
+	{
+		DESTROY_IF(this->current);
+		this->current = cert->get_public_key(cert);
+		if (this->current)
+		{
+			*key = this->current;
+			return TRUE;
+		}
+	}
+	return FALSE;
+}
+
+METHOD(enumerator_t, public_destroy, void,
+	public_enumerator_t *this)
+{
+	DESTROY_IF(this->current);
+	this->inner->destroy(this->inner);
+	if (this->wrapper)
+	{
+		remove_local_set(this->this, &this->wrapper->set);
+		this->wrapper->destroy(this->wrapper);
+	}
+	this->this->lock->unlock(this->this->lock);
+
+	/* check for delayed certificate cache queue */
+	cache_queue(this->this);
+	free(this);
+}
+
+METHOD(credential_manager_t, create_public_enumerator, enumerator_t*,
+	private_credential_manager_t *this, key_type_t type, identification_t *id,
+	auth_cfg_t *auth)
+{
+	public_enumerator_t *enumerator;
+
+	INIT(enumerator,
+		.public = {
+			.enumerate = (void*)_public_enumerate,
+			.destroy = _public_destroy,
+		},
+		.inner = create_trusted_enumerator(this, type, id, TRUE),
+		.this = this,
+	);
+	if (auth)
+	{
+		enumerator->wrapper = auth_cfg_wrapper_create(auth);
+		add_local_set(this, &enumerator->wrapper->set);
+	}
+	this->lock->read_lock(this->lock);
+	return &enumerator->public;
+}
+
+/**
+ * Check if a certificate's keyid is contained in the auth helper
+ */
+static bool auth_contains_cacert(auth_cfg_t *auth, certificate_t *cert)
+{
+	enumerator_t *enumerator;
+	identification_t *value;
+	auth_rule_t type;
+	bool found = FALSE;
+
+	enumerator = auth->create_enumerator(auth);
+	while (enumerator->enumerate(enumerator, &type, &value))
+	{
+		if (type == AUTH_RULE_CA_CERT &&
+			cert->equals(cert, (certificate_t*)value))
+		{
+			found = TRUE;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return found;
+}
+
+/**
+ * build a trustchain from subject up to a trust anchor in trusted
+ */
+static auth_cfg_t *build_trustchain(private_credential_manager_t *this,
+									 certificate_t *subject, auth_cfg_t *auth)
+{
+	certificate_t *issuer, *current;
+	auth_cfg_t *trustchain;
+	int pathlen = 0;
+
+	trustchain = auth_cfg_create();
+
+	current = auth->get(auth, AUTH_RULE_CA_CERT);
+	if (!current)
+	{
+		/* no trust anchor specified, return this cert only */
+		trustchain->add(trustchain, AUTH_RULE_SUBJECT_CERT,
+						subject->get_ref(subject));
+		return trustchain;
+	}
+	current = subject->get_ref(subject);
+	while (TRUE)
+	{
+		if (auth_contains_cacert(auth, current))
+		{
+			trustchain->add(trustchain, AUTH_RULE_CA_CERT, current);
+			return trustchain;
+		}
+		if (subject == current)
+		{
+			trustchain->add(trustchain, AUTH_RULE_SUBJECT_CERT, current);
+		}
+		else
+		{
+			trustchain->add(trustchain, AUTH_RULE_IM_CERT, current);
+		}
+		issuer = get_issuer_cert(this, current, FALSE);
+		if (!issuer || issuer->equals(issuer, current) ||
+			pathlen > MAX_TRUST_PATH_LEN)
+		{
+			DESTROY_IF(issuer);
+			break;
+		}
+		current = issuer;
+		pathlen++;
+	}
+	trustchain->destroy(trustchain);
+	return NULL;
+}
+
+/**
+ * find a private key of a give certificate
+ */
+static private_key_t *get_private_by_cert(private_credential_manager_t *this,
+										  certificate_t *cert, key_type_t type)
+{
+	private_key_t *private = NULL;
+	identification_t *keyid;
+	chunk_t chunk;
+	public_key_t *public;
+
+	public = cert->get_public_key(cert);
+	if (public)
+	{
+		if (public->get_fingerprint(public, KEYID_PUBKEY_SHA1, &chunk))
+		{
+			keyid = identification_create_from_encoding(ID_KEY_ID, chunk);
+			private = get_private_by_keyid(this, type, keyid);
+			keyid->destroy(keyid);
+		}
+		public->destroy(public);
+	}
+	return private;
+}
+
+METHOD(credential_manager_t, get_private, private_key_t*,
+	private_credential_manager_t *this, key_type_t type, identification_t *id,
+	auth_cfg_t *auth)
+{
+	enumerator_t *enumerator;
+	certificate_t *cert;
+	private_key_t *private = NULL;
+	auth_cfg_t *trustchain;
+
+	/* check if this is a lookup by key ID, and do it if so */
+	if (id && id->get_type(id) == ID_KEY_ID)
+	{
+		private = get_private_by_keyid(this, type, id);
+		if (private)
+		{
+			return private;
+		}
+	}
+
+	/* if a specific certificate is preferred, check for a matching key */
+	cert = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
+	if (cert)
+	{
+		private = get_private_by_cert(this, cert, type);
+		if (private)
+		{
+			trustchain = build_trustchain(this, cert, auth);
+			if (trustchain)
+			{
+				auth->merge(auth, trustchain, FALSE);
+				trustchain->destroy(trustchain);
+			}
+			return private;
+		}
+	}
+
+	/* try to build a trust chain for each certificate found */
+	enumerator = create_cert_enumerator(this, CERT_ANY, type, id, FALSE);
+	while (enumerator->enumerate(enumerator, &cert))
+	{
+		private = get_private_by_cert(this, cert, type);
+		if (private)
+		{
+			trustchain = build_trustchain(this, cert, auth);
+			if (trustchain)
+			{
+				auth->merge(auth, trustchain, FALSE);
+				trustchain->destroy(trustchain);
+				break;
+			}
+			private->destroy(private);
+			private = NULL;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	/* if no valid trustchain was found, fall back to the first usable cert */
+	if (!private)
+	{
+		enumerator = create_cert_enumerator(this, CERT_ANY, type, id, FALSE);
+		while (enumerator->enumerate(enumerator, &cert))
+		{
+			private = get_private_by_cert(this, cert, type);
+			if (private)
+			{
+				auth->add(auth, AUTH_RULE_SUBJECT_CERT, cert->get_ref(cert));
+				break;
+			}
+		}
+		enumerator->destroy(enumerator);
+	}
+	return private;
+}
+
+METHOD(credential_manager_t, flush_cache, void,
+	private_credential_manager_t *this, certificate_type_t type)
+{
+	this->cache->flush(this->cache, type);
+}
+
+METHOD(credential_manager_t, issued_by, bool,
+	private_credential_manager_t *this, certificate_t *subject,
+	certificate_t *issuer)
+{
+	return this->cache->issued_by(this->cache, subject, issuer);
+}
+
+METHOD(credential_manager_t, add_set, void,
+	private_credential_manager_t *this, credential_set_t *set)
+{
+	this->lock->write_lock(this->lock);
+	this->sets->insert_last(this->sets, set);
+	this->lock->unlock(this->lock);
+}
+
+METHOD(credential_manager_t, remove_set, void,
+	private_credential_manager_t *this, credential_set_t *set)
+{
+	this->lock->write_lock(this->lock);
+	this->sets->remove(this->sets, set, NULL);
+	this->lock->unlock(this->lock);
+}
+
+METHOD(credential_manager_t, add_validator, void,
+	private_credential_manager_t *this, cert_validator_t *vdtr)
+{
+	this->lock->write_lock(this->lock);
+	this->sets->insert_last(this->validators, vdtr);
+	this->lock->unlock(this->lock);
+}
+
+METHOD(credential_manager_t, remove_validator, void,
+	private_credential_manager_t *this, cert_validator_t *vdtr)
+{
+	this->lock->write_lock(this->lock);
+	this->validators->remove(this->validators, vdtr, NULL);
+	this->lock->unlock(this->lock);
+}
+
+METHOD(credential_manager_t, destroy, void,
+	private_credential_manager_t *this)
+{
+	cache_queue(this);
+	this->cache_queue->destroy(this->cache_queue);
+	this->sets->remove(this->sets, this->cache, NULL);
+	this->sets->destroy(this->sets);
+	this->local_sets->destroy(this->local_sets);
+	this->cache->destroy(this->cache);
+	this->validators->destroy(this->validators);
+	this->lock->destroy(this->lock);
+	this->queue_mutex->destroy(this->queue_mutex);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+credential_manager_t *credential_manager_create()
+{
+	private_credential_manager_t *this;
+
+	INIT(this,
+		.public = {
+			.create_cert_enumerator = _create_cert_enumerator,
+			.create_shared_enumerator = _create_shared_enumerator,
+			.create_cdp_enumerator = _create_cdp_enumerator,
+			.get_cert = _get_cert,
+			.get_shared = _get_shared,
+			.get_private = _get_private,
+			.create_trusted_enumerator = _create_trusted_enumerator,
+			.create_public_enumerator = _create_public_enumerator,
+			.flush_cache = _flush_cache,
+			.cache_cert = _cache_cert,
+			.issued_by = _issued_by,
+			.add_set = _add_set,
+			.remove_set = _remove_set,
+			.add_local_set = _add_local_set,
+			.remove_local_set = _remove_local_set,
+			.add_validator = _add_validator,
+			.remove_validator = _remove_validator,
+			.destroy = _destroy,
+		},
+		.sets = linked_list_create(),
+		.validators = linked_list_create(),
+		.cache = cert_cache_create(),
+		.cache_queue = linked_list_create(),
+		.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
+		.queue_mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+	);
+
+	this->local_sets = thread_value_create((thread_cleanup_t)this->sets->destroy);
+	this->sets->insert_first(this->sets, this->cache);
+
+	return &this->public;
+}
diff --git a/src/libstrongswan/credentials/credential_manager.h b/src/libstrongswan/credentials/credential_manager.h
new file mode 100644
index 000000000..04269cfbf
--- /dev/null
+++ b/src/libstrongswan/credentials/credential_manager.h
@@ -0,0 +1,270 @@
+/*
+ * Copyright (C) 2007-2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup credential_manager credential_manager
+ * @{ @ingroup credentials
+ */
+
+#ifndef CREDENTIAL_MANAGER_H_
+#define CREDENTIAL_MANAGER_H_
+
+typedef struct credential_manager_t credential_manager_t;
+
+#include <utils/identification.h>
+#include <utils/enumerator.h>
+#include <credentials/auth_cfg.h>
+#include <credentials/credential_set.h>
+#include <credentials/keys/private_key.h>
+#include <credentials/keys/shared_key.h>
+#include <credentials/certificates/certificate.h>
+#include <credentials/cert_validator.h>
+
+/**
+ * Manages credentials using credential_sets.
+ *
+ * The credential manager is the entry point of the credential framework. It
+ * uses so called "sets" to access credentials in a modular fashion, these
+ * are implemented through the credential_set_t interface.
+ * The manager additionally does trust chain verification and trust status
+ * chaching. A set may call the managers methods if it needs credentials itself,
+ * the manager uses recursive locking.
+ *
+ * @verbatim
+
+  +-------+        +----------------+
+  |   A   |        |                |          +------------------+
+  |   u   | -----> |                | ------>  |  +------------------+
+  |   t   |        |   credential-  |          |  |  +------------------+
+  |   h   | -----> |     manager    | ------>  +--|  |   credential-    | => IPC
+  |   e   |        |                |             +--|       sets       |
+  |   n   |   +--> |                | ------>        +------------------+
+  |   t   |   |    |                |                        |
+  |   i   |   |    |                |                        |
+  |   c   |   |    +----------------+                        |
+  |   a   |   |                                              |
+  |   t   |   +----------------------------------------------+
+  |   o   |                    may be recursive
+  |   r   |
+  +-------+
+
+   @endverbatim
+ *
+ * The credential manager uses rwlocks for performance reasons, credential
+ * sets must be fully thread save.
+ */
+struct credential_manager_t {
+
+	/**
+	 * Create an enumerator over all certificates.
+	 *
+	 * @param cert		kind of certificate
+	 * @param key		kind of key in certificate
+	 * @param id		subject this certificate belongs to
+	 * @param trusted	TRUE to list trusted certificates only
+	 * @return			enumerator over the certificates
+	 */
+	enumerator_t *(*create_cert_enumerator)(credential_manager_t *this,
+								certificate_type_t cert, key_type_t key,
+								identification_t *id, bool trusted);
+	/**
+	 * Create an enumerator over all shared keys.
+	 *
+	 * The enumerator enumerates over:
+	 *  shared_key_t*, id_match_t me, id_match_t other
+	 * But must accepts values for the id_matches.
+	 *
+	 * @param type		kind of requested shared key
+	 * @param first		first subject between key is shared
+	 * @param second	second subject between key is shared
+	 * @return			enumerator over shared keys
+	 */
+	enumerator_t *(*create_shared_enumerator)(credential_manager_t *this,
+								shared_key_type_t type,
+								identification_t *first, identification_t *second);
+	/**
+	 * Create an enumerator over all Certificate Distribution Points.
+	 *
+	 * @param type		kind of certificate the point distributes
+	 * @param id		identification of the distributed certificate
+	 * @return			enumerator of CDPs as char*
+	 */
+	enumerator_t *(*create_cdp_enumerator)(credential_manager_t *this,
+								certificate_type_t type, identification_t *id);
+	/**
+	 * Get a trusted or untrusted certificate.
+	 *
+	 * @param cert		kind of certificate
+	 * @param key		kind of key in certificate
+	 * @param id		subject this certificate belongs to
+	 * @param trusted	TRUE to get a trusted certificate only
+	 * @return			certificate, if found, NULL otherwise
+	 */
+	certificate_t *(*get_cert)(credential_manager_t *this,
+							   certificate_type_t cert, key_type_t key,
+							   identification_t *id, bool trusted);
+	/**
+	 * Get the best matching shared key for two IDs.
+	 *
+	 * @param type		kind of requested shared key
+	 * @param me		own identity
+	 * @param other		peers identity
+	 * @return			shared_key_t, NULL if none found
+	 */
+	shared_key_t *(*get_shared)(credential_manager_t *this, shared_key_type_t type,
+								identification_t *me, identification_t *other);
+	/**
+	 * Get a private key to create a signature.
+	 *
+	 * The get_private() method gets a secret private key identified by either
+	 * the keyid itself or an id the key belongs to.
+	 * The auth parameter contains additional information, such as receipients
+	 * trusted CA certs. Auth gets filled with subject and CA certificates
+	 * needed to validate a created signature.
+	 *
+	 * @param type		type of the key to get
+	 * @param id		identification the key belongs to
+	 * @param auth		auth config, including trusted CA certificates
+	 * @return			private_key_t, NULL if none found
+	 */
+	private_key_t* (*get_private)(credential_manager_t *this, key_type_t type,
+								  identification_t *id, auth_cfg_t *auth);
+
+	/**
+	 * Create an enumerator over trusted certificates.
+	 *
+	 * This method creates an enumerator over trusted certificates. The auth
+	 * parameter (if given) recevies the trustchain used to validate
+	 * the certificate. The resulting enumerator enumerates over
+	 * certificate_t*, auth_cfg_t*.
+	 * If online is set, revocations are checked online for the whole
+	 * trustchain.
+	 *
+	 * @param type		type of the key we want a certificate for
+	 * @param id		subject of the certificate
+	 * @param online	whether revocations should be checked online
+	 * @return			enumerator
+	 */
+	enumerator_t* (*create_trusted_enumerator)(credential_manager_t *this,
+					key_type_t type, identification_t *id, bool online);
+
+	/**
+	 * Create an enumerator over trusted public keys.
+	 *
+	 * This method gets a an enumerator over trusted public keys to verify a
+	 * signature created by id. The auth parameter contains additional
+	 * authentication infos, e.g. peer and intermediate certificates.
+	 * The resulting enumerator enumerates over public_key_t *, auth_cfg_t *,
+	 * where the auth config helper contains rules for constraint checks.
+	 * This function is very similar to create_trusted_enumerator(), but
+	 * gets public keys directly.
+	 *
+	 * @param type		type of the key to get
+	 * @param id		owner of the key, signer of the signature
+	 * @param auth		authentication infos
+	 * @return			enumerator
+	 */
+	enumerator_t* (*create_public_enumerator)(credential_manager_t *this,
+					key_type_t type, identification_t *id, auth_cfg_t *auth);
+
+	/**
+	 * Cache a certificate by invoking cache_cert() on all registerd sets.
+	 *
+	 * @param cert		certificate to cache
+	 */
+	void (*cache_cert)(credential_manager_t *this, certificate_t *cert);
+
+	/**
+	 * Flush the certificate cache.
+	 *
+	 * Only the managers local cache is flushed, but not the sets cache filled
+	 * by the cache_cert() method.
+	 *
+	 * @param type		type of certificate to flush, or CERT_ANY
+	 */
+	void (*flush_cache)(credential_manager_t *this, certificate_type_t type);
+
+	/**
+	 * Check if a given subject certificate is issued by an issuer certificate.
+	 *
+	 * This operation does signature verification, but uses the credential
+	 * managers cache for to speed up the operation.
+	 *
+	 * @param subject	subject certificate to check
+	 * @param issuer	issuer certificate that potentially has signed subject
+	 * @return			TRUE if issuer signed subject
+	 */
+	bool (*issued_by)(credential_manager_t *this,
+					  certificate_t *subject, certificate_t *issuer);
+
+	/**
+	 * Register a credential set to the manager.
+	 *
+	 * @param set		set to register
+	 */
+	void (*add_set)(credential_manager_t *this, credential_set_t *set);
+
+	/**
+	 * Unregister a credential set from the manager.
+	 *
+	 * @param set		set to unregister
+	 */
+	void (*remove_set)(credential_manager_t *this, credential_set_t *set);
+
+	/**
+	 * Register a thread local credential set to the manager.
+	 *
+	 * To add a credential set for the current trustchain verification
+	 * operation, sets may be added for the calling thread only. This
+	 * does not require a write lock and is therefore a much less expensive
+	 * operation.
+	 *
+	 * @param set		set to register
+	 */
+	void (*add_local_set)(credential_manager_t *this, credential_set_t *set);
+
+	/**
+	 * Unregister a thread local credential set from the manager.
+	 *
+	 * @param set		set to unregister
+	 */
+	void (*remove_local_set)(credential_manager_t *this, credential_set_t *set);
+
+	/**
+	 * Register a certificate validator to the manager.
+	 *
+	 * @param vdtr		validator to register
+	 */
+	void (*add_validator)(credential_manager_t *this, cert_validator_t *vdtr);
+
+	/**
+	 * Remove a certificate validator from the manager.
+	 *
+	 * @param vdtr		validator to unregister
+	 */
+	void (*remove_validator)(credential_manager_t *this, cert_validator_t *vdtr);
+
+	/**
+	 * Destroy a credential_manager instance.
+	 */
+	void (*destroy)(credential_manager_t *this);
+};
+
+/**
+ * Create a credential_manager instance.
+ */
+credential_manager_t *credential_manager_create();
+
+#endif /** CREDENTIAL_MANAGER_H_ @}*/
diff --git a/src/libstrongswan/credentials/credential_set.h b/src/libstrongswan/credentials/credential_set.h
new file mode 100644
index 000000000..0eee237cb
--- /dev/null
+++ b/src/libstrongswan/credentials/credential_set.h
@@ -0,0 +1,108 @@
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup credential_set credential_set
+ * @{ @ingroup credentials
+ */
+
+#ifndef CREDENTIAL_SET_H_
+#define CREDENTIAL_SET_H_
+
+typedef struct credential_set_t credential_set_t;
+
+#include <credentials/keys/public_key.h>
+#include <credentials/keys/shared_key.h>
+#include <credentials/certificates/certificate.h>
+
+/**
+ * A set of credentials.
+ *
+ * Contains private keys, shared keys and different kinds of certificates.
+ * Enumerators are used because queries might return multiple matches.
+ * Filter parameters restrict enumeration over specific items only.
+ * See credential_manager_t for an overview of the credential framework.
+ *
+ * A credential set enumerator may not block the credential set, i.e. multiple
+ * threads must be able to hold multiple enumerators, as the credential manager
+ * is higly parallelized. The best way to achieve this is by using shared
+ * read locks for the enumerators only. Otherwiese deadlocks will occur.
+ * The writing cache_cert() routine is called by the manager only if no
+ * enumerator is alive, so it is save to use a write lock there.
+ */
+struct credential_set_t {
+
+	/**
+	 * Create an enumerator over private keys (private_key_t).
+	 *
+	 * The id is either a key identifier of the requested key, or an identity
+	 * of the key owner.
+	 *
+	 * @param type		type of requested private key
+	 * @param id		key identifier/owner
+	 * @return			enumerator over private_key_t's.
+	 */
+	enumerator_t *(*create_private_enumerator)(credential_set_t *this,
+						key_type_t type, identification_t *id);
+	/**
+	 * Create an enumerator over certificates (certificate_t).
+	 *
+	 * @param cert		kind of certificate
+	 * @param key		kind of key in certificate
+	 * @param id		identity (subject) this certificate belongs to
+	 * @param trusted	whether the certificate must be trustworthy
+	 * @return			enumerator as described above
+	 */
+	enumerator_t *(*create_cert_enumerator)(credential_set_t *this,
+						certificate_type_t cert, key_type_t key,
+						identification_t *id, bool trusted);
+	/**
+	 * Create an enumerator over shared keys (shared_key_t).
+	 *
+	 * The enumerator enumerates over:
+	 *  shared_key_t*, id_match_t me, id_match_t other
+	 * But must accept NULL values for the id_matches.
+	 *
+	 * @param type		kind of requested shared key
+	 * @param me		own identity
+	 * @param other		other identity who owns that secret
+	 * @return			enumerator as described above
+	 */
+	enumerator_t *(*create_shared_enumerator)(credential_set_t *this,
+						shared_key_type_t type,
+						identification_t *me, identification_t *other);
+
+	/**
+	 * Create an enumerator over certificate distribution points.
+	 *
+	 * @param type		type of the certificate to get a CDP
+	 * @param id		identification of the distributed certificate
+	 * @return			an enumerator over CDPs as char*
+	 */
+	enumerator_t *(*create_cdp_enumerator)(credential_set_t *this,
+						certificate_type_t type, identification_t *id);
+
+	/**
+	 * Cache a certificate in the credential set.
+	 *
+	 * The caching policy is implementation dependent, the sets may cache the
+	 * certificate in-memory, persistent on disk or not at all.
+	 *
+	 * @param cert		certificate to cache
+	 */
+	void (*cache_cert)(credential_set_t *this, certificate_t *cert);
+};
+
+#endif /** CREDENTIAL_SET_H_ @}*/
diff --git a/src/libstrongswan/credentials/ietf_attributes/ietf_attributes.c b/src/libstrongswan/credentials/ietf_attributes/ietf_attributes.c
index ff3ddeb6f..de5b85bae 100644
--- a/src/libstrongswan/credentials/ietf_attributes/ietf_attributes.c
+++ b/src/libstrongswan/credentials/ietf_attributes/ietf_attributes.c
@@ -159,7 +159,7 @@ static char* get_string(private_ietf_attributes_t *this)
 		enumerator = this->list->create_enumerator(this->list);
 		while (enumerator->enumerate(enumerator, &attr))
 		{
-			int written = 0;
+			int written;
 
 			if (first)
 			{
@@ -168,8 +168,12 @@ static char* get_string(private_ietf_attributes_t *this)
 			else
 			{
 				written = snprintf(pos, len, ", ");
+				if (written < 0 || written >= len)
+				{
+					break;
+				}
 				pos += written;
-				len -= written; 
+				len -= written;
 			}
 
 			switch (attr->type)
@@ -194,8 +198,13 @@ static char* get_string(private_ietf_attributes_t *this)
 					break;
 				}
 				default:
+					written = 0;
 					break;
 			}
+			if (written < 0 || written >= len)
+			{
+				break;
+			}
 			pos += written;
 			len -= written;
 		}
diff --git a/src/libstrongswan/credentials/keys/key_encoding.c b/src/libstrongswan/credentials/keys/key_encoding.c
deleted file mode 100644
index 89b25226c..000000000
--- a/src/libstrongswan/credentials/keys/key_encoding.c
+++ /dev/null
@@ -1,299 +0,0 @@
-/*
- * Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "key_encoding.h"
-
-#include <stdint.h>
-
-#include <utils/linked_list.h>
-#include <utils/hashtable.h>
-#include <threading/rwlock.h>
-
-typedef struct private_key_encoding_t private_key_encoding_t;
-
-/**
- * Private data of an key_encoding_t object.
- */
-struct private_key_encoding_t {
-
-	/**
-	 * Public key_encoding_t interface.
-	 */
-	key_encoding_t public;
-
-	/**
-	 * cached encodings, a table for each encoding_type_t, containing chunk_t*
-	 */
-	hashtable_t *cache[KEY_ENCODING_MAX];
-
-	/**
-	 * Registered encoding fuctions, key_encoder_t
-	 */
-	linked_list_t *encoders;
-
-	/**
-	 * lock to access cache/encoders
-	 */
-	rwlock_t *lock;
-};
-
-/**
- * See header.
- */
-bool key_encoding_args(va_list args, ...)
-{
-	va_list parts, copy;
-	bool failed = FALSE;
-
-	va_start(parts, args);
-
-	while (!failed)
-	{
-		key_encoding_part_t current, target;
-		chunk_t *out, data;
-
-		/* get the part we are looking for */
-		target = va_arg(parts, key_encoding_part_t);
-		if (target == KEY_PART_END)
-		{
-			break;
-		}
-		out = va_arg(parts, chunk_t*);
-
-		va_copy(copy, args);
-		while (!failed)
-		{
-			current = va_arg(copy, key_encoding_part_t);
-			if (current == KEY_PART_END)
-			{
-				failed = TRUE;
-				break;
-			}
-			data = va_arg(copy, chunk_t);
-			if (current == target)
-			{
-				*out = data;
-				break;
-			}
-		}
-		va_end(copy);
-	}
-	va_end(parts);
-	return !failed;
-}
-
-/**
- * hashtable hash() function
- */
-static u_int hash(void *key)
-{
-	return (uintptr_t)key;
-}
-
-/**
- * hashtable equals() function
- */
-static bool equals(void *key1, void *key2)
-{
-	return key1 == key2;
-}
-
-/**
- * Implementation of key_encoding_t.get_cache
- */
-static bool get_cache(private_key_encoding_t *this, key_encoding_type_t type,
-					  void *cache, chunk_t *encoding)
-{
-	chunk_t *chunk;
-
-	if (type >= KEY_ENCODING_MAX || type < 0)
-	{
-		return FALSE;
-	}
-	this->lock->read_lock(this->lock);
-	chunk = this->cache[type]->get(this->cache[type], cache);
-	if (chunk)
-	{
-		*encoding = *chunk;
-	}
-	this->lock->unlock(this->lock);
-	return !!chunk;
-}
-
-/**
- * Implementation of key_encoding_t.encode
- */
-static bool encode(private_key_encoding_t *this, key_encoding_type_t type,
-				   void *cache, chunk_t *encoding, ...)
-{
-	enumerator_t *enumerator;
-	va_list args, copy;
-	key_encoder_t encode;
-	bool success = FALSE;
-	chunk_t *chunk;
-
-	if (type >= KEY_ENCODING_MAX || type < 0)
-	{
-		return FALSE;
-	}
-	this->lock->read_lock(this->lock);
-	if (cache)
-	{
-		chunk = this->cache[type]->get(this->cache[type], cache);
-		if (chunk)
-		{
-			*encoding = *chunk;
-			this->lock->unlock(this->lock);
-			return TRUE;
-		}
-	}
-	va_start(args, encoding);
-	enumerator = this->encoders->create_enumerator(this->encoders);
-	while (enumerator->enumerate(enumerator, &encode))
-	{
-		va_copy(copy, args);
-		success = encode(type, encoding, copy);
-		va_end(copy);
-		if (success)
-		{
-			if (cache)
-			{
-				chunk = malloc_thing(chunk_t);
-				*chunk = *encoding;
-				this->lock->unlock(this->lock);
-				this->lock->write_lock(this->lock);
-				this->cache[type]->put(this->cache[type], cache, chunk);
-			}
-			break;
-		}
-	}
-	enumerator->destroy(enumerator);
-	va_end(args);
-	this->lock->unlock(this->lock);
-	return success;
-}
-
-/**
- * Implementation of key_encoding_t.cache
- */
-static void cache(private_key_encoding_t *this, key_encoding_type_t type,
-				  void *cache, chunk_t encoding)
-{
-	chunk_t *chunk;
-
-	if (type >= KEY_ENCODING_MAX || type < 0)
-	{
-		return free(encoding.ptr);
-	}
-	chunk = malloc_thing(chunk_t);
-	*chunk = encoding;
-	this->lock->write_lock(this->lock);
-	chunk = this->cache[type]->put(this->cache[type], cache, chunk);
-	this->lock->unlock(this->lock);
-	/* free an encoding already associated to the cache */
-	if (chunk)
-	{
-		free(chunk->ptr);
-		free(chunk);
-	}
-}
-
-/**
- * Implementation of key_encoding_t.clear_cache
- */
-static void clear_cache(private_key_encoding_t *this, void *cache)
-{
-	key_encoding_type_t type;
-	chunk_t *chunk;
-
-	this->lock->write_lock(this->lock);
-	for (type = 0; type < KEY_ENCODING_MAX; type++)
-	{
-		chunk = this->cache[type]->remove(this->cache[type], cache);
-		if (chunk)
-		{
-			chunk_free(chunk);
-			free(chunk);
-		}
-	}
-	this->lock->unlock(this->lock);
-}
-
-/**
- * Implementation of key_encoding_t.add_encoder
- */
-static void add_encoder(private_key_encoding_t *this, key_encoder_t encoder)
-{
-	this->lock->write_lock(this->lock);
-	this->encoders->insert_last(this->encoders, encoder);
-	this->lock->unlock(this->lock);
-}
-
-/**
- * Implementation of key_encoding_t.remove_encoder
- */
-static void remove_encoder(private_key_encoding_t *this, key_encoder_t encoder)
-{
-	this->lock->write_lock(this->lock);
-	this->encoders->remove(this->encoders, encoder, NULL);
-	this->lock->unlock(this->lock);
-}
-
-/**
- * Implementation of key_encoder_t.destroy.
- */
-static void destroy(private_key_encoding_t *this)
-{
-	key_encoding_type_t type;
-
-	for (type = 0; type < KEY_ENCODING_MAX; type++)
-	{
-		/* We explicitly do not free remaining encodings. All keys should
-		 * have gone now, and they are responsible for cleaning out their
-		 * cache entries. Not flushing here allows the leak detective to
-		 * complain if a key did not flush cached encodings. */
-		this->cache[type]->destroy(this->cache[type]);
-	}
-	this->encoders->destroy(this->encoders);
-	this->lock->destroy(this->lock);
-	free(this);
-}
-
-/**
- * See header
- */
-key_encoding_t *key_encoding_create()
-{
-	private_key_encoding_t *this = malloc_thing(private_key_encoding_t);
-	key_encoding_type_t type;
-
-	this->public.encode = (bool(*)(key_encoding_t*, key_encoding_type_t type, void *cache, chunk_t *encoding, ...))encode;
-	this->public.get_cache = (bool(*)(key_encoding_t*, key_encoding_type_t type, void *cache, chunk_t *encoding))get_cache;
-	this->public.cache = (void(*)(key_encoding_t*, key_encoding_type_t type, void *cache, chunk_t encoding))cache;
-	this->public.clear_cache = (void(*)(key_encoding_t*, void *cache))clear_cache;
-	this->public.add_encoder = (void(*)(key_encoding_t*, key_encoder_t encoder))add_encoder;
-	this->public.remove_encoder = (void(*)(key_encoding_t*, key_encoder_t encoder))remove_encoder;
-	this->public.destroy = (void(*)(key_encoding_t*))destroy;
-
-	for (type = 0; type < KEY_ENCODING_MAX; type++)
-	{
-		this->cache[type] = hashtable_create(hash, equals, 8);
-	}
-	this->encoders = linked_list_create();
-	this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
-
-	return &this->public;
-}
-
diff --git a/src/libstrongswan/credentials/keys/key_encoding.h b/src/libstrongswan/credentials/keys/key_encoding.h
deleted file mode 100644
index d8435f4b4..000000000
--- a/src/libstrongswan/credentials/keys/key_encoding.h
+++ /dev/null
@@ -1,203 +0,0 @@
-/*
- * Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup key_encoding key_encoding
- * @{ @ingroup keys
- */
-
-#ifndef KEY_ENCODING_H_
-#define KEY_ENCODING_H_
-
-typedef struct key_encoding_t key_encoding_t;
-typedef enum key_encoding_type_t key_encoding_type_t;
-typedef enum key_encoding_part_t key_encoding_part_t;
-
-#include <library.h>
-
-/**
- * Key encoder function implementing encoding/fingerprinting.
- *
- * The variable argument list takes key_encoding_part_t, followed by part
- * specific arguments, terminated by KEY_PART_END.
- *
- * @param type		format to encode the key to
- * @param args		list of (key_encoding_part_t, data)
- * @param encoding	encoding result, allocated
- * @return			TRUE if encoding successful
- */
-typedef bool (*key_encoder_t)(key_encoding_type_t type, chunk_t *encoding,
-							  va_list args);
-
-/**
- * Helper function for key_encoder_t implementations to parse argument list.
- *
- * Key encoder functions get a variable argument list to parse. To simplify
- * the job, this function reads the arguments and returns chunks for each
- * part.
- * The argument list of this function takes a key_encoding_part_t, followed
- * by a data pointer receiving the value, terminated by KEY_PART_END.
- *
- * @param args		argument list passed to key encoder function
- * @param ...		list of (key_encoding_part_t, data*)
- * @return			TRUE if all parts found, FALSE otherwise
- */
-bool key_encoding_args(va_list args, ...);
-
-/**
- * Encoding type of a fingerprint/private-/public-key.
- *
- * Fingerprints have have the KEY_ID_*, public keys the KEY_PUB_* and
- * private keys the KEY_PRIV_* prefix.
- */
-enum key_encoding_type_t {
-	/** SHA1 fingerprint over subjectPublicKeyInfo */
-	KEY_ID_PUBKEY_INFO_SHA1 = 0,
-	/** SHA1 fingerprint over subjectPublicKey */
-	KEY_ID_PUBKEY_SHA1,
-	/** PGPv3 fingerprint */
-	KEY_ID_PGPV3,
-	/** PGPv4 fingerprint */
-	KEY_ID_PGPV4,
-
-	KEY_ID_MAX,
-
-	/** PKCS#1 and similar ASN.1 key encoding */
-	KEY_PUB_ASN1_DER,
-	KEY_PRIV_ASN1_DER,
-	/** subjectPublicKeyInfo encoding */
-	KEY_PUB_SPKI_ASN1_DER,
-	/** PEM encoded PKCS#1 key */
-	KEY_PUB_PEM,
-	KEY_PRIV_PEM,
-	/** PGP key encoding */
-	KEY_PUB_PGP,
-	KEY_PRIV_PGP,
-
-	KEY_ENCODING_MAX,
-};
-
-/**
- * Parts of a key to encode.
- */
-enum key_encoding_part_t {
-	/** modulus of a RSA key, n */
-	KEY_PART_RSA_MODULUS,
-	/** public exponent of a RSA key, e */
-	KEY_PART_RSA_PUB_EXP,
-	/** private exponent of a RSA key, d */
-	KEY_PART_RSA_PRIV_EXP,
-	/** prime1 a RSA key, p */
-	KEY_PART_RSA_PRIME1,
-	/** prime2 a RSA key, q */
-	KEY_PART_RSA_PRIME2,
-	/** exponent1 a RSA key, exp1 */
-	KEY_PART_RSA_EXP1,
-	/** exponent1 a RSA key, exp2 */
-	KEY_PART_RSA_EXP2,
-	/** coefficient of RSA key, coeff */
-	KEY_PART_RSA_COEFF,
-	/** a DER encoded RSA public key */
-	KEY_PART_RSA_PUB_ASN1_DER,
-	/** a DER encoded RSA private key */
-	KEY_PART_RSA_PRIV_ASN1_DER,
-	/** a DER encoded ECDSA public key */
-	KEY_PART_ECDSA_PUB_ASN1_DER,
-	/** a DER encoded ECDSA private key */
-	KEY_PART_ECDSA_PRIV_ASN1_DER,
-
-	KEY_PART_END,
-};
-
-/**
- * Private/Public key encoding and fingerprinting facility.
- */
-struct key_encoding_t {
-
-	/**
-	 * Encode a key into a format using several key parts, optional caching.
-	 *
-	 * The variable argument list takes key_encoding_part_t, followed by part
-	 * specific arguments, terminated by KEY_PART_END.
-	 * If a cache key is given, the returned encoding points to internal data:
-	 * do not free or modify. If no cache key is given, the encoding is
-	 * allocated and must be freed by the caller.
-	 *
-	 * @param type			format the key should be encoded to
-	 * @param cache			key to use for caching, NULL to not cache
-	 * @param encoding		encoding result, allocated if caching disabled
-	 * @param ...			list of (key_encoding_part_t, data)
-	 * @return				TRUE if encoding successful
-	 */
-	bool (*encode)(key_encoding_t *this, key_encoding_type_t type, void *cache,
-				   chunk_t *encoding, ...);
-
-	/**
-	 * Clear all cached encodings of a given cache key.
-	 *
-	 * @param cache			key used in encode() for caching
-	 */
-	void (*clear_cache)(key_encoding_t *this, void *cache);
-
-	/**
-	 * Check for a cached encoding.
-	 *
-	 * @param type			format of the key encoding
-	 * @param cache			key to use for caching, as given to encode()
-	 * @param encoding		encoding result, internal data
-	 * @return				TRUE if cache entry found
-	 */
-	bool (*get_cache)(key_encoding_t *this, key_encoding_type_t type,
-					  void *cache, chunk_t *encoding);
-
-	/**
-	 * Cache a key encoding created externally.
-	 *
-	 * After calling cache(), the passed encoding is owned by the key encoding
-	 * facility.
-	 *
-	 * @param type			format of the key encoding
-	 * @param cache			key to use for caching, as given to encode()
-	 * @param encoding		encoding to cache, gets owned by this
-	 */
-	void (*cache)(key_encoding_t *this, key_encoding_type_t type, void *cache,
-				  chunk_t encoding);
-
-	/**
-	 * Register a key encoder function.
-	 *
-	 * @param encoder		key encoder function to add
-	 */
-	void (*add_encoder)(key_encoding_t *this, key_encoder_t encoder);
-
-	/**
-	 * Unregister a previously registered key encoder function.
-	 *
-	 * @param encoder		key encoder function to remove
-	 */
-	void (*remove_encoder)(key_encoding_t *this, key_encoder_t encoder);
-
-	/**
-	 * Destroy a key_encoding_t.
-	 */
-	void (*destroy)(key_encoding_t *this);
-};
-
-/**
- * Create a key_encoding instance.
- */
-key_encoding_t *key_encoding_create();
-
-#endif /** KEY_ENCODING_H_ @}*/
diff --git a/src/libstrongswan/credentials/keys/private_key.c b/src/libstrongswan/credentials/keys/private_key.c
index c3b5ac55b..8292af495 100644
--- a/src/libstrongswan/credentials/keys/private_key.c
+++ b/src/libstrongswan/credentials/keys/private_key.c
@@ -20,7 +20,7 @@
  */
 bool private_key_equals(private_key_t *this, private_key_t *other)
 {
-	key_encoding_type_t type;
+	cred_encoding_type_t type;
 	chunk_t a, b;
 
 	if (this == other)
@@ -28,7 +28,7 @@ bool private_key_equals(private_key_t *this, private_key_t *other)
 		return TRUE;
 	}
 
-	for (type = 0; type < KEY_ENCODING_MAX; type++)
+	for (type = 0; type < CRED_ENCODING_MAX; type++)
 	{
 		if (this->get_fingerprint(this, type, &a) &&
 			other->get_fingerprint(other, type, &b))
@@ -44,10 +44,10 @@ bool private_key_equals(private_key_t *this, private_key_t *other)
  */
 bool private_key_belongs_to(private_key_t *private, public_key_t *public)
 {
-	key_encoding_type_t type;
+	cred_encoding_type_t type;
 	chunk_t a, b;
 
-	for (type = 0; type < KEY_ENCODING_MAX; type++)
+	for (type = 0; type < CRED_ENCODING_MAX; type++)
 	{
 		if (private->get_fingerprint(private, type, &a) &&
 			public->get_fingerprint(public, type, &b))
@@ -63,10 +63,10 @@ bool private_key_belongs_to(private_key_t *private, public_key_t *public)
  */
 bool private_key_has_fingerprint(private_key_t *private, chunk_t fingerprint)
 {
-	key_encoding_type_t type;
+	cred_encoding_type_t type;
 	chunk_t current;
 
-	for (type = 0; type < KEY_ID_MAX; type++)
+	for (type = 0; type < KEYID_MAX; type++)
 	{
 		if (private->get_fingerprint(private, type, &current) &&
 			chunk_equals(current, fingerprint))
diff --git a/src/libstrongswan/credentials/keys/private_key.h b/src/libstrongswan/credentials/keys/private_key.h
index d4517f296..27f4ab098 100644
--- a/src/libstrongswan/credentials/keys/private_key.h
+++ b/src/libstrongswan/credentials/keys/private_key.h
@@ -23,6 +23,7 @@
 
 typedef struct private_key_t private_key_t;
 
+#include <credentials/cred_encoding.h>
 #include <credentials/keys/public_key.h>
 
 /**
@@ -89,11 +90,11 @@ struct private_key_t {
 	/**
 	 * Get the fingerprint of the key.
 	 *
-	 * @param type		type of fingerprint, one of KEY_ID_*
+	 * @param type		type of fingerprint, one of KEYID_*
 	 * @param fp		fingerprint, points to internal data
 	 * @return			TRUE if fingerprint type supported
 	 */
-	bool (*get_fingerprint)(private_key_t *this, key_encoding_type_t type,
+	bool (*get_fingerprint)(private_key_t *this, cred_encoding_type_t type,
 							chunk_t *fp);
 
 	/**
@@ -107,11 +108,11 @@ struct private_key_t {
 	/**
 	 * Get the key in an encoded form as a chunk.
 	 *
-	 * @param type		type of the encoding, one of KEY_PRIV_*
+	 * @param type		type of the encoding, one of PRIVKEY_*
 	 * @param encoding	encoding of the key, allocated
 	 * @return			TRUE if encoding supported
 	 */
-	bool (*get_encoding)(private_key_t *this, key_encoding_type_t type,
+	bool (*get_encoding)(private_key_t *this, cred_encoding_type_t type,
 						 chunk_t *encoding);
 
 	/**
diff --git a/src/libstrongswan/credentials/keys/public_key.c b/src/libstrongswan/credentials/keys/public_key.c
index ba3036793..ce342de33 100644
--- a/src/libstrongswan/credentials/keys/public_key.c
+++ b/src/libstrongswan/credentials/keys/public_key.c
@@ -47,7 +47,7 @@ ENUM(signature_scheme_names, SIGN_UNKNOWN, SIGN_ECDSA_521,
  */
 bool public_key_equals(public_key_t *this, public_key_t *other)
 {
-	key_encoding_type_t type;
+	cred_encoding_type_t type;
 	chunk_t a, b;
 
 	if (this == other)
@@ -55,7 +55,7 @@ bool public_key_equals(public_key_t *this, public_key_t *other)
 		return TRUE;
 	}
 
-	for (type = 0; type < KEY_ENCODING_MAX; type++)
+	for (type = 0; type < CRED_ENCODING_MAX; type++)
 	{
 		if (this->get_fingerprint(this, type, &a) &&
 			other->get_fingerprint(other, type, &b))
@@ -71,10 +71,10 @@ bool public_key_equals(public_key_t *this, public_key_t *other)
  */
 bool public_key_has_fingerprint(public_key_t *public, chunk_t fingerprint)
 {
-	key_encoding_type_t type;
+	cred_encoding_type_t type;
 	chunk_t current;
 
-	for (type = 0; type < KEY_ID_MAX; type++)
+	for (type = 0; type < KEYID_MAX; type++)
 	{
 		if (public->get_fingerprint(public, type, &current) &&
 			chunk_equals(current, fingerprint))
diff --git a/src/libstrongswan/credentials/keys/public_key.h b/src/libstrongswan/credentials/keys/public_key.h
index a421e7b5b..ff827a189 100644
--- a/src/libstrongswan/credentials/keys/public_key.h
+++ b/src/libstrongswan/credentials/keys/public_key.h
@@ -23,12 +23,11 @@
 
 typedef struct public_key_t public_key_t;
 typedef enum key_type_t key_type_t;
-typedef enum key_id_type_t key_id_type_t;
 typedef enum signature_scheme_t signature_scheme_t;
 
 #include <library.h>
 #include <utils/identification.h>
-#include <credentials/keys/key_encoding.h>
+#include <credentials/cred_encoding.h>
 
 /**
  * Type of a key pair, the used crypto system
@@ -147,11 +146,11 @@ struct public_key_t {
 	/**
 	 * Get the fingerprint of the key.
 	 *
-	 * @param type		type of fingerprint, one of KEY_ID_*
+	 * @param type		type of fingerprint, one of KEYID_*
 	 * @param fp		fingerprint, points to internal data
 	 * @return			TRUE if fingerprint type supported
 	 */
-	bool (*get_fingerprint)(public_key_t *this, key_encoding_type_t type,
+	bool (*get_fingerprint)(public_key_t *this, cred_encoding_type_t type,
 							chunk_t *fp);
 
 	/**
@@ -165,11 +164,11 @@ struct public_key_t {
 	/**
 	 * Get the key in an encoded form as a chunk.
 	 *
-	 * @param type		type of the encoding, one of KEY_PRIV_*
+	 * @param type		type of the encoding, one of PRIVKEY_*
 	 * @param encoding	encoding of the key, allocated
 	 * @return			TRUE if encoding supported
 	 */
-	bool (*get_encoding)(public_key_t *this, key_encoding_type_t type,
+	bool (*get_encoding)(public_key_t *this, cred_encoding_type_t type,
 						 chunk_t *encoding);
 
 	/**
diff --git a/src/libstrongswan/credentials/sets/auth_cfg_wrapper.c b/src/libstrongswan/credentials/sets/auth_cfg_wrapper.c
new file mode 100644
index 000000000..5e8458616
--- /dev/null
+++ b/src/libstrongswan/credentials/sets/auth_cfg_wrapper.c
@@ -0,0 +1,223 @@
+/*
+ * Copyright (C) 2008-2009 Martin Willi
+ * Copyright (C) 2008 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <library.h>
+#include <debug.h>
+
+#include "auth_cfg_wrapper.h"
+
+typedef struct private_auth_cfg_wrapper_t private_auth_cfg_wrapper_t;
+
+/**
+ * private data of auth_cfg_wrapper
+ */
+struct private_auth_cfg_wrapper_t {
+
+	/**
+	 * public functions
+	 */
+	auth_cfg_wrapper_t public;
+
+	/**
+	 * wrapped auth info
+	 */
+	auth_cfg_t *auth;
+};
+
+/**
+ * enumerator for auth_cfg_wrapper_t.create_cert_enumerator()
+ */
+typedef struct {
+	/** implements enumerator_t */
+	enumerator_t public;
+	/** inner enumerator from auth_cfg */
+	enumerator_t *inner;
+	/** wrapped auth round */
+	auth_cfg_t *auth;
+	/** enumerated cert type */
+	certificate_type_t cert;
+	/** enumerated key type */
+	key_type_t key;
+	/** enumerated id */
+	identification_t *id;
+} wrapper_enumerator_t;
+
+/**
+ * Tries to fetch a certificate that was supplied as "Hash and URL"
+ * (replaces rule type and value in place).
+ */
+static bool fetch_cert(wrapper_enumerator_t *enumerator,
+					   auth_rule_t *rule, void **value)
+{
+	char *url = (char*)*value;
+	if (!url)
+	{
+		/* fetching the certificate previously failed */
+		return FALSE;
+	}
+
+	chunk_t data;
+	certificate_t *cert;
+
+	DBG1(DBG_CFG, "  fetching certificate from '%s' ...", url);
+	if (lib->fetcher->fetch(lib->fetcher, url, &data, FETCH_END) != SUCCESS)
+	{
+		DBG1(DBG_CFG, "  fetching certificate failed");
+		/* we set the item to NULL, so we can skip it */
+		enumerator->auth->replace(enumerator->auth, enumerator->inner,
+								  *rule, NULL);
+		return FALSE;
+	}
+
+	cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+							  BUILD_BLOB_ASN1_DER, data, BUILD_END);
+	free(data.ptr);
+
+	if (!cert)
+	{
+		DBG1(DBG_CFG, "  parsing fetched certificate failed");
+		/* we set the item to NULL, so we can skip it */
+		enumerator->auth->replace(enumerator->auth, enumerator->inner,
+								  *rule, NULL);
+		return FALSE;
+	}
+
+	DBG1(DBG_CFG, "  fetched certificate \"%Y\"", cert->get_subject(cert));
+	lib->credmgr->cache_cert(lib->credmgr, cert);
+
+	if (*rule == AUTH_HELPER_IM_HASH_URL)
+	{
+		*rule = AUTH_HELPER_IM_CERT;
+	}
+	else
+	{
+		*rule = AUTH_HELPER_SUBJECT_CERT;
+	}
+	*value = cert;
+	enumerator->auth->replace(enumerator->auth, enumerator->inner,
+							  *rule, cert->get_ref(cert));
+	return TRUE;
+}
+
+/**
+ * enumerate function for wrapper_enumerator_t
+ */
+static bool enumerate(wrapper_enumerator_t *this, certificate_t **cert)
+{
+	auth_rule_t rule;
+	certificate_t *current;
+	public_key_t *public;
+
+	while (this->inner->enumerate(this->inner, &rule, &current))
+	{
+		if (rule == AUTH_HELPER_IM_HASH_URL ||
+			rule == AUTH_HELPER_SUBJECT_HASH_URL)
+		{	/* on-demand fetching of hash and url certificates */
+			if (!fetch_cert(this, &rule, (void**)&current))
+			{
+				continue;
+			}
+		}
+		else if (rule != AUTH_HELPER_SUBJECT_CERT &&
+				 rule != AUTH_HELPER_IM_CERT)
+		{	/* handle only HELPER certificates */
+			continue;
+		}
+		if (this->cert != CERT_ANY && this->cert != current->get_type(current))
+		{	/* CERT type requested, but does not match */
+			continue;
+		}
+		public = current->get_public_key(current);
+		if (this->key != KEY_ANY && !public)
+		{	/* key type requested, but no public key */
+			DESTROY_IF(public);
+			continue;
+		}
+		if (this->key != KEY_ANY && public && this->key != public->get_type(public))
+		{	/* key type requested, but public key has another type */
+			DESTROY_IF(public);
+			continue;
+		}
+		DESTROY_IF(public);
+		if (this->id && !current->has_subject(current, this->id))
+		{	/* subject requested, but does not match */
+			continue;
+		}
+		*cert = current;
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/**
+ * destroy function for wrapper_enumerator_t
+ */
+static void wrapper_enumerator_destroy(wrapper_enumerator_t *this)
+{
+	this->inner->destroy(this->inner);
+	free(this);
+}
+
+/**
+ * implementation of auth_cfg_wrapper_t.set.create_cert_enumerator
+ */
+static enumerator_t *create_enumerator(private_auth_cfg_wrapper_t *this,
+									   certificate_type_t cert, key_type_t key,
+									   identification_t *id, bool trusted)
+{
+	wrapper_enumerator_t *enumerator;
+
+	if (trusted)
+	{
+		return NULL;
+	}
+	enumerator = malloc_thing(wrapper_enumerator_t);
+	enumerator->auth = this->auth;
+	enumerator->cert = cert;
+	enumerator->key = key;
+	enumerator->id = id;
+	enumerator->inner = this->auth->create_enumerator(this->auth);
+	enumerator->public.enumerate = (void*)enumerate;
+	enumerator->public.destroy = (void*)wrapper_enumerator_destroy;
+	return &enumerator->public;
+}
+
+/**
+ * Implementation of auth_cfg_wrapper_t.destroy
+ */
+static void destroy(private_auth_cfg_wrapper_t *this)
+{
+	free(this);
+}
+
+/*
+ * see header file
+ */
+auth_cfg_wrapper_t *auth_cfg_wrapper_create(auth_cfg_t *auth)
+{
+	private_auth_cfg_wrapper_t *this = malloc_thing(private_auth_cfg_wrapper_t);
+
+	this->public.set.create_private_enumerator = (void*)return_null;
+	this->public.set.create_cert_enumerator = (void*)create_enumerator;
+	this->public.set.create_shared_enumerator = (void*)return_null;
+	this->public.set.create_cdp_enumerator = (void*)return_null;
+	this->public.set.cache_cert = (void*)nop;
+	this->public.destroy = (void(*)(auth_cfg_wrapper_t*))destroy;
+
+	this->auth = auth;
+
+	return &this->public;
+}
diff --git a/src/libstrongswan/credentials/sets/auth_cfg_wrapper.h b/src/libstrongswan/credentials/sets/auth_cfg_wrapper.h
new file mode 100644
index 000000000..3a4b197ac
--- /dev/null
+++ b/src/libstrongswan/credentials/sets/auth_cfg_wrapper.h
@@ -0,0 +1,53 @@
+/*
+ * Copyright (C) 2008-2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup auth_cfg_wrapper auth_cfg_wrapper
+ * @{ @ingroup sets
+ */
+
+#ifndef AUTH_CFG_WRAPPER_H_
+#define AUTH_CFG_WRAPPER_H_
+
+#include <credentials/auth_cfg.h>
+#include <credentials/credential_set.h>
+
+typedef struct auth_cfg_wrapper_t auth_cfg_wrapper_t;
+
+/**
+ * A wrapper around auth_cfg_t to handle it as a credential set.
+ */
+struct auth_cfg_wrapper_t {
+
+	/**
+	 * implements credential_set_t
+	 */
+	credential_set_t set;
+
+	/**
+	 * Destroy a auth_cfg_wrapper instance.
+	 */
+	void (*destroy)(auth_cfg_wrapper_t *this);
+};
+
+/**
+ * Create a auth_cfg_wrapper instance.
+ *
+ * @param auth		the wrapped auth info
+ * @return			wrapper around auth
+ */
+auth_cfg_wrapper_t *auth_cfg_wrapper_create(auth_cfg_t *auth);
+
+#endif /** AUTH_CFG_WRAPPER_H_ @}*/
diff --git a/src/libstrongswan/credentials/sets/cert_cache.c b/src/libstrongswan/credentials/sets/cert_cache.c
new file mode 100644
index 000000000..7161ac9ac
--- /dev/null
+++ b/src/libstrongswan/credentials/sets/cert_cache.c
@@ -0,0 +1,389 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "cert_cache.h"
+
+#include <time.h>
+#include <sched.h>
+
+#include <library.h>
+#include <threading/rwlock.h>
+#include <utils/linked_list.h>
+
+/** cache size, a power of 2 for fast modulo */
+#define CACHE_SIZE 32
+
+/** attempts to acquire a cache lock */
+#define REPLACE_TRIES 5
+
+typedef struct private_cert_cache_t private_cert_cache_t;
+typedef struct relation_t relation_t;
+
+/**
+ * A trusted relation between subject and issuer
+ */
+struct relation_t {
+
+	/**
+	 * subject of this relation
+	 */
+	certificate_t *subject;
+
+	/**
+	 * issuer of this relation
+	 */
+	certificate_t *issuer;
+
+	/**
+	 * Cache hits
+	 */
+	u_int hits;
+
+	/**
+	 * Lock for this relation
+	 */
+	rwlock_t *lock;
+};
+
+/**
+ * private data of cert_cache
+ */
+struct private_cert_cache_t {
+
+	/**
+	 * public functions
+	 */
+	cert_cache_t public;
+
+	/**
+	 * array of trusted subject-issuer relations
+	 */
+	relation_t relations[CACHE_SIZE];
+};
+
+/**
+ * Cache relation in a free slot/replace an other
+ */
+static void cache(private_cert_cache_t *this,
+				  certificate_t *subject, certificate_t *issuer)
+{
+	relation_t *rel;
+	int i, offset, try;
+	u_int total_hits = 0;
+
+	/* check for a unused relation slot first */
+	for (i = 0; i < CACHE_SIZE; i++)
+	{
+		rel = &this->relations[i];
+
+		if (!rel->subject && rel->lock->try_write_lock(rel->lock))
+		{
+			/* double-check having lock */
+			if (!rel->subject)
+			{
+				rel->subject = subject->get_ref(subject);
+				rel->issuer = issuer->get_ref(issuer);
+				return rel->lock->unlock(rel->lock);
+			}
+			rel->lock->unlock(rel->lock);
+		}
+		total_hits += rel->hits;
+	}
+	/* run several attempts to replace a random slot, never block. */
+	for (try = 0; try < REPLACE_TRIES; try++)
+	{
+		/* replace a random relation */
+		offset = random();
+		for (i = 0; i < CACHE_SIZE; i++)
+		{
+			rel = &this->relations[(i + offset) % CACHE_SIZE];
+
+			if (rel->hits > total_hits / CACHE_SIZE)
+			{	/* skip often used slots */
+				continue;
+			}
+			if (rel->lock->try_write_lock(rel->lock))
+			{
+				if (rel->subject)
+				{
+					rel->subject->destroy(rel->subject);
+					rel->issuer->destroy(rel->issuer);
+				}
+				rel->subject = subject->get_ref(subject);
+				rel->issuer = issuer->get_ref(issuer);
+				rel->hits = 0;
+				return rel->lock->unlock(rel->lock);
+			}
+		}
+		/* give other threads a chance to release locks */
+		sched_yield();
+	}
+}
+
+/**
+ * Implementation of cert_cache_t.issued_by.
+ */
+static bool issued_by(private_cert_cache_t *this,
+					  certificate_t *subject, certificate_t *issuer)
+{
+	relation_t *found = NULL, *current;
+	int i;
+
+	for (i = 0; i < CACHE_SIZE; i++)
+	{
+		current = &this->relations[i];
+
+		current->lock->read_lock(current->lock);
+		if (current->subject)
+		{
+			/* check for equal issuer */
+			if (issuer->equals(issuer, current->issuer))
+			{
+				/* reuse issuer instance in cache() */
+				issuer = current->issuer;
+				if (subject->equals(subject, current->subject))
+				{
+					/* write hit counter is not locked, but not critical */
+					current->hits++;
+					found = current;
+				}
+			}
+		}
+		current->lock->unlock(current->lock);
+		if (found)
+		{
+			return TRUE;
+		}
+	}
+	/* no cache hit, check and cache signature */
+	if (subject->issued_by(subject, issuer))
+	{
+		cache(this, subject, issuer);
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/**
+ * certificate enumerator implemenation
+ */
+typedef struct {
+	/** implements enumerator_t interface */
+	enumerator_t public;
+	/** type of requested certificate */
+	certificate_type_t cert;
+	/** type of requested key */
+	key_type_t key;
+	/** ID to get a cert for */
+	identification_t *id;
+	/** cache */
+	relation_t *relations;
+	/** current position in array cache */
+	int index;
+	/** currently locked relation */
+	int locked;
+} cert_enumerator_t;
+
+/**
+ * filter function for certs enumerator
+ */
+static bool cert_enumerate(cert_enumerator_t *this, certificate_t **out)
+{
+	public_key_t *public;
+	relation_t *rel;
+
+	if (this->locked >= 0)
+	{
+		rel = &this->relations[this->locked];
+		rel->lock->unlock(rel->lock);
+		this->locked = -1;
+	}
+
+	while (++this->index < CACHE_SIZE)
+	{
+		rel = &this->relations[this->index];
+		rel->lock->read_lock(rel->lock);
+		this->locked = this->index;
+		if (rel->subject)
+		{
+			/* CRL lookup is done using issuer/authkeyidentifier */
+			if (this->key == KEY_ANY && this->id &&
+				(this->cert == CERT_ANY || this->cert == CERT_X509_CRL) &&
+				rel->subject->get_type(rel->subject) == CERT_X509_CRL &&
+				rel->subject->has_issuer(rel->subject, this->id))
+			{
+				*out = rel->subject;
+				return TRUE;
+			}
+			if ((this->cert == CERT_ANY ||
+				 rel->subject->get_type(rel->subject) == this->cert) &&
+				(!this->id || rel->subject->has_subject(rel->subject, this->id)))
+			{
+				if (this->key == KEY_ANY)
+				{
+					*out = rel->subject;
+					return TRUE;
+				}
+				public = rel->subject->get_public_key(rel->subject);
+				if (public)
+				{
+					if (public->get_type(public) == this->key)
+					{
+						public->destroy(public);
+						*out = rel->subject;
+						return TRUE;
+					}
+					public->destroy(public);
+				}
+			}
+		}
+		this->locked = -1;
+		rel->lock->unlock(rel->lock);
+	}
+	return FALSE;
+}
+
+/**
+ * clean up enumeration data
+ */
+static void cert_enumerator_destroy(cert_enumerator_t *this)
+{
+	relation_t *rel;
+
+	if (this->locked >= 0)
+	{
+		rel = &this->relations[this->locked];
+		rel->lock->unlock(rel->lock);
+	}
+	free(this);
+}
+
+/**
+ * implementation of credential_set_t.create_cert_enumerator
+ */
+static enumerator_t *create_enumerator(private_cert_cache_t *this,
+									   certificate_type_t cert, key_type_t key,
+									   identification_t *id, bool trusted)
+{
+	cert_enumerator_t *enumerator;
+
+	if (trusted)
+	{
+		return NULL;
+	}
+	enumerator = malloc_thing(cert_enumerator_t);
+	enumerator->public.enumerate = (void*)cert_enumerate;
+	enumerator->public.destroy = (void*)cert_enumerator_destroy;
+	enumerator->cert = cert;
+	enumerator->key = key;
+	enumerator->id = id;
+	enumerator->relations = this->relations;
+	enumerator->index = -1;
+	enumerator->locked = -1;
+
+	return &enumerator->public;
+}
+
+/**
+ * Implementation of cert_cache_t.flush.
+ */
+static void flush(private_cert_cache_t *this, certificate_type_t type)
+{
+	relation_t *rel;
+	int i;
+
+	for (i = 0; i < CACHE_SIZE; i++)
+	{
+		rel = &this->relations[i];
+		if (!rel->subject)
+		{
+			continue;
+		}
+		/* check with cheap read lock first */
+		if (type != CERT_ANY)
+		{
+			rel->lock->read_lock(rel->lock);
+			if (!rel->subject || type != rel->subject->get_type(rel->subject))
+			{
+				rel->lock->unlock(rel->lock);
+				continue;
+			}
+			rel->lock->unlock(rel->lock);
+		}
+		/* double check in write lock */
+		rel->lock->write_lock(rel->lock);
+		if (rel->subject)
+		{
+			if (type == CERT_ANY || type == rel->subject->get_type(rel->subject))
+			{
+				rel->subject->destroy(rel->subject);
+				rel->issuer->destroy(rel->issuer);
+				rel->subject = NULL;
+				rel->issuer = NULL;
+				rel->hits = 0;
+			}
+		}
+		rel->lock->unlock(rel->lock);
+	}
+}
+
+/**
+ * Implementation of cert_cache_t.destroy
+ */
+static void destroy(private_cert_cache_t *this)
+{
+	relation_t *rel;
+	int i;
+
+	for (i = 0; i < CACHE_SIZE; i++)
+	{
+		rel = &this->relations[i];
+		if (rel->subject)
+		{
+			rel->subject->destroy(rel->subject);
+			rel->issuer->destroy(rel->issuer);
+		}
+		rel->lock->destroy(rel->lock);
+	}
+	free(this);
+}
+
+/*
+ * see header file
+ */
+cert_cache_t *cert_cache_create()
+{
+	private_cert_cache_t *this;
+	int i;
+
+	this = malloc_thing(private_cert_cache_t);
+	this->public.set.create_private_enumerator = (void*)return_null;
+	this->public.set.create_cert_enumerator = (void*)create_enumerator;
+	this->public.set.create_shared_enumerator = (void*)return_null;
+	this->public.set.create_cdp_enumerator = (void*)return_null;
+	this->public.set.cache_cert = (void*)nop;
+	this->public.issued_by = (bool(*)(cert_cache_t*, certificate_t *subject, certificate_t *issuer))issued_by;
+	this->public.flush = (void(*)(cert_cache_t*, certificate_type_t type))flush;
+	this->public.destroy = (void(*)(cert_cache_t*))destroy;
+
+	for (i = 0; i < CACHE_SIZE; i++)
+	{
+		this->relations[i].subject = NULL;
+		this->relations[i].issuer = NULL;
+		this->relations[i].hits = 0;
+		this->relations[i].lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
+	}
+	return &this->public;
+}
diff --git a/src/libstrongswan/credentials/sets/cert_cache.h b/src/libstrongswan/credentials/sets/cert_cache.h
new file mode 100644
index 000000000..d2721866e
--- /dev/null
+++ b/src/libstrongswan/credentials/sets/cert_cache.h
@@ -0,0 +1,71 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup cert_cache cert_cache
+ * @{ @ingroup sets
+ */
+
+#ifndef CERT_CACHE_H_
+#define CERT_CACHE_H_
+
+#include <credentials/credential_set.h>
+
+typedef struct cert_cache_t cert_cache_t;
+
+/**
+ * Certificate signature verification and certificate cache.
+ *
+ * This cache serves all certificates seen in its issued_by method
+ * and serves them as untrusted through the credential set interface. Further,
+ * it caches valid subject-issuer relationships to speed up the issued_by
+ * method.
+ */
+struct cert_cache_t {
+
+	/**
+	 * Implements credential_set_t.
+	 */
+	credential_set_t set;
+
+	/**
+	 * Caching wrapper around certificate_t.issued_by.
+	 *
+	 * @param subject		certificate to verify
+	 * @param issuer		issuing certificate to verify subject
+	 * @return				TRUE if subject issued by issuer
+	 */
+	bool (*issued_by)(cert_cache_t *this,
+					  certificate_t *subject, certificate_t *issuer);
+
+	/**
+	 * Flush the certificate cache.
+	 *
+	 * @param type			type of certificate to flush, or CERT_ANY
+	 */
+	void (*flush)(cert_cache_t *this, certificate_type_t type);
+
+	/**
+	 * Destroy a cert_cache instance.
+	 */
+	void (*destroy)(cert_cache_t *this);
+};
+
+/**
+ * Create a cert_cache instance.
+ */
+cert_cache_t *cert_cache_create();
+
+#endif /** CERT_CACHE_H_ @}*/
diff --git a/src/libstrongswan/credentials/sets/ocsp_response_wrapper.c b/src/libstrongswan/credentials/sets/ocsp_response_wrapper.c
new file mode 100644
index 000000000..4786495da
--- /dev/null
+++ b/src/libstrongswan/credentials/sets/ocsp_response_wrapper.c
@@ -0,0 +1,146 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ocsp_response_wrapper.h"
+
+typedef struct private_ocsp_response_wrapper_t private_ocsp_response_wrapper_t;
+
+/**
+ * private data of ocsp_response_wrapper
+ */
+struct private_ocsp_response_wrapper_t {
+
+	/**
+	 * public functions
+	 */
+	ocsp_response_wrapper_t public;
+
+	/**
+	 * wrapped OCSP response
+	 */
+	ocsp_response_t *response;
+};
+
+/**
+ * enumerator for ocsp_response_wrapper_t.create_cert_enumerator()
+ */
+typedef struct {
+	/** implements enumerator_t */
+	enumerator_t public;
+	/** enumerator over ocsp response */
+	enumerator_t *inner;
+	/** type of cert */
+	certificate_type_t cert;
+	/** type of key */
+	key_type_t key;
+	/** filtering identity */
+	identification_t *id;
+} wrapper_enumerator_t;
+
+/**
+ * enumerate function wrapper_enumerator_t
+ */
+static bool enumerate(wrapper_enumerator_t *this, certificate_t **cert)
+{
+	certificate_t *current;
+	public_key_t *public;
+
+	while (this->inner->enumerate(this->inner, &current))
+	{
+		if (this->cert != CERT_ANY && this->cert != current->get_type(current))
+		{	/* CERT type requested, but does not match */
+			continue;
+		}
+		public = current->get_public_key(current);
+		if (this->key != KEY_ANY && !public)
+		{	/* key type requested, but no public key */
+			DESTROY_IF(public);
+			continue;
+		}
+		if (this->key != KEY_ANY && public && this->key != public->get_type(public))
+		{	/* key type requested, but public key has another type */
+			DESTROY_IF(public);
+			continue;
+		}
+		DESTROY_IF(public);
+		if (this->id && !current->has_subject(current, this->id))
+		{	/* subject requested, but does not match */
+			continue;
+		}
+		*cert = current;
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/**
+ * destroy function for wrapper_enumerator_t
+ */
+static void enumerator_destroy(wrapper_enumerator_t *this)
+{
+	this->inner->destroy(this->inner);
+	free(this);
+}
+
+/**
+ * implementation of ocsp_response_wrapper_t.set.create_cert_enumerator
+ */
+static enumerator_t *create_enumerator(private_ocsp_response_wrapper_t *this,
+									   certificate_type_t cert, key_type_t key,
+									   identification_t *id, bool trusted)
+{
+	wrapper_enumerator_t *enumerator;
+
+	if (trusted)
+	{
+		return NULL;
+	}
+
+	enumerator = malloc_thing(wrapper_enumerator_t);
+	enumerator->cert = cert;
+	enumerator->key = key;
+	enumerator->id = id;
+	enumerator->inner = this->response->create_cert_enumerator(this->response);
+	enumerator->public.enumerate = (void*)enumerate;
+	enumerator->public.destroy = (void*)enumerator_destroy;
+	return &enumerator->public;
+}
+
+/**
+ * Implementation of ocsp_response_wrapper_t.destroy
+ */
+static void destroy(private_ocsp_response_wrapper_t *this)
+{
+	free(this);
+}
+
+/*
+ * see header file
+ */
+ocsp_response_wrapper_t *ocsp_response_wrapper_create(ocsp_response_t *response)
+{
+	private_ocsp_response_wrapper_t *this = malloc_thing(private_ocsp_response_wrapper_t);
+
+	this->public.set.create_private_enumerator = (void*)return_null;
+	this->public.set.create_cert_enumerator = (void*)create_enumerator;
+	this->public.set.create_shared_enumerator = (void*)return_null;
+	this->public.set.create_cdp_enumerator = (void*)return_null;
+	this->public.set.cache_cert = (void*)nop;
+	this->public.destroy = (void(*)(ocsp_response_wrapper_t*))destroy;
+
+	this->response = response;
+
+	return &this->public;
+}
diff --git a/src/libstrongswan/credentials/sets/ocsp_response_wrapper.h b/src/libstrongswan/credentials/sets/ocsp_response_wrapper.h
new file mode 100644
index 000000000..dc4b451df
--- /dev/null
+++ b/src/libstrongswan/credentials/sets/ocsp_response_wrapper.h
@@ -0,0 +1,53 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ocsp_response_wrapper ocsp_response_wrapper
+ * @{ @ingroup sets
+ */
+
+#ifndef OCSP_RESPONSE_WRAPPER_H_
+#define OCSP_RESPONSE_WRAPPER_H_
+
+#include <credentials/credential_set.h>
+#include <credentials/certificates/ocsp_response.h>
+
+typedef struct ocsp_response_wrapper_t ocsp_response_wrapper_t;
+
+/**
+ * A wrapper around ocsp_response_t to handle it like a credential set.
+ */
+struct ocsp_response_wrapper_t {
+
+	/**
+	 * implements credential_set_t
+	 */
+	credential_set_t set;
+
+	/**
+	 * Destroy a ocsp_response_wrapper instance.
+	 */
+	void (*destroy)(ocsp_response_wrapper_t *this);
+};
+
+/**
+ * Create a ocsp_response_wrapper instance.
+ *
+ * @param response	the wrapped OCSP response
+ * @return			wrapper around response
+ */
+ocsp_response_wrapper_t *ocsp_response_wrapper_create(ocsp_response_t *response);
+
+#endif /** OCSP_RESPONSE_WRAPPER_H_ @}*/
diff --git a/src/libstrongswan/library.c b/src/libstrongswan/library.c
index 108ac2ca0..b61bdf7a0 100644
--- a/src/libstrongswan/library.c
+++ b/src/libstrongswan/library.c
@@ -18,12 +18,13 @@
 
 #include <stdlib.h>
 
-#include "debug.h"
-#include "threading/thread.h"
-#include "utils/identification.h"
-#include "utils/host.h"
+#include <debug.h>
+#include <threading/thread.h>
+#include <utils/identification.h>
+#include <utils/host.h>
+#include <selectors/traffic_selector.h>
 #ifdef LEAK_DETECTIVE
-#include "utils/leak_detective.h"
+#include <utils/leak_detective.h>
 #endif
 
 #define CHECKSUM_LIBRARY IPSEC_DIR"/libchecksum.so"
@@ -59,9 +60,14 @@ library_t *lib;
 void library_deinit()
 {
 	private_library_t *this = (private_library_t*)lib;
+	bool detailed;
+
+	detailed = lib->settings->get_bool(lib->settings,
+								"libstrongswan.leak_detective.detailed", TRUE);
 
 	this->public.plugins->destroy(this->public.plugins);
 	this->public.settings->destroy(this->public.settings);
+	this->public.credmgr->destroy(this->public.credmgr);
 	this->public.creds->destroy(this->public.creds);
 	this->public.encoding->destroy(this->public.encoding);
 	this->public.crypto->destroy(this->public.crypto);
@@ -76,6 +82,7 @@ void library_deinit()
 #ifdef LEAK_DETECTIVE
 	if (this->detective)
 	{
+		this->detective->report(this->detective, detailed);
 		this->detective->destroy(this->detective);
 	}
 #endif /* LEAK_DETECTIVE */
@@ -124,11 +131,14 @@ bool library_init(char *settings)
 					 PRINTF_HOOK_ARGTYPE_END);
 	pfh->add_handler(pfh, 'Y', identification_printf_hook,
 					 PRINTF_HOOK_ARGTYPE_POINTER, PRINTF_HOOK_ARGTYPE_END);
+	pfh->add_handler(pfh, 'R', traffic_selector_printf_hook,
+					 PRINTF_HOOK_ARGTYPE_POINTER, PRINTF_HOOK_ARGTYPE_END);
 
 	this->public.settings = settings_create(settings);
 	this->public.crypto = crypto_factory_create();
 	this->public.creds = credential_factory_create();
-	this->public.encoding = key_encoding_create();
+	this->public.credmgr = credential_manager_create();
+	this->public.encoding = cred_encoding_create();
 	this->public.fetcher = fetcher_manager_create();
 	this->public.db = database_factory_create();
 	this->public.plugins = plugin_loader_create();
diff --git a/src/libstrongswan/library.h b/src/libstrongswan/library.h
index 241084155..cd5dfb479 100644
--- a/src/libstrongswan/library.h
+++ b/src/libstrongswan/library.h
@@ -28,6 +28,9 @@
  * @defgroup certificates certificates
  * @ingroup credentials
  *
+ * @defgroup sets sets
+ * @ingroup credentials
+ *
  * @defgroup crypto crypto
  * @ingroup libstrongswan
  *
@@ -65,7 +68,8 @@
 #include "fetcher/fetcher_manager.h"
 #include "database/database_factory.h"
 #include "credentials/credential_factory.h"
-#include "credentials/keys/key_encoding.h"
+#include "credentials/credential_manager.h"
+#include "credentials/cred_encoding.h"
 
 typedef struct library_t library_t;
 
@@ -90,9 +94,14 @@ struct library_t {
 	credential_factory_t *creds;
 
 	/**
-	 * key encoding registry and factory
+	 * Manager for the credential set backends
+	 */
+	credential_manager_t *credmgr;
+
+	/**
+	 * Credential encoding registry and factory
 	 */
-	key_encoding_t *encoding;
+	cred_encoding_t *encoding;
 
 	/**
 	 * URL fetching facility
diff --git a/src/libstrongswan/plugins/aes/Makefile.in b/src/libstrongswan/plugins/aes/Makefile.in
index 391d23049..9859b75cf 100644
--- a/src/libstrongswan/plugins/aes/Makefile.in
+++ b/src/libstrongswan/plugins/aes/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
diff --git a/src/libstrongswan/plugins/agent/Makefile.in b/src/libstrongswan/plugins/agent/Makefile.in
index bd6465374..c95e7b778 100644
--- a/src/libstrongswan/plugins/agent/Makefile.in
+++ b/src/libstrongswan/plugins/agent/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
diff --git a/src/libstrongswan/plugins/agent/agent_private_key.c b/src/libstrongswan/plugins/agent/agent_private_key.c
index 4247f849e..51ddbecc6 100644
--- a/src/libstrongswan/plugins/agent/agent_private_key.c
+++ b/src/libstrongswan/plugins/agent/agent_private_key.c
@@ -340,7 +340,7 @@ static public_key_t* get_public_key(private_agent_private_key_t *this)
  * Implementation of private_key_t.get_encoding
  */
 static bool get_encoding(private_agent_private_key_t *this,
-						 key_encoding_type_t type, chunk_t *encoding)
+						 cred_encoding_type_t type, chunk_t *encoding)
 {
 	return FALSE;
 }
@@ -349,7 +349,7 @@ static bool get_encoding(private_agent_private_key_t *this,
  * Implementation of private_key_t.get_fingerprint
  */
 static bool get_fingerprint(private_agent_private_key_t *this,
-							key_encoding_type_t type, chunk_t *fp)
+							cred_encoding_type_t type, chunk_t *fp)
 {
 	chunk_t n, e, key;
 
@@ -363,7 +363,7 @@ static bool get_fingerprint(private_agent_private_key_t *this,
 	n = read_string(&key);
 
 	return lib->encoding->encode(lib->encoding, type, this, fp,
-				KEY_PART_RSA_MODULUS, n, KEY_PART_RSA_PUB_EXP, e, KEY_PART_END);
+			CRED_PART_RSA_MODULUS, n, CRED_PART_RSA_PUB_EXP, e, CRED_PART_END);
 }
 
 /**
@@ -429,9 +429,9 @@ agent_private_key_t *agent_private_key_open(key_type_t type, va_list args)
 	this->public.interface.get_public_key = (public_key_t* (*)(private_key_t *this))get_public_key;
 	this->public.interface.belongs_to = private_key_belongs_to;
 	this->public.interface.equals = private_key_equals;
-	this->public.interface.get_fingerprint = (bool(*)(private_key_t*, key_encoding_type_t type, chunk_t *fp))get_fingerprint;
+	this->public.interface.get_fingerprint = (bool(*)(private_key_t*, cred_encoding_type_t type, chunk_t *fp))get_fingerprint;
 	this->public.interface.has_fingerprint = (bool(*)(private_key_t*, chunk_t fp))private_key_has_fingerprint;
-	this->public.interface.get_encoding = (bool(*)(private_key_t*, key_encoding_type_t type, chunk_t *encoding))get_encoding;
+	this->public.interface.get_encoding = (bool(*)(private_key_t*, cred_encoding_type_t type, chunk_t *encoding))get_encoding;
 	this->public.interface.get_ref = (private_key_t* (*)(private_key_t *this))get_ref;
 	this->public.interface.destroy = (void (*)(private_key_t *this))destroy;
 
diff --git a/src/libstrongswan/plugins/blowfish/Makefile.in b/src/libstrongswan/plugins/blowfish/Makefile.in
index f95a4abe5..6a82ce94a 100644
--- a/src/libstrongswan/plugins/blowfish/Makefile.in
+++ b/src/libstrongswan/plugins/blowfish/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
diff --git a/src/libstrongswan/plugins/curl/Makefile.in b/src/libstrongswan/plugins/curl/Makefile.in
index 1952b22e7..fc3b0ab1a 100644
--- a/src/libstrongswan/plugins/curl/Makefile.in
+++ b/src/libstrongswan/plugins/curl/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
diff --git a/src/libstrongswan/plugins/des/Makefile.in b/src/libstrongswan/plugins/des/Makefile.in
index af351cfe3..319baa04c 100644
--- a/src/libstrongswan/plugins/des/Makefile.in
+++ b/src/libstrongswan/plugins/des/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
diff --git a/src/libstrongswan/plugins/dnskey/Makefile.in b/src/libstrongswan/plugins/dnskey/Makefile.in
index 1f1f90127..73f81f4db 100644
--- a/src/libstrongswan/plugins/dnskey/Makefile.in
+++ b/src/libstrongswan/plugins/dnskey/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
diff --git a/src/libstrongswan/plugins/fips_prf/Makefile.in b/src/libstrongswan/plugins/fips_prf/Makefile.in
index 70553fbd8..4ed8276c4 100644
--- a/src/libstrongswan/plugins/fips_prf/Makefile.in
+++ b/src/libstrongswan/plugins/fips_prf/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
diff --git a/src/libstrongswan/plugins/gcrypt/Makefile.am b/src/libstrongswan/plugins/gcrypt/Makefile.am
index 48bf916ab..57f3f5016 100644
--- a/src/libstrongswan/plugins/gcrypt/Makefile.am
+++ b/src/libstrongswan/plugins/gcrypt/Makefile.am
@@ -19,4 +19,4 @@ libstrongswan_gcrypt_la_SOURCES = \
 	gcrypt_hasher.h gcrypt_hasher.c
 
 libstrongswan_gcrypt_la_LDFLAGS = -module -avoid-version
-libstrongswan_gcrypt_la_LIBADD  = -lgcrypt
+libstrongswan_gcrypt_la_LIBADD  = -lgcrypt -lgpg-error
diff --git a/src/libstrongswan/plugins/gcrypt/Makefile.in b/src/libstrongswan/plugins/gcrypt/Makefile.in
index 35829c950..09131c4be 100644
--- a/src/libstrongswan/plugins/gcrypt/Makefile.in
+++ b/src/libstrongswan/plugins/gcrypt/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -272,7 +272,7 @@ libstrongswan_gcrypt_la_SOURCES = \
 	gcrypt_hasher.h gcrypt_hasher.c
 
 libstrongswan_gcrypt_la_LDFLAGS = -module -avoid-version
-libstrongswan_gcrypt_la_LIBADD = -lgcrypt
+libstrongswan_gcrypt_la_LIBADD = -lgcrypt -lgpg-error
 all: all-am
 
 .SUFFIXES:
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c
index 2cb13c5f3..b8e86aba0 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c
@@ -308,7 +308,7 @@ static public_key_t* get_public_key(private_gcrypt_rsa_private_key_t *this)
  * Implementation of private_key_t.get_encoding
  */
 static bool get_encoding(private_gcrypt_rsa_private_key_t *this,
-						 key_encoding_type_t type, chunk_t *encoding)
+						 cred_encoding_type_t type, chunk_t *encoding)
 {
 	chunk_t cn, ce, cp, cq, cd, cu, cexp1 = chunk_empty, cexp2 = chunk_empty;
 	gcry_mpi_t p = NULL, q = NULL, d = NULL, exp1, exp2;
@@ -368,11 +368,11 @@ static bool get_encoding(private_gcrypt_rsa_private_key_t *this,
 	cu = gcrypt_rsa_find_token(this->key, "u", NULL);
 
 	success = lib->encoding->encode(lib->encoding, type, NULL, encoding,
-							KEY_PART_RSA_MODULUS, cn,
-							KEY_PART_RSA_PUB_EXP, ce, KEY_PART_RSA_PRIV_EXP, cd,
-							KEY_PART_RSA_PRIME1, cp, KEY_PART_RSA_PRIME2, cq,
-							KEY_PART_RSA_EXP1, cexp1, KEY_PART_RSA_EXP2, cexp2,
-							KEY_PART_RSA_COEFF, cu, KEY_PART_END);
+						CRED_PART_RSA_MODULUS, cn,
+						CRED_PART_RSA_PUB_EXP, ce, CRED_PART_RSA_PRIV_EXP, cd,
+						CRED_PART_RSA_PRIME1, cp, CRED_PART_RSA_PRIME2, cq,
+						CRED_PART_RSA_EXP1, cexp1, CRED_PART_RSA_EXP2, cexp2,
+						CRED_PART_RSA_COEFF, cu, CRED_PART_END);
 	chunk_free(&cn);
 	chunk_free(&ce);
 	chunk_clear(&cd);
@@ -389,7 +389,7 @@ static bool get_encoding(private_gcrypt_rsa_private_key_t *this,
  * Implementation of private_key_t.get_fingerprint
  */
 static bool get_fingerprint(private_gcrypt_rsa_private_key_t *this,
-							key_encoding_type_t type, chunk_t *fp)
+							cred_encoding_type_t type, chunk_t *fp)
 {
 	chunk_t n, e;
 	bool success;
@@ -402,8 +402,8 @@ static bool get_fingerprint(private_gcrypt_rsa_private_key_t *this,
 	e = gcrypt_rsa_find_token(this->key, "e", NULL);
 
 	success = lib->encoding->encode(lib->encoding,
-								type, this, fp, KEY_PART_RSA_MODULUS, n,
-								KEY_PART_RSA_PUB_EXP, e, KEY_PART_END);
+								type, this, fp, CRED_PART_RSA_MODULUS, n,
+								CRED_PART_RSA_PUB_EXP, e, CRED_PART_END);
 	chunk_free(&n);
 	chunk_free(&e);
 	return success;
@@ -445,9 +445,9 @@ static private_gcrypt_rsa_private_key_t *gcrypt_rsa_private_key_create_empty()
 	this->public.interface.get_public_key = (public_key_t* (*)(private_key_t *this))get_public_key;
 	this->public.interface.equals = private_key_equals;
 	this->public.interface.belongs_to = private_key_belongs_to;
-	this->public.interface.get_fingerprint = (bool(*)(private_key_t*, key_encoding_type_t type, chunk_t *fp))get_fingerprint;
+	this->public.interface.get_fingerprint = (bool(*)(private_key_t*, cred_encoding_type_t type, chunk_t *fp))get_fingerprint;
 	this->public.interface.has_fingerprint = (bool(*)(private_key_t*, chunk_t fp))private_key_has_fingerprint;
-	this->public.interface.get_encoding = (bool(*)(private_key_t*, key_encoding_type_t type, chunk_t *encoding))get_encoding;
+	this->public.interface.get_encoding = (bool(*)(private_key_t*, cred_encoding_type_t type, chunk_t *encoding))get_encoding;
 	this->public.interface.get_ref = (private_key_t* (*)(private_key_t *this))get_ref;
 	this->public.interface.destroy = (void (*)(private_key_t *this))destroy;
 
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c
index 5fd15d9a3..80a91b976 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c
@@ -240,7 +240,7 @@ static size_t get_keysize(private_gcrypt_rsa_public_key_t *this)
  * Implementation of private_key_t.get_encoding
  */
 static bool get_encoding(private_gcrypt_rsa_public_key_t *this,
-						 key_encoding_type_t type, chunk_t *encoding)
+						 cred_encoding_type_t type, chunk_t *encoding)
 {
 	chunk_t n, e;
 	bool success;
@@ -248,8 +248,8 @@ static bool get_encoding(private_gcrypt_rsa_public_key_t *this,
 	n = gcrypt_rsa_find_token(this->key, "n", NULL);
 	e = gcrypt_rsa_find_token(this->key, "e", NULL);
 	success = lib->encoding->encode(lib->encoding, type, NULL, encoding,
-							KEY_PART_RSA_MODULUS, n, KEY_PART_RSA_PUB_EXP, e,
-							KEY_PART_END);
+							CRED_PART_RSA_MODULUS, n, CRED_PART_RSA_PUB_EXP, e,
+							CRED_PART_END);
 	chunk_free(&n);
 	chunk_free(&e);
 
@@ -260,7 +260,7 @@ static bool get_encoding(private_gcrypt_rsa_public_key_t *this,
  * Implementation of private_key_t.get_fingerprint
  */
 static bool get_fingerprint(private_gcrypt_rsa_public_key_t *this,
-							key_encoding_type_t type, chunk_t *fp)
+							cred_encoding_type_t type, chunk_t *fp)
 {
 	chunk_t n, e;
 	bool success;
@@ -273,8 +273,8 @@ static bool get_fingerprint(private_gcrypt_rsa_public_key_t *this,
 	e = gcrypt_rsa_find_token(this->key, "e", NULL);
 
 	success = lib->encoding->encode(lib->encoding,
-								type, this, fp, KEY_PART_RSA_MODULUS, n,
-								KEY_PART_RSA_PUB_EXP, e, KEY_PART_END);
+								type, this, fp, CRED_PART_RSA_MODULUS, n,
+								CRED_PART_RSA_PUB_EXP, e, CRED_PART_END);
 	chunk_free(&n);
 	chunk_free(&e);
 	return success;
@@ -338,9 +338,9 @@ gcrypt_rsa_public_key_t *gcrypt_rsa_public_key_load(key_type_t type,
 	this->public.interface.encrypt = (bool (*)(public_key_t *this, chunk_t crypto, chunk_t *plain))encrypt_;
 	this->public.interface.equals = public_key_equals;
 	this->public.interface.get_keysize = (size_t (*) (public_key_t *this))get_keysize;
-	this->public.interface.get_fingerprint = (bool(*)(public_key_t*, key_encoding_type_t type, chunk_t *fp))get_fingerprint;
+	this->public.interface.get_fingerprint = (bool(*)(public_key_t*, cred_encoding_type_t type, chunk_t *fp))get_fingerprint;
 	this->public.interface.has_fingerprint = (bool(*)(public_key_t*, chunk_t fp))public_key_has_fingerprint;
-	this->public.interface.get_encoding = (bool(*)(public_key_t*, key_encoding_type_t type, chunk_t *encoding))get_encoding;
+	this->public.interface.get_encoding = (bool(*)(public_key_t*, cred_encoding_type_t type, chunk_t *encoding))get_encoding;
 	this->public.interface.get_ref = (public_key_t* (*)(public_key_t *this))get_ref;
 	this->public.interface.destroy = (void (*)(public_key_t *this))destroy;
 
diff --git a/src/libstrongswan/plugins/gmp/Makefile.in b/src/libstrongswan/plugins/gmp/Makefile.in
index 5c1a1fcd9..bd7100b27 100644
--- a/src/libstrongswan/plugins/gmp/Makefile.in
+++ b/src/libstrongswan/plugins/gmp/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c
index f70b0b545..cc9985320 100644
--- a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c
+++ b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c
@@ -403,7 +403,7 @@ static bool belongs_to(private_gmp_rsa_private_key_t *this, public_key_t *public
  * Implementation of private_key_t.get_encoding
  */
 static bool get_encoding(private_gmp_rsa_private_key_t *this,
-						 key_encoding_type_t type, chunk_t *encoding)
+						 cred_encoding_type_t type, chunk_t *encoding)
 {
 	chunk_t n, e, d, p, q, exp1, exp2, coeff;
 	bool success;
@@ -418,11 +418,11 @@ static bool get_encoding(private_gmp_rsa_private_key_t *this,
 	coeff = gmp_mpz_to_chunk(this->coeff);
 
 	success = lib->encoding->encode(lib->encoding,
-							type, NULL, encoding, KEY_PART_RSA_MODULUS, n,
-							KEY_PART_RSA_PUB_EXP, e, KEY_PART_RSA_PRIV_EXP, d,
-							KEY_PART_RSA_PRIME1, p, KEY_PART_RSA_PRIME2, q,
-							KEY_PART_RSA_EXP1, exp1, KEY_PART_RSA_EXP2, exp2,
-							KEY_PART_RSA_COEFF, coeff, KEY_PART_END);
+							type, NULL, encoding, CRED_PART_RSA_MODULUS, n,
+							CRED_PART_RSA_PUB_EXP, e, CRED_PART_RSA_PRIV_EXP, d,
+							CRED_PART_RSA_PRIME1, p, CRED_PART_RSA_PRIME2, q,
+							CRED_PART_RSA_EXP1, exp1, CRED_PART_RSA_EXP2, exp2,
+							CRED_PART_RSA_COEFF, coeff, CRED_PART_END);
 	chunk_free(&n);
 	chunk_free(&e);
 	chunk_clear(&d);
@@ -439,7 +439,7 @@ static bool get_encoding(private_gmp_rsa_private_key_t *this,
  * Implementation of private_key_t.get_fingerprint
  */
 static bool get_fingerprint(private_gmp_rsa_private_key_t *this,
-							key_encoding_type_t type, chunk_t *fp)
+							cred_encoding_type_t type, chunk_t *fp)
 {
 	chunk_t n, e;
 	bool success;
@@ -452,7 +452,7 @@ static bool get_fingerprint(private_gmp_rsa_private_key_t *this,
 	e = gmp_mpz_to_chunk(this->e);
 
 	success = lib->encoding->encode(lib->encoding, type, this, fp,
-				KEY_PART_RSA_MODULUS, n, KEY_PART_RSA_PUB_EXP, e, KEY_PART_END);
+			CRED_PART_RSA_MODULUS, n, CRED_PART_RSA_PUB_EXP, e, CRED_PART_END);
 	chunk_free(&n);
 	chunk_free(&e);
 
@@ -601,9 +601,9 @@ static private_gmp_rsa_private_key_t *gmp_rsa_private_key_create_empty(void)
 	this->public.interface.get_public_key = (public_key_t* (*) (private_key_t*))get_public_key;
 	this->public.interface.equals = (bool (*) (private_key_t*, private_key_t*))equals;
 	this->public.interface.belongs_to = (bool (*) (private_key_t*, public_key_t*))belongs_to;
-	this->public.interface.get_fingerprint = (bool(*)(private_key_t*, key_encoding_type_t type, chunk_t *fp))get_fingerprint;
+	this->public.interface.get_fingerprint = (bool(*)(private_key_t*, cred_encoding_type_t type, chunk_t *fp))get_fingerprint;
 	this->public.interface.has_fingerprint = (bool(*)(private_key_t*, chunk_t fp))private_key_has_fingerprint;
-	this->public.interface.get_encoding = (bool(*)(private_key_t*, key_encoding_type_t type, chunk_t *encoding))get_encoding;
+	this->public.interface.get_encoding = (bool(*)(private_key_t*, cred_encoding_type_t type, chunk_t *encoding))get_encoding;
 	this->public.interface.get_ref = (private_key_t* (*) (private_key_t*))get_ref;
 	this->public.interface.destroy = (void (*) (private_key_t*))destroy;
 
diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
index 98dbb1922..c114ae80d 100644
--- a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
+++ b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
@@ -396,7 +396,7 @@ static size_t get_keysize(private_gmp_rsa_public_key_t *this)
  * Implementation of public_key_t.get_encoding
  */
 static bool get_encoding(private_gmp_rsa_public_key_t *this,
-						 key_encoding_type_t type, chunk_t *encoding)
+						 cred_encoding_type_t type, chunk_t *encoding)
 {
 	chunk_t n, e;
 	bool success;
@@ -405,7 +405,7 @@ static bool get_encoding(private_gmp_rsa_public_key_t *this,
 	e = gmp_mpz_to_chunk(this->e);
 
 	success = lib->encoding->encode(lib->encoding, type, NULL, encoding,
-				KEY_PART_RSA_MODULUS, n, KEY_PART_RSA_PUB_EXP, e, KEY_PART_END);
+			CRED_PART_RSA_MODULUS, n, CRED_PART_RSA_PUB_EXP, e, CRED_PART_END);
 	chunk_free(&n);
 	chunk_free(&e);
 
@@ -416,7 +416,7 @@ static bool get_encoding(private_gmp_rsa_public_key_t *this,
  * Implementation of public_key_t.get_fingerprint
  */
 static bool get_fingerprint(private_gmp_rsa_public_key_t *this,
-							key_encoding_type_t type, chunk_t *fp)
+							cred_encoding_type_t type, chunk_t *fp)
 {
 	chunk_t n, e;
 	bool success;
@@ -429,7 +429,7 @@ static bool get_fingerprint(private_gmp_rsa_public_key_t *this,
 	e = gmp_mpz_to_chunk(this->e);
 
 	success = lib->encoding->encode(lib->encoding, type, this, fp,
-				KEY_PART_RSA_MODULUS, n, KEY_PART_RSA_PUB_EXP, e, KEY_PART_END);
+			CRED_PART_RSA_MODULUS, n, CRED_PART_RSA_PUB_EXP, e, CRED_PART_END);
 	chunk_free(&n);
 	chunk_free(&e);
 
@@ -497,9 +497,9 @@ gmp_rsa_public_key_t *gmp_rsa_public_key_load(key_type_t type, va_list args)
 	this->public.interface.encrypt = (bool (*) (public_key_t*, chunk_t, chunk_t*))encrypt_;
 	this->public.interface.equals = (bool (*) (public_key_t*, public_key_t*))equals;
 	this->public.interface.get_keysize = (size_t (*) (public_key_t*))get_keysize;
-	this->public.interface.get_fingerprint = (bool(*)(public_key_t*, key_encoding_type_t type, chunk_t *fp))get_fingerprint;
+	this->public.interface.get_fingerprint = (bool(*)(public_key_t*, cred_encoding_type_t type, chunk_t *fp))get_fingerprint;
 	this->public.interface.has_fingerprint = (bool(*)(public_key_t*, chunk_t fp))public_key_has_fingerprint;
-	this->public.interface.get_encoding = (bool(*)(public_key_t*, key_encoding_type_t type, chunk_t *encoding))get_encoding;
+	this->public.interface.get_encoding = (bool(*)(public_key_t*, cred_encoding_type_t type, chunk_t *encoding))get_encoding;
 	this->public.interface.get_ref = (public_key_t* (*) (public_key_t *this))get_ref;
 	this->public.interface.destroy = (void (*) (public_key_t *this))destroy;
 
diff --git a/src/libstrongswan/plugins/hmac/Makefile.in b/src/libstrongswan/plugins/hmac/Makefile.in
index c965f7392..b03ff44a6 100644
--- a/src/libstrongswan/plugins/hmac/Makefile.in
+++ b/src/libstrongswan/plugins/hmac/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
diff --git a/src/libstrongswan/plugins/ldap/Makefile.in b/src/libstrongswan/plugins/ldap/Makefile.in
index 3b69f082f..b96fd5abf 100644
--- a/src/libstrongswan/plugins/ldap/Makefile.in
+++ b/src/libstrongswan/plugins/ldap/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
diff --git a/src/libstrongswan/plugins/md4/Makefile.in b/src/libstrongswan/plugins/md4/Makefile.in
index cb3307bbc..874ee07a2 100644
--- a/src/libstrongswan/plugins/md4/Makefile.in
+++ b/src/libstrongswan/plugins/md4/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
diff --git a/src/libstrongswan/plugins/md5/Makefile.in b/src/libstrongswan/plugins/md5/Makefile.in
index 8948ddcc5..cc32bca88 100644
--- a/src/libstrongswan/plugins/md5/Makefile.in
+++ b/src/libstrongswan/plugins/md5/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
diff --git a/src/libstrongswan/plugins/mysql/Makefile.in b/src/libstrongswan/plugins/mysql/Makefile.in
index 1a97c620e..83c1188b6 100644
--- a/src/libstrongswan/plugins/mysql/Makefile.in
+++ b/src/libstrongswan/plugins/mysql/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
diff --git a/src/libstrongswan/plugins/openssl/Makefile.am b/src/libstrongswan/plugins/openssl/Makefile.am
index a50799798..5c845a19c 100644
--- a/src/libstrongswan/plugins/openssl/Makefile.am
+++ b/src/libstrongswan/plugins/openssl/Makefile.am
@@ -20,7 +20,9 @@ libstrongswan_openssl_la_SOURCES = \
 	openssl_rsa_public_key.c openssl_rsa_public_key.h \
 	openssl_ec_diffie_hellman.c openssl_ec_diffie_hellman.h \
 	openssl_ec_private_key.c openssl_ec_private_key.h \
-	openssl_ec_public_key.c openssl_ec_public_key.h
+	openssl_ec_public_key.c openssl_ec_public_key.h \
+	openssl_x509.c openssl_x509.h \
+	openssl_crl.c openssl_crl.h
 
 libstrongswan_openssl_la_LDFLAGS = -module -avoid-version
 libstrongswan_openssl_la_LIBADD  = -lcrypto
diff --git a/src/libstrongswan/plugins/openssl/Makefile.in b/src/libstrongswan/plugins/openssl/Makefile.in
index a2a931d42..de9df7271 100644
--- a/src/libstrongswan/plugins/openssl/Makefile.in
+++ b/src/libstrongswan/plugins/openssl/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -79,7 +79,7 @@ am_libstrongswan_openssl_la_OBJECTS = openssl_plugin.lo \
 	openssl_sha1_prf.lo openssl_diffie_hellman.lo \
 	openssl_rsa_private_key.lo openssl_rsa_public_key.lo \
 	openssl_ec_diffie_hellman.lo openssl_ec_private_key.lo \
-	openssl_ec_public_key.lo
+	openssl_ec_public_key.lo openssl_x509.lo openssl_crl.lo
 libstrongswan_openssl_la_OBJECTS =  \
 	$(am_libstrongswan_openssl_la_OBJECTS)
 libstrongswan_openssl_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
@@ -276,7 +276,9 @@ libstrongswan_openssl_la_SOURCES = \
 	openssl_rsa_public_key.c openssl_rsa_public_key.h \
 	openssl_ec_diffie_hellman.c openssl_ec_diffie_hellman.h \
 	openssl_ec_private_key.c openssl_ec_private_key.h \
-	openssl_ec_public_key.c openssl_ec_public_key.h
+	openssl_ec_public_key.c openssl_ec_public_key.h \
+	openssl_x509.c openssl_x509.h \
+	openssl_crl.c openssl_crl.h
 
 libstrongswan_openssl_la_LDFLAGS = -module -avoid-version
 libstrongswan_openssl_la_LIBADD = -lcrypto
@@ -363,6 +365,7 @@ mostlyclean-compile:
 distclean-compile:
 	-rm -f *.tab.c
 
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_crl.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_crypter.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_diffie_hellman.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_ec_diffie_hellman.Plo@am__quote@
@@ -374,6 +377,7 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_rsa_public_key.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_sha1_prf.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_util.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_x509.Plo@am__quote@
 
 .c.o:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
diff --git a/src/libstrongswan/plugins/openssl/openssl_crl.c b/src/libstrongswan/plugins/openssl/openssl_crl.c
new file mode 100644
index 000000000..5645d72d7
--- /dev/null
+++ b/src/libstrongswan/plugins/openssl/openssl_crl.c
@@ -0,0 +1,530 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/*
+ * Copyright (C) 2010 secunet Security Networks AG
+ * Copyright (C) 2010 Thomas Egerer
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+#include "openssl_crl.h"
+#include "openssl_util.h"
+
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+
+#include <debug.h>
+#include <utils/enumerator.h>
+#include <credentials/certificates/x509.h>
+
+typedef struct private_openssl_crl_t private_openssl_crl_t;
+
+/**
+ * Private data of an openssl_crl_t object.
+ */
+struct private_openssl_crl_t {
+
+	/**
+	 * Public openssl_crl_t interface.
+	 */
+	openssl_crl_t public;
+
+	/**
+	 * OpenSSL representation of a CRL
+	 */
+	X509_CRL *crl;
+
+	/**
+	 * DER encoding of the CRL
+	 */
+	chunk_t encoding;
+
+	/**
+	 * Serial Number (crlNumber) of the CRL)
+	 */
+	chunk_t serial;
+
+	/**
+	 * AuthorityKeyIdentifier of the issuing CA
+	 */
+	chunk_t authKeyIdentifier;
+
+	/**
+	 * Date of this CRL
+	 */
+	time_t thisUpdate;
+
+	/**
+	 * Date of next CRL expected
+	 */
+	time_t nextUpdate;
+
+	/**
+	 * Issuer of this CRL
+	 */
+	identification_t *issuer;
+
+	/**
+	 * Signature scheme used in this CRL
+	 */
+	signature_scheme_t scheme;
+
+	/**
+	 * References to this CRL
+	 */
+	refcount_t ref;
+};
+
+/**
+ * Enumerator over revoked certificates
+ */
+typedef struct {
+	/**
+	 * Implements enumerator_t
+	 */
+	enumerator_t public;
+
+	/**
+	 * stack of revoked certificates
+	 */
+	STACK_OF(X509_REVOKED) *stack;
+
+	/**
+	 * Total number of revoked certificates
+	 */
+	int num;
+
+	/**
+	 * Current position of enumerator
+	 */
+	int i;
+} crl_enumerator_t;
+
+
+METHOD(enumerator_t, crl_enumerate, bool,
+	crl_enumerator_t *this, chunk_t *serial, time_t *date, crl_reason_t *reason)
+{
+	if (this->i < this->num)
+	{
+		X509_REVOKED *revoked;
+		ASN1_ENUMERATED *crlrsn;
+
+		revoked = sk_X509_REVOKED_value(this->stack, this->i);
+		if (serial)
+		{
+			*serial = openssl_asn1_str2chunk(revoked->serialNumber);
+		}
+		if (date)
+		{
+			*date = openssl_asn1_to_time(revoked->revocationDate);
+		}
+		if (reason)
+		{
+			*reason = CRL_REASON_UNSPECIFIED;
+			crlrsn = X509_REVOKED_get_ext_d2i(revoked, NID_crl_reason,
+											  NULL, NULL);
+			if (crlrsn)
+			{
+				if (ASN1_STRING_type(crlrsn) == V_ASN1_ENUMERATED &&
+					ASN1_STRING_length(crlrsn) == 1)
+				{
+					*reason = *ASN1_STRING_data(crlrsn);
+				}
+				ASN1_STRING_free(crlrsn);
+			}
+		}
+		this->i++;
+		return TRUE;
+	}
+	return FALSE;
+}
+
+METHOD(crl_t, create_enumerator, enumerator_t*,
+	private_openssl_crl_t *this)
+{
+	crl_enumerator_t *enumerator;
+
+	INIT(enumerator,
+		.public = {
+			.enumerate = (void*)_crl_enumerate,
+			.destroy = (void*)free,
+		},
+		.stack = X509_CRL_get_REVOKED(this->crl),
+	);
+	if (!enumerator->stack)
+	{
+		free(enumerator);
+		return enumerator_create_empty();
+	}
+	enumerator->num = sk_X509_EXTENSION_num(enumerator->stack);
+	return &enumerator->public;
+}
+
+METHOD(crl_t, get_serial, chunk_t,
+	private_openssl_crl_t *this)
+{
+	return this->serial;
+}
+
+METHOD(crl_t, get_authKeyIdentifier, chunk_t,
+	private_openssl_crl_t *this)
+{
+	return this->authKeyIdentifier;
+}
+
+METHOD(certificate_t, get_type, certificate_type_t,
+	private_openssl_crl_t *this)
+{
+	return CERT_X509_CRL;
+}
+
+METHOD(certificate_t, get_subject_or_issuer, identification_t*,
+	private_openssl_crl_t *this)
+{
+	return this->issuer;
+}
+
+METHOD(certificate_t, has_subject_or_issuer, id_match_t,
+	private_openssl_crl_t *this, identification_t *id)
+{
+	if (id->get_type(id) == ID_KEY_ID &&
+		chunk_equals(this->authKeyIdentifier, id->get_encoding(id)))
+	{
+		return ID_MATCH_PERFECT;
+	}
+	return this->issuer->matches(this->issuer, id);
+}
+
+METHOD(certificate_t, issued_by, bool,
+	private_openssl_crl_t *this, certificate_t *issuer)
+{
+	chunk_t fingerprint, tbs;
+	public_key_t *key;
+	x509_t *x509;
+	bool valid;
+
+	if (issuer->get_type(issuer) != CERT_X509)
+	{
+		return FALSE;
+	}
+	x509 = (x509_t*)issuer;
+	if (!(x509->get_flags(x509) & X509_CA))
+	{
+		return FALSE;
+	}
+	key = issuer->get_public_key(issuer);
+	if (!key)
+	{
+		return FALSE;
+	}
+	if (this->authKeyIdentifier.ptr && key)
+	{
+		if (!key->get_fingerprint(key, KEYID_PUBKEY_SHA1, &fingerprint) ||
+			!chunk_equals(fingerprint, this->authKeyIdentifier))
+		{
+			return FALSE;
+		}
+	}
+	else
+	{
+		if (!this->issuer->equals(this->issuer, issuer->get_subject(issuer)))
+		{
+			return FALSE;
+		}
+	}
+	if (this->scheme == SIGN_UNKNOWN)
+	{
+		return FALSE;
+	}
+	tbs = openssl_i2chunk(X509_CRL_INFO, this->crl->crl);
+	valid = key->verify(key, this->scheme, tbs,
+						openssl_asn1_str2chunk(this->crl->signature));
+	free(tbs.ptr);
+	key->destroy(key);
+	return valid;
+}
+
+METHOD(certificate_t, get_public_key, public_key_t*,
+	private_openssl_crl_t *this)
+{
+	return NULL;
+}
+
+METHOD(certificate_t, get_validity, bool,
+	private_openssl_crl_t *this,
+	time_t *when, time_t *not_before, time_t *not_after)
+{
+	time_t t = when ? *when : time(NULL);
+
+	if (not_before)
+	{
+		*not_before = this->thisUpdate;
+	}
+	if (not_after)
+	{
+		*not_after = this->nextUpdate;
+	}
+	return t <= this->nextUpdate;
+}
+
+METHOD(certificate_t, get_encoding, bool,
+	private_openssl_crl_t *this, cred_encoding_type_t type, chunk_t *encoding)
+{
+	if (type == CERT_ASN1_DER)
+	{
+		*encoding = chunk_clone(this->encoding);
+		return TRUE;
+	}
+	return lib->encoding->encode(lib->encoding, type, NULL, encoding,
+					CRED_PART_X509_CRL_ASN1_DER, this->encoding, CRED_PART_END);
+}
+
+METHOD(certificate_t, equals, bool,
+	private_openssl_crl_t *this, certificate_t *other)
+{
+	chunk_t encoding;
+	bool equal;
+
+	if (&this->public.crl.certificate == other)
+	{
+		return TRUE;
+	}
+	if (other->equals == (void*)equals)
+	{	/* skip allocation if we have the same implementation */
+		return chunk_equals(this->encoding,
+							((private_openssl_crl_t*)other)->encoding);
+	}
+	if (!other->get_encoding(other, CERT_ASN1_DER, &encoding))
+	{
+		return FALSE;
+	}
+	equal = chunk_equals(this->encoding, encoding);
+	free(encoding.ptr);
+	return equal;
+}
+
+METHOD(certificate_t, get_ref, certificate_t*,
+	private_openssl_crl_t *this)
+{
+	ref_get(&this->ref);
+	return &this->public.crl.certificate;
+}
+
+METHOD(certificate_t, destroy, void,
+	private_openssl_crl_t *this)
+{
+	if (ref_put(&this->ref))
+	{
+		if (this->crl)
+		{
+			X509_CRL_free(this->crl);
+		}
+		DESTROY_IF(this->issuer);
+		free(this->authKeyIdentifier.ptr);
+		free(this->serial.ptr);
+		free(this->encoding.ptr);
+		free(this);
+	}
+}
+
+/**
+ * Create an empty CRL.
+ */
+static private_openssl_crl_t *create_empty()
+{
+	private_openssl_crl_t *this;
+
+	INIT(this,
+		.public = {
+			.crl = {
+				.certificate = {
+					.get_type = _get_type,
+					.get_subject = _get_subject_or_issuer,
+					.get_issuer = _get_subject_or_issuer,
+					.has_subject = _has_subject_or_issuer,
+					.has_issuer = _has_subject_or_issuer,
+					.issued_by = _issued_by,
+					.get_public_key = _get_public_key,
+					.get_validity = _get_validity,
+					.get_encoding = _get_encoding,
+					.equals = _equals,
+					.get_ref = _get_ref,
+					.destroy = _destroy,
+				},
+				.get_serial = _get_serial,
+				.get_authKeyIdentifier = _get_authKeyIdentifier,
+				.create_enumerator = _create_enumerator,
+			},
+		},
+		.ref = 1,
+	);
+	return this;
+}
+
+/**
+ * Parse the authKeyIdentifier extension
+ */
+static bool parse_authKeyIdentifier_ext(private_openssl_crl_t *this,
+										X509_EXTENSION *ext)
+{
+	AUTHORITY_KEYID *keyid;
+
+	keyid = (AUTHORITY_KEYID *)X509V3_EXT_d2i(ext);
+	if (keyid)
+	{
+		free(this->authKeyIdentifier.ptr);
+		this->authKeyIdentifier = chunk_clone(
+						openssl_asn1_str2chunk(keyid->keyid));
+		AUTHORITY_KEYID_free(keyid);
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/**
+ * Parse the crlNumber extension
+ */
+static bool parse_crlNumber_ext(private_openssl_crl_t *this,
+								X509_EXTENSION *ext)
+{
+	free(this->serial.ptr);
+	this->serial = chunk_clone(
+						openssl_asn1_str2chunk(X509_EXTENSION_get_data(ext)));
+	return this->serial.len != 0;
+}
+
+/**
+ * Parse X509 CRL extensions
+ */
+static bool parse_extensions(private_openssl_crl_t *this)
+{
+	bool ok;
+	int i, num;
+	X509_EXTENSION *ext;
+	STACK_OF(X509_EXTENSION) *extensions;
+
+	extensions = this->crl->crl->extensions;
+	if (extensions)
+	{
+		num = sk_X509_EXTENSION_num(extensions);
+		for (i = 0; i < num; ++i)
+		{
+			ext = sk_X509_EXTENSION_value(extensions, i);
+
+			switch (OBJ_obj2nid(X509_EXTENSION_get_object(ext)))
+			{
+				case NID_authority_key_identifier:
+					ok = parse_authKeyIdentifier_ext(this, ext);
+					break;
+				case NID_crl_number:
+					ok = parse_crlNumber_ext(this, ext);
+					break;
+				default:
+					ok = TRUE;
+					break;
+			}
+			if (!ok)
+			{
+				return FALSE;
+			}
+		}
+	}
+	return TRUE;
+}
+
+/**
+ * Parse a X509 CRL
+ */
+static bool parse_crl(private_openssl_crl_t *this)
+{
+	const unsigned char *ptr = this->encoding.ptr;
+
+	this->crl = d2i_X509_CRL(NULL, &ptr, this->encoding.len);
+	if (!this->crl)
+	{
+		return FALSE;
+	}
+
+	if (!chunk_equals(
+			openssl_asn1_obj2chunk(this->crl->crl->sig_alg->algorithm),
+			openssl_asn1_obj2chunk(this->crl->sig_alg->algorithm)))
+	{
+		return FALSE;
+	}
+	this->scheme = signature_scheme_from_oid(openssl_asn1_known_oid(
+												this->crl->sig_alg->algorithm));
+
+	this->issuer = openssl_x509_name2id(X509_CRL_get_issuer(this->crl));
+	if (!this->issuer)
+	{
+		return FALSE;
+	}
+	this->thisUpdate = openssl_asn1_to_time(X509_CRL_get_lastUpdate(this->crl));
+	this->nextUpdate = openssl_asn1_to_time(X509_CRL_get_nextUpdate(this->crl));
+
+	return parse_extensions(this);
+}
+
+/**
+ * Load the CRL.
+ */
+openssl_crl_t *openssl_crl_load(certificate_type_t type, va_list args)
+{
+	chunk_t blob = chunk_empty;
+
+	while (TRUE)
+	{
+		switch (va_arg(args, builder_part_t))
+		{
+			case BUILD_BLOB_ASN1_DER:
+				blob = va_arg(args, chunk_t);
+				continue;
+			case BUILD_END:
+				break;
+			default:
+				return NULL;
+		}
+		break;
+	}
+	if (blob.ptr)
+	{
+		private_openssl_crl_t *this = create_empty();
+
+		this->encoding = chunk_clone(blob);
+		if (parse_crl(this))
+		{
+			return &this->public;
+		}
+		destroy(this);
+	}
+	return NULL;
+}
diff --git a/src/libstrongswan/plugins/openssl/openssl_crl.h b/src/libstrongswan/plugins/openssl/openssl_crl.h
new file mode 100644
index 000000000..a0837cf50
--- /dev/null
+++ b/src/libstrongswan/plugins/openssl/openssl_crl.h
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup openssl_crl openssl_crl
+ * @{ @ingroup openssl_p
+ */
+
+#ifndef OPENSSL_CRL_H_
+#define OPENSSL_CRL_H_
+
+typedef struct openssl_crl_t openssl_crl_t;
+
+#include <credentials/certificates/crl.h>
+
+/**
+ * X.509 Certificate Revocation list implemented with OpenSSL.
+ */
+struct openssl_crl_t {
+
+	/**
+	 * Implements the crl_t interface.
+	 */
+	crl_t crl;
+};
+
+/**
+ * Load a X.509 CRL using OpenSSL.
+ *
+ * @param type		certificate type, CERT_X509_CRL only
+ * @param args		builder_part_t argument list
+ * @return			X.509 CRL, NULL on failure
+ */
+openssl_crl_t *openssl_crl_load(certificate_type_t type, va_list args);
+
+#endif /** OPENSSL_CRL_H_ @}*/
diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
index faec411cd..a53e8aea0 100644
--- a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
+++ b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
@@ -13,6 +13,10 @@
  * for more details.
  */
 
+#include <openssl/opensslconf.h>
+
+#ifndef OPENSSL_NO_EC
+
 #include <openssl/ec.h>
 #include <openssl/objects.h>
 
@@ -331,3 +335,5 @@ openssl_ec_diffie_hellman_t *openssl_ec_diffie_hellman_create(diffie_hellman_gro
 
 	return &this->public;
 }
+#endif /* OPENSSL_NO_EC */
+
diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c b/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c
index bdcfda974..281155913 100644
--- a/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c
@@ -14,6 +14,10 @@
  * for more details.
  */
 
+#include <openssl/opensslconf.h>
+
+#ifndef OPENSSL_NO_EC
+
 #include "openssl_ec_private_key.h"
 #include "openssl_ec_public_key.h"
 #include "openssl_util.h"
@@ -47,7 +51,7 @@ struct private_openssl_ec_private_key_t {
 };
 
 /* from ec public key */
-bool openssl_ec_fingerprint(EC_KEY *ec, key_encoding_type_t type, chunk_t *fp);
+bool openssl_ec_fingerprint(EC_KEY *ec, cred_encoding_type_t type, chunk_t *fp);
 
 /**
  * Build a signature as in RFC 4754
@@ -217,7 +221,7 @@ static public_key_t* get_public_key(private_openssl_ec_private_key_t *this)
  * Implementation of private_key_t.get_fingerprint.
  */
 static bool get_fingerprint(private_openssl_ec_private_key_t *this,
-							key_encoding_type_t type, chunk_t *fingerprint)
+							cred_encoding_type_t type, chunk_t *fingerprint)
 {
 	return openssl_ec_fingerprint(this->ec, type, fingerprint);
 }
@@ -226,14 +230,14 @@ static bool get_fingerprint(private_openssl_ec_private_key_t *this,
  * Implementation of private_key_t.get_encoding.
  */
 static bool get_encoding(private_openssl_ec_private_key_t *this,
-						 key_encoding_type_t type, chunk_t *encoding)
+						 cred_encoding_type_t type, chunk_t *encoding)
 {
 	u_char *p;
 
 	switch (type)
 	{
-		case KEY_PRIV_ASN1_DER:
-		case KEY_PRIV_PEM:
+		case PRIVKEY_ASN1_DER:
+		case PRIVKEY_PEM:
 		{
 			bool success = TRUE;
 
@@ -241,13 +245,13 @@ static bool get_encoding(private_openssl_ec_private_key_t *this,
 			p = encoding->ptr;
 			i2d_ECPrivateKey(this->ec, &p);
 
-			if (type == KEY_PRIV_PEM)
+			if (type == PRIVKEY_PEM)
 			{
 				chunk_t asn1_encoding = *encoding;
 
-				success = lib->encoding->encode(lib->encoding, KEY_PRIV_PEM,
-								NULL, encoding, KEY_PART_ECDSA_PRIV_ASN1_DER,
-								asn1_encoding, KEY_PART_END);
+				success = lib->encoding->encode(lib->encoding, PRIVKEY_PEM,
+								NULL, encoding, CRED_PART_ECDSA_PRIV_ASN1_DER,
+								asn1_encoding, CRED_PART_END);
 				chunk_clear(&asn1_encoding);
 			}
 			return success;
@@ -296,9 +300,9 @@ static private_openssl_ec_private_key_t *create_empty(void)
 	this->public.interface.get_public_key = (public_key_t* (*)(private_key_t *this))get_public_key;
 	this->public.interface.equals = private_key_equals;
 	this->public.interface.belongs_to = private_key_belongs_to;
-	this->public.interface.get_fingerprint = (bool(*)(private_key_t*, key_encoding_type_t type, chunk_t *fp))get_fingerprint;
+	this->public.interface.get_fingerprint = (bool(*)(private_key_t*, cred_encoding_type_t type, chunk_t *fp))get_fingerprint;
 	this->public.interface.has_fingerprint = (bool(*)(private_key_t*, chunk_t fp))private_key_has_fingerprint;
-	this->public.interface.get_encoding = (bool(*)(private_key_t*, key_encoding_type_t type, chunk_t *encoding))get_encoding;
+	this->public.interface.get_encoding = (bool(*)(private_key_t*, cred_encoding_type_t type, chunk_t *encoding))get_encoding;
 	this->public.interface.get_ref = (private_key_t* (*)(private_key_t *this))get_ref;
 	this->public.interface.destroy = (void (*)(private_key_t *this))destroy;
 
@@ -402,4 +406,5 @@ openssl_ec_private_key_t *openssl_ec_private_key_load(key_type_t type,
 	}
 	return &this->public;
 }
+#endif /* OPENSSL_NO_EC */
 
diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c b/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c
index 790a8487d..def36c92f 100644
--- a/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c
@@ -14,6 +14,10 @@
  * for more details.
  */
 
+#include <openssl/opensslconf.h>
+
+#ifndef OPENSSL_NO_EC
+
 #include "openssl_ec_public_key.h"
 #include "openssl_util.h"
 
@@ -189,7 +193,7 @@ static size_t get_keysize(private_openssl_ec_public_key_t *this)
 /**
  * Calculate fingerprint from a EC_KEY, also used in ec private key.
  */
-bool openssl_ec_fingerprint(EC_KEY *ec, key_encoding_type_t type, chunk_t *fp)
+bool openssl_ec_fingerprint(EC_KEY *ec, cred_encoding_type_t type, chunk_t *fp)
 {
 	hasher_t *hasher;
 	chunk_t key;
@@ -201,12 +205,12 @@ bool openssl_ec_fingerprint(EC_KEY *ec, key_encoding_type_t type, chunk_t *fp)
 	}
 	switch (type)
 	{
-		case KEY_ID_PUBKEY_SHA1:
+		case KEYID_PUBKEY_SHA1:
 			key = chunk_alloc(i2o_ECPublicKey(ec, NULL));
 			p = key.ptr;
 			i2o_ECPublicKey(ec, &p);
 			break;
-		case KEY_ID_PUBKEY_INFO_SHA1:
+		case KEYID_PUBKEY_INFO_SHA1:
 			key = chunk_alloc(i2d_EC_PUBKEY(ec, NULL));
 			p = key.ptr;
 			i2d_EC_PUBKEY(ec, &p);
@@ -232,7 +236,7 @@ bool openssl_ec_fingerprint(EC_KEY *ec, key_encoding_type_t type, chunk_t *fp)
  * Implementation of private_key_t.get_fingerprint.
  */
 static bool get_fingerprint(private_openssl_ec_public_key_t *this,
-							key_encoding_type_t type, chunk_t *fingerprint)
+							cred_encoding_type_t type, chunk_t *fingerprint)
 {
 	return openssl_ec_fingerprint(this->ec, type, fingerprint);
 }
@@ -241,14 +245,14 @@ static bool get_fingerprint(private_openssl_ec_public_key_t *this,
  * Implementation of private_key_t.get_encoding.
  */
 static bool get_encoding(private_openssl_ec_public_key_t *this,
-						 key_encoding_type_t type, chunk_t *encoding)
+						 cred_encoding_type_t type, chunk_t *encoding)
 {
 	u_char *p;
 
 	switch (type)
 	{
-		case KEY_PUB_SPKI_ASN1_DER:
-		case KEY_PUB_PEM:
+		case PUBKEY_SPKI_ASN1_DER:
+		case PUBKEY_PEM:
 		{
 			bool success = TRUE;
 
@@ -256,13 +260,13 @@ static bool get_encoding(private_openssl_ec_public_key_t *this,
 			p = encoding->ptr;
 			i2d_EC_PUBKEY(this->ec, &p);
 
-			if (type == KEY_PUB_PEM)
+			if (type == PUBKEY_PEM)
 			{
 				chunk_t asn1_encoding = *encoding;
 
-				success = lib->encoding->encode(lib->encoding, KEY_PUB_PEM,
-								NULL, encoding, KEY_PART_ECDSA_PUB_ASN1_DER,
-								asn1_encoding, KEY_PART_END);
+				success = lib->encoding->encode(lib->encoding, PUBKEY_PEM,
+								NULL, encoding, CRED_PART_ECDSA_PUB_ASN1_DER,
+								asn1_encoding, CRED_PART_END);
 				chunk_clear(&asn1_encoding);
 			}
 			return success;
@@ -309,9 +313,9 @@ static private_openssl_ec_public_key_t *create_empty()
 	this->public.interface.encrypt = (bool (*)(public_key_t *this, chunk_t crypto, chunk_t *plain))encrypt_;
 	this->public.interface.get_keysize = (size_t (*) (public_key_t *this))get_keysize;
 	this->public.interface.equals = public_key_equals;
-	this->public.interface.get_fingerprint = (bool(*)(public_key_t*, key_encoding_type_t type, chunk_t *fp))get_fingerprint;
+	this->public.interface.get_fingerprint = (bool(*)(public_key_t*, cred_encoding_type_t type, chunk_t *fp))get_fingerprint;
 	this->public.interface.has_fingerprint = (bool(*)(public_key_t*, chunk_t fp))public_key_has_fingerprint;
-	this->public.interface.get_encoding = (bool(*)(public_key_t*, key_encoding_type_t type, chunk_t *encoding))get_encoding;
+	this->public.interface.get_encoding = (bool(*)(public_key_t*, cred_encoding_type_t type, chunk_t *encoding))get_encoding;
 	this->public.interface.get_ref = (public_key_t* (*)(public_key_t *this))get_ref;
 	this->public.interface.destroy = (void (*)(public_key_t *this))destroy;
 
@@ -358,4 +362,5 @@ openssl_ec_public_key_t *openssl_ec_public_key_load(key_type_t type,
 	}
 	return &this->public;
 }
+#endif /* OPENSSL_NO_EC */
 
diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c
index c1545ffb8..31697dcb8 100644
--- a/src/libstrongswan/plugins/openssl/openssl_plugin.c
+++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c
@@ -14,10 +14,12 @@
  * for more details.
  */
 
-#include <openssl/conf.h>
 #include <openssl/evp.h>
-#include <openssl/engine.h>
+#include <openssl/conf.h>
 #include <openssl/crypto.h>
+#ifndef OPENSSL_NO_ENGINE
+#include <openssl/engine.h>
+#endif
 
 #include "openssl_plugin.h"
 
@@ -34,6 +36,8 @@
 #include "openssl_rsa_public_key.h"
 #include "openssl_ec_private_key.h"
 #include "openssl_ec_public_key.h"
+#include "openssl_x509.h"
+#include "openssl_crl.h"
 
 typedef struct private_openssl_plugin_t private_openssl_plugin_t;
 
@@ -175,8 +179,6 @@ static void destroy(private_openssl_plugin_t *this)
 					(prf_constructor_t)openssl_sha1_prf_create);
 	lib->crypto->remove_dh(lib->crypto,
 					(dh_constructor_t)openssl_diffie_hellman_create);
-	lib->crypto->remove_dh(lib->crypto,
-					(dh_constructor_t)openssl_ec_diffie_hellman_create);
 	lib->creds->remove_builder(lib->creds,
 					(builder_function_t)openssl_rsa_private_key_load);
 	lib->creds->remove_builder(lib->creds,
@@ -185,14 +187,24 @@ static void destroy(private_openssl_plugin_t *this)
 					(builder_function_t)openssl_rsa_private_key_connect);
 	lib->creds->remove_builder(lib->creds,
 					(builder_function_t)openssl_rsa_public_key_load);
+#ifndef OPENSSL_NO_EC
+	lib->crypto->remove_dh(lib->crypto,
+					(dh_constructor_t)openssl_ec_diffie_hellman_create);
 	lib->creds->remove_builder(lib->creds,
 					(builder_function_t)openssl_ec_private_key_load);
 	lib->creds->remove_builder(lib->creds,
 					(builder_function_t)openssl_ec_private_key_gen);
 	lib->creds->remove_builder(lib->creds,
 					(builder_function_t)openssl_ec_public_key_load);
+#endif /* OPENSSL_NO_EC */
+	lib->creds->remove_builder(lib->creds,
+					(builder_function_t)openssl_x509_load);
+	lib->creds->remove_builder(lib->creds,
+					(builder_function_t)openssl_crl_load);
 
+#ifndef OPENSSL_NO_ENGINE
 	ENGINE_cleanup();
+#endif /* OPENSSL_NO_ENGINE */
 	EVP_cleanup();
 	CONF_modules_free();
 
@@ -215,9 +227,11 @@ plugin_t *openssl_plugin_create()
 	OPENSSL_config(NULL);
 	OpenSSL_add_all_algorithms();
 
+#ifndef OPENSSL_NO_ENGINE
 	/* activate support for hardware accelerators */
 	ENGINE_load_builtin_engines();
 	ENGINE_register_all_complete();
+#endif /* OPENSSL_NO_ENGINE */
 
 	/* crypter */
 	lib->crypto->add_crypter(lib->crypto, ENCR_AES_CBC,
@@ -272,6 +286,7 @@ plugin_t *openssl_plugin_create()
 						(dh_constructor_t)openssl_diffie_hellman_create);
 	lib->crypto->add_dh(lib->crypto, MODP_1536_BIT,
 						(dh_constructor_t)openssl_diffie_hellman_create);
+#ifndef OPENSSL_NO_EC
 	lib->crypto->add_dh(lib->crypto, ECP_256_BIT,
 						(dh_constructor_t)openssl_ec_diffie_hellman_create);
 	lib->crypto->add_dh(lib->crypto, ECP_384_BIT,
@@ -282,6 +297,7 @@ plugin_t *openssl_plugin_create()
 						(dh_constructor_t)openssl_ec_diffie_hellman_create);
 	lib->crypto->add_dh(lib->crypto, ECP_192_BIT,
 						(dh_constructor_t)openssl_ec_diffie_hellman_create);
+#endif /* OPENSSL_NO_EC */
 	lib->crypto->add_dh(lib->crypto, MODP_3072_BIT,
 						(dh_constructor_t)openssl_diffie_hellman_create);
 	lib->crypto->add_dh(lib->crypto, MODP_4096_BIT,
@@ -306,14 +322,24 @@ plugin_t *openssl_plugin_create()
 					(builder_function_t)openssl_rsa_private_key_connect);
 	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
 					(builder_function_t)openssl_rsa_public_key_load);
+	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_ANY,
+					(builder_function_t)openssl_rsa_public_key_load);
 
-	/* ec */
+#ifndef OPENSSL_NO_EC
+	/* ecdsa */
 	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_ECDSA,
 					(builder_function_t)openssl_ec_private_key_load);
 	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_ECDSA,
 					(builder_function_t)openssl_ec_private_key_gen);
 	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_ECDSA,
 					(builder_function_t)openssl_ec_public_key_load);
+#endif /* OPENSSL_NO_EC */
+
+	/* X509 certificates */
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509,
+					(builder_function_t)openssl_x509_load);
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL,
+					(builder_function_t)openssl_crl_load);
 
 	return &this->public.plugin;
 }
diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
index de751fe89..5817ade9e 100644
--- a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
@@ -21,7 +21,9 @@
 
 #include <openssl/evp.h>
 #include <openssl/rsa.h>
+#ifndef OPENSSL_NO_ENGINE
 #include <openssl/engine.h>
+#endif /* OPENSSL_NO_ENGINE */
 
 /**
  *  Public exponent to use for key generation.
@@ -56,7 +58,7 @@ struct private_openssl_rsa_private_key_t {
 };
 
 /* implemented in rsa public key */
-bool openssl_rsa_fingerprint(RSA *rsa, key_encoding_type_t type, chunk_t *fp);
+bool openssl_rsa_fingerprint(RSA *rsa, cred_encoding_type_t type, chunk_t *fp);
 
 /**
  * Build an EMPSA PKCS1 signature described in PKCS#1
@@ -206,7 +208,7 @@ static public_key_t* get_public_key(private_openssl_rsa_private_key_t *this)
  * Implementation of public_key_t.get_fingerprint.
  */
 static bool get_fingerprint(private_openssl_rsa_private_key_t *this,
-							key_encoding_type_t type, chunk_t *fingerprint)
+							cred_encoding_type_t type, chunk_t *fingerprint)
 {
 	return openssl_rsa_fingerprint(this->rsa, type, fingerprint);
 }
@@ -215,7 +217,7 @@ static bool get_fingerprint(private_openssl_rsa_private_key_t *this,
  * Implementation of public_key_t.get_encoding.
  */
 static bool get_encoding(private_openssl_rsa_private_key_t *this,
-						 key_encoding_type_t type, chunk_t *encoding)
+						 cred_encoding_type_t type, chunk_t *encoding)
 {
 	u_char *p;
 
@@ -225,8 +227,8 @@ static bool get_encoding(private_openssl_rsa_private_key_t *this,
 	}
 	switch (type)
 	{
-		case KEY_PRIV_ASN1_DER:
-		case KEY_PRIV_PEM:
+		case PRIVKEY_ASN1_DER:
+		case PRIVKEY_PEM:
 		{
 			bool success = TRUE;
 
@@ -234,13 +236,13 @@ static bool get_encoding(private_openssl_rsa_private_key_t *this,
 			p = encoding->ptr;
 			i2d_RSAPrivateKey(this->rsa, &p);
 
-			if (type == KEY_PRIV_PEM)
+			if (type == PRIVKEY_PEM)
 			{
 				chunk_t asn1_encoding = *encoding;
 
-				success = lib->encoding->encode(lib->encoding, KEY_PRIV_PEM,
-								NULL, encoding, KEY_PART_RSA_PRIV_ASN1_DER,
-								asn1_encoding, KEY_PART_END);
+				success = lib->encoding->encode(lib->encoding, PRIVKEY_PEM,
+								NULL, encoding, CRED_PART_RSA_PRIV_ASN1_DER,
+								asn1_encoding, CRED_PART_END);
 				chunk_clear(&asn1_encoding);
 			}
 			return success;
@@ -289,9 +291,9 @@ static private_openssl_rsa_private_key_t *create_empty(void)
 	this->public.interface.get_public_key = (public_key_t* (*) (private_key_t*))get_public_key;
 	this->public.interface.equals = private_key_equals;
 	this->public.interface.belongs_to = private_key_belongs_to;
-	this->public.interface.get_fingerprint = (bool(*)(private_key_t*, key_encoding_type_t type, chunk_t *fp))get_fingerprint;
+	this->public.interface.get_fingerprint = (bool(*)(private_key_t*, cred_encoding_type_t type, chunk_t *fp))get_fingerprint;
 	this->public.interface.has_fingerprint = (bool(*)(private_key_t*, chunk_t fp))private_key_has_fingerprint;
-	this->public.interface.get_encoding = (bool(*)(private_key_t*, key_encoding_type_t type, chunk_t *encoding))get_encoding;
+	this->public.interface.get_encoding = (bool(*)(private_key_t*, cred_encoding_type_t type, chunk_t *encoding))get_encoding;
 	this->public.interface.get_ref = (private_key_t* (*) (private_key_t*))get_ref;
 	this->public.interface.destroy = (void (*) (private_key_t*))destroy;
 
@@ -447,6 +449,7 @@ openssl_rsa_private_key_t *openssl_rsa_private_key_load(key_type_t type,
 openssl_rsa_private_key_t *openssl_rsa_private_key_connect(key_type_t type,
 														   va_list args)
 {
+#ifndef OPENSSL_NO_ENGINE
 	private_openssl_rsa_private_key_t *this;
 	char *keyid = NULL, *pin = NULL;
 	EVP_PKEY *key;
@@ -511,5 +514,8 @@ openssl_rsa_private_key_t *openssl_rsa_private_key_connect(key_type_t type,
 	this->engine = TRUE;
 
 	return &this->public;
+#else /* OPENSSL_NO_ENGINE */
+	return NULL;
+#endif /* OPENSSL_NO_ENGINE */
 }
 
diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
index ffa575a97..6ac61a65c 100644
--- a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
@@ -172,7 +172,7 @@ static size_t get_keysize(private_openssl_rsa_public_key_t *this)
 /**
  * Calculate fingerprint from a RSA key, also used in rsa private key.
  */
-bool openssl_rsa_fingerprint(RSA *rsa, key_encoding_type_t type, chunk_t *fp)
+bool openssl_rsa_fingerprint(RSA *rsa, cred_encoding_type_t type, chunk_t *fp)
 {
 	hasher_t *hasher;
 	chunk_t key;
@@ -184,12 +184,12 @@ bool openssl_rsa_fingerprint(RSA *rsa, key_encoding_type_t type, chunk_t *fp)
 	}
 	switch (type)
 	{
-		case KEY_ID_PUBKEY_SHA1:
+		case KEYID_PUBKEY_SHA1:
 			key = chunk_alloc(i2d_RSAPublicKey(rsa, NULL));
 			p = key.ptr;
 			i2d_RSAPublicKey(rsa, &p);
 			break;
-		case KEY_ID_PUBKEY_INFO_SHA1:
+		case KEYID_PUBKEY_INFO_SHA1:
 			key = chunk_alloc(i2d_RSA_PUBKEY(rsa, NULL));
 			p = key.ptr;
 			i2d_RSA_PUBKEY(rsa, &p);
@@ -215,7 +215,7 @@ bool openssl_rsa_fingerprint(RSA *rsa, key_encoding_type_t type, chunk_t *fp)
  * Implementation of public_key_t.get_fingerprint.
  */
 static bool get_fingerprint(private_openssl_rsa_public_key_t *this,
-							key_encoding_type_t type, chunk_t *fingerprint)
+							cred_encoding_type_t type, chunk_t *fingerprint)
 {
 	return openssl_rsa_fingerprint(this->rsa, type, fingerprint);
 }
@@ -224,14 +224,14 @@ static bool get_fingerprint(private_openssl_rsa_public_key_t *this,
  * Implementation of public_key_t.get_encoding.
  */
 static bool get_encoding(private_openssl_rsa_public_key_t *this,
-						 key_encoding_type_t type, chunk_t *encoding)
+						 cred_encoding_type_t type, chunk_t *encoding)
 {
 	u_char *p;
 
 	switch (type)
 	{
-		case KEY_PUB_SPKI_ASN1_DER:
-		case KEY_PUB_PEM:
+		case PUBKEY_SPKI_ASN1_DER:
+		case PUBKEY_PEM:
 		{
 			bool success = TRUE;
 
@@ -239,18 +239,18 @@ static bool get_encoding(private_openssl_rsa_public_key_t *this,
 			p = encoding->ptr;
 			i2d_RSA_PUBKEY(this->rsa, &p);
 
-			if (type == KEY_PUB_PEM)
+			if (type == PUBKEY_PEM)
 			{
 				chunk_t asn1_encoding = *encoding;
 
-				success = lib->encoding->encode(lib->encoding, KEY_PUB_PEM,
-								NULL, encoding, KEY_PART_RSA_PUB_ASN1_DER,
-								asn1_encoding, KEY_PART_END);
+				success = lib->encoding->encode(lib->encoding, PUBKEY_PEM,
+								NULL, encoding, CRED_PART_RSA_PUB_ASN1_DER,
+								asn1_encoding, CRED_PART_END);
 				chunk_clear(&asn1_encoding);
 			}
 			return success;
 		}
-		case KEY_PUB_ASN1_DER:
+		case PUBKEY_ASN1_DER:
 		{
 			*encoding = chunk_alloc(i2d_RSAPublicKey(this->rsa, NULL));
 			p = encoding->ptr;
@@ -299,9 +299,9 @@ static private_openssl_rsa_public_key_t *create_empty()
 	this->public.interface.encrypt = (bool (*)(public_key_t *this, chunk_t crypto, chunk_t *plain))encrypt_;
 	this->public.interface.equals = public_key_equals;
 	this->public.interface.get_keysize = (size_t (*) (public_key_t *this))get_keysize;
-	this->public.interface.get_fingerprint = (bool(*)(public_key_t*, key_encoding_type_t type, chunk_t *fp))get_fingerprint;
+	this->public.interface.get_fingerprint = (bool(*)(public_key_t*, cred_encoding_type_t type, chunk_t *fp))get_fingerprint;
 	this->public.interface.has_fingerprint = (bool(*)(public_key_t*, chunk_t fp))public_key_has_fingerprint;
-	this->public.interface.get_encoding = (bool(*)(public_key_t*, key_encoding_type_t type, chunk_t *encoding))get_encoding;
+	this->public.interface.get_encoding = (bool(*)(public_key_t*, cred_encoding_type_t type, chunk_t *encoding))get_encoding;
 	this->public.interface.get_ref = (public_key_t* (*)(public_key_t *this))get_ref;
 	this->public.interface.destroy = (void (*)(public_key_t *this))destroy;
 
@@ -345,13 +345,25 @@ openssl_rsa_public_key_t *openssl_rsa_public_key_load(key_type_t type,
 	this = create_empty();
 	if (blob.ptr)
 	{
-		this->rsa = d2i_RSAPublicKey(NULL, (const u_char**)&blob.ptr, blob.len);
+		switch (type)
+		{
+			case KEY_ANY:
+				this->rsa = d2i_RSA_PUBKEY(NULL, (const u_char**)&blob.ptr,
+										   blob.len);
+				break;
+			case KEY_RSA:
+				this->rsa = d2i_RSAPublicKey(NULL, (const u_char**)&blob.ptr,
+											 blob.len);
+				break;
+			default:
+				break;
+		}
 		if (this->rsa)
 		{
 			return &this->public;
 		}
 	}
-	else if (n.ptr && e.ptr)
+	else if (n.ptr && e.ptr && type == KEY_RSA)
 	{
 		this->rsa = RSA_new();
 		this->rsa->n = BN_bin2bn((const u_char*)n.ptr, n.len, NULL);
diff --git a/src/libstrongswan/plugins/openssl/openssl_sha1_prf.h b/src/libstrongswan/plugins/openssl/openssl_sha1_prf.h
index 9a24e7ee1..384e328e2 100644
--- a/src/libstrongswan/plugins/openssl/openssl_sha1_prf.h
+++ b/src/libstrongswan/plugins/openssl/openssl_sha1_prf.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup openssl_sha1_prf openssl_sha1_prf
- * @{ @ingroup sha1_p
+ * @{ @ingroup openssl_p
  */
 
 #ifndef OPENSSL_SHA1_PRF_H_
diff --git a/src/libstrongswan/plugins/openssl/openssl_util.c b/src/libstrongswan/plugins/openssl/openssl_util.c
index 55b18a524..99dca3631 100644
--- a/src/libstrongswan/plugins/openssl/openssl_util.c
+++ b/src/libstrongswan/plugins/openssl/openssl_util.c
@@ -100,7 +100,6 @@ error:
 	return FALSE;
 }
 
-
 /**
  * Described in header.
  */
@@ -124,3 +123,85 @@ bool openssl_bn_split(chunk_t chunk, BIGNUM *a, BIGNUM *b)
 	return TRUE;
 }
 
+/**
+ * Described in header.
+ */
+chunk_t openssl_asn1_obj2chunk(ASN1_OBJECT *asn1)
+{
+	if (asn1)
+	{
+		return chunk_create(asn1->data, asn1->length);
+	}
+	return chunk_empty;
+}
+
+/**
+ * Described in header.
+ */
+chunk_t openssl_asn1_str2chunk(ASN1_STRING *asn1)
+{
+	if (asn1)
+	{
+		return chunk_create(ASN1_STRING_data(asn1), ASN1_STRING_length(asn1));
+	}
+	return chunk_empty;
+}
+
+/**
+ * Convert a X509 name to a ID_DER_ASN1_DN identification_t
+ */
+identification_t *openssl_x509_name2id(X509_NAME *name)
+{
+	if (name)
+	{
+		identification_t *id;
+		chunk_t chunk;
+
+		chunk = openssl_i2chunk(X509_NAME, name);
+		if (chunk.len)
+		{
+			id = identification_create_from_encoding(ID_DER_ASN1_DN, chunk);
+			free(chunk.ptr);
+			return id;
+		}
+	}
+	return NULL;
+}
+
+/**
+ * We can't include <asn1/asn1.h>, as the ASN1_ definitions would clash
+ * with OpenSSL. Redeclare what we need.
+ */
+int asn1_known_oid(chunk_t);
+time_t asn1_to_time(chunk_t *,int);
+
+/**
+ * Described in header.
+ */
+int openssl_asn1_known_oid(ASN1_OBJECT *obj)
+{
+	return asn1_known_oid(openssl_asn1_obj2chunk(obj));
+}
+
+/**
+ * Described in header.
+ */
+time_t openssl_asn1_to_time(ASN1_TIME *time)
+{
+	chunk_t chunk;
+
+	if (time)
+	{
+		chunk = openssl_asn1_str2chunk(time);
+		switch (time->type)
+		{
+			case V_ASN1_UTCTIME:
+			case V_ASN1_GENERALIZEDTIME:
+				return asn1_to_time(&chunk, time->type);
+			default:
+				break;
+		}
+	}
+	DBG1(DBG_LIB, "invalid ASN1 time");
+	return 0;
+}
diff --git a/src/libstrongswan/plugins/openssl/openssl_util.h b/src/libstrongswan/plugins/openssl/openssl_util.h
index 538008f2c..25c692a1a 100644
--- a/src/libstrongswan/plugins/openssl/openssl_util.h
+++ b/src/libstrongswan/plugins/openssl/openssl_util.h
@@ -23,6 +23,7 @@
 
 #include <library.h>
 #include <openssl/bn.h>
+#include <openssl/asn1.h>
 
 /**
  * Returns the length in bytes of a field element
@@ -37,7 +38,7 @@
  * @param hash_type	NID of the hash
  * @param data		the chunk of data to hash
  * @param hash		chunk that contains the hash
- * @return 			TRUE on success, FALSE otherwise
+ * @return			TRUE on success, FALSE otherwise
  */
 bool openssl_hash_chunk(int hash_type, chunk_t data, chunk_t *hash);
 
@@ -65,4 +66,57 @@ bool openssl_bn_cat(int len, BIGNUM *a, BIGNUM *b, chunk_t *chunk);
  */
 bool openssl_bn_split(chunk_t chunk, BIGNUM *a, BIGNUM *b);
 
+
+/**
+ * Allocate a chunk using the i2d function of a given object
+ *
+ * @param type		type of the object
+ * @param obj		object to convert to DER
+ * @returns			allocated chunk of the object, or chunk_empty
+ */
+#define openssl_i2chunk(type, obj) ({ \
+					unsigned char *ptr = NULL; \
+					int len = i2d_##type(obj, &ptr); \
+					len < 0 ? chunk_empty : chunk_create(ptr, len);})
+
+/**
+ * Convert an OpenSSL ASN1_OBJECT to a chunk.
+ *
+ * @param asn1		asn1 object to convert
+ * @return			chunk, pointing into asn1 object
+ */
+chunk_t openssl_asn1_obj2chunk(ASN1_OBJECT *asn1);
+
+/**
+ * Convert an OpenSSL ASN1_STRING to a chunk.
+ *
+ * @param asn1		asn1 string to convert
+ * @return			chunk, pointing into asn1 string
+ */
+chunk_t openssl_asn1_str2chunk(ASN1_STRING *asn1);
+
+/**
+ * Convert an openssl X509_NAME to a identification_t of type ID_DER_ASN1_DN.
+ *
+ * @param name		name to convert
+ * @return			identification_t, NULL on error
+ */
+identification_t *openssl_x509_name2id(X509_NAME *name);
+
+/**
+ * Check if an ASN1 oid is a an OID known by libstrongswan.
+ *
+ * @param obj		openssl ASN1 object
+ * @returns			OID, as defined in <asn1/oid.h>
+ */
+int openssl_asn1_known_oid(ASN1_OBJECT *obj);
+
+/**
+ * Convert an OpenSSL ASN1_TIME to a time_t.
+ *
+ * @param time		openssl ASN1_TIME
+ * @returns			time_t, 0 on error
+ */
+time_t openssl_asn1_to_time(ASN1_TIME *time);
+
 #endif /** OPENSSL_UTIL_H_ @}*/
diff --git a/src/libstrongswan/plugins/openssl/openssl_x509.c b/src/libstrongswan/plugins/openssl/openssl_x509.c
new file mode 100644
index 000000000..1c9bb699e
--- /dev/null
+++ b/src/libstrongswan/plugins/openssl/openssl_x509.c
@@ -0,0 +1,871 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/*
+ * Copyright (C) 2010 secunet Security Networks AG
+ * Copyright (C) 2010 Thomas Egerer
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+
+#include "openssl_x509.h"
+#include "openssl_util.h"
+
+#include <debug.h>
+#include <asn1/oid.h>
+#include <utils/linked_list.h>
+
+
+typedef struct private_openssl_x509_t private_openssl_x509_t;
+
+/**
+ * Private data of an openssl_x509_t object.
+ */
+struct private_openssl_x509_t {
+
+	/**
+	 * Public openssl_x509_t interface.
+	 */
+	openssl_x509_t public;
+
+	/**
+	 * OpenSSL certificate representation
+	 */
+	X509 *x509;
+
+	/**
+	 * DER encoded certificate
+	 */
+	chunk_t encoding;
+
+	/**
+	 * SHA1 hash of the certificate
+	 */
+	chunk_t hash;
+
+	/**
+	 * X509 flags
+	 */
+	x509_flag_t flags;
+
+	/**
+	 * Pathlen constraint
+	 */
+	int pathlen;
+
+	/**
+	 * certificate subject
+	 */
+	identification_t *subject;
+
+	/**
+	 * certificate issuer
+	 */
+	identification_t *issuer;
+
+	/**
+	 * Certificates public key
+	 */
+	public_key_t *pubkey;
+
+	/**
+	 * subjectKeyIdentifier as read from cert
+	 */
+	chunk_t subjectKeyIdentifier;
+
+	/**
+	 * authorityKeyIdentifier as read from cert
+	 */
+	chunk_t authKeyIdentifier;
+
+	/**
+	 * Start time of certificate validity
+	 */
+	time_t notBefore;
+
+	/**
+	 * End time of certificate validity
+	 */
+	time_t notAfter;
+
+	/**
+	 * Signature scheme of the certificate
+	 */
+	signature_scheme_t scheme;
+
+	/**
+	 * subjectAltNames
+	 */
+	linked_list_t *subjectAltNames;
+
+	/**
+	 * issuerAltNames
+	 */
+	linked_list_t *issuerAltNames;
+
+	/**
+	 * List of CRL URIs
+	 */
+	linked_list_t *crl_uris;
+
+	/**
+	 * List of OCSP URIs
+	 */
+	linked_list_t *ocsp_uris;
+
+	/**
+	 * References to this cert
+	 */
+	refcount_t ref;
+};
+
+/**
+ * Convert a GeneralName to an identification_t.
+ */
+static identification_t *general_name2id(GENERAL_NAME *name)
+{
+	if (!name)
+	{
+		return NULL;
+	}
+	switch (name->type)
+	{
+		case GEN_EMAIL:
+			return identification_create_from_encoding(ID_RFC822_ADDR,
+					openssl_asn1_str2chunk(name->d.rfc822Name));
+		case GEN_DNS:
+			return identification_create_from_encoding(ID_FQDN,
+					openssl_asn1_str2chunk(name->d.dNSName));
+		case GEN_URI:
+			return identification_create_from_encoding(ID_DER_ASN1_GN_URI,
+					openssl_asn1_str2chunk(name->d.uniformResourceIdentifier));
+		case GEN_IPADD:
+		{
+			chunk_t chunk = openssl_asn1_str2chunk(name->d.iPAddress);
+			if (chunk.len == 4)
+			{
+				return identification_create_from_encoding(ID_IPV4_ADDR, chunk);
+			}
+			if (chunk.len == 16)
+			{
+				return identification_create_from_encoding(ID_IPV6_ADDR, chunk);
+			}
+			return NULL;
+		}
+		case GEN_DIRNAME :
+			return openssl_x509_name2id(name->d.directoryName);
+		default:
+			return NULL;
+	}
+}
+
+METHOD(x509_t, get_flags, x509_flag_t,
+	private_openssl_x509_t *this)
+{
+	return this->flags;
+}
+
+METHOD(x509_t, get_serial, chunk_t,
+	private_openssl_x509_t *this)
+{
+	return openssl_asn1_str2chunk(X509_get_serialNumber(this->x509));
+}
+
+METHOD(x509_t, get_subjectKeyIdentifier, chunk_t,
+	private_openssl_x509_t *this)
+{
+	chunk_t fingerprint;
+
+	if (this->subjectKeyIdentifier.len)
+	{
+		return this->subjectKeyIdentifier;
+	}
+	if (this->pubkey->get_fingerprint(this->pubkey, KEYID_PUBKEY_SHA1,
+									  &fingerprint))
+	{
+		return fingerprint;
+	}
+	return chunk_empty;
+}
+
+METHOD(x509_t, get_authKeyIdentifier, chunk_t,
+	private_openssl_x509_t *this)
+{
+	if (this->authKeyIdentifier.len)
+	{
+		return this->authKeyIdentifier;
+	}
+	return chunk_empty;
+}
+
+METHOD(x509_t, get_pathLenConstraint, int,
+	private_openssl_x509_t *this)
+{
+	return this->pathlen;
+}
+
+METHOD(x509_t, create_subjectAltName_enumerator, enumerator_t*,
+	private_openssl_x509_t *this)
+{
+	return this->subjectAltNames->create_enumerator(this->subjectAltNames);
+}
+
+METHOD(x509_t, create_crl_uri_enumerator, enumerator_t*,
+	private_openssl_x509_t *this)
+{
+	return this->crl_uris->create_enumerator(this->crl_uris);
+}
+
+METHOD(x509_t, create_ocsp_uri_enumerator, enumerator_t*,
+	private_openssl_x509_t *this)
+{
+	return this->ocsp_uris->create_enumerator(this->ocsp_uris);
+}
+
+METHOD(x509_t, create_ipAddrBlock_enumerator, enumerator_t*,
+	private_openssl_x509_t *this)
+{
+	/* TODO */
+	return enumerator_create_empty();
+}
+
+METHOD(certificate_t, get_type, certificate_type_t,
+	private_openssl_x509_t *this)
+{
+	return CERT_X509;
+}
+
+METHOD(certificate_t, get_subject, identification_t*,
+	private_openssl_x509_t *this)
+{
+	return this->subject;
+}
+
+METHOD(certificate_t, get_issuer, identification_t*,
+	private_openssl_x509_t *this)
+{
+	return this->issuer;
+}
+
+METHOD(certificate_t, has_subject, id_match_t,
+	private_openssl_x509_t *this, identification_t *subject)
+{
+	identification_t *current;
+	enumerator_t *enumerator;
+	id_match_t match, best;
+
+	if (subject->get_type(subject) == ID_KEY_ID)
+	{
+		if (chunk_equals(this->hash, subject->get_encoding(subject)))
+		{
+			return ID_MATCH_PERFECT;
+		}
+	}
+	best = this->subject->matches(this->subject, subject);
+	enumerator = create_subjectAltName_enumerator(this);
+	while (enumerator->enumerate(enumerator, &current))
+	{
+		match = current->matches(current, subject);
+		if (match > best)
+		{
+			best = match;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return best;
+}
+
+METHOD(certificate_t, has_issuer, id_match_t,
+	private_openssl_x509_t *this, identification_t *issuer)
+{
+	/* issuerAltNames currently not supported */
+	return this->issuer->matches(this->issuer, issuer);
+}
+
+METHOD(certificate_t, issued_by, bool,
+	private_openssl_x509_t *this, certificate_t *issuer)
+{
+	public_key_t *key;
+	bool valid;
+	x509_t *x509 = (x509_t*)issuer;
+	chunk_t tbs;
+
+	if (&this->public.x509.interface == issuer)
+	{
+		if (this->flags & X509_SELF_SIGNED)
+		{
+			return TRUE;
+		}
+	}
+	else
+	{
+		if (issuer->get_type(issuer) != CERT_X509)
+		{
+			return FALSE;
+		}
+		if (!(x509->get_flags(x509) & X509_CA))
+		{
+			return FALSE;
+		}
+		if (!this->issuer->equals(this->issuer, issuer->get_subject(issuer)))
+		{
+			return FALSE;
+		}
+	}
+	if (this->scheme == SIGN_UNKNOWN)
+	{
+		return FALSE;
+	}
+	key = issuer->get_public_key(issuer);
+	if (!key)
+	{
+		return FALSE;
+	}
+	tbs = openssl_i2chunk(X509_CINF, this->x509->cert_info);
+	valid = key->verify(key, this->scheme, tbs,
+						openssl_asn1_str2chunk(this->x509->signature));
+	free(tbs.ptr);
+	key->destroy(key);
+	return valid;
+}
+
+METHOD(certificate_t, get_public_key, public_key_t*,
+	private_openssl_x509_t *this)
+{
+	return this->pubkey->get_ref(this->pubkey);
+}
+
+METHOD(certificate_t, get_validity, bool,
+	private_openssl_x509_t *this,
+	time_t *when, time_t *not_before, time_t *not_after)
+{
+	time_t t;
+
+	if (when)
+	{
+		t = *when;
+	}
+	else
+	{
+		t = time(NULL);
+	}
+	if (not_before)
+	{
+		*not_before = this->notBefore;
+	}
+	if (not_after)
+	{
+		*not_after = this->notAfter;
+	}
+	return (t >= this->notBefore && t <= this->notAfter);
+}
+
+METHOD(certificate_t, get_encoding, bool,
+	private_openssl_x509_t *this, cred_encoding_type_t type, chunk_t *encoding)
+{
+	if (type == CERT_ASN1_DER)
+	{
+		*encoding = chunk_clone(this->encoding);
+		return TRUE;
+	}
+	return lib->encoding->encode(lib->encoding, type, NULL, encoding,
+						CRED_PART_X509_ASN1_DER, this->encoding, CRED_PART_END);
+}
+
+
+METHOD(certificate_t, equals, bool,
+	private_openssl_x509_t *this, certificate_t *other)
+{
+	chunk_t encoding;
+	bool equal;
+
+	if (this == (private_openssl_x509_t*)other)
+	{
+		return TRUE;
+	}
+	if (other->get_type(other) != CERT_X509)
+	{
+		return FALSE;
+	}
+	if (other->equals == (void*)equals)
+	{	/* skip allocation if we have the same implementation */
+		encoding = ((private_openssl_x509_t*)other)->encoding;
+		return chunk_equals(this->encoding, encoding);
+	}
+	if (!other->get_encoding(other, CERT_ASN1_DER, &encoding))
+	{
+		return FALSE;
+	}
+	equal = chunk_equals(this->encoding, encoding);
+	free(encoding.ptr);
+	return equal;
+}
+
+METHOD(certificate_t, get_ref, certificate_t*,
+	private_openssl_x509_t *this)
+{
+	ref_get(&this->ref);
+	return &this->public.x509.interface;
+}
+
+METHOD(certificate_t, destroy, void,
+	private_openssl_x509_t *this)
+{
+	if (ref_put(&this->ref))
+	{
+		if (this->x509)
+		{
+			X509_free(this->x509);
+		}
+		DESTROY_IF(this->subject);
+		DESTROY_IF(this->issuer);
+		DESTROY_IF(this->pubkey);
+		free(this->subjectKeyIdentifier.ptr);
+		free(this->authKeyIdentifier.ptr);
+		free(this->encoding.ptr);
+		free(this->hash.ptr);
+		this->subjectAltNames->destroy_offset(this->subjectAltNames,
+										offsetof(identification_t, destroy));
+		this->issuerAltNames->destroy_offset(this->issuerAltNames,
+										offsetof(identification_t, destroy));
+		this->crl_uris->destroy_function(this->crl_uris, free);
+		this->ocsp_uris->destroy_function(this->ocsp_uris, free);
+		free(this);
+	}
+}
+
+/**
+ * Create an empty certificate
+ */
+static private_openssl_x509_t *create_empty()
+{
+	private_openssl_x509_t *this;
+
+	INIT(this,
+		.public = {
+			.x509 = {
+				.interface = {
+					.get_type = _get_type,
+					.get_subject = _get_subject,
+					.get_issuer = _get_issuer,
+					.has_subject = _has_subject,
+					.has_issuer = _has_issuer,
+					.issued_by = _issued_by,
+					.get_public_key = _get_public_key,
+					.get_validity = _get_validity,
+					.get_encoding = _get_encoding,
+					.equals = _equals,
+					.get_ref = _get_ref,
+					.destroy = _destroy,
+				},
+				.get_flags = _get_flags,
+				.get_serial = _get_serial,
+				.get_subjectKeyIdentifier = _get_subjectKeyIdentifier,
+				.get_authKeyIdentifier = _get_authKeyIdentifier,
+				.get_pathLenConstraint = _get_pathLenConstraint,
+				.create_subjectAltName_enumerator = _create_subjectAltName_enumerator,
+				.create_crl_uri_enumerator = _create_crl_uri_enumerator,
+				.create_ocsp_uri_enumerator = _create_ocsp_uri_enumerator,
+				.create_ipAddrBlock_enumerator = _create_ipAddrBlock_enumerator,
+			},
+		},
+		.subjectAltNames = linked_list_create(),
+		.issuerAltNames = linked_list_create(),
+		.crl_uris = linked_list_create(),
+		.ocsp_uris = linked_list_create(),
+		.pathlen = X509_NO_PATH_LEN_CONSTRAINT,
+		.ref = 1,
+	);
+
+	return this;
+}
+
+/**
+ * parse an extionsion containing GENERAL_NAMES into a list
+ */
+static bool parse_generalNames_ext(linked_list_t *list,
+								   X509_EXTENSION *ext)
+{
+	GENERAL_NAMES *names;
+	GENERAL_NAME *name;
+	identification_t *id;
+	int i, num;
+
+	names = X509V3_EXT_d2i(ext);
+	if (!names)
+	{
+		return FALSE;
+	}
+
+	num = sk_GENERAL_NAME_num(names);
+	for (i = 0; i < num; i++)
+	{
+		name = sk_GENERAL_NAME_value(names, i);
+		id = general_name2id(name);
+		if (id)
+		{
+			list->insert_last(list, id);
+		}
+		GENERAL_NAME_free(name);
+	}
+	sk_GENERAL_NAME_free(names);
+	return TRUE;
+}
+
+/**
+ * parse basic constraints
+ */
+static bool parse_basicConstraints_ext(private_openssl_x509_t *this,
+									   X509_EXTENSION *ext)
+{
+	BASIC_CONSTRAINTS *constraints;
+
+	constraints = (BASIC_CONSTRAINTS*)X509V3_EXT_d2i(ext);
+	if (constraints)
+	{
+		if (constraints->ca)
+		{
+			this->flags |= X509_CA;
+		}
+		if (constraints->pathlen)
+		{
+			this->pathlen = ASN1_INTEGER_get(constraints->pathlen);
+		}
+		BASIC_CONSTRAINTS_free(constraints);
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/**
+ * Parse CRL distribution points
+ */
+static bool parse_crlDistributionPoints_ext(private_openssl_x509_t *this,
+											X509_EXTENSION *ext)
+{
+	CRL_DIST_POINTS *cdps;
+	DIST_POINT *cdp;
+	identification_t *id;
+	char *uri;
+	int i, j, point_num, name_num;
+
+	cdps = X509V3_EXT_d2i(ext);
+	if (!cdps)
+	{
+		return FALSE;
+	}
+	point_num = sk_DIST_POINT_num(cdps);
+	for (i = 0; i < point_num; i++)
+	{
+		cdp = sk_DIST_POINT_value(cdps, i);
+		if (cdp)
+		{
+			if (cdp->distpoint && cdp->distpoint->type == 0 &&
+				cdp->distpoint->name.fullname)
+			{
+				name_num = sk_GENERAL_NAME_num(cdp->distpoint->name.fullname);
+				for (j = 0; j < name_num; j++)
+				{
+					id = general_name2id(sk_GENERAL_NAME_value(
+											cdp->distpoint->name.fullname, j));
+					if (id)
+					{
+						if (asprintf(&uri, "%Y", id) > 0)
+						{
+							this->crl_uris->insert_first(this->crl_uris, uri);
+						}
+						id->destroy(id);
+					}
+				}
+			}
+			DIST_POINT_free(cdp);
+		}
+	}
+	sk_DIST_POINT_free(cdps);
+	return TRUE;
+}
+
+/**
+ * Parse authorityInfoAccess with OCSP URIs
+ */
+static bool parse_authorityInfoAccess_ext(private_openssl_x509_t *this,
+										  X509_EXTENSION *ext)
+{
+	AUTHORITY_INFO_ACCESS *infos;
+	ACCESS_DESCRIPTION *desc;
+	identification_t *id;
+	int i, num;
+	char *uri;
+
+	infos = X509V3_EXT_d2i(ext);
+	if (!infos)
+	{
+		return FALSE;
+	}
+	num = sk_ACCESS_DESCRIPTION_num(infos);
+	for (i = 0; i < num; i++)
+	{
+		desc = sk_ACCESS_DESCRIPTION_value(infos, i);
+		if (desc)
+		{
+			if (openssl_asn1_known_oid(desc->method) == OID_OCSP)
+			{
+				id = general_name2id(desc->location);
+				if (id)
+				{
+					if (asprintf(&uri, "%Y", id) > 0)
+					{
+						this->ocsp_uris->insert_first(this->ocsp_uris, uri);
+					}
+					id->destroy(id);
+				}
+			}
+			ACCESS_DESCRIPTION_free(desc);
+		}
+	}
+	sk_ACCESS_DESCRIPTION_free(infos);
+	return TRUE;
+}
+
+/**
+ * Parse authorityKeyIdentifier extension
+ */
+static bool parse_authKeyIdentifier_ext(private_openssl_x509_t *this,
+										X509_EXTENSION *ext)
+{
+	AUTHORITY_KEYID *keyid;
+
+	keyid = (AUTHORITY_KEYID*)X509V3_EXT_d2i(ext);
+	if (keyid)
+	{
+		free(this->authKeyIdentifier.ptr);
+		this->authKeyIdentifier = chunk_clone(
+										openssl_asn1_str2chunk(keyid->keyid));
+		AUTHORITY_KEYID_free(keyid);
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/**
+ * Parse subjectKeyIdentifier extension
+ */
+static bool parse_subjectKeyIdentifier_ext(private_openssl_x509_t *this,
+										   X509_EXTENSION *ext)
+{
+	chunk_t ostr;
+
+	ostr = openssl_asn1_str2chunk(X509_EXTENSION_get_data(ext));
+	/* quick and dirty unwrap of octet string */
+	if (ostr.len > 2 &&
+		ostr.ptr[0] == V_ASN1_OCTET_STRING && ostr.ptr[1] == ostr.len - 2)
+	{
+		free(this->subjectKeyIdentifier.ptr);
+		this->subjectKeyIdentifier = chunk_clone(chunk_skip(ostr, 2));
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/**
+ * Parse X509 extensions we are interested in
+ */
+static bool parse_extensions(private_openssl_x509_t *this)
+{
+	STACK_OF(X509_EXTENSION) *extensions;
+	int i, num;
+
+	extensions = this->x509->cert_info->extensions;
+	if (extensions)
+	{
+		num = sk_X509_EXTENSION_num(extensions);
+
+		for (i = 0; i < num; i++)
+		{
+			X509_EXTENSION *ext;
+			bool ok;
+
+			ext = sk_X509_EXTENSION_value(extensions, i);
+			switch (OBJ_obj2nid(X509_EXTENSION_get_object(ext)))
+			{
+				case NID_info_access:
+					ok = parse_authorityInfoAccess_ext(this, ext);
+					break;
+				case NID_authority_key_identifier:
+					ok = parse_authKeyIdentifier_ext(this, ext);
+					break;
+				case NID_subject_key_identifier:
+					ok = parse_subjectKeyIdentifier_ext(this, ext);
+					break;
+				case NID_subject_alt_name:
+					ok = parse_generalNames_ext(this->subjectAltNames, ext);
+					break;
+				case NID_issuer_alt_name:
+					ok = parse_generalNames_ext(this->issuerAltNames, ext);
+					break;
+				case NID_basic_constraints:
+					ok = parse_basicConstraints_ext(this, ext);
+					break;
+				case NID_crl_distribution_points:
+					ok = parse_crlDistributionPoints_ext(this, ext);
+					break;
+				default:
+					ok = TRUE;
+					break;
+			}
+			if (!ok)
+			{
+				return FALSE;
+			}
+		}
+	}
+	return TRUE;
+}
+
+/**
+ * Parse a DER encoded x509 certificate
+ */
+static bool parse_certificate(private_openssl_x509_t *this)
+{
+	const unsigned char *ptr = this->encoding.ptr;
+	hasher_t *hasher;
+	chunk_t chunk;
+
+	this->x509 = d2i_X509(NULL, &ptr, this->encoding.len);
+	if (!this->x509)
+	{
+		return FALSE;
+	}
+	this->subject = openssl_x509_name2id(X509_get_subject_name(this->x509));
+	this->issuer = openssl_x509_name2id(X509_get_issuer_name(this->x509));
+
+	switch (openssl_asn1_known_oid(this->x509->cert_info->key->algor->algorithm))
+	{
+		case OID_RSA_ENCRYPTION:
+			this->pubkey = lib->creds->create(lib->creds,
+					CRED_PUBLIC_KEY, KEY_RSA, BUILD_BLOB_ASN1_DER,
+					openssl_asn1_str2chunk(X509_get0_pubkey_bitstr(this->x509)),
+					BUILD_END);
+			break;
+		case OID_EC_PUBLICKEY:
+			/* for ECDSA, we need the full subjectPublicKeyInfo, as it contains
+			 * the curve parameters. */
+			chunk = openssl_i2chunk(X509_PUBKEY, X509_get_X509_PUBKEY(this->x509));
+			this->pubkey = lib->creds->create(lib->creds,
+					CRED_PUBLIC_KEY, KEY_ECDSA, BUILD_BLOB_ASN1_DER,
+					chunk, BUILD_END);
+			free(chunk.ptr);
+			break;
+		default:
+			DBG1(DBG_LIB, "unsupported public key algorithm");
+			break;
+	}
+	if (!this->subject || !this->issuer || !this->pubkey)
+	{
+		return FALSE;
+	}
+
+	this->notBefore = openssl_asn1_to_time(X509_get_notBefore(this->x509));
+	this->notAfter = openssl_asn1_to_time(X509_get_notAfter(this->x509));
+
+	if (!chunk_equals(
+			openssl_asn1_obj2chunk(this->x509->cert_info->signature->algorithm),
+			openssl_asn1_obj2chunk(this->x509->sig_alg->algorithm)))
+	{
+		return FALSE;
+	}
+	this->scheme = signature_scheme_from_oid(openssl_asn1_known_oid(
+												this->x509->sig_alg->algorithm));
+
+	if (!parse_extensions(this))
+	{
+		return TRUE;
+	}
+
+	hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
+	if (!hasher)
+	{
+		return FALSE;
+	}
+	hasher->allocate_hash(hasher, this->encoding, &this->hash);
+	hasher->destroy(hasher);
+
+	if (issued_by(this, &this->public.x509.interface))
+	{
+		this->flags |= X509_SELF_SIGNED;
+	}
+	return TRUE;
+}
+
+openssl_x509_t *openssl_x509_load(certificate_type_t type, va_list args)
+{
+	chunk_t blob = chunk_empty;
+	x509_flag_t flags = 0;
+
+	while (TRUE)
+	{
+		switch (va_arg(args, builder_part_t))
+		{
+			case BUILD_BLOB_ASN1_DER:
+				blob = va_arg(args, chunk_t);
+				continue;
+			case BUILD_X509_FLAG:
+				flags |= va_arg(args, x509_flag_t);
+				continue;
+			case BUILD_END:
+				break;
+			default:
+				return NULL;
+		}
+		break;
+	}
+
+	if (blob.ptr)
+	{
+		private_openssl_x509_t *this;
+
+		this = create_empty();
+		this->encoding = chunk_clone(blob);
+		this->flags |= flags;
+		if (parse_certificate(this))
+		{
+			return &this->public;
+		}
+		DBG1(DBG_LIB, "OpenSSL X.509 parsing failed");
+		destroy(this);
+	}
+	return NULL;
+}
diff --git a/src/libstrongswan/plugins/openssl/openssl_x509.h b/src/libstrongswan/plugins/openssl/openssl_x509.h
new file mode 100644
index 000000000..52555925a
--- /dev/null
+++ b/src/libstrongswan/plugins/openssl/openssl_x509.h
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup openssl_x509 openssl_x509
+ * @{ @ingroup openssl_p
+ */
+
+#ifndef OPENSSL_X509_H_
+#define OPENSSL_X509_H_
+
+#include <credentials/certificates/x509.h>
+
+typedef struct openssl_x509_t openssl_x509_t;
+
+/**
+ * X.509 certificate implementation using OpenSSL.
+ */
+struct openssl_x509_t {
+
+	/**
+	 * Implements x509_t interface.
+	 */
+	x509_t x509;
+};
+
+/**
+ * Load a X.509 certificate.
+ *
+ * This function takes a BUILD_BLOB_ASN1_DER.
+ *
+ * @param type		certificate type, CERT_X509 only
+ * @param args		builder_part_t argument list
+ * @return			X.509 certificate, NULL on failure
+ */
+openssl_x509_t *openssl_x509_load(certificate_type_t type, va_list args);
+
+#endif /** OPENSSL_X509_H_ @}*/
diff --git a/src/libstrongswan/plugins/padlock/Makefile.in b/src/libstrongswan/plugins/padlock/Makefile.in
index 84c2ef2fb..adb8f08d1 100644
--- a/src/libstrongswan/plugins/padlock/Makefile.in
+++ b/src/libstrongswan/plugins/padlock/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
diff --git a/src/libstrongswan/plugins/pem/Makefile.in b/src/libstrongswan/plugins/pem/Makefile.in
index 4e39c8f7b..e19a66fa5 100644
--- a/src/libstrongswan/plugins/pem/Makefile.in
+++ b/src/libstrongswan/plugins/pem/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
diff --git a/src/libstrongswan/plugins/pem/pem_builder.c b/src/libstrongswan/plugins/pem/pem_builder.c
index 65be9501b..a15c3f258 100644
--- a/src/libstrongswan/plugins/pem/pem_builder.c
+++ b/src/libstrongswan/plugins/pem/pem_builder.c
@@ -528,7 +528,7 @@ static void *pem_load(credential_type_t type, int subtype, va_list args)
 		break;
 	}
 
-	if (pem.ptr)
+	if (pem.len)
 	{
 		return load_from_blob(pem, type, subtype, cb, cb_data, flags);
 	}
diff --git a/src/libstrongswan/plugins/pem/pem_encoder.c b/src/libstrongswan/plugins/pem/pem_encoder.c
index 13c99a958..e255d6fd0 100644
--- a/src/libstrongswan/plugins/pem/pem_encoder.c
+++ b/src/libstrongswan/plugins/pem/pem_encoder.c
@@ -20,7 +20,7 @@
 /**
  * See header.
  */
-bool pem_encoder_encode(key_encoding_type_t type, chunk_t *encoding,
+bool pem_encoder_encode(cred_encoding_type_t type, chunk_t *encoding,
 						va_list args)
 {
 	chunk_t asn1;
@@ -31,62 +31,81 @@ bool pem_encoder_encode(key_encoding_type_t type, chunk_t *encoding,
 
 	switch (type)
 	{
-		case KEY_PUB_PEM:
+		case PUBKEY_PEM:
 			label ="PUBLIC KEY";
 			/* direct PKCS#1 PEM encoding */
-			if (key_encoding_args(args, KEY_PART_RSA_PUB_ASN1_DER,
-									&asn1, KEY_PART_END) ||
-				key_encoding_args(args, KEY_PART_ECDSA_PUB_ASN1_DER,
-									&asn1, KEY_PART_END))
+			if (cred_encoding_args(args, CRED_PART_RSA_PUB_ASN1_DER,
+									&asn1, CRED_PART_END) ||
+				cred_encoding_args(args, CRED_PART_ECDSA_PUB_ASN1_DER,
+									&asn1, CRED_PART_END))
 			{
 				break;
 			}
 			/* indirect PEM encoding from components */
-			if (key_encoding_args(args, KEY_PART_RSA_MODULUS, &n,
-									KEY_PART_RSA_PUB_EXP, &e, KEY_PART_END))
+			if (cred_encoding_args(args, CRED_PART_RSA_MODULUS, &n,
+									CRED_PART_RSA_PUB_EXP, &e, CRED_PART_END))
 			{
-				if (lib->encoding->encode(lib->encoding, KEY_PUB_SPKI_ASN1_DER,
-									NULL, &asn1, KEY_PART_RSA_MODULUS, n,
-									KEY_PART_RSA_PUB_EXP, e, KEY_PART_END))
+				if (lib->encoding->encode(lib->encoding, PUBKEY_SPKI_ASN1_DER,
+									NULL, &asn1, CRED_PART_RSA_MODULUS, n,
+									CRED_PART_RSA_PUB_EXP, e, CRED_PART_END))
 				{
 					to_free = asn1;
 					break;
 				}
 			}
 			return FALSE;
-		case KEY_PRIV_PEM:
+		case PRIVKEY_PEM:
 			label ="RSA PRIVATE KEY";
 			/* direct PKCS#1 PEM encoding */
-			if (key_encoding_args(args, KEY_PART_RSA_PRIV_ASN1_DER,
-									&asn1, KEY_PART_END))
+			if (cred_encoding_args(args, CRED_PART_RSA_PRIV_ASN1_DER,
+									&asn1, CRED_PART_END))
 			{
 				break;
 			}
 			/* indirect PEM encoding from components */
-			if (key_encoding_args(args, KEY_PART_RSA_MODULUS, &n,
-							KEY_PART_RSA_PUB_EXP, &e, KEY_PART_RSA_PRIV_EXP, &d,
-							KEY_PART_RSA_PRIME1, &p, KEY_PART_RSA_PRIME2, &q,
-							KEY_PART_RSA_EXP1, &exp1, KEY_PART_RSA_EXP2, &exp2,
-							KEY_PART_RSA_COEFF, &coeff, KEY_PART_END))
+			if (cred_encoding_args(args, CRED_PART_RSA_MODULUS, &n,
+						CRED_PART_RSA_PUB_EXP, &e, CRED_PART_RSA_PRIV_EXP, &d,
+						CRED_PART_RSA_PRIME1, &p, CRED_PART_RSA_PRIME2, &q,
+						CRED_PART_RSA_EXP1, &exp1, CRED_PART_RSA_EXP2, &exp2,
+						CRED_PART_RSA_COEFF, &coeff, CRED_PART_END))
 			{
-				if (lib->encoding->encode(lib->encoding, KEY_PRIV_ASN1_DER, NULL,
-							&asn1, KEY_PART_RSA_MODULUS, n,
-							KEY_PART_RSA_PUB_EXP, e, KEY_PART_RSA_PRIV_EXP, d,
-							KEY_PART_RSA_PRIME1, p, KEY_PART_RSA_PRIME2, q,
-							KEY_PART_RSA_EXP1, exp1, KEY_PART_RSA_EXP2, exp2,
-							KEY_PART_RSA_COEFF, coeff, KEY_PART_END))
+				if (lib->encoding->encode(lib->encoding, PRIVKEY_ASN1_DER, NULL,
+						&asn1, CRED_PART_RSA_MODULUS, n,
+						CRED_PART_RSA_PUB_EXP, e, CRED_PART_RSA_PRIV_EXP, d,
+						CRED_PART_RSA_PRIME1, p, CRED_PART_RSA_PRIME2, q,
+						CRED_PART_RSA_EXP1, exp1, CRED_PART_RSA_EXP2, exp2,
+						CRED_PART_RSA_COEFF, coeff, CRED_PART_END))
 				{
 					to_free = asn1;
 					break;
 				}
 			}
-			if (key_encoding_args(args, KEY_PART_ECDSA_PRIV_ASN1_DER,
-								   &asn1, KEY_PART_END))
+			if (cred_encoding_args(args, CRED_PART_ECDSA_PRIV_ASN1_DER,
+								   &asn1, CRED_PART_END))
 			{
 				label ="EC PRIVATE KEY";
 				break;
 			}
 			return FALSE;
+		case CERT_PEM:
+			if (cred_encoding_args(args, CRED_PART_X509_ASN1_DER,
+								   &asn1, CRED_PART_END))
+			{	/* PEM encode x509 certificate */
+				label = "CERTIFICATE";
+				break;
+			}
+			if (cred_encoding_args(args, CRED_PART_X509_CRL_ASN1_DER,
+								   &asn1, CRED_PART_END))
+			{	/* PEM encode CRL */
+				label = "X509 CRL";
+				break;
+			}
+			if (cred_encoding_args(args, CRED_PART_PKCS10_ASN1_DER,
+								   &asn1, CRED_PART_END))
+			{	/* PEM encode PKCS10 certificate reqeuest */
+				label = "CERTIFICATE REQUEST";
+				break;
+			}
 		default:
 			return FALSE;
 	}
diff --git a/src/libstrongswan/plugins/pem/pem_encoder.h b/src/libstrongswan/plugins/pem/pem_encoder.h
index a181133b7..d8f05dd73 100644
--- a/src/libstrongswan/plugins/pem/pem_encoder.h
+++ b/src/libstrongswan/plugins/pem/pem_encoder.h
@@ -21,12 +21,12 @@
 #ifndef PEM_ENCODER_H_
 #define PEM_ENCODER_H_
 
-#include <credentials/keys/key_encoding.h>
+#include <credentials/cred_encoding.h>
 
 /**
  * Encoding from ASN.1 to PEM format.
  */
-bool pem_encoder_encode(key_encoding_type_t type, chunk_t *encoding,
+bool pem_encoder_encode(cred_encoding_type_t type, chunk_t *encoding,
 						va_list args);
 
 #endif /** PEM_ENCODER_H_ @}*/
diff --git a/src/libstrongswan/plugins/pgp/Makefile.in b/src/libstrongswan/plugins/pgp/Makefile.in
index 5d487364f..a5bc5eb39 100644
--- a/src/libstrongswan/plugins/pgp/Makefile.in
+++ b/src/libstrongswan/plugins/pgp/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
diff --git a/src/libstrongswan/plugins/pgp/pgp_cert.c b/src/libstrongswan/plugins/pgp/pgp_cert.c
index cd04f3d1a..5b21b46d4 100644
--- a/src/libstrongswan/plugins/pgp/pgp_cert.c
+++ b/src/libstrongswan/plugins/pgp/pgp_cert.c
@@ -187,29 +187,19 @@ static bool get_validity(private_pgp_cert_t *this, time_t *when,
 	return (t >= this->valid && t <= until);
 }
 
-/**
- * Implementation of certificate_t.is_newer.
- */
-static bool is_newer(certificate_t *this, certificate_t *that)
-{
-	time_t this_update, that_update, now = time(NULL);
-	bool new;
-
-	this->get_validity(this, &now, &this_update, NULL);
-	that->get_validity(that, &now, &that_update, NULL);
-	new = this_update > that_update;
-	DBG1(DBG_LIB, "  certificate from %T is %s - existing certificate"
-		 " from %T %s", &this_update, FALSE, new ? "newer" : "not newer",
-		 &that_update, FALSE, new ? "replaced" : "retained");
-	return new;
-}
-
 /**
  * Implementation of certificate_t.get_encoding.
  */
-static chunk_t get_encoding(private_pgp_cert_t *this)
+static bool get_encoding(private_pgp_cert_t *this, cred_encoding_type_t type,
+						 chunk_t *encoding)
 {
-	return chunk_clone(this->encoding);
+	if (type == CERT_PGP_PKT)
+	{
+		*encoding = chunk_clone(this->encoding);
+		return TRUE;
+	}
+	return lib->encoding->encode(lib->encoding, type, NULL, encoding,
+						CRED_PART_PGP_CERT, this->encoding, CRED_PART_END);
 }
 
 /**
@@ -232,7 +222,10 @@ static bool equals(private_pgp_cert_t *this, certificate_t *other)
 	{	/* skip allocation if we have the same implementation */
 		return chunk_equals(this->encoding, ((private_pgp_cert_t*)other)->encoding);
 	}
-	encoding = other->get_encoding(other);
+	if (!other->get_encoding(other, CERT_PGP_PKT, &encoding))
+	{
+		return FALSE;
+	}
 	equal = chunk_equals(this->encoding, encoding);
 	free(encoding.ptr);
 	return equal;
@@ -276,8 +269,7 @@ private_pgp_cert_t *create_empty()
 	this->public.interface.interface.issued_by = (bool (*) (certificate_t*, certificate_t*))issued_by;
 	this->public.interface.interface.get_public_key = (public_key_t* (*) (certificate_t*))get_public_key;
 	this->public.interface.interface.get_validity = (bool (*) (certificate_t*, time_t*, time_t*, time_t*))get_validity;
-	this->public.interface.interface.is_newer = (bool (*) (certificate_t*,certificate_t*))is_newer;
-	this->public.interface.interface.get_encoding = (chunk_t (*) (certificate_t*))get_encoding;
+	this->public.interface.interface.get_encoding = (bool (*) (certificate_t*,cred_encoding_type_t,chunk_t*))get_encoding;
 	this->public.interface.interface.equals = (bool (*)(certificate_t*, certificate_t*))equals;
 	this->public.interface.interface.get_ref = (certificate_t* (*)(certificate_t*))get_ref;
 	this->public.interface.interface.destroy = (void (*)(certificate_t*))destroy;
@@ -365,7 +357,7 @@ static bool parse_public_key(private_pgp_cert_t *this, chunk_t packet)
 	else
 	{
 		/* V3 fingerprint is computed by public_key_t class */
-		if (!this->key->get_fingerprint(this->key, KEY_ID_PGPV3,
+		if (!this->key->get_fingerprint(this->key, KEYID_PGPV3,
 										&this->fingerprint))
 		{
 			return FALSE;
diff --git a/src/libstrongswan/plugins/pgp/pgp_encoder.c b/src/libstrongswan/plugins/pgp/pgp_encoder.c
index d5c3df590..9043cdb9f 100644
--- a/src/libstrongswan/plugins/pgp/pgp_encoder.c
+++ b/src/libstrongswan/plugins/pgp/pgp_encoder.c
@@ -25,8 +25,8 @@ static bool build_v3_fingerprint(chunk_t *encoding, va_list args)
 	hasher_t *hasher;
 	chunk_t n, e;
 
-	if (key_encoding_args(args, KEY_PART_RSA_MODULUS, &n,
-						  KEY_PART_RSA_PUB_EXP, &e, KEY_PART_END))
+	if (cred_encoding_args(args, CRED_PART_RSA_MODULUS, &n,
+						   CRED_PART_RSA_PUB_EXP, &e, CRED_PART_END))
 	{
 		hasher = lib->crypto->create_hasher(lib->crypto, HASH_MD5);
 		if (!hasher)
@@ -55,12 +55,12 @@ static bool build_v3_fingerprint(chunk_t *encoding, va_list args)
 /**
  * See header.
  */
-bool pgp_encoder_encode(key_encoding_type_t type, chunk_t *encoding,
-						  va_list args)
+bool pgp_encoder_encode(cred_encoding_type_t type, chunk_t *encoding,
+						va_list args)
 {
 	switch (type)
 	{
-		case KEY_ID_PGPV3:
+		case KEYID_PGPV3:
 			return build_v3_fingerprint(encoding, args);
 		default:
 			return FALSE;
diff --git a/src/libstrongswan/plugins/pgp/pgp_encoder.h b/src/libstrongswan/plugins/pgp/pgp_encoder.h
index 9df143399..b5bc2af44 100644
--- a/src/libstrongswan/plugins/pgp/pgp_encoder.h
+++ b/src/libstrongswan/plugins/pgp/pgp_encoder.h
@@ -21,12 +21,12 @@
 #ifndef PGP_ENCODER_H_
 #define PGP_ENCODER_H_
 
-#include <credentials/keys/key_encoding.h>
+#include <credentials/cred_encoding.h>
 
 /**
  * Encoding function for PGP fingerprints.
  */
-bool pgp_encoder_encode(key_encoding_type_t type, chunk_t *encoding,
+bool pgp_encoder_encode(cred_encoding_type_t type, chunk_t *encoding,
 						va_list args);
 
 #endif /** PGP_ENCODER_H_ @}*/
diff --git a/src/libstrongswan/plugins/pkcs1/Makefile.in b/src/libstrongswan/plugins/pkcs1/Makefile.in
index 3fdcd0590..947f52d82 100644
--- a/src/libstrongswan/plugins/pkcs1/Makefile.in
+++ b/src/libstrongswan/plugins/pkcs1/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
diff --git a/src/libstrongswan/plugins/pkcs1/pkcs1_encoder.c b/src/libstrongswan/plugins/pkcs1/pkcs1_encoder.c
index e46062d97..6957b2ad1 100644
--- a/src/libstrongswan/plugins/pkcs1/pkcs1_encoder.c
+++ b/src/libstrongswan/plugins/pkcs1/pkcs1_encoder.c
@@ -26,8 +26,8 @@ bool build_pub(chunk_t *encoding, va_list args)
 {
 	chunk_t n, e;
 
-	if (key_encoding_args(args, KEY_PART_RSA_MODULUS, &n,
-						  KEY_PART_RSA_PUB_EXP, &e, KEY_PART_END))
+	if (cred_encoding_args(args, CRED_PART_RSA_MODULUS, &n,
+						   CRED_PART_RSA_PUB_EXP, &e, CRED_PART_END))
 	{
 		*encoding = asn1_wrap(ASN1_SEQUENCE, "mm",
 						asn1_wrap(ASN1_INTEGER, "c", n),
@@ -44,8 +44,8 @@ bool build_pub_info(chunk_t *encoding, va_list args)
 {
 	chunk_t n, e;
 
-	if (key_encoding_args(args, KEY_PART_RSA_MODULUS, &n,
-						  KEY_PART_RSA_PUB_EXP, &e, KEY_PART_END))
+	if (cred_encoding_args(args, CRED_PART_RSA_MODULUS, &n,
+						   CRED_PART_RSA_PUB_EXP, &e, CRED_PART_END))
 	{
 		*encoding = asn1_wrap(ASN1_SEQUENCE, "mm",
 						asn1_algorithmIdentifier(OID_RSA_ENCRYPTION),
@@ -65,11 +65,11 @@ bool build_priv(chunk_t *encoding, va_list args)
 {
 	chunk_t n, e, d, p, q, exp1, exp2, coeff;
 
-	if (key_encoding_args(args, KEY_PART_RSA_MODULUS, &n,
-					KEY_PART_RSA_PUB_EXP, &e, KEY_PART_RSA_PRIV_EXP, &d,
-					KEY_PART_RSA_PRIME1, &p, KEY_PART_RSA_PRIME2, &q,
-					KEY_PART_RSA_EXP1, &exp1, KEY_PART_RSA_EXP2, &exp2,
-					KEY_PART_RSA_COEFF, &coeff, KEY_PART_END))
+	if (cred_encoding_args(args, CRED_PART_RSA_MODULUS, &n,
+					CRED_PART_RSA_PUB_EXP, &e, CRED_PART_RSA_PRIV_EXP, &d,
+					CRED_PART_RSA_PRIME1, &p, CRED_PART_RSA_PRIME2, &q,
+					CRED_PART_RSA_EXP1, &exp1, CRED_PART_RSA_EXP2, &exp2,
+					CRED_PART_RSA_COEFF, &coeff, CRED_PART_END))
 	{
 		*encoding = asn1_wrap(ASN1_SEQUENCE, "cmmssssss",
 						ASN1_INTEGER_0,
@@ -138,20 +138,20 @@ static bool build_sha1(chunk_t *encoding, va_list args)
 /**
  * See header.
  */
-bool pkcs1_encoder_encode(key_encoding_type_t type, chunk_t *encoding,
+bool pkcs1_encoder_encode(cred_encoding_type_t type, chunk_t *encoding,
 						  va_list args)
 {
 	switch (type)
 	{
-		case KEY_ID_PUBKEY_INFO_SHA1:
+		case KEYID_PUBKEY_INFO_SHA1:
 			return build_info_sha1(encoding, args);
-		case KEY_ID_PUBKEY_SHA1:
+		case KEYID_PUBKEY_SHA1:
 			return build_sha1(encoding, args);
-		case KEY_PUB_ASN1_DER:
+		case PUBKEY_ASN1_DER:
 			return build_pub(encoding, args);
-		case KEY_PUB_SPKI_ASN1_DER:
+		case PUBKEY_SPKI_ASN1_DER:
 			return build_pub_info(encoding, args);
-		case KEY_PRIV_ASN1_DER:
+		case PRIVKEY_ASN1_DER:
 			return build_priv(encoding, args);
 		default:
 			return FALSE;
diff --git a/src/libstrongswan/plugins/pkcs1/pkcs1_encoder.h b/src/libstrongswan/plugins/pkcs1/pkcs1_encoder.h
index 11d9f27f2..2eec736f1 100644
--- a/src/libstrongswan/plugins/pkcs1/pkcs1_encoder.h
+++ b/src/libstrongswan/plugins/pkcs1/pkcs1_encoder.h
@@ -21,12 +21,12 @@
 #ifndef PKCS1_ENCODER_H_
 #define PKCS1_ENCODER_H_
 
-#include <credentials/keys/key_encoding.h>
+#include <credentials/cred_encoding.h>
 
 /**
  * Encoding function for PKCS#1/ASN.1 fingerprints/key formats.
  */
-bool pkcs1_encoder_encode(key_encoding_type_t type, chunk_t *encoding,
+bool pkcs1_encoder_encode(cred_encoding_type_t type, chunk_t *encoding,
 						  va_list args);
 
 #endif /** PKCS1_ENCODER_H_ @}*/
diff --git a/src/libstrongswan/plugins/plugin_loader.c b/src/libstrongswan/plugins/plugin_loader.c
index cad279a9d..336d0bc02 100644
--- a/src/libstrongswan/plugins/plugin_loader.c
+++ b/src/libstrongswan/plugins/plugin_loader.c
@@ -118,8 +118,7 @@ static plugin_t* load_plugin(private_plugin_loader_t *this,
 	handle = dlopen(file, RTLD_LAZY);
 	if (handle == NULL)
 	{
-		DBG1(DBG_LIB, "plugin '%s': failed to load '%s' - %s", name, file,
-			 dlerror());
+		DBG1(DBG_LIB, "plugin '%s' failed to load: %s", name, dlerror());
 		return NULL;
 	}
 	constructor = dlsym(handle, create);
diff --git a/src/libstrongswan/plugins/pubkey/Makefile.in b/src/libstrongswan/plugins/pubkey/Makefile.in
index 5fe3d58f1..4dc5985cd 100644
--- a/src/libstrongswan/plugins/pubkey/Makefile.in
+++ b/src/libstrongswan/plugins/pubkey/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
diff --git a/src/libstrongswan/plugins/pubkey/pubkey_cert.c b/src/libstrongswan/plugins/pubkey/pubkey_cert.c
index f149f6379..c50189a8b 100644
--- a/src/libstrongswan/plugins/pubkey/pubkey_cert.c
+++ b/src/libstrongswan/plugins/pubkey/pubkey_cert.c
@@ -82,10 +82,10 @@ static id_match_t has_subject(private_pubkey_cert_t *this,
 {
 	if (subject->get_type(subject) == ID_KEY_ID)
 	{
-		key_encoding_type_t type;
+		cred_encoding_type_t type;
 		chunk_t fingerprint;
 
-		for (type = 0; type < KEY_ENCODING_MAX; type++)
+		for (type = 0; type < CRED_ENCODING_MAX; type++)
 		{
 			if (this->key->get_fingerprint(this->key, type, &fingerprint) &&
 				chunk_equals(fingerprint, subject->get_encoding(subject)))
@@ -160,26 +160,13 @@ static bool get_validity(private_pubkey_cert_t *this, time_t *when,
 	return TRUE;
 }
 
-/**
- * Implementation of certificate_t.is_newer.
- */
-static bool is_newer(certificate_t *this, certificate_t *that)
-{
-	return FALSE;
-}
-
 /**
  * Implementation of certificate_t.get_encoding.
  */
-static chunk_t get_encoding(private_pubkey_cert_t *this)
+static bool get_encoding(private_pubkey_cert_t *this, cred_encoding_type_t type,
+						 chunk_t *encoding)
 {
-	chunk_t encoding;
-
-	if (this->key->get_encoding(this->key, KEY_PUB_ASN1_DER, &encoding))
-	{
-		return encoding;
-	}
-	return chunk_empty;
+	return this->key->get_encoding(this->key, PUBKEY_ASN1_DER, encoding);
 }
 
 /**
@@ -221,8 +208,7 @@ static pubkey_cert_t *pubkey_cert_create(public_key_t *key)
 	this->public.interface.issued_by = (bool (*)(certificate_t *this, certificate_t *issuer))issued_by;
 	this->public.interface.get_public_key = (public_key_t* (*)(certificate_t *this))get_public_key;
 	this->public.interface.get_validity = (bool (*)(certificate_t*, time_t *when, time_t *, time_t*))get_validity;
-	this->public.interface.is_newer = (bool (*)(certificate_t*,certificate_t*))is_newer;
-	this->public.interface.get_encoding = (chunk_t (*)(certificate_t*))get_encoding;
+	this->public.interface.get_encoding = (bool (*)(certificate_t*,cred_encoding_type_t,chunk_t*))get_encoding;
 	this->public.interface.equals = (bool (*)(certificate_t*, certificate_t *other))equals;
 	this->public.interface.get_ref = (certificate_t* (*)(certificate_t *this))get_ref;
 	this->public.interface.destroy = (void (*)(certificate_t *this))destroy;
@@ -230,7 +216,7 @@ static pubkey_cert_t *pubkey_cert_create(public_key_t *key)
 	this->ref = 1;
 	this->key = key;
 	this->issuer = identification_create_from_encoding(ID_ANY, chunk_empty);
-	if (key->get_fingerprint(key, KEY_ID_PUBKEY_INFO_SHA1, &fingerprint))
+	if (key->get_fingerprint(key, KEYID_PUBKEY_INFO_SHA1, &fingerprint))
 	{
 		this->subject = identification_create_from_encoding(ID_KEY_ID, fingerprint);
 	}
diff --git a/src/libstrongswan/plugins/random/Makefile.in b/src/libstrongswan/plugins/random/Makefile.in
index 27360aa8c..af929080d 100644
--- a/src/libstrongswan/plugins/random/Makefile.in
+++ b/src/libstrongswan/plugins/random/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
diff --git a/src/libstrongswan/plugins/revocation/Makefile.am b/src/libstrongswan/plugins/revocation/Makefile.am
new file mode 100644
index 000000000..fb6d01926
--- /dev/null
+++ b/src/libstrongswan/plugins/revocation/Makefile.am
@@ -0,0 +1,16 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = -rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-revocation.la
+else
+plugin_LTLIBRARIES = libstrongswan-revocation.la
+endif
+
+libstrongswan_revocation_la_SOURCES = \
+	revocation_plugin.h revocation_plugin.c \
+	revocation_validator.h revocation_validator.c
+
+libstrongswan_revocation_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/revocation/Makefile.in b/src/libstrongswan/plugins/revocation/Makefile.in
new file mode 100644
index 000000000..871566e65
--- /dev/null
+++ b/src/libstrongswan/plugins/revocation/Makefile.in
@@ -0,0 +1,588 @@
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libstrongswan/plugins/revocation
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_revocation_la_LIBADD =
+am_libstrongswan_revocation_la_OBJECTS = revocation_plugin.lo \
+	revocation_validator.lo
+libstrongswan_revocation_la_OBJECTS =  \
+	$(am_libstrongswan_revocation_la_OBJECTS)
+libstrongswan_revocation_la_LINK = $(LIBTOOL) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_revocation_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_revocation_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_revocation_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_revocation_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_revocation_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libhydra_plugins = @libhydra_plugins@
+libstrongswan_plugins = @libstrongswan_plugins@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+AM_CFLAGS = -rdynamic
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-revocation.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-revocation.la
+libstrongswan_revocation_la_SOURCES = \
+	revocation_plugin.h revocation_plugin.c \
+	revocation_validator.h revocation_validator.c
+
+libstrongswan_revocation_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/revocation/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libstrongswan/plugins/revocation/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-revocation.la: $(libstrongswan_revocation_la_OBJECTS) $(libstrongswan_revocation_la_DEPENDENCIES) 
+	$(libstrongswan_revocation_la_LINK) $(am_libstrongswan_revocation_la_rpath) $(libstrongswan_revocation_la_OBJECTS) $(libstrongswan_revocation_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/revocation_plugin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/revocation_validator.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libstrongswan/plugins/revocation/revocation_plugin.c b/src/libstrongswan/plugins/revocation/revocation_plugin.c
new file mode 100644
index 000000000..d352a9583
--- /dev/null
+++ b/src/libstrongswan/plugins/revocation/revocation_plugin.c
@@ -0,0 +1,61 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "revocation_plugin.h"
+
+#include <library.h>
+#include "revocation_validator.h"
+
+typedef struct private_revocation_plugin_t private_revocation_plugin_t;
+
+/**
+ * private data of revocation_plugin
+ */
+struct private_revocation_plugin_t {
+
+	/**
+	 * public functions
+	 */
+	revocation_plugin_t public;
+
+	/**
+	 * Validator implementation instance.
+	 */
+	revocation_validator_t *validator;
+};
+
+METHOD(plugin_t, destroy, void,
+	private_revocation_plugin_t *this)
+{
+	lib->credmgr->remove_validator(lib->credmgr, &this->validator->validator);
+	this->validator->destroy(this->validator);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *revocation_plugin_create()
+{
+	private_revocation_plugin_t *this;
+
+	INIT(this,
+		.public.plugin.destroy = _destroy,
+		.validator = revocation_validator_create(),
+	);
+	lib->credmgr->add_validator(lib->credmgr, &this->validator->validator);
+
+	return &this->public.plugin;
+}
diff --git a/src/libstrongswan/plugins/revocation/revocation_plugin.h b/src/libstrongswan/plugins/revocation/revocation_plugin.h
new file mode 100644
index 000000000..fb886d53c
--- /dev/null
+++ b/src/libstrongswan/plugins/revocation/revocation_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup revocation revocation
+ * @ingroup plugins
+ *
+ * @defgroup revocation_plugin revocation_plugin
+ * @{ @ingroup revocation
+ */
+
+#ifndef REVOCATION_PLUGIN_H_
+#define REVOCATION_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct revocation_plugin_t revocation_plugin_t;
+
+/**
+ * X509 certificate revocation support using CRL and OCSP.
+ */
+struct revocation_plugin_t {
+
+	/**
+	 * Implements plugin_t. interface.
+	 */
+	plugin_t plugin;
+};
+
+#endif /** REVOCATION_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/revocation/revocation_validator.c b/src/libstrongswan/plugins/revocation/revocation_validator.c
new file mode 100644
index 000000000..29d2bc128
--- /dev/null
+++ b/src/libstrongswan/plugins/revocation/revocation_validator.c
@@ -0,0 +1,587 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ * Copyright (C) 2009 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "revocation_validator.h"
+
+#include <debug.h>
+#include <credentials/certificates/x509.h>
+#include <credentials/certificates/crl.h>
+#include <credentials/certificates/ocsp_request.h>
+#include <credentials/certificates/ocsp_response.h>
+#include <credentials/sets/ocsp_response_wrapper.h>
+#include <selectors/traffic_selector.h>
+
+typedef struct private_revocation_validator_t private_revocation_validator_t;
+
+/**
+ * Private data of an revocation_validator_t object.
+ */
+struct private_revocation_validator_t {
+
+	/**
+	 * Public revocation_validator_t interface.
+	 */
+	revocation_validator_t public;
+};
+
+/**
+ * Do an OCSP request
+ */
+static certificate_t *fetch_ocsp(char *url, certificate_t *subject,
+								 certificate_t *issuer)
+{
+	certificate_t *request, *response;
+	chunk_t send, receive;
+
+	/* TODO: requestor name, signature */
+	request = lib->creds->create(lib->creds,
+						CRED_CERTIFICATE, CERT_X509_OCSP_REQUEST,
+						BUILD_CA_CERT, issuer,
+						BUILD_CERT, subject, BUILD_END);
+	if (!request)
+	{
+		DBG1(DBG_CFG, "generating ocsp request failed");
+		return NULL;
+	}
+
+	if (!request->get_encoding(request, CERT_ASN1_DER, &send))
+	{
+		DBG1(DBG_CFG, "encoding ocsp request failed");
+		request->destroy(request);
+		return NULL;
+	}
+	request->destroy(request);
+
+	DBG1(DBG_CFG, "  requesting ocsp status from '%s' ...", url);
+	if (lib->fetcher->fetch(lib->fetcher, url, &receive,
+							FETCH_REQUEST_DATA, send,
+							FETCH_REQUEST_TYPE, "application/ocsp-request",
+							FETCH_END) != SUCCESS)
+	{
+		DBG1(DBG_CFG, "ocsp request to %s failed", url);
+		chunk_free(&send);
+		return NULL;
+	}
+	chunk_free(&send);
+
+	response = lib->creds->create(lib->creds,
+								  CRED_CERTIFICATE, CERT_X509_OCSP_RESPONSE,
+								  BUILD_BLOB_ASN1_DER, receive, BUILD_END);
+	chunk_free(&receive);
+	if (!response)
+	{
+		DBG1(DBG_CFG, "parsing ocsp response failed");
+		return NULL;
+	}
+	return response;
+}
+
+/**
+ * check the signature of an OCSP response
+ */
+static bool verify_ocsp(ocsp_response_t *response)
+{
+	certificate_t *issuer, *subject;
+	identification_t *responder;
+	ocsp_response_wrapper_t *wrapper;
+	enumerator_t *enumerator;
+	bool verified = FALSE;
+
+	wrapper = ocsp_response_wrapper_create((ocsp_response_t*)response);
+	lib->credmgr->add_local_set(lib->credmgr, &wrapper->set);
+
+	subject = &response->certificate;
+	responder = subject->get_issuer(subject);
+	enumerator = lib->credmgr->create_trusted_enumerator(lib->credmgr,
+													KEY_ANY, responder, FALSE);
+	while (enumerator->enumerate(enumerator, &issuer, NULL))
+	{
+		if (lib->credmgr->issued_by(lib->credmgr, subject, issuer))
+		{
+			DBG1(DBG_CFG, "  ocsp response correctly signed by \"%Y\"",
+							 issuer->get_subject(issuer));
+			verified = TRUE;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	lib->credmgr->remove_local_set(lib->credmgr, &wrapper->set);
+	wrapper->destroy(wrapper);
+	return verified;
+}
+
+/**
+ * Get the better of two OCSP responses, and check for usable OCSP info
+ */
+static certificate_t *get_better_ocsp(certificate_t *cand, certificate_t *best,
+		x509_t *subject, x509_t *issuer, cert_validation_t *valid, bool cache)
+{
+	ocsp_response_t *response;
+	time_t revocation, this_update, next_update, valid_until;
+	crl_reason_t reason;
+	bool revoked = FALSE;
+
+	response = (ocsp_response_t*)cand;
+
+	/* check ocsp signature */
+	if (!verify_ocsp(response))
+	{
+		DBG1(DBG_CFG, "ocsp response verification failed");
+		cand->destroy(cand);
+		return best;
+	}
+	/* check if response contains our certificate */
+	switch (response->get_status(response, subject, issuer, &revocation, &reason,
+								 &this_update, &next_update))
+	{
+		case VALIDATION_REVOKED:
+			/* subject has been revoked by a valid OCSP response */
+			DBG1(DBG_CFG, "certificate was revoked on %T, reason: %N",
+						  &revocation, TRUE, crl_reason_names, reason);
+			revoked = TRUE;
+			break;
+		case VALIDATION_GOOD:
+			/* results in either good or stale */
+			break;
+		default:
+		case VALIDATION_FAILED:
+			/* candidate unusable, does not contain our cert */
+			DBG1(DBG_CFG, "  ocsp response contains no status on our certificate");
+			cand->destroy(cand);
+			return best;
+	}
+
+	/* select the better of the two responses */
+	if (best == NULL || certificate_is_newer(cand, best))
+	{
+		DESTROY_IF(best);
+		best = cand;
+		if (best->get_validity(best, NULL, NULL, &valid_until))
+		{
+			DBG1(DBG_CFG, "  ocsp response is valid: until %T",
+							 &valid_until, FALSE);
+			*valid = VALIDATION_GOOD;
+			if (cache)
+			{	/* cache non-stale only, stale certs get refetched */
+				lib->credmgr->cache_cert(lib->credmgr, best);
+			}
+		}
+		else
+		{
+			DBG1(DBG_CFG, "  ocsp response is stale: since %T",
+							 &valid_until, FALSE);
+			*valid = VALIDATION_STALE;
+		}
+	}
+	else
+	{
+		*valid = VALIDATION_STALE;
+		cand->destroy(cand);
+	}
+	if (revoked)
+	{	/* revoked always counts, even if stale */
+		*valid = VALIDATION_REVOKED;
+	}
+	return best;
+}
+
+/**
+ * validate a x509 certificate using OCSP
+ */
+static cert_validation_t check_ocsp(x509_t *subject, x509_t *issuer,
+									auth_cfg_t *auth)
+{
+	enumerator_t *enumerator;
+	cert_validation_t valid = VALIDATION_SKIPPED;
+	certificate_t *best = NULL, *current;
+	identification_t *keyid = NULL;
+	public_key_t *public;
+	chunk_t chunk;
+	char *uri = NULL;
+
+	/** lookup cache for valid OCSP responses */
+	enumerator = lib->credmgr->create_cert_enumerator(lib->credmgr,
+								CERT_X509_OCSP_RESPONSE, KEY_ANY, NULL, FALSE);
+	while (enumerator->enumerate(enumerator, &current))
+	{
+		current->get_ref(current);
+		best = get_better_ocsp(current, best, subject, issuer, &valid, FALSE);
+		if (best && valid != VALIDATION_STALE)
+		{
+			DBG1(DBG_CFG, "  using cached ocsp response");
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	/* derive the authorityKeyIdentifier from the issuer's public key */
+	current = &issuer->interface;
+	public = current->get_public_key(current);
+	if (public && public->get_fingerprint(public, KEYID_PUBKEY_SHA1, &chunk))
+	{
+		keyid = identification_create_from_encoding(ID_KEY_ID, chunk);
+	}
+	/** fetch from configured OCSP responder URLs */
+	if (keyid && valid != VALIDATION_GOOD && valid != VALIDATION_REVOKED)
+	{
+		enumerator = lib->credmgr->create_cdp_enumerator(lib->credmgr,
+											CERT_X509_OCSP_RESPONSE, keyid);
+		while (enumerator->enumerate(enumerator, &uri))
+		{
+			current = fetch_ocsp(uri, &subject->interface, &issuer->interface);
+			if (current)
+			{
+				best = get_better_ocsp(current, best, subject, issuer,
+									   &valid, TRUE);
+				if (best && valid != VALIDATION_STALE)
+				{
+					break;
+				}
+			}
+		}
+		enumerator->destroy(enumerator);
+	}
+	DESTROY_IF(public);
+	DESTROY_IF(keyid);
+
+	/* fallback to URL fetching from subject certificate's URIs */
+	if (valid != VALIDATION_GOOD && valid != VALIDATION_REVOKED)
+	{
+		enumerator = subject->create_ocsp_uri_enumerator(subject);
+		while (enumerator->enumerate(enumerator, &uri))
+		{
+			current = fetch_ocsp(uri, &subject->interface, &issuer->interface);
+			if (current)
+			{
+				best = get_better_ocsp(current, best, subject, issuer,
+									   &valid, TRUE);
+				if (best && valid != VALIDATION_STALE)
+				{
+					break;
+				}
+			}
+		}
+		enumerator->destroy(enumerator);
+	}
+	/* an uri was found, but no result. switch validation state to failed */
+	if (valid == VALIDATION_SKIPPED && uri)
+	{
+		valid = VALIDATION_FAILED;
+	}
+	if (auth)
+	{
+		auth->add(auth, AUTH_RULE_OCSP_VALIDATION, valid);
+		if (valid == VALIDATION_GOOD)
+		{	/* successful OCSP check fulfills also CRL constraint */
+			auth->add(auth, AUTH_RULE_CRL_VALIDATION, VALIDATION_GOOD);
+		}
+	}
+	DESTROY_IF(best);
+	return valid;
+}
+
+/**
+ * fetch a CRL from an URL
+ */
+static certificate_t* fetch_crl(char *url)
+{
+	certificate_t *crl;
+	chunk_t chunk;
+
+	DBG1(DBG_CFG, "  fetching crl from '%s' ...", url);
+	if (lib->fetcher->fetch(lib->fetcher, url, &chunk, FETCH_END) != SUCCESS)
+	{
+		DBG1(DBG_CFG, "crl fetching failed");
+		return NULL;
+	}
+	crl = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL,
+							 BUILD_BLOB_ASN1_DER, chunk, BUILD_END);
+	chunk_free(&chunk);
+	if (!crl)
+	{
+		DBG1(DBG_CFG, "crl fetched successfully but parsing failed");
+		return NULL;
+	}
+	return crl;
+}
+
+/**
+ * check the signature of an CRL
+ */
+static bool verify_crl(certificate_t *crl)
+{
+	certificate_t *issuer;
+	enumerator_t *enumerator;
+	bool verified = FALSE;
+
+	enumerator = lib->credmgr->create_trusted_enumerator(lib->credmgr,
+										KEY_ANY, crl->get_issuer(crl), FALSE);
+	while (enumerator->enumerate(enumerator, &issuer, NULL))
+	{
+		if (lib->credmgr->issued_by(lib->credmgr, crl, issuer))
+		{
+			DBG1(DBG_CFG, "  crl correctly signed by \"%Y\"",
+						   issuer->get_subject(issuer));
+			verified = TRUE;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	return verified;
+}
+
+/**
+ * Get the better of two CRLs, and check for usable CRL info
+ */
+static certificate_t *get_better_crl(certificate_t *cand, certificate_t *best,
+		x509_t *subject, x509_t *issuer, cert_validation_t *valid, bool cache)
+{
+	enumerator_t *enumerator;
+	time_t revocation, valid_until;
+	crl_reason_t reason;
+	chunk_t serial;
+	crl_t *crl;
+
+	/* check CRL signature */
+	if (!verify_crl(cand))
+	{
+		DBG1(DBG_CFG, "crl response verification failed");
+		cand->destroy(cand);
+		return best;
+	}
+
+	crl = (crl_t*)cand;
+	enumerator = crl->create_enumerator(crl);
+	while (enumerator->enumerate(enumerator, &serial, &revocation, &reason))
+	{
+		if (chunk_equals(serial, subject->get_serial(subject)))
+		{
+			DBG1(DBG_CFG, "certificate was revoked on %T, reason: %N",
+				 &revocation, TRUE, crl_reason_names, reason);
+			*valid = VALIDATION_REVOKED;
+			enumerator->destroy(enumerator);
+			DESTROY_IF(best);
+			return cand;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	/* select the better of the two CRLs */
+	if (best == NULL || crl_is_newer(crl, (crl_t*)best))
+	{
+		DESTROY_IF(best);
+		best = cand;
+		if (best->get_validity(best, NULL, NULL, &valid_until))
+		{
+			DBG1(DBG_CFG, "  crl is valid: until %T", &valid_until, FALSE);
+			*valid = VALIDATION_GOOD;
+			if (cache)
+			{	/* we cache non-stale crls only, as a stale crls are refetched */
+				lib->credmgr->cache_cert(lib->credmgr, best);
+			}
+		}
+		else
+		{
+			DBG1(DBG_CFG, "  crl is stale: since %T", &valid_until, FALSE);
+			*valid = VALIDATION_STALE;
+		}
+	}
+	else
+	{
+		*valid = VALIDATION_STALE;
+		cand->destroy(cand);
+	}
+	return best;
+}
+
+/**
+ * validate a x509 certificate using CRL
+ */
+static cert_validation_t check_crl(x509_t *subject, x509_t *issuer,
+								   auth_cfg_t *auth)
+{
+	cert_validation_t valid = VALIDATION_SKIPPED;
+	identification_t *keyid = NULL;
+	certificate_t *best = NULL;
+	certificate_t *current;
+	public_key_t *public;
+	enumerator_t *enumerator;
+	chunk_t chunk;
+	char *uri = NULL;
+
+	/* derive the authorityKeyIdentifier from the issuer's public key */
+	current = &issuer->interface;
+	public = current->get_public_key(current);
+	if (public && public->get_fingerprint(public, KEYID_PUBKEY_SHA1, &chunk))
+	{
+		keyid = identification_create_from_encoding(ID_KEY_ID, chunk);
+
+		/* find a cached crl by authorityKeyIdentifier */
+		enumerator = lib->credmgr->create_cert_enumerator(lib->credmgr,
+										CERT_X509_CRL, KEY_ANY, keyid, FALSE);
+		while (enumerator->enumerate(enumerator, &current))
+		{
+			current->get_ref(current);
+			best = get_better_crl(current, best, subject, issuer,
+								  &valid, FALSE);
+			if (best && valid != VALIDATION_STALE)
+			{
+				DBG1(DBG_CFG, "  using cached crl");
+				break;
+			}
+		}
+		enumerator->destroy(enumerator);
+
+		/* fallback to fetching crls from credential sets cdps */
+		if (valid != VALIDATION_GOOD && valid != VALIDATION_REVOKED)
+		{
+			enumerator = lib->credmgr->create_cdp_enumerator(lib->credmgr,
+														CERT_X509_CRL, keyid);
+			while (enumerator->enumerate(enumerator, &uri))
+			{
+				current = fetch_crl(uri);
+				if (current)
+				{
+					best = get_better_crl(current, best, subject, issuer,
+										  &valid, TRUE);
+					if (best && valid != VALIDATION_STALE)
+					{
+						break;
+					}
+				}
+			}
+			enumerator->destroy(enumerator);
+		}
+		keyid->destroy(keyid);
+	}
+	DESTROY_IF(public);
+
+	/* fallback to fetching crls from cdps from subject's certificate */
+	if (valid != VALIDATION_GOOD && valid != VALIDATION_REVOKED)
+	{
+		enumerator = subject->create_crl_uri_enumerator(subject);
+
+		while (enumerator->enumerate(enumerator, &uri))
+		{
+			current = fetch_crl(uri);
+			if (current)
+			{
+				best = get_better_crl(current, best, subject, issuer,
+									  &valid, TRUE);
+				if (best && valid != VALIDATION_STALE)
+				{
+					break;
+				}
+			}
+		}
+		enumerator->destroy(enumerator);
+	}
+
+	/* an uri was found, but no result. switch validation state to failed */
+	if (valid == VALIDATION_SKIPPED && uri)
+	{
+		valid = VALIDATION_FAILED;
+	}
+	if (auth)
+	{
+		if (valid == VALIDATION_SKIPPED)
+		{	/* if we skipped CRL validation, we use the result of OCSP for
+			 * constraint checking */
+			auth->add(auth, AUTH_RULE_CRL_VALIDATION,
+					  auth->get(auth, AUTH_RULE_OCSP_VALIDATION));
+		}
+		else
+		{
+			auth->add(auth, AUTH_RULE_CRL_VALIDATION, valid);
+		}
+	}
+	DESTROY_IF(best);
+	return valid;
+}
+
+METHOD(cert_validator_t, validate, bool,
+	private_revocation_validator_t *this, certificate_t *subject,
+	certificate_t *issuer, bool online, int pathlen, auth_cfg_t *auth)
+{
+	if (subject->get_type(subject) == CERT_X509 &&
+		issuer->get_type(issuer) == CERT_X509 &&
+		online)
+	{
+		DBG1(DBG_CFG, "checking certificate status of \"%Y\"",
+					   subject->get_subject(subject));
+		switch (check_ocsp((x509_t*)subject, (x509_t*)issuer, auth))
+		{
+			case VALIDATION_GOOD:
+				DBG1(DBG_CFG, "certificate status is good");
+				return TRUE;
+			case VALIDATION_REVOKED:
+				/* has already been logged */
+				return FALSE;
+			case VALIDATION_SKIPPED:
+				DBG2(DBG_CFG, "ocsp check skipped, no ocsp found");
+				break;
+			case VALIDATION_STALE:
+				DBG1(DBG_CFG, "ocsp information stale, fallback to crl");
+				break;
+			case VALIDATION_FAILED:
+				DBG1(DBG_CFG, "ocsp check failed, fallback to crl");
+				break;
+		}
+		switch (check_crl((x509_t*)subject, (x509_t*)issuer, auth))
+		{
+			case VALIDATION_GOOD:
+				DBG1(DBG_CFG, "certificate status is good");
+				return TRUE;
+			case VALIDATION_REVOKED:
+				/* has already been logged */
+				return FALSE;
+			case VALIDATION_FAILED:
+			case VALIDATION_SKIPPED:
+				DBG1(DBG_CFG, "certificate status is not available");
+				break;
+			case VALIDATION_STALE:
+				DBG1(DBG_CFG, "certificate status is unknown, crl is stale");
+				break;
+		}
+	}
+	return TRUE;
+}
+
+METHOD(revocation_validator_t, destroy, void,
+	private_revocation_validator_t *this)
+{
+	free(this);
+}
+
+/**
+ * See header
+ */
+revocation_validator_t *revocation_validator_create()
+{
+	private_revocation_validator_t *this;
+
+	INIT(this,
+		.public = {
+			.validator.validate = _validate,
+			.destroy = _destroy,
+		},
+	);
+
+	return &this->public;
+}
diff --git a/src/libstrongswan/plugins/revocation/revocation_validator.h b/src/libstrongswan/plugins/revocation/revocation_validator.h
new file mode 100644
index 000000000..82cbde26b
--- /dev/null
+++ b/src/libstrongswan/plugins/revocation/revocation_validator.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup revocation_validator revocation_validator
+ * @{ @ingroup revocation
+ */
+
+#ifndef REVOCATION_VALIDATOR_H_
+#define REVOCATION_VALIDATOR_H_
+
+#include <credentials/cert_validator.h>
+
+typedef struct revocation_validator_t revocation_validator_t;
+
+/**
+ * Certificate validator doing CRL/OCSP checking of X509 certificates.
+ */
+struct revocation_validator_t {
+
+	/**
+	 * Implements cert_validator_t interface.
+	 */
+	cert_validator_t validator;
+
+	/**
+	 * Destroy a revocation_validator_t.
+	 */
+	void (*destroy)(revocation_validator_t *this);
+};
+
+/**
+ * Create a revocation_validator instance.
+ */
+revocation_validator_t *revocation_validator_create();
+
+#endif /** REVOCATION_VALIDATOR_H_ @}*/
diff --git a/src/libstrongswan/plugins/sha1/Makefile.in b/src/libstrongswan/plugins/sha1/Makefile.in
index dacb5be4b..703764e5e 100644
--- a/src/libstrongswan/plugins/sha1/Makefile.in
+++ b/src/libstrongswan/plugins/sha1/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
diff --git a/src/libstrongswan/plugins/sha2/Makefile.in b/src/libstrongswan/plugins/sha2/Makefile.in
index 6db4374c8..5e490f2e5 100644
--- a/src/libstrongswan/plugins/sha2/Makefile.in
+++ b/src/libstrongswan/plugins/sha2/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
diff --git a/src/libstrongswan/plugins/sqlite/Makefile.in b/src/libstrongswan/plugins/sqlite/Makefile.in
index cb466ad03..6d81d0d81 100644
--- a/src/libstrongswan/plugins/sqlite/Makefile.in
+++ b/src/libstrongswan/plugins/sqlite/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
diff --git a/src/libstrongswan/plugins/test_vectors/Makefile.in b/src/libstrongswan/plugins/test_vectors/Makefile.in
index dbe62c056..20a6db81e 100644
--- a/src/libstrongswan/plugins/test_vectors/Makefile.in
+++ b/src/libstrongswan/plugins/test_vectors/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
diff --git a/src/libstrongswan/plugins/x509/Makefile.in b/src/libstrongswan/plugins/x509/Makefile.in
index 2bee453cd..f40427f3f 100644
--- a/src/libstrongswan/plugins/x509/Makefile.in
+++ b/src/libstrongswan/plugins/x509/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
diff --git a/src/libstrongswan/plugins/x509/x509_ac.c b/src/libstrongswan/plugins/x509/x509_ac.c
index 95e72789e..ba0357cc4 100644
--- a/src/libstrongswan/plugins/x509/x509_ac.c
+++ b/src/libstrongswan/plugins/x509/x509_ac.c
@@ -568,7 +568,7 @@ static chunk_t build_authorityKeyIdentifier(private_x509_ac_t *this)
 	public = this->signerCert->get_public_key(this->signerCert);
 	if (public)
 	{
-		if (public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1, &keyIdentifier))
+		if (public->get_fingerprint(public, KEYID_PUBKEY_SHA1, &keyIdentifier))
 		{
 			this->authKeyIdentifier = chunk_clone(keyIdentifier);
 		}
@@ -749,7 +749,7 @@ static bool issued_by(private_x509_ac_t *this, certificate_t *issuer)
 	{
 		chunk_t fingerprint;
 
-		if (!key->get_fingerprint(key, KEY_ID_PUBKEY_SHA1, &fingerprint) ||
+		if (!key->get_fingerprint(key, KEYID_PUBKEY_SHA1, &fingerprint) ||
 			!chunk_equals(fingerprint, this->authKeyIdentifier))
 		{
 			return FALSE;
@@ -812,31 +812,19 @@ static bool get_validity(private_x509_ac_t *this, time_t *when,
 	return (t >= this->notBefore && t <= this->notAfter);
 }
 
-/**
- * Implementation of certificate_t.is_newer.
- */
-static bool is_newer(private_x509_ac_t *this, ac_t *that)
-{
-	certificate_t *this_cert = &this->public.interface.certificate;
-	certificate_t *that_cert = &that->certificate;
-	time_t this_update, that_update, now = time(NULL);
-	bool new;
-
-	this_cert->get_validity(this_cert, &now, &this_update, NULL);
-	that_cert->get_validity(that_cert, &now, &that_update, NULL);
-	new = this_update > that_update;
-	DBG1(DBG_LIB, "  attr cert from %T is %s - existing attr cert from %T %s",
-		 &this_update, FALSE, new ? "newer":"not newer",
-		 &that_update, FALSE, new ? "replaced":"retained");
-	return new;
-}
-
 /**
  * Implementation of certificate_t.get_encoding.
  */
-static chunk_t get_encoding(private_x509_ac_t *this)
+static bool get_encoding(private_x509_ac_t *this, cred_encoding_type_t type,
+						 chunk_t *encoding)
 {
-	return chunk_clone(this->encoding);
+	if (type == CERT_ASN1_DER)
+	{
+		*encoding = chunk_clone(this->encoding);
+		return TRUE;
+	}
+	return lib->encoding->encode(lib->encoding, type, NULL, encoding,
+					CRED_PART_X509_AC_ASN1_DER, this->encoding, CRED_PART_END);
 }
 
 /**
@@ -855,7 +843,10 @@ static bool equals(private_x509_ac_t *this, certificate_t *other)
 	{	/* skip allocation if we have the same implementation */
 		return chunk_equals(this->encoding, ((private_x509_ac_t*)other)->encoding);
 	}
-	encoding = other->get_encoding(other);
+	if (!other->get_encoding(other, CERT_ASN1_DER, &encoding))
+	{
+		return FALSE;
+	}
 	equal = chunk_equals(this->encoding, encoding);
 	free(encoding.ptr);
 	return equal;
@@ -904,8 +895,7 @@ static private_x509_ac_t *create_empty(void)
 	this->public.interface.certificate.issued_by = (bool (*)(certificate_t *this, certificate_t *issuer))issued_by;
 	this->public.interface.certificate.get_public_key = (public_key_t* (*)(certificate_t *this))get_public_key;
 	this->public.interface.certificate.get_validity = (bool(*)(certificate_t*, time_t *when, time_t *, time_t*))get_validity;
-	this->public.interface.certificate.is_newer = (bool (*)(certificate_t*,certificate_t*))is_newer;
-	this->public.interface.certificate.get_encoding = (chunk_t(*)(certificate_t*))get_encoding;
+	this->public.interface.certificate.get_encoding = (bool(*)(certificate_t*,cred_encoding_type_t,chunk_t*))get_encoding;
 	this->public.interface.certificate.equals = (bool(*)(certificate_t*, certificate_t *other))equals;
 	this->public.interface.certificate.get_ref = (certificate_t* (*)(certificate_t *this))get_ref;
 	this->public.interface.certificate.destroy = (void (*)(certificate_t *this))destroy;
diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c
index bdbaa8d4a..92b576aa5 100644
--- a/src/libstrongswan/plugins/x509/x509_cert.c
+++ b/src/libstrongswan/plugins/x509/x509_cert.c
@@ -366,7 +366,17 @@ static identification_t *parse_generalName(chunk_t blob, int level0)
 				id_type = ID_DER_ASN1_DN;
 				break;
 			case GN_OBJ_IP_ADDRESS:
-				id_type = ID_IPV4_ADDR;
+				switch (object.len)
+				{
+					case 4:
+						id_type = ID_IPV4_ADDR;
+						break;
+					case 16:
+						id_type = ID_IPV6_ADDR;
+						break;
+					default:
+						break;
+				}
 				break;
 			case GN_OBJ_OTHER_NAME:
 				if (!parse_otherName(object, parser->get_level(parser)+1))
@@ -1208,29 +1218,19 @@ static bool get_validity(private_x509_cert_t *this, time_t *when,
 	return (t >= this->notBefore && t <= this->notAfter);
 }
 
-/**
- * Implementation of certificate_t.is_newer.
- */
-static bool is_newer(certificate_t *this, certificate_t *that)
-{
-	time_t this_update, that_update, now = time(NULL);
-	bool new;
-
-	this->get_validity(this, &now, &this_update, NULL);
-	that->get_validity(that, &now, &that_update, NULL);
-	new = this_update > that_update;
-	DBG1(DBG_LIB, "  certificate from %T is %s - existing certificate "
-		 "from %T %s", &this_update, FALSE, new ? "newer":"not newer",
-		 &that_update, FALSE, new ? "replaced":"retained");
-	return new;
-}
-
 /**
  * Implementation of certificate_t.get_encoding.
  */
-static chunk_t get_encoding(private_x509_cert_t *this)
+static bool get_encoding(private_x509_cert_t *this, cred_encoding_type_t type,
+						 chunk_t *encoding)
 {
-	return chunk_clone(this->encoding);
+	if (type == CERT_ASN1_DER)
+	{
+		*encoding = chunk_clone(this->encoding);
+		return TRUE;
+	}
+	return lib->encoding->encode(lib->encoding, type, NULL, encoding,
+						CRED_PART_X509_ASN1_DER, this->encoding, CRED_PART_END);
 }
 
 /**
@@ -1253,7 +1253,10 @@ static bool equals(private_x509_cert_t *this, certificate_t *other)
 	{	/* skip allocation if we have the same implementation */
 		return chunk_equals(this->encoding, ((private_x509_cert_t*)other)->encoding);
 	}
-	encoding = other->get_encoding(other);
+	if (!other->get_encoding(other, CERT_ASN1_DER, &encoding))
+	{
+		return FALSE;
+	}
 	equal = chunk_equals(this->encoding, encoding);
 	free(encoding.ptr);
 	return equal;
@@ -1281,7 +1284,7 @@ static chunk_t get_subjectKeyIdentifier(private_x509_cert_t *this)
 		chunk_t fingerprint;
 
 		if (this->public_key->get_fingerprint(this->public_key,
-					 				KEY_ID_PUBKEY_SHA1, &fingerprint))
+					 				KEYID_PUBKEY_SHA1, &fingerprint))
 		{
 			return fingerprint;
 		}
@@ -1383,8 +1386,7 @@ static private_x509_cert_t* create_empty(void)
 	this->public.interface.interface.issued_by = (bool (*) (certificate_t*, certificate_t*))issued_by;
 	this->public.interface.interface.get_public_key = (public_key_t* (*) (certificate_t*))get_public_key;
 	this->public.interface.interface.get_validity = (bool (*) (certificate_t*, time_t*, time_t*, time_t*))get_validity;
-	this->public.interface.interface.is_newer = (bool (*) (certificate_t*,certificate_t*))is_newer;
-	this->public.interface.interface.get_encoding = (chunk_t (*) (certificate_t*))get_encoding;
+	this->public.interface.interface.get_encoding = (bool (*) (certificate_t*,cred_encoding_type_t,chunk_t*))get_encoding;
 	this->public.interface.interface.equals = (bool (*)(certificate_t*, certificate_t*))equals;
 	this->public.interface.interface.get_ref = (certificate_t* (*)(certificate_t*))get_ref;
 	this->public.interface.interface.destroy = (void (*)(certificate_t*))destroy;
@@ -1536,7 +1538,7 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
 	scheme = signature_scheme_from_oid(cert->algorithm);
 
 	if (!cert->public_key->get_encoding(cert->public_key,
-										KEY_PUB_SPKI_ASN1_DER, &key_info))
+										PUBKEY_SPKI_ASN1_DER, &key_info))
 	{
 		return FALSE;
 	}
@@ -1650,7 +1652,7 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
 		chunk_t keyid;
 
 		if (cert->public_key->get_fingerprint(cert->public_key,
-											  KEY_ID_PUBKEY_SHA1, &keyid))
+											  KEYID_PUBKEY_SHA1, &keyid))
 		{
 			subjectKeyIdentifier = asn1_wrap(ASN1_SEQUENCE, "mm",
 									asn1_build_known_oid(OID_SUBJECT_KEY_ID),
@@ -1664,7 +1666,7 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
 	{
 		chunk_t keyid;
 
-		if (sign_key->get_fingerprint(sign_key, KEY_ID_PUBKEY_SHA1, &keyid))
+		if (sign_key->get_fingerprint(sign_key, KEYID_PUBKEY_SHA1, &keyid))
 		{
 			authKeyIdentifier = asn1_wrap(ASN1_SEQUENCE, "mm",
 							asn1_build_known_oid(OID_AUTHORITY_KEY_ID),
diff --git a/src/libstrongswan/plugins/x509/x509_crl.c b/src/libstrongswan/plugins/x509/x509_crl.c
index c755d7f63..4bd0470d3 100644
--- a/src/libstrongswan/plugins/x509/x509_crl.c
+++ b/src/libstrongswan/plugins/x509/x509_crl.c
@@ -26,6 +26,7 @@ typedef struct revoked_t revoked_t;
 #include <asn1/asn1.h>
 #include <asn1/asn1_parser.h>
 #include <credentials/certificates/x509.h>
+#include <credentials/keys/private_key.h>
 #include <utils/linked_list.h>
 
 /**
@@ -118,6 +119,11 @@ struct private_x509_crl_t {
 	 */
 	chunk_t signature;
 
+	/**
+	 * has this CRL been generated
+	 */
+	bool generated;
+
 	/**
 	 * reference counter
 	 */
@@ -236,7 +242,7 @@ static bool parse(private_x509_crl_t *this)
 				break;
 			case CRL_OBJ_REVOCATION_DATE:
 				revoked = malloc_thing(revoked_t);
-				revoked->serial = userCertificate;
+				revoked->serial = chunk_clone(userCertificate);
 				revoked->date = asn1_parse_time(object, level);
 				revoked->reason = CRL_REASON_UNSPECIFIED;
 				this->revoked->insert_last(this->revoked, (void *)revoked);
@@ -267,7 +273,6 @@ static bool parse(private_x509_crl_t *this)
 					}
 					else if (extn_oid == OID_AUTHORITY_KEY_ID)
 					{
-
 						this->authKeyIdentifier = x509_parse_authorityKeyIdentifier(object,
 														level, &this->authKeySerialNumber);
 					}
@@ -327,52 +332,40 @@ static bool filter(void *data, revoked_t **revoked, chunk_t *serial, void *p2,
 	return TRUE;
 }
 
-/**
- * Implementation of crl_t.get_serial.
- */
-static chunk_t get_serial(private_x509_crl_t *this)
+METHOD(crl_t, get_serial, chunk_t,
+	private_x509_crl_t *this)
 {
 	return this->crlNumber;
 }
 
-/**
- * Implementation of crl_t.get_authKeyIdentifier.
- */
-static chunk_t get_authKeyIdentifier(private_x509_crl_t *this)
+METHOD(crl_t, get_authKeyIdentifier, chunk_t,
+	private_x509_crl_t *this)
 {
 	return this->authKeyIdentifier;
 }
 
-/**
- * Implementation of crl_t.create_enumerator.
- */
-static enumerator_t* create_enumerator(private_x509_crl_t *this)
+METHOD(crl_t, create_enumerator, enumerator_t*,
+	private_x509_crl_t *this)
 {
 	return enumerator_create_filter(
 								this->revoked->create_enumerator(this->revoked),
 								(void*)filter, NULL, NULL);
 }
 
-/**
- * Implementation of certificate_t.get_type
- */
-static certificate_type_t get_type(private_x509_crl_t *this)
+METHOD(certificate_t, get_type, certificate_type_t,
+	private_x509_crl_t *this)
 {
 	return CERT_X509_CRL;
 }
 
-/**
- * Implementation of certificate_t.get_issuer and get_subject
- */
-static identification_t* get_issuer(private_x509_crl_t *this)
+METHOD(certificate_t, get_issuer, identification_t*,
+	private_x509_crl_t *this)
 {
 	return this->issuer;
 }
 
-/**
- * Implementation of certificate_t.has_subject and has_issuer.
- */
-static id_match_t has_issuer(private_x509_crl_t *this, identification_t *issuer)
+METHOD(certificate_t, has_issuer, id_match_t,
+	private_x509_crl_t *this, identification_t *issuer)
 {
 	if (issuer->get_type(issuer) == ID_KEY_ID && this->authKeyIdentifier.ptr &&
 		chunk_equals(this->authKeyIdentifier, issuer->get_encoding(issuer)))
@@ -382,10 +375,8 @@ static id_match_t has_issuer(private_x509_crl_t *this, identification_t *issuer)
 	return this->issuer->matches(this->issuer, issuer);
 }
 
-/**
- * Implementation of certificate_t.issued_by
- */
-static bool issued_by(private_x509_crl_t *this, certificate_t *issuer)
+METHOD(certificate_t, issued_by, bool,
+	private_x509_crl_t *this, certificate_t *issuer)
 {
 	public_key_t *key;
 	signature_scheme_t scheme;
@@ -410,7 +401,7 @@ static bool issued_by(private_x509_crl_t *this, certificate_t *issuer)
 	{
 		chunk_t fingerprint;
 
-		if (!key->get_fingerprint(key, KEY_ID_PUBKEY_SHA1, &fingerprint) ||
+		if (!key->get_fingerprint(key, KEYID_PUBKEY_SHA1, &fingerprint) ||
 			!chunk_equals(fingerprint, this->authKeyIdentifier))
 		{
 			return FALSE;
@@ -436,28 +427,22 @@ static bool issued_by(private_x509_crl_t *this, certificate_t *issuer)
 	return valid;
 }
 
-/**
- * Implementation of certificate_t.get_public_key
- */
-static public_key_t* get_public_key(private_x509_crl_t *this)
+METHOD(certificate_t, get_public_key, public_key_t*,
+	private_x509_crl_t *this)
 {
 	return NULL;
 }
 
-/**
- * Implementation of certificate_t.asdf
- */
-static private_x509_crl_t* get_ref(private_x509_crl_t *this)
+METHOD(certificate_t, get_ref, certificate_t*,
+	private_x509_crl_t *this)
 {
 	ref_get(&this->ref);
-	return this;
+	return &this->public.crl.certificate;
 }
 
-/**
- * Implementation of certificate_t.get_validity.
- */
-static bool get_validity(private_x509_crl_t *this, time_t *when,
-						 time_t *not_before, time_t *not_after)
+METHOD(certificate_t, get_validity, bool,
+	private_x509_crl_t *this, time_t *when,
+	time_t *not_before, time_t *not_after)
 {
 	time_t t = when ? *when : time(NULL);
 
@@ -472,51 +457,20 @@ static bool get_validity(private_x509_crl_t *this, time_t *when,
 	return (t <= this->nextUpdate);
 }
 
-/**
- * Implementation of certificate_t.is_newer.
- */
-static bool is_newer(private_x509_crl_t *this, crl_t *that)
+METHOD(certificate_t, get_encoding, bool,
+	private_x509_crl_t *this, cred_encoding_type_t type, chunk_t *encoding)
 {
-	chunk_t that_crlNumber = that->get_serial(that);
-	bool new;
-
-	/* compare crlNumbers if available - otherwise use thisUpdate */
-	if (this->crlNumber.ptr != NULL && that_crlNumber.ptr != NULL)
+	if (type == CERT_ASN1_DER)
 	{
-		new = chunk_compare(this->crlNumber, that_crlNumber) > 0;
-		DBG1(DBG_LIB, "  crl #%#B is %s - existing crl #%#B %s",
-				&this->crlNumber, new ? "newer":"not newer",
-				&that_crlNumber,  new ? "replaced":"retained");
-	}
-	else
-	{
-		certificate_t *this_cert = &this->public.crl.certificate;
-		certificate_t *that_cert = &that->certificate;
-
-		time_t this_update, that_update, now = time(NULL);
-
-		this_cert->get_validity(this_cert, &now, &this_update, NULL);
-		that_cert->get_validity(that_cert, &now, &that_update, NULL);
-		new = this_update > that_update;
-		DBG1(DBG_LIB, "  crl from %T is %s - existing crl from %T %s",
-				&this_update, FALSE, new ? "newer":"not newer",
-				&that_update, FALSE, new ? "replaced":"retained");
+		*encoding = chunk_clone(this->encoding);
+		return TRUE;
 	}
-	return new;
-}
-
-/**
- * Implementation of certificate_t.get_encoding.
- */
-static chunk_t get_encoding(private_x509_crl_t *this)
-{
-	return chunk_clone(this->encoding);
+	return lib->encoding->encode(lib->encoding, type, NULL, encoding,
+					CRED_PART_X509_CRL_ASN1_DER, this->encoding, CRED_PART_END);
 }
 
-/**
- * Implementation of certificate_t.equals.
- */
-static bool equals(private_x509_crl_t *this, certificate_t *other)
+METHOD(certificate_t, equals, bool,
+	private_x509_crl_t *this, certificate_t *other)
 {
 	chunk_t encoding;
 	bool equal;
@@ -529,23 +483,39 @@ static bool equals(private_x509_crl_t *this, certificate_t *other)
 	{	/* skip allocation if we have the same implementation */
 		return chunk_equals(this->encoding, ((private_x509_crl_t*)other)->encoding);
 	}
-	encoding = other->get_encoding(other);
+	if (!other->get_encoding(other, CERT_ASN1_DER, &encoding))
+	{
+		return FALSE;
+	}
 	equal = chunk_equals(this->encoding, encoding);
 	free(encoding.ptr);
 	return equal;
 }
 
 /**
- * Implementation of certificate_t.destroy
+ * Destroy a revoked_t entry
  */
-static void destroy(private_x509_crl_t *this)
+static void revoked_destroy(revoked_t *revoked)
+{
+	free(revoked->serial.ptr);
+	free(revoked);
+}
+
+METHOD(certificate_t, destroy, void,
+	private_x509_crl_t *this)
 {
 	if (ref_put(&this->ref))
 	{
-		this->revoked->destroy_function(this->revoked, free);
+		this->revoked->destroy_function(this->revoked, (void*)revoked_destroy);
 		DESTROY_IF(this->issuer);
 		free(this->authKeyIdentifier.ptr);
 		free(this->encoding.ptr);
+		if (this->generated)
+		{
+			free(this->crlNumber.ptr);
+			free(this->signature.ptr);
+			free(this->tbsCertList.ptr);
+		}
 		free(this);
 	}
 }
@@ -555,34 +525,33 @@ static void destroy(private_x509_crl_t *this)
  */
 static private_x509_crl_t* create_empty(void)
 {
-	private_x509_crl_t *this = malloc_thing(private_x509_crl_t);
-
-	this->public.crl.get_serial = (chunk_t (*)(crl_t*))get_serial;
-	this->public.crl.get_authKeyIdentifier = (chunk_t (*)(crl_t*))get_authKeyIdentifier;
-	this->public.crl.create_enumerator = (enumerator_t* (*)(crl_t*))create_enumerator;
-	this->public.crl.certificate.get_type = (certificate_type_t (*)(certificate_t *this))get_type;
-	this->public.crl.certificate.get_subject = (identification_t* (*)(certificate_t *this))get_issuer;
-	this->public.crl.certificate.get_issuer = (identification_t* (*)(certificate_t *this))get_issuer;
-	this->public.crl.certificate.has_subject = (id_match_t (*)(certificate_t*, identification_t *subject))has_issuer;
-	this->public.crl.certificate.has_issuer = (id_match_t (*)(certificate_t*, identification_t *issuer))has_issuer;
-	this->public.crl.certificate.issued_by = (bool (*)(certificate_t *this, certificate_t *issuer))issued_by;
-	this->public.crl.certificate.get_public_key = (public_key_t* (*)(certificate_t *this))get_public_key;
-	this->public.crl.certificate.get_validity = (bool (*)(certificate_t*, time_t *when, time_t *, time_t*))get_validity;
-	this->public.crl.certificate.is_newer = (bool (*)(certificate_t*,certificate_t*))is_newer;
-	this->public.crl.certificate.get_encoding = (chunk_t (*)(certificate_t*))get_encoding;
-	this->public.crl.certificate.equals = (bool (*)(certificate_t*, certificate_t *other))equals;
-	this->public.crl.certificate.get_ref = (certificate_t* (*)(certificate_t *this))get_ref;
-	this->public.crl.certificate.destroy = (void (*)(certificate_t *this))destroy;
-
-	this->encoding = chunk_empty;
-	this->tbsCertList = chunk_empty;
-	this->issuer = NULL;
-	this->crlNumber = chunk_empty;
-	this->revoked = linked_list_create();
-	this->authKeyIdentifier = chunk_empty;
-	this->authKeySerialNumber = chunk_empty;
-	this->ref = 1;
-
+	private_x509_crl_t *this;
+
+	INIT(this,
+		.public = {
+			.crl = {
+				.certificate = {
+					.get_type = _get_type,
+					.get_subject = _get_issuer,
+					.get_issuer = _get_issuer,
+					.has_subject = _has_issuer,
+					.has_issuer = _has_issuer,
+					.issued_by = _issued_by,
+					.get_public_key = _get_public_key,
+					.get_validity = _get_validity,
+					.get_encoding = _get_encoding,
+					.equals = _equals,
+					.get_ref = _get_ref,
+					.destroy = _destroy,
+				},
+				.get_serial = _get_serial,
+				.get_authKeyIdentifier = _get_authKeyIdentifier,
+				.create_enumerator = _create_enumerator,
+			},
+		},
+		.revoked = linked_list_create(),
+		.ref = 1,
+	);
 	return this;
 }
 
@@ -621,3 +590,166 @@ x509_crl_t *x509_crl_load(certificate_type_t type, va_list args)
 	return NULL;
 };
 
+/**
+ * Read certificate status from enumerator, copy to crl
+ */
+static void read_revoked(private_x509_crl_t *crl, enumerator_t *enumerator)
+{
+	revoked_t *revoked;
+	chunk_t serial;
+	time_t date;
+	crl_reason_t reason;
+
+	while (enumerator->enumerate(enumerator, &serial, &date, &reason))
+	{
+		INIT(revoked,
+			.serial = chunk_clone(serial),
+			.date = date,
+			.reason = reason,
+		);
+		crl->revoked->insert_last(crl->revoked, revoked);
+	}
+}
+
+/**
+ * Generate CRL encoding, sign CRL
+ */
+static bool generate(private_x509_crl_t *this, certificate_t *cert,
+					 private_key_t *key, hash_algorithm_t digest_alg)
+{
+	chunk_t extensions = chunk_empty, certList = chunk_empty, serial;
+	enumerator_t *enumerator;
+	crl_reason_t reason;
+	time_t date;
+	x509_t *x509;
+
+	x509 = (x509_t*)cert;
+
+	this->issuer = cert->get_issuer(cert);
+	this->issuer = this->issuer->clone(this->issuer);
+
+	this->authKeyIdentifier = chunk_clone(x509->get_subjectKeyIdentifier(x509));
+
+	/* select signature scheme */
+	this->algorithm = hasher_signature_algorithm_to_oid(digest_alg,
+														key->get_type(key));
+	if (this->algorithm == OID_UNKNOWN)
+	{
+		return FALSE;
+	}
+
+	enumerator = create_enumerator(this);
+	while (enumerator->enumerate(enumerator, &serial, &date, &reason))
+	{
+		chunk_t revoked, entry_ext = chunk_empty;
+
+		if (reason != CRL_REASON_UNSPECIFIED)
+		{
+			entry_ext = asn1_wrap(ASN1_SEQUENCE, "m",
+							asn1_wrap(ASN1_SEQUENCE, "mm",
+								asn1_build_known_oid(OID_CRL_REASON_CODE),
+								asn1_wrap(ASN1_OCTET_STRING, "m",
+									asn1_wrap(ASN1_ENUMERATED, "c",
+										chunk_from_chars(reason)))));
+		}
+		revoked = asn1_wrap(ASN1_SEQUENCE, "mmm",
+							asn1_integer("c", serial),
+							asn1_from_time(&date, ASN1_UTCTIME),
+							entry_ext);
+		certList = chunk_cat("mm", certList, revoked);
+	}
+	enumerator->destroy(enumerator);
+
+	extensions = asn1_wrap(ASN1_CONTEXT_C_0, "m",
+					asn1_wrap(ASN1_SEQUENCE, "mm",
+						asn1_wrap(ASN1_SEQUENCE, "mm",
+							asn1_build_known_oid(OID_AUTHORITY_KEY_ID),
+							asn1_wrap(ASN1_OCTET_STRING, "m",
+								asn1_wrap(ASN1_SEQUENCE, "m",
+									asn1_wrap(ASN1_CONTEXT_S_0, "c",
+											  this->authKeyIdentifier)))),
+						asn1_wrap(ASN1_SEQUENCE, "mm",
+							asn1_build_known_oid(OID_CRL_NUMBER),
+							asn1_wrap(ASN1_OCTET_STRING, "m",
+								asn1_integer("c", this->crlNumber))
+							)
+						));
+
+	this->tbsCertList = asn1_wrap(ASN1_SEQUENCE, "cmcmmmm",
+							ASN1_INTEGER_1,
+							asn1_algorithmIdentifier(this->algorithm),
+							this->issuer->get_encoding(this->issuer),
+							asn1_from_time(&this->thisUpdate, ASN1_UTCTIME),
+							asn1_from_time(&this->nextUpdate, ASN1_UTCTIME),
+							asn1_wrap(ASN1_SEQUENCE, "m", certList),
+							extensions);
+
+	if (!key->sign(key, signature_scheme_from_oid(this->algorithm),
+				   this->tbsCertList, &this->signature))
+	{
+		return FALSE;
+	}
+	this->encoding = asn1_wrap(ASN1_SEQUENCE, "cmm",
+							this->tbsCertList,
+							asn1_algorithmIdentifier(this->algorithm),
+							asn1_bitstring("c", this->signature));
+	return TRUE;
+}
+
+/**
+ * See header.
+ */
+x509_crl_t *x509_crl_gen(certificate_type_t type, va_list args)
+{
+	hash_algorithm_t digest_alg = HASH_SHA1;
+	private_x509_crl_t *crl;
+	certificate_t *cert = NULL;
+	private_key_t *key = NULL;
+
+	crl = create_empty();
+	crl->generated = TRUE;
+	while (TRUE)
+	{
+		builder_part_t part = va_arg(args, builder_part_t);
+
+		switch (part)
+		{
+			case BUILD_SIGNING_KEY:
+				key = va_arg(args, private_key_t*);
+				continue;
+			case BUILD_SIGNING_CERT:
+				cert = va_arg(args, certificate_t*);
+				continue;
+			case BUILD_NOT_BEFORE_TIME:
+				crl->thisUpdate = va_arg(args, time_t);
+				continue;
+			case BUILD_NOT_AFTER_TIME:
+				crl->nextUpdate = va_arg(args, time_t);
+				continue;
+			case BUILD_SERIAL:
+				crl->crlNumber = va_arg(args, chunk_t);
+				crl->crlNumber = chunk_clone(crl->crlNumber);
+				continue;
+			case BUILD_DIGEST_ALG:
+				digest_alg = va_arg(args, int);
+				continue;
+			case BUILD_REVOKED_ENUMERATOR:
+				read_revoked(crl, va_arg(args, enumerator_t*));
+				continue;
+			case BUILD_END:
+				break;
+			default:
+				destroy(crl);
+				return NULL;
+		}
+		break;
+	}
+
+	if (key && cert && cert->get_type(cert) == CERT_X509 &&
+		generate(crl, cert, key, digest_alg))
+	{
+		return &crl->public;
+	}
+	destroy(crl);
+	return NULL;
+}
diff --git a/src/libstrongswan/plugins/x509/x509_crl.h b/src/libstrongswan/plugins/x509/x509_crl.h
index 890650162..e8fe74e81 100644
--- a/src/libstrongswan/plugins/x509/x509_crl.h
+++ b/src/libstrongswan/plugins/x509/x509_crl.h
@@ -46,4 +46,13 @@ struct x509_crl_t {
  */
 x509_crl_t *x509_crl_load(certificate_type_t type, va_list args);
 
+/**
+ * Generate a X.509 CRL.
+ *
+ * @param type		certificate type, CERT_X509_CRL only
+ * @param args		builder_part_t argument list
+ * @return			X.509 CRL, NULL on failure
+ */
+x509_crl_t *x509_crl_gen(certificate_type_t type, va_list args);
+
 #endif /** X509_CRL_H_ @}*/
diff --git a/src/libstrongswan/plugins/x509/x509_ocsp_request.c b/src/libstrongswan/plugins/x509/x509_ocsp_request.c
index c835d5dc8..ea02cbab5 100644
--- a/src/libstrongswan/plugins/x509/x509_ocsp_request.c
+++ b/src/libstrongswan/plugins/x509/x509_ocsp_request.c
@@ -153,7 +153,7 @@ static chunk_t build_requestList(private_x509_ocsp_request_t *this)
 		hasher_t *hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
 		if (hasher)
 		{
-			if (public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1,
+			if (public->get_fingerprint(public, KEYID_PUBKEY_SHA1,
 										&issuerKeyHash))
 			{
 				enumerator_t *enumerator;
@@ -250,7 +250,7 @@ static chunk_t build_optionalSignature(private_x509_ocsp_request_t *this,
 {
 	int oid;
 	signature_scheme_t scheme;
-	chunk_t certs, signature;
+	chunk_t certs, signature, encoding;
 
 	switch (this->key->get_type(this->key))
 	{
@@ -274,11 +274,11 @@ static chunk_t build_optionalSignature(private_x509_ocsp_request_t *this,
 		DBG1(DBG_LIB, "creating OCSP signature failed, skipped");
 		return chunk_empty;
 	}
-	if (this->cert)
+	if (this->cert &&
+		this->cert->get_encoding(this->cert, CERT_ASN1_DER, &encoding))
 	{
 		certs = asn1_wrap(ASN1_CONTEXT_C_0, "m",
-					asn1_wrap(ASN1_SEQUENCE, "m",
-						this->cert->get_encoding(this->cert)));
+					asn1_wrap(ASN1_SEQUENCE, "m", encoding));
 	}
 	return asn1_wrap(ASN1_CONTEXT_C_0, "m",
 				asn1_wrap(ASN1_SEQUENCE, "cmm",
@@ -413,9 +413,16 @@ static bool get_validity(private_x509_ocsp_request_t *this, time_t *when,
 /**
  * Implementation of certificate_t.get_encoding.
  */
-static chunk_t get_encoding(private_x509_ocsp_request_t *this)
+static bool get_encoding(private_x509_ocsp_request_t *this,
+						 cred_encoding_type_t type, chunk_t *encoding)
 {
-	return chunk_clone(this->encoding);
+	if (type == CERT_ASN1_DER)
+	{
+		*encoding = chunk_clone(this->encoding);
+		return TRUE;
+	}
+	return lib->encoding->encode(lib->encoding, type, NULL, encoding,
+				CRED_PART_X509_OCSP_REQ_ASN1_DER, this->encoding, CRED_PART_END);
 }
 
 /**
@@ -438,7 +445,10 @@ static bool equals(private_x509_ocsp_request_t *this, certificate_t *other)
 	{	/* skip allocation if we have the same implementation */
 		return chunk_equals(this->encoding, ((private_x509_ocsp_request_t*)other)->encoding);
 	}
-	encoding = other->get_encoding(other);
+	if (!other->get_encoding(other, CERT_ASN1_DER, &encoding))
+	{
+		return FALSE;
+	}
 	equal = chunk_equals(this->encoding, encoding);
 	free(encoding.ptr);
 	return equal;
@@ -486,7 +496,7 @@ static private_x509_ocsp_request_t *create_empty()
 	this->public.interface.interface.issued_by = (bool (*)(certificate_t *this, certificate_t *issuer))issued_by;
 	this->public.interface.interface.get_public_key = (public_key_t* (*)(certificate_t *this))get_public_key;
 	this->public.interface.interface.get_validity = (bool(*)(certificate_t*, time_t *when, time_t *, time_t*))get_validity;
-	this->public.interface.interface.get_encoding = (chunk_t(*)(certificate_t*))get_encoding;
+	this->public.interface.interface.get_encoding = (bool(*)(certificate_t*,cred_encoding_type_t,chunk_t*))get_encoding;
 	this->public.interface.interface.equals = (bool(*)(certificate_t*, certificate_t *other))equals;
 	this->public.interface.interface.get_ref = (certificate_t* (*)(certificate_t *this))get_ref;
 	this->public.interface.interface.destroy = (void (*)(certificate_t *this))destroy;
diff --git a/src/libstrongswan/plugins/x509/x509_ocsp_response.c b/src/libstrongswan/plugins/x509/x509_ocsp_response.c
index c70d461df..829f47f81 100644
--- a/src/libstrongswan/plugins/x509/x509_ocsp_response.c
+++ b/src/libstrongswan/plugins/x509/x509_ocsp_response.c
@@ -167,7 +167,7 @@ static cert_validation_t get_status(private_x509_ocsp_response_t *this,
 	{
 		hasher_t *hasher;
 		identification_t *id;
-		key_encoding_type_t type;
+		cred_encoding_type_t type;
 		chunk_t hash, fingerprint;
 
 		/* check serial first, is cheaper */
@@ -188,7 +188,7 @@ static cert_validation_t get_status(private_x509_ocsp_response_t *this,
 			switch (response->hashAlgorithm)
 			{
 				case OID_SHA1:
-					type = KEY_ID_PUBKEY_SHA1;
+					type = KEYID_PUBKEY_SHA1;
 					break;
 				default:
 					public->destroy(public);
@@ -698,7 +698,7 @@ static bool issued_by(private_x509_ocsp_response_t *this, certificate_t *issuer)
 
 		key = issuer->get_public_key(issuer);
 		if (!key ||
-			!key->get_fingerprint(key, KEY_ID_PUBKEY_SHA1, &fingerprint) ||
+			!key->get_fingerprint(key, KEYID_PUBKEY_SHA1, &fingerprint) ||
 			!chunk_equals(fingerprint,
 						  this->responderId->get_encoding(this->responderId)))
 		{
@@ -763,29 +763,19 @@ static bool get_validity(private_x509_ocsp_response_t *this, time_t *when,
 	return (t < this->usableUntil);
 }
 
-/**
- * Implementation of certificate_t.is_newer.
- */
-static bool is_newer(certificate_t *this, certificate_t *that)
-{
-	time_t this_update, that_update, now = time(NULL);
-	bool new;
-
-	this->get_validity(this, &now, &this_update, NULL);
-	that->get_validity(that, &now, &that_update, NULL);
-	new = this_update > that_update;
-	DBG1(DBG_LIB, "  ocsp response from %T is %s - existing ocsp response "
-		 "from %T %s", &this_update, FALSE, new ? "newer" : "not newer",
-		 &that_update, FALSE, new ? "replaced" : "retained");
-	return new;
-}
-
 /**
  * Implementation of certificate_t.get_encoding.
  */
-static chunk_t get_encoding(private_x509_ocsp_response_t *this)
+static bool get_encoding(private_x509_ocsp_response_t *this,
+						 cred_encoding_type_t type, chunk_t *encoding)
 {
-	return chunk_clone(this->encoding);
+	if (type == CERT_ASN1_DER)
+	{
+		*encoding = chunk_clone(this->encoding);
+		return TRUE;
+	}
+	return lib->encoding->encode(lib->encoding, type, NULL, encoding,
+				CRED_PART_X509_OCSP_RES_ASN1_DER, this->encoding, CRED_PART_END);
 }
 
 /**
@@ -808,7 +798,10 @@ static bool equals(private_x509_ocsp_response_t *this, certificate_t *other)
 	{	/* skip allocation if we have the same implementation */
 		return chunk_equals(this->encoding, ((private_x509_ocsp_response_t*)other)->encoding);
 	}
-	encoding = other->get_encoding(other);
+	if (!other->get_encoding(other, CERT_ASN1_DER, &encoding))
+	{
+		return FALSE;
+	}
 	equal = chunk_equals(this->encoding, encoding);
 	free(encoding.ptr);
 	return equal;
@@ -855,8 +848,7 @@ static x509_ocsp_response_t *load(chunk_t blob)
 	this->public.interface.certificate.issued_by = (bool (*)(certificate_t *this, certificate_t *issuer))issued_by;
 	this->public.interface.certificate.get_public_key = (public_key_t* (*)(certificate_t *this))get_public_key;
 	this->public.interface.certificate.get_validity = (bool(*)(certificate_t*, time_t *when, time_t *, time_t*))get_validity;
-	this->public.interface.certificate.is_newer = (bool (*)(certificate_t*,certificate_t*))is_newer;
-	this->public.interface.certificate.get_encoding = (chunk_t(*)(certificate_t*))get_encoding;
+	this->public.interface.certificate.get_encoding = (bool(*)(certificate_t*,cred_encoding_type_t,chunk_t*))get_encoding;
 	this->public.interface.certificate.equals = (bool(*)(certificate_t*, certificate_t *other))equals;
 	this->public.interface.certificate.get_ref = (certificate_t* (*)(certificate_t *this))get_ref;
 	this->public.interface.certificate.destroy = (void (*)(certificate_t *this))destroy;
diff --git a/src/libstrongswan/plugins/x509/x509_pkcs10.c b/src/libstrongswan/plugins/x509/x509_pkcs10.c
index 1009ec931..bfb0ca621 100644
--- a/src/libstrongswan/plugins/x509/x509_pkcs10.c
+++ b/src/libstrongswan/plugins/x509/x509_pkcs10.c
@@ -188,20 +188,19 @@ static bool get_validity(private_x509_pkcs10_t *this, time_t *when,
 	return TRUE;
 }
 
-/**
- * Implementation of certificate_t.is_newer.
- */
-static bool is_newer(certificate_t *this, certificate_t *that)
-{
-	return FALSE;
-}
-
 /**
  * Implementation of certificate_t.get_encoding.
  */
-static chunk_t get_encoding(private_x509_pkcs10_t *this)
+static bool get_encoding(private_x509_pkcs10_t *this, cred_encoding_type_t type,
+						 chunk_t *encoding)
 {
-	return chunk_clone(this->encoding);
+	if (type == CERT_ASN1_DER)
+	{
+		*encoding = chunk_clone(this->encoding);
+		return TRUE;
+	}
+	return lib->encoding->encode(lib->encoding, type, NULL, encoding,
+					CRED_PART_PKCS10_ASN1_DER, this->encoding, CRED_PART_END);
 }
 
 /**
@@ -224,7 +223,10 @@ static bool equals(private_x509_pkcs10_t *this, certificate_t *other)
 	{	/* skip allocation if we have the same implementation */
 		return chunk_equals(this->encoding, ((private_x509_pkcs10_t*)other)->encoding);
 	}
-	encoding = other->get_encoding(other);
+	if (!other->get_encoding(other, CERT_ASN1_DER, &encoding))
+	{
+		return FALSE;
+	}
 	equal = chunk_equals(this->encoding, encoding);
 	free(encoding.ptr);
 	return equal;
@@ -357,7 +359,7 @@ static bool parse_challengePassword(private_x509_pkcs10_t *this, chunk_t blob, i
  */
 static const asn1Object_t certificationRequestObjects[] = {
 	{ 0, "certificationRequest",       ASN1_SEQUENCE,    ASN1_OBJ  }, /*  0 */
-	{ 1,   "certificationRequestInfo", ASN1_SEQUENCE,    ASN1_OBJ  }, /*  1 */
+	{ 1,   "certificationRequestInfo", ASN1_SEQUENCE,    ASN1_OBJ  }, /*  1 */
 	{ 2,     "version",                ASN1_INTEGER,     ASN1_BODY }, /*  2 */
 	{ 2,     "subject",                ASN1_SEQUENCE,    ASN1_OBJ  }, /*  3 */
 	{ 2,     "subjectPublicKeyInfo",   ASN1_SEQUENCE,    ASN1_RAW  }, /*  4 */
@@ -369,7 +371,7 @@ static const asn1Object_t certificationRequestObjects[] = {
 	{ 4,         "end loop",           ASN1_EOC,         ASN1_END  }, /* 10 */
 	{ 2,     "end loop",               ASN1_EOC,         ASN1_END  }, /* 11 */
 	{ 1,   "signatureAlgorithm",       ASN1_EOC,         ASN1_RAW  }, /* 12 */
-	{ 1,    "signature",               ASN1_BIT_STRING,  ASN1_BODY }, /* 13 */
+	{ 1,    "signature",               ASN1_BIT_STRING,  ASN1_BODY }, /* 13 */
 	{ 0, "exit",                       ASN1_EOC,         ASN1_EXIT }
 };
 #define PKCS10_CERT_REQUEST_INFO		 1
@@ -512,8 +514,7 @@ static private_x509_pkcs10_t* create_empty(void)
 	this->public.interface.interface.issued_by = (bool (*) (certificate_t*, certificate_t*))issued_by;
 	this->public.interface.interface.get_public_key = (public_key_t* (*) (certificate_t*))get_public_key;
 	this->public.interface.interface.get_validity = (bool (*) (certificate_t*, time_t*, time_t*, time_t*))get_validity;
-	this->public.interface.interface.is_newer = (bool (*) (certificate_t*,certificate_t*))is_newer;
-	this->public.interface.interface.get_encoding = (chunk_t (*) (certificate_t*))get_encoding;
+	this->public.interface.interface.get_encoding = (bool (*) (certificate_t*,cred_encoding_type_t,chunk_t*))get_encoding;
 	this->public.interface.interface.equals = (bool (*)(certificate_t*, certificate_t*))equals;
 	this->public.interface.interface.get_ref = (certificate_t* (*)(certificate_t*))get_ref;
 	this->public.interface.interface.destroy = (void (*)(certificate_t*))destroy;
@@ -559,7 +560,7 @@ static bool generate(private_x509_pkcs10_t *cert, private_key_t *sign_key,
 	scheme = signature_scheme_from_oid(cert->algorithm);
 
 	if (!cert->public_key->get_encoding(cert->public_key,
-										KEY_PUB_SPKI_ASN1_DER, &key_info))
+										PUBKEY_SPKI_ASN1_DER, &key_info))
 	{
 		return FALSE;
 	}
diff --git a/src/libstrongswan/plugins/x509/x509_plugin.c b/src/libstrongswan/plugins/x509/x509_plugin.c
index e71c55efc..8391781e2 100644
--- a/src/libstrongswan/plugins/x509/x509_plugin.c
+++ b/src/libstrongswan/plugins/x509/x509_plugin.c
@@ -51,6 +51,8 @@ static void destroy(private_x509_plugin_t *this)
 							   (builder_function_t)x509_ac_load);
 	lib->creds->remove_builder(lib->creds,
 							   (builder_function_t)x509_crl_load);
+	lib->creds->remove_builder(lib->creds,
+							   (builder_function_t)x509_crl_gen);
 	lib->creds->remove_builder(lib->creds,
 							   (builder_function_t)x509_ocsp_request_gen);
 	lib->creds->remove_builder(lib->creds,
@@ -81,6 +83,8 @@ plugin_t *x509_plugin_create()
 							(builder_function_t)x509_ac_load);
 	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL,
 							(builder_function_t)x509_crl_load);
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL,
+							(builder_function_t)x509_crl_gen);
 	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_OCSP_REQUEST,
 							(builder_function_t)x509_ocsp_request_gen);
 	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_OCSP_RESPONSE,
diff --git a/src/libstrongswan/plugins/xcbc/Makefile.in b/src/libstrongswan/plugins/xcbc/Makefile.in
index c49e2b76a..69bba8d6f 100644
--- a/src/libstrongswan/plugins/xcbc/Makefile.in
+++ b/src/libstrongswan/plugins/xcbc/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
diff --git a/src/libstrongswan/threading/lock_profiler.h b/src/libstrongswan/threading/lock_profiler.h
index b64453ba1..1ae496455 100644
--- a/src/libstrongswan/threading/lock_profiler.h
+++ b/src/libstrongswan/threading/lock_profiler.h
@@ -63,7 +63,7 @@ static inline void profiler_cleanup(lock_profile_t *profile)
 	{
 		fprintf(stderr, "%d.%03ds / %d times in lock created at:",
 			profile->waited.tv_sec, profile->waited.tv_usec, profile->locked);
-		profile->backtrace->log(profile->backtrace, stderr);
+		profile->backtrace->log(profile->backtrace, stderr, TRUE);
 	}
 	profile->backtrace->destroy(profile->backtrace);
 }
diff --git a/src/libstrongswan/utils/backtrace.c b/src/libstrongswan/utils/backtrace.c
index 5bba8ec21..a67245194 100644
--- a/src/libstrongswan/utils/backtrace.c
+++ b/src/libstrongswan/utils/backtrace.c
@@ -53,7 +53,7 @@ struct private_backtrace_t {
 /**
  * Implementation of backtrace_t.log
  */
-static void log_(private_backtrace_t *this, FILE *file)
+static void log_(private_backtrace_t *this, FILE *file, bool detailed)
 {
 #ifdef HAVE_BACKTRACE
 	size_t i;
@@ -78,7 +78,6 @@ static void log_(private_backtrace_t *this, FILE *file)
 			{
 				ptr = (void*)(this->frames[i] - info.dli_fbase);
 			}
-			snprintf(cmd, sizeof(cmd), "addr2line -e %s %p", info.dli_fname, ptr);
 			if (info.dli_sname)
 			{
 				fprintf(file, "  \e[33m%s\e[0m @ %p (\e[31m%s\e[0m+0x%x) [%p]\n",
@@ -90,28 +89,33 @@ static void log_(private_backtrace_t *this, FILE *file)
 				fprintf(file, "  \e[33m%s\e[0m @ %p [%p]\n", info.dli_fname,
 						info.dli_fbase, this->frames[i]);
 			}
-			fprintf(file, "    -> \e[32m");
-			output = popen(cmd, "r");
-			if (output)
+			if (detailed)
 			{
-				while (TRUE)
+				fprintf(file, "    -> \e[32m");
+				snprintf(cmd, sizeof(cmd), "addr2line -e %s %p",
+						 info.dli_fname, ptr);
+				output = popen(cmd, "r");
+				if (output)
 				{
-					c = getc(output);
-					if (c == '\n' || c == EOF)
+					while (TRUE)
 					{
-						break;
+						c = getc(output);
+						if (c == '\n' || c == EOF)
+						{
+							break;
+						}
+						fputc(c, file);
 					}
-					fputc(c, file);
+					pclose(output);
 				}
-				pclose(output);
-			}
-			else
-			{
-#endif /* HAVE_DLADDR */
-				fprintf(file, "    %s\n", strings[i]);
-#ifdef HAVE_DLADDR
+				else
+				{
+	#endif /* HAVE_DLADDR */
+					fprintf(file, "    %s\n", strings[i]);
+	#ifdef HAVE_DLADDR
+				}
+				fprintf(file, "\n\e[0m");
 			}
-			fprintf(file, "\n\e[0m");
 		}
 		else
 		{
@@ -174,7 +178,7 @@ backtrace_t *backtrace_create(int skip)
 	memcpy(this->frames, frames + skip, frame_count * sizeof(void*));
 	this->frame_count = frame_count;
 
-	this->public.log = (void(*)(backtrace_t*,FILE*))log_;
+	this->public.log = (void(*)(backtrace_t*,FILE*,bool))log_;
 	this->public.contains_function = (bool(*)(backtrace_t*, char *function))contains_function;
 	this->public.destroy = (void(*)(backtrace_t*))destroy;
 
diff --git a/src/libstrongswan/utils/backtrace.h b/src/libstrongswan/utils/backtrace.h
index c4d4284d1..c6b0ec78f 100644
--- a/src/libstrongswan/utils/backtrace.h
+++ b/src/libstrongswan/utils/backtrace.h
@@ -34,8 +34,11 @@ struct backtrace_t {
 
 	/**
 	 * Log the backtrace to a FILE stream.
+	 *
+	 * @param file		FILE to log backtrace to
+	 * @param detailed	TRUE to resolve line/file using addr2line (slow)
 	 */
-	void (*log)(backtrace_t *this, FILE *file);
+	void (*log)(backtrace_t *this, FILE *file, bool detailed);
 
 	/**
 	 * Check if the backtrace contains a frame in a specific function.
diff --git a/src/libstrongswan/utils/hashtable.c b/src/libstrongswan/utils/hashtable.c
index 02c225833..dde57dc65 100644
--- a/src/libstrongswan/utils/hashtable.c
+++ b/src/libstrongswan/utils/hashtable.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2008-2010 Tobias Brunner
  * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -47,11 +47,13 @@ struct pair_t {
  */
 pair_t *pair_create(void *key, void *value, u_int hash)
 {
-	pair_t *this = malloc_thing(pair_t);
+	pair_t *this;
 
-	this->key = key;
-	this->value = value;
-	this->hash = hash;
+	INIT(this,
+		.key = key,
+		.value = value,
+		.hash = hash,
+	);
 
 	return this;
 }
@@ -126,6 +128,11 @@ struct private_enumerator_t {
 	 */
 	u_int row;
 
+	/**
+	 * current pair
+	 */
+	pair_t *pair;
+
 	/**
 	 * enumerator for the current row
 	 */
@@ -219,10 +226,8 @@ static void rehash(private_hashtable_t *this)
 	free(old_table);
 }
 
-/**
- * Implementation of hashtable_t.put
- */
-static void *put(private_hashtable_t *this, void *key, void *value)
+METHOD(hashtable_t, put, void*,
+	   private_hashtable_t *this, void *key, void *value)
 {
 	void *old_value = NULL;
 	linked_list_t *list;
@@ -265,10 +270,8 @@ static void *put(private_hashtable_t *this, void *key, void *value)
 	return old_value;
 }
 
-/**
- * Implementation of hashtable_t.get
- */
-static void *get(private_hashtable_t *this, void *key)
+METHOD(hashtable_t, get, void*,
+	   private_hashtable_t *this, void *key)
 {
 	void *value = NULL;
 	linked_list_t *list;
@@ -286,10 +289,8 @@ static void *get(private_hashtable_t *this, void *key)
 	return value;
 }
 
-/**
- * Implementation of hashtable_t.remove
- */
-static void *remove_(private_hashtable_t *this, void *key)
+METHOD(hashtable_t, remove_, void*,
+	   private_hashtable_t *this, void *key)
 {
 	void *value = NULL;
 	linked_list_t *list;
@@ -317,34 +318,44 @@ static void *remove_(private_hashtable_t *this, void *key)
 	return value;
 }
 
-/**
- * Implementation of hashtable_t.get_count
- */
-static u_int get_count(private_hashtable_t *this)
+METHOD(hashtable_t, remove_at, void,
+	   private_hashtable_t *this, private_enumerator_t *enumerator)
+{
+	if (enumerator->table == this && enumerator->current)
+	{
+		linked_list_t *list;
+		list = this->table[enumerator->row];
+		if (list)
+		{
+			list->remove_at(list, enumerator->current);
+			free(enumerator->pair);
+			this->count--;
+		}
+	}
+}
+
+METHOD(hashtable_t, get_count, u_int,
+	   private_hashtable_t *this)
 {
 	return this->count;
 }
 
-/**
- * Implementation of private_enumerator_t.enumerator.enumerate.
- */
-static bool enumerate(private_enumerator_t *this, void **key, void **value)
+METHOD(enumerator_t, enumerate, bool,
+	   private_enumerator_t *this, void **key, void **value)
 {
 	while (this->row < this->table->capacity)
 	{
 		if (this->current)
 		{
-			pair_t *pair;
-
-			if (this->current->enumerate(this->current, &pair))
+			if (this->current->enumerate(this->current, &this->pair))
 			{
 				if (key)
 				{
-					*key = pair->key;
+					*key = this->pair->key;
 				}
 				if (value)
 				{
-					*value = pair->value;
+					*value = this->pair->value;
 				}
 				return TRUE;
 			}
@@ -354,7 +365,6 @@ static bool enumerate(private_enumerator_t *this, void **key, void **value)
 		else
 		{
 			linked_list_t *list;
-
 			list = this->table->table[this->row];
 			if (list)
 			{
@@ -367,10 +377,8 @@ static bool enumerate(private_enumerator_t *this, void **key, void **value)
 	return FALSE;
 }
 
-/**
- * Implementation of private_enumerator_t.enumerator.destroy.
- */
-static void enumerator_destroy(private_enumerator_t *this)
+METHOD(enumerator_t, enumerator_destroy, void,
+	   private_enumerator_t *this)
 {
 	if (this->current)
 	{
@@ -379,26 +387,24 @@ static void enumerator_destroy(private_enumerator_t *this)
 	free(this);
 }
 
-/**
- * Implementation of hashtable_t.create_enumerator.
- */
-static enumerator_t* create_enumerator(private_hashtable_t *this)
+METHOD(hashtable_t, create_enumerator, enumerator_t*,
+	   private_hashtable_t *this)
 {
-	private_enumerator_t *enumerator = malloc_thing(private_enumerator_t);
+	private_enumerator_t *enumerator;
 
-	enumerator->enumerator.enumerate = (void*)enumerate;
-	enumerator->enumerator.destroy = (void*)enumerator_destroy;
-	enumerator->table = this;
-	enumerator->row = 0;
-	enumerator->current = NULL;
+	INIT(enumerator,
+		.enumerator = {
+			.enumerate = (void*)_enumerate,
+			.destroy = (void*)_enumerator_destroy,
+		},
+		.table = this,
+	);
 
 	return &enumerator->enumerator;
 }
 
-/**
- * Implementation of hashtable_t.destroy
- */
-static void destroy(private_hashtable_t *this)
+METHOD(hashtable_t, destroy, void,
+	   private_hashtable_t *this)
 {
 	linked_list_t *list;
 	u_int row;
@@ -421,22 +427,21 @@ static void destroy(private_hashtable_t *this)
 hashtable_t *hashtable_create(hashtable_hash_t hash, hashtable_equals_t equals,
 							  u_int capacity)
 {
-	private_hashtable_t *this = malloc_thing(private_hashtable_t);
-
-	this->public.put = (void*(*)(hashtable_t*,void*,void*))put;
-	this->public.get = (void*(*)(hashtable_t*,void*))get;
-	this->public.remove = (void*(*)(hashtable_t*,void*))remove_;
-	this->public.get_count = (u_int(*)(hashtable_t*))get_count;
-	this->public.create_enumerator = (enumerator_t*(*)(hashtable_t*))create_enumerator;
-	this->public.destroy = (void(*)(hashtable_t*))destroy;
-
-	this->count = 0;
-	this->capacity = 0;
-	this->mask = 0;
-	this->load_factor = 0;
-	this->table = NULL;
-	this->hash = hash;
-	this->equals = equals;
+	private_hashtable_t *this;
+
+	INIT(this,
+		.public = {
+			.put = _put,
+			.get = _get,
+			.remove = _remove_,
+			.remove_at = (void*)_remove_at,
+			.get_count = _get_count,
+			.create_enumerator = _create_enumerator,
+			.destroy = _destroy,
+		},
+		.hash = hash,
+		.equals = equals,
+	);
 
 	init_hashtable(this, capacity);
 
diff --git a/src/libstrongswan/utils/hashtable.h b/src/libstrongswan/utils/hashtable.h
index 142ea6329..27aca9b68 100644
--- a/src/libstrongswan/utils/hashtable.h
+++ b/src/libstrongswan/utils/hashtable.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2008-2010 Tobias Brunner
  * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -86,10 +86,18 @@ struct hashtable_t {
 	 */
 	void *(*remove) (hashtable_t *this, void *key);
 
+	/**
+	 * Removes the key and value pair from the hash table at which the given
+	 * enumerator currently points.
+	 *
+	 * @param enumerator	enumerator, from create_enumerator
+	 */
+	void (*remove_at) (hashtable_t *this, enumerator_t *enumerator);
+
 	/**
 	 * Gets the number of items in the hash table.
 	 *
-	 * @return 			number of items
+	 * @return			number of items
 	 */
 	u_int (*get_count) (hashtable_t *this);
 
@@ -106,7 +114,7 @@ struct hashtable_t {
  * @param hash			hash function
  * @param equals		equals function
  * @param capacity		initial capacity
- * @return 				hashtable_t object.
+ * @return				hashtable_t object.
  */
 hashtable_t *hashtable_create(hashtable_hash_t hash, hashtable_equals_t equals,
 							  u_int capacity);
diff --git a/src/libstrongswan/utils/identification.c b/src/libstrongswan/utils/identification.c
index 6a3c3936c..3caeb8f0e 100644
--- a/src/libstrongswan/utils/identification.c
+++ b/src/libstrongswan/utils/identification.c
@@ -50,8 +50,7 @@ ENUM_BEGIN(id_type_names, ID_ANY, ID_KEY_ID,
 	"ID_DER_ASN1_GN",
 	"ID_KEY_ID");
 ENUM_NEXT(id_type_names, ID_DER_ASN1_GN_URI, ID_MYID, ID_KEY_ID,
-	"ID_DER_ASN1_GN_URI"
-	"ID_IETF_ATTR_STRING"
+	"ID_DER_ASN1_GN_URI",
 	"ID_MYID");
 ENUM_END(id_type_names, ID_MYID);
 
@@ -297,18 +296,30 @@ static void dntoa(chunk_t dn, char *buf, size_t len)
 		{
 			written = snprintf(buf, len,"%s=", oid_names[oid].name);
 		}
+		if (written < 0 || written >= len)
+		{
+			break;
+		}
 		buf += written;
 		len -= written;
 
 		chunk_printable(data, &printable, '?');
 		written = snprintf(buf, len, "%.*s", printable.len, printable.ptr);
 		chunk_free(&printable);
+		if (written < 0 || written >= len)
+		{
+			break;
+		}
 		buf += written;
 		len -= written;
 
 		if (data.ptr + data.len != dn.ptr + dn.len)
 		{
 			written = snprintf(buf, len, ", ");
+			if (written < 0 || written >= len)
+			{
+				break;
+			}
 			buf += written;
 			len -= written;
 		}
@@ -761,7 +772,6 @@ int identification_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
 		case ID_FQDN:
 		case ID_RFC822_ADDR:
 		case ID_DER_ASN1_GN_URI:
-		case ID_IETF_ATTR_STRING:
 			chunk_printable(this->encoded, &proper, '?');
 			snprintf(buf, sizeof(buf), "%.*s", proper.len, proper.ptr);
 			chunk_free(&proper);
diff --git a/src/libstrongswan/utils/identification.h b/src/libstrongswan/utils/identification.h
index fe5c7d0fd..c463b0274 100644
--- a/src/libstrongswan/utils/identification.h
+++ b/src/libstrongswan/utils/identification.h
@@ -130,11 +130,6 @@ enum id_type_t {
 	 */
 	ID_DER_ASN1_GN_URI = 201,
 
-	/**
-	 * IETF Attribute Syntax String (RFC 3281)
-	 */
-	ID_IETF_ATTR_STRING = 202,
-
 	/**
 	 * Private ID used by the pluto daemon for opportunistic encryption
 	 */
diff --git a/src/libstrongswan/utils/leak_detective.c b/src/libstrongswan/utils/leak_detective.c
index 2f8a7187c..0673878a5 100644
--- a/src/libstrongswan/utils/leak_detective.c
+++ b/src/libstrongswan/utils/leak_detective.c
@@ -207,6 +207,7 @@ char *whitelist[] = {
 	"ENGINE_load_builtin_engines",
 	"OPENSSL_config",
 	"ecdsa_check",
+	"ERR_put_error",
 	/* libgcrypt */
 	"gcry_control",
 	"gcry_check_version",
@@ -233,39 +234,45 @@ static bool is_whitelisted(backtrace_t *backtrace)
 /**
  * Report leaks at library destruction
  */
-void report_leaks()
+static void report(private_leak_detective_t *this, bool detailed)
 {
-	memory_header_t *hdr;
-	int leaks = 0, whitelisted = 0;
-
-	for (hdr = first_header.next; hdr != NULL; hdr = hdr->next)
+	if (lib->leak_detective)
 	{
-		if (is_whitelisted(hdr->backtrace))
+		memory_header_t *hdr;
+		int leaks = 0, whitelisted = 0;
+
+		for (hdr = first_header.next; hdr != NULL; hdr = hdr->next)
 		{
-			whitelisted++;
+			if (is_whitelisted(hdr->backtrace))
+			{
+				whitelisted++;
+			}
+			else
+			{
+				fprintf(stderr, "Leak (%d bytes at %p):\n", hdr->bytes, hdr + 1);
+				/* skip the first frame, contains leak detective logic */
+				hdr->backtrace->log(hdr->backtrace, stderr, detailed);
+				leaks++;
+			}
 		}
-		else
+		switch (leaks)
 		{
-			fprintf(stderr, "Leak (%d bytes at %p):\n", hdr->bytes, hdr + 1);
-			/* skip the first frame, contains leak detective logic */
-			hdr->backtrace->log(hdr->backtrace, stderr);
-			leaks++;
+			case 0:
+				fprintf(stderr, "No leaks detected");
+				break;
+			case 1:
+				fprintf(stderr, "One leak detected");
+				break;
+			default:
+				fprintf(stderr, "%d leaks detected", leaks);
+				break;
 		}
+		fprintf(stderr, ", %d suppressed by whitelist\n", whitelisted);
 	}
-
-	switch (leaks)
+	else
 	{
-		case 0:
-			fprintf(stderr, "No leaks detected");
-			break;
-		case 1:
-			fprintf(stderr, "One leak detected");
-			break;
-		default:
-			fprintf(stderr, "%d leaks detected", leaks);
-			break;
+		fprintf(stderr, "Leak detective disabled\n");
 	}
-	fprintf(stderr, ", %d suppressed by whitelist\n", whitelisted);
 }
 
 /**
@@ -395,7 +402,7 @@ void free_hook(void *ptr, const void *caller)
 			fprintf(stderr, "freeing invalid memory (%p)", ptr);
 		}
 		backtrace = backtrace_create(3);
-		backtrace->log(backtrace, stderr);
+		backtrace->log(backtrace, stderr, TRUE);
 		backtrace->destroy(backtrace);
 	}
 	else
@@ -454,7 +461,7 @@ void *realloc_hook(void *old, size_t bytes, const void *caller)
 				"header magic 0x%x, tail magic 0x%x:\n",
 				old, hdr->magic, tail->magic);
 		backtrace = backtrace_create(3);
-		backtrace->log(backtrace, stderr);
+		backtrace->log(backtrace, stderr, TRUE);
 		backtrace->destroy(backtrace);
 	}
 	/* clear tail magic, allocate, set tail magic */
@@ -487,7 +494,6 @@ static void destroy(private_leak_detective_t *this)
 	if (installed)
 	{
 		uninstall_hooks();
-		report_leaks();
 	}
 	free(this);
 }
@@ -499,6 +505,7 @@ leak_detective_t *leak_detective_create()
 {
 	private_leak_detective_t *this = malloc_thing(private_leak_detective_t);
 
+	this->public.report = (void(*)(leak_detective_t*,bool))report;
 	this->public.destroy = (void(*)(leak_detective_t*))destroy;
 
 	if (getenv("LEAK_DETECTIVE_DISABLE") == NULL)
diff --git a/src/libstrongswan/utils/leak_detective.h b/src/libstrongswan/utils/leak_detective.h
index 181f8f3db..fa45a6076 100644
--- a/src/libstrongswan/utils/leak_detective.h
+++ b/src/libstrongswan/utils/leak_detective.h
@@ -23,6 +23,8 @@
 
 typedef struct leak_detective_t leak_detective_t;
 
+#include <library.h>
+
 /**
  * Leak detective finds leaks and bad frees using malloc hooks.
  *
@@ -33,6 +35,13 @@ typedef struct leak_detective_t leak_detective_t;
  */
 struct leak_detective_t {
 
+	/**
+	 * Report leaks to stderr.
+	 *
+	 * @param detailed 		TRUE to resolve line/filename of leak (slow)
+	 */
+	void (*report)(leak_detective_t *this, bool detailed);
+
 	/**
 	 * Destroy a leak_detective instance.
 	 */
diff --git a/src/manager/Makefile.in b/src/manager/Makefile.in
index 54e2cc11c..63a892ee7 100644
--- a/src/manager/Makefile.in
+++ b/src/manager/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
diff --git a/src/medsrv/Makefile.in b/src/medsrv/Makefile.in
index 2f79ca4d4..415c35e79 100644
--- a/src/medsrv/Makefile.in
+++ b/src/medsrv/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
diff --git a/src/medsrv/controller/peer_controller.c b/src/medsrv/controller/peer_controller.c
index e1e4661e0..5948fcfb7 100755
--- a/src/medsrv/controller/peer_controller.c
+++ b/src/medsrv/controller/peer_controller.c
@@ -139,8 +139,8 @@ static bool parse_public_key(private_peer_controller_t *this,
 		return FALSE;
 	}
 	/* TODO: use get_encoding() with an encoding type */
-	if (!public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1, &id) ||
-		!public->get_encoding(public, KEY_PUB_SPKI_ASN1_DER, encoding))
+	if (!public->get_fingerprint(public, KEYID_PUBKEY_SHA1, &id) ||
+		!public->get_encoding(public, PUBKEY_SPKI_ASN1_DER, encoding))
 	{
 		request->setf(request, "error=Encoding public key failed.");
 		return FALSE;
diff --git a/src/openac/Makefile.in b/src/openac/Makefile.in
index 9f0f96561..578ab7d39 100644
--- a/src/openac/Makefile.in
+++ b/src/openac/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
diff --git a/src/openac/openac.c b/src/openac/openac.c
index a280192c2..3f28b0ac4 100755
--- a/src/openac/openac.c
+++ b/src/openac/openac.c
@@ -501,11 +501,13 @@ int main(int argc, char **argv)
 		}
 
 		/* write the attribute certificate to file */
-		attr_chunk = attr_cert->get_encoding(attr_cert);
-		if (chunk_write(attr_chunk, outfile, "attribute cert", 0022, TRUE))
+		if (attr_cert->get_encoding(attr_cert, CERT_ASN1_DER, &attr_chunk))
 		{
-			write_serial(serial);
-			status = 0;
+			if (chunk_write(attr_chunk, outfile, "attribute cert", 0022, TRUE))
+			{
+				write_serial(serial);
+				status = 0;
+			}
 		}
 	}
 	else
diff --git a/src/pki/Makefile.am b/src/pki/Makefile.am
index 8eac07afc..99e9bc581 100644
--- a/src/pki/Makefile.am
+++ b/src/pki/Makefile.am
@@ -7,6 +7,8 @@ pki_SOURCES = pki.c pki.h command.c command.h \
 	commands/pub.c \
 	commands/req.c \
 	commands/self.c \
+	commands/print.c \
+	commands/signcrl.c \
 	commands/verify.c
 
 pki_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
diff --git a/src/pki/Makefile.in b/src/pki/Makefile.in
index 522b9e887..8f08777bb 100644
--- a/src/pki/Makefile.in
+++ b/src/pki/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -55,7 +55,8 @@ am__installdirs = "$(DESTDIR)$(ipsecdir)"
 PROGRAMS = $(ipsec_PROGRAMS)
 am_pki_OBJECTS = pki.$(OBJEXT) command.$(OBJEXT) gen.$(OBJEXT) \
 	issue.$(OBJEXT) keyid.$(OBJEXT) pub.$(OBJEXT) req.$(OBJEXT) \
-	self.$(OBJEXT) verify.$(OBJEXT)
+	self.$(OBJEXT) print.$(OBJEXT) signcrl.$(OBJEXT) \
+	verify.$(OBJEXT)
 pki_OBJECTS = $(am_pki_OBJECTS)
 pki_DEPENDENCIES = $(top_builddir)/src/libstrongswan/libstrongswan.la
 DEFAULT_INCLUDES = -I.@am__isrc@
@@ -238,6 +239,8 @@ pki_SOURCES = pki.c pki.h command.c command.h \
 	commands/pub.c \
 	commands/req.c \
 	commands/self.c \
+	commands/print.c \
+	commands/signcrl.c \
 	commands/verify.c
 
 pki_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
@@ -337,9 +340,11 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/issue.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/keyid.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pki.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/print.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pub.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/req.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/self.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/signcrl.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/verify.Po@am__quote@
 
 .c.o:
@@ -447,6 +452,34 @@ self.obj: commands/self.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o self.obj `if test -f 'commands/self.c'; then $(CYGPATH_W) 'commands/self.c'; else $(CYGPATH_W) '$(srcdir)/commands/self.c'; fi`
 
+print.o: commands/print.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT print.o -MD -MP -MF $(DEPDIR)/print.Tpo -c -o print.o `test -f 'commands/print.c' || echo '$(srcdir)/'`commands/print.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/print.Tpo $(DEPDIR)/print.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='commands/print.c' object='print.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o print.o `test -f 'commands/print.c' || echo '$(srcdir)/'`commands/print.c
+
+print.obj: commands/print.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT print.obj -MD -MP -MF $(DEPDIR)/print.Tpo -c -o print.obj `if test -f 'commands/print.c'; then $(CYGPATH_W) 'commands/print.c'; else $(CYGPATH_W) '$(srcdir)/commands/print.c'; fi`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/print.Tpo $(DEPDIR)/print.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='commands/print.c' object='print.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o print.obj `if test -f 'commands/print.c'; then $(CYGPATH_W) 'commands/print.c'; else $(CYGPATH_W) '$(srcdir)/commands/print.c'; fi`
+
+signcrl.o: commands/signcrl.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT signcrl.o -MD -MP -MF $(DEPDIR)/signcrl.Tpo -c -o signcrl.o `test -f 'commands/signcrl.c' || echo '$(srcdir)/'`commands/signcrl.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/signcrl.Tpo $(DEPDIR)/signcrl.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='commands/signcrl.c' object='signcrl.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o signcrl.o `test -f 'commands/signcrl.c' || echo '$(srcdir)/'`commands/signcrl.c
+
+signcrl.obj: commands/signcrl.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT signcrl.obj -MD -MP -MF $(DEPDIR)/signcrl.Tpo -c -o signcrl.obj `if test -f 'commands/signcrl.c'; then $(CYGPATH_W) 'commands/signcrl.c'; else $(CYGPATH_W) '$(srcdir)/commands/signcrl.c'; fi`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/signcrl.Tpo $(DEPDIR)/signcrl.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='commands/signcrl.c' object='signcrl.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o signcrl.obj `if test -f 'commands/signcrl.c'; then $(CYGPATH_W) 'commands/signcrl.c'; else $(CYGPATH_W) '$(srcdir)/commands/signcrl.c'; fi`
+
 verify.o: commands/verify.c
 @am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT verify.o -MD -MP -MF $(DEPDIR)/verify.Tpo -c -o verify.o `test -f 'commands/verify.c' || echo '$(srcdir)/'`commands/verify.c
 @am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/verify.Tpo $(DEPDIR)/verify.Po
diff --git a/src/pki/command.c b/src/pki/command.c
index 8f53817f0..b9c35d99b 100644
--- a/src/pki/command.c
+++ b/src/pki/command.c
@@ -181,7 +181,7 @@ int command_usage(char *error)
 	{
 		for (i = 0; cmds[i].cmd; i++)
 		{
-			fprintf(out, "  pki --%-6s (-%c)  %s\n",
+			fprintf(out, "  pki --%-7s (-%c)  %s\n",
 					cmds[i].cmd, cmds[i].op, cmds[i].description);
 		}
 	}
diff --git a/src/pki/commands/gen.c b/src/pki/commands/gen.c
index b2769da54..33d9cf35d 100644
--- a/src/pki/commands/gen.c
+++ b/src/pki/commands/gen.c
@@ -20,7 +20,7 @@
  */
 static int gen()
 {
-	key_encoding_type_t form = KEY_PRIV_ASN1_DER;
+	cred_encoding_type_t form = PRIVKEY_ASN1_DER;
 	key_type_t type = KEY_RSA;
 	u_int size = 0;
 	private_key_t *key;
@@ -48,7 +48,7 @@ static int gen()
 				}
 				continue;
 			case 'f':
-				if (!get_form(arg, &form, FALSE))
+				if (!get_form(arg, &form, CRED_PRIVATE_KEY))
 				{
 					return command_usage("invalid key output format");
 				}
diff --git a/src/pki/commands/issue.c b/src/pki/commands/issue.c
index fcd758f87..2002cd555 100644
--- a/src/pki/commands/issue.c
+++ b/src/pki/commands/issue.c
@@ -28,6 +28,7 @@
  */
 static int issue()
 {
+	cred_encoding_type_t form = CERT_ASN1_DER;
 	hash_algorithm_t digest = HASH_SHA1;
 	certificate_t *cert_req = NULL, *cert = NULL, *ca =NULL;
 	private_key_t *private = NULL;
@@ -37,7 +38,7 @@ static int issue()
 	char *error = NULL;
 	identification_t *id = NULL;
 	linked_list_t *san, *cdps, *ocsp;
-	int lifetime = 1080;
+	int lifetime = 1095;
 	int pathlen = X509_NO_PATH_LEN_CONSTRAINT;
 	chunk_t serial = chunk_empty;
 	chunk_t encoding = chunk_empty;
@@ -107,7 +108,7 @@ static int issue()
 			case 'p':
 				pathlen = atoi(arg);
 				continue;
-			case 'f':
+			case 'e':
 				if (streq(arg, "serverAuth"))
 				{
 					flags |= X509_SERVER_AUTH;
@@ -121,6 +122,12 @@ static int issue()
 					flags |= X509_OCSP_SIGNER;
 				}
 				continue;
+			case 'f':
+				if (!get_form(arg, &form, CRED_CERTIFICATE))
+				{
+					return command_usage("invalid output format");
+				}
+				continue;
 			case 'u':
 				cdps->insert_last(cdps, arg);
 				continue;
@@ -301,8 +308,7 @@ static int issue()
 		error = "generating certificate failed";
 		goto end;
 	}
-	encoding = cert->get_encoding(cert);
-	if (!encoding.ptr)
+	if (!cert->get_encoding(cert, form, &encoding))
 	{
 		error = "encoding certificate failed";
 		goto end;
@@ -352,7 +358,7 @@ static void __attribute__ ((constructor))reg()
 		 " --cacert file --cakey file --dn subject-dn [--san subjectAltName]+",
 		 "[--lifetime days] [--serial hex] [--crl uri]+ [--ocsp uri]+",
 		 "[--ca] [--pathlen len] [--flag serverAuth|clientAuth|ocspSigning]+",
-		 "[--digest md5|sha1|sha224|sha256|sha384|sha512]"},
+		 "[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]"},
 		{
 			{"help",	'h', 0, "show usage information"},
 			{"in",		'i', 1, "public key/request file to issue, default: stdin"},
@@ -361,14 +367,15 @@ static void __attribute__ ((constructor))reg()
 			{"cakey",	'k', 1, "CA private key file"},
 			{"dn",		'd', 1, "distinguished name to include as subject"},
 			{"san",		'a', 1, "subjectAltName to include in certificate"},
-			{"lifetime",'l', 1, "days the certificate is valid, default: 1080"},
+			{"lifetime",'l', 1, "days the certificate is valid, default: 1095"},
 			{"serial",	's', 1, "serial number in hex, default: random"},
 			{"ca",		'b', 0, "include CA basicConstraint, default: no"},
 			{"pathlen",	'p', 1, "set path length constraint"},
-			{"flag",	'f', 1, "include extendedKeyUsage flag"},
+			{"flag",	'e', 1, "include extendedKeyUsage flag"},
 			{"crl",		'u', 1, "CRL distribution point URI to include"},
 			{"ocsp",	'o', 1, "OCSP AuthorityInfoAccess URI to include"},
 			{"digest",	'g', 1, "digest for signature creation, default: sha1"},
+			{"outform",	'f', 1, "encoding of generated cert, default: der"},
 		}
 	});
 }
diff --git a/src/pki/commands/keyid.c b/src/pki/commands/keyid.c
index c15c1193e..6d2f7b915 100644
--- a/src/pki/commands/keyid.c
+++ b/src/pki/commands/keyid.c
@@ -99,11 +99,11 @@ static int keyid()
 	if (type == CRED_PRIVATE_KEY)
 	{
 		private = cred;
-		if (private->get_fingerprint(private, KEY_ID_PUBKEY_SHA1, &id))
+		if (private->get_fingerprint(private, KEYID_PUBKEY_SHA1, &id))
 		{
 			printf("subjectKeyIdentifier:      %#B\n", &id);
 		}
-		if (private->get_fingerprint(private, KEY_ID_PUBKEY_INFO_SHA1, &id))
+		if (private->get_fingerprint(private, KEYID_PUBKEY_INFO_SHA1, &id))
 		{
 			printf("subjectPublicKeyInfo hash: %#B\n", &id);
 		}
@@ -112,11 +112,11 @@ static int keyid()
 	else if (type == CRED_PUBLIC_KEY)
 	{
 		public = cred;
-		if (public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1, &id))
+		if (public->get_fingerprint(public, KEYID_PUBKEY_SHA1, &id))
 		{
 			printf("subjectKeyIdentifier:      %#B\n", &id);
 		}
-		if (public->get_fingerprint(public, KEY_ID_PUBKEY_INFO_SHA1, &id))
+		if (public->get_fingerprint(public, KEYID_PUBKEY_INFO_SHA1, &id))
 		{
 			printf("subjectPublicKeyInfo hash: %#B\n", &id);
 		}
@@ -131,11 +131,11 @@ static int keyid()
 			fprintf(stderr, "extracting public key from certificate failed");
 			return 1;
 		}
-		if (public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1, &id))
+		if (public->get_fingerprint(public, KEYID_PUBKEY_SHA1, &id))
 		{
 			printf("subjectKeyIdentifier:      %#B\n", &id);
 		}
-		if (public->get_fingerprint(public, KEY_ID_PUBKEY_INFO_SHA1, &id))
+		if (public->get_fingerprint(public, KEYID_PUBKEY_INFO_SHA1, &id))
 		{
 			printf("subjectPublicKeyInfo hash: %#B\n", &id);
 		}
diff --git a/src/pki/commands/print.c b/src/pki/commands/print.c
new file mode 100644
index 000000000..6d5462783
--- /dev/null
+++ b/src/pki/commands/print.c
@@ -0,0 +1,368 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "pki.h"
+
+#include <credentials/certificates/certificate.h>
+#include <credentials/certificates/x509.h>
+#include <selectors/traffic_selector.h>
+
+#include <time.h>
+
+/**
+ * Print public key information
+ */
+static void print_pubkey(public_key_t *key)
+{
+	chunk_t chunk;
+
+	printf("pubkey:    %N %d bits\n", key_type_names, key->get_type(key),
+		   key->get_keysize(key) * 8);
+	if (key->get_fingerprint(key, KEYID_PUBKEY_INFO_SHA1, &chunk))
+	{
+		printf("keyid:     %#B\n", &chunk);
+	}
+	if (key->get_fingerprint(key, KEYID_PUBKEY_SHA1, &chunk))
+	{
+		printf("subjkey:   %#B\n", &chunk);
+	}
+}
+
+/**
+ * Print private key information
+ */
+static void print_key(private_key_t *key)
+{
+	public_key_t *public;
+
+	public = key->get_public_key(key);
+	if (public)
+	{
+		printf("private key with:\n");
+		print_pubkey(public);
+		public->destroy(public);
+	}
+	else
+	{
+		printf("extracting public from private key failed\n");
+	}
+}
+
+/**
+ * Print X509 specific certificate information
+ */
+static void print_x509(x509_t *x509)
+{
+	enumerator_t *enumerator;
+	identification_t *id;
+	traffic_selector_t *block;
+	chunk_t chunk;
+	bool first;
+	char *uri;
+	int len;
+	x509_flag_t flags;
+
+	chunk = x509->get_serial(x509);
+	printf("serial:    %#B\n", &chunk);
+
+	first = TRUE;
+	enumerator = x509->create_subjectAltName_enumerator(x509);
+	while (enumerator->enumerate(enumerator, &id))
+	{
+		if (first)
+		{
+			printf("altNames:  ");
+			first = FALSE;
+		}
+		else
+		{
+			printf(", ");
+		}
+		printf("%Y", id);
+	}
+	if (!first)
+	{
+		printf("\n");
+	}
+	enumerator->destroy(enumerator);
+
+	flags = x509->get_flags(x509);
+	printf("flags:     ");
+	if (flags & X509_CA)
+	{
+		printf("CA ");
+	}
+	if (flags & X509_AA)
+	{
+		printf("AA ");
+	}
+	if (flags & X509_OCSP_SIGNER)
+	{
+		printf("OCSP ");
+	}
+	if (flags & X509_AA)
+	{
+		printf("AA ");
+	}
+	if (flags & X509_SERVER_AUTH)
+	{
+		printf("serverAuth ");
+	}
+	if (flags & X509_CLIENT_AUTH)
+	{
+		printf("clientAuth ");
+	}
+	if (flags & X509_SELF_SIGNED)
+	{
+		printf("self-signed ");
+	}
+	printf("\n");
+
+	first = TRUE;
+	enumerator = x509->create_crl_uri_enumerator(x509);
+	while (enumerator->enumerate(enumerator, &uri))
+	{
+		if (first)
+		{
+			printf("CRL URIs:  %s\n", uri);
+			first = FALSE;
+		}
+		else
+		{
+			printf("           %s\n", uri);
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	first = TRUE;
+	enumerator = x509->create_ocsp_uri_enumerator(x509);
+	while (enumerator->enumerate(enumerator, &uri))
+	{
+		if (first)
+		{
+			printf("OCSP URIs: %s\n", uri);
+			first = FALSE;
+		}
+		else
+		{
+			printf("           %s\n", uri);
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	len = x509->get_pathLenConstraint(x509);
+	if (len != X509_NO_PATH_LEN_CONSTRAINT)
+	{
+		printf("pathlen:   %d\n", len);
+	}
+
+	chunk = x509->get_authKeyIdentifier(x509);
+	if (chunk.ptr)
+	{
+		printf("authkeyId: %#B\n", &chunk);
+	}
+
+	chunk = x509->get_subjectKeyIdentifier(x509);
+	if (chunk.ptr)
+	{
+		printf("subjkeyId: %#B\n", &chunk);
+	}
+	if (x509->get_flags(x509) & X509_IP_ADDR_BLOCKS)
+	{
+		first = TRUE;
+		printf("addresses: ");
+		enumerator = x509->create_ipAddrBlock_enumerator(x509);
+		while (enumerator->enumerate(enumerator, &block))
+		{
+			if (first)
+			{
+				first = FALSE;
+			}
+			else
+			{
+				printf(", ");
+			}
+			printf("%R", block);
+		}
+		enumerator->destroy(enumerator);
+		printf("\n");
+	}
+}
+
+/**
+ * Print certificate information
+ */
+static void print_cert(certificate_t *cert)
+{
+	time_t now, notAfter, notBefore;
+	public_key_t *key;
+
+	now = time(NULL);
+
+	printf("cert:      %N\n", certificate_type_names, cert->get_type(cert));
+	printf("subject:  \"%Y\"\n", cert->get_subject(cert));
+	printf("issuer:   \"%Y\"\n", cert->get_issuer(cert));
+
+	cert->get_validity(cert, &now, &notBefore, &notAfter);
+	printf("validity:  not before %T, ", &notBefore, FALSE);
+	if (now < notBefore)
+	{
+		printf("not valid yet (valid in %V)\n", &now, &notBefore);
+	}
+	else
+	{
+		printf("ok\n");
+	}
+	printf("           not after  %T, ", &notAfter, FALSE);
+	if (now > notAfter)
+	{
+		printf("expired (%V ago)\n", &now, &notAfter);
+	}
+	else
+	{
+		printf("ok (expires in %V)\n", &now, &notAfter);
+	}
+
+	switch (cert->get_type(cert))
+	{
+		case CERT_X509:
+			print_x509((x509_t*)cert);
+			break;
+		default:
+			printf("parsing certificate subtype %N not implemented\n",
+				   certificate_type_names, cert->get_type(cert));
+			break;
+	}
+
+	key = cert->get_public_key(cert);
+	if (key)
+	{
+		print_pubkey(key);
+		key->destroy(key);
+	}
+	else
+	{
+		printf("unable to extract public key\n");
+	}
+}
+
+/**
+ * Print a credential in a human readable form
+ */
+static int print()
+{
+	credential_type_t type = CRED_CERTIFICATE;
+	int subtype = CERT_X509;
+	void *cred;
+	char *arg, *file = NULL;
+
+	while (TRUE)
+	{
+		switch (command_getopt(&arg))
+		{
+			case 'h':
+				return command_usage(NULL);
+			case 't':
+				if (streq(arg, "x509"))
+				{
+					type = CRED_CERTIFICATE;
+					subtype = CERT_X509;
+				}
+				else if (streq(arg, "pub"))
+				{
+					type = CRED_PUBLIC_KEY;
+					subtype = KEY_ANY;
+				}
+				else if (streq(arg, "rsa-priv"))
+				{
+					type = CRED_PRIVATE_KEY;
+					subtype = KEY_RSA;
+				}
+				else if (streq(arg, "ecdsa-priv"))
+				{
+					type = CRED_PRIVATE_KEY;
+					subtype = KEY_ECDSA;
+				}
+				else
+				{
+					return command_usage( "invalid input type");
+				}
+				continue;
+			case 'i':
+				file = arg;
+				continue;
+			case EOF:
+				break;
+			default:
+				return command_usage("invalid --print option");
+		}
+		break;
+	}
+	if (file)
+	{
+		cred = lib->creds->create(lib->creds, type, subtype,
+								  BUILD_FROM_FILE, file, BUILD_END);
+	}
+	else
+	{
+		cred = lib->creds->create(lib->creds, type, subtype,
+								  BUILD_FROM_FD, 0, BUILD_END);
+	}
+	if (!cred)
+	{
+		fprintf(stderr, "parsing input failed\n");
+		return 1;
+	}
+
+	if (type == CRED_CERTIFICATE)
+	{
+		certificate_t *cert = (certificate_t*)cred;
+
+		print_cert(cert);
+		cert->destroy(cert);
+	}
+	if (type == CRED_PUBLIC_KEY)
+	{
+		public_key_t *key = (public_key_t*)cred;
+
+		print_pubkey(key);
+		key->destroy(key);
+	}
+	if (type == CRED_PRIVATE_KEY)
+	{
+		private_key_t *key = (private_key_t*)cred;
+
+		print_key(key);
+		key->destroy(key);
+	}
+	return 0;
+}
+
+/**
+ * Register the command.
+ */
+static void __attribute__ ((constructor))reg()
+{
+	command_register((command_t)
+		{ print, 'a', "print",
+		"print a credential in a human readable form",
+		{"[--in file] [--type rsa-priv|ecdsa-priv|pub|x509]"},
+		{
+			{"help",	'h', 0, "show usage information"},
+			{"in",		'i', 1, "input file, default: stdin"},
+			{"type",	't', 1, "type of credential, default: x509"},
+		}
+	});
+}
diff --git a/src/pki/commands/pub.c b/src/pki/commands/pub.c
index de0444c1a..fc2614c7d 100644
--- a/src/pki/commands/pub.c
+++ b/src/pki/commands/pub.c
@@ -23,7 +23,7 @@
  */
 static int pub()
 {
-	key_encoding_type_t form = KEY_PUB_SPKI_ASN1_DER;
+	cred_encoding_type_t form = PUBKEY_SPKI_ASN1_DER;
 	credential_type_t type = CRED_PRIVATE_KEY;
 	int subtype = KEY_RSA;
 	certificate_t *cert;
@@ -67,7 +67,7 @@ static int pub()
 				}
 				continue;
 			case 'f':
-				if (!get_form(arg, &form, TRUE))
+				if (!get_form(arg, &form, CRED_PUBLIC_KEY))
 				{
 					return command_usage("invalid output format");
 				}
diff --git a/src/pki/commands/req.c b/src/pki/commands/req.c
index 8335f2595..a1ae2f515 100644
--- a/src/pki/commands/req.c
+++ b/src/pki/commands/req.c
@@ -27,6 +27,7 @@
  */
 static int req()
 {
+	cred_encoding_type_t form = CERT_ASN1_DER;
 	key_type_t type = KEY_RSA;
 	hash_algorithm_t digest = HASH_SHA1;
 	certificate_t *cert = NULL;
@@ -81,6 +82,12 @@ static int req()
 			case 'p':
 				challenge_password = chunk_create(arg, strlen(arg));
 				continue;
+			case 'f':
+				if (!get_form(arg, &form, CRED_CERTIFICATE))
+				{
+					return command_usage("invalid output format");
+				}
+				continue;
 			case EOF:
 				break;
 			default:
@@ -128,8 +135,7 @@ static int req()
 		error = "generating certificate request failed";
 		goto end;
 	}
-	encoding = cert->get_encoding(cert);
-	if (!encoding.ptr)
+	if (!cert->get_encoding(cert, form, &encoding))
 	{
 		error = "encoding certificate request failed";
 		goto end;
@@ -170,7 +176,7 @@ static void __attribute__ ((constructor))reg()
 		{"[--in file] [--type rsa|ecdsa]",
 		 " --dn distinguished-name [--san subjectAltName]+",
 		 "[--password challengePassword]",
-		 "[--digest md5|sha1|sha224|sha256|sha384|sha512]"},
+		 "[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]"},
 		{
 			{"help",	'h', 0, "show usage information"},
 			{"in",		'i', 1, "private key input file, default: stdin"},
@@ -179,6 +185,7 @@ static void __attribute__ ((constructor))reg()
 			{"san",		'a', 1, "subjectAltName to include in cert request"},
 			{"password",'p', 1, "challengePassword to include in cert request"},
 			{"digest",	'g', 1, "digest for signature creation, default: sha1"},
+			{"outform",	'f', 1, "encoding of generated request, default: der"},
 		}
 	});
 }
diff --git a/src/pki/commands/self.c b/src/pki/commands/self.c
index d283daa6a..71776c745 100644
--- a/src/pki/commands/self.c
+++ b/src/pki/commands/self.c
@@ -26,6 +26,7 @@
  */
 static int self()
 {
+	cred_encoding_type_t form = CERT_ASN1_DER;
 	key_type_t type = KEY_RSA;
 	hash_algorithm_t digest = HASH_SHA1;
 	certificate_t *cert = NULL;
@@ -34,7 +35,7 @@ static int self()
 	char *file = NULL, *dn = NULL, *hex = NULL, *error = NULL;
 	identification_t *id = NULL;
 	linked_list_t *san, *ocsp;
-	int lifetime = 1080;
+	int lifetime = 1095;
 	int pathlen = X509_NO_PATH_LEN_CONSTRAINT;
 	chunk_t serial = chunk_empty;
 	chunk_t encoding = chunk_empty;
@@ -100,6 +101,26 @@ static int self()
 			case 'p':
 				pathlen = atoi(arg);
 				continue;
+			case 'e':
+				if (streq(arg, "serverAuth"))
+				{
+					flags |= X509_SERVER_AUTH;
+				}
+				else if (streq(arg, "clientAuth"))
+				{
+					flags |= X509_CLIENT_AUTH;
+				}
+				else if (streq(arg, "ocspSigning"))
+				{
+					flags |= X509_OCSP_SIGNER;
+				}
+				continue;
+			case 'f':
+				if (!get_form(arg, &form, CRED_CERTIFICATE))
+				{
+					return command_usage("invalid output format");
+				}
+				continue;
 			case 'o':
 				ocsp->insert_last(ocsp, arg);
 				continue;
@@ -179,8 +200,7 @@ static int self()
 		error = "generating certificate failed";
 		goto end;
 	}
-	encoding = cert->get_encoding(cert);
-	if (!encoding.ptr)
+	if (!cert->get_encoding(cert, form, &encoding))
 	{
 		error = "encoding certificate failed";
 		goto end;
@@ -225,19 +245,22 @@ static void __attribute__ ((constructor))reg()
 		{"[--in file] [--type rsa|ecdsa]",
 		 " --dn distinguished-name [--san subjectAltName]+",
 		 "[--lifetime days] [--serial hex] [--ca] [--ocsp uri]+",
-		 "[--digest md5|sha1|sha224|sha256|sha384|sha512]"},
+		 "[--flag serverAuth|clientAuth|ocspSigning]+",
+		 "[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]"},
 		{
 			{"help",	'h', 0, "show usage information"},
 			{"in",		'i', 1, "private key input file, default: stdin"},
 			{"type",	't', 1, "type of input key, default: rsa"},
 			{"dn",		'd', 1, "subject and issuer distinguished name"},
 			{"san",		'a', 1, "subjectAltName to include in certificate"},
-			{"lifetime",'l', 1, "days the certificate is valid, default: 1080"},
+			{"lifetime",'l', 1, "days the certificate is valid, default: 1095"},
 			{"serial",	's', 1, "serial number in hex, default: random"},
 			{"ca",		'b', 0, "include CA basicConstraint, default: no"},
 			{"pathlen",	'p', 1, "set path length constraint"},
+			{"flag",	'e', 1, "include extendedKeyUsage flag"},
 			{"ocsp",	'o', 1, "OCSP AuthorityInfoAccess URI to include"},
 			{"digest",	'g', 1, "digest for signature creation, default: sha1"},
+			{"outform",	'f', 1, "encoding of generated cert, default: der"},
 		}
 	});
 }
diff --git a/src/pki/commands/signcrl.c b/src/pki/commands/signcrl.c
new file mode 100644
index 000000000..b7163a153
--- /dev/null
+++ b/src/pki/commands/signcrl.c
@@ -0,0 +1,382 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <time.h>
+
+#include "pki.h"
+
+#include <debug.h>
+#include <utils/linked_list.h>
+#include <credentials/certificates/certificate.h>
+#include <credentials/certificates/x509.h>
+#include <credentials/certificates/crl.h>
+
+
+/**
+ * Entry for a revoked certificate
+ */
+typedef struct {
+	chunk_t serial;
+	crl_reason_t reason;
+	time_t date;
+} revoked_t;
+
+/**
+ * Add a revocation to the list
+ */
+static void add_revoked(linked_list_t *list,
+						chunk_t serial, crl_reason_t reason, time_t date)
+{
+	revoked_t *revoked;
+
+	INIT(revoked,
+		.serial = chunk_clone(serial),
+		.reason = reason,
+		.date = date,
+	);
+	list->insert_last(list, revoked);
+}
+
+/**
+ * Destroy a reason entry
+ */
+static void revoked_destroy(revoked_t *revoked)
+{
+	free(revoked->serial.ptr);
+	free(revoked);
+}
+
+/**
+ * Filter for revoked enumerator
+ */
+static bool filter(void *data, revoked_t **revoked, chunk_t *serial, void *p2,
+				   time_t *date, void *p3, crl_reason_t *reason)
+{
+	*serial = (*revoked)->serial;
+	*date = (*revoked)->date;
+	*reason = (*revoked)->reason;
+	return TRUE;
+}
+
+/**
+ * Extract the serial of a certificate, write it into buf
+ */
+static int read_serial(char *file, char *buf, int buflen)
+{
+	certificate_t *cert;
+	x509_t *x509;
+	chunk_t serial;
+
+	x509 = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+							  BUILD_FROM_FILE, file, BUILD_END);
+	cert = &x509->interface;
+	if (!cert)
+	{
+		return -1;
+	}
+	serial = x509->get_serial(x509);
+	if (serial.len == 0 || serial.len > buflen)
+	{
+		cert->destroy(cert);
+		return -2;
+	}
+	memcpy(buf, serial.ptr, serial.len);
+	cert->destroy(cert);
+	return serial.len;
+}
+
+/**
+ * Sign a CRL
+ */
+static int sign_crl()
+{
+	cred_encoding_type_t form = CERT_ASN1_DER;
+	private_key_t *private = NULL;
+	public_key_t *public = NULL;
+	certificate_t *ca = NULL, *crl = NULL;
+	crl_t *lastcrl = NULL;
+	x509_t *x509;
+	hash_algorithm_t digest = HASH_SHA1;
+	char *arg, *cacert = NULL, *cakey = NULL, *lastupdate = NULL, *error = NULL;
+	char serial[512], crl_serial[8];
+	int serial_len = 0;
+	crl_reason_t reason = CRL_REASON_UNSPECIFIED;
+	time_t thisUpdate, nextUpdate, date = time(NULL);
+	int lifetime = 15;
+	linked_list_t *list;
+	enumerator_t *enumerator, *lastenum = NULL;
+	chunk_t encoding = chunk_empty;
+
+	list = linked_list_create();
+
+	memset(crl_serial, 0, sizeof(crl_serial));
+
+	while (TRUE)
+	{
+		switch (command_getopt(&arg))
+		{
+			case 'h':
+				goto usage;
+			case 'g':
+				digest = get_digest(arg);
+				if (digest == HASH_UNKNOWN)
+				{
+					error = "invalid --digest type";
+					goto usage;
+				}
+				continue;
+			case 'c':
+				cacert = arg;
+				continue;
+			case 'k':
+				cakey = arg;
+				continue;
+			case 'a':
+				lastupdate = arg;
+				continue;
+			case 'l':
+				lifetime = atoi(arg);
+				if (!lifetime)
+				{
+					error = "invalid lifetime";
+					goto usage;
+				}
+				continue;
+			case 'z':
+				serial_len = read_serial(arg, serial, sizeof(serial));
+				if (serial_len < 0)
+				{
+					snprintf(serial, sizeof(serial),
+							 "parsing certificate '%s' failed", arg);
+					error = serial;
+					goto error;
+				}
+				add_revoked(list, chunk_create(serial, serial_len), reason, date);
+				date = time(NULL);
+				serial_len = 0;
+				reason = CRL_REASON_UNSPECIFIED;
+				continue;
+			case 's':
+			{
+				chunk_t chunk;
+				int hex_len;
+
+				hex_len = strlen(arg);
+				if ((hex_len / 2) + (hex_len % 2) > sizeof(serial))
+				{
+					error = "invalid serial";
+					goto usage;
+				}
+				chunk = chunk_from_hex(chunk_create(arg, hex_len), serial);
+				serial_len = chunk.len;
+				add_revoked(list, chunk_create(serial, serial_len), reason, date);
+				date = time(NULL);
+				serial_len = 0;
+				reason = CRL_REASON_UNSPECIFIED;
+				continue;
+			}
+			case 'r':
+				if (streq(arg, "key-compromise"))
+				{
+					reason = CRL_REASON_KEY_COMPROMISE;
+				}
+				else if (streq(arg, "ca-compromise"))
+				{
+					reason = CRL_REASON_CA_COMPROMISE;
+				}
+				else if (streq(arg, "affiliation-changed"))
+				{
+					reason = CRL_REASON_AFFILIATION_CHANGED;
+				}
+				else if (streq(arg, "superseded"))
+				{
+					reason = CRL_REASON_SUPERSEDED;
+				}
+				else if (streq(arg, "cessation-of-operation"))
+				{
+					reason = CRL_REASON_CESSATION_OF_OPERATON;
+				}
+				else if (streq(arg, "certificate-hold"))
+				{
+					reason = CRL_REASON_CERTIFICATE_HOLD;
+				}
+				else
+				{
+					return command_usage( "invalid revocation reason");
+				}
+				continue;
+			case 'd':
+				date = atol(arg);
+				if (!date)
+				{
+					error = "invalid date";
+					goto usage;
+				}
+				continue;
+			case 'f':
+				if (!get_form(arg, &form, CRED_CERTIFICATE))
+				{
+					return command_usage("invalid output format");
+				}
+				continue;
+			case EOF:
+				break;
+			default:
+				error = "invalid --signcrl option";
+				goto usage;
+		}
+		break;
+	}
+
+	if (!cacert)
+	{
+		error = "--cacert is required";
+		goto usage;
+	}
+	if (!cakey)
+	{
+		error = "--cakey is required";
+		goto usage;
+	}
+
+	ca = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+							BUILD_FROM_FILE, cacert, BUILD_END);
+	if (!ca)
+	{
+		error = "parsing CA certificate failed";
+		goto error;
+	}
+	x509 = (x509_t*)ca;
+	if (!(x509->get_flags(x509) & X509_CA))
+	{
+		error = "CA certificate misses CA basicConstraint";
+		goto error;
+	}
+	public = ca->get_public_key(ca);
+	if (!public)
+	{
+		error = "extracting CA certificate public key failed";
+		goto error;
+	}
+	private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY,
+								 public->get_type(public),
+								 BUILD_FROM_FILE, cakey, BUILD_END);
+	if (!private)
+	{
+		error = "parsing CA private key failed";
+		goto error;
+	}
+	if (!private->belongs_to(private, public))
+	{
+		error = "CA private key does not match CA certificate";
+		goto error;
+	}
+
+	thisUpdate = time(NULL);
+	nextUpdate = thisUpdate + lifetime * 24 * 60 * 60;
+
+	if (lastupdate)
+	{
+		lastcrl = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL,
+									 BUILD_FROM_FILE, lastupdate, BUILD_END);
+		if (!lastcrl)
+		{
+			error = "loading lastUpdate CRL failed";
+			goto error;
+		}
+		memcpy(crl_serial, lastcrl->get_serial(lastcrl).ptr,
+			   min(lastcrl->get_serial(lastcrl).len, sizeof(crl_serial)));
+		lastenum = lastcrl->create_enumerator(lastcrl);
+	}
+
+	chunk_increment(chunk_create(crl_serial, sizeof(crl_serial)));
+
+	enumerator = enumerator_create_filter(list->create_enumerator(list),
+										  (void*)filter, NULL, NULL);
+	crl = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL,
+			BUILD_SIGNING_KEY, private, BUILD_SIGNING_CERT, ca,
+			BUILD_SERIAL, chunk_create(crl_serial, sizeof(crl_serial)),
+			BUILD_NOT_BEFORE_TIME, thisUpdate, BUILD_NOT_AFTER_TIME, nextUpdate,
+			BUILD_REVOKED_ENUMERATOR, enumerator, BUILD_DIGEST_ALG, digest,
+			lastenum ? BUILD_REVOKED_ENUMERATOR : BUILD_END, lastenum,
+			BUILD_END);
+	enumerator->destroy(enumerator);
+	DESTROY_IF(lastenum);
+	DESTROY_IF((certificate_t*)lastcrl);
+
+	if (!crl)
+	{
+		error = "generating CRL failed";
+		goto error;
+	}
+	if (!crl->get_encoding(crl, form, &encoding))
+	{
+		error = "encoding CRL failed";
+		goto error;
+	}
+	if (fwrite(encoding.ptr, encoding.len, 1, stdout) != 1)
+	{
+		error = "writing CRL failed";
+		goto error;
+	}
+
+error:
+	DESTROY_IF(public);
+	DESTROY_IF(private);
+	DESTROY_IF(ca);
+	DESTROY_IF(crl);
+	free(encoding.ptr);
+	list->destroy_function(list, (void*)revoked_destroy);
+	if (error)
+	{
+		fprintf(stderr, "%s\n", error);
+		return 1;
+	}
+	return 0;
+
+usage:
+	list->destroy_function(list, (void*)revoked_destroy);
+	return command_usage(error);
+}
+
+/**
+ * Register the command.
+ */
+static void __attribute__ ((constructor))reg()
+{
+	command_register((command_t) {
+		sign_crl, 'c', "signcrl",
+		"issue a CRL using a CA certificate and key",
+		{"--cacert file --cakey file --lifetime days",
+		 "[  [--reason key-compromise|ca-compromise|affiliation-changed|",
+		 "             superseded|cessation-of-operation|certificate-hold]",
+		 "   [--date timestamp]",
+		 "    --cert file | --serial hex ]*",
+		 "[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]"},
+		{
+			{"help",	'h', 0, "show usage information"},
+			{"cacert",	'c', 1, "CA certificate file"},
+			{"cakey",	'k', 1, "CA private key file"},
+			{"lifetime",'l', 1, "days the CRL gets a nextUpdate, default: 15"},
+			{"lastcrl",	'a', 1, "CRL of lastUpdate to copy revocations from"},
+			{"cert",	'z', 1, "certificate file to revoke"},
+			{"serial",	's', 1, "hex encoded certificate serial number to revoke"},
+			{"reason",	'r', 1, "reason for certificate revocation"},
+			{"date",	'd', 1, "revocation date as unix timestamp, default: now"},
+			{"digest",	'g', 1, "digest for signature creation, default: sha1"},
+			{"outform",	'f', 1, "encoding of generated crl, default: der"},
+		}
+	});
+}
diff --git a/src/pki/pki.c b/src/pki/pki.c
index 0912d5051..d5dd03fa0 100644
--- a/src/pki/pki.c
+++ b/src/pki/pki.c
@@ -21,26 +21,59 @@
 /**
  * Convert a form string to a encoding type
  */
-bool get_form(char *form, key_encoding_type_t *type, bool pub)
+bool get_form(char *form, cred_encoding_type_t *enc, credential_type_t type)
 {
 	if (streq(form, "der"))
 	{
-		/* der encoded keys usually contain the complete SubjectPublicKeyInfo */
-		*type = pub ? KEY_PUB_SPKI_ASN1_DER : KEY_PRIV_ASN1_DER;
+		switch (type)
+		{
+			case CRED_CERTIFICATE:
+				*enc = CERT_ASN1_DER;
+				return TRUE;
+			case CRED_PRIVATE_KEY:
+				*enc = PRIVKEY_ASN1_DER;
+				return TRUE;
+			case CRED_PUBLIC_KEY:
+				/* der encoded keys usually contain the complete
+				 * SubjectPublicKeyInfo */
+				*enc = PUBKEY_SPKI_ASN1_DER;
+				return TRUE;
+			default:
+				return FALSE;
+		}
 	}
 	else if (streq(form, "pem"))
 	{
-		*type = pub ? KEY_PUB_PEM : KEY_PRIV_PEM;
+		switch (type)
+		{
+			case CRED_CERTIFICATE:
+				*enc = CERT_PEM;
+				return TRUE;
+			case CRED_PRIVATE_KEY:
+				*enc = PRIVKEY_PEM;
+				return TRUE;
+			case CRED_PUBLIC_KEY:
+				*enc = PUBKEY_PEM;
+				return TRUE;
+			default:
+				return FALSE;
+		}
 	}
 	else if (streq(form, "pgp"))
 	{
-		*type = pub ? KEY_PUB_PGP : KEY_PRIV_PGP;
+		switch (type)
+		{
+			case CRED_PRIVATE_KEY:
+				*enc = PRIVKEY_PGP;
+				return TRUE;
+			case CRED_PUBLIC_KEY:
+				*enc = PUBKEY_PGP;
+				return TRUE;
+			default:
+				return FALSE;
+		}
 	}
-	else
-	{
-		return FALSE;
-	}
-	return TRUE;
+	return FALSE;
 }
 
 /**
diff --git a/src/pki/pki.h b/src/pki/pki.h
index 01b103c8f..9c145cdc0 100644
--- a/src/pki/pki.h
+++ b/src/pki/pki.h
@@ -29,7 +29,7 @@
 /**
  * Convert a form string to a encoding type
  */
-bool get_form(char *form, key_encoding_type_t *type, bool pub);
+bool get_form(char *form, cred_encoding_type_t *enc, credential_type_t type);
 
 /**
  * Convert a digest string to a hash algorithm
diff --git a/src/pluto/Makefile.am b/src/pluto/Makefile.am
index a264e642e..9f631ca28 100644
--- a/src/pluto/Makefile.am
+++ b/src/pluto/Makefile.am
@@ -37,6 +37,7 @@ nat_traversal.c nat_traversal.h \
 ocsp.c ocsp.h \
 packet.c packet.h \
 pkcs7.c pkcs7.h \
+pluto.c pluto.h \
 plutomain.c \
 rcv_whack.c rcv_whack.h \
 server.c server.h \
@@ -47,7 +48,8 @@ timer.c timer.h \
 vendor.c vendor.h \
 virtual.c virtual.h \
 whack_attribute.c whack_attribute.h \
-xauth.c xauth.h \
+xauth/xauth_manager.c xauth/xauth_manager.h \
+xauth/xauth_provider.h xauth/xauth_verifier.h \
 x509.c x509.h \
 builder.c builder.h \
 rsaref/pkcs11t.h rsaref/pkcs11.h rsaref/unix.h rsaref/pkcs11f.h
@@ -67,12 +69,12 @@ INCLUDES = \
 -I$(top_srcdir)/src/libhydra \
 -I$(top_srcdir)/src/whack
 
-AM_CFLAGS = \
+AM_CFLAGS = -rdynamic \
 -DIPSEC_DIR=\"${ipsecdir}\" \
 -DIPSEC_CONFDIR=\"${sysconfdir}\" \
 -DIPSEC_PIDDIR=\"${piddir}\" \
 -DSHARED_SECRETS_FILE=\"${sysconfdir}/ipsec.secrets\" \
--DPLUGINS=\""${pluto_plugins}\"" \
+-DPLUGINS=\""${pluto_plugins} ${libhydra_plugins}\"" \
 -DPKCS11_DEFAULT_LIB=\"${default_pkcs11}\" \
 -DKERNEL26_SUPPORT -DKERNEL26_HAS_KAME_DUPLICATES \
 -DPLUTO -DKLIPS -DDEBUG
@@ -87,7 +89,12 @@ _pluto_adns_LDADD = \
 $(LIBFREESWANDIR)/libfreeswan.a \
 -lresolv $(DLLIB)
 
+CLEANFILES = ipsec.secrets.5
 dist_man_MANS = pluto.8 ipsec.secrets.5
+EXTRA_DIST = ipsec.secrets.5.in
+
+# compile options
+#################
 
 # This compile option activates the sending of a strongSwan VID
 if USE_VENDORID
@@ -114,10 +121,25 @@ if USE_SMARTCARD
   AM_CFLAGS += -DSMARTCARD
 endif
 
-if USE_CAPABILITIES
+if USE_LIBCAP
   pluto_LDADD += -lcap
 endif
 
 if USE_THREADS
   AM_CFLAGS += -DTHREADS
 endif
+
+# build optional plugins
+########################
+
+SUBDIRS = .
+
+if USE_XAUTH
+  SUBDIRS += plugins/xauth
+endif
+
+ipsec.secrets.5 : ipsec.secrets.5.in
+	sed \
+	-e "s:@IPSEC_VERSION@:$(PACKAGE_VERSION):" \
+	$(srcdir)/$@.in > $@
+
diff --git a/src/pluto/Makefile.in b/src/pluto/Makefile.in
index 47be9acf7..41fc4927e 100644
--- a/src/pluto/Makefile.in
+++ b/src/pluto/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -40,6 +40,9 @@ build_triplet = @build@
 host_triplet = @host@
 ipsec_PROGRAMS = pluto$(EXEEXT) _pluto_adns$(EXEEXT)
 
+# compile options
+#################
+
 # This compile option activates the sending of a strongSwan VID
 @USE_VENDORID_TRUE@am__append_1 = -DVENDORID
 
@@ -54,8 +57,9 @@ ipsec_PROGRAMS = pluto$(EXEEXT) _pluto_adns$(EXEEXT)
 
 # This compile option activates smartcard support
 @USE_SMARTCARD_TRUE@am__append_5 = -DSMARTCARD
-@USE_CAPABILITIES_TRUE@am__append_6 = -lcap
+@USE_LIBCAP_TRUE@am__append_6 = -lcap
 @USE_THREADS_TRUE@am__append_7 = -DTHREADS
+@USE_XAUTH_TRUE@am__append_8 = plugins/xauth
 subdir = src/pluto
 DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.am \
 	$(srcdir)/Makefile.in
@@ -91,11 +95,11 @@ am_pluto_OBJECTS = ac.$(OBJEXT) alg_info.$(OBJEXT) ca.$(OBJEXT) \
 	kernel_noklips.$(OBJEXT) kernel_pfkey.$(OBJEXT) keys.$(OBJEXT) \
 	lex.$(OBJEXT) log.$(OBJEXT) myid.$(OBJEXT) modecfg.$(OBJEXT) \
 	nat_traversal.$(OBJEXT) ocsp.$(OBJEXT) packet.$(OBJEXT) \
-	pkcs7.$(OBJEXT) plutomain.$(OBJEXT) rcv_whack.$(OBJEXT) \
-	server.$(OBJEXT) smartcard.$(OBJEXT) spdb.$(OBJEXT) \
-	state.$(OBJEXT) timer.$(OBJEXT) vendor.$(OBJEXT) \
-	virtual.$(OBJEXT) whack_attribute.$(OBJEXT) xauth.$(OBJEXT) \
-	x509.$(OBJEXT) builder.$(OBJEXT)
+	pkcs7.$(OBJEXT) pluto.$(OBJEXT) plutomain.$(OBJEXT) \
+	rcv_whack.$(OBJEXT) server.$(OBJEXT) smartcard.$(OBJEXT) \
+	spdb.$(OBJEXT) state.$(OBJEXT) timer.$(OBJEXT) \
+	vendor.$(OBJEXT) virtual.$(OBJEXT) whack_attribute.$(OBJEXT) \
+	xauth_manager.$(OBJEXT) x509.$(OBJEXT) builder.$(OBJEXT)
 pluto_OBJECTS = $(am_pluto_OBJECTS)
 pluto_DEPENDENCIES = $(LIBSTRONGSWANDIR)/libstrongswan.la \
 	$(LIBFREESWANDIR)/libfreeswan.a $(LIBHYDRADIR)/libhydra.la \
@@ -116,6 +120,13 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(_pluto_adns_SOURCES) $(pluto_SOURCES)
 DIST_SOURCES = $(_pluto_adns_SOURCES) $(pluto_SOURCES)
+RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \
+	html-recursive info-recursive install-data-recursive \
+	install-dvi-recursive install-exec-recursive \
+	install-html-recursive install-info-recursive \
+	install-pdf-recursive install-ps-recursive install-recursive \
+	installcheck-recursive installdirs-recursive pdf-recursive \
+	ps-recursive uninstall-recursive
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
 am__vpath_adj = case $$p in \
     $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
@@ -141,9 +152,40 @@ man5dir = $(mandir)/man5
 man8dir = $(mandir)/man8
 NROFF = nroff
 MANS = $(dist_man_MANS)
+RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive	\
+  distclean-recursive maintainer-clean-recursive
+AM_RECURSIVE_TARGETS = $(RECURSIVE_TARGETS:-recursive=) \
+	$(RECURSIVE_CLEAN_TARGETS:-recursive=) tags TAGS ctags CTAGS \
+	distdir
 ETAGS = etags
 CTAGS = ctags
+DIST_SUBDIRS = . plugins/xauth
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+am__relativize = \
+  dir0=`pwd`; \
+  sed_first='s,^\([^/]*\)/.*$$,\1,'; \
+  sed_rest='s,^[^/]*/*,,'; \
+  sed_last='s,^.*/\([^/]*\)$$,\1,'; \
+  sed_butlast='s,/*[^/]*$$,,'; \
+  while test -n "$$dir1"; do \
+    first=`echo "$$dir1" | sed -e "$$sed_first"`; \
+    if test "$$first" != "."; then \
+      if test "$$first" = ".."; then \
+        dir2=`echo "$$dir0" | sed -e "$$sed_last"`/"$$dir2"; \
+        dir0=`echo "$$dir0" | sed -e "$$sed_butlast"`; \
+      else \
+        first2=`echo "$$dir2" | sed -e "$$sed_first"`; \
+        if test "$$first2" = "$$first"; then \
+          dir2=`echo "$$dir2" | sed -e "$$sed_rest"`; \
+        else \
+          dir2="../$$dir2"; \
+        fi; \
+        dir0="$$dir0"/"$$first"; \
+      fi; \
+    fi; \
+    dir1=`echo "$$dir1" | sed -e "$$sed_rest"`; \
+  done; \
+  reldir="$$dir2"
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
@@ -332,6 +374,7 @@ nat_traversal.c nat_traversal.h \
 ocsp.c ocsp.h \
 packet.c packet.h \
 pkcs7.c pkcs7.h \
+pluto.c pluto.h \
 plutomain.c \
 rcv_whack.c rcv_whack.h \
 server.c server.h \
@@ -342,7 +385,8 @@ timer.c timer.h \
 vendor.c vendor.h \
 virtual.c virtual.h \
 whack_attribute.c whack_attribute.h \
-xauth.c xauth.h \
+xauth/xauth_manager.c xauth/xauth_manager.h \
+xauth/xauth_provider.h xauth/xauth_verifier.h \
 x509.c x509.h \
 builder.c builder.h \
 rsaref/pkcs11t.h rsaref/pkcs11.h rsaref/unix.h rsaref/pkcs11f.h
@@ -358,10 +402,10 @@ INCLUDES = \
 -I$(top_srcdir)/src/libhydra \
 -I$(top_srcdir)/src/whack
 
-AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" \
+AM_CFLAGS = -rdynamic -DIPSEC_DIR=\"${ipsecdir}\" \
 	-DIPSEC_CONFDIR=\"${sysconfdir}\" -DIPSEC_PIDDIR=\"${piddir}\" \
 	-DSHARED_SECRETS_FILE=\"${sysconfdir}/ipsec.secrets\" \
-	-DPLUGINS=\""${pluto_plugins}\"" \
+	-DPLUGINS=\""${pluto_plugins} ${libhydra_plugins}\"" \
 	-DPKCS11_DEFAULT_LIB=\"${default_pkcs11}\" -DKERNEL26_SUPPORT \
 	-DKERNEL26_HAS_KAME_DUPLICATES -DPLUTO -DKLIPS -DDEBUG \
 	$(am__append_1) $(am__append_2) $(am__append_3) \
@@ -373,8 +417,14 @@ _pluto_adns_LDADD = \
 $(LIBFREESWANDIR)/libfreeswan.a \
 -lresolv $(DLLIB)
 
+CLEANFILES = ipsec.secrets.5
 dist_man_MANS = pluto.8 ipsec.secrets.5
-all: all-am
+EXTRA_DIST = ipsec.secrets.5.in
+
+# build optional plugins
+########################
+SUBDIRS = . $(am__append_8)
+all: all-recursive
 
 .SUFFIXES:
 .SUFFIXES: .c .lo .o .obj
@@ -497,6 +547,7 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ocsp.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/packet.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs7.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pluto.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/plutomain.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rcv_whack.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/server.Po@am__quote@
@@ -508,7 +559,7 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/virtual.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/whack_attribute.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/x509.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xauth.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xauth_manager.Po@am__quote@
 
 .c.o:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
@@ -531,6 +582,20 @@ distclean-compile:
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
 
+xauth_manager.o: xauth/xauth_manager.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT xauth_manager.o -MD -MP -MF $(DEPDIR)/xauth_manager.Tpo -c -o xauth_manager.o `test -f 'xauth/xauth_manager.c' || echo '$(srcdir)/'`xauth/xauth_manager.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/xauth_manager.Tpo $(DEPDIR)/xauth_manager.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='xauth/xauth_manager.c' object='xauth_manager.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o xauth_manager.o `test -f 'xauth/xauth_manager.c' || echo '$(srcdir)/'`xauth/xauth_manager.c
+
+xauth_manager.obj: xauth/xauth_manager.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT xauth_manager.obj -MD -MP -MF $(DEPDIR)/xauth_manager.Tpo -c -o xauth_manager.obj `if test -f 'xauth/xauth_manager.c'; then $(CYGPATH_W) 'xauth/xauth_manager.c'; else $(CYGPATH_W) '$(srcdir)/xauth/xauth_manager.c'; fi`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/xauth_manager.Tpo $(DEPDIR)/xauth_manager.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='xauth/xauth_manager.c' object='xauth_manager.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o xauth_manager.obj `if test -f 'xauth/xauth_manager.c'; then $(CYGPATH_W) 'xauth/xauth_manager.c'; else $(CYGPATH_W) '$(srcdir)/xauth/xauth_manager.c'; fi`
+
 mostlyclean-libtool:
 	-rm -f *.lo
 
@@ -613,6 +678,76 @@ uninstall-man8:
 	  echo " ( cd '$(DESTDIR)$(man8dir)' && rm -f" $$files ")"; \
 	  cd "$(DESTDIR)$(man8dir)" && rm -f $$files; }
 
+# This directory's subdirectories are mostly independent; you can cd
+# into them and run `make' without going through this Makefile.
+# To change the values of `make' variables: instead of editing Makefiles,
+# (1) if the variable is set in `config.status', edit `config.status'
+#     (which will cause the Makefiles to be regenerated when you run `make');
+# (2) otherwise, pass the desired values on the `make' command line.
+$(RECURSIVE_TARGETS):
+	@fail= failcom='exit 1'; \
+	for f in x $$MAKEFLAGS; do \
+	  case $$f in \
+	    *=* | --[!k]*);; \
+	    *k*) failcom='fail=yes';; \
+	  esac; \
+	done; \
+	dot_seen=no; \
+	target=`echo $@ | sed s/-recursive//`; \
+	list='$(SUBDIRS)'; for subdir in $$list; do \
+	  echo "Making $$target in $$subdir"; \
+	  if test "$$subdir" = "."; then \
+	    dot_seen=yes; \
+	    local_target="$$target-am"; \
+	  else \
+	    local_target="$$target"; \
+	  fi; \
+	  ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
+	  || eval $$failcom; \
+	done; \
+	if test "$$dot_seen" = "no"; then \
+	  $(MAKE) $(AM_MAKEFLAGS) "$$target-am" || exit 1; \
+	fi; test -z "$$fail"
+
+$(RECURSIVE_CLEAN_TARGETS):
+	@fail= failcom='exit 1'; \
+	for f in x $$MAKEFLAGS; do \
+	  case $$f in \
+	    *=* | --[!k]*);; \
+	    *k*) failcom='fail=yes';; \
+	  esac; \
+	done; \
+	dot_seen=no; \
+	case "$@" in \
+	  distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \
+	  *) list='$(SUBDIRS)' ;; \
+	esac; \
+	rev=''; for subdir in $$list; do \
+	  if test "$$subdir" = "."; then :; else \
+	    rev="$$subdir $$rev"; \
+	  fi; \
+	done; \
+	rev="$$rev ."; \
+	target=`echo $@ | sed s/-recursive//`; \
+	for subdir in $$rev; do \
+	  echo "Making $$target in $$subdir"; \
+	  if test "$$subdir" = "."; then \
+	    local_target="$$target-am"; \
+	  else \
+	    local_target="$$target"; \
+	  fi; \
+	  ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
+	  || eval $$failcom; \
+	done && test -z "$$fail"
+tags-recursive:
+	list='$(SUBDIRS)'; for subdir in $$list; do \
+	  test "$$subdir" = . || ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) tags); \
+	done
+ctags-recursive:
+	list='$(SUBDIRS)'; for subdir in $$list; do \
+	  test "$$subdir" = . || ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) ctags); \
+	done
+
 ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
@@ -623,10 +758,23 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	mkid -fID $$unique
 tags: TAGS
 
-TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+TAGS: tags-recursive $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
 	set x; \
 	here=`pwd`; \
+	if ($(ETAGS) --etags-include --version) >/dev/null 2>&1; then \
+	  include_option=--etags-include; \
+	  empty_fix=.; \
+	else \
+	  include_option=--include; \
+	  empty_fix=; \
+	fi; \
+	list='$(SUBDIRS)'; for subdir in $$list; do \
+	  if test "$$subdir" = .; then :; else \
+	    test ! -f $$subdir/TAGS || \
+	      set "$$@" "$$include_option=$$here/$$subdir/TAGS"; \
+	  fi; \
+	done; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
@@ -645,7 +793,7 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  fi; \
 	fi
 ctags: CTAGS
-CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+CTAGS: ctags-recursive $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
@@ -708,22 +856,51 @@ distdir: $(DISTFILES)
 	    || exit 1; \
 	  fi; \
 	done
+	@list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
+	  if test "$$subdir" = .; then :; else \
+	    test -d "$(distdir)/$$subdir" \
+	    || $(MKDIR_P) "$(distdir)/$$subdir" \
+	    || exit 1; \
+	  fi; \
+	done
+	@list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
+	  if test "$$subdir" = .; then :; else \
+	    dir1=$$subdir; dir2="$(distdir)/$$subdir"; \
+	    $(am__relativize); \
+	    new_distdir=$$reldir; \
+	    dir1=$$subdir; dir2="$(top_distdir)"; \
+	    $(am__relativize); \
+	    new_top_distdir=$$reldir; \
+	    echo " (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) top_distdir="$$new_top_distdir" distdir="$$new_distdir" \\"; \
+	    echo "     am__remove_distdir=: am__skip_length_check=: am__skip_mode_fix=: distdir)"; \
+	    ($(am__cd) $$subdir && \
+	      $(MAKE) $(AM_MAKEFLAGS) \
+	        top_distdir="$$new_top_distdir" \
+	        distdir="$$new_distdir" \
+		am__remove_distdir=: \
+		am__skip_length_check=: \
+		am__skip_mode_fix=: \
+	        distdir) \
+	      || exit 1; \
+	  fi; \
+	done
 check-am: all-am
-check: check-am
+check: check-recursive
 all-am: Makefile $(PROGRAMS) $(MANS)
-installdirs:
+installdirs: installdirs-recursive
+installdirs-am:
 	for dir in "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man5dir)" "$(DESTDIR)$(man8dir)"; do \
 	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
 	done
-install: install-am
-install-exec: install-exec-am
-install-data: install-data-am
-uninstall: uninstall-am
+install: install-recursive
+install-exec: install-exec-recursive
+install-data: install-data-recursive
+uninstall: uninstall-recursive
 
 install-am: all-am
 	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
 
-installcheck: installcheck-am
+installcheck: installcheck-recursive
 install-strip:
 	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
 	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
@@ -732,6 +909,7 @@ install-strip:
 mostlyclean-generic:
 
 clean-generic:
+	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
 
 distclean-generic:
 	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
@@ -740,72 +918,72 @@ distclean-generic:
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
 	@echo "it deletes files that may require special tools to rebuild."
-clean: clean-am
+clean: clean-recursive
 
 clean-am: clean-generic clean-ipsecPROGRAMS clean-libtool \
 	mostlyclean-am
 
-distclean: distclean-am
+distclean: distclean-recursive
 	-rm -rf ./$(DEPDIR)
 	-rm -f Makefile
 distclean-am: clean-am distclean-compile distclean-generic \
 	distclean-tags
 
-dvi: dvi-am
+dvi: dvi-recursive
 
 dvi-am:
 
-html: html-am
+html: html-recursive
 
 html-am:
 
-info: info-am
+info: info-recursive
 
 info-am:
 
 install-data-am: install-ipsecPROGRAMS install-man
 
-install-dvi: install-dvi-am
+install-dvi: install-dvi-recursive
 
 install-dvi-am:
 
 install-exec-am:
 
-install-html: install-html-am
+install-html: install-html-recursive
 
 install-html-am:
 
-install-info: install-info-am
+install-info: install-info-recursive
 
 install-info-am:
 
 install-man: install-man5 install-man8
 
-install-pdf: install-pdf-am
+install-pdf: install-pdf-recursive
 
 install-pdf-am:
 
-install-ps: install-ps-am
+install-ps: install-ps-recursive
 
 install-ps-am:
 
 installcheck-am:
 
-maintainer-clean: maintainer-clean-am
+maintainer-clean: maintainer-clean-recursive
 	-rm -rf ./$(DEPDIR)
 	-rm -f Makefile
 maintainer-clean-am: distclean-am maintainer-clean-generic
 
-mostlyclean: mostlyclean-am
+mostlyclean: mostlyclean-recursive
 
 mostlyclean-am: mostlyclean-compile mostlyclean-generic \
 	mostlyclean-libtool
 
-pdf: pdf-am
+pdf: pdf-recursive
 
 pdf-am:
 
-ps: ps-am
+ps: ps-recursive
 
 ps-am:
 
@@ -813,27 +991,35 @@ uninstall-am: uninstall-ipsecPROGRAMS uninstall-man
 
 uninstall-man: uninstall-man5 uninstall-man8
 
-.MAKE: install-am install-strip
-
-.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
-	clean-ipsecPROGRAMS clean-libtool ctags distclean \
-	distclean-compile distclean-generic distclean-libtool \
-	distclean-tags distdir dvi dvi-am html html-am info info-am \
-	install install-am install-data install-data-am install-dvi \
-	install-dvi-am install-exec install-exec-am install-html \
-	install-html-am install-info install-info-am \
-	install-ipsecPROGRAMS install-man install-man5 install-man8 \
-	install-pdf install-pdf-am install-ps install-ps-am \
-	install-strip installcheck installcheck-am installdirs \
-	maintainer-clean maintainer-clean-generic mostlyclean \
-	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
-	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+.MAKE: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) ctags-recursive \
+	install-am install-strip tags-recursive
+
+.PHONY: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) CTAGS GTAGS \
+	all all-am check check-am clean clean-generic \
+	clean-ipsecPROGRAMS clean-libtool ctags ctags-recursive \
+	distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-ipsecPROGRAMS install-man install-man5 \
+	install-man8 install-pdf install-pdf-am install-ps \
+	install-ps-am install-strip installcheck installcheck-am \
+	installdirs installdirs-am maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags tags-recursive uninstall uninstall-am \
 	uninstall-ipsecPROGRAMS uninstall-man uninstall-man5 \
 	uninstall-man8
 
 
 plutomain.o :	$(top_builddir)/config.status
 
+ipsec.secrets.5 : ipsec.secrets.5.in
+	sed \
+	-e "s:@IPSEC_VERSION@:$(PACKAGE_VERSION):" \
+	$(srcdir)/$@.in > $@
+
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/src/pluto/ac.c b/src/pluto/ac.c
index 3ee05d213..3339d91fb 100644
--- a/src/pluto/ac.c
+++ b/src/pluto/ac.c
@@ -141,7 +141,7 @@ static void ac_add_cert(certificate_t *cert)
 		if (hIssuer->equals(hIssuer, ac_old->get_holderIssuer(ac_old)) &&
 			   chunk_equals(hSerial, ac_old->get_holderSerial(ac_old)))
 		{
-			if (cert->is_newer(cert, cert_old))
+			if (certificate_is_newer(cert, cert_old))
 			{
 				acerts->remove_at(acerts, enumerator);
 				cert_old->destroy(cert_old);
diff --git a/src/pluto/certs.c b/src/pluto/certs.c
index 8bce4c5c2..24e8ffb27 100644
--- a/src/pluto/certs.c
+++ b/src/pluto/certs.c
@@ -318,11 +318,11 @@ void list_pgp_end_certs(bool utc)
 						key_type_names, key->get_type(key),
 						key->get_keysize(key) * BITS_PER_BYTE,
 						has_private_key(cert)? ", has private key" : "");
-				if (key->get_fingerprint(key, KEY_ID_PUBKEY_INFO_SHA1, &keyid))
+				if (key->get_fingerprint(key, KEYID_PUBKEY_INFO_SHA1, &keyid))
 				{
 					whack_log(RC_COMMENT, "  keyid:     %#B", &keyid);
 				}
-				if (key->get_fingerprint(key, KEY_ID_PUBKEY_SHA1, &keyid))
+				if (key->get_fingerprint(key, KEYID_PUBKEY_SHA1, &keyid))
 				{
 					whack_log(RC_COMMENT, "  subjkey:   %#B", &keyid);
 				}
diff --git a/src/pluto/connections.c b/src/pluto/connections.c
index dd193042a..e1f47f2d6 100644
--- a/src/pluto/connections.c
+++ b/src/pluto/connections.c
@@ -63,6 +63,7 @@
 #include "nat_traversal.h"
 #include "virtual.h"
 #include "whack_attribute.h"
+#include "modecfg.h"
 
 static void flush_pending_by_connection(connection_t *c);  /* forward */
 
@@ -294,8 +295,10 @@ void release_connection(connection_t *c, bool relations)
 
 void delete_connection(connection_t *c, bool relations)
 {
-	connection_t *old_cur_connection
-		= cur_connection == c? NULL : cur_connection;
+	modecfg_attribute_t *ca;
+	connection_t *old_cur_connection;
+
+	old_cur_connection = cur_connection == c? NULL : cur_connection;
 #ifdef DEBUG
 	lset_t old_cur_debugging = cur_debugging;
 #endif
@@ -366,14 +369,29 @@ void delete_connection(connection_t *c, bool relations)
 
 	/* release virtual IP address lease if any */
 	if (c->spd.that.modecfg && c->spd.that.pool &&
-		!isanyaddr(&c->spd.that.host_srcip))
+		!c->spd.that.host_srcip->is_anyaddr(c->spd.that.host_srcip))
 	{
-		host_t *vip;
-
-		vip = host_create_from_sockaddr((sockaddr_t*)&c->spd.that.host_srcip);
 		hydra->attributes->release_address(hydra->attributes, c->spd.that.pool,
-										   vip, c->spd.that.id);
-		vip->destroy(vip);
+										   c->spd.that.host_srcip, c->spd.that.id);
+	}
+
+	/* release requested attributes if any */
+	if (c->requested)
+	{
+		c->requested->destroy_function(c->requested,
+									  (void*)modecfg_attribute_destroy);
+	}
+
+	/* release other attributes if any */
+	if (c->attributes)
+	{
+		while (c->attributes->remove_last(c->attributes, (void **)&ca) == SUCCESS)
+		{
+			hydra->attributes->release(hydra->attributes, ca->handler,
+									   c->spd.that.id, ca->type, ca->value);
+			modecfg_attribute_destroy(ca);
+		}
+		c->attributes->destroy(c->attributes);
 	}
 
 	if (c->kind != CK_GOING_AWAY)
@@ -386,14 +404,17 @@ void delete_connection(connection_t *c, bool relations)
 	cur_debugging = old_cur_debugging;
 #endif
 	free(c->name);
+	DESTROY_IF(c->xauth_identity);
 	DESTROY_IF(c->spd.this.id);
 	DESTROY_IF(c->spd.this.ca);
 	DESTROY_IF(c->spd.this.groups);
+	DESTROY_IF(c->spd.this.host_srcip);
 	free(c->spd.this.updown);
 	free(c->spd.this.pool);
 	DESTROY_IF(c->spd.that.id);
 	DESTROY_IF(c->spd.that.ca);
 	DESTROY_IF(c->spd.that.groups);
+	DESTROY_IF(c->spd.that.host_srcip);
 	free(c->spd.that.updown);
 	free(c->spd.that.pool);
 	if (c->requested_ca)
@@ -656,7 +677,7 @@ size_t format_end(char *buf, size_t buf_len, const struct end *this,
 			subnettot(&this->client, 0, client, sizeof(client));
 		}
 	}
-	else if (this->modecfg && isanyaddr(&this->host_srcip))
+	else if (this->modecfg && this->host_srcip->is_anyaddr(this->host_srcip))
 	{
 		/* we are mode config client, or a server with a pool */
 		client_sep = "===";
@@ -738,9 +759,14 @@ static size_t format_connection(char *buf, size_t buf_len,
 static void unshare_connection_strings(connection_t *c)
 {
 	c->name = clone_str(c->name);
+	if (c->xauth_identity)
+	{
+		c->xauth_identity = c->xauth_identity->clone(c->xauth_identity);
+	}
 	c->spd.this.id = c->spd.this.id->clone(c->spd.this.id);
 	c->spd.this.pool = clone_str(c->spd.this.pool);
 	c->spd.this.updown = clone_str(c->spd.this.updown);
+	c->spd.this.host_srcip = c->spd.this.host_srcip->clone(c->spd.this.host_srcip);
 	scx_share(c->spd.this.sc);
 	cert_share(c->spd.this.cert);
 	if (c->spd.this.ca)
@@ -754,6 +780,7 @@ static void unshare_connection_strings(connection_t *c)
 	c->spd.that.id = c->spd.that.id->clone(c->spd.that.id);
 	c->spd.that.pool = clone_str(c->spd.that.pool);
 	c->spd.that.updown = clone_str(c->spd.that.updown);
+	c->spd.that.host_srcip = c->spd.that.host_srcip->clone(c->spd.that.host_srcip);
 	scx_share(c->spd.that.sc);
 	cert_share(c->spd.that.cert);
 	if (c->spd.that.ca)
@@ -902,7 +929,7 @@ static bool extract_end(struct end *dst, const whack_end_t *src,
 	/* the rest is simple copying of corresponding fields */
 	dst->host_addr = src->host_addr;
 	dst->host_nexthop = src->host_nexthop;
-	dst->host_srcip = src->host_srcip;
+	dst->host_srcip = host_create_from_sockaddr((sockaddr_t*)&src->host_srcip);
 	dst->has_natip = src->has_natip;
 	dst->client = src->client;
 	dst->protocol = src->protocol;
@@ -927,10 +954,14 @@ static bool extract_end(struct end *dst, const whack_end_t *src,
 	/* if host sourceip is defined but no client is present
 	 * behind the host then set client to sourceip/32
 	 */
-	if (addrbytesptr(&dst->host_srcip, NULL) &&
-		!isanyaddr(&dst->host_srcip) && !dst->has_natip && !dst->has_client)
+	if (!dst->host_srcip->is_anyaddr(dst->host_srcip) &&
+		!dst->has_natip && !dst->has_client)
 	{
-		err_t ugh = addrtosubnet(&dst->host_srcip, &dst->client);
+		ip_address addr;
+		err_t ugh;
+
+		addr = *(ip_address*)dst->host_srcip->get_sockaddr(dst->host_srcip);
+		ugh = addrtosubnet(&addr, &dst->client);
 
 		if (ugh)
 		{
@@ -1110,6 +1141,12 @@ void add_connection(const whack_message_t *wm)
 			}
 		}
 
+		if (wm->xauth_identity)
+		{
+			c->xauth_identity
+					= identification_create_from_string(wm->xauth_identity);
+		}
+
 		c->sa_ike_life_seconds = wm->sa_ike_life_seconds;
 		c->sa_ipsec_life_seconds = wm->sa_ipsec_life_seconds;
 		c->sa_rekey_margin = wm->sa_rekey_margin;
@@ -1211,7 +1248,8 @@ void add_connection(const whack_message_t *wm)
 			c->spd.that.modecfg = TRUE;
 			c->spd.that.has_client = FALSE;
 			/* reset the host_srcip so that it gets assigned in modecfg */
-			anyaddr(AF_INET, &c->spd.that.host_srcip);
+			DESTROY_IF(c->spd.that.host_srcip);
+			c->spd.that.host_srcip = host_create_any(AF_INET);
 		}
 
 		if (c->ikev1)
@@ -3046,7 +3084,8 @@ void ISAKMP_SA_established(connection_t *c, so_serial_t serial)
 	/* the connection is now oriented so that we are able to determine
 	 * whether we are a mode config server with a virtual IP to send.
 	 */
-	if (!isanyaddr(&c->spd.that.host_srcip) && !c->spd.that.has_natip)
+	if (!c->spd.that.host_srcip->is_anyaddr(c->spd.that.host_srcip) &&
+	    !c->spd.that.has_natip)
 	{
 		c->spd.that.modecfg = TRUE;
 	}
@@ -3693,8 +3732,10 @@ static connection_t *fc_try(const connection_t *c, struct host_pair *hp,
 			}
 			else
 			{
+				host_t *vip = c->spd.that.host_srcip;
+
 				if (!peer_net_is_host && !(sr->that.modecfg && c->spd.that.modecfg &&
-						subnetisaddr(peer_net, &c->spd.that.host_srcip)))
+						subnetisaddr(peer_net, (ip_address*)vip->get_sockaddr(vip))))
 				{
 					continue;
 				}
diff --git a/src/pluto/connections.h b/src/pluto/connections.h
index 66aea1541..b67f0b562 100644
--- a/src/pluto/connections.h
+++ b/src/pluto/connections.h
@@ -1,6 +1,6 @@
 /* information about connections between hosts and clients
  * Copyright (C) 1998-2001  D. Hugh Redelmeier
- * Copyright (C) 2009 Andreas Steffen - Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2009-2010  Andreas Steffen - Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -18,6 +18,7 @@
 
 #include <sys/queue.h>
 
+#include <utils/host.h>
 #include <utils/linked_list.h>
 #include <utils/identification.h>
 #include <credentials/ietf_attributes/ietf_attributes.h>
@@ -131,10 +132,8 @@ struct virtual_t;
 
 struct end {
 	identification_t *id;
-	ip_address
-		host_addr,
-		host_nexthop,
-		host_srcip;
+	ip_address host_addr, host_nexthop;
+	host_t *host_srcip;
 	ip_subnet client;
 
 	bool is_left;
@@ -184,6 +183,8 @@ struct connection {
 	unsigned long sa_rekey_fuzz;
 	unsigned long sa_keying_tries;
 
+	identification_t *xauth_identity;     /* XAUTH identity */
+
 	/* RFC 3706 DPD */
 	time_t dpd_delay;
 	time_t dpd_timeout;
@@ -226,6 +227,8 @@ struct connection {
 	connection_t *hp_next;              /* host pair list link */
 	connection_t *ac_next;              /* all connections list link */
 	linked_list_t *requested_ca;        /* collected certificate requests */
+	linked_list_t *requested;           /* requested attributes with handlers */
+	linked_list_t *attributes;          /* configuration attributes with handlers */
 	bool got_certrequest;
 };
 
diff --git a/src/pluto/constants.h b/src/pluto/constants.h
index e9567c07a..790bbefa6 100644
--- a/src/pluto/constants.h
+++ b/src/pluto/constants.h
@@ -543,45 +543,6 @@ extern enum_names attr_msg_type_names;
 
 extern enum_names modecfg_attr_names;
 
-/* XAUTH attribute values */
-#define    XAUTH_TYPE                16520
-#define    XAUTH_USER_NAME           16521
-#define    XAUTH_USER_PASSWORD       16522
-#define    XAUTH_PASSCODE            16523
-#define    XAUTH_MESSAGE             16524
-#define    XAUTH_CHALLENGE           16525
-#define    XAUTH_DOMAIN              16526
-#define    XAUTH_STATUS              16527
-#define    XAUTH_NEXT_PIN            16528
-#define    XAUTH_ANSWER              16529
-
-#define    XAUTH_BASE                XAUTH_TYPE
-
-extern enum_names xauth_attr_names;
-
-/* ISAKMP mode config attributes specific to Microsoft */
-#define INTERNAL_IP4_SERVER         23456
-#define INTERNAL_IP6_SERVER         23457
-
-extern enum_names microsoft_attr_names;
-
-/* ISAKMP mode config attributes specific to the Unity vendor ID */
-#define   UNITY_BANNER              28672
-#define   UNITY_SAVE_PASSWD         28673
-#define   UNITY_DEF_DOMAIN          28674
-#define   UNITY_SPLITDNS_NAME       28675
-#define   UNITY_SPLIT_INCLUDE       28676
-#define   UNITY_NATT_PORT           28677
-#define   UNITY_LOCAL_LAN           28678
-#define   UNITY_PFS                 28679
-#define   UNITY_FW_TYPE             28680
-#define   UNITY_BACKUP_SERVERS      28681
-#define   UNITY_DDNS_HOSTNAME       28682
-
-#define   UNITY_BASE                UNITY_BANNER
-
-extern enum_names unity_attr_names;
-
 /* XAUTH authentication types */
 #define XAUTH_TYPE_GENERIC 0
 #define XAUTH_TYPE_CHAP    1
diff --git a/src/pluto/crl.c b/src/pluto/crl.c
index 84fe77554..c8fb107d5 100644
--- a/src/pluto/crl.c
+++ b/src/pluto/crl.c
@@ -159,7 +159,7 @@ bool insert_crl(x509crl_t *x509crl, char *crl_uri, bool cache_crl)
 	{
 		certificate_t *old_cert_crl = oldcrl->crl;
 
-		if (cert_crl->is_newer(cert_crl, old_cert_crl))
+		if (crl_is_newer((crl_t*)cert_crl, (crl_t*)old_cert_crl))
 		{
 			/* keep any known CRL distribution points */
 			add_distribution_points(x509crl->distributionPoints,
@@ -202,9 +202,11 @@ bool insert_crl(x509crl_t *x509crl, char *crl_uri, bool cache_crl)
 		snprintf(buf, sizeof(buf), "%s/%s.crl", CRL_PATH, hex);
 		free(hex.ptr);
 
-		encoding = cert_crl->get_encoding(cert_crl);
-		chunk_write(encoding, buf, "crl", 022, TRUE);
-		free(encoding.ptr);
+		if (cert_crl->get_encoding(cert_crl, CERT_ASN1_DER, &encoding))
+		{
+			chunk_write(encoding, buf, "crl", 022, TRUE);
+			free(encoding.ptr);
+		}
 	}
 
 	/* is the fetched crl valid? */
@@ -313,7 +315,7 @@ void check_crls(void)
 		certificate_t *cert_crl = x509crl->crl;
 		crl_t *crl = (crl_t*)cert_crl;
 		identification_t *issuer = cert_crl->get_issuer(cert_crl);
-		chunk_t authKeyID = crl->get_authKeyIdentifier(crl);		
+		chunk_t authKeyID = crl->get_authKeyIdentifier(crl);
 
 		cert_crl->get_validity(cert_crl, &now, NULL, &nextUpdate);
 		time_left = nextUpdate - now;
@@ -353,7 +355,7 @@ cert_status_t verify_by_crl(cert_t *cert, time_t *until, time_t *revocationDate,
 	char *point;
 
 	ca = get_ca_info(issuer, authKeyID);
-	
+
 	*revocationDate = UNDEFINED_TIME;
 	*revocationReason = CRL_REASON_UNSPECIFIED;
 
diff --git a/src/pluto/demux.c b/src/pluto/demux.c
index fad1450cd..617353c6c 100644
--- a/src/pluto/demux.c
+++ b/src/pluto/demux.c
@@ -1215,7 +1215,7 @@ read_packet(struct msg_digest *md)
 
 	/* ignore IKEv2 packets - they will be handled by charon */
 	if (pbs_room(&md->packet_pbs) > IKEV2_VERSION_OFFSET
-	&&  md->packet_pbs.start[IKEV2_VERSION_OFFSET] == IKEV2_VERSION)
+	&&  (md->packet_pbs.start[IKEV2_VERSION_OFFSET] & 0xF0) == IKEV2_VERSION)
 	{
 		DBG(DBG_CONTROLMORE,
 			DBG_log("  ignoring IKEv2 packet")
diff --git a/src/pluto/demux.h b/src/pluto/demux.h
index 2161bbd02..6ce53c14f 100644
--- a/src/pluto/demux.h
+++ b/src/pluto/demux.h
@@ -12,9 +12,12 @@
  * for more details.
  */
 
+#ifndef _DEMUX_H
+#define _DEMUX_H
+
 #include "packet.h"
+#include "state.h"
 
-struct state;   /* forward declaration of tag */
 extern void init_demux(void);
 extern bool send_packet(struct state *st, const char *where);
 extern void comm_handle(const struct iface *ifp);
@@ -90,3 +93,5 @@ typedef stf_status state_transition_fn(struct msg_digest *md);
 extern void complete_state_transition(struct msg_digest **mdp, stf_status result);
 
 extern void free_md_pool(void);
+
+#endif /* _DEMUX_H */
diff --git a/src/pluto/dnskey.c b/src/pluto/dnskey.c
index ec56b8530..4f8e4ebf4 100644
--- a/src/pluto/dnskey.c
+++ b/src/pluto/dnskey.c
@@ -424,7 +424,7 @@ static err_t process_txt_rr_body(u_char *str, bool doit,
 				public_key_t *key = gi.key->public_key;
 
 				if (gi.gw_key_present &&
-					key->get_fingerprint(key, KEY_ID_PUBKEY_SHA1, &keyid))
+					key->get_fingerprint(key, KEYID_PUBKEY_SHA1, &keyid))
 				{
 					DBG_log("gateway for %s is %s with key %#B",
 							client_id, gi.gw_id, &keyid);
diff --git a/src/pluto/ipsec.secrets.5 b/src/pluto/ipsec.secrets.5
index 3cce4d3f8..6c39f86e1 100644
--- a/src/pluto/ipsec.secrets.5
+++ b/src/pluto/ipsec.secrets.5
@@ -1,148 +1,116 @@
-.TH IPSEC.SECRETS 5 "28 March 1999"
+.TH IPSEC.SECRETS 5 "2010-05-30" "4.4.1rc3" "strongSwan"
 .SH NAME
 ipsec.secrets \- secrets for IKE/IPsec authentication
 .SH DESCRIPTION
 The file \fIipsec.secrets\fP holds a table of secrets.
-These secrets are used by \fIipsec_pluto\fP(8), the FreeS/WAN Internet Key
-Exchange daemon, to authenticate other hosts.
-Currently there are two kinds of secrets: preshared secrets and
-.\" the private part of DSS keys.
-RSA private keys.
+These secrets are used by the strongSwan Internet Key Exchange (IKE) daemons
+pluto (IKEv1) and charon (IKEv2) to authenticate other hosts.
 .LP
 It is vital that these secrets be protected.  The file should be owned
 by the super-user,
 and its permissions should be set to block all access by others.
 .LP
 The file is a sequence of entries and include directives.
-Here is an example.  Each entry or directive must start at the
-left margin, but if it continues beyond a single line, each continuation
-line must be indented.
+Here is an example.
 .LP
 .RS
 .nf
-# sample /etc/ipsec.secrets file for 10.1.0.1
-10.1.0.1 10.2.0.1: PSK "secret shared by two hosts"
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+192.168.0.1 %any : PSK "v+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL"
 
-# an entry may be split across lines,
-# but indentation matters
-www.xs4all.nl @www.kremvax.ru
-\ \ \ \ 10.6.0.1 10.7.0.1 1.8.0.1: PSK "secret shared by 5"
+: RSA moonKey.pem
 
-.\" # Private part of our DSS key, in base 64,
-.\" # as generated by BIND 8.2.1's dnskeygen.
-.\" # Since this is the default key for this host,
-.\" # there is no need to specify indices.
-.\" : DSS 0siMs0N/hfRoCBMXA6plPtuv58/+c=
-# an RSA private key.
-# note that the lines are too wide for a
-# man page, so ... has been substituted for
-# the truncated part
-@my.com: rsa {
-\ \ \ \ Modulus:\ 0syXpo/6waam+ZhSs8Lt6jnBzu3C4grtt...
-\ \ \ \ PublicExponent:\ 0sAw==
-\ \ \ \ PrivateExponent:\ 0shlGbVR1m8Z+7rhzSyenCaBN...
-\ \ \ \ Prime1:\ 0s8njV7WTxzVzRz7AP+0OraDxmEAt1BL5l...
-\ \ \ \ Prime2:\ 0s1LgR7/oUMo9BvfU8yRFNos1s211KX5K0...
-\ \ \ \ Exponent1:\ 0soaXj85ihM5M2inVf/NfHmtLutVz4r...
-\ \ \ \ Exponent2:\ 0sjdAL9VFizF+BKU4ohguJFzOd55OG6...
-\ \ \ \ Coefficient:\ 0sK1LWwgnNrNFGZsS/2GuMBg9nYVZ...
-\ \ \ \ }
+alice@strongswan.org : EAP "x3.dEhgN"
 
-include ipsec.*.secrets	# get secrets from other files
+: XAUTH carol "4iChxLT3"
+
+: XAUTH dave "ryftzG4A"
+
+# get secrets from other files
+include ipsec.*.secrets
 .fi
 .RE
 .LP
-Each entry in the file is a list of indices, followed by a secret.
-The two parts are separated by a colon (\fB:\fP) that is
-followed by whitespace or a newline.  For compatability
-with the previous form of this file, if the key part is just a
-double-quoted string the colon may be left out.
+Each entry in the file is a list of optional ID selectors, followed by a secret.
+The two parts are separated by a colon (\fB:\fP) that is surrounded
+by whitespace. If no ID selectors are specified the line must start with a
+colon.
 .LP
-An index is an IP address, or a Fully Qualified Domain Name, user@FQDN,
+A selector is an IP address, a Fully Qualified Domain Name, user@FQDN,
 \fB%any\fP or \fB%any6\fP (other kinds may come).  An IP address may be written
 in the familiar dotted quad form or as a domain name to be looked up
-when the file is loaded
-(or in any of the forms supported by the FreeS/WAN \fIipsec_ttoaddr\fP(3)
-routine).  In many cases it is a bad idea to use domain names because
+when the file is loaded.
+In many cases it is a bad idea to use domain names because
 the name server may not be running or may be insecure.  To denote a
 Fully Qualified Domain Name (as opposed to an IP address denoted by
 its domain name), precede the name with an at sign (\fB@\fP).
 .LP
-Matching IDs with indices is fairly straightforward: they have to be
+Matching IDs with selectors is fairly straightforward: they have to be
 equal.  In the case of a ``Road Warrior'' connection, if an equal
 match is not found for the Peer's ID, and it is in the form of an IP
-address, an index of \fB%any\fP will match the peer's IP address if IPV4
+address, a selector of \fB%any\fP will match the peer's IP address if IPV4
 and \fB%any6\fP will match a the peer's IP address if IPV6.
 Currently, the obsolete notation \fB0.0.0.0\fP may be used in place of
 \fB%any\fP.
 .LP
-An additional complexity
+In IKEv1 an additional complexity
 arises in the case of authentication by preshared secret: the
 responder will need to look up the secret before the Peer's ID payload has
 been decoded, so the ID used will be the IP address.
 .LP
 To authenticate a connection between two hosts, the entry that most
 specifically matches the host and peer IDs is used.  An entry with no
-index will match any host and peer.  More specifically, an entry with one index will
-match a host and peer if the index matches the host's ID (the peer isn't
-considered).  Still more specifically, an entry with multiple indices will match a host and
-peer if the host ID and peer ID each match one of the indices.  If the key
-is for an asymmetric authentication technique (i.e. a public key
-system such as RSA), an entry with multiple indices will match a host
-and peer even if only the host ID matches an index (it is presumed that the
-multiple indices are all identities of the host).
+selectors will match any host and peer.  More specifically, an entry with one
+selector will match a host and peer if the selector matches the host's ID (the
+peer isn't considered).  Still more specifically, an entry with multiple
+selectors will match a host and peer if the host ID and peer ID each match one
+of the selectors.  If the key is for an asymmetric authentication technique
+(i.e. a public key system such as RSA), an entry with multiple selectors will
+match a host and peer even if only the host ID matches a selector (it is
+presumed that the selectors are all identities of the host).
 It is acceptable for two entries to be the best match as
 long as they agree about the secret or private key.
 .LP
 Authentication by preshared secret requires that both systems find the
 identical secret (the secret is not actually transmitted by the IKE
-protocol).  If both the host and peer appear in the index list, the
+protocol).  If both the host and peer appear in the selector list, the
 same entry will be suitable for both systems so verbatim copying
 between systems can be used.  This naturally extends to larger groups
-sharing the same secret.  Thus multiple-index entries are best for PSK
+sharing the same secret.  Thus multiple-selector entries are best for PSK
 authentication.
 .LP
-Authentication by RSA Signatures requires that each host have its own private
-key.  A host could reasonably use a different private keys
+Authentication by public key systems such as RSA requires that each host
+have its own private key.  A host could reasonably use a different private keys
 for different interfaces and for different peers.  But it would not
-be normal to share entries between systems.  Thus thus no-index and
-one-index forms of entry often make sense for RSA Signature authentication.
-.LP
-The key part of an entry may start with a token indicating the kind of
-key.  ``RSA'' signifies RSA private key and ``PSK'' signifies
-PreShared Key (case is ignored).  For compatability with previous
-forms of this file, PSK is the default.
-.LP
-A preshared secret is most conveniently represented as a sequence of
-characters, delimited by the double-quote
-character (\fB"\fP).  The sequence cannot contain a newline or
-double-quote.  Strictly speaking, the secret is actually the sequence
-of bytes that is used in the file to represent the sequence of
-characters (excluding the delimiters).
-A preshared secret may also be represented, without quotes, in any form supported by
-\fIipsec_ttodata\fP(3).
-.LP
-An RSA private key is a composite of eight generally large numbers.  The notation
-used is a brace-enclosed list of field name and value pairs (see the example above).
-A suitable key, in a suitable format, may be generated by \fIipsec_rsasigkey\fP(8).
-The structure is very similar to that used by BIND 8.2.2 or later, but note that
-the numbers must have a ``0s'' prefix if they are in base 64.  The order of
-the fields is fixed.
-.LP
-The first token an entry must start in
-the first column of its line.  Subsequent tokens must be
-separated by whitespace,
-except for a colon token, which only needs to be followed by whitespace.
-A newline is taken as whitespace, but every
-line of an entry after the first must be indented.
-.LP
-Whitespace at the end of a line is ignored (except in the 0t
-notation for a key).  At the start of line or
+be normal to share entries between systems.  Thus thus no-selector and
+one-selector forms of entry often make sense for public key authentication.
+.LP
+The key part of an entry must start with a token indicating the kind of
+key.  The following types of secrets are currently supported:
+.TP
+.B PSK
+defines a pre-shared key
+.TP
+.B RSA
+defines an RSA private key
+.TP
+.B ECDSA
+defines an ECDSA private key
+.TP
+.B EAP
+defines EAP credentials
+.TP
+.B XAUTH
+defines XAUTH credentials
+.TP
+.B PIN
+defines a smartcard PIN
+.LP
+Details on each type of secret are given below.
+.LP
+Whitespace at the end of a line is ignored. At the start of a line or
 after whitespace, \fB#\fP and the following text up to the end of the
-line is treated as a comment.  Within entries, all lines must be
-indented (except for lines with no tokens).
-Outside entries, no line may be indented (this is to make sure that
-the file layout reflects its structure).
+line is treated as a comment.
 .LP
 An include directive causes the contents of the named file to be processed
 before continuing with the current file.  The filename is subject to
@@ -153,23 +121,55 @@ directory containing the current file is prepended to the name.  The
 include directive is a line that starts with the word \fBinclude\fP,
 followed by whitespace, followed by the filename (which must not contain
 whitespace).
+.SS TYPES OF SECRETS
+.TP
+.B [ <selectors> ] : PSK <secret>
+A preshared secret is most conveniently represented as a sequence of
+characters, delimited by double-quote characters (\fB"\fP).
+The sequence cannot contain a newline or double-quote.
+Strictly speaking, the secret is actually the sequence
+of bytes that is used in the file to represent the sequence of
+characters (excluding the delimiters).
+.TP
+.B [ <selectors> ] : RSA <private key file> [ <passphrase> | %prompt ]
+.TQ
+.B [ <selectors> ] : ECDSA <private key file> [ <passphrase> | %prompt ]
+For the private key file both absolute paths or paths relative to
+\fI/etc/ipsec.d/private\fP are accepted. If the private key file is
+encrypted, the \fIpassphrase\fP must be defined. Instead of a passphrase
+.B %prompt
+can be used which then causes the daemons to ask the user for the password
+whenever it is required to decrypt the key.
+.TP
+.B <user id> : EAP <secret>
+As with \fBPSK\fP secrets the \fIsecret\fP is a sequence of characters,
+delimited by double-quote characters (\fB"\fP).
+.br
+\fBEAP\fP secrets are IKEv2 only.
+.TP
+.B : XAUTH <username> <password>
+\fBXAUTH\fP secrets are IKEv1 only.
+.TP
+.B : PIN <smartcard selector> <pin code> | %prompt
+The format
+.B "%smartcard[<slot nr>[:<key id>]]"
+is used to specify the smartcard selector (e.g. %smartcard1:50). For IKEv1,
+instead of specifying the pin code statically,
+.B %prompt
+can be specified, which causes the pluto daemon to ask the user for the pin
+code.
+.LP
+
 .SH FILES
 /etc/ipsec.secrets
 .SH SEE ALSO
-The rest of the FreeS/WAN distribution, in particular
 \fIipsec.conf\fP(5),
-\fIipsec\fP(8),
-\fIipsec_newhostkey\fP(8),
-\fIipsec_rsasigkey\fP(8),
-\fIipsec_showhostkey\fP(8),
-\fIipsec_auto\fP(8) \fB\-\-rereadsecrets\fP,
-and \fIipsec_pluto\fP(8) \fB\-\-listen\fP,.
+\fIipsec\fP(8)
 .br
-BIND 8.2.2 or later, ftp://ftp.isc.org/isc/bind/src/
 .SH HISTORY
-Designed for the FreeS/WAN project
-<http://www.freeswan.org>
-by D. Hugh Redelmeier.
+Originally written for the FreeS/WAN project by D. Hugh Redelmeier.
+Updated and extended for the strongSwan project <http://www.strongswan.org> by
+Tobias Brunner and Andreas Steffen.
 .SH BUGS
 If an ID is \fB0.0.0.0\fP, it will match \fB%any\fP;
 if it is \fB0::0\fP, it will match \fB%any6\fP.
diff --git a/src/pluto/ipsec.secrets.5.in b/src/pluto/ipsec.secrets.5.in
new file mode 100644
index 000000000..adb915e4d
--- /dev/null
+++ b/src/pluto/ipsec.secrets.5.in
@@ -0,0 +1,175 @@
+.TH IPSEC.SECRETS 5 "2010-05-30" "@IPSEC_VERSION@" "strongSwan"
+.SH NAME
+ipsec.secrets \- secrets for IKE/IPsec authentication
+.SH DESCRIPTION
+The file \fIipsec.secrets\fP holds a table of secrets.
+These secrets are used by the strongSwan Internet Key Exchange (IKE) daemons
+pluto (IKEv1) and charon (IKEv2) to authenticate other hosts.
+.LP
+It is vital that these secrets be protected.  The file should be owned
+by the super-user,
+and its permissions should be set to block all access by others.
+.LP
+The file is a sequence of entries and include directives.
+Here is an example.
+.LP
+.RS
+.nf
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+192.168.0.1 %any : PSK "v+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL"
+
+: RSA moonKey.pem
+
+alice@strongswan.org : EAP "x3.dEhgN"
+
+: XAUTH carol "4iChxLT3"
+
+: XAUTH dave "ryftzG4A"
+
+# get secrets from other files
+include ipsec.*.secrets
+.fi
+.RE
+.LP
+Each entry in the file is a list of optional ID selectors, followed by a secret.
+The two parts are separated by a colon (\fB:\fP) that is surrounded
+by whitespace. If no ID selectors are specified the line must start with a
+colon.
+.LP
+A selector is an IP address, a Fully Qualified Domain Name, user@FQDN,
+\fB%any\fP or \fB%any6\fP (other kinds may come).  An IP address may be written
+in the familiar dotted quad form or as a domain name to be looked up
+when the file is loaded.
+In many cases it is a bad idea to use domain names because
+the name server may not be running or may be insecure.  To denote a
+Fully Qualified Domain Name (as opposed to an IP address denoted by
+its domain name), precede the name with an at sign (\fB@\fP).
+.LP
+Matching IDs with selectors is fairly straightforward: they have to be
+equal.  In the case of a ``Road Warrior'' connection, if an equal
+match is not found for the Peer's ID, and it is in the form of an IP
+address, a selector of \fB%any\fP will match the peer's IP address if IPV4
+and \fB%any6\fP will match a the peer's IP address if IPV6.
+Currently, the obsolete notation \fB0.0.0.0\fP may be used in place of
+\fB%any\fP.
+.LP
+In IKEv1 an additional complexity
+arises in the case of authentication by preshared secret: the
+responder will need to look up the secret before the Peer's ID payload has
+been decoded, so the ID used will be the IP address.
+.LP
+To authenticate a connection between two hosts, the entry that most
+specifically matches the host and peer IDs is used.  An entry with no
+selectors will match any host and peer.  More specifically, an entry with one
+selector will match a host and peer if the selector matches the host's ID (the
+peer isn't considered).  Still more specifically, an entry with multiple
+selectors will match a host and peer if the host ID and peer ID each match one
+of the selectors.  If the key is for an asymmetric authentication technique
+(i.e. a public key system such as RSA), an entry with multiple selectors will
+match a host and peer even if only the host ID matches a selector (it is
+presumed that the selectors are all identities of the host).
+It is acceptable for two entries to be the best match as
+long as they agree about the secret or private key.
+.LP
+Authentication by preshared secret requires that both systems find the
+identical secret (the secret is not actually transmitted by the IKE
+protocol).  If both the host and peer appear in the selector list, the
+same entry will be suitable for both systems so verbatim copying
+between systems can be used.  This naturally extends to larger groups
+sharing the same secret.  Thus multiple-selector entries are best for PSK
+authentication.
+.LP
+Authentication by public key systems such as RSA requires that each host
+have its own private key.  A host could reasonably use a different private keys
+for different interfaces and for different peers.  But it would not
+be normal to share entries between systems.  Thus thus no-selector and
+one-selector forms of entry often make sense for public key authentication.
+.LP
+The key part of an entry must start with a token indicating the kind of
+key.  The following types of secrets are currently supported:
+.TP
+.B PSK
+defines a pre-shared key
+.TP
+.B RSA
+defines an RSA private key
+.TP
+.B ECDSA
+defines an ECDSA private key
+.TP
+.B EAP
+defines EAP credentials
+.TP
+.B XAUTH
+defines XAUTH credentials
+.TP
+.B PIN
+defines a smartcard PIN
+.LP
+Details on each type of secret are given below.
+.LP
+Whitespace at the end of a line is ignored. At the start of a line or
+after whitespace, \fB#\fP and the following text up to the end of the
+line is treated as a comment.
+.LP
+An include directive causes the contents of the named file to be processed
+before continuing with the current file.  The filename is subject to
+``globbing'' as in \fIsh\fP(1), so every file with a matching name
+is processed.  Includes may be nested to a modest
+depth (10, currently).  If the filename doesn't start with a \fB/\fP, the
+directory containing the current file is prepended to the name.  The
+include directive is a line that starts with the word \fBinclude\fP,
+followed by whitespace, followed by the filename (which must not contain
+whitespace).
+.SS TYPES OF SECRETS
+.TP
+.B [ <selectors> ] : PSK <secret>
+A preshared secret is most conveniently represented as a sequence of
+characters, delimited by double-quote characters (\fB"\fP).
+The sequence cannot contain a newline or double-quote.
+Strictly speaking, the secret is actually the sequence
+of bytes that is used in the file to represent the sequence of
+characters (excluding the delimiters).
+.TP
+.B [ <selectors> ] : RSA <private key file> [ <passphrase> | %prompt ]
+.TQ
+.B [ <selectors> ] : ECDSA <private key file> [ <passphrase> | %prompt ]
+For the private key file both absolute paths or paths relative to
+\fI/etc/ipsec.d/private\fP are accepted. If the private key file is
+encrypted, the \fIpassphrase\fP must be defined. Instead of a passphrase
+.B %prompt
+can be used which then causes the daemons to ask the user for the password
+whenever it is required to decrypt the key.
+.TP
+.B <user id> : EAP <secret>
+As with \fBPSK\fP secrets the \fIsecret\fP is a sequence of characters,
+delimited by double-quote characters (\fB"\fP).
+.br
+\fBEAP\fP secrets are IKEv2 only.
+.TP
+.B : XAUTH <username> <password>
+\fBXAUTH\fP secrets are IKEv1 only.
+.TP
+.B : PIN <smartcard selector> <pin code> | %prompt
+The format
+.B "%smartcard[<slot nr>[:<key id>]]"
+is used to specify the smartcard selector (e.g. %smartcard1:50). For IKEv1,
+instead of specifying the pin code statically,
+.B %prompt
+can be specified, which causes the pluto daemon to ask the user for the pin
+code.
+.LP
+
+.SH FILES
+/etc/ipsec.secrets
+.SH SEE ALSO
+\fIipsec.conf\fP(5),
+\fIipsec\fP(8)
+.br
+.SH HISTORY
+Originally written for the FreeS/WAN project by D. Hugh Redelmeier.
+Updated and extended for the strongSwan project <http://www.strongswan.org> by
+Tobias Brunner and Andreas Steffen.
+.SH BUGS
+If an ID is \fB0.0.0.0\fP, it will match \fB%any\fP;
+if it is \fB0::0\fP, it will match \fB%any6\fP.
diff --git a/src/pluto/ipsec_doi.c b/src/pluto/ipsec_doi.c
index 34c42e294..4a6a7c872 100644
--- a/src/pluto/ipsec_doi.c
+++ b/src/pluto/ipsec_doi.c
@@ -260,7 +260,7 @@ static linked_list_t* collect_rw_ca_candidates(struct msg_digest *md)
 				{
 					new_entry = FALSE;
 					break;
-				}					
+				}
 			}
 			enumerator->destroy(enumerator);
 
@@ -702,7 +702,7 @@ void accept_delete(struct state *st, struct msg_digest *md,
 				   struct payload_digest *p)
 {
 	struct isakmp_delete *d = &(p->payload.delete);
-	identification_t *this_id, *that_id;
+	identification_t *this_id = NULL, *that_id = NULL;
 	ip_address peer_addr;
 	size_t sizespi;
 	int i;
@@ -1568,7 +1568,7 @@ static bool take_a_crack(struct tac_state *s, pubkey_t *kr)
 
 	s->tried_cnt++;
 	scheme = oakley_to_signature_scheme(s->st->st_oakley.auth);
-	pub_key->get_fingerprint(pub_key, KEY_ID_PUBKEY_INFO_SHA1, &keyid);
+	pub_key->get_fingerprint(pub_key, KEYID_PUBKEY_INFO_SHA1, &keyid);
 
 	if (pub_key->verify(pub_key, scheme, s->hash, s->sig))
 	{
@@ -1944,27 +1944,34 @@ stf_status quick_outI1(int whack_sock, struct state *isakmp_sa,
 	bool has_client = c->spd.this.has_client || c->spd.that.has_client ||
 					  c->spd.this.protocol || c->spd.that.protocol ||
 					  c->spd.this.port || c->spd.that.port;
-
 	bool send_natoa = FALSE;
 	u_int8_t np = ISAKMP_NEXT_NONE;
+	connection_t *ph1_c = isakmp_sa->st_connection;
 
 	if (c->spd.this.modecfg && !c->spd.this.has_client &&
-		isanyaddr(&c->spd.this.host_srcip))
+		c->spd.this.host_srcip->is_anyaddr(c->spd.this.host_srcip))
 	{
-		connection_t *ph1_c = isakmp_sa->st_connection;
+		host_t * ph1_srcip = ph1_c->spd.this.host_srcip;
 
-		if (ph1_c->spd.this.modecfg && !isanyaddr(&ph1_c->spd.this.host_srcip))
+		if (ph1_c->spd.this.modecfg && !ph1_srcip->is_anyaddr(ph1_srcip))
 		{
-			char srcip[ADDRTOT_BUF];
-
-			c->spd.this.host_srcip = ph1_c->spd.this.host_srcip;
+			c->spd.this.host_srcip->destroy(c->spd.this.host_srcip);
+			c->spd.this.host_srcip = ph1_srcip->clone(ph1_srcip);
 			c->spd.this.client = ph1_c->spd.this.client;
 			c->spd.this.has_client = TRUE;
-			addrtot(&c->spd.this.host_srcip, 0, srcip, sizeof(srcip));
-			plog("inheriting virtual IP source address %s from ModeCfg", srcip);
+			plog("inheriting virtual IP source address %H from ModeCfg", ph1_srcip);
 		}
 	}
 
+	if (ph1_c->policy & (POLICY_XAUTH_RSASIG | POLICY_XAUTH_PSK) &&
+		ph1_c->xauth_identity && !c->xauth_identity)
+	{
+		DBG(DBG_CONTROL,
+			DBG_log("inheriting XAUTH identity %Y", ph1_c->xauth_identity)
+		)
+		c->xauth_identity = ph1_c->xauth_identity->clone(ph1_c->xauth_identity);
+	}
+
 	st->st_whack_sock = whack_sock;
 	st->st_connection = c;
 	set_cur_state(st);  /* we must reset before exit */
@@ -3535,7 +3542,7 @@ stf_status main_inR2_outI3(struct msg_digest *md)
 	struct state *const st = md->st;
 	pb_stream *const keyex_pbs = &md->chain[ISAKMP_NEXT_KE]->pbs;
 	pb_stream id_pbs;   /* ID Payload; also used for hash calculation */
-	
+
 	connection_t *c = st->st_connection;
 	certpolicy_t cert_policy = c->spd.this.sendcert;
 	cert_t *mycert = c->spd.this.cert;
@@ -3638,7 +3645,7 @@ stf_status main_inR2_outI3(struct msg_digest *md)
 	}
 	if (send_cert)
 	{
-		bool success;
+		bool success = FALSE;
 		chunk_t cert_encoding;
 		pb_stream cert_pbs;
 
@@ -3650,9 +3657,12 @@ stf_status main_inR2_outI3(struct msg_digest *md)
 		{
 			return STF_INTERNAL_ERROR;
 		}
-		cert_encoding = mycert->cert->get_encoding(mycert->cert);
-		success = out_chunk(cert_encoding, &cert_pbs, "CERT");
-		free(cert_encoding.ptr);
+		if (mycert->cert->get_encoding(mycert->cert, CERT_ASN1_DER,
+									   &cert_encoding))
+		{
+			success = out_chunk(cert_encoding, &cert_pbs, "CERT");
+			free(cert_encoding.ptr);
+		}
 		if (!success)
 		{
 			return STF_INTERNAL_ERROR;
@@ -4079,7 +4089,7 @@ main_inI3_outR3_tail(struct msg_digest *md
 	}
 	if (send_cert)
 	{
-		bool success;
+		bool success = FALSE;
 		chunk_t cert_encoding;
 		pb_stream cert_pbs;
 		struct isakmp_cert cert_hd;
@@ -4091,9 +4101,12 @@ main_inI3_outR3_tail(struct msg_digest *md
 		{
 			return STF_INTERNAL_ERROR;
 		}
-		cert_encoding = mycert->cert->get_encoding(mycert->cert);
-		success = out_chunk(cert_encoding, &cert_pbs, "CERT");
-		free(cert_encoding.ptr);
+		if (mycert->cert->get_encoding(mycert->cert, CERT_ASN1_DER,
+									   &cert_encoding))
+		{
+			success = out_chunk(cert_encoding, &cert_pbs, "CERT");
+			free(cert_encoding.ptr);
+		}
 		if (!success)
 		{
 			return STF_INTERNAL_ERROR;
@@ -4888,23 +4901,32 @@ static stf_status quick_inI1_outR1_tail(struct verify_oppo_bundle *b,
 					/* Plain Road Warrior:
 					 * instantiate, carrying over authenticated peer ID
 					 */
+					host_t *vip = c->spd.that.host_srcip;
+
 					p = rw_instantiate(p, &c->spd.that.host_addr, md->sender_port
 								, his_net, c->spd.that.id);
 
-					/* inherit any virtual IP assigned by a Mode Config exchange */ 
+					/* inherit any virtual IP assigned by a Mode Config exchange */
 					if (p->spd.that.modecfg && c->spd.that.modecfg &&
-						subnetisaddr(his_net, &c->spd.that.host_srcip))
+						subnetisaddr(his_net, (ip_address*)vip->get_sockaddr(vip)))
 					{
-						char srcip[ADDRTOT_BUF];
-
 						DBG(DBG_CONTROL,
-							addrtot(&c->spd.that.host_srcip, 0, srcip, sizeof(srcip));
-							DBG_log("inheriting virtual IP source address %s from ModeCfg", srcip)
+							DBG_log("inheriting virtual IP source address %H from ModeCfg", vip)
 						)
-						p->spd.that.host_srcip = c->spd.that.host_srcip;
+						p->spd.that.host_srcip->destroy(p->spd.that.host_srcip);
+						p->spd.that.host_srcip = vip->clone(vip);
 						p->spd.that.client = c->spd.that.client;
 						p->spd.that.has_client = TRUE;
 					}
+
+					if (c->policy & (POLICY_XAUTH_RSASIG | POLICY_XAUTH_PSK) &&
+						c->xauth_identity && !p->xauth_identity)
+					{
+						DBG(DBG_CONTROL,
+							DBG_log("inheriting XAUTH identity %Y", c->xauth_identity)
+						)
+						p->xauth_identity = c->xauth_identity->clone(c->xauth_identity);
+					}
 				}
 			}
 #ifdef DEBUG
diff --git a/src/pluto/kernel.c b/src/pluto/kernel.c
index ee22fb55e..dd7ed8893 100644
--- a/src/pluto/kernel.c
+++ b/src/pluto/kernel.c
@@ -464,9 +464,11 @@ static bool do_command(connection_t *c, struct spd_route *sr,
 			peerclientnet_str[ADDRTOT_BUF],
 			peerclientmask_str[ADDRTOT_BUF],
 			peerca_str[BUF_LEN],
+			xauth_id_str[BUF_LEN] = "",
 			secure_myid_str[BUF_LEN] = "",
 			secure_peerid_str[BUF_LEN] = "",
-			secure_peerca_str[BUF_LEN] = "";
+			secure_peerca_str[BUF_LEN] = "",
+			secure_xauth_id_str[BUF_LEN] = "";
 		ip_address ta;
 		pubkey_list_t *p;
 
@@ -483,16 +485,14 @@ static bool do_command(connection_t *c, struct spd_route *sr,
 			strncat(nexthop_str, "' ", sizeof(nexthop_str));
 		}
 
-		if (addrbytesptr(&sr->this.host_srcip, NULL)
-		&& !isanyaddr(&sr->this.host_srcip))
+		if (!sr->this.host_srcip->is_anyaddr(sr->this.host_srcip))
 		{
 			char *n;
 
 			strcpy(srcip_str, "PLUTO_MY_SOURCEIP='");
 			n = srcip_str + strlen(srcip_str);
-
-			addrtot(&sr->this.host_srcip, 0
-					,n , sizeof(srcip_str)-strlen(srcip_str));
+			snprintf(n, sizeof(srcip_str)-strlen(srcip_str), "%H", 
+						sr->this.host_srcip);
 			strncat(srcip_str, "' ", sizeof(srcip_str));
 		}
 
@@ -505,6 +505,16 @@ static bool do_command(connection_t *c, struct spd_route *sr,
 		maskof(&sr->this.client, &ta);
 		addrtot(&ta, 0, myclientmask_str, sizeof(myclientmask_str));
 
+		if (c->xauth_identity &&
+			c->xauth_identity->get_type(c->xauth_identity) != ID_ANY)
+		{
+			snprintf(xauth_id_str, sizeof(xauth_id_str), "%Y", c->xauth_identity);
+			escape_metachar(xauth_id_str, secure_xauth_id_str,
+					 sizeof(secure_xauth_id_str));
+			snprintf(xauth_id_str, sizeof(xauth_id_str), "PLUTO_XAUTH_ID='%s' ",
+					 secure_xauth_id_str);
+		}
+
 		addrtot(&sr->that.host_addr, 0, peer_str, sizeof(peer_str));
 		snprintf(peerid_str, sizeof(peerid_str), "%Y", sr->that.id);
 		escape_metachar(peerid_str, secure_peerid_str, sizeof(secure_peerid_str));
@@ -562,6 +572,7 @@ static bool do_command(connection_t *c, struct spd_route *sr,
 			"PLUTO_PEER_PROTOCOL='%u' "
 			"PLUTO_PEER_CA='%s' "
 			"%s"        /* optional PLUTO_MY_SRCIP */
+			"%s"        /* optional PLUTO_XAUTH_ID */
 			"%s"        /* actual script */
 			, verb, verb_suffix
 			, c->name
@@ -585,6 +596,7 @@ static bool do_command(connection_t *c, struct spd_route *sr,
 			, sr->that.protocol
 			, secure_peerca_str
 			, srcip_str
+			, xauth_id_str
 			, sr->this.updown == NULL? DEFAULT_UPDOWN : sr->this.updown))
 		{
 			loglog(RC_LOG_SERIOUS, "%s%s command too long!", verb, verb_suffix);
diff --git a/src/pluto/keys.c b/src/pluto/keys.c
index 8cf28ace1..6db757ba7 100644
--- a/src/pluto/keys.c
+++ b/src/pluto/keys.c
@@ -53,25 +53,26 @@
 #include "whack.h"      /* for RC_LOG_SERIOUS */
 #include "timer.h"
 #include "fetch.h"
-#include "xauth.h"
 
 const char *shared_secrets_file = SHARED_SECRETS_FILE;
 
-typedef struct id_list id_list_t;
 
-struct id_list {
-	identification_t *id;
-	id_list_t *next;
+typedef enum secret_kind_t secret_kind_t;
+
+enum secret_kind_t {
+	SECRET_PSK,
+	SECRET_PUBKEY,
+	SECRET_XAUTH,
+	SECRET_PIN
 };
 
-typedef struct secret secret_t;
+typedef struct secret_t secret_t;
 
-struct secret {
-	id_list_t *ids;
-	enum PrivateKeyKind kind;
+struct secret_t {
+	linked_list_t *ids;
+	secret_kind_t kind;
 	union {
 		chunk_t        preshared_secret;
-		xauth_t        xauth_secret;
 		private_key_t *private_key;
 		smartcard_t   *smartcard;
 	} u;
@@ -92,12 +93,11 @@ static void free_public_key(pubkey_t *pk)
 
 secret_t *secrets = NULL;
 
-/* find the struct secret associated with the combination of
- * me and the peer.  We match the Id (if none, the IP address).
- * Failure is indicated by a NULL.
+/**
+ * Find the secret associated with the combination of me and the peer.
  */
-static const secret_t* get_secret(const connection_t *c,
-								  enum PrivateKeyKind kind, bool asym)
+const secret_t* match_secret(identification_t *my_id, identification_t *his_id,
+							 secret_kind_t kind)
 {
 	enum {      /* bits */
 		match_default = 0x01,
@@ -106,128 +106,92 @@ static const secret_t* get_secret(const connection_t *c,
 	};
 
 	unsigned int best_match = 0;
-	secret_t *best = NULL;
-	secret_t *s;
-	identification_t *my_id, *his_id;
+	secret_t *s, *best = NULL;
 
-	/* is there a certificate assigned to this connection? */
-	if (kind == PPK_PUBKEY && c->spd.this.cert)
+	for (s = secrets; s != NULL; s = s->next)
 	{
-		certificate_t *certificate = c->spd.this.cert->cert;
+		unsigned int match = 0;
 
-		public_key_t *pub_key = certificate->get_public_key(certificate);
-
-		for (s = secrets; s != NULL; s = s->next)
+		if (s->kind != kind)
 		{
-			if (s->kind == kind &&
-				s->u.private_key->belongs_to(s->u.private_key, pub_key))
-			{
-				best = s;
-				break; /* we have found the private key - no sense in searching further */
-			}
+			continue;
 		}
-		pub_key->destroy(pub_key);
-		return best;
-	}
-
-	my_id  = c->spd.this.id;
-
-	if (his_id_was_instantiated(c))
-	{
-		/* roadwarrior: replace him with 0.0.0.0 */
-		his_id = identification_create_from_string("%any");
-	}
-	else if (kind == PPK_PSK && (c->policy & (POLICY_PSK | POLICY_XAUTH_PSK)) &&
-		((c->kind == CK_TEMPLATE &&
-		 c->spd.that.id->get_type(c->spd.that.id) == ID_ANY) ||
-		(c->kind == CK_INSTANCE && id_is_ipaddr(c->spd.that.id))))
-	{
-		/* roadwarrior: replace him with 0.0.0.0 */
-		his_id = identification_create_from_string("%any");
-	}
-	else
-	{
-		his_id = c->spd.that.id->clone(c->spd.that.id);
-	}
 
-	for (s = secrets; s != NULL; s = s->next)
-	{
-		if (s->kind == kind)
+		if (s->ids->get_count(s->ids) == 0)
+		{
+			/* a default (signified by lack of ids):
+			 * accept if no more specific match found
+			 */
+			match = match_default;
+		}
+		else
 		{
-			unsigned int match = 0;
+			/* check if both ends match ids */
+			enumerator_t *enumerator;
+			identification_t *id;
 
-			if (s->ids == NULL)
-			{
-				/* a default (signified by lack of ids):
-				 * accept if no more specific match found
-				 */
-				match = match_default;
-			}
-			else
+			enumerator = s->ids->create_enumerator(s->ids);
+			while (enumerator->enumerate(enumerator, &id))
 			{
-				/* check if both ends match ids */
-				id_list_t *i;
-
-				for (i = s->ids; i != NULL; i = i->next)
+				if (my_id->equals(my_id, id))
 				{
-					if (my_id->equals(my_id, i->id))
-					{
-						match |= match_me;
-					}
-					if (his_id->equals(his_id, i->id))
-					{
-						match |= match_him;
-					}
+					match |= match_me;
 				}
-
-				/* If our end matched the only id in the list,
-				 * default to matching any peer.
-				 * A more specific match will trump this.
-				 */
-				if (match == match_me && s->ids->next == NULL)
+				if (his_id->equals(his_id, id))
 				{
-					match |= match_default;
+					match |= match_him;
 				}
 			}
+			enumerator->destroy(enumerator);
 
-			switch (match)
+			/* If our end matched the only id in the list,
+			 * default to matching any peer.
+			 * A more specific match will trump this.
+			 */
+			if (match == match_me && s->ids->get_count(s->ids) == 1)
 			{
+				match |= match_default;
+			}
+		}
+
+		switch (match)
+		{
 			case match_me:
 				/* if this is an asymmetric (eg. public key) system,
 				 * allow this-side-only match to count, even if
 				 * there are other ids in the list.
 				 */
-				if (!asym)
+				if (kind != SECRET_PUBKEY)
 				{
 					break;
 				}
 				/* FALLTHROUGH */
-			case match_default: /* default all */
-			case match_me | match_default:      /* default peer */
-			case match_me | match_him:  /* explicit */
+			case match_default:              /* default all */
+			case match_me | match_default:   /* default peer */
+			case match_me | match_him:       /* explicit */
 				if (match == best_match)
 				{
-					/* two good matches are equally good:
-					 * do they agree?
-					 */
+					/* two good matches are equally good: do they agree? */
 					bool same = FALSE;
 
 					switch (kind)
 					{
-					case PPK_PSK:
-						same = s->u.preshared_secret.len == best->u.preshared_secret.len
-								&& memeq(s->u.preshared_secret.ptr, best->u.preshared_secret.ptr, s->u.preshared_secret.len);
+					case SECRET_PSK:
+					case SECRET_XAUTH:
+						same = chunk_equals(s->u.preshared_secret,
+											best->u.preshared_secret);
 						break;
-					case PPK_PUBKEY:
-						same = s->u.private_key->equals(s->u.private_key, best->u.private_key);
+					case SECRET_PUBKEY:
+						same = s->u.private_key->equals(s->u.private_key,
+														best->u.private_key);
 						break;
 					default:
 						bad_case(kind);
 					}
 					if (!same)
 					{
-						loglog(RC_LOG_SERIOUS, "multiple ipsec.secrets entries with distinct secrets match endpoints:"
-							" first secret used");
+						loglog(RC_LOG_SERIOUS, "multiple ipsec.secrets entries with "
+							"distinct secrets match endpoints: first secret used");
 						best = s;       /* list is backwards: take latest in list */
 					}
 				}
@@ -237,9 +201,63 @@ static const secret_t* get_secret(const connection_t *c,
 					best_match = match;
 					best = s;
 				}
-			}
 		}
 	}
+	return best;
+}
+
+/**
+ * Retrieves an XAUTH secret primarily based on the user ID and
+ * secondarily based on the server ID
+ */
+bool get_xauth_secret(identification_t *user, identification_t *server,
+					  chunk_t *secret)
+{
+	const secret_t *s;
+
+	s = match_secret(user, server, SECRET_XAUTH);
+	if (s)
+	{
+		*secret = chunk_clone(s->u.preshared_secret);
+		return TRUE;
+	}
+	else
+	{
+		*secret = chunk_empty;
+		return FALSE;
+	}
+}
+
+/**
+ * We match the ID (if none, the IP address). Failure is indicated by a NULL.
+ */
+static const secret_t* get_secret(const connection_t *c, secret_kind_t kind)
+{
+	identification_t *my_id, *his_id;
+	const secret_t *best;
+
+	my_id  = c->spd.this.id;
+
+	if (his_id_was_instantiated(c))
+	{
+		/* roadwarrior: replace him with 0.0.0.0 */
+		his_id = identification_create_from_string("%any");
+	}
+	else if (kind == SECRET_PSK && (c->policy & (POLICY_PSK | POLICY_XAUTH_PSK)) &&
+		((c->kind == CK_TEMPLATE &&
+		 c->spd.that.id->get_type(c->spd.that.id) == ID_ANY) ||
+		(c->kind == CK_INSTANCE && id_is_ipaddr(c->spd.that.id))))
+	{
+		/* roadwarrior: replace him with 0.0.0.0 */
+		his_id = identification_create_from_string("%any");
+	}
+	else
+	{
+		his_id = c->spd.that.id->clone(c->spd.that.id);
+	}
+
+	best = match_secret(my_id, his_id, kind);
+
 	his_id->destroy(his_id);
 	return best;
 }
@@ -250,7 +268,7 @@ static const secret_t* get_secret(const connection_t *c,
  */
 const chunk_t* get_preshared_secret(const connection_t *c)
 {
-	const secret_t *s = get_secret(c, PPK_PSK, FALSE);
+	const secret_t *s = get_secret(c, SECRET_PSK);
 
 	DBG(DBG_PRIVATE,
 		if (s == NULL)
@@ -272,7 +290,7 @@ bool has_private_key(cert_t *cert)
 
 	for (s = secrets; s != NULL; s = s->next)
 	{
-		if (s->kind == PPK_PUBKEY &&
+		if (s->kind == SECRET_PUBKEY &&
 			s->u.private_key->belongs_to(s->u.private_key, pub_key))
 		{
 			has_key = TRUE;
@@ -295,7 +313,7 @@ private_key_t* get_x509_private_key(const cert_t *cert)
 	for (s = secrets; s != NULL; s = s->next)
 	{
 
-		if (s->kind == PPK_PUBKEY &&
+		if (s->kind == SECRET_PUBKEY &&
 			s->u.private_key->belongs_to(s->u.private_key, public_key))
 		{
 			private_key = s->u.private_key;
@@ -311,9 +329,33 @@ private_key_t* get_x509_private_key(const cert_t *cert)
  */
 private_key_t* get_private_key(const connection_t *c)
 {
-	const secret_t *s = get_secret(c, PPK_PUBKEY, TRUE);
+	const secret_t *s, *best = NULL;
+
+	/* is a certificate assigned to this connection? */
+	if (c->spd.this.cert)
+	{
+		certificate_t *certificate;
+		public_key_t *pub_key;
 
-	return s == NULL? NULL : s->u.private_key;
+		certificate = c->spd.this.cert->cert;
+		pub_key = certificate->get_public_key(certificate);
+
+		for (s = secrets; s != NULL; s = s->next)
+		{
+			if (s->kind == SECRET_PUBKEY &&
+				s->u.private_key->belongs_to(s->u.private_key, pub_key))
+			{
+				best = s;
+				break; /* found the private key - no sense in searching further */
+			}
+		}
+		pub_key->destroy(pub_key);
+	}
+	else
+	{
+		best = get_secret(c, SECRET_PUBKEY);
+	}
+	return best ? best->u.private_key : NULL;
 }
 
 /* digest a secrets file
@@ -555,120 +597,6 @@ static err_t process_keyfile(private_key_t **key, key_type_t type, int whackfd)
 	return *key ? NULL : "Private key file -- could not be loaded";
 }
 
-/**
- * Process xauth secret read from ipsec.secrets
- */
-static err_t process_xauth(secret_t *s)
-{
-	chunk_t user_name;
-
-	s->kind = PPK_XAUTH;
-
-	if (!shift())
-		return "missing xauth user name";
-	if (*tok == '"' || *tok == '\'')  /* quoted user name */
-	{
-		user_name.ptr = tok + 1;
-		user_name.len = flp->cur - tok - 2;
-	}
-	else
-	{
-		user_name.ptr = tok;
-		user_name.len = flp->cur - tok;
-	}
-	plog("  loaded xauth credentials of user '%.*s'"
-				, user_name.len
-				, user_name.ptr);
-	s->u.xauth_secret.user_name = chunk_clone(user_name);
-
-	if (!shift())
-		return "missing xauth user password";
-	return process_psk_secret(&s->u.xauth_secret.user_password);
-}
-
-/**
- * Get XAUTH secret from chained secrets lists
- * only one entry is currently supported
- */
-static bool xauth_get_secret(xauth_t *xauth_secret)
-{
-	secret_t *s;
-	bool found = FALSE;
-
-	for (s = secrets; s != NULL; s = s->next)
-	{
-		if (s->kind == PPK_XAUTH)
-		{
-			if (found)
-			{
-				plog("found multiple xauth secrets - first selected");
-			}
-			else
-			{
-				found = TRUE;
-				*xauth_secret = s->u.xauth_secret;
-			}
-		}
-	}
-	return found;
-}
-
-/**
- * find a matching secret
- */
-static bool xauth_verify_secret(const xauth_peer_t *peer,
-								const xauth_t *xauth_secret)
-{
-	bool found = FALSE;
-	secret_t *s;
-
-	for (s = secrets; s != NULL; s = s->next)
-	{
-		if (s->kind == PPK_XAUTH)
-		{
-			if (!chunk_equals(xauth_secret->user_name, s->u.xauth_secret.user_name))
-			{
-				continue;
-			}
-			found = TRUE;
-			if (chunk_equals(xauth_secret->user_password, s->u.xauth_secret.user_password))
-			{
-				return TRUE;
-			}
-		}
-	}
-	plog("xauth user '%.*s' %s"
-	   , xauth_secret->user_name.len, xauth_secret->user_name.ptr
-	   , found? "sent wrong password":"not found");
-	return FALSE;
-}
-
-/**
- * the global xauth_module struct is defined here
- */
-xauth_module_t xauth_module;
-
-/**
- * Assign the default xauth functions to any null function pointers
- */
-void xauth_defaults(void)
-{
-	if (xauth_module.get_secret == NULL)
-	{
-		DBG(DBG_CONTROL,
-			DBG_log("xauth module: using default get_secret() function")
-		)
-		xauth_module.get_secret = xauth_get_secret;
-	}
-	if (xauth_module.verify_secret == NULL)
-	{
-		DBG(DBG_CONTROL,
-			DBG_log("xauth module: using default verify_secret() function")
-		)
-		xauth_module.verify_secret = xauth_verify_secret;
-	}
-};
-
 /**
  * Process pin read from ipsec.secrets or prompted for it using whack
  */
@@ -677,7 +605,7 @@ static err_t process_pin(secret_t *s, int whackfd)
 	smartcard_t *sc;
 	const char *pin_status = "no pin";
 
-	s->kind = PPK_PIN;
+	s->kind = SECRET_PIN;
 
 	/* looking for the smartcard keyword */
 	if (!shift() || strncmp(tok, SCX_TOKEN, strlen(SCX_TOKEN)) != 0)
@@ -748,57 +676,69 @@ static err_t process_pin(secret_t *s, int whackfd)
 	return NULL;
 }
 
-static void log_psk(secret_t *s)
+static void log_psk(char *label, secret_t *s)
 {
 	int n = 0;
 	char buf[BUF_LEN];
-	id_list_t *id_list = s->ids;
+	enumerator_t *enumerator;
+	identification_t *id;
 
-	if (id_list == NULL)
+	if (s->ids->get_count(s->ids) == 0)
 	{
 		n = snprintf(buf, BUF_LEN, "%%any");
 	}
 	else
 	{
-		do
+		enumerator = s->ids->create_enumerator(s->ids);
+		while(enumerator->enumerate(enumerator, &id))
 		{
-			n += snprintf(buf + n, BUF_LEN - n, "%Y ", id_list->id);
+			n += snprintf(buf + n, BUF_LEN - n, "%Y ", id);
 			if (n >= BUF_LEN)
 			{
 				n = BUF_LEN - 1;
 				break;
 			}
-			id_list = id_list->next;
 		}
-		while (id_list);
+		enumerator->destroy(enumerator);
 	}
-	plog("  loaded shared key for %.*s", n, buf);
+	plog("  loaded %s secret for %.*s", label, n, buf);
 }
 
 static void process_secret(secret_t *s, int whackfd)
 {
 	err_t ugh = NULL;
 
-	s->kind = PPK_PSK;  /* default */
+	s->kind = SECRET_PSK;  /* default */
 	if (*tok == '"' || *tok == '\'')
 	{
+		log_psk("PSK", s);
+
 		/* old PSK format: just a string */
-		log_psk(s);
 		ugh = process_psk_secret(&s->u.preshared_secret);
 	}
 	else if (tokeqword("psk"))
 	{
+		log_psk("PSK", s);
+
 		/* preshared key: quoted string or ttodata format */
-		log_psk(s);
 		ugh = !shift()? "unexpected end of record in PSK"
 			: process_psk_secret(&s->u.preshared_secret);
 	}
+	else if (tokeqword("xauth"))
+	{
+		s->kind = SECRET_XAUTH;
+		log_psk("XAUTH", s);
+
+		/* xauth secret: quoted string or ttodata format */
+		ugh = !shift()? "unexpected end of record in XAUTH"
+			: process_psk_secret(&s->u.preshared_secret);
+	}
 	else if (tokeqword("rsa"))
 	{
 		/* RSA key: the fun begins.
 		 * A braced list of keyword and value pairs.
 		 */
-		s->kind = PPK_PUBKEY;
+		s->kind = SECRET_PUBKEY;
 		if (!shift())
 		{
 			ugh = "bad RSA key syntax";
@@ -814,7 +754,7 @@ static void process_secret(secret_t *s, int whackfd)
 	}
 	else if (tokeqword("ecdsa"))
 	{
-		s->kind = PPK_PUBKEY;
+		s->kind = SECRET_PUBKEY;
 		if (!shift())
 		{
 			ugh = "bad ECDSA key syntax";
@@ -824,10 +764,6 @@ static void process_secret(secret_t *s, int whackfd)
 		   ugh = process_keyfile(&s->u.private_key, KEY_ECDSA, whackfd);
 		}
 	}
-	else if (tokeqword("xauth"))
-	{
-		ugh = process_xauth(s);
-	}
 	else if (tokeqword("pin"))
 	{
 		ugh = process_pin(s, whackfd);
@@ -919,8 +855,8 @@ static void process_secret_records(int whackfd)
 			secret_t *s = malloc_thing(secret_t);
 
 			zero(s);
-			s->ids = NULL;
-			s->kind = PPK_PSK;  /* default */
+			s->ids = linked_list_create();
+			s->kind = SECRET_PSK;  /* default */
 			s->u.preshared_secret = chunk_empty;
 			s->next = NULL;
 
@@ -941,14 +877,10 @@ static void process_secret_records(int whackfd)
 				}
 				else
 				{
-					/* an id
-					 * See RFC2407 IPsec Domain of Interpretation 4.6.2
-					 */
-					id_list_t *i = malloc_thing(id_list_t);
+					identification_t *id;
 
-					i->id = identification_create_from_string(tok);
-					i->next = s->ids;
-					s->ids = i;
+					id = identification_create_from_string(tok);
+					s->ids->insert_last(s->ids, id);
 
 					if (!shift())
 					{
@@ -1035,32 +967,23 @@ void free_preshared_secrets(void)
 
 		for (s = secrets; s != NULL; s = ns)
 		{
-			id_list_t *i, *ni;
-
 			ns = s->next;
-			for (i = s->ids; i != NULL; i = ni)
-			{
-				ni = i->next; 
-				i->id->destroy(i->id);
-				free(i);
-			}
+			s->ids->destroy_offset(s->ids, offsetof(identification_t, destroy));
+
 			switch (s->kind)
 			{
-			case PPK_PSK:
-				free(s->u.preshared_secret.ptr);
-				break;
-			case PPK_PUBKEY:
-				DESTROY_IF(s->u.private_key);
-				break;
-			case PPK_XAUTH:
-				free(s->u.xauth_secret.user_name.ptr);
-				free(s->u.xauth_secret.user_password.ptr);
-				break;
-			case PPK_PIN:
-				scx_release(s->u.smartcard);
-				break;
-			default:
-				bad_case(s->kind);
+				case SECRET_PSK:
+				case SECRET_XAUTH:
+					free(s->u.preshared_secret.ptr);
+					break;
+				case SECRET_PUBKEY:
+					DESTROY_IF(s->u.private_key);
+					break;
+				case SECRET_PIN:
+					scx_release(s->u.smartcard);
+					break;
+				default:
+					bad_case(s->kind);
 			}
 			free(s);
 		}
@@ -1315,7 +1238,7 @@ void add_public_key_from_cert(cert_t *cert , time_t until,
 
 		/* insert all subjectAltNames from X.509 certificates */
 		enumerator = x509->create_subjectAltName_enumerator(x509);
-		while (enumerator->enumerate(enumerator, &id)) 
+		while (enumerator->enumerate(enumerator, &id))
 		{
 			if (id->get_type(id) != ID_ANY)
 			{
@@ -1404,7 +1327,7 @@ void list_public_keys(bool utc)
 			public->get_keysize(public) * BITS_PER_BYTE,
 			&key->until_time, utc,
 			check_expiry(key->until_time, PUBKEY_WARNING_INTERVAL, TRUE));
-		if (public->get_fingerprint(public, KEY_ID_PUBKEY_INFO_SHA1, &keyid))
+		if (public->get_fingerprint(public, KEYID_PUBKEY_INFO_SHA1, &keyid))
 		{
 			whack_log(RC_COMMENT,"  keyid:     %#B", &keyid);
 		}
diff --git a/src/pluto/keys.h b/src/pluto/keys.h
index d856c0009..73cc21392 100644
--- a/src/pluto/keys.h
+++ b/src/pluto/keys.h
@@ -21,6 +21,7 @@
 #include <credentials/keys/public_key.h>
 
 #include "certs.h"
+#include "connections.h"
 
 #ifndef SHARED_SECRETS_FILE
 # define SHARED_SECRETS_FILE  IPSEC_CONFDIR "/ipsec.secrets"
@@ -31,20 +32,12 @@ const char *shared_secrets_file;
 extern void load_preshared_secrets(int whackfd);
 extern void free_preshared_secrets(void);
 
-enum PrivateKeyKind {
-	PPK_PSK,
-	PPK_PUBKEY,
-	PPK_XAUTH,
-	PPK_PIN
-};
-
 extern void xauth_defaults(void);
 
-/* forward declaration */
-struct connection;
-
-extern const chunk_t *get_preshared_secret(const struct connection *c);
-extern private_key_t *get_private_key(const struct connection *c);
+extern bool get_xauth_secret(identification_t *user, identification_t *server,
+							 chunk_t *secret);
+extern const chunk_t *get_preshared_secret(const connection_t *c);
+extern private_key_t *get_private_key(const connection_t *c);
 extern private_key_t *get_x509_private_key(const cert_t *cert);
 
 /* public key machinery  */
diff --git a/src/pluto/modecfg.c b/src/pluto/modecfg.c
index 0c4f2bd6b..0d0cd899c 100644
--- a/src/pluto/modecfg.c
+++ b/src/pluto/modecfg.c
@@ -2,7 +2,7 @@
  * Copyright (C) 2001-2002 Colubris Networks
  * Copyright (C) 2003 Sean Mathews - Nu Tech Software Solutions, inc.
  * Copyright (C) 2003-2004 Xelerance Corporation
- * Copyright (C) 2006-2009 Andreas Steffen - Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2006-2010 Andreas Steffen - Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -27,7 +27,7 @@
 
 #include <library.h>
 #include <hydra.h>
-#include <attributes/attributes.h>
+#include <utils/linked_list.h>
 #include <crypto/prfs/prf.h>
 
 #include "constants.h"
@@ -40,106 +40,121 @@
 #include "crypto.h"
 #include "modecfg.h"
 #include "whack.h"
-#include "xauth.h"
+#include "pluto.h"
 
 #define MAX_XAUTH_TRIES         3
-#define DNS_SERVER_MAX          2
-#define NBNS_SERVER_MAX         2
 
-#define SUPPORTED_ATTR_SET   ( LELEM(INTERNAL_IP4_ADDRESS)         \
-							 | LELEM(INTERNAL_IP4_NETMASK)         \
-							 | LELEM(INTERNAL_IP4_DNS)             \
-							 | LELEM(INTERNAL_IP4_NBNS)            \
-							 | LELEM(APPLICATION_VERSION)          \
-							 | LELEM(INTERNAL_IP6_DNS)             \
-							 | LELEM(INTERNAL_IP6_NBNS)            \
-							 )
+#define DEFAULT_UNITY_BANNER	"Welcome to strongSwan - the Linux VPN Solution!\n"
 
-#define SUPPORTED_UNITY_ATTR_SET ( LELEM(UNITY_BANNER - UNITY_BASE) )
+/**
+ * Creates a modecfg_attribute_t object
+ */
+static modecfg_attribute_t *modecfg_attribute_create(configuration_attribute_type_t type,
+													 chunk_t value)
+{
+	modecfg_attribute_t *this;
 
-#define UNITY_BANNER_STR    "Welcome to strongSwan - the Linux VPN Solution!\n"
+	this = malloc_thing(modecfg_attribute_t);
+	this->type = ((u_int16_t)type) & 0x7FFF;
+	this->is_tv = FALSE;
+	this->value = chunk_clone(value);
+	this->handler = NULL;
 
-/*
- * Addresses assigned (usually via ModeCfg) to the Initiator
- */
-typedef struct internal_addr internal_addr_t;
+	return this;
+}
 
-struct internal_addr
+/**
+ * Creates a modecfg_attribute_t object coded in TV format
+ */
+static modecfg_attribute_t *modecfg_attribute_create_tv(configuration_attribute_type_t type,
+															 size_t value)
 {
-	lset_t attr_set;
-	lset_t xauth_attr_set;
-	lset_t unity_attr_set;
-
-	/* ModeCfg variables */
-	ip_address ipaddr;
-	ip_address dns[DNS_SERVER_MAX];
-	ip_address nbns[NBNS_SERVER_MAX];
+	modecfg_attribute_t *this;
 
-	char *unity_banner;
+	this = modecfg_attribute_create(type, chunk_empty);
+	this->value.len = value;
+	this->is_tv = TRUE;
 
-	/* XAUTH variables */
-	u_int16_t  xauth_type;
-	xauth_t    xauth_secret;
-	bool       xauth_status;
-};
+	return this;
+}
 
 /**
- * Initialize an internal_addr struct
+ * Destroys a modecfg_attribute_t object
  */
-static void init_internal_addr(internal_addr_t *ia)
+void modecfg_attribute_destroy(modecfg_attribute_t *this)
 {
-	int i;
+	free(this->value.ptr);
+	free(this);
+}
 
-	ia->attr_set = LEMPTY;
-	ia->xauth_attr_set = LEMPTY;
-	ia->xauth_secret.user_name = chunk_empty;
-	ia->xauth_secret.user_password = chunk_empty;
-	ia->xauth_type = XAUTH_TYPE_GENERIC;
-	ia->xauth_status = XAUTH_STATUS_FAIL;
-	ia->unity_attr_set = LEMPTY;
-	ia->unity_banner = NULL;
+/**
+ * Get attributes to be sent to client
+ */
+static void get_attributes(connection_t *c, linked_list_t *ca_list)
+{
+	configuration_attribute_type_t type;
+	identification_t *client_id;
+	modecfg_attribute_t *ca;
+	enumerator_t *enumerator;
+	chunk_t value;
+	host_t *vip = NULL, *requested_vip = NULL;
+	bool want_unity_banner = FALSE;
+	int family;
 
-	anyaddr(AF_INET, &ia->ipaddr);
+#ifdef CISCO_QUIRKS
+	/* always send banner in ModeCfg push mode */
+	if (ca_list->get_count(ca_list) == 0)
+	{
+		want_unity_banner = TRUE;
+	}
+#endif
 
-	/* initialize DNS server information */
-	for (i = 0; i < DNS_SERVER_MAX; i++)
+	/* scan list of requested attributes in ModeCfg pull mode */
+	while (ca_list->remove_last(ca_list, (void **)&ca) == SUCCESS)
 	{
-		anyaddr(AF_INET, &ia->dns[i]);
+		switch (ca->type)
+		{
+			case INTERNAL_IP4_ADDRESS:
+			case INTERNAL_IP6_ADDRESS:
+			{
+				int family;
+
+				family = (ca->type == INTERNAL_IP4_ADDRESS) ? AF_INET : AF_INET6;
+				requested_vip = (ca->value.len) ?
+								host_create_from_chunk(family, ca->value, 0) :
+					 			host_create_any(family);
+				plog("peer requested virtual IP %H", requested_vip);
+				break;
+			}
+#ifdef CISCO_QUIRKS
+			case UNITY_BANNER:
+				want_unity_banner = TRUE;
+				break;
+#endif
+			default:
+				break;
+		}
+		modecfg_attribute_destroy(ca);
 	}
 
-	/* initialize NBNS server information */
-	for (i = 0; i < NBNS_SERVER_MAX; i++)
+	if (requested_vip == NULL)
 	{
-		anyaddr(AF_INET, &ia->nbns[i]);
+		requested_vip = host_create_any(AF_INET);
 	}
-}
 
-/**
- * Get internal IP address for a connection
- */
-static void get_internal_addr(connection_t *c, host_t *requested_vip,
-							  internal_addr_t *ia)
-{
-	int dns_idx = 0, nbns_idx = 0;
-	enumerator_t *enumerator;
-	configuration_attribute_type_t type;
-	chunk_t value;
-	host_t *vip = NULL;
+	client_id = (c->xauth_identity) ? c->xauth_identity : c->spd.that.id;
 
-	if (isanyaddr(&c->spd.that.host_srcip))
+	/* if no virtual IP has been assigned yet - acquire one */
+	if (c->spd.that.host_srcip->is_anyaddr(c->spd.that.host_srcip))
 	{
 		if (c->spd.that.pool)
 		{
 			vip = hydra->attributes->acquire_address(hydra->attributes,
-										c->spd.that.pool, c->spd.that.id,
-										requested_vip);
+								c->spd.that.pool, client_id, requested_vip);
 			if (vip)
 			{
-				chunk_t addr = vip->get_address(vip);
-
-				plog("assigning virtual IP %H to peer", vip);
-				initaddr(addr.ptr, addr.len, vip->get_family(vip), &ia->ipaddr);
-
+				c->spd.that.host_srcip->destroy(c->spd.that.host_srcip);
+				c->spd.that.host_srcip = vip;
 			}
 		}
 		else
@@ -147,132 +162,184 @@ static void get_internal_addr(connection_t *c, host_t *requested_vip,
 			plog("no virtual IP found");
 		}
 	}
-	else
-	{
-		ia->ipaddr = c->spd.that.host_srcip;
-		vip = host_create_from_sockaddr((sockaddr_t*)&ia->ipaddr);
-		plog("assigning virtual IP %H to peer", vip);
-	}
 
-	if (!isanyaddr(&ia->ipaddr))        /* We got an IP address, send it */
+	requested_vip->destroy(requested_vip);
+
+	/* if we have a virtual IP address - send it */
+	if (!c->spd.that.host_srcip->is_anyaddr(c->spd.that.host_srcip))  
 	{
-		c->spd.that.host_srcip      = ia->ipaddr;
-		c->spd.that.client.addr     = ia->ipaddr;
-		c->spd.that.client.maskbits = 32;
+		vip = c->spd.that.host_srcip;
+		plog("assigning virtual IP %H to peer", vip);
+		family = vip->get_family(vip);
+		ca = modecfg_attribute_create((family == AF_INET) ?
+									   INTERNAL_IP4_ADDRESS :
+									   INTERNAL_IP6_ADDRESS,
+									   vip->get_address(vip));
+		ca_list->insert_last(ca_list, ca);
+
+		/* set the remote client subnet to virtual IP */
+		c->spd.that.client.addr     = *(ip_address*)vip->get_sockaddr(vip);
+		c->spd.that.client.maskbits = (family == AF_INET) ? 32 : 128; 
 		c->spd.that.has_client      = TRUE;
-
-		ia->attr_set = LELEM(INTERNAL_IP4_ADDRESS)
-					 | LELEM(INTERNAL_IP4_NETMASK);
 	}
 
 	/* assign attributes from registered providers */
 	enumerator = hydra->attributes->create_responder_enumerator(hydra->attributes,
-											c->spd.that.id, vip);
+											c->spd.that.pool, client_id, vip);
 	while (enumerator->enumerate(enumerator, &type, &value))
 	{
-		err_t ugh;
-		host_t *server;
-		sa_family_t family = AF_INET;
+		ca = modecfg_attribute_create(type, value);
+		ca_list->insert_last(ca_list, ca);
+		if (type == UNITY_BANNER)
+		{
+			want_unity_banner = FALSE;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	if (want_unity_banner)
+	{
+		ca = modecfg_attribute_create(UNITY_BANNER,
+									  chunk_create(DEFAULT_UNITY_BANNER,
+									  strlen(DEFAULT_UNITY_BANNER)));
+		ca_list->insert_last(ca_list, ca);
+	}
+}
+
+/**
+ * Set srcip and client subnet to internal IP address
+ */
+static bool set_attributes(connection_t *c, linked_list_t *ca_list)
+{
+	host_t *vip, *srcip;
+	modecfg_attribute_t *ca, *ca_handler;
+	enumerator_t *enumerator;
+	bool vip_set = FALSE;
+
+	enumerator = ca_list->create_enumerator(ca_list);
+	while (enumerator->enumerate(enumerator, &ca))
+	{
+		int family = AF_INET6;
+		attribute_handler_t *handler = NULL;
+		enumerator_t *e;
 
-		switch (type)
+		switch (ca->type)
 		{
-			case INTERNAL_IP6_DNS:
-				family = AF_INET6;
-				/* fallthrough */
-			case INTERNAL_IP4_DNS:
-				if (dns_idx >= DNS_SERVER_MAX)
+			case INTERNAL_IP4_ADDRESS:
+				family = AF_INET;
+				/* fall */
+			case INTERNAL_IP6_ADDRESS:
+				if (ca->value.len == 0)
 				{
-					plog("exceeded the maximum number of %d DNS servers",
-						 DNS_SERVER_MAX);
-					break;
+					vip = host_create_any(family);
 				}
-				ugh = initaddr(value.ptr, value.len, family, &ia->dns[dns_idx]);
-				if (ugh)
+				else
 				{
-					plog("error in DNS server address: %s", ugh);
-					break;
+					/* skip prefix byte in IPv6 payload*/
+					if (family == AF_INET6)
+					{
+						ca->value.len = 16;
+					}
+					vip = host_create_from_chunk(family, ca->value, 0);
 				}
-				server = host_create_from_chunk(family, value, 0);
-				plog("assigning DNS server %H to peer", server);
-				server->destroy(server);
-
-				/* differentiate between IP4 and IP6 in modecfg_build_msg() */
-				ia->attr_set |= LELEM(INTERNAL_IP4_DNS);
-				dns_idx++;
-				break;
-
-			case INTERNAL_IP6_NBNS:
-				family = AF_INET6;
-				/* fallthrough */
-			case INTERNAL_IP4_NBNS:
-				if (nbns_idx >= NBNS_SERVER_MAX)
+				if (vip)
 				{
-					plog("exceeded the maximum number of %d NBNS servers",
-						 NBNS_SERVER_MAX);
-					break;
-				}
-				ugh = initaddr(value.ptr, value.len, family, &ia->nbns[nbns_idx]);
-				if (ugh)
+					srcip = c->spd.this.host_srcip;
+
+					if (srcip->is_anyaddr(srcip) || srcip->equals(srcip, vip))
+					{
+						plog("setting virtual IP source address to %H", vip);
+					}
+					else
+					{
+						plog("replacing virtual IP source address %H by %H",
+							  srcip, vip);
+					}
+					srcip->destroy(srcip);
+					c->spd.this.host_srcip = vip;
+
+					/* setting client subnet to vip/32 */
+					addrtosubnet((ip_address*)vip->get_sockaddr(vip),
+								 &c->spd.this.client);
+					setportof(0, &c->spd.this.client.addr);
+					c->spd.this.has_client = TRUE;
+
+					vip_set = TRUE;	
+				}	
+				continue;
+			case APPLICATION_VERSION:
+#ifdef CISCO_QUIRKS
+			case UNITY_BANNER:
+#endif
+				if (ca->value.len > 0)
 				{
-					plog("error in NBNS server address: %s", ugh);
-					break;
+					DBG(DBG_PARSING | DBG_CONTROLMORE,
+						DBG_log("   '%.*s'", ca->value.len, ca->value.ptr)
+					)
 				}
-				server = host_create_from_chunk(family, value, 0);
-				plog("assigning NBNS server %H to peer", server);
-				server->destroy(server);
-
-				/* differentiate between IP4 and IP6 in modecfg_build_msg() */
-				ia->attr_set |= LELEM(INTERNAL_IP4_NBNS);
-				nbns_idx++;
 				break;
-
 			default:
 				break;
 		}
-	}
-	enumerator->destroy(enumerator);
-	DESTROY_IF(vip);
-}
-
 
-/**
- * Set srcip and client subnet to internal IP address
- */
-static bool set_internal_addr(connection_t *c, internal_addr_t *ia)
-{
-	if (ia->attr_set & LELEM(INTERNAL_IP4_ADDRESS)
-	&& !isanyaddr(&ia->ipaddr))
-	{
-		if (addrbytesptr(&c->spd.this.host_srcip, NULL) == 0
-		|| isanyaddr(&c->spd.this.host_srcip)
-		|| sameaddr(&c->spd.this.host_srcip, &ia->ipaddr))
+		/* find the first handler which requested this attribute */
+		e = c->requested->create_enumerator(c->requested);
+		while (e->enumerate(e, &ca_handler))
 		{
-			char srcip[ADDRTOT_BUF];
-
-			addrtot(&ia->ipaddr, 0, srcip, sizeof(srcip));
-			plog("setting virtual IP source address to %s", srcip);
+			if (ca_handler->type == ca->type)
+			{
+				handler = ca_handler->handler;
+				break;
+			}
 		}
-		else
+		e->destroy(e);
+
+		/* and pass it to the handle function */
+		handler = hydra->attributes->handle(hydra->attributes,
+							 c->spd.that.id, handler, ca->type, ca->value);
+		if (handler)
 		{
-			char old_srcip[ADDRTOT_BUF];
-			char new_srcip[ADDRTOT_BUF];
+			ca_handler = modecfg_attribute_create(ca->type, ca->value);
+			ca_handler->handler = handler;
 
-			addrtot(&c->spd.this.host_srcip, 0, old_srcip, sizeof(old_srcip));
-			addrtot(&ia->ipaddr, 0, new_srcip, sizeof(new_srcip));
-			plog("replacing virtual IP source address %s by %s"
-				, old_srcip, new_srcip);
+			if (c->attributes == NULL)
+			{
+				c->attributes = linked_list_create();
+			}
+			c->attributes->insert_last(c->attributes, ca_handler);
 		}
+	}
+	enumerator->destroy(enumerator);
+	c->requested->destroy_function(c->requested, (void*)modecfg_attribute_destroy);
+	c->requested = NULL;
+	return vip_set;
+}
 
-		/* setting srcip */
-		c->spd.this.host_srcip = ia->ipaddr;
+/**
+ * Register configuration attribute handlers
+ */
+static void register_attribute_handlers(connection_t *c)
+{
+	configuration_attribute_type_t type;
+	modecfg_attribute_t *ca;
+	chunk_t value;
+	attribute_handler_t *handler;
+	enumerator_t *enumerator;
 
-		/* setting client subnet to srcip/32 */
-		addrtosubnet(&ia->ipaddr, &c->spd.this.client);
-		setportof(0, &c->spd.this.client.addr);
-		c->spd.this.has_client = TRUE;
-		return TRUE;
+	/* add configuration attributes requested by handlers */
+	if (c->requested == NULL)
+	{
+		c->requested = linked_list_create();
 	}
-	return FALSE;
+	enumerator = hydra->attributes->create_initiator_enumerator(
+							hydra->attributes,c->spd.that.id, c->spd.this.host_srcip);
+	while (enumerator->enumerate(enumerator, &handler, &type, &value))
+	{
+		ca = modecfg_attribute_create(type, value);
+		ca->handler = handler;
+		c->requested->insert_last(c->requested, ca);
+	}
+	enumerator->destroy(enumerator);
 }
 
 /**
@@ -307,218 +374,53 @@ static size_t modecfg_hash(u_char *dest, u_char *start, u_char *roof,
  * Generate an IKE message containing ModeCfg information (eg: IP, DNS, WINS)
  */
 static stf_status modecfg_build_msg(struct state *st, pb_stream *rbody,
-									u_int16_t msg_type,
-									internal_addr_t *ia,
+									u_int16_t msg_type,	linked_list_t *ca_list,
 									u_int16_t ap_id)
 {
 	u_char *r_hash_start, *r_hashval;
+	struct isakmp_mode_attr attrh;
+	struct isakmp_attribute attr;
+	pb_stream strattr,attrval;
+	enumerator_t *enumerator;
+	modecfg_attribute_t *ca;
 
 	START_HASH_PAYLOAD(*rbody, ISAKMP_NEXT_ATTR);
 
-	/* ATTR out */
+	attrh.isama_np         = ISAKMP_NEXT_NONE;
+	attrh.isama_type       = msg_type;
+	attrh.isama_identifier = ap_id;
+
+	if (!out_struct(&attrh, &isakmp_attr_desc, rbody, &strattr))
 	{
-		struct isakmp_mode_attr attrh;
-		struct isakmp_attribute attr;
-		pb_stream strattr,attrval;
-		int attr_type, dns_attr_type, nbns_attr_type;
-		int dns_idx, nbns_idx;
-		bool dont_advance;
-		bool is_xauth_attr_set = ia->xauth_attr_set != LEMPTY;
-		bool is_unity_attr_set = ia->unity_attr_set != LEMPTY;
-		lset_t attr_set = ia->attr_set;
-
-		attrh.isama_np         = ISAKMP_NEXT_NONE;
-		attrh.isama_type       = msg_type;
-		attrh.isama_identifier = ap_id;
-
-		if (!out_struct(&attrh, &isakmp_attr_desc, rbody, &strattr))
+		return STF_INTERNAL_ERROR;
+	}
+
+	enumerator = ca_list->create_enumerator(ca_list);
+	while (enumerator->enumerate(enumerator, &ca))
+	{
+		DBG(DBG_CONTROLMORE,
+			DBG_log("building %N attribute", configuration_attribute_type_names, ca->type)
+		)
+		if (ca->is_tv)
 		{
-			return STF_INTERNAL_ERROR;
+			attr.isaat_af_type = ca->type | ISAKMP_ATTR_AF_TV;
+			attr.isaat_lv = ca->value.len;
+			out_struct(&attr, &isakmp_modecfg_attribute_desc, &strattr, &attrval);
 		}
-		attr_type = 0;
-		dns_idx = 0;
-		nbns_idx = 0;
-
-		while (attr_set != LEMPTY || is_xauth_attr_set || is_unity_attr_set)
+		else
 		{
-			if (attr_set == LEMPTY)
-			{
-				if (is_xauth_attr_set)
-				{
-					attr_set = ia->xauth_attr_set;
-					attr_type = XAUTH_BASE;
-					is_xauth_attr_set = FALSE;
-				}
-				else
-				{
-					attr_set = ia->unity_attr_set;
-					attr_type = UNITY_BASE;
-					is_unity_attr_set = FALSE;
-				}
-			}
-
-			dont_advance = FALSE;
-
-			if (attr_set & 1)
-			{
-				const u_char *byte_ptr;
-				u_int len;
-
-				/* ISAKMP attr out */
-				if (attr_type == XAUTH_TYPE)
-				{
-					attr.isaat_af_type = attr_type | ISAKMP_ATTR_AF_TV;
-					attr.isaat_lv = ia->xauth_type;
-				}
-				else if (attr_type == XAUTH_STATUS)
-				{
-					attr.isaat_af_type = attr_type | ISAKMP_ATTR_AF_TV;
-					attr.isaat_lv = ia->xauth_status;
-				}
-				else if (attr_type == INTERNAL_IP4_DNS && !isanyaddr(&ia->dns[dns_idx]))
-				{
-					dns_attr_type = (addrtypeof(&ia->dns[dns_idx]) == AF_INET) ?
-										INTERNAL_IP4_DNS : INTERNAL_IP6_DNS;
-					attr.isaat_af_type = dns_attr_type | ISAKMP_ATTR_AF_TLV;
-
-				}
-				else if (attr_type == INTERNAL_IP4_NBNS && !isanyaddr(&ia->nbns[nbns_idx]))
-				{
-					nbns_attr_type = (addrtypeof(&ia->nbns[nbns_idx]) == AF_INET) ?
-										INTERNAL_IP4_NBNS : INTERNAL_IP6_NBNS;
-					attr.isaat_af_type = nbns_attr_type | ISAKMP_ATTR_AF_TLV;
-
-				}
-				else
-				{
-					attr.isaat_af_type = attr_type | ISAKMP_ATTR_AF_TLV;
-				}
-				out_struct(&attr, &isakmp_modecfg_attribute_desc, &strattr, &attrval);
+			char buf[BUF_LEN];
 
-				switch (attr_type)
-				{
-				case INTERNAL_IP4_ADDRESS:
-					if (!isanyaddr(&ia->ipaddr))
-					{
-						len = addrbytesptr(&ia->ipaddr, &byte_ptr);
-						out_raw(byte_ptr, len, &attrval, "IP4_addr");
-					}
-					break;
-				case INTERNAL_IP4_NETMASK:
-					{
-						u_int  mask;
-#if 0
-						char mask[4],bits[8]={0x00,0x80,0xc0,0xe0,0xf0,0xf8,0xfc,0xfe};
-						int t,m=st->st_connection->that.host_addr.maskbit;
-						for (t=0; t<4; t++)
-						{
-							if (m < 8)
-								mask[t] = bits[m];
-							else
-								mask[t] = 0xff;
-							m -= 8;
-						}
-#endif
-						if (st->st_connection->spd.this.client.maskbits == 0)
-						{
-							mask = 0;
-						}
-						else
-						{
-							mask = 0xffffffff * 1;
-							out_raw(&mask, 4, &attrval, "IP4_mask");
-						}
-					}
-					break;
-				case INTERNAL_IP4_SUBNET:
-					{
-						char mask[4];
-						char bits[8] = {0x00,0x80,0xc0,0xe0,0xf0,0xf8,0xfc,0xfe};
-						int t;
-						int m = st->st_connection->spd.this.client.maskbits;
-
-						for (t = 0; t < 4; t++)
-						{
-							mask[t] = (m < 8) ? bits[m] : 0xff;
-							m -= 8;
-							if (m < 0)
-							{
-								m = 0;
-							}
-						}
-						len = addrbytesptr(&st->st_connection->spd.this.client.addr, &byte_ptr);
-						out_raw(byte_ptr, len, &attrval, "IP4_subnet");
-						out_raw(mask, sizeof(mask), &attrval, "IP4_submsk");
-					}
-					break;
-				case INTERNAL_IP4_DNS:
-				case INTERNAL_IP6_DNS:
-					if (!isanyaddr(&ia->dns[dns_idx]))
-					{
-						len = addrbytesptr(&ia->dns[dns_idx++], &byte_ptr);
-						out_raw(byte_ptr, len, &attrval, "IP_dns");
-					}
-					if (dns_idx < DNS_SERVER_MAX && !isanyaddr(&ia->dns[dns_idx]))
-					{
-						dont_advance = TRUE;
-					}
-					break;
-				case INTERNAL_IP4_NBNS:
-				case INTERNAL_IP6_NBNS:
-					if (!isanyaddr(&ia->nbns[nbns_idx]))
-					{
-						len = addrbytesptr(&ia->nbns[nbns_idx++], &byte_ptr);
-						out_raw(byte_ptr, len, &attrval, "IP_nbns");
-					}
-					if (nbns_idx < NBNS_SERVER_MAX && !isanyaddr(&ia->nbns[nbns_idx]))
-					{
-						dont_advance = TRUE;
-					}
-					break;
-				case XAUTH_TYPE:
-					break;
-				case XAUTH_USER_NAME:
-					if (ia->xauth_secret.user_name.ptr != NULL)
-					{
-						out_raw(ia->xauth_secret.user_name.ptr
-							  , ia->xauth_secret.user_name.len
-							  , &attrval, "xauth_user_name");
-					}
-					break;
-				case XAUTH_USER_PASSWORD:
-					if (ia->xauth_secret.user_password.ptr != NULL)
-					{
-						out_raw(ia->xauth_secret.user_password.ptr
-							  , ia->xauth_secret.user_password.len
-							  , &attrval, "xauth_user_password");
-					}
-					break;
-				case XAUTH_STATUS:
-					break;
-				case UNITY_BANNER:
-					if (ia->unity_banner != NULL)
-					{
-						out_raw(ia->unity_banner
-							  , strlen(ia->unity_banner)
-							  , &attrval, "UNITY_BANNER");
-					}
-					break;
-				default:
-					plog("attempt to send unsupported mode cfg attribute %s."
-						 , enum_show(&modecfg_attr_names, attr_type));
-					break;
-				}
-				close_output_pbs(&attrval);
-			}
-			if (!dont_advance)
-			{
-				attr_type++;
-				attr_set >>= 1;
-			}
+			attr.isaat_af_type = ca->type | ISAKMP_ATTR_AF_TLV;
+			out_struct(&attr, &isakmp_modecfg_attribute_desc, &strattr, &attrval);
+			snprintf(buf, BUF_LEN, "%N", configuration_attribute_type_names, ca->type);
+			out_raw(ca->value.ptr, ca->value.len, &attrval, buf);
 		}
-		close_message(&strattr);
+		close_output_pbs(&attrval);
 	}
-
+	enumerator->destroy(enumerator);
+	close_message(&strattr);
+	
 	modecfg_hash(r_hashval, r_hash_start, rbody->cur, st);
 	close_message(rbody);
 	encrypt_message(rbody, st);
@@ -529,7 +431,7 @@ static stf_status modecfg_build_msg(struct state *st, pb_stream *rbody,
  * Send ModeCfg message
  */
 static stf_status modecfg_send_msg(struct state *st, int isama_type,
-								   internal_addr_t *ia)
+								   linked_list_t *ca_list)
 {
 	pb_stream msg;
 	pb_stream rbody;
@@ -561,12 +463,8 @@ static stf_status modecfg_send_msg(struct state *st, int isama_type,
 		}
 	}
 
-	/* ATTR out */
-	modecfg_build_msg(st, &rbody
-						, isama_type
-						, ia
-						, 0 /* XXX isama_id */
-					 );
+	/* ATTR out with isama_id of 0 */
+	modecfg_build_msg(st, &rbody, isama_type, ca_list, 0);
 
 	free(st->st_tpacket.ptr);
 	st->st_tpacket = chunk_create(msg.start, pbs_offset(&msg));
@@ -586,221 +484,157 @@ static stf_status modecfg_send_msg(struct state *st, int isama_type,
 /**
  * Parse a ModeCfg attribute payload
  */
-static stf_status modecfg_parse_attributes(pb_stream *attrs, internal_addr_t *ia)
+static stf_status modecfg_parse_attributes(pb_stream *attrs, linked_list_t *ca_list)
 {
 	struct isakmp_attribute attr;
 	pb_stream strattr;
-	err_t ugh;
-	char buf[BUF_LEN];
-	int dns_idx = 0;
-	int nbns_idx = 0;
+	u_int16_t attr_type;
+	u_int16_t attr_len;
+	chunk_t attr_chunk;
+	modecfg_attribute_t *ca;
 
 	while (pbs_left(attrs) >= sizeof(struct isakmp_attribute))
 	{
-		u_int16_t attr_type;
-		u_int16_t attr_len;
-
 		if (!in_struct(&attr, &isakmp_modecfg_attribute_desc, attrs, &strattr))
 		{
 			return STF_FAIL;
 		}
 		attr_type = attr.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK;
 		attr_len  = attr.isaat_lv;
+		DBG(DBG_CONTROLMORE,
+			DBG_log("processing %N attribute",
+					configuration_attribute_type_names, attr_type)
+		)
 
 		switch (attr_type)
 		{
-		case INTERNAL_IP4_ADDRESS:
-			if (attr_len == 4)
-			{
-				ugh = initaddr((char *)(strattr.cur), 4, AF_INET, &ia->ipaddr);
-				if (ugh != NULL)
-				{
-					plog("received invalid virtual IPv4 address: %s", ugh);
-				}
-			}
-			ia->attr_set |= LELEM(attr_type);
-			break;
-		case INTERNAL_IP4_DNS:
-			if (attr_len == 4 && dns_idx < DNS_SERVER_MAX)
-			{
-				ugh = initaddr((char *)(strattr.cur), 4, AF_INET, &ia->dns[dns_idx]);
-				if (ugh != NULL)
-				{
-					plog("received invalid IPv4 DNS server address: %s", ugh);
-				}
-				else
-				{
-					addrtot(&ia->dns[dns_idx], 0, buf, BUF_LEN);
-					plog("received IPv4 DNS server address %s", buf);
-					dns_idx++;
-				}
-			}
-			ia->attr_set |= LELEM(attr_type);
-			break;
-		case INTERNAL_IP4_NBNS:
-			if (attr_len == 4 && nbns_idx < NBNS_SERVER_MAX)
-			{
-				ugh = initaddr((char *)(strattr.cur), 4, AF_INET, &ia->nbns[nbns_idx]);
-				if (ugh != NULL)
+			case INTERNAL_IP4_ADDRESS:
+			case INTERNAL_IP4_NETMASK:
+			case INTERNAL_IP4_DNS:
+			case INTERNAL_IP4_NBNS:
+			case INTERNAL_ADDRESS_EXPIRY:
+			case INTERNAL_IP4_DHCP:
+				if (attr_len != 4 && attr_len != 0)
 				{
-					plog("received invalid IPv4 NBNS server address: %s", ugh);
+					goto error;
 				}
-				else
+				break;
+			case INTERNAL_IP4_SUBNET:
+				if (attr_len != 8 && attr_len != 0)
 				{
-					addrtot(&ia->nbns[nbns_idx], 0, buf, BUF_LEN);
-					plog("received IPv4 NBNS server address %s", buf);
-					nbns_idx++;
+					goto error;
 				}
-			}
-			ia->attr_set |= LELEM(attr_type);
-			break;
-		case INTERNAL_IP6_DNS:
-			if (attr_len == 16 && dns_idx < DNS_SERVER_MAX)
-			{
-				ugh = initaddr((char *)(strattr.cur), 16, AF_INET6, &ia->dns[dns_idx]);
-				if (ugh != NULL)
+				break;
+			case INTERNAL_IP6_NETMASK:
+			case INTERNAL_IP6_DNS:
+			case INTERNAL_IP6_NBNS:
+			case INTERNAL_IP6_DHCP:
+				if (attr_len != 16 && attr_len != 0)
 				{
-					plog("received invalid IPv6 DNS server address: %s", ugh);
+					goto error;
 				}
-				else
+				break;
+			case INTERNAL_IP6_ADDRESS:
+				if (attr_len != 17 && attr_len != 16 && attr_len != 0)
 				{
-					addrtot(&ia->dns[dns_idx], 0, buf, BUF_LEN);
-					plog("received IPv6 DNS server address %s", buf);
-					dns_idx++;
+					goto error;
 				}
-			}
-			ia->attr_set |= LELEM(attr_type);
-			break;
-		case INTERNAL_IP6_NBNS:
-			if (attr_len == 16 && nbns_idx < NBNS_SERVER_MAX)
-			{
-				ugh = initaddr((char *)(strattr.cur), 16, AF_INET6, &ia->nbns[nbns_idx]);
-				if (ugh != NULL)
+				break;
+			case INTERNAL_IP6_SUBNET:
+				if (attr_len != 17 && attr_len != 0)
 				{
-					plog("received invalid IPv6 NBNS server address: %s", ugh);
+					goto error;
 				}
-				else
+				break;
+			case SUPPORTED_ATTRIBUTES:
+				if (attr_len % 2)
 				{
-					addrtot(&ia->nbns[nbns_idx], 0, buf, BUF_LEN);
-					plog("received IPv6 NBNS server address %s", buf);
-					nbns_idx++;
+					goto error;
 				}
-			}
-			ia->attr_set |= LELEM(attr_type);
-			break;
-		case INTERNAL_IP4_NETMASK:
-		case INTERNAL_IP4_SUBNET:
-		case INTERNAL_ADDRESS_EXPIRY:
-		case INTERNAL_IP4_DHCP:
-		case INTERNAL_IP6_ADDRESS:
-		case INTERNAL_IP6_NETMASK:
-		case INTERNAL_IP6_DHCP:
-		case SUPPORTED_ATTRIBUTES:
-		case INTERNAL_IP6_SUBNET:
-			ia->attr_set |= LELEM(attr_type);
-			break;
-		case APPLICATION_VERSION:
-			if (attr_len > 0)
-			{
-				DBG(DBG_PARSING,
-					DBG_log("   '%.*s'", attr_len, strattr.cur)
-				)
-			}
-			ia->attr_set |= LELEM(attr_type);
-			break;
-		case XAUTH_TYPE:
-			ia->xauth_type = attr.isaat_lv;
-			ia->xauth_attr_set |= LELEM(attr_type - XAUTH_BASE);
-			break;
-		case XAUTH_USER_NAME:
-			ia->xauth_secret.user_name = chunk_create(strattr.cur, attr_len);
-			ia->xauth_attr_set |= LELEM(attr_type - XAUTH_BASE);
-			break;
-		case XAUTH_USER_PASSWORD:
-			ia->xauth_secret.user_password = chunk_create(strattr.cur, attr_len);
-			ia->xauth_attr_set |= LELEM(attr_type - XAUTH_BASE);
-			break;
-		case XAUTH_STATUS:
-			ia->xauth_status = attr.isaat_lv;
-			ia->xauth_attr_set |= LELEM(attr_type - XAUTH_BASE);
-			break;
-		case XAUTH_MESSAGE:
-			if (attr_len > 0)
-			{
-				DBG(DBG_PARSING,
-					DBG_log("   '%.*s'", attr_len, strattr.cur)
-				)
-			}
-			/* fall through to set attribute flag */
-		case XAUTH_PASSCODE:
-		case XAUTH_CHALLENGE:
-		case XAUTH_DOMAIN:
-		case XAUTH_NEXT_PIN:
-		case XAUTH_ANSWER:
-			ia->xauth_attr_set |= LELEM(attr_type - XAUTH_BASE);
-			break;
-		case UNITY_DDNS_HOSTNAME:
-			if (attr_len > 0)
-			{
-				DBG(DBG_PARSING,
-					DBG_log("   '%.*s'", attr_len, strattr.cur)
-				)
-			}
-			/* fall through to set attribute flag */
-		case UNITY_BANNER:
-		case UNITY_SAVE_PASSWD:
-		case UNITY_DEF_DOMAIN:
-		case UNITY_SPLITDNS_NAME:
-		case UNITY_SPLIT_INCLUDE:
-		case UNITY_NATT_PORT:
-		case UNITY_LOCAL_LAN:
-		case UNITY_PFS:
-		case UNITY_FW_TYPE:
-		case UNITY_BACKUP_SERVERS:
-			ia->unity_attr_set |= LELEM(attr_type - UNITY_BASE);
-			break;
-		default:
-			plog("unsupported ModeCfg attribute %s received."
-				, enum_show(&modecfg_attr_names, attr_type));
-			break;
+				break;
+			case APPLICATION_VERSION:
+				break;
+			/* XAUTH attributes */
+			case XAUTH_TYPE:
+			case XAUTH_STATUS:
+			case XAUTH_USER_NAME:
+			case XAUTH_USER_PASSWORD:
+			case XAUTH_PASSCODE:
+			case XAUTH_MESSAGE:
+			case XAUTH_CHALLENGE:
+			case XAUTH_DOMAIN:
+			case XAUTH_NEXT_PIN:
+			case XAUTH_ANSWER:
+				break;
+			/* Microsoft attributes */
+			case INTERNAL_IP4_SERVER:
+			case INTERNAL_IP6_SERVER:
+				break;
+			/* Cisco Unity attributes */
+			case UNITY_BANNER:
+			case UNITY_SAVE_PASSWD:
+			case UNITY_DEF_DOMAIN:
+			case UNITY_SPLITDNS_NAME:
+			case UNITY_SPLIT_INCLUDE:
+			case UNITY_NATT_PORT:
+			case UNITY_LOCAL_LAN:
+			case UNITY_PFS:
+			case UNITY_FW_TYPE:
+			case UNITY_BACKUP_SERVERS:
+			case UNITY_DDNS_HOSTNAME:
+				break;
+			default:
+				plog("unknown attribute type (%u)", attr_type);
+				continue;
 		}
+
+		/* add attribute */
+		if (attr.isaat_af_type & ISAKMP_ATTR_AF_TV)
+		{
+			ca = modecfg_attribute_create_tv(attr_type, attr_len);
+		}
+		else
+		{
+			attr_chunk = chunk_create(strattr.cur, attr_len);
+			ca = modecfg_attribute_create(attr_type, attr_chunk);
+		}
+		ca_list->insert_last(ca_list, ca);
 	}
 	return STF_OK;
+
+error:
+	plog("%N attribute has invalid size of %u octets",
+		 configuration_attribute_type_names, attr_type, attr_len);
+	return STF_FAIL;
 }
 
 /**
  * Parse a ModeCfg message
  */
 static stf_status modecfg_parse_msg(struct msg_digest *md, int isama_type,
-									u_int16_t *isama_id, internal_addr_t *ia)
+									u_int16_t *isama_id, linked_list_t *ca_list)
 {
+	modecfg_attribute_t *ca;
 	struct state *const st = md->st;
 	struct payload_digest *p;
 	stf_status stat;
 
 	st->st_msgid = md->hdr.isa_msgid;
 
-	CHECK_QUICK_HASH(md, modecfg_hash(hash_val
-									, hash_pbs->roof
-									, md->message_pbs.roof, st)
-					   , "MODECFG-HASH", "ISAKMP_CFG_MSG");
+	CHECK_QUICK_HASH(md, modecfg_hash(hash_val, hash_pbs->roof,
+					 md->message_pbs.roof, st), "MODECFG-HASH", "ISAKMP_CFG_MSG");
 
 	/* process the ModeCfg payloads received */
 	for (p = md->chain[ISAKMP_NEXT_ATTR]; p != NULL; p = p->next)
 	{
-		internal_addr_t ia_candidate;
-
-		init_internal_addr(&ia_candidate);
-
 		if (p->payload.attribute.isama_type == isama_type)
 		{
 			*isama_id = p->payload.attribute.isama_identifier;
 
-			stat = modecfg_parse_attributes(&p->pbs, &ia_candidate);
+			stat = modecfg_parse_attributes(&p->pbs, ca_list);
 			if (stat == STF_OK)
 			{
 				/* return with a valid set of attributes */
-				*ia = ia_candidate;
 				return STF_OK;
 			}
 		}
@@ -810,34 +644,61 @@ static stf_status modecfg_parse_msg(struct msg_digest *md, int isama_type,
 				, enum_name(&attr_msg_type_names, isama_type)
 				, enum_name(&attr_msg_type_names, p->payload.attribute.isama_type));
 
-			stat = modecfg_parse_attributes(&p->pbs, &ia_candidate);
+			stat = modecfg_parse_attributes(&p->pbs, ca_list);
 		}
+
+		/* abort if a parsing error occurred */
 		if (stat != STF_OK)
 		{
+			ca_list->destroy_function(ca_list, (void*)modecfg_attribute_destroy);
 			return stat;
 		}
+			
+		/* discard the parsed attributes and look for another payload */
+		while (ca_list->remove_last(ca_list, (void **)&ca) == SUCCESS) {}
 	}
 	return STF_IGNORE;
 }
 
 /**
- * Send ModeCfg request message from client to server in pull mode
+ * Used in ModeCfg pull mode on the client (initiator)
+ *   called in demux.c
+ *   client -> CFG_REQUEST
+ *   STF_OK transitions to STATE_MODE_CFG_I1
  */
 stf_status modecfg_send_request(struct state *st)
 {
 	connection_t *c = st->st_connection;
 	stf_status stat;
-	internal_addr_t ia;
-
-	init_internal_addr(&ia);
-
-	ia.attr_set = LELEM(INTERNAL_IP4_ADDRESS)
-				| LELEM(INTERNAL_IP4_NETMASK);
-	ia.ipaddr = c->spd.this.host_srcip;
+	modecfg_attribute_t *ca; 
+	enumerator_t *enumerator;
+	int family;
+	chunk_t value;
+	host_t *vip;
+	linked_list_t *ca_list = linked_list_create();
+
+	vip = c->spd.this.host_srcip;
+	value = vip->is_anyaddr(vip) ? chunk_empty : vip->get_address(vip);
+	family = vip->get_family(vip);
+	ca = modecfg_attribute_create((family == AF_INET) ?
+								   INTERNAL_IP4_ADDRESS : INTERNAL_IP6_ADDRESS,
+								   value);
+	ca_list->insert_last(ca_list, ca);
+
+	register_attribute_handlers(c);	
+	enumerator = c->requested->create_enumerator(c->requested);
+	while (enumerator->enumerate(enumerator, &ca))
+	{
+		ca = modecfg_attribute_create(ca->type, chunk_empty);
+		ca_list->insert_last(ca_list, ca);
+	}
+	enumerator->destroy(enumerator);
 
 	plog("sending ModeCfg request");
+
 	st->st_state = STATE_MODE_CFG_I1;
-	stat = modecfg_send_msg(st, ISAKMP_CFG_REQUEST, &ia);
+	stat = modecfg_send_msg(st, ISAKMP_CFG_REQUEST, ca_list);
+	ca_list->destroy_function(ca_list, (void *)modecfg_attribute_destroy);
 	if (stat == STF_OK)
 	{
 		st->st_modecfg.started = TRUE;
@@ -845,53 +706,37 @@ stf_status modecfg_send_request(struct state *st)
 	return stat;
 }
 
-/* STATE_MODE_CFG_R0:
- * HDR*, HASH, ATTR(REQ=IP) --> HDR*, HASH, ATTR(REPLY=IP)
- *
- * used in ModeCfg pull mode, on the server (responder)
+/**
+ * Used in ModeCfg pull mode on the server (responder)
+ *   called in demux.c from STATE_MODE_CFG_R0
+ *   server <- CFG_REQUEST
+ *   server -> CFG_REPLY
+ *   STF_OK transitions to  STATE_MODE_CFG_R0
  */
 stf_status modecfg_inR0(struct msg_digest *md)
 {
 	struct state *const st = md->st;
 	u_int16_t isama_id;
-	internal_addr_t ia;
-	bool want_unity_banner;
 	stf_status stat, stat_build;
-	host_t *requested_vip;
+	linked_list_t *ca_list = linked_list_create();
 
-	stat = modecfg_parse_msg(md, ISAKMP_CFG_REQUEST, &isama_id, &ia);
+	plog("parsing ModeCfg request");
+
+	stat = modecfg_parse_msg(md, ISAKMP_CFG_REQUEST, &isama_id, ca_list);
 	if (stat != STF_OK)
 	{
 		return stat;
 	}
 
-	if (ia.attr_set & LELEM(INTERNAL_IP4_ADDRESS))
-	{
-		requested_vip = host_create_from_sockaddr((sockaddr_t*)&ia.ipaddr);
-	}
-	else
-	{
-		requested_vip = host_create_any(AF_INET);
-	}
-	plog("peer requested virtual IP %H", requested_vip);
-
-	want_unity_banner = (ia.unity_attr_set & LELEM(UNITY_BANNER - UNITY_BASE)) != LEMPTY;
-	init_internal_addr(&ia);
-	get_internal_addr(st->st_connection, requested_vip, &ia);
-	requested_vip->destroy(requested_vip);
-
-	if (want_unity_banner)
-	{
-		ia.unity_banner = UNITY_BANNER_STR;
-		ia.unity_attr_set |= LELEM(UNITY_BANNER - UNITY_BASE);
-	}
+	/* build the CFG_REPLY */
+	get_attributes(st->st_connection, ca_list);
 
 	plog("sending ModeCfg reply");
 
-	stat_build = modecfg_build_msg(st, &md->rbody
-									 , ISAKMP_CFG_REPLY
-									 , &ia
-									 , isama_id);
+	stat_build = modecfg_build_msg(st, &md->rbody, ISAKMP_CFG_REPLY,
+								   ca_list, isama_id);
+	ca_list->destroy_function(ca_list, (void *)modecfg_attribute_destroy);
+
 	if (stat_build != STF_OK)
 	{
 		return stat_build;
@@ -900,53 +745,50 @@ stf_status modecfg_inR0(struct msg_digest *md)
 	return STF_OK;
 }
 
-/* STATE_MODE_CFG_I1:
- * HDR*, HASH, ATTR(REPLY=IP)
- *
- * used in ModeCfg pull mode, on the client (initiator)
+/**
+ * Used in ModeCfg pull mode on the client (initiator)
+ *   called in demux.c from STATE_MODE_CFG_I1
+ *   client <- CFG_REPLY
+ *   STF_OK transitions to  STATE_MODE_CFG_I2
  */
 stf_status modecfg_inI1(struct msg_digest *md)
 {
 	struct state *const st = md->st;
 	u_int16_t isama_id;
-	internal_addr_t ia;
 	stf_status stat;
+	linked_list_t *ca_list = linked_list_create();
 
 	plog("parsing ModeCfg reply");
 
-	stat = modecfg_parse_msg(md, ISAKMP_CFG_REPLY, &isama_id, &ia);
+	stat = modecfg_parse_msg(md, ISAKMP_CFG_REPLY, &isama_id, ca_list);
 	if (stat != STF_OK)
 	{
 		return stat;
 	}
-	st->st_modecfg.vars_set = set_internal_addr(st->st_connection, &ia);
+	st->st_modecfg.vars_set = set_attributes(st->st_connection, ca_list);
 	st->st_msgid = 0;
+	ca_list->destroy_function(ca_list, (void *)modecfg_attribute_destroy);
 	return STF_OK;
 }
 
-
 /**
- * Send ModeCfg set message from server to client in push mode
+ * Used in ModeCfg push mode on the server (responder)
+ *   called in demux.c
+ *   server -> CFG_SET
+ *   STF_OK transitions to STATE_MODE_CFG_R3
  */
 stf_status modecfg_send_set(struct state *st)
 {
 	stf_status stat;
-	internal_addr_t ia;
-	host_t *vip;
+	linked_list_t *ca_list = linked_list_create();
 
-	init_internal_addr(&ia);
-	vip = host_create_any(AF_INET);
-	get_internal_addr(st->st_connection, vip, &ia);
-	vip->destroy(vip);
 
-#ifdef CISCO_QUIRKS
-	ia.unity_banner = UNITY_BANNER_STR;
-	ia.unity_attr_set |= LELEM(UNITY_BANNER - UNITY_BASE);
-#endif
+	plog("sending ModeCfg set");
 
-   plog("sending ModeCfg set");
+	get_attributes(st->st_connection, ca_list);
 	st->st_state = STATE_MODE_CFG_R3;
-	stat = modecfg_send_msg(st, ISAKMP_CFG_SET, &ia);
+	stat = modecfg_send_msg(st, ISAKMP_CFG_SET, ca_list);
+	ca_list->destroy_function(ca_list, (void *)modecfg_attribute_destroy);
 	if (stat == STF_OK)
 	{
 		st->st_modecfg.started = TRUE;
@@ -954,41 +796,64 @@ stf_status modecfg_send_set(struct state *st)
 	return stat;
 }
 
-/* STATE_MODE_CFG_I0:
- *  HDR*, HASH, ATTR(SET=IP) --> HDR*, HASH, ATTR(ACK,OK)
- *
- * used in ModeCfg push mode, on the client (initiator).
+/**
+ * Used in ModeCfg push mode on the client (initiator)
+ *   called in demux.c from STATE_MODE_CFG_I0
+ *   client <- CFG_SET
+ *   client -> CFG_ACK 
+ *   STF_OK transitions to  STATE_MODE_CFG_I3
  */
 stf_status modecfg_inI0(struct msg_digest *md)
 {
 	struct state *const st = md->st;
 	u_int16_t isama_id;
-	internal_addr_t ia;
-	lset_t attr_set, unity_attr_set;
 	stf_status stat, stat_build;
+	modecfg_attribute_t *ca;
+	linked_list_t *ca_list, *ca_ack_list;
 
 	plog("parsing ModeCfg set");
 
-	stat = modecfg_parse_msg(md, ISAKMP_CFG_SET, &isama_id, &ia);
+	ca_list = linked_list_create();
+	stat = modecfg_parse_msg(md, ISAKMP_CFG_SET, &isama_id, ca_list);
 	if (stat != STF_OK)
 	{
 		return stat;
 	}
-	st->st_modecfg.vars_set = set_internal_addr(st->st_connection, &ia);
+	register_attribute_handlers(st->st_connection);
+	st->st_modecfg.vars_set = set_attributes(st->st_connection, ca_list);
 
 	/* prepare ModeCfg ack which sends zero length attributes */
-	attr_set = ia.attr_set;
-	unity_attr_set = ia.unity_attr_set;
-	init_internal_addr(&ia);
-	ia.attr_set = attr_set & SUPPORTED_ATTR_SET;
-	ia.unity_attr_set = unity_attr_set & SUPPORTED_UNITY_ATTR_SET;
+	ca_ack_list = linked_list_create();
+	while (ca_list->remove_last(ca_list, (void **)&ca) == SUCCESS)
+	{
+		switch (ca->type)
+		{
+			case INTERNAL_IP4_ADDRESS:
+			case INTERNAL_IP4_DNS:
+			case INTERNAL_IP4_NBNS:
+			case APPLICATION_VERSION:
+			case INTERNAL_IP6_ADDRESS:
+			case INTERNAL_IP6_DNS:
+			case INTERNAL_IP6_NBNS:
+#ifdef CISCO_QUIRKS
+			case UNITY_BANNER:
+#endif
+				/* supported attributes */
+				ca->value.len = 0;
+				ca_ack_list->insert_last(ca_ack_list, ca);
+				break;
+			default:
+				/* unsupportd attributes */
+				modecfg_attribute_destroy(ca);
+		}
+	}
+	ca_list->destroy(ca_list);
 
 	plog("sending ModeCfg ack");
 
-	stat_build = modecfg_build_msg(st, &md->rbody
-									 , ISAKMP_CFG_ACK
-									 , &ia
-									 , isama_id);
+	stat_build = modecfg_build_msg(st, &md->rbody, ISAKMP_CFG_ACK,
+								   ca_ack_list, isama_id);
+	ca_ack_list->destroy_function(ca_ack_list, (void *)modecfg_attribute_destroy);
 	if (stat_build != STF_OK)
 	{
 		return stat_build;
@@ -997,21 +862,23 @@ stf_status modecfg_inI0(struct msg_digest *md)
 	return STF_OK;
 }
 
-/* STATE_MODE_CFG_R3:
- * HDR*, HASH, ATTR(ACK,OK)
- *
- * used in ModeCfg push mode, on the server (responder)
+/**
+ * Used in ModeCfg push mode on the server (responder)
+ *   called in demux.c from STATE_MODE_CFG_R3
+ *   server <- CFG_ACK 
+ *   STF_OK transitions to  STATE_MODE_CFG_R4
  */
 stf_status modecfg_inR3(struct msg_digest *md)
 {
 	struct state *const st = md->st;
 	u_int16_t isama_id;
-	internal_addr_t ia;
 	stf_status stat;
+	linked_list_t *ca_list = linked_list_create();
 
 	plog("parsing ModeCfg ack");
 
-	stat = modecfg_parse_msg(md, ISAKMP_CFG_ACK, &isama_id, &ia);
+	stat = modecfg_parse_msg(md, ISAKMP_CFG_ACK, &isama_id, ca_list);
+	ca_list->destroy_function(ca_list, (void *)modecfg_attribute_destroy);
 	if (stat != STF_OK)
 	{
 		return stat;
@@ -1021,20 +888,26 @@ stf_status modecfg_inR3(struct msg_digest *md)
 }
 
 /**
- * Send XAUTH credentials request (username + password)
+ * Used on the XAUTH server (responder)
+ *   called in demux.c
+ *   server -> CFG_REQUEST
+ *   STF_OK transitions to STATE_XAUTH_R1
  */
 stf_status xauth_send_request(struct state *st)
 {
 	stf_status stat;
-	internal_addr_t ia;
+	modecfg_attribute_t *ca;
+	linked_list_t *ca_list = linked_list_create();
 
-	init_internal_addr(&ia);
-	ia.xauth_attr_set = LELEM(XAUTH_USER_NAME     - XAUTH_BASE)
-					  | LELEM(XAUTH_USER_PASSWORD - XAUTH_BASE);
+	ca = modecfg_attribute_create(XAUTH_USER_NAME, chunk_empty);
+	ca_list->insert_last(ca_list, ca);
+	ca = modecfg_attribute_create(XAUTH_USER_PASSWORD, chunk_empty);
+	ca_list->insert_last(ca_list, ca);
 
 	plog("sending XAUTH request");
 	st->st_state = STATE_XAUTH_R1;
-	stat = modecfg_send_msg(st, ISAKMP_CFG_REQUEST, &ia);
+	stat = modecfg_send_msg(st, ISAKMP_CFG_REQUEST, ca_list);
+	ca_list->destroy_function(ca_list, (void *)modecfg_attribute_destroy);
 	if (stat == STF_OK)
 	{
 		st->st_xauth.started = TRUE;
@@ -1042,53 +915,87 @@ stf_status xauth_send_request(struct state *st)
 	return stat;
 }
 
-/* STATE_XAUTH_I0:
- * HDR*, HASH, ATTR(REQ) --> HDR*, HASH, ATTR(REPLY=USERNAME/PASSWORD)
- *
- * used on the XAUTH client (initiator)
+/**
+ * Used on the XAUTH client (initiator)
+ *   called in demux.c from STATE_XAUTH_I0
+ *   client <- CFG_REQUEST
+ *   client -> CFG_REPLY
+ *   STF_OK transitions to  STATE_XAUTH_I1
  */
 stf_status xauth_inI0(struct msg_digest *md)
 {
 	struct state *const st = md->st;
+	connection_t *c = st->st_connection;
 	u_int16_t isama_id;
-	internal_addr_t ia;
 	stf_status stat, stat_build;
-	bool xauth_type_present;
+	modecfg_attribute_t *ca;
+	bool xauth_user_name_present = FALSE;
+	bool xauth_user_password_present = FALSE;
+	bool xauth_type_present = FALSE;
+	chunk_t xauth_user_name, xauth_user_password;
+	identification_t *user_id;
+	linked_list_t *ca_list = linked_list_create();
 
 	plog("parsing XAUTH request");
 
-	stat = modecfg_parse_msg(md, ISAKMP_CFG_REQUEST, &isama_id, &ia);
+	stat = modecfg_parse_msg(md, ISAKMP_CFG_REQUEST, &isama_id, ca_list);
 	if (stat != STF_OK)
 	{
 		return stat;
 	}
 
-	/* check XAUTH attributes */
-	xauth_type_present = (ia.xauth_attr_set & LELEM(XAUTH_TYPE - XAUTH_BASE)) != LEMPTY;
-
-	if (xauth_type_present && ia.xauth_type != XAUTH_TYPE_GENERIC)
+	while (ca_list->remove_last(ca_list, (void **)&ca) == SUCCESS)
 	{
-		plog("xauth type %s is not supported", enum_name(&xauth_type_names, ia.xauth_type));
-		stat = STF_FAIL;
+		switch (ca->type)
+		{
+			case XAUTH_TYPE:
+				if (ca->value.len != XAUTH_TYPE_GENERIC)
+				{
+					plog("xauth type %s is not supported",
+						  enum_name(&xauth_type_names, ca->value.len));
+					stat = STF_FAIL;
+				}
+				else
+				{
+					xauth_type_present = TRUE;
+				}
+				break;
+			case XAUTH_USER_NAME:
+				xauth_user_name_present = TRUE;
+				break;
+			case XAUTH_USER_PASSWORD:
+				xauth_user_password_present = TRUE;
+				break;
+			case XAUTH_MESSAGE:
+				if (ca->value.len)
+				{
+					DBG(DBG_PARSING | DBG_CONTROLMORE,
+						DBG_log("   '%.*s'", ca->value.len, ca->value.ptr)
+					)
+				}
+				break;
+			default:
+				break;
+		}
+		modecfg_attribute_destroy(ca);
 	}
-	else if ((ia.xauth_attr_set & LELEM(XAUTH_USER_NAME - XAUTH_BASE)) == LEMPTY)
+
+	if (!xauth_user_name_present)
 	{
 		plog("user name attribute is missing in XAUTH request");
 		stat = STF_FAIL;
 	}
-	else if ((ia.xauth_attr_set & LELEM(XAUTH_USER_PASSWORD - XAUTH_BASE)) == LEMPTY)
+	if (!xauth_user_password_present)
 	{
 		plog("user password attribute is missing in XAUTH request");
 		stat = STF_FAIL;
 	}
 
 	/* prepare XAUTH reply */
-	init_internal_addr(&ia);
-
 	if (stat == STF_OK)
 	{
 		/* get user credentials using a plugin function */
-		if (!xauth_module.get_secret(&ia.xauth_secret))
+		if (!pluto->xauth->get_secret(pluto->xauth, c, &xauth_user_password))
 		{
 			plog("xauth user credentials not found");
 			stat = STF_FAIL;
@@ -1096,35 +1003,42 @@ stf_status xauth_inI0(struct msg_digest *md)
 	}
 	if (stat == STF_OK)
 	{
+		/* insert xauth type if present */
+		if (xauth_type_present)
+		{
+			ca = modecfg_attribute_create_tv(XAUTH_TYPE, XAUTH_TYPE_GENERIC);
+			ca_list->insert_last(ca_list, ca);
+		}
+
+		/* insert xauth user name */
+		user_id = (c->xauth_identity) ? c->xauth_identity : c->spd.this.id;
+		xauth_user_name = user_id->get_encoding(user_id);
 		DBG(DBG_CONTROL,
-			DBG_log("my xauth user name is '%.*s'"
-				   , ia.xauth_secret.user_name.len
-				   , ia.xauth_secret.user_name.ptr)
+			DBG_log("my xauth user name is '%.*s'", xauth_user_name.len,
+													xauth_user_name.ptr)
 		)
+		ca = modecfg_attribute_create(XAUTH_USER_NAME, xauth_user_name);
+		ca_list->insert_last(ca_list, ca);
+
+		/* insert xauth user password */
 		DBG(DBG_PRIVATE,
-			DBG_log("my xauth user password is '%.*s'"
-				   , ia.xauth_secret.user_password.len
-				   , ia.xauth_secret.user_password.ptr)
+			DBG_log("my xauth user password is '%.*s'",	xauth_user_password.len,
+														xauth_user_password.ptr)
 		)
-		ia.xauth_attr_set = LELEM(XAUTH_USER_NAME     - XAUTH_BASE)
-						  | LELEM(XAUTH_USER_PASSWORD - XAUTH_BASE);
-		if (xauth_type_present)
-		{
-			ia.xauth_attr_set |= LELEM(XAUTH_TYPE - XAUTH_BASE);
-		}
+		ca = modecfg_attribute_create(XAUTH_USER_PASSWORD, xauth_user_password);
+		ca_list->insert_last(ca_list, ca);
+		chunk_clear(&xauth_user_password);
 	}
 	else
 	{
-		ia.xauth_attr_set = LELEM(XAUTH_STATUS - XAUTH_BASE);
-		ia.xauth_status = XAUTH_STATUS_FAIL;
+		ca = modecfg_attribute_create_tv(XAUTH_STATUS, XAUTH_STATUS_FAIL);
+		ca_list->insert_last(ca_list, ca);
 	}
 
 	plog("sending XAUTH reply");
-
-	stat_build = modecfg_build_msg(st, &md->rbody
-									 , ISAKMP_CFG_REPLY
-									 , &ia
-									 , isama_id);
+	stat_build = modecfg_build_msg(st, &md->rbody, ISAKMP_CFG_REPLY,
+								   ca_list, isama_id);
+	ca_list->destroy_function(ca_list, (void *)modecfg_attribute_destroy);
 	if (stat_build != STF_OK)
 	{
 		return stat_build;
@@ -1147,79 +1061,105 @@ stf_status xauth_inI0(struct msg_digest *md)
 	}
 }
 
-/* STATE_XAUTH_R1:
- *  HDR*, HASH, ATTR(REPLY=USERNAME/PASSWORD) --> HDR*, HASH, ATTR(STATUS)
- *
- *  used on the XAUTH server (responder)
+/**
+ *  Used on the XAUTH server (responder)
+ *    called in demux.c from STATE_XAUTH_R1
+      server <- CFG_REPLY
+      server -> CFG_SET
+      STF_OK transitions to  STATE_XAUTH_R2
  */
 stf_status xauth_inR1(struct msg_digest *md)
 {
 	struct state *const st = md->st;
+	connection_t *c = st->st_connection;
 	u_int16_t isama_id;
-	internal_addr_t ia;
 	stf_status stat, stat_build;
+	chunk_t xauth_user_name, xauth_user_password;
+	int xauth_status = XAUTH_STATUS_OK;
+	modecfg_attribute_t *ca;
+	linked_list_t *ca_list = linked_list_create();
 
 	plog("parsing XAUTH reply");
 
-	stat = modecfg_parse_msg(md, ISAKMP_CFG_REPLY, &isama_id, &ia);
+	stat = modecfg_parse_msg(md, ISAKMP_CFG_REPLY, &isama_id, ca_list);
 	if (stat != STF_OK)
 	{
 		return stat;
 	}
 
+	/* initialize xauth_secret */
+	xauth_user_name = chunk_empty;
+	xauth_user_password = chunk_empty;
+
+	while (ca_list->remove_last(ca_list, (void **)&ca) == SUCCESS)
+	{
+		switch (ca->type)
+		{
+			case XAUTH_STATUS:
+				xauth_status = ca->value.len;
+				break;
+			case XAUTH_USER_NAME:
+				xauth_user_name = chunk_clone(ca->value);
+				break;
+			case XAUTH_USER_PASSWORD:
+				xauth_user_password = chunk_clone(ca->value);
+				break;
+			default:
+				break;
+		}
+		modecfg_attribute_destroy(ca);
+	}
 	/* did the client return an XAUTH FAIL status? */
-	if ((ia.xauth_attr_set & LELEM(XAUTH_STATUS - XAUTH_BASE)) != LEMPTY)
+	if (xauth_status == XAUTH_STATUS_FAIL)
 	{
 		plog("received FAIL status in XAUTH reply");
 
 		/* client is not able to do XAUTH, delete ISAKMP SA */
+		free(xauth_user_name.ptr);
+		free(xauth_user_password.ptr);
 		delete_state(st);
+		ca_list->destroy(ca_list);
 		return STF_IGNORE;
 	}
 
 	/* check XAUTH reply */
-	if ((ia.xauth_attr_set & LELEM(XAUTH_USER_NAME - XAUTH_BASE)) == LEMPTY)
+	if (xauth_user_name.ptr == NULL)
 	{
 		plog("user name attribute is missing in XAUTH reply");
 		st->st_xauth.status = FALSE;
 	}
-	else if ((ia.xauth_attr_set & LELEM(XAUTH_USER_PASSWORD - XAUTH_BASE)) == LEMPTY)
+	else if (xauth_user_password.ptr == NULL)
 	{
 		plog("user password attribute is missing in XAUTH reply");
 		st->st_xauth.status = FALSE;
 	}
 	else
 	{
-		xauth_peer_t peer;
-
-		peer.conn_name = st->st_connection->name;
-		addrtot(&md->sender, 0, peer.ip_address, sizeof(peer.ip_address));
-		snprintf(peer.id, sizeof(peer.id), "%Y",
-				 md->st->st_connection->spd.that.id);
-
 		DBG(DBG_CONTROL,
-			DBG_log("peer xauth user name is '%.*s'"
-				   , ia.xauth_secret.user_name.len
-				   , ia.xauth_secret.user_name.ptr)
+			DBG_log("peer xauth user name is '%.*s'", xauth_user_name.len,
+													  xauth_user_name.ptr)
 		)
+		DESTROY_IF(c->xauth_identity);
+		c->xauth_identity = identification_create_from_data(xauth_user_name);		
+
 		DBG(DBG_PRIVATE,
-			DBG_log("peer xauth user password is '%.*s'"
-				   , ia.xauth_secret.user_password.len
-				   , ia.xauth_secret.user_password.ptr)
+			DBG_log("peer xauth user password is '%.*s'", xauth_user_password.len,
+														  xauth_user_password.ptr)
 		)
 		/* verify the user credentials using a plugin function */
-		st->st_xauth.status = xauth_module.verify_secret(&peer, &ia.xauth_secret);
+		st->st_xauth.status = pluto->xauth->verify_secret(pluto->xauth, c,
+														  xauth_user_password);
 		plog("extended authentication %s", st->st_xauth.status? "was successful":"failed");
 	}
-
-	/* prepare XAUTH set which sends the authentication status */
-	init_internal_addr(&ia);
-	ia.xauth_attr_set = LELEM(XAUTH_STATUS - XAUTH_BASE);
-	ia.xauth_status = (st->st_xauth.status)? XAUTH_STATUS_OK : XAUTH_STATUS_FAIL;
-
-	plog("sending XAUTH status:");
-
-	stat_build = modecfg_send_msg(st, ISAKMP_CFG_SET, &ia);
+	chunk_clear(&xauth_user_name);
+	chunk_clear(&xauth_user_password);
+
+	plog("sending XAUTH status");
+	xauth_status = (st->st_xauth.status) ? XAUTH_STATUS_OK : XAUTH_STATUS_FAIL;
+	ca = modecfg_attribute_create_tv(XAUTH_STATUS, xauth_status);
+	ca_list->insert_last(ca_list, ca);
+	stat_build = modecfg_send_msg(st, ISAKMP_CFG_SET, ca_list);
+	ca_list->destroy_function(ca_list, (void *)modecfg_attribute_destroy);
 	if (stat_build != STF_OK)
 	{
 		return stat_build;
@@ -1227,20 +1167,23 @@ stf_status xauth_inR1(struct msg_digest *md)
 	return STF_OK;
 }
 
-/* STATE_XAUTH_I1:
- * HDR*, HASH, ATTR(STATUS) --> HDR*, HASH, ATTR(ACK)
- *
- * used on the XAUTH client (initiator)
+/**
+ * Used on the XAUTH client (initiator)
+ *   called in demux.c from STATE_XAUTH_I1
+ *   client <- CFG_SET
+ *   client -> CFG_ACK
+ *   STF_OK transitions to  STATE_XAUTH_I2
  */
 stf_status xauth_inI1(struct msg_digest *md)
 {
 	struct state *const st = md->st;
 	u_int16_t isama_id;
-	internal_addr_t ia;
 	stf_status stat, stat_build;
+	modecfg_attribute_t *ca;
+	linked_list_t *ca_list = linked_list_create();
 
 	plog("parsing XAUTH status");
-	stat = modecfg_parse_msg(md, ISAKMP_CFG_SET, &isama_id, &ia);
+	stat = modecfg_parse_msg(md, ISAKMP_CFG_SET, &isama_id, ca_list);
 	if (stat != STF_OK)
 	{
 		/* notification payload - not exactly the right choice, but okay */
@@ -1248,15 +1191,21 @@ stf_status xauth_inI1(struct msg_digest *md)
 		return stat;
 	}
 
-	st->st_xauth.status = ia.xauth_status;
+	st->st_xauth.status = FALSE;
+	while (ca_list->remove_last(ca_list, (void **)&ca) == SUCCESS)
+	{
+		if (ca->type == XAUTH_STATUS)
+		{
+			st->st_xauth.status = (ca->value.len == XAUTH_STATUS_OK);
+		}
+		modecfg_attribute_destroy(ca);
+	}
 	plog("extended authentication %s", st->st_xauth.status? "was successful":"failed");
 
 	plog("sending XAUTH ack");
-	init_internal_addr(&ia);
-	stat_build = modecfg_build_msg(st, &md->rbody
-									 , ISAKMP_CFG_ACK
-									 , &ia
-									 , isama_id);
+	stat_build = modecfg_build_msg(st, &md->rbody, ISAKMP_CFG_ACK, ca_list, isama_id);
+	ca_list->destroy(ca_list);
+
 	if (stat_build != STF_OK)
 	{
 		return stat_build;
@@ -1278,25 +1227,27 @@ stf_status xauth_inI1(struct msg_digest *md)
 	}
 }
 
-/* STATE_XAUTH_R2:
- * HDR*, ATTR(STATUS), HASH --> Done
- *
- * used on the XAUTH server (responder)
+/**
+ * Used on the XAUTH server (responder)
+ *   called in demux.c from STATE_XAUTH_R2
+ *   server <- CFG_ACK
+ *   STF_OK transitions to  STATE_XAUTH_R3
  */
 stf_status xauth_inR2(struct msg_digest *md)
 {
 	struct state *const st = md->st;
 	u_int16_t isama_id;
-	internal_addr_t ia;
 	stf_status stat;
+	linked_list_t *ca_list = linked_list_create();
 
 	plog("parsing XAUTH ack");
 
-	stat = modecfg_parse_msg(md, ISAKMP_CFG_ACK, &isama_id, &ia);
+	stat = modecfg_parse_msg(md, ISAKMP_CFG_ACK, &isama_id, ca_list);
 	if (stat != STF_OK)
 	{
 		return stat;
 	}
+	ca_list->destroy_function(ca_list, (void *)modecfg_attribute_destroy);
 	st->st_msgid = 0;
 	if (st->st_xauth.status)
 	{
@@ -1307,4 +1258,5 @@ stf_status xauth_inR2(struct msg_digest *md)
 		delete_state(st);
 		return STF_IGNORE;
 	}
+
 }
diff --git a/src/pluto/modecfg.h b/src/pluto/modecfg.h
index bc1443012..7adf18682 100644
--- a/src/pluto/modecfg.h
+++ b/src/pluto/modecfg.h
@@ -16,8 +16,41 @@
 #ifndef _MODECFG_H
 #define _MODECFG_H
 
-struct state;
-struct msg_digest;
+#include <chunk.h>
+#include <attributes/attribute_handler.h>
+
+#include "state.h"
+#include "demux.h"
+
+typedef struct modecfg_attribute_t modecfg_attribute_t;
+
+/**
+ * Defines a modecfg_attribute_t object.
+ */
+struct modecfg_attribute_t {
+	/**
+	 * Type of the attribute.
+	 */
+	u_int16_t type;
+
+	/**
+	 * Attribute is coded as TV
+	 */
+	bool is_tv;
+
+	/**
+	 * Attribute value as chunk.
+	 */
+	chunk_t value;
+
+	/**
+	 * Attribute handler.
+	 */
+	attribute_handler_t *handler;
+};
+
+/* Destroys a modecfg_attribute_t object */
+extern void modecfg_attribute_destroy(modecfg_attribute_t *this);
 
 /* ModeConfig pull mode start function */
 extern stf_status modecfg_send_request(struct state *st);
diff --git a/src/pluto/ocsp.c b/src/pluto/ocsp.c
index b1f558ebf..8a351be6d 100644
--- a/src/pluto/ocsp.c
+++ b/src/pluto/ocsp.c
@@ -621,7 +621,7 @@ void list_ocsp_locations(ocsp_location_t *location, bool requests,
 				}
 				else
 				{
-					whack_log(RC_COMMENT, "  serial:    %#B, %s, until %T %s", 
+					whack_log(RC_COMMENT, "  serial:    %#B, %s, until %T %s",
 						&certinfo->serialNumber,
 						cert_status_names[certinfo->status],
  						&certinfo->nextUpdate, utc,
@@ -767,7 +767,7 @@ static chunk_t sc_build_sha1_signature(chunk_t tbs, smartcard_t *sc)
  */
 static chunk_t build_signature(chunk_t tbsRequest)
 {
-	chunk_t sigdata, cert, certs;
+	chunk_t sigdata, cert, certs = chunk_empty;
 
 	if (ocsp_requestor_sc)
 	{
@@ -786,10 +786,12 @@ static chunk_t build_signature(chunk_t tbsRequest)
 	}
 
 	/* include our certificate */
-	cert = ocsp_requestor_cert->cert->get_encoding(ocsp_requestor_cert->cert);
-	certs = asn1_wrap(ASN1_CONTEXT_C_0, "m",
-				asn1_wrap(ASN1_SEQUENCE, "m", cert));
-
+	if (ocsp_requestor_cert->cert->get_encoding(ocsp_requestor_cert->cert,
+												CERT_ASN1_DER, &cert))
+	{
+		certs = asn1_wrap(ASN1_CONTEXT_C_0, "m",
+					asn1_wrap(ASN1_SEQUENCE, "m", cert));
+	}
 	/* build signature comprising algorithm, signature and cert */
 	return asn1_wrap(ASN1_CONTEXT_C_0, "m"
 				, asn1_wrap(ASN1_SEQUENCE, "mmm"
@@ -1013,7 +1015,7 @@ static bool valid_ocsp_response(response_t *res)
 		{
 			plog("certificate is invalid (valid from %T to %T)",
 				 &not_before, FALSE, &not_after, FALSE);
-			
+
 			unlock_authcert_list("valid_ocsp_response");
 			return FALSE;
 		}
@@ -1154,7 +1156,7 @@ static bool parse_basic_ocsp_response(chunk_t blob, int level0, response_t *res)
 					break;
 				}
 				x509 = (x509_t*)cert->cert;
-				
+
 				if ((x509->get_flags(x509) & X509_OCSP_SIGNER) &&
 					trust_authcert_candidate(cert, NULL))
 				{
diff --git a/src/pluto/pkcs7.c b/src/pluto/pkcs7.c
index b24ef1a8c..c0fd041a7 100644
--- a/src/pluto/pkcs7.c
+++ b/src/pluto/pkcs7.c
@@ -591,7 +591,7 @@ chunk_t pkcs7_build_signedData(chunk_t data, chunk_t attributes,
 	contentInfo_t pkcs7Data, signedData;
 	chunk_t authenticatedAttributes = chunk_empty;
 	chunk_t encryptedDigest = chunk_empty;
-	chunk_t signerInfo, cInfo, signature;
+	chunk_t signerInfo, cInfo, signature, encoding = chunk_empty;;
 	signature_scheme_t scheme = signature_scheme_from_oid(digest_alg);
 
 	if (attributes.ptr)
@@ -622,12 +622,13 @@ chunk_t pkcs7_build_signedData(chunk_t data, chunk_t attributes,
 	pkcs7Data.content = (data.ptr == NULL)? chunk_empty
 				: asn1_simple_object(ASN1_OCTET_STRING, data);
 
+	cert->get_encoding(cert, CERT_ASN1_DER, &encoding);
 	signedData.type = OID_PKCS7_SIGNED_DATA;
 	signedData.content = asn1_wrap(ASN1_SEQUENCE, "cmmmm"
 				, ASN1_INTEGER_1
 				, asn1_wrap(ASN1_SET, "m", asn1_algorithmIdentifier(digest_alg))
 				, pkcs7_build_contentInfo(&pkcs7Data)
-				, asn1_wrap(ASN1_CONTEXT_C_0, "m", cert->get_encoding(cert))
+				, asn1_wrap(ASN1_CONTEXT_C_0, "m", encoding)
 				, asn1_wrap(ASN1_SET, "m", signerInfo));
 
 	cInfo = pkcs7_build_contentInfo(&signedData);
diff --git a/src/pluto/plugins/xauth/Makefile.am b/src/pluto/plugins/xauth/Makefile.am
new file mode 100644
index 000000000..354325b35
--- /dev/null
+++ b/src/pluto/plugins/xauth/Makefile.am
@@ -0,0 +1,15 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+		   -I$(top_srcdir)/src/libfreeswan -I$(top_srcdir)/src/whack \
+		   -I$(top_srcdir)/src/pluto
+
+AM_CFLAGS = -rdynamic
+
+plugin_LTLIBRARIES = libstrongswan-xauth.la
+
+libstrongswan_xauth_la_SOURCES = \
+	xauth_plugin.h xauth_plugin.c \
+	xauth_default_provider.c xauth_default_provider.h \
+	xauth_default_verifier.c xauth_default_verifier.h
+
+libstrongswan_xauth_la_LDFLAGS = -module -avoid-version
diff --git a/src/pluto/plugins/xauth/Makefile.in b/src/pluto/plugins/xauth/Makefile.in
new file mode 100644
index 000000000..13749e5af
--- /dev/null
+++ b/src/pluto/plugins/xauth/Makefile.in
@@ -0,0 +1,577 @@
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/pluto/plugins/xauth
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(plugin_LTLIBRARIES)
+libstrongswan_xauth_la_LIBADD =
+am_libstrongswan_xauth_la_OBJECTS = xauth_plugin.lo \
+	xauth_default_provider.lo xauth_default_verifier.lo
+libstrongswan_xauth_la_OBJECTS = $(am_libstrongswan_xauth_la_OBJECTS)
+libstrongswan_xauth_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_xauth_la_LDFLAGS) $(LDFLAGS) -o $@
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_xauth_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_xauth_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libhydra_plugins = @libhydra_plugins@
+libstrongswan_plugins = @libstrongswan_plugins@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+		   -I$(top_srcdir)/src/libfreeswan -I$(top_srcdir)/src/whack \
+		   -I$(top_srcdir)/src/pluto
+
+AM_CFLAGS = -rdynamic
+plugin_LTLIBRARIES = libstrongswan-xauth.la
+libstrongswan_xauth_la_SOURCES = \
+	xauth_plugin.h xauth_plugin.c \
+	xauth_default_provider.c xauth_default_provider.h \
+	xauth_default_verifier.c xauth_default_verifier.h
+
+libstrongswan_xauth_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/pluto/plugins/xauth/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/pluto/plugins/xauth/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-xauth.la: $(libstrongswan_xauth_la_OBJECTS) $(libstrongswan_xauth_la_DEPENDENCIES) 
+	$(libstrongswan_xauth_la_LINK) -rpath $(plugindir) $(libstrongswan_xauth_la_OBJECTS) $(libstrongswan_xauth_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xauth_default_provider.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xauth_default_verifier.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xauth_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
+	mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
+	distclean-compile distclean-generic distclean-libtool \
+	distclean-tags distdir dvi dvi-am html html-am info info-am \
+	install install-am install-data install-data-am install-dvi \
+	install-dvi-am install-exec install-exec-am install-html \
+	install-html-am install-info install-info-am install-man \
+	install-pdf install-pdf-am install-pluginLTLIBRARIES \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/pluto/plugins/xauth/xauth_default_provider.c b/src/pluto/plugins/xauth/xauth_default_provider.c
new file mode 100644
index 000000000..77c5facc4
--- /dev/null
+++ b/src/pluto/plugins/xauth/xauth_default_provider.c
@@ -0,0 +1,66 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <keys.h>
+
+#include "xauth_default_provider.h"
+
+typedef struct private_xauth_default_provider_t private_xauth_default_provider_t;
+
+/**
+ * private data of xauth_default_provider
+ */
+struct private_xauth_default_provider_t {
+
+	/**
+	 * public functions
+	 */
+	xauth_provider_t public;
+};
+
+METHOD(xauth_provider_t, get_secret, bool,
+	private_xauth_default_provider_t *this, connection_t *c, chunk_t *secret)
+{
+	identification_t *user, *server;
+
+	server = c->spd.that.id;
+	user = (c->xauth_identity) ? c->xauth_identity : c->spd.this.id;
+
+	return get_xauth_secret(user, server, secret);
+}
+
+METHOD(xauth_provider_t, destroy, void,
+	private_xauth_default_provider_t *this)
+{
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+xauth_provider_t *xauth_default_provider_create()
+{
+	private_xauth_default_provider_t *this;
+
+	INIT(this,
+		.public = {
+			.get_secret = _get_secret,
+			.destroy = _destroy,
+		 }
+	);
+
+	return &this->public;
+}
+
diff --git a/src/pluto/plugins/xauth/xauth_default_provider.h b/src/pluto/plugins/xauth/xauth_default_provider.h
new file mode 100644
index 000000000..ff1a91d16
--- /dev/null
+++ b/src/pluto/plugins/xauth/xauth_default_provider.h
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup xauth_default_provider xauth_default_provider
+ * @{ @ingroup xauth
+ */
+
+#ifndef XAUTH_DEFAULT_PROVIDER_H_
+#define XAUTH_DEFAULT_PROVIDER_H_
+
+#include <xauth/xauth_provider.h>
+
+
+/**
+ * Create an xauth_default_provider instance.
+ */
+xauth_provider_t *xauth_default_provider_create();
+
+#endif /** XAUTH_DEFAULT_PROVIDER_H_ @}*/
+
diff --git a/src/pluto/plugins/xauth/xauth_default_verifier.c b/src/pluto/plugins/xauth/xauth_default_verifier.c
new file mode 100644
index 000000000..776f77134
--- /dev/null
+++ b/src/pluto/plugins/xauth/xauth_default_verifier.c
@@ -0,0 +1,74 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <keys.h>
+
+#include "xauth_default_verifier.h"
+
+typedef struct private_xauth_default_verifier_t private_xauth_default_verifier_t;
+
+/**
+ * private data of xauth_default_verifier
+ */
+struct private_xauth_default_verifier_t {
+
+	/**
+	 * public functions
+	 */
+	xauth_verifier_t public;
+};
+
+METHOD(xauth_verifier_t, verify_secret, bool,
+	private_xauth_default_verifier_t *this, connection_t *c, chunk_t secret)
+{
+	identification_t *user, *server;
+	chunk_t xauth_secret;
+	bool success = FALSE;
+
+	server = c->spd.this.id;
+	user = (c->xauth_identity) ? c->xauth_identity : c->spd.that.id;
+
+	if (get_xauth_secret(user, server, &xauth_secret))
+	{
+		success = chunk_equals(secret, xauth_secret);
+		chunk_clear(&xauth_secret);
+	}
+	return success;
+}
+
+METHOD(xauth_verifier_t, destroy, void,
+	private_xauth_default_verifier_t *this)
+{
+	free(this);
+}
+
+
+/*
+ * Described in header.
+ */
+xauth_verifier_t *xauth_default_verifier_create()
+{
+	private_xauth_default_verifier_t *this;
+
+	INIT(this,
+		.public = {
+			.verify_secret = _verify_secret,
+			.destroy = _destroy,
+		 }
+	);
+
+	return &this->public;
+}
+
diff --git a/src/pluto/plugins/xauth/xauth_default_verifier.h b/src/pluto/plugins/xauth/xauth_default_verifier.h
new file mode 100644
index 000000000..e5814d7b4
--- /dev/null
+++ b/src/pluto/plugins/xauth/xauth_default_verifier.h
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup xauth_default_verifier xauth_default_verifier
+ * @{ @ingroup xauth
+ */
+
+#ifndef XAUTH_DEFAULT_VERIFIER_H_
+#define XAUTH_DEFAULT_VERIFIER_H_
+
+#include <xauth/xauth_verifier.h>
+
+
+/**
+ * Create an xauth_default_verifier instance.
+ */
+xauth_verifier_t *xauth_default_verifier_create();
+
+#endif /** XAUTH_DEFAULT_VERIFIER_H_ @}*/
+
diff --git a/src/pluto/plugins/xauth/xauth_plugin.c b/src/pluto/plugins/xauth/xauth_plugin.c
new file mode 100644
index 000000000..74e16eacd
--- /dev/null
+++ b/src/pluto/plugins/xauth/xauth_plugin.c
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <pluto.h>
+
+#include "xauth_plugin.h"
+#include "xauth_default_provider.h"
+#include "xauth_default_verifier.h"
+/**
+ * Implementation of plugin_t.destroy
+ */
+static void destroy(xauth_plugin_t *this)
+{
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *xauth_plugin_create()
+{
+	xauth_plugin_t *this = malloc_thing(xauth_plugin_t);
+
+	this->plugin.destroy = (void(*)(plugin_t*))destroy;
+
+	pluto->xauth->add_provider(pluto->xauth, xauth_default_provider_create());
+	pluto->xauth->add_verifier(pluto->xauth, xauth_default_verifier_create());
+
+	return &this->plugin;
+}
+
diff --git a/src/pluto/plugins/xauth/xauth_plugin.h b/src/pluto/plugins/xauth/xauth_plugin.h
new file mode 100644
index 000000000..4f14828d2
--- /dev/null
+++ b/src/pluto/plugins/xauth/xauth_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup xauth xauth
+ * @ingroup pplugins
+ *
+ * @defgroup xauth_plugin xauth_plugin
+ * @{ @ingroup xauth
+ */
+
+#ifndef XAUTH_PLUGIN_H_
+#define XAUTH_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct xauth_plugin_t xauth_plugin_t;
+
+/**
+ * XAUTH plugin
+ */
+struct xauth_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+#endif /** XAUTH_PLUGIN_H_ @}*/
diff --git a/src/pluto/pluto.c b/src/pluto/pluto.c
new file mode 100644
index 000000000..e9c7c316b
--- /dev/null
+++ b/src/pluto/pluto.c
@@ -0,0 +1,71 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "pluto.h"
+
+#include <debug.h>
+
+typedef struct private_pluto_t private_pluto_t;
+
+/**
+ * Private additions to pluto_t.
+ */
+struct private_pluto_t {
+
+	/**
+	 * Public members of pluto_t.
+	 */
+	pluto_t public;
+};
+
+/**
+ * Single instance of pluto_t.
+ */
+pluto_t *pluto;
+
+/**
+ * Described in header.
+ */
+void pluto_deinit()
+{
+	private_pluto_t *this = (private_pluto_t*)pluto;
+	this->public.xauth->destroy(this->public.xauth);
+	free(this);
+	pluto = NULL;
+}
+
+/**
+ * Described in header.
+ */
+bool pluto_init(char *file)
+{
+	private_pluto_t *this;
+
+	INIT(this,
+		.public = {
+			.xauth = xauth_manager_create(),
+		},
+	);
+	pluto = &this->public;
+
+	if (lib->integrity &&
+		!lib->integrity->check_file(lib->integrity, "pluto", file))
+	{
+		DBG1(DBG_LIB, "integrity check of pluto failed");
+		return FALSE;
+	}
+	return TRUE;
+}
+
diff --git a/src/pluto/pluto.h b/src/pluto/pluto.h
new file mode 100644
index 000000000..37e6e3f33
--- /dev/null
+++ b/src/pluto/pluto.h
@@ -0,0 +1,69 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pluto pluto
+ *
+ * @defgroup xauth xauth
+ * @ingroup pluto
+ *
+ * @defgroup pplugins plugins
+ * @ingroup pluto
+ *
+ * @addtogroup pluto
+ * @{
+ */
+
+#ifndef PLUTO_H_
+#define PLUTO_H_
+
+typedef struct pluto_t pluto_t;
+
+#include <xauth/xauth_manager.h>
+
+#include <library.h>
+
+/**
+ * Pluto daemon support object.
+ */
+struct pluto_t {
+
+	/**
+	 * manager for payload attributes
+	 */
+	xauth_manager_t *xauth;
+};
+
+/**
+ * The single instance of pluto_t.
+ *
+ * Set between calls to pluto_init() and pluto_deinit() calls.
+ */
+extern pluto_t *pluto;
+
+/**
+ * Initialize pluto.
+ *
+ * @return				FALSE if integrity check failed
+ */
+bool pluto_init(char *file);
+
+/**
+ * Deinitialize pluto.
+ */
+void pluto_deinit(void);
+
+#endif /** PLUTO_H_ @}*/
+
diff --git a/src/pluto/plutomain.c b/src/pluto/plutomain.c
index aa04594bc..89123bb8a 100644
--- a/src/pluto/plutomain.c
+++ b/src/pluto/plutomain.c
@@ -33,7 +33,9 @@
 #include <grp.h>
 
 #ifdef CAPABILITIES
+#ifdef HAVE_SYS_CAPABILITY_H
 #include <sys/capability.h>
+#endif /* HAVE_SYS_CAPABILITY_H */
 #endif /* CAPABILITIES */
 
 #include <freeswan.h>
@@ -68,7 +70,6 @@
 #include "ocsp.h"
 #include "crl.h"
 #include "fetch.h"
-#include "xauth.h"
 #include "crypto.h"
 #include "nat_traversal.h"
 #include "virtual.h"
@@ -76,6 +77,7 @@
 #include "vendor.h"
 #include "builder.h"
 #include "whack_attribute.h"
+#include "pluto.h"
 
 static void usage(const char *mess)
 {
@@ -258,7 +260,6 @@ int main(int argc, char **argv)
 	char *virtual_private = NULL;
 	int lockfd;
 #ifdef CAPABILITIES
-	cap_t caps;
 	int keep[] = { CAP_NET_ADMIN, CAP_NET_BIND_SERVICE };
 #endif /* CAPABILITIES */
 
@@ -268,18 +269,18 @@ int main(int argc, char **argv)
 		library_deinit();
 		exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
 	}
-	if (lib->integrity &&
-		!lib->integrity->check_file(lib->integrity, "pluto", argv[0]))
+	if (!libhydra_init("pluto"))
 	{
-		fprintf(stderr, "integrity check of pluto failed\n");
+		libhydra_deinit();
 		library_deinit();
-		exit(SS_RC_DAEMON_INTEGRITY);
+		exit(SS_RC_INITIALIZATION_FAILED);
 	}
-	if (!libhydra_init("pluto"))
+	if (!pluto_init(argv[0]))
 	{
+		pluto_deinit();
 		libhydra_deinit();
 		library_deinit();
-		exit(SS_RC_INITIALIZATION_FAILED);
+		exit(SS_RC_DAEMON_INTEGRITY);
 	}
 	options = options_create();
 
@@ -677,7 +678,6 @@ int main(int argc, char **argv)
 	init_nat_traversal(nat_traversal, keep_alive, force_keepalive, nat_t_spf);
 	init_virtual_ip(virtual_private);
 	scx_init(pkcs11_module_path, pkcs11_init_args);
-	xauth_init();
 	init_states();
 	init_demux();
 	init_kernel();
@@ -717,18 +717,41 @@ int main(int argc, char **argv)
 		}
 #endif
 
-#ifdef CAPABILITIES
-	caps = cap_init();
-	cap_set_flag(caps, CAP_EFFECTIVE, 2, keep, CAP_SET);
-	cap_set_flag(caps, CAP_INHERITABLE, 2, keep, CAP_SET);
-	cap_set_flag(caps, CAP_PERMITTED, 2, keep, CAP_SET);
-	if (cap_set_proc(caps) != 0)
+#ifdef CAPABILITIES_LIBCAP
+	{
+		cap_t caps;
+		caps = cap_init();
+		cap_set_flag(caps, CAP_EFFECTIVE, countof(keep), keep, CAP_SET);
+		cap_set_flag(caps, CAP_INHERITABLE, countof(keep), keep, CAP_SET);
+		cap_set_flag(caps, CAP_PERMITTED, countof(keep), keep, CAP_SET);
+		if (cap_set_proc(caps) != 0)
+		{
+			plog("unable to drop daemon capabilities");
+			abort();
+		}
+		cap_free(caps);
+	}
+#endif /* CAPABILITIES_LIBCAP */
+#ifdef CAPABILITIES_NATIVE
 	{
-		plog("unable to drop daemon capabilities");
-		abort();
+		struct __user_cap_data_struct caps = { .effective = 0 };
+		struct __user_cap_header_struct header = {
+			.version = _LINUX_CAPABILITY_VERSION,
+		};
+		int i;
+		for (i = 0; i < countof(keep); i++)
+		{
+			caps.effective |= 1 << keep[i];
+			caps.permitted |= 1 << keep[i];
+			caps.inheritable |= 1 << keep[i];
+		}
+		if (capset(&header, &caps) != 0)
+		{
+			plog("unable to drop daemon capabilities");
+			abort();
+		}
 	}
-	cap_free(caps);
-#endif /* CAPABILITIES */
+#endif /* CAPABILITIES_NATIVE */
 
 	/* loading X.509 CA certificates */
 	load_authcerts("ca", CA_CERT_PATH, X509_CA);
@@ -771,7 +794,6 @@ void exit_pluto(int status)
 	free_ifaces();
 	ac_finalize();              /* free X.509 attribute certificates */
 	scx_finalize();             /* finalize and unload PKCS #11 module */
-	xauth_finalize();           /* finalize and unload XAUTH module */
 	stop_adns();
 	free_md_pool();
 	free_crypto();
@@ -781,6 +803,7 @@ void exit_pluto(int status)
 	free_builder();
 	delete_lock();
 	options->destroy(options);
+	pluto_deinit();
 	lib->plugins->unload(lib->plugins);
 	libhydra_deinit();
 	library_deinit();
diff --git a/src/pluto/rcv_whack.c b/src/pluto/rcv_whack.c
index bf5ccb10c..c140095f0 100644
--- a/src/pluto/rcv_whack.c
+++ b/src/pluto/rcv_whack.c
@@ -329,6 +329,7 @@ void whack_handle(int whackctlfd)
 		|| !unpack_str(&msg.sc_data)            /* string 26 */
 		|| !unpack_str(&msg.whack_lease_ip)     /* string 27 */
 		|| !unpack_str(&msg.whack_lease_id)     /* string 28 */
+		|| !unpack_str(&msg.xauth_identity)     /* string 29 */
 		|| str_roof - next_str != (ptrdiff_t)msg.keyval.len)    /* check chunk */
 		{
 			ugh = "message from whack contains bad string";
diff --git a/src/pluto/state.h b/src/pluto/state.h
index 35ffe5a5b..c4e8db485 100644
--- a/src/pluto/state.h
+++ b/src/pluto/state.h
@@ -14,6 +14,9 @@
  * for more details.
  */
 
+#ifndef _STATE_H
+#define _STATE_H
+
 #include <sys/types.h>
 #include <sys/socket.h>
 #include <netinet/in.h>
@@ -270,3 +273,5 @@ extern void fmt_state(bool all, struct state *st, time_t n
 					 , char *state_buf, size_t state_buf_len
 					 , char *state_buf2, size_t state_buf_len2);
 extern void delete_states_by_peer(ip_address *peer);
+
+#endif /* _STATE_H */
diff --git a/src/pluto/x509.c b/src/pluto/x509.c
index 0a29830ea..2b8681246 100644
--- a/src/pluto/x509.c
+++ b/src/pluto/x509.c
@@ -393,6 +393,10 @@ void list_x509cert_chain(const char *caption, cert_t* cert,
 				{
 					written = snprintf(pos, len, ", %Y", id);
 				}
+				if (written < 0 || written >= len)
+				{
+					break;
+				}
 				pos += written;
 				len -= written;
 			}
@@ -427,11 +431,11 @@ void list_x509cert_chain(const char *caption, cert_t* cert,
 					cert->smartcard ? ", on smartcard" :
 					(has_private_key(cert)? ", has private key" : ""));
 
-				if (key->get_fingerprint(key, KEY_ID_PUBKEY_INFO_SHA1, &keyid))
+				if (key->get_fingerprint(key, KEYID_PUBKEY_INFO_SHA1, &keyid))
 				{
 					whack_log(RC_COMMENT, "  keyid:     %#B", &keyid);
 				}
-				if (key->get_fingerprint(key, KEY_ID_PUBKEY_SHA1, &subjkey))
+				if (key->get_fingerprint(key, KEYID_PUBKEY_SHA1, &subjkey))
 				{
 					whack_log(RC_COMMENT, "  subjkey:   %#B", &subjkey);
 				}
diff --git a/src/pluto/x509.h b/src/pluto/x509.h
index e904618b3..3101724a6 100644
--- a/src/pluto/x509.h
+++ b/src/pluto/x509.h
@@ -26,6 +26,8 @@
 #include "constants.h"
 #include "certs.h"
 
+#define X509_MAX_PATH_LEN				 7
+
 extern bool same_keyid(chunk_t a, chunk_t b);
 extern bool x509_check_signature(chunk_t tbs, chunk_t sig, int algorithm,
 								 certificate_t *issuer_cert);
diff --git a/src/pluto/xauth.c b/src/pluto/xauth.c
deleted file mode 100644
index 2086a92cc..000000000
--- a/src/pluto/xauth.c
+++ /dev/null
@@ -1,77 +0,0 @@
-/* Initialization and finalization of the dynamic XAUTH module
- * Copyright (C) 2006 Andreas Steffen
- * Hochschule fuer Technik Rapperswil, Switzerland
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <dlfcn.h>
-
-#include <freeswan.h>
-
-#include "constants.h"
-#include "defs.h"
-#include "xauth.h"
-#include "keys.h"
-#include "log.h"
-
-void
-xauth_init(void)
-{
-#ifdef XAUTH_DEFAULT_LIB
-	xauth_module.handle = dlopen(XAUTH_DEFAULT_LIB, RTLD_NOW);
-
-	if (xauth_module.handle != NULL)
-	{
-		DBG(DBG_CONTROL,
-			DBG_log("xauth module '%s' loading'", XAUTH_DEFAULT_LIB)
-		)
-		xauth_module.get_secret = (bool (*) (const xauth_t*))
-						dlsym(xauth_module.handle, "get_secret");
-		DBG(DBG_CONTROL,
-			if (xauth_module.get_secret != NULL)
-			{
-				DBG_log("xauth module: found get_secret() function");
-			}
-		)
-		xauth_module.verify_secret = (bool (*) (const xauth_peer_t*, const xauth_t*))
-						dlsym(xauth_module.handle, "verify_secret");
-		DBG(DBG_CONTROL,
-			if (xauth_module.verify_secret != NULL)
-			{
-				DBG_log("xauth module: found verify_secret() function");
-			}
-		)
-	}
-#endif
-	/* any null function pointers will be filled in by default functions */
-	xauth_defaults();
-}
-
-void
-xauth_finalize(void)
-{
-#ifdef XAUTH_DEFAULT_LIB
-	if (xauth_module.handle != NULL)
-	{
-		if (dlclose(xauth_module.handle))
-		{
-			plog("failed to unload xauth module");
-		}
-		else
-		{
-			DBG(DBG_CONTROL,
-				DBG_log("xauth module unloaded")
-			)
-		}
-	}
-#endif
-}
diff --git a/src/pluto/xauth.h b/src/pluto/xauth.h
deleted file mode 100644
index 23cae3ed8..000000000
--- a/src/pluto/xauth.h
+++ /dev/null
@@ -1,48 +0,0 @@
-/* Interface definition of the XAUTH server and|or client module
- * Copyright (C) 2006 Andreas Steffen
- * Hochschule fuer Technik Rapperswil, Switzerland
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#ifndef _XAUTH_H
-#define _XAUTH_H
-
-#include <freeswan.h>
-#include "defs.h"
-
-/* XAUTH credentials */
-
-struct chunk_t;
-
-typedef struct {
-	char *conn_name;
-	char id[BUF_LEN];
-	char ip_address[ADDRTOT_BUF];
-} xauth_peer_t;
-
-typedef struct {
-	chunk_t user_name;
-	chunk_t user_password;
-} xauth_t;
-
-typedef struct {
-	void *handle;
-	bool (*get_secret) (xauth_t *xauth_secret);
-	bool (*verify_secret) (const xauth_peer_t *peer, const xauth_t *xauth_secret);
-} xauth_module_t;
-
-extern xauth_module_t xauth_module;
-
-extern void xauth_init(void);
-extern void xauth_finalize(void);
-
-#endif /* _XAUTH_H */
diff --git a/src/pluto/xauth/xauth_manager.c b/src/pluto/xauth/xauth_manager.c
new file mode 100644
index 000000000..2e57ccefa
--- /dev/null
+++ b/src/pluto/xauth/xauth_manager.c
@@ -0,0 +1,127 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "xauth_manager.h"
+
+typedef struct private_xauth_manager_t private_xauth_manager_t;
+
+/**
+ * private data of xauth_manager
+ */
+struct private_xauth_manager_t {
+
+	/**
+	 * public functions
+	 */
+	xauth_manager_t public;
+
+	/**
+	 * list of registered secret providers
+	 */
+	linked_list_t *providers;
+
+	/**
+	 * list of registered secret verifiers
+	 */
+	linked_list_t *verifiers;
+};
+
+METHOD(xauth_manager_t, get_secret, bool,
+	private_xauth_manager_t *this, connection_t *c, chunk_t *secret)
+{
+	xauth_provider_t *provider;
+	enumerator_t *enumerator;
+ 	bool success = FALSE;
+
+	*secret = chunk_empty;
+
+	enumerator = this->providers->create_enumerator(this->providers);
+	while (enumerator->enumerate(enumerator, &provider))
+	{
+		if (provider->get_secret(provider, c, secret))
+		{
+			success = TRUE;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return success;
+}
+
+METHOD(xauth_manager_t, verify_secret, bool,
+	private_xauth_manager_t *this, connection_t *c, chunk_t secret)
+{
+	xauth_verifier_t *verifier;
+	enumerator_t *enumerator;
+	bool success = FALSE;
+
+	enumerator = this->verifiers->create_enumerator(this->verifiers);
+	while (enumerator->enumerate(enumerator, &verifier))
+	{
+		if (verifier->verify_secret(verifier, c, secret))
+		{
+			success = TRUE;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return success;
+}
+
+METHOD(xauth_manager_t, add_provider, void,
+	private_xauth_manager_t *this,	xauth_provider_t *provider)
+{
+	this->providers->insert_last(this->providers, provider);
+}
+
+METHOD(xauth_manager_t, add_verifier, void,
+	private_xauth_manager_t *this,	xauth_verifier_t *verifier)
+{
+	this->verifiers->insert_last(this->verifiers, verifier);
+}
+
+METHOD(xauth_manager_t, destroy, void,
+	private_xauth_manager_t *this)
+{
+	this->providers->destroy_offset(this->providers,
+									offsetof(xauth_provider_t, destroy));
+	this->verifiers->destroy_offset(this->verifiers,
+									offsetof(xauth_verifier_t, destroy));
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+xauth_manager_t *xauth_manager_create()
+{
+	private_xauth_manager_t *this;
+
+	INIT(this,
+		.public = {
+			.get_secret = _get_secret,
+			.verify_secret = _verify_secret,
+			.add_provider = _add_provider,
+			.add_verifier = _add_verifier,
+			.destroy = _destroy,
+		 }
+	);
+
+	this->providers = linked_list_create();
+	this->verifiers = linked_list_create();
+
+	return &this->public;
+}
+
diff --git a/src/pluto/xauth/xauth_manager.h b/src/pluto/xauth/xauth_manager.h
new file mode 100644
index 000000000..843eb2ff0
--- /dev/null
+++ b/src/pluto/xauth/xauth_manager.h
@@ -0,0 +1,80 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup xauth_manager xauth_manager
+ * @{ @ingroup xauth
+ */
+
+#ifndef XAUTH_MANAGER_H_
+#define XAUTH_MANAGER_H_
+
+#include "xauth_provider.h"
+#include "xauth_verifier.h"
+
+typedef struct xauth_manager_t xauth_manager_t;
+
+/**
+ * An xauth_manager registers xauth_providers and xauth_verifiers.
+ */
+struct xauth_manager_t {
+
+	/**
+	 * Register an xauth_provider
+	 *
+	 * @param provider		xauth_provider to be registered
+	 */
+	void (*add_provider)(xauth_manager_t *this, xauth_provider_t *provider);
+
+	/**
+	 * Register an xauth_verifier
+	 *
+	 * @param verifier		xauth_verifier to be registered
+	 */
+	void (*add_verifier)(xauth_manager_t *this, xauth_verifier_t *verifier);
+
+	/**
+	 * Use registered providers to retrieve an XAUTH user secret
+     * based on connection information.
+	 *
+	 * @param c				connection information
+	 * @param secret		secret if found, chunk_empty otherwise
+	 * @return				TRUE if a matching secret was found
+	 */
+	bool (*get_secret)(xauth_manager_t *this, connection_t *c, chunk_t *secret);
+
+	/**
+	 * Use registered verifiers to verify an XAUTH user secret 
+	 * based on connection information
+	 *
+	 * @param c				connection information
+	 * @param secret		secret to be compared
+	 * @return				TRUE if secret matches
+	 */
+	bool (*verify_secret)(xauth_manager_t *this, connection_t *c, chunk_t secret);
+
+	/**
+	 * Destroy an xauth_verifier instance.
+	 */
+	void (*destroy)(xauth_manager_t *this);
+};
+
+/**
+ * Create an xauth_manager instance.
+ */
+xauth_manager_t *xauth_manager_create();
+
+#endif /** XAUTH_MANAGER_H_ @}*/
+
diff --git a/src/pluto/xauth/xauth_provider.h b/src/pluto/xauth/xauth_provider.h
new file mode 100644
index 000000000..90adbff50
--- /dev/null
+++ b/src/pluto/xauth/xauth_provider.h
@@ -0,0 +1,56 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup xauth_provider xauth_provider
+ * @{ @ingroup xauth
+ */
+
+#ifndef XAUTH_PROVIDER_H_
+#define XAUTH_PROVIDER_H_
+
+#include <library.h>
+
+#include <connections.h>
+
+typedef struct xauth_provider_t xauth_provider_t;
+
+/**
+ * An xauth provider retrieves xauth user secrets on the client side. 
+ */
+struct xauth_provider_t {
+
+	/**
+	 * Retrieve an XAUTH user secret based on connection information.
+	 *
+	 * @param c				connection information
+	 * @param secret		secret if found, chunk_empty otherwise
+	 * @return				TRUE if a matching secret was found
+	 */
+	bool (*get_secret)(xauth_provider_t *this, connection_t *c, chunk_t *secret);
+
+	/**
+	 * Destroy an xauth_provider instance.
+	 */
+	void (*destroy)(xauth_provider_t *this);
+};
+
+/**
+ * Create an xauth_provider instance.
+ */
+xauth_provider_t *xauth_provider_create();
+
+#endif /** XAUTH_PROVIDER_H_ @}*/
+
diff --git a/src/pluto/xauth/xauth_verifier.h b/src/pluto/xauth/xauth_verifier.h
new file mode 100644
index 000000000..7c9ff3a7f
--- /dev/null
+++ b/src/pluto/xauth/xauth_verifier.h
@@ -0,0 +1,56 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup xauth_verifier xauth_verifier
+ * @{ @ingroup xauth
+ */
+
+#ifndef XAUTH_VERIFIER_H_
+#define XAUTH_VERIFIER_H_
+
+#include <library.h>
+
+#include <connections.h>
+
+typedef struct xauth_verifier_t xauth_verifier_t;
+
+/**
+ * An xauth verifier verifies xauth user secrets on the server side.
+ */
+struct xauth_verifier_t {
+
+	/**
+	 * Verify an XAUTH user secret base on connection information
+	 *
+	 * @param c				connection information
+	 * @param secret		secret to be compared
+	 * @return				TRUE if secret matches
+	 */
+	bool (*verify_secret)(xauth_verifier_t *this, connection_t *c, chunk_t secret);
+
+	/**
+	 * Destroy an xauth_verifier instance.
+	 */
+	void (*destroy)(xauth_verifier_t *this);
+};
+
+/**
+ * Create an xauth_verifier instance.
+ */
+xauth_verifier_t *xauth_verifier_create();
+
+#endif /** XAUTH_VERIFIER_H_ @}*/
+
diff --git a/src/scepclient/Makefile.in b/src/scepclient/Makefile.in
index db930756a..7832e5f66 100644
--- a/src/scepclient/Makefile.in
+++ b/src/scepclient/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
diff --git a/src/scepclient/scep.c b/src/scepclient/scep.c
index 598705636..29f6eab70 100644
--- a/src/scepclient/scep.c
+++ b/src/scepclient/scep.c
@@ -281,7 +281,7 @@ void scep_generate_transaction_id(public_key_t *key, chunk_t *transID,
 	bool msb_set;
 	u_char *pos;
 
-	key->get_encoding(key, KEY_PUB_ASN1_DER, &keyEncoding);
+	key->get_encoding(key, PUBKEY_ASN1_DER, &keyEncoding);
 
 	keyInfo = asn1_wrap(ASN1_SEQUENCE, "mm",
 						asn1_algorithmIdentifier(OID_RSA_ENCRYPTION),
diff --git a/src/scepclient/scepclient.c b/src/scepclient/scepclient.c
index 385f6f328..5c32bbdef 100644
--- a/src/scepclient/scepclient.c
+++ b/src/scepclient/scepclient.c
@@ -398,7 +398,7 @@ int main(int argc, char **argv)
 	transID           = chunk_empty;
 	fingerprint       = chunk_empty;
 	encoding          = chunk_empty;
-	pkcs10_encoding   = chunk_empty; 
+	pkcs10_encoding   = chunk_empty;
 	issuerAndSubject  = chunk_empty;
 	challengePassword = chunk_empty;
 	getCertInitial    = chunk_empty;
@@ -866,7 +866,7 @@ int main(int argc, char **argv)
 		{
 			exit_scepclient("generating pkcs10 request failed");
 		}
-		pkcs10_encoding = pkcs10_req->get_encoding(pkcs10_req);
+		pkcs10_req->get_encoding(pkcs10_req, CERT_ASN1_DER, &pkcs10_encoding);
 		fingerprint = scep_generate_pkcs10_fingerprint(pkcs10_encoding);
 		plog("  fingerprint:    %s", fingerprint.ptr);
 	}
@@ -900,7 +900,7 @@ int main(int argc, char **argv)
 		DBG(DBG_CONTROL,
 			DBG_log("building pkcs1 object:")
 		)
-		if (!private_key->get_encoding(private_key, KEY_PRIV_ASN1_DER, &pkcs1) ||
+		if (!private_key->get_encoding(private_key, PRIVKEY_ASN1_DER, &pkcs1) ||
 			!chunk_write(pkcs1, path, "pkcs1", 0066, force))
 		{
 			exit_scepclient("could not write pkcs1 file '%s'", path);
@@ -941,8 +941,7 @@ int main(int argc, char **argv)
 	{
 		char *path = concatenate_paths(HOST_CERT_PATH, file_out_cert_self);
 
-		encoding = x509_signer->get_encoding(x509_signer);
-		if (!encoding.ptr)
+		if (!x509_signer->get_encoding(x509_signer, CERT_ASN1_DER, &encoding))
 		{
 			exit_scepclient("encoding certificate failed");
 		}
@@ -964,7 +963,7 @@ int main(int argc, char **argv)
 	 */
 	{
 		char *path = concatenate_paths(CA_CERT_PATH, file_in_cacert_enc);
-	
+
 		x509_ca_enc = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
 										 BUILD_FROM_FILE, path, BUILD_END);
 		if (!x509_ca_enc)
@@ -1138,8 +1137,8 @@ int main(int argc, char **argv)
 				{
 					exit_scepclient("multiple certs received, only first stored");
 				}
-				encoding = cert->get_encoding(cert);
-				if (!chunk_write(encoding, path, "requested cert", 0022, force))
+				if (!cert->get_encoding(cert, CERT_ASN1_DER, &encoding) ||
+					!chunk_write(encoding, path, "requested cert", 0022, force))
 				{
 					exit_scepclient("could not write cert file '%s'", path);
 				}
diff --git a/src/starter/Makefile.am b/src/starter/Makefile.am
index a235013f2..9813a0c06 100644
--- a/src/starter/Makefile.am
+++ b/src/starter/Makefile.am
@@ -23,8 +23,9 @@ AM_CFLAGS = \
 -DDEBUG
 
 starter_LDADD = defs.o $(top_builddir)/src/libfreeswan/libfreeswan.a $(top_builddir)/src/libstrongswan/libstrongswan.la $(SOCKLIB)
-EXTRA_DIST = parser.l parser.y keywords.txt ipsec.conf
+EXTRA_DIST = parser.l parser.y keywords.txt ipsec.conf ipsec.conf.5.in
 dist_man_MANS = ipsec.conf.5 starter.8
+CLEANFILES = ipsec.conf.5
 MAINTAINERCLEANFILES = lex.yy.c y.tab.c y.tab.h keywords.c
 
 PLUTODIR=$(top_srcdir)/src/pluto
@@ -38,6 +39,15 @@ if USE_CHARON
   AM_CFLAGS += -DSTART_CHARON
 endif
 
+if USE_LOAD_WARNING
+  AM_CFLAGS += -DLOAD_WARNING
+endif
+
+ipsec.conf.5:	ipsec.conf.5.in
+		sed \
+		-e "s:@IPSEC_VERSION@:$(PACKAGE_VERSION):" \
+		$(srcdir)/$@.in > $@
+
 lex.yy.c:	$(srcdir)/parser.l $(srcdir)/parser.y $(srcdir)/parser.h y.tab.h
 		$(LEX) $(srcdir)/parser.l
 
diff --git a/src/starter/Makefile.in b/src/starter/Makefile.in
index 11449f465..d06c8974d 100644
--- a/src/starter/Makefile.in
+++ b/src/starter/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -37,6 +37,7 @@ host_triplet = @host@
 ipsec_PROGRAMS = starter$(EXEEXT)
 @USE_PLUTO_TRUE@am__append_1 = -DSTART_PLUTO
 @USE_CHARON_TRUE@am__append_2 = -DSTART_CHARON
+@USE_LOAD_WARNING_TRUE@am__append_3 = -DLOAD_WARNING
 subdir = src/starter
 DIST_COMMON = README $(dist_man_MANS) $(srcdir)/Makefile.am \
 	$(srcdir)/Makefile.in
@@ -285,10 +286,11 @@ AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" \
 	-DIPSEC_CONFDIR=\"${sysconfdir}\" -DIPSEC_PIDDIR=\"${piddir}\" \
 	-DIPSEC_EAPDIR=\"${eapdir}\" -DDEV_RANDOM=\"${random_device}\" \
 	-DDEV_URANDOM=\"${urandom_device}\" -DDEBUG $(am__append_1) \
-	$(am__append_2)
+	$(am__append_2) $(am__append_3)
 starter_LDADD = defs.o $(top_builddir)/src/libfreeswan/libfreeswan.a $(top_builddir)/src/libstrongswan/libstrongswan.la $(SOCKLIB)
-EXTRA_DIST = parser.l parser.y keywords.txt ipsec.conf
+EXTRA_DIST = parser.l parser.y keywords.txt ipsec.conf ipsec.conf.5.in
 dist_man_MANS = ipsec.conf.5 starter.8
+CLEANFILES = ipsec.conf.5
 MAINTAINERCLEANFILES = lex.yy.c y.tab.c y.tab.h keywords.c
 PLUTODIR = $(top_srcdir)/src/pluto
 SCEPCLIENTDIR = $(top_srcdir)/src/scepclient
@@ -618,6 +620,7 @@ install-strip:
 mostlyclean-generic:
 
 clean-generic:
+	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
 
 distclean-generic:
 	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
@@ -719,6 +722,11 @@ uninstall-man: uninstall-man5 uninstall-man8
 	uninstall-man8
 
 
+ipsec.conf.5:	ipsec.conf.5.in
+		sed \
+		-e "s:@IPSEC_VERSION@:$(PACKAGE_VERSION):" \
+		$(srcdir)/$@.in > $@
+
 lex.yy.c:	$(srcdir)/parser.l $(srcdir)/parser.y $(srcdir)/parser.h y.tab.h
 		$(LEX) $(srcdir)/parser.l
 
diff --git a/src/starter/args.c b/src/starter/args.c
index 512f2f46f..ab6b60509 100644
--- a/src/starter/args.c
+++ b/src/starter/args.c
@@ -230,9 +230,14 @@ static const token_info_t token_info[] =
 	{ ARG_TIME, offsetof(starter_conn_t, inactivity), NULL                         },
 	{ ARG_MISC, 0, NULL  /* KW_MODECONFIG */                                       },
 	{ ARG_MISC, 0, NULL  /* KW_XAUTH */                                            },
+	{ ARG_STR,  offsetof(starter_conn_t, xauth_identity), NULL                     },
 	{ ARG_ENUM, offsetof(starter_conn_t, me_mediation), LST_bool                   },
 	{ ARG_STR,  offsetof(starter_conn_t, me_mediated_by), NULL                     },
 	{ ARG_STR,  offsetof(starter_conn_t, me_peerid), NULL                          },
+	{ ARG_UINT, offsetof(starter_conn_t, reqid), NULL                              },
+	{ ARG_MISC, 0, NULL  /* KW_MARK */                                             },
+	{ ARG_MISC, 0, NULL  /* KW_MARK_IN */                                          },
+	{ ARG_MISC, 0, NULL  /* KW_MARK_OUT */                                         },
 
 	/* ca section keywords */
 	{ ARG_STR,  offsetof(starter_ca_t, name), NULL                                 },
diff --git a/src/starter/cmp.c b/src/starter/cmp.c
index 33a057b44..0727cf5f0 100644
--- a/src/starter/cmp.c
+++ b/src/starter/cmp.c
@@ -66,6 +66,10 @@ starter_cmp_conn(starter_conn_t *c1, starter_conn_t *c2)
 	VARCMP(policy);
 	VARCMP(addr_family);
 	VARCMP(tunnel_addr_family);
+	VARCMP(mark_in.value);
+	VARCMP(mark_in.mask);
+	VARCMP(mark_out.value);
+	VARCMP(mark_in.mask);
 
 	if (!starter_cmp_end(&c1->left, &c2->left))
 		return FALSE;
diff --git a/src/starter/confread.c b/src/starter/confread.c
index e9b9028d5..399e17844 100644
--- a/src/starter/confread.c
+++ b/src/starter/confread.c
@@ -461,6 +461,41 @@ static void handle_firewall(const char *label, starter_end_t *end,
 	}
 }
 
+static bool handle_mark(char *value, mark_t *mark)	
+{
+	char *pos, *endptr;
+
+	pos = strchr(value, '/');
+	if (pos)
+	{
+		*pos = '\0';
+		mark->mask = strtoul(pos+1, &endptr, 0);
+		if (*endptr != '\0')
+		{
+			plog("# invalid mark mask: %s", pos+1);
+			return FALSE;
+		}
+	}
+	else
+	{
+		mark->mask = 0xffffffff;
+	}
+	if (value == '\0')
+	{
+		mark->value = 0;
+	}
+	else
+	{
+		mark->value = strtoul(value, &endptr, 0);
+		if (*endptr != '\0')
+		{
+			plog("# invalid mark value: %s", value);
+			return FALSE;
+		}
+	}
+	return TRUE;
+}
+
 /*
  * parse a conn section
  */
@@ -671,6 +706,26 @@ static void load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg
 			}
 			break;
 		}
+		case KW_MARK:
+			if (!handle_mark(kw->value, &conn->mark_in))
+			{
+				cfg->err++;
+				break;
+			}
+			conn->mark_out = conn->mark_in;
+			break;
+		case KW_MARK_IN:
+			if (!handle_mark(kw->value, &conn->mark_in))
+			{
+				cfg->err++;
+			}
+			break;
+		case KW_MARK_OUT:
+			if (!handle_mark(kw->value, &conn->mark_out))
+			{
+				cfg->err++;
+			}
+			break;
 		case KW_KEYINGTRIES:
 			if (streq(kw->value, "%forever"))
 			{
diff --git a/src/starter/confread.h b/src/starter/confread.h
index 199fab642..5e4356ea3 100644
--- a/src/starter/confread.h
+++ b/src/starter/confread.h
@@ -95,6 +95,13 @@ struct also {
 		also_t          *next;
 };
 
+typedef struct mark_t mark_t;
+
+struct mark_t{
+		u_int32_t value;
+		u_int32_t mask;
+};
+
 typedef struct starter_conn starter_conn_t;
 
 struct starter_conn {
@@ -110,6 +117,7 @@ struct starter_conn {
 		u_int32_t       eap_type;
 		u_int32_t       eap_vendor;
 		char            *eap_identity;
+		char            *xauth_identity;
 		lset_t          policy;
 		time_t          sa_ike_life_seconds;
 		time_t          sa_ipsec_life_seconds;
@@ -120,6 +128,9 @@ struct starter_conn {
 		u_int64_t	sa_ipsec_margin_packets;
 		unsigned long   sa_keying_tries;
 		unsigned long   sa_rekey_fuzz;
+		u_int32_t       reqid;
+		mark_t			mark_in;
+		mark_t			mark_out;
 		sa_family_t     addr_family;
 		sa_family_t     tunnel_addr_family;
 		bool            install_policy;
diff --git a/src/starter/ipsec.conf.5 b/src/starter/ipsec.conf.5
index 4cb1cb0fc..b1ae15825 100644
--- a/src/starter/ipsec.conf.5
+++ b/src/starter/ipsec.conf.5
@@ -1,4 +1,4 @@
-.TH IPSEC.CONF 5 "27 Jun 2007"
+.TH IPSEC.CONF 5 "2010-05-30" "4.4.1rc3" "strongSwan"
 .SH NAME
 ipsec.conf \- IPsec configuration and connections
 .SH DESCRIPTION
@@ -7,9 +7,9 @@ The optional
 file
 specifies most configuration and control information for the
 strongSwan IPsec subsystem.
-(The major exception is secrets for authentication;
+The major exception is secrets for authentication;
 see
-.IR ipsec.secrets (5).)
+.IR ipsec.secrets (5).
 Its contents are not security-sensitive.
 .PP
 The file is a text file, consisting of one or more
@@ -61,8 +61,8 @@ indicates what type of section follows, and
 .I name
 is an arbitrary name which distinguishes the section from others
 of the same type.
-(Names must start with a letter and may contain only
-letters, digits, periods, underscores, and hyphens.)
+Names must start with a letter and may contain only
+letters, digits, periods, underscores, and hyphens.
 All subsequent non-empty lines
 which begin with white space are part of the section;
 comments within a section must begin with white space too.
@@ -169,12 +169,12 @@ conn snt
 A note on terminology: There are two kinds of communications going on:
 transmission of user IP packets, and gateway-to-gateway negotiations for
 keying, rekeying, and general control.
-The path to control the connection is called 'ISAKMP SA' in IKEv1 and
-'IKE SA' in the IKEv2 protocol. That what is being negotiated, the kernel
-level data path, is called 'IPsec SA'.
-strongSwan currently uses two separate keying daemons. Pluto handles
-all IKEv1 connections, Charon is the new daemon supporting the IKEv2 protocol.
-Charon does not support all keywords yet.
+The path to control the connection is called 'ISAKMP SA' in IKEv1
+and 'IKE SA' in the IKEv2 protocol. That what is being negotiated, the kernel
+level data path, is called 'IPsec SA' or 'Child SA'.
+strongSwan currently uses two separate keying daemons. \fIpluto\fP handles
+all IKEv1 connections, \fIcharon\fP is the daemon handling the IKEv2
+protocol.
 .PP
 To avoid trivial editing of the configuration file to suit it to each system
 involved in a connection,
@@ -189,7 +189,17 @@ Which participant is considered
 or
 .I right
 is arbitrary;
-IPsec figures out which one it is being run on based on internal information.
+for every connection description an attempt is made to figure out whether
+the local endpoint should act as the
+.I left
+or
+.I right
+endpoint. This is done by matching the IP addresses defined for both endpoints
+with the IP addresses assigned to local network interfaces. If a match is found
+then the role (left or right) that matches is going to be considered local.
+If no match is found during startup,
+.I left
+is considered local.
 This permits using identical connection specifications on both ends.
 There are cases where there is no symmetry; a good convention is to
 use
@@ -230,7 +240,8 @@ acceptable values are
 .B esp
 (the default) and
 .BR ah .
-The IKEv2 daemon currently supports only ESP.
+.br
+The IKEv2 daemon currently supports ESP only.
 .TP
 .B authby
 how the two security gateways should authenticate each other;
@@ -255,6 +266,11 @@ and
 .B xauthrsasig
 that will enable eXtended AUTHentication (XAUTH) in addition to IKEv1 main mode
 based on shared secrets  or digital RSA signatures, respectively.
+IKEv2 additionally supports the value
+.BR eap ,
+which indicates an initiator to request EAP authentication. The EAP method
+to use is selected by the server (see
+.BR eap ).
 This parameter is deprecated for IKEv2 connections, as two peers do not need
 to agree on an authentication method. Use the
 .B leftauth
@@ -263,13 +279,12 @@ parameter instead to define authentication methods in IKEv2.
 .B auto
 what operation, if any, should be done automatically at IPsec startup;
 currently-accepted values are
-.B add
-,
-.B route
-,
+.BR add ,
+.BR route ,
 .B start
 and
-.BR ignore .
+.B ignore
+(the default).
 .B add
 loads a connection without starting it.
 .B route
@@ -305,7 +320,6 @@ A value of
 .B no
 prevents IPsec from proposing compression;
 a proposal to compress will still be accepted.
-IKEv2 does not support IP compression yet.
 .TP
 .B dpdaction
 controls the use of the Dead Peer Detection protocol (DPD, RFC 3706) where
@@ -317,13 +331,12 @@ liveliness of the IPsec peer. The values
 and
 .B restart
 all activate DPD. If no activity is detected, all connections with a dead peer
-are stopped and unrouted (
-.B clear
-), put in the hold state (
-.B hold
-) or restarted (
-.B restart
-).
+are stopped and unrouted
+.RB ( clear ),
+put in the hold state
+.RB ( hold )
+or restarted
+.RB ( restart ).
 For IKEv1, the default is
 .B none
 which disables the active sending of R_U_THERE notifications.
@@ -332,9 +345,8 @@ in order to signal the readiness to act passively as a responder if the peer
 wants to use DPD. For IKEv2,
 .B none
 does't make sense, since all messages are used to detect dead peers. If specified,
-it has the same meaning as the default (
-.B clear
-).
+it has the same meaning as the default
+.RB ( clear ).
 .TP
 .B dpddelay
 defines the period time interval with which R_U_THERE messages/INFORMATIONAL
@@ -354,47 +366,70 @@ not send or receive any traffic. Currently supported in IKEv2 connections only.
 .TP
 .B eap
 defines the EAP type to propose as server if the client requests EAP
-authentication. This parameter is deprecated in the favour of
+authentication. Currently supported values are
+.B aka
+for EAP-AKA,
+.B gtc
+for EAP-GTC,
+.B md5
+for EAP-MD5,
+.B mschapv2
+for EAP-MS-CHAPv2,
+.B radius
+for the EAP-RADIUS proxy and
+.B sim
+for EAP-SIM. Additionally, IANA assigned EAP method numbers are accepted, or a
+definition in the form
+.B eap=type-vendor
+(e.g. eap=7-12345) can be used to specify vendor specific EAP types.
+This parameter is deprecated in the favour of
 .B leftauth.
 
 To forward EAP authentication to a RADIUS server using the EAP-RADIUS plugin,
 set
-.B eap=radius
+.BR eap=radius .
 .TP
 .B eap_identity
 defines the identity the client uses to reply to a EAP Identity request.
 If defined on the EAP server, the defined identity will be used as peer
 identity during EAP authentication. The special value
 .B %identity
-uses the EAP Identity method to ask the client for a EAP identity. If not
+uses the EAP Identity method to ask the client for an EAP identity. If not
 defined, the IKEv2 identity will be used as EAP identity.
 .TP
 .B esp
-ESP encryption/authentication algorithm to be used
+comma-separated list of ESP encryption/authentication algorithms to be used
 for the connection, e.g.
-.B 3des-md5
-(encryption-integrity-[dh-group]). If dh-group is specified, CHILD_SA setup
-and rekeying include a separate diffe hellman exchange (IKEv2 only).
+.BR 3des-md5 .
+The notation is
+.BR encryption-integrity-[dh-group] .
+.br
+If
+.B dh-group
+is specified, CHILD_SA setup and rekeying include a separate diffe hellman
+exchange (IKEv2 only).
 .TP
 .B forceencaps
 Force UDP encapsulation for ESP packets even if no NAT situation is detected.
-This may help to hurdle restrictive firewalls. To enforce the peer to
+This may help to surmount restrictive firewalls. In order to force the peer to
 encapsulate packets, NAT detection payloads are faked (IKEv2 only).
 .TP
 .B ike
-IKE/ISAKMP SA encryption/authentication algorithm to be used, e.g.
-.B aes128-sha1-modp2048
-(encryption-integrity-dhgroup). In IKEv2, multiple algorithms and proposals
-may be included, such as
+comma-separated list of IKE/ISAKMP SA encryption/authentication algorithms
+to be used, e.g.
+.BR aes128-sha1-modp2048 .
+The notation is
+.BR encryption-integrity-dhgroup .
+In IKEv2, multiple algorithms and proposals may be included, such as
 .B aes128-aes256-sha1-modp1536-modp2048,3des-sha1-md5-modp1024.
 .TP
 .B ikelifetime
-how long the keying channel of a connection ('ISAKMP/IKE SA')
+how long the keying channel of a connection (ISAKMP or IKE SA)
 should last before being renegotiated.
 .TP
 .B installpolicy
 decides whether IPsec policies are installed in the kernel by the IKEv2
-charon daemon for a given connection. Allows peaceful co-existence e.g. with
+charon daemon for a given connection. Allows peaceful cooperation e.g. with
 the Mobile IPv6 daemon mip6d who wants to control the kernel policies.
 Acceptable values are
 .B yes
@@ -412,8 +447,8 @@ daemon, unaffected from the
 .B keyexchange
 setting. The default value
 .B ike
-currently behaves exactly as
-.B ikev1.
+currently is a synonym for
+.BR ikev1 .
 .TP
 .B keyingtries
 how many attempts (a whole number or \fB%forever\fP) should be made to
@@ -430,35 +465,51 @@ synonym for
 .TP
 .B left
 (required)
-the IP address of the left participant's public-network interface,
-in any form accepted by
-.IR ttoaddr (3)
+the IP address of the left participant's public-network interface
 or one of several magic values.
 If it is
 .BR %defaultroute ,
 .B left
 will be filled in automatically with the local address
-of the default-route interface (as determined at IPsec startup time).
-(Either
+of the default-route interface (as determined at IPsec startup time and
+during configuration update).
+Either
 .B left
 or
 .B right
 may be
 .BR %defaultroute ,
-but not both.)
-The value
-.B %any
-signifies an address to be filled in (by automatic keying) during
-negotiation. The prefix
+but not both.
+The prefix
 .B  %
 in front of a fully-qualified domain name or an IP address will implicitly set
 .B leftallowany=yes.
-If the domain name cannot be resolved into an IP address at IPsec startup or update time
-then
+If the domain name cannot be resolved into an IP address at IPsec startup or
+update time then
 .B left=%any
 and
 .B leftallowany=no
 will be assumed.
+
+In case of an IKEv2 connection, the value
+.B %any
+for the local endpoint signifies an address to be filled in (by automatic
+keying) during negotiation. If the local peer initiates the connection setup
+the routing table will be queried to determine the correct local IP address.
+In case the local peer is responding to a connection setup then any IP address
+that is assigned to a local interface will be accepted.
+.br
+Note that specifying
+.B %any
+for the local endpoint is not supported by the IKEv1 pluto daemon.
+
+If
+.B %any
+is used for the remote endpoint it literally means any IP address.
+
+Please note that with the usage of wildcards multiple connection descriptions
+might match a given incoming connection attempt. The most specific description
+is used in that case.
 .TP
 .B leftallowany
 a modifier for
@@ -466,8 +517,8 @@ a modifier for
 , making it behave as
 .B %any
 although a concrete IP address has been assigned.
-Recommended for dynamic IP addresses that can be resolved by DynDNS at IPsec startup or
-update time.
+Recommended for dynamic IP addresses that can be resolved by DynDNS at IPsec
+startup or update time.
 Acceptable values are
 .B yes
 and
@@ -475,7 +526,8 @@ and
 (the default).
 .TP
 .B leftauth
-Authentication method to use (local) or require (remote) in this connection.
+Authentication method to use locally (left) or require from the remote (right)
+side.
 This parameter is supported in IKEv2 only. Acceptable values are
 .B pubkey
 for public key authentication (RSA/ECDSA),
@@ -486,19 +538,20 @@ to (require the) use of the Extensible Authentication Protocol. In the case
 of
 .B eap,
 an optional EAP method can be appended. Currently defined methods are
-.B eap-aka, eap-sim, eap-gtc, eap-md5
+.BR eap-aka ,
+.BR eap-gtc ,
+.BR eap-md5 ,
+.B eap-mschapv2
 and
-.B eap-mschapv2.
+.BR eap-sim .
 Alternatively, IANA assigned EAP method numbers are accepted. Vendor specific
 EAP methods are defined in the form
 .B eap-type-vendor
-(e.g.
-.B eap-7-12345
-).
+.RB "(e.g. " eap-7-12345 ).
 .TP
 .B leftauth2
 Same as
-.B leftauth,
+.BR leftauth ,
 but defines an additional authentication exchange. IKEv2 supports multiple
 authentication rounds using "Multiple Authentication Exchanges" defined
 in RFC4739. This allows, for example, separated authentication
@@ -515,8 +568,8 @@ Same as
 but for the second authentication round (IKEv2 only).
 .TP
 .B leftcert
-the path to the left participant's X.509 certificate. The file can be coded either in
-PEM or DER format. OpenPGP certificates are supported as well.
+the path to the left participant's X.509 certificate. The file can be encoded
+either in PEM or DER format. OpenPGP certificates are supported as well.
 Both absolute paths or paths relative to \fI/etc/ipsec.d/certs\fP
 are accepted. By default
 .B leftcert
@@ -571,9 +624,11 @@ a comma separated list of group names. If the
 .B leftgroups
 parameter is present then the peer must be a member of at least one
 of the groups defined by the parameter. Group membership must be certified
-by a valid attribute certificate stored in \fI/etc/ipsec.d/acerts/\fP thas has been
-issued to the peer by a trusted Authorization Authority stored in
-\fI/etc/ipsec.d/aacerts/\fP. Attribute certificates are not supported in IKEv2 yet.
+by a valid attribute certificate stored in \fI/etc/ipsec.d/acerts/\fP thas has
+been issued to the peer by a trusted Authorization Authority stored in
+\fI/etc/ipsec.d/aacerts/\fP.
+.br
+Attribute certificates are not supported in IKEv2 yet.
 .TP
 .B lefthostaccess
 inserts a pair of INPUT and OUTPUT iptables rules using the default
@@ -587,15 +642,10 @@ and
 (the default).
 .TP
 .B leftid
-how
-the left participant
-should be identified for authentication;
+how the left participant should be identified for authentication;
 defaults to
 .BR left .
-Can be an IP address (in any
-.IR ttoaddr (3)
-syntax)
-or a fully-qualified domain name preceded by
+Can be an IP address or a fully-qualified domain name preceded by
 .B @
 (which is used as a literal string and not resolved).
 .TP
@@ -606,14 +656,18 @@ identity to use for a second authentication for the left participant
 .TP
 .B leftikeport
 UDP port the left participant uses for IKE communication. Currently supported in
-IKEv2 connections only. If unspecified, port 500 is used with port floating to
-4500 if NAT is detected or MOBIKE enabled. Specifying a local IKE port
+IKEv2 connections only. If unspecified, port 500 is used with the port floating
+to 4500 if a NAT is detected or MOBIKE is enabled. Specifying a local IKE port
 different from the default additionally requires a socket implementation that
 listens to this port.
 .TP
 .B leftnexthop
-this parameter is not needed any more because the NETKEY IPsec stack does
-not require explicit routing entries for the traffic to be tunneled.
+this parameter is usually not needed any more because the NETKEY IPsec stack
+does not require explicit routing entries for the traffic to be tunneled. If
+.B leftsourceip
+is used with IKEv1 then
+.B leftnexthop
+must still be set in order for the source routes to work properly.
 .TP
 .B leftprotoport
 restrict the traffic selector to a single protocol and/or port.
@@ -656,35 +710,34 @@ or
 or
 .BR yes ,
 and
-.BR ifasked .
+.BR ifasked ,
+the latter meaning that the peer must send a certificate request payload in
+order to get a certificate in return.
 .TP
 .B leftsourceip
 The internal source IP to use in a tunnel, also known as virtual IP. If the
-value is
+value is one of the synonyms
 .BR %modeconfig ,
 .BR %modecfg ,
 .BR %config ,
 or
-.B %cfg,
-an address is requested from the peer. In IKEv2, a defined address is requested,
-but the server may change it. If the server does not support it, the address
-is enforced.
+.BR %cfg ,
+an address is requested from the peer. In IKEv2, a statically defined address
+is also requested, since the server may change it.
 .TP
 .B rightsourceip
 The internal source IP to use in a tunnel for the remote peer. If the
 value is
 .B %config
-on the responder side, the initiator must propose a address which is then echoed
-back. The IKEv2 daemon also supports address pools expressed as
+on the responder side, the initiator must propose an address which is then
+echoed back. Also supported are address pools expressed as
 \fInetwork\fB/\fInetmask\fR
-or the use of an external IP address pool using %\fIpoolname\fR
-, where \fIpoolname\fR is the name of the IP address pool used for the lookup.
+or the use of an external IP address pool using %\fIpoolname\fR,
+where \fIpoolname\fR is the name of the IP address pool used for the lookup.
 .TP
 .B leftsubnet
 private subnet behind the left participant, expressed as
-\fInetwork\fB/\fInetmask\fR
-(actually, any form acceptable to
-.IR ttosubnet (3));
+\fInetwork\fB/\fInetmask\fR;
 if omitted, essentially assumed to be \fIleft\fB/32\fR,
 signifying that the left end of the connection goes to the left participant
 only. When using IKEv2, the configured subnet of the peers may differ, the
@@ -710,8 +763,8 @@ See
 .IR pluto (8)
 for details.
 Relevant only locally, other end need not agree on it. IKEv2 uses the updown
-script to insert firewall rules only. Routing is not support and will be
-implemented directly into Charon.
+script to insert firewall rules only, since routing has been implemented
+directly into charon.
 .TP
 .B lifebytes
 the number of bytes transmitted over an IPsec SA before it expires (IKEv2
@@ -768,6 +821,25 @@ begin; acceptable values as for
 .BR 9m ).
 Relevant only locally, other end need not agree on it.
 .TP
+.B mark
+sets an XFRM mark of the form <value>[/<mask>] in the inbound and outbound
+IPsec SAs and policies (IKEv2 only). If the mask is missing then a default
+mask of
+.B 0xffffffff
+is assumed.
+.TP
+.B mark_in
+sets an XFRM mark of the form <value>[/<mask>] in the inbound IPsec SA and policy
+(IKEv2 only). If the mask is missing then a default mask of
+.B 0xffffffff
+is assumed.
+.TP
+.B mark_out
+sets an XFRM mark of the form <value>[/<mask>] in the outbound IPsec SA and policy
+(IKEv2 only). If the mask is missing then a default mask of
+.B 0xffffffff
+is assumed.
+.TP
 .B mobike
 enables the IKEv2 MOBIKE protocol defined by RFC 4555. Accepted values are
 .B yes
@@ -786,7 +858,9 @@ and
 .B pull
 (the default).
 Currently relevant for IKEv1 only since IKEv2 always uses the configuration
-payload in pull mode.
+payload in pull mode. Cisco VPN gateways usually operate in
+.B push
+mode.
 .TP
 .B pfs
 whether Perfect Forward Secrecy of keys is desired on the connection's
@@ -825,7 +899,7 @@ and
 .BR no .
 The two ends need not agree, but while a value of
 .B no
-prevents Pluto/Charon from requesting renegotiation,
+prevents pluto/charon from requesting renegotiation,
 it does not prevent responding to renegotiation requested from the other end,
 so
 .B no
@@ -863,6 +937,9 @@ Relevant only locally, other end need not agree on it.
 synonym for
 .BR margintime .
 .TP
+.B reqid
+sets the reqid for a given connection to a pre-configured fixed value (IKEv2 only).
+.TP
 .B type
 the type of the connection; currently the accepted values
 are
@@ -879,12 +956,12 @@ signifying that no IPsec processing should be done at all;
 signifying that packets should be discarded; and
 .BR reject ,
 signifying that packets should be discarded and a diagnostic ICMP returned.
-Charon currently supports
+The IKEv2 daemon charon currently supports
 .BR tunnel ,
 .BR transport ,
 and
 .BR tunnel_proxy
-connection types, only .
+connection types, only.
 .TP
 .B xauth
 specifies the role in the XAUTH protocol if activated by
@@ -928,8 +1005,7 @@ of this connection will be used as peer ID.
 
 .SH "CA SECTIONS"
 This are optional sections that can be used to assign special
-parameters to a Certification Authority (CA). These parameters are not
-supported in IKEv2 yet.
+parameters to a Certification Authority (CA).
 .TP 10
 .B auto
 currently can have either the value
@@ -964,6 +1040,7 @@ synonym for
 .TP
 .B ocspuri2
 defines an alternative OCSP URI. Currently used by IKEv2 only.
+.TP
 .B certuribase
 defines the base URI for the Hash and URL feature supported by IKEv2.
 Instead of exchanging complete certificates, IKEv2 allows to send an URI
@@ -974,9 +1051,7 @@ At present, the only
 .B config
 section known to the IPsec software is the one named
 .BR setup ,
-which contains information used when the software is being started
-(see
-.IR starter (8)).
+which contains information used when the software is being started.
 Here's an example:
 .PP
 .ne 8
@@ -1234,21 +1309,6 @@ must be used to denote no interfaces.
 .B overridemtu
 value that the MTU of the ipsec\fIn\fR interface(s) should be set to,
 overriding IPsec's (large) default.
-.SH CHOOSING A CONNECTION
-.PP
-When choosing a connection to apply to an outbound packet caught with a
-.BR %trap,
-the system prefers the one with the most specific eroute that
-includes the packet's source and destination IP addresses.
-Source subnets are examined before destination subnets.
-For initiating, only routed connections are considered. For responding,
-unrouted but added connections are considered.
-.PP
-When choosing a connection to use to respond to a negotiation which
-doesn't match an ordinary conn, an opportunistic connection
-may be instantiated. Eventually, its instance will be /32 -> /32, but
-for earlier stages of the negotiation, there will not be enough
-information about the client subnets to complete the instantiation.
 .SH FILES
 .nf
 /etc/ipsec.conf
@@ -1259,12 +1319,11 @@ information about the client subnets to complete the instantiation.
 /etc/ipsec.d/crls
 
 .SH SEE ALSO
-ipsec(8), pluto(8), starter(8), ttoaddr(3), ttodata(3)
+ipsec(8), pluto(8), starter(8)
 .SH HISTORY
-Written  for  the  FreeS/WAN project by Henry Spencer.
-Extended for the strongSwan project
-<http://www.strongswan.org>
-by Andreas Steffen. IKEv2-specific features by Martin Willi.
+Originally written for the FreeS/WAN project by Henry Spencer.
+Updated and extended for the strongSwan project <http://www.strongswan.org> by
+Tobias Brunner, Andreas Steffen and Martin Willi.
 .SH BUGS
 .PP
 If conns are to be added before DNS is available, \fBleft=\fP\fIFQDN\fP
diff --git a/src/starter/ipsec.conf.5.in b/src/starter/ipsec.conf.5.in
new file mode 100644
index 000000000..3d2940a66
--- /dev/null
+++ b/src/starter/ipsec.conf.5.in
@@ -0,0 +1,1330 @@
+.TH IPSEC.CONF 5 "2010-05-30" "@IPSEC_VERSION@" "strongSwan"
+.SH NAME
+ipsec.conf \- IPsec configuration and connections
+.SH DESCRIPTION
+The optional
+.I ipsec.conf
+file
+specifies most configuration and control information for the
+strongSwan IPsec subsystem.
+The major exception is secrets for authentication;
+see
+.IR ipsec.secrets (5).
+Its contents are not security-sensitive.
+.PP
+The file is a text file, consisting of one or more
+.IR sections .
+White space followed by
+.B #
+followed by anything to the end of the line
+is a comment and is ignored,
+as are empty lines which are not within a section.
+.PP
+A line which contains
+.B include
+and a file name, separated by white space,
+is replaced by the contents of that file,
+preceded and followed by empty lines.
+If the file name is not a full pathname,
+it is considered to be relative to the directory containing the
+including file.
+Such inclusions can be nested.
+Only a single filename may be supplied, and it may not contain white space,
+but it may include shell wildcards (see
+.IR sh (1));
+for example:
+.PP
+.B include
+.B "ipsec.*.conf"
+.PP
+The intention of the include facility is mostly to permit keeping
+information on connections, or sets of connections,
+separate from the main configuration file.
+This permits such connection descriptions to be changed,
+copied to the other security gateways involved, etc.,
+without having to constantly extract them from the configuration
+file and then insert them back into it.
+Note also the
+.B also
+parameter (described below) which permits splitting a single logical
+section (e.g. a connection description) into several actual sections.
+.PP
+A section
+begins with a line of the form:
+.PP
+.I type
+.I name
+.PP
+where
+.I type
+indicates what type of section follows, and
+.I name
+is an arbitrary name which distinguishes the section from others
+of the same type.
+Names must start with a letter and may contain only
+letters, digits, periods, underscores, and hyphens.
+All subsequent non-empty lines
+which begin with white space are part of the section;
+comments within a section must begin with white space too.
+There may be only one section of a given type with a given name.
+.PP
+Lines within the section are generally of the form
+.PP
+\ \ \ \ \ \fIparameter\fB=\fIvalue\fR
+.PP
+(note the mandatory preceding white space).
+There can be white space on either side of the
+.BR = .
+Parameter names follow the same syntax as section names,
+and are specific to a section type.
+Unless otherwise explicitly specified,
+no parameter name may appear more than once in a section.
+.PP
+An empty
+.I value
+stands for the system default value (if any) of the parameter,
+i.e. it is roughly equivalent to omitting the parameter line entirely.
+A
+.I value
+may contain white space only if the entire
+.I value
+is enclosed in double quotes (\fB"\fR);
+a
+.I value
+cannot itself contain a double quote,
+nor may it be continued across more than one line.
+.PP
+Numeric values are specified to be either an ``integer''
+(a sequence of digits) or a ``decimal number''
+(sequence of digits optionally followed by `.' and another sequence of digits).
+.PP
+There is currently one parameter which is available in any type of
+section:
+.TP
+.B also
+the value is a section name;
+the parameters of that section are appended to this section,
+as if they had been written as part of it.
+The specified section must exist, must follow the current one,
+and must have the same section type.
+(Nesting is permitted,
+and there may be more than one
+.B also
+in a single section,
+although it is forbidden to append the same section more than once.)
+.PP
+A section with name
+.B %default
+specifies defaults for sections of the same type.
+For each parameter in it,
+any section of that type which does not have a parameter of the same name
+gets a copy of the one from the
+.B %default
+section.
+There may be multiple
+.B %default
+sections of a given type,
+but only one default may be supplied for any specific parameter name,
+and all
+.B %default
+sections of a given type must precede all non-\c
+.B %default
+sections of that type.
+.B %default
+sections may not contain the
+.B also
+parameter.
+.PP
+Currently there are three types of sections:
+a
+.B config
+section specifies general configuration information for IPsec, a
+.B conn
+section specifies an IPsec connection, while a
+.B ca
+section specifies special properties of a certification authority.
+.SH "CONN SECTIONS"
+A
+.B conn
+section contains a
+.IR "connection specification" ,
+defining a network connection to be made using IPsec.
+The name given is arbitrary, and is used to identify the connection.
+Here's a simple example:
+.PP
+.ne 10
+.nf
+.ft B
+.ta 1c
+conn snt
+	left=192.168.0.1
+	leftsubnet=10.1.0.0/16
+	right=192.168.0.2
+	rightsubnet=10.1.0.0/16
+	keyingtries=%forever
+	auto=add
+.ft
+.fi
+.PP
+A note on terminology: There are two kinds of communications going on:
+transmission of user IP packets, and gateway-to-gateway negotiations for
+keying, rekeying, and general control.
+The path to control the connection is called 'ISAKMP SA' in IKEv1
+and 'IKE SA' in the IKEv2 protocol. That what is being negotiated, the kernel
+level data path, is called 'IPsec SA' or 'Child SA'.
+strongSwan currently uses two separate keying daemons. \fIpluto\fP handles
+all IKEv1 connections, \fIcharon\fP is the daemon handling the IKEv2
+protocol.
+.PP
+To avoid trivial editing of the configuration file to suit it to each system
+involved in a connection,
+connection specifications are written in terms of
+.I left
+and
+.I right
+participants,
+rather than in terms of local and remote.
+Which participant is considered
+.I left
+or
+.I right
+is arbitrary;
+for every connection description an attempt is made to figure out whether
+the local endpoint should act as the
+.I left
+or
+.I right
+endpoint. This is done by matching the IP addresses defined for both endpoints
+with the IP addresses assigned to local network interfaces. If a match is found
+then the role (left or right) that matches is going to be considered local.
+If no match is found during startup,
+.I left
+is considered local.
+This permits using identical connection specifications on both ends.
+There are cases where there is no symmetry; a good convention is to
+use
+.I left
+for the local side and
+.I right
+for the remote side (the first letters are a good mnemonic).
+.PP
+Many of the parameters relate to one participant or the other;
+only the ones for
+.I left
+are listed here, but every parameter whose name begins with
+.B left
+has a
+.B right
+counterpart,
+whose description is the same but with
+.B left
+and
+.B right
+reversed.
+.PP
+Parameters are optional unless marked '(required)'.
+.SS "CONN PARAMETERS"
+Unless otherwise noted, for a connection to work,
+in general it is necessary for the two ends to agree exactly
+on the values of these parameters.
+.TP 14
+.B ah
+AH authentication algorithm to be used
+for the connection, e.g.
+.B hmac-md5.
+.TP
+.B auth
+whether authentication should be done as part of
+ESP encryption, or separately using the AH protocol;
+acceptable values are
+.B esp
+(the default) and
+.BR ah .
+.br
+The IKEv2 daemon currently supports ESP only.
+.TP
+.B authby
+how the two security gateways should authenticate each other;
+acceptable values are
+.B secret
+or
+.B psk
+for pre-shared secrets,
+.B pubkey
+(the default) for public key signatures as well as the synonyms
+.B rsasig
+for RSA digital signatures and
+.B ecdsasig
+for Elliptic Curve DSA signatures.
+.B never
+can be used if negotiation is never to be attempted or accepted (useful for
+shunt-only conns).
+Digital signatures are superior in every way to shared secrets.
+IKEv1 additionally supports the values
+.B xauthpsk
+and
+.B xauthrsasig
+that will enable eXtended AUTHentication (XAUTH) in addition to IKEv1 main mode
+based on shared secrets  or digital RSA signatures, respectively.
+IKEv2 additionally supports the value
+.BR eap ,
+which indicates an initiator to request EAP authentication. The EAP method
+to use is selected by the server (see
+.BR eap ).
+This parameter is deprecated for IKEv2 connections, as two peers do not need
+to agree on an authentication method. Use the
+.B leftauth
+parameter instead to define authentication methods in IKEv2.
+.TP
+.B auto
+what operation, if any, should be done automatically at IPsec startup;
+currently-accepted values are
+.BR add ,
+.BR route ,
+.B start
+and
+.B ignore
+(the default).
+.B add
+loads a connection without starting it.
+.B route
+loads a connection and installs kernel traps. If traffic is detected between
+.B leftsubnet
+and
+.B rightsubnet
+, a connection is established.
+.B start
+loads a connection and brings it up immediatly.
+.B ignore
+ignores the connection. This is equal to delete a connection from the config
+file.
+Relevant only locally, other end need not agree on it
+(but in general, for an intended-to-be-permanent connection,
+both ends should use
+.B auto=start
+to ensure that any reboot causes immediate renegotiation).
+.TP
+.B compress
+whether IPComp compression of content is proposed on the connection
+(link-level compression does not work on encrypted data,
+so to be effective, compression must be done \fIbefore\fR encryption);
+acceptable values are
+.B yes
+and
+.B no
+(the default). A value of
+.B yes
+causes IPsec to propose both compressed and uncompressed,
+and prefer compressed.
+A value of
+.B no
+prevents IPsec from proposing compression;
+a proposal to compress will still be accepted.
+.TP
+.B dpdaction
+controls the use of the Dead Peer Detection protocol (DPD, RFC 3706) where
+R_U_THERE notification messages (IKEv1) or empty INFORMATIONAL messages (IKEv2)
+are periodically sent in order to check the
+liveliness of the IPsec peer. The values
+.BR clear ,
+.BR hold ,
+and
+.B restart
+all activate DPD. If no activity is detected, all connections with a dead peer
+are stopped and unrouted
+.RB ( clear ),
+put in the hold state
+.RB ( hold )
+or restarted
+.RB ( restart ).
+For IKEv1, the default is
+.B none
+which disables the active sending of R_U_THERE notifications.
+Nevertheless pluto will always send the DPD Vendor ID during connection set up
+in order to signal the readiness to act passively as a responder if the peer
+wants to use DPD. For IKEv2,
+.B none
+does't make sense, since all messages are used to detect dead peers. If specified,
+it has the same meaning as the default
+.RB ( clear ).
+.TP
+.B dpddelay
+defines the period time interval with which R_U_THERE messages/INFORMATIONAL
+exchanges are sent to the peer. These are only sent if no other traffic is
+received. In IKEv2, a value of 0 sends no additional INFORMATIONAL
+messages and uses only standard messages (such as those to rekey) to detect
+dead peers.
+.TP
+.B dpdtimeout
+defines the timeout interval, after which all connections to a peer are deleted
+in case of inactivity. This only applies to IKEv1, in IKEv2 the default
+retransmission timeout applies, as every exchange is used to detect dead peers.
+.TP
+.B inactivity
+defines the timeout interval, after which a CHILD_SA is closed if it did
+not send or receive any traffic. Currently supported in IKEv2 connections only.
+.TP
+.B eap
+defines the EAP type to propose as server if the client requests EAP
+authentication. Currently supported values are
+.B aka
+for EAP-AKA,
+.B gtc
+for EAP-GTC,
+.B md5
+for EAP-MD5,
+.B mschapv2
+for EAP-MS-CHAPv2,
+.B radius
+for the EAP-RADIUS proxy and
+.B sim
+for EAP-SIM. Additionally, IANA assigned EAP method numbers are accepted, or a
+definition in the form
+.B eap=type-vendor
+(e.g. eap=7-12345) can be used to specify vendor specific EAP types.
+This parameter is deprecated in the favour of
+.B leftauth.
+
+To forward EAP authentication to a RADIUS server using the EAP-RADIUS plugin,
+set
+.BR eap=radius .
+.TP
+.B eap_identity
+defines the identity the client uses to reply to a EAP Identity request.
+If defined on the EAP server, the defined identity will be used as peer
+identity during EAP authentication. The special value
+.B %identity
+uses the EAP Identity method to ask the client for an EAP identity. If not
+defined, the IKEv2 identity will be used as EAP identity.
+.TP
+.B esp
+comma-separated list of ESP encryption/authentication algorithms to be used
+for the connection, e.g.
+.BR 3des-md5 .
+The notation is
+.BR encryption-integrity-[dh-group] .
+.br
+If
+.B dh-group
+is specified, CHILD_SA setup and rekeying include a separate diffe hellman
+exchange (IKEv2 only).
+.TP
+.B forceencaps
+Force UDP encapsulation for ESP packets even if no NAT situation is detected.
+This may help to surmount restrictive firewalls. In order to force the peer to
+encapsulate packets, NAT detection payloads are faked (IKEv2 only).
+.TP
+.B ike
+comma-separated list of IKE/ISAKMP SA encryption/authentication algorithms
+to be used, e.g.
+.BR aes128-sha1-modp2048 .
+The notation is
+.BR encryption-integrity-dhgroup .
+In IKEv2, multiple algorithms and proposals may be included, such as
+.B aes128-aes256-sha1-modp1536-modp2048,3des-sha1-md5-modp1024.
+.TP
+.B ikelifetime
+how long the keying channel of a connection (ISAKMP or IKE SA)
+should last before being renegotiated.
+.TP
+.B installpolicy
+decides whether IPsec policies are installed in the kernel by the IKEv2
+charon daemon for a given connection. Allows peaceful cooperation e.g. with
+the Mobile IPv6 daemon mip6d who wants to control the kernel policies.
+Acceptable values are
+.B yes
+(the default) and
+.BR no .
+.TP
+.B keyexchange
+method of key exchange;
+which protocol should be used to initialize the connection. Connections marked with
+.B ikev1
+are initiated with pluto, those marked with
+.B ikev2
+with charon. An incoming request from the remote peer is handled by the correct
+daemon, unaffected from the
+.B keyexchange
+setting. The default value
+.B ike
+currently is a synonym for
+.BR ikev1 .
+.TP
+.B keyingtries
+how many attempts (a whole number or \fB%forever\fP) should be made to
+negotiate a connection, or a replacement for one, before giving up
+(default
+.BR %forever ).
+The value \fB%forever\fP
+means 'never give up'.
+Relevant only locally, other end need not agree on it.
+.TP
+.B keylife
+synonym for
+.BR lifetime .
+.TP
+.B left
+(required)
+the IP address of the left participant's public-network interface
+or one of several magic values.
+If it is
+.BR %defaultroute ,
+.B left
+will be filled in automatically with the local address
+of the default-route interface (as determined at IPsec startup time and
+during configuration update).
+Either
+.B left
+or
+.B right
+may be
+.BR %defaultroute ,
+but not both.
+The prefix
+.B  %
+in front of a fully-qualified domain name or an IP address will implicitly set
+.B leftallowany=yes.
+If the domain name cannot be resolved into an IP address at IPsec startup or
+update time then
+.B left=%any
+and
+.B leftallowany=no
+will be assumed.
+
+In case of an IKEv2 connection, the value
+.B %any
+for the local endpoint signifies an address to be filled in (by automatic
+keying) during negotiation. If the local peer initiates the connection setup
+the routing table will be queried to determine the correct local IP address.
+In case the local peer is responding to a connection setup then any IP address
+that is assigned to a local interface will be accepted.
+.br
+Note that specifying
+.B %any
+for the local endpoint is not supported by the IKEv1 pluto daemon.
+
+If
+.B %any
+is used for the remote endpoint it literally means any IP address.
+
+Please note that with the usage of wildcards multiple connection descriptions
+might match a given incoming connection attempt. The most specific description
+is used in that case.
+.TP
+.B leftallowany
+a modifier for
+.B left
+, making it behave as
+.B %any
+although a concrete IP address has been assigned.
+Recommended for dynamic IP addresses that can be resolved by DynDNS at IPsec
+startup or update time.
+Acceptable values are
+.B yes
+and
+.B no
+(the default).
+.TP
+.B leftauth
+Authentication method to use locally (left) or require from the remote (right)
+side.
+This parameter is supported in IKEv2 only. Acceptable values are
+.B pubkey
+for public key authentication (RSA/ECDSA),
+.B psk
+for pre-shared key authentication and
+.B eap
+to (require the) use of the Extensible Authentication Protocol. In the case
+of
+.B eap,
+an optional EAP method can be appended. Currently defined methods are
+.BR eap-aka ,
+.BR eap-gtc ,
+.BR eap-md5 ,
+.B eap-mschapv2
+and
+.BR eap-sim .
+Alternatively, IANA assigned EAP method numbers are accepted. Vendor specific
+EAP methods are defined in the form
+.B eap-type-vendor
+.RB "(e.g. " eap-7-12345 ).
+.TP
+.B leftauth2
+Same as
+.BR leftauth ,
+but defines an additional authentication exchange. IKEv2 supports multiple
+authentication rounds using "Multiple Authentication Exchanges" defined
+in RFC4739. This allows, for example, separated authentication
+of host and user (IKEv2 only).
+.TP
+.B leftca
+the distinguished name of a certificate authority which is required to
+lie in the trust path going from the left participant's certificate up
+to the root certification authority.
+.TP
+.B leftca2
+Same as
+.B leftca,
+but for the second authentication round (IKEv2 only).
+.TP
+.B leftcert
+the path to the left participant's X.509 certificate. The file can be encoded
+either in PEM or DER format. OpenPGP certificates are supported as well.
+Both absolute paths or paths relative to \fI/etc/ipsec.d/certs\fP
+are accepted. By default
+.B leftcert
+sets
+.B leftid
+to the distinguished name of the certificate's subject and
+.B leftca
+to the distinguished name of the certificate's issuer.
+The left participant's ID can be overriden by specifying a
+.B leftid
+value which must be certified by the certificate, though.
+.TP
+.B leftcert2
+Same as
+.B leftcert,
+but for the second authentication round (IKEv2 only).
+.TP
+.B leftfirewall
+whether the left participant is doing forwarding-firewalling
+(including masquerading) using iptables for traffic from \fIleftsubnet\fR,
+which should be turned off (for traffic to the other subnet)
+once the connection is established;
+acceptable values are
+.B yes
+and
+.B no
+(the default).
+May not be used in the same connection description with
+.BR leftupdown .
+Implemented as a parameter to the default \fBipsec _updown\fR script.
+See notes below.
+Relevant only locally, other end need not agree on it.
+
+If one or both security gateways are doing forwarding firewalling
+(possibly including masquerading),
+and this is specified using the firewall parameters,
+tunnels established with IPsec are exempted from it
+so that packets can flow unchanged through the tunnels.
+(This means that all subnets connected in this manner must have
+distinct, non-overlapping subnet address blocks.)
+This is done by the default \fBipsec _updown\fR script (see
+.IR pluto (8)).
+
+In situations calling for more control,
+it may be preferable for the user to supply his own
+.I updown
+script,
+which makes the appropriate adjustments for his system.
+.TP
+.B leftgroups
+a comma separated list of group names. If the
+.B leftgroups
+parameter is present then the peer must be a member of at least one
+of the groups defined by the parameter. Group membership must be certified
+by a valid attribute certificate stored in \fI/etc/ipsec.d/acerts/\fP thas has
+been issued to the peer by a trusted Authorization Authority stored in
+\fI/etc/ipsec.d/aacerts/\fP.
+.br
+Attribute certificates are not supported in IKEv2 yet.
+.TP
+.B lefthostaccess
+inserts a pair of INPUT and OUTPUT iptables rules using the default
+\fBipsec _updown\fR script, thus allowing access to the host itself
+in the case where the host's internal interface is part of the
+negotiated client subnet.
+Acceptable values are
+.B yes
+and
+.B no
+(the default).
+.TP
+.B leftid
+how the left participant should be identified for authentication;
+defaults to
+.BR left .
+Can be an IP address or a fully-qualified domain name preceded by
+.B @
+(which is used as a literal string and not resolved).
+.TP
+.B leftid2
+identity to use for a second authentication for the left participant
+(IKEv2 only); defaults to
+.BR leftid .
+.TP
+.B leftikeport
+UDP port the left participant uses for IKE communication. Currently supported in
+IKEv2 connections only. If unspecified, port 500 is used with the port floating
+to 4500 if a NAT is detected or MOBIKE is enabled. Specifying a local IKE port
+different from the default additionally requires a socket implementation that
+listens to this port.
+.TP
+.B leftnexthop
+this parameter is usually not needed any more because the NETKEY IPsec stack
+does not require explicit routing entries for the traffic to be tunneled. If
+.B leftsourceip
+is used with IKEv1 then
+.B leftnexthop
+must still be set in order for the source routes to work properly.
+.TP
+.B leftprotoport
+restrict the traffic selector to a single protocol and/or port.
+Examples:
+.B leftprotoport=tcp/http
+or
+.B leftprotoport=6/80
+or
+.B leftprotoport=udp
+.TP
+.B leftrsasigkey
+the left participant's
+public key for RSA signature authentication,
+in RFC 2537 format using
+.IR ttodata (3)
+encoding.
+The magic value
+.B %none
+means the same as not specifying a value (useful to override a default).
+The value
+.B %cert
+(the default)
+means that the key is extracted from a certificate.
+The identity used for the left participant
+must be a specific host, not
+.B %any
+or another magic value.
+.B Caution:
+if two connection descriptions
+specify different public keys for the same
+.BR leftid ,
+confusion and madness will ensue.
+.TP
+.B leftsendcert
+Accepted values are
+.B never
+or
+.BR no ,
+.B always
+or
+.BR yes ,
+and
+.BR ifasked ,
+the latter meaning that the peer must send a certificate request payload in
+order to get a certificate in return.
+.TP
+.B leftsourceip
+The internal source IP to use in a tunnel, also known as virtual IP. If the
+value is one of the synonyms
+.BR %modeconfig ,
+.BR %modecfg ,
+.BR %config ,
+or
+.BR %cfg ,
+an address is requested from the peer. In IKEv2, a statically defined address
+is also requested, since the server may change it.
+.TP
+.B rightsourceip
+The internal source IP to use in a tunnel for the remote peer. If the
+value is
+.B %config
+on the responder side, the initiator must propose an address which is then
+echoed back. Also supported are address pools expressed as
+\fInetwork\fB/\fInetmask\fR
+or the use of an external IP address pool using %\fIpoolname\fR,
+where \fIpoolname\fR is the name of the IP address pool used for the lookup.
+.TP
+.B leftsubnet
+private subnet behind the left participant, expressed as
+\fInetwork\fB/\fInetmask\fR;
+if omitted, essentially assumed to be \fIleft\fB/32\fR,
+signifying that the left end of the connection goes to the left participant
+only. When using IKEv2, the configured subnet of the peers may differ, the
+protocol narrows it to the greatest common subnet. Further, IKEv2 supports
+multiple subnets separated by commas. IKEv1 only interprets the first subnet
+of such a definition.
+.TP
+.B leftsubnetwithin
+the peer can propose any subnet or single IP address that fits within the
+range defined by
+.BR leftsubnetwithin.
+Not relevant for IKEv2, as subnets are narrowed.
+.TP
+.B leftupdown
+what ``updown'' script to run to adjust routing and/or firewalling
+when the status of the connection
+changes (default
+.BR "ipsec _updown" ).
+May include positional parameters separated by white space
+(although this requires enclosing the whole string in quotes);
+including shell metacharacters is unwise.
+See
+.IR pluto (8)
+for details.
+Relevant only locally, other end need not agree on it. IKEv2 uses the updown
+script to insert firewall rules only, since routing has been implemented
+directly into charon.
+.TP
+.B lifebytes
+the number of bytes transmitted over an IPsec SA before it expires (IKEv2
+only).
+.TP
+.B lifepackets
+the number of packets transmitted over an IPsec SA before it expires (IKEv2
+only).
+.TP
+.B lifetime
+how long a particular instance of a connection
+(a set of encryption/authentication keys for user packets) should last,
+from successful negotiation to expiry;
+acceptable values are an integer optionally followed by
+.BR s
+(a time in seconds)
+or a decimal number followed by
+.BR m ,
+.BR h ,
+or
+.B d
+(a time
+in minutes, hours, or days respectively)
+(default
+.BR 1h ,
+maximum
+.BR 24h ).
+Normally, the connection is renegotiated (via the keying channel)
+before it expires (see
+.BR margintime ).
+The two ends need not exactly agree on
+.BR lifetime ,
+although if they do not,
+there will be some clutter of superseded connections on the end
+which thinks the lifetime is longer.
+.TP
+.B marginbytes
+how many bytes before IPsec SA expiry (see
+.BR lifebytes )
+should attempts to negotiate a replacement begin (IKEv2 only).
+.TP
+.B marginpackets
+how many packets before IPsec SA expiry (see
+.BR lifepackets )
+should attempts to negotiate a replacement begin (IKEv2 only).
+.TP
+.B margintime
+how long before connection expiry or keying-channel expiry
+should attempts to
+negotiate a replacement
+begin; acceptable values as for
+.B lifetime
+(default
+.BR 9m ).
+Relevant only locally, other end need not agree on it.
+.TP
+.B mark
+sets an XFRM mark of the form <value>[/<mask>] in the inbound and outbound
+IPsec SAs and policies (IKEv2 only). If the mask is missing then a default
+mask of
+.B 0xffffffff
+is assumed.
+.TP
+.B mark_in
+sets an XFRM mark of the form <value>[/<mask>] in the inbound IPsec SA and policy
+(IKEv2 only). If the mask is missing then a default mask of
+.B 0xffffffff
+is assumed.
+.TP
+.B mark_out
+sets an XFRM mark of the form <value>[/<mask>] in the outbound IPsec SA and policy
+(IKEv2 only). If the mask is missing then a default mask of
+.B 0xffffffff
+is assumed.
+.TP
+.B mobike
+enables the IKEv2 MOBIKE protocol defined by RFC 4555. Accepted values are
+.B yes
+(the default) and
+.BR no .
+If set to
+.BR no ,
+the IKEv2 charon daemon will not actively propose MOBIKE as initiator and
+ignore the MOBIKE_SUPPORTED notify as responder.
+.TP
+.B modeconfig
+defines which mode is used to assign a virtual IP.
+Accepted values are
+.B push
+and
+.B pull
+(the default).
+Currently relevant for IKEv1 only since IKEv2 always uses the configuration
+payload in pull mode. Cisco VPN gateways usually operate in
+.B push
+mode.
+.TP
+.B pfs
+whether Perfect Forward Secrecy of keys is desired on the connection's
+keying channel
+(with PFS, penetration of the key-exchange protocol
+does not compromise keys negotiated earlier);
+acceptable values are
+.B yes
+(the default)
+and
+.BR no.
+IKEv2 always uses PFS for IKE_SA rekeying whereas for CHILD_SA rekeying
+PFS is enforced by defining a Diffie-Hellman modp group in the
+.B esp
+parameter.
+.TP
+.B pfsgroup
+defines a Diffie-Hellman group for perfect forward secrecy in IKEv1 Quick Mode
+differing from the DH group used for IKEv1 Main Mode (IKEv1 only).
+.TP
+.B reauth
+whether rekeying of an IKE_SA should also reauthenticate the peer. In IKEv1,
+reauthentication is always done. In IKEv2, a value of
+.B no
+rekeys without uninstalling the IPsec SAs, a value of
+.B yes
+(the default) creates a new IKE_SA from scratch and tries to recreate
+all IPsec SAs.
+.TP
+.B rekey
+whether a connection should be renegotiated when it is about to expire;
+acceptable values are
+.B yes
+(the default)
+and
+.BR no .
+The two ends need not agree, but while a value of
+.B no
+prevents pluto/charon from requesting renegotiation,
+it does not prevent responding to renegotiation requested from the other end,
+so
+.B no
+will be largely ineffective unless both ends agree on it.
+.TP
+.B rekeyfuzz
+maximum percentage by which
+.BR marginbytes ,
+.B marginpackets
+and
+.B margintime
+should be randomly increased to randomize rekeying intervals
+(important for hosts with many connections);
+acceptable values are an integer,
+which may exceed 100,
+followed by a `%'
+(defaults to
+.BR 100% ).
+The value of
+.BR marginTYPE ,
+after this random increase,
+must not exceed
+.B lifeTYPE
+(where TYPE is one of
+.IR bytes ,
+.I packets
+or
+.IR time ).
+The value
+.B 0%
+will suppress randomization.
+Relevant only locally, other end need not agree on it.
+.TP
+.B rekeymargin
+synonym for
+.BR margintime .
+.TP
+.B reqid
+sets the reqid for a given connection to a pre-configured fixed value (IKEv2 only).
+.TP
+.B type
+the type of the connection; currently the accepted values
+are
+.B tunnel
+(the default)
+signifying a host-to-host, host-to-subnet, or subnet-to-subnet tunnel;
+.BR transport ,
+signifying host-to-host transport mode;
+.BR transport_proxy ,
+signifying the special Mobile IPv6 transport proxy mode;
+.BR passthrough ,
+signifying that no IPsec processing should be done at all;
+.BR drop ,
+signifying that packets should be discarded; and
+.BR reject ,
+signifying that packets should be discarded and a diagnostic ICMP returned.
+The IKEv2 daemon charon currently supports
+.BR tunnel ,
+.BR transport ,
+and
+.BR tunnel_proxy
+connection types, only.
+.TP
+.B xauth
+specifies the role in the XAUTH protocol if activated by
+.B authby=xauthpsk
+or
+.B authby=xauthrsasig.
+Accepted values are
+.B server
+and
+.B client
+(the default).
+
+.SS "CONN PARAMETERS: IKEv2 MEDIATION EXTENSION"
+The following parameters are relevant to IKEv2 Mediation Extension
+operation only.
+.TP 14
+.B mediation
+whether this connection is a mediation connection, ie. whether this
+connection is used to mediate other connections.  Mediation connections
+create no child SA. Acceptable values are
+.B no
+(the default) and
+.BR yes .
+.TP
+.B mediated_by
+the name of the connection to mediate this connection through.  If given,
+the connection will be mediated through the named mediation connection.
+The mediation connection must set
+.BR mediation=yes .
+.TP
+.B me_peerid
+ID as which the peer is known to the mediation server, ie. which the other
+end of this connection uses as its
+.B leftid
+on its connection to the mediation server.  This is the ID we request the
+mediation server to mediate us with.  If
+.B me_peerid
+is not given, the
+.B rightid
+of this connection will be used as peer ID.
+
+.SH "CA SECTIONS"
+This are optional sections that can be used to assign special
+parameters to a Certification Authority (CA).
+.TP 10
+.B auto
+currently can have either the value
+.B ignore
+or
+.B add
+.
+.TP
+.B cacert
+defines a path to the CA certificate either relative to
+\fI/etc/ipsec.d/cacerts\fP or as an absolute path.
+.TP
+.B crluri
+defines a CRL distribution point (ldap, http, or file URI)
+.TP
+.B crluri1
+synonym for
+.B crluri.
+.TP
+.B crluri2
+defines an alternative CRL distribution point (ldap, http, or file URI)
+.TP
+.B ldaphost
+defines an ldap host. Currently used by IKEv1 only.
+.TP
+.B ocspuri
+defines an OCSP URI.
+.TP
+.B ocspuri1
+synonym for
+.B ocspuri.
+.TP
+.B ocspuri2
+defines an alternative OCSP URI. Currently used by IKEv2 only.
+.TP
+.B certuribase
+defines the base URI for the Hash and URL feature supported by IKEv2.
+Instead of exchanging complete certificates, IKEv2 allows to send an URI
+that resolves to the DER encoded certificate. The certificate URIs are built
+by appending the SHA1 hash of the DER encoded certificates to this base URI.
+.SH "CONFIG SECTIONS"
+At present, the only
+.B config
+section known to the IPsec software is the one named
+.BR setup ,
+which contains information used when the software is being started.
+Here's an example:
+.PP
+.ne 8
+.nf
+.ft B
+.ta 1c
+config setup
+	plutodebug=all
+	crlcheckinterval=10m
+	strictcrlpolicy=yes
+.ft
+.fi
+.PP
+Parameters are optional unless marked ``(required)''.
+The currently-accepted
+.I parameter
+names in a
+.B config
+.B setup
+section affecting both daemons are:
+.TP 14
+.B cachecrls
+certificate revocation lists (CRLs) fetched via http or ldap will be cached in
+\fI/etc/ipsec.d/crls/\fR under a unique file name derived from the certification
+authority's public key.
+Accepted values are
+.B yes
+and
+.B no
+(the default).
+.TP
+.B charonstart
+whether to start the IKEv2 Charon daemon or not.
+Accepted values are
+.B yes
+or
+.BR no .
+The default is
+.B yes
+if starter was compiled with IKEv2 support.
+.TP
+.B dumpdir
+in what directory should things started by \fBipsec starter\fR
+(notably the Pluto and Charon daemons) be allowed to dump core?
+The empty value (the default) means they are not
+allowed to.
+This feature is currently not yet supported by \fBipsec starter\fR.
+.TP
+.B plutostart
+whether to start the IKEv1 Pluto daemon or not.
+Accepted values are
+.B yes
+or
+.BR no .
+The default is
+.B yes
+if starter was compiled with IKEv1 support.
+.TP
+.B strictcrlpolicy
+defines if a fresh CRL must be available in order for the peer authentication based
+on RSA signatures to succeed.
+Accepted values are
+.B yes
+and
+.B no
+(the default).
+IKEv2 additionally recognizes
+.B ifuri
+which reverts to
+.B yes
+if at least one CRL URI is defined and to
+.B no
+if no URI is known.
+.TP
+.B uniqueids
+whether a particular participant ID should be kept unique,
+with any new (automatically keyed)
+connection using an ID from a different IP address
+deemed to replace all old ones using that ID;
+acceptable values are
+.B yes
+(the default)
+and
+.BR no .
+Participant IDs normally \fIare\fR unique,
+so a new (automatically-keyed) connection using the same ID is
+almost invariably intended to replace an old one.
+The IKEv2 daemon also accepts the value
+.B replace
+wich is identical to
+.B yes
+and the value
+.B keep
+to reject new IKE_SA setups and keep the duplicate established earlier.
+.PP
+The following
+.B config section
+parameters are used by the IKEv1 Pluto daemon only:
+.TP
+.B crlcheckinterval
+interval in seconds. CRL fetching is enabled if the value is greater than zero.
+Asynchronous, periodic checking for fresh CRLs is currently done by the
+IKEv1 Pluto daemon only.
+.TP
+.B keep_alive
+interval in seconds between NAT keep alive packets, the default being 20 seconds.
+.TP
+.B nat_traversal
+activates NAT traversal by accepting source ISAKMP ports different from udp/500 and
+being able of floating to udp/4500 if a NAT situation is detected.
+Accepted values are
+.B yes
+and
+.B no
+(the default).
+Used by IKEv1 only, NAT traversal always being active in IKEv2.
+.TP
+.B nocrsend
+no certificate request payloads will be sent.
+Accepted values are
+.B yes
+and
+.B no
+(the default).
+.TP
+.B pkcs11initargs
+non-standard argument string for PKCS#11 C_Initialize() function;
+required by NSS softoken.
+.TP
+.B pkcs11module
+defines the path to a dynamically loadable PKCS #11 library.
+.TP
+.B pkcs11keepstate
+PKCS #11 login sessions will be kept during the whole lifetime of the keying
+daemon. Useful with pin-pad smart card readers.
+Accepted values are
+.B yes
+and
+.B no
+(the default).
+.TP
+.B pkcs11proxy
+Pluto will act as a PKCS #11 proxy accessible via the whack interface.
+Accepted values are
+.B yes
+and
+.B no
+(the default).
+.TP
+.B plutodebug
+how much Pluto debugging output should be logged.
+An empty value,
+or the magic value
+.BR none ,
+means no debugging output (the default).
+The magic value
+.B all
+means full output.
+Otherwise only the specified types of output
+(a quoted list, names without the
+.B \-\-debug\-
+prefix,
+separated by white space) are enabled;
+for details on available debugging types, see
+.IR pluto (8).
+.TP
+.B plutostderrlog
+Pluto will not use syslog, but rather log to stderr, and redirect stderr
+to the argument file.
+.TP
+.B postpluto
+shell command to run after starting Pluto
+(e.g., to remove a decrypted copy of the
+.I ipsec.secrets
+file).
+It's run in a very simple way;
+complexities like I/O redirection are best hidden within a script.
+Any output is redirected for logging,
+so running interactive commands is difficult unless they use
+.I /dev/tty
+or equivalent for their interaction.
+Default is none.
+.TP
+.B prepluto
+shell command to run before starting Pluto
+(e.g., to decrypt an encrypted copy of the
+.I ipsec.secrets
+file).
+It's run in a very simple way;
+complexities like I/O redirection are best hidden within a script.
+Any output is redirected for logging,
+so running interactive commands is difficult unless they use
+.I /dev/tty
+or equivalent for their interaction.
+Default is none.
+.TP
+.B virtual_private
+defines private networks using a wildcard notation.
+.PP
+The following
+.B config section
+parameters are used by the IKEv2 Charon daemon only:
+.TP
+.B charondebug
+how much Charon debugging output should be logged.
+A comma separated list containing type level/pairs may
+be specified, e.g:
+.B dmn 3, ike 1, net -1.
+Acceptable values for types are
+.B dmn, mgr, ike, chd, job, cfg, knl, net, enc, lib
+and the level is one of
+.B -1, 0, 1, 2, 3, 4
+(for silent, audit, control, controlmore, raw, private).
+.PP
+The following
+.B config section
+parameters only make sense if the KLIPS IPsec stack
+is used instead of the default NETKEY stack of the Linux 2.6 kernel:
+.TP
+.B fragicmp
+whether a tunnel's need to fragment a packet should be reported
+back with an ICMP message,
+in an attempt to make the sender lower his PMTU estimate;
+acceptable values are
+.B yes
+(the default)
+and
+.BR no .
+.TP
+.B hidetos
+whether a tunnel packet's TOS field should be set to
+.B 0
+rather than copied from the user packet inside;
+acceptable values are
+.B yes
+(the default)
+and
+.BR no
+.TP
+.B interfaces
+virtual and physical interfaces for IPsec to use:
+a single
+\fIvirtual\fB=\fIphysical\fR pair, a (quoted!) list of pairs separated
+by white space, or
+.BR %none .
+One of the pairs may be written as
+.BR %defaultroute ,
+which means: find the interface \fId\fR that the default route points to,
+and then act as if the value was ``\fBipsec0=\fId\fR''.
+.B %defaultroute
+is the default;
+.B %none
+must be used to denote no interfaces.
+.TP
+.B overridemtu
+value that the MTU of the ipsec\fIn\fR interface(s) should be set to,
+overriding IPsec's (large) default.
+.SH FILES
+.nf
+/etc/ipsec.conf
+/etc/ipsec.d/aacerts
+/etc/ipsec.d/acerts
+/etc/ipsec.d/cacerts
+/etc/ipsec.d/certs
+/etc/ipsec.d/crls
+
+.SH SEE ALSO
+ipsec(8), pluto(8), starter(8)
+.SH HISTORY
+Originally written for the FreeS/WAN project by Henry Spencer.
+Updated and extended for the strongSwan project <http://www.strongswan.org> by
+Tobias Brunner, Andreas Steffen and Martin Willi.
+.SH BUGS
+.PP
+If conns are to be added before DNS is available, \fBleft=\fP\fIFQDN\fP
+will fail.
diff --git a/src/starter/keywords.c b/src/starter/keywords.c
index df39f0dc7..1d7cae00b 100644
--- a/src/starter/keywords.c
+++ b/src/starter/keywords.c
@@ -54,12 +54,12 @@ struct kw_entry {
     kw_token_t token;
 };
 
-#define TOTAL_KEYWORDS 121
+#define TOTAL_KEYWORDS 126
 #define MIN_WORD_LENGTH 3
 #define MAX_WORD_LENGTH 17
-#define MIN_HASH_VALUE 11
-#define MAX_HASH_VALUE 230
-/* maximum key range = 220, duplicates = 0 */
+#define MIN_HASH_VALUE 20
+#define MAX_HASH_VALUE 220
+/* maximum key range = 201, duplicates = 0 */
 
 #ifdef __GNUC__
 __inline
@@ -75,32 +75,32 @@ hash (str, len)
 {
   static const unsigned char asso_values[] =
     {
-      231, 231, 231, 231, 231, 231, 231, 231, 231, 231,
-      231, 231, 231, 231, 231, 231, 231, 231, 231, 231,
-      231, 231, 231, 231, 231, 231, 231, 231, 231, 231,
-      231, 231, 231, 231, 231, 231, 231, 231, 231, 231,
-      231, 231, 231, 231, 231, 231, 231, 231, 231,  26,
-       75, 231, 231, 231, 231, 231, 231, 231, 231, 231,
-      231, 231, 231, 231, 231, 231, 231, 231, 231, 231,
-      231, 231, 231, 231, 231, 231, 231, 231, 231, 231,
-      231, 231, 231, 231, 231, 231, 231, 231, 231, 231,
-      231, 231, 231, 231, 231,   2, 231,  25, 231,  40,
-       61,   2, 114,  24,   3,   2, 231, 101,   2,  96,
-       48,  35,  23, 231,   4,  10,   3,  69,  25, 231,
-        2,  18,  16, 231, 231, 231, 231, 231, 231, 231,
-      231, 231, 231, 231, 231, 231, 231, 231, 231, 231,
-      231, 231, 231, 231, 231, 231, 231, 231, 231, 231,
-      231, 231, 231, 231, 231, 231, 231, 231, 231, 231,
-      231, 231, 231, 231, 231, 231, 231, 231, 231, 231,
-      231, 231, 231, 231, 231, 231, 231, 231, 231, 231,
-      231, 231, 231, 231, 231, 231, 231, 231, 231, 231,
-      231, 231, 231, 231, 231, 231, 231, 231, 231, 231,
-      231, 231, 231, 231, 231, 231, 231, 231, 231, 231,
-      231, 231, 231, 231, 231, 231, 231, 231, 231, 231,
-      231, 231, 231, 231, 231, 231, 231, 231, 231, 231,
-      231, 231, 231, 231, 231, 231, 231, 231, 231, 231,
-      231, 231, 231, 231, 231, 231, 231, 231, 231, 231,
-      231, 231, 231, 231, 231, 231
+      221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
+      221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
+      221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
+      221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
+      221, 221, 221, 221, 221, 221, 221, 221, 221,  35,
+       77, 221, 221, 221, 221, 221, 221, 221, 221, 221,
+      221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
+      221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
+      221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
+      221, 221, 221, 221, 221,   8, 221,  31, 221,  20,
+       28,   5,  75,  26,  88,   5, 221,  97,   5,  50,
+       39,  67,  29, 221,   7,  13,   6,  89,  15, 221,
+        5,  24,   7, 221, 221, 221, 221, 221, 221, 221,
+      221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
+      221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
+      221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
+      221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
+      221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
+      221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
+      221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
+      221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
+      221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
+      221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
+      221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
+      221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
+      221, 221, 221, 221, 221, 221
     };
   register int hval = len;
 
@@ -128,7 +128,6 @@ static const struct kw_entry wordlist[] =
     {"right",             KW_RIGHT},
     {"lifetime",          KW_KEYLIFE},
     {"leftcert",          KW_LEFTCERT,},
-    {"reauth",            KW_REAUTH},
     {"leftfirewall",      KW_LEFTFIREWALL},
     {"leftsendcert",      KW_LEFTSENDCERT},
     {"rightikeport",      KW_RIGHTIKEPORT},
@@ -137,142 +136,147 @@ static const struct kw_entry wordlist[] =
     {"leftgroups",        KW_LEFTGROUPS},
     {"rekey",             KW_REKEY},
     {"rightsubnet",       KW_RIGHTSUBNET},
+    {"crluri",            KW_CRLURI},
     {"rightsendcert",     KW_RIGHTSENDCERT},
-    {"righthostaccess",   KW_RIGHTHOSTACCESS},
-    {"xauth",             KW_XAUTH},
-    {"leftallowany",      KW_LEFTALLOWANY},
+    {"reqid",             KW_REQID},
+    {"rightcert",         KW_RIGHTCERT},
+    {"certuribase",       KW_CERTURIBASE},
     {"esp",               KW_ESP},
+    {"leftallowany",      KW_LEFTALLOWANY},
+    {"rightid",           KW_RIGHTID},
+    {"crlcheckinterval",  KW_CRLCHECKINTERVAL},
     {"leftnexthop",       KW_LEFTNEXTHOP},
     {"lifebytes",         KW_LIFEBYTES},
     {"rightrsasigkey",    KW_RIGHTRSASIGKEY},
-    {"rightauth",         KW_RIGHTAUTH},
     {"leftrsasigkey",     KW_LEFTRSASIGKEY},
     {"rightprotoport",    KW_RIGHTPROTOPORT},
+    {"rightgroups",       KW_RIGHTGROUPS},
     {"plutostart",        KW_PLUTOSTART},
     {"strictcrlpolicy",   KW_STRICTCRLPOLICY},
     {"lifepackets",       KW_LIFEPACKETS},
-    {"rightgroups",       KW_RIGHTGROUPS},
     {"rightsourceip",     KW_RIGHTSOURCEIP},
     {"eap",               KW_EAP},
-    {"crluri",            KW_CRLURI},
-    {"hidetos",           KW_HIDETOS},
-    {"rightcert",         KW_RIGHTCERT},
-    {"certuribase",       KW_CERTURIBASE},
-    {"leftca",            KW_LEFTCA},
-    {"leftnatip",         KW_LEFTNATIP},
-    {"rightallowany",     KW_RIGHTALLOWANY},
-    {"lefthostaccess",    KW_LEFTHOSTACCESS},
-    {"crlcheckinterval",  KW_CRLCHECKINTERVAL},
-    {"also",              KW_ALSO},
-    {"packetdefault",     KW_PACKETDEFAULT},
-    {"virtual_private",   KW_VIRTUAL_PRIVATE},
-    {"plutostderrlog",    KW_PLUTOSTDERRLOG},
-    {"leftsourceip",      KW_LEFTSOURCEIP},
-    {"rightid",           KW_RIGHTID},
     {"cacert",            KW_CACERT},
     {"rightca",           KW_RIGHTCA},
+    {"virtual_private",   KW_VIRTUAL_PRIVATE},
+    {"leftid",            KW_LEFTID},
     {"crluri1",           KW_CRLURI},
-    {"inactivity",        KW_INACTIVITY},
+    {"ldapbase",          KW_LDAPBASE},
+    {"leftca",            KW_LEFTCA},
+    {"leftnatip",         KW_LEFTNATIP},
+    {"rightallowany",     KW_RIGHTALLOWANY},
     {"rightsubnetwithin", KW_RIGHTSUBNETWITHIN},
+    {"xauth_identity",    KW_XAUTH_IDENTITY},
+    {"inactivity",        KW_INACTIVITY},
+    {"packetdefault",     KW_PACKETDEFAULT},
     {"installpolicy",     KW_INSTALLPOLICY},
-    {"leftauth",          KW_LEFTAUTH},
+    {"plutostderrlog",    KW_PLUTOSTDERRLOG},
     {"leftupdown",        KW_LEFTUPDOWN},
-    {"leftsubnet",        KW_LEFTSUBNET},
     {"rightnatip",        KW_RIGHTNATIP},
-    {"ocspuri",           KW_OCSPURI},
     {"rightnexthop",      KW_RIGHTNEXTHOP},
+    {"cachecrls",         KW_CACHECRLS},
+    {"dpddelay",          KW_DPDDELAY},
+    {"nat_traversal",     KW_NAT_TRAVERSAL},
+    {"mediated_by",       KW_MEDIATED_BY},
+    {"me_peerid",         KW_ME_PEERID},
+    {"plutodebug",        KW_PLUTODEBUG},
+    {"eap_identity",      KW_EAP_IDENTITY},
     {"leftcert2",         KW_LEFTCERT2,},
     {"rightid2",          KW_RIGHTID2},
-    {"nat_traversal",     KW_NAT_TRAVERSAL},
-    {"compress",          KW_COMPRESS},
-    {"ldapbase",          KW_LDAPBASE},
-    {"auth",              KW_AUTH},
-    {"postpluto",         KW_POSTPLUTO},
-    {"charonstart",       KW_CHARONSTART},
+    {"rekeyfuzz",         KW_REKEYFUZZ},
+    {"lefthostaccess",    KW_LEFTHOSTACCESS},
+    {"rightfirewall",     KW_RIGHTFIREWALL},
+    {"ocspuri",           KW_OCSPURI},
+    {"also",              KW_ALSO},
+    {"mediation",         KW_MEDIATION},
     {"ike",               KW_IKE},
+    {"dpdaction",         KW_DPDACTION},
+    {"rekeymargin",       KW_REKEYMARGIN},
+    {"compress",          KW_COMPRESS},
     {"ldaphost",          KW_LDAPHOST},
-    {"leftca2",           KW_LEFTCA2},
-    {"dpddelay",          KW_DPDDELAY},
-    {"ocspuri1",          KW_OCSPURI},
-    {"rightauth2",        KW_RIGHTAUTH2},
-    {"eap_identity",      KW_EAP_IDENTITY},
-    {"leftikeport",       KW_LEFTIKEPORT},
-    {"plutodebug",        KW_PLUTODEBUG},
-    {"cachecrls",         KW_CACHECRLS},
-    {"charondebug",       KW_CHARONDEBUG},
+    {"leftsubnet",        KW_LEFTSUBNET},
     {"crluri2",           KW_CRLURI2},
     {"rightca2",          KW_RIGHTCA2},
-    {"mediated_by",       KW_MEDIATED_BY},
+    {"leftsourceip",      KW_LEFTSOURCEIP},
     {"rightcert2",        KW_RIGHTCERT2},
-    {"leftid",            KW_LEFTID},
-    {"auto",              KW_AUTO},
-    {"rightupdown",       KW_RIGHTUPDOWN},
-    {"rightfirewall",     KW_RIGHTFIREWALL},
-    {"authby",            KW_AUTHBY},
-    {"leftsubnetwithin",  KW_LEFTSUBNETWITHIN},
-    {"uniqueids",         KW_UNIQUEIDS},
-    {"prepluto",          KW_PREPLUTO},
-    {"keep_alive",        KW_KEEP_ALIVE},
+    {"pfs",               KW_PFS},
+    {"leftid2",           KW_LEFTID2},
+    {"dpdtimeout",        KW_DPDTIMEOUT},
+    {"leftikeport",       KW_LEFTIKEPORT},
+    {"leftca2",           KW_LEFTCA2},
+    {"righthostaccess",   KW_RIGHTHOSTACCESS},
+    {"xauth",             KW_XAUTH},
+    {"rightauth2",        KW_RIGHTAUTH2},
+    {"mark_in",           KW_MARK_IN},
     {"mobike",	           KW_MOBIKE},
-    {"overridemtu",       KW_OVERRIDEMTU},
+    {"margintime",        KW_REKEYMARGIN},
     {"dumpdir",           KW_DUMPDIR},
-    {"dpdaction",         KW_DPDACTION},
-    {"rekeyfuzz",         KW_REKEYFUZZ},
-    {"leftid2",           KW_LEFTID2},
-    {"keyingtries",       KW_KEYINGTRIES},
-    {"pfs",               KW_PFS},
-    {"nocrsend",          KW_NOCRSEND},
+    {"ocspuri1",          KW_OCSPURI},
     {"keyexchange",       KW_KEYEXCHANGE},
-    {"leftauth2",         KW_LEFTAUTH2},
-    {"mediation",         KW_MEDIATION},
-    {"rekeymargin",       KW_REKEYMARGIN},
-    {"ocspuri2",          KW_OCSPURI2},
-    {"pkcs11module",      KW_PKCS11MODULE},
-    {"pkcs11keepstate",   KW_PKCS11KEEPSTATE},
-    {"force_keepalive",   KW_FORCE_KEEPALIVE},
-    {"me_peerid",         KW_ME_PEERID},
-    {"forceencaps",       KW_FORCEENCAPS},
-    {"pkcs11initargs",    KW_PKCS11INITARGS},
-    {"pkcs11proxy",       KW_PKCS11PROXY},
-    {"margintime",        KW_REKEYMARGIN},
-    {"interfaces",        KW_INTERFACES},
     {"fragicmp",          KW_FRAGICMP},
+    {"rightauth",         KW_RIGHTAUTH},
+    {"interfaces",        KW_INTERFACES},
     {"marginbytes",       KW_MARGINBYTES},
     {"marginpackets",     KW_MARGINPACKETS},
-    {"dpdtimeout",        KW_DPDTIMEOUT},
+    {"nocrsend",          KW_NOCRSEND},
+    {"keep_alive",        KW_KEEP_ALIVE},
+    {"rightupdown",       KW_RIGHTUPDOWN},
+    {"keyingtries",       KW_KEYINGTRIES},
+    {"leftsubnetwithin",  KW_LEFTSUBNETWITHIN},
+    {"uniqueids",         KW_UNIQUEIDS},
+    {"mark_out",          KW_MARK_OUT},
+    {"charonstart",       KW_CHARONSTART},
     {"klipsdebug",        KW_KLIPSDEBUG},
-    {"modeconfig",        KW_MODECONFIG},
-    {"pfsgroup",          KW_PFSGROUP},
+    {"force_keepalive",   KW_FORCE_KEEPALIVE},
+    {"forceencaps",       KW_FORCEENCAPS},
+    {"authby",            KW_AUTHBY},
+    {"postpluto",         KW_POSTPLUTO},
+    {"pkcs11module",      KW_PKCS11MODULE},
+    {"ocspuri2",          KW_OCSPURI2},
+    {"hidetos",           KW_HIDETOS},
+    {"pkcs11keepstate",   KW_PKCS11KEEPSTATE},
+    {"mark",              KW_MARK},
+    {"charondebug",       KW_CHARONDEBUG},
+    {"leftauth2",         KW_LEFTAUTH2},
+    {"overridemtu",       KW_OVERRIDEMTU},
+    {"pkcs11initargs",    KW_PKCS11INITARGS},
     {"keylife",           KW_KEYLIFE},
-    {"ikelifetime",       KW_IKELIFETIME}
+    {"auto",              KW_AUTO},
+    {"ikelifetime",       KW_IKELIFETIME},
+    {"reauth",            KW_REAUTH},
+    {"leftauth",          KW_LEFTAUTH},
+    {"pkcs11proxy",       KW_PKCS11PROXY},
+    {"prepluto",          KW_PREPLUTO},
+    {"pfsgroup",          KW_PFSGROUP},
+    {"auth",              KW_AUTH},
+    {"modeconfig",        KW_MODECONFIG}
   };
 
 static const short lookup[] =
   {
      -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,
-     -1,   0,  -1,  -1,   1,  -1,   2,   3,   4,  -1,
-      5,   6,  -1,   7,   8,  -1,  -1,   9,  10,  11,
-     12,  -1,  13,  -1,  14,  15,  16,  -1,  17,  -1,
-     18,  19,  20,  21,  -1,  22,  23,  -1,  24,  25,
-     26,  27,  28,  29,  30,  -1,  -1,  31,  32,  33,
-     34,  35,  36,  37,  38,  -1,  39,  40,  -1,  41,
-     -1,  -1,  -1,  42,  43,  -1,  44,  45,  46,  47,
-     48,  49,  -1,  50,  51,  52,  53,  54,  55,  56,
-     57,  58,  59,  -1,  -1,  60,  -1,  -1,  61,  -1,
-     -1,  62,  -1,  -1,  63,  64,  -1,  -1,  65,  66,
-     -1,  67,  68,  69,  -1,  -1,  70,  -1,  71,  72,
-     73,  -1,  -1,  -1,  74,  -1,  75,  -1,  76,  77,
-     78,  79,  80,  81,  82,  83,  84,  85,  86,  87,
-     88,  89,  90,  91,  92,  93,  -1,  94,  95,  -1,
-     96,  -1,  -1,  -1,  97,  -1,  98,  99, 100,  -1,
-     -1, 101, 102,  -1, 103,  -1,  -1, 104, 105,  -1,
-    106,  -1, 107,  -1, 108,  -1,  -1,  -1,  -1, 109,
-     -1, 110,  -1,  -1, 111,  -1,  -1,  -1,  -1, 112,
-    113,  -1, 114, 115,  -1,  -1,  -1,  -1, 116,  -1,
-    117,  -1,  -1, 118,  -1,  -1,  -1,  -1,  -1,  -1,
      -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,
-     -1,  -1,  -1,  -1,  -1,  -1, 119,  -1,  -1,  -1,
-    120
+      0,  -1,  -1,   1,  -1,  -1,  -1,  -1,   2,   3,
+     -1,  -1,   4,   5,  -1,   6,   7,  -1,  -1,   8,
+      9,  10,  11,  12,  13,  14,  -1,  15,  16,  -1,
+     17,  18,  19,  20,  -1,  21,  22,  23,  -1,  -1,
+     24,  25,  26,  27,  28,  29,  -1,  30,  31,  32,
+     33,  34,  35,  -1,  36,  -1,  -1,  37,  38,  39,
+     40,  41,  42,  43,  -1,  44,  45,  46,  47,  -1,
+     48,  -1,  49,  50,  51,  52,  53,  54,  55,  -1,
+     56,  57,  58,  59,  60,  61,  62,  63,  -1,  64,
+     65,  66,  67,  68,  69,  70,  71,  72,  73,  74,
+     75,  -1,  76,  77,  78,  79,  -1,  -1,  80,  81,
+     82,  -1,  83,  84,  -1,  85,  86,  87,  88,  89,
+     90,  -1,  91,  -1,  92,  -1,  93,  94,  95,  -1,
+     -1,  96,  97,  -1,  98,  99,  -1,  -1,  -1,  -1,
+     -1,  -1, 100,  -1, 101,  -1, 102,  -1,  -1,  -1,
+    103, 104,  -1,  -1, 105,  -1,  -1, 106, 107, 108,
+    109, 110, 111,  -1, 112, 113,  -1, 114, 115, 116,
+     -1, 117,  -1, 118, 119, 120, 121,  -1,  -1,  -1,
+    122,  -1,  -1,  -1,  -1,  -1,  -1,  -1, 123,  -1,
+     -1,  -1, 124,  -1,  -1,  -1,  -1,  -1,  -1,  -1,
+    125
   };
 
 #ifdef __GNUC__
diff --git a/src/starter/keywords.h b/src/starter/keywords.h
index 6c3907a6a..25d2ce4b9 100644
--- a/src/starter/keywords.h
+++ b/src/starter/keywords.h
@@ -93,12 +93,17 @@ typedef enum {
 	KW_INACTIVITY,
 	KW_MODECONFIG,
 	KW_XAUTH,
+	KW_XAUTH_IDENTITY,
 	KW_MEDIATION,
 	KW_MEDIATED_BY,
 	KW_ME_PEERID,
+	KW_REQID,
+	KW_MARK,
+	KW_MARK_IN,
+	KW_MARK_OUT,
 
 #define KW_CONN_FIRST   KW_CONN_SETUP
-#define KW_CONN_LAST    KW_ME_PEERID
+#define KW_CONN_LAST    KW_MARK_OUT
 
    /* ca section keywords */
 	KW_CA_NAME,
diff --git a/src/starter/keywords.txt b/src/starter/keywords.txt
index 12037a685..fcdc60cff 100644
--- a/src/starter/keywords.txt
+++ b/src/starter/keywords.txt
@@ -84,9 +84,14 @@ dpdaction,         KW_DPDACTION
 inactivity,        KW_INACTIVITY
 modeconfig,        KW_MODECONFIG
 xauth,             KW_XAUTH
+xauth_identity,    KW_XAUTH_IDENTITY
 mediation,         KW_MEDIATION
 mediated_by,       KW_MEDIATED_BY
 me_peerid,         KW_ME_PEERID
+reqid,             KW_REQID
+mark,              KW_MARK
+mark_in,           KW_MARK_IN
+mark_out,          KW_MARK_OUT
 cacert,            KW_CACERT
 ldaphost,          KW_LDAPHOST
 ldapbase,          KW_LDAPBASE
diff --git a/src/starter/starter.c b/src/starter/starter.c
index 50ef9c07b..c3ba54f1d 100644
--- a/src/starter/starter.c
+++ b/src/starter/starter.c
@@ -241,6 +241,7 @@ int main (int argc, char **argv)
 	time_t last_reload;
 	bool no_fork = FALSE;
 	bool attach_gdb = FALSE;
+	bool load_warning = FALSE;
 
 	/* global variables defined in log.h */
 	log_to_stderr = TRUE;
@@ -300,6 +301,21 @@ int main (int argc, char **argv)
 
 	plog("Starting strongSwan "VERSION" IPsec [starter]...");
 
+#ifdef LOAD_WARNING
+	load_warning = TRUE;
+#endif
+
+	if (lib->settings->get_bool(lib->settings, "starter.load_warning", load_warning))
+	{
+		if (lib->settings->get_str(lib->settings, "charon.load", NULL) ||
+			lib->settings->get_str(lib->settings, "pluto.load", NULL))
+		{
+			plog("!! Your strongswan.conf contains manual plugin load options for");
+			plog("!! pluto and/or charon. This is recommended for experts only, see");
+			plog("!! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad");
+		}
+	}
+
 	/* verify that we can start */
 	if (getuid() != 0)
 	{
diff --git a/src/starter/starterstroke.c b/src/starter/starterstroke.c
index d877661ec..9c69ab9e5 100644
--- a/src/starter/starterstroke.c
+++ b/src/starter/starterstroke.c
@@ -269,6 +269,11 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
 	msg.add_conn.ikeme.mediation = conn->me_mediation;
 	msg.add_conn.ikeme.mediated_by = push_string(&msg, conn->me_mediated_by);
 	msg.add_conn.ikeme.peerid = push_string(&msg, conn->me_peerid);
+	msg.add_conn.reqid = conn->reqid;
+	msg.add_conn.mark_in.value = conn->mark_in.value;
+	msg.add_conn.mark_in.mask = conn->mark_in.mask;
+	msg.add_conn.mark_out.value = conn->mark_out.value;
+	msg.add_conn.mark_out.mask = conn->mark_out.mask;
 
 	starter_stroke_add_end(&msg, &msg.add_conn.me, &conn->left);
 	starter_stroke_add_end(&msg, &msg.add_conn.other, &conn->right);
diff --git a/src/starter/starterwhack.c b/src/starter/starterwhack.c
index 527142a4e..58034d96b 100644
--- a/src/starter/starterwhack.c
+++ b/src/starter/starterwhack.c
@@ -93,6 +93,7 @@ static int send_whack_msg (whack_message_t *msg)
 	||  !pack_str(&msg->sc_data,        &str_next, &str_roof)
 	||  !pack_str(&msg->whack_lease_ip, &str_next, &str_roof)
 	||  !pack_str(&msg->whack_lease_id, &str_next, &str_roof)
+	||  !pack_str(&msg->xauth_identity, &str_next, &str_roof)
 	||  (str_roof - str_next < msg->keyval.len))
 	{
 		plog("send_wack_msg(): can't pack strings");
@@ -285,6 +286,12 @@ int starter_whack_add_conn(starter_conn_t *conn)
 	msg.sa_rekey_fuzz         = conn->sa_rekey_fuzz;
 	msg.sa_keying_tries       = conn->sa_keying_tries;
 	msg.policy                = conn->policy;
+	msg.xauth_identity        = conn->xauth_identity;
+	msg.reqid                 = conn->reqid;
+	msg.mark_in.value         = conn->mark_in.value;
+	msg.mark_in.mask          = conn->mark_in.mask;
+	msg.mark_out.value        = conn->mark_out.value;
+	msg.mark_out.mask         = conn->mark_out.mask;
 
 	/*
 	 * Make sure the IKEv2-only policy bits are unset for IKEv1 connections
diff --git a/src/stroke/Makefile.in b/src/stroke/Makefile.in
index 4353928b5..c7f264730 100644
--- a/src/stroke/Makefile.in
+++ b/src/stroke/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
diff --git a/src/stroke/stroke_msg.h b/src/stroke/stroke_msg.h
index ffc67039e..a36cc9038 100644
--- a/src/stroke/stroke_msg.h
+++ b/src/stroke/stroke_msg.h
@@ -227,6 +227,7 @@ struct stroke_msg_t {
 			time_t inactivity;
 			int proxy_mode;
 			int install_policy;
+			u_int32_t reqid;
 
 			crl_policy_t crl_policy;
 			int unique;
@@ -255,6 +256,10 @@ struct stroke_msg_t {
 				char *mediated_by;
 				char *peerid;
 			} ikeme;
+			struct {
+				u_int32_t value;
+				u_int32_t mask;
+			} mark_in, mark_out;
 			stroke_end_t me, other;
 		} add_conn;
 
diff --git a/src/strongswan.conf b/src/strongswan.conf
index 0ec4ae9ef..0d82dedfa 100644
--- a/src/strongswan.conf
+++ b/src/strongswan.conf
@@ -4,30 +4,27 @@ charon {
 
 	# number of worker threads in charon
 	threads = 16
-	
-	# plugins to load in charon
-	# load = aes des sha1 md5 sha2 hmac gmp random pubkey xcbc x509 stroke
-	
+
+	# send strongswan vendor ID?
+	# send_vendor_id = yes
+
 	plugins {
 
 		sql {
 			# loglevel to log into sql database
 			loglevel = -1
-			
+
 			# URI to the database
 			# database = sqlite:///path/to/file.db
 			# database = mysql://user:password@localhost/database
 		}
 	}
-	
+
 	# ...
 }
 
 pluto {
 
-	# plugins to load in pluto
-	# load = aes des sha1 md5 sha2 hmac gmp random pubkey
-	
 }
 
 libstrongswan {
diff --git a/src/whack/Makefile.in b/src/whack/Makefile.in
index 098e5110e..d163f2b58 100644
--- a/src/whack/Makefile.in
+++ b/src/whack/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
diff --git a/src/whack/whack.c b/src/whack/whack.c
index 5f986108b..643e4be04 100644
--- a/src/whack/whack.c
+++ b/src/whack/whack.c
@@ -1804,6 +1804,7 @@ int main(int argc, char **argv)
 	||  !pack_str(&msg.sc_data)          /* string 26 */
 	||  !pack_str(&msg.whack_lease_ip)   /* string 27 */
 	||  !pack_str(&msg.whack_lease_id)   /* string 28 */
+	||  !pack_str(&msg.xauth_identity)   /* string 29 */
 	||  str_roof - next_str < (ptrdiff_t)msg.keyval.len)
 		diag("too many bytes of strings to fit in message to pluto");
 
diff --git a/src/whack/whack.h b/src/whack/whack.h
index b495d3489..f8e6a9a88 100644
--- a/src/whack/whack.h
+++ b/src/whack/whack.h
@@ -48,7 +48,7 @@ typedef enum {
  */
 
 #define WHACK_BASIC_MAGIC (((((('w' << 8) + 'h') << 8) + 'k') << 8) + 24)
-#define WHACK_MAGIC (((((('w' << 8) + 'h') << 8) + 'k') << 8) + 26)
+#define WHACK_MAGIC (((((('w' << 8) + 'h') << 8) + 'k') << 8) + 30)
 
 typedef struct whack_end whack_end_t;
 
@@ -129,6 +129,14 @@ struct whack_message {
 	time_t dpd_timeout;
 	dpd_action_t dpd_action;
 
+
+	/* Assign optional fixed reqid and xfrm marks to IPsec SA */
+	u_int32_t reqid;
+	struct {
+		u_int32_t value;
+		u_int32_t mask;
+	} mark_in, mark_out;
+
 	/*  note that each end contains string 2/5.id, string 3/6 cert,
 	 *  and string 4/7 updown
 	 */
@@ -214,30 +222,40 @@ struct whack_message {
 	int inbase, outbase;
 	char *sc_data;
 
+	/* XAUTH user identity */
+	char *xauth_identity;
+
 	/* space for strings (hope there is enough room):
 	 * Note that pointers don't travel on wire.
-	 *  1 connection name [name_len]
-	 *  2 left's name [left.host.name.len]
+	 *  1 connection name
+	 *  2 left's id
 	 *  3 left's cert
 	 *  4 left's ca
 	 *  5 left's groups
 	 *  6 left's updown
-	 *  7 right's name [left.host.name.len]
-	 *  8 right's cert
-	 *  9 right's ca
-	 * 10 right's groups
-	 * 11 right's updown
-	 * 12 keyid
-	 * 13 myid
-	 * 14 cacert
-	 * 15 ldaphost
-	 * 16 ldapbase
-	 * 17 crluri
-	 * 18 crluri2
-	 * 19 ocspuri
-	 * 20 ike
-	 " 21 esp
-	 * 22 rsa_data
+	 *  7 left's source ip
+	 *  8 left's virtual ip ranges
+	 *  9 right's id
+	 * 10 right's cert
+	 * 11 right's ca
+	 * 12 right's groups
+	 * 13 right's updown
+	 * 14 right's source ip
+	 * 15 right's virtual ip ranges
+	 * 16 keyid
+	 * 17 myid
+	 * 18 cacert
+	 * 19 ldaphost
+	 * 20 ldapbase
+	 * 21 crluri
+	 * 22 crluri2
+	 * 23 ocspuri
+	 * 24 ike
+	 * 25 esp
+	 * 26 smartcard data
+	 * 27 whack leases ip argument
+	 * 28 whack leases id argument
+	 * 29 xauth identity
 	 * plus keyval (limit: 8K bits + overhead), a chunk.
 	 */
 	size_t str_size;
diff --git a/testing/INSTALL b/testing/INSTALL
index 68e13d84a..27db50013 100644
--- a/testing/INSTALL
+++ b/testing/INSTALL
@@ -53,14 +53,15 @@ are required for the strongSwan testing environment:
     * A vanilla Linux kernel on which the UML kernel will be based on.
       We recommend the use of
 
-      http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.31.5.tar.bz2
+      http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.33.3.tar.bz2
 
-    * The Linux kernel 2.6.31 does not require any patches for the uml guest kernel
-      to successfully start up.
+    * The Linux kernel 2.6.33.3 does not require any patches for the uml guest kernel
+      to successfully start up but the aes_gmac patch must be applied for
+      ESP AES-GMAC support.
 
     * The matching .config file required to compile the UML kernel:
 
-      http://download.strongswan.org/uml/.config-2.6.31
+      http://download.strongswan.org/uml/.config-2.6.33
 
     * A gentoo-based UML file system (compressed size 130 MBytes) found at
 
@@ -68,7 +69,7 @@ are required for the strongSwan testing environment:
 
     * The latest strongSwan distribution
 
-      http://download.strongswan.org/strongswan-4.3.6.tar.bz2
+      http://download.strongswan.org/strongswan-4.4.1.tar.bz2
 
 
 3. Creating the environment
diff --git a/testing/Makefile.in b/testing/Makefile.in
index c60f9b2ea..010f4c81b 100644
--- a/testing/Makefile.in
+++ b/testing/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
diff --git a/testing/hosts/default/etc/ipsec.d/tables.sql b/testing/hosts/default/etc/ipsec.d/tables.sql
index 0e880826d..eb41533cb 100644
--- a/testing/hosts/default/etc/ipsec.d/tables.sql
+++ b/testing/hosts/default/etc/ipsec.d/tables.sql
@@ -17,7 +17,7 @@ CREATE TABLE child_configs (
   jitter INTEGER NOT NULL DEFAULT '180',
   updown TEXT DEFAULT NULL,
   hostaccess INTEGER NOT NULL DEFAULT '0',
-  mode INTEGER NOT NULL DEFAULT '1',
+  mode INTEGER NOT NULL DEFAULT '2',
   dpd_action INTEGER NOT NULL DEFAULT '0',
   close_action INTEGER NOT NULL DEFAULT '0',
   ipcomp INTEGER NOT NULL DEFAULT '0'
@@ -183,12 +183,28 @@ CREATE TABLE leases (
   released INTEGER NOT NULL
 );
 
+DROP TABLE IF EXISTS attribute_pools;
+CREATE TABLE attribute_pools (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  name TEXT NOT NULL
+);
+
 DROP TABLE IF EXISTS attributes;
 CREATE TABLE attributes (
   id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  identity INTEGER NOT NULL DEFAULT 0,
+  pool INTEGER NOT NULL DEFAULT 0,
   type INTEGER NOT NULL,
   value BLOB NOT NULL
 );
+DROP INDEX IF EXISTS attributes_identity;
+CREATE INDEX attributes_identity ON attributes (
+  identity
+);
+DROP INDEX IF EXISTS attributes_pool;
+CREATE INDEX attributes_pool ON attributes (
+  pool
+);
 
 DROP TABLE IF EXISTS ike_sas;
 CREATE TABLE ike_sas (
diff --git a/testing/hosts/winnetou/etc/openssl/research/carolReq.pem b/testing/hosts/winnetou/etc/openssl/research/carolReq.pem
deleted file mode 100644
index f2a6b5c22..000000000
--- a/testing/hosts/winnetou/etc/openssl/research/carolReq.pem
+++ /dev/null
@@ -1,17 +0,0 @@
------BEGIN CERTIFICATE REQUEST-----
-MIICnzCCAYcCAQAwWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u
-Z1N3YW4xETAPBgNVBAsTCFJlc2VhcmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdz
-d2FuLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM+oTiV7lCh1
-ID41edDUgUjRdZwEMPBAM1xDqoxJxIJpug8UIuuUL0TvQnZ4Z5fa/9QNNCkQ7FDh
-8ZcR+TT8x0mOdYYA73mMQic0n4O57F+s/lESKvIoN+vIDR3rGJBv9rYztS4ODE+D
-Jl9XK9TtId5u57jfXu/k3IYl5GeQ3f+ic2l2Ola70t70Op6cFDZIhOCjs2xWw2yq
-GdPWODaN/Enw5fOLv/om+7HHB4KgPGv4p4ohWIUCo2XK597Ii+jB2MdOUlG83/1a
-X7+M+IeYVwjIhzWjwRQfMz0AQha0HYN4cvrZ7stUluMxewsCROCBzcGQYTZxYU4F
-jR8nhH4ApYMCAwEAAaAAMA0GCSqGSIb3DQEBBAUAA4IBAQA9OKM8HKu5Fp/HRsdS
-3Z/tuLVjwijVq/OIge1PnoW7Ri2hnTpWeaWcU2wIexsxPJR6kYwqp9NfxM73uUUU
-e/ROCU+kZxSuzfV3SMMI8bsjufuldxKUXs1B8Nit1Qkhhj1/4uN6FRzQ5E9vz0Yf
-OuVVJxMIEgQRdBTcZ8Cuf23Mcq+sBa/2OXD/y6WTUNrXvjTjmGWv1LnryB6Ro8se
-ndI7bIiMZ/sSOrhOWrii/655bpUSYIb0RCzOnbdNAevbn/bLMEpj0qiDSam88Y/6
-FIY5sDCsdlpHsI2vkIrvPo4PUE+yzBhezmrLbVoiHjVoZhr1h091777Bomg/oUxv
-beEk
------END CERTIFICATE REQUEST-----
diff --git a/testing/hosts/winnetou/etc/openssl/research/index.txt b/testing/hosts/winnetou/etc/openssl/research/index.txt
index 98aa9e3e4..844e001c7 100644
--- a/testing/hosts/winnetou/etc/openssl/research/index.txt
+++ b/testing/hosts/winnetou/etc/openssl/research/index.txt
@@ -1,6 +1,7 @@
 R	100322070423Z	100407091025Z,superseded	01	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org
-V	100615195710Z		02	unknown	/C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA
+R	100615195710Z	100703145747Z,superseded	02	unknown	/C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA
 V	120323210330Z		03	unknown	/C=CH/O=Linux strongSwan/OU=Research OCSP Signing Authority/CN=ocsp.research.strongswan.org
 V	140323203747Z		04	unknown	/C=CH/O=Linux strongSwan/OU=Research no CDP/CN=carol@strongswan.org
 V	151103161503Z		05	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=Duck Research CA
 V	150406092057Z		06	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org
+V	150702151839Z		07	unknown	/C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA
diff --git a/testing/hosts/winnetou/etc/openssl/research/index.txt.old b/testing/hosts/winnetou/etc/openssl/research/index.txt.old
index 2a68119f8..3ebf4b191 100644
--- a/testing/hosts/winnetou/etc/openssl/research/index.txt.old
+++ b/testing/hosts/winnetou/etc/openssl/research/index.txt.old
@@ -1,5 +1,6 @@
-R	100322070423Z	100407091025Z	01	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org
-V	100615195710Z		02	unknown	/C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA
+R	100322070423Z	100407091025Z,superseded	01	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org
+R	100615195710Z	100703145747Z,superseded	02	unknown	/C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA
 V	120323210330Z		03	unknown	/C=CH/O=Linux strongSwan/OU=Research OCSP Signing Authority/CN=ocsp.research.strongswan.org
 V	140323203747Z		04	unknown	/C=CH/O=Linux strongSwan/OU=Research no CDP/CN=carol@strongswan.org
 V	151103161503Z		05	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=Duck Research CA
+V	150406092057Z		06	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org
diff --git a/testing/hosts/winnetou/etc/openssl/research/newcerts/07.pem b/testing/hosts/winnetou/etc/openssl/research/newcerts/07.pem
new file mode 100644
index 000000000..8eaa6c6b7
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/research/newcerts/07.pem
@@ -0,0 +1,88 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 7 (0x7)
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=CH, O=Linux strongSwan, OU=Research, CN=Research CA
+        Validity
+            Not Before: Jul  3 15:18:39 2010 GMT
+            Not After : Jul  2 15:18:39 2015 GMT
+        Subject: C=CH, O=Linux strongSwan, OU=Sales, CN=Sales CA
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+            RSA Public Key: (2048 bit)
+                Modulus (2048 bit):
+                    00:c2:4e:4d:26:99:8c:37:b9:51:1f:a1:25:ba:1d:
+                    70:4e:34:58:1c:56:9b:ea:f4:16:20:fe:14:b7:36:
+                    73:48:47:fd:07:16:9b:55:df:aa:77:3d:a9:a3:cf:
+                    1a:8c:4e:d8:17:f0:5e:01:44:1d:f3:9d:43:31:c6:
+                    ba:d8:61:b2:f7:4c:3e:49:96:3f:56:77:b8:3a:f0:
+                    b1:ca:ab:98:bc:aa:e0:92:3c:ed:ec:52:7a:7d:60:
+                    82:60:95:12:26:f9:e5:3e:1f:37:1a:d3:20:62:5a:
+                    a1:ee:89:9f:db:fd:67:01:b6:07:e5:2b:de:71:40:
+                    ff:07:5c:91:27:6a:27:17:3a:5c:bf:43:29:c4:64:
+                    dd:3c:59:b6:ff:52:b8:37:ed:13:d1:bb:f3:b3:ba:
+                    3c:94:b2:7f:25:18:86:57:73:d4:46:5e:e4:f4:ec:
+                    52:80:1b:04:9d:03:0d:72:71:df:9e:b6:90:3b:5f:
+                    41:dc:1e:cd:ab:74:2c:0c:8e:b1:56:9b:62:af:f4:
+                    1b:f7:c1:67:02:cb:7a:be:2a:18:5d:be:dc:2b:2f:
+                    3f:b8:cd:5e:78:51:61:e4:af:db:ee:22:da:60:23:
+                    81:b0:51:23:50:37:8a:aa:14:dc:da:b5:bc:f0:2a:
+                    ce:b7:a4:38:8f:d1:57:d1:eb:7b:d2:f5:af:c5:f5:
+                    74:81
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+            X509v3 Key Usage: 
+                Certificate Sign, CRL Sign
+            X509v3 Subject Key Identifier: 
+                5F:9B:13:46:F9:20:72:C8:00:D5:88:B5:A7:4C:2E:97:EA:0B:93:28
+            X509v3 Authority Key Identifier: 
+                keyid:E7:75:F0:A0:F2:AD:20:CD:CD:60:23:CC:C7:C8:0F:29:F3:DD:54:20
+                DirName:/C=CH/O=Linux strongSwan/CN=strongSwan Root CA
+                serial:20
+
+            X509v3 CRL Distribution Points: 
+                URI:http://crl.strongswan.org/research.crl
+
+    Signature Algorithm: sha256WithRSAEncryption
+        33:e2:05:f4:db:4e:41:f0:45:da:6d:e2:20:18:ff:0c:74:00:
+        a2:b0:9c:5e:b7:eb:ed:44:fa:6f:1d:1e:7d:47:85:35:3c:15:
+        99:22:44:2b:11:49:17:71:aa:9c:e9:ac:c8:1a:ea:fe:e4:b1:
+        5d:bd:08:82:69:4d:c8:9a:0f:8f:12:db:35:8d:b2:24:36:bd:
+        f3:41:e1:47:a7:1b:8c:0a:54:6f:3b:e3:60:90:6a:40:b3:66:
+        4f:fb:32:b1:ee:b6:4f:95:0d:c3:77:a0:67:2e:e2:01:44:08:
+        fc:eb:66:26:0f:4d:5b:fb:e0:f0:85:45:f7:77:ed:26:25:5e:
+        63:74:28:5d:08:bf:38:2e:d8:33:70:24:d3:03:01:ae:ac:1e:
+        cf:bf:f0:7f:fb:05:bc:c7:c5:46:64:4f:bc:eb:4e:ec:b8:33:
+        91:46:20:a9:65:40:1c:40:2e:9f:fc:37:f2:cd:e2:fc:f4:65:
+        b2:e0:6c:d5:3b:12:8d:7a:12:29:1b:10:04:94:b3:74:9c:9a:
+        76:be:74:50:52:7d:ec:5f:d0:6f:68:aa:f1:ef:c6:35:8f:89:
+        94:70:e9:9a:d2:e5:36:64:00:4d:43:99:da:8b:5b:04:cd:ab:
+        f1:68:69:e0:d6:b2:59:60:01:da:8c:03:67:cb:ee:2f:6d:b0:
+        51:d9:55:89
+-----BEGIN CERTIFICATE-----
+MIIEADCCAuigAwIBAgIBBzANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS
+BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTEwMDcwMzE1MTgzOVoXDTE1MDcwMjE1MTgz
+OVowSzELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAM
+BgNVBAsTBVNhbGVzMREwDwYDVQQDEwhTYWxlcyBDQTCCASIwDQYJKoZIhvcNAQEB
+BQADggEPADCCAQoCggEBAMJOTSaZjDe5UR+hJbodcE40WBxWm+r0FiD+FLc2c0hH
+/QcWm1Xfqnc9qaPPGoxO2BfwXgFEHfOdQzHGuthhsvdMPkmWP1Z3uDrwscqrmLyq
+4JI87exSen1ggmCVEib55T4fNxrTIGJaoe6Jn9v9ZwG2B+Ur3nFA/wdckSdqJxc6
+XL9DKcRk3TxZtv9SuDftE9G787O6PJSyfyUYhldz1EZe5PTsUoAbBJ0DDXJx3562
+kDtfQdwezat0LAyOsVabYq/0G/fBZwLLer4qGF2+3CsvP7jNXnhRYeSv2+4i2mAj
+gbBRI1A3iqoU3Nq1vPAqzrekOI/RV9Hre9L1r8X1dIECAwEAAaOB6DCB5TAPBgNV
+HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUX5sTRvkgcsgA1Yi1
+p0wul+oLkygwbQYDVR0jBGYwZIAU53XwoPKtIM3NYCPMx8gPKfPdVCChSaRHMEUx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQD
+ExJzdHJvbmdTd2FuIFJvb3QgQ0GCASAwNwYDVR0fBDAwLjAsoCqgKIYmaHR0cDov
+L2NybC5zdHJvbmdzd2FuLm9yZy9yZXNlYXJjaC5jcmwwDQYJKoZIhvcNAQELBQAD
+ggEBADPiBfTbTkHwRdpt4iAY/wx0AKKwnF636+1E+m8dHn1HhTU8FZkiRCsRSRdx
+qpzprMga6v7ksV29CIJpTciaD48S2zWNsiQ2vfNB4UenG4wKVG8742CQakCzZk/7
+MrHutk+VDcN3oGcu4gFECPzrZiYPTVv74PCFRfd37SYlXmN0KF0Ivzgu2DNwJNMD
+Aa6sHs+/8H/7BbzHxUZkT7zrTuy4M5FGIKllQBxALp/8N/LN4vz0ZbLgbNU7Eo16
+EikbEASUs3Scmna+dFBSfexf0G9oqvHvxjWPiZRw6ZrS5TZkAE1DmdqLWwTNq/Fo
+aeDWsllgAdqMA2fL7i9tsFHZVYk=
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/research/serial b/testing/hosts/winnetou/etc/openssl/research/serial
index 2c7456e3e..adb9de8ee 100644
--- a/testing/hosts/winnetou/etc/openssl/research/serial
+++ b/testing/hosts/winnetou/etc/openssl/research/serial
@@ -1 +1 @@
-07
+08
diff --git a/testing/hosts/winnetou/etc/openssl/research/serial.old b/testing/hosts/winnetou/etc/openssl/research/serial.old
index cd672a533..2c7456e3e 100644
--- a/testing/hosts/winnetou/etc/openssl/research/serial.old
+++ b/testing/hosts/winnetou/etc/openssl/research/serial.old
@@ -1 +1 @@
-06
+07
diff --git a/testing/hosts/winnetou/etc/openssl/sales/index.txt b/testing/hosts/winnetou/etc/openssl/sales/index.txt
index c4e05f253..314acd784 100644
--- a/testing/hosts/winnetou/etc/openssl/sales/index.txt
+++ b/testing/hosts/winnetou/etc/openssl/sales/index.txt
@@ -1,5 +1,6 @@
 R	100322071017Z	100407093948Z,superseded	01	unknown	/C=CH/O=Linux strongSwan/OU=Sales/CN=dave@strongswan.org
-V	100615195536Z		02	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=Research CA
+R	100615195536Z	100703150410Z,superseded	02	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=Research CA
 V	120323211811Z		03	unknown	/C=CH/O=Linux strongSwan/OU=Sales OCSP Signing Authority/CN=ocsp.sales.strongswan.org
 V	140323211053Z		04	unknown	/C=CH/O=Linux strongSwan/OU=Sales no CDP/CN=dave@strongswan.org
 V	150406094241Z		05	unknown	/C=CH/O=Linux strongSwan/OU=Sales/CN=dave@strongswan.org
+V	150702152829Z		06	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=Research CA
diff --git a/testing/hosts/winnetou/etc/openssl/sales/index.txt.old b/testing/hosts/winnetou/etc/openssl/sales/index.txt.old
index f377c3588..fd5485026 100644
--- a/testing/hosts/winnetou/etc/openssl/sales/index.txt.old
+++ b/testing/hosts/winnetou/etc/openssl/sales/index.txt.old
@@ -1,4 +1,5 @@
 R	100322071017Z	100407093948Z,superseded	01	unknown	/C=CH/O=Linux strongSwan/OU=Sales/CN=dave@strongswan.org
-V	100615195536Z		02	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=Research CA
+R	100615195536Z	100703150410Z	02	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=Research CA
 V	120323211811Z		03	unknown	/C=CH/O=Linux strongSwan/OU=Sales OCSP Signing Authority/CN=ocsp.sales.strongswan.org
 V	140323211053Z		04	unknown	/C=CH/O=Linux strongSwan/OU=Sales no CDP/CN=dave@strongswan.org
+V	150406094241Z		05	unknown	/C=CH/O=Linux strongSwan/OU=Sales/CN=dave@strongswan.org
diff --git a/testing/hosts/winnetou/etc/openssl/sales/newcerts/06.pem b/testing/hosts/winnetou/etc/openssl/sales/newcerts/06.pem
new file mode 100644
index 000000000..3a40e2829
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/sales/newcerts/06.pem
@@ -0,0 +1,88 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 6 (0x6)
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=CH, O=Linux strongSwan, OU=Sales, CN=Sales CA
+        Validity
+            Not Before: Jul  3 15:28:29 2010 GMT
+            Not After : Jul  2 15:28:29 2015 GMT
+        Subject: C=CH, O=Linux strongSwan, OU=Research, CN=Research CA
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+            RSA Public Key: (2048 bit)
+                Modulus (2048 bit):
+                    00:b6:39:b2:3a:a6:e0:07:5b:58:a7:3f:4f:b2:5a:
+                    85:6a:72:f7:1b:5d:3d:b1:e7:80:13:7a:95:b9:e9:
+                    61:a1:df:af:19:c6:b2:f9:83:14:21:59:1c:27:7b:
+                    7a:04:6a:43:f0:2e:24:71:dc:12:fd:c3:51:d7:c9:
+                    59:60:32:a5:59:d4:bd:d9:5c:a7:9f:21:06:3a:71:
+                    7d:33:d7:3f:d2:03:07:1c:d0:69:0c:94:ce:c1:31:
+                    20:65:8e:55:46:36:7b:bc:49:e4:12:81:9d:75:64:
+                    a2:4d:e1:b5:8e:07:af:51:9d:a8:d8:7e:dc:b1:26:
+                    6d:e8:09:06:78:13:45:24:71:e0:f2:89:e7:81:4e:
+                    fd:be:fc:2d:4c:c1:fa:b3:31:af:3c:70:fe:59:c8:
+                    f2:31:26:02:d2:a5:ba:04:3b:73:d6:ae:31:e1:42:
+                    cf:e3:66:95:27:e7:4a:85:a1:1c:de:6a:9b:ed:22:
+                    34:ac:b4:0b:ed:b9:22:e1:3c:36:af:a2:de:3b:41:
+                    88:8f:01:c0:1a:87:63:7b:b6:22:e7:e5:52:1f:4d:
+                    73:d7:7f:47:ab:c6:b1:13:cc:1e:cd:f4:5f:51:da:
+                    fe:6d:14:83:8f:78:fb:0c:2a:c1:f1:01:65:18:f3:
+                    c4:c9:8c:17:fd:52:1b:82:35:13:74:c3:38:9d:ec:
+                    ae:39
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+            X509v3 Key Usage: 
+                Certificate Sign, CRL Sign
+            X509v3 Subject Key Identifier: 
+                E7:75:F0:A0:F2:AD:20:CD:CD:60:23:CC:C7:C8:0F:29:F3:DD:54:20
+            X509v3 Authority Key Identifier: 
+                keyid:5F:9B:13:46:F9:20:72:C8:00:D5:88:B5:A7:4C:2E:97:EA:0B:93:28
+                DirName:/C=CH/O=Linux strongSwan/CN=strongSwan Root CA
+                serial:21
+
+            X509v3 CRL Distribution Points: 
+                URI:http://crl.strongswan.org/sales.crl
+
+    Signature Algorithm: sha256WithRSAEncryption
+        b4:53:55:44:bc:6e:96:f7:36:bc:16:57:f6:88:13:a2:bd:32:
+        fb:57:d6:43:f3:31:46:d9:83:29:30:3a:6e:20:d6:37:c3:9a:
+        a6:cf:c3:6f:17:e9:86:44:49:0d:81:6c:6d:50:46:1d:d2:52:
+        94:a8:4f:9b:e9:94:f7:03:e0:e0:af:dc:e4:4a:00:2c:c6:87:
+        1e:31:7a:67:7b:4e:96:0f:f1:d9:e9:b5:f9:3a:e9:c7:c5:08:
+        ff:88:b7:4b:78:84:fe:39:06:a9:60:55:97:dd:e5:90:0e:fe:
+        88:11:43:ed:ac:ef:d3:9b:73:95:cf:ab:f4:a1:1a:f0:a8:9c:
+        65:4e:3c:3b:aa:91:6a:cf:fc:84:88:31:d0:57:14:7a:a4:5b:
+        25:b6:e1:ef:ca:ce:ae:e9:3c:c1:b5:f0:47:2d:ec:d0:38:81:
+        15:d2:89:6c:74:53:7d:e5:85:63:5a:b0:fb:d2:2a:d2:a0:0b:
+        a7:5c:99:13:6a:8f:24:c7:42:81:72:d3:61:4b:80:a3:f5:a7:
+        6d:78:4e:12:e4:4a:bf:5d:80:74:fa:7b:af:51:ec:44:bd:56:
+        29:f7:0d:48:0f:b8:97:65:5d:c6:b1:fc:15:a6:ea:02:ee:82:
+        a1:dc:5d:51:85:ca:e5:4f:90:34:a0:3d:db:3a:9b:42:90:70:
+        45:67:b9:a5
+-----BEGIN CERTIFICATE-----
+MIID/TCCAuWgAwIBAgIBBjANBgkqhkiG9w0BAQsFADBLMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEOMAwGA1UECxMFU2FsZXMxETAPBgNV
+BAMTCFNhbGVzIENBMB4XDTEwMDcwMzE1MjgyOVoXDTE1MDcwMjE1MjgyOVowUTEL
+MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsT
+CFJlc2VhcmNoMRQwEgYDVQQDEwtSZXNlYXJjaCBDQTCCASIwDQYJKoZIhvcNAQEB
+BQADggEPADCCAQoCggEBALY5sjqm4AdbWKc/T7JahWpy9xtdPbHngBN6lbnpYaHf
+rxnGsvmDFCFZHCd7egRqQ/AuJHHcEv3DUdfJWWAypVnUvdlcp58hBjpxfTPXP9ID
+BxzQaQyUzsExIGWOVUY2e7xJ5BKBnXVkok3htY4Hr1GdqNh+3LEmbegJBngTRSRx
+4PKJ54FO/b78LUzB+rMxrzxw/lnI8jEmAtKlugQ7c9auMeFCz+NmlSfnSoWhHN5q
+m+0iNKy0C+25IuE8Nq+i3jtBiI8BwBqHY3u2IuflUh9Nc9d/R6vGsRPMHs30X1Ha
+/m0Ug494+wwqwfEBZRjzxMmMF/1SG4I1E3TDOJ3srjkCAwEAAaOB5TCB4jAPBgNV
+HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU53XwoPKtIM3NYCPM
+x8gPKfPdVCAwbQYDVR0jBGYwZIAUX5sTRvkgcsgA1Yi1p0wul+oLkyihSaRHMEUx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQD
+ExJzdHJvbmdTd2FuIFJvb3QgQ0GCASEwNAYDVR0fBC0wKzApoCegJYYjaHR0cDov
+L2NybC5zdHJvbmdzd2FuLm9yZy9zYWxlcy5jcmwwDQYJKoZIhvcNAQELBQADggEB
+ALRTVUS8bpb3NrwWV/aIE6K9MvtX1kPzMUbZgykwOm4g1jfDmqbPw28X6YZESQ2B
+bG1QRh3SUpSoT5vplPcD4OCv3ORKACzGhx4xemd7TpYP8dnptfk66cfFCP+It0t4
+hP45BqlgVZfd5ZAO/ogRQ+2s79Obc5XPq/ShGvConGVOPDuqkWrP/ISIMdBXFHqk
+WyW24e/Kzq7pPMG18Ect7NA4gRXSiWx0U33lhWNasPvSKtKgC6dcmRNqjyTHQoFy
+02FLgKP1p214ThLkSr9dgHT6e69R7ES9Vin3DUgPuJdlXcax/BWm6gLugqHcXVGF
+yuVPkDSgPds6m0KQcEVnuaU=
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/sales/serial b/testing/hosts/winnetou/etc/openssl/sales/serial
index cd672a533..2c7456e3e 100644
--- a/testing/hosts/winnetou/etc/openssl/sales/serial
+++ b/testing/hosts/winnetou/etc/openssl/sales/serial
@@ -1 +1 @@
-06
+07
diff --git a/testing/hosts/winnetou/etc/openssl/sales/serial.old b/testing/hosts/winnetou/etc/openssl/sales/serial.old
index eeee65ec4..cd672a533 100644
--- a/testing/hosts/winnetou/etc/openssl/sales/serial.old
+++ b/testing/hosts/winnetou/etc/openssl/sales/serial.old
@@ -1 +1 @@
-05
+06
diff --git a/testing/scripts/build-umlrootfs b/testing/scripts/build-umlrootfs
index 16dd843b9..8a083e2ec 100755
--- a/testing/scripts/build-umlrootfs
+++ b/testing/scripts/build-umlrootfs
@@ -241,6 +241,11 @@ then
     echo -n " --enable-farp" >> $INSTALLSHELL
 fi
 
+if [ "$USE_ADDRBLOCK" = "yes" ]
+then
+    echo -n " --enable-addrblock" >> $INSTALLSHELL
+fi
+
 echo "" >> $INSTALLSHELL
 echo "make" >> $INSTALLSHELL
 echo "make install" >> $INSTALLSHELL
diff --git a/testing/testing.conf b/testing/testing.conf
index c7852d28f..55716ebaa 100755
--- a/testing/testing.conf
+++ b/testing/testing.conf
@@ -31,7 +31,7 @@ KERNELCONFIG=$UMLTESTDIR/.config-2.6.33
 UMLPATCH=$UMLTESTDIR/aes_gmac.patch.bz2
 
 # Bzipped source of strongSwan
-STRONGSWAN=$UMLTESTDIR/strongswan-4.4.0.tar.bz2
+STRONGSWAN=$UMLTESTDIR/strongswan-4.4.1.tar.bz2
 
 # strongSwan compile options (use "yes" or "no")
 USE_LIBCURL="yes"
@@ -56,6 +56,7 @@ USE_SOCKET_DEFAULT="yes"
 USE_SOCKET_DYNAMIC="yes"
 USE_DHCP="yes"
 USE_FARP="yes"
+USE_ADDRBLOCK="yes"
 
 # Gentoo linux root filesystem
 ROOTFS=$UMLTESTDIR/gentoo-fs-20090615.tar.bz2
diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf
index 48b36cec7..dafa85bd1 100644
--- a/testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl pem pkcs1 gcrypt x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl pem pkcs1 gcrypt x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf
index 48b36cec7..dafa85bd1 100644
--- a/testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl pem pkcs1 gcrypt x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl pem pkcs1 gcrypt x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
index 0113aa780..f0e57e827 100644
--- a/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors pem pkcs1 gcrypt x509 hmac stroke kernel-netlink socket-default updown
+  load = curl test-vectors pem pkcs1 gcrypt x509 revocation hmac stroke kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
index 6fcefc56a..208f1c36d 100644
--- a/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac stroke kernel-netlink socket-default updown
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
index 0113aa780..f0e57e827 100644
--- a/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors pem pkcs1 gcrypt x509 hmac stroke kernel-netlink socket-default updown
+  load = curl test-vectors pem pkcs1 gcrypt x509 revocation hmac stroke kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/ike/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/ike/rw-cert/hosts/dave/etc/strongswan.conf
index 774042329..3545a5734 100644
--- a/testing/tests/ike/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ike/rw-cert/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
 
 libstrongswan {
diff --git a/testing/tests/ike/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ike/rw-cert/hosts/moon/etc/strongswan.conf
index 1f442a7dd..d84d916a5 100644
--- a/testing/tests/ike/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ike/rw-cert/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random hmac x509 xcbc stroke kernel-netlink socket-raw
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random hmac x509 revocation xcbc stroke kernel-netlink socket-raw
 }
 
 pluto {
diff --git a/testing/tests/ike/rw_v1-net_v2/hosts/moon/etc/strongswan.conf b/testing/tests/ike/rw_v1-net_v2/hosts/moon/etc/strongswan.conf
index 831790f1e..38db1e4fc 100644
--- a/testing/tests/ike/rw_v1-net_v2/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ike/rw_v1-net_v2/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random hmac x509 xcbc stroke kernel-netlink socket-raw
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random hmac x509 revocation xcbc stroke kernel-netlink socket-raw
 }
 
 pluto {
diff --git a/testing/tests/ike/rw_v1-net_v2/hosts/sun/etc/strongswan.conf b/testing/tests/ike/rw_v1-net_v2/hosts/sun/etc/strongswan.conf
index dd2df0670..88f162098 100644
--- a/testing/tests/ike/rw_v1-net_v2/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ike/rw_v1-net_v2/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ike2/description.txt b/testing/tests/ike2/description.txt
deleted file mode 100644
index 31d24cda6..000000000
--- a/testing/tests/ike2/description.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-The router <b>moon</b> sets up a connection to gateway <b>sun</b> in order
-to reach the subnet hidden behind <b>sun</b>. The gateway <b>sun</b> assigns a
-virtual IP address to router <b>moon</b>. A special updown script on <b>moon</b>
-specified by <b>leftupdown=/etc/nat_updown</b> dynamically inserts a source NAT rule
-which maps the IP address of client <b>alice</b> to the virtual IP of <b>moon</b>.
-This allows <b>alice</b> to access client <b>bob</b> via the established IPsec tunnel.
diff --git a/testing/tests/ike2/evaltest.dat b/testing/tests/ike2/evaltest.dat
deleted file mode 100644
index 75d5ffbd3..000000000
--- a/testing/tests/ike2/evaltest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-moon::ipsec statusall::net-net.*ESTABLISHED::YES
-sun::ipsec statusall::net-net.*ESTABLISHED::YES
-moon::cat /var/log/daemon.log::inserted NAT rule mapping PH_IP_ALICE to virtual IP::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
-sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
-bob::tcpdump::IP alice2.strongswan.org > bob.strongswan.org: ICMP::YES
-bob::tcpdump::IP bob.strongswan.org > alice2.strongswan.org: ICMP::YES
diff --git a/testing/tests/ike2/hosts/bob/etc/hosts b/testing/tests/ike2/hosts/bob/etc/hosts
deleted file mode 100644
index ee854da09..000000000
--- a/testing/tests/ike2/hosts/bob/etc/hosts
+++ /dev/null
@@ -1,70 +0,0 @@
-# /etc/hosts:  This file describes a number of hostname-to-address
-#              mappings for the TCP/IP subsystem.  It is mostly
-#              used at boot time, when no name servers are running.
-#              On small systems, this file can be used instead of a
-#              "named" name server.  Just add the names, addresses
-#              and any aliases to this file...
-#
-
-127.0.0.1	localhost
-
-192.168.0.254	uml0.strongswan.org	uml0
-10.1.0.254	uml1.strongswan.org	uml1
-10.2.0.254	uml1.strongswan.org	uml2
-
-10.1.0.10	alice.strongswan.org	alice
-10.1.0.20	venus.strongswan.org	venus
-10.1.0.1	moon1.strongswan.org	moon1
-192.168.0.1	moon.strongswan.org	moon
-192.168.0.50	alice1.strongswan.org	alice1
-192.168.0.100	carol.strongswan.org	carol
-10.3.0.1	carol1.strongswan.org	carol1
-192.168.0.150	winnetou.strongswan.org	winnetou crl.strongswan.org ocsp.strongswan.org ldap.strongswan.org
-192.168.0.200	dave.strongswan.org	dave
-10.3.0.2	dave1.strongswan.org	dave1
-192.168.0.2	sun.strongswan.org	sun
-10.2.0.1	sun1.strongswan.org	sun1
-10.2.0.10	bob.strongswan.org	bob
-10.4.0.1	alice2.strongswan.org	alice2
-
-# IPv6 versions of localhost and co
-::1 ip6-localhost ip6-loopback
-fe00::0 ip6-localnet
-ff00::0 ip6-mcastprefix
-ff02::1 ip6-allnodes
-ff02::2 ip6-allrouters
-ff02::3 ip6-allhosts
-
-# IPv6 solicited-node multicast addresses
-ff02::1:ff00:1	ip6-mcast-1
-ff02::1:ff00:2	ip6-mcast-2
-ff02::1:ff00:10	ip6-mcast-10
-ff02::1:ff00:15	ip6-mcast-15
-ff02::1:ff00:20	ip6-mcast-20
-
-# IPv6 site-local addresses
-fec0::5		ip6-alice1.strongswan.org   ip6-alice1
-fec1::10	ip6-alice.strongswan.org    ip6-alice
-fec1::20	ip6-venus.strongswan.org    ip6-venus
-fec1::1 	ip6-moon1.strongswan.org    ip6-moon1
-fec0::1 	ip6-moon.strongswan.org     ip6-moon
-fec0::10	ip6-carol.strongswan.org    ip6-carol
-fec3::1 	ip6-carol1.strongswan.org   ip6-carol1
-fec0::15	ip6-winnetou.strongswan.org ip6-winnetou 
-fec0::20	ip6-dave.strongswan.org     ip6-dave
-fec3::2 	ip6-dave1.strongswan.org    ip6-dave1
-fec0::2 	ip6-sun.strongswan.org      ip6-sun
-fec2::1 	ip6-sun1.strongswan.org     ip6-sun1
-fec2::10	ip6-bob.strongswan.org      ip6-bob
-
-# IPv6 link-local HW derived addresses
-fe80::fcfd:0aff:fe01:14	ip6-hw-venus.strongswan.org    ip6-hw-venus
-fe80::fcfd:0aff:fe01:0a	ip6-hw-alice.strongswan.org    ip6-hw-alice
-fe80::fcfd:0aff:fe01:01	ip6-hw-moon1.strongswan.org    ip6-hw-moon1
-fe80::fcfd:c0ff:fea8:01 ip6-hw-moon.strongswan.org     ip6-hw-moon
-fe80::fcfd:c0ff:fea8:64	ip6-hw-carol.strongswan.org    ip6-hw-carol
-fe80::fcfd:c0ff:fea8:96 ip6-hw-winnetou.strongswan.org ip6-hw-winnetou
-fe80::fcfd:c0ff:fea8:c8	ip6-hw-dave.strongswan.org     ip6-hw-dave
-fe80::fcfd:c0ff:fea8:02	ip6-hw-sun.strongswan.org      ip6-hw-sun
-fe80::fcfd:0aff:fe02:01	ip6-hw-sun1.strongswan.org     ip6-hw-sun1
-fe80::fcfd:0aff:fe02:0a ip6-hw-bob.strongswan.org      ip6-hw-bob
diff --git a/testing/tests/ike2/hosts/moon/etc/ipsec.conf b/testing/tests/ike2/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index e43e0d785..000000000
--- a/testing/tests/ike2/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-	mobike=no
-
-conn net-net 
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftsourceip=%config
-	leftupdown=/etc/nat_updown
-	right=PH_IP_SUN
-	rightid=@sun.strongswan.org
-	rightsubnet=10.2.0.0/16
-	auto=add
diff --git a/testing/tests/ike2/hosts/moon/etc/nat_updown b/testing/tests/ike2/hosts/moon/etc/nat_updown
deleted file mode 100755
index aab1df687..000000000
--- a/testing/tests/ike2/hosts/moon/etc/nat_updown
+++ /dev/null
@@ -1,152 +0,0 @@
-#! /bin/sh
-# NAT updown script
-#
-# Copyright (C) 2010 Andreas Steffen <andreas.steffen@strongswan.org>
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
-# for more details.
-
-# things that this script gets (from ipsec_pluto(8) man page)
-#
-#      PLUTO_VERSION
-#              indicates  what  version of this interface is being
-#              used.  This document describes version  1.1.   This
-#              is upwardly compatible with version 1.0.
-#
-#       PLUTO_VERB
-#              specifies the name of the operation to be performed
-#              (prepare-host, prepare-client, up-host, up-client,
-#              down-host, or down-client).  If the address family
-#              for security gateway to security gateway communica-
-#              tions is IPv6, then a suffix of -v6 is added to the
-#              verb.
-#
-#       PLUTO_CONNECTION
-#              is the name of the  connection  for  which  we  are
-#              routing.
-#
-#       PLUTO_NEXT_HOP
-#              is the next hop to which packets bound for the peer
-#              must be sent.
-#
-#       PLUTO_INTERFACE
-#              is the name of the ipsec interface to be used.
-#
-#       PLUTO_REQID
-#              is the requid of the ESP policy
-#
-#       PLUTO_ME
-#              is the IP address of our host.
-#
-#       PLUTO_MY_ID
-#              is the ID of our host.
-#
-#       PLUTO_MY_CLIENT
-#              is the IP address / count of our client subnet.  If
-#              the  client  is  just  the  host,  this will be the
-#              host's own IP address / max (where max  is  32  for
-#              IPv4 and 128 for IPv6).
-#
-#       PLUTO_MY_CLIENT_NET
-#              is the IP address of our client net.  If the client
-#              is just the host, this will be the  host's  own  IP
-#              address.
-#
-#       PLUTO_MY_CLIENT_MASK
-#              is  the  mask for our client net.  If the client is
-#              just the host, this will be 255.255.255.255.
-#
-#       PLUTO_MY_SOURCEIP
-#              if non-empty, then the source address for the route will be
-#              set to this IP address.
-#
-#       PLUTO_MY_PROTOCOL
-#              is the IP protocol that will be transported.
-#
-#       PLUTO_MY_PORT
-#              is  the  UDP/TCP  port  to  which  the IPsec SA  is
-#              restricted on our side.
-#
-#       PLUTO_PEER
-#              is the IP address of our peer.
-#
-#       PLUTO_PEER_ID
-#              is the ID of our peer.
-#
-#       PLUTO_PEER_CA
-#              is the CA which issued the cert of our peer.
-#
-#       PLUTO_PEER_CLIENT
-#              is the IP address / count of the peer's client sub-
-#              net.   If the client is just the peer, this will be
-#              the peer's own IP address / max (where  max  is  32
-#              for IPv4 and 128 for IPv6).
-#
-#       PLUTO_PEER_CLIENT_NET
-#              is the IP address of the peer's client net.  If the
-#              client is just the peer, this will  be  the  peer's
-#              own IP address.
-#
-#       PLUTO_PEER_CLIENT_MASK
-#              is  the  mask  for  the  peer's client net.  If the
-#              client   is   just   the   peer,   this   will   be
-#              255.255.255.255.
-#
-#       PLUTO_PEER_PROTOCOL
-#              is the IP protocol that will be transported.
-#
-#       PLUTO_PEER_PORT
-#              is  the  UDP/TCP  port  to  which  the IPsec SA  is
-#              restricted on the peer side.
-#
-
-# define a minimum PATH environment in case it is not set
-PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin"
-export PATH
-
-# resolve octal escape sequences
-PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
-PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
-
-case "$PLUTO_VERB:$1" in
-up-host:)
-	# connection to me coming up
-	# If you are doing a custom version, firewall commands go here.
-	;;
-down-host:)
-	# connection to me going down
-	# If you are doing a custom version, firewall commands go here.
-	;;
-up-client:)
-	# connection to my client subnet coming up
-	# If you are doing a custom version, firewall commands go here.
-	iptables -A FORWARD -i eth1 -o $PLUTO_INTERFACE -s PH_IP_ALICE \
-	    -d $PLUTO_PEER_CLIENT -j ACCEPT
-        iptables -A FORWARD -o eth1 -i $PLUTO_INTERFACE -d PH_IP_ALICE \
-            -s $PLUTO_PEER_CLIENT -j ACCEPT
-	iptables -t nat -A POSTROUTING -o $PLUTO_INTERFACE -s PH_IP_ALICE \
-	    -d $PLUTO_PEER_CLIENT -j SNAT --to-source $PLUTO_MY_SOURCEIP
-	echo "inserted NAT rule mapping PH_IP_ALICE to virtual IP $PLUTO_MY_SOURCEIP" >&2 
-	;;
-down-client:)
-	# connection to my client subnet going down
-	# If you are doing a custom version, firewall commands go here.
-        iptables -D FORWARD -i eth1 -o $PLUTO_INTERFACE -s PH_IP_ALICE \
-            -d $PLUTO_PEER_CLIENT -j ACCEPT
-        iptables -D FORWARD -o eth1 -i $PLUTO_INTERFACE -d PH_IP_ALICE \
-            -s $PLUTO_PEER_CLIENT -j ACCEPT
-         iptables -t nat -D POSTROUTING -o $PLUTO_INTERFACE -s PH_IP_ALICE \
-            -d $PLUTO_PEER_CLIENT -j SNAT --to-source $PLUTO_MY_SOURCEIP
-        echo "deleted NAT rule mapping PH_IP_ALICE to virtual IP $PLUTO_MY_SOURCEIP" >&2    
-	;;
-*)	echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
-	exit 1
-	;;
-esac
diff --git a/testing/tests/ike2/hosts/moon/etc/strongswan.conf b/testing/tests/ike2/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 161934454..000000000
--- a/testing/tests/ike2/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-raw updown
-  multiple_authentication = no
-}
diff --git a/testing/tests/ike2/hosts/sun/etc/ipsec.conf b/testing/tests/ike2/hosts/sun/etc/ipsec.conf
deleted file mode 100755
index 9cede8d56..000000000
--- a/testing/tests/ike2/hosts/sun/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-        keyingtries=1
-	keyexchange=ikev2
-	mobike=no
-
-conn net-net 
-	left=PH_IP_SUN
-	leftcert=sunCert.pem
-	leftid=@sun.strongswan.org
-	leftsubnet=10.2.0.0/16
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightsourceip=10.4.0.0/24
-	auto=add
diff --git a/testing/tests/ike2/hosts/sun/etc/strongswan.conf b/testing/tests/ike2/hosts/sun/etc/strongswan.conf
deleted file mode 100644
index 161934454..000000000
--- a/testing/tests/ike2/hosts/sun/etc/strongswan.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-raw updown
-  multiple_authentication = no
-}
diff --git a/testing/tests/ike2/posttest.dat b/testing/tests/ike2/posttest.dat
deleted file mode 100644
index b121de27d..000000000
--- a/testing/tests/ike2/posttest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::ipsec stop
-sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
-moon::conntrack -F
diff --git a/testing/tests/ike2/pretest.dat b/testing/tests/ike2/pretest.dat
deleted file mode 100644
index abbca90d7..000000000
--- a/testing/tests/ike2/pretest.dat
+++ /dev/null
@@ -1,9 +0,0 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
-moon::conntrack -F
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-moon::ipsec start
-sun::ipsec start
-moon::sleep 1 
-moon::ipsec up net-net
-moon::sleep 1
diff --git a/testing/tests/ike2/test.conf b/testing/tests/ike2/test.conf
deleted file mode 100644
index 1971a33ab..000000000
--- a/testing/tests/ike2/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon winnetou sun bob"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-w-s-b.png"
- 
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="sun bob"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev1/esp-alg-aes-ccm/evaltest.dat b/testing/tests/ikev1/esp-alg-aes-ccm/evaltest.dat
index 14d576909..9c17ae903 100644
--- a/testing/tests/ikev1/esp-alg-aes-ccm/evaltest.dat
+++ b/testing/tests/ikev1/esp-alg-aes-ccm/evaltest.dat
@@ -3,5 +3,7 @@ moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
 carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
 moon::ipsec statusall::AES_CCM_12_128::YES
 carol::ipsec statusall::AES_CCM_12_128::YES
+carol::ip xfrm state::aead rfc4309(ccm(aes))::YES
+moon::ip xfrm state::aead rfc4309(ccm(aes))::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 180::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 180::YES
diff --git a/testing/tests/ikev1/esp-alg-aes-gcm/evaltest.dat b/testing/tests/ikev1/esp-alg-aes-gcm/evaltest.dat
index e1fbe4653..da5d7c604 100644
--- a/testing/tests/ikev1/esp-alg-aes-gcm/evaltest.dat
+++ b/testing/tests/ikev1/esp-alg-aes-gcm/evaltest.dat
@@ -3,5 +3,7 @@ moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
 carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
 moon::ipsec statusall::AES_GCM_16_256::YES
 carol::ipsec statusall::AES_GCM_16_256::YES
+carol::ip xfrm state::aead rfc4106(gcm(aes))::YES
+moon::ip xfrm state::aead rfc4106(gcm(aes))::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 184::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 184::YES
diff --git a/testing/tests/ikev1/esp-alg-aes-gmac/evaltest.dat b/testing/tests/ikev1/esp-alg-aes-gmac/evaltest.dat
index 3ec271cf1..4678155ee 100644
--- a/testing/tests/ikev1/esp-alg-aes-gmac/evaltest.dat
+++ b/testing/tests/ikev1/esp-alg-aes-gmac/evaltest.dat
@@ -3,5 +3,7 @@ carol::ipsec statusall::home.*IPsec SA established::YES
 carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
 moon::ipsec statusall::ESP proposal: AES_GMAC_256::YES
 carol::ipsec statusall::ESP proposal: AES_GMAC_256::YES
+carol::ip xfrm state::aead rfc4543(gcm(aes))::YES
+moon::ip xfrm state::aead rfc4543(gcm(aes))::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 184::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 184::YES
diff --git a/testing/tests/ikev1/ip-pool-db-push/evaltest.dat b/testing/tests/ikev1/ip-pool-db-push/evaltest.dat
index 92ef9fc55..9a5c5c7ee 100644
--- a/testing/tests/ikev1/ip-pool-db-push/evaltest.dat
+++ b/testing/tests/ikev1/ip-pool-db-push/evaltest.dat
@@ -1,14 +1,11 @@
-carol::cat /var/log/auth.log::received IPv4 DNS server address PH_IP_WINNETOU::YES
-carol::cat /var/log/auth.log::received IPv4 DNS server address PH_IP_VENUS::YES
-carol::cat /var/log/auth.log::received IPv4 NBNS server address PH_IP_VENUS::YES
+carol::cat /etc/resolv.conf::nameserver PH_IP_WINNETOU .*from moon.strongswan.org::YES
+carol::cat /etc/resolv.conf::nameserver PH_IP_VENUS .*from moon.strongswan.org::YES
+carol::cat /var/log/auth.log::handling INTERNAL_IP4_NBNS attribute failed::YES
 carol::cat /var/log/auth.log::setting virtual IP source address to PH_IP_CAROL1::YES
 carol::ip addr list dev eth0::PH_IP_CAROL1::YES
 carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES
 carol::ipsec status::home.*IPsec SA established::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::cat /var/log/auth.log::received IPv4 DNS server address PH_IP_WINNETOU::YES
-dave::cat /var/log/auth.log::received IPv4 DNS server address PH_IP_VENUS::YES
-dave::cat /var/log/auth.log::received IPv4 NBNS server address PH_IP_VENUS::YES
 dave::cat /var/log/auth.log::setting virtual IP source address to PH_IP_DAVE1::YES
 dave::ip addr list dev eth0::PH_IP_DAVE1::YES
 dave::ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
diff --git a/testing/tests/ikev1/ip-pool-db-push/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/ip-pool-db-push/hosts/carol/etc/strongswan.conf
index d6460a291..c93224ae5 100644
--- a/testing/tests/ikev1/ip-pool-db-push/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/ip-pool-db-push/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,11 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/ip-pool-db-push/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/ip-pool-db-push/hosts/dave/etc/strongswan.conf
index d6460a291..c93224ae5 100644
--- a/testing/tests/ikev1/ip-pool-db-push/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/ip-pool-db-push/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,11 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/ip-pool-db-push/pretest.dat b/testing/tests/ikev1/ip-pool-db-push/pretest.dat
index 332280acd..4a2add194 100644
--- a/testing/tests/ikev1/ip-pool-db-push/pretest.dat
+++ b/testing/tests/ikev1/ip-pool-db-push/pretest.dat
@@ -1,9 +1,9 @@
 moon::cat /etc/ipsec.d/tables.sql > /etc/ipsec.d/ipsec.sql
 moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 moon::ipsec pool --add bigpool --start 10.3.0.1 --end 10.3.3.232 --timeout 0 2> /dev/null
-moon::ipsec pool --add dns  --server PH_IP_WINNETOU 2> /dev/null
-moon::ipsec pool --add dns  --server PH_IP_VENUS 2> /dev/null
-moon::ipsec pool --add nbns --server PH_IP_VENUS 2> /dev/null
+moon::ipsec pool --addattr dns  --server PH_IP_WINNETOU 2> /dev/null
+moon::ipsec pool --addattr dns  --server PH_IP_VENUS 2> /dev/null
+moon::ipsec pool --addattr nbns --server PH_IP_VENUS 2> /dev/null
 moon::/etc/init.d/iptables start 2> /dev/null
 carol::/etc/init.d/iptables start 2> /dev/null
 dave::/etc/init.d/iptables start 2> /dev/null
diff --git a/testing/tests/ikev1/ip-pool-db/evaltest.dat b/testing/tests/ikev1/ip-pool-db/evaltest.dat
index 357e01b2d..566bab972 100644
--- a/testing/tests/ikev1/ip-pool-db/evaltest.dat
+++ b/testing/tests/ikev1/ip-pool-db/evaltest.dat
@@ -1,14 +1,11 @@
-carol::cat /var/log/auth.log::received IPv4 DNS server address PH_IP_WINNETOU::YES
-carol::cat /var/log/auth.log::received IPv4 DNS server address PH_IP_VENUS::YES
-carol::cat /var/log/auth.log::received IPv4 NBNS server address PH_IP_VENUS::YES
+carol::cat /etc/resolv.conf::nameserver PH_IP_WINNETOU .*from moon.strongswan.org::YES
+carol::cat /etc/resolv.conf::nameserver PH_IP_VENUS .*from moon.strongswan.org::YES
+carol::cat /var/log/auth.log::handling INTERNAL_IP4_NBNS attribute failed::YES
 carol::cat /var/log/auth.log::setting virtual IP source address to PH_IP_CAROL1::YES
 carol::ip addr list dev eth0::PH_IP_CAROL1::YES
 carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES
 carol::ipsec status::home.*IPsec SA established::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::cat /var/log/auth.log::received IPv4 DNS server address PH_IP_WINNETOU::YES
-dave::cat /var/log/auth.log::received IPv4 DNS server address PH_IP_VENUS::YES
-dave::cat /var/log/auth.log::received IPv4 NBNS server address PH_IP_VENUS::YES
 dave::cat /var/log/auth.log::setting virtual IP source address to PH_IP_DAVE1::YES
 dave::ip addr list dev eth0::PH_IP_DAVE1::YES
 dave::ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
diff --git a/testing/tests/ikev1/ip-pool-db/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/ip-pool-db/hosts/carol/etc/strongswan.conf
index d6460a291..c93224ae5 100644
--- a/testing/tests/ikev1/ip-pool-db/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/ip-pool-db/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,11 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/ip-pool-db/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/ip-pool-db/hosts/dave/etc/strongswan.conf
index d6460a291..c93224ae5 100644
--- a/testing/tests/ikev1/ip-pool-db/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/ip-pool-db/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,11 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/ip-pool-db/pretest.dat b/testing/tests/ikev1/ip-pool-db/pretest.dat
index 332280acd..190672652 100644
--- a/testing/tests/ikev1/ip-pool-db/pretest.dat
+++ b/testing/tests/ikev1/ip-pool-db/pretest.dat
@@ -1,9 +1,10 @@
 moon::cat /etc/ipsec.d/tables.sql > /etc/ipsec.d/ipsec.sql
 moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 moon::ipsec pool --add bigpool --start 10.3.0.1 --end 10.3.3.232 --timeout 0 2> /dev/null
-moon::ipsec pool --add dns  --server PH_IP_WINNETOU 2> /dev/null
-moon::ipsec pool --add dns  --server PH_IP_VENUS 2> /dev/null
-moon::ipsec pool --add nbns --server PH_IP_VENUS 2> /dev/null
+moon::ipsec pool --addattr dns  --server PH_IP_WINNETOU 2> /dev/null
+moon::ipsec pool --addattr dns  --server PH_IP_VENUS 2> /dev/null
+moon::ipsec pool --addattr nbns --server PH_IP_VENUS 2> /dev/null
+moon::ipsec pool --statusattr
 moon::/etc/init.d/iptables start 2> /dev/null
 carol::/etc/init.d/iptables start 2> /dev/null
 dave::/etc/init.d/iptables start 2> /dev/null
diff --git a/testing/tests/ikev1/mode-config-multiple/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/mode-config-multiple/hosts/moon/etc/ipsec.conf
index 2f772cfdd..ce760a473 100755
--- a/testing/tests/ikev1/mode-config-multiple/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/mode-config-multiple/hosts/moon/etc/ipsec.conf
@@ -20,30 +20,32 @@ conn %default
 conn carol-alice
 	also=carol
 	leftsubnet=10.1.0.10/32
+	rightsourceip=10.3.0.1
 	auto=add
 
 conn carol-venus
 	also=carol
 	leftsubnet=10.1.0.20/32
+	rightsourceip=%carol-alice
 	auto=add
 	
 conn carol
 	right=%any
 	rightid=carol@strongswan.org
-	rightsourceip=10.3.0.1
 
 conn dave-alice
         also=dave
         leftsubnet=10.1.0.10/32
+	rightsourceip=10.3.0.2
         auto=add
 
 conn dave-venus
         also=dave
         leftsubnet=10.1.0.20/32
+	rightsourceip=%dave-alice
         auto=add
 
 conn dave
         right=%any
         rightid=dave@strongswan.org
-        rightsourceip=10.3.0.2
 
diff --git a/testing/tests/ikev1/mode-config-push/evaltest.dat b/testing/tests/ikev1/mode-config-push/evaltest.dat
index 7de32d681..3135a18fb 100644
--- a/testing/tests/ikev1/mode-config-push/evaltest.dat
+++ b/testing/tests/ikev1/mode-config-push/evaltest.dat
@@ -1,4 +1,6 @@
 carol::cat /var/log/auth.log::setting virtual IP source address to 10.3.0.1::YES
+carol::cat /etc/resolv.conf::nameserver PH_IP_WINNETOU .*from moon.strongswan.org::YES
+carol::cat /etc/resolv.conf::nameserver PH_IP_VENUS .*from moon.strongswan.org::YES
 carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
 dave::cat /var/log/auth.log::setting virtual IP source address to 10.3.0.2::YES
diff --git a/testing/tests/ikev1/mode-config-push/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/mode-config-push/hosts/carol/etc/ipsec.conf
index 36a4e2fb1..594f2c59b 100755
--- a/testing/tests/ikev1/mode-config-push/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/mode-config-push/hosts/carol/etc/ipsec.conf
@@ -10,6 +10,7 @@ conn %default
 	ikelifetime=60m
 	keylife=20m
 	rekeymargin=3m
+	rekey=no
 	keyingtries=1
 
 conn home
diff --git a/testing/tests/ikev1/mode-config-push/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/mode-config-push/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..c93224ae5
--- /dev/null
+++ b/testing/tests/ikev1/mode-config-push/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/mode-config-push/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/mode-config-push/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..c93224ae5
--- /dev/null
+++ b/testing/tests/ikev1/mode-config-push/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/mode-config-push/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/mode-config-push/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..797025c4d
--- /dev/null
+++ b/testing/tests/ikev1/mode-config-push/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,13 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl attr
+  dns1 = PH_IP_WINNETOU
+  dns2 = PH_IP_VENUS
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/mode-config/evaltest.dat b/testing/tests/ikev1/mode-config/evaltest.dat
index 69f77946e..7355a0560 100644
--- a/testing/tests/ikev1/mode-config/evaltest.dat
+++ b/testing/tests/ikev1/mode-config/evaltest.dat
@@ -1,6 +1,6 @@
 carol::cat /var/log/auth.log::setting virtual IP source address to PH_IP_CAROL1::YES
-carol::cat /var/log/auth.log::received IPv4 DNS server address PH_IP_WINNETOU::YES
-carol::cat /var/log/auth.log::received IPv6 DNS server address fec1\:\:20::YES
+carol::cat /etc/resolv.conf::nameserver PH_IP_WINNETOU .*from moon.strongswan.org::YES
+carol::cat /etc/resolv.conf::nameserver PH_IP_VENUS .*from moon.strongswan.org::YES
 carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
 dave::cat /var/log/auth.log::setting virtual IP source address to PH_IP_DAVE1::YES
diff --git a/testing/tests/ikev1/mode-config/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/mode-config/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..c93224ae5
--- /dev/null
+++ b/testing/tests/ikev1/mode-config/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/mode-config/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/mode-config/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..c93224ae5
--- /dev/null
+++ b/testing/tests/ikev1/mode-config/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/mode-config/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/mode-config/hosts/moon/etc/ipsec.conf
index 10ae2261b..ce26fc5e9 100755
--- a/testing/tests/ikev1/mode-config/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/mode-config/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	rekey=no
 	left=PH_IP_MOON
 	leftsubnet=10.1.0.0/16
 	leftsourceip=PH_IP_MOON1
diff --git a/testing/tests/ikev1/mode-config/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/mode-config/hosts/moon/etc/strongswan.conf
index 21493adc3..797025c4d 100644
--- a/testing/tests/ikev1/mode-config/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/mode-config/hosts/moon/etc/strongswan.conf
@@ -3,7 +3,7 @@
 pluto {
   load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl attr
   dns1 = PH_IP_WINNETOU
-  dns2 = PH_IP6_VENUS
+  dns2 = PH_IP_VENUS
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/research_by_salesCert.pem b/testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/research_by_salesCert.pem
index efb939e3a..37ef9c665 100644
--- a/testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/research_by_salesCert.pem
+++ b/testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/research_by_salesCert.pem
@@ -1,7 +1,7 @@
 -----BEGIN CERTIFICATE-----
-MIID/TCCAuWgAwIBAgIBAjANBgkqhkiG9w0BAQUFADBLMQswCQYDVQQGEwJDSDEZ
+MIID/TCCAuWgAwIBAgIBBjANBgkqhkiG9w0BAQsFADBLMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEOMAwGA1UECxMFU2FsZXMxETAPBgNV
-BAMTCFNhbGVzIENBMB4XDTA1MDYxNjE5NTUzNloXDTEwMDYxNTE5NTUzNlowUTEL
+BAMTCFNhbGVzIENBMB4XDTEwMDcwMzE1MjgyOVoXDTE1MDcwMjE1MjgyOVowUTEL
 MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsT
 CFJlc2VhcmNoMRQwEgYDVQQDEwtSZXNlYXJjaCBDQTCCASIwDQYJKoZIhvcNAQEB
 BQADggEPADCCAQoCggEBALY5sjqm4AdbWKc/T7JahWpy9xtdPbHngBN6lbnpYaHf
@@ -13,12 +13,12 @@ m+0iNKy0C+25IuE8Nq+i3jtBiI8BwBqHY3u2IuflUh9Nc9d/R6vGsRPMHs30X1Ha
 HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU53XwoPKtIM3NYCPM
 x8gPKfPdVCAwbQYDVR0jBGYwZIAUX5sTRvkgcsgA1Yi1p0wul+oLkyihSaRHMEUx
 CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQD
-ExJzdHJvbmdTd2FuIFJvb3QgQ0GCAQ0wNAYDVR0fBC0wKzApoCegJYYjaHR0cDov
-L2NybC5zdHJvbmdzd2FuLm9yZy9zYWxlcy5jcmwwDQYJKoZIhvcNAQEFBQADggEB
-AJ2EkXnpgdJpsBIMcH+3oTUks8gAT5bR+LdVQSMHqvjgfaCq5fuZY15niLm5QeFr
-Yhv2KtfHfF+tZgE+qWcqS33Y2U/jwUMO45Wqi5HXQDk8AM/gcvQZ8+PINkGdVdup
-Wyw3MM08S/fp8UUl/3QrDr+CBGqZCSx3LEIFILm2hvdXK1/okAtkwlKV4YiOEemg
-pZURzA2M29FeGDS8snfiVYFBkydT9QrrHnx8IwyVGykfOA4tnjRsjTvcs0qhtLcL
-rjK2FSmzBTCVl6/lBOYmB765KUHev6WF4hdMKHf7lsH2nhYb97jxoT54y73jVd1S
-uaJ2yDwEhOHn3ihb1bqlanM=
+ExJzdHJvbmdTd2FuIFJvb3QgQ0GCASEwNAYDVR0fBC0wKzApoCegJYYjaHR0cDov
+L2NybC5zdHJvbmdzd2FuLm9yZy9zYWxlcy5jcmwwDQYJKoZIhvcNAQELBQADggEB
+ALRTVUS8bpb3NrwWV/aIE6K9MvtX1kPzMUbZgykwOm4g1jfDmqbPw28X6YZESQ2B
+bG1QRh3SUpSoT5vplPcD4OCv3ORKACzGhx4xemd7TpYP8dnptfk66cfFCP+It0t4
+hP45BqlgVZfd5ZAO/ogRQ+2s79Obc5XPq/ShGvConGVOPDuqkWrP/ISIMdBXFHqk
+WyW24e/Kzq7pPMG18Ect7NA4gRXSiWx0U33lhWNasPvSKtKgC6dcmRNqjyTHQoFy
+02FLgKP1p214ThLkSr9dgHT6e69R7ES9Vin3DUgPuJdlXcax/BWm6gLugqHcXVGF
+yuVPkDSgPds6m0KQcEVnuaU=
 -----END CERTIFICATE-----
diff --git a/testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/sales_by_researchCert.pem b/testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/sales_by_researchCert.pem
index 90e207c4b..0a435b90d 100644
--- a/testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/sales_by_researchCert.pem
+++ b/testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/sales_by_researchCert.pem
@@ -1,8 +1,8 @@
 -----BEGIN CERTIFICATE-----
-MIIEADCCAuigAwIBAgIBAjANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJDSDEZ
+MIIEADCCAuigAwIBAgIBBzANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS
-BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTA1MDYxNjE5NTcxMFoXDTEwMDYxNTE5NTcx
-MFowSzELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAM
+BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTEwMDcwMzE1MTgzOVoXDTE1MDcwMjE1MTgz
+OVowSzELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAM
 BgNVBAsTBVNhbGVzMREwDwYDVQQDEwhTYWxlcyBDQTCCASIwDQYJKoZIhvcNAQEB
 BQADggEPADCCAQoCggEBAMJOTSaZjDe5UR+hJbodcE40WBxWm+r0FiD+FLc2c0hH
 /QcWm1Xfqnc9qaPPGoxO2BfwXgFEHfOdQzHGuthhsvdMPkmWP1Z3uDrwscqrmLyq
@@ -13,12 +13,12 @@ gbBRI1A3iqoU3Nq1vPAqzrekOI/RV9Hre9L1r8X1dIECAwEAAaOB6DCB5TAPBgNV
 HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUX5sTRvkgcsgA1Yi1
 p0wul+oLkygwbQYDVR0jBGYwZIAU53XwoPKtIM3NYCPMx8gPKfPdVCChSaRHMEUx
 CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQD
-ExJzdHJvbmdTd2FuIFJvb3QgQ0GCAQwwNwYDVR0fBDAwLjAsoCqgKIYmaHR0cDov
-L2NybC5zdHJvbmdzd2FuLm9yZy9yZXNlYXJjaC5jcmwwDQYJKoZIhvcNAQEFBQAD
-ggEBAJW0/z17JK38rsn8zh0Ta+9Ql5fcA9UIUGcN/KfCvdGwrYaym8Dy6Pz+sZkO
-clOv5t+3R1zKDiiLGQ4m8jYW6NcxeJZyyPhGtKaafanXZsQuMpaTpvkRr62jx/NB
-b3c/HS3dqz2dTMvFJ6CC65vOnnGgzF1szhrrWymGI/NuHUge748WYPNw+OsLmBQI
-koXJsMURGtPWXtJE98Rre+r/6O5kzZNv7V8LGoBkWf1Z6g1q2VvCcnJPxANcQoxf
-Is+E+aqBhGJ6XlnQIlQB1SjoMhOnJ282JK9Hk3NmQYb/zvIzIfo3FCrjj1JI/XoA
-/szZoxwnE2iHtIoMAhfHZpRvOkg=
+ExJzdHJvbmdTd2FuIFJvb3QgQ0GCASAwNwYDVR0fBDAwLjAsoCqgKIYmaHR0cDov
+L2NybC5zdHJvbmdzd2FuLm9yZy9yZXNlYXJjaC5jcmwwDQYJKoZIhvcNAQELBQAD
+ggEBADPiBfTbTkHwRdpt4iAY/wx0AKKwnF636+1E+m8dHn1HhTU8FZkiRCsRSRdx
+qpzprMga6v7ksV29CIJpTciaD48S2zWNsiQ2vfNB4UenG4wKVG8742CQakCzZk/7
+MrHutk+VDcN3oGcu4gFECPzrZiYPTVv74PCFRfd37SYlXmN0KF0Ivzgu2DNwJNMD
+Aa6sHs+/8H/7BbzHxUZkT7zrTuy4M5FGIKllQBxALp/8N/LN4vz0ZbLgbNU7Eo16
+EikbEASUs3Scmna+dFBSfexf0G9oqvHvxjWPiZRw6ZrS5TZkAE1DmdqLWwTNq/Fo
+aeDWsllgAdqMA2fL7i9tsFHZVYk=
 -----END CERTIFICATE-----
diff --git a/testing/tests/ikev1/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-cert/hosts/carol/etc/strongswan.conf
index c2d2b14ac..72ff765c3 100644
--- a/testing/tests/ikev1/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-cert/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = test-vectors sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
+  load = test-vectors sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-cert/hosts/moon/etc/strongswan.conf
index 3ec745baa..72ff765c3 100644
--- a/testing/tests/ikev1/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-cert/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = test-vectors sha1 sha2 md5 aes des hmac pem pkcs1 x509 x509 gmp random curl
+  load = test-vectors sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/description.txt b/testing/tests/ikev1/xauth-id-psk-mode-config/description.txt
new file mode 100644
index 000000000..191011747
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-psk-mode-config/description.txt
@@ -0,0 +1,11 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection to gateway <b>moon</b>.
+The authentication is based on Pre-Shared Keys (<b>PSK</b>)
+followed by extended authentication (<b>XAUTH</b>) of <b>carol</b> and <b>dave</b>
+based on user names and passwords. Next <b>carol</b> and <b>dave</b> request a
+<b>virtual IP</b> via the IKE Mode Config protocol by using the <b>leftsourceip=%modeconfig</b>
+parameter. The virtual IP addresses are registered under the users' XAUTH identity. 
+<p>
+Upon the successful establishment of the IPsec tunnel, leftfirewall=yes automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, <b>carol</b> and <b>dave</b> ping the client
+<b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/evaltest.dat b/testing/tests/ikev1/xauth-id-psk-mode-config/evaltest.dat
new file mode 100644
index 000000000..4552cfe61
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-psk-mode-config/evaltest.dat
@@ -0,0 +1,16 @@
+carol::cat /var/log/auth.log::extended authentication was successful::YES
+dave::cat /var/log/auth.log::extended authentication was successful::YES
+moon::ipsec leases rw 10.3.0.1::carol::YES
+moon::ipsec leases rw 10.3.0.2::dave::YES
+carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
+dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
+alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..aa0ae1289
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	charonstart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	authby=xauthpsk
+
+conn home
+	left=PH_IP_CAROL
+	leftid=carol@strongswan.org
+	leftsourceip=%modeconfig
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	xauth_identity=carol
+	auto=add
diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..e5adf3e8e
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,9 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol@strongswan.org @dave.strongswan.org : PSK 0sqc1FhzwoUSbpjYUSp8I6qUdxDacxLCTq
+
+carol@strongswan.org @moon.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+
+carol@strongswan.org @sun.strongswan.org :  PSK 0sR64pR6y0S5d6d8rNhUIM7aPbdjND4st5
+
+carol : XAUTH "4iChxLT3" 
diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..dbd431cc2
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = sha1 sha2 md5 aes des hmac gmp random xauth
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..0243f5afb
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	charonstart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	authby=xauthpsk
+
+conn home
+	left=PH_IP_DAVE
+	leftid=dave@strongswan.org
+	leftsourceip=%modeconfig
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	xauth_identity=dave
+	auto=add
diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..25e8c2796
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,5 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+
+dave : XAUTH "ryftzG4A" 
diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..dbd431cc2
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = sha1 sha2 md5 aes des hmac gmp random xauth
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..4206f8916
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	charonstart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	authby=xauthpsk
+	xauth=server
+
+conn rw
+	left=PH_IP_MOON
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	leftfirewall=yes
+	right=%any
+	rightsourceip=10.3.0.0/24
+	auto=add
diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..20d8e0269
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,7 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+@moon.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+
+carol : XAUTH "4iChxLT3"
+
+dave  : XAUTH "ryftzG4A"
diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..dbd431cc2
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = sha1 sha2 md5 aes des hmac gmp random xauth
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/posttest.dat b/testing/tests/ikev1/xauth-id-psk-mode-config/posttest.dat
new file mode 100644
index 000000000..42fa8359b
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-psk-mode-config/posttest.dat
@@ -0,0 +1,8 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
+carol::ip addr del PH_IP_CAROL1/32 dev eth0
+dave::ip addr del PH_IP_DAVE1/32 dev eth0
diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/pretest.dat b/testing/tests/ikev1/xauth-id-psk-mode-config/pretest.dat
new file mode 100644
index 000000000..95a6be131
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-psk-mode-config/pretest.dat
@@ -0,0 +1,12 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+moon::rm /etc/ipsec.d/cacerts/*
+carol::rm /etc/ipsec.d/cacerts/*
+dave::rm /etc/ipsec.d/cacerts/*
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 2
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/test.conf b/testing/tests/ikev1/xauth-id-psk-mode-config/test.conf
new file mode 100644
index 000000000..75510b295
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-psk-mode-config/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="alice moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/xauth-id-psk/description.txt b/testing/tests/ikev1/xauth-id-psk/description.txt
new file mode 100644
index 000000000..0ac2043c2
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-psk/description.txt
@@ -0,0 +1,9 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection to gateway <b>moon</b>.
+The authentication is based on Pre-Shared Keys (<b>PSK</b>)
+followed by extended authentication (<b>XAUTH</b>) of <b>carol</b> and <b>dave</b>
+based on user names and passwords.
+<p>
+Upon the successful establishment of the IPsec tunnel, leftfirewall=yes automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, <b>carol</b> and <b>dave</b> ping the client
+<b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/ikev1/xauth-id-psk/evaltest.dat b/testing/tests/ikev1/xauth-id-psk/evaltest.dat
new file mode 100644
index 000000000..b019f8d76
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-psk/evaltest.dat
@@ -0,0 +1,14 @@
+carol::cat /var/log/auth.log::extended authentication was successful::YES
+dave::cat /var/log/auth.log::extended authentication was successful::YES
+moon::cat /var/log/auth.log::xauth user name is .*carol::YES
+moon::cat /var/log/auth.log::xauth user name is .*dave::YES
+moon::cat /var/log/auth.log::extended authentication was successful::YES
+carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
+dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
+moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/xauth-id-psk/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-psk/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..48015ad4c
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-psk/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	charonstart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	authby=xauthpsk
+
+conn home
+	left=PH_IP_CAROL
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	xauth_identity=carol
+	auto=add
diff --git a/testing/tests/ikev1/xauth-id-psk/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/xauth-id-psk/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..7a272a371
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-psk/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,5 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+
+carol : XAUTH "4iChxLT3" 
diff --git a/testing/tests/ikev1/xauth-id-psk/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-psk/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..dbd431cc2
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-psk/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = sha1 sha2 md5 aes des hmac gmp random xauth
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/xauth-id-psk/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-psk/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..baa85e32c
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-psk/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	charonstart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	authby=xauthpsk
+
+conn home
+	left=PH_IP_DAVE
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	xauth_identity=dave
+	auto=add
diff --git a/testing/tests/ikev1/xauth-id-psk/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev1/xauth-id-psk/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..25e8c2796
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-psk/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,5 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+
+dave : XAUTH "ryftzG4A" 
diff --git a/testing/tests/ikev1/xauth-id-psk/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-psk/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..dbd431cc2
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-psk/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = sha1 sha2 md5 aes des hmac gmp random xauth
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/xauth-id-psk/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-psk/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..c92ad8748
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-psk/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	charonstart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	authby=xauthpsk
+	xauth=server
+
+conn rw
+	left=PH_IP_MOON
+	leftsubnet=10.1.0.0/16
+	leftfirewall=yes
+	right=%any
+	auto=add
diff --git a/testing/tests/ikev1/xauth-id-psk/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/xauth-id-psk/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..3f86fa594
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-psk/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,7 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+PH_IP_MOON %any : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+
+carol : XAUTH "4iChxLT3"
+
+dave  : XAUTH "ryftzG4A"
diff --git a/testing/tests/ikev1/xauth-id-psk/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-psk/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..dbd431cc2
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-psk/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = sha1 sha2 md5 aes des hmac gmp random xauth
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/xauth-id-psk/posttest.dat b/testing/tests/ikev1/xauth-id-psk/posttest.dat
new file mode 100644
index 000000000..7cebd7f25
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-psk/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev1/xauth-id-psk/pretest.dat b/testing/tests/ikev1/xauth-id-psk/pretest.dat
new file mode 100644
index 000000000..95a6be131
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-psk/pretest.dat
@@ -0,0 +1,12 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+moon::rm /etc/ipsec.d/cacerts/*
+carol::rm /etc/ipsec.d/cacerts/*
+dave::rm /etc/ipsec.d/cacerts/*
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 2
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/ikev1/xauth-id-psk/test.conf b/testing/tests/ikev1/xauth-id-psk/test.conf
new file mode 100644
index 000000000..70416826e
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-psk/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/xauth-id-rsa/description.txt b/testing/tests/ikev1/xauth-id-rsa/description.txt
new file mode 100644
index 000000000..9483c8f39
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa/description.txt
@@ -0,0 +1,10 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection to gateway <b>moon</b>.
+The authentication is based on RSA signatures (<b>RSASIG</b>) using X.509 certificates
+followed by extended authentication (<b>XAUTH</b>) of <b>carol</b> and <b>dave</b>
+based on user names defined by the <b>xauth_identity</b> parameter (<b>carol</b> and <b>dave</b>,
+respectively) and corresponding user passwords defined and stored in ipsec.secrets.
+<p>
+Upon the successful establishment of the IPsec tunnel, leftfirewall=yes automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, <b>carol</b> and <b>dave</b> ping the client
+<b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/ikev1/xauth-id-rsa/evaltest.dat b/testing/tests/ikev1/xauth-id-rsa/evaltest.dat
new file mode 100644
index 000000000..b019f8d76
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa/evaltest.dat
@@ -0,0 +1,14 @@
+carol::cat /var/log/auth.log::extended authentication was successful::YES
+dave::cat /var/log/auth.log::extended authentication was successful::YES
+moon::cat /var/log/auth.log::xauth user name is .*carol::YES
+moon::cat /var/log/auth.log::xauth user name is .*dave::YES
+moon::cat /var/log/auth.log::extended authentication was successful::YES
+carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
+dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
+moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/xauth-id-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-rsa/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..32b1227bb
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	charonstart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	authby=xauthrsasig
+
+conn home
+	left=PH_IP_CAROL
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	xauth_identity=carol
+	auto=add
diff --git a/testing/tests/ikev1/xauth-id-rsa/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/xauth-id-rsa/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..29492b5f9
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,5 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA carolKey.pem "nH5ZQEWtku0RJEZ6"
+
+carol : XAUTH "4iChxLT3" 
diff --git a/testing/tests/ikev1/xauth-id-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..556f76c74
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/xauth-id-rsa/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-rsa/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..090deac77
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	charonstart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	authby=xauthrsasig
+
+conn home
+	left=PH_IP_DAVE
+	leftcert=daveCert.pem
+	leftid=dave@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	xauth_identity=dave
+	auto=add
diff --git a/testing/tests/ikev1/xauth-id-rsa/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev1/xauth-id-rsa/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..8cf7db530
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,5 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA daveKey.pem
+
+dave : XAUTH "ryftzG4A" 
diff --git a/testing/tests/ikev1/xauth-id-rsa/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..556f76c74
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/xauth-id-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-rsa/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..f79a81a6f
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	charonstart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	authby=xauthrsasig
+	xauth=server
+
+conn rw
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	leftfirewall=yes
+	right=%any
+	auto=add
diff --git a/testing/tests/ikev1/xauth-id-rsa/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/xauth-id-rsa/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..fef50218a
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,7 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
+
+carol : XAUTH "4iChxLT3"
+
+dave  : XAUTH "ryftzG4A"
diff --git a/testing/tests/ikev1/xauth-id-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..556f76c74
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/xauth-id-rsa/posttest.dat b/testing/tests/ikev1/xauth-id-rsa/posttest.dat
new file mode 100644
index 000000000..7cebd7f25
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev1/xauth-id-rsa/pretest.dat b/testing/tests/ikev1/xauth-id-rsa/pretest.dat
new file mode 100644
index 000000000..78e2d57f8
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa/pretest.dat
@@ -0,0 +1,9 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 2
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/ikev1/xauth-id-rsa/test.conf b/testing/tests/ikev1/xauth-id-rsa/test.conf
new file mode 100644
index 000000000..70416826e
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/xauth-psk-mode-config/description.txt b/testing/tests/ikev1/xauth-psk-mode-config/description.txt
deleted file mode 100644
index 9abe6298c..000000000
--- a/testing/tests/ikev1/xauth-psk-mode-config/description.txt
+++ /dev/null
@@ -1,11 +0,0 @@
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection to gateway <b>moon</b>.
-The authentication is based on Pre-Shared Keys (<b>PSK</b>)
-followed by extended authentication (<b>XAUTH</b>) of <b>carol</b> and <b>dave</b>
-based on user names and passwords. Next <b>carol</b> and <b>dave</b> request a
-<b>virtual IP</b> via the IKE Mode Config protocol by using the
-<b>leftsourceip=%modeconfig</b> parameter.
-<p>
-Upon the successful establishment of the IPsec tunnel, leftfirewall=yes automatically
-inserts iptables-based firewall rules that let pass the tunneled traffic.
-In order to test both tunnel and firewall, <b>carol</b> and <b>dave</b> ping the client
-<b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/ikev1/xauth-psk-mode-config/evaltest.dat b/testing/tests/ikev1/xauth-psk-mode-config/evaltest.dat
deleted file mode 100644
index 15dd054a0..000000000
--- a/testing/tests/ikev1/xauth-psk-mode-config/evaltest.dat
+++ /dev/null
@@ -1,18 +0,0 @@
-carol::cat /var/log/auth.log::extended authentication was successful::YES
-dave::cat /var/log/auth.log::extended authentication was successful::YES
-moon::cat /var/log/auth.log::carol.*extended authentication was successful::YES
-moon::cat /var/log/auth.log::dave.*extended authentication was successful::YES
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::carol.*STATE_QUICK_R2.*IPsec SA established::YES
-moon::ipsec status::dave.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
-alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/ikev1/xauth-psk-mode-config/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-psk-mode-config/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index 747f4b6bf..000000000
--- a/testing/tests/ikev1/xauth-psk-mode-config/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	authby=xauthpsk
-
-conn home
-	left=PH_IP_CAROL
-	leftid=carol@strongswan.org
-	leftsourceip=%modeconfig
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/ikev1/xauth-psk-mode-config/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/xauth-psk-mode-config/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index d2bba2f4c..000000000
--- a/testing/tests/ikev1/xauth-psk-mode-config/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-carol@strongswan.org @dave.strongswan.org : PSK 0sqc1FhzwoUSbpjYUSp8I6qUdxDacxLCTq
-
-carol@strongswan.org @moon.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
-
-carol@strongswan.org @sun.strongswan.org :  PSK 0sR64pR6y0S5d6d8rNhUIM7aPbdjND4st5
-
-: XAUTH carol "4iChxLT3" 
diff --git a/testing/tests/ikev1/xauth-psk-mode-config/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-psk-mode-config/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 85e5f1aee..000000000
--- a/testing/tests/ikev1/xauth-psk-mode-config/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/xauth-psk-mode-config/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/xauth-psk-mode-config/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index 0193c0512..000000000
--- a/testing/tests/ikev1/xauth-psk-mode-config/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	authby=xauthpsk
-
-conn home
-	left=PH_IP_DAVE
-	leftid=dave@strongswan.org
-	leftsourceip=%modeconfig
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/ikev1/xauth-psk-mode-config/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev1/xauth-psk-mode-config/hosts/dave/etc/ipsec.secrets
deleted file mode 100644
index 0690d9cde..000000000
--- a/testing/tests/ikev1/xauth-psk-mode-config/hosts/dave/etc/ipsec.secrets
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
-
-: XAUTH dave "ryftzG4A" 
diff --git a/testing/tests/ikev1/xauth-psk-mode-config/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-psk-mode-config/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index 85e5f1aee..000000000
--- a/testing/tests/ikev1/xauth-psk-mode-config/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/xauth-psk-mode-config/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-psk-mode-config/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 98598b04c..000000000
--- a/testing/tests/ikev1/xauth-psk-mode-config/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,29 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	authby=xauthpsk
-	xauth=server
-	left=PH_IP_MOON
-	leftid=@moon.strongswan.org
-	leftsubnet=10.1.0.0/16
-	leftfirewall=yes
-	right=%any
-	auto=add
-
-conn carol
-	rightid=carol@strongswan.org
-	rightsourceip=PH_IP_CAROL1
-
-conn dave
-	rightid=dave@strongswan.org
-	rightsourceip=PH_IP_DAVE1
diff --git a/testing/tests/ikev1/xauth-psk-mode-config/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/xauth-psk-mode-config/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index 1ea69f998..000000000
--- a/testing/tests/ikev1/xauth-psk-mode-config/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,7 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-@moon.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
-
-: XAUTH carol "4iChxLT3"
-
-: XAUTH dave  "ryftzG4A"
diff --git a/testing/tests/ikev1/xauth-psk-mode-config/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-psk-mode-config/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 85e5f1aee..000000000
--- a/testing/tests/ikev1/xauth-psk-mode-config/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/xauth-psk-mode-config/posttest.dat b/testing/tests/ikev1/xauth-psk-mode-config/posttest.dat
deleted file mode 100644
index 42fa8359b..000000000
--- a/testing/tests/ikev1/xauth-psk-mode-config/posttest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
-carol::ip addr del PH_IP_CAROL1/32 dev eth0
-dave::ip addr del PH_IP_DAVE1/32 dev eth0
diff --git a/testing/tests/ikev1/xauth-psk-mode-config/pretest.dat b/testing/tests/ikev1/xauth-psk-mode-config/pretest.dat
deleted file mode 100644
index 95a6be131..000000000
--- a/testing/tests/ikev1/xauth-psk-mode-config/pretest.dat
+++ /dev/null
@@ -1,12 +0,0 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
-moon::rm /etc/ipsec.d/cacerts/*
-carol::rm /etc/ipsec.d/cacerts/*
-dave::rm /etc/ipsec.d/cacerts/*
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-carol::sleep 2
-carol::ipsec up home
-dave::ipsec up home
diff --git a/testing/tests/ikev1/xauth-psk-mode-config/test.conf b/testing/tests/ikev1/xauth-psk-mode-config/test.conf
deleted file mode 100644
index 75510b295..000000000
--- a/testing/tests/ikev1/xauth-psk-mode-config/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w-d.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="alice moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/xauth-psk/evaltest.dat b/testing/tests/ikev1/xauth-psk/evaltest.dat
index e1dc6b5b0..786043065 100644
--- a/testing/tests/ikev1/xauth-psk/evaltest.dat
+++ b/testing/tests/ikev1/xauth-psk/evaltest.dat
@@ -1,5 +1,7 @@
 carol::cat /var/log/auth.log::extended authentication was successful::YES
 dave::cat /var/log/auth.log::extended authentication was successful::YES
+moon::cat /var/log/auth.log::xauth user name is .*carol@strongswan.org::YES
+moon::cat /var/log/auth.log::xauth user name is .*dave@strongswan.org::YES
 moon::cat /var/log/auth.log::extended authentication was successful::YES
 carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
 dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
diff --git a/testing/tests/ikev1/xauth-psk/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-psk/hosts/carol/etc/ipsec.conf
index b5ec4c4af..684ace0d3 100644
--- a/testing/tests/ikev1/xauth-psk/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-psk/hosts/carol/etc/ipsec.conf
@@ -15,7 +15,9 @@ conn %default
 
 conn home
 	left=PH_IP_CAROL
+	leftid=carol@strongswan.org
 	leftfirewall=yes
 	right=PH_IP_MOON
+	rightid=moon.strongswan.org
 	rightsubnet=10.1.0.0/16
 	auto=add
diff --git a/testing/tests/ikev1/xauth-psk/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/xauth-psk/hosts/carol/etc/ipsec.secrets
index 70ea1dab6..a899783bd 100644
--- a/testing/tests/ikev1/xauth-psk/hosts/carol/etc/ipsec.secrets
+++ b/testing/tests/ikev1/xauth-psk/hosts/carol/etc/ipsec.secrets
@@ -2,4 +2,4 @@
 
 : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
 
-: XAUTH carol "4iChxLT3" 
+carol@strongswan.org : XAUTH "4iChxLT3" 
diff --git a/testing/tests/ikev1/xauth-psk/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-psk/hosts/carol/etc/strongswan.conf
index 85e5f1aee..dbd431cc2 100644
--- a/testing/tests/ikev1/xauth-psk/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-psk/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random
+  load = sha1 sha2 md5 aes des hmac gmp random xauth
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/xauth-psk/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/xauth-psk/hosts/dave/etc/ipsec.conf
index a353e3f12..14307a7f0 100644
--- a/testing/tests/ikev1/xauth-psk/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-psk/hosts/dave/etc/ipsec.conf
@@ -15,7 +15,9 @@ conn %default
 
 conn home
 	left=PH_IP_DAVE
+	leftid=dave@strongswan.org
 	leftfirewall=yes
 	right=PH_IP_MOON
+	rightid=moon.strongswan.org
 	rightsubnet=10.1.0.0/16
 	auto=add
diff --git a/testing/tests/ikev1/xauth-psk/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev1/xauth-psk/hosts/dave/etc/ipsec.secrets
index 0690d9cde..1c8506152 100644
--- a/testing/tests/ikev1/xauth-psk/hosts/dave/etc/ipsec.secrets
+++ b/testing/tests/ikev1/xauth-psk/hosts/dave/etc/ipsec.secrets
@@ -2,4 +2,4 @@
 
 : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
 
-: XAUTH dave "ryftzG4A" 
+dave@strongswan.org : XAUTH "ryftzG4A" 
diff --git a/testing/tests/ikev1/xauth-psk/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-psk/hosts/dave/etc/strongswan.conf
index 85e5f1aee..dbd431cc2 100644
--- a/testing/tests/ikev1/xauth-psk/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-psk/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random
+  load = sha1 sha2 md5 aes des hmac gmp random xauth
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/xauth-psk/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-psk/hosts/moon/etc/ipsec.conf
index c92ad8748..a4e01b564 100644
--- a/testing/tests/ikev1/xauth-psk/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-psk/hosts/moon/etc/ipsec.conf
@@ -16,6 +16,7 @@ conn %default
 
 conn rw
 	left=PH_IP_MOON
+	leftid=moon.strongswan.org
 	leftsubnet=10.1.0.0/16
 	leftfirewall=yes
 	right=%any
diff --git a/testing/tests/ikev1/xauth-psk/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/xauth-psk/hosts/moon/etc/ipsec.secrets
index 047d6c235..ae45ea03e 100644
--- a/testing/tests/ikev1/xauth-psk/hosts/moon/etc/ipsec.secrets
+++ b/testing/tests/ikev1/xauth-psk/hosts/moon/etc/ipsec.secrets
@@ -1,7 +1,7 @@
 # /etc/ipsec.secrets - strongSwan IPsec secrets file
 
-PH_IP_MOON %any : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+moon.strongswan.org %any : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
 
-: XAUTH carol "4iChxLT3"
+carol@strongswan.org : XAUTH "4iChxLT3"
 
-: XAUTH dave  "ryftzG4A"
+dave@strongswan.org  : XAUTH "ryftzG4A"
diff --git a/testing/tests/ikev1/xauth-psk/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-psk/hosts/moon/etc/strongswan.conf
index 85e5f1aee..dbd431cc2 100644
--- a/testing/tests/ikev1/xauth-psk/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-psk/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random
+  load = sha1 sha2 md5 aes des hmac gmp random xauth
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/ipsec.secrets
index 24506be09..13e6e0656 100644
--- a/testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/ipsec.secrets
+++ b/testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/ipsec.secrets
@@ -2,4 +2,4 @@
 
 : RSA carolKey.pem "nH5ZQEWtku0RJEZ6"
 
-: XAUTH carol "4iChxLT8" 
+carol@strongswan.org : XAUTH "4iChxLT8" 
diff --git a/testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..556f76c74
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/ipsec.secrets
index a18e885f8..2586f5f39 100644
--- a/testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/ipsec.secrets
+++ b/testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/ipsec.secrets
@@ -2,4 +2,4 @@
 
 : RSA moonKey.pem
 
-: XAUTH carol "4iChxLT3" 
+carol@strongswan.org : XAUTH "4iChxLT3" 
diff --git a/testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..556f76c74
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/ipsec.secrets
index 48fd260c1..4a77c3b97 100644
--- a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/ipsec.secrets
+++ b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/ipsec.secrets
@@ -2,4 +2,4 @@
 
 : RSA carolKey.pem "nH5ZQEWtku0RJEZ6"
 
-: XAUTH carol "4iChxLT3" 
+carol@strongswan.org : XAUTH "4iChxLT3" 
diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..556f76c74
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/ipsec.secrets
index 14f088501..1c0248b84 100644
--- a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/ipsec.secrets
+++ b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/ipsec.secrets
@@ -2,4 +2,4 @@
 
 : RSA daveKey.pem
 
-: XAUTH dave "ryftzG4A" 
+dave@strongswan.org : XAUTH "ryftzG4A" 
diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..556f76c74
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/ipsec.secrets
index 8d41919fc..1ba66971a 100644
--- a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/ipsec.secrets
+++ b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/ipsec.secrets
@@ -2,6 +2,6 @@
 
 : RSA moonKey.pem
 
-: XAUTH carol "4iChxLT3"
+carol@strongswan.org : XAUTH "4iChxLT3"
 
-: XAUTH dave  "ryftzG4A"
+dave@strongswan.org  : XAUTH "ryftzG4A"
diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..556f76c74
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/ipsec.conf
index 47bf1dafc..1e21fbb97 100755
--- a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/ipsec.conf
@@ -1,7 +1,7 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
+	plutodebug="control controlmore"
 	crlcheckinterval=180
 	strictcrlpolicy=no
 	charonstart=no
diff --git a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..556f76c74
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/ipsec.conf
index f79a81a6f..94cc6819d 100755
--- a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/ipsec.conf
@@ -1,7 +1,7 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
+	plutodebug="control controlmore"
 	crlcheckinterval=180
 	strictcrlpolicy=no
 	charonstart=no
diff --git a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/ipsec.secrets
index a18e885f8..2586f5f39 100644
--- a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/ipsec.secrets
+++ b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/ipsec.secrets
@@ -2,4 +2,4 @@
 
 : RSA moonKey.pem
 
-: XAUTH carol "4iChxLT3" 
+carol@strongswan.org : XAUTH "4iChxLT3" 
diff --git a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..556f76c74
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/xauth-rsa/description.txt b/testing/tests/ikev1/xauth-rsa/description.txt
index 0cdaba1c5..a9b76b618 100644
--- a/testing/tests/ikev1/xauth-rsa/description.txt
+++ b/testing/tests/ikev1/xauth-rsa/description.txt
@@ -1,7 +1,9 @@
 The roadwarriors <b>carol</b> and <b>dave</b> set up a connection to gateway <b>moon</b>.
 The authentication is based on RSA signatures (<b>RSASIG</b>) using X.509 certificates
 followed by extended authentication (<b>XAUTH</b>) of <b>carol</b> and <b>dave</b>
-based on user names and passwords.
+based on user names equal to the <b>IKEv1 identity</b> (<b>carol@strongswan.org</b> and
+<b>dave@strongswan.org</b>, respectively) and corresponding user passwords defined and
+stored in ipsec.secrets.
 <p>
 Upon the successful establishment of the IPsec tunnel, leftfirewall=yes automatically
 inserts iptables-based firewall rules that let pass the tunneled traffic.
diff --git a/testing/tests/ikev1/xauth-rsa/evaltest.dat b/testing/tests/ikev1/xauth-rsa/evaltest.dat
index e1dc6b5b0..786043065 100644
--- a/testing/tests/ikev1/xauth-rsa/evaltest.dat
+++ b/testing/tests/ikev1/xauth-rsa/evaltest.dat
@@ -1,5 +1,7 @@
 carol::cat /var/log/auth.log::extended authentication was successful::YES
 dave::cat /var/log/auth.log::extended authentication was successful::YES
+moon::cat /var/log/auth.log::xauth user name is .*carol@strongswan.org::YES
+moon::cat /var/log/auth.log::xauth user name is .*dave@strongswan.org::YES
 moon::cat /var/log/auth.log::extended authentication was successful::YES
 carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
 dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
diff --git a/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/ipsec.secrets
index 48fd260c1..4a77c3b97 100644
--- a/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/ipsec.secrets
+++ b/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/ipsec.secrets
@@ -2,4 +2,4 @@
 
 : RSA carolKey.pem "nH5ZQEWtku0RJEZ6"
 
-: XAUTH carol "4iChxLT3" 
+carol@strongswan.org : XAUTH "4iChxLT3" 
diff --git a/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..556f76c74
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/ipsec.secrets
index 14f088501..1c0248b84 100644
--- a/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/ipsec.secrets
+++ b/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/ipsec.secrets
@@ -2,4 +2,4 @@
 
 : RSA daveKey.pem
 
-: XAUTH dave "ryftzG4A" 
+dave@strongswan.org : XAUTH "ryftzG4A" 
diff --git a/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..556f76c74
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/ipsec.conf
index ffbb13ec5..f79a81a6f 100644
--- a/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/ipsec.conf
@@ -1,7 +1,7 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug="control"
+	plutodebug=control
 	crlcheckinterval=180
 	strictcrlpolicy=no
 	charonstart=no
diff --git a/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/ipsec.secrets
index 8d41919fc..1ba66971a 100644
--- a/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/ipsec.secrets
+++ b/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/ipsec.secrets
@@ -2,6 +2,6 @@
 
 : RSA moonKey.pem
 
-: XAUTH carol "4iChxLT3"
+carol@strongswan.org : XAUTH "4iChxLT3"
 
-: XAUTH dave  "ryftzG4A"
+dave@strongswan.org  : XAUTH "ryftzG4A"
diff --git a/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..556f76c74
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev2/after-2038-certs/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/after-2038-certs/hosts/carol/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/after-2038-certs/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/after-2038-certs/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/after-2038-certs/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/after-2038-certs/hosts/moon/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/after-2038-certs/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/after-2038-certs/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-3des-md5/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-3des-md5/hosts/carol/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/alg-3des-md5/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-3des-md5/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-3des-md5/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-3des-md5/hosts/moon/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/alg-3des-md5/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-3des-md5/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf
index 336227af7..fed4f5ece 100644
--- a/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   dh_exponent_ansi_x9_42 = no
-  load = aes des blowfish md5 sha1 sha2 pem pkcs1 gmp curl random x509 hmac stroke kernel-netlink socket-default updown
+  load = aes des blowfish md5 sha1 sha2 pem pkcs1 gmp curl random x509 revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf
index 336227af7..fed4f5ece 100644
--- a/testing/tests/ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   dh_exponent_ansi_x9_42 = no
-  load = aes des blowfish md5 sha1 sha2 pem pkcs1 gmp curl random x509 hmac stroke kernel-netlink socket-default updown
+  load = aes des blowfish md5 sha1 sha2 pem pkcs1 gmp curl random x509 revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf
index 336227af7..fed4f5ece 100644
--- a/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   dh_exponent_ansi_x9_42 = no
-  load = aes des blowfish md5 sha1 sha2 pem pkcs1 gmp curl random x509 hmac stroke kernel-netlink socket-default updown
+  load = aes des blowfish md5 sha1 sha2 pem pkcs1 gmp curl random x509 revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-modp-subgroup/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-modp-subgroup/hosts/carol/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/alg-modp-subgroup/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-modp-subgroup/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-modp-subgroup/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/alg-modp-subgroup/hosts/dave/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/alg-modp-subgroup/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-modp-subgroup/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-modp-subgroup/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-modp-subgroup/hosts/moon/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/alg-modp-subgroup/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-modp-subgroup/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-sha256-96/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-sha256-96/hosts/carol/etc/strongswan.conf
index 06304115b..53061a59b 100644
--- a/testing/tests/ikev2/alg-sha256-96/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-sha256-96/hosts/carol/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
   send_vendor_id = yes
 }
diff --git a/testing/tests/ikev2/alg-sha256-96/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-sha256-96/hosts/moon/etc/strongswan.conf
index 06304115b..53061a59b 100644
--- a/testing/tests/ikev2/alg-sha256-96/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-sha256-96/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
   send_vendor_id = yes
 }
diff --git a/testing/tests/ikev2/alg-sha256/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-sha256/hosts/carol/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/alg-sha256/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-sha256/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-sha256/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-sha256/hosts/moon/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/alg-sha256/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-sha256/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-sha384/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-sha384/hosts/carol/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/alg-sha384/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-sha384/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-sha384/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-sha384/hosts/moon/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/alg-sha384/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-sha384/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-sha512/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-sha512/hosts/carol/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/alg-sha512/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-sha512/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-sha512/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-sha512/hosts/moon/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/alg-sha512/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-sha512/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/any-interface/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/any-interface/hosts/alice/etc/strongswan.conf
index 3fbdad4f9..cb1485446 100644
--- a/testing/tests/ikev2/any-interface/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/any-interface/hosts/alice/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/any-interface/hosts/bob/etc/strongswan.conf b/testing/tests/ikev2/any-interface/hosts/bob/etc/strongswan.conf
index 3fbdad4f9..cb1485446 100644
--- a/testing/tests/ikev2/any-interface/hosts/bob/etc/strongswan.conf
+++ b/testing/tests/ikev2/any-interface/hosts/bob/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/any-interface/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/any-interface/hosts/moon/etc/strongswan.conf
index 3fbdad4f9..cb1485446 100644
--- a/testing/tests/ikev2/any-interface/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/any-interface/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/any-interface/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/any-interface/hosts/sun/etc/strongswan.conf
index 3fbdad4f9..cb1485446 100644
--- a/testing/tests/ikev2/any-interface/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/any-interface/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/compress/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/compress/hosts/carol/etc/strongswan.conf
index dd2df0670..88f162098 100644
--- a/testing/tests/ikev2/compress/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/compress/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/compress/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/compress/hosts/moon/etc/strongswan.conf
index dd2df0670..88f162098 100644
--- a/testing/tests/ikev2/compress/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/compress/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/config-payload-swapped/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/config-payload-swapped/hosts/carol/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/config-payload-swapped/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/config-payload-swapped/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/config-payload-swapped/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/config-payload-swapped/hosts/dave/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/config-payload-swapped/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/config-payload-swapped/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/config-payload-swapped/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/config-payload-swapped/hosts/moon/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/config-payload-swapped/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/config-payload-swapped/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/config-payload/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/config-payload/hosts/carol/etc/strongswan.conf
index 5af37dc90..cb5f6406b 100644
--- a/testing/tests/ikev2/config-payload/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/config-payload/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown resolve
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
 }
diff --git a/testing/tests/ikev2/config-payload/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/config-payload/hosts/dave/etc/strongswan.conf
index 5af37dc90..cb5f6406b 100644
--- a/testing/tests/ikev2/config-payload/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/config-payload/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown resolve
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
 }
diff --git a/testing/tests/ikev2/config-payload/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/config-payload/hosts/moon/etc/strongswan.conf
index 223ed67a3..f763e3ef1 100644
--- a/testing/tests/ikev2/config-payload/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/config-payload/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown attr
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown attr
   dns1 = PH_IP_WINNETOU
   dns2 = PH_IP_VENUS
 }
diff --git a/testing/tests/ikev2/crl-from-cache/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/crl-from-cache/hosts/carol/etc/strongswan.conf
index dd2df0670..88f162098 100644
--- a/testing/tests/ikev2/crl-from-cache/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/crl-from-cache/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/strongswan.conf
index dd2df0670..88f162098 100644
--- a/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/crl-ldap/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/crl-ldap/hosts/carol/etc/strongswan.conf
index bb4af2c75..cccd6ae27 100644
--- a/testing/tests/ikev2/crl-ldap/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/crl-ldap/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = ldap aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = ldap aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/crl-ldap/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/crl-ldap/hosts/moon/etc/strongswan.conf
index bb4af2c75..cccd6ae27 100644
--- a/testing/tests/ikev2/crl-ldap/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/crl-ldap/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = ldap aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = ldap aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/crl-revoked/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/crl-revoked/hosts/carol/etc/strongswan.conf
index dd2df0670..88f162098 100644
--- a/testing/tests/ikev2/crl-revoked/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/crl-revoked/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/crl-revoked/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/crl-revoked/hosts/moon/etc/strongswan.conf
index dd2df0670..88f162098 100644
--- a/testing/tests/ikev2/crl-revoked/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/crl-revoked/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/crl-to-cache/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/crl-to-cache/hosts/carol/etc/strongswan.conf
index dd2df0670..88f162098 100644
--- a/testing/tests/ikev2/crl-to-cache/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/crl-to-cache/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/strongswan.conf
index dd2df0670..88f162098 100644
--- a/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/default-keys/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/default-keys/hosts/carol/etc/strongswan.conf
index 4890be7cc..eabe265ca 100644
--- a/testing/tests/ikev2/default-keys/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/default-keys/hosts/carol/etc/strongswan.conf
@@ -1,9 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
 
 scepclient {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random
 }
diff --git a/testing/tests/ikev2/default-keys/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/default-keys/hosts/moon/etc/strongswan.conf
index 4890be7cc..eabe265ca 100644
--- a/testing/tests/ikev2/default-keys/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/default-keys/hosts/moon/etc/strongswan.conf
@@ -1,9 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
 
 scepclient {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random
 }
diff --git a/testing/tests/ikev2/dhcp-dynamic/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/dhcp-dynamic/hosts/carol/etc/strongswan.conf
index 5af37dc90..cb5f6406b 100644
--- a/testing/tests/ikev2/dhcp-dynamic/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/dhcp-dynamic/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown resolve
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
 }
diff --git a/testing/tests/ikev2/dhcp-dynamic/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/dhcp-dynamic/hosts/dave/etc/strongswan.conf
index 5af37dc90..cb5f6406b 100644
--- a/testing/tests/ikev2/dhcp-dynamic/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/dhcp-dynamic/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown resolve
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
 }
diff --git a/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/strongswan.conf
index 146c81f48..317e4ddc0 100644
--- a/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown attr farp dhcp
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown attr farp dhcp
   plugins {
     dhcp {
       server = 10.1.255.255
diff --git a/testing/tests/ikev2/dhcp-static-client-id/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/dhcp-static-client-id/hosts/carol/etc/strongswan.conf
index 5af37dc90..cb5f6406b 100644
--- a/testing/tests/ikev2/dhcp-static-client-id/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/dhcp-static-client-id/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown resolve
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
 }
diff --git a/testing/tests/ikev2/dhcp-static-client-id/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/dhcp-static-client-id/hosts/dave/etc/strongswan.conf
index 5af37dc90..cb5f6406b 100644
--- a/testing/tests/ikev2/dhcp-static-client-id/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/dhcp-static-client-id/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown resolve
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
 }
diff --git a/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/strongswan.conf
index 146c81f48..317e4ddc0 100644
--- a/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown attr farp dhcp
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown attr farp dhcp
   plugins {
     dhcp {
       server = 10.1.255.255
diff --git a/testing/tests/ikev2/dhcp-static-mac/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/dhcp-static-mac/hosts/carol/etc/strongswan.conf
index 5af37dc90..cb5f6406b 100644
--- a/testing/tests/ikev2/dhcp-static-mac/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/dhcp-static-mac/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown resolve
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
 }
diff --git a/testing/tests/ikev2/dhcp-static-mac/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/dhcp-static-mac/hosts/dave/etc/strongswan.conf
index 5af37dc90..cb5f6406b 100644
--- a/testing/tests/ikev2/dhcp-static-mac/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/dhcp-static-mac/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown resolve
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
 }
diff --git a/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/strongswan.conf
index 40c3c2418..ecfc51d44 100644
--- a/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown attr farp dhcp
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown attr farp dhcp
   plugins {
     dhcp {
       server = 10.1.255.255
diff --git a/testing/tests/ikev2/double-nat-net/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/double-nat-net/hosts/alice/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/double-nat-net/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/double-nat-net/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/double-nat-net/hosts/bob/etc/strongswan.conf b/testing/tests/ikev2/double-nat-net/hosts/bob/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/double-nat-net/hosts/bob/etc/strongswan.conf
+++ b/testing/tests/ikev2/double-nat-net/hosts/bob/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/double-nat/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/double-nat/hosts/alice/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/double-nat/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/double-nat/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/double-nat/hosts/bob/etc/strongswan.conf b/testing/tests/ikev2/double-nat/hosts/bob/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/double-nat/hosts/bob/etc/strongswan.conf
+++ b/testing/tests/ikev2/double-nat/hosts/bob/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/dpd-clear/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/dpd-clear/hosts/carol/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/dpd-clear/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/dpd-clear/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/dpd-clear/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/dpd-clear/hosts/moon/etc/strongswan.conf
index dd2df0670..88f162098 100644
--- a/testing/tests/ikev2/dpd-clear/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/dpd-clear/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/dpd-hold/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/dpd-hold/hosts/carol/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/dpd-hold/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/dpd-hold/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/dpd-hold/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/dpd-hold/hosts/moon/etc/strongswan.conf
index dd2df0670..88f162098 100644
--- a/testing/tests/ikev2/dpd-hold/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/dpd-hold/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/dpd-restart/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/dpd-restart/hosts/carol/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/dpd-restart/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/dpd-restart/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/dpd-restart/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/dpd-restart/hosts/moon/etc/strongswan.conf
index dd2df0670..88f162098 100644
--- a/testing/tests/ikev2/dpd-restart/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/dpd-restart/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/esp-alg-aes-ccm/evaltest.dat b/testing/tests/ikev2/esp-alg-aes-ccm/evaltest.dat
index 86ef872c0..f7959d129 100644
--- a/testing/tests/ikev2/esp-alg-aes-ccm/evaltest.dat
+++ b/testing/tests/ikev2/esp-alg-aes-ccm/evaltest.dat
@@ -3,5 +3,7 @@ carol::ipsec statusall::home.*INSTALLED::YES
 carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
 moon::ipsec statusall::AES_CCM_12_128::YES
 carol::ipsec statusall::AES_CCM_12_128::YES
+carol::ip xfrm state::aead rfc4309(ccm(aes))::YES
+moon::ip xfrm state::aead rfc4309(ccm(aes))::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 180::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 180::YES
diff --git a/testing/tests/ikev2/esp-alg-aes-ccm/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-aes-ccm/hosts/carol/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/esp-alg-aes-ccm/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/esp-alg-aes-ccm/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/esp-alg-aes-ccm/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-aes-ccm/hosts/moon/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/esp-alg-aes-ccm/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/esp-alg-aes-ccm/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/esp-alg-aes-ctr/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-aes-ctr/hosts/carol/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/esp-alg-aes-ctr/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/esp-alg-aes-ctr/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/esp-alg-aes-ctr/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-aes-ctr/hosts/moon/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/esp-alg-aes-ctr/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/esp-alg-aes-ctr/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/esp-alg-aes-gcm/evaltest.dat b/testing/tests/ikev2/esp-alg-aes-gcm/evaltest.dat
index 9805c654c..7434cc156 100644
--- a/testing/tests/ikev2/esp-alg-aes-gcm/evaltest.dat
+++ b/testing/tests/ikev2/esp-alg-aes-gcm/evaltest.dat
@@ -3,5 +3,7 @@ carol::ipsec statusall::home.*INSTALLED::YES
 carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
 moon::ipsec statusall::AES_GCM_16_256::YES
 carol::ipsec statusall::AES_GCM_16_256::YES
+carol::ip xfrm state::aead rfc4106(gcm(aes))::YES
+moon::ip xfrm state::aead rfc4106(gcm(aes))::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 184::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 184::YES
diff --git a/testing/tests/ikev2/esp-alg-aes-gcm/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-aes-gcm/hosts/carol/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/esp-alg-aes-gcm/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/esp-alg-aes-gcm/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/esp-alg-aes-gcm/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-aes-gcm/hosts/moon/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/esp-alg-aes-gcm/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/esp-alg-aes-gcm/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/esp-alg-aes-gmac/evaltest.dat b/testing/tests/ikev2/esp-alg-aes-gmac/evaltest.dat
index 534f6d452..9377d9fd2 100644
--- a/testing/tests/ikev2/esp-alg-aes-gmac/evaltest.dat
+++ b/testing/tests/ikev2/esp-alg-aes-gmac/evaltest.dat
@@ -3,5 +3,7 @@ carol::ipsec statusall::home.*INSTALLED::YES
 carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
 moon::ipsec statusall::NULL_AES_GMAC_256::YES
 carol::ipsec statusall::NULL_AES_GMAC_256::YES
+carol::ip xfrm state::aead rfc4543(gcm(aes))::YES
+moon::ip xfrm state::aead rfc4543(gcm(aes))::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 184::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 184::YES
diff --git a/testing/tests/ikev2/esp-alg-aes-gmac/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-aes-gmac/hosts/carol/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/esp-alg-aes-gmac/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/esp-alg-aes-gmac/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/esp-alg-aes-gmac/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-aes-gmac/hosts/moon/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/esp-alg-aes-gmac/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/esp-alg-aes-gmac/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/esp-alg-null/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-null/hosts/carol/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/esp-alg-null/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/esp-alg-null/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/esp-alg-null/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-null/hosts/moon/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/esp-alg-null/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/esp-alg-null/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/farp/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/farp/hosts/carol/etc/strongswan.conf
index 5af37dc90..cb5f6406b 100644
--- a/testing/tests/ikev2/farp/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/farp/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown resolve
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
 }
diff --git a/testing/tests/ikev2/farp/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/farp/hosts/dave/etc/strongswan.conf
index 5af37dc90..cb5f6406b 100644
--- a/testing/tests/ikev2/farp/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/farp/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown resolve
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
 }
diff --git a/testing/tests/ikev2/farp/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/farp/hosts/moon/etc/strongswan.conf
index 4585d928a..379edeefc 100644
--- a/testing/tests/ikev2/farp/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/farp/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown attr farp
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown attr farp
   dns1 = PH_IP_WINNETOU
   dns2 = PH_IP_VENUS
 }
diff --git a/testing/tests/ikev2/force-udp-encaps/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/force-udp-encaps/hosts/alice/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/force-udp-encaps/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/force-udp-encaps/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/host2host-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/host2host-cert/hosts/moon/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/host2host-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/host2host-cert/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/host2host-cert/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/host2host-cert/hosts/sun/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/host2host-cert/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/host2host-cert/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/host2host-swapped/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/host2host-swapped/hosts/moon/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/host2host-swapped/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/host2host-swapped/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/host2host-swapped/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/host2host-swapped/hosts/sun/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/host2host-swapped/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/host2host-swapped/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/host2host-transport/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/host2host-transport/hosts/moon/etc/strongswan.conf
index 291f08db1..cb17a9e07 100644
--- a/testing/tests/ikev2/host2host-transport/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/host2host-transport/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/host2host-transport/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/host2host-transport/hosts/sun/etc/strongswan.conf
index 291f08db1..cb17a9e07 100644
--- a/testing/tests/ikev2/host2host-transport/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/host2host-transport/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/inactivity-timeout/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/inactivity-timeout/hosts/carol/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/inactivity-timeout/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/inactivity-timeout/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/inactivity-timeout/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/inactivity-timeout/hosts/moon/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/inactivity-timeout/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/inactivity-timeout/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/ip-pool-db/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-pool-db/hosts/carol/etc/strongswan.conf
index 5af37dc90..cb5f6406b 100644
--- a/testing/tests/ikev2/ip-pool-db/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-pool-db/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown resolve
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
 }
diff --git a/testing/tests/ikev2/ip-pool-db/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ip-pool-db/hosts/dave/etc/strongswan.conf
index 5af37dc90..cb5f6406b 100644
--- a/testing/tests/ikev2/ip-pool-db/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-pool-db/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown resolve
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
 }
diff --git a/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/strongswan.conf
index 626bec3ed..e907021ce 100644
--- a/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default sqlite attr-sql updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default sqlite attr-sql updown
 }
 
 libhydra {
diff --git a/testing/tests/ikev2/ip-pool-db/pretest.dat b/testing/tests/ikev2/ip-pool-db/pretest.dat
index 332280acd..4a2add194 100644
--- a/testing/tests/ikev2/ip-pool-db/pretest.dat
+++ b/testing/tests/ikev2/ip-pool-db/pretest.dat
@@ -1,9 +1,9 @@
 moon::cat /etc/ipsec.d/tables.sql > /etc/ipsec.d/ipsec.sql
 moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 moon::ipsec pool --add bigpool --start 10.3.0.1 --end 10.3.3.232 --timeout 0 2> /dev/null
-moon::ipsec pool --add dns  --server PH_IP_WINNETOU 2> /dev/null
-moon::ipsec pool --add dns  --server PH_IP_VENUS 2> /dev/null
-moon::ipsec pool --add nbns --server PH_IP_VENUS 2> /dev/null
+moon::ipsec pool --addattr dns  --server PH_IP_WINNETOU 2> /dev/null
+moon::ipsec pool --addattr dns  --server PH_IP_VENUS 2> /dev/null
+moon::ipsec pool --addattr nbns --server PH_IP_VENUS 2> /dev/null
 moon::/etc/init.d/iptables start 2> /dev/null
 carol::/etc/init.d/iptables start 2> /dev/null
 dave::/etc/init.d/iptables start 2> /dev/null
diff --git a/testing/tests/ikev2/ip-pool-wish/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-pool-wish/hosts/carol/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/ip-pool-wish/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-pool-wish/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/ip-pool-wish/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ip-pool-wish/hosts/dave/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/ip-pool-wish/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-pool-wish/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/ip-pool-wish/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-pool-wish/hosts/moon/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/ip-pool-wish/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-pool-wish/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/ip-pool/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-pool/hosts/carol/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/ip-pool/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-pool/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/ip-pool/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ip-pool/hosts/dave/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/ip-pool/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-pool/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/ip-pool/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-pool/hosts/moon/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/ip-pool/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-pool/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/ip-split-pools-db/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-split-pools-db/hosts/carol/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/ip-split-pools-db/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-split-pools-db/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/ip-split-pools-db/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ip-split-pools-db/hosts/dave/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/ip-split-pools-db/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-split-pools-db/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/strongswan.conf
index 626bec3ed..e907021ce 100644
--- a/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default sqlite attr-sql updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default sqlite attr-sql updown
 }
 
 libhydra {
diff --git a/testing/tests/ikev2/ip-two-pools-db/evaltest.dat b/testing/tests/ikev2/ip-two-pools-db/evaltest.dat
index c2bd87c58..ba2b07a10 100644
--- a/testing/tests/ikev2/ip-two-pools-db/evaltest.dat
+++ b/testing/tests/ikev2/ip-two-pools-db/evaltest.dat
@@ -16,6 +16,10 @@ carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
 dave::cat /var/log/daemon.log::installing new virtual IP 10.3.0.2::YES
 alice::cat /var/log/daemon.log::installing new virtual IP 10.4.0.1::YES
 venus::cat /var/log/daemon.log::installing new virtual IP 10.4.0.2::YES
+carol::cat /var/log/daemon.log::installing DNS server PH_IP_WINNETOU to /etc/resolv.conf::YES
+dave::cat /var/log/daemon.log::installing DNS server PH_IP_WINNETOU to /etc/resolv.conf::YES
+alice::cat /var/log/daemon.log::installing DNS server PH_IP_ALICE to /etc/resolv.conf::YES
+venus::cat /var/log/daemon.log::installing DNS server PH_IP_VENUS to /etc/resolv.conf::YES
 alice::ping -c 1 PH_IP_CAROL1::64 bytes from PH_IP_CAROL1: icmp_seq=1::YES
 dave::ping -c 1 PH_IP_CAROL1::64 bytes from PH_IP_CAROL1: icmp_seq=1::YES
 alice::ping -c 1 10.4.0.2::64 bytes from 10.4.0.2: icmp_seq=1::YES
diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/strongswan.conf
index de9ae45cc..cb5f6406b 100644
--- a/testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
 }
diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/carol/etc/strongswan.conf
index de9ae45cc..cb5f6406b 100644
--- a/testing/tests/ikev2/ip-two-pools-db/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools-db/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
 }
diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/dave/etc/strongswan.conf
index de9ae45cc..cb5f6406b 100644
--- a/testing/tests/ikev2/ip-two-pools-db/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools-db/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
 }
diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/strongswan.conf
index 70d66b20b..e44a3e251 100644
--- a/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke sqlite attr-sql kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke sqlite attr-sql kernel-netlink socket-default updown
 }
 
 libhydra {
diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/strongswan.conf
index de9ae45cc..cb5f6406b 100644
--- a/testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
 }
diff --git a/testing/tests/ikev2/ip-two-pools-db/posttest.dat b/testing/tests/ikev2/ip-two-pools-db/posttest.dat
index 17901fa15..83052889c 100644
--- a/testing/tests/ikev2/ip-two-pools-db/posttest.dat
+++ b/testing/tests/ikev2/ip-two-pools-db/posttest.dat
@@ -13,4 +13,7 @@ moon::ip route del 10.4.0.0/16 via PH_IP_MOON1
 moon::conntrack -F
 moon::ipsec pool --del extpool 2> /dev/null
 moon::ipsec pool --del intpool 2> /dev/null
+moon::ipsec pool --delattr dns --server PH_IP_VENUS --pool intpool --identity venus.strongswan.org 2> /dev/null
+moon::ipsec pool --delattr dns --server PH_IP_ALICE --pool intpool --identity alice@strongswan.org 2> /dev/null
+moon::ipsec pool --delattr dns --server PH_IP_WINNETOU --pool extpool 2> /dev/null
 moon::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/ikev2/ip-two-pools-db/pretest.dat b/testing/tests/ikev2/ip-two-pools-db/pretest.dat
index fa7c122d9..e4eb8b0b9 100644
--- a/testing/tests/ikev2/ip-two-pools-db/pretest.dat
+++ b/testing/tests/ikev2/ip-two-pools-db/pretest.dat
@@ -2,6 +2,10 @@ moon::cat /etc/ipsec.d/tables.sql > /etc/ipsec.d/ipsec.sql
 moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 moon::ipsec pool --add extpool --start 10.3.0.1 --end 10.3.1.244 --timeout 48 2> /dev/null 
 moon::ipsec pool --add intpool --start 10.4.0.1 --end 10.4.1.244 --timeout  0 2> /dev/null
+moon::ipsec pool --addattr dns --server PH_IP_VENUS --pool intpool --identity venus.strongswan.org 2> /dev/null
+moon::ipsec pool --addattr dns --server PH_IP_ALICE --pool intpool --identity alice@strongswan.org 2> /dev/null
+moon::ipsec pool --addattr dns --server PH_IP_WINNETOU --pool extpool 2> /dev/null
+moon::ipsec pool --statusattr 2> /dev/null
 moon::ip route add 10.3.0.0/16 via PH_IP_MOON
 moon::ip route add 10.4.0.0/16 via PH_IP_MOON1
 alice::/etc/init.d/iptables start 2> /dev/null
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-mixed/hosts/carol/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/ip-two-pools-mixed/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools-mixed/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf
index 70d66b20b..e44a3e251 100644
--- a/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke sqlite attr-sql kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke sqlite attr-sql kernel-netlink socket-default updown
 }
 
 libhydra {
diff --git a/testing/tests/ikev2/ip-two-pools/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools/hosts/alice/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/ip-two-pools/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/ip-two-pools/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools/hosts/carol/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/ip-two-pools/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/mobike-nat/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/mobike-nat/hosts/alice/etc/strongswan.conf
index dd2df0670..88f162098 100644
--- a/testing/tests/ikev2/mobike-nat/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/mobike-nat/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/mobike-nat/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/mobike-nat/hosts/sun/etc/strongswan.conf
index dd2df0670..88f162098 100644
--- a/testing/tests/ikev2/mobike-nat/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/mobike-nat/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/strongswan.conf
index dd2df0670..88f162098 100644
--- a/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/strongswan.conf
index dd2df0670..88f162098 100644
--- a/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/mobike/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/mobike/hosts/alice/etc/strongswan.conf
index dd2df0670..88f162098 100644
--- a/testing/tests/ikev2/mobike/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/mobike/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/mobike/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/mobike/hosts/sun/etc/strongswan.conf
index dd2df0670..88f162098 100644
--- a/testing/tests/ikev2/mobike/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/mobike/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/strongswan.conf
index 2435403a4..7b4ab49e4 100644
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file eap-identity updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file eap-identity updown
 }
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/strongswan.conf
index 2435403a4..7b4ab49e4 100644
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file eap-identity updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file eap-identity updown
 }
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/strongswan.conf
index f0e7da85e..2a18af887 100644
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius eap-identity updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius eap-identity updown
   plugins {
     eap-radius {
       secret = gv6URkSs
diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/strongswan.conf
index dd2df0670..88f162098 100644
--- a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/strongswan.conf
index dd2df0670..88f162098 100644
--- a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/moon/etc/strongswan.conf
index dd2df0670..88f162098 100644
--- a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/strongswan.conf
index dd2df0670..88f162098 100644
--- a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/strongswan.conf
index dd2df0670..88f162098 100644
--- a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/moon/etc/strongswan.conf
index dd2df0670..88f162098 100644
--- a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf
index 908f85ac5..bbe0d3aa7 100644
--- a/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = ldap aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+  load = ldap aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf
index 908f85ac5..bbe0d3aa7 100644
--- a/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = ldap aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+  load = ldap aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf
index bb4af2c75..cccd6ae27 100644
--- a/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = ldap aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = ldap aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/strongswan.conf
index dd2df0670..88f162098 100644
--- a/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/research_by_salesCert.pem b/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/research_by_salesCert.pem
index efb939e3a..37ef9c665 100644
--- a/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/research_by_salesCert.pem
+++ b/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/research_by_salesCert.pem
@@ -1,7 +1,7 @@
 -----BEGIN CERTIFICATE-----
-MIID/TCCAuWgAwIBAgIBAjANBgkqhkiG9w0BAQUFADBLMQswCQYDVQQGEwJDSDEZ
+MIID/TCCAuWgAwIBAgIBBjANBgkqhkiG9w0BAQsFADBLMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEOMAwGA1UECxMFU2FsZXMxETAPBgNV
-BAMTCFNhbGVzIENBMB4XDTA1MDYxNjE5NTUzNloXDTEwMDYxNTE5NTUzNlowUTEL
+BAMTCFNhbGVzIENBMB4XDTEwMDcwMzE1MjgyOVoXDTE1MDcwMjE1MjgyOVowUTEL
 MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsT
 CFJlc2VhcmNoMRQwEgYDVQQDEwtSZXNlYXJjaCBDQTCCASIwDQYJKoZIhvcNAQEB
 BQADggEPADCCAQoCggEBALY5sjqm4AdbWKc/T7JahWpy9xtdPbHngBN6lbnpYaHf
@@ -13,12 +13,12 @@ m+0iNKy0C+25IuE8Nq+i3jtBiI8BwBqHY3u2IuflUh9Nc9d/R6vGsRPMHs30X1Ha
 HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU53XwoPKtIM3NYCPM
 x8gPKfPdVCAwbQYDVR0jBGYwZIAUX5sTRvkgcsgA1Yi1p0wul+oLkyihSaRHMEUx
 CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQD
-ExJzdHJvbmdTd2FuIFJvb3QgQ0GCAQ0wNAYDVR0fBC0wKzApoCegJYYjaHR0cDov
-L2NybC5zdHJvbmdzd2FuLm9yZy9zYWxlcy5jcmwwDQYJKoZIhvcNAQEFBQADggEB
-AJ2EkXnpgdJpsBIMcH+3oTUks8gAT5bR+LdVQSMHqvjgfaCq5fuZY15niLm5QeFr
-Yhv2KtfHfF+tZgE+qWcqS33Y2U/jwUMO45Wqi5HXQDk8AM/gcvQZ8+PINkGdVdup
-Wyw3MM08S/fp8UUl/3QrDr+CBGqZCSx3LEIFILm2hvdXK1/okAtkwlKV4YiOEemg
-pZURzA2M29FeGDS8snfiVYFBkydT9QrrHnx8IwyVGykfOA4tnjRsjTvcs0qhtLcL
-rjK2FSmzBTCVl6/lBOYmB765KUHev6WF4hdMKHf7lsH2nhYb97jxoT54y73jVd1S
-uaJ2yDwEhOHn3ihb1bqlanM=
+ExJzdHJvbmdTd2FuIFJvb3QgQ0GCASEwNAYDVR0fBC0wKzApoCegJYYjaHR0cDov
+L2NybC5zdHJvbmdzd2FuLm9yZy9zYWxlcy5jcmwwDQYJKoZIhvcNAQELBQADggEB
+ALRTVUS8bpb3NrwWV/aIE6K9MvtX1kPzMUbZgykwOm4g1jfDmqbPw28X6YZESQ2B
+bG1QRh3SUpSoT5vplPcD4OCv3ORKACzGhx4xemd7TpYP8dnptfk66cfFCP+It0t4
+hP45BqlgVZfd5ZAO/ogRQ+2s79Obc5XPq/ShGvConGVOPDuqkWrP/ISIMdBXFHqk
+WyW24e/Kzq7pPMG18Ect7NA4gRXSiWx0U33lhWNasPvSKtKgC6dcmRNqjyTHQoFy
+02FLgKP1p214ThLkSr9dgHT6e69R7ES9Vin3DUgPuJdlXcax/BWm6gLugqHcXVGF
+yuVPkDSgPds6m0KQcEVnuaU=
 -----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/sales_by_researchCert.pem b/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/sales_by_researchCert.pem
index 90e207c4b..0a435b90d 100644
--- a/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/sales_by_researchCert.pem
+++ b/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/sales_by_researchCert.pem
@@ -1,8 +1,8 @@
 -----BEGIN CERTIFICATE-----
-MIIEADCCAuigAwIBAgIBAjANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJDSDEZ
+MIIEADCCAuigAwIBAgIBBzANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS
-BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTA1MDYxNjE5NTcxMFoXDTEwMDYxNTE5NTcx
-MFowSzELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAM
+BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTEwMDcwMzE1MTgzOVoXDTE1MDcwMjE1MTgz
+OVowSzELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAM
 BgNVBAsTBVNhbGVzMREwDwYDVQQDEwhTYWxlcyBDQTCCASIwDQYJKoZIhvcNAQEB
 BQADggEPADCCAQoCggEBAMJOTSaZjDe5UR+hJbodcE40WBxWm+r0FiD+FLc2c0hH
 /QcWm1Xfqnc9qaPPGoxO2BfwXgFEHfOdQzHGuthhsvdMPkmWP1Z3uDrwscqrmLyq
@@ -13,12 +13,12 @@ gbBRI1A3iqoU3Nq1vPAqzrekOI/RV9Hre9L1r8X1dIECAwEAAaOB6DCB5TAPBgNV
 HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUX5sTRvkgcsgA1Yi1
 p0wul+oLkygwbQYDVR0jBGYwZIAU53XwoPKtIM3NYCPMx8gPKfPdVCChSaRHMEUx
 CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQD
-ExJzdHJvbmdTd2FuIFJvb3QgQ0GCAQwwNwYDVR0fBDAwLjAsoCqgKIYmaHR0cDov
-L2NybC5zdHJvbmdzd2FuLm9yZy9yZXNlYXJjaC5jcmwwDQYJKoZIhvcNAQEFBQAD
-ggEBAJW0/z17JK38rsn8zh0Ta+9Ql5fcA9UIUGcN/KfCvdGwrYaym8Dy6Pz+sZkO
-clOv5t+3R1zKDiiLGQ4m8jYW6NcxeJZyyPhGtKaafanXZsQuMpaTpvkRr62jx/NB
-b3c/HS3dqz2dTMvFJ6CC65vOnnGgzF1szhrrWymGI/NuHUge748WYPNw+OsLmBQI
-koXJsMURGtPWXtJE98Rre+r/6O5kzZNv7V8LGoBkWf1Z6g1q2VvCcnJPxANcQoxf
-Is+E+aqBhGJ6XlnQIlQB1SjoMhOnJ282JK9Hk3NmQYb/zvIzIfo3FCrjj1JI/XoA
-/szZoxwnE2iHtIoMAhfHZpRvOkg=
+ExJzdHJvbmdTd2FuIFJvb3QgQ0GCASAwNwYDVR0fBDAwLjAsoCqgKIYmaHR0cDov
+L2NybC5zdHJvbmdzd2FuLm9yZy9yZXNlYXJjaC5jcmwwDQYJKoZIhvcNAQELBQAD
+ggEBADPiBfTbTkHwRdpt4iAY/wx0AKKwnF636+1E+m8dHn1HhTU8FZkiRCsRSRdx
+qpzprMga6v7ksV29CIJpTciaD48S2zWNsiQ2vfNB4UenG4wKVG8742CQakCzZk/7
+MrHutk+VDcN3oGcu4gFECPzrZiYPTVv74PCFRfd37SYlXmN0KF0Ivzgu2DNwJNMD
+Aa6sHs+/8H/7BbzHxUZkT7zrTuy4M5FGIKllQBxALp/8N/LN4vz0ZbLgbNU7Eo16
+EikbEASUs3Scmna+dFBSfexf0G9oqvHvxjWPiZRw6ZrS5TZkAE1DmdqLWwTNq/Fo
+aeDWsllgAdqMA2fL7i9tsFHZVYk=
 -----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/strongswan.conf
index dd2df0670..88f162098 100644
--- a/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/strongswan.conf
index dd2df0670..88f162098 100644
--- a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/strongswan.conf
index dd2df0670..88f162098 100644
--- a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/strongswan.conf
index dd2df0670..88f162098 100644
--- a/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/strongswan.conf
index dd2df0670..88f162098 100644
--- a/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/strongswan.conf
index dd2df0670..88f162098 100644
--- a/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/strongswan.conf
index dd2df0670..88f162098 100644
--- a/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/strongswan.conf
index dd2df0670..88f162098 100644
--- a/testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/strongswan.conf
index dd2df0670..88f162098 100644
--- a/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/strongswan.conf
index dd2df0670..88f162098 100644
--- a/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/strongswan.conf
index dd2df0670..88f162098 100644
--- a/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/nat-one-rw/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/nat-one-rw/hosts/alice/etc/strongswan.conf
index 79348686d..6d9e62e1d 100644
--- a/testing/tests/ikev2/nat-one-rw/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/nat-one-rw/hosts/alice/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   keep_alive = 1d 
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/nat-one-rw/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/nat-one-rw/hosts/sun/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/nat-one-rw/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/nat-one-rw/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/nat-two-rw-mark/description.txt b/testing/tests/ikev2/nat-two-rw-mark/description.txt
new file mode 100644
index 000000000..2a93d11d8
--- /dev/null
+++ b/testing/tests/ikev2/nat-two-rw-mark/description.txt
@@ -0,0 +1,16 @@
+The roadwarriors <b>alice</b> and <b>venus</b> sitting behind the NAT router <b>moon</b> set up
+tunnels to gateway <b>sun</b>. UDP encapsulation is used to traverse the NAT router.
+Since both roadwarriors possess the same 10.1.0.0/25 subnet, gateway <b>sun</b> uses Source NAT
+after ESP decryption to map these subnets to 10.3.0.10 and 10.3.0.20, respectively.
+<p/>
+In order to differentiate between the tunnels to <b>alice</b> and <b>venus</b>, respectively,
+<b>XFRM marks</b> are defined for both the inbound and outbound IPsec SAs and policies using
+the <b>mark</b> parameter in ipsec.conf.
+<p/>
+<b>iptables -t mangle</b> rules are then used in the PREROUTING chain to mark the traffic to
+and from <b>alice</b> and <b>venus</b>, respectively.
+<p/>
+The script designated by <b>leftupdown=/etc/mark_updown</b> automatically inserts 
+iptables mangle rules that mark the inbound ESP_IN_UDP packets as well as iptables IPsec-policy rules 
+that let pass the tunneled traffic. In order to test the tunnel, the NAT-ed hosts <b>alice</b> 
+and <b>venus</b> ping the client <b>bob</b> behind the gateway <b>sun</b>.
diff --git a/testing/tests/ikev2/nat-two-rw-mark/evaltest.dat b/testing/tests/ikev2/nat-two-rw-mark/evaltest.dat
new file mode 100644
index 000000000..74ba178d9
--- /dev/null
+++ b/testing/tests/ikev2/nat-two-rw-mark/evaltest.dat
@@ -0,0 +1,16 @@
+alice::ipsec statusall::nat-t.*INSTALLED::YES
+venus::ipsec statusall::nat-t.*INSTALLED::YES
+sun::ipsec statusall::alice.*ESTABLISHED.*alice@strongswan.org::YES
+sun::ipsec statusall::venus.*ESTABLISHED.*venus.strongswan.org::YES
+sun::ipsec statusall::alice.*10.2.0.0/16 === 10.1.0.0/25::YES
+sun::ipsec statusall::venus.*10.2.0.0/16 === 10.1.0.0/25::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+moon::tcpdump::IP moon.strongswan.org.4510.* > sun.strongswan.org.ipsec-nat-t: UDP::YES
+moon::tcpdump::IP moon.strongswan.org.4520.* > sun.strongswan.org.ipsec-nat-t: UDP::YES
+moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.4510.*: UDP::YES
+moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.4520.*: UDP::YES
+bob::tcpdump::10.3.0.10 > bob.strongswan.org: ICMP echo request::YES
+bob::tcpdump::10.3.0.20 > bob.strongswan.org: ICMP echo request::YES
+bob::tcpdump::bob.strongswan.org > 10.3.0.10: ICMP echo reply::YES
+bob::tcpdump::bob.strongswan.org > 10.3.0.20: ICMP echo reply::YES
diff --git a/testing/tests/ikev2/nat-two-rw-mark/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/nat-two-rw-mark/hosts/alice/etc/ipsec.conf
new file mode 100755
index 000000000..0f7c23845
--- /dev/null
+++ b/testing/tests/ikev2/nat-two-rw-mark/hosts/alice/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+		
+conn nat-t
+	left=%defaultroute
+	leftsubnet=10.1.0.0/25
+	leftcert=aliceCert.pem
+	leftid=alice@strongswan.org
+	leftfirewall=yes
+	lefthostaccess=yes
+	right=PH_IP_SUN
+	rightid=@sun.strongswan.org
+	rightsubnet=10.2.0.0/16
+	auto=add
diff --git a/testing/tests/ikev2/nat-two-rw-mark/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/nat-two-rw-mark/hosts/alice/etc/strongswan.conf
new file mode 100644
index 000000000..339b56987
--- /dev/null
+++ b/testing/tests/ikev2/nat-two-rw-mark/hosts/alice/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/nat-two-rw-mark/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/nat-two-rw-mark/hosts/sun/etc/ipsec.conf
new file mode 100755
index 000000000..ae4644c4b
--- /dev/null
+++ b/testing/tests/ikev2/nat-two-rw-mark/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,35 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+	charondebug="knl 2"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn alice 
+	rightid=alice@strongswan.org
+	mark=10/0xffffffff
+	also=sun
+	auto=add
+
+conn venus
+	rightid=@venus.strongswan.org
+	mark=20  #0xffffffff is used by default
+	also=sun
+	auto=add
+
+conn sun
+	left=PH_IP_SUN
+	leftcert=sunCert.pem
+	leftid=@sun.strongswan.org
+	leftsubnet=10.2.0.0/16
+	leftupdown=/etc/mark_updown
+	right=%any
+	rightsubnet=0.0.0.0/0
diff --git a/testing/tests/ikev2/nat-two-rw-mark/hosts/sun/etc/mark_updown b/testing/tests/ikev2/nat-two-rw-mark/hosts/sun/etc/mark_updown
new file mode 100755
index 000000000..442233f32
--- /dev/null
+++ b/testing/tests/ikev2/nat-two-rw-mark/hosts/sun/etc/mark_updown
@@ -0,0 +1,527 @@
+#! /bin/sh
+# updown script setting inbound marks on ESP traffic in the mangle chain
+#
+# Copyright (C) 2003-2004 Nigel Meteringham
+# Copyright (C) 2003-2004 Tuomo Soini
+# Copyright (C) 2002-2004 Michael Richardson
+# Copyright (C) 2005-2010 Andreas Steffen <andreas.steffen@strongswan.org>
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# for more details.
+
+# CAUTION:  Installing a new version of strongSwan will install a new
+# copy of this script, wiping out any custom changes you make.  If
+# you need changes, make a copy of this under another name, and customize
+# that, and use the (left/right)updown parameters in ipsec.conf to make
+# strongSwan use yours instead of this default one.
+
+# things that this script gets (from ipsec_pluto(8) man page)
+#
+#      PLUTO_VERSION
+#              indicates  what  version of this interface is being
+#              used.  This document describes version  1.1.   This
+#              is upwardly compatible with version 1.0.
+#
+#       PLUTO_VERB
+#              specifies the name of the operation to be performed
+#              (prepare-host, prepare-client, up-host, up-client,
+#              down-host, or down-client).  If the address family
+#              for security gateway to security gateway communica-
+#              tions is IPv6, then a suffix of -v6 is added to the
+#              verb.
+#
+#       PLUTO_CONNECTION
+#              is the name of the  connection  for  which  we  are
+#              routing.
+#
+#       PLUTO_NEXT_HOP
+#              is the next hop to which packets bound for the peer
+#              must be sent.
+#
+#       PLUTO_INTERFACE
+#              is the name of the ipsec interface to be used.
+#
+#       PLUTO_REQID
+#              is the requid of the ESP policy
+#
+#       PLUTO_ME
+#              is the IP address of our host.
+#
+#       PLUTO_MY_ID
+#              is the ID of our host.
+#
+#       PLUTO_MY_CLIENT
+#              is the IP address / count of our client subnet.  If
+#              the  client  is  just  the  host,  this will be the
+#              host's own IP address / max (where max  is  32  for
+#              IPv4 and 128 for IPv6).
+#
+#       PLUTO_MY_CLIENT_NET
+#              is the IP address of our client net.  If the client
+#              is just the host, this will be the  host's  own  IP
+#              address.
+#
+#       PLUTO_MY_CLIENT_MASK
+#              is  the  mask for our client net.  If the client is
+#              just the host, this will be 255.255.255.255.
+#
+#       PLUTO_MY_SOURCEIP
+#              if non-empty, then the source address for the route will be
+#              set to this IP address.
+#
+#       PLUTO_MY_PROTOCOL
+#              is the IP protocol that will be transported.
+#
+#       PLUTO_MY_PORT
+#              is  the  UDP/TCP  port  to  which  the IPsec SA  is
+#              restricted on our side.
+#
+#       PLUTO_PEER
+#              is the IP address of our peer.
+#
+#       PLUTO_PEER_ID
+#              is the ID of our peer.
+#
+#       PLUTO_PEER_CA
+#              is the CA which issued the cert of our peer.
+#
+#       PLUTO_PEER_CLIENT
+#              is the IP address / count of the peer's client sub-
+#              net.   If the client is just the peer, this will be
+#              the peer's own IP address / max (where  max  is  32
+#              for IPv4 and 128 for IPv6).
+#
+#       PLUTO_PEER_CLIENT_NET
+#              is the IP address of the peer's client net.  If the
+#              client is just the peer, this will  be  the  peer's
+#              own IP address.
+#
+#       PLUTO_PEER_CLIENT_MASK
+#              is  the  mask  for  the  peer's client net.  If the
+#              client   is   just   the   peer,   this   will   be
+#              255.255.255.255.
+#
+#       PLUTO_PEER_PROTOCOL
+#              is the IP protocol that will be transported.
+#
+#       PLUTO_PEER_PORT
+#              is  the  UDP/TCP  port  to  which  the IPsec SA  is
+#              restricted on the peer side.
+#
+#       PLUTO_XAUTH_ID
+#              is an optional user ID employed by the XAUTH protocol
+#
+#       PLUTO_MARK_IN
+#              is an optional XFRM mark set on the inbound IPsec SA
+#
+#       PLUTO_MARK_OUT
+#              is an optional XFRM mark set on the outbound IPsec SA
+#
+#       PLUTO_ESP_ENC
+#              contains the remote UDP port in the case of ESP_IN_UDP
+#              encapsulation
+#
+
+# define a minimum PATH environment in case it is not set
+PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
+export PATH
+
+# uncomment to log VPN connections
+VPN_LOGGING=1
+#
+# tag put in front of each log entry:
+TAG=vpn
+#
+# syslog facility and priority used:
+FAC_PRIO=local0.notice
+#
+# to create a special vpn logging file, put the following line into
+# the syslog configuration file /etc/syslog.conf:
+#
+# local0.notice                   -/var/log/vpn
+
+# in order to use source IP routing the Linux kernel options
+# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES
+# must be enabled
+#
+# special routing table for sourceip routes
+SOURCEIP_ROUTING_TABLE=220
+#
+# priority of the sourceip routing table
+SOURCEIP_ROUTING_TABLE_PRIO=220
+
+# check interface version
+case "$PLUTO_VERSION" in
+1.[0|1])	# Older Pluto?!?  Play it safe, script may be using new features.
+	echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
+	echo "$0: 	called by obsolete Pluto?" >&2
+	exit 2
+	;;
+1.*)	;;
+*)	echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
+	exit 2
+	;;
+esac
+
+# check parameter(s)
+case "$1:$*" in
+':')			# no parameters
+	;;
+iptables:iptables)	# due to (left/right)firewall; for default script only
+	;;
+custom:*)		# custom parameters (see above CAUTION comment)
+	;;
+*)	echo "$0: unknown parameters \`$*'" >&2
+	exit 2
+	;;
+esac
+
+# utility functions for route manipulation
+# Meddling with this stuff should not be necessary and requires great care.
+uproute() {
+	doroute add
+	ip route flush cache
+}
+downroute() {
+	doroute delete
+	ip route flush cache
+}
+
+addsource() {
+	st=0
+	if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
+	then
+	    it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
+	    oops="`eval $it 2>&1`"
+	    st=$?
+	    if test " $oops" = " " -a " $st" != " 0"
+	    then
+		oops="silent error, exit status $st"
+	    fi
+	    if test " $oops" != " " -o " $st" != " 0"
+	    then
+		echo "$0: addsource \`$it' failed ($oops)" >&2
+	    fi
+	fi
+	return $st
+}
+
+doroute() {
+	st=0
+
+	if [ -z "$PLUTO_MY_SOURCEIP" ]
+	then
+	    for dir in /etc/sysconfig /etc/conf.d; do
+		if [ -f "$dir/defaultsource" ]
+		then
+		    . "$dir/defaultsource"
+		fi
+	    done
+
+	    if [ -n "$DEFAULTSOURCE" ]
+	    then
+		PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
+	    fi
+        fi
+
+	if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
+	then
+	    # leave because no route entry is required
+	    return $st
+	fi
+
+	parms1="$PLUTO_PEER_CLIENT"
+
+	if [ -n "$PLUTO_NEXT_HOP" ]
+	then
+	    parms2="via $PLUTO_NEXT_HOP"
+	else
+	    parms2="via $PLUTO_PEER"
+	fi
+	parms2="$parms2 dev $PLUTO_INTERFACE"
+
+	parms3=
+	if [ -n "$PLUTO_MY_SOURCEIP" ]
+	then
+	    if test "$1" = "add"
+	    then
+		addsource
+		if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE"
+		then
+		    ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE
+		fi
+	    fi
+	    parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE"
+	fi
+
+	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+	"0.0.0.0/0.0.0.0")
+		# opportunistic encryption work around
+		# need to provide route that eclipses default, without
+		# replacing it.
+		it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
+			ip route $1 128.0.0.0/1 $parms2 $parms3"
+		;;
+	*)	it="ip route $1 $parms1 $parms2 $parms3"
+		;;
+	esac
+	oops="`eval $it 2>&1`"
+	st=$?
+	if test " $oops" = " " -a " $st" != " 0"
+	then
+	    oops="silent error, exit status $st"
+	fi
+	if test " $oops" != " " -o " $st" != " 0"
+	then
+	    echo "$0: doroute \`$it' failed ($oops)" >&2
+	fi
+	return $st
+}
+
+# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
+if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
+then
+	KLIPS=1
+	IPSEC_POLICY_IN=""
+	IPSEC_POLICY_OUT=""
+else
+	KLIPS=
+	IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
+	IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
+	IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
+fi
+
+# is there an inbound mark to be set?
+if [ -n "$PLUTO_MARK_IN" ]
+then
+	if [ -n "$PLUTO_UDP_ENC" ]
+	then
+	    SET_MARK="-p udp --sport $PLUTO_UDP_ENC"
+	else
+		SET_MARK="-p esp"
+	fi
+	SET_MARK="$SET_MARK -s $PLUTO_PEER -j MARK --set-mark $PLUTO_MARK_IN"
+fi
+
+# are there port numbers?
+if [ "$PLUTO_MY_PORT" != 0 ]
+then
+	S_MY_PORT="--sport $PLUTO_MY_PORT"
+	D_MY_PORT="--dport $PLUTO_MY_PORT"
+fi
+if [ "$PLUTO_PEER_PORT" != 0 ]
+then
+	S_PEER_PORT="--sport $PLUTO_PEER_PORT"
+	D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+fi
+
+# resolve octal escape sequences
+PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
+PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
+
+# the big choice
+case "$PLUTO_VERB:$1" in
+prepare-host:*|prepare-client:*)
+	if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
+	then
+	    # exit because no route will be added,
+	    # so that existing routes can stay
+	    exit 0
+	fi
+
+	# delete possibly-existing route (preliminary to adding a route)
+	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+	"0.0.0.0/0.0.0.0")
+		# need to provide route that eclipses default, without
+		# replacing it.
+		parms1="0.0.0.0/1"
+		parms2="128.0.0.0/1"
+		it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
+		oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
+		;;
+	*)
+		parms="$PLUTO_PEER_CLIENT"
+		it="ip route delete $parms 2>&1"
+		oops="`ip route delete $parms 2>&1`"
+		;;
+	esac
+	status="$?"
+	if test " $oops" = " " -a " $status" != " 0"
+	then
+		oops="silent error, exit status $status"
+	fi
+	case "$oops" in
+	*'RTNETLINK answers: No such process'*)
+		# This is what route (currently -- not documented!) gives
+		# for "could not find such a route".
+		oops=
+		status=0
+		;;
+	esac
+	if test " $oops" != " " -o " $status" != " 0"
+	then
+		echo "$0: \`$it' failed ($oops)" >&2
+	fi
+	exit $status
+	;;
+route-host:*|route-client:*)
+	# connection to me or my client subnet being routed
+	uproute
+	;;
+unroute-host:*|unroute-client:*)
+	# connection to me or my client subnet being unrouted
+	downroute
+	;;
+up-host:)
+	# connection to me coming up
+	# If you are doing a custom version, firewall commands go here.
+	if [ -n "$PLUTO_MARK_IN" ]
+	then
+	    iptables -t mangle -A PREROUTING $SET_MARK
+	fi
+	iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+down-host:)
+	# connection to me going down
+	# If you are doing a custom version, firewall commands go here.
+	if [ -n "$PLUTO_MARK_IN" ]
+	then
+	    iptables -t mangle -D PREROUTING $SET_MARK
+	fi
+	iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	    "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+up-client:)
+	# connection to my client subnet coming up
+	# If you are doing a custom version, firewall commands go here.
+	if [ -n "$PLUTO_MARK_IN" ]
+	then
+	    iptables -t mangle -A PREROUTING $SET_MARK
+	fi
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+	then
+	  iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	  iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	  iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
+down-client:)
+	# connection to my client subnet going down
+	# If you are doing a custom version, firewall commands go here.
+	if [ -n "$PLUTO_MARK_IN" ]
+	then
+	    iptables -t mangle -D PREROUTING $SET_MARK
+	fi
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+	then
+	  iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	  iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	  iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
+*)	echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
+	exit 1
+	;;
+esac
diff --git a/testing/tests/ikev2/nat-two-rw-mark/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/nat-two-rw-mark/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..339b56987
--- /dev/null
+++ b/testing/tests/ikev2/nat-two-rw-mark/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/nat-two-rw-mark/hosts/venus/etc/ipsec.conf b/testing/tests/ikev2/nat-two-rw-mark/hosts/venus/etc/ipsec.conf
new file mode 100755
index 000000000..c82c3e978
--- /dev/null
+++ b/testing/tests/ikev2/nat-two-rw-mark/hosts/venus/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn nat-t
+	left=%defaultroute
+	leftsubnet=10.1.0.0/25
+	leftcert=venusCert.pem
+	leftid=@venus.strongswan.org
+	leftfirewall=yes
+	lefthostaccess=yes
+	right=PH_IP_SUN
+	rightid=@sun.strongswan.org
+	rightsubnet=10.2.0.0/16
+	auto=add
diff --git a/testing/tests/ikev2/nat-two-rw-mark/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2/nat-two-rw-mark/hosts/venus/etc/strongswan.conf
new file mode 100644
index 000000000..339b56987
--- /dev/null
+++ b/testing/tests/ikev2/nat-two-rw-mark/hosts/venus/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/nat-two-rw-mark/posttest.dat b/testing/tests/ikev2/nat-two-rw-mark/posttest.dat
new file mode 100644
index 000000000..89d5f534b
--- /dev/null
+++ b/testing/tests/ikev2/nat-two-rw-mark/posttest.dat
@@ -0,0 +1,11 @@
+sun::iptables -t mangle -v -n -L PREROUTING
+sun::ipsec stop
+alice::ipsec stop
+venus::ipsec stop
+alice::/etc/init.d/iptables stop 2> /dev/null
+venus::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables -t nat -F
+moon::conntrack -F
+sun::conntrack -F
+sun::rm /etc/mark_updown
diff --git a/testing/tests/ikev2/nat-two-rw-mark/pretest.dat b/testing/tests/ikev2/nat-two-rw-mark/pretest.dat
new file mode 100644
index 000000000..105968f45
--- /dev/null
+++ b/testing/tests/ikev2/nat-two-rw-mark/pretest.dat
@@ -0,0 +1,21 @@
+alice::/etc/init.d/iptables start 2> /dev/null
+venus::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
+moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to PH_IP_MOON
+moon::iptables -t nat -A POSTROUTING -o eth0 -s PH_IP_ALICE -p udp --sport 500  -j SNAT --to PH_IP_MOON:510
+moon::iptables -t nat -A POSTROUTING -o eth0 -s PH_IP_VENUS -p udp --sport 500  -j SNAT --to PH_IP_MOON:520
+moon::iptables -t nat -A POSTROUTING -o eth0 -s PH_IP_ALICE -p udp --sport 4500 -j SNAT --to PH_IP_MOON:4510
+moon::iptables -t nat -A POSTROUTING -o eth0 -s PH_IP_VENUS -p udp --sport 4500 -j SNAT --to PH_IP_MOON:4520
+sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 10 -j SNAT --to 10.3.0.10
+sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 20 -j SNAT --to 10.3.0.20
+sun::iptables -t mangle -A PREROUTING -d 10.3.0.10 -j MARK --set-mark 10
+sun::iptables -t mangle -A PREROUTING -d 10.3.0.20 -j MARK --set-mark 20
+alice::ipsec start
+venus::ipsec start
+sun::ipsec start
+alice::sleep 2 
+alice::ipsec up nat-t
+venus::sleep 2 
+venus::ipsec up nat-t
+venus::sleep 2
diff --git a/testing/tests/ikev2/nat-two-rw-mark/test.conf b/testing/tests/ikev2/nat-two-rw-mark/test.conf
new file mode 100644
index 000000000..ae3c190b8
--- /dev/null
+++ b/testing/tests/ikev2/nat-two-rw-mark/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice venus moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-w-s-b.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon bob"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="alice venus sun"
diff --git a/testing/tests/ikev2/nat-two-rw/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/nat-two-rw/hosts/alice/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/nat-two-rw/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/nat-two-rw/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/nat-two-rw/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/nat-two-rw/hosts/sun/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/nat-two-rw/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/nat-two-rw/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/nat-two-rw/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2/nat-two-rw/hosts/venus/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/nat-two-rw/hosts/venus/etc/strongswan.conf
+++ b/testing/tests/ikev2/nat-two-rw/hosts/venus/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/nat-virtual-ip/description.txt b/testing/tests/ikev2/nat-virtual-ip/description.txt
new file mode 100644
index 000000000..31d24cda6
--- /dev/null
+++ b/testing/tests/ikev2/nat-virtual-ip/description.txt
@@ -0,0 +1,6 @@
+The router <b>moon</b> sets up a connection to gateway <b>sun</b> in order
+to reach the subnet hidden behind <b>sun</b>. The gateway <b>sun</b> assigns a
+virtual IP address to router <b>moon</b>. A special updown script on <b>moon</b>
+specified by <b>leftupdown=/etc/nat_updown</b> dynamically inserts a source NAT rule
+which maps the IP address of client <b>alice</b> to the virtual IP of <b>moon</b>.
+This allows <b>alice</b> to access client <b>bob</b> via the established IPsec tunnel.
diff --git a/testing/tests/ikev2/nat-virtual-ip/evaltest.dat b/testing/tests/ikev2/nat-virtual-ip/evaltest.dat
new file mode 100644
index 000000000..75d5ffbd3
--- /dev/null
+++ b/testing/tests/ikev2/nat-virtual-ip/evaltest.dat
@@ -0,0 +1,8 @@
+moon::ipsec statusall::net-net.*ESTABLISHED::YES
+sun::ipsec statusall::net-net.*ESTABLISHED::YES
+moon::cat /var/log/daemon.log::inserted NAT rule mapping PH_IP_ALICE to virtual IP::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
+bob::tcpdump::IP alice2.strongswan.org > bob.strongswan.org: ICMP::YES
+bob::tcpdump::IP bob.strongswan.org > alice2.strongswan.org: ICMP::YES
diff --git a/testing/tests/ikev2/nat-virtual-ip/hosts/bob/etc/hosts b/testing/tests/ikev2/nat-virtual-ip/hosts/bob/etc/hosts
new file mode 100644
index 000000000..ee854da09
--- /dev/null
+++ b/testing/tests/ikev2/nat-virtual-ip/hosts/bob/etc/hosts
@@ -0,0 +1,70 @@
+# /etc/hosts:  This file describes a number of hostname-to-address
+#              mappings for the TCP/IP subsystem.  It is mostly
+#              used at boot time, when no name servers are running.
+#              On small systems, this file can be used instead of a
+#              "named" name server.  Just add the names, addresses
+#              and any aliases to this file...
+#
+
+127.0.0.1	localhost
+
+192.168.0.254	uml0.strongswan.org	uml0
+10.1.0.254	uml1.strongswan.org	uml1
+10.2.0.254	uml1.strongswan.org	uml2
+
+10.1.0.10	alice.strongswan.org	alice
+10.1.0.20	venus.strongswan.org	venus
+10.1.0.1	moon1.strongswan.org	moon1
+192.168.0.1	moon.strongswan.org	moon
+192.168.0.50	alice1.strongswan.org	alice1
+192.168.0.100	carol.strongswan.org	carol
+10.3.0.1	carol1.strongswan.org	carol1
+192.168.0.150	winnetou.strongswan.org	winnetou crl.strongswan.org ocsp.strongswan.org ldap.strongswan.org
+192.168.0.200	dave.strongswan.org	dave
+10.3.0.2	dave1.strongswan.org	dave1
+192.168.0.2	sun.strongswan.org	sun
+10.2.0.1	sun1.strongswan.org	sun1
+10.2.0.10	bob.strongswan.org	bob
+10.4.0.1	alice2.strongswan.org	alice2
+
+# IPv6 versions of localhost and co
+::1 ip6-localhost ip6-loopback
+fe00::0 ip6-localnet
+ff00::0 ip6-mcastprefix
+ff02::1 ip6-allnodes
+ff02::2 ip6-allrouters
+ff02::3 ip6-allhosts
+
+# IPv6 solicited-node multicast addresses
+ff02::1:ff00:1	ip6-mcast-1
+ff02::1:ff00:2	ip6-mcast-2
+ff02::1:ff00:10	ip6-mcast-10
+ff02::1:ff00:15	ip6-mcast-15
+ff02::1:ff00:20	ip6-mcast-20
+
+# IPv6 site-local addresses
+fec0::5		ip6-alice1.strongswan.org   ip6-alice1
+fec1::10	ip6-alice.strongswan.org    ip6-alice
+fec1::20	ip6-venus.strongswan.org    ip6-venus
+fec1::1 	ip6-moon1.strongswan.org    ip6-moon1
+fec0::1 	ip6-moon.strongswan.org     ip6-moon
+fec0::10	ip6-carol.strongswan.org    ip6-carol
+fec3::1 	ip6-carol1.strongswan.org   ip6-carol1
+fec0::15	ip6-winnetou.strongswan.org ip6-winnetou 
+fec0::20	ip6-dave.strongswan.org     ip6-dave
+fec3::2 	ip6-dave1.strongswan.org    ip6-dave1
+fec0::2 	ip6-sun.strongswan.org      ip6-sun
+fec2::1 	ip6-sun1.strongswan.org     ip6-sun1
+fec2::10	ip6-bob.strongswan.org      ip6-bob
+
+# IPv6 link-local HW derived addresses
+fe80::fcfd:0aff:fe01:14	ip6-hw-venus.strongswan.org    ip6-hw-venus
+fe80::fcfd:0aff:fe01:0a	ip6-hw-alice.strongswan.org    ip6-hw-alice
+fe80::fcfd:0aff:fe01:01	ip6-hw-moon1.strongswan.org    ip6-hw-moon1
+fe80::fcfd:c0ff:fea8:01 ip6-hw-moon.strongswan.org     ip6-hw-moon
+fe80::fcfd:c0ff:fea8:64	ip6-hw-carol.strongswan.org    ip6-hw-carol
+fe80::fcfd:c0ff:fea8:96 ip6-hw-winnetou.strongswan.org ip6-hw-winnetou
+fe80::fcfd:c0ff:fea8:c8	ip6-hw-dave.strongswan.org     ip6-hw-dave
+fe80::fcfd:c0ff:fea8:02	ip6-hw-sun.strongswan.org      ip6-hw-sun
+fe80::fcfd:0aff:fe02:01	ip6-hw-sun1.strongswan.org     ip6-hw-sun1
+fe80::fcfd:0aff:fe02:0a ip6-hw-bob.strongswan.org      ip6-hw-bob
diff --git a/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..e43e0d785
--- /dev/null
+++ b/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	mobike=no
+
+conn net-net 
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsourceip=%config
+	leftupdown=/etc/nat_updown
+	right=PH_IP_SUN
+	rightid=@sun.strongswan.org
+	rightsubnet=10.2.0.0/16
+	auto=add
diff --git a/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/nat_updown b/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/nat_updown
new file mode 100755
index 000000000..aab1df687
--- /dev/null
+++ b/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/nat_updown
@@ -0,0 +1,152 @@
+#! /bin/sh
+# NAT updown script
+#
+# Copyright (C) 2010 Andreas Steffen <andreas.steffen@strongswan.org>
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# for more details.
+
+# things that this script gets (from ipsec_pluto(8) man page)
+#
+#      PLUTO_VERSION
+#              indicates  what  version of this interface is being
+#              used.  This document describes version  1.1.   This
+#              is upwardly compatible with version 1.0.
+#
+#       PLUTO_VERB
+#              specifies the name of the operation to be performed
+#              (prepare-host, prepare-client, up-host, up-client,
+#              down-host, or down-client).  If the address family
+#              for security gateway to security gateway communica-
+#              tions is IPv6, then a suffix of -v6 is added to the
+#              verb.
+#
+#       PLUTO_CONNECTION
+#              is the name of the  connection  for  which  we  are
+#              routing.
+#
+#       PLUTO_NEXT_HOP
+#              is the next hop to which packets bound for the peer
+#              must be sent.
+#
+#       PLUTO_INTERFACE
+#              is the name of the ipsec interface to be used.
+#
+#       PLUTO_REQID
+#              is the requid of the ESP policy
+#
+#       PLUTO_ME
+#              is the IP address of our host.
+#
+#       PLUTO_MY_ID
+#              is the ID of our host.
+#
+#       PLUTO_MY_CLIENT
+#              is the IP address / count of our client subnet.  If
+#              the  client  is  just  the  host,  this will be the
+#              host's own IP address / max (where max  is  32  for
+#              IPv4 and 128 for IPv6).
+#
+#       PLUTO_MY_CLIENT_NET
+#              is the IP address of our client net.  If the client
+#              is just the host, this will be the  host's  own  IP
+#              address.
+#
+#       PLUTO_MY_CLIENT_MASK
+#              is  the  mask for our client net.  If the client is
+#              just the host, this will be 255.255.255.255.
+#
+#       PLUTO_MY_SOURCEIP
+#              if non-empty, then the source address for the route will be
+#              set to this IP address.
+#
+#       PLUTO_MY_PROTOCOL
+#              is the IP protocol that will be transported.
+#
+#       PLUTO_MY_PORT
+#              is  the  UDP/TCP  port  to  which  the IPsec SA  is
+#              restricted on our side.
+#
+#       PLUTO_PEER
+#              is the IP address of our peer.
+#
+#       PLUTO_PEER_ID
+#              is the ID of our peer.
+#
+#       PLUTO_PEER_CA
+#              is the CA which issued the cert of our peer.
+#
+#       PLUTO_PEER_CLIENT
+#              is the IP address / count of the peer's client sub-
+#              net.   If the client is just the peer, this will be
+#              the peer's own IP address / max (where  max  is  32
+#              for IPv4 and 128 for IPv6).
+#
+#       PLUTO_PEER_CLIENT_NET
+#              is the IP address of the peer's client net.  If the
+#              client is just the peer, this will  be  the  peer's
+#              own IP address.
+#
+#       PLUTO_PEER_CLIENT_MASK
+#              is  the  mask  for  the  peer's client net.  If the
+#              client   is   just   the   peer,   this   will   be
+#              255.255.255.255.
+#
+#       PLUTO_PEER_PROTOCOL
+#              is the IP protocol that will be transported.
+#
+#       PLUTO_PEER_PORT
+#              is  the  UDP/TCP  port  to  which  the IPsec SA  is
+#              restricted on the peer side.
+#
+
+# define a minimum PATH environment in case it is not set
+PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin"
+export PATH
+
+# resolve octal escape sequences
+PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
+PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
+
+case "$PLUTO_VERB:$1" in
+up-host:)
+	# connection to me coming up
+	# If you are doing a custom version, firewall commands go here.
+	;;
+down-host:)
+	# connection to me going down
+	# If you are doing a custom version, firewall commands go here.
+	;;
+up-client:)
+	# connection to my client subnet coming up
+	# If you are doing a custom version, firewall commands go here.
+	iptables -A FORWARD -i eth1 -o $PLUTO_INTERFACE -s PH_IP_ALICE \
+	    -d $PLUTO_PEER_CLIENT -j ACCEPT
+        iptables -A FORWARD -o eth1 -i $PLUTO_INTERFACE -d PH_IP_ALICE \
+            -s $PLUTO_PEER_CLIENT -j ACCEPT
+	iptables -t nat -A POSTROUTING -o $PLUTO_INTERFACE -s PH_IP_ALICE \
+	    -d $PLUTO_PEER_CLIENT -j SNAT --to-source $PLUTO_MY_SOURCEIP
+	echo "inserted NAT rule mapping PH_IP_ALICE to virtual IP $PLUTO_MY_SOURCEIP" >&2 
+	;;
+down-client:)
+	# connection to my client subnet going down
+	# If you are doing a custom version, firewall commands go here.
+        iptables -D FORWARD -i eth1 -o $PLUTO_INTERFACE -s PH_IP_ALICE \
+            -d $PLUTO_PEER_CLIENT -j ACCEPT
+        iptables -D FORWARD -o eth1 -i $PLUTO_INTERFACE -d PH_IP_ALICE \
+            -s $PLUTO_PEER_CLIENT -j ACCEPT
+         iptables -t nat -D POSTROUTING -o $PLUTO_INTERFACE -s PH_IP_ALICE \
+            -d $PLUTO_PEER_CLIENT -j SNAT --to-source $PLUTO_MY_SOURCEIP
+        echo "deleted NAT rule mapping PH_IP_ALICE to virtual IP $PLUTO_MY_SOURCEIP" >&2    
+	;;
+*)	echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
+	exit 1
+	;;
+esac
diff --git a/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..cb3d46293
--- /dev/null
+++ b/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-raw updown
+  multiple_authentication = no
+}
diff --git a/testing/tests/ikev2/nat-virtual-ip/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/nat-virtual-ip/hosts/sun/etc/ipsec.conf
new file mode 100755
index 000000000..9cede8d56
--- /dev/null
+++ b/testing/tests/ikev2/nat-virtual-ip/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+        keyingtries=1
+	keyexchange=ikev2
+	mobike=no
+
+conn net-net 
+	left=PH_IP_SUN
+	leftcert=sunCert.pem
+	leftid=@sun.strongswan.org
+	leftsubnet=10.2.0.0/16
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsourceip=10.4.0.0/24
+	auto=add
diff --git a/testing/tests/ikev2/nat-virtual-ip/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/nat-virtual-ip/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..cb3d46293
--- /dev/null
+++ b/testing/tests/ikev2/nat-virtual-ip/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-raw updown
+  multiple_authentication = no
+}
diff --git a/testing/tests/ikev2/nat-virtual-ip/posttest.dat b/testing/tests/ikev2/nat-virtual-ip/posttest.dat
new file mode 100644
index 000000000..ee30e2c59
--- /dev/null
+++ b/testing/tests/ikev2/nat-virtual-ip/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
+moon::conntrack -F
+moon::rm /etc/nat_updown
diff --git a/testing/tests/ikev2/nat-virtual-ip/pretest.dat b/testing/tests/ikev2/nat-virtual-ip/pretest.dat
new file mode 100644
index 000000000..abbca90d7
--- /dev/null
+++ b/testing/tests/ikev2/nat-virtual-ip/pretest.dat
@@ -0,0 +1,9 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
+moon::conntrack -F
+moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+moon::ipsec start
+sun::ipsec start
+moon::sleep 1 
+moon::ipsec up net-net
+moon::sleep 1
diff --git a/testing/tests/ikev2/nat-virtual-ip/test.conf b/testing/tests/ikev2/nat-virtual-ip/test.conf
new file mode 100644
index 000000000..1971a33ab
--- /dev/null
+++ b/testing/tests/ikev2/nat-virtual-ip/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+ 
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun bob"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf
index 291f08db1..cb17a9e07 100644
--- a/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf
index 291f08db1..cb17a9e07 100644
--- a/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/net2net-psk-dscp/description.txt b/testing/tests/ikev2/net2net-psk-dscp/description.txt
new file mode 100644
index 000000000..d4aefd5ce
--- /dev/null
+++ b/testing/tests/ikev2/net2net-psk-dscp/description.txt
@@ -0,0 +1,13 @@
+In order to support <b>Differentiated Services</b> (DiffServ), two parallel IPsec
+connections between the subnets behind the gateways <b>moon</b> and <b>sun</b> are
+set up. Using <b>XFRM marks</b> one IPsec SA is designated for <b>Best Effort</b> (BE)
+traffic and the second SA for <b>Expedited Forwarding</b> (EF) traffic.
+<p/>
+The authentication is based on a <b>pre-shared key</b> (PSK). In order to guarantee that
+the CHILD_SA with the correct mark is selected on the responder side, each CHILD_SA is
+bound to an IKE_SA of its own with a distinct IKEv2 ID but sharing the same PSK.
+<p/>
+Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
+pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/ikev2/net2net-psk-dscp/evaltest.dat b/testing/tests/ikev2/net2net-psk-dscp/evaltest.dat
new file mode 100644
index 000000000..5881d9246
--- /dev/null
+++ b/testing/tests/ikev2/net2net-psk-dscp/evaltest.dat
@@ -0,0 +1,8 @@
+moon::ipsec statusall::dscp-be.*ESTABLISHED::YES
+moon::ipsec statusall::dscp-ef.*ESTABLISHED::YES
+sun::ipsec statusall::dscp-be.*ESTABLISHED::YES
+sun::ipsec statusall::dscp-ef.*ESTABLISHED::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..d78d27c1a
--- /dev/null
+++ b/testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,38 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+	charondebug="knl 2"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	mobike=no
+
+conn dscp-be
+	leftid=@sun-be
+	rightid=@moon-be
+	mark=10
+	also=net-net
+	auto=add
+
+conn dscp-ef
+	leftid=@sun-ef
+	rightid=@moon-ef
+	mark=20
+	also=net-net
+	auto=add
+
+conn net-net 
+	left=PH_IP_MOON
+	leftsubnet=10.1.0.0/16
+	leftfirewall=yes
+	leftauth=psk
+	right=PH_IP_SUN
+	rightsubnet=10.2.0.0/16
+	rightauth=psk
diff --git a/testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..9079b520b
--- /dev/null
+++ b/testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+@moon-be @moon-ef @sun-be @sun-ef : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
diff --git a/testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..5e8f49b17
--- /dev/null
+++ b/testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink socket-default updown
+  multiple_authentication = no
+}
diff --git a/testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/ipsec.conf
new file mode 100755
index 000000000..9d2ef7471
--- /dev/null
+++ b/testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,38 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+	charondebug="knl 2"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+        keyingtries=1
+	keyexchange=ikev2
+	mobike=no
+
+conn dscp-be
+	leftid=@moon-be
+	rightid=@sun-be
+	mark=10
+	also=net-net
+	auto=add
+
+conn dscp-ef
+	leftid=@moon-ef
+	rightid=@sun-ef
+	mark=20
+	also=net-net
+	auto=add
+
+conn net-net 
+	left=PH_IP_SUN
+	leftsubnet=10.2.0.0/16
+	leftfirewall=yes
+	leftauth=psk
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightauth=psk
diff --git a/testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/ipsec.secrets b/testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/ipsec.secrets
new file mode 100644
index 000000000..1d4ea790a
--- /dev/null
+++ b/testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/ipsec.secrets
@@ -0,0 +1,7 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+@sun-be @sun-ef @moon-be @moon-ef : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+
+
+
+
diff --git a/testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..5e8f49b17
--- /dev/null
+++ b/testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink socket-default updown
+  multiple_authentication = no
+}
diff --git a/testing/tests/ikev2/net2net-psk-dscp/posttest.dat b/testing/tests/ikev2/net2net-psk-dscp/posttest.dat
new file mode 100644
index 000000000..d070c1443
--- /dev/null
+++ b/testing/tests/ikev2/net2net-psk-dscp/posttest.dat
@@ -0,0 +1,8 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
+alice::iptables -t mangle -F OUTPUT
+venus::iptables -t mangle -F OUTPUT
+bob::iptables -t mangle -F OUTPUT
+
diff --git a/testing/tests/ikev2/net2net-psk-dscp/pretest.dat b/testing/tests/ikev2/net2net-psk-dscp/pretest.dat
new file mode 100644
index 000000000..058c24f8f
--- /dev/null
+++ b/testing/tests/ikev2/net2net-psk-dscp/pretest.dat
@@ -0,0 +1,17 @@
+moon::rm /etc/ipsec.d/cacerts/*
+sun::rm /etc/ipsec.d/cacerts/*
+moon::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
+alice::iptables -t mangle -A OUTPUT -p icmp -j DSCP --set-dscp-class BE
+venus::iptables -t mangle -A OUTPUT -p icmp -j DSCP --set-dscp-class EF
+moon::iptables -t mangle -A PREROUTING -m dscp --dscp-class BE -j MARK --set-mark 10
+moon::iptables -t mangle -A PREROUTING -m dscp --dscp-class EF -j MARK --set-mark 20
+bob::iptables -t mangle -A OUTPUT -d PH_IP_ALICE -p icmp -j DSCP --set-dscp-class BE
+bob::iptables -t mangle -A OUTPUT -d PH_IP_VENUS -p icmp -j DSCP --set-dscp-class EF
+sun::iptables -t mangle -A PREROUTING -m dscp --dscp-class BE -j MARK --set-mark 10
+sun::iptables -t mangle -A PREROUTING -m dscp --dscp-class EF -j MARK --set-mark 20 
+moon::ipsec start
+sun::ipsec start
+moon::sleep 1
+moon::ipsec up dscp-be
+moon::ipsec up dscp-ef
diff --git a/testing/tests/ikev2/net2net-psk-dscp/test.conf b/testing/tests/ikev2/net2net-psk-dscp/test.conf
new file mode 100644
index 000000000..13a8a2a48
--- /dev/null
+++ b/testing/tests/ikev2/net2net-psk-dscp/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice venus moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-w-s-b.png"
+ 
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/strongswan.conf
index 291f08db1..025e1c222 100644
--- a/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation addrblock hmac xcbc stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/strongswan.conf
index 291f08db1..025e1c222 100644
--- a/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation addrblock hmac xcbc stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/net2net-route/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-route/hosts/moon/etc/strongswan.conf
index 291f08db1..cb17a9e07 100644
--- a/testing/tests/ikev2/net2net-route/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-route/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/net2net-route/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-route/hosts/sun/etc/strongswan.conf
index 291f08db1..cb17a9e07 100644
--- a/testing/tests/ikev2/net2net-route/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-route/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/net2net-same-nets/description.txt b/testing/tests/ikev2/net2net-same-nets/description.txt
new file mode 100644
index 000000000..d0eb3374f
--- /dev/null
+++ b/testing/tests/ikev2/net2net-same-nets/description.txt
@@ -0,0 +1,15 @@
+A connection between two identical <b>10.0.0.0/14</b> networks behind the gateways <b>moon</b>
+and <b>sun</b> is set up. In order to make network routing work, the subnet behind <b>moon</b>
+sees the subnet behind <b>sun</b> as <b>10.4.0.0/14</b> whereas the subnet behind <b>sun</b>
+sees the subnet behind <b>moon</b> as <b>10.8.0.0/14</b>. The necessary network mappings are
+done on gateway <b>sun</b> using the iptables <b>MARK</b> and <b>NETMAP</b> targets.
+<p/>
+Upon the successful establishment of the IPsec tunnel, on gateway <b>moon</b> the directive
+<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass
+the tunneled traffic whereas on gateway <b>sun</b> the script indicated by
+<b>leftupdown=/etc/mark_updown</b> inserts iptables rules that set marks defined in the
+connection definition of <b>ipsec.conf</b> both on the inbound and outbound traffic, create
+the necessary NETMAP operations and forward the tunneled traffic.
+<p/>
+In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
+pings client <b>bob</b> located behind gateway <b>sun</b> and vice versa.
diff --git a/testing/tests/ikev2/net2net-same-nets/evaltest.dat b/testing/tests/ikev2/net2net-same-nets/evaltest.dat
new file mode 100644
index 000000000..bf99bb278
--- /dev/null
+++ b/testing/tests/ikev2/net2net-same-nets/evaltest.dat
@@ -0,0 +1,10 @@
+moon::ipsec statusall::net-net.*ESTABLISHED::YES
+sun::ipsec statusall::net-net.*ESTABLISHED::YES
+alice::ping -c 1 10.6.0.10::64 bytes from 10.6.0.10: icmp_seq=1::YES
+bob::ping -c 1 10.9.0.10::64 bytes from 10.9.0.10: icmp_seq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
+bob::tcpdump::IP 10.9.0.10 > bob.strongswan.org: ICMP echo request::YES
+bob::tcpdump::IP bob.strongswan.org > 10.9.0.10: ICMP echo reply::YES
+bob::tcpdump::IP bob.strongswan.org > 10.9.0.10: ICMP echo request::YES
+bob::tcpdump::IP 10.9.0.10 > bob.strongswan.org: ICMP echo reply::YES 
diff --git a/testing/tests/ikev2/net2net-same-nets/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-same-nets/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..8f43a4f6e
--- /dev/null
+++ b/testing/tests/ikev2/net2net-same-nets/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	mobike=no
+
+conn net-net 
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.0.0.0/14
+	leftfirewall=yes
+	right=PH_IP_SUN
+	rightid=@sun.strongswan.org
+	rightsubnet=10.4.0.0/14
+	auto=add
diff --git a/testing/tests/ikev2/net2net-same-nets/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-same-nets/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..cb17a9e07
--- /dev/null
+++ b/testing/tests/ikev2/net2net-same-nets/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  multiple_authentication = no
+}
diff --git a/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/ipsec.conf
new file mode 100755
index 000000000..33e1e6656
--- /dev/null
+++ b/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,27 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+        keyingtries=1
+	keyexchange=ikev2
+	mobike=no
+
+conn net-net 
+	left=PH_IP_SUN
+	leftcert=sunCert.pem
+	leftid=@sun.strongswan.org
+	leftsubnet=10.4.0.0/14
+	leftupdown=/etc/mark_updown
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.0.0.0/14
+	mark_in=8
+	mark_out=4
+	auto=add
diff --git a/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/mark_updown b/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/mark_updown
new file mode 100755
index 000000000..d7b68956c
--- /dev/null
+++ b/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/mark_updown
@@ -0,0 +1,224 @@
+#! /bin/sh
+# updown script setting inbound marks on ESP traffic in the mangle chain
+#
+# Copyright (C) 2003-2004 Nigel Meteringham
+# Copyright (C) 2003-2004 Tuomo Soini
+# Copyright (C) 2002-2004 Michael Richardson
+# Copyright (C) 2005-2010 Andreas Steffen <andreas.steffen@strongswan.org>
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# for more details.
+
+# CAUTION:  Installing a new version of strongSwan will install a new
+# copy of this script, wiping out any custom changes you make.  If
+# you need changes, make a copy of this under another name, and customize
+# that, and use the (left/right)updown parameters in ipsec.conf to make
+# strongSwan use yours instead of this default one.
+
+# things that this script gets (from ipsec_pluto(8) man page)
+#
+#      PLUTO_VERSION
+#              indicates  what  version of this interface is being
+#              used.  This document describes version  1.1.   This
+#              is upwardly compatible with version 1.0.
+#
+#       PLUTO_VERB
+#              specifies the name of the operation to be performed
+#              (prepare-host, prepare-client, up-host, up-client,
+#              down-host, or down-client).  If the address family
+#              for security gateway to security gateway communica-
+#              tions is IPv6, then a suffix of -v6 is added to the
+#              verb.
+#
+#       PLUTO_CONNECTION
+#              is the name of the  connection  for  which  we  are
+#              routing.
+#
+#       PLUTO_NEXT_HOP
+#              is the next hop to which packets bound for the peer
+#              must be sent.
+#
+#       PLUTO_INTERFACE
+#              is the name of the ipsec interface to be used.
+#
+#       PLUTO_REQID
+#              is the requid of the ESP policy
+#
+#       PLUTO_ME
+#              is the IP address of our host.
+#
+#       PLUTO_MY_ID
+#              is the ID of our host.
+#
+#       PLUTO_MY_CLIENT
+#              is the IP address / count of our client subnet.  If
+#              the  client  is  just  the  host,  this will be the
+#              host's own IP address / max (where max  is  32  for
+#              IPv4 and 128 for IPv6).
+#
+#       PLUTO_MY_CLIENT_NET
+#              is the IP address of our client net.  If the client
+#              is just the host, this will be the  host's  own  IP
+#              address.
+#
+#       PLUTO_MY_CLIENT_MASK
+#              is  the  mask for our client net.  If the client is
+#              just the host, this will be 255.255.255.255.
+#
+#       PLUTO_MY_SOURCEIP
+#              if non-empty, then the source address for the route will be
+#              set to this IP address.
+#
+#       PLUTO_MY_PROTOCOL
+#              is the IP protocol that will be transported.
+#
+#       PLUTO_MY_PORT
+#              is  the  UDP/TCP  port  to  which  the IPsec SA  is
+#              restricted on our side.
+#
+#       PLUTO_PEER
+#              is the IP address of our peer.
+#
+#       PLUTO_PEER_ID
+#              is the ID of our peer.
+#
+#       PLUTO_PEER_CA
+#              is the CA which issued the cert of our peer.
+#
+#       PLUTO_PEER_CLIENT
+#              is the IP address / count of the peer's client sub-
+#              net.   If the client is just the peer, this will be
+#              the peer's own IP address / max (where  max  is  32
+#              for IPv4 and 128 for IPv6).
+#
+#       PLUTO_PEER_CLIENT_NET
+#              is the IP address of the peer's client net.  If the
+#              client is just the peer, this will  be  the  peer's
+#              own IP address.
+#
+#       PLUTO_PEER_CLIENT_MASK
+#              is  the  mask  for  the  peer's client net.  If the
+#              client   is   just   the   peer,   this   will   be
+#              255.255.255.255.
+#
+#       PLUTO_PEER_PROTOCOL
+#              is the IP protocol that will be transported.
+#
+#       PLUTO_PEER_PORT
+#              is  the  UDP/TCP  port  to  which  the IPsec SA  is
+#              restricted on the peer side.
+#
+#       PLUTO_XAUTH_ID
+#              is an optional user ID employed by the XAUTH protocol
+#
+#       PLUTO_MARK_IN
+#              is an optional XFRM mark set on the inbound IPsec SA
+#
+#       PLUTO_MARK_OUT
+#              is an optional XFRM mark set on the outbound IPsec SA
+#
+#       PLUTO_ESP_ENC
+#              contains the remote UDP port in the case of ESP_IN_UDP
+#              encapsulation
+#
+
+# define a minimum PATH environment in case it is not set
+PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
+export PATH
+
+# check parameter(s)
+case "$1:$*" in
+':')			# no parameters
+	;;
+iptables:iptables)	# due to (left/right)firewall; for default script only
+	;;
+custom:*)		# custom parameters (see above CAUTION comment)
+	;;
+*)	echo "$0: unknown parameters \`$*'" >&2
+	exit 2
+	;;
+esac
+
+# define NETMAP
+SAME_NET=$PLUTO_PEER_CLIENT
+IN_NET=$PLUTO_MY_CLIENT
+OUT_NET="10.8.0.0/14"
+
+# define internal interface
+INT_INTERFACE="eth1"
+
+# is there an inbound mark to be set?
+if [ -n "$PLUTO_MARK_IN" ]
+then
+	if [ -n "$PLUTO_UDP_ENC" ]
+	then
+	    SET_MARK_IN="-p udp --sport $PLUTO_UDP_ENC"
+	else
+		SET_MARK_IN="-p esp"
+	fi
+	SET_MARK_IN="$SET_MARK_IN -s $PLUTO_PEER -j MARK --set-mark $PLUTO_MARK_IN"
+fi
+
+# is there an outbound mark to be set?
+if [ -n "$PLUTO_MARK_OUT" ]
+then
+	SET_MARK_OUT="-i $INT_INTERFACE -s $SAME_NET -d $OUT_NET -j MARK --set-mark $PLUTO_MARK_OUT"
+fi
+
+# resolve octal escape sequences
+PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
+PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
+
+# the big choice
+case "$PLUTO_VERB:$1" in
+up-client:)
+	# connection to my client subnet coming up
+	# If you are doing a custom version, firewall commands go here.
+	if [ -n "$PLUTO_MARK_IN" ]
+	then
+	    iptables -t mangle -A PREROUTING $SET_MARK_IN
+	    iptables -t nat -A PREROUTING -i $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_IN \
+		     -d $IN_NET -j NETMAP --to $SAME_NET 
+	    iptables -I FORWARD 1 -i $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_IN -j ACCEPT
+	    iptables -t nat -A POSTROUTING -o $INT_INTERFACE -m mark --mark $PLUTO_MARK_IN \
+	             -s $SAME_NET -j NETMAP --to $OUT_NET 
+	fi
+	if [ -n "$PLUTO_MARK_OUT" ]
+	then
+	    iptables -t mangle -A PREROUTING $SET_MARK_OUT 
+	    iptables -t nat -A PREROUTING -i $INT_INTERFACE -m mark --mark $PLUTO_MARK_OUT \
+	             -d $OUT_NET -j NETMAP --to $SAME_NET
+	    iptables -I FORWARD 1 -o $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_OUT -j ACCEPT
+            iptables -t nat -A POSTROUTING -o $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_OUT \
+                     -s $SAME_NET -j NETMAP --to $IN_NET
+	fi
+	;;
+down-client:)
+	# connection to my client subnet going down
+	# If you are doing a custom version, firewall commands go here.
+	if [ -n "$PLUTO_MARK_IN" ]
+	then
+	    iptables -t mangle -D PREROUTING $SET_MARK_IN
+	    iptables -t nat -D PREROUTING -i $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_IN \
+	             -d $IN_NET -j NETMAP --to $SAME_NET 
+	    iptables -D FORWARD -i $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_IN -j ACCEPT
+	    iptables -t nat -D POSTROUTING -o eth1 -m mark --mark $PLUTO_MARK_IN \
+	             -s $SAME_NET -j NETMAP --to $OUT_NET 
+	fi
+	if [ -n "$PLUTO_MARK_OUT" ]
+	then
+	    iptables -t mangle -D PREROUTING $SET_MARK_OUT
+	    iptables -D FORWARD -o $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_OUT -j ACCEPT
+	fi
+	;;
+*)	echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
+	exit 1
+	;;
+esac
diff --git a/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..cb17a9e07
--- /dev/null
+++ b/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  multiple_authentication = no
+}
diff --git a/testing/tests/ikev2/net2net-same-nets/posttest.dat b/testing/tests/ikev2/net2net-same-nets/posttest.dat
new file mode 100644
index 000000000..e75e66650
--- /dev/null
+++ b/testing/tests/ikev2/net2net-same-nets/posttest.dat
@@ -0,0 +1,7 @@
+sun::iptables -t mangle -n -v -L PREROUTING
+sun::iptables -t nat -n -v -L
+moon::ipsec stop
+sun::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
+sun::conntrack -F
diff --git a/testing/tests/ikev2/net2net-same-nets/pretest.dat b/testing/tests/ikev2/net2net-same-nets/pretest.dat
new file mode 100644
index 000000000..2d7a78acb
--- /dev/null
+++ b/testing/tests/ikev2/net2net-same-nets/pretest.dat
@@ -0,0 +1,6 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+sun::ipsec start
+moon::sleep 1 
+moon::ipsec up net-net
diff --git a/testing/tests/ikev2/net2net-same-nets/test.conf b/testing/tests/ikev2/net2net-same-nets/test.conf
new file mode 100644
index 000000000..1971a33ab
--- /dev/null
+++ b/testing/tests/ikev2/net2net-same-nets/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+ 
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun bob"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/net2net-start/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-start/hosts/moon/etc/strongswan.conf
index 291f08db1..cb17a9e07 100644
--- a/testing/tests/ikev2/net2net-start/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-start/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/net2net-start/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-start/hosts/sun/etc/strongswan.conf
index 291f08db1..cb17a9e07 100644
--- a/testing/tests/ikev2/net2net-start/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-start/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/strongswan.conf
index dd2df0670..88f162098 100644
--- a/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/strongswan.conf
index dd2df0670..88f162098 100644
--- a/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/strongswan.conf
index dd2df0670..88f162098 100644
--- a/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/strongswan.conf
index dd2df0670..88f162098 100644
--- a/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/strongswan.conf
index dd2df0670..88f162098 100644
--- a/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/strongswan.conf
index dd2df0670..88f162098 100644
--- a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/strongswan.conf
index dd2df0670..88f162098 100644
--- a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/strongswan.conf
index dd2df0670..88f162098 100644
--- a/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/strongswan.conf
index dd2df0670..88f162098 100644
--- a/testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-root-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-root-cert/hosts/carol/etc/strongswan.conf
index dd2df0670..88f162098 100644
--- a/testing/tests/ikev2/ocsp-root-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-root-cert/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-root-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-root-cert/hosts/moon/etc/strongswan.conf
index dd2df0670..88f162098 100644
--- a/testing/tests/ikev2/ocsp-root-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-root-cert/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/strongswan.conf
index dd2df0670..88f162098 100644
--- a/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-signer-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-signer-cert/hosts/moon/etc/strongswan.conf
index dd2df0670..88f162098 100644
--- a/testing/tests/ikev2/ocsp-signer-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-signer-cert/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/strongswan.conf
index dd2df0670..88f162098 100644
--- a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/strongswan.conf
index dd2df0670..88f162098 100644
--- a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/strongswan.conf
index dd2df0670..88f162098 100644
--- a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/strongswan.conf
index dd2df0670..88f162098 100644
--- a/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/strongswan.conf
index dd2df0670..88f162098 100644
--- a/testing/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/strongswan.conf
index dd2df0670..88f162098 100644
--- a/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/strongswan.conf
index dd2df0670..88f162098 100644
--- a/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/strongswan.conf
index dd2df0670..88f162098 100644
--- a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/strongswan.conf
index dd2df0670..88f162098 100644
--- a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/protoport-dual/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/protoport-dual/hosts/carol/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/protoport-dual/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/protoport-dual/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/protoport-dual/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/protoport-dual/hosts/moon/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/protoport-dual/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/protoport-dual/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/protoport-route/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/protoport-route/hosts/carol/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/protoport-route/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/protoport-route/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/protoport-route/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/protoport-route/hosts/moon/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/protoport-route/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/protoport-route/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/reauth-early/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/reauth-early/hosts/carol/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/reauth-early/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/reauth-early/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/reauth-early/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/reauth-early/hosts/moon/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/reauth-early/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/reauth-early/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/reauth-late/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/reauth-late/hosts/carol/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/reauth-late/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/reauth-late/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/reauth-late/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/reauth-late/hosts/moon/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/reauth-late/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/reauth-late/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf
index ee0e454da..6d762c970 100644
--- a/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf
index ee0e454da..6d762c970 100644
--- a/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf
index ee0e454da..6d762c970 100644
--- a/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/carol/etc/strongswan.conf
index df11f5ea3..ccf446f79 100644
--- a/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-aka eap-aka-3gpp2 eap-identity updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-aka eap-aka-3gpp2 eap-identity updown
 }
diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/moon/etc/strongswan.conf
index df11f5ea3..ccf446f79 100644
--- a/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-aka eap-aka-3gpp2 eap-identity updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-aka eap-aka-3gpp2 eap-identity updown
 }
diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf
index eef03e3b4..5821bc12d 100644
--- a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-aka eap-aka-3gpp2 updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-aka eap-aka-3gpp2 updown
 }
diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf
index eef03e3b4..5821bc12d 100644
--- a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-aka eap-aka-3gpp2 updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-aka eap-aka-3gpp2 updown
 }
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/strongswan.conf
index 6609a2115..fe067d344 100644
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 eap-identity updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 eap-identity updown
 }
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/strongswan.conf
index f0e7da85e..2a18af887 100644
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius eap-identity updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius eap-identity updown
   plugins {
     eap-radius {
       secret = gv6URkSs
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/strongswan.conf
index 6fcf5999e..57bd6cceb 100644
--- a/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 updown
 }
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/strongswan.conf
index a7f7b99ec..f21745bcd 100644
--- a/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius updown
   plugins {
     eap-radius {
       secret = gv6URkSs 
diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf
index 6fcf5999e..57bd6cceb 100644
--- a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 updown
 }
diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf
index 6fcf5999e..57bd6cceb 100644
--- a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 updown
 }
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/carol/etc/strongswan.conf
index 8d2f57828..fd717317c 100644
--- a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md4 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-mschapv2 eap-identity updown
+  load = curl aes des sha1 sha2 md4 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-mschapv2 eap-identity updown
 }
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/moon/etc/strongswan.conf
index 8d2f57828..fd717317c 100644
--- a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md4 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-mschapv2 eap-identity updown
+  load = curl aes des sha1 sha2 md4 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-mschapv2 eap-identity updown
 }
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/strongswan.conf
index 2435403a4..7b4ab49e4 100644
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file eap-identity updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file eap-identity updown
 }
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/strongswan.conf
index f0e7da85e..2a18af887 100644
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius eap-identity updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius eap-identity updown
   plugins {
     eap-radius {
       secret = gv6URkSs
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/carol/etc/strongswan.conf
index e4ef757fb..9f82ffa2f 100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/carol/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
   send_vendor_id = yes
 }
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/dave/etc/strongswan.conf
index e4ef757fb..9f82ffa2f 100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/dave/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
   send_vendor_id = yes
 }
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/strongswan.conf
index d77218b77..8250ae1ab 100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius updown
   send_vendor_id = yes
   plugins {
     eap-radius {
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-radius/hosts/carol/etc/strongswan.conf
index 6e1818c9e..e468cd4f9 100644
--- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
 }
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/strongswan.conf
index 6e1818c9e..e468cd4f9 100644
--- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
 }
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/strongswan.conf
index a7f7b99ec..f21745bcd 100644
--- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius updown
   plugins {
     eap-radius {
       secret = gv6URkSs 
diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf
index 6e1818c9e..e468cd4f9 100644
--- a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
 }
diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf
index 6e1818c9e..e468cd4f9 100644
--- a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
 }
diff --git a/testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/strongswan.conf
index b71db18dd..d9349846c 100644
--- a/testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/strongswan.conf
index b71db18dd..d9349846c 100644
--- a/testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/strongswan.conf
index b71db18dd..d9349846c 100644
--- a/testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-mark-in-out/description.txt b/testing/tests/ikev2/rw-mark-in-out/description.txt
new file mode 100644
index 000000000..4c35081b1
--- /dev/null
+++ b/testing/tests/ikev2/rw-mark-in-out/description.txt
@@ -0,0 +1,16 @@
+The roadwarriors <b>alice</b> and <b>venus</b> sitting behind the router <b>moon</b> set up
+tunnels to gateway <b>sun</b>. Since both roadwarriors possess the same 10.1.0.0/25 subnet,
+gateway <b>sun</b> uses Source NAT after ESP decryption to map these subnets to 10.3.0.10
+and 10.3.0.20, respectively.
+<p/>
+In order to differentiate between the tunnels to <b>alice</b> and <b>venus</b>, respectively,
+<b>XFRM marks</b> are defined for both the inbound and outbound IPsec SAs and policies using
+the <b>mark_in</b> and <b>mark_out</b> parameters in ipsec.conf.
+<p/>
+<b>iptables -t mangle</b> rules are then used in the PREROUTING chain to mark the traffic to
+and from <b>alice</b> and <b>venus</b>, respectively.
+<p/>
+The script designated by <b>leftupdown=/etc/mark_updown</b> automatically inserts
+iptables mangle rules that mark the inbound ESP packets as well as iptables IPsec-policy rules
+that let pass the tunneled traffic. In order to test the tunnel, the hosts <b>alice</b>
+and <b>venus</b> ping the client <b>bob</b> behind the gateway <b>sun</b>.
diff --git a/testing/tests/ikev2/rw-mark-in-out/evaltest.dat b/testing/tests/ikev2/rw-mark-in-out/evaltest.dat
new file mode 100644
index 000000000..c248a508a
--- /dev/null
+++ b/testing/tests/ikev2/rw-mark-in-out/evaltest.dat
@@ -0,0 +1,16 @@
+alice::ipsec statusall::home.*INSTALLED::YES
+venus::ipsec statusall::home.*INSTALLED::YES
+sun::ipsec statusall::alice.*ESTABLISHED.*alice@strongswan.org::YES
+sun::ipsec statusall::venus.*ESTABLISHED.*venus.strongswan.org::YES
+sun::ipsec statusall::alice.*10.2.0.0/16 === 10.1.0.0/25::YES
+sun::ipsec statusall::venus.*10.2.0.0/16 === 10.1.0.0/25::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+moon::tcpdump::IP alice.strongswan.org > sun.strongswan.org: ESP::YES
+moon::tcpdump::IP venus.strongswan.org > sun.strongswan.org: ESP::YES
+moon::tcpdump::IP sun.strongswan.org > alice.strongswan.org: ESP::YES
+moon::tcpdump::IP sun.strongswan.org > venus.strongswan.org: ESP::YES
+bob::tcpdump::10.3.0.10 > bob.strongswan.org: ICMP echo request::YES
+bob::tcpdump::10.3.0.20 > bob.strongswan.org: ICMP echo request::YES
+bob::tcpdump::bob.strongswan.org > 10.3.0.10: ICMP echo reply::YES
+bob::tcpdump::bob.strongswan.org > 10.3.0.20: ICMP echo reply::YES
diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/alice/etc/init.d/iptables b/testing/tests/ikev2/rw-mark-in-out/hosts/alice/etc/init.d/iptables
new file mode 100755
index 000000000..5594bbf52
--- /dev/null
+++ b/testing/tests/ikev2/rw-mark-in-out/hosts/alice/etc/init.d/iptables
@@ -0,0 +1,77 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+	before net
+	need logger
+}
+
+start() {
+	ebegin "Starting firewall"
+
+	# default policy is DROP
+	/sbin/iptables -P INPUT DROP
+	/sbin/iptables -P OUTPUT DROP
+	/sbin/iptables -P FORWARD DROP
+
+        # allow ESP 
+        iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
+        iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+	# allow IKE
+	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+			
+	# allow MOBIKE 
+	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+	# allow crl fetch from winnetou
+	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+	# allow ssh
+	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
+	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+	
+			if [ $a == nat ]; then
+				/sbin/iptables -t nat -P PREROUTING ACCEPT
+				/sbin/iptables -t nat -P POSTROUTING ACCEPT
+				/sbin/iptables -t nat -P OUTPUT ACCEPT
+			elif [ $a == mangle ]; then
+				/sbin/iptables -t mangle -P PREROUTING ACCEPT
+				/sbin/iptables -t mangle -P INPUT ACCEPT
+				/sbin/iptables -t mangle -P FORWARD ACCEPT
+				/sbin/iptables -t mangle -P OUTPUT ACCEPT
+				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
+			elif [ $a == filter ]; then
+				/sbin/iptables -t filter -P INPUT ACCEPT
+				/sbin/iptables -t filter -P FORWARD ACCEPT
+				/sbin/iptables -t filter -P OUTPUT ACCEPT
+			fi
+		done
+	eend $?
+}
+
+reload() {
+	ebegin "Flushing firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+		done;
+        eend $?
+	start
+}
+
diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/rw-mark-in-out/hosts/alice/etc/ipsec.conf
new file mode 100755
index 000000000..dd0240b07
--- /dev/null
+++ b/testing/tests/ikev2/rw-mark-in-out/hosts/alice/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+		
+conn home 
+	left=%defaultroute
+	leftsubnet=10.1.0.0/25
+	leftcert=aliceCert.pem
+	leftid=alice@strongswan.org
+	leftfirewall=yes
+	lefthostaccess=yes
+	right=PH_IP_SUN
+	rightid=@sun.strongswan.org
+	rightsubnet=10.2.0.0/16
+	auto=add
diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/rw-mark-in-out/hosts/alice/etc/strongswan.conf
new file mode 100644
index 000000000..339b56987
--- /dev/null
+++ b/testing/tests/ikev2/rw-mark-in-out/hosts/alice/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/ipsec.conf
new file mode 100755
index 000000000..5fa211c2a
--- /dev/null
+++ b/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,37 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+	charondebug="knl 2"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn alice 
+	rightid=alice@strongswan.org
+	mark_in=10/0xffffffff
+	mark_out=11/0xffffffff
+	also=sun
+	auto=add
+
+conn venus
+	rightid=@venus.strongswan.org
+	mark_in=20  #0xffffffff is used by default
+	mark_out=21 #0xffffffff is used by default
+	also=sun
+	auto=add
+
+conn sun
+	left=PH_IP_SUN
+	leftcert=sunCert.pem
+	leftid=@sun.strongswan.org
+	leftsubnet=10.2.0.0/16
+	leftupdown=/etc/mark_updown
+	right=%any
+	rightsubnet=0.0.0.0/0
diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/mark_updown b/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/mark_updown
new file mode 100755
index 000000000..442233f32
--- /dev/null
+++ b/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/mark_updown
@@ -0,0 +1,527 @@
+#! /bin/sh
+# updown script setting inbound marks on ESP traffic in the mangle chain
+#
+# Copyright (C) 2003-2004 Nigel Meteringham
+# Copyright (C) 2003-2004 Tuomo Soini
+# Copyright (C) 2002-2004 Michael Richardson
+# Copyright (C) 2005-2010 Andreas Steffen <andreas.steffen@strongswan.org>
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# for more details.
+
+# CAUTION:  Installing a new version of strongSwan will install a new
+# copy of this script, wiping out any custom changes you make.  If
+# you need changes, make a copy of this under another name, and customize
+# that, and use the (left/right)updown parameters in ipsec.conf to make
+# strongSwan use yours instead of this default one.
+
+# things that this script gets (from ipsec_pluto(8) man page)
+#
+#      PLUTO_VERSION
+#              indicates  what  version of this interface is being
+#              used.  This document describes version  1.1.   This
+#              is upwardly compatible with version 1.0.
+#
+#       PLUTO_VERB
+#              specifies the name of the operation to be performed
+#              (prepare-host, prepare-client, up-host, up-client,
+#              down-host, or down-client).  If the address family
+#              for security gateway to security gateway communica-
+#              tions is IPv6, then a suffix of -v6 is added to the
+#              verb.
+#
+#       PLUTO_CONNECTION
+#              is the name of the  connection  for  which  we  are
+#              routing.
+#
+#       PLUTO_NEXT_HOP
+#              is the next hop to which packets bound for the peer
+#              must be sent.
+#
+#       PLUTO_INTERFACE
+#              is the name of the ipsec interface to be used.
+#
+#       PLUTO_REQID
+#              is the requid of the ESP policy
+#
+#       PLUTO_ME
+#              is the IP address of our host.
+#
+#       PLUTO_MY_ID
+#              is the ID of our host.
+#
+#       PLUTO_MY_CLIENT
+#              is the IP address / count of our client subnet.  If
+#              the  client  is  just  the  host,  this will be the
+#              host's own IP address / max (where max  is  32  for
+#              IPv4 and 128 for IPv6).
+#
+#       PLUTO_MY_CLIENT_NET
+#              is the IP address of our client net.  If the client
+#              is just the host, this will be the  host's  own  IP
+#              address.
+#
+#       PLUTO_MY_CLIENT_MASK
+#              is  the  mask for our client net.  If the client is
+#              just the host, this will be 255.255.255.255.
+#
+#       PLUTO_MY_SOURCEIP
+#              if non-empty, then the source address for the route will be
+#              set to this IP address.
+#
+#       PLUTO_MY_PROTOCOL
+#              is the IP protocol that will be transported.
+#
+#       PLUTO_MY_PORT
+#              is  the  UDP/TCP  port  to  which  the IPsec SA  is
+#              restricted on our side.
+#
+#       PLUTO_PEER
+#              is the IP address of our peer.
+#
+#       PLUTO_PEER_ID
+#              is the ID of our peer.
+#
+#       PLUTO_PEER_CA
+#              is the CA which issued the cert of our peer.
+#
+#       PLUTO_PEER_CLIENT
+#              is the IP address / count of the peer's client sub-
+#              net.   If the client is just the peer, this will be
+#              the peer's own IP address / max (where  max  is  32
+#              for IPv4 and 128 for IPv6).
+#
+#       PLUTO_PEER_CLIENT_NET
+#              is the IP address of the peer's client net.  If the
+#              client is just the peer, this will  be  the  peer's
+#              own IP address.
+#
+#       PLUTO_PEER_CLIENT_MASK
+#              is  the  mask  for  the  peer's client net.  If the
+#              client   is   just   the   peer,   this   will   be
+#              255.255.255.255.
+#
+#       PLUTO_PEER_PROTOCOL
+#              is the IP protocol that will be transported.
+#
+#       PLUTO_PEER_PORT
+#              is  the  UDP/TCP  port  to  which  the IPsec SA  is
+#              restricted on the peer side.
+#
+#       PLUTO_XAUTH_ID
+#              is an optional user ID employed by the XAUTH protocol
+#
+#       PLUTO_MARK_IN
+#              is an optional XFRM mark set on the inbound IPsec SA
+#
+#       PLUTO_MARK_OUT
+#              is an optional XFRM mark set on the outbound IPsec SA
+#
+#       PLUTO_ESP_ENC
+#              contains the remote UDP port in the case of ESP_IN_UDP
+#              encapsulation
+#
+
+# define a minimum PATH environment in case it is not set
+PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
+export PATH
+
+# uncomment to log VPN connections
+VPN_LOGGING=1
+#
+# tag put in front of each log entry:
+TAG=vpn
+#
+# syslog facility and priority used:
+FAC_PRIO=local0.notice
+#
+# to create a special vpn logging file, put the following line into
+# the syslog configuration file /etc/syslog.conf:
+#
+# local0.notice                   -/var/log/vpn
+
+# in order to use source IP routing the Linux kernel options
+# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES
+# must be enabled
+#
+# special routing table for sourceip routes
+SOURCEIP_ROUTING_TABLE=220
+#
+# priority of the sourceip routing table
+SOURCEIP_ROUTING_TABLE_PRIO=220
+
+# check interface version
+case "$PLUTO_VERSION" in
+1.[0|1])	# Older Pluto?!?  Play it safe, script may be using new features.
+	echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
+	echo "$0: 	called by obsolete Pluto?" >&2
+	exit 2
+	;;
+1.*)	;;
+*)	echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
+	exit 2
+	;;
+esac
+
+# check parameter(s)
+case "$1:$*" in
+':')			# no parameters
+	;;
+iptables:iptables)	# due to (left/right)firewall; for default script only
+	;;
+custom:*)		# custom parameters (see above CAUTION comment)
+	;;
+*)	echo "$0: unknown parameters \`$*'" >&2
+	exit 2
+	;;
+esac
+
+# utility functions for route manipulation
+# Meddling with this stuff should not be necessary and requires great care.
+uproute() {
+	doroute add
+	ip route flush cache
+}
+downroute() {
+	doroute delete
+	ip route flush cache
+}
+
+addsource() {
+	st=0
+	if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
+	then
+	    it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
+	    oops="`eval $it 2>&1`"
+	    st=$?
+	    if test " $oops" = " " -a " $st" != " 0"
+	    then
+		oops="silent error, exit status $st"
+	    fi
+	    if test " $oops" != " " -o " $st" != " 0"
+	    then
+		echo "$0: addsource \`$it' failed ($oops)" >&2
+	    fi
+	fi
+	return $st
+}
+
+doroute() {
+	st=0
+
+	if [ -z "$PLUTO_MY_SOURCEIP" ]
+	then
+	    for dir in /etc/sysconfig /etc/conf.d; do
+		if [ -f "$dir/defaultsource" ]
+		then
+		    . "$dir/defaultsource"
+		fi
+	    done
+
+	    if [ -n "$DEFAULTSOURCE" ]
+	    then
+		PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
+	    fi
+        fi
+
+	if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
+	then
+	    # leave because no route entry is required
+	    return $st
+	fi
+
+	parms1="$PLUTO_PEER_CLIENT"
+
+	if [ -n "$PLUTO_NEXT_HOP" ]
+	then
+	    parms2="via $PLUTO_NEXT_HOP"
+	else
+	    parms2="via $PLUTO_PEER"
+	fi
+	parms2="$parms2 dev $PLUTO_INTERFACE"
+
+	parms3=
+	if [ -n "$PLUTO_MY_SOURCEIP" ]
+	then
+	    if test "$1" = "add"
+	    then
+		addsource
+		if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE"
+		then
+		    ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE
+		fi
+	    fi
+	    parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE"
+	fi
+
+	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+	"0.0.0.0/0.0.0.0")
+		# opportunistic encryption work around
+		# need to provide route that eclipses default, without
+		# replacing it.
+		it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
+			ip route $1 128.0.0.0/1 $parms2 $parms3"
+		;;
+	*)	it="ip route $1 $parms1 $parms2 $parms3"
+		;;
+	esac
+	oops="`eval $it 2>&1`"
+	st=$?
+	if test " $oops" = " " -a " $st" != " 0"
+	then
+	    oops="silent error, exit status $st"
+	fi
+	if test " $oops" != " " -o " $st" != " 0"
+	then
+	    echo "$0: doroute \`$it' failed ($oops)" >&2
+	fi
+	return $st
+}
+
+# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
+if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
+then
+	KLIPS=1
+	IPSEC_POLICY_IN=""
+	IPSEC_POLICY_OUT=""
+else
+	KLIPS=
+	IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
+	IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
+	IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
+fi
+
+# is there an inbound mark to be set?
+if [ -n "$PLUTO_MARK_IN" ]
+then
+	if [ -n "$PLUTO_UDP_ENC" ]
+	then
+	    SET_MARK="-p udp --sport $PLUTO_UDP_ENC"
+	else
+		SET_MARK="-p esp"
+	fi
+	SET_MARK="$SET_MARK -s $PLUTO_PEER -j MARK --set-mark $PLUTO_MARK_IN"
+fi
+
+# are there port numbers?
+if [ "$PLUTO_MY_PORT" != 0 ]
+then
+	S_MY_PORT="--sport $PLUTO_MY_PORT"
+	D_MY_PORT="--dport $PLUTO_MY_PORT"
+fi
+if [ "$PLUTO_PEER_PORT" != 0 ]
+then
+	S_PEER_PORT="--sport $PLUTO_PEER_PORT"
+	D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+fi
+
+# resolve octal escape sequences
+PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
+PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
+
+# the big choice
+case "$PLUTO_VERB:$1" in
+prepare-host:*|prepare-client:*)
+	if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
+	then
+	    # exit because no route will be added,
+	    # so that existing routes can stay
+	    exit 0
+	fi
+
+	# delete possibly-existing route (preliminary to adding a route)
+	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+	"0.0.0.0/0.0.0.0")
+		# need to provide route that eclipses default, without
+		# replacing it.
+		parms1="0.0.0.0/1"
+		parms2="128.0.0.0/1"
+		it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
+		oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
+		;;
+	*)
+		parms="$PLUTO_PEER_CLIENT"
+		it="ip route delete $parms 2>&1"
+		oops="`ip route delete $parms 2>&1`"
+		;;
+	esac
+	status="$?"
+	if test " $oops" = " " -a " $status" != " 0"
+	then
+		oops="silent error, exit status $status"
+	fi
+	case "$oops" in
+	*'RTNETLINK answers: No such process'*)
+		# This is what route (currently -- not documented!) gives
+		# for "could not find such a route".
+		oops=
+		status=0
+		;;
+	esac
+	if test " $oops" != " " -o " $status" != " 0"
+	then
+		echo "$0: \`$it' failed ($oops)" >&2
+	fi
+	exit $status
+	;;
+route-host:*|route-client:*)
+	# connection to me or my client subnet being routed
+	uproute
+	;;
+unroute-host:*|unroute-client:*)
+	# connection to me or my client subnet being unrouted
+	downroute
+	;;
+up-host:)
+	# connection to me coming up
+	# If you are doing a custom version, firewall commands go here.
+	if [ -n "$PLUTO_MARK_IN" ]
+	then
+	    iptables -t mangle -A PREROUTING $SET_MARK
+	fi
+	iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+down-host:)
+	# connection to me going down
+	# If you are doing a custom version, firewall commands go here.
+	if [ -n "$PLUTO_MARK_IN" ]
+	then
+	    iptables -t mangle -D PREROUTING $SET_MARK
+	fi
+	iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	    "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+up-client:)
+	# connection to my client subnet coming up
+	# If you are doing a custom version, firewall commands go here.
+	if [ -n "$PLUTO_MARK_IN" ]
+	then
+	    iptables -t mangle -A PREROUTING $SET_MARK
+	fi
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+	then
+	  iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	  iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	  iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
+down-client:)
+	# connection to my client subnet going down
+	# If you are doing a custom version, firewall commands go here.
+	if [ -n "$PLUTO_MARK_IN" ]
+	then
+	    iptables -t mangle -D PREROUTING $SET_MARK
+	fi
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+	then
+	  iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	  iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	  iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
+*)	echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
+	exit 1
+	;;
+esac
diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..339b56987
--- /dev/null
+++ b/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/venus/etc/init.d/iptables b/testing/tests/ikev2/rw-mark-in-out/hosts/venus/etc/init.d/iptables
new file mode 100755
index 000000000..5594bbf52
--- /dev/null
+++ b/testing/tests/ikev2/rw-mark-in-out/hosts/venus/etc/init.d/iptables
@@ -0,0 +1,77 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+	before net
+	need logger
+}
+
+start() {
+	ebegin "Starting firewall"
+
+	# default policy is DROP
+	/sbin/iptables -P INPUT DROP
+	/sbin/iptables -P OUTPUT DROP
+	/sbin/iptables -P FORWARD DROP
+
+        # allow ESP 
+        iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
+        iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+	# allow IKE
+	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+			
+	# allow MOBIKE 
+	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+	# allow crl fetch from winnetou
+	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+	# allow ssh
+	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
+	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+	
+			if [ $a == nat ]; then
+				/sbin/iptables -t nat -P PREROUTING ACCEPT
+				/sbin/iptables -t nat -P POSTROUTING ACCEPT
+				/sbin/iptables -t nat -P OUTPUT ACCEPT
+			elif [ $a == mangle ]; then
+				/sbin/iptables -t mangle -P PREROUTING ACCEPT
+				/sbin/iptables -t mangle -P INPUT ACCEPT
+				/sbin/iptables -t mangle -P FORWARD ACCEPT
+				/sbin/iptables -t mangle -P OUTPUT ACCEPT
+				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
+			elif [ $a == filter ]; then
+				/sbin/iptables -t filter -P INPUT ACCEPT
+				/sbin/iptables -t filter -P FORWARD ACCEPT
+				/sbin/iptables -t filter -P OUTPUT ACCEPT
+			fi
+		done
+	eend $?
+}
+
+reload() {
+	ebegin "Flushing firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+		done;
+        eend $?
+	start
+}
+
diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/venus/etc/ipsec.conf b/testing/tests/ikev2/rw-mark-in-out/hosts/venus/etc/ipsec.conf
new file mode 100755
index 000000000..4af93df8d
--- /dev/null
+++ b/testing/tests/ikev2/rw-mark-in-out/hosts/venus/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home 
+	left=%defaultroute
+	leftsubnet=10.1.0.0/25
+	leftcert=venusCert.pem
+	leftid=@venus.strongswan.org
+	leftfirewall=yes
+	lefthostaccess=yes
+	right=PH_IP_SUN
+	rightid=@sun.strongswan.org
+	rightsubnet=10.2.0.0/16
+	auto=add
diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2/rw-mark-in-out/hosts/venus/etc/strongswan.conf
new file mode 100644
index 000000000..339b56987
--- /dev/null
+++ b/testing/tests/ikev2/rw-mark-in-out/hosts/venus/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/rw-mark-in-out/posttest.dat b/testing/tests/ikev2/rw-mark-in-out/posttest.dat
new file mode 100644
index 000000000..fae79271b
--- /dev/null
+++ b/testing/tests/ikev2/rw-mark-in-out/posttest.dat
@@ -0,0 +1,12 @@
+sun::iptables -t mangle -v -n -L PREROUTING
+sun::ipsec stop
+alice::ipsec stop
+venus::ipsec stop
+alice::/etc/init.d/iptables stop 2> /dev/null
+venus::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
+sun::ip route del 10.1.0.0/16 via PH_IP_MOON
+sun::conntrack -F
+sun::rm /etc/mark_updown
+moon::iptables -t nat -F
+moon::conntrack -F
diff --git a/testing/tests/ikev2/rw-mark-in-out/pretest.dat b/testing/tests/ikev2/rw-mark-in-out/pretest.dat
new file mode 100644
index 000000000..3d9a5f340
--- /dev/null
+++ b/testing/tests/ikev2/rw-mark-in-out/pretest.dat
@@ -0,0 +1,18 @@
+alice::/etc/init.d/iptables start 2> /dev/null
+venus::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
+moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to PH_IP_MOON 
+sun::ip route add 10.1.0.0/16 via PH_IP_MOON 
+sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 10 -j SNAT --to 10.3.0.10
+sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 20 -j SNAT --to 10.3.0.20
+sun::iptables -t mangle -A PREROUTING -d 10.3.0.10 -j MARK --set-mark 11
+sun::iptables -t mangle -A PREROUTING -d 10.3.0.20 -j MARK --set-mark 21
+alice::ipsec start
+venus::ipsec start
+sun::ipsec start
+alice::sleep 2 
+alice::ipsec up home 
+venus::sleep 2 
+venus::ipsec up home
+venus::sleep 2
diff --git a/testing/tests/ikev2/rw-mark-in-out/test.conf b/testing/tests/ikev2/rw-mark-in-out/test.conf
new file mode 100644
index 000000000..ae3c190b8
--- /dev/null
+++ b/testing/tests/ikev2/rw-mark-in-out/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice venus moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-w-s-b.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon bob"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="alice venus sun"
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/two-certs/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/two-certs/hosts/carol/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/two-certs/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/two-certs/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/two-certs/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/two-certs/hosts/moon/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/two-certs/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/two-certs/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/virtual-ip-override/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/virtual-ip-override/hosts/carol/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/virtual-ip-override/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/virtual-ip-override/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/virtual-ip-override/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/virtual-ip-override/hosts/dave/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/virtual-ip-override/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/virtual-ip-override/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/virtual-ip-override/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/virtual-ip-override/hosts/moon/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/virtual-ip-override/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/virtual-ip-override/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/virtual-ip/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/virtual-ip/hosts/carol/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/virtual-ip/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/virtual-ip/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/virtual-ip/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/virtual-ip/hosts/dave/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/virtual-ip/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/virtual-ip/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/virtual-ip/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/virtual-ip/hosts/moon/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/virtual-ip/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/virtual-ip/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/wildcards/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/wildcards/hosts/carol/etc/strongswan.conf
index dd2df0670..88f162098 100644
--- a/testing/tests/ikev2/wildcards/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/wildcards/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/wildcards/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/wildcards/hosts/dave/etc/strongswan.conf
index dd2df0670..88f162098 100644
--- a/testing/tests/ikev2/wildcards/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/wildcards/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/wildcards/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/wildcards/hosts/moon/etc/strongswan.conf
index dd2df0670..88f162098 100644
--- a/testing/tests/ikev2/wildcards/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/wildcards/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/strongswan.conf
index b71db18dd..d9349846c 100644
--- a/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/strongswan.conf
index b71db18dd..d9349846c 100644
--- a/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/strongswan.conf
index b71db18dd..d9349846c 100644
--- a/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/strongswan.conf
index b71db18dd..d9349846c 100644
--- a/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/strongswan.conf
index b71db18dd..d9349846c 100644
--- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/strongswan.conf
index b71db18dd..d9349846c 100644
--- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf
index 29132e757..393ea64f9 100644
--- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
   install_routes = no
 }
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/strongswan.conf
index 73d687a0c..014b5d935 100644
--- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
   install_routes=no
 }
diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/strongswan.conf
index b71db18dd..94873ddeb 100644
--- a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation addrblock hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/strongswan.conf
index b71db18dd..94873ddeb 100644
--- a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation addrblock hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/strongswan.conf b/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/strongswan.conf
index b71db18dd..d9349846c 100644
--- a/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/strongswan.conf b/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/strongswan.conf
index b71db18dd..d9349846c 100644
--- a/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/strongswan.conf
index b71db18dd..d9349846c 100644
--- a/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/strongswan.conf b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/strongswan.conf
index b71db18dd..94873ddeb 100644
--- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation addrblock hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/strongswan.conf b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/strongswan.conf
index b71db18dd..94873ddeb 100644
--- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation addrblock hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/strongswan.conf
index b71db18dd..94873ddeb 100644
--- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation addrblock hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/strongswan.conf
index b71db18dd..d9349846c 100644
--- a/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/strongswan.conf
index b71db18dd..d9349846c 100644
--- a/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf
index 85684b1c9..4ccc387bd 100644
--- a/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = pem pkcs1 x509 openssl random hmac curl
+  load = pem pkcs1 openssl random hmac curl
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf
index 85684b1c9..4ccc387bd 100644
--- a/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = pem pkcs1 x509 openssl random hmac curl
+  load = pem pkcs1 openssl random hmac curl
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/description.txt b/testing/tests/openssl-ikev1/alg-ecp-high/description.txt
index b8efbe87e..f2b26fd7c 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-high/description.txt
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/description.txt
@@ -1,7 +1,7 @@
 The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>openssl</b>
-plugin based on the <b>OpenSSL</b> library for all cryptographical functions
-whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b> cryptographical
-plugins <b>aes des sha1 sha2 md5 gmp</b> plus the <b>openssl</b> plugin for 
+plugin based on the <b>OpenSSL</b> library for all cryptographical and X.509 certificate
+functions whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b> cryptographical
+plugins <b>aes des sha1 sha2 md5 gmp x509</b> plus the <b>openssl</b> plugin for 
 the Elliptic Curve Diffie-Hellman groups only.
 <p>
 The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/strongswan.conf
index 85684b1c9..4ccc387bd 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = pem pkcs1 x509 openssl random hmac curl
+  load = pem pkcs1 openssl random hmac curl
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/strongswan.conf
index 85684b1c9..4ccc387bd 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = pem pkcs1 x509 openssl random hmac curl
+  load = pem pkcs1 openssl random hmac curl
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/description.txt b/testing/tests/openssl-ikev1/alg-ecp-low/description.txt
index 4f043e7d9..5b0241433 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-low/description.txt
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/description.txt
@@ -1,7 +1,7 @@
 The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>openssl</b>
-plugin based on the <b>OpenSSL</b> library for all cryptographical functions
-whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b> cryptographical
-plugins <b>aes des sha1 sha2 md5 gmp</b> plus the <b>openssl</b> plugin for 
+plugin based on the <b>OpenSSL</b> library for all cryptographical and X.509 certificate
+functions whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b> cryptographical
+plugins <b>aes des sha1 sha2 md5 gmp x509</b> plus the <b>openssl</b> plugin for 
 the Elliptic Curve Diffie-Hellman groups only.
 <p>
 The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/strongswan.conf
index 2247496db..63892fd33 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = pem pkcs1 x509 openssl random hmac curl 
+  load = pem pkcs1 openssl random hmac curl 
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/strongswan.conf
index 2247496db..63892fd33 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = pem pkcs1 x509 openssl random hmac curl 
+  load = pem pkcs1 openssl random hmac curl 
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/description.txt b/testing/tests/openssl-ikev1/ecdsa-certs/description.txt
index 2c098d898..4f855eb1a 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/description.txt
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/description.txt
@@ -1,5 +1,5 @@
 The hosts <b>carol</b>, <b>dave</b>, and <b>moon</b> use the <b>openssl</b> plugin
-based on the <b>OpenSSL</b> library for all cryptographical functions.
+based on the <b>OpenSSL</b> library for all cryptographical and X.509 certificate functions.
 <p>
 The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
 to gateway <b>moon</b>. The authentication is based on <b>ECDSA signatures</b>
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/strongswan.conf
index 85684b1c9..4ccc387bd 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = pem pkcs1 x509 openssl random hmac curl
+  load = pem pkcs1 openssl random hmac curl
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/strongswan.conf
index 3562ddc67..a96b54446 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = aes des sha1 sha2 md5 pem pkcs1 x509 gmp pem pkcs1 openssl random hmac curl
+  load = pem pkcs1 pem pkcs1 openssl random hmac curl
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/strongswan.conf
index 85684b1c9..4ccc387bd 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = pem pkcs1 x509 openssl random hmac curl
+  load = pem pkcs1 openssl random hmac curl
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/openssl-ikev1/rw-cert/description.txt b/testing/tests/openssl-ikev1/rw-cert/description.txt
index 0f721c52b..5185b5216 100644
--- a/testing/tests/openssl-ikev1/rw-cert/description.txt
+++ b/testing/tests/openssl-ikev1/rw-cert/description.txt
@@ -1,7 +1,7 @@
 The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>openssl</b>
-plugin based on the <b>OpenSSL</b> library for all cryptographical functions
-whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b> cryptographical
-plugins <b>aes des sha1 sha2 md5 gmp</b>.
+plugin based on the <b>OpenSSL</b> library for all cryptographical and X.509
+certificate functions whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b>
+cryptographical plugins <b>aes des sha1 sha2 md5 gmp</b> and <b>x509</b>.
 <p>
 The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
 to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
diff --git a/testing/tests/openssl-ikev1/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev1/rw-cert/hosts/carol/etc/strongswan.conf
index e4d41df39..1029b8536 100644
--- a/testing/tests/openssl-ikev1/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/rw-cert/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = test-vectors pem pkcs1 x509 openssl random hmac curl
+  load = test-vectors pem pkcs1 openssl random hmac curl
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/openssl-ikev1/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev1/rw-cert/hosts/moon/etc/strongswan.conf
index 1531d9933..edc6dbed4 100644
--- a/testing/tests/openssl-ikev1/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/rw-cert/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = test-vectors pem pkcs1 x509 openssl random hmac curl
+  load = test-vectors pem pkcs1 openssl random hmac curl
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf
index 807ca9411..bdbdad2e5 100644
--- a/testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl pem pkcs1 openssl random x509 hmac stroke kernel-netlink socket-default updown
+  load = curl pem pkcs1 openssl revocation random hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf
index 807ca9411..bdbdad2e5 100644
--- a/testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl pem pkcs1 openssl random x509 hmac stroke kernel-netlink socket-default updown
+  load = curl pem pkcs1 openssl revocation random hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf
index 807ca9411..bdbdad2e5 100644
--- a/testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl pem pkcs1 openssl random x509 hmac stroke kernel-netlink socket-default updown
+  load = curl pem pkcs1 openssl revocation random hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf
index 6420b3414..e96dfe574 100644
--- a/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl pem pkcs1 openssl random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl pem pkcs1 openssl revocation random hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf
index 6420b3414..e96dfe574 100644
--- a/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl pem pkcs1 openssl random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl pem pkcs1 openssl revocation random hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/description.txt b/testing/tests/openssl-ikev2/alg-ecp-high/description.txt
index b8efbe87e..a1f31495d 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-high/description.txt
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/description.txt
@@ -1,8 +1,8 @@
 The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>openssl</b>
-plugin based on the <b>OpenSSL</b> library for all cryptographical functions
-whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b> cryptographical
-plugins <b>aes des sha1 sha2 md5 gmp</b> plus the <b>openssl</b> plugin for 
-the Elliptic Curve Diffie-Hellman groups only.
+plugin based on the <b>OpenSSL</b> library for all cryptographical and X.509
+certificate functions whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b>
+cryptographical plugins <b>aes des sha1 sha2 md5 gmp x509</b> plus the <b>openssl</b>
+plugin for the Elliptic Curve Diffie-Hellman groups only.
 <p>
 The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
 to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/strongswan.conf
index b8038df01..b9da84efb 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl pem pkcs1 openssl random x509 hmac stroke kernel-netlink socket-default updown
+  load = curl pem pkcs1 openssl revocation random hmac stroke kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/strongswan.conf
index f988d90b4..8dcf8e96f 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp pem pkcs1 openssl random x509 hmac stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp pem pkcs1 x509 openssl revocation random hmac stroke kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/strongswan.conf
index b8038df01..b9da84efb 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl pem pkcs1 openssl random x509 hmac stroke kernel-netlink socket-default updown
+  load = curl pem pkcs1 openssl revocation random hmac stroke kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/description.txt b/testing/tests/openssl-ikev2/alg-ecp-low/description.txt
index 4f043e7d9..84b6eb4bf 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-low/description.txt
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/description.txt
@@ -1,8 +1,8 @@
 The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>openssl</b>
-plugin based on the <b>OpenSSL</b> library for all cryptographical functions
-whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b> cryptographical
-plugins <b>aes des sha1 sha2 md5 gmp</b> plus the <b>openssl</b> plugin for 
-the Elliptic Curve Diffie-Hellman groups only.
+plugin based on the <b>OpenSSL</b> library for all cryptographical and X.509 
+certificate functions whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b>
+cryptographical plugins <b>aes des sha1 sha2 md5 gmp x509</b> plus the <b>openssl</b>
+plugin for the Elliptic Curve Diffie-Hellman groups only.
 <p>
 The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
 to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/strongswan.conf
index b8038df01..b9da84efb 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl pem pkcs1 openssl random x509 hmac stroke kernel-netlink socket-default updown
+  load = curl pem pkcs1 openssl revocation random hmac stroke kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/strongswan.conf
index f988d90b4..8dcf8e96f 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp pem pkcs1 openssl random x509 hmac stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp pem pkcs1 x509 openssl revocation random hmac stroke kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/strongswan.conf
index b8038df01..b9da84efb 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl pem pkcs1 openssl random x509 hmac stroke kernel-netlink socket-default updown
+  load = curl pem pkcs1 openssl revocation random hmac stroke kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/description.txt b/testing/tests/openssl-ikev2/ecdsa-certs/description.txt
index 2c098d898..4f855eb1a 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/description.txt
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/description.txt
@@ -1,5 +1,5 @@
 The hosts <b>carol</b>, <b>dave</b>, and <b>moon</b> use the <b>openssl</b> plugin
-based on the <b>OpenSSL</b> library for all cryptographical functions.
+based on the <b>OpenSSL</b> library for all cryptographical and X.509 certificate functions.
 <p>
 The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
 to gateway <b>moon</b>. The authentication is based on <b>ECDSA signatures</b>
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/strongswan.conf
index 807ca9411..bdbdad2e5 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl pem pkcs1 openssl random x509 hmac stroke kernel-netlink socket-default updown
+  load = curl pem pkcs1 openssl revocation random hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/strongswan.conf
index 807ca9411..bdbdad2e5 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl pem pkcs1 openssl random x509 hmac stroke kernel-netlink socket-default updown
+  load = curl pem pkcs1 openssl revocation random hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/strongswan.conf
index 807ca9411..bdbdad2e5 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl pem pkcs1 openssl random x509 hmac stroke kernel-netlink socket-default updown
+  load = curl pem pkcs1 openssl revocation random hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev2/rw-cert/description.txt b/testing/tests/openssl-ikev2/rw-cert/description.txt
index 0f721c52b..b16faad06 100644
--- a/testing/tests/openssl-ikev2/rw-cert/description.txt
+++ b/testing/tests/openssl-ikev2/rw-cert/description.txt
@@ -1,7 +1,7 @@
 The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>openssl</b>
-plugin based on the <b>OpenSSL</b> library for all cryptographical functions
-whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b> cryptographical
-plugins <b>aes des sha1 sha2 md5 gmp</b>.
+plugin based on the <b>OpenSSL</b> library for all cryptographical and X.509 certificate
+functions whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b> cryptographical
+plugins <b>aes des sha1 sha2 md5 gmp</b> and <b>x509</b>.
 <p>
 The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
 to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
index a442b244d..206f029f3 100644
--- a/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors pem pkcs1 openssl random x509 hmac stroke kernel-netlink socket-default updown
+  load = curl test-vectors pem pkcs1 openssl revocation random hmac stroke kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
index 6fcefc56a..208f1c36d 100644
--- a/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac stroke kernel-netlink socket-default updown
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
index aa50403d8..3ae6205cb 100644
--- a/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors pem pkcs1 openssl random x509 hmac stroke kernel-netlink socket-default updown
+  load = curl test-vectors pem pkcs1 openssl revocation random hmac stroke kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/strongswan.conf b/testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/p2pnat/behind-same-nat/hosts/carol/etc/strongswan.conf b/testing/tests/p2pnat/behind-same-nat/hosts/carol/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/p2pnat/behind-same-nat/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/p2pnat/behind-same-nat/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/strongswan.conf b/testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/strongswan.conf
+++ b/testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/strongswan.conf b/testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/p2pnat/medsrv-psk/hosts/bob/etc/strongswan.conf b/testing/tests/p2pnat/medsrv-psk/hosts/bob/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/p2pnat/medsrv-psk/hosts/bob/etc/strongswan.conf
+++ b/testing/tests/p2pnat/medsrv-psk/hosts/bob/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/p2pnat/medsrv-psk/hosts/carol/etc/strongswan.conf b/testing/tests/p2pnat/medsrv-psk/hosts/carol/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/p2pnat/medsrv-psk/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/p2pnat/medsrv-psk/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/alg-aes-xcbc/hosts/carol/etc/strongswan.conf b/testing/tests/pfkey/alg-aes-xcbc/hosts/carol/etc/strongswan.conf
index 1d17b3614..21015f8a2 100644
--- a/testing/tests/pfkey/alg-aes-xcbc/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/pfkey/alg-aes-xcbc/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/alg-aes-xcbc/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/alg-aes-xcbc/hosts/moon/etc/strongswan.conf
index 1d17b3614..21015f8a2 100644
--- a/testing/tests/pfkey/alg-aes-xcbc/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/pfkey/alg-aes-xcbc/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/alg-sha384/hosts/carol/etc/strongswan.conf b/testing/tests/pfkey/alg-sha384/hosts/carol/etc/strongswan.conf
index 1d17b3614..21015f8a2 100644
--- a/testing/tests/pfkey/alg-sha384/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/pfkey/alg-sha384/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/alg-sha384/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/alg-sha384/hosts/moon/etc/strongswan.conf
index 1d17b3614..21015f8a2 100644
--- a/testing/tests/pfkey/alg-sha384/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/pfkey/alg-sha384/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/alg-sha512/hosts/carol/etc/strongswan.conf b/testing/tests/pfkey/alg-sha512/hosts/carol/etc/strongswan.conf
index 1d17b3614..21015f8a2 100644
--- a/testing/tests/pfkey/alg-sha512/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/pfkey/alg-sha512/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/alg-sha512/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/alg-sha512/hosts/moon/etc/strongswan.conf
index 1d17b3614..21015f8a2 100644
--- a/testing/tests/pfkey/alg-sha512/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/pfkey/alg-sha512/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/esp-alg-null/hosts/carol/etc/strongswan.conf b/testing/tests/pfkey/esp-alg-null/hosts/carol/etc/strongswan.conf
index 1d17b3614..21015f8a2 100644
--- a/testing/tests/pfkey/esp-alg-null/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/pfkey/esp-alg-null/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/esp-alg-null/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/esp-alg-null/hosts/moon/etc/strongswan.conf
index 1d17b3614..21015f8a2 100644
--- a/testing/tests/pfkey/esp-alg-null/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/pfkey/esp-alg-null/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/host2host-transport/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/host2host-transport/hosts/moon/etc/strongswan.conf
index 1d17b3614..21015f8a2 100644
--- a/testing/tests/pfkey/host2host-transport/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/pfkey/host2host-transport/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/host2host-transport/hosts/sun/etc/strongswan.conf b/testing/tests/pfkey/host2host-transport/hosts/sun/etc/strongswan.conf
index 1d17b3614..21015f8a2 100644
--- a/testing/tests/pfkey/host2host-transport/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/pfkey/host2host-transport/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/nat-two-rw/hosts/alice/etc/strongswan.conf b/testing/tests/pfkey/nat-two-rw/hosts/alice/etc/strongswan.conf
index 1d17b3614..21015f8a2 100644
--- a/testing/tests/pfkey/nat-two-rw/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/pfkey/nat-two-rw/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/nat-two-rw/hosts/sun/etc/strongswan.conf b/testing/tests/pfkey/nat-two-rw/hosts/sun/etc/strongswan.conf
index 1d17b3614..21015f8a2 100644
--- a/testing/tests/pfkey/nat-two-rw/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/pfkey/nat-two-rw/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/nat-two-rw/hosts/venus/etc/strongswan.conf b/testing/tests/pfkey/nat-two-rw/hosts/venus/etc/strongswan.conf
index 1d17b3614..21015f8a2 100644
--- a/testing/tests/pfkey/nat-two-rw/hosts/venus/etc/strongswan.conf
+++ b/testing/tests/pfkey/nat-two-rw/hosts/venus/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/net2net-route/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/net2net-route/hosts/moon/etc/strongswan.conf
index 1d17b3614..21015f8a2 100644
--- a/testing/tests/pfkey/net2net-route/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/pfkey/net2net-route/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/net2net-route/hosts/sun/etc/strongswan.conf b/testing/tests/pfkey/net2net-route/hosts/sun/etc/strongswan.conf
index 1d17b3614..21015f8a2 100644
--- a/testing/tests/pfkey/net2net-route/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/pfkey/net2net-route/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/protoport-dual/hosts/carol/etc/strongswan.conf b/testing/tests/pfkey/protoport-dual/hosts/carol/etc/strongswan.conf
index 1d17b3614..21015f8a2 100644
--- a/testing/tests/pfkey/protoport-dual/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/pfkey/protoport-dual/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/protoport-dual/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/protoport-dual/hosts/moon/etc/strongswan.conf
index 1d17b3614..21015f8a2 100644
--- a/testing/tests/pfkey/protoport-dual/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/pfkey/protoport-dual/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/protoport-route/hosts/carol/etc/strongswan.conf b/testing/tests/pfkey/protoport-route/hosts/carol/etc/strongswan.conf
index 1d17b3614..21015f8a2 100644
--- a/testing/tests/pfkey/protoport-route/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/pfkey/protoport-route/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/protoport-route/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/protoport-route/hosts/moon/etc/strongswan.conf
index 1d17b3614..21015f8a2 100644
--- a/testing/tests/pfkey/protoport-route/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/pfkey/protoport-route/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/pfkey/rw-cert/hosts/carol/etc/strongswan.conf
index 7d8cda47e..d59e04ef3 100644
--- a/testing/tests/pfkey/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/pfkey/rw-cert/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/pfkey/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/pfkey/rw-cert/hosts/dave/etc/strongswan.conf
index 7d8cda47e..d59e04ef3 100644
--- a/testing/tests/pfkey/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/pfkey/rw-cert/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/pfkey/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/rw-cert/hosts/moon/etc/strongswan.conf
index 7d8cda47e..d59e04ef3 100644
--- a/testing/tests/pfkey/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/pfkey/rw-cert/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/ipsec.d/data.sql
index 9afa1b15d..38c9d9bbe 100644
--- a/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/ipsec.d/data.sql
@@ -8,10 +8,16 @@ INSERT INTO identities (
 
 INSERT INTO identities (
   type, data
-) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
   11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def'
  );
 
+INSERT INTO identities (
+  type, data
+) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+  11, X'ae096b87b44886d3b820978623dabd0eae22ebbc'
+ );
+
 INSERT INTO identities (
   type, data
 ) VALUES ( /* carol@strongswan.org */
@@ -20,7 +26,7 @@ INSERT INTO identities (
 
 INSERT INTO identities (
   type, data
-) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=carol@strongswan.org' */
+) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=carol@strongswan.org' */
   11, X'1fa1a988d9648cb5a0a2546439b4f23d745d6e7c'
  );
 
@@ -59,13 +65,19 @@ INSERT INTO certificate_identity (
 INSERT INTO certificate_identity (
   certificate, identity
 ) VALUES (
-  2, 3
+  1, 3
 );
 
 INSERT INTO certificate_identity (
   certificate, identity
 ) VALUES (
-  2, 4
+  2, 4 
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  2, 5 
 );
 
 /* Private Keys */
@@ -79,13 +91,13 @@ INSERT INTO private_keys (
 INSERT INTO private_key_identity (
   private_key, identity
 ) VALUES (
-  1, 3
+  1, 4 
 );
 
 INSERT INTO private_key_identity (
   private_key, identity
 ) VALUES (
-  1, 4
+  1, 5 
 );
 
 /* Configurations */
@@ -99,7 +111,7 @@ INSERT INTO ike_configs (
 INSERT INTO peer_configs (
   name, ike_cfg, local_id, remote_id, virtual
 ) VALUES (
-  'home', 1, 3, 5, '0.0.0.0'
+  'home', 1, 4, 6, '0.0.0.0'
 );
 
 INSERT INTO child_configs (
diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/strongswan.conf
index a0d88cff1..f375db9c9 100644
--- a/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/ipsec.d/data.sql b/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/ipsec.d/data.sql
index 425c180a1..5b9beb3bb 100644
--- a/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/ipsec.d/data.sql
@@ -8,10 +8,16 @@ INSERT INTO identities (
 
 INSERT INTO identities (
   type, data
-) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
   11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def'
  );
 
+INSERT INTO identities (
+  type, data
+) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+  11, X'ae096b87b44886d3b820978623dabd0eae22ebbc'
+ );
+
 INSERT INTO identities (
   type, data
 ) VALUES ( /* dave@strongswan.org */
@@ -20,7 +26,7 @@ INSERT INTO identities (
 
 INSERT INTO identities (
   type, data
-) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=dave@strongswan.org' */
+) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=dave@strongswan.org' */
   11, X'ee7f38daeea1b81a41777f78f2674be8439d8e0e'
  );
 
@@ -59,13 +65,13 @@ INSERT INTO certificate_identity (
 INSERT INTO certificate_identity (
   certificate, identity
 ) VALUES (
-  2, 3
+  2, 4 
 );
 
 INSERT INTO certificate_identity (
   certificate, identity
 ) VALUES (
-  2, 4
+  2, 5 
 );
 
 /* Private Keys */
@@ -79,13 +85,13 @@ INSERT INTO private_keys (
 INSERT INTO private_key_identity (
   private_key, identity
 ) VALUES (
-  1, 3
+  1, 4 
 );
 
 INSERT INTO private_key_identity (
   private_key, identity
 ) VALUES (
-  1, 4
+  1, 5 
 );
 
 /* Configurations */
@@ -99,7 +105,7 @@ INSERT INTO ike_configs (
 INSERT INTO peer_configs (
   name, ike_cfg, local_id, remote_id, virtual
 ) VALUES (
-  'home', 1, 3, 5, '0.0.0.0'
+  'home', 1, 4, 6, '0.0.0.0'
 );
 
 INSERT INTO child_configs (
diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/strongswan.conf
index a0d88cff1..f375db9c9 100644
--- a/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/ipsec.d/data.sql
index 8f5a5ece8..e0c5dfc37 100644
--- a/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/ipsec.d/data.sql
@@ -8,10 +8,16 @@ INSERT INTO identities (
 
 INSERT INTO identities (
   type, data
-) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
   11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def'
  );
 
+INSERT INTO identities (
+  type, data
+) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+  11, X'ae096b87b44886d3b820978623dabd0eae22ebbc'
+ );
+
 INSERT INTO identities (
   type, data
 ) VALUES ( /* moon.strongswan.org */
@@ -20,7 +26,7 @@ INSERT INTO identities (
 
 INSERT INTO identities (
   type, data
-) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */
+) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */
   11, X'6a9c74d1f8897989f65a94e989f1fac3649d292e'
  );
 
@@ -77,13 +83,19 @@ INSERT INTO certificate_identity (
 INSERT INTO certificate_identity (
   certificate, identity
 ) VALUES (
-  2, 3
+  1, 3
 );
 
 INSERT INTO certificate_identity (
   certificate, identity
 ) VALUES (
-  2, 4
+  2, 4 
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  2, 5 
 );
 
 /* Private Keys */
@@ -97,13 +109,13 @@ INSERT INTO private_keys (
 INSERT INTO private_key_identity (
   private_key, identity
 ) VALUES (
-  1, 3
+  1, 4 
 );
 
 INSERT INTO private_key_identity (
   private_key, identity
 ) VALUES (
-  1, 4
+  1, 5 
 );
 
 /* Configurations */
@@ -117,7 +129,7 @@ INSERT INTO ike_configs (
 INSERT INTO peer_configs (
   name, ike_cfg, local_id, remote_id, pool
 ) VALUES (
-  'rw', 1, 3, 5, 'bigpool'
+  'rw', 1, 4, 6, 'bigpool'
 );
 
 INSERT INTO child_configs (
@@ -167,13 +179,13 @@ INSERT INTO pools (
 INSERT INTO addresses (
   pool, address, identity, acquired, released
 ) VALUES (
-  1, X'0a030001', 7, 1211299013 , 1211299205
+  1, X'0a030001', 8, 1211299013 , 1211299205
 );
 
 INSERT INTO addresses (
   pool, address, identity, acquired, released
 ) VALUES (
-  1, X'0a030002', 8, 1211299031, 1211299187
+  1, X'0a030002', 9, 1211299031, 1211299187
 );
 
 INSERT INTO addresses (
@@ -203,11 +215,11 @@ INSERT INTO addresses (
 INSERT INTO leases (
   address, identity, acquired, released
 ) VALUES (
-  1, 7, 1211299013 , 1211299205
+  1, 8, 1211299013 , 1211299205
 );
 
 INSERT INTO leases (
   address, identity, acquired, released
 ) VALUES (
-  2, 8, 1211299031, 1211299187
+  2, 9, 1211299031, 1211299187
 );
diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/strongswan.conf
index e99a7c505..1c30841cf 100644
--- a/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/strongswan.conf
@@ -6,7 +6,7 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql attr-sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql attr-sql
 }
 
 libhydra {
diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/ipsec.d/data.sql
index 9afa1b15d..38c9d9bbe 100644
--- a/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/ipsec.d/data.sql
@@ -8,10 +8,16 @@ INSERT INTO identities (
 
 INSERT INTO identities (
   type, data
-) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
   11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def'
  );
 
+INSERT INTO identities (
+  type, data
+) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+  11, X'ae096b87b44886d3b820978623dabd0eae22ebbc'
+ );
+
 INSERT INTO identities (
   type, data
 ) VALUES ( /* carol@strongswan.org */
@@ -20,7 +26,7 @@ INSERT INTO identities (
 
 INSERT INTO identities (
   type, data
-) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=carol@strongswan.org' */
+) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=carol@strongswan.org' */
   11, X'1fa1a988d9648cb5a0a2546439b4f23d745d6e7c'
  );
 
@@ -59,13 +65,19 @@ INSERT INTO certificate_identity (
 INSERT INTO certificate_identity (
   certificate, identity
 ) VALUES (
-  2, 3
+  1, 3
 );
 
 INSERT INTO certificate_identity (
   certificate, identity
 ) VALUES (
-  2, 4
+  2, 4 
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  2, 5 
 );
 
 /* Private Keys */
@@ -79,13 +91,13 @@ INSERT INTO private_keys (
 INSERT INTO private_key_identity (
   private_key, identity
 ) VALUES (
-  1, 3
+  1, 4 
 );
 
 INSERT INTO private_key_identity (
   private_key, identity
 ) VALUES (
-  1, 4
+  1, 5 
 );
 
 /* Configurations */
@@ -99,7 +111,7 @@ INSERT INTO ike_configs (
 INSERT INTO peer_configs (
   name, ike_cfg, local_id, remote_id, virtual
 ) VALUES (
-  'home', 1, 3, 5, '0.0.0.0'
+  'home', 1, 4, 6, '0.0.0.0'
 );
 
 INSERT INTO child_configs (
diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/strongswan.conf
index a0d88cff1..f375db9c9 100644
--- a/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/ipsec.d/data.sql b/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/ipsec.d/data.sql
index 425c180a1..9739a7839 100644
--- a/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/ipsec.d/data.sql
@@ -8,10 +8,16 @@ INSERT INTO identities (
 
 INSERT INTO identities (
   type, data
-) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
   11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def'
  );
 
+INSERT INTO identities (
+  type, data
+) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+  11, X'ae096b87b44886d3b820978623dabd0eae22ebbc'
+ );
+
 INSERT INTO identities (
   type, data
 ) VALUES ( /* dave@strongswan.org */
@@ -20,7 +26,7 @@ INSERT INTO identities (
 
 INSERT INTO identities (
   type, data
-) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=dave@strongswan.org' */
+) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=dave@strongswan.org' */
   11, X'ee7f38daeea1b81a41777f78f2674be8439d8e0e'
  );
 
@@ -59,13 +65,19 @@ INSERT INTO certificate_identity (
 INSERT INTO certificate_identity (
   certificate, identity
 ) VALUES (
-  2, 3
+  1, 3
 );
 
 INSERT INTO certificate_identity (
   certificate, identity
 ) VALUES (
-  2, 4
+  2, 4 
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  2, 5 
 );
 
 /* Private Keys */
@@ -79,13 +91,13 @@ INSERT INTO private_keys (
 INSERT INTO private_key_identity (
   private_key, identity
 ) VALUES (
-  1, 3
+  1, 4 
 );
 
 INSERT INTO private_key_identity (
   private_key, identity
 ) VALUES (
-  1, 4
+  1, 5 
 );
 
 /* Configurations */
@@ -99,7 +111,7 @@ INSERT INTO ike_configs (
 INSERT INTO peer_configs (
   name, ike_cfg, local_id, remote_id, virtual
 ) VALUES (
-  'home', 1, 3, 5, '0.0.0.0'
+  'home', 1, 4, 6, '0.0.0.0'
 );
 
 INSERT INTO child_configs (
diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/strongswan.conf
index a0d88cff1..f375db9c9 100644
--- a/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/ipsec.d/data.sql
index 8e11c6a20..1ea0bd3ad 100644
--- a/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/ipsec.d/data.sql
@@ -8,10 +8,16 @@ INSERT INTO identities (
 
 INSERT INTO identities (
   type, data
-) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
   11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def'
  );
 
+INSERT INTO identities (
+  type, data
+) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+  11, X'ae096b87b44886d3b820978623dabd0eae22ebbc'
+ );
+
 INSERT INTO identities (
   type, data
 ) VALUES ( /* moon.strongswan.org */
@@ -20,7 +26,7 @@ INSERT INTO identities (
 
 INSERT INTO identities (
   type, data
-) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */
+) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */
   11, X'6a9c74d1f8897989f65a94e989f1fac3649d292e'
  );
 
@@ -71,13 +77,19 @@ INSERT INTO certificate_identity (
 INSERT INTO certificate_identity (
   certificate, identity
 ) VALUES (
-  2, 3
+  1, 3
 );
 
 INSERT INTO certificate_identity (
   certificate, identity
 ) VALUES (
-  2, 4
+  2, 4 
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  2, 5 
 );
 
 /* Private Keys */
@@ -91,13 +103,13 @@ INSERT INTO private_keys (
 INSERT INTO private_key_identity (
   private_key, identity
 ) VALUES (
-  1, 3
+  1, 4 
 );
 
 INSERT INTO private_key_identity (
   private_key, identity
 ) VALUES (
-  1, 4
+  1, 5 
 );
 
 /* Configurations */
@@ -111,7 +123,7 @@ INSERT INTO ike_configs (
 INSERT INTO peer_configs (
   name, ike_cfg, local_id, remote_id, pool
 ) VALUES (
-  'rw', 1, 3, 5, 'bigpool'
+  'rw', 1, 4, 6, 'bigpool'
 );
 
 INSERT INTO child_configs (
@@ -161,13 +173,13 @@ INSERT INTO pools (
 INSERT INTO addresses (
   pool, address, identity, acquired, released
 ) VALUES (
-  1, X'0a030001', 6, 1211299013 , 1211299205
+  1, X'0a030001', 7, 1211299013 , 1211299205
 );
 
 INSERT INTO addresses (
   pool, address, identity, acquired, released
 ) VALUES (
-  1, X'0a030002', 7, 1211299031, 1211299187
+  1, X'0a030002', 8, 1211299031, 1211299187
 );
 
 INSERT INTO addresses (
@@ -197,11 +209,11 @@ INSERT INTO addresses (
 INSERT INTO leases (
   address, identity, acquired, released
 ) VALUES (
-  1, 6, 1211299013 , 1211299205
+  1, 7, 1211299013 , 1211299205
 );
 
 INSERT INTO leases (
   address, identity, acquired, released
 ) VALUES (
-  2, 7, 1211299031, 1211299187
+  2, 8, 1211299031, 1211299187
 );
diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/strongswan.conf
index e99a7c505..1c30841cf 100644
--- a/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/strongswan.conf
@@ -6,7 +6,7 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql attr-sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql attr-sql
 }
 
 libhydra {
diff --git a/testing/tests/sql/ip-pool-db/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/ip-pool-db/hosts/carol/etc/ipsec.d/data.sql
index 5dc82a942..d2cd51deb 100644
--- a/testing/tests/sql/ip-pool-db/hosts/carol/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/ip-pool-db/hosts/carol/etc/ipsec.d/data.sql
@@ -6,6 +6,12 @@ INSERT INTO identities (
   9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341'
  );
 
+INSERT INTO identities (
+  type, data
+) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+  11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def'
+ );
+
 INSERT INTO identities (
   type, data
 ) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
@@ -20,7 +26,7 @@ INSERT INTO identities (
 
 INSERT INTO identities (
   type, data
-) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=carol@strongswan.org' */
+) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=carol@strongswan.org' */
   11, X'1fa1a988d9648cb5a0a2546439b4f23d745d6e7c'
  );
 
@@ -59,13 +65,19 @@ INSERT INTO certificate_identity (
 INSERT INTO certificate_identity (
   certificate, identity
 ) VALUES (
-  2, 3
+  1, 3 
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  2, 4 
 );
 
 INSERT INTO certificate_identity (
   certificate, identity
 ) VALUES (
-  2, 4
+  2, 5 
 );
 
 /* Private Keys */
@@ -79,13 +91,13 @@ INSERT INTO private_keys (
 INSERT INTO private_key_identity (
   private_key, identity
 ) VALUES (
-  1, 3
+  1, 4 
 );
 
 INSERT INTO private_key_identity (
   private_key, identity
 ) VALUES (
-  1, 4
+  1, 5 
 );
 
 /* Configurations */
@@ -99,7 +111,7 @@ INSERT INTO ike_configs (
 INSERT INTO peer_configs (
   name, ike_cfg, local_id, remote_id, virtual
 ) VALUES (
-  'home', 1, 3, 5, '0.0.0.0'
+  'home', 1, 4, 6, '0.0.0.0'
 );
 
 INSERT INTO child_configs (
diff --git a/testing/tests/sql/ip-pool-db/hosts/carol/etc/strongswan.conf b/testing/tests/sql/ip-pool-db/hosts/carol/etc/strongswan.conf
index aed370ffa..d5f50c361 100644
--- a/testing/tests/sql/ip-pool-db/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/ip-pool-db/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql resolve
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql resolve
 }
diff --git a/testing/tests/sql/ip-pool-db/hosts/dave/etc/ipsec.d/data.sql b/testing/tests/sql/ip-pool-db/hosts/dave/etc/ipsec.d/data.sql
index 329cac53b..eb58e9d9c 100644
--- a/testing/tests/sql/ip-pool-db/hosts/dave/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/ip-pool-db/hosts/dave/etc/ipsec.d/data.sql
@@ -6,6 +6,12 @@ INSERT INTO identities (
   9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341'
  );
 
+INSERT INTO identities (
+  type, data
+) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+  11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def'
+ );
+
 INSERT INTO identities (
   type, data
 ) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
@@ -20,7 +26,7 @@ INSERT INTO identities (
 
 INSERT INTO identities (
   type, data
-) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=dave@strongswan.org' */
+) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=dave@strongswan.org' */
   11, X'ee7f38daeea1b81a41777f78f2674be8439d8e0e'
  );
 
@@ -59,13 +65,19 @@ INSERT INTO certificate_identity (
 INSERT INTO certificate_identity (
   certificate, identity
 ) VALUES (
-  2, 3
+  1, 3 
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  2, 4 
 );
 
 INSERT INTO certificate_identity (
   certificate, identity
 ) VALUES (
-  2, 4
+  2, 5 
 );
 
 /* Private Keys */
@@ -79,13 +91,13 @@ INSERT INTO private_keys (
 INSERT INTO private_key_identity (
   private_key, identity
 ) VALUES (
-  1, 3
+  1, 4 
 );
 
 INSERT INTO private_key_identity (
   private_key, identity
 ) VALUES (
-  1, 4
+  1, 5 
 );
 
 /* Configurations */
@@ -99,7 +111,7 @@ INSERT INTO ike_configs (
 INSERT INTO peer_configs (
   name, ike_cfg, local_id, remote_id, virtual
 ) VALUES (
-  'home', 1, 3, 5, '0.0.0.0'
+  'home', 1, 4, 6, '0.0.0.0'
 );
 
 INSERT INTO child_configs (
diff --git a/testing/tests/sql/ip-pool-db/hosts/dave/etc/strongswan.conf b/testing/tests/sql/ip-pool-db/hosts/dave/etc/strongswan.conf
index aed370ffa..d5f50c361 100644
--- a/testing/tests/sql/ip-pool-db/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/ip-pool-db/hosts/dave/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql resolve
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql resolve
 }
diff --git a/testing/tests/sql/ip-pool-db/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/ip-pool-db/hosts/moon/etc/ipsec.d/data.sql
index 82a9e43fe..0de63133e 100644
--- a/testing/tests/sql/ip-pool-db/hosts/moon/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/ip-pool-db/hosts/moon/etc/ipsec.d/data.sql
@@ -6,6 +6,12 @@ INSERT INTO identities (
   9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341'
  );
 
+INSERT INTO identities (
+  type, data
+) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+  11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def'
+ );
+
 INSERT INTO identities (
   type, data
 ) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
@@ -20,7 +26,7 @@ INSERT INTO identities (
 
 INSERT INTO identities (
   type, data
-) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */
+) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */
   11, X'6a9c74d1f8897989f65a94e989f1fac3649d292e'
  );
 
@@ -59,13 +65,19 @@ INSERT INTO certificate_identity (
 INSERT INTO certificate_identity (
   certificate, identity
 ) VALUES (
-  2, 3
+  1, 3 
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  2, 4 
 );
 
 INSERT INTO certificate_identity (
   certificate, identity
 ) VALUES (
-  2, 4
+  2, 5 
 );
 
 /* Private Keys */
@@ -79,13 +91,13 @@ INSERT INTO private_keys (
 INSERT INTO private_key_identity (
   private_key, identity
 ) VALUES (
-  1, 3
+  1, 4 
 );
 
 INSERT INTO private_key_identity (
   private_key, identity
 ) VALUES (
-  1, 4
+  1, 5 
 );
 
 /* Configurations */
@@ -99,7 +111,7 @@ INSERT INTO ike_configs (
 INSERT INTO peer_configs (
   name, ike_cfg, local_id, remote_id, pool
 ) VALUES (
-  'rw', 1, 3, 5, 'bigpool'
+  'rw', 1, 4, 6, 'bigpool'
 );
 
 INSERT INTO child_configs (
diff --git a/testing/tests/sql/ip-pool-db/hosts/moon/etc/strongswan.conf b/testing/tests/sql/ip-pool-db/hosts/moon/etc/strongswan.conf
index e99a7c505..1c30841cf 100644
--- a/testing/tests/sql/ip-pool-db/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/ip-pool-db/hosts/moon/etc/strongswan.conf
@@ -6,7 +6,7 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql attr-sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql attr-sql
 }
 
 libhydra {
diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/ipsec.d/data.sql
index 9afa1b15d..38c9d9bbe 100644
--- a/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/ipsec.d/data.sql
@@ -8,10 +8,16 @@ INSERT INTO identities (
 
 INSERT INTO identities (
   type, data
-) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
   11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def'
  );
 
+INSERT INTO identities (
+  type, data
+) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+  11, X'ae096b87b44886d3b820978623dabd0eae22ebbc'
+ );
+
 INSERT INTO identities (
   type, data
 ) VALUES ( /* carol@strongswan.org */
@@ -20,7 +26,7 @@ INSERT INTO identities (
 
 INSERT INTO identities (
   type, data
-) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=carol@strongswan.org' */
+) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=carol@strongswan.org' */
   11, X'1fa1a988d9648cb5a0a2546439b4f23d745d6e7c'
  );
 
@@ -59,13 +65,19 @@ INSERT INTO certificate_identity (
 INSERT INTO certificate_identity (
   certificate, identity
 ) VALUES (
-  2, 3
+  1, 3
 );
 
 INSERT INTO certificate_identity (
   certificate, identity
 ) VALUES (
-  2, 4
+  2, 4 
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  2, 5 
 );
 
 /* Private Keys */
@@ -79,13 +91,13 @@ INSERT INTO private_keys (
 INSERT INTO private_key_identity (
   private_key, identity
 ) VALUES (
-  1, 3
+  1, 4 
 );
 
 INSERT INTO private_key_identity (
   private_key, identity
 ) VALUES (
-  1, 4
+  1, 5 
 );
 
 /* Configurations */
@@ -99,7 +111,7 @@ INSERT INTO ike_configs (
 INSERT INTO peer_configs (
   name, ike_cfg, local_id, remote_id, virtual
 ) VALUES (
-  'home', 1, 3, 5, '0.0.0.0'
+  'home', 1, 4, 6, '0.0.0.0'
 );
 
 INSERT INTO child_configs (
diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/strongswan.conf b/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/strongswan.conf
index a0d88cff1..f375db9c9 100644
--- a/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/ipsec.d/data.sql b/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/ipsec.d/data.sql
index 425c180a1..acc82b8d1 100644
--- a/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/ipsec.d/data.sql
@@ -8,10 +8,15 @@ INSERT INTO identities (
 
 INSERT INTO identities (
   type, data
-) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
   11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def'
  );
 
+INSERT INTO identities (
+  type, data
+) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+  11, X'ae096b87b44886d3b820978623dabd0eae22ebbc'
+ );
 INSERT INTO identities (
   type, data
 ) VALUES ( /* dave@strongswan.org */
@@ -20,7 +25,7 @@ INSERT INTO identities (
 
 INSERT INTO identities (
   type, data
-) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=dave@strongswan.org' */
+) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=dave@strongswan.org' */
   11, X'ee7f38daeea1b81a41777f78f2674be8439d8e0e'
  );
 
@@ -59,13 +64,19 @@ INSERT INTO certificate_identity (
 INSERT INTO certificate_identity (
   certificate, identity
 ) VALUES (
-  2, 3
+  1, 3
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  2, 4 
 );
 
 INSERT INTO certificate_identity (
   certificate, identity
 ) VALUES (
-  2, 4
+  2, 5 
 );
 
 /* Private Keys */
@@ -79,13 +90,13 @@ INSERT INTO private_keys (
 INSERT INTO private_key_identity (
   private_key, identity
 ) VALUES (
-  1, 3
+  1, 4 
 );
 
 INSERT INTO private_key_identity (
   private_key, identity
 ) VALUES (
-  1, 4
+  1, 5 
 );
 
 /* Configurations */
@@ -99,7 +110,7 @@ INSERT INTO ike_configs (
 INSERT INTO peer_configs (
   name, ike_cfg, local_id, remote_id, virtual
 ) VALUES (
-  'home', 1, 3, 5, '0.0.0.0'
+  'home', 1, 4, 6, '0.0.0.0'
 );
 
 INSERT INTO child_configs (
diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/strongswan.conf b/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/strongswan.conf
index a0d88cff1..f375db9c9 100644
--- a/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/ipsec.d/data.sql
index ac776f39d..3b0ea67d4 100644
--- a/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/ipsec.d/data.sql
@@ -8,10 +8,16 @@ INSERT INTO identities (
 
 INSERT INTO identities (
   type, data
-) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
   11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def'
  );
 
+INSERT INTO identities (
+  type, data
+) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+  11, X'ae096b87b44886d3b820978623dabd0eae22ebbc'
+ );
+
 INSERT INTO identities (
   type, data
 ) VALUES ( /* moon.strongswan.org */
@@ -20,7 +26,7 @@ INSERT INTO identities (
 
 INSERT INTO identities (
   type, data
-) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */
+) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */
   11, X'6a9c74d1f8897989f65a94e989f1fac3649d292e'
  );
 
@@ -71,13 +77,19 @@ INSERT INTO certificate_identity (
 INSERT INTO certificate_identity (
   certificate, identity
 ) VALUES (
-  2, 3
+  1, 3
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  2, 4 
 );
 
 INSERT INTO certificate_identity (
   certificate, identity
 ) VALUES (
-  2, 4
+  2, 5 
 );
 
 /* Private Keys */
@@ -91,13 +103,13 @@ INSERT INTO private_keys (
 INSERT INTO private_key_identity (
   private_key, identity
 ) VALUES (
-  1, 3
+  1, 4 
 );
 
 INSERT INTO private_key_identity (
   private_key, identity
 ) VALUES (
-  1, 4
+  1, 5 
 );
 
 /* Configurations */
@@ -111,7 +123,7 @@ INSERT INTO ike_configs (
 INSERT INTO peer_configs (
   name, ike_cfg, local_id, remote_id, pool
 ) VALUES (
-  'rw', 1, 3, 5, 'pool0,pool1'
+  'rw', 1, 4, 6, 'pool0,pool1'
 );
 
 INSERT INTO child_configs (
@@ -167,7 +179,7 @@ INSERT INTO pools (
 INSERT INTO addresses (
   pool, address, identity, acquired, released
 ) VALUES (
-  1, X'0a030001', 6, 1247817255, 1247817277 
+  1, X'0a030001', 7, 1247817255, 1247817277 
 );
 
 INSERT INTO addresses (
@@ -179,7 +191,7 @@ INSERT INTO addresses (
 INSERT INTO addresses (
   pool, address, identity, acquired, released
 ) VALUES (
-  2, X'0a030101', 7, 1247817257, 1247817278
+  2, X'0a030101', 8, 1247817257, 1247817278
 );
 
 INSERT INTO addresses (
@@ -191,14 +203,11 @@ INSERT INTO addresses (
 INSERT INTO leases (
   address, identity, acquired, released
 ) VALUES (
-  1, 6, 1247817255, 1247817277
+  1, 7, 1247817255, 1247817277
 );
 
 INSERT INTO leases (
   address, identity, acquired, released
 ) VALUES (
-  3, 7, 1247817257, 1247817278
+  3, 8, 1247817257, 1247817278
 );
-
-
-
diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/strongswan.conf b/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/strongswan.conf
index e99a7c505..1c30841cf 100644
--- a/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/strongswan.conf
@@ -6,7 +6,7 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql attr-sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql attr-sql
 }
 
 libhydra {
diff --git a/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/ipsec.d/data.sql
index 9afa1b15d..38c9d9bbe 100644
--- a/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/ipsec.d/data.sql
@@ -8,10 +8,16 @@ INSERT INTO identities (
 
 INSERT INTO identities (
   type, data
-) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
   11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def'
  );
 
+INSERT INTO identities (
+  type, data
+) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+  11, X'ae096b87b44886d3b820978623dabd0eae22ebbc'
+ );
+
 INSERT INTO identities (
   type, data
 ) VALUES ( /* carol@strongswan.org */
@@ -20,7 +26,7 @@ INSERT INTO identities (
 
 INSERT INTO identities (
   type, data
-) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=carol@strongswan.org' */
+) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=carol@strongswan.org' */
   11, X'1fa1a988d9648cb5a0a2546439b4f23d745d6e7c'
  );
 
@@ -59,13 +65,19 @@ INSERT INTO certificate_identity (
 INSERT INTO certificate_identity (
   certificate, identity
 ) VALUES (
-  2, 3
+  1, 3
 );
 
 INSERT INTO certificate_identity (
   certificate, identity
 ) VALUES (
-  2, 4
+  2, 4 
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  2, 5 
 );
 
 /* Private Keys */
@@ -79,13 +91,13 @@ INSERT INTO private_keys (
 INSERT INTO private_key_identity (
   private_key, identity
 ) VALUES (
-  1, 3
+  1, 4 
 );
 
 INSERT INTO private_key_identity (
   private_key, identity
 ) VALUES (
-  1, 4
+  1, 5 
 );
 
 /* Configurations */
@@ -99,7 +111,7 @@ INSERT INTO ike_configs (
 INSERT INTO peer_configs (
   name, ike_cfg, local_id, remote_id, virtual
 ) VALUES (
-  'home', 1, 3, 5, '0.0.0.0'
+  'home', 1, 4, 6, '0.0.0.0'
 );
 
 INSERT INTO child_configs (
diff --git a/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/strongswan.conf b/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/strongswan.conf
index a0d88cff1..f375db9c9 100644
--- a/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/ipsec.d/data.sql b/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/ipsec.d/data.sql
index 425c180a1..9739a7839 100644
--- a/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/ipsec.d/data.sql
@@ -8,10 +8,16 @@ INSERT INTO identities (
 
 INSERT INTO identities (
   type, data
-) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
   11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def'
  );
 
+INSERT INTO identities (
+  type, data
+) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+  11, X'ae096b87b44886d3b820978623dabd0eae22ebbc'
+ );
+
 INSERT INTO identities (
   type, data
 ) VALUES ( /* dave@strongswan.org */
@@ -20,7 +26,7 @@ INSERT INTO identities (
 
 INSERT INTO identities (
   type, data
-) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=dave@strongswan.org' */
+) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=dave@strongswan.org' */
   11, X'ee7f38daeea1b81a41777f78f2674be8439d8e0e'
  );
 
@@ -59,13 +65,19 @@ INSERT INTO certificate_identity (
 INSERT INTO certificate_identity (
   certificate, identity
 ) VALUES (
-  2, 3
+  1, 3
 );
 
 INSERT INTO certificate_identity (
   certificate, identity
 ) VALUES (
-  2, 4
+  2, 4 
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  2, 5 
 );
 
 /* Private Keys */
@@ -79,13 +91,13 @@ INSERT INTO private_keys (
 INSERT INTO private_key_identity (
   private_key, identity
 ) VALUES (
-  1, 3
+  1, 4 
 );
 
 INSERT INTO private_key_identity (
   private_key, identity
 ) VALUES (
-  1, 4
+  1, 5 
 );
 
 /* Configurations */
@@ -99,7 +111,7 @@ INSERT INTO ike_configs (
 INSERT INTO peer_configs (
   name, ike_cfg, local_id, remote_id, virtual
 ) VALUES (
-  'home', 1, 3, 5, '0.0.0.0'
+  'home', 1, 4, 6, '0.0.0.0'
 );
 
 INSERT INTO child_configs (
diff --git a/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/strongswan.conf b/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/strongswan.conf
index a0d88cff1..f375db9c9 100644
--- a/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/ipsec.d/data.sql
index a062ac167..ae493ee64 100644
--- a/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/ipsec.d/data.sql
@@ -8,10 +8,16 @@ INSERT INTO identities (
 
 INSERT INTO identities (
   type, data
-) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
   11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def'
  );
 
+INSERT INTO identities (
+  type, data
+) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+  11, X'ae096b87b44886d3b820978623dabd0eae22ebbc'
+ );
+
 INSERT INTO identities (
   type, data
 ) VALUES ( /* moon.strongswan.org */
@@ -20,7 +26,7 @@ INSERT INTO identities (
 
 INSERT INTO identities (
   type, data
-) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */
+) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */
   11, X'6a9c74d1f8897989f65a94e989f1fac3649d292e'
  );
 
@@ -59,13 +65,19 @@ INSERT INTO certificate_identity (
 INSERT INTO certificate_identity (
   certificate, identity
 ) VALUES (
-  2, 3
+  1, 3
 );
 
 INSERT INTO certificate_identity (
   certificate, identity
 ) VALUES (
-  2, 4
+  2, 4 
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  2, 5 
 );
 
 /* Private Keys */
@@ -79,13 +91,13 @@ INSERT INTO private_keys (
 INSERT INTO private_key_identity (
   private_key, identity
 ) VALUES (
-  1, 3
+  1, 4 
 );
 
 INSERT INTO private_key_identity (
   private_key, identity
 ) VALUES (
-  1, 4
+  1, 5 
 );
 
 /* Configurations */
@@ -99,7 +111,7 @@ INSERT INTO ike_configs (
 INSERT INTO peer_configs (
   name, ike_cfg, local_id, remote_id, pool
 ) VALUES (
-  'rw', 1, 3, 5, 'pool0,pool1'
+  'rw', 1, 4, 6, 'pool0,pool1'
 );
 
 INSERT INTO child_configs (
diff --git a/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/strongswan.conf b/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/strongswan.conf
index e99a7c505..1c30841cf 100644
--- a/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/strongswan.conf
@@ -6,7 +6,7 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql attr-sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql attr-sql
 }
 
 libhydra {
diff --git a/testing/tests/sql/net2net-cert/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/net2net-cert/hosts/moon/etc/ipsec.d/data.sql
index c4424bd89..54086643f 100644
--- a/testing/tests/sql/net2net-cert/hosts/moon/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/net2net-cert/hosts/moon/etc/ipsec.d/data.sql
@@ -8,10 +8,16 @@ INSERT INTO identities (
 
 INSERT INTO identities (
   type, data
-) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
   11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def'
  );
 
+INSERT INTO identities (
+  type, data
+) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+  11, X'ae096b87b44886d3b820978623dabd0eae22ebbc'
+ );
+
 INSERT INTO identities (
   type, data
 ) VALUES ( /* moon.strongswan.org */
@@ -26,7 +32,7 @@ INSERT INTO identities (
 
 INSERT INTO identities (
   type, data
-) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */
+) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */
   11, X'6a9c74d1f8897989f65a94e989f1fac3649d292e'
  );
 
@@ -59,13 +65,19 @@ INSERT INTO certificate_identity (
 INSERT INTO certificate_identity (
   certificate, identity
 ) VALUES (
-  2, 3
+  1, 3
 );
 
 INSERT INTO certificate_identity (
   certificate, identity
 ) VALUES (
-  2, 5
+  2, 4 
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  2, 6 
 );
 
 /* Private Keys */
@@ -79,13 +91,13 @@ INSERT INTO private_keys (
 INSERT INTO private_key_identity (
   private_key, identity
 ) VALUES (
-  1, 3
+  1, 4 
 );
 
 INSERT INTO private_key_identity (
   private_key, identity
 ) VALUES (
-  1, 5
+  1, 6 
 );
 
 /* Configurations */
@@ -99,7 +111,7 @@ INSERT INTO ike_configs (
 INSERT INTO peer_configs (
   name, ike_cfg, local_id, remote_id, mobike
 ) VALUES (
-  'net-net', 1, 3, 4, 0
+  'net-net', 1, 4, 5, 0
 );
 
 INSERT INTO child_configs (
diff --git a/testing/tests/sql/net2net-cert/hosts/moon/etc/strongswan.conf b/testing/tests/sql/net2net-cert/hosts/moon/etc/strongswan.conf
index a0d88cff1..f375db9c9 100644
--- a/testing/tests/sql/net2net-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/net2net-cert/hosts/moon/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/net2net-cert/hosts/sun/etc/ipsec.d/data.sql b/testing/tests/sql/net2net-cert/hosts/sun/etc/ipsec.d/data.sql
index d70481715..2bc8b34c8 100644
--- a/testing/tests/sql/net2net-cert/hosts/sun/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/net2net-cert/hosts/sun/etc/ipsec.d/data.sql
@@ -8,10 +8,16 @@ INSERT INTO identities (
 
 INSERT INTO identities (
   type, data
-) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
   11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def'
  );
 
+INSERT INTO identities (
+  type, data
+) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+  11, X'ae096b87b44886d3b820978623dabd0eae22ebbc'
+ );
+
 INSERT INTO identities (
   type, data
 ) VALUES ( /* moon.strongswan.org */
@@ -26,7 +32,7 @@ INSERT INTO identities (
 
 INSERT INTO identities (
   type, data
-) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=sun.strongswan.org' */
+) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=sun.strongswan.org' */
   11, X'56d69e2fdaa8a1cd195c2353e7c5b67096e30bfb'
  );
 
@@ -59,13 +65,19 @@ INSERT INTO certificate_identity (
 INSERT INTO certificate_identity (
   certificate, identity
 ) VALUES (
-  2, 4
+  1, 3
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  2, 5 
 );
 
 INSERT INTO certificate_identity (
   certificate, identity
 ) VALUES (
-  2, 5
+  2, 6 
 );
 
 /* Private Keys */
@@ -79,13 +91,13 @@ INSERT INTO private_keys (
 INSERT INTO private_key_identity (
   private_key, identity
 ) VALUES (
-  1, 4
+  1, 5 
 );
 
 INSERT INTO private_key_identity (
   private_key, identity
 ) VALUES (
-  1, 5
+  1, 6 
 );
 
 /* Configurations */
@@ -99,7 +111,7 @@ INSERT INTO ike_configs (
 INSERT INTO peer_configs (
   name, ike_cfg, local_id, remote_id, mobike
 ) VALUES (
-  'net-net', 1, 4, 3, 0
+  'net-net', 1, 5, 4, 0
 );
 
 INSERT INTO child_configs (
diff --git a/testing/tests/sql/net2net-cert/hosts/sun/etc/strongswan.conf b/testing/tests/sql/net2net-cert/hosts/sun/etc/strongswan.conf
index a0d88cff1..f375db9c9 100644
--- a/testing/tests/sql/net2net-cert/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/sql/net2net-cert/hosts/sun/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-cert/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/rw-cert/hosts/carol/etc/ipsec.d/data.sql
index 983f1bf35..b1bf20943 100644
--- a/testing/tests/sql/rw-cert/hosts/carol/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/rw-cert/hosts/carol/etc/ipsec.d/data.sql
@@ -8,10 +8,16 @@ INSERT INTO identities (
 
 INSERT INTO identities (
   type, data
-) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
   11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def'
  );
 
+INSERT INTO identities (
+  type, data
+) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+  11, X'ae096b87b44886d3b820978623dabd0eae22ebbc'
+ );
+
 INSERT INTO identities (
   type, data
 ) VALUES ( /* carol@strongswan.org */
@@ -20,7 +26,7 @@ INSERT INTO identities (
 
 INSERT INTO identities (
   type, data
-) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=carol@strongswan.org' */
+) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=carol@strongswan.org' */
   11, X'1fa1a988d9648cb5a0a2546439b4f23d745d6e7c'
  );
 
@@ -59,13 +65,19 @@ INSERT INTO certificate_identity (
 INSERT INTO certificate_identity (
   certificate, identity
 ) VALUES (
-  2, 3
+  1, 3
 );
 
 INSERT INTO certificate_identity (
   certificate, identity
 ) VALUES (
-  2, 4
+  2, 4 
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  2, 5 
 );
 
 /* Private Keys */
@@ -79,13 +91,13 @@ INSERT INTO private_keys (
 INSERT INTO private_key_identity (
   private_key, identity
 ) VALUES (
-  1, 3
+  1, 4 
 );
 
 INSERT INTO private_key_identity (
   private_key, identity
 ) VALUES (
-  1, 4
+  1, 5 
 );
 
 /* Configurations */
@@ -99,7 +111,7 @@ INSERT INTO ike_configs (
 INSERT INTO peer_configs (
   name, ike_cfg, local_id, remote_id
 ) VALUES (
-  'home', 1, 3, 5
+  'home', 1, 4, 6 
 );
 
 INSERT INTO child_configs (
diff --git a/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf
index 49de2788e..bc951c1dd 100644
--- a/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf
@@ -6,7 +6,7 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
 }
 
 libstrongswan {
diff --git a/testing/tests/sql/rw-cert/hosts/dave/etc/ipsec.d/data.sql b/testing/tests/sql/rw-cert/hosts/dave/etc/ipsec.d/data.sql
index 9ccee6ce8..53168adff 100644
--- a/testing/tests/sql/rw-cert/hosts/dave/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/rw-cert/hosts/dave/etc/ipsec.d/data.sql
@@ -8,10 +8,16 @@ INSERT INTO identities (
 
 INSERT INTO identities (
   type, data
-) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
   11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def'
  );
 
+INSERT INTO identities (
+  type, data
+) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+  11, X'ae096b87b44886d3b820978623dabd0eae22ebbc'
+ );
+
 INSERT INTO identities (
   type, data
 ) VALUES ( /* dave@strongswan.org */
@@ -20,7 +26,7 @@ INSERT INTO identities (
 
 INSERT INTO identities (
   type, data
-) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=dave@strongswan.org' */
+) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=dave@strongswan.org' */
   11, X'ee7f38daeea1b81a41777f78f2674be8439d8e0e'
  );
 
@@ -59,13 +65,19 @@ INSERT INTO certificate_identity (
 INSERT INTO certificate_identity (
   certificate, identity
 ) VALUES (
-  2, 3
+  1, 3
 );
 
 INSERT INTO certificate_identity (
   certificate, identity
 ) VALUES (
-  2, 4
+  2, 4 
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  2, 5 
 );
 
 /* Private Keys */
@@ -79,13 +91,13 @@ INSERT INTO private_keys (
 INSERT INTO private_key_identity (
   private_key, identity
 ) VALUES (
-  1, 3
+  1, 4 
 );
 
 INSERT INTO private_key_identity (
   private_key, identity
 ) VALUES (
-  1, 4
+  1, 5 
 );
 
 /* Configurations */
@@ -99,7 +111,7 @@ INSERT INTO ike_configs (
 INSERT INTO peer_configs (
   name, ike_cfg, local_id, remote_id
 ) VALUES (
-  'home', 1, 3, 5
+  'home', 1, 4, 6 
 );
 
 INSERT INTO child_configs (
diff --git a/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf
index 49de2788e..bc951c1dd 100644
--- a/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf
@@ -6,7 +6,7 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
 }
 
 libstrongswan {
diff --git a/testing/tests/sql/rw-cert/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/rw-cert/hosts/moon/etc/ipsec.d/data.sql
index b239402e4..1a3807b80 100644
--- a/testing/tests/sql/rw-cert/hosts/moon/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/rw-cert/hosts/moon/etc/ipsec.d/data.sql
@@ -8,10 +8,16 @@ INSERT INTO identities (
 
 INSERT INTO identities (
   type, data
-) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
   11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def'
  );
 
+INSERT INTO identities (
+  type, data
+) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+  11, X'ae096b87b44886d3b820978623dabd0eae22ebbc'
+ );
+
 INSERT INTO identities (
   type, data
 ) VALUES ( /* moon.strongswan.org */
@@ -20,7 +26,7 @@ INSERT INTO identities (
 
 INSERT INTO identities (
   type, data
-) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */
+) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */
   11, X'6a9c74d1f8897989f65a94e989f1fac3649d292e'
  );
 
@@ -59,13 +65,19 @@ INSERT INTO certificate_identity (
 INSERT INTO certificate_identity (
   certificate, identity
 ) VALUES (
-  2, 3
+  1, 3
 );
 
 INSERT INTO certificate_identity (
   certificate, identity
 ) VALUES (
-  2, 4
+  2, 4 
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  2, 5 
 );
 
 /* Private Keys */
@@ -79,13 +91,13 @@ INSERT INTO private_keys (
 INSERT INTO private_key_identity (
   private_key, identity
 ) VALUES (
-  1, 3
+  1, 4 
 );
 
 INSERT INTO private_key_identity (
   private_key, identity
 ) VALUES (
-  1, 4
+  1, 5 
 );
 
 /* Configurations */
@@ -99,7 +111,7 @@ INSERT INTO ike_configs (
 INSERT INTO peer_configs (
   name, ike_cfg, local_id, remote_id
 ) VALUES (
-  'rw', 1, 3, 5
+  'rw', 1, 4, 6 
 );
 
 INSERT INTO child_configs (
diff --git a/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf
index 49de2788e..bc951c1dd 100644
--- a/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf
@@ -6,7 +6,7 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
 }
 
 libstrongswan {
diff --git a/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/ipsec.d/data.sql
index d574e380a..8a4e5275b 100644
--- a/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/ipsec.d/data.sql
@@ -8,10 +8,16 @@ INSERT INTO identities (
 
 INSERT INTO identities (
   type, data
-) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
   11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def'
  );
 
+INSERT INTO identities (
+  type, data
+) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+  11, X'ae096b87b44886d3b820978623dabd0eae22ebbc'
+ );
+
 INSERT INTO identities (
   type, data
 ) VALUES ( /* carol@strongswan.org */
@@ -44,6 +50,12 @@ INSERT INTO certificate_identity (
   1, 2
 );
 
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  1, 3
+);
+
 /* Shared Secrets */
 
 INSERT INTO shared_secrets (
@@ -55,13 +67,13 @@ INSERT INTO shared_secrets (
 INSERT INTO shared_secret_identity (
   shared_secret, identity
 ) VALUES (
-  1, 3 
+  1,  4 
 );
 
 INSERT INTO shared_secret_identity (
   shared_secret, identity
 ) VALUES (
-  1, 4 
+  1, 5 
 );
 
 /* Configurations */
@@ -75,7 +87,7 @@ INSERT INTO ike_configs (
 INSERT INTO peer_configs (
   name, ike_cfg, local_id, remote_id, auth_method
 ) VALUES (
-  'home', 1, 3, 4, 3
+  'home', 1, 4, 5, 3
 );
 
 INSERT INTO child_configs (
diff --git a/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf
index a5a7d2017..f17071c95 100644
--- a/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db
     }
   }
-  load = curl aes des sha1 sha2 md5 fips-prf pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql eap-aka eap-aka-3gpp2
+  load = curl aes des sha1 sha2 md5 fips-prf pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql eap-aka eap-aka-3gpp2
 }
diff --git a/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/ipsec.d/data.sql
index 2cd45fbf0..58a42cf00 100644
--- a/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/ipsec.d/data.sql
@@ -8,10 +8,16 @@ INSERT INTO identities (
 
 INSERT INTO identities (
   type, data
-) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
   11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def'
  );
 
+INSERT INTO identities (
+  type, data
+) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+  11, X'ae096b87b44886d3b820978623dabd0eae22ebbc'
+ );
+
 INSERT INTO identities (
   type, data
 ) VALUES ( /* moon.strongswan.org */
@@ -20,7 +26,7 @@ INSERT INTO identities (
 
 INSERT INTO identities (
   type, data
-) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */
+) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */
   11, X'6a9c74d1f8897989f65a94e989f1fac3649d292e'
  );
 
@@ -62,6 +68,12 @@ INSERT INTO certificate_identity (
   1, 2
 );
 
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  1, 3
+);
+
 INSERT INTO certificate_identity (
   certificate, identity
 ) VALUES (
@@ -85,13 +97,13 @@ INSERT INTO private_keys (
 INSERT INTO private_key_identity (
   private_key, identity
 ) VALUES (
-  1, 3
+  1, 4 
 );
 
 INSERT INTO private_key_identity (
   private_key, identity
 ) VALUES (
-  1, 4
+  1, 5 
 );
 
 /* Shared Secrets */
@@ -105,13 +117,13 @@ INSERT INTO shared_secrets (
 INSERT INTO shared_secret_identity (
   shared_secret, identity
 ) VALUES (
-  1, 3
+  1, 4 
 );
 
 INSERT INTO shared_secret_identity (
   shared_secret, identity
 ) VALUES (
-  1, 6
+  1, 7 
 );
 
 /* Configurations */
@@ -125,7 +137,7 @@ INSERT INTO ike_configs (
 INSERT INTO peer_configs (
   name, ike_cfg, local_id, remote_id, eap_type
 ) VALUES (
-  'rw-eap-aka', 1, 3, 5, 23
+  'rw-eap-aka', 1, 4, 6, 23
 );
 
 INSERT INTO child_configs (
diff --git a/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf
index 52de80b19..d2558edf4 100644
--- a/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db
     }
   }
-  load = aes des sha1 sha2 md5 fips-prf pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql eap-aka eap-aka-3gpp2
+  load = aes des sha1 sha2 md5 fips-prf pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql eap-aka eap-aka-3gpp2
 }
diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/ipsec.d/data.sql
index bb6a9ec80..7d2d17bab 100644
--- a/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/ipsec.d/data.sql
@@ -8,10 +8,16 @@ INSERT INTO identities (
 
 INSERT INTO identities (
   type, data
-) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
   11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def'
  );
 
+INSERT INTO identities (
+  type, data
+) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+  11, X'ae096b87b44886d3b820978623dabd0eae22ebbc'
+ );
+
 INSERT INTO identities (
   type, data
 ) VALUES ( /* carol@strongswan.org */
@@ -44,6 +50,12 @@ INSERT INTO certificate_identity (
   1, 2
 );
 
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  1, 3
+);
+
 /* Shared Secrets */
 
 INSERT INTO shared_secrets (
@@ -55,13 +67,13 @@ INSERT INTO shared_secrets (
 INSERT INTO shared_secret_identity (
   shared_secret, identity
 ) VALUES (
-  1, 3
+  1, 4 
 );
 
 INSERT INTO shared_secret_identity (
   shared_secret, identity
 ) VALUES (
-  1, 4
+  1, 5 
 );
 
 /* Configurations */
@@ -75,7 +87,7 @@ INSERT INTO ike_configs (
 INSERT INTO peer_configs (
   name, ike_cfg, local_id, remote_id, auth_method
 ) VALUES (
-  'home', 1, 3, 4, 2
+  'home', 1, 4, 5, 2
 );
 
 INSERT INTO child_configs (
diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf
index a0d88cff1..f375db9c9 100644
--- a/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/ipsec.d/data.sql b/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/ipsec.d/data.sql
index 42082f400..53d84eec6 100644
--- a/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/ipsec.d/data.sql
@@ -8,10 +8,16 @@ INSERT INTO identities (
 
 INSERT INTO identities (
   type, data
-) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
   11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def'
  );
 
+INSERT INTO identities (
+  type, data
+) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+  11, X'ae096b87b44886d3b820978623dabd0eae22ebbc'
+ );
+
 INSERT INTO identities (
   type, data
 ) VALUES ( /* dave@strongswan.org */
@@ -44,6 +50,12 @@ INSERT INTO certificate_identity (
   1, 2
 );
 
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  1, 3
+);
+
 /* Shared Secrets */
 
 INSERT INTO shared_secrets (
@@ -55,13 +67,13 @@ INSERT INTO shared_secrets (
 INSERT INTO shared_secret_identity (
   shared_secret, identity
 ) VALUES (
-  1, 3
+  1, 4 
 );
 
 INSERT INTO shared_secret_identity (
   shared_secret, identity
 ) VALUES (
-  1, 4
+  1, 5 
 );
 
 
@@ -76,7 +88,7 @@ INSERT INTO ike_configs (
 INSERT INTO peer_configs (
   name, ike_cfg, local_id, remote_id, auth_method
 ) VALUES (
-  'home', 1, 3, 4, 2
+  'home', 1, 4, 5, 2
 );
 
 INSERT INTO child_configs (
diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf
index a0d88cff1..f375db9c9 100644
--- a/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/ipsec.d/data.sql
index 35598e97d..70f188453 100644
--- a/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/ipsec.d/data.sql
@@ -8,10 +8,16 @@ INSERT INTO identities (
 
 INSERT INTO identities (
   type, data
-) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
   11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def'
  );
 
+INSERT INTO identities (
+  type, data
+) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+  11, X'ae096b87b44886d3b820978623dabd0eae22ebbc'
+ );
+
 INSERT INTO identities (
   type, data
 ) VALUES ( /* moon.strongswan.org */
@@ -20,7 +26,7 @@ INSERT INTO identities (
 
 INSERT INTO identities (
   type, data
-) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */
+) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */
   11, X'6a9c74d1f8897989f65a94e989f1fac3649d292e'
  );
 
@@ -71,13 +77,19 @@ INSERT INTO certificate_identity (
 INSERT INTO certificate_identity (
   certificate, identity
 ) VALUES (
-  2, 3
+  1, 3
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  2, 4 
 );
 
 INSERT INTO certificate_identity (
   certificate, identity
 ) VALUES (
-  2, 4
+  2, 5 
 );
 
 /* Private Keys */
@@ -91,13 +103,13 @@ INSERT INTO private_keys (
 INSERT INTO private_key_identity (
   private_key, identity
 ) VALUES (
-  1, 3
+  1, 4 
 );
 
 INSERT INTO private_key_identity (
   private_key, identity
 ) VALUES (
-  1, 4
+  1, 5 
 );
 
 /* Shared Secrets */
@@ -117,25 +129,25 @@ INSERT INTO shared_secrets (
 INSERT INTO shared_secret_identity (
   shared_secret, identity
 ) VALUES (
-  1, 3
+  1, 4 
 );
 
 INSERT INTO shared_secret_identity (
   shared_secret, identity
 ) VALUES (
-  1, 6
+  1, 7 
 );
 
 INSERT INTO shared_secret_identity (
   shared_secret, identity
 ) VALUES (
-  2, 3
+  2, 4 
 );
 
 INSERT INTO shared_secret_identity (
   shared_secret, identity
 ) VALUES (
-  2, 7
+  2, 8 
 );
 
 
@@ -150,7 +162,7 @@ INSERT INTO ike_configs (
 INSERT INTO peer_configs (
   name, ike_cfg, local_id, remote_id
 ) VALUES (
-  'rw', 1, 3, 5
+  'rw', 1, 4, 6 
 );
 
 INSERT INTO child_configs (
diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf
index a0d88cff1..f375db9c9 100644
--- a/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/ipsec.d/data.sql
index f5d06eaba..4f181b91b 100644
--- a/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/ipsec.d/data.sql
@@ -14,13 +14,13 @@ INSERT INTO identities (
 
 INSERT INTO identities (
   type, data
-) VALUES ( /* keyid of carol@strongswan.org */
+) VALUES ( /* subjkey of carol@strongswan.org */
   11, X'1fa1a988d9648cb5a0a2546439b4f23d745d6e7c'
  );
 
 INSERT INTO identities (
   type, data
-) VALUES ( /* keyid of moon.strongswan.org */
+) VALUES ( /* subjkey of moon.strongswan.org */
   11, X'6a9c74d1f8897989f65a94e989f1fac3649d292e'
  );
 
diff --git a/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/strongswan.conf
index 6e6641fa5..34f0c571e 100644
--- a/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/ipsec.d/data.sql b/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/ipsec.d/data.sql
index 2e9acf5f6..9a36c2c37 100644
--- a/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/ipsec.d/data.sql
@@ -14,13 +14,13 @@ INSERT INTO identities (
 
 INSERT INTO identities (
   type, data
-) VALUES ( /* keyid of dave@strongswan.org */
+) VALUES ( /* subjkey of dave@strongswan.org */
   11, X'ee7f38daeea1b81a41777f78f2674be8439d8e0e'
  );
 
 INSERT INTO identities (
   type, data
-) VALUES ( /* keyid of moon.strongswan.org */
+) VALUES ( /* subjkey of moon.strongswan.org */
   11, X'6a9c74d1f8897989f65a94e989f1fac3649d292e'
  );
 
diff --git a/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/strongswan.conf
index 6e6641fa5..34f0c571e 100644
--- a/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/ipsec.d/data.sql
index ee7586925..9718a75bf 100644
--- a/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/ipsec.d/data.sql
@@ -26,19 +26,19 @@ INSERT INTO identities (
 
 INSERT INTO identities (
   type, data
-) VALUES ( /* keyid of moon.strongswan.org */
+) VALUES ( /* subjkey of moon.strongswan.org */
   11, X'6a9c74d1f8897989f65a94e989f1fac3649d292e'
  );
 
 INSERT INTO identities (
   type, data
-) VALUES ( /* keyid of carol@strongswan.org */
+) VALUES ( /* subjkey of carol@strongswan.org */
   11, X'1fa1a988d9648cb5a0a2546439b4f23d745d6e7c'
  );
 
 INSERT INTO identities (
   type, data
-) VALUES ( /* keyid of dave@strongswan.org */
+) VALUES ( /* subjkey of dave@strongswan.org */
   11, X'ee7f38daeea1b81a41777f78f2674be8439d8e0e'
  );
 
diff --git a/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/strongswan.conf
index 6e6641fa5..34f0c571e 100644
--- a/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-rsa/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/rw-rsa/hosts/carol/etc/ipsec.d/data.sql
index bf086ad42..8219bdfad 100644
--- a/testing/tests/sql/rw-rsa/hosts/carol/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/rw-rsa/hosts/carol/etc/ipsec.d/data.sql
@@ -14,13 +14,13 @@ INSERT INTO identities (
 
 INSERT INTO identities (
   type, data
-) VALUES ( /* keyid of carol@strongswan.org */
+) VALUES ( /* subjkey of carol@strongswan.org */
   11, X'1fa1a988d9648cb5a0a2546439b4f23d745d6e7c'
  );
 
 INSERT INTO identities (
   type, data
-) VALUES ( /* keyid of moon.strongswan.org */
+) VALUES ( /* subjkey of moon.strongswan.org */
   11, X'6a9c74d1f8897989f65a94e989f1fac3649d292e'
  );
 
diff --git a/testing/tests/sql/rw-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-rsa/hosts/carol/etc/strongswan.conf
index 6e6641fa5..34f0c571e 100644
--- a/testing/tests/sql/rw-rsa/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/rw-rsa/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-rsa/hosts/dave/etc/ipsec.d/data.sql b/testing/tests/sql/rw-rsa/hosts/dave/etc/ipsec.d/data.sql
index cbd2ae2e0..7c9cd9fe4 100644
--- a/testing/tests/sql/rw-rsa/hosts/dave/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/rw-rsa/hosts/dave/etc/ipsec.d/data.sql
@@ -14,13 +14,13 @@ INSERT INTO identities (
 
 INSERT INTO identities (
   type, data
-) VALUES ( /* keyid of dave@strongswan.org */
+) VALUES ( /* subjkey of dave@strongswan.org */
   11, X'ee7f38daeea1b81a41777f78f2674be8439d8e0e'
  );
 
 INSERT INTO identities (
   type, data
-) VALUES ( /* keyid of moon.strongswan.org */
+) VALUES ( /* subjkey of moon.strongswan.org */
   11, X'6a9c74d1f8897989f65a94e989f1fac3649d292e'
  );
 
diff --git a/testing/tests/sql/rw-rsa/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-rsa/hosts/dave/etc/strongswan.conf
index 6e6641fa5..34f0c571e 100644
--- a/testing/tests/sql/rw-rsa/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/rw-rsa/hosts/dave/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-rsa/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/rw-rsa/hosts/moon/etc/ipsec.d/data.sql
index 545708e67..8a4eb2d21 100644
--- a/testing/tests/sql/rw-rsa/hosts/moon/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/rw-rsa/hosts/moon/etc/ipsec.d/data.sql
@@ -26,19 +26,19 @@ INSERT INTO identities (
 
 INSERT INTO identities (
   type, data
-) VALUES ( /* keyid of moon.strongswan.org */
+) VALUES ( /* subjkey of moon.strongswan.org */
   11, X'6a9c74d1f8897989f65a94e989f1fac3649d292e'
  );
 
 INSERT INTO identities (
   type, data
-) VALUES ( /* keyid of carol@strongswan.org */
+) VALUES ( /* subjkey of carol@strongswan.org */
   11, X'1fa1a988d9648cb5a0a2546439b4f23d745d6e7c'
  );
 
 INSERT INTO identities (
   type, data
-) VALUES ( /* keyid of dave@strongswan.org */
+) VALUES ( /* subjkey of dave@strongswan.org */
   11, X'ee7f38daeea1b81a41777f78f2674be8439d8e0e'
  );
 
diff --git a/testing/tests/sql/rw-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-rsa/hosts/moon/etc/strongswan.conf
index 6e6641fa5..34f0c571e 100644
--- a/testing/tests/sql/rw-rsa/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/rw-rsa/hosts/moon/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
 }
-- 
cgit v1.2.3


From f73fba54dc8b30c6482e1e8abf15bbf455592fcd Mon Sep 17 00:00:00 2001
From: Rene Mayrhofer <rene@mayrhofer.eu.org>
Date: Sun, 28 Nov 2010 11:42:20 +0000
Subject: [svn-upgrade] new version strongswan (4.5.0)

---
 Android.mk                                         |    2 +-
 ChangeLog                                          |    2 +-
 Doxyfile.in                                        |    7 +-
 Makefile.am                                        |    2 +-
 Makefile.in                                        |   24 +-
 NEWS                                               |   73 +-
 README                                             |    5 +-
 TODO                                               |    2 +-
 aclocal.m4                                         |  153 +-
 config.guess                                       |  149 +-
 config.sub                                         |   47 +-
 configure                                          | 2988 ++++++++++++++------
 configure.in                                       |  328 ++-
 m4/macros/add-plugin.m4                            |   10 +
 man/Makefile.am                                    |   11 +
 man/Makefile.in                                    |  507 ++++
 man/ipsec.conf.5                                   | 1358 +++++++++
 man/ipsec.conf.5.in                                | 1358 +++++++++
 man/ipsec.secrets.5                                |  176 ++
 man/ipsec.secrets.5.in                             |  176 ++
 man/strongswan.conf.5                              |  910 ++++++
 man/strongswan.conf.5.in                           |  910 ++++++
 scripts/Makefile.am                                |   16 +-
 scripts/Makefile.in                                |   52 +-
 scripts/crypt_burn.c                               |  102 +
 scripts/key2keyid.c                                |    4 +-
 scripts/pubkey_speed.c                             |   10 +-
 src/Makefile.am                                    |    4 +
 src/Makefile.in                                    |   53 +-
 src/_copyright/Makefile.in                         |   20 +-
 src/_copyright/_copyright.c                        |    5 +
 src/_updown/Makefile.in                            |   20 +-
 src/_updown/_updown.in                             |    2 +-
 src/_updown_espmark/Makefile.in                    |   20 +-
 src/_updown_espmark/_updown_espmark                |    2 +-
 src/charon/Makefile.in                             |   20 +-
 src/charon/charon.c                                |    4 +-
 src/checksum/Makefile.am                           |   12 +-
 src/checksum/Makefile.in                           |   31 +-
 src/checksum/checksum_builder.c                    |  205 +-
 src/dumm/Makefile.in                               |   20 +-
 src/dumm/cowfs.c                                   |  256 +-
 src/dumm/cowfs.h                                   |   24 +-
 src/dumm/dumm.c                                    |  157 +-
 src/dumm/dumm.h                                    |   41 +-
 src/dumm/ext/dumm.c                                |  152 +-
 src/dumm/ext/lib/dumm.rb                           |    6 +-
 src/dumm/ext/lib/dumm/guest.rb                     |   21 +-
 src/dumm/guest.c                                   |   47 +-
 src/dumm/guest.h                                   |   25 +-
 src/include/Makefile.in                            |   20 +-
 src/ipsec/Makefile.in                              |   20 +-
 src/ipsec/ipsec.8                                  |    2 +-
 src/libcharon/Android.mk                           |   16 +-
 src/libcharon/Makefile.am                          |  151 +-
 src/libcharon/Makefile.in                          |  484 ++--
 src/libcharon/bus/bus.c                            |    3 +-
 src/libcharon/bus/listeners/file_logger.c          |   35 +-
 src/libcharon/bus/listeners/file_logger.h          |    3 +-
 src/libcharon/bus/listeners/sys_logger.c           |   28 +-
 src/libcharon/bus/listeners/sys_logger.h           |    3 +-
 src/libcharon/config/child_cfg.c                   |    9 -
 src/libcharon/config/child_cfg.h                   |   53 +-
 src/libcharon/config/proposal.c                    |  205 +-
 src/libcharon/config/proposal.h                    |   10 +-
 src/libcharon/daemon.c                             |   44 +-
 src/libcharon/daemon.h                             |   32 +-
 src/libcharon/encoding/generator.c                 |   80 +-
 src/libcharon/encoding/generator.h                 |   26 +-
 src/libcharon/encoding/message.c                   |  973 +++----
 src/libcharon/encoding/message.h                   |   48 +-
 src/libcharon/encoding/payloads/delete_payload.c   |  213 +-
 src/libcharon/encoding/payloads/delete_payload.h   |    9 +-
 .../encoding/payloads/encryption_payload.c         |  610 ++--
 .../encoding/payloads/encryption_payload.h         |  118 +-
 src/libcharon/encoding/payloads/notify_payload.c   |   56 +-
 src/libcharon/encoding/payloads/notify_payload.h   |   24 +-
 .../encoding/payloads/proposal_substructure.c      |  321 +--
 .../encoding/payloads/proposal_substructure.h      |   33 +-
 src/libcharon/encoding/payloads/sa_payload.c       |  277 +-
 src/libcharon/encoding/payloads/sa_payload.h       |   22 +-
 src/libcharon/kernel/kernel_handler.c              |  163 ++
 src/libcharon/kernel/kernel_handler.h              |   50 +
 src/libcharon/kernel/kernel_interface.c            |  388 ---
 src/libcharon/kernel/kernel_interface.h            |  408 ---
 src/libcharon/kernel/kernel_ipsec.c                |   29 -
 src/libcharon/kernel/kernel_ipsec.h                |  292 --
 src/libcharon/kernel/kernel_net.h                  |  143 -
 src/libcharon/network/receiver.c                   |   29 +-
 src/libcharon/network/sender.c                     |    2 +-
 src/libcharon/network/socket.h                     |   21 +-
 src/libcharon/network/socket_manager.c             |   63 +-
 src/libcharon/network/socket_manager.h             |   14 +-
 src/libcharon/plugins/addrblock/Makefile.in        |   20 +-
 src/libcharon/plugins/addrblock/addrblock_plugin.c |    6 +-
 src/libcharon/plugins/android/Makefile.in          |   20 +-
 src/libcharon/plugins/android/android_plugin.c     |    6 +-
 src/libcharon/plugins/android/android_service.c    |    4 +-
 src/libcharon/plugins/dhcp/Makefile.in             |   20 +-
 src/libcharon/plugins/dhcp/dhcp_plugin.c           |    6 +-
 src/libcharon/plugins/dhcp/dhcp_socket.c           |   25 +-
 src/libcharon/plugins/eap_aka/Makefile.in          |   20 +-
 src/libcharon/plugins/eap_aka_3gpp2/Makefile.in    |   20 +-
 src/libcharon/plugins/eap_gtc/Makefile.in          |   20 +-
 src/libcharon/plugins/eap_identity/Makefile.in     |   20 +-
 src/libcharon/plugins/eap_identity/eap_identity.c  |  115 +-
 src/libcharon/plugins/eap_identity/eap_identity.h  |    2 +-
 .../plugins/eap_identity/eap_identity_plugin.c     |   15 +-
 src/libcharon/plugins/eap_md5/Makefile.in          |   20 +-
 src/libcharon/plugins/eap_md5/eap_md5.c            |  120 +-
 src/libcharon/plugins/eap_md5/eap_md5.h            |    2 +-
 src/libcharon/plugins/eap_md5/eap_md5_plugin.c     |   15 +-
 src/libcharon/plugins/eap_mschapv2/Makefile.in     |   20 +-
 src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c  |   10 +-
 src/libcharon/plugins/eap_radius/Makefile.in       |   20 +-
 src/libcharon/plugins/eap_radius/eap_radius.c      |   91 +-
 src/libcharon/plugins/eap_radius/eap_radius.h      |    2 +-
 .../plugins/eap_radius/eap_radius_plugin.c         |    6 +-
 src/libcharon/plugins/eap_radius/radius_server.h   |    1 +
 src/libcharon/plugins/eap_sim/Makefile.in          |   20 +-
 src/libcharon/plugins/eap_sim_file/Makefile.in     |   20 +-
 .../plugins/eap_simaka_pseudonym/Makefile.in       |   20 +-
 .../plugins/eap_simaka_reauth/Makefile.in          |   20 +-
 src/libcharon/plugins/eap_simaka_sql/Makefile.in   |   20 +-
 .../plugins/eap_simaka_sql/eap_simaka_sql_plugin.c |    6 +-
 src/libcharon/plugins/eap_tls/Makefile.am          |   17 +
 src/libcharon/plugins/eap_tls/Makefile.in          |  605 ++++
 src/libcharon/plugins/eap_tls/eap_tls.c            |  155 +
 src/libcharon/plugins/eap_tls/eap_tls.h            |   59 +
 src/libcharon/plugins/eap_tls/eap_tls_plugin.c     |   52 +
 src/libcharon/plugins/eap_tls/eap_tls_plugin.h     |   47 +
 src/libcharon/plugins/eap_tnc/Makefile.am          |   17 +
 src/libcharon/plugins/eap_tnc/Makefile.in          |  605 ++++
 src/libcharon/plugins/eap_tnc/eap_tnc.c            |  156 +
 src/libcharon/plugins/eap_tnc/eap_tnc.h            |   57 +
 src/libcharon/plugins/eap_tnc/eap_tnc_plugin.c     |   51 +
 src/libcharon/plugins/eap_tnc/eap_tnc_plugin.h     |   42 +
 src/libcharon/plugins/eap_ttls/Makefile.am         |   21 +
 src/libcharon/plugins/eap_ttls/Makefile.in         |  615 ++++
 src/libcharon/plugins/eap_ttls/eap_ttls.c          |  165 ++
 src/libcharon/plugins/eap_ttls/eap_ttls.h          |   59 +
 src/libcharon/plugins/eap_ttls/eap_ttls_avp.c      |  187 ++
 src/libcharon/plugins/eap_ttls/eap_ttls_avp.h      |   68 +
 src/libcharon/plugins/eap_ttls/eap_ttls_peer.c     |  316 +++
 src/libcharon/plugins/eap_ttls/eap_ttls_peer.h     |   47 +
 src/libcharon/plugins/eap_ttls/eap_ttls_plugin.c   |   52 +
 src/libcharon/plugins/eap_ttls/eap_ttls_plugin.h   |   47 +
 src/libcharon/plugins/eap_ttls/eap_ttls_server.c   |  365 +++
 src/libcharon/plugins/eap_ttls/eap_ttls_server.h   |   47 +
 src/libcharon/plugins/farp/Makefile.in             |   20 +-
 src/libcharon/plugins/farp/farp_plugin.c           |    6 +-
 src/libcharon/plugins/farp/farp_spoofer.c          |    2 +-
 src/libcharon/plugins/ha/Makefile.in               |   20 +-
 src/libcharon/plugins/ha/ha_cache.c                |    2 +-
 src/libcharon/plugins/ha/ha_ctl.c                  |   12 +-
 src/libcharon/plugins/ha/ha_dispatcher.c           |    6 +-
 src/libcharon/plugins/ha/ha_kernel.c               |    5 +
 src/libcharon/plugins/ha/ha_plugin.c               |    6 +-
 src/libcharon/plugins/ha/ha_segments.c             |    8 +-
 src/libcharon/plugins/ha/ha_socket.c               |    2 +-
 src/libcharon/plugins/kernel_klips/Makefile.am     |   17 -
 src/libcharon/plugins/kernel_klips/Makefile.in     |  590 ----
 .../plugins/kernel_klips/kernel_klips_ipsec.c      | 2660 -----------------
 .../plugins/kernel_klips/kernel_klips_ipsec.h      |   46 -
 .../plugins/kernel_klips/kernel_klips_plugin.c     |   56 -
 .../plugins/kernel_klips/kernel_klips_plugin.h     |   42 -
 src/libcharon/plugins/kernel_klips/pfkeyv2.h       |  322 ---
 src/libcharon/plugins/kernel_netlink/Makefile.am   |   20 -
 src/libcharon/plugins/kernel_netlink/Makefile.in   |  597 ----
 .../plugins/kernel_netlink/kernel_netlink_ipsec.c  | 2265 ---------------
 .../plugins/kernel_netlink/kernel_netlink_ipsec.h  |   46 -
 .../plugins/kernel_netlink/kernel_netlink_net.c    | 1506 ----------
 .../plugins/kernel_netlink/kernel_netlink_net.h    |   46 -
 .../plugins/kernel_netlink/kernel_netlink_plugin.c |   59 -
 .../plugins/kernel_netlink/kernel_netlink_plugin.h |   42 -
 .../plugins/kernel_netlink/kernel_netlink_shared.c |  306 --
 .../plugins/kernel_netlink/kernel_netlink_shared.h |   77 -
 src/libcharon/plugins/kernel_pfkey/Makefile.am     |   17 -
 src/libcharon/plugins/kernel_pfkey/Makefile.in     |  590 ----
 .../plugins/kernel_pfkey/kernel_pfkey_ipsec.c      | 2210 ---------------
 .../plugins/kernel_pfkey/kernel_pfkey_ipsec.h      |   46 -
 .../plugins/kernel_pfkey/kernel_pfkey_plugin.c     |   56 -
 .../plugins/kernel_pfkey/kernel_pfkey_plugin.h     |   42 -
 src/libcharon/plugins/kernel_pfroute/Makefile.am   |   17 -
 src/libcharon/plugins/kernel_pfroute/Makefile.in   |  590 ----
 .../plugins/kernel_pfroute/kernel_pfroute_net.c    |  729 -----
 .../plugins/kernel_pfroute/kernel_pfroute_net.h    |   46 -
 .../plugins/kernel_pfroute/kernel_pfroute_plugin.c |   58 -
 .../plugins/kernel_pfroute/kernel_pfroute_plugin.h |   42 -
 src/libcharon/plugins/led/Makefile.am              |   16 +
 src/libcharon/plugins/led/Makefile.in              |  601 ++++
 src/libcharon/plugins/led/led_listener.c           |  241 ++
 src/libcharon/plugins/led/led_listener.h           |   49 +
 src/libcharon/plugins/led/led_plugin.c             |   67 +
 src/libcharon/plugins/led/led_plugin.h             |   42 +
 src/libcharon/plugins/load_tester/Makefile.in      |   20 +-
 .../plugins/load_tester/load_tester_ipsec.c        |   15 +-
 .../plugins/load_tester/load_tester_listener.c     |    2 +-
 .../plugins/load_tester/load_tester_plugin.c       |    7 +-
 src/libcharon/plugins/maemo/Makefile.am            |   23 +
 src/libcharon/plugins/maemo/Makefile.in            |  631 +++++
 src/libcharon/plugins/maemo/maemo_plugin.c         |   70 +
 src/libcharon/plugins/maemo/maemo_plugin.h         |   42 +
 src/libcharon/plugins/maemo/maemo_service.c        |  510 ++++
 src/libcharon/plugins/maemo/maemo_service.h        |   49 +
 .../plugins/maemo/org.strongswan.charon.service    |    4 +
 src/libcharon/plugins/medcli/Makefile.in           |   20 +-
 src/libcharon/plugins/medcli/medcli_config.c       |   30 +-
 src/libcharon/plugins/medsrv/Makefile.in           |   20 +-
 src/libcharon/plugins/nm/Makefile.in               |   20 +-
 src/libcharon/plugins/nm/nm_creds.c                |   97 +-
 src/libcharon/plugins/nm/nm_creds.h                |   17 +
 src/libcharon/plugins/nm/nm_plugin.c               |    2 +-
 src/libcharon/plugins/nm/nm_service.c              |  108 +-
 src/libcharon/plugins/smp/Makefile.in              |   20 +-
 src/libcharon/plugins/smp/smp.c                    |    4 +-
 src/libcharon/plugins/socket_default/Makefile.in   |   20 +-
 .../plugins/socket_default/socket_default_plugin.c |   25 +-
 .../plugins/socket_default/socket_default_socket.c |   35 +-
 .../plugins/socket_default/socket_default_socket.h |    4 -
 src/libcharon/plugins/socket_dynamic/Makefile.in   |   20 +-
 .../plugins/socket_dynamic/socket_dynamic_plugin.c |   25 +-
 .../plugins/socket_dynamic/socket_dynamic_socket.c |   35 +-
 .../plugins/socket_dynamic/socket_dynamic_socket.h |    4 -
 src/libcharon/plugins/socket_raw/Makefile.in       |   20 +-
 .../plugins/socket_raw/socket_raw_plugin.c         |   25 +-
 .../plugins/socket_raw/socket_raw_socket.c         |   42 +-
 .../plugins/socket_raw/socket_raw_socket.h         |    4 -
 src/libcharon/plugins/sql/Makefile.am              |    3 -
 src/libcharon/plugins/sql/Makefile.in              |   23 +-
 src/libcharon/plugins/stroke/Makefile.in           |   20 +-
 src/libcharon/plugins/stroke/stroke_config.c       |   25 +-
 src/libcharon/plugins/stroke/stroke_control.c      |    2 +-
 src/libcharon/plugins/stroke/stroke_cred.c         |  715 +++--
 src/libcharon/plugins/stroke/stroke_list.c         |   41 +-
 src/libcharon/plugins/stroke/stroke_socket.c       |   59 +-
 src/libcharon/plugins/tnc_imc/Makefile.am          |   19 +
 src/libcharon/plugins/tnc_imc/Makefile.in          |  603 ++++
 src/libcharon/plugins/tnc_imc/tnc_imc_plugin.c     |   57 +
 src/libcharon/plugins/tnc_imc/tnc_imc_plugin.h     |   42 +
 src/libcharon/plugins/tnc_imv/Makefile.am          |   19 +
 src/libcharon/plugins/tnc_imv/Makefile.in          |  603 ++++
 src/libcharon/plugins/tnc_imv/tnc_imv_plugin.c     |   54 +
 src/libcharon/plugins/tnc_imv/tnc_imv_plugin.h     |   42 +
 src/libcharon/plugins/tnccs_11/Makefile.am         |   21 +
 src/libcharon/plugins/tnccs_11/Makefile.in         |  607 ++++
 src/libcharon/plugins/tnccs_11/tnccs_11.c          |  328 +++
 src/libcharon/plugins/tnccs_11/tnccs_11.h          |   36 +
 src/libcharon/plugins/tnccs_11/tnccs_11_plugin.c   |   47 +
 src/libcharon/plugins/tnccs_11/tnccs_11_plugin.h   |   42 +
 src/libcharon/plugins/tnccs_20/Makefile.am         |   21 +
 src/libcharon/plugins/tnccs_20/Makefile.in         |  607 ++++
 src/libcharon/plugins/tnccs_20/tnccs_20.c          |  103 +
 src/libcharon/plugins/tnccs_20/tnccs_20.h          |   36 +
 src/libcharon/plugins/tnccs_20/tnccs_20_plugin.c   |   47 +
 src/libcharon/plugins/tnccs_20/tnccs_20_plugin.h   |   42 +
 src/libcharon/plugins/uci/Makefile.in              |   20 +-
 src/libcharon/plugins/uci/uci_control.c            |    2 +-
 src/libcharon/plugins/unit_tester/Makefile.in      |   20 +-
 .../plugins/unit_tester/tests/test_cert.c          |    4 +-
 .../plugins/unit_tester/tests/test_rsa_gen.c       |    6 +-
 src/libcharon/plugins/updown/Makefile.in           |   20 +-
 src/libcharon/plugins/updown/updown_listener.c     |    5 +-
 src/libcharon/processing/jobs/acquire_job.h        |    2 +-
 src/libcharon/processing/jobs/callback_job.c       |  271 --
 src/libcharon/processing/jobs/callback_job.h       |  118 -
 .../processing/jobs/delete_child_sa_job.h          |    2 +-
 src/libcharon/processing/jobs/delete_ike_sa_job.h  |    2 +-
 src/libcharon/processing/jobs/inactivity_job.c     |   10 +-
 src/libcharon/processing/jobs/inactivity_job.h     |    2 +-
 .../processing/jobs/initiate_mediation_job.h       |    2 +-
 src/libcharon/processing/jobs/job.h                |   52 -
 src/libcharon/processing/jobs/mediation_job.h      |    2 +-
 src/libcharon/processing/jobs/migrate_job.h        |    2 +-
 .../processing/jobs/process_message_job.h          |    2 +-
 src/libcharon/processing/jobs/rekey_child_sa_job.h |    2 +-
 src/libcharon/processing/jobs/rekey_ike_sa_job.h   |    2 +-
 src/libcharon/processing/jobs/retransmit_job.h     |    2 +-
 src/libcharon/processing/jobs/roam_job.h           |    2 +-
 src/libcharon/processing/jobs/send_dpd_job.h       |    2 +-
 src/libcharon/processing/jobs/send_keepalive_job.h |    2 +-
 src/libcharon/processing/jobs/update_sa_job.h      |    2 +-
 src/libcharon/processing/processor.c               |  273 --
 src/libcharon/processing/processor.h               |   94 -
 src/libcharon/processing/scheduler.c               |  358 ---
 src/libcharon/processing/scheduler.h               |  130 -
 src/libcharon/sa/authenticators/eap/eap_manager.c  |   54 +-
 src/libcharon/sa/authenticators/eap/eap_method.c   |   47 -
 src/libcharon/sa/authenticators/eap/eap_method.h   |   30 +-
 .../sa/authenticators/eap_authenticator.c          |  122 +-
 .../sa/authenticators/pubkey_authenticator.c       |    6 +-
 src/libcharon/sa/child_sa.c                        |  532 ++--
 src/libcharon/sa/connect_manager.c                 |   14 +-
 src/libcharon/sa/ike_sa.c                          |  237 +-
 src/libcharon/sa/ike_sa.h                          |    8 +
 src/libcharon/sa/ike_sa_manager.c                  |    5 +-
 src/libcharon/sa/ike_sa_manager.h                  |    2 +
 src/libcharon/sa/keymat.c                          |  348 +--
 src/libcharon/sa/keymat.h                          |   15 +-
 src/libcharon/sa/mediation_manager.c               |    2 +-
 src/libcharon/sa/task_manager.c                    |   21 +-
 src/libcharon/sa/tasks/child_create.c              |    4 +-
 src/libcharon/sa/tasks/child_delete.c              |   17 +-
 src/libcharon/sa/tasks/child_rekey.c               |   31 +-
 src/libcharon/sa/tasks/ike_auth.c                  |   12 +-
 src/libcharon/sa/tasks/ike_init.c                  |    2 +-
 src/libcharon/sa/tasks/ike_me.c                    |   10 +-
 src/libcharon/sa/tasks/ike_mobike.c                |  215 +-
 src/libcharon/sa/tasks/ike_mobike.h                |    5 +
 src/libcharon/sa/tasks/ike_natd.c                  |   41 +-
 src/libcharon/sa/tasks/ike_rekey.c                 |   83 +-
 src/libcharon/sa/tasks/ike_vendor.c                |   14 +-
 src/libcharon/sa/trap_manager.c                    |    5 +-
 src/libcharon/tnccs/tnccs.c                        |   22 +
 src/libcharon/tnccs/tnccs.h                        |   52 +
 src/libcharon/tnccs/tnccs_manager.c                |  148 +
 src/libcharon/tnccs/tnccs_manager.h                |   74 +
 src/libfast/Makefile.in                            |   20 +-
 src/libfreeswan/Makefile.am                        |    1 +
 src/libfreeswan/Makefile.in                        |   21 +-
 src/libhydra/Android.mk                            |   12 +-
 src/libhydra/Makefile.am                           |   34 +-
 src/libhydra/Makefile.in                           |   77 +-
 src/libhydra/attributes/mem_pool.c                 |  301 +-
 src/libhydra/hydra.c                               |    2 +
 src/libhydra/hydra.h                               |    9 +
 src/libhydra/kernel/kernel_interface.c             |  522 ++++
 src/libhydra/kernel/kernel_interface.h             |  476 ++++
 src/libhydra/kernel/kernel_ipsec.c                 |   37 +
 src/libhydra/kernel/kernel_ipsec.h                 |  368 +++
 src/libhydra/kernel/kernel_listener.h              |   96 +
 src/libhydra/kernel/kernel_net.h                   |  145 +
 src/libhydra/plugins/attr/Makefile.am              |    3 +-
 src/libhydra/plugins/attr/Makefile.in              |   24 +-
 src/libhydra/plugins/attr_sql/Makefile.am          |    2 +-
 src/libhydra/plugins/attr_sql/Makefile.in          |   22 +-
 src/libhydra/plugins/kernel_klips/Makefile.am      |   16 +
 src/libhydra/plugins/kernel_klips/Makefile.in      |  604 ++++
 .../plugins/kernel_klips/kernel_klips_ipsec.c      | 2643 +++++++++++++++++
 .../plugins/kernel_klips/kernel_klips_ipsec.h      |   46 +
 .../plugins/kernel_klips/kernel_klips_plugin.c     |   58 +
 .../plugins/kernel_klips/kernel_klips_plugin.h     |   42 +
 src/libhydra/plugins/kernel_klips/pfkeyv2.h        |  322 +++
 src/libhydra/plugins/kernel_netlink/Makefile.am    |   21 +
 src/libhydra/plugins/kernel_netlink/Makefile.in    |  614 ++++
 .../plugins/kernel_netlink/kernel_netlink_ipsec.c  | 2221 +++++++++++++++
 .../plugins/kernel_netlink/kernel_netlink_ipsec.h  |   46 +
 .../plugins/kernel_netlink/kernel_netlink_net.c    | 1578 +++++++++++
 .../plugins/kernel_netlink/kernel_netlink_net.h    |   46 +
 .../plugins/kernel_netlink/kernel_netlink_plugin.c |   63 +
 .../plugins/kernel_netlink/kernel_netlink_plugin.h |   42 +
 .../plugins/kernel_netlink/kernel_netlink_shared.c |  306 ++
 .../plugins/kernel_netlink/kernel_netlink_shared.h |   77 +
 src/libhydra/plugins/kernel_pfkey/Makefile.am      |   17 +
 src/libhydra/plugins/kernel_pfkey/Makefile.in      |  606 ++++
 .../plugins/kernel_pfkey/kernel_pfkey_ipsec.c      | 2178 ++++++++++++++
 .../plugins/kernel_pfkey/kernel_pfkey_ipsec.h      |   46 +
 .../plugins/kernel_pfkey/kernel_pfkey_plugin.c     |   58 +
 .../plugins/kernel_pfkey/kernel_pfkey_plugin.h     |   42 +
 src/libhydra/plugins/kernel_pfroute/Makefile.am    |   17 +
 src/libhydra/plugins/kernel_pfroute/Makefile.in    |  606 ++++
 .../plugins/kernel_pfroute/kernel_pfroute_net.c    |  742 +++++
 .../plugins/kernel_pfroute/kernel_pfroute_net.h    |   46 +
 .../plugins/kernel_pfroute/kernel_pfroute_plugin.c |   58 +
 .../plugins/kernel_pfroute/kernel_pfroute_plugin.h |   42 +
 src/libhydra/plugins/resolve/Makefile.am           |    3 +-
 src/libhydra/plugins/resolve/Makefile.in           |   24 +-
 src/libsimaka/Makefile.in                          |   20 +-
 src/libsimaka/simaka_message.c                     |    9 +-
 src/libstrongswan/Android.mk                       |   12 +-
 src/libstrongswan/Makefile.am                      |   43 +-
 src/libstrongswan/Makefile.in                      |  188 +-
 src/libstrongswan/asn1/oid.c                       |  370 +--
 src/libstrongswan/asn1/oid.h                       |  173 +-
 src/libstrongswan/asn1/oid.txt                     |    2 +
 src/libstrongswan/chunk.c                          |   28 +-
 src/libstrongswan/chunk.h                          |    6 +-
 src/libstrongswan/credentials/auth_cfg.c           |   65 +-
 src/libstrongswan/credentials/auth_cfg.h           |   32 +-
 src/libstrongswan/credentials/builder.c            |    6 +-
 src/libstrongswan/credentials/builder.h            |   18 +-
 src/libstrongswan/credentials/credential_factory.c |   76 +-
 src/libstrongswan/credentials/credential_factory.h |   18 +-
 src/libstrongswan/credentials/credential_manager.c |   43 +-
 src/libstrongswan/credentials/keys/private_key.h   |   10 +-
 src/libstrongswan/credentials/keys/public_key.c    |   10 +
 src/libstrongswan/credentials/keys/public_key.h    |   36 +-
 src/libstrongswan/credentials/sets/callback_cred.c |  144 +
 src/libstrongswan/credentials/sets/callback_cred.h |   67 +
 src/libstrongswan/credentials/sets/mem_cred.c      |  433 +++
 src/libstrongswan/credentials/sets/mem_cred.h      |   77 +
 src/libstrongswan/crypto/aead.c                    |  162 ++
 src/libstrongswan/crypto/aead.h                    |  119 +
 src/libstrongswan/crypto/crypters/crypter.c        |   23 +-
 src/libstrongswan/crypto/crypters/crypter.h        |   39 +-
 src/libstrongswan/crypto/crypto_factory.c          |  507 ++--
 src/libstrongswan/crypto/crypto_factory.h          |   54 +-
 src/libstrongswan/crypto/crypto_tester.c           |  614 +++-
 src/libstrongswan/crypto/crypto_tester.h           |   60 +-
 src/libstrongswan/crypto/diffie_hellman.c          |   24 +-
 src/libstrongswan/crypto/diffie_hellman.h          |   10 +
 src/libstrongswan/crypto/prfs/prf.c                |    7 +-
 src/libstrongswan/crypto/prfs/prf.h                |    8 +-
 .../crypto/proposal/proposal_keywords.c            |  254 +-
 .../crypto/proposal/proposal_keywords.txt          |   22 +
 src/libstrongswan/crypto/signers/signer.c          |    9 +-
 src/libstrongswan/crypto/signers/signer.h          |   10 +
 src/libstrongswan/crypto/transform.c               |    7 +-
 src/libstrongswan/crypto/transform.h               |    1 +
 src/libstrongswan/debug.c                          |    4 +
 src/libstrongswan/debug.h                          |    4 +
 src/libstrongswan/eap/eap.c                        |  131 +
 src/libstrongswan/eap/eap.h                        |   89 +
 src/libstrongswan/enum.c                           |   29 +-
 src/libstrongswan/enum.h                           |   18 +
 src/libstrongswan/library.c                        |    4 +
 src/libstrongswan/library.h                        |   18 +
 src/libstrongswan/plugins/aes/Makefile.in          |   20 +-
 src/libstrongswan/plugins/aes/aes_crypter.c        |  109 +-
 src/libstrongswan/plugins/aes/aes_crypter.h        |    4 +-
 src/libstrongswan/plugins/aes/aes_plugin.c         |   18 +-
 src/libstrongswan/plugins/agent/Makefile.in        |   20 +-
 src/libstrongswan/plugins/agent/agent_plugin.c     |   18 +-
 .../plugins/agent/agent_private_key.c              |  103 +-
 .../plugins/agent/agent_private_key.h              |    2 +-
 src/libstrongswan/plugins/blowfish/Makefile.in     |   20 +-
 .../plugins/blowfish/blowfish_crypter.c            |   78 +-
 .../plugins/blowfish/blowfish_crypter.h            |    4 +-
 .../plugins/blowfish/blowfish_plugin.c             |   18 +-
 src/libstrongswan/plugins/ccm/Makefile.am          |   16 +
 src/libstrongswan/plugins/ccm/Makefile.in          |  600 ++++
 src/libstrongswan/plugins/ccm/ccm_aead.c           |  397 +++
 src/libstrongswan/plugins/ccm/ccm_aead.h           |   51 +
 src/libstrongswan/plugins/ccm/ccm_plugin.c         |   69 +
 src/libstrongswan/plugins/ccm/ccm_plugin.h         |   42 +
 src/libstrongswan/plugins/ctr/Makefile.am          |   16 +
 src/libstrongswan/plugins/ctr/Makefile.in          |  600 ++++
 src/libstrongswan/plugins/ctr/ctr_ipsec_crypter.c  |  173 ++
 src/libstrongswan/plugins/ctr/ctr_ipsec_crypter.h  |   54 +
 src/libstrongswan/plugins/ctr/ctr_plugin.c         |   65 +
 src/libstrongswan/plugins/ctr/ctr_plugin.h         |   42 +
 src/libstrongswan/plugins/curl/Makefile.in         |   20 +-
 src/libstrongswan/plugins/curl/curl_fetcher.c      |   10 +-
 src/libstrongswan/plugins/des/Makefile.in          |   20 +-
 src/libstrongswan/plugins/des/des_crypter.c        |  114 +-
 src/libstrongswan/plugins/des/des_crypter.h        |    4 +-
 src/libstrongswan/plugins/des/des_plugin.c         |   16 +-
 src/libstrongswan/plugins/dnskey/Makefile.in       |   20 +-
 src/libstrongswan/plugins/dnskey/dnskey_plugin.c   |    4 +-
 src/libstrongswan/plugins/fips_prf/Makefile.in     |   20 +-
 src/libstrongswan/plugins/gcm/Makefile.am          |   16 +
 src/libstrongswan/plugins/gcm/Makefile.in          |  600 ++++
 src/libstrongswan/plugins/gcm/gcm_aead.c           |  425 +++
 src/libstrongswan/plugins/gcm/gcm_aead.h           |   51 +
 src/libstrongswan/plugins/gcm/gcm_plugin.c         |   63 +
 src/libstrongswan/plugins/gcm/gcm_plugin.h         |   42 +
 src/libstrongswan/plugins/gcrypt/Makefile.in       |   20 +-
 src/libstrongswan/plugins/gcrypt/gcrypt_crypter.c  |  136 +-
 src/libstrongswan/plugins/gcrypt/gcrypt_crypter.h  |    2 +-
 src/libstrongswan/plugins/gcrypt/gcrypt_dh.c       |  113 +-
 src/libstrongswan/plugins/gcrypt/gcrypt_dh.h       |   11 +
 src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c   |   50 +-
 src/libstrongswan/plugins/gcrypt/gcrypt_hasher.h   |    2 +-
 src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c   |   32 +-
 src/libstrongswan/plugins/gcrypt/gcrypt_rng.c      |   37 +-
 .../plugins/gcrypt/gcrypt_rsa_private_key.c        |  116 +-
 .../plugins/gcrypt/gcrypt_rsa_private_key.h        |    2 +-
 .../plugins/gcrypt/gcrypt_rsa_public_key.c         |   98 +-
 .../plugins/gcrypt/gcrypt_rsa_public_key.h         |    2 +-
 src/libstrongswan/plugins/gmp/Makefile.in          |   20 +-
 src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c |  106 +-
 src/libstrongswan/plugins/gmp/gmp_diffie_hellman.h |   11 +
 src/libstrongswan/plugins/gmp/gmp_plugin.c         |   27 +-
 .../plugins/gmp/gmp_rsa_private_key.c              |  127 +-
 .../plugins/gmp/gmp_rsa_private_key.h              |    2 +-
 src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c |  111 +-
 src/libstrongswan/plugins/gmp/gmp_rsa_public_key.h |    2 +-
 src/libstrongswan/plugins/hmac/Makefile.in         |   20 +-
 src/libstrongswan/plugins/hmac/hmac.c              |   58 +-
 src/libstrongswan/plugins/hmac/hmac_plugin.c       |   20 +-
 src/libstrongswan/plugins/hmac/hmac_prf.c          |   77 +-
 src/libstrongswan/plugins/hmac/hmac_prf.h          |    4 +-
 src/libstrongswan/plugins/hmac/hmac_signer.c       |  108 +-
 src/libstrongswan/plugins/hmac/hmac_signer.h       |    7 +-
 src/libstrongswan/plugins/ldap/Makefile.in         |   20 +-
 src/libstrongswan/plugins/md4/Makefile.in          |   20 +-
 src/libstrongswan/plugins/md5/Makefile.in          |   20 +-
 src/libstrongswan/plugins/mysql/Makefile.in        |   20 +-
 src/libstrongswan/plugins/openssl/Makefile.in      |   20 +-
 src/libstrongswan/plugins/openssl/openssl_crl.c    |   17 +-
 .../plugins/openssl/openssl_crypter.c              |  174 +-
 .../plugins/openssl/openssl_crypter.h              |    4 +-
 .../plugins/openssl/openssl_diffie_hellman.c       |   72 +-
 .../plugins/openssl/openssl_diffie_hellman.h       |    5 +-
 .../plugins/openssl/openssl_ec_diffie_hellman.c    |   59 +-
 .../plugins/openssl/openssl_ec_private_key.c       |  114 +-
 .../plugins/openssl/openssl_ec_private_key.h       |    2 +-
 .../plugins/openssl/openssl_ec_public_key.c        |  104 +-
 .../plugins/openssl/openssl_ec_public_key.h        |    2 +-
 src/libstrongswan/plugins/openssl/openssl_hasher.c |   50 +-
 src/libstrongswan/plugins/openssl/openssl_hasher.h |    4 +-
 src/libstrongswan/plugins/openssl/openssl_plugin.c |   72 +-
 .../plugins/openssl/openssl_rsa_private_key.c      |  229 +-
 .../plugins/openssl/openssl_rsa_private_key.h      |    2 +-
 .../plugins/openssl/openssl_rsa_public_key.c       |  123 +-
 .../plugins/openssl/openssl_rsa_public_key.h       |    2 +-
 .../plugins/openssl/openssl_sha1_prf.c             |   16 +-
 src/libstrongswan/plugins/openssl/openssl_x509.c   |   57 +-
 src/libstrongswan/plugins/padlock/Makefile.in      |   20 +-
 .../plugins/padlock/padlock_aes_crypter.c          |   79 +-
 .../plugins/padlock/padlock_aes_crypter.h          |    4 +-
 src/libstrongswan/plugins/padlock/padlock_plugin.c |   18 +-
 src/libstrongswan/plugins/padlock/padlock_rng.c    |   46 +-
 .../plugins/padlock/padlock_sha1_hasher.c          |   55 +-
 .../plugins/padlock/padlock_sha1_hasher.h          |    2 +-
 src/libstrongswan/plugins/pem/Makefile.in          |   20 +-
 src/libstrongswan/plugins/pem/pem_builder.c        |   93 +-
 src/libstrongswan/plugins/pem/pem_plugin.c         |   38 +-
 src/libstrongswan/plugins/pgp/Makefile.in          |   20 +-
 src/libstrongswan/plugins/pgp/pgp_builder.c        |    2 +-
 src/libstrongswan/plugins/pgp/pgp_plugin.c         |   10 +-
 src/libstrongswan/plugins/pkcs1/Makefile.in        |   20 +-
 src/libstrongswan/plugins/pkcs1/pkcs1_plugin.c     |    6 +-
 src/libstrongswan/plugins/pkcs11/Makefile.am       |   21 +
 src/libstrongswan/plugins/pkcs11/Makefile.in       |  614 ++++
 src/libstrongswan/plugins/pkcs11/pkcs11.h          | 1357 +++++++++
 src/libstrongswan/plugins/pkcs11/pkcs11_creds.c    |  249 ++
 src/libstrongswan/plugins/pkcs11/pkcs11_creds.h    |   68 +
 src/libstrongswan/plugins/pkcs11/pkcs11_hasher.c   |  323 +++
 src/libstrongswan/plugins/pkcs11/pkcs11_hasher.h   |   47 +
 src/libstrongswan/plugins/pkcs11/pkcs11_library.c  |  869 ++++++
 src/libstrongswan/plugins/pkcs11/pkcs11_library.h  |  110 +
 src/libstrongswan/plugins/pkcs11/pkcs11_manager.c  |  407 +++
 src/libstrongswan/plugins/pkcs11/pkcs11_manager.h  |   78 +
 src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c   |  176 ++
 src/libstrongswan/plugins/pkcs11/pkcs11_plugin.h   |   42 +
 .../plugins/pkcs11/pkcs11_private_key.c            |  600 ++++
 .../plugins/pkcs11/pkcs11_private_key.h            |   63 +
 .../plugins/pkcs11/pkcs11_public_key.c             |  473 ++++
 .../plugins/pkcs11/pkcs11_public_key.h             |   49 +
 src/libstrongswan/plugins/plugin_loader.c          |    6 +-
 src/libstrongswan/plugins/pubkey/Makefile.in       |   20 +-
 src/libstrongswan/plugins/pubkey/pubkey_plugin.c   |    2 +-
 src/libstrongswan/plugins/random/Makefile.in       |   20 +-
 src/libstrongswan/plugins/revocation/Makefile.in   |   20 +-
 .../plugins/revocation/revocation_plugin.c         |    6 +-
 src/libstrongswan/plugins/sha1/Makefile.in         |   20 +-
 src/libstrongswan/plugins/sha2/Makefile.in         |   20 +-
 src/libstrongswan/plugins/sqlite/Makefile.in       |   20 +-
 src/libstrongswan/plugins/test_vectors/Makefile.am |    5 +
 src/libstrongswan/plugins/test_vectors/Makefile.in |   74 +-
 .../plugins/test_vectors/test_vectors.h            |   41 +
 .../plugins/test_vectors/test_vectors/aes_ccm.c    |  157 +
 .../plugins/test_vectors/test_vectors/aes_ctr.c    |  148 +
 .../plugins/test_vectors/test_vectors/aes_gcm.c    |  139 +
 .../test_vectors/test_vectors/camellia_ctr.c       |  148 +
 .../test_vectors/test_vectors/camellia_xcbc.c      |   58 +
 .../plugins/test_vectors/test_vectors_plugin.c     |   16 +
 src/libstrongswan/plugins/x509/Makefile.in         |   20 +-
 src/libstrongswan/plugins/x509/x509_cert.c         |   52 +-
 src/libstrongswan/plugins/x509/x509_pkcs10.c       |    2 +-
 src/libstrongswan/plugins/x509/x509_plugin.c       |   20 +-
 src/libstrongswan/plugins/xcbc/Makefile.in         |   20 +-
 src/libstrongswan/plugins/xcbc/xcbc.c              |  110 +-
 src/libstrongswan/plugins/xcbc/xcbc_plugin.c       |   28 +-
 src/libstrongswan/plugins/xcbc/xcbc_prf.c          |   61 +-
 src/libstrongswan/plugins/xcbc/xcbc_prf.h          |    4 +-
 src/libstrongswan/plugins/xcbc/xcbc_signer.c       |   77 +-
 src/libstrongswan/plugins/xcbc/xcbc_signer.h       |    4 +-
 src/libstrongswan/printf_hook.c                    |  100 +-
 src/libstrongswan/printf_hook.h                    |    6 +-
 src/libstrongswan/processing/jobs/callback_job.c   |  271 ++
 src/libstrongswan/processing/jobs/callback_job.h   |  118 +
 src/libstrongswan/processing/jobs/job.h            |   52 +
 src/libstrongswan/processing/processor.c           |  273 ++
 src/libstrongswan/processing/processor.h           |   94 +
 src/libstrongswan/processing/scheduler.c           |  358 +++
 src/libstrongswan/processing/scheduler.h           |  130 +
 src/libstrongswan/settings.c                       |  128 +-
 src/libstrongswan/settings.h                       |    5 +-
 src/libstrongswan/utils.c                          |    2 +-
 src/libstrongswan/utils.h                          |   22 +
 src/libstrongswan/utils/identification.c           |   24 +-
 src/libstrongswan/utils/leak_detective.c           |    5 +
 src/libstrongswan/utils/linked_list.h              |   34 +-
 src/libtls/Makefile.am                             |   18 +
 src/libtls/Makefile.in                             |  559 ++++
 src/libtls/tls.c                                   |  481 ++++
 src/libtls/tls.h                                   |  236 ++
 src/libtls/tls_alert.c                             |  228 ++
 src/libtls/tls_alert.h                             |  126 +
 src/libtls/tls_application.h                       |   63 +
 src/libtls/tls_compression.c                       |   72 +
 src/libtls/tls_compression.h                       |   80 +
 src/libtls/tls_crypto.c                            | 1674 +++++++++++
 src/libtls/tls_crypto.h                            |  554 ++++
 src/libtls/tls_eap.c                               |  379 +++
 src/libtls/tls_eap.h                               |   81 +
 src/libtls/tls_fragmentation.c                     |  471 +++
 src/libtls/tls_fragmentation.h                     |   88 +
 src/libtls/tls_handshake.h                         |   90 +
 src/libtls/tls_peer.c                              | 1099 +++++++
 src/libtls/tls_peer.h                              |   54 +
 src/libtls/tls_prf.c                               |  190 ++
 src/libtls/tls_prf.h                               |   72 +
 src/libtls/tls_protection.c                        |  333 +++
 src/libtls/tls_protection.h                        |   98 +
 src/libtls/tls_reader.c                            |  200 ++
 src/libtls/tls_reader.h                            |  131 +
 src/libtls/tls_server.c                            | 1032 +++++++
 src/libtls/tls_server.h                            |   55 +
 src/libtls/tls_socket.c                            |  219 ++
 src/libtls/tls_socket.h                            |   75 +
 src/libtls/tls_writer.c                            |  237 ++
 src/libtls/tls_writer.h                            |  136 +
 src/manager/Makefile.am                            |    2 +-
 src/manager/Makefile.in                            |   22 +-
 src/medsrv/Makefile.am                             |    2 +-
 src/medsrv/Makefile.in                             |   22 +-
 src/openac/Makefile.am                             |    2 +-
 src/openac/Makefile.in                             |   22 +-
 src/openac/openac.c                                |   12 +-
 src/pki/Makefile.am                                |    2 +-
 src/pki/Makefile.in                                |   22 +-
 src/pki/commands/issue.c                           |   34 +-
 src/pki/commands/print.c                           |   61 +-
 src/pki/commands/pub.c                             |   18 +-
 src/pki/commands/req.c                             |    2 +-
 src/pki/commands/self.c                            |   19 +-
 src/pki/commands/signcrl.c                         |   32 +-
 src/pki/pki.c                                      |   67 +
 src/pluto/Makefile.am                              |   16 +-
 src/pluto/Makefile.in                              |  129 +-
 src/pluto/alg_info.c                               |    2 +-
 src/pluto/builder.c                                |    4 +-
 src/pluto/certs.c                                  |   99 +-
 src/pluto/certs.h                                  |    2 -
 src/pluto/connections.c                            |   85 +-
 src/pluto/connections.h                            |    4 +-
 src/pluto/constants.c                              |   10 +-
 src/pluto/constants.h                              |   21 +-
 src/pluto/crypto.c                                 |  347 +--
 src/pluto/crypto.h                                 |    7 +
 src/pluto/defs.h                                   |   15 -
 src/pluto/demux.c                                  |   15 +-
 src/pluto/event_queue.c                            |  195 ++
 src/pluto/event_queue.h                            |   69 +
 src/pluto/ike_alg.c                                |   12 +-
 src/pluto/ipsec.secrets.5                          |  175 --
 src/pluto/ipsec.secrets.5.in                       |  175 --
 src/pluto/ipsec_doi.c                              |    9 +-
 src/pluto/kernel.c                                 | 2236 +++++----------
 src/pluto/kernel.h                                 |   80 +-
 src/pluto/kernel_alg.c                             |   78 +-
 src/pluto/kernel_alg.h                             |    1 -
 src/pluto/kernel_netlink.c                         | 1319 ---------
 src/pluto/kernel_netlink.h                         |   18 -
 src/pluto/kernel_noklips.c                         |  124 -
 src/pluto/kernel_noklips.h                         |   17 -
 src/pluto/kernel_pfkey.c                           |  862 ++----
 src/pluto/kernel_pfkey.h                           |   17 +-
 src/pluto/keys.c                                   |  127 +-
 src/pluto/log.c                                    |    3 -
 src/pluto/modecfg.c                                |    2 +-
 src/pluto/nat_traversal.c                          |  108 +-
 src/pluto/nat_traversal.h                          |   14 +-
 src/pluto/pkcs7.c                                  |    8 +-
 src/pluto/plugins/xauth/Makefile.in                |   20 +-
 src/pluto/pluto.8                                  |   95 +-
 src/pluto/pluto.c                                  |    2 +
 src/pluto/pluto.h                                  |    7 +
 src/pluto/plutomain.c                              |   46 +-
 src/pluto/server.c                                 |   54 +-
 src/pluto/smartcard.c                              |   26 +-
 src/pluto/spdb.c                                   |    6 +-
 src/pluto/state.c                                  |   56 +-
 src/pluto/state.h                                  |    3 -
 src/pluto/timer.c                                  |    7 -
 src/pluto/x509.c                                   |    2 +-
 src/scepclient/Makefile.am                         |    2 +-
 src/scepclient/Makefile.in                         |   22 +-
 src/scepclient/scepclient.c                        |    4 +-
 src/starter/Makefile.am                            |   11 +-
 src/starter/Makefile.in                            |   97 +-
 src/starter/README                                 |    5 +-
 src/starter/args.c                                 |    1 +
 src/starter/confread.c                             |   37 +-
 src/starter/confread.h                             |   12 +-
 src/starter/interfaces.c                           |    4 +-
 src/starter/ipsec.conf.5                           | 1330 ---------
 src/starter/ipsec.conf.5.in                        | 1330 ---------
 src/starter/keywords.c                             |  321 +--
 src/starter/keywords.h                             |    3 +-
 src/starter/keywords.txt                           |    1 +
 src/starter/starterstroke.c                        |   12 +-
 src/starter/starterwhack.c                         |    2 +-
 src/stroke/Makefile.in                             |   20 +-
 src/stroke/stroke.c                                |   55 +-
 src/stroke/stroke_keywords.c                       |   19 +-
 src/stroke/stroke_keywords.h                       |    4 +-
 src/stroke/stroke_keywords.txt                     |    1 +
 src/stroke/stroke_msg.h                            |   19 +
 src/whack/Makefile.am                              |    1 +
 src/whack/Makefile.in                              |   21 +-
 src/whack/whack.c                                  |    7 +-
 testing/INSTALL                                    |   14 +-
 testing/Makefile.am                                |    2 +-
 testing/Makefile.in                                |   22 +-
 testing/do-tests.in                                |  106 +-
 testing/hosts/alice/etc/init.d/radiusd             |   64 +
 testing/hosts/alice/etc/ipsec.conf                 |    1 +
 testing/hosts/alice/etc/raddb/certs/aaaCert.pem    |   25 +
 testing/hosts/alice/etc/raddb/certs/aaaKey.pem     |   27 +
 testing/hosts/alice/etc/raddb/certs/dh             |    5 +
 testing/hosts/alice/etc/raddb/certs/random         |  Bin 0 -> 1024 bytes
 .../hosts/alice/etc/raddb/certs/strongswanCert.pem |   22 +
 testing/hosts/alice/etc/strongswan.conf            |    2 +-
 testing/hosts/bob/etc/ipsec.conf                   |    1 +
 testing/hosts/bob/etc/strongswan.conf              |    2 +-
 testing/hosts/carol/etc/ipsec.conf                 |    1 +
 testing/hosts/carol/etc/strongswan.conf            |    2 +-
 testing/hosts/dave/etc/ipsec.conf                  |    1 +
 testing/hosts/dave/etc/strongswan.conf             |    2 +-
 testing/hosts/moon/etc/ipsec.conf                  |    1 +
 testing/hosts/moon/etc/strongswan.conf             |    2 +-
 testing/hosts/sun/etc/ipsec.conf                   |    1 +
 testing/hosts/sun/etc/strongswan.conf              |    2 +-
 testing/hosts/venus/etc/ipsec.conf                 |    1 +
 testing/hosts/venus/etc/strongswan.conf            |    2 +-
 testing/hosts/winnetou/etc/openssl/index.txt       |    1 +
 testing/hosts/winnetou/etc/openssl/index.txt.old   |    1 +
 testing/hosts/winnetou/etc/openssl/newcerts/22.pem |   25 +
 testing/hosts/winnetou/etc/openssl/serial          |    2 +-
 testing/hosts/winnetou/etc/openssl/serial.old      |    2 +-
 testing/scripts/build-umlkernel                    |    4 +-
 testing/scripts/build-umlrootfs                    |   48 +-
 testing/scripts/gstart-umls                        |    2 +-
 testing/scripts/load-testconfig                    |   16 +-
 testing/scripts/restore-defaults                   |    2 +-
 testing/ssh_config                                 |   10 +
 testing/testing.conf                               |   22 +-
 .../alg-camellia/hosts/carol/etc/ipsec.conf        |    1 +
 .../alg-camellia/hosts/carol/etc/strongswan.conf   |    2 +-
 .../alg-camellia/hosts/moon/etc/ipsec.conf         |    1 +
 .../alg-camellia/hosts/moon/etc/strongswan.conf    |    2 +-
 testing/tests/gcrypt-ikev1/alg-camellia/test.conf  |    4 +-
 .../alg-serpent/hosts/carol/etc/ipsec.conf         |    1 +
 .../alg-serpent/hosts/carol/etc/strongswan.conf    |    2 +-
 .../alg-serpent/hosts/moon/etc/ipsec.conf          |    1 +
 .../alg-serpent/hosts/moon/etc/strongswan.conf     |    2 +-
 testing/tests/gcrypt-ikev1/alg-serpent/test.conf   |    4 +-
 .../alg-twofish/hosts/carol/etc/ipsec.conf         |    1 +
 .../alg-twofish/hosts/carol/etc/strongswan.conf    |    2 +-
 .../alg-twofish/hosts/moon/etc/ipsec.conf          |    1 +
 .../alg-twofish/hosts/moon/etc/strongswan.conf     |    2 +-
 testing/tests/gcrypt-ikev1/alg-twofish/test.conf   |    4 +-
 .../rw-cert/hosts/carol/etc/strongswan.conf        |    2 +-
 .../rw-cert/hosts/dave/etc/strongswan.conf         |    2 +-
 .../rw-cert/hosts/moon/etc/strongswan.conf         |    2 +-
 testing/tests/gcrypt-ikev2/alg-camellia/test.conf  |    4 +-
 .../rw-cert/hosts/carol/etc/strongswan.conf        |    2 +-
 .../rw-cert/hosts/dave/etc/strongswan.conf         |    2 +-
 .../rw-cert/hosts/moon/etc/strongswan.conf         |    2 +-
 .../ike/rw-cert/hosts/carol/etc/strongswan.conf    |    2 +-
 .../tests/ike/rw-cert/hosts/dave/etc/ipsec.conf    |    2 +-
 .../tests/ike/rw-cert/hosts/moon/etc/ipsec.conf    |    1 +
 .../ike/rw-cert/hosts/moon/etc/strongswan.conf     |    2 +-
 .../rw_v1-net_v2/hosts/moon/etc/strongswan.conf    |    2 +-
 .../after-2038-certs/hosts/carol/etc/ipsec.conf    |    1 +
 .../after-2038-certs/hosts/moon/etc/ipsec.conf     |    1 +
 .../ikev1/alg-blowfish/hosts/carol/etc/ipsec.conf  |    1 +
 .../alg-blowfish/hosts/carol/etc/strongswan.conf   |    2 +-
 .../ikev1/alg-blowfish/hosts/moon/etc/ipsec.conf   |    1 +
 .../alg-blowfish/hosts/moon/etc/strongswan.conf    |    2 +-
 testing/tests/ikev1/alg-blowfish/test.conf         |    4 +-
 .../ikev1/alg-sha256-96/hosts/carol/etc/ipsec.conf |    1 +
 .../ikev1/alg-sha256-96/hosts/moon/etc/ipsec.conf  |    1 +
 testing/tests/ikev1/alg-sha256-96/test.conf        |    4 +-
 .../ikev1/alg-sha256/hosts/carol/etc/ipsec.conf    |    1 +
 .../ikev1/alg-sha256/hosts/moon/etc/ipsec.conf     |    1 +
 testing/tests/ikev1/alg-sha256/test.conf           |    4 +-
 .../ikev1/alg-sha384/hosts/carol/etc/ipsec.conf    |    1 +
 .../ikev1/alg-sha384/hosts/moon/etc/ipsec.conf     |    1 +
 testing/tests/ikev1/alg-sha384/test.conf           |    4 +-
 .../ikev1/alg-sha512/hosts/carol/etc/ipsec.conf    |    1 +
 .../ikev1/alg-sha512/hosts/moon/etc/ipsec.conf     |    1 +
 testing/tests/ikev1/alg-sha512/test.conf           |    4 +-
 .../ikev1/attr-cert/hosts/carol/etc/ipsec.conf     |    1 +
 .../ikev1/attr-cert/hosts/dave/etc/ipsec.conf      |    1 +
 .../ikev1/attr-cert/hosts/moon/etc/ipsec.conf      |    1 +
 .../ikev1/attr-cert/hosts/moon/etc/strongswan.conf |    2 +-
 .../ikev1/compress/hosts/carol/etc/ipsec.conf      |    1 +
 .../tests/ikev1/compress/hosts/moon/etc/ipsec.conf |    1 +
 testing/tests/ikev1/compress/test.conf             |    4 +-
 .../crl-from-cache/hosts/carol/etc/ipsec.conf      |    1 +
 .../ikev1/crl-from-cache/hosts/moon/etc/ipsec.conf |    1 +
 .../ikev1/crl-ldap/hosts/carol/etc/ipsec.conf      |    1 +
 .../ikev1/crl-ldap/hosts/carol/etc/strongswan.conf |    2 +-
 .../tests/ikev1/crl-ldap/hosts/moon/etc/ipsec.conf |    1 +
 .../ikev1/crl-ldap/hosts/moon/etc/strongswan.conf  |    2 +-
 .../ikev1/crl-revoked/hosts/carol/etc/ipsec.conf   |    1 +
 .../ikev1/crl-revoked/hosts/moon/etc/ipsec.conf    |    1 +
 .../ikev1/crl-strict/hosts/carol/etc/ipsec.conf    |    1 +
 .../ikev1/crl-strict/hosts/moon/etc/ipsec.conf     |    1 +
 .../ikev1/crl-to-cache/hosts/carol/etc/ipsec.conf  |    1 +
 .../ikev1/crl-to-cache/hosts/moon/etc/ipsec.conf   |    1 +
 .../ikev1/default-keys/hosts/carol/etc/ipsec.conf  |    1 +
 .../default-keys/hosts/carol/etc/strongswan.conf   |    2 +-
 .../ikev1/default-keys/hosts/moon/etc/ipsec.conf   |    1 +
 .../default-keys/hosts/moon/etc/strongswan.conf    |    2 +-
 .../double-nat-net/hosts/alice/etc/ipsec.conf      |    1 +
 .../ikev1/double-nat-net/hosts/bob/etc/ipsec.conf  |    1 +
 .../ikev1/double-nat/hosts/alice/etc/ipsec.conf    |    1 +
 .../ikev1/dpd-clear/hosts/moon/etc/ipsec.conf      |    1 +
 .../ikev1/dpd-restart/hosts/carol/etc/ipsec.conf   |    1 +
 .../ikev1/dpd-restart/hosts/moon/etc/ipsec.conf    |    1 +
 .../dynamic-initiator/hosts/carol/etc/ipsec.conf   |    1 +
 .../dynamic-initiator/hosts/dave/etc/ipsec.conf    |    1 +
 .../dynamic-initiator/hosts/moon/etc/ipsec.conf    |    1 +
 .../dynamic-responder/hosts/carol/etc/ipsec.conf   |    1 +
 .../dynamic-responder/hosts/dave/etc/ipsec.conf    |    1 +
 .../dynamic-responder/hosts/moon/etc/ipsec.conf    |    1 +
 .../dynamic-two-peers/hosts/carol/etc/ipsec.conf   |    1 +
 .../dynamic-two-peers/hosts/dave/etc/ipsec.conf    |    1 +
 .../dynamic-two-peers/hosts/moon/etc/ipsec.conf    |    1 +
 .../esp-ah-transport/hosts/carol/etc/ipsec.conf    |    1 +
 .../esp-ah-transport/hosts/moon/etc/ipsec.conf     |    1 +
 .../ikev1/esp-ah-tunnel/hosts/carol/etc/ipsec.conf |    1 +
 .../ikev1/esp-ah-tunnel/hosts/moon/etc/ipsec.conf  |    1 +
 testing/tests/ikev1/esp-ah-tunnel/test.conf        |    4 +-
 testing/tests/ikev1/esp-alg-aes-ccm/test.conf      |    4 +-
 testing/tests/ikev1/esp-alg-aes-ctr/test.conf      |    4 +-
 testing/tests/ikev1/esp-alg-aes-gcm/test.conf      |    4 +-
 testing/tests/ikev1/esp-alg-aes-gmac/test.conf     |    4 +-
 .../esp-alg-aesxcbc/hosts/carol/etc/ipsec.conf     |    1 +
 .../esp-alg-aesxcbc/hosts/moon/etc/ipsec.conf      |    1 +
 testing/tests/ikev1/esp-alg-aesxcbc/test.conf      |    4 +-
 .../ikev1/esp-alg-des/hosts/carol/etc/ipsec.conf   |    1 +
 .../ikev1/esp-alg-des/hosts/moon/etc/ipsec.conf    |    1 +
 testing/tests/ikev1/esp-alg-des/test.conf          |    4 +-
 .../ikev1/esp-alg-null/hosts/carol/etc/ipsec.conf  |    1 +
 .../ikev1/esp-alg-null/hosts/moon/etc/ipsec.conf   |    1 +
 testing/tests/ikev1/esp-alg-null/test.conf         |    4 +-
 .../esp-alg-strict-fail/hosts/carol/etc/ipsec.conf |    1 +
 .../esp-alg-strict-fail/hosts/moon/etc/ipsec.conf  |    1 +
 .../esp-alg-strict/hosts/carol/etc/ipsec.conf      |    1 +
 .../ikev1/esp-alg-strict/hosts/moon/etc/ipsec.conf |    1 +
 .../ikev1/esp-alg-weak/hosts/carol/etc/ipsec.conf  |    1 +
 .../ikev1/esp-alg-weak/hosts/moon/etc/ipsec.conf   |    1 +
 .../host2host-swapped/hosts/moon/etc/ipsec.conf    |    1 +
 .../host2host-swapped/hosts/sun/etc/ipsec.conf     |    1 +
 .../host2host-transport/hosts/moon/etc/ipsec.conf  |    1 +
 .../host2host-transport/hosts/sun/etc/ipsec.conf   |    1 +
 .../ike-alg-strict-fail/hosts/carol/etc/ipsec.conf |    1 +
 .../ike-alg-strict-fail/hosts/moon/etc/ipsec.conf  |    1 +
 .../ike-alg-strict/hosts/carol/etc/ipsec.conf      |    1 +
 .../ikev1/ike-alg-strict/hosts/moon/etc/ipsec.conf |    1 +
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../ip-pool-db-push/hosts/dave/etc/strongswan.conf |    2 +-
 .../ip-pool-db-push/hosts/moon/etc/strongswan.conf |    2 +-
 .../ip-pool-db/hosts/carol/etc/strongswan.conf     |    2 +-
 .../ip-pool-db/hosts/dave/etc/strongswan.conf      |    2 +-
 .../ip-pool-db/hosts/moon/etc/strongswan.conf      |    2 +-
 .../ikev1/ip-pool/hosts/carol/etc/strongswan.conf  |    2 +-
 .../ikev1/ip-pool/hosts/dave/etc/strongswan.conf   |    2 +-
 .../ikev1/ip-pool/hosts/moon/etc/strongswan.conf   |    2 +-
 .../hosts/alice/etc/strongswan.conf                |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../ip-two-pools/hosts/alice/etc/strongswan.conf   |    2 +-
 .../ip-two-pools/hosts/carol/etc/strongswan.conf   |    2 +-
 .../ip-two-pools/hosts/moon/etc/strongswan.conf    |    2 +-
 .../hosts/carol/etc/ipsec.conf                     |    1 +
 .../mode-config-multiple/hosts/dave/etc/ipsec.conf |    1 +
 .../mode-config-multiple/hosts/moon/etc/ipsec.conf |    1 +
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../mode-config-push/hosts/carol/etc/ipsec.conf    |    1 +
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../mode-config-push/hosts/dave/etc/ipsec.conf     |    1 +
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../mode-config-push/hosts/moon/etc/ipsec.conf     |    1 +
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../mode-config-swapped/hosts/carol/etc/ipsec.conf |    1 +
 .../mode-config-swapped/hosts/dave/etc/ipsec.conf  |    1 +
 .../mode-config-swapped/hosts/moon/etc/ipsec.conf  |    1 +
 .../ikev1/mode-config/hosts/carol/etc/ipsec.conf   |    1 +
 .../mode-config/hosts/carol/etc/strongswan.conf    |    2 +-
 .../ikev1/mode-config/hosts/dave/etc/ipsec.conf    |    1 +
 .../mode-config/hosts/dave/etc/strongswan.conf     |    2 +-
 .../ikev1/mode-config/hosts/moon/etc/ipsec.conf    |    1 +
 .../mode-config/hosts/moon/etc/strongswan.conf     |    2 +-
 .../multi-level-ca-ldap/hosts/carol/etc/ipsec.conf |    1 +
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../multi-level-ca-ldap/hosts/dave/etc/ipsec.conf  |    1 +
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../multi-level-ca-ldap/hosts/moon/etc/ipsec.conf  |    1 +
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../multi-level-ca-loop/hosts/carol/etc/ipsec.conf |    1 +
 .../multi-level-ca-loop/hosts/moon/etc/ipsec.conf  |    1 +
 .../hosts/carol/etc/ipsec.conf                     |    1 +
 .../hosts/moon/etc/ipsec.conf                      |    1 +
 .../hosts/carol/etc/ipsec.conf                     |    1 +
 .../hosts/moon/etc/ipsec.conf                      |    1 +
 .../hosts/carol/etc/ipsec.conf                     |    1 +
 .../hosts/dave/etc/ipsec.conf                      |    1 +
 .../hosts/moon/etc/ipsec.conf                      |    1 +
 .../multi-level-ca/hosts/carol/etc/ipsec.conf      |    1 +
 .../ikev1/multi-level-ca/hosts/dave/etc/ipsec.conf |    1 +
 .../ikev1/multi-level-ca/hosts/moon/etc/ipsec.conf |    1 +
 .../ikev1/nat-before-esp/hosts/moon/etc/ipsec.conf |    1 +
 .../ikev1/nat-before-esp/hosts/sun/etc/ipsec.conf  |    1 +
 .../tests/ikev1/nat-two-rw-mark/description.txt    |   16 +
 testing/tests/ikev1/nat-two-rw-mark/evaltest.dat   |   18 +
 .../nat-two-rw-mark/hosts/alice/etc/ipsec.conf     |   27 +
 .../ikev1/nat-two-rw-mark/hosts/sun/etc/ipsec.conf |   36 +
 .../nat-two-rw-mark/hosts/sun/etc/mark_updown      |  527 ++++
 .../nat-two-rw-mark/hosts/venus/etc/ipsec.conf     |   27 +
 testing/tests/ikev1/nat-two-rw-mark/posttest.dat   |   11 +
 testing/tests/ikev1/nat-two-rw-mark/pretest.dat    |   21 +
 testing/tests/ikev1/nat-two-rw-mark/test.conf      |   21 +
 .../nat-two-rw-psk/hosts/alice/etc/ipsec.conf      |    1 +
 .../nat-two-rw-psk/hosts/alice/etc/strongswan.conf |    2 +-
 .../ikev1/nat-two-rw-psk/hosts/sun/etc/ipsec.conf  |    1 +
 .../nat-two-rw-psk/hosts/sun/etc/strongswan.conf   |    2 +-
 .../nat-two-rw-psk/hosts/venus/etc/ipsec.conf      |    1 +
 .../nat-two-rw-psk/hosts/venus/etc/strongswan.conf |    2 +-
 .../ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.conf |    1 +
 .../net2net-pgp-v3/hosts/moon/etc/strongswan.conf  |    2 +-
 .../ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.conf  |    1 +
 .../net2net-pgp-v3/hosts/sun/etc/strongswan.conf   |    2 +-
 .../ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.conf |    1 +
 .../net2net-pgp-v4/hosts/moon/etc/strongswan.conf  |    2 +-
 .../ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.conf  |    1 +
 .../net2net-pgp-v4/hosts/sun/etc/strongswan.conf   |    2 +-
 .../net2net-psk-fail/hosts/moon/etc/ipsec.conf     |    1 +
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../net2net-psk-fail/hosts/sun/etc/ipsec.conf      |    1 +
 .../net2net-psk-fail/hosts/sun/etc/strongswan.conf |    2 +-
 .../ikev1/net2net-psk/hosts/moon/etc/ipsec.conf    |    1 +
 .../net2net-psk/hosts/moon/etc/strongswan.conf     |    2 +-
 .../ikev1/net2net-psk/hosts/sun/etc/ipsec.conf     |    1 +
 .../net2net-psk/hosts/sun/etc/strongswan.conf      |    2 +-
 .../ikev1/net2net-route/hosts/moon/etc/ipsec.conf  |    1 +
 .../ikev1/net2net-rsa/hosts/moon/etc/ipsec.conf    |    1 +
 .../net2net-rsa/hosts/moon/etc/strongswan.conf     |    2 +-
 .../ikev1/net2net-rsa/hosts/sun/etc/ipsec.conf     |    1 +
 .../net2net-rsa/hosts/sun/etc/strongswan.conf      |    2 +-
 .../tests/ikev1/net2net-same-nets/description.txt  |   15 +
 testing/tests/ikev1/net2net-same-nets/evaltest.dat |   10 +
 .../net2net-same-nets/hosts/moon/etc/ipsec.conf    |   25 +
 .../net2net-same-nets/hosts/sun/etc/ipsec.conf     |   27 +
 .../net2net-same-nets/hosts/sun/etc/mark_updown    |  376 +++
 testing/tests/ikev1/net2net-same-nets/posttest.dat |    7 +
 testing/tests/ikev1/net2net-same-nets/pretest.dat  |    6 +
 testing/tests/ikev1/net2net-same-nets/test.conf    |   21 +
 .../ikev1/net2net-start/hosts/moon/etc/ipsec.conf  |    1 +
 .../ikev1/ocsp-revoked/hosts/carol/etc/ipsec.conf  |    1 +
 .../ikev1/ocsp-revoked/hosts/moon/etc/ipsec.conf   |    1 +
 .../ikev1/ocsp-strict/hosts/carol/etc/ipsec.conf   |    1 +
 .../ikev1/ocsp-strict/hosts/moon/etc/ipsec.conf    |    1 +
 .../ikev1/passthrough/hosts/moon/etc/ipsec.conf    |    1 +
 .../ikev1/passthrough/hosts/sun/etc/ipsec.conf     |    1 +
 .../protoport-dual/hosts/carol/etc/ipsec.conf      |    1 +
 .../ikev1/protoport-dual/hosts/moon/etc/ipsec.conf |    1 +
 .../protoport-pass/hosts/carol/etc/ipsec.conf      |    1 +
 .../ikev1/protoport-pass/hosts/moon/etc/ipsec.conf |    1 +
 .../protoport-route/hosts/carol/etc/ipsec.conf     |    1 +
 .../protoport-route/hosts/moon/etc/ipsec.conf      |    1 +
 .../ikev1/req-pkcs10/hosts/carol/etc/ipsec.conf    |    1 +
 .../req-pkcs10/hosts/carol/etc/strongswan.conf     |    2 +-
 .../req-pkcs10/hosts/moon/etc/strongswan.conf      |    2 +-
 .../ikev1/rw-cert/hosts/carol/etc/strongswan.conf  |    2 +-
 .../ikev1/rw-cert/hosts/moon/etc/strongswan.conf   |    2 +-
 testing/tests/ikev1/rw-mark-in-out/description.txt |   16 +
 testing/tests/ikev1/rw-mark-in-out/evaltest.dat    |   18 +
 .../rw-mark-in-out/hosts/alice/etc/init.d/iptables |   77 +
 .../rw-mark-in-out/hosts/alice/etc/ipsec.conf      |   26 +
 .../ikev1/rw-mark-in-out/hosts/sun/etc/ipsec.conf  |   37 +
 .../ikev1/rw-mark-in-out/hosts/sun/etc/mark_updown |  527 ++++
 .../rw-mark-in-out/hosts/venus/etc/init.d/iptables |   77 +
 .../rw-mark-in-out/hosts/venus/etc/ipsec.conf      |   26 +
 testing/tests/ikev1/rw-mark-in-out/posttest.dat    |   12 +
 testing/tests/ikev1/rw-mark-in-out/pretest.dat     |   18 +
 testing/tests/ikev1/rw-mark-in-out/test.conf       |   21 +
 .../rw-psk-fqdn-named/hosts/carol/etc/ipsec.conf   |    1 +
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../rw-psk-fqdn-named/hosts/moon/etc/ipsec.conf    |    1 +
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../ikev1/rw-psk-fqdn/hosts/carol/etc/ipsec.conf   |    1 +
 .../rw-psk-fqdn/hosts/carol/etc/strongswan.conf    |    2 +-
 .../ikev1/rw-psk-fqdn/hosts/moon/etc/ipsec.conf    |    1 +
 .../rw-psk-fqdn/hosts/moon/etc/strongswan.conf     |    2 +-
 .../ikev1/rw-psk-ipv4/hosts/carol/etc/ipsec.conf   |    1 +
 .../rw-psk-ipv4/hosts/carol/etc/strongswan.conf    |    2 +-
 .../ikev1/rw-psk-ipv4/hosts/moon/etc/ipsec.conf    |    1 +
 .../rw-psk-ipv4/hosts/moon/etc/strongswan.conf     |    2 +-
 .../rw-psk-no-policy/hosts/carol/etc/ipsec.conf    |    1 +
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../rw-psk-no-policy/hosts/moon/etc/ipsec.conf     |    1 +
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../rw-psk-rsa-mixed/hosts/carol/etc/ipsec.conf    |    1 +
 .../rw-psk-rsa-mixed/hosts/moon/etc/ipsec.conf     |    1 +
 .../rw-rsa-no-policy/hosts/moon/etc/ipsec.conf     |    1 +
 .../ikev1/self-signed/hosts/carol/etc/ipsec.conf   |    1 +
 .../self-signed/hosts/carol/etc/strongswan.conf    |    2 +-
 .../ikev1/self-signed/hosts/moon/etc/ipsec.conf    |    1 +
 .../self-signed/hosts/moon/etc/strongswan.conf     |    2 +-
 .../starter-also-loop/hosts/moon/etc/ipsec.conf    |    1 +
 .../ikev1/starter-also/hosts/moon/etc/ipsec.conf   |    1 +
 .../starter-includes/hosts/carol/etc/ipsec.conf    |    1 +
 .../starter-includes/hosts/dave/etc/ipsec.conf     |    1 +
 .../hosts/moon/etc/ipsec.connections               |    1 +
 .../ikev1/strong-certs/hosts/carol/etc/ipsec.conf  |    1 +
 .../ikev1/strong-certs/hosts/dave/etc/ipsec.conf   |    1 +
 .../ikev1/strong-certs/hosts/moon/etc/ipsec.conf   |    1 +
 .../virtual-ip-swapped/hosts/carol/etc/ipsec.conf  |    1 +
 .../virtual-ip-swapped/hosts/moon/etc/ipsec.conf   |    1 +
 .../ikev1/virtual-ip/hosts/carol/etc/ipsec.conf    |    1 +
 .../ikev1/virtual-ip/hosts/moon/etc/ipsec.conf     |    1 +
 .../ikev1/wildcards/hosts/carol/etc/ipsec.conf     |    1 +
 .../ikev1/wildcards/hosts/dave/etc/ipsec.conf      |    1 +
 .../ikev1/wildcards/hosts/moon/etc/ipsec.conf      |    1 +
 .../tests/ikev1/wlan/hosts/alice/etc/ipsec.conf    |    1 +
 testing/tests/ikev1/wlan/hosts/moon/etc/ipsec.conf |    1 +
 .../tests/ikev1/wlan/hosts/venus/etc/ipsec.conf    |    1 +
 .../hosts/carol/etc/ipsec.conf                     |    1 +
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/ipsec.conf                      |    1 +
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/ipsec.conf                      |    1 +
 .../hosts/moon/etc/strongswan.conf                 |    4 +-
 .../ikev1/xauth-id-psk-mode-config/posttest.dat    |    2 +-
 .../ikev1/xauth-id-psk/hosts/carol/etc/ipsec.conf  |    1 +
 .../xauth-id-psk/hosts/carol/etc/strongswan.conf   |    2 +-
 .../ikev1/xauth-id-psk/hosts/dave/etc/ipsec.conf   |    1 +
 .../xauth-id-psk/hosts/dave/etc/strongswan.conf    |    2 +-
 .../ikev1/xauth-id-psk/hosts/moon/etc/ipsec.conf   |    1 +
 .../xauth-id-psk/hosts/moon/etc/strongswan.conf    |    2 +-
 .../ikev1/xauth-id-rsa/hosts/carol/etc/ipsec.conf  |    1 +
 .../xauth-id-rsa/hosts/carol/etc/strongswan.conf   |    2 +-
 .../ikev1/xauth-id-rsa/hosts/dave/etc/ipsec.conf   |    1 +
 .../xauth-id-rsa/hosts/dave/etc/strongswan.conf    |    2 +-
 .../ikev1/xauth-id-rsa/hosts/moon/etc/ipsec.conf   |    1 +
 .../xauth-id-rsa/hosts/moon/etc/strongswan.conf    |    2 +-
 .../ikev1/xauth-psk/hosts/carol/etc/ipsec.conf     |    1 +
 .../xauth-psk/hosts/carol/etc/strongswan.conf      |    2 +-
 .../ikev1/xauth-psk/hosts/dave/etc/ipsec.conf      |    1 +
 .../ikev1/xauth-psk/hosts/dave/etc/strongswan.conf |    2 +-
 .../ikev1/xauth-psk/hosts/moon/etc/ipsec.conf      |    1 +
 .../ikev1/xauth-psk/hosts/moon/etc/strongswan.conf |    2 +-
 .../xauth-rsa-fail/hosts/carol/etc/ipsec.conf      |    1 +
 .../xauth-rsa-fail/hosts/carol/etc/strongswan.conf |    2 +-
 .../ikev1/xauth-rsa-fail/hosts/moon/etc/ipsec.conf |    1 +
 .../xauth-rsa-fail/hosts/moon/etc/strongswan.conf  |    2 +-
 .../hosts/carol/etc/ipsec.conf                     |    1 +
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/ipsec.conf                      |    1 +
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/ipsec.conf                      |    1 +
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../tests/ikev1/xauth-rsa-mode-config/posttest.dat |    2 +-
 .../xauth-rsa-nosecret/hosts/carol/etc/ipsec.conf  |    1 +
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../xauth-rsa-nosecret/hosts/moon/etc/ipsec.conf   |    1 +
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../ikev1/xauth-rsa/hosts/carol/etc/ipsec.conf     |    1 +
 .../xauth-rsa/hosts/carol/etc/strongswan.conf      |    2 +-
 .../ikev1/xauth-rsa/hosts/dave/etc/ipsec.conf      |    1 +
 .../ikev1/xauth-rsa/hosts/dave/etc/strongswan.conf |    2 +-
 .../ikev1/xauth-rsa/hosts/moon/etc/ipsec.conf      |    1 +
 .../ikev1/xauth-rsa/hosts/moon/etc/strongswan.conf |    2 +-
 testing/tests/ikev2/alg-3des-md5/test.conf         |    4 +-
 testing/tests/ikev2/alg-aes-ccm/description.txt    |    4 +
 testing/tests/ikev2/alg-aes-ccm/evaltest.dat       |   11 +
 .../ikev2/alg-aes-ccm/hosts/carol/etc/ipsec.conf   |   25 +
 .../alg-aes-ccm/hosts/carol/etc/strongswan.conf    |    5 +
 .../ikev2/alg-aes-ccm/hosts/moon/etc/ipsec.conf    |   24 +
 .../alg-aes-ccm/hosts/moon/etc/strongswan.conf     |    5 +
 testing/tests/ikev2/alg-aes-ccm/posttest.dat       |    4 +
 testing/tests/ikev2/alg-aes-ccm/pretest.dat        |    6 +
 testing/tests/ikev2/alg-aes-ccm/test.conf          |   21 +
 testing/tests/ikev2/alg-aes-ctr/description.txt    |    4 +
 testing/tests/ikev2/alg-aes-ctr/evaltest.dat       |   12 +
 .../ikev2/alg-aes-ctr/hosts/carol/etc/ipsec.conf   |   25 +
 .../alg-aes-ctr/hosts/carol/etc/strongswan.conf    |    5 +
 .../ikev2/alg-aes-ctr/hosts/moon/etc/ipsec.conf    |   24 +
 .../alg-aes-ctr/hosts/moon/etc/strongswan.conf     |    5 +
 testing/tests/ikev2/alg-aes-ctr/posttest.dat       |    4 +
 testing/tests/ikev2/alg-aes-ctr/pretest.dat        |    6 +
 testing/tests/ikev2/alg-aes-ctr/test.conf          |   21 +
 testing/tests/ikev2/alg-aes-gcm/description.txt    |    5 +
 testing/tests/ikev2/alg-aes-gcm/evaltest.dat       |   11 +
 .../ikev2/alg-aes-gcm/hosts/carol/etc/ipsec.conf   |   25 +
 .../alg-aes-gcm/hosts/carol/etc/strongswan.conf    |    5 +
 .../ikev2/alg-aes-gcm/hosts/moon/etc/ipsec.conf    |   24 +
 .../alg-aes-gcm/hosts/moon/etc/strongswan.conf     |    5 +
 testing/tests/ikev2/alg-aes-gcm/posttest.dat       |    4 +
 testing/tests/ikev2/alg-aes-gcm/pretest.dat        |    6 +
 testing/tests/ikev2/alg-aes-gcm/test.conf          |   21 +
 testing/tests/ikev2/alg-aes-xcbc/test.conf         |    4 +-
 testing/tests/ikev2/alg-sha256-96/test.conf        |    4 +-
 testing/tests/ikev2/alg-sha256/test.conf           |    4 +-
 testing/tests/ikev2/alg-sha384/test.conf           |    4 +-
 testing/tests/ikev2/alg-sha512/test.conf           |    4 +-
 testing/tests/ikev2/compress/test.conf             |    4 +-
 testing/tests/ikev2/dpd-hold/test.conf             |    4 +-
 .../tests/ikev2/esp-alg-aes-ccm/description.txt    |    4 -
 testing/tests/ikev2/esp-alg-aes-ccm/evaltest.dat   |    9 -
 .../esp-alg-aes-ccm/hosts/carol/etc/ipsec.conf     |   25 -
 .../hosts/carol/etc/strongswan.conf                |    5 -
 .../esp-alg-aes-ccm/hosts/moon/etc/ipsec.conf      |   24 -
 .../esp-alg-aes-ccm/hosts/moon/etc/strongswan.conf |    5 -
 testing/tests/ikev2/esp-alg-aes-ccm/posttest.dat   |    4 -
 testing/tests/ikev2/esp-alg-aes-ccm/pretest.dat    |    6 -
 testing/tests/ikev2/esp-alg-aes-ccm/test.conf      |   21 -
 .../tests/ikev2/esp-alg-aes-ctr/description.txt    |    3 -
 testing/tests/ikev2/esp-alg-aes-ctr/evaltest.dat   |   10 -
 .../esp-alg-aes-ctr/hosts/carol/etc/ipsec.conf     |   25 -
 .../hosts/carol/etc/strongswan.conf                |    5 -
 .../esp-alg-aes-ctr/hosts/moon/etc/ipsec.conf      |   24 -
 .../esp-alg-aes-ctr/hosts/moon/etc/strongswan.conf |    5 -
 testing/tests/ikev2/esp-alg-aes-ctr/posttest.dat   |    4 -
 testing/tests/ikev2/esp-alg-aes-ctr/pretest.dat    |    6 -
 testing/tests/ikev2/esp-alg-aes-ctr/test.conf      |   21 -
 .../tests/ikev2/esp-alg-aes-gcm/description.txt    |    4 -
 testing/tests/ikev2/esp-alg-aes-gcm/evaltest.dat   |    9 -
 .../esp-alg-aes-gcm/hosts/carol/etc/ipsec.conf     |   25 -
 .../hosts/carol/etc/strongswan.conf                |    5 -
 .../esp-alg-aes-gcm/hosts/moon/etc/ipsec.conf      |   24 -
 .../esp-alg-aes-gcm/hosts/moon/etc/strongswan.conf |    5 -
 testing/tests/ikev2/esp-alg-aes-gcm/posttest.dat   |    4 -
 testing/tests/ikev2/esp-alg-aes-gcm/pretest.dat    |    6 -
 testing/tests/ikev2/esp-alg-aes-gcm/test.conf      |   21 -
 testing/tests/ikev2/esp-alg-aes-gmac/test.conf     |    4 +-
 testing/tests/ikev2/esp-alg-null/test.conf         |    4 +-
 testing/tests/ikev2/ip-pool-db/posttest.dat        |    2 +-
 testing/tests/ikev2/ip-pool-wish/posttest.dat      |    2 +-
 testing/tests/ikev2/ip-pool/posttest.dat           |    2 +-
 testing/tests/ikev2/ip-split-pools-db/posttest.dat |    2 +-
 testing/tests/ikev2/ip-two-pools-db/posttest.dat   |    2 +-
 testing/tests/ikev2/ip-two-pools/posttest.dat      |    2 +-
 .../ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat    |    2 +-
 .../nat-two-rw-mark/hosts/sun/etc/mark_updown      |    2 +-
 .../net2net-same-nets/hosts/sun/etc/mark_updown    |    2 +-
 .../tests/ikev2/ocsp-no-signer-cert/evaltest.dat   |    2 +-
 testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat |    2 +-
 .../tests/ikev2/ocsp-untrusted-cert/evaltest.dat   |    2 +-
 .../ikev2/rw-cert/hosts/carol/etc/strongswan.conf  |    2 +-
 .../ikev2/rw-cert/hosts/dave/etc/strongswan.conf   |    2 +-
 .../ikev2/rw-cert/hosts/moon/etc/strongswan.conf   |    2 +-
 .../hosts/alice/etc/raddb/sites-available/default  |   18 -
 .../tests/ikev2/rw-eap-md5-id-radius/pretest.dat   |    4 -
 testing/tests/ikev2/rw-eap-md5-id-radius/test.conf |    5 +
 .../hosts/alice/etc/raddb/sites-available/default  |   17 -
 testing/tests/ikev2/rw-eap-md5-radius/pretest.dat  |    4 -
 testing/tests/ikev2/rw-eap-md5-radius/test.conf    |    5 +
 .../hosts/alice/etc/raddb/sites-available/default  |   19 -
 .../tests/ikev2/rw-eap-sim-id-radius/pretest.dat   |    3 -
 testing/tests/ikev2/rw-eap-sim-id-radius/test.conf |    5 +
 .../ikev2/rw-eap-sim-only-radius/evaltest.dat      |    2 +-
 .../hosts/alice/etc/raddb/sites-available/default  |   18 -
 .../hosts/carol/etc/strongswan.conf                |    1 -
 .../hosts/dave/etc/strongswan.conf                 |    1 -
 .../hosts/moon/etc/strongswan.conf                 |    1 -
 .../tests/ikev2/rw-eap-sim-only-radius/pretest.dat |    3 -
 .../tests/ikev2/rw-eap-sim-only-radius/test.conf   |    5 +
 testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat |    2 +-
 .../ikev2/rw-eap-tls-fragments/description.txt     |    5 +
 .../tests/ikev2/rw-eap-tls-fragments/evaltest.dat  |    9 +
 .../hosts/carol/etc/ipsec.conf                     |   23 +
 .../hosts/carol/etc/ipsec.d/cacerts/ca_A_cert.der  |  Bin 0 -> 4534 bytes
 .../hosts/carol/etc/ipsec.d/certs/carol_D_cert.der |  Bin 0 -> 3432 bytes
 .../hosts/carol/etc/ipsec.d/private/carol_key.der  |  Bin 0 -> 4652 bytes
 .../hosts/carol/etc/ipsec.secrets                  |    3 +
 .../hosts/carol/etc/strongswan.conf                |   12 +
 .../rw-eap-tls-fragments/hosts/moon/etc/ipsec.conf |   24 +
 .../hosts/moon/etc/ipsec.d/cacerts/ca_A_cert.der   |  Bin 0 -> 4534 bytes
 .../hosts/moon/etc/ipsec.d/cacerts/ca_B_cert.der   |  Bin 0 -> 4542 bytes
 .../hosts/moon/etc/ipsec.d/cacerts/ca_C_cert.der   |  Bin 0 -> 4550 bytes
 .../hosts/moon/etc/ipsec.d/cacerts/ca_D_cert.der   |  Bin 0 -> 4550 bytes
 .../hosts/moon/etc/ipsec.d/certs/moon_D_cert.der   |  Bin 0 -> 3430 bytes
 .../hosts/moon/etc/ipsec.d/private/ca_A_key.der    |  Bin 0 -> 9262 bytes
 .../hosts/moon/etc/ipsec.d/private/ca_B_key.der    |  Bin 0 -> 9261 bytes
 .../hosts/moon/etc/ipsec.d/private/ca_C_key.der    |  Bin 0 -> 9261 bytes
 .../hosts/moon/etc/ipsec.d/private/ca_D_key.der    |  Bin 0 -> 9262 bytes
 .../hosts/moon/etc/ipsec.d/private/moon_key.der    |  Bin 0 -> 4651 bytes
 .../hosts/moon/etc/ipsec.secrets                   |    3 +
 .../hosts/moon/etc/strongswan.conf                 |   12 +
 .../tests/ikev2/rw-eap-tls-fragments/posttest.dat  |   10 +
 .../tests/ikev2/rw-eap-tls-fragments/pretest.dat   |    9 +
 testing/tests/ikev2/rw-eap-tls-fragments/test.conf |   21 +
 .../tests/ikev2/rw-eap-tls-only/description.txt    |    4 +
 testing/tests/ikev2/rw-eap-tls-only/evaltest.dat   |    9 +
 .../rw-eap-tls-only/hosts/carol/etc/ipsec.conf     |   22 +
 .../hosts/carol/etc/strongswan.conf                |    6 +
 .../rw-eap-tls-only/hosts/moon/etc/ipsec.conf      |   23 +
 .../rw-eap-tls-only/hosts/moon/etc/strongswan.conf |    6 +
 testing/tests/ikev2/rw-eap-tls-only/posttest.dat   |    4 +
 testing/tests/ikev2/rw-eap-tls-only/pretest.dat    |    7 +
 testing/tests/ikev2/rw-eap-tls-only/test.conf      |   21 +
 .../tests/ikev2/rw-eap-tls-radius/description.txt  |    5 +
 testing/tests/ikev2/rw-eap-tls-radius/evaltest.dat |   11 +
 .../hosts/alice/etc/raddb/clients.conf             |    4 +
 .../hosts/alice/etc/raddb/eap.conf                 |   13 +
 .../hosts/alice/etc/raddb/proxy.conf               |    5 +
 .../hosts/alice/etc/raddb/radiusd.conf             |  120 +
 .../hosts/alice/etc/raddb/sites-available/default  |   42 +
 .../rw-eap-tls-radius/hosts/alice/etc/raddb/users  |    1 +
 .../rw-eap-tls-radius/hosts/carol/etc/ipsec.conf   |   24 +
 .../hosts/carol/etc/strongswan.conf                |    6 +
 .../hosts/moon/etc/init.d/iptables                 |   84 +
 .../rw-eap-tls-radius/hosts/moon/etc/ipsec.conf    |   24 +
 .../rw-eap-tls-radius/hosts/moon/etc/ipsec.secrets |    3 +
 .../hosts/moon/etc/strongswan.conf                 |   12 +
 testing/tests/ikev2/rw-eap-tls-radius/posttest.dat |    5 +
 testing/tests/ikev2/rw-eap-tls-radius/pretest.dat  |    8 +
 testing/tests/ikev2/rw-eap-tls-radius/test.conf    |   26 +
 .../tests/ikev2/rw-eap-tnc-block/description.txt   |    8 +
 testing/tests/ikev2/rw-eap-tnc-block/evaltest.dat  |   12 +
 .../rw-eap-tnc-block/hosts/carol/etc/ipsec.conf    |   23 +
 .../rw-eap-tnc-block/hosts/carol/etc/ipsec.secrets |    3 +
 .../hosts/carol/etc/strongswan.conf                |    6 +
 .../hosts/carol/etc/tnc/dummyimc.file              |    1 +
 .../rw-eap-tnc-block/hosts/carol/etc/tnc_config    |    3 +
 .../rw-eap-tnc-block/hosts/dave/etc/ipsec.conf     |   23 +
 .../rw-eap-tnc-block/hosts/dave/etc/ipsec.secrets  |    3 +
 .../hosts/dave/etc/strongswan.conf                 |    6 +
 .../hosts/dave/etc/tnc/dummyimc.file               |    1 +
 .../rw-eap-tnc-block/hosts/dave/etc/tnc_config     |    3 +
 .../rw-eap-tnc-block/hosts/moon/etc/ipsec.conf     |   26 +
 .../rw-eap-tnc-block/hosts/moon/etc/ipsec.secrets  |    6 +
 .../hosts/moon/etc/strongswan.conf                 |   13 +
 .../rw-eap-tnc-block/hosts/moon/etc/tnc_config     |    3 +
 testing/tests/ikev2/rw-eap-tnc-block/posttest.dat  |    6 +
 testing/tests/ikev2/rw-eap-tnc-block/pretest.dat   |   15 +
 testing/tests/ikev2/rw-eap-tnc-block/test.conf     |   26 +
 .../ikev2/rw-eap-tnc-radius-block/description.txt  |   11 +
 .../ikev2/rw-eap-tnc-radius-block/evaltest.dat     |   14 +
 .../hosts/alice/etc/raddb/clients.conf             |    4 +
 .../hosts/alice/etc/raddb/dictionary               |    2 +
 .../hosts/alice/etc/raddb/dictionary.tnc           |    5 +
 .../hosts/alice/etc/raddb/eap.conf                 |   25 +
 .../hosts/alice/etc/raddb/proxy.conf               |    5 +
 .../hosts/alice/etc/raddb/radiusd.conf             |  120 +
 .../hosts/alice/etc/raddb/sites-available/default  |   44 +
 .../alice/etc/raddb/sites-available/inner-tunnel   |   32 +
 .../etc/raddb/sites-available/inner-tunnel-second  |   23 +
 .../hosts/alice/etc/raddb/users                    |    2 +
 .../hosts/alice/etc/tnc_config                     |    3 +
 .../hosts/carol/etc/ipsec.conf                     |   24 +
 .../hosts/carol/etc/ipsec.secrets                  |    3 +
 .../hosts/carol/etc/strongswan.conf                |    6 +
 .../hosts/carol/etc/tnc/dummyimc.file              |    1 +
 .../hosts/carol/etc/tnc_config                     |    3 +
 .../hosts/dave/etc/ipsec.conf                      |   24 +
 .../hosts/dave/etc/ipsec.secrets                   |    3 +
 .../hosts/dave/etc/strongswan.conf                 |    6 +
 .../hosts/dave/etc/tnc/dummyimc.file               |    1 +
 .../hosts/dave/etc/tnc_config                      |    3 +
 .../hosts/moon/etc/init.d/iptables                 |   84 +
 .../hosts/moon/etc/ipsec.conf                      |   25 +
 .../hosts/moon/etc/ipsec.secrets                   |    3 +
 .../hosts/moon/etc/strongswan.conf                 |   12 +
 .../ikev2/rw-eap-tnc-radius-block/posttest.dat     |    8 +
 .../ikev2/rw-eap-tnc-radius-block/pretest.dat      |   15 +
 .../tests/ikev2/rw-eap-tnc-radius-block/test.conf  |   26 +
 .../tests/ikev2/rw-eap-tnc-radius/description.txt  |   10 +
 testing/tests/ikev2/rw-eap-tnc-radius/evaltest.dat |   19 +
 .../hosts/alice/etc/raddb/clients.conf             |    4 +
 .../hosts/alice/etc/raddb/dictionary               |    2 +
 .../hosts/alice/etc/raddb/dictionary.tnc           |    5 +
 .../hosts/alice/etc/raddb/eap.conf                 |   25 +
 .../hosts/alice/etc/raddb/proxy.conf               |    5 +
 .../hosts/alice/etc/raddb/radiusd.conf             |  120 +
 .../hosts/alice/etc/raddb/sites-available/default  |   44 +
 .../alice/etc/raddb/sites-available/inner-tunnel   |   32 +
 .../etc/raddb/sites-available/inner-tunnel-second  |   36 +
 .../rw-eap-tnc-radius/hosts/alice/etc/raddb/users  |    2 +
 .../rw-eap-tnc-radius/hosts/alice/etc/tnc_config   |    3 +
 .../rw-eap-tnc-radius/hosts/carol/etc/ipsec.conf   |   24 +
 .../hosts/carol/etc/ipsec.secrets                  |    3 +
 .../hosts/carol/etc/strongswan.conf                |    6 +
 .../hosts/carol/etc/tnc/dummyimc.file              |    1 +
 .../rw-eap-tnc-radius/hosts/carol/etc/tnc_config   |    3 +
 .../rw-eap-tnc-radius/hosts/dave/etc/ipsec.conf    |   24 +
 .../rw-eap-tnc-radius/hosts/dave/etc/ipsec.secrets |    3 +
 .../hosts/dave/etc/strongswan.conf                 |    6 +
 .../hosts/dave/etc/tnc/dummyimc.file               |    1 +
 .../rw-eap-tnc-radius/hosts/dave/etc/tnc_config    |    3 +
 .../hosts/moon/etc/init.d/iptables                 |   84 +
 .../rw-eap-tnc-radius/hosts/moon/etc/ipsec.conf    |   35 +
 .../rw-eap-tnc-radius/hosts/moon/etc/ipsec.secrets |    3 +
 .../hosts/moon/etc/strongswan.conf                 |   13 +
 testing/tests/ikev2/rw-eap-tnc-radius/posttest.dat |    8 +
 testing/tests/ikev2/rw-eap-tnc-radius/pretest.dat  |   18 +
 testing/tests/ikev2/rw-eap-tnc-radius/test.conf    |   26 +
 testing/tests/ikev2/rw-eap-tnc-tls/description.txt |    7 +
 testing/tests/ikev2/rw-eap-tnc-tls/evaltest.dat    |   19 +
 .../rw-eap-tnc-tls/hosts/carol/etc/ipsec.conf      |   24 +
 .../rw-eap-tnc-tls/hosts/carol/etc/strongswan.conf |    6 +
 .../hosts/carol/etc/tnc/dummyimc.file              |    1 +
 .../rw-eap-tnc-tls/hosts/carol/etc/tnc_config      |    3 +
 .../ikev2/rw-eap-tnc-tls/hosts/dave/etc/ipsec.conf |   24 +
 .../rw-eap-tnc-tls/hosts/dave/etc/strongswan.conf  |    6 +
 .../hosts/dave/etc/tnc/dummyimc.file               |    1 +
 .../ikev2/rw-eap-tnc-tls/hosts/dave/etc/tnc_config |    3 +
 .../ikev2/rw-eap-tnc-tls/hosts/moon/etc/ipsec.conf |   36 +
 .../rw-eap-tnc-tls/hosts/moon/etc/ipsec.secrets    |    6 +
 .../rw-eap-tnc-tls/hosts/moon/etc/strongswan.conf  |   13 +
 .../ikev2/rw-eap-tnc-tls/hosts/moon/etc/tnc_config |    3 +
 testing/tests/ikev2/rw-eap-tnc-tls/posttest.dat    |    6 +
 testing/tests/ikev2/rw-eap-tnc-tls/pretest.dat     |   15 +
 testing/tests/ikev2/rw-eap-tnc-tls/test.conf       |   26 +
 testing/tests/ikev2/rw-eap-tnc/description.txt     |    9 +
 testing/tests/ikev2/rw-eap-tnc/evaltest.dat        |   19 +
 .../ikev2/rw-eap-tnc/hosts/carol/etc/ipsec.conf    |   23 +
 .../ikev2/rw-eap-tnc/hosts/carol/etc/ipsec.secrets |    3 +
 .../rw-eap-tnc/hosts/carol/etc/strongswan.conf     |    6 +
 .../rw-eap-tnc/hosts/carol/etc/tnc/dummyimc.file   |    1 +
 .../ikev2/rw-eap-tnc/hosts/carol/etc/tnc_config    |    3 +
 .../ikev2/rw-eap-tnc/hosts/dave/etc/ipsec.conf     |   23 +
 .../ikev2/rw-eap-tnc/hosts/dave/etc/ipsec.secrets  |    3 +
 .../rw-eap-tnc/hosts/dave/etc/strongswan.conf      |    6 +
 .../rw-eap-tnc/hosts/dave/etc/tnc/dummyimc.file    |    1 +
 .../ikev2/rw-eap-tnc/hosts/dave/etc/tnc_config     |    3 +
 .../ikev2/rw-eap-tnc/hosts/moon/etc/ipsec.conf     |   36 +
 .../ikev2/rw-eap-tnc/hosts/moon/etc/ipsec.secrets  |    6 +
 .../rw-eap-tnc/hosts/moon/etc/strongswan.conf      |   13 +
 .../ikev2/rw-eap-tnc/hosts/moon/etc/tnc_config     |    3 +
 testing/tests/ikev2/rw-eap-tnc/posttest.dat        |    6 +
 testing/tests/ikev2/rw-eap-tnc/pretest.dat         |   15 +
 testing/tests/ikev2/rw-eap-tnc/test.conf           |   26 +
 .../tests/ikev2/rw-eap-ttls-only/description.txt   |   11 +
 testing/tests/ikev2/rw-eap-ttls-only/evaltest.dat  |   19 +
 .../rw-eap-ttls-only/hosts/carol/etc/ipsec.conf    |   23 +
 .../rw-eap-ttls-only/hosts/carol/etc/ipsec.secrets |    3 +
 .../hosts/carol/etc/strongswan.conf                |    6 +
 .../rw-eap-ttls-only/hosts/dave/etc/ipsec.conf     |   23 +
 .../rw-eap-ttls-only/hosts/dave/etc/ipsec.secrets  |    3 +
 .../hosts/dave/etc/strongswan.conf                 |    6 +
 .../rw-eap-ttls-only/hosts/moon/etc/ipsec.conf     |   24 +
 .../rw-eap-ttls-only/hosts/moon/etc/ipsec.secrets  |    6 +
 .../hosts/moon/etc/strongswan.conf                 |   11 +
 testing/tests/ikev2/rw-eap-ttls-only/posttest.dat  |    6 +
 testing/tests/ikev2/rw-eap-ttls-only/pretest.dat   |   10 +
 testing/tests/ikev2/rw-eap-ttls-only/test.conf     |   21 +
 .../rw-eap-ttls-phase2-piggyback/description.txt   |   10 +
 .../rw-eap-ttls-phase2-piggyback/evaltest.dat      |   19 +
 .../hosts/carol/etc/ipsec.conf                     |   23 +
 .../hosts/carol/etc/ipsec.secrets                  |    3 +
 .../hosts/carol/etc/strongswan.conf                |    6 +
 .../hosts/dave/etc/ipsec.conf                      |   23 +
 .../hosts/dave/etc/ipsec.secrets                   |    3 +
 .../hosts/dave/etc/strongswan.conf                 |    6 +
 .../hosts/moon/etc/ipsec.conf                      |   24 +
 .../hosts/moon/etc/ipsec.secrets                   |    6 +
 .../hosts/moon/etc/strongswan.conf                 |   12 +
 .../rw-eap-ttls-phase2-piggyback/posttest.dat      |    6 +
 .../ikev2/rw-eap-ttls-phase2-piggyback/pretest.dat |   10 +
 .../ikev2/rw-eap-ttls-phase2-piggyback/test.conf   |   21 +
 .../tests/ikev2/rw-eap-ttls-radius/description.txt |    8 +
 .../tests/ikev2/rw-eap-ttls-radius/evaltest.dat    |   21 +
 .../hosts/alice/etc/raddb/clients.conf             |    4 +
 .../hosts/alice/etc/raddb/eap.conf                 |   18 +
 .../hosts/alice/etc/raddb/proxy.conf               |    5 +
 .../hosts/alice/etc/raddb/radiusd.conf             |  120 +
 .../hosts/alice/etc/raddb/sites-available/default  |   44 +
 .../alice/etc/raddb/sites-available/inner-tunnel   |   32 +
 .../rw-eap-ttls-radius/hosts/alice/etc/raddb/users |    2 +
 .../rw-eap-ttls-radius/hosts/carol/etc/ipsec.conf  |   24 +
 .../hosts/carol/etc/ipsec.secrets                  |    3 +
 .../hosts/carol/etc/strongswan.conf                |    6 +
 .../rw-eap-ttls-radius/hosts/dave/etc/ipsec.conf   |   24 +
 .../hosts/dave/etc/ipsec.secrets                   |    3 +
 .../hosts/dave/etc/strongswan.conf                 |    6 +
 .../hosts/moon/etc/init.d/iptables                 |   84 +
 .../rw-eap-ttls-radius/hosts/moon/etc/ipsec.conf   |   25 +
 .../hosts/moon/etc/ipsec.secrets                   |    3 +
 .../hosts/moon/etc/strongswan.conf                 |   12 +
 .../tests/ikev2/rw-eap-ttls-radius/posttest.dat    |    7 +
 testing/tests/ikev2/rw-eap-ttls-radius/pretest.dat |   11 +
 testing/tests/ikev2/rw-eap-ttls-radius/test.conf   |   26 +
 .../ikev2/rw-mark-in-out/hosts/sun/etc/mark_updown |    2 +-
 .../ipv6/host2host-ikev1/hosts/moon/etc/ipsec.conf |    1 +
 .../ipv6/host2host-ikev1/hosts/sun/etc/ipsec.conf  |    1 +
 .../ipv6/net2net-ikev1/hosts/moon/etc/ipsec.conf   |    1 +
 .../ipv6/net2net-ikev1/hosts/sun/etc/ipsec.conf    |    1 +
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/sun/etc/strongswan.conf                  |    2 +-
 .../tests/ipv6/rw-ikev1/hosts/carol/etc/ipsec.conf |    1 +
 .../tests/ipv6/rw-ikev1/hosts/moon/etc/ipsec.conf  |    1 +
 .../ipv6/rw-psk-ikev1/hosts/carol/etc/ipsec.conf   |    1 +
 .../ipv6/rw-psk-ikev1/hosts/moon/etc/ipsec.conf    |    1 +
 .../ipv6/transport-ikev1/hosts/moon/etc/ipsec.conf |    1 +
 .../ipv6/transport-ikev1/hosts/sun/etc/ipsec.conf  |    1 +
 .../alg-camellia/hosts/carol/etc/ipsec.conf        |    1 +
 .../alg-camellia/hosts/carol/etc/strongswan.conf   |    2 +-
 .../alg-camellia/hosts/moon/etc/ipsec.conf         |    1 +
 .../alg-camellia/hosts/moon/etc/strongswan.conf    |    2 +-
 testing/tests/openssl-ikev1/alg-camellia/test.conf |    4 +-
 .../alg-ecp-high/hosts/carol/etc/strongswan.conf   |    2 +-
 .../alg-ecp-high/hosts/dave/etc/strongswan.conf    |    2 +-
 .../alg-ecp-high/hosts/moon/etc/strongswan.conf    |    2 +-
 .../alg-ecp-low/hosts/carol/etc/strongswan.conf    |    2 +-
 .../alg-ecp-low/hosts/dave/etc/strongswan.conf     |    2 +-
 .../alg-ecp-low/hosts/moon/etc/strongswan.conf     |    2 +-
 .../ecdsa-certs/hosts/carol/etc/strongswan.conf    |    2 +-
 .../ecdsa-certs/hosts/dave/etc/strongswan.conf     |    2 +-
 .../ecdsa-certs/hosts/moon/etc/strongswan.conf     |    2 +-
 .../rw-cert/hosts/carol/etc/strongswan.conf        |    2 +-
 .../rw-cert/hosts/dave/etc/strongswan.conf         |    2 +-
 .../rw-cert/hosts/moon/etc/strongswan.conf         |    2 +-
 testing/tests/openssl-ikev2/alg-camellia/test.conf |    4 +-
 .../rw-cert/hosts/carol/etc/strongswan.conf        |    2 +-
 .../rw-cert/hosts/dave/etc/strongswan.conf         |    2 +-
 .../rw-cert/hosts/moon/etc/strongswan.conf         |    2 +-
 .../openssl-ikev2/rw-eap-tls-only/description.txt  |    5 +
 .../openssl-ikev2/rw-eap-tls-only/evaltest.dat     |   10 +
 .../rw-eap-tls-only/hosts/carol/etc/ipsec.conf     |   25 +
 .../carol/etc/ipsec.d/cacerts/strongswanCert.pem   |   17 +
 .../hosts/carol/etc/ipsec.d/certs/carolCert.pem    |   18 +
 .../hosts/carol/etc/ipsec.d/private/carolKey.pem   |    8 +
 .../rw-eap-tls-only/hosts/carol/etc/ipsec.secrets  |    3 +
 .../hosts/carol/etc/strongswan.conf                |    6 +
 .../rw-eap-tls-only/hosts/moon/etc/ipsec.conf      |   26 +
 .../moon/etc/ipsec.d/cacerts/strongswanCert.pem    |   17 +
 .../hosts/moon/etc/ipsec.d/certs/moonCert.pem      |   20 +
 .../hosts/moon/etc/ipsec.d/private/moonKey.pem     |    7 +
 .../rw-eap-tls-only/hosts/moon/etc/ipsec.secrets   |    3 +
 .../rw-eap-tls-only/hosts/moon/etc/strongswan.conf |   13 +
 .../openssl-ikev2/rw-eap-tls-only/posttest.dat     |    4 +
 .../openssl-ikev2/rw-eap-tls-only/pretest.dat      |    7 +
 .../tests/openssl-ikev2/rw-eap-tls-only/test.conf  |   21 +
 testing/tests/pfkey/alg-aes-xcbc/test.conf         |    4 +-
 testing/tests/pfkey/alg-sha384/test.conf           |    4 +-
 testing/tests/pfkey/alg-sha512/test.conf           |    4 +-
 testing/tests/pfkey/esp-alg-null/test.conf         |    4 +-
 testing/tests/sql/ip-pool-db-expired/posttest.dat  |    2 +-
 testing/tests/sql/ip-pool-db-restart/posttest.dat  |    2 +-
 testing/tests/sql/ip-pool-db/posttest.dat          |    2 +-
 .../sql/ip-split-pools-db-restart/posttest.dat     |    2 +-
 testing/tests/sql/ip-split-pools-db/posttest.dat   |    2 +-
 1442 files changed, 73349 insertions(+), 33038 deletions(-)
 create mode 100644 m4/macros/add-plugin.m4
 create mode 100644 man/Makefile.am
 create mode 100644 man/Makefile.in
 create mode 100644 man/ipsec.conf.5
 create mode 100644 man/ipsec.conf.5.in
 create mode 100644 man/ipsec.secrets.5
 create mode 100644 man/ipsec.secrets.5.in
 create mode 100644 man/strongswan.conf.5
 create mode 100644 man/strongswan.conf.5.in
 create mode 100644 scripts/crypt_burn.c
 create mode 100644 src/libcharon/kernel/kernel_handler.c
 create mode 100644 src/libcharon/kernel/kernel_handler.h
 delete mode 100644 src/libcharon/kernel/kernel_interface.c
 delete mode 100644 src/libcharon/kernel/kernel_interface.h
 delete mode 100644 src/libcharon/kernel/kernel_ipsec.c
 delete mode 100644 src/libcharon/kernel/kernel_ipsec.h
 delete mode 100644 src/libcharon/kernel/kernel_net.h
 create mode 100644 src/libcharon/plugins/eap_tls/Makefile.am
 create mode 100644 src/libcharon/plugins/eap_tls/Makefile.in
 create mode 100644 src/libcharon/plugins/eap_tls/eap_tls.c
 create mode 100644 src/libcharon/plugins/eap_tls/eap_tls.h
 create mode 100644 src/libcharon/plugins/eap_tls/eap_tls_plugin.c
 create mode 100644 src/libcharon/plugins/eap_tls/eap_tls_plugin.h
 create mode 100644 src/libcharon/plugins/eap_tnc/Makefile.am
 create mode 100644 src/libcharon/plugins/eap_tnc/Makefile.in
 create mode 100644 src/libcharon/plugins/eap_tnc/eap_tnc.c
 create mode 100644 src/libcharon/plugins/eap_tnc/eap_tnc.h
 create mode 100644 src/libcharon/plugins/eap_tnc/eap_tnc_plugin.c
 create mode 100644 src/libcharon/plugins/eap_tnc/eap_tnc_plugin.h
 create mode 100644 src/libcharon/plugins/eap_ttls/Makefile.am
 create mode 100644 src/libcharon/plugins/eap_ttls/Makefile.in
 create mode 100644 src/libcharon/plugins/eap_ttls/eap_ttls.c
 create mode 100644 src/libcharon/plugins/eap_ttls/eap_ttls.h
 create mode 100644 src/libcharon/plugins/eap_ttls/eap_ttls_avp.c
 create mode 100644 src/libcharon/plugins/eap_ttls/eap_ttls_avp.h
 create mode 100644 src/libcharon/plugins/eap_ttls/eap_ttls_peer.c
 create mode 100644 src/libcharon/plugins/eap_ttls/eap_ttls_peer.h
 create mode 100644 src/libcharon/plugins/eap_ttls/eap_ttls_plugin.c
 create mode 100644 src/libcharon/plugins/eap_ttls/eap_ttls_plugin.h
 create mode 100644 src/libcharon/plugins/eap_ttls/eap_ttls_server.c
 create mode 100644 src/libcharon/plugins/eap_ttls/eap_ttls_server.h
 delete mode 100644 src/libcharon/plugins/kernel_klips/Makefile.am
 delete mode 100644 src/libcharon/plugins/kernel_klips/Makefile.in
 delete mode 100644 src/libcharon/plugins/kernel_klips/kernel_klips_ipsec.c
 delete mode 100644 src/libcharon/plugins/kernel_klips/kernel_klips_ipsec.h
 delete mode 100644 src/libcharon/plugins/kernel_klips/kernel_klips_plugin.c
 delete mode 100644 src/libcharon/plugins/kernel_klips/kernel_klips_plugin.h
 delete mode 100644 src/libcharon/plugins/kernel_klips/pfkeyv2.h
 delete mode 100644 src/libcharon/plugins/kernel_netlink/Makefile.am
 delete mode 100644 src/libcharon/plugins/kernel_netlink/Makefile.in
 delete mode 100644 src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
 delete mode 100644 src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.h
 delete mode 100644 src/libcharon/plugins/kernel_netlink/kernel_netlink_net.c
 delete mode 100644 src/libcharon/plugins/kernel_netlink/kernel_netlink_net.h
 delete mode 100644 src/libcharon/plugins/kernel_netlink/kernel_netlink_plugin.c
 delete mode 100644 src/libcharon/plugins/kernel_netlink/kernel_netlink_plugin.h
 delete mode 100644 src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.c
 delete mode 100644 src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.h
 delete mode 100644 src/libcharon/plugins/kernel_pfkey/Makefile.am
 delete mode 100644 src/libcharon/plugins/kernel_pfkey/Makefile.in
 delete mode 100644 src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
 delete mode 100644 src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.h
 delete mode 100644 src/libcharon/plugins/kernel_pfkey/kernel_pfkey_plugin.c
 delete mode 100644 src/libcharon/plugins/kernel_pfkey/kernel_pfkey_plugin.h
 delete mode 100644 src/libcharon/plugins/kernel_pfroute/Makefile.am
 delete mode 100644 src/libcharon/plugins/kernel_pfroute/Makefile.in
 delete mode 100644 src/libcharon/plugins/kernel_pfroute/kernel_pfroute_net.c
 delete mode 100644 src/libcharon/plugins/kernel_pfroute/kernel_pfroute_net.h
 delete mode 100644 src/libcharon/plugins/kernel_pfroute/kernel_pfroute_plugin.c
 delete mode 100644 src/libcharon/plugins/kernel_pfroute/kernel_pfroute_plugin.h
 create mode 100644 src/libcharon/plugins/led/Makefile.am
 create mode 100644 src/libcharon/plugins/led/Makefile.in
 create mode 100644 src/libcharon/plugins/led/led_listener.c
 create mode 100644 src/libcharon/plugins/led/led_listener.h
 create mode 100644 src/libcharon/plugins/led/led_plugin.c
 create mode 100644 src/libcharon/plugins/led/led_plugin.h
 create mode 100644 src/libcharon/plugins/maemo/Makefile.am
 create mode 100644 src/libcharon/plugins/maemo/Makefile.in
 create mode 100644 src/libcharon/plugins/maemo/maemo_plugin.c
 create mode 100644 src/libcharon/plugins/maemo/maemo_plugin.h
 create mode 100644 src/libcharon/plugins/maemo/maemo_service.c
 create mode 100644 src/libcharon/plugins/maemo/maemo_service.h
 create mode 100644 src/libcharon/plugins/maemo/org.strongswan.charon.service
 create mode 100644 src/libcharon/plugins/tnc_imc/Makefile.am
 create mode 100644 src/libcharon/plugins/tnc_imc/Makefile.in
 create mode 100644 src/libcharon/plugins/tnc_imc/tnc_imc_plugin.c
 create mode 100644 src/libcharon/plugins/tnc_imc/tnc_imc_plugin.h
 create mode 100644 src/libcharon/plugins/tnc_imv/Makefile.am
 create mode 100644 src/libcharon/plugins/tnc_imv/Makefile.in
 create mode 100644 src/libcharon/plugins/tnc_imv/tnc_imv_plugin.c
 create mode 100644 src/libcharon/plugins/tnc_imv/tnc_imv_plugin.h
 create mode 100644 src/libcharon/plugins/tnccs_11/Makefile.am
 create mode 100644 src/libcharon/plugins/tnccs_11/Makefile.in
 create mode 100644 src/libcharon/plugins/tnccs_11/tnccs_11.c
 create mode 100644 src/libcharon/plugins/tnccs_11/tnccs_11.h
 create mode 100644 src/libcharon/plugins/tnccs_11/tnccs_11_plugin.c
 create mode 100644 src/libcharon/plugins/tnccs_11/tnccs_11_plugin.h
 create mode 100644 src/libcharon/plugins/tnccs_20/Makefile.am
 create mode 100644 src/libcharon/plugins/tnccs_20/Makefile.in
 create mode 100644 src/libcharon/plugins/tnccs_20/tnccs_20.c
 create mode 100644 src/libcharon/plugins/tnccs_20/tnccs_20.h
 create mode 100644 src/libcharon/plugins/tnccs_20/tnccs_20_plugin.c
 create mode 100644 src/libcharon/plugins/tnccs_20/tnccs_20_plugin.h
 delete mode 100644 src/libcharon/processing/jobs/callback_job.c
 delete mode 100644 src/libcharon/processing/jobs/callback_job.h
 delete mode 100644 src/libcharon/processing/jobs/job.h
 delete mode 100644 src/libcharon/processing/processor.c
 delete mode 100644 src/libcharon/processing/processor.h
 delete mode 100644 src/libcharon/processing/scheduler.c
 delete mode 100644 src/libcharon/processing/scheduler.h
 create mode 100644 src/libcharon/tnccs/tnccs.c
 create mode 100644 src/libcharon/tnccs/tnccs.h
 create mode 100644 src/libcharon/tnccs/tnccs_manager.c
 create mode 100644 src/libcharon/tnccs/tnccs_manager.h
 create mode 100644 src/libhydra/kernel/kernel_interface.c
 create mode 100644 src/libhydra/kernel/kernel_interface.h
 create mode 100644 src/libhydra/kernel/kernel_ipsec.c
 create mode 100644 src/libhydra/kernel/kernel_ipsec.h
 create mode 100644 src/libhydra/kernel/kernel_listener.h
 create mode 100644 src/libhydra/kernel/kernel_net.h
 create mode 100644 src/libhydra/plugins/kernel_klips/Makefile.am
 create mode 100644 src/libhydra/plugins/kernel_klips/Makefile.in
 create mode 100644 src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c
 create mode 100644 src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.h
 create mode 100644 src/libhydra/plugins/kernel_klips/kernel_klips_plugin.c
 create mode 100644 src/libhydra/plugins/kernel_klips/kernel_klips_plugin.h
 create mode 100644 src/libhydra/plugins/kernel_klips/pfkeyv2.h
 create mode 100644 src/libhydra/plugins/kernel_netlink/Makefile.am
 create mode 100644 src/libhydra/plugins/kernel_netlink/Makefile.in
 create mode 100644 src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
 create mode 100644 src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.h
 create mode 100644 src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c
 create mode 100644 src/libhydra/plugins/kernel_netlink/kernel_netlink_net.h
 create mode 100644 src/libhydra/plugins/kernel_netlink/kernel_netlink_plugin.c
 create mode 100644 src/libhydra/plugins/kernel_netlink/kernel_netlink_plugin.h
 create mode 100644 src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.c
 create mode 100644 src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.h
 create mode 100644 src/libhydra/plugins/kernel_pfkey/Makefile.am
 create mode 100644 src/libhydra/plugins/kernel_pfkey/Makefile.in
 create mode 100644 src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
 create mode 100644 src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.h
 create mode 100644 src/libhydra/plugins/kernel_pfkey/kernel_pfkey_plugin.c
 create mode 100644 src/libhydra/plugins/kernel_pfkey/kernel_pfkey_plugin.h
 create mode 100644 src/libhydra/plugins/kernel_pfroute/Makefile.am
 create mode 100644 src/libhydra/plugins/kernel_pfroute/Makefile.in
 create mode 100644 src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.c
 create mode 100644 src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.h
 create mode 100644 src/libhydra/plugins/kernel_pfroute/kernel_pfroute_plugin.c
 create mode 100644 src/libhydra/plugins/kernel_pfroute/kernel_pfroute_plugin.h
 create mode 100644 src/libstrongswan/credentials/sets/callback_cred.c
 create mode 100644 src/libstrongswan/credentials/sets/callback_cred.h
 create mode 100644 src/libstrongswan/credentials/sets/mem_cred.c
 create mode 100644 src/libstrongswan/credentials/sets/mem_cred.h
 create mode 100644 src/libstrongswan/crypto/aead.c
 create mode 100644 src/libstrongswan/crypto/aead.h
 create mode 100644 src/libstrongswan/eap/eap.c
 create mode 100644 src/libstrongswan/eap/eap.h
 create mode 100644 src/libstrongswan/plugins/ccm/Makefile.am
 create mode 100644 src/libstrongswan/plugins/ccm/Makefile.in
 create mode 100644 src/libstrongswan/plugins/ccm/ccm_aead.c
 create mode 100644 src/libstrongswan/plugins/ccm/ccm_aead.h
 create mode 100644 src/libstrongswan/plugins/ccm/ccm_plugin.c
 create mode 100644 src/libstrongswan/plugins/ccm/ccm_plugin.h
 create mode 100644 src/libstrongswan/plugins/ctr/Makefile.am
 create mode 100644 src/libstrongswan/plugins/ctr/Makefile.in
 create mode 100644 src/libstrongswan/plugins/ctr/ctr_ipsec_crypter.c
 create mode 100644 src/libstrongswan/plugins/ctr/ctr_ipsec_crypter.h
 create mode 100644 src/libstrongswan/plugins/ctr/ctr_plugin.c
 create mode 100644 src/libstrongswan/plugins/ctr/ctr_plugin.h
 create mode 100644 src/libstrongswan/plugins/gcm/Makefile.am
 create mode 100644 src/libstrongswan/plugins/gcm/Makefile.in
 create mode 100644 src/libstrongswan/plugins/gcm/gcm_aead.c
 create mode 100644 src/libstrongswan/plugins/gcm/gcm_aead.h
 create mode 100644 src/libstrongswan/plugins/gcm/gcm_plugin.c
 create mode 100644 src/libstrongswan/plugins/gcm/gcm_plugin.h
 create mode 100644 src/libstrongswan/plugins/pkcs11/Makefile.am
 create mode 100644 src/libstrongswan/plugins/pkcs11/Makefile.in
 create mode 100644 src/libstrongswan/plugins/pkcs11/pkcs11.h
 create mode 100644 src/libstrongswan/plugins/pkcs11/pkcs11_creds.c
 create mode 100644 src/libstrongswan/plugins/pkcs11/pkcs11_creds.h
 create mode 100644 src/libstrongswan/plugins/pkcs11/pkcs11_hasher.c
 create mode 100644 src/libstrongswan/plugins/pkcs11/pkcs11_hasher.h
 create mode 100644 src/libstrongswan/plugins/pkcs11/pkcs11_library.c
 create mode 100644 src/libstrongswan/plugins/pkcs11/pkcs11_library.h
 create mode 100644 src/libstrongswan/plugins/pkcs11/pkcs11_manager.c
 create mode 100644 src/libstrongswan/plugins/pkcs11/pkcs11_manager.h
 create mode 100644 src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c
 create mode 100644 src/libstrongswan/plugins/pkcs11/pkcs11_plugin.h
 create mode 100644 src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c
 create mode 100644 src/libstrongswan/plugins/pkcs11/pkcs11_private_key.h
 create mode 100644 src/libstrongswan/plugins/pkcs11/pkcs11_public_key.c
 create mode 100644 src/libstrongswan/plugins/pkcs11/pkcs11_public_key.h
 create mode 100644 src/libstrongswan/plugins/test_vectors/test_vectors/aes_ccm.c
 create mode 100644 src/libstrongswan/plugins/test_vectors/test_vectors/aes_ctr.c
 create mode 100644 src/libstrongswan/plugins/test_vectors/test_vectors/aes_gcm.c
 create mode 100644 src/libstrongswan/plugins/test_vectors/test_vectors/camellia_ctr.c
 create mode 100644 src/libstrongswan/plugins/test_vectors/test_vectors/camellia_xcbc.c
 create mode 100644 src/libstrongswan/processing/jobs/callback_job.c
 create mode 100644 src/libstrongswan/processing/jobs/callback_job.h
 create mode 100644 src/libstrongswan/processing/jobs/job.h
 create mode 100644 src/libstrongswan/processing/processor.c
 create mode 100644 src/libstrongswan/processing/processor.h
 create mode 100644 src/libstrongswan/processing/scheduler.c
 create mode 100644 src/libstrongswan/processing/scheduler.h
 create mode 100644 src/libtls/Makefile.am
 create mode 100644 src/libtls/Makefile.in
 create mode 100644 src/libtls/tls.c
 create mode 100644 src/libtls/tls.h
 create mode 100644 src/libtls/tls_alert.c
 create mode 100644 src/libtls/tls_alert.h
 create mode 100644 src/libtls/tls_application.h
 create mode 100644 src/libtls/tls_compression.c
 create mode 100644 src/libtls/tls_compression.h
 create mode 100644 src/libtls/tls_crypto.c
 create mode 100644 src/libtls/tls_crypto.h
 create mode 100644 src/libtls/tls_eap.c
 create mode 100644 src/libtls/tls_eap.h
 create mode 100644 src/libtls/tls_fragmentation.c
 create mode 100644 src/libtls/tls_fragmentation.h
 create mode 100644 src/libtls/tls_handshake.h
 create mode 100644 src/libtls/tls_peer.c
 create mode 100644 src/libtls/tls_peer.h
 create mode 100644 src/libtls/tls_prf.c
 create mode 100644 src/libtls/tls_prf.h
 create mode 100644 src/libtls/tls_protection.c
 create mode 100644 src/libtls/tls_protection.h
 create mode 100644 src/libtls/tls_reader.c
 create mode 100644 src/libtls/tls_reader.h
 create mode 100644 src/libtls/tls_server.c
 create mode 100644 src/libtls/tls_server.h
 create mode 100644 src/libtls/tls_socket.c
 create mode 100644 src/libtls/tls_socket.h
 create mode 100644 src/libtls/tls_writer.c
 create mode 100644 src/libtls/tls_writer.h
 create mode 100644 src/pluto/event_queue.c
 create mode 100644 src/pluto/event_queue.h
 delete mode 100644 src/pluto/ipsec.secrets.5
 delete mode 100644 src/pluto/ipsec.secrets.5.in
 delete mode 100644 src/pluto/kernel_netlink.c
 delete mode 100644 src/pluto/kernel_netlink.h
 delete mode 100644 src/pluto/kernel_noklips.c
 delete mode 100644 src/pluto/kernel_noklips.h
 delete mode 100644 src/starter/ipsec.conf.5
 delete mode 100644 src/starter/ipsec.conf.5.in
 create mode 100755 testing/hosts/alice/etc/init.d/radiusd
 create mode 100644 testing/hosts/alice/etc/raddb/certs/aaaCert.pem
 create mode 100644 testing/hosts/alice/etc/raddb/certs/aaaKey.pem
 create mode 100644 testing/hosts/alice/etc/raddb/certs/dh
 create mode 100644 testing/hosts/alice/etc/raddb/certs/random
 create mode 100644 testing/hosts/alice/etc/raddb/certs/strongswanCert.pem
 create mode 100644 testing/hosts/winnetou/etc/openssl/newcerts/22.pem
 create mode 100644 testing/ssh_config
 create mode 100644 testing/tests/ikev1/nat-two-rw-mark/description.txt
 create mode 100644 testing/tests/ikev1/nat-two-rw-mark/evaltest.dat
 create mode 100755 testing/tests/ikev1/nat-two-rw-mark/hosts/alice/etc/ipsec.conf
 create mode 100755 testing/tests/ikev1/nat-two-rw-mark/hosts/sun/etc/ipsec.conf
 create mode 100755 testing/tests/ikev1/nat-two-rw-mark/hosts/sun/etc/mark_updown
 create mode 100755 testing/tests/ikev1/nat-two-rw-mark/hosts/venus/etc/ipsec.conf
 create mode 100644 testing/tests/ikev1/nat-two-rw-mark/posttest.dat
 create mode 100644 testing/tests/ikev1/nat-two-rw-mark/pretest.dat
 create mode 100644 testing/tests/ikev1/nat-two-rw-mark/test.conf
 create mode 100644 testing/tests/ikev1/net2net-same-nets/description.txt
 create mode 100644 testing/tests/ikev1/net2net-same-nets/evaltest.dat
 create mode 100755 testing/tests/ikev1/net2net-same-nets/hosts/moon/etc/ipsec.conf
 create mode 100755 testing/tests/ikev1/net2net-same-nets/hosts/sun/etc/ipsec.conf
 create mode 100755 testing/tests/ikev1/net2net-same-nets/hosts/sun/etc/mark_updown
 create mode 100644 testing/tests/ikev1/net2net-same-nets/posttest.dat
 create mode 100644 testing/tests/ikev1/net2net-same-nets/pretest.dat
 create mode 100644 testing/tests/ikev1/net2net-same-nets/test.conf
 create mode 100644 testing/tests/ikev1/rw-mark-in-out/description.txt
 create mode 100644 testing/tests/ikev1/rw-mark-in-out/evaltest.dat
 create mode 100755 testing/tests/ikev1/rw-mark-in-out/hosts/alice/etc/init.d/iptables
 create mode 100755 testing/tests/ikev1/rw-mark-in-out/hosts/alice/etc/ipsec.conf
 create mode 100755 testing/tests/ikev1/rw-mark-in-out/hosts/sun/etc/ipsec.conf
 create mode 100755 testing/tests/ikev1/rw-mark-in-out/hosts/sun/etc/mark_updown
 create mode 100755 testing/tests/ikev1/rw-mark-in-out/hosts/venus/etc/init.d/iptables
 create mode 100755 testing/tests/ikev1/rw-mark-in-out/hosts/venus/etc/ipsec.conf
 create mode 100644 testing/tests/ikev1/rw-mark-in-out/posttest.dat
 create mode 100644 testing/tests/ikev1/rw-mark-in-out/pretest.dat
 create mode 100644 testing/tests/ikev1/rw-mark-in-out/test.conf
 create mode 100644 testing/tests/ikev2/alg-aes-ccm/description.txt
 create mode 100644 testing/tests/ikev2/alg-aes-ccm/evaltest.dat
 create mode 100755 testing/tests/ikev2/alg-aes-ccm/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/alg-aes-ccm/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/alg-aes-ccm/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/alg-aes-ccm/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/alg-aes-ccm/posttest.dat
 create mode 100644 testing/tests/ikev2/alg-aes-ccm/pretest.dat
 create mode 100644 testing/tests/ikev2/alg-aes-ccm/test.conf
 create mode 100644 testing/tests/ikev2/alg-aes-ctr/description.txt
 create mode 100644 testing/tests/ikev2/alg-aes-ctr/evaltest.dat
 create mode 100755 testing/tests/ikev2/alg-aes-ctr/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/alg-aes-ctr/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/alg-aes-ctr/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/alg-aes-ctr/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/alg-aes-ctr/posttest.dat
 create mode 100644 testing/tests/ikev2/alg-aes-ctr/pretest.dat
 create mode 100644 testing/tests/ikev2/alg-aes-ctr/test.conf
 create mode 100644 testing/tests/ikev2/alg-aes-gcm/description.txt
 create mode 100644 testing/tests/ikev2/alg-aes-gcm/evaltest.dat
 create mode 100755 testing/tests/ikev2/alg-aes-gcm/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/alg-aes-gcm/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/alg-aes-gcm/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/alg-aes-gcm/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/alg-aes-gcm/posttest.dat
 create mode 100644 testing/tests/ikev2/alg-aes-gcm/pretest.dat
 create mode 100644 testing/tests/ikev2/alg-aes-gcm/test.conf
 delete mode 100644 testing/tests/ikev2/esp-alg-aes-ccm/description.txt
 delete mode 100644 testing/tests/ikev2/esp-alg-aes-ccm/evaltest.dat
 delete mode 100755 testing/tests/ikev2/esp-alg-aes-ccm/hosts/carol/etc/ipsec.conf
 delete mode 100644 testing/tests/ikev2/esp-alg-aes-ccm/hosts/carol/etc/strongswan.conf
 delete mode 100755 testing/tests/ikev2/esp-alg-aes-ccm/hosts/moon/etc/ipsec.conf
 delete mode 100644 testing/tests/ikev2/esp-alg-aes-ccm/hosts/moon/etc/strongswan.conf
 delete mode 100644 testing/tests/ikev2/esp-alg-aes-ccm/posttest.dat
 delete mode 100644 testing/tests/ikev2/esp-alg-aes-ccm/pretest.dat
 delete mode 100644 testing/tests/ikev2/esp-alg-aes-ccm/test.conf
 delete mode 100644 testing/tests/ikev2/esp-alg-aes-ctr/description.txt
 delete mode 100644 testing/tests/ikev2/esp-alg-aes-ctr/evaltest.dat
 delete mode 100755 testing/tests/ikev2/esp-alg-aes-ctr/hosts/carol/etc/ipsec.conf
 delete mode 100644 testing/tests/ikev2/esp-alg-aes-ctr/hosts/carol/etc/strongswan.conf
 delete mode 100755 testing/tests/ikev2/esp-alg-aes-ctr/hosts/moon/etc/ipsec.conf
 delete mode 100644 testing/tests/ikev2/esp-alg-aes-ctr/hosts/moon/etc/strongswan.conf
 delete mode 100644 testing/tests/ikev2/esp-alg-aes-ctr/posttest.dat
 delete mode 100644 testing/tests/ikev2/esp-alg-aes-ctr/pretest.dat
 delete mode 100644 testing/tests/ikev2/esp-alg-aes-ctr/test.conf
 delete mode 100644 testing/tests/ikev2/esp-alg-aes-gcm/description.txt
 delete mode 100644 testing/tests/ikev2/esp-alg-aes-gcm/evaltest.dat
 delete mode 100755 testing/tests/ikev2/esp-alg-aes-gcm/hosts/carol/etc/ipsec.conf
 delete mode 100644 testing/tests/ikev2/esp-alg-aes-gcm/hosts/carol/etc/strongswan.conf
 delete mode 100755 testing/tests/ikev2/esp-alg-aes-gcm/hosts/moon/etc/ipsec.conf
 delete mode 100644 testing/tests/ikev2/esp-alg-aes-gcm/hosts/moon/etc/strongswan.conf
 delete mode 100644 testing/tests/ikev2/esp-alg-aes-gcm/posttest.dat
 delete mode 100644 testing/tests/ikev2/esp-alg-aes-gcm/pretest.dat
 delete mode 100644 testing/tests/ikev2/esp-alg-aes-gcm/test.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tls-fragments/description.txt
 create mode 100644 testing/tests/ikev2/rw-eap-tls-fragments/evaltest.dat
 create mode 100755 testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.d/cacerts/ca_A_cert.der
 create mode 100644 testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.d/certs/carol_D_cert.der
 create mode 100644 testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.d/private/carol_key.der
 create mode 100644 testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/cacerts/ca_A_cert.der
 create mode 100644 testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/cacerts/ca_B_cert.der
 create mode 100644 testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/cacerts/ca_C_cert.der
 create mode 100644 testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/cacerts/ca_D_cert.der
 create mode 100644 testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/certs/moon_D_cert.der
 create mode 100644 testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/ca_A_key.der
 create mode 100644 testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/ca_B_key.der
 create mode 100644 testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/ca_C_key.der
 create mode 100644 testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/ca_D_key.der
 create mode 100644 testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/moon_key.der
 create mode 100644 testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tls-fragments/posttest.dat
 create mode 100644 testing/tests/ikev2/rw-eap-tls-fragments/pretest.dat
 create mode 100644 testing/tests/ikev2/rw-eap-tls-fragments/test.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tls-only/description.txt
 create mode 100644 testing/tests/ikev2/rw-eap-tls-only/evaltest.dat
 create mode 100755 testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tls-only/posttest.dat
 create mode 100644 testing/tests/ikev2/rw-eap-tls-only/pretest.dat
 create mode 100644 testing/tests/ikev2/rw-eap-tls-only/test.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tls-radius/description.txt
 create mode 100644 testing/tests/ikev2/rw-eap-tls-radius/evaltest.dat
 create mode 100644 testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/clients.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/eap.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/proxy.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/radiusd.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/sites-available/default
 create mode 100644 testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/users
 create mode 100755 testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/init.d/iptables
 create mode 100755 testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tls-radius/posttest.dat
 create mode 100644 testing/tests/ikev2/rw-eap-tls-radius/pretest.dat
 create mode 100644 testing/tests/ikev2/rw-eap-tls-radius/test.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-block/description.txt
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-block/evaltest.dat
 create mode 100755 testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/tnc/dummyimc.file
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/tnc_config
 create mode 100755 testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/tnc/dummyimc.file
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/tnc_config
 create mode 100755 testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/tnc_config
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-block/posttest.dat
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-block/pretest.dat
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-block/test.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/description.txt
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/evaltest.dat
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/clients.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/dictionary
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/dictionary.tnc
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/eap.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/proxy.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/radiusd.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/default
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel-second
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/users
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/tnc_config
 create mode 100755 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/tnc/dummyimc.file
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/tnc_config
 create mode 100755 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/tnc/dummyimc.file
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/tnc_config
 create mode 100755 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/init.d/iptables
 create mode 100755 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/posttest.dat
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/pretest.dat
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/test.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/description.txt
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/evaltest.dat
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/clients.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/dictionary
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/dictionary.tnc
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/eap.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/proxy.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/radiusd.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/default
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel-second
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/users
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/tnc_config
 create mode 100755 testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/tnc/dummyimc.file
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/tnc_config
 create mode 100755 testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/tnc/dummyimc.file
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/tnc_config
 create mode 100755 testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/init.d/iptables
 create mode 100755 testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/posttest.dat
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/pretest.dat
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/test.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-tls/description.txt
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-tls/evaltest.dat
 create mode 100755 testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/tnc/dummyimc.file
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/tnc_config
 create mode 100755 testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/tnc/dummyimc.file
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/tnc_config
 create mode 100755 testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/tnc_config
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-tls/posttest.dat
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-tls/pretest.dat
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-tls/test.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc/description.txt
 create mode 100644 testing/tests/ikev2/rw-eap-tnc/evaltest.dat
 create mode 100755 testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/tnc/dummyimc.file
 create mode 100644 testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/tnc_config
 create mode 100755 testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/tnc/dummyimc.file
 create mode 100644 testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/tnc_config
 create mode 100755 testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/tnc_config
 create mode 100644 testing/tests/ikev2/rw-eap-tnc/posttest.dat
 create mode 100644 testing/tests/ikev2/rw-eap-tnc/pretest.dat
 create mode 100644 testing/tests/ikev2/rw-eap-tnc/test.conf
 create mode 100644 testing/tests/ikev2/rw-eap-ttls-only/description.txt
 create mode 100644 testing/tests/ikev2/rw-eap-ttls-only/evaltest.dat
 create mode 100755 testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/rw-eap-ttls-only/posttest.dat
 create mode 100644 testing/tests/ikev2/rw-eap-ttls-only/pretest.dat
 create mode 100644 testing/tests/ikev2/rw-eap-ttls-only/test.conf
 create mode 100644 testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/description.txt
 create mode 100644 testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/evaltest.dat
 create mode 100755 testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/posttest.dat
 create mode 100644 testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/pretest.dat
 create mode 100644 testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/test.conf
 create mode 100644 testing/tests/ikev2/rw-eap-ttls-radius/description.txt
 create mode 100644 testing/tests/ikev2/rw-eap-ttls-radius/evaltest.dat
 create mode 100644 testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/clients.conf
 create mode 100644 testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/eap.conf
 create mode 100644 testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/proxy.conf
 create mode 100644 testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/radiusd.conf
 create mode 100644 testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/sites-available/default
 create mode 100644 testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel
 create mode 100644 testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/users
 create mode 100755 testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/init.d/iptables
 create mode 100755 testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/rw-eap-ttls-radius/posttest.dat
 create mode 100644 testing/tests/ikev2/rw-eap-ttls-radius/pretest.dat
 create mode 100644 testing/tests/ikev2/rw-eap-ttls-radius/test.conf
 create mode 100644 testing/tests/openssl-ikev2/rw-eap-tls-only/description.txt
 create mode 100644 testing/tests/openssl-ikev2/rw-eap-tls-only/evaltest.dat
 create mode 100755 testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
 create mode 100644 testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/certs/carolCert.pem
 create mode 100644 testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/private/carolKey.pem
 create mode 100644 testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.secrets
 create mode 100644 testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
 create mode 100644 testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/certs/moonCert.pem
 create mode 100644 testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/private/moonKey.pem
 create mode 100644 testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.secrets
 create mode 100644 testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/openssl-ikev2/rw-eap-tls-only/posttest.dat
 create mode 100644 testing/tests/openssl-ikev2/rw-eap-tls-only/pretest.dat
 create mode 100644 testing/tests/openssl-ikev2/rw-eap-tls-only/test.conf

(limited to 'src/libstrongswan/plugins')

diff --git a/Android.mk b/Android.mk
index 0a9fc5387..d6c83367f 100644
--- a/Android.mk
+++ b/Android.mk
@@ -53,7 +53,7 @@ strongswan_CFLAGS := \
 	-DUSE_VSTR \
 	-DROUTING_TABLE=0 \
 	-DROUTING_TABLE_PRIO=220 \
-	-DVERSION=\"4.4.1\" \
+	-DVERSION=\"4.5.0\" \
 	-DPLUGINS='"$(strongswan_PLUGINS)"' \
 	-DIPSEC_DIR=\"/system/bin\" \
 	-DIPSEC_PIDDIR=\"/data/misc/vpn\" \
diff --git a/ChangeLog b/ChangeLog
index 41f530506..5ddeff5f4 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,3 @@
 A summary of changes is available in the NEWS file. For a more 
 detailed Changelog, use the repository (see HACKING) or the
-online interface available at http://trac.strongswan.org.
+online interface available at http://git.strongswan.org.
diff --git a/Doxyfile.in b/Doxyfile.in
index b79c9909d..e7f5b50a4 100644
--- a/Doxyfile.in
+++ b/Doxyfile.in
@@ -531,6 +531,7 @@ INPUT                  = @SRC_DIR@/src/libstrongswan \
                          @SRC_DIR@/src/libhydra \
                          @SRC_DIR@/src/libcharon \
                          @SRC_DIR@/src/libsimaka \
+                         @SRC_DIR@/src/libtls \
                          @SRC_DIR@/src/libfast \
                          @SRC_DIR@/src/manager
 
@@ -575,7 +576,7 @@ EXCLUDE_SYMLINKS       = NO
 # against the file with absolute path, so to exclude all test directories
 # for example use the pattern */test/*
 
-EXCLUDE_PATTERNS       = */.svn/*
+EXCLUDE_PATTERNS       = */.git/*
 
 # The EXCLUDE_SYMBOLS tag can be used to specify one or more symbol names
 # (namespaces, classes, functions, etc.) that should be excluded from the
@@ -699,7 +700,7 @@ VERBATIM_HEADERS       = YES
 # of all compounds will be generated. Enable this if the project
 # contains a lot of classes, structs, unions or interfaces.
 
-ALPHABETICAL_INDEX     = NO
+ALPHABETICAL_INDEX     = YES
 
 # If the alphabetical index is enabled (see ALPHABETICAL_INDEX) then
 # the COLS_IN_ALPHA_INDEX tag can be used to specify the number of columns
@@ -843,7 +844,7 @@ TOC_EXPAND             = NO
 # top of each HTML page. The value NO (the default) enables the index and
 # the value YES disables it.
 
-DISABLE_INDEX          = YES
+DISABLE_INDEX          = NO
 
 # This tag can be used to set the number of enum values (range [1..20])
 # that doxygen will group on one line in the generated HTML documentation.
diff --git a/Makefile.am b/Makefile.am
index af0465fee..cba5048b1 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1,4 +1,4 @@
-SUBDIRS = src testing
+SUBDIRS = src man testing
 
 if USE_SCRIPTS
   SUBDIRS += scripts
diff --git a/Makefile.in b/Makefile.in
index 522683ab1..56c31b104 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -48,6 +48,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -72,7 +73,7 @@ AM_RECURSIVE_TARGETS = $(RECURSIVE_TARGETS:-recursive=) \
 	distdir dist dist-all distcheck
 ETAGS = etags
 CTAGS = ctags
-DIST_SUBDIRS = src testing scripts
+DIST_SUBDIRS = src man testing scripts
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 distdir = $(PACKAGE)-$(VERSION)
 top_distdir = $(distdir)
@@ -174,6 +175,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -205,14 +208,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -227,24 +233,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -252,7 +265,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
@@ -264,7 +280,7 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-SUBDIRS = src testing $(am__append_1)
+SUBDIRS = src man testing $(am__append_1)
 ACLOCAL_AMFLAGS = -I m4/config
 EXTRA_DIST = Doxyfile.in CREDITS Android.mk.in Android.mk
 CLEANFILES = Doxyfile
diff --git a/NEWS b/NEWS
index a5f4a16ff..ed0d18211 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,74 @@
+
+strongswan-4.5.0
+----------------
+
+- IMPORTANT: the default keyexchange mode 'ike' is changing with release 4.5
+  from 'ikev1' to 'ikev2', thus commemorating the five year anniversary of the
+  IKEv2 RFC 4306 and its mature successor RFC 5996. The time has definitively
+  come for IKEv1 to go into retirement and to cede its place to the much more
+  robust, powerful and versatile IKEv2 protocol!
+
+- Added new ctr, ccm and gcm plugins providing Counter, Counter with CBC-MAC
+  and Galois/Counter Modes based on existing CBC implementations. These
+  new plugins bring support for AES and Camellia Counter and CCM algorithms
+  and the AES GCM algorithms for use in IKEv2.
+
+- The new pkcs11 plugin brings full Smartcard support to the IKEv2 daemon and
+  the pki utility using one or more PKCS#11 libraries. It currently supports
+  RSA private and public key operations and loads X.509 certificates from
+  tokens.
+
+- Implemented a general purpose TLS stack based on crypto and credential
+  primitives of libstrongswan. libtls supports TLS versions 1.0, 1.1 and 1.2,
+  ECDHE-ECDSA/RSA, DHE-RSA and RSA key exchange algorithms and RSA/ECDSA based
+  client authentication.
+
+- Based on libtls, the eap-tls plugin brings certificate based EAP
+  authentication for client and server. It is compatible to Windows 7 IKEv2
+  Smartcard authentication and the OpenSSL based FreeRADIUS EAP-TLS backend.
+
+- Implemented the TNCCS 1.1 Trusted Network Connect protocol using the
+  libtnc library on the strongSwan client and server side via the tnccs_11
+  plugin and optionally connecting to a TNC@FHH-enhanced FreeRADIUS AAA server.
+  Depending on the resulting TNC Recommendation, strongSwan clients are granted
+  access to a network behind a strongSwan gateway (allow), are put into a
+  remediation zone (isolate) or are blocked (none), respectively. Any number
+  of Integrity Measurement Collector/Verifier pairs can be attached
+  via the tnc-imc and tnc-imv charon plugins.
+
+- The IKEv1 daemon pluto now uses the same kernel interfaces as the IKEv2
+  daemon charon. As a result of this, pluto now supports xfrm marks which
+  were introduced in charon with 4.4.1.
+
+- Applets for Maemo 5 (Nokia) allow to easily configure and control IKEv2
+  based VPN connections with EAP authentication on supported devices.
+
+- The RADIUS plugin eap-radius now supports multiple RADIUS servers for
+  redundant setups. Servers are selected by a defined priority, server load and
+  availability.
+
+- The simple led plugin controls hardware LEDs through the Linux LED subsystem.
+  It currently shows activity of the IKE daemon and is a good example how to
+  implement a simple event listener.
+
+- Improved MOBIKE behavior in several corner cases, for instance, if the
+  initial responder moves to a different address.
+
+- Fixed left-/rightnexthop option, which was broken since 4.4.0.
+
+- Fixed a bug not releasing a virtual IP address to a pool if the XAUTH
+  identity was different from the IKE identity.
+
+- Fixed the alignment of ModeConfig messages on 4-byte boundaries in the
+  case where the attributes are not a multiple of 4 bytes (e.g. Cisco's
+  UNITY_BANNER).
+
+- Fixed the interoperability of the socket_raw and socket_default
+  charon plugins.
+
+- Added man page for strongswan.conf
+
+
 strongswan-4.4.1
 ----------------
 
@@ -761,7 +832,7 @@ strongswan-4.1.7
 
 - Preview of strongSwan Manager, a web based configuration and monitoring
   application. It uses a new XML control interface to query the IKEv2 daemon
-  (see http://trac.strongswan.org/wiki/Manager).
+  (see http://wiki.strongswan.org/wiki/Manager).
 
 - Experimental SQLite configuration backend which will provide the configuration
   interface for strongSwan Manager in future releases.
diff --git a/README b/README
index 101e4838c..1d186afd9 100644
--- a/README
+++ b/README
@@ -81,7 +81,7 @@ Contents
 strongSwan is an OpenSource IPsec solution for the Linux operating system
 and currently supports the following features:
 
-  * runs both on Linux 2.4 (KLIPS) and Linux 2.6 (native IPsec) kernels.
+  * runs on Linux 2.6 (native IPsec) kernels.
 
   * strong 3DES, AES, Serpent, Twofish, or Blowfish encryption.
 
@@ -2656,9 +2656,6 @@ with the line
 
 and can be used when the following prerequisites are fulfilled:
 
-  - Linux 2.4.x kernel, KLIPS IPsec stack, and arbitrary iptables version.
-    Filtering of tunneled traffic is based on ipsecN interfaces.
-
   - Linux 2.6.16 kernel or newer, native NETKEY IPsec stack, and
     iptables-1.3.5 or newer. Filtering of tunneled traffic is based on
     IPsec policy matching rules.
diff --git a/TODO b/TODO
index c398ebab8..6b626e9ff 100644
--- a/TODO
+++ b/TODO
@@ -5,7 +5,7 @@
 This is a TODO list we should keep in mind. A roadmap of the strongSwan
 project is available online at:
 
-             http://trac.strongswan.org/roadmap
+        http://wiki.strongswan.org/projects/strongswan/roadmap
 
 Certificate support
 -------------------
diff --git a/aclocal.m4 b/aclocal.m4
index 23b7e59ee..9d68d0d80 100644
--- a/aclocal.m4
+++ b/aclocal.m4
@@ -13,14 +13,14 @@
 
 m4_ifndef([AC_AUTOCONF_VERSION],
   [m4_copy([m4_PACKAGE_VERSION], [AC_AUTOCONF_VERSION])])dnl
-m4_if(m4_defn([AC_AUTOCONF_VERSION]), [2.65],,
-[m4_warning([this file was generated for autoconf 2.65.
+m4_if(m4_defn([AC_AUTOCONF_VERSION]), [2.67],,
+[m4_warning([this file was generated for autoconf 2.67.
 You have another version of autoconf.  It may work, but is not guaranteed to.
 If you have problems, you may need to regenerate the build system entirely.
 To do so, use the procedure documented by the package, typically `autoreconf'.])])
 
-# lib-prefix.m4 serial 5 (gettext-0.15)
-dnl Copyright (C) 2001-2005 Free Software Foundation, Inc.
+# lib-prefix.m4 serial 7 (gettext-0.18)
+dnl Copyright (C) 2001-2005, 2008-2010 Free Software Foundation, Inc.
 dnl This file is free software; the Free Software Foundation
 dnl gives unlimited permission to copy and/or distribute it,
 dnl with or without modifications, as long as this notice is preserved.
@@ -174,38 +174,78 @@ AC_DEFUN([AC_LIB_WITH_FINAL_PREFIX],
   prefix="$acl_save_prefix"
 ])
 
-dnl AC_LIB_PREPARE_MULTILIB creates a variable acl_libdirstem, containing
-dnl the basename of the libdir, either "lib" or "lib64".
+dnl AC_LIB_PREPARE_MULTILIB creates
+dnl - a variable acl_libdirstem, containing the basename of the libdir, either
+dnl   "lib" or "lib64" or "lib/64",
+dnl - a variable acl_libdirstem2, as a secondary possible value for
+dnl   acl_libdirstem, either the same as acl_libdirstem or "lib/sparcv9" or
+dnl   "lib/amd64".
 AC_DEFUN([AC_LIB_PREPARE_MULTILIB],
 [
-  dnl There is no formal standard regarding lib and lib64. The current
-  dnl practice is that on a system supporting 32-bit and 64-bit instruction
-  dnl sets or ABIs, 64-bit libraries go under $prefix/lib64 and 32-bit
-  dnl libraries go under $prefix/lib. We determine the compiler's default
-  dnl mode by looking at the compiler's library search path. If at least
-  dnl of its elements ends in /lib64 or points to a directory whose absolute
-  dnl pathname ends in /lib64, we assume a 64-bit ABI. Otherwise we use the
-  dnl default, namely "lib".
+  dnl There is no formal standard regarding lib and lib64.
+  dnl On glibc systems, the current practice is that on a system supporting
+  dnl 32-bit and 64-bit instruction sets or ABIs, 64-bit libraries go under
+  dnl $prefix/lib64 and 32-bit libraries go under $prefix/lib. We determine
+  dnl the compiler's default mode by looking at the compiler's library search
+  dnl path. If at least one of its elements ends in /lib64 or points to a
+  dnl directory whose absolute pathname ends in /lib64, we assume a 64-bit ABI.
+  dnl Otherwise we use the default, namely "lib".
+  dnl On Solaris systems, the current practice is that on a system supporting
+  dnl 32-bit and 64-bit instruction sets or ABIs, 64-bit libraries go under
+  dnl $prefix/lib/64 (which is a symlink to either $prefix/lib/sparcv9 or
+  dnl $prefix/lib/amd64) and 32-bit libraries go under $prefix/lib.
+  AC_REQUIRE([AC_CANONICAL_HOST])
   acl_libdirstem=lib
-  searchpath=`(LC_ALL=C $CC -print-search-dirs) 2>/dev/null | sed -n -e 's,^libraries: ,,p' | sed -e 's,^=,,'`
-  if test -n "$searchpath"; then
-    acl_save_IFS="${IFS= 	}"; IFS=":"
-    for searchdir in $searchpath; do
-      if test -d "$searchdir"; then
-        case "$searchdir" in
-          */lib64/ | */lib64 ) acl_libdirstem=lib64 ;;
-          *) searchdir=`cd "$searchdir" && pwd`
-             case "$searchdir" in
-               */lib64 ) acl_libdirstem=lib64 ;;
-             esac ;;
+  acl_libdirstem2=
+  case "$host_os" in
+    solaris*)
+      dnl See Solaris 10 Software Developer Collection > Solaris 64-bit Developer's Guide > The Development Environment
+      dnl <http://docs.sun.com/app/docs/doc/816-5138/dev-env?l=en&a=view>.
+      dnl "Portable Makefiles should refer to any library directories using the 64 symbolic link."
+      dnl But we want to recognize the sparcv9 or amd64 subdirectory also if the
+      dnl symlink is missing, so we set acl_libdirstem2 too.
+      AC_CACHE_CHECK([for 64-bit host], [gl_cv_solaris_64bit],
+        [AC_EGREP_CPP([sixtyfour bits], [
+#ifdef _LP64
+sixtyfour bits
+#endif
+           ], [gl_cv_solaris_64bit=yes], [gl_cv_solaris_64bit=no])
+        ])
+      if test $gl_cv_solaris_64bit = yes; then
+        acl_libdirstem=lib/64
+        case "$host_cpu" in
+          sparc*)        acl_libdirstem2=lib/sparcv9 ;;
+          i*86 | x86_64) acl_libdirstem2=lib/amd64 ;;
         esac
       fi
-    done
-    IFS="$acl_save_IFS"
-  fi
+      ;;
+    *)
+      searchpath=`(LC_ALL=C $CC -print-search-dirs) 2>/dev/null | sed -n -e 's,^libraries: ,,p' | sed -e 's,^=,,'`
+      if test -n "$searchpath"; then
+        acl_save_IFS="${IFS= 	}"; IFS=":"
+        for searchdir in $searchpath; do
+          if test -d "$searchdir"; then
+            case "$searchdir" in
+              */lib64/ | */lib64 ) acl_libdirstem=lib64 ;;
+              */../ | */.. )
+                # Better ignore directories of this form. They are misleading.
+                ;;
+              *) searchdir=`cd "$searchdir" && pwd`
+                 case "$searchdir" in
+                   */lib64 ) acl_libdirstem=lib64 ;;
+                 esac ;;
+            esac
+          fi
+        done
+        IFS="$acl_save_IFS"
+      fi
+      ;;
+  esac
+  test -n "$acl_libdirstem2" || acl_libdirstem2="$acl_libdirstem"
 ])
 
 # pkg.m4 - Macros to locate and utilise pkg-config.            -*- Autoconf -*-
+# serial 1 (pkg-config-0.24)
 # 
 # Copyright © 2004 Scott James Remnant <scott@netsplit.com>.
 #
@@ -233,7 +273,10 @@ AC_DEFUN([AC_LIB_PREPARE_MULTILIB],
 AC_DEFUN([PKG_PROG_PKG_CONFIG],
 [m4_pattern_forbid([^_?PKG_[A-Z_]+$])
 m4_pattern_allow([^PKG_CONFIG(_PATH)?$])
-AC_ARG_VAR([PKG_CONFIG], [path to pkg-config utility])dnl
+AC_ARG_VAR([PKG_CONFIG], [path to pkg-config utility])
+AC_ARG_VAR([PKG_CONFIG_PATH], [directories to add to pkg-config's search path])
+AC_ARG_VAR([PKG_CONFIG_LIBDIR], [path overriding pkg-config's built-in search path])
+
 if test "x$ac_cv_env_PKG_CONFIG_set" != "xset"; then
 	AC_PATH_TOOL([PKG_CONFIG], [pkg-config])
 fi
@@ -246,7 +289,6 @@ if test -n "$PKG_CONFIG"; then
 		AC_MSG_RESULT([no])
 		PKG_CONFIG=""
 	fi
-		
 fi[]dnl
 ])# PKG_PROG_PKG_CONFIG
 
@@ -255,34 +297,31 @@ fi[]dnl
 # Check to see whether a particular set of modules exists.  Similar
 # to PKG_CHECK_MODULES(), but does not set variables or print errors.
 #
-#
-# Similar to PKG_CHECK_MODULES, make sure that the first instance of
-# this or PKG_CHECK_MODULES is called, or make sure to call
-# PKG_CHECK_EXISTS manually
+# Please remember that m4 expands AC_REQUIRE([PKG_PROG_PKG_CONFIG])
+# only at the first occurence in configure.ac, so if the first place
+# it's called might be skipped (such as if it is within an "if", you
+# have to call PKG_CHECK_EXISTS manually
 # --------------------------------------------------------------
 AC_DEFUN([PKG_CHECK_EXISTS],
 [AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl
 if test -n "$PKG_CONFIG" && \
     AC_RUN_LOG([$PKG_CONFIG --exists --print-errors "$1"]); then
-  m4_ifval([$2], [$2], [:])
+  m4_default([$2], [:])
 m4_ifvaln([$3], [else
   $3])dnl
 fi])
 
-
 # _PKG_CONFIG([VARIABLE], [COMMAND], [MODULES])
 # ---------------------------------------------
 m4_define([_PKG_CONFIG],
-[if test -n "$PKG_CONFIG"; then
-    if test -n "$$1"; then
-        pkg_cv_[]$1="$$1"
-    else
-        PKG_CHECK_EXISTS([$3],
-                         [pkg_cv_[]$1=`$PKG_CONFIG --[]$2 "$3" 2>/dev/null`],
-			 [pkg_failed=yes])
-    fi
-else
-	pkg_failed=untried
+[if test -n "$$1"; then
+    pkg_cv_[]$1="$$1"
+ elif test -n "$PKG_CONFIG"; then
+    PKG_CHECK_EXISTS([$3],
+                     [pkg_cv_[]$1=`$PKG_CONFIG --[]$2 "$3" 2>/dev/null`],
+		     [pkg_failed=yes])
+ else
+    pkg_failed=untried
 fi[]dnl
 ])# _PKG_CONFIG
 
@@ -324,16 +363,17 @@ and $1[]_LIBS to avoid the need to call pkg-config.
 See the pkg-config man page for more details.])
 
 if test $pkg_failed = yes; then
+   	AC_MSG_RESULT([no])
         _PKG_SHORT_ERRORS_SUPPORTED
         if test $_pkg_short_errors_supported = yes; then
-	        $1[]_PKG_ERRORS=`$PKG_CONFIG --short-errors --errors-to-stdout --print-errors "$2"`
+	        $1[]_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors "$2" 2>&1`
         else 
-	        $1[]_PKG_ERRORS=`$PKG_CONFIG --errors-to-stdout --print-errors "$2"`
+	        $1[]_PKG_ERRORS=`$PKG_CONFIG --print-errors "$2" 2>&1`
         fi
 	# Put the nasty error message in config.log where it belongs
 	echo "$$1[]_PKG_ERRORS" >&AS_MESSAGE_LOG_FD
 
-	ifelse([$4], , [AC_MSG_ERROR(dnl
+	m4_default([$4], [AC_MSG_ERROR(
 [Package requirements ($2) were not met:
 
 $$1_PKG_ERRORS
@@ -341,25 +381,24 @@ $$1_PKG_ERRORS
 Consider adjusting the PKG_CONFIG_PATH environment variable if you
 installed software in a non-standard prefix.
 
-_PKG_TEXT
-])],
-		[AC_MSG_RESULT([no])
-                $4])
+_PKG_TEXT])dnl
+        ])
 elif test $pkg_failed = untried; then
-	ifelse([$4], , [AC_MSG_FAILURE(dnl
+     	AC_MSG_RESULT([no])
+	m4_default([$4], [AC_MSG_FAILURE(
 [The pkg-config script could not be found or is too old.  Make sure it
 is in your PATH or set the PKG_CONFIG environment variable to the full
 path to pkg-config.
 
 _PKG_TEXT
 
-To get pkg-config, see <http://pkg-config.freedesktop.org/>.])],
-		[$4])
+To get pkg-config, see <http://pkg-config.freedesktop.org/>.])dnl
+        ])
 else
 	$1[]_CFLAGS=$pkg_cv_[]$1[]_CFLAGS
 	$1[]_LIBS=$pkg_cv_[]$1[]_LIBS
         AC_MSG_RESULT([yes])
-	ifelse([$3], , :, [$3])
+	$3
 fi[]dnl
 ])# PKG_CHECK_MODULES
 
diff --git a/config.guess b/config.guess
index e3a2116a7..c2246a4f7 100755
--- a/config.guess
+++ b/config.guess
@@ -1,10 +1,10 @@
 #! /bin/sh
 # Attempt to guess a canonical system name.
 #   Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
-#   2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009
+#   2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010
 #   Free Software Foundation, Inc.
 
-timestamp='2009-06-10'
+timestamp='2009-12-30'
 
 # This file is free software; you can redistribute it and/or modify it
 # under the terms of the GNU General Public License as published by
@@ -27,16 +27,16 @@ timestamp='2009-06-10'
 # the same distribution terms that you use for the rest of that program.
 
 
-# Originally written by Per Bothner <per@bothner.com>.
-# Please send patches to <config-patches@gnu.org>.  Submit a context
-# diff and a properly formatted ChangeLog entry.
+# Originally written by Per Bothner.  Please send patches (context
+# diff format) to <config-patches@gnu.org> and include a ChangeLog
+# entry.
 #
 # This script attempts to guess a canonical system name similar to
 # config.sub.  If it succeeds, it prints the system name on stdout, and
 # exits with 0.  Otherwise, it exits with 1.
 #
-# The plan is that this can be called by configure scripts if you
-# don't specify an explicit build system type.
+# You can get the latest version of this script from:
+# http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess;hb=HEAD
 
 me=`echo "$0" | sed -e 's,.*/,,'`
 
@@ -56,8 +56,9 @@ version="\
 GNU config.guess ($timestamp)
 
 Originally written by Per Bothner.
-Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001,
-2002, 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation, Inc.
+Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000,
+2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 Free
+Software Foundation, Inc.
 
 This is free software; see the source for copying conditions.  There is NO
 warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
@@ -333,6 +334,9 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
     sun4*:SunOS:5.*:* | tadpole*:SunOS:5.*:*)
 	echo sparc-sun-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
 	exit ;;
+    i86pc:AuroraUX:5.*:* | i86xen:AuroraUX:5.*:*)
+	echo i386-pc-auroraux${UNAME_RELEASE}
+	exit ;;
     i86pc:SunOS:5.*:* | i86xen:SunOS:5.*:*)
 	eval $set_cc_for_build
 	SUN_ARCH="i386"
@@ -807,12 +811,12 @@ EOF
     i*:PW*:*)
 	echo ${UNAME_MACHINE}-pc-pw32
 	exit ;;
-    *:Interix*:[3456]*)
+    *:Interix*:*)
     	case ${UNAME_MACHINE} in
 	    x86)
 		echo i586-pc-interix${UNAME_RELEASE}
 		exit ;;
-	    EM64T | authenticamd | genuineintel)
+	    authenticamd | genuineintel | EM64T)
 		echo x86_64-unknown-interix${UNAME_RELEASE}
 		exit ;;
 	    IA64)
@@ -854,6 +858,20 @@ EOF
     i*86:Minix:*:*)
 	echo ${UNAME_MACHINE}-pc-minix
 	exit ;;
+    alpha:Linux:*:*)
+	case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' < /proc/cpuinfo` in
+	  EV5)   UNAME_MACHINE=alphaev5 ;;
+	  EV56)  UNAME_MACHINE=alphaev56 ;;
+	  PCA56) UNAME_MACHINE=alphapca56 ;;
+	  PCA57) UNAME_MACHINE=alphapca56 ;;
+	  EV6)   UNAME_MACHINE=alphaev6 ;;
+	  EV67)  UNAME_MACHINE=alphaev67 ;;
+	  EV68*) UNAME_MACHINE=alphaev68 ;;
+        esac
+	objdump --private-headers /bin/sh | grep -q ld.so.1
+	if test "$?" = 0 ; then LIBC="libc1" ; else LIBC="" ; fi
+	echo ${UNAME_MACHINE}-unknown-linux-gnu${LIBC}
+	exit ;;
     arm*:Linux:*:*)
 	eval $set_cc_for_build
 	if echo __ARM_EABI__ | $CC_FOR_BUILD -E - 2>/dev/null \
@@ -876,6 +894,17 @@ EOF
     frv:Linux:*:*)
     	echo frv-unknown-linux-gnu
 	exit ;;
+    i*86:Linux:*:*)
+	LIBC=gnu
+	eval $set_cc_for_build
+	sed 's/^	//' << EOF >$dummy.c
+	#ifdef __dietlibc__
+	LIBC=dietlibc
+	#endif
+EOF
+	eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^LIBC'`
+	echo "${UNAME_MACHINE}-pc-linux-${LIBC}"
+	exit ;;
     ia64:Linux:*:*)
 	echo ${UNAME_MACHINE}-unknown-linux-gnu
 	exit ;;
@@ -901,39 +930,18 @@ EOF
 	#endif
 	#endif
 EOF
-	eval "`$CC_FOR_BUILD -E $dummy.c 2>/dev/null | sed -n '
-	    /^CPU/{
-		s: ::g
-		p
-	    }'`"
+	eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^CPU'`
 	test x"${CPU}" != x && { echo "${CPU}-unknown-linux-gnu"; exit; }
 	;;
     or32:Linux:*:*)
 	echo or32-unknown-linux-gnu
 	exit ;;
-    ppc:Linux:*:*)
-	echo powerpc-unknown-linux-gnu
-	exit ;;
-    ppc64:Linux:*:*)
-	echo powerpc64-unknown-linux-gnu
-	exit ;;
-    alpha:Linux:*:*)
-	case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' < /proc/cpuinfo` in
-	  EV5)   UNAME_MACHINE=alphaev5 ;;
-	  EV56)  UNAME_MACHINE=alphaev56 ;;
-	  PCA56) UNAME_MACHINE=alphapca56 ;;
-	  PCA57) UNAME_MACHINE=alphapca56 ;;
-	  EV6)   UNAME_MACHINE=alphaev6 ;;
-	  EV67)  UNAME_MACHINE=alphaev67 ;;
-	  EV68*) UNAME_MACHINE=alphaev68 ;;
-        esac
-	objdump --private-headers /bin/sh | grep -q ld.so.1
-	if test "$?" = 0 ; then LIBC="libc1" ; else LIBC="" ; fi
-	echo ${UNAME_MACHINE}-unknown-linux-gnu${LIBC}
-	exit ;;
     padre:Linux:*:*)
 	echo sparc-unknown-linux-gnu
 	exit ;;
+    parisc64:Linux:*:* | hppa64:Linux:*:*)
+	echo hppa64-unknown-linux-gnu
+	exit ;;
     parisc:Linux:*:* | hppa:Linux:*:*)
 	# Look for CPU level
 	case `grep '^cpu[^a-z]*:' /proc/cpuinfo 2>/dev/null | cut -d' ' -f2` in
@@ -942,8 +950,11 @@ EOF
 	  *)    echo hppa-unknown-linux-gnu ;;
 	esac
 	exit ;;
-    parisc64:Linux:*:* | hppa64:Linux:*:*)
-	echo hppa64-unknown-linux-gnu
+    ppc64:Linux:*:*)
+	echo powerpc64-unknown-linux-gnu
+	exit ;;
+    ppc:Linux:*:*)
+	echo powerpc-unknown-linux-gnu
 	exit ;;
     s390:Linux:*:* | s390x:Linux:*:*)
 	echo ${UNAME_MACHINE}-ibm-linux
@@ -966,58 +977,6 @@ EOF
     xtensa*:Linux:*:*)
     	echo ${UNAME_MACHINE}-unknown-linux-gnu
 	exit ;;
-    i*86:Linux:*:*)
-	# The BFD linker knows what the default object file format is, so
-	# first see if it will tell us. cd to the root directory to prevent
-	# problems with other programs or directories called `ld' in the path.
-	# Set LC_ALL=C to ensure ld outputs messages in English.
-	ld_supported_targets=`cd /; LC_ALL=C ld --help 2>&1 \
-			 | sed -ne '/supported targets:/!d
-				    s/[ 	][ 	]*/ /g
-				    s/.*supported targets: *//
-				    s/ .*//
-				    p'`
-        case "$ld_supported_targets" in
-	  elf32-i386)
-		TENTATIVE="${UNAME_MACHINE}-pc-linux-gnu"
-		;;
-	esac
-	# Determine whether the default compiler is a.out or elf
-	eval $set_cc_for_build
-	sed 's/^	//' << EOF >$dummy.c
-	#include <features.h>
-	#ifdef __ELF__
-	# ifdef __GLIBC__
-	#  if __GLIBC__ >= 2
-	LIBC=gnu
-	#  else
-	LIBC=gnulibc1
-	#  endif
-	# else
-	LIBC=gnulibc1
-	# endif
-	#else
-	#if defined(__INTEL_COMPILER) || defined(__PGI) || defined(__SUNPRO_C) || defined(__SUNPRO_CC)
-	LIBC=gnu
-	#else
-	LIBC=gnuaout
-	#endif
-	#endif
-	#ifdef __dietlibc__
-	LIBC=dietlibc
-	#endif
-EOF
-	eval "`$CC_FOR_BUILD -E $dummy.c 2>/dev/null | sed -n '
-	    /^LIBC/{
-		s: ::g
-		p
-	    }'`"
-	test x"${LIBC}" != x && {
-		echo "${UNAME_MACHINE}-pc-linux-${LIBC}"
-		exit
-	}
-	test x"${TENTATIVE}" != x && { echo "${TENTATIVE}"; exit; }
-	;;
     i*86:DYNIX/ptx:4*:*)
 	# ptx 4.0 does uname -s correctly, with DYNIX/ptx in there.
 	# earlier versions are messed up and put the nodename in both
@@ -1247,6 +1206,16 @@ EOF
     *:Darwin:*:*)
 	UNAME_PROCESSOR=`uname -p` || UNAME_PROCESSOR=unknown
 	case $UNAME_PROCESSOR in
+	    i386)
+		eval $set_cc_for_build
+		if [ "$CC_FOR_BUILD" != 'no_compiler_found' ]; then
+		  if (echo '#ifdef __LP64__'; echo IS_64BIT_ARCH; echo '#endif') | \
+		      (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | \
+		      grep IS_64BIT_ARCH >/dev/null
+		  then
+		      UNAME_PROCESSOR="x86_64"
+		  fi
+		fi ;;
 	    unknown) UNAME_PROCESSOR=powerpc ;;
 	esac
 	echo ${UNAME_PROCESSOR}-apple-darwin${UNAME_RELEASE}
diff --git a/config.sub b/config.sub
index eb0389a69..c2d125724 100755
--- a/config.sub
+++ b/config.sub
@@ -1,10 +1,10 @@
 #! /bin/sh
 # Configuration validation subroutine script.
 #   Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
-#   2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009
+#   2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010
 #   Free Software Foundation, Inc.
 
-timestamp='2009-06-11'
+timestamp='2010-01-22'
 
 # This file is (in principle) common to ALL GNU software.
 # The presence of a machine in this file suggests that SOME GNU software
@@ -32,13 +32,16 @@ timestamp='2009-06-11'
 
 
 # Please send patches to <config-patches@gnu.org>.  Submit a context
-# diff and a properly formatted ChangeLog entry.
+# diff and a properly formatted GNU ChangeLog entry.
 #
 # Configuration subroutine to validate and canonicalize a configuration type.
 # Supply the specified configuration type as an argument.
 # If it is invalid, we print an error message on stderr and exit with code 1.
 # Otherwise, we print the canonical config type on stdout and succeed.
 
+# You can get the latest version of this script from:
+# http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.sub;hb=HEAD
+
 # This file is supposed to be the same for all GNU packages
 # and recognize all the CPU types, system types and aliases
 # that are meaningful with *any* GNU software.
@@ -72,8 +75,9 @@ Report bugs and patches to <config-patches@gnu.org>."
 version="\
 GNU config.sub ($timestamp)
 
-Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001,
-2002, 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation, Inc.
+Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000,
+2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 Free
+Software Foundation, Inc.
 
 This is free software; see the source for copying conditions.  There is NO
 warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
@@ -149,7 +153,7 @@ case $os in
 	-convergent* | -ncr* | -news | -32* | -3600* | -3100* | -hitachi* |\
 	-c[123]* | -convex* | -sun | -crds | -omron* | -dg | -ultra | -tti* | \
 	-harris | -dolphin | -highlevel | -gould | -cbm | -ns | -masscomp | \
-	-apple | -axis | -knuth | -cray)
+	-apple | -axis | -knuth | -cray | -microblaze)
 		os=
 		basic_machine=$1
 		;;
@@ -284,6 +288,7 @@ case $basic_machine in
 	| pdp10 | pdp11 | pj | pjl \
 	| powerpc | powerpc64 | powerpc64le | powerpcle | ppcbe \
 	| pyramid \
+	| rx \
 	| score \
 	| sh | sh[1234] | sh[24]a | sh[24]aeb | sh[23]e | sh[34]eb | sheb | shbe | shle | sh[1234]le | sh3ele \
 	| sh64 | sh64le \
@@ -291,13 +296,14 @@ case $basic_machine in
 	| sparcv8 | sparcv9 | sparcv9b | sparcv9v \
 	| spu | strongarm \
 	| tahoe | thumb | tic4x | tic80 | tron \
+	| ubicom32 \
 	| v850 | v850e \
 	| we32k \
 	| x86 | xc16x | xscale | xscalee[bl] | xstormy16 | xtensa \
 	| z8k | z80)
 		basic_machine=$basic_machine-unknown
 		;;
-	m6811 | m68hc11 | m6812 | m68hc12)
+	m6811 | m68hc11 | m6812 | m68hc12 | picochip)
 		# Motorola 68HC11/12.
 		basic_machine=$basic_machine-unknown
 		os=-none
@@ -340,7 +346,7 @@ case $basic_machine in
 	| lm32-* \
 	| m32c-* | m32r-* | m32rle-* \
 	| m68000-* | m680[012346]0-* | m68360-* | m683?2-* | m68k-* \
-	| m88110-* | m88k-* | maxq-* | mcore-* | metag-* \
+	| m88110-* | m88k-* | maxq-* | mcore-* | metag-* | microblaze-* \
 	| mips-* | mipsbe-* | mipseb-* | mipsel-* | mipsle-* \
 	| mips16-* \
 	| mips64-* | mips64el-* \
@@ -368,15 +374,17 @@ case $basic_machine in
 	| pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \
 	| powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* | ppcbe-* \
 	| pyramid-* \
-	| romp-* | rs6000-* \
+	| romp-* | rs6000-* | rx-* \
 	| sh-* | sh[1234]-* | sh[24]a-* | sh[24]aeb-* | sh[23]e-* | sh[34]eb-* | sheb-* | shbe-* \
 	| shle-* | sh[1234]le-* | sh3ele-* | sh64-* | sh64le-* \
 	| sparc-* | sparc64-* | sparc64b-* | sparc64v-* | sparc86x-* | sparclet-* \
 	| sparclite-* \
 	| sparcv8-* | sparcv9-* | sparcv9b-* | sparcv9v-* | strongarm-* | sv1-* | sx?-* \
 	| tahoe-* | thumb-* \
-	| tic30-* | tic4x-* | tic54x-* | tic55x-* | tic6x-* | tic80-* | tile-* \
+	| tic30-* | tic4x-* | tic54x-* | tic55x-* | tic6x-* | tic80-* \
+	| tile-* | tilegx-* \
 	| tron-* \
+	| ubicom32-* \
 	| v850-* | v850e-* | vax-* \
 	| we32k-* \
 	| x86-* | x86_64-* | xc16x-* | xps100-* | xscale-* | xscalee[bl]-* \
@@ -726,6 +734,9 @@ case $basic_machine in
 		basic_machine=ns32k-utek
 		os=-sysv
 		;;
+        microblaze)
+		basic_machine=microblaze-xilinx
+		;;
 	mingw32)
 		basic_machine=i386-pc
 		os=-mingw32
@@ -1076,6 +1087,11 @@ case $basic_machine in
 		basic_machine=tic6x-unknown
 		os=-coff
 		;;
+        # This must be matched before tile*.
+        tilegx*)
+		basic_machine=tilegx-unknown
+		os=-linux-gnu
+		;;
 	tile*)
 		basic_machine=tile-unknown
 		os=-linux-gnu
@@ -1247,6 +1263,9 @@ case $os in
         # First match some system type aliases
         # that might get confused with valid system types.
 	# -solaris* is a basic system type, with this one exception.
+        -auroraux)
+	        os=-auroraux
+		;;
 	-solaris1 | -solaris1.*)
 		os=`echo $os | sed -e 's|solaris1|sunos4|'`
 		;;
@@ -1268,8 +1287,8 @@ case $os in
 	# -sysv* is not here because it comes later, after sysvr4.
 	-gnu* | -bsd* | -mach* | -minix* | -genix* | -ultrix* | -irix* \
 	      | -*vms* | -sco* | -esix* | -isc* | -aix* | -cnk* | -sunos | -sunos[34]*\
-	      | -hpux* | -unos* | -osf* | -luna* | -dgux* | -solaris* | -sym* \
-	      | -kopensolaris* \
+	      | -hpux* | -unos* | -osf* | -luna* | -dgux* | -auroraux* | -solaris* \
+	      | -sym* | -kopensolaris* \
 	      | -amigaos* | -amigados* | -msdos* | -newsos* | -unicos* | -aof* \
 	      | -aos* | -aros* \
 	      | -nindy* | -vxsim* | -vxworks* | -ebmon* | -hms* | -mvs* \
@@ -1290,7 +1309,7 @@ case $os in
 	      | -os2* | -vos* | -palmos* | -uclinux* | -nucleus* \
 	      | -morphos* | -superux* | -rtmk* | -rtmk-nova* | -windiss* \
 	      | -powermax* | -dnix* | -nx6 | -nx7 | -sei* | -dragonfly* \
-	      | -skyos* | -haiku* | -rdos* | -toppers* | -drops*)
+	      | -skyos* | -haiku* | -rdos* | -toppers* | -drops* | -es*)
 	# Remember, each alternative MUST END IN *, to match a version number.
 		;;
 	-qnx*)
@@ -1423,6 +1442,8 @@ case $os in
 	-dicos*)
 		os=-dicos
 		;;
+        -nacl*)
+	        ;;
 	-none)
 		;;
 	*)
diff --git a/configure b/configure
index 64ecd2c57..d823c3045 100755
--- a/configure
+++ b/configure
@@ -1,11 +1,11 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.65 for strongSwan 4.4.1.
+# Generated by GNU Autoconf 2.67 for strongSwan 4.5.0.
 #
 #
 # Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
-# 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 Free Software
+# Foundation, Inc.
 #
 #
 # This configure script is free software; the Free Software Foundation
@@ -316,7 +316,7 @@ $as_echo X"$as_dir" |
       test -d "$as_dir" && break
     done
     test -z "$as_dirs" || eval "mkdir $as_dirs"
-  } || test -d "$as_dir" || as_fn_error "cannot create directory $as_dir"
+  } || test -d "$as_dir" || as_fn_error $? "cannot create directory $as_dir"
 
 
 } # as_fn_mkdir_p
@@ -356,19 +356,19 @@ else
 fi # as_fn_arith
 
 
-# as_fn_error ERROR [LINENO LOG_FD]
-# ---------------------------------
+# as_fn_error STATUS ERROR [LINENO LOG_FD]
+# ----------------------------------------
 # Output "`basename $0`: error: ERROR" to stderr. If LINENO and LOG_FD are
 # provided, also output the error to LOG_FD, referencing LINENO. Then exit the
-# script with status $?, using 1 if that was 0.
+# script with STATUS, using 1 if that was 0.
 as_fn_error ()
 {
-  as_status=$?; test $as_status -eq 0 && as_status=1
-  if test "$3"; then
-    as_lineno=${as_lineno-"$2"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
-    $as_echo "$as_me:${as_lineno-$LINENO}: error: $1" >&$3
+  as_status=$1; test $as_status -eq 0 && as_status=1
+  if test "$4"; then
+    as_lineno=${as_lineno-"$3"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
+    $as_echo "$as_me:${as_lineno-$LINENO}: error: $2" >&$4
   fi
-  $as_echo "$as_me: error: $1" >&2
+  $as_echo "$as_me: error: $2" >&2
   as_fn_exit $as_status
 } # as_fn_error
 
@@ -679,7 +679,7 @@ test -n "$DJDIR" || exec 7<&0 </dev/null
 exec 6>&1
 
 # Name of the host.
-# hostname on some systems (SVR3.2, Linux) returns a bogus exit status,
+# hostname on some systems (SVR3.2, old GNU/Linux) returns a bogus exit status,
 # so uname gets run too.
 ac_hostname=`(hostname || uname -n) 2>/dev/null | sed 1q`
 
@@ -698,8 +698,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='strongSwan'
 PACKAGE_TARNAME='strongswan'
-PACKAGE_VERSION='4.4.1'
-PACKAGE_STRING='strongSwan 4.4.1'
+PACKAGE_VERSION='4.5.0'
+PACKAGE_STRING='strongSwan 4.5.0'
 PACKAGE_BUGREPORT=''
 PACKAGE_URL=''
 
@@ -745,6 +745,8 @@ LTLIBOBJS
 LIBOBJS
 MONOLITHIC_FALSE
 MONOLITHIC_TRUE
+USE_TLS_FALSE
+USE_TLS_TRUE
 USE_SIMAKA_FALSE
 USE_SIMAKA_TRUE
 USE_VSTR_FALSE
@@ -797,6 +799,14 @@ USE_XAUTH_FALSE
 USE_XAUTH_TRUE
 USE_RESOLVE_FALSE
 USE_RESOLVE_TRUE
+USE_KERNEL_PFROUTE_FALSE
+USE_KERNEL_PFROUTE_TRUE
+USE_KERNEL_PFKEY_FALSE
+USE_KERNEL_PFKEY_TRUE
+USE_KERNEL_NETLINK_FALSE
+USE_KERNEL_NETLINK_TRUE
+USE_KERNEL_KLIPS_FALSE
+USE_KERNEL_KLIPS_TRUE
 USE_ATTR_SQL_FALSE
 USE_ATTR_SQL_TRUE
 USE_ATTR_FALSE
@@ -811,16 +821,22 @@ USE_SOCKET_RAW_FALSE
 USE_SOCKET_RAW_TRUE
 USE_SOCKET_DEFAULT_FALSE
 USE_SOCKET_DEFAULT_TRUE
-USE_KERNEL_KLIPS_FALSE
-USE_KERNEL_KLIPS_TRUE
-USE_KERNEL_PFROUTE_FALSE
-USE_KERNEL_PFROUTE_TRUE
-USE_KERNEL_PFKEY_FALSE
-USE_KERNEL_PFKEY_TRUE
-USE_KERNEL_NETLINK_FALSE
-USE_KERNEL_NETLINK_TRUE
+USE_TNCCS_20_FALSE
+USE_TNCCS_20_TRUE
+USE_TNCCS_11_FALSE
+USE_TNCCS_11_TRUE
+USE_TNC_IMV_FALSE
+USE_TNC_IMV_TRUE
+USE_TNC_IMC_FALSE
+USE_TNC_IMC_TRUE
 USE_EAP_RADIUS_FALSE
 USE_EAP_RADIUS_TRUE
+USE_EAP_TNC_FALSE
+USE_EAP_TNC_TRUE
+USE_EAP_TTLS_FALSE
+USE_EAP_TTLS_TRUE
+USE_EAP_TLS_FALSE
+USE_EAP_TLS_TRUE
 USE_EAP_MSCHAPV2_FALSE
 USE_EAP_MSCHAPV2_TRUE
 USE_EAP_AKA_3GPP2_FALSE
@@ -843,6 +859,8 @@ USE_EAP_SIM_FILE_FALSE
 USE_EAP_SIM_FILE_TRUE
 USE_EAP_SIM_FALSE
 USE_EAP_SIM_TRUE
+USE_LED_FALSE
+USE_LED_TRUE
 USE_HA_FALSE
 USE_HA_TRUE
 USE_LOAD_TESTER_FALSE
@@ -857,6 +875,8 @@ USE_SQL_FALSE
 USE_SQL_TRUE
 USE_SMP_FALSE
 USE_SMP_TRUE
+USE_MAEMO_FALSE
+USE_MAEMO_TRUE
 USE_ANDROID_FALSE
 USE_ANDROID_TRUE
 USE_UCI_FALSE
@@ -869,6 +889,14 @@ USE_MEDSRV_FALSE
 USE_MEDSRV_TRUE
 USE_STROKE_FALSE
 USE_STROKE_TRUE
+USE_GCM_FALSE
+USE_GCM_TRUE
+USE_CCM_FALSE
+USE_CCM_TRUE
+USE_CTR_FALSE
+USE_CTR_TRUE
+USE_PKCS11_FALSE
+USE_PKCS11_TRUE
 USE_AGENT_FALSE
 USE_AGENT_TRUE
 USE_GCRYPT_FALSE
@@ -925,11 +953,24 @@ USE_CURL_FALSE
 USE_CURL_TRUE
 USE_TEST_VECTORS_FALSE
 USE_TEST_VECTORS_TRUE
+s_plugins
+h_plugins
+p_plugins
+c_plugins
+medsrv_plugins
+manager_plugins
+scripts_plugins
+pki_plugins
+scepclient_plugins
+openac_plugins
+pool_plugins
 pluto_plugins
-libhydra_plugins
-libstrongswan_plugins
+libcharon_plugins
 nm_LIBS
 nm_CFLAGS
+dbusservicedir
+maemo_LIBS
+maemo_CFLAGS
 MYSQLCFLAG
 MYSQLLIB
 MYSQLCONFIG
@@ -1012,6 +1053,8 @@ strongswan_conf
 urandom_device
 random_device
 default_pkcs11
+PKG_CONFIG_LIBDIR
+PKG_CONFIG_PATH
 PKG_CONFIG
 am__untar
 am__tar
@@ -1140,7 +1183,14 @@ enable_eap_gtc
 enable_eap_aka
 enable_eap_aka_3gpp2
 enable_eap_mschapv2
+enable_eap_tls
+enable_eap_ttls
+enable_eap_tnc
 enable_eap_radius
+enable_tnc_imc
+enable_tnc_imv
+enable_tnccs_11
+enable_tnccs_20
 enable_kernel_netlink
 enable_kernel_pfkey
 enable_kernel_pfroute
@@ -1173,11 +1223,17 @@ enable_padlock
 enable_openssl
 enable_gcrypt
 enable_agent
+enable_pkcs11
+enable_ctr
+enable_ccm
+enable_gcm
 enable_addrblock
 enable_uci
 enable_android
+enable_maemo
 enable_nm
 enable_ha
+enable_led
 enable_vstr
 enable_monolithic
 enable_dependency_tracking
@@ -1193,6 +1249,8 @@ enable_libtool_lock
 host_alias
 target_alias
 PKG_CONFIG
+PKG_CONFIG_PATH
+PKG_CONFIG_LIBDIR
 CC
 CFLAGS
 LDFLAGS
@@ -1205,6 +1263,8 @@ xml_CFLAGS
 xml_LIBS
 gtk_CFLAGS
 gtk_LIBS
+maemo_CFLAGS
+maemo_LIBS
 nm_CFLAGS
 nm_LIBS'
 
@@ -1269,8 +1329,9 @@ do
   fi
 
   case $ac_option in
-  *=*)	ac_optarg=`expr "X$ac_option" : '[^=]*=\(.*\)'` ;;
-  *)	ac_optarg=yes ;;
+  *=?*) ac_optarg=`expr "X$ac_option" : '[^=]*=\(.*\)'` ;;
+  *=)   ac_optarg= ;;
+  *)    ac_optarg=yes ;;
   esac
 
   # Accept the important Cygnus configure options, so we can diagnose typos.
@@ -1315,7 +1376,7 @@ do
     ac_useropt=`expr "x$ac_option" : 'x-*disable-\(.*\)'`
     # Reject names that are not valid shell variable names.
     expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null &&
-      as_fn_error "invalid feature name: $ac_useropt"
+      as_fn_error $? "invalid feature name: $ac_useropt"
     ac_useropt_orig=$ac_useropt
     ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'`
     case $ac_user_opts in
@@ -1341,7 +1402,7 @@ do
     ac_useropt=`expr "x$ac_option" : 'x-*enable-\([^=]*\)'`
     # Reject names that are not valid shell variable names.
     expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null &&
-      as_fn_error "invalid feature name: $ac_useropt"
+      as_fn_error $? "invalid feature name: $ac_useropt"
     ac_useropt_orig=$ac_useropt
     ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'`
     case $ac_user_opts in
@@ -1545,7 +1606,7 @@ do
     ac_useropt=`expr "x$ac_option" : 'x-*with-\([^=]*\)'`
     # Reject names that are not valid shell variable names.
     expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null &&
-      as_fn_error "invalid package name: $ac_useropt"
+      as_fn_error $? "invalid package name: $ac_useropt"
     ac_useropt_orig=$ac_useropt
     ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'`
     case $ac_user_opts in
@@ -1561,7 +1622,7 @@ do
     ac_useropt=`expr "x$ac_option" : 'x-*without-\(.*\)'`
     # Reject names that are not valid shell variable names.
     expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null &&
-      as_fn_error "invalid package name: $ac_useropt"
+      as_fn_error $? "invalid package name: $ac_useropt"
     ac_useropt_orig=$ac_useropt
     ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'`
     case $ac_user_opts in
@@ -1591,8 +1652,8 @@ do
   | --x-librar=* | --x-libra=* | --x-libr=* | --x-lib=* | --x-li=* | --x-l=*)
     x_libraries=$ac_optarg ;;
 
-  -*) as_fn_error "unrecognized option: \`$ac_option'
-Try \`$0 --help' for more information."
+  -*) as_fn_error $? "unrecognized option: \`$ac_option'
+Try \`$0 --help' for more information"
     ;;
 
   *=*)
@@ -1600,7 +1661,7 @@ Try \`$0 --help' for more information."
     # Reject names that are not valid shell variable names.
     case $ac_envvar in #(
       '' | [0-9]* | *[!_$as_cr_alnum]* )
-      as_fn_error "invalid variable name: \`$ac_envvar'" ;;
+      as_fn_error $? "invalid variable name: \`$ac_envvar'" ;;
     esac
     eval $ac_envvar=\$ac_optarg
     export $ac_envvar ;;
@@ -1618,13 +1679,13 @@ done
 
 if test -n "$ac_prev"; then
   ac_option=--`echo $ac_prev | sed 's/_/-/g'`
-  as_fn_error "missing argument to $ac_option"
+  as_fn_error $? "missing argument to $ac_option"
 fi
 
 if test -n "$ac_unrecognized_opts"; then
   case $enable_option_checking in
     no) ;;
-    fatal) as_fn_error "unrecognized options: $ac_unrecognized_opts" ;;
+    fatal) as_fn_error $? "unrecognized options: $ac_unrecognized_opts" ;;
     *)     $as_echo "$as_me: WARNING: unrecognized options: $ac_unrecognized_opts" >&2 ;;
   esac
 fi
@@ -1647,7 +1708,7 @@ do
     [\\/$]* | ?:[\\/]* )  continue;;
     NONE | '' ) case $ac_var in *prefix ) continue;; esac;;
   esac
-  as_fn_error "expected an absolute directory name for --$ac_var: $ac_val"
+  as_fn_error $? "expected an absolute directory name for --$ac_var: $ac_val"
 done
 
 # There might be people who depend on the old broken behavior: `$host'
@@ -1661,8 +1722,8 @@ target=$target_alias
 if test "x$host_alias" != x; then
   if test "x$build_alias" = x; then
     cross_compiling=maybe
-    $as_echo "$as_me: WARNING: If you wanted to set the --build type, don't use --host.
-    If a cross compiler is detected then cross compile mode will be used." >&2
+    $as_echo "$as_me: WARNING: if you wanted to set the --build type, don't use --host.
+    If a cross compiler is detected then cross compile mode will be used" >&2
   elif test "x$build_alias" != "x$host_alias"; then
     cross_compiling=yes
   fi
@@ -1677,9 +1738,9 @@ test "$silent" = yes && exec 6>/dev/null
 ac_pwd=`pwd` && test -n "$ac_pwd" &&
 ac_ls_di=`ls -di .` &&
 ac_pwd_ls_di=`cd "$ac_pwd" && ls -di .` ||
-  as_fn_error "working directory cannot be determined"
+  as_fn_error $? "working directory cannot be determined"
 test "X$ac_ls_di" = "X$ac_pwd_ls_di" ||
-  as_fn_error "pwd does not report name of working directory"
+  as_fn_error $? "pwd does not report name of working directory"
 
 
 # Find the source files, if location was not specified.
@@ -1718,11 +1779,11 @@ else
 fi
 if test ! -r "$srcdir/$ac_unique_file"; then
   test "$ac_srcdir_defaulted" = yes && srcdir="$ac_confdir or .."
-  as_fn_error "cannot find sources ($ac_unique_file) in $srcdir"
+  as_fn_error $? "cannot find sources ($ac_unique_file) in $srcdir"
 fi
 ac_msg="sources are in $srcdir, but \`cd $srcdir' does not work"
 ac_abs_confdir=`(
-	cd "$srcdir" && test -r "./$ac_unique_file" || as_fn_error "$ac_msg"
+	cd "$srcdir" && test -r "./$ac_unique_file" || as_fn_error $? "$ac_msg"
 	pwd)`
 # When building in place, set srcdir=.
 if test "$ac_abs_confdir" = "$ac_pwd"; then
@@ -1748,7 +1809,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures strongSwan 4.4.1 to adapt to many kinds of systems.
+\`configure' configures strongSwan 4.5.0 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1762,7 +1823,7 @@ Configuration:
       --help=short        display options specific to this package
       --help=recursive    display the short help of all the included packages
   -V, --version           display version information and exit
-  -q, --quiet, --silent   do not print \`checking...' messages
+  -q, --quiet, --silent   do not print \`checking ...' messages
       --cache-file=FILE   cache test results in FILE [disabled]
   -C, --config-cache      alias for \`--cache-file=config.cache'
   -n, --no-create         do not create output files
@@ -1818,7 +1879,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of strongSwan 4.4.1:";;
+     short | recursive ) echo "Configuration of strongSwan 4.5.0:";;
    esac
   cat <<\_ACEOF
 
@@ -1870,7 +1931,7 @@ Optional Features:
   --enable-lock-profiler  enable lock/mutex profiling code.
   --enable-unit-tests     enable unit tests on IKEv2 daemon startup.
   --enable-load-tester    enable load testing plugin for IKEv2 daemon.
-  --enable-eap-sim        enable SIM authenication module for EAP.
+  --enable-eap-sim        enable SIM authentication module for EAP.
   --enable-eap-sim-file   enable EAP-SIM backend based on a triplet file.
   --enable-eap-simaka-sql enable EAP-SIM/AKA backend based on a
                           triplet/quintuplet SQL database.
@@ -1880,13 +1941,20 @@ Optional Features:
                           enable EAP-SIM/AKA reauthentication data storage
                           plugin.
   --enable-eap-identity   enable EAP module providing EAP-Identity helper.
-  --enable-eap-md5        enable EAP MD5 (CHAP) authenication module.
-  --enable-eap-gtc        enable PAM based EAP GTC authenication module.
+  --enable-eap-md5        enable EAP MD5 (CHAP) authentication module.
+  --enable-eap-gtc        enable PAM based EAP GTC authentication module.
   --enable-eap-aka        enable EAP AKA authentication module.
   --enable-eap-aka-3gpp2  enable EAP AKA backend implementing 3GPP2 algorithms
                           in software. Requires libgmp.
-  --enable-eap-mschapv2   enable EAP MS-CHAPv2 authenication module.
-  --enable-eap-radius     enable RADIUS proxy authenication module.
+  --enable-eap-mschapv2   enable EAP MS-CHAPv2 authentication module.
+  --enable-eap-tls        enable EAP TLS authentication module.
+  --enable-eap-ttls       enable EAP TTLS authentication module.
+  --enable-eap-tnc        enable EAP TNC trusted network connect module.
+  --enable-eap-radius     enable RADIUS proxy authentication module.
+  --enable-tnc-imc        enable TNC IMC module.
+  --enable-tnc-imv        enable TNC IMV module.
+  --enable-tnccs-11       enable TNCCS 1.1 protocol module.
+  --enable-tnccs-20       enable TNCCS 2.0 protocol module.
   --disable-kernel-netlink
                           disable the netlink kernel interface.
   --enable-kernel-pfkey   enable the PF_KEY kernel interface.
@@ -1932,11 +2000,18 @@ Optional Features:
   --enable-openssl        enables the OpenSSL crypto plugin.
   --enable-gcrypt         enables the libgcrypt plugin.
   --enable-agent          enables the ssh-agent signing plugin.
+  --enable-pkcs11         enables the PKCS11 token support plugin.
+  --enable-ctr            enables the Counter Mode wrapper crypto plugin.
+  --enable-ccm            enables the CCM AEAD wrapper crypto plugin.
+  --enable-gcm            enables the GCM AEAD wrapper crypto plugin.
   --enable-addrblock      enables RFC 3779 address block constraint support.
   --enable-uci            enable OpenWRT UCI configuration plugin.
   --enable-android        enable Android specific plugin.
+  --enable-maemo          enable Maemo specific plugin.
   --enable-nm             enable NetworkManager plugin.
   --enable-ha             enable high availability cluster plugin.
+  --enable-led            enable plugin to control LEDs on IKEv2 activity
+                          using the Linux kernel LED subsystem.
   --enable-vstr           enforce using the Vstr string library to replace
                           glibc-like printf hooks.
   --enable-monolithic     build monolithic version of libstrongswan that
@@ -2000,6 +2075,10 @@ Optional Packages:
 
 Some influential environment variables:
   PKG_CONFIG  path to pkg-config utility
+  PKG_CONFIG_PATH
+              directories to add to pkg-config's search path
+  PKG_CONFIG_LIBDIR
+              path overriding pkg-config's built-in search path
   CC          C compiler command
   CFLAGS      C compiler flags
   LDFLAGS     linker flags, e.g. -L<lib dir> if you have libraries in a
@@ -2017,6 +2096,9 @@ Some influential environment variables:
   xml_LIBS    linker flags for xml, overriding pkg-config
   gtk_CFLAGS  C compiler flags for gtk, overriding pkg-config
   gtk_LIBS    linker flags for gtk, overriding pkg-config
+  maemo_CFLAGS
+              C compiler flags for maemo, overriding pkg-config
+  maemo_LIBS  linker flags for maemo, overriding pkg-config
   nm_CFLAGS   C compiler flags for nm, overriding pkg-config
   nm_LIBS     linker flags for nm, overriding pkg-config
 
@@ -2086,10 +2168,10 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-strongSwan configure 4.4.1
-generated by GNU Autoconf 2.65
+strongSwan configure 4.5.0
+generated by GNU Autoconf 2.67
 
-Copyright (C) 2009 Free Software Foundation, Inc.
+Copyright (C) 2010 Free Software Foundation, Inc.
 This configure script is free software; the Free Software Foundation
 gives unlimited permission to copy, distribute and modify it.
 _ACEOF
@@ -2138,6 +2220,43 @@ fi
 
 } # ac_fn_c_try_compile
 
+# ac_fn_c_try_cpp LINENO
+# ----------------------
+# Try to preprocess conftest.$ac_ext, and return whether this succeeded.
+ac_fn_c_try_cpp ()
+{
+  as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
+  if { { ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
+$as_echo "$ac_try_echo"; } >&5
+  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.err
+  ac_status=$?
+  if test -s conftest.err; then
+    grep -v '^ *+' conftest.err >conftest.er1
+    cat conftest.er1 >&5
+    mv -f conftest.er1 conftest.err
+  fi
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; } > conftest.i && {
+	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       }; then :
+  ac_retval=0
+else
+  $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+    ac_retval=1
+fi
+  eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;}
+  as_fn_set_status $ac_retval
+
+} # ac_fn_c_try_cpp
+
 # ac_fn_c_try_run LINENO
 # ----------------------
 # Try to link conftest.$ac_ext, and return whether this succeeded. Assumes
@@ -2180,43 +2299,6 @@ fi
 
 } # ac_fn_c_try_run
 
-# ac_fn_c_try_cpp LINENO
-# ----------------------
-# Try to preprocess conftest.$ac_ext, and return whether this succeeded.
-ac_fn_c_try_cpp ()
-{
-  as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
-  if { { ac_try="$ac_cpp conftest.$ac_ext"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
-$as_echo "$ac_try_echo"; } >&5
-  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.err
-  ac_status=$?
-  if test -s conftest.err; then
-    grep -v '^ *+' conftest.err >conftest.er1
-    cat conftest.er1 >&5
-    mv -f conftest.er1 conftest.err
-  fi
-  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
-  test $ac_status = 0; } >/dev/null && {
-	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       }; then :
-  ac_retval=0
-else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-    ac_retval=1
-fi
-  eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;}
-  as_fn_set_status $ac_retval
-
-} # ac_fn_c_try_cpp
-
 # ac_fn_c_check_header_compile LINENO HEADER VAR INCLUDES
 # -------------------------------------------------------
 # Tests whether HEADER exists and can be compiled using the include files in
@@ -2226,7 +2308,7 @@ ac_fn_c_check_header_compile ()
   as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
   { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5
 $as_echo_n "checking for $2... " >&6; }
-if { as_var=$3; eval "test \"\${$as_var+set}\" = set"; }; then :
+if eval "test \"\${$3+set}\"" = set; then :
   $as_echo_n "(cached) " >&6
 else
   cat confdefs.h - <<_ACEOF >conftest.$ac_ext
@@ -2302,7 +2384,7 @@ ac_fn_c_check_func ()
   as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
   { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5
 $as_echo_n "checking for $2... " >&6; }
-if { as_var=$3; eval "test \"\${$as_var+set}\" = set"; }; then :
+if eval "test \"\${$3+set}\"" = set; then :
   $as_echo_n "(cached) " >&6
 else
   cat confdefs.h - <<_ACEOF >conftest.$ac_ext
@@ -2370,7 +2452,7 @@ ac_fn_c_check_type ()
   as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
   { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5
 $as_echo_n "checking for $2... " >&6; }
-if { as_var=$3; eval "test \"\${$as_var+set}\" = set"; }; then :
+if eval "test \"\${$3+set}\"" = set; then :
   $as_echo_n "(cached) " >&6
 else
   eval "$3=no"
@@ -2423,10 +2505,10 @@ $as_echo "$ac_res" >&6; }
 ac_fn_c_check_header_mongrel ()
 {
   as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
-  if { as_var=$3; eval "test \"\${$as_var+set}\" = set"; }; then :
+  if eval "test \"\${$3+set}\"" = set; then :
   { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5
 $as_echo_n "checking for $2... " >&6; }
-if { as_var=$3; eval "test \"\${$as_var+set}\" = set"; }; then :
+if eval "test \"\${$3+set}\"" = set; then :
   $as_echo_n "(cached) " >&6
 fi
 eval ac_res=\$$3
@@ -2462,7 +2544,7 @@ if ac_fn_c_try_cpp "$LINENO"; then :
 else
   ac_header_preproc=no
 fi
-rm -f conftest.err conftest.$ac_ext
+rm -f conftest.err conftest.i conftest.$ac_ext
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_header_preproc" >&5
 $as_echo "$ac_header_preproc" >&6; }
 
@@ -2489,7 +2571,7 @@ $as_echo "$as_me: WARNING: $2: proceeding with the compiler's result" >&2;}
 esac
   { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5
 $as_echo_n "checking for $2... " >&6; }
-if { as_var=$3; eval "test \"\${$as_var+set}\" = set"; }; then :
+if eval "test \"\${$3+set}\"" = set; then :
   $as_echo_n "(cached) " >&6
 else
   eval "$3=\$ac_header_compiler"
@@ -2511,7 +2593,7 @@ ac_fn_c_check_member ()
   as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
   { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2.$3" >&5
 $as_echo_n "checking for $2.$3... " >&6; }
-if { as_var=$4; eval "test \"\${$as_var+set}\" = set"; }; then :
+if eval "test \"\${$4+set}\"" = set; then :
   $as_echo_n "(cached) " >&6
 else
   cat confdefs.h - <<_ACEOF >conftest.$ac_ext
@@ -2562,8 +2644,8 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by strongSwan $as_me 4.4.1, which was
-generated by GNU Autoconf 2.65.  Invocation command line was
+It was created by strongSwan $as_me 4.5.0, which was
+generated by GNU Autoconf 2.67.  Invocation command line was
 
   $ $0 $@
 
@@ -2673,11 +2755,9 @@ trap 'exit_status=$?
   {
     echo
 
-    cat <<\_ASBOX
-## ---------------- ##
+    $as_echo "## ---------------- ##
 ## Cache variables. ##
-## ---------------- ##
-_ASBOX
+## ---------------- ##"
     echo
     # The following way of writing the cache mishandles newlines in values,
 (
@@ -2711,11 +2791,9 @@ $as_echo "$as_me: WARNING: cache variable $ac_var contains a newline" >&2;} ;;
 )
     echo
 
-    cat <<\_ASBOX
-## ----------------- ##
+    $as_echo "## ----------------- ##
 ## Output variables. ##
-## ----------------- ##
-_ASBOX
+## ----------------- ##"
     echo
     for ac_var in $ac_subst_vars
     do
@@ -2728,11 +2806,9 @@ _ASBOX
     echo
 
     if test -n "$ac_subst_files"; then
-      cat <<\_ASBOX
-## ------------------- ##
+      $as_echo "## ------------------- ##
 ## File substitutions. ##
-## ------------------- ##
-_ASBOX
+## ------------------- ##"
       echo
       for ac_var in $ac_subst_files
       do
@@ -2746,11 +2822,9 @@ _ASBOX
     fi
 
     if test -s confdefs.h; then
-      cat <<\_ASBOX
-## ----------- ##
+      $as_echo "## ----------- ##
 ## confdefs.h. ##
-## ----------- ##
-_ASBOX
+## ----------- ##"
       echo
       cat confdefs.h
       echo
@@ -2805,7 +2879,12 @@ _ACEOF
 ac_site_file1=NONE
 ac_site_file2=NONE
 if test -n "$CONFIG_SITE"; then
-  ac_site_file1=$CONFIG_SITE
+  # We do not want a PATH search for config.site.
+  case $CONFIG_SITE in #((
+    -*)  ac_site_file1=./$CONFIG_SITE;;
+    */*) ac_site_file1=$CONFIG_SITE;;
+    *)   ac_site_file1=./$CONFIG_SITE;;
+  esac
 elif test "x$prefix" != xNONE; then
   ac_site_file1=$prefix/share/config.site
   ac_site_file2=$prefix/etc/config.site
@@ -2820,7 +2899,11 @@ do
     { $as_echo "$as_me:${as_lineno-$LINENO}: loading site script $ac_site_file" >&5
 $as_echo "$as_me: loading site script $ac_site_file" >&6;}
     sed 's/^/| /' "$ac_site_file" >&5
-    . "$ac_site_file"
+    . "$ac_site_file" \
+      || { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error $? "failed to load site script $ac_site_file
+See \`config.log' for more details" "$LINENO" 5 ; }
   fi
 done
 
@@ -2896,7 +2979,7 @@ if $ac_cache_corrupted; then
 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
   { $as_echo "$as_me:${as_lineno-$LINENO}: error: changes in the environment can compromise the build" >&5
 $as_echo "$as_me: error: changes in the environment can compromise the build" >&2;}
-  as_fn_error "run \`make distclean' and/or \`rm $cache_file' and start over" "$LINENO" 5
+  as_fn_error $? "run \`make distclean' and/or \`rm $cache_file' and start over" "$LINENO" 5
 fi
 ## -------------------- ##
 ## Main body of script. ##
@@ -2913,16 +2996,22 @@ am__api_version='1.11'
 
 ac_aux_dir=
 for ac_dir in "$srcdir" "$srcdir/.." "$srcdir/../.."; do
-  for ac_t in install-sh install.sh shtool; do
-    if test -f "$ac_dir/$ac_t"; then
-      ac_aux_dir=$ac_dir
-      ac_install_sh="$ac_aux_dir/$ac_t -c"
-      break 2
-    fi
-  done
+  if test -f "$ac_dir/install-sh"; then
+    ac_aux_dir=$ac_dir
+    ac_install_sh="$ac_aux_dir/install-sh -c"
+    break
+  elif test -f "$ac_dir/install.sh"; then
+    ac_aux_dir=$ac_dir
+    ac_install_sh="$ac_aux_dir/install.sh -c"
+    break
+  elif test -f "$ac_dir/shtool"; then
+    ac_aux_dir=$ac_dir
+    ac_install_sh="$ac_aux_dir/shtool install -c"
+    break
+  fi
 done
 if test -z "$ac_aux_dir"; then
-  as_fn_error "cannot find install-sh, install.sh, or shtool in \"$srcdir\" \"$srcdir/..\" \"$srcdir/../..\"" "$LINENO" 5
+  as_fn_error $? "cannot find install-sh, install.sh, or shtool in \"$srcdir\" \"$srcdir/..\" \"$srcdir/../..\"" "$LINENO" 5
 fi
 
 # These three variables are undocumented and unsupported,
@@ -3038,11 +3127,11 @@ am_lf='
 '
 case `pwd` in
   *[\\\"\#\$\&\'\`$am_lf]*)
-    as_fn_error "unsafe absolute working directory name" "$LINENO" 5;;
+    as_fn_error $? "unsafe absolute working directory name" "$LINENO" 5 ;;
 esac
 case $srcdir in
   *[\\\"\#\$\&\'\`$am_lf\ \	]*)
-    as_fn_error "unsafe srcdir value: \`$srcdir'" "$LINENO" 5;;
+    as_fn_error $? "unsafe srcdir value: \`$srcdir'" "$LINENO" 5 ;;
 esac
 
 # Do `set' in a subshell so we don't clobber the current shell's
@@ -3064,7 +3153,7 @@ if (
       # if, for instance, CONFIG_SHELL is bash and it inherits a
       # broken ls alias from the environment.  This has actually
       # happened.  Such a system could not be considered "sane".
-      as_fn_error "ls -t appears to fail.  Make sure there is not a broken
+      as_fn_error $? "ls -t appears to fail.  Make sure there is not a broken
 alias in your environment" "$LINENO" 5
    fi
 
@@ -3074,7 +3163,7 @@ then
    # Ok.
    :
 else
-   as_fn_error "newly created file is older than distributed files!
+   as_fn_error $? "newly created file is older than distributed files!
 Check your system clock" "$LINENO" 5
 fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
@@ -3312,7 +3401,7 @@ done
 $as_echo_n "checking whether ${MAKE-make} sets \$(MAKE)... " >&6; }
 set x ${MAKE-make}
 ac_make=`$as_echo "$2" | sed 's/+/p/g; s/[^a-zA-Z0-9_]/_/g'`
-if { as_var=ac_cv_prog_make_${ac_make}_set; eval "test \"\${$as_var+set}\" = set"; }; then :
+if eval "test \"\${ac_cv_prog_make_${ac_make}_set+set}\"" = set; then :
   $as_echo_n "(cached) " >&6
 else
   cat >conftest.make <<\_ACEOF
@@ -3320,7 +3409,7 @@ SHELL = /bin/sh
 all:
 	@echo '@@@%%%=$(MAKE)=@@@%%%'
 _ACEOF
-# GNU make sometimes prints "make[1]: Entering...", which would confuse us.
+# GNU make sometimes prints "make[1]: Entering ...", which would confuse us.
 case `${MAKE-make} -f conftest.make 2>/dev/null` in
   *@@@%%%=?*=@@@%%%*)
     eval ac_cv_prog_make_${ac_make}_set=yes;;
@@ -3354,7 +3443,7 @@ if test "`cd $srcdir && pwd`" != "`pwd`"; then
   am__isrc=' -I$(srcdir)'
   # test to see if srcdir already configured
   if test -f $srcdir/config.status; then
-    as_fn_error "source directory already configured; run \"make distclean\" there first" "$LINENO" 5
+    as_fn_error $? "source directory already configured; run \"make distclean\" there first" "$LINENO" 5
   fi
 fi
 
@@ -3370,7 +3459,7 @@ fi
 
 # Define the identity of the package.
  PACKAGE='strongswan'
- VERSION='4.4.1'
+ VERSION='4.5.0'
 
 
 cat >>confdefs.h <<_ACEOF
@@ -3494,6 +3583,10 @@ $as_echo "$am_cv_prog_tar_ustar" >&6; }
 
 
 
+
+
+
+
 if test "x$ac_cv_env_PKG_CONFIG_set" != "xset"; then
 	if test -n "$ac_tool_prefix"; then
   # Extract the first word of "${ac_tool_prefix}pkg-config", so it can be a program name with args.
@@ -3606,7 +3699,6 @@ $as_echo "yes" >&6; }
 $as_echo "no" >&6; }
 		PKG_CONFIG=""
 	fi
-
 fi
 
 
@@ -4530,6 +4622,51 @@ else
 fi
 
 
+# Check whether --enable-eap-tls was given.
+if test "${enable_eap_tls+set}" = set; then :
+  enableval=$enable_eap_tls; eap_tls_given=true
+		if test x$enableval = xyes; then
+			eap_tls=true
+		 else
+			eap_tls=false
+		fi
+else
+  eap_tls=false
+		eap_tls_given=false
+
+fi
+
+
+# Check whether --enable-eap-ttls was given.
+if test "${enable_eap_ttls+set}" = set; then :
+  enableval=$enable_eap_ttls; eap_ttls_given=true
+		if test x$enableval = xyes; then
+			eap_ttls=true
+		 else
+			eap_ttls=false
+		fi
+else
+  eap_ttls=false
+		eap_ttls_given=false
+
+fi
+
+
+# Check whether --enable-eap-tnc was given.
+if test "${enable_eap_tnc+set}" = set; then :
+  enableval=$enable_eap_tnc; eap_tnc_given=true
+		if test x$enableval = xyes; then
+			eap_tnc=true
+		 else
+			eap_tnc=false
+		fi
+else
+  eap_tnc=false
+		eap_tnc_given=false
+
+fi
+
+
 # Check whether --enable-eap-radius was given.
 if test "${enable_eap_radius+set}" = set; then :
   enableval=$enable_eap_radius; eap_radius_given=true
@@ -4545,6 +4682,66 @@ else
 fi
 
 
+# Check whether --enable-tnc-imc was given.
+if test "${enable_tnc_imc+set}" = set; then :
+  enableval=$enable_tnc_imc; tnc_imc_given=true
+		if test x$enableval = xyes; then
+			tnc_imc=true
+		 else
+			tnc_imc=false
+		fi
+else
+  tnc_imc=false
+		tnc_imc_given=false
+
+fi
+
+
+# Check whether --enable-tnc-imv was given.
+if test "${enable_tnc_imv+set}" = set; then :
+  enableval=$enable_tnc_imv; tnc_imv_given=true
+		if test x$enableval = xyes; then
+			tnc_imv=true
+		 else
+			tnc_imv=false
+		fi
+else
+  tnc_imv=false
+		tnc_imv_given=false
+
+fi
+
+
+# Check whether --enable-tnccs-11 was given.
+if test "${enable_tnccs_11+set}" = set; then :
+  enableval=$enable_tnccs_11; tnccs_11_given=true
+		if test x$enableval = xyes; then
+			tnccs_11=true
+		 else
+			tnccs_11=false
+		fi
+else
+  tnccs_11=false
+		tnccs_11_given=false
+
+fi
+
+
+# Check whether --enable-tnccs-20 was given.
+if test "${enable_tnccs_20+set}" = set; then :
+  enableval=$enable_tnccs_20; tnccs_20_given=true
+		if test x$enableval = xyes; then
+			tnccs_20=true
+		 else
+			tnccs_20=false
+		fi
+else
+  tnccs_20=false
+		tnccs_20_given=false
+
+fi
+
+
 # Check whether --enable-kernel-netlink was given.
 if test "${enable_kernel_netlink+set}" = set; then :
   enableval=$enable_kernel_netlink; kernel_netlink_given=true
@@ -5025,6 +5222,66 @@ else
 fi
 
 
+# Check whether --enable-pkcs11 was given.
+if test "${enable_pkcs11+set}" = set; then :
+  enableval=$enable_pkcs11; pkcs11_given=true
+		if test x$enableval = xyes; then
+			pkcs11=true
+		 else
+			pkcs11=false
+		fi
+else
+  pkcs11=false
+		pkcs11_given=false
+
+fi
+
+
+# Check whether --enable-ctr was given.
+if test "${enable_ctr+set}" = set; then :
+  enableval=$enable_ctr; ctr_given=true
+		if test x$enableval = xyes; then
+			ctr=true
+		 else
+			ctr=false
+		fi
+else
+  ctr=false
+		ctr_given=false
+
+fi
+
+
+# Check whether --enable-ccm was given.
+if test "${enable_ccm+set}" = set; then :
+  enableval=$enable_ccm; ccm_given=true
+		if test x$enableval = xyes; then
+			ccm=true
+		 else
+			ccm=false
+		fi
+else
+  ccm=false
+		ccm_given=false
+
+fi
+
+
+# Check whether --enable-gcm was given.
+if test "${enable_gcm+set}" = set; then :
+  enableval=$enable_gcm; gcm_given=true
+		if test x$enableval = xyes; then
+			gcm=true
+		 else
+			gcm=false
+		fi
+else
+  gcm=false
+		gcm_given=false
+
+fi
+
+
 # Check whether --enable-addrblock was given.
 if test "${enable_addrblock+set}" = set; then :
   enableval=$enable_addrblock; addrblock_given=true
@@ -5070,6 +5327,21 @@ else
 fi
 
 
+# Check whether --enable-maemo was given.
+if test "${enable_maemo+set}" = set; then :
+  enableval=$enable_maemo; maemo_given=true
+		if test x$enableval = xyes; then
+			maemo=true
+		 else
+			maemo=false
+		fi
+else
+  maemo=false
+		maemo_given=false
+
+fi
+
+
 # Check whether --enable-nm was given.
 if test "${enable_nm+set}" = set; then :
   enableval=$enable_nm; nm_given=true
@@ -5100,6 +5372,21 @@ else
 fi
 
 
+# Check whether --enable-led was given.
+if test "${enable_led+set}" = set; then :
+  enableval=$enable_led; led_given=true
+		if test x$enableval = xyes; then
+			led=true
+		 else
+			led=false
+		fi
+else
+  led=false
+		led_given=false
+
+fi
+
+
 # Check whether --enable-vstr was given.
 if test "${enable_vstr+set}" = set; then :
   enableval=$enable_vstr; vstr_given=true
@@ -5435,8 +5722,8 @@ fi
 
 test -z "$CC" && { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
-as_fn_error "no acceptable C compiler found in \$PATH
-See \`config.log' for more details." "$LINENO" 5; }
+as_fn_error $? "no acceptable C compiler found in \$PATH
+See \`config.log' for more details" "$LINENO" 5 ; }
 
 # Provide some information about the compiler.
 $as_echo "$as_me:${as_lineno-$LINENO}: checking for C compiler version" >&5
@@ -5550,9 +5837,8 @@ sed 's/^/| /' conftest.$ac_ext >&5
 
 { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
-{ as_fn_set_status 77
-as_fn_error "C compiler cannot create executables
-See \`config.log' for more details." "$LINENO" 5; }; }
+as_fn_error 77 "C compiler cannot create executables
+See \`config.log' for more details" "$LINENO" 5 ; }
 else
   { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
 $as_echo "yes" >&6; }
@@ -5594,8 +5880,8 @@ done
 else
   { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
-as_fn_error "cannot compute suffix of executables: cannot compile and link
-See \`config.log' for more details." "$LINENO" 5; }
+as_fn_error $? "cannot compute suffix of executables: cannot compile and link
+See \`config.log' for more details" "$LINENO" 5 ; }
 fi
 rm -f conftest conftest$ac_cv_exeext
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_exeext" >&5
@@ -5652,9 +5938,9 @@ $as_echo "$ac_try_echo"; } >&5
     else
 	{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
-as_fn_error "cannot run C compiled programs.
+as_fn_error $? "cannot run C compiled programs.
 If you meant to cross compile, use \`--host'.
-See \`config.log' for more details." "$LINENO" 5; }
+See \`config.log' for more details" "$LINENO" 5 ; }
     fi
   fi
 fi
@@ -5705,8 +5991,8 @@ sed 's/^/| /' conftest.$ac_ext >&5
 
 { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
-as_fn_error "cannot compute suffix of object files: cannot compile
-See \`config.log' for more details." "$LINENO" 5; }
+as_fn_error $? "cannot compute suffix of object files: cannot compile
+See \`config.log' for more details" "$LINENO" 5 ; }
 fi
 rm -f conftest.$ac_cv_objext conftest.$ac_ext
 fi
@@ -6117,7 +6403,7 @@ fi
 
 # Make sure we can run config.sub.
 $SHELL "$ac_aux_dir/config.sub" sun4 >/dev/null 2>&1 ||
-  as_fn_error "cannot run $SHELL $ac_aux_dir/config.sub" "$LINENO" 5
+  as_fn_error $? "cannot run $SHELL $ac_aux_dir/config.sub" "$LINENO" 5
 
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking build system type" >&5
 $as_echo_n "checking build system type... " >&6; }
@@ -6128,16 +6414,16 @@ else
 test "x$ac_build_alias" = x &&
   ac_build_alias=`$SHELL "$ac_aux_dir/config.guess"`
 test "x$ac_build_alias" = x &&
-  as_fn_error "cannot guess build type; you must specify one" "$LINENO" 5
+  as_fn_error $? "cannot guess build type; you must specify one" "$LINENO" 5
 ac_cv_build=`$SHELL "$ac_aux_dir/config.sub" $ac_build_alias` ||
-  as_fn_error "$SHELL $ac_aux_dir/config.sub $ac_build_alias failed" "$LINENO" 5
+  as_fn_error $? "$SHELL $ac_aux_dir/config.sub $ac_build_alias failed" "$LINENO" 5
 
 fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_build" >&5
 $as_echo "$ac_cv_build" >&6; }
 case $ac_cv_build in
 *-*-*) ;;
-*) as_fn_error "invalid value of canonical build" "$LINENO" 5;;
+*) as_fn_error $? "invalid value of canonical build" "$LINENO" 5 ;;
 esac
 build=$ac_cv_build
 ac_save_IFS=$IFS; IFS='-'
@@ -6162,7 +6448,7 @@ else
   ac_cv_host=$ac_cv_build
 else
   ac_cv_host=`$SHELL "$ac_aux_dir/config.sub" $host_alias` ||
-    as_fn_error "$SHELL $ac_aux_dir/config.sub $host_alias failed" "$LINENO" 5
+    as_fn_error $? "$SHELL $ac_aux_dir/config.sub $host_alias failed" "$LINENO" 5
 fi
 
 fi
@@ -6170,7 +6456,7 @@ fi
 $as_echo "$ac_cv_host" >&6; }
 case $ac_cv_host in
 *-*-*) ;;
-*) as_fn_error "invalid value of canonical host" "$LINENO" 5;;
+*) as_fn_error $? "invalid value of canonical host" "$LINENO" 5 ;;
 esac
 host=$ac_cv_host
 ac_save_IFS=$IFS; IFS='-'
@@ -6187,198 +6473,49 @@ case $host_os in *\ *) host_os=`echo "$host_os" | sed 's/ /-/g'`;; esac
 
 
 
-                  acl_libdirstem=lib
-  searchpath=`(LC_ALL=C $CC -print-search-dirs) 2>/dev/null | sed -n -e 's,^libraries: ,,p' | sed -e 's,^=,,'`
-  if test -n "$searchpath"; then
-    acl_save_IFS="${IFS= 	}"; IFS=":"
-    for searchdir in $searchpath; do
-      if test -d "$searchdir"; then
-        case "$searchdir" in
-          */lib64/ | */lib64 ) acl_libdirstem=lib64 ;;
-          *) searchdir=`cd "$searchdir" && pwd`
-             case "$searchdir" in
-               */lib64 ) acl_libdirstem=lib64 ;;
-             esac ;;
-        esac
-      fi
-    done
-    IFS="$acl_save_IFS"
-  fi
+ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking how to run the C preprocessor" >&5
+$as_echo_n "checking how to run the C preprocessor... " >&6; }
+# On Suns, sometimes $CPP names a directory.
+if test -n "$CPP" && test -d "$CPP"; then
+  CPP=
+fi
+if test -z "$CPP"; then
+  if test "${ac_cv_prog_CPP+set}" = set; then :
+  $as_echo_n "(cached) " >&6
+else
+      # Double quotes because CPP needs to be expanded
+    for CPP in "$CC -E" "$CC -E -traditional-cpp" "/lib/cpp"
+    do
+      ac_preproc_ok=false
+for ac_c_preproc_warn_flag in '' yes
+do
+  # Use a header file that comes with gcc, so configuring glibc
+  # with a fresh cross-compiler works.
+  # Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+  # <limits.h> exists even on freestanding compilers.
+  # On the NeXT, cc -E runs the code through the compiler's parser,
+  # not just through cpp. "Syntax error" is here to catch this case.
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+		     Syntax error
+_ACEOF
+if ac_fn_c_try_cpp "$LINENO"; then :
 
-
-      if test "X$prefix" = "XNONE"; then
-    acl_final_prefix="$ac_default_prefix"
-  else
-    acl_final_prefix="$prefix"
-  fi
-  if test "X$exec_prefix" = "XNONE"; then
-    acl_final_exec_prefix='${prefix}'
-  else
-    acl_final_exec_prefix="$exec_prefix"
-  fi
-  acl_save_prefix="$prefix"
-  prefix="$acl_final_prefix"
-  eval acl_final_exec_prefix=\"$acl_final_exec_prefix\"
-  prefix="$acl_save_prefix"
-
-
-
-
-
-
-
-    use_additional=yes
-
-  acl_save_prefix="$prefix"
-  prefix="$acl_final_prefix"
-  acl_save_exec_prefix="$exec_prefix"
-  exec_prefix="$acl_final_exec_prefix"
-
-    eval additional_includedir=\"$includedir\"
-    eval additional_libdir=\"$libdir\"
-
-  exec_prefix="$acl_save_exec_prefix"
-  prefix="$acl_save_prefix"
-
-
-# Check whether --with-lib-prefix was given.
-if test "${with_lib_prefix+set}" = set; then :
-  withval=$with_lib_prefix;
-    if test "X$withval" = "Xno"; then
-      use_additional=no
-    else
-      if test "X$withval" = "X"; then
-
-  acl_save_prefix="$prefix"
-  prefix="$acl_final_prefix"
-  acl_save_exec_prefix="$exec_prefix"
-  exec_prefix="$acl_final_exec_prefix"
-
-          eval additional_includedir=\"$includedir\"
-          eval additional_libdir=\"$libdir\"
-
-  exec_prefix="$acl_save_exec_prefix"
-  prefix="$acl_save_prefix"
-
-      else
-        additional_includedir="$withval/include"
-        additional_libdir="$withval/$acl_libdirstem"
-      fi
-    fi
-
-fi
-
-  if test $use_additional = yes; then
-                            if test "X$additional_includedir" != "X/usr/include"; then
-      haveit=
-      for x in $CPPFLAGS; do
-
-  acl_save_prefix="$prefix"
-  prefix="$acl_final_prefix"
-  acl_save_exec_prefix="$exec_prefix"
-  exec_prefix="$acl_final_exec_prefix"
-  eval x=\"$x\"
-  exec_prefix="$acl_save_exec_prefix"
-  prefix="$acl_save_prefix"
-
-        if test "X$x" = "X-I$additional_includedir"; then
-          haveit=yes
-          break
-        fi
-      done
-      if test -z "$haveit"; then
-        if test "X$additional_includedir" = "X/usr/local/include"; then
-          if test -n "$GCC"; then
-            case $host_os in
-              linux* | gnu* | k*bsd*-gnu) haveit=yes;;
-            esac
-          fi
-        fi
-        if test -z "$haveit"; then
-          if test -d "$additional_includedir"; then
-                        CPPFLAGS="${CPPFLAGS}${CPPFLAGS:+ }-I$additional_includedir"
-          fi
-        fi
-      fi
-    fi
-                            if test "X$additional_libdir" != "X/usr/$acl_libdirstem"; then
-      haveit=
-      for x in $LDFLAGS; do
-
-  acl_save_prefix="$prefix"
-  prefix="$acl_final_prefix"
-  acl_save_exec_prefix="$exec_prefix"
-  exec_prefix="$acl_final_exec_prefix"
-  eval x=\"$x\"
-  exec_prefix="$acl_save_exec_prefix"
-  prefix="$acl_save_prefix"
-
-        if test "X$x" = "X-L$additional_libdir"; then
-          haveit=yes
-          break
-        fi
-      done
-      if test -z "$haveit"; then
-        if test "X$additional_libdir" = "X/usr/local/$acl_libdirstem"; then
-          if test -n "$GCC"; then
-            case $host_os in
-              linux*) haveit=yes;;
-            esac
-          fi
-        fi
-        if test -z "$haveit"; then
-          if test -d "$additional_libdir"; then
-                        LDFLAGS="${LDFLAGS}${LDFLAGS:+ }-L$additional_libdir"
-          fi
-        fi
-      fi
-    fi
-  fi
-
-
-ac_ext=c
-ac_cpp='$CPP $CPPFLAGS'
-ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
-ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
-ac_compiler_gnu=$ac_cv_c_compiler_gnu
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking how to run the C preprocessor" >&5
-$as_echo_n "checking how to run the C preprocessor... " >&6; }
-# On Suns, sometimes $CPP names a directory.
-if test -n "$CPP" && test -d "$CPP"; then
-  CPP=
-fi
-if test -z "$CPP"; then
-  if test "${ac_cv_prog_CPP+set}" = set; then :
-  $as_echo_n "(cached) " >&6
-else
-      # Double quotes because CPP needs to be expanded
-    for CPP in "$CC -E" "$CC -E -traditional-cpp" "/lib/cpp"
-    do
-      ac_preproc_ok=false
-for ac_c_preproc_warn_flag in '' yes
-do
-  # Use a header file that comes with gcc, so configuring glibc
-  # with a fresh cross-compiler works.
-  # Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
-  # <limits.h> exists even on freestanding compilers.
-  # On the NeXT, cc -E runs the code through the compiler's parser,
-  # not just through cpp. "Syntax error" is here to catch this case.
-  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h.  */
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
-		     Syntax error
-_ACEOF
-if ac_fn_c_try_cpp "$LINENO"; then :
-
-else
-  # Broken: fails on valid input.
-continue
-fi
-rm -f conftest.err conftest.$ac_ext
+else
+  # Broken: fails on valid input.
+continue
+fi
+rm -f conftest.err conftest.i conftest.$ac_ext
 
   # OK, works on sane cases.  Now check whether nonexistent headers
   # can be detected and how.
@@ -6394,11 +6531,11 @@ else
 ac_preproc_ok=:
 break
 fi
-rm -f conftest.err conftest.$ac_ext
+rm -f conftest.err conftest.i conftest.$ac_ext
 
 done
 # Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped.
-rm -f conftest.err conftest.$ac_ext
+rm -f conftest.i conftest.err conftest.$ac_ext
 if $ac_preproc_ok; then :
   break
 fi
@@ -6437,7 +6574,7 @@ else
   # Broken: fails on valid input.
 continue
 fi
-rm -f conftest.err conftest.$ac_ext
+rm -f conftest.err conftest.i conftest.$ac_ext
 
   # OK, works on sane cases.  Now check whether nonexistent headers
   # can be detected and how.
@@ -6453,18 +6590,18 @@ else
 ac_preproc_ok=:
 break
 fi
-rm -f conftest.err conftest.$ac_ext
+rm -f conftest.err conftest.i conftest.$ac_ext
 
 done
 # Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped.
-rm -f conftest.err conftest.$ac_ext
+rm -f conftest.i conftest.err conftest.$ac_ext
 if $ac_preproc_ok; then :
 
 else
   { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
-as_fn_error "C preprocessor \"$CPP\" fails sanity check
-See \`config.log' for more details." "$LINENO" 5; }
+as_fn_error $? "C preprocessor \"$CPP\" fails sanity check
+See \`config.log' for more details" "$LINENO" 5 ; }
 fi
 
 ac_ext=c
@@ -6525,7 +6662,7 @@ esac
   done
 IFS=$as_save_IFS
   if test -z "$ac_cv_path_GREP"; then
-    as_fn_error "no acceptable grep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" "$LINENO" 5
+    as_fn_error $? "no acceptable grep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" "$LINENO" 5
   fi
 else
   ac_cv_path_GREP=$GREP
@@ -6591,7 +6728,7 @@ esac
   done
 IFS=$as_save_IFS
   if test -z "$ac_cv_path_EGREP"; then
-    as_fn_error "no acceptable egrep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" "$LINENO" 5
+    as_fn_error $? "no acceptable egrep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" "$LINENO" 5
   fi
 else
   ac_cv_path_EGREP=$EGREP
@@ -6604,79 +6741,272 @@ $as_echo "$ac_cv_path_EGREP" >&6; }
  EGREP="$ac_cv_path_EGREP"
 
 
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for ANSI C header files" >&5
-$as_echo_n "checking for ANSI C header files... " >&6; }
-if test "${ac_cv_header_stdc+set}" = set; then :
-  $as_echo_n "(cached) " >&6
-else
-  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h.  */
-#include <stdlib.h>
-#include <stdarg.h>
-#include <string.h>
-#include <float.h>
 
-int
-main ()
-{
 
-  ;
-  return 0;
-}
-_ACEOF
-if ac_fn_c_try_compile "$LINENO"; then :
-  ac_cv_header_stdc=yes
+  acl_libdirstem=lib
+  acl_libdirstem2=
+  case "$host_os" in
+    solaris*)
+                                    { $as_echo "$as_me:${as_lineno-$LINENO}: checking for 64-bit host" >&5
+$as_echo_n "checking for 64-bit host... " >&6; }
+if test "${gl_cv_solaris_64bit+set}" = set; then :
+  $as_echo_n "(cached) " >&6
 else
-  ac_cv_header_stdc=no
-fi
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-
-if test $ac_cv_header_stdc = yes; then
-  # SunOS 4.x string.h does not declare mem*, contrary to ANSI.
   cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
-#include <string.h>
+
+#ifdef _LP64
+sixtyfour bits
+#endif
 
 _ACEOF
 if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
-  $EGREP "memchr" >/dev/null 2>&1; then :
-
+  $EGREP "sixtyfour bits" >/dev/null 2>&1; then :
+  gl_cv_solaris_64bit=yes
 else
-  ac_cv_header_stdc=no
+  gl_cv_solaris_64bit=no
 fi
 rm -f conftest*
 
+
 fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $gl_cv_solaris_64bit" >&5
+$as_echo "$gl_cv_solaris_64bit" >&6; }
+      if test $gl_cv_solaris_64bit = yes; then
+        acl_libdirstem=lib/64
+        case "$host_cpu" in
+          sparc*)        acl_libdirstem2=lib/sparcv9 ;;
+          i*86 | x86_64) acl_libdirstem2=lib/amd64 ;;
+        esac
+      fi
+      ;;
+    *)
+      searchpath=`(LC_ALL=C $CC -print-search-dirs) 2>/dev/null | sed -n -e 's,^libraries: ,,p' | sed -e 's,^=,,'`
+      if test -n "$searchpath"; then
+        acl_save_IFS="${IFS= 	}"; IFS=":"
+        for searchdir in $searchpath; do
+          if test -d "$searchdir"; then
+            case "$searchdir" in
+              */lib64/ | */lib64 ) acl_libdirstem=lib64 ;;
+              */../ | */.. )
+                # Better ignore directories of this form. They are misleading.
+                ;;
+              *) searchdir=`cd "$searchdir" && pwd`
+                 case "$searchdir" in
+                   */lib64 ) acl_libdirstem=lib64 ;;
+                 esac ;;
+            esac
+          fi
+        done
+        IFS="$acl_save_IFS"
+      fi
+      ;;
+  esac
+  test -n "$acl_libdirstem2" || acl_libdirstem2="$acl_libdirstem"
 
-if test $ac_cv_header_stdc = yes; then
-  # ISC 2.0.2 stdlib.h does not declare free, contrary to ANSI.
-  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h.  */
-#include <stdlib.h>
 
-_ACEOF
-if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
-  $EGREP "free" >/dev/null 2>&1; then :
+      if test "X$prefix" = "XNONE"; then
+    acl_final_prefix="$ac_default_prefix"
+  else
+    acl_final_prefix="$prefix"
+  fi
+  if test "X$exec_prefix" = "XNONE"; then
+    acl_final_exec_prefix='${prefix}'
+  else
+    acl_final_exec_prefix="$exec_prefix"
+  fi
+  acl_save_prefix="$prefix"
+  prefix="$acl_final_prefix"
+  eval acl_final_exec_prefix=\"$acl_final_exec_prefix\"
+  prefix="$acl_save_prefix"
 
-else
-  ac_cv_header_stdc=no
-fi
-rm -f conftest*
 
-fi
 
-if test $ac_cv_header_stdc = yes; then
-  # /bin/cc in Irix-4.0.5 gets non-ANSI ctype macros unless using -ansi.
-  if test "$cross_compiling" = yes; then :
-  :
-else
-  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h.  */
-#include <ctype.h>
-#include <stdlib.h>
-#if ((' ' & 0x0FF) == 0x020)
-# define ISLOWER(c) ('a' <= (c) && (c) <= 'z')
-# define TOUPPER(c) (ISLOWER(c) ? 'A' + ((c) - 'a') : (c))
+
+
+
+
+    use_additional=yes
+
+  acl_save_prefix="$prefix"
+  prefix="$acl_final_prefix"
+  acl_save_exec_prefix="$exec_prefix"
+  exec_prefix="$acl_final_exec_prefix"
+
+    eval additional_includedir=\"$includedir\"
+    eval additional_libdir=\"$libdir\"
+
+  exec_prefix="$acl_save_exec_prefix"
+  prefix="$acl_save_prefix"
+
+
+# Check whether --with-lib-prefix was given.
+if test "${with_lib_prefix+set}" = set; then :
+  withval=$with_lib_prefix;
+    if test "X$withval" = "Xno"; then
+      use_additional=no
+    else
+      if test "X$withval" = "X"; then
+
+  acl_save_prefix="$prefix"
+  prefix="$acl_final_prefix"
+  acl_save_exec_prefix="$exec_prefix"
+  exec_prefix="$acl_final_exec_prefix"
+
+          eval additional_includedir=\"$includedir\"
+          eval additional_libdir=\"$libdir\"
+
+  exec_prefix="$acl_save_exec_prefix"
+  prefix="$acl_save_prefix"
+
+      else
+        additional_includedir="$withval/include"
+        additional_libdir="$withval/$acl_libdirstem"
+      fi
+    fi
+
+fi
+
+  if test $use_additional = yes; then
+                            if test "X$additional_includedir" != "X/usr/include"; then
+      haveit=
+      for x in $CPPFLAGS; do
+
+  acl_save_prefix="$prefix"
+  prefix="$acl_final_prefix"
+  acl_save_exec_prefix="$exec_prefix"
+  exec_prefix="$acl_final_exec_prefix"
+  eval x=\"$x\"
+  exec_prefix="$acl_save_exec_prefix"
+  prefix="$acl_save_prefix"
+
+        if test "X$x" = "X-I$additional_includedir"; then
+          haveit=yes
+          break
+        fi
+      done
+      if test -z "$haveit"; then
+        if test "X$additional_includedir" = "X/usr/local/include"; then
+          if test -n "$GCC"; then
+            case $host_os in
+              linux* | gnu* | k*bsd*-gnu) haveit=yes;;
+            esac
+          fi
+        fi
+        if test -z "$haveit"; then
+          if test -d "$additional_includedir"; then
+                        CPPFLAGS="${CPPFLAGS}${CPPFLAGS:+ }-I$additional_includedir"
+          fi
+        fi
+      fi
+    fi
+                            if test "X$additional_libdir" != "X/usr/$acl_libdirstem"; then
+      haveit=
+      for x in $LDFLAGS; do
+
+  acl_save_prefix="$prefix"
+  prefix="$acl_final_prefix"
+  acl_save_exec_prefix="$exec_prefix"
+  exec_prefix="$acl_final_exec_prefix"
+  eval x=\"$x\"
+  exec_prefix="$acl_save_exec_prefix"
+  prefix="$acl_save_prefix"
+
+        if test "X$x" = "X-L$additional_libdir"; then
+          haveit=yes
+          break
+        fi
+      done
+      if test -z "$haveit"; then
+        if test "X$additional_libdir" = "X/usr/local/$acl_libdirstem"; then
+          if test -n "$GCC"; then
+            case $host_os in
+              linux*) haveit=yes;;
+            esac
+          fi
+        fi
+        if test -z "$haveit"; then
+          if test -d "$additional_libdir"; then
+                        LDFLAGS="${LDFLAGS}${LDFLAGS:+ }-L$additional_libdir"
+          fi
+        fi
+      fi
+    fi
+  fi
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for ANSI C header files" >&5
+$as_echo_n "checking for ANSI C header files... " >&6; }
+if test "${ac_cv_header_stdc+set}" = set; then :
+  $as_echo_n "(cached) " >&6
+else
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+#include <stdlib.h>
+#include <stdarg.h>
+#include <string.h>
+#include <float.h>
+
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+  ac_cv_header_stdc=yes
+else
+  ac_cv_header_stdc=no
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+
+if test $ac_cv_header_stdc = yes; then
+  # SunOS 4.x string.h does not declare mem*, contrary to ANSI.
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+#include <string.h>
+
+_ACEOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  $EGREP "memchr" >/dev/null 2>&1; then :
+
+else
+  ac_cv_header_stdc=no
+fi
+rm -f conftest*
+
+fi
+
+if test $ac_cv_header_stdc = yes; then
+  # ISC 2.0.2 stdlib.h does not declare free, contrary to ANSI.
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+#include <stdlib.h>
+
+_ACEOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  $EGREP "free" >/dev/null 2>&1; then :
+
+else
+  ac_cv_header_stdc=no
+fi
+rm -f conftest*
+
+fi
+
+if test $ac_cv_header_stdc = yes; then
+  # /bin/cc in Irix-4.0.5 gets non-ANSI ctype macros unless using -ansi.
+  if test "$cross_compiling" = yes; then :
+  :
+else
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+#include <ctype.h>
+#include <stdlib.h>
+#if ((' ' & 0x0FF) == 0x020)
+# define ISLOWER(c) ('a' <= (c) && (c) <= 'z')
+# define TOUPPER(c) (ISLOWER(c) ? 'A' + ((c) - 'a') : (c))
 #else
 # define ISLOWER(c) \
 		   (('a' <= (c) && (c) <= 'i') \
@@ -6723,8 +7053,7 @@ do :
   as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
 ac_fn_c_check_header_compile "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default
 "
-eval as_val=\$$as_ac_Header
-   if test "x$as_val" = x""yes; then :
+if eval test \"x\$"$as_ac_Header"\" = x"yes"; then :
   cat >>confdefs.h <<_ACEOF
 #define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1
 _ACEOF
@@ -6954,8 +7283,8 @@ $as_echo "#define AC_APPLE_UNIVERSAL_BUILD 1" >>confdefs.h
 
      ;; #(
    *)
-     as_fn_error "unknown endianness
- presetting ac_cv_c_bigendian=no (or yes) will help" "$LINENO" 5 ;;
+     as_fn_error $? "unknown endianness
+ presetting ac_cv_c_bigendian=no (or yes) will help" "$LINENO" 5  ;;
  esac
 
 
@@ -7043,7 +7372,7 @@ esac
   done
 IFS=$as_save_IFS
   if test -z "$ac_cv_path_SED"; then
-    as_fn_error "no acceptable sed could be found in \$PATH" "$LINENO" 5
+    as_fn_error $? "no acceptable sed could be found in \$PATH" "$LINENO" 5
   fi
 else
   ac_cv_path_SED=$SED
@@ -7122,7 +7451,7 @@ esac
   done
 IFS=$as_save_IFS
   if test -z "$ac_cv_path_FGREP"; then
-    as_fn_error "no acceptable fgrep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" "$LINENO" 5
+    as_fn_error $? "no acceptable fgrep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" "$LINENO" 5
   fi
 else
   ac_cv_path_FGREP=$FGREP
@@ -7238,7 +7567,7 @@ else
   { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; }
 fi
-test -z "$LD" && as_fn_error "no acceptable ld found in \$PATH" "$LINENO" 5
+test -z "$LD" && as_fn_error $? "no acceptable ld found in \$PATH" "$LINENO" 5
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking if the linker ($LD) is GNU ld" >&5
 $as_echo_n "checking if the linker ($LD) is GNU ld... " >&6; }
 if test "${lt_cv_prog_gnu_ld+set}" = set; then :
@@ -7440,13 +7769,13 @@ if test "${lt_cv_nm_interface+set}" = set; then :
 else
   lt_cv_nm_interface="BSD nm"
   echo "int some_variable = 0;" > conftest.$ac_ext
-  (eval echo "\"\$as_me:7443: $ac_compile\"" >&5)
+  (eval echo "\"\$as_me:7772: $ac_compile\"" >&5)
   (eval "$ac_compile" 2>conftest.err)
   cat conftest.err >&5
-  (eval echo "\"\$as_me:7446: $NM \\\"conftest.$ac_objext\\\"\"" >&5)
+  (eval echo "\"\$as_me:7775: $NM \\\"conftest.$ac_objext\\\"\"" >&5)
   (eval "$NM \"conftest.$ac_objext\"" 2>conftest.err > conftest.out)
   cat conftest.err >&5
-  (eval echo "\"\$as_me:7449: output\"" >&5)
+  (eval echo "\"\$as_me:7778: output\"" >&5)
   cat conftest.out >&5
   if $GREP 'External.*some_variable' conftest.out > /dev/null; then
     lt_cv_nm_interface="MS dumpbin"
@@ -8651,7 +8980,7 @@ ia64-*-hpux*)
   ;;
 *-*-irix6*)
   # Find out which ABI we are using.
-  echo '#line 8654 "configure"' > conftest.$ac_ext
+  echo '#line 8983 "configure"' > conftest.$ac_ext
   if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5
   (eval $ac_compile) 2>&5
   ac_status=$?
@@ -9913,11 +10242,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:9916: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:10245: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:9920: \$? = $ac_status" >&5
+   echo "$as_me:10249: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -10252,11 +10581,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:10255: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:10584: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:10259: \$? = $ac_status" >&5
+   echo "$as_me:10588: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -10357,11 +10686,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:10360: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:10689: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:10364: \$? = $ac_status" >&5
+   echo "$as_me:10693: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -10412,11 +10741,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:10415: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:10744: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:10419: \$? = $ac_status" >&5
+   echo "$as_me:10748: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -12796,7 +13125,7 @@ else
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext <<_LT_EOF
-#line 12799 "configure"
+#line 13128 "configure"
 #include "confdefs.h"
 
 #if HAVE_DLFCN_H
@@ -12892,7 +13221,7 @@ else
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext <<_LT_EOF
-#line 12895 "configure"
+#line 13224 "configure"
 #include "confdefs.h"
 
 #if HAVE_DLFCN_H
@@ -13173,7 +13502,7 @@ esac
   done
 IFS=$as_save_IFS
   if test -z "$ac_cv_path_EGREP"; then
-    as_fn_error "no acceptable egrep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" "$LINENO" 5
+    as_fn_error $? "no acceptable egrep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" "$LINENO" 5
   fi
 else
   ac_cv_path_EGREP=$EGREP
@@ -13313,7 +13642,7 @@ if test -f lex.yy.c; then
 elif test -f lexyy.c; then
   ac_cv_prog_lex_root=lexyy
 else
-  as_fn_error "cannot find output from $LEX; giving up" "$LINENO" 5
+  as_fn_error $? "cannot find output from $LEX; giving up" "$LINENO" 5
 fi
 fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_lex_root" >&5
@@ -13534,7 +13863,7 @@ if test -n "$ipsecuid"; then
 $as_echo "$ipsecuid" >&6; }
 
 else
-	as_fn_error "not found" "$LINENO" 5
+	as_fn_error $? "not found" "$LINENO" 5
 fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for gid of group \"$ipsecgroup\"" >&5
 $as_echo_n "checking for gid of group \"$ipsecgroup\"... " >&6; }
@@ -13544,7 +13873,7 @@ if test -n "$ipsecgid"; then
 $as_echo "$ipsecgid" >&6; }
 
 else
-	as_fn_error "not found" "$LINENO" 5
+	as_fn_error $? "not found" "$LINENO" 5
 fi
 
 
@@ -13562,6 +13891,10 @@ if test x$eap_sim = xtrue; then
 	simaka=true;
 fi
 
+if test x$eap_tls = xtrue -o x$eap_ttls = xtrue; then
+	tls=true;
+fi
+
 if test x$fips_prf = xtrue; then
 	if test x$openssl = xfalse; then
 		sha1=true;
@@ -13834,8 +14167,7 @@ if test $ac_cv_os_cray = yes; then
   for ac_func in _getb67 GETB67 getb67; do
     as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
 ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
-eval as_val=\$$as_ac_var
-   if test "x$as_val" = x""yes; then :
+if eval test \"x\$"$as_ac_var"\" = x"yes"; then :
 
 cat >>confdefs.h <<_ACEOF
 #define CRAY_STACKSEG_END $ac_func
@@ -14414,8 +14746,7 @@ for ac_header in net/pfkeyv2.h netipsec/ipsec.h netinet6/ipsec.h linux/udp.h
 do :
   as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
 ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default"
-eval as_val=\$$as_ac_Header
-   if test "x$as_val" = x""yes; then :
+if eval test \"x\$"$as_ac_Header"\" = x"yes"; then :
   cat >>confdefs.h <<_ACEOF
 #define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1
 _ACEOF
@@ -14672,7 +15003,7 @@ $as_echo "$ac_cv_lib_vstr_main" >&6; }
 if test "x$ac_cv_lib_vstr_main" = x""yes; then :
   LIBS="$LIBS"
 else
-  as_fn_error "Vstr string library not found" "$LINENO" 5
+  as_fn_error $? "Vstr string library not found" "$LINENO" 5
 fi
 ac_cv_lib_vstr=ac_cv_lib_vstr_main
 
@@ -14720,7 +15051,7 @@ _ACEOF
   LIBS="-lgmp $LIBS"
 
 else
-  as_fn_error "GNU Multi Precision library gmp not found" "$LINENO" 5
+  as_fn_error $? "GNU Multi Precision library gmp not found" "$LINENO" 5
 fi
 ac_cv_lib_gmp=ac_cv_lib_gmp_main
 
@@ -14777,7 +15108,7 @@ if ac_fn_c_try_compile "$LINENO"; then :
 $as_echo "yes" >&6; }
 else
   { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-$as_echo "no" >&6; }; as_fn_error "No usable gmp.h found!" "$LINENO" 5
+$as_echo "no" >&6; }; as_fn_error $? "No usable gmp.h found!" "$LINENO" 5
 
 fi
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
@@ -14817,7 +15148,7 @@ $as_echo "$ac_cv_lib_ldap_main" >&6; }
 if test "x$ac_cv_lib_ldap_main" = x""yes; then :
   LIBS="$LIBS"
 else
-  as_fn_error "LDAP library ldap not found" "$LINENO" 5
+  as_fn_error $? "LDAP library ldap not found" "$LINENO" 5
 fi
 ac_cv_lib_ldap=ac_cv_lib_ldap_main
 
@@ -14854,7 +15185,7 @@ $as_echo "$ac_cv_lib_lber_main" >&6; }
 if test "x$ac_cv_lib_lber_main" = x""yes; then :
   LIBS="$LIBS"
 else
-  as_fn_error "LDAP library lber not found" "$LINENO" 5
+  as_fn_error $? "LDAP library lber not found" "$LINENO" 5
 fi
 ac_cv_lib_lber=ac_cv_lib_lber_main
 
@@ -14862,7 +15193,7 @@ ac_cv_lib_lber=ac_cv_lib_lber_main
 if test "x$ac_cv_header_ldap_h" = x""yes; then :
 
 else
-  as_fn_error "LDAP header ldap.h not found!" "$LINENO" 5
+  as_fn_error $? "LDAP header ldap.h not found!" "$LINENO" 5
 fi
 
 
@@ -14902,7 +15233,7 @@ $as_echo "$ac_cv_lib_curl_main" >&6; }
 if test "x$ac_cv_lib_curl_main" = x""yes; then :
   LIBS="$LIBS"
 else
-  as_fn_error "CURL library curl not found" "$LINENO" 5
+  as_fn_error $? "CURL library curl not found" "$LINENO" 5
 fi
 ac_cv_lib_curl=ac_cv_lib_curl_main
 
@@ -14910,7 +15241,7 @@ ac_cv_lib_curl=ac_cv_lib_curl_main
 if test "x$ac_cv_header_curl_curl_h" = x""yes; then :
 
 else
-  as_fn_error "CURL header curl/curl.h not found!" "$LINENO" 5
+  as_fn_error $? "CURL header curl/curl.h not found!" "$LINENO" 5
 fi
 
 
@@ -14922,11 +15253,10 @@ pkg_failed=no
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for xml" >&5
 $as_echo_n "checking for xml... " >&6; }
 
-if test -n "$PKG_CONFIG"; then
-    if test -n "$xml_CFLAGS"; then
-        pkg_cv_xml_CFLAGS="$xml_CFLAGS"
-    else
-        if test -n "$PKG_CONFIG" && \
+if test -n "$xml_CFLAGS"; then
+    pkg_cv_xml_CFLAGS="$xml_CFLAGS"
+ elif test -n "$PKG_CONFIG"; then
+    if test -n "$PKG_CONFIG" && \
     { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libxml-2.0\""; } >&5
   ($PKG_CONFIG --exists --print-errors "libxml-2.0") 2>&5
   ac_status=$?
@@ -14936,15 +15266,13 @@ if test -n "$PKG_CONFIG"; then
 else
   pkg_failed=yes
 fi
-    fi
-else
-	pkg_failed=untried
+ else
+    pkg_failed=untried
 fi
-if test -n "$PKG_CONFIG"; then
-    if test -n "$xml_LIBS"; then
-        pkg_cv_xml_LIBS="$xml_LIBS"
-    else
-        if test -n "$PKG_CONFIG" && \
+if test -n "$xml_LIBS"; then
+    pkg_cv_xml_LIBS="$xml_LIBS"
+ elif test -n "$PKG_CONFIG"; then
+    if test -n "$PKG_CONFIG" && \
     { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libxml-2.0\""; } >&5
   ($PKG_CONFIG --exists --print-errors "libxml-2.0") 2>&5
   ac_status=$?
@@ -14954,14 +15282,15 @@ if test -n "$PKG_CONFIG"; then
 else
   pkg_failed=yes
 fi
-    fi
-else
-	pkg_failed=untried
+ else
+    pkg_failed=untried
 fi
 
 
 
 if test $pkg_failed = yes; then
+   	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
 
 if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
         _pkg_short_errors_supported=yes
@@ -14969,14 +15298,14 @@ else
         _pkg_short_errors_supported=no
 fi
         if test $_pkg_short_errors_supported = yes; then
-	        xml_PKG_ERRORS=`$PKG_CONFIG --short-errors --errors-to-stdout --print-errors "libxml-2.0"`
+	        xml_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors "libxml-2.0" 2>&1`
         else
-	        xml_PKG_ERRORS=`$PKG_CONFIG --errors-to-stdout --print-errors "libxml-2.0"`
+	        xml_PKG_ERRORS=`$PKG_CONFIG --print-errors "libxml-2.0" 2>&1`
         fi
 	# Put the nasty error message in config.log where it belongs
 	echo "$xml_PKG_ERRORS" >&5
 
-	as_fn_error "Package requirements (libxml-2.0) were not met:
+	as_fn_error $? "Package requirements (libxml-2.0) were not met:
 
 $xml_PKG_ERRORS
 
@@ -14985,12 +15314,13 @@ installed software in a non-standard prefix.
 
 Alternatively, you may set the environment variables xml_CFLAGS
 and xml_LIBS to avoid the need to call pkg-config.
-See the pkg-config man page for more details.
-" "$LINENO" 5
+See the pkg-config man page for more details." "$LINENO" 5
 elif test $pkg_failed = untried; then
+     	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
 	{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
-as_fn_error "The pkg-config script could not be found or is too old.  Make sure it
+as_fn_error $? "The pkg-config script could not be found or is too old.  Make sure it
 is in your PATH or set the PKG_CONFIG environment variable to the full
 path to pkg-config.
 
@@ -14999,13 +15329,13 @@ and xml_LIBS to avoid the need to call pkg-config.
 See the pkg-config man page for more details.
 
 To get pkg-config, see <http://pkg-config.freedesktop.org/>.
-See \`config.log' for more details." "$LINENO" 5; }
+See \`config.log' for more details" "$LINENO" 5 ; }
 else
 	xml_CFLAGS=$pkg_cv_xml_CFLAGS
 	xml_LIBS=$pkg_cv_xml_LIBS
         { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
 $as_echo "yes" >&6; }
-	:
+
 fi
 
 
@@ -15017,11 +15347,10 @@ pkg_failed=no
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for gtk" >&5
 $as_echo_n "checking for gtk... " >&6; }
 
-if test -n "$PKG_CONFIG"; then
-    if test -n "$gtk_CFLAGS"; then
-        pkg_cv_gtk_CFLAGS="$gtk_CFLAGS"
-    else
-        if test -n "$PKG_CONFIG" && \
+if test -n "$gtk_CFLAGS"; then
+    pkg_cv_gtk_CFLAGS="$gtk_CFLAGS"
+ elif test -n "$PKG_CONFIG"; then
+    if test -n "$PKG_CONFIG" && \
     { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"gtk+-2.0 vte\""; } >&5
   ($PKG_CONFIG --exists --print-errors "gtk+-2.0 vte") 2>&5
   ac_status=$?
@@ -15031,15 +15360,13 @@ if test -n "$PKG_CONFIG"; then
 else
   pkg_failed=yes
 fi
-    fi
-else
-	pkg_failed=untried
+ else
+    pkg_failed=untried
 fi
-if test -n "$PKG_CONFIG"; then
-    if test -n "$gtk_LIBS"; then
-        pkg_cv_gtk_LIBS="$gtk_LIBS"
-    else
-        if test -n "$PKG_CONFIG" && \
+if test -n "$gtk_LIBS"; then
+    pkg_cv_gtk_LIBS="$gtk_LIBS"
+ elif test -n "$PKG_CONFIG"; then
+    if test -n "$PKG_CONFIG" && \
     { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"gtk+-2.0 vte\""; } >&5
   ($PKG_CONFIG --exists --print-errors "gtk+-2.0 vte") 2>&5
   ac_status=$?
@@ -15049,14 +15376,15 @@ if test -n "$PKG_CONFIG"; then
 else
   pkg_failed=yes
 fi
-    fi
-else
-	pkg_failed=untried
+ else
+    pkg_failed=untried
 fi
 
 
 
 if test $pkg_failed = yes; then
+   	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
 
 if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
         _pkg_short_errors_supported=yes
@@ -15064,14 +15392,14 @@ else
         _pkg_short_errors_supported=no
 fi
         if test $_pkg_short_errors_supported = yes; then
-	        gtk_PKG_ERRORS=`$PKG_CONFIG --short-errors --errors-to-stdout --print-errors "gtk+-2.0 vte"`
+	        gtk_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors "gtk+-2.0 vte" 2>&1`
         else
-	        gtk_PKG_ERRORS=`$PKG_CONFIG --errors-to-stdout --print-errors "gtk+-2.0 vte"`
+	        gtk_PKG_ERRORS=`$PKG_CONFIG --print-errors "gtk+-2.0 vte" 2>&1`
         fi
 	# Put the nasty error message in config.log where it belongs
 	echo "$gtk_PKG_ERRORS" >&5
 
-	as_fn_error "Package requirements (gtk+-2.0 vte) were not met:
+	as_fn_error $? "Package requirements (gtk+-2.0 vte) were not met:
 
 $gtk_PKG_ERRORS
 
@@ -15080,12 +15408,13 @@ installed software in a non-standard prefix.
 
 Alternatively, you may set the environment variables gtk_CFLAGS
 and gtk_LIBS to avoid the need to call pkg-config.
-See the pkg-config man page for more details.
-" "$LINENO" 5
+See the pkg-config man page for more details." "$LINENO" 5
 elif test $pkg_failed = untried; then
+     	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
 	{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
-as_fn_error "The pkg-config script could not be found or is too old.  Make sure it
+as_fn_error $? "The pkg-config script could not be found or is too old.  Make sure it
 is in your PATH or set the PKG_CONFIG environment variable to the full
 path to pkg-config.
 
@@ -15094,13 +15423,13 @@ and gtk_LIBS to avoid the need to call pkg-config.
 See the pkg-config man page for more details.
 
 To get pkg-config, see <http://pkg-config.freedesktop.org/>.
-See \`config.log' for more details." "$LINENO" 5; }
+See \`config.log' for more details" "$LINENO" 5 ; }
 else
 	gtk_CFLAGS=$pkg_cv_gtk_CFLAGS
 	gtk_LIBS=$pkg_cv_gtk_LIBS
         { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
 $as_echo "yes" >&6; }
-	:
+
 fi
 
 
@@ -15162,14 +15491,14 @@ $as_echo "$i" >&6; }
 				fi
 			done
 			if test x"$RUBYINCLUDE" = xnone; then
-				as_fn_error "ruby.h not found" "$LINENO" 5
+				as_fn_error $? "ruby.h not found" "$LINENO" 5
 			fi
 
 		else
-			as_fn_error "unable to determine ruby configuration" "$LINENO" 5
+			as_fn_error $? "unable to determine ruby configuration" "$LINENO" 5
 		fi
 	else
-		as_fn_error "don't know how to run ruby" "$LINENO" 5
+		as_fn_error $? "don't know how to run ruby" "$LINENO" 5
 	fi
 fi
 
@@ -15207,7 +15536,7 @@ $as_echo "$ac_cv_lib_neo_cgi_main" >&6; }
 if test "x$ac_cv_lib_neo_cgi_main" = x""yes; then :
   LIBS="$LIBS"
 else
-  as_fn_error "ClearSilver library neo_cgi not found!" "$LINENO" 5
+  as_fn_error $? "ClearSilver library neo_cgi not found!" "$LINENO" 5
 fi
 ac_cv_lib_neo_cgi=ac_cv_lib_neo_cgi_main
 
@@ -15244,7 +15573,7 @@ $as_echo "$ac_cv_lib_neo_utl_main" >&6; }
 if test "x$ac_cv_lib_neo_utl_main" = x""yes; then :
   LIBS="$LIBS"
 else
-  as_fn_error "ClearSilver library neo_utl not found!" "$LINENO" 5
+  as_fn_error $? "ClearSilver library neo_utl not found!" "$LINENO" 5
 fi
 ac_cv_lib_neo_utl=ac_cv_lib_neo_utl_main
 
@@ -15281,7 +15610,7 @@ $as_echo "$ac_cv_lib_z_main" >&6; }
 if test "x$ac_cv_lib_z_main" = x""yes; then :
   LIBS="$LIBS"
 else
-  as_fn_error "ClearSilver dependency zlib not found!" "$LINENO" 5
+  as_fn_error $? "ClearSilver dependency zlib not found!" "$LINENO" 5
 fi
 ac_cv_lib_z=ac_cv_lib_z_main
 
@@ -15319,7 +15648,7 @@ $as_echo "$ac_cv_lib_fcgi_main" >&6; }
 if test "x$ac_cv_lib_fcgi_main" = x""yes; then :
   LIBS="$LIBS"
 else
-  as_fn_error "FastCGI library fcgi not found!" "$LINENO" 5
+  as_fn_error $? "FastCGI library fcgi not found!" "$LINENO" 5
 fi
 ac_cv_lib_fcgi=ac_cv_lib_fcgi_main
 
@@ -15327,7 +15656,7 @@ ac_cv_lib_fcgi=ac_cv_lib_fcgi_main
 if test "x$ac_cv_header_fcgiapp_h" = x""yes; then :
 
 else
-  as_fn_error "FastCGI header file fcgiapp.h not found!" "$LINENO" 5
+  as_fn_error $? "FastCGI header file fcgiapp.h not found!" "$LINENO" 5
 fi
 
 
@@ -15376,7 +15705,7 @@ fi
 
 
 	if test x$MYSQLCONFIG = x; then
-		as_fn_error "mysql_config not found!" "$LINENO" 5
+		as_fn_error $? "mysql_config not found!" "$LINENO" 5
 	fi
 	MYSQLLIB=`$MYSQLCONFIG --libs_r`
 
@@ -15418,7 +15747,7 @@ $as_echo "$ac_cv_lib_sqlite3_main" >&6; }
 if test "x$ac_cv_lib_sqlite3_main" = x""yes; then :
   LIBS="$LIBS"
 else
-  as_fn_error "SQLite library sqlite3 not found" "$LINENO" 5
+  as_fn_error $? "SQLite library sqlite3 not found" "$LINENO" 5
 fi
 ac_cv_lib_sqlite3=ac_cv_lib_sqlite3_main
 
@@ -15426,7 +15755,7 @@ ac_cv_lib_sqlite3=ac_cv_lib_sqlite3_main
 if test "x$ac_cv_header_sqlite3_h" = x""yes; then :
 
 else
-  as_fn_error "SQLite header sqlite3.h not found!" "$LINENO" 5
+  as_fn_error $? "SQLite header sqlite3.h not found!" "$LINENO" 5
 fi
 
 
@@ -15478,7 +15807,7 @@ if ac_fn_c_try_compile "$LINENO"; then :
 $as_echo "yes" >&6; }
 else
   { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-$as_echo "no" >&6; }; as_fn_error "SQLite version >= 3.3.1 required!" "$LINENO" 5
+$as_echo "no" >&6; }; as_fn_error $? "SQLite version >= 3.3.1 required!" "$LINENO" 5
 fi
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
@@ -15517,7 +15846,7 @@ $as_echo "$ac_cv_lib_crypto_main" >&6; }
 if test "x$ac_cv_lib_crypto_main" = x""yes; then :
   LIBS="$LIBS"
 else
-  as_fn_error "OpenSSL crypto library not found" "$LINENO" 5
+  as_fn_error $? "OpenSSL crypto library not found" "$LINENO" 5
 fi
 ac_cv_lib_crypto=ac_cv_lib_crypto_main
 
@@ -15525,7 +15854,7 @@ ac_cv_lib_crypto=ac_cv_lib_crypto_main
 if test "x$ac_cv_header_openssl_evp_h" = x""yes; then :
 
 else
-  as_fn_error "OpenSSL header openssl/evp.h not found!" "$LINENO" 5
+  as_fn_error $? "OpenSSL header openssl/evp.h not found!" "$LINENO" 5
 fi
 
 
@@ -15565,7 +15894,7 @@ $as_echo "$ac_cv_lib_gcrypt_main" >&6; }
 if test "x$ac_cv_lib_gcrypt_main" = x""yes; then :
   LIBS="$LIBS"
 else
-  as_fn_error "gcrypt library not found" "$LINENO" 5
+  as_fn_error $? "gcrypt library not found" "$LINENO" 5
 fi
 ac_cv_lib_gcrypt=ac_cv_lib_gcrypt_main
 
@@ -15573,7 +15902,7 @@ ac_cv_lib_gcrypt=ac_cv_lib_gcrypt_main
 if test "x$ac_cv_header_gcrypt_h" = x""yes; then :
 
 else
-  as_fn_error "gcrypt header gcrypt.h not found!" "$LINENO" 5
+  as_fn_error $? "gcrypt header gcrypt.h not found!" "$LINENO" 5
 fi
 
 
@@ -15602,6 +15931,17 @@ fi
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
 
+if test x$tnccs_11 = xtrue -o x$tnc_imc = xtrue -o x$tnc_imv = xtrue; then
+	ac_fn_c_check_header_mongrel "$LINENO" "libtnc.h" "ac_cv_header_libtnc_h" "$ac_includes_default"
+if test "x$ac_cv_header_libtnc_h" = x""yes; then :
+
+else
+  as_fn_error $? "libtnc header libtnc.h not found!" "$LINENO" 5
+fi
+
+
+fi
+
 if test x$uci = xtrue; then
 	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -luci" >&5
 $as_echo_n "checking for main in -luci... " >&6; }
@@ -15636,7 +15976,7 @@ $as_echo "$ac_cv_lib_uci_main" >&6; }
 if test "x$ac_cv_lib_uci_main" = x""yes; then :
   LIBS="$LIBS"
 else
-  as_fn_error "UCI library libuci not found" "$LINENO" 5
+  as_fn_error $? "UCI library libuci not found" "$LINENO" 5
 fi
 ac_cv_lib_uci=ac_cv_lib_uci_main
 
@@ -15644,7 +15984,7 @@ ac_cv_lib_uci=ac_cv_lib_uci_main
 if test "x$ac_cv_header_uci_h" = x""yes; then :
 
 else
-  as_fn_error "UCI header uci.h not found!" "$LINENO" 5
+  as_fn_error $? "UCI header uci.h not found!" "$LINENO" 5
 fi
 
 
@@ -15684,7 +16024,7 @@ $as_echo "$ac_cv_lib_cutils_main" >&6; }
 if test "x$ac_cv_lib_cutils_main" = x""yes; then :
   LIBS="$LIBS"
 else
-  as_fn_error "Android library libcutils not found" "$LINENO" 5
+  as_fn_error $? "Android library libcutils not found" "$LINENO" 5
 fi
 ac_cv_lib_cutils=ac_cv_lib_cutils_main
 
@@ -15692,7 +16032,7 @@ ac_cv_lib_cutils=ac_cv_lib_cutils_main
 if test "x$ac_cv_header_cutils_properties_h" = x""yes; then :
 
 else
-  as_fn_error "Android header cutils/properties.h not found!" "$LINENO" 5
+  as_fn_error $? "Android header cutils/properties.h not found!" "$LINENO" 5
 fi
 
 
@@ -15700,58 +16040,50 @@ fi
 
 fi
 
-if test x$nm = xtrue; then
-	if test -n "$PKG_CONFIG" && \
-    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libnm-glib\""; } >&5
-  ($PKG_CONFIG --exists --print-errors "libnm-glib") 2>&5
-  ac_status=$?
-  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
-  test $ac_status = 0; }; then
+if test x$maemo = xtrue; then
 
 pkg_failed=no
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for nm" >&5
-$as_echo_n "checking for nm... " >&6; }
-
-if test -n "$PKG_CONFIG"; then
-    if test -n "$nm_CFLAGS"; then
-        pkg_cv_nm_CFLAGS="$nm_CFLAGS"
-    else
-        if test -n "$PKG_CONFIG" && \
-    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"NetworkManager gthread-2.0 libnm-glib libnm-glib-vpn\""; } >&5
-  ($PKG_CONFIG --exists --print-errors "NetworkManager gthread-2.0 libnm-glib libnm-glib-vpn") 2>&5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for maemo" >&5
+$as_echo_n "checking for maemo... " >&6; }
+
+if test -n "$maemo_CFLAGS"; then
+    pkg_cv_maemo_CFLAGS="$maemo_CFLAGS"
+ elif test -n "$PKG_CONFIG"; then
+    if test -n "$PKG_CONFIG" && \
+    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"glib-2.0 gthread-2.0 libosso osso-af-settings\""; } >&5
+  ($PKG_CONFIG --exists --print-errors "glib-2.0 gthread-2.0 libosso osso-af-settings") 2>&5
   ac_status=$?
   $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
   test $ac_status = 0; }; then
-  pkg_cv_nm_CFLAGS=`$PKG_CONFIG --cflags "NetworkManager gthread-2.0 libnm-glib libnm-glib-vpn" 2>/dev/null`
+  pkg_cv_maemo_CFLAGS=`$PKG_CONFIG --cflags "glib-2.0 gthread-2.0 libosso osso-af-settings" 2>/dev/null`
 else
   pkg_failed=yes
 fi
-    fi
-else
-	pkg_failed=untried
+ else
+    pkg_failed=untried
 fi
-if test -n "$PKG_CONFIG"; then
-    if test -n "$nm_LIBS"; then
-        pkg_cv_nm_LIBS="$nm_LIBS"
-    else
-        if test -n "$PKG_CONFIG" && \
-    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"NetworkManager gthread-2.0 libnm-glib libnm-glib-vpn\""; } >&5
-  ($PKG_CONFIG --exists --print-errors "NetworkManager gthread-2.0 libnm-glib libnm-glib-vpn") 2>&5
+if test -n "$maemo_LIBS"; then
+    pkg_cv_maemo_LIBS="$maemo_LIBS"
+ elif test -n "$PKG_CONFIG"; then
+    if test -n "$PKG_CONFIG" && \
+    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"glib-2.0 gthread-2.0 libosso osso-af-settings\""; } >&5
+  ($PKG_CONFIG --exists --print-errors "glib-2.0 gthread-2.0 libosso osso-af-settings") 2>&5
   ac_status=$?
   $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
   test $ac_status = 0; }; then
-  pkg_cv_nm_LIBS=`$PKG_CONFIG --libs "NetworkManager gthread-2.0 libnm-glib libnm-glib-vpn" 2>/dev/null`
+  pkg_cv_maemo_LIBS=`$PKG_CONFIG --libs "glib-2.0 gthread-2.0 libosso osso-af-settings" 2>/dev/null`
 else
   pkg_failed=yes
 fi
-    fi
-else
-	pkg_failed=untried
+ else
+    pkg_failed=untried
 fi
 
 
 
 if test $pkg_failed = yes; then
+   	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
 
 if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
         _pkg_short_errors_supported=yes
@@ -15759,43 +16091,146 @@ else
         _pkg_short_errors_supported=no
 fi
         if test $_pkg_short_errors_supported = yes; then
-	        nm_PKG_ERRORS=`$PKG_CONFIG --short-errors --errors-to-stdout --print-errors "NetworkManager gthread-2.0 libnm-glib libnm-glib-vpn"`
+	        maemo_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors "glib-2.0 gthread-2.0 libosso osso-af-settings" 2>&1`
         else
-	        nm_PKG_ERRORS=`$PKG_CONFIG --errors-to-stdout --print-errors "NetworkManager gthread-2.0 libnm-glib libnm-glib-vpn"`
+	        maemo_PKG_ERRORS=`$PKG_CONFIG --print-errors "glib-2.0 gthread-2.0 libosso osso-af-settings" 2>&1`
         fi
 	# Put the nasty error message in config.log where it belongs
-	echo "$nm_PKG_ERRORS" >&5
+	echo "$maemo_PKG_ERRORS" >&5
 
-	as_fn_error "Package requirements (NetworkManager gthread-2.0 libnm-glib libnm-glib-vpn) were not met:
+	as_fn_error $? "Package requirements (glib-2.0 gthread-2.0 libosso osso-af-settings) were not met:
 
-$nm_PKG_ERRORS
+$maemo_PKG_ERRORS
 
 Consider adjusting the PKG_CONFIG_PATH environment variable if you
 installed software in a non-standard prefix.
 
-Alternatively, you may set the environment variables nm_CFLAGS
-and nm_LIBS to avoid the need to call pkg-config.
-See the pkg-config man page for more details.
-" "$LINENO" 5
+Alternatively, you may set the environment variables maemo_CFLAGS
+and maemo_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details." "$LINENO" 5
 elif test $pkg_failed = untried; then
+     	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
 	{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
-as_fn_error "The pkg-config script could not be found or is too old.  Make sure it
+as_fn_error $? "The pkg-config script could not be found or is too old.  Make sure it
 is in your PATH or set the PKG_CONFIG environment variable to the full
 path to pkg-config.
 
-Alternatively, you may set the environment variables nm_CFLAGS
-and nm_LIBS to avoid the need to call pkg-config.
+Alternatively, you may set the environment variables maemo_CFLAGS
+and maemo_LIBS to avoid the need to call pkg-config.
 See the pkg-config man page for more details.
 
 To get pkg-config, see <http://pkg-config.freedesktop.org/>.
-See \`config.log' for more details." "$LINENO" 5; }
+See \`config.log' for more details" "$LINENO" 5 ; }
 else
-	nm_CFLAGS=$pkg_cv_nm_CFLAGS
-	nm_LIBS=$pkg_cv_nm_LIBS
+	maemo_CFLAGS=$pkg_cv_maemo_CFLAGS
+	maemo_LIBS=$pkg_cv_maemo_LIBS
         { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
 $as_echo "yes" >&6; }
-	:
+
+fi
+
+
+	dbusservicedir="/usr/share/dbus-1/system-services"
+
+fi
+
+if test x$nm = xtrue; then
+	if test -n "$PKG_CONFIG" && \
+    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libnm-glib\""; } >&5
+  ($PKG_CONFIG --exists --print-errors "libnm-glib") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; then
+
+pkg_failed=no
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for nm" >&5
+$as_echo_n "checking for nm... " >&6; }
+
+if test -n "$nm_CFLAGS"; then
+    pkg_cv_nm_CFLAGS="$nm_CFLAGS"
+ elif test -n "$PKG_CONFIG"; then
+    if test -n "$PKG_CONFIG" && \
+    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"NetworkManager gthread-2.0 libnm-glib libnm-glib-vpn\""; } >&5
+  ($PKG_CONFIG --exists --print-errors "NetworkManager gthread-2.0 libnm-glib libnm-glib-vpn") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; then
+  pkg_cv_nm_CFLAGS=`$PKG_CONFIG --cflags "NetworkManager gthread-2.0 libnm-glib libnm-glib-vpn" 2>/dev/null`
+else
+  pkg_failed=yes
+fi
+ else
+    pkg_failed=untried
+fi
+if test -n "$nm_LIBS"; then
+    pkg_cv_nm_LIBS="$nm_LIBS"
+ elif test -n "$PKG_CONFIG"; then
+    if test -n "$PKG_CONFIG" && \
+    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"NetworkManager gthread-2.0 libnm-glib libnm-glib-vpn\""; } >&5
+  ($PKG_CONFIG --exists --print-errors "NetworkManager gthread-2.0 libnm-glib libnm-glib-vpn") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; then
+  pkg_cv_nm_LIBS=`$PKG_CONFIG --libs "NetworkManager gthread-2.0 libnm-glib libnm-glib-vpn" 2>/dev/null`
+else
+  pkg_failed=yes
+fi
+ else
+    pkg_failed=untried
+fi
+
+
+
+if test $pkg_failed = yes; then
+   	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+
+if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
+        _pkg_short_errors_supported=yes
+else
+        _pkg_short_errors_supported=no
+fi
+        if test $_pkg_short_errors_supported = yes; then
+	        nm_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors "NetworkManager gthread-2.0 libnm-glib libnm-glib-vpn" 2>&1`
+        else
+	        nm_PKG_ERRORS=`$PKG_CONFIG --print-errors "NetworkManager gthread-2.0 libnm-glib libnm-glib-vpn" 2>&1`
+        fi
+	# Put the nasty error message in config.log where it belongs
+	echo "$nm_PKG_ERRORS" >&5
+
+	as_fn_error $? "Package requirements (NetworkManager gthread-2.0 libnm-glib libnm-glib-vpn) were not met:
+
+$nm_PKG_ERRORS
+
+Consider adjusting the PKG_CONFIG_PATH environment variable if you
+installed software in a non-standard prefix.
+
+Alternatively, you may set the environment variables nm_CFLAGS
+and nm_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details." "$LINENO" 5
+elif test $pkg_failed = untried; then
+     	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+	{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error $? "The pkg-config script could not be found or is too old.  Make sure it
+is in your PATH or set the PKG_CONFIG environment variable to the full
+path to pkg-config.
+
+Alternatively, you may set the environment variables nm_CFLAGS
+and nm_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details.
+
+To get pkg-config, see <http://pkg-config.freedesktop.org/>.
+See \`config.log' for more details" "$LINENO" 5 ; }
+else
+	nm_CFLAGS=$pkg_cv_nm_CFLAGS
+	nm_LIBS=$pkg_cv_nm_LIBS
+        { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+
 fi
 else
 
@@ -15803,11 +16238,10 @@ pkg_failed=no
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for nm" >&5
 $as_echo_n "checking for nm... " >&6; }
 
-if test -n "$PKG_CONFIG"; then
-    if test -n "$nm_CFLAGS"; then
-        pkg_cv_nm_CFLAGS="$nm_CFLAGS"
-    else
-        if test -n "$PKG_CONFIG" && \
+if test -n "$nm_CFLAGS"; then
+    pkg_cv_nm_CFLAGS="$nm_CFLAGS"
+ elif test -n "$PKG_CONFIG"; then
+    if test -n "$PKG_CONFIG" && \
     { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"NetworkManager gthread-2.0 libnm_glib libnm_glib_vpn\""; } >&5
   ($PKG_CONFIG --exists --print-errors "NetworkManager gthread-2.0 libnm_glib libnm_glib_vpn") 2>&5
   ac_status=$?
@@ -15817,15 +16251,13 @@ if test -n "$PKG_CONFIG"; then
 else
   pkg_failed=yes
 fi
-    fi
-else
-	pkg_failed=untried
+ else
+    pkg_failed=untried
 fi
-if test -n "$PKG_CONFIG"; then
-    if test -n "$nm_LIBS"; then
-        pkg_cv_nm_LIBS="$nm_LIBS"
-    else
-        if test -n "$PKG_CONFIG" && \
+if test -n "$nm_LIBS"; then
+    pkg_cv_nm_LIBS="$nm_LIBS"
+ elif test -n "$PKG_CONFIG"; then
+    if test -n "$PKG_CONFIG" && \
     { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"NetworkManager gthread-2.0 libnm_glib libnm_glib_vpn\""; } >&5
   ($PKG_CONFIG --exists --print-errors "NetworkManager gthread-2.0 libnm_glib libnm_glib_vpn") 2>&5
   ac_status=$?
@@ -15835,14 +16267,15 @@ if test -n "$PKG_CONFIG"; then
 else
   pkg_failed=yes
 fi
-    fi
-else
-	pkg_failed=untried
+ else
+    pkg_failed=untried
 fi
 
 
 
 if test $pkg_failed = yes; then
+   	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
 
 if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
         _pkg_short_errors_supported=yes
@@ -15850,14 +16283,14 @@ else
         _pkg_short_errors_supported=no
 fi
         if test $_pkg_short_errors_supported = yes; then
-	        nm_PKG_ERRORS=`$PKG_CONFIG --short-errors --errors-to-stdout --print-errors "NetworkManager gthread-2.0 libnm_glib libnm_glib_vpn"`
+	        nm_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors "NetworkManager gthread-2.0 libnm_glib libnm_glib_vpn" 2>&1`
         else
-	        nm_PKG_ERRORS=`$PKG_CONFIG --errors-to-stdout --print-errors "NetworkManager gthread-2.0 libnm_glib libnm_glib_vpn"`
+	        nm_PKG_ERRORS=`$PKG_CONFIG --print-errors "NetworkManager gthread-2.0 libnm_glib libnm_glib_vpn" 2>&1`
         fi
 	# Put the nasty error message in config.log where it belongs
 	echo "$nm_PKG_ERRORS" >&5
 
-	as_fn_error "Package requirements (NetworkManager gthread-2.0 libnm_glib libnm_glib_vpn) were not met:
+	as_fn_error $? "Package requirements (NetworkManager gthread-2.0 libnm_glib libnm_glib_vpn) were not met:
 
 $nm_PKG_ERRORS
 
@@ -15866,12 +16299,13 @@ installed software in a non-standard prefix.
 
 Alternatively, you may set the environment variables nm_CFLAGS
 and nm_LIBS to avoid the need to call pkg-config.
-See the pkg-config man page for more details.
-" "$LINENO" 5
+See the pkg-config man page for more details." "$LINENO" 5
 elif test $pkg_failed = untried; then
+     	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
 	{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
-as_fn_error "The pkg-config script could not be found or is too old.  Make sure it
+as_fn_error $? "The pkg-config script could not be found or is too old.  Make sure it
 is in your PATH or set the PKG_CONFIG environment variable to the full
 path to pkg-config.
 
@@ -15880,13 +16314,13 @@ and nm_LIBS to avoid the need to call pkg-config.
 See the pkg-config man page for more details.
 
 To get pkg-config, see <http://pkg-config.freedesktop.org/>.
-See \`config.log' for more details." "$LINENO" 5; }
+See \`config.log' for more details" "$LINENO" 5 ; }
 else
 	nm_CFLAGS=$pkg_cv_nm_CFLAGS
 	nm_LIBS=$pkg_cv_nm_LIBS
         { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
 $as_echo "yes" >&6; }
-	:
+
 fi
 
 fi
@@ -15928,7 +16362,7 @@ $as_echo "$ac_cv_lib_pam_main" >&6; }
 if test "x$ac_cv_lib_pam_main" = x""yes; then :
   LIBS="$LIBS"
 else
-  as_fn_error "PAM library not found" "$LINENO" 5
+  as_fn_error $? "PAM library not found" "$LINENO" 5
 fi
 ac_cv_lib_pam=ac_cv_lib_pam_main
 
@@ -15936,7 +16370,7 @@ ac_cv_lib_pam=ac_cv_lib_pam_main
 if test "x$ac_cv_header_security_pam_appl_h" = x""yes; then :
 
 else
-  as_fn_error "PAM header security/pam_appl.h not found!" "$LINENO" 5
+  as_fn_error $? "PAM header security/pam_appl.h not found!" "$LINENO" 5
 fi
 
 
@@ -15961,7 +16395,7 @@ done
 if test "x$ac_cv_func_capset" = x""yes; then :
 
 else
-  as_fn_error "capset() not found!" "$LINENO" 5
+  as_fn_error $? "capset() not found!" "$LINENO" 5
 fi
 
 	$as_echo "#define CAPABILITIES_NATIVE 1" >>confdefs.h
@@ -16002,197 +16436,695 @@ $as_echo "$ac_cv_lib_cap_main" >&6; }
 if test "x$ac_cv_lib_cap_main" = x""yes; then :
   LIBS="$LIBS"
 else
-  as_fn_error "libcap library not found" "$LINENO" 5
+  as_fn_error $? "libcap library not found" "$LINENO" 5
 fi
 ac_cv_lib_cap=ac_cv_lib_cap_main
 
-	ac_fn_c_check_header_mongrel "$LINENO" "sys/capability.h" "ac_cv_header_sys_capability_h" "$ac_includes_default"
-if test "x$ac_cv_header_sys_capability_h" = x""yes; then :
-  $as_echo "#define HAVE_SYS_CAPABILITY_H 1" >>confdefs.h
+	ac_fn_c_check_header_mongrel "$LINENO" "sys/capability.h" "ac_cv_header_sys_capability_h" "$ac_includes_default"
+if test "x$ac_cv_header_sys_capability_h" = x""yes; then :
+  $as_echo "#define HAVE_SYS_CAPABILITY_H 1" >>confdefs.h
+
+else
+  as_fn_error $? "libcap header sys/capability.h not found!" "$LINENO" 5
+fi
+
+
+	$as_echo "#define CAPABILITIES_LIBCAP 1" >>confdefs.h
+
+fi
+
+if test x$integrity_test = xtrue; then
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for dladdr()" >&5
+$as_echo_n "checking for dladdr()... " >&6; }
+	cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+#define _GNU_SOURCE
+		 #include <dlfcn.h>
+int
+main ()
+{
+Dl_info info; dladdr(main, &info);
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; };
+		 as_fn_error $? "dladdr() not supported, required by integrity-test!" "$LINENO" 5
+
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for dl_iterate_phdr()" >&5
+$as_echo_n "checking for dl_iterate_phdr()... " >&6; }
+	cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+#define _GNU_SOURCE
+		 #include <link.h>
+int
+main ()
+{
+dl_iterate_phdr((void*)0, (void*)0);
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; };
+		 as_fn_error $? "dl_iterate_phdr() not supported, required by integrity-test!" "$LINENO" 5
+
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+
+
+# ADD_PLUGIN(plugin, category list)
+# -----------------------------------
+# Append the plugin name $1 to the category list variable $2_plugin
+
+
+
+# plugin lists for all components
+libcharon_plugins=
+pluto_plugins=
+pool_plugins=
+openac_plugins=
+scepclient_plugins=
+pki_plugins=
+scripts_plugins=
+manager_plugins=
+medsrv_plugins=
+
+# location specific lists for checksumming,
+# for src/libcharon, src/pluto, src/libhydra and src/libstrongswan
+c_plugins=
+p_plugins=
+h_plugins=
+s_plugins=
+
+if test x$test_vectors = xtrue; then
+		s_plugins=${s_plugins}" test-vectors"
+		libcharon_plugins=${libcharon_plugins}" test-vectors"
+		pluto_plugins=${pluto_plugins}" test-vectors"
+		openac_plugins=${openac_plugins}" test-vectors"
+		scepclient_plugins=${scepclient_plugins}" test-vectors"
+		pki_plugins=${pki_plugins}" test-vectors"
+
+	fi
+
+if test x$curl = xtrue; then
+		s_plugins=${s_plugins}" curl"
+		libcharon_plugins=${libcharon_plugins}" curl"
+		pluto_plugins=${pluto_plugins}" curl"
+		scepclient_plugins=${scepclient_plugins}" curl"
+
+	fi
+
+if test x$ldap = xtrue; then
+		s_plugins=${s_plugins}" ldap"
+		libcharon_plugins=${libcharon_plugins}" ldap"
+		pluto_plugins=${pluto_plugins}" ldap"
+		scepclient_plugins=${scepclient_plugins}" ldap"
+
+	fi
+
+if test x$mysql = xtrue; then
+		s_plugins=${s_plugins}" mysql"
+		libcharon_plugins=${libcharon_plugins}" mysql"
+		pluto_plugins=${pluto_plugins}" mysql"
+		pool_plugins=${pool_plugins}" mysql"
+		manager_plugins=${manager_plugins}" mysql"
+		medsrv_plugins=${medsrv_plugins}" mysql"
+
+	fi
+
+if test x$sqlite = xtrue; then
+		s_plugins=${s_plugins}" sqlite"
+		libcharon_plugins=${libcharon_plugins}" sqlite"
+		pluto_plugins=${pluto_plugins}" sqlite"
+		pool_plugins=${pool_plugins}" sqlite"
+		manager_plugins=${manager_plugins}" sqlite"
+		medsrv_plugins=${medsrv_plugins}" sqlite"
+
+	fi
+
+if test x$aes = xtrue; then
+		s_plugins=${s_plugins}" aes"
+		libcharon_plugins=${libcharon_plugins}" aes"
+		pluto_plugins=${pluto_plugins}" aes"
+		openac_plugins=${openac_plugins}" aes"
+		scepclient_plugins=${scepclient_plugins}" aes"
+		pki_plugins=${pki_plugins}" aes"
+		scripts_plugins=${scripts_plugins}" aes"
+
+	fi
+
+if test x$des = xtrue; then
+		s_plugins=${s_plugins}" des"
+		libcharon_plugins=${libcharon_plugins}" des"
+		pluto_plugins=${pluto_plugins}" des"
+		openac_plugins=${openac_plugins}" des"
+		scepclient_plugins=${scepclient_plugins}" des"
+		pki_plugins=${pki_plugins}" des"
+		scripts_plugins=${scripts_plugins}" des"
+
+	fi
+
+if test x$blowfish = xtrue; then
+		s_plugins=${s_plugins}" blowfish"
+		libcharon_plugins=${libcharon_plugins}" blowfish"
+		pluto_plugins=${pluto_plugins}" blowfish"
+		openac_plugins=${openac_plugins}" blowfish"
+		scepclient_plugins=${scepclient_plugins}" blowfish"
+		pki_plugins=${pki_plugins}" blowfish"
+		scripts_plugins=${scripts_plugins}" blowfish"
+
+	fi
+
+if test x$sha1 = xtrue; then
+		s_plugins=${s_plugins}" sha1"
+		libcharon_plugins=${libcharon_plugins}" sha1"
+		pluto_plugins=${pluto_plugins}" sha1"
+		openac_plugins=${openac_plugins}" sha1"
+		scepclient_plugins=${scepclient_plugins}" sha1"
+		pki_plugins=${pki_plugins}" sha1"
+		scripts_plugins=${scripts_plugins}" sha1"
+		medsrv_plugins=${medsrv_plugins}" sha1"
+
+	fi
+
+if test x$sha2 = xtrue; then
+		s_plugins=${s_plugins}" sha2"
+		libcharon_plugins=${libcharon_plugins}" sha2"
+		pluto_plugins=${pluto_plugins}" sha2"
+		openac_plugins=${openac_plugins}" sha2"
+		scepclient_plugins=${scepclient_plugins}" sha2"
+		pki_plugins=${pki_plugins}" sha2"
+		scripts_plugins=${scripts_plugins}" sha2"
+		medsrv_plugins=${medsrv_plugins}" sha2"
+
+	fi
+
+if test x$md4 = xtrue; then
+		s_plugins=${s_plugins}" md4"
+		libcharon_plugins=${libcharon_plugins}" md4"
+		openac_plugins=${openac_plugins}" md4"
+		manager_plugins=${manager_plugins}" md4"
+		scepclient_plugins=${scepclient_plugins}" md4"
+		pki_plugins=${pki_plugins}" md4"
+
+	fi
+
+if test x$md5 = xtrue; then
+		s_plugins=${s_plugins}" md5"
+		libcharon_plugins=${libcharon_plugins}" md5"
+		pluto_plugins=${pluto_plugins}" md5"
+		openac_plugins=${openac_plugins}" md5"
+		scepclient_plugins=${scepclient_plugins}" md5"
+		pki_plugins=${pki_plugins}" md5"
+
+	fi
+
+if test x$random = xtrue; then
+		s_plugins=${s_plugins}" random"
+		libcharon_plugins=${libcharon_plugins}" random"
+		pluto_plugins=${pluto_plugins}" random"
+		openac_plugins=${openac_plugins}" random"
+		scepclient_plugins=${scepclient_plugins}" random"
+		pki_plugins=${pki_plugins}" random"
+		scripts_plugins=${scripts_plugins}" random"
+		medsrv_plugins=${medsrv_plugins}" random"
+
+	fi
+
+if test x$x509 = xtrue; then
+		s_plugins=${s_plugins}" x509"
+		libcharon_plugins=${libcharon_plugins}" x509"
+		pluto_plugins=${pluto_plugins}" x509"
+		openac_plugins=${openac_plugins}" x509"
+		scepclient_plugins=${scepclient_plugins}" x509"
+		pki_plugins=${pki_plugins}" x509"
+		scripts_plugins=${scripts_plugins}" x509"
+
+	fi
+
+if test x$revocation = xtrue; then
+		s_plugins=${s_plugins}" revocation"
+		libcharon_plugins=${libcharon_plugins}" revocation"
+
+	fi
+
+if test x$pubkey = xtrue; then
+		s_plugins=${s_plugins}" pubkey"
+		libcharon_plugins=${libcharon_plugins}" pubkey"
+
+	fi
+
+if test x$pkcs1 = xtrue; then
+		s_plugins=${s_plugins}" pkcs1"
+		libcharon_plugins=${libcharon_plugins}" pkcs1"
+		pluto_plugins=${pluto_plugins}" pkcs1"
+		openac_plugins=${openac_plugins}" pkcs1"
+		scepclient_plugins=${scepclient_plugins}" pkcs1"
+		pki_plugins=${pki_plugins}" pkcs1"
+		scripts_plugins=${scripts_plugins}" pkcs1"
+		manager_plugins=${manager_plugins}" pkcs1"
+		medsrv_plugins=${medsrv_plugins}" pkcs1"
+
+	fi
+
+if test x$pgp = xtrue; then
+		s_plugins=${s_plugins}" pgp"
+		libcharon_plugins=${libcharon_plugins}" pgp"
+		pluto_plugins=${pluto_plugins}" pgp"
+
+	fi
+
+if test x$dnskey = xtrue; then
+		s_plugins=${s_plugins}" dnskey"
+		pluto_plugins=${pluto_plugins}" dnskey"
+
+	fi
+
+if test x$pem = xtrue; then
+		s_plugins=${s_plugins}" pem"
+		libcharon_plugins=${libcharon_plugins}" pem"
+		pluto_plugins=${pluto_plugins}" pem"
+		openac_plugins=${openac_plugins}" pem"
+		scepclient_plugins=${scepclient_plugins}" pem"
+		pki_plugins=${pki_plugins}" pem"
+		scripts_plugins=${scripts_plugins}" pem"
+		manager_plugins=${manager_plugins}" pem"
+		medsrv_plugins=${medsrv_plugins}" pem"
+
+	fi
+
+if test x$padlock = xtrue; then
+		s_plugins=${s_plugins}" padlock"
+		libcharon_plugins=${libcharon_plugins}" padlock"
+
+	fi
+
+if test x$openssl = xtrue; then
+		s_plugins=${s_plugins}" openssl"
+		libcharon_plugins=${libcharon_plugins}" openssl"
+		pluto_plugins=${pluto_plugins}" openssl"
+		openac_plugins=${openac_plugins}" openssl"
+		scepclient_plugins=${scepclient_plugins}" openssl"
+		pki_plugins=${pki_plugins}" openssl"
+		scripts_plugins=${scripts_plugins}" openssl"
+		manager_plugins=${manager_plugins}" openssl"
+		medsrv_plugins=${medsrv_plugins}" openssl"
+
+	fi
+
+if test x$gcrypt = xtrue; then
+		s_plugins=${s_plugins}" gcrypt"
+		libcharon_plugins=${libcharon_plugins}" gcrypt"
+		pluto_plugins=${pluto_plugins}" gcrypt"
+		openac_plugins=${openac_plugins}" gcrypt"
+		scepclient_plugins=${scepclient_plugins}" gcrypt"
+		pki_plugins=${pki_plugins}" gcrypt"
+		scripts_plugins=${scripts_plugins}" gcrypt"
+		manager_plugins=${manager_plugins}" gcrypt"
+		medsrv_plugins=${medsrv_plugins}" gcrypt"
+
+	fi
+
+if test x$fips_prf = xtrue; then
+		s_plugins=${s_plugins}" fips-prf"
+		libcharon_plugins=${libcharon_plugins}" fips-prf"
+
+	fi
+
+if test x$gmp = xtrue; then
+		s_plugins=${s_plugins}" gmp"
+		libcharon_plugins=${libcharon_plugins}" gmp"
+		pluto_plugins=${pluto_plugins}" gmp"
+		openac_plugins=${openac_plugins}" gmp"
+		scepclient_plugins=${scepclient_plugins}" gmp"
+		pki_plugins=${pki_plugins}" gmp"
+		scripts_plugins=${scripts_plugins}" gmp"
+		manager_plugins=${manager_plugins}" gmp"
+		medsrv_plugins=${medsrv_plugins}" gmp"
+
+	fi
+
+if test x$agent = xtrue; then
+		s_plugins=${s_plugins}" agent"
+		libcharon_plugins=${libcharon_plugins}" agent"
+
+	fi
+
+if test x$pkcs11 = xtrue; then
+		s_plugins=${s_plugins}" pkcs11"
+		libcharon_plugins=${libcharon_plugins}" pkcs11"
+		pki_plugins=${pki_plugins}" pkcs11"
+
+	fi
+
+if test x$xcbc = xtrue; then
+		s_plugins=${s_plugins}" xcbc"
+		libcharon_plugins=${libcharon_plugins}" xcbc"
+
+	fi
+
+if test x$hmac = xtrue; then
+		s_plugins=${s_plugins}" hmac"
+		libcharon_plugins=${libcharon_plugins}" hmac"
+		pluto_plugins=${pluto_plugins}" hmac"
+		scripts_plugins=${scripts_plugins}" hmac"
+
+	fi
+
+if test x$ctr = xtrue; then
+		s_plugins=${s_plugins}" ctr"
+		libcharon_plugins=${libcharon_plugins}" ctr"
+		scripts_plugins=${scripts_plugins}" ctr"
+
+	fi
+
+if test x$ccm = xtrue; then
+		s_plugins=${s_plugins}" ccm"
+		libcharon_plugins=${libcharon_plugins}" ccm"
+		scripts_plugins=${scripts_plugins}" ccm"
+
+	fi
+
+if test x$gcm = xtrue; then
+		s_plugins=${s_plugins}" gcm"
+		libcharon_plugins=${libcharon_plugins}" gcm"
+		scripts_plugins=${scripts_plugins}" gcm"
+
+	fi
+
+if test x$xauth = xtrue; then
+		p_plugins=${p_plugins}" xauth"
+		pluto_plugins=${pluto_plugins}" xauth"
+
+	fi
+
+if test x$attr = xtrue; then
+		h_plugins=${h_plugins}" attr"
+		libcharon_plugins=${libcharon_plugins}" attr"
+		pluto_plugins=${pluto_plugins}" attr"
+
+	fi
+
+if test x$attr_sql = xtrue; then
+		h_plugins=${h_plugins}" attr-sql"
+		libcharon_plugins=${libcharon_plugins}" attr-sql"
+		pluto_plugins=${pluto_plugins}" attr-sql"
+
+	fi
+
+if test x$kernel_pfkey = xtrue; then
+		h_plugins=${h_plugins}" kernel-pfkey"
+		libcharon_plugins=${libcharon_plugins}" kernel-pfkey"
+		pluto_plugins=${pluto_plugins}" kernel-pfkey"
+
+	fi
+
+if test x$kernel_pfroute = xtrue; then
+		h_plugins=${h_plugins}" kernel-pfroute"
+		libcharon_plugins=${libcharon_plugins}" kernel-pfroute"
+		pluto_plugins=${pluto_plugins}" kernel-pfroute"
+
+	fi
+
+if test x$kernel_klips = xtrue; then
+		h_plugins=${h_plugins}" kernel-klips"
+		libcharon_plugins=${libcharon_plugins}" kernel-klips"
+		pluto_plugins=${pluto_plugins}" kernel-klips"
+
+	fi
+
+if test x$kernel_netlink = xtrue; then
+		h_plugins=${h_plugins}" kernel-netlink"
+		libcharon_plugins=${libcharon_plugins}" kernel-netlink"
+		pluto_plugins=${pluto_plugins}" kernel-netlink"
+
+	fi
+
+if test x$resolve = xtrue; then
+		h_plugins=${h_plugins}" resolve"
+		libcharon_plugins=${libcharon_plugins}" resolve"
+		pluto_plugins=${pluto_plugins}" resolve"
+
+	fi
+
+if test x$load_tester = xtrue; then
+		c_plugins=${c_plugins}" load-tester"
+		libcharon_plugins=${libcharon_plugins}" load-tester"
+
+	fi
+
+if test x$socket_default = xtrue; then
+		c_plugins=${c_plugins}" socket-default"
+		libcharon_plugins=${libcharon_plugins}" socket-default"
+
+	fi
+
+if test x$socket_raw = xtrue; then
+		c_plugins=${c_plugins}" socket-raw"
+		libcharon_plugins=${libcharon_plugins}" socket-raw"
+
+	fi
+
+if test x$socket_dynamic = xtrue; then
+		c_plugins=${c_plugins}" socket-dynamic"
+		libcharon_plugins=${libcharon_plugins}" socket-dynamic"
+
+	fi
+
+if test x$farp = xtrue; then
+		c_plugins=${c_plugins}" farp"
+		libcharon_plugins=${libcharon_plugins}" farp"
+
+	fi
+
+if test x$stroke = xtrue; then
+		c_plugins=${c_plugins}" stroke"
+		libcharon_plugins=${libcharon_plugins}" stroke"
+
+	fi
+
+if test x$smp = xtrue; then
+		c_plugins=${c_plugins}" smp"
+		libcharon_plugins=${libcharon_plugins}" smp"
+
+	fi
+
+if test x$sql = xtrue; then
+		c_plugins=${c_plugins}" sql"
+		libcharon_plugins=${libcharon_plugins}" sql"
+
+	fi
+
+if test x$updown = xtrue; then
+		c_plugins=${c_plugins}" updown"
+		libcharon_plugins=${libcharon_plugins}" updown"
+
+	fi
+
+if test x$eap_identity = xtrue; then
+		c_plugins=${c_plugins}" eap-identity"
+		libcharon_plugins=${libcharon_plugins}" eap-identity"
+
+	fi
+
+if test x$eap_sim = xtrue; then
+		c_plugins=${c_plugins}" eap-sim"
+		libcharon_plugins=${libcharon_plugins}" eap-sim"
+
+	fi
+
+if test x$eap_sim_file = xtrue; then
+		c_plugins=${c_plugins}" eap-sim-file"
+		libcharon_plugins=${libcharon_plugins}" eap-sim-file"
+
+	fi
+
+if test x$eap_simaka_sql = xtrue; then
+		c_plugins=${c_plugins}" eap-simaka-sql"
+		libcharon_plugins=${libcharon_plugins}" eap-simaka-sql"
+
+	fi
+
+if test x$eap_simaka_pseudonym = xtrue; then
+		c_plugins=${c_plugins}" eap-simaka-pseudonym"
+		libcharon_plugins=${libcharon_plugins}" eap-simaka-pseudonym"
+
+	fi
+
+if test x$eap_simaka_reauth = xtrue; then
+		c_plugins=${c_plugins}" eap-simaka-reauth"
+		libcharon_plugins=${libcharon_plugins}" eap-simaka-reauth"
+
+	fi
+
+if test x$eap_aka = xtrue; then
+		c_plugins=${c_plugins}" eap-aka"
+		libcharon_plugins=${libcharon_plugins}" eap-aka"
+
+	fi
+
+if test x$eap_aka_3gpp2 = xtrue; then
+		c_plugins=${c_plugins}" eap-aka-3gpp2"
+		libcharon_plugins=${libcharon_plugins}" eap-aka-3gpp2"
+
+	fi
+
+if test x$eap_md5 = xtrue; then
+		c_plugins=${c_plugins}" eap-md5"
+		libcharon_plugins=${libcharon_plugins}" eap-md5"
+
+	fi
+
+if test x$eap_gtc = xtrue; then
+		c_plugins=${c_plugins}" eap-gtc"
+		libcharon_plugins=${libcharon_plugins}" eap-gtc"
+
+	fi
+
+if test x$eap_mschapv2 = xtrue; then
+		c_plugins=${c_plugins}" eap-mschapv2"
+		libcharon_plugins=${libcharon_plugins}" eap-mschapv2"
+
+	fi
+
+if test x$eap_radius = xtrue; then
+		c_plugins=${c_plugins}" eap-radius"
+		libcharon_plugins=${libcharon_plugins}" eap-radius"
+
+	fi
+
+if test x$eap_tls = xtrue; then
+		c_plugins=${c_plugins}" eap-tls"
+		libcharon_plugins=${libcharon_plugins}" eap-tls"
+
+	fi
+
+if test x$eap_ttls = xtrue; then
+		c_plugins=${c_plugins}" eap-ttls"
+		libcharon_plugins=${libcharon_plugins}" eap-ttls"
+
+	fi
+
+if test x$eap_tnc = xtrue; then
+		c_plugins=${c_plugins}" eap-tnc"
+		libcharon_plugins=${libcharon_plugins}" eap-tnc"
+
+	fi
+
+if test x$tnc_imc = xtrue; then
+		c_plugins=${c_plugins}" tnc-imc"
+		libcharon_plugins=${libcharon_plugins}" tnc-imc"
+
+	fi
+
+if test x$tnc_imv = xtrue; then
+		c_plugins=${c_plugins}" tnc-imv"
+		libcharon_plugins=${libcharon_plugins}" tnc-imv"
+
+	fi
+
+if test x$tnccs_11 = xtrue; then
+		c_plugins=${c_plugins}" tnccs-11"
+		libcharon_plugins=${libcharon_plugins}" tnccs-11"
+
+	fi
+
+if test x$tnccs_20 = xtrue; then
+		c_plugins=${c_plugins}" tnccs-20"
+		libcharon_plugins=${libcharon_plugins}" tnccs-20"
+
+	fi
+
+if test x$medsrv = xtrue; then
+		c_plugins=${c_plugins}" medsrv"
+		libcharon_plugins=${libcharon_plugins}" medsrv"
+
+	fi
+
+if test x$medcli = xtrue; then
+		c_plugins=${c_plugins}" medcli"
+		libcharon_plugins=${libcharon_plugins}" medcli"
+
+	fi
+
+if test x$nm = xtrue; then
+		c_plugins=${c_plugins}" nm"
+		libcharon_plugins=${libcharon_plugins}" nm"
+
+	fi
+
+if test x$dhcp = xtrue; then
+		c_plugins=${c_plugins}" dhcp"
+		libcharon_plugins=${libcharon_plugins}" dhcp"
+
+	fi
+
+if test x$android = xtrue; then
+		c_plugins=${c_plugins}" android"
+		libcharon_plugins=${libcharon_plugins}" android"
+
+	fi
+
+if test x$ha = xtrue; then
+		c_plugins=${c_plugins}" ha"
+		libcharon_plugins=${libcharon_plugins}" ha"
+
+	fi
+
+if test x$led = xtrue; then
+		c_plugins=${c_plugins}" led"
+		libcharon_plugins=${libcharon_plugins}" led"
+
+	fi
+
+if test x$maemo = xtrue; then
+		c_plugins=${c_plugins}" maemo"
+		libcharon_plugins=${libcharon_plugins}" maemo"
+
+	fi
+
+if test x$uci = xtrue; then
+		c_plugins=${c_plugins}" uci"
+		libcharon_plugins=${libcharon_plugins}" uci"
+
+	fi
+
+if test x$addrblock = xtrue; then
+		c_plugins=${c_plugins}" addrblock"
+		libcharon_plugins=${libcharon_plugins}" addrblock"
+
+	fi
+
+if test x$unit_tester = xtrue; then
+		c_plugins=${c_plugins}" unit-tester"
+		libcharon_plugins=${libcharon_plugins}" unit-tester"
+
+	fi
+
+
 
-else
-  as_fn_error "libcap header sys/capability.h not found!" "$LINENO" 5
-fi
 
 
-	$as_echo "#define CAPABILITIES_LIBCAP 1" >>confdefs.h
 
-fi
 
-if test x$integrity_test = xtrue; then
-	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for dladdr()" >&5
-$as_echo_n "checking for dladdr()... " >&6; }
-	cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h.  */
-#define _GNU_SOURCE
-		 #include <dlfcn.h>
-int
-main ()
-{
-Dl_info info; dladdr(main, &info);
-  ;
-  return 0;
-}
-_ACEOF
-if ac_fn_c_try_compile "$LINENO"; then :
-  { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
-$as_echo "yes" >&6; }
-else
-  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-$as_echo "no" >&6; };
-		 as_fn_error "dladdr() not supported, required by integrity-test!" "$LINENO" 5
 
-fi
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for dl_iterate_phdr()" >&5
-$as_echo_n "checking for dl_iterate_phdr()... " >&6; }
-	cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h.  */
-#define _GNU_SOURCE
-		 #include <link.h>
-int
-main ()
-{
-dl_iterate_phdr((void*)0, (void*)0);
-  ;
-  return 0;
-}
-_ACEOF
-if ac_fn_c_try_compile "$LINENO"; then :
-  { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
-$as_echo "yes" >&6; }
-else
-  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-$as_echo "no" >&6; };
-		 as_fn_error "dl_iterate_phdr() not supported, required by integrity-test!" "$LINENO" 5
 
-fi
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-fi
 
 
-libstrongswan_plugins=
-libhydra_plugins=
-pluto_plugins=
 
-if test x$test_vectors = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" test-vectors"
-	pluto_plugins=${pluto_plugins}" test-vectors"
-fi
-if test x$curl = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" curl"
-	pluto_plugins=${pluto_plugins}" curl"
-fi
-if test x$ldap = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" ldap"
-	pluto_plugins=${pluto_plugins}" ldap"
-fi
-if test x$aes = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" aes"
-	pluto_plugins=${pluto_plugins}" aes"
-fi
-if test x$des = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" des"
-	pluto_plugins=${pluto_plugins}" des"
-fi
-if test x$blowfish = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" blowfish"
-	pluto_plugins=${pluto_plugins}" blowfish"
-fi
-if test x$sha1 = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" sha1"
-	pluto_plugins=${pluto_plugins}" sha1"
-fi
-if test x$sha2 = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" sha2"
-	pluto_plugins=${pluto_plugins}" sha2"
-fi
-if test x$md4 = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" md4"
-fi
-if test x$md5 = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" md5"
-	pluto_plugins=${pluto_plugins}" md5"
-fi
-if test x$random = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" random"
-	pluto_plugins=${pluto_plugins}" random"
-fi
-if test x$x509 = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" x509"
-	pluto_plugins=${pluto_plugins}" x509"
-fi
-if test x$revocation = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" revocation"
-fi
-if test x$pubkey = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" pubkey"
-	pluto_plugins=${pluto_plugins}" pubkey"
-fi
-if test x$pkcs1 = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" pkcs1"
-	pluto_plugins=${pluto_plugins}" pkcs1"
-fi
-if test x$pgp = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" pgp"
-	pluto_plugins=${pluto_plugins}" pgp"
-fi
-if test x$dnskey = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" dnskey"
-	pluto_plugins=${pluto_plugins}" dnskey"
-fi
-if test x$pem = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" pem"
-	pluto_plugins=${pluto_plugins}" pem"
-fi
-if test x$mysql = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" mysql"
-	pluto_plugins=${pluto_plugins}" mysql"
-fi
-if test x$sqlite = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" sqlite"
-	pluto_plugins=${pluto_plugins}" sqlite"
-fi
-if test x$padlock = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" padlock"
-fi
-if test x$openssl = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" openssl"
-	pluto_plugins=${pluto_plugins}" openssl"
-fi
-if test x$gcrypt = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" gcrypt"
-	pluto_plugins=${pluto_plugins}" gcrypt"
-fi
-if test x$fips_prf = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" fips-prf"
-fi
-if test x$xcbc = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" xcbc"
-fi
-if test x$hmac = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" hmac"
-	pluto_plugins=${pluto_plugins}" hmac"
-fi
-if test x$agent = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" agent"
-fi
-if test x$gmp = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" gmp"
-	pluto_plugins=${pluto_plugins}" gmp"
-fi
-if test x$xauth = xtrue; then
-	pluto_plugins=${pluto_plugins}" xauth"
-fi
-if test x$attr = xtrue; then
-	libhydra_plugins=${libhydra_plugins}" attr"
-fi
-if test x$attr_sql = xtrue -o x$sql = xtrue; then
-	libhydra_plugins=${libhydra_plugins}" attr-sql"
-fi
-if test x$resolve = xtrue; then
-	libhydra_plugins=${libhydra_plugins}" resolve"
-fi
 
 
 
@@ -16423,6 +17355,38 @@ else
   USE_AGENT_FALSE=
 fi
 
+ if test x$pkcs11 = xtrue; then
+  USE_PKCS11_TRUE=
+  USE_PKCS11_FALSE='#'
+else
+  USE_PKCS11_TRUE='#'
+  USE_PKCS11_FALSE=
+fi
+
+ if test x$ctr = xtrue; then
+  USE_CTR_TRUE=
+  USE_CTR_FALSE='#'
+else
+  USE_CTR_TRUE='#'
+  USE_CTR_FALSE=
+fi
+
+ if test x$ccm = xtrue; then
+  USE_CCM_TRUE=
+  USE_CCM_FALSE='#'
+else
+  USE_CCM_TRUE='#'
+  USE_CCM_FALSE=
+fi
+
+ if test x$gcm = xtrue; then
+  USE_GCM_TRUE=
+  USE_GCM_FALSE='#'
+else
+  USE_GCM_TRUE='#'
+  USE_GCM_FALSE=
+fi
+
 
  if test x$stroke = xtrue; then
   USE_STROKE_TRUE=
@@ -16472,6 +17436,14 @@ else
   USE_ANDROID_FALSE=
 fi
 
+ if test x$maemo = xtrue; then
+  USE_MAEMO_TRUE=
+  USE_MAEMO_FALSE='#'
+else
+  USE_MAEMO_TRUE='#'
+  USE_MAEMO_FALSE=
+fi
+
  if test x$smp = xtrue; then
   USE_SMP_TRUE=
   USE_SMP_FALSE='#'
@@ -16528,6 +17500,14 @@ else
   USE_HA_FALSE=
 fi
 
+ if test x$led = xtrue; then
+  USE_LED_TRUE=
+  USE_LED_FALSE='#'
+else
+  USE_LED_TRUE='#'
+  USE_LED_FALSE=
+fi
+
  if test x$eap_sim = xtrue; then
   USE_EAP_SIM_TRUE=
   USE_EAP_SIM_FALSE='#'
@@ -16616,6 +17596,30 @@ else
   USE_EAP_MSCHAPV2_FALSE=
 fi
 
+ if test x$eap_tls = xtrue; then
+  USE_EAP_TLS_TRUE=
+  USE_EAP_TLS_FALSE='#'
+else
+  USE_EAP_TLS_TRUE='#'
+  USE_EAP_TLS_FALSE=
+fi
+
+ if test x$eap_ttls = xtrue; then
+  USE_EAP_TTLS_TRUE=
+  USE_EAP_TTLS_FALSE='#'
+else
+  USE_EAP_TTLS_TRUE='#'
+  USE_EAP_TTLS_FALSE=
+fi
+
+ if test x$eap_tnc = xtrue; then
+  USE_EAP_TNC_TRUE=
+  USE_EAP_TNC_FALSE='#'
+else
+  USE_EAP_TNC_TRUE='#'
+  USE_EAP_TNC_FALSE=
+fi
+
  if test x$eap_radius = xtrue; then
   USE_EAP_RADIUS_TRUE=
   USE_EAP_RADIUS_FALSE='#'
@@ -16624,36 +17628,36 @@ else
   USE_EAP_RADIUS_FALSE=
 fi
 
- if test x$kernel_netlink = xtrue; then
-  USE_KERNEL_NETLINK_TRUE=
-  USE_KERNEL_NETLINK_FALSE='#'
+ if test x$tnc_imc = xtrue; then
+  USE_TNC_IMC_TRUE=
+  USE_TNC_IMC_FALSE='#'
 else
-  USE_KERNEL_NETLINK_TRUE='#'
-  USE_KERNEL_NETLINK_FALSE=
+  USE_TNC_IMC_TRUE='#'
+  USE_TNC_IMC_FALSE=
 fi
 
- if test x$kernel_pfkey = xtrue; then
-  USE_KERNEL_PFKEY_TRUE=
-  USE_KERNEL_PFKEY_FALSE='#'
+ if test x$tnc_imv = xtrue; then
+  USE_TNC_IMV_TRUE=
+  USE_TNC_IMV_FALSE='#'
 else
-  USE_KERNEL_PFKEY_TRUE='#'
-  USE_KERNEL_PFKEY_FALSE=
+  USE_TNC_IMV_TRUE='#'
+  USE_TNC_IMV_FALSE=
 fi
 
- if test x$kernel_pfroute = xtrue; then
-  USE_KERNEL_PFROUTE_TRUE=
-  USE_KERNEL_PFROUTE_FALSE='#'
+ if test x$tnccs_11 = xtrue; then
+  USE_TNCCS_11_TRUE=
+  USE_TNCCS_11_FALSE='#'
 else
-  USE_KERNEL_PFROUTE_TRUE='#'
-  USE_KERNEL_PFROUTE_FALSE=
+  USE_TNCCS_11_TRUE='#'
+  USE_TNCCS_11_FALSE=
 fi
 
- if test x$kernel_klips = xtrue; then
-  USE_KERNEL_KLIPS_TRUE=
-  USE_KERNEL_KLIPS_FALSE='#'
+ if test x$tnccs_20 = xtrue; then
+  USE_TNCCS_20_TRUE=
+  USE_TNCCS_20_FALSE='#'
 else
-  USE_KERNEL_KLIPS_TRUE='#'
-  USE_KERNEL_KLIPS_FALSE=
+  USE_TNCCS_20_TRUE='#'
+  USE_TNCCS_20_FALSE=
 fi
 
  if test x$socket_default = xtrue; then
@@ -16713,6 +17717,38 @@ else
   USE_ATTR_SQL_FALSE=
 fi
 
+ if test x$kernel_klips = xtrue; then
+  USE_KERNEL_KLIPS_TRUE=
+  USE_KERNEL_KLIPS_FALSE='#'
+else
+  USE_KERNEL_KLIPS_TRUE='#'
+  USE_KERNEL_KLIPS_FALSE=
+fi
+
+ if test x$kernel_netlink = xtrue; then
+  USE_KERNEL_NETLINK_TRUE=
+  USE_KERNEL_NETLINK_FALSE='#'
+else
+  USE_KERNEL_NETLINK_TRUE='#'
+  USE_KERNEL_NETLINK_FALSE=
+fi
+
+ if test x$kernel_pfkey = xtrue; then
+  USE_KERNEL_PFKEY_TRUE=
+  USE_KERNEL_PFKEY_FALSE='#'
+else
+  USE_KERNEL_PFKEY_TRUE='#'
+  USE_KERNEL_PFKEY_FALSE=
+fi
+
+ if test x$kernel_pfroute = xtrue; then
+  USE_KERNEL_PFROUTE_TRUE=
+  USE_KERNEL_PFROUTE_FALSE='#'
+else
+  USE_KERNEL_PFROUTE_TRUE='#'
+  USE_KERNEL_PFROUTE_FALSE=
+fi
+
  if test x$resolve = xtrue; then
   USE_RESOLVE_TRUE=
   USE_RESOLVE_FALSE='#'
@@ -16923,6 +17959,14 @@ else
   USE_SIMAKA_FALSE=
 fi
 
+ if test x$tls = xtrue; then
+  USE_TLS_TRUE=
+  USE_TLS_FALSE='#'
+else
+  USE_TLS_TRUE='#'
+  USE_TLS_FALSE=
+fi
+
  if test x$monolithic = xtrue; then
   MONOLITHIC_TRUE=
   MONOLITHIC_FALSE='#'
@@ -16948,7 +17992,7 @@ fi
 
 
 
-ac_config_files="$ac_config_files Makefile src/Makefile src/include/Makefile src/libstrongswan/Makefile src/libstrongswan/plugins/aes/Makefile src/libstrongswan/plugins/des/Makefile src/libstrongswan/plugins/blowfish/Makefile src/libstrongswan/plugins/md4/Makefile src/libstrongswan/plugins/md5/Makefile src/libstrongswan/plugins/sha1/Makefile src/libstrongswan/plugins/sha2/Makefile src/libstrongswan/plugins/fips_prf/Makefile src/libstrongswan/plugins/gmp/Makefile src/libstrongswan/plugins/random/Makefile src/libstrongswan/plugins/hmac/Makefile src/libstrongswan/plugins/xcbc/Makefile src/libstrongswan/plugins/x509/Makefile src/libstrongswan/plugins/revocation/Makefile src/libstrongswan/plugins/pubkey/Makefile src/libstrongswan/plugins/pkcs1/Makefile src/libstrongswan/plugins/pgp/Makefile src/libstrongswan/plugins/dnskey/Makefile src/libstrongswan/plugins/pem/Makefile src/libstrongswan/plugins/curl/Makefile src/libstrongswan/plugins/ldap/Makefile src/libstrongswan/plugins/mysql/Makefile src/libstrongswan/plugins/sqlite/Makefile src/libstrongswan/plugins/padlock/Makefile src/libstrongswan/plugins/openssl/Makefile src/libstrongswan/plugins/gcrypt/Makefile src/libstrongswan/plugins/agent/Makefile src/libstrongswan/plugins/test_vectors/Makefile src/libhydra/Makefile src/libhydra/plugins/attr/Makefile src/libhydra/plugins/attr_sql/Makefile src/libhydra/plugins/resolve/Makefile src/libfreeswan/Makefile src/libsimaka/Makefile src/pluto/Makefile src/pluto/plugins/xauth/Makefile src/whack/Makefile src/charon/Makefile src/libcharon/Makefile src/libcharon/plugins/eap_aka/Makefile src/libcharon/plugins/eap_aka_3gpp2/Makefile src/libcharon/plugins/eap_identity/Makefile src/libcharon/plugins/eap_md5/Makefile src/libcharon/plugins/eap_gtc/Makefile src/libcharon/plugins/eap_sim/Makefile src/libcharon/plugins/eap_sim_file/Makefile src/libcharon/plugins/eap_simaka_sql/Makefile src/libcharon/plugins/eap_simaka_pseudonym/Makefile src/libcharon/plugins/eap_simaka_reauth/Makefile src/libcharon/plugins/eap_mschapv2/Makefile src/libcharon/plugins/eap_radius/Makefile src/libcharon/plugins/kernel_netlink/Makefile src/libcharon/plugins/kernel_pfkey/Makefile src/libcharon/plugins/kernel_pfroute/Makefile src/libcharon/plugins/kernel_klips/Makefile src/libcharon/plugins/socket_default/Makefile src/libcharon/plugins/socket_raw/Makefile src/libcharon/plugins/socket_dynamic/Makefile src/libcharon/plugins/farp/Makefile src/libcharon/plugins/smp/Makefile src/libcharon/plugins/sql/Makefile src/libcharon/plugins/medsrv/Makefile src/libcharon/plugins/medcli/Makefile src/libcharon/plugins/nm/Makefile src/libcharon/plugins/addrblock/Makefile src/libcharon/plugins/uci/Makefile src/libcharon/plugins/ha/Makefile src/libcharon/plugins/android/Makefile src/libcharon/plugins/stroke/Makefile src/libcharon/plugins/updown/Makefile src/libcharon/plugins/dhcp/Makefile src/libcharon/plugins/unit_tester/Makefile src/libcharon/plugins/load_tester/Makefile src/stroke/Makefile src/ipsec/Makefile src/starter/Makefile src/_updown/Makefile src/_updown_espmark/Makefile src/_copyright/Makefile src/openac/Makefile src/scepclient/Makefile src/pki/Makefile src/dumm/Makefile src/dumm/ext/extconf.rb src/libfast/Makefile src/manager/Makefile src/medsrv/Makefile src/checksum/Makefile scripts/Makefile testing/Makefile"
+ac_config_files="$ac_config_files Makefile man/Makefile src/Makefile src/include/Makefile src/libstrongswan/Makefile src/libstrongswan/plugins/aes/Makefile src/libstrongswan/plugins/des/Makefile src/libstrongswan/plugins/blowfish/Makefile src/libstrongswan/plugins/md4/Makefile src/libstrongswan/plugins/md5/Makefile src/libstrongswan/plugins/sha1/Makefile src/libstrongswan/plugins/sha2/Makefile src/libstrongswan/plugins/fips_prf/Makefile src/libstrongswan/plugins/gmp/Makefile src/libstrongswan/plugins/random/Makefile src/libstrongswan/plugins/hmac/Makefile src/libstrongswan/plugins/xcbc/Makefile src/libstrongswan/plugins/x509/Makefile src/libstrongswan/plugins/revocation/Makefile src/libstrongswan/plugins/pubkey/Makefile src/libstrongswan/plugins/pkcs1/Makefile src/libstrongswan/plugins/pgp/Makefile src/libstrongswan/plugins/dnskey/Makefile src/libstrongswan/plugins/pem/Makefile src/libstrongswan/plugins/curl/Makefile src/libstrongswan/plugins/ldap/Makefile src/libstrongswan/plugins/mysql/Makefile src/libstrongswan/plugins/sqlite/Makefile src/libstrongswan/plugins/padlock/Makefile src/libstrongswan/plugins/openssl/Makefile src/libstrongswan/plugins/gcrypt/Makefile src/libstrongswan/plugins/agent/Makefile src/libstrongswan/plugins/pkcs11/Makefile src/libstrongswan/plugins/ctr/Makefile src/libstrongswan/plugins/ccm/Makefile src/libstrongswan/plugins/gcm/Makefile src/libstrongswan/plugins/test_vectors/Makefile src/libhydra/Makefile src/libhydra/plugins/attr/Makefile src/libhydra/plugins/attr_sql/Makefile src/libhydra/plugins/kernel_klips/Makefile src/libhydra/plugins/kernel_netlink/Makefile src/libhydra/plugins/kernel_pfkey/Makefile src/libhydra/plugins/kernel_pfroute/Makefile src/libhydra/plugins/resolve/Makefile src/libfreeswan/Makefile src/libsimaka/Makefile src/libtls/Makefile src/pluto/Makefile src/pluto/plugins/xauth/Makefile src/whack/Makefile src/charon/Makefile src/libcharon/Makefile src/libcharon/plugins/eap_aka/Makefile src/libcharon/plugins/eap_aka_3gpp2/Makefile src/libcharon/plugins/eap_identity/Makefile src/libcharon/plugins/eap_md5/Makefile src/libcharon/plugins/eap_gtc/Makefile src/libcharon/plugins/eap_sim/Makefile src/libcharon/plugins/eap_sim_file/Makefile src/libcharon/plugins/eap_simaka_sql/Makefile src/libcharon/plugins/eap_simaka_pseudonym/Makefile src/libcharon/plugins/eap_simaka_reauth/Makefile src/libcharon/plugins/eap_mschapv2/Makefile src/libcharon/plugins/eap_tls/Makefile src/libcharon/plugins/eap_ttls/Makefile src/libcharon/plugins/eap_tnc/Makefile src/libcharon/plugins/eap_radius/Makefile src/libcharon/plugins/tnc_imc/Makefile src/libcharon/plugins/tnc_imv/Makefile src/libcharon/plugins/tnccs_11/Makefile src/libcharon/plugins/tnccs_20/Makefile src/libcharon/plugins/socket_default/Makefile src/libcharon/plugins/socket_raw/Makefile src/libcharon/plugins/socket_dynamic/Makefile src/libcharon/plugins/farp/Makefile src/libcharon/plugins/smp/Makefile src/libcharon/plugins/sql/Makefile src/libcharon/plugins/medsrv/Makefile src/libcharon/plugins/medcli/Makefile src/libcharon/plugins/nm/Makefile src/libcharon/plugins/addrblock/Makefile src/libcharon/plugins/uci/Makefile src/libcharon/plugins/ha/Makefile src/libcharon/plugins/led/Makefile src/libcharon/plugins/android/Makefile src/libcharon/plugins/maemo/Makefile src/libcharon/plugins/stroke/Makefile src/libcharon/plugins/updown/Makefile src/libcharon/plugins/dhcp/Makefile src/libcharon/plugins/unit_tester/Makefile src/libcharon/plugins/load_tester/Makefile src/stroke/Makefile src/ipsec/Makefile src/starter/Makefile src/_updown/Makefile src/_updown_espmark/Makefile src/_copyright/Makefile src/openac/Makefile src/scepclient/Makefile src/pki/Makefile src/dumm/Makefile src/dumm/ext/extconf.rb src/libfast/Makefile src/manager/Makefile src/medsrv/Makefile src/checksum/Makefile scripts/Makefile testing/Makefile"
 
 cat >confcache <<\_ACEOF
 # This file is a shell script that caches the results of configure
@@ -17069,6 +18113,7 @@ DEFS=`sed -n "$ac_script" confdefs.h`
 
 ac_libobjs=
 ac_ltlibobjs=
+U=
 for ac_i in : $LIBOBJS; do test "x$ac_i" = x: && continue
   # 1. Remove the extension, and $U if already installed.
   ac_script='s/\$U\././;s/\.o$//;s/\.obj$//'
@@ -17092,376 +18137,432 @@ else
 fi
 
 if test -z "${AMDEP_TRUE}" && test -z "${AMDEP_FALSE}"; then
-  as_fn_error "conditional \"AMDEP\" was never defined.
+  as_fn_error $? "conditional \"AMDEP\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${am__fastdepCC_TRUE}" && test -z "${am__fastdepCC_FALSE}"; then
-  as_fn_error "conditional \"am__fastdepCC\" was never defined.
+  as_fn_error $? "conditional \"am__fastdepCC\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 
 if test -z "${USE_TEST_VECTORS_TRUE}" && test -z "${USE_TEST_VECTORS_FALSE}"; then
-  as_fn_error "conditional \"USE_TEST_VECTORS\" was never defined.
+  as_fn_error $? "conditional \"USE_TEST_VECTORS\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_CURL_TRUE}" && test -z "${USE_CURL_FALSE}"; then
-  as_fn_error "conditional \"USE_CURL\" was never defined.
+  as_fn_error $? "conditional \"USE_CURL\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_LDAP_TRUE}" && test -z "${USE_LDAP_FALSE}"; then
-  as_fn_error "conditional \"USE_LDAP\" was never defined.
+  as_fn_error $? "conditional \"USE_LDAP\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_AES_TRUE}" && test -z "${USE_AES_FALSE}"; then
-  as_fn_error "conditional \"USE_AES\" was never defined.
+  as_fn_error $? "conditional \"USE_AES\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_DES_TRUE}" && test -z "${USE_DES_FALSE}"; then
-  as_fn_error "conditional \"USE_DES\" was never defined.
+  as_fn_error $? "conditional \"USE_DES\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_BLOWFISH_TRUE}" && test -z "${USE_BLOWFISH_FALSE}"; then
-  as_fn_error "conditional \"USE_BLOWFISH\" was never defined.
+  as_fn_error $? "conditional \"USE_BLOWFISH\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_MD4_TRUE}" && test -z "${USE_MD4_FALSE}"; then
-  as_fn_error "conditional \"USE_MD4\" was never defined.
+  as_fn_error $? "conditional \"USE_MD4\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_MD5_TRUE}" && test -z "${USE_MD5_FALSE}"; then
-  as_fn_error "conditional \"USE_MD5\" was never defined.
+  as_fn_error $? "conditional \"USE_MD5\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_SHA1_TRUE}" && test -z "${USE_SHA1_FALSE}"; then
-  as_fn_error "conditional \"USE_SHA1\" was never defined.
+  as_fn_error $? "conditional \"USE_SHA1\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_SHA2_TRUE}" && test -z "${USE_SHA2_FALSE}"; then
-  as_fn_error "conditional \"USE_SHA2\" was never defined.
+  as_fn_error $? "conditional \"USE_SHA2\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_FIPS_PRF_TRUE}" && test -z "${USE_FIPS_PRF_FALSE}"; then
-  as_fn_error "conditional \"USE_FIPS_PRF\" was never defined.
+  as_fn_error $? "conditional \"USE_FIPS_PRF\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_GMP_TRUE}" && test -z "${USE_GMP_FALSE}"; then
-  as_fn_error "conditional \"USE_GMP\" was never defined.
+  as_fn_error $? "conditional \"USE_GMP\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_RANDOM_TRUE}" && test -z "${USE_RANDOM_FALSE}"; then
-  as_fn_error "conditional \"USE_RANDOM\" was never defined.
+  as_fn_error $? "conditional \"USE_RANDOM\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_X509_TRUE}" && test -z "${USE_X509_FALSE}"; then
-  as_fn_error "conditional \"USE_X509\" was never defined.
+  as_fn_error $? "conditional \"USE_X509\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_REVOCATION_TRUE}" && test -z "${USE_REVOCATION_FALSE}"; then
-  as_fn_error "conditional \"USE_REVOCATION\" was never defined.
+  as_fn_error $? "conditional \"USE_REVOCATION\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_PUBKEY_TRUE}" && test -z "${USE_PUBKEY_FALSE}"; then
-  as_fn_error "conditional \"USE_PUBKEY\" was never defined.
+  as_fn_error $? "conditional \"USE_PUBKEY\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_PKCS1_TRUE}" && test -z "${USE_PKCS1_FALSE}"; then
-  as_fn_error "conditional \"USE_PKCS1\" was never defined.
+  as_fn_error $? "conditional \"USE_PKCS1\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_PGP_TRUE}" && test -z "${USE_PGP_FALSE}"; then
-  as_fn_error "conditional \"USE_PGP\" was never defined.
+  as_fn_error $? "conditional \"USE_PGP\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_DNSKEY_TRUE}" && test -z "${USE_DNSKEY_FALSE}"; then
-  as_fn_error "conditional \"USE_DNSKEY\" was never defined.
+  as_fn_error $? "conditional \"USE_DNSKEY\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_PEM_TRUE}" && test -z "${USE_PEM_FALSE}"; then
-  as_fn_error "conditional \"USE_PEM\" was never defined.
+  as_fn_error $? "conditional \"USE_PEM\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_HMAC_TRUE}" && test -z "${USE_HMAC_FALSE}"; then
-  as_fn_error "conditional \"USE_HMAC\" was never defined.
+  as_fn_error $? "conditional \"USE_HMAC\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_XCBC_TRUE}" && test -z "${USE_XCBC_FALSE}"; then
-  as_fn_error "conditional \"USE_XCBC\" was never defined.
+  as_fn_error $? "conditional \"USE_XCBC\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_MYSQL_TRUE}" && test -z "${USE_MYSQL_FALSE}"; then
-  as_fn_error "conditional \"USE_MYSQL\" was never defined.
+  as_fn_error $? "conditional \"USE_MYSQL\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_SQLITE_TRUE}" && test -z "${USE_SQLITE_FALSE}"; then
-  as_fn_error "conditional \"USE_SQLITE\" was never defined.
+  as_fn_error $? "conditional \"USE_SQLITE\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_PADLOCK_TRUE}" && test -z "${USE_PADLOCK_FALSE}"; then
-  as_fn_error "conditional \"USE_PADLOCK\" was never defined.
+  as_fn_error $? "conditional \"USE_PADLOCK\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_OPENSSL_TRUE}" && test -z "${USE_OPENSSL_FALSE}"; then
-  as_fn_error "conditional \"USE_OPENSSL\" was never defined.
+  as_fn_error $? "conditional \"USE_OPENSSL\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_GCRYPT_TRUE}" && test -z "${USE_GCRYPT_FALSE}"; then
-  as_fn_error "conditional \"USE_GCRYPT\" was never defined.
+  as_fn_error $? "conditional \"USE_GCRYPT\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_AGENT_TRUE}" && test -z "${USE_AGENT_FALSE}"; then
-  as_fn_error "conditional \"USE_AGENT\" was never defined.
+  as_fn_error $? "conditional \"USE_AGENT\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
+if test -z "${USE_PKCS11_TRUE}" && test -z "${USE_PKCS11_FALSE}"; then
+  as_fn_error $? "conditional \"USE_PKCS11\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
+if test -z "${USE_CTR_TRUE}" && test -z "${USE_CTR_FALSE}"; then
+  as_fn_error $? "conditional \"USE_CTR\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
+if test -z "${USE_CCM_TRUE}" && test -z "${USE_CCM_FALSE}"; then
+  as_fn_error $? "conditional \"USE_CCM\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
+if test -z "${USE_GCM_TRUE}" && test -z "${USE_GCM_FALSE}"; then
+  as_fn_error $? "conditional \"USE_GCM\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_STROKE_TRUE}" && test -z "${USE_STROKE_FALSE}"; then
-  as_fn_error "conditional \"USE_STROKE\" was never defined.
+  as_fn_error $? "conditional \"USE_STROKE\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_MEDSRV_TRUE}" && test -z "${USE_MEDSRV_FALSE}"; then
-  as_fn_error "conditional \"USE_MEDSRV\" was never defined.
+  as_fn_error $? "conditional \"USE_MEDSRV\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_MEDCLI_TRUE}" && test -z "${USE_MEDCLI_FALSE}"; then
-  as_fn_error "conditional \"USE_MEDCLI\" was never defined.
+  as_fn_error $? "conditional \"USE_MEDCLI\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_NM_TRUE}" && test -z "${USE_NM_FALSE}"; then
-  as_fn_error "conditional \"USE_NM\" was never defined.
+  as_fn_error $? "conditional \"USE_NM\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_UCI_TRUE}" && test -z "${USE_UCI_FALSE}"; then
-  as_fn_error "conditional \"USE_UCI\" was never defined.
+  as_fn_error $? "conditional \"USE_UCI\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_ANDROID_TRUE}" && test -z "${USE_ANDROID_FALSE}"; then
-  as_fn_error "conditional \"USE_ANDROID\" was never defined.
+  as_fn_error $? "conditional \"USE_ANDROID\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
+if test -z "${USE_MAEMO_TRUE}" && test -z "${USE_MAEMO_FALSE}"; then
+  as_fn_error $? "conditional \"USE_MAEMO\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_SMP_TRUE}" && test -z "${USE_SMP_FALSE}"; then
-  as_fn_error "conditional \"USE_SMP\" was never defined.
+  as_fn_error $? "conditional \"USE_SMP\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_SQL_TRUE}" && test -z "${USE_SQL_FALSE}"; then
-  as_fn_error "conditional \"USE_SQL\" was never defined.
+  as_fn_error $? "conditional \"USE_SQL\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_UPDOWN_TRUE}" && test -z "${USE_UPDOWN_FALSE}"; then
-  as_fn_error "conditional \"USE_UPDOWN\" was never defined.
+  as_fn_error $? "conditional \"USE_UPDOWN\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_DHCP_TRUE}" && test -z "${USE_DHCP_FALSE}"; then
-  as_fn_error "conditional \"USE_DHCP\" was never defined.
+  as_fn_error $? "conditional \"USE_DHCP\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_UNIT_TESTS_TRUE}" && test -z "${USE_UNIT_TESTS_FALSE}"; then
-  as_fn_error "conditional \"USE_UNIT_TESTS\" was never defined.
+  as_fn_error $? "conditional \"USE_UNIT_TESTS\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_LOAD_TESTER_TRUE}" && test -z "${USE_LOAD_TESTER_FALSE}"; then
-  as_fn_error "conditional \"USE_LOAD_TESTER\" was never defined.
+  as_fn_error $? "conditional \"USE_LOAD_TESTER\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_HA_TRUE}" && test -z "${USE_HA_FALSE}"; then
-  as_fn_error "conditional \"USE_HA\" was never defined.
+  as_fn_error $? "conditional \"USE_HA\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
+if test -z "${USE_LED_TRUE}" && test -z "${USE_LED_FALSE}"; then
+  as_fn_error $? "conditional \"USE_LED\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_EAP_SIM_TRUE}" && test -z "${USE_EAP_SIM_FALSE}"; then
-  as_fn_error "conditional \"USE_EAP_SIM\" was never defined.
+  as_fn_error $? "conditional \"USE_EAP_SIM\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_EAP_SIM_FILE_TRUE}" && test -z "${USE_EAP_SIM_FILE_FALSE}"; then
-  as_fn_error "conditional \"USE_EAP_SIM_FILE\" was never defined.
+  as_fn_error $? "conditional \"USE_EAP_SIM_FILE\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_EAP_SIMAKA_SQL_TRUE}" && test -z "${USE_EAP_SIMAKA_SQL_FALSE}"; then
-  as_fn_error "conditional \"USE_EAP_SIMAKA_SQL\" was never defined.
+  as_fn_error $? "conditional \"USE_EAP_SIMAKA_SQL\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_EAP_SIMAKA_PSEUDONYM_TRUE}" && test -z "${USE_EAP_SIMAKA_PSEUDONYM_FALSE}"; then
-  as_fn_error "conditional \"USE_EAP_SIMAKA_PSEUDONYM\" was never defined.
+  as_fn_error $? "conditional \"USE_EAP_SIMAKA_PSEUDONYM\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_EAP_SIMAKA_REAUTH_TRUE}" && test -z "${USE_EAP_SIMAKA_REAUTH_FALSE}"; then
-  as_fn_error "conditional \"USE_EAP_SIMAKA_REAUTH\" was never defined.
+  as_fn_error $? "conditional \"USE_EAP_SIMAKA_REAUTH\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_EAP_IDENTITY_TRUE}" && test -z "${USE_EAP_IDENTITY_FALSE}"; then
-  as_fn_error "conditional \"USE_EAP_IDENTITY\" was never defined.
+  as_fn_error $? "conditional \"USE_EAP_IDENTITY\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_EAP_MD5_TRUE}" && test -z "${USE_EAP_MD5_FALSE}"; then
-  as_fn_error "conditional \"USE_EAP_MD5\" was never defined.
+  as_fn_error $? "conditional \"USE_EAP_MD5\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_EAP_GTC_TRUE}" && test -z "${USE_EAP_GTC_FALSE}"; then
-  as_fn_error "conditional \"USE_EAP_GTC\" was never defined.
+  as_fn_error $? "conditional \"USE_EAP_GTC\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_EAP_AKA_TRUE}" && test -z "${USE_EAP_AKA_FALSE}"; then
-  as_fn_error "conditional \"USE_EAP_AKA\" was never defined.
+  as_fn_error $? "conditional \"USE_EAP_AKA\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_EAP_AKA_3GPP2_TRUE}" && test -z "${USE_EAP_AKA_3GPP2_FALSE}"; then
-  as_fn_error "conditional \"USE_EAP_AKA_3GPP2\" was never defined.
+  as_fn_error $? "conditional \"USE_EAP_AKA_3GPP2\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_EAP_MSCHAPV2_TRUE}" && test -z "${USE_EAP_MSCHAPV2_FALSE}"; then
-  as_fn_error "conditional \"USE_EAP_MSCHAPV2\" was never defined.
+  as_fn_error $? "conditional \"USE_EAP_MSCHAPV2\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
+if test -z "${USE_EAP_TLS_TRUE}" && test -z "${USE_EAP_TLS_FALSE}"; then
+  as_fn_error $? "conditional \"USE_EAP_TLS\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
+if test -z "${USE_EAP_TTLS_TRUE}" && test -z "${USE_EAP_TTLS_FALSE}"; then
+  as_fn_error $? "conditional \"USE_EAP_TTLS\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
+if test -z "${USE_EAP_TNC_TRUE}" && test -z "${USE_EAP_TNC_FALSE}"; then
+  as_fn_error $? "conditional \"USE_EAP_TNC\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_EAP_RADIUS_TRUE}" && test -z "${USE_EAP_RADIUS_FALSE}"; then
-  as_fn_error "conditional \"USE_EAP_RADIUS\" was never defined.
+  as_fn_error $? "conditional \"USE_EAP_RADIUS\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
-if test -z "${USE_KERNEL_NETLINK_TRUE}" && test -z "${USE_KERNEL_NETLINK_FALSE}"; then
-  as_fn_error "conditional \"USE_KERNEL_NETLINK\" was never defined.
+if test -z "${USE_TNC_IMC_TRUE}" && test -z "${USE_TNC_IMC_FALSE}"; then
+  as_fn_error $? "conditional \"USE_TNC_IMC\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
-if test -z "${USE_KERNEL_PFKEY_TRUE}" && test -z "${USE_KERNEL_PFKEY_FALSE}"; then
-  as_fn_error "conditional \"USE_KERNEL_PFKEY\" was never defined.
+if test -z "${USE_TNC_IMV_TRUE}" && test -z "${USE_TNC_IMV_FALSE}"; then
+  as_fn_error $? "conditional \"USE_TNC_IMV\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
-if test -z "${USE_KERNEL_PFROUTE_TRUE}" && test -z "${USE_KERNEL_PFROUTE_FALSE}"; then
-  as_fn_error "conditional \"USE_KERNEL_PFROUTE\" was never defined.
+if test -z "${USE_TNCCS_11_TRUE}" && test -z "${USE_TNCCS_11_FALSE}"; then
+  as_fn_error $? "conditional \"USE_TNCCS_11\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
-if test -z "${USE_KERNEL_KLIPS_TRUE}" && test -z "${USE_KERNEL_KLIPS_FALSE}"; then
-  as_fn_error "conditional \"USE_KERNEL_KLIPS\" was never defined.
+if test -z "${USE_TNCCS_20_TRUE}" && test -z "${USE_TNCCS_20_FALSE}"; then
+  as_fn_error $? "conditional \"USE_TNCCS_20\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_SOCKET_DEFAULT_TRUE}" && test -z "${USE_SOCKET_DEFAULT_FALSE}"; then
-  as_fn_error "conditional \"USE_SOCKET_DEFAULT\" was never defined.
+  as_fn_error $? "conditional \"USE_SOCKET_DEFAULT\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_SOCKET_RAW_TRUE}" && test -z "${USE_SOCKET_RAW_FALSE}"; then
-  as_fn_error "conditional \"USE_SOCKET_RAW\" was never defined.
+  as_fn_error $? "conditional \"USE_SOCKET_RAW\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_SOCKET_DYNAMIC_TRUE}" && test -z "${USE_SOCKET_DYNAMIC_FALSE}"; then
-  as_fn_error "conditional \"USE_SOCKET_DYNAMIC\" was never defined.
+  as_fn_error $? "conditional \"USE_SOCKET_DYNAMIC\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_FARP_TRUE}" && test -z "${USE_FARP_FALSE}"; then
-  as_fn_error "conditional \"USE_FARP\" was never defined.
+  as_fn_error $? "conditional \"USE_FARP\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_ADDRBLOCK_TRUE}" && test -z "${USE_ADDRBLOCK_FALSE}"; then
-  as_fn_error "conditional \"USE_ADDRBLOCK\" was never defined.
+  as_fn_error $? "conditional \"USE_ADDRBLOCK\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_ATTR_TRUE}" && test -z "${USE_ATTR_FALSE}"; then
-  as_fn_error "conditional \"USE_ATTR\" was never defined.
+  as_fn_error $? "conditional \"USE_ATTR\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_ATTR_SQL_TRUE}" && test -z "${USE_ATTR_SQL_FALSE}"; then
-  as_fn_error "conditional \"USE_ATTR_SQL\" was never defined.
+  as_fn_error $? "conditional \"USE_ATTR_SQL\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
+if test -z "${USE_KERNEL_KLIPS_TRUE}" && test -z "${USE_KERNEL_KLIPS_FALSE}"; then
+  as_fn_error $? "conditional \"USE_KERNEL_KLIPS\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
+if test -z "${USE_KERNEL_NETLINK_TRUE}" && test -z "${USE_KERNEL_NETLINK_FALSE}"; then
+  as_fn_error $? "conditional \"USE_KERNEL_NETLINK\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
+if test -z "${USE_KERNEL_PFKEY_TRUE}" && test -z "${USE_KERNEL_PFKEY_FALSE}"; then
+  as_fn_error $? "conditional \"USE_KERNEL_PFKEY\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
+if test -z "${USE_KERNEL_PFROUTE_TRUE}" && test -z "${USE_KERNEL_PFROUTE_FALSE}"; then
+  as_fn_error $? "conditional \"USE_KERNEL_PFROUTE\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_RESOLVE_TRUE}" && test -z "${USE_RESOLVE_FALSE}"; then
-  as_fn_error "conditional \"USE_RESOLVE\" was never defined.
+  as_fn_error $? "conditional \"USE_RESOLVE\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_XAUTH_TRUE}" && test -z "${USE_XAUTH_FALSE}"; then
-  as_fn_error "conditional \"USE_XAUTH\" was never defined.
+  as_fn_error $? "conditional \"USE_XAUTH\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_SMARTCARD_TRUE}" && test -z "${USE_SMARTCARD_FALSE}"; then
-  as_fn_error "conditional \"USE_SMARTCARD\" was never defined.
+  as_fn_error $? "conditional \"USE_SMARTCARD\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_CISCO_QUIRKS_TRUE}" && test -z "${USE_CISCO_QUIRKS_FALSE}"; then
-  as_fn_error "conditional \"USE_CISCO_QUIRKS\" was never defined.
+  as_fn_error $? "conditional \"USE_CISCO_QUIRKS\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_LEAK_DETECTIVE_TRUE}" && test -z "${USE_LEAK_DETECTIVE_FALSE}"; then
-  as_fn_error "conditional \"USE_LEAK_DETECTIVE\" was never defined.
+  as_fn_error $? "conditional \"USE_LEAK_DETECTIVE\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_LOCK_PROFILER_TRUE}" && test -z "${USE_LOCK_PROFILER_FALSE}"; then
-  as_fn_error "conditional \"USE_LOCK_PROFILER\" was never defined.
+  as_fn_error $? "conditional \"USE_LOCK_PROFILER\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_NAT_TRANSPORT_TRUE}" && test -z "${USE_NAT_TRANSPORT_FALSE}"; then
-  as_fn_error "conditional \"USE_NAT_TRANSPORT\" was never defined.
+  as_fn_error $? "conditional \"USE_NAT_TRANSPORT\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_VENDORID_TRUE}" && test -z "${USE_VENDORID_FALSE}"; then
-  as_fn_error "conditional \"USE_VENDORID\" was never defined.
+  as_fn_error $? "conditional \"USE_VENDORID\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_XAUTH_VID_TRUE}" && test -z "${USE_XAUTH_VID_FALSE}"; then
-  as_fn_error "conditional \"USE_XAUTH_VID\" was never defined.
+  as_fn_error $? "conditional \"USE_XAUTH_VID\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_DUMM_TRUE}" && test -z "${USE_DUMM_FALSE}"; then
-  as_fn_error "conditional \"USE_DUMM\" was never defined.
+  as_fn_error $? "conditional \"USE_DUMM\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_FAST_TRUE}" && test -z "${USE_FAST_FALSE}"; then
-  as_fn_error "conditional \"USE_FAST\" was never defined.
+  as_fn_error $? "conditional \"USE_FAST\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_MANAGER_TRUE}" && test -z "${USE_MANAGER_FALSE}"; then
-  as_fn_error "conditional \"USE_MANAGER\" was never defined.
+  as_fn_error $? "conditional \"USE_MANAGER\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_ME_TRUE}" && test -z "${USE_ME_FALSE}"; then
-  as_fn_error "conditional \"USE_ME\" was never defined.
+  as_fn_error $? "conditional \"USE_ME\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_INTEGRITY_TEST_TRUE}" && test -z "${USE_INTEGRITY_TEST_FALSE}"; then
-  as_fn_error "conditional \"USE_INTEGRITY_TEST\" was never defined.
+  as_fn_error $? "conditional \"USE_INTEGRITY_TEST\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_LOAD_WARNING_TRUE}" && test -z "${USE_LOAD_WARNING_FALSE}"; then
-  as_fn_error "conditional \"USE_LOAD_WARNING\" was never defined.
+  as_fn_error $? "conditional \"USE_LOAD_WARNING\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_PLUTO_TRUE}" && test -z "${USE_PLUTO_FALSE}"; then
-  as_fn_error "conditional \"USE_PLUTO\" was never defined.
+  as_fn_error $? "conditional \"USE_PLUTO\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_THREADS_TRUE}" && test -z "${USE_THREADS_FALSE}"; then
-  as_fn_error "conditional \"USE_THREADS\" was never defined.
+  as_fn_error $? "conditional \"USE_THREADS\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_CHARON_TRUE}" && test -z "${USE_CHARON_FALSE}"; then
-  as_fn_error "conditional \"USE_CHARON\" was never defined.
+  as_fn_error $? "conditional \"USE_CHARON\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_TOOLS_TRUE}" && test -z "${USE_TOOLS_FALSE}"; then
-  as_fn_error "conditional \"USE_TOOLS\" was never defined.
+  as_fn_error $? "conditional \"USE_TOOLS\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_SCRIPTS_TRUE}" && test -z "${USE_SCRIPTS_FALSE}"; then
-  as_fn_error "conditional \"USE_SCRIPTS\" was never defined.
+  as_fn_error $? "conditional \"USE_SCRIPTS\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_LIBSTRONGSWAN_TRUE}" && test -z "${USE_LIBSTRONGSWAN_FALSE}"; then
-  as_fn_error "conditional \"USE_LIBSTRONGSWAN\" was never defined.
+  as_fn_error $? "conditional \"USE_LIBSTRONGSWAN\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_LIBHYDRA_TRUE}" && test -z "${USE_LIBHYDRA_FALSE}"; then
-  as_fn_error "conditional \"USE_LIBHYDRA\" was never defined.
+  as_fn_error $? "conditional \"USE_LIBHYDRA\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_FILE_CONFIG_TRUE}" && test -z "${USE_FILE_CONFIG_FALSE}"; then
-  as_fn_error "conditional \"USE_FILE_CONFIG\" was never defined.
+  as_fn_error $? "conditional \"USE_FILE_CONFIG\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_LIBCAP_TRUE}" && test -z "${USE_LIBCAP_FALSE}"; then
-  as_fn_error "conditional \"USE_LIBCAP\" was never defined.
+  as_fn_error $? "conditional \"USE_LIBCAP\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_VSTR_TRUE}" && test -z "${USE_VSTR_FALSE}"; then
-  as_fn_error "conditional \"USE_VSTR\" was never defined.
+  as_fn_error $? "conditional \"USE_VSTR\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_SIMAKA_TRUE}" && test -z "${USE_SIMAKA_FALSE}"; then
-  as_fn_error "conditional \"USE_SIMAKA\" was never defined.
+  as_fn_error $? "conditional \"USE_SIMAKA\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
+if test -z "${USE_TLS_TRUE}" && test -z "${USE_TLS_FALSE}"; then
+  as_fn_error $? "conditional \"USE_TLS\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${MONOLITHIC_TRUE}" && test -z "${MONOLITHIC_FALSE}"; then
-  as_fn_error "conditional \"MONOLITHIC\" was never defined.
+  as_fn_error $? "conditional \"MONOLITHIC\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 
@@ -17611,19 +18712,19 @@ export LANGUAGE
 (unset CDPATH) >/dev/null 2>&1 && unset CDPATH
 
 
-# as_fn_error ERROR [LINENO LOG_FD]
-# ---------------------------------
+# as_fn_error STATUS ERROR [LINENO LOG_FD]
+# ----------------------------------------
 # Output "`basename $0`: error: ERROR" to stderr. If LINENO and LOG_FD are
 # provided, also output the error to LOG_FD, referencing LINENO. Then exit the
-# script with status $?, using 1 if that was 0.
+# script with STATUS, using 1 if that was 0.
 as_fn_error ()
 {
-  as_status=$?; test $as_status -eq 0 && as_status=1
-  if test "$3"; then
-    as_lineno=${as_lineno-"$2"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
-    $as_echo "$as_me:${as_lineno-$LINENO}: error: $1" >&$3
+  as_status=$1; test $as_status -eq 0 && as_status=1
+  if test "$4"; then
+    as_lineno=${as_lineno-"$3"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
+    $as_echo "$as_me:${as_lineno-$LINENO}: error: $2" >&$4
   fi
-  $as_echo "$as_me: error: $1" >&2
+  $as_echo "$as_me: error: $2" >&2
   as_fn_exit $as_status
 } # as_fn_error
 
@@ -17819,7 +18920,7 @@ $as_echo X"$as_dir" |
       test -d "$as_dir" && break
     done
     test -z "$as_dirs" || eval "mkdir $as_dirs"
-  } || test -d "$as_dir" || as_fn_error "cannot create directory $as_dir"
+  } || test -d "$as_dir" || as_fn_error $? "cannot create directory $as_dir"
 
 
 } # as_fn_mkdir_p
@@ -17872,8 +18973,8 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by strongSwan $as_me 4.4.1, which was
-generated by GNU Autoconf 2.65.  Invocation command line was
+This file was extended by strongSwan $as_me 4.5.0, which was
+generated by GNU Autoconf 2.67.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
   CONFIG_HEADERS  = $CONFIG_HEADERS
@@ -17929,11 +19030,11 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-strongSwan config.status 4.4.1
-configured by $0, generated by GNU Autoconf 2.65,
+strongSwan config.status 4.5.0
+configured by $0, generated by GNU Autoconf 2.67,
   with options \\"\$ac_cs_config\\"
 
-Copyright (C) 2009 Free Software Foundation, Inc.
+Copyright (C) 2010 Free Software Foundation, Inc.
 This config.status script is free software; the Free Software Foundation
 gives unlimited permission to copy, distribute and modify it."
 
@@ -17951,11 +19052,16 @@ ac_need_defaults=:
 while test $# != 0
 do
   case $1 in
-  --*=*)
+  --*=?*)
     ac_option=`expr "X$1" : 'X\([^=]*\)='`
     ac_optarg=`expr "X$1" : 'X[^=]*=\(.*\)'`
     ac_shift=:
     ;;
+  --*=)
+    ac_option=`expr "X$1" : 'X\([^=]*\)='`
+    ac_optarg=
+    ac_shift=:
+    ;;
   *)
     ac_option=$1
     ac_optarg=$2
@@ -17977,6 +19083,7 @@ do
     $ac_shift
     case $ac_optarg in
     *\'*) ac_optarg=`$as_echo "$ac_optarg" | sed "s/'/'\\\\\\\\''/g"` ;;
+    '') as_fn_error $? "missing file argument" ;;
     esac
     as_fn_append CONFIG_FILES " '$ac_optarg'"
     ac_need_defaults=false;;
@@ -17987,7 +19094,7 @@ do
     ac_cs_silent=: ;;
 
   # This is an error.
-  -*) as_fn_error "unrecognized option: \`$1'
+  -*) as_fn_error $? "unrecognized option: \`$1'
 Try \`$0 --help' for more information." ;;
 
   *) as_fn_append ac_config_targets " $1"
@@ -18299,6 +19406,7 @@ do
     "depfiles") CONFIG_COMMANDS="$CONFIG_COMMANDS depfiles" ;;
     "libtool") CONFIG_COMMANDS="$CONFIG_COMMANDS libtool" ;;
     "Makefile") CONFIG_FILES="$CONFIG_FILES Makefile" ;;
+    "man/Makefile") CONFIG_FILES="$CONFIG_FILES man/Makefile" ;;
     "src/Makefile") CONFIG_FILES="$CONFIG_FILES src/Makefile" ;;
     "src/include/Makefile") CONFIG_FILES="$CONFIG_FILES src/include/Makefile" ;;
     "src/libstrongswan/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/Makefile" ;;
@@ -18329,13 +19437,22 @@ do
     "src/libstrongswan/plugins/openssl/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/openssl/Makefile" ;;
     "src/libstrongswan/plugins/gcrypt/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/gcrypt/Makefile" ;;
     "src/libstrongswan/plugins/agent/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/agent/Makefile" ;;
+    "src/libstrongswan/plugins/pkcs11/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/pkcs11/Makefile" ;;
+    "src/libstrongswan/plugins/ctr/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/ctr/Makefile" ;;
+    "src/libstrongswan/plugins/ccm/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/ccm/Makefile" ;;
+    "src/libstrongswan/plugins/gcm/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/gcm/Makefile" ;;
     "src/libstrongswan/plugins/test_vectors/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/test_vectors/Makefile" ;;
     "src/libhydra/Makefile") CONFIG_FILES="$CONFIG_FILES src/libhydra/Makefile" ;;
     "src/libhydra/plugins/attr/Makefile") CONFIG_FILES="$CONFIG_FILES src/libhydra/plugins/attr/Makefile" ;;
     "src/libhydra/plugins/attr_sql/Makefile") CONFIG_FILES="$CONFIG_FILES src/libhydra/plugins/attr_sql/Makefile" ;;
+    "src/libhydra/plugins/kernel_klips/Makefile") CONFIG_FILES="$CONFIG_FILES src/libhydra/plugins/kernel_klips/Makefile" ;;
+    "src/libhydra/plugins/kernel_netlink/Makefile") CONFIG_FILES="$CONFIG_FILES src/libhydra/plugins/kernel_netlink/Makefile" ;;
+    "src/libhydra/plugins/kernel_pfkey/Makefile") CONFIG_FILES="$CONFIG_FILES src/libhydra/plugins/kernel_pfkey/Makefile" ;;
+    "src/libhydra/plugins/kernel_pfroute/Makefile") CONFIG_FILES="$CONFIG_FILES src/libhydra/plugins/kernel_pfroute/Makefile" ;;
     "src/libhydra/plugins/resolve/Makefile") CONFIG_FILES="$CONFIG_FILES src/libhydra/plugins/resolve/Makefile" ;;
     "src/libfreeswan/Makefile") CONFIG_FILES="$CONFIG_FILES src/libfreeswan/Makefile" ;;
     "src/libsimaka/Makefile") CONFIG_FILES="$CONFIG_FILES src/libsimaka/Makefile" ;;
+    "src/libtls/Makefile") CONFIG_FILES="$CONFIG_FILES src/libtls/Makefile" ;;
     "src/pluto/Makefile") CONFIG_FILES="$CONFIG_FILES src/pluto/Makefile" ;;
     "src/pluto/plugins/xauth/Makefile") CONFIG_FILES="$CONFIG_FILES src/pluto/plugins/xauth/Makefile" ;;
     "src/whack/Makefile") CONFIG_FILES="$CONFIG_FILES src/whack/Makefile" ;;
@@ -18352,11 +19469,14 @@ do
     "src/libcharon/plugins/eap_simaka_pseudonym/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/eap_simaka_pseudonym/Makefile" ;;
     "src/libcharon/plugins/eap_simaka_reauth/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/eap_simaka_reauth/Makefile" ;;
     "src/libcharon/plugins/eap_mschapv2/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/eap_mschapv2/Makefile" ;;
+    "src/libcharon/plugins/eap_tls/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/eap_tls/Makefile" ;;
+    "src/libcharon/plugins/eap_ttls/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/eap_ttls/Makefile" ;;
+    "src/libcharon/plugins/eap_tnc/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/eap_tnc/Makefile" ;;
     "src/libcharon/plugins/eap_radius/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/eap_radius/Makefile" ;;
-    "src/libcharon/plugins/kernel_netlink/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/kernel_netlink/Makefile" ;;
-    "src/libcharon/plugins/kernel_pfkey/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/kernel_pfkey/Makefile" ;;
-    "src/libcharon/plugins/kernel_pfroute/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/kernel_pfroute/Makefile" ;;
-    "src/libcharon/plugins/kernel_klips/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/kernel_klips/Makefile" ;;
+    "src/libcharon/plugins/tnc_imc/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/tnc_imc/Makefile" ;;
+    "src/libcharon/plugins/tnc_imv/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/tnc_imv/Makefile" ;;
+    "src/libcharon/plugins/tnccs_11/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/tnccs_11/Makefile" ;;
+    "src/libcharon/plugins/tnccs_20/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/tnccs_20/Makefile" ;;
     "src/libcharon/plugins/socket_default/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/socket_default/Makefile" ;;
     "src/libcharon/plugins/socket_raw/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/socket_raw/Makefile" ;;
     "src/libcharon/plugins/socket_dynamic/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/socket_dynamic/Makefile" ;;
@@ -18369,7 +19489,9 @@ do
     "src/libcharon/plugins/addrblock/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/addrblock/Makefile" ;;
     "src/libcharon/plugins/uci/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/uci/Makefile" ;;
     "src/libcharon/plugins/ha/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/ha/Makefile" ;;
+    "src/libcharon/plugins/led/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/led/Makefile" ;;
     "src/libcharon/plugins/android/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/android/Makefile" ;;
+    "src/libcharon/plugins/maemo/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/maemo/Makefile" ;;
     "src/libcharon/plugins/stroke/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/stroke/Makefile" ;;
     "src/libcharon/plugins/updown/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/updown/Makefile" ;;
     "src/libcharon/plugins/dhcp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/dhcp/Makefile" ;;
@@ -18393,7 +19515,7 @@ do
     "scripts/Makefile") CONFIG_FILES="$CONFIG_FILES scripts/Makefile" ;;
     "testing/Makefile") CONFIG_FILES="$CONFIG_FILES testing/Makefile" ;;
 
-  *) as_fn_error "invalid argument: \`$ac_config_target'" "$LINENO" 5;;
+  *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5 ;;
   esac
 done
 
@@ -18430,7 +19552,7 @@ $debug ||
 {
   tmp=./conf$$-$RANDOM
   (umask 077 && mkdir "$tmp")
-} || as_fn_error "cannot create a temporary directory in ." "$LINENO" 5
+} || as_fn_error $? "cannot create a temporary directory in ." "$LINENO" 5
 
 # Set up the scripts for CONFIG_FILES section.
 # No need to generate them if there are no CONFIG_FILES.
@@ -18447,7 +19569,7 @@ if test "x$ac_cr" = x; then
 fi
 ac_cs_awk_cr=`$AWK 'BEGIN { print "a\rb" }' </dev/null 2>/dev/null`
 if test "$ac_cs_awk_cr" = "a${ac_cr}b"; then
-  ac_cs_awk_cr='\r'
+  ac_cs_awk_cr='\\r'
 else
   ac_cs_awk_cr=$ac_cr
 fi
@@ -18461,18 +19583,18 @@ _ACEOF
   echo "$ac_subst_vars" | sed 's/.*/&!$&$ac_delim/' &&
   echo "_ACEOF"
 } >conf$$subs.sh ||
-  as_fn_error "could not make $CONFIG_STATUS" "$LINENO" 5
-ac_delim_num=`echo "$ac_subst_vars" | grep -c '$'`
+  as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5
+ac_delim_num=`echo "$ac_subst_vars" | grep -c '^'`
 ac_delim='%!_!# '
 for ac_last_try in false false false false false :; do
   . ./conf$$subs.sh ||
-    as_fn_error "could not make $CONFIG_STATUS" "$LINENO" 5
+    as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5
 
   ac_delim_n=`sed -n "s/.*$ac_delim\$/X/p" conf$$subs.awk | grep -c X`
   if test $ac_delim_n = $ac_delim_num; then
     break
   elif $ac_last_try; then
-    as_fn_error "could not make $CONFIG_STATUS" "$LINENO" 5
+    as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5
   else
     ac_delim="$ac_delim!$ac_delim _$ac_delim!! "
   fi
@@ -18561,20 +19683,28 @@ if sed "s/$ac_cr//" < /dev/null > /dev/null 2>&1; then
 else
   cat
 fi < "$tmp/subs1.awk" > "$tmp/subs.awk" \
-  || as_fn_error "could not setup config files machinery" "$LINENO" 5
+  || as_fn_error $? "could not setup config files machinery" "$LINENO" 5
 _ACEOF
 
-# VPATH may cause trouble with some makes, so we remove $(srcdir),
-# ${srcdir} and @srcdir@ from VPATH if srcdir is ".", strip leading and
+# VPATH may cause trouble with some makes, so we remove sole $(srcdir),
+# ${srcdir} and @srcdir@ entries from VPATH if srcdir is ".", strip leading and
 # trailing colons and then remove the whole line if VPATH becomes empty
 # (actually we leave an empty line to preserve line numbers).
 if test "x$srcdir" = x.; then
-  ac_vpsub='/^[	 ]*VPATH[	 ]*=/{
-s/:*\$(srcdir):*/:/
-s/:*\${srcdir}:*/:/
-s/:*@srcdir@:*/:/
-s/^\([^=]*=[	 ]*\):*/\1/
+  ac_vpsub='/^[	 ]*VPATH[	 ]*=[	 ]*/{
+h
+s///
+s/^/:/
+s/[	 ]*$/:/
+s/:\$(srcdir):/:/g
+s/:\${srcdir}:/:/g
+s/:@srcdir@:/:/g
+s/^:*//
 s/:*$//
+x
+s/\(=[	 ]*\).*/\1/
+G
+s/\n//
 s/^[^=]*=[	 ]*$//
 }'
 fi
@@ -18592,7 +19722,7 @@ do
   esac
   case $ac_mode$ac_tag in
   :[FHL]*:*);;
-  :L* | :C*:*) as_fn_error "invalid tag \`$ac_tag'" "$LINENO" 5;;
+  :L* | :C*:*) as_fn_error $? "invalid tag \`$ac_tag'" "$LINENO" 5 ;;
   :[FH]-) ac_tag=-:-;;
   :[FH]*) ac_tag=$ac_tag:$ac_tag.in;;
   esac
@@ -18620,7 +19750,7 @@ do
 	   [\\/$]*) false;;
 	   *) test -f "$srcdir/$ac_f" && ac_f="$srcdir/$ac_f";;
 	   esac ||
-	   as_fn_error "cannot find input file: \`$ac_f'" "$LINENO" 5;;
+	   as_fn_error 1 "cannot find input file: \`$ac_f'" "$LINENO" 5 ;;
       esac
       case $ac_f in *\'*) ac_f=`$as_echo "$ac_f" | sed "s/'/'\\\\\\\\''/g"`;; esac
       as_fn_append ac_file_inputs " '$ac_f'"
@@ -18647,7 +19777,7 @@ $as_echo "$as_me: creating $ac_file" >&6;}
 
     case $ac_tag in
     *:-:* | *:-) cat >"$tmp/stdin" \
-      || as_fn_error "could not create $ac_file" "$LINENO" 5 ;;
+      || as_fn_error $? "could not create $ac_file" "$LINENO" 5  ;;
     esac
     ;;
   esac
@@ -18784,22 +19914,22 @@ s&@MKDIR_P@&$ac_MKDIR_P&;t t
 $ac_datarootdir_hack
 "
 eval sed \"\$ac_sed_extra\" "$ac_file_inputs" | $AWK -f "$tmp/subs.awk" >$tmp/out \
-  || as_fn_error "could not create $ac_file" "$LINENO" 5
+  || as_fn_error $? "could not create $ac_file" "$LINENO" 5
 
 test -z "$ac_datarootdir_hack$ac_datarootdir_seen" &&
   { ac_out=`sed -n '/\${datarootdir}/p' "$tmp/out"`; test -n "$ac_out"; } &&
   { ac_out=`sed -n '/^[	 ]*datarootdir[	 ]*:*=/p' "$tmp/out"`; test -z "$ac_out"; } &&
   { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $ac_file contains a reference to the variable \`datarootdir'
-which seems to be undefined.  Please make sure it is defined." >&5
+which seems to be undefined.  Please make sure it is defined" >&5
 $as_echo "$as_me: WARNING: $ac_file contains a reference to the variable \`datarootdir'
-which seems to be undefined.  Please make sure it is defined." >&2;}
+which seems to be undefined.  Please make sure it is defined" >&2;}
 
   rm -f "$tmp/stdin"
   case $ac_file in
   -) cat "$tmp/out" && rm -f "$tmp/out";;
   *) rm -f "$ac_file" && mv "$tmp/out" "$ac_file";;
   esac \
-  || as_fn_error "could not create $ac_file" "$LINENO" 5
+  || as_fn_error $? "could not create $ac_file" "$LINENO" 5
  ;;
 
 
@@ -19550,7 +20680,7 @@ _ACEOF
 ac_clean_files=$ac_clean_files_save
 
 test $ac_write_fail = 0 ||
-  as_fn_error "write failure creating $CONFIG_STATUS" "$LINENO" 5
+  as_fn_error $? "write failure creating $CONFIG_STATUS" "$LINENO" 5
 
 
 # configure is writing to config.log, and then calls config.status.
@@ -19571,7 +20701,7 @@ if test "$no_create" != yes; then
   exec 5>>config.log
   # Use ||, not &&, to avoid exiting from the if with $? = 1, which
   # would make configure fail if this is the last instruction.
-  $ac_cs_success || as_fn_exit $?
+  $ac_cs_success || as_fn_exit 1
 fi
 if test -n "$ac_unrecognized_opts" && test "$enable_option_checking" != no; then
   { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: unrecognized options: $ac_unrecognized_opts" >&5
diff --git a/configure.in b/configure.in
index d829071ea..83c35d614 100644
--- a/configure.in
+++ b/configure.in
@@ -16,7 +16,7 @@ dnl ===========================
 dnl  initialize & set some vars
 dnl ===========================
 
-AC_INIT(strongSwan,4.4.1)
+AC_INIT(strongSwan,4.5.0)
 AM_INIT_AUTOMAKE(tar-ustar)
 AC_CONFIG_MACRO_DIR([m4/config])
 PKG_PROG_PKG_CONFIG
@@ -100,18 +100,25 @@ ARG_ENABL_SET([leak-detective], [enable malloc hooks to find memory leaks.])
 ARG_ENABL_SET([lock-profiler],  [enable lock/mutex profiling code.])
 ARG_ENABL_SET([unit-tests],     [enable unit tests on IKEv2 daemon startup.])
 ARG_ENABL_SET([load-tester],    [enable load testing plugin for IKEv2 daemon.])
-ARG_ENABL_SET([eap-sim],        [enable SIM authenication module for EAP.])
+ARG_ENABL_SET([eap-sim],        [enable SIM authentication module for EAP.])
 ARG_ENABL_SET([eap-sim-file],   [enable EAP-SIM backend based on a triplet file.])
 ARG_ENABL_SET([eap-simaka-sql], [enable EAP-SIM/AKA backend based on a triplet/quintuplet SQL database.])
 ARG_ENABL_SET([eap-simaka-pseudonym], [enable EAP-SIM/AKA pseudonym storage plugin.])
 ARG_ENABL_SET([eap-simaka-reauth],    [enable EAP-SIM/AKA reauthentication data storage plugin.])
 ARG_ENABL_SET([eap-identity],   [enable EAP module providing EAP-Identity helper.])
-ARG_ENABL_SET([eap-md5],        [enable EAP MD5 (CHAP) authenication module.])
-ARG_ENABL_SET([eap-gtc],        [enable PAM based EAP GTC authenication module.])
+ARG_ENABL_SET([eap-md5],        [enable EAP MD5 (CHAP) authentication module.])
+ARG_ENABL_SET([eap-gtc],        [enable PAM based EAP GTC authentication module.])
 ARG_ENABL_SET([eap-aka],        [enable EAP AKA authentication module.])
 ARG_ENABL_SET([eap-aka-3gpp2],  [enable EAP AKA backend implementing 3GPP2 algorithms in software. Requires libgmp.])
-ARG_ENABL_SET([eap-mschapv2],   [enable EAP MS-CHAPv2 authenication module.])
-ARG_ENABL_SET([eap-radius],     [enable RADIUS proxy authenication module.])
+ARG_ENABL_SET([eap-mschapv2],   [enable EAP MS-CHAPv2 authentication module.])
+ARG_ENABL_SET([eap-tls],        [enable EAP TLS authentication module.])
+ARG_ENABL_SET([eap-ttls],       [enable EAP TTLS authentication module.])
+ARG_ENABL_SET([eap-tnc],        [enable EAP TNC trusted network connect module.])
+ARG_ENABL_SET([eap-radius],     [enable RADIUS proxy authentication module.])
+ARG_ENABL_SET([tnc-imc],        [enable TNC IMC module.])
+ARG_ENABL_SET([tnc-imv],        [enable TNC IMV module.])
+ARG_ENABL_SET([tnccs-11],       [enable TNCCS 1.1 protocol module.])
+ARG_ENABL_SET([tnccs-20],       [enable TNCCS 2.0 protocol module.])
 ARG_DISBL_SET([kernel-netlink], [disable the netlink kernel interface.])
 ARG_ENABL_SET([kernel-pfkey],   [enable the PF_KEY kernel interface.])
 ARG_ENABL_SET([kernel-pfroute], [enable the PF_ROUTE kernel interface.])
@@ -144,11 +151,17 @@ ARG_ENABL_SET([padlock],        [enables VIA Padlock crypto plugin.])
 ARG_ENABL_SET([openssl],        [enables the OpenSSL crypto plugin.])
 ARG_ENABL_SET([gcrypt],         [enables the libgcrypt plugin.])
 ARG_ENABL_SET([agent],          [enables the ssh-agent signing plugin.])
+ARG_ENABL_SET([pkcs11],         [enables the PKCS11 token support plugin.])
+ARG_ENABL_SET([ctr],            [enables the Counter Mode wrapper crypto plugin.])
+ARG_ENABL_SET([ccm],            [enables the CCM AEAD wrapper crypto plugin.])
+ARG_ENABL_SET([gcm],            [enables the GCM AEAD wrapper crypto plugin.])
 ARG_ENABL_SET([addrblock],      [enables RFC 3779 address block constraint support.])
 ARG_ENABL_SET([uci],            [enable OpenWRT UCI configuration plugin.])
 ARG_ENABL_SET([android],        [enable Android specific plugin.])
+ARG_ENABL_SET([maemo],          [enable Maemo specific plugin.])
 ARG_ENABL_SET([nm],             [enable NetworkManager plugin.])
 ARG_ENABL_SET([ha],             [enable high availability cluster plugin.])
+ARG_ENABL_SET([led],            [enable plugin to control LEDs on IKEv2 activity using the Linux kernel LED subsystem.])
 ARG_ENABL_SET([vstr],           [enforce using the Vstr string library to replace glibc-like printf hooks.])
 ARG_ENABL_SET([monolithic],     [build monolithic version of libstrongswan that includes all enabled plugins. Similarly, the plugins of charon are assembled in libcharon.])
 
@@ -224,6 +237,10 @@ if test x$eap_sim = xtrue; then
 	simaka=true;
 fi
 
+if test x$eap_tls = xtrue -o x$eap_ttls = xtrue; then
+	tls=true;
+fi
+
 if test x$fips_prf = xtrue; then
 	if test x$openssl = xfalse; then
 		sha1=true;
@@ -590,6 +607,10 @@ if test x$gcrypt = xtrue; then
 	)
 fi
 
+if test x$tnccs_11 = xtrue -o x$tnc_imc = xtrue -o x$tnc_imv = xtrue; then
+	AC_CHECK_HEADER([libtnc.h],,[AC_MSG_ERROR([libtnc header libtnc.h not found!])])
+fi
+
 if test x$uci = xtrue; then
 	AC_HAVE_LIBRARY([uci],[LIBS="$LIBS"],[AC_MSG_ERROR([UCI library libuci not found])])
 	AC_CHECK_HEADER([uci.h],,[AC_MSG_ERROR([UCI header uci.h not found!])])
@@ -604,6 +625,14 @@ if test x$android = xtrue; then
 	AC_SUBST(DLLIB)
 fi
 
+if test x$maemo = xtrue; then
+	PKG_CHECK_MODULES(maemo, [glib-2.0 gthread-2.0 libosso osso-af-settings])
+	AC_SUBST(maemo_CFLAGS)
+	AC_SUBST(maemo_LIBS)
+	dbusservicedir="/usr/share/dbus-1/system-services"
+	AC_SUBST(dbusservicedir)
+fi
+
 if test x$nm = xtrue; then
 	PKG_CHECK_EXISTS([libnm-glib],
 		[PKG_CHECK_MODULES(nm, [NetworkManager gthread-2.0 libnm-glib libnm-glib-vpn])],
@@ -654,136 +683,124 @@ if test x$integrity_test = xtrue; then
 	)
 fi
 
-dnl ==========================================================
-dnl  collect all plugins for libstrongswan, libhydra and pluto
-dnl ==========================================================
+dnl ==============================================
+dnl  collect plugin list for strongSwan components
+dnl ==============================================
 
-libstrongswan_plugins=
-libhydra_plugins=
-pluto_plugins=
+m4_include(m4/macros/add-plugin.m4)
 
-if test x$test_vectors = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" test-vectors"
-	pluto_plugins=${pluto_plugins}" test-vectors"
-fi
-if test x$curl = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" curl"
-	pluto_plugins=${pluto_plugins}" curl"
-fi
-if test x$ldap = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" ldap"
-	pluto_plugins=${pluto_plugins}" ldap"
-fi
-if test x$aes = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" aes"
-	pluto_plugins=${pluto_plugins}" aes"
-fi
-if test x$des = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" des"
-	pluto_plugins=${pluto_plugins}" des"
-fi
-if test x$blowfish = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" blowfish"
-	pluto_plugins=${pluto_plugins}" blowfish"
-fi
-if test x$sha1 = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" sha1"
-	pluto_plugins=${pluto_plugins}" sha1"
-fi
-if test x$sha2 = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" sha2"
-	pluto_plugins=${pluto_plugins}" sha2"
-fi
-if test x$md4 = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" md4"
-fi
-if test x$md5 = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" md5"
-	pluto_plugins=${pluto_plugins}" md5"
-fi
-if test x$random = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" random"
-	pluto_plugins=${pluto_plugins}" random"
-fi
-if test x$x509 = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" x509"
-	pluto_plugins=${pluto_plugins}" x509"
-fi
-if test x$revocation = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" revocation"
-fi
-if test x$pubkey = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" pubkey"
-	pluto_plugins=${pluto_plugins}" pubkey"
-fi
-if test x$pkcs1 = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" pkcs1"
-	pluto_plugins=${pluto_plugins}" pkcs1"
-fi
-if test x$pgp = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" pgp"
-	pluto_plugins=${pluto_plugins}" pgp"
-fi
-if test x$dnskey = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" dnskey"
-	pluto_plugins=${pluto_plugins}" dnskey"
-fi
-if test x$pem = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" pem"
-	pluto_plugins=${pluto_plugins}" pem"
-fi
-if test x$mysql = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" mysql"
-	pluto_plugins=${pluto_plugins}" mysql"
-fi
-if test x$sqlite = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" sqlite"
-	pluto_plugins=${pluto_plugins}" sqlite"
-fi
-if test x$padlock = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" padlock"
-fi
-if test x$openssl = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" openssl"
-	pluto_plugins=${pluto_plugins}" openssl"
-fi
-if test x$gcrypt = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" gcrypt"
-	pluto_plugins=${pluto_plugins}" gcrypt"
-fi
-if test x$fips_prf = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" fips-prf"
-fi
-if test x$xcbc = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" xcbc"
-fi
-if test x$hmac = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" hmac"
-	pluto_plugins=${pluto_plugins}" hmac"
-fi
-if test x$agent = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" agent"
-fi
-if test x$gmp = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" gmp"
-	pluto_plugins=${pluto_plugins}" gmp"
-fi
-if test x$xauth = xtrue; then
-	pluto_plugins=${pluto_plugins}" xauth"
-fi
-if test x$attr = xtrue; then
-	libhydra_plugins=${libhydra_plugins}" attr"
-fi
-if test x$attr_sql = xtrue -o x$sql = xtrue; then
-	libhydra_plugins=${libhydra_plugins}" attr-sql"
-fi
-if test x$resolve = xtrue; then
-	libhydra_plugins=${libhydra_plugins}" resolve"
-fi
-
-AC_SUBST(libstrongswan_plugins)
-AC_SUBST(libhydra_plugins)
+# plugin lists for all components
+libcharon_plugins=
+pluto_plugins=
+pool_plugins=
+openac_plugins=
+scepclient_plugins=
+pki_plugins=
+scripts_plugins=
+manager_plugins=
+medsrv_plugins=
+
+# location specific lists for checksumming,
+# for src/libcharon, src/pluto, src/libhydra and src/libstrongswan
+c_plugins=
+p_plugins=
+h_plugins=
+s_plugins=
+
+ADD_PLUGIN([test-vectors],         [s libcharon pluto openac scepclient pki])
+ADD_PLUGIN([curl],                 [s libcharon pluto scepclient])
+ADD_PLUGIN([ldap],                 [s libcharon pluto scepclient])
+ADD_PLUGIN([mysql],                [s libcharon pluto pool manager medsrv])
+ADD_PLUGIN([sqlite],               [s libcharon pluto pool manager medsrv])
+ADD_PLUGIN([aes],                  [s libcharon pluto openac scepclient pki scripts])
+ADD_PLUGIN([des],                  [s libcharon pluto openac scepclient pki scripts])
+ADD_PLUGIN([blowfish],             [s libcharon pluto openac scepclient pki scripts])
+ADD_PLUGIN([sha1],                 [s libcharon pluto openac scepclient pki scripts medsrv])
+ADD_PLUGIN([sha2],                 [s libcharon pluto openac scepclient pki scripts medsrv])
+ADD_PLUGIN([md4],                  [s libcharon openac manager scepclient pki])
+ADD_PLUGIN([md5],                  [s libcharon pluto openac scepclient pki])
+ADD_PLUGIN([random],               [s libcharon pluto openac scepclient pki scripts medsrv])
+ADD_PLUGIN([x509],                 [s libcharon pluto openac scepclient pki scripts])
+ADD_PLUGIN([revocation],           [s libcharon])
+ADD_PLUGIN([pubkey],               [s libcharon])
+ADD_PLUGIN([pkcs1],                [s libcharon pluto openac scepclient pki scripts manager medsrv])
+ADD_PLUGIN([pgp],                  [s libcharon pluto])
+ADD_PLUGIN([dnskey],               [s pluto])
+ADD_PLUGIN([pem],                  [s libcharon pluto openac scepclient pki scripts manager medsrv])
+ADD_PLUGIN([padlock],              [s libcharon])
+ADD_PLUGIN([openssl],              [s libcharon pluto openac scepclient pki scripts manager medsrv])
+ADD_PLUGIN([gcrypt],               [s libcharon pluto openac scepclient pki scripts manager medsrv])
+ADD_PLUGIN([fips-prf],             [s libcharon])
+ADD_PLUGIN([gmp],                  [s libcharon pluto openac scepclient pki scripts manager medsrv])
+ADD_PLUGIN([agent],                [s libcharon])
+ADD_PLUGIN([pkcs11],               [s libcharon pki])
+ADD_PLUGIN([xcbc],                 [s libcharon])
+ADD_PLUGIN([hmac],                 [s libcharon pluto scripts])
+ADD_PLUGIN([ctr],                  [s libcharon scripts])
+ADD_PLUGIN([ccm],                  [s libcharon scripts])
+ADD_PLUGIN([gcm],                  [s libcharon scripts])
+ADD_PLUGIN([xauth],                [p pluto])
+ADD_PLUGIN([attr],                 [h libcharon pluto])
+ADD_PLUGIN([attr-sql],             [h libcharon pluto])
+ADD_PLUGIN([kernel-pfkey],         [h libcharon pluto])
+ADD_PLUGIN([kernel-pfroute],       [h libcharon pluto])
+ADD_PLUGIN([kernel-klips],         [h libcharon pluto])
+ADD_PLUGIN([kernel-netlink],       [h libcharon pluto])
+ADD_PLUGIN([resolve],              [h libcharon pluto])
+ADD_PLUGIN([load-tester],          [c libcharon])
+ADD_PLUGIN([socket-default],       [c libcharon])
+ADD_PLUGIN([socket-raw],           [c libcharon])
+ADD_PLUGIN([socket-dynamic],       [c libcharon])
+ADD_PLUGIN([farp],                 [c libcharon])
+ADD_PLUGIN([stroke],               [c libcharon])
+ADD_PLUGIN([smp],                  [c libcharon])
+ADD_PLUGIN([sql],                  [c libcharon])
+ADD_PLUGIN([updown],               [c libcharon])
+ADD_PLUGIN([eap-identity],         [c libcharon])
+ADD_PLUGIN([eap-sim],              [c libcharon])
+ADD_PLUGIN([eap-sim-file],         [c libcharon])
+ADD_PLUGIN([eap-simaka-sql],       [c libcharon])
+ADD_PLUGIN([eap-simaka-pseudonym], [c libcharon])
+ADD_PLUGIN([eap-simaka-reauth],    [c libcharon])
+ADD_PLUGIN([eap-aka],              [c libcharon])
+ADD_PLUGIN([eap-aka-3gpp2],        [c libcharon])
+ADD_PLUGIN([eap-md5],              [c libcharon])
+ADD_PLUGIN([eap-gtc],              [c libcharon])
+ADD_PLUGIN([eap-mschapv2],         [c libcharon])
+ADD_PLUGIN([eap-radius],           [c libcharon])
+ADD_PLUGIN([eap-tls],              [c libcharon])
+ADD_PLUGIN([eap-ttls],             [c libcharon])
+ADD_PLUGIN([eap-tnc],              [c libcharon])
+ADD_PLUGIN([tnc-imc],              [c libcharon])
+ADD_PLUGIN([tnc-imv],              [c libcharon])
+ADD_PLUGIN([tnccs-11],             [c libcharon])
+ADD_PLUGIN([tnccs-20],             [c libcharon])
+ADD_PLUGIN([medsrv],               [c libcharon])
+ADD_PLUGIN([medcli],               [c libcharon])
+ADD_PLUGIN([nm],                   [c libcharon])
+ADD_PLUGIN([dhcp],                 [c libcharon])
+ADD_PLUGIN([android],              [c libcharon])
+ADD_PLUGIN([ha],                   [c libcharon])
+ADD_PLUGIN([led],                  [c libcharon])
+ADD_PLUGIN([maemo],                [c libcharon])
+ADD_PLUGIN([uci],                  [c libcharon])
+ADD_PLUGIN([addrblock],            [c libcharon])
+ADD_PLUGIN([unit-tester],          [c libcharon])
+
+AC_SUBST(libcharon_plugins)
 AC_SUBST(pluto_plugins)
+AC_SUBST(pool_plugins)
+AC_SUBST(openac_plugins)
+AC_SUBST(scepclient_plugins)
+AC_SUBST(pki_plugins)
+AC_SUBST(scripts_plugins)
+AC_SUBST(manager_plugins)
+AC_SUBST(medsrv_plugins)
+
+AC_SUBST(c_plugins)
+AC_SUBST(p_plugins)
+AC_SUBST(h_plugins)
+AC_SUBST(s_plugins)
 
 dnl =========================
 dnl  set Makefile.am vars
@@ -819,6 +836,10 @@ AM_CONDITIONAL(USE_PADLOCK, test x$padlock = xtrue)
 AM_CONDITIONAL(USE_OPENSSL, test x$openssl = xtrue)
 AM_CONDITIONAL(USE_GCRYPT, test x$gcrypt = xtrue)
 AM_CONDITIONAL(USE_AGENT, test x$agent = xtrue)
+AM_CONDITIONAL(USE_PKCS11, test x$pkcs11 = xtrue)
+AM_CONDITIONAL(USE_CTR, test x$ctr = xtrue)
+AM_CONDITIONAL(USE_CCM, test x$ccm = xtrue)
+AM_CONDITIONAL(USE_GCM, test x$gcm = xtrue)
 
 dnl charon plugins
 dnl ==============
@@ -828,6 +849,7 @@ AM_CONDITIONAL(USE_MEDCLI, test x$medcli = xtrue)
 AM_CONDITIONAL(USE_NM, test x$nm = xtrue)
 AM_CONDITIONAL(USE_UCI, test x$uci = xtrue)
 AM_CONDITIONAL(USE_ANDROID, test x$android = xtrue)
+AM_CONDITIONAL(USE_MAEMO, test x$maemo = xtrue)
 AM_CONDITIONAL(USE_SMP, test x$smp = xtrue)
 AM_CONDITIONAL(USE_SQL, test x$sql = xtrue)
 AM_CONDITIONAL(USE_UPDOWN, test x$updown = xtrue)
@@ -835,6 +857,7 @@ AM_CONDITIONAL(USE_DHCP, test x$dhcp = xtrue)
 AM_CONDITIONAL(USE_UNIT_TESTS, test x$unit_tests = xtrue)
 AM_CONDITIONAL(USE_LOAD_TESTER, test x$load_tester = xtrue)
 AM_CONDITIONAL(USE_HA, test x$ha = xtrue)
+AM_CONDITIONAL(USE_LED, test x$led = xtrue)
 AM_CONDITIONAL(USE_EAP_SIM, test x$eap_sim = xtrue)
 AM_CONDITIONAL(USE_EAP_SIM_FILE, test x$eap_sim_file = xtrue)
 AM_CONDITIONAL(USE_EAP_SIMAKA_SQL, test x$eap_simaka_sql = xtrue)
@@ -846,11 +869,14 @@ AM_CONDITIONAL(USE_EAP_GTC, test x$eap_gtc = xtrue)
 AM_CONDITIONAL(USE_EAP_AKA, test x$eap_aka = xtrue)
 AM_CONDITIONAL(USE_EAP_AKA_3GPP2, test x$eap_aka_3gpp2 = xtrue)
 AM_CONDITIONAL(USE_EAP_MSCHAPV2, test x$eap_mschapv2 = xtrue)
+AM_CONDITIONAL(USE_EAP_TLS, test x$eap_tls = xtrue)
+AM_CONDITIONAL(USE_EAP_TTLS, test x$eap_ttls = xtrue)
+AM_CONDITIONAL(USE_EAP_TNC, test x$eap_tnc = xtrue)
 AM_CONDITIONAL(USE_EAP_RADIUS, test x$eap_radius = xtrue)
-AM_CONDITIONAL(USE_KERNEL_NETLINK, test x$kernel_netlink = xtrue)
-AM_CONDITIONAL(USE_KERNEL_PFKEY, test x$kernel_pfkey = xtrue)
-AM_CONDITIONAL(USE_KERNEL_PFROUTE, test x$kernel_pfroute = xtrue)
-AM_CONDITIONAL(USE_KERNEL_KLIPS, test x$kernel_klips = xtrue)
+AM_CONDITIONAL(USE_TNC_IMC, test x$tnc_imc = xtrue)
+AM_CONDITIONAL(USE_TNC_IMV, test x$tnc_imv = xtrue)
+AM_CONDITIONAL(USE_TNCCS_11, test x$tnccs_11 = xtrue)
+AM_CONDITIONAL(USE_TNCCS_20, test x$tnccs_20 = xtrue)
 AM_CONDITIONAL(USE_SOCKET_DEFAULT, test x$socket_default = xtrue)
 AM_CONDITIONAL(USE_SOCKET_RAW, test x$socket_raw = xtrue)
 AM_CONDITIONAL(USE_SOCKET_DYNAMIC, test x$socket_dynamic = xtrue)
@@ -861,6 +887,10 @@ dnl hydra plugins
 dnl =============
 AM_CONDITIONAL(USE_ATTR, test x$attr = xtrue)
 AM_CONDITIONAL(USE_ATTR_SQL, test x$attr_sql = xtrue -o x$sql = xtrue)
+AM_CONDITIONAL(USE_KERNEL_KLIPS, test x$kernel_klips = xtrue)
+AM_CONDITIONAL(USE_KERNEL_NETLINK, test x$kernel_netlink = xtrue)
+AM_CONDITIONAL(USE_KERNEL_PFKEY, test x$kernel_pfkey = xtrue)
+AM_CONDITIONAL(USE_KERNEL_PFROUTE, test x$kernel_pfroute = xtrue)
 AM_CONDITIONAL(USE_RESOLVE, test x$resolve = xtrue)
 
 dnl pluto plugins
@@ -893,6 +923,7 @@ AM_CONDITIONAL(USE_FILE_CONFIG, test x$pluto = xtrue -o x$stroke = xtrue)
 AM_CONDITIONAL(USE_LIBCAP, test x$capabilities = xlibcap)
 AM_CONDITIONAL(USE_VSTR, test x$vstr = xtrue)
 AM_CONDITIONAL(USE_SIMAKA, test x$simaka = xtrue)
+AM_CONDITIONAL(USE_TLS, test x$tls = xtrue)
 AM_CONDITIONAL(MONOLITHIC, test x$monolithic = xtrue)
 
 dnl ==============================
@@ -916,6 +947,7 @@ dnl ==============================
 
 AC_OUTPUT(
 	Makefile
+	man/Makefile
 	src/Makefile
 	src/include/Makefile
 	src/libstrongswan/Makefile
@@ -946,13 +978,22 @@ AC_OUTPUT(
 	src/libstrongswan/plugins/openssl/Makefile
 	src/libstrongswan/plugins/gcrypt/Makefile
 	src/libstrongswan/plugins/agent/Makefile
+	src/libstrongswan/plugins/pkcs11/Makefile
+	src/libstrongswan/plugins/ctr/Makefile
+	src/libstrongswan/plugins/ccm/Makefile
+	src/libstrongswan/plugins/gcm/Makefile
 	src/libstrongswan/plugins/test_vectors/Makefile
 	src/libhydra/Makefile
 	src/libhydra/plugins/attr/Makefile
 	src/libhydra/plugins/attr_sql/Makefile
+	src/libhydra/plugins/kernel_klips/Makefile
+	src/libhydra/plugins/kernel_netlink/Makefile
+	src/libhydra/plugins/kernel_pfkey/Makefile
+	src/libhydra/plugins/kernel_pfroute/Makefile
 	src/libhydra/plugins/resolve/Makefile
 	src/libfreeswan/Makefile
 	src/libsimaka/Makefile
+	src/libtls/Makefile
 	src/pluto/Makefile
 	src/pluto/plugins/xauth/Makefile
 	src/whack/Makefile
@@ -969,11 +1010,14 @@ AC_OUTPUT(
 	src/libcharon/plugins/eap_simaka_pseudonym/Makefile
 	src/libcharon/plugins/eap_simaka_reauth/Makefile
 	src/libcharon/plugins/eap_mschapv2/Makefile
+	src/libcharon/plugins/eap_tls/Makefile
+	src/libcharon/plugins/eap_ttls/Makefile
+	src/libcharon/plugins/eap_tnc/Makefile
 	src/libcharon/plugins/eap_radius/Makefile
-	src/libcharon/plugins/kernel_netlink/Makefile
-	src/libcharon/plugins/kernel_pfkey/Makefile
-	src/libcharon/plugins/kernel_pfroute/Makefile
-	src/libcharon/plugins/kernel_klips/Makefile
+	src/libcharon/plugins/tnc_imc/Makefile
+	src/libcharon/plugins/tnc_imv/Makefile
+	src/libcharon/plugins/tnccs_11/Makefile
+	src/libcharon/plugins/tnccs_20/Makefile
 	src/libcharon/plugins/socket_default/Makefile
 	src/libcharon/plugins/socket_raw/Makefile
 	src/libcharon/plugins/socket_dynamic/Makefile
@@ -986,7 +1030,9 @@ AC_OUTPUT(
 	src/libcharon/plugins/addrblock/Makefile
 	src/libcharon/plugins/uci/Makefile
 	src/libcharon/plugins/ha/Makefile
+	src/libcharon/plugins/led/Makefile
 	src/libcharon/plugins/android/Makefile
+	src/libcharon/plugins/maemo/Makefile
 	src/libcharon/plugins/stroke/Makefile
 	src/libcharon/plugins/updown/Makefile
 	src/libcharon/plugins/dhcp/Makefile
diff --git a/m4/macros/add-plugin.m4 b/m4/macros/add-plugin.m4
new file mode 100644
index 000000000..4986a5449
--- /dev/null
+++ b/m4/macros/add-plugin.m4
@@ -0,0 +1,10 @@
+# ADD_PLUGIN(plugin, category list)
+# -----------------------------------
+# Append the plugin name $1 to the category list variable $2_plugin
+AC_DEFUN([ADD_PLUGIN],
+	if test [patsubst(x$$1, [-], [_])] = xtrue; then
+		[m4_foreach_w([category], [$2],
+			[m4_format([%s_plugins=${%s_plugins}" $1"], category, category)]
+		)]
+	fi
+)
diff --git a/man/Makefile.am b/man/Makefile.am
new file mode 100644
index 000000000..a74a901b8
--- /dev/null
+++ b/man/Makefile.am
@@ -0,0 +1,11 @@
+dist_man_MANS = ipsec.conf.5 ipsec.secrets.5 strongswan.conf.5
+EXTRA_DIST = ipsec.conf.5.in ipsec.secrets.5.in strongswan.conf.5.in
+CLEANFILES = ipsec.conf.5 ipsec.secrets.5 strongswan.conf.5
+
+SUFFIXES = .in
+
+.in:
+	sed \
+	-e "s:@IPSEC_VERSION@:$(PACKAGE_VERSION):" \
+	$(srcdir)/$@.in > $@
+
diff --git a/man/Makefile.in b/man/Makefile.in
new file mode 100644
index 000000000..4388e318b
--- /dev/null
+++ b/man/Makefile.in
@@ -0,0 +1,507 @@
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = man
+DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.am \
+	$(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+SOURCES =
+DIST_SOURCES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+man5dir = $(mandir)/man5
+am__installdirs = "$(DESTDIR)$(man5dir)"
+NROFF = nroff
+MANS = $(dist_man_MANS)
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+dist_man_MANS = ipsec.conf.5 ipsec.secrets.5 strongswan.conf.5
+EXTRA_DIST = ipsec.conf.5.in ipsec.secrets.5.in strongswan.conf.5.in
+CLEANFILES = ipsec.conf.5 ipsec.secrets.5 strongswan.conf.5
+SUFFIXES = .in
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .in
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu man/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu man/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+install-man5: $(dist_man_MANS)
+	@$(NORMAL_INSTALL)
+	test -z "$(man5dir)" || $(MKDIR_P) "$(DESTDIR)$(man5dir)"
+	@list=''; test -n "$(man5dir)" || exit 0; \
+	{ for i in $$list; do echo "$$i"; done; \
+	l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \
+	  sed -n '/\.5[a-z]*$$/p'; \
+	} | while read p; do \
+	  if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
+	  echo "$$d$$p"; echo "$$p"; \
+	done | \
+	sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^5][0-9a-z]*$$,5,;x' \
+	      -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \
+	sed 'N;N;s,\n, ,g' | { \
+	list=; while read file base inst; do \
+	  if test "$$base" = "$$inst"; then list="$$list $$file"; else \
+	    echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man5dir)/$$inst'"; \
+	    $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man5dir)/$$inst" || exit $$?; \
+	  fi; \
+	done; \
+	for i in $$list; do echo "$$i"; done | $(am__base_list) | \
+	while read files; do \
+	  test -z "$$files" || { \
+	    echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man5dir)'"; \
+	    $(INSTALL_DATA) $$files "$(DESTDIR)$(man5dir)" || exit $$?; }; \
+	done; }
+
+uninstall-man5:
+	@$(NORMAL_UNINSTALL)
+	@list=''; test -n "$(man5dir)" || exit 0; \
+	files=`{ for i in $$list; do echo "$$i"; done; \
+	l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \
+	  sed -n '/\.5[a-z]*$$/p'; \
+	} | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^5][0-9a-z]*$$,5,;x' \
+	      -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
+	test -z "$$files" || { \
+	  echo " ( cd '$(DESTDIR)$(man5dir)' && rm -f" $$files ")"; \
+	  cd "$(DESTDIR)$(man5dir)" && rm -f $$files; }
+tags: TAGS
+TAGS:
+
+ctags: CTAGS
+CTAGS:
+
+
+distdir: $(DISTFILES)
+	@list='$(MANS)'; if test -n "$$list"; then \
+	  list=`for p in $$list; do \
+	    if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
+	    if test -f "$$d$$p"; then echo "$$d$$p"; else :; fi; done`; \
+	  if test -n "$$list" && \
+	    grep 'ab help2man is required to generate this page' $$list >/dev/null; then \
+	    echo "error: found man pages containing the \`missing help2man' replacement text:" >&2; \
+	    grep -l 'ab help2man is required to generate this page' $$list | sed 's/^/         /' >&2; \
+	    echo "       to fix them, install help2man, remove and regenerate the man pages;" >&2; \
+	    echo "       typically \`make maintainer-clean' will remove them" >&2; \
+	    exit 1; \
+	  else :; fi; \
+	else :; fi
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(MANS)
+installdirs:
+	for dir in "$(DESTDIR)$(man5dir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool mostlyclean-am
+
+distclean: distclean-am
+	-rm -f Makefile
+distclean-am: clean-am distclean-generic
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-man
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man: install-man5
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-generic mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-man
+
+uninstall-man: uninstall-man5
+
+.MAKE: install-am install-strip
+
+.PHONY: all all-am check check-am clean clean-generic clean-libtool \
+	distclean distclean-generic distclean-libtool distdir dvi \
+	dvi-am html html-am info info-am install install-am \
+	install-data install-data-am install-dvi install-dvi-am \
+	install-exec install-exec-am install-html install-html-am \
+	install-info install-info-am install-man install-man5 \
+	install-pdf install-pdf-am install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	uninstall uninstall-am uninstall-man uninstall-man5
+
+
+.in:
+	sed \
+	-e "s:@IPSEC_VERSION@:$(PACKAGE_VERSION):" \
+	$(srcdir)/$@.in > $@
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/man/ipsec.conf.5 b/man/ipsec.conf.5
new file mode 100644
index 000000000..b1e60b280
--- /dev/null
+++ b/man/ipsec.conf.5
@@ -0,0 +1,1358 @@
+.TH IPSEC.CONF 5 "2010-10-19" "4.5.0rc2" "strongSwan"
+.SH NAME
+ipsec.conf \- IPsec configuration and connections
+.SH DESCRIPTION
+The optional
+.I ipsec.conf
+file
+specifies most configuration and control information for the
+strongSwan IPsec subsystem.
+The major exception is secrets for authentication;
+see
+.IR ipsec.secrets (5).
+Its contents are not security-sensitive.
+.PP
+The file is a text file, consisting of one or more
+.IR sections .
+White space followed by
+.B #
+followed by anything to the end of the line
+is a comment and is ignored,
+as are empty lines which are not within a section.
+.PP
+A line which contains
+.B include
+and a file name, separated by white space,
+is replaced by the contents of that file,
+preceded and followed by empty lines.
+If the file name is not a full pathname,
+it is considered to be relative to the directory containing the
+including file.
+Such inclusions can be nested.
+Only a single filename may be supplied, and it may not contain white space,
+but it may include shell wildcards (see
+.IR sh (1));
+for example:
+.PP
+.B include
+.B "ipsec.*.conf"
+.PP
+The intention of the include facility is mostly to permit keeping
+information on connections, or sets of connections,
+separate from the main configuration file.
+This permits such connection descriptions to be changed,
+copied to the other security gateways involved, etc.,
+without having to constantly extract them from the configuration
+file and then insert them back into it.
+Note also the
+.B also
+parameter (described below) which permits splitting a single logical
+section (e.g. a connection description) into several actual sections.
+.PP
+A section
+begins with a line of the form:
+.PP
+.I type
+.I name
+.PP
+where
+.I type
+indicates what type of section follows, and
+.I name
+is an arbitrary name which distinguishes the section from others
+of the same type.
+Names must start with a letter and may contain only
+letters, digits, periods, underscores, and hyphens.
+All subsequent non-empty lines
+which begin with white space are part of the section;
+comments within a section must begin with white space too.
+There may be only one section of a given type with a given name.
+.PP
+Lines within the section are generally of the form
+.PP
+\ \ \ \ \ \fIparameter\fB=\fIvalue\fR
+.PP
+(note the mandatory preceding white space).
+There can be white space on either side of the
+.BR = .
+Parameter names follow the same syntax as section names,
+and are specific to a section type.
+Unless otherwise explicitly specified,
+no parameter name may appear more than once in a section.
+.PP
+An empty
+.I value
+stands for the system default value (if any) of the parameter,
+i.e. it is roughly equivalent to omitting the parameter line entirely.
+A
+.I value
+may contain white space only if the entire
+.I value
+is enclosed in double quotes (\fB"\fR);
+a
+.I value
+cannot itself contain a double quote,
+nor may it be continued across more than one line.
+.PP
+Numeric values are specified to be either an ``integer''
+(a sequence of digits) or a ``decimal number''
+(sequence of digits optionally followed by `.' and another sequence of digits).
+.PP
+There is currently one parameter which is available in any type of
+section:
+.TP
+.B also
+the value is a section name;
+the parameters of that section are appended to this section,
+as if they had been written as part of it.
+The specified section must exist, must follow the current one,
+and must have the same section type.
+(Nesting is permitted,
+and there may be more than one
+.B also
+in a single section,
+although it is forbidden to append the same section more than once.)
+.PP
+A section with name
+.B %default
+specifies defaults for sections of the same type.
+For each parameter in it,
+any section of that type which does not have a parameter of the same name
+gets a copy of the one from the
+.B %default
+section.
+There may be multiple
+.B %default
+sections of a given type,
+but only one default may be supplied for any specific parameter name,
+and all
+.B %default
+sections of a given type must precede all non-\c
+.B %default
+sections of that type.
+.B %default
+sections may not contain the
+.B also
+parameter.
+.PP
+Currently there are three types of sections:
+a
+.B config
+section specifies general configuration information for IPsec, a
+.B conn
+section specifies an IPsec connection, while a
+.B ca
+section specifies special properties of a certification authority.
+.SH "CONN SECTIONS"
+A
+.B conn
+section contains a
+.IR "connection specification" ,
+defining a network connection to be made using IPsec.
+The name given is arbitrary, and is used to identify the connection.
+Here's a simple example:
+.PP
+.ne 10
+.nf
+.ft B
+.ta 1c
+conn snt
+	left=192.168.0.1
+	leftsubnet=10.1.0.0/16
+	right=192.168.0.2
+	rightsubnet=10.1.0.0/16
+	keyingtries=%forever
+	auto=add
+.ft
+.fi
+.PP
+A note on terminology: There are two kinds of communications going on:
+transmission of user IP packets, and gateway-to-gateway negotiations for
+keying, rekeying, and general control.
+The path to control the connection is called 'ISAKMP SA' in IKEv1
+and 'IKE SA' in the IKEv2 protocol. That what is being negotiated, the kernel
+level data path, is called 'IPsec SA' or 'Child SA'.
+strongSwan currently uses two separate keying daemons. \fIpluto\fP handles
+all IKEv1 connections, \fIcharon\fP is the daemon handling the IKEv2
+protocol.
+.PP
+To avoid trivial editing of the configuration file to suit it to each system
+involved in a connection,
+connection specifications are written in terms of
+.I left
+and
+.I right
+participants,
+rather than in terms of local and remote.
+Which participant is considered
+.I left
+or
+.I right
+is arbitrary;
+for every connection description an attempt is made to figure out whether
+the local endpoint should act as the
+.I left
+or
+.I right
+endpoint. This is done by matching the IP addresses defined for both endpoints
+with the IP addresses assigned to local network interfaces. If a match is found
+then the role (left or right) that matches is going to be considered local.
+If no match is found during startup,
+.I left
+is considered local.
+This permits using identical connection specifications on both ends.
+There are cases where there is no symmetry; a good convention is to
+use
+.I left
+for the local side and
+.I right
+for the remote side (the first letters are a good mnemonic).
+.PP
+Many of the parameters relate to one participant or the other;
+only the ones for
+.I left
+are listed here, but every parameter whose name begins with
+.B left
+has a
+.B right
+counterpart,
+whose description is the same but with
+.B left
+and
+.B right
+reversed.
+.PP
+Parameters are optional unless marked '(required)'.
+.SS "CONN PARAMETERS"
+Unless otherwise noted, for a connection to work,
+in general it is necessary for the two ends to agree exactly
+on the values of these parameters.
+.TP
+.BR aaa_identity " = <id>"
+defines the identity of the AAA backend used during IKEv2 EAP authentication.
+This is required if the EAP client uses a method that verifies the server
+identity (such as EAP-TLS), but it does not match the IKEv2 gateway identity.
+.TP
+.BR also " = <name>"
+includes conn section
+.BR <name> .
+.TP
+.BR auth " = " esp " | ah"
+whether authentication should be done as part of
+ESP encryption, or separately using the AH protocol;
+acceptable values are
+.B esp
+(the default) and
+.BR ah .
+.br
+The IKEv2 daemon currently supports ESP only.
+.TP
+.BR authby " = " pubkey " | rsasig | ecdsasig | psk | eap | never | xauth..."
+how the two security gateways should authenticate each other;
+acceptable values are
+.B psk
+or
+.B secret
+for pre-shared secrets,
+.B pubkey
+(the default) for public key signatures as well as the synonyms
+.B rsasig
+for RSA digital signatures and
+.B ecdsasig
+for Elliptic Curve DSA signatures.
+.B never
+can be used if negotiation is never to be attempted or accepted (useful for
+shunt-only conns).
+Digital signatures are superior in every way to shared secrets.
+IKEv1 additionally supports the values
+.B xauthpsk
+and
+.B xauthrsasig
+that will enable eXtended AUTHentication (XAUTH) in addition to IKEv1 main mode
+based on shared secrets  or digital RSA signatures, respectively.
+IKEv2 additionally supports the value
+.BR eap ,
+which indicates an initiator to request EAP authentication. The EAP method
+to use is selected by the server (see
+.BR eap ).
+This parameter is deprecated for IKEv2 connections, as two peers do not need
+to agree on an authentication method. Use the
+.B leftauth
+parameter instead to define authentication methods in IKEv2.
+.TP
+.BR auto " = " ignore " | add | route | start"
+what operation, if any, should be done automatically at IPsec startup;
+currently-accepted values are
+.BR add ,
+.BR route ,
+.B start
+and
+.B ignore
+(the default).
+.B add
+loads a connection without starting it.
+.B route
+loads a connection and installs kernel traps. If traffic is detected between
+.B leftsubnet
+and
+.B rightsubnet
+, a connection is established.
+.B start
+loads a connection and brings it up immediatly.
+.B ignore
+ignores the connection. This is equal to delete a connection from the config
+file.
+Relevant only locally, other end need not agree on it
+(but in general, for an intended-to-be-permanent connection,
+both ends should use
+.B auto=start
+to ensure that any reboot causes immediate renegotiation).
+.TP
+.BR compress " = yes | " no
+whether IPComp compression of content is proposed on the connection
+(link-level compression does not work on encrypted data,
+so to be effective, compression must be done \fIbefore\fR encryption);
+acceptable values are
+.B yes
+and
+.B no
+(the default). A value of
+.B yes
+causes IPsec to propose both compressed and uncompressed,
+and prefer compressed.
+A value of
+.B no
+prevents IPsec from proposing compression;
+a proposal to compress will still be accepted.
+.TP
+.BR dpdaction " = " none " | clear | hold | restart"
+controls the use of the Dead Peer Detection protocol (DPD, RFC 3706) where
+R_U_THERE notification messages (IKEv1) or empty INFORMATIONAL messages (IKEv2)
+are periodically sent in order to check the
+liveliness of the IPsec peer. The values
+.BR clear ,
+.BR hold ,
+and
+.B restart
+all activate DPD. If no activity is detected, all connections with a dead peer
+are stopped and unrouted
+.RB ( clear ),
+put in the hold state
+.RB ( hold )
+or restarted
+.RB ( restart ).
+For IKEv1, the default is
+.B none
+which disables the active sending of R_U_THERE notifications.
+Nevertheless pluto will always send the DPD Vendor ID during connection set up
+in order to signal the readiness to act passively as a responder if the peer
+wants to use DPD. For IKEv2,
+.B none
+does't make sense, since all messages are used to detect dead peers. If specified,
+it has the same meaning as the default
+.RB ( clear ).
+.TP
+.BR dpddelay " = " 30s " | <time>"
+defines the period time interval with which R_U_THERE messages/INFORMATIONAL
+exchanges are sent to the peer. These are only sent if no other traffic is
+received. In IKEv2, a value of 0 sends no additional INFORMATIONAL
+messages and uses only standard messages (such as those to rekey) to detect
+dead peers.
+.TP
+.BR dpdtimeout " = " 150s " | <time>"
+defines the timeout interval, after which all connections to a peer are deleted
+in case of inactivity. This only applies to IKEv1, in IKEv2 the default
+retransmission timeout applies, as every exchange is used to detect dead peers.
+See
+.IR strongswan.conf (5)
+for a description of the IKEv2 retransmission timeout.
+.TP
+.BR inactivity " = <time>"
+defines the timeout interval, after which a CHILD_SA is closed if it did
+not send or receive any traffic. Currently supported in IKEv2 connections only.
+.TP
+.BR eap " = md5 | mschapv2 | radius | ... | <type> | <type>-<vendor>
+defines the EAP type to propose as server if the client requests EAP
+authentication. Currently supported values are
+.B aka
+for EAP-AKA,
+.B gtc
+for EAP-GTC,
+.B md5
+for EAP-MD5,
+.B mschapv2
+for EAP-MS-CHAPv2,
+.B radius
+for the EAP-RADIUS proxy and
+.B sim
+for EAP-SIM. Additionally, IANA assigned EAP method numbers are accepted, or a
+definition in the form
+.B eap=type-vendor
+(e.g. eap=7-12345) can be used to specify vendor specific EAP types.
+This parameter is deprecated in the favour of
+.B leftauth.
+
+To forward EAP authentication to a RADIUS server using the EAP-RADIUS plugin,
+set
+.BR eap=radius .
+.TP
+.BR eap_identity " = <id>"
+defines the identity the client uses to reply to a EAP Identity request.
+If defined on the EAP server, the defined identity will be used as peer
+identity during EAP authentication. The special value
+.B %identity
+uses the EAP Identity method to ask the client for an EAP identity. If not
+defined, the IKEv2 identity will be used as EAP identity.
+.TP
+.BR esp " = <cipher suites>"
+comma-separated list of ESP encryption/authentication algorithms to be used
+for the connection, e.g.
+.BR aes128-sha256 .
+The notation is
+.BR encryption-integrity-[dh-group] .
+.br
+If
+.B dh-group
+is specified, CHILD_SA setup and rekeying include a separate diffe hellman
+exchange (IKEv2 only).
+.TP
+.BR forceencaps " = yes | " no
+force UDP encapsulation for ESP packets even if no NAT situation is detected.
+This may help to surmount restrictive firewalls. In order to force the peer to
+encapsulate packets, NAT detection payloads are faked (IKEv2 only).
+.TP
+.BR ike " = <cipher suites>"
+comma-separated list of IKE/ISAKMP SA encryption/authentication algorithms
+to be used, e.g.
+.BR aes128-sha1-modp2048 .
+The notation is
+.BR encryption-integrity-dhgroup .
+In IKEv2, multiple algorithms and proposals may be included, such as
+.B aes128-aes256-sha1-modp1536-modp2048,3des-sha1-md5-modp1024.
+.TP
+.BR ikelifetime " = " 3h " | <time>"
+how long the keying channel of a connection (ISAKMP or IKE SA)
+should last before being renegotiated. Also see EXPIRY/REKEY below.
+.TP
+.BR installpolicy " = " yes " | no"
+decides whether IPsec policies are installed in the kernel by the IKEv2
+charon daemon for a given connection. Allows peaceful cooperation e.g. with
+the Mobile IPv6 daemon mip6d who wants to control the kernel policies.
+Acceptable values are
+.B yes
+(the default) and
+.BR no .
+.TP
+.BR keyexchange " = " ike " | ikev1 | ikev2"
+method of key exchange;
+which protocol should be used to initialize the connection. Connections marked with
+.B ikev1
+are initiated with pluto, those marked with
+.B ikev2
+with charon. An incoming request from the remote peer is handled by the correct
+daemon, unaffected from the
+.B keyexchange
+setting. Starting with strongSwan 4.5 the default value
+.B ike
+is a synonym for
+.BR ikev2 ,
+whereas in older strongSwan releases
+.B ikev1
+was assumed.
+.TP
+.BR keyingtries " = " %forever " | <number>"
+how many attempts (a whole number or \fB%forever\fP) should be made to
+negotiate a connection, or a replacement for one, before giving up
+(default
+.BR %forever ).
+The value \fB%forever\fP
+means 'never give up'.
+Relevant only locally, other end need not agree on it.
+.TP
+.B keylife
+synonym for
+.BR lifetime .
+.TP
+.BR left " = <ip address> | <fqdn> | %defaultroute | " %any
+(required)
+the IP address of the left participant's public-network interface
+or one of several magic values.
+If it is
+.BR %defaultroute ,
+.B left
+will be filled in automatically with the local address
+of the default-route interface (as determined at IPsec startup time and
+during configuration update).
+Either
+.B left
+or
+.B right
+may be
+.BR %defaultroute ,
+but not both.
+The prefix
+.B  %
+in front of a fully-qualified domain name or an IP address will implicitly set
+.B leftallowany=yes.
+If the domain name cannot be resolved into an IP address at IPsec startup or
+update time then
+.B left=%any
+and
+.B leftallowany=no
+will be assumed.
+
+In case of an IKEv2 connection, the value
+.B %any
+for the local endpoint signifies an address to be filled in (by automatic
+keying) during negotiation. If the local peer initiates the connection setup
+the routing table will be queried to determine the correct local IP address.
+In case the local peer is responding to a connection setup then any IP address
+that is assigned to a local interface will be accepted.
+.br
+Note that specifying
+.B %any
+for the local endpoint is not supported by the IKEv1 pluto daemon.
+
+If
+.B %any
+is used for the remote endpoint it literally means any IP address.
+
+Please note that with the usage of wildcards multiple connection descriptions
+might match a given incoming connection attempt. The most specific description
+is used in that case.
+.TP
+.BR leftallowany " = yes | " no
+a modifier for
+.B left
+, making it behave as
+.B %any
+although a concrete IP address has been assigned.
+Recommended for dynamic IP addresses that can be resolved by DynDNS at IPsec
+startup or update time.
+Acceptable values are
+.B yes
+and
+.B no
+(the default).
+.TP
+.BR leftauth " = <auth method>"
+Authentication method to use locally (left) or require from the remote (right)
+side.
+This parameter is supported in IKEv2 only. Acceptable values are
+.B pubkey
+for public key authentication (RSA/ECDSA),
+.B psk
+for pre-shared key authentication and
+.B eap
+to (require the) use of the Extensible Authentication Protocol. In the case
+of
+.B eap,
+an optional EAP method can be appended. Currently defined methods are
+.BR eap-aka ,
+.BR eap-gtc ,
+.BR eap-md5 ,
+.BR eap-tls ,
+.B eap-mschapv2
+and
+.BR eap-sim .
+Alternatively, IANA assigned EAP method numbers are accepted. Vendor specific
+EAP methods are defined in the form
+.B eap-type-vendor
+.RB "(e.g. " eap-7-12345 ).
+.TP
+.BR leftauth2 " = <auth method>"
+Same as
+.BR leftauth ,
+but defines an additional authentication exchange. IKEv2 supports multiple
+authentication rounds using "Multiple Authentication Exchanges" defined
+in RFC4739. This allows, for example, separated authentication
+of host and user (IKEv2 only).
+.TP
+.BR leftca " = <issuer dn> | %same"
+the distinguished name of a certificate authority which is required to
+lie in the trust path going from the left participant's certificate up
+to the root certification authority.
+.TP
+.BR leftca2 " = <issuer dn> | %same"
+Same as
+.BR leftca ,
+but for the second authentication round (IKEv2 only).
+.TP
+.BR leftcert " = <path>"
+the path to the left participant's X.509 certificate. The file can be encoded
+either in PEM or DER format. OpenPGP certificates are supported as well.
+Both absolute paths or paths relative to \fI/etc/ipsec.d/certs\fP
+are accepted. By default
+.B leftcert
+sets
+.B leftid
+to the distinguished name of the certificate's subject and
+.B leftca
+to the distinguished name of the certificate's issuer.
+The left participant's ID can be overriden by specifying a
+.B leftid
+value which must be certified by the certificate, though.
+.TP
+.BR leftcert2 " = <path>"
+Same as
+.B leftcert,
+but for the second authentication round (IKEv2 only).
+.TP
+.BR leftfirewall " = yes | " no
+whether the left participant is doing forwarding-firewalling
+(including masquerading) using iptables for traffic from \fIleftsubnet\fR,
+which should be turned off (for traffic to the other subnet)
+once the connection is established;
+acceptable values are
+.B yes
+and
+.B no
+(the default).
+May not be used in the same connection description with
+.BR leftupdown .
+Implemented as a parameter to the default \fBipsec _updown\fR script.
+See notes below.
+Relevant only locally, other end need not agree on it.
+
+If one or both security gateways are doing forwarding firewalling
+(possibly including masquerading),
+and this is specified using the firewall parameters,
+tunnels established with IPsec are exempted from it
+so that packets can flow unchanged through the tunnels.
+(This means that all subnets connected in this manner must have
+distinct, non-overlapping subnet address blocks.)
+This is done by the default \fBipsec _updown\fR script (see
+.IR pluto (8)).
+
+In situations calling for more control,
+it may be preferable for the user to supply his own
+.I updown
+script,
+which makes the appropriate adjustments for his system.
+.TP
+.BR leftgroups " = <group list>"
+a comma separated list of group names. If the
+.B leftgroups
+parameter is present then the peer must be a member of at least one
+of the groups defined by the parameter. Group membership must be certified
+by a valid attribute certificate stored in \fI/etc/ipsec.d/acerts/\fP thas has
+been issued to the peer by a trusted Authorization Authority stored in
+\fI/etc/ipsec.d/aacerts/\fP.
+.br
+Attribute certificates are not supported in IKEv2 yet.
+.TP
+.BR lefthostaccess " = yes | " no
+inserts a pair of INPUT and OUTPUT iptables rules using the default
+\fBipsec _updown\fR script, thus allowing access to the host itself
+in the case where the host's internal interface is part of the
+negotiated client subnet.
+Acceptable values are
+.B yes
+and
+.B no
+(the default).
+.TP
+.BR leftid " = <id>"
+how the left participant should be identified for authentication;
+defaults to
+.BR left .
+Can be an IP address or a fully-qualified domain name preceded by
+.B @
+(which is used as a literal string and not resolved).
+.TP
+.BR leftid2 " = <id>"
+identity to use for a second authentication for the left participant
+(IKEv2 only); defaults to
+.BR leftid .
+.TP
+.BR leftikeport " = <port>"
+UDP port the left participant uses for IKE communication. Currently supported in
+IKEv2 connections only. If unspecified, port 500 is used with the port floating
+to 4500 if a NAT is detected or MOBIKE is enabled. Specifying a local IKE port
+different from the default additionally requires a socket implementation that
+listens to this port.
+.TP
+.BR leftnexthop " = %direct | %defaultroute | <ip address> | <fqdn>"
+this parameter is usually not needed any more because the NETKEY IPsec stack
+does not require explicit routing entries for the traffic to be tunneled. If
+.B leftsourceip
+is used with IKEv1 then
+.B leftnexthop
+must still be set in order for the source routes to work properly.
+.TP
+.BR leftprotoport " = <protocol>/<port>"
+restrict the traffic selector to a single protocol and/or port.
+Examples:
+.B leftprotoport=tcp/http
+or
+.B leftprotoport=6/80
+or
+.B leftprotoport=udp
+.TP
+.BR leftrsasigkey " = " %cert " | <raw rsa public key>"
+the left participant's
+public key for RSA signature authentication,
+in RFC 2537 format using
+.IR ttodata (3)
+encoding.
+The magic value
+.B %none
+means the same as not specifying a value (useful to override a default).
+The value
+.B %cert
+(the default)
+means that the key is extracted from a certificate.
+The identity used for the left participant
+must be a specific host, not
+.B %any
+or another magic value.
+.B Caution:
+if two connection descriptions
+specify different public keys for the same
+.BR leftid ,
+confusion and madness will ensue.
+.TP
+.BR leftsendcert " = never | no | " ifasked " | always | yes"
+Accepted values are
+.B never
+or
+.BR no ,
+.B always
+or
+.BR yes ,
+and
+.BR ifasked " (the default),"
+the latter meaning that the peer must send a certificate request payload in
+order to get a certificate in return.
+.TP
+.BR leftsourceip " = %config | %cfg | %modeconfig | %modecfg | <ip address>"
+The internal source IP to use in a tunnel, also known as virtual IP. If the
+value is one of the synonyms
+.BR %config ,
+.BR %cfg ,
+.BR %modeconfig ,
+or
+.BR %modecfg ,
+an address is requested from the peer. In IKEv2, a statically defined address
+is also requested, since the server may change it.
+.TP
+.BR rightsourceip " = %config | <network>/<netmask> | %poolname"
+The internal source IP to use in a tunnel for the remote peer. If the
+value is
+.B %config
+on the responder side, the initiator must propose an address which is then
+echoed back. Also supported are address pools expressed as
+\fInetwork\fB/\fInetmask\fR
+or the use of an external IP address pool using %\fIpoolname\fR,
+where \fIpoolname\fR is the name of the IP address pool used for the lookup.
+.TP
+.BR leftsubnet " = <ip subnet>"
+private subnet behind the left participant, expressed as
+\fInetwork\fB/\fInetmask\fR;
+if omitted, essentially assumed to be \fIleft\fB/32\fR,
+signifying that the left end of the connection goes to the left participant
+only. When using IKEv2, the configured subnet of the peers may differ, the
+protocol narrows it to the greatest common subnet. Further, IKEv2 supports
+multiple subnets separated by commas. IKEv1 only interprets the first subnet
+of such a definition.
+.TP
+.BR leftsubnetwithin " = <ip subnet>"
+the peer can propose any subnet or single IP address that fits within the
+range defined by
+.BR leftsubnetwithin.
+Not relevant for IKEv2, as subnets are narrowed.
+.TP
+.BR leftupdown " = <path>"
+what ``updown'' script to run to adjust routing and/or firewalling
+when the status of the connection
+changes (default
+.BR "ipsec _updown" ).
+May include positional parameters separated by white space
+(although this requires enclosing the whole string in quotes);
+including shell metacharacters is unwise.
+See
+.IR pluto (8)
+for details.
+Relevant only locally, other end need not agree on it. IKEv2 uses the updown
+script to insert firewall rules only, since routing has been implemented
+directly into charon.
+.TP
+.BR lifebytes " = <number>"
+the number of bytes transmitted over an IPsec SA before it expires (IKEv2
+only).
+.TP
+.BR lifepackets " = <number>"
+the number of packets transmitted over an IPsec SA before it expires (IKEv2
+only).
+.TP
+.BR lifetime " = " 1h " | <time>"
+how long a particular instance of a connection
+(a set of encryption/authentication keys for user packets) should last,
+from successful negotiation to expiry;
+acceptable values are an integer optionally followed by
+.BR s
+(a time in seconds)
+or a decimal number followed by
+.BR m ,
+.BR h ,
+or
+.B d
+(a time
+in minutes, hours, or days respectively)
+(default
+.BR 1h ,
+maximum
+.BR 24h ).
+Normally, the connection is renegotiated (via the keying channel)
+before it expires (see
+.BR margintime ).
+The two ends need not exactly agree on
+.BR lifetime ,
+although if they do not,
+there will be some clutter of superseded connections on the end
+which thinks the lifetime is longer. Also see EXPIRY/REKEY below.
+.TP
+.BR marginbytes " = <number>"
+how many bytes before IPsec SA expiry (see
+.BR lifebytes )
+should attempts to negotiate a replacement begin (IKEv2 only).
+.TP
+.BR marginpackets " = <number>"
+how many packets before IPsec SA expiry (see
+.BR lifepackets )
+should attempts to negotiate a replacement begin (IKEv2 only).
+.TP
+.BR margintime " = " 9m " | <time>"
+how long before connection expiry or keying-channel expiry
+should attempts to
+negotiate a replacement
+begin; acceptable values as for
+.B lifetime
+(default
+.BR 9m ).
+Relevant only locally, other end need not agree on it. Also see EXPIRY/REKEY
+below.
+.TP
+.BR mark " = <value>[/<mask>]"
+sets an XFRM mark in the inbound and outbound
+IPsec SAs and policies. If the mask is missing then a default
+mask of
+.B 0xffffffff
+is assumed.
+.TP
+.BR mark_in " = <value>[/<mask>]"
+sets an XFRM mark in the inbound IPsec SA and
+policy. If the mask is missing then a default mask of
+.B 0xffffffff
+is assumed.
+.TP
+.BR mark_out " = <value>[/<mask>]"
+sets an XFRM mark in the outbound IPsec SA and
+policy. If the mask is missing then a default mask of
+.B 0xffffffff
+is assumed.
+.TP
+.BR mobike " = " yes " | no"
+enables the IKEv2 MOBIKE protocol defined by RFC 4555. Accepted values are
+.B yes
+(the default) and
+.BR no .
+If set to
+.BR no ,
+the IKEv2 charon daemon will not actively propose MOBIKE as initiator and
+ignore the MOBIKE_SUPPORTED notify as responder.
+.TP
+.BR modeconfig " = push | " pull
+defines which mode is used to assign a virtual IP.
+Accepted values are
+.B push
+and
+.B pull
+(the default).
+Currently relevant for IKEv1 only since IKEv2 always uses the configuration
+payload in pull mode. Cisco VPN gateways usually operate in
+.B push
+mode.
+.TP
+.BR pfs " = " yes " | no"
+whether Perfect Forward Secrecy of keys is desired on the connection's
+keying channel
+(with PFS, penetration of the key-exchange protocol
+does not compromise keys negotiated earlier);
+acceptable values are
+.B yes
+(the default)
+and
+.BR no.
+IKEv2 always uses PFS for IKE_SA rekeying whereas for CHILD_SA rekeying
+PFS is enforced by defining a Diffie-Hellman modp group in the
+.B esp
+parameter.
+.TP
+.BR pfsgroup " = <modp group>"
+defines a Diffie-Hellman group for perfect forward secrecy in IKEv1 Quick Mode
+differing from the DH group used for IKEv1 Main Mode (IKEv1 only).
+.TP
+.BR reauth " = " yes " | no"
+whether rekeying of an IKE_SA should also reauthenticate the peer. In IKEv1,
+reauthentication is always done. In IKEv2, a value of
+.B no
+rekeys without uninstalling the IPsec SAs, a value of
+.B yes
+(the default) creates a new IKE_SA from scratch and tries to recreate
+all IPsec SAs.
+.TP
+.BR rekey " = " yes " | no"
+whether a connection should be renegotiated when it is about to expire;
+acceptable values are
+.B yes
+(the default)
+and
+.BR no .
+The two ends need not agree, but while a value of
+.B no
+prevents pluto/charon from requesting renegotiation,
+it does not prevent responding to renegotiation requested from the other end,
+so
+.B no
+will be largely ineffective unless both ends agree on it.
+.TP
+.BR rekeyfuzz " = " 100% " | <percentage>"
+maximum percentage by which
+.BR marginbytes ,
+.B marginpackets
+and
+.B margintime
+should be randomly increased to randomize rekeying intervals
+(important for hosts with many connections);
+acceptable values are an integer,
+which may exceed 100,
+followed by a `%'
+(defaults to
+.BR 100% ).
+The value of
+.BR marginTYPE ,
+after this random increase,
+must not exceed
+.B lifeTYPE
+(where TYPE is one of
+.IR bytes ,
+.I packets
+or
+.IR time ).
+The value
+.B 0%
+will suppress randomization.
+Relevant only locally, other end need not agree on it. Also see EXPIRY/REKEY
+below.
+.TP
+.B rekeymargin
+synonym for
+.BR margintime .
+.TP
+.BR reqid " = <number>"
+sets the reqid for a given connection to a pre-configured fixed value.
+.TP
+.BR type " = " tunnel " | transport | transport_proxy | passthrough | drop"
+the type of the connection; currently the accepted values
+are
+.B tunnel
+(the default)
+signifying a host-to-host, host-to-subnet, or subnet-to-subnet tunnel;
+.BR transport ,
+signifying host-to-host transport mode;
+.BR transport_proxy ,
+signifying the special Mobile IPv6 transport proxy mode;
+.BR passthrough ,
+signifying that no IPsec processing should be done at all;
+.BR drop ,
+signifying that packets should be discarded; and
+.BR reject ,
+signifying that packets should be discarded and a diagnostic ICMP returned
+.RB ( reject
+is currently not supported by the NETKEY stack of the Linux 2.6 kernel).
+The IKEv2 daemon charon currently supports
+.BR tunnel ,
+.BR transport ,
+and
+.BR transport_proxy
+connection types, only.
+.TP
+.BR xauth " = " client " | server"
+specifies the role in the XAUTH protocol if activated by
+.B authby=xauthpsk
+or
+.B authby=xauthrsasig.
+Accepted values are
+.B server
+and
+.B client
+(the default).
+
+.SS "CONN PARAMETERS: IKEv2 MEDIATION EXTENSION"
+The following parameters are relevant to IKEv2 Mediation Extension
+operation only.
+.TP
+.BR mediation " = yes | " no
+whether this connection is a mediation connection, ie. whether this
+connection is used to mediate other connections.  Mediation connections
+create no child SA. Acceptable values are
+.B no
+(the default) and
+.BR yes .
+.TP
+.BR mediated_by " = <name>"
+the name of the connection to mediate this connection through.  If given,
+the connection will be mediated through the named mediation connection.
+The mediation connection must set
+.BR mediation=yes .
+.TP
+.BR me_peerid " = <id>"
+ID as which the peer is known to the mediation server, ie. which the other
+end of this connection uses as its
+.B leftid
+on its connection to the mediation server.  This is the ID we request the
+mediation server to mediate us with.  If
+.B me_peerid
+is not given, the
+.B rightid
+of this connection will be used as peer ID.
+
+.SH "CA SECTIONS"
+This are optional sections that can be used to assign special
+parameters to a Certification Authority (CA).
+.TP
+.BR also " = <name>"
+includes ca section
+.BR <name> .
+.TP
+.BR auto " = " ignore " | add"
+currently can have either the value
+.B ignore
+(the default) or
+.BR add .
+.TP
+.BR cacert " = <path>"
+defines a path to the CA certificate either relative to
+\fI/etc/ipsec.d/cacerts\fP or as an absolute path.
+.TP
+.BR crluri " = <uri>"
+defines a CRL distribution point (ldap, http, or file URI)
+.TP
+.B crluri1
+synonym for
+.B crluri.
+.TP
+.BR crluri2 " = <uri>"
+defines an alternative CRL distribution point (ldap, http, or file URI)
+.TP
+.BR ldaphost " = <hostname>"
+defines an ldap host. Currently used by IKEv1 only.
+.TP
+.BR ocspuri " = <uri>"
+defines an OCSP URI.
+.TP
+.B ocspuri1
+synonym for
+.B ocspuri.
+.TP
+.BR ocspuri2 " = <uri>"
+defines an alternative OCSP URI. Currently used by IKEv2 only.
+.TP
+.BR certuribase " = <uri>"
+defines the base URI for the Hash and URL feature supported by IKEv2.
+Instead of exchanging complete certificates, IKEv2 allows to send an URI
+that resolves to the DER encoded certificate. The certificate URIs are built
+by appending the SHA1 hash of the DER encoded certificates to this base URI.
+.SH "CONFIG SECTIONS"
+At present, the only
+.B config
+section known to the IPsec software is the one named
+.BR setup ,
+which contains information used when the software is being started.
+Here's an example:
+.PP
+.ne 8
+.nf
+.ft B
+.ta 1c
+config setup
+	plutodebug=all
+	crlcheckinterval=10m
+	strictcrlpolicy=yes
+.ft
+.fi
+.PP
+Parameters are optional unless marked ``(required)''.
+The currently-accepted
+.I parameter
+names in a
+.B config
+.B setup
+section affecting both daemons are:
+.TP
+.BR cachecrls " = yes | " no
+certificate revocation lists (CRLs) fetched via http or ldap will be cached in
+\fI/etc/ipsec.d/crls/\fR under a unique file name derived from the certification
+authority's public key.
+Accepted values are
+.B yes
+and
+.B no
+(the default). Only relevant for IKEv1, as CRLs are always cached in IKEv2.
+.TP
+.BR charonstart " = " yes " | no"
+whether to start the IKEv2 charon daemon or not.
+The default is
+.B yes
+if starter was compiled with IKEv2 support.
+.TP
+.BR plutostart " = " yes " | no"
+whether to start the IKEv1 pluto daemon or not.
+The default is
+.B yes
+if starter was compiled with IKEv1 support.
+.TP
+.BR strictcrlpolicy " = yes | ifuri | " no
+defines if a fresh CRL must be available in order for the peer authentication
+based on RSA signatures to succeed.
+IKEv2 additionally recognizes
+.B ifuri
+which reverts to
+.B yes
+if at least one CRL URI is defined and to
+.B no
+if no URI is known.
+.TP
+.BR uniqueids " = " yes " | no | replace | keep"
+whether a particular participant ID should be kept unique,
+with any new (automatically keyed)
+connection using an ID from a different IP address
+deemed to replace all old ones using that ID;
+acceptable values are
+.B yes
+(the default)
+and
+.BR no .
+Participant IDs normally \fIare\fR unique,
+so a new (automatically-keyed) connection using the same ID is
+almost invariably intended to replace an old one.
+The IKEv2 daemon also accepts the value
+.B replace
+wich is identical to
+.B yes
+and the value
+.B keep
+to reject new IKE_SA setups and keep the duplicate established earlier.
+.PP
+The following
+.B config section
+parameters are used by the IKEv1 Pluto daemon only:
+.TP
+.BR crlcheckinterval " = " 0s " | <time>"
+interval in seconds. CRL fetching is enabled if the value is greater than zero.
+Asynchronous, periodic checking for fresh CRLs is currently done by the
+IKEv1 Pluto daemon only.
+.TP
+.BR keep_alive " = " 20s " | <time>"
+interval in seconds between NAT keep alive packets, the default being 20 seconds.
+.TP
+.BR nat_traversal " = yes | " no
+activates NAT traversal by accepting source ISAKMP ports different from udp/500 and
+being able of floating to udp/4500 if a NAT situation is detected.
+Accepted values are
+.B yes
+and
+.B no
+(the default).
+Used by IKEv1 only, NAT traversal is always being active in IKEv2.
+.TP
+.BR nocrsend " = yes | " no
+no certificate request payloads will be sent.
+.TP
+.BR pkcs11initargs " = <args>"
+non-standard argument string for PKCS#11 C_Initialize() function;
+required by NSS softoken.
+.TP
+.BR pkcs11module " = <args>"
+defines the path to a dynamically loadable PKCS #11 library.
+.TP
+.BR pkcs11keepstate " = yes | " no
+PKCS #11 login sessions will be kept during the whole lifetime of the keying
+daemon. Useful with pin-pad smart card readers.
+Accepted values are
+.B yes
+and
+.B no
+(the default).
+.TP
+.BR pkcs11proxy " = yes | " no
+Pluto will act as a PKCS #11 proxy accessible via the whack interface.
+Accepted values are
+.B yes
+and
+.B no
+(the default).
+.TP
+.BR plutodebug " = " none " | <debug list> | all"
+how much pluto debugging output should be logged.
+An empty value,
+or the magic value
+.BR none ,
+means no debugging output (the default).
+The magic value
+.B all
+means full output.
+Otherwise only the specified types of output
+(a quoted list, names without the
+.B \-\-debug\-
+prefix,
+separated by white space) are enabled;
+for details on available debugging types, see
+.IR pluto (8).
+.TP
+.BR plutostderrlog " = <file>"
+Pluto will not use syslog, but rather log to stderr, and redirect stderr
+to <file>.
+.TP
+.BR postpluto " = <command>"
+shell command to run after starting pluto
+(e.g., to remove a decrypted copy of the
+.I ipsec.secrets
+file).
+It's run in a very simple way;
+complexities like I/O redirection are best hidden within a script.
+Any output is redirected for logging,
+so running interactive commands is difficult unless they use
+.I /dev/tty
+or equivalent for their interaction.
+Default is none.
+.TP
+.BR prepluto " = <command>"
+shell command to run before starting pluto
+(e.g., to decrypt an encrypted copy of the
+.I ipsec.secrets
+file).
+It's run in a very simple way;
+complexities like I/O redirection are best hidden within a script.
+Any output is redirected for logging,
+so running interactive commands is difficult unless they use
+.I /dev/tty
+or equivalent for their interaction.
+Default is none.
+.TP
+.BR virtual_private " = <networks>"
+defines private networks using a wildcard notation.
+.PP
+The following
+.B config section
+parameters are used by the IKEv2 charon daemon only:
+.TP
+.BR charondebug " = <debug list>"
+how much charon debugging output should be logged.
+A comma separated list containing type level/pairs may
+be specified, e.g:
+.B dmn 3, ike 1, net -1.
+Acceptable values for types are
+.B dmn, mgr, ike, chd, job, cfg, knl, net, enc, lib
+and the level is one of
+.B -1, 0, 1, 2, 3, 4
+(for silent, audit, control, controlmore, raw, private).
+For more flexibility see LOGGER CONFIGURATION in
+.IR strongswan.conf (5).
+
+.SH IKEv2 EXPIRY/REKEY
+The IKE SAs and IPsec SAs negotiated by the daemon can be configured to expire
+after a specific amount of time. For IPsec SAs this can also happen after a
+specified number of transmitted packets or transmitted bytes. The following
+settings can be used to configure this:
+.TS
+l r l r,- - - -,lB s lB s,a r a r.
+Setting	Default	Setting	Default
+IKE SA	IPsec SA
+ikelifetime	3h	lifebytes	-
+		lifepackets	-
+		lifetime	1h
+.TE
+.SS Rekeying
+IKE SAs as well as IPsec SAs can be rekeyed before they expire. This can be
+configured using the following settings:
+.TS
+l r l r,- - - -,lB s lB s,a r a r.
+Setting	Default	Setting	Default
+IKE and IPsec SA	IPsec SA
+margintime	9m	marginbytes	-
+		marginpackets	-
+.TE
+.SS Randomization
+To avoid collisions the specified margins are increased randomly before
+subtracting them from the expiration limits (see formula below). This is
+controlled by the
+.B rekeyfuzz
+setting:
+.TS
+l r,- -,lB s,a r.
+Setting	Default
+IKE and IPsec SA
+rekeyfuzz	100%
+.TE
+.PP
+Randomization can be disabled by setting
+.BR rekeyfuzz " to " 0% .
+.SS Formula
+The following formula is used to calculate the rekey time of IPsec SAs:
+.PP
+.EX
+ rekeytime = lifetime - (margintime + random(0, margintime * rekeyfuzz))
+.EE
+.PP
+It applies equally to IKE SAs and byte and packet limits for IPsec SAs.
+.SS Example
+Let's consider the default configuration:
+.PP
+.EX
+	lifetime = 1h
+	margintime = 9m
+	rekeyfuzz = 100%
+.EE
+.PP
+From the formula above follows that the rekey time lies between:
+.PP
+.EX
+	rekeytime_min = 1h - (9m + 9m) = 42m
+	rekeytime_max = 1h - (9m + 0m) = 51m
+.EE
+.PP
+Thus, the daemon will attempt to rekey the IPsec SA at a random time
+between 42 and 51 minutes after establishing the SA. Or, in other words,
+between 9 and 18 minutes before the SA expires.
+.SS Notes
+.IP \[bu]
+Since the rekeying of an SA needs some time, the margin values must not be
+too low.
+.IP \[bu]
+The value
+.B margin... + margin... * rekeyfuzz
+must not exceed the original limit. For example, specifying
+.B margintime = 30m
+in the default configuration is a bad idea as there is a chance that the rekey
+time equals zero and, thus, rekeying gets disabled.
+.SH FILES
+.nf
+/etc/ipsec.conf
+/etc/ipsec.d/aacerts
+/etc/ipsec.d/acerts
+/etc/ipsec.d/cacerts
+/etc/ipsec.d/certs
+/etc/ipsec.d/crls
+
+.SH SEE ALSO
+strongswan.conf(5), ipsec.secrets(5), ipsec(8), pluto(8)
+.SH HISTORY
+Originally written for the FreeS/WAN project by Henry Spencer.
+Updated and extended for the strongSwan project <http://www.strongswan.org> by
+Tobias Brunner, Andreas Steffen and Martin Willi.
+.SH BUGS
+.PP
+If conns are to be added before DNS is available, \fBleft=\fP\fIFQDN\fP
+will fail.
diff --git a/man/ipsec.conf.5.in b/man/ipsec.conf.5.in
new file mode 100644
index 000000000..187f36957
--- /dev/null
+++ b/man/ipsec.conf.5.in
@@ -0,0 +1,1358 @@
+.TH IPSEC.CONF 5 "2010-10-19" "@IPSEC_VERSION@" "strongSwan"
+.SH NAME
+ipsec.conf \- IPsec configuration and connections
+.SH DESCRIPTION
+The optional
+.I ipsec.conf
+file
+specifies most configuration and control information for the
+strongSwan IPsec subsystem.
+The major exception is secrets for authentication;
+see
+.IR ipsec.secrets (5).
+Its contents are not security-sensitive.
+.PP
+The file is a text file, consisting of one or more
+.IR sections .
+White space followed by
+.B #
+followed by anything to the end of the line
+is a comment and is ignored,
+as are empty lines which are not within a section.
+.PP
+A line which contains
+.B include
+and a file name, separated by white space,
+is replaced by the contents of that file,
+preceded and followed by empty lines.
+If the file name is not a full pathname,
+it is considered to be relative to the directory containing the
+including file.
+Such inclusions can be nested.
+Only a single filename may be supplied, and it may not contain white space,
+but it may include shell wildcards (see
+.IR sh (1));
+for example:
+.PP
+.B include
+.B "ipsec.*.conf"
+.PP
+The intention of the include facility is mostly to permit keeping
+information on connections, or sets of connections,
+separate from the main configuration file.
+This permits such connection descriptions to be changed,
+copied to the other security gateways involved, etc.,
+without having to constantly extract them from the configuration
+file and then insert them back into it.
+Note also the
+.B also
+parameter (described below) which permits splitting a single logical
+section (e.g. a connection description) into several actual sections.
+.PP
+A section
+begins with a line of the form:
+.PP
+.I type
+.I name
+.PP
+where
+.I type
+indicates what type of section follows, and
+.I name
+is an arbitrary name which distinguishes the section from others
+of the same type.
+Names must start with a letter and may contain only
+letters, digits, periods, underscores, and hyphens.
+All subsequent non-empty lines
+which begin with white space are part of the section;
+comments within a section must begin with white space too.
+There may be only one section of a given type with a given name.
+.PP
+Lines within the section are generally of the form
+.PP
+\ \ \ \ \ \fIparameter\fB=\fIvalue\fR
+.PP
+(note the mandatory preceding white space).
+There can be white space on either side of the
+.BR = .
+Parameter names follow the same syntax as section names,
+and are specific to a section type.
+Unless otherwise explicitly specified,
+no parameter name may appear more than once in a section.
+.PP
+An empty
+.I value
+stands for the system default value (if any) of the parameter,
+i.e. it is roughly equivalent to omitting the parameter line entirely.
+A
+.I value
+may contain white space only if the entire
+.I value
+is enclosed in double quotes (\fB"\fR);
+a
+.I value
+cannot itself contain a double quote,
+nor may it be continued across more than one line.
+.PP
+Numeric values are specified to be either an ``integer''
+(a sequence of digits) or a ``decimal number''
+(sequence of digits optionally followed by `.' and another sequence of digits).
+.PP
+There is currently one parameter which is available in any type of
+section:
+.TP
+.B also
+the value is a section name;
+the parameters of that section are appended to this section,
+as if they had been written as part of it.
+The specified section must exist, must follow the current one,
+and must have the same section type.
+(Nesting is permitted,
+and there may be more than one
+.B also
+in a single section,
+although it is forbidden to append the same section more than once.)
+.PP
+A section with name
+.B %default
+specifies defaults for sections of the same type.
+For each parameter in it,
+any section of that type which does not have a parameter of the same name
+gets a copy of the one from the
+.B %default
+section.
+There may be multiple
+.B %default
+sections of a given type,
+but only one default may be supplied for any specific parameter name,
+and all
+.B %default
+sections of a given type must precede all non-\c
+.B %default
+sections of that type.
+.B %default
+sections may not contain the
+.B also
+parameter.
+.PP
+Currently there are three types of sections:
+a
+.B config
+section specifies general configuration information for IPsec, a
+.B conn
+section specifies an IPsec connection, while a
+.B ca
+section specifies special properties of a certification authority.
+.SH "CONN SECTIONS"
+A
+.B conn
+section contains a
+.IR "connection specification" ,
+defining a network connection to be made using IPsec.
+The name given is arbitrary, and is used to identify the connection.
+Here's a simple example:
+.PP
+.ne 10
+.nf
+.ft B
+.ta 1c
+conn snt
+	left=192.168.0.1
+	leftsubnet=10.1.0.0/16
+	right=192.168.0.2
+	rightsubnet=10.1.0.0/16
+	keyingtries=%forever
+	auto=add
+.ft
+.fi
+.PP
+A note on terminology: There are two kinds of communications going on:
+transmission of user IP packets, and gateway-to-gateway negotiations for
+keying, rekeying, and general control.
+The path to control the connection is called 'ISAKMP SA' in IKEv1
+and 'IKE SA' in the IKEv2 protocol. That what is being negotiated, the kernel
+level data path, is called 'IPsec SA' or 'Child SA'.
+strongSwan currently uses two separate keying daemons. \fIpluto\fP handles
+all IKEv1 connections, \fIcharon\fP is the daemon handling the IKEv2
+protocol.
+.PP
+To avoid trivial editing of the configuration file to suit it to each system
+involved in a connection,
+connection specifications are written in terms of
+.I left
+and
+.I right
+participants,
+rather than in terms of local and remote.
+Which participant is considered
+.I left
+or
+.I right
+is arbitrary;
+for every connection description an attempt is made to figure out whether
+the local endpoint should act as the
+.I left
+or
+.I right
+endpoint. This is done by matching the IP addresses defined for both endpoints
+with the IP addresses assigned to local network interfaces. If a match is found
+then the role (left or right) that matches is going to be considered local.
+If no match is found during startup,
+.I left
+is considered local.
+This permits using identical connection specifications on both ends.
+There are cases where there is no symmetry; a good convention is to
+use
+.I left
+for the local side and
+.I right
+for the remote side (the first letters are a good mnemonic).
+.PP
+Many of the parameters relate to one participant or the other;
+only the ones for
+.I left
+are listed here, but every parameter whose name begins with
+.B left
+has a
+.B right
+counterpart,
+whose description is the same but with
+.B left
+and
+.B right
+reversed.
+.PP
+Parameters are optional unless marked '(required)'.
+.SS "CONN PARAMETERS"
+Unless otherwise noted, for a connection to work,
+in general it is necessary for the two ends to agree exactly
+on the values of these parameters.
+.TP
+.BR aaa_identity " = <id>"
+defines the identity of the AAA backend used during IKEv2 EAP authentication.
+This is required if the EAP client uses a method that verifies the server
+identity (such as EAP-TLS), but it does not match the IKEv2 gateway identity.
+.TP
+.BR also " = <name>"
+includes conn section
+.BR <name> .
+.TP
+.BR auth " = " esp " | ah"
+whether authentication should be done as part of
+ESP encryption, or separately using the AH protocol;
+acceptable values are
+.B esp
+(the default) and
+.BR ah .
+.br
+The IKEv2 daemon currently supports ESP only.
+.TP
+.BR authby " = " pubkey " | rsasig | ecdsasig | psk | eap | never | xauth..."
+how the two security gateways should authenticate each other;
+acceptable values are
+.B psk
+or
+.B secret
+for pre-shared secrets,
+.B pubkey
+(the default) for public key signatures as well as the synonyms
+.B rsasig
+for RSA digital signatures and
+.B ecdsasig
+for Elliptic Curve DSA signatures.
+.B never
+can be used if negotiation is never to be attempted or accepted (useful for
+shunt-only conns).
+Digital signatures are superior in every way to shared secrets.
+IKEv1 additionally supports the values
+.B xauthpsk
+and
+.B xauthrsasig
+that will enable eXtended AUTHentication (XAUTH) in addition to IKEv1 main mode
+based on shared secrets  or digital RSA signatures, respectively.
+IKEv2 additionally supports the value
+.BR eap ,
+which indicates an initiator to request EAP authentication. The EAP method
+to use is selected by the server (see
+.BR eap ).
+This parameter is deprecated for IKEv2 connections, as two peers do not need
+to agree on an authentication method. Use the
+.B leftauth
+parameter instead to define authentication methods in IKEv2.
+.TP
+.BR auto " = " ignore " | add | route | start"
+what operation, if any, should be done automatically at IPsec startup;
+currently-accepted values are
+.BR add ,
+.BR route ,
+.B start
+and
+.B ignore
+(the default).
+.B add
+loads a connection without starting it.
+.B route
+loads a connection and installs kernel traps. If traffic is detected between
+.B leftsubnet
+and
+.B rightsubnet
+, a connection is established.
+.B start
+loads a connection and brings it up immediatly.
+.B ignore
+ignores the connection. This is equal to delete a connection from the config
+file.
+Relevant only locally, other end need not agree on it
+(but in general, for an intended-to-be-permanent connection,
+both ends should use
+.B auto=start
+to ensure that any reboot causes immediate renegotiation).
+.TP
+.BR compress " = yes | " no
+whether IPComp compression of content is proposed on the connection
+(link-level compression does not work on encrypted data,
+so to be effective, compression must be done \fIbefore\fR encryption);
+acceptable values are
+.B yes
+and
+.B no
+(the default). A value of
+.B yes
+causes IPsec to propose both compressed and uncompressed,
+and prefer compressed.
+A value of
+.B no
+prevents IPsec from proposing compression;
+a proposal to compress will still be accepted.
+.TP
+.BR dpdaction " = " none " | clear | hold | restart"
+controls the use of the Dead Peer Detection protocol (DPD, RFC 3706) where
+R_U_THERE notification messages (IKEv1) or empty INFORMATIONAL messages (IKEv2)
+are periodically sent in order to check the
+liveliness of the IPsec peer. The values
+.BR clear ,
+.BR hold ,
+and
+.B restart
+all activate DPD. If no activity is detected, all connections with a dead peer
+are stopped and unrouted
+.RB ( clear ),
+put in the hold state
+.RB ( hold )
+or restarted
+.RB ( restart ).
+For IKEv1, the default is
+.B none
+which disables the active sending of R_U_THERE notifications.
+Nevertheless pluto will always send the DPD Vendor ID during connection set up
+in order to signal the readiness to act passively as a responder if the peer
+wants to use DPD. For IKEv2,
+.B none
+does't make sense, since all messages are used to detect dead peers. If specified,
+it has the same meaning as the default
+.RB ( clear ).
+.TP
+.BR dpddelay " = " 30s " | <time>"
+defines the period time interval with which R_U_THERE messages/INFORMATIONAL
+exchanges are sent to the peer. These are only sent if no other traffic is
+received. In IKEv2, a value of 0 sends no additional INFORMATIONAL
+messages and uses only standard messages (such as those to rekey) to detect
+dead peers.
+.TP
+.BR dpdtimeout " = " 150s " | <time>"
+defines the timeout interval, after which all connections to a peer are deleted
+in case of inactivity. This only applies to IKEv1, in IKEv2 the default
+retransmission timeout applies, as every exchange is used to detect dead peers.
+See
+.IR strongswan.conf (5)
+for a description of the IKEv2 retransmission timeout.
+.TP
+.BR inactivity " = <time>"
+defines the timeout interval, after which a CHILD_SA is closed if it did
+not send or receive any traffic. Currently supported in IKEv2 connections only.
+.TP
+.BR eap " = md5 | mschapv2 | radius | ... | <type> | <type>-<vendor>
+defines the EAP type to propose as server if the client requests EAP
+authentication. Currently supported values are
+.B aka
+for EAP-AKA,
+.B gtc
+for EAP-GTC,
+.B md5
+for EAP-MD5,
+.B mschapv2
+for EAP-MS-CHAPv2,
+.B radius
+for the EAP-RADIUS proxy and
+.B sim
+for EAP-SIM. Additionally, IANA assigned EAP method numbers are accepted, or a
+definition in the form
+.B eap=type-vendor
+(e.g. eap=7-12345) can be used to specify vendor specific EAP types.
+This parameter is deprecated in the favour of
+.B leftauth.
+
+To forward EAP authentication to a RADIUS server using the EAP-RADIUS plugin,
+set
+.BR eap=radius .
+.TP
+.BR eap_identity " = <id>"
+defines the identity the client uses to reply to a EAP Identity request.
+If defined on the EAP server, the defined identity will be used as peer
+identity during EAP authentication. The special value
+.B %identity
+uses the EAP Identity method to ask the client for an EAP identity. If not
+defined, the IKEv2 identity will be used as EAP identity.
+.TP
+.BR esp " = <cipher suites>"
+comma-separated list of ESP encryption/authentication algorithms to be used
+for the connection, e.g.
+.BR aes128-sha256 .
+The notation is
+.BR encryption-integrity-[dh-group] .
+.br
+If
+.B dh-group
+is specified, CHILD_SA setup and rekeying include a separate diffe hellman
+exchange (IKEv2 only).
+.TP
+.BR forceencaps " = yes | " no
+force UDP encapsulation for ESP packets even if no NAT situation is detected.
+This may help to surmount restrictive firewalls. In order to force the peer to
+encapsulate packets, NAT detection payloads are faked (IKEv2 only).
+.TP
+.BR ike " = <cipher suites>"
+comma-separated list of IKE/ISAKMP SA encryption/authentication algorithms
+to be used, e.g.
+.BR aes128-sha1-modp2048 .
+The notation is
+.BR encryption-integrity-dhgroup .
+In IKEv2, multiple algorithms and proposals may be included, such as
+.B aes128-aes256-sha1-modp1536-modp2048,3des-sha1-md5-modp1024.
+.TP
+.BR ikelifetime " = " 3h " | <time>"
+how long the keying channel of a connection (ISAKMP or IKE SA)
+should last before being renegotiated. Also see EXPIRY/REKEY below.
+.TP
+.BR installpolicy " = " yes " | no"
+decides whether IPsec policies are installed in the kernel by the IKEv2
+charon daemon for a given connection. Allows peaceful cooperation e.g. with
+the Mobile IPv6 daemon mip6d who wants to control the kernel policies.
+Acceptable values are
+.B yes
+(the default) and
+.BR no .
+.TP
+.BR keyexchange " = " ike " | ikev1 | ikev2"
+method of key exchange;
+which protocol should be used to initialize the connection. Connections marked with
+.B ikev1
+are initiated with pluto, those marked with
+.B ikev2
+with charon. An incoming request from the remote peer is handled by the correct
+daemon, unaffected from the
+.B keyexchange
+setting. Starting with strongSwan 4.5 the default value
+.B ike
+is a synonym for
+.BR ikev2 ,
+whereas in older strongSwan releases
+.B ikev1
+was assumed.
+.TP
+.BR keyingtries " = " %forever " | <number>"
+how many attempts (a whole number or \fB%forever\fP) should be made to
+negotiate a connection, or a replacement for one, before giving up
+(default
+.BR %forever ).
+The value \fB%forever\fP
+means 'never give up'.
+Relevant only locally, other end need not agree on it.
+.TP
+.B keylife
+synonym for
+.BR lifetime .
+.TP
+.BR left " = <ip address> | <fqdn> | %defaultroute | " %any
+(required)
+the IP address of the left participant's public-network interface
+or one of several magic values.
+If it is
+.BR %defaultroute ,
+.B left
+will be filled in automatically with the local address
+of the default-route interface (as determined at IPsec startup time and
+during configuration update).
+Either
+.B left
+or
+.B right
+may be
+.BR %defaultroute ,
+but not both.
+The prefix
+.B  %
+in front of a fully-qualified domain name or an IP address will implicitly set
+.B leftallowany=yes.
+If the domain name cannot be resolved into an IP address at IPsec startup or
+update time then
+.B left=%any
+and
+.B leftallowany=no
+will be assumed.
+
+In case of an IKEv2 connection, the value
+.B %any
+for the local endpoint signifies an address to be filled in (by automatic
+keying) during negotiation. If the local peer initiates the connection setup
+the routing table will be queried to determine the correct local IP address.
+In case the local peer is responding to a connection setup then any IP address
+that is assigned to a local interface will be accepted.
+.br
+Note that specifying
+.B %any
+for the local endpoint is not supported by the IKEv1 pluto daemon.
+
+If
+.B %any
+is used for the remote endpoint it literally means any IP address.
+
+Please note that with the usage of wildcards multiple connection descriptions
+might match a given incoming connection attempt. The most specific description
+is used in that case.
+.TP
+.BR leftallowany " = yes | " no
+a modifier for
+.B left
+, making it behave as
+.B %any
+although a concrete IP address has been assigned.
+Recommended for dynamic IP addresses that can be resolved by DynDNS at IPsec
+startup or update time.
+Acceptable values are
+.B yes
+and
+.B no
+(the default).
+.TP
+.BR leftauth " = <auth method>"
+Authentication method to use locally (left) or require from the remote (right)
+side.
+This parameter is supported in IKEv2 only. Acceptable values are
+.B pubkey
+for public key authentication (RSA/ECDSA),
+.B psk
+for pre-shared key authentication and
+.B eap
+to (require the) use of the Extensible Authentication Protocol. In the case
+of
+.B eap,
+an optional EAP method can be appended. Currently defined methods are
+.BR eap-aka ,
+.BR eap-gtc ,
+.BR eap-md5 ,
+.BR eap-tls ,
+.B eap-mschapv2
+and
+.BR eap-sim .
+Alternatively, IANA assigned EAP method numbers are accepted. Vendor specific
+EAP methods are defined in the form
+.B eap-type-vendor
+.RB "(e.g. " eap-7-12345 ).
+.TP
+.BR leftauth2 " = <auth method>"
+Same as
+.BR leftauth ,
+but defines an additional authentication exchange. IKEv2 supports multiple
+authentication rounds using "Multiple Authentication Exchanges" defined
+in RFC4739. This allows, for example, separated authentication
+of host and user (IKEv2 only).
+.TP
+.BR leftca " = <issuer dn> | %same"
+the distinguished name of a certificate authority which is required to
+lie in the trust path going from the left participant's certificate up
+to the root certification authority.
+.TP
+.BR leftca2 " = <issuer dn> | %same"
+Same as
+.BR leftca ,
+but for the second authentication round (IKEv2 only).
+.TP
+.BR leftcert " = <path>"
+the path to the left participant's X.509 certificate. The file can be encoded
+either in PEM or DER format. OpenPGP certificates are supported as well.
+Both absolute paths or paths relative to \fI/etc/ipsec.d/certs\fP
+are accepted. By default
+.B leftcert
+sets
+.B leftid
+to the distinguished name of the certificate's subject and
+.B leftca
+to the distinguished name of the certificate's issuer.
+The left participant's ID can be overriden by specifying a
+.B leftid
+value which must be certified by the certificate, though.
+.TP
+.BR leftcert2 " = <path>"
+Same as
+.B leftcert,
+but for the second authentication round (IKEv2 only).
+.TP
+.BR leftfirewall " = yes | " no
+whether the left participant is doing forwarding-firewalling
+(including masquerading) using iptables for traffic from \fIleftsubnet\fR,
+which should be turned off (for traffic to the other subnet)
+once the connection is established;
+acceptable values are
+.B yes
+and
+.B no
+(the default).
+May not be used in the same connection description with
+.BR leftupdown .
+Implemented as a parameter to the default \fBipsec _updown\fR script.
+See notes below.
+Relevant only locally, other end need not agree on it.
+
+If one or both security gateways are doing forwarding firewalling
+(possibly including masquerading),
+and this is specified using the firewall parameters,
+tunnels established with IPsec are exempted from it
+so that packets can flow unchanged through the tunnels.
+(This means that all subnets connected in this manner must have
+distinct, non-overlapping subnet address blocks.)
+This is done by the default \fBipsec _updown\fR script (see
+.IR pluto (8)).
+
+In situations calling for more control,
+it may be preferable for the user to supply his own
+.I updown
+script,
+which makes the appropriate adjustments for his system.
+.TP
+.BR leftgroups " = <group list>"
+a comma separated list of group names. If the
+.B leftgroups
+parameter is present then the peer must be a member of at least one
+of the groups defined by the parameter. Group membership must be certified
+by a valid attribute certificate stored in \fI/etc/ipsec.d/acerts/\fP thas has
+been issued to the peer by a trusted Authorization Authority stored in
+\fI/etc/ipsec.d/aacerts/\fP.
+.br
+Attribute certificates are not supported in IKEv2 yet.
+.TP
+.BR lefthostaccess " = yes | " no
+inserts a pair of INPUT and OUTPUT iptables rules using the default
+\fBipsec _updown\fR script, thus allowing access to the host itself
+in the case where the host's internal interface is part of the
+negotiated client subnet.
+Acceptable values are
+.B yes
+and
+.B no
+(the default).
+.TP
+.BR leftid " = <id>"
+how the left participant should be identified for authentication;
+defaults to
+.BR left .
+Can be an IP address or a fully-qualified domain name preceded by
+.B @
+(which is used as a literal string and not resolved).
+.TP
+.BR leftid2 " = <id>"
+identity to use for a second authentication for the left participant
+(IKEv2 only); defaults to
+.BR leftid .
+.TP
+.BR leftikeport " = <port>"
+UDP port the left participant uses for IKE communication. Currently supported in
+IKEv2 connections only. If unspecified, port 500 is used with the port floating
+to 4500 if a NAT is detected or MOBIKE is enabled. Specifying a local IKE port
+different from the default additionally requires a socket implementation that
+listens to this port.
+.TP
+.BR leftnexthop " = %direct | %defaultroute | <ip address> | <fqdn>"
+this parameter is usually not needed any more because the NETKEY IPsec stack
+does not require explicit routing entries for the traffic to be tunneled. If
+.B leftsourceip
+is used with IKEv1 then
+.B leftnexthop
+must still be set in order for the source routes to work properly.
+.TP
+.BR leftprotoport " = <protocol>/<port>"
+restrict the traffic selector to a single protocol and/or port.
+Examples:
+.B leftprotoport=tcp/http
+or
+.B leftprotoport=6/80
+or
+.B leftprotoport=udp
+.TP
+.BR leftrsasigkey " = " %cert " | <raw rsa public key>"
+the left participant's
+public key for RSA signature authentication,
+in RFC 2537 format using
+.IR ttodata (3)
+encoding.
+The magic value
+.B %none
+means the same as not specifying a value (useful to override a default).
+The value
+.B %cert
+(the default)
+means that the key is extracted from a certificate.
+The identity used for the left participant
+must be a specific host, not
+.B %any
+or another magic value.
+.B Caution:
+if two connection descriptions
+specify different public keys for the same
+.BR leftid ,
+confusion and madness will ensue.
+.TP
+.BR leftsendcert " = never | no | " ifasked " | always | yes"
+Accepted values are
+.B never
+or
+.BR no ,
+.B always
+or
+.BR yes ,
+and
+.BR ifasked " (the default),"
+the latter meaning that the peer must send a certificate request payload in
+order to get a certificate in return.
+.TP
+.BR leftsourceip " = %config | %cfg | %modeconfig | %modecfg | <ip address>"
+The internal source IP to use in a tunnel, also known as virtual IP. If the
+value is one of the synonyms
+.BR %config ,
+.BR %cfg ,
+.BR %modeconfig ,
+or
+.BR %modecfg ,
+an address is requested from the peer. In IKEv2, a statically defined address
+is also requested, since the server may change it.
+.TP
+.BR rightsourceip " = %config | <network>/<netmask> | %poolname"
+The internal source IP to use in a tunnel for the remote peer. If the
+value is
+.B %config
+on the responder side, the initiator must propose an address which is then
+echoed back. Also supported are address pools expressed as
+\fInetwork\fB/\fInetmask\fR
+or the use of an external IP address pool using %\fIpoolname\fR,
+where \fIpoolname\fR is the name of the IP address pool used for the lookup.
+.TP
+.BR leftsubnet " = <ip subnet>"
+private subnet behind the left participant, expressed as
+\fInetwork\fB/\fInetmask\fR;
+if omitted, essentially assumed to be \fIleft\fB/32\fR,
+signifying that the left end of the connection goes to the left participant
+only. When using IKEv2, the configured subnet of the peers may differ, the
+protocol narrows it to the greatest common subnet. Further, IKEv2 supports
+multiple subnets separated by commas. IKEv1 only interprets the first subnet
+of such a definition.
+.TP
+.BR leftsubnetwithin " = <ip subnet>"
+the peer can propose any subnet or single IP address that fits within the
+range defined by
+.BR leftsubnetwithin.
+Not relevant for IKEv2, as subnets are narrowed.
+.TP
+.BR leftupdown " = <path>"
+what ``updown'' script to run to adjust routing and/or firewalling
+when the status of the connection
+changes (default
+.BR "ipsec _updown" ).
+May include positional parameters separated by white space
+(although this requires enclosing the whole string in quotes);
+including shell metacharacters is unwise.
+See
+.IR pluto (8)
+for details.
+Relevant only locally, other end need not agree on it. IKEv2 uses the updown
+script to insert firewall rules only, since routing has been implemented
+directly into charon.
+.TP
+.BR lifebytes " = <number>"
+the number of bytes transmitted over an IPsec SA before it expires (IKEv2
+only).
+.TP
+.BR lifepackets " = <number>"
+the number of packets transmitted over an IPsec SA before it expires (IKEv2
+only).
+.TP
+.BR lifetime " = " 1h " | <time>"
+how long a particular instance of a connection
+(a set of encryption/authentication keys for user packets) should last,
+from successful negotiation to expiry;
+acceptable values are an integer optionally followed by
+.BR s
+(a time in seconds)
+or a decimal number followed by
+.BR m ,
+.BR h ,
+or
+.B d
+(a time
+in minutes, hours, or days respectively)
+(default
+.BR 1h ,
+maximum
+.BR 24h ).
+Normally, the connection is renegotiated (via the keying channel)
+before it expires (see
+.BR margintime ).
+The two ends need not exactly agree on
+.BR lifetime ,
+although if they do not,
+there will be some clutter of superseded connections on the end
+which thinks the lifetime is longer. Also see EXPIRY/REKEY below.
+.TP
+.BR marginbytes " = <number>"
+how many bytes before IPsec SA expiry (see
+.BR lifebytes )
+should attempts to negotiate a replacement begin (IKEv2 only).
+.TP
+.BR marginpackets " = <number>"
+how many packets before IPsec SA expiry (see
+.BR lifepackets )
+should attempts to negotiate a replacement begin (IKEv2 only).
+.TP
+.BR margintime " = " 9m " | <time>"
+how long before connection expiry or keying-channel expiry
+should attempts to
+negotiate a replacement
+begin; acceptable values as for
+.B lifetime
+(default
+.BR 9m ).
+Relevant only locally, other end need not agree on it. Also see EXPIRY/REKEY
+below.
+.TP
+.BR mark " = <value>[/<mask>]"
+sets an XFRM mark in the inbound and outbound
+IPsec SAs and policies. If the mask is missing then a default
+mask of
+.B 0xffffffff
+is assumed.
+.TP
+.BR mark_in " = <value>[/<mask>]"
+sets an XFRM mark in the inbound IPsec SA and
+policy. If the mask is missing then a default mask of
+.B 0xffffffff
+is assumed.
+.TP
+.BR mark_out " = <value>[/<mask>]"
+sets an XFRM mark in the outbound IPsec SA and
+policy. If the mask is missing then a default mask of
+.B 0xffffffff
+is assumed.
+.TP
+.BR mobike " = " yes " | no"
+enables the IKEv2 MOBIKE protocol defined by RFC 4555. Accepted values are
+.B yes
+(the default) and
+.BR no .
+If set to
+.BR no ,
+the IKEv2 charon daemon will not actively propose MOBIKE as initiator and
+ignore the MOBIKE_SUPPORTED notify as responder.
+.TP
+.BR modeconfig " = push | " pull
+defines which mode is used to assign a virtual IP.
+Accepted values are
+.B push
+and
+.B pull
+(the default).
+Currently relevant for IKEv1 only since IKEv2 always uses the configuration
+payload in pull mode. Cisco VPN gateways usually operate in
+.B push
+mode.
+.TP
+.BR pfs " = " yes " | no"
+whether Perfect Forward Secrecy of keys is desired on the connection's
+keying channel
+(with PFS, penetration of the key-exchange protocol
+does not compromise keys negotiated earlier);
+acceptable values are
+.B yes
+(the default)
+and
+.BR no.
+IKEv2 always uses PFS for IKE_SA rekeying whereas for CHILD_SA rekeying
+PFS is enforced by defining a Diffie-Hellman modp group in the
+.B esp
+parameter.
+.TP
+.BR pfsgroup " = <modp group>"
+defines a Diffie-Hellman group for perfect forward secrecy in IKEv1 Quick Mode
+differing from the DH group used for IKEv1 Main Mode (IKEv1 only).
+.TP
+.BR reauth " = " yes " | no"
+whether rekeying of an IKE_SA should also reauthenticate the peer. In IKEv1,
+reauthentication is always done. In IKEv2, a value of
+.B no
+rekeys without uninstalling the IPsec SAs, a value of
+.B yes
+(the default) creates a new IKE_SA from scratch and tries to recreate
+all IPsec SAs.
+.TP
+.BR rekey " = " yes " | no"
+whether a connection should be renegotiated when it is about to expire;
+acceptable values are
+.B yes
+(the default)
+and
+.BR no .
+The two ends need not agree, but while a value of
+.B no
+prevents pluto/charon from requesting renegotiation,
+it does not prevent responding to renegotiation requested from the other end,
+so
+.B no
+will be largely ineffective unless both ends agree on it.
+.TP
+.BR rekeyfuzz " = " 100% " | <percentage>"
+maximum percentage by which
+.BR marginbytes ,
+.B marginpackets
+and
+.B margintime
+should be randomly increased to randomize rekeying intervals
+(important for hosts with many connections);
+acceptable values are an integer,
+which may exceed 100,
+followed by a `%'
+(defaults to
+.BR 100% ).
+The value of
+.BR marginTYPE ,
+after this random increase,
+must not exceed
+.B lifeTYPE
+(where TYPE is one of
+.IR bytes ,
+.I packets
+or
+.IR time ).
+The value
+.B 0%
+will suppress randomization.
+Relevant only locally, other end need not agree on it. Also see EXPIRY/REKEY
+below.
+.TP
+.B rekeymargin
+synonym for
+.BR margintime .
+.TP
+.BR reqid " = <number>"
+sets the reqid for a given connection to a pre-configured fixed value.
+.TP
+.BR type " = " tunnel " | transport | transport_proxy | passthrough | drop"
+the type of the connection; currently the accepted values
+are
+.B tunnel
+(the default)
+signifying a host-to-host, host-to-subnet, or subnet-to-subnet tunnel;
+.BR transport ,
+signifying host-to-host transport mode;
+.BR transport_proxy ,
+signifying the special Mobile IPv6 transport proxy mode;
+.BR passthrough ,
+signifying that no IPsec processing should be done at all;
+.BR drop ,
+signifying that packets should be discarded; and
+.BR reject ,
+signifying that packets should be discarded and a diagnostic ICMP returned
+.RB ( reject
+is currently not supported by the NETKEY stack of the Linux 2.6 kernel).
+The IKEv2 daemon charon currently supports
+.BR tunnel ,
+.BR transport ,
+and
+.BR transport_proxy
+connection types, only.
+.TP
+.BR xauth " = " client " | server"
+specifies the role in the XAUTH protocol if activated by
+.B authby=xauthpsk
+or
+.B authby=xauthrsasig.
+Accepted values are
+.B server
+and
+.B client
+(the default).
+
+.SS "CONN PARAMETERS: IKEv2 MEDIATION EXTENSION"
+The following parameters are relevant to IKEv2 Mediation Extension
+operation only.
+.TP
+.BR mediation " = yes | " no
+whether this connection is a mediation connection, ie. whether this
+connection is used to mediate other connections.  Mediation connections
+create no child SA. Acceptable values are
+.B no
+(the default) and
+.BR yes .
+.TP
+.BR mediated_by " = <name>"
+the name of the connection to mediate this connection through.  If given,
+the connection will be mediated through the named mediation connection.
+The mediation connection must set
+.BR mediation=yes .
+.TP
+.BR me_peerid " = <id>"
+ID as which the peer is known to the mediation server, ie. which the other
+end of this connection uses as its
+.B leftid
+on its connection to the mediation server.  This is the ID we request the
+mediation server to mediate us with.  If
+.B me_peerid
+is not given, the
+.B rightid
+of this connection will be used as peer ID.
+
+.SH "CA SECTIONS"
+This are optional sections that can be used to assign special
+parameters to a Certification Authority (CA).
+.TP
+.BR also " = <name>"
+includes ca section
+.BR <name> .
+.TP
+.BR auto " = " ignore " | add"
+currently can have either the value
+.B ignore
+(the default) or
+.BR add .
+.TP
+.BR cacert " = <path>"
+defines a path to the CA certificate either relative to
+\fI/etc/ipsec.d/cacerts\fP or as an absolute path.
+.TP
+.BR crluri " = <uri>"
+defines a CRL distribution point (ldap, http, or file URI)
+.TP
+.B crluri1
+synonym for
+.B crluri.
+.TP
+.BR crluri2 " = <uri>"
+defines an alternative CRL distribution point (ldap, http, or file URI)
+.TP
+.BR ldaphost " = <hostname>"
+defines an ldap host. Currently used by IKEv1 only.
+.TP
+.BR ocspuri " = <uri>"
+defines an OCSP URI.
+.TP
+.B ocspuri1
+synonym for
+.B ocspuri.
+.TP
+.BR ocspuri2 " = <uri>"
+defines an alternative OCSP URI. Currently used by IKEv2 only.
+.TP
+.BR certuribase " = <uri>"
+defines the base URI for the Hash and URL feature supported by IKEv2.
+Instead of exchanging complete certificates, IKEv2 allows to send an URI
+that resolves to the DER encoded certificate. The certificate URIs are built
+by appending the SHA1 hash of the DER encoded certificates to this base URI.
+.SH "CONFIG SECTIONS"
+At present, the only
+.B config
+section known to the IPsec software is the one named
+.BR setup ,
+which contains information used when the software is being started.
+Here's an example:
+.PP
+.ne 8
+.nf
+.ft B
+.ta 1c
+config setup
+	plutodebug=all
+	crlcheckinterval=10m
+	strictcrlpolicy=yes
+.ft
+.fi
+.PP
+Parameters are optional unless marked ``(required)''.
+The currently-accepted
+.I parameter
+names in a
+.B config
+.B setup
+section affecting both daemons are:
+.TP
+.BR cachecrls " = yes | " no
+certificate revocation lists (CRLs) fetched via http or ldap will be cached in
+\fI/etc/ipsec.d/crls/\fR under a unique file name derived from the certification
+authority's public key.
+Accepted values are
+.B yes
+and
+.B no
+(the default). Only relevant for IKEv1, as CRLs are always cached in IKEv2.
+.TP
+.BR charonstart " = " yes " | no"
+whether to start the IKEv2 charon daemon or not.
+The default is
+.B yes
+if starter was compiled with IKEv2 support.
+.TP
+.BR plutostart " = " yes " | no"
+whether to start the IKEv1 pluto daemon or not.
+The default is
+.B yes
+if starter was compiled with IKEv1 support.
+.TP
+.BR strictcrlpolicy " = yes | ifuri | " no
+defines if a fresh CRL must be available in order for the peer authentication
+based on RSA signatures to succeed.
+IKEv2 additionally recognizes
+.B ifuri
+which reverts to
+.B yes
+if at least one CRL URI is defined and to
+.B no
+if no URI is known.
+.TP
+.BR uniqueids " = " yes " | no | replace | keep"
+whether a particular participant ID should be kept unique,
+with any new (automatically keyed)
+connection using an ID from a different IP address
+deemed to replace all old ones using that ID;
+acceptable values are
+.B yes
+(the default)
+and
+.BR no .
+Participant IDs normally \fIare\fR unique,
+so a new (automatically-keyed) connection using the same ID is
+almost invariably intended to replace an old one.
+The IKEv2 daemon also accepts the value
+.B replace
+wich is identical to
+.B yes
+and the value
+.B keep
+to reject new IKE_SA setups and keep the duplicate established earlier.
+.PP
+The following
+.B config section
+parameters are used by the IKEv1 Pluto daemon only:
+.TP
+.BR crlcheckinterval " = " 0s " | <time>"
+interval in seconds. CRL fetching is enabled if the value is greater than zero.
+Asynchronous, periodic checking for fresh CRLs is currently done by the
+IKEv1 Pluto daemon only.
+.TP
+.BR keep_alive " = " 20s " | <time>"
+interval in seconds between NAT keep alive packets, the default being 20 seconds.
+.TP
+.BR nat_traversal " = yes | " no
+activates NAT traversal by accepting source ISAKMP ports different from udp/500 and
+being able of floating to udp/4500 if a NAT situation is detected.
+Accepted values are
+.B yes
+and
+.B no
+(the default).
+Used by IKEv1 only, NAT traversal is always being active in IKEv2.
+.TP
+.BR nocrsend " = yes | " no
+no certificate request payloads will be sent.
+.TP
+.BR pkcs11initargs " = <args>"
+non-standard argument string for PKCS#11 C_Initialize() function;
+required by NSS softoken.
+.TP
+.BR pkcs11module " = <args>"
+defines the path to a dynamically loadable PKCS #11 library.
+.TP
+.BR pkcs11keepstate " = yes | " no
+PKCS #11 login sessions will be kept during the whole lifetime of the keying
+daemon. Useful with pin-pad smart card readers.
+Accepted values are
+.B yes
+and
+.B no
+(the default).
+.TP
+.BR pkcs11proxy " = yes | " no
+Pluto will act as a PKCS #11 proxy accessible via the whack interface.
+Accepted values are
+.B yes
+and
+.B no
+(the default).
+.TP
+.BR plutodebug " = " none " | <debug list> | all"
+how much pluto debugging output should be logged.
+An empty value,
+or the magic value
+.BR none ,
+means no debugging output (the default).
+The magic value
+.B all
+means full output.
+Otherwise only the specified types of output
+(a quoted list, names without the
+.B \-\-debug\-
+prefix,
+separated by white space) are enabled;
+for details on available debugging types, see
+.IR pluto (8).
+.TP
+.BR plutostderrlog " = <file>"
+Pluto will not use syslog, but rather log to stderr, and redirect stderr
+to <file>.
+.TP
+.BR postpluto " = <command>"
+shell command to run after starting pluto
+(e.g., to remove a decrypted copy of the
+.I ipsec.secrets
+file).
+It's run in a very simple way;
+complexities like I/O redirection are best hidden within a script.
+Any output is redirected for logging,
+so running interactive commands is difficult unless they use
+.I /dev/tty
+or equivalent for their interaction.
+Default is none.
+.TP
+.BR prepluto " = <command>"
+shell command to run before starting pluto
+(e.g., to decrypt an encrypted copy of the
+.I ipsec.secrets
+file).
+It's run in a very simple way;
+complexities like I/O redirection are best hidden within a script.
+Any output is redirected for logging,
+so running interactive commands is difficult unless they use
+.I /dev/tty
+or equivalent for their interaction.
+Default is none.
+.TP
+.BR virtual_private " = <networks>"
+defines private networks using a wildcard notation.
+.PP
+The following
+.B config section
+parameters are used by the IKEv2 charon daemon only:
+.TP
+.BR charondebug " = <debug list>"
+how much charon debugging output should be logged.
+A comma separated list containing type level/pairs may
+be specified, e.g:
+.B dmn 3, ike 1, net -1.
+Acceptable values for types are
+.B dmn, mgr, ike, chd, job, cfg, knl, net, enc, lib
+and the level is one of
+.B -1, 0, 1, 2, 3, 4
+(for silent, audit, control, controlmore, raw, private).
+For more flexibility see LOGGER CONFIGURATION in
+.IR strongswan.conf (5).
+
+.SH IKEv2 EXPIRY/REKEY
+The IKE SAs and IPsec SAs negotiated by the daemon can be configured to expire
+after a specific amount of time. For IPsec SAs this can also happen after a
+specified number of transmitted packets or transmitted bytes. The following
+settings can be used to configure this:
+.TS
+l r l r,- - - -,lB s lB s,a r a r.
+Setting	Default	Setting	Default
+IKE SA	IPsec SA
+ikelifetime	3h	lifebytes	-
+		lifepackets	-
+		lifetime	1h
+.TE
+.SS Rekeying
+IKE SAs as well as IPsec SAs can be rekeyed before they expire. This can be
+configured using the following settings:
+.TS
+l r l r,- - - -,lB s lB s,a r a r.
+Setting	Default	Setting	Default
+IKE and IPsec SA	IPsec SA
+margintime	9m	marginbytes	-
+		marginpackets	-
+.TE
+.SS Randomization
+To avoid collisions the specified margins are increased randomly before
+subtracting them from the expiration limits (see formula below). This is
+controlled by the
+.B rekeyfuzz
+setting:
+.TS
+l r,- -,lB s,a r.
+Setting	Default
+IKE and IPsec SA
+rekeyfuzz	100%
+.TE
+.PP
+Randomization can be disabled by setting
+.BR rekeyfuzz " to " 0% .
+.SS Formula
+The following formula is used to calculate the rekey time of IPsec SAs:
+.PP
+.EX
+ rekeytime = lifetime - (margintime + random(0, margintime * rekeyfuzz))
+.EE
+.PP
+It applies equally to IKE SAs and byte and packet limits for IPsec SAs.
+.SS Example
+Let's consider the default configuration:
+.PP
+.EX
+	lifetime = 1h
+	margintime = 9m
+	rekeyfuzz = 100%
+.EE
+.PP
+From the formula above follows that the rekey time lies between:
+.PP
+.EX
+	rekeytime_min = 1h - (9m + 9m) = 42m
+	rekeytime_max = 1h - (9m + 0m) = 51m
+.EE
+.PP
+Thus, the daemon will attempt to rekey the IPsec SA at a random time
+between 42 and 51 minutes after establishing the SA. Or, in other words,
+between 9 and 18 minutes before the SA expires.
+.SS Notes
+.IP \[bu]
+Since the rekeying of an SA needs some time, the margin values must not be
+too low.
+.IP \[bu]
+The value
+.B margin... + margin... * rekeyfuzz
+must not exceed the original limit. For example, specifying
+.B margintime = 30m
+in the default configuration is a bad idea as there is a chance that the rekey
+time equals zero and, thus, rekeying gets disabled.
+.SH FILES
+.nf
+/etc/ipsec.conf
+/etc/ipsec.d/aacerts
+/etc/ipsec.d/acerts
+/etc/ipsec.d/cacerts
+/etc/ipsec.d/certs
+/etc/ipsec.d/crls
+
+.SH SEE ALSO
+strongswan.conf(5), ipsec.secrets(5), ipsec(8), pluto(8)
+.SH HISTORY
+Originally written for the FreeS/WAN project by Henry Spencer.
+Updated and extended for the strongSwan project <http://www.strongswan.org> by
+Tobias Brunner, Andreas Steffen and Martin Willi.
+.SH BUGS
+.PP
+If conns are to be added before DNS is available, \fBleft=\fP\fIFQDN\fP
+will fail.
diff --git a/man/ipsec.secrets.5 b/man/ipsec.secrets.5
new file mode 100644
index 000000000..1e586a491
--- /dev/null
+++ b/man/ipsec.secrets.5
@@ -0,0 +1,176 @@
+.TH IPSEC.SECRETS 5 "2010-05-30" "4.5.0rc2" "strongSwan"
+.SH NAME
+ipsec.secrets \- secrets for IKE/IPsec authentication
+.SH DESCRIPTION
+The file \fIipsec.secrets\fP holds a table of secrets.
+These secrets are used by the strongSwan Internet Key Exchange (IKE) daemons
+pluto (IKEv1) and charon (IKEv2) to authenticate other hosts.
+.LP
+It is vital that these secrets be protected.  The file should be owned
+by the super-user,
+and its permissions should be set to block all access by others.
+.LP
+The file is a sequence of entries and include directives.
+Here is an example.
+.LP
+.RS
+.nf
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+192.168.0.1 %any : PSK "v+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL"
+
+: RSA moonKey.pem
+
+alice@strongswan.org : EAP "x3.dEhgN"
+
+carol : XAUTH "4iChxLT3"
+
+dave  : XAUTH "ryftzG4A"
+
+# get secrets from other files
+include ipsec.*.secrets
+.fi
+.RE
+.LP
+Each entry in the file is a list of optional ID selectors, followed by a secret.
+The two parts are separated by a colon (\fB:\fP) that is surrounded
+by whitespace. If no ID selectors are specified the line must start with a
+colon.
+.LP
+A selector is an IP address, a Fully Qualified Domain Name, user@FQDN,
+\fB%any\fP or \fB%any6\fP (other kinds may come).  An IP address may be written
+in the familiar dotted quad form or as a domain name to be looked up
+when the file is loaded.
+In many cases it is a bad idea to use domain names because
+the name server may not be running or may be insecure.  To denote a
+Fully Qualified Domain Name (as opposed to an IP address denoted by
+its domain name), precede the name with an at sign (\fB@\fP).
+.LP
+Matching IDs with selectors is fairly straightforward: they have to be
+equal.  In the case of a ``Road Warrior'' connection, if an equal
+match is not found for the Peer's ID, and it is in the form of an IP
+address, a selector of \fB%any\fP will match the peer's IP address if IPV4
+and \fB%any6\fP will match a the peer's IP address if IPV6.
+Currently, the obsolete notation \fB0.0.0.0\fP may be used in place of
+\fB%any\fP.
+.LP
+In IKEv1 an additional complexity
+arises in the case of authentication by preshared secret: the
+responder will need to look up the secret before the Peer's ID payload has
+been decoded, so the ID used will be the IP address.
+.LP
+To authenticate a connection between two hosts, the entry that most
+specifically matches the host and peer IDs is used.  An entry with no
+selectors will match any host and peer.  More specifically, an entry with one
+selector will match a host and peer if the selector matches the host's ID (the
+peer isn't considered).  Still more specifically, an entry with multiple
+selectors will match a host and peer if the host ID and peer ID each match one
+of the selectors.  If the key is for an asymmetric authentication technique
+(i.e. a public key system such as RSA), an entry with multiple selectors will
+match a host and peer even if only the host ID matches a selector (it is
+presumed that the selectors are all identities of the host).
+It is acceptable for two entries to be the best match as
+long as they agree about the secret or private key.
+.LP
+Authentication by preshared secret requires that both systems find the
+identical secret (the secret is not actually transmitted by the IKE
+protocol).  If both the host and peer appear in the selector list, the
+same entry will be suitable for both systems so verbatim copying
+between systems can be used.  This naturally extends to larger groups
+sharing the same secret.  Thus multiple-selector entries are best for PSK
+authentication.
+.LP
+Authentication by public key systems such as RSA requires that each host
+have its own private key.  A host could reasonably use a different private keys
+for different interfaces and for different peers.  But it would not
+be normal to share entries between systems.  Thus thus no-selector and
+one-selector forms of entry often make sense for public key authentication.
+.LP
+The key part of an entry must start with a token indicating the kind of
+key.  The following types of secrets are currently supported:
+.TP
+.B PSK
+defines a pre-shared key
+.TP
+.B RSA
+defines an RSA private key
+.TP
+.B ECDSA
+defines an ECDSA private key
+.TP
+.B EAP
+defines EAP credentials
+.TP
+.B XAUTH
+defines XAUTH credentials
+.TP
+.B PIN
+defines a smartcard PIN
+.LP
+Details on each type of secret are given below.
+.LP
+Whitespace at the end of a line is ignored. At the start of a line or
+after whitespace, \fB#\fP and the following text up to the end of the
+line is treated as a comment.
+.LP
+An include directive causes the contents of the named file to be processed
+before continuing with the current file.  The filename is subject to
+``globbing'' as in \fIsh\fP(1), so every file with a matching name
+is processed.  Includes may be nested to a modest
+depth (10, currently).  If the filename doesn't start with a \fB/\fP, the
+directory containing the current file is prepended to the name.  The
+include directive is a line that starts with the word \fBinclude\fP,
+followed by whitespace, followed by the filename (which must not contain
+whitespace).
+.SS TYPES OF SECRETS
+.TP
+.B [ <selectors> ] : PSK <secret>
+A preshared secret is most conveniently represented as a sequence of
+characters, delimited by double-quote characters (\fB"\fP).
+The sequence cannot contain a newline or double-quote.
+Strictly speaking, the secret is actually the sequence
+of bytes that is used in the file to represent the sequence of
+characters (excluding the delimiters).
+.TP
+.B [ <selectors> ] : RSA <private key file> [ <passphrase> | %prompt ]
+.TQ
+.B [ <selectors> ] : ECDSA <private key file> [ <passphrase> | %prompt ]
+For the private key file both absolute paths or paths relative to
+\fI/etc/ipsec.d/private\fP are accepted. If the private key file is
+encrypted, the \fIpassphrase\fP must be defined. Instead of a passphrase
+.B %prompt
+can be used which then causes the daemons to ask the user for the password
+whenever it is required to decrypt the key.
+.TP
+.B <user id> : EAP <secret>
+As with \fBPSK\fP secrets the \fIsecret\fP is a sequence of characters,
+delimited by double-quote characters (\fB"\fP).
+.br
+\fBEAP\fP secrets are IKEv2 only.
+.TP
+.B [ <servername> ] <username> : XAUTH <password>
+\fBXAUTH\fP secrets are IKEv1 only.
+.TP
+.B : PIN <smartcard selector> <pin code> | %prompt
+IKEv1 uses the format
+.B "%smartcard[<slot nr>[:<key id>]]"
+to specify the smartcard selector (e.g. %smartcard1:50).
+The IKEv2 daemon supports multiple modules with the format
+.B "%smartcard[<slot nr>[@<module>]]:<keyid>"
+, but always requires a keyid to uniquely select the correct key. Instead of
+specifying the pin code statically,
+.B %prompt
+can be specified, which causes the daemons to ask the user for the pin code.
+.LP
+
+.SH FILES
+/etc/ipsec.secrets
+.SH SEE ALSO
+ipsec.conf(5), strongswan.conf(5), ipsec(8)
+.br
+.SH HISTORY
+Originally written for the FreeS/WAN project by D. Hugh Redelmeier.
+Updated and extended for the strongSwan project <http://www.strongswan.org> by
+Tobias Brunner and Andreas Steffen.
+.SH BUGS
+If an ID is \fB0.0.0.0\fP, it will match \fB%any\fP;
+if it is \fB0::0\fP, it will match \fB%any6\fP.
diff --git a/man/ipsec.secrets.5.in b/man/ipsec.secrets.5.in
new file mode 100644
index 000000000..875b8e219
--- /dev/null
+++ b/man/ipsec.secrets.5.in
@@ -0,0 +1,176 @@
+.TH IPSEC.SECRETS 5 "2010-05-30" "@IPSEC_VERSION@" "strongSwan"
+.SH NAME
+ipsec.secrets \- secrets for IKE/IPsec authentication
+.SH DESCRIPTION
+The file \fIipsec.secrets\fP holds a table of secrets.
+These secrets are used by the strongSwan Internet Key Exchange (IKE) daemons
+pluto (IKEv1) and charon (IKEv2) to authenticate other hosts.
+.LP
+It is vital that these secrets be protected.  The file should be owned
+by the super-user,
+and its permissions should be set to block all access by others.
+.LP
+The file is a sequence of entries and include directives.
+Here is an example.
+.LP
+.RS
+.nf
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+192.168.0.1 %any : PSK "v+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL"
+
+: RSA moonKey.pem
+
+alice@strongswan.org : EAP "x3.dEhgN"
+
+carol : XAUTH "4iChxLT3"
+
+dave  : XAUTH "ryftzG4A"
+
+# get secrets from other files
+include ipsec.*.secrets
+.fi
+.RE
+.LP
+Each entry in the file is a list of optional ID selectors, followed by a secret.
+The two parts are separated by a colon (\fB:\fP) that is surrounded
+by whitespace. If no ID selectors are specified the line must start with a
+colon.
+.LP
+A selector is an IP address, a Fully Qualified Domain Name, user@FQDN,
+\fB%any\fP or \fB%any6\fP (other kinds may come).  An IP address may be written
+in the familiar dotted quad form or as a domain name to be looked up
+when the file is loaded.
+In many cases it is a bad idea to use domain names because
+the name server may not be running or may be insecure.  To denote a
+Fully Qualified Domain Name (as opposed to an IP address denoted by
+its domain name), precede the name with an at sign (\fB@\fP).
+.LP
+Matching IDs with selectors is fairly straightforward: they have to be
+equal.  In the case of a ``Road Warrior'' connection, if an equal
+match is not found for the Peer's ID, and it is in the form of an IP
+address, a selector of \fB%any\fP will match the peer's IP address if IPV4
+and \fB%any6\fP will match a the peer's IP address if IPV6.
+Currently, the obsolete notation \fB0.0.0.0\fP may be used in place of
+\fB%any\fP.
+.LP
+In IKEv1 an additional complexity
+arises in the case of authentication by preshared secret: the
+responder will need to look up the secret before the Peer's ID payload has
+been decoded, so the ID used will be the IP address.
+.LP
+To authenticate a connection between two hosts, the entry that most
+specifically matches the host and peer IDs is used.  An entry with no
+selectors will match any host and peer.  More specifically, an entry with one
+selector will match a host and peer if the selector matches the host's ID (the
+peer isn't considered).  Still more specifically, an entry with multiple
+selectors will match a host and peer if the host ID and peer ID each match one
+of the selectors.  If the key is for an asymmetric authentication technique
+(i.e. a public key system such as RSA), an entry with multiple selectors will
+match a host and peer even if only the host ID matches a selector (it is
+presumed that the selectors are all identities of the host).
+It is acceptable for two entries to be the best match as
+long as they agree about the secret or private key.
+.LP
+Authentication by preshared secret requires that both systems find the
+identical secret (the secret is not actually transmitted by the IKE
+protocol).  If both the host and peer appear in the selector list, the
+same entry will be suitable for both systems so verbatim copying
+between systems can be used.  This naturally extends to larger groups
+sharing the same secret.  Thus multiple-selector entries are best for PSK
+authentication.
+.LP
+Authentication by public key systems such as RSA requires that each host
+have its own private key.  A host could reasonably use a different private keys
+for different interfaces and for different peers.  But it would not
+be normal to share entries between systems.  Thus thus no-selector and
+one-selector forms of entry often make sense for public key authentication.
+.LP
+The key part of an entry must start with a token indicating the kind of
+key.  The following types of secrets are currently supported:
+.TP
+.B PSK
+defines a pre-shared key
+.TP
+.B RSA
+defines an RSA private key
+.TP
+.B ECDSA
+defines an ECDSA private key
+.TP
+.B EAP
+defines EAP credentials
+.TP
+.B XAUTH
+defines XAUTH credentials
+.TP
+.B PIN
+defines a smartcard PIN
+.LP
+Details on each type of secret are given below.
+.LP
+Whitespace at the end of a line is ignored. At the start of a line or
+after whitespace, \fB#\fP and the following text up to the end of the
+line is treated as a comment.
+.LP
+An include directive causes the contents of the named file to be processed
+before continuing with the current file.  The filename is subject to
+``globbing'' as in \fIsh\fP(1), so every file with a matching name
+is processed.  Includes may be nested to a modest
+depth (10, currently).  If the filename doesn't start with a \fB/\fP, the
+directory containing the current file is prepended to the name.  The
+include directive is a line that starts with the word \fBinclude\fP,
+followed by whitespace, followed by the filename (which must not contain
+whitespace).
+.SS TYPES OF SECRETS
+.TP
+.B [ <selectors> ] : PSK <secret>
+A preshared secret is most conveniently represented as a sequence of
+characters, delimited by double-quote characters (\fB"\fP).
+The sequence cannot contain a newline or double-quote.
+Strictly speaking, the secret is actually the sequence
+of bytes that is used in the file to represent the sequence of
+characters (excluding the delimiters).
+.TP
+.B [ <selectors> ] : RSA <private key file> [ <passphrase> | %prompt ]
+.TQ
+.B [ <selectors> ] : ECDSA <private key file> [ <passphrase> | %prompt ]
+For the private key file both absolute paths or paths relative to
+\fI/etc/ipsec.d/private\fP are accepted. If the private key file is
+encrypted, the \fIpassphrase\fP must be defined. Instead of a passphrase
+.B %prompt
+can be used which then causes the daemons to ask the user for the password
+whenever it is required to decrypt the key.
+.TP
+.B <user id> : EAP <secret>
+As with \fBPSK\fP secrets the \fIsecret\fP is a sequence of characters,
+delimited by double-quote characters (\fB"\fP).
+.br
+\fBEAP\fP secrets are IKEv2 only.
+.TP
+.B [ <servername> ] <username> : XAUTH <password>
+\fBXAUTH\fP secrets are IKEv1 only.
+.TP
+.B : PIN <smartcard selector> <pin code> | %prompt
+IKEv1 uses the format
+.B "%smartcard[<slot nr>[:<key id>]]"
+to specify the smartcard selector (e.g. %smartcard1:50).
+The IKEv2 daemon supports multiple modules with the format
+.B "%smartcard[<slot nr>[@<module>]]:<keyid>"
+, but always requires a keyid to uniquely select the correct key. Instead of
+specifying the pin code statically,
+.B %prompt
+can be specified, which causes the daemons to ask the user for the pin code.
+.LP
+
+.SH FILES
+/etc/ipsec.secrets
+.SH SEE ALSO
+ipsec.conf(5), strongswan.conf(5), ipsec(8)
+.br
+.SH HISTORY
+Originally written for the FreeS/WAN project by D. Hugh Redelmeier.
+Updated and extended for the strongSwan project <http://www.strongswan.org> by
+Tobias Brunner and Andreas Steffen.
+.SH BUGS
+If an ID is \fB0.0.0.0\fP, it will match \fB%any\fP;
+if it is \fB0::0\fP, it will match \fB%any6\fP.
diff --git a/man/strongswan.conf.5 b/man/strongswan.conf.5
new file mode 100644
index 000000000..2a8703503
--- /dev/null
+++ b/man/strongswan.conf.5
@@ -0,0 +1,910 @@
+.TH STRONGSWAN.CONF 5 "2010-09-09" "4.5.0rc2" "strongSwan"
+.SH NAME
+strongswan.conf \- strongSwan configuration file
+.SH DESCRIPTION
+While the
+.IR ipsec.conf (5)
+configuration file is well suited to define IPsec related configuration
+parameters, it is not useful for other strongSwan applications to read options
+from this file.
+The file is hard to parse and only
+.I ipsec starter
+is capable of doing so. As the number of components of the strongSwan project
+is continually growing, a more flexible configuration file was needed, one that
+is easy to extend and can be used by all components. With strongSwan 4.2.1
+.IR strongswan.conf (5)
+was introduced which meets these requirements.
+
+.SH SYNTAX
+The format of the strongswan.conf file consists of hierarchical
+.B sections
+and a list of
+.B key/value pairs
+in each section. Each section has a name, followed by C-Style curly brackets
+defining the section body. Each section body contains a set of subsections
+and key/value pairs:
+.PP
+.EX
+	settings := (section|keyvalue)*
+	section  := name { settings }
+	keyvalue := key = value\\n
+.EE
+.PP
+Values must be terminated by a newline.
+.PP
+Comments are possible using the \fB#\fP-character, but be careful: The parser
+implementation is currently limited and does not like brackets in comments.
+.PP
+Section names and keys may contain any printable character except:
+.PP
+.EX
+	. { } # \\n \\t space
+.EE
+.PP
+An example file in this format might look like this:
+.PP
+.EX
+	a = b
+	section-one {
+		somevalue = asdf
+		subsection {
+			othervalue = xxx
+		}
+		# yei, a comment
+		yetanother = zz
+	}
+	section-two {
+		x = 12
+	}
+.EE
+.PP
+Indentation is optional, you may use tabs or spaces.
+
+.SH READING VALUES
+Values are accessed using a dot-separated section list and a key.
+With reference to the example above, accessing
+.B section-one.subsection.othervalue
+will return
+.BR xxx .
+
+.SH DEFINED KEYS
+The following keys are currently defined (using dot notation). The default
+value (if any) is listed in brackets after the key.
+
+.SS charon section
+.TP
+.BR charon.block_threshold " [5]"
+Maximum number of half-open IKE_SAs for a single peer IP
+.TP
+.BR charon.close_ike_on_child_failure " [no]"
+Close the IKE_SA if setup of the CHILD_SA along with IKE_AUTH failed
+.TP
+.BR charon.cookie_threshold " [10]"
+Number of half-open IKE_SAs that activate the cookie mechanism
+.TP
+.BR charon.dns1
+.TQ
+.BR charon.dns2
+DNS servers assigned to peer via configuration payload (CP)
+.TP
+.BR charon.dos_protection " [yes]"
+Enable Denial of Service protection using cookies and aggressiveness checks
+.TP
+.BR charon.filelog
+Section to define file loggers, see LOGGER CONFIGURATION
+.TP
+.BR charon.flush_auth_cfg " [no]"
+
+.TP
+.BR charon.hash_and_url " [no]"
+Enable hash and URL support
+.TP
+.BR charon.ignore_routing_tables
+A list of routing tables to be excluded from route lookup
+.TP
+.BR charon.ikesa_table_segments " [1]"
+Number of exclusively locked segments in the hash table
+.TP
+.BR charon.ikesa_table_size " [1]"
+Size of the IKE_SA hash table
+.TP
+.BR charon.inactivity_close_ike " [no]"
+Whether to close IKE_SA if the only CHILD_SA closed due to inactivity
+.TP
+.BR charon.install_routes " [yes]"
+Install routes into a separate routing table for established IPsec tunnels
+.TP
+.BR charon.install_virtual_ip " [yes]"
+Install virtual IP addresses
+.TP
+.BR charon.keep_alive " [20s]"
+NAT keep alive interval
+.TP
+.BR charon.load
+Plugins to load in the IKEv2 daemon charon
+.TP
+.BR charon.max_packet " [10000]"
+Maximum packet size accepted by charon
+.TP
+.BR charon.multiple_authentication " [yes]"
+Enable multiple authentication exchanges (RFC 4739)
+.TP
+.BR charon.nbns1
+.TQ
+.BR charon.nbns2
+WINS servers assigned to peer via configuration payload (CP)
+.TP
+.BR charon.process_route " [yes]"
+Process RTM_NEWROUTE and RTM_DELROUTE events
+.TP
+.BR charon.receive_delay " [0]"
+Delay for receiving packets, to simulate larger RTT
+.TP
+.BR charon.receive_delay_response " [yes]"
+Delay response messages
+.TP
+.BR charon.receive_delay_request " [yes]"
+Delay request messages
+.TP
+.BR charon.receive_delay_type " [0]"
+Specific IKEv2 message type to delay, 0 for any
+.TP
+.BR charon.retransmit_base " [1.8]"
+Base to use for calculating exponential back off, see IKEv2 RETRANSMISSION
+.TP
+.BR charon.retransmit_timeout " [4.0]
+Timeout in seconds before sending first retransmit
+.TP
+.BR charon.retransmit_tries " [5]"
+Number of times to retransmit a packet before giving up
+.TP
+.BR charon.reuse_ikesa " [yes]
+Initiate CHILD_SA within existing IKE_SAs
+.TP
+.BR charon.routing_table
+Numerical routing table to install routes to
+.TP
+.BR charon.routing_table_prio
+Priority of the routing table
+.TP
+.BR charon.send_delay " [0]"
+Delay for sending packets, to simulate larger RTT
+.TP
+.BR charon.send_delay_response " [yes]"
+Delay response messages
+.TP
+.BR charon.send_delay_request " [yes]"
+Delay request messages
+.TP
+.BR charon.send_delay_type " [0]"
+Specific IKEv2 message type to delay, 0 for any
+.TP
+.BR charon.send_vendor_id " [no]
+Send strongSwan vendor ID payload
+.TP
+.BR charon.syslog
+Section to define syslog loggers, see LOGGER CONFIGURATION
+.TP
+.BR charon.threads " [16]"
+Number of worker threads in charon
+.SS charon.plugins subsection
+.TP
+.BR charon.plugins.android.loglevel " [1]"
+Loglevel for logging to Android specific logger
+.TP
+.BR charon.plugins.attr
+Section to specify arbitrary attributes that are assigned to a peer via
+configuration payload (CP)
+.TP
+.BR charon.plugins.dhcp.identity_lease " [no]"
+Derive user-defined MAC address from hash of IKEv2 identity
+.TP
+.BR charon.plugins.dhcp.server " [255.255.255.255]"
+DHCP server unicast or broadcast IP address
+.TP
+.BR charon.plugins.eap-aka.request_identity " [yes]"
+
+.TP
+.BR charon.plugins.eap-aka-3ggp2.seq_check
+
+.TP
+.BR charon.plugins.eap-gtc.pam_service " [login]"
+PAM service to be used for authentication
+.TP
+.BR charon.plugins.eap-radius.class_group " [no]"
+Use the
+.I class
+attribute sent in the RADIUS-Accept message as group membership information that
+is compared to the groups specified in the
+.B rightgroups
+option in
+.B ipsec.conf (5).
+.TP
+.BR charon.plugins.eap-radius.eap_start " [no]"
+Send EAP-Start instead of EAP-Identity to start RADIUS conversation
+.TP
+.BR charon.plugins.eap-radius.filter_id " [no]"
+If the RADIUS
+.I tunnel_type
+attribute with value
+.B ESP
+is received, use the
+.I filter_id 
+attribute sent in the RADIUS-Accept message as group membership information that
+is compared to the groups specified in the
+.B rightgroups
+option in
+.B ipsec.conf (5).
+.TP
+.BR charon.plugins.eap-radius.id_prefix
+Prefix to EAP-Identity, some AAA servers use a IMSI prefix to select the
+EAP method
+.TP
+.BR charon.plugins.eap-radius.nas_identifier " [strongSwan]"
+NAS-Identifier to include in RADIUS messages
+.TP
+.BR charon.plugins.eap-radius.port " [1812]"
+Port of RADIUS server (authentication)
+.TP
+.BR charon.plugins.eap-radius.secret
+Shared secret between RADIUS and NAS
+.TP
+.BR charon.plugins.eap-radius.server
+IP/Hostname of RADIUS server
+.TP
+.BR charon.plugins.eap-radius.servers
+Section to specify multiple RADIUS servers. The
+.BR nas_identifier ,
+.BR secret ,
+.B sockets
+and
+.B port
+options can be specified for each server. A server's IP/Hostname can be
+configured using the
+.B address
+option. For each RADIUS server a priority can be specified using the
+.BR preference " [0]"
+option.
+.TP
+.BR charon.plugins.eap-radius.sockets " [1]"
+Number of sockets (ports) to use, increase for high load
+.TP
+.BR charon.plugins.eap-sim.request_identity " [yes]"
+
+.TP
+.BR charon.plugins.eap-simaka-sql.database
+
+.TP
+.BR charon.plugins.eap-simaka-sql.remove_used
+
+.TP
+.BR charon.plugins.eap-tls.fragment_size " [1024]"
+Maximum size of an EAP-TLS packet
+.TP
+.BR charon.plugins.eap-tls.max_message_count " [32]"
+Maximum number of processed EAP-TLS packets
+.TP
+.BR charon.plugins.eap-tnc.fragment_size " [50000]"
+Maximum size of an EAP-TNC packet
+.TP
+.BR charon.plugins.eap-tnc.max_message_count " [10]"
+Maximum number of processed EAP-TNC packets
+.TP
+.BR charon.plugins.eap-ttls.fragment_size " [1024]"
+Maximum size of an EAP-TTLS packet
+.TP
+.BR charon.plugins.eap-ttls.max_message_count " [32]"
+Maximum number of processed EAP-TTLS packets
+.TP
+.BR charon.plugins.eap-ttls.phase2_method " [md5]"
+Phase2 EAP client authentication method
+.TP
+.BR charon.plugins.eap-ttls.phase2_piggyback " [no]"
+Phase2 EAP Identity request piggybacked by server onto TLS Finished message
+.TP
+.BR charon.plugins.eap-ttls.phase2_tnc " [no]"
+Start phase2 EAP TNC protocol after successful client authentication
+.TP
+.BR charon.plugins.eap-ttls.request_peer_auth " [no]"
+Request peer authentication based on a client certificate
+.TP
+.BR charon.plugins.ha.fifo_interface " [yes]"
+
+.TP
+.BR charon.plugins.ha.heartbeat_delay " [1000]"
+
+.TP
+.BR charon.plugins.ha.heartbeat_timeout " [2100]"
+
+.TP
+.BR charon.plugins.ha.local
+
+.TP
+.BR charon.plugins.ha.monitor " [yes]"
+
+.TP
+.BR charon.plugins.ha.pools
+
+.TP
+.BR charon.plugins.ha.remote
+ 
+.TP
+.BR charon.plugins.ha.resync " [yes]"
+
+.TP
+.BR charon.plugins.ha.secret
+
+.TP
+.BR charon.plugins.ha.segment_count " [1]"
+
+.TP
+.BR charon.plugins.led.activity_led
+
+.TP
+.BR charon.plugins.led.blink_time " [50]"
+
+.TP
+.BR charon.plugins.kernel-klips.ipsec_dev_count " [4]"
+Number of ipsecN devices
+.TP
+.BR charon.plugins.kernel-klips.ipsec_dev_mtu " [0]"
+Set MTU of ipsecN device
+.TP
+.BR charon.plugins.load-tester
+Section to configure the load-tester plugin, see LOAD TESTS
+.TP
+.BR charon.plugins.resolve.file " [/etc/resolv.conf]"
+File where to add DNS server entries
+.TP
+.BR charon.plugins.sql.database
+Database URI for charons SQL plugin
+.TP
+.BR charon.plugins.sql.loglevel " [-1]"
+Loglevel for logging to SQL database
+.TP
+.BR charon.plugins.tnc-imc.preferred_language " [en]"
+Preferred language for TNC recommendations
+.TP
+.BR charon.plugins.tnc-imc.tnc_config " [/etc/tnc_config]"
+TNC IMC configuration directory
+.TP
+.BR charon.plugins.tnc-imv.tnc_config " [/etc/tnc_config]"
+TNC IMV configuration directory
+.SS libstrongswan section
+.TP
+.BR libstrongswan.crypto_test.bench " [no]"
+
+.TP
+.BR libstrongswan.crypto_test.bench_size " [1024]"
+
+.TP
+.BR libstrongswan.crypto_test.bench_time " [50]"
+
+.TP
+.BR libstrongswan.crypto_test.on_add " [no]"
+Test crypto algorithms during registration
+.TP
+.BR libstrongswan.crypto_test.on_create " [no]"
+Test crypto algorithms on each crypto primitive instantiation
+.TP
+.BR libstrongswan.crypto_test.required " [no]"
+Strictly require at least one test vector to enable an algorithm
+.TP
+.BR libstrongswan.crypto_test.rng_true " [no]"
+Whether to test RNG with TRUE quality; requires a lot of entropy
+.TP
+.BR libstrongswan.dh_exponent_ansi_x9_42 " [yes]"
+Use ANSI X9.42 DH exponent size or optimum size matched to cryptographical
+strength
+.TP
+.BR libstrongswan.ecp_x_coordinate_only " [yes]"
+Compliance with the errata for RFC 4753
+.TP
+.BR libstrongswan.integrity_test " [no]"
+Check daemon, libstrongswan and plugin integrity at startup
+.TP
+.BR libstrongswan.leak_detective.detailed " [yes]"
+Includes source file names and line numbers in leak detective output
+.SS libstrongswan.plugins subsection
+.TP
+.BR libstrongswan.plugins.attr-sql.database
+Database URI for attr-sql plugin used by charon and pluto
+.TP
+.BR libstrongswan.plugins.attr-sql.lease_history " [yes]"
+Enable logging of SQL IP pool leases
+.TP
+.BR libstrongswan.plugins.gcrypt.quick_random " [no]"
+Use faster random numbers in gcrypt; for testing only, produces weak keys!
+.TP
+.BR libstrongswan.plugins.openssl.engine_id " [pkcs11]"
+ENGINE ID to use in the OpenSSL plugin
+.TP
+.BR libstrongswan.plugins.pkcs11.modules
+
+.TP
+.BR libstrongswan.plugins.pkcs11.use_hasher " [no]"
+
+.TP
+.BR libstrongswan.plugins.x509.enforce_critical " [no]"
+Discard certificates with unsupported or unknown critical extensions
+.SS libtls section
+.TP
+.BR libtls.cipher
+List of TLS encryption ciphers
+.TP
+.BR libtls.key_exchange
+List of TLS key exchange methods
+.TP
+.BR libtls.mac
+List of TLS MAC algorithms
+.TP
+.BR libtls.suites
+List of TLS cipher suites
+.SS manager section
+.TP
+.BR manager.database
+Credential database URI for manager
+.TP
+.BR manager.debug " [no]"
+Enable debugging in manager
+.TP
+.BR manager.load
+Plugins to load in manager
+.TP
+.BR manager.socket
+FastCGI socket of manager, to run it statically
+.TP
+.BR manager.threads " [10]"
+Threads to use for request handling
+.TP
+.BR manager.timeout " [15m]"
+Session timeout for manager
+.SS mediation client section
+.TP
+.BR medcli.database
+Mediation client database URI
+.TP
+.BR medcli.dpd " [5m]"
+DPD timeout to use in mediation client plugin
+.TP
+.BR medcli.rekey " [20m]"
+Rekeying time on mediation connections in mediation client plugin
+.SS mediation server section
+.TP
+.BR medsrv.database
+Mediation server database URI
+.TP
+.BR medsrv.debug " [no]"
+Debugging in mediation server web application
+.TP
+.BR medsrv.dpd " [5m]"
+DPD timeout to use in mediation server plugin
+.TP
+.BR medsrv.load
+Plugins to load in mediation server plugin
+.TP
+.BR medsrv.password_length " [6]"
+Minimum password length required for mediation server user accounts
+.TP
+.BR medsrv.rekey " [20m]"
+Rekeying time on mediation connections in mediation server plugin
+.TP
+.BR medsrv.socket
+Run Mediation server web application statically on socket
+.TP
+.BR medsrv.threads " [5]"
+Number of thread for mediation service web application
+.TP
+.BR medsrv.timeout " [15m]"
+Session timeout for mediation service
+.SS openac section
+.TP
+.BR openac.load
+Plugins to load in ipsec openac tool
+.SS pki section
+.TP
+.BR pki.load
+Plugins to load in ipsec pki tool
+.SS pluto section
+.TP
+.BR pluto.dns1
+.TQ
+.BR pluto.dns2
+DNS servers assigned to peer via Mode Config
+.TP
+.BR pluto.load
+Plugins to load in IKEv1 pluto daemon
+.TP
+.BR pluto.nbns1
+.TQ
+.BR pluto.nbns2
+WINS servers assigned to peer via Mode Config
+.TP
+.BR pluto.threads " [4]"
+Number of worker threads in pluto
+.SS pluto.plugins section
+.TP
+.BR pluto.plugins.attr
+Section to specify arbitrary attributes that are assigned to a peer via
+Mode Config
+.TP
+.BR charon.plugins.kernel-klips.ipsec_dev_count " [4]"
+Number of ipsecN devices
+.TP
+.BR charon.plugins.kernel-klips.ipsec_dev_mtu " [0]"
+Set MTU of ipsecN device
+.SS pool section
+.TP
+.BR pool.load
+Plugins to load in ipsec pool tool
+.SS scepclient section
+.TP
+.BR scepclient.load
+Plugins to load in ipsec scepclient tool
+.SS starter section
+.TP
+.BR starter.load_warning " [yes]"
+Disable charon/pluto plugin load option warning
+
+.SH LOGGER CONFIGURATION
+The options described below provide a much more flexible way to configure
+loggers for the IKEv2 daemon charon than using the
+.B charondebug
+option in
+.BR ipsec.conf (5).
+.PP
+.B Please note
+that if any loggers are specified in strongswan.conf,
+.B charondebug
+does not have any effect.
+.PP
+There are currently two types of loggers defined:
+.TP
+.B File loggers
+Log directly to a file and are defined by specifying the full path to the
+file as subsection in the
+.B charon.filelog
+section. To log to the console the two special filenames
+.BR stdout " and " stderr
+can be used.
+.TP
+.B Syslog loggers
+Log into a syslog facility and are defined by specifying the facility to log to
+as the name of a subsection in the
+.B charon.syslog
+section. The following facilities are currently supported:
+.BR daemon " and " auth .
+.PP
+Multiple loggers can be defined for each type with different log verbosity for
+the different subsystems of the daemon.
+.SS Options
+.TP
+.BR charon.filelog.<filename>.default " [1]"
+.TQ
+.BR charon.syslog.<facility>.default
+Specifies the default loglevel to be used for subsystems for which no specific
+loglevel is defined.
+.TP
+.BR charon.filelog.<filename>.<subsystem> " [<default>]"
+.TQ
+.BR charon.syslog.<facility>.<subsystem>
+Specifies the loglevel for the given subsystem.
+.TP
+.BR charon.filelog.<filename>.append " [yes]"
+If this option is enabled log entries are appended to the existing file.
+.TP
+.BR charon.filelog.<filename>.flush_line " [no]"
+Enabling this option disables block buffering and enables line buffering.
+.TP
+.BR charon.filelog.<filename>.ike_name " [no]"
+.TQ
+.BR charon.syslog.<facility>.ike_name
+Prefix each log entry with the connection name and a unique numerical
+identifier for each IKE_SA.
+.TP
+.BR charon.filelog.<filename>.time_format
+Prefix each log entry with a timestamp. The option accepts a format string as
+passed to
+.BR strftime (3).
+
+.SS Subsystems
+.TP
+.B dmn
+Main daemon setup/cleanup/signal handling
+.TP
+.B mgr
+IKE_SA manager, handling synchronization for IKE_SA access
+.TP
+.B ike
+IKE_SA
+.TP
+.B chd
+CHILD_SA
+.TP
+.B job
+Jobs queueing/processing and thread pool management
+.TP
+.B cfg
+Configuration management and plugins
+.TP
+.B knl
+IPsec/Networking kernel interface
+.TP
+.B net
+IKE network communication
+.TP
+.B enc
+Packet encoding/decoding encryption/decryption operations
+.TP
+.B tls
+libtls library messages
+.TP
+.B lib
+libstrongwan library messages
+.SS Loglevels
+.TP
+.B -1
+Absolutely silent
+.TP
+.B 0
+Very basic auditing logs, (e.g. SA up/SA down)
+.TP
+.B 1
+Generic control flow with errors, a good default to see whats going on
+.TP
+.B 2
+More detailed debugging control flow
+.TP
+.B 3
+Including RAW data dumps in Hex
+.TP
+.B 4
+Also include sensitive material in dumps, e.g. keys
+.SS Example
+.PP
+.EX
+	charon {
+		filelog {
+			/var/log/charon.log {
+				time_format = %b %e %T
+				append = no
+				default = 1
+			}
+			stderr {
+				ike = 2
+				knl = 3
+				ike_name = yes
+			}
+		}
+		syslog {
+			# enable logging to LOG_DAEMON, use defaults
+			daemon {
+			}
+			# minimalistic IKE auditing logging to LOG_AUTHPRIV
+			auth {
+				default = -1
+				ike = 0
+			}
+		}
+	}
+.EE
+
+.SH LOAD TESTS
+To do stability testing and performance optimizations, the IKEv2 daemon charon
+provides the load-tester plugin. This plugin allows to setup thousands of
+tunnels concurrently against the daemon itself or a remote host.
+.PP
+.B WARNING:
+Never enable the load-testing plugin on productive systems. It provides
+preconfigured credentials and allows an attacker to authenticate as any user.
+.SS Options
+.TP
+.BR charon.plugins.load-tester.child_rekey " [600]"
+Seconds to start CHILD_SA rekeying after setup
+.TP
+.BR charon.plugins.load-tester.delay " [0]"
+Delay between initiatons for each thread
+.TP
+.BR charon.plugins.load-tester.delete_after_established " [no]"
+Delete an IKE_SA as soon as it has been established
+.TP
+.BR charon.plugins.load-tester.dynamic_port " [0]"
+Base port to be used for requests (each client uses a different port)
+.TP
+.BR charon.plugins.load-tester.enable " [no]"
+Enable the load testing plugin
+.TP
+.BR charon.plugins.load-tester.fake_kernel " [no]"
+Fake the kernel interface to allow load-testing against self
+.TP
+.BR charon.plugins.load-tester.ike_rekey " [0]"
+Seconds to start IKE_SA rekeying after setup
+.TP
+.BR charon.plugins.load-tester.initiators " [0]"
+Number of concurrent initiator threads to use in load test
+.TP
+.BR charon.plugins.load-tester.initiator_auth " [pubkey]"
+Authentication method(s) the intiator uses
+.TP
+.BR charon.plugins.load-tester.iterations " [1]"
+Number of IKE_SAs to initate by each initiator in load test
+.TP
+.BR charon.plugins.load-tester.pool
+Provide INTERNAL_IPV4_ADDRs from a named pool
+.TP
+.BR charon.plugins.load-tester.proposal " [aes128-sha1-modp768]"
+IKE proposal to use in load test
+.TP
+.BR charon.plugins.load-tester.remote " [127.0.0.1]"
+Address to initiation connections to
+.TP
+.BR charon.plugins.load-tester.responder_auth " [pubkey]"
+Authentication method(s) the responder uses
+.TP
+.BR charon.plugins.load-tester.request_virtual_ip " [no]"
+Request an INTERNAL_IPV4_ADDR from the server
+.TP
+.BR charon.plugins.load-tester.shutdown_when_complete " [no]"
+Shutdown the daemon after all IKE_SAs have been established
+.SS Configuration details
+For public key authentication, the responder uses the
+.B \(dqCN=srv, OU=load-test, O=strongSwan\(dq
+identity. For the initiator, each connection attempt uses a different identity
+in the form
+.BR "\(dqCN=c1-r1, OU=load-test, O=strongSwan\(dq" ,
+where the first number inidicates the client number, the second the
+authentication round (if multiple authentication is used).
+.PP
+For PSK authentication, FQDN identities are used. The server uses
+.BR srv.strongswan.org ,
+the client uses an identity in the form
+.BR c1-r1.strongswan.org .
+.PP
+For EAP authentication, the client uses a NAI in the form
+.BR 100000000010001@strongswan.org .
+.PP
+To configure multiple authentication, concatenate multiple methods using, e.g.
+.EX
+	initiator_auth = pubkey|psk|eap-md5|eap-aka
+.EE
+.PP
+The responder uses a hardcoded certificate based on a 1024-bit RSA key.
+This certificate additionally serves as CA certificate. A peer uses the same
+private key, but generates client certificates on demand signed by the CA
+certificate. Install the Responder/CA certificate on the remote host to
+authenticate all clients.
+.PP
+To speed up testing, the load tester plugin implements a special Diffie-Hellman
+implementation called modpnull. By setting
+.EX
+	proposal = aes128-sha1-modpnull
+.EE
+this wicked fast DH implementation is used. It does not provide any security
+at all, but allows to run tests without DH calculation overhead.
+.SS Examples
+.PP
+In the simplest case, the daemon initiates IKE_SAs against itself using the
+loopback interface. This will actually establish double the number of IKE_SAs,
+as the daemon is initiator and responder for each IKE_SA at the same time.
+Installation of IPsec SAs would fails, as each SA gets installed twice. To
+simulate the correct behavior, a fake kernel interface can be enabled which does
+not install the IPsec SAs at the kernel level.
+.PP
+A simple loopback configuration might look like this:
+.PP
+.EX
+	charon {
+		# create new IKE_SAs for each CHILD_SA to simulate
+		# different clients
+		reuse_ikesa = no
+		# turn off denial of service protection
+		dos_protection = no
+
+		plugins {
+			load-tester {
+				# enable the plugin
+				enable = yes
+				# use 4 threads to initiate connections
+				# simultaneously
+				initiators = 4
+				# each thread initiates 1000 connections
+				iterations = 1000
+				# delay each initiation in each thread by 20ms
+				delay = 20
+				# enable the fake kernel interface to
+				# avoid SA conflicts
+				fake_kernel = yes
+			}
+		}
+	}
+.EE
+.PP
+This will initiate 4000 IKE_SAs within 20 seconds. You may increase the delay
+value if your box can not handle that much load, or decrease it to put more
+load on it. If the daemon starts retransmitting messages your box probably can
+not handle all connection attempts.
+.PP
+The plugin also allows to test against a remote host. This might help to test
+against a real world configuration. A connection setup to do stress testing of
+a gateway might look like this:
+.PP
+.EX
+	charon {
+		reuse_ikesa = no
+		threads = 32
+
+		plugins {
+			load-tester {
+				enable = yes
+				# 10000 connections, ten in parallel
+				initiators = 10
+				iterations = 1000
+				# use a delay of 100ms, overall time is:
+				# iterations * delay = 100s
+				delay = 100
+				# address of the gateway
+				remote = 1.2.3.4
+				# IKE-proposal to use
+				proposal = aes128-sha1-modp1024
+				# use faster PSK authentication instead
+				# of 1024bit RSA
+				initiator_auth = psk
+				responder_auth = psk
+				# request a virtual IP using configuration
+				# payloads
+				request_virtual_ip = yes
+				# enable CHILD_SA every 60s
+				child_rekey = 60
+			}
+		}
+	}
+.EE
+
+.SH IKEv2 RETRANSMISSION
+Retransmission timeouts in the IKEv2 daemon charon can be configured globally
+using the three keys listed below:
+.PP
+.RS
+.nf
+.BR charon.retransmit_base " [1.8]"
+.BR charon.retransmit_timeout " [4.0]"
+.BR charon.retransmit_tries " [5]"
+.fi
+.RE
+.PP
+The following algorithm is used to calculate the timeout:
+.PP
+.EX
+	relative timeout = retransmit_timeout * retransmit_base ^ (n-1)
+.EE
+.PP
+Where
+.I n
+is the current retransmission count.
+.PP
+Using the default values, packets are retransmitted in:
+
+.TS
+l r r
+---
+lB r r.
+Retransmission	Relative Timeout	Absolute Timeout
+1	4s	4s
+2	7s	11s
+3	13s	24s
+4	23s	47s
+5	42s	89s
+giving up	76s	165s
+.TE
+
+.SH FILES
+/etc/strongswan.conf
+
+.SH SEE ALSO
+ipsec.conf(5), ipsec.secrets(5), ipsec(8)
+.SH HISTORY
+Written for the
+.UR http://www.strongswan.org
+strongSwan project
+.UE
+by Tobias Brunner, Andreas Steffen and Martin Willi.
diff --git a/man/strongswan.conf.5.in b/man/strongswan.conf.5.in
new file mode 100644
index 000000000..77db9a3c0
--- /dev/null
+++ b/man/strongswan.conf.5.in
@@ -0,0 +1,910 @@
+.TH STRONGSWAN.CONF 5 "2010-09-09" "@IPSEC_VERSION@" "strongSwan"
+.SH NAME
+strongswan.conf \- strongSwan configuration file
+.SH DESCRIPTION
+While the
+.IR ipsec.conf (5)
+configuration file is well suited to define IPsec related configuration
+parameters, it is not useful for other strongSwan applications to read options
+from this file.
+The file is hard to parse and only
+.I ipsec starter
+is capable of doing so. As the number of components of the strongSwan project
+is continually growing, a more flexible configuration file was needed, one that
+is easy to extend and can be used by all components. With strongSwan 4.2.1
+.IR strongswan.conf (5)
+was introduced which meets these requirements.
+
+.SH SYNTAX
+The format of the strongswan.conf file consists of hierarchical
+.B sections
+and a list of
+.B key/value pairs
+in each section. Each section has a name, followed by C-Style curly brackets
+defining the section body. Each section body contains a set of subsections
+and key/value pairs:
+.PP
+.EX
+	settings := (section|keyvalue)*
+	section  := name { settings }
+	keyvalue := key = value\\n
+.EE
+.PP
+Values must be terminated by a newline.
+.PP
+Comments are possible using the \fB#\fP-character, but be careful: The parser
+implementation is currently limited and does not like brackets in comments.
+.PP
+Section names and keys may contain any printable character except:
+.PP
+.EX
+	. { } # \\n \\t space
+.EE
+.PP
+An example file in this format might look like this:
+.PP
+.EX
+	a = b
+	section-one {
+		somevalue = asdf
+		subsection {
+			othervalue = xxx
+		}
+		# yei, a comment
+		yetanother = zz
+	}
+	section-two {
+		x = 12
+	}
+.EE
+.PP
+Indentation is optional, you may use tabs or spaces.
+
+.SH READING VALUES
+Values are accessed using a dot-separated section list and a key.
+With reference to the example above, accessing
+.B section-one.subsection.othervalue
+will return
+.BR xxx .
+
+.SH DEFINED KEYS
+The following keys are currently defined (using dot notation). The default
+value (if any) is listed in brackets after the key.
+
+.SS charon section
+.TP
+.BR charon.block_threshold " [5]"
+Maximum number of half-open IKE_SAs for a single peer IP
+.TP
+.BR charon.close_ike_on_child_failure " [no]"
+Close the IKE_SA if setup of the CHILD_SA along with IKE_AUTH failed
+.TP
+.BR charon.cookie_threshold " [10]"
+Number of half-open IKE_SAs that activate the cookie mechanism
+.TP
+.BR charon.dns1
+.TQ
+.BR charon.dns2
+DNS servers assigned to peer via configuration payload (CP)
+.TP
+.BR charon.dos_protection " [yes]"
+Enable Denial of Service protection using cookies and aggressiveness checks
+.TP
+.BR charon.filelog
+Section to define file loggers, see LOGGER CONFIGURATION
+.TP
+.BR charon.flush_auth_cfg " [no]"
+
+.TP
+.BR charon.hash_and_url " [no]"
+Enable hash and URL support
+.TP
+.BR charon.ignore_routing_tables
+A list of routing tables to be excluded from route lookup
+.TP
+.BR charon.ikesa_table_segments " [1]"
+Number of exclusively locked segments in the hash table
+.TP
+.BR charon.ikesa_table_size " [1]"
+Size of the IKE_SA hash table
+.TP
+.BR charon.inactivity_close_ike " [no]"
+Whether to close IKE_SA if the only CHILD_SA closed due to inactivity
+.TP
+.BR charon.install_routes " [yes]"
+Install routes into a separate routing table for established IPsec tunnels
+.TP
+.BR charon.install_virtual_ip " [yes]"
+Install virtual IP addresses
+.TP
+.BR charon.keep_alive " [20s]"
+NAT keep alive interval
+.TP
+.BR charon.load
+Plugins to load in the IKEv2 daemon charon
+.TP
+.BR charon.max_packet " [10000]"
+Maximum packet size accepted by charon
+.TP
+.BR charon.multiple_authentication " [yes]"
+Enable multiple authentication exchanges (RFC 4739)
+.TP
+.BR charon.nbns1
+.TQ
+.BR charon.nbns2
+WINS servers assigned to peer via configuration payload (CP)
+.TP
+.BR charon.process_route " [yes]"
+Process RTM_NEWROUTE and RTM_DELROUTE events
+.TP
+.BR charon.receive_delay " [0]"
+Delay for receiving packets, to simulate larger RTT
+.TP
+.BR charon.receive_delay_response " [yes]"
+Delay response messages
+.TP
+.BR charon.receive_delay_request " [yes]"
+Delay request messages
+.TP
+.BR charon.receive_delay_type " [0]"
+Specific IKEv2 message type to delay, 0 for any
+.TP
+.BR charon.retransmit_base " [1.8]"
+Base to use for calculating exponential back off, see IKEv2 RETRANSMISSION
+.TP
+.BR charon.retransmit_timeout " [4.0]
+Timeout in seconds before sending first retransmit
+.TP
+.BR charon.retransmit_tries " [5]"
+Number of times to retransmit a packet before giving up
+.TP
+.BR charon.reuse_ikesa " [yes]
+Initiate CHILD_SA within existing IKE_SAs
+.TP
+.BR charon.routing_table
+Numerical routing table to install routes to
+.TP
+.BR charon.routing_table_prio
+Priority of the routing table
+.TP
+.BR charon.send_delay " [0]"
+Delay for sending packets, to simulate larger RTT
+.TP
+.BR charon.send_delay_response " [yes]"
+Delay response messages
+.TP
+.BR charon.send_delay_request " [yes]"
+Delay request messages
+.TP
+.BR charon.send_delay_type " [0]"
+Specific IKEv2 message type to delay, 0 for any
+.TP
+.BR charon.send_vendor_id " [no]
+Send strongSwan vendor ID payload
+.TP
+.BR charon.syslog
+Section to define syslog loggers, see LOGGER CONFIGURATION
+.TP
+.BR charon.threads " [16]"
+Number of worker threads in charon
+.SS charon.plugins subsection
+.TP
+.BR charon.plugins.android.loglevel " [1]"
+Loglevel for logging to Android specific logger
+.TP
+.BR charon.plugins.attr
+Section to specify arbitrary attributes that are assigned to a peer via
+configuration payload (CP)
+.TP
+.BR charon.plugins.dhcp.identity_lease " [no]"
+Derive user-defined MAC address from hash of IKEv2 identity
+.TP
+.BR charon.plugins.dhcp.server " [255.255.255.255]"
+DHCP server unicast or broadcast IP address
+.TP
+.BR charon.plugins.eap-aka.request_identity " [yes]"
+
+.TP
+.BR charon.plugins.eap-aka-3ggp2.seq_check
+
+.TP
+.BR charon.plugins.eap-gtc.pam_service " [login]"
+PAM service to be used for authentication
+.TP
+.BR charon.plugins.eap-radius.class_group " [no]"
+Use the
+.I class
+attribute sent in the RADIUS-Accept message as group membership information that
+is compared to the groups specified in the
+.B rightgroups
+option in
+.B ipsec.conf (5).
+.TP
+.BR charon.plugins.eap-radius.eap_start " [no]"
+Send EAP-Start instead of EAP-Identity to start RADIUS conversation
+.TP
+.BR charon.plugins.eap-radius.filter_id " [no]"
+If the RADIUS
+.I tunnel_type
+attribute with value
+.B ESP
+is received, use the
+.I filter_id 
+attribute sent in the RADIUS-Accept message as group membership information that
+is compared to the groups specified in the
+.B rightgroups
+option in
+.B ipsec.conf (5).
+.TP
+.BR charon.plugins.eap-radius.id_prefix
+Prefix to EAP-Identity, some AAA servers use a IMSI prefix to select the
+EAP method
+.TP
+.BR charon.plugins.eap-radius.nas_identifier " [strongSwan]"
+NAS-Identifier to include in RADIUS messages
+.TP
+.BR charon.plugins.eap-radius.port " [1812]"
+Port of RADIUS server (authentication)
+.TP
+.BR charon.plugins.eap-radius.secret
+Shared secret between RADIUS and NAS
+.TP
+.BR charon.plugins.eap-radius.server
+IP/Hostname of RADIUS server
+.TP
+.BR charon.plugins.eap-radius.servers
+Section to specify multiple RADIUS servers. The
+.BR nas_identifier ,
+.BR secret ,
+.B sockets
+and
+.B port
+options can be specified for each server. A server's IP/Hostname can be
+configured using the
+.B address
+option. For each RADIUS server a priority can be specified using the
+.BR preference " [0]"
+option.
+.TP
+.BR charon.plugins.eap-radius.sockets " [1]"
+Number of sockets (ports) to use, increase for high load
+.TP
+.BR charon.plugins.eap-sim.request_identity " [yes]"
+
+.TP
+.BR charon.plugins.eap-simaka-sql.database
+
+.TP
+.BR charon.plugins.eap-simaka-sql.remove_used
+
+.TP
+.BR charon.plugins.eap-tls.fragment_size " [1024]"
+Maximum size of an EAP-TLS packet
+.TP
+.BR charon.plugins.eap-tls.max_message_count " [32]"
+Maximum number of processed EAP-TLS packets
+.TP
+.BR charon.plugins.eap-tnc.fragment_size " [50000]"
+Maximum size of an EAP-TNC packet
+.TP
+.BR charon.plugins.eap-tnc.max_message_count " [10]"
+Maximum number of processed EAP-TNC packets
+.TP
+.BR charon.plugins.eap-ttls.fragment_size " [1024]"
+Maximum size of an EAP-TTLS packet
+.TP
+.BR charon.plugins.eap-ttls.max_message_count " [32]"
+Maximum number of processed EAP-TTLS packets
+.TP
+.BR charon.plugins.eap-ttls.phase2_method " [md5]"
+Phase2 EAP client authentication method
+.TP
+.BR charon.plugins.eap-ttls.phase2_piggyback " [no]"
+Phase2 EAP Identity request piggybacked by server onto TLS Finished message
+.TP
+.BR charon.plugins.eap-ttls.phase2_tnc " [no]"
+Start phase2 EAP TNC protocol after successful client authentication
+.TP
+.BR charon.plugins.eap-ttls.request_peer_auth " [no]"
+Request peer authentication based on a client certificate
+.TP
+.BR charon.plugins.ha.fifo_interface " [yes]"
+
+.TP
+.BR charon.plugins.ha.heartbeat_delay " [1000]"
+
+.TP
+.BR charon.plugins.ha.heartbeat_timeout " [2100]"
+
+.TP
+.BR charon.plugins.ha.local
+
+.TP
+.BR charon.plugins.ha.monitor " [yes]"
+
+.TP
+.BR charon.plugins.ha.pools
+
+.TP
+.BR charon.plugins.ha.remote
+ 
+.TP
+.BR charon.plugins.ha.resync " [yes]"
+
+.TP
+.BR charon.plugins.ha.secret
+
+.TP
+.BR charon.plugins.ha.segment_count " [1]"
+
+.TP
+.BR charon.plugins.led.activity_led
+
+.TP
+.BR charon.plugins.led.blink_time " [50]"
+
+.TP
+.BR charon.plugins.kernel-klips.ipsec_dev_count " [4]"
+Number of ipsecN devices
+.TP
+.BR charon.plugins.kernel-klips.ipsec_dev_mtu " [0]"
+Set MTU of ipsecN device
+.TP
+.BR charon.plugins.load-tester
+Section to configure the load-tester plugin, see LOAD TESTS
+.TP
+.BR charon.plugins.resolve.file " [/etc/resolv.conf]"
+File where to add DNS server entries
+.TP
+.BR charon.plugins.sql.database
+Database URI for charons SQL plugin
+.TP
+.BR charon.plugins.sql.loglevel " [-1]"
+Loglevel for logging to SQL database
+.TP
+.BR charon.plugins.tnc-imc.preferred_language " [en]"
+Preferred language for TNC recommendations
+.TP
+.BR charon.plugins.tnc-imc.tnc_config " [/etc/tnc_config]"
+TNC IMC configuration directory
+.TP
+.BR charon.plugins.tnc-imv.tnc_config " [/etc/tnc_config]"
+TNC IMV configuration directory
+.SS libstrongswan section
+.TP
+.BR libstrongswan.crypto_test.bench " [no]"
+
+.TP
+.BR libstrongswan.crypto_test.bench_size " [1024]"
+
+.TP
+.BR libstrongswan.crypto_test.bench_time " [50]"
+
+.TP
+.BR libstrongswan.crypto_test.on_add " [no]"
+Test crypto algorithms during registration
+.TP
+.BR libstrongswan.crypto_test.on_create " [no]"
+Test crypto algorithms on each crypto primitive instantiation
+.TP
+.BR libstrongswan.crypto_test.required " [no]"
+Strictly require at least one test vector to enable an algorithm
+.TP
+.BR libstrongswan.crypto_test.rng_true " [no]"
+Whether to test RNG with TRUE quality; requires a lot of entropy
+.TP
+.BR libstrongswan.dh_exponent_ansi_x9_42 " [yes]"
+Use ANSI X9.42 DH exponent size or optimum size matched to cryptographical
+strength
+.TP
+.BR libstrongswan.ecp_x_coordinate_only " [yes]"
+Compliance with the errata for RFC 4753
+.TP
+.BR libstrongswan.integrity_test " [no]"
+Check daemon, libstrongswan and plugin integrity at startup
+.TP
+.BR libstrongswan.leak_detective.detailed " [yes]"
+Includes source file names and line numbers in leak detective output
+.SS libstrongswan.plugins subsection
+.TP
+.BR libstrongswan.plugins.attr-sql.database
+Database URI for attr-sql plugin used by charon and pluto
+.TP
+.BR libstrongswan.plugins.attr-sql.lease_history " [yes]"
+Enable logging of SQL IP pool leases
+.TP
+.BR libstrongswan.plugins.gcrypt.quick_random " [no]"
+Use faster random numbers in gcrypt; for testing only, produces weak keys!
+.TP
+.BR libstrongswan.plugins.openssl.engine_id " [pkcs11]"
+ENGINE ID to use in the OpenSSL plugin
+.TP
+.BR libstrongswan.plugins.pkcs11.modules
+
+.TP
+.BR libstrongswan.plugins.pkcs11.use_hasher " [no]"
+
+.TP
+.BR libstrongswan.plugins.x509.enforce_critical " [no]"
+Discard certificates with unsupported or unknown critical extensions
+.SS libtls section
+.TP
+.BR libtls.cipher
+List of TLS encryption ciphers
+.TP
+.BR libtls.key_exchange
+List of TLS key exchange methods
+.TP
+.BR libtls.mac
+List of TLS MAC algorithms
+.TP
+.BR libtls.suites
+List of TLS cipher suites
+.SS manager section
+.TP
+.BR manager.database
+Credential database URI for manager
+.TP
+.BR manager.debug " [no]"
+Enable debugging in manager
+.TP
+.BR manager.load
+Plugins to load in manager
+.TP
+.BR manager.socket
+FastCGI socket of manager, to run it statically
+.TP
+.BR manager.threads " [10]"
+Threads to use for request handling
+.TP
+.BR manager.timeout " [15m]"
+Session timeout for manager
+.SS mediation client section
+.TP
+.BR medcli.database
+Mediation client database URI
+.TP
+.BR medcli.dpd " [5m]"
+DPD timeout to use in mediation client plugin
+.TP
+.BR medcli.rekey " [20m]"
+Rekeying time on mediation connections in mediation client plugin
+.SS mediation server section
+.TP
+.BR medsrv.database
+Mediation server database URI
+.TP
+.BR medsrv.debug " [no]"
+Debugging in mediation server web application
+.TP
+.BR medsrv.dpd " [5m]"
+DPD timeout to use in mediation server plugin
+.TP
+.BR medsrv.load
+Plugins to load in mediation server plugin
+.TP
+.BR medsrv.password_length " [6]"
+Minimum password length required for mediation server user accounts
+.TP
+.BR medsrv.rekey " [20m]"
+Rekeying time on mediation connections in mediation server plugin
+.TP
+.BR medsrv.socket
+Run Mediation server web application statically on socket
+.TP
+.BR medsrv.threads " [5]"
+Number of thread for mediation service web application
+.TP
+.BR medsrv.timeout " [15m]"
+Session timeout for mediation service
+.SS openac section
+.TP
+.BR openac.load
+Plugins to load in ipsec openac tool
+.SS pki section
+.TP
+.BR pki.load
+Plugins to load in ipsec pki tool
+.SS pluto section
+.TP
+.BR pluto.dns1
+.TQ
+.BR pluto.dns2
+DNS servers assigned to peer via Mode Config
+.TP
+.BR pluto.load
+Plugins to load in IKEv1 pluto daemon
+.TP
+.BR pluto.nbns1
+.TQ
+.BR pluto.nbns2
+WINS servers assigned to peer via Mode Config
+.TP
+.BR pluto.threads " [4]"
+Number of worker threads in pluto
+.SS pluto.plugins section
+.TP
+.BR pluto.plugins.attr
+Section to specify arbitrary attributes that are assigned to a peer via
+Mode Config
+.TP
+.BR charon.plugins.kernel-klips.ipsec_dev_count " [4]"
+Number of ipsecN devices
+.TP
+.BR charon.plugins.kernel-klips.ipsec_dev_mtu " [0]"
+Set MTU of ipsecN device
+.SS pool section
+.TP
+.BR pool.load
+Plugins to load in ipsec pool tool
+.SS scepclient section
+.TP
+.BR scepclient.load
+Plugins to load in ipsec scepclient tool
+.SS starter section
+.TP
+.BR starter.load_warning " [yes]"
+Disable charon/pluto plugin load option warning
+
+.SH LOGGER CONFIGURATION
+The options described below provide a much more flexible way to configure
+loggers for the IKEv2 daemon charon than using the
+.B charondebug
+option in
+.BR ipsec.conf (5).
+.PP
+.B Please note
+that if any loggers are specified in strongswan.conf,
+.B charondebug
+does not have any effect.
+.PP
+There are currently two types of loggers defined:
+.TP
+.B File loggers
+Log directly to a file and are defined by specifying the full path to the
+file as subsection in the
+.B charon.filelog
+section. To log to the console the two special filenames
+.BR stdout " and " stderr
+can be used.
+.TP
+.B Syslog loggers
+Log into a syslog facility and are defined by specifying the facility to log to
+as the name of a subsection in the
+.B charon.syslog
+section. The following facilities are currently supported:
+.BR daemon " and " auth .
+.PP
+Multiple loggers can be defined for each type with different log verbosity for
+the different subsystems of the daemon.
+.SS Options
+.TP
+.BR charon.filelog.<filename>.default " [1]"
+.TQ
+.BR charon.syslog.<facility>.default
+Specifies the default loglevel to be used for subsystems for which no specific
+loglevel is defined.
+.TP
+.BR charon.filelog.<filename>.<subsystem> " [<default>]"
+.TQ
+.BR charon.syslog.<facility>.<subsystem>
+Specifies the loglevel for the given subsystem.
+.TP
+.BR charon.filelog.<filename>.append " [yes]"
+If this option is enabled log entries are appended to the existing file.
+.TP
+.BR charon.filelog.<filename>.flush_line " [no]"
+Enabling this option disables block buffering and enables line buffering.
+.TP
+.BR charon.filelog.<filename>.ike_name " [no]"
+.TQ
+.BR charon.syslog.<facility>.ike_name
+Prefix each log entry with the connection name and a unique numerical
+identifier for each IKE_SA.
+.TP
+.BR charon.filelog.<filename>.time_format
+Prefix each log entry with a timestamp. The option accepts a format string as
+passed to
+.BR strftime (3).
+
+.SS Subsystems
+.TP
+.B dmn
+Main daemon setup/cleanup/signal handling
+.TP
+.B mgr
+IKE_SA manager, handling synchronization for IKE_SA access
+.TP
+.B ike
+IKE_SA
+.TP
+.B chd
+CHILD_SA
+.TP
+.B job
+Jobs queueing/processing and thread pool management
+.TP
+.B cfg
+Configuration management and plugins
+.TP
+.B knl
+IPsec/Networking kernel interface
+.TP
+.B net
+IKE network communication
+.TP
+.B enc
+Packet encoding/decoding encryption/decryption operations
+.TP
+.B tls
+libtls library messages
+.TP
+.B lib
+libstrongwan library messages
+.SS Loglevels
+.TP
+.B -1
+Absolutely silent
+.TP
+.B 0
+Very basic auditing logs, (e.g. SA up/SA down)
+.TP
+.B 1
+Generic control flow with errors, a good default to see whats going on
+.TP
+.B 2
+More detailed debugging control flow
+.TP
+.B 3
+Including RAW data dumps in Hex
+.TP
+.B 4
+Also include sensitive material in dumps, e.g. keys
+.SS Example
+.PP
+.EX
+	charon {
+		filelog {
+			/var/log/charon.log {
+				time_format = %b %e %T
+				append = no
+				default = 1
+			}
+			stderr {
+				ike = 2
+				knl = 3
+				ike_name = yes
+			}
+		}
+		syslog {
+			# enable logging to LOG_DAEMON, use defaults
+			daemon {
+			}
+			# minimalistic IKE auditing logging to LOG_AUTHPRIV
+			auth {
+				default = -1
+				ike = 0
+			}
+		}
+	}
+.EE
+
+.SH LOAD TESTS
+To do stability testing and performance optimizations, the IKEv2 daemon charon
+provides the load-tester plugin. This plugin allows to setup thousands of
+tunnels concurrently against the daemon itself or a remote host.
+.PP
+.B WARNING:
+Never enable the load-testing plugin on productive systems. It provides
+preconfigured credentials and allows an attacker to authenticate as any user.
+.SS Options
+.TP
+.BR charon.plugins.load-tester.child_rekey " [600]"
+Seconds to start CHILD_SA rekeying after setup
+.TP
+.BR charon.plugins.load-tester.delay " [0]"
+Delay between initiatons for each thread
+.TP
+.BR charon.plugins.load-tester.delete_after_established " [no]"
+Delete an IKE_SA as soon as it has been established
+.TP
+.BR charon.plugins.load-tester.dynamic_port " [0]"
+Base port to be used for requests (each client uses a different port)
+.TP
+.BR charon.plugins.load-tester.enable " [no]"
+Enable the load testing plugin
+.TP
+.BR charon.plugins.load-tester.fake_kernel " [no]"
+Fake the kernel interface to allow load-testing against self
+.TP
+.BR charon.plugins.load-tester.ike_rekey " [0]"
+Seconds to start IKE_SA rekeying after setup
+.TP
+.BR charon.plugins.load-tester.initiators " [0]"
+Number of concurrent initiator threads to use in load test
+.TP
+.BR charon.plugins.load-tester.initiator_auth " [pubkey]"
+Authentication method(s) the intiator uses
+.TP
+.BR charon.plugins.load-tester.iterations " [1]"
+Number of IKE_SAs to initate by each initiator in load test
+.TP
+.BR charon.plugins.load-tester.pool
+Provide INTERNAL_IPV4_ADDRs from a named pool
+.TP
+.BR charon.plugins.load-tester.proposal " [aes128-sha1-modp768]"
+IKE proposal to use in load test
+.TP
+.BR charon.plugins.load-tester.remote " [127.0.0.1]"
+Address to initiation connections to
+.TP
+.BR charon.plugins.load-tester.responder_auth " [pubkey]"
+Authentication method(s) the responder uses
+.TP
+.BR charon.plugins.load-tester.request_virtual_ip " [no]"
+Request an INTERNAL_IPV4_ADDR from the server
+.TP
+.BR charon.plugins.load-tester.shutdown_when_complete " [no]"
+Shutdown the daemon after all IKE_SAs have been established
+.SS Configuration details
+For public key authentication, the responder uses the
+.B \(dqCN=srv, OU=load-test, O=strongSwan\(dq
+identity. For the initiator, each connection attempt uses a different identity
+in the form
+.BR "\(dqCN=c1-r1, OU=load-test, O=strongSwan\(dq" ,
+where the first number inidicates the client number, the second the
+authentication round (if multiple authentication is used).
+.PP
+For PSK authentication, FQDN identities are used. The server uses
+.BR srv.strongswan.org ,
+the client uses an identity in the form
+.BR c1-r1.strongswan.org .
+.PP
+For EAP authentication, the client uses a NAI in the form
+.BR 100000000010001@strongswan.org .
+.PP
+To configure multiple authentication, concatenate multiple methods using, e.g.
+.EX
+	initiator_auth = pubkey|psk|eap-md5|eap-aka
+.EE
+.PP
+The responder uses a hardcoded certificate based on a 1024-bit RSA key.
+This certificate additionally serves as CA certificate. A peer uses the same
+private key, but generates client certificates on demand signed by the CA
+certificate. Install the Responder/CA certificate on the remote host to
+authenticate all clients.
+.PP
+To speed up testing, the load tester plugin implements a special Diffie-Hellman
+implementation called modpnull. By setting
+.EX
+	proposal = aes128-sha1-modpnull
+.EE
+this wicked fast DH implementation is used. It does not provide any security
+at all, but allows to run tests without DH calculation overhead.
+.SS Examples
+.PP
+In the simplest case, the daemon initiates IKE_SAs against itself using the
+loopback interface. This will actually establish double the number of IKE_SAs,
+as the daemon is initiator and responder for each IKE_SA at the same time.
+Installation of IPsec SAs would fails, as each SA gets installed twice. To
+simulate the correct behavior, a fake kernel interface can be enabled which does
+not install the IPsec SAs at the kernel level.
+.PP
+A simple loopback configuration might look like this:
+.PP
+.EX
+	charon {
+		# create new IKE_SAs for each CHILD_SA to simulate
+		# different clients
+		reuse_ikesa = no
+		# turn off denial of service protection
+		dos_protection = no
+
+		plugins {
+			load-tester {
+				# enable the plugin
+				enable = yes
+				# use 4 threads to initiate connections
+				# simultaneously
+				initiators = 4
+				# each thread initiates 1000 connections
+				iterations = 1000
+				# delay each initiation in each thread by 20ms
+				delay = 20
+				# enable the fake kernel interface to
+				# avoid SA conflicts
+				fake_kernel = yes
+			}
+		}
+	}
+.EE
+.PP
+This will initiate 4000 IKE_SAs within 20 seconds. You may increase the delay
+value if your box can not handle that much load, or decrease it to put more
+load on it. If the daemon starts retransmitting messages your box probably can
+not handle all connection attempts.
+.PP
+The plugin also allows to test against a remote host. This might help to test
+against a real world configuration. A connection setup to do stress testing of
+a gateway might look like this:
+.PP
+.EX
+	charon {
+		reuse_ikesa = no
+		threads = 32
+
+		plugins {
+			load-tester {
+				enable = yes
+				# 10000 connections, ten in parallel
+				initiators = 10
+				iterations = 1000
+				# use a delay of 100ms, overall time is:
+				# iterations * delay = 100s
+				delay = 100
+				# address of the gateway
+				remote = 1.2.3.4
+				# IKE-proposal to use
+				proposal = aes128-sha1-modp1024
+				# use faster PSK authentication instead
+				# of 1024bit RSA
+				initiator_auth = psk
+				responder_auth = psk
+				# request a virtual IP using configuration
+				# payloads
+				request_virtual_ip = yes
+				# enable CHILD_SA every 60s
+				child_rekey = 60
+			}
+		}
+	}
+.EE
+
+.SH IKEv2 RETRANSMISSION
+Retransmission timeouts in the IKEv2 daemon charon can be configured globally
+using the three keys listed below:
+.PP
+.RS
+.nf
+.BR charon.retransmit_base " [1.8]"
+.BR charon.retransmit_timeout " [4.0]"
+.BR charon.retransmit_tries " [5]"
+.fi
+.RE
+.PP
+The following algorithm is used to calculate the timeout:
+.PP
+.EX
+	relative timeout = retransmit_timeout * retransmit_base ^ (n-1)
+.EE
+.PP
+Where
+.I n
+is the current retransmission count.
+.PP
+Using the default values, packets are retransmitted in:
+
+.TS
+l r r
+---
+lB r r.
+Retransmission	Relative Timeout	Absolute Timeout
+1	4s	4s
+2	7s	11s
+3	13s	24s
+4	23s	47s
+5	42s	89s
+giving up	76s	165s
+.TE
+
+.SH FILES
+/etc/strongswan.conf
+
+.SH SEE ALSO
+ipsec.conf(5), ipsec.secrets(5), ipsec(8)
+.SH HISTORY
+Written for the
+.UR http://www.strongswan.org
+strongSwan project
+.UE
+by Tobias Brunner, Andreas Steffen and Martin Willi.
diff --git a/scripts/Makefile.am b/scripts/Makefile.am
index 70a56f697..827fb7dfb 100644
--- a/scripts/Makefile.am
+++ b/scripts/Makefile.am
@@ -1,9 +1,17 @@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libtls
 AM_CFLAGS = \
--DPLUGINS="\"${libstrongswan_plugins}\""
+-DPLUGINS="\"${scripts_plugins}\""
 
 noinst_PROGRAMS = bin2array bin2sql id2sql key2keyid keyid2sql \
-	thread_analysis dh_speed pubkey_speed
+	thread_analysis dh_speed pubkey_speed crypt_burn
+
+if USE_TLS
+	noinst_PROGRAMS += tls_test
+	tls_test_SOURCES = tls_test.c
+	tls_test_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la \
+			$(top_builddir)/src/libtls/libtls.la
+endif
+
 bin2array_SOURCES = bin2array.c
 bin2sql_SOURCES = bin2sql.c
 id2sql_SOURCES = id2sql.c
@@ -12,11 +20,13 @@ keyid2sql_SOURCES = keyid2sql.c
 thread_analysis_SOURCES = thread_analysis.c
 dh_speed_SOURCES = dh_speed.c
 pubkey_speed_SOURCES = pubkey_speed.c
+crypt_burn_SOURCES = crypt_burn.c
 id2sql_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 key2keyid_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 keyid2sql_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 dh_speed_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -lrt
 pubkey_speed_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -lrt
+crypt_burn_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 
 key2keyid.o :	$(top_builddir)/config.status
 
diff --git a/scripts/Makefile.in b/scripts/Makefile.in
index 20e6df94c..e28424350 100644
--- a/scripts/Makefile.in
+++ b/scripts/Makefile.in
@@ -36,7 +36,7 @@ build_triplet = @build@
 host_triplet = @host@
 noinst_PROGRAMS = bin2array$(EXEEXT) bin2sql$(EXEEXT) id2sql$(EXEEXT) \
 	key2keyid$(EXEEXT) keyid2sql$(EXEEXT) thread_analysis$(EXEEXT) \
-	dh_speed$(EXEEXT) pubkey_speed$(EXEEXT)
+	dh_speed$(EXEEXT) pubkey_speed$(EXEEXT) crypt_burn$(EXEEXT)
 subdir = scripts
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
@@ -47,6 +47,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -60,6 +61,10 @@ bin2array_LDADD = $(LDADD)
 am_bin2sql_OBJECTS = bin2sql.$(OBJEXT)
 bin2sql_OBJECTS = $(am_bin2sql_OBJECTS)
 bin2sql_LDADD = $(LDADD)
+am_crypt_burn_OBJECTS = crypt_burn.$(OBJEXT)
+crypt_burn_OBJECTS = $(am_crypt_burn_OBJECTS)
+crypt_burn_DEPENDENCIES =  \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la
 am_dh_speed_OBJECTS = dh_speed.$(OBJEXT)
 dh_speed_OBJECTS = $(am_dh_speed_OBJECTS)
 dh_speed_DEPENDENCIES =  \
@@ -96,13 +101,14 @@ CCLD = $(CC)
 LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
 	$(LDFLAGS) -o $@
-SOURCES = $(bin2array_SOURCES) $(bin2sql_SOURCES) $(dh_speed_SOURCES) \
-	$(id2sql_SOURCES) $(key2keyid_SOURCES) $(keyid2sql_SOURCES) \
+SOURCES = $(bin2array_SOURCES) $(bin2sql_SOURCES) \
+	$(crypt_burn_SOURCES) $(dh_speed_SOURCES) $(id2sql_SOURCES) \
+	$(key2keyid_SOURCES) $(keyid2sql_SOURCES) \
 	$(pubkey_speed_SOURCES) $(thread_analysis_SOURCES)
 DIST_SOURCES = $(bin2array_SOURCES) $(bin2sql_SOURCES) \
-	$(dh_speed_SOURCES) $(id2sql_SOURCES) $(key2keyid_SOURCES) \
-	$(keyid2sql_SOURCES) $(pubkey_speed_SOURCES) \
-	$(thread_analysis_SOURCES)
+	$(crypt_burn_SOURCES) $(dh_speed_SOURCES) $(id2sql_SOURCES) \
+	$(key2keyid_SOURCES) $(keyid2sql_SOURCES) \
+	$(pubkey_speed_SOURCES) $(thread_analysis_SOURCES)
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -171,6 +177,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -202,14 +210,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -224,24 +235,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -249,7 +267,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
@@ -261,9 +282,9 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libtls
 AM_CFLAGS = \
--DPLUGINS="\"${libstrongswan_plugins}\""
+-DPLUGINS="\"${scripts_plugins}\""
 
 bin2array_SOURCES = bin2array.c
 bin2sql_SOURCES = bin2sql.c
@@ -273,11 +294,13 @@ keyid2sql_SOURCES = keyid2sql.c
 thread_analysis_SOURCES = thread_analysis.c
 dh_speed_SOURCES = dh_speed.c
 pubkey_speed_SOURCES = pubkey_speed.c
+crypt_burn_SOURCES = crypt_burn.c
 id2sql_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 key2keyid_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 keyid2sql_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 dh_speed_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -lrt
 pubkey_speed_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -lrt
+crypt_burn_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 all: all-am
 
 .SUFFIXES:
@@ -327,6 +350,9 @@ bin2array$(EXEEXT): $(bin2array_OBJECTS) $(bin2array_DEPENDENCIES)
 bin2sql$(EXEEXT): $(bin2sql_OBJECTS) $(bin2sql_DEPENDENCIES) 
 	@rm -f bin2sql$(EXEEXT)
 	$(LINK) $(bin2sql_OBJECTS) $(bin2sql_LDADD) $(LIBS)
+crypt_burn$(EXEEXT): $(crypt_burn_OBJECTS) $(crypt_burn_DEPENDENCIES) 
+	@rm -f crypt_burn$(EXEEXT)
+	$(LINK) $(crypt_burn_OBJECTS) $(crypt_burn_LDADD) $(LIBS)
 dh_speed$(EXEEXT): $(dh_speed_OBJECTS) $(dh_speed_DEPENDENCIES) 
 	@rm -f dh_speed$(EXEEXT)
 	$(LINK) $(dh_speed_OBJECTS) $(dh_speed_LDADD) $(LIBS)
@@ -354,6 +380,7 @@ distclean-compile:
 
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bin2array.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bin2sql.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/crypt_burn.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/dh_speed.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/id2sql.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/key2keyid.Po@am__quote@
@@ -586,6 +613,11 @@ uninstall-am:
 	pdf pdf-am ps ps-am tags uninstall uninstall-am
 
 
+@USE_TLS_TRUE@	noinst_PROGRAMS += tls_test
+@USE_TLS_TRUE@	tls_test_SOURCES = tls_test.c
+@USE_TLS_TRUE@	tls_test_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la \
+@USE_TLS_TRUE@			$(top_builddir)/src/libtls/libtls.la
+
 key2keyid.o :	$(top_builddir)/config.status
 
 keyid2sql.o :	$(top_builddir)/config.status
diff --git a/scripts/crypt_burn.c b/scripts/crypt_burn.c
new file mode 100644
index 000000000..25f18d47e
--- /dev/null
+++ b/scripts/crypt_burn.c
@@ -0,0 +1,102 @@
+
+#include <stdio.h>
+#include <library.h>
+#include <crypto/proposal/proposal_keywords.h>
+
+int main(int argc, char *argv[])
+{
+	const proposal_token_t *token;
+	aead_t *aead;
+	crypter_t *crypter;
+	char buffer[1024], assoc[8], iv[32];
+	size_t bs;
+	int i = 0, limit = 0;
+
+
+	library_init(NULL);
+	lib->plugins->load(lib->plugins, NULL, PLUGINS);
+	atexit(library_deinit);
+
+	printf("loaded: %s\n", PLUGINS);
+
+	memset(buffer, 0x12, sizeof(buffer));
+	memset(assoc, 0x34, sizeof(assoc));
+	memset(iv, 0x56, sizeof(iv));
+
+	if (argc < 2)
+	{
+		fprintf(stderr, "usage: %s <algorithm>!\n", argv[0]);
+		return 1;
+	}
+	if (argc > 2)
+	{
+		limit = atoi(argv[2]);
+	}
+
+	token = proposal_get_token(argv[1], strlen(argv[1]));
+	if (!token)
+	{
+		fprintf(stderr, "algorithm '%s' unknown!\n", argv[1]);
+		return 1;
+	}
+	if (token->type != ENCRYPTION_ALGORITHM)
+	{
+		fprintf(stderr, "'%s' is not an encryption/aead algorithm!\n", argv[1]);
+		return 1;
+	}
+
+	if (encryption_algorithm_is_aead(token->algorithm))
+	{
+		aead = lib->crypto->create_aead(lib->crypto,
+										token->algorithm, token->keysize / 8);
+		if (!aead)
+		{
+			fprintf(stderr, "aead '%s' not supported!\n", argv[1]);
+			return 1;
+		}
+		while (TRUE)
+		{
+			aead->encrypt(aead,
+				chunk_create(buffer, sizeof(buffer) - aead->get_icv_size(aead)),
+				chunk_from_thing(assoc),
+				chunk_create(iv, aead->get_iv_size(aead)), NULL);
+			if (!aead->decrypt(aead, chunk_create(buffer, sizeof(buffer)),
+				chunk_from_thing(assoc),
+				chunk_create(iv, aead->get_iv_size(aead)), NULL))
+			{
+				fprintf(stderr, "aead integrity check failed!\n");
+				return FALSE;
+			}
+			if (limit && ++i == limit)
+			{
+				break;
+			}
+		}
+	}
+	else
+	{
+		crypter = lib->crypto->create_crypter(lib->crypto,
+										token->algorithm, token->keysize / 8);
+		if (!crypter)
+		{
+			fprintf(stderr, "crypter '%s' not supported!\n", argv[1]);
+			return 1;
+		}
+		bs = crypter->get_block_size(crypter);
+
+		while (i--)
+		{
+			crypter->encrypt(crypter,
+				chunk_create(buffer, sizeof(buffer) / bs * bs),
+				chunk_create(iv, crypter->get_iv_size(crypter)), NULL);
+			crypter->decrypt(crypter,
+				chunk_create(buffer, sizeof(buffer) / bs * bs),
+				chunk_create(iv, crypter->get_iv_size(crypter)), NULL);
+			if (limit && ++i == limit)
+			{
+				break;
+			}
+		}
+	}
+	return 0;
+}
diff --git a/scripts/key2keyid.c b/scripts/key2keyid.c
index 551d031c6..6a8301c6a 100644
--- a/scripts/key2keyid.c
+++ b/scripts/key2keyid.c
@@ -35,7 +35,7 @@ int main(int argc, char *argv[])
 	if (private)
 	{
 		printf("parsed %d bits %N private key.\n",
-			   private->get_keysize(private)*8,
+			   private->get_keysize(private),
 			   key_type_names, private->get_type(private));
 		if (private->get_fingerprint(private, KEYID_PUBKEY_INFO_SHA1, &chunk))
 		{
@@ -65,7 +65,7 @@ int main(int argc, char *argv[])
 	if (public)
 	{
 		printf("parsed %d bits %N public key.\n",
-			   public->get_keysize(public)*8,
+			   public->get_keysize(public),
 			   key_type_names, public->get_type(public));
 		if (public->get_fingerprint(public, KEYID_PUBKEY_INFO_SHA1, &chunk))
 		{
diff --git a/scripts/pubkey_speed.c b/scripts/pubkey_speed.c
index 255f650f5..6402e606d 100644
--- a/scripts/pubkey_speed.c
+++ b/scripts/pubkey_speed.c
@@ -79,23 +79,23 @@ int main(int argc, char *argv[])
 	{
 		switch (private->get_keysize(private))
 		{
-			case 32:
+			case 256:
 				scheme = SIGN_ECDSA_256;
 				break;
-			case 48:
+			case 384:
 				scheme = SIGN_ECDSA_384;
 				break;
-			case 66:
+			case 521:
 				scheme = SIGN_ECDSA_521;
 				break;
 			default:
 				printf("%d bit ECDSA private key size not supported",
-						private->get_keysize(private) * 8);
+						private->get_keysize(private));
 				exit(1);
 		}
 	}
 
-	printf("%4d bit %N: ", private->get_keysize(private)*8,
+	printf("%4d bit %N: ", private->get_keysize(private),
 		key_type_names, type);
 
 	sigs = malloc(sizeof(chunk_t) * rounds);
diff --git a/src/Makefile.am b/src/Makefile.am
index 8d4dd2e37..0edddc9fc 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -12,6 +12,10 @@ if USE_SIMAKA
   SUBDIRS += libsimaka
 endif
 
+if USE_TLS
+  SUBDIRS += libtls
+endif
+
 if USE_FILE_CONFIG
   SUBDIRS += libfreeswan starter ipsec _copyright
 endif
diff --git a/src/Makefile.in b/src/Makefile.in
index 0bd728397..cb688d795 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -36,17 +36,18 @@ host_triplet = @host@
 @USE_LIBSTRONGSWAN_TRUE@am__append_1 = libstrongswan
 @USE_LIBHYDRA_TRUE@am__append_2 = libhydra
 @USE_SIMAKA_TRUE@am__append_3 = libsimaka
-@USE_FILE_CONFIG_TRUE@am__append_4 = libfreeswan starter ipsec _copyright
-@USE_PLUTO_TRUE@am__append_5 = pluto whack
-@USE_CHARON_TRUE@am__append_6 = libcharon charon
-@USE_STROKE_TRUE@am__append_7 = stroke
-@USE_UPDOWN_TRUE@am__append_8 = _updown _updown_espmark
-@USE_TOOLS_TRUE@am__append_9 = libfreeswan openac scepclient pki
-@USE_DUMM_TRUE@am__append_10 = dumm
-@USE_FAST_TRUE@am__append_11 = libfast
-@USE_MANAGER_TRUE@am__append_12 = manager
-@USE_MEDSRV_TRUE@am__append_13 = medsrv
-@USE_INTEGRITY_TEST_TRUE@am__append_14 = checksum
+@USE_TLS_TRUE@am__append_4 = libtls
+@USE_FILE_CONFIG_TRUE@am__append_5 = libfreeswan starter ipsec _copyright
+@USE_PLUTO_TRUE@am__append_6 = pluto whack
+@USE_CHARON_TRUE@am__append_7 = libcharon charon
+@USE_STROKE_TRUE@am__append_8 = stroke
+@USE_UPDOWN_TRUE@am__append_9 = _updown _updown_espmark
+@USE_TOOLS_TRUE@am__append_10 = libfreeswan openac scepclient pki
+@USE_DUMM_TRUE@am__append_11 = dumm
+@USE_FAST_TRUE@am__append_12 = libfast
+@USE_MANAGER_TRUE@am__append_13 = manager
+@USE_MEDSRV_TRUE@am__append_14 = medsrv
+@USE_INTEGRITY_TEST_TRUE@am__append_15 = checksum
 subdir = src
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
@@ -57,6 +58,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -79,10 +81,10 @@ AM_RECURSIVE_TARGETS = $(RECURSIVE_TARGETS:-recursive=) \
 	distdir
 ETAGS = etags
 CTAGS = ctags
-DIST_SUBDIRS = . include libstrongswan libhydra libsimaka libfreeswan \
-	starter ipsec _copyright pluto whack libcharon charon stroke \
-	_updown _updown_espmark openac scepclient pki dumm libfast \
-	manager medsrv checksum
+DIST_SUBDIRS = . include libstrongswan libhydra libsimaka libtls \
+	libfreeswan starter ipsec _copyright pluto whack libcharon \
+	charon stroke _updown _updown_espmark openac scepclient pki \
+	dumm libfast manager medsrv checksum
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 am__relativize = \
   dir0=`pwd`; \
@@ -174,6 +176,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -205,14 +209,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -227,24 +234,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -252,7 +266,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
@@ -268,7 +285,7 @@ SUBDIRS = . include $(am__append_1) $(am__append_2) $(am__append_3) \
 	$(am__append_4) $(am__append_5) $(am__append_6) \
 	$(am__append_7) $(am__append_8) $(am__append_9) \
 	$(am__append_10) $(am__append_11) $(am__append_12) \
-	$(am__append_13) $(am__append_14)
+	$(am__append_13) $(am__append_14) $(am__append_15)
 EXTRA_DIST = strongswan.conf
 all: all-recursive
 
diff --git a/src/_copyright/Makefile.in b/src/_copyright/Makefile.in
index eb52fc52e..58ebb523c 100644
--- a/src/_copyright/Makefile.in
+++ b/src/_copyright/Makefile.in
@@ -46,6 +46,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -166,6 +167,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -197,14 +200,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -219,24 +225,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -244,7 +257,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/_copyright/_copyright.c b/src/_copyright/_copyright.c
index 9f0ad9785..072998345 100644
--- a/src/_copyright/_copyright.c
+++ b/src/_copyright/_copyright.c
@@ -20,7 +20,9 @@
 #include <string.h>
 #include <unistd.h>
 #include <getopt.h>
+
 #include <freeswan.h>
+#include <library.h>
 
 char usage[] = "Usage: ipsec _copyright";
 struct option opts[] = {
@@ -40,6 +42,9 @@ main(int argc, char *argv[])
 	const char **notice = ipsec_copyright_notice();
 	const char **co;
 
+	library_init(NULL);
+	atexit(library_deinit);
+
 	while ((opt = getopt_long(argc, argv, "", opts, NULL)) != EOF)
 		switch (opt) {
 		case 'h':	/* help */
diff --git a/src/_updown/Makefile.in b/src/_updown/Makefile.in
index 73ecf1abb..44c058d03 100644
--- a/src/_updown/Makefile.in
+++ b/src/_updown/Makefile.in
@@ -45,6 +45,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -145,6 +146,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -176,14 +179,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -198,24 +204,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -223,7 +236,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/_updown/_updown.in b/src/_updown/_updown.in
index 430a0cff6..2c742c010 100644
--- a/src/_updown/_updown.in
+++ b/src/_updown/_updown.in
@@ -124,7 +124,7 @@
 #       PLUTO_MARK_OUT
 #              is an optional XFRM mark set on the outbound IPsec SA
 #
-#       PLUTO_ESP_ENC
+#       PLUTO_UDP_ENC
 #              contains the remote UDP port in the case of ESP_IN_UDP
 #              encapsulation
 #
diff --git a/src/_updown_espmark/Makefile.in b/src/_updown_espmark/Makefile.in
index 10ea4312f..db44ee74e 100644
--- a/src/_updown_espmark/Makefile.in
+++ b/src/_updown_espmark/Makefile.in
@@ -45,6 +45,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -145,6 +146,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -176,14 +179,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -198,24 +204,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -223,7 +236,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/_updown_espmark/_updown_espmark b/src/_updown_espmark/_updown_espmark
index 42cd3607b..e078dc245 100644
--- a/src/_updown_espmark/_updown_espmark
+++ b/src/_updown_espmark/_updown_espmark
@@ -124,7 +124,7 @@
 #       PLUTO_MARK_OUT
 #              is an optional XFRM mark set on the outbound IPsec SA
 #
-#       PLUTO_ESP_ENC
+#       PLUTO_UDP_ENC
 #              contains the remote UDP port in the case of ESP_IN_UDP
 #              encapsulation
 #
diff --git a/src/charon/Makefile.in b/src/charon/Makefile.in
index 72abca97e..5a60af3d8 100644
--- a/src/charon/Makefile.in
+++ b/src/charon/Makefile.in
@@ -45,6 +45,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -144,6 +145,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -175,14 +178,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -197,24 +203,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -222,7 +235,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/charon/charon.c b/src/charon/charon.c
index 84cd54615..fd255e919 100644
--- a/src/charon/charon.c
+++ b/src/charon/charon.c
@@ -283,7 +283,7 @@ static void usage(const char *msg)
 					"         [--version]\n"
 					"         [--use-syslog]\n"
 					"         [--debug-<type> <level>]\n"
-					"           <type>:  log context type (dmn|mgr|ike|chd|job|cfg|knl|net|enc|lib)\n"
+					"           <type>:  log context type (dmn|mgr|ike|chd|job|cfg|knl|net|enc|tnc|tls|lib)\n"
 					"           <level>: log verbosity (-1 = silent, 0 = audit, 1 = control,\n"
 					"                                    2 = controlmore, 3 = raw, 4 = private)\n"
 					"\n"
@@ -355,6 +355,8 @@ int main(int argc, char *argv[])
 			{ "debug-knl", required_argument, &group, DBG_KNL },
 			{ "debug-net", required_argument, &group, DBG_NET },
 			{ "debug-enc", required_argument, &group, DBG_ENC },
+			{ "debug-tnc", required_argument, &group, DBG_TNC },
+			{ "debug-tls", required_argument, &group, DBG_TLS },
 			{ "debug-lib", required_argument, &group, DBG_LIB },
 			{ 0,0,0,0 }
 		};
diff --git a/src/checksum/Makefile.am b/src/checksum/Makefile.am
index ad2923799..3aded1d9e 100644
--- a/src/checksum/Makefile.am
+++ b/src/checksum/Makefile.am
@@ -14,13 +14,13 @@ checksum_builder_LDADD = \
 BUILT_SOURCES = checksum.c
 CLEANFILES = checksum.c
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = -rdynamic \
+	-DS_PLUGINS=\""${s_plugins}\"" -DS_PATH=\""${top_builddir}/src/libstrongswan/plugins\"" \
+	-DH_PLUGINS=\""${h_plugins}\"" -DH_PATH=\""${top_builddir}/src/libhydra/plugins\"" \
+	-DP_PLUGINS=\""${p_plugins}\"" -DP_PATH=\""${top_builddir}/src/pluto/plugins\"" \
+	-DC_PLUGINS=\""${c_plugins}\"" -DC_PATH=\""${top_builddir}/src/libcharon/plugins\""
 
-libs =	$(shell find $(top_builddir)/src/libstrongswan \
-			$(top_builddir)/src/libcharon \
-			$(top_builddir)/src/libhydra \
-			$(top_builddir)/src/pluto \
-			-name 'libstrongswan*.so')
+libs = $(top_builddir)/src/libstrongswan/.libs/libstrongswan.so
 
 if USE_LIBHYDRA
   libs += $(top_builddir)/src/libhydra/.libs/libhydra.so
diff --git a/src/checksum/Makefile.in b/src/checksum/Makefile.in
index 05e90a9a1..61bfc1a9d 100644
--- a/src/checksum/Makefile.in
+++ b/src/checksum/Makefile.in
@@ -55,6 +55,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -182,6 +183,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -213,14 +216,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -235,24 +241,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -260,7 +273,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
@@ -285,10 +301,13 @@ checksum_builder_LDADD = \
 BUILT_SOURCES = checksum.c
 CLEANFILES = checksum.c
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -rdynamic
-libs = $(shell find $(top_builddir)/src/libstrongswan \
-	$(top_builddir)/src/libcharon $(top_builddir)/src/libhydra \
-	$(top_builddir)/src/pluto -name 'libstrongswan*.so') \
+AM_CFLAGS = -rdynamic \
+	-DS_PLUGINS=\""${s_plugins}\"" -DS_PATH=\""${top_builddir}/src/libstrongswan/plugins\"" \
+	-DH_PLUGINS=\""${h_plugins}\"" -DH_PATH=\""${top_builddir}/src/libhydra/plugins\"" \
+	-DP_PLUGINS=\""${p_plugins}\"" -DP_PATH=\""${top_builddir}/src/pluto/plugins\"" \
+	-DC_PLUGINS=\""${c_plugins}\"" -DC_PATH=\""${top_builddir}/src/libcharon/plugins\""
+
+libs = $(top_builddir)/src/libstrongswan/.libs/libstrongswan.so \
 	$(am__append_1) $(am__append_2) $(am__append_3) \
 	$(am__append_4) $(am__append_5)
 all: $(BUILT_SOURCES)
diff --git a/src/checksum/checksum_builder.c b/src/checksum/checksum_builder.c
index 2db68054e..dc1de99c3 100644
--- a/src/checksum/checksum_builder.c
+++ b/src/checksum/checksum_builder.c
@@ -19,14 +19,113 @@
 #include <dlfcn.h>
 
 #include <library.h>
+#include <utils/enumerator.h>
 
 /* we need to fake the pluto symbol to dlopen() the xauth plugin */
 void *pluto;
 
+/**
+ * Integrity checker
+ */
+integrity_checker_t *integrity;
+
+/**
+ * Create the checksum of a binary, using name and a symbol name
+ */
+static void build_checksum(char *path, char *name, char *sname)
+{
+	void *handle, *symbol;
+	u_int32_t fsum, ssum;
+	size_t fsize = 0;
+	size_t ssize = 0;
+
+	fsum = integrity->build_file(integrity, path, &fsize);
+	ssum = 0;
+	if (sname)
+	{
+		handle = dlopen(path, RTLD_LAZY);
+		if (handle)
+		{
+			symbol = dlsym(handle, sname);
+			if (symbol)
+			{
+				ssum = integrity->build_segment(integrity, symbol, &ssize);
+			}
+			else
+			{
+				fprintf(stderr, "symbol lookup failed: %s\n", dlerror());
+			}
+			dlclose(handle);
+		}
+		else
+		{
+			fprintf(stderr, "dlopen failed: %s\n", dlerror());
+		}
+	}
+	printf("\t{\"%-20s%7u, 0x%08x, %6u, 0x%08x},\n",
+		   name, fsize, fsum, ssize, ssum);
+	fprintf(stderr, "\"%-20s%7u / 0x%08x       %6u / 0x%08x\n",
+			name, fsize, fsum, ssize, ssum);
+}
+
+/**
+ * Build checksums for a set of plugins in a given path prefix
+ */
+static void build_plugin_checksums(char *plugins, char *prefix)
+{
+	enumerator_t *enumerator;
+	char *plugin, path[256], under[128], sname[128], name[128];
+
+	enumerator = enumerator_create_token(plugins, " ", " ");
+	while (enumerator->enumerate(enumerator, &plugin))
+	{
+		snprintf(under, sizeof(under), "%s", plugin);
+		translate(under, "-", "_");
+		snprintf(path, sizeof(path), "%s/%s/.libs/libstrongswan-%s.so",
+				 prefix, under, plugin);
+		snprintf(sname, sizeof(sname), "%s_plugin_create", under);
+		snprintf(name, sizeof(name), "%s\",", plugin);
+		build_checksum(path, name, sname);
+	}
+	enumerator->destroy(enumerator);
+}
+
+/**
+ * Build checksums for a binary/library found at path
+ */
+static void build_binary_checksum(char *path)
+{
+	char *binary, *pos, name[128], sname[128];
+
+	binary = strrchr(path, '/');
+	if (binary)
+	{
+		binary++;
+		pos = strrchr(binary, '.');
+		if (pos && streq(pos, ".so"))
+		{
+			snprintf(name, sizeof(name), "%.*s\",", pos - binary, binary);
+			if (streq(name, "libstrongswan\","))
+			{
+				snprintf(sname, sizeof(sname), "%s", "library_init");
+			}
+			else
+			{
+				snprintf(sname, sizeof(sname), "%.*s_init", pos - binary, binary);
+			}
+			build_checksum(path, name, sname);
+		}
+		else
+		{
+			snprintf(name, sizeof(name), "%s\",", binary);
+			build_checksum(path, name, NULL);
+		}
+	}
+}
+
 int main(int argc, char* argv[])
 {
 	int i;
-	integrity_checker_t *integrity;
 
 	/* avoid confusing leak reports in build process */
 	setenv("LEAK_DETECTIVE_DISABLE", "1", 0);
@@ -47,105 +146,13 @@ int main(int argc, char* argv[])
 	fprintf(stderr, "module name,       file size / checksum   segment size / checksum\n");
 	for (i = 1; i < argc; i++)
 	{
-		char *name, *path, *sname = NULL;
-		void *handle, *symbol;
-		u_int32_t fsum, ssum;
-		size_t fsize = 0;
-		size_t ssize = 0;
-
-		path = argv[i];
-
-		if ((name = strstr(path, "libstrongswan-")))
-		{
-			name = strdup(name + strlen("libstrongswan-"));
-			name[strlen(name) - 3] = '"';
-			name[strlen(name) - 2] = ',';
-			name[strlen(name) - 1] = '\0';
-			if (asprintf(&sname, "%.*s_plugin_create", strlen(name) - 2,
-						 name) < 0)
-			{
-				fprintf(stderr, "failed to format plugin constructor "
-						"for '%s', ignored", path);
-				free(name);
-				continue;
-			}
-			translate(sname, "-", "_");
-		}
-		else if (strstr(path, "libstrongswan.so"))
-		{
-			name = strdup("libstrongswan\",");
-			sname = strdup("library_init");
-		}
-		else if (strstr(path, "libhydra.so"))
-		{
-			name = strdup("libhydra\",");
-			sname = strdup("libhydra_init");
-		}
-		else if (strstr(path, "libcharon.so"))
-		{
-			name = strdup("libcharon\",");
-			sname = strdup("libcharon_init");
-		}
-		else if (strstr(path, "pool"))
-		{
-			name = strdup("pool\",");
-		}
-		else if (strstr(path, "charon"))
-		{
-			name = strdup("charon\",");
-		}
-		else if (strstr(path, "pluto"))
-		{
-			name = strdup("pluto\",");
-		}
-		else if (strstr(path, "openac"))
-		{
-			name = strdup("openac\",");
-		}
-		else if (strstr(path, "scepclient"))
-		{
-			name = strdup("scepclient\",");
-		}
-		else if (strstr(path, "pki"))
-		{
-			name = strdup("pki\",");
-		}
-		else
-		{
-			fprintf(stderr, "don't know how to handle '%s', ignored", path);
-			continue;
-		}
-
-		fsum = integrity->build_file(integrity, path, &fsize);
-		ssum = 0;
-		if (sname)
-		{
-			handle = dlopen(path, RTLD_LAZY);
-			if (handle)
-			{
-				symbol = dlsym(handle, sname);
-				if (symbol)
-				{
-					ssum = integrity->build_segment(integrity, symbol, &ssize);
-				}
-				else
-				{
-					fprintf(stderr, "symbol lookup failed: %s\n", dlerror());
-				}
-				dlclose(handle);
-			}
-			else
-			{
-				fprintf(stderr, "dlopen failed: %s\n", dlerror());
-			}
-		}
-		printf("\t{\"%-20s%7u, 0x%08x, %6u, 0x%08x},\n",
-			   name, fsize, fsum, ssize, ssum);
-		fprintf(stderr, "\"%-20s%7u / 0x%08x       %6u / 0x%08x\n",
-				name, fsize, fsum, ssize, ssum);
-		free(sname);
-		free(name);
+		build_binary_checksum(argv[i]);
 	}
+	build_plugin_checksums(S_PLUGINS, S_PATH);
+	build_plugin_checksums(H_PLUGINS, H_PATH);
+	build_plugin_checksums(P_PLUGINS, P_PATH);
+	build_plugin_checksums(C_PLUGINS, C_PATH);
+
 	printf("};\n");
 	printf("\n");
 	printf("int checksum_count = countof(checksums);\n");
diff --git a/src/dumm/Makefile.in b/src/dumm/Makefile.in
index 37751b856..7c22f5ec5 100644
--- a/src/dumm/Makefile.in
+++ b/src/dumm/Makefile.in
@@ -46,6 +46,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -171,6 +172,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -202,14 +205,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -224,24 +230,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -249,7 +262,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/dumm/cowfs.c b/src/dumm/cowfs.c
index 70767890b..b92be53e0 100644
--- a/src/dumm/cowfs.c
+++ b/src/dumm/cowfs.c
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2009 Tobias Brunner
  * Copyright (C) 2007 Martin Willi
  * Hochschule fuer Technik Rapperswil
  * Copyright (C) 2001-2007 Miklos Szeredi
@@ -35,6 +36,8 @@
 #include <library.h>
 #include <debug.h>
 #include <threading/thread.h>
+#include <threading/rwlock.h>
+#include <utils/linked_list.h>
 
 /** define _XOPEN_SOURCE 500 fails when using libstrongswan, define popen */
 extern ssize_t pread(int fd, void *buf, size_t count, off_t offset);
@@ -55,18 +58,66 @@ struct private_cowfs_t {
 	char *master;
 	/** host filesystem path */
 	char *host;
-	/** overlay filesystem path */
-	char *over;
+	/** overlay filesystems */
+	linked_list_t *overlays;
+	/** lock for overlays */
+	rwlock_t *lock;
 	/** fd of read only master filesystem */
 	int master_fd;
 	/** copy on write overlay to master */
 	int host_fd;
-	/** optional COW overlay */
-	int over_fd;
 	/** thread processing FUSE */
 	thread_t *thread;
 };
 
+typedef struct overlay_t overlay_t;
+
+/**
+ * data for overlay filesystems
+ */
+struct overlay_t {
+	/** path to overlay */
+	char *path;
+	/** overlay fd */
+	int fd;
+};
+
+/**
+ * destroy an overlay
+ */
+static void overlay_destroy(overlay_t *this)
+{
+	close(this->fd);
+	free(this->path);
+	free(this);
+}
+
+/**
+ * compare two overlays by path
+ */
+static bool overlay_equals(overlay_t *this, overlay_t *other)
+{
+	return streq(this->path, other->path);
+}
+
+/**
+ * remove and destroy the overlay with the given absolute path.
+ * returns FALSE, if not found.
+ */
+static bool overlay_remove(private_cowfs_t *this, char *path)
+{
+	overlay_t over, *current;
+	over.path = path;
+	if (this->overlays->find_first(this->overlays,
+			(linked_list_match_t)overlay_equals, (void**)&current, &over) != SUCCESS)
+	{
+		return FALSE;
+	}
+	this->overlays->remove(this->overlays, current, NULL);
+	overlay_destroy(current);
+	return TRUE;
+}
+
 /**
  * get this pointer stored in fuse context
  */
@@ -95,12 +146,25 @@ static void rel(const char **path)
  */
 static int get_rd(const char *path)
 {
+	overlay_t *over;
+	enumerator_t *enumerator;
 	private_cowfs_t *this = get_this();
 
-	if (this->over_fd > 0 && faccessat(this->over_fd, path, F_OK, 0) == 0)
+	this->lock->read_lock(this->lock);
+	enumerator = this->overlays->create_enumerator(this->overlays);
+	while (enumerator->enumerate(enumerator, (void**)&over))
 	{
-		return this->over_fd;
+		if (faccessat(over->fd, path, F_OK, 0) == 0)
+		{
+			int fd = over->fd;
+			enumerator->destroy(enumerator);
+			this->lock->unlock(this->lock);
+			return fd;
+		}
 	}
+	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
+
 	if (faccessat(this->host_fd, path, F_OK, 0) == 0)
 	{
 		return this->host_fd;
@@ -113,12 +177,16 @@ static int get_rd(const char *path)
  */
 static int get_wr(const char *path)
 {
+	overlay_t *over;
 	private_cowfs_t *this = get_this();
-	if (this->over_fd > 0)
+	int fd = this->host_fd;
+	this->lock->read_lock(this->lock);
+	if (this->overlays->get_first(this->overlays, (void**)&over) == SUCCESS)
 	{
-		return this->over_fd;
+		fd = over->fd;
 	}
-	return this->host_fd;
+	this->lock->unlock(this->lock);
+	return fd;
 }
 
 /**
@@ -287,17 +355,29 @@ static DIR* get_dir(char *dir, const char *subdir)
  */
 static bool contains_dir(DIR *d, char *dirname)
 {
-	if (d)
+	struct dirent *ent;
+
+	rewinddir(d);
+	while ((ent = readdir(d)))
 	{
-		struct dirent *ent;
+		if (streq(ent->d_name, dirname))
+		{
+			return TRUE;
+		}
+	}
+	return FALSE;
+}
 
-		rewinddir(d);
-		while ((ent = readdir(d)))
+/**
+ * check if one of the higher overlays contains a directory
+ */
+static bool overlays_contain_dir(DIR **d, char *dirname)
+{
+	for (; *d; ++d)
+	{
+		if (contains_dir(*d, dirname))
 		{
-			if (streq(ent->d_name, dirname))
-			{
-				return TRUE;
-			}
+			return TRUE;
 		}
 	}
 	return FALSE;
@@ -309,56 +389,54 @@ static bool contains_dir(DIR *d, char *dirname)
 static int cowfs_readdir(const char *path, void *buf, fuse_fill_dir_t filler,
 						 off_t offset, struct fuse_file_info *fi)
 {
+#define ADD_DIR(overlay, base, path) ({\
+	DIR *dir = get_dir(base, path);\
+	if (dir) { *(--overlay) = dir; }\
+})
 	private_cowfs_t *this = get_this();
-	DIR *d1, *d2, *d3;
+	int count;
+	DIR **d, **overlays;
 	struct stat st;
 	struct dirent *ent;
+	overlay_t *over;
+	enumerator_t *enumerator;
 
 	memset(&st, 0, sizeof(st));
 
-	d1 = get_dir(this->master, path);
-	d2 = get_dir(this->host, path);
-	d3 = get_dir(this->over, path);
+	this->lock->read_lock(this->lock);
+	/* create a null-terminated array of DIR objects for all overlays (including
+	 * the master and host layer). the order is from bottom to top */
+	count = this->overlays->get_count(this->overlays) + 2;
+	overlays = calloc(count + 1, sizeof(DIR*));
+	d = &overlays[count];
 
-	if (d1)
+	enumerator = this->overlays->create_enumerator(this->overlays);
+	while (enumerator->enumerate(enumerator, (void**)&over))
 	{
-		while ((ent = readdir(d1)))
-		{
-			if (!contains_dir(d2, ent->d_name) &&
-				!contains_dir(d3, ent->d_name))
-			{
-				st.st_ino = ent->d_ino;
-				st.st_mode = ent->d_type << 12;
-				filler(buf, ent->d_name, &st, 0);
-			}
-		}
-		closedir(d1);
+		ADD_DIR(d, over->path, path);
 	}
-	if (d2)
+	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
+
+	ADD_DIR(d, this->host, path);
+	ADD_DIR(d, this->master, path);
+
+	for (; *d; ++d)
 	{
-		rewinddir(d2);
-		while ((ent = readdir(d2)))
+		rewinddir(*d);
+		while((ent = readdir(*d)))
 		{
-			if (!contains_dir(d3, ent->d_name))
+			if (!overlays_contain_dir(d + 1, ent->d_name))
 			{
 				st.st_ino = ent->d_ino;
 				st.st_mode = ent->d_type << 12;
 				filler(buf, ent->d_name, &st, 0);
 			}
 		}
-		closedir(d2);
-	}
-	if (d3)
-	{
-		rewinddir(d3);
-		while ((ent = readdir(d3)))
-		{
-			st.st_ino = ent->d_ino;
-			st.st_mode = ent->d_type << 12;
-			filler(buf, ent->d_name, &st, 0);
-		}
-		closedir(d3);
+		closedir(*d);
 	}
+
+	free(overlays);
 	return 0;
 }
 
@@ -758,30 +836,53 @@ static struct fuse_operations cowfs_operations = {
 };
 
 /**
- * Implementation of cowfs_t.set_overlay.
+ * Implementation of cowfs_t.add_overlay.
  */
-static bool set_overlay(private_cowfs_t *this, char *path)
+static bool add_overlay(private_cowfs_t *this, char *path)
 {
-	if (this->over)
-	{
-		free(this->over);
-		this->over = NULL;
-	}
-	if (this->over_fd > 0)
-	{
-		close(this->over_fd);
-		this->over_fd = -1;
-	}
-	if (path)
+	overlay_t *over = malloc_thing(overlay_t);
+	over->fd = open(path, O_RDONLY | O_DIRECTORY);
+	if (over->fd < 0)
+	{
+		DBG1(DBG_LIB, "failed to open overlay directory '%s': %m", path);
+		free(over);
+		return FALSE;
+	}
+	over->path = realpath(path, NULL);
+	this->lock->write_lock(this->lock);
+	overlay_remove(this, over->path);
+	this->overlays->insert_first(this->overlays, over);
+	this->lock->unlock(this->lock);
+	return TRUE;
+}
+
+/**
+ * Implementation of cowfs_t.del_overlay.
+ */
+static bool del_overlay(private_cowfs_t *this, char *path)
+{
+	bool removed;
+	char real[PATH_MAX];
+	this->lock->write_lock(this->lock);
+	removed = overlay_remove(this, realpath(path, real));
+	this->lock->unlock(this->lock);
+	return removed;
+}
+
+/**
+ * Implementation of cowfs_t.pop_overlay.
+ */
+static bool pop_overlay(private_cowfs_t *this)
+{
+	overlay_t *over;
+	this->lock->write_lock(this->lock);
+	if (this->overlays->remove_first(this->overlays, (void**)&over) != SUCCESS)
 	{
-		this->over_fd = open(path, O_RDONLY | O_DIRECTORY);
-		if (this->over_fd < 0)
-		{
-			DBG1(DBG_LIB, "failed to open overlay directory '%s': %m", path);
-			return FALSE;
-		}
-		this->over = strdup(path);
+		this->lock->unlock(this->lock);
+		return FALSE;
 	}
+	this->lock->unlock(this->lock);
+	overlay_destroy(over);
 	return TRUE;
 }
 
@@ -794,16 +895,13 @@ static void destroy(private_cowfs_t *this)
 	fuse_unmount(this->mount, this->chan);
 	this->thread->join(this->thread);
 	fuse_destroy(this->fuse);
+	this->lock->destroy(this->lock);
+	this->overlays->destroy_function(this->overlays, (void*)overlay_destroy);
 	free(this->mount);
 	free(this->master);
 	free(this->host);
-	free(this->over);
 	close(this->master_fd);
 	close(this->host_fd);
-	if (this->over_fd > 0)
-	{
-		close(this->over_fd);
-	}
 	free(this);
 }
 
@@ -815,7 +913,9 @@ cowfs_t *cowfs_create(char *master, char *host, char *mount)
 	struct fuse_args args = {0, NULL, 0};
 	private_cowfs_t *this = malloc_thing(private_cowfs_t);
 
-	this->public.set_overlay = (bool(*)(cowfs_t*, char *path))set_overlay;
+	this->public.add_overlay = (bool(*)(cowfs_t*, char *path))add_overlay;
+	this->public.del_overlay = (bool(*)(cowfs_t*, char *path))del_overlay;
+	this->public.pop_overlay = (bool(*)(cowfs_t*))pop_overlay;
 	this->public.destroy = (void(*)(cowfs_t*))destroy;
 
 	this->master_fd = open(master, O_RDONLY | O_DIRECTORY);
@@ -833,7 +933,6 @@ cowfs_t *cowfs_create(char *master, char *host, char *mount)
 		free(this);
 		return NULL;
 	}
-	this->over_fd = -1;
 
 	this->chan = fuse_mount(mount, &args);
 	if (this->chan == NULL)
@@ -860,13 +959,16 @@ cowfs_t *cowfs_create(char *master, char *host, char *mount)
 	this->mount = strdup(mount);
 	this->master = strdup(master);
 	this->host = strdup(host);
-	this->over = NULL;
+	this->overlays = linked_list_create();
+	this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
 
 	this->thread = thread_create((thread_main_t)fuse_loop, this->fuse);
 	if (!this->thread)
 	{
 		DBG1(DBG_LIB, "creating thread to handle FUSE failed");
 		fuse_unmount(mount, this->chan);
+		this->lock->destroy(this->lock);
+		this->overlays->destroy(this->overlays);
 		free(this->mount);
 		free(this->master);
 		free(this->host);
diff --git a/src/dumm/cowfs.h b/src/dumm/cowfs.h
index d430597a8..b9334dc96 100644
--- a/src/dumm/cowfs.h
+++ b/src/dumm/cowfs.h
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2009 Tobias Brunner
  * Copyright (C) 2007 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -27,12 +28,29 @@ typedef struct cowfs_t cowfs_t;
 struct cowfs_t {
 
 	/**
-	 * Set an additional copy on write overlay.
+	 * Adds an additional copy on write overlay.
+	 *
+	 * If the path was already added as overlay, it is moved to the top.
+	 *
+	 * @param path		path of the overlay
+	 * @return			FALSE, if failed
+	 */
+	bool (*add_overlay)(cowfs_t *this, char *path);
+
+	/**
+	 * Remove the specified copy on write overlay.
 	 *
 	 * @param path		path of the overlay
-	 * @return 			FALSE if failed
+	 * @return			FALSE, if not found
+	 */
+	bool (*del_overlay)(cowfs_t *this, char *path);
+
+	/**
+	 * Remove the most recently added copy on write overlay.
+	 *
+	 * @return			FALSE, if no overlay was found
 	 */
-	bool (*set_overlay)(cowfs_t *this, char *path);
+	bool (*pop_overlay)(cowfs_t *this);
 
 	/**
 	 * Stop, umount and destroy a cowfs FUSE filesystem.
diff --git a/src/dumm/dumm.c b/src/dumm/dumm.c
index 7ec340089..8cd413519 100644
--- a/src/dumm/dumm.c
+++ b/src/dumm/dumm.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2008-2009 Tobias Brunner
  * Copyright (C) 2007 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -128,51 +128,145 @@ static void delete_bridge(private_dumm_t *this, bridge_t *bridge)
 }
 
 /**
- * disable the currently enabled template
+ * Implementation of dumm_t.add_overlay.
  */
-static void clear_template(private_dumm_t *this)
+static bool add_overlay(private_dumm_t *this, char *dir)
 {
 	enumerator_t *enumerator;
 	guest_t *guest;
 
-	free(this->template);
-	this->template = NULL;
+	if (dir == NULL)
+	{
+		return TRUE;
+	}
+	if (strlen(dir) > PATH_MAX)
+	{
+		DBG1(DBG_LIB, "overlay directory string '%s' is too long", dir);
+		return FALSE;
+	}
+	if (access(dir, F_OK) != 0)
+	{
+		if (!mkdir_p(dir, PERME))
+		{
+			DBG1(DBG_LIB, "creating overlay directory '%s' failed: %m", dir);
+			return FALSE;
+		}
+	}
+	enumerator = this->guests->create_enumerator(this->guests);
+	while (enumerator->enumerate(enumerator, (void**)&guest))
+	{
+		char guest_dir[PATH_MAX];
+		int len = snprintf(guest_dir, sizeof(guest_dir), "%s/%s", dir,
+						   guest->get_name(guest));
+		if (len < 0 || len >= sizeof(guest_dir))
+		{
+			goto error;
+		}
+		if (access(guest_dir, F_OK) != 0)
+		{
+			if (!mkdir_p(guest_dir, PERME))
+			{
+				DBG1(DBG_LIB, "creating overlay directory for guest '%s' failed: %m",
+					 guest->get_name(guest));
+				goto error;
+			}
+		}
+		if (!guest->add_overlay(guest, guest_dir))
+		{
+			goto error;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return TRUE;
+error:
+	enumerator->destroy(enumerator);
+	this->public.del_overlay(&this->public, dir);
+	return FALSE;
+}
+
+/**
+ * Implementation of dumm_t.del_overlay.
+ */
+static bool del_overlay(private_dumm_t *this, char *dir)
+{
+	bool ret = FALSE;
+	enumerator_t *enumerator;
+	guest_t *guest;
 
 	enumerator = this->guests->create_enumerator(this->guests);
 	while (enumerator->enumerate(enumerator, (void**)&guest))
 	{
-		guest->load_template(guest, NULL);
+		char guest_dir[PATH_MAX];
+		int len = snprintf(guest_dir, sizeof(guest_dir), "%s/%s", dir,
+						   guest->get_name(guest));
+		if (len < 0 || len >= sizeof(guest_dir))
+		{
+			continue;
+		}
+		ret = guest->del_overlay(guest, guest_dir) || ret;
 	}
 	enumerator->destroy(enumerator);
+	return ret;
 }
 
 /**
- * Implementation of dumm_t.load_template.
+ * Implementation of dumm_t.pop_overlay.
  */
-static bool load_template(private_dumm_t *this, char *dir)
+static bool pop_overlay(private_dumm_t *this)
 {
+	bool ret = FALSE;
 	enumerator_t *enumerator;
 	guest_t *guest;
 
-	clear_template(this);
+	enumerator = this->guests->create_enumerator(this->guests);
+	while (enumerator->enumerate(enumerator, (void**)&guest))
+	{
+		ret = guest->pop_overlay(guest) || ret;
+	}
+	enumerator->destroy(enumerator);
+	return ret;
+}
 
-	if (dir == NULL)
+/**
+ * disable the currently enabled template
+ */
+static void clear_template(private_dumm_t *this)
+{
+	if (this->template)
+	{
+		del_overlay(this, this->template);
+		free(this->template);
+		this->template = NULL;
+	}
+}
+
+/**
+ * Implementation of dumm_t.load_template.
+ */
+static bool load_template(private_dumm_t *this, char *name)
+{
+	clear_template(this);
+	if (name == NULL)
 	{
 		return TRUE;
 	}
-	if (strlen(dir) > PATH_MAX)
+	if (strlen(name) > PATH_MAX)
 	{
-		DBG1(DBG_LIB, "template directory string '%s' is too long", dir);
+		DBG1(DBG_LIB, "template name '%s' is too long", name);
 		return FALSE;
 	}
-
-	if (asprintf(&this->template, "%s/%s", TEMPLATE_DIR, dir) < 0)
+	if (strchr(name, '/') != NULL)
+	{
+		DBG1(DBG_LIB, "template name '%s' must not contain '/' characters", name);
+		return FALSE;
+	}
+	if (asprintf(&this->template, "%s/%s", TEMPLATE_DIR, name) < 0)
 	{
 		this->template = NULL;
 		return FALSE;
 	}
 	if (access(this->template, F_OK) != 0)
-	{	/* does not exist, create template */
+	{
 		if (!mkdir_p(this->template, PERME))
 		{
 			DBG1(DBG_LIB, "creating template directory '%s' failed: %m",
@@ -180,18 +274,7 @@ static bool load_template(private_dumm_t *this, char *dir)
 			return FALSE;
 		}
 	}
-	enumerator = this->guests->create_enumerator(this->guests);
-	while (enumerator->enumerate(enumerator, (void**)&guest))
-	{
-		if (!guest->load_template(guest, this->template))
-		{
-			enumerator->destroy(enumerator);
-			clear_template(this);
-			return FALSE;
-		}
-	}
-	enumerator->destroy(enumerator);
-	return TRUE;
+	return add_overlay(this, this->template);
 }
 
 /**
@@ -205,7 +288,7 @@ typedef struct {
 } template_enumerator_t;
 
 /**
- * Implementation of template_enumerator_t.enumerate
+ * Implementation of template_enumerator_t.enumerate.
  */
 static bool template_enumerate(template_enumerator_t *this, char **template)
 {
@@ -224,7 +307,7 @@ static bool template_enumerate(template_enumerator_t *this, char **template)
 }
 
 /**
- * Implementation of template_enumerator_t.destroy
+ * Implementation of template_enumerator_t.destroy.
  */
 static void template_enumerator_destroy(template_enumerator_t *this)
 {
@@ -233,22 +316,25 @@ static void template_enumerator_destroy(template_enumerator_t *this)
 }
 
 /**
- * Implementation of dumm_t.create_template_enumerator
+ * Implementation of dumm_t.create_template_enumerator.
  */
 static enumerator_t* create_template_enumerator(private_dumm_t *this)
 {
 	template_enumerator_t *enumerator;
-
 	enumerator = malloc_thing(template_enumerator_t);
 	enumerator->public.enumerate = (void*)template_enumerate;
 	enumerator->public.destroy = (void*)template_enumerator_destroy;
 	enumerator->inner = enumerator_create_directory(TEMPLATE_DIR);
-
+	if (!enumerator->inner)
+	{
+		free(enumerator);
+		return enumerator_create_empty();
+	}
 	return &enumerator->public;
 }
 
 /**
- * Implementation of dumm_t.destroy
+ * Implementation of dumm_t.destroy.
  */
 static void destroy(private_dumm_t *this)
 {
@@ -324,7 +410,10 @@ dumm_t *dumm_create(char *dir)
 	this->public.create_bridge = (bridge_t*(*)(dumm_t*, char *name))create_bridge;
 	this->public.create_bridge_enumerator = (enumerator_t*(*)(dumm_t*))create_bridge_enumerator;
 	this->public.delete_bridge = (void(*)(dumm_t*,bridge_t*))delete_bridge;
-	this->public.load_template = (bool(*)(dumm_t*, char *name))load_template;
+	this->public.add_overlay = (bool(*)(dumm_t*,char*))add_overlay;
+	this->public.del_overlay = (bool(*)(dumm_t*,char*))del_overlay;
+	this->public.pop_overlay = (bool(*)(dumm_t*))pop_overlay;
+	this->public.load_template = (bool(*)(dumm_t*,char*))load_template;
 	this->public.create_template_enumerator = (enumerator_t*(*)(dumm_t*))create_template_enumerator;
 	this->public.destroy = (void(*)(dumm_t*))destroy;
 
diff --git a/src/dumm/dumm.h b/src/dumm/dumm.h
index 54c3fbc03..4bd20808c 100644
--- a/src/dumm/dumm.h
+++ b/src/dumm/dumm.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2008-2009 Tobias Brunner
  * Copyright (C) 2007 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -82,13 +82,48 @@ struct dumm_t {
 	 */
 	void (*delete_bridge) (dumm_t *this, bridge_t *bridge);
 
+	/**
+	 * Add an overlay to all guests.
+	 *
+	 * Directories named after the guests are created, if they do not exist
+	 * in the given overlay directory.
+	 *
+	 * If adding the overlay on at lest one guest fails, FALSE is returned and
+	 * the overlay is again removed from all guests.
+	 *
+	 * @param dir		dir to the overlay
+	 * @return			FALSE, on failure
+	 */
+	bool (*add_overlay)(dumm_t *this, char *dir);
+
+	/**
+	 * Removes an overlay from all guests.
+	 *
+	 * @param dir		dir to the overlay
+	 * @return			FALSE, if the overlay was not found on any guest
+	 */
+	bool (*del_overlay)(dumm_t *this, char *dir);
+
+	/**
+	 * Remove the latest overlay from all guests.
+	 *
+	 * @return			FALSE, if no overlay was found on any guest
+	 */
+	bool (*pop_overlay)(dumm_t *this);
+
 	/**
 	 * Loads a template, create a new one if it does not exist.
 	 *
-	 * @param name		dir to the template, NULL to close
+	 * This is basically a wrapper around add/del_overlay to simplify working
+	 * with overlays. Templates are located in a predefined directory, so that
+	 * only a name for the template has to be specified here. Only one template
+	 * can be loaded at any one time (but other overlays can be added on top or
+	 * below a template).
+	 *
+	 * @param name		name of the template to load, NULL to unload
 	 * @return			FALSE if load/create failed
 	 */
-	bool (*load_template)(dumm_t *this, char *dir);
+	bool (*load_template)(dumm_t *this, char *name);
 
 	/**
 	 * Create an enumerator over all available templates.
diff --git a/src/dumm/ext/dumm.c b/src/dumm/ext/dumm.c
index 230e8ae68..a9c7cb8bd 100644
--- a/src/dumm/ext/dumm.c
+++ b/src/dumm/ext/dumm.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2008-2010 Tobias Brunner
  * Copyright (C) 2008 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -85,82 +85,108 @@ static void sigchld_handler(int signal, siginfo_t *info, void* ptr)
 	enumerator->destroy(enumerator);
 }
 
+
 /**
- * Guest bindings
+ * Global Dumm bindings
  */
-static VALUE guest_find(VALUE class, VALUE key)
+static VALUE dumm_add_overlay(VALUE class, VALUE dir)
 {
-	enumerator_t *enumerator;
-	guest_t *guest, *found = NULL;
-
-	if (TYPE(key) == T_SYMBOL)
+	if (!dumm->add_overlay(dumm, StringValuePtr(dir)))
 	{
-		key = rb_convert_type(key, T_STRING, "String", "to_s");
+		rb_raise(rb_eRuntimeError, "loading overlay failed");
 	}
+	return class;
+}
+
+static VALUE dumm_del_overlay(VALUE class, VALUE dir)
+{
+	return dumm->del_overlay(dumm, StringValuePtr(dir)) ? Qtrue : Qfalse;
+}
+
+static VALUE dumm_pop_overlay(VALUE class)
+{
+	return dumm->pop_overlay(dumm) ? Qtrue : Qfalse;
+}
+
+static void dumm_init()
+{
+	rbm_dumm = rb_define_module("Dumm");
+
+	rb_define_module_function(rbm_dumm, "add_overlay", dumm_add_overlay, 1);
+	rb_define_module_function(rbm_dumm, "del_overlay", dumm_del_overlay, 1);
+	rb_define_module_function(rbm_dumm, "pop_overlay", dumm_pop_overlay, 0);
+}
+
+/**
+ * Guest bindings
+ */
+static VALUE guest_hash_create(VALUE class)
+{
+	enumerator_t *enumerator;
+	guest_t *guest;
+	VALUE hash = rb_hash_new();
 	enumerator = dumm->create_guest_enumerator(dumm);
 	while (enumerator->enumerate(enumerator, &guest))
 	{
-		if (streq(guest->get_name(guest), StringValuePtr(key)))
-		{
-			found = guest;
-			break;
-		}
+		rb_hash_aset(hash, rb_str_new2(guest->get_name(guest)),
+					 Data_Wrap_Struct(class, NULL, NULL, guest));
 	}
 	enumerator->destroy(enumerator);
-	if (!found)
+	return hash;
+}
+
+static VALUE guest_hash(VALUE class)
+{
+	ID id = rb_intern("@@guests");
+	if (!rb_cvar_defined(class, id))
 	{
-		return Qnil;
+		VALUE hash = guest_hash_create(class);
+		rb_cvar_set(class, id, hash, 0);
+		return hash;
 	}
-	return Data_Wrap_Struct(class, NULL, NULL, found);
+	return rb_cvar_get(class, id);
 }
 
-static VALUE guest_get(VALUE class, VALUE key)
+static VALUE guest_find(VALUE class, VALUE key)
 {
-	VALUE guest = guest_find(class, key);
-	if (NIL_P(guest))
+	if (TYPE(key) != T_STRING)
 	{
-		rb_raise(rb_eRuntimeError, "guest not found");
+		key = rb_convert_type(key, T_STRING, "String", "to_s");
 	}
-	return guest;
+	return rb_hash_aref(guest_hash(class), key);
 }
 
-static VALUE guest_each(int argc, VALUE *argv, VALUE class)
+static VALUE guest_get(VALUE class, VALUE key)
 {
-	linked_list_t *list;
-	enumerator_t *enumerator;
-	guest_t *guest;
+	return guest_find(class, key);
+}
 
+static VALUE guest_each(int argc, VALUE *argv, VALUE class)
+{
 	if (!rb_block_given_p())
 	{
 		rb_raise(rb_eArgError, "must be called with a block");
 	}
-	list = linked_list_create();
-	enumerator = dumm->create_guest_enumerator(dumm);
-	while (enumerator->enumerate(enumerator, &guest))
-	{
-		list->insert_last(list, guest);
-	}
-	enumerator->destroy(enumerator);
-	while (list->remove_first(list, (void**)&guest) == SUCCESS)
-	{
-		rb_yield(Data_Wrap_Struct(class, NULL, NULL, guest));
-	}
-	list->destroy(list);
+	rb_block_call(guest_hash(class), rb_intern("each_value"), 0, 0,
+				  rb_yield, 0);
 	return class;
 }
 
 static VALUE guest_new(VALUE class, VALUE name, VALUE kernel,
 					   VALUE master, VALUE args)
 {
+	VALUE self;
 	guest_t *guest;
-
-	guest = dumm->create_guest(dumm, StringValuePtr(name), StringValuePtr(kernel),
-							   StringValuePtr(master), StringValuePtr(args));
+	guest = dumm->create_guest(dumm, StringValuePtr(name),
+							   StringValuePtr(kernel), StringValuePtr(master),
+							   StringValuePtr(args));
 	if (!guest)
 	{
 		rb_raise(rb_eRuntimeError, "creating guest failed");
 	}
-	return Data_Wrap_Struct(class, NULL, NULL, guest);
+	self = Data_Wrap_Struct(class, NULL, NULL, guest);
+	rb_hash_aset(guest_hash(class), name, self);
+	return self;
 }
 
 static VALUE guest_to_s(VALUE self)
@@ -214,11 +240,9 @@ static VALUE guest_exec(VALUE self, VALUE cmd)
 
 	block = rb_block_given_p();
 	Data_Get_Struct(self, guest_t, guest);
-	if ((ret = guest->exec_str(guest, block ? (void*)exec_cb : NULL, TRUE, NULL,
-					"exec %s", StringValuePtr(cmd))) != 0)
-	{
-		rb_raise(rb_eRuntimeError, "executing command failed (%d)", ret);
-	}
+	ret = guest->exec_str(guest, block ? (void*)exec_cb : NULL, TRUE, NULL,
+						  "exec %s", StringValuePtr(cmd));
+	rb_iv_set(self, "@execstatus", INT2NUM(ret));
 	return self;
 }
 
@@ -330,6 +354,34 @@ static VALUE guest_delete(VALUE self)
 	return Qnil;
 }
 
+static VALUE guest_add_overlay(VALUE self, VALUE dir)
+{
+	guest_t *guest;
+
+	Data_Get_Struct(self, guest_t, guest);
+	if (!guest->add_overlay(guest, StringValuePtr(dir)))
+	{
+		rb_raise(rb_eRuntimeError, "loading overlay failed");
+	}
+	return self;
+}
+
+static VALUE guest_del_overlay(VALUE self, VALUE dir)
+{
+	guest_t *guest;
+
+	Data_Get_Struct(self, guest_t, guest);
+	return guest->del_overlay(guest, StringValuePtr(dir)) ? Qtrue : Qfalse;
+}
+
+static VALUE guest_pop_overlay(VALUE self)
+{
+	guest_t *guest;
+
+	Data_Get_Struct(self, guest_t, guest);
+	return guest->pop_overlay(guest) ? Qtrue : Qfalse;
+}
+
 static void guest_init()
 {
 	rbc_guest = rb_define_class_under(rbm_dumm , "Guest", rb_cObject);
@@ -354,6 +406,11 @@ static void guest_init()
 	rb_define_method(rbc_guest, "include?", guest_find_iface, 1);
 	rb_define_method(rbc_guest, "iface?", guest_find_iface, 1);
 	rb_define_method(rbc_guest, "delete", guest_delete, 0);
+	rb_define_method(rbc_guest, "add_overlay", guest_add_overlay, 1);
+	rb_define_method(rbc_guest, "del_overlay", guest_del_overlay, 1);
+	rb_define_method(rbc_guest, "pop_overlay", guest_pop_overlay, 0);
+
+	rb_define_attr(rbc_guest, "execstatus", 1, 0);
 }
 
 /**
@@ -711,8 +768,7 @@ void Init_dumm()
 
 	dumm = dumm_create(NULL);
 
-	rbm_dumm = rb_define_module("Dumm");
-
+	dumm_init();
 	guest_init();
 	bridge_init();
 	iface_init();
diff --git a/src/dumm/ext/lib/dumm.rb b/src/dumm/ext/lib/dumm.rb
index 25939e9f4..bb60aad8f 100644
--- a/src/dumm/ext/lib/dumm.rb
+++ b/src/dumm/ext/lib/dumm.rb
@@ -1,5 +1,5 @@
 =begin
-  Copyright (C) 2008 Tobias Brunner
+  Copyright (C) 2008-2009 Tobias Brunner
   Hochschule fuer Technik Rapperswil
 
   This program is free software; you can redistribute it and/or modify it
@@ -38,11 +38,11 @@ module Dumm
     end
   end
   
-  # unload templates, reset all guests and delete bridges
+  # unload template/overlays, reset all guests and delete bridges
   def reset
     Template.unload
     Guest.each { |guest|
-      guest.reset if guest.running?
+      guest.reset
     }
     Bridge.each { |bridge|
       bridge.delete
diff --git a/src/dumm/ext/lib/dumm/guest.rb b/src/dumm/ext/lib/dumm/guest.rb
index 936f512dd..7488f1358 100644
--- a/src/dumm/ext/lib/dumm/guest.rb
+++ b/src/dumm/ext/lib/dumm/guest.rb
@@ -1,5 +1,5 @@
 =begin
-  Copyright (C) 2008 Tobias Brunner
+  Copyright (C) 2008-2010 Tobias Brunner
   Hochschule fuer Technik Rapperswil
 
   This program is free software; you can redistribute it and/or modify it
@@ -23,7 +23,7 @@ module Dumm
       end
       Guest[id]
     end
-    
+
     # accessor for interfaces
     # e.g. guest.eth0 instead of guest["eth0"]
     def method_missing(id, *args)
@@ -32,24 +32,21 @@ module Dumm
       end
       self[id]
     end
-    
-    # delete all interfaces
+
+    # remove all overlays, delete all interfaces
     def reset
+      while pop_overlay; end
       each {|i|
         i.delete
       }
     end
-    
+
     # has the guest booted up?
     def booted?
-      begin
-        exec("pgrep getty")
-      rescue
-        return false
-      end
-      return true
+      exec("pgrep getty")
+      execstatus == 0
     end
-    
+
     # wait until the guest has booted
     def boot
       while not booted?
diff --git a/src/dumm/guest.c b/src/dumm/guest.c
index ebd87769a..36d048dcf 100644
--- a/src/dumm/guest.c
+++ b/src/dumm/guest.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2008-2009 Tobias Brunner
  * Copyright (C) 2007 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -297,37 +297,42 @@ static bool start(private_guest_t *this, invoke_function_t invoke, void* data,
 }
 
 /**
- * Implementation of guest_t.load_template.
+ * Implementation of guest_t.add_overlay.
  */
-static bool load_template(private_guest_t *this, char *path)
+static bool add_overlay(private_guest_t *this, char *path)
 {
-	char dir[PATH_MAX];
-	size_t len;
-
 	if (path == NULL)
-	{
-		return this->cowfs->set_overlay(this->cowfs, NULL);
-	}
-
-	len = snprintf(dir, sizeof(dir), "%s/%s", path, this->name);
-	if (len < 0 || len >= sizeof(dir))
 	{
 		return FALSE;
 	}
-	if (access(dir, F_OK) != 0)
+
+	if (access(path, F_OK) != 0)
 	{
-		if (!mkdir_p(dir, PERME))
+		if (!mkdir_p(path, PERME))
 		{
 			DBG1(DBG_LIB, "creating overlay for guest '%s' failed: %m",
 				 this->name);
 			return FALSE;
 		}
 	}
-	if (!this->cowfs->set_overlay(this->cowfs, dir))
-	{
-		return FALSE;
-	}
-	return TRUE;
+
+	return this->cowfs->add_overlay(this->cowfs, path);
+}
+
+/**
+ * Implementation of guest_t.del_overlay.
+ */
+static bool del_overlay(private_guest_t *this, char *path)
+{
+	return this->cowfs->del_overlay(this->cowfs, path);
+}
+
+/**
+ * Implementation of guest_t.pop_overlay.
+ */
+static bool pop_overlay(private_guest_t *this)
+{
+	return this->cowfs->pop_overlay(this->cowfs);
 }
 
 /**
@@ -567,7 +572,9 @@ static private_guest_t *guest_create_generic(char *parent, char *name,
 	this->public.create_iface_enumerator = (enumerator_t*(*)(guest_t*))create_iface_enumerator;
 	this->public.start = (void*)start;
 	this->public.stop = (void*)stop;
-	this->public.load_template = (bool(*)(guest_t*, char *path))load_template;
+	this->public.add_overlay = (bool(*)(guest_t*,char*))add_overlay;
+	this->public.del_overlay = (bool(*)(guest_t*,char*))del_overlay;
+	this->public.pop_overlay = (bool(*)(guest_t*))pop_overlay;
 	this->public.exec = (int(*)(guest_t*, void(*cb)(void*,char*,size_t),void*,char*,...))exec;
 	this->public.exec_str = (int(*)(guest_t*, void(*cb)(void*,char*),bool,void*,char*,...))exec_str;
 	this->public.sigchild = (void(*)(guest_t*))sigchild;
diff --git a/src/dumm/guest.h b/src/dumm/guest.h
index 5f812f8eb..789f2310e 100644
--- a/src/dumm/guest.h
+++ b/src/dumm/guest.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2008-2009 Tobias Brunner
  * Copyright (C) 2007 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -134,12 +134,27 @@ struct guest_t {
 	enumerator_t* (*create_iface_enumerator)(guest_t *this);
 
 	/**
-	 * Set the template COWFS overlay to use.
+	 * Adds a COWFS overlay. The directory is created if it does not exist.
 	 *
-	 * @param parent	parent directory where template diff should point to
-	 * @return			FALSE if failed
+	 * @param dir		directory where overlay diff should point to
+	 * @return			FALSE, if failed
 	 */
-	bool (*load_template)(guest_t *this, char *parent);
+	bool (*add_overlay)(guest_t *this, char *dir);
+
+	/**
+	 * Removes the specified COWFS overlay.
+	 *
+	 * @param dir		directory where overlay diff points to
+	 * @return			FALSE, if no found
+	 */
+	bool (*del_overlay)(guest_t *this, char *dir);
+
+	/**
+	 * Removes the latest COWFS overlay.
+	 *
+	 * @return			FALSE, if no overlay was found
+	 */
+	bool (*pop_overlay)(guest_t *this);
 
 	/**
 	 * Execute a command on the guests mconsole.
diff --git a/src/include/Makefile.in b/src/include/Makefile.in
index c47e6e451..498fb17f1 100644
--- a/src/include/Makefile.in
+++ b/src/include/Makefile.in
@@ -43,6 +43,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -117,6 +118,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -148,14 +151,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -170,24 +176,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -195,7 +208,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/ipsec/Makefile.in b/src/ipsec/Makefile.in
index 2b4b14b49..276d9f36d 100644
--- a/src/ipsec/Makefile.in
+++ b/src/ipsec/Makefile.in
@@ -45,6 +45,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -145,6 +146,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -176,14 +179,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -198,24 +204,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -223,7 +236,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/ipsec/ipsec.8 b/src/ipsec/ipsec.8
index 150fefc12..f995119aa 100644
--- a/src/ipsec/ipsec.8
+++ b/src/ipsec/ipsec.8
@@ -1,4 +1,4 @@
-.TH IPSEC 8 "2010-05-30" "4.4.1rc3" "strongSwan"
+.TH IPSEC 8 "2010-05-30" "4.5.0rc1" "strongSwan"
 .SH NAME
 ipsec \- invoke IPsec utilities
 .SH SYNOPSIS
diff --git a/src/libcharon/Android.mk b/src/libcharon/Android.mk
index 3297654e9..21a2b8ee6 100644
--- a/src/libcharon/Android.mk
+++ b/src/libcharon/Android.mk
@@ -40,16 +40,12 @@ encoding/payloads/transform_substructure.c encoding/payloads/transform_substruct
 encoding/payloads/ts_payload.c encoding/payloads/ts_payload.h \
 encoding/payloads/unknown_payload.c encoding/payloads/unknown_payload.h \
 encoding/payloads/vendor_id_payload.c encoding/payloads/vendor_id_payload.h \
-kernel/kernel_interface.c kernel/kernel_interface.h \
-kernel/kernel_ipsec.c kernel/kernel_ipsec.h \
-kernel/kernel_net.h \
+kernel/kernel_handler.c kernel/kernel_handler.h \
 network/packet.c network/packet.h \
 network/receiver.c network/receiver.h \
 network/sender.c network/sender.h \
 network/socket_manager.c network/socket_manager.h network/socket.h \
-processing/jobs/job.h \
 processing/jobs/acquire_job.c processing/jobs/acquire_job.h \
-processing/jobs/callback_job.c processing/jobs/callback_job.h \
 processing/jobs/delete_child_sa_job.c processing/jobs/delete_child_sa_job.h \
 processing/jobs/delete_ike_sa_job.c processing/jobs/delete_ike_sa_job.h \
 processing/jobs/migrate_job.c processing/jobs/migrate_job.h \
@@ -62,8 +58,6 @@ processing/jobs/send_keepalive_job.c processing/jobs/send_keepalive_job.h \
 processing/jobs/roam_job.c processing/jobs/roam_job.h \
 processing/jobs/update_sa_job.c processing/jobs/update_sa_job.h \
 processing/jobs/inactivity_job.c processing/jobs/inactivity_job.h \
-processing/scheduler.c processing/scheduler.h \
-processing/processor.c processing/processor.h  \
 sa/authenticators/authenticator.c sa/authenticators/authenticator.h \
 sa/authenticators/eap_authenticator.c sa/authenticators/eap_authenticator.h \
 sa/authenticators/eap/eap_method.c sa/authenticators/eap/eap_method.h \
@@ -94,7 +88,9 @@ sa/tasks/ike_rekey.c sa/tasks/ike_rekey.h \
 sa/tasks/ike_reauth.c sa/tasks/ike_reauth.h \
 sa/tasks/ike_auth_lifetime.c sa/tasks/ike_auth_lifetime.h \
 sa/tasks/ike_vendor.c sa/tasks/ike_vendor.h \
-sa/tasks/task.c sa/tasks/task.h
+sa/tasks/task.c sa/tasks/task.h \
+tnccs/tnccs.c tnccs/tnccs.h \
+tnccs/tnccs_manager.h tnccs/tnccs_manager.c
 
 # adding the plugin source files
 
@@ -141,10 +137,6 @@ LOCAL_SRC_FILES += $(addprefix ../libsimaka/, \
 	)
 endif
 
-LOCAL_SRC_FILES += $(call add_plugin, kernel-netlink)
-
-LOCAL_SRC_FILES += $(call add_plugin, kernel-pfkey)
-
 LOCAL_SRC_FILES += $(call add_plugin, load-tester)
 
 LOCAL_SRC_FILES += $(call add_plugin, socket-default)
diff --git a/src/libcharon/Makefile.am b/src/libcharon/Makefile.am
index 44501c0d0..2b7646327 100644
--- a/src/libcharon/Makefile.am
+++ b/src/libcharon/Makefile.am
@@ -38,16 +38,12 @@ encoding/payloads/transform_substructure.c encoding/payloads/transform_substruct
 encoding/payloads/ts_payload.c encoding/payloads/ts_payload.h \
 encoding/payloads/unknown_payload.c encoding/payloads/unknown_payload.h \
 encoding/payloads/vendor_id_payload.c encoding/payloads/vendor_id_payload.h \
-kernel/kernel_interface.c kernel/kernel_interface.h \
-kernel/kernel_ipsec.c kernel/kernel_ipsec.h \
-kernel/kernel_net.h \
+kernel/kernel_handler.c kernel/kernel_handler.h \
 network/packet.c network/packet.h \
 network/receiver.c network/receiver.h \
 network/sender.c network/sender.h \
 network/socket_manager.c network/socket_manager.h network/socket.h \
-processing/jobs/job.h \
 processing/jobs/acquire_job.c processing/jobs/acquire_job.h \
-processing/jobs/callback_job.c processing/jobs/callback_job.h \
 processing/jobs/delete_child_sa_job.c processing/jobs/delete_child_sa_job.h \
 processing/jobs/delete_ike_sa_job.c processing/jobs/delete_ike_sa_job.h \
 processing/jobs/migrate_job.c processing/jobs/migrate_job.h \
@@ -60,8 +56,6 @@ processing/jobs/send_keepalive_job.c processing/jobs/send_keepalive_job.h \
 processing/jobs/roam_job.c processing/jobs/roam_job.h \
 processing/jobs/update_sa_job.c processing/jobs/update_sa_job.h \
 processing/jobs/inactivity_job.c processing/jobs/inactivity_job.h \
-processing/scheduler.c processing/scheduler.h \
-processing/processor.c processing/processor.h  \
 sa/authenticators/authenticator.c sa/authenticators/authenticator.h \
 sa/authenticators/eap_authenticator.c sa/authenticators/eap_authenticator.h \
 sa/authenticators/eap/eap_method.c sa/authenticators/eap/eap_method.h \
@@ -92,7 +86,9 @@ sa/tasks/ike_rekey.c sa/tasks/ike_rekey.h \
 sa/tasks/ike_reauth.c sa/tasks/ike_reauth.h \
 sa/tasks/ike_auth_lifetime.c sa/tasks/ike_auth_lifetime.h \
 sa/tasks/ike_vendor.c sa/tasks/ike_vendor.h \
-sa/tasks/task.c sa/tasks/task.h
+sa/tasks/task.c sa/tasks/task.h \
+tnccs/tnccs.c tnccs/tnccs.h \
+tnccs/tnccs_manager.h tnccs/tnccs_manager.c
 
 daemon.lo :		$(top_builddir)/config.status
 
@@ -104,7 +100,8 @@ INCLUDES = \
 
 AM_CFLAGS = \
 	-DIPSEC_DIR=\"${ipsecdir}\" \
-	-DIPSEC_PIDDIR=\"${piddir}\"
+	-DIPSEC_PIDDIR=\"${piddir}\" \
+	-DPLUGINS=\""${libcharon_plugins}\""
 
 libcharon_la_LIBADD = -lm $(PTHREADLIB) $(DLLIB) $(SOCKLIB)
 
@@ -135,51 +132,15 @@ else
 SUBDIRS = .
 endif
 
-PLUGINS = ${libstrongswan_plugins} ${libhydra_plugins}
-
 if USE_LOAD_TESTER
   SUBDIRS += plugins/load_tester
-  PLUGINS += load-tester
 if MONOLITHIC
   libcharon_la_LIBADD += plugins/load_tester/libstrongswan-load-tester.la
 endif
 endif
 
-if USE_KERNEL_PFKEY
-  SUBDIRS += plugins/kernel_pfkey
-  PLUGINS += kernel-pfkey
-if MONOLITHIC
-  libcharon_la_LIBADD += plugins/kernel_pfkey/libstrongswan-kernel-pfkey.la
-endif
-endif
-
-if USE_KERNEL_PFROUTE
-  SUBDIRS += plugins/kernel_pfroute
-  PLUGINS += kernel-pfroute
-if MONOLITHIC
-  libcharon_la_LIBADD += plugins/kernel_pfroute/libstrongswan-kernel-pfroute.la
-endif
-endif
-
-if USE_KERNEL_KLIPS
-  SUBDIRS += plugins/kernel_klips
-  PLUGINS += kernel-klips
-if MONOLITHIC
-  libcharon_la_LIBADD += plugins/kernel_klips/libstrongswan-kernel-klips.la
-endif
-endif
-
-if USE_KERNEL_NETLINK
-  SUBDIRS += plugins/kernel_netlink
-  PLUGINS += kernel-netlink
-if MONOLITHIC
-  libcharon_la_LIBADD += plugins/kernel_netlink/libstrongswan-kernel-netlink.la
-endif
-endif
-
 if USE_SOCKET_DEFAULT
   SUBDIRS += plugins/socket_default
-  PLUGINS += socket-default
 if MONOLITHIC
   libcharon_la_LIBADD += plugins/socket_default/libstrongswan-socket-default.la
 endif
@@ -187,7 +148,6 @@ endif
 
 if USE_SOCKET_RAW
   SUBDIRS += plugins/socket_raw
-  PLUGINS += socket-raw
 if MONOLITHIC
   libcharon_la_LIBADD += plugins/socket_raw/libstrongswan-socket-raw.la
 endif
@@ -195,7 +155,6 @@ endif
 
 if USE_SOCKET_DYNAMIC
   SUBDIRS += plugins/socket_dynamic
-  PLUGINS += socket-dynamic
 if MONOLITHIC
   libcharon_la_LIBADD += plugins/socket_dynamic/libstrongswan-socket-dynamic.la
 endif
@@ -203,7 +162,6 @@ endif
 
 if USE_FARP
   SUBDIRS += plugins/farp
-  PLUGINS += farp
 if MONOLITHIC
   libcharon_la_LIBADD += plugins/farp/libstrongswan-farp.la
 endif
@@ -211,7 +169,6 @@ endif
 
 if USE_STROKE
   SUBDIRS += plugins/stroke
-  PLUGINS += stroke
 if MONOLITHIC
   libcharon_la_LIBADD += plugins/stroke/libstrongswan-stroke.la
 endif
@@ -219,7 +176,6 @@ endif
 
 if USE_SMP
   SUBDIRS += plugins/smp
-  PLUGINS += smp
 if MONOLITHIC
   libcharon_la_LIBADD += plugins/smp/libstrongswan-smp.la
 endif
@@ -227,7 +183,6 @@ endif
 
 if USE_SQL
   SUBDIRS += plugins/sql
-  PLUGINS += sql
 if MONOLITHIC
   libcharon_la_LIBADD += plugins/sql/libstrongswan-sql.la
 endif
@@ -235,7 +190,6 @@ endif
 
 if USE_UPDOWN
   SUBDIRS += plugins/updown
-  PLUGINS += updown
 if MONOLITHIC
   libcharon_la_LIBADD += plugins/updown/libstrongswan-updown.la
 endif
@@ -243,7 +197,6 @@ endif
 
 if USE_EAP_IDENTITY
   SUBDIRS += plugins/eap_identity
-  PLUGINS += eap-identity
 if MONOLITHIC
   libcharon_la_LIBADD += plugins/eap_identity/libstrongswan-eap-identity.la
 endif
@@ -251,7 +204,6 @@ endif
 
 if USE_EAP_SIM
   SUBDIRS += plugins/eap_sim
-  PLUGINS += eap-sim
 if MONOLITHIC
   libcharon_la_LIBADD += plugins/eap_sim/libstrongswan-eap-sim.la
 endif
@@ -259,7 +211,6 @@ endif
 
 if USE_EAP_SIM_FILE
   SUBDIRS += plugins/eap_sim_file
-  PLUGINS += eap-sim-file
 if MONOLITHIC
   libcharon_la_LIBADD += plugins/eap_sim_file/libstrongswan-eap-sim-file.la
 endif
@@ -267,7 +218,6 @@ endif
 
 if USE_EAP_SIMAKA_SQL
   SUBDIRS += plugins/eap_simaka_sql
-  PLUGINS += eap-simaka-sql
 if MONOLITHIC
   libcharon_la_LIBADD += plugins/eap_simaka_sql/libstrongswan-eap-simaka-sql.la
 endif
@@ -275,7 +225,6 @@ endif
 
 if USE_EAP_SIMAKA_PSEUDONYM
   SUBDIRS += plugins/eap_simaka_pseudonym
-  PLUGINS += eap-simaka-pseudonym
 if MONOLITHIC
   libcharon_la_LIBADD += plugins/eap_simaka_pseudonym/libstrongswan-eap-simaka-pseudonym.la
 endif
@@ -283,7 +232,6 @@ endif
 
 if USE_EAP_SIMAKA_REAUTH
   SUBDIRS += plugins/eap_simaka_reauth
-  PLUGINS += eap-simaka-reauth
 if MONOLITHIC
   libcharon_la_LIBADD += plugins/eap_simaka_reauth/libstrongswan-eap-simaka-reauth.la
 endif
@@ -291,7 +239,6 @@ endif
 
 if USE_EAP_AKA
   SUBDIRS += plugins/eap_aka
-  PLUGINS += eap-aka
 if MONOLITHIC
   libcharon_la_LIBADD += plugins/eap_aka/libstrongswan-eap-aka.la
 endif
@@ -299,7 +246,6 @@ endif
 
 if USE_EAP_AKA_3GPP2
   SUBDIRS += plugins/eap_aka_3gpp2
-  PLUGINS += eap-aka-3gpp2
 if MONOLITHIC
   libcharon_la_LIBADD += plugins/eap_aka_3gpp2/libstrongswan-eap-aka-3gpp2.la
 endif
@@ -314,7 +260,6 @@ endif
 
 if USE_EAP_MD5
   SUBDIRS += plugins/eap_md5
-  PLUGINS += eap-md5
 if MONOLITHIC
   libcharon_la_LIBADD += plugins/eap_md5/libstrongswan-eap-md5.la
 endif
@@ -322,7 +267,6 @@ endif
 
 if USE_EAP_GTC
   SUBDIRS += plugins/eap_gtc
-  PLUGINS += eap-gtc
 if MONOLITHIC
   libcharon_la_LIBADD += plugins/eap_gtc/libstrongswan-eap-gtc.la
 endif
@@ -330,7 +274,6 @@ endif
 
 if USE_EAP_MSCHAPV2
   SUBDIRS += plugins/eap_mschapv2
-  PLUGINS += eap-mschapv2
 if MONOLITHIC
   libcharon_la_LIBADD += plugins/eap_mschapv2/libstrongswan-eap-mschapv2.la
 endif
@@ -338,15 +281,69 @@ endif
 
 if USE_EAP_RADIUS
   SUBDIRS += plugins/eap_radius
-  PLUGINS += eap-radius
 if MONOLITHIC
   libcharon_la_LIBADD += plugins/eap_radius/libstrongswan-eap-radius.la
 endif
 endif
 
+if USE_EAP_TLS
+  SUBDIRS += plugins/eap_tls
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/eap_tls/libstrongswan-eap-tls.la
+endif
+endif
+
+if USE_EAP_TTLS
+  SUBDIRS += plugins/eap_ttls
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/eap_ttls/libstrongswan-eap-ttls.la
+endif
+endif
+
+if USE_EAP_TNC
+  SUBDIRS += plugins/eap_tnc
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/eap_tnc/libstrongswan-eap-tnc.la
+endif
+endif
+
+if USE_TLS
+if MONOLITHIC
+  # otherwise this library is linked to eap_tls
+  libcharon_la_LIBADD += $(top_builddir)/src/libtls/libtls.la
+endif
+endif
+
+if USE_TNC_IMC
+  SUBDIRS += plugins/tnc_imc
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/tnc_imc/libstrongswan-tnc_imc.la
+endif
+endif
+
+if USE_TNC_IMV
+  SUBDIRS += plugins/tnc_imv
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/tnc_imv/libstrongswan-tnc_imv.la
+endif
+endif
+
+if USE_TNCCS_11
+  SUBDIRS += plugins/tnccs_11
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/tnccs_11/libstrongswan-tnccs-11.la
+endif
+endif
+
+if USE_TNCCS_20
+  SUBDIRS += plugins/tnccs_20
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/tnccs_20/libstrongswan-tnccs-20.la
+endif
+endif
+
 if USE_MEDSRV
   SUBDIRS += plugins/medsrv
-  PLUGINS += medsrv
 if MONOLITHIC
   libcharon_la_LIBADD += plugins/medsrv/libstrongswan-medsrv.la
 endif
@@ -354,7 +351,6 @@ endif
 
 if USE_MEDCLI
   SUBDIRS += plugins/medcli
-  PLUGINS += medcli
 if MONOLITHIC
   libcharon_la_LIBADD += plugins/medcli/libstrongswan-medcli.la
 endif
@@ -362,7 +358,6 @@ endif
 
 if USE_NM
   SUBDIRS += plugins/nm
-  PLUGINS += nm
 if MONOLITHIC
   libcharon_la_LIBADD += plugins/nm/libstrongswan-nm.la
 endif
@@ -370,7 +365,6 @@ endif
 
 if USE_DHCP
   SUBDIRS += plugins/dhcp
-  PLUGINS += dhcp
 if MONOLITHIC
   libcharon_la_LIBADD += plugins/dhcp/libstrongswan-dhcp.la
 endif
@@ -378,23 +372,34 @@ endif
 
 if USE_ANDROID
   SUBDIRS += plugins/android
-  PLUGINS += android
 if MONOLITHIC
   libcharon_la_LIBADD += plugins/android/libstrongswan-android.la
 endif
 endif
 
+if USE_MAEMO
+  SUBDIRS += plugins/maemo
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/maemo/libstrongswan-maemo.la
+endif
+endif
+
 if USE_HA
   SUBDIRS += plugins/ha
-  PLUGINS += ha
 if MONOLITHIC
   libcharon_la_LIBADD += plugins/ha/libstrongswan-ha.la
 endif
 endif
 
+if USE_LED
+  SUBDIRS += plugins/led
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/led/libstrongswan-led.la
+endif
+endif
+
 if USE_UCI
   SUBDIRS += plugins/uci
-  PLUGINS += uci
 if MONOLITHIC
   libcharon_la_LIBADD += plugins/uci/libstrongswan-uci.la
 endif
@@ -402,7 +407,6 @@ endif
 
 if USE_ADDRBLOCK
   SUBDIRS += plugins/addrblock
-  PLUGINS += addrblock
 if MONOLITHIC
   libcharon_la_LIBADD += plugins/uci/libstrongswan-addrblock.la
 endif
@@ -410,11 +414,8 @@ endif
 
 if USE_UNIT_TESTS
   SUBDIRS += plugins/unit_tester
-  PLUGINS += unit-tester
 if MONOLITHIC
   libcharon_la_LIBADD += plugins/unit_tester/libstrongswan-unit-tester.la
 endif
 endif
 
-AM_CFLAGS += -DPLUGINS=\""${PLUGINS}\""
-
diff --git a/src/libcharon/Makefile.in b/src/libcharon/Makefile.in
index 8e58b0e2e..8a7a99ddd 100644
--- a/src/libcharon/Makefile.in
+++ b/src/libcharon/Makefile.in
@@ -46,108 +46,85 @@ host_triplet = @host@
 
 @USE_LIBCAP_TRUE@am__append_2 = -lcap
 @USE_LOAD_TESTER_TRUE@am__append_3 = plugins/load_tester
-@USE_LOAD_TESTER_TRUE@am__append_4 = load-tester
-@MONOLITHIC_TRUE@@USE_LOAD_TESTER_TRUE@am__append_5 = plugins/load_tester/libstrongswan-load-tester.la
-@USE_KERNEL_PFKEY_TRUE@am__append_6 = plugins/kernel_pfkey
-@USE_KERNEL_PFKEY_TRUE@am__append_7 = kernel-pfkey
-@MONOLITHIC_TRUE@@USE_KERNEL_PFKEY_TRUE@am__append_8 = plugins/kernel_pfkey/libstrongswan-kernel-pfkey.la
-@USE_KERNEL_PFROUTE_TRUE@am__append_9 = plugins/kernel_pfroute
-@USE_KERNEL_PFROUTE_TRUE@am__append_10 = kernel-pfroute
-@MONOLITHIC_TRUE@@USE_KERNEL_PFROUTE_TRUE@am__append_11 = plugins/kernel_pfroute/libstrongswan-kernel-pfroute.la
-@USE_KERNEL_KLIPS_TRUE@am__append_12 = plugins/kernel_klips
-@USE_KERNEL_KLIPS_TRUE@am__append_13 = kernel-klips
-@MONOLITHIC_TRUE@@USE_KERNEL_KLIPS_TRUE@am__append_14 = plugins/kernel_klips/libstrongswan-kernel-klips.la
-@USE_KERNEL_NETLINK_TRUE@am__append_15 = plugins/kernel_netlink
-@USE_KERNEL_NETLINK_TRUE@am__append_16 = kernel-netlink
-@MONOLITHIC_TRUE@@USE_KERNEL_NETLINK_TRUE@am__append_17 = plugins/kernel_netlink/libstrongswan-kernel-netlink.la
-@USE_SOCKET_DEFAULT_TRUE@am__append_18 = plugins/socket_default
-@USE_SOCKET_DEFAULT_TRUE@am__append_19 = socket-default
-@MONOLITHIC_TRUE@@USE_SOCKET_DEFAULT_TRUE@am__append_20 = plugins/socket_default/libstrongswan-socket-default.la
-@USE_SOCKET_RAW_TRUE@am__append_21 = plugins/socket_raw
-@USE_SOCKET_RAW_TRUE@am__append_22 = socket-raw
-@MONOLITHIC_TRUE@@USE_SOCKET_RAW_TRUE@am__append_23 = plugins/socket_raw/libstrongswan-socket-raw.la
-@USE_SOCKET_DYNAMIC_TRUE@am__append_24 = plugins/socket_dynamic
-@USE_SOCKET_DYNAMIC_TRUE@am__append_25 = socket-dynamic
-@MONOLITHIC_TRUE@@USE_SOCKET_DYNAMIC_TRUE@am__append_26 = plugins/socket_dynamic/libstrongswan-socket-dynamic.la
-@USE_FARP_TRUE@am__append_27 = plugins/farp
-@USE_FARP_TRUE@am__append_28 = farp
-@MONOLITHIC_TRUE@@USE_FARP_TRUE@am__append_29 = plugins/farp/libstrongswan-farp.la
-@USE_STROKE_TRUE@am__append_30 = plugins/stroke
-@USE_STROKE_TRUE@am__append_31 = stroke
-@MONOLITHIC_TRUE@@USE_STROKE_TRUE@am__append_32 = plugins/stroke/libstrongswan-stroke.la
-@USE_SMP_TRUE@am__append_33 = plugins/smp
-@USE_SMP_TRUE@am__append_34 = smp
-@MONOLITHIC_TRUE@@USE_SMP_TRUE@am__append_35 = plugins/smp/libstrongswan-smp.la
-@USE_SQL_TRUE@am__append_36 = plugins/sql
-@USE_SQL_TRUE@am__append_37 = sql
-@MONOLITHIC_TRUE@@USE_SQL_TRUE@am__append_38 = plugins/sql/libstrongswan-sql.la
-@USE_UPDOWN_TRUE@am__append_39 = plugins/updown
-@USE_UPDOWN_TRUE@am__append_40 = updown
-@MONOLITHIC_TRUE@@USE_UPDOWN_TRUE@am__append_41 = plugins/updown/libstrongswan-updown.la
-@USE_EAP_IDENTITY_TRUE@am__append_42 = plugins/eap_identity
-@USE_EAP_IDENTITY_TRUE@am__append_43 = eap-identity
-@MONOLITHIC_TRUE@@USE_EAP_IDENTITY_TRUE@am__append_44 = plugins/eap_identity/libstrongswan-eap-identity.la
-@USE_EAP_SIM_TRUE@am__append_45 = plugins/eap_sim
-@USE_EAP_SIM_TRUE@am__append_46 = eap-sim
-@MONOLITHIC_TRUE@@USE_EAP_SIM_TRUE@am__append_47 = plugins/eap_sim/libstrongswan-eap-sim.la
-@USE_EAP_SIM_FILE_TRUE@am__append_48 = plugins/eap_sim_file
-@USE_EAP_SIM_FILE_TRUE@am__append_49 = eap-sim-file
-@MONOLITHIC_TRUE@@USE_EAP_SIM_FILE_TRUE@am__append_50 = plugins/eap_sim_file/libstrongswan-eap-sim-file.la
-@USE_EAP_SIMAKA_SQL_TRUE@am__append_51 = plugins/eap_simaka_sql
-@USE_EAP_SIMAKA_SQL_TRUE@am__append_52 = eap-simaka-sql
-@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_SQL_TRUE@am__append_53 = plugins/eap_simaka_sql/libstrongswan-eap-simaka-sql.la
-@USE_EAP_SIMAKA_PSEUDONYM_TRUE@am__append_54 = plugins/eap_simaka_pseudonym
-@USE_EAP_SIMAKA_PSEUDONYM_TRUE@am__append_55 = eap-simaka-pseudonym
-@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_PSEUDONYM_TRUE@am__append_56 = plugins/eap_simaka_pseudonym/libstrongswan-eap-simaka-pseudonym.la
-@USE_EAP_SIMAKA_REAUTH_TRUE@am__append_57 = plugins/eap_simaka_reauth
-@USE_EAP_SIMAKA_REAUTH_TRUE@am__append_58 = eap-simaka-reauth
-@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_REAUTH_TRUE@am__append_59 = plugins/eap_simaka_reauth/libstrongswan-eap-simaka-reauth.la
-@USE_EAP_AKA_TRUE@am__append_60 = plugins/eap_aka
-@USE_EAP_AKA_TRUE@am__append_61 = eap-aka
-@MONOLITHIC_TRUE@@USE_EAP_AKA_TRUE@am__append_62 = plugins/eap_aka/libstrongswan-eap-aka.la
-@USE_EAP_AKA_3GPP2_TRUE@am__append_63 = plugins/eap_aka_3gpp2
-@USE_EAP_AKA_3GPP2_TRUE@am__append_64 = eap-aka-3gpp2
-@MONOLITHIC_TRUE@@USE_EAP_AKA_3GPP2_TRUE@am__append_65 = plugins/eap_aka_3gpp2/libstrongswan-eap-aka-3gpp2.la
-@MONOLITHIC_TRUE@@USE_SIMAKA_TRUE@am__append_66 = $(top_builddir)/src/libsimaka/libsimaka.la
-@USE_EAP_MD5_TRUE@am__append_67 = plugins/eap_md5
-@USE_EAP_MD5_TRUE@am__append_68 = eap-md5
-@MONOLITHIC_TRUE@@USE_EAP_MD5_TRUE@am__append_69 = plugins/eap_md5/libstrongswan-eap-md5.la
-@USE_EAP_GTC_TRUE@am__append_70 = plugins/eap_gtc
-@USE_EAP_GTC_TRUE@am__append_71 = eap-gtc
-@MONOLITHIC_TRUE@@USE_EAP_GTC_TRUE@am__append_72 = plugins/eap_gtc/libstrongswan-eap-gtc.la
-@USE_EAP_MSCHAPV2_TRUE@am__append_73 = plugins/eap_mschapv2
-@USE_EAP_MSCHAPV2_TRUE@am__append_74 = eap-mschapv2
-@MONOLITHIC_TRUE@@USE_EAP_MSCHAPV2_TRUE@am__append_75 = plugins/eap_mschapv2/libstrongswan-eap-mschapv2.la
-@USE_EAP_RADIUS_TRUE@am__append_76 = plugins/eap_radius
-@USE_EAP_RADIUS_TRUE@am__append_77 = eap-radius
-@MONOLITHIC_TRUE@@USE_EAP_RADIUS_TRUE@am__append_78 = plugins/eap_radius/libstrongswan-eap-radius.la
-@USE_MEDSRV_TRUE@am__append_79 = plugins/medsrv
-@USE_MEDSRV_TRUE@am__append_80 = medsrv
-@MONOLITHIC_TRUE@@USE_MEDSRV_TRUE@am__append_81 = plugins/medsrv/libstrongswan-medsrv.la
-@USE_MEDCLI_TRUE@am__append_82 = plugins/medcli
-@USE_MEDCLI_TRUE@am__append_83 = medcli
-@MONOLITHIC_TRUE@@USE_MEDCLI_TRUE@am__append_84 = plugins/medcli/libstrongswan-medcli.la
-@USE_NM_TRUE@am__append_85 = plugins/nm
-@USE_NM_TRUE@am__append_86 = nm
-@MONOLITHIC_TRUE@@USE_NM_TRUE@am__append_87 = plugins/nm/libstrongswan-nm.la
-@USE_DHCP_TRUE@am__append_88 = plugins/dhcp
-@USE_DHCP_TRUE@am__append_89 = dhcp
-@MONOLITHIC_TRUE@@USE_DHCP_TRUE@am__append_90 = plugins/dhcp/libstrongswan-dhcp.la
-@USE_ANDROID_TRUE@am__append_91 = plugins/android
-@USE_ANDROID_TRUE@am__append_92 = android
-@MONOLITHIC_TRUE@@USE_ANDROID_TRUE@am__append_93 = plugins/android/libstrongswan-android.la
-@USE_HA_TRUE@am__append_94 = plugins/ha
-@USE_HA_TRUE@am__append_95 = ha
-@MONOLITHIC_TRUE@@USE_HA_TRUE@am__append_96 = plugins/ha/libstrongswan-ha.la
-@USE_UCI_TRUE@am__append_97 = plugins/uci
-@USE_UCI_TRUE@am__append_98 = uci
-@MONOLITHIC_TRUE@@USE_UCI_TRUE@am__append_99 = plugins/uci/libstrongswan-uci.la
-@USE_ADDRBLOCK_TRUE@am__append_100 = plugins/addrblock
-@USE_ADDRBLOCK_TRUE@am__append_101 = addrblock
-@MONOLITHIC_TRUE@@USE_ADDRBLOCK_TRUE@am__append_102 = plugins/uci/libstrongswan-addrblock.la
-@USE_UNIT_TESTS_TRUE@am__append_103 = plugins/unit_tester
-@USE_UNIT_TESTS_TRUE@am__append_104 = unit-tester
-@MONOLITHIC_TRUE@@USE_UNIT_TESTS_TRUE@am__append_105 = plugins/unit_tester/libstrongswan-unit-tester.la
+@MONOLITHIC_TRUE@@USE_LOAD_TESTER_TRUE@am__append_4 = plugins/load_tester/libstrongswan-load-tester.la
+@USE_SOCKET_DEFAULT_TRUE@am__append_5 = plugins/socket_default
+@MONOLITHIC_TRUE@@USE_SOCKET_DEFAULT_TRUE@am__append_6 = plugins/socket_default/libstrongswan-socket-default.la
+@USE_SOCKET_RAW_TRUE@am__append_7 = plugins/socket_raw
+@MONOLITHIC_TRUE@@USE_SOCKET_RAW_TRUE@am__append_8 = plugins/socket_raw/libstrongswan-socket-raw.la
+@USE_SOCKET_DYNAMIC_TRUE@am__append_9 = plugins/socket_dynamic
+@MONOLITHIC_TRUE@@USE_SOCKET_DYNAMIC_TRUE@am__append_10 = plugins/socket_dynamic/libstrongswan-socket-dynamic.la
+@USE_FARP_TRUE@am__append_11 = plugins/farp
+@MONOLITHIC_TRUE@@USE_FARP_TRUE@am__append_12 = plugins/farp/libstrongswan-farp.la
+@USE_STROKE_TRUE@am__append_13 = plugins/stroke
+@MONOLITHIC_TRUE@@USE_STROKE_TRUE@am__append_14 = plugins/stroke/libstrongswan-stroke.la
+@USE_SMP_TRUE@am__append_15 = plugins/smp
+@MONOLITHIC_TRUE@@USE_SMP_TRUE@am__append_16 = plugins/smp/libstrongswan-smp.la
+@USE_SQL_TRUE@am__append_17 = plugins/sql
+@MONOLITHIC_TRUE@@USE_SQL_TRUE@am__append_18 = plugins/sql/libstrongswan-sql.la
+@USE_UPDOWN_TRUE@am__append_19 = plugins/updown
+@MONOLITHIC_TRUE@@USE_UPDOWN_TRUE@am__append_20 = plugins/updown/libstrongswan-updown.la
+@USE_EAP_IDENTITY_TRUE@am__append_21 = plugins/eap_identity
+@MONOLITHIC_TRUE@@USE_EAP_IDENTITY_TRUE@am__append_22 = plugins/eap_identity/libstrongswan-eap-identity.la
+@USE_EAP_SIM_TRUE@am__append_23 = plugins/eap_sim
+@MONOLITHIC_TRUE@@USE_EAP_SIM_TRUE@am__append_24 = plugins/eap_sim/libstrongswan-eap-sim.la
+@USE_EAP_SIM_FILE_TRUE@am__append_25 = plugins/eap_sim_file
+@MONOLITHIC_TRUE@@USE_EAP_SIM_FILE_TRUE@am__append_26 = plugins/eap_sim_file/libstrongswan-eap-sim-file.la
+@USE_EAP_SIMAKA_SQL_TRUE@am__append_27 = plugins/eap_simaka_sql
+@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_SQL_TRUE@am__append_28 = plugins/eap_simaka_sql/libstrongswan-eap-simaka-sql.la
+@USE_EAP_SIMAKA_PSEUDONYM_TRUE@am__append_29 = plugins/eap_simaka_pseudonym
+@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_PSEUDONYM_TRUE@am__append_30 = plugins/eap_simaka_pseudonym/libstrongswan-eap-simaka-pseudonym.la
+@USE_EAP_SIMAKA_REAUTH_TRUE@am__append_31 = plugins/eap_simaka_reauth
+@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_REAUTH_TRUE@am__append_32 = plugins/eap_simaka_reauth/libstrongswan-eap-simaka-reauth.la
+@USE_EAP_AKA_TRUE@am__append_33 = plugins/eap_aka
+@MONOLITHIC_TRUE@@USE_EAP_AKA_TRUE@am__append_34 = plugins/eap_aka/libstrongswan-eap-aka.la
+@USE_EAP_AKA_3GPP2_TRUE@am__append_35 = plugins/eap_aka_3gpp2
+@MONOLITHIC_TRUE@@USE_EAP_AKA_3GPP2_TRUE@am__append_36 = plugins/eap_aka_3gpp2/libstrongswan-eap-aka-3gpp2.la
+@MONOLITHIC_TRUE@@USE_SIMAKA_TRUE@am__append_37 = $(top_builddir)/src/libsimaka/libsimaka.la
+@USE_EAP_MD5_TRUE@am__append_38 = plugins/eap_md5
+@MONOLITHIC_TRUE@@USE_EAP_MD5_TRUE@am__append_39 = plugins/eap_md5/libstrongswan-eap-md5.la
+@USE_EAP_GTC_TRUE@am__append_40 = plugins/eap_gtc
+@MONOLITHIC_TRUE@@USE_EAP_GTC_TRUE@am__append_41 = plugins/eap_gtc/libstrongswan-eap-gtc.la
+@USE_EAP_MSCHAPV2_TRUE@am__append_42 = plugins/eap_mschapv2
+@MONOLITHIC_TRUE@@USE_EAP_MSCHAPV2_TRUE@am__append_43 = plugins/eap_mschapv2/libstrongswan-eap-mschapv2.la
+@USE_EAP_RADIUS_TRUE@am__append_44 = plugins/eap_radius
+@MONOLITHIC_TRUE@@USE_EAP_RADIUS_TRUE@am__append_45 = plugins/eap_radius/libstrongswan-eap-radius.la
+@USE_EAP_TLS_TRUE@am__append_46 = plugins/eap_tls
+@MONOLITHIC_TRUE@@USE_EAP_TLS_TRUE@am__append_47 = plugins/eap_tls/libstrongswan-eap-tls.la
+@USE_EAP_TTLS_TRUE@am__append_48 = plugins/eap_ttls
+@MONOLITHIC_TRUE@@USE_EAP_TTLS_TRUE@am__append_49 = plugins/eap_ttls/libstrongswan-eap-ttls.la
+@USE_EAP_TNC_TRUE@am__append_50 = plugins/eap_tnc
+@MONOLITHIC_TRUE@@USE_EAP_TNC_TRUE@am__append_51 = plugins/eap_tnc/libstrongswan-eap-tnc.la
+@MONOLITHIC_TRUE@@USE_TLS_TRUE@am__append_52 = $(top_builddir)/src/libtls/libtls.la
+@USE_TNC_IMC_TRUE@am__append_53 = plugins/tnc_imc
+@MONOLITHIC_TRUE@@USE_TNC_IMC_TRUE@am__append_54 = plugins/tnc_imc/libstrongswan-tnc_imc.la
+@USE_TNC_IMV_TRUE@am__append_55 = plugins/tnc_imv
+@MONOLITHIC_TRUE@@USE_TNC_IMV_TRUE@am__append_56 = plugins/tnc_imv/libstrongswan-tnc_imv.la
+@USE_TNCCS_11_TRUE@am__append_57 = plugins/tnccs_11
+@MONOLITHIC_TRUE@@USE_TNCCS_11_TRUE@am__append_58 = plugins/tnccs_11/libstrongswan-tnccs-11.la
+@USE_TNCCS_20_TRUE@am__append_59 = plugins/tnccs_20
+@MONOLITHIC_TRUE@@USE_TNCCS_20_TRUE@am__append_60 = plugins/tnccs_20/libstrongswan-tnccs-20.la
+@USE_MEDSRV_TRUE@am__append_61 = plugins/medsrv
+@MONOLITHIC_TRUE@@USE_MEDSRV_TRUE@am__append_62 = plugins/medsrv/libstrongswan-medsrv.la
+@USE_MEDCLI_TRUE@am__append_63 = plugins/medcli
+@MONOLITHIC_TRUE@@USE_MEDCLI_TRUE@am__append_64 = plugins/medcli/libstrongswan-medcli.la
+@USE_NM_TRUE@am__append_65 = plugins/nm
+@MONOLITHIC_TRUE@@USE_NM_TRUE@am__append_66 = plugins/nm/libstrongswan-nm.la
+@USE_DHCP_TRUE@am__append_67 = plugins/dhcp
+@MONOLITHIC_TRUE@@USE_DHCP_TRUE@am__append_68 = plugins/dhcp/libstrongswan-dhcp.la
+@USE_ANDROID_TRUE@am__append_69 = plugins/android
+@MONOLITHIC_TRUE@@USE_ANDROID_TRUE@am__append_70 = plugins/android/libstrongswan-android.la
+@USE_MAEMO_TRUE@am__append_71 = plugins/maemo
+@MONOLITHIC_TRUE@@USE_MAEMO_TRUE@am__append_72 = plugins/maemo/libstrongswan-maemo.la
+@USE_HA_TRUE@am__append_73 = plugins/ha
+@MONOLITHIC_TRUE@@USE_HA_TRUE@am__append_74 = plugins/ha/libstrongswan-ha.la
+@USE_LED_TRUE@am__append_75 = plugins/led
+@MONOLITHIC_TRUE@@USE_LED_TRUE@am__append_76 = plugins/led/libstrongswan-led.la
+@USE_UCI_TRUE@am__append_77 = plugins/uci
+@MONOLITHIC_TRUE@@USE_UCI_TRUE@am__append_78 = plugins/uci/libstrongswan-uci.la
+@USE_ADDRBLOCK_TRUE@am__append_79 = plugins/addrblock
+@MONOLITHIC_TRUE@@USE_ADDRBLOCK_TRUE@am__append_80 = plugins/uci/libstrongswan-addrblock.la
+@USE_UNIT_TESTS_TRUE@am__append_81 = plugins/unit_tester
+@MONOLITHIC_TRUE@@USE_UNIT_TESTS_TRUE@am__append_82 = plugins/unit_tester/libstrongswan-unit-tester.la
 subdir = src/libcharon
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
@@ -158,6 +135,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -190,18 +168,20 @@ LTLIBRARIES = $(lib_LTLIBRARIES)
 am__DEPENDENCIES_1 =
 libcharon_la_DEPENDENCIES = $(am__DEPENDENCIES_1) \
 	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
-	$(am__DEPENDENCIES_1) $(am__append_5) $(am__append_8) \
-	$(am__append_11) $(am__append_14) $(am__append_17) \
-	$(am__append_20) $(am__append_23) $(am__append_26) \
-	$(am__append_29) $(am__append_32) $(am__append_35) \
-	$(am__append_38) $(am__append_41) $(am__append_44) \
-	$(am__append_47) $(am__append_50) $(am__append_53) \
-	$(am__append_56) $(am__append_59) $(am__append_62) \
-	$(am__append_65) $(am__append_66) $(am__append_69) \
-	$(am__append_72) $(am__append_75) $(am__append_78) \
-	$(am__append_81) $(am__append_84) $(am__append_87) \
-	$(am__append_90) $(am__append_93) $(am__append_96) \
-	$(am__append_99) $(am__append_102) $(am__append_105)
+	$(am__DEPENDENCIES_1) $(am__append_4) $(am__append_6) \
+	$(am__append_8) $(am__append_10) $(am__append_12) \
+	$(am__append_14) $(am__append_16) $(am__append_18) \
+	$(am__append_20) $(am__append_22) $(am__append_24) \
+	$(am__append_26) $(am__append_28) $(am__append_30) \
+	$(am__append_32) $(am__append_34) $(am__append_36) \
+	$(am__append_37) $(am__append_39) $(am__append_41) \
+	$(am__append_43) $(am__append_45) $(am__append_47) \
+	$(am__append_49) $(am__append_51) $(am__append_52) \
+	$(am__append_54) $(am__append_56) $(am__append_58) \
+	$(am__append_60) $(am__append_62) $(am__append_64) \
+	$(am__append_66) $(am__append_68) $(am__append_70) \
+	$(am__append_72) $(am__append_74) $(am__append_76) \
+	$(am__append_78) $(am__append_80) $(am__append_82)
 am__libcharon_la_SOURCES_DIST = bus/bus.c bus/bus.h \
 	bus/listeners/listener.h bus/listeners/file_logger.c \
 	bus/listeners/file_logger.h bus/listeners/sys_logger.c \
@@ -249,16 +229,12 @@ am__libcharon_la_SOURCES_DIST = bus/bus.c bus/bus.h \
 	encoding/payloads/unknown_payload.c \
 	encoding/payloads/unknown_payload.h \
 	encoding/payloads/vendor_id_payload.c \
-	encoding/payloads/vendor_id_payload.h \
-	kernel/kernel_interface.c kernel/kernel_interface.h \
-	kernel/kernel_ipsec.c kernel/kernel_ipsec.h \
-	kernel/kernel_net.h network/packet.c network/packet.h \
+	encoding/payloads/vendor_id_payload.h kernel/kernel_handler.c \
+	kernel/kernel_handler.h network/packet.c network/packet.h \
 	network/receiver.c network/receiver.h network/sender.c \
 	network/sender.h network/socket_manager.c \
 	network/socket_manager.h network/socket.h \
-	processing/jobs/job.h processing/jobs/acquire_job.c \
-	processing/jobs/acquire_job.h processing/jobs/callback_job.c \
-	processing/jobs/callback_job.h \
+	processing/jobs/acquire_job.c processing/jobs/acquire_job.h \
 	processing/jobs/delete_child_sa_job.c \
 	processing/jobs/delete_child_sa_job.h \
 	processing/jobs/delete_ike_sa_job.c \
@@ -279,9 +255,8 @@ am__libcharon_la_SOURCES_DIST = bus/bus.c bus/bus.h \
 	processing/jobs/update_sa_job.c \
 	processing/jobs/update_sa_job.h \
 	processing/jobs/inactivity_job.c \
-	processing/jobs/inactivity_job.h processing/scheduler.c \
-	processing/scheduler.h processing/processor.c \
-	processing/processor.h sa/authenticators/authenticator.c \
+	processing/jobs/inactivity_job.h \
+	sa/authenticators/authenticator.c \
 	sa/authenticators/authenticator.h \
 	sa/authenticators/eap_authenticator.c \
 	sa/authenticators/eap_authenticator.h \
@@ -313,7 +288,8 @@ am__libcharon_la_SOURCES_DIST = bus/bus.c bus/bus.h \
 	sa/tasks/ike_reauth.h sa/tasks/ike_auth_lifetime.c \
 	sa/tasks/ike_auth_lifetime.h sa/tasks/ike_vendor.c \
 	sa/tasks/ike_vendor.h sa/tasks/task.c sa/tasks/task.h \
-	encoding/payloads/endpoint_notify.c \
+	tnccs/tnccs.c tnccs/tnccs.h tnccs/tnccs_manager.h \
+	tnccs/tnccs_manager.c encoding/payloads/endpoint_notify.c \
 	encoding/payloads/endpoint_notify.h \
 	processing/jobs/initiate_mediation_job.c \
 	processing/jobs/initiate_mediation_job.h \
@@ -334,22 +310,21 @@ am_libcharon_la_OBJECTS = bus.lo file_logger.lo sys_logger.lo \
 	notify_payload.lo payload.lo proposal_substructure.lo \
 	sa_payload.lo traffic_selector_substructure.lo \
 	transform_attribute.lo transform_substructure.lo ts_payload.lo \
-	unknown_payload.lo vendor_id_payload.lo kernel_interface.lo \
-	kernel_ipsec.lo packet.lo receiver.lo sender.lo \
-	socket_manager.lo acquire_job.lo callback_job.lo \
-	delete_child_sa_job.lo delete_ike_sa_job.lo migrate_job.lo \
-	process_message_job.lo rekey_child_sa_job.lo \
+	unknown_payload.lo vendor_id_payload.lo kernel_handler.lo \
+	packet.lo receiver.lo sender.lo socket_manager.lo \
+	acquire_job.lo delete_child_sa_job.lo delete_ike_sa_job.lo \
+	migrate_job.lo process_message_job.lo rekey_child_sa_job.lo \
 	rekey_ike_sa_job.lo retransmit_job.lo send_dpd_job.lo \
 	send_keepalive_job.lo roam_job.lo update_sa_job.lo \
-	inactivity_job.lo scheduler.lo processor.lo authenticator.lo \
-	eap_authenticator.lo eap_method.lo eap_manager.lo \
-	sim_manager.lo psk_authenticator.lo pubkey_authenticator.lo \
-	child_sa.lo ike_sa.lo ike_sa_id.lo ike_sa_manager.lo \
-	task_manager.lo keymat.lo trap_manager.lo child_create.lo \
-	child_delete.lo child_rekey.lo ike_auth.lo ike_cert_pre.lo \
-	ike_cert_post.lo ike_config.lo ike_delete.lo ike_dpd.lo \
-	ike_init.lo ike_natd.lo ike_mobike.lo ike_rekey.lo \
-	ike_reauth.lo ike_auth_lifetime.lo ike_vendor.lo task.lo \
+	inactivity_job.lo authenticator.lo eap_authenticator.lo \
+	eap_method.lo eap_manager.lo sim_manager.lo \
+	psk_authenticator.lo pubkey_authenticator.lo child_sa.lo \
+	ike_sa.lo ike_sa_id.lo ike_sa_manager.lo task_manager.lo \
+	keymat.lo trap_manager.lo child_create.lo child_delete.lo \
+	child_rekey.lo ike_auth.lo ike_cert_pre.lo ike_cert_post.lo \
+	ike_config.lo ike_delete.lo ike_dpd.lo ike_init.lo ike_natd.lo \
+	ike_mobike.lo ike_rekey.lo ike_reauth.lo ike_auth_lifetime.lo \
+	ike_vendor.lo task.lo tnccs.lo tnccs_manager.lo \
 	$(am__objects_1)
 libcharon_la_OBJECTS = $(am_libcharon_la_OBJECTS)
 DEFAULT_INCLUDES = -I.@am__isrc@
@@ -381,18 +356,19 @@ AM_RECURSIVE_TARGETS = $(RECURSIVE_TARGETS:-recursive=) \
 	distdir
 ETAGS = etags
 CTAGS = ctags
-DIST_SUBDIRS = . plugins/load_tester plugins/kernel_pfkey \
-	plugins/kernel_pfroute plugins/kernel_klips \
-	plugins/kernel_netlink plugins/socket_default \
+DIST_SUBDIRS = . plugins/load_tester plugins/socket_default \
 	plugins/socket_raw plugins/socket_dynamic plugins/farp \
 	plugins/stroke plugins/smp plugins/sql plugins/updown \
 	plugins/eap_identity plugins/eap_sim plugins/eap_sim_file \
 	plugins/eap_simaka_sql plugins/eap_simaka_pseudonym \
 	plugins/eap_simaka_reauth plugins/eap_aka \
 	plugins/eap_aka_3gpp2 plugins/eap_md5 plugins/eap_gtc \
-	plugins/eap_mschapv2 plugins/eap_radius plugins/medsrv \
-	plugins/medcli plugins/nm plugins/dhcp plugins/android \
-	plugins/ha plugins/uci plugins/addrblock plugins/unit_tester
+	plugins/eap_mschapv2 plugins/eap_radius plugins/eap_tls \
+	plugins/eap_ttls plugins/eap_tnc plugins/tnc_imc \
+	plugins/tnc_imv plugins/tnccs_11 plugins/tnccs_20 \
+	plugins/medsrv plugins/medcli plugins/nm plugins/dhcp \
+	plugins/android plugins/maemo plugins/ha plugins/led \
+	plugins/uci plugins/addrblock plugins/unit_tester
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 am__relativize = \
   dir0=`pwd`; \
@@ -484,6 +460,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -515,14 +493,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -537,24 +518,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -562,7 +550,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
@@ -622,16 +613,12 @@ libcharon_la_SOURCES = bus/bus.c bus/bus.h bus/listeners/listener.h \
 	encoding/payloads/unknown_payload.c \
 	encoding/payloads/unknown_payload.h \
 	encoding/payloads/vendor_id_payload.c \
-	encoding/payloads/vendor_id_payload.h \
-	kernel/kernel_interface.c kernel/kernel_interface.h \
-	kernel/kernel_ipsec.c kernel/kernel_ipsec.h \
-	kernel/kernel_net.h network/packet.c network/packet.h \
+	encoding/payloads/vendor_id_payload.h kernel/kernel_handler.c \
+	kernel/kernel_handler.h network/packet.c network/packet.h \
 	network/receiver.c network/receiver.h network/sender.c \
 	network/sender.h network/socket_manager.c \
 	network/socket_manager.h network/socket.h \
-	processing/jobs/job.h processing/jobs/acquire_job.c \
-	processing/jobs/acquire_job.h processing/jobs/callback_job.c \
-	processing/jobs/callback_job.h \
+	processing/jobs/acquire_job.c processing/jobs/acquire_job.h \
 	processing/jobs/delete_child_sa_job.c \
 	processing/jobs/delete_child_sa_job.h \
 	processing/jobs/delete_ike_sa_job.c \
@@ -652,9 +639,8 @@ libcharon_la_SOURCES = bus/bus.c bus/bus.h bus/listeners/listener.h \
 	processing/jobs/update_sa_job.c \
 	processing/jobs/update_sa_job.h \
 	processing/jobs/inactivity_job.c \
-	processing/jobs/inactivity_job.h processing/scheduler.c \
-	processing/scheduler.h processing/processor.c \
-	processing/processor.h sa/authenticators/authenticator.c \
+	processing/jobs/inactivity_job.h \
+	sa/authenticators/authenticator.c \
 	sa/authenticators/authenticator.h \
 	sa/authenticators/eap_authenticator.c \
 	sa/authenticators/eap_authenticator.h \
@@ -686,78 +672,78 @@ libcharon_la_SOURCES = bus/bus.c bus/bus.h bus/listeners/listener.h \
 	sa/tasks/ike_reauth.h sa/tasks/ike_auth_lifetime.c \
 	sa/tasks/ike_auth_lifetime.h sa/tasks/ike_vendor.c \
 	sa/tasks/ike_vendor.h sa/tasks/task.c sa/tasks/task.h \
-	$(am__append_1)
+	tnccs/tnccs.c tnccs/tnccs.h tnccs/tnccs_manager.h \
+	tnccs/tnccs_manager.c $(am__append_1)
 INCLUDES = \
 	-I${linux_headers} \
 	-I$(top_srcdir)/src/libstrongswan \
 	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
-AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" -DIPSEC_PIDDIR=\"${piddir}\" \
-	-DPLUGINS=\""${PLUGINS}\""
+AM_CFLAGS = \
+	-DIPSEC_DIR=\"${ipsecdir}\" \
+	-DIPSEC_PIDDIR=\"${piddir}\" \
+	-DPLUGINS=\""${libcharon_plugins}\""
+
 libcharon_la_LIBADD = -lm $(PTHREADLIB) $(DLLIB) $(SOCKLIB) \
-	$(am__append_2) $(am__append_5) $(am__append_8) \
-	$(am__append_11) $(am__append_14) $(am__append_17) \
-	$(am__append_20) $(am__append_23) $(am__append_26) \
-	$(am__append_29) $(am__append_32) $(am__append_35) \
-	$(am__append_38) $(am__append_41) $(am__append_44) \
-	$(am__append_47) $(am__append_50) $(am__append_53) \
-	$(am__append_56) $(am__append_59) $(am__append_62) \
-	$(am__append_65) $(am__append_66) $(am__append_69) \
-	$(am__append_72) $(am__append_75) $(am__append_78) \
-	$(am__append_81) $(am__append_84) $(am__append_87) \
-	$(am__append_90) $(am__append_93) $(am__append_96) \
-	$(am__append_99) $(am__append_102) $(am__append_105)
+	$(am__append_2) $(am__append_4) $(am__append_6) \
+	$(am__append_8) $(am__append_10) $(am__append_12) \
+	$(am__append_14) $(am__append_16) $(am__append_18) \
+	$(am__append_20) $(am__append_22) $(am__append_24) \
+	$(am__append_26) $(am__append_28) $(am__append_30) \
+	$(am__append_32) $(am__append_34) $(am__append_36) \
+	$(am__append_37) $(am__append_39) $(am__append_41) \
+	$(am__append_43) $(am__append_45) $(am__append_47) \
+	$(am__append_49) $(am__append_51) $(am__append_52) \
+	$(am__append_54) $(am__append_56) $(am__append_58) \
+	$(am__append_60) $(am__append_62) $(am__append_64) \
+	$(am__append_66) $(am__append_68) $(am__append_70) \
+	$(am__append_72) $(am__append_74) $(am__append_76) \
+	$(am__append_78) $(am__append_80) $(am__append_82)
 EXTRA_DIST = Android.mk
-@MONOLITHIC_FALSE@SUBDIRS = . $(am__append_3) $(am__append_6) \
-@MONOLITHIC_FALSE@	$(am__append_9) $(am__append_12) \
-@MONOLITHIC_FALSE@	$(am__append_15) $(am__append_18) \
-@MONOLITHIC_FALSE@	$(am__append_21) $(am__append_24) \
-@MONOLITHIC_FALSE@	$(am__append_27) $(am__append_30) \
-@MONOLITHIC_FALSE@	$(am__append_33) $(am__append_36) \
-@MONOLITHIC_FALSE@	$(am__append_39) $(am__append_42) \
-@MONOLITHIC_FALSE@	$(am__append_45) $(am__append_48) \
-@MONOLITHIC_FALSE@	$(am__append_51) $(am__append_54) \
-@MONOLITHIC_FALSE@	$(am__append_57) $(am__append_60) \
-@MONOLITHIC_FALSE@	$(am__append_63) $(am__append_67) \
-@MONOLITHIC_FALSE@	$(am__append_70) $(am__append_73) \
-@MONOLITHIC_FALSE@	$(am__append_76) $(am__append_79) \
-@MONOLITHIC_FALSE@	$(am__append_82) $(am__append_85) \
-@MONOLITHIC_FALSE@	$(am__append_88) $(am__append_91) \
-@MONOLITHIC_FALSE@	$(am__append_94) $(am__append_97) \
-@MONOLITHIC_FALSE@	$(am__append_100) $(am__append_103)
+@MONOLITHIC_FALSE@SUBDIRS = . $(am__append_3) $(am__append_5) \
+@MONOLITHIC_FALSE@	$(am__append_7) $(am__append_9) \
+@MONOLITHIC_FALSE@	$(am__append_11) $(am__append_13) \
+@MONOLITHIC_FALSE@	$(am__append_15) $(am__append_17) \
+@MONOLITHIC_FALSE@	$(am__append_19) $(am__append_21) \
+@MONOLITHIC_FALSE@	$(am__append_23) $(am__append_25) \
+@MONOLITHIC_FALSE@	$(am__append_27) $(am__append_29) \
+@MONOLITHIC_FALSE@	$(am__append_31) $(am__append_33) \
+@MONOLITHIC_FALSE@	$(am__append_35) $(am__append_38) \
+@MONOLITHIC_FALSE@	$(am__append_40) $(am__append_42) \
+@MONOLITHIC_FALSE@	$(am__append_44) $(am__append_46) \
+@MONOLITHIC_FALSE@	$(am__append_48) $(am__append_50) \
+@MONOLITHIC_FALSE@	$(am__append_53) $(am__append_55) \
+@MONOLITHIC_FALSE@	$(am__append_57) $(am__append_59) \
+@MONOLITHIC_FALSE@	$(am__append_61) $(am__append_63) \
+@MONOLITHIC_FALSE@	$(am__append_65) $(am__append_67) \
+@MONOLITHIC_FALSE@	$(am__append_69) $(am__append_71) \
+@MONOLITHIC_FALSE@	$(am__append_73) $(am__append_75) \
+@MONOLITHIC_FALSE@	$(am__append_77) $(am__append_79) \
+@MONOLITHIC_FALSE@	$(am__append_81)
 
 # build optional plugins
 ########################
-@MONOLITHIC_TRUE@SUBDIRS = $(am__append_3) $(am__append_6) \
-@MONOLITHIC_TRUE@	$(am__append_9) $(am__append_12) \
-@MONOLITHIC_TRUE@	$(am__append_15) $(am__append_18) \
-@MONOLITHIC_TRUE@	$(am__append_21) $(am__append_24) \
-@MONOLITHIC_TRUE@	$(am__append_27) $(am__append_30) \
-@MONOLITHIC_TRUE@	$(am__append_33) $(am__append_36) \
-@MONOLITHIC_TRUE@	$(am__append_39) $(am__append_42) \
-@MONOLITHIC_TRUE@	$(am__append_45) $(am__append_48) \
-@MONOLITHIC_TRUE@	$(am__append_51) $(am__append_54) \
-@MONOLITHIC_TRUE@	$(am__append_57) $(am__append_60) \
-@MONOLITHIC_TRUE@	$(am__append_63) $(am__append_67) \
-@MONOLITHIC_TRUE@	$(am__append_70) $(am__append_73) \
-@MONOLITHIC_TRUE@	$(am__append_76) $(am__append_79) \
-@MONOLITHIC_TRUE@	$(am__append_82) $(am__append_85) \
-@MONOLITHIC_TRUE@	$(am__append_88) $(am__append_91) \
-@MONOLITHIC_TRUE@	$(am__append_94) $(am__append_97) \
-@MONOLITHIC_TRUE@	$(am__append_100) $(am__append_103)
-PLUGINS = ${libstrongswan_plugins} ${libhydra_plugins} $(am__append_4) \
-	$(am__append_7) $(am__append_10) $(am__append_13) \
-	$(am__append_16) $(am__append_19) $(am__append_22) \
-	$(am__append_25) $(am__append_28) $(am__append_31) \
-	$(am__append_34) $(am__append_37) $(am__append_40) \
-	$(am__append_43) $(am__append_46) $(am__append_49) \
-	$(am__append_52) $(am__append_55) $(am__append_58) \
-	$(am__append_61) $(am__append_64) $(am__append_68) \
-	$(am__append_71) $(am__append_74) $(am__append_77) \
-	$(am__append_80) $(am__append_83) $(am__append_86) \
-	$(am__append_89) $(am__append_92) $(am__append_95) \
-	$(am__append_98) $(am__append_101) $(am__append_104)
+@MONOLITHIC_TRUE@SUBDIRS = $(am__append_3) $(am__append_5) \
+@MONOLITHIC_TRUE@	$(am__append_7) $(am__append_9) \
+@MONOLITHIC_TRUE@	$(am__append_11) $(am__append_13) \
+@MONOLITHIC_TRUE@	$(am__append_15) $(am__append_17) \
+@MONOLITHIC_TRUE@	$(am__append_19) $(am__append_21) \
+@MONOLITHIC_TRUE@	$(am__append_23) $(am__append_25) \
+@MONOLITHIC_TRUE@	$(am__append_27) $(am__append_29) \
+@MONOLITHIC_TRUE@	$(am__append_31) $(am__append_33) \
+@MONOLITHIC_TRUE@	$(am__append_35) $(am__append_38) \
+@MONOLITHIC_TRUE@	$(am__append_40) $(am__append_42) \
+@MONOLITHIC_TRUE@	$(am__append_44) $(am__append_46) \
+@MONOLITHIC_TRUE@	$(am__append_48) $(am__append_50) \
+@MONOLITHIC_TRUE@	$(am__append_53) $(am__append_55) \
+@MONOLITHIC_TRUE@	$(am__append_57) $(am__append_59) \
+@MONOLITHIC_TRUE@	$(am__append_61) $(am__append_63) \
+@MONOLITHIC_TRUE@	$(am__append_65) $(am__append_67) \
+@MONOLITHIC_TRUE@	$(am__append_69) $(am__append_71) \
+@MONOLITHIC_TRUE@	$(am__append_73) $(am__append_75) \
+@MONOLITHIC_TRUE@	$(am__append_77) $(am__append_79) \
+@MONOLITHIC_TRUE@	$(am__append_81)
 all: all-recursive
 
 .SUFFIXES:
@@ -837,7 +823,6 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/authenticator.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/backend_manager.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bus.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/callback_job.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cert_payload.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/certreq_payload.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/child_cfg.Plo@am__quote@
@@ -885,8 +870,7 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/inactivity_job.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/initiate_mediation_job.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ke_payload.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_interface.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_ipsec.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_handler.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/keymat.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mediation_job.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mediation_manager.Plo@am__quote@
@@ -899,7 +883,6 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/payload.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/peer_cfg.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/process_message_job.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/processor.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/proposal.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/proposal_substructure.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/psk_authenticator.Plo@am__quote@
@@ -910,7 +893,6 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/retransmit_job.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/roam_job.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sa_payload.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/scheduler.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/send_dpd_job.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/send_keepalive_job.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sender.Plo@am__quote@
@@ -919,6 +901,8 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sys_logger.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/task.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/task_manager.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs_manager.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/traffic_selector_substructure.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/transform_attribute.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/transform_substructure.Plo@am__quote@
@@ -1194,19 +1178,12 @@ vendor_id_payload.lo: encoding/payloads/vendor_id_payload.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o vendor_id_payload.lo `test -f 'encoding/payloads/vendor_id_payload.c' || echo '$(srcdir)/'`encoding/payloads/vendor_id_payload.c
 
-kernel_interface.lo: kernel/kernel_interface.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT kernel_interface.lo -MD -MP -MF $(DEPDIR)/kernel_interface.Tpo -c -o kernel_interface.lo `test -f 'kernel/kernel_interface.c' || echo '$(srcdir)/'`kernel/kernel_interface.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/kernel_interface.Tpo $(DEPDIR)/kernel_interface.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='kernel/kernel_interface.c' object='kernel_interface.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o kernel_interface.lo `test -f 'kernel/kernel_interface.c' || echo '$(srcdir)/'`kernel/kernel_interface.c
-
-kernel_ipsec.lo: kernel/kernel_ipsec.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT kernel_ipsec.lo -MD -MP -MF $(DEPDIR)/kernel_ipsec.Tpo -c -o kernel_ipsec.lo `test -f 'kernel/kernel_ipsec.c' || echo '$(srcdir)/'`kernel/kernel_ipsec.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/kernel_ipsec.Tpo $(DEPDIR)/kernel_ipsec.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='kernel/kernel_ipsec.c' object='kernel_ipsec.lo' libtool=yes @AMDEPBACKSLASH@
+kernel_handler.lo: kernel/kernel_handler.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT kernel_handler.lo -MD -MP -MF $(DEPDIR)/kernel_handler.Tpo -c -o kernel_handler.lo `test -f 'kernel/kernel_handler.c' || echo '$(srcdir)/'`kernel/kernel_handler.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/kernel_handler.Tpo $(DEPDIR)/kernel_handler.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='kernel/kernel_handler.c' object='kernel_handler.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o kernel_ipsec.lo `test -f 'kernel/kernel_ipsec.c' || echo '$(srcdir)/'`kernel/kernel_ipsec.c
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o kernel_handler.lo `test -f 'kernel/kernel_handler.c' || echo '$(srcdir)/'`kernel/kernel_handler.c
 
 packet.lo: network/packet.c
 @am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT packet.lo -MD -MP -MF $(DEPDIR)/packet.Tpo -c -o packet.lo `test -f 'network/packet.c' || echo '$(srcdir)/'`network/packet.c
@@ -1243,13 +1220,6 @@ acquire_job.lo: processing/jobs/acquire_job.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o acquire_job.lo `test -f 'processing/jobs/acquire_job.c' || echo '$(srcdir)/'`processing/jobs/acquire_job.c
 
-callback_job.lo: processing/jobs/callback_job.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT callback_job.lo -MD -MP -MF $(DEPDIR)/callback_job.Tpo -c -o callback_job.lo `test -f 'processing/jobs/callback_job.c' || echo '$(srcdir)/'`processing/jobs/callback_job.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/callback_job.Tpo $(DEPDIR)/callback_job.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/callback_job.c' object='callback_job.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o callback_job.lo `test -f 'processing/jobs/callback_job.c' || echo '$(srcdir)/'`processing/jobs/callback_job.c
-
 delete_child_sa_job.lo: processing/jobs/delete_child_sa_job.c
 @am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT delete_child_sa_job.lo -MD -MP -MF $(DEPDIR)/delete_child_sa_job.Tpo -c -o delete_child_sa_job.lo `test -f 'processing/jobs/delete_child_sa_job.c' || echo '$(srcdir)/'`processing/jobs/delete_child_sa_job.c
 @am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/delete_child_sa_job.Tpo $(DEPDIR)/delete_child_sa_job.Plo
@@ -1334,20 +1304,6 @@ inactivity_job.lo: processing/jobs/inactivity_job.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o inactivity_job.lo `test -f 'processing/jobs/inactivity_job.c' || echo '$(srcdir)/'`processing/jobs/inactivity_job.c
 
-scheduler.lo: processing/scheduler.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT scheduler.lo -MD -MP -MF $(DEPDIR)/scheduler.Tpo -c -o scheduler.lo `test -f 'processing/scheduler.c' || echo '$(srcdir)/'`processing/scheduler.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/scheduler.Tpo $(DEPDIR)/scheduler.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/scheduler.c' object='scheduler.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o scheduler.lo `test -f 'processing/scheduler.c' || echo '$(srcdir)/'`processing/scheduler.c
-
-processor.lo: processing/processor.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT processor.lo -MD -MP -MF $(DEPDIR)/processor.Tpo -c -o processor.lo `test -f 'processing/processor.c' || echo '$(srcdir)/'`processing/processor.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/processor.Tpo $(DEPDIR)/processor.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/processor.c' object='processor.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o processor.lo `test -f 'processing/processor.c' || echo '$(srcdir)/'`processing/processor.c
-
 authenticator.lo: sa/authenticators/authenticator.c
 @am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT authenticator.lo -MD -MP -MF $(DEPDIR)/authenticator.Tpo -c -o authenticator.lo `test -f 'sa/authenticators/authenticator.c' || echo '$(srcdir)/'`sa/authenticators/authenticator.c
 @am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/authenticator.Tpo $(DEPDIR)/authenticator.Plo
@@ -1565,6 +1521,20 @@ task.lo: sa/tasks/task.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o task.lo `test -f 'sa/tasks/task.c' || echo '$(srcdir)/'`sa/tasks/task.c
 
+tnccs.lo: tnccs/tnccs.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tnccs.lo -MD -MP -MF $(DEPDIR)/tnccs.Tpo -c -o tnccs.lo `test -f 'tnccs/tnccs.c' || echo '$(srcdir)/'`tnccs/tnccs.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/tnccs.Tpo $(DEPDIR)/tnccs.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tnccs/tnccs.c' object='tnccs.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tnccs.lo `test -f 'tnccs/tnccs.c' || echo '$(srcdir)/'`tnccs/tnccs.c
+
+tnccs_manager.lo: tnccs/tnccs_manager.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tnccs_manager.lo -MD -MP -MF $(DEPDIR)/tnccs_manager.Tpo -c -o tnccs_manager.lo `test -f 'tnccs/tnccs_manager.c' || echo '$(srcdir)/'`tnccs/tnccs_manager.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/tnccs_manager.Tpo $(DEPDIR)/tnccs_manager.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tnccs/tnccs_manager.c' object='tnccs_manager.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tnccs_manager.lo `test -f 'tnccs/tnccs_manager.c' || echo '$(srcdir)/'`tnccs/tnccs_manager.c
+
 endpoint_notify.lo: encoding/payloads/endpoint_notify.c
 @am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT endpoint_notify.lo -MD -MP -MF $(DEPDIR)/endpoint_notify.Tpo -c -o endpoint_notify.lo `test -f 'encoding/payloads/endpoint_notify.c' || echo '$(srcdir)/'`encoding/payloads/endpoint_notify.c
 @am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/endpoint_notify.Tpo $(DEPDIR)/endpoint_notify.Plo
@@ -1934,6 +1904,8 @@ daemon.lo :		$(top_builddir)/config.status
 
 @MONOLITHIC_TRUE@@USE_SIMAKA_TRUE@  # otherwise this library is linked to both the eap_aka and the eap_sim plugin
 
+@MONOLITHIC_TRUE@@USE_TLS_TRUE@  # otherwise this library is linked to eap_tls
+
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/src/libcharon/bus/bus.c b/src/libcharon/bus/bus.c
index 441009e5e..ab8d0fc48 100644
--- a/src/libcharon/bus/bus.c
+++ b/src/libcharon/bus/bus.c
@@ -17,7 +17,6 @@
 
 #include <stdint.h>
 
-#include <daemon.h>
 #include <threading/thread.h>
 #include <threading/thread_value.h>
 #include <threading/condvar.h>
@@ -163,7 +162,7 @@ METHOD(bus_t, listen_, void,
 
 	this->mutex->lock(this->mutex);
 	this->listeners->insert_last(this->listeners, data.entry);
-	charon->processor->queue_job(charon->processor, job);
+	lib->processor->queue_job(lib->processor, job);
 	thread_cleanup_push((thread_cleanup_t)this->mutex->unlock, this->mutex);
 	thread_cleanup_push((thread_cleanup_t)listener_cleanup, &data);
 	old = thread_cancelability(TRUE);
diff --git a/src/libcharon/bus/listeners/file_logger.c b/src/libcharon/bus/listeners/file_logger.c
index 87db532f5..157436a7d 100644
--- a/src/libcharon/bus/listeners/file_logger.c
+++ b/src/libcharon/bus/listeners/file_logger.c
@@ -46,6 +46,11 @@ struct private_file_logger_t {
 	 * strftime() format of time prefix, if any
 	 */
 	char *time_format;
+
+	/**
+	 * Print the name/# of the IKE_SA?
+	 */
+	bool ike_name;
 };
 
 /**
@@ -56,7 +61,7 @@ static bool log_(private_file_logger_t *this, debug_t group, level_t level,
 {
 	if (level <= this->levels[group])
 	{
-		char buffer[8192], timestr[128];
+		char buffer[8192], timestr[128], namestr[128] = "";
 		char *current = buffer, *next;
 		struct tm tm;
 		time_t t;
@@ -67,6 +72,23 @@ static bool log_(private_file_logger_t *this, debug_t group, level_t level,
 			localtime_r(&t, &tm);
 			strftime(timestr, sizeof(timestr), this->time_format, &tm);
 		}
+		if (this->ike_name && ike_sa)
+		{
+			if (ike_sa->get_peer_cfg(ike_sa))
+			{
+				snprintf(namestr, sizeof(namestr), " <%s|%d>",
+					ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa));
+			}
+			else
+			{
+				snprintf(namestr, sizeof(namestr), " <%d>",
+					ike_sa->get_unique_id(ike_sa));
+			}
+		}
+		else
+		{
+			namestr[0] = '\0';
+		}
 
 		/* write in memory buffer first */
 		vsnprintf(buffer, sizeof(buffer), format, args);
@@ -81,13 +103,13 @@ static bool log_(private_file_logger_t *this, debug_t group, level_t level,
 			}
 			if (this->time_format)
 			{
-				fprintf(this->out, "%s %.2d[%N] %s\n",
-						timestr, thread, debug_names, group, current);
+				fprintf(this->out, "%s %.2d[%N]%s %s\n",
+						timestr, thread, debug_names, group, namestr, current);
 			}
 			else
 			{
-				fprintf(this->out, "%.2d[%N] %s\n",
-						thread, debug_names, group, current);
+				fprintf(this->out, "%.2d[%N]%s %s\n",
+						thread, debug_names, group, namestr, current);
 			}
 			current = next;
 		}
@@ -129,7 +151,7 @@ static void destroy(private_file_logger_t *this)
 /*
  * Described in header.
  */
-file_logger_t *file_logger_create(FILE *out, char *time_format)
+file_logger_t *file_logger_create(FILE *out, char *time_format, bool ike_name)
 {
 	private_file_logger_t *this = malloc_thing(private_file_logger_t);
 
@@ -142,6 +164,7 @@ file_logger_t *file_logger_create(FILE *out, char *time_format)
 	/* private variables */
 	this->out = out;
 	this->time_format = time_format;
+	this->ike_name = ike_name;
 	set_level(this, DBG_ANY, LEVEL_SILENT);
 
 	return &this->public;
diff --git a/src/libcharon/bus/listeners/file_logger.h b/src/libcharon/bus/listeners/file_logger.h
index e02a12c0c..d02f1701d 100644
--- a/src/libcharon/bus/listeners/file_logger.h
+++ b/src/libcharon/bus/listeners/file_logger.h
@@ -54,8 +54,9 @@ struct file_logger_t {
  *
  * @param out			FILE to write to
  * @param time_format	format of timestamp prefix, as in strftime()
+ * @param ike_name		TRUE to prefix the name of the IKE_SA
  * @return				file_logger_t object
  */
-file_logger_t *file_logger_create(FILE *out, char *time_format);
+file_logger_t *file_logger_create(FILE *out, char *time_format, bool ike_name);
 
 #endif /** FILE_LOGGER_H_ @}*/
diff --git a/src/libcharon/bus/listeners/sys_logger.c b/src/libcharon/bus/listeners/sys_logger.c
index 5bc1d581a..fa394ba88 100644
--- a/src/libcharon/bus/listeners/sys_logger.c
+++ b/src/libcharon/bus/listeners/sys_logger.c
@@ -41,6 +41,11 @@ struct private_sys_logger_t {
 	 * Maximum level to log, for each group
 	 */
 	level_t levels[DBG_MAX];
+
+	/**
+	 * Print the name/# of the IKE_SA?
+	 */
+	bool ike_name;
 };
 
 /**
@@ -51,12 +56,26 @@ static bool log_(private_sys_logger_t *this, debug_t group, level_t level,
 {
 	if (level <= this->levels[group])
 	{
-		char buffer[8192];
+		char buffer[8192], namestr[128] = "";
 		char *current = buffer, *next;
 
 		/* write in memory buffer first */
 		vsnprintf(buffer, sizeof(buffer), format, args);
 
+		if (this->ike_name && ike_sa)
+		{
+			if (ike_sa->get_peer_cfg(ike_sa))
+			{
+				snprintf(namestr, sizeof(namestr), " <%s|%d>",
+					ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa));
+			}
+			else
+			{
+				snprintf(namestr, sizeof(namestr), " <%d>",
+					ike_sa->get_unique_id(ike_sa));
+			}
+		}
+
 		/* do a syslog with every line */
 		while (current)
 		{
@@ -65,8 +84,8 @@ static bool log_(private_sys_logger_t *this, debug_t group, level_t level,
 			{
 				*(next++) = '\0';
 			}
-			syslog(this->facility|LOG_INFO, "%.2d[%N] %s\n",
-				   thread, debug_names, group, current);
+			syslog(this->facility|LOG_INFO, "%.2d[%N]%s %s\n",
+				   thread, debug_names, group, namestr, current);
 			current = next;
 		}
 	}
@@ -104,7 +123,7 @@ static void destroy(private_sys_logger_t *this)
 /*
  * Described in header.
  */
-sys_logger_t *sys_logger_create(int facility)
+sys_logger_t *sys_logger_create(int facility, bool ike_name)
 {
 	private_sys_logger_t *this = malloc_thing(private_sys_logger_t);
 
@@ -116,6 +135,7 @@ sys_logger_t *sys_logger_create(int facility)
 
 	/* private variables */
 	this->facility = facility;
+	this->ike_name = ike_name;
 	set_level(this, DBG_ANY, LEVEL_SILENT);
 
 	return &this->public;
diff --git a/src/libcharon/bus/listeners/sys_logger.h b/src/libcharon/bus/listeners/sys_logger.h
index 58d4de529..d83715a6a 100644
--- a/src/libcharon/bus/listeners/sys_logger.h
+++ b/src/libcharon/bus/listeners/sys_logger.h
@@ -53,8 +53,9 @@ struct sys_logger_t {
  * Constructor to create a sys_logger_t object.
  *
  * @param facility	syslog facility to use
+ * @param ike_name	TRUE to prefix the name of the IKE_SA
  * @return			sys_logger_t object
  */
-sys_logger_t *sys_logger_create(int facility);
+sys_logger_t *sys_logger_create(int facility, bool ike_name);
 
 #endif /** SYS_LOGGER_H_ @}*/
diff --git a/src/libcharon/config/child_cfg.c b/src/libcharon/config/child_cfg.c
index 70f38b285..1cdfd5949 100644
--- a/src/libcharon/config/child_cfg.c
+++ b/src/libcharon/config/child_cfg.c
@@ -27,15 +27,6 @@ ENUM(action_names, ACTION_NONE, ACTION_RESTART,
 	"restart",
 );
 
-ENUM_BEGIN(ipcomp_transform_names, IPCOMP_NONE, IPCOMP_NONE,
-	"IPCOMP_NONE");
-ENUM_NEXT(ipcomp_transform_names, IPCOMP_OUI, IPCOMP_LZJH, IPCOMP_NONE,
-	"IPCOMP_OUI",
-	"IPCOMP_DEFLATE",
-	"IPCOMP_LZS",
-	"IPCOMP_LZJH");
-ENUM_END(ipcomp_transform_names, IPCOMP_LZJH);
-
 typedef struct private_child_cfg_t private_child_cfg_t;
 
 /**
diff --git a/src/libcharon/config/child_cfg.h b/src/libcharon/config/child_cfg.h
index d34835ead..1e6fe3fe9 100644
--- a/src/libcharon/config/child_cfg.h
+++ b/src/libcharon/config/child_cfg.h
@@ -24,9 +24,6 @@
 #define CHILD_CFG_H_
 
 typedef enum action_t action_t;
-typedef enum ipcomp_transform_t ipcomp_transform_t;
-typedef struct lifetime_cfg_t lifetime_cfg_t;
-typedef struct mark_t mark_t;
 typedef struct child_cfg_t child_cfg_t;
 
 #include <library.h>
@@ -51,48 +48,6 @@ enum action_t {
  */
 extern enum_name_t *action_names;
 
-/**
- * IPComp transform IDs, as in RFC 4306
- */
-enum ipcomp_transform_t {
-	IPCOMP_NONE = 241,
-	IPCOMP_OUI = 1,
-	IPCOMP_DEFLATE = 2,
-	IPCOMP_LZS = 3,
-	IPCOMP_LZJH = 4,
-};
-
-/**
- * enum strings for ipcomp_transform_t.
- */
-extern enum_name_t *ipcomp_transform_names;
-
-/**
- * A lifetime_cfg_t defines the lifetime limits of a CHILD_SA.
- *
- * Set any of these values to 0 to ignore.
- */
-struct lifetime_cfg_t {
-	struct {
-		/** Limit before the CHILD_SA gets invalid. */
-		u_int64_t	life;
-		/** Limit before the CHILD_SA gets rekeyed. */
-		u_int64_t	rekey;
-		/** The range of a random value subtracted from rekey. */
-		u_int64_t	jitter;
-	} time, bytes, packets;
-};
-
-/**
- * A mark_t defines an optional mark in a CHILD_SA.
- */
-struct mark_t {
-	/** Mark value */
-	u_int32_t value;
-	/** Mark mask */
-	u_int32_t mask;
-};
-
 /**
  * A child_cfg_t defines the config template for a CHILD_SA.
  *
@@ -238,7 +193,7 @@ struct child_cfg_t {
 	 * Check whether IPComp should be used, if the other peer supports it.
 	 *
 	 * @return				TRUE, if IPComp should be used
-	 * 						FALSE, otherwise
+	 *						FALSE, otherwise
 	 */
 	bool (*use_ipcomp)(child_cfg_t *this);
 
@@ -259,7 +214,7 @@ struct child_cfg_t {
 	/**
 	 * Optional mark for CHILD_SA
 	 *
-	 * @param inbound		TRUE for inbound, FALSE for outbound 
+	 * @param inbound		TRUE for inbound, FALSE for outbound
 	 * @return				mark
 	 */
 	mark_t (*get_mark)(child_cfg_t *this, bool inbound);
@@ -277,7 +232,7 @@ struct child_cfg_t {
 	 * Check whether IPsec transport SA should be set up in proxy mode
 	 *
 	 * @return				TRUE, if proxy mode should be used
-	 * 						FALSE, otherwise
+	 *						FALSE, otherwise
 	 */
 	bool (*use_proxy_mode)(child_cfg_t *this);
 
@@ -285,7 +240,7 @@ struct child_cfg_t {
 	 * Check whether IPsec policies should be installed in the kernel
 	 *
 	 * @return				TRUE, if IPsec kernel policies should be installed
-	 * 						FALSE, otherwise
+	 *						FALSE, otherwise
 	 */
 	bool (*install_policy)(child_cfg_t *this);
 
diff --git a/src/libcharon/config/proposal.c b/src/libcharon/config/proposal.c
index e86393028..5b8294599 100644
--- a/src/libcharon/config/proposal.c
+++ b/src/libcharon/config/proposal.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2008-2009 Tobias Brunner
- * Copyright (C) 2006 Martin Willi
+ * Copyright (C) 2006-2010 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -87,6 +87,11 @@ struct private_proposal_t {
 	 * senders SPI
 	 */
 	u_int64_t spi;
+
+	/**
+	 * Proposal number
+	 */
+	u_int number;
 };
 
 /**
@@ -117,11 +122,9 @@ static void add_algo(linked_list_t *list, u_int16_t algo, u_int16_t key_size)
 	list->insert_last(list, (void*)algo_key);
 }
 
-/**
- * Implements proposal_t.add_algorithm
- */
-static void add_algorithm(private_proposal_t *this, transform_type_t type,
-						  u_int16_t algo, u_int16_t key_size)
+METHOD(proposal_t, add_algorithm, void,
+	private_proposal_t *this, transform_type_t type,
+	u_int16_t algo, u_int16_t key_size)
 {
 	switch (type)
 	{
@@ -160,11 +163,8 @@ static bool alg_filter(void *null, algorithm_t **in, u_int16_t *alg,
 	return TRUE;
 }
 
-/**
- * Implements proposal_t.create_enumerator.
- */
-static enumerator_t *create_enumerator(private_proposal_t *this,
-									   transform_type_t type)
+METHOD(proposal_t, create_enumerator, enumerator_t*,
+	private_proposal_t *this, transform_type_t type)
 {
 	linked_list_t *list;
 
@@ -192,11 +192,9 @@ static enumerator_t *create_enumerator(private_proposal_t *this,
 									(void*)alg_filter, NULL, NULL);
 }
 
-/**
- * Implements proposal_t.get_algorithm.
- */
-static bool get_algorithm(private_proposal_t *this, transform_type_t type,
-						  u_int16_t *alg, u_int16_t *key_size)
+METHOD(proposal_t, get_algorithm, bool,
+	private_proposal_t *this, transform_type_t type,
+	u_int16_t *alg, u_int16_t *key_size)
 {
 	enumerator_t *enumerator;
 	bool found = FALSE;
@@ -210,10 +208,8 @@ static bool get_algorithm(private_proposal_t *this, transform_type_t type,
 	return found;
 }
 
-/**
- * Implements proposal_t.has_dh_group
- */
-static bool has_dh_group(private_proposal_t *this, diffie_hellman_group_t group)
+METHOD(proposal_t, has_dh_group, bool,
+	private_proposal_t *this, diffie_hellman_group_t group)
 {
 	bool result = FALSE;
 
@@ -240,10 +236,8 @@ static bool has_dh_group(private_proposal_t *this, diffie_hellman_group_t group)
 	return result;
 }
 
-/**
- * Implementation of proposal_t.strip_dh.
- */
-static void strip_dh(private_proposal_t *this)
+METHOD(proposal_t, strip_dh, void,
+	private_proposal_t *this)
 {
 	algorithm_t *alg;
 
@@ -253,28 +247,6 @@ static void strip_dh(private_proposal_t *this)
 	}
 }
 
-/**
- * Returns true if the given alg is an authenticated encryption algorithm
- */
-static bool is_authenticated_encryption(u_int16_t alg)
-{
-	switch(alg)
-	{
-		case ENCR_AES_CCM_ICV8:
-		case ENCR_AES_CCM_ICV12:
-		case ENCR_AES_CCM_ICV16:
-		case ENCR_AES_GCM_ICV8:
-		case ENCR_AES_GCM_ICV12:
-		case ENCR_AES_GCM_ICV16:
-		case ENCR_CAMELLIA_CCM_ICV8:
-		case ENCR_CAMELLIA_CCM_ICV12:
-		case ENCR_CAMELLIA_CCM_ICV16:
-		case ENCR_NULL_AUTH_AES_GMAC:
-			return TRUE;
-	}
-	return FALSE;
-}
-
 /**
  * Find a matching alg/keysize in two linked lists
  */
@@ -326,12 +298,10 @@ static bool select_algo(linked_list_t *first, linked_list_t *second, bool priv,
 	return FALSE;
 }
 
-/**
- * Implements proposal_t.select.
- */
-static proposal_t *select_proposal(private_proposal_t *this,
-								private_proposal_t *other, bool private)
+METHOD(proposal_t, select_proposal, proposal_t*,
+	private_proposal_t *this, proposal_t *other_pub, bool private)
 {
+	private_proposal_t *other = (private_proposal_t*)other_pub;
 	proposal_t *selected;
 	u_int16_t algo;
 	size_t key_size;
@@ -346,7 +316,7 @@ static proposal_t *select_proposal(private_proposal_t *this,
 		return NULL;
 	}
 
-	selected = proposal_create(this->protocol);
+	selected = proposal_create(this->protocol, other->number);
 
 	/* select encryption algorithm */
 	if (select_algo(this->encryption_algos, other->encryption_algos, private,
@@ -366,7 +336,7 @@ static proposal_t *select_proposal(private_proposal_t *this,
 		return NULL;
 	}
 	/* select integrity algorithm */
-	if (!is_authenticated_encryption(algo))
+	if (!encryption_algorithm_is_aead(algo))
 	{
 		if (select_algo(this->integrity_algos, other->integrity_algos, private,
 						&add, &algo, &key_size))
@@ -442,26 +412,20 @@ static proposal_t *select_proposal(private_proposal_t *this,
 	return selected;
 }
 
-/**
- * Implements proposal_t.get_protocols.
- */
-static protocol_id_t get_protocol(private_proposal_t *this)
+METHOD(proposal_t, get_protocol, protocol_id_t,
+	private_proposal_t *this)
 {
 	return this->protocol;
 }
 
-/**
- * Implements proposal_t.set_spi.
- */
-static void set_spi(private_proposal_t *this, u_int64_t spi)
+METHOD(proposal_t, set_spi, void,
+	private_proposal_t *this, u_int64_t spi)
 {
 	this->spi = spi;
 }
 
-/**
- * Implements proposal_t.get_spi.
- */
-static u_int64_t get_spi(private_proposal_t *this)
+METHOD(proposal_t, get_spi, u_int64_t,
+	private_proposal_t *this)
 {
 	return this->spi;
 }
@@ -514,19 +478,21 @@ static bool algo_list_equals(linked_list_t *l1, linked_list_t *l2)
 	return equals;
 }
 
-/**
- * Implementation of proposal_t.equals.
- */
-static bool equals(private_proposal_t *this, private_proposal_t *other)
+METHOD(proposal_t, get_number, u_int,
+	private_proposal_t *this)
+{
+	return this->number;
+}
+
+METHOD(proposal_t, equals, bool,
+	private_proposal_t *this, proposal_t *other_pub)
 {
+	private_proposal_t *other = (private_proposal_t*)other_pub;
+
 	if (this == other)
 	{
 		return TRUE;
 	}
-	if (this->public.equals != other->public.equals)
-	{
-		return FALSE;
-	}
 	return (
 		algo_list_equals(this->encryption_algos, other->encryption_algos) &&
 		algo_list_equals(this->integrity_algos, other->integrity_algos) &&
@@ -535,13 +501,12 @@ static bool equals(private_proposal_t *this, private_proposal_t *other)
 		algo_list_equals(this->esns, other->esns));
 }
 
-/**
- * Implements proposal_t.clone
- */
-static proposal_t *clone_(private_proposal_t *this)
+METHOD(proposal_t, clone_, proposal_t*,
+	private_proposal_t *this)
 {
-	private_proposal_t *clone = (private_proposal_t*)proposal_create(this->protocol);
+	private_proposal_t *clone;
 
+	clone = (private_proposal_t*)proposal_create(this->protocol, 0);
 	clone_algo_list(this->encryption_algos, clone->encryption_algos);
 	clone_algo_list(this->integrity_algos, clone->integrity_algos);
 	clone_algo_list(this->prf_algos, clone->prf_algos);
@@ -549,6 +514,7 @@ static proposal_t *clone_(private_proposal_t *this)
 	clone_algo_list(this->esns, clone->esns);
 
 	clone->spi = this->spi;
+	clone->number = this->number;
 
 	return &clone->public;
 }
@@ -565,7 +531,7 @@ static void check_proposal(private_proposal_t *this)
 	e = this->encryption_algos->create_enumerator(this->encryption_algos);
 	while (e->enumerate(e, &alg))
 	{
-		if (!is_authenticated_encryption(alg->algorithm))
+		if (!encryption_algorithm_is_aead(alg->algorithm))
 		{
 			all_aead = FALSE;
 			break;
@@ -623,6 +589,9 @@ static status_t add_string_algo(private_proposal_t *this, chunk_t alg)
 			case AUTH_AES_XCBC_96:
 				prf = PRF_AES128_XCBC;
 				break;
+			case AUTH_CAMELLIA_XCBC_96:
+				prf = PRF_CAMELLIA128_XCBC;
+				break;
 			default:
 				prf = PRF_UNDEFINED;
 		}
@@ -715,10 +684,8 @@ int proposal_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
 	return written;
 }
 
-/**
- * Implements proposal_t.destroy.
- */
-static void destroy(private_proposal_t *this)
+METHOD(proposal_t, destroy, void,
+	private_proposal_t *this)
 {
 	this->encryption_algos->destroy_function(this->encryption_algos, free);
 	this->integrity_algos->destroy_function(this->integrity_algos, free);
@@ -731,31 +698,34 @@ static void destroy(private_proposal_t *this)
 /*
  * Describtion in header-file
  */
-proposal_t *proposal_create(protocol_id_t protocol)
+proposal_t *proposal_create(protocol_id_t protocol, u_int number)
 {
-	private_proposal_t *this = malloc_thing(private_proposal_t);
-
-	this->public.add_algorithm = (void (*)(proposal_t*,transform_type_t,u_int16_t,u_int16_t))add_algorithm;
-	this->public.create_enumerator = (enumerator_t* (*)(proposal_t*,transform_type_t))create_enumerator;
-	this->public.get_algorithm = (bool (*)(proposal_t*,transform_type_t,u_int16_t*,u_int16_t*))get_algorithm;
-	this->public.has_dh_group = (bool (*)(proposal_t*,diffie_hellman_group_t))has_dh_group;
-	this->public.strip_dh = (void(*)(proposal_t*))strip_dh;
-	this->public.select = (proposal_t* (*)(proposal_t*,proposal_t*,bool))select_proposal;
-	this->public.get_protocol = (protocol_id_t(*)(proposal_t*))get_protocol;
-	this->public.set_spi = (void(*)(proposal_t*,u_int64_t))set_spi;
-	this->public.get_spi = (u_int64_t(*)(proposal_t*))get_spi;
-	this->public.equals = (bool(*)(proposal_t*, proposal_t *other))equals;
-	this->public.clone = (proposal_t*(*)(proposal_t*))clone_;
-	this->public.destroy = (void(*)(proposal_t*))destroy;
-
-	this->spi = 0;
-	this->protocol = protocol;
-
-	this->encryption_algos = linked_list_create();
-	this->integrity_algos = linked_list_create();
-	this->prf_algos = linked_list_create();
-	this->dh_groups = linked_list_create();
-	this->esns = linked_list_create();
+	private_proposal_t *this;
+
+	INIT(this,
+		.public = {
+			.add_algorithm = _add_algorithm,
+			.create_enumerator = _create_enumerator,
+			.get_algorithm = _get_algorithm,
+			.has_dh_group = _has_dh_group,
+			.strip_dh = _strip_dh,
+			.select = _select_proposal,
+			.get_protocol = _get_protocol,
+			.set_spi = _set_spi,
+			.get_spi = _get_spi,
+			.get_number = _get_number,
+			.equals = _equals,
+			.clone = _clone_,
+			.destroy = _destroy,
+		},
+		.protocol = protocol,
+		.number = number,
+		.encryption_algos = linked_list_create(),
+		.integrity_algos = linked_list_create(),
+		.prf_algos = linked_list_create(),
+		.dh_groups = linked_list_create(),
+		.esns = linked_list_create(),
+	);
 
 	return &this->public;
 }
@@ -777,19 +747,24 @@ static void proposal_add_supported_ike(private_proposal_t *this)
 		switch (encryption)
 		{
 			case ENCR_AES_CBC:
-				/* we assume that we support all AES sizes */
-				add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 128);
-				add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 192);
-				add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 256);
-				break;
-			case ENCR_3DES:
 			case ENCR_AES_CTR:
+			case ENCR_CAMELLIA_CBC:
+			case ENCR_CAMELLIA_CTR:
 			case ENCR_AES_CCM_ICV8:
 			case ENCR_AES_CCM_ICV12:
 			case ENCR_AES_CCM_ICV16:
 			case ENCR_AES_GCM_ICV8:
 			case ENCR_AES_GCM_ICV12:
 			case ENCR_AES_GCM_ICV16:
+			case ENCR_CAMELLIA_CCM_ICV8:
+			case ENCR_CAMELLIA_CCM_ICV12:
+			case ENCR_CAMELLIA_CCM_ICV16:
+				/* we assume that we support all AES/Camellia sizes */
+				add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 128);
+				add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 192);
+				add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 256);
+				break;
+			case ENCR_3DES:
 				add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 0);
 				break;
 			case ENCR_DES:
@@ -877,7 +852,7 @@ static void proposal_add_supported_ike(private_proposal_t *this)
  */
 proposal_t *proposal_create_default(protocol_id_t protocol)
 {
-	private_proposal_t *this = (private_proposal_t*)proposal_create(protocol);
+	private_proposal_t *this = (private_proposal_t*)proposal_create(protocol, 0);
 
 	switch (protocol)
 	{
@@ -912,7 +887,7 @@ proposal_t *proposal_create_default(protocol_id_t protocol)
  */
 proposal_t *proposal_create_from_string(protocol_id_t protocol, const char *algs)
 {
-	private_proposal_t *this = (private_proposal_t*)proposal_create(protocol);
+	private_proposal_t *this = (private_proposal_t*)proposal_create(protocol, 0);
 	chunk_t string = {(void*)algs, strlen(algs)};
 	chunk_t alg;
 	status_t status = SUCCESS;
diff --git a/src/libcharon/config/proposal.h b/src/libcharon/config/proposal.h
index 30f63b80d..97af5b60b 100644
--- a/src/libcharon/config/proposal.h
+++ b/src/libcharon/config/proposal.h
@@ -160,6 +160,13 @@ struct proposal_t {
 	 */
 	void (*set_spi) (proposal_t *this, u_int64_t spi);
 
+	/**
+	 * Get the proposal number, as encoded in SA payload
+	 *
+	 * @return				proposal number
+	 */
+	u_int (*get_number)(proposal_t *this);
+
 	/**
 	 * Check for the eqality of two proposals.
 	 *
@@ -185,9 +192,10 @@ struct proposal_t {
  * Create a child proposal for AH, ESP or IKE.
  *
  * @param protocol			protocol, such as PROTO_ESP
+ * @param number			proposal number, as encoded in SA payload
  * @return 					proposal_t object
  */
-proposal_t *proposal_create(protocol_id_t protocol);
+proposal_t *proposal_create(protocol_id_t protocol, u_int number);
 
 /**
  * Create a default proposal if nothing further specified.
diff --git a/src/libcharon/daemon.c b/src/libcharon/daemon.c
index c0227027c..4b8e1fadd 100644
--- a/src/libcharon/daemon.c
+++ b/src/libcharon/daemon.c
@@ -33,6 +33,7 @@
 
 #include <library.h>
 #include <config/proposal.h>
+#include <kernel/kernel_handler.h>
 
 #ifndef LOG_AUTHPRIV /* not defined on OpenSolaris */
 #define LOG_AUTHPRIV LOG_AUTH
@@ -49,6 +50,11 @@ struct private_daemon_t {
 	 */
 	daemon_t public;
 
+	/**
+	 * Handler for kernel events
+	 */
+	kernel_handler_t *kernel_handler;
+
 	/**
 	 * capabilities to keep
 	 */
@@ -94,10 +100,8 @@ static void dbg_bus(debug_t group, level_t level, char *fmt, ...)
 static void destroy(private_daemon_t *this)
 {
 	/* terminate all idle threads */
-	if (this->public.processor)
-	{
-		this->public.processor->set_threads(this->public.processor, 0);
-	}
+	lib->processor->set_threads(lib->processor, 0);
+
 	/* close all IKE_SAs */
 	if (this->public.ike_sa_manager)
 	{
@@ -110,21 +114,19 @@ static void destroy(private_daemon_t *this)
 #ifdef CAPABILITIES_LIBCAP
 	cap_free(this->caps);
 #endif /* CAPABILITIES_LIBCAP */
+	DESTROY_IF(this->kernel_handler);
 	DESTROY_IF(this->public.traps);
 	DESTROY_IF(this->public.ike_sa_manager);
-	DESTROY_IF(this->public.kernel_interface);
-	DESTROY_IF(this->public.scheduler);
 	DESTROY_IF(this->public.controller);
 	DESTROY_IF(this->public.eap);
 	DESTROY_IF(this->public.sim);
+	DESTROY_IF(this->public.tnccs);
 #ifdef ME
 	DESTROY_IF(this->public.connect_manager);
 	DESTROY_IF(this->public.mediation_manager);
 #endif /* ME */
 	DESTROY_IF(this->public.backends);
 	DESTROY_IF(this->public.socket);
-	/* wait until all threads are gone */
-	DESTROY_IF(this->public.processor);
 
 	/* rehook library logging, shutdown logging */
 	dbg = dbg_old;
@@ -176,7 +178,7 @@ METHOD(daemon_t, start, void,
 	   private_daemon_t *this)
 {
 	/* start the engine, go multithreaded */
-	charon->processor->set_threads(charon->processor,
+	lib->processor->set_threads(lib->processor,
 						lib->settings->get_int(lib->settings, "charon.threads",
 											   DEFAULT_THREADS));
 }
@@ -213,7 +215,7 @@ static void initialize_loggers(private_daemon_t *this, bool use_stderr,
 	int loggers_defined = 0;
 	debug_t group;
 	level_t  def;
-	bool append;
+	bool append, ike_name;
 	FILE *file;
 
 	/* setup sysloggers */
@@ -222,13 +224,16 @@ static void initialize_loggers(private_daemon_t *this, bool use_stderr,
 	while (enumerator->enumerate(enumerator, &facility))
 	{
 		loggers_defined++;
+
+		ike_name = lib->settings->get_bool(lib->settings,
+								"charon.syslog.%s.ike_name", FALSE, facility);
 		if (streq(facility, "daemon"))
 		{
-			sys_logger = sys_logger_create(LOG_DAEMON);
+			sys_logger = sys_logger_create(LOG_DAEMON, ike_name);
 		}
 		else if (streq(facility, "auth"))
 		{
-			sys_logger = sys_logger_create(LOG_AUTHPRIV);
+			sys_logger = sys_logger_create(LOG_AUTHPRIV, ike_name);
 		}
 		else
 		{
@@ -282,7 +287,9 @@ static void initialize_loggers(private_daemon_t *this, bool use_stderr,
 		}
 		file_logger = file_logger_create(file,
 						lib->settings->get_str(lib->settings,
-							"charon.filelog.%s.time_format", NULL, filename));
+							"charon.filelog.%s.time_format", NULL, filename),
+						lib->settings->get_bool(lib->settings,
+							"charon.filelog.%s.ike_name", FALSE, filename));
 		def = lib->settings->get_int(lib->settings,
 									 "charon.filelog.%s.default", 1, filename);
 		for (group = 0; group < DBG_MAX; group++)
@@ -303,12 +310,12 @@ static void initialize_loggers(private_daemon_t *this, bool use_stderr,
 	if (!loggers_defined)
 	{
 		/* set up default stdout file_logger */
-		file_logger = file_logger_create(stdout, NULL);
+		file_logger = file_logger_create(stdout, NULL, FALSE);
 		this->public.bus->add_listener(this->public.bus, &file_logger->listener);
 		this->public.file_loggers->insert_last(this->public.file_loggers,
 											   file_logger);
 		/* set up default daemon sys_logger */
-		sys_logger = sys_logger_create(LOG_DAEMON);
+		sys_logger = sys_logger_create(LOG_DAEMON, FALSE);
 		this->public.bus->add_listener(this->public.bus, &sys_logger->listener);
 		this->public.sys_loggers->insert_last(this->public.sys_loggers,
 											  sys_logger);
@@ -322,7 +329,7 @@ static void initialize_loggers(private_daemon_t *this, bool use_stderr,
 		}
 
 		/* set up default auth sys_logger */
-		sys_logger = sys_logger_create(LOG_AUTHPRIV);
+		sys_logger = sys_logger_create(LOG_AUTHPRIV, FALSE);
 		this->public.bus->add_listener(this->public.bus, &sys_logger->listener);
 		this->public.sys_loggers->insert_last(this->public.sys_loggers,
 											  sys_logger);
@@ -356,15 +363,14 @@ METHOD(daemon_t, initialize, bool,
 	}
 
 	/* load secrets, ca certificates and crls */
-	this->public.processor = processor_create();
-	this->public.scheduler = scheduler_create();
 	this->public.controller = controller_create();
 	this->public.eap = eap_manager_create();
 	this->public.sim = sim_manager_create();
+	this->public.tnccs = tnccs_manager_create();
 	this->public.backends = backend_manager_create();
-	this->public.kernel_interface = kernel_interface_create();
 	this->public.socket = socket_manager_create();
 	this->public.traps = trap_manager_create();
+	this->kernel_handler = kernel_handler_create();
 
 	/* load plugins, further infrastructure may need it */
 	if (!lib->plugins->load(lib->plugins, NULL,
diff --git a/src/libcharon/daemon.h b/src/libcharon/daemon.h
index 38f0256e7..c0c834b43 100644
--- a/src/libcharon/daemon.h
+++ b/src/libcharon/daemon.h
@@ -37,7 +37,7 @@
  * @defgroup payloads payloads
  * @ingroup encoding
  *
- * @defgroup kernel kernel
+ * @defgroup ckernel kernel
  * @ingroup libcharon
  *
  * @defgroup network network
@@ -46,11 +46,11 @@
  * @defgroup cplugins plugins
  * @ingroup libcharon
  *
- * @defgroup processing processing
+ * @defgroup cprocessing processing
  * @ingroup libcharon
  *
- * @defgroup jobs jobs
- * @ingroup processing
+ * @defgroup cjobs jobs
+ * @ingroup cprocessing
  *
  * @defgroup sa sa
  * @ingroup libcharon
@@ -140,9 +140,6 @@ typedef struct daemon_t daemon_t;
 #include <network/sender.h>
 #include <network/receiver.h>
 #include <network/socket_manager.h>
-#include <processing/scheduler.h>
-#include <processing/processor.h>
-#include <kernel/kernel_interface.h>
 #include <control/controller.h>
 #include <bus/bus.h>
 #include <bus/listeners/file_logger.h>
@@ -152,6 +149,7 @@ typedef struct daemon_t daemon_t;
 #include <config/backend_manager.h>
 #include <sa/authenticators/eap/eap_manager.h>
 #include <sa/authenticators/eap/sim_manager.h>
+#include <tnccs/tnccs_manager.h>
 
 #ifdef ME
 #include <sa/connect_manager.h>
@@ -208,16 +206,6 @@ struct daemon_t {
 	 */
 	receiver_t *receiver;
 
-	/**
-	 * The Scheduler-Thread.
-	 */
-	scheduler_t *scheduler;
-
-	/**
-	 * Job processing using a thread pool.
-	 */
-	processor_t *processor;
-
 	/**
 	 * The signaling bus.
 	 */
@@ -233,11 +221,6 @@ struct daemon_t {
 	 */
 	linked_list_t *sys_loggers;
 
-	/**
-	 * Kernel Interface to communicate with kernel
-	 */
-	kernel_interface_t *kernel_interface;
-
 	/**
 	 * Controller to control the daemon
 	 */
@@ -253,6 +236,11 @@ struct daemon_t {
 	 */
 	sim_manager_t *sim;
 
+	/**
+	 * TNCCS manager to maintain registered TNCCS protocols
+	 */
+	tnccs_manager_t *tnccs;
+
 #ifdef ME
 	/**
 	 * Connect manager
diff --git a/src/libcharon/encoding/generator.c b/src/libcharon/encoding/generator.c
index 6485da492..224f76fce 100644
--- a/src/libcharon/encoding/generator.c
+++ b/src/libcharon/encoding/generator.c
@@ -42,6 +42,16 @@
 #include <encoding/payloads/configuration_attribute.h>
 #include <encoding/payloads/eap_payload.h>
 
+/**
+ * Generating is done in a data buffer.
+ * This is the start size of this buffer in bytes.
+ */
+#define GENERATOR_DATA_BUFFER_SIZE 500
+
+/**
+ * Number of bytes to increase the buffer, if it is too small.
+ */
+#define GENERATOR_DATA_BUFFER_INCREASE_VALUE 500
 
 typedef struct private_generator_t private_generator_t;
 
@@ -453,36 +463,19 @@ static void generate_from_chunk(private_generator_t *this, u_int32_t offset)
 	write_bytes_to_buffer(this, value->ptr, value->len);
 }
 
-/**
- * Implementation of private_generator_t.write_to_chunk.
- */
-static void write_to_chunk(private_generator_t *this,chunk_t *data)
+METHOD(generator_t, get_chunk, chunk_t,
+	private_generator_t *this, u_int32_t **lenpos)
 {
-	int data_length = get_length(this);
-	u_int32_t header_length_field = data_length;
-
-	/* write length into header length field */
-	if (this->header_length_position_offset > 0)
-	{
-		u_int32_t val = htonl(header_length_field);
-		write_bytes_to_buffer_at_offset(this, &val, sizeof(u_int32_t),
-										this->header_length_position_offset);
-	}
+	chunk_t data;
 
-	if (this->current_bit > 0)
-	{
-		data_length++;
-	}
-	*data = chunk_alloc(data_length);
-	memcpy(data->ptr, this->buffer, data_length);
-
-	DBG3(DBG_ENC, "generated data of this generator %B", data);
+	*lenpos = (u_int32_t*)(this->buffer + this->header_length_position_offset);
+	data = chunk_create(this->buffer, get_length(this));
+	DBG3(DBG_ENC, "generated data of this generator %B", &data);
+	return data;
 }
 
-/**
- * Implementation of private_generator_t.generate_payload.
- */
-static void generate_payload (private_generator_t *this,payload_t *payload)
+METHOD(generator_t, generate_payload, void,
+	private_generator_t *this,payload_t *payload)
 {
 	int i, offset_start;
 	size_t rule_count;
@@ -846,14 +839,11 @@ static void generate_payload (private_generator_t *this,payload_t *payload)
 		 this->out_position - this->buffer - offset_start);
 }
 
-/**
- * Implementation of generator_t.destroy.
- */
-static status_t destroy(private_generator_t *this)
+METHOD(generator_t, destroy, void,
+	private_generator_t *this)
 {
 	free(this->buffer);
 	free(this);
-	return SUCCESS;
 }
 
 /*
@@ -863,26 +853,18 @@ generator_t *generator_create()
 {
 	private_generator_t *this;
 
-	this = malloc_thing(private_generator_t);
-
-	/* initiate public functions */
-	this->public.generate_payload = (void(*)(generator_t*, payload_t *))generate_payload;
-	this->public.destroy = (void(*)(generator_t*)) destroy;
-	this->public.write_to_chunk = (void (*) (generator_t *,chunk_t *))write_to_chunk;
+	INIT(this,
+		.public = {
+			.get_chunk = _get_chunk,
+			.generate_payload = _generate_payload,
+			.destroy = _destroy,
+		},
+		.buffer = malloc(GENERATOR_DATA_BUFFER_SIZE),
+	);
 
-	/* allocate memory for buffer */
-	this->buffer = malloc(GENERATOR_DATA_BUFFER_SIZE);
-
-	/* initiate private variables */
 	this->out_position = this->buffer;
 	this->roof_position = this->buffer + GENERATOR_DATA_BUFFER_SIZE;
-	this->data_struct = NULL;
-	this->current_bit = 0;
-	this->last_payload_length_position_offset = 0;
-	this->header_length_position_offset = 0;
-	this->attribute_format = FALSE;
-	this->attribute_length = 0;
-
-	return &(this->public);
+
+	return &this->public;
 }
 
diff --git a/src/libcharon/encoding/generator.h b/src/libcharon/encoding/generator.h
index 2221c84af..fe561fdfd 100644
--- a/src/libcharon/encoding/generator.h
+++ b/src/libcharon/encoding/generator.h
@@ -28,25 +28,13 @@ typedef struct generator_t generator_t;
 #include <encoding/payloads/encodings.h>
 #include <encoding/payloads/payload.h>
 
-/**
- * Generating is done in a data buffer.
- * This is the start size of this buffer in bytes.
- */
-#define GENERATOR_DATA_BUFFER_SIZE 500
-
-/**
- * Number of bytes to increase the buffer, if it is too small.
- */
-#define GENERATOR_DATA_BUFFER_INCREASE_VALUE 500
-
-
 /**
  * A generator_t class used to generate IKEv2 payloads.
  *
  * After creation, multiple payloads can be generated with the generate_payload
  * method. The generated bytes are appended. After all payloads are added,
  * the write_to_chunk method writes out all generated data since
- * the creation of the generator. After that, the generator must be destroyed.
+ * the creation of the generator.
  * The generater uses a set of encoding rules, which it can get from
  * the supplied payload. With this rules, the generater can generate
  * the payload and all substructures automatically.
@@ -56,18 +44,20 @@ struct generator_t {
 	/**
 	 * Generates a specific payload from given payload object.
 	 *
-	 * Remember: Header and substructures are also handled as payloads.
-	 *
 	 * @param payload 		interface payload_t implementing object
 	 */
 	void (*generate_payload) (generator_t *this,payload_t *payload);
 
 	/**
-	 * Writes all generated data of the generator to a chunk.
+	 * Return a chunk for the currently generated data.
+	 *
+	 * The returned length pointer must be filled in with the length of
+	 * the generated chunk (in network order).
 	 *
-	 * @param data 		chunk to write the data to
+	 * @param lenpos		receives a pointer to fill in length value
+	 * @param return		chunk to internal buffer.
 	 */
-	void (*write_to_chunk) (generator_t *this,chunk_t *data);
+	chunk_t (*get_chunk) (generator_t *this, u_int32_t **lenpos);
 
 	/**
 	 * Destroys a generator_t object.
diff --git a/src/libcharon/encoding/message.c b/src/libcharon/encoding/message.c
index ee49a6686..d41ad4697 100644
--- a/src/libcharon/encoding/message.c
+++ b/src/libcharon/encoding/message.c
@@ -1,6 +1,7 @@
 /*
  * Copyright (C) 2006-2007 Tobias Brunner
- * Copyright (C) 2005-2009 Martin Willi
+ * Copyright (C) 2005-2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
  * Copyright (C) 2006 Daniel Roethlisberger
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
@@ -43,111 +44,61 @@
  */
 #define MAX_DELETE_PAYLOADS 20
 
-
-typedef struct payload_rule_t payload_rule_t;
-
 /**
  * A payload rule defines the rules for a payload
  * in a specific message rule. It defines if and how
  * many times a payload must/can occur in a message
  * and if it must be encrypted.
  */
-struct payload_rule_t {
-	/**
-	 * Payload type.
-	 */
-	 payload_type_t payload_type;
-
-	 /**
-	  * Minimal occurence of this payload.
-	  */
-	 size_t min_occurence;
-
-	 /**
-	  * Max occurence of this payload.
-	  */
-	 size_t max_occurence;
-
-	 /**
-	  * TRUE if payload must be encrypted
-	  */
-	 bool encrypted;
-
-	 /**
-	  * If this payload occurs, the message rule is
-	  * fullfilled in any case. This applies e.g. to
-	  * notify_payloads.
-	  */
-	 bool sufficient;
-};
-
-typedef struct payload_order_t payload_order_t;
+typedef struct {
+	/* Payload type */
+	 payload_type_t type;
+	/* Minimal occurence of this payload. */
+	size_t min_occurence;
+	/* Max occurence of this payload. */
+	size_t max_occurence;
+	/* TRUE if payload must be encrypted */
+	bool encrypted;
+	/* If payload occurs, the message rule is fullfilled */
+	bool sufficient;
+} payload_rule_t;
 
 /**
  * payload ordering structure allows us to reorder payloads according to RFC.
  */
-struct payload_order_t {
-
-	/**
-	 * payload type
-	 */
+typedef struct {
+	/** payload type */
 	payload_type_t type;
-
-	/**
-	 * notify type, if payload == NOTIFY
-	 */
+	/** notify type, if payload == NOTIFY */
 	notify_type_t notify;
-};
-
-
-typedef struct message_rule_t message_rule_t;
+} payload_order_t;
 
 /**
  * A message rule defines the kind of a message,
  * if it has encrypted contents and a list
  * of payload ordering rules and payload parsing rules.
  */
-struct message_rule_t {
-	/**
-	 * Type of message.
-	 */
+typedef struct {
+	/** Type of message. */
 	exchange_type_t exchange_type;
-
-	/**
-	 * Is message a request or response.
-	 */
+	/** Is message a request or response. */
 	bool is_request;
-
-	/**
-	 * Message contains encrypted content.
-	 */
-	bool encrypted_content;
-
-	/**
-	 * Number of payload rules which will follow
-	 */
-	int payload_rule_count;
-
-	/**
-	 * Pointer to first payload rule
-	 */
-	payload_rule_t *payload_rules;
-
-	/**
-	 * Number of payload order rules
-	 */
-	int payload_order_count;
-
-	/**
-	 * payload ordering rules
-	 */
-	payload_order_t *payload_order;
-};
+	/** Message contains encrypted payloads. */
+	bool encrypted;
+	/** Number of payload rules which will follow */
+	int rule_count;
+	/** Pointer to first payload rule */
+	payload_rule_t *rules;
+	/** Number of payload order rules */
+	int order_count;
+	/** payload ordering rules */
+	payload_order_t *order;
+} message_rule_t;
 
 /**
  * Message rule for IKE_SA_INIT from initiator.
  */
-static payload_rule_t ike_sa_init_i_payload_rules[] = {
+static payload_rule_t ike_sa_init_i_rules[] = {
 /*	payload type					min	max						encr	suff */
 	{NOTIFY,						0,	MAX_NOTIFY_PAYLOADS,	FALSE,	FALSE},
 	{SECURITY_ASSOCIATION,			1,	1,						FALSE,	FALSE},
@@ -159,7 +110,7 @@ static payload_rule_t ike_sa_init_i_payload_rules[] = {
 /**
  * payload order for IKE_SA_INIT initiator
  */
-static payload_order_t ike_sa_init_i_payload_order[] = {
+static payload_order_t ike_sa_init_i_order[] = {
 /*	payload type					notify type */
 	{NOTIFY,						COOKIE},
 	{SECURITY_ASSOCIATION,			0},
@@ -174,7 +125,7 @@ static payload_order_t ike_sa_init_i_payload_order[] = {
 /**
  * Message rule for IKE_SA_INIT from responder.
  */
-static payload_rule_t ike_sa_init_r_payload_rules[] = {
+static payload_rule_t ike_sa_init_r_rules[] = {
 /*	payload type					min	max						encr	suff */
 	{NOTIFY,						0,	MAX_NOTIFY_PAYLOADS,	FALSE,	TRUE},
 	{SECURITY_ASSOCIATION,			1,	1,						FALSE,	FALSE},
@@ -186,7 +137,7 @@ static payload_rule_t ike_sa_init_r_payload_rules[] = {
 /**
  * payload order for IKE_SA_INIT responder
  */
-static payload_order_t ike_sa_init_r_payload_order[] = {
+static payload_order_t ike_sa_init_r_order[] = {
 /*	payload type					notify type */
 	{SECURITY_ASSOCIATION,			0},
 	{KEY_EXCHANGE,					0},
@@ -202,7 +153,7 @@ static payload_order_t ike_sa_init_r_payload_order[] = {
 /**
  * Message rule for IKE_AUTH from initiator.
  */
-static payload_rule_t ike_auth_i_payload_rules[] = {
+static payload_rule_t ike_auth_i_rules[] = {
 /*	payload type					min	max						encr	suff */
 	{NOTIFY,						0,	MAX_NOTIFY_PAYLOADS,	TRUE,	FALSE},
 	{EXTENSIBLE_AUTHENTICATION,		0,	1,						TRUE,	TRUE},
@@ -227,7 +178,7 @@ static payload_rule_t ike_auth_i_payload_rules[] = {
 /**
  * payload order for IKE_AUTH initiator
  */
-static payload_order_t ike_auth_i_payload_order[] = {
+static payload_order_t ike_auth_i_order[] = {
 /*	payload type					notify type */
 	{ID_INITIATOR,					0},
 	{CERTIFICATE,					0},
@@ -256,7 +207,7 @@ static payload_order_t ike_auth_i_payload_order[] = {
 /**
  * Message rule for IKE_AUTH from responder.
  */
-static payload_rule_t ike_auth_r_payload_rules[] = {
+static payload_rule_t ike_auth_r_rules[] = {
 /*	payload type					min	max						encr	suff */
 	{NOTIFY,						0,	MAX_NOTIFY_PAYLOADS,	TRUE,	TRUE},
 	{EXTENSIBLE_AUTHENTICATION,		0,	1,						TRUE,	TRUE},
@@ -273,7 +224,7 @@ static payload_rule_t ike_auth_r_payload_rules[] = {
 /**
  * payload order for IKE_AUTH responder
  */
-static payload_order_t ike_auth_r_payload_order[] = {
+static payload_order_t ike_auth_r_order[] = {
 /*	payload type					notify type */
 	{ID_RESPONDER,					0},
 	{CERTIFICATE,					0},
@@ -299,7 +250,7 @@ static payload_order_t ike_auth_r_payload_order[] = {
 /**
  * Message rule for INFORMATIONAL from initiator.
  */
-static payload_rule_t informational_i_payload_rules[] = {
+static payload_rule_t informational_i_rules[] = {
 /*	payload type					min	max						encr	suff */
 	{NOTIFY,						0,	MAX_NOTIFY_PAYLOADS,	TRUE,	FALSE},
 	{CONFIGURATION,					0,	1,						TRUE,	FALSE},
@@ -310,7 +261,7 @@ static payload_rule_t informational_i_payload_rules[] = {
 /**
  * payload order for INFORMATIONAL initiator
  */
-static payload_order_t informational_i_payload_order[] = {
+static payload_order_t informational_i_order[] = {
 /*	payload type					notify type */
 	{NOTIFY,						UPDATE_SA_ADDRESSES},
 	{NOTIFY,						NAT_DETECTION_SOURCE_IP},
@@ -324,7 +275,7 @@ static payload_order_t informational_i_payload_order[] = {
 /**
  * Message rule for INFORMATIONAL from responder.
  */
-static payload_rule_t informational_r_payload_rules[] = {
+static payload_rule_t informational_r_rules[] = {
 /*	payload type					min	max						encr	suff */
 	{NOTIFY,						0,	MAX_NOTIFY_PAYLOADS,	TRUE,	FALSE},
 	{CONFIGURATION,					0,	1,						TRUE,	FALSE},
@@ -335,7 +286,7 @@ static payload_rule_t informational_r_payload_rules[] = {
 /**
  * payload order for INFORMATIONAL responder
  */
-static payload_order_t informational_r_payload_order[] = {
+static payload_order_t informational_r_order[] = {
 /*	payload type					notify type */
 	{NOTIFY,						UPDATE_SA_ADDRESSES},
 	{NOTIFY,						NAT_DETECTION_SOURCE_IP},
@@ -349,7 +300,7 @@ static payload_order_t informational_r_payload_order[] = {
 /**
  * Message rule for CREATE_CHILD_SA from initiator.
  */
-static payload_rule_t create_child_sa_i_payload_rules[] = {
+static payload_rule_t create_child_sa_i_rules[] = {
 /*	payload type					min	max						encr	suff */
 	{NOTIFY,						0,	MAX_NOTIFY_PAYLOADS,	TRUE,	FALSE},
 	{SECURITY_ASSOCIATION,			1,	1,						TRUE,	FALSE},
@@ -364,7 +315,7 @@ static payload_rule_t create_child_sa_i_payload_rules[] = {
 /**
  * payload order for CREATE_CHILD_SA from initiator.
  */
-static payload_order_t create_child_sa_i_payload_order[] = {
+static payload_order_t create_child_sa_i_order[] = {
 /*	payload type					notify type */
 	{NOTIFY,						REKEY_SA},
 	{NOTIFY,						IPCOMP_SUPPORTED},
@@ -382,7 +333,7 @@ static payload_order_t create_child_sa_i_payload_order[] = {
 /**
  * Message rule for CREATE_CHILD_SA from responder.
  */
-static payload_rule_t create_child_sa_r_payload_rules[] = {
+static payload_rule_t create_child_sa_r_rules[] = {
 /*	payload type					min	max						encr	suff */
 	{NOTIFY,						0,	MAX_NOTIFY_PAYLOADS,	TRUE,	TRUE},
 	{SECURITY_ASSOCIATION,			1,	1,						TRUE,	FALSE},
@@ -397,7 +348,7 @@ static payload_rule_t create_child_sa_r_payload_rules[] = {
 /**
  * payload order for CREATE_CHILD_SA from responder.
  */
-static payload_order_t create_child_sa_r_payload_order[] = {
+static payload_order_t create_child_sa_r_order[] = {
 /*	payload type					notify type */
 	{NOTIFY,						IPCOMP_SUPPORTED},
 	{NOTIFY,						USE_TRANSPORT_MODE},
@@ -416,7 +367,7 @@ static payload_order_t create_child_sa_r_payload_order[] = {
 /**
  * Message rule for ME_CONNECT from initiator.
  */
-static payload_rule_t me_connect_i_payload_rules[] = {
+static payload_rule_t me_connect_i_rules[] = {
 /*	payload type					min	max						encr	suff */
 	{NOTIFY,						0,	MAX_NOTIFY_PAYLOADS,	TRUE,	TRUE},
 	{ID_PEER,						1,	1,						TRUE,	FALSE},
@@ -426,7 +377,7 @@ static payload_rule_t me_connect_i_payload_rules[] = {
 /**
  * payload order for ME_CONNECT from initiator.
  */
-static payload_order_t me_connect_i_payload_order[] = {
+static payload_order_t me_connect_i_order[] = {
 /*	payload type					notify type */
 	{NOTIFY,						0},
 	{ID_PEER,						0},
@@ -436,7 +387,7 @@ static payload_order_t me_connect_i_payload_order[] = {
 /**
  * Message rule for ME_CONNECT from responder.
  */
-static payload_rule_t me_connect_r_payload_rules[] = {
+static payload_rule_t me_connect_r_rules[] = {
 /*	payload type					min	max						encr	suff */
 	{NOTIFY,						0,	MAX_NOTIFY_PAYLOADS,	TRUE,	TRUE},
 	{VENDOR_ID,						0,	10,						TRUE,	FALSE}
@@ -445,7 +396,7 @@ static payload_rule_t me_connect_r_payload_rules[] = {
 /**
  * payload order for ME_CONNECT from responder.
  */
-static payload_order_t me_connect_r_payload_order[] = {
+static payload_order_t me_connect_r_order[] = {
 /*	payload type					notify type */
 	{NOTIFY,						0},
 	{VENDOR_ID,						0},
@@ -457,65 +408,45 @@ static payload_order_t me_connect_r_payload_order[] = {
  */
 static message_rule_t message_rules[] = {
 	{IKE_SA_INIT,		TRUE,	FALSE,
-		(sizeof(ike_sa_init_i_payload_rules)/sizeof(payload_rule_t)),
-		ike_sa_init_i_payload_rules,
-		(sizeof(ike_sa_init_i_payload_order)/sizeof(payload_order_t)),
-		ike_sa_init_i_payload_order,
+		countof(ike_sa_init_i_rules), ike_sa_init_i_rules,
+		countof(ike_sa_init_i_order), ike_sa_init_i_order,
 	},
 	{IKE_SA_INIT,		FALSE,	FALSE,
-		(sizeof(ike_sa_init_r_payload_rules)/sizeof(payload_rule_t)),
-		ike_sa_init_r_payload_rules,
-		(sizeof(ike_sa_init_r_payload_order)/sizeof(payload_order_t)),
-		ike_sa_init_r_payload_order,
+		countof(ike_sa_init_r_rules), ike_sa_init_r_rules,
+		countof(ike_sa_init_r_order), ike_sa_init_r_order,
 	},
 	{IKE_AUTH,			TRUE,	TRUE,
-		(sizeof(ike_auth_i_payload_rules)/sizeof(payload_rule_t)),
-		ike_auth_i_payload_rules,
-		(sizeof(ike_auth_i_payload_order)/sizeof(payload_order_t)),
-		ike_auth_i_payload_order,
+		countof(ike_auth_i_rules), ike_auth_i_rules,
+		countof(ike_auth_i_order), ike_auth_i_order,
 	},
 	{IKE_AUTH,			FALSE,	TRUE,
-		(sizeof(ike_auth_r_payload_rules)/sizeof(payload_rule_t)),
-		ike_auth_r_payload_rules,
-		(sizeof(ike_auth_r_payload_order)/sizeof(payload_order_t)),
-		ike_auth_r_payload_order,
+		countof(ike_auth_r_rules), ike_auth_r_rules,
+		countof(ike_auth_r_order), ike_auth_r_order,
 	},
 	{INFORMATIONAL,		TRUE,	TRUE,
-		(sizeof(informational_i_payload_rules)/sizeof(payload_rule_t)),
-		informational_i_payload_rules,
-		(sizeof(informational_i_payload_order)/sizeof(payload_order_t)),
-		informational_i_payload_order,
+		countof(informational_i_rules), informational_i_rules,
+		countof(informational_i_order), informational_i_order,
 	},
 	{INFORMATIONAL,		FALSE,	TRUE,
-		(sizeof(informational_r_payload_rules)/sizeof(payload_rule_t)),
-		informational_r_payload_rules,
-		(sizeof(informational_r_payload_order)/sizeof(payload_order_t)),
-		informational_r_payload_order,
+		countof(informational_r_rules), informational_r_rules,
+		countof(informational_r_order), informational_r_order,
 	},
 	{CREATE_CHILD_SA,	TRUE,	TRUE,
-		(sizeof(create_child_sa_i_payload_rules)/sizeof(payload_rule_t)),
-		create_child_sa_i_payload_rules,
-		(sizeof(create_child_sa_i_payload_order)/sizeof(payload_order_t)),
-		create_child_sa_i_payload_order,
+		countof(create_child_sa_i_rules), create_child_sa_i_rules,
+		countof(create_child_sa_i_order), create_child_sa_i_order,
 	},
 	{CREATE_CHILD_SA,	FALSE,	TRUE,
-		(sizeof(create_child_sa_r_payload_rules)/sizeof(payload_rule_t)),
-		create_child_sa_r_payload_rules,
-		(sizeof(create_child_sa_r_payload_order)/sizeof(payload_order_t)),
-		create_child_sa_r_payload_order,
+		countof(create_child_sa_r_rules), create_child_sa_r_rules,
+		countof(create_child_sa_r_order), create_child_sa_r_order,
 	},
 #ifdef ME
 	{ME_CONNECT,		TRUE,	TRUE,
-		(sizeof(me_connect_i_payload_rules)/sizeof(payload_rule_t)),
-		me_connect_i_payload_rules,
-		(sizeof(me_connect_i_payload_order)/sizeof(payload_order_t)),
-		me_connect_i_payload_order,
+		countof(me_connect_i_rules), me_connect_i_rules,
+		countof(me_connect_i_order), me_connect_i_order,
 	},
 	{ME_CONNECT,		FALSE,	TRUE,
-		(sizeof(me_connect_r_payload_rules)/sizeof(payload_rule_t)),
-		me_connect_r_payload_rules,
-		(sizeof(me_connect_r_payload_order)/sizeof(payload_order_t)),
-		me_connect_r_payload_order,
+		countof(me_connect_r_rules), me_connect_r_rules,
+		countof(me_connect_r_order), me_connect_r_order,
 	},
 #endif /* ME */
 };
@@ -586,169 +517,132 @@ struct private_message_t {
 	/**
 	 * The message rule for this message instance
 	 */
-	message_rule_t *message_rule;
+	message_rule_t *rule;
 };
 
 /**
- * Implementation of private_message_t.set_message_rule.
+ * Get the message rule that applies to this message
  */
-static  status_t set_message_rule(private_message_t *this)
+static message_rule_t* get_message_rule(private_message_t *this)
 {
 	int i;
 
-	for (i = 0; i < (sizeof(message_rules) / sizeof(message_rule_t)); i++)
+	for (i = 0; i < countof(message_rules); i++)
 	{
 		if ((this->exchange_type == message_rules[i].exchange_type) &&
 			(this->is_request == message_rules[i].is_request))
 		{
-			/* found rule for given exchange_type*/
-			this->message_rule = &(message_rules[i]);
-			return SUCCESS;
+			return &message_rules[i];
 		}
 	}
-	this->message_rule = NULL;
-	return NOT_FOUND;
+	return NULL;
 }
 
 /**
- * Implementation of private_message_t.get_payload_rule.
+ * Look up a payload rule
  */
-static status_t get_payload_rule(private_message_t *this,
-					payload_type_t payload_type, payload_rule_t **payload_rule)
+static payload_rule_t* get_payload_rule(private_message_t *this,
+										payload_type_t type)
 {
 	int i;
 
-	for (i = 0; i < this->message_rule->payload_rule_count;i++)
+	for (i = 0; i < this->rule->rule_count;i++)
 	{
-		if (this->message_rule->payload_rules[i].payload_type == payload_type)
+		if (this->rule->rules[i].type == type)
 		{
-			*payload_rule = &(this->message_rule->payload_rules[i]);
-			return SUCCESS;
+			return &this->rule->rules[i];
 		}
 	}
-
-	*payload_rule = NULL;
-	return NOT_FOUND;
+	return NULL;
 }
 
-/**
- * Implementation of message_t.set_ike_sa_id.
- */
-static void set_ike_sa_id(private_message_t *this,ike_sa_id_t *ike_sa_id)
+METHOD(message_t, set_ike_sa_id, void,
+	private_message_t *this,ike_sa_id_t *ike_sa_id)
 {
 	DESTROY_IF(this->ike_sa_id);
 	this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
 }
 
-/**
- * Implementation of message_t.get_ike_sa_id.
- */
-static ike_sa_id_t* get_ike_sa_id(private_message_t *this)
+METHOD(message_t, get_ike_sa_id, ike_sa_id_t*,
+	private_message_t *this)
 {
 	return this->ike_sa_id;
 }
 
-/**
- * Implementation of message_t.set_message_id.
- */
-static void set_message_id(private_message_t *this,u_int32_t message_id)
+METHOD(message_t, set_message_id, void,
+	private_message_t *this,u_int32_t message_id)
 {
 	this->message_id = message_id;
 }
 
-/**
- * Implementation of message_t.get_message_id.
- */
-static u_int32_t get_message_id(private_message_t *this)
+METHOD(message_t, get_message_id, u_int32_t,
+	private_message_t *this)
 {
 	return this->message_id;
 }
 
-/**
- * Implementation of message_t.get_initiator_spi.
- */
-static u_int64_t get_initiator_spi(private_message_t *this)
+METHOD(message_t, get_initiator_spi, u_int64_t,
+	private_message_t *this)
 {
 	return (this->ike_sa_id->get_initiator_spi(this->ike_sa_id));
 }
 
-/**
- * Implementation of message_t.get_responder_spi.
- */
-static u_int64_t get_responder_spi(private_message_t *this)
+METHOD(message_t, get_responder_spi, u_int64_t,
+	private_message_t *this)
 {
 	return (this->ike_sa_id->get_responder_spi(this->ike_sa_id));
 }
 
-/**
- * Implementation of message_t.set_major_version.
- */
-static void set_major_version(private_message_t *this,u_int8_t major_version)
+METHOD(message_t, set_major_version, void,
+	private_message_t *this, u_int8_t major_version)
 {
 	this->major_version = major_version;
 }
 
-/**
- * Implementation of message_t.set_major_version.
- */
-static u_int8_t get_major_version(private_message_t *this)
+METHOD(message_t, get_major_version, u_int8_t,
+	private_message_t *this)
 {
 	return this->major_version;
 }
 
-/**
- * Implementation of message_t.set_minor_version.
- */
-static void set_minor_version(private_message_t *this,u_int8_t minor_version)
+METHOD(message_t, set_minor_version, void,
+	private_message_t *this,u_int8_t minor_version)
 {
 	this->minor_version = minor_version;
 }
 
-/**
- * Implementation of message_t.get_minor_version.
- */
-static u_int8_t get_minor_version(private_message_t *this)
+METHOD(message_t, get_minor_version, u_int8_t,
+	private_message_t *this)
 {
 	return this->minor_version;
 }
 
-/**
- * Implementation of message_t.set_exchange_type.
- */
-static void set_exchange_type(private_message_t *this,
-							  exchange_type_t exchange_type)
+METHOD(message_t, set_exchange_type, void,
+	private_message_t *this, exchange_type_t exchange_type)
 {
 	this->exchange_type = exchange_type;
 }
 
-/**
- * Implementation of message_t.get_exchange_type.
- */
-static exchange_type_t get_exchange_type(private_message_t *this)
+METHOD(message_t, get_exchange_type, exchange_type_t,
+	private_message_t *this)
 {
 	return this->exchange_type;
 }
 
-/**
- * Implementation of message_t.get_first_payload_type.
- */
-static payload_type_t get_first_payload_type(private_message_t *this)
+METHOD(message_t, get_first_payload_type, payload_type_t,
+	private_message_t *this)
 {
 	return this->first_payload;
 }
 
-/**
- * Implementation of message_t.set_request.
- */
-static void set_request(private_message_t *this, bool request)
+METHOD(message_t, set_request, void,
+	private_message_t *this, bool request)
 {
 	this->is_request = request;
 }
 
-/**
- * Implementation of message_t.get_request.
- */
-static exchange_type_t get_request(private_message_t *this)
+METHOD(message_t, get_request, bool,
+	private_message_t *this)
 {
 	return this->is_request;
 }
@@ -767,10 +661,8 @@ static bool is_encoded(private_message_t *this)
 	return TRUE;
 }
 
-/**
- * Implementation of message_t.add_payload.
- */
-static void add_payload(private_message_t *this, payload_t *payload)
+METHOD(message_t, add_payload, void,
+	private_message_t *this, payload_t *payload)
 {
 	payload_t *last_payload;
 
@@ -790,11 +682,8 @@ static void add_payload(private_message_t *this, payload_t *payload)
 		 payload_type_names, payload->get_type(payload));
 }
 
-/**
- * Implementation of message_t.add_notify.
- */
-static void add_notify(private_message_t *this, bool flush, notify_type_t type,
-					   chunk_t data)
+METHOD(message_t, add_notify, void,
+	private_message_t *this, bool flush, notify_type_t type, chunk_t data)
 {
 	notify_payload_t *notify;
 	payload_t *payload;
@@ -813,50 +702,38 @@ static void add_notify(private_message_t *this, bool flush, notify_type_t type,
 	add_payload(this, (payload_t*)notify);
 }
 
-/**
- * Implementation of message_t.set_source.
- */
-static void set_source(private_message_t *this, host_t *host)
+METHOD(message_t, set_source, void,
+	private_message_t *this, host_t *host)
 {
 	this->packet->set_source(this->packet, host);
 }
 
-/**
- * Implementation of message_t.set_destination.
- */
-static void set_destination(private_message_t *this, host_t *host)
+METHOD(message_t, set_destination, void,
+	private_message_t *this, host_t *host)
 {
 	this->packet->set_destination(this->packet, host);
 }
 
-/**
- * Implementation of message_t.get_source.
- */
-static host_t* get_source(private_message_t *this)
+METHOD(message_t, get_source, host_t*,
+	private_message_t *this)
 {
 	return this->packet->get_source(this->packet);
 }
 
-/**
- * Implementation of message_t.get_destination.
- */
-static host_t * get_destination(private_message_t *this)
+METHOD(message_t, get_destination, host_t*,
+	private_message_t *this)
 {
 	return this->packet->get_destination(this->packet);
 }
 
-/**
- * Implementation of message_t.create_payload_enumerator.
- */
-static enumerator_t *create_payload_enumerator(private_message_t *this)
+METHOD(message_t, create_payload_enumerator, enumerator_t*,
+	private_message_t *this)
 {
 	return this->payloads->create_enumerator(this->payloads);
 }
 
-/**
- * Implementation of message_t.get_payload.
- */
-static payload_t *get_payload(private_message_t *this, payload_type_t type)
+METHOD(message_t, get_payload, payload_t*,
+	private_message_t *this, payload_type_t type)
 {
 	payload_t *current, *found = NULL;
 	enumerator_t *enumerator;
@@ -874,10 +751,8 @@ static payload_t *get_payload(private_message_t *this, payload_type_t type)
 	return found;
 }
 
-/**
- * Implementation of message_t.get_notify
- */
-static notify_payload_t* get_notify(private_message_t *this, notify_type_t type)
+METHOD(message_t, get_notify, notify_payload_t*,
+	private_message_t *this, notify_type_t type)
 {
 	enumerator_t *enumerator;
 	notify_payload_t *notify = NULL;
@@ -1034,11 +909,13 @@ static void order_payloads(private_message_t *this)
 		list->insert_first(list, payload);
 	}
 	/* for each rule, ... */
-	for (i = 0; i < this->message_rule->payload_order_count; i++)
+	for (i = 0; i < this->rule->order_count; i++)
 	{
 		enumerator_t *enumerator;
 		notify_payload_t *notify;
-		payload_order_t order = this->message_rule->payload_order[i];
+		payload_order_t order;
+
+		order = this->rule->order[i];
 
 		/* ... find all payload ... */
 		enumerator = list->create_enumerator(list);
@@ -1068,8 +945,8 @@ static void order_payloads(private_message_t *this)
 		{
 			DBG1(DBG_ENC, "payload %N has no ordering rule in %N %s",
 				 payload_type_names, payload->get_type(payload),
-				 exchange_type_names, this->message_rule->exchange_type,
-				 this->message_rule->is_request ? "request" : "response");
+				 exchange_type_names, this->rule->exchange_type,
+				 this->rule->is_request ? "request" : "response");
 		}
 		add_payload(this, payload);
 	}
@@ -1077,98 +954,67 @@ static void order_payloads(private_message_t *this)
 }
 
 /**
- * Implementation of private_message_t.encrypt_payloads.
+ * Wrap payloads in a encryption payload
  */
-static status_t encrypt_payloads(private_message_t *this,
-								 crypter_t *crypter, signer_t* signer)
+static encryption_payload_t* wrap_payloads(private_message_t *this)
 {
 	encryption_payload_t *encryption;
 	linked_list_t *payloads;
 	payload_t *current;
-	status_t status;
 
-	if (!this->message_rule->encrypted_content)
-	{
-		DBG2(DBG_ENC, "message doesn't have to be encrypted");
-		/* message contains no content to encrypt */
-		return SUCCESS;
-	}
-
-	if (!crypter || !signer)
-	{
-		DBG2(DBG_ENC, "no crypter or signer specified, do not encrypt message");
-		/* message contains no content to encrypt */
-		return SUCCESS;
-	}
-
-	DBG2(DBG_ENC, "copy all payloads to a temporary list");
+	/* copy all payloads in a temporary list */
 	payloads = linked_list_create();
-
-	/* first copy all payloads in a temporary list */
-	while (this->payloads->get_count(this->payloads) > 0)
+	while (this->payloads->remove_first(this->payloads,
+										(void**)&current) == SUCCESS)
 	{
-		this->payloads->remove_first(this->payloads, (void**)&current);
 		payloads->insert_last(payloads, current);
 	}
 
 	encryption = encryption_payload_create();
-
-	DBG2(DBG_ENC, "check each payloads if they have to get encrypted");
-	while (payloads->get_count(payloads) > 0)
+	while (payloads->remove_first(payloads, (void**)&current) == SUCCESS)
 	{
 		payload_rule_t *rule;
 		payload_type_t type;
-		bool to_encrypt = TRUE;
-
-		payloads->remove_first(payloads, (void**)&current);
+		bool encrypt = TRUE;
 
 		type = current->get_type(current);
-		if (get_payload_rule(this, type, &rule) == SUCCESS)
+		rule = get_payload_rule(this, type);
+		if (rule)
 		{
-			to_encrypt = rule->encrypted;
+			encrypt = rule->encrypted;
 		}
-		if (to_encrypt)
+		if (encrypt)
 		{
 			DBG2(DBG_ENC, "insert payload %N to encryption payload",
-				 payload_type_names, current->get_type(current));
+				 payload_type_names, type);
 			encryption->add_payload(encryption, current);
 		}
 		else
 		{
 			DBG2(DBG_ENC, "insert payload %N unencrypted",
-				 payload_type_names, current->get_type(current));
-			add_payload(this, (payload_t*)current);
+				 payload_type_names, type);
+			add_payload(this, current);
 		}
 	}
-
-	DBG2(DBG_ENC, "encrypting encryption payload");
-	encryption->set_transforms(encryption, crypter, signer);
-	status = encryption->encrypt(encryption);
-	DBG2(DBG_ENC, "add encrypted payload to payload list");
-	add_payload(this, (payload_t*)encryption);
-
 	payloads->destroy(payloads);
 
-	return status;
+	return encryption;
 }
 
-/**
- * Implementation of message_t.generate.
- */
-static status_t generate(private_message_t *this, crypter_t *crypter,
-						 signer_t* signer, packet_t **packet)
+METHOD(message_t, generate, status_t,
+	private_message_t *this, aead_t *aead, packet_t **packet)
 {
 	generator_t *generator;
 	ike_header_t *ike_header;
-	payload_t *payload, *next_payload;
+	payload_t *payload, *next;
+	encryption_payload_t *encryption = NULL;
 	enumerator_t *enumerator;
-	status_t status;
-	chunk_t packet_data;
+	chunk_t chunk;
 	char str[256];
+	u_int32_t *lenpos;
 
 	if (is_encoded(this))
-	{
-		/* already generated, return a new packet clone */
+	{	/* already generated, return a new packet clone */
 		*packet = this->packet->clone(this->packet);
 		return SUCCESS;
 	}
@@ -1182,14 +1028,12 @@ static status_t generate(private_message_t *this, crypter_t *crypter,
 	if (this->packet->get_source(this->packet) == NULL ||
 		this->packet->get_destination(this->packet) == NULL)
 	{
-		DBG1(DBG_ENC, "%s not defined",
-			 !this->packet->get_source(this->packet) ? "source" : "destination");
+		DBG1(DBG_ENC, "source/destination not defined");
 		return INVALID_STATE;
 	}
 
-	/* set the rules for this messge */
-	status = set_message_rule(this);
-	if (status != SUCCESS)
+	this->rule = get_message_rule(this);
+	if (!this->rule)
 	{
 		DBG1(DBG_ENC, "no message rules specified for this message type");
 		return NOT_SUPPORTED;
@@ -1199,17 +1043,16 @@ static status_t generate(private_message_t *this, crypter_t *crypter,
 
 	DBG1(DBG_ENC, "generating %s", get_string(this, str, sizeof(str)));
 
-	/* going to encrypt all content which have to be encrypted */
-	status = encrypt_payloads(this, crypter, signer);
-	if (status != SUCCESS)
+	if (aead && this->rule->encrypted)
 	{
-		DBG1(DBG_ENC, "payload encryption failed");
-		return status;
+		encryption = wrap_payloads(this);
+	}
+	else
+	{
+		DBG2(DBG_ENC, "not encrypting payloads");
 	}
 
-	/* build ike header */
 	ike_header = ike_header_create();
-
 	ike_header->set_exchange_type(ike_header, this->exchange_type);
 	ike_header->set_message_id(ike_header, this->message_id);
 	ike_header->set_response_flag(ike_header, !this->is_request);
@@ -1222,54 +1065,49 @@ static status_t generate(private_message_t *this, crypter_t *crypter,
 
 	generator = generator_create();
 
+	/* generate all payloads with proper next type */
 	payload = (payload_t*)ike_header;
-
-	/* generate every payload expect last one, this is done later*/
 	enumerator = create_payload_enumerator(this);
-	while (enumerator->enumerate(enumerator, &next_payload))
+	while (enumerator->enumerate(enumerator, &next))
 	{
-		payload->set_next_type(payload, next_payload->get_type(next_payload));
+		payload->set_next_type(payload, next->get_type(next));
 		generator->generate_payload(generator, payload);
-		payload = next_payload;
+		payload = next;
 	}
 	enumerator->destroy(enumerator);
-
-	/* last payload has no next payload*/
-	payload->set_next_type(payload, NO_PAYLOAD);
-
+	payload->set_next_type(payload, encryption ? ENCRYPTED : NO_PAYLOAD);
 	generator->generate_payload(generator, payload);
-
 	ike_header->destroy(ike_header);
 
-	/* build packet */
-	generator->write_to_chunk(generator, &packet_data);
-	generator->destroy(generator);
-
-	/* if last payload is of type encrypted, integrity checksum if necessary */
-	if (payload->get_type(payload) == ENCRYPTED)
+	if (encryption)
 	{
-		DBG2(DBG_ENC, "build signature on whole message");
-		encryption_payload_t *encryption_payload = (encryption_payload_t*)payload;
-		status = encryption_payload->build_signature(encryption_payload, packet_data);
-		if (status != SUCCESS)
+		u_int32_t *lenpos;
+
+		/* build associated data (without header of encryption payload) */
+		chunk = generator->get_chunk(generator, &lenpos);
+		encryption->set_transform(encryption, aead);
+		/* fill in length, including encryption payload */
+		htoun32(lenpos, chunk.len + encryption->get_length(encryption));
+
+		this->payloads->insert_last(this->payloads, encryption);
+		if (!encryption->encrypt(encryption, chunk))
 		{
-			return status;
+			generator->destroy(generator);
+			return INVALID_STATE;
 		}
+		generator->generate_payload(generator, &encryption->payload_interface);
 	}
+	chunk = generator->get_chunk(generator, &lenpos);
+	htoun32(lenpos, chunk.len);
+	this->packet->set_data(this->packet, chunk_clone(chunk));
+	generator->destroy(generator);
 
-	this->packet->set_data(this->packet, packet_data);
-
-	/* clone packet for caller */
 	*packet = this->packet->clone(this->packet);
-
-	DBG2(DBG_ENC, "message generated successfully");
 	return SUCCESS;
 }
 
-/**
- * Implementation of message_t.get_packet.
- */
-static packet_t *get_packet(private_message_t *this)
+METHOD(message_t, get_packet, packet_t*,
+	private_message_t *this)
 {
 	if (this->packet == NULL)
 	{
@@ -1278,10 +1116,8 @@ static packet_t *get_packet(private_message_t *this)
 	return this->packet->clone(this->packet);
 }
 
-/**
- * Implementation of message_t.get_packet_data.
- */
-static chunk_t get_packet_data(private_message_t *this)
+METHOD(message_t, get_packet_data, chunk_t,
+	private_message_t *this)
 {
 	if (this->packet == NULL)
 	{
@@ -1290,10 +1126,8 @@ static chunk_t get_packet_data(private_message_t *this)
 	return chunk_clone(this->packet->get_data(this->packet));
 }
 
-/**
- * Implementation of message_t.parse_header.
- */
-static status_t parse_header(private_message_t *this)
+METHOD(message_t, parse_header, status_t,
+	private_message_t *this)
 {
 	ike_header_t *ike_header;
 	status_t status;
@@ -1310,7 +1144,6 @@ static status_t parse_header(private_message_t *this)
 
 	}
 
-	/* verify payload */
 	status = ike_header->payload_interface.verify(
 										&ike_header->payload_interface);
 	if (status != SUCCESS)
@@ -1320,18 +1153,14 @@ static status_t parse_header(private_message_t *this)
 		return status;
 	}
 
-	if (this->ike_sa_id != NULL)
-	{
-		this->ike_sa_id->destroy(this->ike_sa_id);
-	}
-
+	DESTROY_IF(this->ike_sa_id);
 	this->ike_sa_id = ike_sa_id_create(ike_header->get_initiator_spi(ike_header),
 									ike_header->get_responder_spi(ike_header),
 									ike_header->get_initiator_flag(ike_header));
 
 	this->exchange_type = ike_header->get_exchange_type(ike_header);
 	this->message_id = ike_header->get_message_id(ike_header);
-	this->is_request = (!(ike_header->get_response_flag(ike_header)));
+	this->is_request = !ike_header->get_response_flag(ike_header);
 	this->major_version = ike_header->get_maj_version(ike_header);
 	this->minor_version = ike_header->get_min_version(ike_header);
 	this->first_payload = ike_header->payload_interface.get_next_type(
@@ -1342,232 +1171,151 @@ static status_t parse_header(private_message_t *this)
 
 	ike_header->destroy(ike_header);
 
-	/* get the rules for this messge */
-	status = set_message_rule(this);
-	if (status != SUCCESS)
+	this->rule = get_message_rule(this);
+	if (!this->rule)
 	{
 		DBG1(DBG_ENC, "no message rules specified for a %N %s",
 			 exchange_type_names, this->exchange_type,
 			 this->is_request ? "request" : "response");
 	}
-
 	return status;
 }
 
 /**
- * Implementation of private_message_t.decrypt_and_verify_payloads.
+ * Decrypt payload from the encryption payload
  */
-static status_t decrypt_payloads(private_message_t *this, crypter_t *crypter,
-								 signer_t* signer)
+static status_t decrypt_payloads(private_message_t *this, aead_t *aead)
 {
-	bool current_payload_was_encrypted = FALSE;
-	payload_t *previous_payload = NULL;
-	int payload_number = 1;
-	iterator_t *iterator;
-	payload_t *current_payload;
-	status_t status;
-
-	iterator = this->payloads->create_iterator(this->payloads,TRUE);
+	bool was_encrypted = FALSE;
+	payload_t *payload, *previous = NULL;
+	enumerator_t *enumerator;
+	payload_rule_t *rule;
+	payload_type_t type;
+	status_t status = SUCCESS;
 
-	/* process each payload and decrypt a encryption payload */
-	while(iterator->iterate(iterator, (void**)&current_payload))
+	enumerator = this->payloads->create_enumerator(this->payloads);
+	while (enumerator->enumerate(enumerator, &payload))
 	{
-		payload_rule_t *payload_rule;
-		payload_type_t current_payload_type;
+		type = payload->get_type(payload);
 
-		/* needed to check */
-		current_payload_type = current_payload->get_type(current_payload);
+		DBG2(DBG_ENC, "process payload of type %N", payload_type_names, type);
 
-		DBG2(DBG_ENC, "process payload of type %N",
-			 payload_type_names, current_payload_type);
-
-		if (current_payload_type == ENCRYPTED)
+		if (type == ENCRYPTED)
 		{
-			encryption_payload_t *encryption_payload;
-			payload_t *current_encrypted_payload;
+			encryption_payload_t *encryption;
+			payload_t *encrypted;
+			chunk_t chunk;
 
-			encryption_payload = (encryption_payload_t*)current_payload;
+			encryption = (encryption_payload_t*)payload;
 
 			DBG2(DBG_ENC, "found an encryption payload");
 
-			if (payload_number != this->payloads->get_count(this->payloads))
+			if (enumerator->enumerate(enumerator, &payload))
 			{
-				/* encrypted payload is not last one */
 				DBG1(DBG_ENC, "encrypted payload is not last payload");
-				iterator->destroy(iterator);
-				return VERIFY_ERROR;
+				status = VERIFY_ERROR;
+				break;
 			}
-			/* decrypt */
-			encryption_payload->set_transforms(encryption_payload,
-											   crypter, signer);
-			DBG2(DBG_ENC, "verify signature of encryption payload");
-			status = encryption_payload->verify_signature(encryption_payload,
-										this->packet->get_data(this->packet));
-			if (status != SUCCESS)
+			encryption->set_transform(encryption, aead);
+			chunk = this->packet->get_data(this->packet);
+			if (chunk.len < encryption->get_length(encryption))
 			{
-				DBG1(DBG_ENC, "encryption payload signature invalid");
-				iterator->destroy(iterator);
-				return FAILED;
+				DBG1(DBG_ENC, "invalid payload length");
+				status = VERIFY_ERROR;
+				break;
 			}
-			DBG2(DBG_ENC, "decrypting content of encryption payload");
-			status = encryption_payload->decrypt(encryption_payload);
+			chunk.len -= encryption->get_length(encryption);
+			status = encryption->decrypt(encryption, chunk);
 			if (status != SUCCESS)
 			{
-				DBG1(DBG_ENC, "encrypted payload could not be decrypted and parsed");
-				iterator->destroy(iterator);
-				return PARSE_ERROR;
-			}
-
-			/* needed later to find out if a payload was encrypted */
-			current_payload_was_encrypted = TRUE;
-
-			/* check if there are payloads contained in the encryption payload */
-			if (encryption_payload->get_payload_count(encryption_payload) == 0)
-			{
-				DBG2(DBG_ENC, "encrypted payload is empty");
-				/* remove the encryption payload, is not needed anymore */
-				iterator->remove(iterator);
-				/* encrypted payload contains no other payload */
-				current_payload_type = NO_PAYLOAD;
-			}
-			else
-			{
-				/* encryption_payload is replaced with first payload contained
-				 * in encryption_payload */
-				encryption_payload->remove_first_payload(encryption_payload,
-													&current_encrypted_payload);
-				iterator->replace(iterator, NULL,
-								  (void *)current_encrypted_payload);
-				current_payload_type = current_encrypted_payload->get_type(
-													current_encrypted_payload);
+				break;
 			}
 
-			/* is the current paylad the first in the message? */
-			if (previous_payload == NULL)
-			{
-				/* yes, set the first payload type of the message to the
-				 * current type */
-				this->first_payload = current_payload_type;
-			}
-			else
-			{
-				/* no, set the next_type of the previous payload to the
-				 * current type */
-				previous_payload->set_next_type(previous_payload,
-												current_payload_type);
-			}
+			was_encrypted = TRUE;
+			this->payloads->remove_at(this->payloads, enumerator);
 
-			/* all encrypted payloads are added to the payload list */
-			while (encryption_payload->get_payload_count(encryption_payload) > 0)
+			while ((encrypted = encryption->remove_payload(encryption)))
 			{
-				encryption_payload->remove_first_payload(encryption_payload,
-													&current_encrypted_payload);
-				DBG2(DBG_ENC, "insert unencrypted payload of type "
-					 "%N at end of list", payload_type_names,
-					 current_encrypted_payload->get_type(
-											current_encrypted_payload));
-				this->payloads->insert_last(this->payloads,
-											current_encrypted_payload);
+				type = encrypted->get_type(encrypted);
+				if (previous)
+				{
+					previous->set_next_type(previous, type);
+				}
+				else
+				{
+					this->first_payload = type;
+				}
+				DBG2(DBG_ENC, "insert decrypted payload of type "
+					 "%N at end of list", payload_type_names, type);
+				this->payloads->insert_last(this->payloads, encrypted);
+				previous = encrypted;
 			}
-
-			/* encryption payload is processed, payloads are moved. Destroy it. */
-			encryption_payload->destroy(encryption_payload);
+			encryption->destroy(encryption);
 		}
-
-		/* we allow unknown payloads of any type and don't bother if it was
-		 * encrypted. Not our problem. */
-		if (current_payload_type != UNKNOWN_PAYLOAD &&
-			current_payload_type != NO_PAYLOAD)
+		if (type != UNKNOWN_PAYLOAD && !was_encrypted)
 		{
-			/* get the ruleset for found payload */
-			status = get_payload_rule(this, current_payload_type, &payload_rule);
-			if (status != SUCCESS)
-			{
-				/* payload is not allowed */
-				DBG1(DBG_ENC, "payload type %N not allowed",
-								  payload_type_names, current_payload_type);
-				iterator->destroy(iterator);
-				return VERIFY_ERROR;
-			}
-
-			/* check if the payload was encrypted, and if it should been have
-			 * encrypted */
-			if (payload_rule->encrypted != current_payload_was_encrypted)
+			rule = get_payload_rule(this, type);
+			if (!rule || rule->encrypted)
 			{
-				/* payload was not encrypted, but should have been.
-				 * or vice-versa */
-				DBG1(DBG_ENC, "payload type %N should be %s!",
-					 payload_type_names, current_payload_type,
-					 (payload_rule->encrypted) ? "encrypted" : "not encrypted");
-				iterator->destroy(iterator);
-				return VERIFY_ERROR;
+				DBG1(DBG_ENC, "payload type %N was not encrypted",
+					 payload_type_names, type);
+				status = VERIFY_ERROR;
+				break;
 			}
 		}
-		/* advance to the next payload */
-		payload_number++;
-		/* is stored to set next payload in case of found encryption payload */
-		previous_payload = current_payload;
+		previous = payload;
 	}
-	iterator->destroy(iterator);
-	return SUCCESS;
+	enumerator->destroy(enumerator);
+	return status;
 }
 
 /**
- * Implementation of private_message_t.verify.
+ * Verify a message and all payload according to message/payload rules
  */
 static status_t verify(private_message_t *this)
 {
 	int i;
-	enumerator_t *enumerator;
-	payload_t *current_payload;
-	size_t total_found_payloads = 0;
 
 	DBG2(DBG_ENC, "verifying message structure");
 
 	/* check for payloads with wrong count*/
-	for (i = 0; i < this->message_rule->payload_rule_count; i++)
+	for (i = 0; i < this->rule->rule_count; i++)
 	{
-		size_t found_payloads = 0;
+		enumerator_t *enumerator;
+		payload_t *payload;
 		payload_rule_t *rule;
+		int found = 0;
 
-		rule = &this->message_rule->payload_rules[i];
+		rule = &this->rule->rules[i];
 		enumerator = create_payload_enumerator(this);
-
-		/* check all payloads for specific rule */
-		while (enumerator->enumerate(enumerator, &current_payload))
+		while (enumerator->enumerate(enumerator, &payload))
 		{
-			payload_type_t current_payload_type;
-			unknown_payload_t *unknown_payload;
+			payload_type_t type;
+			unknown_payload_t *unknown;
 
-			current_payload_type = current_payload->get_type(current_payload);
-			if (current_payload_type == UNKNOWN_PAYLOAD)
+			type = payload->get_type(payload);
+			if (type == UNKNOWN_PAYLOAD)
 			{
-				/* unknown payloads are ignored, IF they are not critical */
-				unknown_payload = (unknown_payload_t*)current_payload;
-				if (unknown_payload->is_critical(unknown_payload))
+				/* unknown payloads are ignored if they are not critical */
+				unknown = (unknown_payload_t*)payload;
+				if (unknown->is_critical(unknown))
 				{
 					DBG1(DBG_ENC, "%N is not supported, but its critical!",
-						 payload_type_names, current_payload_type);
+						 payload_type_names, type);
 					enumerator->destroy(enumerator);
 					return NOT_SUPPORTED;
 				}
 			}
-			else if (current_payload_type == rule->payload_type)
+			else if (type == rule->type)
 			{
-				found_payloads++;
-				total_found_payloads++;
-				DBG2(DBG_ENC, "found payload of type %N", payload_type_names,
-					 rule->payload_type);
-
-				/* as soon as ohe payload occures more then specified,
-				 * the verification fails */
-				if (found_payloads >
-					rule->max_occurence)
+				found++;
+				DBG2(DBG_ENC, "found payload of type %N",
+					 payload_type_names, type);
+				if (found > rule->max_occurence)
 				{
 					DBG1(DBG_ENC, "payload of type %N more than %d times (%d) "
 						 "occured in current message", payload_type_names,
-						 current_payload_type, rule->max_occurence,
-						 found_payloads);
+						 type, rule->max_occurence, found);
 					enumerator->destroy(enumerator);
 					return VERIFY_ERROR;
 				}
@@ -1575,11 +1323,10 @@ static status_t verify(private_message_t *this)
 		}
 		enumerator->destroy(enumerator);
 
-		if (found_payloads < rule->min_occurence)
+		if (found < rule->min_occurence)
 		{
 			DBG1(DBG_ENC, "payload of type %N not occured %d times (%d)",
-				 payload_type_names, rule->payload_type, rule->min_occurence,
-				 found_payloads);
+				 payload_type_names, rule->type, rule->min_occurence, found);
 			return VERIFY_ERROR;
 		}
 		if (rule->sufficient)
@@ -1590,72 +1337,60 @@ static status_t verify(private_message_t *this)
 	return SUCCESS;
 }
 
-/**
- * Implementation of message_t.parse_body.
- */
-static status_t parse_body(private_message_t *this, crypter_t *crypter,
-						   signer_t *signer)
+METHOD(message_t, parse_body, status_t,
+	private_message_t *this, aead_t *aead)
 {
 	status_t status = SUCCESS;
-	payload_type_t current_payload_type;
+	payload_t *payload;
+	payload_type_t type;
 	char str[256];
 
-	current_payload_type = this->first_payload;
+	type = this->first_payload;
 
 	DBG2(DBG_ENC, "parsing body of message, first payload is %N",
-		 payload_type_names, current_payload_type);
+		 payload_type_names, type);
 
-	/* parse payload for payload, while there are more available */
-	while ((current_payload_type != NO_PAYLOAD))
+	while (type != NO_PAYLOAD)
 	{
-		payload_t *current_payload;
-
 		DBG2(DBG_ENC, "starting parsing a %N payload",
-			 payload_type_names, current_payload_type);
+			 payload_type_names, type);
 
-		/* parse current payload */
-		status = this->parser->parse_payload(this->parser, current_payload_type,
-											 (payload_t**)&current_payload);
+		status = this->parser->parse_payload(this->parser, type, &payload);
 		if (status != SUCCESS)
 		{
 			DBG1(DBG_ENC, "payload type %N could not be parsed",
-				 payload_type_names, current_payload_type);
+				 payload_type_names, type);
 			return PARSE_ERROR;
 		}
 
-		DBG2(DBG_ENC, "verifying payload of type %N",
-			 payload_type_names, current_payload_type);
-
-		/* verify it, stop parsig if its invalid */
-		status = current_payload->verify(current_payload);
+		DBG2(DBG_ENC, "verifying payload of type %N", payload_type_names, type);
+		status = payload->verify(payload);
 		if (status != SUCCESS)
 		{
 			DBG1(DBG_ENC, "%N payload verification failed",
-				 payload_type_names, current_payload_type);
-			current_payload->destroy(current_payload);
+				 payload_type_names, type);
+			payload->destroy(payload);
 			return VERIFY_ERROR;
 		}
 
 		DBG2(DBG_ENC, "%N payload verified. Adding to payload list",
-			 payload_type_names, current_payload_type);
-		this->payloads->insert_last(this->payloads,current_payload);
+			 payload_type_names, type);
+		this->payloads->insert_last(this->payloads, payload);
 
 		/* an encryption payload is the last one, so STOP here. decryption is
 		 * done later */
-		if (current_payload_type == ENCRYPTED)
+		if (type == ENCRYPTED)
 		{
 			DBG2(DBG_ENC, "%N payload found. Stop parsing",
-				 payload_type_names, current_payload_type);
+				 payload_type_names, type);
 			break;
 		}
-
-		/* get next payload type */
-		current_payload_type = current_payload->get_next_type(current_payload);
+		type = payload->get_next_type(payload);
 	}
 
-	if (current_payload_type == ENCRYPTED)
+	if (type == ENCRYPTED)
 	{
-		status = decrypt_payloads(this,crypter,signer);
+		status = decrypt_payloads(this, aead);
 		if (status != SUCCESS)
 		{
 			DBG1(DBG_ENC, "could not decrypt payloads");
@@ -1674,10 +1409,8 @@ static status_t parse_body(private_message_t *this, crypter_t *crypter,
 	return SUCCESS;
 }
 
-/**
- * Implementation of message_t.destroy.
- */
-static void destroy (private_message_t *this)
+METHOD(message_t, destroy, void,
+	private_message_t *this)
 {
 	DESTROY_IF(this->ike_sa_id);
 	this->payloads->destroy_offset(this->payloads, offsetof(payload_t, destroy));
@@ -1691,58 +1424,48 @@ static void destroy (private_message_t *this)
  */
 message_t *message_create_from_packet(packet_t *packet)
 {
-	private_message_t *this = malloc_thing(private_message_t);
-
-	/* public functions */
-	this->public.set_major_version = (void(*)(message_t*, u_int8_t))set_major_version;
-	this->public.get_major_version = (u_int8_t(*)(message_t*))get_major_version;
-	this->public.set_minor_version = (void(*)(message_t*, u_int8_t))set_minor_version;
-	this->public.get_minor_version = (u_int8_t(*)(message_t*))get_minor_version;
-	this->public.set_message_id = (void(*)(message_t*, u_int32_t))set_message_id;
-	this->public.get_message_id = (u_int32_t(*)(message_t*))get_message_id;
-	this->public.get_initiator_spi = (u_int64_t(*)(message_t*))get_initiator_spi;
-	this->public.get_responder_spi = (u_int64_t(*)(message_t*))get_responder_spi;
-	this->public.set_ike_sa_id = (void(*)(message_t*, ike_sa_id_t *))set_ike_sa_id;
-	this->public.get_ike_sa_id = (ike_sa_id_t*(*)(message_t*))get_ike_sa_id;
-	this->public.set_exchange_type = (void(*)(message_t*, exchange_type_t))set_exchange_type;
-	this->public.get_exchange_type = (exchange_type_t(*)(message_t*))get_exchange_type;
-	this->public.get_first_payload_type = (payload_type_t(*)(message_t*))get_first_payload_type;
-	this->public.set_request = (void(*)(message_t*, bool))set_request;
-	this->public.get_request = (bool(*)(message_t*))get_request;
-	this->public.add_payload = (void(*)(message_t*,payload_t*))add_payload;
-	this->public.add_notify = (void(*)(message_t*,bool,notify_type_t,chunk_t))add_notify;
-	this->public.generate = (status_t (*) (message_t *,crypter_t*,signer_t*,packet_t**)) generate;
-	this->public.set_source = (void (*) (message_t*,host_t*)) set_source;
-	this->public.get_source = (host_t * (*) (message_t*)) get_source;
-	this->public.set_destination = (void (*) (message_t*,host_t*)) set_destination;
-	this->public.get_destination = (host_t * (*) (message_t*)) get_destination;
-	this->public.create_payload_enumerator = (enumerator_t * (*) (message_t *)) create_payload_enumerator;
-	this->public.get_payload = (payload_t * (*) (message_t *, payload_type_t)) get_payload;
-	this->public.get_notify = (notify_payload_t*(*)(message_t*, notify_type_t type))get_notify;
-	this->public.parse_header = (status_t (*) (message_t *)) parse_header;
-	this->public.parse_body = (status_t (*) (message_t *,crypter_t*,signer_t*)) parse_body;
-	this->public.get_packet = (packet_t * (*) (message_t*)) get_packet;
-	this->public.get_packet_data = (chunk_t (*) (message_t *this)) get_packet_data;
-	this->public.destroy = (void(*)(message_t*))destroy;
-
-	/* private values */
-	this->exchange_type = EXCHANGE_TYPE_UNDEFINED;
-	this->is_request = TRUE;
-	this->ike_sa_id = NULL;
-	this->first_payload = NO_PAYLOAD;
-	this->message_id = 0;
-
-	/* private values */
-	if (packet == NULL)
-	{
-		packet = packet_create();
-	}
-	this->message_rule = NULL;
-	this->packet = packet;
-	this->payloads = linked_list_create();
-
-	/* parser is created from data of packet */
-	this->parser = parser_create(this->packet->get_data(this->packet));
+	private_message_t *this;
+
+	INIT(this,
+		.public = {
+			.set_major_version = _set_major_version,
+			.get_major_version = _get_major_version,
+			.set_minor_version = _set_minor_version,
+			.get_minor_version = _get_minor_version,
+			.set_message_id = _set_message_id,
+			.get_message_id = _get_message_id,
+			.get_initiator_spi = _get_initiator_spi,
+			.get_responder_spi = _get_responder_spi,
+			.set_ike_sa_id = _set_ike_sa_id,
+			.get_ike_sa_id = _get_ike_sa_id,
+			.set_exchange_type = _set_exchange_type,
+			.get_exchange_type = _get_exchange_type,
+			.get_first_payload_type = _get_first_payload_type,
+			.set_request = _set_request,
+			.get_request = _get_request,
+			.add_payload = _add_payload,
+			.add_notify = _add_notify,
+			.generate = _generate,
+			.set_source = _set_source,
+			.get_source = _get_source,
+			.set_destination = _set_destination,
+			.get_destination = _get_destination,
+			.create_payload_enumerator = _create_payload_enumerator,
+			.get_payload = _get_payload,
+			.get_notify = _get_notify,
+			.parse_header = _parse_header,
+			.parse_body = _parse_body,
+			.get_packet = _get_packet,
+			.get_packet_data = _get_packet_data,
+			.destroy = _destroy,
+		},
+		.exchange_type = EXCHANGE_TYPE_UNDEFINED,
+		.is_request = TRUE,
+		.first_payload = NO_PAYLOAD,
+		.packet = packet,
+		.payloads = linked_list_create(),
+		.parser = parser_create(packet->get_data(packet)),
+	);
 
 	return (&this->public);
 }
@@ -1752,6 +1475,6 @@ message_t *message_create_from_packet(packet_t *packet)
  */
 message_t *message_create()
 {
-	return message_create_from_packet(NULL);
+	return message_create_from_packet(packet_create());
 }
 
diff --git a/src/libcharon/encoding/message.h b/src/libcharon/encoding/message.h
index 2c7718f49..8c1cbcd09 100644
--- a/src/libcharon/encoding/message.h
+++ b/src/libcharon/encoding/message.h
@@ -32,8 +32,7 @@ typedef struct message_t message_t;
 #include <encoding/payloads/ike_header.h>
 #include <encoding/payloads/notify_payload.h>
 #include <utils/linked_list.h>
-#include <crypto/crypters/crypter.h>
-#include <crypto/signers/signer.h>
+#include <crypto/aead.h>
 
 /**
  * This class is used to represent an IKEv2-Message.
@@ -201,14 +200,10 @@ struct message_t {
 	 * The body gets not only parsed, but rather it gets verified.
 	 * All payloads are verified if they are allowed to exist in the message
 	 * of this type and if their own structure is ok.
-	 * If there are encrypted payloads, they get decrypted via the supplied
-	 * crypter. Also the message integrity gets verified with the supplied
-	 * signer.
-	 * Crypter/signer can be omitted (by passing NULL) when no encryption
-	 * payload is expected.
-	 *
-	 * @param crypter	crypter to decrypt encryption payloads
-	 * @param signer	signer to verifiy a message with an encryption payload
+	 * If there are encrypted payloads, they get decrypted and verified using
+	 * the given aead transform (if given).
+	 *
+	 * @param aead		aead transform to verify/decrypt message
 	 * @return
 	 * 					- SUCCESS if parsing successful
 	 * 					- NOT_SUPPORTED if ciritcal unknown payloads found
@@ -216,32 +211,28 @@ struct message_t {
 	 *					- PARSE_ERROR if message parsing failed
 	 * 					- VERIFY_ERROR if message verification failed (bad syntax)
 	 * 					- FAILED if integrity check failed
-	 * 					- INVALID_STATE if crypter/signer not supplied, but needed
+	 * 					- INVALID_STATE if aead not supplied, but needed
 	 */
-	status_t (*parse_body) (message_t *this, crypter_t *crypter, signer_t *signer);
+	status_t (*parse_body) (message_t *this, aead_t *aead);
 
 	/**
 	 * Generates the UDP packet of specific message.
 	 *
 	 * Payloads which must be encrypted are generated first and added to
-	 * an encryption payload. This encryption payload will get encrypted via
-	 * the supplied crypter. Then all other payloads and the header get generated.
-	 * After that, the checksum is added to the encryption payload over the full
-	 * message.
-	 * Crypter/signer can be omitted (by passing NULL) when no encryption
-	 * payload is expected.
-	 * Generation is only done once, multiple calls will just return a packet copy.
-	 *
-	 * @param crypter	crypter to use when a payload must be encrypted
-	 * @param signer	signer to build a mac
+	 * an encryption payload. This encryption payload will get encrypted and
+	 * signed via the supplied aead transform (if given).
+	 * Generation is only done once, multiple calls will just return a copy
+	 * of the packet.
+	 *
+	 * @param aead		aead transform to encrypt/sign message
 	 * @param packet	copy of generated packet
 	 * @return
 	 * 					- SUCCESS if packet could be generated
 	 * 					- INVALID_STATE if exchange type is currently not set
 	 * 					- NOT_FOUND if no rules found for message generation
-	 * 					- INVALID_STATE if crypter/signer not supplied but needed.
+	 * 					- INVALID_STATE if aead not supplied but needed.
 	 */
-	status_t (*generate) (message_t *this, crypter_t *crypter, signer_t *signer, packet_t **packet);
+	status_t (*generate) (message_t *this, aead_t *aead, packet_t **packet);
 
 	/**
 	 * Gets the source host informations.
@@ -331,13 +322,8 @@ struct message_t {
 /**
  * Creates an message_t object from a incoming UDP Packet.
  *
- * @warning the given packet_t object is not copied and gets
- *			destroyed in message_t's destroy call.
- *
- * - exchange_type is set to NOT_SET
- * - original_initiator is set to TRUE
- * - is_request is set to TRUE
- * Call message_t.parse_header afterwards.
+ * The given packet gets owned by the message. The message is uninitialized,
+ * call parse_header() to populate header fields.
  *
  * @param packet		packet_t object which is assigned to message
  * @return 				message_t object
diff --git a/src/libcharon/encoding/payloads/delete_payload.c b/src/libcharon/encoding/payloads/delete_payload.c
index 97b4743b2..5fc3b7c88 100644
--- a/src/libcharon/encoding/payloads/delete_payload.c
+++ b/src/libcharon/encoding/payloads/delete_payload.c
@@ -1,5 +1,6 @@
 /*
- * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005-2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
  *
@@ -65,11 +66,6 @@ struct private_delete_payload_t {
 	 * The contained SPI's.
 	 */
 	chunk_t spis;
-
-	/**
-	 * List containing u_int32_t spis
-	 */
-	linked_list_t *spi_list;
 };
 
 /**
@@ -77,7 +73,6 @@ struct private_delete_payload_t {
  *
  * The defined offsets are the positions in a object of type
  * private_delete_payload_t.
- *
  */
 encoding_rule_t delete_payload_encodings[] = {
 	/* 1 Byte next payload type, stored in the field next_payload */
@@ -85,20 +80,20 @@ encoding_rule_t delete_payload_encodings[] = {
 	/* the critical bit */
 	{ FLAG,				offsetof(private_delete_payload_t, critical) 		},
 	/* 7 Bit reserved bits, nowhere stored */
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
+	{ RESERVED_BIT,		0 													},
+	{ RESERVED_BIT,		0 													},
+	{ RESERVED_BIT,		0 													},
+	{ RESERVED_BIT,		0 													},
+	{ RESERVED_BIT,		0 													},
+	{ RESERVED_BIT,		0 													},
+	{ RESERVED_BIT,		0 													},
 	/* Length of the whole payload*/
-	{ PAYLOAD_LENGTH,	offsetof(private_delete_payload_t, payload_length)},
+	{ PAYLOAD_LENGTH,	offsetof(private_delete_payload_t, payload_length)	},
 	{ U_INT_8,			offsetof(private_delete_payload_t, protocol_id)		},
 	{ U_INT_8,			offsetof(private_delete_payload_t, spi_size)		},
 	{ U_INT_16,			offsetof(private_delete_payload_t, spi_count)		},
 	/* some delete data bytes, length is defined in PAYLOAD_LENGTH */
-	{ SPIS,			offsetof(private_delete_payload_t, spis) 				}
+	{ SPIS,				offsetof(private_delete_payload_t, spis) 			}
 };
 
 /*
@@ -115,10 +110,8 @@ encoding_rule_t delete_payload_encodings[] = {
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 */
 
-/**
- * Implementation of payload_t.verify.
- */
-static status_t verify(private_delete_payload_t *this)
+METHOD(payload_t, verify, status_t,
+	private_delete_payload_t *this)
 {
 	switch (this->protocol_id)
 	{
@@ -147,112 +140,104 @@ static status_t verify(private_delete_payload_t *this)
 	return SUCCESS;
 }
 
-/**
- * Implementation of delete_payload_t.get_encoding_rules.
- */
-static void get_encoding_rules(private_delete_payload_t *this, encoding_rule_t **rules, size_t *rule_count)
+METHOD(payload_t, get_encoding_rules, void,
+	private_delete_payload_t *this, encoding_rule_t **rules, size_t *rule_count)
 {
 	*rules = delete_payload_encodings;
-	*rule_count = sizeof(delete_payload_encodings) / sizeof(encoding_rule_t);
+	*rule_count = countof(delete_payload_encodings);
 }
 
-/**
- * Implementation of payload_t.get_type.
- */
-static payload_type_t get_payload_type(private_delete_payload_t *this)
+METHOD(payload_t, get_payload_type, payload_type_t,
+	private_delete_payload_t *this)
 {
 	return DELETE;
 }
 
-/**
- * Implementation of payload_t.get_next_type.
- */
-static payload_type_t get_next_type(private_delete_payload_t *this)
+METHOD(payload_t, get_next_type, payload_type_t,
+	private_delete_payload_t *this)
 {
-	return (this->next_payload);
+	return this->next_payload;
 }
 
-/**
- * Implementation of payload_t.set_next_type.
- */
-static void set_next_type(private_delete_payload_t *this,payload_type_t type)
+METHOD(payload_t, set_next_type, void,
+	private_delete_payload_t *this,payload_type_t type)
 {
 	this->next_payload = type;
 }
 
-/**
- * Implementation of payload_t.get_length.
- */
-static size_t get_length(private_delete_payload_t *this)
+METHOD(payload_t, get_length, size_t,
+	private_delete_payload_t *this)
 {
 	return this->payload_length;
 }
 
-/**
- * Implementation of delete_payload_t.get_protocol_id.
- */
-static protocol_id_t get_protocol_id (private_delete_payload_t *this)
+METHOD(delete_payload_t, get_protocol_id, protocol_id_t,
+	private_delete_payload_t *this)
 {
-	return (this->protocol_id);
+	return this->protocol_id;
 }
 
-/**
- * Implementation of delete_payload_t.add_spi.
- */
-static void add_spi(private_delete_payload_t *this, u_int32_t spi)
+METHOD(delete_payload_t, add_spi, void,
+	private_delete_payload_t *this, u_int32_t spi)
 {
-	/* only add SPIs if AH|ESP, ignore others */
-	if (this->protocol_id == PROTO_AH || this->protocol_id == PROTO_ESP)
+	switch (this->protocol_id)
 	{
-		this->spi_count += 1;
-		this->spis.len += this->spi_size;
-		this->spis.ptr = realloc(this->spis.ptr, this->spis.len);
-		*(u_int32_t*)(this->spis.ptr + (this->spis.len / this->spi_size - 1)) = spi;
-		if (this->spi_list)
-		{
-			/* reset SPI iterator list */
-			this->spi_list->destroy(this->spi_list);
-			this->spi_list = NULL;
-		}
+		case PROTO_AH:
+		case PROTO_ESP:
+			this->spi_count++;
+			this->payload_length += sizeof(spi);
+			this->spis = chunk_cat("mc", this->spis, chunk_from_thing(spi));
+			break;
+		default:
+			break;
 	}
 }
 
 /**
- * Implementation of delete_payload_t.create_spi_iterator.
+ * SPI enumerator implementation
  */
-static iterator_t* create_spi_iterator(private_delete_payload_t *this)
-{
-	int i;
+typedef struct {
+	/** implements enumerator_t */
+	enumerator_t public;
+	/** remaining SPIs */
+	chunk_t spis;
+} spi_enumerator_t;
 
-	if (this->spi_list == NULL)
+METHOD(enumerator_t, spis_enumerate, bool,
+	spi_enumerator_t *this, u_int32_t *spi)
+{
+	if (this->spis.len >= sizeof(*spi))
 	{
-		this->spi_list = linked_list_create();
-		/* only parse SPIs if AH|ESP */
-		if (this->protocol_id == PROTO_AH || this->protocol_id == PROTO_ESP)
-		{
-			for (i = 0; i < this->spi_count; i++)
-			{
-				this->spi_list->insert_last(this->spi_list, this->spis.ptr + i *
-															this->spi_size);
-			}
-		}
+		memcpy(spi, this->spis.ptr, sizeof(*spi));
+		this->spis = chunk_skip(this->spis, sizeof(*spi));
+		return TRUE;
 	}
-	return this->spi_list->create_iterator(this->spi_list, TRUE);
+	return FALSE;
 }
 
-/**
- * Implementation of payload_t.destroy and delete_payload_t.destroy.
- */
-static void destroy(private_delete_payload_t *this)
+METHOD(delete_payload_t, create_spi_enumerator, enumerator_t*,
+	private_delete_payload_t *this)
 {
-	if (this->spis.ptr != NULL)
-	{
-		chunk_free(&this->spis);
-	}
-	if (this->spi_list)
+	spi_enumerator_t *e;
+
+	if (this->spi_size != sizeof(u_int32_t))
 	{
-		this->spi_list->destroy(this->spi_list);
+		return enumerator_create_empty();
 	}
+	INIT(e,
+		.public = {
+			.enumerate = (void*)_spis_enumerate,
+			.destroy = (void*)free,
+		},
+		.spis = this->spis,
+	);
+	return &e->public;
+}
+
+METHOD2(payload_t, delete_payload_t, destroy, void,
+	private_delete_payload_t *this)
+{
+	free(this->spis.ptr);
 	free(this);
 }
 
@@ -261,32 +246,28 @@ static void destroy(private_delete_payload_t *this)
  */
 delete_payload_t *delete_payload_create(protocol_id_t protocol_id)
 {
-	private_delete_payload_t *this = malloc_thing(private_delete_payload_t);
-
-	/* interface functions */
-	this->public.payload_interface.verify = (status_t (*) (payload_t *))verify;
-	this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules;
-	this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length;
-	this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type;
-	this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
-	this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_payload_type;
-	this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
-
-	/* public functions */
-	this->public.destroy = (void (*) (delete_payload_t *)) destroy;
-	this->public.get_protocol_id = (protocol_id_t (*) (delete_payload_t *)) get_protocol_id;
-	this->public.add_spi = (void (*) (delete_payload_t *,u_int32_t))add_spi;
-	this->public.create_spi_iterator = (iterator_t* (*) (delete_payload_t *)) create_spi_iterator;
-
-	/* private variables */
-	this->critical = FALSE;
-	this->next_payload = NO_PAYLOAD;
-	this->payload_length = DELETE_PAYLOAD_HEADER_LENGTH;
-	this->protocol_id = protocol_id;
-	this->spi_size = protocol_id == PROTO_AH || protocol_id == PROTO_ESP ? 4 : 0;
-	this->spi_count = 0;
-	this->spis = chunk_empty;
-	this->spi_list = NULL;
+	private_delete_payload_t *this;
 
-	return (&this->public);
+	INIT(this,
+		.public = {
+			.payload_interface = {
+				.verify = _verify,
+				.get_encoding_rules = _get_encoding_rules,
+				.get_length = _get_length,
+				.get_next_type = _get_next_type,
+				.set_next_type = _set_next_type,
+				.get_type = _get_payload_type,
+				.destroy = _destroy,
+			},
+			.get_protocol_id = _get_protocol_id,
+			.add_spi = _add_spi,
+			.create_spi_enumerator = _create_spi_enumerator,
+			.destroy = _destroy,
+		},
+		.next_payload = NO_PAYLOAD,
+		.payload_length = DELETE_PAYLOAD_HEADER_LENGTH,
+		.protocol_id = protocol_id,
+		.spi_size = protocol_id == PROTO_AH || protocol_id == PROTO_ESP ? 4 : 0,
+	);
+	return &this->public;
 }
diff --git a/src/libcharon/encoding/payloads/delete_payload.h b/src/libcharon/encoding/payloads/delete_payload.h
index 3b62c1af1..026829f97 100644
--- a/src/libcharon/encoding/payloads/delete_payload.h
+++ b/src/libcharon/encoding/payloads/delete_payload.h
@@ -39,6 +39,7 @@ typedef struct delete_payload_t delete_payload_t;
  * The DELETE payload format is described in RFC section 3.11.
  */
 struct delete_payload_t {
+
 	/**
 	 * The payload_t interface.
 	 */
@@ -59,13 +60,11 @@ struct delete_payload_t {
 	void (*add_spi) (delete_payload_t *this, u_int32_t spi);
 
 	/**
-	 * Get an iterator over the SPIs.
-	 *
-	 * The iterate() function returns a pointer to a u_int32_t SPI.
+	 * Get an enumerator over the SPIs in network order.
 	 *
-	 * @return				iterator over SPIs
+	 * @return				enumerator over SPIs, u_int32_t
 	 */
-	iterator_t *(*create_spi_iterator) (delete_payload_t *this);
+	enumerator_t *(*create_spi_enumerator) (delete_payload_t *this);
 
 	/**
 	 * Destroys an delete_payload_t object.
diff --git a/src/libcharon/encoding/payloads/encryption_payload.c b/src/libcharon/encoding/payloads/encryption_payload.c
index 2adbb88b9..3b23ea9fb 100644
--- a/src/libcharon/encoding/payloads/encryption_payload.c
+++ b/src/libcharon/encoding/payloads/encryption_payload.c
@@ -1,5 +1,6 @@
 /*
- * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005-2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
  *
@@ -24,9 +25,6 @@
 #include <utils/linked_list.h>
 #include <encoding/generator.h>
 #include <encoding/parser.h>
-#include <utils/iterator.h>
-#include <crypto/signers/signer.h>
-
 
 typedef struct private_encryption_payload_t private_encryption_payload_t;
 
@@ -50,9 +48,9 @@ struct private_encryption_payload_t {
 	u_int8_t next_payload;
 
 	/**
-	 * Critical flag.
+	 * Flags, including reserved bits
 	 */
-	bool critical;
+	u_int8_t flags;
 
 	/**
 	 * Length of this payload
@@ -60,28 +58,17 @@ struct private_encryption_payload_t {
 	u_int16_t payload_length;
 
 	/**
-	 * Chunk containing the iv, data, padding,
-	 * and (an eventually not calculated) signature.
+	 * Chunk containing the IV, plain, padding and ICV.
 	 */
 	chunk_t encrypted;
 
 	/**
-	 * Chunk containing the data in decrypted (unpadded) form.
-	 */
-	chunk_t decrypted;
-
-	/**
-	 * Signer set by set_signer.
+	 * AEAD transform to use
 	 */
-	signer_t *signer;
+	aead_t *aead;
 
 	/**
-	 * Crypter, supplied by encrypt/decrypt
-	 */
-	crypter_t *crypter;
-
-	/**
-	 * Contained payloads of this encrpytion_payload.
+	 * Contained payloads
 	 */
 	linked_list_t *payloads;
 };
@@ -91,25 +78,16 @@ struct private_encryption_payload_t {
  *
  * The defined offsets are the positions in a object of type
  * private_encryption_payload_t.
- *
  */
 encoding_rule_t encryption_payload_encodings[] = {
 	/* 1 Byte next payload type, stored in the field next_payload */
 	{ U_INT_8,			offsetof(private_encryption_payload_t, next_payload)	},
-	/* the critical bit */
-	{ FLAG,				offsetof(private_encryption_payload_t, critical)		},
-	/* 7 Bit reserved bits, nowhere stored */
-	{ RESERVED_BIT,		0														},
-	{ RESERVED_BIT,		0														},
-	{ RESERVED_BIT,		0														},
-	{ RESERVED_BIT,		0														},
-	{ RESERVED_BIT,		0														},
-	{ RESERVED_BIT,		0														},
-	{ RESERVED_BIT,		0														},
+	/* Critical and 7 reserved bits, all stored for reconstruction */
+	{ U_INT_8,			offsetof(private_encryption_payload_t, flags)			},
 	/* Length of the whole encryption payload*/
 	{ PAYLOAD_LENGTH,	offsetof(private_encryption_payload_t, payload_length)	},
 	/* encrypted data, stored in a chunk. contains iv, data, padding */
-	{ ENCRYPTED_DATA,	offsetof(private_encryption_payload_t, encrypted)			},
+	{ ENCRYPTED_DATA,	offsetof(private_encryption_payload_t, encrypted)		},
 };
 
 /*
@@ -131,108 +109,90 @@ encoding_rule_t encryption_payload_encodings[] = {
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 */
 
-/**
- * Implementation of payload_t.verify.
- */
-static status_t verify(private_encryption_payload_t *this)
+METHOD(payload_t, verify, status_t,
+	private_encryption_payload_t *this)
 {
 	return SUCCESS;
 }
 
-/**
- * Implementation of payload_t.get_encoding_rules.
- */
-static void get_encoding_rules(private_encryption_payload_t *this, encoding_rule_t **rules, size_t *rule_count)
+METHOD(payload_t, get_encoding_rules, void,
+	private_encryption_payload_t *this, encoding_rule_t **rules,
+	size_t *count)
 {
 	*rules = encryption_payload_encodings;
-	*rule_count = sizeof(encryption_payload_encodings) / sizeof(encoding_rule_t);
+	*count = countof(encryption_payload_encodings);
 }
 
-/**
- * Implementation of payload_t.get_type.
- */
-static payload_type_t get_type(private_encryption_payload_t *this)
+METHOD(payload_t, get_type, payload_type_t,
+	private_encryption_payload_t *this)
 {
 	return ENCRYPTED;
 }
 
-/**
- * Implementation of payload_t.get_next_type.
- */
-static payload_type_t get_next_type(private_encryption_payload_t *this)
+METHOD(payload_t, get_next_type, payload_type_t,
+	private_encryption_payload_t *this)
 {
-	/* returns first contained payload here */
-	return (this->next_payload);
+	return this->next_payload;
 }
 
-/**
- * Implementation of payload_t.set_next_type.
- */
-static void set_next_type(private_encryption_payload_t *this, payload_type_t type)
+METHOD(payload_t, set_next_type, void,
+	private_encryption_payload_t *this, payload_type_t type)
 {
-	/* set next type is not allowed, since this payload MUST be the last one
-	 * and so nothing is done in here*/
+	/* the next payload is set during add */
 }
 
 /**
- * (re-)compute the lenght of the whole payload
+ * Compute the lenght of the whole payload
  */
 static void compute_length(private_encryption_payload_t *this)
 {
-	iterator_t *iterator;
-	payload_t *current_payload;
-	size_t block_size, length = 0;
-	iterator = this->payloads->create_iterator(this->payloads, TRUE);
+	enumerator_t *enumerator;
+	payload_t *payload;
+	size_t bs, length = 0;
 
-	/* count payload length */
-	while (iterator->iterate(iterator, (void **) &current_payload))
+	if (this->encrypted.len)
 	{
-		length += current_payload->get_length(current_payload);
+		length = this->encrypted.len;
 	}
-	iterator->destroy(iterator);
-
-	if (this->crypter && this->signer)
+	else
 	{
-		/* append one byte for padding length */
-		length++;
-		/* append padding */
-		block_size = this->crypter->get_block_size(this->crypter);
-		length += block_size - length % block_size;
-		/* add iv */
-		length += block_size;
-		/* add signature */
-		length += this->signer->get_block_size(this->signer);
+		enumerator = this->payloads->create_enumerator(this->payloads);
+		while (enumerator->enumerate(enumerator, &payload))
+		{
+			length += payload->get_length(payload);
+		}
+		enumerator->destroy(enumerator);
+
+		if (this->aead)
+		{
+			/* append padding */
+			bs = this->aead->get_block_size(this->aead);
+			length += bs - (length % bs);
+			/* add iv */
+			length += this->aead->get_iv_size(this->aead);
+			/* add icv */
+			length += this->aead->get_icv_size(this->aead);
+		}
 	}
 	length += ENCRYPTION_PAYLOAD_HEADER_LENGTH;
 	this->payload_length = length;
 }
 
-/**
- * Implementation of payload_t.get_length.
- */
-static size_t get_length(private_encryption_payload_t *this)
+METHOD2(payload_t, encryption_payload_t, get_length, size_t,
+	private_encryption_payload_t *this)
 {
 	compute_length(this);
 	return this->payload_length;
 }
 
-/**
- * Implementation of payload_t.create_payload_iterator.
- */
-static  iterator_t *create_payload_iterator (private_encryption_payload_t *this, bool forward)
-{
-	return (this->payloads->create_iterator(this->payloads, forward));
-}
-
-/**
- * Implementation of payload_t.add_payload.
- */
-static void add_payload(private_encryption_payload_t *this, payload_t *payload)
+METHOD(encryption_payload_t, add_payload, void,
+	private_encryption_payload_t *this, payload_t *payload)
 {
 	payload_t *last_payload;
+
 	if (this->payloads->get_count(this->payloads) > 0)
 	{
-		this->payloads->get_last(this->payloads,(void **) &last_payload);
+		this->payloads->get_last(this->payloads, (void **)&last_payload);
 		last_payload->set_next_type(last_payload, payload->get_type(payload));
 	}
 	else
@@ -240,339 +200,255 @@ static void add_payload(private_encryption_payload_t *this, payload_t *payload)
 		this->next_payload = payload->get_type(payload);
 	}
 	payload->set_next_type(payload, NO_PAYLOAD);
-	this->payloads->insert_last(this->payloads, (void*)payload);
+	this->payloads->insert_last(this->payloads, payload);
 	compute_length(this);
 }
 
-/**
- * Implementation of encryption_payload_t.remove_first_payload.
- */
-static status_t remove_first_payload(private_encryption_payload_t *this, payload_t **payload)
+METHOD(encryption_payload_t, remove_payload, payload_t *,
+	private_encryption_payload_t *this)
 {
-	return this->payloads->remove_first(this->payloads, (void**)payload);
-}
+	payload_t *payload;
 
-/**
- * Implementation of encryption_payload_t.get_payload_count.
- */
-static size_t get_payload_count(private_encryption_payload_t *this)
-{
-	return this->payloads->get_count(this->payloads);
+	if (this->payloads->remove_first(this->payloads,
+									 (void**)&payload) == SUCCESS)
+	{
+		return payload;
+	}
+	return NULL;
 }
 
 /**
- * Generate payload before encryption.
+ * Generate payload before encryption
  */
-static void generate(private_encryption_payload_t *this)
+static chunk_t generate(private_encryption_payload_t *this,
+						generator_t *generator)
 {
-	payload_t *current_payload, *next_payload;
-	generator_t *generator;
-	iterator_t *iterator;
-
-	/* recalculate length before generating */
-	compute_length(this);
+	payload_t *current, *next;
+	enumerator_t *enumerator;
+	u_int32_t *lenpos;
+	chunk_t chunk = chunk_empty;
 
-	/* create iterator */
-	iterator = this->payloads->create_iterator(this->payloads, TRUE);
-
-	/* get first payload */
-	if (iterator->iterate(iterator, (void**)&current_payload))
-	{
-		this->next_payload = current_payload->get_type(current_payload);
-	}
-	else
+	enumerator = this->payloads->create_enumerator(this->payloads);
+	if (enumerator->enumerate(enumerator, &current))
 	{
-		/* no paylads? */
-		DBG2(DBG_ENC, "generating contained payloads, but none available");
-		free(this->decrypted.ptr);
-		this->decrypted = chunk_empty;
-		iterator->destroy(iterator);
-		return;
-	}
+		this->next_payload = current->get_type(current);
 
-	generator = generator_create();
+		while (enumerator->enumerate(enumerator, &next))
+		{
+			current->set_next_type(current, next->get_type(next));
+			generator->generate_payload(generator, current);
+			current = next;
+		}
+		current->set_next_type(current, NO_PAYLOAD);
+		generator->generate_payload(generator, current);
 
-	/* build all payload, except last */
-	while(iterator->iterate(iterator, (void**)&next_payload))
-	{
-		current_payload->set_next_type(current_payload, next_payload->get_type(next_payload));
-		generator->generate_payload(generator, current_payload);
-		current_payload = next_payload;
+		chunk = generator->get_chunk(generator, &lenpos);
+		DBG2(DBG_ENC, "generated content in encryption payload");
 	}
-	iterator->destroy(iterator);
-
-	/* build last payload */
-	current_payload->set_next_type(current_payload, NO_PAYLOAD);
-	generator->generate_payload(generator, current_payload);
-
-	/* free already generated data */
-	free(this->decrypted.ptr);
-
-	generator->write_to_chunk(generator, &(this->decrypted));
-	generator->destroy(generator);
-	DBG2(DBG_ENC, "successfully generated content in encryption payload");
+	enumerator->destroy(enumerator);
+	return chunk;
 }
 
 /**
- * Implementation of encryption_payload_t.encrypt.
+ * Append the encryption payload header to the associated data
  */
-static status_t encrypt(private_encryption_payload_t *this)
+static chunk_t append_header(private_encryption_payload_t *this, chunk_t assoc)
 {
-	chunk_t iv, padding, to_crypt, result;
+	struct {
+		u_int8_t next_payload;
+		u_int8_t flags;
+		u_int16_t length;
+	} __attribute__((packed)) header = {
+		.next_payload = this->next_payload,
+		.flags = this->flags,
+		.length = htons(get_length(this)),
+	};
+	return chunk_cat("cc", assoc, chunk_from_thing(header));
+}
+
+METHOD(encryption_payload_t, encrypt, bool,
+	private_encryption_payload_t *this, chunk_t assoc)
+{
+	chunk_t iv, plain, padding, icv, crypt;
+	generator_t *generator;
 	rng_t *rng;
-	size_t block_size;
+	size_t bs;
 
-	if (this->signer == NULL || this->crypter == NULL)
+	if (this->aead == NULL)
 	{
-		DBG1(DBG_ENC, "could not encrypt, signer/crypter not set");
-		return INVALID_STATE;
+		DBG1(DBG_ENC, "encrypting encryption payload failed, transform missing");
+		return FALSE;
 	}
 
-	/* for random data in iv and padding */
 	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
 	if (!rng)
 	{
-		DBG1(DBG_ENC, "could not encrypt, no RNG found");
-		return FAILED;
+		DBG1(DBG_ENC, "encrypting encryption payload failed, no RNG found");
+		return FALSE;
 	}
-	/* build payload chunk */
-	generate(this);
 
-	DBG2(DBG_ENC, "encrypting payloads");
-	DBG3(DBG_ENC, "data to encrypt %B", &this->decrypted);
+	assoc = append_header(this, assoc);
 
-	/* build padding */
-	block_size = this->crypter->get_block_size(this->crypter);
-	padding.len = block_size - ((this->decrypted.len + 1) %  block_size);
-	rng->allocate_bytes(rng, padding.len, &padding);
-
-	/* concatenate payload data, padding, padding len */
-	to_crypt.len = this->decrypted.len + padding.len + 1;
-	to_crypt.ptr = malloc(to_crypt.len);
-
-	memcpy(to_crypt.ptr, this->decrypted.ptr, this->decrypted.len);
-	memcpy(to_crypt.ptr + this->decrypted.len, padding.ptr, padding.len);
-	*(to_crypt.ptr + to_crypt.len - 1) = padding.len;
+	generator = generator_create();
+	plain = generate(this, generator);
+	bs = this->aead->get_block_size(this->aead);
+	/* we need at least one byte padding to store the padding length */
+	padding.len = bs - (plain.len % bs);
+	iv.len = this->aead->get_iv_size(this->aead);
+	icv.len = this->aead->get_icv_size(this->aead);
+
+	/* prepare data to authenticate-encrypt:
+	 * | IV | plain | padding | ICV |
+	 *       \____crypt______/   ^
+	 *              |           /
+	 *              v          /
+	 *     assoc -> + ------->/
+	 */
+	free(this->encrypted.ptr);
+	this->encrypted = chunk_alloc(iv.len + plain.len + padding.len + icv.len);
+	iv.ptr = this->encrypted.ptr;
+	memcpy(iv.ptr + iv.len, plain.ptr, plain.len);
+	plain.ptr = iv.ptr + iv.len;
+	padding.ptr = plain.ptr + plain.len;
+	icv.ptr = padding.ptr + padding.len;
+	crypt = chunk_create(plain.ptr, plain.len + padding.len);
+	generator->destroy(generator);
 
-	/* build iv */
-	iv.len = block_size;
-	rng->allocate_bytes(rng, iv.len, &iv);
+	rng->get_bytes(rng, iv.len, iv.ptr);
+	rng->get_bytes(rng, padding.len - 1, padding.ptr);
+	padding.ptr[padding.len - 1] = padding.len - 1;
 	rng->destroy(rng);
 
-	DBG3(DBG_ENC, "data before encryption with padding %B", &to_crypt);
+	DBG3(DBG_ENC, "encryption payload encryption:");
+	DBG3(DBG_ENC, "IV %B", &iv);
+	DBG3(DBG_ENC, "plain %B", &plain);
+	DBG3(DBG_ENC, "padding %B", &padding);
+	DBG3(DBG_ENC, "assoc %B", &assoc);
 
-	/* encrypt to_crypt chunk */
-	free(this->encrypted.ptr);
-	this->crypter->encrypt(this->crypter, to_crypt, iv, &result);
-	free(padding.ptr);
-	free(to_crypt.ptr);
-
-	DBG3(DBG_ENC, "data after encryption %B", &result);
-
-	/* build encrypted result with iv and signature */
-	this->encrypted.len = iv.len + result.len + this->signer->get_block_size(this->signer);
-	free(this->encrypted.ptr);
-	this->encrypted.ptr = malloc(this->encrypted.len);
+	this->aead->encrypt(this->aead, crypt, assoc, iv, NULL);
 
-	/* fill in result, signature is left out */
-	memcpy(this->encrypted.ptr, iv.ptr, iv.len);
-	memcpy(this->encrypted.ptr + iv.len, result.ptr, result.len);
+	DBG3(DBG_ENC, "encrypted %B", &crypt);
+	DBG3(DBG_ENC, "ICV %B", &icv);
 
-	free(result.ptr);
-	free(iv.ptr);
-	DBG3(DBG_ENC, "data after encryption with IV and (invalid) signature %B",
-		 &this->encrypted);
+	free(assoc.ptr);
 
-	return SUCCESS;
+	return TRUE;
 }
 
 /**
  * Parse the payloads after decryption.
  */
-static status_t parse(private_encryption_payload_t *this)
+static status_t parse(private_encryption_payload_t *this, chunk_t plain)
 {
 	parser_t *parser;
-	status_t status;
-	payload_type_t current_payload_type;
-
-	/* build a parser on the decrypted data */
-	parser = parser_create(this->decrypted);
+	payload_type_t type;
 
-	current_payload_type = this->next_payload;
-	/* parse all payloads */
-	while (current_payload_type != NO_PAYLOAD)
+	parser = parser_create(plain);
+	type = this->next_payload;
+	while (type != NO_PAYLOAD)
 	{
-		payload_t *current_payload;
+		payload_t *payload;
 
-		status = parser->parse_payload(parser, current_payload_type, (payload_t**)&current_payload);
-		if (status != SUCCESS)
+		if (parser->parse_payload(parser, type, &payload) != SUCCESS)
 		{
 			parser->destroy(parser);
 			return PARSE_ERROR;
 		}
-
-		status = current_payload->verify(current_payload);
-		if (status != SUCCESS)
+		if (payload->verify(payload) != SUCCESS)
 		{
 			DBG1(DBG_ENC, "%N verification failed",
-				 payload_type_names, current_payload->get_type(current_payload));
-			current_payload->destroy(current_payload);
+				 payload_type_names, payload->get_type(payload));
+			payload->destroy(payload);
 			parser->destroy(parser);
 			return VERIFY_ERROR;
 		}
-
-		/* get next payload type */
-		current_payload_type = current_payload->get_next_type(current_payload);
-
-		this->payloads->insert_last(this->payloads,current_payload);
+		type = payload->get_next_type(payload);
+		this->payloads->insert_last(this->payloads, payload);
 	}
 	parser->destroy(parser);
-	DBG2(DBG_ENC, "succesfully parsed content of encryption payload");
+	DBG2(DBG_ENC, "parsed content of encryption payload");
 	return SUCCESS;
 }
 
-/**
- * Implementation of encryption_payload_t.encrypt.
- */
-static status_t decrypt(private_encryption_payload_t *this)
+METHOD(encryption_payload_t, decrypt, status_t,
+	private_encryption_payload_t *this, chunk_t assoc)
 {
-	chunk_t iv, concatenated;
-	u_int8_t padding_length;
-
-	DBG2(DBG_ENC, "decrypting encryption payload");
-	DBG3(DBG_ENC, "data before decryption with IV and (invalid) signature %B",
-		 &this->encrypted);
+	chunk_t iv, plain, padding, icv, crypt;
+	size_t bs;
 
-	if (this->signer == NULL || this->crypter == NULL)
+	if (this->aead == NULL)
 	{
-		DBG1(DBG_ENC, "could not decrypt, no crypter/signer set");
+		DBG1(DBG_ENC, "decrypting encryption payload failed, transform missing");
 		return INVALID_STATE;
 	}
 
-	/* get IV */
-	iv.len = this->crypter->get_block_size(this->crypter);
+	/* prepare data to authenticate-decrypt:
+	 * | IV | plain | padding | ICV |
+	 *       \____crypt______/   ^
+	 *              |           /
+	 *              v          /
+	 *     assoc -> + ------->/
+	 */
 
+	bs = this->aead->get_block_size(this->aead);
+	iv.len = this->aead->get_iv_size(this->aead);
 	iv.ptr = this->encrypted.ptr;
+	icv.len = this->aead->get_icv_size(this->aead);
+	icv.ptr = this->encrypted.ptr + this->encrypted.len - icv.len;
+	crypt.ptr = iv.ptr + iv.len;
+	crypt.len = this->encrypted.len - iv.len;
 
-	/* point concatenated to data + padding + padding_length*/
-	concatenated.ptr = this->encrypted.ptr + iv.len;
-	concatenated.len = this->encrypted.len - iv.len -
-								this->signer->get_block_size(this->signer);
-
-	/* concatenated must be a multiple of block_size of crypter */
-	if (concatenated.len < iv.len || concatenated.len % iv.len)
+	if (iv.len + icv.len > this->encrypted.len ||
+		(crypt.len - icv.len) % bs)
 	{
-		DBG1(DBG_ENC, "could not decrypt, invalid input");
+		DBG1(DBG_ENC, "decrypting encryption payload failed, invalid length");
 		return FAILED;
 	}
 
-	/* free previus data, if any */
-	free(this->decrypted.ptr);
-
-	DBG3(DBG_ENC, "data before decryption %B", &concatenated);
-
-	this->crypter->decrypt(this->crypter, concatenated, iv, &this->decrypted);
+	assoc = append_header(this, assoc);
 
-	DBG3(DBG_ENC, "data after decryption with padding %B", &this->decrypted);
+	DBG3(DBG_ENC, "encryption payload decryption:");
+	DBG3(DBG_ENC, "IV %B", &iv);
+	DBG3(DBG_ENC, "encrypted %B", &crypt);
+	DBG3(DBG_ENC, "ICV %B", &icv);
+	DBG3(DBG_ENC, "assoc %B", &assoc);
 
-	/* get padding length, sits just bevore signature */
-	padding_length = *(this->decrypted.ptr + this->decrypted.len - 1);
-	/* add one byte to the padding length, since the padding_length field is
-	 * not included */
-	padding_length++;
-
-	/* check size again */
-	if (padding_length > concatenated.len || padding_length > this->decrypted.len)
+	if (!this->aead->decrypt(this->aead, crypt, assoc, iv, NULL))
 	{
-		DBG1(DBG_ENC, "decryption failed, invalid padding length found. Invalid key?");
-		/* decryption failed :-/ */
+		DBG1(DBG_ENC, "verifying encryption payload integrity failed");
+		free(assoc.ptr);
 		return FAILED;
 	}
-	this->decrypted.len -= padding_length;
-
-	/* free padding */
-	this->decrypted.ptr = realloc(this->decrypted.ptr, this->decrypted.len);
-	DBG3(DBG_ENC, "data after decryption without padding %B", &this->decrypted);
-	DBG2(DBG_ENC, "decryption successful, trying to parse content");
-	return parse(this);
-}
+	free(assoc.ptr);
 
-/**
- * Implementation of encryption_payload_t.set_transforms.
- */
-static void set_transforms(private_encryption_payload_t *this, crypter_t* crypter, signer_t* signer)
-{
-	this->signer = signer;
-	this->crypter = crypter;
-}
-
-/**
- * Implementation of encryption_payload_t.build_signature.
- */
-static status_t build_signature(private_encryption_payload_t *this, chunk_t data)
-{
-	chunk_t data_without_sig = data;
-	chunk_t sig;
-
-	if (this->signer == NULL)
+	plain = chunk_create(crypt.ptr, crypt.len - icv.len);
+	padding.len = plain.ptr[plain.len - 1] + 1;
+	if (padding.len > plain.len)
 	{
-		DBG1(DBG_ENC, "unable to build signature, no signer set");
-		return INVALID_STATE;
+		DBG1(DBG_ENC, "decrypting encryption payload failed, "
+			 "padding invalid %B", &crypt);
+		return PARSE_ERROR;
 	}
+	plain.len -= padding.len;
+	padding.ptr = plain.ptr + plain.len;
 
-	sig.len = this->signer->get_block_size(this->signer);
-	data_without_sig.len -= sig.len;
-	sig.ptr = data.ptr + data_without_sig.len;
-	DBG2(DBG_ENC, "building signature");
-	this->signer->get_signature(this->signer, data_without_sig, sig.ptr);
-	return SUCCESS;
+	DBG3(DBG_ENC, "plain %B", &plain);
+	DBG3(DBG_ENC, "padding %B", &padding);
+
+	return parse(this, plain);
 }
 
-/**
- * Implementation of encryption_payload_t.verify_signature.
- */
-static status_t verify_signature(private_encryption_payload_t *this, chunk_t data)
+METHOD(encryption_payload_t, set_transform, void,
+	private_encryption_payload_t *this, aead_t* aead)
 {
-	chunk_t sig, data_without_sig;
-	bool valid;
-
-	if (this->signer == NULL)
-	{
-		DBG1(DBG_ENC, "unable to verify signature, no signer set");
-		return INVALID_STATE;
-	}
-	/* find signature in data chunk */
-	sig.len = this->signer->get_block_size(this->signer);
-	if (data.len <= sig.len)
-	{
-		DBG1(DBG_ENC, "unable to verify signature, invalid input");
-		return FAILED;
-	}
-	sig.ptr = data.ptr + data.len - sig.len;
-
-	/* verify it */
-	data_without_sig.len = data.len - sig.len;
-	data_without_sig.ptr = data.ptr;
-	valid = this->signer->verify_signature(this->signer, data_without_sig, sig);
-
-	if (!valid)
-	{
-		DBG1(DBG_ENC, "signature verification failed");
-		return FAILED;
-	}
-
-	DBG2(DBG_ENC, "signature verification successful");
-	return SUCCESS;
+	this->aead = aead;
 }
 
-/**
- * Implementation of payload_t.destroy.
- */
-static void destroy(private_encryption_payload_t *this)
+METHOD2(payload_t, encryption_payload_t, destroy, void,
+	private_encryption_payload_t *this)
 {
 	this->payloads->destroy_offset(this->payloads, offsetof(payload_t, destroy));
 	free(this->encrypted.ptr);
-	free(this->decrypted.ptr);
 	free(this);
 }
 
@@ -581,39 +457,31 @@ static void destroy(private_encryption_payload_t *this)
  */
 encryption_payload_t *encryption_payload_create()
 {
-	private_encryption_payload_t *this = malloc_thing(private_encryption_payload_t);
-
-	/* payload_t interface functions */
-	this->public.payload_interface.verify = (status_t (*) (payload_t *))verify;
-	this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules;
-	this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length;
-	this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type;
-	this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
-	this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_type;
-	this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
-
-	/* public functions */
-	this->public.create_payload_iterator = (iterator_t * (*) (encryption_payload_t *,bool)) create_payload_iterator;
-	this->public.add_payload = (void (*) (encryption_payload_t *,payload_t *)) add_payload;
-	this->public.remove_first_payload = (status_t (*)(encryption_payload_t*, payload_t **)) remove_first_payload;
-	this->public.get_payload_count = (size_t (*)(encryption_payload_t*)) get_payload_count;
-
-	this->public.encrypt = (status_t (*) (encryption_payload_t *)) encrypt;
-	this->public.decrypt = (status_t (*) (encryption_payload_t *)) decrypt;
-	this->public.set_transforms = (void (*) (encryption_payload_t*,crypter_t*,signer_t*)) set_transforms;
-	this->public.build_signature = (status_t (*) (encryption_payload_t*, chunk_t)) build_signature;
-	this->public.verify_signature = (status_t (*) (encryption_payload_t*, chunk_t)) verify_signature;
-	this->public.destroy = (void (*) (encryption_payload_t *)) destroy;
-
-	/* set default values of the fields */
-	this->critical = FALSE;
-	this->next_payload = NO_PAYLOAD;
-	this->payload_length = ENCRYPTION_PAYLOAD_HEADER_LENGTH;
-	this->encrypted = chunk_empty;
-	this->decrypted = chunk_empty;
-	this->signer = NULL;
-	this->crypter = NULL;
-	this->payloads = linked_list_create();
-
-	return (&(this->public));
+	private_encryption_payload_t *this;
+
+	INIT(this,
+		.public = {
+			.payload_interface = {
+				.verify = _verify,
+				.get_encoding_rules = _get_encoding_rules,
+				.get_length = _get_length,
+				.get_next_type = _get_next_type,
+				.set_next_type = _set_next_type,
+				.get_type = _get_type,
+				.destroy = _destroy,
+			},
+			.get_length = _get_length,
+			.add_payload = _add_payload,
+			.remove_payload = _remove_payload,
+			.set_transform = _set_transform,
+			.encrypt = _encrypt,
+			.decrypt = _decrypt,
+			.destroy = _destroy,
+		},
+		.next_payload = NO_PAYLOAD,
+		.payload_length = ENCRYPTION_PAYLOAD_HEADER_LENGTH,
+		.payloads = linked_list_create(),
+	);
+
+	return &this->public;
 }
diff --git a/src/libcharon/encoding/payloads/encryption_payload.h b/src/libcharon/encoding/payloads/encryption_payload.h
index ac5326b87..e99c42fb7 100644
--- a/src/libcharon/encoding/payloads/encryption_payload.h
+++ b/src/libcharon/encoding/payloads/encryption_payload.h
@@ -1,5 +1,6 @@
 /*
- * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005-2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
  *
@@ -25,45 +26,30 @@
 typedef struct encryption_payload_t encryption_payload_t;
 
 #include <library.h>
-#include <crypto/crypters/crypter.h>
-#include <crypto/signers/signer.h>
+#include <crypto/aead.h>
 #include <encoding/payloads/payload.h>
-#include <utils/linked_list.h>
 
 /**
  * Encrpytion payload length in bytes without IV and following data.
  */
 #define ENCRYPTION_PAYLOAD_HEADER_LENGTH 4
 
-
 /**
  * The encryption payload as described in RFC section 3.14.
- *
- * Before any crypt/decrypt/sign/verify operation can occur,
- * the transforms must be set. After that, a parsed encryption payload
- * can be decrypted, which also will parse the contained payloads.
- * Encryption is done the same way, added payloads will get generated
- * and then encrypted.
- * For signature building, there is the FULL packet needed. Meaning it
- * must be builded after generation of all payloads and the encryption
- * of the encryption payload.
- * Signature verificatin is done before decryption.
  */
 struct encryption_payload_t {
+
 	/**
 	 * Implements payload_t interface.
 	 */
 	payload_t payload_interface;
 
 	/**
-	 * Creates an iterator for all contained payloads.
+	 * Get the payload length.
 	 *
-	 * iterator_t object has to get destroyed by the caller.
-	 *
-	 * @param forward 		iterator direction (TRUE: front to end)
-	 * return				created iterator_t object
+	 * @return			(expected) payload length
 	 */
-	 iterator_t *(*create_payload_iterator) (encryption_payload_t *this, bool forward);
+	size_t (*get_length)(encryption_payload_t *this);
 
 	/**
 	 * Adds a payload to this encryption payload.
@@ -73,89 +59,39 @@ struct encryption_payload_t {
 	void (*add_payload) (encryption_payload_t *this, payload_t *payload);
 
 	/**
-	 * Reove the last payload in the contained payload list.
+	 * Remove the first payload in the list
 	 *
 	 * @param payload		removed payload
-	 * @return
-	 * 						- SUCCESS, or
-	 * 						- NOT_FOUND if list empty
-	 */
-	status_t (*remove_first_payload) (encryption_payload_t *this, payload_t **payload);
-
-	/**
-	 * Get the number of payloads.
-	 *
-	 * @return				number of contained payloads
+	 * @return				payload, NULL if none left
 	 */
-	size_t (*get_payload_count) (encryption_payload_t *this);
+	payload_t* (*remove_payload)(encryption_payload_t *this);
 
 	/**
-	 * Set transforms to use.
-	 *
-	 * To decryption, encryption, signature building and verifying,
-	 * the payload needs a crypter and a signer object.
+	 * Set the AEAD transform to use.
 	 *
-	 * @warning Do NOT call this function again after encryption, since
-	 * the signer must be the same while encrypting and signature building!
-	 *
-	 * @param crypter		crypter_t to use for data de-/encryption
-	 * @param signer		signer_t to use for data signing/verifying
+	 * @param aead		aead transform to use
 	 */
-	void (*set_transforms) (encryption_payload_t *this, crypter_t *crypter, signer_t *signer);
+	void (*set_transform) (encryption_payload_t *this, aead_t *aead);
 
 	/**
-	 * Generate and encrypt contained payloads.
-	 *
-	 * This function generates the content for added payloads
-	 * and encrypts them. Signature is not built, since we need
-	 * additional data (the full message).
+	 * Generate, encrypt and sign contained payloads.
 	 *
-	 * @return				SUCCESS, or INVALID_STATE if transforms not set
+	 * @param assoc			associated data
+	 * @return				TRUE if encrypted
 	 */
-	status_t (*encrypt) (encryption_payload_t *this);
+	bool (*encrypt) (encryption_payload_t *this, chunk_t assoc);
 
 	/**
-	 * Decrypt and parse contained payloads.
-	 *
-	 * This function decrypts the contained data. After,
-	 * the payloads are parsed internally and are accessible
-	 * via the iterator.
-	 *
-	 * @return
-	 * 						- SUCCESS, or
-	 * 						- INVALID_STATE if transforms not set, or
-	 * 						- FAILED if data is invalid
-	 */
-	status_t (*decrypt) (encryption_payload_t *this);
-
-	/**
-	 * Build the signature.
-	 *
-	 * The signature is built over the FULL message, so the header
-	 * and every payload (inclusive this one) must already be generated.
-	 * The generated message is supplied via the data paramater.
-	 *
-	 * @param data			chunk contains the already generated message
-	 * @return
-	 * 						- SUCCESS, or
-	 * 						- INVALID_STATE if transforms not set
-	 */
-	status_t (*build_signature) (encryption_payload_t *this, chunk_t data);
-
-	/**
-	 * Verify the signature.
-	 *
-	 * Since the signature is built over the full message, we need
-	 * this data to do the verification. The message data
-	 * is supplied via the data argument.
-	 *
-	 * @param data			chunk contains the message
-	 * @return
-	 * 						- SUCCESS, or
-	 * 						- FAILED if signature invalid, or
-	 * 						- INVALID_STATE if transforms not set
+	 * Decrypt, verify and parse contained payloads.
+	 *
+	 * @param assoc			associated data
+	 * 						- SUCCESS if parsing successful
+	 *						- PARSE_ERROR if sub-payload parsing failed
+	 * 						- VERIFY_ERROR if sub-payload verification failed
+	 * 						- FAILED if integrity check failed
+	 * 						- INVALID_STATE if aead not supplied, but needed
 	 */
-	status_t (*verify_signature) (encryption_payload_t *this, chunk_t data);
+	status_t (*decrypt) (encryption_payload_t *this, chunk_t assoc);
 
 	/**
 	 * Destroys an encryption_payload_t object.
@@ -166,7 +102,7 @@ struct encryption_payload_t {
 /**
  * Creates an empty encryption_payload_t object.
  *
- * @return encryption_payload_t object
+ * @return			encryption_payload_t object
  */
 encryption_payload_t *encryption_payload_create(void);
 
diff --git a/src/libcharon/encoding/payloads/notify_payload.c b/src/libcharon/encoding/payloads/notify_payload.c
index 469698ef5..a56fd1869 100644
--- a/src/libcharon/encoding/payloads/notify_payload.c
+++ b/src/libcharon/encoding/payloads/notify_payload.c
@@ -41,7 +41,7 @@ ENUM_NEXT(notify_type_names, INVALID_KE_PAYLOAD, INVALID_KE_PAYLOAD, NO_PROPOSAL
 	"INVALID_KE_PAYLOAD");
 ENUM_NEXT(notify_type_names, AUTHENTICATION_FAILED, AUTHENTICATION_FAILED, INVALID_KE_PAYLOAD,
 	"AUTHENTICATION_FAILED");
-ENUM_NEXT(notify_type_names, SINGLE_PAIR_REQUIRED, USE_ASSIGNED_HoA, AUTHENTICATION_FAILED,
+ENUM_NEXT(notify_type_names, SINGLE_PAIR_REQUIRED, CHILD_SA_NOT_FOUND, AUTHENTICATION_FAILED,
 	"SINGLE_PAIR_REQUIRED",
 	"NO_ADDITIONAL_SAS",
 	"INTERNAL_ADDRESS_FAILURE",
@@ -50,10 +50,12 @@ ENUM_NEXT(notify_type_names, SINGLE_PAIR_REQUIRED, USE_ASSIGNED_HoA, AUTHENTICAT
 	"INVALID_SELECTORS",
 	"UNACCEPTABLE_ADDRESSES",
 	"UNEXPECTED_NAT_DETECTED",
-	"USE_ASSIGNED_HoA");
-ENUM_NEXT(notify_type_names, ME_CONNECT_FAILED, ME_CONNECT_FAILED, USE_ASSIGNED_HoA,
+	"USE_ASSIGNED_HoA",
+	"TEMPORARY_FAILURE",
+	"CHILD_SA_NOT_FOUND");
+ENUM_NEXT(notify_type_names, ME_CONNECT_FAILED, ME_CONNECT_FAILED, CHILD_SA_NOT_FOUND,
 	"ME_CONNECT_FAILED");
-ENUM_NEXT(notify_type_names, INITIAL_CONTACT, LINK_ID, ME_CONNECT_FAILED,
+ENUM_NEXT(notify_type_names, INITIAL_CONTACT, EAP_ONLY_AUTHENTICATION, ME_CONNECT_FAILED,
 	"INITIAL_CONTACT",
 	"SET_WINDOW_SIZE",
 	"ADDITIONAL_TS_POSSIBLE",
@@ -84,8 +86,9 @@ ENUM_NEXT(notify_type_names, INITIAL_CONTACT, LINK_ID, ME_CONNECT_FAILED,
 	"TICKET_ACK",
 	"TICKET_NACK",
 	"TICKET_OPAQUE",
-	"LINK_ID");
-ENUM_NEXT(notify_type_names, EAP_ONLY_AUTHENTICATION, EAP_ONLY_AUTHENTICATION, LINK_ID,
+	"LINK_ID",
+	"USE_WESP_MODE",
+	"ROHC_SUPPORTED",
 	"EAP_ONLY_AUTHENTICATION");
 ENUM_NEXT(notify_type_names, USE_BEET_MODE, USE_BEET_MODE, EAP_ONLY_AUTHENTICATION,
 	"USE_BEET_MODE");
@@ -117,7 +120,7 @@ ENUM_NEXT(notify_type_short_names, INVALID_KE_PAYLOAD, INVALID_KE_PAYLOAD, NO_PR
 	"INVAL_KE");
 ENUM_NEXT(notify_type_short_names, AUTHENTICATION_FAILED, AUTHENTICATION_FAILED, INVALID_KE_PAYLOAD,
 	"AUTH_FAILED");
-ENUM_NEXT(notify_type_short_names, SINGLE_PAIR_REQUIRED, USE_ASSIGNED_HoA, AUTHENTICATION_FAILED,
+ENUM_NEXT(notify_type_short_names, SINGLE_PAIR_REQUIRED, CHILD_SA_NOT_FOUND, AUTHENTICATION_FAILED,
 	"SINGLE_PAIR",
 	"NO_ADD_SAS",
 	"INT_ADDR_FAIL",
@@ -126,10 +129,12 @@ ENUM_NEXT(notify_type_short_names, SINGLE_PAIR_REQUIRED, USE_ASSIGNED_HoA, AUTHE
 	"INVAL_SEL",
 	"UNACCEPT_ADDR",
 	"UNEXPECT_NAT",
-	"ASSIGNED_HoA");
-ENUM_NEXT(notify_type_short_names, ME_CONNECT_FAILED, ME_CONNECT_FAILED, USE_ASSIGNED_HoA,
+	"ASSIGNED_HoA",
+	"TEMP_FAIL",
+	"NO_CHILD_SA");
+ENUM_NEXT(notify_type_short_names, ME_CONNECT_FAILED, ME_CONNECT_FAILED, CHILD_SA_NOT_FOUND,
 	"ME_CONN_FAIL");
-ENUM_NEXT(notify_type_short_names, INITIAL_CONTACT, LINK_ID, ME_CONNECT_FAILED,
+ENUM_NEXT(notify_type_short_names, INITIAL_CONTACT, EAP_ONLY_AUTHENTICATION, ME_CONNECT_FAILED,
 	"INIT_CONTACT",
 	"SET_WINSIZE",
 	"ADD_TS_POSS",
@@ -160,8 +165,9 @@ ENUM_NEXT(notify_type_short_names, INITIAL_CONTACT, LINK_ID, ME_CONNECT_FAILED,
 	"TKT_ACK",
 	"TKT_NACK",
 	"TKT_OPAK",
-	"LINK_ID");
-ENUM_NEXT(notify_type_short_names, EAP_ONLY_AUTHENTICATION, EAP_ONLY_AUTHENTICATION, LINK_ID,
+	"LINK_ID",
+	"WESP_MODE",
+	"ROHC_SUP",
 	"EAP_ONLY");
 ENUM_NEXT(notify_type_short_names, USE_BEET_MODE, USE_BEET_MODE, EAP_ONLY_AUTHENTICATION,
 	"BEET_MODE");
@@ -238,29 +244,29 @@ struct private_notify_payload_t {
  */
 encoding_rule_t notify_payload_encodings[] = {
 	/* 1 Byte next payload type, stored in the field next_payload */
-	{ U_INT_8,			offsetof(private_notify_payload_t, next_payload) 		},
+	{ U_INT_8,			offsetof(private_notify_payload_t, next_payload)		},
 	/* the critical bit */
-	{ FLAG,				offsetof(private_notify_payload_t, critical) 			},
+	{ FLAG,				offsetof(private_notify_payload_t, critical)			},
 	/* 7 Bit reserved bits, nowhere stored */
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
+	{ RESERVED_BIT,	0														},
+	{ RESERVED_BIT,	0														},
+	{ RESERVED_BIT,	0														},
+	{ RESERVED_BIT,	0														},
+	{ RESERVED_BIT,	0														},
+	{ RESERVED_BIT,	0														},
+	{ RESERVED_BIT,	0														},
 	/* Length of the whole payload*/
-	{ PAYLOAD_LENGTH,	offsetof(private_notify_payload_t, payload_length) 		},
+	{ PAYLOAD_LENGTH,	offsetof(private_notify_payload_t, payload_length)		},
 	/* Protocol ID as 8 bit field*/
-	{ U_INT_8,			offsetof(private_notify_payload_t, protocol_id) 			},
+	{ U_INT_8,			offsetof(private_notify_payload_t, protocol_id)			},
 	/* SPI Size as 8 bit field*/
-	{ SPI_SIZE,			offsetof(private_notify_payload_t, spi_size) 			},
+	{ SPI_SIZE,			offsetof(private_notify_payload_t, spi_size)			},
 	/* Notify message type as 16 bit field*/
 	{ U_INT_16,			offsetof(private_notify_payload_t, notify_type)	},
 	/* SPI as variable length field*/
 	{ SPI,				offsetof(private_notify_payload_t, spi)					},
 	/* Key Exchange Data is from variable size */
-	{ NOTIFICATION_DATA,	offsetof(private_notify_payload_t, notification_data) 	}
+	{ NOTIFICATION_DATA,	offsetof(private_notify_payload_t, notification_data)	}
 };
 
 /*
diff --git a/src/libcharon/encoding/payloads/notify_payload.h b/src/libcharon/encoding/payloads/notify_payload.h
index 0e1bc23b8..8abc236e1 100644
--- a/src/libcharon/encoding/payloads/notify_payload.h
+++ b/src/libcharon/encoding/payloads/notify_payload.h
@@ -64,6 +64,9 @@ enum notify_type_t {
 	UNEXPECTED_NAT_DETECTED = 41,
 	/* mobile IPv6 bootstrapping, RFC 5026 */
 	USE_ASSIGNED_HoA = 42,
+	/* IKEv2 RFC 5996 */
+	TEMPORARY_FAILURE = 43,
+	CHILD_SA_NOT_FOUND = 44,
 
 	/* IKE-ME, private use */
 	ME_CONNECT_FAILED = 8192,
@@ -98,16 +101,21 @@ enum notify_type_t {
 	REDIRECT_SUPPORTED = 16406,
 	REDIRECT = 16407,
 	REDIRECTED_FROM = 16408,
-	/* draft-ietf-ipsecme-ikev2-resumption, assigned by IANA */
+	/* session resumption, RFC 5723 */
 	TICKET_LT_OPAQUE = 16409,
 	TICKET_REQUEST = 16410,
 	TICKET_ACK = 16411,
 	TICKET_NACK = 16412,
 	TICKET_OPAQUE = 16413,
+	/* IPv6 configuration, RFC 5739 */
 	LINK_ID = 16414,
+	/* wrapped esp, RFC 5840 */
+	USE_WESP_MODE = 16415,
+	/* robust header compression, RFC 5857 */
+	ROHC_SUPPORTED = 16416,
+	/* EAP-only authentication, RFC 5998 */
+	EAP_ONLY_AUTHENTICATION = 16417,
 
-	/* draft-eronen-ipsec-ikev2-eap-auth, not assigned by IANA yet */
-	EAP_ONLY_AUTHENTICATION = 40960,
 	/* BEET mode, not even a draft yet. private use */
 	USE_BEET_MODE = 40961,
 	/* IKE-ME, private use */
@@ -144,7 +152,7 @@ struct notify_payload_t {
 	/**
 	 * Gets the protocol id of this payload.
 	 *
-	 * @return 			protocol id of this payload
+	 * @return			protocol id of this payload
 	 */
 	u_int8_t (*get_protocol_id) (notify_payload_t *this);
 
@@ -158,7 +166,7 @@ struct notify_payload_t {
 	/**
 	 * Gets the notify message type of this payload.
 	 *
-	 * @return 			notify message type of this payload
+	 * @return			notify message type of this payload
 	 */
 	notify_type_t (*get_notify_type) (notify_payload_t *this);
 
@@ -174,7 +182,7 @@ struct notify_payload_t {
 	 *
 	 * This is only valid for notifys with protocol AH|ESP
 	 *
-	 * @return 		SPI value
+	 * @return		SPI value
 	 */
 	u_int32_t (*get_spi) (notify_payload_t *this);
 
@@ -192,7 +200,7 @@ struct notify_payload_t {
 	 *
 	 * Returned data are not copied.
 	 *
-	 * @return 		chunk_t pointing to the value
+	 * @return		chunk_t pointing to the value
 	 */
 	chunk_t (*get_notification_data) (notify_payload_t *this);
 
@@ -201,7 +209,7 @@ struct notify_payload_t {
 	 *
 	 * @warning Value is getting copied.
 	 *
-	 * @param notification_data 	chunk_t pointing to the value to set
+	 * @param notification_data	chunk_t pointing to the value to set
 	 */
 	void (*set_notification_data) (notify_payload_t *this,
 								   chunk_t notification_data);
diff --git a/src/libcharon/encoding/payloads/proposal_substructure.c b/src/libcharon/encoding/payloads/proposal_substructure.c
index c93f73a68..985b03255 100644
--- a/src/libcharon/encoding/payloads/proposal_substructure.c
+++ b/src/libcharon/encoding/payloads/proposal_substructure.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005-2010 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
  *
@@ -24,20 +24,18 @@
 #include <utils/linked_list.h>
 #include <daemon.h>
 
-
 /**
  * IKEv1 Value for a proposal payload.
  */
 #define PROPOSAL_TYPE_VALUE 2
 
-
 typedef struct private_proposal_substructure_t private_proposal_substructure_t;
 
 /**
  * Private data of an proposal_substructure_t object.
- *
  */
 struct private_proposal_substructure_t {
+
 	/**
 	 * Public proposal_substructure_t interface.
 	 */
@@ -92,24 +90,24 @@ struct private_proposal_substructure_t {
  */
 encoding_rule_t proposal_substructure_encodings[] = {
 	/* 1 Byte next payload type, stored in the field next_payload */
-	{ U_INT_8,			offsetof(private_proposal_substructure_t, next_payload) 		},
+	{ U_INT_8,			offsetof(private_proposal_substructure_t, next_payload)		},
 	/* Reserved Byte is skipped */
-	{ RESERVED_BYTE,		0															},
+	{ RESERVED_BYTE,	0															},
 	/* Length of the whole proposal substructure payload*/
-	{ PAYLOAD_LENGTH,		offsetof(private_proposal_substructure_t, proposal_length) 	},
+	{ PAYLOAD_LENGTH,	offsetof(private_proposal_substructure_t, proposal_length)	},
 	/* proposal number is a number of 8 bit */
-	{ U_INT_8,				offsetof(private_proposal_substructure_t, proposal_number) 	},
+	{ U_INT_8,			offsetof(private_proposal_substructure_t, proposal_number)	},
 	/* protocol ID is a number of 8 bit */
-	{ U_INT_8,				offsetof(private_proposal_substructure_t, protocol_id)		},
+	{ U_INT_8,			offsetof(private_proposal_substructure_t, protocol_id)		},
 	/* SPI Size has its own type */
-	{ SPI_SIZE,				offsetof(private_proposal_substructure_t, spi_size)			},
+	{ SPI_SIZE,			offsetof(private_proposal_substructure_t, spi_size)			},
 	/* Number of transforms is a number of 8 bit */
-	{ U_INT_8,				offsetof(private_proposal_substructure_t, transforms_count)	},
+	{ U_INT_8,			offsetof(private_proposal_substructure_t, transforms_count)	},
 	/* SPI is a chunk of variable size*/
-	{ SPI,					offsetof(private_proposal_substructure_t, spi)				},
+	{ SPI,				offsetof(private_proposal_substructure_t, spi)				},
 	/* Transforms are stored in a transform substructure,
 	   offset points to a linked_list_t pointer */
-	{ TRANSFORMS,			offsetof(private_proposal_substructure_t, transforms) 		}
+	{ TRANSFORMS,		offsetof(private_proposal_substructure_t, transforms)		}
 };
 
 /*
@@ -128,16 +126,14 @@ encoding_rule_t proposal_substructure_encodings[] = {
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 */
 
-/**
- * Implementation of payload_t.verify.
- */
-static status_t verify(private_proposal_substructure_t *this)
+METHOD(payload_t, verify, status_t,
+	private_proposal_substructure_t *this)
 {
 	status_t status = SUCCESS;
-	iterator_t *iterator;
-	payload_t *current_transform;
+	enumerator_t *enumerator;
+	payload_t *current;
 
-	if ((this->next_payload != NO_PAYLOAD) && (this->next_payload != 2))
+	if (this->next_payload != NO_PAYLOAD && this->next_payload != 2)
 	{
 		/* must be 0 or 2 */
 		DBG1(DBG_ENC, "inconsistent next payload");
@@ -169,61 +165,46 @@ static status_t verify(private_proposal_substructure_t *this)
 			}
 			break;
 		default:
-			DBG1(DBG_ENC, "invalid proposal protocol (%d)", this->protocol_id);
-			return FAILED;
-	}
-	if ((this->protocol_id == 0) || (this->protocol_id >= 4))
-	{
-		/* reserved are not supported */
-		DBG1(DBG_ENC, "invalid protocol");
-		return FAILED;
+			break;
 	}
-
-	iterator = this->transforms->create_iterator(this->transforms,TRUE);
-	while(iterator->iterate(iterator, (void**)&current_transform))
+	enumerator = this->transforms->create_enumerator(this->transforms);
+	while (enumerator->enumerate(enumerator, &current))
 	{
-		status = current_transform->verify(current_transform);
+		status = current->verify(current);
 		if (status != SUCCESS)
 		{
 			DBG1(DBG_ENC, "TRANSFORM_SUBSTRUCTURE verification failed");
 			break;
 		}
 	}
-	iterator->destroy(iterator);
+	enumerator->destroy(enumerator);
 
 	/* proposal number is checked in SA payload */
 	return status;
 }
 
-/**
- * Implementation of payload_t.get_encoding_rules.
- */
-static void get_encoding_rules(private_proposal_substructure_t *this, encoding_rule_t **rules, size_t *rule_count)
+METHOD(payload_t, get_encoding_rules, void,
+	private_proposal_substructure_t *this, encoding_rule_t **rules,
+	size_t *rule_count)
 {
 	*rules = proposal_substructure_encodings;
-	*rule_count = sizeof(proposal_substructure_encodings) / sizeof(encoding_rule_t);
+	*rule_count = countof(proposal_substructure_encodings);
 }
 
-/**
- * Implementation of payload_t.get_type.
- */
-static payload_type_t get_type(private_proposal_substructure_t *this)
+METHOD(payload_t, get_type, payload_type_t,
+	private_proposal_substructure_t *this)
 {
 	return PROPOSAL_SUBSTRUCTURE;
 }
 
-/**
- * Implementation of payload_t.get_next_type.
- */
-static payload_type_t get_next_type(private_proposal_substructure_t *this)
+METHOD(payload_t, get_next_type, payload_type_t,
+	private_proposal_substructure_t *this)
 {
-	return (this->next_payload);
+	return this->next_payload;
 }
 
-/**
- * Implementation of payload_t.set_next_type.
- */
-static void set_next_type(private_proposal_substructure_t *this,payload_type_t type)
+METHOD(payload_t, set_next_type, void,
+	private_proposal_substructure_t *this, payload_type_t type)
 {
 }
 
@@ -250,145 +231,88 @@ static void compute_length(private_proposal_substructure_t *this)
 	this->proposal_length = length;
 }
 
-/**
- * Implementation of payload_t.get_length.
- */
-static size_t get_length(private_proposal_substructure_t *this)
+METHOD(payload_t, get_length, size_t,
+	private_proposal_substructure_t *this)
 {
 	compute_length(this);
 	return this->proposal_length;
 }
 
 /**
- * Implementation of proposal_substructure_t.create_transform_substructure_iterator.
- */
-static iterator_t *create_transform_substructure_iterator (private_proposal_substructure_t *this,bool forward)
-{
-	return (this->transforms->create_iterator(this->transforms,forward));
-}
-
-/**
- * Implementation of proposal_substructure_t.add_transform_substructure.
+ * Add a transform substructure to the proposal
  */
-static void add_transform_substructure (private_proposal_substructure_t *this,transform_substructure_t *transform)
+static void add_transform_substructure(private_proposal_substructure_t *this,
+									   transform_substructure_t *transform)
 {
-	status_t status;
 	if (this->transforms->get_count(this->transforms) > 0)
 	{
-		transform_substructure_t *last_transform;
-		status = this->transforms->get_last(this->transforms,(void **) &last_transform);
-		/* last transform is now not anymore last one */
-		last_transform->set_is_last_transform(last_transform,FALSE);
+		transform_substructure_t *last;
 
+		this->transforms->get_last(this->transforms, (void **)&last);
+		last->set_is_last_transform(last, FALSE);
 	}
 	transform->set_is_last_transform(transform,TRUE);
-
-	this->transforms->insert_last(this->transforms,(void *) transform);
+	this->transforms->insert_last(this->transforms, transform);
 	compute_length(this);
 }
 
-/**
- * Implementation of proposal_substructure_t.proposal_substructure_t.
- */
-static void set_is_last_proposal (private_proposal_substructure_t *this, bool is_last)
+METHOD(proposal_substructure_t, set_is_last_proposal, void,
+	private_proposal_substructure_t *this, bool is_last)
 {
-	this->next_payload = (is_last) ? 0: PROPOSAL_TYPE_VALUE;
+	this->next_payload = is_last ? 0 : PROPOSAL_TYPE_VALUE;
 }
 
-/**
- * Implementation of proposal_substructure_t.set_proposal_number.
- */
-static void set_proposal_number(private_proposal_substructure_t *this,u_int8_t proposal_number)
+METHOD(proposal_substructure_t, set_proposal_number, void,
+	private_proposal_substructure_t *this,u_int8_t proposal_number)
 {
 	this->proposal_number = proposal_number;
 }
 
-/**
- * Implementation of proposal_substructure_t.get_proposal_number.
- */
-static u_int8_t get_proposal_number (private_proposal_substructure_t *this)
+METHOD(proposal_substructure_t, get_proposal_number, u_int8_t,
+	private_proposal_substructure_t *this)
 {
-	return (this->proposal_number);
+	return this->proposal_number;
 }
 
-/**
- * Implementation of proposal_substructure_t.set_protocol_id.
- */
-static void set_protocol_id(private_proposal_substructure_t *this,u_int8_t protocol_id)
+METHOD(proposal_substructure_t, set_protocol_id, void,
+	private_proposal_substructure_t *this,u_int8_t protocol_id)
 {
 	this->protocol_id = protocol_id;
 }
 
-/**
- * Implementation of proposal_substructure_t.get_protocol_id.
- */
-static u_int8_t get_protocol_id(private_proposal_substructure_t *this)
+METHOD(proposal_substructure_t, get_protocol_id, u_int8_t,
+	private_proposal_substructure_t *this)
 {
-	return (this->protocol_id);
+	return this->protocol_id;
 }
 
-/**
- * Implementation of proposal_substructure_t.set_spi.
- */
-static void set_spi(private_proposal_substructure_t *this, chunk_t spi)
+METHOD(proposal_substructure_t, set_spi, void,
+	private_proposal_substructure_t *this, chunk_t spi)
 {
-	/* first delete already set spi value */
-	if (this->spi.ptr != NULL)
-	{
-		free(this->spi.ptr);
-		this->spi.ptr = NULL;
-		this->spi.len = 0;
-		compute_length(this);
-	}
-
-	this->spi.ptr = clalloc(spi.ptr,spi.len);
-	this->spi.len = spi.len;
+	free(this->spi.ptr);
+	this->spi = chunk_clone(spi);
 	this->spi_size = spi.len;
 	compute_length(this);
 }
 
-/**
- * Implementation of proposal_substructure_t.get_spi.
- */
-static chunk_t get_spi(private_proposal_substructure_t *this)
-{
-	chunk_t spi;
-	spi.ptr = this->spi.ptr;
-	spi.len = this->spi.len;
-
-	return spi;
-}
-
-/**
- * Implementation of proposal_substructure_t.get_transform_count.
- */
-static size_t get_transform_count (private_proposal_substructure_t *this)
-{
-	return this->transforms->get_count(this->transforms);
-}
-
-/**
- * Implementation of proposal_substructure_t.get_spi_size.
- */
-static size_t get_spi_size (private_proposal_substructure_t *this)
+METHOD(proposal_substructure_t, get_spi, chunk_t,
+	private_proposal_substructure_t *this)
 {
-	return this->spi.len;
+	return this->spi;
 }
 
-/**
- * Implementation of proposal_substructure_t.get_proposal.
- */
-proposal_t* get_proposal(private_proposal_substructure_t *this)
+METHOD(proposal_substructure_t, get_proposal, proposal_t*,
+	private_proposal_substructure_t *this)
 {
-	iterator_t *iterator;
+	enumerator_t *enumerator;
 	transform_substructure_t *transform;
 	proposal_t *proposal;
 	u_int64_t spi;
 
-	proposal = proposal_create(this->protocol_id);
+	proposal = proposal_create(this->protocol_id, this->proposal_number);
 
-	iterator = this->transforms->create_iterator(this->transforms, TRUE);
-	while (iterator->iterate(iterator, (void**)&transform))
+	enumerator = this->transforms->create_enumerator(this->transforms);
+	while (enumerator->enumerate(enumerator, &transform))
 	{
 		transform_type_t transform_type;
 		u_int16_t transform_id;
@@ -400,7 +324,7 @@ proposal_t* get_proposal(private_proposal_substructure_t *this)
 
 		proposal->add_algorithm(proposal, transform_type, transform_id, key_length);
 	}
-	iterator->destroy(iterator);
+	enumerator->destroy(enumerator);
 
 	switch (this->spi.len)
 	{
@@ -418,42 +342,36 @@ proposal_t* get_proposal(private_proposal_substructure_t *this)
 	return proposal;
 }
 
-/**
- * Implementation of proposal_substructure_t.clone.
- */
-static private_proposal_substructure_t* clone_(private_proposal_substructure_t *this)
+METHOD(proposal_substructure_t, clone_, proposal_substructure_t*,
+	private_proposal_substructure_t *this)
 {
 	private_proposal_substructure_t *clone;
-	iterator_t *transforms;
-	transform_substructure_t *current_transform;
+	enumerator_t *enumerator;
+	transform_substructure_t *current;
 
-	clone = (private_proposal_substructure_t *) proposal_substructure_create();
+	clone = (private_proposal_substructure_t*)proposal_substructure_create();
 	clone->next_payload = this->next_payload;
 	clone->proposal_number = this->proposal_number;
 	clone->protocol_id = this->protocol_id;
 	clone->spi_size = this->spi_size;
 	if (this->spi.ptr != NULL)
 	{
-		clone->spi.ptr = clalloc(this->spi.ptr,this->spi.len);
+		clone->spi.ptr = clalloc(this->spi.ptr, this->spi.len);
 		clone->spi.len = this->spi.len;
 	}
-
-	transforms = this->transforms->create_iterator(this->transforms,FALSE);
-	while (transforms->iterate(transforms, (void**)&current_transform))
+	enumerator = this->transforms->create_enumerator(this->transforms);
+	while (enumerator->enumerate(enumerator, &current))
 	{
-		current_transform = current_transform->clone(current_transform);
-		clone->public.add_transform_substructure(&clone->public, current_transform);
+		current = current->clone(current);
+		add_transform_substructure(clone, current);
 	}
-	transforms->destroy(transforms);
+	enumerator->destroy(enumerator);
 
-	return clone;
+	return &clone->public;
 }
 
-/**
- * Implements payload_t's and proposal_substructure_t's destroy function.
- * See #payload_s.destroy or proposal_substructure_s.destroy for description.
- */
-static void destroy(private_proposal_substructure_t *this)
+METHOD2(payload_t, proposal_substructure_t, destroy, void,
+	private_proposal_substructure_t *this)
 {
 	this->transforms->destroy_offset(this->transforms,
 									 offsetof(transform_substructure_t, destroy));
@@ -466,53 +384,42 @@ static void destroy(private_proposal_substructure_t *this)
  */
 proposal_substructure_t *proposal_substructure_create()
 {
-	private_proposal_substructure_t *this = malloc_thing(private_proposal_substructure_t);
-
-	/* interface functions */
-	this->public.payload_interface.verify = (status_t (*) (payload_t *))verify;
-	this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules;
-	this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length;
-	this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type;
-	this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
-	this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_type;
-	this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
-
-
-	/* public functions */
-	this->public.create_transform_substructure_iterator = (iterator_t* (*) (proposal_substructure_t *,bool)) create_transform_substructure_iterator;
-	this->public.add_transform_substructure = (void (*) (proposal_substructure_t *,transform_substructure_t *)) add_transform_substructure;
-	this->public.set_proposal_number = (void (*) (proposal_substructure_t *,u_int8_t))set_proposal_number;
-	this->public.get_proposal_number = (u_int8_t (*) (proposal_substructure_t *)) get_proposal_number;
-	this->public.set_protocol_id = (void (*) (proposal_substructure_t *,u_int8_t))set_protocol_id;
-	this->public.get_protocol_id = (u_int8_t (*) (proposal_substructure_t *)) get_protocol_id;
-	this->public.set_is_last_proposal = (void (*) (proposal_substructure_t *,bool)) set_is_last_proposal;
-	this->public.get_proposal = (proposal_t* (*) (proposal_substructure_t*))get_proposal;
-	this->public.set_spi = (void (*) (proposal_substructure_t *,chunk_t))set_spi;
-	this->public.get_spi = (chunk_t (*) (proposal_substructure_t *)) get_spi;
-	this->public.get_transform_count = (size_t (*) (proposal_substructure_t *)) get_transform_count;
-	this->public.get_spi_size = (size_t (*) (proposal_substructure_t *)) get_spi_size;
-	this->public.clone = (proposal_substructure_t * (*) (proposal_substructure_t *)) clone_;
-	this->public.destroy = (void (*) (proposal_substructure_t *)) destroy;
-
-	/* set default values of the fields */
-	this->next_payload = NO_PAYLOAD;
-	this->proposal_length = 0;
-	this->proposal_number = 0;
-	this->protocol_id = 0;
-	this->transforms_count = 0;
-	this->spi_size = 0;
-	this->spi.ptr = NULL;
-	this->spi.len = 0;
-
-	this->transforms = linked_list_create();
-
-	return (&(this->public));
+	private_proposal_substructure_t *this;
+
+	INIT(this,
+		.public = {
+			.payload_interface = {
+				.verify = _verify,
+				.get_encoding_rules = _get_encoding_rules,
+				.get_length = _get_length,
+				.get_next_type = _get_next_type,
+				.set_next_type = _set_next_type,
+				.get_type = _get_type,
+				.destroy = _destroy,
+			},
+			.set_proposal_number = _set_proposal_number,
+			.get_proposal_number = _get_proposal_number,
+			.set_protocol_id = _set_protocol_id,
+			.get_protocol_id = _get_protocol_id,
+			.set_is_last_proposal = _set_is_last_proposal,
+			.get_proposal = _get_proposal,
+			.set_spi = _set_spi,
+			.get_spi = _get_spi,
+			.clone = _clone_,
+			.destroy = _destroy,
+		},
+		.next_payload = NO_PAYLOAD,
+		.transforms = linked_list_create(),
+	);
+
+	return &this->public;
 }
 
 /*
  * Described in header.
  */
-proposal_substructure_t *proposal_substructure_create_from_proposal(proposal_t *proposal)
+proposal_substructure_t *proposal_substructure_create_from_proposal(
+														proposal_t *proposal)
 {
 	transform_substructure_t *transform;
 	private_proposal_substructure_t *this;
@@ -591,7 +498,7 @@ proposal_substructure_t *proposal_substructure_create_from_proposal(proposal_t *
 		default:
 			break;
 	}
-	this->proposal_number = 0;
+	this->proposal_number = proposal->get_number(proposal);
 	this->protocol_id = proposal->get_protocol(proposal);
 
 	return &this->public;
diff --git a/src/libcharon/encoding/payloads/proposal_substructure.h b/src/libcharon/encoding/payloads/proposal_substructure.h
index 4934802af..56e7184b6 100644
--- a/src/libcharon/encoding/payloads/proposal_substructure.h
+++ b/src/libcharon/encoding/payloads/proposal_substructure.h
@@ -42,28 +42,12 @@ typedef struct proposal_substructure_t proposal_substructure_t;
  * The PROPOSAL SUBSTRUCTURE format is described in RFC section 3.3.1.
  */
 struct proposal_substructure_t {
+
 	/**
 	 * The payload_t interface.
 	 */
 	payload_t payload_interface;
 
-	/**
-	 * Creates an iterator of stored transform_substructure_t objects.
-	 *
-	 * @param forward		iterator direction (TRUE: front to end)
-	 * @return				created iterator_t object
-	 */
-	iterator_t *(*create_transform_substructure_iterator) (
-								proposal_substructure_t *this, bool forward);
-
-	/**
-	 * Adds a transform_substructure_t object to this object.
-	 *
-	 * @param transform 	transform_substructure_t object to add
-	 */
-	void (*add_transform_substructure) (proposal_substructure_t *this,
-										transform_substructure_t *transform);
-
 	/**
 	 * Sets the proposal number of current proposal.
 	 *
@@ -71,7 +55,6 @@ struct proposal_substructure_t {
 	 */
 	void (*set_proposal_number) (proposal_substructure_t *this,
 								 u_int8_t proposal_number);
-
 	/**
 	 * get proposal number of current proposal.
 	 *
@@ -79,20 +62,6 @@ struct proposal_substructure_t {
 	 */
 	u_int8_t (*get_proposal_number) (proposal_substructure_t *this);
 
-	/**
-	 * get the number of transforms in current proposal.
-	 *
-	 * @return 			transform count in current proposal
-	 */
-	size_t (*get_transform_count) (proposal_substructure_t *this);
-
-	/**
-	 * get size of the set spi in bytes.
-	 *
-	 * @return 			size of the spi in bytes
-	 */
-	size_t (*get_spi_size) (proposal_substructure_t *this);
-
 	/**
 	 * Sets the protocol id of current proposal.
 	 *
diff --git a/src/libcharon/encoding/payloads/sa_payload.c b/src/libcharon/encoding/payloads/sa_payload.c
index 187a8fee0..4fbd4cac0 100644
--- a/src/libcharon/encoding/payloads/sa_payload.c
+++ b/src/libcharon/encoding/payloads/sa_payload.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005-2010 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
  *
@@ -27,9 +27,9 @@ typedef struct private_sa_payload_t private_sa_payload_t;
 
 /**
  * Private data of an sa_payload_t object.
- *
  */
 struct private_sa_payload_t {
+
 	/**
 	 * Public sa_payload_t interface.
 	 */
@@ -61,26 +61,25 @@ struct private_sa_payload_t {
  *
  * The defined offsets are the positions in a object of type
  * private_sa_payload_t.
- *
  */
 encoding_rule_t sa_payload_encodings[] = {
 	/* 1 Byte next payload type, stored in the field next_payload */
-	{ U_INT_8,		offsetof(private_sa_payload_t, next_payload) 			},
+	{ U_INT_8,			offsetof(private_sa_payload_t, next_payload)		},
 	/* the critical bit */
-	{ FLAG,			offsetof(private_sa_payload_t, critical) 				},
+	{ FLAG,				offsetof(private_sa_payload_t, critical)			},
 	/* 7 Bit reserved bits, nowhere stored */
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
+	{ RESERVED_BIT,		0													},
+	{ RESERVED_BIT,		0													},
+	{ RESERVED_BIT,		0													},
+	{ RESERVED_BIT,		0													},
+	{ RESERVED_BIT,		0													},
+	{ RESERVED_BIT,		0													},
+	{ RESERVED_BIT,		0													},
 	/* Length of the whole SA payload*/
-	{ PAYLOAD_LENGTH,		offsetof(private_sa_payload_t, payload_length) 	},
+	{ PAYLOAD_LENGTH,	offsetof(private_sa_payload_t, payload_length)		},
 	/* Proposals are stored in a proposal substructure,
 	   offset points to a linked_list_t pointer */
-	{ PROPOSALS,		offsetof(private_sa_payload_t, proposals) 				}
+	{ PROPOSALS,		offsetof(private_sa_payload_t, proposals)			},
 };
 
 /*
@@ -95,26 +94,23 @@ encoding_rule_t sa_payload_encodings[] = {
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 */
 
-/**
- * Implementation of payload_t.verify.
- */
-static status_t verify(private_sa_payload_t *this)
+METHOD(payload_t, verify, status_t,
+	private_sa_payload_t *this)
 {
 	int expected_number = 1, current_number;
 	status_t status = SUCCESS;
-	iterator_t *iterator;
-	proposal_substructure_t *current_proposal;
+	enumerator_t *enumerator;
+	proposal_substructure_t *substruct;
 	bool first = TRUE;
 
 	/* check proposal numbering */
-	iterator = this->proposals->create_iterator(this->proposals,TRUE);
-
-	while(iterator->iterate(iterator, (void**)&current_proposal))
+	enumerator = this->proposals->create_enumerator(this->proposals);
+	while (enumerator->enumerate(enumerator, (void**)&substruct))
 	{
-		current_number = current_proposal->get_proposal_number(current_proposal);
+		current_number = substruct->get_proposal_number(substruct);
 		if (current_number < expected_number)
 		{
-			if (current_number != (expected_number + 1))
+			if (current_number != expected_number + 1)
 			{
 				DBG1(DBG_ENC, "proposal number is %d, expected %d or %d",
 					 current_number, expected_number, expected_number + 1);
@@ -124,13 +120,12 @@ static status_t verify(private_sa_payload_t *this)
 		}
 		else if (current_number < expected_number)
 		{
-			/* must not be smaller then proceeding one */
-			DBG1(DBG_ENC, "proposal number smaller than that of previous proposal");
+			DBG1(DBG_ENC, "proposal number smaller than previous");
 			status = FAILED;
 			break;
 		}
 
-		status = current_proposal->payload_interface.verify(&(current_proposal->payload_interface));
+		status = substruct->payload_interface.verify(&substruct->payload_interface);
 		if (status != SUCCESS)
 		{
 			DBG1(DBG_ENC, "PROPOSAL_SUBSTRUCTURE verification failed");
@@ -139,52 +134,31 @@ static status_t verify(private_sa_payload_t *this)
 		first = FALSE;
 		expected_number = current_number;
 	}
-
-	iterator->destroy(iterator);
+	enumerator->destroy(enumerator);
 	return status;
 }
 
-
-/**
- * Implementation of payload_t.destroy and sa_payload_t.destroy.
- */
-static status_t destroy(private_sa_payload_t *this)
-{
-	this->proposals->destroy_offset(this->proposals,
-									offsetof(proposal_substructure_t, destroy));
-	free(this);
-	return SUCCESS;
-}
-
-/**
- * Implementation of payload_t.get_encoding_rules.
- */
-static void get_encoding_rules(private_sa_payload_t *this, encoding_rule_t **rules, size_t *rule_count)
+METHOD(payload_t, get_encoding_rules, void,
+	private_sa_payload_t *this, encoding_rule_t **rules, size_t *rule_count)
 {
 	*rules = sa_payload_encodings;
-	*rule_count = sizeof(sa_payload_encodings) / sizeof(encoding_rule_t);
+	*rule_count = countof(sa_payload_encodings);
 }
 
-/**
- * Implementation of payload_t.get_type.
- */
-static payload_type_t get_type(private_sa_payload_t *this)
+METHOD(payload_t, get_type, payload_type_t,
+	private_sa_payload_t *this)
 {
 	return SECURITY_ASSOCIATION;
 }
 
-/**
- * Implementation of payload_t.get_next_type.
- */
-static payload_type_t get_next_type(private_sa_payload_t *this)
+METHOD(payload_t, get_next_type, payload_type_t,
+	private_sa_payload_t *this)
 {
-	return (this->next_payload);
+	return this->next_payload;
 }
 
-/**
- * Implementation of payload_t.set_next_type.
- */
-static void set_next_type(private_sa_payload_t *this,payload_type_t type)
+METHOD(payload_t, set_next_type, void,
+	private_sa_payload_t *this,payload_type_t type)
 {
 	this->next_payload = type;
 }
@@ -192,116 +166,104 @@ static void set_next_type(private_sa_payload_t *this,payload_type_t type)
 /**
  * recompute length of the payload.
  */
-static void compute_length (private_sa_payload_t *this)
+static void compute_length(private_sa_payload_t *this)
 {
-	iterator_t *iterator;
-	payload_t *current_proposal;
+	enumerator_t *enumerator;
+	payload_t *current;
 	size_t length = SA_PAYLOAD_HEADER_LENGTH;
 
-	iterator = this->proposals->create_iterator(this->proposals,TRUE);
-	while (iterator->iterate(iterator, (void **)&current_proposal))
+	enumerator = this->proposals->create_enumerator(this->proposals);
+	while (enumerator->enumerate(enumerator, (void **)&current))
 	{
-		length += current_proposal->get_length(current_proposal);
+		length += current->get_length(current);
 	}
-	iterator->destroy(iterator);
+	enumerator->destroy(enumerator);
 
 	this->payload_length = length;
 }
 
-/**
- * Implementation of payload_t.get_length.
- */
-static size_t get_length(private_sa_payload_t *this)
+METHOD(payload_t, get_length, size_t,
+	private_sa_payload_t *this)
 {
 	compute_length(this);
 	return this->payload_length;
 }
 
-/**
- * Implementation of sa_payload_t.create_proposal_substructure_iterator.
- */
-static iterator_t *create_proposal_substructure_iterator (private_sa_payload_t *this,bool forward)
+METHOD(sa_payload_t, add_proposal, void,
+	private_sa_payload_t *this, proposal_t *proposal)
 {
-	return this->proposals->create_iterator(this->proposals,forward);
-}
+	proposal_substructure_t *substruct, *last;
+	u_int count;
 
-/**
- * Implementation of sa_payload_t.add_proposal_substructure.
- */
-static void add_proposal_substructure(private_sa_payload_t *this,proposal_substructure_t *proposal)
-{
-	status_t status;
-	u_int proposal_count = this->proposals->get_count(this->proposals);
-
-	if (proposal_count > 0)
+	count = this->proposals->get_count(this->proposals);
+	substruct = proposal_substructure_create_from_proposal(proposal);
+	if (count > 0)
 	{
-		proposal_substructure_t *last_proposal;
-		status = this->proposals->get_last(this->proposals,(void **) &last_proposal);
+		this->proposals->get_last(this->proposals, (void**)&last);
 		/* last transform is now not anymore last one */
-		last_proposal->set_is_last_proposal(last_proposal, FALSE);
+		last->set_is_last_proposal(last, FALSE);
+	}
+	substruct->set_is_last_proposal(substruct, TRUE);
+	if (proposal->get_number(proposal))
+	{	/* use the selected proposals number, if any */
+		substruct->set_proposal_number(substruct, proposal->get_number(proposal));
+	}
+	else
+	{
+		substruct->set_proposal_number(substruct, count + 1);
 	}
-	proposal->set_is_last_proposal(proposal, TRUE);
-	proposal->set_proposal_number(proposal, proposal_count + 1);
-	this->proposals->insert_last(this->proposals,(void *) proposal);
+	this->proposals->insert_last(this->proposals, substruct);
 	compute_length(this);
 }
 
-/**
- * Implementation of sa_payload_t.add_proposal.
- */
-static void add_proposal(private_sa_payload_t *this, proposal_t *proposal)
-{
-	proposal_substructure_t *substructure;
-
-	substructure = proposal_substructure_create_from_proposal(proposal);
-	add_proposal_substructure(this, substructure);
-}
-
-/**
- * Implementation of sa_payload_t.get_proposals.
- */
-static linked_list_t *get_proposals(private_sa_payload_t *this)
+METHOD(sa_payload_t, get_proposals, linked_list_t*,
+	private_sa_payload_t *this)
 {
 	int struct_number = 0;
 	int ignore_struct_number = 0;
-	iterator_t *iterator;
-	proposal_substructure_t *proposal_struct;
-	linked_list_t *proposal_list;
-
-	/* this list will hold our proposals */
-	proposal_list = linked_list_create();
+	enumerator_t *enumerator;
+	proposal_substructure_t *substruct;
+	linked_list_t *list;
+	proposal_t *proposal;
 
+	list = linked_list_create();
 	/* we do not support proposals split up to two proposal substructures, as
 	 * AH+ESP bundles are not supported in RFC4301 anymore.
 	 * To handle such structures safely, we just skip proposals with multiple
 	 * protocols.
 	 */
-	iterator = this->proposals->create_iterator(this->proposals, TRUE);
-	while (iterator->iterate(iterator, (void **)&proposal_struct))
+	enumerator = this->proposals->create_enumerator(this->proposals);
+	while (enumerator->enumerate(enumerator, &substruct))
 	{
-		proposal_t *proposal;
-
 		/* check if a proposal has a single protocol */
-		if (proposal_struct->get_proposal_number(proposal_struct) == struct_number)
+		if (substruct->get_proposal_number(substruct) == struct_number)
 		{
 			if (ignore_struct_number < struct_number)
 			{
-				/* remova an already added, if first of series */
-				proposal_list->remove_last(proposal_list, (void**)&proposal);
+				/* remove an already added, if first of series */
+				list->remove_last(list, (void**)&proposal);
 				proposal->destroy(proposal);
 				ignore_struct_number = struct_number;
 			}
 			continue;
 		}
 		struct_number++;
-		proposal = proposal_struct->get_proposal(proposal_struct);
+		proposal = substruct->get_proposal(substruct);
 		if (proposal)
 		{
-			proposal_list->insert_last(proposal_list, proposal);
+			list->insert_last(list, proposal);
 		}
 	}
-	iterator->destroy(iterator);
-	return proposal_list;
+	enumerator->destroy(enumerator);
+	return list;
+}
+
+METHOD2(payload_t, sa_payload_t, destroy, void,
+	private_sa_payload_t *this)
+{
+	this->proposals->destroy_offset(this->proposals,
+									offsetof(proposal_substructure_t, destroy));
+	free(this);
 }
 
 /*
@@ -309,29 +271,27 @@ static linked_list_t *get_proposals(private_sa_payload_t *this)
  */
 sa_payload_t *sa_payload_create()
 {
-	private_sa_payload_t *this = malloc_thing(private_sa_payload_t);
-
-	/* public interface */
-	this->public.payload_interface.verify = (status_t (*) (payload_t *))verify;
-	this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules;
-	this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length;
-	this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type;
-	this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
-	this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_type;
-	this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
-
-	/* public functions */
-	this->public.create_proposal_substructure_iterator = (iterator_t* (*) (sa_payload_t *,bool)) create_proposal_substructure_iterator;
-	this->public.add_proposal_substructure = (void (*) (sa_payload_t *,proposal_substructure_t *)) add_proposal_substructure;
-	this->public.add_proposal = (void (*) (sa_payload_t*,proposal_t*))add_proposal;
-	this->public.get_proposals = (linked_list_t* (*) (sa_payload_t *)) get_proposals;
-	this->public.destroy = (void (*) (sa_payload_t *)) destroy;
-
-	/* set default values of the fields */
-	this->critical = FALSE;
-	this->next_payload = NO_PAYLOAD;
-	this->payload_length = SA_PAYLOAD_HEADER_LENGTH;
-	this->proposals = linked_list_create();
+	private_sa_payload_t *this;
+
+	INIT(this,
+		.public = {
+			.payload_interface = {
+				.verify = _verify,
+				.get_encoding_rules = _get_encoding_rules,
+				.get_length = _get_length,
+				.get_next_type = _get_next_type,
+				.set_next_type = _set_next_type,
+				.get_type = _get_type,
+				.destroy = _destroy,
+			},
+			.add_proposal = _add_proposal,
+			.get_proposals = _get_proposals,
+			.destroy = _destroy,
+		},
+		.next_payload = NO_PAYLOAD,
+		.payload_length = SA_PAYLOAD_HEADER_LENGTH,
+		.proposals = linked_list_create(),
+	);
 	return &this->public;
 }
 
@@ -340,19 +300,19 @@ sa_payload_t *sa_payload_create()
  */
 sa_payload_t *sa_payload_create_from_proposal_list(linked_list_t *proposals)
 {
-	iterator_t *iterator;
+	private_sa_payload_t *this;
+	enumerator_t *enumerator;
 	proposal_t *proposal;
-	sa_payload_t *sa_payload = sa_payload_create();
 
-	/* add every payload from the list */
-	iterator = proposals->create_iterator(proposals, TRUE);
-	while (iterator->iterate(iterator, (void**)&proposal))
+	this = (private_sa_payload_t*)sa_payload_create();
+	enumerator = proposals->create_enumerator(proposals);
+	while (enumerator->enumerate(enumerator, &proposal))
 	{
-		add_proposal((private_sa_payload_t*)sa_payload, proposal);
+		add_proposal(this, proposal);
 	}
-	iterator->destroy(iterator);
+	enumerator->destroy(enumerator);
 
-	return sa_payload;
+	return &this->public;
 }
 
 /*
@@ -360,9 +320,10 @@ sa_payload_t *sa_payload_create_from_proposal_list(linked_list_t *proposals)
  */
 sa_payload_t *sa_payload_create_from_proposal(proposal_t *proposal)
 {
-	sa_payload_t *sa_payload = sa_payload_create();
+	private_sa_payload_t *this;
 
-	add_proposal((private_sa_payload_t*)sa_payload, proposal);
+	this = (private_sa_payload_t*)sa_payload_create();
+	add_proposal(this, proposal);
 
-	return sa_payload;
+	return &this->public;
 }
diff --git a/src/libcharon/encoding/payloads/sa_payload.h b/src/libcharon/encoding/payloads/sa_payload.h
index 25f5a2407..801a70738 100644
--- a/src/libcharon/encoding/payloads/sa_payload.h
+++ b/src/libcharon/encoding/payloads/sa_payload.h
@@ -40,32 +40,12 @@ typedef struct sa_payload_t sa_payload_t;
  * The SA Payload format is described in RFC section 3.3.
  */
 struct sa_payload_t {
+
 	/**
 	 * The payload_t interface.
 	 */
 	payload_t payload_interface;
 
-	/**
-	 * Creates an iterator of stored proposal_substructure_t objects.
-	 *
-	 * When deleting an proposal using this iterator,
-	 * the length of this transform substructure has to be refreshed
-	 * by calling get_length()!
-	 *
-	 * @param forward 		iterator direction (TRUE: front to end)
-	 * @return				created iterator_t object
-	 */
-	iterator_t *(*create_proposal_substructure_iterator) (sa_payload_t *this,
-														  bool forward);
-
-	/**
-	 * Adds a proposal_substructure_t object to this object.
-	 *
-	 * @param proposal  		proposal_substructure_t object to add
-	 */
-	void (*add_proposal_substructure) (sa_payload_t *this,
-									   proposal_substructure_t *proposal);
-
 	/**
 	 * Gets the proposals in this payload as a list.
 	 *
diff --git a/src/libcharon/kernel/kernel_handler.c b/src/libcharon/kernel/kernel_handler.c
new file mode 100644
index 000000000..d9e39fe43
--- /dev/null
+++ b/src/libcharon/kernel/kernel_handler.c
@@ -0,0 +1,163 @@
+/*
+ * Copyright (C) 2010 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "kernel_handler.h"
+
+#include <hydra.h>
+#include <daemon.h>
+#include <processing/jobs/acquire_job.h>
+#include <processing/jobs/delete_child_sa_job.h>
+#include <processing/jobs/migrate_job.h>
+#include <processing/jobs/rekey_child_sa_job.h>
+#include <processing/jobs/roam_job.h>
+#include <processing/jobs/update_sa_job.h>
+
+typedef struct private_kernel_handler_t private_kernel_handler_t;
+
+/**
+ * Private data of a kernel_handler_t object.
+ */
+struct private_kernel_handler_t {
+
+	/**
+	 * Public part of kernel_handler_t object.
+	 */
+	kernel_handler_t public;
+
+};
+
+/**
+ * convert an IP protocol identifier to the IKEv2 specific protocol identifier.
+ */
+static inline protocol_id_t proto_ip2ike(u_int8_t protocol)
+{
+	switch (protocol)
+	{
+		case IPPROTO_ESP:
+			return PROTO_ESP;
+		case IPPROTO_AH:
+			return PROTO_AH;
+		default:
+			return protocol;
+	}
+}
+
+METHOD(kernel_listener_t, acquire, bool,
+	   private_kernel_handler_t *this, u_int32_t reqid,
+	   traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
+{
+	job_t *job;
+	if (src_ts && dst_ts)
+	{
+		DBG1(DBG_KNL, "creating acquire job for policy %R === %R "
+					  "with reqid {%u}", src_ts, dst_ts, reqid);
+	}
+	else
+	{
+		DBG1(DBG_KNL, "creating acquire job for policy with reqid {%u}", reqid);
+	}
+	job = (job_t*)acquire_job_create(reqid, src_ts, dst_ts);
+	lib->processor->queue_job(lib->processor, job);
+	return TRUE;
+}
+
+METHOD(kernel_listener_t, expire, bool,
+	   private_kernel_handler_t *this, u_int32_t reqid, u_int8_t protocol,
+	   u_int32_t spi, bool hard)
+{
+	job_t *job;
+	protocol_id_t proto = proto_ip2ike(protocol);
+	DBG1(DBG_KNL, "creating %s job for %N CHILD_SA with SPI %.8x "
+				  "and reqid {%u}", hard ? "delete" : "rekey",
+				  protocol_id_names, proto, ntohl(spi), reqid);
+	if (hard)
+	{
+		job = (job_t*)delete_child_sa_job_create(reqid, proto, spi);
+	}
+	else
+	{
+		job = (job_t*)rekey_child_sa_job_create(reqid, proto, spi);
+	}
+	lib->processor->queue_job(lib->processor, job);
+	return TRUE;
+}
+
+METHOD(kernel_listener_t, mapping, bool,
+	   private_kernel_handler_t *this, u_int32_t reqid, u_int32_t spi,
+	   host_t *remote)
+{
+	job_t *job;
+	DBG1(DBG_KNL, "NAT mappings of ESP CHILD_SA with SPI %.8x and "
+				  "reqid {%u} changed, queuing update job", ntohl(spi), reqid);
+	job = (job_t*)update_sa_job_create(reqid, remote);
+	lib->processor->queue_job(lib->processor, job);
+	return TRUE;
+}
+
+METHOD(kernel_listener_t, migrate, bool,
+	   private_kernel_handler_t *this, u_int32_t reqid,
+	   traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
+	   policy_dir_t direction, host_t *local, host_t *remote)
+{
+	job_t *job;
+	DBG1(DBG_KNL, "creating migrate job for policy %R === %R %N with "
+				  "reqid {%u}", src_ts, dst_ts, policy_dir_names, direction,
+				  reqid, local);
+	job = (job_t*)migrate_job_create(reqid, src_ts, dst_ts, direction, local,
+									 remote);
+	lib->processor->queue_job(lib->processor, job);
+	return TRUE;
+}
+
+METHOD(kernel_listener_t, roam, bool,
+	   private_kernel_handler_t *this, bool address)
+{
+	job_t *job;
+	job = (job_t*)roam_job_create(address);
+	lib->processor->queue_job(lib->processor, job);
+	return TRUE;
+}
+
+METHOD(kernel_handler_t, destroy, void,
+	   private_kernel_handler_t *this)
+{
+	hydra->kernel_interface->remove_listener(hydra->kernel_interface,
+											 &this->public.listener);
+	free(this);
+}
+
+kernel_handler_t *kernel_handler_create()
+{
+	private_kernel_handler_t *this;
+
+	INIT(this,
+		.public = {
+			.listener = {
+				.acquire = _acquire,
+				.expire = _expire,
+				.mapping = _mapping,
+				.migrate = _migrate,
+				.roam = _roam,
+			},
+			.destroy = _destroy,
+		},
+	);
+
+	hydra->kernel_interface->add_listener(hydra->kernel_interface,
+										  &this->public.listener);
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/kernel/kernel_handler.h b/src/libcharon/kernel/kernel_handler.h
new file mode 100644
index 000000000..48ad6889c
--- /dev/null
+++ b/src/libcharon/kernel/kernel_handler.h
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) 2010 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup kernel_handler kernel_handler
+ * @{ @ingroup ckernel
+ */
+
+#ifndef KERNEL_HANDLER_H_
+#define KERNEL_HANDLER_H_
+
+typedef struct kernel_handler_t kernel_handler_t;
+
+#include <kernel/kernel_listener.h>
+
+/**
+ * Listens to and handles kernel events.
+ */
+struct kernel_handler_t {
+
+	/**
+	 * Implements the kernel listener interface.
+	 */
+	kernel_listener_t listener;
+
+	/**
+	 * Destroy this instance.
+	 */
+	void (*destroy)(kernel_handler_t *this);
+
+};
+
+/**
+ * Create an object of type kernel_handler_t.
+ */
+kernel_handler_t *kernel_handler_create();
+
+#endif /** KERNEL_HANDLER_H_ @}*/
diff --git a/src/libcharon/kernel/kernel_interface.c b/src/libcharon/kernel/kernel_interface.c
deleted file mode 100644
index 837e628bc..000000000
--- a/src/libcharon/kernel/kernel_interface.c
+++ /dev/null
@@ -1,388 +0,0 @@
-/*
- * Copyright (C) 2008-2009 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- * Copyright (C) 2010 Martin Willi
- * Copyright (C) 2010 revosec AG
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "kernel_interface.h"
-
-#include <daemon.h>
-
-typedef struct private_kernel_interface_t private_kernel_interface_t;
-
-/**
- * Private data of a kernel_interface_t object.
- */
-struct private_kernel_interface_t {
-
-	/**
-	 * Public part of kernel_interface_t object.
-	 */
-	kernel_interface_t public;
-
-	/**
-	 * ipsec interface
-	 */
-	kernel_ipsec_t *ipsec;
-
-	/**
-	 * network interface
-	 */
-	kernel_net_t *net;
-};
-
-METHOD(kernel_interface_t, get_spi, status_t,
-	private_kernel_interface_t *this, host_t *src, host_t *dst,
-	protocol_id_t protocol, u_int32_t reqid, u_int32_t *spi)
-{
-	if (!this->ipsec)
-	{
-		return NOT_SUPPORTED;
-	}
-	return this->ipsec->get_spi(this->ipsec, src, dst, protocol, reqid, spi);
-}
-
-METHOD(kernel_interface_t, get_cpi, status_t,
-	private_kernel_interface_t *this, host_t *src, host_t *dst,
-	u_int32_t reqid, u_int16_t *cpi)
-{
-	if (!this->ipsec)
-	{
-		return NOT_SUPPORTED;
-	}
-	return this->ipsec->get_cpi(this->ipsec, src, dst, reqid, cpi);
-}
-
-METHOD(kernel_interface_t, add_sa, status_t,
-	private_kernel_interface_t *this, host_t *src, host_t *dst,
-	u_int32_t spi, protocol_id_t protocol, u_int32_t reqid,
-	mark_t mark, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
-	u_int16_t int_alg, chunk_t int_key,	ipsec_mode_t mode, u_int16_t ipcomp,
-	u_int16_t cpi, bool encap, bool inbound, traffic_selector_t *src_ts,
-	traffic_selector_t *dst_ts)
-{
-	if (!this->ipsec)
-	{
-		return NOT_SUPPORTED;
-	}
-	return this->ipsec->add_sa(this->ipsec, src, dst, spi, protocol, reqid,
-			mark, lifetime, enc_alg, enc_key, int_alg, int_key,	mode, ipcomp,
-			cpi, encap, inbound, src_ts, dst_ts);
-}
-
-METHOD(kernel_interface_t, update_sa, status_t,
-	private_kernel_interface_t *this, u_int32_t spi, protocol_id_t protocol,
-	u_int16_t cpi, host_t *src, host_t *dst, host_t *new_src, host_t *new_dst,
-	bool encap, bool new_encap, mark_t mark)
-{
-	if (!this->ipsec)
-	{
-		return NOT_SUPPORTED;
-	}
-	return this->ipsec->update_sa(this->ipsec, spi, protocol, cpi, src, dst,
-								  new_src, new_dst, encap, new_encap, mark);
-}
-
-METHOD(kernel_interface_t, query_sa, status_t,
-	private_kernel_interface_t *this, host_t *src, host_t *dst,
-	u_int32_t spi, protocol_id_t protocol, mark_t mark, u_int64_t *bytes)
-{
-	if (!this->ipsec)
-	{
-		return NOT_SUPPORTED;
-	}
-	return this->ipsec->query_sa(this->ipsec, src, dst, spi, protocol, mark, bytes);
-}
-
-METHOD(kernel_interface_t, del_sa, status_t,
-	private_kernel_interface_t *this, host_t *src, host_t *dst, u_int32_t spi,
-	protocol_id_t protocol, u_int16_t cpi, mark_t mark)
-{
-	if (!this->ipsec)
-	{
-		return NOT_SUPPORTED;
-	}
-	return this->ipsec->del_sa(this->ipsec, src, dst, spi, protocol, cpi, mark);
-}
-
-METHOD(kernel_interface_t, add_policy, status_t,
-	private_kernel_interface_t *this, host_t *src, host_t *dst,
-	traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
-	policy_dir_t direction, u_int32_t spi, protocol_id_t protocol,
-	u_int32_t reqid, mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp,
-	u_int16_t cpi,	bool routed)
-{
-	if (!this->ipsec)
-	{
-		return NOT_SUPPORTED;
-	}
-	return this->ipsec->add_policy(this->ipsec, src, dst, src_ts, dst_ts,
-			direction, spi, protocol, reqid, mark, mode, ipcomp, cpi, routed);
-}
-
-METHOD(kernel_interface_t, query_policy, status_t,
-	private_kernel_interface_t *this, traffic_selector_t *src_ts,
-	traffic_selector_t *dst_ts, policy_dir_t direction, mark_t mark,
-	u_int32_t *use_time)
-{
-	if (!this->ipsec)
-	{
-		return NOT_SUPPORTED;
-	}
-	return this->ipsec->query_policy(this->ipsec, src_ts, dst_ts,
-									 direction, mark, use_time);
-}
-
-METHOD(kernel_interface_t, del_policy, status_t,
-	private_kernel_interface_t *this, traffic_selector_t *src_ts,
-	traffic_selector_t *dst_ts, policy_dir_t direction, mark_t mark,
-	bool unrouted)
-{
-	if (!this->ipsec)
-	{
-		return NOT_SUPPORTED;
-	}
-	return this->ipsec->del_policy(this->ipsec, src_ts, dst_ts,
-								   direction, mark, unrouted);
-}
-
-METHOD(kernel_interface_t, get_source_addr, host_t*,
-	private_kernel_interface_t *this, host_t *dest, host_t *src)
-{
-	if (!this->net)
-	{
-		return NULL;
-	}
-	return this->net->get_source_addr(this->net, dest, src);
-}
-
-METHOD(kernel_interface_t, get_nexthop, host_t*,
-	private_kernel_interface_t *this, host_t *dest)
-{
-	if (!this->net)
-	{
-		return NULL;
-	}
-	return this->net->get_nexthop(this->net, dest);
-}
-
-METHOD(kernel_interface_t, get_interface, char*,
-	private_kernel_interface_t *this, host_t *host)
-{
-	if (!this->net)
-	{
-		return NULL;
-	}
-	return this->net->get_interface(this->net, host);
-}
-
-METHOD(kernel_interface_t, create_address_enumerator, enumerator_t*,
-	private_kernel_interface_t *this, bool include_down_ifaces,
-	bool include_virtual_ips)
-{
-	if (!this->net)
-	{
-		return enumerator_create_empty();
-	}
-	return this->net->create_address_enumerator(this->net, include_down_ifaces,
-												include_virtual_ips);
-}
-
-METHOD(kernel_interface_t, add_ip, status_t,
-	private_kernel_interface_t *this, host_t *virtual_ip, host_t *iface_ip)
-{
-	if (!this->net)
-	{
-		return NOT_SUPPORTED;
-	}
-	return this->net->add_ip(this->net, virtual_ip, iface_ip);
-}
-
-METHOD(kernel_interface_t, del_ip, status_t,
-	private_kernel_interface_t *this, host_t *virtual_ip)
-{
-	if (!this->net)
-	{
-		return NOT_SUPPORTED;
-	}
-	return this->net->del_ip(this->net, virtual_ip);
-}
-
-METHOD(kernel_interface_t, add_route, status_t,
-	private_kernel_interface_t *this, chunk_t dst_net,
-	u_int8_t prefixlen, host_t *gateway, host_t *src_ip, char *if_name)
-{
-	if (!this->net)
-	{
-		return NOT_SUPPORTED;
-	}
-	return this->net->add_route(this->net, dst_net, prefixlen, gateway,
-								src_ip, if_name);
-}
-
-METHOD(kernel_interface_t, del_route, status_t,
-	private_kernel_interface_t *this, chunk_t dst_net,
-	u_int8_t prefixlen, host_t *gateway, host_t *src_ip, char *if_name)
-{
-	if (!this->net)
-	{
-		return NOT_SUPPORTED;
-	}
-	return this->net->del_route(this->net, dst_net, prefixlen, gateway,
-								src_ip, if_name);
-}
-
-METHOD(kernel_interface_t, bypass_socket, bool,
-	private_kernel_interface_t *this, int fd, int family)
-{
-	if (!this->ipsec)
-	{
-		return FALSE;
-	}
-	return this->ipsec->bypass_socket(this->ipsec, fd, family);
-}
-
-METHOD(kernel_interface_t, get_address_by_ts, status_t,
-	private_kernel_interface_t *this, traffic_selector_t *ts, host_t **ip)
-{
-	enumerator_t *addrs;
-	host_t *host;
-	int family;
-	bool found = FALSE;
-
-	DBG2(DBG_KNL, "getting a local address in traffic selector %R", ts);
-
-	/* if we have a family which includes localhost, we do not
-	 * search for an IP, we use the default */
-	family = ts->get_type(ts) == TS_IPV4_ADDR_RANGE ? AF_INET : AF_INET6;
-
-	if (family == AF_INET)
-	{
-		host = host_create_from_string("127.0.0.1", 0);
-	}
-	else
-	{
-		host = host_create_from_string("::1", 0);
-	}
-
-	if (ts->includes(ts, host))
-	{
-		*ip = host_create_any(family);
-		host->destroy(host);
-		DBG2(DBG_KNL, "using host %H", *ip);
-		return SUCCESS;
-	}
-	host->destroy(host);
-
-	addrs = create_address_enumerator(this, TRUE, TRUE);
-	while (addrs->enumerate(addrs, (void**)&host))
-	{
-		if (ts->includes(ts, host))
-		{
-			found = TRUE;
-			*ip = host->clone(host);
-			break;
-		}
-	}
-	addrs->destroy(addrs);
-
-	if (!found)
-	{
-		DBG1(DBG_KNL, "no local address found in traffic selector %R", ts);
-		return FAILED;
-	}
-
-	DBG2(DBG_KNL, "using host %H", *ip);
-	return SUCCESS;
-}
-
-
-METHOD(kernel_interface_t, add_ipsec_interface, void,
-	private_kernel_interface_t *this, kernel_ipsec_constructor_t constructor)
-{
-	if (!this->ipsec)
-	{
-		this->ipsec = constructor();
-	}
-}
-
-METHOD(kernel_interface_t, remove_ipsec_interface, void,
-	private_kernel_interface_t *this, kernel_ipsec_constructor_t constructor)
-{
-	/* TODO: replace if interface currently in use */
-}
-
-METHOD(kernel_interface_t, add_net_interface, void,
-	private_kernel_interface_t *this, kernel_net_constructor_t constructor)
-{
-	if (!this->net)
-	{
-		this->net = constructor();
-	}
-}
-
-METHOD(kernel_interface_t, remove_net_interface, void,
-	private_kernel_interface_t *this, kernel_net_constructor_t constructor)
-{
-	/* TODO: replace if interface currently in use */
-}
-
-METHOD(kernel_interface_t, destroy, void,
-	private_kernel_interface_t *this)
-{
-	DESTROY_IF(this->ipsec);
-	DESTROY_IF(this->net);
-	free(this);
-}
-
-/*
- * Described in header-file
- */
-kernel_interface_t *kernel_interface_create()
-{
-	private_kernel_interface_t *this;
-
-	INIT(this,
-		.public = {
-			.get_spi = _get_spi,
-			.get_cpi = _get_cpi,
-			.add_sa = _add_sa,
-			.update_sa = _update_sa,
-			.query_sa = _query_sa,
-			.del_sa = _del_sa,
-			.add_policy = _add_policy,
-			.query_policy = _query_policy,
-			.del_policy = _del_policy,
-			.get_source_addr = _get_source_addr,
-			.get_nexthop = _get_nexthop,
-			.get_interface = _get_interface,
-			.create_address_enumerator = _create_address_enumerator,
-			.add_ip = _add_ip,
-			.del_ip = _del_ip,
-			.add_route = _add_route,
-			.del_route = _del_route,
-			.bypass_socket = _bypass_socket,
-
-			.get_address_by_ts = _get_address_by_ts,
-			.add_ipsec_interface = _add_ipsec_interface,
-			.remove_ipsec_interface = _remove_ipsec_interface,
-			.add_net_interface = _add_net_interface,
-			.remove_net_interface = _remove_net_interface,
-			.destroy = _destroy,
-		},
-	);
-
-	return &this->public;
-}
-
diff --git a/src/libcharon/kernel/kernel_interface.h b/src/libcharon/kernel/kernel_interface.h
deleted file mode 100644
index 92d85f9c9..000000000
--- a/src/libcharon/kernel/kernel_interface.h
+++ /dev/null
@@ -1,408 +0,0 @@
-/*
- * Copyright (C) 2006-2009 Tobias Brunner
- * Copyright (C) 2006 Daniel Roethlisberger
- * Copyright (C) 2005-2006 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup kernel_interface kernel_interface
- * @{ @ingroup kernel
- */
-
-#ifndef KERNEL_INTERFACE_H_
-#define KERNEL_INTERFACE_H_
-
-typedef struct kernel_interface_t kernel_interface_t;
-
-#include <utils/host.h>
-#include <crypto/prf_plus.h>
-#include <encoding/payloads/proposal_substructure.h>
-
-#include <kernel/kernel_ipsec.h>
-#include <kernel/kernel_net.h>
-
-/**
- * Constructor function for ipsec kernel interface
- */
-typedef kernel_ipsec_t* (*kernel_ipsec_constructor_t)(void);
-
-/**
- * Constructor function for network kernel interface
- */
-typedef kernel_net_t* (*kernel_net_constructor_t)(void);
-
-/**
- * Manager and wrapper for different kernel interfaces.
- *
- * The kernel interface handles the communication with the kernel
- * for SA and policy management and interface and IP address management.
- */
-struct kernel_interface_t {
-
-	/**
-	 * Get a SPI from the kernel.
-	 *
-	 * @param src		source address of SA
-	 * @param dst		destination address of SA
-	 * @param protocol	protocol for SA (ESP/AH)
-	 * @param reqid		unique ID for this SA
-	 * @param spi		allocated spi
-	 * @return				SUCCESS if operation completed
-	 */
-	status_t (*get_spi)(kernel_interface_t *this, host_t *src, host_t *dst,
-						protocol_id_t protocol, u_int32_t reqid, u_int32_t *spi);
-
-	/**
-	 * Get a Compression Parameter Index (CPI) from the kernel.
-	 *
-	 * @param src		source address of SA
-	 * @param dst		destination address of SA
-	 * @param reqid		unique ID for the corresponding SA
-	 * @param cpi		allocated cpi
-	 * @return				SUCCESS if operation completed
-	 */
-	status_t (*get_cpi)(kernel_interface_t *this, host_t *src, host_t *dst,
-						u_int32_t reqid, u_int16_t *cpi);
-
-	/**
-	 * Add an SA to the SAD.
-	 *
-	 * add_sa() may update an already allocated
-	 * SPI (via get_spi). In this case, the replace
-	 * flag must be set.
-	 * This function does install a single SA for a
-	 * single protocol in one direction.
-	 *
-	 * @param src			source address for this SA
-	 * @param dst			destination address for this SA
-	 * @param spi			SPI allocated by us or remote peer
-	 * @param protocol		protocol for this SA (ESP/AH)
-	 * @param reqid			unique ID for this SA
-	 * @param mark			optional mark for this SA
-	 * @param lifetime		lifetime_cfg_t for this SA
-	 * @param enc_alg		Algorithm to use for encryption (ESP only)
-	 * @param enc_key		key to use for encryption
-	 * @param int_alg		Algorithm to use for integrity protection
-	 * @param int_key		key to use for integrity protection
-	 * @param mode			mode of the SA (tunnel, transport)
-	 * @param ipcomp		IPComp transform to use
-	 * @param cpi			CPI for IPComp
-	 * @param encap			enable UDP encapsulation for NAT traversal
-	 * @param inbound		TRUE if this is an inbound SA
-	 * @param src_ts		traffic selector with BEET source address
-	 * @param dst_ts		traffic selector with BEET destination address
-	 * @return				SUCCESS if operation completed
-	 */
-	status_t (*add_sa) (kernel_interface_t *this,
-						host_t *src, host_t *dst, u_int32_t spi,
-						protocol_id_t protocol, u_int32_t reqid, mark_t mark,
-						lifetime_cfg_t *lifetime,
-						u_int16_t enc_alg, chunk_t enc_key,
-						u_int16_t int_alg, chunk_t int_key,
-						ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
-						bool encap, bool inbound,
-						traffic_selector_t *src_ts, traffic_selector_t *dst_ts);
-
-	/**
-	 * Update the hosts on an installed SA.
-	 *
-	 * We cannot directly update the destination address as the kernel
-	 * requires the spi, the protocol AND the destination address (and family)
-	 * to identify SAs. Therefore if the destination address changed we
-	 * create a new SA and delete the old one.
-	 *
-	 * @param spi			SPI of the SA
-	 * @param protocol		protocol for this SA (ESP/AH)
-	 * @param cpi			CPI for IPComp, 0 if no IPComp is used
-	 * @param src			current source address
-	 * @param dst			current destination address
-	 * @param new_src		new source address
-	 * @param new_dst		new destination address
-	 * @param encap			current use of UDP encapsulation
-	 * @param new_encap		new use of UDP encapsulation
-	 * @param mark			optional mark for this SA
-	 * @return				SUCCESS if operation completed, NOT_SUPPORTED if
-	 *					  the kernel interface can't update the SA
-	 */
-	status_t (*update_sa)(kernel_interface_t *this,
-						  u_int32_t spi, protocol_id_t protocol, u_int16_t cpi,
-						  host_t *src, host_t *dst,
-						  host_t *new_src, host_t *new_dst,
-						  bool encap, bool new_encap, mark_t mark);
-
-	/**
-	 * Query the number of bytes processed by an SA from the SAD.
-	 *
-	 * @param src			source address for this SA
-	 * @param dst			destination address for this SA
-	 * @param spi			SPI allocated by us or remote peer
-	 * @param protocol		protocol for this SA (ESP/AH)
-	 * @param mark			optional mark for this SA
-	 * @param[out] bytes	the number of bytes processed by SA
-	 * @return				SUCCESS if operation completed
-	 */
-	status_t (*query_sa) (kernel_interface_t *this, host_t *src, host_t *dst,
-						  u_int32_t spi, protocol_id_t protocol, mark_t mark,
-						  u_int64_t *bytes);
-
-	/**
-	 * Delete a previously installed SA from the SAD.
-	 *
-	 * @param src			source address for this SA
-	 * @param dst			destination address for this SA
-	 * @param spi			SPI allocated by us or remote peer
-	 * @param protocol		protocol for this SA (ESP/AH)
-	 * @param cpi			CPI for IPComp or 0
-	 * @param mark			optional mark for this SA
-	 * @return				SUCCESS if operation completed
-	 */
-	status_t (*del_sa) (kernel_interface_t *this, host_t *src, host_t *dst,
-						u_int32_t spi, protocol_id_t protocol, u_int16_t cpi,
-						mark_t mark);
-
-	/**
-	 * Add a policy to the SPD.
-	 *
-	 * A policy is always associated to an SA. Traffic which matches a
-	 * policy is handled by the SA with the same reqid.
-	 *
-	 * @param src			source address of SA
-	 * @param dst			dest address of SA
-	 * @param src_ts		traffic selector to match traffic source
-	 * @param dst_ts		traffic selector to match traffic dest
-	 * @param direction		direction of traffic, POLICY_IN, POLICY_OUT, POLICY_FWD
-	 * @param spi			SPI of SA
-	 * @param protocol		protocol to use to protect traffic (AH/ESP)
-	 * @param reqid			unique ID of an SA to use to enforce policy
-	 * @param mark			mark for this policy
-	 * @param mode			mode of SA (tunnel, transport)
-	 * @param ipcomp		the IPComp transform used
-	 * @param cpi			CPI for IPComp
-	 * @param routed		TRUE, if this policy is routed in the kernel
-	 * @return				SUCCESS if operation completed
-	 */
-	status_t (*add_policy) (kernel_interface_t *this,
-							host_t *src, host_t *dst,
-							traffic_selector_t *src_ts,
-							traffic_selector_t *dst_ts,
-							policy_dir_t direction, u_int32_t spi,
-							protocol_id_t protocol, u_int32_t reqid,
-							mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp,
-							u_int16_t cpi, bool routed);
-
-	/**
-	 * Query the use time of a policy.
-	 *
-	 * The use time of a policy is the time the policy was used
-	 * for the last time.
-	 *
-	 * @param src_ts		traffic selector to match traffic source
-	 * @param dst_ts		traffic selector to match traffic dest
-	 * @param direction		direction of traffic, POLICY_IN, POLICY_OUT, POLICY_FWD
-	 * @param mark			optional mark
-	 * @param[out] use_time	the time of this SA's last use
-	 * @return				SUCCESS if operation completed
-	 */
-	status_t (*query_policy) (kernel_interface_t *this,
-							  traffic_selector_t *src_ts,
-							  traffic_selector_t *dst_ts,
-							  policy_dir_t direction, mark_t mark,
-							  u_int32_t *use_time);
-
-	/**
-	 * Remove a policy from the SPD.
-	 *
-	 * The kernel interface implements reference counting for policies.
-	 * If the same policy is installed multiple times (in the case of rekeying),
-	 * the reference counter is increased. del_policy() decreases the ref counter
-	 * and removes the policy only when no more references are available.
-	 *
-	 * @param src_ts		traffic selector to match traffic source
-	 * @param dst_ts		traffic selector to match traffic dest
-	 * @param direction		direction of traffic, POLICY_IN, POLICY_OUT, POLICY_FWD
-	 * @param mark			optional mark
-	 * @param unrouted		TRUE, if this policy is unrouted from the kernel
-	 * @return				SUCCESS if operation completed
-	 */
-	status_t (*del_policy) (kernel_interface_t *this,
-							traffic_selector_t *src_ts,
-							traffic_selector_t *dst_ts,
-							policy_dir_t direction, mark_t mark,
-							bool unrouted);
-
-	/**
-	 * Get our outgoing source address for a destination.
-	 *
-	 * Does a route lookup to get the source address used to reach dest.
-	 * The returned host is allocated and must be destroyed.
-	 * An optional src address can be used to check if a route is available
-	 * for given source to dest.
-	 *
-	 * @param dest			target destination address
-	 * @param src			source address to check, or NULL
-	 * @return				outgoing source address, NULL if unreachable
-	 */
-	host_t* (*get_source_addr)(kernel_interface_t *this,
-							   host_t *dest, host_t *src);
-
-	/**
-	 * Get the next hop for a destination.
-	 *
-	 * Does a route lookup to get the next hop used to reach dest.
-	 * The returned host is allocated and must be destroyed.
-	 *
-	 * @param dest			target destination address
-	 * @return				next hop address, NULL if unreachable
-	 */
-	host_t* (*get_nexthop)(kernel_interface_t *this, host_t *dest);
-
-	/**
-	 * Get the interface name of a local address.
-	 *
-	 * @param host			address to get interface name from
-	 * @return 				allocated interface name, or NULL if not found
-	 */
-	char* (*get_interface) (kernel_interface_t *this, host_t *host);
-
-	/**
-	 * Creates an enumerator over all local addresses.
-	 *
-	 * This function blocks an internal cached address list until the
-	 * enumerator gets destroyed.
-	 * The hosts are read-only, do not modify of free.
-	 *
-	 * @param include_down_ifaces	TRUE to enumerate addresses from down interfaces
-	 * @param include_virtual_ips	TRUE to enumerate virtual ip addresses
-	 * @return						enumerator over host_t's
-	 */
-	enumerator_t *(*create_address_enumerator) (kernel_interface_t *this,
-						bool include_down_ifaces, bool include_virtual_ips);
-
-	/**
-	 * Add a virtual IP to an interface.
-	 *
-	 * Virtual IPs are attached to an interface. If an IP is added multiple
-	 * times, the IP is refcounted and not removed until del_ip() was called
-	 * as many times as add_ip().
-	 * The virtual IP is attached to the interface where the iface_ip is found.
-	 *
-	 * @param virtual_ip	virtual ip address to assign
-	 * @param iface_ip		IP of an interface to attach virtual IP
-	 * @return				SUCCESS if operation completed
-	 */
-	status_t (*add_ip) (kernel_interface_t *this, host_t *virtual_ip,
-						host_t *iface_ip);
-
-	/**
-	 * Remove a virtual IP from an interface.
-	 *
-	 * The kernel interface uses refcounting, see add_ip().
-	 *
-	 * @param virtual_ip	virtual ip address to assign
-	 * @return				SUCCESS if operation completed
-	 */
-	status_t (*del_ip) (kernel_interface_t *this, host_t *virtual_ip);
-
-	/**
-	 * Add a route.
-	 *
-	 * @param dst_net		destination net
-	 * @param prefixlen		destination net prefix length
-	 * @param gateway		gateway for this route
-	 * @param src_ip		sourc ip of the route
-	 * @param if_name		name of the interface the route is bound to
-	 * @return				SUCCESS if operation completed
-	 * 						ALREADY_DONE if the route already exists
-	 */
-	status_t (*add_route) (kernel_interface_t *this, chunk_t dst_net, u_int8_t prefixlen,
-								host_t *gateway, host_t *src_ip, char *if_name);
-
-	/**
-	 * Delete a route.
-	 *
-	 * @param dst_net		destination net
-	 * @param prefixlen		destination net prefix length
-	 * @param gateway		gateway for this route
-	 * @param src_ip		sourc ip of the route
-	 * @param if_name		name of the interface the route is bound to
-	 * @return				SUCCESS if operation completed
-	 */
-	status_t (*del_route) (kernel_interface_t *this, chunk_t dst_net, u_int8_t prefixlen,
-								host_t *gateway, host_t *src_ip, char *if_name);
-
-	/**
-	 * Set up a bypass policy for a given socket.
-	 *
-	 * @param fd			socket file descriptor to setup policy for
-	 * @param family		protocol family of the socket
-	 * @return				TRUE of policy set up successfully
-	 */
-	bool (*bypass_socket)(kernel_interface_t *this, int fd, int family);
-
-	/**
-	 * manager methods
-	 */
-
-	/**
-	 * Tries to find an ip address of a local interface that is included in the
-	 * supplied traffic selector.
-	 *
-	 * @param ts			traffic selector
-	 * @param ip			returned ip (has to be destroyed)
-	 * @return				SUCCESS if address found
-	 */
-	status_t (*get_address_by_ts) (kernel_interface_t *this,
-										traffic_selector_t *ts, host_t **ip);
-
-	/**
-	 * Register an ipsec kernel interface constructor on the manager.
-	 *
-	 * @param create			constructor to register
-	 */
-	void (*add_ipsec_interface)(kernel_interface_t *this, kernel_ipsec_constructor_t create);
-
-	/**
-	 * Unregister an ipsec kernel interface constructor.
-	 *
-	 * @param create			constructor to unregister
-	 */
-	void (*remove_ipsec_interface)(kernel_interface_t *this, kernel_ipsec_constructor_t create);
-
-	/**
-	 * Register a network kernel interface constructor on the manager.
-	 *
-	 * @param create			constructor to register
-	 */
-	void (*add_net_interface)(kernel_interface_t *this, kernel_net_constructor_t create);
-
-	/**
-	 * Unregister a network kernel interface constructor.
-	 *
-	 * @param create			constructor to unregister
-	 */
-	void (*remove_net_interface)(kernel_interface_t *this, kernel_net_constructor_t create);
-
-	/**
-	 * Destroys a kernel_interface_manager_t object.
-	 */
-	void (*destroy) (kernel_interface_t *this);
-};
-
-/**
- * Creates an object of type kernel_interface_t.
- */
-kernel_interface_t *kernel_interface_create(void);
-
-#endif /** KERNEL_INTERFACE_H_ @}*/
diff --git a/src/libcharon/kernel/kernel_ipsec.c b/src/libcharon/kernel/kernel_ipsec.c
deleted file mode 100644
index 5b0335b16..000000000
--- a/src/libcharon/kernel/kernel_ipsec.c
+++ /dev/null
@@ -1,29 +0,0 @@
-/*
- * Copyright (C) 2008 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "kernel_ipsec.h"
-
-ENUM(ipsec_mode_names, MODE_TRANSPORT, MODE_BEET,
-	"TRANSPORT",
-	"TUNNEL",
-	"BEET",
-);
-
-ENUM(policy_dir_names, POLICY_IN, POLICY_FWD,
-	"in",
-	"out",
-	"fwd"
-);
-
diff --git a/src/libcharon/kernel/kernel_ipsec.h b/src/libcharon/kernel/kernel_ipsec.h
deleted file mode 100644
index d09265cc9..000000000
--- a/src/libcharon/kernel/kernel_ipsec.h
+++ /dev/null
@@ -1,292 +0,0 @@
-/*
- * Copyright (C) 2006-2009 Tobias Brunner
- * Copyright (C) 2006 Daniel Roethlisberger
- * Copyright (C) 2005-2006 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup kernel_ipsec kernel_ipsec
- * @{ @ingroup kernel
- */
-
-#ifndef KERNEL_IPSEC_H_
-#define KERNEL_IPSEC_H_
-
-typedef enum ipsec_mode_t ipsec_mode_t;
-typedef enum policy_dir_t policy_dir_t;
-typedef struct kernel_ipsec_t kernel_ipsec_t;
-
-#include <utils/host.h>
-#include <crypto/prf_plus.h>
-#include <config/proposal.h>
-#include <config/child_cfg.h>
-
-/**
- * Mode of a CHILD_SA.
- */
-enum ipsec_mode_t {
-	/** transport mode, no inner address */
-	MODE_TRANSPORT = 1,
-	/** tunnel mode, inner and outer addresses */
-	MODE_TUNNEL,
-	/** BEET mode, tunnel mode but fixed, bound inner addresses */
-	MODE_BEET,
-};
-
-/**
- * enum names for ipsec_mode_t.
- */
-extern enum_name_t *ipsec_mode_names;
-
-/**
- * Direction of a policy. These are equal to those
- * defined in xfrm.h, but we want to stay implementation
- * neutral here.
- */
-enum policy_dir_t {
-	/** Policy for inbound traffic */
-	POLICY_IN = 0,
-	/** Policy for outbound traffic */
-	POLICY_OUT = 1,
-	/** Policy for forwarded traffic */
-	POLICY_FWD = 2,
-};
-
-/**
- * enum names for policy_dir_t.
- */
-extern enum_name_t *policy_dir_names;
-
-/**
- * Interface to the ipsec subsystem of the kernel.
- *
- * The kernel ipsec interface handles the communication with the kernel
- * for SA and policy management. It allows setup of these, and provides
- * further the handling of kernel events.
- * Policy information are cached in the interface. This is necessary to do
- * reference counting. The Linux kernel does not allow the same policy
- * installed twice, but we need this as CHILD_SA exist multiple times
- * when rekeying. Thats why we do reference counting of policies.
- */
-struct kernel_ipsec_t {
-
-	/**
-	 * Get a SPI from the kernel.
-	 *
-	 * @param src		source address of SA
-	 * @param dst		destination address of SA
-	 * @param protocol	protocol for SA (ESP/AH)
-	 * @param reqid		unique ID for this SA
-	 * @param spi		allocated spi
-	 * @return				SUCCESS if operation completed
-	 */
-	status_t (*get_spi)(kernel_ipsec_t *this, host_t *src, host_t *dst,
-						protocol_id_t protocol, u_int32_t reqid, u_int32_t *spi);
-
-	/**
-	 * Get a Compression Parameter Index (CPI) from the kernel.
-	 *
-	 * @param src		source address of SA
-	 * @param dst		destination address of SA
-	 * @param reqid		unique ID for the corresponding SA
-	 * @param cpi		allocated cpi
-	 * @return				SUCCESS if operation completed
-	 */
-	status_t (*get_cpi)(kernel_ipsec_t *this, host_t *src, host_t *dst,
-						u_int32_t reqid, u_int16_t *cpi);
-
-	/**
-	 * Add an SA to the SAD.
-	 *
-	 * add_sa() may update an already allocated
-	 * SPI (via get_spi). In this case, the replace
-	 * flag must be set.
-	 * This function does install a single SA for a
-	 * single protocol in one direction.
-	 *
-	 * @param src			source address for this SA
-	 * @param dst			destination address for this SA
-	 * @param spi			SPI allocated by us or remote peer
-	 * @param protocol		protocol for this SA (ESP/AH)
-	 * @param reqid			unique ID for this SA
-	 * @param mark			mark for this SA
-	 * @param lifetime		lifetime_cfg_t for this SA
-	 * @param enc_alg		Algorithm to use for encryption (ESP only)
-	 * @param enc_key		key to use for encryption
-	 * @param int_alg		Algorithm to use for integrity protection
-	 * @param int_key		key to use for integrity protection
-	 * @param mode			mode of the SA (tunnel, transport)
-	 * @param ipcomp		IPComp transform to use
-	 * @param cpi			CPI for IPComp
-	 * @param encap			enable UDP encapsulation for NAT traversal
-	 * @param inbound		TRUE if this is an inbound SA
-	 * @param src_ts		traffic selector with BEET source address
-	 * @param dst_ts		traffic selector with BEET destination address
-	 * @return				SUCCESS if operation completed
-	 */
-	status_t (*add_sa) (kernel_ipsec_t *this,
-						host_t *src, host_t *dst, u_int32_t spi,
-						protocol_id_t protocol, u_int32_t reqid,
-						mark_t mark, lifetime_cfg_t *lifetime,
-						u_int16_t enc_alg, chunk_t enc_key,
-						u_int16_t int_alg, chunk_t int_key,
-						ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
-						bool encap, bool inbound,
-						traffic_selector_t *src_ts, traffic_selector_t *dst_ts);
-
-	/**
-	 * Update the hosts on an installed SA.
-	 *
-	 * We cannot directly update the destination address as the kernel
-	 * requires the spi, the protocol AND the destination address (and family)
-	 * to identify SAs. Therefore if the destination address changed we
-	 * create a new SA and delete the old one.
-	 *
-	 * @param spi			SPI of the SA
-	 * @param protocol		protocol for this SA (ESP/AH)
-	 * @param cpi			CPI for IPComp, 0 if no IPComp is used
-	 * @param src			current source address
-	 * @param dst			current destination address
-	 * @param new_src		new source address
-	 * @param new_dst		new destination address
-	 * @param encap			current use of UDP encapsulation
-	 * @param new_encap		new use of UDP encapsulation
-	 * @param mark			optional mark for this SA
-	 * @return				SUCCESS if operation completed, NOT_SUPPORTED if
-	 *					  the kernel interface can't update the SA
-	 */
-	status_t (*update_sa)(kernel_ipsec_t *this,
-						  u_int32_t spi, protocol_id_t protocol, u_int16_t cpi,
-						  host_t *src, host_t *dst,
-						  host_t *new_src, host_t *new_dst,
-						  bool encap, bool new_encap, mark_t mark);
-
-	/**
-	 * Query the number of bytes processed by an SA from the SAD.
-	 *
-	 * @param src			source address for this SA
-	 * @param dst			destination address for this SA
-	 * @param spi			SPI allocated by us or remote peer
-	 * @param protocol		protocol for this SA (ESP/AH)
-	 * @param mark			optional mark for this SA
-	 * @param[out] bytes	the number of bytes processed by SA
-	 * @return				SUCCESS if operation completed
-	 */
-	status_t (*query_sa) (kernel_ipsec_t *this, host_t *src, host_t *dst,
-						  u_int32_t spi, protocol_id_t protocol, mark_t mark,
-						  u_int64_t *bytes);
-
-	/**
-	 * Delete a previusly installed SA from the SAD.
-	 *
-	 * @param src			source address for this SA
-	 * @param dst			destination address for this SA
-	 * @param spi			SPI allocated by us or remote peer
-	 * @param protocol		protocol for this SA (ESP/AH)
-	 * @param cpi			CPI for IPComp or 0
-	 * @param mark			optional mark for this SA
-	 * @return				SUCCESS if operation completed
-	 */
-	status_t (*del_sa) (kernel_ipsec_t *this, host_t *src, host_t *dst,
-						u_int32_t spi, protocol_id_t protocol, u_int16_t cpi,
-						mark_t mark);
-
-	/**
-	 * Add a policy to the SPD.
-	 *
-	 * A policy is always associated to an SA. Traffic which matches a
-	 * policy is handled by the SA with the same reqid.
-	 *
-	 * @param src			source address of SA
-	 * @param dst			dest address of SA
-	 * @param src_ts		traffic selector to match traffic source
-	 * @param dst_ts		traffic selector to match traffic dest
-	 * @param direction		direction of traffic, POLICY_IN, POLICY_OUT, POLICY_FWD
-	 * @param spi			SPI of SA
-	 * @param protocol		protocol to use to protect traffic (AH/ESP)
-	 * @param reqid			unique ID of an SA to use to enforce policy
-	 * @param mark			mark for this policy
-	 * @param mode			mode of SA (tunnel, transport)
-	 * @param ipcomp		the IPComp transform used
-	 * @param cpi			CPI for IPComp
-	 * @param routed		TRUE, if this policy is routed in the kernel
-	 * @return				SUCCESS if operation completed
-	 */
-	status_t (*add_policy) (kernel_ipsec_t *this,
-							host_t *src, host_t *dst,
-							traffic_selector_t *src_ts,
-							traffic_selector_t *dst_ts,
-							policy_dir_t direction, u_int32_t spi,
-							protocol_id_t protocol, u_int32_t reqid,
-							mark_t mark, ipsec_mode_t mode,
-							u_int16_t ipcomp, u_int16_t cpi, bool routed);
-
-	/**
-	 * Query the use time of a policy.
-	 *
-	 * The use time of a policy is the time the policy was used for the last
-	 * time. It is not the system time, but a monotonic timestamp as returned
-	 * by time_monotonic.
-	 *
-	 * @param src_ts		traffic selector to match traffic source
-	 * @param dst_ts		traffic selector to match traffic dest
-	 * @param direction		direction of traffic, POLICY_IN, POLICY_OUT, POLICY_FWD
-	 * @param mark			optional mark
-	 * @param[out] use_time	the monotonic timestamp of this SA's last use
-	 * @return				SUCCESS if operation completed
-	 */
-	status_t (*query_policy) (kernel_ipsec_t *this,
-							  traffic_selector_t *src_ts,
-							  traffic_selector_t *dst_ts,
-							  policy_dir_t direction, mark_t mark,
-							  u_int32_t *use_time);
-
-	/**
-	 * Remove a policy from the SPD.
-	 *
-	 * The kernel interface implements reference counting for policies.
-	 * If the same policy is installed multiple times (in the case of rekeying),
-	 * the reference counter is increased. del_policy() decreases the ref counter
-	 * and removes the policy only when no more references are available.
-	 *
-	 * @param src_ts		traffic selector to match traffic source
-	 * @param dst_ts		traffic selector to match traffic dest
-	 * @param direction		direction of traffic, POLICY_IN, POLICY_OUT, POLICY_FWD
-	 * @param mark			optional mark
-	 * @param unrouted		TRUE, if this policy is unrouted from the kernel
-	 * @return				SUCCESS if operation completed
-	 */
-	status_t (*del_policy) (kernel_ipsec_t *this,
-							traffic_selector_t *src_ts,
-							traffic_selector_t *dst_ts,
-							policy_dir_t direction, mark_t mark,
-							bool unrouted);
-
-	/**
-	 * Install a bypass policy for the given socket.
-	 *
-	 * @param fd			socket file descriptor to setup policy for
-	 * @param family		protocol family of the socket
-	 * @return				TRUE of policy set up successfully
-	 */
-	bool (*bypass_socket)(kernel_ipsec_t *this, int fd, int family);
-
-	/**
-	 * Destroy the implementation.
-	 */
-	void (*destroy) (kernel_ipsec_t *this);
-};
-
-#endif /** KERNEL_IPSEC_H_ @}*/
diff --git a/src/libcharon/kernel/kernel_net.h b/src/libcharon/kernel/kernel_net.h
deleted file mode 100644
index efb221f88..000000000
--- a/src/libcharon/kernel/kernel_net.h
+++ /dev/null
@@ -1,143 +0,0 @@
-/*
- * Copyright (C) 2008 Tobias Brunner
- * Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup kernel_net kernel_net
- * @{ @ingroup kernel
- */
-
-#ifndef KERNEL_NET_H_
-#define KERNEL_NET_H_
-
-typedef struct kernel_net_t kernel_net_t;
-
-#include <utils/enumerator.h>
-#include <utils/host.h>
-
-/**
- * Interface to the network subsystem of the kernel.
- *
- * The kernel network interface handles the communication with the kernel
- * for interface and IP address management.
- */
-struct kernel_net_t {
-
-	/**
-	 * Get our outgoing source address for a destination.
-	 *
-	 * Does a route lookup to get the source address used to reach dest.
-	 * The returned host is allocated and must be destroyed.
-	 * An optional src address can be used to check if a route is available
-	 * for given source to dest.
-	 *
-	 * @param dest			target destination address
-	 * @param src			source address to check, or NULL
-	 * @return				outgoing source address, NULL if unreachable
-	 */
-	host_t* (*get_source_addr)(kernel_net_t *this, host_t *dest, host_t *src);
-
-	/**
-	 * Get the next hop for a destination.
-	 *
-	 * Does a route lookup to get the next hop used to reach dest.
-	 * The returned host is allocated and must be destroyed.
-	 *
-	 * @param dest			target destination address
-	 * @return				next hop address, NULL if unreachable
-	 */
-	host_t* (*get_nexthop)(kernel_net_t *this, host_t *dest);
-
-	/**
-	 * Get the interface name of a local address.
-	 *
-	 * @param host			address to get interface name from
-	 * @return 				allocated interface name, or NULL if not found
-	 */
-	char* (*get_interface) (kernel_net_t *this, host_t *host);
-
-	/**
-	 * Creates an enumerator over all local addresses.
-	 *
-	 * This function blocks an internal cached address list until the
-	 * enumerator gets destroyed.
-	 * The hosts are read-only, do not modify of free.
-	 *
-	 * @param include_down_ifaces	TRUE to enumerate addresses from down interfaces
-	 * @param include_virtual_ips	TRUE to enumerate virtual ip addresses
-	 * @return						enumerator over host_t's
-	 */
-	enumerator_t *(*create_address_enumerator) (kernel_net_t *this,
-						bool include_down_ifaces, bool include_virtual_ips);
-
-	/**
-	 * Add a virtual IP to an interface.
-	 *
-	 * Virtual IPs are attached to an interface. If an IP is added multiple
-	 * times, the IP is refcounted and not removed until del_ip() was called
-	 * as many times as add_ip().
-	 * The virtual IP is attached to the interface where the iface_ip is found.
-	 *
-	 * @param virtual_ip	virtual ip address to assign
-	 * @param iface_ip		IP of an interface to attach virtual IP
-	 * @return				SUCCESS if operation completed
-	 */
-	status_t (*add_ip) (kernel_net_t *this, host_t *virtual_ip,
-						host_t *iface_ip);
-
-	/**
-	 * Remove a virtual IP from an interface.
-	 *
-	 * The kernel interface uses refcounting, see add_ip().
-	 *
-	 * @param virtual_ip	virtual ip address to assign
-	 * @return				SUCCESS if operation completed
-	 */
-	status_t (*del_ip) (kernel_net_t *this, host_t *virtual_ip);
-
-	/**
-	 * Add a route.
-	 *
-	 * @param dst_net		destination net
-	 * @param prefixlen		destination net prefix length
-	 * @param gateway		gateway for this route
-	 * @param src_ip		sourc ip of the route
-	 * @param if_name		name of the interface the route is bound to
-	 * @return				SUCCESS if operation completed
-	 * 						ALREADY_DONE if the route already exists
-	 */
-	status_t (*add_route) (kernel_net_t *this, chunk_t dst_net, u_int8_t prefixlen,
-								host_t *gateway, host_t *src_ip, char *if_name);
-
-	/**
-	 * Delete a route.
-	 *
-	 * @param dst_net		destination net
-	 * @param prefixlen		destination net prefix length
-	 * @param gateway		gateway for this route
-	 * @param src_ip		sourc ip of the route
-	 * @param if_name		name of the interface the route is bound to
-	 * @return				SUCCESS if operation completed
-	 */
-	status_t (*del_route) (kernel_net_t *this, chunk_t dst_net, u_int8_t prefixlen,
-								host_t *gateway, host_t *src_ip, char *if_name);
-
-	/**
-	 * Destroy the implementation.
-	 */
-	void (*destroy) (kernel_net_t *this);
-};
-
-#endif /** KERNEL_NET_H_ @}*/
diff --git a/src/libcharon/network/receiver.c b/src/libcharon/network/receiver.c
index 63a8cab58..d8cebe192 100644
--- a/src/libcharon/network/receiver.c
+++ b/src/libcharon/network/receiver.c
@@ -146,7 +146,7 @@ static void send_notify(message_t *request, notify_type_t type, chunk_t data)
 		ike_sa_id->switch_initiator(ike_sa_id);
 		response->set_ike_sa_id(response, ike_sa_id);
 		response->add_notify(response, FALSE, type, data);
-		if (response->generate(response, NULL, NULL, &packet) == SUCCESS)
+		if (response->generate(response, NULL, &packet) == SUCCESS)
 		{
 			charon->sender->send(charon->sender, packet);
 			response->destroy(response);
@@ -274,9 +274,17 @@ static job_requeue_t receive_packets(private_receiver_t *this)
 {
 	packet_t *packet;
 	message_t *message;
+	status_t status;
 
 	/* read in a packet */
-	if (charon->socket->receive(charon->socket, &packet) != SUCCESS)
+	status = charon->socket->receive(charon->socket, &packet);
+	if (status == NOT_SUPPORTED)
+	{
+		/* the processor destroys this job  */
+		this->job = NULL;
+		return JOB_REQUEUE_NONE;
+	}
+	else if (status != SUCCESS)
 	{
 		DBG2(DBG_NET, "receiving from socket failed!");
 		return JOB_REQUEUE_FAIR;
@@ -353,22 +361,25 @@ static job_requeue_t receive_packets(private_receiver_t *this)
 			{
 				DBG1(DBG_NET, "using receive delay: %dms",
 					 this->receive_delay);
-				charon->scheduler->schedule_job_ms(charon->scheduler,
+				lib->scheduler->schedule_job_ms(lib->scheduler,
 								(job_t*)process_message_job_create(message),
 								this->receive_delay);
 				return JOB_REQUEUE_DIRECT;
 			}
 		}
 	}
-	charon->processor->queue_job(charon->processor,
-								 (job_t*)process_message_job_create(message));
+	lib->processor->queue_job(lib->processor,
+							  (job_t*)process_message_job_create(message));
 	return JOB_REQUEUE_DIRECT;
 }
 
 METHOD(receiver_t, destroy, void,
 	private_receiver_t *this)
 {
-	this->job->cancel(this->job);
+	if (this->job)
+	{
+		this->job->cancel(this->job);
+	}
 	this->rng->destroy(this->rng);
 	this->hasher->destroy(this->hasher);
 	free(this);
@@ -383,7 +394,9 @@ receiver_t *receiver_create()
 	u_int32_t now = time_monotonic(NULL);
 
 	INIT(this,
-		.public.destroy = _destroy,
+		.public = {
+			.destroy = _destroy,
+		},
 		.secret_switch = now,
 		.secret_offset = random() % now,
 	);
@@ -424,7 +437,7 @@ receiver_t *receiver_create()
 
 	this->job = callback_job_create((callback_job_cb_t)receive_packets,
 									this, NULL, NULL);
-	charon->processor->queue_job(charon->processor, (job_t*)this->job);
+	lib->processor->queue_job(lib->processor, (job_t*)this->job);
 
 	return &this->public;
 }
diff --git a/src/libcharon/network/sender.c b/src/libcharon/network/sender.c
index bb6d50605..4177fb3e1 100644
--- a/src/libcharon/network/sender.c
+++ b/src/libcharon/network/sender.c
@@ -195,7 +195,7 @@ sender_t * sender_create()
 											"charon.send_delay_response", TRUE),
 	);
 
-	charon->processor->queue_job(charon->processor, (job_t*)this->job);
+	lib->processor->queue_job(lib->processor, (job_t*)this->job);
 
 	return &this->public;
 }
diff --git a/src/libcharon/network/socket.h b/src/libcharon/network/socket.h
index 5c5a4edfb..51b26920f 100644
--- a/src/libcharon/network/socket.h
+++ b/src/libcharon/network/socket.h
@@ -1,6 +1,7 @@
 /*
- * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger
+ * Copyright (C) 2006-2010 Tobias Brunner
  * Copyright (C) 2005-2010 Martin Willi
+ * Copyright (C) 2006 Daniel Roethlisberger
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
  *
@@ -29,6 +30,11 @@ typedef struct socket_t socket_t;
 #include <network/packet.h>
 #include <utils/enumerator.h>
 
+/**
+ * Constructor prototype for sockets.
+ */
+typedef socket_t *(*socket_constructor_t)();
+
 /**
  * Socket interface definition.
  */
@@ -42,8 +48,8 @@ struct socket_t {
 	 *
 	 * @param packet		pinter gets address from allocated packet_t
 	 * @return
-	 * 						- SUCCESS when packet successfully received
-	 * 						- FAILED when unable to receive
+	 *						- SUCCESS when packet successfully received
+	 *						- FAILED when unable to receive
 	 */
 	status_t (*receive) (socket_t *this, packet_t **packet);
 
@@ -55,10 +61,15 @@ struct socket_t {
 	 *
 	 * @param packet		packet_t to send
 	 * @return
-	 * 						- SUCCESS when packet successfully sent
-	 * 						- FAILED when unable to send
+	 *						- SUCCESS when packet successfully sent
+	 *						- FAILED when unable to send
 	 */
 	status_t (*send) (socket_t *this, packet_t *packet);
+
+	/**
+	 * Destroy a socket implementation.
+	 */
+	void (*destroy) (socket_t *this);
 };
 
 #endif /** SOCKET_H_ @}*/
diff --git a/src/libcharon/network/socket_manager.c b/src/libcharon/network/socket_manager.c
index 0dbce4b1b..72a454301 100644
--- a/src/libcharon/network/socket_manager.c
+++ b/src/libcharon/network/socket_manager.c
@@ -1,4 +1,6 @@
 /*
+ * Copyright (C) 2010 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
  * Copyright (C) 2010 Martin Willi
  * Copyright (C) 2010 revosec AG
  *
@@ -33,10 +35,20 @@ struct private_socket_manager_t {
 	socket_manager_t public;
 
 	/**
-	 * List of registered socket
+	 * List of registered socket constructors
 	 */
 	linked_list_t *sockets;
 
+	/**
+	 * Instantiated socket implementation
+	 */
+	socket_t *socket;
+
+	/**
+	 * The constructor used to create the current socket
+	 */
+	socket_constructor_t create;
+
 	/**
 	 * Lock for sockets list
 	 */
@@ -46,11 +58,9 @@ struct private_socket_manager_t {
 METHOD(socket_manager_t, receiver, status_t,
 	private_socket_manager_t *this, packet_t **packet)
 {
-	socket_t *socket;
 	status_t status;
-
 	this->lock->read_lock(this->lock);
-	if (this->sockets->get_first(this->sockets, (void**)&socket) != SUCCESS)
+	if (!this->socket)
 	{
 		DBG1(DBG_NET, "no socket implementation registered, receiving failed");
 		this->lock->unlock(this->lock);
@@ -58,7 +68,7 @@ METHOD(socket_manager_t, receiver, status_t,
 	}
 	/* receive is blocking and the thread can be cancelled */
 	thread_cleanup_push((thread_cleanup_t)this->lock->unlock, this->lock);
-	status = socket->receive(socket, packet);
+	status = this->socket->receive(this->socket, packet);
 	thread_cleanup_pop(TRUE);
 	return status;
 }
@@ -66,40 +76,67 @@ METHOD(socket_manager_t, receiver, status_t,
 METHOD(socket_manager_t, sender, status_t,
 	private_socket_manager_t *this, packet_t *packet)
 {
-	socket_t *socket;
 	status_t status;
-
 	this->lock->read_lock(this->lock);
-	if (this->sockets->get_first(this->sockets, (void**)&socket) != SUCCESS)
+	if (!this->socket)
 	{
 		DBG1(DBG_NET, "no socket implementation registered, sending failed");
 		this->lock->unlock(this->lock);
 		return NOT_SUPPORTED;
 	}
-	status = socket->send(socket, packet);
+	status = this->socket->send(this->socket, packet);
 	this->lock->unlock(this->lock);
 	return status;
 }
 
+static void create_socket(private_socket_manager_t *this)
+{
+	socket_constructor_t create;
+	/* remove constructors in order to avoid trying to create broken ones
+	 * multiple times */
+	while (this->sockets->remove_first(this->sockets,
+									   (void**)&create) == SUCCESS)
+	{
+		this->socket = create();
+		if (this->socket)
+		{
+			this->create = create;
+			break;
+		}
+	}
+}
+
 METHOD(socket_manager_t, add_socket, void,
-	private_socket_manager_t *this, socket_t *socket)
+	private_socket_manager_t *this, socket_constructor_t create)
 {
 	this->lock->write_lock(this->lock);
-	this->sockets->insert_last(this->sockets, socket);
+	this->sockets->insert_last(this->sockets, create);
+	if (!this->socket)
+	{
+		create_socket(this);
+	}
 	this->lock->unlock(this->lock);
 }
 
 METHOD(socket_manager_t, remove_socket, void,
-	private_socket_manager_t *this, socket_t *socket)
+	private_socket_manager_t *this, socket_constructor_t create)
 {
 	this->lock->write_lock(this->lock);
-	this->sockets->remove(this->sockets, socket, NULL);
+	this->sockets->remove(this->sockets, create, NULL);
+	if (this->create == create)
+	{
+		this->socket->destroy(this->socket);
+		this->socket = NULL;
+		this->create = NULL;
+		create_socket(this);
+	}
 	this->lock->unlock(this->lock);
 }
 
 METHOD(socket_manager_t, destroy, void,
 	private_socket_manager_t *this)
 {
+	DESTROY_IF(this->socket);
 	this->sockets->destroy(this->sockets);
 	this->lock->destroy(this->lock);
 	free(this);
diff --git a/src/libcharon/network/socket_manager.h b/src/libcharon/network/socket_manager.h
index b33d5c71c..94185d21c 100644
--- a/src/libcharon/network/socket_manager.h
+++ b/src/libcharon/network/socket_manager.h
@@ -1,4 +1,6 @@
 /*
+ * Copyright (C) 2010 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
  * Copyright (C) 2010 Martin Willi
  * Copyright (C) 2010 revosec AG
  *
@@ -51,14 +53,18 @@ struct socket_manager_t {
 	status_t (*send) (socket_manager_t *this, packet_t *packet);
 
 	/**
-	 * Register a socket implementation.
+	 * Register a socket constructor.
+	 *
+	 * @param create		constructor for the socket
 	 */
-	void (*add_socket)(socket_manager_t *this, socket_t *socket);
+	void (*add_socket)(socket_manager_t *this, socket_constructor_t create);
 
 	/**
-	 * Unregister a registered socket implementation.
+	 * Unregister a registered socket constructor.
+	 *
+	 * @param create		constructor for the socket
 	 */
-	void (*remove_socket)(socket_manager_t *this, socket_t *socket);
+	void (*remove_socket)(socket_manager_t *this, socket_constructor_t create);
 
 	/**
 	 * Destroy a socket_manager_t.
diff --git a/src/libcharon/plugins/addrblock/Makefile.in b/src/libcharon/plugins/addrblock/Makefile.in
index 4cb047929..426d1a689 100644
--- a/src/libcharon/plugins/addrblock/Makefile.in
+++ b/src/libcharon/plugins/addrblock/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -168,6 +169,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -199,14 +202,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -221,24 +227,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -246,7 +259,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libcharon/plugins/addrblock/addrblock_plugin.c b/src/libcharon/plugins/addrblock/addrblock_plugin.c
index 1c407035d..5fdb36c5c 100644
--- a/src/libcharon/plugins/addrblock/addrblock_plugin.c
+++ b/src/libcharon/plugins/addrblock/addrblock_plugin.c
@@ -61,7 +61,11 @@ plugin_t *addrblock_plugin_create()
 	private_addrblock_plugin_t *this;
 
 	INIT(this,
-		.public.plugin.destroy = _destroy,
+		.public = {
+			.plugin = {
+				.destroy = _destroy,
+			},
+		},
 		.validator = addrblock_validator_create(),
 		.narrower = addrblock_narrow_create(),
 	);
diff --git a/src/libcharon/plugins/android/Makefile.in b/src/libcharon/plugins/android/Makefile.in
index 6e4903ee1..d80868798 100644
--- a/src/libcharon/plugins/android/Makefile.in
+++ b/src/libcharon/plugins/android/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -168,6 +169,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -199,14 +202,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -221,24 +227,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -246,7 +259,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libcharon/plugins/android/android_plugin.c b/src/libcharon/plugins/android/android_plugin.c
index e2c8572ef..3d82d8f60 100644
--- a/src/libcharon/plugins/android/android_plugin.c
+++ b/src/libcharon/plugins/android/android_plugin.c
@@ -79,8 +79,10 @@ plugin_t *android_plugin_create()
 	private_android_plugin_t *this;
 
 	INIT(this,
-		.public.plugin = {
-			.destroy = _destroy,
+		.public = {
+			.plugin = {
+				.destroy = _destroy,
+			},
 		},
 		.logger = android_logger_create(),
 		.handler = android_handler_create(),
diff --git a/src/libcharon/plugins/android/android_service.c b/src/libcharon/plugins/android/android_service.c
index 538c4a9a2..f9a8e1ea1 100644
--- a/src/libcharon/plugins/android/android_service.c
+++ b/src/libcharon/plugins/android/android_service.c
@@ -141,7 +141,7 @@ METHOD(listener_t, child_updown, bool,
 			 * callback, but from a different thread. we also delay it to avoid
 			 * a race condition during a regular shutdown */
 			job = callback_job_create(shutdown_callback, NULL, NULL, NULL);
-			charon->scheduler->schedule_job(charon->scheduler, (job_t*)job, 1);
+			lib->scheduler->schedule_job(lib->scheduler, (job_t*)job, 1);
 			return FALSE;
 		}
 	}
@@ -378,7 +378,7 @@ android_service_t *android_service_create(android_creds_t *creds)
 	charon->bus->add_listener(charon->bus, &this->public.listener);
 	this->job = callback_job_create((callback_job_cb_t)initiate, this,
 									NULL, NULL);
-	charon->processor->queue_job(charon->processor, (job_t*)this->job);
+	lib->processor->queue_job(lib->processor, (job_t*)this->job);
 
 	return &this->public;
 }
diff --git a/src/libcharon/plugins/dhcp/Makefile.in b/src/libcharon/plugins/dhcp/Makefile.in
index b34654fb7..e843c42e8 100644
--- a/src/libcharon/plugins/dhcp/Makefile.in
+++ b/src/libcharon/plugins/dhcp/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -165,6 +166,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -196,14 +199,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -218,24 +224,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -243,7 +256,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libcharon/plugins/dhcp/dhcp_plugin.c b/src/libcharon/plugins/dhcp/dhcp_plugin.c
index 829fd6356..fccc99ba5 100644
--- a/src/libcharon/plugins/dhcp/dhcp_plugin.c
+++ b/src/libcharon/plugins/dhcp/dhcp_plugin.c
@@ -62,7 +62,11 @@ plugin_t *dhcp_plugin_create()
 	private_dhcp_plugin_t *this;
 
 	INIT(this,
-		.public.plugin.destroy = _destroy,
+		.public = {
+			.plugin = {
+				.destroy = _destroy,
+			},
+		},
 		.socket = dhcp_socket_create(),
 	);
 
diff --git a/src/libcharon/plugins/dhcp/dhcp_socket.c b/src/libcharon/plugins/dhcp/dhcp_socket.c
index f61b3a60e..e1e83d648 100644
--- a/src/libcharon/plugins/dhcp/dhcp_socket.c
+++ b/src/libcharon/plugins/dhcp/dhcp_socket.c
@@ -31,6 +31,7 @@
 #include <threading/condvar.h>
 #include <threading/thread.h>
 
+#include <hydra.h>
 #include <daemon.h>
 #include <processing/jobs/callback_job.h>
 
@@ -205,8 +206,8 @@ static int prepare_dhcp(private_dhcp_socket_t *this,
 	else
 	{
 		/* act as relay agent */
-		src = charon->kernel_interface->get_source_addr(
-									charon->kernel_interface, this->dst, NULL);
+		src = hydra->kernel_interface->get_source_addr(hydra->kernel_interface,
+													   this->dst, NULL);
 		if (src)
 		{
 			memcpy(&dhcp->gateway_address, src->get_address(src).ptr,
@@ -462,8 +463,6 @@ static void handle_offer(private_dhcp_socket_t *this, dhcp_t *dhcp, int optlen)
 
 	offer = host_create_from_chunk(AF_INET,
 					chunk_from_thing(dhcp->your_address), 0);
-	server = host_create_from_chunk(AF_INET,
-					chunk_from_thing(dhcp->server_address), DHCP_SERVER_PORT);
 
 	this->mutex->lock(this->mutex);
 	enumerator = this->discover->create_enumerator(this->discover);
@@ -471,11 +470,8 @@ static void handle_offer(private_dhcp_socket_t *this, dhcp_t *dhcp, int optlen)
 	{
 		if (transaction->get_id(transaction) == dhcp->transaction_id)
 		{
-			DBG1(DBG_CFG, "received DHCP OFFER %H from %H", offer, server);
 			this->discover->remove_at(this->discover, enumerator);
 			this->request->insert_last(this->request, transaction);
-			transaction->set_address(transaction, offer->clone(offer));
-			transaction->set_server(transaction, server->clone(server));
 			break;
 		}
 	}
@@ -504,9 +500,22 @@ static void handle_offer(private_dhcp_socket_t *this, dhcp_t *dhcp, int optlen)
 						chunk_create((char*)&option->data[pos], 4));
 				}
 			}
+			if (option->type == DHCP_SERVER_ID && option->len == 4)
+			{
+				server = host_create_from_chunk(AF_INET,
+							chunk_create(option->data, 4), DHCP_SERVER_PORT);
+			}
 			optlen -= optsize;
 			optpos += optsize;
 		}
+		if (!server)
+		{
+			server = host_create_from_chunk(AF_INET,
+				chunk_from_thing(dhcp->server_address), DHCP_SERVER_PORT);
+		}
+		DBG1(DBG_CFG, "received DHCP OFFER %H from %H", offer, server);
+		transaction->set_address(transaction, offer->clone(offer));
+		transaction->set_server(transaction, server->clone(server));
 	}
 	this->mutex->unlock(this->mutex);
 	this->condvar->broadcast(this->condvar);
@@ -751,7 +760,7 @@ dhcp_socket_t *dhcp_socket_create()
 
 	this->job = callback_job_create((callback_job_cb_t)receive_dhcp,
 									this, NULL, NULL);
-	charon->processor->queue_job(charon->processor, (job_t*)this->job);
+	lib->processor->queue_job(lib->processor, (job_t*)this->job);
 
 	return &this->public;
 }
diff --git a/src/libcharon/plugins/eap_aka/Makefile.in b/src/libcharon/plugins/eap_aka/Makefile.in
index 14bf3f15d..c0750786d 100644
--- a/src/libcharon/plugins/eap_aka/Makefile.in
+++ b/src/libcharon/plugins/eap_aka/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -168,6 +169,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -199,14 +202,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -221,24 +227,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -246,7 +259,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in b/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in
index b41b59616..41f69546e 100644
--- a/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in
+++ b/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -169,6 +170,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -200,14 +203,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -222,24 +228,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -247,7 +260,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libcharon/plugins/eap_gtc/Makefile.in b/src/libcharon/plugins/eap_gtc/Makefile.in
index 57952f621..02d659197 100644
--- a/src/libcharon/plugins/eap_gtc/Makefile.in
+++ b/src/libcharon/plugins/eap_gtc/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -166,6 +167,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -197,14 +200,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -219,24 +225,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -244,7 +257,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libcharon/plugins/eap_identity/Makefile.in b/src/libcharon/plugins/eap_identity/Makefile.in
index d78957438..46011694a 100644
--- a/src/libcharon/plugins/eap_identity/Makefile.in
+++ b/src/libcharon/plugins/eap_identity/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -168,6 +169,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -199,14 +202,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -221,24 +227,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -246,7 +259,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libcharon/plugins/eap_identity/eap_identity.c b/src/libcharon/plugins/eap_identity/eap_identity.c
index ab082a955..03066b2f8 100644
--- a/src/libcharon/plugins/eap_identity/eap_identity.c
+++ b/src/libcharon/plugins/eap_identity/eap_identity.c
@@ -59,11 +59,8 @@ struct eap_identity_header_t {
 	u_int8_t data[];
 } __attribute__((__packed__));
 
-/**
- * Implementation of eap_method_t.process for the peer
- */
-static status_t process_peer(private_eap_identity_t *this,
-							 eap_payload_t *in, eap_payload_t **out)
+METHOD(eap_method_t, process_peer, status_t,
+	private_eap_identity_t *this, eap_payload_t *in, eap_payload_t **out)
 {
 	chunk_t id;
 	eap_identity_header_t *hdr;
@@ -74,7 +71,7 @@ static status_t process_peer(private_eap_identity_t *this,
 
 	hdr = alloca(len);
 	hdr->code = EAP_RESPONSE;
-	hdr->identifier = in->get_identifier(in);
+	hdr->identifier = in ? in->get_identifier(in) : 0;
 	hdr->length = htons(len);
 	hdr->type = EAP_IDENTITY;
 	memcpy(hdr->data, id.ptr, id.len);
@@ -83,20 +80,15 @@ static status_t process_peer(private_eap_identity_t *this,
 	return SUCCESS;
 }
 
-/**
- * Implementation of eap_method_t.initiate for the peer
- */
-static status_t initiate_peer(private_eap_identity_t *this, eap_payload_t **out)
+METHOD(eap_method_t, initiate_peer, status_t,
+	private_eap_identity_t *this, eap_payload_t **out)
 {
 	/* peer never initiates */
 	return FAILED;
 }
 
-/**
- * Implementation of eap_method_t.process for the server
- */
-static status_t process_server(private_eap_identity_t *this,
-							   eap_payload_t *in, eap_payload_t **out)
+METHOD(eap_method_t, process_server, status_t,
+	private_eap_identity_t *this, eap_payload_t *in, eap_payload_t **out)
 {
 	chunk_t data;
 
@@ -108,10 +100,8 @@ static status_t process_server(private_eap_identity_t *this,
 	return SUCCESS;
 }
 
-/**
- * Implementation of eap_method_t.initiate for the server
- */
-static status_t initiate_server(private_eap_identity_t *this, eap_payload_t **out)
+METHOD(eap_method_t, initiate_server, status_t,
+	private_eap_identity_t *this, eap_payload_t **out)
 {
 	eap_identity_header_t hdr;
 
@@ -125,19 +115,15 @@ static status_t initiate_server(private_eap_identity_t *this, eap_payload_t **ou
 	return NEED_MORE;
 }
 
-/**
- * Implementation of eap_method_t.get_type.
- */
-static eap_type_t get_type(private_eap_identity_t *this, u_int32_t *vendor)
+METHOD(eap_method_t, get_type, eap_type_t,
+	private_eap_identity_t *this, u_int32_t *vendor)
 {
 	*vendor = 0;
 	return EAP_IDENTITY;
 }
 
-/**
- * Implementation of eap_method_t.get_msk.
- */
-static status_t get_msk(private_eap_identity_t *this, chunk_t *msk)
+METHOD(eap_method_t, get_msk, status_t,
+	private_eap_identity_t *this, chunk_t *msk)
 {
 	if (this->identity.ptr)
 	{
@@ -147,56 +133,42 @@ static status_t get_msk(private_eap_identity_t *this, chunk_t *msk)
 	return FAILED;
 }
 
-/**
- * Implementation of eap_method_t.is_mutual.
- */
-static bool is_mutual(private_eap_identity_t *this)
+METHOD(eap_method_t, is_mutual, bool,
+	private_eap_identity_t *this)
 {
 	return FALSE;
 }
 
-/**
- * Implementation of eap_method_t.destroy.
- */
-static void destroy(private_eap_identity_t *this)
+METHOD(eap_method_t, destroy, void,
+	private_eap_identity_t *this)
 {
 	this->peer->destroy(this->peer);
 	free(this->identity.ptr);
 	free(this);
 }
 
-/**
- * Generic constructor
- */
-static private_eap_identity_t *eap_identity_create(identification_t *server,
-												   identification_t *peer)
-{
-	private_eap_identity_t *this = malloc_thing(private_eap_identity_t);
-
-	this->public.eap_method_interface.initiate = NULL;
-	this->public.eap_method_interface.process = NULL;
-	this->public.eap_method_interface.get_type = (eap_type_t(*)(eap_method_t*,u_int32_t*))get_type;
-	this->public.eap_method_interface.is_mutual = (bool(*)(eap_method_t*))is_mutual;
-	this->public.eap_method_interface.get_msk = (status_t(*)(eap_method_t*,chunk_t*))get_msk;
-	this->public.eap_method_interface.destroy = (void(*)(eap_method_t*))destroy;
-
-	this->peer = peer->clone(peer);
-	this->identity = chunk_empty;
-
-	return this;
-}
-
 /*
  * Described in header.
  */
 eap_identity_t *eap_identity_create_peer(identification_t *server,
 										 identification_t *peer)
 {
-	private_eap_identity_t *this = eap_identity_create(server, peer);
-
-	/* public functions */
-	this->public.eap_method_interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate_peer;
-	this->public.eap_method_interface.process = (status_t(*)(eap_method_t*,eap_payload_t*,eap_payload_t**))process_peer;
+	private_eap_identity_t *this;
+
+	INIT(this,
+		.public =  {
+			.eap_method = {
+				.initiate = _initiate_peer,
+				.process = _process_peer,
+				.get_type = _get_type,
+				.is_mutual = _is_mutual,
+				.get_msk = _get_msk,
+				.destroy = _destroy,
+			},
+		},
+		.peer = peer->clone(peer),
+		.identity = chunk_empty,
+	);
 
 	return &this->public;
 }
@@ -207,11 +179,22 @@ eap_identity_t *eap_identity_create_peer(identification_t *server,
 eap_identity_t *eap_identity_create_server(identification_t *server,
 										   identification_t *peer)
 {
-	private_eap_identity_t *this = eap_identity_create(server, peer);
-
-	/* public functions */
-	this->public.eap_method_interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate_server;
-	this->public.eap_method_interface.process = (status_t(*)(eap_method_t*,eap_payload_t*,eap_payload_t**))process_server;
+	private_eap_identity_t *this;
+
+	INIT(this,
+		.public = {
+			.eap_method = {
+				.initiate = _initiate_server,
+				.process = _process_server,
+				.get_type = _get_type,
+				.is_mutual = _is_mutual,
+				.get_msk = _get_msk,
+				.destroy = _destroy,
+			},
+		},
+		.peer = peer->clone(peer),
+		.identity = chunk_empty,
+	);
 
 	return &this->public;
 }
diff --git a/src/libcharon/plugins/eap_identity/eap_identity.h b/src/libcharon/plugins/eap_identity/eap_identity.h
index 7364a8bda..9a7f28574 100644
--- a/src/libcharon/plugins/eap_identity/eap_identity.h
+++ b/src/libcharon/plugins/eap_identity/eap_identity.h
@@ -33,7 +33,7 @@ struct eap_identity_t {
 	/**
 	 * Implemented eap_method_t interface.
 	 */
-	eap_method_t eap_method_interface;
+	eap_method_t eap_method;
 };
 
 /**
diff --git a/src/libcharon/plugins/eap_identity/eap_identity_plugin.c b/src/libcharon/plugins/eap_identity/eap_identity_plugin.c
index 082997154..079c27909 100644
--- a/src/libcharon/plugins/eap_identity/eap_identity_plugin.c
+++ b/src/libcharon/plugins/eap_identity/eap_identity_plugin.c
@@ -14,15 +14,12 @@
  */
 
 #include "eap_identity_plugin.h"
-
 #include "eap_identity.h"
 
 #include <daemon.h>
 
-/**
- * Implementation of plugin_t.destroy
- */
-static void destroy(eap_identity_plugin_t *this)
+METHOD(plugin_t, destroy, void,
+	eap_identity_plugin_t *this)
 {
 	charon->eap->remove_method(charon->eap,
 							   (eap_constructor_t)eap_identity_create_server);
@@ -36,9 +33,13 @@ static void destroy(eap_identity_plugin_t *this)
  */
 plugin_t *eap_identity_plugin_create()
 {
-	eap_identity_plugin_t *this = malloc_thing(eap_identity_plugin_t);
+	eap_identity_plugin_t *this;
 
-	this->plugin.destroy = (void(*)(plugin_t*))destroy;
+	INIT(this,
+		.plugin = {
+			.destroy = _destroy,
+		},
+	);
 
 	charon->eap->add_method(charon->eap, EAP_IDENTITY, 0, EAP_SERVER,
 							(eap_constructor_t)eap_identity_create_server);
diff --git a/src/libcharon/plugins/eap_md5/Makefile.in b/src/libcharon/plugins/eap_md5/Makefile.in
index 5bfc59fa4..2e307147f 100644
--- a/src/libcharon/plugins/eap_md5/Makefile.in
+++ b/src/libcharon/plugins/eap_md5/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -166,6 +167,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -197,14 +200,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -219,24 +225,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -244,7 +257,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libcharon/plugins/eap_md5/eap_md5.c b/src/libcharon/plugins/eap_md5/eap_md5.c
index 3554ae12e..f70754abb 100644
--- a/src/libcharon/plugins/eap_md5/eap_md5.c
+++ b/src/libcharon/plugins/eap_md5/eap_md5.c
@@ -47,7 +47,7 @@ struct private_eap_md5_t {
 	chunk_t challenge;
 
 	/**
-	 * EAP message identififier
+	 * EAP message identifier
 	 */
 	u_int8_t identifier;
 };
@@ -105,19 +105,15 @@ static status_t hash_challenge(private_eap_md5_t *this, chunk_t *response,
 	return SUCCESS;
 }
 
-/**
- * Implementation of eap_method_t.initiate for the peer
- */
-static status_t initiate_peer(private_eap_md5_t *this, eap_payload_t **out)
+METHOD(eap_method_t, initiate_peer, status_t,
+	private_eap_md5_t *this, eap_payload_t **out)
 {
 	/* peer never initiates */
 	return FAILED;
 }
 
-/**
- * Implementation of eap_method_t.initiate for the server
- */
-static status_t initiate_server(private_eap_md5_t *this, eap_payload_t **out)
+METHOD(eap_method_t, initiate_server, status_t,
+	private_eap_md5_t *this, eap_payload_t **out)
 {
 	rng_t *rng;
 	eap_md5_header_t *req;
@@ -142,11 +138,8 @@ static status_t initiate_server(private_eap_md5_t *this, eap_payload_t **out)
 	return NEED_MORE;
 }
 
-/**
- * Implementation of eap_method_t.process for the peer
- */
-static status_t process_peer(private_eap_md5_t *this,
-							 eap_payload_t *in, eap_payload_t **out)
+METHOD(eap_method_t, process_peer, status_t,
+	private_eap_md5_t *this, eap_payload_t *in, eap_payload_t **out)
 {
 	chunk_t response;
 	chunk_t data;
@@ -177,11 +170,8 @@ static status_t process_peer(private_eap_md5_t *this,
 	return NEED_MORE;
 }
 
-/**
- * Implementation of eap_method_t.process for the server
- */
-static status_t process_server(private_eap_md5_t *this,
-							   eap_payload_t *in, eap_payload_t **out)
+METHOD(eap_method_t, process_server, status_t,
+	private_eap_md5_t *this, eap_payload_t *in, eap_payload_t **out)
 {
 	chunk_t response, expected;
 	chunk_t data;
@@ -209,35 +199,27 @@ static status_t process_server(private_eap_md5_t *this,
 	return SUCCESS;
 }
 
-/**
- * Implementation of eap_method_t.get_type.
- */
-static eap_type_t get_type(private_eap_md5_t *this, u_int32_t *vendor)
+METHOD(eap_method_t, get_type, eap_type_t,
+	private_eap_md5_t *this, u_int32_t *vendor)
 {
 	*vendor = 0;
 	return EAP_MD5;
 }
 
-/**
- * Implementation of eap_method_t.get_msk.
- */
-static status_t get_msk(private_eap_md5_t *this, chunk_t *msk)
+METHOD(eap_method_t, get_msk, status_t,
+	private_eap_md5_t *this, chunk_t *msk)
 {
 	return FAILED;
 }
 
-/**
- * Implementation of eap_method_t.is_mutual.
- */
-static bool is_mutual(private_eap_md5_t *this)
+METHOD(eap_method_t, is_mutual, bool,
+	private_eap_md5_t *this)
 {
 	return FALSE;
 }
 
-/**
- * Implementation of eap_method_t.destroy.
- */
-static void destroy(private_eap_md5_t *this)
+METHOD(eap_method_t, destroy, void,
+	private_eap_md5_t *this)
 {
 	this->peer->destroy(this->peer);
 	this->server->destroy(this->server);
@@ -245,39 +227,27 @@ static void destroy(private_eap_md5_t *this)
 	free(this);
 }
 
-/**
- * Generic constructor
- */
-static private_eap_md5_t *eap_md5_create_generic(identification_t *server,
-												 identification_t *peer)
-{
-	private_eap_md5_t *this = malloc_thing(private_eap_md5_t);
-
-	this->public.eap_method_interface.initiate = NULL;
-	this->public.eap_method_interface.process = NULL;
-	this->public.eap_method_interface.get_type = (eap_type_t(*)(eap_method_t*,u_int32_t*))get_type;
-	this->public.eap_method_interface.is_mutual = (bool(*)(eap_method_t*))is_mutual;
-	this->public.eap_method_interface.get_msk = (status_t(*)(eap_method_t*,chunk_t*))get_msk;
-	this->public.eap_method_interface.destroy = (void(*)(eap_method_t*))destroy;
-
-	/* private data */
-	this->peer = peer->clone(peer);
-	this->server = server->clone(server);
-	this->challenge = chunk_empty;
-	this->identifier = 0;
-
-	return this;
-}
-
 /*
- * see header
+ * See header
  */
 eap_md5_t *eap_md5_create_server(identification_t *server, identification_t *peer)
 {
-	private_eap_md5_t *this = eap_md5_create_generic(server, peer);
-
-	this->public.eap_method_interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate_server;
-	this->public.eap_method_interface.process = (status_t(*)(eap_method_t*,eap_payload_t*,eap_payload_t**))process_server;
+	private_eap_md5_t *this;
+
+	INIT(this,
+		.public = {
+			.eap_method = {
+				.initiate = _initiate_server,
+				.process = _process_server,
+				.get_type = _get_type,
+				.is_mutual = _is_mutual,
+				.get_msk = _get_msk,
+				.destroy = _destroy,
+			},
+		},
+		.peer = peer->clone(peer),
+		.server = server->clone(server),
+	);
 
 	/* generate a non-zero identifier */
 	do {
@@ -288,14 +258,26 @@ eap_md5_t *eap_md5_create_server(identification_t *server, identification_t *pee
 }
 
 /*
- * see header
+ * See header
  */
 eap_md5_t *eap_md5_create_peer(identification_t *server, identification_t *peer)
 {
-	private_eap_md5_t *this = eap_md5_create_generic(server, peer);
-
-	this->public.eap_method_interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate_peer;
-	this->public.eap_method_interface.process = (status_t(*)(eap_method_t*,eap_payload_t*,eap_payload_t**))process_peer;
+	private_eap_md5_t *this;
+
+	INIT(this,
+		.public = {
+			.eap_method = {
+				.initiate = _initiate_peer,
+				.process = _process_peer,
+				.get_type = _get_type,
+				.is_mutual = _is_mutual,
+				.get_msk = _get_msk,
+				.destroy = _destroy,
+			},
+		},
+		.peer = peer->clone(peer),
+		.server = server->clone(server),
+	);
 
 	return &this->public;
 }
diff --git a/src/libcharon/plugins/eap_md5/eap_md5.h b/src/libcharon/plugins/eap_md5/eap_md5.h
index 3cff0dd79..c6687149a 100644
--- a/src/libcharon/plugins/eap_md5/eap_md5.h
+++ b/src/libcharon/plugins/eap_md5/eap_md5.h
@@ -33,7 +33,7 @@ struct eap_md5_t {
 	/**
 	 * Implemented eap_method_t interface.
 	 */
-	eap_method_t eap_method_interface;
+	eap_method_t eap_method;
 };
 
 /**
diff --git a/src/libcharon/plugins/eap_md5/eap_md5_plugin.c b/src/libcharon/plugins/eap_md5/eap_md5_plugin.c
index e716dc6e8..39a6f5731 100644
--- a/src/libcharon/plugins/eap_md5/eap_md5_plugin.c
+++ b/src/libcharon/plugins/eap_md5/eap_md5_plugin.c
@@ -14,15 +14,12 @@
  */
 
 #include "eap_md5_plugin.h"
-
 #include "eap_md5.h"
 
 #include <daemon.h>
 
-/**
- * Implementation of plugin_t.destroy
- */
-static void destroy(eap_md5_plugin_t *this)
+METHOD(plugin_t, destroy, void,
+	eap_md5_plugin_t *this)
 {
 	charon->eap->remove_method(charon->eap,
 							   (eap_constructor_t)eap_md5_create_server);
@@ -36,9 +33,13 @@ static void destroy(eap_md5_plugin_t *this)
  */
 plugin_t *eap_md5_plugin_create()
 {
-	eap_md5_plugin_t *this = malloc_thing(eap_md5_plugin_t);
+	eap_md5_plugin_t *this;
 
-	this->plugin.destroy = (void(*)(plugin_t*))destroy;
+	INIT(this,
+		.plugin = {
+			.destroy = _destroy,
+		},
+	);
 
 	charon->eap->add_method(charon->eap, EAP_MD5, 0, EAP_SERVER,
 							(eap_constructor_t)eap_md5_create_server);
diff --git a/src/libcharon/plugins/eap_mschapv2/Makefile.in b/src/libcharon/plugins/eap_mschapv2/Makefile.in
index d61cc9e5d..635cfe6ec 100644
--- a/src/libcharon/plugins/eap_mschapv2/Makefile.in
+++ b/src/libcharon/plugins/eap_mschapv2/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -168,6 +169,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -199,14 +202,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -221,24 +227,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -246,7 +259,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
index 3cd8d994c..4f39c8608 100644
--- a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
+++ b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
@@ -818,7 +818,7 @@ static status_t process_peer_failure(private_eap_mschapv2_t *this,
 	eap_mschapv2_header_t *eap;
 	chunk_t data;
 	char *message, *token, *msg = NULL;
-	int message_len, error = 0, retryable;
+	int message_len, error = 0, retriable;
 	chunk_t challenge = chunk_empty;
 
 	data = in->get_data(in);
@@ -847,7 +847,7 @@ static status_t process_peer_failure(private_eap_mschapv2_t *this,
 		else if (strneq(token, "R=", 2))
 		{
 			token += 2;
-			retryable = atoi(token);
+			retriable = atoi(token);
 		}
 		else if (strneq(token, "C=", 2))
 		{
@@ -880,17 +880,17 @@ static status_t process_peer_failure(private_eap_mschapv2_t *this,
 		 mschapv2_error_names, error, sanitize(msg));
 
 	/**
-	 * at this point, if the error is retryable, we MAY retry the authentication
+	 * at this point, if the error is retriable, we MAY retry the authentication
 	 * or MAY send a Change Password packet.
 	 *
-	 * if the error is not retryable (or if we do neither of the above), we
+	 * if the error is not retriable (or if we do neither of the above), we
 	 * SHOULD send a Failure Response packet.
 	 * windows clients don't do that, and since windows server 2008 r2 behaves
 	 * pretty odd if we do send a Failure Response, we just don't send one
 	 * either. windows 7 actually sends a delete notify (which, according to the
 	 * logs, results in an error on windows server 2008 r2).
 	 *
-	 * btw, windows server 2008 r2 does not send non-retryable errors for e.g.
+	 * btw, windows server 2008 r2 does not send non-retriable errors for e.g.
 	 * a disabled account but returns the windows error code in a notify payload
 	 * of type 12345.
 	 */
diff --git a/src/libcharon/plugins/eap_radius/Makefile.in b/src/libcharon/plugins/eap_radius/Makefile.in
index bb372d13c..1d771d9a4 100644
--- a/src/libcharon/plugins/eap_radius/Makefile.in
+++ b/src/libcharon/plugins/eap_radius/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -169,6 +170,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -200,14 +203,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -222,24 +228,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -247,7 +260,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libcharon/plugins/eap_radius/eap_radius.c b/src/libcharon/plugins/eap_radius/eap_radius.c
index 65b868bc6..157034fe5 100644
--- a/src/libcharon/plugins/eap_radius/eap_radius.c
+++ b/src/libcharon/plugins/eap_radius/eap_radius.c
@@ -20,6 +20,8 @@
 
 #include <daemon.h>
 
+#define TUNNEL_TYPE_ESP		9
+
 typedef struct private_eap_radius_t private_eap_radius_t;
 
 /**
@@ -71,6 +73,11 @@ struct private_eap_radius_t {
 	 * Handle the Class attribute as group membership information?
 	 */
 	bool class_group;
+
+	/**
+	 * Handle the Filter-Id attribute as IPsec CHILD_SA name?
+	 */
+	bool filter_id;
 };
 
 /**
@@ -211,6 +218,62 @@ static void process_class(private_eap_radius_t *this, radius_message_t *msg)
 	enumerator->destroy(enumerator);
 }
 
+/**
+ * Handle the Filter-Id attribute as IPsec CHILD_SA name
+ */
+static void process_filter_id(private_eap_radius_t *this, radius_message_t *msg)
+{
+	enumerator_t *enumerator;
+	int type;
+	u_int8_t tunnel_tag;
+	u_int32_t tunnel_type;
+	chunk_t filter_id = chunk_empty, data;
+	bool is_esp_tunnel = FALSE;
+
+	enumerator = msg->create_enumerator(msg);
+	while (enumerator->enumerate(enumerator, &type, &data))
+	{
+		switch (type)
+		{
+			case RAT_TUNNEL_TYPE:
+				if (data.len != 4)
+				{
+					continue;
+				}
+				tunnel_tag = *data.ptr;
+				*data.ptr = 0x00;
+				tunnel_type = untoh32(data.ptr);
+				DBG1(DBG_IKE, "received RADIUS attribute Tunnel-Type: "
+							  "tag = %u, value = %u", tunnel_tag, tunnel_type);
+				is_esp_tunnel = (tunnel_type == TUNNEL_TYPE_ESP);
+				break;
+			case RAT_FILTER_ID:
+				filter_id = data;
+				DBG1(DBG_IKE, "received RADIUS attribute Filter-Id: "
+							  "'%.*s'", filter_id.len, filter_id.ptr);
+				break;
+			default:
+				break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	if (is_esp_tunnel && filter_id.len)
+	{
+		identification_t *id;
+		ike_sa_t *ike_sa;
+		auth_cfg_t *auth;
+
+		ike_sa = charon->bus->get_sa(charon->bus);
+		if (ike_sa)
+		{
+			auth = ike_sa->get_auth_cfg(ike_sa, FALSE);
+			id = identification_create_from_data(filter_id);
+			auth->add(auth, AUTH_RULE_GROUP, id);
+		}
+	}
+}
+
 METHOD(eap_method_t, process, status_t,
 	private_eap_radius_t *this, eap_payload_t *in, eap_payload_t **out)
 {
@@ -247,12 +310,17 @@ METHOD(eap_method_t, process, status_t,
 				{
 					process_class(this, response);
 				}
+				if (this->filter_id)
+				{
+					process_filter_id(this, response);
+				}
+				DBG1(DBG_IKE, "RADIUS authentication of '%Y' successful",
+					 this->peer);
 				status = SUCCESS;
 				break;
 			case RMC_ACCESS_REJECT:
 			default:
-				DBG1(DBG_CFG, "received %N from RADIUS server",
-					 radius_message_code_names, response->get_code(response));
+				DBG1(DBG_IKE, "RADIUS authentication of '%Y' failed", this->peer);
 				status = FAILED;
 				break;
 		}
@@ -313,13 +381,15 @@ eap_radius_t *eap_radius_create(identification_t *server, identification_t *peer
 	private_eap_radius_t *this;
 
 	INIT(this,
-		.public.eap_method_interface = {
-			.initiate = _initiate,
-			.process = _process,
-			.get_type = _get_type,
-			.is_mutual = _is_mutual,
-			.get_msk = _get_msk,
-			.destroy = _destroy,
+		.public = {
+			.eap_method = {
+				.initiate = _initiate,
+				.process = _process,
+				.get_type = _get_type,
+				.is_mutual = _is_mutual,
+				.get_msk = _get_msk,
+				.destroy = _destroy,
+			},
 		},
 		/* initially EAP_RADIUS, but is set to the method selected by RADIUS */
 		.type = EAP_RADIUS,
@@ -329,6 +399,9 @@ eap_radius_t *eap_radius_create(identification_t *server, identification_t *peer
 								"charon.plugins.eap-radius.id_prefix", ""),
 		.class_group = lib->settings->get_bool(lib->settings,
 								"charon.plugins.eap-radius.class_group", FALSE),
+		.filter_id = lib->settings->get_bool(lib->settings,
+								"charon.plugins.eap-radius.filter_id", FALSE),
+
 	);
 	this->client = radius_client_create();
 	if (!this->client)
diff --git a/src/libcharon/plugins/eap_radius/eap_radius.h b/src/libcharon/plugins/eap_radius/eap_radius.h
index 8eb9e8c2d..e98cb06e3 100644
--- a/src/libcharon/plugins/eap_radius/eap_radius.h
+++ b/src/libcharon/plugins/eap_radius/eap_radius.h
@@ -33,7 +33,7 @@ struct eap_radius_t {
 	/**
 	 * Implemented eap_method_t interface.
 	 */
-	eap_method_t eap_method_interface;
+	eap_method_t eap_method;
 };
 
 /**
diff --git a/src/libcharon/plugins/eap_radius/eap_radius_plugin.c b/src/libcharon/plugins/eap_radius/eap_radius_plugin.c
index 91aae2f62..1c24d77d5 100644
--- a/src/libcharon/plugins/eap_radius/eap_radius_plugin.c
+++ b/src/libcharon/plugins/eap_radius/eap_radius_plugin.c
@@ -151,7 +151,11 @@ plugin_t *eap_radius_plugin_create()
 	private_eap_radius_plugin_t *this;
 
 	INIT(this,
-		.public.plugin.destroy = _destroy,
+		.public = {
+			.plugin = {
+				.destroy = _destroy,
+			},
+		},
 		.servers = linked_list_create(),
 	);
 
diff --git a/src/libcharon/plugins/eap_radius/radius_server.h b/src/libcharon/plugins/eap_radius/radius_server.h
index b820cb583..ba4c94619 100644
--- a/src/libcharon/plugins/eap_radius/radius_server.h
+++ b/src/libcharon/plugins/eap_radius/radius_server.h
@@ -79,6 +79,7 @@ struct radius_server_t {
  * @param server			server address
  * @param port				server port
  * @param nas_identifier	NAS-Identifier to use with this server
+ * @param secret			secret to use with this server
  * @param sockets			number of sockets to create in pool
  * @param preference		preference boost for this server
  */
diff --git a/src/libcharon/plugins/eap_sim/Makefile.in b/src/libcharon/plugins/eap_sim/Makefile.in
index d0f44e925..d05930bbd 100644
--- a/src/libcharon/plugins/eap_sim/Makefile.in
+++ b/src/libcharon/plugins/eap_sim/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -168,6 +169,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -199,14 +202,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -221,24 +227,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -246,7 +259,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libcharon/plugins/eap_sim_file/Makefile.in b/src/libcharon/plugins/eap_sim_file/Makefile.in
index 2aa0ac832..46a584265 100644
--- a/src/libcharon/plugins/eap_sim_file/Makefile.in
+++ b/src/libcharon/plugins/eap_sim_file/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -169,6 +170,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -200,14 +203,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -222,24 +228,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -247,7 +260,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in b/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in
index 7d80f8019..2d8556a59 100644
--- a/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in
+++ b/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -170,6 +171,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -201,14 +204,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -223,24 +229,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -248,7 +261,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libcharon/plugins/eap_simaka_reauth/Makefile.in b/src/libcharon/plugins/eap_simaka_reauth/Makefile.in
index fc26f4497..e59015f82 100644
--- a/src/libcharon/plugins/eap_simaka_reauth/Makefile.in
+++ b/src/libcharon/plugins/eap_simaka_reauth/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -169,6 +170,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -200,14 +203,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -222,24 +228,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -247,7 +260,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libcharon/plugins/eap_simaka_sql/Makefile.in b/src/libcharon/plugins/eap_simaka_sql/Makefile.in
index f2e82df0a..3c66d2f36 100644
--- a/src/libcharon/plugins/eap_simaka_sql/Makefile.in
+++ b/src/libcharon/plugins/eap_simaka_sql/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -168,6 +169,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -199,14 +202,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -221,24 +227,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -246,7 +259,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_plugin.c b/src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_plugin.c
index 0f5319792..1cc5352d8 100644
--- a/src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_plugin.c
+++ b/src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_plugin.c
@@ -85,8 +85,10 @@ plugin_t *eap_simaka_sql_plugin_create()
 							"charon.plugins.eap-simaka-sql.remove_used", FALSE);
 
 	INIT(this,
-		.public.plugin =  {
-			.destroy = _destroy,
+		.public = {
+			.plugin = {
+				.destroy = _destroy,
+			},
 		},
 		.db = db,
 		.provider = eap_simaka_sql_provider_create(db, remove_used),
diff --git a/src/libcharon/plugins/eap_tls/Makefile.am b/src/libcharon/plugins/eap_tls/Makefile.am
new file mode 100644
index 000000000..29ddd822b
--- /dev/null
+++ b/src/libcharon/plugins/eap_tls/Makefile.am
@@ -0,0 +1,17 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libtls
+
+AM_CFLAGS = -rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-eap-tls.la
+else
+plugin_LTLIBRARIES = libstrongswan-eap-tls.la
+libstrongswan_eap_tls_la_LIBADD = $(top_builddir)/src/libtls/libtls.la
+endif
+
+libstrongswan_eap_tls_la_SOURCES = \
+	eap_tls_plugin.h eap_tls_plugin.c eap_tls.h eap_tls.c
+
+libstrongswan_eap_tls_la_LDFLAGS = -module -avoid-version
diff --git a/src/libcharon/plugins/eap_tls/Makefile.in b/src/libcharon/plugins/eap_tls/Makefile.in
new file mode 100644
index 000000000..e4b78faf8
--- /dev/null
+++ b/src/libcharon/plugins/eap_tls/Makefile.in
@@ -0,0 +1,605 @@
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libcharon/plugins/eap_tls
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+@MONOLITHIC_FALSE@libstrongswan_eap_tls_la_DEPENDENCIES =  \
+@MONOLITHIC_FALSE@	$(top_builddir)/src/libtls/libtls.la
+am_libstrongswan_eap_tls_la_OBJECTS = eap_tls_plugin.lo eap_tls.lo
+libstrongswan_eap_tls_la_OBJECTS =  \
+	$(am_libstrongswan_eap_tls_la_OBJECTS)
+libstrongswan_eap_tls_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_eap_tls_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_eap_tls_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_eap_tls_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_eap_tls_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_eap_tls_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libtls
+
+AM_CFLAGS = -rdynamic
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-eap-tls.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-eap-tls.la
+@MONOLITHIC_FALSE@libstrongswan_eap_tls_la_LIBADD = $(top_builddir)/src/libtls/libtls.la
+libstrongswan_eap_tls_la_SOURCES = \
+	eap_tls_plugin.h eap_tls_plugin.c eap_tls.h eap_tls.c
+
+libstrongswan_eap_tls_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/eap_tls/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libcharon/plugins/eap_tls/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-eap-tls.la: $(libstrongswan_eap_tls_la_OBJECTS) $(libstrongswan_eap_tls_la_DEPENDENCIES) 
+	$(libstrongswan_eap_tls_la_LINK) $(am_libstrongswan_eap_tls_la_rpath) $(libstrongswan_eap_tls_la_OBJECTS) $(libstrongswan_eap_tls_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_tls.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_tls_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libcharon/plugins/eap_tls/eap_tls.c b/src/libcharon/plugins/eap_tls/eap_tls.c
new file mode 100644
index 000000000..efe72c437
--- /dev/null
+++ b/src/libcharon/plugins/eap_tls/eap_tls.c
@@ -0,0 +1,155 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_tls.h"
+
+#include <tls_eap.h>
+
+#include <daemon.h>
+#include <library.h>
+
+typedef struct private_eap_tls_t private_eap_tls_t;
+
+/**
+ * Private data of an eap_tls_t object.
+ */
+struct private_eap_tls_t {
+
+	/**
+	 * Public interface.
+	 */
+	eap_tls_t public;
+
+	/**
+	 * TLS stack, wrapped by EAP helper
+	 */
+	tls_eap_t *tls_eap;
+};
+
+/** Maximum number of EAP-TLS messages/fragments allowed */
+#define MAX_MESSAGE_COUNT 32 
+/** Default size of a EAP-TLS fragment */
+#define MAX_FRAGMENT_LEN 1024
+
+METHOD(eap_method_t, initiate, status_t,
+	private_eap_tls_t *this, eap_payload_t **out)
+{
+	chunk_t data;
+
+	if (this->tls_eap->initiate(this->tls_eap, &data) == NEED_MORE)
+	{
+		*out = eap_payload_create_data(data);
+		free(data.ptr);
+		return NEED_MORE;
+	}
+	return FAILED;
+}
+
+METHOD(eap_method_t, process, status_t,
+	private_eap_tls_t *this, eap_payload_t *in, eap_payload_t **out)
+{
+	status_t status;
+	chunk_t data;
+
+	data = in->get_data(in);
+	status = this->tls_eap->process(this->tls_eap, data, &data);
+	if (status == NEED_MORE)
+	{
+		*out = eap_payload_create_data(data);
+		free(data.ptr);
+	}
+	return status;
+}
+
+METHOD(eap_method_t, get_type, eap_type_t,
+	private_eap_tls_t *this, u_int32_t *vendor)
+{
+	*vendor = 0;
+	return EAP_TLS;
+}
+
+METHOD(eap_method_t, get_msk, status_t,
+	private_eap_tls_t *this, chunk_t *msk)
+{
+	*msk = this->tls_eap->get_msk(this->tls_eap);
+	if (msk->len)
+	{
+		return SUCCESS;
+	}
+	return FAILED;
+}
+
+METHOD(eap_method_t, is_mutual, bool,
+	private_eap_tls_t *this)
+{
+	return TRUE;
+}
+
+METHOD(eap_method_t, destroy, void,
+	private_eap_tls_t *this)
+{
+	this->tls_eap->destroy(this->tls_eap);
+	free(this);
+}
+
+/**
+ * Generic private constructor
+ */
+static eap_tls_t *eap_tls_create(identification_t *server,
+								 identification_t *peer, bool is_server)
+{
+	private_eap_tls_t *this;
+	size_t frag_size;
+	int max_msg_count;
+	tls_t *tls;
+
+	INIT(this,
+		.public = {
+			.eap_method = {
+				.initiate = _initiate,
+				.process = _process,
+				.get_type = _get_type,
+				.is_mutual = _is_mutual,
+				.get_msk = _get_msk,
+				.destroy = _destroy,
+			},
+		},
+	);
+
+	frag_size = lib->settings->get_int(lib->settings,
+					"charon.plugins.eap-tls.fragment_size", MAX_FRAGMENT_LEN);
+	max_msg_count = lib->settings->get_int(lib->settings,
+					"charon.plugins.eap-tls.max_message_count", MAX_MESSAGE_COUNT);
+	tls = tls_create(is_server, server, peer, TLS_PURPOSE_EAP_TLS, NULL);
+	this->tls_eap = tls_eap_create(EAP_TLS, tls, frag_size, max_msg_count);
+	if (!this->tls_eap)
+	{
+		free(this);
+		return NULL;
+	}
+	return &this->public;
+}
+
+eap_tls_t *eap_tls_create_server(identification_t *server,
+								 identification_t *peer)
+{
+	return eap_tls_create(server, peer, TRUE);
+}
+
+eap_tls_t *eap_tls_create_peer(identification_t *server,
+							   identification_t *peer)
+{
+	return eap_tls_create(server, peer, FALSE);
+}
diff --git a/src/libcharon/plugins/eap_tls/eap_tls.h b/src/libcharon/plugins/eap_tls/eap_tls.h
new file mode 100644
index 000000000..7e080230a
--- /dev/null
+++ b/src/libcharon/plugins/eap_tls/eap_tls.h
@@ -0,0 +1,59 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_tls_i eap_tls
+ * @{ @ingroup eap_tls
+ */
+
+#ifndef EAP_TLS_H_
+#define EAP_TLS_H_
+
+typedef struct eap_tls_t eap_tls_t;
+
+#include <sa/authenticators/eap/eap_method.h>
+
+/**
+ * Implementation of eap_method_t using EAP-TLS.
+ */
+struct eap_tls_t {
+
+	/**
+	 * Implements eap_method_t interface.
+	 */
+	eap_method_t eap_method;
+};
+
+/**
+ * Creates the EAP method EAP-TLS acting as server.
+ *
+ * @param server	ID of the EAP server
+ * @param peer		ID of the EAP client
+ * @return			eap_tls_t object
+ */
+eap_tls_t *eap_tls_create_server(identification_t *server,
+								 identification_t *peer);
+
+/**
+ * Creates the EAP method EAP-TLS acting as peer.
+ *
+ * @param server	ID of the EAP server
+ * @param peer		ID of the EAP client
+ * @return			eap_tls_t object
+ */
+eap_tls_t *eap_tls_create_peer(identification_t *server,
+							   identification_t *peer);
+
+#endif /** EAP_TLS_H_ @}*/
diff --git a/src/libcharon/plugins/eap_tls/eap_tls_plugin.c b/src/libcharon/plugins/eap_tls/eap_tls_plugin.c
new file mode 100644
index 000000000..a7c040bf4
--- /dev/null
+++ b/src/libcharon/plugins/eap_tls/eap_tls_plugin.c
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_tls_plugin.h"
+
+#include "eap_tls.h"
+
+#include <daemon.h>
+
+
+METHOD(plugin_t, destroy, void,
+	eap_tls_plugin_t *this)
+{
+	charon->eap->remove_method(charon->eap,
+							   (eap_constructor_t)eap_tls_create_server);
+	charon->eap->remove_method(charon->eap,
+							   (eap_constructor_t)eap_tls_create_peer);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *eap_tls_plugin_create()
+{
+	eap_tls_plugin_t *this;
+
+	INIT(this,
+		.plugin = {
+			.destroy = _destroy,
+		},
+	);
+
+	charon->eap->add_method(charon->eap, EAP_TLS, 0, EAP_SERVER,
+							(eap_constructor_t)eap_tls_create_server);
+	charon->eap->add_method(charon->eap, EAP_TLS, 0, EAP_PEER,
+							(eap_constructor_t)eap_tls_create_peer);
+
+	return &this->plugin;
+}
diff --git a/src/libcharon/plugins/eap_tls/eap_tls_plugin.h b/src/libcharon/plugins/eap_tls/eap_tls_plugin.h
new file mode 100644
index 000000000..5ea719603
--- /dev/null
+++ b/src/libcharon/plugins/eap_tls/eap_tls_plugin.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_tls eap_tls
+ * @ingroup cplugins
+ *
+ * @defgroup eap_tls_plugin eap_tls_plugin
+ * @{ @ingroup eap_tls
+ */
+
+#ifndef EAP_TLS_PLUGIN_H_
+#define EAP_TLS_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct eap_tls_plugin_t eap_tls_plugin_t;
+
+/**
+ * EAP-TLS plugin
+ */
+struct eap_tls_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+/**
+ * Create a eap_tls_plugin instance.
+ */
+plugin_t *eap_tls_plugin_create();
+
+#endif /** EAP_TLS_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/eap_tnc/Makefile.am b/src/libcharon/plugins/eap_tnc/Makefile.am
new file mode 100644
index 000000000..9c5a445c5
--- /dev/null
+++ b/src/libcharon/plugins/eap_tnc/Makefile.am
@@ -0,0 +1,17 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libtls
+
+AM_CFLAGS = -rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-eap-tnc.la
+else
+plugin_LTLIBRARIES = libstrongswan-eap-tnc.la
+libstrongswan_eap_tnc_la_LIBADD = $(top_builddir)/src/libtls/libtls.la
+endif
+
+libstrongswan_eap_tnc_la_SOURCES = \
+	eap_tnc_plugin.h eap_tnc_plugin.c eap_tnc.h eap_tnc.c
+
+libstrongswan_eap_tnc_la_LDFLAGS = -module -avoid-version
diff --git a/src/libcharon/plugins/eap_tnc/Makefile.in b/src/libcharon/plugins/eap_tnc/Makefile.in
new file mode 100644
index 000000000..fb7108a8a
--- /dev/null
+++ b/src/libcharon/plugins/eap_tnc/Makefile.in
@@ -0,0 +1,605 @@
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libcharon/plugins/eap_tnc
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+@MONOLITHIC_FALSE@libstrongswan_eap_tnc_la_DEPENDENCIES =  \
+@MONOLITHIC_FALSE@	$(top_builddir)/src/libtls/libtls.la
+am_libstrongswan_eap_tnc_la_OBJECTS = eap_tnc_plugin.lo eap_tnc.lo
+libstrongswan_eap_tnc_la_OBJECTS =  \
+	$(am_libstrongswan_eap_tnc_la_OBJECTS)
+libstrongswan_eap_tnc_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_eap_tnc_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_eap_tnc_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_eap_tnc_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_eap_tnc_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_eap_tnc_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libtls
+
+AM_CFLAGS = -rdynamic
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-eap-tnc.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-eap-tnc.la
+@MONOLITHIC_FALSE@libstrongswan_eap_tnc_la_LIBADD = $(top_builddir)/src/libtls/libtls.la
+libstrongswan_eap_tnc_la_SOURCES = \
+	eap_tnc_plugin.h eap_tnc_plugin.c eap_tnc.h eap_tnc.c
+
+libstrongswan_eap_tnc_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/eap_tnc/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libcharon/plugins/eap_tnc/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-eap-tnc.la: $(libstrongswan_eap_tnc_la_OBJECTS) $(libstrongswan_eap_tnc_la_DEPENDENCIES) 
+	$(libstrongswan_eap_tnc_la_LINK) $(am_libstrongswan_eap_tnc_la_rpath) $(libstrongswan_eap_tnc_la_OBJECTS) $(libstrongswan_eap_tnc_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_tnc.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_tnc_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libcharon/plugins/eap_tnc/eap_tnc.c b/src/libcharon/plugins/eap_tnc/eap_tnc.c
new file mode 100644
index 000000000..f0bff0e1f
--- /dev/null
+++ b/src/libcharon/plugins/eap_tnc/eap_tnc.c
@@ -0,0 +1,156 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_tnc.h"
+
+#include <tls_eap.h>
+
+#include <daemon.h>
+#include <library.h>
+
+typedef struct private_eap_tnc_t private_eap_tnc_t;
+
+/**
+ * Private data of an eap_tnc_t object.
+ */
+struct private_eap_tnc_t {
+
+	/**
+	 * Public authenticator_t interface.
+	 */
+	eap_tnc_t public;
+
+	/**
+	 * TLS stack, wrapped by EAP helper
+	 */
+	tls_eap_t *tls_eap;
+};
+
+
+/** Maximum number of EAP-TNC messages/fragments allowed */
+#define MAX_MESSAGE_COUNT 10 
+/** Default size of a EAP-TNC fragment */
+#define MAX_FRAGMENT_LEN 50000
+
+METHOD(eap_method_t, initiate, status_t,
+	private_eap_tnc_t *this, eap_payload_t **out)
+{
+	chunk_t data;
+
+	if (this->tls_eap->initiate(this->tls_eap, &data) == NEED_MORE)
+	{
+		*out = eap_payload_create_data(data);
+		free(data.ptr);
+		return NEED_MORE;
+	}
+	return FAILED;
+}
+
+METHOD(eap_method_t, process, status_t,
+	private_eap_tnc_t *this, eap_payload_t *in, eap_payload_t **out)
+{
+	status_t status;
+	chunk_t data;
+
+	data = in->get_data(in);
+	status = this->tls_eap->process(this->tls_eap, data, &data);
+	if (status == NEED_MORE)
+	{
+		*out = eap_payload_create_data(data);
+		free(data.ptr);
+	}
+	return status;
+}
+
+METHOD(eap_method_t, get_type, eap_type_t,
+	private_eap_tnc_t *this, u_int32_t *vendor)
+{
+	*vendor = 0;
+	return EAP_TNC;
+}
+
+METHOD(eap_method_t, get_msk, status_t,
+	private_eap_tnc_t *this, chunk_t *msk)
+{
+	*msk = this->tls_eap->get_msk(this->tls_eap);
+	if (msk->len)
+	{
+		return SUCCESS;
+	}
+	return FAILED;
+}
+
+METHOD(eap_method_t, is_mutual, bool,
+	private_eap_tnc_t *this)
+{
+	return FALSE;
+}
+
+METHOD(eap_method_t, destroy, void,
+	private_eap_tnc_t *this)
+{
+	this->tls_eap->destroy(this->tls_eap);
+	free(this);
+}
+
+/**
+ * Generic private constructor
+ */
+static eap_tnc_t *eap_tnc_create(identification_t *server,
+								 identification_t *peer, bool is_server)
+{
+	private_eap_tnc_t *this;
+	size_t frag_size;
+	int max_msg_count;
+	tnccs_t *tnccs;
+
+	INIT(this,
+		.public = {
+			.eap_method = {
+				.initiate = _initiate,
+				.process = _process,
+				.get_type = _get_type,
+				.is_mutual = _is_mutual,
+				.get_msk = _get_msk,
+				.destroy = _destroy,
+			},
+		},
+	);
+
+	frag_size = lib->settings->get_int(lib->settings,
+					"charon.plugins.eap-tnc.fragment_size", MAX_FRAGMENT_LEN);
+	max_msg_count = lib->settings->get_int(lib->settings,
+					"charon.plugins.eap-tnc.max_message_count", MAX_MESSAGE_COUNT);
+	tnccs = charon->tnccs->create_instance(charon->tnccs, TNCCS_1_1, is_server);
+	this->tls_eap = tls_eap_create(EAP_TNC, (tls_t*)tnccs, frag_size, max_msg_count);
+	if (!this->tls_eap)
+	{
+		free(this);
+		return NULL;
+	}
+	return &this->public;
+}
+
+eap_tnc_t *eap_tnc_create_server(identification_t *server,
+								 identification_t *peer)
+{
+	return eap_tnc_create(server, peer, TRUE);
+}
+
+eap_tnc_t *eap_tnc_create_peer(identification_t *server,
+							   identification_t *peer)
+{
+	return eap_tnc_create(server, peer, FALSE);
+}
diff --git a/src/libcharon/plugins/eap_tnc/eap_tnc.h b/src/libcharon/plugins/eap_tnc/eap_tnc.h
new file mode 100644
index 000000000..7e166fb60
--- /dev/null
+++ b/src/libcharon/plugins/eap_tnc/eap_tnc.h
@@ -0,0 +1,57 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_tnc_i eap_tnc
+ * @{ @ingroup eap_tnc
+ */
+
+#ifndef EAP_TNC_H_
+#define EAP_TNC_H_
+
+typedef struct eap_tnc_t eap_tnc_t;
+
+#include <sa/authenticators/eap/eap_method.h>
+
+/**
+ * Implementation of the eap_method_t interface using EAP-TNC.
+ */
+struct eap_tnc_t {
+
+	/**
+	 * Implemented eap_method_t interface.
+	 */
+	eap_method_t eap_method;
+};
+
+/**
+ * Creates the EAP method EAP-TNC acting as server.
+ *
+ * @param server	ID of the EAP server
+ * @param peer		ID of the EAP client
+ * @return			eap_tnc_t object
+ */
+eap_tnc_t *eap_tnc_create_server(identification_t *server, identification_t *peer);
+
+/**
+ * Creates the EAP method EAP-TNC acting as peer.
+ *
+ * @param server	ID of the EAP server
+ * @param peer		ID of the EAP client
+ * @return			eap_tnc_t object
+ */
+eap_tnc_t *eap_tnc_create_peer(identification_t *server, identification_t *peer);
+
+#endif /** EAP_TNC_H_ @}*/
diff --git a/src/libcharon/plugins/eap_tnc/eap_tnc_plugin.c b/src/libcharon/plugins/eap_tnc/eap_tnc_plugin.c
new file mode 100644
index 000000000..7430e4cac
--- /dev/null
+++ b/src/libcharon/plugins/eap_tnc/eap_tnc_plugin.c
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_tnc_plugin.h"
+#include "eap_tnc.h"
+
+#include <daemon.h>
+
+METHOD(plugin_t, destroy, void,
+	eap_tnc_plugin_t *this)
+{
+	charon->eap->remove_method(charon->eap,
+							   (eap_constructor_t)eap_tnc_create_server);
+	charon->eap->remove_method(charon->eap,
+							   (eap_constructor_t)eap_tnc_create_peer);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *eap_tnc_plugin_create()
+{
+	eap_tnc_plugin_t *this;
+
+	INIT(this,
+		.plugin = {
+			.destroy = _destroy,
+		},
+	);
+
+	charon->eap->add_method(charon->eap, EAP_TNC, 0, EAP_SERVER,
+							(eap_constructor_t)eap_tnc_create_server);
+	charon->eap->add_method(charon->eap, EAP_TNC, 0, EAP_PEER,
+							(eap_constructor_t)eap_tnc_create_peer);
+
+	return &this->plugin;
+}
+
diff --git a/src/libcharon/plugins/eap_tnc/eap_tnc_plugin.h b/src/libcharon/plugins/eap_tnc/eap_tnc_plugin.h
new file mode 100644
index 000000000..97298eb5c
--- /dev/null
+++ b/src/libcharon/plugins/eap_tnc/eap_tnc_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_tnc eap_tnc
+ * @ingroup cplugins
+ *
+ * @defgroup eap_tnc_plugin eap_tnc_plugin
+ * @{ @ingroup eap_tnc
+ */
+
+#ifndef EAP_TNC_PLUGIN_H_
+#define EAP_TNC_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct eap_tnc_plugin_t eap_tnc_plugin_t;
+
+/**
+ * EAP-TNC plugin
+ */
+struct eap_tnc_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+#endif /** EAP_TNC_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/eap_ttls/Makefile.am b/src/libcharon/plugins/eap_ttls/Makefile.am
new file mode 100644
index 000000000..94ce5cc1e
--- /dev/null
+++ b/src/libcharon/plugins/eap_ttls/Makefile.am
@@ -0,0 +1,21 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libtls
+
+AM_CFLAGS = -rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-eap-ttls.la
+else
+plugin_LTLIBRARIES = libstrongswan-eap-ttls.la
+libstrongswan_eap_ttls_la_LIBADD = $(top_builddir)/src/libtls/libtls.la
+endif
+
+libstrongswan_eap_ttls_la_SOURCES = \
+	eap_ttls_plugin.h eap_ttls_plugin.c \
+	eap_ttls_avp.h eap_ttls_avp.c \
+	eap_ttls.h eap_ttls.c \
+	eap_ttls_peer.h eap_ttls_peer.c \
+	eap_ttls_server.h eap_ttls_server.c
+
+libstrongswan_eap_ttls_la_LDFLAGS = -module -avoid-version
diff --git a/src/libcharon/plugins/eap_ttls/Makefile.in b/src/libcharon/plugins/eap_ttls/Makefile.in
new file mode 100644
index 000000000..2cdd7701d
--- /dev/null
+++ b/src/libcharon/plugins/eap_ttls/Makefile.in
@@ -0,0 +1,615 @@
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libcharon/plugins/eap_ttls
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+@MONOLITHIC_FALSE@libstrongswan_eap_ttls_la_DEPENDENCIES =  \
+@MONOLITHIC_FALSE@	$(top_builddir)/src/libtls/libtls.la
+am_libstrongswan_eap_ttls_la_OBJECTS = eap_ttls_plugin.lo \
+	eap_ttls_avp.lo eap_ttls.lo eap_ttls_peer.lo \
+	eap_ttls_server.lo
+libstrongswan_eap_ttls_la_OBJECTS =  \
+	$(am_libstrongswan_eap_ttls_la_OBJECTS)
+libstrongswan_eap_ttls_la_LINK = $(LIBTOOL) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_eap_ttls_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_eap_ttls_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_eap_ttls_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_eap_ttls_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_eap_ttls_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libtls
+
+AM_CFLAGS = -rdynamic
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-eap-ttls.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-eap-ttls.la
+@MONOLITHIC_FALSE@libstrongswan_eap_ttls_la_LIBADD = $(top_builddir)/src/libtls/libtls.la
+libstrongswan_eap_ttls_la_SOURCES = \
+	eap_ttls_plugin.h eap_ttls_plugin.c \
+	eap_ttls_avp.h eap_ttls_avp.c \
+	eap_ttls.h eap_ttls.c \
+	eap_ttls_peer.h eap_ttls_peer.c \
+	eap_ttls_server.h eap_ttls_server.c
+
+libstrongswan_eap_ttls_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/eap_ttls/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libcharon/plugins/eap_ttls/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-eap-ttls.la: $(libstrongswan_eap_ttls_la_OBJECTS) $(libstrongswan_eap_ttls_la_DEPENDENCIES) 
+	$(libstrongswan_eap_ttls_la_LINK) $(am_libstrongswan_eap_ttls_la_rpath) $(libstrongswan_eap_ttls_la_OBJECTS) $(libstrongswan_eap_ttls_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_ttls.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_ttls_avp.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_ttls_peer.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_ttls_plugin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_ttls_server.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libcharon/plugins/eap_ttls/eap_ttls.c b/src/libcharon/plugins/eap_ttls/eap_ttls.c
new file mode 100644
index 000000000..a62af6ea4
--- /dev/null
+++ b/src/libcharon/plugins/eap_ttls/eap_ttls.c
@@ -0,0 +1,165 @@
+/*
+ * Copyright (C) 2010 Martin Willi, revosec AG
+ * Copyright (C) 2010 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_ttls.h"
+#include "eap_ttls_peer.h"
+#include "eap_ttls_server.h"
+
+#include <tls_eap.h>
+
+#include <daemon.h>
+#include <library.h>
+
+typedef struct private_eap_ttls_t private_eap_ttls_t;
+
+/**
+ * Private data of an eap_ttls_t object.
+ */
+struct private_eap_ttls_t {
+
+	/**
+	 * Public interface.
+	 */
+	eap_ttls_t public;
+
+	/**
+	 * TLS stack, wrapped by EAP helper
+	 */
+	tls_eap_t *tls_eap;
+};
+
+/** Maximum number of EAP-TTLS messages/fragments allowed */
+#define MAX_MESSAGE_COUNT 32
+/** Default size of a EAP-TTLS fragment */
+#define MAX_FRAGMENT_LEN 1024
+
+METHOD(eap_method_t, initiate, status_t,
+	private_eap_ttls_t *this, eap_payload_t **out)
+{
+	chunk_t data;
+
+	if (this->tls_eap->initiate(this->tls_eap, &data) == NEED_MORE)
+	{
+		*out = eap_payload_create_data(data);
+		free(data.ptr);
+		return NEED_MORE;
+	}
+	return FAILED;
+}
+
+METHOD(eap_method_t, process, status_t,
+	private_eap_ttls_t *this, eap_payload_t *in, eap_payload_t **out)
+{
+	status_t status;
+	chunk_t data;
+
+	data = in->get_data(in);
+	status = this->tls_eap->process(this->tls_eap, data, &data);
+	if (status == NEED_MORE)
+	{
+		*out = eap_payload_create_data(data);
+		free(data.ptr);
+	}
+	return status;
+}
+
+METHOD(eap_method_t, get_type, eap_type_t,
+	private_eap_ttls_t *this, u_int32_t *vendor)
+{
+	*vendor = 0;
+	return EAP_TTLS;
+}
+
+METHOD(eap_method_t, get_msk, status_t,
+	private_eap_ttls_t *this, chunk_t *msk)
+{
+	*msk = this->tls_eap->get_msk(this->tls_eap);
+	if (msk->len)
+	{
+		return SUCCESS;
+	}
+	return FAILED;
+}
+
+METHOD(eap_method_t, is_mutual, bool,
+	private_eap_ttls_t *this)
+{
+	return TRUE;
+}
+
+METHOD(eap_method_t, destroy, void,
+	private_eap_ttls_t *this)
+{
+	this->tls_eap->destroy(this->tls_eap);
+	free(this);
+}
+
+/**
+ * Generic private constructor
+ */
+static eap_ttls_t *eap_ttls_create(identification_t *server,
+								   identification_t *peer, bool is_server,
+								   tls_application_t *application)
+{
+	private_eap_ttls_t *this;
+	size_t frag_size;
+	int max_msg_count;
+	tls_t *tls;
+
+	INIT(this,
+		.public = {
+			.eap_method = {
+				.initiate = _initiate,
+				.process = _process,
+				.get_type = _get_type,
+				.is_mutual = _is_mutual,
+				.get_msk = _get_msk,
+				.destroy = _destroy,
+			},
+		},
+	);
+	if (is_server && !lib->settings->get_bool(lib->settings,
+							"charon.plugins.eap-ttls.request_peer_auth", FALSE))
+	{
+		peer = NULL;
+	}
+	frag_size = lib->settings->get_int(lib->settings,
+					"charon.plugins.eap-ttls.fragment_size", MAX_FRAGMENT_LEN);
+	max_msg_count = lib->settings->get_int(lib->settings,
+					"charon.plugins.eap-ttls.max_message_count", MAX_MESSAGE_COUNT);
+	tls = tls_create(is_server, server, peer, TLS_PURPOSE_EAP_TTLS, application);
+	this->tls_eap = tls_eap_create(EAP_TTLS, tls, frag_size, max_msg_count);
+	if (!this->tls_eap)
+	{
+		application->destroy(application);
+		free(this);
+		return NULL;
+	}
+	return &this->public;
+}
+
+eap_ttls_t *eap_ttls_create_server(identification_t *server,
+						  		   identification_t *peer)
+{
+	return eap_ttls_create(server, peer, TRUE,
+						   &eap_ttls_server_create(server, peer)->application);
+}
+
+eap_ttls_t *eap_ttls_create_peer(identification_t *server,
+								 identification_t *peer)
+{
+	return eap_ttls_create(server, peer, FALSE,
+						   &eap_ttls_peer_create(server, peer)->application);
+}
diff --git a/src/libcharon/plugins/eap_ttls/eap_ttls.h b/src/libcharon/plugins/eap_ttls/eap_ttls.h
new file mode 100644
index 000000000..6e3bf2ceb
--- /dev/null
+++ b/src/libcharon/plugins/eap_ttls/eap_ttls.h
@@ -0,0 +1,59 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * Copyright (C) 2010 HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_ttls_i eap_ttls
+ * @{ @ingroup eap_ttls
+ */
+
+#ifndef EAP_TTLS_H_
+#define EAP_TTLS_H_
+
+typedef struct eap_ttls_t eap_ttls_t;
+
+#include <sa/authenticators/eap/eap_method.h>
+
+/**
+ * Implementation of eap_method_t using EAP-TTLS.
+ */
+struct eap_ttls_t {
+
+	/**
+	 * Implements eap_method_t interface.
+	 */
+	eap_method_t eap_method;
+};
+
+/**
+ * Creates the EAP method EAP-TTLS acting as server.
+ *
+ * @param server	ID of the EAP server
+ * @param peer		ID of the EAP client
+ * @return			eap_ttls_t object
+ */
+eap_ttls_t *eap_ttls_create_server(identification_t *server,
+								   identification_t *peer);
+
+/**
+ * Creates the EAP method EAP-TTLS acting as peer.
+ *
+ * @param server	ID of the EAP server
+ * @param peer		ID of the EAP client
+ * @return			eap_ttls_t object
+ */
+eap_ttls_t *eap_ttls_create_peer(identification_t *server,
+								 identification_t *peer);
+
+#endif /** EAP_TTLS_H_ @}*/
diff --git a/src/libcharon/plugins/eap_ttls/eap_ttls_avp.c b/src/libcharon/plugins/eap_ttls/eap_ttls_avp.c
new file mode 100644
index 000000000..0eb5e94be
--- /dev/null
+++ b/src/libcharon/plugins/eap_ttls/eap_ttls_avp.c
@@ -0,0 +1,187 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * Copyright (C) 2010 HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_ttls_avp.h"
+
+#include <debug.h>
+
+#define AVP_EAP_MESSAGE		79
+#define AVP_HEADER_LEN		 8
+
+typedef struct private_eap_ttls_avp_t private_eap_ttls_avp_t;
+
+/**
+ * Private data of an eap_ttls_avp_t object.
+ */
+struct private_eap_ttls_avp_t {
+
+	/**
+	 * Public eap_ttls_avp_t interface.
+	 */
+	eap_ttls_avp_t public;
+
+	/**
+	 * AVP input buffer
+	 */
+	chunk_t input;
+
+	/**
+	 * Position in input buffer
+	 */
+	size_t inpos;
+
+	/**
+	 * process header (TRUE) or body (FALSE)
+	 */
+	bool process_header;
+
+	/**
+	 * Size of AVP data
+	 */
+	size_t data_len;
+};
+
+METHOD(eap_ttls_avp_t, build, void,
+	private_eap_ttls_avp_t *this, tls_writer_t *writer, chunk_t data)
+{
+	char zero_padding[] = { 0x00, 0x00, 0x00 };
+	chunk_t   avp_padding;
+	u_int8_t  avp_flags;
+	u_int32_t avp_len;
+
+	avp_flags = 0x40;
+	avp_len = 8 + data.len;
+	avp_padding = chunk_create(zero_padding, (4 - data.len) % 4);
+
+	writer->write_uint32(writer, AVP_EAP_MESSAGE);
+	writer->write_uint8(writer, avp_flags);
+	writer->write_uint24(writer, avp_len);
+	writer->write_data(writer, data);
+	writer->write_data(writer, avp_padding);
+}
+
+METHOD(eap_ttls_avp_t, process, status_t,
+	private_eap_ttls_avp_t* this, tls_reader_t *reader, chunk_t *data)
+{
+	size_t len;
+	chunk_t buf;
+
+	if (this->process_header)
+	{
+		tls_reader_t *header;
+		u_int32_t avp_code;
+		u_int8_t  avp_flags;
+		u_int32_t avp_len;
+		bool success;
+
+		len = min(reader->remaining(reader), AVP_HEADER_LEN - this->inpos);
+		if (!reader->read_data(reader, len, &buf))
+		{
+			return FAILED;
+		}
+		if (this->input.len == 0)
+		{
+			/* start of a new AVP header */
+			this->input = chunk_alloc(AVP_HEADER_LEN);
+			memcpy(this->input.ptr, buf.ptr, len);
+			this->inpos = len;
+		}
+		else
+		{
+			memcpy(this->input.ptr + this->inpos, buf.ptr, len);
+			this->inpos += len;
+		}
+
+		if (this->inpos < AVP_HEADER_LEN)
+		{
+			return NEED_MORE;
+		}
+
+		/* parse AVP header */
+		header = tls_reader_create(this->input);
+		success = header->read_uint32(header, &avp_code) &&
+				  header->read_uint8(header, &avp_flags) &&
+				  header->read_uint24(header, &avp_len);
+		header->destroy(header);
+		chunk_free(&this->input);
+		this->inpos = 0;
+
+		if (!success)
+		{
+			DBG1(DBG_IKE, "received invalid AVP header");
+			return FAILED;
+		}
+ 		if (avp_code != AVP_EAP_MESSAGE)
+		{
+			DBG1(DBG_IKE, "expected AVP_EAP_MESSAGE but received %u", avp_code);
+			return FAILED;
+		}
+		this->process_header = FALSE;
+		this->data_len = avp_len - 8;
+		this->input = chunk_alloc(this->data_len + (4 - avp_len) % 4);
+	}
+
+	/* process AVP data */
+	len = min(reader->remaining(reader), this->input.len - this->inpos);
+	if (!reader->read_data(reader, len, &buf))
+	{
+		return FAILED;
+	}
+	memcpy(this->input.ptr + this->inpos, buf.ptr, len);
+	this->inpos += len;
+	if (this->inpos < this->input.len)
+	{
+		return NEED_MORE;
+	}
+
+	*data = this->input;
+	data->len = this->data_len;
+
+	/* preparing for next AVP */
+	this->input = chunk_empty;
+	this->inpos = 0;
+	this->process_header = TRUE;
+
+	return SUCCESS;
+}
+
+METHOD(eap_ttls_avp_t, destroy, void,
+	private_eap_ttls_avp_t *this)
+{
+	chunk_free(&this->input);
+	free(this);
+}
+
+/**
+ * See header
+ */
+eap_ttls_avp_t *eap_ttls_avp_create(void)
+{
+	private_eap_ttls_avp_t *this;
+
+	INIT(this,
+		.public= {
+			.process = _process,
+			.build = _build,
+			.destroy = _destroy,
+		},
+		.input = chunk_empty,
+		.inpos = 0,
+		.process_header = TRUE,
+		.data_len = 0,
+	);
+
+	return &this->public;
+}
diff --git a/src/libcharon/plugins/eap_ttls/eap_ttls_avp.h b/src/libcharon/plugins/eap_ttls/eap_ttls_avp.h
new file mode 100644
index 000000000..cad1d9c56
--- /dev/null
+++ b/src/libcharon/plugins/eap_ttls/eap_ttls_avp.h
@@ -0,0 +1,68 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * Copyright (C) 2010 HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_ttls_avp eap_ttls_avp
+ * @{ @ingroup eap_ttls
+ */
+
+#ifndef EAP_TTLS_AVP_H_
+#define EAP_TTLS_AVP_H_
+
+typedef struct eap_ttls_avp_t eap_ttls_avp_t;
+
+#include <library.h>
+
+#include <tls_reader.h>
+#include <tls_writer.h>
+
+/**
+ * EAP-TTLS Attribute-Value Pair (AVP) handler.
+ */
+struct eap_ttls_avp_t {
+
+	/**
+	 * Process received EAP-TTLS EAP Message AVP.
+	 *
+	 * @param reader	TLS data buffer
+	 * @param data		received EAP Message
+	 * @return
+	 *					- SUCCESS if AVP processing succeeded
+	 *					- FAILED if AVP processing failed
+	 *					- NEED_MORE if another invocation of process/build needed
+	 */
+	status_t (*process)(eap_ttls_avp_t *this, tls_reader_t *reader,
+						chunk_t *data);
+
+	/**
+	 * Build EAP-TTLS EAP Message AVP to send out.
+	 *
+	 * @param writer	TLS data buffer to write to
+	 * @param data		EAP Message to send
+	 */
+	void (*build)(eap_ttls_avp_t *this, tls_writer_t *writer, chunk_t data);
+
+	/**
+	 * Destroy a eap_ttls_application_t.
+	 */
+	void (*destroy)(eap_ttls_avp_t *this);
+};
+
+/**
+ * Create an eap_ttls_avp instance.
+ */
+eap_ttls_avp_t *eap_ttls_avp_create(void);
+
+#endif /** EAP_TTLS_AVP_H_ @}*/
diff --git a/src/libcharon/plugins/eap_ttls/eap_ttls_peer.c b/src/libcharon/plugins/eap_ttls/eap_ttls_peer.c
new file mode 100644
index 000000000..10d08ca2a
--- /dev/null
+++ b/src/libcharon/plugins/eap_ttls/eap_ttls_peer.c
@@ -0,0 +1,316 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * Copyright (C) 2010 HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_ttls_peer.h"
+#include "eap_ttls_avp.h"
+
+#include <debug.h>
+#include <daemon.h>
+
+#include <sa/authenticators/eap/eap_method.h>
+
+typedef struct private_eap_ttls_peer_t private_eap_ttls_peer_t;
+
+/**
+ * Private data of an eap_ttls_peer_t object.
+ */
+struct private_eap_ttls_peer_t {
+
+	/**
+	 * Public eap_ttls_peer_t interface.
+	 */
+	eap_ttls_peer_t public;
+
+	/**
+	 * Server identity
+	 */
+	identification_t *server;
+
+	/**
+	 * Peer identity
+	 */
+	identification_t *peer;
+
+	/**
+	 * Current EAP-TTLS state
+	 */
+	bool start_phase2;
+
+	/**
+     * Current phase 2 EAP method
+	 */
+	eap_method_t *method;
+
+	/**
+     * Pending outbound EAP message
+	 */
+	eap_payload_t *out;
+
+	/**
+	 * AVP handler
+	 */
+	eap_ttls_avp_t *avp;
+};
+
+/**
+ * EAP packet format
+ */
+typedef struct __attribute__((packed)) {
+	u_int8_t code;
+	u_int8_t identifier;
+	u_int16_t length;
+	u_int8_t type;
+	u_int8_t data;
+} eap_packet_t;
+
+#define MAX_RADIUS_ATTRIBUTE_SIZE	253
+
+METHOD(tls_application_t, process, status_t,
+	private_eap_ttls_peer_t *this, tls_reader_t *reader)
+{
+	chunk_t avp_data = chunk_empty;
+	chunk_t eap_data = chunk_empty;
+	status_t status;
+	payload_t *payload;
+	eap_payload_t *in;
+	eap_packet_t *pkt;
+	eap_code_t code;
+	eap_type_t type, received_type;
+	u_int32_t vendor, received_vendor;
+	u_int16_t eap_len;
+	size_t eap_pos = 0;
+	bool concatenated = FALSE;
+
+	do
+	{
+		status = this->avp->process(this->avp, reader, &avp_data);
+		switch (status)
+		{
+			case SUCCESS:
+				break;
+			case NEED_MORE:
+				DBG1(DBG_IKE, "need more AVP data");
+				return NEED_MORE;
+			case FAILED:
+			default:
+				return FAILED;
+		}
+
+		if (eap_data.len == 0)
+		{
+			if (avp_data.len < 4)
+			{
+				DBG1(DBG_IKE, "AVP size to small to contain EAP header");
+				chunk_free(&avp_data);
+				return FAILED;
+			}
+			pkt = (eap_packet_t*)avp_data.ptr;
+			eap_len = untoh16(&pkt->length);
+
+			if (eap_len <= avp_data.len)
+			{
+				/* standard:  EAP packet contained in a single AVP */
+				eap_data = avp_data;
+				break;
+			}
+			else if (avp_data.len == MAX_RADIUS_ATTRIBUTE_SIZE)
+			{
+				/* non-standard: EAP packet segmented into multiple AVPs */
+				eap_data = chunk_alloc(eap_len);
+				concatenated = TRUE;
+			}
+			else
+			{
+				DBG1(DBG_IKE, "non-radius segmentation of EAP packet into AVPs");
+				chunk_free(&avp_data);
+				return FAILED;
+			}
+		}
+
+		if (avp_data.len > eap_data.len - eap_pos)
+		{
+			DBG1(DBG_IKE, "AVP size to large to fit into EAP packet");
+			chunk_free(&avp_data);
+			chunk_free(&eap_data);
+			return FAILED;
+		}
+		memcpy(eap_data.ptr + eap_pos, avp_data.ptr, avp_data.len);
+		eap_pos += avp_data.len;
+		chunk_free(&avp_data);
+	}
+	while (eap_pos < eap_data.len);
+ 		
+	in = eap_payload_create_data(eap_data);
+	chunk_free(&eap_data);
+	payload = (payload_t*)in;
+
+	if (payload->verify(payload) != SUCCESS)
+	{
+		in->destroy(in);
+		return FAILED;
+	}
+	code = in->get_code(in);
+	received_type = in->get_type(in, &received_vendor);
+	DBG1(DBG_IKE, "received tunneled EAP-TTLS AVP%s [EAP/%N/%N]",
+							concatenated ? "s" : "",
+					   		eap_code_short_names, code,
+							eap_type_short_names, received_type);
+	if (code != EAP_REQUEST)
+	{
+		DBG1(DBG_IKE, "%N expected", eap_code_names, EAP_REQUEST);
+		in->destroy(in);
+		return FAILED;
+	}
+
+	if (this->method == NULL)
+	{
+		if (received_vendor)
+		{
+			DBG1(DBG_IKE, "server requested vendor specific EAP method %d-%d",
+				 received_type, received_vendor);
+		}
+		else
+		{
+			DBG1(DBG_IKE, "server requested %N authentication",
+				 eap_type_names, received_type);
+		}
+		this->method = charon->eap->create_instance(charon->eap,
+									received_type, received_vendor,
+									EAP_PEER, this->server, this->peer);
+		if (!this->method)
+		{
+			DBG1(DBG_IKE, "EAP method not supported");
+			this->out = eap_payload_create_nak(in->get_identifier(in));
+			in->destroy(in);
+			return NEED_MORE;
+		}
+	}
+
+	type = this->method->get_type(this->method, &vendor);
+
+	if (type != received_type || vendor != received_vendor)
+	{
+		DBG1(DBG_IKE, "received invalid EAP request");
+		in->destroy(in);
+		return FAILED;
+	}
+
+	status = this->method->process(this->method, in, &this->out);
+	in->destroy(in);
+
+	switch (status)
+	{
+		case SUCCESS:
+			this->method->destroy(this->method);
+			this->method = NULL;
+			return NEED_MORE;
+		case NEED_MORE:
+			if (type != EAP_TNC)
+			{
+				this->method->destroy(this->method);
+				this->method = NULL;
+			}
+			return NEED_MORE;
+		case FAILED:
+		default:
+			if (vendor)
+			{
+				DBG1(DBG_IKE, "vendor specific EAP method %d-%d failed",
+							   type, vendor);
+			}
+			else
+			{
+				DBG1(DBG_IKE, "%N method failed", eap_type_names, type);
+			}
+			return FAILED;
+	}
+}
+
+METHOD(tls_application_t, build, status_t,
+	private_eap_ttls_peer_t *this, tls_writer_t *writer)
+{
+	chunk_t data;
+	eap_code_t code;
+	eap_type_t type;
+	u_int32_t vendor;
+
+	if (this->method == NULL && this->start_phase2)
+	{
+		/* generate an EAP Identity response */
+		this->method = charon->eap->create_instance(charon->eap, EAP_IDENTITY,
+								 0,	EAP_PEER, this->server, this->peer);
+		if (this->method == NULL)
+		{
+			DBG1(DBG_IKE, "EAP_IDENTITY method not available");
+			return FAILED;
+		}
+		this->method->process(this->method, NULL, &this->out);
+		this->method->destroy(this->method);
+		this->method = NULL;
+		this->start_phase2 = FALSE;
+	}
+
+	if (this->out)
+	{
+		code = this->out->get_code(this->out);
+		type = this->out->get_type(this->out, &vendor);
+		DBG1(DBG_IKE, "sending tunneled EAP-TTLS AVP [EAP/%N/%N]",
+						eap_code_short_names, code, eap_type_short_names, type);
+
+		/* get the raw EAP message data */
+		data = this->out->get_data(this->out);
+		this->avp->build(this->avp, writer, data);
+
+		this->out->destroy(this->out);
+		this->out = NULL;
+	}
+	return INVALID_STATE;
+}
+
+METHOD(tls_application_t, destroy, void,
+	private_eap_ttls_peer_t *this)
+{
+	this->server->destroy(this->server);
+	this->peer->destroy(this->peer);
+	DESTROY_IF(this->method);
+	DESTROY_IF(this->out);
+	this->avp->destroy(this->avp);
+	free(this);
+}
+
+/**
+ * See header
+ */
+eap_ttls_peer_t *eap_ttls_peer_create(identification_t *server,
+									  identification_t *peer)
+{
+	private_eap_ttls_peer_t *this;
+
+	INIT(this,
+		.public = {
+			.application = {
+				.process = _process,
+				.build = _build,
+				.destroy = _destroy,
+			},
+		},
+		.server = server->clone(server),
+		.peer = peer->clone(peer),
+		.start_phase2 = TRUE,
+		.avp = eap_ttls_avp_create(),
+	);
+
+	return &this->public;
+}
diff --git a/src/libcharon/plugins/eap_ttls/eap_ttls_peer.h b/src/libcharon/plugins/eap_ttls/eap_ttls_peer.h
new file mode 100644
index 000000000..31fc0d9db
--- /dev/null
+++ b/src/libcharon/plugins/eap_ttls/eap_ttls_peer.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * Copyright (C) 2010 HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_ttls_peer eap_ttls_peer
+ * @{ @ingroup eap_ttls
+ */
+
+#ifndef EAP_TTLS_PEER_H_
+#define EAP_TTLS_PEER_H_
+
+typedef struct eap_ttls_peer_t eap_ttls_peer_t;
+
+#include "tls_application.h"
+
+#include <library.h>
+
+/**
+ * TLS application data handler as peer.
+ */
+struct eap_ttls_peer_t {
+
+	/**
+	 * Implements the TLS application data handler.
+	 */
+	tls_application_t application;
+};
+
+/**
+ * Create an eap_ttls_peer instance.
+ */
+eap_ttls_peer_t *eap_ttls_peer_create(identification_t *server,
+									  identification_t *peer);
+
+#endif /** EAP_TTLS_PEER_H_ @}*/
diff --git a/src/libcharon/plugins/eap_ttls/eap_ttls_plugin.c b/src/libcharon/plugins/eap_ttls/eap_ttls_plugin.c
new file mode 100644
index 000000000..48e759dcc
--- /dev/null
+++ b/src/libcharon/plugins/eap_ttls/eap_ttls_plugin.c
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * Copyright (C) 2010 HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_ttls_plugin.h"
+
+#include "eap_ttls.h"
+
+#include <daemon.h>
+
+
+METHOD(plugin_t, destroy, void,
+	eap_ttls_plugin_t *this)
+{
+	charon->eap->remove_method(charon->eap,
+							   (eap_constructor_t)eap_ttls_create_server);
+	charon->eap->remove_method(charon->eap,
+							   (eap_constructor_t)eap_ttls_create_peer);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *eap_ttls_plugin_create()
+{
+	eap_ttls_plugin_t *this;
+
+	INIT(this,
+		.plugin = {
+			.destroy = _destroy,
+		},
+	);
+
+	charon->eap->add_method(charon->eap, EAP_TTLS, 0, EAP_SERVER,
+							(eap_constructor_t)eap_ttls_create_server);
+	charon->eap->add_method(charon->eap, EAP_TTLS, 0, EAP_PEER,
+							(eap_constructor_t)eap_ttls_create_peer);
+
+	return &this->plugin;
+}
diff --git a/src/libcharon/plugins/eap_ttls/eap_ttls_plugin.h b/src/libcharon/plugins/eap_ttls/eap_ttls_plugin.h
new file mode 100644
index 000000000..2abc82931
--- /dev/null
+++ b/src/libcharon/plugins/eap_ttls/eap_ttls_plugin.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * Copyright (C) 2010 HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_ttls eap_ttls
+ * @ingroup cplugins
+ *
+ * @defgroup eap_ttls_plugin eap_ttls_plugin
+ * @{ @ingroup eap_ttls
+ */
+
+#ifndef EAP_TTLS_PLUGIN_H_
+#define EAP_TTLS_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct eap_ttls_plugin_t eap_ttls_plugin_t;
+
+/**
+ * EAP-TTLS plugin
+ */
+struct eap_ttls_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+/**
+ * Create a eap_ttls_plugin instance.
+ */
+plugin_t *eap_ttls_plugin_create();
+
+#endif /** EAP_TTLS_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/eap_ttls/eap_ttls_server.c b/src/libcharon/plugins/eap_ttls/eap_ttls_server.c
new file mode 100644
index 000000000..835cd7306
--- /dev/null
+++ b/src/libcharon/plugins/eap_ttls/eap_ttls_server.c
@@ -0,0 +1,365 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * Copyright (C) 2010 HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_ttls_server.h"
+#include "eap_ttls_avp.h"
+
+#include <debug.h>
+#include <daemon.h>
+
+#include <sa/authenticators/eap/eap_method.h>
+
+typedef struct private_eap_ttls_server_t private_eap_ttls_server_t;
+
+/**
+ * Private data of an eap_ttls_server_t object.
+ */
+struct private_eap_ttls_server_t {
+
+	/**
+	 * Public eap_ttls_server_t interface.
+	 */
+	eap_ttls_server_t public;
+
+	/**
+	 * Server identity
+	 */
+	identification_t *server;
+
+	/**
+	 * Peer identity
+	 */
+	identification_t *peer;
+
+	/**
+	 * Current EAP-TTLS phase2 state
+	 */
+	bool start_phase2;
+
+	/**
+	 * Current EAP-TTLS phase2 TNC state
+	 */
+	bool start_phase2_tnc;
+
+	/**
+     * Current phase 2 EAP method
+	 */
+	eap_method_t *method;
+
+	/**
+     * Pending outbound EAP message
+	 */
+	eap_payload_t *out;
+
+	/**
+	 * AVP handler
+	 */
+	eap_ttls_avp_t *avp;
+};
+
+/**
+ * Start EAP client authentication protocol
+ */
+static status_t start_phase2_auth(private_eap_ttls_server_t *this)
+{
+	char *eap_type_str;
+	eap_type_t type;
+
+	eap_type_str = lib->settings->get_str(lib->settings,
+					 	"charon.plugins.eap-ttls.phase2_method", "md5");
+	type = eap_type_from_string(eap_type_str);
+	if (type == 0)
+	{
+		DBG1(DBG_IKE, "unrecognized phase2 method \"%s\"", eap_type_str);
+		return FAILED;
+	}
+	DBG1(DBG_IKE, "phase2 method %N selected", eap_type_names, type);
+		this->method = charon->eap->create_instance(charon->eap, type, 0,
+								EAP_SERVER, this->server, this->peer);
+	if (this->method == NULL)
+	{
+		DBG1(DBG_IKE, "%N method not available", eap_type_names, type);
+		return FAILED;
+	}
+	if (this->method->initiate(this->method, &this->out) == NEED_MORE)
+	{
+		return NEED_MORE;
+	}
+	else
+	{
+		DBG1(DBG_IKE, "%N method failed", eap_type_names, type);
+			return FAILED;
+	}
+}
+
+/**
+ * If configured, start EAP-TNC protocol
+ */
+static status_t start_phase2_tnc(private_eap_ttls_server_t *this)
+{
+	if (this->start_phase2_tnc && lib->settings->get_bool(lib->settings,
+					 	"charon.plugins.eap-ttls.phase2_tnc", FALSE))
+	{
+		DBG1(DBG_IKE, "phase2 method %N selected", eap_type_names, EAP_TNC);
+		this->method = charon->eap->create_instance(charon->eap, EAP_TNC,
+									0, EAP_SERVER, this->server, this->peer);
+		if (this->method == NULL)
+		{
+			DBG1(DBG_IKE, "%N method not available", eap_type_names, EAP_TNC);
+			return FAILED;
+		}
+		this->start_phase2_tnc = FALSE;
+		if (this->method->initiate(this->method, &this->out) == NEED_MORE)
+		{
+			return NEED_MORE;
+		}
+		else
+		{
+			DBG1(DBG_IKE, "%N method failed", eap_type_names, EAP_TNC);
+			return FAILED;
+		}
+	}
+	return SUCCESS;
+}
+
+METHOD(tls_application_t, process, status_t,
+	private_eap_ttls_server_t *this, tls_reader_t *reader)
+{
+	chunk_t data = chunk_empty;
+	status_t status;
+	payload_t *payload;
+	eap_payload_t *in;
+	eap_code_t code;
+	eap_type_t type = EAP_NAK, received_type;
+	u_int32_t vendor, received_vendor;
+
+	status = this->avp->process(this->avp, reader, &data);
+	switch (status)
+	{
+		case SUCCESS:
+			break;
+		case NEED_MORE:
+			return NEED_MORE;
+		case FAILED:
+		default:
+			return FAILED;
+	}
+	in = eap_payload_create_data(data);
+	chunk_free(&data);
+	payload = (payload_t*)in;
+
+	if (payload->verify(payload) != SUCCESS)
+	{
+		in->destroy(in);
+		return FAILED;
+	}
+	code = in->get_code(in);
+	received_type = in->get_type(in, &received_vendor);
+	DBG1(DBG_IKE, "received tunneled EAP-TTLS AVP [EAP/%N/%N]",
+					   		eap_code_short_names, code,
+							eap_type_short_names, received_type);
+	if (code != EAP_RESPONSE)
+	{
+		DBG1(DBG_IKE, "%N expected", eap_code_names, EAP_RESPONSE);
+		in->destroy(in);
+		return FAILED;
+	}
+
+	if (this->method)
+	{
+		type = this->method->get_type(this->method, &vendor);
+
+		if (type != received_type || vendor != received_vendor)
+		{
+			if (received_vendor == 0 && received_type == EAP_NAK)
+			{
+				DBG1(DBG_IKE, "peer does not support %N", eap_type_names, type);
+			}
+			else
+			{
+				DBG1(DBG_IKE, "received invalid EAP response");
+			}
+			in->destroy(in);
+			return FAILED;
+		}
+	}
+
+	if (!received_vendor && received_type == EAP_IDENTITY)
+	{
+		chunk_t eap_id;
+
+		if (this->method == NULL)
+		{
+			/* Received an EAP Identity response without a matching request */
+			this->method = charon->eap->create_instance(charon->eap,
+											 EAP_IDENTITY, 0, EAP_SERVER,
+											 this->server, this->peer);
+			if (this->method == NULL)
+			{
+				DBG1(DBG_IKE, "%N method not available",
+							   eap_type_names, EAP_IDENTITY);
+				return FAILED;
+			}
+		}
+
+		if (this->method->process(this->method, in, &this->out) != SUCCESS)
+		{
+
+			DBG1(DBG_IKE, "%N method failed", eap_type_names, EAP_IDENTITY);
+			return FAILED;
+		}
+
+		if (this->method->get_msk(this->method, &eap_id) == SUCCESS)
+		{
+			this->peer->destroy(this->peer);
+			this->peer = identification_create_from_data(eap_id);
+			DBG1(DBG_IKE, "received EAP identity '%Y'", this->peer);
+		}
+
+		in->destroy(in);
+		this->method->destroy(this->method);
+		this->method = NULL;
+
+		/* Start Phase 2 of EAP-TTLS authentication */
+		if (lib->settings->get_bool(lib->settings,
+					 	"charon.plugins.eap-ttls.request_peer_auth", FALSE))
+		{
+			return start_phase2_tnc(this);
+		}
+		else
+		{
+			return start_phase2_auth(this);
+		}
+	}
+
+	if (this->method == 0)
+	{
+		DBG1(DBG_IKE, "no %N phase2 method installed", eap_type_names, EAP_TTLS);
+		in->destroy(in);
+		return FAILED;
+	}
+
+	status = this->method->process(this->method, in, &this->out);
+	in->destroy(in);
+
+	switch (status)
+	{
+		case SUCCESS:
+			DBG1(DBG_IKE, "%N phase2 authentication of '%Y' with %N successful",
+							eap_type_names, EAP_TTLS, this->peer,
+							eap_type_names, type);
+			this->method->destroy(this->method);
+			this->method = NULL;
+
+			/* continue phase2 with EAP-TNC? */
+			return start_phase2_tnc(this);
+		case NEED_MORE:
+			break;
+		case FAILED:
+		default:
+			if (vendor)
+			{
+				DBG1(DBG_IKE, "vendor specific EAP method %d-%d failed",
+							   type, vendor);
+			}
+			else
+			{
+				DBG1(DBG_IKE, "%N method failed", eap_type_names, type);
+			}
+			return FAILED;
+ 	}
+	return status;
+}
+
+METHOD(tls_application_t, build, status_t,
+	private_eap_ttls_server_t *this, tls_writer_t *writer)
+{
+	chunk_t data;
+	eap_code_t code;
+	eap_type_t type;
+	u_int32_t vendor;
+
+	if (this->method == NULL && this->start_phase2 &&
+		lib->settings->get_bool(lib->settings,
+			 	"charon.plugins.eap-ttls.phase2_piggyback", FALSE))
+	{
+		/* generate an EAP Identity request which will be piggybacked right
+		 * onto the TLS Finished message thus initiating EAP-TTLS phase2
+		 */
+		this->method = charon->eap->create_instance(charon->eap, EAP_IDENTITY,
+								 0,	EAP_SERVER, this->server, this->peer);
+		if (this->method == NULL)
+		{
+			DBG1(DBG_IKE, "%N method not available",
+				 eap_type_names, EAP_IDENTITY);
+			return FAILED;
+		}
+		this->method->initiate(this->method, &this->out);
+		this->start_phase2 = FALSE;
+	}
+
+	if (this->out)
+	{
+		code = this->out->get_code(this->out);
+		type = this->out->get_type(this->out, &vendor);
+		DBG1(DBG_IKE, "sending tunneled EAP-TTLS AVP [EAP/%N/%N]",
+						eap_code_short_names, code, eap_type_short_names, type);
+
+		/* get the raw EAP message data */
+		data = this->out->get_data(this->out);
+		this->avp->build(this->avp, writer, data);
+
+		this->out->destroy(this->out);
+		this->out = NULL;
+	}
+	return INVALID_STATE;
+}
+
+METHOD(tls_application_t, destroy, void,
+	private_eap_ttls_server_t *this)
+{
+	this->server->destroy(this->server);
+	this->peer->destroy(this->peer);
+	DESTROY_IF(this->method);
+	DESTROY_IF(this->out);
+	this->avp->destroy(this->avp);
+	free(this);
+}
+
+/**
+ * See header
+ */
+eap_ttls_server_t *eap_ttls_server_create(identification_t *server,
+										  identification_t *peer)
+{
+	private_eap_ttls_server_t *this;
+
+	INIT(this,
+		.public = {
+			.application = {
+				.process = _process,
+				.build = _build,
+				.destroy = _destroy,
+			},
+		},
+		.server = server->clone(server),
+		.peer = peer->clone(peer),
+		.start_phase2 = TRUE,
+		.start_phase2_tnc = TRUE,
+		.avp = eap_ttls_avp_create(),
+	);
+
+	return &this->public;
+}
diff --git a/src/libcharon/plugins/eap_ttls/eap_ttls_server.h b/src/libcharon/plugins/eap_ttls/eap_ttls_server.h
new file mode 100644
index 000000000..a66a813ec
--- /dev/null
+++ b/src/libcharon/plugins/eap_ttls/eap_ttls_server.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * Copyright (C) 2010 HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_ttls_server eap_ttls_server
+ * @{ @ingroup eap_ttls
+ */
+
+#ifndef EAP_TTLS_SERVER_H_
+#define EAP_TTLS_SERVER_H_
+
+typedef struct eap_ttls_server_t eap_ttls_server_t;
+
+#include "tls_application.h"
+
+#include <library.h>
+
+/**
+ * TLS application data handler as server.
+ */
+struct eap_ttls_server_t {
+
+	/**
+	 * Implements the TLS application data handler.
+	 */
+	tls_application_t application;
+};
+
+/**
+ * Create an eap_ttls_server instance.
+ */
+eap_ttls_server_t *eap_ttls_server_create(identification_t *server,
+										  identification_t *peer);
+
+#endif /** EAP_TTLS_SERVER_H_ @}*/
diff --git a/src/libcharon/plugins/farp/Makefile.in b/src/libcharon/plugins/farp/Makefile.in
index 47952b99e..bfd50d6da 100644
--- a/src/libcharon/plugins/farp/Makefile.in
+++ b/src/libcharon/plugins/farp/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -165,6 +166,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -196,14 +199,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -218,24 +224,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -243,7 +256,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libcharon/plugins/farp/farp_plugin.c b/src/libcharon/plugins/farp/farp_plugin.c
index 01c2a39c8..d83bc1fd2 100644
--- a/src/libcharon/plugins/farp/farp_plugin.c
+++ b/src/libcharon/plugins/farp/farp_plugin.c
@@ -60,7 +60,11 @@ plugin_t *farp_plugin_create()
 	private_farp_plugin_t *this;
 
 	INIT(this,
-		.public.plugin.destroy = _destroy,
+		.public = {
+			.plugin = {
+				.destroy = _destroy,
+			},
+		},
 		.listener = farp_listener_create(),
 	);
 
diff --git a/src/libcharon/plugins/farp/farp_spoofer.c b/src/libcharon/plugins/farp/farp_spoofer.c
index 20bb44fd3..a904a6538 100644
--- a/src/libcharon/plugins/farp/farp_spoofer.c
+++ b/src/libcharon/plugins/farp/farp_spoofer.c
@@ -191,7 +191,7 @@ farp_spoofer_t *farp_spoofer_create(farp_listener_t *listener)
 
 	this->job = callback_job_create((callback_job_cb_t)receive_arp,
 									this, NULL, NULL);
-	charon->processor->queue_job(charon->processor, (job_t*)this->job);
+	lib->processor->queue_job(lib->processor, (job_t*)this->job);
 
 	return &this->public;
 }
diff --git a/src/libcharon/plugins/ha/Makefile.in b/src/libcharon/plugins/ha/Makefile.in
index 5ca9b464b..3600eb7c6 100644
--- a/src/libcharon/plugins/ha/Makefile.in
+++ b/src/libcharon/plugins/ha/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -167,6 +168,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -198,14 +201,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -220,24 +226,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -245,7 +258,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libcharon/plugins/ha/ha_cache.c b/src/libcharon/plugins/ha/ha_cache.c
index 1ebc33ca4..9ff3fd5ff 100644
--- a/src/libcharon/plugins/ha/ha_cache.c
+++ b/src/libcharon/plugins/ha/ha_cache.c
@@ -354,7 +354,7 @@ ha_cache_t *ha_cache_create(ha_kernel_t *kernel, ha_socket_t *socket,
 	if (sync)
 	{
 		/* request a resync as soon as we are up */
-		charon->scheduler->schedule_job(charon->scheduler, (job_t*)
+		lib->scheduler->schedule_job(lib->scheduler, (job_t*)
 						callback_job_create((callback_job_cb_t)request_resync,
 											this, NULL, NULL), 1);
 	}
diff --git a/src/libcharon/plugins/ha/ha_ctl.c b/src/libcharon/plugins/ha/ha_ctl.c
index e188a8484..980c0551a 100644
--- a/src/libcharon/plugins/ha/ha_ctl.c
+++ b/src/libcharon/plugins/ha/ha_ctl.c
@@ -114,6 +114,7 @@ METHOD(ha_ctl_t, destroy, void,
 ha_ctl_t *ha_ctl_create(ha_segments_t *segments, ha_cache_t *cache)
 {
 	private_ha_ctl_t *this;
+	mode_t old;
 
 	INIT(this,
 		.public = {
@@ -125,16 +126,23 @@ ha_ctl_t *ha_ctl_create(ha_segments_t *segments, ha_cache_t *cache)
 
 	if (access(HA_FIFO, R_OK|W_OK) != 0)
 	{
-		if (mkfifo(HA_FIFO, 600) != 0)
+		old = umask(~(S_IRWXU | S_IRWXG));
+		if (mkfifo(HA_FIFO, S_IRUSR | S_IWUSR) != 0)
 		{
 			DBG1(DBG_CFG, "creating HA FIFO %s failed: %s",
 				 HA_FIFO, strerror(errno));
 		}
+		umask(old);
+	}
+	if (chown(HA_FIFO, charon->uid, charon->gid) != 0)
+	{
+		DBG1(DBG_CFG, "changing HA FIFO permissions failed: %s",
+			 strerror(errno));
 	}
 
 	this->job = callback_job_create((callback_job_cb_t)dispatch_fifo,
 									this, NULL, NULL);
-	charon->processor->queue_job(charon->processor, (job_t*)this->job);
+	lib->processor->queue_job(lib->processor, (job_t*)this->job);
 	return &this->public;
 }
 
diff --git a/src/libcharon/plugins/ha/ha_dispatcher.c b/src/libcharon/plugins/ha/ha_dispatcher.c
index 3bc426ea0..b46a221bd 100644
--- a/src/libcharon/plugins/ha/ha_dispatcher.c
+++ b/src/libcharon/plugins/ha/ha_dispatcher.c
@@ -136,7 +136,7 @@ static void process_ike_add(private_ha_dispatcher_t *this, ha_message_t *message
 		diffie_hellman_t dh = { .get_shared_secret = get_shared_secret,
 								.destroy = (void*)&secret };
 
-		proposal = proposal_create(PROTO_IKE);
+		proposal = proposal_create(PROTO_IKE, 0);
 		keymat = ike_sa->get_keymat(ike_sa);
 		if (integ)
 		{
@@ -549,7 +549,7 @@ static void process_child_add(private_ha_dispatcher_t *this,
 	child_sa->set_protocol(child_sa, PROTO_ESP);
 	child_sa->set_ipcomp(child_sa, ipcomp);
 
-	proposal = proposal_create(PROTO_ESP);
+	proposal = proposal_create(PROTO_ESP, 0);
 	if (integ)
 	{
 		proposal->add_algorithm(proposal, INTEGRITY_ALGORITHM, integ, 0);
@@ -869,7 +869,7 @@ ha_dispatcher_t *ha_dispatcher_create(ha_socket_t *socket,
 	);
 	this->job = callback_job_create((callback_job_cb_t)dispatch,
 									this, NULL, NULL);
-	charon->processor->queue_job(charon->processor, (job_t*)this->job);
+	lib->processor->queue_job(lib->processor, (job_t*)this->job);
 
 	return &this->public;
 }
diff --git a/src/libcharon/plugins/ha/ha_kernel.c b/src/libcharon/plugins/ha/ha_kernel.c
index 10a63453a..56bdbf454 100644
--- a/src/libcharon/plugins/ha/ha_kernel.c
+++ b/src/libcharon/plugins/ha/ha_kernel.c
@@ -216,6 +216,11 @@ static void disable_all(private_ha_kernel_t *this)
 	enumerator = enumerator_create_directory(CLUSTERIP_DIR);
 	while (enumerator->enumerate(enumerator, NULL, &file, NULL))
 	{
+		if (chown(file, charon->uid, charon->gid) != 0)
+		{
+			DBG1(DBG_CFG, "changing ClusterIP permissions failed: %s",
+				 strerror(errno));
+		}
 		active = get_active(this, file);
 		for (i = 1; i <= this->count; i++)
 		{
diff --git a/src/libcharon/plugins/ha/ha_plugin.c b/src/libcharon/plugins/ha/ha_plugin.c
index e722b4f3a..581294e60 100644
--- a/src/libcharon/plugins/ha/ha_plugin.c
+++ b/src/libcharon/plugins/ha/ha_plugin.c
@@ -142,7 +142,11 @@ plugin_t *ha_plugin_create()
 	}
 
 	INIT(this,
-		.public.plugin.destroy = _destroy,
+		.public = {
+			.plugin = {
+				.destroy = _destroy,
+			},
+		},
 	);
 
 	if (secret)
diff --git a/src/libcharon/plugins/ha/ha_segments.c b/src/libcharon/plugins/ha/ha_segments.c
index be2d7e428..19e0f692e 100644
--- a/src/libcharon/plugins/ha/ha_segments.c
+++ b/src/libcharon/plugins/ha/ha_segments.c
@@ -283,7 +283,7 @@ static void start_watchdog(private_ha_segments_t *this)
 {
 	this->job = callback_job_create((callback_job_cb_t)watchdog,
 									this, NULL, NULL);
-	charon->processor->queue_job(charon->processor, (job_t*)this->job);
+	lib->processor->queue_job(lib->processor, (job_t*)this->job);
 }
 
 METHOD(ha_segments_t, handle_status, void,
@@ -345,7 +345,7 @@ static job_requeue_t send_status(private_ha_segments_t *this)
 	message->destroy(message);
 
 	/* schedule next invocation */
-	charon->scheduler->schedule_job_ms(charon->scheduler, (job_t*)
+	lib->scheduler->schedule_job_ms(lib->scheduler, (job_t*)
 									callback_job_create((callback_job_cb_t)
 										send_status, this, NULL, NULL),
 									this->heartbeat_delay);
@@ -382,7 +382,9 @@ ha_segments_t *ha_segments_create(ha_socket_t *socket, ha_kernel_t *kernel,
 
 	INIT(this,
 		.public = {
-			.listener.alert = _alert_hook,
+			.listener = {
+				.alert = _alert_hook,
+			},
 			.activate = _activate,
 			.deactivate = _deactivate,
 			.handle_status = _handle_status,
diff --git a/src/libcharon/plugins/ha/ha_socket.c b/src/libcharon/plugins/ha/ha_socket.c
index 21e6eb6d5..614c70ed3 100644
--- a/src/libcharon/plugins/ha/ha_socket.c
+++ b/src/libcharon/plugins/ha/ha_socket.c
@@ -107,7 +107,7 @@ METHOD(ha_socket_t, push, void,
 
 			job = callback_job_create((callback_job_cb_t)send_message,
 									  data, (void*)job_data_destroy, NULL);
-			charon->processor->queue_job(charon->processor, (job_t*)job);
+			lib->processor->queue_job(lib->processor, (job_t*)job);
 			return;
 		}
 		DBG1(DBG_CFG, "pushing HA message failed: %s", strerror(errno));
diff --git a/src/libcharon/plugins/kernel_klips/Makefile.am b/src/libcharon/plugins/kernel_klips/Makefile.am
deleted file mode 100644
index 540bbe106..000000000
--- a/src/libcharon/plugins/kernel_klips/Makefile.am
+++ /dev/null
@@ -1,17 +0,0 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon
-
-AM_CFLAGS = -rdynamic
-
-if MONOLITHIC
-noinst_LTLIBRARIES = libstrongswan-kernel-klips.la
-else
-plugin_LTLIBRARIES = libstrongswan-kernel-klips.la
-endif
-
-libstrongswan_kernel_klips_la_SOURCES = \
-	kernel_klips_plugin.h kernel_klips_plugin.c \
-	kernel_klips_ipsec.h kernel_klips_ipsec.c pfkeyv2.h
-
-libstrongswan_kernel_klips_la_LDFLAGS = -module -avoid-version
diff --git a/src/libcharon/plugins/kernel_klips/Makefile.in b/src/libcharon/plugins/kernel_klips/Makefile.in
deleted file mode 100644
index 9cac89ec3..000000000
--- a/src/libcharon/plugins/kernel_klips/Makefile.in
+++ /dev/null
@@ -1,590 +0,0 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
-# @configure_input@
-
-# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
-# This Makefile.in is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
-# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
-# PARTICULAR PURPOSE.
-
-@SET_MAKE@
-
-VPATH = @srcdir@
-pkgdatadir = $(datadir)/@PACKAGE@
-pkgincludedir = $(includedir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
-pkglibexecdir = $(libexecdir)/@PACKAGE@
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-install_sh_DATA = $(install_sh) -c -m 644
-install_sh_PROGRAM = $(install_sh) -c
-install_sh_SCRIPT = $(install_sh) -c
-INSTALL_HEADER = $(INSTALL_DATA)
-transform = $(program_transform_name)
-NORMAL_INSTALL = :
-PRE_INSTALL = :
-POST_INSTALL = :
-NORMAL_UNINSTALL = :
-PRE_UNINSTALL = :
-POST_UNINSTALL = :
-build_triplet = @build@
-host_triplet = @host@
-subdir = src/libcharon/plugins/kernel_klips
-DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
-ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
-	$(top_srcdir)/m4/config/ltoptions.m4 \
-	$(top_srcdir)/m4/config/ltsugar.m4 \
-	$(top_srcdir)/m4/config/ltversion.m4 \
-	$(top_srcdir)/m4/config/lt~obsolete.m4 \
-	$(top_srcdir)/m4/macros/with.m4 \
-	$(top_srcdir)/m4/macros/enable-disable.m4 \
-	$(top_srcdir)/configure.in
-am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
-	$(ACLOCAL_M4)
-mkinstalldirs = $(install_sh) -d
-CONFIG_CLEAN_FILES =
-CONFIG_CLEAN_VPATH_FILES =
-am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
-am__vpath_adj = case $$p in \
-    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
-    *) f=$$p;; \
-  esac;
-am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
-am__install_max = 40
-am__nobase_strip_setup = \
-  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
-am__nobase_strip = \
-  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
-am__nobase_list = $(am__nobase_strip_setup); \
-  for p in $$list; do echo "$$p $$p"; done | \
-  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
-  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
-    if (++n[$$2] == $(am__install_max)) \
-      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
-    END { for (dir in files) print dir, files[dir] }'
-am__base_list = \
-  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
-  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
-am__installdirs = "$(DESTDIR)$(plugindir)"
-LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
-libstrongswan_kernel_klips_la_LIBADD =
-am_libstrongswan_kernel_klips_la_OBJECTS = kernel_klips_plugin.lo \
-	kernel_klips_ipsec.lo
-libstrongswan_kernel_klips_la_OBJECTS =  \
-	$(am_libstrongswan_kernel_klips_la_OBJECTS)
-libstrongswan_kernel_klips_la_LINK = $(LIBTOOL) --tag=CC \
-	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
-	$(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_kernel_klips_la_LDFLAGS) $(LDFLAGS) -o $@
-@MONOLITHIC_FALSE@am_libstrongswan_kernel_klips_la_rpath = -rpath \
-@MONOLITHIC_FALSE@	$(plugindir)
-@MONOLITHIC_TRUE@am_libstrongswan_kernel_klips_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
-depcomp = $(SHELL) $(top_srcdir)/depcomp
-am__depfiles_maybe = depfiles
-am__mv = mv -f
-COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
-	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
-SOURCES = $(libstrongswan_kernel_klips_la_SOURCES)
-DIST_SOURCES = $(libstrongswan_kernel_klips_la_SOURCES)
-ETAGS = etags
-CTAGS = ctags
-DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
-ACLOCAL = @ACLOCAL@
-ALLOCA = @ALLOCA@
-AMTAR = @AMTAR@
-AR = @AR@
-AUTOCONF = @AUTOCONF@
-AUTOHEADER = @AUTOHEADER@
-AUTOMAKE = @AUTOMAKE@
-AWK = @AWK@
-BTLIB = @BTLIB@
-CC = @CC@
-CCDEPMODE = @CCDEPMODE@
-CFLAGS = @CFLAGS@
-CPP = @CPP@
-CPPFLAGS = @CPPFLAGS@
-CYGPATH_W = @CYGPATH_W@
-DEFS = @DEFS@
-DEPDIR = @DEPDIR@
-DLLIB = @DLLIB@
-DSYMUTIL = @DSYMUTIL@
-DUMPBIN = @DUMPBIN@
-ECHO_C = @ECHO_C@
-ECHO_N = @ECHO_N@
-ECHO_T = @ECHO_T@
-EGREP = @EGREP@
-EXEEXT = @EXEEXT@
-FGREP = @FGREP@
-GPERF = @GPERF@
-GREP = @GREP@
-INSTALL = @INSTALL@
-INSTALL_DATA = @INSTALL_DATA@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@
-INSTALL_SCRIPT = @INSTALL_SCRIPT@
-INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-LD = @LD@
-LDFLAGS = @LDFLAGS@
-LEX = @LEX@
-LEXLIB = @LEXLIB@
-LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBOBJS = @LIBOBJS@
-LIBS = @LIBS@
-LIBTOOL = @LIBTOOL@
-LIPO = @LIPO@
-LN_S = @LN_S@
-LTLIBOBJS = @LTLIBOBJS@
-MAKEINFO = @MAKEINFO@
-MKDIR_P = @MKDIR_P@
-MYSQLCFLAG = @MYSQLCFLAG@
-MYSQLCONFIG = @MYSQLCONFIG@
-MYSQLLIB = @MYSQLLIB@
-NM = @NM@
-NMEDIT = @NMEDIT@
-OBJDUMP = @OBJDUMP@
-OBJEXT = @OBJEXT@
-OTOOL = @OTOOL@
-OTOOL64 = @OTOOL64@
-PACKAGE = @PACKAGE@
-PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
-PACKAGE_NAME = @PACKAGE_NAME@
-PACKAGE_STRING = @PACKAGE_STRING@
-PACKAGE_TARNAME = @PACKAGE_TARNAME@
-PACKAGE_URL = @PACKAGE_URL@
-PACKAGE_VERSION = @PACKAGE_VERSION@
-PATH_SEPARATOR = @PATH_SEPARATOR@
-PERL = @PERL@
-PKG_CONFIG = @PKG_CONFIG@
-PTHREADLIB = @PTHREADLIB@
-RANLIB = @RANLIB@
-RTLIB = @RTLIB@
-RUBY = @RUBY@
-RUBYINCLUDE = @RUBYINCLUDE@
-SED = @SED@
-SET_MAKE = @SET_MAKE@
-SHELL = @SHELL@
-SOCKLIB = @SOCKLIB@
-STRIP = @STRIP@
-VERSION = @VERSION@
-YACC = @YACC@
-YFLAGS = @YFLAGS@
-abs_builddir = @abs_builddir@
-abs_srcdir = @abs_srcdir@
-abs_top_builddir = @abs_top_builddir@
-abs_top_srcdir = @abs_top_srcdir@
-ac_ct_CC = @ac_ct_CC@
-ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
-am__include = @am__include@
-am__leading_dot = @am__leading_dot@
-am__quote = @am__quote@
-am__tar = @am__tar@
-am__untar = @am__untar@
-bindir = @bindir@
-build = @build@
-build_alias = @build_alias@
-build_cpu = @build_cpu@
-build_os = @build_os@
-build_vendor = @build_vendor@
-builddir = @builddir@
-datadir = @datadir@
-datarootdir = @datarootdir@
-default_pkcs11 = @default_pkcs11@
-docdir = @docdir@
-dvidir = @dvidir@
-exec_prefix = @exec_prefix@
-gtk_CFLAGS = @gtk_CFLAGS@
-gtk_LIBS = @gtk_LIBS@
-host = @host@
-host_alias = @host_alias@
-host_cpu = @host_cpu@
-host_os = @host_os@
-host_vendor = @host_vendor@
-htmldir = @htmldir@
-includedir = @includedir@
-infodir = @infodir@
-install_sh = @install_sh@
-ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
-ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
-ipsecuser = @ipsecuser@
-libdir = @libdir@
-libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
-linux_headers = @linux_headers@
-localedir = @localedir@
-localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
-mandir = @mandir@
-mkdir_p = @mkdir_p@
-nm_CFLAGS = @nm_CFLAGS@
-nm_LIBS = @nm_LIBS@
-nm_ca_dir = @nm_ca_dir@
-oldincludedir = @oldincludedir@
-pdfdir = @pdfdir@
-piddir = @piddir@
-plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
-prefix = @prefix@
-program_transform_name = @program_transform_name@
-psdir = @psdir@
-random_device = @random_device@
-resolv_conf = @resolv_conf@
-routing_table = @routing_table@
-routing_table_prio = @routing_table_prio@
-sbindir = @sbindir@
-sharedstatedir = @sharedstatedir@
-srcdir = @srcdir@
-strongswan_conf = @strongswan_conf@
-sysconfdir = @sysconfdir@
-target_alias = @target_alias@
-top_build_prefix = @top_build_prefix@
-top_builddir = @top_builddir@
-top_srcdir = @top_srcdir@
-urandom_device = @urandom_device@
-xml_CFLAGS = @xml_CFLAGS@
-xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon
-
-AM_CFLAGS = -rdynamic
-@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-kernel-klips.la
-@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-kernel-klips.la
-libstrongswan_kernel_klips_la_SOURCES = \
-	kernel_klips_plugin.h kernel_klips_plugin.c \
-	kernel_klips_ipsec.h kernel_klips_ipsec.c pfkeyv2.h
-
-libstrongswan_kernel_klips_la_LDFLAGS = -module -avoid-version
-all: all-am
-
-.SUFFIXES:
-.SUFFIXES: .c .lo .o .obj
-$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
-	@for dep in $?; do \
-	  case '$(am__configure_deps)' in \
-	    *$$dep*) \
-	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
-	        && { if test -f $@; then exit 0; else break; fi; }; \
-	      exit 1;; \
-	  esac; \
-	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/kernel_klips/Makefile'; \
-	$(am__cd) $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu src/libcharon/plugins/kernel_klips/Makefile
-.PRECIOUS: Makefile
-Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
-	@case '$?' in \
-	  *config.status*) \
-	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
-	  *) \
-	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
-	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
-	esac;
-
-$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-
-$(top_srcdir)/configure:  $(am__configure_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(am__aclocal_m4_deps):
-
-clean-noinstLTLIBRARIES:
-	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
-	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
-	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
-	  test "$$dir" != "$$p" || dir=.; \
-	  echo "rm -f \"$${dir}/so_locations\""; \
-	  rm -f "$${dir}/so_locations"; \
-	done
-install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
-	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
-	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
-	list2=; for p in $$list; do \
-	  if test -f $$p; then \
-	    list2="$$list2 $$p"; \
-	  else :; fi; \
-	done; \
-	test -z "$$list2" || { \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
-	}
-
-uninstall-pluginLTLIBRARIES:
-	@$(NORMAL_UNINSTALL)
-	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
-	for p in $$list; do \
-	  $(am__strip_dir) \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
-	done
-
-clean-pluginLTLIBRARIES:
-	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
-	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
-	  test "$$dir" != "$$p" || dir=.; \
-	  echo "rm -f \"$${dir}/so_locations\""; \
-	  rm -f "$${dir}/so_locations"; \
-	done
-libstrongswan-kernel-klips.la: $(libstrongswan_kernel_klips_la_OBJECTS) $(libstrongswan_kernel_klips_la_DEPENDENCIES) 
-	$(libstrongswan_kernel_klips_la_LINK) $(am_libstrongswan_kernel_klips_la_rpath) $(libstrongswan_kernel_klips_la_OBJECTS) $(libstrongswan_kernel_klips_la_LIBADD) $(LIBS)
-
-mostlyclean-compile:
-	-rm -f *.$(OBJEXT)
-
-distclean-compile:
-	-rm -f *.tab.c
-
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_klips_ipsec.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_klips_plugin.Plo@am__quote@
-
-.c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
-
-.c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
-
-.c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
-
-mostlyclean-libtool:
-	-rm -f *.lo
-
-clean-libtool:
-	-rm -rf .libs _libs
-
-ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
-	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	mkid -fID $$unique
-tags: TAGS
-
-TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	set x; \
-	here=`pwd`; \
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	shift; \
-	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
-	  test -n "$$unique" || unique=$$empty_fix; \
-	  if test $$# -gt 0; then \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      "$$@" $$unique; \
-	  else \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      $$unique; \
-	  fi; \
-	fi
-ctags: CTAGS
-CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$unique" \
-	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$unique
-
-GTAGS:
-	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && $(am__cd) $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) "$$here"
-
-distclean-tags:
-	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
-
-distdir: $(DISTFILES)
-	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	list='$(DISTFILES)'; \
-	  dist_files=`for file in $$list; do echo $$file; done | \
-	  sed -e "s|^$$srcdirstrip/||;t" \
-	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
-	case $$dist_files in \
-	  */*) $(MKDIR_P) `echo "$$dist_files" | \
-			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
-			   sort -u` ;; \
-	esac; \
-	for file in $$dist_files; do \
-	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  if test -d $$d/$$file; then \
-	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
-	    if test -d "$(distdir)/$$file"; then \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
-	  else \
-	    test -f "$(distdir)/$$file" \
-	    || cp -p $$d/$$file "$(distdir)/$$file" \
-	    || exit 1; \
-	  fi; \
-	done
-check-am: all-am
-check: check-am
-all-am: Makefile $(LTLIBRARIES)
-installdirs:
-	for dir in "$(DESTDIR)$(plugindir)"; do \
-	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
-	done
-install: install-am
-install-exec: install-exec-am
-install-data: install-data-am
-uninstall: uninstall-am
-
-install-am: all-am
-	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
-
-installcheck: installcheck-am
-install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
-mostlyclean-generic:
-
-clean-generic:
-
-distclean-generic:
-	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
-
-maintainer-clean-generic:
-	@echo "This command is intended for maintainers to use"
-	@echo "it deletes files that may require special tools to rebuild."
-clean: clean-am
-
-clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
-	clean-pluginLTLIBRARIES mostlyclean-am
-
-distclean: distclean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-distclean-am: clean-am distclean-compile distclean-generic \
-	distclean-tags
-
-dvi: dvi-am
-
-dvi-am:
-
-html: html-am
-
-html-am:
-
-info: info-am
-
-info-am:
-
-install-data-am: install-pluginLTLIBRARIES
-
-install-dvi: install-dvi-am
-
-install-dvi-am:
-
-install-exec-am:
-
-install-html: install-html-am
-
-install-html-am:
-
-install-info: install-info-am
-
-install-info-am:
-
-install-man:
-
-install-pdf: install-pdf-am
-
-install-pdf-am:
-
-install-ps: install-ps-am
-
-install-ps-am:
-
-installcheck-am:
-
-maintainer-clean: maintainer-clean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-maintainer-clean-am: distclean-am maintainer-clean-generic
-
-mostlyclean: mostlyclean-am
-
-mostlyclean-am: mostlyclean-compile mostlyclean-generic \
-	mostlyclean-libtool
-
-pdf: pdf-am
-
-pdf-am:
-
-ps: ps-am
-
-ps-am:
-
-uninstall-am: uninstall-pluginLTLIBRARIES
-
-.MAKE: install-am install-strip
-
-.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
-	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
-	ctags distclean distclean-compile distclean-generic \
-	distclean-libtool distclean-tags distdir dvi dvi-am html \
-	html-am info info-am install install-am install-data \
-	install-data-am install-dvi install-dvi-am install-exec \
-	install-exec-am install-html install-html-am install-info \
-	install-info-am install-man install-pdf install-pdf-am \
-	install-pluginLTLIBRARIES install-ps install-ps-am \
-	install-strip installcheck installcheck-am installdirs \
-	maintainer-clean maintainer-clean-generic mostlyclean \
-	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
-	pdf pdf-am ps ps-am tags uninstall uninstall-am \
-	uninstall-pluginLTLIBRARIES
-
-
-# Tell versions [3.59,3.63) of GNU make to not export all variables.
-# Otherwise a system limit (for SysV at least) may be exceeded.
-.NOEXPORT:
diff --git a/src/libcharon/plugins/kernel_klips/kernel_klips_ipsec.c b/src/libcharon/plugins/kernel_klips/kernel_klips_ipsec.c
deleted file mode 100644
index 6b5aeb342..000000000
--- a/src/libcharon/plugins/kernel_klips/kernel_klips_ipsec.c
+++ /dev/null
@@ -1,2660 +0,0 @@
-/*
- * Copyright (C) 2008 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <sys/ioctl.h>
-#include <stdint.h>
-#include "pfkeyv2.h"
-#include <linux/udp.h>
-#include <net/if.h>
-#include <unistd.h>
-#include <stdio.h>
-#include <string.h>
-#include <time.h>
-#include <errno.h>
-
-#include "kernel_klips_ipsec.h"
-
-#include <daemon.h>
-#include <threading/thread.h>
-#include <threading/mutex.h>
-#include <processing/jobs/callback_job.h>
-#include <processing/jobs/acquire_job.h>
-#include <processing/jobs/rekey_child_sa_job.h>
-#include <processing/jobs/delete_child_sa_job.h>
-#include <processing/jobs/update_sa_job.h>
-
-/** default timeout for generated SPIs (in seconds) */
-#define SPI_TIMEOUT 30
-
-/** buffer size for PF_KEY messages */
-#define PFKEY_BUFFER_SIZE 2048
-
-/** PF_KEY messages are 64 bit aligned */
-#define PFKEY_ALIGNMENT 8
-/** aligns len to 64 bits */
-#define PFKEY_ALIGN(len) (((len) + PFKEY_ALIGNMENT - 1) & ~(PFKEY_ALIGNMENT - 1))
-/** calculates the properly padded length in 64 bit chunks */
-#define PFKEY_LEN(len) ((PFKEY_ALIGN(len) / PFKEY_ALIGNMENT))
-/** calculates user mode length i.e. in bytes */
-#define PFKEY_USER_LEN(len) ((len) * PFKEY_ALIGNMENT)
-
-/** given a PF_KEY message header and an extension this updates the length in the header */
-#define PFKEY_EXT_ADD(msg, ext) ((msg)->sadb_msg_len += ((struct sadb_ext*)ext)->sadb_ext_len)
-/** given a PF_KEY message header this returns a pointer to the next extension */
-#define PFKEY_EXT_ADD_NEXT(msg) ((struct sadb_ext*)(((char*)(msg)) + PFKEY_USER_LEN((msg)->sadb_msg_len)))
-/** copy an extension and append it to a PF_KEY message */
-#define PFKEY_EXT_COPY(msg, ext) (PFKEY_EXT_ADD(msg, memcpy(PFKEY_EXT_ADD_NEXT(msg), ext, PFKEY_USER_LEN(((struct sadb_ext*)ext)->sadb_ext_len))))
-/** given a PF_KEY extension this returns a pointer to the next extension */
-#define PFKEY_EXT_NEXT(ext) ((struct sadb_ext*)(((char*)(ext)) + PFKEY_USER_LEN(((struct sadb_ext*)ext)->sadb_ext_len)))
-/** given a PF_KEY extension this returns a pointer to the next extension also updates len (len in 64 bit words) */
-#define PFKEY_EXT_NEXT_LEN(ext,len) ((len) -= (ext)->sadb_ext_len, PFKEY_EXT_NEXT(ext))
-/** true if ext has a valid length and len is large enough to contain ext (assuming len in 64 bit words) */
-#define PFKEY_EXT_OK(ext,len) ((len) >= PFKEY_LEN(sizeof(struct sadb_ext)) && \
-				(ext)->sadb_ext_len >= PFKEY_LEN(sizeof(struct sadb_ext)) && \
-				(ext)->sadb_ext_len <= (len))
-
-/** special SPI values used for policies in KLIPS */
-#define SPI_PASS 256
-#define SPI_DROP 257
-#define SPI_REJECT 258
-#define SPI_HOLD 259
-#define SPI_TRAP 260
-#define SPI_TRAPSUBNET 261
-
-/** the prefix of the name of KLIPS ipsec devices */
-#define IPSEC_DEV_PREFIX "ipsec"
-/** this is the default number of ipsec devices */
-#define DEFAULT_IPSEC_DEV_COUNT 4
-/** TRUE if the given name matches an ipsec device */
-#define IS_IPSEC_DEV(name) (strneq((name), IPSEC_DEV_PREFIX, sizeof(IPSEC_DEV_PREFIX) - 1))
-
-/** the following stuff is from ipsec_tunnel.h */
-struct ipsectunnelconf
-{
-	__u32	cf_cmd;
-	union
-	{
-		char	cfu_name[12];
-	} cf_u;
-#define cf_name cf_u.cfu_name
-};
-
-#define IPSEC_SET_DEV (SIOCDEVPRIVATE)
-#define IPSEC_DEL_DEV (SIOCDEVPRIVATE + 1)
-#define IPSEC_CLR_DEV (SIOCDEVPRIVATE + 2)
-
-typedef struct private_kernel_klips_ipsec_t private_kernel_klips_ipsec_t;
-
-/**
- * Private variables and functions of kernel_klips class.
- */
-struct private_kernel_klips_ipsec_t
-{
-	/**
-	 * Public part of the kernel_klips_t object.
-	 */
-	kernel_klips_ipsec_t public;
-
-	/**
-	 * mutex to lock access to various lists
-	 */
-	mutex_t *mutex;
-
-	/**
-	 * List of installed policies (policy_entry_t)
-	 */
-	linked_list_t *policies;
-
-	/**
-	 * List of allocated SPIs without installed SA (sa_entry_t)
-	 */
-	linked_list_t *allocated_spis;
-
-	/**
-	 * List of installed SAs (sa_entry_t)
-	 */
-	linked_list_t *installed_sas;
-
-	/**
-	 * whether to install routes along policies
-	 */
-	bool install_routes;
-
-	/**
-	 * List of ipsec devices (ipsec_dev_t)
-	 */
-	linked_list_t *ipsec_devices;
-
-	/**
-	 * job receiving PF_KEY events
-	 */
-	callback_job_t *job;
-
-	/**
-	 * mutex to lock access to the PF_KEY socket
-	 */
-	mutex_t *mutex_pfkey;
-
-	/**
-	 * PF_KEY socket to communicate with the kernel
-	 */
-	int socket;
-
-	/**
-	 * PF_KEY socket to receive acquire and expire events
-	 */
-	int socket_events;
-
-	/**
-	 * sequence number for messages sent to the kernel
-	 */
-	int seq;
-
-};
-
-
-typedef struct ipsec_dev_t ipsec_dev_t;
-
-/**
- * ipsec device
- */
-struct ipsec_dev_t {
-	/** name of the virtual ipsec interface */
-	char name[IFNAMSIZ];
-
-	/** name of the physical interface */
-	char phys_name[IFNAMSIZ];
-
-	/** by how many CHILD_SA's this ipsec device is used */
-	u_int refcount;
-};
-
-/**
- * compare the given name with the virtual device name
- */
-static inline bool ipsec_dev_match_byname(ipsec_dev_t *current, char *name)
-{
-	return name && streq(current->name, name);
-}
-
-/**
- * compare the given name with the physical device name
- */
-static inline bool ipsec_dev_match_byphys(ipsec_dev_t *current, char *name)
-{
-	return name && streq(current->phys_name, name);
-}
-
-/**
- * matches free ipsec devices
- */
-static inline bool ipsec_dev_match_free(ipsec_dev_t *current)
-{
-	return current->refcount == 0;
-}
-
-/**
- * tries to find an ipsec_dev_t object by name
- */
-static status_t find_ipsec_dev(private_kernel_klips_ipsec_t *this, char *name,
-							   ipsec_dev_t **dev)
-{
-	linked_list_match_t match = (linked_list_match_t)(IS_IPSEC_DEV(name) ?
-								ipsec_dev_match_byname : ipsec_dev_match_byphys);
-	return this->ipsec_devices->find_first(this->ipsec_devices, match,
-												(void**)dev, name);
-}
-
-/**
- * attach an ipsec device to a physical interface
- */
-static status_t attach_ipsec_dev(char* name, char *phys_name)
-{
-	int sock;
-	struct ifreq req;
-	struct ipsectunnelconf *itc = (struct ipsectunnelconf*)&req.ifr_data;
-	short phys_flags;
-	int mtu;
-
-	DBG2(DBG_KNL, "attaching virtual interface %s to %s", name, phys_name);
-
-	if ((sock = socket(AF_INET, SOCK_DGRAM, 0)) <= 0)
-	{
-		return FAILED;
-	}
-
-	strncpy(req.ifr_name, phys_name, IFNAMSIZ);
-	if (ioctl(sock, SIOCGIFFLAGS, &req) < 0)
-	{
-		close(sock);
-		return FAILED;
-	}
-	phys_flags = req.ifr_flags;
-
-	strncpy(req.ifr_name, name, IFNAMSIZ);
-	if (ioctl(sock, SIOCGIFFLAGS, &req) < 0)
-	{
-		close(sock);
-		return FAILED;
-	}
-
-	if (req.ifr_flags & IFF_UP)
-	{
-		/* if it's already up, it is already attached, detach it first */
-		ioctl(sock, IPSEC_DEL_DEV, &req);
-	}
-
-	/* attach it */
-	strncpy(req.ifr_name, name, IFNAMSIZ);
-	strncpy(itc->cf_name, phys_name, sizeof(itc->cf_name));
-	ioctl(sock, IPSEC_SET_DEV, &req);
-
-	/* copy address from physical to virtual */
-	strncpy(req.ifr_name, phys_name, IFNAMSIZ);
-	if (ioctl(sock, SIOCGIFADDR, &req) == 0)
-	{
-		strncpy(req.ifr_name, name, IFNAMSIZ);
-		ioctl(sock, SIOCSIFADDR, &req);
-	}
-
-	/* copy net mask from physical to virtual */
-	strncpy(req.ifr_name, phys_name, IFNAMSIZ);
-	if (ioctl(sock, SIOCGIFNETMASK, &req) == 0)
-	{
-		strncpy(req.ifr_name, name, IFNAMSIZ);
-		ioctl(sock, SIOCSIFNETMASK, &req);
-	}
-
-	/* copy other flags and addresses */
-	strncpy(req.ifr_name, name, IFNAMSIZ);
-	if (ioctl(sock, SIOCGIFFLAGS, &req) == 0)
-	{
-		if (phys_flags & IFF_POINTOPOINT)
-		{
-			req.ifr_flags |= IFF_POINTOPOINT;
-			req.ifr_flags &= ~IFF_BROADCAST;
-			ioctl(sock, SIOCSIFFLAGS, &req);
-
-			strncpy(req.ifr_name, phys_name, IFNAMSIZ);
-			if (ioctl(sock, SIOCGIFDSTADDR, &req) == 0)
-			{
-				strncpy(req.ifr_name, name, IFNAMSIZ);
-				ioctl(sock, SIOCSIFDSTADDR, &req);
-			}
-		}
-		else if (phys_flags & IFF_BROADCAST)
-		{
-			req.ifr_flags &= ~IFF_POINTOPOINT;
-			req.ifr_flags |= IFF_BROADCAST;
-			ioctl(sock, SIOCSIFFLAGS, &req);
-
-			strncpy(req.ifr_name, phys_name, IFNAMSIZ);
-			if (ioctl(sock, SIOCGIFBRDADDR, &req)==0)
-			{
-				strncpy(req.ifr_name, name, IFNAMSIZ);
-				ioctl(sock, SIOCSIFBRDADDR, &req);
-			}
-		}
-		else
-		{
-			req.ifr_flags &= ~IFF_POINTOPOINT;
-			req.ifr_flags &= ~IFF_BROADCAST;
-			ioctl(sock, SIOCSIFFLAGS, &req);
-		}
-	}
-
-	mtu = lib->settings->get_int(lib->settings,
-						"charon.plugins.kernel-klips.ipsec_dev_mtu", 0);
-	if (mtu <= 0)
-	{
-		/* guess MTU as physical MTU - ESP overhead [- NAT-T overhead]
-		 * ESP overhead      : 73 bytes
-		 * NAT-T overhead    :  8 bytes ==> 81 bytes
-		 *
-		 * assuming tunnel mode with AES encryption and integrity
-		 * outer IP header  : 20 bytes
-		 * (NAT-T UDP header:  8 bytes)
-		 * ESP header       :  8 bytes
-		 * IV               : 16 bytes
-		 * padding          : 15 bytes (worst-case)
-		 * pad len / NH     :  2 bytes
-		 * auth data        : 12 bytes
-		 */
-		strncpy(req.ifr_name, phys_name, IFNAMSIZ);
-		ioctl(sock, SIOCGIFMTU, &req);
-		mtu = req.ifr_mtu - 81;
-	}
-
-	/* set MTU */
-	strncpy(req.ifr_name, name, IFNAMSIZ);
-	req.ifr_mtu = mtu;
-	ioctl(sock, SIOCSIFMTU, &req);
-
-	/* bring ipsec device UP */
-	if (ioctl(sock, SIOCGIFFLAGS, &req) == 0)
-	{
-		req.ifr_flags |= IFF_UP;
-		ioctl(sock, SIOCSIFFLAGS, &req);
-	}
-
-	close(sock);
-	return SUCCESS;
-}
-
-/**
- * detach an ipsec device from a physical interface
- */
-static status_t detach_ipsec_dev(char* name, char *phys_name)
-{
-	int sock;
-	struct ifreq req;
-
-	DBG2(DBG_KNL, "detaching virtual interface %s from %s", name,
-			strlen(phys_name) ? phys_name : "any physical interface");
-
-	if ((sock = socket(AF_INET, SOCK_DGRAM, 0)) <= 0)
-	{
-		return FAILED;
-	}
-
-	strncpy(req.ifr_name, name, IFNAMSIZ);
-	if (ioctl(sock, SIOCGIFFLAGS, &req) < 0)
-	{
-		close(sock);
-		return FAILED;
-	}
-
-	/* shutting interface down */
-	if (req.ifr_flags & IFF_UP)
-	{
-		req.ifr_flags &= ~IFF_UP;
-		ioctl(sock, SIOCSIFFLAGS, &req);
-	}
-
-	/* unset address */
-	memset(&req.ifr_addr, 0, sizeof(req.ifr_addr));
-	req.ifr_addr.sa_family = AF_INET;
-	ioctl(sock, SIOCSIFADDR, &req);
-
-	/* detach interface */
-	ioctl(sock, IPSEC_DEL_DEV, &req);
-
-	close(sock);
-	return SUCCESS;
-}
-
-/**
- * destroy an ipsec_dev_t object
- */
-static void ipsec_dev_destroy(ipsec_dev_t *this)
-{
-	detach_ipsec_dev(this->name, this->phys_name);
-	free(this);
-}
-
-
-typedef struct route_entry_t route_entry_t;
-
-/**
- * installed routing entry
- */
-struct route_entry_t {
-	/** Name of the interface the route is bound to */
-	char *if_name;
-
-	/** Source ip of the route */
-	host_t *src_ip;
-
-	/** Gateway for this route */
-	host_t *gateway;
-
-	/** Destination net */
-	chunk_t dst_net;
-
-	/** Destination net prefixlen */
-	u_int8_t prefixlen;
-};
-
-/**
- * destroy an route_entry_t object
- */
-static void route_entry_destroy(route_entry_t *this)
-{
-	free(this->if_name);
-	this->src_ip->destroy(this->src_ip);
-	this->gateway->destroy(this->gateway);
-	chunk_free(&this->dst_net);
-	free(this);
-}
-
-typedef struct policy_entry_t policy_entry_t;
-
-/**
- * installed kernel policy.
- */
-struct policy_entry_t {
-
-	/** reqid of this policy, if setup as trap */
-	u_int32_t reqid;
-
-	/** direction of this policy: in, out, forward */
-	u_int8_t direction;
-
-	/** parameters of installed policy */
-	struct {
-		/** subnet and port */
-		host_t *net;
-		/** subnet mask */
-		u_int8_t mask;
-		/** protocol */
-		u_int8_t proto;
-	} src, dst;
-
-	/** associated route installed for this policy */
-	route_entry_t *route;
-
-	/** by how many CHILD_SA's this policy is actively used */
-	u_int activecount;
-
-	/** by how many CHILD_SA's this policy is trapped */
-	u_int trapcount;
-};
-
-/**
- * convert a numerical netmask to a host_t
- */
-static host_t *mask2host(int family, u_int8_t mask)
-{
-	static const u_char bitmask[] = { 0x00, 0x80, 0xc0, 0xe0, 0xf0, 0xf8, 0xfc, 0xfe };
-	chunk_t chunk = chunk_alloca(family == AF_INET ? 4 : 16);
-	int bytes = mask / 8, bits = mask % 8;
-	memset(chunk.ptr, 0xFF, bytes);
-	memset(chunk.ptr + bytes, 0, chunk.len - bytes);
-	if (bits)
-	{
-		chunk.ptr[bytes] =  bitmask[bits];
-	}
-	return host_create_from_chunk(family, chunk, 0);
-}
-
-/**
- * check if a host is in a subnet (host with netmask in bits)
- */
-static bool is_host_in_net(host_t *host, host_t *net, u_int8_t mask)
-{
-	static const u_char bitmask[] = { 0x00, 0x80, 0xc0, 0xe0, 0xf0, 0xf8, 0xfc, 0xfe };
-	chunk_t host_chunk, net_chunk;
-	int bytes = mask / 8, bits = mask % 8;
-
-	host_chunk = host->get_address(host);
-	net_chunk = net->get_address(net);
-
-	if (host_chunk.len != net_chunk.len)
-	{
-		return FALSE;
-	}
-
-	if (memeq(host_chunk.ptr, net_chunk.ptr, bytes))
-	{
-		return (bits == 0) ||
-			   (host_chunk.ptr[bytes] & bitmask[bits]) ==
-				   (net_chunk.ptr[bytes] & bitmask[bits]);
-	}
-
-	return FALSE;
-}
-
-/**
- * create a policy_entry_t object
- */
-static policy_entry_t *create_policy_entry(traffic_selector_t *src_ts,
-		traffic_selector_t *dst_ts, policy_dir_t dir)
-{
-	policy_entry_t *policy = malloc_thing(policy_entry_t);
-	policy->reqid = 0;
-	policy->direction = dir;
-	policy->route = NULL;
-	policy->activecount = 0;
-	policy->trapcount = 0;
-
-	src_ts->to_subnet(src_ts, &policy->src.net, &policy->src.mask);
-	dst_ts->to_subnet(dst_ts, &policy->dst.net, &policy->dst.mask);
-
-	/* src or dest proto may be "any" (0), use more restrictive one */
-	policy->src.proto = max(src_ts->get_protocol(src_ts), dst_ts->get_protocol(dst_ts));
-	policy->src.proto = policy->src.proto ? policy->src.proto : 0;
-	policy->dst.proto = policy->src.proto;
-
-	return policy;
-}
-
-/**
- * destroy a policy_entry_t object
- */
-static void policy_entry_destroy(policy_entry_t *this)
-{
-	DESTROY_IF(this->src.net);
-	DESTROY_IF(this->dst.net);
-	if (this->route)
-	{
-		route_entry_destroy(this->route);
-	}
-	free(this);
-}
-
-/**
- * compares two policy_entry_t
- */
-static inline bool policy_entry_equals(policy_entry_t *current, policy_entry_t *policy)
-{
-	return current->direction == policy->direction &&
-		   current->src.proto == policy->src.proto &&
-		   current->dst.proto == policy->dst.proto &&
-		   current->src.mask == policy->src.mask &&
-		   current->dst.mask == policy->dst.mask &&
-		   current->src.net->equals(current->src.net, policy->src.net) &&
-		   current->dst.net->equals(current->dst.net, policy->dst.net);
-}
-
-static inline bool policy_entry_match_byaddrs(policy_entry_t *current, host_t *src,
-		host_t *dst)
-{
-	return is_host_in_net(src, current->src.net, current->src.mask) &&
-			is_host_in_net(dst, current->dst.net, current->dst.mask);
-}
-
-typedef struct sa_entry_t sa_entry_t;
-
-/**
- * used for two things:
- * - allocated SPIs that have not yet resulted in an installed SA
- * - installed inbound SAs with enabled UDP encapsulation
- */
-struct sa_entry_t {
-
-	/** protocol of this SA */
-	protocol_id_t protocol;
-
-	/** reqid of this SA */
-	u_int32_t reqid;
-
-	/** SPI of this SA */
-	u_int32_t spi;
-
-	/** src address of this SA */
-	host_t *src;
-
-	/** dst address of this SA */
-	host_t *dst;
-
-	/** TRUE if this SA uses UDP encapsulation */
-	bool encap;
-
-	/** TRUE if this SA is inbound */
-	bool inbound;
-};
-
-/**
- * create an sa_entry_t object
- */
-static sa_entry_t *create_sa_entry(protocol_id_t protocol, u_int32_t spi,
-								   u_int32_t reqid, host_t *src, host_t *dst,
-								   bool encap, bool inbound)
-{
-	sa_entry_t *sa = malloc_thing(sa_entry_t);
-	sa->protocol = protocol;
-	sa->reqid = reqid;
-	sa->spi = spi;
-	sa->src = src ? src->clone(src) : NULL;
-	sa->dst = dst ? dst->clone(dst) : NULL;
-	sa->encap = encap;
-	sa->inbound = inbound;
-	return sa;
-}
-
-/**
- * destroy an sa_entry_t object
- */
-static void sa_entry_destroy(sa_entry_t *this)
-{
-	DESTROY_IF(this->src);
-	DESTROY_IF(this->dst);
-	free(this);
-}
-
-/**
- * match an sa_entry_t for an inbound SA that uses UDP encapsulation by spi and src (remote) address
- */
-static inline bool sa_entry_match_encapbysrc(sa_entry_t *current, u_int32_t *spi,
-		host_t *src)
-{
-	return current->encap && current->inbound &&
-		   current->spi == *spi && src->ip_equals(src, current->src);
-}
-
-/**
- * match an sa_entry_t by protocol, spi and dst address (as the kernel does it)
- */
-static inline bool sa_entry_match_bydst(sa_entry_t *current, protocol_id_t *protocol,
-		u_int32_t *spi, host_t *dst)
-{
-	return current->protocol == *protocol && current->spi == *spi && dst->ip_equals(dst, current->dst);
-}
-
-/**
- * match an sa_entry_t by protocol, reqid and spi
- */
-static inline bool sa_entry_match_byid(sa_entry_t *current, protocol_id_t *protocol,
-		u_int32_t *spi, u_int32_t *reqid)
-{
-	return current->protocol == *protocol && current->spi == *spi && current->reqid == *reqid;
-}
-
-typedef struct pfkey_msg_t pfkey_msg_t;
-
-struct pfkey_msg_t
-{
-	/**
-	 * PF_KEY message base
-	 */
-	struct sadb_msg *msg;
-
-
-	/**
-	 * PF_KEY message extensions
-	 */
-	union {
-		struct sadb_ext *ext[SADB_EXT_MAX + 1];
-		struct {
-			struct sadb_ext *reserved;				/* SADB_EXT_RESERVED */
-			struct sadb_sa *sa;						/* SADB_EXT_SA */
-			struct sadb_lifetime *lft_current;		/* SADB_EXT_LIFETIME_CURRENT */
-			struct sadb_lifetime *lft_hard;			/* SADB_EXT_LIFETIME_HARD */
-			struct sadb_lifetime *lft_soft;			/* SADB_EXT_LIFETIME_SOFT */
-			struct sadb_address *src;				/* SADB_EXT_ADDRESS_SRC */
-			struct sadb_address *dst;				/* SADB_EXT_ADDRESS_DST */
-			struct sadb_address *proxy;				/* SADB_EXT_ADDRESS_PROXY */
-			struct sadb_key *key_auth;				/* SADB_EXT_KEY_AUTH */
-			struct sadb_key *key_encr;				/* SADB_EXT_KEY_ENCRYPT */
-			struct sadb_ident *id_src;				/* SADB_EXT_IDENTITY_SRC */
-			struct sadb_ident *id_dst;				/* SADB_EXT_IDENTITY_DST */
-			struct sadb_sens *sensitivity;			/* SADB_EXT_SENSITIVITY */
-			struct sadb_prop *proposal;				/* SADB_EXT_PROPOSAL */
-			struct sadb_supported *supported_auth;	/* SADB_EXT_SUPPORTED_AUTH */
-			struct sadb_supported *supported_encr;	/* SADB_EXT_SUPPORTED_ENCRYPT */
-			struct sadb_spirange *spirange;			/* SADB_EXT_SPIRANGE */
-			struct sadb_x_kmprivate *x_kmprivate;	/* SADB_X_EXT_KMPRIVATE */
-			struct sadb_ext *x_policy;				/* SADB_X_EXT_SATYPE2 */
-			struct sadb_ext *x_sa2;					/* SADB_X_EXT_SA2 */
-			struct sadb_address *x_dst2;			/* SADB_X_EXT_ADDRESS_DST2 */
-			struct sadb_address *x_src_flow;		/* SADB_X_EXT_ADDRESS_SRC_FLOW */
-			struct sadb_address *x_dst_flow;		/* SADB_X_EXT_ADDRESS_DST_FLOW */
-			struct sadb_address *x_src_mask;		/* SADB_X_EXT_ADDRESS_SRC_MASK */
-			struct sadb_address *x_dst_mask;		/* SADB_X_EXT_ADDRESS_DST_MASK */
-			struct sadb_x_debug *x_debug;			/* SADB_X_EXT_DEBUG */
-			struct sadb_protocol *x_protocol;		/* SADB_X_EXT_PROTOCOL */
-			struct sadb_x_nat_t_type *x_natt_type;	/* SADB_X_EXT_NAT_T_TYPE */
-			struct sadb_x_nat_t_port *x_natt_sport;	/* SADB_X_EXT_NAT_T_SPORT */
-			struct sadb_x_nat_t_port *x_natt_dport;	/* SADB_X_EXT_NAT_T_DPORT */
-			struct sadb_address *x_natt_oa;			/* SADB_X_EXT_NAT_T_OA */
-		} __attribute__((__packed__));
-	};
-};
-
-/**
- * convert a IKEv2 specific protocol identifier to the PF_KEY sa type
- */
-static u_int8_t proto_ike2satype(protocol_id_t proto)
-{
-	switch (proto)
-	{
-		case PROTO_ESP:
-			return SADB_SATYPE_ESP;
-		case PROTO_AH:
-			return SADB_SATYPE_AH;
-		case IPPROTO_COMP:
-			return SADB_X_SATYPE_COMP;
-		default:
-			return proto;
-	}
-}
-
-/**
- * convert a PF_KEY sa type to a IKEv2 specific protocol identifier
- */
-static protocol_id_t proto_satype2ike(u_int8_t proto)
-{
-	switch (proto)
-	{
-		case SADB_SATYPE_ESP:
-			return PROTO_ESP;
-		case SADB_SATYPE_AH:
-			return PROTO_AH;
-		case SADB_X_SATYPE_COMP:
-			return IPPROTO_COMP;
-		default:
-			return proto;
-	}
-}
-
-typedef struct kernel_algorithm_t kernel_algorithm_t;
-
-/**
- * Mapping of IKEv2 algorithms to PF_KEY algorithms
- */
-struct kernel_algorithm_t {
-	/**
-	 * Identifier specified in IKEv2
-	 */
-	int ikev2;
-
-	/**
-	 * Identifier as defined in pfkeyv2.h
-	 */
-	int kernel;
-};
-
-#define END_OF_LIST -1
-
-/**
- * Algorithms for encryption
- */
-static kernel_algorithm_t encryption_algs[] = {
-/*	{ENCR_DES_IV64,				0							}, */
-	{ENCR_DES,					SADB_EALG_DESCBC			},
-	{ENCR_3DES,					SADB_EALG_3DESCBC			},
-/*	{ENCR_RC5,					0							}, */
-/*	{ENCR_IDEA,					0							}, */
-/*	{ENCR_CAST,					0							}, */
-	{ENCR_BLOWFISH,				SADB_EALG_BFCBC				},
-/*	{ENCR_3IDEA,				0							}, */
-/*	{ENCR_DES_IV32,				0							}, */
-	{ENCR_NULL,					SADB_EALG_NULL				},
-	{ENCR_AES_CBC,				SADB_EALG_AESCBC			},
-/*	{ENCR_AES_CTR,				0							}, */
-/*	{ENCR_AES_CCM_ICV8,			0							}, */
-/*	{ENCR_AES_CCM_ICV12,		0							}, */
-/*	{ENCR_AES_CCM_ICV16,		0							}, */
-/*	{ENCR_AES_GCM_ICV8,			0							}, */
-/*	{ENCR_AES_GCM_ICV12,		0							}, */
-/*	{ENCR_AES_GCM_ICV16,		0							}, */
-	{END_OF_LIST,				0							},
-};
-
-/**
- * Algorithms for integrity protection
- */
-static kernel_algorithm_t integrity_algs[] = {
-	{AUTH_HMAC_MD5_96,			SADB_AALG_MD5HMAC			},
-	{AUTH_HMAC_SHA1_96,			SADB_AALG_SHA1HMAC			},
-	{AUTH_HMAC_SHA2_256_128,	SADB_AALG_SHA256_HMAC		},
-	{AUTH_HMAC_SHA2_384_192,	SADB_AALG_SHA384_HMAC		},
-	{AUTH_HMAC_SHA2_512_256,	SADB_AALG_SHA512_HMAC		},
-/*	{AUTH_DES_MAC,				0,							}, */
-/*	{AUTH_KPDK_MD5,				0,							}, */
-/*	{AUTH_AES_XCBC_96,			0,							}, */
-	{END_OF_LIST,				0,							},
-};
-
-#if 0
-/**
- * Algorithms for IPComp, unused yet
- */
-static kernel_algorithm_t compression_algs[] = {
-/*	{IPCOMP_OUI,				0							}, */
-	{IPCOMP_DEFLATE,			SADB_X_CALG_DEFLATE			},
-	{IPCOMP_LZS,				SADB_X_CALG_LZS				},
-/*	{IPCOMP_LZJH,				0							}, */
-	{END_OF_LIST,				0							},
-};
-#endif
-
-/**
- * Look up a kernel algorithm ID and its key size
- */
-static int lookup_algorithm(kernel_algorithm_t *list, int ikev2)
-{
-	while (list->ikev2 != END_OF_LIST)
-	{
-		if (ikev2 == list->ikev2)
-		{
-			return list->kernel;
-		}
-		list++;
-	}
-	return 0;
-}
-
-/**
- * add a host behind a sadb_address extension
- */
-static void host2ext(host_t *host, struct sadb_address *ext)
-{
-	sockaddr_t *host_addr = host->get_sockaddr(host);
-	socklen_t *len = host->get_sockaddr_len(host);
-	memcpy((char*)(ext + 1), host_addr, *len);
-	ext->sadb_address_len = PFKEY_LEN(sizeof(*ext) + *len);
-}
-
-/**
- * add a host to the given sadb_msg
- */
-static void add_addr_ext(struct sadb_msg *msg, host_t *host, u_int16_t type)
-{
-	struct sadb_address *addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
-	addr->sadb_address_exttype = type;
-	host2ext(host, addr);
-	PFKEY_EXT_ADD(msg, addr);
-}
-
-/**
- * adds an empty address extension to the given sadb_msg
- */
-static void add_anyaddr_ext(struct sadb_msg *msg, int family, u_int8_t type)
-{
-	socklen_t len = (family == AF_INET) ? sizeof(struct sockaddr_in) :
-										  sizeof(struct sockaddr_in6);
-	struct sadb_address *addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
-	addr->sadb_address_exttype = type;
-	sockaddr_t *saddr = (sockaddr_t*)(addr + 1);
-	saddr->sa_family = family;
-	addr->sadb_address_len = PFKEY_LEN(sizeof(*addr) + len);
-	PFKEY_EXT_ADD(msg, addr);
-}
-
-/**
- * add udp encap extensions to a sadb_msg
- */
-static void add_encap_ext(struct sadb_msg *msg, host_t *src, host_t *dst,
-							bool ports_only)
-{
-	struct sadb_x_nat_t_type* nat_type;
-	struct sadb_x_nat_t_port* nat_port;
-
-	if (!ports_only)
-	{
-		nat_type = (struct sadb_x_nat_t_type*)PFKEY_EXT_ADD_NEXT(msg);
-		nat_type->sadb_x_nat_t_type_exttype = SADB_X_EXT_NAT_T_TYPE;
-		nat_type->sadb_x_nat_t_type_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_type));
-		nat_type->sadb_x_nat_t_type_type = UDP_ENCAP_ESPINUDP;
-		PFKEY_EXT_ADD(msg, nat_type);
-	}
-
-	nat_port = (struct sadb_x_nat_t_port*)PFKEY_EXT_ADD_NEXT(msg);
-	nat_port->sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_SPORT;
-	nat_port->sadb_x_nat_t_port_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_port));
-	nat_port->sadb_x_nat_t_port_port = src->get_port(src);
-	PFKEY_EXT_ADD(msg, nat_port);
-
-	nat_port = (struct sadb_x_nat_t_port*)PFKEY_EXT_ADD_NEXT(msg);
-	nat_port->sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_DPORT;
-	nat_port->sadb_x_nat_t_port_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_port));
-	nat_port->sadb_x_nat_t_port_port = dst->get_port(dst);
-	PFKEY_EXT_ADD(msg, nat_port);
-}
-
-/**
- * build an SADB_X_ADDFLOW msg
- */
-static void build_addflow(struct sadb_msg *msg, u_int8_t satype, u_int32_t spi,
-		host_t *src, host_t *dst, host_t *src_net, u_int8_t src_mask,
-		host_t *dst_net, u_int8_t dst_mask, u_int8_t protocol, bool replace)
-{
-	struct sadb_sa *sa;
-	struct sadb_protocol *proto;
-	host_t *host;
-
-	msg->sadb_msg_version = PF_KEY_V2;
-	msg->sadb_msg_type = SADB_X_ADDFLOW;
-	msg->sadb_msg_satype = satype;
-	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
-
-	sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
-	sa->sadb_sa_exttype = SADB_EXT_SA;
-	sa->sadb_sa_spi = spi;
-	sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
-	sa->sadb_sa_flags = replace ? SADB_X_SAFLAGS_REPLACEFLOW : 0;
-	PFKEY_EXT_ADD(msg, sa);
-
-	if (!src)
-	{
-		add_anyaddr_ext(msg, src_net->get_family(src_net), SADB_EXT_ADDRESS_SRC);
-	}
-	else
-	{
-		add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC);
-	}
-
-	if (!dst)
-	{
-		add_anyaddr_ext(msg, dst_net->get_family(dst_net), SADB_EXT_ADDRESS_DST);
-	}
-	else
-	{
-		add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST);
-	}
-
-	add_addr_ext(msg, src_net, SADB_X_EXT_ADDRESS_SRC_FLOW);
-	add_addr_ext(msg, dst_net, SADB_X_EXT_ADDRESS_DST_FLOW);
-
-	host = mask2host(src_net->get_family(src_net), src_mask);
-	add_addr_ext(msg, host, SADB_X_EXT_ADDRESS_SRC_MASK);
-	host->destroy(host);
-
-	host = mask2host(dst_net->get_family(dst_net), dst_mask);
-	add_addr_ext(msg, host, SADB_X_EXT_ADDRESS_DST_MASK);
-	host->destroy(host);
-
-	proto = (struct sadb_protocol*)PFKEY_EXT_ADD_NEXT(msg);
-	proto->sadb_protocol_exttype = SADB_X_EXT_PROTOCOL;
-	proto->sadb_protocol_len = PFKEY_LEN(sizeof(struct sadb_protocol));
-	proto->sadb_protocol_proto = protocol;
-	PFKEY_EXT_ADD(msg, proto);
-}
-
-/**
- * build an SADB_X_DELFLOW msg
- */
-static void build_delflow(struct sadb_msg *msg, u_int8_t satype,
-		host_t *src_net, u_int8_t src_mask, host_t *dst_net, u_int8_t dst_mask,
-		u_int8_t protocol)
-{
-	struct sadb_protocol *proto;
-	host_t *host;
-
-	msg->sadb_msg_version = PF_KEY_V2;
-	msg->sadb_msg_type = SADB_X_DELFLOW;
-	msg->sadb_msg_satype = satype;
-	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
-
-	add_addr_ext(msg, src_net, SADB_X_EXT_ADDRESS_SRC_FLOW);
-	add_addr_ext(msg, dst_net, SADB_X_EXT_ADDRESS_DST_FLOW);
-
-	host = mask2host(src_net->get_family(src_net),
-					 src_mask);
-	add_addr_ext(msg, host, SADB_X_EXT_ADDRESS_SRC_MASK);
-	host->destroy(host);
-
-	host = mask2host(dst_net->get_family(dst_net),
-					 dst_mask);
-	add_addr_ext(msg, host, SADB_X_EXT_ADDRESS_DST_MASK);
-	host->destroy(host);
-
-	proto = (struct sadb_protocol*)PFKEY_EXT_ADD_NEXT(msg);
-	proto->sadb_protocol_exttype = SADB_X_EXT_PROTOCOL;
-	proto->sadb_protocol_len = PFKEY_LEN(sizeof(struct sadb_protocol));
-	proto->sadb_protocol_proto = protocol;
-	PFKEY_EXT_ADD(msg, proto);
-}
-
-/**
- * Parses a pfkey message received from the kernel
- */
-static status_t parse_pfkey_message(struct sadb_msg *msg, pfkey_msg_t *out)
-{
-	struct sadb_ext* ext;
-	size_t len;
-
-	memset(out, 0, sizeof(pfkey_msg_t));
-	out->msg = msg;
-
-	len = msg->sadb_msg_len;
-	len -= PFKEY_LEN(sizeof(struct sadb_msg));
-
-	ext = (struct sadb_ext*)(((char*)msg) + sizeof(struct sadb_msg));
-
-	while (len >= PFKEY_LEN(sizeof(struct sadb_ext)))
-	{
-		if (ext->sadb_ext_len < PFKEY_LEN(sizeof(struct sadb_ext)) ||
-			ext->sadb_ext_len > len)
-		{
-			DBG1(DBG_KNL, "length of PF_KEY extension (%d) is invalid", ext->sadb_ext_type);
-			break;
-		}
-
-		if ((ext->sadb_ext_type > SADB_EXT_MAX) || (!ext->sadb_ext_type))
-		{
-			DBG1(DBG_KNL, "type of PF_KEY extension (%d) is invalid", ext->sadb_ext_type);
-			break;
-		}
-
-		if (out->ext[ext->sadb_ext_type])
-		{
-			DBG1(DBG_KNL, "duplicate PF_KEY extension of type (%d)", ext->sadb_ext_type);
-			break;
-		}
-
-		out->ext[ext->sadb_ext_type] = ext;
-		ext = PFKEY_EXT_NEXT_LEN(ext, len);
-	}
-
-	if (len)
-	{
-		DBG1(DBG_KNL, "PF_KEY message length is invalid");
-		return FAILED;
-	}
-
-	return SUCCESS;
-}
-
-/**
- * Send a message to a specific PF_KEY socket and handle the response.
- */
-static status_t pfkey_send_socket(private_kernel_klips_ipsec_t *this, int socket,
-					struct sadb_msg *in, struct sadb_msg **out, size_t *out_len)
-{
-	unsigned char buf[PFKEY_BUFFER_SIZE];
-	struct sadb_msg *msg;
-	int in_len, len;
-
-	this->mutex_pfkey->lock(this->mutex_pfkey);
-
-	in->sadb_msg_seq = ++this->seq;
-	in->sadb_msg_pid = getpid();
-
-	in_len = PFKEY_USER_LEN(in->sadb_msg_len);
-
-	while (TRUE)
-	{
-		len = send(socket, in, in_len, 0);
-
-		if (len != in_len)
-		{
-			switch (errno)
-			{
-				case EINTR:
-					/* interrupted, try again */
-					continue;
-				case EINVAL:
-				case EEXIST:
-				case ESRCH:
-					/* we should also get a response for these from KLIPS */
-					break;
-				default:
-					this->mutex_pfkey->unlock(this->mutex_pfkey);
-					DBG1(DBG_KNL, "error sending to PF_KEY socket: %s (%d)",
-							strerror(errno), errno);
-					return FAILED;
-			}
-		}
-		break;
-	}
-
-	while (TRUE)
-	{
-		msg = (struct sadb_msg*)buf;
-
-		len = recv(socket, buf, sizeof(buf), 0);
-
-		if (len < 0)
-		{
-			if (errno == EINTR)
-			{
-				DBG1(DBG_KNL, "got interrupted");
-				/* interrupted, try again */
-				continue;
-			}
-			this->mutex_pfkey->unlock(this->mutex_pfkey);
-			DBG1(DBG_KNL, "error reading from PF_KEY socket: %s", strerror(errno));
-			return FAILED;
-		}
-		if (len < sizeof(struct sadb_msg) ||
-			msg->sadb_msg_len < PFKEY_LEN(sizeof(struct sadb_msg)))
-		{
-			this->mutex_pfkey->unlock(this->mutex_pfkey);
-			DBG1(DBG_KNL, "received corrupted PF_KEY message");
-			return FAILED;
-		}
-		if (msg->sadb_msg_len > len / PFKEY_ALIGNMENT)
-		{
-			this->mutex_pfkey->unlock(this->mutex_pfkey);
-			DBG1(DBG_KNL, "buffer was too small to receive the complete PF_KEY message");
-			return FAILED;
-		}
-		if (msg->sadb_msg_pid != in->sadb_msg_pid)
-		{
-			DBG2(DBG_KNL, "received PF_KEY message is not intended for us");
-			continue;
-		}
-		if (msg->sadb_msg_seq != this->seq)
-		{
-			DBG1(DBG_KNL, "received PF_KEY message with invalid sequence number,"
-					" was %d expected %d", msg->sadb_msg_seq, this->seq);
-			if (msg->sadb_msg_seq < this->seq)
-			{
-				continue;
-			}
-			this->mutex_pfkey->unlock(this->mutex_pfkey);
-			return FAILED;
-		}
-		if (msg->sadb_msg_type != in->sadb_msg_type)
-		{
-			DBG2(DBG_KNL, "received PF_KEY message of wrong type,"
-					" was %d expected %d, ignoring",
-					msg->sadb_msg_type, in->sadb_msg_type);
-		}
-		break;
-	}
-
-	*out_len = len;
-	*out = (struct sadb_msg*)malloc(len);
-	memcpy(*out, buf, len);
-
-	this->mutex_pfkey->unlock(this->mutex_pfkey);
-
-	return SUCCESS;
-}
-
-/**
- * Send a message to the default PF_KEY socket.
- */
-static status_t pfkey_send(private_kernel_klips_ipsec_t *this,
-					struct sadb_msg *in, struct sadb_msg **out, size_t *out_len)
-{
-	return pfkey_send_socket(this, this->socket, in, out, out_len);
-}
-
-/**
- * Send a message to the default PF_KEY socket and handle the response.
- */
-static status_t pfkey_send_ack(private_kernel_klips_ipsec_t *this, struct sadb_msg *in)
-{
-	struct sadb_msg *out;
-	size_t len;
-
-	if (pfkey_send(this, in, &out, &len) != SUCCESS)
-	{
-		return FAILED;
-	}
-	else if (out->sadb_msg_errno)
-	{
-		DBG1(DBG_KNL, "PF_KEY error: %s (%d)",
-					   strerror(out->sadb_msg_errno), out->sadb_msg_errno);
-		free(out);
-		return FAILED;
-	}
-	free(out);
-	return SUCCESS;
-}
-
-/**
- * Add an eroute to KLIPS
- */
-static status_t add_eroute(private_kernel_klips_ipsec_t *this, u_int8_t satype,
-		u_int32_t spi, host_t *src, host_t *dst, host_t *src_net, u_int8_t src_mask,
-		host_t *dst_net, u_int8_t dst_mask, u_int8_t protocol, bool replace)
-{
-	unsigned char request[PFKEY_BUFFER_SIZE];
-	struct sadb_msg *msg = (struct sadb_msg*)request;
-
-	memset(&request, 0, sizeof(request));
-
-	build_addflow(msg, satype, spi, src, dst, src_net, src_mask,
-			dst_net, dst_mask, protocol, replace);
-
-	return pfkey_send_ack(this, msg);
-}
-
-/**
- * Delete an eroute fom KLIPS
- */
-static status_t del_eroute(private_kernel_klips_ipsec_t *this, u_int8_t satype,
-		host_t *src_net, u_int8_t src_mask, host_t *dst_net, u_int8_t dst_mask,
-		u_int8_t protocol)
-{
-	unsigned char request[PFKEY_BUFFER_SIZE];
-	struct sadb_msg *msg = (struct sadb_msg*)request;
-
-	memset(&request, 0, sizeof(request));
-
-	build_delflow(msg, satype, src_net, src_mask, dst_net, dst_mask, protocol);
-
-	return pfkey_send_ack(this, msg);
-}
-
-/**
- * Process a SADB_ACQUIRE message from the kernel
- */
-static void process_acquire(private_kernel_klips_ipsec_t *this, struct sadb_msg* msg)
-{
-	pfkey_msg_t response;
-	host_t *src, *dst;
-	u_int32_t reqid;
-	u_int8_t proto;
-	policy_entry_t *policy;
-	job_t *job;
-
-	switch (msg->sadb_msg_satype)
-	{
-		case SADB_SATYPE_UNSPEC:
-		case SADB_SATYPE_ESP:
-		case SADB_SATYPE_AH:
-			break;
-		default:
-			/* acquire for AH/ESP only */
-			return;
-	}
-
-	if (parse_pfkey_message(msg, &response) != SUCCESS)
-	{
-		DBG1(DBG_KNL, "parsing SADB_ACQUIRE from kernel failed");
-		return;
-	}
-
-	/* KLIPS provides us only with the source and destination address,
-	 * and the transport protocol of the packet that triggered the policy.
-	 * we use this information to find a matching policy in our cache.
-	 * because KLIPS installs a narrow %hold eroute covering only this information,
-	 * we replace both the %trap and this %hold eroutes with a broader %hold
-	 * eroute covering the whole policy */
-	src = host_create_from_sockaddr((sockaddr_t*)(response.src + 1));
-	dst = host_create_from_sockaddr((sockaddr_t*)(response.dst + 1));
-	proto = response.src->sadb_address_proto;
-	if (!src || !dst || src->get_family(src) != dst->get_family(dst))
-	{
-		DBG1(DBG_KNL, "received an SADB_ACQUIRE with invalid hosts");
-		return;
-	}
-
-	DBG2(DBG_KNL, "received an SADB_ACQUIRE for %H == %H : %d", src, dst, proto);
-	this->mutex->lock(this->mutex);
-	if (this->policies->find_first(this->policies,
-			(linked_list_match_t)policy_entry_match_byaddrs,
-				(void**)&policy, src, dst) != SUCCESS)
-	{
-		this->mutex->unlock(this->mutex);
-		DBG1(DBG_KNL, "received an SADB_ACQUIRE, but found no matching policy");
-		return;
-	}
-	if ((reqid = policy->reqid) == 0)
-	{
-		this->mutex->unlock(this->mutex);
-		DBG1(DBG_KNL, "received an SADB_ACQUIRE, but policy is not routed anymore");
-		return;
-	}
-
-	/* add a broad %hold eroute that replaces the %trap eroute */
-	add_eroute(this, SADB_X_SATYPE_INT, htonl(SPI_HOLD), NULL, NULL,
-			policy->src.net, policy->src.mask, policy->dst.net, policy->dst.mask,
-			policy->src.proto, TRUE);
-
-	/* remove the narrow %hold eroute installed by KLIPS */
-	del_eroute(this, SADB_X_SATYPE_INT, src, 32, dst, 32, proto);
-
-	this->mutex->unlock(this->mutex);
-
-	DBG2(DBG_KNL, "received an SADB_ACQUIRE");
-	DBG1(DBG_KNL, "creating acquire job for CHILD_SA with reqid {%d}", reqid);
-	job = (job_t*)acquire_job_create(reqid, NULL, NULL);
-	charon->processor->queue_job(charon->processor, job);
-}
-
-/**
- * Process a SADB_X_NAT_T_NEW_MAPPING message from the kernel
- */
-static void process_mapping(private_kernel_klips_ipsec_t *this, struct sadb_msg* msg)
-{
-	pfkey_msg_t response;
-	u_int32_t spi, reqid;
-	host_t *old_src, *new_src;
-	job_t *job;
-
-	DBG2(DBG_KNL, "received an SADB_X_NAT_T_NEW_MAPPING");
-
-	if (parse_pfkey_message(msg, &response) != SUCCESS)
-	{
-		DBG1(DBG_KNL, "parsing SADB_X_NAT_T_NEW_MAPPING from kernel failed");
-		return;
-	}
-
-	spi = response.sa->sadb_sa_spi;
-
-	if (proto_satype2ike(msg->sadb_msg_satype) == PROTO_ESP)
-	{
-		sa_entry_t *sa;
-		sockaddr_t *addr = (sockaddr_t*)(response.src + 1);
-		old_src = host_create_from_sockaddr(addr);
-
-		this->mutex->lock(this->mutex);
-		if (!old_src || this->installed_sas->find_first(this->installed_sas,
-				(linked_list_match_t)sa_entry_match_encapbysrc,
-					(void**)&sa, &spi, old_src) != SUCCESS)
-		{
-			this->mutex->unlock(this->mutex);
-			DBG1(DBG_KNL, "received an SADB_X_NAT_T_NEW_MAPPING, but found no matching SA");
-			return;
-		}
-		reqid = sa->reqid;
-		this->mutex->unlock(this->mutex);
-
-		addr = (sockaddr_t*)(response.dst + 1);
-		switch (addr->sa_family)
-		{
-			case AF_INET:
-			{
-				struct sockaddr_in *sin = (struct sockaddr_in*)addr;
-				sin->sin_port = htons(response.x_natt_dport->sadb_x_nat_t_port_port);
-			}
-			case AF_INET6:
-			{
-				struct sockaddr_in6 *sin6 = (struct sockaddr_in6*)addr;
-				sin6->sin6_port = htons(response.x_natt_dport->sadb_x_nat_t_port_port);
-			}
-			default:
-				break;
-		}
-		new_src = host_create_from_sockaddr(addr);
-		if (new_src)
-		{
-			DBG1(DBG_KNL, "NAT mappings of ESP CHILD_SA with SPI %.8x and"
-				" reqid {%d} changed, queuing update job", ntohl(spi), reqid);
-			job = (job_t*)update_sa_job_create(reqid, new_src);
-			charon->processor->queue_job(charon->processor, job);
-		}
-	}
-}
-
-/**
- * Receives events from kernel
- */
-static job_requeue_t receive_events(private_kernel_klips_ipsec_t *this)
-{
-	unsigned char buf[PFKEY_BUFFER_SIZE];
-	struct sadb_msg *msg = (struct sadb_msg*)buf;
-	int len;
-	bool oldstate;
-
-	oldstate = thread_cancelability(TRUE);
-	len = recv(this->socket_events, buf, sizeof(buf), 0);
-	thread_cancelability(oldstate);
-
-	if (len < 0)
-	{
-		switch (errno)
-		{
-			case EINTR:
-				/* interrupted, try again */
-				return JOB_REQUEUE_DIRECT;
-			case EAGAIN:
-				/* no data ready, select again */
-				return JOB_REQUEUE_DIRECT;
-			default:
-				DBG1(DBG_KNL, "unable to receive from PF_KEY event socket");
-				sleep(1);
-				return JOB_REQUEUE_FAIR;
-		}
-	}
-
-	if (len < sizeof(struct sadb_msg) ||
-		msg->sadb_msg_len < PFKEY_LEN(sizeof(struct sadb_msg)))
-	{
-		DBG2(DBG_KNL, "received corrupted PF_KEY message");
-		return JOB_REQUEUE_DIRECT;
-	}
-	if (msg->sadb_msg_pid != 0)
-	{	/* not from kernel. not interested, try another one */
-		return JOB_REQUEUE_DIRECT;
-	}
-	if (msg->sadb_msg_len > len / PFKEY_ALIGNMENT)
-	{
-		DBG1(DBG_KNL, "buffer was too small to receive the complete PF_KEY message");
-		return JOB_REQUEUE_DIRECT;
-	}
-
-	switch (msg->sadb_msg_type)
-	{
-		case SADB_ACQUIRE:
-			process_acquire(this, msg);
-			break;
-		case SADB_EXPIRE:
-			/* SADB_EXPIRE events in KLIPS are only triggered by traffic (even for
-			 * the time based limits). So if there is no traffic for a longer
-			 * period than configured as hard limit, we wouldn't be able to rekey
-			 * the SA and just receive the hard expire and thus delete the SA.
-			 * To avoid this behavior and to make charon behave as with the other
-			 * kernel plugins, we implement the expiration of SAs ourselves. */
-			break;
-		case SADB_X_NAT_T_NEW_MAPPING:
-			process_mapping(this, msg);
-			break;
-		default:
-			break;
-	}
-
-	return JOB_REQUEUE_DIRECT;
-}
-
-typedef enum {
-	/** an SPI has expired */
-	EXPIRE_TYPE_SPI,
-	/** a CHILD_SA has to be rekeyed */
-	EXPIRE_TYPE_SOFT,
-	/** a CHILD_SA has to be deleted */
-	EXPIRE_TYPE_HARD
-} expire_type_t;
-
-typedef struct sa_expire_t sa_expire_t;
-
-struct sa_expire_t {
-	/** kernel interface */
-	private_kernel_klips_ipsec_t *this;
-	/** the SPI of the expiring SA */
-	u_int32_t spi;
-	/** the protocol of the expiring SA */
-	protocol_id_t protocol;
-	/** the reqid of the expiring SA*/
-	u_int32_t reqid;
-	/** what type of expire this is */
-	expire_type_t type;
-};
-
-/**
- * Called when an SA expires
- */
-static job_requeue_t sa_expires(sa_expire_t *expire)
-{
-	private_kernel_klips_ipsec_t *this = expire->this;
-	protocol_id_t protocol = expire->protocol;
-	u_int32_t spi = expire->spi, reqid = expire->reqid;
-	bool hard = expire->type != EXPIRE_TYPE_SOFT;
-	sa_entry_t *cached_sa;
-	linked_list_t *list;
-	job_t *job;
-
-	/* for an expired SPI we first check whether the CHILD_SA got installed
-	 * in the meantime, for expired SAs we check whether they are still installed */
-	list = expire->type == EXPIRE_TYPE_SPI ? this->allocated_spis : this->installed_sas;
-
-	this->mutex->lock(this->mutex);
-	if (list->find_first(list, (linked_list_match_t)sa_entry_match_byid,
-			(void**)&cached_sa, &protocol, &spi, &reqid) != SUCCESS)
-	{
-		/* we found no entry:
-		 * - for SPIs, a CHILD_SA has been installed
-		 * - for SAs, the CHILD_SA has already been deleted */
-		this->mutex->unlock(this->mutex);
-		return JOB_REQUEUE_NONE;
-	}
-	else
-	{
-		list->remove(list, cached_sa, NULL);
-		sa_entry_destroy(cached_sa);
-	}
-	this->mutex->unlock(this->mutex);
-
-	DBG2(DBG_KNL, "%N CHILD_SA with SPI %.8x and reqid {%d} expired",
-			protocol_id_names, protocol, ntohl(spi), reqid);
-
-	DBG1(DBG_KNL, "creating %s job for %N CHILD_SA with SPI %.8x and reqid {%d}",
-		 hard ? "delete" : "rekey",  protocol_id_names,
-		 protocol, ntohl(spi), reqid);
-	if (hard)
-	{
-		job = (job_t*)delete_child_sa_job_create(reqid, protocol, spi);
-	}
-	else
-	{
-		job = (job_t*)rekey_child_sa_job_create(reqid, protocol, spi);
-	}
-	charon->processor->queue_job(charon->processor, job);
-	return JOB_REQUEUE_NONE;
-}
-
-/**
- * Schedule an expire job for an SA. Time is in seconds.
- */
-static void schedule_expire(private_kernel_klips_ipsec_t *this,
-							protocol_id_t protocol, u_int32_t spi,
-							u_int32_t reqid, expire_type_t type, u_int32_t time)
-{
-	callback_job_t *job;
-	sa_expire_t *expire = malloc_thing(sa_expire_t);
-	expire->this = this;
-	expire->protocol = protocol;
-	expire->spi = spi;
-	expire->reqid = reqid;
-	expire->type = type;
-	job = callback_job_create((callback_job_cb_t)sa_expires, expire, free, NULL);
-	charon->scheduler->schedule_job(charon->scheduler, (job_t*)job, time);
-}
-
-METHOD(kernel_ipsec_t, get_spi, status_t,
-	private_kernel_klips_ipsec_t *this, host_t *src, host_t *dst,
-	protocol_id_t protocol, u_int32_t reqid, u_int32_t *spi)
-{
-	/* we cannot use SADB_GETSPI because KLIPS does not allow us to set the
-	 * NAT-T type in an SADB_UPDATE which we would have to use to update the
-	 * implicitly created SA.
-	 */
-	rng_t *rng;
-	u_int32_t spi_gen;
-
-	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
-	if (!rng)
-	{
-		DBG1(DBG_KNL, "allocating SPI failed: no RNG");
-		return FAILED;
-	}
-	rng->get_bytes(rng, sizeof(spi_gen), (void*)&spi_gen);
-	rng->destroy(rng);
-
-	/* charon's SPIs lie within the range from 0xc0000000 to 0xcFFFFFFF */
-	spi_gen = 0xc0000000 | (spi_gen & 0x0FFFFFFF);
-
-	DBG2(DBG_KNL, "allocated SPI %.8x for %N SA between %#H..%#H",
-			spi_gen, protocol_id_names, protocol, src, dst);
-
-	*spi = htonl(spi_gen);
-
-	this->mutex->lock(this->mutex);
-	this->allocated_spis->insert_last(this->allocated_spis,
-			create_sa_entry(protocol, *spi, reqid, NULL, NULL, FALSE, TRUE));
-	this->mutex->unlock(this->mutex);
-	schedule_expire(this, protocol, *spi, reqid, EXPIRE_TYPE_SPI, SPI_TIMEOUT);
-
-	return SUCCESS;
-}
-
-METHOD(kernel_ipsec_t, get_cpi, status_t,
-	private_kernel_klips_ipsec_t *this, host_t *src, host_t *dst,
-	u_int32_t reqid, u_int16_t *cpi)
-{
-	return FAILED;
-}
-
-/**
- * Add a pseudo IPIP SA for tunnel mode with KLIPS.
- */
-static status_t add_ipip_sa(private_kernel_klips_ipsec_t *this,
-					   host_t *src, host_t *dst, u_int32_t spi, u_int32_t reqid)
-{
-	unsigned char request[PFKEY_BUFFER_SIZE];
-	struct sadb_msg *msg, *out;
-	struct sadb_sa *sa;
-	size_t len;
-
-	memset(&request, 0, sizeof(request));
-
-	DBG2(DBG_KNL, "adding pseudo IPIP SA with SPI %.8x and reqid {%d}", ntohl(spi), reqid);
-
-	msg = (struct sadb_msg*)request;
-	msg->sadb_msg_version = PF_KEY_V2;
-	msg->sadb_msg_type = SADB_ADD;
-	msg->sadb_msg_satype = SADB_X_SATYPE_IPIP;
-	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
-
-	sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
-	sa->sadb_sa_exttype = SADB_EXT_SA;
-	sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
-	sa->sadb_sa_spi = spi;
-	sa->sadb_sa_state = SADB_SASTATE_MATURE;
-	PFKEY_EXT_ADD(msg, sa);
-
-	add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC);
-	add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST);
-
-	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
-	{
-		DBG1(DBG_KNL, "unable to add pseudo IPIP SA with SPI %.8x", ntohl(spi));
-		return FAILED;
-	}
-	else if (out->sadb_msg_errno)
-	{
-		DBG1(DBG_KNL, "unable to add pseudo IPIP SA with SPI %.8x: %s (%d)",
-				ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
-		free(out);
-		return FAILED;
-	}
-
-	free(out);
-	return SUCCESS;
-}
-
-/**
- * group the IPIP SA required for tunnel mode with the outer SA
- */
-static status_t group_ipip_sa(private_kernel_klips_ipsec_t *this,
-					   host_t *src, host_t *dst, u_int32_t spi,
-					   protocol_id_t protocol, u_int32_t reqid)
-{
-	unsigned char request[PFKEY_BUFFER_SIZE];
-	struct sadb_msg *msg, *out;
-	struct sadb_sa *sa;
-	struct sadb_x_satype *satype;
-	size_t len;
-
-	memset(&request, 0, sizeof(request));
-
-	DBG2(DBG_KNL, "grouping SAs with SPI %.8x and reqid {%d}", ntohl(spi), reqid);
-
-	msg = (struct sadb_msg*)request;
-	msg->sadb_msg_version = PF_KEY_V2;
-	msg->sadb_msg_type = SADB_X_GRPSA;
-	msg->sadb_msg_satype = SADB_X_SATYPE_IPIP;
-	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
-
-	sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
-	sa->sadb_sa_exttype = SADB_EXT_SA;
-	sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
-	sa->sadb_sa_spi = spi;
-	sa->sadb_sa_state = SADB_SASTATE_MATURE;
-	PFKEY_EXT_ADD(msg, sa);
-
-	add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST);
-
-	satype = (struct sadb_x_satype*)PFKEY_EXT_ADD_NEXT(msg);
-	satype->sadb_x_satype_exttype = SADB_X_EXT_SATYPE2;
-	satype->sadb_x_satype_len = PFKEY_LEN(sizeof(struct sadb_x_satype));
-	satype->sadb_x_satype_satype = proto_ike2satype(protocol);
-	PFKEY_EXT_ADD(msg, satype);
-
-	sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
-	sa->sadb_sa_exttype = SADB_X_EXT_SA2;
-	sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
-	sa->sadb_sa_spi = spi;
-	sa->sadb_sa_state = SADB_SASTATE_MATURE;
-	PFKEY_EXT_ADD(msg, sa);
-
-	add_addr_ext(msg, dst, SADB_X_EXT_ADDRESS_DST2);
-
-	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
-	{
-		DBG1(DBG_KNL, "unable to group SAs with SPI %.8x", ntohl(spi));
-		return FAILED;
-	}
-	else if (out->sadb_msg_errno)
-	{
-		DBG1(DBG_KNL, "unable to group SAs with SPI %.8x: %s (%d)",
-				ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
-		free(out);
-		return FAILED;
-	}
-
-	free(out);
-	return SUCCESS;
-}
-
-METHOD(kernel_ipsec_t, add_sa, status_t,
-	private_kernel_klips_ipsec_t *this, host_t *src, host_t *dst, u_int32_t spi,
-	protocol_id_t protocol, u_int32_t reqid, mark_t mark,
-	lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
-	u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode,
-	u_int16_t ipcomp, u_int16_t cpi, bool encap, bool inbound,
-	traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
-{
-	unsigned char request[PFKEY_BUFFER_SIZE];
-	struct sadb_msg *msg, *out;
-	struct sadb_sa *sa;
-	struct sadb_key *key;
-	size_t len;
-
-	if (inbound)
-	{
-		/* for inbound SAs we allocated an SPI via get_spi, so we first check
-		 * whether that SPI has already expired (race condition) */
-		sa_entry_t *alloc_spi;
-		this->mutex->lock(this->mutex);
-		if (this->allocated_spis->find_first(this->allocated_spis,
-				(linked_list_match_t)sa_entry_match_byid, (void**)&alloc_spi,
-					&protocol, &spi, &reqid) != SUCCESS)
-		{
-			this->mutex->unlock(this->mutex);
-			DBG1(DBG_KNL, "allocated SPI %.8x has already expired", ntohl(spi));
-			return FAILED;
-		}
-		else
-		{
-			this->allocated_spis->remove(this->allocated_spis, alloc_spi, NULL);
-			sa_entry_destroy(alloc_spi);
-		}
-		this->mutex->unlock(this->mutex);
-	}
-
-	memset(&request, 0, sizeof(request));
-
-	DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%d}", ntohl(spi), reqid);
-
-	msg = (struct sadb_msg*)request;
-	msg->sadb_msg_version = PF_KEY_V2;
-	msg->sadb_msg_type = SADB_ADD;
-	msg->sadb_msg_satype = proto_ike2satype(protocol);
-	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
-
-	sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
-	sa->sadb_sa_exttype = SADB_EXT_SA;
-	sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
-	sa->sadb_sa_spi = spi;
-	sa->sadb_sa_state = SADB_SASTATE_MATURE;
-	sa->sadb_sa_replay = (protocol == IPPROTO_COMP) ? 0 : 32;
-	sa->sadb_sa_auth = lookup_algorithm(integrity_algs, int_alg);
-	sa->sadb_sa_encrypt = lookup_algorithm(encryption_algs, enc_alg);
-	PFKEY_EXT_ADD(msg, sa);
-
-	add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC);
-	add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST);
-
-	if (enc_alg != ENCR_UNDEFINED)
-	{
-		if (!sa->sadb_sa_encrypt)
-		{
-			DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
-				 encryption_algorithm_names, enc_alg);
-			return FAILED;
-		}
-		DBG2(DBG_KNL, "  using encryption algorithm %N with key size %d",
-			 encryption_algorithm_names, enc_alg, enc_key.len * 8);
-
-		key = (struct sadb_key*)PFKEY_EXT_ADD_NEXT(msg);
-		key->sadb_key_exttype = SADB_EXT_KEY_ENCRYPT;
-		key->sadb_key_bits = enc_key.len * 8;
-		key->sadb_key_len = PFKEY_LEN(sizeof(struct sadb_key) + enc_key.len);
-		memcpy(key + 1, enc_key.ptr, enc_key.len);
-
-		PFKEY_EXT_ADD(msg, key);
-	}
-
-	if (int_alg != AUTH_UNDEFINED)
-	{
-		if (!sa->sadb_sa_auth)
-		{
-			DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
-					 integrity_algorithm_names, int_alg);
-			return FAILED;
-		}
-		DBG2(DBG_KNL, "  using integrity algorithm %N with key size %d",
-			 integrity_algorithm_names, int_alg, int_key.len * 8);
-
-		key = (struct sadb_key*)PFKEY_EXT_ADD_NEXT(msg);
-		key->sadb_key_exttype = SADB_EXT_KEY_AUTH;
-		key->sadb_key_bits = int_key.len * 8;
-		key->sadb_key_len = PFKEY_LEN(sizeof(struct sadb_key) + int_key.len);
-		memcpy(key + 1, int_key.ptr, int_key.len);
-
-		PFKEY_EXT_ADD(msg, key);
-	}
-
-	if (ipcomp != IPCOMP_NONE)
-	{
-		/*TODO*/
-	}
-
-	if (encap)
-	{
-		add_encap_ext(msg, src, dst, FALSE);
-	}
-
-	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
-	{
-		DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x", ntohl(spi));
-		return FAILED;
-	}
-	else if (out->sadb_msg_errno)
-	{
-		DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x: %s (%d)",
-				ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
-		free(out);
-		return FAILED;
-	}
-	free(out);
-
-	/* for tunnel mode SAs we have to install an additional IPIP SA and
-	 * group the two SAs together */
-	if (mode == MODE_TUNNEL)
-	{
-		if (add_ipip_sa(this, src, dst, spi, reqid) != SUCCESS ||
-			group_ipip_sa(this, src, dst, spi, protocol, reqid) != SUCCESS)
-		{
-			DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x", ntohl(spi));
-			return FAILED;
-		}
-	}
-
-	this->mutex->lock(this->mutex);
-	/* we cache this SA for two reasons:
-	 * - in case an SADB_X_NAT_T_MAPPING_NEW event occurs (we need to find the reqid then)
-	 * - to decide if an expired SA is still installed */
-	this->installed_sas->insert_last(this->installed_sas,
-				create_sa_entry(protocol, spi, reqid, src, dst, encap, inbound));
-	this->mutex->unlock(this->mutex);
-
-	/* Although KLIPS supports SADB_EXT_LIFETIME_SOFT/HARD, we handle the lifetime
-	 * of SAs manually in the plugin. Refer to the comments in receive_events()
-	 * for details. */
-	if (lifetime->time.rekey)
-	{
-		schedule_expire(this, protocol, spi, reqid, EXPIRE_TYPE_SOFT, lifetime->time.rekey);
-	}
-
-	if (lifetime->time.life)
-	{
-		schedule_expire(this, protocol, spi, reqid, EXPIRE_TYPE_HARD, lifetime->time.life);
-	}
-
-	return SUCCESS;
-}
-
-METHOD(kernel_ipsec_t, update_sa, status_t,
-	private_kernel_klips_ipsec_t *this, u_int32_t spi, protocol_id_t protocol,
-	u_int16_t cpi, host_t *src, host_t *dst, host_t *new_src, host_t *new_dst,
-	bool encap, bool new_encap, mark_t mark)
-{
-	unsigned char request[PFKEY_BUFFER_SIZE];
-	struct sadb_msg *msg, *out;
-	struct sadb_sa *sa;
-	size_t len;
-
-	/* we can't update the SA if any of the ip addresses have changed.
-	 * that's because we can't use SADB_UPDATE and by deleting and readding the
-	 * SA the sequence numbers would get lost */
-	if (!src->ip_equals(src, new_src) ||
-		!dst->ip_equals(dst, new_dst))
-	{
-		DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x: address changes"
-				" are not supported", ntohl(spi));
-		return NOT_SUPPORTED;
-	}
-
-	/* because KLIPS does not allow us to change the NAT-T type in an SADB_UPDATE,
-	 * we can't update the SA if the encap flag has changed since installing it */
-	if (encap != new_encap)
-	{
-		DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x: change of UDP"
-				" encapsulation is not supported", ntohl(spi));
-		return NOT_SUPPORTED;
-	}
-
-	DBG2(DBG_KNL, "updating SAD entry with SPI %.8x from %#H..%#H to %#H..%#H",
-		 ntohl(spi), src, dst, new_src, new_dst);
-
-	memset(&request, 0, sizeof(request));
-
-	msg = (struct sadb_msg*)request;
-	msg->sadb_msg_version = PF_KEY_V2;
-	msg->sadb_msg_type = SADB_UPDATE;
-	msg->sadb_msg_satype = proto_ike2satype(protocol);
-	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
-
-	sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
-	sa->sadb_sa_exttype = SADB_EXT_SA;
-	sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
-	sa->sadb_sa_spi = spi;
-	sa->sadb_sa_encrypt = SADB_EALG_AESCBC; /* ignored */
-	sa->sadb_sa_auth = SADB_AALG_SHA1HMAC; /* ignored */
-	sa->sadb_sa_state = SADB_SASTATE_MATURE;
-	PFKEY_EXT_ADD(msg, sa);
-
-	add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC);
-	add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST);
-
-	add_encap_ext(msg, new_src, new_dst, TRUE);
-
-	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
-	{
-		DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi));
-		return FAILED;
-	}
-	else if (out->sadb_msg_errno)
-	{
-		DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x: %s (%d)",
-				ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
-		free(out);
-		return FAILED;
-	}
-	free(out);
-
-	return SUCCESS;
-}
-
-METHOD(kernel_ipsec_t, query_sa, status_t,
-	private_kernel_klips_ipsec_t *this, host_t *src, host_t *dst,
-	u_int32_t spi, protocol_id_t protocol, mark_t mark, u_int64_t *bytes)
-{
-	return NOT_SUPPORTED;  /* TODO */
-}
-
-METHOD(kernel_ipsec_t, del_sa, status_t,
-	private_kernel_klips_ipsec_t *this, host_t *src, host_t *dst,
-	u_int32_t spi, protocol_id_t protocol, u_int16_t cpi, mark_t mark)
-{
-	unsigned char request[PFKEY_BUFFER_SIZE];
-	struct sadb_msg *msg, *out;
-	struct sadb_sa *sa;
-	sa_entry_t *cached_sa;
-	size_t len;
-
-	memset(&request, 0, sizeof(request));
-
-	/* all grouped SAs are automatically deleted by KLIPS as soon as
-	 * one of them is deleted, therefore we delete only the main one */
-	DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x", ntohl(spi));
-
-	this->mutex->lock(this->mutex);
-	/* this should not fail, but we don't care if it does, let the kernel decide
-	 * whether this SA exists or not */
-	if (this->installed_sas->find_first(this->installed_sas,
-			(linked_list_match_t)sa_entry_match_bydst, (void**)&cached_sa,
-			&protocol, &spi, dst) == SUCCESS)
-	{
-		this->installed_sas->remove(this->installed_sas, cached_sa, NULL);
-		sa_entry_destroy(cached_sa);
-	}
-	this->mutex->unlock(this->mutex);
-
-	msg = (struct sadb_msg*)request;
-	msg->sadb_msg_version = PF_KEY_V2;
-	msg->sadb_msg_type = SADB_DELETE;
-	msg->sadb_msg_satype = proto_ike2satype(protocol);
-	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
-
-	sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
-	sa->sadb_sa_exttype = SADB_EXT_SA;
-	sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
-	sa->sadb_sa_spi = spi;
-	PFKEY_EXT_ADD(msg, sa);
-
-	/* the kernel wants an SADB_EXT_ADDRESS_SRC to be present even though
-	 * it is not used for anything. */
-	add_anyaddr_ext(msg, dst->get_family(dst), SADB_EXT_ADDRESS_SRC);
-	add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST);
-
-	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
-	{
-		DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x", ntohl(spi));
-		return FAILED;
-	}
-	else if (out->sadb_msg_errno)
-	{
-		DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x: %s (%d)",
-				ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
-		free(out);
-		return FAILED;
-	}
-
-	DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x", ntohl(spi));
-	free(out);
-	return SUCCESS;
-}
-
-METHOD(kernel_ipsec_t, add_policy, status_t,
-	private_kernel_klips_ipsec_t *this, host_t *src, host_t *dst,
-	traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
-	policy_dir_t direction, u_int32_t spi, protocol_id_t protocol,
-	u_int32_t reqid, mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp,
-	u_int16_t cpi, bool routed)
-{
-	unsigned char request[PFKEY_BUFFER_SIZE];
-	struct sadb_msg *msg, *out;
-	policy_entry_t *policy, *found = NULL;
-	u_int8_t satype;
-	size_t len;
-
-	if (direction == POLICY_FWD)
-	{
-		/* no forward policies for KLIPS */
-		return SUCCESS;
-	}
-
-	/* tunnel mode policies direct the packets into the pseudo IPIP SA */
-	satype = (mode == MODE_TUNNEL) ? SADB_X_SATYPE_IPIP :
-									 proto_ike2satype(protocol);
-
-	/* create a policy */
-	policy = create_policy_entry(src_ts, dst_ts, direction);
-
-	/* find a matching policy */
-	this->mutex->lock(this->mutex);
-	if (this->policies->find_first(this->policies,
-			(linked_list_match_t)policy_entry_equals, (void**)&found, policy) == SUCCESS)
-	{
-		/* use existing policy */
-		DBG2(DBG_KNL, "policy %R === %R %N already exists, increasing"
-					  " refcount", src_ts, dst_ts,
-					   policy_dir_names, direction);
-		policy_entry_destroy(policy);
-		policy = found;
-	}
-	else
-	{
-		/* apply the new one, if we have no such policy */
-		this->policies->insert_last(this->policies, policy);
-	}
-
-	if (routed)
-	{
-		/* we install this as a %trap eroute in the kernel, later to be
-		 * triggered by packets matching the policy (-> ACQUIRE). */
-		spi = htonl(SPI_TRAP);
-		satype = SADB_X_SATYPE_INT;
-
-		/* the reqid is always set to the latest child SA that trapped this
-		 * policy. we will need this reqid upon receiving an acquire. */
-		policy->reqid = reqid;
-
-		/* increase the trap counter */
-		policy->trapcount++;
-
-		if (policy->activecount)
-		{
-			/* we do not replace the current policy in the kernel while a
-			 * policy is actively used */
-			this->mutex->unlock(this->mutex);
-			return SUCCESS;
-		}
-	}
-	else
-	{
-		/* increase the reference counter */
-		policy->activecount++;
-	}
-
-	DBG2(DBG_KNL, "adding policy %R === %R %N", src_ts, dst_ts,
-				   policy_dir_names, direction);
-
-	memset(&request, 0, sizeof(request));
-
-	msg = (struct sadb_msg*)request;
-
-	/* FIXME: SADB_X_SAFLAGS_INFLOW may be required, if we add an inbound policy for an IPIP SA */
-	build_addflow(msg, satype, spi, routed ? NULL : src, routed ? NULL : dst,
-			policy->src.net, policy->src.mask, policy->dst.net, policy->dst.mask,
-			policy->src.proto, found != NULL);
-
-	this->mutex->unlock(this->mutex);
-
-	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
-	{
-		DBG1(DBG_KNL, "unable to add policy %R === %R %N", src_ts, dst_ts,
-					   policy_dir_names, direction);
-		return FAILED;
-	}
-	else if (out->sadb_msg_errno)
-	{
-		DBG1(DBG_KNL, "unable to add policy %R === %R %N: %s (%d)", src_ts, dst_ts,
-					   policy_dir_names, direction,
-					   strerror(out->sadb_msg_errno), out->sadb_msg_errno);
-		free(out);
-		return FAILED;
-	}
-	free(out);
-
-	this->mutex->lock(this->mutex);
-
-	/* we try to find the policy again and install the route if needed */
-	if (this->policies->find_last(this->policies, NULL, (void**)&policy) != SUCCESS)
-	{
-		this->mutex->unlock(this->mutex);
-		DBG2(DBG_KNL, "the policy %R === %R %N is already gone, ignoring",
-				src_ts, dst_ts, policy_dir_names, direction);
-		return SUCCESS;
-	}
-
-	/* KLIPS requires a special route that directs traffic that matches this
-	 * policy to one of the virtual ipsec interfaces. The virtual interface
-	 * has to be attached to the physical one the traffic runs over.
-	 * This is a special case of the source route we install in other kernel
-	 * interfaces.
-	 * In the following cases we do NOT install a source route (but just a
-	 * regular route):
-	 * - we are not in tunnel mode
-	 * - we are using IPv6 (does not work correctly yet!)
-	 * - routing is disabled via strongswan.conf
-	 */
-	if (policy->route == NULL && direction == POLICY_OUT)
-	{
-		char *iface;
-		ipsec_dev_t *dev;
-		route_entry_t *route = malloc_thing(route_entry_t);
-		route->src_ip = NULL;
-
-		if (mode != MODE_TRANSPORT && src->get_family(src) != AF_INET6 &&
-			this->install_routes)
-		{
-			charon->kernel_interface->get_address_by_ts(charon->kernel_interface,
-						src_ts, &route->src_ip);
-		}
-
-		if (!route->src_ip)
-		{
-			route->src_ip = host_create_any(src->get_family(src));
-		}
-
-		/* find the virtual interface */
-		iface = charon->kernel_interface->get_interface(charon->kernel_interface,
-														src);
-		if (find_ipsec_dev(this, iface, &dev) == SUCCESS)
-		{
-			/* above, we got either the name of a virtual or a physical
-			 * interface. for both cases it means we already have the devices
-			 * properly attached (assuming that we are exclusively attaching
-			 * ipsec devices). */
-			dev->refcount++;
-		}
-		else
-		{
-			/* there is no record of a mapping with the returned interface.
-			 * thus, we attach the first free virtual interface we find to
-			 * it. As above we assume we are the only client fiddling with
-			 * ipsec devices. */
-			if (this->ipsec_devices->find_first(this->ipsec_devices,
-					(linked_list_match_t)ipsec_dev_match_free,
-						(void**)&dev) == SUCCESS)
-			{
-				if (attach_ipsec_dev(dev->name, iface) == SUCCESS)
-				{
-					strncpy(dev->phys_name, iface, IFNAMSIZ);
-					dev->refcount = 1;
-				}
-				else
-				{
-					DBG1(DBG_KNL, "failed to attach virtual interface %s"
-							" to %s", dev->name, iface);
-					this->mutex->unlock(this->mutex);
-					free(iface);
-					return FAILED;
-				}
-			}
-			else
-			{
-				this->mutex->unlock(this->mutex);
-				DBG1(DBG_KNL, "failed to attach a virtual interface to %s: no"
-						" virtual interfaces left", iface);
-				free(iface);
-				return FAILED;
-			}
-		}
-		free(iface);
-		route->if_name = strdup(dev->name);
-
-		/* get the nexthop to dst */
-		route->gateway = charon->kernel_interface->get_nexthop(
-										charon->kernel_interface, dst);
-		route->dst_net = chunk_clone(policy->dst.net->get_address(policy->dst.net));
-		route->prefixlen = policy->dst.mask;
-
-		switch (charon->kernel_interface->add_route(charon->kernel_interface,
-				route->dst_net, route->prefixlen, route->gateway,
-				route->src_ip, route->if_name))
-		{
-			default:
-				DBG1(DBG_KNL, "unable to install route for policy %R === %R",
-					 src_ts, dst_ts);
-				/* FALL */
-			case ALREADY_DONE:
-				/* route exists, do not uninstall */
-				route_entry_destroy(route);
-				break;
-			case SUCCESS:
-				/* cache the installed route */
-				policy->route = route;
-				break;
-		}
-	}
-
-	this->mutex->unlock(this->mutex);
-
-	return SUCCESS;
-}
-
-METHOD(kernel_ipsec_t, query_policy, status_t,
-	private_kernel_klips_ipsec_t *this, traffic_selector_t *src_ts,
-	traffic_selector_t *dst_ts, policy_dir_t direction, mark_t mark,
-	u_int32_t *use_time)
-{
-	#define IDLE_PREFIX "idle="
-	static const char *path_eroute = "/proc/net/ipsec_eroute";
-	static const char *path_spi = "/proc/net/ipsec_spi";
-	FILE *file;
-	char line[1024], src[INET6_ADDRSTRLEN + 9], dst[INET6_ADDRSTRLEN + 9];
-	char *said = NULL, *pos;
-	policy_entry_t *policy, *found = NULL;
-	status_t status = FAILED;
-
-	if (direction == POLICY_FWD)
-	{
-		/* we do not install forward policies */
-		return FAILED;
-	}
-
-	DBG2(DBG_KNL, "querying policy %R === %R %N", src_ts, dst_ts,
-				   policy_dir_names, direction);
-
-	/* create a policy */
-	policy = create_policy_entry(src_ts, dst_ts, direction);
-
-	/* find a matching policy */
-	this->mutex->lock(this->mutex);
-	if (this->policies->find_first(this->policies,
-			(linked_list_match_t)policy_entry_equals, (void**)&found, policy) != SUCCESS)
-	{
-		this->mutex->unlock(this->mutex);
-		DBG1(DBG_KNL, "querying policy %R === %R %N failed, not found", src_ts,
-					   dst_ts, policy_dir_names, direction);
-		policy_entry_destroy(policy);
-		return NOT_FOUND;
-	}
-	policy_entry_destroy(policy);
-	policy = found;
-
-	/* src and dst selectors in KLIPS are of the form NET_ADDR/NETBITS:PROTO */
-	snprintf(src, sizeof(src), "%H/%d:%d", policy->src.net, policy->src.mask,
-			policy->src.proto);
-	src[sizeof(src) - 1] = '\0';
-	snprintf(dst, sizeof(dst), "%H/%d:%d", policy->dst.net, policy->dst.mask,
-			policy->dst.proto);
-	dst[sizeof(dst) - 1] = '\0';
-
-	this->mutex->unlock(this->mutex);
-
-	/* we try to find the matching eroute first */
-	file = fopen(path_eroute, "r");
-	if (file == NULL)
-	{
-		DBG1(DBG_KNL, "unable to query policy %R === %R %N: %s (%d)", src_ts,
-				dst_ts, policy_dir_names, direction, strerror(errno), errno);
-		return FAILED;
-	}
-
-	/* read line by line where each line looks like:
-	 * packets  src  ->  dst  =>  said */
-	while (fgets(line, sizeof(line), file))
-	{
-		enumerator_t *enumerator;
-		char *token;
-		int i = 0;
-
-		enumerator = enumerator_create_token(line, " \t", " \t\n");
-		while (enumerator->enumerate(enumerator, &token))
-		{
-			switch (i++)
-			{
-				case 0: /* packets */
-					continue;
-				case 1: /* src */
-					if (streq(token, src))
-					{
-						continue;
-					}
-					break;
-				case 2: /* -> */
-					continue;
-				case 3: /* dst */
-					if (streq(token, dst))
-					{
-						continue;
-					}
-					break;
-				case 4: /* => */
-					continue;
-				case 5: /* said */
-					said = strdup(token);
-					break;
-			}
-			break;
-		}
-		enumerator->destroy(enumerator);
-
-		if (i == 5)
-		{
-			/* eroute matched */
-			break;
-		}
-	}
-	fclose(file);
-
-	if (said == NULL)
-	{
-		DBG1(DBG_KNL, "unable to query policy %R === %R %N: found no matching"
-				" eroute", src_ts, dst_ts, policy_dir_names, direction);
-		return FAILED;
-	}
-
-	/* compared with the one in the spi entry the SA ID from the eroute entry
-	 * has an additional ":PROTO" appended, which we need to cut off */
-	pos = strrchr(said, ':');
-	*pos = '\0';
-
-	/* now we try to find the matching spi entry */
-	file = fopen(path_spi, "r");
-	if (file == NULL)
-	{
-		DBG1(DBG_KNL, "unable to query policy %R === %R %N: %s (%d)", src_ts,
-				dst_ts, policy_dir_names, direction, strerror(errno), errno);
-		return FAILED;
-	}
-
-	while (fgets(line, sizeof(line), file))
-	{
-		if (strneq(line, said, strlen(said)))
-		{
-			/* fine we found the correct line, now find the idle time */
-			u_int32_t idle_time;
-			pos = strstr(line, IDLE_PREFIX);
-			if (pos == NULL)
-			{
-				/* no idle time, i.e. this SA has not been used yet */
-				break;
-			}
-			if (sscanf(pos, IDLE_PREFIX"%u", &idle_time) <= 0)
-			{
-				/* idle time not valid */
-				break;
-			}
-
-			*use_time = time_monotonic(NULL) - idle_time;
-			status = SUCCESS;
-			break;
-		}
-	}
-	fclose(file);
-	free(said);
-
-	return status;
-}
-
-METHOD(kernel_ipsec_t, del_policy, status_t,
-	private_kernel_klips_ipsec_t *this, traffic_selector_t *src_ts,
-	traffic_selector_t *dst_ts, policy_dir_t direction, mark_t mark,
-	bool unrouted)
-{
-	unsigned char request[PFKEY_BUFFER_SIZE];
-	struct sadb_msg *msg = (struct sadb_msg*)request, *out;
-	policy_entry_t *policy, *found = NULL;
-	route_entry_t *route;
-	size_t len;
-
-	if (direction == POLICY_FWD)
-	{
-		/* no forward policies for KLIPS */
-		return SUCCESS;
-	}
-
-	DBG2(DBG_KNL, "deleting policy %R === %R %N", src_ts, dst_ts,
-				   policy_dir_names, direction);
-
-	/* create a policy */
-	policy = create_policy_entry(src_ts, dst_ts, direction);
-
-	/* find a matching policy */
-	this->mutex->lock(this->mutex);
-	if (this->policies->find_first(this->policies,
-			(linked_list_match_t)policy_entry_equals, (void**)&found, policy) != SUCCESS)
-	{
-		this->mutex->unlock(this->mutex);
-		DBG1(DBG_KNL, "deleting policy %R === %R %N failed, not found", src_ts,
-					   dst_ts, policy_dir_names, direction);
-		policy_entry_destroy(policy);
-		return NOT_FOUND;
-	}
-	policy_entry_destroy(policy);
-
-	/* decrease appropriate counter */
-	unrouted ? found->trapcount-- : found->activecount--;
-
-	if (found->trapcount == 0)
-	{
-		/* if this policy is finally unrouted, we reset the reqid because it
-		 * may still be actively used and there might be a pending acquire for
-		 * this policy. */
-		found->reqid = 0;
-	}
-
-	if (found->activecount > 0)
-	{
-		/* is still used by SAs, keep in kernel */
-		this->mutex->unlock(this->mutex);
-		DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed");
-		return SUCCESS;
-	}
-	else if (found->activecount == 0 && found->trapcount > 0)
-	{
-		/* for a policy that is not used actively anymore, but is still trapped
-		 * by another child SA we replace the current eroute with a %trap eroute */
-		DBG2(DBG_KNL, "policy still routed by another CHILD_SA, not removed");
-		memset(&request, 0, sizeof(request));
-		build_addflow(msg, SADB_X_SATYPE_INT, htonl(SPI_TRAP), NULL, NULL,
-				found->src.net, found->src.mask, found->dst.net,
-				found->dst.mask, found->src.proto, TRUE);
-		this->mutex->unlock(this->mutex);
-		return pfkey_send_ack(this, msg);
-	}
-
-	/* remove if last reference */
-	this->policies->remove(this->policies, found, NULL);
-	policy = found;
-
-	this->mutex->unlock(this->mutex);
-
-	memset(&request, 0, sizeof(request));
-
-	build_delflow(msg, 0, policy->src.net, policy->src.mask, policy->dst.net,
-			policy->dst.mask, policy->src.proto);
-
-	route = policy->route;
-	policy->route = NULL;
-	policy_entry_destroy(policy);
-
-	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
-	{
-		DBG1(DBG_KNL, "unable to delete policy %R === %R %N", src_ts, dst_ts,
-					   policy_dir_names, direction);
-		return FAILED;
-	}
-	else if (out->sadb_msg_errno)
-	{
-		DBG1(DBG_KNL, "unable to delete policy %R === %R %N: %s (%d)", src_ts,
-					   dst_ts, policy_dir_names, direction,
-					   strerror(out->sadb_msg_errno), out->sadb_msg_errno);
-		free(out);
-		return FAILED;
-	}
-	free(out);
-
-	if (route)
-	{
-		ipsec_dev_t *dev;
-
-		if (charon->kernel_interface->del_route(charon->kernel_interface,
-				route->dst_net, route->prefixlen, route->gateway,
-				route->src_ip, route->if_name) != SUCCESS)
-		{
-			DBG1(DBG_KNL, "error uninstalling route installed with"
-						  " policy %R === %R %N", src_ts, dst_ts,
-						   policy_dir_names, direction);
-		}
-
-		/* we have to detach the ipsec interface from the physical one over which
-		 * this SA ran (if it is not used by any other) */
-		this->mutex->lock(this->mutex);
-
-		if (find_ipsec_dev(this, route->if_name, &dev) == SUCCESS)
-		{
-			/* fine, we found a matching device object, let's check if we have
-			 * to detach it. */
-			if (--dev->refcount == 0)
-			{
-				if (detach_ipsec_dev(dev->name, dev->phys_name) != SUCCESS)
-				{
-					DBG1(DBG_KNL, "failed to detach virtual interface %s"
-							" from %s", dev->name, dev->phys_name);
-				}
-				dev->phys_name[0] = '\0';
-			}
-		}
-
-		this->mutex->unlock(this->mutex);
-
-		route_entry_destroy(route);
-	}
-
-	return SUCCESS;
-}
-
-/**
- * Initialize the list of ipsec devices
- */
-static void init_ipsec_devices(private_kernel_klips_ipsec_t *this)
-{
-	int i, count = lib->settings->get_int(lib->settings,
-						"charon.plugins.kernel-klips.ipsec_dev_count",
-						DEFAULT_IPSEC_DEV_COUNT);
-
-	for (i = 0; i < count; ++i)
-	{
-		ipsec_dev_t *dev = malloc_thing(ipsec_dev_t);
-		snprintf(dev->name, IFNAMSIZ, IPSEC_DEV_PREFIX"%d", i);
-		dev->name[IFNAMSIZ - 1] = '\0';
-		dev->phys_name[0] = '\0';
-		dev->refcount = 0;
-		this->ipsec_devices->insert_last(this->ipsec_devices, dev);
-
-		/* detach any previously attached ipsec device */
-		detach_ipsec_dev(dev->name, dev->phys_name);
-	}
-}
-
-/**
- * Register a socket for AQUIRE/EXPIRE messages
- */
-static status_t register_pfkey_socket(private_kernel_klips_ipsec_t *this, u_int8_t satype)
-{
-	unsigned char request[PFKEY_BUFFER_SIZE];
-	struct sadb_msg *msg, *out;
-	size_t len;
-
-	memset(&request, 0, sizeof(request));
-
-	msg = (struct sadb_msg*)request;
-	msg->sadb_msg_version = PF_KEY_V2;
-	msg->sadb_msg_type = SADB_REGISTER;
-	msg->sadb_msg_satype = satype;
-	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
-
-	if (pfkey_send_socket(this, this->socket_events, msg, &out, &len) != SUCCESS)
-	{
-		DBG1(DBG_KNL, "unable to register PF_KEY socket");
-		return FAILED;
-	}
-	else if (out->sadb_msg_errno)
-	{
-		DBG1(DBG_KNL, "unable to register PF_KEY socket: %s (%d)",
-					   strerror(out->sadb_msg_errno), out->sadb_msg_errno);
-		free(out);
-		return FAILED;
-	}
-	free(out);
-	return SUCCESS;
-}
-
-METHOD(kernel_ipsec_t, bypass_socket, bool,
-	private_kernel_klips_ipsec_t *this, int fd, int family)
-{
-	/* KLIPS does not need a bypass policy for IKE */
-	return TRUE;
-}
-
-METHOD(kernel_ipsec_t, destroy, void,
-	private_kernel_klips_ipsec_t *this)
-{
-	if (this->job)
-	{
-		this->job->cancel(this->job);
-	}
-	if (this->socket > 0)
-	{
-		close(this->socket);
-	}
-	if (this->socket_events > 0)
-	{
-		close(this->socket_events);
-	}
-	this->mutex_pfkey->destroy(this->mutex_pfkey);
-	this->mutex->destroy(this->mutex);
-	this->ipsec_devices->destroy_function(this->ipsec_devices, (void*)ipsec_dev_destroy);
-	this->installed_sas->destroy_function(this->installed_sas, (void*)sa_entry_destroy);
-	this->allocated_spis->destroy_function(this->allocated_spis, (void*)sa_entry_destroy);
-	this->policies->destroy_function(this->policies, (void*)policy_entry_destroy);
-	free(this);
-}
-
-/*
- * Described in header.
- */
-kernel_klips_ipsec_t *kernel_klips_ipsec_create()
-{
-	private_kernel_klips_ipsec_t *this;
-
-	INIT(this,
-		.public.interface = {
-			.get_spi = _get_spi,
-			.get_cpi = _get_cpi,
-			.add_sa  = _add_sa,
-			.update_sa = _update_sa,
-			.query_sa = _query_sa,
-			.del_sa = _del_sa,
-			.add_policy = _add_policy,
-			.query_policy = _query_policy,
-			.del_policy = _del_policy,
-			.bypass_socket = _bypass_socket,
-			.destroy = _destroy,
-		},
-		.policies = linked_list_create(),
-		.allocated_spis = linked_list_create(),
-		.installed_sas = linked_list_create(),
-		.ipsec_devices = linked_list_create(),
-		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
-		.mutex_pfkey = mutex_create(MUTEX_TYPE_DEFAULT),
-		.install_routes = lib->settings->get_bool(lib->settings,
-												"charon.install_routes", TRUE),
-	);
-
-	/* initialize ipsec devices */
-	init_ipsec_devices(this);
-
-	/* create a PF_KEY socket to communicate with the kernel */
-	this->socket = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
-	if (this->socket <= 0)
-	{
-		DBG1(DBG_KNL, "unable to create PF_KEY socket");
-		destroy(this);
-		return NULL;
-	}
-
-	/* create a PF_KEY socket for ACQUIRE & EXPIRE */
-	this->socket_events = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
-	if (this->socket_events <= 0)
-	{
-		DBG1(DBG_KNL, "unable to create PF_KEY event socket");
-		destroy(this);
-		return NULL;
-	}
-
-	/* register the event socket */
-	if (register_pfkey_socket(this, SADB_SATYPE_ESP) != SUCCESS ||
-		register_pfkey_socket(this, SADB_SATYPE_AH) != SUCCESS)
-	{
-		DBG1(DBG_KNL, "unable to register PF_KEY event socket");
-		destroy(this);
-		return NULL;
-	}
-
-	this->job = callback_job_create((callback_job_cb_t)receive_events,
-									this, NULL, NULL);
-	charon->processor->queue_job(charon->processor, (job_t*)this->job);
-
-	return &this->public;
-}
-
diff --git a/src/libcharon/plugins/kernel_klips/kernel_klips_ipsec.h b/src/libcharon/plugins/kernel_klips/kernel_klips_ipsec.h
deleted file mode 100644
index 306ec0ada..000000000
--- a/src/libcharon/plugins/kernel_klips/kernel_klips_ipsec.h
+++ /dev/null
@@ -1,46 +0,0 @@
-/*
- * Copyright (C) 2008 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup kernel_klips_ipsec_i kernel_klips_ipsec
- * @{ @ingroup kernel_klips
- */
-
-#ifndef KERNEL_KLIPS_IPSEC_H_
-#define KERNEL_KLIPS_IPSEC_H_
-
-#include <kernel/kernel_ipsec.h>
-
-typedef struct kernel_klips_ipsec_t kernel_klips_ipsec_t;
-
-/**
- * Implementation of the kernel ipsec interface using PF_KEY.
- */
-struct kernel_klips_ipsec_t {
-
-	/**
-	 * Implements kernel_ipsec_t interface
-	 */
-	kernel_ipsec_t interface;
-};
-
-/**
- * Create a PF_KEY kernel ipsec interface instance.
- *
- * @return			kernel_klips_ipsec_t instance
- */
-kernel_klips_ipsec_t *kernel_klips_ipsec_create();
-
-#endif /** KERNEL_KLIPS_IPSEC_H_ @}*/
diff --git a/src/libcharon/plugins/kernel_klips/kernel_klips_plugin.c b/src/libcharon/plugins/kernel_klips/kernel_klips_plugin.c
deleted file mode 100644
index fa5e9eb29..000000000
--- a/src/libcharon/plugins/kernel_klips/kernel_klips_plugin.c
+++ /dev/null
@@ -1,56 +0,0 @@
-/*
- * Copyright (C) 2008 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-
-#include "kernel_klips_plugin.h"
-
-#include "kernel_klips_ipsec.h"
-
-#include <daemon.h>
-
-typedef struct private_kernel_klips_plugin_t private_kernel_klips_plugin_t;
-
-/**
- * private data of kernel PF_KEY plugin
- */
-struct private_kernel_klips_plugin_t {
-	/**
-	 * implements plugin interface
-	 */
-	kernel_klips_plugin_t public;
-};
-
-/**
- * Implementation of plugin_t.destroy
- */
-static void destroy(private_kernel_klips_plugin_t *this)
-{
-	charon->kernel_interface->remove_ipsec_interface(charon->kernel_interface, (kernel_ipsec_constructor_t)kernel_klips_ipsec_create);
-	free(this);
-}
-
-/*
- * see header file
- */
-plugin_t *kernel_klips_plugin_create()
-{
-	private_kernel_klips_plugin_t *this = malloc_thing(private_kernel_klips_plugin_t);
-
-	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-
-	charon->kernel_interface->add_ipsec_interface(charon->kernel_interface, (kernel_ipsec_constructor_t)kernel_klips_ipsec_create);
-
-	return &this->public.plugin;
-}
diff --git a/src/libcharon/plugins/kernel_klips/kernel_klips_plugin.h b/src/libcharon/plugins/kernel_klips/kernel_klips_plugin.h
deleted file mode 100644
index 6086217ad..000000000
--- a/src/libcharon/plugins/kernel_klips/kernel_klips_plugin.h
+++ /dev/null
@@ -1,42 +0,0 @@
-/*
- * Copyright (C) 2008 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup kernel_klips kernel_klips
- * @ingroup cplugins
- *
- * @defgroup kernel_klips_plugin kernel_klips_plugin
- * @{ @ingroup kernel_klips
- */
-
-#ifndef KERNEL_KLIPS_PLUGIN_H_
-#define KERNEL_KLIPS_PLUGIN_H_
-
-#include <plugins/plugin.h>
-
-typedef struct kernel_klips_plugin_t kernel_klips_plugin_t;
-
-/**
- * PF_KEY kernel interface plugin
- */
-struct kernel_klips_plugin_t {
-
-	/**
-	 * implements plugin interface
-	 */
-	plugin_t plugin;
-};
-
-#endif /** KERNEL_KLIPS_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/kernel_klips/pfkeyv2.h b/src/libcharon/plugins/kernel_klips/pfkeyv2.h
deleted file mode 100644
index 20d1c298d..000000000
--- a/src/libcharon/plugins/kernel_klips/pfkeyv2.h
+++ /dev/null
@@ -1,322 +0,0 @@
-/*
-RFC 2367               PF_KEY Key Management API               July 1998
-
-
-Appendix D: Sample Header File
-
-This file defines structures and symbols for the PF_KEY Version 2
-key management interface. It was written at the U.S. Naval Research
-Laboratory. This file is in the public domain. The authors ask that
-you leave this credit intact on any copies of this file.
-*/
-#ifndef __PFKEY_V2_H
-#define __PFKEY_V2_H 1
-
-#define PF_KEY_V2 2
-#define PFKEYV2_REVISION        199806L
-
-#define SADB_RESERVED    0
-#define SADB_GETSPI      1
-#define SADB_UPDATE      2
-#define SADB_ADD         3
-#define SADB_DELETE      4
-#define SADB_GET         5
-#define SADB_ACQUIRE     6
-#define SADB_REGISTER    7
-#define SADB_EXPIRE      8
-#define SADB_FLUSH       9
-#define SADB_DUMP       10
-#define SADB_X_PROMISC  11
-#define SADB_X_PCHANGE  12
-#define SADB_X_GRPSA    13
-#define SADB_X_ADDFLOW	14
-#define SADB_X_DELFLOW	15
-#define SADB_X_DEBUG	16
-#define SADB_X_NAT_T_NEW_MAPPING  17
-#define SADB_MAX                  17
-
-struct sadb_msg {
-  uint8_t sadb_msg_version;
-  uint8_t sadb_msg_type;
-  uint8_t sadb_msg_errno;
-  uint8_t sadb_msg_satype;
-  uint16_t sadb_msg_len;
-  uint16_t sadb_msg_reserved;
-  uint32_t sadb_msg_seq;
-  uint32_t sadb_msg_pid;
-};
-
-struct sadb_ext {
-  uint16_t sadb_ext_len;
-  uint16_t sadb_ext_type;
-};
-
-struct sadb_sa {
-  uint16_t sadb_sa_len;
-  uint16_t sadb_sa_exttype;
-  uint32_t sadb_sa_spi;
-  uint8_t sadb_sa_replay;
-  uint8_t sadb_sa_state;
-  uint8_t sadb_sa_auth;
-  uint8_t sadb_sa_encrypt;
-  uint32_t sadb_sa_flags;
-};
-
-struct sadb_lifetime {
-  uint16_t sadb_lifetime_len;
-  uint16_t sadb_lifetime_exttype;
-  uint32_t sadb_lifetime_allocations;
-  uint64_t sadb_lifetime_bytes;
-  uint64_t sadb_lifetime_addtime;
-  uint64_t sadb_lifetime_usetime;
-  uint32_t sadb_x_lifetime_packets;
-  uint32_t sadb_x_lifetime_reserved;
-};
-
-struct sadb_address {
-  uint16_t sadb_address_len;
-  uint16_t sadb_address_exttype;
-  uint8_t sadb_address_proto;
-  uint8_t sadb_address_prefixlen;
-  uint16_t sadb_address_reserved;
-};
-
-struct sadb_key {
-  uint16_t sadb_key_len;
-  uint16_t sadb_key_exttype;
-  uint16_t sadb_key_bits;
-  uint16_t sadb_key_reserved;
-};
-
-struct sadb_ident {
-  uint16_t sadb_ident_len;
-  uint16_t sadb_ident_exttype;
-  uint16_t sadb_ident_type;
-  uint16_t sadb_ident_reserved;
-  uint64_t sadb_ident_id;
-};
-
-struct sadb_sens {
-  uint16_t sadb_sens_len;
-  uint16_t sadb_sens_exttype;
-  uint32_t sadb_sens_dpd;
-  uint8_t sadb_sens_sens_level;
-  uint8_t sadb_sens_sens_len;
-  uint8_t sadb_sens_integ_level;
-  uint8_t sadb_sens_integ_len;
-  uint32_t sadb_sens_reserved;
-};
-
-struct sadb_prop {
-  uint16_t sadb_prop_len;
-  uint16_t sadb_prop_exttype;
-  uint8_t sadb_prop_replay;
-  uint8_t sadb_prop_reserved[3];
-};
-
-struct sadb_comb {
-  uint8_t sadb_comb_auth;
-  uint8_t sadb_comb_encrypt;
-  uint16_t sadb_comb_flags;
-  uint16_t sadb_comb_auth_minbits;
-  uint16_t sadb_comb_auth_maxbits;
-  uint16_t sadb_comb_encrypt_minbits;
-  uint16_t sadb_comb_encrypt_maxbits;
-  uint32_t sadb_comb_reserved;
-  uint32_t sadb_comb_soft_allocations;
-  uint32_t sadb_comb_hard_allocations;
-  uint64_t sadb_comb_soft_bytes;
-  uint64_t sadb_comb_hard_bytes;
-  uint64_t sadb_comb_soft_addtime;
-  uint64_t sadb_comb_hard_addtime;
-  uint64_t sadb_comb_soft_usetime;
-  uint64_t sadb_comb_hard_usetime;
-  uint32_t sadb_x_comb_soft_packets;
-  uint32_t sadb_x_comb_hard_packets;
-};
-
-struct sadb_supported {
-  uint16_t sadb_supported_len;
-  uint16_t sadb_supported_exttype;
-  uint32_t sadb_supported_reserved;
-};
-
-struct sadb_alg {
-  uint8_t sadb_alg_id;
-  uint8_t sadb_alg_ivlen;
-  uint16_t sadb_alg_minbits;
-  uint16_t sadb_alg_maxbits;
-  uint16_t sadb_alg_reserved;
-};
-
-struct sadb_spirange {
-  uint16_t sadb_spirange_len;
-  uint16_t sadb_spirange_exttype;
-  uint32_t sadb_spirange_min;
-  uint32_t sadb_spirange_max;
-  uint32_t sadb_spirange_reserved;
-};
-
-struct sadb_x_kmprivate {
-  uint16_t sadb_x_kmprivate_len;
-  uint16_t sadb_x_kmprivate_exttype;
-  uint32_t sadb_x_kmprivate_reserved;
-};
-
-struct sadb_x_satype {
-  uint16_t sadb_x_satype_len;
-  uint16_t sadb_x_satype_exttype;
-  uint8_t sadb_x_satype_satype;
-  uint8_t sadb_x_satype_reserved[3];
-};
-
-struct sadb_x_debug {
-  uint16_t sadb_x_debug_len;
-  uint16_t sadb_x_debug_exttype;
-  uint32_t sadb_x_debug_tunnel;
-  uint32_t sadb_x_debug_netlink;
-  uint32_t sadb_x_debug_xform;
-  uint32_t sadb_x_debug_eroute;
-  uint32_t sadb_x_debug_spi;
-  uint32_t sadb_x_debug_radij;
-  uint32_t sadb_x_debug_esp;
-  uint32_t sadb_x_debug_ah;
-  uint32_t sadb_x_debug_rcv;
-  uint32_t sadb_x_debug_pfkey;
-  uint32_t sadb_x_debug_ipcomp;
-  uint32_t sadb_x_debug_verbose;
-  uint8_t sadb_x_debug_reserved[4];
-};
-
-struct sadb_x_nat_t_type {
-  uint16_t sadb_x_nat_t_type_len;
-  uint16_t sadb_x_nat_t_type_exttype;
-  uint8_t sadb_x_nat_t_type_type;
-  uint8_t sadb_x_nat_t_type_reserved[3];
-};
-struct sadb_x_nat_t_port {
-  uint16_t sadb_x_nat_t_port_len;
-  uint16_t sadb_x_nat_t_port_exttype;
-  uint16_t sadb_x_nat_t_port_port;
-  uint16_t sadb_x_nat_t_port_reserved;
-};
-
-/*
- * A protocol structure for passing through the transport level
- * protocol.  It contains more fields than are actually used/needed
- * but it is this way to be compatible with the structure used in
- * OpenBSD (http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/pfkeyv2.h)
- */
-struct sadb_protocol {
-  uint16_t sadb_protocol_len;
-  uint16_t sadb_protocol_exttype;
-  uint8_t  sadb_protocol_proto;
-  uint8_t  sadb_protocol_direction;
-  uint8_t  sadb_protocol_flags;
-  uint8_t  sadb_protocol_reserved2;
-};
-
-#define SADB_EXT_RESERVED             0
-#define SADB_EXT_SA                   1
-#define SADB_EXT_LIFETIME_CURRENT     2
-#define SADB_EXT_LIFETIME_HARD        3
-#define SADB_EXT_LIFETIME_SOFT        4
-#define SADB_EXT_ADDRESS_SRC          5
-#define SADB_EXT_ADDRESS_DST          6
-#define SADB_EXT_ADDRESS_PROXY        7
-#define SADB_EXT_KEY_AUTH             8
-#define SADB_EXT_KEY_ENCRYPT          9
-#define SADB_EXT_IDENTITY_SRC         10
-#define SADB_EXT_IDENTITY_DST         11
-#define SADB_EXT_SENSITIVITY          12
-#define SADB_EXT_PROPOSAL             13
-#define SADB_EXT_SUPPORTED_AUTH       14
-#define SADB_EXT_SUPPORTED_ENCRYPT    15
-#define SADB_EXT_SPIRANGE             16
-#define SADB_X_EXT_KMPRIVATE          17
-#define SADB_X_EXT_SATYPE2            18
-#define SADB_X_EXT_SA2                19
-#define SADB_X_EXT_ADDRESS_DST2       20
-#define SADB_X_EXT_ADDRESS_SRC_FLOW   21
-#define SADB_X_EXT_ADDRESS_DST_FLOW   22
-#define SADB_X_EXT_ADDRESS_SRC_MASK   23
-#define SADB_X_EXT_ADDRESS_DST_MASK   24
-#define SADB_X_EXT_DEBUG              25
-#define SADB_X_EXT_PROTOCOL           26
-#define SADB_X_EXT_NAT_T_TYPE         27
-#define SADB_X_EXT_NAT_T_SPORT        28
-#define SADB_X_EXT_NAT_T_DPORT        29
-#define SADB_X_EXT_NAT_T_OA           30
-#define SADB_EXT_MAX                  30
-
-/* SADB_X_DELFLOW required over and above SADB_X_SAFLAGS_CLEARFLOW */
-#define SADB_X_EXT_ADDRESS_DELFLOW \
-	( (1<<SADB_X_EXT_ADDRESS_SRC_FLOW) \
-	| (1<<SADB_X_EXT_ADDRESS_DST_FLOW) \
-	| (1<<SADB_X_EXT_ADDRESS_SRC_MASK) \
-	| (1<<SADB_X_EXT_ADDRESS_DST_MASK))
-
-#define SADB_SATYPE_UNSPEC    0
-#define SADB_SATYPE_AH        2
-#define SADB_SATYPE_ESP       3
-#define SADB_SATYPE_RSVP      5
-#define SADB_SATYPE_OSPFV2    6
-#define SADB_SATYPE_RIPV2     7
-#define SADB_SATYPE_MIP       8
-#define SADB_X_SATYPE_IPIP    9
-#define SADB_X_SATYPE_COMP    10
-#define SADB_X_SATYPE_INT     11
-#define SADB_SATYPE_MAX       11
-
-#define SADB_SASTATE_LARVAL   0
-#define SADB_SASTATE_MATURE   1
-#define SADB_SASTATE_DYING    2
-#define SADB_SASTATE_DEAD     3
-#define SADB_SASTATE_MAX      3
-
-#define SADB_SAFLAGS_PFS		1
-#define SADB_X_SAFLAGS_REPLACEFLOW	2
-#define SADB_X_SAFLAGS_CLEARFLOW	4
-#define SADB_X_SAFLAGS_INFLOW		8
-
-#define SADB_AALG_NONE        0
-#define SADB_AALG_MD5HMAC     2
-#define SADB_AALG_SHA1HMAC    3
-#define	SADB_AALG_SHA256_HMAC    5
-#define	SADB_AALG_SHA384_HMAC    6
-#define	SADB_AALG_SHA512_HMAC    7
-#define	SADB_AALG_RIPEMD160HMAC      8
-#define	SADB_AALG_MAX         15
-
-#define SADB_EALG_NONE        0
-#define SADB_EALG_DESCBC      2
-#define SADB_EALG_3DESCBC     3
-#define SADB_EALG_BFCBC	      7
-#define SADB_EALG_NULL        11
-#define SADB_EALG_AESCBC      12
-#define SADB_EALG_MAX         255
-
-#define SADB_X_CALG_NONE          0
-#define SADB_X_CALG_OUI           1
-#define SADB_X_CALG_DEFLATE       2
-#define SADB_X_CALG_LZS           3
-#define SADB_X_CALG_V42BIS        4
-#define SADB_X_CALG_MAX           4
-
-#define SADB_X_TALG_NONE          0
-#define SADB_X_TALG_IPv4_in_IPv4  1
-#define SADB_X_TALG_IPv6_in_IPv4  2
-#define SADB_X_TALG_IPv4_in_IPv6  3
-#define SADB_X_TALG_IPv6_in_IPv6  4
-#define SADB_X_TALG_MAX           4
-
-
-#define SADB_IDENTTYPE_RESERVED   0
-#define SADB_IDENTTYPE_PREFIX     1
-#define SADB_IDENTTYPE_FQDN       2
-#define SADB_IDENTTYPE_USERFQDN   3
-#define SADB_X_IDENTTYPE_CONNECTION 4
-#define SADB_IDENTTYPE_MAX        4
-
-#define SADB_KEY_FLAGS_MAX     0
-#endif /* __PFKEY_V2_H */
diff --git a/src/libcharon/plugins/kernel_netlink/Makefile.am b/src/libcharon/plugins/kernel_netlink/Makefile.am
deleted file mode 100644
index 2bb00ec0d..000000000
--- a/src/libcharon/plugins/kernel_netlink/Makefile.am
+++ /dev/null
@@ -1,20 +0,0 @@
-
-INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra -I$(top_srcdir)/src/libcharon
-
-AM_CFLAGS = -rdynamic \
--DROUTING_TABLE=${routing_table} \
--DROUTING_TABLE_PRIO=${routing_table_prio}
-
-if MONOLITHIC
-noinst_LTLIBRARIES = libstrongswan-kernel-netlink.la
-else
-plugin_LTLIBRARIES = libstrongswan-kernel-netlink.la
-endif
-
-libstrongswan_kernel_netlink_la_SOURCES = \
-	kernel_netlink_plugin.h kernel_netlink_plugin.c \
-	kernel_netlink_ipsec.h kernel_netlink_ipsec.c kernel_netlink_net.h kernel_netlink_net.c \
-	kernel_netlink_shared.h kernel_netlink_shared.c
-
-libstrongswan_kernel_netlink_la_LDFLAGS = -module -avoid-version
diff --git a/src/libcharon/plugins/kernel_netlink/Makefile.in b/src/libcharon/plugins/kernel_netlink/Makefile.in
deleted file mode 100644
index 49cc895bc..000000000
--- a/src/libcharon/plugins/kernel_netlink/Makefile.in
+++ /dev/null
@@ -1,597 +0,0 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
-# @configure_input@
-
-# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
-# This Makefile.in is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
-# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
-# PARTICULAR PURPOSE.
-
-@SET_MAKE@
-
-VPATH = @srcdir@
-pkgdatadir = $(datadir)/@PACKAGE@
-pkgincludedir = $(includedir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
-pkglibexecdir = $(libexecdir)/@PACKAGE@
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-install_sh_DATA = $(install_sh) -c -m 644
-install_sh_PROGRAM = $(install_sh) -c
-install_sh_SCRIPT = $(install_sh) -c
-INSTALL_HEADER = $(INSTALL_DATA)
-transform = $(program_transform_name)
-NORMAL_INSTALL = :
-PRE_INSTALL = :
-POST_INSTALL = :
-NORMAL_UNINSTALL = :
-PRE_UNINSTALL = :
-POST_UNINSTALL = :
-build_triplet = @build@
-host_triplet = @host@
-subdir = src/libcharon/plugins/kernel_netlink
-DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
-ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
-	$(top_srcdir)/m4/config/ltoptions.m4 \
-	$(top_srcdir)/m4/config/ltsugar.m4 \
-	$(top_srcdir)/m4/config/ltversion.m4 \
-	$(top_srcdir)/m4/config/lt~obsolete.m4 \
-	$(top_srcdir)/m4/macros/with.m4 \
-	$(top_srcdir)/m4/macros/enable-disable.m4 \
-	$(top_srcdir)/configure.in
-am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
-	$(ACLOCAL_M4)
-mkinstalldirs = $(install_sh) -d
-CONFIG_CLEAN_FILES =
-CONFIG_CLEAN_VPATH_FILES =
-am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
-am__vpath_adj = case $$p in \
-    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
-    *) f=$$p;; \
-  esac;
-am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
-am__install_max = 40
-am__nobase_strip_setup = \
-  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
-am__nobase_strip = \
-  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
-am__nobase_list = $(am__nobase_strip_setup); \
-  for p in $$list; do echo "$$p $$p"; done | \
-  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
-  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
-    if (++n[$$2] == $(am__install_max)) \
-      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
-    END { for (dir in files) print dir, files[dir] }'
-am__base_list = \
-  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
-  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
-am__installdirs = "$(DESTDIR)$(plugindir)"
-LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
-libstrongswan_kernel_netlink_la_LIBADD =
-am_libstrongswan_kernel_netlink_la_OBJECTS = kernel_netlink_plugin.lo \
-	kernel_netlink_ipsec.lo kernel_netlink_net.lo \
-	kernel_netlink_shared.lo
-libstrongswan_kernel_netlink_la_OBJECTS =  \
-	$(am_libstrongswan_kernel_netlink_la_OBJECTS)
-libstrongswan_kernel_netlink_la_LINK = $(LIBTOOL) --tag=CC \
-	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
-	$(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_kernel_netlink_la_LDFLAGS) $(LDFLAGS) -o $@
-@MONOLITHIC_FALSE@am_libstrongswan_kernel_netlink_la_rpath = -rpath \
-@MONOLITHIC_FALSE@	$(plugindir)
-@MONOLITHIC_TRUE@am_libstrongswan_kernel_netlink_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
-depcomp = $(SHELL) $(top_srcdir)/depcomp
-am__depfiles_maybe = depfiles
-am__mv = mv -f
-COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
-	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
-SOURCES = $(libstrongswan_kernel_netlink_la_SOURCES)
-DIST_SOURCES = $(libstrongswan_kernel_netlink_la_SOURCES)
-ETAGS = etags
-CTAGS = ctags
-DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
-ACLOCAL = @ACLOCAL@
-ALLOCA = @ALLOCA@
-AMTAR = @AMTAR@
-AR = @AR@
-AUTOCONF = @AUTOCONF@
-AUTOHEADER = @AUTOHEADER@
-AUTOMAKE = @AUTOMAKE@
-AWK = @AWK@
-BTLIB = @BTLIB@
-CC = @CC@
-CCDEPMODE = @CCDEPMODE@
-CFLAGS = @CFLAGS@
-CPP = @CPP@
-CPPFLAGS = @CPPFLAGS@
-CYGPATH_W = @CYGPATH_W@
-DEFS = @DEFS@
-DEPDIR = @DEPDIR@
-DLLIB = @DLLIB@
-DSYMUTIL = @DSYMUTIL@
-DUMPBIN = @DUMPBIN@
-ECHO_C = @ECHO_C@
-ECHO_N = @ECHO_N@
-ECHO_T = @ECHO_T@
-EGREP = @EGREP@
-EXEEXT = @EXEEXT@
-FGREP = @FGREP@
-GPERF = @GPERF@
-GREP = @GREP@
-INSTALL = @INSTALL@
-INSTALL_DATA = @INSTALL_DATA@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@
-INSTALL_SCRIPT = @INSTALL_SCRIPT@
-INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-LD = @LD@
-LDFLAGS = @LDFLAGS@
-LEX = @LEX@
-LEXLIB = @LEXLIB@
-LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBOBJS = @LIBOBJS@
-LIBS = @LIBS@
-LIBTOOL = @LIBTOOL@
-LIPO = @LIPO@
-LN_S = @LN_S@
-LTLIBOBJS = @LTLIBOBJS@
-MAKEINFO = @MAKEINFO@
-MKDIR_P = @MKDIR_P@
-MYSQLCFLAG = @MYSQLCFLAG@
-MYSQLCONFIG = @MYSQLCONFIG@
-MYSQLLIB = @MYSQLLIB@
-NM = @NM@
-NMEDIT = @NMEDIT@
-OBJDUMP = @OBJDUMP@
-OBJEXT = @OBJEXT@
-OTOOL = @OTOOL@
-OTOOL64 = @OTOOL64@
-PACKAGE = @PACKAGE@
-PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
-PACKAGE_NAME = @PACKAGE_NAME@
-PACKAGE_STRING = @PACKAGE_STRING@
-PACKAGE_TARNAME = @PACKAGE_TARNAME@
-PACKAGE_URL = @PACKAGE_URL@
-PACKAGE_VERSION = @PACKAGE_VERSION@
-PATH_SEPARATOR = @PATH_SEPARATOR@
-PERL = @PERL@
-PKG_CONFIG = @PKG_CONFIG@
-PTHREADLIB = @PTHREADLIB@
-RANLIB = @RANLIB@
-RTLIB = @RTLIB@
-RUBY = @RUBY@
-RUBYINCLUDE = @RUBYINCLUDE@
-SED = @SED@
-SET_MAKE = @SET_MAKE@
-SHELL = @SHELL@
-SOCKLIB = @SOCKLIB@
-STRIP = @STRIP@
-VERSION = @VERSION@
-YACC = @YACC@
-YFLAGS = @YFLAGS@
-abs_builddir = @abs_builddir@
-abs_srcdir = @abs_srcdir@
-abs_top_builddir = @abs_top_builddir@
-abs_top_srcdir = @abs_top_srcdir@
-ac_ct_CC = @ac_ct_CC@
-ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
-am__include = @am__include@
-am__leading_dot = @am__leading_dot@
-am__quote = @am__quote@
-am__tar = @am__tar@
-am__untar = @am__untar@
-bindir = @bindir@
-build = @build@
-build_alias = @build_alias@
-build_cpu = @build_cpu@
-build_os = @build_os@
-build_vendor = @build_vendor@
-builddir = @builddir@
-datadir = @datadir@
-datarootdir = @datarootdir@
-default_pkcs11 = @default_pkcs11@
-docdir = @docdir@
-dvidir = @dvidir@
-exec_prefix = @exec_prefix@
-gtk_CFLAGS = @gtk_CFLAGS@
-gtk_LIBS = @gtk_LIBS@
-host = @host@
-host_alias = @host_alias@
-host_cpu = @host_cpu@
-host_os = @host_os@
-host_vendor = @host_vendor@
-htmldir = @htmldir@
-includedir = @includedir@
-infodir = @infodir@
-install_sh = @install_sh@
-ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
-ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
-ipsecuser = @ipsecuser@
-libdir = @libdir@
-libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
-linux_headers = @linux_headers@
-localedir = @localedir@
-localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
-mandir = @mandir@
-mkdir_p = @mkdir_p@
-nm_CFLAGS = @nm_CFLAGS@
-nm_LIBS = @nm_LIBS@
-nm_ca_dir = @nm_ca_dir@
-oldincludedir = @oldincludedir@
-pdfdir = @pdfdir@
-piddir = @piddir@
-plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
-prefix = @prefix@
-program_transform_name = @program_transform_name@
-psdir = @psdir@
-random_device = @random_device@
-resolv_conf = @resolv_conf@
-routing_table = @routing_table@
-routing_table_prio = @routing_table_prio@
-sbindir = @sbindir@
-sharedstatedir = @sharedstatedir@
-srcdir = @srcdir@
-strongswan_conf = @strongswan_conf@
-sysconfdir = @sysconfdir@
-target_alias = @target_alias@
-top_build_prefix = @top_build_prefix@
-top_builddir = @top_builddir@
-top_srcdir = @top_srcdir@
-urandom_device = @urandom_device@
-xml_CFLAGS = @xml_CFLAGS@
-xml_LIBS = @xml_LIBS@
-INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra -I$(top_srcdir)/src/libcharon
-
-AM_CFLAGS = -rdynamic \
--DROUTING_TABLE=${routing_table} \
--DROUTING_TABLE_PRIO=${routing_table_prio}
-
-@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-kernel-netlink.la
-@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-kernel-netlink.la
-libstrongswan_kernel_netlink_la_SOURCES = \
-	kernel_netlink_plugin.h kernel_netlink_plugin.c \
-	kernel_netlink_ipsec.h kernel_netlink_ipsec.c kernel_netlink_net.h kernel_netlink_net.c \
-	kernel_netlink_shared.h kernel_netlink_shared.c
-
-libstrongswan_kernel_netlink_la_LDFLAGS = -module -avoid-version
-all: all-am
-
-.SUFFIXES:
-.SUFFIXES: .c .lo .o .obj
-$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
-	@for dep in $?; do \
-	  case '$(am__configure_deps)' in \
-	    *$$dep*) \
-	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
-	        && { if test -f $@; then exit 0; else break; fi; }; \
-	      exit 1;; \
-	  esac; \
-	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/kernel_netlink/Makefile'; \
-	$(am__cd) $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu src/libcharon/plugins/kernel_netlink/Makefile
-.PRECIOUS: Makefile
-Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
-	@case '$?' in \
-	  *config.status*) \
-	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
-	  *) \
-	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
-	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
-	esac;
-
-$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-
-$(top_srcdir)/configure:  $(am__configure_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(am__aclocal_m4_deps):
-
-clean-noinstLTLIBRARIES:
-	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
-	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
-	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
-	  test "$$dir" != "$$p" || dir=.; \
-	  echo "rm -f \"$${dir}/so_locations\""; \
-	  rm -f "$${dir}/so_locations"; \
-	done
-install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
-	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
-	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
-	list2=; for p in $$list; do \
-	  if test -f $$p; then \
-	    list2="$$list2 $$p"; \
-	  else :; fi; \
-	done; \
-	test -z "$$list2" || { \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
-	}
-
-uninstall-pluginLTLIBRARIES:
-	@$(NORMAL_UNINSTALL)
-	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
-	for p in $$list; do \
-	  $(am__strip_dir) \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
-	done
-
-clean-pluginLTLIBRARIES:
-	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
-	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
-	  test "$$dir" != "$$p" || dir=.; \
-	  echo "rm -f \"$${dir}/so_locations\""; \
-	  rm -f "$${dir}/so_locations"; \
-	done
-libstrongswan-kernel-netlink.la: $(libstrongswan_kernel_netlink_la_OBJECTS) $(libstrongswan_kernel_netlink_la_DEPENDENCIES) 
-	$(libstrongswan_kernel_netlink_la_LINK) $(am_libstrongswan_kernel_netlink_la_rpath) $(libstrongswan_kernel_netlink_la_OBJECTS) $(libstrongswan_kernel_netlink_la_LIBADD) $(LIBS)
-
-mostlyclean-compile:
-	-rm -f *.$(OBJEXT)
-
-distclean-compile:
-	-rm -f *.tab.c
-
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_netlink_ipsec.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_netlink_net.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_netlink_plugin.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_netlink_shared.Plo@am__quote@
-
-.c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
-
-.c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
-
-.c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
-
-mostlyclean-libtool:
-	-rm -f *.lo
-
-clean-libtool:
-	-rm -rf .libs _libs
-
-ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
-	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	mkid -fID $$unique
-tags: TAGS
-
-TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	set x; \
-	here=`pwd`; \
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	shift; \
-	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
-	  test -n "$$unique" || unique=$$empty_fix; \
-	  if test $$# -gt 0; then \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      "$$@" $$unique; \
-	  else \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      $$unique; \
-	  fi; \
-	fi
-ctags: CTAGS
-CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$unique" \
-	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$unique
-
-GTAGS:
-	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && $(am__cd) $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) "$$here"
-
-distclean-tags:
-	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
-
-distdir: $(DISTFILES)
-	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	list='$(DISTFILES)'; \
-	  dist_files=`for file in $$list; do echo $$file; done | \
-	  sed -e "s|^$$srcdirstrip/||;t" \
-	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
-	case $$dist_files in \
-	  */*) $(MKDIR_P) `echo "$$dist_files" | \
-			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
-			   sort -u` ;; \
-	esac; \
-	for file in $$dist_files; do \
-	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  if test -d $$d/$$file; then \
-	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
-	    if test -d "$(distdir)/$$file"; then \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
-	  else \
-	    test -f "$(distdir)/$$file" \
-	    || cp -p $$d/$$file "$(distdir)/$$file" \
-	    || exit 1; \
-	  fi; \
-	done
-check-am: all-am
-check: check-am
-all-am: Makefile $(LTLIBRARIES)
-installdirs:
-	for dir in "$(DESTDIR)$(plugindir)"; do \
-	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
-	done
-install: install-am
-install-exec: install-exec-am
-install-data: install-data-am
-uninstall: uninstall-am
-
-install-am: all-am
-	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
-
-installcheck: installcheck-am
-install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
-mostlyclean-generic:
-
-clean-generic:
-
-distclean-generic:
-	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
-
-maintainer-clean-generic:
-	@echo "This command is intended for maintainers to use"
-	@echo "it deletes files that may require special tools to rebuild."
-clean: clean-am
-
-clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
-	clean-pluginLTLIBRARIES mostlyclean-am
-
-distclean: distclean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-distclean-am: clean-am distclean-compile distclean-generic \
-	distclean-tags
-
-dvi: dvi-am
-
-dvi-am:
-
-html: html-am
-
-html-am:
-
-info: info-am
-
-info-am:
-
-install-data-am: install-pluginLTLIBRARIES
-
-install-dvi: install-dvi-am
-
-install-dvi-am:
-
-install-exec-am:
-
-install-html: install-html-am
-
-install-html-am:
-
-install-info: install-info-am
-
-install-info-am:
-
-install-man:
-
-install-pdf: install-pdf-am
-
-install-pdf-am:
-
-install-ps: install-ps-am
-
-install-ps-am:
-
-installcheck-am:
-
-maintainer-clean: maintainer-clean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-maintainer-clean-am: distclean-am maintainer-clean-generic
-
-mostlyclean: mostlyclean-am
-
-mostlyclean-am: mostlyclean-compile mostlyclean-generic \
-	mostlyclean-libtool
-
-pdf: pdf-am
-
-pdf-am:
-
-ps: ps-am
-
-ps-am:
-
-uninstall-am: uninstall-pluginLTLIBRARIES
-
-.MAKE: install-am install-strip
-
-.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
-	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
-	ctags distclean distclean-compile distclean-generic \
-	distclean-libtool distclean-tags distdir dvi dvi-am html \
-	html-am info info-am install install-am install-data \
-	install-data-am install-dvi install-dvi-am install-exec \
-	install-exec-am install-html install-html-am install-info \
-	install-info-am install-man install-pdf install-pdf-am \
-	install-pluginLTLIBRARIES install-ps install-ps-am \
-	install-strip installcheck installcheck-am installdirs \
-	maintainer-clean maintainer-clean-generic mostlyclean \
-	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
-	pdf pdf-am ps ps-am tags uninstall uninstall-am \
-	uninstall-pluginLTLIBRARIES
-
-
-# Tell versions [3.59,3.63) of GNU make to not export all variables.
-# Otherwise a system limit (for SysV at least) may be exceeded.
-.NOEXPORT:
diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
deleted file mode 100644
index 019ec93f8..000000000
--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ /dev/null
@@ -1,2265 +0,0 @@
-/*
- * Copyright (C) 2006-2009 Tobias Brunner
- * Copyright (C) 2005-2009 Martin Willi
- * Copyright (C) 2008 Andreas Steffen
- * Copyright (C) 2006-2007 Fabian Hartmann, Noah Heusser
- * Copyright (C) 2006 Daniel Roethlisberger
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <stdint.h>
-#include <linux/ipsec.h>
-#include <linux/netlink.h>
-#include <linux/rtnetlink.h>
-#include <linux/xfrm.h>
-#include <linux/udp.h>
-#include <unistd.h>
-#include <time.h>
-#include <errno.h>
-#include <string.h>
-#include <fcntl.h>
-
-#include "kernel_netlink_ipsec.h"
-#include "kernel_netlink_shared.h"
-
-#include <daemon.h>
-#include <threading/thread.h>
-#include <threading/mutex.h>
-#include <utils/hashtable.h>
-#include <processing/jobs/callback_job.h>
-#include <processing/jobs/acquire_job.h>
-#include <processing/jobs/migrate_job.h>
-#include <processing/jobs/rekey_child_sa_job.h>
-#include <processing/jobs/delete_child_sa_job.h>
-#include <processing/jobs/update_sa_job.h>
-
-/** required for Linux 2.6.26 kernel and later */
-#ifndef XFRM_STATE_AF_UNSPEC
-#define XFRM_STATE_AF_UNSPEC	32
-#endif
-
-/** from linux/in.h */
-#ifndef IP_XFRM_POLICY
-#define IP_XFRM_POLICY 17
-#endif
-
-/* missing on uclibc */
-#ifndef IPV6_XFRM_POLICY
-#define IPV6_XFRM_POLICY 34
-#endif /*IPV6_XFRM_POLICY*/
-
-/** default priority of installed policies */
-#define PRIO_LOW 3000
-#define PRIO_HIGH 2000
-
-/**
- * map the limit for bytes and packets to XFRM_INF per default
- */
-#define XFRM_LIMIT(x) ((x) == 0 ? XFRM_INF : (x))
-
-/**
- * Create ORable bitfield of XFRM NL groups
- */
-#define XFRMNLGRP(x) (1<<(XFRMNLGRP_##x-1))
-
-/**
- * returns a pointer to the first rtattr following the nlmsghdr *nlh and the
- * 'usual' netlink data x like 'struct xfrm_usersa_info'
- */
-#define XFRM_RTA(nlh, x) ((struct rtattr*)(NLMSG_DATA(nlh) + NLMSG_ALIGN(sizeof(x))))
-/**
- * returns a pointer to the next rtattr following rta.
- * !!! do not use this to parse messages. use RTA_NEXT and RTA_OK instead !!!
- */
-#define XFRM_RTA_NEXT(rta) ((struct rtattr*)(((char*)(rta)) + RTA_ALIGN((rta)->rta_len)))
-/**
- * returns the total size of attached rta data
- * (after 'usual' netlink data x like 'struct xfrm_usersa_info')
- */
-#define XFRM_PAYLOAD(nlh, x) NLMSG_PAYLOAD(nlh, sizeof(x))
-
-typedef struct kernel_algorithm_t kernel_algorithm_t;
-
-/**
- * Mapping of IKEv2 kernel identifier to linux crypto API names
- */
-struct kernel_algorithm_t {
-	/**
-	 * Identifier specified in IKEv2
-	 */
-	int ikev2;
-
-	/**
-	 * Name of the algorithm in linux crypto API
-	 */
-	char *name;
-};
-
-ENUM(xfrm_msg_names, XFRM_MSG_NEWSA, XFRM_MSG_MAPPING,
-	"XFRM_MSG_NEWSA",
-	"XFRM_MSG_DELSA",
-	"XFRM_MSG_GETSA",
-	"XFRM_MSG_NEWPOLICY",
-	"XFRM_MSG_DELPOLICY",
-	"XFRM_MSG_GETPOLICY",
-	"XFRM_MSG_ALLOCSPI",
-	"XFRM_MSG_ACQUIRE",
-	"XFRM_MSG_EXPIRE",
-	"XFRM_MSG_UPDPOLICY",
-	"XFRM_MSG_UPDSA",
-	"XFRM_MSG_POLEXPIRE",
-	"XFRM_MSG_FLUSHSA",
-	"XFRM_MSG_FLUSHPOLICY",
-	"XFRM_MSG_NEWAE",
-	"XFRM_MSG_GETAE",
-	"XFRM_MSG_REPORT",
-	"XFRM_MSG_MIGRATE",
-	"XFRM_MSG_NEWSADINFO",
-	"XFRM_MSG_GETSADINFO",
-	"XFRM_MSG_NEWSPDINFO",
-	"XFRM_MSG_GETSPDINFO",
-	"XFRM_MSG_MAPPING"
-);
-
-ENUM(xfrm_attr_type_names, XFRMA_UNSPEC, XFRMA_KMADDRESS,
-	"XFRMA_UNSPEC",
-	"XFRMA_ALG_AUTH",
-	"XFRMA_ALG_CRYPT",
-	"XFRMA_ALG_COMP",
-	"XFRMA_ENCAP",
-	"XFRMA_TMPL",
-	"XFRMA_SA",
-	"XFRMA_POLICY",
-	"XFRMA_SEC_CTX",
-	"XFRMA_LTIME_VAL",
-	"XFRMA_REPLAY_VAL",
-	"XFRMA_REPLAY_THRESH",
-	"XFRMA_ETIMER_THRESH",
-	"XFRMA_SRCADDR",
-	"XFRMA_COADDR",
-	"XFRMA_LASTUSED",
-	"XFRMA_POLICY_TYPE",
-	"XFRMA_MIGRATE",
-	"XFRMA_ALG_AEAD",
-	"XFRMA_KMADDRESS"
-);
-
-#define END_OF_LIST -1
-
-/**
- * Algorithms for encryption
- */
-static kernel_algorithm_t encryption_algs[] = {
-/*	{ENCR_DES_IV64,				"***"				}, */
-	{ENCR_DES,					"des"				},
-	{ENCR_3DES,					"des3_ede"			},
-/*	{ENCR_RC5,					"***"				}, */
-/*	{ENCR_IDEA,					"***"				}, */
-	{ENCR_CAST,					"cast128"			},
-	{ENCR_BLOWFISH,				"blowfish"			},
-/*	{ENCR_3IDEA,				"***"				}, */
-/*	{ENCR_DES_IV32,				"***"				}, */
-	{ENCR_NULL,					"cipher_null"		},
-	{ENCR_AES_CBC,				"aes"				},
-	{ENCR_AES_CTR,				"rfc3686(ctr(aes))"	},
-	{ENCR_AES_CCM_ICV8,			"rfc4309(ccm(aes))"	},
-	{ENCR_AES_CCM_ICV12,		"rfc4309(ccm(aes))"	},
-	{ENCR_AES_CCM_ICV16,		"rfc4309(ccm(aes))"	},
-	{ENCR_AES_GCM_ICV8,			"rfc4106(gcm(aes))"	},
-	{ENCR_AES_GCM_ICV12,		"rfc4106(gcm(aes))"	},
-	{ENCR_AES_GCM_ICV16,		"rfc4106(gcm(aes))"	},
-	{ENCR_NULL_AUTH_AES_GMAC,	"rfc4543(gcm(aes))"	},
-	{ENCR_CAMELLIA_CBC,			"cbc(camellia)"		},
-/*	{ENCR_CAMELLIA_CTR,			"***"				}, */
-/*	{ENCR_CAMELLIA_CCM_ICV8,	"***"				}, */
-/*	{ENCR_CAMELLIA_CCM_ICV12,	"***"				}, */
-/*	{ENCR_CAMELLIA_CCM_ICV16,	"***"				}, */
-	{END_OF_LIST,				NULL				}
-};
-
-/**
- * Algorithms for integrity protection
- */
-static kernel_algorithm_t integrity_algs[] = {
-	{AUTH_HMAC_MD5_96,			"md5"				},
-	{AUTH_HMAC_SHA1_96,			"sha1"				},
-	{AUTH_HMAC_SHA2_256_96,		"sha256"			},
-	{AUTH_HMAC_SHA2_256_128,	"hmac(sha256)"		},
-	{AUTH_HMAC_SHA2_384_192,	"hmac(sha384)"		},
-	{AUTH_HMAC_SHA2_512_256,	"hmac(sha512)"		},
-/*	{AUTH_DES_MAC,				"***"				}, */
-/*	{AUTH_KPDK_MD5,				"***"				}, */
-	{AUTH_AES_XCBC_96,			"xcbc(aes)"			},
-	{END_OF_LIST,				NULL				}
-};
-
-/**
- * Algorithms for IPComp
- */
-static kernel_algorithm_t compression_algs[] = {
-/*	{IPCOMP_OUI,				"***"				}, */
-	{IPCOMP_DEFLATE,			"deflate"			},
-	{IPCOMP_LZS,				"lzs"				},
-	{IPCOMP_LZJH,				"lzjh"				},
-	{END_OF_LIST,				NULL				}
-};
-
-/**
- * Look up a kernel algorithm name and its key size
- */
-static char* lookup_algorithm(kernel_algorithm_t *list, int ikev2)
-{
-	while (list->ikev2 != END_OF_LIST)
-	{
-		if (list->ikev2 == ikev2)
-		{
-			return list->name;
-		}
-		list++;
-	}
-	return NULL;
-}
-
-typedef struct route_entry_t route_entry_t;
-
-/**
- * installed routing entry
- */
-struct route_entry_t {
-	/** Name of the interface the route is bound to */
-	char *if_name;
-
-	/** Source ip of the route */
-	host_t *src_ip;
-
-	/** gateway for this route */
-	host_t *gateway;
-
-	/** Destination net */
-	chunk_t dst_net;
-
-	/** Destination net prefixlen */
-	u_int8_t prefixlen;
-};
-
-/**
- * destroy an route_entry_t object
- */
-static void route_entry_destroy(route_entry_t *this)
-{
-	free(this->if_name);
-	this->src_ip->destroy(this->src_ip);
-	DESTROY_IF(this->gateway);
-	chunk_free(&this->dst_net);
-	free(this);
-}
-
-typedef struct policy_entry_t policy_entry_t;
-
-/**
- * installed kernel policy.
- */
-struct policy_entry_t {
-
-	/** direction of this policy: in, out, forward */
-	u_int8_t direction;
-
-	/** parameters of installed policy */
-	struct xfrm_selector sel;
-
-	/** optional mark */
-	u_int32_t mark;
-
-	/** associated route installed for this policy */
-	route_entry_t *route;
-
-	/** by how many CHILD_SA's this policy is used */
-	u_int refcount;
-};
-
-/**
- * Hash function for policy_entry_t objects
- */
-static u_int policy_hash(policy_entry_t *key)
-{
-	chunk_t chunk = chunk_create((void*)&key->sel,
-						 	sizeof(struct xfrm_selector) + sizeof(u_int32_t));
-	return chunk_hash(chunk);
-}
-
-/**
- * Equality function for policy_entry_t objects
- */
-static bool policy_equals(policy_entry_t *key, policy_entry_t *other_key)
-{
-	return memeq(&key->sel, &other_key->sel, 
-				 sizeof(struct xfrm_selector) + sizeof(u_int32_t)) &&
-		   key->direction == other_key->direction;
-}
-
-typedef struct private_kernel_netlink_ipsec_t private_kernel_netlink_ipsec_t;
-
-/**
- * Private variables and functions of kernel_netlink class.
- */
-struct private_kernel_netlink_ipsec_t {
-	/**
-	 * Public part of the kernel_netlink_t object.
-	 */
-	kernel_netlink_ipsec_t public;
-
-	/**
-	 * mutex to lock access to various lists
-	 */
-	mutex_t *mutex;
-
-	/**
-	 * Hash table of installed policies (policy_entry_t)
-	 */
-	hashtable_t *policies;
-
-	/**
-	 * job receiving netlink events
-	 */
-	callback_job_t *job;
-
-	/**
-	 * Netlink xfrm socket (IPsec)
-	 */
-	netlink_socket_t *socket_xfrm;
-
-	/**
-	 * netlink xfrm socket to receive acquire and expire events
-	 */
-	int socket_xfrm_events;
-
-	/**
-	 * whether to install routes along policies
-	 */
-	bool install_routes;
-};
-
-/**
- * convert a IKEv2 specific protocol identifier to the kernel one
- */
-static u_int8_t proto_ike2kernel(protocol_id_t proto)
-{
-	switch (proto)
-	{
-		case PROTO_ESP:
-			return IPPROTO_ESP;
-		case PROTO_AH:
-			return IPPROTO_AH;
-		default:
-			return proto;
-	}
-}
-
-/**
- * reverse of ike2kernel
- */
-static protocol_id_t proto_kernel2ike(u_int8_t proto)
-{
-	switch (proto)
-	{
-		case IPPROTO_ESP:
-			return PROTO_ESP;
-		case IPPROTO_AH:
-			return PROTO_AH;
-		default:
-			return proto;
-	}
-}
-
-/**
- * convert the general ipsec mode to the one defined in xfrm.h
- */
-static u_int8_t mode2kernel(ipsec_mode_t mode)
-{
-	switch (mode)
-	{
-		case MODE_TRANSPORT:
-			return XFRM_MODE_TRANSPORT;
-		case MODE_TUNNEL:
-			return XFRM_MODE_TUNNEL;
-		case MODE_BEET:
-			return XFRM_MODE_BEET;
-		default:
-			return mode;
-	}
-}
-
-/**
- * convert a host_t to a struct xfrm_address
- */
-static void host2xfrm(host_t *host, xfrm_address_t *xfrm)
-{
-	chunk_t chunk = host->get_address(host);
-	memcpy(xfrm, chunk.ptr, min(chunk.len, sizeof(xfrm_address_t)));
-}
-
-/**
- * convert a struct xfrm_address to a host_t
- */
-static host_t* xfrm2host(int family, xfrm_address_t *xfrm, u_int16_t port)
-{
-	chunk_t chunk;
-
-	switch (family)
-	{
-		case AF_INET:
-			chunk = chunk_create((u_char*)&xfrm->a4, sizeof(xfrm->a4));
-			break;
-		case AF_INET6:
-			chunk = chunk_create((u_char*)&xfrm->a6, sizeof(xfrm->a6));
-			break;
-		default:
-			return NULL;
-	}
-	return host_create_from_chunk(family, chunk, ntohs(port));
-}
-
-/**
- * convert a traffic selector address range to subnet and its mask.
- */
-static void ts2subnet(traffic_selector_t* ts,
-					  xfrm_address_t *net, u_int8_t *mask)
-{
-	host_t *net_host;
-	chunk_t net_chunk;
-
-	ts->to_subnet(ts, &net_host, mask);
-	net_chunk = net_host->get_address(net_host);
-	memcpy(net, net_chunk.ptr, net_chunk.len);
-	net_host->destroy(net_host);
-}
-
-/**
- * convert a traffic selector port range to port/portmask
- */
-static void ts2ports(traffic_selector_t* ts,
-					 u_int16_t *port, u_int16_t *mask)
-{
-	/* linux does not seem to accept complex portmasks. Only
-	 * any or a specific port is allowed. We set to any, if we have
-	 * a port range, or to a specific, if we have one port only.
-	 */
-	u_int16_t from, to;
-
-	from = ts->get_from_port(ts);
-	to = ts->get_to_port(ts);
-
-	if (from == to)
-	{
-		*port = htons(from);
-		*mask = ~0;
-	}
-	else
-	{
-		*port = 0;
-		*mask = 0;
-	}
-}
-
-/**
- * convert a pair of traffic_selectors to a xfrm_selector
- */
-static struct xfrm_selector ts2selector(traffic_selector_t *src,
-										traffic_selector_t *dst)
-{
-	struct xfrm_selector sel;
-
-	memset(&sel, 0, sizeof(sel));
-	sel.family = (src->get_type(src) == TS_IPV4_ADDR_RANGE) ? AF_INET : AF_INET6;
-	/* src or dest proto may be "any" (0), use more restrictive one */
-	sel.proto = max(src->get_protocol(src), dst->get_protocol(dst));
-	ts2subnet(dst, &sel.daddr, &sel.prefixlen_d);
-	ts2subnet(src, &sel.saddr, &sel.prefixlen_s);
-	ts2ports(dst, &sel.dport, &sel.dport_mask);
-	ts2ports(src, &sel.sport, &sel.sport_mask);
-	sel.ifindex = 0;
-	sel.user = 0;
-
-	return sel;
-}
-
-/**
- * convert a xfrm_selector to a src|dst traffic_selector
- */
-static traffic_selector_t* selector2ts(struct xfrm_selector *sel, bool src)
-{
-	u_char *addr;
-	u_int8_t prefixlen;
-	u_int16_t port = 0;
-	host_t *host = NULL;
-
-	if (src)
-	{
-		addr = (u_char*)&sel->saddr;
-		prefixlen = sel->prefixlen_s;
-		if (sel->sport_mask)
-		{
-			port = htons(sel->sport);
-		}
-	}
-	else
-	{
-		addr = (u_char*)&sel->daddr;
-		prefixlen = sel->prefixlen_d;
-		if (sel->dport_mask)
-		{
-			port = htons(sel->dport);
-		}
-	}
-
-	/* The Linux 2.6 kernel does not set the selector's family field,
-	 * so as a kludge we additionally test the prefix length.
-	 */
-	if (sel->family == AF_INET || sel->prefixlen_s == 32)
-	{
-		host = host_create_from_chunk(AF_INET, chunk_create(addr, 4), 0);
-	}
-	else if (sel->family == AF_INET6 || sel->prefixlen_s == 128)
-	{
-		host = host_create_from_chunk(AF_INET6, chunk_create(addr, 16), 0);
-	}
-
-	if (host)
-	{
-		return traffic_selector_create_from_subnet(host, prefixlen,
-												   sel->proto, port);
-	}
-	return NULL;
-}
-
-/**
- * process a XFRM_MSG_ACQUIRE from kernel
- */
-static void process_acquire(private_kernel_netlink_ipsec_t *this, struct nlmsghdr *hdr)
-{
-	u_int32_t reqid = 0;
-	int proto = 0;
-	traffic_selector_t *src_ts, *dst_ts;
-	struct xfrm_user_acquire *acquire;
-	struct rtattr *rta;
-	size_t rtasize;
-	job_t *job;
-
-	acquire = (struct xfrm_user_acquire*)NLMSG_DATA(hdr);
-	rta = XFRM_RTA(hdr, struct xfrm_user_acquire);
-	rtasize = XFRM_PAYLOAD(hdr, struct xfrm_user_acquire);
-
-	DBG2(DBG_KNL, "received a XFRM_MSG_ACQUIRE");
-
-	while (RTA_OK(rta, rtasize))
-	{
-		DBG2(DBG_KNL, "  %N", xfrm_attr_type_names, rta->rta_type);
-
-		if (rta->rta_type == XFRMA_TMPL)
-		{
-			struct xfrm_user_tmpl* tmpl;
-
-			tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rta);
-			reqid = tmpl->reqid;
-			proto = tmpl->id.proto;
-		}
-		rta = RTA_NEXT(rta, rtasize);
-	}
-	switch (proto)
-	{
-		case 0:
-		case IPPROTO_ESP:
-		case IPPROTO_AH:
-			break;
-		default:
-			/* acquire for AH/ESP only, not for IPCOMP */
-			return;
-	}
-	src_ts = selector2ts(&acquire->sel, TRUE);
-	dst_ts = selector2ts(&acquire->sel, FALSE);
-	DBG1(DBG_KNL, "creating acquire job for policy %R === %R with reqid {%u}",
-					src_ts, dst_ts, reqid);
-	job = (job_t*)acquire_job_create(reqid, src_ts, dst_ts);
-	charon->processor->queue_job(charon->processor, job);
-}
-
-/**
- * process a XFRM_MSG_EXPIRE from kernel
- */
-static void process_expire(private_kernel_netlink_ipsec_t *this, struct nlmsghdr *hdr)
-{
-	job_t *job;
-	protocol_id_t protocol;
-	u_int32_t spi, reqid;
-	struct xfrm_user_expire *expire;
-
-	expire = (struct xfrm_user_expire*)NLMSG_DATA(hdr);
-	protocol = proto_kernel2ike(expire->state.id.proto);
-	spi = expire->state.id.spi;
-	reqid = expire->state.reqid;
-
-	DBG2(DBG_KNL, "received a XFRM_MSG_EXPIRE");
-
-	if (protocol != PROTO_ESP && protocol != PROTO_AH)
-	{
-		DBG2(DBG_KNL, "ignoring XFRM_MSG_EXPIRE for SA with SPI %.8x and reqid {%u} "
-					  "which is not a CHILD_SA", ntohl(spi), reqid);
-		return;
-	}
-
-	DBG1(DBG_KNL, "creating %s job for %N CHILD_SA with SPI %.8x and reqid {%d}",
-		 expire->hard ? "delete" : "rekey",  protocol_id_names,
-		 protocol, ntohl(spi), reqid);
-	if (expire->hard)
-	{
-		job = (job_t*)delete_child_sa_job_create(reqid, protocol, spi);
-	}
-	else
-	{
-		job = (job_t*)rekey_child_sa_job_create(reqid, protocol, spi);
-	}
-	charon->processor->queue_job(charon->processor, job);
-}
-
-/**
- * process a XFRM_MSG_MIGRATE from kernel
- */
-static void process_migrate(private_kernel_netlink_ipsec_t *this, struct nlmsghdr *hdr)
-{
-	traffic_selector_t *src_ts, *dst_ts;
-	host_t *local = NULL, *remote = NULL;
-	host_t *old_src = NULL, *old_dst = NULL;
-	host_t *new_src = NULL, *new_dst = NULL;
-	struct xfrm_userpolicy_id *policy_id;
-	struct rtattr *rta;
-	size_t rtasize;
-	u_int32_t reqid = 0;
-	policy_dir_t dir;
-	job_t *job;
-
-	policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
-	rta     = XFRM_RTA(hdr, struct xfrm_userpolicy_id);
-	rtasize = XFRM_PAYLOAD(hdr, struct xfrm_userpolicy_id);
-
-	DBG2(DBG_KNL, "received a XFRM_MSG_MIGRATE");
-
-	src_ts = selector2ts(&policy_id->sel, TRUE);
-	dst_ts = selector2ts(&policy_id->sel, FALSE);
-	dir = (policy_dir_t)policy_id->dir;
-
-	DBG2(DBG_KNL, "  policy: %R === %R %N", src_ts, dst_ts, policy_dir_names);
-
-	while (RTA_OK(rta, rtasize))
-	{
-		DBG2(DBG_KNL, "  %N", xfrm_attr_type_names, rta->rta_type);
-		if (rta->rta_type == XFRMA_KMADDRESS)
-		{
-			struct xfrm_user_kmaddress *kmaddress;
-
-			kmaddress = (struct xfrm_user_kmaddress*)RTA_DATA(rta);
-			local  = xfrm2host(kmaddress->family, &kmaddress->local, 0);
-			remote = xfrm2host(kmaddress->family, &kmaddress->remote, 0);
-			DBG2(DBG_KNL, "  kmaddress: %H...%H", local, remote);
-		}
-		else if (rta->rta_type == XFRMA_MIGRATE)
-		{
-			struct xfrm_user_migrate *migrate;
-			protocol_id_t proto;
-
-			migrate = (struct xfrm_user_migrate*)RTA_DATA(rta);
-			old_src = xfrm2host(migrate->old_family, &migrate->old_saddr, 0);
-			old_dst = xfrm2host(migrate->old_family, &migrate->old_daddr, 0);
-			new_src = xfrm2host(migrate->new_family, &migrate->new_saddr, 0);
-			new_dst = xfrm2host(migrate->new_family, &migrate->new_daddr, 0);
-			proto = proto_kernel2ike(migrate->proto);
-			reqid = migrate->reqid;
-			DBG2(DBG_KNL, "  migrate %N %H...%H to %H...%H, reqid {%u}",
-							 protocol_id_names, proto, old_src, old_dst,
-							 new_src, new_dst, reqid);
-			DESTROY_IF(old_src);
-			DESTROY_IF(old_dst);
-			DESTROY_IF(new_src);
-			DESTROY_IF(new_dst);
-		}
-		rta = RTA_NEXT(rta, rtasize);
-	}
-
-	if (src_ts && dst_ts && local && remote)
-	{
-		DBG1(DBG_KNL, "creating migrate job for policy %R === %R %N with reqid {%u}",
-					   src_ts, dst_ts, policy_dir_names, dir, reqid, local);
-		job = (job_t*)migrate_job_create(reqid, src_ts, dst_ts, dir,
-										 local, remote);
-		charon->processor->queue_job(charon->processor, job);
-	}
-	else
-	{
-		DESTROY_IF(src_ts);
-		DESTROY_IF(dst_ts);
-		DESTROY_IF(local);
-		DESTROY_IF(remote);
-	}
-}
-
-/**
- * process a XFRM_MSG_MAPPING from kernel
- */
-static void process_mapping(private_kernel_netlink_ipsec_t *this,
-							struct nlmsghdr *hdr)
-{
-	job_t *job;
-	u_int32_t spi, reqid;
-	struct xfrm_user_mapping *mapping;
-	host_t *host;
-
-	mapping = (struct xfrm_user_mapping*)NLMSG_DATA(hdr);
-	spi = mapping->id.spi;
-	reqid = mapping->reqid;
-
-	DBG2(DBG_KNL, "received a XFRM_MSG_MAPPING");
-
-	if (proto_kernel2ike(mapping->id.proto) == PROTO_ESP)
-	{
-		host = xfrm2host(mapping->id.family, &mapping->new_saddr,
-						 mapping->new_sport);
-		if (host)
-		{
-			DBG1(DBG_KNL, "NAT mappings of ESP CHILD_SA with SPI %.8x and "
-				"reqid {%u} changed, queuing update job", ntohl(spi), reqid);
-			job = (job_t*)update_sa_job_create(reqid, host);
-			charon->processor->queue_job(charon->processor, job);
-		}
-	}
-}
-
-/**
- * Receives events from kernel
- */
-static job_requeue_t receive_events(private_kernel_netlink_ipsec_t *this)
-{
-	char response[1024];
-	struct nlmsghdr *hdr = (struct nlmsghdr*)response;
-	struct sockaddr_nl addr;
-	socklen_t addr_len = sizeof(addr);
-	int len;
-	bool oldstate;
-
-	oldstate = thread_cancelability(TRUE);
-	len = recvfrom(this->socket_xfrm_events, response, sizeof(response), 0,
-				   (struct sockaddr*)&addr, &addr_len);
-	thread_cancelability(oldstate);
-
-	if (len < 0)
-	{
-		switch (errno)
-		{
-			case EINTR:
-				/* interrupted, try again */
-				return JOB_REQUEUE_DIRECT;
-			case EAGAIN:
-				/* no data ready, select again */
-				return JOB_REQUEUE_DIRECT;
-			default:
-				DBG1(DBG_KNL, "unable to receive from xfrm event socket");
-				sleep(1);
-				return JOB_REQUEUE_FAIR;
-		}
-	}
-
-	if (addr.nl_pid != 0)
-	{	/* not from kernel. not interested, try another one */
-		return JOB_REQUEUE_DIRECT;
-	}
-
-	while (NLMSG_OK(hdr, len))
-	{
-		switch (hdr->nlmsg_type)
-		{
-			case XFRM_MSG_ACQUIRE:
-				process_acquire(this, hdr);
-				break;
-			case XFRM_MSG_EXPIRE:
-				process_expire(this, hdr);
-				break;
-			case XFRM_MSG_MIGRATE:
-				process_migrate(this, hdr);
-				break;
-			case XFRM_MSG_MAPPING:
-				process_mapping(this, hdr);
-				break;
-			default:
-				DBG1(DBG_KNL, "received unknown event from xfrm event socket: %d", hdr->nlmsg_type);
-				break;
-		}
-		hdr = NLMSG_NEXT(hdr, len);
-	}
-	return JOB_REQUEUE_DIRECT;
-}
-
-/**
- * Get an SPI for a specific protocol from the kernel.
- */
-static status_t get_spi_internal(private_kernel_netlink_ipsec_t *this,
-		host_t *src, host_t *dst, u_int8_t proto, u_int32_t min, u_int32_t max,
-		u_int32_t reqid, u_int32_t *spi)
-{
-	netlink_buf_t request;
-	struct nlmsghdr *hdr, *out;
-	struct xfrm_userspi_info *userspi;
-	u_int32_t received_spi = 0;
-	size_t len;
-
-	memset(&request, 0, sizeof(request));
-
-	hdr = (struct nlmsghdr*)request;
-	hdr->nlmsg_flags = NLM_F_REQUEST;
-	hdr->nlmsg_type = XFRM_MSG_ALLOCSPI;
-	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userspi_info));
-
-	userspi = (struct xfrm_userspi_info*)NLMSG_DATA(hdr);
-	host2xfrm(src, &userspi->info.saddr);
-	host2xfrm(dst, &userspi->info.id.daddr);
-	userspi->info.id.proto = proto;
-	userspi->info.mode = XFRM_MODE_TUNNEL;
-	userspi->info.reqid = reqid;
-	userspi->info.family = src->get_family(src);
-	userspi->min = min;
-	userspi->max = max;
-
-	if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
-	{
-		hdr = out;
-		while (NLMSG_OK(hdr, len))
-		{
-			switch (hdr->nlmsg_type)
-			{
-				case XFRM_MSG_NEWSA:
-				{
-					struct xfrm_usersa_info* usersa = NLMSG_DATA(hdr);
-					received_spi = usersa->id.spi;
-					break;
-				}
-				case NLMSG_ERROR:
-				{
-					struct nlmsgerr *err = NLMSG_DATA(hdr);
-
-					DBG1(DBG_KNL, "allocating SPI failed: %s (%d)",
-						 strerror(-err->error), -err->error);
-					break;
-				}
-				default:
-					hdr = NLMSG_NEXT(hdr, len);
-					continue;
-				case NLMSG_DONE:
-					break;
-			}
-			break;
-		}
-		free(out);
-	}
-
-	if (received_spi == 0)
-	{
-		return FAILED;
-	}
-
-	*spi = received_spi;
-	return SUCCESS;
-}
-
-METHOD(kernel_ipsec_t, get_spi, status_t,
-	private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
-	protocol_id_t protocol, u_int32_t reqid, u_int32_t *spi)
-{
-	DBG2(DBG_KNL, "getting SPI for reqid {%u}", reqid);
-
-	if (get_spi_internal(this, src, dst, proto_ike2kernel(protocol),
-			0xc0000000, 0xcFFFFFFF, reqid, spi) != SUCCESS)
-	{
-		DBG1(DBG_KNL, "unable to get SPI for reqid {%u}", reqid);
-		return FAILED;
-	}
-
-	DBG2(DBG_KNL, "got SPI %.8x for reqid {%u}", ntohl(*spi), reqid);
-
-	return SUCCESS;
-}
-
-METHOD(kernel_ipsec_t, get_cpi, status_t,
-	private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
-	u_int32_t reqid, u_int16_t *cpi)
-{
-	u_int32_t received_spi = 0;
-
-	DBG2(DBG_KNL, "getting CPI for reqid {%u}", reqid);
-
-	if (get_spi_internal(this, src, dst,
-			IPPROTO_COMP, 0x100, 0xEFFF, reqid, &received_spi) != SUCCESS)
-	{
-		DBG1(DBG_KNL, "unable to get CPI for reqid {%u}", reqid);
-		return FAILED;
-	}
-
-	*cpi = htons((u_int16_t)ntohl(received_spi));
-
-	DBG2(DBG_KNL, "got CPI %.4x for reqid {%u}", ntohs(*cpi), reqid);
-
-	return SUCCESS;
-}
-
-METHOD(kernel_ipsec_t, add_sa, status_t,
-	private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
-	u_int32_t spi, protocol_id_t protocol, u_int32_t reqid, mark_t mark,
-	lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
-	u_int16_t int_alg, chunk_t int_key,	ipsec_mode_t mode, u_int16_t ipcomp,
-	u_int16_t cpi, bool encap, bool inbound,
-	traffic_selector_t* src_ts, traffic_selector_t* dst_ts)
-{
-	netlink_buf_t request;
-	char *alg_name;
-	struct nlmsghdr *hdr;
-	struct xfrm_usersa_info *sa;
-	u_int16_t icv_size = 64;
-
-	/* if IPComp is used, we install an additional IPComp SA. if the cpi is 0
-	 * we are in the recursive call below */
-	if (ipcomp != IPCOMP_NONE && cpi != 0)
-	{
-		lifetime_cfg_t lft = {{0,0,0},{0,0,0},{0,0,0}};
-		add_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, reqid, mark,
-			   &lft, ENCR_UNDEFINED, chunk_empty, AUTH_UNDEFINED, chunk_empty,
-			   mode, ipcomp, 0, FALSE, inbound, NULL, NULL);
-		ipcomp = IPCOMP_NONE;
-		/* use transport mode ESP SA, IPComp uses tunnel mode */
-		mode = MODE_TRANSPORT;
-	}
-
-	memset(&request, 0, sizeof(request));
-
-	if (mark.value)
-	{
-		DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%u}  "
-					  "(mark %u/0x%8x)", ntohl(spi), reqid, mark.value, mark.mask);
-	}
-	else
-	{
-		DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%u}",
-					   ntohl(spi), reqid);
-	}
-	hdr = (struct nlmsghdr*)request;
-	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
-	hdr->nlmsg_type = inbound ? XFRM_MSG_UPDSA : XFRM_MSG_NEWSA;
-	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
-
-	sa = (struct xfrm_usersa_info*)NLMSG_DATA(hdr);
-	host2xfrm(src, &sa->saddr);
-	host2xfrm(dst, &sa->id.daddr);
-	sa->id.spi = spi;
-	sa->id.proto = proto_ike2kernel(protocol);
-	sa->family = src->get_family(src);
-	sa->mode = mode2kernel(mode);
-	switch (mode)
-	{
-		case MODE_TUNNEL:
-			sa->flags |= XFRM_STATE_AF_UNSPEC;
-			break;
-		case MODE_BEET:
-			if(src_ts && dst_ts)
-			{
-				sa->sel = ts2selector(src_ts, dst_ts);
-			}
-			break;
-		default:
-			break;
-	}
-
-	sa->replay_window = (protocol == IPPROTO_COMP) ? 0 : 32;
-	sa->reqid = reqid;
-	sa->lft.soft_byte_limit = XFRM_LIMIT(lifetime->bytes.rekey);
-	sa->lft.hard_byte_limit = XFRM_LIMIT(lifetime->bytes.life);
-	sa->lft.soft_packet_limit = XFRM_LIMIT(lifetime->packets.rekey);
-	sa->lft.hard_packet_limit = XFRM_LIMIT(lifetime->packets.life);
-	/* we use lifetimes since added, not since used */
-	sa->lft.soft_add_expires_seconds = lifetime->time.rekey;
-	sa->lft.hard_add_expires_seconds = lifetime->time.life;
-	sa->lft.soft_use_expires_seconds = 0;
-	sa->lft.hard_use_expires_seconds = 0;
-
-	struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_usersa_info);
-
-	switch (enc_alg)
-	{
-		case ENCR_UNDEFINED:
-			/* no encryption */
-			break;
-		case ENCR_AES_CCM_ICV16:
-		case ENCR_AES_GCM_ICV16:
-		case ENCR_NULL_AUTH_AES_GMAC:
-		case ENCR_CAMELLIA_CCM_ICV16:
-			icv_size += 32;
-			/* FALL */
-		case ENCR_AES_CCM_ICV12:
-		case ENCR_AES_GCM_ICV12:
-		case ENCR_CAMELLIA_CCM_ICV12:
-			icv_size += 32;
-			/* FALL */
-		case ENCR_AES_CCM_ICV8:
-		case ENCR_AES_GCM_ICV8:
-		case ENCR_CAMELLIA_CCM_ICV8:
-		{
-			struct xfrm_algo_aead *algo;
-
-			alg_name = lookup_algorithm(encryption_algs, enc_alg);
-			if (alg_name == NULL)
-			{
-				DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
-					 encryption_algorithm_names, enc_alg);
-				return FAILED;
-			}
-			DBG2(DBG_KNL, "  using encryption algorithm %N with key size %d",
-				 encryption_algorithm_names, enc_alg, enc_key.len * 8);
-
-			rthdr->rta_type = XFRMA_ALG_AEAD;
-			rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo_aead) + enc_key.len);
-			hdr->nlmsg_len += rthdr->rta_len;
-			if (hdr->nlmsg_len > sizeof(request))
-			{
-				return FAILED;
-			}
-
-			algo = (struct xfrm_algo_aead*)RTA_DATA(rthdr);
-			algo->alg_key_len = enc_key.len * 8;
-			algo->alg_icv_len = icv_size;
-			strcpy(algo->alg_name, alg_name);
-			memcpy(algo->alg_key, enc_key.ptr, enc_key.len);
-
-			rthdr = XFRM_RTA_NEXT(rthdr);
-			break;
-		}
-		default:
-		{
-			struct xfrm_algo *algo;
-
-			alg_name = lookup_algorithm(encryption_algs, enc_alg);
-			if (alg_name == NULL)
-			{
-				DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
-					 encryption_algorithm_names, enc_alg);
-				return FAILED;
-			}
-			DBG2(DBG_KNL, "  using encryption algorithm %N with key size %d",
-				 encryption_algorithm_names, enc_alg, enc_key.len * 8);
-
-			rthdr->rta_type = XFRMA_ALG_CRYPT;
-			rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + enc_key.len);
-			hdr->nlmsg_len += rthdr->rta_len;
-			if (hdr->nlmsg_len > sizeof(request))
-			{
-				return FAILED;
-			}
-
-			algo = (struct xfrm_algo*)RTA_DATA(rthdr);
-			algo->alg_key_len = enc_key.len * 8;
-			strcpy(algo->alg_name, alg_name);
-			memcpy(algo->alg_key, enc_key.ptr, enc_key.len);
-
-			rthdr = XFRM_RTA_NEXT(rthdr);
-		}
-	}
-
-	if (int_alg  != AUTH_UNDEFINED)
-	{
-		alg_name = lookup_algorithm(integrity_algs, int_alg);
-		if (alg_name == NULL)
-		{
-			DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
-				 integrity_algorithm_names, int_alg);
-			return FAILED;
-		}
-		DBG2(DBG_KNL, "  using integrity algorithm %N with key size %d",
-			 integrity_algorithm_names, int_alg, int_key.len * 8);
-
-		if (int_alg == AUTH_HMAC_SHA2_256_128)
-		{
-			struct xfrm_algo_auth* algo;
-
-			/* the kernel uses SHA256 with 96 bit truncation by default,
-			 * use specified truncation size supported by newer kernels */
-			rthdr->rta_type = XFRMA_ALG_AUTH_TRUNC;
-			rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo_auth) + int_key.len);
-
-			hdr->nlmsg_len += rthdr->rta_len;
-			if (hdr->nlmsg_len > sizeof(request))
-			{
-				return FAILED;
-			}
-
-			algo = (struct xfrm_algo_auth*)RTA_DATA(rthdr);
-			algo->alg_key_len = int_key.len * 8;
-			algo->alg_trunc_len = 128;
-			strcpy(algo->alg_name, alg_name);
-			memcpy(algo->alg_key, int_key.ptr, int_key.len);
-		}
-		else
-		{
-			struct xfrm_algo* algo;
-
-			rthdr->rta_type = XFRMA_ALG_AUTH;
-			rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + int_key.len);
-
-			hdr->nlmsg_len += rthdr->rta_len;
-			if (hdr->nlmsg_len > sizeof(request))
-			{
-				return FAILED;
-			}
-
-			algo = (struct xfrm_algo*)RTA_DATA(rthdr);
-			algo->alg_key_len = int_key.len * 8;
-			strcpy(algo->alg_name, alg_name);
-			memcpy(algo->alg_key, int_key.ptr, int_key.len);
-		}
-		rthdr = XFRM_RTA_NEXT(rthdr);
-	}
-
-	if (ipcomp != IPCOMP_NONE)
-	{
-		rthdr->rta_type = XFRMA_ALG_COMP;
-		alg_name = lookup_algorithm(compression_algs, ipcomp);
-		if (alg_name == NULL)
-		{
-			DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
-				 ipcomp_transform_names, ipcomp);
-			return FAILED;
-		}
-		DBG2(DBG_KNL, "  using compression algorithm %N",
-			 ipcomp_transform_names, ipcomp);
-
-		rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo));
-		hdr->nlmsg_len += rthdr->rta_len;
-		if (hdr->nlmsg_len > sizeof(request))
-		{
-			return FAILED;
-		}
-
-		struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
-		algo->alg_key_len = 0;
-		strcpy(algo->alg_name, alg_name);
-
-		rthdr = XFRM_RTA_NEXT(rthdr);
-	}
-
-	if (encap)
-	{
-		struct xfrm_encap_tmpl *tmpl;
-
-		rthdr->rta_type = XFRMA_ENCAP;
-		rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_encap_tmpl));
-
-		hdr->nlmsg_len += rthdr->rta_len;
-		if (hdr->nlmsg_len > sizeof(request))
-		{
-			return FAILED;
-		}
-
-		tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rthdr);
-		tmpl->encap_type = UDP_ENCAP_ESPINUDP;
-		tmpl->encap_sport = htons(src->get_port(src));
-		tmpl->encap_dport = htons(dst->get_port(dst));
-		memset(&tmpl->encap_oa, 0, sizeof (xfrm_address_t));
-		/* encap_oa could probably be derived from the
-		 * traffic selectors [rfc4306, p39]. In the netlink kernel implementation
-		 * pluto does the same as we do here but it uses encap_oa in the
-		 * pfkey implementation. BUT as /usr/src/linux/net/key/af_key.c indicates
-		 * the kernel ignores it anyway
-		 *   -> does that mean that NAT-T encap doesn't work in transport mode?
-		 * No. The reason the kernel ignores NAT-OA is that it recomputes
-		 * (or, rather, just ignores) the checksum. If packets pass
-		 * the IPsec checks it marks them "checksum ok" so OA isn't needed. */
-		rthdr = XFRM_RTA_NEXT(rthdr);
-	}
-
-	if (mark.value)
-	{
-		struct xfrm_mark *mrk;
-
-		rthdr->rta_type = XFRMA_MARK;
-		rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_mark));
-
-		hdr->nlmsg_len += rthdr->rta_len;
-		if (hdr->nlmsg_len > sizeof(request))
-		{
-			return FAILED;
-		}
-
-		mrk = (struct xfrm_mark*)RTA_DATA(rthdr);
-		mrk->v = mark.value;
-		mrk->m = mark.mask;
-		rthdr = XFRM_RTA_NEXT(rthdr);
-	}
-
-	if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
-	{
-		if (mark.value)
-		{
-			DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x  "
-						  "(mark %u/0x%8x)", ntohl(spi), mark.value, mark.mask);
-		}
-		else
-		{
-			DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x", ntohl(spi));
-		}
-		return FAILED;
-	}
-	return SUCCESS;
-}
-
-/**
- * Get the replay state (i.e. sequence numbers) of an SA.
- */
-static status_t get_replay_state(private_kernel_netlink_ipsec_t *this,
-						  u_int32_t spi, protocol_id_t protocol, host_t *dst,
-						  struct xfrm_replay_state *replay)
-{
-	netlink_buf_t request;
-	struct nlmsghdr *hdr, *out = NULL;
-	struct xfrm_aevent_id *out_aevent = NULL, *aevent_id;
-	size_t len;
-	struct rtattr *rta;
-	size_t rtasize;
-
-	memset(&request, 0, sizeof(request));
-
-	DBG2(DBG_KNL, "querying replay state from SAD entry with SPI %.8x", ntohl(spi));
-
-	hdr = (struct nlmsghdr*)request;
-	hdr->nlmsg_flags = NLM_F_REQUEST;
-	hdr->nlmsg_type = XFRM_MSG_GETAE;
-	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_aevent_id));
-
-	aevent_id = (struct xfrm_aevent_id*)NLMSG_DATA(hdr);
-	aevent_id->flags = XFRM_AE_RVAL;
-
-	host2xfrm(dst, &aevent_id->sa_id.daddr);
-	aevent_id->sa_id.spi = spi;
-	aevent_id->sa_id.proto = proto_ike2kernel(protocol);
-	aevent_id->sa_id.family = dst->get_family(dst);
-
-	if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
-	{
-		hdr = out;
-		while (NLMSG_OK(hdr, len))
-		{
-			switch (hdr->nlmsg_type)
-			{
-				case XFRM_MSG_NEWAE:
-				{
-					out_aevent = NLMSG_DATA(hdr);
-					break;
-				}
-				case NLMSG_ERROR:
-				{
-					struct nlmsgerr *err = NLMSG_DATA(hdr);
-					DBG1(DBG_KNL, "querying replay state from SAD entry failed: %s (%d)",
-						 strerror(-err->error), -err->error);
-					break;
-				}
-				default:
-					hdr = NLMSG_NEXT(hdr, len);
-					continue;
-				case NLMSG_DONE:
-					break;
-			}
-			break;
-		}
-	}
-
-	if (out_aevent == NULL)
-	{
-		DBG1(DBG_KNL, "unable to query replay state from SAD entry with SPI %.8x",
-					  ntohl(spi));
-		free(out);
-		return FAILED;
-	}
-
-	rta = XFRM_RTA(out, struct xfrm_aevent_id);
-	rtasize = XFRM_PAYLOAD(out, struct xfrm_aevent_id);
-	while(RTA_OK(rta, rtasize))
-	{
-		if (rta->rta_type == XFRMA_REPLAY_VAL &&
-			RTA_PAYLOAD(rta) == sizeof(struct xfrm_replay_state))
-		{
-			memcpy(replay, RTA_DATA(rta), RTA_PAYLOAD(rta));
-			free(out);
-			return SUCCESS;
-		}
-		rta = RTA_NEXT(rta, rtasize);
-	}
-
-	DBG1(DBG_KNL, "unable to query replay state from SAD entry with SPI %.8x",
-				  ntohl(spi));
-	free(out);
-	return FAILED;
-}
-
-METHOD(kernel_ipsec_t, query_sa, status_t,
-	private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
-	u_int32_t spi, protocol_id_t protocol, mark_t mark, u_int64_t *bytes)
-{
-	netlink_buf_t request;
-	struct nlmsghdr *out = NULL, *hdr;
-	struct xfrm_usersa_id *sa_id;
-	struct xfrm_usersa_info *sa = NULL;
-	size_t len;
-
-	memset(&request, 0, sizeof(request));
-
-	if (mark.value)
-	{
-		DBG2(DBG_KNL, "querying SAD entry with SPI %.8x  (mark %u/0x%8x)",
-					   ntohl(spi), mark.value, mark.mask);
-	}
-	else
-	{
-		DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi));
-	}
-	hdr = (struct nlmsghdr*)request;
-	hdr->nlmsg_flags = NLM_F_REQUEST;
-	hdr->nlmsg_type = XFRM_MSG_GETSA;
-	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
-
-	sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
-	host2xfrm(dst, &sa_id->daddr);
-	sa_id->spi = spi;
-	sa_id->proto = proto_ike2kernel(protocol);
-	sa_id->family = dst->get_family(dst);
-
-	if (mark.value)
-	{
-		struct xfrm_mark *mrk;
-		struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_usersa_id);
-
-		rthdr->rta_type = XFRMA_MARK;
-		rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_mark));
-		hdr->nlmsg_len += rthdr->rta_len;
-		if (hdr->nlmsg_len > sizeof(request))
-		{
-			return FAILED;
-		}
-
-		mrk = (struct xfrm_mark*)RTA_DATA(rthdr);
-		mrk->v = mark.value;
-		mrk->m = mark.mask;
-	}
-
-	if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
-	{
-		hdr = out;
-		while (NLMSG_OK(hdr, len))
-		{
-			switch (hdr->nlmsg_type)
-			{
-				case XFRM_MSG_NEWSA:
-				{
-					sa = (struct xfrm_usersa_info*)NLMSG_DATA(hdr);
-					break;
-				}
-				case NLMSG_ERROR:
-				{
-					struct nlmsgerr *err = NLMSG_DATA(hdr);
-					
-					if (mark.value)
-					{
-						DBG1(DBG_KNL, "querying SAD entry with SPI %.8x  "
-									  "(mark %u/0x%8x) failed: %s (%d)",
-									   ntohl(spi), mark.value, mark.mask,
-									   strerror(-err->error), -err->error);
-					}
-					else
-					{
-						DBG1(DBG_KNL, "querying SAD entry with SPI %.8x "
-									  "failed: %s (%d)", ntohl(spi),
-									   strerror(-err->error), -err->error);
-					}
-					break;
-				}
-				default:
-					hdr = NLMSG_NEXT(hdr, len);
-					continue;
-				case NLMSG_DONE:
-					break;
-			}
-			break;
-		}
-	}
-
-	if (sa == NULL)
-	{
-		DBG2(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi));
-		free(out);
-		return FAILED;
-	}
-	*bytes = sa->curlft.bytes;
-
-	free(out);
-	return SUCCESS;
-}
-
-METHOD(kernel_ipsec_t, del_sa, status_t,
-	private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
-	u_int32_t spi, protocol_id_t protocol, u_int16_t cpi, mark_t mark)
-{
-	netlink_buf_t request;
-	struct nlmsghdr *hdr;
-	struct xfrm_usersa_id *sa_id;
-
-	/* if IPComp was used, we first delete the additional IPComp SA */
-	if (cpi)
-	{
-		del_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, 0, mark);
-	}
-
-	memset(&request, 0, sizeof(request));
-
-	if (mark.value)
-	{
-		DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x  (mark %u/0x%8x)",
-					   ntohl(spi), mark.value, mark.mask);
-	}
-	else
-	{
-		DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x", ntohl(spi));
-	}
-	hdr = (struct nlmsghdr*)request;
-	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
-	hdr->nlmsg_type = XFRM_MSG_DELSA;
-	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
-
-	sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
-	host2xfrm(dst, &sa_id->daddr);
-	sa_id->spi = spi;
-	sa_id->proto = proto_ike2kernel(protocol);
-	sa_id->family = dst->get_family(dst);
-
-	if (mark.value)
-	{
-		struct xfrm_mark *mrk;
-		struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_usersa_id);
-
-		rthdr->rta_type = XFRMA_MARK;
-		rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_mark));
-		hdr->nlmsg_len += rthdr->rta_len;
-		if (hdr->nlmsg_len > sizeof(request))
-		{
-			return FAILED;
-		}
-
-		mrk = (struct xfrm_mark*)RTA_DATA(rthdr);
-		mrk->v = mark.value;
-		mrk->m = mark.mask;
-	}
-
-	if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
-	{
-		if (mark.value)
-		{
-			DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x  "
-						  "(mark %u/0x%8x)", ntohl(spi), mark.value, mark.mask);
-		}
-		else
-		{
-			DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x", ntohl(spi));
-		}
-		return FAILED;
-	}
-	if (mark.value)
-	{
-		DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x  (mark %u/0x%8x)",
-					   ntohl(spi), mark.value, mark.mask);
-	}
-	else
-	{
-		DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x", ntohl(spi));
-	}
-	return SUCCESS;
-}
-
-METHOD(kernel_ipsec_t, update_sa, status_t,
-	private_kernel_netlink_ipsec_t *this, u_int32_t spi, protocol_id_t protocol,
-	u_int16_t cpi, host_t *src, host_t *dst, host_t *new_src, host_t *new_dst,
-	bool old_encap, bool new_encap, mark_t mark)
-{
-	netlink_buf_t request;
-	u_char *pos;
-	struct nlmsghdr *hdr, *out = NULL;
-	struct xfrm_usersa_id *sa_id;
-	struct xfrm_usersa_info *out_sa = NULL, *sa;
-	size_t len;
-	struct rtattr *rta;
-	size_t rtasize;
-	struct xfrm_encap_tmpl* tmpl = NULL;
-	bool got_replay_state = FALSE;
-	struct xfrm_replay_state replay;
-
-	/* if IPComp is used, we first update the IPComp SA */
-	if (cpi)
-	{
-		update_sa(this, htonl(ntohs(cpi)), IPPROTO_COMP, 0,
-				  src, dst, new_src, new_dst, FALSE, FALSE, mark);
-	}
-
-	memset(&request, 0, sizeof(request));
-
-	DBG2(DBG_KNL, "querying SAD entry with SPI %.8x for update", ntohl(spi));
-
-	/* query the existing SA first */
-	hdr = (struct nlmsghdr*)request;
-	hdr->nlmsg_flags = NLM_F_REQUEST;
-	hdr->nlmsg_type = XFRM_MSG_GETSA;
-	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
-
-	sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
-	host2xfrm(dst, &sa_id->daddr);
-	sa_id->spi = spi;
-	sa_id->proto = proto_ike2kernel(protocol);
-	sa_id->family = dst->get_family(dst);
-
-	if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
-	{
-		hdr = out;
-		while (NLMSG_OK(hdr, len))
-		{
-			switch (hdr->nlmsg_type)
-			{
-				case XFRM_MSG_NEWSA:
-				{
-					out_sa = NLMSG_DATA(hdr);
-					break;
-				}
-				case NLMSG_ERROR:
-				{
-					struct nlmsgerr *err = NLMSG_DATA(hdr);
-					DBG1(DBG_KNL, "querying SAD entry failed: %s (%d)",
-						 strerror(-err->error), -err->error);
-					break;
-				}
-				default:
-					hdr = NLMSG_NEXT(hdr, len);
-					continue;
-				case NLMSG_DONE:
-					break;
-			}
-			break;
-		}
-	}
-	if (out_sa == NULL)
-	{
-		DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi));
-		free(out);
-		return FAILED;
-	}
-
-	/* try to get the replay state */
-	if (get_replay_state(this, spi, protocol, dst, &replay) == SUCCESS)
-	{
-		got_replay_state = TRUE;
-	}
-
-	/* delete the old SA (without affecting the IPComp SA) */
-	if (del_sa(this, src, dst, spi, protocol, 0, mark) != SUCCESS)
-	{
-		DBG1(DBG_KNL, "unable to delete old SAD entry with SPI %.8x", ntohl(spi));
-		free(out);
-		return FAILED;
-	}
-
-	DBG2(DBG_KNL, "updating SAD entry with SPI %.8x from %#H..%#H to %#H..%#H",
-		 ntohl(spi), src, dst, new_src, new_dst);
-	/* copy over the SA from out to request */
-	hdr = (struct nlmsghdr*)request;
-	memcpy(hdr, out, min(out->nlmsg_len, sizeof(request)));
-	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
-	hdr->nlmsg_type = XFRM_MSG_NEWSA;
-	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
-	sa = NLMSG_DATA(hdr);
-	sa->family = new_dst->get_family(new_dst);
-
-	if (!src->ip_equals(src, new_src))
-	{
-		host2xfrm(new_src, &sa->saddr);
-	}
-	if (!dst->ip_equals(dst, new_dst))
-	{
-		host2xfrm(new_dst, &sa->id.daddr);
-	}
-
-	rta = XFRM_RTA(out, struct xfrm_usersa_info);
-	rtasize = XFRM_PAYLOAD(out, struct xfrm_usersa_info);
-	pos = (u_char*)XFRM_RTA(hdr, struct xfrm_usersa_info);
-	while(RTA_OK(rta, rtasize))
-	{
-		/* copy all attributes, but not XFRMA_ENCAP if we are disabling it */
-		if (rta->rta_type != XFRMA_ENCAP || new_encap)
-		{
-			if (rta->rta_type == XFRMA_ENCAP)
-			{	/* update encap tmpl */
-				tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rta);
-				tmpl->encap_sport = ntohs(new_src->get_port(new_src));
-				tmpl->encap_dport = ntohs(new_dst->get_port(new_dst));
-			}
-			memcpy(pos, rta, rta->rta_len);
-			pos += RTA_ALIGN(rta->rta_len);
-			hdr->nlmsg_len += RTA_ALIGN(rta->rta_len);
-		}
-		rta = RTA_NEXT(rta, rtasize);
-	}
-
-	rta = (struct rtattr*)pos;
-	if (tmpl == NULL && new_encap)
-	{	/* add tmpl if we are enabling it */
-		rta->rta_type = XFRMA_ENCAP;
-		rta->rta_len = RTA_LENGTH(sizeof(struct xfrm_encap_tmpl));
-
-		hdr->nlmsg_len += rta->rta_len;
-		if (hdr->nlmsg_len > sizeof(request))
-		{
-			return FAILED;
-		}
-
-		tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rta);
-		tmpl->encap_type = UDP_ENCAP_ESPINUDP;
-		tmpl->encap_sport = ntohs(new_src->get_port(new_src));
-		tmpl->encap_dport = ntohs(new_dst->get_port(new_dst));
-		memset(&tmpl->encap_oa, 0, sizeof (xfrm_address_t));
-
-		rta = XFRM_RTA_NEXT(rta);
-	}
-
-	if (got_replay_state)
-	{	/* copy the replay data if available */
-		rta->rta_type = XFRMA_REPLAY_VAL;
-		rta->rta_len = RTA_LENGTH(sizeof(struct xfrm_replay_state));
-
-		hdr->nlmsg_len += rta->rta_len;
-		if (hdr->nlmsg_len > sizeof(request))
-		{
-			return FAILED;
-		}
-		memcpy(RTA_DATA(rta), &replay, sizeof(replay));
-
-		rta = XFRM_RTA_NEXT(rta);
-	}
-
-	if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
-	{
-		DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi));
-		free(out);
-		return FAILED;
-	}
-	free(out);
-
-	return SUCCESS;
-}
-
-METHOD(kernel_ipsec_t, add_policy, status_t,
-	private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
-	traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
-	policy_dir_t direction, u_int32_t spi, protocol_id_t protocol,
-	u_int32_t reqid, mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp,
-	u_int16_t cpi,	bool routed)
-{
-	policy_entry_t *current, *policy;
-	bool found = FALSE;
-	netlink_buf_t request;
-	struct xfrm_userpolicy_info *policy_info;
-	struct nlmsghdr *hdr;
-
-	/* create a policy */
-	policy = malloc_thing(policy_entry_t);
-	memset(policy, 0, sizeof(policy_entry_t));
-	policy->sel = ts2selector(src_ts, dst_ts);
-	policy->mark = mark.value & mark.mask;
-	policy->direction = direction;
-
-	/* find the policy, which matches EXACTLY */
-	this->mutex->lock(this->mutex);
-	current = this->policies->get(this->policies, policy);
-	if (current)
-	{
-		/* use existing policy */
-		current->refcount++;
-		if (mark.value)
-		{
-			DBG2(DBG_KNL, "policy %R === %R %N  (mark %u/0x%8x) "
-						  "already exists, increasing refcount",
-						   src_ts, dst_ts, policy_dir_names, direction,
-					  	   mark.value, mark.mask);
-		}
-		else
-		{
-			DBG2(DBG_KNL, "policy %R === %R %N "
-						  "already exists, increasing refcount",
-						   src_ts, dst_ts, policy_dir_names, direction);
-		}
-		free(policy);
-		policy = current;
-		found = TRUE;
-	}
-	else
-	{	/* apply the new one, if we have no such policy */
-		this->policies->put(this->policies, policy, policy);
-		policy->refcount = 1;
-	}
-
-	if (mark.value)
-	{
-		DBG2(DBG_KNL, "adding policy %R === %R %N  (mark %u/0x%8x)",
-					   src_ts, dst_ts, policy_dir_names, direction,
-					   mark.value, mark.mask);
-	}
-	else
-	{
-		DBG2(DBG_KNL, "adding policy %R === %R %N",
-					   src_ts, dst_ts, policy_dir_names, direction);
-	}
-
-	memset(&request, 0, sizeof(request));
-	hdr = (struct nlmsghdr*)request;
-	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
-	hdr->nlmsg_type = found ? XFRM_MSG_UPDPOLICY : XFRM_MSG_NEWPOLICY;
-	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_info));
-
-	policy_info = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr);
-	policy_info->sel = policy->sel;
-	policy_info->dir = policy->direction;
-	/* calculate priority based on source selector size, small size = high prio */
-	policy_info->priority = routed ? PRIO_LOW : PRIO_HIGH;
-	policy_info->priority -= policy->sel.prefixlen_s * 10;
-	policy_info->priority -= policy->sel.proto ? 2 : 0;
-	policy_info->priority -= policy->sel.sport_mask ? 1 : 0;
-	policy_info->action = XFRM_POLICY_ALLOW;
-	policy_info->share = XFRM_SHARE_ANY;
-	this->mutex->unlock(this->mutex);
-
-	/* policies don't expire */
-	policy_info->lft.soft_byte_limit = XFRM_INF;
-	policy_info->lft.soft_packet_limit = XFRM_INF;
-	policy_info->lft.hard_byte_limit = XFRM_INF;
-	policy_info->lft.hard_packet_limit = XFRM_INF;
-	policy_info->lft.soft_add_expires_seconds = 0;
-	policy_info->lft.hard_add_expires_seconds = 0;
-	policy_info->lft.soft_use_expires_seconds = 0;
-	policy_info->lft.hard_use_expires_seconds = 0;
-
-	struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_userpolicy_info);
-	rthdr->rta_type = XFRMA_TMPL;
-	rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_user_tmpl));
-
-	hdr->nlmsg_len += rthdr->rta_len;
-	if (hdr->nlmsg_len > sizeof(request))
-	{
-		return FAILED;
-	}
-
-	struct xfrm_user_tmpl *tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rthdr);
-
-	if (ipcomp != IPCOMP_NONE)
-	{
-		tmpl->reqid = reqid;
-		tmpl->id.proto = IPPROTO_COMP;
-		tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
-		tmpl->mode = mode2kernel(mode);
-		tmpl->optional = direction != POLICY_OUT;
-		tmpl->family = src->get_family(src);
-
-		host2xfrm(src, &tmpl->saddr);
-		host2xfrm(dst, &tmpl->id.daddr);
-
-		/* add an additional xfrm_user_tmpl */
-		rthdr->rta_len += RTA_LENGTH(sizeof(struct xfrm_user_tmpl));
-		hdr->nlmsg_len += RTA_LENGTH(sizeof(struct xfrm_user_tmpl));
-		if (hdr->nlmsg_len > sizeof(request))
-		{
-			return FAILED;
-		}
-
-		tmpl++;
-
-		/* use transport mode for ESP if we have a tunnel mode IPcomp SA */
-		mode = MODE_TRANSPORT;
-	}
-	else
-	{
-		/* when using IPcomp, only the IPcomp SA uses tmp src/dst addresses */
-		host2xfrm(src, &tmpl->saddr);
-		host2xfrm(dst, &tmpl->id.daddr);
-	}
-
-	tmpl->reqid = reqid;
-	tmpl->id.proto = proto_ike2kernel(protocol);
-	tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
-	tmpl->mode = mode2kernel(mode);
-	tmpl->family = src->get_family(src);
-	rthdr = XFRM_RTA_NEXT(rthdr);
-
-	if (mark.value)
-	{
-		struct xfrm_mark *mrk;
-
-		rthdr->rta_type = XFRMA_MARK;
-		rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_mark));
-
-		hdr->nlmsg_len += rthdr->rta_len;
-		if (hdr->nlmsg_len > sizeof(request))
-		{
-			return FAILED;
-		}
-
-		mrk = (struct xfrm_mark*)RTA_DATA(rthdr);
-		mrk->v = mark.value;
-		mrk->m = mark.mask;
-	}
-
-	if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
-	{
-		DBG1(DBG_KNL, "unable to add policy %R === %R %N", src_ts, dst_ts,
-					   policy_dir_names, direction);
-		return FAILED;
-	}
-
-	/* install a route, if:
-	 * - we are NOT updating a policy
-	 * - this is a forward policy (to just get one for each child)
-	 * - we are in tunnel/BEET mode
-	 * - routing is not disabled via strongswan.conf
-	 */
-	if (policy->route == NULL && direction == POLICY_FWD &&
-		mode != MODE_TRANSPORT && this->install_routes)
-	{
-		route_entry_t *route = malloc_thing(route_entry_t);
-
-		if (charon->kernel_interface->get_address_by_ts(charon->kernel_interface,
-				dst_ts, &route->src_ip) == SUCCESS)
-		{
-			/* get the nexthop to src (src as we are in POLICY_FWD).*/
-			route->gateway = charon->kernel_interface->get_nexthop(
-												charon->kernel_interface, src);
-			/* install route via outgoing interface */
-			route->if_name = charon->kernel_interface->get_interface(
-												charon->kernel_interface, dst);
-			route->dst_net = chunk_alloc(policy->sel.family == AF_INET ? 4 : 16);
-			memcpy(route->dst_net.ptr, &policy->sel.saddr, route->dst_net.len);
-			route->prefixlen = policy->sel.prefixlen_s;
-
-			if (route->if_name)
-			{
-				switch (charon->kernel_interface->add_route(
-									charon->kernel_interface, route->dst_net,
-									route->prefixlen, route->gateway,
-									route->src_ip, route->if_name))
-				{
-					default:
-						DBG1(DBG_KNL, "unable to install source route for %H",
-							 route->src_ip);
-						/* FALL */
-					case ALREADY_DONE:
-						/* route exists, do not uninstall */
-						route_entry_destroy(route);
-						break;
-					case SUCCESS:
-						/* cache the installed route */
-						policy->route = route;
-						break;
-				}
-			}
-			else
-			{
-				route_entry_destroy(route);
-			}
-		}
-		else
-		{
-			free(route);
-		}
-	}
-	return SUCCESS;
-}
-
-METHOD(kernel_ipsec_t, query_policy, status_t,
-	private_kernel_netlink_ipsec_t *this, traffic_selector_t *src_ts,
-	traffic_selector_t *dst_ts, policy_dir_t direction, mark_t mark,
-	u_int32_t *use_time)
-{
-	netlink_buf_t request;
-	struct nlmsghdr *out = NULL, *hdr;
-	struct xfrm_userpolicy_id *policy_id;
-	struct xfrm_userpolicy_info *policy = NULL;
-	size_t len;
-
-	memset(&request, 0, sizeof(request));
-
-	if (mark.value)
-	{
-		DBG2(DBG_KNL, "querying policy %R === %R %N  (mark %u/0x%8x)",
-					   src_ts, dst_ts, policy_dir_names, direction,
-					   mark.value, mark.mask);
-	}
-	else
-	{
-		DBG2(DBG_KNL, "querying policy %R === %R %N", src_ts, dst_ts,
-					   policy_dir_names, direction);
-	}
-	hdr = (struct nlmsghdr*)request;
-	hdr->nlmsg_flags = NLM_F_REQUEST;
-	hdr->nlmsg_type = XFRM_MSG_GETPOLICY;
-	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
-
-	policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
-	policy_id->sel = ts2selector(src_ts, dst_ts);
-	policy_id->dir = direction;
-
-	if (mark.value)
-	{
-		struct xfrm_mark *mrk;
-		struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_userpolicy_id);
-
-		rthdr->rta_type = XFRMA_MARK;
-		rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_mark));
-
-		hdr->nlmsg_len += rthdr->rta_len;
-		if (hdr->nlmsg_len > sizeof(request))
-		{
-			return FAILED;
-		}
-
-		mrk = (struct xfrm_mark*)RTA_DATA(rthdr);
-		mrk->v = mark.value;
-		mrk->m = mark.mask;
-	}
-
-	if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
-	{
-		hdr = out;
-		while (NLMSG_OK(hdr, len))
-		{
-			switch (hdr->nlmsg_type)
-			{
-				case XFRM_MSG_NEWPOLICY:
-				{
-					policy = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr);
-					break;
-				}
-				case NLMSG_ERROR:
-				{
-					struct nlmsgerr *err = NLMSG_DATA(hdr);
-					DBG1(DBG_KNL, "querying policy failed: %s (%d)",
-						 strerror(-err->error), -err->error);
-					break;
-				}
-				default:
-					hdr = NLMSG_NEXT(hdr, len);
-					continue;
-				case NLMSG_DONE:
-					break;
-			}
-			break;
-		}
-	}
-
-	if (policy == NULL)
-	{
-		DBG2(DBG_KNL, "unable to query policy %R === %R %N", src_ts, dst_ts,
-					   policy_dir_names, direction);
-		free(out);
-		return FAILED;
-	}
-
-	if (policy->curlft.use_time)
-	{
-		/* we need the monotonic time, but the kernel returns system time. */
-		*use_time = time_monotonic(NULL) - (time(NULL) - policy->curlft.use_time);
-	}
-	else
-	{
-		*use_time = 0;
-	}
-
-	free(out);
-	return SUCCESS;
-}
-
-METHOD(kernel_ipsec_t, del_policy, status_t,
-	private_kernel_netlink_ipsec_t *this, traffic_selector_t *src_ts,
-	traffic_selector_t *dst_ts, policy_dir_t direction,	mark_t mark,
-	bool unrouted)
-{
-	policy_entry_t *current, policy, *to_delete = NULL;
-	route_entry_t *route;
-	netlink_buf_t request;
-	struct nlmsghdr *hdr;
-	struct xfrm_userpolicy_id *policy_id;
-
-	if (mark.value)
-	{
-		DBG2(DBG_KNL, "deleting policy %R === %R %N  (mark %u/0x%8x)",
-					   src_ts, dst_ts, policy_dir_names, direction,
-					   mark.value, mark.mask);
-	}
-	else
-	{
-		DBG2(DBG_KNL, "deleting policy %R === %R %N",
-					   src_ts, dst_ts, policy_dir_names, direction);
-	}
-
-	/* create a policy */
-	memset(&policy, 0, sizeof(policy_entry_t));
-	policy.sel = ts2selector(src_ts, dst_ts);
-	policy.mark = mark.value & mark.mask;
-	policy.direction = direction;
-
-	/* find the policy */
-	this->mutex->lock(this->mutex);
-	current = this->policies->get(this->policies, &policy);
-	if (current)
-	{
-		to_delete = current;
-		if (--to_delete->refcount > 0)
-		{
-			/* is used by more SAs, keep in kernel */
-			DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed");
-			this->mutex->unlock(this->mutex);
-			return SUCCESS;
-		}
-		/* remove if last reference */
-		this->policies->remove(this->policies, to_delete);
-	}
-	this->mutex->unlock(this->mutex);
-	if (!to_delete)
-	{
-		if (mark.value)
-		{
-			DBG1(DBG_KNL, "deleting policy %R === %R %N  (mark %u/0x%8x) "
-						  "failed, not found", src_ts, dst_ts, policy_dir_names,
-						   direction, mark.value, mark.mask);
-		}
-		else
-		{
-			DBG1(DBG_KNL, "deleting policy %R === %R %N failed, not found",
-						   src_ts, dst_ts, policy_dir_names, direction);
-		}
-		return NOT_FOUND;
-	}
-
-	memset(&request, 0, sizeof(request));
-
-	hdr = (struct nlmsghdr*)request;
-	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
-	hdr->nlmsg_type = XFRM_MSG_DELPOLICY;
-	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
-
-	policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
-	policy_id->sel = to_delete->sel;
-	policy_id->dir = direction;
-
-	if (mark.value)
-	{
-		struct xfrm_mark *mrk;
-		struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_userpolicy_id);
-
-		rthdr->rta_type = XFRMA_MARK;
-		rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_mark));
-		hdr->nlmsg_len += rthdr->rta_len;
-		if (hdr->nlmsg_len > sizeof(request))
-		{
-			return FAILED;
-		}
-
-		mrk = (struct xfrm_mark*)RTA_DATA(rthdr);
-		mrk->v = mark.value;
-		mrk->m = mark.mask;
-	}
-
-	route = to_delete->route;
-	free(to_delete);
-
-	if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
-	{
-		if (mark.value)
-		{
-			DBG1(DBG_KNL, "unable to delete policy %R === %R %N  "
-                          "(mark %u/0x%8x)", src_ts, dst_ts, policy_dir_names,
-						   direction, mark.value, mark.mask);
-		}
-		else
-		{
-			DBG1(DBG_KNL, "unable to delete policy %R === %R %N",
-						   src_ts, dst_ts, policy_dir_names, direction);
-		}
-		return FAILED;
-	}
-
-	if (route)
-	{
-		if (charon->kernel_interface->del_route(charon->kernel_interface,
-				route->dst_net, route->prefixlen, route->gateway,
-				route->src_ip, route->if_name) != SUCCESS)
-		{
-			DBG1(DBG_KNL, "error uninstalling route installed with "
-						  "policy %R === %R %N", src_ts, dst_ts,
-						   policy_dir_names, direction);
-		}
-		route_entry_destroy(route);
-	}
-	return SUCCESS;
-}
-
-METHOD(kernel_ipsec_t, bypass_socket, bool,
-	private_kernel_netlink_ipsec_t *this, int fd, int family)
-{
-	struct xfrm_userpolicy_info policy;
-	u_int sol, ipsec_policy;
-
-	switch (family)
-	{
-		case AF_INET:
-			sol = SOL_IP;
-			ipsec_policy = IP_XFRM_POLICY;
-			break;
-		case AF_INET6:
-			sol = SOL_IPV6;
-			ipsec_policy = IPV6_XFRM_POLICY;
-			break;
-		default:
-			return FALSE;
-	}
-
-	memset(&policy, 0, sizeof(policy));
-	policy.action = XFRM_POLICY_ALLOW;
-	policy.sel.family = family;
-
-	policy.dir = XFRM_POLICY_OUT;
-	if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
-	{
-		DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
-			 strerror(errno));
-		return FALSE;
-	}
-	policy.dir = XFRM_POLICY_IN;
-	if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
-	{
-		DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
-			 strerror(errno));
-		return FALSE;
-	}
-	return TRUE;
-}
-
-METHOD(kernel_ipsec_t, destroy, void,
-	private_kernel_netlink_ipsec_t *this)
-{
-	enumerator_t *enumerator;
-	policy_entry_t *policy;
-
-	if (this->job)
-	{
-		this->job->cancel(this->job);
-	}
-	if (this->socket_xfrm_events > 0)
-	{
-		close(this->socket_xfrm_events);
-	}
-	DESTROY_IF(this->socket_xfrm);
-	enumerator = this->policies->create_enumerator(this->policies);
-	while (enumerator->enumerate(enumerator, &policy, &policy))
-	{
-		free(policy);
-	}
-	enumerator->destroy(enumerator);
-	this->policies->destroy(this->policies);
-	this->mutex->destroy(this->mutex);
-	free(this);
-}
-
-/*
- * Described in header.
- */
-kernel_netlink_ipsec_t *kernel_netlink_ipsec_create()
-{
-	private_kernel_netlink_ipsec_t *this;
-	struct sockaddr_nl addr;
-	int fd;
-
-	INIT(this,
-		.public.interface = {
-			.get_spi = _get_spi,
-			.get_cpi = _get_cpi,
-			.add_sa  = _add_sa,
-			.update_sa = _update_sa,
-			.query_sa = _query_sa,
-			.del_sa = _del_sa,
-			.add_policy = _add_policy,
-			.query_policy = _query_policy,
-			.del_policy = _del_policy,
-			.bypass_socket = _bypass_socket,
-			.destroy = _destroy,
-		},
-		.policies = hashtable_create((hashtable_hash_t)policy_hash,
-									 (hashtable_equals_t)policy_equals, 32),
-		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
-		.install_routes = lib->settings->get_bool(lib->settings,
-												"charon.install_routes", TRUE),
-	);
-
-	/* disable lifetimes for allocated SPIs in kernel */
-	fd = open("/proc/sys/net/core/xfrm_acq_expires", O_WRONLY);
-	if (fd)
-	{
-		ignore_result(write(fd, "165", 3));
-		close(fd);
-	}
-
-	this->socket_xfrm = netlink_socket_create(NETLINK_XFRM);
-	if (!this->socket_xfrm)
-	{
-		destroy(this);
-		return NULL;
-	}
-
-	memset(&addr, 0, sizeof(addr));
-	addr.nl_family = AF_NETLINK;
-
-	/* create and bind XFRM socket for ACQUIRE, EXPIRE, MIGRATE & MAPPING */
-	this->socket_xfrm_events = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);
-	if (this->socket_xfrm_events <= 0)
-	{
-		DBG1(DBG_KNL, "unable to create XFRM event socket");
-		destroy(this);
-		return NULL;
-	}
-	addr.nl_groups = XFRMNLGRP(ACQUIRE) | XFRMNLGRP(EXPIRE) |
-					 XFRMNLGRP(MIGRATE) | XFRMNLGRP(MAPPING);
-	if (bind(this->socket_xfrm_events, (struct sockaddr*)&addr, sizeof(addr)))
-	{
-		DBG1(DBG_KNL, "unable to bind XFRM event socket");
-		destroy(this);
-		return NULL;
-	}
-	this->job = callback_job_create((callback_job_cb_t)receive_events,
-									this, NULL, NULL);
-	charon->processor->queue_job(charon->processor, (job_t*)this->job);
-
-	return &this->public;
-}
-
diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.h b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.h
deleted file mode 100644
index 3a45cce06..000000000
--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.h
+++ /dev/null
@@ -1,46 +0,0 @@
-/*
- * Copyright (C) 2008 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup kernel_netlink_ipsec_i kernel_netlink_ipsec
- * @{ @ingroup kernel_netlink
- */
-
-#ifndef KERNEL_NETLINK_IPSEC_H_
-#define KERNEL_NETLINK_IPSEC_H_
-
-#include <kernel/kernel_ipsec.h>
-
-typedef struct kernel_netlink_ipsec_t kernel_netlink_ipsec_t;
-
-/**
- * Implementation of the kernel ipsec interface using Netlink.
- */
-struct kernel_netlink_ipsec_t {
-
-	/**
-	 * Implements kernel_ipsec_t interface
-	 */
-	kernel_ipsec_t interface;
-};
-
-/**
- * Create a netlink kernel ipsec interface instance.
- *
- * @return			kernel_netlink_ipsec_t instance
- */
-kernel_netlink_ipsec_t *kernel_netlink_ipsec_create();
-
-#endif /** KERNEL_NETLINK_IPSEC_H_ @}*/
diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.c
deleted file mode 100644
index 6750458cf..000000000
--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.c
+++ /dev/null
@@ -1,1506 +0,0 @@
-/*
- * Copyright (C) 2008 Tobias Brunner
- * Copyright (C) 2005-2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/*
- * Copyright (C) 2010 secunet Security Networks AG
- * Copyright (C) 2010 Thomas Egerer
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in
- * all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
- * THE SOFTWARE.
- */
-
-#include <sys/socket.h>
-#include <linux/netlink.h>
-#include <linux/rtnetlink.h>
-#include <unistd.h>
-#include <errno.h>
-#include <net/if.h>
-
-#include "kernel_netlink_net.h"
-#include "kernel_netlink_shared.h"
-
-#include <daemon.h>
-#include <threading/thread.h>
-#include <threading/condvar.h>
-#include <threading/mutex.h>
-#include <utils/linked_list.h>
-#include <processing/jobs/callback_job.h>
-#include <processing/jobs/roam_job.h>
-
-/** delay before firing roam jobs (ms) */
-#define ROAM_DELAY 100
-
-typedef struct addr_entry_t addr_entry_t;
-
-/**
- * IP address in an inface_entry_t
- */
-struct addr_entry_t {
-
-	/** The ip address */
-	host_t *ip;
-
-	/** virtual IP managed by us */
-	bool virtual;
-
-	/** scope of the address */
-	u_char scope;
-
-	/** Number of times this IP is used, if virtual */
-	u_int refcount;
-};
-
-/**
- * destroy a addr_entry_t object
- */
-static void addr_entry_destroy(addr_entry_t *this)
-{
-	this->ip->destroy(this->ip);
-	free(this);
-}
-
-typedef struct iface_entry_t iface_entry_t;
-
-/**
- * A network interface on this system, containing addr_entry_t's
- */
-struct iface_entry_t {
-
-	/** interface index */
-	int ifindex;
-
-	/** name of the interface */
-	char ifname[IFNAMSIZ];
-
-	/** interface flags, as in netdevice(7) SIOCGIFFLAGS */
-	u_int flags;
-
-	/** list of addresses as host_t */
-	linked_list_t *addrs;
-};
-
-/**
- * destroy an interface entry
- */
-static void iface_entry_destroy(iface_entry_t *this)
-{
-	this->addrs->destroy_function(this->addrs, (void*)addr_entry_destroy);
-	free(this);
-}
-
-typedef struct private_kernel_netlink_net_t private_kernel_netlink_net_t;
-
-/**
- * Private variables and functions of kernel_netlink_net class.
- */
-struct private_kernel_netlink_net_t {
-	/**
-	 * Public part of the kernel_netlink_net_t object.
-	 */
-	kernel_netlink_net_t public;
-
-	/**
-	 * mutex to lock access to various lists
-	 */
-	mutex_t *mutex;
-
-	/**
-	 * condition variable to signal virtual IP add/removal
-	 */
-	condvar_t *condvar;
-
-	/**
-	 * Cached list of interfaces and its addresses (iface_entry_t)
-	 */
-	linked_list_t *ifaces;
-
-	/**
-	 * job receiving netlink events
-	 */
-	callback_job_t *job;
-
-	/**
-	 * netlink rt socket (routing)
-	 */
-	netlink_socket_t *socket;
-
-	/**
-	 * Netlink rt socket to receive address change events
-	 */
-	int socket_events;
-
-	/**
-	 * time of the last roam_job
-	 */
-	timeval_t last_roam;
-
-	/**
-	 * routing table to install routes
-	 */
-	int routing_table;
-
-	/**
-	 * priority of used routing table
-	 */
-	int routing_table_prio;
-
-	/**
-	 * whether to react to RTM_NEWROUTE or RTM_DELROUTE events
-	 */
-	bool process_route;
-
-	/**
-	 * whether to actually install virtual IPs
-	 */
-	bool install_virtual_ip;
-
-	/**
-	 * list with routing tables to be excluded from route lookup
-	 */
-	linked_list_t *rt_exclude;
-};
-
-/**
- * get the refcount of a virtual ip
- */
-static int get_vip_refcount(private_kernel_netlink_net_t *this, host_t* ip)
-{
-	iterator_t *ifaces, *addrs;
-	iface_entry_t *iface;
-	addr_entry_t *addr;
-	int refcount = 0;
-
-	ifaces = this->ifaces->create_iterator(this->ifaces, TRUE);
-	while (ifaces->iterate(ifaces, (void**)&iface))
-	{
-		addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
-		while (addrs->iterate(addrs, (void**)&addr))
-		{
-			if (addr->virtual && (iface->flags & IFF_UP) &&
-				ip->ip_equals(ip, addr->ip))
-			{
-				refcount = addr->refcount;
-				break;
-			}
-		}
-		addrs->destroy(addrs);
-		if (refcount)
-		{
-			break;
-		}
-	}
-	ifaces->destroy(ifaces);
-
-	return refcount;
-}
-
-/**
- * start a roaming job. We delay it for a second and fire only one job
- * for multiple events. Otherwise we would create two many jobs.
- */
-static void fire_roam_job(private_kernel_netlink_net_t *this, bool address)
-{
-	timeval_t now;
-
-	time_monotonic(&now);
-	if (timercmp(&now, &this->last_roam, >))
-	{
-		now.tv_usec += ROAM_DELAY * 1000;
-		while (now.tv_usec > 1000000)
-		{
-			now.tv_sec++;
-			now.tv_usec -= 1000000;
-		}
-		this->last_roam = now;
-		charon->scheduler->schedule_job_ms(charon->scheduler,
-				(job_t*)roam_job_create(address), ROAM_DELAY);
-	}
-}
-
-/**
- * process RTM_NEWLINK/RTM_DELLINK from kernel
- */
-static void process_link(private_kernel_netlink_net_t *this,
-						 struct nlmsghdr *hdr, bool event)
-{
-	struct ifinfomsg* msg = (struct ifinfomsg*)(NLMSG_DATA(hdr));
-	struct rtattr *rta = IFLA_RTA(msg);
-	size_t rtasize = IFLA_PAYLOAD (hdr);
-	enumerator_t *enumerator;
-	iface_entry_t *current, *entry = NULL;
-	char *name = NULL;
-	bool update = FALSE;
-
-	while(RTA_OK(rta, rtasize))
-	{
-		switch (rta->rta_type)
-		{
-			case IFLA_IFNAME:
-				name = RTA_DATA(rta);
-				break;
-		}
-		rta = RTA_NEXT(rta, rtasize);
-	}
-	if (!name)
-	{
-		name = "(unknown)";
-	}
-
-	this->mutex->lock(this->mutex);
-	switch (hdr->nlmsg_type)
-	{
-		case RTM_NEWLINK:
-		{
-			if (msg->ifi_flags & IFF_LOOPBACK)
-			{	/* ignore loopback interfaces */
-				break;
-			}
-			enumerator = this->ifaces->create_enumerator(this->ifaces);
-			while (enumerator->enumerate(enumerator, &current))
-			{
-				if (current->ifindex == msg->ifi_index)
-				{
-					entry = current;
-					break;
-				}
-			}
-			enumerator->destroy(enumerator);
-			if (!entry)
-			{
-				entry = malloc_thing(iface_entry_t);
-				entry->ifindex = msg->ifi_index;
-				entry->flags = 0;
-				entry->addrs = linked_list_create();
-				this->ifaces->insert_last(this->ifaces, entry);
-			}
-			memcpy(entry->ifname, name, IFNAMSIZ);
-			entry->ifname[IFNAMSIZ-1] = '\0';
-			if (event)
-			{
-				if (!(entry->flags & IFF_UP) && (msg->ifi_flags & IFF_UP))
-				{
-					update = TRUE;
-					DBG1(DBG_KNL, "interface %s activated", name);
-				}
-				if ((entry->flags & IFF_UP) && !(msg->ifi_flags & IFF_UP))
-				{
-					update = TRUE;
-					DBG1(DBG_KNL, "interface %s deactivated", name);
-				}
-			}
-			entry->flags = msg->ifi_flags;
-			break;
-		}
-		case RTM_DELLINK:
-		{
-			enumerator = this->ifaces->create_enumerator(this->ifaces);
-			while (enumerator->enumerate(enumerator, &current))
-			{
-				if (current->ifindex == msg->ifi_index)
-				{
-					/* we do not remove it, as an address may be added to a
-					 * "down" interface and we wan't to know that. */
-					current->flags = msg->ifi_flags;
-					break;
-				}
-			}
-			enumerator->destroy(enumerator);
-			break;
-		}
-	}
-	this->mutex->unlock(this->mutex);
-
-	/* send an update to all IKE_SAs */
-	if (update && event)
-	{
-		fire_roam_job(this, TRUE);
-	}
-}
-
-/**
- * process RTM_NEWADDR/RTM_DELADDR from kernel
- */
-static void process_addr(private_kernel_netlink_net_t *this,
-						 struct nlmsghdr *hdr, bool event)
-{
-	struct ifaddrmsg* msg = (struct ifaddrmsg*)(NLMSG_DATA(hdr));
-	struct rtattr *rta = IFA_RTA(msg);
-	size_t rtasize = IFA_PAYLOAD (hdr);
-	host_t *host = NULL;
-	enumerator_t *ifaces, *addrs;
-	iface_entry_t *iface;
-	addr_entry_t *addr;
-	chunk_t local = chunk_empty, address = chunk_empty;
-	bool update = FALSE, found = FALSE, changed = FALSE;
-
-	while(RTA_OK(rta, rtasize))
-	{
-		switch (rta->rta_type)
-		{
-			case IFA_LOCAL:
-				local.ptr = RTA_DATA(rta);
-				local.len = RTA_PAYLOAD(rta);
-				break;
-			case IFA_ADDRESS:
-				address.ptr = RTA_DATA(rta);
-				address.len = RTA_PAYLOAD(rta);
-				break;
-		}
-		rta = RTA_NEXT(rta, rtasize);
-	}
-
-	/* For PPP interfaces, we need the IFA_LOCAL address,
-	 * IFA_ADDRESS is the peers address. But IFA_LOCAL is
-	 * not included in all cases (IPv6?), so fallback to IFA_ADDRESS. */
-	if (local.ptr)
-	{
-		host = host_create_from_chunk(msg->ifa_family, local, 0);
-	}
-	else if (address.ptr)
-	{
-		host = host_create_from_chunk(msg->ifa_family, address, 0);
-	}
-
-	if (host == NULL)
-	{	/* bad family? */
-		return;
-	}
-
-	this->mutex->lock(this->mutex);
-	ifaces = this->ifaces->create_enumerator(this->ifaces);
-	while (ifaces->enumerate(ifaces, &iface))
-	{
-		if (iface->ifindex == msg->ifa_index)
-		{
-			addrs = iface->addrs->create_enumerator(iface->addrs);
-			while (addrs->enumerate(addrs, &addr))
-			{
-				if (host->ip_equals(host, addr->ip))
-				{
-					found = TRUE;
-					if (hdr->nlmsg_type == RTM_DELADDR)
-					{
-						iface->addrs->remove_at(iface->addrs, addrs);
-						if (!addr->virtual)
-						{
-							changed = TRUE;
-							DBG1(DBG_KNL, "%H disappeared from %s",
-								 host, iface->ifname);
-						}
-						addr_entry_destroy(addr);
-					}
-					else if (hdr->nlmsg_type == RTM_NEWADDR && addr->virtual)
-					{
-						addr->refcount = 1;
-					}
-				}
-			}
-			addrs->destroy(addrs);
-
-			if (hdr->nlmsg_type == RTM_NEWADDR)
-			{
-				if (!found)
-				{
-					found = TRUE;
-					changed = TRUE;
-					addr = malloc_thing(addr_entry_t);
-					addr->ip = host->clone(host);
-					addr->virtual = FALSE;
-					addr->refcount = 1;
-					addr->scope = msg->ifa_scope;
-
-					iface->addrs->insert_last(iface->addrs, addr);
-					if (event)
-					{
-						DBG1(DBG_KNL, "%H appeared on %s", host, iface->ifname);
-					}
-				}
-			}
-			if (found && (iface->flags & IFF_UP))
-			{
-				update = TRUE;
-			}
-			break;
-		}
-	}
-	ifaces->destroy(ifaces);
-	this->mutex->unlock(this->mutex);
-	host->destroy(host);
-
-	/* send an update to all IKE_SAs */
-	if (update && event && changed)
-	{
-		fire_roam_job(this, TRUE);
-	}
-}
-
-/**
- * process RTM_NEWROUTE and RTM_DELROUTE from kernel
- */
-static void process_route(private_kernel_netlink_net_t *this, struct nlmsghdr *hdr)
-{
-	struct rtmsg* msg = (struct rtmsg*)(NLMSG_DATA(hdr));
-	struct rtattr *rta = RTM_RTA(msg);
-	size_t rtasize = RTM_PAYLOAD(hdr);
-	host_t *host = NULL;
-
-	/* ignore routes added by us */
-	if (msg->rtm_table && msg->rtm_table == this->routing_table)
-	{
-		return;
-	}
-
-	while (RTA_OK(rta, rtasize))
-	{
-		switch (rta->rta_type)
-		{
-			case RTA_PREFSRC:
-				host = host_create_from_chunk(msg->rtm_family,
-							chunk_create(RTA_DATA(rta), RTA_PAYLOAD(rta)), 0);
-				break;
-		}
-		rta = RTA_NEXT(rta, rtasize);
-	}
-	if (host)
-	{
-		this->mutex->lock(this->mutex);
-		if (!get_vip_refcount(this, host))
-		{	/* ignore routes added for virtual IPs */
-			fire_roam_job(this, FALSE);
-		}
-		this->mutex->unlock(this->mutex);
-		host->destroy(host);
-	}
-}
-
-/**
- * Receives events from kernel
- */
-static job_requeue_t receive_events(private_kernel_netlink_net_t *this)
-{
-	char response[1024];
-	struct nlmsghdr *hdr = (struct nlmsghdr*)response;
-	struct sockaddr_nl addr;
-	socklen_t addr_len = sizeof(addr);
-	int len;
-	bool oldstate;
-
-	oldstate = thread_cancelability(TRUE);
-	len = recvfrom(this->socket_events, response, sizeof(response), 0,
-				   (struct sockaddr*)&addr, &addr_len);
-	thread_cancelability(oldstate);
-
-	if (len < 0)
-	{
-		switch (errno)
-		{
-			case EINTR:
-				/* interrupted, try again */
-				return JOB_REQUEUE_DIRECT;
-			case EAGAIN:
-				/* no data ready, select again */
-				return JOB_REQUEUE_DIRECT;
-			default:
-				DBG1(DBG_KNL, "unable to receive from rt event socket");
-				sleep(1);
-				return JOB_REQUEUE_FAIR;
-		}
-	}
-
-	if (addr.nl_pid != 0)
-	{	/* not from kernel. not interested, try another one */
-		return JOB_REQUEUE_DIRECT;
-	}
-
-	while (NLMSG_OK(hdr, len))
-	{
-		/* looks good so far, dispatch netlink message */
-		switch (hdr->nlmsg_type)
-		{
-			case RTM_NEWADDR:
-			case RTM_DELADDR:
-				process_addr(this, hdr, TRUE);
-				this->condvar->broadcast(this->condvar);
-				break;
-			case RTM_NEWLINK:
-			case RTM_DELLINK:
-				process_link(this, hdr, TRUE);
-				this->condvar->broadcast(this->condvar);
-				break;
-			case RTM_NEWROUTE:
-			case RTM_DELROUTE:
-				if (this->process_route)
-				{
-					process_route(this, hdr);
-				}
-				break;
-			default:
-				break;
-		}
-		hdr = NLMSG_NEXT(hdr, len);
-	}
-	return JOB_REQUEUE_DIRECT;
-}
-
-/** enumerator over addresses */
-typedef struct {
-	private_kernel_netlink_net_t* this;
-	/** whether to enumerate down interfaces */
-	bool include_down_ifaces;
-	/** whether to enumerate virtual ip addresses */
-	bool include_virtual_ips;
-} address_enumerator_t;
-
-/**
- * cleanup function for address enumerator
- */
-static void address_enumerator_destroy(address_enumerator_t *data)
-{
-	data->this->mutex->unlock(data->this->mutex);
-	free(data);
-}
-
-/**
- * filter for addresses
- */
-static bool filter_addresses(address_enumerator_t *data, addr_entry_t** in, host_t** out)
-{
-	if (!data->include_virtual_ips && (*in)->virtual)
-	{	/* skip virtual interfaces added by us */
-		return FALSE;
-	}
-	if ((*in)->scope >= RT_SCOPE_LINK)
-	{	/* skip addresses with a unusable scope */
-		return FALSE;
-	}
-	*out = (*in)->ip;
-	return TRUE;
-}
-
-/**
- * enumerator constructor for interfaces
- */
-static enumerator_t *create_iface_enumerator(iface_entry_t *iface, address_enumerator_t *data)
-{
-	return enumerator_create_filter(iface->addrs->create_enumerator(iface->addrs),
-				(void*)filter_addresses, data, NULL);
-}
-
-/**
- * filter for interfaces
- */
-static bool filter_interfaces(address_enumerator_t *data, iface_entry_t** in, iface_entry_t** out)
-{
-	if (!data->include_down_ifaces && !((*in)->flags & IFF_UP))
-	{	/* skip interfaces not up */
-		return FALSE;
-	}
-	*out = *in;
-	return TRUE;
-}
-
-/**
- * implementation of kernel_net_t.create_address_enumerator
- */
-static enumerator_t *create_address_enumerator(private_kernel_netlink_net_t *this,
-		bool include_down_ifaces, bool include_virtual_ips)
-{
-	address_enumerator_t *data = malloc_thing(address_enumerator_t);
-	data->this = this;
-	data->include_down_ifaces = include_down_ifaces;
-	data->include_virtual_ips = include_virtual_ips;
-
-	this->mutex->lock(this->mutex);
-	return enumerator_create_nested(
-				enumerator_create_filter(this->ifaces->create_enumerator(this->ifaces),
-							(void*)filter_interfaces, data, NULL),
-				(void*)create_iface_enumerator, data, (void*)address_enumerator_destroy);
-}
-
-/**
- * implementation of kernel_net_t.get_interface_name
- */
-static char *get_interface_name(private_kernel_netlink_net_t *this, host_t* ip)
-{
-	enumerator_t *ifaces, *addrs;
-	iface_entry_t *iface;
-	addr_entry_t *addr;
-	char *name = NULL;
-
-	DBG2(DBG_KNL, "getting interface name for %H", ip);
-
-	this->mutex->lock(this->mutex);
-	ifaces = this->ifaces->create_enumerator(this->ifaces);
-	while (ifaces->enumerate(ifaces, &iface))
-	{
-		addrs = iface->addrs->create_enumerator(iface->addrs);
-		while (addrs->enumerate(addrs, &addr))
-		{
-			if (ip->ip_equals(ip, addr->ip))
-			{
-				name = strdup(iface->ifname);
-				break;
-			}
-		}
-		addrs->destroy(addrs);
-		if (name)
-		{
-			break;
-		}
-	}
-	ifaces->destroy(ifaces);
-	this->mutex->unlock(this->mutex);
-
-	if (name)
-	{
-		DBG2(DBG_KNL, "%H is on interface %s", ip, name);
-	}
-	else
-	{
-		DBG2(DBG_KNL, "%H is not a local address", ip);
-	}
-	return name;
-}
-
-/**
- * get the index of an interface by name
- */
-static int get_interface_index(private_kernel_netlink_net_t *this, char* name)
-{
-	enumerator_t *ifaces;
-	iface_entry_t *iface;
-	int ifindex = 0;
-
-	DBG2(DBG_KNL, "getting iface index for %s", name);
-
-	this->mutex->lock(this->mutex);
-	ifaces = this->ifaces->create_enumerator(this->ifaces);
-	while (ifaces->enumerate(ifaces, &iface))
-	{
-		if (streq(name, iface->ifname))
-		{
-			ifindex = iface->ifindex;
-			break;
-		}
-	}
-	ifaces->destroy(ifaces);
-	this->mutex->unlock(this->mutex);
-
-	if (ifindex == 0)
-	{
-		DBG1(DBG_KNL, "unable to get interface index for %s", name);
-	}
-	return ifindex;
-}
-
-/**
- * Check if an interface with a given index is up
- */
-static bool is_interface_up(private_kernel_netlink_net_t *this, int index)
-{
-	enumerator_t *ifaces;
-	iface_entry_t *iface;
-	/* default to TRUE for interface we do not monitor (e.g. lo) */
-	bool up = TRUE;
-
-	ifaces = this->ifaces->create_enumerator(this->ifaces);
-	while (ifaces->enumerate(ifaces, &iface))
-	{
-		if (iface->ifindex == index)
-		{
-			up = iface->flags & IFF_UP;
-			break;
-		}
-	}
-	ifaces->destroy(ifaces);
-	return up;
-}
-
-/**
- * check if an address (chunk) addr is in subnet (net with net_len net bits)
- */
-static bool addr_in_subnet(chunk_t addr, chunk_t net, int net_len)
-{
-	static const u_char mask[] = { 0x00, 0x80, 0xc0, 0xe0, 0xf0, 0xf8, 0xfc, 0xfe };
-	int byte = 0;
-
-	if (net_len == 0)
-	{	/* any address matches a /0 network */
-		return TRUE;
-	}
-	if (addr.len != net.len || net_len > 8 * net.len )
-	{
-		return FALSE;
-	}
-	/* scan through all bytes in network order */
-	while (net_len > 0)
-	{
-		if (net_len < 8)
-		{
-			return (mask[net_len] & addr.ptr[byte]) == (mask[net_len] & net.ptr[byte]);
-		}
-		else
-		{
-			if (addr.ptr[byte] != net.ptr[byte])
-			{
-				return FALSE;
-			}
-			byte++;
-			net_len -= 8;
-		}
-	}
-	return TRUE;
-}
-
-/**
- * Get a route: If "nexthop", the nexthop is returned. source addr otherwise.
- */
-static host_t *get_route(private_kernel_netlink_net_t *this, host_t *dest,
-						 bool nexthop, host_t *candidate)
-{
-	netlink_buf_t request;
-	struct nlmsghdr *hdr, *out, *current;
-	struct rtmsg *msg;
-	chunk_t chunk;
-	size_t len;
-	int best = -1;
-	enumerator_t *enumerator;
-	host_t *src = NULL, *gtw = NULL;
-
-	DBG2(DBG_KNL, "getting address to reach %H", dest);
-
-	memset(&request, 0, sizeof(request));
-
-	hdr = (struct nlmsghdr*)request;
-	hdr->nlmsg_flags = NLM_F_REQUEST;
-	if (dest->get_family(dest) == AF_INET)
-	{
-		/* We dump all addresses for IPv4, as we want to ignore IPsec specific
-		 * routes installed by us. But the kernel does not return source
-		 * addresses in a IPv6 dump, so fall back to get() for v6 routes. */
-		hdr->nlmsg_flags |= NLM_F_ROOT | NLM_F_DUMP;
-	}
-	hdr->nlmsg_type = RTM_GETROUTE;
-	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg));
-
-	msg = (struct rtmsg*)NLMSG_DATA(hdr);
-	msg->rtm_family = dest->get_family(dest);
-	if (candidate)
-	{
-		chunk = candidate->get_address(candidate);
-		netlink_add_attribute(hdr, RTA_PREFSRC, chunk, sizeof(request));
-	}
-	chunk = dest->get_address(dest);
-	netlink_add_attribute(hdr, RTA_DST, chunk, sizeof(request));
-
-	if (this->socket->send(this->socket, hdr, &out, &len) != SUCCESS)
-	{
-		DBG1(DBG_KNL, "getting address to %H failed", dest);
-		return NULL;
-	}
-	this->mutex->lock(this->mutex);
-
-	for (current = out; NLMSG_OK(current, len);
-		 current = NLMSG_NEXT(current, len))
-	{
-		switch (current->nlmsg_type)
-		{
-			case NLMSG_DONE:
-				break;
-			case RTM_NEWROUTE:
-			{
-				struct rtattr *rta;
-				size_t rtasize;
-				chunk_t rta_gtw, rta_src, rta_dst;
-				u_int32_t rta_oif = 0;
-				host_t *new_src, *new_gtw;
-				bool cont = FALSE;
-				uintptr_t table;
-
-				rta_gtw = rta_src = rta_dst = chunk_empty;
-				msg = (struct rtmsg*)(NLMSG_DATA(current));
-				rta = RTM_RTA(msg);
-				rtasize = RTM_PAYLOAD(current);
-				while (RTA_OK(rta, rtasize))
-				{
-					switch (rta->rta_type)
-					{
-						case RTA_PREFSRC:
-							rta_src = chunk_create(RTA_DATA(rta), RTA_PAYLOAD(rta));
-							break;
-						case RTA_GATEWAY:
-							rta_gtw = chunk_create(RTA_DATA(rta), RTA_PAYLOAD(rta));
-							break;
-						case RTA_DST:
-							rta_dst = chunk_create(RTA_DATA(rta), RTA_PAYLOAD(rta));
-							break;
-						case RTA_OIF:
-							if (RTA_PAYLOAD(rta) == sizeof(rta_oif))
-							{
-								rta_oif = *(u_int32_t*)RTA_DATA(rta);
-							}
-							break;
-					}
-					rta = RTA_NEXT(rta, rtasize);
-				}
-				if (msg->rtm_dst_len <= best)
-				{	/* not better than a previous one */
-					continue;
-				}
-				enumerator = this->rt_exclude->create_enumerator(this->rt_exclude);
-				while (enumerator->enumerate(enumerator, &table))
-				{
-					if (table == msg->rtm_table)
-					{
-						cont = TRUE;
-						break;
-					}
-				}
-				enumerator->destroy(enumerator);
-				if (cont)
-				{
-					continue;
-				}
-				if (this->routing_table != 0 &&
-					msg->rtm_table == this->routing_table)
-				{	/* route is from our own ipsec routing table */
-					continue;
-				}
-				if (rta_oif && !is_interface_up(this, rta_oif))
-				{	/* interface is down */
-					continue;
-				}
-				if (!addr_in_subnet(chunk, rta_dst, msg->rtm_dst_len))
-				{	/* route destination does not contain dest */
-					continue;
-				}
-
-				if (nexthop)
-				{
-					/* nexthop lookup, return gateway if any */
-					DESTROY_IF(gtw);
-					gtw = host_create_from_chunk(msg->rtm_family, rta_gtw, 0);
-					best = msg->rtm_dst_len;
-					continue;
-				}
-				if (rta_src.ptr)
-				{
-					/* got a source address */
-					new_src = host_create_from_chunk(msg->rtm_family, rta_src, 0);
-					if (new_src)
-					{
-						if (get_vip_refcount(this, new_src))
-						{	/* skip source address if it is installed by us */
-							new_src->destroy(new_src);
-						}
-						else
-						{
-							DESTROY_IF(src);
-							src = new_src;
-							best = msg->rtm_dst_len;
-						}
-					}
-					continue;
-				}
-				if (rta_gtw.ptr)
-				{	/* no source, but a gateway. Lookup source to reach gtw. */
-					new_gtw = host_create_from_chunk(msg->rtm_family, rta_gtw, 0);
-					new_src = get_route(this, new_gtw, FALSE, candidate);
-					new_gtw->destroy(new_gtw);
-					if (new_src)
-					{
-						DESTROY_IF(src);
-						src = new_src;
-						best = msg->rtm_dst_len;
-					}
-					continue;
-				}
-				continue;
-			}
-			default:
-				continue;
-		}
-		break;
-	}
-	free(out);
-	this->mutex->unlock(this->mutex);
-
-	if (nexthop)
-	{
-		if (gtw)
-		{
-			return gtw;
-		}
-		return dest->clone(dest);
-	}
-	return src;
-}
-
-/**
- * Implementation of kernel_net_t.get_source_addr.
- */
-static host_t* get_source_addr(private_kernel_netlink_net_t *this,
-							   host_t *dest, host_t *src)
-{
-	return get_route(this, dest, FALSE, src);
-}
-
-/**
- * Implementation of kernel_net_t.get_nexthop.
- */
-static host_t* get_nexthop(private_kernel_netlink_net_t *this, host_t *dest)
-{
-	return get_route(this, dest, TRUE, NULL);
-}
-
-/**
- * Manages the creation and deletion of ip addresses on an interface.
- * By setting the appropriate nlmsg_type, the ip will be set or unset.
- */
-static status_t manage_ipaddr(private_kernel_netlink_net_t *this, int nlmsg_type,
-							  int flags, int if_index, host_t *ip)
-{
-	netlink_buf_t request;
-	struct nlmsghdr *hdr;
-	struct ifaddrmsg *msg;
-	chunk_t chunk;
-
-	memset(&request, 0, sizeof(request));
-
-	chunk = ip->get_address(ip);
-
-	hdr = (struct nlmsghdr*)request;
-	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags;
-	hdr->nlmsg_type = nlmsg_type;
-	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct ifaddrmsg));
-
-	msg = (struct ifaddrmsg*)NLMSG_DATA(hdr);
-	msg->ifa_family = ip->get_family(ip);
-	msg->ifa_flags = 0;
-	msg->ifa_prefixlen = 8 * chunk.len;
-	msg->ifa_scope = RT_SCOPE_UNIVERSE;
-	msg->ifa_index = if_index;
-
-	netlink_add_attribute(hdr, IFA_LOCAL, chunk, sizeof(request));
-
-	return this->socket->send_ack(this->socket, hdr);
-}
-
-/**
- * Implementation of kernel_net_t.add_ip.
- */
-static status_t add_ip(private_kernel_netlink_net_t *this,
-						host_t *virtual_ip, host_t *iface_ip)
-{
-	iface_entry_t *iface;
-	addr_entry_t *addr;
-	enumerator_t *addrs, *ifaces;
-	int ifindex;
-
-	if (!this->install_virtual_ip)
-	{	/* disabled by config */
-		return SUCCESS;
-	}
-
-	DBG2(DBG_KNL, "adding virtual IP %H", virtual_ip);
-
-	this->mutex->lock(this->mutex);
-	ifaces = this->ifaces->create_enumerator(this->ifaces);
-	while (ifaces->enumerate(ifaces, &iface))
-	{
-		bool iface_found = FALSE;
-
-		addrs = iface->addrs->create_enumerator(iface->addrs);
-		while (addrs->enumerate(addrs, &addr))
-		{
-			if (iface_ip->ip_equals(iface_ip, addr->ip))
-			{
-				iface_found = TRUE;
-			}
-			else if (virtual_ip->ip_equals(virtual_ip, addr->ip))
-			{
-				addr->refcount++;
-				DBG2(DBG_KNL, "virtual IP %H already installed on %s",
-					 virtual_ip, iface->ifname);
-				addrs->destroy(addrs);
-				ifaces->destroy(ifaces);
-				this->mutex->unlock(this->mutex);
-				return SUCCESS;
-			}
-		}
-		addrs->destroy(addrs);
-
-		if (iface_found)
-		{
-			ifindex = iface->ifindex;
-			addr = malloc_thing(addr_entry_t);
-			addr->ip = virtual_ip->clone(virtual_ip);
-			addr->refcount = 0;
-			addr->virtual = TRUE;
-			addr->scope = RT_SCOPE_UNIVERSE;
-			iface->addrs->insert_last(iface->addrs, addr);
-
-			if (manage_ipaddr(this, RTM_NEWADDR, NLM_F_CREATE | NLM_F_EXCL,
-							  ifindex, virtual_ip) == SUCCESS)
-			{
-				while (get_vip_refcount(this, virtual_ip) == 0)
-				{	/* wait until address appears */
-					this->condvar->wait(this->condvar, this->mutex);
-				}
-				ifaces->destroy(ifaces);
-				this->mutex->unlock(this->mutex);
-				return SUCCESS;
-			}
-			ifaces->destroy(ifaces);
-			this->mutex->unlock(this->mutex);
-			DBG1(DBG_KNL, "adding virtual IP %H failed", virtual_ip);
-			return FAILED;
-		}
-	}
-	ifaces->destroy(ifaces);
-	this->mutex->unlock(this->mutex);
-
-	DBG1(DBG_KNL, "interface address %H not found, unable to install"
-		 "virtual IP %H", iface_ip, virtual_ip);
-	return FAILED;
-}
-
-/**
- * Implementation of kernel_net_t.del_ip.
- */
-static status_t del_ip(private_kernel_netlink_net_t *this, host_t *virtual_ip)
-{
-	iface_entry_t *iface;
-	addr_entry_t *addr;
-	enumerator_t *addrs, *ifaces;
-	status_t status;
-	int ifindex;
-
-	if (!this->install_virtual_ip)
-	{	/* disabled by config */
-		return SUCCESS;
-	}
-
-	DBG2(DBG_KNL, "deleting virtual IP %H", virtual_ip);
-
-	this->mutex->lock(this->mutex);
-	ifaces = this->ifaces->create_enumerator(this->ifaces);
-	while (ifaces->enumerate(ifaces, &iface))
-	{
-		addrs = iface->addrs->create_enumerator(iface->addrs);
-		while (addrs->enumerate(addrs, &addr))
-		{
-			if (virtual_ip->ip_equals(virtual_ip, addr->ip))
-			{
-				ifindex = iface->ifindex;
-				if (addr->refcount == 1)
-				{
-					status = manage_ipaddr(this, RTM_DELADDR, 0,
-										   ifindex, virtual_ip);
-					if (status == SUCCESS)
-					{	/* wait until the address is really gone */
-						while (get_vip_refcount(this, virtual_ip) > 0)
-						{
-							this->condvar->wait(this->condvar, this->mutex);
-						}
-					}
-					addrs->destroy(addrs);
-					ifaces->destroy(ifaces);
-					this->mutex->unlock(this->mutex);
-					return status;
-				}
-				else
-				{
-					addr->refcount--;
-				}
-				DBG2(DBG_KNL, "virtual IP %H used by other SAs, not deleting",
-					 virtual_ip);
-				addrs->destroy(addrs);
-				ifaces->destroy(ifaces);
-				this->mutex->unlock(this->mutex);
-				return SUCCESS;
-			}
-		}
-		addrs->destroy(addrs);
-	}
-	ifaces->destroy(ifaces);
-	this->mutex->unlock(this->mutex);
-
-	DBG2(DBG_KNL, "virtual IP %H not cached, unable to delete", virtual_ip);
-	return FAILED;
-}
-
-/**
- * Manages source routes in the routing table.
- * By setting the appropriate nlmsg_type, the route gets added or removed.
- */
-static status_t manage_srcroute(private_kernel_netlink_net_t *this, int nlmsg_type,
-								int flags, chunk_t dst_net, u_int8_t prefixlen,
-								host_t *gateway, host_t *src_ip, char *if_name)
-{
-	netlink_buf_t request;
-	struct nlmsghdr *hdr;
-	struct rtmsg *msg;
-	int ifindex;
-	chunk_t chunk;
-
-	/* if route is 0.0.0.0/0, we can't install it, as it would
-	 * overwrite the default route. Instead, we add two routes:
-	 * 0.0.0.0/1 and 128.0.0.0/1 */
-	if (this->routing_table == 0 && prefixlen == 0)
-	{
-		chunk_t half_net;
-		u_int8_t half_prefixlen;
-		status_t status;
-
-		half_net = chunk_alloca(dst_net.len);
-		memset(half_net.ptr, 0, half_net.len);
-		half_prefixlen = 1;
-
-		status = manage_srcroute(this, nlmsg_type, flags, half_net, half_prefixlen,
-					gateway, src_ip, if_name);
-		half_net.ptr[0] |= 0x80;
-		status = manage_srcroute(this, nlmsg_type, flags, half_net, half_prefixlen,
-					gateway, src_ip, if_name);
-		return status;
-	}
-
-	memset(&request, 0, sizeof(request));
-
-	hdr = (struct nlmsghdr*)request;
-	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags;
-	hdr->nlmsg_type = nlmsg_type;
-	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg));
-
-	msg = (struct rtmsg*)NLMSG_DATA(hdr);
-	msg->rtm_family = src_ip->get_family(src_ip);
-	msg->rtm_dst_len = prefixlen;
-	msg->rtm_table = this->routing_table;
-	msg->rtm_protocol = RTPROT_STATIC;
-	msg->rtm_type = RTN_UNICAST;
-	msg->rtm_scope = RT_SCOPE_UNIVERSE;
-
-	netlink_add_attribute(hdr, RTA_DST, dst_net, sizeof(request));
-	chunk = src_ip->get_address(src_ip);
-	netlink_add_attribute(hdr, RTA_PREFSRC, chunk, sizeof(request));
-	if (gateway && gateway->get_family(gateway) == src_ip->get_family(src_ip))
-	{
-		chunk = gateway->get_address(gateway);
-		netlink_add_attribute(hdr, RTA_GATEWAY, chunk, sizeof(request));
-	}
-	ifindex = get_interface_index(this, if_name);
-	chunk.ptr = (char*)&ifindex;
-	chunk.len = sizeof(ifindex);
-	netlink_add_attribute(hdr, RTA_OIF, chunk, sizeof(request));
-
-	return this->socket->send_ack(this->socket, hdr);
-}
-
-/**
- * Implementation of kernel_net_t.add_route.
- */
-static status_t add_route(private_kernel_netlink_net_t *this, chunk_t dst_net,
-		u_int8_t prefixlen, host_t *gateway, host_t *src_ip, char *if_name)
-{
-	return manage_srcroute(this, RTM_NEWROUTE, NLM_F_CREATE | NLM_F_EXCL,
-				dst_net, prefixlen, gateway, src_ip, if_name);
-}
-
-/**
- * Implementation of kernel_net_t.del_route.
- */
-static status_t del_route(private_kernel_netlink_net_t *this, chunk_t dst_net,
-		u_int8_t prefixlen, host_t *gateway, host_t *src_ip, char *if_name)
-{
-	return manage_srcroute(this, RTM_DELROUTE, 0, dst_net, prefixlen,
-				gateway, src_ip, if_name);
-}
-
-/**
- * Initialize a list of local addresses.
- */
-static status_t init_address_list(private_kernel_netlink_net_t *this)
-{
-	netlink_buf_t request;
-	struct nlmsghdr *out, *current, *in;
-	struct rtgenmsg *msg;
-	size_t len;
-	enumerator_t *ifaces, *addrs;
-	iface_entry_t *iface;
-	addr_entry_t *addr;
-
-	DBG1(DBG_KNL, "listening on interfaces:");
-
-	memset(&request, 0, sizeof(request));
-
-	in = (struct nlmsghdr*)&request;
-	in->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtgenmsg));
-	in->nlmsg_flags = NLM_F_REQUEST | NLM_F_MATCH | NLM_F_ROOT;
-	msg = (struct rtgenmsg*)NLMSG_DATA(in);
-	msg->rtgen_family = AF_UNSPEC;
-
-	/* get all links */
-	in->nlmsg_type = RTM_GETLINK;
-	if (this->socket->send(this->socket, in, &out, &len) != SUCCESS)
-	{
-		return FAILED;
-	}
-	current = out;
-	while (NLMSG_OK(current, len))
-	{
-		switch (current->nlmsg_type)
-		{
-			case NLMSG_DONE:
-				break;
-			case RTM_NEWLINK:
-				process_link(this, current, FALSE);
-				/* fall through */
-			default:
-				current = NLMSG_NEXT(current, len);
-				continue;
-		}
-		break;
-	}
-	free(out);
-
-	/* get all interface addresses */
-	in->nlmsg_type = RTM_GETADDR;
-	if (this->socket->send(this->socket, in, &out, &len) != SUCCESS)
-	{
-		return FAILED;
-	}
-	current = out;
-	while (NLMSG_OK(current, len))
-	{
-		switch (current->nlmsg_type)
-		{
-			case NLMSG_DONE:
-				break;
-			case RTM_NEWADDR:
-				process_addr(this, current, FALSE);
-				/* fall through */
-			default:
-				current = NLMSG_NEXT(current, len);
-				continue;
-		}
-		break;
-	}
-	free(out);
-
-	this->mutex->lock(this->mutex);
-	ifaces = this->ifaces->create_enumerator(this->ifaces);
-	while (ifaces->enumerate(ifaces, &iface))
-	{
-		if (iface->flags & IFF_UP)
-		{
-			DBG1(DBG_KNL, "  %s", iface->ifname);
-			addrs = iface->addrs->create_enumerator(iface->addrs);
-			while (addrs->enumerate(addrs, (void**)&addr))
-			{
-				DBG1(DBG_KNL, "    %H", addr->ip);
-			}
-			addrs->destroy(addrs);
-		}
-	}
-	ifaces->destroy(ifaces);
-	this->mutex->unlock(this->mutex);
-	return SUCCESS;
-}
-
-/**
- * create or delete a rule to use our routing table
- */
-static status_t manage_rule(private_kernel_netlink_net_t *this, int nlmsg_type,
-							int family, u_int32_t table, u_int32_t prio)
-{
-	netlink_buf_t request;
-	struct nlmsghdr *hdr;
-	struct rtmsg *msg;
-	chunk_t chunk;
-
-	memset(&request, 0, sizeof(request));
-	hdr = (struct nlmsghdr*)request;
-	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
-	hdr->nlmsg_type = nlmsg_type;
-	if (nlmsg_type == RTM_NEWRULE)
-	{
-		hdr->nlmsg_flags |= NLM_F_CREATE | NLM_F_EXCL;
-	}
-	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg));
-
-	msg = (struct rtmsg*)NLMSG_DATA(hdr);
-	msg->rtm_table = table;
-	msg->rtm_family = family;
-	msg->rtm_protocol = RTPROT_BOOT;
-	msg->rtm_scope = RT_SCOPE_UNIVERSE;
-	msg->rtm_type = RTN_UNICAST;
-
-	chunk = chunk_from_thing(prio);
-	netlink_add_attribute(hdr, RTA_PRIORITY, chunk, sizeof(request));
-
-	return this->socket->send_ack(this->socket, hdr);
-}
-
-/**
- * Implementation of kernel_netlink_net_t.destroy.
- */
-static void destroy(private_kernel_netlink_net_t *this)
-{
-	if (this->routing_table)
-	{
-		manage_rule(this, RTM_DELRULE, AF_INET, this->routing_table,
-					this->routing_table_prio);
-		manage_rule(this, RTM_DELRULE, AF_INET6, this->routing_table,
-					this->routing_table_prio);
-	}
-	if (this->job)
-	{
-		this->job->cancel(this->job);
-	}
-	if (this->socket_events > 0)
-	{
-		close(this->socket_events);
-	}
-	DESTROY_IF(this->socket);
-	this->ifaces->destroy_function(this->ifaces, (void*)iface_entry_destroy);
-	this->rt_exclude->destroy(this->rt_exclude);
-	this->condvar->destroy(this->condvar);
-	this->mutex->destroy(this->mutex);
-	free(this);
-}
-
-/*
- * Described in header.
- */
-kernel_netlink_net_t *kernel_netlink_net_create()
-{
-	private_kernel_netlink_net_t *this = malloc_thing(private_kernel_netlink_net_t);
-	struct sockaddr_nl addr;
-	enumerator_t *enumerator;
-	char *exclude;
-
-	/* public functions */
-	this->public.interface.get_interface = (char*(*)(kernel_net_t*,host_t*))get_interface_name;
-	this->public.interface.create_address_enumerator = (enumerator_t*(*)(kernel_net_t*,bool,bool))create_address_enumerator;
-	this->public.interface.get_source_addr = (host_t*(*)(kernel_net_t*, host_t *dest, host_t *src))get_source_addr;
-	this->public.interface.get_nexthop = (host_t*(*)(kernel_net_t*, host_t *dest))get_nexthop;
-	this->public.interface.add_ip = (status_t(*)(kernel_net_t*,host_t*,host_t*)) add_ip;
-	this->public.interface.del_ip = (status_t(*)(kernel_net_t*,host_t*)) del_ip;
-	this->public.interface.add_route = (status_t(*)(kernel_net_t*,chunk_t,u_int8_t,host_t*,host_t*,char*)) add_route;
-	this->public.interface.del_route = (status_t(*)(kernel_net_t*,chunk_t,u_int8_t,host_t*,host_t*,char*)) del_route;
-	this->public.interface.destroy = (void(*)(kernel_net_t*)) destroy;
-
-	/* private members */
-	this->ifaces = linked_list_create();
-	this->mutex = mutex_create(MUTEX_TYPE_RECURSIVE);
-	this->condvar = condvar_create(CONDVAR_TYPE_DEFAULT);
-	timerclear(&this->last_roam);
-	this->routing_table = lib->settings->get_int(lib->settings,
-					"charon.routing_table", ROUTING_TABLE);
-	this->routing_table_prio = lib->settings->get_int(lib->settings,
-					"charon.routing_table_prio", ROUTING_TABLE_PRIO);
-	this->process_route = lib->settings->get_bool(lib->settings,
-					"charon.process_route", TRUE);
-	this->install_virtual_ip = lib->settings->get_bool(lib->settings,
-					"charon.install_virtual_ip", TRUE);
-
-	this->rt_exclude = linked_list_create();
-	exclude = lib->settings->get_str(lib->settings,
-					"charon.ignore_routing_tables", NULL);
-	if (exclude)
-	{
-		char *token;
-		uintptr_t table;
-
-		enumerator = enumerator_create_token(exclude, " ", " ");
-		while (enumerator->enumerate(enumerator, &token))
-		{
-			errno = 0;
-			table = strtoul(token, NULL, 10);
-
-			if (errno == 0)
-			{
-				this->rt_exclude->insert_last(this->rt_exclude, (void*)table);
-			}
-		}
-		enumerator->destroy(enumerator);
-	}
-
-	this->socket = netlink_socket_create(NETLINK_ROUTE);
-	this->job = NULL;
-
-	memset(&addr, 0, sizeof(addr));
-	addr.nl_family = AF_NETLINK;
-
-	/* create and bind RT socket for events (address/interface/route changes) */
-	this->socket_events = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
-	if (this->socket_events < 0)
-	{
-		DBG1(DBG_KNL, "unable to create RT event socket");
-		destroy(this);
-		return NULL;
-	}
-	addr.nl_groups = RTMGRP_IPV4_IFADDR | RTMGRP_IPV6_IFADDR |
-					 RTMGRP_IPV4_ROUTE | RTMGRP_IPV4_ROUTE | RTMGRP_LINK;
-	if (bind(this->socket_events, (struct sockaddr*)&addr, sizeof(addr)))
-	{
-		DBG1(DBG_KNL, "unable to bind RT event socket");
-		destroy(this);
-		return NULL;
-	}
-
-	this->job = callback_job_create((callback_job_cb_t)receive_events,
-									this, NULL, NULL);
-	charon->processor->queue_job(charon->processor, (job_t*)this->job);
-
-	if (init_address_list(this) != SUCCESS)
-	{
-		DBG1(DBG_KNL, "unable to get interface list");
-		destroy(this);
-		return NULL;
-	}
-
-	if (this->routing_table)
-	{
-		if (manage_rule(this, RTM_NEWRULE, AF_INET, this->routing_table,
-						this->routing_table_prio) != SUCCESS)
-		{
-			DBG1(DBG_KNL, "unable to create IPv4 routing table rule");
-		}
-		if (manage_rule(this, RTM_NEWRULE, AF_INET6, this->routing_table,
-						this->routing_table_prio) != SUCCESS)
-		{
-			DBG1(DBG_KNL, "unable to create IPv6 routing table rule");
-		}
-	}
-
-	return &this->public;
-}
diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.h b/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.h
deleted file mode 100644
index ff9831d3c..000000000
--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.h
+++ /dev/null
@@ -1,46 +0,0 @@
-/*
- * Copyright (C) 2008 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup kernel_netlink_net_i kernel_netlink_net
- * @{ @ingroup kernel_netlink
- */
-
-#ifndef KERNEL_NETLINK_NET_H_
-#define KERNEL_NETLINK_NET_H_
-
-#include <kernel/kernel_net.h>
-
-typedef struct kernel_netlink_net_t kernel_netlink_net_t;
-
-/**
- * Implementation of the kernel network interface using Netlink.
- */
-struct kernel_netlink_net_t {
-
-	/**
-	 * Implements kernel_net_t interface
-	 */
-	kernel_net_t interface;
-};
-
-/**
- * Create a netlink kernel network interface instance.
- *
- * @return			kernel_netlink_net_t instance
- */
-kernel_netlink_net_t *kernel_netlink_net_create();
-
-#endif /** KERNEL_NETLINK_NET_H_ @}*/
diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_plugin.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_plugin.c
deleted file mode 100644
index 4c61265aa..000000000
--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_plugin.c
+++ /dev/null
@@ -1,59 +0,0 @@
-/*
- * Copyright (C) 2008 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-
-#include "kernel_netlink_plugin.h"
-
-#include "kernel_netlink_ipsec.h"
-#include "kernel_netlink_net.h"
-
-#include <daemon.h>
-
-typedef struct private_kernel_netlink_plugin_t private_kernel_netlink_plugin_t;
-
-/**
- * private data of kernel netlink plugin
- */
-struct private_kernel_netlink_plugin_t {
-	/**
-	 * implements plugin interface
-	 */
-	kernel_netlink_plugin_t public;
-};
-
-/**
- * Implementation of plugin_t.destroy
- */
-static void destroy(private_kernel_netlink_plugin_t *this)
-{
-	charon->kernel_interface->remove_ipsec_interface(charon->kernel_interface, (kernel_ipsec_constructor_t)kernel_netlink_ipsec_create);
-	charon->kernel_interface->remove_net_interface(charon->kernel_interface, (kernel_net_constructor_t)kernel_netlink_net_create);
-	free(this);
-}
-
-/*
- * see header file
- */
-plugin_t *kernel_netlink_plugin_create()
-{
-	private_kernel_netlink_plugin_t *this = malloc_thing(private_kernel_netlink_plugin_t);
-
-	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-
-	charon->kernel_interface->add_ipsec_interface(charon->kernel_interface, (kernel_ipsec_constructor_t)kernel_netlink_ipsec_create);
-	charon->kernel_interface->add_net_interface(charon->kernel_interface, (kernel_net_constructor_t)kernel_netlink_net_create);
-
-	return &this->public.plugin;
-}
diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_plugin.h b/src/libcharon/plugins/kernel_netlink/kernel_netlink_plugin.h
deleted file mode 100644
index 74c9ae24f..000000000
--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_plugin.h
+++ /dev/null
@@ -1,42 +0,0 @@
-/*
- * Copyright (C) 2008 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup kernel_netlink kernel_netlink
- * @ingroup cplugins
- *
- * @defgroup kernel_netlink_plugin kernel_netlink_plugin
- * @{ @ingroup kernel_netlink
- */
-
-#ifndef KERNEL_NETLINK_PLUGIN_H_
-#define KERNEL_NETLINK_PLUGIN_H_
-
-#include <plugins/plugin.h>
-
-typedef struct kernel_netlink_plugin_t kernel_netlink_plugin_t;
-
-/**
- * netlink kernel interface plugin
- */
-struct kernel_netlink_plugin_t {
-
-	/**
-	 * implements plugin interface
-	 */
-	plugin_t plugin;
-};
-
-#endif /** KERNEL_NETLINK_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.c
deleted file mode 100644
index 5ed568150..000000000
--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.c
+++ /dev/null
@@ -1,306 +0,0 @@
-/*
- * Copyright (C) 2008 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <sys/socket.h>
-#include <linux/netlink.h>
-#include <linux/rtnetlink.h>
-#include <errno.h>
-#include <unistd.h>
-
-#include "kernel_netlink_shared.h"
-
-#include <daemon.h>
-#include <threading/mutex.h>
-
-typedef struct private_netlink_socket_t private_netlink_socket_t;
-
-/**
- * Private variables and functions of netlink_socket_t class.
- */
-struct private_netlink_socket_t {
-	/**
-	 * public part of the netlink_socket_t object.
-	 */
-	netlink_socket_t public;
-
-	/**
-	 * mutex to lock access to netlink socket
-	 */
-	mutex_t *mutex;
-
-	/**
-	 * current sequence number for netlink request
-	 */
-	int seq;
-
-	/**
-	 * netlink socket protocol
-	 */
-	int protocol;
-
-	/**
-	 * netlink socket
-	 */
-	int socket;
-};
-
-/**
- * Imported from kernel_netlink_ipsec.c
- */
-extern enum_name_t *xfrm_msg_names;
-
-/**
- * Implementation of netlink_socket_t.send
- */
-static status_t netlink_send(private_netlink_socket_t *this, struct nlmsghdr *in,
-			  struct nlmsghdr **out, size_t *out_len)
-{
-	int len, addr_len;
-	struct sockaddr_nl addr;
-	chunk_t result = chunk_empty, tmp;
-	struct nlmsghdr *msg, peek;
-
-	this->mutex->lock(this->mutex);
-
-	in->nlmsg_seq = ++this->seq;
-	in->nlmsg_pid = getpid();
-
-	memset(&addr, 0, sizeof(addr));
-	addr.nl_family = AF_NETLINK;
-	addr.nl_pid = 0;
-	addr.nl_groups = 0;
-
-	if (this->protocol == NETLINK_XFRM)
-	{
-		chunk_t in_chunk = { (u_char*)in, in->nlmsg_len };
-
-		DBG3(DBG_KNL, "sending %N: %B", xfrm_msg_names, in->nlmsg_type, &in_chunk);
-	}
-
-	while (TRUE)
-	{
-		len = sendto(this->socket, in, in->nlmsg_len, 0,
-					 (struct sockaddr*)&addr, sizeof(addr));
-
-		if (len != in->nlmsg_len)
-		{
-			if (errno == EINTR)
-			{
-				/* interrupted, try again */
-				continue;
-			}
-			this->mutex->unlock(this->mutex);
-			DBG1(DBG_KNL, "error sending to netlink socket: %s", strerror(errno));
-			return FAILED;
-		}
-		break;
-	}
-
-	while (TRUE)
-	{
-		char buf[4096];
-		tmp.len = sizeof(buf);
-		tmp.ptr = buf;
-		msg = (struct nlmsghdr*)tmp.ptr;
-
-		memset(&addr, 0, sizeof(addr));
-		addr.nl_family = AF_NETLINK;
-		addr.nl_pid = getpid();
-		addr.nl_groups = 0;
-		addr_len = sizeof(addr);
-
-		len = recvfrom(this->socket, tmp.ptr, tmp.len, 0,
-					   (struct sockaddr*)&addr, &addr_len);
-
-		if (len < 0)
-		{
-			if (errno == EINTR)
-			{
-				DBG1(DBG_KNL, "got interrupted");
-				/* interrupted, try again */
-				continue;
-			}
-			DBG1(DBG_KNL, "error reading from netlink socket: %s", strerror(errno));
-			this->mutex->unlock(this->mutex);
-			free(result.ptr);
-			return FAILED;
-		}
-		if (!NLMSG_OK(msg, len))
-		{
-			DBG1(DBG_KNL, "received corrupted netlink message");
-			this->mutex->unlock(this->mutex);
-			free(result.ptr);
-			return FAILED;
-		}
-		if (msg->nlmsg_seq != this->seq)
-		{
-			DBG1(DBG_KNL, "received invalid netlink sequence number");
-			if (msg->nlmsg_seq < this->seq)
-			{
-				continue;
-			}
-			this->mutex->unlock(this->mutex);
-			free(result.ptr);
-			return FAILED;
-		}
-
-		tmp.len = len;
-		result.ptr = realloc(result.ptr, result.len + tmp.len);
-		memcpy(result.ptr + result.len, tmp.ptr, tmp.len);
-		result.len += tmp.len;
-
-		/* NLM_F_MULTI flag does not seem to be set correctly, we use sequence
-		 * numbers to detect multi header messages */
-		len = recvfrom(this->socket, &peek, sizeof(peek), MSG_PEEK | MSG_DONTWAIT,
-					   (struct sockaddr*)&addr, &addr_len);
-
-		if (len == sizeof(peek) && peek.nlmsg_seq == this->seq)
-		{
-			/* seems to be multipart */
-			continue;
-		}
-		break;
-	}
-
-	*out_len = result.len;
-	*out = (struct nlmsghdr*)result.ptr;
-
-	this->mutex->unlock(this->mutex);
-
-	return SUCCESS;
-}
-
-/**
- * Implementation of netlink_socket_t.send_ack.
- */
-static status_t netlink_send_ack(private_netlink_socket_t *this, struct nlmsghdr *in)
-{
-	struct nlmsghdr *out, *hdr;
-	size_t len;
-
-	if (netlink_send(this, in, &out, &len) != SUCCESS)
-	{
-		return FAILED;
-	}
-	hdr = out;
-	while (NLMSG_OK(hdr, len))
-	{
-		switch (hdr->nlmsg_type)
-		{
-			case NLMSG_ERROR:
-			{
-				struct nlmsgerr* err = (struct nlmsgerr*)NLMSG_DATA(hdr);
-
-				if (err->error)
-				{
-					if (-err->error == EEXIST)
-					{	/* do not report existing routes */
-						free(out);
-						return ALREADY_DONE;
-					}
-					DBG1(DBG_KNL, "received netlink error: %s (%d)",
-						 strerror(-err->error), -err->error);
-					free(out);
-					return FAILED;
-				}
-				free(out);
-				return SUCCESS;
-			}
-			default:
-				hdr = NLMSG_NEXT(hdr, len);
-				continue;
-			case NLMSG_DONE:
-				break;
-		}
-		break;
-	}
-	DBG1(DBG_KNL, "netlink request not acknowledged");
-	free(out);
-	return FAILED;
-}
-
-/**
- * Implementation of netlink_socket_t.destroy.
- */
-static void destroy(private_netlink_socket_t *this)
-{
-	if (this->socket > 0)
-	{
-		close(this->socket);
-	}
-	this->mutex->destroy(this->mutex);
-	free(this);
-}
-
-/**
- * Described in header.
- */
-netlink_socket_t *netlink_socket_create(int protocol)
-{
-	private_netlink_socket_t *this = malloc_thing(private_netlink_socket_t);
-	struct sockaddr_nl addr;
-
-	/* public functions */
-	this->public.send = (status_t(*)(netlink_socket_t*,struct nlmsghdr*, struct nlmsghdr**, size_t*))netlink_send;
-	this->public.send_ack = (status_t(*)(netlink_socket_t*,struct nlmsghdr*))netlink_send_ack;
-	this->public.destroy = (void(*)(netlink_socket_t*))destroy;
-
-	/* private members */
-	this->seq = 200;
-	this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
-
-	memset(&addr, 0, sizeof(addr));
-	addr.nl_family = AF_NETLINK;
-
-	this->protocol = protocol;
-	this->socket = socket(AF_NETLINK, SOCK_RAW, protocol);
-	if (this->socket < 0)
-	{
-		DBG1(DBG_KNL, "unable to create netlink socket");
-		destroy(this);
-		return NULL;
-	}
-
-	addr.nl_groups = 0;
-	if (bind(this->socket, (struct sockaddr*)&addr, sizeof(addr)))
-	{
-		DBG1(DBG_KNL, "unable to bind netlink socket");
-		destroy(this);
-		return NULL;
-	}
-
-	return &this->public;
-}
-
-/**
- * Described in header.
- */
-void netlink_add_attribute(struct nlmsghdr *hdr, int rta_type, chunk_t data,
-						  size_t buflen)
-{
-	struct rtattr *rta;
-
-	if (NLMSG_ALIGN(hdr->nlmsg_len) + RTA_ALIGN(data.len) > buflen)
-	{
-		DBG1(DBG_KNL, "unable to add attribute, buffer too small");
-		return;
-	}
-
-	rta = (struct rtattr*)(((char*)hdr) + NLMSG_ALIGN(hdr->nlmsg_len));
-	rta->rta_type = rta_type;
-	rta->rta_len = RTA_LENGTH(data.len);
-	memcpy(RTA_DATA(rta), data.ptr, data.len);
-	hdr->nlmsg_len = NLMSG_ALIGN(hdr->nlmsg_len) + rta->rta_len;
-}
diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.h b/src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.h
deleted file mode 100644
index dfd27a21a..000000000
--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.h
+++ /dev/null
@@ -1,77 +0,0 @@
-/*
- * Copyright (C) 2008 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#ifndef KERNEL_NETLINK_SHARED_H_
-#define KERNEL_NETLINK_SHARED_H_
-
-#include <library.h>
-
-#include <linux/rtnetlink.h>
-
-/**
- * General purpose netlink buffer.
- *
- * 1024 byte is currently sufficient for all operations. Some platform
- * require an enforced aligment to four bytes (e.g. ARM).
- */
-typedef u_char netlink_buf_t[1024] __attribute__((aligned(RTA_ALIGNTO)));
-
-typedef struct netlink_socket_t netlink_socket_t;
-
-/**
- * Wrapper around a netlink socket.
- */
-struct netlink_socket_t {
-
-	/**
-	 * Send a netlink message and wait for a reply.
-	 *
-	 * @param	in		netlink message to send
-	 * @param	out 	received netlink message
-	 * @param	out_len	length of the received message
-	 */
-	status_t (*send)(netlink_socket_t *this, struct nlmsghdr *in, struct nlmsghdr **out, size_t *out_len);
-
-	/**
-	 * Send a netlink message and wait for its acknowledge.
-	 *
-	 * @param	in		netlink message to send
-	 */
-	status_t (*send_ack)(netlink_socket_t *this, struct nlmsghdr *in);
-
-	/**
-	 * Destroy the socket.
-	 */
-	void (*destroy)(netlink_socket_t *this);
-};
-
-/**
- * Create a netlink_socket_t object.
- *
- * @param	protocol	protocol type (e.g. NETLINK_XFRM or NETLINK_ROUTE)
- */
-netlink_socket_t *netlink_socket_create(int protocol);
-
-/**
- * Creates an rtattr and adds it to the given netlink message.
- *
- * @param	hdr			netlink message
- * @param	rta_type	type of the rtattr
- * @param	data		data to add to the rtattr
- * @param	buflen		length of the netlink message buffer
- */
-void netlink_add_attribute(struct nlmsghdr *hdr, int rta_type, chunk_t data, size_t buflen);
-
-#endif /* KERNEL_NETLINK_SHARED_H_ */
diff --git a/src/libcharon/plugins/kernel_pfkey/Makefile.am b/src/libcharon/plugins/kernel_pfkey/Makefile.am
deleted file mode 100644
index 778a7f9a9..000000000
--- a/src/libcharon/plugins/kernel_pfkey/Makefile.am
+++ /dev/null
@@ -1,17 +0,0 @@
-
-INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra -I$(top_srcdir)/src/libcharon
-
-AM_CFLAGS = -rdynamic
-
-if MONOLITHIC
-noinst_LTLIBRARIES = libstrongswan-kernel-pfkey.la
-else
-plugin_LTLIBRARIES = libstrongswan-kernel-pfkey.la
-endif
-
-libstrongswan_kernel_pfkey_la_SOURCES = \
-	kernel_pfkey_plugin.h kernel_pfkey_plugin.c \
-	kernel_pfkey_ipsec.h kernel_pfkey_ipsec.c
-
-libstrongswan_kernel_pfkey_la_LDFLAGS = -module -avoid-version
diff --git a/src/libcharon/plugins/kernel_pfkey/Makefile.in b/src/libcharon/plugins/kernel_pfkey/Makefile.in
deleted file mode 100644
index 1dda6827b..000000000
--- a/src/libcharon/plugins/kernel_pfkey/Makefile.in
+++ /dev/null
@@ -1,590 +0,0 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
-# @configure_input@
-
-# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
-# This Makefile.in is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
-# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
-# PARTICULAR PURPOSE.
-
-@SET_MAKE@
-
-VPATH = @srcdir@
-pkgdatadir = $(datadir)/@PACKAGE@
-pkgincludedir = $(includedir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
-pkglibexecdir = $(libexecdir)/@PACKAGE@
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-install_sh_DATA = $(install_sh) -c -m 644
-install_sh_PROGRAM = $(install_sh) -c
-install_sh_SCRIPT = $(install_sh) -c
-INSTALL_HEADER = $(INSTALL_DATA)
-transform = $(program_transform_name)
-NORMAL_INSTALL = :
-PRE_INSTALL = :
-POST_INSTALL = :
-NORMAL_UNINSTALL = :
-PRE_UNINSTALL = :
-POST_UNINSTALL = :
-build_triplet = @build@
-host_triplet = @host@
-subdir = src/libcharon/plugins/kernel_pfkey
-DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
-ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
-	$(top_srcdir)/m4/config/ltoptions.m4 \
-	$(top_srcdir)/m4/config/ltsugar.m4 \
-	$(top_srcdir)/m4/config/ltversion.m4 \
-	$(top_srcdir)/m4/config/lt~obsolete.m4 \
-	$(top_srcdir)/m4/macros/with.m4 \
-	$(top_srcdir)/m4/macros/enable-disable.m4 \
-	$(top_srcdir)/configure.in
-am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
-	$(ACLOCAL_M4)
-mkinstalldirs = $(install_sh) -d
-CONFIG_CLEAN_FILES =
-CONFIG_CLEAN_VPATH_FILES =
-am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
-am__vpath_adj = case $$p in \
-    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
-    *) f=$$p;; \
-  esac;
-am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
-am__install_max = 40
-am__nobase_strip_setup = \
-  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
-am__nobase_strip = \
-  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
-am__nobase_list = $(am__nobase_strip_setup); \
-  for p in $$list; do echo "$$p $$p"; done | \
-  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
-  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
-    if (++n[$$2] == $(am__install_max)) \
-      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
-    END { for (dir in files) print dir, files[dir] }'
-am__base_list = \
-  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
-  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
-am__installdirs = "$(DESTDIR)$(plugindir)"
-LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
-libstrongswan_kernel_pfkey_la_LIBADD =
-am_libstrongswan_kernel_pfkey_la_OBJECTS = kernel_pfkey_plugin.lo \
-	kernel_pfkey_ipsec.lo
-libstrongswan_kernel_pfkey_la_OBJECTS =  \
-	$(am_libstrongswan_kernel_pfkey_la_OBJECTS)
-libstrongswan_kernel_pfkey_la_LINK = $(LIBTOOL) --tag=CC \
-	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
-	$(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_kernel_pfkey_la_LDFLAGS) $(LDFLAGS) -o $@
-@MONOLITHIC_FALSE@am_libstrongswan_kernel_pfkey_la_rpath = -rpath \
-@MONOLITHIC_FALSE@	$(plugindir)
-@MONOLITHIC_TRUE@am_libstrongswan_kernel_pfkey_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
-depcomp = $(SHELL) $(top_srcdir)/depcomp
-am__depfiles_maybe = depfiles
-am__mv = mv -f
-COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
-	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
-SOURCES = $(libstrongswan_kernel_pfkey_la_SOURCES)
-DIST_SOURCES = $(libstrongswan_kernel_pfkey_la_SOURCES)
-ETAGS = etags
-CTAGS = ctags
-DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
-ACLOCAL = @ACLOCAL@
-ALLOCA = @ALLOCA@
-AMTAR = @AMTAR@
-AR = @AR@
-AUTOCONF = @AUTOCONF@
-AUTOHEADER = @AUTOHEADER@
-AUTOMAKE = @AUTOMAKE@
-AWK = @AWK@
-BTLIB = @BTLIB@
-CC = @CC@
-CCDEPMODE = @CCDEPMODE@
-CFLAGS = @CFLAGS@
-CPP = @CPP@
-CPPFLAGS = @CPPFLAGS@
-CYGPATH_W = @CYGPATH_W@
-DEFS = @DEFS@
-DEPDIR = @DEPDIR@
-DLLIB = @DLLIB@
-DSYMUTIL = @DSYMUTIL@
-DUMPBIN = @DUMPBIN@
-ECHO_C = @ECHO_C@
-ECHO_N = @ECHO_N@
-ECHO_T = @ECHO_T@
-EGREP = @EGREP@
-EXEEXT = @EXEEXT@
-FGREP = @FGREP@
-GPERF = @GPERF@
-GREP = @GREP@
-INSTALL = @INSTALL@
-INSTALL_DATA = @INSTALL_DATA@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@
-INSTALL_SCRIPT = @INSTALL_SCRIPT@
-INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-LD = @LD@
-LDFLAGS = @LDFLAGS@
-LEX = @LEX@
-LEXLIB = @LEXLIB@
-LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBOBJS = @LIBOBJS@
-LIBS = @LIBS@
-LIBTOOL = @LIBTOOL@
-LIPO = @LIPO@
-LN_S = @LN_S@
-LTLIBOBJS = @LTLIBOBJS@
-MAKEINFO = @MAKEINFO@
-MKDIR_P = @MKDIR_P@
-MYSQLCFLAG = @MYSQLCFLAG@
-MYSQLCONFIG = @MYSQLCONFIG@
-MYSQLLIB = @MYSQLLIB@
-NM = @NM@
-NMEDIT = @NMEDIT@
-OBJDUMP = @OBJDUMP@
-OBJEXT = @OBJEXT@
-OTOOL = @OTOOL@
-OTOOL64 = @OTOOL64@
-PACKAGE = @PACKAGE@
-PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
-PACKAGE_NAME = @PACKAGE_NAME@
-PACKAGE_STRING = @PACKAGE_STRING@
-PACKAGE_TARNAME = @PACKAGE_TARNAME@
-PACKAGE_URL = @PACKAGE_URL@
-PACKAGE_VERSION = @PACKAGE_VERSION@
-PATH_SEPARATOR = @PATH_SEPARATOR@
-PERL = @PERL@
-PKG_CONFIG = @PKG_CONFIG@
-PTHREADLIB = @PTHREADLIB@
-RANLIB = @RANLIB@
-RTLIB = @RTLIB@
-RUBY = @RUBY@
-RUBYINCLUDE = @RUBYINCLUDE@
-SED = @SED@
-SET_MAKE = @SET_MAKE@
-SHELL = @SHELL@
-SOCKLIB = @SOCKLIB@
-STRIP = @STRIP@
-VERSION = @VERSION@
-YACC = @YACC@
-YFLAGS = @YFLAGS@
-abs_builddir = @abs_builddir@
-abs_srcdir = @abs_srcdir@
-abs_top_builddir = @abs_top_builddir@
-abs_top_srcdir = @abs_top_srcdir@
-ac_ct_CC = @ac_ct_CC@
-ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
-am__include = @am__include@
-am__leading_dot = @am__leading_dot@
-am__quote = @am__quote@
-am__tar = @am__tar@
-am__untar = @am__untar@
-bindir = @bindir@
-build = @build@
-build_alias = @build_alias@
-build_cpu = @build_cpu@
-build_os = @build_os@
-build_vendor = @build_vendor@
-builddir = @builddir@
-datadir = @datadir@
-datarootdir = @datarootdir@
-default_pkcs11 = @default_pkcs11@
-docdir = @docdir@
-dvidir = @dvidir@
-exec_prefix = @exec_prefix@
-gtk_CFLAGS = @gtk_CFLAGS@
-gtk_LIBS = @gtk_LIBS@
-host = @host@
-host_alias = @host_alias@
-host_cpu = @host_cpu@
-host_os = @host_os@
-host_vendor = @host_vendor@
-htmldir = @htmldir@
-includedir = @includedir@
-infodir = @infodir@
-install_sh = @install_sh@
-ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
-ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
-ipsecuser = @ipsecuser@
-libdir = @libdir@
-libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
-linux_headers = @linux_headers@
-localedir = @localedir@
-localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
-mandir = @mandir@
-mkdir_p = @mkdir_p@
-nm_CFLAGS = @nm_CFLAGS@
-nm_LIBS = @nm_LIBS@
-nm_ca_dir = @nm_ca_dir@
-oldincludedir = @oldincludedir@
-pdfdir = @pdfdir@
-piddir = @piddir@
-plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
-prefix = @prefix@
-program_transform_name = @program_transform_name@
-psdir = @psdir@
-random_device = @random_device@
-resolv_conf = @resolv_conf@
-routing_table = @routing_table@
-routing_table_prio = @routing_table_prio@
-sbindir = @sbindir@
-sharedstatedir = @sharedstatedir@
-srcdir = @srcdir@
-strongswan_conf = @strongswan_conf@
-sysconfdir = @sysconfdir@
-target_alias = @target_alias@
-top_build_prefix = @top_build_prefix@
-top_builddir = @top_builddir@
-top_srcdir = @top_srcdir@
-urandom_device = @urandom_device@
-xml_CFLAGS = @xml_CFLAGS@
-xml_LIBS = @xml_LIBS@
-INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra -I$(top_srcdir)/src/libcharon
-
-AM_CFLAGS = -rdynamic
-@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-kernel-pfkey.la
-@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-kernel-pfkey.la
-libstrongswan_kernel_pfkey_la_SOURCES = \
-	kernel_pfkey_plugin.h kernel_pfkey_plugin.c \
-	kernel_pfkey_ipsec.h kernel_pfkey_ipsec.c
-
-libstrongswan_kernel_pfkey_la_LDFLAGS = -module -avoid-version
-all: all-am
-
-.SUFFIXES:
-.SUFFIXES: .c .lo .o .obj
-$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
-	@for dep in $?; do \
-	  case '$(am__configure_deps)' in \
-	    *$$dep*) \
-	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
-	        && { if test -f $@; then exit 0; else break; fi; }; \
-	      exit 1;; \
-	  esac; \
-	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/kernel_pfkey/Makefile'; \
-	$(am__cd) $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu src/libcharon/plugins/kernel_pfkey/Makefile
-.PRECIOUS: Makefile
-Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
-	@case '$?' in \
-	  *config.status*) \
-	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
-	  *) \
-	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
-	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
-	esac;
-
-$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-
-$(top_srcdir)/configure:  $(am__configure_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(am__aclocal_m4_deps):
-
-clean-noinstLTLIBRARIES:
-	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
-	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
-	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
-	  test "$$dir" != "$$p" || dir=.; \
-	  echo "rm -f \"$${dir}/so_locations\""; \
-	  rm -f "$${dir}/so_locations"; \
-	done
-install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
-	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
-	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
-	list2=; for p in $$list; do \
-	  if test -f $$p; then \
-	    list2="$$list2 $$p"; \
-	  else :; fi; \
-	done; \
-	test -z "$$list2" || { \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
-	}
-
-uninstall-pluginLTLIBRARIES:
-	@$(NORMAL_UNINSTALL)
-	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
-	for p in $$list; do \
-	  $(am__strip_dir) \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
-	done
-
-clean-pluginLTLIBRARIES:
-	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
-	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
-	  test "$$dir" != "$$p" || dir=.; \
-	  echo "rm -f \"$${dir}/so_locations\""; \
-	  rm -f "$${dir}/so_locations"; \
-	done
-libstrongswan-kernel-pfkey.la: $(libstrongswan_kernel_pfkey_la_OBJECTS) $(libstrongswan_kernel_pfkey_la_DEPENDENCIES) 
-	$(libstrongswan_kernel_pfkey_la_LINK) $(am_libstrongswan_kernel_pfkey_la_rpath) $(libstrongswan_kernel_pfkey_la_OBJECTS) $(libstrongswan_kernel_pfkey_la_LIBADD) $(LIBS)
-
-mostlyclean-compile:
-	-rm -f *.$(OBJEXT)
-
-distclean-compile:
-	-rm -f *.tab.c
-
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_pfkey_ipsec.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_pfkey_plugin.Plo@am__quote@
-
-.c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
-
-.c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
-
-.c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
-
-mostlyclean-libtool:
-	-rm -f *.lo
-
-clean-libtool:
-	-rm -rf .libs _libs
-
-ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
-	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	mkid -fID $$unique
-tags: TAGS
-
-TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	set x; \
-	here=`pwd`; \
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	shift; \
-	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
-	  test -n "$$unique" || unique=$$empty_fix; \
-	  if test $$# -gt 0; then \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      "$$@" $$unique; \
-	  else \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      $$unique; \
-	  fi; \
-	fi
-ctags: CTAGS
-CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$unique" \
-	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$unique
-
-GTAGS:
-	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && $(am__cd) $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) "$$here"
-
-distclean-tags:
-	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
-
-distdir: $(DISTFILES)
-	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	list='$(DISTFILES)'; \
-	  dist_files=`for file in $$list; do echo $$file; done | \
-	  sed -e "s|^$$srcdirstrip/||;t" \
-	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
-	case $$dist_files in \
-	  */*) $(MKDIR_P) `echo "$$dist_files" | \
-			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
-			   sort -u` ;; \
-	esac; \
-	for file in $$dist_files; do \
-	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  if test -d $$d/$$file; then \
-	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
-	    if test -d "$(distdir)/$$file"; then \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
-	  else \
-	    test -f "$(distdir)/$$file" \
-	    || cp -p $$d/$$file "$(distdir)/$$file" \
-	    || exit 1; \
-	  fi; \
-	done
-check-am: all-am
-check: check-am
-all-am: Makefile $(LTLIBRARIES)
-installdirs:
-	for dir in "$(DESTDIR)$(plugindir)"; do \
-	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
-	done
-install: install-am
-install-exec: install-exec-am
-install-data: install-data-am
-uninstall: uninstall-am
-
-install-am: all-am
-	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
-
-installcheck: installcheck-am
-install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
-mostlyclean-generic:
-
-clean-generic:
-
-distclean-generic:
-	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
-
-maintainer-clean-generic:
-	@echo "This command is intended for maintainers to use"
-	@echo "it deletes files that may require special tools to rebuild."
-clean: clean-am
-
-clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
-	clean-pluginLTLIBRARIES mostlyclean-am
-
-distclean: distclean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-distclean-am: clean-am distclean-compile distclean-generic \
-	distclean-tags
-
-dvi: dvi-am
-
-dvi-am:
-
-html: html-am
-
-html-am:
-
-info: info-am
-
-info-am:
-
-install-data-am: install-pluginLTLIBRARIES
-
-install-dvi: install-dvi-am
-
-install-dvi-am:
-
-install-exec-am:
-
-install-html: install-html-am
-
-install-html-am:
-
-install-info: install-info-am
-
-install-info-am:
-
-install-man:
-
-install-pdf: install-pdf-am
-
-install-pdf-am:
-
-install-ps: install-ps-am
-
-install-ps-am:
-
-installcheck-am:
-
-maintainer-clean: maintainer-clean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-maintainer-clean-am: distclean-am maintainer-clean-generic
-
-mostlyclean: mostlyclean-am
-
-mostlyclean-am: mostlyclean-compile mostlyclean-generic \
-	mostlyclean-libtool
-
-pdf: pdf-am
-
-pdf-am:
-
-ps: ps-am
-
-ps-am:
-
-uninstall-am: uninstall-pluginLTLIBRARIES
-
-.MAKE: install-am install-strip
-
-.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
-	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
-	ctags distclean distclean-compile distclean-generic \
-	distclean-libtool distclean-tags distdir dvi dvi-am html \
-	html-am info info-am install install-am install-data \
-	install-data-am install-dvi install-dvi-am install-exec \
-	install-exec-am install-html install-html-am install-info \
-	install-info-am install-man install-pdf install-pdf-am \
-	install-pluginLTLIBRARIES install-ps install-ps-am \
-	install-strip installcheck installcheck-am installdirs \
-	maintainer-clean maintainer-clean-generic mostlyclean \
-	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
-	pdf pdf-am ps ps-am tags uninstall uninstall-am \
-	uninstall-pluginLTLIBRARIES
-
-
-# Tell versions [3.59,3.63) of GNU make to not export all variables.
-# Otherwise a system limit (for SysV at least) may be exceeded.
-.NOEXPORT:
diff --git a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
deleted file mode 100644
index a64c27f6f..000000000
--- a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
+++ /dev/null
@@ -1,2210 +0,0 @@
-/*
- * Copyright (C) 2008-2010 Tobias Brunner
- * Copyright (C) 2008 Andreas Steffen
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <sys/types.h>
-#include <sys/socket.h>
-
-#ifdef __FreeBSD__
-#include <limits.h> /* for LONG_MAX */
-#endif
-
-#ifdef HAVE_NET_PFKEYV2_H
-#include <net/pfkeyv2.h>
-#else
-#include <stdint.h>
-#include <linux/pfkeyv2.h>
-#endif
-
-#ifdef SADB_X_EXT_NAT_T_TYPE
-#define HAVE_NATT
-#endif
-
-#ifdef HAVE_NETIPSEC_IPSEC_H
-#include <netipsec/ipsec.h>
-#elif defined(HAVE_NETINET6_IPSEC_H)
-#include <netinet6/ipsec.h>
-#else
-#include <linux/ipsec.h>
-#endif
-
-#ifdef HAVE_NATT
-#ifdef HAVE_LINUX_UDP_H
-#include <linux/udp.h>
-#else
-#include <netinet/udp.h>
-#endif /*HAVE_LINUX_UDP_H*/
-#endif /*HAVE_NATT*/
-
-#include <unistd.h>
-#include <time.h>
-#include <errno.h>
-
-#include "kernel_pfkey_ipsec.h"
-
-#include <daemon.h>
-#include <utils/host.h>
-#include <threading/thread.h>
-#include <threading/mutex.h>
-#include <processing/jobs/callback_job.h>
-#include <processing/jobs/acquire_job.h>
-#include <processing/jobs/migrate_job.h>
-#include <processing/jobs/rekey_child_sa_job.h>
-#include <processing/jobs/delete_child_sa_job.h>
-#include <processing/jobs/update_sa_job.h>
-
-/** non linux specific */
-#ifndef IPPROTO_COMP
-#ifdef IPPROTO_IPCOMP
-#define IPPROTO_COMP IPPROTO_IPCOMP
-#endif
-#endif
-
-#ifndef SADB_X_AALG_SHA2_256HMAC
-#define SADB_X_AALG_SHA2_256HMAC SADB_X_AALG_SHA2_256
-#define SADB_X_AALG_SHA2_384HMAC SADB_X_AALG_SHA2_384
-#define SADB_X_AALG_SHA2_512HMAC SADB_X_AALG_SHA2_512
-#endif
-
-#ifndef SADB_X_EALG_AESCBC
-#define SADB_X_EALG_AESCBC SADB_X_EALG_AES
-#endif
-
-#ifndef SADB_X_EALG_CASTCBC
-#define SADB_X_EALG_CASTCBC SADB_X_EALG_CAST128CBC
-#endif
-
-#ifndef SOL_IP
-#define SOL_IP IPPROTO_IP
-#define SOL_IPV6 IPPROTO_IPV6
-#endif
-
-/** from linux/in.h */
-#ifndef IP_IPSEC_POLICY
-#define IP_IPSEC_POLICY 16
-#endif
-
-/** missing on uclibc */
-#ifndef IPV6_IPSEC_POLICY
-#define IPV6_IPSEC_POLICY 34
-#endif
-
-/** default priority of installed policies */
-#define PRIO_LOW 3000
-#define PRIO_HIGH 2000
-
-#ifdef __APPLE__
-/** from xnu/bsd/net/pfkeyv2.h */
-#define SADB_X_EXT_NATT 0x002
-	struct sadb_sa_2 {
-		struct sadb_sa	sa;
-		u_int16_t		sadb_sa_natt_port;
-		u_int16_t		sadb_reserved0;
-		u_int32_t		sadb_reserved1;
-	};
-#endif
-
-/** buffer size for PF_KEY messages */
-#define PFKEY_BUFFER_SIZE 4096
-
-/** PF_KEY messages are 64 bit aligned */
-#define PFKEY_ALIGNMENT 8
-/** aligns len to 64 bits */
-#define PFKEY_ALIGN(len) (((len) + PFKEY_ALIGNMENT - 1) & ~(PFKEY_ALIGNMENT - 1))
-/** calculates the properly padded length in 64 bit chunks */
-#define PFKEY_LEN(len) ((PFKEY_ALIGN(len) / PFKEY_ALIGNMENT))
-/** calculates user mode length i.e. in bytes */
-#define PFKEY_USER_LEN(len) ((len) * PFKEY_ALIGNMENT)
-
-/** given a PF_KEY message header and an extension this updates the length in the header */
-#define PFKEY_EXT_ADD(msg, ext) ((msg)->sadb_msg_len += ((struct sadb_ext*)ext)->sadb_ext_len)
-/** given a PF_KEY message header this returns a pointer to the next extension */
-#define PFKEY_EXT_ADD_NEXT(msg) ((struct sadb_ext*)(((char*)(msg)) + PFKEY_USER_LEN((msg)->sadb_msg_len)))
-/** copy an extension and append it to a PF_KEY message */
-#define PFKEY_EXT_COPY(msg, ext) (PFKEY_EXT_ADD(msg, memcpy(PFKEY_EXT_ADD_NEXT(msg), ext, PFKEY_USER_LEN(((struct sadb_ext*)ext)->sadb_ext_len))))
-/** given a PF_KEY extension this returns a pointer to the next extension */
-#define PFKEY_EXT_NEXT(ext) ((struct sadb_ext*)(((char*)(ext)) + PFKEY_USER_LEN(((struct sadb_ext*)ext)->sadb_ext_len)))
-/** given a PF_KEY extension this returns a pointer to the next extension also updates len (len in 64 bit words) */
-#define PFKEY_EXT_NEXT_LEN(ext,len) ((len) -= (ext)->sadb_ext_len, PFKEY_EXT_NEXT(ext))
-/** true if ext has a valid length and len is large enough to contain ext (assuming len in 64 bit words) */
-#define PFKEY_EXT_OK(ext,len) ((len) >= PFKEY_LEN(sizeof(struct sadb_ext)) && \
-				(ext)->sadb_ext_len >= PFKEY_LEN(sizeof(struct sadb_ext)) && \
-				(ext)->sadb_ext_len <= (len))
-
-typedef struct private_kernel_pfkey_ipsec_t private_kernel_pfkey_ipsec_t;
-
-/**
- * Private variables and functions of kernel_pfkey class.
- */
-struct private_kernel_pfkey_ipsec_t
-{
-	/**
-	 * Public part of the kernel_pfkey_t object.
-	 */
-	kernel_pfkey_ipsec_t public;
-
-	/**
-	 * mutex to lock access to various lists
-	 */
-	mutex_t *mutex;
-
-	/**
-	 * List of installed policies (policy_entry_t)
-	 */
-	linked_list_t *policies;
-
-	/**
-	 * whether to install routes along policies
-	 */
-	bool install_routes;
-
-	/**
-	 * job receiving PF_KEY events
-	 */
-	callback_job_t *job;
-
-	/**
-	 * mutex to lock access to the PF_KEY socket
-	 */
-	mutex_t *mutex_pfkey;
-
-	/**
-	 * PF_KEY socket to communicate with the kernel
-	 */
-	int socket;
-
-	/**
-	 * PF_KEY socket to receive acquire and expire events
-	 */
-	int socket_events;
-
-	/**
-	 * sequence number for messages sent to the kernel
-	 */
-	int seq;
-};
-
-typedef struct route_entry_t route_entry_t;
-
-/**
- * installed routing entry
- */
-struct route_entry_t {
-	/** Name of the interface the route is bound to */
-	char *if_name;
-
-	/** Source ip of the route */
-	host_t *src_ip;
-
-	/** gateway for this route */
-	host_t *gateway;
-
-	/** Destination net */
-	chunk_t dst_net;
-
-	/** Destination net prefixlen */
-	u_int8_t prefixlen;
-};
-
-/**
- * destroy an route_entry_t object
- */
-static void route_entry_destroy(route_entry_t *this)
-{
-	free(this->if_name);
-	DESTROY_IF(this->src_ip);
-	DESTROY_IF(this->gateway);
-	chunk_free(&this->dst_net);
-	free(this);
-}
-
-typedef struct policy_entry_t policy_entry_t;
-
-/**
- * installed kernel policy.
- */
-struct policy_entry_t {
-
-	/** reqid of this policy */
-	u_int32_t reqid;
-
-	/** index assigned by the kernel */
-	u_int32_t index;
-
-	/** direction of this policy: in, out, forward */
-	u_int8_t direction;
-
-	/** parameters of installed policy */
-	struct {
-		/** subnet and port */
-		host_t *net;
-		/** subnet mask */
-		u_int8_t mask;
-		/** protocol */
-		u_int8_t proto;
-	} src, dst;
-
-	/** associated route installed for this policy */
-	route_entry_t *route;
-
-	/** by how many CHILD_SA's this policy is used */
-	u_int refcount;
-};
-
-/**
- * create a policy_entry_t object
- */
-static policy_entry_t *create_policy_entry(traffic_selector_t *src_ts,
-		traffic_selector_t *dst_ts, policy_dir_t dir, u_int32_t reqid)
-{
-	policy_entry_t *policy = malloc_thing(policy_entry_t);
-	policy->reqid = reqid;
-	policy->index = 0;
-	policy->direction = dir;
-	policy->route = NULL;
-	policy->refcount = 0;
-
-	src_ts->to_subnet(src_ts, &policy->src.net, &policy->src.mask);
-	dst_ts->to_subnet(dst_ts, &policy->dst.net, &policy->dst.mask);
-
-	/* src or dest proto may be "any" (0), use more restrictive one */
-	policy->src.proto = max(src_ts->get_protocol(src_ts), dst_ts->get_protocol(dst_ts));
-	policy->src.proto = policy->src.proto ? policy->src.proto : IPSEC_PROTO_ANY;
-	policy->dst.proto = policy->src.proto;
-
-	return policy;
-}
-
-/**
- * destroy a policy_entry_t object
- */
-static void policy_entry_destroy(policy_entry_t *this)
-{
-	DESTROY_IF(this->src.net);
-	DESTROY_IF(this->dst.net);
-	if (this->route)
-	{
-		route_entry_destroy(this->route);
-	}
-	free(this);
-}
-
-/**
- * compares two policy_entry_t
- */
-static inline bool policy_entry_equals(policy_entry_t *current, policy_entry_t *policy)
-{
-	return current->direction == policy->direction &&
-		   current->src.proto == policy->src.proto &&
-		   current->dst.proto == policy->dst.proto &&
-		   current->src.mask == policy->src.mask &&
-		   current->dst.mask == policy->dst.mask &&
-		   current->src.net->equals(current->src.net, policy->src.net) &&
-		   current->dst.net->equals(current->dst.net, policy->dst.net);
-}
-
-/**
- * compare the given kernel index with that of a policy
- */
-static inline bool policy_entry_match_byindex(policy_entry_t *current, u_int32_t *index)
-{
-	return current->index == *index;
-}
-
-typedef struct pfkey_msg_t pfkey_msg_t;
-
-struct pfkey_msg_t
-{
-	/**
-	 * PF_KEY message base
-	 */
-	struct sadb_msg *msg;
-
-	/**
-	 * PF_KEY message extensions
-	 */
-	union {
-		struct sadb_ext *ext[SADB_EXT_MAX + 1];
-		struct {
-			struct sadb_ext *reserved;				/* SADB_EXT_RESERVED */
-			struct sadb_sa *sa;						/* SADB_EXT_SA */
-			struct sadb_lifetime *lft_current;		/* SADB_EXT_LIFETIME_CURRENT */
-			struct sadb_lifetime *lft_hard;			/* SADB_EXT_LIFETIME_HARD */
-			struct sadb_lifetime *lft_soft;			/* SADB_EXT_LIFETIME_SOFT */
-			struct sadb_address *src;				/* SADB_EXT_ADDRESS_SRC */
-			struct sadb_address *dst;				/* SADB_EXT_ADDRESS_DST */
-			struct sadb_address *proxy;				/* SADB_EXT_ADDRESS_PROXY */
-			struct sadb_key *key_auth;				/* SADB_EXT_KEY_AUTH */
-			struct sadb_key *key_encr;				/* SADB_EXT_KEY_ENCRYPT */
-			struct sadb_ident *id_src;				/* SADB_EXT_IDENTITY_SRC */
-			struct sadb_ident *id_dst;				/* SADB_EXT_IDENTITY_DST */
-			struct sadb_sens *sensitivity;			/* SADB_EXT_SENSITIVITY */
-			struct sadb_prop *proposal;				/* SADB_EXT_PROPOSAL */
-			struct sadb_supported *supported_auth;	/* SADB_EXT_SUPPORTED_AUTH */
-			struct sadb_supported *supported_encr;	/* SADB_EXT_SUPPORTED_ENCRYPT */
-			struct sadb_spirange *spirange;			/* SADB_EXT_SPIRANGE */
-			struct sadb_x_kmprivate *x_kmprivate;	/* SADB_X_EXT_KMPRIVATE */
-			struct sadb_x_policy *x_policy;			/* SADB_X_EXT_POLICY */
-			struct sadb_x_sa2 *x_sa2;				/* SADB_X_EXT_SA2 */
-			struct sadb_x_nat_t_type *x_natt_type;	/* SADB_X_EXT_NAT_T_TYPE */
-			struct sadb_x_nat_t_port *x_natt_sport;	/* SADB_X_EXT_NAT_T_SPORT */
-			struct sadb_x_nat_t_port *x_natt_dport;	/* SADB_X_EXT_NAT_T_DPORT */
-			struct sadb_address *x_natt_oa;			/* SADB_X_EXT_NAT_T_OA */
-			struct sadb_x_sec_ctx *x_sec_ctx;		/* SADB_X_EXT_SEC_CTX */
-			struct sadb_x_kmaddress *x_kmaddress;	/* SADB_X_EXT_KMADDRESS */
-		} __attribute__((__packed__));
-	};
-};
-
-ENUM(sadb_ext_type_names, SADB_EXT_RESERVED, SADB_EXT_MAX,
-	"SADB_EXT_RESERVED",
-	"SADB_EXT_SA",
-	"SADB_EXT_LIFETIME_CURRENT",
-	"SADB_EXT_LIFETIME_HARD",
-	"SADB_EXT_LIFETIME_SOFT",
-	"SADB_EXT_ADDRESS_SRC",
-	"SADB_EXT_ADDRESS_DST",
-	"SADB_EXT_ADDRESS_PROXY",
-	"SADB_EXT_KEY_AUTH",
-	"SADB_EXT_KEY_ENCRYPT",
-	"SADB_EXT_IDENTITY_SRC",
-	"SADB_EXT_IDENTITY_DST",
-	"SADB_EXT_SENSITIVITY",
-	"SADB_EXT_PROPOSAL",
-	"SADB_EXT_SUPPORTED_AUTH",
-	"SADB_EXT_SUPPORTED_ENCRYPT",
-	"SADB_EXT_SPIRANGE",
-	"SADB_X_EXT_KMPRIVATE",
-	"SADB_X_EXT_POLICY",
-	"SADB_X_EXT_SA2",
-	"SADB_X_EXT_NAT_T_TYPE",
-	"SADB_X_EXT_NAT_T_SPORT",
-	"SADB_X_EXT_NAT_T_DPORT",
-	"SADB_X_EXT_NAT_T_OA",
-	"SADB_X_EXT_SEC_CTX",
-	"SADB_X_EXT_KMADDRESS"
-);
-
-/**
- * convert a IKEv2 specific protocol identifier to the PF_KEY sa type
- */
-static u_int8_t proto_ike2satype(protocol_id_t proto)
-{
-	switch (proto)
-	{
-		case PROTO_ESP:
-			return SADB_SATYPE_ESP;
-		case PROTO_AH:
-			return SADB_SATYPE_AH;
-		case IPPROTO_COMP:
-			return SADB_X_SATYPE_IPCOMP;
-		default:
-			return proto;
-	}
-}
-
-/**
- * convert a PF_KEY sa type to a IKEv2 specific protocol identifier
- */
-static protocol_id_t proto_satype2ike(u_int8_t proto)
-{
-	switch (proto)
-	{
-		case SADB_SATYPE_ESP:
-			return PROTO_ESP;
-		case SADB_SATYPE_AH:
-			return PROTO_AH;
-		case SADB_X_SATYPE_IPCOMP:
-			return IPPROTO_COMP;
-		default:
-			return proto;
-	}
-}
-
-/**
- * convert a IKEv2 specific protocol identifier to the IP protocol identifier
- */
-static u_int8_t proto_ike2ip(protocol_id_t proto)
-{
-	switch (proto)
-	{
-		case PROTO_ESP:
-			return IPPROTO_ESP;
-		case PROTO_AH:
-			return IPPROTO_AH;
-		default:
-			return proto;
-	}
-}
-
-/**
- * convert the general ipsec mode to the one defined in ipsec.h
- */
-static u_int8_t mode2kernel(ipsec_mode_t mode)
-{
-	switch (mode)
-	{
-		case MODE_TRANSPORT:
-			return IPSEC_MODE_TRANSPORT;
-		case MODE_TUNNEL:
-			return IPSEC_MODE_TUNNEL;
-#ifdef HAVE_IPSEC_MODE_BEET
-		case MODE_BEET:
-			return IPSEC_MODE_BEET;
-#endif
-		default:
-			return mode;
-	}
-}
-
-/**
- * convert the general policy direction to the one defined in ipsec.h
- */
-static u_int8_t dir2kernel(policy_dir_t dir)
-{
-	switch (dir)
-	{
-		case POLICY_IN:
-			return IPSEC_DIR_INBOUND;
-		case POLICY_OUT:
-			return IPSEC_DIR_OUTBOUND;
-#ifdef HAVE_IPSEC_DIR_FWD
-		case POLICY_FWD:
-			return IPSEC_DIR_FWD;
-#endif
-		default:
-			return IPSEC_DIR_INVALID;
-	}
-}
-
-#ifdef SADB_X_MIGRATE
-/**
- * convert the policy direction in ipsec.h to the general one.
- */
-static policy_dir_t kernel2dir(u_int8_t  dir)
-{
-	switch (dir)
-	{
-		case IPSEC_DIR_INBOUND:
-			return POLICY_IN;
-		case IPSEC_DIR_OUTBOUND:
-			return POLICY_OUT;
-#ifdef HAVE_IPSEC_DIR_FWD
-		case IPSEC_DIR_FWD:
-			return POLICY_FWD;
-#endif
-		default:
-			return dir;
-	}
-}
-#endif /*SADB_X_MIGRATE*/
-
-typedef struct kernel_algorithm_t kernel_algorithm_t;
-
-/**
- * Mapping of IKEv2 algorithms to PF_KEY algorithms
- */
-struct kernel_algorithm_t {
-	/**
-	 * Identifier specified in IKEv2
-	 */
-	int ikev2;
-
-	/**
-	 * Identifier as defined in pfkeyv2.h
-	 */
-	int kernel;
-};
-
-#define END_OF_LIST -1
-
-/**
- * Algorithms for encryption
- */
-static kernel_algorithm_t encryption_algs[] = {
-/*	{ENCR_DES_IV64,				0							}, */
-	{ENCR_DES,					SADB_EALG_DESCBC			},
-	{ENCR_3DES,					SADB_EALG_3DESCBC			},
-/*	{ENCR_RC5,					0							}, */
-/*	{ENCR_IDEA,					0							}, */
-	{ENCR_CAST,					SADB_X_EALG_CASTCBC			},
-	{ENCR_BLOWFISH,				SADB_X_EALG_BLOWFISHCBC		},
-/*	{ENCR_3IDEA,				0							}, */
-/*	{ENCR_DES_IV32,				0							}, */
-	{ENCR_NULL,					SADB_EALG_NULL				},
-	{ENCR_AES_CBC,				SADB_X_EALG_AESCBC			},
-/*	{ENCR_AES_CTR,				SADB_X_EALG_AESCTR			}, */
-/*  {ENCR_AES_CCM_ICV8,			SADB_X_EALG_AES_CCM_ICV8	}, */
-/*	{ENCR_AES_CCM_ICV12,		SADB_X_EALG_AES_CCM_ICV12	}, */
-/*	{ENCR_AES_CCM_ICV16,		SADB_X_EALG_AES_CCM_ICV16	}, */
-/*	{ENCR_AES_GCM_ICV8,			SADB_X_EALG_AES_GCM_ICV8	}, */
-/*	{ENCR_AES_GCM_ICV12,		SADB_X_EALG_AES_GCM_ICV12	}, */
-/*	{ENCR_AES_GCM_ICV16,		SADB_X_EALG_AES_GCM_ICV16	}, */
-	{END_OF_LIST,				0							},
-};
-
-/**
- * Algorithms for integrity protection
- */
-static kernel_algorithm_t integrity_algs[] = {
-	{AUTH_HMAC_MD5_96,			SADB_AALG_MD5HMAC			},
-	{AUTH_HMAC_SHA1_96,			SADB_AALG_SHA1HMAC			},
-	{AUTH_HMAC_SHA2_256_128,	SADB_X_AALG_SHA2_256HMAC	},
-	{AUTH_HMAC_SHA2_384_192,	SADB_X_AALG_SHA2_384HMAC	},
-	{AUTH_HMAC_SHA2_512_256,	SADB_X_AALG_SHA2_512HMAC	},
-/*	{AUTH_DES_MAC,				0,							}, */
-/*	{AUTH_KPDK_MD5,				0,							}, */
-#ifdef SADB_X_AALG_AES_XCBC_MAC
-	{AUTH_AES_XCBC_96,			SADB_X_AALG_AES_XCBC_MAC,	},
-#endif
-	{END_OF_LIST,				0,							},
-};
-
-#if 0
-/**
- * Algorithms for IPComp, unused yet
- */
-static kernel_algorithm_t compression_algs[] = {
-/*	{IPCOMP_OUI,				0							}, */
-	{IPCOMP_DEFLATE,			SADB_X_CALG_DEFLATE			},
-	{IPCOMP_LZS,				SADB_X_CALG_LZS				},
-	{IPCOMP_LZJH,				SADB_X_CALG_LZJH			},
-	{END_OF_LIST,				0							},
-};
-#endif
-
-/**
- * Look up a kernel algorithm ID and its key size
- */
-static int lookup_algorithm(kernel_algorithm_t *list, int ikev2)
-{
-	while (list->ikev2 != END_OF_LIST)
-	{
-		if (ikev2 == list->ikev2)
-		{
-			return list->kernel;
-		}
-		list++;
-	}
-	return 0;
-}
-
-/**
- * Copy a host_t as sockaddr_t to the given memory location. Ports are
- * reset to zero as per RFC 2367.
- * @return		the number of bytes copied
- */
-static size_t hostcpy(void *dest, host_t *host)
-{
-	sockaddr_t *addr = host->get_sockaddr(host), *dest_addr = dest;
-	socklen_t *len = host->get_sockaddr_len(host);
-	memcpy(dest, addr, *len);
-#ifdef HAVE_STRUCT_SOCKADDR_SA_LEN
-	dest_addr->sa_len = *len;
-#endif
-	switch (dest_addr->sa_family)
-	{
-		case AF_INET:
-		{
-			struct sockaddr_in *sin = dest;
-			sin->sin_port = 0;
-			break;
-		}
-		case AF_INET6:
-		{
-			struct sockaddr_in6 *sin6 = dest;
-			sin6->sin6_port = 0;
-			break;
-		}
-	}
-	return *len;
-}
-
-/**
- * add a host behind an sadb_address extension
- */
-static void host2ext(host_t *host, struct sadb_address *ext)
-{
-	size_t len = hostcpy(ext + 1, host);
-	ext->sadb_address_len = PFKEY_LEN(sizeof(*ext) + len);
-}
-
-/**
- * add a host to the given sadb_msg
- */
-static void add_addr_ext(struct sadb_msg *msg, host_t *host, u_int16_t type,
-						 u_int8_t proto, u_int8_t prefixlen)
-{
-	struct sadb_address *addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
-	addr->sadb_address_exttype = type;
-	addr->sadb_address_proto = proto;
-	addr->sadb_address_prefixlen = prefixlen;
-	host2ext(host, addr);
-	PFKEY_EXT_ADD(msg, addr);
-}
-
-/**
- * adds an empty address extension to the given sadb_msg
- */
-static void add_anyaddr_ext(struct sadb_msg *msg, int family, u_int8_t type)
-{
-	socklen_t len = (family == AF_INET) ? sizeof(struct sockaddr_in) :
-										  sizeof(struct sockaddr_in6);
-	struct sadb_address *addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
-	addr->sadb_address_exttype = type;
-	sockaddr_t *saddr = (sockaddr_t*)(addr + 1);
-	saddr->sa_family = family;
-#ifdef HAVE_STRUCT_SOCKADDR_SA_LEN
-	saddr->sa_len = len;
-#endif
-	addr->sadb_address_len = PFKEY_LEN(sizeof(*addr) + len);
-	PFKEY_EXT_ADD(msg, addr);
-}
-
-#ifdef HAVE_NATT
-/**
- * add udp encap extensions to a sadb_msg
- */
-static void add_encap_ext(struct sadb_msg *msg, host_t *src, host_t *dst)
-{
-	struct sadb_x_nat_t_type* nat_type;
-	struct sadb_x_nat_t_port* nat_port;
-
-	nat_type = (struct sadb_x_nat_t_type*)PFKEY_EXT_ADD_NEXT(msg);
-	nat_type->sadb_x_nat_t_type_exttype = SADB_X_EXT_NAT_T_TYPE;
-	nat_type->sadb_x_nat_t_type_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_type));
-	nat_type->sadb_x_nat_t_type_type = UDP_ENCAP_ESPINUDP;
-	PFKEY_EXT_ADD(msg, nat_type);
-
-	nat_port = (struct sadb_x_nat_t_port*)PFKEY_EXT_ADD_NEXT(msg);
-	nat_port->sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_SPORT;
-	nat_port->sadb_x_nat_t_port_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_port));
-	nat_port->sadb_x_nat_t_port_port = htons(src->get_port(src));
-	PFKEY_EXT_ADD(msg, nat_port);
-
-	nat_port = (struct sadb_x_nat_t_port*)PFKEY_EXT_ADD_NEXT(msg);
-	nat_port->sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_DPORT;
-	nat_port->sadb_x_nat_t_port_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_port));
-	nat_port->sadb_x_nat_t_port_port = htons(dst->get_port(dst));
-	PFKEY_EXT_ADD(msg, nat_port);
-}
-#endif /*HAVE_NATT*/
-
-/**
- * Convert a sadb_address to a traffic_selector
- */
-static traffic_selector_t* sadb_address2ts(struct sadb_address *address)
-{
-	traffic_selector_t *ts;
-	host_t *host;
-
-	/* The Linux 2.6 kernel does not set the protocol and port information
-	 * in the src and dst sadb_address extensions of the SADB_ACQUIRE message.
-	 */
-	host = host_create_from_sockaddr((sockaddr_t*)&address[1])	;
-	ts = traffic_selector_create_from_subnet(host, address->sadb_address_prefixlen,
-				address->sadb_address_proto, host->get_port(host));
-	return ts;
-}
-
-/**
- * Parses a pfkey message received from the kernel
- */
-static status_t parse_pfkey_message(struct sadb_msg *msg, pfkey_msg_t *out)
-{
-	struct sadb_ext* ext;
-	size_t len;
-
-	memset(out, 0, sizeof(pfkey_msg_t));
-	out->msg = msg;
-
-	len = msg->sadb_msg_len;
-	len -= PFKEY_LEN(sizeof(struct sadb_msg));
-
-	ext = (struct sadb_ext*)(((char*)msg) + sizeof(struct sadb_msg));
-
-	while (len >= PFKEY_LEN(sizeof(struct sadb_ext)))
-	{
-		DBG3(DBG_KNL, "  %N", sadb_ext_type_names, ext->sadb_ext_type);
-		if (ext->sadb_ext_len < PFKEY_LEN(sizeof(struct sadb_ext)) ||
-			ext->sadb_ext_len > len)
-		{
-			DBG1(DBG_KNL, "length of %N extension is invalid",
-						   sadb_ext_type_names, ext->sadb_ext_type);
-			break;
-		}
-
-		if ((ext->sadb_ext_type > SADB_EXT_MAX) || (!ext->sadb_ext_type))
-		{
-			DBG1(DBG_KNL, "type of PF_KEY extension (%d) is invalid", ext->sadb_ext_type);
-			break;
-		}
-
-		if (out->ext[ext->sadb_ext_type])
-		{
-			DBG1(DBG_KNL, "duplicate %N extension",
-						   sadb_ext_type_names, ext->sadb_ext_type);
-			break;
-		}
-
-		out->ext[ext->sadb_ext_type] = ext;
-		ext = PFKEY_EXT_NEXT_LEN(ext, len);
-	}
-
-	if (len)
-	{
-		DBG1(DBG_KNL, "PF_KEY message length is invalid");
-		return FAILED;
-	}
-
-	return SUCCESS;
-}
-
-/**
- * Send a message to a specific PF_KEY socket and handle the response.
- */
-static status_t pfkey_send_socket(private_kernel_pfkey_ipsec_t *this, int socket,
-					struct sadb_msg *in, struct sadb_msg **out, size_t *out_len)
-{
-	unsigned char buf[PFKEY_BUFFER_SIZE];
-	struct sadb_msg *msg;
-	int in_len, len;
-
-	this->mutex_pfkey->lock(this->mutex_pfkey);
-
-	/* FIXME: our usage of sequence numbers is probably wrong. check RFC 2367,
-	 * in particular the behavior in response to an SADB_ACQUIRE. */
-	in->sadb_msg_seq = ++this->seq;
-	in->sadb_msg_pid = getpid();
-
-	in_len = PFKEY_USER_LEN(in->sadb_msg_len);
-
-	while (TRUE)
-	{
-		len = send(socket, in, in_len, 0);
-
-		if (len != in_len)
-		{
-			if (errno == EINTR)
-			{
-				/* interrupted, try again */
-				continue;
-			}
-			this->mutex_pfkey->unlock(this->mutex_pfkey);
-			DBG1(DBG_KNL, "error sending to PF_KEY socket: %s", strerror(errno));
-			return FAILED;
-		}
-		break;
-	}
-
-	while (TRUE)
-	{
-		msg = (struct sadb_msg*)buf;
-
-		len = recv(socket, buf, sizeof(buf), 0);
-
-		if (len < 0)
-		{
-			if (errno == EINTR)
-			{
-				DBG1(DBG_KNL, "got interrupted");
-				/* interrupted, try again */
-				continue;
-			}
-			DBG1(DBG_KNL, "error reading from PF_KEY socket: %s", strerror(errno));
-			this->mutex_pfkey->unlock(this->mutex_pfkey);
-			return FAILED;
-		}
-		if (len < sizeof(struct sadb_msg) ||
-			msg->sadb_msg_len < PFKEY_LEN(sizeof(struct sadb_msg)))
-		{
-			DBG1(DBG_KNL, "received corrupted PF_KEY message");
-			this->mutex_pfkey->unlock(this->mutex_pfkey);
-			return FAILED;
-		}
-		if (msg->sadb_msg_len > len / PFKEY_ALIGNMENT)
-		{
-			DBG1(DBG_KNL, "buffer was too small to receive the complete PF_KEY message");
-			this->mutex_pfkey->unlock(this->mutex_pfkey);
-			return FAILED;
-		}
-		if (msg->sadb_msg_pid != in->sadb_msg_pid)
-		{
-			DBG2(DBG_KNL, "received PF_KEY message is not intended for us");
-			continue;
-		}
-		if (msg->sadb_msg_seq != this->seq)
-		{
-			DBG1(DBG_KNL, "received PF_KEY message with unexpected sequence "
-				 "number, was %d expected %d", msg->sadb_msg_seq, this->seq);
-			if (msg->sadb_msg_seq == 0)
-			{
-				/* FreeBSD and Mac OS X do this for the response to
-				 * SADB_X_SPDGET (but not for the response to SADB_GET).
-				 * FreeBSD: 'key_spdget' in /usr/src/sys/netipsec/key.c. */
-			}
-			else if (msg->sadb_msg_seq < this->seq)
-			{
-				continue;
-			}
-			else
-			{
-				this->mutex_pfkey->unlock(this->mutex_pfkey);
-				return FAILED;
-			}
-		}
-		if (msg->sadb_msg_type != in->sadb_msg_type)
-		{
-			DBG2(DBG_KNL, "received PF_KEY message of wrong type, "
-					"was %d expected %d, ignoring",
-					msg->sadb_msg_type, in->sadb_msg_type);
-		}
-		break;
-	}
-
-	*out_len = len;
-	*out = (struct sadb_msg*)malloc(len);
-	memcpy(*out, buf, len);
-
-	this->mutex_pfkey->unlock(this->mutex_pfkey);
-
-	return SUCCESS;
-}
-
-/**
- * Send a message to the default PF_KEY socket and handle the response.
- */
-static status_t pfkey_send(private_kernel_pfkey_ipsec_t *this,
-					struct sadb_msg *in, struct sadb_msg **out, size_t *out_len)
-{
-	return pfkey_send_socket(this, this->socket, in, out, out_len);
-}
-
-/**
- * Process a SADB_ACQUIRE message from the kernel
- */
-static void process_acquire(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg)
-{
-	pfkey_msg_t response;
-	u_int32_t index, reqid = 0;
-	traffic_selector_t *src_ts, *dst_ts;
-	policy_entry_t *policy;
-	job_t *job;
-
-	switch (msg->sadb_msg_satype)
-	{
-		case SADB_SATYPE_UNSPEC:
-		case SADB_SATYPE_ESP:
-		case SADB_SATYPE_AH:
-			break;
-		default:
-			/* acquire for AH/ESP only */
-			return;
-	}
-	DBG2(DBG_KNL, "received an SADB_ACQUIRE");
-
-	if (parse_pfkey_message(msg, &response) != SUCCESS)
-	{
-		DBG1(DBG_KNL, "parsing SADB_ACQUIRE from kernel failed");
-		return;
-	}
-
-	index = response.x_policy->sadb_x_policy_id;
-	this->mutex->lock(this->mutex);
-	if (this->policies->find_first(this->policies,
-			(linked_list_match_t)policy_entry_match_byindex, (void**)&policy, &index) == SUCCESS)
-	{
-		reqid = policy->reqid;
-	}
-	else
-	{
-		DBG1(DBG_KNL, "received an SADB_ACQUIRE with policy id %d but no matching policy found",
-					   index);
-	}
-	src_ts = sadb_address2ts(response.src);
-	dst_ts = sadb_address2ts(response.dst);
-	this->mutex->unlock(this->mutex);
-
-	DBG1(DBG_KNL, "creating acquire job for policy %R === %R with reqid {%u}",
-				   src_ts, dst_ts, reqid);
-	job = (job_t*)acquire_job_create(reqid, src_ts, dst_ts);
-	charon->processor->queue_job(charon->processor, job);
-}
-
-/**
- * Process a SADB_EXPIRE message from the kernel
- */
-static void process_expire(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg)
-{
-	pfkey_msg_t response;
-	protocol_id_t protocol;
-	u_int32_t spi, reqid;
-	bool hard;
-	job_t *job;
-
-	DBG2(DBG_KNL, "received an SADB_EXPIRE");
-
-	if (parse_pfkey_message(msg, &response) != SUCCESS)
-	{
-		DBG1(DBG_KNL, "parsing SADB_EXPIRE from kernel failed");
-		return;
-	}
-
-	protocol = proto_satype2ike(msg->sadb_msg_satype);
-	spi = response.sa->sadb_sa_spi;
-	reqid = response.x_sa2->sadb_x_sa2_reqid;
-	hard = response.lft_hard != NULL;
-
-	if (protocol != PROTO_ESP && protocol != PROTO_AH)
-	{
-		DBG2(DBG_KNL, "ignoring SADB_EXPIRE for SA with SPI %.8x and reqid {%u} "
-					  "which is not a CHILD_SA", ntohl(spi), reqid);
-		return;
-	}
-
-	DBG1(DBG_KNL, "creating %s job for %N CHILD_SA with SPI %.8x and reqid {%u}",
-		 hard ? "delete" : "rekey",  protocol_id_names,
-		 protocol, ntohl(spi), reqid);
-	if (hard)
-	{
-		job = (job_t*)delete_child_sa_job_create(reqid, protocol, spi);
-	}
-	else
-	{
-		job = (job_t*)rekey_child_sa_job_create(reqid, protocol, spi);
-	}
-	charon->processor->queue_job(charon->processor, job);
-}
-
-#ifdef SADB_X_MIGRATE
-/**
- * Process a SADB_X_MIGRATE message from the kernel
- */
-static void process_migrate(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg)
-{
-	pfkey_msg_t response;
-	traffic_selector_t *src_ts, *dst_ts;
-	policy_dir_t dir;
-	u_int32_t reqid = 0;
-	host_t *local = NULL, *remote = NULL;
-	job_t *job;
-
-	DBG2(DBG_KNL, "received an SADB_X_MIGRATE");
-
-	if (parse_pfkey_message(msg, &response) != SUCCESS)
-	{
-		DBG1(DBG_KNL, "parsing SADB_X_MIGRATE from kernel failed");
-		return;
-	}
-	src_ts = sadb_address2ts(response.src);
-	dst_ts = sadb_address2ts(response.dst);
-	dir = kernel2dir(response.x_policy->sadb_x_policy_dir);
-	DBG2(DBG_KNL, "  policy %R === %R %N, id %u", src_ts, dst_ts,
-					 policy_dir_names, dir);
-
-	/* SADB_X_EXT_KMADDRESS is not present in unpatched kernels < 2.6.28 */
-	if (response.x_kmaddress)
-	{
-		sockaddr_t *local_addr, *remote_addr;
-		u_int32_t local_len;
-
-		local_addr  = (sockaddr_t*)&response.x_kmaddress[1];
-		local = host_create_from_sockaddr(local_addr);
-		local_len = (local_addr->sa_family == AF_INET6)?
-					sizeof(struct sockaddr_in6) : sizeof(struct sockaddr_in);
-		remote_addr = (sockaddr_t*)((u_int8_t*)local_addr + local_len);
-		remote = host_create_from_sockaddr(remote_addr);
-		DBG2(DBG_KNL, "  kmaddress: %H...%H", local, remote);
-	}
-
-	if (src_ts && dst_ts && local && remote)
-	{
-		DBG1(DBG_KNL, "creating migrate job for policy %R === %R %N with reqid {%u}",
-					   src_ts, dst_ts, policy_dir_names, dir, reqid, local);
-		job = (job_t*)migrate_job_create(reqid, src_ts, dst_ts, dir,
-										 local, remote);
-		charon->processor->queue_job(charon->processor, job);
-	}
-	else
-	{
-		DESTROY_IF(src_ts);
-		DESTROY_IF(dst_ts);
-		DESTROY_IF(local);
-		DESTROY_IF(remote);
-	}
-}
-#endif /*SADB_X_MIGRATE*/
-
-#ifdef SADB_X_NAT_T_NEW_MAPPING
-/**
- * Process a SADB_X_NAT_T_NEW_MAPPING message from the kernel
- */
-static void process_mapping(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg)
-{
-	pfkey_msg_t response;
-	u_int32_t spi, reqid;
-	host_t *host;
-	job_t *job;
-
-	DBG2(DBG_KNL, "received an SADB_X_NAT_T_NEW_MAPPING");
-
-	if (parse_pfkey_message(msg, &response) != SUCCESS)
-	{
-		DBG1(DBG_KNL, "parsing SADB_X_NAT_T_NEW_MAPPING from kernel failed");
-		return;
-	}
-
-	if (!response.x_sa2)
-	{
-		DBG1(DBG_KNL, "received SADB_X_NAT_T_NEW_MAPPING is missing required information");
-		return;
-	}
-
-	spi = response.sa->sadb_sa_spi;
-	reqid = response.x_sa2->sadb_x_sa2_reqid;
-
-	if (proto_satype2ike(msg->sadb_msg_satype) == PROTO_ESP)
-	{
-		sockaddr_t *sa = (sockaddr_t*)(response.dst + 1);
-		switch (sa->sa_family)
-		{
-			case AF_INET:
-			{
-				struct sockaddr_in *sin = (struct sockaddr_in*)sa;
-				sin->sin_port = htons(response.x_natt_dport->sadb_x_nat_t_port_port);
-			}
-			case AF_INET6:
-			{
-				struct sockaddr_in6 *sin6 = (struct sockaddr_in6*)sa;
-				sin6->sin6_port = htons(response.x_natt_dport->sadb_x_nat_t_port_port);
-			}
-			default:
-				break;
-		}
-		host = host_create_from_sockaddr(sa);
-		if (host)
-		{
-			DBG1(DBG_KNL, "NAT mappings of ESP CHILD_SA with SPI %.8x and "
-				"reqid {%u} changed, queuing update job", ntohl(spi), reqid);
-			job = (job_t*)update_sa_job_create(reqid, host);
-			charon->processor->queue_job(charon->processor, job);
-		}
-	}
-}
-#endif /*SADB_X_NAT_T_NEW_MAPPING*/
-
-/**
- * Receives events from kernel
- */
-static job_requeue_t receive_events(private_kernel_pfkey_ipsec_t *this)
-{
-	unsigned char buf[PFKEY_BUFFER_SIZE];
-	struct sadb_msg *msg = (struct sadb_msg*)buf;
-	int len;
-	bool oldstate;
-
-	oldstate = thread_cancelability(TRUE);
-	len = recvfrom(this->socket_events, buf, sizeof(buf), 0, NULL, 0);
-	thread_cancelability(oldstate);
-
-	if (len < 0)
-	{
-		switch (errno)
-		{
-			case EINTR:
-				/* interrupted, try again */
-				return JOB_REQUEUE_DIRECT;
-			case EAGAIN:
-				/* no data ready, select again */
-				return JOB_REQUEUE_DIRECT;
-			default:
-				DBG1(DBG_KNL, "unable to receive from PF_KEY event socket");
-				sleep(1);
-				return JOB_REQUEUE_FAIR;
-		}
-	}
-
-	if (len < sizeof(struct sadb_msg) ||
-		msg->sadb_msg_len < PFKEY_LEN(sizeof(struct sadb_msg)))
-	{
-		DBG2(DBG_KNL, "received corrupted PF_KEY message");
-		return JOB_REQUEUE_DIRECT;
-	}
-	if (msg->sadb_msg_pid != 0)
-	{	/* not from kernel. not interested, try another one */
-		return JOB_REQUEUE_DIRECT;
-	}
-	if (msg->sadb_msg_len > len / PFKEY_ALIGNMENT)
-	{
-		DBG1(DBG_KNL, "buffer was too small to receive the complete PF_KEY message");
-		return JOB_REQUEUE_DIRECT;
-	}
-
-	switch (msg->sadb_msg_type)
-	{
-		case SADB_ACQUIRE:
-			process_acquire(this, msg);
-			break;
-		case SADB_EXPIRE:
-			process_expire(this, msg);
-			break;
-#ifdef SADB_X_MIGRATE
-		case SADB_X_MIGRATE:
-			process_migrate(this, msg);
-			break;
-#endif /*SADB_X_MIGRATE*/
-#ifdef SADB_X_NAT_T_NEW_MAPPING
-		case SADB_X_NAT_T_NEW_MAPPING:
-			process_mapping(this, msg);
-			break;
-#endif /*SADB_X_NAT_T_NEW_MAPPING*/
-		default:
-			break;
-	}
-
-	return JOB_REQUEUE_DIRECT;
-}
-
-METHOD(kernel_ipsec_t, get_spi, status_t,
-	private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
-	protocol_id_t protocol, u_int32_t reqid, u_int32_t *spi)
-{
-	unsigned char request[PFKEY_BUFFER_SIZE];
-	struct sadb_msg *msg, *out;
-	struct sadb_x_sa2 *sa2;
-	struct sadb_spirange *range;
-	pfkey_msg_t response;
-	u_int32_t received_spi = 0;
-	size_t len;
-
-	memset(&request, 0, sizeof(request));
-
-	msg = (struct sadb_msg*)request;
-	msg->sadb_msg_version = PF_KEY_V2;
-	msg->sadb_msg_type = SADB_GETSPI;
-	msg->sadb_msg_satype = proto_ike2satype(protocol);
-	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
-
-	sa2 = (struct sadb_x_sa2*)PFKEY_EXT_ADD_NEXT(msg);
-	sa2->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
-	sa2->sadb_x_sa2_len = PFKEY_LEN(sizeof(struct sadb_spirange));
-	sa2->sadb_x_sa2_reqid = reqid;
-	PFKEY_EXT_ADD(msg, sa2);
-
-	add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0);
-	add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
-
-	range = (struct sadb_spirange*)PFKEY_EXT_ADD_NEXT(msg);
-	range->sadb_spirange_exttype = SADB_EXT_SPIRANGE;
-	range->sadb_spirange_len = PFKEY_LEN(sizeof(struct sadb_spirange));
-	range->sadb_spirange_min = 0xc0000000;
-	range->sadb_spirange_max = 0xcFFFFFFF;
-	PFKEY_EXT_ADD(msg, range);
-
-	if (pfkey_send(this, msg, &out, &len) == SUCCESS)
-	{
-		if (out->sadb_msg_errno)
-		{
-			DBG1(DBG_KNL, "allocating SPI failed: %s (%d)",
-					strerror(out->sadb_msg_errno), out->sadb_msg_errno);
-		}
-		else if (parse_pfkey_message(out, &response) == SUCCESS)
-		{
-			received_spi = response.sa->sadb_sa_spi;
-		}
-		free(out);
-	}
-
-	if (received_spi == 0)
-	{
-		return FAILED;
-	}
-
-	*spi = received_spi;
-	return SUCCESS;
-}
-
-METHOD(kernel_ipsec_t, get_cpi, status_t,
-	private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
-	u_int32_t reqid, u_int16_t *cpi)
-{
-	return FAILED;
-}
-
-METHOD(kernel_ipsec_t, add_sa, status_t,
-	private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst, u_int32_t spi,
-	protocol_id_t protocol, u_int32_t reqid, mark_t mark,
-	lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
-	u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode,
-	u_int16_t ipcomp, u_int16_t cpi, bool encap, bool inbound,
-	traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
-{
-	unsigned char request[PFKEY_BUFFER_SIZE];
-	struct sadb_msg *msg, *out;
-	struct sadb_sa *sa;
-	struct sadb_x_sa2 *sa2;
-	struct sadb_lifetime *lft;
-	struct sadb_key *key;
-	size_t len;
-
-	memset(&request, 0, sizeof(request));
-
-	DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%u}", ntohl(spi), reqid);
-
-	msg = (struct sadb_msg*)request;
-	msg->sadb_msg_version = PF_KEY_V2;
-	msg->sadb_msg_type = inbound ? SADB_UPDATE : SADB_ADD;
-	msg->sadb_msg_satype = proto_ike2satype(protocol);
-	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
-
-#ifdef __APPLE__
-	if (encap)
-	{
-		struct sadb_sa_2 *sa_2;
-		sa_2 = (struct sadb_sa_2*)PFKEY_EXT_ADD_NEXT(msg);
-		sa_2->sadb_sa_natt_port = dst->get_port(dst);
-		sa = &sa_2->sa;
-		sa->sadb_sa_flags |= SADB_X_EXT_NATT;
-		len = sizeof(struct sadb_sa_2);
-	}
-	else
-#endif
-	{
-		sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
-		len = sizeof(struct sadb_sa);
-	}
-	sa->sadb_sa_exttype = SADB_EXT_SA;
-	sa->sadb_sa_len = PFKEY_LEN(len);
-	sa->sadb_sa_spi = spi;
-	sa->sadb_sa_replay = (protocol == IPPROTO_COMP) ? 0 : 32;
-	sa->sadb_sa_auth = lookup_algorithm(integrity_algs, int_alg);
-	sa->sadb_sa_encrypt = lookup_algorithm(encryption_algs, enc_alg);
-	PFKEY_EXT_ADD(msg, sa);
-
-	sa2 = (struct sadb_x_sa2*)PFKEY_EXT_ADD_NEXT(msg);
-	sa2->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
-	sa2->sadb_x_sa2_len = PFKEY_LEN(sizeof(struct sadb_spirange));
-	sa2->sadb_x_sa2_mode = mode2kernel(mode);
-	sa2->sadb_x_sa2_reqid = reqid;
-	PFKEY_EXT_ADD(msg, sa2);
-
-	add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0);
-	add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
-
-	lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
-	lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT;
-	lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
-	lft->sadb_lifetime_allocations = lifetime->packets.rekey;
-	lft->sadb_lifetime_bytes = lifetime->bytes.rekey;
-	lft->sadb_lifetime_addtime = lifetime->time.rekey;
-	lft->sadb_lifetime_usetime = 0; /* we only use addtime */
-	PFKEY_EXT_ADD(msg, lft);
-
-	lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
-	lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
-	lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
-	lft->sadb_lifetime_allocations = lifetime->packets.life;
-	lft->sadb_lifetime_bytes = lifetime->bytes.life;
-	lft->sadb_lifetime_addtime = lifetime->time.life;
-	lft->sadb_lifetime_usetime = 0; /* we only use addtime */
-	PFKEY_EXT_ADD(msg, lft);
-
-	if (enc_alg != ENCR_UNDEFINED)
-	{
-		if (!sa->sadb_sa_encrypt)
-		{
-			DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
-				 encryption_algorithm_names, enc_alg);
-			return FAILED;
-		}
-		DBG2(DBG_KNL, "  using encryption algorithm %N with key size %d",
-			 encryption_algorithm_names, enc_alg, enc_key.len * 8);
-
-		key = (struct sadb_key*)PFKEY_EXT_ADD_NEXT(msg);
-		key->sadb_key_exttype = SADB_EXT_KEY_ENCRYPT;
-		key->sadb_key_bits = enc_key.len * 8;
-		key->sadb_key_len = PFKEY_LEN(sizeof(struct sadb_key) + enc_key.len);
-		memcpy(key + 1, enc_key.ptr, enc_key.len);
-
-		PFKEY_EXT_ADD(msg, key);
-	}
-
-	if (int_alg != AUTH_UNDEFINED)
-	{
-		if (!sa->sadb_sa_auth)
-		{
-			DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
-					 integrity_algorithm_names, int_alg);
-			return FAILED;
-		}
-		DBG2(DBG_KNL, "  using integrity algorithm %N with key size %d",
-			 integrity_algorithm_names, int_alg, int_key.len * 8);
-
-		key = (struct sadb_key*)PFKEY_EXT_ADD_NEXT(msg);
-		key->sadb_key_exttype = SADB_EXT_KEY_AUTH;
-		key->sadb_key_bits = int_key.len * 8;
-		key->sadb_key_len = PFKEY_LEN(sizeof(struct sadb_key) + int_key.len);
-		memcpy(key + 1, int_key.ptr, int_key.len);
-
-		PFKEY_EXT_ADD(msg, key);
-	}
-
-	if (ipcomp != IPCOMP_NONE)
-	{
-		/*TODO*/
-	}
-
-#ifdef HAVE_NATT
-	if (encap)
-	{
-		add_encap_ext(msg, src, dst);
-	}
-#endif /*HAVE_NATT*/
-
-	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
-	{
-		DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x", ntohl(spi));
-		return FAILED;
-	}
-	else if (out->sadb_msg_errno)
-	{
-		DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x: %s (%d)",
-				ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
-		free(out);
-		return FAILED;
-	}
-
-	free(out);
-	return SUCCESS;
-}
-
-METHOD(kernel_ipsec_t, update_sa, status_t,
-	private_kernel_pfkey_ipsec_t *this, u_int32_t spi, protocol_id_t protocol,
-	u_int16_t cpi, host_t *src, host_t *dst, host_t *new_src, host_t *new_dst,
-	bool encap, bool new_encap, mark_t mark)
-{
-	unsigned char request[PFKEY_BUFFER_SIZE];
-	struct sadb_msg *msg, *out;
-	struct sadb_sa *sa;
-	pfkey_msg_t response;
-	size_t len;
-
-	/* we can't update the SA if any of the ip addresses have changed.
-	 * that's because we can't use SADB_UPDATE and by deleting and readding the
-	 * SA the sequence numbers would get lost */
-	if (!src->ip_equals(src, new_src) ||
-		!dst->ip_equals(dst, new_dst))
-	{
-		DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x: address changes"
-				" are not supported", ntohl(spi));
-		return NOT_SUPPORTED;
-	}
-
-	memset(&request, 0, sizeof(request));
-
-	DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi));
-
-	msg = (struct sadb_msg*)request;
-	msg->sadb_msg_version = PF_KEY_V2;
-	msg->sadb_msg_type = SADB_GET;
-	msg->sadb_msg_satype = proto_ike2satype(protocol);
-	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
-
-	sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
-	sa->sadb_sa_exttype = SADB_EXT_SA;
-	sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
-	sa->sadb_sa_spi = spi;
-	PFKEY_EXT_ADD(msg, sa);
-
-	/* the kernel wants a SADB_EXT_ADDRESS_SRC to be present even though
-	 * it is not used for anything. */
-	add_anyaddr_ext(msg, dst->get_family(dst), SADB_EXT_ADDRESS_SRC);
-	add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
-
-	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
-	{
-		DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x",
-				ntohl(spi));
-		return FAILED;
-	}
-	else if (out->sadb_msg_errno)
-	{
-		DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x: %s (%d)",
-			ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
-		free(out);
-		return FAILED;
-	}
-	else if (parse_pfkey_message(out, &response) != SUCCESS)
-	{
-		DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x: parsing response "
-				"from kernel failed", ntohl(spi));
-		free(out);
-		return FAILED;
-	}
-
-	DBG2(DBG_KNL, "updating SAD entry with SPI %.8x from %#H..%#H to %#H..%#H",
-		 ntohl(spi), src, dst, new_src, new_dst);
-
-	memset(&request, 0, sizeof(request));
-
-	msg = (struct sadb_msg*)request;
-	msg->sadb_msg_version = PF_KEY_V2;
-	msg->sadb_msg_type = SADB_UPDATE;
-	msg->sadb_msg_satype = proto_ike2satype(protocol);
-	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
-
-#ifdef __APPLE__
-	{
-		struct sadb_sa_2 *sa_2;
-		sa_2 = (struct sadb_sa_2*)PFKEY_EXT_ADD_NEXT(msg);
-		sa_2->sa.sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa_2));
-		memcpy(&sa_2->sa, response.sa, sizeof(struct sadb_sa));
-		if (encap)
-		{
-			sa_2->sadb_sa_natt_port = new_dst->get_port(new_dst);
-			sa_2->sa.sadb_sa_flags |= SADB_X_EXT_NATT;
-		}
-	}
-#else
-	PFKEY_EXT_COPY(msg, response.sa);
-#endif
-	PFKEY_EXT_COPY(msg, response.x_sa2);
-
-	PFKEY_EXT_COPY(msg, response.src);
-	PFKEY_EXT_COPY(msg, response.dst);
-
-	PFKEY_EXT_COPY(msg, response.lft_soft);
-	PFKEY_EXT_COPY(msg, response.lft_hard);
-
-	if (response.key_encr)
-	{
-		PFKEY_EXT_COPY(msg, response.key_encr);
-	}
-
-	if (response.key_auth)
-	{
-		PFKEY_EXT_COPY(msg, response.key_auth);
-	}
-
-#ifdef HAVE_NATT
-	if (new_encap)
-	{
-		add_encap_ext(msg, new_src, new_dst);
-	}
-#endif /*HAVE_NATT*/
-
-	free(out);
-
-	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
-	{
-		DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi));
-		return FAILED;
-	}
-	else if (out->sadb_msg_errno)
-	{
-		DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x: %s (%d)",
-				ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
-		free(out);
-		return FAILED;
-	}
-	free(out);
-
-	return SUCCESS;
-}
-
-METHOD(kernel_ipsec_t, query_sa, status_t,
-	private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
-	u_int32_t spi, protocol_id_t protocol, mark_t mark, u_int64_t *bytes)
-{
-	unsigned char request[PFKEY_BUFFER_SIZE];
-	struct sadb_msg *msg, *out;
-	struct sadb_sa *sa;
-	pfkey_msg_t response;
-	size_t len;
-
-	memset(&request, 0, sizeof(request));
-
-	DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi));
-
-	msg = (struct sadb_msg*)request;
-	msg->sadb_msg_version = PF_KEY_V2;
-	msg->sadb_msg_type = SADB_GET;
-	msg->sadb_msg_satype = proto_ike2satype(protocol);
-	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
-
-	sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
-	sa->sadb_sa_exttype = SADB_EXT_SA;
-	sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
-	sa->sadb_sa_spi = spi;
-	PFKEY_EXT_ADD(msg, sa);
-
-	/* the Linux Kernel doesn't care for the src address, but other systems do
-	 * (e.g. FreeBSD)
-	 */
-	add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0);
-	add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
-
-	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
-	{
-		DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi));
-		return FAILED;
-	}
-	else if (out->sadb_msg_errno)
-	{
-		DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x: %s (%d)",
-				ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
-		free(out);
-		return FAILED;
-	}
-	else if (parse_pfkey_message(out, &response) != SUCCESS)
-	{
-		DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi));
-		free(out);
-		return FAILED;
-	}
-	*bytes = response.lft_current->sadb_lifetime_bytes;
-
-	free(out);
-	return SUCCESS;
-}
-
-METHOD(kernel_ipsec_t, del_sa, status_t,
-	private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
-	u_int32_t spi, protocol_id_t protocol, u_int16_t cpi, mark_t mark)
-{
-	unsigned char request[PFKEY_BUFFER_SIZE];
-	struct sadb_msg *msg, *out;
-	struct sadb_sa *sa;
-	size_t len;
-
-	memset(&request, 0, sizeof(request));
-
-	DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x", ntohl(spi));
-
-	msg = (struct sadb_msg*)request;
-	msg->sadb_msg_version = PF_KEY_V2;
-	msg->sadb_msg_type = SADB_DELETE;
-	msg->sadb_msg_satype = proto_ike2satype(protocol);
-	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
-
-	sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
-	sa->sadb_sa_exttype = SADB_EXT_SA;
-	sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
-	sa->sadb_sa_spi = spi;
-	PFKEY_EXT_ADD(msg, sa);
-
-	/* the Linux Kernel doesn't care for the src address, but other systems do
-	 * (e.g. FreeBSD)
-	 */
-	add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0);
-	add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
-
-	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
-	{
-		DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x", ntohl(spi));
-		return FAILED;
-	}
-	else if (out->sadb_msg_errno)
-	{
-		DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x: %s (%d)",
-				ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
-		free(out);
-		return FAILED;
-	}
-
-	DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x", ntohl(spi));
-	free(out);
-	return SUCCESS;
-}
-
-METHOD(kernel_ipsec_t, add_policy, status_t,
-	private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
-	traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
-	policy_dir_t direction, u_int32_t spi, protocol_id_t protocol,
-	u_int32_t reqid, mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp,
-	u_int16_t cpi, bool routed)
-{
-	unsigned char request[PFKEY_BUFFER_SIZE];
-	struct sadb_msg *msg, *out;
-	struct sadb_x_policy *pol;
-	struct sadb_x_ipsecrequest *req;
-	policy_entry_t *policy, *found = NULL;
-	pfkey_msg_t response;
-	size_t len;
-
-	if (dir2kernel(direction) == IPSEC_DIR_INVALID)
-	{
-		/* FWD policies are not supported on all platforms */
-		return SUCCESS;
-	}
-
-	/* create a policy */
-	policy = create_policy_entry(src_ts, dst_ts, direction, reqid);
-
-	/* find a matching policy */
-	this->mutex->lock(this->mutex);
-	if (this->policies->find_first(this->policies,
-			(linked_list_match_t)policy_entry_equals, (void**)&found, policy) == SUCCESS)
-	{
-		/* use existing policy */
-		found->refcount++;
-		DBG2(DBG_KNL, "policy %R === %R %N already exists, increasing "
-					  "refcount", src_ts, dst_ts,
-					   policy_dir_names, direction);
-		policy_entry_destroy(policy);
-		policy = found;
-	}
-	else
-	{
-		/* apply the new one, if we have no such policy */
-		this->policies->insert_last(this->policies, policy);
-		policy->refcount = 1;
-	}
-
-	memset(&request, 0, sizeof(request));
-
-	DBG2(DBG_KNL, "adding policy %R === %R %N", src_ts, dst_ts,
-				   policy_dir_names, direction);
-
-	msg = (struct sadb_msg*)request;
-	msg->sadb_msg_version = PF_KEY_V2;
-	msg->sadb_msg_type = found ? SADB_X_SPDUPDATE : SADB_X_SPDADD;
-	msg->sadb_msg_satype = 0;
-	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
-
-	pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
-	pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
-	pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
-	pol->sadb_x_policy_id = 0;
-	pol->sadb_x_policy_dir = dir2kernel(direction);
-	pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
-#ifdef HAVE_STRUCT_SADB_X_POLICY_SADB_X_POLICY_PRIORITY
-	/* calculate priority based on source selector size, small size = high prio */
-	pol->sadb_x_policy_priority = routed ? PRIO_LOW : PRIO_HIGH;
-	pol->sadb_x_policy_priority -= policy->src.mask * 10;
-	pol->sadb_x_policy_priority -= policy->src.proto != IPSEC_PROTO_ANY ? 2 : 0;
-	pol->sadb_x_policy_priority -= policy->src.net->get_port(policy->src.net) ? 1 : 0;
-#endif
-
-	/* one or more sadb_x_ipsecrequest extensions are added to the sadb_x_policy extension */
-	req = (struct sadb_x_ipsecrequest*)(pol + 1);
-	req->sadb_x_ipsecrequest_proto = proto_ike2ip(protocol);
-	/* !!! the length of this struct MUST be in octets instead of 64 bit words */
-	req->sadb_x_ipsecrequest_len = sizeof(struct sadb_x_ipsecrequest);
-	req->sadb_x_ipsecrequest_mode = mode2kernel(mode);
-	req->sadb_x_ipsecrequest_reqid = reqid;
-	req->sadb_x_ipsecrequest_level = IPSEC_LEVEL_UNIQUE;
-	if (mode == MODE_TUNNEL)
-	{
-		len = hostcpy(req + 1, src);
-		req->sadb_x_ipsecrequest_len += len;
-		len = hostcpy((char*)(req + 1) + len, dst);
-		req->sadb_x_ipsecrequest_len += len;
-	}
-
-	pol->sadb_x_policy_len += PFKEY_LEN(req->sadb_x_ipsecrequest_len);
-	PFKEY_EXT_ADD(msg, pol);
-
-	add_addr_ext(msg, policy->src.net, SADB_EXT_ADDRESS_SRC, policy->src.proto,
-				 policy->src.mask);
-	add_addr_ext(msg, policy->dst.net, SADB_EXT_ADDRESS_DST, policy->dst.proto,
-				 policy->dst.mask);
-
-#ifdef __FreeBSD__
-	{	/* on FreeBSD a lifetime has to be defined to be able to later query
-		 * the current use time. */
-		struct sadb_lifetime *lft;
-		lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
-		lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
-		lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
-		lft->sadb_lifetime_addtime = LONG_MAX;
-		PFKEY_EXT_ADD(msg, lft);
-	}
-#endif
-
-	this->mutex->unlock(this->mutex);
-
-	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
-	{
-		DBG1(DBG_KNL, "unable to add policy %R === %R %N", src_ts, dst_ts,
-					   policy_dir_names, direction);
-		return FAILED;
-	}
-	else if (out->sadb_msg_errno)
-	{
-		DBG1(DBG_KNL, "unable to add policy %R === %R %N: %s (%d)", src_ts, dst_ts,
-					   policy_dir_names, direction,
-					   strerror(out->sadb_msg_errno), out->sadb_msg_errno);
-		free(out);
-		return FAILED;
-	}
-	else if (parse_pfkey_message(out, &response) != SUCCESS)
-	{
-		DBG1(DBG_KNL, "unable to add policy %R === %R %N: parsing response "
-				"from kernel failed", src_ts, dst_ts, policy_dir_names, direction);
-		free(out);
-		return FAILED;
-	}
-
-	this->mutex->lock(this->mutex);
-
-	/* we try to find the policy again and update the kernel index */
-	if (this->policies->find_last(this->policies, NULL, (void**)&policy) != SUCCESS)
-	{
-		DBG2(DBG_KNL, "unable to update index, the policy %R === %R %N is "
-				"already gone, ignoring", src_ts, dst_ts, policy_dir_names, direction);
-		this->mutex->unlock(this->mutex);
-		free(out);
-		return SUCCESS;
-	}
-	policy->index = response.x_policy->sadb_x_policy_id;
-	free(out);
-
-	/* install a route, if:
-	 * - we are NOT updating a policy
-	 * - this is a forward policy (to just get one for each child)
-	 * - we are in tunnel mode
-	 * - we are not using IPv6 (does not work correctly yet!)
-	 * - routing is not disabled via strongswan.conf
-	 */
-	if (policy->route == NULL && direction == POLICY_FWD &&
-		mode != MODE_TRANSPORT && src->get_family(src) != AF_INET6 &&
-		this->install_routes)
-	{
-		route_entry_t *route = malloc_thing(route_entry_t);
-
-		if (charon->kernel_interface->get_address_by_ts(charon->kernel_interface,
-				dst_ts, &route->src_ip) == SUCCESS)
-		{
-			/* get the nexthop to src (src as we are in POLICY_FWD).*/
-			route->gateway = charon->kernel_interface->get_nexthop(
-									charon->kernel_interface, src);
-			route->if_name = charon->kernel_interface->get_interface(
-									charon->kernel_interface, dst);
-			route->dst_net = chunk_clone(policy->src.net->get_address(policy->src.net));
-			route->prefixlen = policy->src.mask;
-
-			if (route->if_name)
-			{
-				switch (charon->kernel_interface->add_route(
-									charon->kernel_interface, route->dst_net,
-									route->prefixlen, route->gateway,
-									route->src_ip, route->if_name))
-				{
-					default:
-						DBG1(DBG_KNL, "unable to install source route for %H",
-							 route->src_ip);
-						/* FALL */
-					case ALREADY_DONE:
-						/* route exists, do not uninstall */
-						route_entry_destroy(route);
-						break;
-					case SUCCESS:
-						/* cache the installed route */
-						policy->route = route;
-						break;
-				}
-			}
-			else
-			{
-				route_entry_destroy(route);
-			}
-		}
-		else
-		{
-			free(route);
-		}
-	}
-
-	this->mutex->unlock(this->mutex);
-
-	return SUCCESS;
-}
-
-METHOD(kernel_ipsec_t, query_policy, status_t,
-	private_kernel_pfkey_ipsec_t *this, traffic_selector_t *src_ts,
-	traffic_selector_t *dst_ts, policy_dir_t direction, mark_t mark,
-	u_int32_t *use_time)
-{
-	unsigned char request[PFKEY_BUFFER_SIZE];
-	struct sadb_msg *msg, *out;
-	struct sadb_x_policy *pol;
-	policy_entry_t *policy, *found = NULL;
-	pfkey_msg_t response;
-	size_t len;
-
-	if (dir2kernel(direction) == IPSEC_DIR_INVALID)
-	{
-		/* FWD policies are not supported on all platforms */
-		return NOT_FOUND;
-	}
-
-	DBG2(DBG_KNL, "querying policy %R === %R %N", src_ts, dst_ts,
-				   policy_dir_names, direction);
-
-	/* create a policy */
-	policy = create_policy_entry(src_ts, dst_ts, direction, 0);
-
-	/* find a matching policy */
-	this->mutex->lock(this->mutex);
-	if (this->policies->find_first(this->policies,
-			(linked_list_match_t)policy_entry_equals, (void**)&found, policy) != SUCCESS)
-	{
-		DBG1(DBG_KNL, "querying policy %R === %R %N failed, not found", src_ts,
-					   dst_ts, policy_dir_names, direction);
-		policy_entry_destroy(policy);
-		this->mutex->unlock(this->mutex);
-		return NOT_FOUND;
-	}
-	policy_entry_destroy(policy);
-	policy = found;
-
-	memset(&request, 0, sizeof(request));
-
-	msg = (struct sadb_msg*)request;
-	msg->sadb_msg_version = PF_KEY_V2;
-	msg->sadb_msg_type = SADB_X_SPDGET;
-	msg->sadb_msg_satype = 0;
-	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
-
-	pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
-	pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
-	pol->sadb_x_policy_id = policy->index;
-	pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
-	pol->sadb_x_policy_dir = dir2kernel(direction);
-	pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
-	PFKEY_EXT_ADD(msg, pol);
-
-	add_addr_ext(msg, policy->src.net, SADB_EXT_ADDRESS_SRC, policy->src.proto,
-				 policy->src.mask);
-	add_addr_ext(msg, policy->dst.net, SADB_EXT_ADDRESS_DST, policy->dst.proto,
-				 policy->dst.mask);
-
-	this->mutex->unlock(this->mutex);
-
-	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
-	{
-		DBG1(DBG_KNL, "unable to query policy %R === %R %N", src_ts, dst_ts,
-					   policy_dir_names, direction);
-		return FAILED;
-	}
-	else if (out->sadb_msg_errno)
-	{
-		DBG1(DBG_KNL, "unable to query policy %R === %R %N: %s (%d)", src_ts,
-					   dst_ts, policy_dir_names, direction,
-					   strerror(out->sadb_msg_errno), out->sadb_msg_errno);
-		free(out);
-		return FAILED;
-	}
-	else if (parse_pfkey_message(out, &response) != SUCCESS)
-	{
-		DBG1(DBG_KNL, "unable to query policy %R === %R %N: parsing response "
-				"from kernel failed", src_ts, dst_ts, policy_dir_names, direction);
-		free(out);
-		return FAILED;
-	}
-	else if (response.lft_current == NULL)
-	{
-		DBG1(DBG_KNL, "unable to query policy %R === %R %N: kernel reports no "
-			 "use time", src_ts, dst_ts, policy_dir_names, direction);
-		free(out);
-		return FAILED;
-	}
-	/* we need the monotonic time, but the kernel returns system time. */
-	if (response.lft_current->sadb_lifetime_usetime)
-	{
-		*use_time = time_monotonic(NULL) -
-					(time(NULL) - response.lft_current->sadb_lifetime_usetime);
-	}
-	else
-	{
-		*use_time = 0;
-	}
-	free(out);
-
-	return SUCCESS;
-}
-
-METHOD(kernel_ipsec_t, del_policy, status_t,
-	private_kernel_pfkey_ipsec_t *this, traffic_selector_t *src_ts,
-	traffic_selector_t *dst_ts, policy_dir_t direction, mark_t mark,
-	bool unrouted)
-{
-	unsigned char request[PFKEY_BUFFER_SIZE];
-	struct sadb_msg *msg, *out;
-	struct sadb_x_policy *pol;
-	policy_entry_t *policy, *found = NULL;
-	route_entry_t *route;
-	size_t len;
-
-	if (dir2kernel(direction) == IPSEC_DIR_INVALID)
-	{
-		/* FWD policies are not supported on all platforms */
-		return SUCCESS;
-	}
-
-	DBG2(DBG_KNL, "deleting policy %R === %R %N", src_ts, dst_ts,
-				   policy_dir_names, direction);
-
-	/* create a policy */
-	policy = create_policy_entry(src_ts, dst_ts, direction, 0);
-
-	/* find a matching policy */
-	this->mutex->lock(this->mutex);
-	if (this->policies->find_first(this->policies,
-			(linked_list_match_t)policy_entry_equals, (void**)&found, policy) == SUCCESS)
-	{
-		if (--found->refcount > 0)
-		{
-			/* is used by more SAs, keep in kernel */
-			DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed");
-			policy_entry_destroy(policy);
-			this->mutex->unlock(this->mutex);
-			return SUCCESS;
-		}
-		/* remove if last reference */
-		this->policies->remove(this->policies, found, NULL);
-		policy_entry_destroy(policy);
-		policy = found;
-	}
-	else
-	{
-		DBG1(DBG_KNL, "deleting policy %R === %R %N failed, not found", src_ts,
-					   dst_ts, policy_dir_names, direction);
-		policy_entry_destroy(policy);
-		this->mutex->unlock(this->mutex);
-		return NOT_FOUND;
-	}
-	this->mutex->unlock(this->mutex);
-
-	memset(&request, 0, sizeof(request));
-
-	msg = (struct sadb_msg*)request;
-	msg->sadb_msg_version = PF_KEY_V2;
-	msg->sadb_msg_type = SADB_X_SPDDELETE;
-	msg->sadb_msg_satype = 0;
-	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
-
-	pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
-	pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
-	pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
-	pol->sadb_x_policy_dir = dir2kernel(direction);
-	pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
-	PFKEY_EXT_ADD(msg, pol);
-
-	add_addr_ext(msg, policy->src.net, SADB_EXT_ADDRESS_SRC, policy->src.proto,
-				 policy->src.mask);
-	add_addr_ext(msg, policy->dst.net, SADB_EXT_ADDRESS_DST, policy->dst.proto,
-				 policy->dst.mask);
-
-	route = policy->route;
-	policy->route = NULL;
-	policy_entry_destroy(policy);
-
-	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
-	{
-		DBG1(DBG_KNL, "unable to delete policy %R === %R %N", src_ts, dst_ts,
-					   policy_dir_names, direction);
-		return FAILED;
-	}
-	else if (out->sadb_msg_errno)
-	{
-		DBG1(DBG_KNL, "unable to delete policy %R === %R %N: %s (%d)", src_ts,
-					   dst_ts, policy_dir_names, direction,
-					   strerror(out->sadb_msg_errno), out->sadb_msg_errno);
-		free(out);
-		return FAILED;
-	}
-	free(out);
-
-	if (route)
-	{
-		if (charon->kernel_interface->del_route(charon->kernel_interface,
-				route->dst_net, route->prefixlen, route->gateway,
-				route->src_ip, route->if_name) != SUCCESS)
-		{
-			DBG1(DBG_KNL, "error uninstalling route installed with "
-						  "policy %R === %R %N", src_ts, dst_ts,
-						   policy_dir_names, direction);
-		}
-		route_entry_destroy(route);
-	}
-
-	return SUCCESS;
-}
-
-/**
- * Register a socket for AQUIRE/EXPIRE messages
- */
-static status_t register_pfkey_socket(private_kernel_pfkey_ipsec_t *this,
-									  u_int8_t satype)
-{
-	unsigned char request[PFKEY_BUFFER_SIZE];
-	struct sadb_msg *msg, *out;
-	size_t len;
-
-	memset(&request, 0, sizeof(request));
-
-	msg = (struct sadb_msg*)request;
-	msg->sadb_msg_version = PF_KEY_V2;
-	msg->sadb_msg_type = SADB_REGISTER;
-	msg->sadb_msg_satype = satype;
-	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
-
-	if (pfkey_send_socket(this, this->socket_events, msg, &out, &len) != SUCCESS)
-	{
-		DBG1(DBG_KNL, "unable to register PF_KEY socket");
-		return FAILED;
-	}
-	else if (out->sadb_msg_errno)
-	{
-		DBG1(DBG_KNL, "unable to register PF_KEY socket: %s (%d)",
-					   strerror(out->sadb_msg_errno), out->sadb_msg_errno);
-		free(out);
-		return FAILED;
-	}
-	free(out);
-	return SUCCESS;
-}
-
-METHOD(kernel_ipsec_t, bypass_socket, bool,
-	private_kernel_pfkey_ipsec_t *this, int fd, int family)
-{
-	struct sadb_x_policy policy;
-	u_int sol, ipsec_policy;
-
-	switch (family)
-	{
-		case AF_INET:
-		{
-			sol = SOL_IP;
-			ipsec_policy = IP_IPSEC_POLICY;
-			break;
-		}
-		case AF_INET6:
-		{
-			sol = SOL_IPV6;
-			ipsec_policy = IPV6_IPSEC_POLICY;
-			break;
-		}
-		default:
-			return FALSE;
-	}
-
-	memset(&policy, 0, sizeof(policy));
-	policy.sadb_x_policy_len = sizeof(policy) / sizeof(u_int64_t);
-	policy.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
-	policy.sadb_x_policy_type = IPSEC_POLICY_BYPASS;
-
-	policy.sadb_x_policy_dir = IPSEC_DIR_OUTBOUND;
-	if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
-	{
-		DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
-			 strerror(errno));
-		return FALSE;
-	}
-	policy.sadb_x_policy_dir = IPSEC_DIR_INBOUND;
-	if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
-	{
-		DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
-			 strerror(errno));
-		return FALSE;
-	}
-	return TRUE;
-}
-
-METHOD(kernel_ipsec_t, destroy, void,
-	private_kernel_pfkey_ipsec_t *this)
-{
-	if (this->job)
-	{
-		this->job->cancel(this->job);
-	}
-	if (this->socket > 0)
-	{
-		close(this->socket);
-	}
-	if (this->socket_events > 0)
-	{
-		close(this->socket_events);
-	}
-	this->policies->destroy_function(this->policies, (void*)policy_entry_destroy);
-	this->mutex->destroy(this->mutex);
-	this->mutex_pfkey->destroy(this->mutex_pfkey);
-	free(this);
-}
-
-/*
- * Described in header.
- */
-kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create()
-{
-	private_kernel_pfkey_ipsec_t *this;
-
-	INIT(this,
-		.public.interface = {
-			.get_spi = _get_spi,
-			.get_cpi = _get_cpi,
-			.add_sa  = _add_sa,
-			.update_sa = _update_sa,
-			.query_sa = _query_sa,
-			.del_sa = _del_sa,
-			.add_policy = _add_policy,
-			.query_policy = _query_policy,
-			.del_policy = _del_policy,
-			.bypass_socket = _bypass_socket,
-			.destroy = _destroy,
-		},
-		.policies = linked_list_create(),
-		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
-		.mutex_pfkey = mutex_create(MUTEX_TYPE_DEFAULT),
-		.install_routes = lib->settings->get_bool(lib->settings,
-												"charon.install_routes", TRUE),
-	);
-
-	/* create a PF_KEY socket to communicate with the kernel */
-	this->socket = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
-	if (this->socket <= 0)
-	{
-		DBG1(DBG_KNL, "unable to create PF_KEY socket");
-		destroy(this);
-		return NULL;
-	}
-
-	/* create a PF_KEY socket for ACQUIRE & EXPIRE */
-	this->socket_events = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
-	if (this->socket_events <= 0)
-	{
-		DBG1(DBG_KNL, "unable to create PF_KEY event socket");
-		destroy(this);
-		return NULL;
-	}
-
-	/* register the event socket */
-	if (register_pfkey_socket(this, SADB_SATYPE_ESP) != SUCCESS ||
-		register_pfkey_socket(this, SADB_SATYPE_AH) != SUCCESS)
-	{
-		DBG1(DBG_KNL, "unable to register PF_KEY event socket");
-		destroy(this);
-		return NULL;
-	}
-
-	this->job = callback_job_create((callback_job_cb_t)receive_events,
-									this, NULL, NULL);
-	charon->processor->queue_job(charon->processor, (job_t*)this->job);
-
-	return &this->public;
-}
-
diff --git a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.h b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.h
deleted file mode 100644
index 649f93733..000000000
--- a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.h
+++ /dev/null
@@ -1,46 +0,0 @@
-/*
- * Copyright (C) 2008 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup kernel_pfkey_ipsec_i kernel_pfkey_ipsec
- * @{ @ingroup kernel_pfkey
- */
-
-#ifndef KERNEL_PFKEY_IPSEC_H_
-#define KERNEL_PFKEY_IPSEC_H_
-
-#include <kernel/kernel_ipsec.h>
-
-typedef struct kernel_pfkey_ipsec_t kernel_pfkey_ipsec_t;
-
-/**
- * Implementation of the kernel ipsec interface using PF_KEY.
- */
-struct kernel_pfkey_ipsec_t {
-
-	/**
-	 * Implements kernel_ipsec_t interface
-	 */
-	kernel_ipsec_t interface;
-};
-
-/**
- * Create a PF_KEY kernel ipsec interface instance.
- *
- * @return			kernel_pfkey_ipsec_t instance
- */
-kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create();
-
-#endif /** KERNEL_PFKEY_IPSEC_H_ @}*/
diff --git a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_plugin.c b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_plugin.c
deleted file mode 100644
index b84ccf150..000000000
--- a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_plugin.c
+++ /dev/null
@@ -1,56 +0,0 @@
-/*
- * Copyright (C) 2008 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-
-#include "kernel_pfkey_plugin.h"
-
-#include "kernel_pfkey_ipsec.h"
-
-#include <daemon.h>
-
-typedef struct private_kernel_pfkey_plugin_t private_kernel_pfkey_plugin_t;
-
-/**
- * private data of kernel PF_KEY plugin
- */
-struct private_kernel_pfkey_plugin_t {
-	/**
-	 * implements plugin interface
-	 */
-	kernel_pfkey_plugin_t public;
-};
-
-/**
- * Implementation of plugin_t.destroy
- */
-static void destroy(private_kernel_pfkey_plugin_t *this)
-{
-	charon->kernel_interface->remove_ipsec_interface(charon->kernel_interface, (kernel_ipsec_constructor_t)kernel_pfkey_ipsec_create);
-	free(this);
-}
-
-/*
- * see header file
- */
-plugin_t *kernel_pfkey_plugin_create()
-{
-	private_kernel_pfkey_plugin_t *this = malloc_thing(private_kernel_pfkey_plugin_t);
-
-	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-
-	charon->kernel_interface->add_ipsec_interface(charon->kernel_interface, (kernel_ipsec_constructor_t)kernel_pfkey_ipsec_create);
-
-	return &this->public.plugin;
-}
diff --git a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_plugin.h b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_plugin.h
deleted file mode 100644
index ecccc6303..000000000
--- a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_plugin.h
+++ /dev/null
@@ -1,42 +0,0 @@
-/*
- * Copyright (C) 2008 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup kernel_pfkey kernel_pfkey
- * @ingroup cplugins
- *
- * @defgroup kernel_pfkey_plugin kernel_pfkey_plugin
- * @{ @ingroup kernel_pfkey
- */
-
-#ifndef KERNEL_PFKEY_PLUGIN_H_
-#define KERNEL_PFKEY_PLUGIN_H_
-
-#include <plugins/plugin.h>
-
-typedef struct kernel_pfkey_plugin_t kernel_pfkey_plugin_t;
-
-/**
- * PF_KEY kernel interface plugin
- */
-struct kernel_pfkey_plugin_t {
-
-	/**
-	 * implements plugin interface
-	 */
-	plugin_t plugin;
-};
-
-#endif /** KERNEL_PFKEY_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/kernel_pfroute/Makefile.am b/src/libcharon/plugins/kernel_pfroute/Makefile.am
deleted file mode 100644
index 83db48160..000000000
--- a/src/libcharon/plugins/kernel_pfroute/Makefile.am
+++ /dev/null
@@ -1,17 +0,0 @@
-
-INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra -I$(top_srcdir)/src/libcharon
-
-AM_CFLAGS = -rdynamic
-
-if MONOLITHIC
-noinst_LTLIBRARIES = libstrongswan-kernel-pfroute.la
-else
-plugin_LTLIBRARIES = libstrongswan-kernel-pfroute.la
-endif
-
-libstrongswan_kernel_pfroute_la_SOURCES = \
-	kernel_pfroute_plugin.h kernel_pfroute_plugin.c \
-	kernel_pfroute_net.h kernel_pfroute_net.c
-
-libstrongswan_kernel_pfroute_la_LDFLAGS = -module -avoid-version
diff --git a/src/libcharon/plugins/kernel_pfroute/Makefile.in b/src/libcharon/plugins/kernel_pfroute/Makefile.in
deleted file mode 100644
index f78a97013..000000000
--- a/src/libcharon/plugins/kernel_pfroute/Makefile.in
+++ /dev/null
@@ -1,590 +0,0 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
-# @configure_input@
-
-# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
-# This Makefile.in is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
-# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
-# PARTICULAR PURPOSE.
-
-@SET_MAKE@
-
-VPATH = @srcdir@
-pkgdatadir = $(datadir)/@PACKAGE@
-pkgincludedir = $(includedir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
-pkglibexecdir = $(libexecdir)/@PACKAGE@
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-install_sh_DATA = $(install_sh) -c -m 644
-install_sh_PROGRAM = $(install_sh) -c
-install_sh_SCRIPT = $(install_sh) -c
-INSTALL_HEADER = $(INSTALL_DATA)
-transform = $(program_transform_name)
-NORMAL_INSTALL = :
-PRE_INSTALL = :
-POST_INSTALL = :
-NORMAL_UNINSTALL = :
-PRE_UNINSTALL = :
-POST_UNINSTALL = :
-build_triplet = @build@
-host_triplet = @host@
-subdir = src/libcharon/plugins/kernel_pfroute
-DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
-ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
-	$(top_srcdir)/m4/config/ltoptions.m4 \
-	$(top_srcdir)/m4/config/ltsugar.m4 \
-	$(top_srcdir)/m4/config/ltversion.m4 \
-	$(top_srcdir)/m4/config/lt~obsolete.m4 \
-	$(top_srcdir)/m4/macros/with.m4 \
-	$(top_srcdir)/m4/macros/enable-disable.m4 \
-	$(top_srcdir)/configure.in
-am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
-	$(ACLOCAL_M4)
-mkinstalldirs = $(install_sh) -d
-CONFIG_CLEAN_FILES =
-CONFIG_CLEAN_VPATH_FILES =
-am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
-am__vpath_adj = case $$p in \
-    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
-    *) f=$$p;; \
-  esac;
-am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
-am__install_max = 40
-am__nobase_strip_setup = \
-  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
-am__nobase_strip = \
-  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
-am__nobase_list = $(am__nobase_strip_setup); \
-  for p in $$list; do echo "$$p $$p"; done | \
-  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
-  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
-    if (++n[$$2] == $(am__install_max)) \
-      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
-    END { for (dir in files) print dir, files[dir] }'
-am__base_list = \
-  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
-  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
-am__installdirs = "$(DESTDIR)$(plugindir)"
-LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
-libstrongswan_kernel_pfroute_la_LIBADD =
-am_libstrongswan_kernel_pfroute_la_OBJECTS = kernel_pfroute_plugin.lo \
-	kernel_pfroute_net.lo
-libstrongswan_kernel_pfroute_la_OBJECTS =  \
-	$(am_libstrongswan_kernel_pfroute_la_OBJECTS)
-libstrongswan_kernel_pfroute_la_LINK = $(LIBTOOL) --tag=CC \
-	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
-	$(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_kernel_pfroute_la_LDFLAGS) $(LDFLAGS) -o $@
-@MONOLITHIC_FALSE@am_libstrongswan_kernel_pfroute_la_rpath = -rpath \
-@MONOLITHIC_FALSE@	$(plugindir)
-@MONOLITHIC_TRUE@am_libstrongswan_kernel_pfroute_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
-depcomp = $(SHELL) $(top_srcdir)/depcomp
-am__depfiles_maybe = depfiles
-am__mv = mv -f
-COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
-	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
-SOURCES = $(libstrongswan_kernel_pfroute_la_SOURCES)
-DIST_SOURCES = $(libstrongswan_kernel_pfroute_la_SOURCES)
-ETAGS = etags
-CTAGS = ctags
-DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
-ACLOCAL = @ACLOCAL@
-ALLOCA = @ALLOCA@
-AMTAR = @AMTAR@
-AR = @AR@
-AUTOCONF = @AUTOCONF@
-AUTOHEADER = @AUTOHEADER@
-AUTOMAKE = @AUTOMAKE@
-AWK = @AWK@
-BTLIB = @BTLIB@
-CC = @CC@
-CCDEPMODE = @CCDEPMODE@
-CFLAGS = @CFLAGS@
-CPP = @CPP@
-CPPFLAGS = @CPPFLAGS@
-CYGPATH_W = @CYGPATH_W@
-DEFS = @DEFS@
-DEPDIR = @DEPDIR@
-DLLIB = @DLLIB@
-DSYMUTIL = @DSYMUTIL@
-DUMPBIN = @DUMPBIN@
-ECHO_C = @ECHO_C@
-ECHO_N = @ECHO_N@
-ECHO_T = @ECHO_T@
-EGREP = @EGREP@
-EXEEXT = @EXEEXT@
-FGREP = @FGREP@
-GPERF = @GPERF@
-GREP = @GREP@
-INSTALL = @INSTALL@
-INSTALL_DATA = @INSTALL_DATA@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@
-INSTALL_SCRIPT = @INSTALL_SCRIPT@
-INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-LD = @LD@
-LDFLAGS = @LDFLAGS@
-LEX = @LEX@
-LEXLIB = @LEXLIB@
-LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBOBJS = @LIBOBJS@
-LIBS = @LIBS@
-LIBTOOL = @LIBTOOL@
-LIPO = @LIPO@
-LN_S = @LN_S@
-LTLIBOBJS = @LTLIBOBJS@
-MAKEINFO = @MAKEINFO@
-MKDIR_P = @MKDIR_P@
-MYSQLCFLAG = @MYSQLCFLAG@
-MYSQLCONFIG = @MYSQLCONFIG@
-MYSQLLIB = @MYSQLLIB@
-NM = @NM@
-NMEDIT = @NMEDIT@
-OBJDUMP = @OBJDUMP@
-OBJEXT = @OBJEXT@
-OTOOL = @OTOOL@
-OTOOL64 = @OTOOL64@
-PACKAGE = @PACKAGE@
-PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
-PACKAGE_NAME = @PACKAGE_NAME@
-PACKAGE_STRING = @PACKAGE_STRING@
-PACKAGE_TARNAME = @PACKAGE_TARNAME@
-PACKAGE_URL = @PACKAGE_URL@
-PACKAGE_VERSION = @PACKAGE_VERSION@
-PATH_SEPARATOR = @PATH_SEPARATOR@
-PERL = @PERL@
-PKG_CONFIG = @PKG_CONFIG@
-PTHREADLIB = @PTHREADLIB@
-RANLIB = @RANLIB@
-RTLIB = @RTLIB@
-RUBY = @RUBY@
-RUBYINCLUDE = @RUBYINCLUDE@
-SED = @SED@
-SET_MAKE = @SET_MAKE@
-SHELL = @SHELL@
-SOCKLIB = @SOCKLIB@
-STRIP = @STRIP@
-VERSION = @VERSION@
-YACC = @YACC@
-YFLAGS = @YFLAGS@
-abs_builddir = @abs_builddir@
-abs_srcdir = @abs_srcdir@
-abs_top_builddir = @abs_top_builddir@
-abs_top_srcdir = @abs_top_srcdir@
-ac_ct_CC = @ac_ct_CC@
-ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
-am__include = @am__include@
-am__leading_dot = @am__leading_dot@
-am__quote = @am__quote@
-am__tar = @am__tar@
-am__untar = @am__untar@
-bindir = @bindir@
-build = @build@
-build_alias = @build_alias@
-build_cpu = @build_cpu@
-build_os = @build_os@
-build_vendor = @build_vendor@
-builddir = @builddir@
-datadir = @datadir@
-datarootdir = @datarootdir@
-default_pkcs11 = @default_pkcs11@
-docdir = @docdir@
-dvidir = @dvidir@
-exec_prefix = @exec_prefix@
-gtk_CFLAGS = @gtk_CFLAGS@
-gtk_LIBS = @gtk_LIBS@
-host = @host@
-host_alias = @host_alias@
-host_cpu = @host_cpu@
-host_os = @host_os@
-host_vendor = @host_vendor@
-htmldir = @htmldir@
-includedir = @includedir@
-infodir = @infodir@
-install_sh = @install_sh@
-ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
-ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
-ipsecuser = @ipsecuser@
-libdir = @libdir@
-libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
-linux_headers = @linux_headers@
-localedir = @localedir@
-localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
-mandir = @mandir@
-mkdir_p = @mkdir_p@
-nm_CFLAGS = @nm_CFLAGS@
-nm_LIBS = @nm_LIBS@
-nm_ca_dir = @nm_ca_dir@
-oldincludedir = @oldincludedir@
-pdfdir = @pdfdir@
-piddir = @piddir@
-plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
-prefix = @prefix@
-program_transform_name = @program_transform_name@
-psdir = @psdir@
-random_device = @random_device@
-resolv_conf = @resolv_conf@
-routing_table = @routing_table@
-routing_table_prio = @routing_table_prio@
-sbindir = @sbindir@
-sharedstatedir = @sharedstatedir@
-srcdir = @srcdir@
-strongswan_conf = @strongswan_conf@
-sysconfdir = @sysconfdir@
-target_alias = @target_alias@
-top_build_prefix = @top_build_prefix@
-top_builddir = @top_builddir@
-top_srcdir = @top_srcdir@
-urandom_device = @urandom_device@
-xml_CFLAGS = @xml_CFLAGS@
-xml_LIBS = @xml_LIBS@
-INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra -I$(top_srcdir)/src/libcharon
-
-AM_CFLAGS = -rdynamic
-@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-kernel-pfroute.la
-@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-kernel-pfroute.la
-libstrongswan_kernel_pfroute_la_SOURCES = \
-	kernel_pfroute_plugin.h kernel_pfroute_plugin.c \
-	kernel_pfroute_net.h kernel_pfroute_net.c
-
-libstrongswan_kernel_pfroute_la_LDFLAGS = -module -avoid-version
-all: all-am
-
-.SUFFIXES:
-.SUFFIXES: .c .lo .o .obj
-$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
-	@for dep in $?; do \
-	  case '$(am__configure_deps)' in \
-	    *$$dep*) \
-	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
-	        && { if test -f $@; then exit 0; else break; fi; }; \
-	      exit 1;; \
-	  esac; \
-	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/kernel_pfroute/Makefile'; \
-	$(am__cd) $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu src/libcharon/plugins/kernel_pfroute/Makefile
-.PRECIOUS: Makefile
-Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
-	@case '$?' in \
-	  *config.status*) \
-	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
-	  *) \
-	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
-	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
-	esac;
-
-$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-
-$(top_srcdir)/configure:  $(am__configure_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(am__aclocal_m4_deps):
-
-clean-noinstLTLIBRARIES:
-	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
-	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
-	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
-	  test "$$dir" != "$$p" || dir=.; \
-	  echo "rm -f \"$${dir}/so_locations\""; \
-	  rm -f "$${dir}/so_locations"; \
-	done
-install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
-	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
-	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
-	list2=; for p in $$list; do \
-	  if test -f $$p; then \
-	    list2="$$list2 $$p"; \
-	  else :; fi; \
-	done; \
-	test -z "$$list2" || { \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
-	}
-
-uninstall-pluginLTLIBRARIES:
-	@$(NORMAL_UNINSTALL)
-	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
-	for p in $$list; do \
-	  $(am__strip_dir) \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
-	done
-
-clean-pluginLTLIBRARIES:
-	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
-	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
-	  test "$$dir" != "$$p" || dir=.; \
-	  echo "rm -f \"$${dir}/so_locations\""; \
-	  rm -f "$${dir}/so_locations"; \
-	done
-libstrongswan-kernel-pfroute.la: $(libstrongswan_kernel_pfroute_la_OBJECTS) $(libstrongswan_kernel_pfroute_la_DEPENDENCIES) 
-	$(libstrongswan_kernel_pfroute_la_LINK) $(am_libstrongswan_kernel_pfroute_la_rpath) $(libstrongswan_kernel_pfroute_la_OBJECTS) $(libstrongswan_kernel_pfroute_la_LIBADD) $(LIBS)
-
-mostlyclean-compile:
-	-rm -f *.$(OBJEXT)
-
-distclean-compile:
-	-rm -f *.tab.c
-
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_pfroute_net.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_pfroute_plugin.Plo@am__quote@
-
-.c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
-
-.c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
-
-.c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
-
-mostlyclean-libtool:
-	-rm -f *.lo
-
-clean-libtool:
-	-rm -rf .libs _libs
-
-ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
-	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	mkid -fID $$unique
-tags: TAGS
-
-TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	set x; \
-	here=`pwd`; \
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	shift; \
-	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
-	  test -n "$$unique" || unique=$$empty_fix; \
-	  if test $$# -gt 0; then \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      "$$@" $$unique; \
-	  else \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      $$unique; \
-	  fi; \
-	fi
-ctags: CTAGS
-CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$unique" \
-	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$unique
-
-GTAGS:
-	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && $(am__cd) $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) "$$here"
-
-distclean-tags:
-	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
-
-distdir: $(DISTFILES)
-	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	list='$(DISTFILES)'; \
-	  dist_files=`for file in $$list; do echo $$file; done | \
-	  sed -e "s|^$$srcdirstrip/||;t" \
-	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
-	case $$dist_files in \
-	  */*) $(MKDIR_P) `echo "$$dist_files" | \
-			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
-			   sort -u` ;; \
-	esac; \
-	for file in $$dist_files; do \
-	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  if test -d $$d/$$file; then \
-	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
-	    if test -d "$(distdir)/$$file"; then \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
-	  else \
-	    test -f "$(distdir)/$$file" \
-	    || cp -p $$d/$$file "$(distdir)/$$file" \
-	    || exit 1; \
-	  fi; \
-	done
-check-am: all-am
-check: check-am
-all-am: Makefile $(LTLIBRARIES)
-installdirs:
-	for dir in "$(DESTDIR)$(plugindir)"; do \
-	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
-	done
-install: install-am
-install-exec: install-exec-am
-install-data: install-data-am
-uninstall: uninstall-am
-
-install-am: all-am
-	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
-
-installcheck: installcheck-am
-install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
-mostlyclean-generic:
-
-clean-generic:
-
-distclean-generic:
-	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
-
-maintainer-clean-generic:
-	@echo "This command is intended for maintainers to use"
-	@echo "it deletes files that may require special tools to rebuild."
-clean: clean-am
-
-clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
-	clean-pluginLTLIBRARIES mostlyclean-am
-
-distclean: distclean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-distclean-am: clean-am distclean-compile distclean-generic \
-	distclean-tags
-
-dvi: dvi-am
-
-dvi-am:
-
-html: html-am
-
-html-am:
-
-info: info-am
-
-info-am:
-
-install-data-am: install-pluginLTLIBRARIES
-
-install-dvi: install-dvi-am
-
-install-dvi-am:
-
-install-exec-am:
-
-install-html: install-html-am
-
-install-html-am:
-
-install-info: install-info-am
-
-install-info-am:
-
-install-man:
-
-install-pdf: install-pdf-am
-
-install-pdf-am:
-
-install-ps: install-ps-am
-
-install-ps-am:
-
-installcheck-am:
-
-maintainer-clean: maintainer-clean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-maintainer-clean-am: distclean-am maintainer-clean-generic
-
-mostlyclean: mostlyclean-am
-
-mostlyclean-am: mostlyclean-compile mostlyclean-generic \
-	mostlyclean-libtool
-
-pdf: pdf-am
-
-pdf-am:
-
-ps: ps-am
-
-ps-am:
-
-uninstall-am: uninstall-pluginLTLIBRARIES
-
-.MAKE: install-am install-strip
-
-.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
-	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
-	ctags distclean distclean-compile distclean-generic \
-	distclean-libtool distclean-tags distdir dvi dvi-am html \
-	html-am info info-am install install-am install-data \
-	install-data-am install-dvi install-dvi-am install-exec \
-	install-exec-am install-html install-html-am install-info \
-	install-info-am install-man install-pdf install-pdf-am \
-	install-pluginLTLIBRARIES install-ps install-ps-am \
-	install-strip installcheck installcheck-am installdirs \
-	maintainer-clean maintainer-clean-generic mostlyclean \
-	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
-	pdf pdf-am ps ps-am tags uninstall uninstall-am \
-	uninstall-pluginLTLIBRARIES
-
-
-# Tell versions [3.59,3.63) of GNU make to not export all variables.
-# Otherwise a system limit (for SysV at least) may be exceeded.
-.NOEXPORT:
diff --git a/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_net.c b/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_net.c
deleted file mode 100644
index 97c019b58..000000000
--- a/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_net.c
+++ /dev/null
@@ -1,729 +0,0 @@
-/*
- * Copyright (C) 2009 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <net/if.h>
-#include <ifaddrs.h>
-#include <net/route.h>
-#include <unistd.h>
-#include <errno.h>
-
-#include "kernel_pfroute_net.h"
-
-#include <daemon.h>
-#include <utils/host.h>
-#include <threading/thread.h>
-#include <threading/mutex.h>
-#include <utils/linked_list.h>
-#include <processing/jobs/callback_job.h>
-#include <processing/jobs/roam_job.h>
-
-#ifndef HAVE_STRUCT_SOCKADDR_SA_LEN
-#error Cannot compile this plugin on systems where 'struct sockaddr' has no sa_len member.
-#endif
-
-/** delay before firing roam jobs (ms) */
-#define ROAM_DELAY 100
-
-/** buffer size for PF_ROUTE messages */
-#define PFROUTE_BUFFER_SIZE 4096
-
-typedef struct addr_entry_t addr_entry_t;
-
-/**
- * IP address in an inface_entry_t
- */
-struct addr_entry_t {
-
-	/** The ip address */
-	host_t *ip;
-
-	/** virtual IP managed by us */
-	bool virtual;
-
-	/** Number of times this IP is used, if virtual */
-	u_int refcount;
-};
-
-/**
- * destroy a addr_entry_t object
- */
-static void addr_entry_destroy(addr_entry_t *this)
-{
-	this->ip->destroy(this->ip);
-	free(this);
-}
-
-typedef struct iface_entry_t iface_entry_t;
-
-/**
- * A network interface on this system, containing addr_entry_t's
- */
-struct iface_entry_t {
-
-	/** interface index */
-	int ifindex;
-
-	/** name of the interface */
-	char ifname[IFNAMSIZ];
-
-	/** interface flags, as in netdevice(7) SIOCGIFFLAGS */
-	u_int flags;
-
-	/** list of addresses as host_t */
-	linked_list_t *addrs;
-};
-
-/**
- * destroy an interface entry
- */
-static void iface_entry_destroy(iface_entry_t *this)
-{
-	this->addrs->destroy_function(this->addrs, (void*)addr_entry_destroy);
-	free(this);
-}
-
-
-typedef struct private_kernel_pfroute_net_t private_kernel_pfroute_net_t;
-
-/**
- * Private variables and functions of kernel_pfroute class.
- */
-struct private_kernel_pfroute_net_t
-{
-	/**
-	 * Public part of the kernel_pfroute_t object.
-	 */
-	kernel_pfroute_net_t public;
-
-	/**
-	 * mutex to lock access to various lists
-	 */
-	mutex_t *mutex;
-
-	/**
-	 * Cached list of interfaces and their addresses (iface_entry_t)
-	 */
-	linked_list_t *ifaces;
-
-	/**
-	 * job receiving PF_ROUTE events
-	 */
-	callback_job_t *job;
-
-	/**
-	 * mutex to lock access to the PF_ROUTE socket
-	 */
-	mutex_t *mutex_pfroute;
-
-	/**
-	 * PF_ROUTE socket to communicate with the kernel
-	 */
-	int socket;
-
-	/**
-	 * PF_ROUTE socket to receive events
-	 */
-	int socket_events;
-
-	/**
-	 * sequence number for messages sent to the kernel
-	 */
-	int seq;
-
-	/**
-	 * time of last roam job
-	 */
-	timeval_t last_roam;
-};
-
-/**
- * Start a roaming job. We delay it a bit and fire only one job
- * for multiple events. Otherwise we would create too many jobs.
- */
-static void fire_roam_job(private_kernel_pfroute_net_t *this, bool address)
-{
-	timeval_t now;
-
-	time_monotonic(&now);
-	if (timercmp(&now, &this->last_roam, >))
-	{
-		now.tv_usec += ROAM_DELAY * 1000;
-		while (now.tv_usec > 1000000)
-		{
-			now.tv_sec++;
-			now.tv_usec -= 1000000;
-		}
-		this->last_roam = now;
-		charon->scheduler->schedule_job_ms(charon->scheduler,
-			(job_t*)roam_job_create(address), ROAM_DELAY);
-	}
-}
-
-/**
- * Process an RTM_*ADDR message from the kernel
- */
-static void process_addr(private_kernel_pfroute_net_t *this,
-						 struct rt_msghdr *msg)
-{
-	struct ifa_msghdr *ifa = (struct ifa_msghdr*)msg;
-	sockaddr_t *sockaddr = (sockaddr_t*)(ifa + 1);
-	host_t *host = NULL;
-	enumerator_t *ifaces, *addrs;
-	iface_entry_t *iface;
-	addr_entry_t *addr;
-	bool found = FALSE, changed = FALSE, roam = FALSE;
-	int i;
-
-	for (i = 1; i < (1 << RTAX_MAX); i <<= 1)
-	{
-		if (ifa->ifam_addrs & i)
-		{
-			if (RTA_IFA & i)
-			{
-				host = host_create_from_sockaddr(sockaddr);
-				break;
-			}
-			sockaddr = (sockaddr_t*)((char*)sockaddr + sockaddr->sa_len);
-		}
-	}
-
-	if (!host)
-	{
-		return;
-	}
-
-	this->mutex->lock(this->mutex);
-	ifaces = this->ifaces->create_enumerator(this->ifaces);
-	while (ifaces->enumerate(ifaces, &iface))
-	{
-		if (iface->ifindex == ifa->ifam_index)
-		{
-			addrs = iface->addrs->create_enumerator(iface->addrs);
-			while (addrs->enumerate(addrs, &addr))
-			{
-				if (host->ip_equals(host, addr->ip))
-				{
-					found = TRUE;
-					if (ifa->ifam_type == RTM_DELADDR)
-					{
-						iface->addrs->remove_at(iface->addrs, addrs);
-						if (!addr->virtual)
-						{
-							changed = TRUE;
-							DBG1(DBG_KNL, "%H disappeared from %s",
-								 host, iface->ifname);
-						}
-						addr_entry_destroy(addr);
-					}
-					else if (ifa->ifam_type == RTM_NEWADDR && addr->virtual)
-					{
-						addr->refcount = 1;
-					}
-				}
-			}
-			addrs->destroy(addrs);
-
-			if (!found && ifa->ifam_type == RTM_NEWADDR)
-			{
-				changed = TRUE;
-				addr = malloc_thing(addr_entry_t);
-				addr->ip = host->clone(host);
-				addr->virtual = FALSE;
-				addr->refcount = 1;
-				iface->addrs->insert_last(iface->addrs, addr);
-				DBG1(DBG_KNL, "%H appeared on %s", host, iface->ifname);
-			}
-
-			if (changed && (iface->flags & IFF_UP))
-			{
-				roam = TRUE;
-			}
-			break;
-		}
-	}
-	ifaces->destroy(ifaces);
-	this->mutex->unlock(this->mutex);
-	host->destroy(host);
-
-	if (roam)
-	{
-		fire_roam_job(this, TRUE);
-	}
-}
-
-/**
- * Process an RTM_IFINFO message from the kernel
- */
-static void process_link(private_kernel_pfroute_net_t *this,
-						 struct rt_msghdr *hdr)
-{
-	struct if_msghdr *msg = (struct if_msghdr*)hdr;
-	enumerator_t *enumerator;
-	iface_entry_t *iface;
-	bool roam = FALSE;
-
-	if (msg->ifm_flags & IFF_LOOPBACK)
-	{	/* ignore loopback interfaces */
-		return;
-	}
-
-	this->mutex->lock(this->mutex);
-	enumerator = this->ifaces->create_enumerator(this->ifaces);
-	while (enumerator->enumerate(enumerator, &iface))
-	{
-		if (iface->ifindex == msg->ifm_index)
-		{
-			if (!(iface->flags & IFF_UP) && (msg->ifm_flags & IFF_UP))
-			{
-				roam = TRUE;
-				DBG1(DBG_KNL, "interface %s activated", iface->ifname);
-			}
-			else if ((iface->flags & IFF_UP) && !(msg->ifm_flags & IFF_UP))
-			{
-				roam = TRUE;
-				DBG1(DBG_KNL, "interface %s deactivated", iface->ifname);
-			}
-			iface->flags = msg->ifm_flags;
-			break;
-		}
-	}
-	enumerator->destroy(enumerator);
-	this->mutex->unlock(this->mutex);
-
-	if (roam)
-	{
-		fire_roam_job(this, TRUE);
-	}
-}
-
-/**
- * Process an RTM_*ROUTE message from the kernel
- */
-static void process_route(private_kernel_pfroute_net_t *this,
-						  struct rt_msghdr *msg)
-{
-
-}
-
-/**
- * Receives events from kernel
- */
-static job_requeue_t receive_events(private_kernel_pfroute_net_t *this)
-{
-	unsigned char buf[PFROUTE_BUFFER_SIZE];
-	struct rt_msghdr *msg = (struct rt_msghdr*)buf;
-	int len;
-	bool oldstate;
-
-	oldstate = thread_cancelability(TRUE);
-	len = recvfrom(this->socket_events, buf, sizeof(buf), 0, NULL, 0);
-	thread_cancelability(oldstate);
-
-	if (len < 0)
-	{
-		switch (errno)
-		{
-			case EINTR:
-				/* interrupted, try again */
-				return JOB_REQUEUE_DIRECT;
-			case EAGAIN:
-				/* no data ready, select again */
-				return JOB_REQUEUE_DIRECT;
-			default:
-				DBG1(DBG_KNL, "unable to receive from PF_ROUTE event socket");
-				sleep(1);
-				return JOB_REQUEUE_FAIR;
-		}
-	}
-
-	if (len < sizeof(msg->rtm_msglen) || len < msg->rtm_msglen ||
-		msg->rtm_version != RTM_VERSION)
-	{
-		DBG2(DBG_KNL, "received corrupted PF_ROUTE message");
-		return JOB_REQUEUE_DIRECT;
-	}
-
-	switch (msg->rtm_type)
-	{
-		case RTM_NEWADDR:
-		case RTM_DELADDR:
-			process_addr(this, msg);
-			break;
-		case RTM_IFINFO:
-		/*case RTM_IFANNOUNCE <- what about this*/
-			process_link(this, msg);
-			break;
-		case RTM_ADD:
-		case RTM_DELETE:
-			process_route(this, msg);
-		default:
-			break;
-	}
-
-	return JOB_REQUEUE_DIRECT;
-}
-
-
-/** enumerator over addresses */
-typedef struct {
-	private_kernel_pfroute_net_t* this;
-	/** whether to enumerate down interfaces */
-	bool include_down_ifaces;
-	/** whether to enumerate virtual ip addresses */
-	bool include_virtual_ips;
-} address_enumerator_t;
-
-/**
- * cleanup function for address enumerator
- */
-static void address_enumerator_destroy(address_enumerator_t *data)
-{
-	data->this->mutex->unlock(data->this->mutex);
-	free(data);
-}
-
-/**
- * filter for addresses
- */
-static bool filter_addresses(address_enumerator_t *data, addr_entry_t** in, host_t** out)
-{
-	host_t *ip;
-	if (!data->include_virtual_ips && (*in)->virtual)
-	{   /* skip virtual interfaces added by us */
-		return FALSE;
-	}
-	ip = (*in)->ip;
-	if (ip->get_family(ip) == AF_INET6)
-	{
-		struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)ip->get_sockaddr(ip);
-		if (IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr))
-		{   /* skip addresses with a unusable scope */
-			return FALSE;
-		}
-	}
-	*out = ip;
-	return TRUE;
-}
-
-/**
- * enumerator constructor for interfaces
- */
-static enumerator_t *create_iface_enumerator(iface_entry_t *iface, address_enumerator_t *data)
-{
-	return enumerator_create_filter(iface->addrs->create_enumerator(iface->addrs),
-									(void*)filter_addresses, data, NULL);
-}
-
-/**
- * filter for interfaces
- */
-static bool filter_interfaces(address_enumerator_t *data, iface_entry_t** in, iface_entry_t** out)
-{
-	if (!data->include_down_ifaces && !((*in)->flags & IFF_UP))
-	{   /* skip interfaces not up */
-		return FALSE;
-	}
-	*out = *in;
-	return TRUE;
-}
-
-/**
- * implementation of kernel_net_t.create_address_enumerator
- */
-static enumerator_t *create_address_enumerator(private_kernel_pfroute_net_t *this,
-		bool include_down_ifaces, bool include_virtual_ips)
-{
-	address_enumerator_t *data = malloc_thing(address_enumerator_t);
-	data->this = this;
-	data->include_down_ifaces = include_down_ifaces;
-	data->include_virtual_ips = include_virtual_ips;
-
-	this->mutex->lock(this->mutex);
-	return enumerator_create_nested(
-				enumerator_create_filter(this->ifaces->create_enumerator(this->ifaces),
-						(void*)filter_interfaces, data, NULL),
-				(void*)create_iface_enumerator, data, (void*)address_enumerator_destroy);
-}
-
-/**
- * implementation of kernel_net_t.get_interface_name
- */
-static char *get_interface_name(private_kernel_pfroute_net_t *this, host_t* ip)
-{
-	enumerator_t *ifaces, *addrs;
-	iface_entry_t *iface;
-	addr_entry_t *addr;
-	char *name = NULL;
-
-	DBG2(DBG_KNL, "getting interface name for %H", ip);
-
-	this->mutex->lock(this->mutex);
-	ifaces = this->ifaces->create_enumerator(this->ifaces);
-	while (ifaces->enumerate(ifaces, &iface))
-	{
-		addrs = iface->addrs->create_enumerator(iface->addrs);
-		while (addrs->enumerate(addrs, &addr))
-		{
-			if (ip->ip_equals(ip, addr->ip))
-			{
-				name = strdup(iface->ifname);
-				break;
-			}
-		}
-		addrs->destroy(addrs);
-		if (name)
-		{
-			break;
-		}
-	}
-	ifaces->destroy(ifaces);
-	this->mutex->unlock(this->mutex);
-
-	if (name)
-	{
-		DBG2(DBG_KNL, "%H is on interface %s", ip, name);
-	}
-	else
-	{
-		DBG2(DBG_KNL, "%H is not a local address", ip);
-	}
-	return name;
-}
-
-/**
- * Implementation of kernel_net_t.get_source_addr.
- */
-static host_t* get_source_addr(private_kernel_pfroute_net_t *this,
-							   host_t *dest, host_t *src)
-{
-	return NULL;
-}
-
-/**
- * Implementation of kernel_net_t.get_nexthop.
- */
-static host_t* get_nexthop(private_kernel_pfroute_net_t *this, host_t *dest)
-{
-	return NULL;
-}
-
-/**
- * Implementation of kernel_net_t.add_ip.
- */
-static status_t add_ip(private_kernel_pfroute_net_t *this,
-						host_t *virtual_ip, host_t *iface_ip)
-{
-	return FAILED;
-}
-
-/**
- * Implementation of kernel_net_t.del_ip.
- */
-static status_t del_ip(private_kernel_pfroute_net_t *this, host_t *virtual_ip)
-{
-	return FAILED;
-}
-
-/**
- * Implementation of kernel_net_t.add_route.
- */
-static status_t add_route(private_kernel_pfroute_net_t *this, chunk_t dst_net,
-		u_int8_t prefixlen, host_t *gateway, host_t *src_ip, char *if_name)
-{
-	return FAILED;
-}
-
-/**
- * Implementation of kernel_net_t.del_route.
- */
-static status_t del_route(private_kernel_pfroute_net_t *this, chunk_t dst_net,
-		u_int8_t prefixlen, host_t *gateway, host_t *src_ip, char *if_name)
-{
-	return FAILED;
-}
-
-/**
- * Initialize a list of local addresses.
- */
-static status_t init_address_list(private_kernel_pfroute_net_t *this)
-{
-	struct ifaddrs *ifap, *ifa;
-	iface_entry_t *iface, *current;
-	addr_entry_t *addr;
-	enumerator_t *ifaces, *addrs;
-
-	DBG1(DBG_KNL, "listening on interfaces:");
-
-	if (getifaddrs(&ifap) < 0)
-	{
-		DBG1(DBG_KNL, "  failed to get interfaces!");
-		return FAILED;
-	}
-
-	for (ifa = ifap; ifa != NULL; ifa = ifa->ifa_next)
-	{
-		if (ifa->ifa_addr == NULL)
-		{
-			continue;
-		}
-		switch(ifa->ifa_addr->sa_family)
-		{
-			case AF_LINK:
-			case AF_INET:
-			case AF_INET6:
-			{
-				if (ifa->ifa_flags & IFF_LOOPBACK)
-				{	/* ignore loopback interfaces */
-					continue;
-				}
-
-				iface = NULL;
-				ifaces = this->ifaces->create_enumerator(this->ifaces);
-				while (ifaces->enumerate(ifaces, &current))
-				{
-					if (streq(current->ifname, ifa->ifa_name))
-					{
-						iface = current;
-						break;
-					}
-				}
-				ifaces->destroy(ifaces);
-
-				if (!iface)
-				{
-					iface = malloc_thing(iface_entry_t);
-					memcpy(iface->ifname, ifa->ifa_name, IFNAMSIZ);
-					iface->ifindex = if_nametoindex(ifa->ifa_name);
-					iface->flags = ifa->ifa_flags;
-					iface->addrs = linked_list_create();
-					this->ifaces->insert_last(this->ifaces, iface);
-				}
-
-				if (ifa->ifa_addr->sa_family != AF_LINK)
-				{
-					addr = malloc_thing(addr_entry_t);
-					addr->ip = host_create_from_sockaddr(ifa->ifa_addr);
-					addr->virtual = FALSE;
-					addr->refcount = 1;
-					iface->addrs->insert_last(iface->addrs, addr);
-				}
-			}
-		}
-	}
-	freeifaddrs(ifap);
-
-	ifaces = this->ifaces->create_enumerator(this->ifaces);
-	while (ifaces->enumerate(ifaces, &iface))
-	{
-		if (iface->flags & IFF_UP)
-		{
-			DBG1(DBG_KNL, "  %s", iface->ifname);
-			addrs = iface->addrs->create_enumerator(iface->addrs);
-			while (addrs->enumerate(addrs, (void**)&addr))
-			{
-				DBG1(DBG_KNL, "    %H", addr->ip);
-			}
-			addrs->destroy(addrs);
-		}
-	}
-	ifaces->destroy(ifaces);
-
-	return SUCCESS;
-}
-
-/**
- * Implementation of kernel_netlink_net_t.destroy.
- */
-static void destroy(private_kernel_pfroute_net_t *this)
-{
-	if (this->job)
-	{
-		this->job->cancel(this->job);
-	}
-	if (this->socket > 0)
-	{
-		close(this->socket);
-	}
-	if (this->socket_events)
-	{
-		close(this->socket_events);
-	}
-	this->ifaces->destroy_function(this->ifaces, (void*)iface_entry_destroy);
-	this->mutex->destroy(this->mutex);
-	this->mutex_pfroute->destroy(this->mutex_pfroute);
-	free(this);
-}
-
-/*
- * Described in header.
- */
-kernel_pfroute_net_t *kernel_pfroute_net_create()
-{
-	private_kernel_pfroute_net_t *this = malloc_thing(private_kernel_pfroute_net_t);
-
-	/* public functions */
-	this->public.interface.get_interface = (char*(*)(kernel_net_t*,host_t*))get_interface_name;
-	this->public.interface.create_address_enumerator = (enumerator_t*(*)(kernel_net_t*,bool,bool))create_address_enumerator;
-	this->public.interface.get_source_addr = (host_t*(*)(kernel_net_t*, host_t *dest, host_t *src))get_source_addr;
-	this->public.interface.get_nexthop = (host_t*(*)(kernel_net_t*, host_t *dest))get_nexthop;
-	this->public.interface.add_ip = (status_t(*)(kernel_net_t*,host_t*,host_t*)) add_ip;
-	this->public.interface.del_ip = (status_t(*)(kernel_net_t*,host_t*)) del_ip;
-	this->public.interface.add_route = (status_t(*)(kernel_net_t*,chunk_t,u_int8_t,host_t*,host_t*,char*)) add_route;
-	this->public.interface.del_route = (status_t(*)(kernel_net_t*,chunk_t,u_int8_t,host_t*,host_t*,char*)) del_route;
-
-	this->public.interface.destroy = (void(*)(kernel_net_t*)) destroy;
-
-	/* private members */
-	this->ifaces = linked_list_create();
-	this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
-	this->mutex_pfroute = mutex_create(MUTEX_TYPE_DEFAULT);
-
-	this->seq = 0;
-	this->socket_events = 0;
-	this->job = NULL;
-
-	/* create a PF_ROUTE socket to communicate with the kernel */
-	this->socket = socket(PF_ROUTE, SOCK_RAW, AF_UNSPEC);
-	if (this->socket < 0)
-	{
-		DBG1(DBG_KNL, "unable to create PF_ROUTE socket");
-		destroy(this);
-		return NULL;
-	}
-
-	/* create a PF_ROUTE socket to receive events */
-	this->socket_events = socket(PF_ROUTE, SOCK_RAW, AF_UNSPEC);
-	if (this->socket_events < 0)
-	{
-		DBG1(DBG_KNL, "unable to create PF_ROUTE event socket");
-		destroy(this);
-		return NULL;
-	}
-
-	this->job = callback_job_create((callback_job_cb_t)receive_events,
-									this, NULL, NULL);
-	charon->processor->queue_job(charon->processor, (job_t*)this->job);
-
-	if (init_address_list(this) != SUCCESS)
-	{
-		DBG1(DBG_KNL, "unable to get interface list");
-		destroy(this);
-		return NULL;
-	}
-
-	return &this->public;
-}
diff --git a/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_net.h b/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_net.h
deleted file mode 100644
index 10c3c9eb7..000000000
--- a/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_net.h
+++ /dev/null
@@ -1,46 +0,0 @@
-/*
- * Copyright (C) 2009 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup kernel_pfroute_net_i kernel_pfroute_net
- * @{ @ingroup kernel_pfroute
- */
-
-#ifndef KERNEL_PFROUTE_NET_H_
-#define KERNEL_PFROUTE_NET_H_
-
-#include <kernel/kernel_net.h>
-
-typedef struct kernel_pfroute_net_t kernel_pfroute_net_t;
-
-/**
- * Implementation of the kernel net interface using PF_ROUTE.
- */
-struct kernel_pfroute_net_t {
-
-	/**
-	 * Implements kernel_net_t interface
-	 */
-	kernel_net_t interface;
-};
-
-/**
- * Create a PF_ROUTE kernel net interface instance.
- *
- * @return			kernel_pfroute_net_t instance
- */
-kernel_pfroute_net_t *kernel_pfroute_net_create();
-
-#endif /** KERNEL_PFROUTE_NET_H_ @}*/
diff --git a/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_plugin.c b/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_plugin.c
deleted file mode 100644
index 97139fb56..000000000
--- a/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_plugin.c
+++ /dev/null
@@ -1,58 +0,0 @@
-/*
- * Copyright (C) 2009 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-
-#include "kernel_pfroute_plugin.h"
-
-#include "kernel_pfroute_net.h"
-
-#include <daemon.h>
-
-typedef struct private_kernel_pfroute_plugin_t private_kernel_pfroute_plugin_t;
-
-/**
- * private data of kernel PF_ROUTE plugin
- */
-struct private_kernel_pfroute_plugin_t {
-	/**
-	 * implements plugin interface
-	 */
-	kernel_pfroute_plugin_t public;
-};
-
-/**
- * Implementation of plugin_t.destroy
- */
-static void destroy(private_kernel_pfroute_plugin_t *this)
-{
-	charon->kernel_interface->remove_net_interface(charon->kernel_interface,
-						(kernel_net_constructor_t)kernel_pfroute_net_create);
-	free(this);
-}
-
-/*
- * see header file
- */
-plugin_t *kernel_pfroute_plugin_create()
-{
-	private_kernel_pfroute_plugin_t *this = malloc_thing(private_kernel_pfroute_plugin_t);
-
-	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-
-	charon->kernel_interface->add_net_interface(charon->kernel_interface,
-						(kernel_net_constructor_t)kernel_pfroute_net_create);
-
-	return &this->public.plugin;
-}
diff --git a/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_plugin.h b/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_plugin.h
deleted file mode 100644
index 50642a572..000000000
--- a/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_plugin.h
+++ /dev/null
@@ -1,42 +0,0 @@
-/*
- * Copyright (C) 2009 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup kernel_pfroute kernel_pfroute
- * @ingroup cplugins
- *
- * @defgroup kernel_pfroute_plugin kernel_pfroute_plugin
- * @{ @ingroup kernel_pfroute
- */
-
-#ifndef KERNEL_PFROUTE_PLUGIN_H_
-#define KERNEL_PFROUTE_PLUGIN_H_
-
-#include <plugins/plugin.h>
-
-typedef struct kernel_pfroute_plugin_t kernel_pfroute_plugin_t;
-
-/**
- * PF_ROUTE kernel interface plugin
- */
-struct kernel_pfroute_plugin_t {
-
-	/**
-	 * implements plugin interface
-	 */
-	plugin_t plugin;
-};
-
-#endif /** KERNEL_PFROUTE_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/led/Makefile.am b/src/libcharon/plugins/led/Makefile.am
new file mode 100644
index 000000000..6428361fc
--- /dev/null
+++ b/src/libcharon/plugins/led/Makefile.am
@@ -0,0 +1,16 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-led.la
+else
+plugin_LTLIBRARIES = libstrongswan-led.la
+endif
+
+libstrongswan_led_la_SOURCES = led_plugin.h led_plugin.c \
+	led_listener.h led_listener.c
+
+libstrongswan_led_la_LDFLAGS = -module -avoid-version
diff --git a/src/libcharon/plugins/led/Makefile.in b/src/libcharon/plugins/led/Makefile.in
new file mode 100644
index 000000000..a4e529d89
--- /dev/null
+++ b/src/libcharon/plugins/led/Makefile.in
@@ -0,0 +1,601 @@
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libcharon/plugins/led
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_led_la_LIBADD =
+am_libstrongswan_led_la_OBJECTS = led_plugin.lo led_listener.lo
+libstrongswan_led_la_OBJECTS = $(am_libstrongswan_led_la_OBJECTS)
+libstrongswan_led_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_led_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_led_la_rpath = -rpath $(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_led_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_led_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_led_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-led.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-led.la
+libstrongswan_led_la_SOURCES = led_plugin.h led_plugin.c \
+	led_listener.h led_listener.c
+
+libstrongswan_led_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/led/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libcharon/plugins/led/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-led.la: $(libstrongswan_led_la_OBJECTS) $(libstrongswan_led_la_DEPENDENCIES) 
+	$(libstrongswan_led_la_LINK) $(am_libstrongswan_led_la_rpath) $(libstrongswan_led_la_OBJECTS) $(libstrongswan_led_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/led_listener.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/led_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libcharon/plugins/led/led_listener.c b/src/libcharon/plugins/led/led_listener.c
new file mode 100644
index 000000000..18def8005
--- /dev/null
+++ b/src/libcharon/plugins/led/led_listener.c
@@ -0,0 +1,241 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "led_listener.h"
+
+#include <errno.h>
+
+#include <daemon.h>
+#include <threading/mutex.h>
+#include <processing/jobs/callback_job.h>
+
+typedef struct private_led_listener_t private_led_listener_t;
+
+/**
+ * Private data of an led_listener_t object.
+ */
+struct private_led_listener_t {
+
+	/**
+	 * Public led_listener_t interface.
+	 */
+	led_listener_t public;
+
+	/**
+	 * Mutex
+	 */
+	mutex_t *mutex;
+
+	/**
+	 * Number of established IKE_SAs
+	 */
+	int count;
+
+	/**
+	 * LED blink on/off time, in ms
+	 */
+	int blink_time;
+
+	/**
+	 * Activity LED fd, if any
+	 */
+	FILE *activity;
+
+	/**
+	 * Activity LED maximum brightness
+	 */
+	int activity_max;
+};
+
+/**
+ * Open a LED brightness control file, get max brightness
+ */
+static FILE *open_led(char *name, int *max_brightness)
+{
+	char path[PATH_MAX];
+	FILE *f;
+
+	if (!name)
+	{
+		return NULL;
+	}
+
+	*max_brightness = 1;
+	snprintf(path, sizeof(path), "/sys/class/leds/%s/max_brightness", name);
+	f = fopen(path, "r");
+	if (f)
+	{
+		if (fscanf(f, "%d\n", max_brightness) != 1)
+		{
+			DBG1(DBG_CFG, "reading max brightness for '%s' failed: %s, using 1",
+				 name, strerror(errno));
+		}
+		fclose(f);
+	}
+	else
+	{
+		DBG1(DBG_CFG, "reading max_brightness for '%s' failed: %s, using 1",
+			 name, strerror(errno));
+	}
+
+	snprintf(path, sizeof(path), "/sys/class/leds/%s/brightness", name);
+	f = fopen(path, "w");
+	if (!f)
+	{
+		DBG1(DBG_CFG, "opening LED file '%s' failed: %s", path, strerror(errno));
+	}
+	return f;
+}
+
+/**
+ * Set a LED to a given brightness
+ */
+static void set_led(FILE *led, int brightness)
+{
+	if (led)
+	{
+		if (fprintf(led, "%d\n", brightness) <= 0 ||
+			fflush(led) != 0)
+		{
+			DBG1(DBG_CFG, "setting LED brightness failed: %s", strerror(errno));
+		}
+	}
+}
+
+/**
+ * Plugin unloaded?
+ */
+static bool plugin_gone = FALSE;
+
+/**
+ * Reset activity LED after timeout
+ */
+static job_requeue_t reset_activity_led(private_led_listener_t *this)
+{
+	if (!plugin_gone)
+	{	/* TODO: fix race */
+		this->mutex->lock(this->mutex);
+		if (this->count)
+		{
+			set_led(this->activity, this->activity_max);
+		}
+		else
+		{
+			set_led(this->activity, 0);
+		}
+		this->mutex->unlock(this->mutex);
+	}
+	return JOB_REQUEUE_NONE;
+}
+
+/**
+ * Blink the activity LED
+ */
+static void blink_activity(private_led_listener_t *this)
+{
+	if (this->activity)
+	{
+		this->mutex->lock(this->mutex);
+		if (this->count)
+		{
+			set_led(this->activity, 0);
+		}
+		else
+		{
+			set_led(this->activity, this->activity_max);
+		}
+		lib->scheduler->schedule_job_ms(lib->scheduler,
+			(job_t*)callback_job_create((callback_job_cb_t)reset_activity_led,
+										this, NULL, NULL), this->blink_time);
+		this->mutex->unlock(this->mutex);
+	}
+}
+
+METHOD(listener_t, ike_state_change, bool,
+	private_led_listener_t *this, ike_sa_t *ike_sa, ike_sa_state_t state)
+{
+	this->mutex->lock(this->mutex);
+	if (state == IKE_ESTABLISHED && ike_sa->get_state(ike_sa) != IKE_ESTABLISHED)
+	{
+		this->count++;
+		if (this->count == 1)
+		{
+			set_led(this->activity, this->activity_max);
+		}
+	}
+	if (ike_sa->get_state(ike_sa) == IKE_ESTABLISHED && state != IKE_ESTABLISHED)
+	{
+		this->count--;
+		if (this->count == 0)
+		{
+			set_led(this->activity, 0);
+		}
+	}
+	this->mutex->unlock(this->mutex);
+	return TRUE;
+}
+
+METHOD(listener_t, message_hook, bool,
+	private_led_listener_t *this, ike_sa_t *ike_sa,
+	message_t *message, bool incoming)
+{
+	if (incoming || message->get_request(message))
+	{
+		blink_activity(this);
+	}
+	return TRUE;
+}
+
+METHOD(led_listener_t, destroy, void,
+	private_led_listener_t *this)
+{
+	this->mutex->lock(this->mutex);
+	set_led(this->activity, 0);
+	plugin_gone = TRUE;
+	this->mutex->unlock(this->mutex);
+	if (this->activity)
+	{
+		fclose(this->activity);
+	}
+	this->mutex->destroy(this->mutex);
+	free(this);
+}
+
+/**
+ * See header
+ */
+led_listener_t *led_listener_create()
+{
+	private_led_listener_t *this;
+
+	INIT(this,
+		.public = {
+			.listener = {
+				.ike_state_change = _ike_state_change,
+				.message = _message_hook,
+			},
+			.destroy = _destroy,
+		},
+		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+		.blink_time = lib->settings->get_int(lib->settings,
+				"charon.plugins.led.blink_time", 50),
+	);
+
+	this->activity = open_led(lib->settings->get_str(lib->settings,
+				"charon.plugins.led.activity_led", NULL), &this->activity_max);
+	set_led(this->activity, 0);
+
+	return &this->public;
+}
diff --git a/src/libcharon/plugins/led/led_listener.h b/src/libcharon/plugins/led/led_listener.h
new file mode 100644
index 000000000..05ae28275
--- /dev/null
+++ b/src/libcharon/plugins/led/led_listener.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup led_listener led_listener
+ * @{ @ingroup led
+ */
+
+#ifndef LED_LISTENER_H_
+#define LED_LISTENER_H_
+
+#include <bus/listeners/listener.h>
+
+typedef struct led_listener_t led_listener_t;
+
+/**
+ * Listener that controls LEDs based on IKEv2 activity/state.
+ */
+struct led_listener_t {
+
+	/**
+	 * Implements listener_t interface.
+	 */
+	listener_t listener;
+
+	/**
+	 * Destroy a led_listener_t.
+	 */
+	void (*destroy)(led_listener_t *this);
+};
+
+/**
+ * Create a led_listener instance.
+ */
+led_listener_t *led_listener_create();
+
+#endif /** LED_LISTENER_H_ @}*/
diff --git a/src/libcharon/plugins/led/led_plugin.c b/src/libcharon/plugins/led/led_plugin.c
new file mode 100644
index 000000000..322d198ff
--- /dev/null
+++ b/src/libcharon/plugins/led/led_plugin.c
@@ -0,0 +1,67 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "led_plugin.h"
+
+#include "led_listener.h"
+
+#include <daemon.h>
+
+typedef struct private_led_plugin_t private_led_plugin_t;
+
+/**
+ * private data of led plugin
+ */
+struct private_led_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	led_plugin_t public;
+
+	/**
+	 * Listener controlling LEDs
+	 */
+	led_listener_t *listener;
+};
+
+METHOD(plugin_t, destroy, void,
+	private_led_plugin_t *this)
+{
+	charon->bus->remove_listener(charon->bus, &this->listener->listener);
+	this->listener->destroy(this->listener);
+	free(this);
+}
+
+/**
+ * Plugin constructor
+ */
+plugin_t *led_plugin_create()
+{
+	private_led_plugin_t *this;
+
+	INIT(this,
+		.public = {
+			.plugin = {
+				.destroy = _destroy,
+			},
+		},
+		.listener = led_listener_create(),
+	);
+
+	charon->bus->add_listener(charon->bus, &this->listener->listener);
+
+	return &this->public.plugin;
+}
diff --git a/src/libcharon/plugins/led/led_plugin.h b/src/libcharon/plugins/led/led_plugin.h
new file mode 100644
index 000000000..a7449addd
--- /dev/null
+++ b/src/libcharon/plugins/led/led_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup led led
+ * @ingroup cplugins
+ *
+ * @defgroup led_plugin led_plugin
+ * @{ @ingroup led
+ */
+
+#ifndef LED_PLUGIN_H_
+#define LED_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct led_plugin_t led_plugin_t;
+
+/**
+ * Linux LED control based on IKE activity/state.
+ */
+struct led_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+#endif /** LED_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/load_tester/Makefile.in b/src/libcharon/plugins/load_tester/Makefile.in
index d049bb41b..85db9a10b 100644
--- a/src/libcharon/plugins/load_tester/Makefile.in
+++ b/src/libcharon/plugins/load_tester/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -170,6 +171,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -201,14 +204,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -223,24 +229,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -248,7 +261,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libcharon/plugins/load_tester/load_tester_ipsec.c b/src/libcharon/plugins/load_tester/load_tester_ipsec.c
index 43c0ef009..aece95e12 100644
--- a/src/libcharon/plugins/load_tester/load_tester_ipsec.c
+++ b/src/libcharon/plugins/load_tester/load_tester_ipsec.c
@@ -36,7 +36,7 @@ struct private_load_tester_ipsec_t {
 
 METHOD(kernel_ipsec_t, get_spi, status_t,
 	   private_load_tester_ipsec_t *this, host_t *src, host_t *dst,
-	   protocol_id_t protocol, u_int32_t reqid, u_int32_t *spi)
+	   u_int8_t protocol, u_int32_t reqid, u_int32_t *spi)
 {
 	*spi = ++this->spi;
 	return SUCCESS;
@@ -51,7 +51,7 @@ METHOD(kernel_ipsec_t, get_cpi, status_t,
 
 METHOD(kernel_ipsec_t, add_sa, status_t,
 	   private_load_tester_ipsec_t *this, host_t *src, host_t *dst,
-	   u_int32_t spi, protocol_id_t protocol, u_int32_t reqid, mark_t mark,
+	   u_int32_t spi, u_int8_t protocol, u_int32_t reqid, mark_t mark,
 	   lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
 	   u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp,
 	   u_int16_t cpi, bool encap, bool inbound, traffic_selector_t *src_ts,
@@ -61,7 +61,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 }
 
 METHOD(kernel_ipsec_t, update_sa, status_t,
-	   private_load_tester_ipsec_t *this, u_int32_t spi, protocol_id_t protocol,
+	   private_load_tester_ipsec_t *this, u_int32_t spi, u_int8_t protocol,
 	   u_int16_t cpi, host_t *src, host_t *dst, host_t *new_src,
 	   host_t *new_dst, bool encap, bool new_encap, mark_t mark)
 {
@@ -70,14 +70,14 @@ METHOD(kernel_ipsec_t, update_sa, status_t,
 
 METHOD(kernel_ipsec_t, query_sa, status_t,
 	   private_load_tester_ipsec_t *this, host_t *src, host_t *dst,
-	   u_int32_t spi, protocol_id_t protocol, mark_t mark, u_int64_t *bytes)
+	   u_int32_t spi, u_int8_t protocol, mark_t mark, u_int64_t *bytes)
 {
 	return NOT_SUPPORTED;
 }
 
 METHOD(kernel_ipsec_t, del_sa, status_t,
 	   private_load_tester_ipsec_t *this, host_t *src, host_t *dst,
-	   u_int32_t spi, protocol_id_t protocol, u_int16_t cpi, mark_t mark)
+	   u_int32_t spi, u_int8_t protocol, u_int16_t cpi, mark_t mark)
 {
 	return SUCCESS;
 }
@@ -85,9 +85,8 @@ METHOD(kernel_ipsec_t, del_sa, status_t,
 METHOD(kernel_ipsec_t, add_policy, status_t,
 	   private_load_tester_ipsec_t *this, host_t *src, host_t *dst,
 	   traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
-	   policy_dir_t direction, u_int32_t spi, protocol_id_t protocol,
-	   u_int32_t reqid, mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp,
-	   u_int16_t cpi, bool routed)
+	   policy_dir_t direction, policy_type_t type, ipsec_sa_cfg_t *sa,
+	   mark_t mark, bool routed)
 {
 	return SUCCESS;
 }
diff --git a/src/libcharon/plugins/load_tester/load_tester_listener.c b/src/libcharon/plugins/load_tester/load_tester_listener.c
index 96b0cf1ec..cf6dd0562 100644
--- a/src/libcharon/plugins/load_tester/load_tester_listener.c
+++ b/src/libcharon/plugins/load_tester/load_tester_listener.c
@@ -59,7 +59,7 @@ static bool ike_state_change(private_load_tester_listener_t *this,
 
 		if (this->delete_after_established)
 		{
-			charon->processor->queue_job(charon->processor,
+			lib->processor->queue_job(lib->processor,
 									(job_t*)delete_ike_sa_job_create(id, TRUE));
 		}
 
diff --git a/src/libcharon/plugins/load_tester/load_tester_plugin.c b/src/libcharon/plugins/load_tester/load_tester_plugin.c
index 15dbccb00..cb9b80c7f 100644
--- a/src/libcharon/plugins/load_tester/load_tester_plugin.c
+++ b/src/libcharon/plugins/load_tester/load_tester_plugin.c
@@ -22,6 +22,7 @@
 
 #include <unistd.h>
 
+#include <hydra.h>
 #include <daemon.h>
 #include <processing/jobs/callback_job.h>
 #include <threading/condvar.h>
@@ -155,7 +156,7 @@ static void destroy(private_load_tester_plugin_t *this)
 		this->condvar->wait(this->condvar, this->mutex);
 	}
 	this->mutex->unlock(this->mutex);
-	charon->kernel_interface->remove_ipsec_interface(charon->kernel_interface,
+	hydra->kernel_interface->remove_ipsec_interface(hydra->kernel_interface,
 						(kernel_ipsec_constructor_t)load_tester_ipsec_create);
 	charon->backends->remove_backend(charon->backends, &this->config->backend);
 	lib->credmgr->remove_set(lib->credmgr, &this->creds->credential_set);
@@ -215,13 +216,13 @@ plugin_t *load_tester_plugin_create()
 	if (lib->settings->get_bool(lib->settings,
 					"charon.plugins.load-tester.fake_kernel", FALSE))
 	{
-		charon->kernel_interface->add_ipsec_interface(charon->kernel_interface,
+		hydra->kernel_interface->add_ipsec_interface(hydra->kernel_interface,
 						(kernel_ipsec_constructor_t)load_tester_ipsec_create);
 	}
 	this->running = 0;
 	for (i = 0; i < this->initiators; i++)
 	{
-		charon->processor->queue_job(charon->processor,
+		lib->processor->queue_job(lib->processor,
 					(job_t*)callback_job_create((callback_job_cb_t)do_load_test,
 												this, NULL, NULL));
 	}
diff --git a/src/libcharon/plugins/maemo/Makefile.am b/src/libcharon/plugins/maemo/Makefile.am
new file mode 100644
index 000000000..ed6c76c0f
--- /dev/null
+++ b/src/libcharon/plugins/maemo/Makefile.am
@@ -0,0 +1,23 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon ${maemo_CFLAGS}
+
+AM_CFLAGS = -rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-maemo.la
+else
+plugin_LTLIBRARIES = libstrongswan-maemo.la
+endif
+
+libstrongswan_maemo_la_SOURCES = \
+	maemo_plugin.h maemo_plugin.c \
+	maemo_service.h maemo_service.c
+
+libstrongswan_maemo_la_LDFLAGS = -module -avoid-version
+libstrongswan_maemo_la_LIBADD  = ${maemo_LIBS}
+
+dbusservice_DATA = org.strongswan.charon.service
+
+EXTRA_DIST = $(dbusservice_DATA)
+
diff --git a/src/libcharon/plugins/maemo/Makefile.in b/src/libcharon/plugins/maemo/Makefile.in
new file mode 100644
index 000000000..978950d22
--- /dev/null
+++ b/src/libcharon/plugins/maemo/Makefile.in
@@ -0,0 +1,631 @@
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libcharon/plugins/maemo
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(plugindir)" \
+	"$(DESTDIR)$(dbusservicedir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+am__DEPENDENCIES_1 =
+libstrongswan_maemo_la_DEPENDENCIES = $(am__DEPENDENCIES_1)
+am_libstrongswan_maemo_la_OBJECTS = maemo_plugin.lo maemo_service.lo
+libstrongswan_maemo_la_OBJECTS = $(am_libstrongswan_maemo_la_OBJECTS)
+libstrongswan_maemo_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_maemo_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_maemo_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_maemo_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_maemo_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_maemo_la_SOURCES)
+DATA = $(dbusservice_DATA)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon ${maemo_CFLAGS}
+
+AM_CFLAGS = -rdynamic
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-maemo.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-maemo.la
+libstrongswan_maemo_la_SOURCES = \
+	maemo_plugin.h maemo_plugin.c \
+	maemo_service.h maemo_service.c
+
+libstrongswan_maemo_la_LDFLAGS = -module -avoid-version
+libstrongswan_maemo_la_LIBADD = ${maemo_LIBS}
+dbusservice_DATA = org.strongswan.charon.service
+EXTRA_DIST = $(dbusservice_DATA)
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/maemo/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libcharon/plugins/maemo/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-maemo.la: $(libstrongswan_maemo_la_OBJECTS) $(libstrongswan_maemo_la_DEPENDENCIES) 
+	$(libstrongswan_maemo_la_LINK) $(am_libstrongswan_maemo_la_rpath) $(libstrongswan_maemo_la_OBJECTS) $(libstrongswan_maemo_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/maemo_plugin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/maemo_service.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+install-dbusserviceDATA: $(dbusservice_DATA)
+	@$(NORMAL_INSTALL)
+	test -z "$(dbusservicedir)" || $(MKDIR_P) "$(DESTDIR)$(dbusservicedir)"
+	@list='$(dbusservice_DATA)'; test -n "$(dbusservicedir)" || list=; \
+	for p in $$list; do \
+	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
+	  echo "$$d$$p"; \
+	done | $(am__base_list) | \
+	while read files; do \
+	  echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(dbusservicedir)'"; \
+	  $(INSTALL_DATA) $$files "$(DESTDIR)$(dbusservicedir)" || exit $$?; \
+	done
+
+uninstall-dbusserviceDATA:
+	@$(NORMAL_UNINSTALL)
+	@list='$(dbusservice_DATA)'; test -n "$(dbusservicedir)" || list=; \
+	files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
+	test -n "$$files" || exit 0; \
+	echo " ( cd '$(DESTDIR)$(dbusservicedir)' && rm -f" $$files ")"; \
+	cd "$(DESTDIR)$(dbusservicedir)" && rm -f $$files
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES) $(DATA)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)" "$(DESTDIR)$(dbusservicedir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-dbusserviceDATA install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-dbusserviceDATA uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dbusserviceDATA install-dvi \
+	install-dvi-am install-exec install-exec-am install-html \
+	install-html-am install-info install-info-am install-man \
+	install-pdf install-pdf-am install-pluginLTLIBRARIES \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags uninstall uninstall-am uninstall-dbusserviceDATA \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libcharon/plugins/maemo/maemo_plugin.c b/src/libcharon/plugins/maemo/maemo_plugin.c
new file mode 100644
index 000000000..d4549f43a
--- /dev/null
+++ b/src/libcharon/plugins/maemo/maemo_plugin.c
@@ -0,0 +1,70 @@
+/*
+ * Copyright (C) 2010 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "maemo_plugin.h"
+#include "maemo_service.h"
+
+#include <daemon.h>
+
+typedef struct private_maemo_plugin_t private_maemo_plugin_t;
+
+/**
+ * private data of maemo plugin
+ */
+struct private_maemo_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	maemo_plugin_t public;
+
+	/**
+	 * service
+	 */
+	maemo_service_t *service;
+
+};
+
+METHOD(plugin_t, destroy, void,
+	   private_maemo_plugin_t *this)
+{
+	this->service->destroy(this->service);
+	free(this);
+}
+
+/*
+ * See header
+ */
+plugin_t *maemo_plugin_create()
+{
+	private_maemo_plugin_t *this;
+
+	INIT(this,
+		.public = {
+			.plugin = {
+				.destroy = _destroy,
+			},
+		},
+	);
+
+	this->service = maemo_service_create();
+	if (!this->service)
+	{
+		return NULL;
+	}
+
+	return &this->public.plugin;
+}
+
diff --git a/src/libcharon/plugins/maemo/maemo_plugin.h b/src/libcharon/plugins/maemo/maemo_plugin.h
new file mode 100644
index 000000000..23d139b49
--- /dev/null
+++ b/src/libcharon/plugins/maemo/maemo_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2010 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup maemo maemo
+ * @ingroup cplugins
+ *
+ * @defgroup maemo_plugin maemo_plugin
+ * @{ @ingroup maemo
+ */
+
+#ifndef MAEMO_PLUGIN_H_
+#define MAEMO_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct maemo_plugin_t maemo_plugin_t;
+
+/**
+ * Maemo integration plugin.
+ */
+struct maemo_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+#endif /** MAEMO_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/maemo/maemo_service.c b/src/libcharon/plugins/maemo/maemo_service.c
new file mode 100644
index 000000000..efd914a00
--- /dev/null
+++ b/src/libcharon/plugins/maemo/maemo_service.c
@@ -0,0 +1,510 @@
+/*
+ * Copyright (C) 2010 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <glib.h>
+#include <libosso.h>
+#include <sys/stat.h>
+
+#include "maemo_service.h"
+
+#include <daemon.h>
+#include <credentials/sets/mem_cred.h>
+#include <processing/jobs/callback_job.h>
+
+#define OSSO_STATUS_NAME	"status"
+#define OSSO_STATUS_SERVICE	"org.strongswan."OSSO_STATUS_NAME
+#define OSSO_STATUS_OBJECT	"/org/strongswan/"OSSO_STATUS_NAME
+#define OSSO_STATUS_IFACE	"org.strongswan."OSSO_STATUS_NAME
+
+#define OSSO_CHARON_NAME	"charon"
+#define OSSO_CHARON_SERVICE	"org.strongswan."OSSO_CHARON_NAME
+#define OSSO_CHARON_OBJECT	"/org/strongswan/"OSSO_CHARON_NAME
+#define OSSO_CHARON_IFACE	"org.strongswan."OSSO_CHARON_NAME
+
+#define MAEMO_COMMON_CA_DIR	"/etc/certs/common-ca"
+#define MAEMO_USER_CA_DIR	"/home/user/.maemosec-certs/wifi-ca"
+/* there is also an smime-ca and an ssl-ca sub-directory and the same for
+ * ...-user, which store end user/server certificates */
+
+typedef enum {
+	VPN_STATUS_DISCONNECTED,
+	VPN_STATUS_CONNECTING,
+	VPN_STATUS_CONNECTED,
+	VPN_STATUS_AUTH_FAILED,
+	VPN_STATUS_CONNECTION_FAILED,
+} vpn_status_t;
+
+typedef struct private_maemo_service_t private_maemo_service_t;
+
+/**
+ * private data of maemo service
+ */
+struct private_maemo_service_t {
+
+	/**
+	 * public interface
+	 */
+	maemo_service_t public;
+
+	/**
+	 * credentials
+	 */
+	mem_cred_t *creds;
+
+	/**
+	 * Glib main loop for a thread, handles DBUS calls
+	 */
+	GMainLoop *loop;
+
+	/**
+	 * Context for OSSO
+	 */
+	osso_context_t *context;
+
+	/**
+	 * Current IKE_SA
+	 */
+	ike_sa_t *ike_sa;
+
+	/**
+	 * Status of the current connection
+	 */
+	vpn_status_t status;
+
+	/**
+	 * Name of the current connection
+	 */
+	gchar *current;
+
+};
+
+static gint change_status(private_maemo_service_t *this, int status)
+{
+	osso_rpc_t retval;
+	gint res;
+	this->status = status;
+	res = osso_rpc_run (this->context, OSSO_STATUS_SERVICE, OSSO_STATUS_OBJECT,
+						OSSO_STATUS_IFACE, "StatusChanged", &retval,
+						DBUS_TYPE_INT32, status,
+						DBUS_TYPE_INVALID);
+	return res;
+}
+
+METHOD(listener_t, ike_updown, bool,
+	   private_maemo_service_t *this, ike_sa_t *ike_sa, bool up)
+{
+	/* this callback is only registered during initiation, so if the IKE_SA
+	 * goes down we assume an authentication error */
+	if (this->ike_sa == ike_sa && !up)
+	{
+		change_status(this, VPN_STATUS_AUTH_FAILED);
+		return FALSE;
+	}
+	return TRUE;
+}
+
+METHOD(listener_t, child_state_change, bool,
+	   private_maemo_service_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa,
+	   child_sa_state_t state)
+{
+	/* this call back is only registered during initiation */
+	if (this->ike_sa == ike_sa && state == CHILD_DESTROYING)
+	{
+		change_status(this, VPN_STATUS_CONNECTION_FAILED);
+		return FALSE;
+	}
+	return TRUE;
+}
+
+METHOD(listener_t, child_updown, bool,
+	   private_maemo_service_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa,
+	   bool up)
+{
+	if (this->ike_sa == ike_sa)
+	{
+		if (up)
+		{
+			/* disable hooks registered to catch initiation failures */
+			this->public.listener.ike_updown = NULL;
+			this->public.listener.child_state_change = NULL;
+			change_status(this, VPN_STATUS_CONNECTED);
+		}
+		else
+		{
+			change_status(this, VPN_STATUS_CONNECTION_FAILED);
+			return FALSE;
+		}
+	}
+	return TRUE;
+}
+
+METHOD(listener_t, ike_rekey, bool,
+	   private_maemo_service_t *this, ike_sa_t *old, ike_sa_t *new)
+{
+	if (this->ike_sa == old)
+	{
+		this->ike_sa = new;
+	}
+	return TRUE;
+}
+
+/**
+ * load all CA certificates in the given directory
+ */
+static void load_ca_dir(private_maemo_service_t *this, char *dir)
+{
+	enumerator_t *enumerator;
+	char *rel, *abs;
+	struct stat st;
+
+	enumerator = enumerator_create_directory(dir);
+	if (enumerator)
+	{
+		while (enumerator->enumerate(enumerator, &rel, &abs, &st))
+		{
+			if (rel[0] != '.')
+			{
+				if (S_ISREG(st.st_mode))
+				{
+					certificate_t *cert;
+					cert = lib->creds->create(lib->creds, CRED_CERTIFICATE,
+											  CERT_X509, BUILD_FROM_FILE, abs,
+											  BUILD_END);
+					if (!cert)
+					{
+						DBG1(DBG_CFG, "loading CA certificate '%s' failed",
+							 abs);
+						continue;
+					}
+					DBG2(DBG_CFG, "loaded CA certificate '%Y'",
+						 cert->get_subject(cert));
+					this->creds->add_cert(this->creds, TRUE, cert);
+				}
+			}
+		}
+		enumerator->destroy(enumerator);
+	}
+}
+
+static void disconnect(private_maemo_service_t *this)
+{
+	ike_sa_t *ike_sa;
+	u_int id;
+
+	if (!this->current)
+	{
+		return;
+	}
+
+	/* avoid status updates, as this is called from the Glib main loop */
+	charon->bus->remove_listener(charon->bus, &this->public.listener);
+
+	ike_sa = charon->ike_sa_manager->checkout_by_name(charon->ike_sa_manager,
+													  this->current, FALSE);
+	if (ike_sa)
+	{
+		id = ike_sa->get_unique_id(ike_sa);
+		charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+		charon->controller->terminate_ike(charon->controller, id,
+										  NULL, NULL);
+	}
+	this->current = (g_free(this->current), NULL);
+	this->status = VPN_STATUS_DISCONNECTED;
+}
+
+static gboolean initiate_connection(private_maemo_service_t *this,
+									GArray *arguments)
+{
+	gint i;
+	gchar *hostname = NULL, *cacert = NULL, *username = NULL, *password = NULL;
+	identification_t *gateway = NULL, *user = NULL;
+	ike_sa_t *ike_sa;
+	ike_cfg_t *ike_cfg;
+	peer_cfg_t *peer_cfg;
+	child_cfg_t *child_cfg;
+	traffic_selector_t *ts;
+	auth_cfg_t *auth;
+	certificate_t *cert;
+	lifetime_cfg_t lifetime = {
+		.time = {
+			.life = 10800, /* 3h */
+			.rekey = 10200, /* 2h50min */
+			.jitter = 300 /* 5min */
+		}
+	};
+
+	if (this->status == VPN_STATUS_CONNECTED ||
+		this->status == VPN_STATUS_CONNECTING)
+	{
+		DBG1(DBG_CFG, "currently connected to '%s', disconnecting first",
+			 this->current);
+		disconnect (this);
+	}
+
+	if (arguments->len != 5)
+	{
+		DBG1(DBG_CFG, "wrong number of arguments: %d", arguments->len);
+		return FALSE;
+	}
+
+	for (i = 0; i < arguments->len; i++)
+	{
+		osso_rpc_t *arg = &g_array_index(arguments, osso_rpc_t, i);
+		if (arg->type != DBUS_TYPE_STRING)
+		{
+			DBG1(DBG_CFG, "invalid argument [%d]: %d", i, arg->type);
+			return FALSE;
+		}
+		switch (i)
+		{
+			case 0: /* name */
+				this->current = (g_free(this->current), NULL);
+				this->current = g_strdup(arg->value.s);
+				break;
+			case 1: /* hostname */
+				hostname = arg->value.s;
+				break;
+			case 2: /* CA certificate path */
+				cacert = arg->value.s;
+				break;
+			case 3: /* username */
+				username = arg->value.s;
+				break;
+			case 4: /* password */
+				password = arg->value.s;
+				break;
+		}
+	}
+
+	DBG1(DBG_CFG, "received initiate for connection '%s'", this->current);
+
+	this->creds->clear(this->creds);
+
+	if (cacert && !streq(cacert, ""))
+	{
+		cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+								  BUILD_FROM_FILE, cacert, BUILD_END);
+		if (cert)
+		{
+			this->creds->add_cert(this->creds, TRUE, cert);
+		}
+		else
+		{
+			DBG1(DBG_CFG, "failed to load CA certificate");
+		}
+		/* if this is a server cert we could use the cert subject as id */
+	}
+	else
+	{
+		load_ca_dir(this, MAEMO_COMMON_CA_DIR);
+		load_ca_dir(this, MAEMO_USER_CA_DIR);
+	}
+
+	gateway = identification_create_from_string(hostname);
+	DBG1(DBG_CFG, "using CA certificate, gateway identitiy '%Y'", gateway);
+
+	{
+		shared_key_t *shared_key;
+		chunk_t secret = chunk_create(password, strlen(password));
+		user = identification_create_from_string(username);
+		shared_key = shared_key_create(SHARED_EAP, chunk_clone(secret));
+		this->creds->add_shared(this->creds, shared_key, user->clone(user),
+								NULL);
+	}
+
+	ike_cfg = ike_cfg_create(TRUE, FALSE, "0.0.0.0", IKEV2_UDP_PORT,
+							 hostname, IKEV2_UDP_PORT);
+	ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
+
+	peer_cfg = peer_cfg_create(this->current, 2, ike_cfg, CERT_SEND_IF_ASKED,
+							   UNIQUE_REPLACE, 1, /* keyingtries */
+							   36000, 0, /* rekey 10h, reauth none */
+							   600, 600, /* jitter, over 10min */
+							   TRUE, 0, /* mobike, DPD */
+							   host_create_from_string("0.0.0.0", 0) /* virt */,
+							   NULL, FALSE, NULL, NULL); /* pool, mediation */
+
+	auth = auth_cfg_create();
+	auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_EAP);
+	auth->add(auth, AUTH_RULE_IDENTITY, user);
+	peer_cfg->add_auth_cfg(peer_cfg, auth, TRUE);
+	auth = auth_cfg_create();
+	auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
+	auth->add(auth, AUTH_RULE_IDENTITY, gateway);
+	peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);
+
+	child_cfg = child_cfg_create(this->current, &lifetime, NULL /* updown */,
+								 TRUE, MODE_TUNNEL, ACTION_NONE, ACTION_NONE,
+								 FALSE, 0, 0, NULL, NULL);
+	child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
+	ts = traffic_selector_create_dynamic(0, 0, 65535);
+	child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
+	ts = traffic_selector_create_from_string(0, TS_IPV4_ADDR_RANGE, "0.0.0.0",
+											 0, "255.255.255.255", 65535);
+	child_cfg->add_traffic_selector(child_cfg, FALSE, ts);
+	peer_cfg->add_child_cfg(peer_cfg, child_cfg);
+	/* get an additional reference because initiate consumes one */
+	child_cfg->get_ref(child_cfg);
+
+	/* get us an IKE_SA */
+	ike_sa = charon->ike_sa_manager->checkout_by_config(charon->ike_sa_manager,
+														peer_cfg);
+	if (!ike_sa->get_peer_cfg(ike_sa))
+	{
+		ike_sa->set_peer_cfg(ike_sa, peer_cfg);
+	}
+	peer_cfg->destroy(peer_cfg);
+
+	/* store the IKE_SA, so we can track its progress */
+	this->ike_sa = ike_sa;
+	this->status = VPN_STATUS_CONNECTING;
+	this->public.listener.ike_updown = _ike_updown;
+	this->public.listener.child_state_change = _child_state_change;
+	charon->bus->add_listener(charon->bus, &this->public.listener);
+
+	if (ike_sa->initiate(ike_sa, child_cfg, 0, NULL, NULL) != SUCCESS)
+	{
+		DBG1(DBG_CFG, "failed to initiate tunnel");
+		charon->bus->remove_listener(charon->bus, &this->public.listener);
+		charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager,
+													ike_sa);
+		this->status = VPN_STATUS_CONNECTION_FAILED;
+		return FALSE;
+	}
+	charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+	return TRUE;
+}
+
+/**
+ * Callback for libosso dbus wrapper
+ */
+static gint dbus_req_handler(const gchar *interface, const gchar *method,
+							 GArray *arguments, private_maemo_service_t *this,
+							 osso_rpc_t *retval)
+{
+	if (streq(method, "Start"))
+	{	/* void start (void), dummy function to start charon as root */
+		return OSSO_OK;
+	}
+	else if (streq(method, "Connect"))
+	{	/* bool connect (name, host, cert, user, pass) */
+		retval->value.b = initiate_connection(this, arguments);
+		retval->type = DBUS_TYPE_BOOLEAN;
+	}
+	else if (streq(method, "Disconnect"))
+	{	/* void disconnect (void) */
+		disconnect(this);
+	}
+	else
+	{
+		return OSSO_ERROR;
+	}
+	return OSSO_OK;
+}
+
+/**
+ * Main loop to handle D-BUS messages.
+ */
+static job_requeue_t run(private_maemo_service_t *this)
+{
+	this->loop = g_main_loop_new(NULL, FALSE);
+	g_main_loop_run(this->loop);
+	return JOB_REQUEUE_NONE;
+}
+
+METHOD(maemo_service_t, destroy, void,
+	   private_maemo_service_t *this)
+{
+	if (this->loop)
+	{
+		if (g_main_loop_is_running(this->loop))
+		{
+			g_main_loop_quit(this->loop);
+		}
+		g_main_loop_unref(this->loop);
+	}
+	if (this->context)
+	{
+		osso_rpc_unset_cb_f(this->context,
+							OSSO_CHARON_SERVICE,
+							OSSO_CHARON_OBJECT,
+							OSSO_CHARON_IFACE,
+							(osso_rpc_cb_f*)dbus_req_handler,
+							this);
+		osso_deinitialize(this->context);
+	}
+	charon->bus->remove_listener(charon->bus, &this->public.listener);
+	lib->credmgr->remove_set(lib->credmgr, &this->creds->set);
+	this->creds->destroy(this->creds);
+	this->current = (g_free(this->current), NULL);
+	free(this);
+}
+
+/*
+ * See header
+ */
+maemo_service_t *maemo_service_create()
+{
+	osso_return_t result;
+	private_maemo_service_t *this;
+
+	INIT(this,
+		.public = {
+			.listener = {
+				.ike_updown = _ike_updown,
+				.child_state_change = _child_state_change,
+				.child_updown = _child_updown,
+				.ike_rekey = _ike_rekey,
+			},
+			.destroy = _destroy,
+		},
+		.creds = mem_cred_create(),
+	);
+
+	lib->credmgr->add_set(lib->credmgr, &this->creds->set);
+
+	this->context = osso_initialize(OSSO_CHARON_SERVICE, "0.0.1", TRUE, NULL);
+	if (!this->context)
+	{
+		DBG1(DBG_CFG, "failed to initialize OSSO context");
+		destroy(this);
+		return NULL;
+	}
+
+	result = osso_rpc_set_cb_f(this->context,
+							   OSSO_CHARON_SERVICE,
+							   OSSO_CHARON_OBJECT,
+							   OSSO_CHARON_IFACE,
+							   (osso_rpc_cb_f*)dbus_req_handler,
+							   this);
+	if (result != OSSO_OK)
+	{
+		DBG1(DBG_CFG, "failed to set D-BUS callback (%d)", result);
+		destroy(this);
+		return NULL;
+	}
+
+	this->loop = NULL;
+	if (!g_thread_supported())
+	{
+		g_thread_init(NULL);
+	}
+
+	lib->processor->queue_job(lib->processor,
+		(job_t*)callback_job_create((callback_job_cb_t)run, this, NULL, NULL));
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/plugins/maemo/maemo_service.h b/src/libcharon/plugins/maemo/maemo_service.h
new file mode 100644
index 000000000..b0240cbaa
--- /dev/null
+++ b/src/libcharon/plugins/maemo/maemo_service.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2010 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup maemo_service maemo_service
+ * @{ @ingroup maemo
+ */
+
+#ifndef MAEMO_SERVICE_H_
+#define MAEMO_SERVICE_H_
+
+#include <bus/listeners/listener.h>
+
+typedef struct maemo_service_t maemo_service_t;
+
+/**
+ * Maemo connection management.
+ */
+struct maemo_service_t {
+
+	/**
+	 * Implements listener_t.
+	 */
+	listener_t listener;
+
+	/**
+	 * Destroy a maemo_service_t.
+	 */
+	void (*destroy)(maemo_service_t *this);
+};
+
+/**
+ * Create an instance of maemo_service_t.
+ */
+maemo_service_t *maemo_service_create();
+
+#endif /** MAEMO_SERVICE_H_ @}*/
diff --git a/src/libcharon/plugins/maemo/org.strongswan.charon.service b/src/libcharon/plugins/maemo/org.strongswan.charon.service
new file mode 100644
index 000000000..7dd31ed60
--- /dev/null
+++ b/src/libcharon/plugins/maemo/org.strongswan.charon.service
@@ -0,0 +1,4 @@
+[D-BUS Service]
+Name=org.strongswan.charon
+Exec=/usr/bin/run-standalone.sh /usr/libexec/ipsec/charon
+User=root
diff --git a/src/libcharon/plugins/medcli/Makefile.in b/src/libcharon/plugins/medcli/Makefile.in
index c26d325a9..6dcbc99dd 100644
--- a/src/libcharon/plugins/medcli/Makefile.in
+++ b/src/libcharon/plugins/medcli/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -167,6 +168,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -198,14 +201,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -220,24 +226,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -245,7 +258,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libcharon/plugins/medcli/medcli_config.c b/src/libcharon/plugins/medcli/medcli_config.c
index 6cbaf36f2..870d87c7e 100644
--- a/src/libcharon/plugins/medcli/medcli_config.c
+++ b/src/libcharon/plugins/medcli/medcli_config.c
@@ -126,11 +126,11 @@ static peer_cfg_t *get_peer_cfg_by_name(private_medcli_config_t *this, char *nam
 	med_cfg = peer_cfg_create(
 		"mediation", 2, ike_cfg,
 		CERT_NEVER_SEND, UNIQUE_REPLACE,
-		1, this->rekey*60, 0,  			/* keytries, rekey, reauth */
-		this->rekey*5, this->rekey*3, 	/* jitter, overtime */
-		TRUE, this->dpd, 				/* mobike, dpddelay */
-		NULL, NULL, 					/* vip, pool */
-		TRUE, NULL, NULL); 				/* mediation, med by, peer id */
+		1, this->rekey*60, 0,			/* keytries, rekey, reauth */
+		this->rekey*5, this->rekey*3,	/* jitter, overtime */
+		TRUE, this->dpd,				/* mobike, dpddelay */
+		NULL, NULL,						/* vip, pool */
+		TRUE, NULL, NULL);				/* mediation, med by, peer id */
 	e->destroy(e);
 
 	auth = auth_cfg_create();
@@ -163,10 +163,10 @@ static peer_cfg_t *get_peer_cfg_by_name(private_medcli_config_t *this, char *nam
 	peer_cfg = peer_cfg_create(
 		name, 2, this->ike->get_ref(this->ike),
 		CERT_NEVER_SEND, UNIQUE_REPLACE,
-		1, this->rekey*60, 0,  			/* keytries, rekey, reauth */
-		this->rekey*5, this->rekey*3, 	/* jitter, overtime */
-		TRUE, this->dpd, 				/* mobike, dpddelay */
-		NULL, NULL, 					/* vip, pool */
+		1, this->rekey*60, 0,			/* keytries, rekey, reauth */
+		this->rekey*5, this->rekey*3,	/* jitter, overtime */
+		TRUE, this->dpd,				/* mobike, dpddelay */
+		NULL, NULL,						/* vip, pool */
 		FALSE, med_cfg,					/* mediation, med by */
 		identification_create_from_encoding(ID_KEY_ID, other));
 
@@ -243,11 +243,11 @@ static bool peer_enumerator_enumerate(peer_enumerator_t *this, peer_cfg_t **cfg)
 	this->current = peer_cfg_create(
 				name, 2, this->ike->get_ref(this->ike),
 				CERT_NEVER_SEND, UNIQUE_REPLACE,
-				1, this->rekey*60, 0,  			/* keytries, rekey, reauth */
-				this->rekey*5, this->rekey*3, 	/* jitter, overtime */
-				TRUE, this->dpd, 				/* mobike, dpddelay */
-				NULL, NULL, 					/* vip, pool */
-				FALSE, NULL, NULL); 			/* mediation, med by, peer id */
+				1, this->rekey*60, 0,			/* keytries, rekey, reauth */
+				this->rekey*5, this->rekey*3,	/* jitter, overtime */
+				TRUE, this->dpd,				/* mobike, dpddelay */
+				NULL, NULL,						/* vip, pool */
+				FALSE, NULL, NULL);				/* mediation, med by, peer id */
 
 	auth = auth_cfg_create();
 	auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
@@ -364,7 +364,7 @@ static void schedule_autoinit(private_medcli_config_t *this)
 			if (peer_cfg)
 			{
 				/* schedule asynchronous initiation job */
-				charon->processor->queue_job(charon->processor,
+				lib->processor->queue_job(lib->processor,
 						(job_t*)callback_job_create(
 									(callback_job_cb_t)initiate_config,
 									peer_cfg, (void*)peer_cfg->destroy, NULL));
diff --git a/src/libcharon/plugins/medsrv/Makefile.in b/src/libcharon/plugins/medsrv/Makefile.in
index 4dc9c00d0..f6db7d834 100644
--- a/src/libcharon/plugins/medsrv/Makefile.in
+++ b/src/libcharon/plugins/medsrv/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -167,6 +168,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -198,14 +201,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -220,24 +226,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -245,7 +258,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libcharon/plugins/nm/Makefile.in b/src/libcharon/plugins/nm/Makefile.in
index 1b3e4c5a6..2f5c20971 100644
--- a/src/libcharon/plugins/nm/Makefile.in
+++ b/src/libcharon/plugins/nm/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -166,6 +167,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -197,14 +200,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -219,24 +225,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -244,7 +257,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libcharon/plugins/nm/nm_creds.c b/src/libcharon/plugins/nm/nm_creds.c
index 193838e6b..638787019 100644
--- a/src/libcharon/plugins/nm/nm_creds.c
+++ b/src/libcharon/plugins/nm/nm_creds.c
@@ -50,6 +50,16 @@ struct private_nm_creds_t {
 	 */
 	char *pass;
 
+	/**
+	 * Private key decryption password / smartcard pin
+	 */
+	char *keypass;
+
+	/**
+	 * private key ID of smartcard key
+	 */
+	chunk_t keyid;
+
 	/**
 	 * users certificate
 	 */
@@ -239,8 +249,14 @@ static bool shared_enumerate(shared_enumerator_t *this, shared_key_t **key,
 		return FALSE;
 	}
 	*key = this->key;
-	*me = ID_MATCH_PERFECT;
-	*other = ID_MATCH_ANY;
+	if (me)
+	{
+		*me = ID_MATCH_PERFECT;
+	}
+	if (other)
+	{
+		*other = ID_MATCH_ANY;
+	}
 	this->done = TRUE;
 	return TRUE;
 }
@@ -262,18 +278,39 @@ static enumerator_t* create_shared_enumerator(private_nm_creds_t *this,
 							identification_t *other)
 {
 	shared_enumerator_t *enumerator;
+	chunk_t key;
 
-	if (!this->pass || !this->user)
+	switch (type)
 	{
-		return NULL;
-	}
-	if (type != SHARED_EAP && type != SHARED_IKE)
-	{
-		return NULL;
-	}
-	if (me && !me->equals(me, this->user))
-	{
-		return NULL;
+		case SHARED_EAP:
+		case SHARED_IKE:
+			if (!this->pass || !this->user)
+			{
+				return NULL;
+			}
+			if (me && !me->equals(me, this->user))
+			{
+				return NULL;
+			}
+			key = chunk_create(this->pass, strlen(this->pass));
+			break;
+		case SHARED_PRIVATE_KEY_PASS:
+			if (!this->keypass)
+			{
+				return NULL;
+			}
+			key = chunk_create(this->keypass, strlen(this->keypass));
+			break;
+		case SHARED_PIN:
+			if (!this->keypass || !me ||
+				!chunk_equals(me->get_encoding(me), this->keyid))
+			{
+				return NULL;
+			}
+			key = chunk_create(this->keypass, strlen(this->keypass));
+			break;
+		default:
+			return NULL;
 	}
 
 	enumerator = malloc_thing(shared_enumerator_t);
@@ -282,9 +319,7 @@ static enumerator_t* create_shared_enumerator(private_nm_creds_t *this,
 	enumerator->this = this;
 	enumerator->done = FALSE;
 	this->lock->read_lock(this->lock);
-	enumerator->key = shared_key_create(type,
-										chunk_clone(chunk_create(this->pass,
-													strlen(this->pass))));
+	enumerator->key = shared_key_create(type, chunk_clone(key));
 	return &enumerator->public;
 }
 
@@ -369,6 +404,30 @@ static void set_username_password(private_nm_creds_t *this, identification_t *id
 	this->lock->unlock(this->lock);
 }
 
+/**
+ * Implementation of nm_creds_t.set_key_password
+ */
+static void set_key_password(private_nm_creds_t *this, char *password)
+{
+	this->lock->write_lock(this->lock);
+	free(this->keypass);
+	this->keypass = password ? strdup(password) : NULL;
+	this->lock->unlock(this->lock);
+}
+
+/**
+ * Implementation of nm_creds_t.set_pin
+ */
+static void set_pin(private_nm_creds_t *this, chunk_t keyid, char *pin)
+{
+	this->lock->write_lock(this->lock);
+	free(this->keypass);
+	free(this->keyid.ptr);
+	this->keypass = pin ? strdup(pin) : NULL;
+	this->keyid = chunk_clone(keyid);
+	this->lock->unlock(this->lock);
+}
+
 /**
  * Implementation of nm_creds_t.set_cert_and_key
  */
@@ -396,12 +455,16 @@ static void clear(private_nm_creds_t *this)
 	}
 	DESTROY_IF(this->user);
 	free(this->pass);
+	free(this->keypass);
+	free(this->keyid.ptr);
 	DESTROY_IF(this->usercert);
 	DESTROY_IF(this->key);
 	this->key = NULL;
 	this->usercert = NULL;
 	this->pass = NULL;
 	this->user = NULL;
+	this->keypass = NULL;
+	this->keyid = chunk_empty;
 }
 
 /**
@@ -430,6 +493,8 @@ nm_creds_t *nm_creds_create()
 	this->public.add_certificate = (void(*)(nm_creds_t*, certificate_t *cert))add_certificate;
 	this->public.load_ca_dir = (void(*)(nm_creds_t*, char *dir))load_ca_dir;
 	this->public.set_username_password = (void(*)(nm_creds_t*, identification_t *id, char *password))set_username_password;
+	this->public.set_key_password = (void(*)(nm_creds_t*, char *password))set_key_password;
+	this->public.set_pin = (void(*)(nm_creds_t*, chunk_t keyid, char *pin))set_pin;
 	this->public.set_cert_and_key = (void(*)(nm_creds_t*, certificate_t *cert, private_key_t *key))set_cert_and_key;
 	this->public.clear = (void(*)(nm_creds_t*))clear;
 	this->public.destroy = (void(*)(nm_creds_t*))destroy;
@@ -441,6 +506,8 @@ nm_creds_t *nm_creds_create()
 	this->pass = NULL;
 	this->usercert = NULL;
 	this->key = NULL;
+	this->keypass = NULL;
+	this->keyid = chunk_empty;
 
 	return &this->public;
 }
diff --git a/src/libcharon/plugins/nm/nm_creds.h b/src/libcharon/plugins/nm/nm_creds.h
index b55cff31e..91f645c7e 100644
--- a/src/libcharon/plugins/nm/nm_creds.h
+++ b/src/libcharon/plugins/nm/nm_creds.h
@@ -58,6 +58,22 @@ struct nm_creds_t {
 	 */
 	void (*set_username_password)(nm_creds_t *this, identification_t *id,
 								  char *password);
+
+	/**
+	 * Set the passphrase to use for private key decryption.
+	 *
+	 * @param password	password to use
+	 */
+	void (*set_key_password)(nm_creds_t *this, char *password);
+
+	/**
+	 * Set the PIN to unlock a smartcard.
+	 *
+	 * @param keyid		keyid of the smartcard key
+	 * @param pin		PIN
+	 */
+	void (*set_pin)(nm_creds_t *this, chunk_t keyid, char *pin);
+
 	/**
 	 * Set the certificate and private key to use for client authentication.
 	 *
@@ -66,6 +82,7 @@ struct nm_creds_t {
 	 */
 	void (*set_cert_and_key)(nm_creds_t *this, certificate_t *cert,
 							 private_key_t *key);
+
 	/**
 	 * Clear the stored credentials.
 	 */
diff --git a/src/libcharon/plugins/nm/nm_plugin.c b/src/libcharon/plugins/nm/nm_plugin.c
index 250e6f7f9..fd0580bd6 100644
--- a/src/libcharon/plugins/nm/nm_plugin.c
+++ b/src/libcharon/plugins/nm/nm_plugin.c
@@ -122,7 +122,7 @@ plugin_t *nm_plugin_create()
 	/* bypass file permissions to read from users ssh-agent */
 	charon->keep_cap(charon, CAP_DAC_OVERRIDE);
 
-	charon->processor->queue_job(charon->processor,
+	lib->processor->queue_job(lib->processor,
 		 (job_t*)callback_job_create((callback_job_cb_t)run, this, NULL, NULL));
 
 	return &this->public.plugin;
diff --git a/src/libcharon/plugins/nm/nm_service.c b/src/libcharon/plugins/nm/nm_service.c
index 07318bbbf..72c5bbbb5 100644
--- a/src/libcharon/plugins/nm/nm_service.c
+++ b/src/libcharon/plugins/nm/nm_service.c
@@ -203,6 +203,59 @@ static bool ike_rekey(listener_t *listener, ike_sa_t *old, ike_sa_t *new)
 	return TRUE;
 }
 
+/**
+ * Find a certificate for which we have a private key on a smartcard
+ */
+static identification_t *find_smartcard_key(NMStrongswanPluginPrivate *priv,
+											char *pin)
+{
+	enumerator_t *enumerator, *sans;
+	identification_t *id = NULL;
+	certificate_t *cert;
+	x509_t *x509;
+	private_key_t *key;
+	chunk_t keyid;
+
+	enumerator = lib->credmgr->create_cert_enumerator(lib->credmgr,
+											CERT_X509, KEY_ANY, NULL, FALSE);
+	while (enumerator->enumerate(enumerator, &cert))
+	{
+		x509 = (x509_t*)cert;
+
+		/* there might be a lot of certificates, filter them by usage */
+		if ((x509->get_flags(x509) & X509_CLIENT_AUTH) &&
+			!(x509->get_flags(x509) & X509_CA))
+		{
+			keyid = x509->get_subjectKeyIdentifier(x509);
+			if (keyid.ptr)
+			{
+				/* try to find a private key by the certificate keyid */
+				priv->creds->set_pin(priv->creds, keyid, pin);
+				key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY,
+								KEY_ANY, BUILD_PKCS11_KEYID, keyid, BUILD_END);
+				if (key)
+				{
+					/* prefer a more convenient subjectAltName */
+					sans = x509->create_subjectAltName_enumerator(x509);
+					if (!sans->enumerate(sans, &id))
+					{
+						id = cert->get_subject(cert);
+					}
+					id = id->clone(id);
+					sans->destroy(sans);
+
+					DBG1(DBG_CFG, "using smartcard certificate '%Y'", id);
+					priv->creds->set_cert_and_key(priv->creds,
+												  cert->get_ref(cert), key);
+					break;
+				}
+			}
+		}
+	}
+	enumerator->destroy(enumerator);
+	return id;
+}
+
 /**
  * Connect function called from NM via DBUS
  */
@@ -224,7 +277,7 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
 	auth_class_t auth_class = AUTH_CLASS_EAP;
 	certificate_t *cert = NULL;
 	x509_t *x509;
-	bool agent = FALSE;
+	bool agent = FALSE, smartcard = FALSE;
 	lifetime_cfg_t lifetime = {
 		.time = {
 			.life = 10800 /* 3h */,
@@ -279,6 +332,11 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
 		{
 			auth_class = AUTH_CLASS_PUBKEY;
 		}
+		else if (streq(str, "smartcard"))
+		{
+			auth_class = AUTH_CLASS_PUBKEY;
+			smartcard = TRUE;
+		}
 	}
 
 	/**
@@ -338,9 +396,26 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
 
 	if (auth_class == AUTH_CLASS_PUBKEY)
 	{
+		if (smartcard)
+		{
+			char *pin;
+
+			pin = (char*)nm_setting_vpn_get_secret(vpn, "password");
+			if (pin)
+			{
+				user = find_smartcard_key(priv, pin);
+			}
+			if (!user)
+			{
+				g_set_error(err, NM_VPN_PLUGIN_ERROR,
+							NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
+							"no usable smartcard certificate found.");
+				gateway->destroy(gateway);
+				return FALSE;
+			}
+		}
 		/* ... or certificate/private key authenitcation */
-		str = nm_setting_vpn_get_data_item(vpn, "usercert");
-		if (str)
+		else if ((str = nm_setting_vpn_get_data_item(vpn, "usercert")))
 		{
 			public_key_t *public;
 			private_key_t *private = NULL;
@@ -380,16 +455,15 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
 			str = nm_setting_vpn_get_data_item(vpn, "userkey");
 			if (!agent && str)
 			{
-				chunk_t secret;
+				char *secret;
 
-				secret.ptr = (char*)nm_setting_vpn_get_secret(vpn, "password");
-				if (secret.ptr)
+				secret = (char*)nm_setting_vpn_get_secret(vpn, "password");
+				if (secret)
 				{
-					secret.len = strlen(secret.ptr);
+					priv->creds->set_key_password(priv->creds, secret);
 				}
 				private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY,
-								KEY_RSA, BUILD_FROM_FILE, str,
-								BUILD_PASSPHRASE, secret, BUILD_END);
+								KEY_RSA, BUILD_FROM_FILE, str, BUILD_END);
 				if (!private)
 				{
 					g_set_error(err, NM_VPN_PLUGIN_ERROR,
@@ -524,17 +598,10 @@ static gboolean need_secrets(NMVPNPlugin *plugin, NMConnection *connection,
 			if (path)
 			{
 				private_key_t *key;
-				chunk_t secret;
 
-				secret.ptr = (char*)nm_setting_vpn_get_secret(settings, "password");
-				if (secret.ptr)
-				{
-					secret.len = strlen(secret.ptr);
-				}
 				/* try to load/decrypt the private key */
 				key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY,
-								KEY_RSA, BUILD_FROM_FILE, path,
-								BUILD_PASSPHRASE, secret, BUILD_END);
+								KEY_RSA, BUILD_FROM_FILE, path, BUILD_END);
 				if (key)
 				{
 					key->destroy(key);
@@ -542,6 +609,13 @@ static gboolean need_secrets(NMVPNPlugin *plugin, NMConnection *connection,
 				}
 			}
 		}
+		else if streq(method, "smartcard")
+		{
+			if (nm_setting_vpn_get_secret(settings, "password"))
+			{
+				return FALSE;
+			}
+		}
 	}
 	*setting_name = NM_SETTING_VPN_SETTING_NAME;
 	return TRUE;
diff --git a/src/libcharon/plugins/smp/Makefile.in b/src/libcharon/plugins/smp/Makefile.in
index 35fb8367f..f24e2d1e7 100644
--- a/src/libcharon/plugins/smp/Makefile.in
+++ b/src/libcharon/plugins/smp/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -165,6 +166,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -196,14 +199,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -218,24 +224,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -243,7 +256,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libcharon/plugins/smp/smp.c b/src/libcharon/plugins/smp/smp.c
index 64820eb45..60937f23d 100644
--- a/src/libcharon/plugins/smp/smp.c
+++ b/src/libcharon/plugins/smp/smp.c
@@ -702,7 +702,7 @@ static job_requeue_t dispatch(private_smp_t *this)
 	fdp = malloc_thing(int);
 	*fdp = fd;
 	job = callback_job_create((callback_job_cb_t)process, fdp, free, this->job);
-	charon->processor->queue_job(charon->processor, (job_t*)job);
+	lib->processor->queue_job(lib->processor, (job_t*)job);
 
 	return JOB_REQUEUE_DIRECT;
 }
@@ -761,7 +761,7 @@ plugin_t *smp_plugin_create()
 	}
 
 	this->job = callback_job_create((callback_job_cb_t)dispatch, this, NULL, NULL);
-	charon->processor->queue_job(charon->processor, (job_t*)this->job);
+	lib->processor->queue_job(lib->processor, (job_t*)this->job);
 
 	return &this->public.plugin;
 }
diff --git a/src/libcharon/plugins/socket_default/Makefile.in b/src/libcharon/plugins/socket_default/Makefile.in
index df63d862e..bd85386b2 100644
--- a/src/libcharon/plugins/socket_default/Makefile.in
+++ b/src/libcharon/plugins/socket_default/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -168,6 +169,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -199,14 +202,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -221,24 +227,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -246,7 +259,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libcharon/plugins/socket_default/socket_default_plugin.c b/src/libcharon/plugins/socket_default/socket_default_plugin.c
index 45390ddae..b5dea68b6 100644
--- a/src/libcharon/plugins/socket_default/socket_default_plugin.c
+++ b/src/libcharon/plugins/socket_default/socket_default_plugin.c
@@ -1,4 +1,6 @@
 /*
+ * Copyright (C) 2010 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
  * Copyright (C) 2010 Martin Willi
  * Copyright (C) 2010 revosec AG
  *
@@ -31,17 +33,13 @@ struct private_socket_default_plugin_t {
 	 */
 	socket_default_plugin_t public;
 
-	/**
-	 * Socket instance.
-	 */
-	socket_default_socket_t *socket;
 };
 
 METHOD(plugin_t, destroy, void,
 	private_socket_default_plugin_t *this)
 {
-	charon->socket->remove_socket(charon->socket, &this->socket->socket);
-	this->socket->destroy(this->socket);
+	charon->socket->remove_socket(charon->socket,
+						(socket_constructor_t)socket_default_socket_create);
 	free(this);
 }
 
@@ -53,16 +51,15 @@ plugin_t *socket_default_plugin_create()
 	private_socket_default_plugin_t *this;
 
 	INIT(this,
-		.public.plugin.destroy = _destroy,
-		.socket = socket_default_socket_create(),
+		.public = {
+			.plugin = {
+				.destroy = _destroy,
+			},
+		},
 	);
 
-	if (!this->socket)
-	{
-		free(this);
-		return NULL;
-	}
-	charon->socket->add_socket(charon->socket, &this->socket->socket);
+	charon->socket->add_socket(charon->socket,
+						(socket_constructor_t)socket_default_socket_create);
 
 	return &this->public.plugin;
 }
diff --git a/src/libcharon/plugins/socket_default/socket_default_socket.c b/src/libcharon/plugins/socket_default/socket_default_socket.c
index bc998182e..e95646643 100644
--- a/src/libcharon/plugins/socket_default/socket_default_socket.c
+++ b/src/libcharon/plugins/socket_default/socket_default_socket.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006-2009 Tobias Brunner
+ * Copyright (C) 2006-2010 Tobias Brunner
  * Copyright (C) 2006 Daniel Roethlisberger
  * Copyright (C) 2005-2010 Martin Willi
  * Copyright (C) 2005 Jan Hutter
@@ -42,11 +42,12 @@
 #include <sys/sysctl.h>
 #endif
 
+#include <hydra.h>
 #include <daemon.h>
 #include <threading/thread.h>
 
 /* Maximum size of a packet */
-#define MAX_PACKET 5000
+#define MAX_PACKET 10000
 
 /* length of non-esp marker */
 #define MARKER_LEN sizeof(u_int32_t)
@@ -116,12 +117,17 @@ struct private_socket_default_socket_t {
 	 * IPv6 socket for NATT (4500)
 	 */
 	int ipv6_natt;
+
+	/**
+	 * Maximum packet size to receive
+	 */
+	int max_packet;
 };
 
 METHOD(socket_t, receiver, status_t,
 	private_socket_default_socket_t *this, packet_t **packet)
 {
-	char buffer[MAX_PACKET];
+	char buffer[this->max_packet];
 	chunk_t data;
 	packet_t *pkt;
 	host_t *source = NULL, *dest = NULL;
@@ -195,7 +201,7 @@ METHOD(socket_t, receiver, status_t,
 		msg.msg_name = &src;
 		msg.msg_namelen = sizeof(src);
 		iov.iov_base = buffer;
-		iov.iov_len = sizeof(buffer);
+		iov.iov_len = this->max_packet;
 		msg.msg_iov = &iov;
 		msg.msg_iovlen = 1;
 		msg.msg_control = ancillary;
@@ -207,6 +213,11 @@ METHOD(socket_t, receiver, status_t,
 			DBG1(DBG_NET, "error reading socket: %s", strerror(errno));
 			return FAILED;
 		}
+		if (msg.msg_flags & MSG_TRUNC)
+		{
+			DBG1(DBG_NET, "receive buffer too small, packet discarded");
+			return FAILED;
+		}
 		DBG3(DBG_NET, "received packet %b", buffer, bytes_read);
 
 		if (bytes_read < MARKER_LEN)
@@ -351,12 +362,6 @@ METHOD(socket_t, sender, status_t,
 		if (data.len != 1 || data.ptr[0] != 0xFF)
 		{
 			/* add non esp marker to packet */
-			if (data.len > MAX_PACKET - MARKER_LEN)
-			{
-				DBG1(DBG_NET, "unable to send packet: it's too big (%d bytes)",
-					 data.len);
-				return FAILED;
-			}
 			marked = chunk_alloc(data.len + MARKER_LEN);
 			memset(marked.ptr, 0, MARKER_LEN);
 			memcpy(marked.ptr + MARKER_LEN, data.ptr, data.len);
@@ -521,8 +526,8 @@ static int open_socket(private_socket_default_socket_t *this,
 		}
 	}
 
-	if (!charon->kernel_interface->bypass_socket(charon->kernel_interface,
-												 skt, family))
+	if (!hydra->kernel_interface->bypass_socket(hydra->kernel_interface,
+												skt, family))
 	{
 		DBG1(DBG_NET, "installing IKE bypass policy failed");
 	}
@@ -541,7 +546,7 @@ static int open_socket(private_socket_default_socket_t *this,
 	return skt;
 }
 
-METHOD(socket_default_socket_t, destroy, void,
+METHOD(socket_t, destroy, void,
 	private_socket_default_socket_t *this)
 {
 	if (this->ipv4)
@@ -575,9 +580,11 @@ socket_default_socket_t *socket_default_socket_create()
 			.socket = {
 				.send = _sender,
 				.receive = _receiver,
+				.destroy = _destroy,
 			},
-			.destroy = _destroy,
 		},
+		.max_packet = lib->settings->get_int(lib->settings,
+										"charon.max_packet", MAX_PACKET),
 	);
 
 #ifdef __APPLE__
diff --git a/src/libcharon/plugins/socket_default/socket_default_socket.h b/src/libcharon/plugins/socket_default/socket_default_socket.h
index 755016662..89aa6f435 100644
--- a/src/libcharon/plugins/socket_default/socket_default_socket.h
+++ b/src/libcharon/plugins/socket_default/socket_default_socket.h
@@ -35,10 +35,6 @@ struct socket_default_socket_t {
 	 */
 	socket_t socket;
 
-	/**
-	 * Destroy a socket_default_socket_t.
-	 */
-	void (*destroy)(socket_default_socket_t *this);
 };
 
 /**
diff --git a/src/libcharon/plugins/socket_dynamic/Makefile.in b/src/libcharon/plugins/socket_dynamic/Makefile.in
index 8a3a15188..8e0790671 100644
--- a/src/libcharon/plugins/socket_dynamic/Makefile.in
+++ b/src/libcharon/plugins/socket_dynamic/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -168,6 +169,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -199,14 +202,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -221,24 +227,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -246,7 +259,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libcharon/plugins/socket_dynamic/socket_dynamic_plugin.c b/src/libcharon/plugins/socket_dynamic/socket_dynamic_plugin.c
index 3410fc7a4..a6ff14efd 100644
--- a/src/libcharon/plugins/socket_dynamic/socket_dynamic_plugin.c
+++ b/src/libcharon/plugins/socket_dynamic/socket_dynamic_plugin.c
@@ -1,4 +1,6 @@
 /*
+ * Copyright (C) 2010 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
  * Copyright (C) 2010 Martin Willi
  * Copyright (C) 2010 revosec AG
  *
@@ -31,17 +33,13 @@ struct private_socket_dynamic_plugin_t {
 	 */
 	socket_dynamic_plugin_t public;
 
-	/**
-	 * Socket instance.
-	 */
-	socket_dynamic_socket_t *socket;
 };
 
 METHOD(plugin_t, destroy, void,
 	private_socket_dynamic_plugin_t *this)
 {
-	charon->socket->remove_socket(charon->socket, &this->socket->socket);
-	this->socket->destroy(this->socket);
+	charon->socket->remove_socket(charon->socket,
+						(socket_constructor_t)socket_dynamic_socket_create);
 	free(this);
 }
 
@@ -53,16 +51,15 @@ plugin_t *socket_dynamic_plugin_create()
 	private_socket_dynamic_plugin_t *this;
 
 	INIT(this,
-		.public.plugin.destroy = _destroy,
-		.socket = socket_dynamic_socket_create(),
+		.public = {
+			.plugin = {
+				.destroy = _destroy,
+			},
+		},
 	);
 
-	if (!this->socket)
-	{
-		free(this);
-		return NULL;
-	}
-	charon->socket->add_socket(charon->socket, &this->socket->socket);
+	charon->socket->add_socket(charon->socket,
+						(socket_constructor_t)socket_dynamic_socket_create);
 
 	return &this->public.plugin;
 }
diff --git a/src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.c b/src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.c
index a7db59ce5..74dba82cc 100644
--- a/src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.c
+++ b/src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006-2009 Tobias Brunner
+ * Copyright (C) 2006-2010 Tobias Brunner
  * Copyright (C) 2006 Daniel Roethlisberger
  * Copyright (C) 2005-2010 Martin Willi
  * Copyright (C) 2005 Jan Hutter
@@ -36,13 +36,14 @@
 #include <netinet/udp.h>
 #include <net/if.h>
 
+#include <hydra.h>
 #include <daemon.h>
 #include <threading/thread.h>
 #include <threading/rwlock.h>
 #include <utils/hashtable.h>
 
 /* Maximum size of a packet */
-#define MAX_PACKET 5000
+#define MAX_PACKET 10000
 
 /* length of non-esp marker */
 #define MARKER_LEN sizeof(u_int32_t)
@@ -100,6 +101,11 @@ struct private_socket_dynamic_socket_t {
 	 * Notification pipe to signal receiver
 	 */
 	int notify[2];
+
+	/**
+	 * Maximum packet size to receive
+	 */
+	int max_packet;
 };
 
 /**
@@ -197,7 +203,7 @@ static packet_t *receive_packet(private_socket_dynamic_socket_t *this,
 {
 	host_t *source = NULL, *dest = NULL;
 	ssize_t len;
-	char buffer[MAX_PACKET];
+	char buffer[this->max_packet];
 	chunk_t data;
 	packet_t *packet;
 	struct msghdr msg;
@@ -212,7 +218,7 @@ static packet_t *receive_packet(private_socket_dynamic_socket_t *this,
 	msg.msg_name = &src;
 	msg.msg_namelen = sizeof(src);
 	iov.iov_base = buffer;
-	iov.iov_len = sizeof(buffer);
+	iov.iov_len = this->max_packet;
 	msg.msg_iov = &iov;
 	msg.msg_iovlen = 1;
 	msg.msg_control = ancillary;
@@ -224,6 +230,11 @@ static packet_t *receive_packet(private_socket_dynamic_socket_t *this,
 		DBG1(DBG_NET, "error reading socket: %s", strerror(errno));
 		return NULL;
 	}
+	if (msg.msg_flags & MSG_TRUNC)
+	{
+		DBG1(DBG_NET, "receive buffer too small, packet discarded");
+		return NULL;
+	}
 	DBG3(DBG_NET, "received packet %b", buffer, len);
 
 	if (len < MARKER_LEN)
@@ -412,8 +423,8 @@ static int open_socket(private_socket_dynamic_socket_t *this,
 		return 0;
 	}
 
-	if (!charon->kernel_interface->bypass_socket(charon->kernel_interface,
-												 fd, family))
+	if (!hydra->kernel_interface->bypass_socket(hydra->kernel_interface,
+												fd, family))
 	{
 		DBG1(DBG_NET, "installing IKE bypass policy failed");
 	}
@@ -495,12 +506,6 @@ METHOD(socket_t, sender, status_t,
 		!(data.len == 1 && data.ptr[0] == 0xFF))
 	{
 		/* add non esp marker to packet */
-		if (data.len > MAX_PACKET - MARKER_LEN)
-		{
-			DBG1(DBG_NET, "unable to send packet: it's too big (%d bytes)",
-				 data.len);
-			return FAILED;
-		}
 		marked = chunk_alloc(data.len + MARKER_LEN);
 		memset(marked.ptr, 0, MARKER_LEN);
 		memcpy(marked.ptr + MARKER_LEN, data.ptr, data.len);
@@ -567,7 +572,7 @@ METHOD(socket_t, sender, status_t,
 	return SUCCESS;
 }
 
-METHOD(socket_dynamic_socket_t, destroy, void,
+METHOD(socket_t, destroy, void,
 	private_socket_dynamic_socket_t *this)
 {
 	enumerator_t *enumerator;
@@ -600,10 +605,12 @@ socket_dynamic_socket_t *socket_dynamic_socket_create()
 			.socket = {
 				.send = _sender,
 				.receive = _receiver,
+				.destroy = _destroy,
 			},
-			.destroy = _destroy,
 		},
 		.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
+		.max_packet = lib->settings->get_int(lib->settings,
+										"charon.max_packet", MAX_PACKET),
 	);
 
 	if (pipe(this->notify) != 0)
diff --git a/src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.h b/src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.h
index 72551e545..8c93f53d6 100644
--- a/src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.h
+++ b/src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.h
@@ -35,10 +35,6 @@ struct socket_dynamic_socket_t {
 	 */
 	socket_t socket;
 
-	/**
-	 * Destroy a socket_dynamic_socket_t.
-	 */
-	void (*destroy)(socket_dynamic_socket_t *this);
 };
 
 /**
diff --git a/src/libcharon/plugins/socket_raw/Makefile.in b/src/libcharon/plugins/socket_raw/Makefile.in
index 32bd9e0a1..5f4cba131 100644
--- a/src/libcharon/plugins/socket_raw/Makefile.in
+++ b/src/libcharon/plugins/socket_raw/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -168,6 +169,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -199,14 +202,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -221,24 +227,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -246,7 +259,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libcharon/plugins/socket_raw/socket_raw_plugin.c b/src/libcharon/plugins/socket_raw/socket_raw_plugin.c
index 5b011abcf..17a3a8db7 100644
--- a/src/libcharon/plugins/socket_raw/socket_raw_plugin.c
+++ b/src/libcharon/plugins/socket_raw/socket_raw_plugin.c
@@ -1,4 +1,6 @@
 /*
+ * Copyright (C) 2010 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
  * Copyright (C) 2010 Martin Willi
  * Copyright (C) 2010 revosec AG
  *
@@ -31,17 +33,13 @@ struct private_socket_raw_plugin_t {
 	 */
 	socket_raw_plugin_t public;
 
-	/**
-	 * Raw socket instance.
-	 */
-	socket_raw_socket_t *socket;
 };
 
 METHOD(plugin_t, destroy, void,
 	private_socket_raw_plugin_t *this)
 {
-	charon->socket->remove_socket(charon->socket, &this->socket->socket);
-	this->socket->destroy(this->socket);
+	charon->socket->remove_socket(charon->socket,
+							(socket_constructor_t)socket_raw_socket_create);
 	free(this);
 }
 
@@ -53,16 +51,15 @@ plugin_t *socket_raw_plugin_create()
 	private_socket_raw_plugin_t *this;
 
 	INIT(this,
-		.public.plugin.destroy = _destroy,
-		.socket = socket_raw_socket_create(),
+		.public = {
+			.plugin = {
+				.destroy = _destroy,
+			},
+		},
 	);
 
-	if (!this->socket)
-	{
-		free(this);
-		return NULL;
-	}
-	charon->socket->add_socket(charon->socket, &this->socket->socket);
+	charon->socket->add_socket(charon->socket,
+							(socket_constructor_t)socket_raw_socket_create);
 
 	return &this->public.plugin;
 }
diff --git a/src/libcharon/plugins/socket_raw/socket_raw_socket.c b/src/libcharon/plugins/socket_raw/socket_raw_socket.c
index 166870421..f6e87a86f 100644
--- a/src/libcharon/plugins/socket_raw/socket_raw_socket.c
+++ b/src/libcharon/plugins/socket_raw/socket_raw_socket.c
@@ -1,6 +1,7 @@
 /*
- * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger
+ * Copyright (C) 2006-2010 Tobias Brunner
  * Copyright (C) 2005-2010 Martin Willi
+ * Copyright (C) 2006 Daniel Roethlisberger
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
  *
@@ -36,11 +37,12 @@
 #include <linux/filter.h>
 #include <net/if.h>
 
+#include <hydra.h>
 #include <daemon.h>
 #include <threading/thread.h>
 
 /* Maximum size of a packet */
-#define MAX_PACKET 5000
+#define MAX_PACKET 10000
 
 /* constants for packet handling */
 #define IP_LEN sizeof(struct iphdr)
@@ -119,12 +121,17 @@ struct private_socket_raw_socket_t {
 	 * send socket on nat-t port for IPv6
 	 */
 	int send6_natt;
+
+	/**
+	 * Maximum packet size to receive
+	 */
+	int max_packet;
 };
 
 METHOD(socket_t, receiver, status_t,
 	private_socket_raw_socket_t *this, packet_t **packet)
 {
-	char buffer[MAX_PACKET];
+	char buffer[this->max_packet];
 	chunk_t data;
 	packet_t *pkt;
 	struct udphdr *udp;
@@ -161,12 +168,17 @@ METHOD(socket_t, receiver, status_t,
 		struct iphdr *ip;
 		struct sockaddr_in src, dst;
 
-		bytes_read = recv(this->recv4, buffer, MAX_PACKET, 0);
+		bytes_read = recv(this->recv4, buffer, this->max_packet, 0);
 		if (bytes_read < 0)
 		{
 			DBG1(DBG_NET, "error reading from IPv4 socket: %s", strerror(errno));
 			return FAILED;
 		}
+		if (bytes_read == this->max_packet)
+		{
+			DBG1(DBG_NET, "receive buffer too small, packet discarded");
+			return FAILED;
+		}
 		DBG3(DBG_NET, "received IPv4 packet %b", buffer, bytes_read);
 
 		/* read source/dest from raw IP/UDP header */
@@ -216,7 +228,7 @@ METHOD(socket_t, receiver, status_t,
 		msg.msg_name = &src;
 		msg.msg_namelen = sizeof(src);
 		iov.iov_base = buffer;
-		iov.iov_len = sizeof(buffer);
+		iov.iov_len = this->max_packet;
 		msg.msg_iov = &iov;
 		msg.msg_iovlen = 1;
 		msg.msg_control = ancillary;
@@ -343,12 +355,6 @@ METHOD(socket_t, sender, status_t,
 		if (data.len != 1 || data.ptr[0] != 0xFF)
 		{
 			/* add non esp marker to packet */
-			if (data.len > MAX_PACKET - MARKER_LEN)
-			{
-				DBG1(DBG_NET, "unable to send packet: it's too big (%d bytes)",
-					 data.len);
-				return FAILED;
-			}
 			marked = chunk_alloc(data.len + MARKER_LEN);
 			memset(marked.ptr, 0, MARKER_LEN);
 			memcpy(marked.ptr + MARKER_LEN, data.ptr, data.len);
@@ -492,8 +498,8 @@ static int open_send_socket(private_socket_raw_socket_t *this,
 		}
 	}
 
-	if (!charon->kernel_interface->bypass_socket(charon->kernel_interface,
-												 skt, family))
+	if (!hydra->kernel_interface->bypass_socket(hydra->kernel_interface,
+												skt, family))
 	{
 		DBG1(DBG_NET, "installing bypass policy on send socket failed");
 	}
@@ -598,8 +604,8 @@ static int open_recv_socket(private_socket_raw_socket_t *this, int family)
 		return 0;
 	}
 
-	if (!charon->kernel_interface->bypass_socket(charon->kernel_interface,
-												 skt, family))
+	if (!hydra->kernel_interface->bypass_socket(hydra->kernel_interface,
+												skt, family))
 	{
 		DBG1(DBG_NET, "installing bypass policy on receive socket failed");
 	}
@@ -607,7 +613,7 @@ static int open_recv_socket(private_socket_raw_socket_t *this, int family)
 	return skt;
 }
 
-METHOD(socket_raw_socket_t, destroy, void,
+METHOD(socket_t, destroy, void,
 	private_socket_raw_socket_t *this)
 {
 	if (this->recv4)
@@ -649,9 +655,11 @@ socket_raw_socket_t *socket_raw_socket_create()
 			.socket = {
 				.send = _sender,
 				.receive = _receiver,
+				.destroy = _destroy,
 			},
-			.destroy = _destroy,
 		},
+		.max_packet = lib->settings->get_int(lib->settings,
+										"charon.max_packet", MAX_PACKET),
 	);
 
 	this->recv4 = open_recv_socket(this, AF_INET);
diff --git a/src/libcharon/plugins/socket_raw/socket_raw_socket.h b/src/libcharon/plugins/socket_raw/socket_raw_socket.h
index 94cf666e8..23ff304a8 100644
--- a/src/libcharon/plugins/socket_raw/socket_raw_socket.h
+++ b/src/libcharon/plugins/socket_raw/socket_raw_socket.h
@@ -41,10 +41,6 @@ struct socket_raw_socket_t {
 	 */
 	socket_t socket;
 
-	/**
-	 * Destroy a socket_raw_socket_t.
-	 */
-	void (*destroy)(socket_raw_socket_t *this);
 };
 
 /**
diff --git a/src/libcharon/plugins/sql/Makefile.am b/src/libcharon/plugins/sql/Makefile.am
index 68b7e8cb2..37b87117c 100644
--- a/src/libcharon/plugins/sql/Makefile.am
+++ b/src/libcharon/plugins/sql/Makefile.am
@@ -2,9 +2,6 @@
 INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
-AM_CFLAGS = -rdynamic \
-  -DPLUGINS=\""${libstrongswan_plugins}\""
-
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-sql.la
 else
diff --git a/src/libcharon/plugins/sql/Makefile.in b/src/libcharon/plugins/sql/Makefile.in
index e32dc7b57..7c4521785 100644
--- a/src/libcharon/plugins/sql/Makefile.in
+++ b/src/libcharon/plugins/sql/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -165,6 +166,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -196,14 +199,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -218,24 +224,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -243,7 +256,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
@@ -258,9 +274,6 @@ xml_LIBS = @xml_LIBS@
 INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
-AM_CFLAGS = -rdynamic \
-  -DPLUGINS=\""${libstrongswan_plugins}\""
-
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-sql.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-sql.la
 libstrongswan_sql_la_SOURCES = \
diff --git a/src/libcharon/plugins/stroke/Makefile.in b/src/libcharon/plugins/stroke/Makefile.in
index e094200ca..e6e98838b 100644
--- a/src/libcharon/plugins/stroke/Makefile.in
+++ b/src/libcharon/plugins/stroke/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -168,6 +169,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -199,14 +202,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -221,24 +227,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -246,7 +259,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c
index 617069432..165212a5e 100644
--- a/src/libcharon/plugins/stroke/stroke_config.c
+++ b/src/libcharon/plugins/stroke/stroke_config.c
@@ -15,6 +15,7 @@
 
 #include "stroke_config.h"
 
+#include <hydra.h>
 #include <daemon.h>
 #include <threading/mutex.h>
 #include <utils/lexparser.h>
@@ -199,8 +200,8 @@ static ike_cfg_t *build_ike_cfg(private_stroke_config_t *this, stroke_msg_t *msg
 	host = host_create_from_dns(msg->add_conn.other.address, 0, 0);
 	if (host)
 	{
-		interface = charon->kernel_interface->get_interface(
-												charon->kernel_interface, host);
+		interface = hydra->kernel_interface->get_interface(
+												hydra->kernel_interface, host);
 		host->destroy(host);
 		if (interface)
 		{
@@ -215,8 +216,8 @@ static ike_cfg_t *build_ike_cfg(private_stroke_config_t *this, stroke_msg_t *msg
 			host = host_create_from_dns(msg->add_conn.me.address, 0, 0);
 			if (host)
 			{
-				interface = charon->kernel_interface->get_interface(
-												charon->kernel_interface, host);
+				interface = hydra->kernel_interface->get_interface(
+												hydra->kernel_interface, host);
 				host->destroy(host);
 				if (!interface)
 				{
@@ -362,7 +363,16 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
 			}
 		}
 		else
-		{	/* no second authentication round, fine */
+		{	/* no second authentication round, fine. But load certificates
+			 * for other purposes (EAP-TLS) */
+			if (cert)
+			{
+				certificate = this->cred->load_peer(this->cred, cert);
+				if (certificate)
+				{
+					certificate->destroy(certificate);
+				}
+			}
 			return NULL;
 		}
 	}
@@ -502,6 +512,11 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
 			}
 			cfg->add(cfg, AUTH_RULE_EAP_IDENTITY, identity);
 		}
+		if (msg->add_conn.aaa_identity)
+		{
+			cfg->add(cfg, AUTH_RULE_AAA_IDENTITY,
+				identification_create_from_string(msg->add_conn.aaa_identity));
+		}
 	}
 	else
 	{
diff --git a/src/libcharon/plugins/stroke/stroke_control.c b/src/libcharon/plugins/stroke/stroke_control.c
index f64421551..e0398ba78 100644
--- a/src/libcharon/plugins/stroke/stroke_control.c
+++ b/src/libcharon/plugins/stroke/stroke_control.c
@@ -354,7 +354,7 @@ static void terminate_srcip(private_stroke_control_t *this,
 		}
 
 		/* schedule delete asynchronously */
-		charon->processor->queue_job(charon->processor, (job_t*)
+		lib->processor->queue_job(lib->processor, (job_t*)
 						delete_ike_sa_job_create(ike_sa->get_id(ike_sa), TRUE));
 	}
 	enumerator->destroy(enumerator);
diff --git a/src/libcharon/plugins/stroke/stroke_cred.c b/src/libcharon/plugins/stroke/stroke_cred.c
index 2816b9bb2..91e71f1f4 100644
--- a/src/libcharon/plugins/stroke/stroke_cred.c
+++ b/src/libcharon/plugins/stroke/stroke_cred.c
@@ -14,10 +14,15 @@
  * for more details.
  */
 
+#include <sys/types.h>
 #include <sys/stat.h>
 #include <limits.h>
 #include <glob.h>
 #include <libgen.h>
+#include <sys/mman.h>
+#include <fcntl.h>
+#include <errno.h>
+#include <unistd.h>
 
 #include "stroke_cred.h"
 #include "stroke_shared_key.h"
@@ -25,6 +30,8 @@
 #include <credentials/certificates/x509.h>
 #include <credentials/certificates/crl.h>
 #include <credentials/certificates/ac.h>
+#include <credentials/sets/mem_cred.h>
+#include <credentials/sets/callback_cred.h>
 #include <utils/linked_list.h>
 #include <utils/lexparser.h>
 #include <threading/rwlock.h>
@@ -88,7 +95,8 @@ struct private_stroke_cred_t {
 typedef struct {
 	private_stroke_cred_t *this;
 	identification_t *id;
-	certificate_type_t type;
+	certificate_type_t cert;
+	key_type_t key;
 } id_data_t;
 
 /**
@@ -109,15 +117,18 @@ static bool private_filter(id_data_t *data,
 	private_key_t *key;
 
 	key = *in;
-	if (data->id == NULL)
+	if (data->key == KEY_ANY || data->key == key->get_type(key))
 	{
-		*out = key;
-		return TRUE;
-	}
-	if (key->has_fingerprint(key, data->id->get_encoding(data->id)))
-	{
-		*out = key;
-		return TRUE;
+		if (data->id == NULL)
+		{
+			*out = key;
+			return TRUE;
+		}
+		if (key->has_fingerprint(key, data->id->get_encoding(data->id)))
+		{
+			*out = key;
+			return TRUE;
+		}
 	}
 	return FALSE;
 }
@@ -133,6 +144,7 @@ static enumerator_t* create_private_enumerator(private_stroke_cred_t *this,
 	data = malloc_thing(id_data_t);
 	data->this = this;
 	data->id = id;
+	data->key = type;
 
 	this->lock->read_lock(this->lock);
 	return enumerator_create_filter(this->private->create_enumerator(this->private),
@@ -148,7 +160,7 @@ static bool certs_filter(id_data_t *data, certificate_t **in, certificate_t **ou
 	public_key_t *public;
 	certificate_t *cert = *in;
 
-	if (data->type != CERT_ANY && data->type != cert->get_type(cert))
+	if (data->cert != CERT_ANY && data->cert != cert->get_type(cert))
 	{
 		return FALSE;
 	}
@@ -161,11 +173,14 @@ static bool certs_filter(id_data_t *data, certificate_t **in, certificate_t **ou
 	public = cert->get_public_key(cert);
 	if (public)
 	{
-		if (public->has_fingerprint(public, data->id->get_encoding(data->id)))
+		if (data->key == KEY_ANY || data->key != public->get_type(public))
 		{
-			public->destroy(public);
-			*out = *in;
-			return TRUE;
+			if (public->has_fingerprint(public, data->id->get_encoding(data->id)))
+			{
+				public->destroy(public);
+				*out = *in;
+				return TRUE;
+			}
 		}
 		public->destroy(public);
 	}
@@ -188,7 +203,8 @@ static enumerator_t* create_cert_enumerator(private_stroke_cred_t *this,
 	data = malloc_thing(id_data_t);
 	data->this = this;
 	data->id = id;
-	data->type = cert;
+	data->cert = cert;
+	data->key = key;
 
 	this->lock->read_lock(this->lock);
 	return enumerator_create_filter(this->certs->create_enumerator(this->certs),
@@ -667,47 +683,443 @@ static err_t extract_secret(chunk_t *secret, chunk_t *line)
 }
 
 /**
- * Data to pass to passphrase_cb
+ * Data for passphrase callback
  */
 typedef struct {
 	/** socket we use for prompting */
 	FILE *prompt;
 	/** private key file */
-	char *file;
-	/** buffer for passphrase */
-	char buf[256];
+	char *path;
+	/** number of tries */
+	int try;
 } passphrase_cb_data_t;
 
 /**
- * Passphrase callback to read from whack fd
+ * Callback function to receive Passphrases
  */
-chunk_t passphrase_cb(passphrase_cb_data_t *data, int try)
+static shared_key_t* passphrase_cb(passphrase_cb_data_t *data,
+								shared_key_type_t type,
+								identification_t *me, identification_t *other,
+								id_match_t *match_me, id_match_t *match_other)
 {
-	chunk_t secret = chunk_empty;;
+	chunk_t secret;
+	char buf[256];
 
-	if (try > 5)
+	if (type != SHARED_ANY && type != SHARED_PRIVATE_KEY_PASS)
 	{
-		fprintf(data->prompt, "invalid passphrase, too many trials\n");
-		return chunk_empty;
+		return NULL;
 	}
-	if (try == 1)
+
+	if (data->try > 1)
 	{
-		fprintf(data->prompt, "Private key '%s' is encrypted\n", data->file);
+		if (data->try > 5)
+		{
+			fprintf(data->prompt, "PIN invalid, giving up.\n");
+			return NULL;
+		}
+		fprintf(data->prompt, "PIN invalid!\n");
 	}
-	else
+	data->try++;
+	fprintf(data->prompt, "Private key '%s' is encrypted.\n", data->path);
+	fprintf(data->prompt, "Passphrase:\n");
+	if (fgets(buf, sizeof(buf), data->prompt))
 	{
-		fprintf(data->prompt, "invalid passphrase\n");
+		secret = chunk_create(buf, strlen(buf));
+		if (secret.len > 1)
+		{	/* trim appended \n */
+			secret.len--;
+			if (match_me)
+			{
+				*match_me = ID_MATCH_PERFECT;
+			}
+			if (match_other)
+			{
+				*match_other = ID_MATCH_NONE;
+			}
+			return shared_key_create(SHARED_PRIVATE_KEY_PASS, chunk_clone(secret));
+		}
 	}
-	fprintf(data->prompt, "Passphrase:\n");
-	if (fgets(data->buf, sizeof(data->buf), data->prompt))
+	return NULL;
+}
+
+/**
+ * Data for PIN callback
+ */
+typedef struct {
+	/** socket we use for prompting */
+	FILE *prompt;
+	/** card label */
+	char *card;
+	/** card keyid */
+	chunk_t keyid;
+	/** number of tries */
+	int try;
+} pin_cb_data_t;
+
+/**
+ * Callback function to receive PINs
+ */
+static shared_key_t* pin_cb(pin_cb_data_t *data, shared_key_type_t type,
+							identification_t *me, identification_t *other,
+							id_match_t *match_me, id_match_t *match_other)
+{
+	chunk_t secret;
+	char buf[256];
+
+	if (type != SHARED_ANY && type != SHARED_PIN)
+	{
+		return NULL;
+	}
+
+	if (!me || !chunk_equals(me->get_encoding(me), data->keyid))
+	{
+		return NULL;
+	}
+
+	if (data->try > 1)
+	{
+		fprintf(data->prompt, "PIN invalid, aborting.\n");
+		return NULL;
+	}
+	data->try++;
+	fprintf(data->prompt, "Login to '%s' required\n", data->card);
+	fprintf(data->prompt, "PIN:\n");
+	if (fgets(buf, sizeof(buf), data->prompt))
 	{
-		secret = chunk_create(data->buf, strlen(data->buf));
-		if (secret.len)
+		secret = chunk_create(buf, strlen(buf));
+		if (secret.len > 1)
 		{	/* trim appended \n */
 			secret.len--;
+			if (match_me)
+			{
+				*match_me = ID_MATCH_PERFECT;
+			}
+			if (match_other)
+			{
+				*match_other = ID_MATCH_NONE;
+			}
+			return shared_key_create(SHARED_PIN, chunk_clone(secret));
+		}
+	}
+	return NULL;
+}
+
+/**
+ * Load a smartcard with a PIN
+ */
+static bool load_pin(private_stroke_cred_t *this, chunk_t line, int line_nr,
+					 FILE *prompt)
+{
+	chunk_t sc = chunk_empty, secret = chunk_empty;
+	char smartcard[64], keyid[64], module[64], *pos;
+	private_key_t *key = NULL;
+	u_int slot;
+	chunk_t chunk;
+	shared_key_t *shared;
+	identification_t *id;
+	mem_cred_t *mem = NULL;
+	callback_cred_t *cb = NULL;
+	pin_cb_data_t pin_data;
+	enum {
+		SC_FORMAT_SLOT_MODULE_KEYID,
+		SC_FORMAT_SLOT_KEYID,
+		SC_FORMAT_KEYID,
+	} format;
+
+	err_t ugh = extract_value(&sc, &line);
+
+	if (ugh != NULL)
+	{
+		DBG1(DBG_CFG, "line %d: %s", line_nr, ugh);
+		return FALSE;
+	}
+	if (sc.len == 0)
+	{
+		DBG1(DBG_CFG, "line %d: expected %%smartcard specifier", line_nr);
+		return FALSE;
+	}
+	snprintf(smartcard, sizeof(smartcard), "%.*s", sc.len, sc.ptr);
+	smartcard[sizeof(smartcard) - 1] = '\0';
+
+	/* parse slot and key id. Three formats are supported:
+	 * - %smartcard<slot>@<module>:<keyid>
+	 * - %smartcard<slot>:<keyid>
+	 * - %smartcard:<keyid>
+	 */
+	if (sscanf(smartcard, "%%smartcard%u@%s", &slot, module) == 2)
+	{
+		pos = strchr(module, ':');
+		if (!pos)
+		{
+			DBG1(DBG_CFG, "line %d: the given %%smartcard specifier is "
+				 "invalid", line_nr);
+			return FALSE;
+		}
+		*pos = '\0';
+		strcpy(keyid, pos + 1);
+		format = SC_FORMAT_SLOT_MODULE_KEYID;
+	}
+	else if (sscanf(smartcard, "%%smartcard%u:%s", &slot, keyid) == 2)
+	{
+		format = SC_FORMAT_SLOT_KEYID;
+	}
+	else if (sscanf(smartcard, "%%smartcard:%s", keyid) == 1)
+	{
+		format = SC_FORMAT_KEYID;
+	}
+	else
+	{
+		DBG1(DBG_CFG, "line %d: the given %%smartcard specifier is not"
+				" supported or invalid", line_nr);
+		return FALSE;
+	}
+
+	if (!eat_whitespace(&line))
+	{
+		DBG1(DBG_CFG, "line %d: expected PIN", line_nr);
+		return FALSE;
+	}
+	ugh = extract_secret(&secret, &line);
+	if (ugh != NULL)
+	{
+		DBG1(DBG_CFG, "line %d: malformed PIN: %s", line_nr, ugh);
+		return FALSE;
+	}
+
+	chunk = chunk_from_hex(chunk_create(keyid, strlen(keyid)), NULL);
+	if (secret.len == 7 && strneq(secret.ptr, "%prompt", 7))
+	{
+		free(secret.ptr);
+		if (!prompt)
+		{	/* no IO channel to prompt, skip */
+			free(chunk.ptr);
+			return TRUE;
+		}
+		/* use callback credential set to prompt for the pin */
+		pin_data.prompt = prompt;
+		pin_data.card = smartcard;
+		pin_data.keyid = chunk;
+		pin_data.try = 1;
+		cb = callback_cred_create_shared((void*)pin_cb, &pin_data);
+		lib->credmgr->add_local_set(lib->credmgr, &cb->set);
+	}
+	else
+	{
+		/* provide our pin in a temporary credential set */
+		shared = shared_key_create(SHARED_PIN, secret);
+		id = identification_create_from_encoding(ID_KEY_ID, chunk);
+		mem = mem_cred_create();
+		mem->add_shared(mem, shared, id, NULL);
+		lib->credmgr->add_local_set(lib->credmgr, &mem->set);
+	}
+
+	/* unlock: smartcard needs the pin and potentially calls public set */
+	this->lock->unlock(this->lock);
+	switch (format)
+	{
+		case SC_FORMAT_SLOT_MODULE_KEYID:
+			key = lib->creds->create(lib->creds,
+							CRED_PRIVATE_KEY, KEY_ANY,
+							BUILD_PKCS11_SLOT, slot,
+							BUILD_PKCS11_MODULE, module,
+							BUILD_PKCS11_KEYID, chunk, BUILD_END);
+			break;
+		case SC_FORMAT_SLOT_KEYID:
+			key = lib->creds->create(lib->creds,
+							CRED_PRIVATE_KEY, KEY_ANY,
+							BUILD_PKCS11_SLOT, slot,
+							BUILD_PKCS11_KEYID, chunk, BUILD_END);
+			break;
+		case SC_FORMAT_KEYID:
+			key = lib->creds->create(lib->creds,
+							CRED_PRIVATE_KEY, KEY_ANY,
+							BUILD_PKCS11_KEYID, chunk, BUILD_END);
+			break;
+	}
+	this->lock->write_lock(this->lock);
+	if (mem)
+	{
+		lib->credmgr->remove_local_set(lib->credmgr, &mem->set);
+		mem->destroy(mem);
+	}
+	if (cb)
+	{
+		lib->credmgr->remove_local_set(lib->credmgr, &cb->set);
+		cb->destroy(cb);
+	}
+
+	if (key)
+	{
+		DBG1(DBG_CFG, "  loaded private key from %.*s", sc.len, sc.ptr);
+		this->private->insert_last(this->private, key);
+	}
+	return TRUE;
+}
+
+/**
+ * Load a private key
+ */
+static bool load_private(private_stroke_cred_t *this, chunk_t line, int line_nr,
+						 FILE *prompt, key_type_t key_type)
+{
+	char path[PATH_MAX];
+	chunk_t filename;
+	chunk_t secret = chunk_empty;
+	private_key_t *key;
+
+	err_t ugh = extract_value(&filename, &line);
+
+	if (ugh != NULL)
+	{
+		DBG1(DBG_CFG, "line %d: %s", line_nr, ugh);
+		return FALSE;
+	}
+	if (filename.len == 0)
+	{
+		DBG1(DBG_CFG, "line %d: empty filename", line_nr);
+		return FALSE;
+	}
+	if (*filename.ptr == '/')
+	{
+		/* absolute path name */
+		snprintf(path, sizeof(path), "%.*s", filename.len, filename.ptr);
+	}
+	else
+	{
+		/* relative path name */
+		snprintf(path, sizeof(path), "%s/%.*s", PRIVATE_KEY_DIR,
+				 filename.len, filename.ptr);
+	}
+
+	/* check for optional passphrase */
+	if (eat_whitespace(&line))
+	{
+		ugh = extract_secret(&secret, &line);
+		if (ugh != NULL)
+		{
+			DBG1(DBG_CFG, "line %d: malformed passphrase: %s", line_nr, ugh);
+			return FALSE;
+		}
+	}
+	if (secret.len == 7 && strneq(secret.ptr, "%prompt", 7))
+	{
+		callback_cred_t *cb = NULL;
+		passphrase_cb_data_t pp_data = {
+			.prompt = prompt,
+			.path = path,
+			.try = 1,
+		};
+
+		free(secret.ptr);
+		if (!prompt)
+		{
+			return TRUE;
+		}
+		/* use callback credential set to prompt for the passphrase */
+		pp_data.prompt = prompt;
+		pp_data.path = path;
+		pp_data.try = 1;
+		cb = callback_cred_create_shared((void*)passphrase_cb, &pp_data);
+		lib->credmgr->add_local_set(lib->credmgr, &cb->set);
+
+		/* unlock, as the builder might ask for a secret */
+		this->lock->unlock(this->lock);
+		key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, key_type,
+								 BUILD_FROM_FILE, path, BUILD_END);
+		this->lock->write_lock(this->lock);
+
+		lib->credmgr->remove_local_set(lib->credmgr, &cb->set);
+		cb->destroy(cb);
+	}
+	else
+	{
+		mem_cred_t *mem = NULL;
+		shared_key_t *shared;
+
+		/* provide our pin in a temporary credential set */
+		shared = shared_key_create(SHARED_PRIVATE_KEY_PASS, secret);
+		mem = mem_cred_create();
+		mem->add_shared(mem, shared, NULL);
+		lib->credmgr->add_local_set(lib->credmgr, &mem->set);
+
+		/* unlock, as the builder might ask for a secret */
+		this->lock->unlock(this->lock);
+		key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, key_type,
+								 BUILD_FROM_FILE, path, BUILD_END);
+		this->lock->write_lock(this->lock);
+
+		lib->credmgr->remove_local_set(lib->credmgr, &mem->set);
+		mem->destroy(mem);
+	}
+	if (key)
+	{
+		DBG1(DBG_CFG, "  loaded %N private key from '%s'",
+			 key_type_names, key->get_type(key), path);
+		this->private->insert_last(this->private, key);
+	}
+	else
+	{
+		DBG1(DBG_CFG, "  loading private key from '%s' failed", path);
+	}
+	return TRUE;
+}
+
+/**
+ * Load a shared key
+ */
+static bool load_shared(private_stroke_cred_t *this, chunk_t line, int line_nr,
+						shared_key_type_t type, chunk_t ids)
+{
+	stroke_shared_key_t *shared_key;
+	chunk_t secret = chunk_empty;
+	bool any = TRUE;
+
+	err_t ugh = extract_secret(&secret, &line);
+	if (ugh != NULL)
+	{
+		DBG1(DBG_CFG, "line %d: malformed secret: %s", line_nr, ugh);
+		return FALSE;
+	}
+	shared_key = stroke_shared_key_create(type, secret);
+	DBG1(DBG_CFG, "  loaded %N secret for %s", shared_key_type_names, type,
+		 ids.len > 0 ? (char*)ids.ptr : "%any");
+	DBG4(DBG_CFG, "  secret: %#B", &secret);
+
+	this->shared->insert_last(this->shared, shared_key);
+	while (ids.len > 0)
+	{
+		chunk_t id;
+		identification_t *peer_id;
+
+		ugh = extract_value(&id, &ids);
+		if (ugh != NULL)
+		{
+			DBG1(DBG_CFG, "line %d: %s", line_nr, ugh);
+			return FALSE;
+		}
+		if (id.len == 0)
+		{
+			continue;
+		}
+
+		/* NULL terminate the ID string */
+		*(id.ptr + id.len) = '\0';
+		peer_id = identification_create_from_string(id.ptr);
+		if (peer_id->get_type(peer_id) == ID_ANY)
+		{
+			peer_id->destroy(peer_id);
+			continue;
 		}
+
+		shared_key->add_owner(shared_key, peer_id);
+		any = FALSE;
+	}
+	if (any)
+	{
+		shared_key->add_owner(shared_key,
+					identification_create_from_encoding(ID_ANY, chunk_empty));
 	}
-	return secret;
+	return TRUE;
 }
 
 /**
@@ -716,30 +1128,36 @@ chunk_t passphrase_cb(passphrase_cb_data_t *data, int try)
 static void load_secrets(private_stroke_cred_t *this, char *file, int level,
 						 FILE *prompt)
 {
-	size_t bytes;
-	int line_nr = 0;
-	chunk_t chunk, src, line;
-	FILE *fd;
+	int line_nr = 0, fd;
+	chunk_t src, line;
 	private_key_t *private;
 	shared_key_t *shared;
+	struct stat sb;
+	void *addr;
 
 	DBG1(DBG_CFG, "loading secrets from '%s'", file);
-
-	fd = fopen(file, "r");
-	if (fd == NULL)
+	fd = open(file, O_RDONLY);
+	if (fd == -1)
 	{
-		DBG1(DBG_CFG, "opening secrets file '%s' failed", file);
+		DBG1(DBG_CFG, "opening secrets file '%s' failed: %s", file,
+			 strerror(errno));
 		return;
 	}
-
-	/* TODO: do error checks */
-	fseek(fd, 0, SEEK_END);
-	chunk.len = ftell(fd);
-	rewind(fd);
-	chunk.ptr = malloc(chunk.len);
-	bytes = fread(chunk.ptr, 1, chunk.len, fd);
-	fclose(fd);
-	src = chunk;
+	if (fstat(fd, &sb) == -1)
+	{
+		DBG1(DBG_LIB, "getting file size of '%s' failed: %s", file,
+			 strerror(errno));
+		close(fd);
+		return;
+	}
+	addr = mmap(NULL, sb.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
+	if (addr == MAP_FAILED)
+	{
+		DBG1(DBG_LIB, "mapping '%s' failed: %s", file, strerror(errno));
+		close(fd);
+		return;
+	}
+	src = chunk_create(addr, sb.st_size);
 
 	if (level == 0)
 	{
@@ -844,223 +1262,52 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level,
 		else
 		{
 			DBG1(DBG_CFG, "line %d: missing ' : ' separator", line_nr);
-			goto error;
+			break;
 		}
 
 		if (!eat_whitespace(&line) || !extract_token(&token, ' ', &line))
 		{
 			DBG1(DBG_CFG, "line %d: missing token", line_nr);
-			goto error;
+			break;
 		}
 		if (match("RSA", &token) || match("ECDSA", &token))
 		{
-			char path[PATH_MAX];
-			chunk_t filename;
-			chunk_t secret = chunk_empty;
-			private_key_t *key = NULL;
-			key_type_t key_type = match("RSA", &token) ? KEY_RSA : KEY_ECDSA;
-
-			err_t ugh = extract_value(&filename, &line);
-
-			if (ugh != NULL)
-			{
-				DBG1(DBG_CFG, "line %d: %s", line_nr, ugh);
-				goto error;
-			}
-			if (filename.len == 0)
-			{
-				DBG1(DBG_CFG, "line %d: empty filename", line_nr);
-				goto error;
-			}
-			if (*filename.ptr == '/')
-			{
-				/* absolute path name */
-				snprintf(path, sizeof(path), "%.*s", filename.len, filename.ptr);
-			}
-			else
-			{
-				/* relative path name */
-				snprintf(path, sizeof(path), "%s/%.*s", PRIVATE_KEY_DIR,
-						 filename.len, filename.ptr);
-			}
-
-			/* check for optional passphrase */
-			if (eat_whitespace(&line))
-			{
-				ugh = extract_secret(&secret, &line);
-				if (ugh != NULL)
-				{
-					DBG1(DBG_CFG, "line %d: malformed passphrase: %s", line_nr, ugh);
-					goto error;
-				}
-			}
-			if (secret.len == 7 && strneq(secret.ptr, "%prompt", 7))
-			{
-				if (prompt)
-				{
-					passphrase_cb_data_t data;
-
-					data.prompt = prompt;
-					data.file = path;
-					key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY,
-											 key_type, BUILD_FROM_FILE, path,
-											 BUILD_PASSPHRASE_CALLBACK,
-											 passphrase_cb, &data, BUILD_END);
-				}
-			}
-			else
-			{
-				key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, key_type,
-										 BUILD_FROM_FILE, path,
-										 BUILD_PASSPHRASE, secret, BUILD_END);
-			}
-			if (key)
+			if (!load_private(this, line, line_nr, prompt,
+							  match("RSA", &token) ? KEY_RSA : KEY_ECDSA))
 			{
-				DBG1(DBG_CFG, "  loaded %N private key from '%s'",
-					 key_type_names, key->get_type(key), path);
-				this->private->insert_last(this->private, key);
-			}
-			else
-			{
-				DBG1(DBG_CFG, "  loading private key from '%s' failed", path);
+				break;
 			}
-			chunk_clear(&secret);
 		}
 		else if (match("PIN", &token))
 		{
-			chunk_t sc = chunk_empty, secret = chunk_empty;
-			char smartcard[32], keyid[22], pin[32];
-			private_key_t *key;
-			u_int slot;
-
-			err_t ugh = extract_value(&sc, &line);
-
-			if (ugh != NULL)
-			{
-				DBG1(DBG_CFG, "line %d: %s", line_nr, ugh);
-				goto error;
-			}
-			if (sc.len == 0)
-			{
-				DBG1(DBG_CFG, "line %d: expected %%smartcard specifier", line_nr);
-				goto error;
-			}
-			snprintf(smartcard, sizeof(smartcard), "%.*s", sc.len, sc.ptr);
-			smartcard[sizeof(smartcard) - 1] = '\0';
-
-			/* parse slot and key id. only two formats are supported.
-			 * first try %smartcard<slot>:<keyid> */
-			if (sscanf(smartcard, "%%smartcard%u:%s", &slot, keyid) == 2)
-			{
-				snprintf(smartcard, sizeof(smartcard), "%u:%s", slot, keyid);
-			}
-			/* then try %smartcard:<keyid> */
-			else if (sscanf(smartcard, "%%smartcard:%s", keyid) == 1)
-			{
-				snprintf(smartcard, sizeof(smartcard), "%s", keyid);
-			}
-			else
-			{
-				DBG1(DBG_CFG, "line %d: the given %%smartcard specifier is not"
-						" supported or invalid", line_nr);
-				goto error;
-			}
-
-			if (!eat_whitespace(&line))
-			{
-				DBG1(DBG_CFG, "line %d: expected PIN", line_nr);
-				goto error;
-			}
-			ugh = extract_secret(&secret, &line);
-			if (ugh != NULL)
+			if (!load_pin(this, line, line_nr, prompt))
 			{
-				DBG1(DBG_CFG, "line %d: malformed PIN: %s", line_nr, ugh);
-				goto error;
-			}
-			snprintf(pin, sizeof(pin), "%.*s", secret.len, secret.ptr);
-			pin[sizeof(pin) - 1] = '\0';
-
-			/* we assume an RSA key */
-			key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
-									 BUILD_SMARTCARD_KEYID, smartcard,
-									 BUILD_SMARTCARD_PIN, pin, BUILD_END);
-
-			if (key)
-			{
-				DBG1(DBG_CFG, "  loaded private key from %.*s", sc.len, sc.ptr);
-				this->private->insert_last(this->private, key);
+				break;
 			}
-			memset(pin, 0, sizeof(pin));
-			chunk_clear(&secret);
 		}
 		else if ((match("PSK", &token) && (type = SHARED_IKE)) ||
 				 (match("EAP", &token) && (type = SHARED_EAP)) ||
 				 (match("NTLM", &token) && (type = SHARED_NT_HASH)) ||
 				 (match("XAUTH", &token) && (type = SHARED_EAP)))
 		{
-			stroke_shared_key_t *shared_key;
-			chunk_t secret = chunk_empty;
-			bool any = TRUE;
-
-			err_t ugh = extract_secret(&secret, &line);
-			if (ugh != NULL)
-			{
-				DBG1(DBG_CFG, "line %d: malformed secret: %s", line_nr, ugh);
-				goto error;
-			}
-			shared_key = stroke_shared_key_create(type, secret);
-			DBG1(DBG_CFG, "  loaded %N secret for %s", shared_key_type_names, type,
-				 ids.len > 0 ? (char*)ids.ptr : "%any");
-			DBG4(DBG_CFG, "  secret: %#B", &secret);
-
-			this->shared->insert_last(this->shared, shared_key);
-			while (ids.len > 0)
+			if (!load_shared(this, line, line_nr, type, ids))
 			{
-				chunk_t id;
-				identification_t *peer_id;
-
-				ugh = extract_value(&id, &ids);
-				if (ugh != NULL)
-				{
-					DBG1(DBG_CFG, "line %d: %s", line_nr, ugh);
-					goto error;
-				}
-				if (id.len == 0)
-				{
-					continue;
-				}
-
-				/* NULL terminate the ID string */
-				*(id.ptr + id.len) = '\0';
-				peer_id = identification_create_from_string(id.ptr);
-				if (peer_id->get_type(peer_id) == ID_ANY)
-				{
-					peer_id->destroy(peer_id);
-					continue;
-				}
-
-				shared_key->add_owner(shared_key, peer_id);
-				any = FALSE;
-			}
-			if (any)
-			{
-				shared_key->add_owner(shared_key,
-					identification_create_from_encoding(ID_ANY, chunk_empty));
+				break;
 			}
 		}
 		else
 		{
 			DBG1(DBG_CFG, "line %d: token must be either "
 				 "RSA, ECDSA, PSK, EAP, XAUTH or PIN", line_nr);
-			goto error;
+			break;
 		}
 	}
-error:
 	if (level == 0)
 	{
 		this->lock->unlock(this->lock);
 	}
-	chunk_clear(&chunk);
+	munmap(addr, sb.st_size);
+	close(fd);
 }
 
 /**
diff --git a/src/libcharon/plugins/stroke/stroke_list.c b/src/libcharon/plugins/stroke/stroke_list.c
index a6de35466..86deea490 100644
--- a/src/libcharon/plugins/stroke/stroke_list.c
+++ b/src/libcharon/plugins/stroke/stroke_list.c
@@ -21,6 +21,7 @@
 #include <malloc.h>
 #endif /* HAVE_MALLINFO */
 
+#include <hydra.h>
 #include <daemon.h>
 #include <utils/linked_list.h>
 #include <credentials/certificates/x509.h>
@@ -422,12 +423,12 @@ static void status(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out, bo
 		}
 #endif /* HAVE_MALLINFO */
 		fprintf(out, "  worker threads: %d idle of %d,",
-				charon->processor->get_idle_threads(charon->processor),
-				charon->processor->get_total_threads(charon->processor));
+				lib->processor->get_idle_threads(lib->processor),
+				lib->processor->get_total_threads(lib->processor));
 		fprintf(out, " job queue load: %d,",
-				charon->processor->get_job_load(charon->processor));
+				lib->processor->get_job_load(lib->processor));
 		fprintf(out, " scheduled events: %d\n",
-				charon->scheduler->get_job_load(charon->scheduler));
+				lib->scheduler->get_job_load(lib->scheduler));
 		fprintf(out, "  loaded plugins: ");
 		enumerator = lib->plugins->create_plugin_enumerator(lib->plugins);
 		while (enumerator->enumerate(enumerator, &plugin))
@@ -454,8 +455,8 @@ static void status(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out, bo
 		}
 		enumerator->destroy(enumerator);
 
-		enumerator = charon->kernel_interface->create_address_enumerator(
-								charon->kernel_interface, FALSE, FALSE);
+		enumerator = hydra->kernel_interface->create_address_enumerator(
+									hydra->kernel_interface, FALSE, FALSE);
 		fprintf(out, "Listening IP addresses:\n");
 		while (enumerator->enumerate(enumerator, (void**)&host))
 		{
@@ -638,7 +639,7 @@ static void list_public_key(public_key_t *public, FILE *out)
 
 	fprintf(out, "  pubkey:    %N %d bits%s\n",
 			key_type_names, public->get_type(public),
-			public->get_keysize(public) * 8,
+			public->get_keysize(public),
 			private ? ", has private key" : "");
 	if (public->get_fingerprint(public, KEYID_PUBKEY_INFO_SHA1, &keyid))
 	{
@@ -1026,9 +1027,10 @@ static void stroke_list_crls(linked_list_t *list, bool utc, FILE *out)
  */
 static void stroke_list_ocsp(linked_list_t* list, bool utc, FILE *out)
 {
-	bool first = TRUE;
+	bool first = TRUE, ok;
 	enumerator_t *enumerator = list->create_enumerator(list);
 	certificate_t *cert;
+	time_t produced, usable, now = time(NULL);
 
 	while (enumerator->enumerate(enumerator, (void**)&cert))
 	{
@@ -1039,8 +1041,20 @@ static void stroke_list_ocsp(linked_list_t* list, bool utc, FILE *out)
 			fprintf(out, "\n");
 			first = FALSE;
 		}
-
 		fprintf(out, "  signer:   \"%Y\"\n", cert->get_issuer(cert));
+
+		/* check validity */
+		ok = cert->get_validity(cert, &now, &produced, &usable);
+		fprintf(out, "  validity:  produced at %T\n", &produced, utc);
+		fprintf(out, "             usable till %T, ", &usable, utc);
+		if (ok)
+		{
+			fprintf(out, "ok\n");
+		}
+		else
+		{
+			fprintf(out, "expired (%V ago)\n", &now, &usable);
+		}
 	}
 	enumerator->destroy(enumerator);
 }
@@ -1073,6 +1087,13 @@ static void list_algs(FILE *out)
 		fprintf(out, "%N ", integrity_algorithm_names, integrity);
 	}
 	enumerator->destroy(enumerator);
+	fprintf(out, "\n  aead:       ");
+	enumerator = lib->crypto->create_aead_enumerator(lib->crypto);
+	while (enumerator->enumerate(enumerator, &encryption))
+	{
+		fprintf(out, "%N ", encryption_algorithm_names, encryption);
+	}
+	enumerator->destroy(enumerator);
 	fprintf(out, "\n  hasher:     ");
 	enumerator = lib->crypto->create_hasher_enumerator(lib->crypto);
 	while (enumerator->enumerate(enumerator, &hash))
@@ -1184,7 +1205,7 @@ static void pool_leases(private_stroke_list_t *this, FILE *out, char *pool,
 	bool on;
 	int found = 0;
 
-	fprintf(out, "Leases in pool '%s', usage: %lu/%lu, %lu online\n",
+	fprintf(out, "Leases in pool '%s', usage: %u/%u, %u online\n",
 			pool, online + offline, size, online);
 	enumerator = this->attribute->create_lease_enumerator(this->attribute, pool);
 	while (enumerator && enumerator->enumerate(enumerator, &id, &lease, &on))
diff --git a/src/libcharon/plugins/stroke/stroke_socket.c b/src/libcharon/plugins/stroke/stroke_socket.c
index 18afa5af4..0a5110fd3 100644
--- a/src/libcharon/plugins/stroke/stroke_socket.c
+++ b/src/libcharon/plugins/stroke/stroke_socket.c
@@ -24,10 +24,10 @@
 #include <unistd.h>
 #include <errno.h>
 
-#include <processing/jobs/callback_job.h>
 #include <hydra.h>
 #include <daemon.h>
 #include <threading/thread.h>
+#include <processing/jobs/callback_job.h>
 
 #include "stroke_config.h"
 #include "stroke_control.h"
@@ -180,11 +180,13 @@ static void stroke_add_conn(private_stroke_socket_t *this, stroke_msg_t *msg)
 	pop_end(msg, "left", &msg->add_conn.me);
 	pop_end(msg, "right", &msg->add_conn.other);
 	pop_string(msg, &msg->add_conn.eap_identity);
+	pop_string(msg, &msg->add_conn.aaa_identity);
 	pop_string(msg, &msg->add_conn.algorithms.ike);
 	pop_string(msg, &msg->add_conn.algorithms.esp);
 	pop_string(msg, &msg->add_conn.ikeme.mediated_by);
 	pop_string(msg, &msg->add_conn.ikeme.peerid);
 	DBG2(DBG_CFG, "  eap_identity=%s", msg->add_conn.eap_identity);
+	DBG2(DBG_CFG, "  aaa_identity=%s", msg->add_conn.aaa_identity);
 	DBG2(DBG_CFG, "  ike=%s", msg->add_conn.algorithms.ike);
 	DBG2(DBG_CFG, "  esp=%s", msg->add_conn.algorithms.esp);
 	DBG2(DBG_CFG, "  mediation=%s", msg->add_conn.ikeme.mediation ? "yes" : "no");
@@ -352,6 +354,37 @@ static void stroke_purge(private_stroke_socket_t *this,
 	}
 }
 
+/**
+ * Export in-memory credentials
+ */
+static void stroke_export(private_stroke_socket_t *this,
+						  stroke_msg_t *msg, FILE *out)
+{
+	pop_string(msg, &msg->export.selector);
+
+	if (msg->purge.flags & EXPORT_X509)
+	{
+		enumerator_t *enumerator;
+		identification_t *id;
+		certificate_t *cert;
+		chunk_t encoded;
+
+		id = identification_create_from_string(msg->export.selector);
+		enumerator = lib->credmgr->create_cert_enumerator(lib->credmgr,
+												CERT_X509, KEY_ANY, id, FALSE);
+		while (enumerator->enumerate(enumerator, &cert))
+		{
+			if (cert->get_encoding(cert, CERT_PEM, &encoded))
+			{
+				fprintf(out, "%.*s", encoded.len, encoded.ptr);
+				free(encoded.ptr);
+			}
+		}
+		enumerator->destroy(enumerator);
+		id->destroy(id);
+	}
+}
+
 /**
  * list pool leases
  */
@@ -364,21 +397,6 @@ static void stroke_leases(private_stroke_socket_t *this,
 	this->list->leases(this->list, msg, out);
 }
 
-debug_t get_group_from_name(char *type)
-{
-	if (strcaseeq(type, "any")) return DBG_ANY;
-	else if (strcaseeq(type, "mgr")) return DBG_MGR;
-	else if (strcaseeq(type, "ike")) return DBG_IKE;
-	else if (strcaseeq(type, "chd")) return DBG_CHD;
-	else if (strcaseeq(type, "job")) return DBG_JOB;
-	else if (strcaseeq(type, "cfg")) return DBG_CFG;
-	else if (strcaseeq(type, "knl")) return DBG_KNL;
-	else if (strcaseeq(type, "net")) return DBG_NET;
-	else if (strcaseeq(type, "enc")) return DBG_ENC;
-	else if (strcaseeq(type, "lib")) return DBG_LIB;
-	else return -1;
-}
-
 /**
  * set the verbosity debug output
  */
@@ -394,7 +412,7 @@ static void stroke_loglevel(private_stroke_socket_t *this,
 	DBG1(DBG_CFG, "received stroke: loglevel %d for %s",
 		 msg->loglevel.level, msg->loglevel.type);
 
-	group = get_group_from_name(msg->loglevel.type);
+	group = enum_from_name(debug_names, msg->loglevel.type);
 	if (group < 0)
 	{
 		fprintf(out, "invalid type (%s)!\n", msg->loglevel.type);
@@ -525,6 +543,9 @@ static job_requeue_t process(stroke_job_context_t *ctx)
 		case STR_PURGE:
 			stroke_purge(this, msg, out);
 			break;
+		case STR_EXPORT:
+			stroke_export(this, msg, out);
+			break;
 		case STR_LEASES:
 			stroke_leases(this, msg, out);
 			break;
@@ -565,7 +586,7 @@ static job_requeue_t receive(private_stroke_socket_t *this)
 	ctx->this = this;
 	job = callback_job_create((callback_job_cb_t)process,
 							  ctx, (void*)stroke_job_context_destroy, this->job);
-	charon->processor->queue_job(charon->processor, (job_t*)job);
+	lib->processor->queue_job(lib->processor, (job_t*)job);
 
 	return JOB_REQUEUE_FAIR;
 }
@@ -663,7 +684,7 @@ stroke_socket_t *stroke_socket_create()
 
 	this->job = callback_job_create((callback_job_cb_t)receive,
 									this, NULL, NULL);
-	charon->processor->queue_job(charon->processor, (job_t*)this->job);
+	lib->processor->queue_job(lib->processor, (job_t*)this->job);
 
 	return &this->public;
 }
diff --git a/src/libcharon/plugins/tnc_imc/Makefile.am b/src/libcharon/plugins/tnc_imc/Makefile.am
new file mode 100644
index 000000000..ca8869460
--- /dev/null
+++ b/src/libcharon/plugins/tnc_imc/Makefile.am
@@ -0,0 +1,19 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon `xml2-config --cflags`
+
+AM_CFLAGS = -rdynamic
+
+libstrongswan_tnc_imc_la_LIBADD = -ltnc
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-tnc-imc.la
+else
+plugin_LTLIBRARIES = libstrongswan-tnc-imc.la
+endif
+
+libstrongswan_tnc_imc_la_SOURCES = \
+	tnc_imc_plugin.h tnc_imc_plugin.c
+
+libstrongswan_tnc_imc_la_LDFLAGS = -module -avoid-version
+
diff --git a/src/libcharon/plugins/tnc_imc/Makefile.in b/src/libcharon/plugins/tnc_imc/Makefile.in
new file mode 100644
index 000000000..9a8794e93
--- /dev/null
+++ b/src/libcharon/plugins/tnc_imc/Makefile.in
@@ -0,0 +1,603 @@
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libcharon/plugins/tnc_imc
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_tnc_imc_la_DEPENDENCIES =
+am_libstrongswan_tnc_imc_la_OBJECTS = tnc_imc_plugin.lo
+libstrongswan_tnc_imc_la_OBJECTS =  \
+	$(am_libstrongswan_tnc_imc_la_OBJECTS)
+libstrongswan_tnc_imc_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_tnc_imc_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_tnc_imc_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_tnc_imc_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_tnc_imc_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_tnc_imc_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon `xml2-config --cflags`
+
+AM_CFLAGS = -rdynamic
+libstrongswan_tnc_imc_la_LIBADD = -ltnc
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-tnc-imc.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-tnc-imc.la
+libstrongswan_tnc_imc_la_SOURCES = \
+	tnc_imc_plugin.h tnc_imc_plugin.c
+
+libstrongswan_tnc_imc_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/tnc_imc/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libcharon/plugins/tnc_imc/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-tnc-imc.la: $(libstrongswan_tnc_imc_la_OBJECTS) $(libstrongswan_tnc_imc_la_DEPENDENCIES) 
+	$(libstrongswan_tnc_imc_la_LINK) $(am_libstrongswan_tnc_imc_la_rpath) $(libstrongswan_tnc_imc_la_OBJECTS) $(libstrongswan_tnc_imc_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnc_imc_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libcharon/plugins/tnc_imc/tnc_imc_plugin.c b/src/libcharon/plugins/tnc_imc/tnc_imc_plugin.c
new file mode 100644
index 000000000..0ce930ba3
--- /dev/null
+++ b/src/libcharon/plugins/tnc_imc/tnc_imc_plugin.c
@@ -0,0 +1,57 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "tnc_imc_plugin.h"
+
+#include <libtnctncc.h>
+
+#include <daemon.h>
+
+METHOD(plugin_t, destroy, void,
+	tnc_imc_plugin_t *this)
+{
+	libtnc_tncc_Terminate();
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *tnc_imc_plugin_create()
+{
+	char *tnc_config, *pref_lang;
+	tnc_imc_plugin_t *this;
+
+	INIT(this,
+		.plugin = {
+			.destroy = _destroy,
+		},
+	);
+
+	pref_lang = lib->settings->get_str(lib->settings,
+					"charon.plugins.tnc-imc.preferred_language", "en");
+	tnc_config = lib->settings->get_str(lib->settings,
+					"charon.plugins.tnc-imc.tnc_config", "/etc/tnc_config");
+
+	if (libtnc_tncc_Initialize(tnc_config) != TNC_RESULT_SUCCESS)
+	{
+		free(this);
+		DBG1(DBG_TNC, "TNC IMC initialization failed");
+		return NULL;
+	}
+
+	return &this->plugin;
+}
+
diff --git a/src/libcharon/plugins/tnc_imc/tnc_imc_plugin.h b/src/libcharon/plugins/tnc_imc/tnc_imc_plugin.h
new file mode 100644
index 000000000..8c5521cb2
--- /dev/null
+++ b/src/libcharon/plugins/tnc_imc/tnc_imc_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tnc_imc tnc_imc
+ * @ingroup cplugins
+ *
+ * @defgroup tnc_imc_plugin tnc_imc_plugin
+ * @{ @ingroup tnc_imc
+ */
+
+#ifndef TNC_IMC_PLUGIN_H_
+#define TNC_IMC_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct tnc_imc_plugin_t tnc_imc_plugin_t;
+
+/**
+ * TNC IMC plugin
+ */
+struct tnc_imc_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+#endif /** TNC_IMC_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/tnc_imv/Makefile.am b/src/libcharon/plugins/tnc_imv/Makefile.am
new file mode 100644
index 000000000..9c3b47364
--- /dev/null
+++ b/src/libcharon/plugins/tnc_imv/Makefile.am
@@ -0,0 +1,19 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon `xml2-config --cflags`
+
+AM_CFLAGS = -rdynamic
+
+libstrongswan_tnc_imv_la_LIBADD = -ltnc
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-tnc-imv.la
+else
+plugin_LTLIBRARIES = libstrongswan-tnc-imv.la
+endif
+
+libstrongswan_tnc_imv_la_SOURCES = \
+	tnc_imv_plugin.h tnc_imv_plugin.c
+
+libstrongswan_tnc_imv_la_LDFLAGS = -module -avoid-version
+
diff --git a/src/libcharon/plugins/tnc_imv/Makefile.in b/src/libcharon/plugins/tnc_imv/Makefile.in
new file mode 100644
index 000000000..f89b5e03b
--- /dev/null
+++ b/src/libcharon/plugins/tnc_imv/Makefile.in
@@ -0,0 +1,603 @@
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libcharon/plugins/tnc_imv
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_tnc_imv_la_DEPENDENCIES =
+am_libstrongswan_tnc_imv_la_OBJECTS = tnc_imv_plugin.lo
+libstrongswan_tnc_imv_la_OBJECTS =  \
+	$(am_libstrongswan_tnc_imv_la_OBJECTS)
+libstrongswan_tnc_imv_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_tnc_imv_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_tnc_imv_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_tnc_imv_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_tnc_imv_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_tnc_imv_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon `xml2-config --cflags`
+
+AM_CFLAGS = -rdynamic
+libstrongswan_tnc_imv_la_LIBADD = -ltnc
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-tnc-imv.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-tnc-imv.la
+libstrongswan_tnc_imv_la_SOURCES = \
+	tnc_imv_plugin.h tnc_imv_plugin.c
+
+libstrongswan_tnc_imv_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/tnc_imv/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libcharon/plugins/tnc_imv/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-tnc-imv.la: $(libstrongswan_tnc_imv_la_OBJECTS) $(libstrongswan_tnc_imv_la_DEPENDENCIES) 
+	$(libstrongswan_tnc_imv_la_LINK) $(am_libstrongswan_tnc_imv_la_rpath) $(libstrongswan_tnc_imv_la_OBJECTS) $(libstrongswan_tnc_imv_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnc_imv_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv_plugin.c b/src/libcharon/plugins/tnc_imv/tnc_imv_plugin.c
new file mode 100644
index 000000000..5b3d3892d
--- /dev/null
+++ b/src/libcharon/plugins/tnc_imv/tnc_imv_plugin.c
@@ -0,0 +1,54 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "tnc_imv_plugin.h"
+
+#include <libtnctncs.h>
+
+#include <daemon.h>
+
+METHOD(plugin_t, destroy, void,
+	tnc_imv_plugin_t *this)
+{
+	libtnc_tncs_Terminate();
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *tnc_imv_plugin_create()
+{
+	char *tnc_config;
+	tnc_imv_plugin_t *this;
+
+	INIT(this,
+		.plugin = {
+			.destroy = _destroy,
+		},
+	);
+
+	tnc_config = lib->settings->get_str(lib->settings,
+					"charon.plugins.tnc-imv.tnc_config", "/etc/tnc_config");
+	if (libtnc_tncs_Initialize(tnc_config) != TNC_RESULT_SUCCESS)
+	{
+		free(this);
+		DBG1(DBG_TNC, "TNC IMV initialization failed");
+		return NULL;
+	}
+
+	return &this->plugin;
+}
+
diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv_plugin.h b/src/libcharon/plugins/tnc_imv/tnc_imv_plugin.h
new file mode 100644
index 000000000..afeee2ea2
--- /dev/null
+++ b/src/libcharon/plugins/tnc_imv/tnc_imv_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tnc_imv tnc_imv
+ * @ingroup cplugins
+ *
+ * @defgroup tnc_imv_plugin tnc_imv_plugin
+ * @{ @ingroup tnc_imv
+ */
+
+#ifndef TNC_IMV_PLUGIN_H_
+#define TNC_IMV_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct tnc_imv_plugin_t tnc_imv_plugin_t;
+
+/**
+ * TNC IMV plugin
+ */
+struct tnc_imv_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+#endif /** TNC_IMV_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/tnccs_11/Makefile.am b/src/libcharon/plugins/tnccs_11/Makefile.am
new file mode 100644
index 000000000..7ccd0dfee
--- /dev/null
+++ b/src/libcharon/plugins/tnccs_11/Makefile.am
@@ -0,0 +1,21 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libtls \
+	`xml2-config --cflags`
+
+AM_CFLAGS = -rdynamic
+
+libstrongswan_tnccs_11_la_LIBADD = -ltnc
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-tnccs-11.la
+else
+plugin_LTLIBRARIES = libstrongswan-tnccs-11.la
+libstrongswan_tnccs_11_la_LIBADD += $(top_builddir)/src/libtls/libtls.la
+endif
+
+libstrongswan_tnccs_11_la_SOURCES = \
+	tnccs_11_plugin.h tnccs_11_plugin.c tnccs_11.h tnccs_11.c
+
+libstrongswan_tnccs_11_la_LDFLAGS = -module -avoid-version
+
diff --git a/src/libcharon/plugins/tnccs_11/Makefile.in b/src/libcharon/plugins/tnccs_11/Makefile.in
new file mode 100644
index 000000000..200ff7a0a
--- /dev/null
+++ b/src/libcharon/plugins/tnccs_11/Makefile.in
@@ -0,0 +1,607 @@
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+@MONOLITHIC_FALSE@am__append_1 = $(top_builddir)/src/libtls/libtls.la
+subdir = src/libcharon/plugins/tnccs_11
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_tnccs_11_la_DEPENDENCIES = $(am__append_1)
+am_libstrongswan_tnccs_11_la_OBJECTS = tnccs_11_plugin.lo tnccs_11.lo
+libstrongswan_tnccs_11_la_OBJECTS =  \
+	$(am_libstrongswan_tnccs_11_la_OBJECTS)
+libstrongswan_tnccs_11_la_LINK = $(LIBTOOL) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_tnccs_11_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_tnccs_11_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_tnccs_11_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_tnccs_11_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_tnccs_11_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libtls \
+	`xml2-config --cflags`
+
+AM_CFLAGS = -rdynamic
+libstrongswan_tnccs_11_la_LIBADD = -ltnc $(am__append_1)
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-tnccs-11.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-tnccs-11.la
+libstrongswan_tnccs_11_la_SOURCES = \
+	tnccs_11_plugin.h tnccs_11_plugin.c tnccs_11.h tnccs_11.c
+
+libstrongswan_tnccs_11_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/tnccs_11/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libcharon/plugins/tnccs_11/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-tnccs-11.la: $(libstrongswan_tnccs_11_la_OBJECTS) $(libstrongswan_tnccs_11_la_DEPENDENCIES) 
+	$(libstrongswan_tnccs_11_la_LINK) $(am_libstrongswan_tnccs_11_la_rpath) $(libstrongswan_tnccs_11_la_OBJECTS) $(libstrongswan_tnccs_11_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs_11.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs_11_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libcharon/plugins/tnccs_11/tnccs_11.c b/src/libcharon/plugins/tnccs_11/tnccs_11.c
new file mode 100644
index 000000000..704bf64ed
--- /dev/null
+++ b/src/libcharon/plugins/tnccs_11/tnccs_11.c
@@ -0,0 +1,328 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "tnccs_11.h"
+
+#include <libtnctncc.h>
+#include <libtnctncs.h>
+
+#include <daemon.h>
+#include <debug.h>
+
+#define TNC_SEND_BUFFER_SIZE	32
+
+static chunk_t tnc_send_buffer[TNC_SEND_BUFFER_SIZE];
+
+/**
+ * Buffers TNCCS batch to be sent (TODO make the buffer scalable)
+ */
+static TNC_Result buffer_batch(u_int32_t id, const char *data, size_t len)
+{
+	if (id >= TNC_SEND_BUFFER_SIZE)
+	{
+		DBG1(DBG_TNC, "TNCCS Batch for Connection ID %u cannot be stored in "
+					  "send buffer with size %d", id, TNC_SEND_BUFFER_SIZE);
+		return TNC_RESULT_FATAL;
+	}
+	if (tnc_send_buffer[id].ptr)
+	{
+		DBG1(DBG_TNC, "send buffer slot for Connection ID %u is already "
+					  "occupied", id);
+		return TNC_RESULT_FATAL;
+	}
+	tnc_send_buffer[id] = chunk_alloc(len);
+	memcpy(tnc_send_buffer[id].ptr, data, len);
+
+	return TNC_RESULT_SUCCESS;
+}
+
+/**
+ * Retrieves TNCCS batch to be sent
+ */
+static bool retrieve_batch(u_int32_t id, chunk_t *batch)
+{
+	if (id >= TNC_SEND_BUFFER_SIZE)
+	{
+		DBG1(DBG_TNC, "TNCCS Batch for Connection ID %u cannot be retrieved from "
+					  "send buffer with size %d", id, TNC_SEND_BUFFER_SIZE);
+		return FALSE;
+	}
+
+	*batch = tnc_send_buffer[id];
+	return TRUE;
+}
+
+/**
+ * Frees TNCCS batch that was sent
+ */
+static void free_batch(u_int32_t id)
+{
+	if (id < TNC_SEND_BUFFER_SIZE)
+	{
+		chunk_free(&tnc_send_buffer[id]);
+	}
+}
+
+/**
+ * Define callback functions called by the libtnc library
+ */
+TNC_Result TNC_TNCC_SendBatch(libtnc_tncc_connection* conn, 
+							  const char* messageBuffer, size_t messageLength)
+{
+	return buffer_batch(conn->connectionID, messageBuffer, messageLength);
+}
+
+TNC_Result TNC_TNCS_SendBatch(libtnc_tncs_connection* conn, 
+							  const char* messageBuffer, size_t messageLength)
+{
+	return buffer_batch(conn->connectionID, messageBuffer, messageLength);
+}
+
+typedef struct private_tnccs_11_t private_tnccs_11_t;
+
+/**
+ * Private data of a tnccs_11_t object.
+ */
+struct private_tnccs_11_t {
+
+	/**
+	 * Public tls_t interface.
+	 */
+	tls_t public;
+
+	/**
+	 * TNCC if TRUE, TNCS if FALSE
+	 */
+	bool is_server;
+
+	/**
+	 * TNCC Connection to IMCs
+	 */
+	libtnc_tncc_connection* tncc_connection;
+
+	/**
+	 * TNCS Connection to IMVs
+	 */
+	libtnc_tncs_connection* tncs_connection;
+};
+
+METHOD(tls_t, process, status_t,
+	private_tnccs_11_t *this, void *buf, size_t buflen)
+{
+	u_int32_t conn_id;
+
+	if (this->is_server && !this->tncs_connection)
+	{
+		this->tncs_connection = libtnc_tncs_CreateConnection(NULL);
+		if (!this->tncs_connection)
+		{
+			DBG1(DBG_TNC, "TNCS CreateConnection failed");
+			return FAILED;
+		}
+		DBG1(DBG_TNC, "assigned TNCS Connection ID %u",
+					   this->tncs_connection->connectionID);
+		if (libtnc_tncs_BeginSession(this->tncs_connection) != TNC_RESULT_SUCCESS)
+		{
+			DBG1(DBG_TNC, "TNCS BeginSession failed");
+			return FAILED;
+		}
+	}
+	conn_id = this->is_server ? this->tncs_connection->connectionID
+							  : this->tncc_connection->connectionID;
+
+	DBG1(DBG_TNC, "received TNCCS Batch (%u bytes) for Connection ID %u",
+				   buflen, conn_id);
+	DBG3(DBG_TNC, "%.*s", buflen, buf);
+
+	if (this->is_server)
+	{
+		if (libtnc_tncs_ReceiveBatch(this->tncs_connection, buf, buflen) !=
+			TNC_RESULT_SUCCESS)
+		{
+			DBG1(DBG_TNC, "TNCS ReceiveBatch failed");
+			return FAILED;
+		}
+	}
+	else
+	{
+		if (libtnc_tncc_ReceiveBatch(this->tncc_connection, buf, buflen) !=
+			TNC_RESULT_SUCCESS)
+		{
+			DBG1(DBG_TNC, "TNCC ReceiveBatch failed");
+			return FAILED;
+		}
+	}
+	return NEED_MORE;
+}
+
+METHOD(tls_t, build, status_t,
+	private_tnccs_11_t *this, void *buf, size_t *buflen, size_t *msglen)
+{
+	chunk_t batch;
+	u_int32_t conn_id;
+	size_t len;
+
+	if (!this->is_server && !this->tncc_connection)
+	{
+		this->tncc_connection = libtnc_tncc_CreateConnection(NULL);
+		if (!this->tncc_connection)
+		{
+			DBG1(DBG_TNC, "TNCC CreateConnection failed");
+			return FAILED;
+		}
+		DBG1(DBG_TNC, "assigned TNCC Connection ID %u",
+					   this->tncc_connection->connectionID);
+		if (libtnc_tncc_BeginSession(this->tncc_connection) != TNC_RESULT_SUCCESS)
+		{
+			DBG1(DBG_TNC, "TNCC BeginSession failed");
+			return FAILED;
+		}
+	}
+	conn_id = this->is_server ? this->tncs_connection->connectionID
+							  : this->tncc_connection->connectionID;
+	
+	if (!retrieve_batch(conn_id, &batch))
+	{
+		return FAILED;
+	}
+	len = *buflen;
+	len = min(len, batch.len);
+	*buflen = len;
+	if (msglen)
+	{
+		*msglen = batch.len;
+	}
+
+	if (batch.len)
+	{
+		DBG1(DBG_TNC, "sending TNCCS Batch (%d bytes) for Connection ID %u",
+					   batch.len, conn_id);
+		DBG3(DBG_TNC, "%.*s", batch.len, batch.ptr);
+		memcpy(buf, batch.ptr, len);
+		free_batch(conn_id);
+		return ALREADY_DONE;
+	}
+	else
+	{
+		return INVALID_STATE;
+	}
+}
+
+METHOD(tls_t, is_server, bool,
+	private_tnccs_11_t *this)
+{
+	return this->is_server;
+}
+
+METHOD(tls_t, get_purpose, tls_purpose_t,
+	private_tnccs_11_t *this)
+{
+	return TLS_PURPOSE_EAP_TNC;
+}
+
+METHOD(tls_t, is_complete, bool,
+	private_tnccs_11_t *this)
+{
+	TNC_IMV_Action_Recommendation rec;
+	TNC_IMV_Evaluation_Result eval;
+	char *group;
+	identification_t *id;
+	ike_sa_t *ike_sa;
+	auth_cfg_t *auth;
+	
+	if (libtnc_tncs_HaveRecommendation(this->tncs_connection, &rec, &eval) ==
+		TNC_RESULT_SUCCESS)
+	{
+		switch (rec)
+		{
+			case TNC_IMV_ACTION_RECOMMENDATION_ALLOW:
+				DBG1(DBG_TNC, "TNC recommendation is allow");
+				group = "allow";
+				break;				
+			case TNC_IMV_ACTION_RECOMMENDATION_ISOLATE:
+				DBG1(DBG_TNC, "TNC recommendation is isolate");
+				group = "isolate";
+				break;
+			case TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS:
+			case TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION:
+			default:
+				DBG1(DBG_TNC, "TNC recommendation is none");
+				return FALSE;
+		}
+		ike_sa = charon->bus->get_sa(charon->bus);
+		if (ike_sa)
+		{
+			auth = ike_sa->get_auth_cfg(ike_sa, FALSE);
+			id = identification_create_from_string(group);
+			auth->add(auth, AUTH_RULE_GROUP, id);
+			DBG1(DBG_TNC, "added group membership '%s' based on TNC recommendation", group);
+		}
+		return TRUE;
+	}
+	else
+	{
+		return FALSE;
+	}
+}
+
+METHOD(tls_t, get_eap_msk, chunk_t,
+	private_tnccs_11_t *this)
+{
+	return chunk_empty;
+}
+
+METHOD(tls_t, destroy, void,
+	private_tnccs_11_t *this)
+{
+	if (this->is_server)
+	{
+		if (this->tncs_connection)
+		{
+			libtnc_tncs_DeleteConnection(this->tncs_connection);
+		}
+	}
+	else
+	{
+		if (this->tncc_connection)
+		{
+			libtnc_tncc_DeleteConnection(this->tncc_connection);
+		}
+		libtnc_tncc_Terminate();
+	}
+	free(this);
+}
+
+/**
+ * See header
+ */
+tls_t *tnccs_11_create(bool is_server)
+{
+	private_tnccs_11_t *this;
+
+	INIT(this,
+		.public = {
+			.process = _process,
+			.build = _build,
+			.is_server = _is_server,
+			.get_purpose = _get_purpose,
+			.is_complete = _is_complete,
+			.get_eap_msk = _get_eap_msk,
+			.destroy = _destroy,
+		},
+		.is_server = is_server,
+	);
+
+	return &this->public;
+}
diff --git a/src/libcharon/plugins/tnccs_11/tnccs_11.h b/src/libcharon/plugins/tnccs_11/tnccs_11.h
new file mode 100644
index 000000000..7331fc8cd
--- /dev/null
+++ b/src/libcharon/plugins/tnccs_11/tnccs_11.h
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tnccs_11_h tnccs_11
+ * @{ @ingroup tnccs_11
+ */
+
+#ifndef TNCCS_11_H_
+#define TNCCS_11_H_
+
+#include <library.h>
+
+#include <tls.h>
+
+/**
+ * Create an instance of the TNC IF-TNCCS 1.1 protocol handler.
+ *
+ * @param is_server			TRUE to act as TNC Server, FALSE for TNC Client
+ * @return					TNC_IF_TNCCS 1.1 protocol stack
+ */
+tls_t *tnccs_11_create(bool is_server);
+
+#endif /** TNCCS_11_H_ @}*/
diff --git a/src/libcharon/plugins/tnccs_11/tnccs_11_plugin.c b/src/libcharon/plugins/tnccs_11/tnccs_11_plugin.c
new file mode 100644
index 000000000..03905ca37
--- /dev/null
+++ b/src/libcharon/plugins/tnccs_11/tnccs_11_plugin.c
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "tnccs_11_plugin.h"
+#include "tnccs_11.h"
+
+#include <daemon.h>
+
+METHOD(plugin_t, destroy, void,
+	tnccs_11_plugin_t *this)
+{
+	charon->tnccs->remove_method(charon->tnccs,
+								(tnccs_constructor_t)tnccs_11_create);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *tnccs_11_plugin_create()
+{
+	tnccs_11_plugin_t *this;
+
+	INIT(this,
+		.plugin = {
+			.destroy = _destroy,
+		},
+	);
+
+	charon->tnccs->add_method(charon->tnccs, TNCCS_1_1, 
+							 (tnccs_constructor_t)tnccs_11_create);
+
+	return &this->plugin;
+}
+
diff --git a/src/libcharon/plugins/tnccs_11/tnccs_11_plugin.h b/src/libcharon/plugins/tnccs_11/tnccs_11_plugin.h
new file mode 100644
index 000000000..619a073ad
--- /dev/null
+++ b/src/libcharon/plugins/tnccs_11/tnccs_11_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tnccs_11 tnccs_11
+ * @ingroup cplugins
+ *
+ * @defgroup tnccs_11_plugin tnccs_11_plugin
+ * @{ @ingroup tnccs_11
+ */
+
+#ifndef TNCCS_11_PLUGIN_H_
+#define TNCCS_11_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct tnccs_11_plugin_t tnccs_11_plugin_t;
+
+/**
+ * EAP-TNC plugin
+ */
+struct tnccs_11_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+#endif /** TNCCS_11_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/tnccs_20/Makefile.am b/src/libcharon/plugins/tnccs_20/Makefile.am
new file mode 100644
index 000000000..3018121e3
--- /dev/null
+++ b/src/libcharon/plugins/tnccs_20/Makefile.am
@@ -0,0 +1,21 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libtls \
+	`xml2-config --cflags`
+
+AM_CFLAGS = -rdynamic
+
+libstrongswan_tnccs_20_la_LIBADD = -ltnc
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-tnccs-20.la
+else
+plugin_LTLIBRARIES = libstrongswan-tnccs-20.la
+libstrongswan_tnccs_20_la_LIBADD += $(top_builddir)/src/libtls/libtls.la
+endif
+
+libstrongswan_tnccs_20_la_SOURCES = \
+	tnccs_20_plugin.h tnccs_20_plugin.c tnccs_20.h tnccs_20.c
+
+libstrongswan_tnccs_20_la_LDFLAGS = -module -avoid-version
+
diff --git a/src/libcharon/plugins/tnccs_20/Makefile.in b/src/libcharon/plugins/tnccs_20/Makefile.in
new file mode 100644
index 000000000..6101f91df
--- /dev/null
+++ b/src/libcharon/plugins/tnccs_20/Makefile.in
@@ -0,0 +1,607 @@
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+@MONOLITHIC_FALSE@am__append_1 = $(top_builddir)/src/libtls/libtls.la
+subdir = src/libcharon/plugins/tnccs_20
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_tnccs_20_la_DEPENDENCIES = $(am__append_1)
+am_libstrongswan_tnccs_20_la_OBJECTS = tnccs_20_plugin.lo tnccs_20.lo
+libstrongswan_tnccs_20_la_OBJECTS =  \
+	$(am_libstrongswan_tnccs_20_la_OBJECTS)
+libstrongswan_tnccs_20_la_LINK = $(LIBTOOL) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_tnccs_20_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_tnccs_20_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_tnccs_20_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_tnccs_20_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_tnccs_20_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libtls \
+	`xml2-config --cflags`
+
+AM_CFLAGS = -rdynamic
+libstrongswan_tnccs_20_la_LIBADD = -ltnc $(am__append_1)
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-tnccs-20.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-tnccs-20.la
+libstrongswan_tnccs_20_la_SOURCES = \
+	tnccs_20_plugin.h tnccs_20_plugin.c tnccs_20.h tnccs_20.c
+
+libstrongswan_tnccs_20_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/tnccs_20/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libcharon/plugins/tnccs_20/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-tnccs-20.la: $(libstrongswan_tnccs_20_la_OBJECTS) $(libstrongswan_tnccs_20_la_DEPENDENCIES) 
+	$(libstrongswan_tnccs_20_la_LINK) $(am_libstrongswan_tnccs_20_la_rpath) $(libstrongswan_tnccs_20_la_OBJECTS) $(libstrongswan_tnccs_20_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs_20.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs_20_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libcharon/plugins/tnccs_20/tnccs_20.c b/src/libcharon/plugins/tnccs_20/tnccs_20.c
new file mode 100644
index 000000000..2bd1bc476
--- /dev/null
+++ b/src/libcharon/plugins/tnccs_20/tnccs_20.c
@@ -0,0 +1,103 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "tnccs_20.h"
+
+#include <debug.h>
+
+static chunk_t tncc_output;
+
+typedef struct private_tnccs_20_t private_tnccs_20_t;
+
+/**
+ * Private data of a tnccs_20_t object.
+ */
+struct private_tnccs_20_t {
+
+	/**
+	 * Public tls_t interface.
+	 */
+	tls_t public;
+
+	/**
+	 * TNCC if TRUE, TNCS if FALSE
+	 */
+	bool is_server;
+};
+
+METHOD(tls_t, process, status_t,
+	private_tnccs_20_t *this, void *buf, size_t buflen)
+{
+	return NEED_MORE;
+}
+
+METHOD(tls_t, build, status_t,
+	private_tnccs_20_t *this, void *buf, size_t *buflen, size_t *msglen)
+{
+	return ALREADY_DONE;
+}
+
+METHOD(tls_t, is_server, bool,
+	private_tnccs_20_t *this)
+{
+	return this->is_server;
+}
+
+METHOD(tls_t, get_purpose, tls_purpose_t,
+	private_tnccs_20_t *this)
+{
+	return TLS_PURPOSE_EAP_TNC;
+}
+
+METHOD(tls_t, is_complete, bool,
+	private_tnccs_20_t *this)
+{
+	return FALSE;
+}
+
+METHOD(tls_t, get_eap_msk, chunk_t,
+	private_tnccs_20_t *this)
+{
+	return chunk_empty;
+}
+
+METHOD(tls_t, destroy, void,
+	private_tnccs_20_t *this)
+{
+	free(this);
+}
+
+/**
+ * See header
+ */
+tls_t *tnccs_20_create(bool is_server)
+{
+	private_tnccs_20_t *this;
+
+	INIT(this,
+		.public = {
+			.process = _process,
+			.build = _build,
+			.is_server = _is_server,
+			.get_purpose = _get_purpose,
+			.is_complete = _is_complete,
+			.get_eap_msk = _get_eap_msk,
+			.destroy = _destroy,
+		},
+		.is_server = is_server,
+	);
+
+	return &this->public;
+}
diff --git a/src/libcharon/plugins/tnccs_20/tnccs_20.h b/src/libcharon/plugins/tnccs_20/tnccs_20.h
new file mode 100644
index 000000000..400d1dc12
--- /dev/null
+++ b/src/libcharon/plugins/tnccs_20/tnccs_20.h
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tnccs_20_h tnccs_20
+ * @{ @ingroup tnccs_20
+ */
+
+#ifndef TNCCS_20_H_
+#define TNCCS_20_H_
+
+#include <library.h>
+
+#include <tls.h>
+
+/**
+ * Create an instance of the TNC IF-TNCCS 2.0 protocol handler.
+ *
+ * @param is_server			TRUE to act as TNC Server, FALSE for TNC Client
+ * @return					TNC_IF_TNCCS 2.0 protocol stack
+ */
+tls_t *tnccs_20_create(bool is_server);
+
+#endif /** TNCCS_20_H_ @}*/
diff --git a/src/libcharon/plugins/tnccs_20/tnccs_20_plugin.c b/src/libcharon/plugins/tnccs_20/tnccs_20_plugin.c
new file mode 100644
index 000000000..82c78f74c
--- /dev/null
+++ b/src/libcharon/plugins/tnccs_20/tnccs_20_plugin.c
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "tnccs_20_plugin.h"
+#include "tnccs_20.h"
+
+#include <daemon.h>
+
+METHOD(plugin_t, destroy, void,
+	tnccs_20_plugin_t *this)
+{
+	charon->tnccs->remove_method(charon->tnccs,
+								(tnccs_constructor_t)tnccs_20_create);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *tnccs_20_plugin_create()
+{
+	tnccs_20_plugin_t *this;
+
+	INIT(this,
+		.plugin = {
+			.destroy = _destroy,
+		},
+	);
+
+	charon->tnccs->add_method(charon->tnccs, TNCCS_2_0, 
+							 (tnccs_constructor_t)tnccs_20_create);
+
+	return &this->plugin;
+}
+
diff --git a/src/libcharon/plugins/tnccs_20/tnccs_20_plugin.h b/src/libcharon/plugins/tnccs_20/tnccs_20_plugin.h
new file mode 100644
index 000000000..1c4ecf4c9
--- /dev/null
+++ b/src/libcharon/plugins/tnccs_20/tnccs_20_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tnccs_20 tnccs_20
+ * @ingroup cplugins
+ *
+ * @defgroup tnccs_20_plugin tnccs_20_plugin
+ * @{ @ingroup tnccs_20
+ */
+
+#ifndef TNCCS_20_PLUGIN_H_
+#define TNCCS_20_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct tnccs_20_plugin_t tnccs_20_plugin_t;
+
+/**
+ * EAP-TNC plugin
+ */
+struct tnccs_20_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+#endif /** TNCCS_20_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/uci/Makefile.in b/src/libcharon/plugins/uci/Makefile.in
index 934ab6080..9cb5f794a 100644
--- a/src/libcharon/plugins/uci/Makefile.in
+++ b/src/libcharon/plugins/uci/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -165,6 +166,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -196,14 +199,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -218,24 +224,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -243,7 +256,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libcharon/plugins/uci/uci_control.c b/src/libcharon/plugins/uci/uci_control.c
index 3c4928be4..aee2505e3 100644
--- a/src/libcharon/plugins/uci/uci_control.c
+++ b/src/libcharon/plugins/uci/uci_control.c
@@ -294,7 +294,7 @@ uci_control_t *uci_control_create()
 	{
 		this->job = callback_job_create((callback_job_cb_t)receive,
 										this, NULL, NULL);
-		charon->processor->queue_job(charon->processor, (job_t*)this->job);
+		lib->processor->queue_job(lib->processor, (job_t*)this->job);
 	}
 	return &this->public;
 }
diff --git a/src/libcharon/plugins/unit_tester/Makefile.in b/src/libcharon/plugins/unit_tester/Makefile.in
index 47850c1c5..47fff7e1d 100644
--- a/src/libcharon/plugins/unit_tester/Makefile.in
+++ b/src/libcharon/plugins/unit_tester/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -171,6 +172,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -202,14 +205,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -224,24 +230,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -249,7 +262,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libcharon/plugins/unit_tester/tests/test_cert.c b/src/libcharon/plugins/unit_tester/tests/test_cert.c
index 3b00421f8..342194a4c 100644
--- a/src/libcharon/plugins/unit_tester/tests/test_cert.c
+++ b/src/libcharon/plugins/unit_tester/tests/test_cert.c
@@ -51,7 +51,7 @@ bool test_cert_x509()
 		return FALSE;
 	}
 
-	encoding = ca_cert->get_encoding(ca_cert);
+	ca_cert->get_encoding(ca_cert, CERT_ASN1_DER, &encoding);
 	parsed = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
 						BUILD_BLOB_ASN1_DER, encoding,
 						BUILD_END);
@@ -81,7 +81,7 @@ bool test_cert_x509()
 		return FALSE;
 	}
 
-	encoding = peer_cert->get_encoding(peer_cert);
+	peer_cert->get_encoding(peer_cert, CERT_ASN1_DER, &encoding);
 	parsed = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
 						BUILD_BLOB_ASN1_DER, encoding,
 						BUILD_END);
diff --git a/src/libcharon/plugins/unit_tester/tests/test_rsa_gen.c b/src/libcharon/plugins/unit_tester/tests/test_rsa_gen.c
index 59da15644..6ba5769b5 100644
--- a/src/libcharon/plugins/unit_tester/tests/test_rsa_gen.c
+++ b/src/libcharon/plugins/unit_tester/tests/test_rsa_gen.c
@@ -59,12 +59,12 @@ bool test_rsa_gen()
 			return FALSE;
 		}
 		free(sig.ptr);
-		if (!public->encrypt(public, data, &crypt))
+		if (!public->encrypt(public, ENCRYPT_RSA_PKCS1, data, &crypt))
 		{
 			DBG1(DBG_CFG, "encrypting data with RSA failed");
 			return FALSE;
 		}
-		if (!private->decrypt(private, crypt, &plain))
+		if (!private->decrypt(private, ENCRYPT_RSA_PKCS1, crypt, &plain))
 		{
 			DBG1(DBG_CFG, "decrypting data with RSA failed");
 			return FALSE;
@@ -110,7 +110,7 @@ bool test_rsa_load_any()
 	public = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ANY,
 								BUILD_BLOB_ASN1_DER, chunk,
 								BUILD_END);
-	if (!public || public->get_keysize(public) != 256)
+	if (!public || public->get_keysize(public) != 2048)
 	{
 		return FALSE;
 	}
diff --git a/src/libcharon/plugins/updown/Makefile.in b/src/libcharon/plugins/updown/Makefile.in
index ce233ad04..e93955d71 100644
--- a/src/libcharon/plugins/updown/Makefile.in
+++ b/src/libcharon/plugins/updown/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -167,6 +168,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -198,14 +201,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -220,24 +226,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -245,7 +258,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libcharon/plugins/updown/updown_listener.c b/src/libcharon/plugins/updown/updown_listener.c
index ea4a792c2..8e58b1a9b 100644
--- a/src/libcharon/plugins/updown/updown_listener.c
+++ b/src/libcharon/plugins/updown/updown_listener.c
@@ -18,6 +18,7 @@
 
 #include "updown_listener.h"
 
+#include <hydra.h>
 #include <daemon.h>
 #include <config/child_cfg.h>
 
@@ -218,8 +219,8 @@ METHOD(listener_t, child_updown, bool,
 
 		if (up)
 		{
-			iface = charon->kernel_interface->get_interface(
-												charon->kernel_interface, me);
+			iface = hydra->kernel_interface->get_interface(
+												hydra->kernel_interface, me);
 			if (iface)
 			{
 				cache_iface(this, child_sa->get_reqid(child_sa), iface);
diff --git a/src/libcharon/processing/jobs/acquire_job.h b/src/libcharon/processing/jobs/acquire_job.h
index eff79a9b0..2b5bf4805 100644
--- a/src/libcharon/processing/jobs/acquire_job.h
+++ b/src/libcharon/processing/jobs/acquire_job.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup acquire_job acquire_job
- * @{ @ingroup jobs
+ * @{ @ingroup cjobs
  */
 
 #ifndef ACQUIRE_JOB_H_
diff --git a/src/libcharon/processing/jobs/callback_job.c b/src/libcharon/processing/jobs/callback_job.c
deleted file mode 100644
index 45e49112e..000000000
--- a/src/libcharon/processing/jobs/callback_job.c
+++ /dev/null
@@ -1,271 +0,0 @@
-/*
- * Copyright (C) 2009 Tobias Brunner
- * Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "callback_job.h"
-
-#include <semaphore.h>
-
-#include <daemon.h>
-#include <threading/thread.h>
-#include <threading/condvar.h>
-#include <threading/mutex.h>
-
-typedef struct private_callback_job_t private_callback_job_t;
-
-/**
- * Private data of an callback_job_t Object.
- */
-struct private_callback_job_t {
-	/**
-	 * Public callback_job_t interface.
-	 */
-	callback_job_t public;
-
-	/**
-	 * Callback to call on execution
-	 */
-	callback_job_cb_t callback;
-
-	/**
-	 * parameter to supply to callback
-	 */
-	void *data;
-
-	/**
-	 * cleanup function for data
-	 */
-	callback_job_cleanup_t cleanup;
-
-	/**
-	 * thread of the job, if running
-	 */
-	thread_t *thread;
-
-	/**
-	 * mutex to access jobs interna
-	 */
-	mutex_t *mutex;
-
-	/**
-	 * list of asociated child jobs
-	 */
-	linked_list_t *children;
-
-	/**
-	 * parent of this job, or NULL
-	 */
-	private_callback_job_t *parent;
-
-	/**
-	 * TRUE if the job got cancelled
-	 */
-	bool cancelled;
-
-	/**
-	 * condvar to synchronize the cancellation/destruction of the job
-	 */
-	condvar_t *destroyable;
-
-	/**
-	 * semaphore to synchronize the termination of the assigned thread.
-	 *
-	 * separately allocated during cancellation, so that we can wait on it
-	 * without risking that it gets freed too early during destruction.
-	 */
-	sem_t *terminated;
-};
-
-/**
- * unregister a child from its parent, if any.
- * note: this->mutex has to be locked
- */
-static void unregister(private_callback_job_t *this)
-{
-	if (this->parent)
-	{
-		this->parent->mutex->lock(this->parent->mutex);
-		if (this->parent->cancelled && !this->cancelled)
-		{
-			/* if the parent has been cancelled but we have not yet, we do not
-			 * unregister until we got cancelled by the parent. */
-			this->parent->mutex->unlock(this->parent->mutex);
-			this->destroyable->wait(this->destroyable, this->mutex);
-			this->parent->mutex->lock(this->parent->mutex);
-		}
-		this->parent->children->remove(this->parent->children, this, NULL);
-		this->parent->mutex->unlock(this->parent->mutex);
-		this->parent = NULL;
-	}
-}
-
-/**
- * Implements job_t.destroy.
- */
-static void destroy(private_callback_job_t *this)
-{
-	this->mutex->lock(this->mutex);
-	unregister(this);
-	if (this->cleanup)
-	{
-		this->cleanup(this->data);
-	}
-	if (this->terminated)
-	{
-		sem_post(this->terminated);
-	}
-	this->children->destroy(this->children);
-	this->destroyable->destroy(this->destroyable);
-	this->mutex->unlock(this->mutex);
-	this->mutex->destroy(this->mutex);
-	free(this);
-}
-
-/**
- * Implementation of callback_job_t.cancel.
- */
-static void cancel(private_callback_job_t *this)
-{
-	callback_job_t *child;
-	sem_t *terminated = NULL;
-
-	this->mutex->lock(this->mutex);
-	this->cancelled = TRUE;
-	/* terminate children */
-	while (this->children->get_first(this->children, (void**)&child) == SUCCESS)
-	{
-		this->mutex->unlock(this->mutex);
-		child->cancel(child);
-		this->mutex->lock(this->mutex);
-	}
-	if (this->thread)
-	{
-		/* terminate the thread, if there is currently one executing the job.
-		 * we wait for its termination using a semaphore */
-		this->thread->cancel(this->thread);
-		terminated = this->terminated = malloc_thing(sem_t);
-		sem_init(terminated, 0, 0);
-	}
-	else
-	{
-		/* if the job is currently queued, it gets terminated later.
-		 * we can't wait, because it might not get executed at all.
-		 * we also unregister the queued job manually from its parent (the
-		 * others get unregistered during destruction) */
-		unregister(this);
-	}
-	this->destroyable->signal(this->destroyable);
-	this->mutex->unlock(this->mutex);
-
-	if (terminated)
-	{
-		sem_wait(terminated);
-		sem_destroy(terminated);
-		free(terminated);
-	}
-}
-
-/**
- * Implementation of job_t.execute.
- */
-static void execute(private_callback_job_t *this)
-{
-	bool cleanup = FALSE, requeue = FALSE;
-
-	thread_cleanup_push((thread_cleanup_t)destroy, this);
-
-	this->mutex->lock(this->mutex);
-	this->thread = thread_current();
-	this->mutex->unlock(this->mutex);
-
-	while (TRUE)
-	{
-		this->mutex->lock(this->mutex);
-		if (this->cancelled)
-		{
-			this->mutex->unlock(this->mutex);
-			cleanup = TRUE;
-			break;
-		}
-		this->mutex->unlock(this->mutex);
-		switch (this->callback(this->data))
-		{
-			case JOB_REQUEUE_DIRECT:
-				continue;
-			case JOB_REQUEUE_FAIR:
-			{
-				requeue = TRUE;
-				break;
-			}
-			case JOB_REQUEUE_NONE:
-			default:
-			{
-				cleanup = TRUE;
-				break;
-			}
-		}
-		break;
-	}
-	this->mutex->lock(this->mutex);
-	this->thread = NULL;
-	this->mutex->unlock(this->mutex);
-	/* manually create a cancellation point to avoid that a cancelled thread
-	 * goes back into the thread pool */
-	thread_cancellation_point();
-	if (requeue)
-	{
-		charon->processor->queue_job(charon->processor,
-									 &this->public.job_interface);
-	}
-	thread_cleanup_pop(cleanup);
-}
-
-/*
- * Described in header.
- */
-callback_job_t *callback_job_create(callback_job_cb_t cb, void *data,
-									callback_job_cleanup_t cleanup,
-									callback_job_t *parent)
-{
-	private_callback_job_t *this = malloc_thing(private_callback_job_t);
-
-	/* interface functions */
-	this->public.job_interface.execute = (void (*) (job_t *)) execute;
-	this->public.job_interface.destroy = (void (*) (job_t *)) destroy;
-	this->public.cancel = (void(*)(callback_job_t*))cancel;
-
-	/* private variables */
-	this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
-	this->callback = cb;
-	this->data = data;
-	this->cleanup = cleanup;
-	this->thread = 0;
-	this->children = linked_list_create();
-	this->parent = (private_callback_job_t*)parent;
-	this->cancelled = FALSE;
-	this->destroyable = condvar_create(CONDVAR_TYPE_DEFAULT);
-	this->terminated = NULL;
-
-	/* register us at parent */
-	if (parent)
-	{
-		this->parent->mutex->lock(this->parent->mutex);
-		this->parent->children->insert_last(this->parent->children, this);
-		this->parent->mutex->unlock(this->parent->mutex);
-	}
-
-	return &this->public;
-}
-
diff --git a/src/libcharon/processing/jobs/callback_job.h b/src/libcharon/processing/jobs/callback_job.h
deleted file mode 100644
index 62da1edd1..000000000
--- a/src/libcharon/processing/jobs/callback_job.h
+++ /dev/null
@@ -1,118 +0,0 @@
-/*
- * Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup callback_job callback_job
- * @{ @ingroup jobs
- */
-
-#ifndef CALLBACK_JOB_H_
-#define CALLBACK_JOB_H_
-
-typedef struct callback_job_t callback_job_t;
-
-#include <library.h>
-#include <processing/jobs/job.h>
-
-
-typedef enum job_requeue_t job_requeue_t;
-
-/**
- * Job requeueing policy
- *
- * The job requeueing policy defines how a job is handled when the callback
- * function returns.
- */
-enum job_requeue_t {
-
-	/**
-	 * Do not requeue job, destroy it
-	 */
-	JOB_REQUEUE_NONE,
-
-	/**
-	 * Reque the job fairly, meaning it has to requeue as any other job
-	 */
-	JOB_REQUEUE_FAIR,
-
-	/**
-	 * Reexecute the job directly, without the need of requeueing it
-	 */
-	JOB_REQUEUE_DIRECT,
-};
-
-/**
- * The callback function to use for the callback job.
- *
- * This is the function to use as callback for a callback job. It receives
- * a parameter supplied to the callback jobs constructor.
- *
- * @param data			param supplied to job
- * @return				requeing policy how to requeue the job
- */
-typedef job_requeue_t (*callback_job_cb_t)(void *data);
-
-/**
- * Cleanup function to use for data cleanup.
- *
- * The callback has an optional user argument which receives data. However,
- * this data may be cleaned up if it is allocated. This is the function
- * to supply to the constructor.
- *
- * @param data			param supplied to job
- * @return				requeing policy how to requeue the job
- */
-typedef void (*callback_job_cleanup_t)(void *data);
-
-/**
- * Class representing an callback Job.
- *
- * This is a special job which allows a simple callback function to
- * be executed by a thread of the thread pool. This allows simple execution
- * of asynchronous methods, without to manage threads.
- */
-struct callback_job_t {
-	/**
-	 * The job_t interface.
-	 */
-	job_t job_interface;
-
-	/**
-	 * Cancel the job's thread and wait for its termination. This only works
-	 * reliably for jobs that always use JOB_REQUEUE_FAIR or JOB_REQUEUE_DIRECT,
-	 * otherwise the job may already be destroyed when cancel is called. */
-	void (*cancel)(callback_job_t *this);
-};
-
-/**
- * Creates a callback job.
- *
- * The cleanup function is called when the job gets destroyed to destroy
- * the associated data.
- * If parent is not NULL, the specified job gets an association. Whenever
- * the parent gets cancelled (or runs out), all of its children are cancelled,
- * too.
- *
- * @param cb				callback to call from the processor
- * @param data				user data to supply to callback
- * @param cleanup			destructor for data on destruction, or NULL
- * @param parent			parent of this job
- * @return					callback_job_t object
- */
-callback_job_t *callback_job_create(callback_job_cb_t cb, void *data,
-									callback_job_cleanup_t cleanup,
-									callback_job_t *parent);
-
-#endif /** CALLBACK_JOB_H_ @}*/
diff --git a/src/libcharon/processing/jobs/delete_child_sa_job.h b/src/libcharon/processing/jobs/delete_child_sa_job.h
index 662a7b7c7..fc0e2b518 100644
--- a/src/libcharon/processing/jobs/delete_child_sa_job.h
+++ b/src/libcharon/processing/jobs/delete_child_sa_job.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup delete_child_sa_job delete_child_sa_job
- * @{ @ingroup jobs
+ * @{ @ingroup cjobs
  */
 
 #ifndef DELETE_CHILD_SA_JOB_H_
diff --git a/src/libcharon/processing/jobs/delete_ike_sa_job.h b/src/libcharon/processing/jobs/delete_ike_sa_job.h
index f641deea3..ae06b9cfc 100644
--- a/src/libcharon/processing/jobs/delete_ike_sa_job.h
+++ b/src/libcharon/processing/jobs/delete_ike_sa_job.h
@@ -16,7 +16,7 @@
 
 /**
  * @defgroup delete_child_sa_job delete_child_sa_job
- * @{ @ingroup jobs
+ * @{ @ingroup cjobs
  */
 
 #ifndef DELETE_IKE_SA_JOB_H_
diff --git a/src/libcharon/processing/jobs/inactivity_job.c b/src/libcharon/processing/jobs/inactivity_job.c
index 13fc5e3d0..1371000eb 100644
--- a/src/libcharon/processing/jobs/inactivity_job.c
+++ b/src/libcharon/processing/jobs/inactivity_job.c
@@ -87,7 +87,7 @@ METHOD(job_t, execute, void,
 				}
 				else
 				{
-					charon->scheduler->schedule_job(charon->scheduler,
+					lib->scheduler->schedule_job(lib->scheduler,
 							&this->public.job_interface, this->timeout - diff);
 					rescheduled = TRUE;
 				}
@@ -136,9 +136,11 @@ inactivity_job_t *inactivity_job_create(u_int32_t reqid, u_int32_t timeout,
 	private_inactivity_job_t *this;
 
 	INIT(this,
-		.public.job_interface = {
-			.execute = _execute,
-			.destroy = _destroy,
+		.public = {
+				.job_interface = {
+				.execute = _execute,
+				.destroy = _destroy,
+			},
 		},
 		.reqid = reqid,
 		.timeout = timeout,
diff --git a/src/libcharon/processing/jobs/inactivity_job.h b/src/libcharon/processing/jobs/inactivity_job.h
index 9c9daced8..890f7704b 100644
--- a/src/libcharon/processing/jobs/inactivity_job.h
+++ b/src/libcharon/processing/jobs/inactivity_job.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup inactivity_job inactivity_job
- * @{ @ingroup jobs
+ * @{ @ingroup cjobs
  */
 
 #ifndef INACTIVITY_JOB_H_
diff --git a/src/libcharon/processing/jobs/initiate_mediation_job.h b/src/libcharon/processing/jobs/initiate_mediation_job.h
index fddb1dd7b..d105de2b9 100644
--- a/src/libcharon/processing/jobs/initiate_mediation_job.h
+++ b/src/libcharon/processing/jobs/initiate_mediation_job.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup initiate_mediation_job initiate_mediation_job
- * @{ @ingroup jobs
+ * @{ @ingroup cjobs
  */
 
 #ifndef INITIATE_MEDIATION_JOB_H_
diff --git a/src/libcharon/processing/jobs/job.h b/src/libcharon/processing/jobs/job.h
deleted file mode 100644
index 0f1c16ebe..000000000
--- a/src/libcharon/processing/jobs/job.h
+++ /dev/null
@@ -1,52 +0,0 @@
-/*
- * Copyright (C) 2005-2006 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup job job
- * @{ @ingroup jobs
- */
-
-#ifndef JOB_H_
-#define JOB_H_
-
-typedef struct job_t job_t;
-
-#include <library.h>
-
-/**
- * Job-Interface as it is stored in the job queue.
- */
-struct job_t {
-
-	/**
-	 * Execute a job.
-	 *
-	 * The processing facility executes a job using this method. Jobs are
-	 * one-shot, they destroy themself after execution, so don't use a job
-	 * once it has been executed.
-	 */
-	void (*execute) (job_t *this);
-
-	/**
-	 * Destroy a job.
-	 *
-	 * Is only called whenever a job was not executed (e.g. due daemon shutdown).
-	 * After execution, jobs destroy themself.
-	 */
-	void (*destroy) (job_t *job);
-};
-
-#endif /** JOB_H_ @}*/
diff --git a/src/libcharon/processing/jobs/mediation_job.h b/src/libcharon/processing/jobs/mediation_job.h
index 0574c65eb..41485cbc6 100644
--- a/src/libcharon/processing/jobs/mediation_job.h
+++ b/src/libcharon/processing/jobs/mediation_job.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup mediation_job mediation_job
- * @{ @ingroup jobs
+ * @{ @ingroup cjobs
  */
 
 #ifndef MEDIATION_JOB_H_
diff --git a/src/libcharon/processing/jobs/migrate_job.h b/src/libcharon/processing/jobs/migrate_job.h
index de313d517..09679c734 100644
--- a/src/libcharon/processing/jobs/migrate_job.h
+++ b/src/libcharon/processing/jobs/migrate_job.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup migrate_job migrate_job
- * @{ @ingroup jobs
+ * @{ @ingroup cjobs
  */
 
 #ifndef MIGRATE_JOB_H_
diff --git a/src/libcharon/processing/jobs/process_message_job.h b/src/libcharon/processing/jobs/process_message_job.h
index 5e3f44d1f..2c42aa577 100644
--- a/src/libcharon/processing/jobs/process_message_job.h
+++ b/src/libcharon/processing/jobs/process_message_job.h
@@ -16,7 +16,7 @@
 
 /**
  * @defgroup process_message_job process_message_job
- * @{ @ingroup jobs
+ * @{ @ingroup cjobs
  */
 
 #ifndef PROCESS_MESSAGE_JOB_H_
diff --git a/src/libcharon/processing/jobs/rekey_child_sa_job.h b/src/libcharon/processing/jobs/rekey_child_sa_job.h
index 62887d6b9..fcbe65a06 100644
--- a/src/libcharon/processing/jobs/rekey_child_sa_job.h
+++ b/src/libcharon/processing/jobs/rekey_child_sa_job.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup rekey_child_sa_job rekey_child_sa_job
- * @{ @ingroup jobs
+ * @{ @ingroup cjobs
  */
 
 #ifndef REKEY_CHILD_SA_JOB_H_
diff --git a/src/libcharon/processing/jobs/rekey_ike_sa_job.h b/src/libcharon/processing/jobs/rekey_ike_sa_job.h
index a5c1028aa..3e3e13d00 100644
--- a/src/libcharon/processing/jobs/rekey_ike_sa_job.h
+++ b/src/libcharon/processing/jobs/rekey_ike_sa_job.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup rekey_ike_sa_job rekey_ike_sa_job
- * @{ @ingroup jobs
+ * @{ @ingroup cjobs
  */
 
 #ifndef REKEY_IKE_SA_JOB_H_
diff --git a/src/libcharon/processing/jobs/retransmit_job.h b/src/libcharon/processing/jobs/retransmit_job.h
index c8c13479b..c4545534b 100644
--- a/src/libcharon/processing/jobs/retransmit_job.h
+++ b/src/libcharon/processing/jobs/retransmit_job.h
@@ -16,7 +16,7 @@
 
 /**
  * @defgroup retransmit_job retransmit_job
- * @{ @ingroup jobs
+ * @{ @ingroup cjobs
  */
 
 #ifndef RETRANSMIT_JOB_H_
diff --git a/src/libcharon/processing/jobs/roam_job.h b/src/libcharon/processing/jobs/roam_job.h
index 55bdf2b28..acfb8bed8 100644
--- a/src/libcharon/processing/jobs/roam_job.h
+++ b/src/libcharon/processing/jobs/roam_job.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup roam_job roam_job
- * @{ @ingroup jobs
+ * @{ @ingroup cjobs
  */
 
 #ifndef ROAM_JOB_H_
diff --git a/src/libcharon/processing/jobs/send_dpd_job.h b/src/libcharon/processing/jobs/send_dpd_job.h
index 8078a38bc..bd2728b9a 100644
--- a/src/libcharon/processing/jobs/send_dpd_job.h
+++ b/src/libcharon/processing/jobs/send_dpd_job.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup send_dpd_job send_dpd_job
- * @{ @ingroup jobs
+ * @{ @ingroup cjobs
  */
 
 #ifndef SEND_DPD_JOB_H_
diff --git a/src/libcharon/processing/jobs/send_keepalive_job.h b/src/libcharon/processing/jobs/send_keepalive_job.h
index cda83cd7e..acf6d11aa 100644
--- a/src/libcharon/processing/jobs/send_keepalive_job.h
+++ b/src/libcharon/processing/jobs/send_keepalive_job.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup send_keepalive_job send_keepalive_job
- * @{ @ingroup jobs
+ * @{ @ingroup cjobs
  */
 
 #ifndef SEND_KEEPALIVE_JOB_H_
diff --git a/src/libcharon/processing/jobs/update_sa_job.h b/src/libcharon/processing/jobs/update_sa_job.h
index 11d1ac9b6..e2344fcc4 100644
--- a/src/libcharon/processing/jobs/update_sa_job.h
+++ b/src/libcharon/processing/jobs/update_sa_job.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup update_sa_job update_sa_job
- * @{ @ingroup jobs
+ * @{ @ingroup cjobs
  */
 
 #ifndef UPDATE_SA_JOB_H_
diff --git a/src/libcharon/processing/processor.c b/src/libcharon/processing/processor.c
deleted file mode 100644
index d5774af26..000000000
--- a/src/libcharon/processing/processor.c
+++ /dev/null
@@ -1,273 +0,0 @@
-/*
- * Copyright (C) 2005-2007 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <stdlib.h>
-#include <string.h>
-#include <errno.h>
-
-#include "processor.h"
-
-#include <daemon.h>
-#include <threading/thread.h>
-#include <threading/condvar.h>
-#include <threading/mutex.h>
-#include <utils/linked_list.h>
-
-
-typedef struct private_processor_t private_processor_t;
-
-/**
- * Private data of processor_t class.
- */
-struct private_processor_t {
-	/**
-	 * Public processor_t interface.
-	 */
-	processor_t public;
-
-	/**
-	 * Number of running threads
-	 */
-	u_int total_threads;
-
-	/**
-	 * Desired number of threads
-	 */
-	u_int desired_threads;
-
-	/**
-	 * Number of threads waiting for work
-	 */
-	u_int idle_threads;
-
-	/**
-	 * All threads managed in the pool (including threads that have been
-	 * cancelled, this allows to join them during destruction)
-	 */
-	linked_list_t *threads;
-
-	/**
-	 * The jobs are stored in a linked list
-	 */
-	linked_list_t *list;
-
-	/**
-	 * access to linked_list is locked through this mutex
-	 */
-	mutex_t *mutex;
-
-	/**
-	 * Condvar to wait for new jobs
-	 */
-	condvar_t *job_added;
-
-	/**
-	 * Condvar to wait for terminated threads
-	 */
-	condvar_t *thread_terminated;
-};
-
-static void process_jobs(private_processor_t *this);
-
-/**
- * restart a terminated thread
- */
-static void restart(private_processor_t *this)
-{
-	thread_t *thread;
-
-	DBG2(DBG_JOB, "terminated worker thread, ID: %u", thread_current_id());
-
-	/* respawn thread if required */
-	this->mutex->lock(this->mutex);
-	if (this->desired_threads < this->total_threads ||
-		(thread = thread_create((thread_main_t)process_jobs, this)) == NULL)
-	{
-		this->total_threads--;
-		this->thread_terminated->signal(this->thread_terminated);
-	}
-	else
-	{
-		this->threads->insert_last(this->threads, thread);
-	}
-	this->mutex->unlock(this->mutex);
-}
-
-/**
- * Process queued jobs, called by the worker threads
- */
-static void process_jobs(private_processor_t *this)
-{
-	/* worker threads are not cancellable by default */
-	thread_cancelability(FALSE);
-
-	DBG2(DBG_JOB, "started worker thread, ID: %u", thread_current_id());
-
-	this->mutex->lock(this->mutex);
-	while (this->desired_threads >= this->total_threads)
-	{
-		job_t *job;
-
-		if (this->list->get_count(this->list) == 0)
-		{
-			this->idle_threads++;
-			this->job_added->wait(this->job_added, this->mutex);
-			this->idle_threads--;
-			continue;
-		}
-		this->list->remove_first(this->list, (void**)&job);
-		this->mutex->unlock(this->mutex);
-		/* terminated threads are restarted, so we have a constant pool */
-		thread_cleanup_push((thread_cleanup_t)restart, this);
-		job->execute(job);
-		thread_cleanup_pop(FALSE);
-		this->mutex->lock(this->mutex);
-	}
-	this->mutex->unlock(this->mutex);
-	restart(this);
-}
-
-/**
- * Implementation of processor_t.get_total_threads.
- */
-static u_int get_total_threads(private_processor_t *this)
-{
-	u_int count;
-	this->mutex->lock(this->mutex);
-	count = this->total_threads;
-	this->mutex->unlock(this->mutex);
-	return count;
-}
-
-/**
- * Implementation of processor_t.get_idle_threads.
- */
-static u_int get_idle_threads(private_processor_t *this)
-{
-	u_int count;
-	this->mutex->lock(this->mutex);
-	count = this->idle_threads;
-	this->mutex->unlock(this->mutex);
-	return count;
-}
-
-/**
- * implements processor_t.get_job_load
- */
-static u_int get_job_load(private_processor_t *this)
-{
-	u_int load;
-	this->mutex->lock(this->mutex);
-	load = this->list->get_count(this->list);
-	this->mutex->unlock(this->mutex);
-	return load;
-}
-
-/**
- * implements function processor_t.queue_job
- */
-static void queue_job(private_processor_t *this, job_t *job)
-{
-	this->mutex->lock(this->mutex);
-	this->list->insert_last(this->list, job);
-	this->job_added->signal(this->job_added);
-	this->mutex->unlock(this->mutex);
-}
-
-/**
- * Implementation of processor_t.set_threads.
- */
-static void set_threads(private_processor_t *this, u_int count)
-{
-	this->mutex->lock(this->mutex);
-	if (count > this->total_threads)
-	{	/* increase thread count */
-		int i;
-		thread_t *current;
-
-		this->desired_threads = count;
-		DBG1(DBG_JOB, "spawning %d worker threads", count - this->total_threads);
-		for (i = this->total_threads; i < count; i++)
-		{
-			current = thread_create((thread_main_t)process_jobs, this);
-			if (current)
-			{
-				this->threads->insert_last(this->threads, current);
-				this->total_threads++;
-			}
-		}
-	}
-	else if (count < this->total_threads)
-	{	/* decrease thread count */
-		this->desired_threads = count;
-	}
-	this->job_added->broadcast(this->job_added);
-	this->mutex->unlock(this->mutex);
-}
-
-/**
- * Implementation of processor_t.destroy.
- */
-static void destroy(private_processor_t *this)
-{
-	thread_t *current;
-	set_threads(this, 0);
-	this->mutex->lock(this->mutex);
-	while (this->total_threads > 0)
-	{
-		this->job_added->broadcast(this->job_added);
-		this->thread_terminated->wait(this->thread_terminated, this->mutex);
-	}
-	while (this->threads->remove_first(this->threads,
-									   (void**)&current) == SUCCESS)
-	{
-		current->join(current);
-	}
-	this->mutex->unlock(this->mutex);
-	this->thread_terminated->destroy(this->thread_terminated);
-	this->job_added->destroy(this->job_added);
-	this->mutex->destroy(this->mutex);
-	this->list->destroy_offset(this->list, offsetof(job_t, destroy));
-	this->threads->destroy(this->threads);
-	free(this);
-}
-
-/*
- * Described in header.
- */
-processor_t *processor_create(size_t pool_size)
-{
-	private_processor_t *this = malloc_thing(private_processor_t);
-
-	this->public.get_total_threads = (u_int(*)(processor_t*))get_total_threads;
-	this->public.get_idle_threads = (u_int(*)(processor_t*))get_idle_threads;
-	this->public.get_job_load = (u_int(*)(processor_t*))get_job_load;
-	this->public.queue_job = (void(*)(processor_t*, job_t*))queue_job;
-	this->public.set_threads = (void(*)(processor_t*, u_int))set_threads;
-	this->public.destroy = (void(*)(processor_t*))destroy;
-
-	this->list = linked_list_create();
-	this->threads = linked_list_create();
-	this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
-	this->job_added = condvar_create(CONDVAR_TYPE_DEFAULT);
-	this->thread_terminated = condvar_create(CONDVAR_TYPE_DEFAULT);
-	this->total_threads = 0;
-	this->desired_threads = 0;
-	this->idle_threads = 0;
-
-	return &this->public;
-}
-
diff --git a/src/libcharon/processing/processor.h b/src/libcharon/processing/processor.h
deleted file mode 100644
index 5bf8cf573..000000000
--- a/src/libcharon/processing/processor.h
+++ /dev/null
@@ -1,94 +0,0 @@
-/*
- * Copyright (C) 2005-2007 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup processor processor
- * @{ @ingroup processing
- */
-
-#ifndef PROCESSOR_H_
-#define PROCESSOR_H_
-
-typedef struct processor_t processor_t;
-
-#include <stdlib.h>
-
-#include <library.h>
-#include <processing/jobs/job.h>
-
-/**
- * The processor uses threads to process queued jobs.
- */
-struct processor_t {
-
-	/**
-	 * Get the total number of threads used by the processor.
-	 *
-	 * @return				size of thread pool
-	 */
-	u_int (*get_total_threads) (processor_t *this);
-
-	/**
-	 * Get the number of threads currently waiting.
-	 *
-	 * @return				number of idle threads
-	 */
-	u_int (*get_idle_threads) (processor_t *this);
-
-	/**
-	 * Get the number of queued jobs.
-	 *
-	 * @returns 			number of items in queue
-	 */
-	u_int (*get_job_load) (processor_t *this);
-
-	/**
-	 * Adds a job to the queue.
-	 *
-	 * This function is non blocking and adds a job_t to the queue.
-	 *
-	 * @param job 			job to add to the queue
-	 */
-	void (*queue_job) (processor_t *this, job_t *job);
-
-	/**
-	 * Set the number of threads to use in the processor.
-	 *
-	 * If the number of threads is smaller than number of currently running
-	 * threads, thread count is decreased. Use 0 to disable the processor.
-	 * This call blocks if it decreases thread count until threads have
-	 * terminated, so make sure there are not too many blocking jobs.
-	 *
-	 * @param count			number of threads to allocate
-	 */
-	void (*set_threads)(processor_t *this, u_int count);
-
-	/**
-	 * Destroy a processor object.
-	 */
-	void (*destroy) (processor_t *processor);
-};
-
-/**
- * Create the thread pool without any threads.
- *
- * Use the set_threads method to start processing jobs.
- *
- * @return					processor_t object
- */
-processor_t *processor_create();
-
-#endif /** PROCESSOR_H_ @}*/
diff --git a/src/libcharon/processing/scheduler.c b/src/libcharon/processing/scheduler.c
deleted file mode 100644
index 345af502a..000000000
--- a/src/libcharon/processing/scheduler.c
+++ /dev/null
@@ -1,358 +0,0 @@
-/*
- * Copyright (C) 2008 Tobias Brunner
- * Copyright (C) 2005-2006 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <stdlib.h>
-
-#include "scheduler.h"
-
-#include <daemon.h>
-#include <processing/processor.h>
-#include <processing/jobs/callback_job.h>
-#include <threading/thread.h>
-#include <threading/condvar.h>
-#include <threading/mutex.h>
-
-/* the initial size of the heap */
-#define HEAP_SIZE_DEFAULT 64
-
-typedef struct event_t event_t;
-
-/**
- * Event containing a job and a schedule time
- */
-struct event_t {
-	/**
-	 * Time to fire the event.
-	 */
-	timeval_t time;
-
-	/**
-	 * Every event has its assigned job.
-	 */
-	job_t *job;
-};
-
-/**
- * destroy an event and its job
- */
-static void event_destroy(event_t *event)
-{
-	event->job->destroy(event->job);
-	free(event);
-}
-
-typedef struct private_scheduler_t private_scheduler_t;
-
-/**
- * Private data of a scheduler_t object.
- */
-struct private_scheduler_t {
-
-	/**
-	 * Public part of a scheduler_t object.
-	 */
-	 scheduler_t public;
-
-	/**
-	 * Job which queues scheduled jobs to the processor.
-	 */
-	callback_job_t *job;
-
-	/**
-	 * The heap in which the events are stored.
-	 */
-	event_t **heap;
-
-	/**
-	 * The size of the heap.
-	 */
-	u_int heap_size;
-
-	/**
-	 * The number of scheduled events.
-	 */
-	u_int event_count;
-
-	/**
-	 * Exclusive access to list
-	 */
-	mutex_t *mutex;
-
-	/**
-	 * Condvar to wait for next job.
-	 */
-	condvar_t *condvar;
-};
-
-/**
- * Comparse two timevals, return >0 if a > b, <0 if a < b and =0 if equal
- */
-static int timeval_cmp(timeval_t *a, timeval_t *b)
-{
-	if (a->tv_sec > b->tv_sec)
-	{
-		return 1;
-	}
-	if (a->tv_sec < b->tv_sec)
-	{
-		return -1;
-	}
-	if (a->tv_usec > b->tv_usec)
-	{
-		return 1;
-	}
-	if (a->tv_usec < b->tv_usec)
-	{
-		return -1;
-	}
-	return 0;
-}
-
-/**
- * Returns the top event without removing it. Returns NULL if the heap is empty.
- */
-static event_t *peek_event(private_scheduler_t *this)
-{
-	return this->event_count > 0 ? this->heap[1] : NULL;
-}
-
-/**
- * Removes the top event from the heap and returns it. Returns NULL if the heap
- * is empty.
- */
-static event_t *remove_event(private_scheduler_t *this)
-{
-	event_t *event, *top;
-	if (!this->event_count)
-	{
-		return NULL;
-	}
-
-	/* store the value to return */
-	event = this->heap[1];
-	/* move the bottom event to the top */
-	top = this->heap[1] = this->heap[this->event_count];
-
-	if (--this->event_count > 1)
-	{
-		/* seep down the top event */
-		u_int position = 1;
-		while ((position << 1) <= this->event_count)
-		{
-			u_int child = position << 1;
-
-			if ((child + 1) <= this->event_count &&
-				timeval_cmp(&this->heap[child + 1]->time,
-							&this->heap[child]->time) < 0)
-			{
-				/* the "right" child is smaller */
-				child++;
-			}
-
-			if (timeval_cmp(&top->time, &this->heap[child]->time) <= 0)
-			{
-				/* the top event fires before the smaller of the two children,
-				 * stop */
-				break;
-			}
-
-			/* swap with the smaller child */
-			this->heap[position] = this->heap[child];
-			position = child;
-		}
-		this->heap[position] = top;
-	}
-	return event;
-}
-
-/**
- * Get events from the queue and pass it to the processor
- */
-static job_requeue_t schedule(private_scheduler_t * this)
-{
-	timeval_t now;
-	event_t *event;
-	bool timed = FALSE, oldstate;
-
-	this->mutex->lock(this->mutex);
-
-	time_monotonic(&now);
-
-	if ((event = peek_event(this)) != NULL)
-	{
-		if (timeval_cmp(&now, &event->time) >= 0)
-		{
-			remove_event(this);
-			this->mutex->unlock(this->mutex);
-			DBG2(DBG_JOB, "got event, queuing job for execution");
-			charon->processor->queue_job(charon->processor, event->job);
-			free(event);
-			return JOB_REQUEUE_DIRECT;
-		}
-		timersub(&event->time, &now, &now);
-		if (now.tv_sec)
-		{
-			DBG2(DBG_JOB, "next event in %ds %dms, waiting",
-				 now.tv_sec, now.tv_usec/1000);
-		}
-		else
-		{
-			DBG2(DBG_JOB, "next event in %dms, waiting", now.tv_usec/1000);
-		}
-		timed = TRUE;
-	}
-	thread_cleanup_push((thread_cleanup_t)this->mutex->unlock, this->mutex);
-	oldstate = thread_cancelability(TRUE);
-
-	if (timed)
-	{
-		this->condvar->timed_wait_abs(this->condvar, this->mutex, event->time);
-	}
-	else
-	{
-		DBG2(DBG_JOB, "no events, waiting");
-		this->condvar->wait(this->condvar, this->mutex);
-	}
-	thread_cancelability(oldstate);
-	thread_cleanup_pop(TRUE);
-	return JOB_REQUEUE_DIRECT;
-}
-
-/**
- * Implements scheduler_t.get_job_load
- */
-static u_int get_job_load(private_scheduler_t *this)
-{
-	int count;
-	this->mutex->lock(this->mutex);
-	count = this->event_count;
-	this->mutex->unlock(this->mutex);
-	return count;
-}
-
-/**
- * Implements scheduler_t.schedule_job_tv.
- */
-static void schedule_job_tv(private_scheduler_t *this, job_t *job, timeval_t tv)
-{
-	event_t *event;
-	u_int position;
-
-	event = malloc_thing(event_t);
-	event->job = job;
-	event->time = tv;
-
-	this->mutex->lock(this->mutex);
-
-	this->event_count++;
-	if (this->event_count > this->heap_size)
-	{
-		/* double the size of the heap */
-		this->heap_size <<= 1;
-		this->heap = (event_t**)realloc(this->heap,
-									(this->heap_size + 1) * sizeof(event_t*));
-	}
-	/* "put" the event to the bottom */
-	position = this->event_count;
-
-	/* then bubble it up */
-	while (position > 1 && timeval_cmp(&this->heap[position >> 1]->time,
-									   &event->time) > 0)
-	{
-		/* parent has to be fired after the new event, move up */
-		this->heap[position] = this->heap[position >> 1];
-		position >>= 1;
-	}
-	this->heap[position] = event;
-
-	this->condvar->signal(this->condvar);
-	this->mutex->unlock(this->mutex);
-}
-
-/**
- * Implements scheduler_t.schedule_job.
- */
-static void schedule_job(private_scheduler_t *this, job_t *job, u_int32_t s)
-{
-	timeval_t tv;
-
-	time_monotonic(&tv);
-	tv.tv_sec += s;
-
-	schedule_job_tv(this, job, tv);
-}
-
-/**
- * Implements scheduler_t.schedule_job_ms.
- */
-static void schedule_job_ms(private_scheduler_t *this, job_t *job, u_int32_t ms)
-{
-	timeval_t tv, add;
-
-	time_monotonic(&tv);
-	add.tv_sec = ms / 1000;
-	add.tv_usec = (ms % 1000) * 1000;
-
-	timeradd(&tv, &add, &tv);
-
-	schedule_job_tv(this, job, tv);
-}
-
-/**
- * Implementation of scheduler_t.destroy.
- */
-static void destroy(private_scheduler_t *this)
-{
-	event_t *event;
-	this->job->cancel(this->job);
-	this->condvar->destroy(this->condvar);
-	this->mutex->destroy(this->mutex);
-	while ((event = remove_event(this)) != NULL)
-	{
-		event_destroy(event);
-	}
-	free(this->heap);
-	free(this);
-}
-
-/*
- * Described in header.
- */
-scheduler_t * scheduler_create()
-{
-	private_scheduler_t *this = malloc_thing(private_scheduler_t);
-
-	this->public.get_job_load = (u_int (*) (scheduler_t *this)) get_job_load;
-	this->public.schedule_job = (void (*) (scheduler_t *this, job_t *job, u_int32_t s)) schedule_job;
-	this->public.schedule_job_ms = (void (*) (scheduler_t *this, job_t *job, u_int32_t ms)) schedule_job_ms;
-	this->public.schedule_job_tv = (void (*) (scheduler_t *this, job_t *job, timeval_t tv)) schedule_job_tv;
-	this->public.destroy = (void(*)(scheduler_t*)) destroy;
-
-	/* Note: the root of the heap is at index 1 */
-	this->event_count = 0;
-	this->heap_size = HEAP_SIZE_DEFAULT;
-	this->heap = (event_t**)calloc(this->heap_size + 1, sizeof(event_t*));
-
-	this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
-	this->condvar = condvar_create(CONDVAR_TYPE_DEFAULT);
-
-	this->job = callback_job_create((callback_job_cb_t)schedule, this, NULL, NULL);
-	charon->processor->queue_job(charon->processor, (job_t*)this->job);
-
-	return &this->public;
-}
-
diff --git a/src/libcharon/processing/scheduler.h b/src/libcharon/processing/scheduler.h
deleted file mode 100644
index 5f5d2a563..000000000
--- a/src/libcharon/processing/scheduler.h
+++ /dev/null
@@ -1,130 +0,0 @@
-/*
- * Copyright (C) 2009 Tobias Brunner
- * Copyright (C) 2005-2007 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup scheduler scheduler
- * @{ @ingroup processing
- */
-
-#ifndef SCHEDULER_H_
-#define SCHEDULER_H_
-
-typedef struct scheduler_t scheduler_t;
-
-#include <library.h>
-#include <processing/jobs/job.h>
-
-/**
- * The scheduler queues timed events which are then passed to the processor.
- *
- * The scheduler is implemented as a heap. A heap is a special kind of tree-
- * based data structure that satisfies the following property: if B is a child
- * node of A, then key(A) >= (or <=) key(B). So either the element with the
- * greatest (max-heap) or the smallest (min-heap) key is the root of the heap.
- * We use a min-heap whith the key being the absolute unix time at which an
- * event is scheduled. So the root is always the event that will fire next.
- *
- * An earlier implementation of the scheduler used a sorted linked list to store
- * the events. That had the advantage that removing the next event was extremely
- * fast, also, adding an event scheduled before or after all other events was
- * equally fast (all in O(1)). The problem was, though, that adding an event
- * in-between got slower, as the number of events grew larger (O(n)).
- * For each connection there could be several events: IKE-rekey, NAT-keepalive,
- * retransmissions, expire (half-open), and others. So a gateway that probably
- * has to handle thousands of concurrent connnections has to be able to queue a
- * large number of events as fast as possible. Locking makes this even worse, to
- * provide thread-safety, no events can be processed, while an event is queued,
- * so making the insertion fast is even more important.
- *
- * That's the advantage of the heap. Adding an element to the heap can be
- * achieved in O(log n) - on the other hand, removing the root node also
- * requires O(log n) operations. Consider 10000 queued events. Inserting a new
- * event in the list implementation required up to 10000 comparisons. In the
- * heap implementation, the worst case is about 13.3 comparisons. That's a
- * drastic improvement.
- *
- * The implementation itself uses a binary tree mapped to a one-based array to
- * store the elements. This reduces storage overhead and simplifies navigation:
- * the children of the node at position n are at position 2n and 2n+1 (likewise
- * the parent node of the node at position n is at position [n/2]). Thus,
- * navigating up and down the tree is reduced to simple index computations.
- *
- * Adding an element to the heap works as follows: The heap is always filled
- * from left to right, until a row is full, then the next row is filled. Mapped
- * to an array this gets as simple as putting the new element to the first free
- * position. In a one-based array that position equals the number of elements
- * currently stored in the heap. Then the heap property has to be restored, i.e.
- * the new element has to be "bubbled up" the tree until the parent node's key
- * is smaller or the element got the new root of the tree.
- *
- * Removing the next event from the heap works similarly. The event itself is
- * the root node and stored at position 1 of the array. After removing it, the
- * root has to be replaced and the heap property has to be restored. This is
- * done by moving the bottom element (last row, rightmost element) to the root
- * and then "seep it down" by swapping it with child nodes until none of the
- * children has a smaller key or it is again a leaf node.
- */
-struct scheduler_t {
-
-	/**
-	 * Adds a event to the queue, using a relative time offset in s.
-	 *
-	 * @param job 			job to schedule
-	 * @param time 			relative time to schedule job, in s
-	 */
-	void (*schedule_job) (scheduler_t *this, job_t *job, u_int32_t s);
-
-	/**
-	 * Adds a event to the queue, using a relative time offset in ms.
-	 *
-	 * @param job 			job to schedule
-	 * @param time 			relative time to schedule job, in ms
-	 */
-	void (*schedule_job_ms) (scheduler_t *this, job_t *job, u_int32_t ms);
-
-	/**
-	 * Adds a event to the queue, using an absolut time.
-	 *
-	 * The passed timeval should be calculated based on the time_monotonic()
-	 * function.
-	 *
-	 * @param job 			job to schedule
-	 * @param time 			absolut time to schedule job
-	 */
-	void (*schedule_job_tv) (scheduler_t *this, job_t *job, timeval_t tv);
-
-	/**
-	 * Returns number of jobs scheduled.
-	 *
-	 * @return 				number of scheduled jobs
-	 */
-	u_int (*get_job_load) (scheduler_t *this);
-
-	/**
-	 * Destroys a scheduler object.
-	 */
-	void (*destroy) (scheduler_t *this);
-};
-
-/**
- * Create a scheduler.
- *
- * @return 		scheduler_t object
- */
-scheduler_t *scheduler_create(void);
-
-#endif /** SCHEDULER_H_ @}*/
diff --git a/src/libcharon/sa/authenticators/eap/eap_manager.c b/src/libcharon/sa/authenticators/eap/eap_manager.c
index f795183f0..bc2c4a617 100644
--- a/src/libcharon/sa/authenticators/eap/eap_manager.c
+++ b/src/libcharon/sa/authenticators/eap/eap_manager.c
@@ -68,12 +68,9 @@ struct private_eap_manager_t {
 	rwlock_t *lock;
 };
 
-/**
- * Implementation of eap_manager_t.add_method.
- */
-static void add_method(private_eap_manager_t *this, eap_type_t type,
-					   u_int32_t vendor, eap_role_t role,
-					   eap_constructor_t constructor)
+METHOD(eap_manager_t, add_method, void,
+	private_eap_manager_t *this, eap_type_t type, u_int32_t vendor,
+	eap_role_t role, eap_constructor_t constructor)
 {
 	eap_entry_t *entry = malloc_thing(eap_entry_t);
 
@@ -87,10 +84,8 @@ static void add_method(private_eap_manager_t *this, eap_type_t type,
 	this->lock->unlock(this->lock);
 }
 
-/**
- * Implementation of eap_manager_t.remove_method.
- */
-static void remove_method(private_eap_manager_t *this, eap_constructor_t constructor)
+METHOD(eap_manager_t, remove_method, void,
+	private_eap_manager_t *this, eap_constructor_t constructor)
 {
 	enumerator_t *enumerator;
 	eap_entry_t *entry;
@@ -109,13 +104,9 @@ static void remove_method(private_eap_manager_t *this, eap_constructor_t constru
 	this->lock->unlock(this->lock);
 }
 
-/**
- * Implementation of eap_manager_t.create_instance.
- */
-static eap_method_t* create_instance(private_eap_manager_t *this,
-									 eap_type_t type, u_int32_t vendor,
-									 eap_role_t role, identification_t *server,
-									 identification_t *peer)
+METHOD(eap_manager_t, create_instance, eap_method_t*,
+	private_eap_manager_t *this, eap_type_t type, u_int32_t vendor,
+	eap_role_t role, identification_t *server, identification_t *peer)
 {
 	enumerator_t *enumerator;
 	eap_entry_t *entry;
@@ -140,10 +131,8 @@ static eap_method_t* create_instance(private_eap_manager_t *this,
 	return method;
 }
 
-/**
- * Implementation of 2008_t.destroy
- */
-static void destroy(private_eap_manager_t *this)
+METHOD(eap_manager_t, destroy, void,
+	private_eap_manager_t *this)
 {
 	this->methods->destroy_function(this->methods, free);
 	this->lock->destroy(this->lock);
@@ -151,19 +140,22 @@ static void destroy(private_eap_manager_t *this)
 }
 
 /*
- * see header file
+ * See header
  */
 eap_manager_t *eap_manager_create()
 {
-	private_eap_manager_t *this = malloc_thing(private_eap_manager_t);
-
-	this->public.add_method = (void(*)(eap_manager_t*, eap_type_t type, u_int32_t vendor, eap_role_t role, eap_constructor_t constructor))add_method;
-	this->public.remove_method = (void(*)(eap_manager_t*, eap_constructor_t constructor))remove_method;
-	this->public.create_instance = (eap_method_t*(*)(eap_manager_t*, eap_type_t type, u_int32_t vendor, eap_role_t role, identification_t*,identification_t*))create_instance;
-	this->public.destroy = (void(*)(eap_manager_t*))destroy;
-
-	this->methods = linked_list_create();
-	this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
+	private_eap_manager_t *this;
+
+	INIT(this,
+			.public = {
+				.add_method = _add_method,
+				.remove_method = _remove_method,
+				.create_instance = _create_instance,
+				.destroy = _destroy,
+			},
+			.methods = linked_list_create(),
+			.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
+	);
 
 	return &this->public;
 }
diff --git a/src/libcharon/sa/authenticators/eap/eap_method.c b/src/libcharon/sa/authenticators/eap/eap_method.c
index ad7b92cfa..0fa4a00c5 100644
--- a/src/libcharon/sa/authenticators/eap/eap_method.c
+++ b/src/libcharon/sa/authenticators/eap/eap_method.c
@@ -15,55 +15,8 @@
 
 #include "eap_method.h"
 
-/*
- * See header
- */
-eap_type_t eap_type_from_string(char *name)
-{
-	int i;
-	static struct {
-		char *name;
-		eap_type_t type;
-	} types[] = {
-		{"identity",	EAP_IDENTITY},
-		{"md5",			EAP_MD5},
-		{"otp",			EAP_OTP},
-		{"gtc",			EAP_GTC},
-		{"sim",			EAP_SIM},
-		{"aka",			EAP_AKA},
-		{"mschapv2",	EAP_MSCHAPV2},
-		{"radius",		EAP_RADIUS},
-	};
-
-	for (i = 0; i < countof(types); i++)
-	{
-		if (strcaseeq(name, types[i].name))
-		{
-			return types[i].type;
-		}
-	}
-	return 0;
-}
-
-ENUM(eap_code_names, EAP_REQUEST, EAP_FAILURE,
-	"EAP_REQUEST",
-	"EAP_RESPONSE",
-	"EAP_SUCCESS",
-	"EAP_FAILURE",
-);
-
-ENUM(eap_code_short_names, EAP_REQUEST, EAP_FAILURE,
-	"REQ",
-	"RES",
-	"SUCC",
-	"FAIL",
-);
-
 ENUM(eap_role_names, EAP_SERVER, EAP_PEER,
 	"EAP_SERVER",
 	"EAP_PEER",
 );
 
-
-
-
diff --git a/src/libcharon/sa/authenticators/eap/eap_method.h b/src/libcharon/sa/authenticators/eap/eap_method.h
index df354edb4..9961039ff 100644
--- a/src/libcharon/sa/authenticators/eap/eap_method.h
+++ b/src/libcharon/sa/authenticators/eap/eap_method.h
@@ -23,10 +23,10 @@
 
 typedef struct eap_method_t eap_method_t;
 typedef enum eap_role_t eap_role_t;
-typedef enum eap_code_t eap_code_t;
 
 #include <library.h>
 #include <utils/identification.h>
+#include <eap/eap.h>
 #include <encoding/payloads/eap_payload.h>
 
 /**
@@ -41,34 +41,6 @@ enum eap_role_t {
  */
 extern enum_name_t *eap_role_names;
 
-/**
- * Lookup the EAP method type from a string.
- *
- * @param name		EAP method name (such as "md5", "aka")
- * @return			method type, 0 if unkown
- */
-eap_type_t eap_type_from_string(char *name);
-
-/**
- * EAP code, type of an EAP message
- */
-enum eap_code_t {
-	EAP_REQUEST = 1,
-	EAP_RESPONSE = 2,
-	EAP_SUCCESS = 3,
-	EAP_FAILURE = 4,
-};
-
-/**
- * enum names for eap_code_t.
- */
-extern enum_name_t *eap_code_names;
-
-/**
- * short string enum names for eap_code_t.
- */
-extern enum_name_t *eap_code_short_names;
-
 /**
  * Interface of an EAP method for server and client side.
  *
diff --git a/src/libcharon/sa/authenticators/eap_authenticator.c b/src/libcharon/sa/authenticators/eap_authenticator.c
index 3c0f3c358..8b22fd1d7 100644
--- a/src/libcharon/sa/authenticators/eap_authenticator.c
+++ b/src/libcharon/sa/authenticators/eap_authenticator.c
@@ -99,22 +99,30 @@ struct private_eap_authenticator_t {
 static eap_method_t *load_method(private_eap_authenticator_t *this,
 							eap_type_t type, u_int32_t vendor, eap_role_t role)
 {
-	identification_t *server, *peer;
+	identification_t *server, *peer, *aaa;
+	auth_cfg_t *auth;
 
 	if (role == EAP_SERVER)
 	{
 		server = this->ike_sa->get_my_id(this->ike_sa);
 		peer = this->ike_sa->get_other_id(this->ike_sa);
+		auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
 	}
 	else
 	{
 		server = this->ike_sa->get_other_id(this->ike_sa);
 		peer = this->ike_sa->get_my_id(this->ike_sa);
+		auth = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
 	}
 	if (this->eap_identity)
 	{
 		peer = this->eap_identity;
 	}
+	aaa = auth->get(auth, AUTH_RULE_AAA_IDENTITY);
+	if (aaa)
+	{
+		server = aaa;
+	}
 	return charon->eap->create_instance(charon->eap, type, vendor,
 										role, server, peer);
 }
@@ -458,11 +466,8 @@ static void build_auth(private_eap_authenticator_t *this, message_t *message,
 	chunk_free(&auth_data);
 }
 
-/**
- * Implementation of authenticator_t.process for a server
- */
-static status_t process_server(private_eap_authenticator_t *this,
-							   message_t *message)
+METHOD(authenticator_t, process_server, status_t,
+	private_eap_authenticator_t *this, message_t *message)
 {
 	eap_payload_t *eap_payload;
 
@@ -492,11 +497,8 @@ static status_t process_server(private_eap_authenticator_t *this,
 	return NEED_MORE;
 }
 
-/**
- * Implementation of authenticator_t.build for a server
- */
-static status_t build_server(private_eap_authenticator_t *this,
-							 message_t *message)
+METHOD(authenticator_t, build_server, status_t,
+	private_eap_authenticator_t *this, message_t *message)
 {
 	if (this->eap_payload)
 	{
@@ -519,11 +521,8 @@ static status_t build_server(private_eap_authenticator_t *this,
 	return FAILED;
 }
 
-/**
- * Implementation of authenticator_t.process for a client
- */
-static status_t process_client(private_eap_authenticator_t *this,
-							   message_t *message)
+METHOD(authenticator_t, process_client, status_t,
+	private_eap_authenticator_t *this, message_t *message)
 {
 	eap_payload_t *eap_payload;
 
@@ -603,11 +602,8 @@ static status_t process_client(private_eap_authenticator_t *this,
 	return FAILED;
 }
 
-/**
- * Implementation of authenticator_t.build for a client
- */
-static status_t build_client(private_eap_authenticator_t *this,
-							 message_t *message)
+METHOD(authenticator_t, build_client, status_t,
+	private_eap_authenticator_t *this, message_t *message)
 {
 	if (this->eap_payload)
 	{
@@ -623,20 +619,16 @@ static status_t build_client(private_eap_authenticator_t *this,
 	return NEED_MORE;
 }
 
-/**
- * Implementation of authenticator_t.is_mutual.
- */
-static bool is_mutual(private_eap_authenticator_t *this)
+METHOD(authenticator_t, is_mutual, bool,
+	private_eap_authenticator_t *this)
 {
 	/* we don't know yet, but insist on it after EAP is complete */
 	this->require_mutual = TRUE;
 	return TRUE;
 }
 
-/**
- * Implementation of authenticator_t.destroy.
- */
-static void destroy(private_eap_authenticator_t *this)
+METHOD(authenticator_t, destroy, void,
+	private_eap_authenticator_t *this)
 {
 	DESTROY_IF(this->method);
 	DESTROY_IF(this->eap_payload);
@@ -652,25 +644,23 @@ eap_authenticator_t *eap_authenticator_create_builder(ike_sa_t *ike_sa,
 									chunk_t received_nonce, chunk_t sent_nonce,
 									chunk_t received_init, chunk_t sent_init)
 {
-	private_eap_authenticator_t *this = malloc_thing(private_eap_authenticator_t);
-
-	this->public.authenticator.build = (status_t(*)(authenticator_t*, message_t *message))build_client;
-	this->public.authenticator.process = (status_t(*)(authenticator_t*, message_t *message))process_client;
-	this->public.authenticator.is_mutual = (bool(*)(authenticator_t*))is_mutual;
-	this->public.authenticator.destroy = (void(*)(authenticator_t*))destroy;
-
-	this->ike_sa = ike_sa;
-	this->received_init = received_init;
-	this->received_nonce = received_nonce;
-	this->sent_init = sent_init;
-	this->sent_nonce = sent_nonce;
-	this->msk = chunk_empty;
-	this->method = NULL;
-	this->eap_payload = NULL;
-	this->eap_complete = FALSE;
-	this->auth_complete = FALSE;
-	this->eap_identity = NULL;
-	this->require_mutual = FALSE;
+	private_eap_authenticator_t *this;
+
+	INIT(this,
+		.public = {
+			.authenticator = {
+				.build = _build_client,
+				.process = _process_client,
+				.is_mutual = _is_mutual,
+				.destroy = _destroy,
+			},
+		},
+		.ike_sa = ike_sa,
+		.received_init = received_init,
+		.received_nonce = received_nonce,
+		.sent_init = sent_init,
+		.sent_nonce = sent_nonce,
+	);
 
 	return &this->public;
 }
@@ -682,25 +672,23 @@ eap_authenticator_t *eap_authenticator_create_verifier(ike_sa_t *ike_sa,
 									chunk_t received_nonce, chunk_t sent_nonce,
 									chunk_t received_init, chunk_t sent_init)
 {
-	private_eap_authenticator_t *this = malloc_thing(private_eap_authenticator_t);
-
-	this->public.authenticator.build = (status_t(*)(authenticator_t*, message_t *messageh))build_server;
-	this->public.authenticator.process = (status_t(*)(authenticator_t*, message_t *message))process_server;
-	this->public.authenticator.is_mutual = (bool(*)(authenticator_t*))is_mutual;
-	this->public.authenticator.destroy = (void(*)(authenticator_t*))destroy;
-
-	this->ike_sa = ike_sa;
-	this->received_init = received_init;
-	this->received_nonce = received_nonce;
-	this->sent_init = sent_init;
-	this->sent_nonce = sent_nonce;
-	this->msk = chunk_empty;
-	this->method = NULL;
-	this->eap_payload = NULL;
-	this->eap_complete = FALSE;
-	this->auth_complete = FALSE;
-	this->eap_identity = NULL;
-	this->require_mutual = FALSE;
+	private_eap_authenticator_t *this;
+
+	INIT(this,
+		.public = {
+			.authenticator = {
+				.build = _build_server,
+				.process = _process_server,
+				.is_mutual = _is_mutual,
+				.destroy = _destroy,
+			},
+		},
+		.ike_sa = ike_sa,
+		.received_init = received_init,
+		.received_nonce = received_nonce,
+		.sent_init = sent_init,
+		.sent_nonce = sent_nonce,
+	);
 
 	return &this->public;
 }
diff --git a/src/libcharon/sa/authenticators/pubkey_authenticator.c b/src/libcharon/sa/authenticators/pubkey_authenticator.c
index 3c67f6db6..54b4338bb 100644
--- a/src/libcharon/sa/authenticators/pubkey_authenticator.c
+++ b/src/libcharon/sa/authenticators/pubkey_authenticator.c
@@ -84,15 +84,15 @@ static status_t build(private_pubkey_authenticator_t *this, message_t *message)
 			/* we try to deduct the signature scheme from the keysize */
 			switch (private->get_keysize(private))
 			{
-				case 32:
+				case 256:
 					scheme = SIGN_ECDSA_256;
 					auth_method = AUTH_ECDSA_256;
 					break;
-				case 48:
+				case 384:
 					scheme = SIGN_ECDSA_384;
 					auth_method = AUTH_ECDSA_384;
 					break;
-				case 66:
+				case 521:
 					scheme = SIGN_ECDSA_521;
 					auth_method = AUTH_ECDSA_521;
 					break;
diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c
index bd41cba56..b6ef31da0 100644
--- a/src/libcharon/sa/child_sa.c
+++ b/src/libcharon/sa/child_sa.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006-2009 Tobias Brunner
+ * Copyright (C) 2006-2010 Tobias Brunner
  * Copyright (C) 2005-2008 Martin Willi
  * Copyright (C) 2006 Daniel Roethlisberger
  * Copyright (C) 2005 Jan Hutter
@@ -23,6 +23,7 @@
 #include <string.h>
 #include <time.h>
 
+#include <hydra.h>
 #include <daemon.h>
 
 ENUM(child_sa_state_names, CHILD_CREATED, CHILD_DESTROYING,
@@ -179,170 +180,144 @@ struct private_child_sa_t {
 };
 
 /**
- * Implementation of child_sa_t.get_name
+ * convert an IKEv2 specific protocol identifier to the IP protocol identifier.
  */
-static char *get_name(private_child_sa_t *this)
+static inline u_int8_t proto_ike2ip(protocol_id_t protocol)
+{
+	switch (protocol)
+	{
+		case PROTO_ESP:
+			return IPPROTO_ESP;
+		case PROTO_AH:
+			return IPPROTO_AH;
+		default:
+			return protocol;
+	}
+}
+
+METHOD(child_sa_t, get_name, char*,
+	   private_child_sa_t *this)
 {
 	return this->config->get_name(this->config);
 }
 
-/**
- * Implements child_sa_t.get_reqid
- */
-static u_int32_t get_reqid(private_child_sa_t *this)
+METHOD(child_sa_t, get_reqid, u_int32_t,
+	   private_child_sa_t *this)
 {
 	return this->reqid;
 }
 
-/**
- * Implements child_sa_t.get_config
- */
-static child_cfg_t* get_config(private_child_sa_t *this)
+METHOD(child_sa_t, get_config, child_cfg_t*,
+	   private_child_sa_t *this)
 {
 	return this->config;
 }
 
-/**
- * Implements child_sa_t.set_state
- */
-static void set_state(private_child_sa_t *this, child_sa_state_t state)
+METHOD(child_sa_t, set_state, void,
+	   private_child_sa_t *this, child_sa_state_t state)
 {
 	charon->bus->child_state_change(charon->bus, &this->public, state);
 	this->state = state;
 }
 
-/**
- * Implements child_sa_t.get_state
- */
-static child_sa_state_t get_state(private_child_sa_t *this)
+METHOD(child_sa_t, get_state, child_sa_state_t,
+	   private_child_sa_t *this)
 {
 	return this->state;
 }
 
-/**
- * Implements child_sa_t.get_spi
- */
-u_int32_t get_spi(private_child_sa_t *this, bool inbound)
+METHOD(child_sa_t, get_spi, u_int32_t,
+	   private_child_sa_t *this, bool inbound)
 {
 	return inbound ? this->my_spi : this->other_spi;
 }
 
-/**
- * Implements child_sa_t.get_cpi
- */
-u_int16_t get_cpi(private_child_sa_t *this, bool inbound)
+METHOD(child_sa_t, get_cpi, u_int16_t,
+	   private_child_sa_t *this, bool inbound)
 {
 	return inbound ? this->my_cpi : this->other_cpi;
 }
 
-/**
- * Implements child_sa_t.get_protocol
- */
-protocol_id_t get_protocol(private_child_sa_t *this)
+METHOD(child_sa_t, get_protocol, protocol_id_t,
+	   private_child_sa_t *this)
 {
 	return this->protocol;
 }
 
-/**
- * Implementation of child_sa_t.set_protocol
- */
-static void set_protocol(private_child_sa_t *this, protocol_id_t protocol)
+METHOD(child_sa_t, set_protocol, void,
+	   private_child_sa_t *this, protocol_id_t protocol)
 {
 	this->protocol = protocol;
 }
 
-/**
- * Implementation of child_sa_t.get_mode
- */
-static ipsec_mode_t get_mode(private_child_sa_t *this)
+METHOD(child_sa_t, get_mode, ipsec_mode_t,
+	   private_child_sa_t *this)
 {
 	return this->mode;
 }
 
-/**
- * Implementation of child_sa_t.set_mode
- */
-static void set_mode(private_child_sa_t *this, ipsec_mode_t mode)
+METHOD(child_sa_t, set_mode, void,
+	   private_child_sa_t *this, ipsec_mode_t mode)
 {
 	this->mode = mode;
 }
 
-/**
- * Implementation of child_sa_t.has_encap
- */
-static bool has_encap(private_child_sa_t *this)
+METHOD(child_sa_t, has_encap, bool,
+	   private_child_sa_t *this)
 {
 	return this->encap;
 }
 
-/**
- * Implementation of child_sa_t.get_ipcomp
- */
-static ipcomp_transform_t get_ipcomp(private_child_sa_t *this)
+METHOD(child_sa_t, get_ipcomp, ipcomp_transform_t,
+	   private_child_sa_t *this)
 {
 	return this->ipcomp;
 }
 
-/**
- * Implementation of child_sa_t.set_ipcomp.
- */
-static void set_ipcomp(private_child_sa_t *this, ipcomp_transform_t ipcomp)
+METHOD(child_sa_t, set_ipcomp, void,
+	   private_child_sa_t *this, ipcomp_transform_t ipcomp)
 {
 	this->ipcomp = ipcomp;
 }
 
-/**
- * Implementation of child_sa_t.set_close_action.
- */
-static void set_close_action(private_child_sa_t *this, action_t action)
+METHOD(child_sa_t, set_close_action, void,
+	   private_child_sa_t *this, action_t action)
 {
 	this->close_action = action;
 }
 
-/**
- * Implementation of child_sa_t.get_close_action.
- */
-static action_t get_close_action(private_child_sa_t *this)
+METHOD(child_sa_t, get_close_action, action_t,
+	   private_child_sa_t *this)
 {
 	return this->close_action;
 }
 
-/**
- * Implementation of child_sa_t.set_dpd_action.
- */
-static void set_dpd_action(private_child_sa_t *this, action_t action)
+METHOD(child_sa_t, set_dpd_action, void,
+	   private_child_sa_t *this, action_t action)
 {
 	this->dpd_action = action;
 }
 
-/**
- * Implementation of child_sa_t.get_dpd_action.
- */
-static action_t get_dpd_action(private_child_sa_t *this)
+METHOD(child_sa_t, get_dpd_action, action_t,
+	   private_child_sa_t *this)
 {
 	return this->dpd_action;
 }
 
-/**
- * Implementation of child_sa_t.get_proposal
- */
-static proposal_t* get_proposal(private_child_sa_t *this)
+METHOD(child_sa_t, get_proposal, proposal_t*,
+	   private_child_sa_t *this)
 {
 	return this->proposal;
 }
 
-/**
- * Implementation of child_sa_t.set_proposal
- */
-static void set_proposal(private_child_sa_t *this, proposal_t *proposal)
+METHOD(child_sa_t, set_proposal, void,
+	   private_child_sa_t *this, proposal_t *proposal)
 {
 	this->proposal = proposal->clone(proposal);
 }
 
-/**
- * Implementation of child_sa_t.get_traffic_selectors.
- */
-static linked_list_t *get_traffic_selectors(private_child_sa_t *this, bool local)
+METHOD(child_sa_t, get_traffic_selectors, linked_list_t*,
+	   private_child_sa_t *this, bool local)
 {
 	return local ? this->my_ts : this->other_ts;
 }
@@ -365,11 +340,9 @@ struct policy_enumerator_t {
 	traffic_selector_t *ts;
 };
 
-/**
- * enumerator function of create_policy_enumerator()
- */
-static bool policy_enumerate(policy_enumerator_t *this,
-				 traffic_selector_t **my_out, traffic_selector_t **other_out)
+METHOD(enumerator_t, policy_enumerate, bool,
+	   policy_enumerator_t *this, traffic_selector_t **my_out,
+	   traffic_selector_t **other_out)
 {
 	traffic_selector_t *other_ts;
 
@@ -399,29 +372,29 @@ static bool policy_enumerate(policy_enumerator_t *this,
 	return FALSE;
 }
 
-/**
- * destroy function of create_policy_enumerator()
- */
-static void policy_destroy(policy_enumerator_t *this)
+METHOD(enumerator_t, policy_destroy, void,
+	   policy_enumerator_t *this)
 {
 	this->mine->destroy(this->mine);
 	this->other->destroy(this->other);
 	free(this);
 }
 
-/**
- * Implementation of child_sa_t.create_policy_enumerator
- */
-static enumerator_t* create_policy_enumerator(private_child_sa_t *this)
+METHOD(child_sa_t, create_policy_enumerator, enumerator_t*,
+	   private_child_sa_t *this)
 {
-	policy_enumerator_t *e = malloc_thing(policy_enumerator_t);
-
-	e->public.enumerate = (void*)policy_enumerate;
-	e->public.destroy = (void*)policy_destroy;
-	e->mine = this->my_ts->create_enumerator(this->my_ts);
-	e->other = this->other_ts->create_enumerator(this->other_ts);
-	e->list = this->other_ts;
-	e->ts = NULL;
+	policy_enumerator_t *e;
+
+	INIT(e,
+		.public = {
+			.enumerate = (void*)_policy_enumerate,
+			.destroy = _policy_destroy,
+		},
+		.mine = this->my_ts->create_enumerator(this->my_ts),
+		.other = this->other_ts->create_enumerator(this->other_ts),
+		.list = this->other_ts,
+		.ts = NULL,
+	);
 
 	return &e->public;
 }
@@ -441,10 +414,10 @@ static status_t update_usebytes(private_child_sa_t *this, bool inbound)
 	{
 		if (this->my_spi)
 		{
-			status = charon->kernel_interface->query_sa(charon->kernel_interface,
-									this->other_addr, this->my_addr,
-									this->my_spi, this->protocol,
-									this->mark_in, &bytes);
+			status = hydra->kernel_interface->query_sa(hydra->kernel_interface,
+							this->other_addr, this->my_addr, this->my_spi,
+							proto_ike2ip(this->protocol), this->mark_in,
+							&bytes);
 			if (status == SUCCESS)
 			{
 				if (bytes > this->my_usebytes)
@@ -460,10 +433,10 @@ static status_t update_usebytes(private_child_sa_t *this, bool inbound)
 	{
 		if (this->other_spi)
 		{
-			status = charon->kernel_interface->query_sa(charon->kernel_interface,
-									this->my_addr, this->other_addr,
-									this->other_spi, this->protocol,
-									this->mark_out,	&bytes);
+			status = hydra->kernel_interface->query_sa(hydra->kernel_interface,
+							this->my_addr, this->other_addr, this->other_spi,
+							proto_ike2ip(this->protocol), this->mark_out,
+							&bytes);
 			if (status == SUCCESS)
 			{
 				if (bytes > this->other_usebytes)
@@ -494,14 +467,14 @@ static void update_usetime(private_child_sa_t *this, bool inbound)
 
 		if (inbound)
 		{
-			if (charon->kernel_interface->query_policy(charon->kernel_interface,
+			if (hydra->kernel_interface->query_policy(hydra->kernel_interface,
 						other_ts, my_ts, POLICY_IN, this->mark_in, &in) == SUCCESS)
 			{
 				last_use = max(last_use, in);
 			}
 			if (this->mode != MODE_TRANSPORT)
 			{
-				if (charon->kernel_interface->query_policy(charon->kernel_interface,
+				if (hydra->kernel_interface->query_policy(hydra->kernel_interface,
 						other_ts, my_ts, POLICY_FWD, this->mark_in, &fwd) == SUCCESS)
 				{
 					last_use = max(last_use, fwd);
@@ -510,7 +483,7 @@ static void update_usetime(private_child_sa_t *this, bool inbound)
 		}
 		else
 		{
-			if (charon->kernel_interface->query_policy(charon->kernel_interface,
+			if (hydra->kernel_interface->query_policy(hydra->kernel_interface,
 						my_ts, other_ts, POLICY_OUT, this->mark_out, &out) == SUCCESS)
 			{
 				last_use = max(last_use, out);
@@ -533,11 +506,8 @@ static void update_usetime(private_child_sa_t *this, bool inbound)
 	}
 }
 
-/**
- * Implementation of child_sa_t.get_usestats
- */
-static void get_usestats(private_child_sa_t *this, bool inbound,
-						 time_t *time, u_int64_t *bytes)
+METHOD(child_sa_t, get_usestats, void,
+	   private_child_sa_t *this, bool inbound, time_t *time, u_int64_t *bytes)
 {
 	if (update_usebytes(this, inbound) != FAILED)
 	{
@@ -556,48 +526,41 @@ static void get_usestats(private_child_sa_t *this, bool inbound,
 	}
 }
 
-/**
- * Implementation of child_sa_t.get_lifetime
- */
-static time_t get_lifetime(private_child_sa_t *this, bool hard)
+METHOD(child_sa_t, get_lifetime, time_t,
+	   private_child_sa_t *this, bool hard)
 {
 	return hard ? this->expire_time : this->rekey_time;
 }
 
-/**
- * Implementation of child_sa_t.alloc_spi
- */
-static u_int32_t alloc_spi(private_child_sa_t *this, protocol_id_t protocol)
+METHOD(child_sa_t, alloc_spi, u_int32_t,
+	   private_child_sa_t *this, protocol_id_t protocol)
 {
-	if (charon->kernel_interface->get_spi(charon->kernel_interface,
-							this->other_addr, this->my_addr, protocol,
-							this->reqid, &this->my_spi) == SUCCESS)
+	if (hydra->kernel_interface->get_spi(hydra->kernel_interface,
+										 this->other_addr, this->my_addr,
+										 proto_ike2ip(protocol), this->reqid,
+										 &this->my_spi) == SUCCESS)
 	{
 		return this->my_spi;
 	}
 	return 0;
 }
 
-/**
- * Implementation of child_sa_t.alloc_cpi
- */
-static u_int16_t alloc_cpi(private_child_sa_t *this)
+METHOD(child_sa_t, alloc_cpi, u_int16_t,
+	   private_child_sa_t *this)
 {
-	if (charon->kernel_interface->get_cpi(charon->kernel_interface,
-					this->other_addr, this->my_addr, this->reqid,
-					&this->my_cpi) == SUCCESS)
+	if (hydra->kernel_interface->get_cpi(hydra->kernel_interface,
+										 this->other_addr, this->my_addr,
+										 this->reqid, &this->my_cpi) == SUCCESS)
 	{
 		return this->my_cpi;
 	}
 	return 0;
 }
 
-/**
- * Implementation of child_sa_t.install
- */
-static status_t install(private_child_sa_t *this, chunk_t encr, chunk_t integ,
-						u_int32_t spi, u_int16_t cpi, bool inbound,
-						linked_list_t *my_ts, linked_list_t *other_ts)
+METHOD(child_sa_t, install, status_t,
+	   private_child_sa_t *this, chunk_t encr, chunk_t integ, u_int32_t spi,
+	   u_int16_t cpi, bool inbound, linked_list_t *my_ts,
+	   linked_list_t *other_ts)
 {
 	u_int16_t enc_alg = ENCR_UNDEFINED, int_alg = AUTH_UNDEFINED, size;
 	traffic_selector_t *src_ts = NULL, *dst_ts = NULL;
@@ -674,8 +637,8 @@ static status_t install(private_child_sa_t *this, chunk_t encr, chunk_t integ,
 		}
 	}
 
-	status = charon->kernel_interface->add_sa(charon->kernel_interface,
-				src, dst, spi, this->protocol, this->reqid,
+	status = hydra->kernel_interface->add_sa(hydra->kernel_interface,
+				src, dst, spi, proto_ike2ip(this->protocol), this->reqid,
 				inbound ? this->mark_in : this->mark_out,
 				lifetime, enc_alg, encr, int_alg, integ, this->mode,
 				this->ipcomp, cpi, this->encap, update, src_ts, dst_ts);
@@ -685,11 +648,9 @@ static status_t install(private_child_sa_t *this, chunk_t encr, chunk_t integ,
 	return status;
 }
 
-/**
- * Implementation of child_sa_t.add_policies
- */
-static status_t add_policies(private_child_sa_t *this,
-					linked_list_t *my_ts_list, linked_list_t *other_ts_list)
+METHOD(child_sa_t, add_policies, status_t,
+	   private_child_sa_t *this, linked_list_t *my_ts_list,
+	   linked_list_t *other_ts_list)
 {
 	enumerator_t *enumerator;
 	traffic_selector_t *my_ts, *other_ts;
@@ -712,26 +673,55 @@ static status_t add_policies(private_child_sa_t *this,
 
 	if (this->config->install_policy(this->config))
 	{
+		ipsec_sa_cfg_t my_sa = {
+			.mode = this->mode,
+			.reqid = this->reqid,
+			.ipcomp = {
+				.transform = this->ipcomp,
+			},
+		}, other_sa = my_sa;
+
+		my_sa.ipcomp.cpi = this->my_cpi;
+		other_sa.ipcomp.cpi = this->other_cpi;
+
+		if (this->protocol == PROTO_ESP)
+		{
+			my_sa.esp.use = TRUE;
+			my_sa.esp.spi = this->my_spi;
+			other_sa.esp.use = TRUE;
+			other_sa.esp.spi = this->other_spi;
+		}
+		else
+		{
+			my_sa.ah.use = TRUE;
+			my_sa.ah.spi = this->my_spi;
+			other_sa.ah.use = TRUE;
+			other_sa.ah.spi = this->other_spi;
+		}
+
 		/* enumerate pairs of traffic selectors */
 		enumerator = create_policy_enumerator(this);
 		while (enumerator->enumerate(enumerator, &my_ts, &other_ts))
 		{
 			/* install 3 policies: out, in and forward */
-			status |= charon->kernel_interface->add_policy(charon->kernel_interface,
-					this->my_addr, this->other_addr, my_ts, other_ts, POLICY_OUT,
-					this->other_spi, this->protocol, this->reqid, this->mark_out,
-					this->mode, this->ipcomp, this->other_cpi, routed);
-
-			status |= charon->kernel_interface->add_policy(charon->kernel_interface,
-					this->other_addr, this->my_addr, other_ts, my_ts, POLICY_IN,
-					this->my_spi, this->protocol, this->reqid, this->mark_in,
-					this->mode,	this->ipcomp, this->my_cpi, routed);
+			status |= hydra->kernel_interface->add_policy(
+							hydra->kernel_interface,
+							this->my_addr, this->other_addr, my_ts, other_ts,
+							POLICY_OUT, POLICY_IPSEC, &other_sa,
+							this->mark_out, routed);
+
+			status |= hydra->kernel_interface->add_policy(
+							hydra->kernel_interface,
+							this->other_addr, this->my_addr, other_ts, my_ts,
+							POLICY_IN, POLICY_IPSEC, &my_sa,
+							this->mark_in, routed);
 			if (this->mode != MODE_TRANSPORT)
 			{
-				status |= charon->kernel_interface->add_policy(charon->kernel_interface,
-					this->other_addr, this->my_addr, other_ts, my_ts, POLICY_FWD,
-					this->my_spi, this->protocol, this->reqid, this->mark_in,
-					this->mode,	this->ipcomp, this->my_cpi, routed);
+				status |= hydra->kernel_interface->add_policy(
+							hydra->kernel_interface,
+							this->other_addr, this->my_addr, other_ts, my_ts,
+							POLICY_FWD, POLICY_IPSEC, &my_sa,
+							this->mark_in, routed);
 			}
 
 			if (status != SUCCESS)
@@ -749,11 +739,9 @@ static status_t add_policies(private_child_sa_t *this,
 	return status;
 }
 
-/**
- * Implementation of child_sa_t.update.
- */
-static status_t update(private_child_sa_t *this,  host_t *me, host_t *other,
-					   host_t *vip, bool encap)
+METHOD(child_sa_t, update, status_t,
+	   private_child_sa_t *this,  host_t *me, host_t *other, host_t *vip,
+	   bool encap)
 {
 	child_sa_state_t old;
 	bool transport_proxy_mode;
@@ -775,8 +763,8 @@ static status_t update(private_child_sa_t *this,  host_t *me, host_t *other,
 		/* update our (initator) SA */
 		if (this->my_spi)
 		{
-			if (charon->kernel_interface->update_sa(charon->kernel_interface,
-							this->my_spi, this->protocol,
+			if (hydra->kernel_interface->update_sa(hydra->kernel_interface,
+							this->my_spi, proto_ike2ip(this->protocol),
 							this->ipcomp != IPCOMP_NONE ? this->my_cpi : 0,
 							this->other_addr, this->my_addr, other, me,
 							this->encap, encap, this->mark_in) == NOT_SUPPORTED)
@@ -788,8 +776,8 @@ static status_t update(private_child_sa_t *this,  host_t *me, host_t *other,
 		/* update his (responder) SA */
 		if (this->other_spi)
 		{
-			if (charon->kernel_interface->update_sa(charon->kernel_interface,
-							this->other_spi, this->protocol,
+			if (hydra->kernel_interface->update_sa(hydra->kernel_interface,
+							this->other_spi, proto_ike2ip(this->protocol),
 							this->ipcomp != IPCOMP_NONE ? this->other_cpi : 0,
 							this->my_addr, this->other_addr, me, other,
 							this->encap, encap, this->mark_out) == NOT_SUPPORTED)
@@ -801,6 +789,32 @@ static status_t update(private_child_sa_t *this,  host_t *me, host_t *other,
 
 	if (this->config->install_policy(this->config))
 	{
+		ipsec_sa_cfg_t my_sa = {
+			.mode = this->mode,
+			.reqid = this->reqid,
+			.ipcomp = {
+				.transform = this->ipcomp,
+			},
+		}, other_sa = my_sa;
+
+		my_sa.ipcomp.cpi = this->my_cpi;
+		other_sa.ipcomp.cpi = this->other_cpi;
+
+		if (this->protocol == PROTO_ESP)
+		{
+			my_sa.esp.use = TRUE;
+			my_sa.esp.spi = this->my_spi;
+			other_sa.esp.use = TRUE;
+			other_sa.esp.spi = this->other_spi;
+		}
+		else
+		{
+			my_sa.ah.use = TRUE;
+			my_sa.ah.spi = this->my_spi;
+			other_sa.ah.use = TRUE;
+			other_sa.ah.spi = this->other_spi;
+		}
+
 		/* update policies */
 		if (!me->ip_equals(me, this->my_addr) ||
 			!other->ip_equals(other, this->other_addr))
@@ -813,13 +827,13 @@ static status_t update(private_child_sa_t *this,  host_t *me, host_t *other,
 			while (enumerator->enumerate(enumerator, &my_ts, &other_ts))
 			{
 				/* remove old policies first */
-				charon->kernel_interface->del_policy(charon->kernel_interface,
+				hydra->kernel_interface->del_policy(hydra->kernel_interface,
 							my_ts, other_ts, POLICY_OUT, this->mark_out, FALSE);
-				charon->kernel_interface->del_policy(charon->kernel_interface,
+				hydra->kernel_interface->del_policy(hydra->kernel_interface,
 							other_ts, my_ts,  POLICY_IN, this->mark_in, FALSE);
 				if (this->mode != MODE_TRANSPORT)
 				{
-					charon->kernel_interface->del_policy(charon->kernel_interface,
+					hydra->kernel_interface->del_policy(hydra->kernel_interface,
 							other_ts, my_ts, POLICY_FWD, this->mark_in, FALSE);
 				}
 
@@ -839,25 +853,22 @@ static status_t update(private_child_sa_t *this,  host_t *me, host_t *other,
 				 * correctly */
 				if (vip)
 				{
-					charon->kernel_interface->del_ip(charon->kernel_interface, vip);
-					charon->kernel_interface->add_ip(charon->kernel_interface, vip, me);
+					hydra->kernel_interface->del_ip(hydra->kernel_interface, vip);
+					hydra->kernel_interface->add_ip(hydra->kernel_interface, vip, me);
 				}
 
 				/* reinstall updated policies */
-				charon->kernel_interface->add_policy(charon->kernel_interface,
-						me, other, my_ts, other_ts, POLICY_OUT, this->other_spi,
-						this->protocol, this->reqid, this->mark_out, this->mode,
-						this->ipcomp, this->other_cpi, FALSE);
-				charon->kernel_interface->add_policy(charon->kernel_interface,
-						other, me, other_ts, my_ts, POLICY_IN, this->my_spi,
-						this->protocol, this->reqid, this->mark_in, this->mode,
-						this->ipcomp, this->my_cpi, FALSE);
+				hydra->kernel_interface->add_policy(hydra->kernel_interface,
+						me, other, my_ts, other_ts, POLICY_OUT, POLICY_IPSEC,
+						&other_sa, this->mark_out, FALSE);
+				hydra->kernel_interface->add_policy(hydra->kernel_interface,
+						other, me, other_ts, my_ts, POLICY_IN, POLICY_IPSEC,
+						&my_sa, this->mark_in, FALSE);
 				if (this->mode != MODE_TRANSPORT)
 				{
-					charon->kernel_interface->add_policy(charon->kernel_interface,
-						other, me, other_ts, my_ts, POLICY_FWD, this->my_spi,
-						this->protocol, this->reqid, this->mark_in, this->mode,
-						this->ipcomp, this->my_cpi, FALSE);
+					hydra->kernel_interface->add_policy(hydra->kernel_interface,
+						other, me, other_ts, my_ts, POLICY_FWD, POLICY_IPSEC,
+						&my_sa, this->mark_in, FALSE);
 				}
 			}
 			enumerator->destroy(enumerator);
@@ -885,10 +896,8 @@ static status_t update(private_child_sa_t *this,  host_t *me, host_t *other,
 	return SUCCESS;
 }
 
-/**
- * Implementation of child_sa_t.destroy.
- */
-static void destroy(private_child_sa_t *this)
+METHOD(child_sa_t, destroy, void,
+	   private_child_sa_t *this)
 {
 	enumerator_t *enumerator;
 	traffic_selector_t *my_ts, *other_ts;
@@ -905,15 +914,17 @@ static void destroy(private_child_sa_t *this)
 		{
 			this->protocol = PROTO_ESP;
 		}
-		charon->kernel_interface->del_sa(charon->kernel_interface,
+		hydra->kernel_interface->del_sa(hydra->kernel_interface,
 					this->other_addr, this->my_addr, this->my_spi,
-					this->protocol, this->my_cpi, this->mark_in);
+					proto_ike2ip(this->protocol), this->my_cpi,
+					this->mark_in);
 	}
 	if (this->other_spi)
 	{
-		charon->kernel_interface->del_sa(charon->kernel_interface,
+		hydra->kernel_interface->del_sa(hydra->kernel_interface,
 					this->my_addr, this->other_addr, this->other_spi,
-					this->protocol, this->other_cpi, this->mark_out);
+					proto_ike2ip(this->protocol), this->other_cpi,
+					this->mark_out);
 	}
 
 	if (this->config->install_policy(this->config))
@@ -922,14 +933,14 @@ static void destroy(private_child_sa_t *this)
 		enumerator = create_policy_enumerator(this);
 		while (enumerator->enumerate(enumerator, &my_ts, &other_ts))
 		{
-			charon->kernel_interface->del_policy(charon->kernel_interface,
-							my_ts, other_ts, POLICY_OUT, this->mark_out, unrouted);
-			charon->kernel_interface->del_policy(charon->kernel_interface,
-							other_ts, my_ts, POLICY_IN, this->mark_in, unrouted);
+			hydra->kernel_interface->del_policy(hydra->kernel_interface,
+						my_ts, other_ts, POLICY_OUT, this->mark_out, unrouted);
+			hydra->kernel_interface->del_policy(hydra->kernel_interface,
+						other_ts, my_ts, POLICY_IN, this->mark_in, unrouted);
 			if (this->mode != MODE_TRANSPORT)
 			{
-				charon->kernel_interface->del_policy(charon->kernel_interface,
-							other_ts, my_ts, POLICY_FWD, this->mark_in, unrouted);
+				hydra->kernel_interface->del_policy(hydra->kernel_interface,
+						other_ts, my_ts, POLICY_FWD, this->mark_in, unrouted);
 			}
 		}
 		enumerator->destroy(enumerator);
@@ -944,75 +955,66 @@ static void destroy(private_child_sa_t *this)
 	free(this);
 }
 
-/*
+/**
  * Described in header.
  */
 child_sa_t * child_sa_create(host_t *me, host_t* other,
 							 child_cfg_t *config, u_int32_t rekey, bool encap)
 {
 	static u_int32_t reqid = 0;
-	private_child_sa_t *this = malloc_thing(private_child_sa_t);
-
-	/* public functions */
-	this->public.get_name = (char*(*)(child_sa_t*))get_name;
-	this->public.get_reqid = (u_int32_t(*)(child_sa_t*))get_reqid;
-	this->public.get_config = (child_cfg_t*(*)(child_sa_t*))get_config;
-	this->public.get_state = (child_sa_state_t(*)(child_sa_t*))get_state;
-	this->public.set_state = (void(*)(child_sa_t*,child_sa_state_t))set_state;
-	this->public.get_spi = (u_int32_t(*)(child_sa_t*, bool))get_spi;
-	this->public.get_cpi = (u_int16_t(*)(child_sa_t*, bool))get_cpi;
-	this->public.get_protocol = (protocol_id_t(*)(child_sa_t*))get_protocol;
-	this->public.set_protocol = (void(*)(child_sa_t*, protocol_id_t protocol))set_protocol;
-	this->public.get_mode = (ipsec_mode_t(*)(child_sa_t*))get_mode;
-	this->public.set_mode = (void(*)(child_sa_t*, ipsec_mode_t mode))set_mode;
-	this->public.get_proposal = (proposal_t*(*)(child_sa_t*))get_proposal;
-	this->public.set_proposal = (void(*)(child_sa_t*, proposal_t *proposal))set_proposal;
-	this->public.get_lifetime = (time_t(*)(child_sa_t*, bool))get_lifetime;
-	this->public.get_usestats = (void(*)(child_sa_t*,bool,time_t*,u_int64_t*))get_usestats;
-	this->public.has_encap = (bool(*)(child_sa_t*))has_encap;
-	this->public.get_ipcomp = (ipcomp_transform_t(*)(child_sa_t*))get_ipcomp;
-	this->public.set_ipcomp = (void(*)(child_sa_t*,ipcomp_transform_t))set_ipcomp;
-	this->public.get_close_action = (action_t(*)(child_sa_t*))get_close_action;
-	this->public.set_close_action = (void(*)(child_sa_t*,action_t))set_close_action;
-	this->public.get_dpd_action = (action_t(*)(child_sa_t*))get_dpd_action;
-	this->public.set_dpd_action = (void(*)(child_sa_t*,action_t))set_dpd_action;
-	this->public.alloc_spi = (u_int32_t(*)(child_sa_t*, protocol_id_t protocol))alloc_spi;
-	this->public.alloc_cpi = (u_int16_t(*)(child_sa_t*))alloc_cpi;
-	this->public.install = (status_t(*)(child_sa_t*, chunk_t encr, chunk_t integ, u_int32_t spi, u_int16_t cpi, bool inbound, linked_list_t *my_ts_list, linked_list_t *other_ts_list))install;
-	this->public.update = (status_t (*)(child_sa_t*,host_t*,host_t*,host_t*,bool))update;
-	this->public.add_policies = (status_t (*)(child_sa_t*, linked_list_t*,linked_list_t*))add_policies;
-	this->public.get_traffic_selectors = (linked_list_t*(*)(child_sa_t*,bool))get_traffic_selectors;
-	this->public.create_policy_enumerator = (enumerator_t*(*)(child_sa_t*))create_policy_enumerator;
-	this->public.destroy = (void(*)(child_sa_t*))destroy;
-
-	/* private data */
-	this->my_addr = me->clone(me);
-	this->other_addr = other->clone(other);
-	this->my_spi = 0;
-	this->other_spi = 0;
-	this->my_cpi = 0;
-	this->other_cpi = 0;
-	this->encap = encap;
-	this->ipcomp = IPCOMP_NONE;
-	this->state = CHILD_CREATED;
-	this->my_usetime = 0;
-	this->other_usetime = 0;
-	this->my_usebytes = 0;
-	this->other_usebytes = 0;
-	this->my_ts = linked_list_create();
-	this->other_ts = linked_list_create();
-	this->protocol = PROTO_NONE;
-	this->mode = MODE_TUNNEL;
-	this->close_action = config->get_close_action(config);
-	this->dpd_action = config->get_dpd_action(config);
-	this->proposal = NULL;
-	this->rekey_time = 0;
-	this->expire_time = 0;
+	private_child_sa_t *this;
+
+	INIT(this,
+		.public = {
+			.get_name = _get_name,
+			.get_reqid = _get_reqid,
+			.get_config = _get_config,
+			.get_state = _get_state,
+			.set_state = _set_state,
+			.get_spi = _get_spi,
+			.get_cpi = _get_cpi,
+			.get_protocol = _get_protocol,
+			.set_protocol = _set_protocol,
+			.get_mode = _get_mode,
+			.set_mode = _set_mode,
+			.get_proposal = _get_proposal,
+			.set_proposal = _set_proposal,
+			.get_lifetime = _get_lifetime,
+			.get_usestats = _get_usestats,
+			.has_encap = _has_encap,
+			.get_ipcomp = _get_ipcomp,
+			.set_ipcomp = _set_ipcomp,
+			.get_close_action = _get_close_action,
+			.set_close_action = _set_close_action,
+			.get_dpd_action = _get_dpd_action,
+			.set_dpd_action = _set_dpd_action,
+			.alloc_spi = _alloc_spi,
+			.alloc_cpi = _alloc_cpi,
+			.install = _install,
+			.update = _update,
+			.add_policies = _add_policies,
+			.get_traffic_selectors = _get_traffic_selectors,
+			.create_policy_enumerator = _create_policy_enumerator,
+			.destroy = _destroy,
+		},
+		.my_addr = me->clone(me),
+		.other_addr = other->clone(other),
+		.encap = encap,
+		.ipcomp = IPCOMP_NONE,
+		.state = CHILD_CREATED,
+		.my_ts = linked_list_create(),
+		.other_ts = linked_list_create(),
+		.protocol = PROTO_NONE,
+		.mode = MODE_TUNNEL,
+		.close_action = config->get_close_action(config),
+		.dpd_action = config->get_dpd_action(config),
+		.reqid = config->get_reqid(config),
+		.mark_in = config->get_mark(config, TRUE),
+		.mark_out = config->get_mark(config, FALSE),
+	);
+
 	this->config = config;
 	config->get_ref(config);
-	this->reqid = config->get_reqid(config);
-	this->mark_in = config->get_mark(config, TRUE);
-	this->mark_out = config->get_mark(config, FALSE);
 
 	if (!this->reqid)
 	{
diff --git a/src/libcharon/sa/connect_manager.c b/src/libcharon/sa/connect_manager.c
index b78ba070d..1fb286863 100644
--- a/src/libcharon/sa/connect_manager.c
+++ b/src/libcharon/sa/connect_manager.c
@@ -932,7 +932,7 @@ static void update_checklist_state(private_connect_manager_t *this,
 
 		callback_data_t *data = callback_data_create(this, checklist->connect_id);
 		job_t *job = (job_t*)callback_job_create((callback_job_cb_t)initiator_finish, data, (callback_job_cleanup_t)callback_data_destroy, NULL);
-		charon->scheduler->schedule_job_ms(charon->scheduler, job, ME_WAIT_TO_FINISH);
+		lib->scheduler->schedule_job_ms(lib->scheduler, job, ME_WAIT_TO_FINISH);
 		checklist->is_finishing = TRUE;
 	}
 
@@ -1031,7 +1031,7 @@ static void queue_retransmission(private_connect_manager_t *this, check_list_t *
 	DBG2(DBG_IKE, "scheduling retransmission %d of pair '%d' in %dms",
 		 retransmission, pair->id, rto);
 
-	charon->scheduler->schedule_job_ms(charon->scheduler, (job_t*)job, rto);
+	lib->scheduler->schedule_job_ms(lib->scheduler, (job_t*)job, rto);
 }
 
 /**
@@ -1064,7 +1064,7 @@ static void send_check(private_connect_manager_t *this, check_list_t *checklist,
 	DBG2(DBG_IKE, "send ME_CONNECTAUTH %#B", &check->auth);
 
 	packet_t *packet;
-	if (message->generate(message, NULL, NULL, &packet) == SUCCESS)
+	if (message->generate(message, NULL, &packet) == SUCCESS)
 	{
 		charon->sender->send(charon->sender, packet->clone(packet));
 
@@ -1170,7 +1170,7 @@ static void schedule_checks(private_connect_manager_t *this, check_list_t *check
 {
 	callback_data_t *data = callback_data_create(this, checklist->connect_id);
 	checklist->sender = (job_t*)callback_job_create((callback_job_cb_t)sender, data, (callback_job_cleanup_t)callback_data_destroy, NULL);
-	charon->scheduler->schedule_job_ms(charon->scheduler, checklist->sender, time);
+	lib->scheduler->schedule_job_ms(lib->scheduler, checklist->sender, time);
 }
 
 /**
@@ -1222,7 +1222,7 @@ static void finish_checks(private_connect_manager_t *this, check_list_t *checkli
 
 			initiate_data_t *data = initiate_data_create(checklist, initiated);
 			job_t *job = (job_t*)callback_job_create((callback_job_cb_t)initiate_mediated, data, (callback_job_cleanup_t)initiate_data_destroy, NULL);
-			charon->processor->queue_job(charon->processor, job);
+			lib->processor->queue_job(lib->processor, job);
 			return;
 		}
 		else
@@ -1357,7 +1357,7 @@ static void process_request(private_connect_manager_t *this, check_t *check,
  */
 static void process_check(private_connect_manager_t *this, message_t *message)
 {
-	if (message->parse_body(message, NULL, NULL) != SUCCESS)
+	if (message->parse_body(message, NULL) != SUCCESS)
 	{
 		DBG1(DBG_IKE, "%N %s with message ID %d processing failed",
 			 exchange_type_names, message->get_exchange_type(message),
@@ -1477,7 +1477,7 @@ static void check_and_initiate(private_connect_manager_t *this,
 	{
 		job_t *job = (job_t*)reinitiate_mediation_job_create(mediation_sa,
 															 waiting_sa);
-		charon->processor->queue_job(charon->processor, job);
+		lib->processor->queue_job(lib->processor, job);
 	}
 	iterator->destroy(iterator);
 
diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c
index 7536662ca..a4e4028ab 100644
--- a/src/libcharon/sa/ike_sa.c
+++ b/src/libcharon/sa/ike_sa.c
@@ -24,8 +24,8 @@
 #include "ike_sa.h"
 
 #include <library.h>
-#include <daemon.h>
 #include <hydra.h>
+#include <daemon.h>
 #include <utils/linked_list.h>
 #include <utils/lexparser.h>
 #include <sa/task_manager.h>
@@ -470,8 +470,8 @@ METHOD(ike_sa_t, send_keepalive, void,
 		diff = 0;
 	}
 	job = send_keepalive_job_create(this->ike_sa_id);
-	charon->scheduler->schedule_job(charon->scheduler, (job_t*)job,
-									this->keepalive_interval - diff);
+	lib->scheduler->schedule_job(lib->scheduler, (job_t*)job,
+								 this->keepalive_interval - diff);
 }
 
 METHOD(ike_sa_t, get_ike_cfg, ike_cfg_t*,
@@ -605,7 +605,7 @@ METHOD(ike_sa_t, send_dpd, status_t,
 	}
 	/* recheck in "interval" seconds */
 	job = (job_t*)send_dpd_job_create(this->ike_sa_id);
-	charon->scheduler->schedule_job(charon->scheduler, job, delay - diff);
+	lib->scheduler->schedule_job(lib->scheduler, job, delay - diff);
 	return SUCCESS;
 }
 
@@ -644,7 +644,7 @@ METHOD(ike_sa_t, set_state, void,
 				{
 					this->stats[STAT_REKEY] = t + this->stats[STAT_ESTABLISHED];
 					job = (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, FALSE);
-					charon->scheduler->schedule_job(charon->scheduler, job, t);
+					lib->scheduler->schedule_job(lib->scheduler, job, t);
 					DBG1(DBG_IKE, "scheduling rekeying in %ds", t);
 				}
 				t = this->peer_cfg->get_reauth_time(this->peer_cfg);
@@ -653,7 +653,7 @@ METHOD(ike_sa_t, set_state, void,
 				{
 					this->stats[STAT_REAUTH] = t + this->stats[STAT_ESTABLISHED];
 					job = (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE);
-					charon->scheduler->schedule_job(charon->scheduler, job, t);
+					lib->scheduler->schedule_job(lib->scheduler, job, t);
 					DBG1(DBG_IKE, "scheduling reauthentication in %ds", t);
 				}
 				t = this->peer_cfg->get_over_time(this->peer_cfg);
@@ -675,7 +675,7 @@ METHOD(ike_sa_t, set_state, void,
 					this->stats[STAT_DELETE] += t;
 					t = this->stats[STAT_DELETE] - this->stats[STAT_ESTABLISHED];
 					job = (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE);
-					charon->scheduler->schedule_job(charon->scheduler, job, t);
+					lib->scheduler->schedule_job(lib->scheduler, job, t);
 					DBG1(DBG_IKE, "maximum IKE_SA lifetime %ds", t);
 				}
 
@@ -688,8 +688,8 @@ METHOD(ike_sa_t, set_state, void,
 		{
 			/* delete may fail if a packet gets lost, so set a timeout */
 			job_t *job = (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE);
-			charon->scheduler->schedule_job(charon->scheduler, job,
-											HALF_OPEN_IKE_SA_TIMEOUT);
+			lib->scheduler->schedule_job(lib->scheduler, job,
+										 HALF_OPEN_IKE_SA_TIMEOUT);
 			break;
 		}
 		default:
@@ -730,14 +730,14 @@ METHOD(ike_sa_t, set_virtual_ip, void,
 	if (local)
 	{
 		DBG1(DBG_IKE, "installing new virtual IP %H", ip);
-		if (charon->kernel_interface->add_ip(charon->kernel_interface, ip,
-											 this->my_host) == SUCCESS)
+		if (hydra->kernel_interface->add_ip(hydra->kernel_interface, ip,
+											this->my_host) == SUCCESS)
 		{
 			if (this->my_virtual_ip)
 			{
 				DBG1(DBG_IKE, "removing old virtual IP %H", this->my_virtual_ip);
-				charon->kernel_interface->del_ip(charon->kernel_interface,
-												 this->my_virtual_ip);
+				hydra->kernel_interface->del_ip(hydra->kernel_interface,
+												this->my_virtual_ip);
 			}
 			DESTROY_IF(this->my_virtual_ip);
 			this->my_virtual_ip = ip->clone(ip);
@@ -810,6 +810,20 @@ METHOD(ike_sa_t, get_pending_updates, u_int32_t,
 	return this->pending_updates;
 }
 
+METHOD(ike_sa_t, float_ports, void,
+	   private_ike_sa_t *this)
+{
+	/* do not switch if we have a custom port from MOBIKE/NAT */
+	if (this->my_host->get_port(this->my_host) == IKEV2_UDP_PORT)
+	{
+		this->my_host->set_port(this->my_host, IKEV2_NATT_PORT);
+	}
+	if (this->other_host->get_port(this->other_host) == IKEV2_UDP_PORT)
+	{
+		this->other_host->set_port(this->other_host, IKEV2_NATT_PORT);
+	}
+}
+
 METHOD(ike_sa_t, update_hosts, void,
 	private_ike_sa_t *this, host_t *me, host_t *other)
 {
@@ -843,10 +857,8 @@ METHOD(ike_sa_t, update_hosts, void,
 
 		if (!other->equals(other, this->other_host))
 		{
-			/* update others adress if we are NOT NATed,
-			 * and allow port changes if we are NATed */
-			if (!has_condition(this, COND_NAT_HERE) ||
-				other->ip_equals(other, this->other_host))
+			/* update others adress if we are NOT NATed */
+			if (!has_condition(this, COND_NAT_HERE))
 			{
 				set_other_host(this, other->clone(other));
 				update = TRUE;
@@ -882,8 +894,7 @@ METHOD(ike_sa_t, generate_message, status_t,
 	this->stats[STAT_OUTBOUND] = time_monotonic(NULL);
 	message->set_ike_sa_id(message, this->ike_sa_id);
 	return message->generate(message,
-				this->keymat->get_crypter(this->keymat, FALSE),
-				this->keymat->get_signer(this->keymat, FALSE), packet);
+				this->keymat->get_aead(this->keymat, FALSE), packet);
 }
 
 /**
@@ -1049,8 +1060,8 @@ static void resolve_hosts(private_ike_sa_t *this)
 			!this->other_host->is_anyaddr(this->other_host))
 		{
 			host->destroy(host);
-			host = charon->kernel_interface->get_source_addr(
-							charon->kernel_interface, this->other_host, NULL);
+			host = hydra->kernel_interface->get_source_addr(
+							hydra->kernel_interface, this->other_host, NULL);
 			if (host)
 			{
 				host->set_port(host, this->ike_cfg->get_my_port(this->ike_cfg));
@@ -1150,7 +1161,7 @@ METHOD(ike_sa_t, initiate, status_t,
 		{
 			/* mediated connection, initiate mediation process */
 			job_t *job = (job_t*)initiate_mediation_job_create(this->ike_sa_id);
-			charon->processor->queue_job(charon->processor, job);
+			lib->processor->queue_job(lib->processor, job);
 			return SUCCESS;
 		}
 #endif /* ME */
@@ -1173,8 +1184,7 @@ METHOD(ike_sa_t, process_message, status_t,
 	is_request = message->get_request(message);
 
 	status = message->parse_body(message,
-								 this->keymat->get_crypter(this->keymat, TRUE),
-								 this->keymat->get_signer(this->keymat, TRUE));
+								 this->keymat->get_aead(this->keymat, TRUE));
 	if (status != SUCCESS)
 	{
 
@@ -1229,15 +1239,12 @@ METHOD(ike_sa_t, process_message, status_t,
 	}
 	else
 	{
-		host_t *me, *other;
-
-		me = message->get_destination(message);
-		other = message->get_source(message);
-
 		/* if this IKE_SA is virgin, we check for a config */
 		if (this->ike_cfg == NULL)
 		{
 			job_t *job;
+			host_t *me = message->get_destination(message),
+				   *other = message->get_source(message);
 			this->ike_cfg = charon->backends->get_ike_cfg(charon->backends,
 														  me, other);
 			if (this->ike_cfg == NULL)
@@ -1250,20 +1257,12 @@ METHOD(ike_sa_t, process_message, status_t,
 			}
 			/* add a timeout if peer does not establish it completely */
 			job = (job_t*)delete_ike_sa_job_create(this->ike_sa_id, FALSE);
-			charon->scheduler->schedule_job(charon->scheduler, job,
-											HALF_OPEN_IKE_SA_TIMEOUT);
+			lib->scheduler->schedule_job(lib->scheduler, job,
+										 HALF_OPEN_IKE_SA_TIMEOUT);
 		}
 		this->stats[STAT_INBOUND] = time_monotonic(NULL);
-		/* check if message is trustworthy, and update host information */
-		if (this->state == IKE_CREATED || this->state == IKE_CONNECTING ||
-			message->get_exchange_type(message) != IKE_SA_INIT)
-		{
-			if (!supports_extension(this, EXT_MOBIKE))
-			{	/* with MOBIKE, we do no implicit updates */
-				update_hosts(this, me, other);
-			}
-		}
-		status = this->task_manager->process_message(this->task_manager, message);
+		status = this->task_manager->process_message(this->task_manager,
+													 message);
 		if (message->get_exchange_type(message) == IKE_AUTH &&
 			this->state == IKE_ESTABLISHED &&
 			lib->settings->get_bool(lib->settings,
@@ -1697,7 +1696,7 @@ METHOD(ike_sa_t, set_auth_lifetime, void,
 	{
 		DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, starting reauthentication",
 			 lifetime);
-		charon->processor->queue_job(charon->processor,
+		lib->processor->queue_job(lib->processor,
 					(job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE));
 	}
 	else if (this->stats[STAT_REAUTH] == 0 ||
@@ -1706,7 +1705,7 @@ METHOD(ike_sa_t, set_auth_lifetime, void,
 		this->stats[STAT_REAUTH] = reauth_time;
 		DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, scheduling reauthentication"
 			 " in %ds", lifetime, lifetime - reduction);
-		charon->scheduler->schedule_job(charon->scheduler,
+		lib->scheduler->schedule_job(lib->scheduler,
 						(job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE),
 						lifetime - reduction);
 	}
@@ -1718,10 +1717,65 @@ METHOD(ike_sa_t, set_auth_lifetime, void,
 	}
 }
 
+/**
+ * Check if the current combination of source and destination address is still
+ * valid.
+ */
+static bool is_current_path_valid(private_ike_sa_t *this)
+{
+	bool valid = FALSE;
+	host_t *src;
+	src = hydra->kernel_interface->get_source_addr(hydra->kernel_interface,
+											this->other_host, this->my_host);
+	if (src)
+	{
+		if (src->ip_equals(src, this->my_host))
+		{
+			valid = TRUE;
+		}
+		src->destroy(src);
+	}
+	return valid;
+}
+
+/**
+ * Check if we have any path avialable for this IKE SA.
+ */
+static bool is_any_path_valid(private_ike_sa_t *this)
+{
+	bool valid = FALSE;
+	enumerator_t *enumerator;
+	host_t *src, *addr;
+	DBG1(DBG_IKE, "old path is not available anymore, try to find another");
+	src = hydra->kernel_interface->get_source_addr(hydra->kernel_interface,
+												   this->other_host, NULL);
+	if (!src)
+	{
+		enumerator = this->additional_addresses->create_enumerator(
+												this->additional_addresses);
+		while (enumerator->enumerate(enumerator, &addr))
+		{
+			DBG1(DBG_IKE, "looking for a route to %H ...", addr);
+			src = hydra->kernel_interface->get_source_addr(
+									hydra->kernel_interface, addr, NULL);
+			if (src)
+			{
+				break;
+			}
+		}
+		enumerator->destroy(enumerator);
+	}
+	if (src)
+	{
+		valid = TRUE;
+		src->destroy(src);
+	}
+	return valid;
+}
+
 METHOD(ike_sa_t, roam, status_t,
 	private_ike_sa_t *this, bool address)
 {
-	host_t *src;
 	ike_mobike_t *mobike;
 
 	switch (this->state)
@@ -1734,81 +1788,61 @@ METHOD(ike_sa_t, roam, status_t,
 		default:
 			break;
 	}
-	/* responder just updates the peer about changed address config */
-	if (!this->ike_sa_id->is_initiator(this->ike_sa_id))
+
+	/* keep existing path if possible */
+	if (is_current_path_valid(this))
 	{
+		DBG2(DBG_IKE, "keeping connection path %H - %H",
+			 this->my_host, this->other_host);
+		set_condition(this, COND_STALE, FALSE);
+
 		if (supports_extension(this, EXT_MOBIKE) && address)
-		{
+		{	/* if any addresses changed, send an updated list */
 			DBG1(DBG_IKE, "sending address list update using MOBIKE");
 			mobike = ike_mobike_create(&this->public, TRUE);
-			this->task_manager->queue_task(this->task_manager, (task_t*)mobike);
+			mobike->addresses(mobike);
+			this->task_manager->queue_task(this->task_manager,
+										   (task_t*)mobike);
 			return this->task_manager->initiate(this->task_manager);
 		}
 		return SUCCESS;
 	}
 
-	/* keep existing path if possible */
-	src = charon->kernel_interface->get_source_addr(charon->kernel_interface,
-											this->other_host, this->my_host);
-	if (src)
+	if (!is_any_path_valid(this))
 	{
-		if (src->ip_equals(src, this->my_host))
-		{
-			DBG2(DBG_IKE, "keeping connection path %H - %H",
-				 src, this->other_host);
-			src->destroy(src);
-			set_condition(this, COND_STALE, FALSE);
-			return SUCCESS;
-		}
-		src->destroy(src);
-
-	}
-	else
-	{
-		/* check if we find a route at all */
-		enumerator_t *enumerator;
-		host_t *addr;
-
-		src = charon->kernel_interface->get_source_addr(charon->kernel_interface,
-														this->other_host, NULL);
-		if (!src)
-		{
-			enumerator = this->additional_addresses->create_enumerator(
-													this->additional_addresses);
-			while (enumerator->enumerate(enumerator, &addr))
-			{
-				DBG1(DBG_IKE, "looking for a route to %H ...", addr);
-				src = charon->kernel_interface->get_source_addr(
-										charon->kernel_interface, addr, NULL);
-				if (src)
-				{
-					break;
-				}
-			}
-			enumerator->destroy(enumerator);
-		}
-		if (!src)
-		{
-			DBG1(DBG_IKE, "no route found to reach %H, MOBIKE update deferred",
-				 this->other_host);
-			set_condition(this, COND_STALE, TRUE);
-			return SUCCESS;
-		}
-		src->destroy(src);
+		DBG1(DBG_IKE, "no route found to reach %H, MOBIKE update deferred",
+			 this->other_host);
+		set_condition(this, COND_STALE, TRUE);
+		return SUCCESS;
 	}
 	set_condition(this, COND_STALE, FALSE);
 
 	/* update addresses with mobike, if supported ... */
 	if (supports_extension(this, EXT_MOBIKE))
 	{
-		DBG1(DBG_IKE, "requesting address change using MOBIKE");
+		if (!has_condition(this, COND_ORIGINAL_INITIATOR))
+		{	/* responder updates the peer about changed address config */
+			DBG1(DBG_IKE, "sending address list update using MOBIKE, "
+				 "implicitly requesting an address change");
+			address = TRUE;
+		}
+		else
+		{
+			DBG1(DBG_IKE, "requesting address change using MOBIKE");
+		}
 		mobike = ike_mobike_create(&this->public, TRUE);
 		mobike->roam(mobike, address);
 		this->task_manager->queue_task(this->task_manager, (task_t*)mobike);
 		return this->task_manager->initiate(this->task_manager);
 	}
-	DBG1(DBG_IKE, "reauthenticating IKE_SA due to address change");
+
 	/* ... reauth if not */
+	if (!has_condition(this, COND_ORIGINAL_INITIATOR))
+	{	/* responder does not reauthenticate */
+		set_condition(this, COND_STALE, TRUE);
+		return SUCCESS;
+	}
+	DBG1(DBG_IKE, "reauthenticating IKE_SA due to address change");
 	return reauth(this);
 }
 
@@ -1907,9 +1941,9 @@ METHOD(ike_sa_t, inherit, status_t,
 		this->stats[STAT_DELETE] = this->stats[STAT_REAUTH] + delete;
 		DBG1(DBG_IKE, "rescheduling reauthentication in %ds after rekeying, "
 			 "lifetime reduced to %ds", reauth, delete);
-		charon->scheduler->schedule_job(charon->scheduler,
+		lib->scheduler->schedule_job(lib->scheduler,
 				(job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE), reauth);
-		charon->scheduler->schedule_job(charon->scheduler,
+		lib->scheduler->schedule_job(lib->scheduler,
 				(job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE), delete);
 	}
 	/* we have to initate here, there may be new tasks to handle */
@@ -1946,8 +1980,8 @@ METHOD(ike_sa_t, destroy, void,
 
 	if (this->my_virtual_ip)
 	{
-		charon->kernel_interface->del_ip(charon->kernel_interface,
-										 this->my_virtual_ip);
+		hydra->kernel_interface->del_ip(hydra->kernel_interface,
+										this->my_virtual_ip);
 		this->my_virtual_ip->destroy(this->my_virtual_ip);
 	}
 	if (this->other_virtual_ip)
@@ -2025,6 +2059,7 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
 			.get_other_host = _get_other_host,
 			.set_other_host = _set_other_host,
 			.set_message_id = _set_message_id,
+			.float_ports = _float_ports,
 			.update_hosts = _update_hosts,
 			.get_my_id = _get_my_id,
 			.set_my_id = _set_my_id,
diff --git a/src/libcharon/sa/ike_sa.h b/src/libcharon/sa/ike_sa.h
index 34842a573..c0007e27d 100644
--- a/src/libcharon/sa/ike_sa.h
+++ b/src/libcharon/sa/ike_sa.h
@@ -328,6 +328,14 @@ struct ike_sa_t {
 	 */
 	void (*set_other_host) (ike_sa_t *this, host_t *other);
 
+	/**
+	 * Float to port 4500 (e.g. if a NAT is detected).
+	 *
+	 * The port of either endpoint is changed only if it is currently
+	 * set to the default value of 500.
+	 */
+	void (*float_ports)(ike_sa_t *this);
+
 	/**
 	 * Update the IKE_SAs host.
 	 *
diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c
index c71c3b297..fa94bb86d 100644
--- a/src/libcharon/sa/ike_sa_manager.c
+++ b/src/libcharon/sa/ike_sa_manager.c
@@ -1613,6 +1613,9 @@ static void flush(private_ike_sa_manager_t *this)
 	enumerator->destroy(enumerator);
 	charon->bus->set_sa(charon->bus, NULL);
 	unlock_all_segments(this);
+
+	this->rng->destroy(this->rng);
+	this->hasher->destroy(this->hasher);
 }
 
 /**
@@ -1652,8 +1655,6 @@ static void destroy(private_ike_sa_manager_t *this)
 	free(this->half_open_segments);
 	free(this->connected_peers_segments);
 
-	this->rng->destroy(this->rng);
-	this->hasher->destroy(this->hasher);
 	free(this);
 }
 
diff --git a/src/libcharon/sa/ike_sa_manager.h b/src/libcharon/sa/ike_sa_manager.h
index 38f5454e1..f4eabf808 100644
--- a/src/libcharon/sa/ike_sa_manager.h
+++ b/src/libcharon/sa/ike_sa_manager.h
@@ -199,6 +199,8 @@ struct ike_sa_manager_t {
 	 * Delete all existing IKE_SAs and destroy them immediately.
 	 *
 	 * Threads will be driven out, so all SAs can be deleted cleanly.
+	 * To a flush(), an immediate call to destroy() is mandatory; no other
+	 * method may be used.
 	 */
 	void (*flush)(ike_sa_manager_t *this);
 
diff --git a/src/libcharon/sa/keymat.c b/src/libcharon/sa/keymat.c
index 837cbe428..878ad124f 100644
--- a/src/libcharon/sa/keymat.c
+++ b/src/libcharon/sa/keymat.c
@@ -36,24 +36,14 @@ struct private_keymat_t {
 	bool initiator;
 
 	/**
-	 * inbound signer (verify)
+	 * inbound AEAD
 	 */
-	signer_t *signer_in;
+	aead_t *aead_in;
 
 	/**
-	 * outbound signer (sign)
+	 * outbound AEAD
 	 */
-	signer_t *signer_out;
-
-	/**
-	 * inbound crypter (decrypt)
-	 */
-	crypter_t *crypter_in;
-
-	/**
-	 * outbound crypter (encrypt)
-	 */
-	crypter_t *crypter_out;
+	aead_t *aead_out;
 
 	/**
 	 * General purpose PRF
@@ -134,30 +124,135 @@ static int lookup_keylen(keylen_entry_t *list, int algo)
 	return 0;
 }
 
+METHOD(keymat_t, create_dh, diffie_hellman_t*,
+	private_keymat_t *this, diffie_hellman_group_t group)
+{
+	return lib->crypto->create_dh(lib->crypto, group);;
+}
+
 /**
- * Implementation of keymat_t.create_dh
+ * Derive IKE keys for a combined AEAD algorithm
  */
-static diffie_hellman_t* create_dh(private_keymat_t *this,
-								   diffie_hellman_group_t group)
+static bool derive_ike_aead(private_keymat_t *this, u_int16_t alg,
+							u_int16_t key_size, prf_plus_t *prf_plus)
 {
-	return lib->crypto->create_dh(lib->crypto, group);;
+	aead_t *aead_i, *aead_r;
+	chunk_t key;
+
+	/* SK_ei/SK_er used for encryption */
+	aead_i = lib->crypto->create_aead(lib->crypto, alg, key_size / 8);
+	aead_r = lib->crypto->create_aead(lib->crypto, alg, key_size / 8);
+	if (aead_i == NULL || aead_r == NULL)
+	{
+		DBG1(DBG_IKE, "%N %N (key size %d) not supported!",
+			 transform_type_names, ENCRYPTION_ALGORITHM,
+			 encryption_algorithm_names, alg, key_size);
+		return FALSE;
+	}
+	key_size = aead_i->get_key_size(aead_i);
+
+	prf_plus->allocate_bytes(prf_plus, key_size, &key);
+	DBG4(DBG_IKE, "Sk_ei secret %B", &key);
+	aead_i->set_key(aead_i, key);
+	chunk_clear(&key);
+
+	prf_plus->allocate_bytes(prf_plus, key_size, &key);
+	DBG4(DBG_IKE, "Sk_er secret %B", &key);
+	aead_r->set_key(aead_r, key);
+	chunk_clear(&key);
+
+	if (this->initiator)
+	{
+		this->aead_in = aead_r;
+		this->aead_out = aead_i;
+	}
+	else
+	{
+		this->aead_in = aead_i;
+		this->aead_out = aead_r;
+	}
+	return TRUE;
 }
 
 /**
- * Implementation of keymat_t.derive_keys
+ * Derive IKE keys for traditional encryption and MAC algorithms
  */
-static bool derive_ike_keys(private_keymat_t *this, proposal_t *proposal,
-							diffie_hellman_t *dh, chunk_t nonce_i,
-							chunk_t nonce_r, ike_sa_id_t *id,
-							pseudo_random_function_t rekey_function,
-							chunk_t rekey_skd)
+static bool derive_ike_traditional(private_keymat_t *this, u_int16_t enc_alg,
+					u_int16_t enc_size, u_int16_t int_alg, prf_plus_t *prf_plus)
 {
-	chunk_t skeyseed, key, secret, full_nonce, fixed_nonce, prf_plus_seed;
-	chunk_t spi_i, spi_r;
 	crypter_t *crypter_i, *crypter_r;
 	signer_t *signer_i, *signer_r;
+	size_t key_size;
+	chunk_t key;
+
+	/* SK_ai/SK_ar used for integrity protection */
+	signer_i = lib->crypto->create_signer(lib->crypto, int_alg);
+	signer_r = lib->crypto->create_signer(lib->crypto, int_alg);
+	if (signer_i == NULL || signer_r == NULL)
+	{
+		DBG1(DBG_IKE, "%N %N not supported!",
+			 transform_type_names, INTEGRITY_ALGORITHM,
+			 integrity_algorithm_names, int_alg);
+		return FALSE;
+	}
+	key_size = signer_i->get_key_size(signer_i);
+
+	prf_plus->allocate_bytes(prf_plus, key_size, &key);
+	DBG4(DBG_IKE, "Sk_ai secret %B", &key);
+	signer_i->set_key(signer_i, key);
+	chunk_clear(&key);
+
+	prf_plus->allocate_bytes(prf_plus, key_size, &key);
+	DBG4(DBG_IKE, "Sk_ar secret %B", &key);
+	signer_r->set_key(signer_r, key);
+	chunk_clear(&key);
+
+	/* SK_ei/SK_er used for encryption */
+	crypter_i = lib->crypto->create_crypter(lib->crypto, enc_alg, enc_size / 8);
+	crypter_r = lib->crypto->create_crypter(lib->crypto, enc_alg, enc_size / 8);
+	if (crypter_i == NULL || crypter_r == NULL)
+	{
+		DBG1(DBG_IKE, "%N %N (key size %d) not supported!",
+			 transform_type_names, ENCRYPTION_ALGORITHM,
+			 encryption_algorithm_names, enc_alg, key_size);
+		signer_i->destroy(signer_i);
+		signer_r->destroy(signer_r);
+		return FALSE;
+	}
+	key_size = crypter_i->get_key_size(crypter_i);
+
+	prf_plus->allocate_bytes(prf_plus, key_size, &key);
+	DBG4(DBG_IKE, "Sk_ei secret %B", &key);
+	crypter_i->set_key(crypter_i, key);
+	chunk_clear(&key);
+
+	prf_plus->allocate_bytes(prf_plus, key_size, &key);
+	DBG4(DBG_IKE, "Sk_er secret %B", &key);
+	crypter_r->set_key(crypter_r, key);
+	chunk_clear(&key);
+
+	if (this->initiator)
+	{
+		this->aead_in = aead_create(crypter_r, signer_r);
+		this->aead_out = aead_create(crypter_i, signer_i);
+	}
+	else
+	{
+		this->aead_in = aead_create(crypter_i, signer_i);
+		this->aead_out = aead_create(crypter_r, signer_r);
+	}
+	return TRUE;
+}
+
+METHOD(keymat_t, derive_ike_keys, bool,
+	private_keymat_t *this, proposal_t *proposal, diffie_hellman_t *dh,
+	chunk_t nonce_i, chunk_t nonce_r, ike_sa_id_t *id,
+	pseudo_random_function_t rekey_function, chunk_t rekey_skd)
+{
+	chunk_t skeyseed, key, secret, full_nonce, fixed_nonce, prf_plus_seed;
+	chunk_t spi_i, spi_r;
 	prf_plus_t *prf_plus;
-	u_int16_t alg, key_size;
+	u_int16_t alg, key_size, int_alg;
 	prf_t *rekey_prf = NULL;
 
 	spi_i = chunk_alloca(sizeof(u_int64_t));
@@ -195,6 +290,9 @@ static bool derive_ike_keys(private_keymat_t *this, proposal_t *proposal,
 			/* while rfc4434 defines variable keys for AES-XCBC, rfc3664 does
 			 * not and therefore fixed key semantics apply to XCBC for key
 			 * derivation. */
+		case PRF_CAMELLIA128_XCBC:
+			/* draft-kanno-ipsecme-camellia-xcbc refers to rfc 4434, we
+			 * assume fixed key length. */
 			key_size = this->prf->get_key_size(this->prf)/2;
 			nonce_i.len = min(nonce_i.len, key_size);
 			nonce_r.len = min(nonce_r.len, key_size);
@@ -255,50 +353,6 @@ static bool derive_ike_keys(private_keymat_t *this, proposal_t *proposal,
 	prf_plus->allocate_bytes(prf_plus, key_size, &this->skd);
 	DBG4(DBG_IKE, "Sk_d secret %B", &this->skd);
 
-	/* SK_ai/SK_ar used for integrity protection => signer_in/signer_out */
-	if (!proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM, &alg, NULL))
-	{
-		DBG1(DBG_IKE, "no %N selected",
-			 transform_type_names, INTEGRITY_ALGORITHM);
-		prf_plus->destroy(prf_plus);
-		DESTROY_IF(rekey_prf);
-		return FALSE;
-	}
-	signer_i = lib->crypto->create_signer(lib->crypto, alg);
-	signer_r = lib->crypto->create_signer(lib->crypto, alg);
-	if (signer_i == NULL || signer_r == NULL)
-	{
-		DBG1(DBG_IKE, "%N %N not supported!",
-			 transform_type_names, INTEGRITY_ALGORITHM,
-			 integrity_algorithm_names ,alg);
-		prf_plus->destroy(prf_plus);
-		DESTROY_IF(rekey_prf);
-		return FALSE;
-	}
-	key_size = signer_i->get_key_size(signer_i);
-
-	prf_plus->allocate_bytes(prf_plus, key_size, &key);
-	DBG4(DBG_IKE, "Sk_ai secret %B", &key);
-	signer_i->set_key(signer_i, key);
-	chunk_clear(&key);
-
-	prf_plus->allocate_bytes(prf_plus, key_size, &key);
-	DBG4(DBG_IKE, "Sk_ar secret %B", &key);
-	signer_r->set_key(signer_r, key);
-	chunk_clear(&key);
-
-	if (this->initiator)
-	{
-		this->signer_in = signer_r;
-		this->signer_out = signer_i;
-	}
-	else
-	{
-		this->signer_in = signer_i;
-		this->signer_out = signer_r;
-	}
-
-	/* SK_ei/SK_er used for encryption => crypter_in/crypter_out */
 	if (!proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, &alg, &key_size))
 	{
 		DBG1(DBG_IKE, "no %N selected",
@@ -307,38 +361,33 @@ static bool derive_ike_keys(private_keymat_t *this, proposal_t *proposal,
 		DESTROY_IF(rekey_prf);
 		return FALSE;
 	}
-	crypter_i = lib->crypto->create_crypter(lib->crypto, alg, key_size / 8);
-	crypter_r = lib->crypto->create_crypter(lib->crypto, alg, key_size / 8);
-	if (crypter_i == NULL || crypter_r == NULL)
-	{
-		DBG1(DBG_IKE, "%N %N (key size %d) not supported!",
-			 transform_type_names, ENCRYPTION_ALGORITHM,
-			 encryption_algorithm_names, alg, key_size);
-		prf_plus->destroy(prf_plus);
-		DESTROY_IF(rekey_prf);
-		return FALSE;
-	}
-	key_size = crypter_i->get_key_size(crypter_i);
 
-	prf_plus->allocate_bytes(prf_plus, key_size, &key);
-	DBG4(DBG_IKE, "Sk_ei secret %B", &key);
-	crypter_i->set_key(crypter_i, key);
-	chunk_clear(&key);
-
-	prf_plus->allocate_bytes(prf_plus, key_size, &key);
-	DBG4(DBG_IKE, "Sk_er secret %B", &key);
-	crypter_r->set_key(crypter_r, key);
-	chunk_clear(&key);
-
-	if (this->initiator)
+	if (encryption_algorithm_is_aead(alg))
 	{
-		this->crypter_in = crypter_r;
-		this->crypter_out = crypter_i;
+		if (!derive_ike_aead(this, alg, key_size, prf_plus))
+		{
+			prf_plus->destroy(prf_plus);
+			DESTROY_IF(rekey_prf);
+			return FALSE;
+		}
 	}
 	else
 	{
-		this->crypter_in = crypter_i;
-		this->crypter_out = crypter_r;
+		if (!proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM,
+									 &int_alg, NULL))
+		{
+			DBG1(DBG_IKE, "no %N selected",
+				 transform_type_names, INTEGRITY_ALGORITHM);
+			prf_plus->destroy(prf_plus);
+			DESTROY_IF(rekey_prf);
+			return FALSE;
+		}
+		if (!derive_ike_traditional(this, alg, key_size, int_alg, prf_plus))
+		{
+			prf_plus->destroy(prf_plus);
+			DESTROY_IF(rekey_prf);
+			return FALSE;
+		}
 	}
 
 	/* SK_pi/SK_pr used for authentication => stored for later */
@@ -371,14 +420,10 @@ static bool derive_ike_keys(private_keymat_t *this, proposal_t *proposal,
 	return TRUE;
 }
 
-/**
- * Implementation of keymat_t.derive_child_keys
- */
-static bool derive_child_keys(private_keymat_t *this,
-							  proposal_t *proposal, diffie_hellman_t *dh,
-							  chunk_t nonce_i, chunk_t nonce_r,
-							  chunk_t *encr_i, chunk_t *integ_i,
-							  chunk_t *encr_r, chunk_t *integ_r)
+METHOD(keymat_t, derive_child_keys, bool,
+	private_keymat_t *this, proposal_t *proposal, diffie_hellman_t *dh,
+	chunk_t nonce_i, chunk_t nonce_r, chunk_t *encr_i, chunk_t *integ_i,
+	chunk_t *encr_r, chunk_t *integ_r)
 {
 	u_int16_t enc_alg, int_alg, enc_size = 0, int_size = 0;
 	chunk_t seed, secret = chunk_empty;
@@ -480,37 +525,22 @@ static bool derive_child_keys(private_keymat_t *this,
 	return TRUE;
 }
 
-/**
- * Implementation of keymat_t.get_skd
- */
-static pseudo_random_function_t get_skd(private_keymat_t *this, chunk_t *skd)
+METHOD(keymat_t, get_skd, pseudo_random_function_t,
+	private_keymat_t *this, chunk_t *skd)
 {
 	*skd = this->skd;
 	return this->prf_alg;
 }
 
-/**
- * Implementation of keymat_t.get_signer
- */
-static signer_t* get_signer(private_keymat_t *this, bool in)
-{
-	return in ? this->signer_in : this->signer_out;
-}
-
-/**
- * Implementation of keymat_t.get_crypter
- */
-static crypter_t* get_crypter(private_keymat_t *this, bool in)
+METHOD(keymat_t, get_aead, aead_t*,
+	private_keymat_t *this, bool in)
 {
-	return in ? this->crypter_in : this->crypter_out;
+	return in ? this->aead_in : this->aead_out;
 }
 
-/**
- * Implementation of keymat_t.get_auth_octets
- */
-static chunk_t get_auth_octets(private_keymat_t *this, bool verify,
-							   chunk_t ike_sa_init, chunk_t nonce,
-							   identification_t *id)
+METHOD(keymat_t, get_auth_octets, chunk_t,
+	private_keymat_t *this, bool verify, chunk_t ike_sa_init,
+	chunk_t nonce, identification_t *id)
 {
 	chunk_t chunk, idx, octets;
 	chunk_t skp;
@@ -538,12 +568,9 @@ static chunk_t get_auth_octets(private_keymat_t *this, bool verify,
 #define IKEV2_KEY_PAD "Key Pad for IKEv2"
 #define IKEV2_KEY_PAD_LENGTH 17
 
-/**
- * Implementation of keymat_t.get_psk_sig
- */
-static chunk_t get_psk_sig(private_keymat_t *this, bool verify,
-						   chunk_t ike_sa_init, chunk_t nonce, chunk_t secret,
-						   identification_t *id)
+METHOD(keymat_t, get_psk_sig, chunk_t,
+	private_keymat_t *this, bool verify, chunk_t ike_sa_init,
+	chunk_t nonce, chunk_t secret, identification_t *id)
 {
 	chunk_t key_pad, key, sig, octets;
 
@@ -567,15 +594,11 @@ static chunk_t get_psk_sig(private_keymat_t *this, bool verify,
 	return sig;
 }
 
-/**
- * Implementation of keymat_t.destroy.
- */
-static void destroy(private_keymat_t *this)
+METHOD(keymat_t, destroy, void,
+	private_keymat_t *this)
 {
-	DESTROY_IF(this->signer_in);
-	DESTROY_IF(this->signer_out);
-	DESTROY_IF(this->crypter_in);
-	DESTROY_IF(this->crypter_out);
+	DESTROY_IF(this->aead_in);
+	DESTROY_IF(this->aead_out);
 	DESTROY_IF(this->prf);
 	chunk_clear(&this->skd);
 	chunk_clear(&this->skp_verify);
@@ -588,29 +611,22 @@ static void destroy(private_keymat_t *this)
  */
 keymat_t *keymat_create(bool initiator)
 {
-	private_keymat_t *this = malloc_thing(private_keymat_t);
-
-	this->public.create_dh = (diffie_hellman_t*(*)(keymat_t*, diffie_hellman_group_t group))create_dh;
-	this->public.derive_ike_keys = (bool(*)(keymat_t*, proposal_t *proposal, diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r, ike_sa_id_t *id, pseudo_random_function_t,chunk_t))derive_ike_keys;
-	this->public.derive_child_keys = (bool(*)(keymat_t*, proposal_t *proposal, diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r, chunk_t *encr_i, chunk_t *integ_i, chunk_t *encr_r, chunk_t *integ_r))derive_child_keys;
-	this->public.get_skd = (pseudo_random_function_t(*)(keymat_t*, chunk_t *skd))get_skd;
-	this->public.get_signer = (signer_t*(*)(keymat_t*, bool in))get_signer;
-	this->public.get_crypter = (crypter_t*(*)(keymat_t*, bool in))get_crypter;
-	this->public.get_auth_octets = (chunk_t(*)(keymat_t *, bool verify, chunk_t ike_sa_init, chunk_t nonce, identification_t *id))get_auth_octets;
-	this->public.get_psk_sig = (chunk_t(*)(keymat_t*, bool verify, chunk_t ike_sa_init, chunk_t nonce, chunk_t secret, identification_t *id))get_psk_sig;
-	this->public.destroy = (void(*)(keymat_t*))destroy;
-
-	this->initiator = initiator;
-
-	this->signer_in = NULL;
-	this->signer_out = NULL;
-	this->crypter_in = NULL;
-	this->crypter_out = NULL;
-	this->prf = NULL;
-	this->prf_alg = PRF_UNDEFINED;
-	this->skd = chunk_empty;
-	this->skp_verify = chunk_empty;
-	this->skp_build = chunk_empty;
+	private_keymat_t *this;
+
+	INIT(this,
+		.public = {
+			.create_dh = _create_dh,
+			.derive_ike_keys = _derive_ike_keys,
+			.derive_child_keys = _derive_child_keys,
+			.get_skd = _get_skd,
+			.get_aead = _get_aead,
+			.get_auth_octets = _get_auth_octets,
+			.get_psk_sig = _get_psk_sig,
+			.destroy = _destroy,
+		},
+		.initiator = initiator,
+		.prf_alg = PRF_UNDEFINED,
+	);
 
 	return &this->public;
 }
diff --git a/src/libcharon/sa/keymat.h b/src/libcharon/sa/keymat.h
index e51709e8d..4f01aa411 100644
--- a/src/libcharon/sa/keymat.h
+++ b/src/libcharon/sa/keymat.h
@@ -24,8 +24,7 @@
 #include <library.h>
 #include <utils/identification.h>
 #include <crypto/prfs/prf.h>
-#include <crypto/crypters/crypter.h>
-#include <crypto/signers/signer.h>
+#include <crypto/aead.h>
 #include <config/proposal.h>
 #include <sa/ike_sa_id.h>
 
@@ -99,21 +98,13 @@ struct keymat_t {
 	 */
 	pseudo_random_function_t (*get_skd)(keymat_t *this, chunk_t *skd);
 
-	/**
-	 * Get a signer to sign/verify IKE messages.
-	 *
-	 * @param in		TRUE for inbound (verify), FALSE for outbound (sign)
-	 * @return			signer
-	 */
-	signer_t* (*get_signer)(keymat_t *this, bool in);
-
 	/*
-	 * Get a crypter to en-/decrypt IKE messages.
+	 * Get a AEAD transform to en-/decrypt and sign/verify IKE messages.
 	 *
 	 * @param in		TRUE for inbound (decrypt), FALSE for outbound (encrypt)
 	 * @return			crypter
 	 */
-	crypter_t* (*get_crypter)(keymat_t *this, bool in);
+	aead_t* (*get_aead)(keymat_t *this, bool in);
 
 	/**
 	 * Generate octets to use for authentication procedure (RFC4306 2.15).
diff --git a/src/libcharon/sa/mediation_manager.c b/src/libcharon/sa/mediation_manager.c
index 035f49053..2fbab7c7c 100644
--- a/src/libcharon/sa/mediation_manager.c
+++ b/src/libcharon/sa/mediation_manager.c
@@ -241,7 +241,7 @@ static void update_sa_id(private_mediation_manager_t *this, identification_t *pe
 										  (void**)&requester) == SUCCESS)
 	{
 		job_t *job = (job_t*)mediation_callback_job_create(requester, peer_id);
-		charon->processor->queue_job(charon->processor, job);
+		lib->processor->queue_job(lib->processor, job);
 		requester->destroy(requester);
 	}
 
diff --git a/src/libcharon/sa/task_manager.c b/src/libcharon/sa/task_manager.c
index a68826440..18703ce36 100644
--- a/src/libcharon/sa/task_manager.c
+++ b/src/libcharon/sa/task_manager.c
@@ -274,7 +274,7 @@ METHOD(task_manager_t, retransmit, status_t,
 		this->initiating.retransmitted++;
 		job = (job_t*)retransmit_job_create(this->initiating.mid,
 											this->ike_sa->get_id(this->ike_sa));
-		charon->scheduler->schedule_job_ms(charon->scheduler, job, timeout);
+		lib->scheduler->schedule_job_ms(lib->scheduler, job, timeout);
 	}
 	return SUCCESS;
 }
@@ -883,11 +883,21 @@ METHOD(task_manager_t, process_message, status_t,
 	private_task_manager_t *this, message_t *msg)
 {
 	u_int32_t mid = msg->get_message_id(msg);
+	host_t *me = msg->get_destination(msg), *other = msg->get_source(msg);
 
 	if (msg->get_request(msg))
 	{
 		if (mid == this->responding.mid)
 		{
+			if (this->ike_sa->get_state(this->ike_sa) == IKE_CREATED ||
+				this->ike_sa->get_state(this->ike_sa) == IKE_CONNECTING ||
+				msg->get_exchange_type(msg) != IKE_SA_INIT)
+			{	/* only do host updates based on verified messages */
+				if (!this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE))
+				{	/* with MOBIKE, we do no implicit updates */
+					this->ike_sa->update_hosts(this->ike_sa, me, other);
+				}
+			}
 			charon->bus->message(charon->bus, msg, TRUE);
 			if (process_request(this, msg) != SUCCESS)
 			{
@@ -920,6 +930,15 @@ METHOD(task_manager_t, process_message, status_t,
 	{
 		if (mid == this->initiating.mid)
 		{
+			if (this->ike_sa->get_state(this->ike_sa) == IKE_CREATED ||
+				this->ike_sa->get_state(this->ike_sa) == IKE_CONNECTING ||
+				msg->get_exchange_type(msg) != IKE_SA_INIT)
+			{	/* only do host updates based on verified messages */
+				if (!this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE))
+				{	/* with MOBIKE, we do no implicit updates */
+					this->ike_sa->update_hosts(this->ike_sa, me, other);
+				}
+			}
 			charon->bus->message(charon->bus, msg, TRUE);
 			if (process_response(this, msg) != SUCCESS)
 			{
diff --git a/src/libcharon/sa/tasks/child_create.c b/src/libcharon/sa/tasks/child_create.c
index 3de27ee3f..57beedba9 100644
--- a/src/libcharon/sa/tasks/child_create.c
+++ b/src/libcharon/sa/tasks/child_create.c
@@ -261,7 +261,7 @@ static void schedule_inactivity_timeout(private_child_create_t *this)
 	{
 		close_ike = lib->settings->get_bool(lib->settings,
 										"charon.inactivity_close_ike", FALSE);
-		charon->scheduler->schedule_job(charon->scheduler, (job_t*)
+		lib->scheduler->schedule_job(lib->scheduler, (job_t*)
 				inactivity_job_create(this->child_sa->get_reqid(this->child_sa),
 									  timeout, close_ike), timeout);
 	}
@@ -871,7 +871,7 @@ static void handle_child_sa_failure(private_child_create_t *this,
 		/* we delay the delete for 100ms, as the IKE_AUTH response must arrive
 		 * first */
 		DBG1(DBG_IKE, "closing IKE_SA due CHILD_SA setup failure");
-		charon->scheduler->schedule_job_ms(charon->scheduler, (job_t*)
+		lib->scheduler->schedule_job_ms(lib->scheduler, (job_t*)
 			delete_ike_sa_job_create(this->ike_sa->get_id(this->ike_sa), TRUE),
 			100);
 	}
diff --git a/src/libcharon/sa/tasks/child_delete.c b/src/libcharon/sa/tasks/child_delete.c
index b0cd30e1e..45e97e4cd 100644
--- a/src/libcharon/sa/tasks/child_delete.c
+++ b/src/libcharon/sa/tasks/child_delete.c
@@ -117,11 +117,10 @@ static void build_payloads(private_child_delete_t *this, message_t *message)
  */
 static void process_payloads(private_child_delete_t *this, message_t *message)
 {
-	enumerator_t *payloads;
-	iterator_t *spis;
+	enumerator_t *payloads, *spis;
 	payload_t *payload;
 	delete_payload_t *delete_payload;
-	u_int32_t *spi;
+	u_int32_t spi;
 	protocol_id_t protocol;
 	child_sa_t *child_sa;
 
@@ -136,19 +135,19 @@ static void process_payloads(private_child_delete_t *this, message_t *message)
 			{
 				continue;
 			}
-			spis = delete_payload->create_spi_iterator(delete_payload);
-			while (spis->iterate(spis, (void**)&spi))
+			spis = delete_payload->create_spi_enumerator(delete_payload);
+			while (spis->enumerate(spis, &spi))
 			{
 				child_sa = this->ike_sa->get_child_sa(this->ike_sa, protocol,
-													  *spi, FALSE);
+													  spi, FALSE);
 				if (child_sa == NULL)
 				{
 					DBG1(DBG_IKE, "received DELETE for %N CHILD_SA with SPI %.8x, "
-						 "but no such SA", protocol_id_names, protocol, ntohl(*spi));
+						 "but no such SA", protocol_id_names, protocol, ntohl(spi));
 					continue;
 				}
 				DBG1(DBG_IKE, "received DELETE for %N CHILD_SA with SPI %.8x",
-						protocol_id_names, protocol, ntohl(*spi));
+					 protocol_id_names, protocol, ntohl(spi));
 
 				switch (child_sa->get_state(child_sa))
 				{
@@ -161,7 +160,7 @@ static void process_payloads(private_child_delete_t *this, message_t *message)
 						if (!this->initiator)
 						{
 							this->ike_sa->destroy_child_sa(this->ike_sa,
-														   protocol, *spi);
+														   protocol, spi);
 							continue;
 						}
 					case CHILD_INSTALLED:
diff --git a/src/libcharon/sa/tasks/child_rekey.c b/src/libcharon/sa/tasks/child_rekey.c
index fb3452efd..fdaaea4b8 100644
--- a/src/libcharon/sa/tasks/child_rekey.c
+++ b/src/libcharon/sa/tasks/child_rekey.c
@@ -75,6 +75,15 @@ struct private_child_rekey_t {
 	 * colliding task, may be delete or rekey
 	 */
 	task_t *collision;
+
+	/**
+	 * Indicate that peer destroyed the redundant child from collision.
+	 * This happens if a peer's delete notification for the redundant
+	 * child gets processed before the rekey job. If so, we must not
+	 * touch the child created in the collision since it points to
+	 * memory already freed.
+	 */
+	bool other_child_destroyed;
 };
 
 /**
@@ -239,9 +248,13 @@ static child_sa_t *handle_collision(private_child_rekey_t *this)
 			DBG1(DBG_IKE, "CHILD_SA rekey collision won, "
 				 "deleting rekeyed child");
 			to_delete = this->child_sa;
-			/* disable close action for the redundand child */
-			child_sa = other->child_create->get_child(other->child_create);
-			child_sa->set_close_action(child_sa, ACTION_NONE);
+			/* don't touch child other created, it has already been deleted */
+			if (!this->other_child_destroyed)
+			{
+				/* disable close action for the redundand child */
+				child_sa = other->child_create->get_child(other->child_create);
+				child_sa->set_close_action(child_sa, ACTION_NONE);
+			}
 		}
 		else
 		{
@@ -286,7 +299,7 @@ static status_t process_i(private_child_rekey_t *this, message_t *message)
 		DBG1(DBG_IKE, "peer seems to not support CHILD_SA rekeying, "
 			 "starting reauthentication");
 		this->child_sa->set_state(this->child_sa, CHILD_INSTALLED);
-		charon->processor->queue_job(charon->processor,
+		lib->processor->queue_job(lib->processor,
 				(job_t*)rekey_ike_sa_job_create(
 							this->ike_sa->get_id(this->ike_sa), TRUE));
 		return SUCCESS;
@@ -316,7 +329,7 @@ static status_t process_i(private_child_rekey_t *this, message_t *message)
 			DBG1(DBG_IKE, "CHILD_SA rekeying failed, "
 								"trying again in %d seconds", retry);
 			this->child_sa->set_state(this->child_sa, CHILD_INSTALLED);
-			charon->scheduler->schedule_job(charon->scheduler, job, retry);
+			lib->scheduler->schedule_job(lib->scheduler, job, retry);
 		}
 		return SUCCESS;
 	}
@@ -380,6 +393,13 @@ static void collide(private_child_rekey_t *this, task_t *other)
 	else if (other->get_type(other) == CHILD_DELETE)
 	{
 		child_delete_t *del = (child_delete_t*)other;
+		if (del->get_child(del) == this->child_create->get_child(this->child_create))
+		{
+			/* peer deletes redundant child created in collision */
+			this->other_child_destroyed = TRUE;
+			other->destroy(other);
+			return;
+		}
 		if (del == NULL || del->get_child(del) != this->child_sa)
 		{
 			/* not the same child => no collision */
@@ -466,6 +486,7 @@ child_rekey_t *child_rekey_create(ike_sa_t *ike_sa, protocol_id_t protocol,
 	this->spi = spi;
 	this->collision = NULL;
 	this->child_delete = NULL;
+	this->other_child_destroyed = FALSE;
 
 	return &this->public;
 }
diff --git a/src/libcharon/sa/tasks/ike_auth.c b/src/libcharon/sa/tasks/ike_auth.c
index a954782f2..b440ec811 100644
--- a/src/libcharon/sa/tasks/ike_auth.c
+++ b/src/libcharon/sa/tasks/ike_auth.c
@@ -481,9 +481,8 @@ static status_t process_r(private_ike_auth_t *this, message_t *message)
 		{
 			this->ike_sa->enable_extension(this->ike_sa, EXT_MULTIPLE_AUTH);
 		}
-		if (this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN) &&
-			message->get_notify(message, EAP_ONLY_AUTHENTICATION))
-		{	/* EAP-only has no official notify, accept only from strongSwan */
+		if (message->get_notify(message, EAP_ONLY_AUTHENTICATION))
+		{
 			this->ike_sa->enable_extension(this->ike_sa,
 										   EXT_EAP_ONLY_AUTHENTICATION);
 		}
@@ -538,6 +537,11 @@ static status_t process_r(private_ike_auth_t *this, message_t *message)
 			{
 				cfg->add(cfg, AUTH_RULE_EAP_IDENTITY, id->clone(id));
 			}
+			id = (identification_t*)cand->get(cand, AUTH_RULE_AAA_IDENTITY);
+			if (id)
+			{
+				cfg->add(cfg, AUTH_RULE_AAA_IDENTITY, id->clone(id));
+			}
 		}
 
 		/* verify authentication data */
@@ -821,7 +825,7 @@ static status_t process_i(private_ike_auth_t *this, message_t *message)
 					break;
 				default:
 				{
-					if (type < 16383)
+					if (type <= 16383)
 					{
 						DBG1(DBG_IKE, "received %N notify error",
 							 notify_type_names, type);
diff --git a/src/libcharon/sa/tasks/ike_init.c b/src/libcharon/sa/tasks/ike_init.c
index 38fb572f4..dd4a5f5c0 100644
--- a/src/libcharon/sa/tasks/ike_init.c
+++ b/src/libcharon/sa/tasks/ike_init.c
@@ -468,7 +468,7 @@ static status_t process_i(private_ike_init_t *this, message_t *message)
 				}
 				default:
 				{
-					if (type < 16383)
+					if (type <= 16383)
 					{
 						DBG1(DBG_IKE, "received %N notify error",
 							 notify_type_names, type);
diff --git a/src/libcharon/sa/tasks/ike_me.c b/src/libcharon/sa/tasks/ike_me.c
index 2d2847ae0..1de6ae8fc 100644
--- a/src/libcharon/sa/tasks/ike_me.c
+++ b/src/libcharon/sa/tasks/ike_me.c
@@ -17,6 +17,7 @@
 
 #include <string.h>
 
+#include <hydra.h>
 #include <daemon.h>
 #include <config/peer_cfg.h>
 #include <encoding/payloads/id_payload.h>
@@ -134,8 +135,8 @@ static void gather_and_add_endpoints(private_ike_me_t *this, message_t *message)
 	host = this->ike_sa->get_my_host(this->ike_sa);
 	port = host->get_port(host);
 
-	enumerator = charon->kernel_interface->create_address_enumerator(
-										charon->kernel_interface, FALSE, FALSE);
+	enumerator = hydra->kernel_interface->create_address_enumerator(
+										hydra->kernel_interface, FALSE, FALSE);
 	while (enumerator->enumerate(enumerator, (void**)&addr))
 	{
 		host = addr->clone(addr);
@@ -454,6 +455,9 @@ static status_t process_i(private_ike_me_t *this, message_t *message)
 				DBG1(DBG_IKE, "server did not return a ME_MEDIATION, aborting");
 				return FAILED;
 			}
+			/* if we are on a mediation connection we switch to port 4500 even
+			 * if no NAT is detected. */
+			this->ike_sa->float_ports(this->ike_sa);
 			return NEED_MORE;
 		}
 		case IKE_AUTH:
@@ -689,7 +693,7 @@ static status_t build_r_ms(private_ike_me_t *this, message_t *message)
 			job_t *job = (job_t*)mediation_job_create(this->peer_id,
 					this->ike_sa->get_other_id(this->ike_sa), this->connect_id,
 					this->connect_key, this->remote_endpoints, this->response);
-			charon->processor->queue_job(charon->processor, job);
+			lib->processor->queue_job(lib->processor, job);
 			break;
 		}
 		default:
diff --git a/src/libcharon/sa/tasks/ike_mobike.c b/src/libcharon/sa/tasks/ike_mobike.c
index a62886f02..5b12eaaac 100644
--- a/src/libcharon/sa/tasks/ike_mobike.c
+++ b/src/libcharon/sa/tasks/ike_mobike.c
@@ -17,6 +17,7 @@
 
 #include <string.h>
 
+#include <hydra.h>
 #include <daemon.h>
 #include <sa/tasks/ike_natd.h>
 #include <encoding/payloads/notify_payload.h>
@@ -70,6 +71,11 @@ struct private_ike_mobike_t {
 	 * include address list update
 	 */
 	bool address;
+
+	/**
+	 * additional addresses got updated
+	 */
+	bool addresses_updated;
 };
 
 /**
@@ -153,6 +159,7 @@ static void process_payloads(private_ike_mobike_t *this, message_t *message)
 				host = host_create_from_chunk(family, data, 0);
 				DBG2(DBG_IKE, "got additional MOBIKE peer address: %H", host);
 				this->ike_sa->add_additional_address(this->ike_sa, host);
+				this->addresses_updated = TRUE;
 				break;
 			}
 			case UPDATE_SA_ADDRESSES:
@@ -163,6 +170,7 @@ static void process_payloads(private_ike_mobike_t *this, message_t *message)
 			case NO_ADDITIONAL_ADDRESSES:
 			{
 				flush_additional_addresses(this);
+				this->addresses_updated = TRUE;
 				break;
 			}
 			case NAT_DETECTION_SOURCE_IP:
@@ -193,8 +201,8 @@ static void build_address_list(private_ike_mobike_t *this, message_t *message)
 	int added = 0;
 
 	me = this->ike_sa->get_my_host(this->ike_sa);
-	enumerator = charon->kernel_interface->create_address_enumerator(
-										charon->kernel_interface, FALSE, FALSE);
+	enumerator = hydra->kernel_interface->create_address_enumerator(
+										hydra->kernel_interface, FALSE, FALSE);
 	while (enumerator->enumerate(enumerator, (void**)&host))
 	{
 		if (me->ip_equals(me, host))
@@ -269,32 +277,23 @@ static void update_children(private_ike_mobike_t *this)
 }
 
 /**
- * Apply port of old address if it equals new, port otherwise
+ * Apply the port of the old host, if its ip equals the new, use port otherwise.
  */
-static void apply_port(private_ike_mobike_t *this, host_t *host, host_t *old,
-					   u_int16_t port)
+static void apply_port(host_t *host, host_t *old, u_int16_t port)
 {
 	if (host->ip_equals(host, old))
 	{
-		host->set_port(host, old->get_port(old));
+		port = old->get_port(old);
 	}
-	else
+	else if (port == IKEV2_UDP_PORT)
 	{
-		if (port == IKEV2_UDP_PORT)
-		{
-			host->set_port(host, IKEV2_NATT_PORT);
-		}
-		else
-		{
-			host->set_port(host, port);
-		}
+		port = IKEV2_NATT_PORT;
 	}
+	host->set_port(host, port);
 }
 
-/**
- * Implementation of ike_mobike_t.transmit
- */
-static void transmit(private_ike_mobike_t *this, packet_t *packet)
+METHOD(ike_mobike_t, transmit, void,
+	   private_ike_mobike_t *this, packet_t *packet)
 {
 	host_t *me, *other, *me_old, *other_old;
 	iterator_t *iterator;
@@ -310,11 +309,11 @@ static void transmit(private_ike_mobike_t *this, packet_t *packet)
 	other_old = this->ike_sa->get_other_host(this->ike_sa);
 	ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa);
 
-	me = charon->kernel_interface->get_source_addr(
-									charon->kernel_interface, other_old, NULL);
+	me = hydra->kernel_interface->get_source_addr(
+									hydra->kernel_interface, other_old, NULL);
 	if (me)
 	{
-		apply_port(this, me, me_old, ike_cfg->get_my_port(ike_cfg));
+		apply_port(me, me_old, ike_cfg->get_my_port(ike_cfg));
 		DBG1(DBG_IKE, "checking original path %#H - %#H", me, other_old);
 		copy = packet->clone(packet);
 		copy->set_source(copy, me);
@@ -324,8 +323,8 @@ static void transmit(private_ike_mobike_t *this, packet_t *packet)
 	iterator = this->ike_sa->create_additional_address_iterator(this->ike_sa);
 	while (iterator->iterate(iterator, (void**)&other))
 	{
-		me = charon->kernel_interface->get_source_addr(
-										charon->kernel_interface, other, NULL);
+		me = hydra->kernel_interface->get_source_addr(
+										hydra->kernel_interface, other, NULL);
 		if (me)
 		{
 			if (me->get_family(me) != other->get_family(other))
@@ -334,9 +333,9 @@ static void transmit(private_ike_mobike_t *this, packet_t *packet)
 				continue;
 			}
 			/* reuse port for an active address, 4500 otherwise */
-			apply_port(this, me, me_old, ike_cfg->get_my_port(ike_cfg));
+			apply_port(me, me_old, ike_cfg->get_my_port(ike_cfg));
 			other = other->clone(other);
-			apply_port(this, other, other_old, ike_cfg->get_other_port(ike_cfg));
+			apply_port(other, other_old, ike_cfg->get_other_port(ike_cfg));
 			DBG1(DBG_IKE, "checking path %#H - %#H", me, other);
 			copy = packet->clone(packet);
 			copy->set_source(copy, me);
@@ -347,12 +346,11 @@ static void transmit(private_ike_mobike_t *this, packet_t *packet)
 	iterator->destroy(iterator);
 }
 
-/**
- * Implementation of task_t.process for initiator
- */
-static status_t build_i(private_ike_mobike_t *this, message_t *message)
+METHOD(task_t, build_i, status_t,
+	   private_ike_mobike_t *this, message_t *message)
 {
-	if (message->get_message_id(message) == 1)
+	if (message->get_exchange_type(message) == IKE_AUTH &&
+		message->get_message_id(message) == 1)
 	{	/* only in first IKE_AUTH */
 		message->add_notify(message, FALSE, MOBIKE_SUPPORTED, chunk_empty);
 		build_address_list(this, message);
@@ -363,7 +361,7 @@ static status_t build_i(private_ike_mobike_t *this, message_t *message)
 
 		/* we check if the existing address is still valid */
 		old = message->get_source(message);
-		new = charon->kernel_interface->get_source_addr(charon->kernel_interface,
+		new = hydra->kernel_interface->get_source_addr(hydra->kernel_interface,
 										message->get_destination(message), old);
 		if (new)
 		{
@@ -379,11 +377,12 @@ static status_t build_i(private_ike_mobike_t *this, message_t *message)
 		}
 		if (this->update)
 		{
-			message->add_notify(message, FALSE, UPDATE_SA_ADDRESSES, chunk_empty);
+			message->add_notify(message, FALSE, UPDATE_SA_ADDRESSES,
+								chunk_empty);
 			build_cookie(this, message);
 			update_children(this);
 		}
-		if (this->address)
+		if (this->address && !this->check)
 		{
 			build_address_list(this, message);
 		}
@@ -395,12 +394,11 @@ static status_t build_i(private_ike_mobike_t *this, message_t *message)
 	return NEED_MORE;
 }
 
-/**
- * Implementation of task_t.process for responder
- */
-static status_t process_r(private_ike_mobike_t *this, message_t *message)
+METHOD(task_t, process_r, status_t,
+	   private_ike_mobike_t *this, message_t *message)
 {
-	if (message->get_message_id(message) == 1)
+	if (message->get_exchange_type(message) == IKE_AUTH &&
+		message->get_message_id(message) == 1)
 	{	/* only first IKE_AUTH */
 		process_payloads(this, message);
 	}
@@ -421,14 +419,25 @@ static status_t process_r(private_ike_mobike_t *this, message_t *message)
 		{
 			this->natd->task.process(&this->natd->task, message);
 		}
+		if (this->addresses_updated && this->ike_sa->has_condition(this->ike_sa,
+												COND_ORIGINAL_INITIATOR))
+		{
+			host_t *other = message->get_source(message);
+			host_t *other_old = this->ike_sa->get_other_host(this->ike_sa);
+			if (!other->equals(other, other_old))
+			{
+				DBG1(DBG_IKE, "remote address changed from %H to %H", other_old,
+					 other);
+				this->ike_sa->set_other_host(this->ike_sa, other->clone(other));
+				this->update = TRUE;
+			}
+		}
 	}
 	return NEED_MORE;
 }
 
-/**
- * Implementation of task_t.build for responder
- */
-static status_t build_r(private_ike_mobike_t *this, message_t *message)
+METHOD(task_t, build_r, status_t,
+	   private_ike_mobike_t *this, message_t *message)
 {
 	if (message->get_exchange_type(message) == IKE_AUTH &&
 		this->ike_sa->get_state(this->ike_sa) == IKE_ESTABLISHED)
@@ -460,10 +469,8 @@ static status_t build_r(private_ike_mobike_t *this, message_t *message)
 	return NEED_MORE;
 }
 
-/**
- * Implementation of task_t.process for initiator
- */
-static status_t process_i(private_ike_mobike_t *this, message_t *message)
+METHOD(task_t, process_i, status_t,
+	   private_ike_mobike_t *this, message_t *message)
 {
 	if (message->get_exchange_type(message) == IKE_AUTH &&
 		this->ike_sa->get_state(this->ike_sa) == IKE_ESTABLISHED)
@@ -536,14 +543,22 @@ static status_t process_i(private_ike_mobike_t *this, message_t *message)
 			}
 			if (this->update)
 			{
-				/* start the update with the same task */
-				this->check = FALSE;
-				this->address = FALSE;
-				if (this->natd)
-				{
-					this->natd->task.destroy(&this->natd->task);
+				/* use the same task to ... */
+				if (!this->ike_sa->has_condition(this->ike_sa,
+												 COND_ORIGINAL_INITIATOR))
+				{	/*... send an updated list of addresses as responder */
+					update_children(this);
+					this->update = FALSE;
+				}
+				else
+				{	/* ... send the update as original initiator */
+					if (this->natd)
+					{
+						this->natd->task.destroy(&this->natd->task);
+					}
+					this->natd = ike_natd_create(this->ike_sa, this->initiator);
 				}
-				this->natd = ike_natd_create(this->ike_sa, this->initiator);
+				this->check = FALSE;
 				this->ike_sa->set_pending_updates(this->ike_sa, 1);
 				return NEED_MORE;
 			}
@@ -553,51 +568,48 @@ static status_t process_i(private_ike_mobike_t *this, message_t *message)
 	return NEED_MORE;
 }
 
-/**
- * Implementation of ike_mobike_t.roam.
- */
-static void roam(private_ike_mobike_t *this, bool address)
+METHOD(ike_mobike_t, addresses, void,
+	   private_ike_mobike_t *this)
+{
+	this->address = TRUE;
+	this->ike_sa->set_pending_updates(this->ike_sa,
+						this->ike_sa->get_pending_updates(this->ike_sa) + 1);
+}
+
+METHOD(ike_mobike_t, roam, void,
+	   private_ike_mobike_t *this, bool address)
 {
 	this->check = TRUE;
 	this->address = address;
 	this->ike_sa->set_pending_updates(this->ike_sa,
-							this->ike_sa->get_pending_updates(this->ike_sa) + 1);
+						this->ike_sa->get_pending_updates(this->ike_sa) + 1);
 }
 
-/**
- * Implementation of ike_mobike_t.dpd
- */
-static void dpd(private_ike_mobike_t *this)
+METHOD(ike_mobike_t, dpd, void,
+	   private_ike_mobike_t *this)
 {
 	if (!this->natd)
 	{
 		this->natd = ike_natd_create(this->ike_sa, this->initiator);
 	}
-	this->address = FALSE;
 	this->ike_sa->set_pending_updates(this->ike_sa,
-							this->ike_sa->get_pending_updates(this->ike_sa) + 1);
+						this->ike_sa->get_pending_updates(this->ike_sa) + 1);
 }
 
-/**
- * Implementation of ike_mobike_t.is_probing.
- */
-static bool is_probing(private_ike_mobike_t *this)
+METHOD(ike_mobike_t, is_probing, bool,
+	   private_ike_mobike_t *this)
 {
 	return this->check;
 }
 
-/**
- * Implementation of task_t.get_type
- */
-static task_type_t get_type(private_ike_mobike_t *this)
+METHOD(task_t, get_type, task_type_t,
+	   private_ike_mobike_t *this)
 {
 	return IKE_MOBIKE;
 }
 
-/**
- * Implementation of task_t.migrate
- */
-static void migrate(private_ike_mobike_t *this, ike_sa_t *ike_sa)
+METHOD(task_t, migrate, void,
+	   private_ike_mobike_t *this, ike_sa_t *ike_sa)
 {
 	chunk_free(&this->cookie2);
 	this->ike_sa = ike_sa;
@@ -607,10 +619,8 @@ static void migrate(private_ike_mobike_t *this, ike_sa_t *ike_sa)
 	}
 }
 
-/**
- * Implementation of task_t.destroy
- */
-static void destroy(private_ike_mobike_t *this)
+METHOD(task_t, destroy, void,
+	   private_ike_mobike_t *this)
 {
 	chunk_free(&this->cookie2);
 	if (this->natd)
@@ -625,35 +635,36 @@ static void destroy(private_ike_mobike_t *this)
  */
 ike_mobike_t *ike_mobike_create(ike_sa_t *ike_sa, bool initiator)
 {
-	private_ike_mobike_t *this = malloc_thing(private_ike_mobike_t);
-
-	this->public.roam = (void(*)(ike_mobike_t*,bool))roam;
-	this->public.dpd = (void(*)(ike_mobike_t*))dpd;
-	this->public.transmit = (void(*)(ike_mobike_t*,packet_t*))transmit;
-	this->public.is_probing = (bool(*)(ike_mobike_t*))is_probing;
-	this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
-	this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
-	this->public.task.destroy = (void(*)(task_t*))destroy;
+	private_ike_mobike_t *this;
+
+	INIT(this,
+		.public = {
+			.task = {
+				.get_type = _get_type,
+				.migrate = _migrate,
+				.destroy = _destroy,
+			},
+			.addresses = _addresses,
+			.roam = _roam,
+			.dpd = _dpd,
+			.transmit = _transmit,
+			.is_probing = _is_probing,
+		},
+		.ike_sa = ike_sa,
+		.initiator = initiator,
+	);
 
 	if (initiator)
 	{
-		this->public.task.build = (status_t(*)(task_t*,message_t*))build_i;
-		this->public.task.process = (status_t(*)(task_t*,message_t*))process_i;
+		this->public.task.build = _build_i;
+		this->public.task.process = _process_i;
 	}
 	else
 	{
-		this->public.task.build = (status_t(*)(task_t*,message_t*))build_r;
-		this->public.task.process = (status_t(*)(task_t*,message_t*))process_r;
+		this->public.task.build = _build_r;
+		this->public.task.process = _process_r;
 	}
 
-	this->ike_sa = ike_sa;
-	this->initiator = initiator;
-	this->update = FALSE;
-	this->check = FALSE;
-	this->address = TRUE;
-	this->cookie2 = chunk_empty;
-	this->natd = NULL;
-
 	return &this->public;
 }
 
diff --git a/src/libcharon/sa/tasks/ike_mobike.h b/src/libcharon/sa/tasks/ike_mobike.h
index 05b2224d1..16611939e 100644
--- a/src/libcharon/sa/tasks/ike_mobike.h
+++ b/src/libcharon/sa/tasks/ike_mobike.h
@@ -45,6 +45,11 @@ struct ike_mobike_t {
 	 */
 	task_t task;
 
+	/**
+	 * Use the task to update the list of additional addresses.
+	 */
+	void (*addresses)(ike_mobike_t *this);
+
 	/**
 	 * Use the task to roam to other addresses.
 	 *
diff --git a/src/libcharon/sa/tasks/ike_natd.c b/src/libcharon/sa/tasks/ike_natd.c
index 9ea20ba36..7839b52eb 100644
--- a/src/libcharon/sa/tasks/ike_natd.c
+++ b/src/libcharon/sa/tasks/ike_natd.c
@@ -18,6 +18,7 @@
 
 #include <string.h>
 
+#include <hydra.h>
 #include <daemon.h>
 #include <config/peer_cfg.h>
 #include <crypto/hashers/hasher.h>
@@ -265,41 +266,15 @@ static status_t process_i(private_ike_natd_t *this, message_t *message)
 	if (message->get_exchange_type(message) == IKE_SA_INIT)
 	{
 		peer_cfg_t *peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
-
-#ifdef ME
-		/* if we are on a mediated connection we have already switched to
-		 * port 4500 and the correct destination port is already configured,
-		 * therefore we must not switch again */
-		if (peer_cfg->get_mediated_by(peer_cfg))
-		{
-			return SUCCESS;
-		}
-#endif /* ME */
-
 		if (this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY) ||
-#ifdef ME
-			/* if we are on a mediation connection we switch to port 4500 even
-			 * if no NAT is detected. */
-			peer_cfg->is_mediation(peer_cfg) ||
-#endif /* ME */
 			/* if peer supports NAT-T, we switch to port 4500 even
-			 * if no NAT is detected. MOBIKE requires this. */
+			 * if no NAT is detected. can't be done later (when we would know
+			 * whether the peer supports MOBIKE) because there would be no
+			 * exchange to actually do the switch (other than a forced DPD). */
 			(peer_cfg->use_mobike(peer_cfg) &&
 			 this->ike_sa->supports_extension(this->ike_sa, EXT_NATT)))
 		{
-			host_t *me, *other;
-
-			/* do not switch if we have a custom port from mobike/NAT */
-			me = this->ike_sa->get_my_host(this->ike_sa);
-			if (me->get_port(me) == IKEV2_UDP_PORT)
-			{
-				me->set_port(me, IKEV2_NATT_PORT);
-			}
-			other = this->ike_sa->get_other_host(this->ike_sa);
-			if (other->get_port(other) == IKEV2_UDP_PORT)
-			{
-				other->set_port(other, IKEV2_NATT_PORT);
-			}
+			this->ike_sa->float_ports(this->ike_sa);
 		}
 	}
 
@@ -342,7 +317,7 @@ static status_t build_i(private_ike_natd_t *this, message_t *message)
 	}
 	else
 	{
-		host = charon->kernel_interface->get_source_addr(charon->kernel_interface,
+		host = hydra->kernel_interface->get_source_addr(hydra->kernel_interface,
 							this->ike_sa->get_other_host(this->ike_sa), NULL);
 		if (host)
 		{	/* 2. */
@@ -353,8 +328,8 @@ static status_t build_i(private_ike_natd_t *this, message_t *message)
 		}
 		else
 		{	/* 3. */
-			enumerator = charon->kernel_interface->create_address_enumerator(
-										charon->kernel_interface, FALSE, FALSE);
+			enumerator = hydra->kernel_interface->create_address_enumerator(
+										hydra->kernel_interface, FALSE, FALSE);
 			while (enumerator->enumerate(enumerator, (void**)&host))
 			{
 				/* apply port 500 to host, but work on a copy */
diff --git a/src/libcharon/sa/tasks/ike_rekey.c b/src/libcharon/sa/tasks/ike_rekey.c
index a2275e796..1a6c140c4 100644
--- a/src/libcharon/sa/tasks/ike_rekey.c
+++ b/src/libcharon/sa/tasks/ike_rekey.c
@@ -196,7 +196,7 @@ static status_t process_i(private_ike_rekey_t *this, message_t *message)
 		DBG1(DBG_IKE, "peer seems to not support IKE rekeying, "
 			 "starting reauthentication");
 		this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
-		charon->processor->queue_job(charon->processor,
+		lib->processor->queue_job(lib->processor,
 				(job_t*)rekey_ike_sa_job_create(
 							this->ike_sa->get_id(this->ike_sa), TRUE));
 		return SUCCESS;
@@ -217,7 +217,7 @@ static status_t process_i(private_ike_rekey_t *this, message_t *message)
 				DBG1(DBG_IKE, "IKE_SA rekeying failed, "
 										"trying again in %d seconds", retry);
 				this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
-				charon->scheduler->schedule_job(charon->scheduler, job, retry);
+				lib->scheduler->schedule_job(lib->scheduler, job, retry);
 			}
 			return SUCCESS;
 		case NEED_MORE:
@@ -241,51 +241,56 @@ static status_t process_i(private_ike_rekey_t *this, message_t *message)
 	if (this->collision &&
 		this->collision->get_type(this->collision) == IKE_REKEY)
 	{
-		chunk_t this_nonce, other_nonce;
-		host_t *host;
 		private_ike_rekey_t *other = (private_ike_rekey_t*)this->collision;
 
-		this_nonce = this->ike_init->get_lower_nonce(this->ike_init);
-		other_nonce = other->ike_init->get_lower_nonce(other->ike_init);
-
-		/* if we have the lower nonce, delete rekeyed SA. If not, delete
-		 * the redundant. */
-		if (memcmp(this_nonce.ptr, other_nonce.ptr,
-				   min(this_nonce.len, other_nonce.len)) < 0)
-		{
-			/* peer should delete this SA. Add a timeout just in case. */
-			job_t *job = (job_t*)delete_ike_sa_job_create(
-									other->new_sa->get_id(other->new_sa), TRUE);
-			charon->scheduler->schedule_job(charon->scheduler, job, 10);
-			DBG1(DBG_IKE, "IKE_SA rekey collision won, deleting rekeyed IKE_SA");
-			charon->ike_sa_manager->checkin(charon->ike_sa_manager, other->new_sa);
-			other->new_sa = NULL;
-		}
-		else
+		/* ike_init can be NULL, if child_sa is half-open */
+		if (other->ike_init)
 		{
-			DBG1(DBG_IKE, "IKE_SA rekey collision lost, deleting redundant IKE_SA");
-			/* apply host for a proper delete */
-			host = this->ike_sa->get_my_host(this->ike_sa);
-			this->new_sa->set_my_host(this->new_sa, host->clone(host));
-			host = this->ike_sa->get_other_host(this->ike_sa);
-			this->new_sa->set_other_host(this->new_sa, host->clone(host));
-			this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
-			if (this->new_sa->delete(this->new_sa) == DESTROY_ME)
+			host_t *host;
+			chunk_t this_nonce, other_nonce;
+
+			this_nonce = this->ike_init->get_lower_nonce(this->ike_init);
+			other_nonce = other->ike_init->get_lower_nonce(other->ike_init);
+
+			/* if we have the lower nonce, delete rekeyed SA. If not, delete
+			 * the redundant. */
+			if (memcmp(this_nonce.ptr, other_nonce.ptr,
+						min(this_nonce.len, other_nonce.len)) < 0)
 			{
-				charon->ike_sa_manager->checkin_and_destroy(
-										charon->ike_sa_manager, this->new_sa);
+				/* peer should delete this SA. Add a timeout just in case. */
+				job_t *job = (job_t*)delete_ike_sa_job_create(
+						other->new_sa->get_id(other->new_sa), TRUE);
+				lib->scheduler->schedule_job(lib->scheduler, job, 10);
+				DBG1(DBG_IKE, "IKE_SA rekey collision won, deleting rekeyed IKE_SA");
+				charon->ike_sa_manager->checkin(charon->ike_sa_manager, other->new_sa);
+				other->new_sa = NULL;
 			}
 			else
 			{
-				charon->ike_sa_manager->checkin(
-										charon->ike_sa_manager, this->new_sa);
+				DBG1(DBG_IKE, "IKE_SA rekey collision lost, deleting redundant IKE_SA");
+				/* apply host for a proper delete */
+				host = this->ike_sa->get_my_host(this->ike_sa);
+				this->new_sa->set_my_host(this->new_sa, host->clone(host));
+				host = this->ike_sa->get_other_host(this->ike_sa);
+				this->new_sa->set_other_host(this->new_sa, host->clone(host));
+				this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
+				if (this->new_sa->delete(this->new_sa) == DESTROY_ME)
+				{
+					charon->ike_sa_manager->checkin_and_destroy(
+								charon->ike_sa_manager, this->new_sa);
+				}
+				else
+				{
+					charon->ike_sa_manager->checkin(
+								charon->ike_sa_manager, this->new_sa);
+				}
+				/* set threads active IKE_SA after checkin */
+				charon->bus->set_sa(charon->bus, this->ike_sa);
+				/* inherit to other->new_sa in destroy() */
+				this->new_sa = other->new_sa;
+				other->new_sa = NULL;
+				return SUCCESS;
 			}
-			/* set threads active IKE_SA after checkin */
-			charon->bus->set_sa(charon->bus, this->ike_sa);
-			/* inherit to other->new_sa in destroy() */
-			this->new_sa = other->new_sa;
-			other->new_sa = NULL;
-			return SUCCESS;
 		}
 		/* set threads active IKE_SA after checkin */
 		charon->bus->set_sa(charon->bus, this->ike_sa);
diff --git a/src/libcharon/sa/tasks/ike_vendor.c b/src/libcharon/sa/tasks/ike_vendor.c
index 7c435b6d1..1c14ee06b 100644
--- a/src/libcharon/sa/tasks/ike_vendor.c
+++ b/src/libcharon/sa/tasks/ike_vendor.c
@@ -123,12 +123,14 @@ ike_vendor_t *ike_vendor_create(ike_sa_t *ike_sa, bool initiator)
 	private_ike_vendor_t *this;
 
 	INIT(this,
-		.public.task = {
-			.build = _build,
-			.process = _process,
-			.migrate = _migrate,
-			.get_type = _get_type,
-			.destroy = _destroy,
+		.public = {
+			.task = {
+				.build = _build,
+				.process = _process,
+				.migrate = _migrate,
+				.get_type = _get_type,
+				.destroy = _destroy,
+			},
 		},
 		.initiator = initiator,
 		.ike_sa = ike_sa,
diff --git a/src/libcharon/sa/trap_manager.c b/src/libcharon/sa/trap_manager.c
index 80bf647cd..f91eff077 100644
--- a/src/libcharon/sa/trap_manager.c
+++ b/src/libcharon/sa/trap_manager.c
@@ -15,6 +15,7 @@
 
 #include "trap_manager.h"
 
+#include <hydra.h>
 #include <daemon.h>
 #include <threading/rwlock.h>
 #include <utils/linked_list.h>
@@ -138,8 +139,8 @@ static u_int32_t install(private_trap_manager_t *this, peer_cfg_t *peer,
 	if (!me || me->is_anyaddr(me))
 	{
 		DESTROY_IF(me);
-		me = charon->kernel_interface->get_source_addr(
-									charon->kernel_interface, other, NULL);
+		me = hydra->kernel_interface->get_source_addr(
+									hydra->kernel_interface, other, NULL);
 		if (!me)
 		{
 			DBG1(DBG_CFG, "installing trap failed, local address unknown");
diff --git a/src/libcharon/tnccs/tnccs.c b/src/libcharon/tnccs/tnccs.c
new file mode 100644
index 000000000..2facf02c8
--- /dev/null
+++ b/src/libcharon/tnccs/tnccs.c
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "tnccs.h"
+
+ENUM(eap_type_names, TNCCS_1_1, TNCCS_2_0,
+	"TNCCS 1.1",
+	"TNCCS SOH",
+	"TNCCS 2.0",
+);
diff --git a/src/libcharon/tnccs/tnccs.h b/src/libcharon/tnccs/tnccs.h
new file mode 100644
index 000000000..583512e82
--- /dev/null
+++ b/src/libcharon/tnccs/tnccs.h
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tnccs tnccs
+ * @{ @ingroup libcharon
+ */
+
+#ifndef TNCCS_H_
+#define TNCCS_H_
+
+typedef enum tnccs_type_t tnccs_type_t;
+
+#include <library.h>
+
+/**
+ * Type of TNC Client/Server protocol
+ */
+enum tnccs_type_t {
+	TNCCS_1_1,
+	TNCCS_SOH,
+	TNCCS_2_0
+};
+
+/**
+ * enum names for tnccs_type_t.
+ */
+extern enum_name_t *tnccs_type_names;
+
+typedef struct tnccs_t tnccs_t;
+
+/**
+ * Constructor definition for a pluggable TNCCS protocol implementation.
+ *
+ * @param is_server		TRUE if TNC Server, FALSE if TNC Client
+ * @return				implementation of the tnccs_t interface
+ */
+typedef tnccs_t* (*tnccs_constructor_t)(bool is_server);
+
+#endif /** TNC_H_ @}*/
diff --git a/src/libcharon/tnccs/tnccs_manager.c b/src/libcharon/tnccs/tnccs_manager.c
new file mode 100644
index 000000000..0fd6737c0
--- /dev/null
+++ b/src/libcharon/tnccs/tnccs_manager.c
@@ -0,0 +1,148 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "tnccs_manager.h"
+
+#include <utils/linked_list.h>
+#include <threading/rwlock.h>
+
+typedef struct private_tnccs_manager_t private_tnccs_manager_t;
+typedef struct tnccs_entry_t tnccs_entry_t;
+
+/**
+ * TNCCS constructor entry
+ */
+struct tnccs_entry_t {
+
+	/**
+	 * TNCCS protocol type
+	 */
+	tnccs_type_t type;
+
+	/**
+	 * constructor function to create instance
+	 */
+	tnccs_constructor_t constructor;
+};
+
+/**
+ * private data of tnccs_manager
+ */
+struct private_tnccs_manager_t {
+
+	/**
+	 * public functions
+	 */
+	tnccs_manager_t public;
+
+	/**
+	 * list of tnccs_entry_t's
+	 */
+	linked_list_t *protocols;
+
+	/**
+	 * rwlock to lock methods
+	 */
+	rwlock_t *lock;
+};
+
+METHOD(tnccs_manager_t, add_method, void,
+	private_tnccs_manager_t *this, tnccs_type_t type,
+	tnccs_constructor_t constructor)
+{
+	tnccs_entry_t *entry = malloc_thing(tnccs_entry_t);
+
+	entry->type = type;
+	entry->constructor = constructor;
+
+	this->lock->write_lock(this->lock);
+	this->protocols->insert_last(this->protocols, entry);
+	this->lock->unlock(this->lock);
+}
+
+METHOD(tnccs_manager_t, remove_method, void,
+	private_tnccs_manager_t *this, tnccs_constructor_t constructor)
+{
+	enumerator_t *enumerator;
+	tnccs_entry_t *entry;
+
+	this->lock->write_lock(this->lock);
+	enumerator = this->protocols->create_enumerator(this->protocols);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (constructor == entry->constructor)
+		{
+			this->protocols->remove_at(this->protocols, enumerator);
+			free(entry);
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
+}
+
+METHOD(tnccs_manager_t, create_instance, tnccs_t*,
+	private_tnccs_manager_t *this, tnccs_type_t type, bool is_server)
+{
+	enumerator_t *enumerator;
+	tnccs_entry_t *entry;
+	tnccs_t *protocol = NULL;
+
+	this->lock->read_lock(this->lock);
+	enumerator = this->protocols->create_enumerator(this->protocols);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (type == entry->type)
+		{
+			protocol = entry->constructor(is_server);
+			if (protocol)
+			{
+				break;
+			}
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
+	return protocol;
+}
+
+METHOD(tnccs_manager_t, destroy, void,
+	private_tnccs_manager_t *this)
+{
+	this->protocols->destroy_function(this->protocols, free);
+	this->lock->destroy(this->lock);
+	free(this);
+}
+
+/*
+ * See header
+ */
+tnccs_manager_t *tnccs_manager_create()
+{
+	private_tnccs_manager_t *this;
+
+	INIT(this,
+			.public = {
+				.add_method = _add_method,
+				.remove_method = _remove_method,
+				.create_instance = _create_instance,
+				.destroy = _destroy,
+			},
+			.protocols = linked_list_create(),
+			.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
+	);
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/tnccs/tnccs_manager.h b/src/libcharon/tnccs/tnccs_manager.h
new file mode 100644
index 000000000..2f4a961a7
--- /dev/null
+++ b/src/libcharon/tnccs/tnccs_manager.h
@@ -0,0 +1,74 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tnccs_manager tnccs_manager
+ * @{ @ingroup tnccs
+ */
+
+#ifndef TNCCS_MANAGER_H_
+#define TNCCS_MANAGER_H_
+
+#include "tnccs.h"
+
+typedef struct tnccs_manager_t tnccs_manager_t;
+
+/**
+ * The TNCCS manager manages all TNCCS implementations and creates instances.
+ *
+ * A plugin registers its implemented TNCCS protocol with the manager by
+ * providing type and a constructor function. The manager then creates
+ * TNCCS protocol instances via the provided constructor.
+ */
+struct tnccs_manager_t {
+
+	/**
+	 * Register a TNCCS protocol implementation.
+	 *
+	 * @param type			TNCCS protocol type
+	 * @param constructor	constructor, returns a TNCCS protocol implementation
+	 */
+	void (*add_method)(tnccs_manager_t *this, tnccs_type_t type,
+					   tnccs_constructor_t constructor);
+
+	/**
+	 * Unregister a TNCCS protocol implementation using it's constructor.
+	 *
+	 * @param constructor	constructor function to remove, as added in add_method
+	 */
+	void (*remove_method)(tnccs_manager_t *this, tnccs_constructor_t constructor);
+
+	/**
+	 * Create a new TNCCS protocol instance.
+	 *
+	 * @param type			type of the TNCCS protocol
+	 * @param is_server		TRUE if TNC Server, FALSE if TNC Client
+	 * @return				TNCCS protocol instance, NULL if no constructor found
+	 */
+	tnccs_t* (*create_instance)(tnccs_manager_t *this, tnccs_type_t type,
+								bool is_server);
+
+	/**
+	 * Destroy a tnccs_manager instance.
+	 */
+	void (*destroy)(tnccs_manager_t *this);
+};
+
+/**
+ * Create a tnccs_manager instance.
+ */
+tnccs_manager_t *tnccs_manager_create();
+
+#endif /** TNCCS_MANAGER_H_ @}*/
diff --git a/src/libfast/Makefile.in b/src/libfast/Makefile.in
index a84b272dc..777f1fd10 100644
--- a/src/libfast/Makefile.in
+++ b/src/libfast/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -162,6 +163,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -193,14 +196,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -215,24 +221,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -240,7 +253,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libfreeswan/Makefile.am b/src/libfreeswan/Makefile.am
index 44dd31577..5fee39da9 100644
--- a/src/libfreeswan/Makefile.am
+++ b/src/libfreeswan/Makefile.am
@@ -11,6 +11,7 @@ libfreeswan_a_SOURCES = addrtoa.c addrtot.c addrtypeof.c anyaddr.c atoaddr.c ato
 
 INCLUDES = \
 -I$(top_srcdir)/src/libstrongswan \
+-I$(top_srcdir)/src/libhydra \
 -I$(top_srcdir)/src/pluto
 
 dist_man3_MANS = anyaddr.3 atoaddr.3 atoasr.3 atosa.3 atoul.3 goodmask.3 initaddr.3 initsubnet.3 \
diff --git a/src/libfreeswan/Makefile.in b/src/libfreeswan/Makefile.in
index 6d640d778..28ba035c6 100644
--- a/src/libfreeswan/Makefile.in
+++ b/src/libfreeswan/Makefile.in
@@ -45,6 +45,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -179,6 +180,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -210,14 +213,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -232,24 +238,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -257,7 +270,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
@@ -282,6 +298,7 @@ libfreeswan_a_SOURCES = addrtoa.c addrtot.c addrtypeof.c anyaddr.c atoaddr.c ato
 
 INCLUDES = \
 -I$(top_srcdir)/src/libstrongswan \
+-I$(top_srcdir)/src/libhydra \
 -I$(top_srcdir)/src/pluto
 
 dist_man3_MANS = anyaddr.3 atoaddr.3 atoasr.3 atosa.3 atoul.3 goodmask.3 initaddr.3 initsubnet.3 \
diff --git a/src/libhydra/Android.mk b/src/libhydra/Android.mk
index caad7447a..2418e76ad 100644
--- a/src/libhydra/Android.mk
+++ b/src/libhydra/Android.mk
@@ -7,13 +7,21 @@ hydra.c hydra.h \
 attributes/attributes.c attributes/attributes.h \
 attributes/attribute_provider.h attributes/attribute_handler.h \
 attributes/attribute_manager.c attributes/attribute_manager.h \
-attributes/mem_pool.c attributes/mem_pool.h
+attributes/mem_pool.c attributes/mem_pool.h \
+kernel/kernel_interface.c kernel/kernel_interface.h \
+kernel/kernel_ipsec.c kernel/kernel_ipsec.h \
+kernel/kernel_net.h \
+kernel/kernel_listener.h
 
 # adding the plugin source files
 
 LOCAL_SRC_FILES += $(call add_plugin, attr)
 
-# build libcharon --------------------------------------------------------------
+LOCAL_SRC_FILES += $(call add_plugin, kernel-pfkey)
+
+LOCAL_SRC_FILES += $(call add_plugin, kernel-netlink)
+
+# build libhydra ---------------------------------------------------------------
 
 LOCAL_C_INCLUDES += \
 	$(libvstr_PATH) \
diff --git a/src/libhydra/Makefile.am b/src/libhydra/Makefile.am
index 4e5c55d3f..d0698d0f5 100644
--- a/src/libhydra/Makefile.am
+++ b/src/libhydra/Makefile.am
@@ -5,7 +5,11 @@ hydra.c hydra.h \
 attributes/attributes.c attributes/attributes.h \
 attributes/attribute_provider.h attributes/attribute_handler.h \
 attributes/attribute_manager.c attributes/attribute_manager.h \
-attributes/mem_pool.c attributes/mem_pool.h
+attributes/mem_pool.c attributes/mem_pool.h \
+kernel/kernel_interface.c kernel/kernel_interface.h \
+kernel/kernel_ipsec.c kernel/kernel_ipsec.h \
+kernel/kernel_net.h \
+kernel/kernel_listener.h
 
 libhydra_la_LIBADD =
 
@@ -40,6 +44,34 @@ if MONOLITHIC
 endif
 endif
 
+if USE_KERNEL_PFKEY
+  SUBDIRS += plugins/kernel_pfkey
+if MONOLITHIC
+  libhydra_la_LIBADD += plugins/kernel_pfkey/libstrongswan-kernel-pfkey.la
+endif
+endif
+
+if USE_KERNEL_PFROUTE
+  SUBDIRS += plugins/kernel_pfroute
+if MONOLITHIC
+  libhydra_la_LIBADD += plugins/kernel_pfroute/libstrongswan-kernel-pfroute.la
+endif
+endif
+
+if USE_KERNEL_KLIPS
+  SUBDIRS += plugins/kernel_klips
+if MONOLITHIC
+  libhydra_la_LIBADD += plugins/kernel_klips/libstrongswan-kernel-klips.la
+endif
+endif
+
+if USE_KERNEL_NETLINK
+  SUBDIRS += plugins/kernel_netlink
+if MONOLITHIC
+  libhydra_la_LIBADD += plugins/kernel_netlink/libstrongswan-kernel-netlink.la
+endif
+endif
+
 if USE_RESOLVE
   SUBDIRS += plugins/resolve
 if MONOLITHIC
diff --git a/src/libhydra/Makefile.in b/src/libhydra/Makefile.in
index a3aec26c9..8e5697b79 100644
--- a/src/libhydra/Makefile.in
+++ b/src/libhydra/Makefile.in
@@ -38,8 +38,16 @@ host_triplet = @host@
 @MONOLITHIC_TRUE@@USE_ATTR_TRUE@am__append_2 = plugins/attr/libstrongswan-attr.la
 @USE_ATTR_SQL_TRUE@am__append_3 = plugins/attr_sql
 @MONOLITHIC_TRUE@@USE_ATTR_SQL_TRUE@am__append_4 = plugins/attr_sql/libstrongswan-attr-sql.la
-@USE_RESOLVE_TRUE@am__append_5 = plugins/resolve
-@MONOLITHIC_TRUE@@USE_RESOLVE_TRUE@am__append_6 = plugins/resolve/libstrongswan-resolve.la
+@USE_KERNEL_PFKEY_TRUE@am__append_5 = plugins/kernel_pfkey
+@MONOLITHIC_TRUE@@USE_KERNEL_PFKEY_TRUE@am__append_6 = plugins/kernel_pfkey/libstrongswan-kernel-pfkey.la
+@USE_KERNEL_PFROUTE_TRUE@am__append_7 = plugins/kernel_pfroute
+@MONOLITHIC_TRUE@@USE_KERNEL_PFROUTE_TRUE@am__append_8 = plugins/kernel_pfroute/libstrongswan-kernel-pfroute.la
+@USE_KERNEL_KLIPS_TRUE@am__append_9 = plugins/kernel_klips
+@MONOLITHIC_TRUE@@USE_KERNEL_KLIPS_TRUE@am__append_10 = plugins/kernel_klips/libstrongswan-kernel-klips.la
+@USE_KERNEL_NETLINK_TRUE@am__append_11 = plugins/kernel_netlink
+@MONOLITHIC_TRUE@@USE_KERNEL_NETLINK_TRUE@am__append_12 = plugins/kernel_netlink/libstrongswan-kernel-netlink.la
+@USE_RESOLVE_TRUE@am__append_13 = plugins/resolve
+@MONOLITHIC_TRUE@@USE_RESOLVE_TRUE@am__append_14 = plugins/resolve/libstrongswan-resolve.la
 subdir = src/libhydra
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
@@ -50,6 +58,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -80,9 +89,10 @@ am__base_list = \
 am__installdirs = "$(DESTDIR)$(libdir)"
 LTLIBRARIES = $(lib_LTLIBRARIES)
 libhydra_la_DEPENDENCIES = $(am__append_2) $(am__append_4) \
-	$(am__append_6)
+	$(am__append_6) $(am__append_8) $(am__append_10) \
+	$(am__append_12) $(am__append_14)
 am_libhydra_la_OBJECTS = hydra.lo attributes.lo attribute_manager.lo \
-	mem_pool.lo
+	mem_pool.lo kernel_interface.lo kernel_ipsec.lo
 libhydra_la_OBJECTS = $(am_libhydra_la_OBJECTS)
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
@@ -113,7 +123,9 @@ AM_RECURSIVE_TARGETS = $(RECURSIVE_TARGETS:-recursive=) \
 	distdir
 ETAGS = etags
 CTAGS = ctags
-DIST_SUBDIRS = . plugins/attr plugins/attr_sql plugins/resolve
+DIST_SUBDIRS = . plugins/attr plugins/attr_sql plugins/kernel_pfkey \
+	plugins/kernel_pfroute plugins/kernel_klips \
+	plugins/kernel_netlink plugins/resolve
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 am__relativize = \
   dir0=`pwd`; \
@@ -205,6 +217,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -236,14 +250,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -258,24 +275,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -283,7 +307,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
@@ -301,9 +328,15 @@ hydra.c hydra.h \
 attributes/attributes.c attributes/attributes.h \
 attributes/attribute_provider.h attributes/attribute_handler.h \
 attributes/attribute_manager.c attributes/attribute_manager.h \
-attributes/mem_pool.c attributes/mem_pool.h
-
-libhydra_la_LIBADD = $(am__append_2) $(am__append_4) $(am__append_6)
+attributes/mem_pool.c attributes/mem_pool.h \
+kernel/kernel_interface.c kernel/kernel_interface.h \
+kernel/kernel_ipsec.c kernel/kernel_ipsec.h \
+kernel/kernel_net.h \
+kernel/kernel_listener.h
+
+libhydra_la_LIBADD = $(am__append_2) $(am__append_4) $(am__append_6) \
+	$(am__append_8) $(am__append_10) $(am__append_12) \
+	$(am__append_14)
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
 AM_CFLAGS = \
 -DIPSEC_DIR=\"${ipsecdir}\" \
@@ -312,12 +345,16 @@ AM_CFLAGS = \
 
 EXTRA_DIST = Android.mk
 @MONOLITHIC_FALSE@SUBDIRS = . $(am__append_1) $(am__append_3) \
-@MONOLITHIC_FALSE@	$(am__append_5)
+@MONOLITHIC_FALSE@	$(am__append_5) $(am__append_7) \
+@MONOLITHIC_FALSE@	$(am__append_9) $(am__append_11) \
+@MONOLITHIC_FALSE@	$(am__append_13)
 
 # build optional plugins
 ########################
 @MONOLITHIC_TRUE@SUBDIRS = $(am__append_1) $(am__append_3) \
-@MONOLITHIC_TRUE@	$(am__append_5)
+@MONOLITHIC_TRUE@	$(am__append_5) $(am__append_7) \
+@MONOLITHIC_TRUE@	$(am__append_9) $(am__append_11) \
+@MONOLITHIC_TRUE@	$(am__append_13)
 all: all-recursive
 
 .SUFFIXES:
@@ -395,6 +432,8 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/attribute_manager.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/attributes.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hydra.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_interface.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_ipsec.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mem_pool.Plo@am__quote@
 
 .c.o:
@@ -439,6 +478,20 @@ mem_pool.lo: attributes/mem_pool.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o mem_pool.lo `test -f 'attributes/mem_pool.c' || echo '$(srcdir)/'`attributes/mem_pool.c
 
+kernel_interface.lo: kernel/kernel_interface.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT kernel_interface.lo -MD -MP -MF $(DEPDIR)/kernel_interface.Tpo -c -o kernel_interface.lo `test -f 'kernel/kernel_interface.c' || echo '$(srcdir)/'`kernel/kernel_interface.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/kernel_interface.Tpo $(DEPDIR)/kernel_interface.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='kernel/kernel_interface.c' object='kernel_interface.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o kernel_interface.lo `test -f 'kernel/kernel_interface.c' || echo '$(srcdir)/'`kernel/kernel_interface.c
+
+kernel_ipsec.lo: kernel/kernel_ipsec.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT kernel_ipsec.lo -MD -MP -MF $(DEPDIR)/kernel_ipsec.Tpo -c -o kernel_ipsec.lo `test -f 'kernel/kernel_ipsec.c' || echo '$(srcdir)/'`kernel/kernel_ipsec.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/kernel_ipsec.Tpo $(DEPDIR)/kernel_ipsec.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='kernel/kernel_ipsec.c' object='kernel_ipsec.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o kernel_ipsec.lo `test -f 'kernel/kernel_ipsec.c' || echo '$(srcdir)/'`kernel/kernel_ipsec.c
+
 mostlyclean-libtool:
 	-rm -f *.lo
 
diff --git a/src/libhydra/attributes/mem_pool.c b/src/libhydra/attributes/mem_pool.c
index e1d69fd6b..8af97dc78 100644
--- a/src/libhydra/attributes/mem_pool.c
+++ b/src/libhydra/attributes/mem_pool.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2010 Tobias Brunner
- * Copyright (C) 2008 Martin Willi
+ * Copyright (C) 2008-2010 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -18,7 +18,8 @@
 
 #include <debug.h>
 #include <utils/hashtable.h>
-#include <threading/rwlock.h>
+#include <utils/linked_list.h>
+#include <threading/mutex.h>
 
 #define POOL_LIMIT (sizeof(uintptr_t)*8)
 
@@ -54,26 +55,28 @@ struct private_mem_pool_t {
 	u_int unused;
 
 	/**
-	 * hashtable [identity => offset], for online leases
+	 * lease hashtable [identity => entry]
 	 */
-	hashtable_t *online;
-
-	/**
-	 * hashtable [identity => offset], for offline leases
-	 */
-	hashtable_t *offline;
-
-	/**
-	 * hashtable [identity => identity], handles identity references
-	 */
-	hashtable_t *ids;
+	hashtable_t *leases;
 
 	/**
 	 * lock to safely access the pool
 	 */
-	rwlock_t *lock;
+	mutex_t *mutex;
 };
 
+/**
+ * Lease entry.
+ */
+typedef struct {
+	/* identitiy reference */
+	identification_t *id;
+	/* list of online leases, as offset */
+	linked_list_t *online;
+	/* list of offline leases, as offset */
+	linked_list_t *offline;
+} entry_t;
+
 /**
  * hashtable hash function for identities
  */
@@ -154,43 +157,61 @@ static int host2offset(private_mem_pool_t *pool, host_t *addr)
 }
 
 METHOD(mem_pool_t, get_name, const char*,
-	   private_mem_pool_t *this)
+	private_mem_pool_t *this)
 {
 	return this->name;
 }
 
 METHOD(mem_pool_t, get_size, u_int,
-	   private_mem_pool_t *this)
+	private_mem_pool_t *this)
 {
 	return this->size;
 }
 
 METHOD(mem_pool_t, get_online, u_int,
-	   private_mem_pool_t *this)
+	private_mem_pool_t *this)
 {
-	u_int count;
-	this->lock->read_lock(this->lock);
-	count = this->online->get_count(this->online);
-	this->lock->unlock(this->lock);
+	enumerator_t *enumerator;
+	entry_t *entry;
+	u_int count = 0;
+
+	this->mutex->lock(this->mutex);
+	enumerator = this->leases->create_enumerator(this->leases);
+	while (enumerator->enumerate(enumerator, NULL, &entry))
+	{
+		count += entry->online->get_count(entry->online);
+	}
+	enumerator->destroy(enumerator);
+	this->mutex->unlock(this->mutex);
+
 	return count;
 }
 
 METHOD(mem_pool_t, get_offline, u_int,
-	   private_mem_pool_t *this)
+	private_mem_pool_t *this)
 {
-	u_int count;
-	this->lock->read_lock(this->lock);
-	count = this->offline->get_count(this->offline);
-	this->lock->unlock(this->lock);
+	enumerator_t *enumerator;
+	entry_t *entry;
+	u_int count = 0;
+
+	this->mutex->lock(this->mutex);
+	enumerator = this->leases->create_enumerator(this->leases);
+	while (enumerator->enumerate(enumerator, NULL, &entry))
+	{
+		count += entry->offline->get_count(entry->offline);
+	}
+	enumerator->destroy(enumerator);
+	this->mutex->unlock(this->mutex);
+
 	return count;
 }
 
 METHOD(mem_pool_t, acquire_address, host_t*,
-	   private_mem_pool_t *this, identification_t *id, host_t *requested)
+	private_mem_pool_t *this, identification_t *id, host_t *requested)
 {
-	uintptr_t offset = 0;
+	uintptr_t offset = 0, current;
 	enumerator_t *enumerator;
-	identification_t *old_id;
+	entry_t *entry, *old;
 
 	/* if the pool is empty (e.g. in the %config case) we simply return the
 	 * requested address */
@@ -207,108 +228,114 @@ METHOD(mem_pool_t, acquire_address, host_t*,
 		return NULL;
 	}
 
-	this->lock->write_lock(this->lock);
+	this->mutex->lock(this->mutex);
 	while (TRUE)
 	{
-		/* check for a valid offline lease, refresh */
-		offset = (uintptr_t)this->offline->remove(this->offline, id);
-		if (offset)
+		entry = this->leases->get(this->leases, id);
+		if (entry)
 		{
-			id = this->ids->get(this->ids, id);
-			if (id)
+			/* check for a valid offline lease, refresh */
+			enumerator = entry->offline->create_enumerator(entry->offline);
+			if (enumerator->enumerate(enumerator, &current))
+			{
+				entry->offline->remove_at(entry->offline, enumerator);
+				entry->online->insert_last(entry->online, (void*)current);
+				offset = current;
+			}
+			enumerator->destroy(enumerator);
+			if (offset)
 			{
 				DBG1(DBG_CFG, "reassigning offline lease to '%Y'", id);
-				this->online->put(this->online, id, (void*)offset);
 				break;
 			}
-		}
-
-		/* check for a valid online lease, reassign */
-		offset = (uintptr_t)this->online->get(this->online, id);
-		if (offset)
-		{
-			if (offset == host2offset(this, requested))
+			/* check for a valid online lease to reassign */
+			enumerator = entry->online->create_enumerator(entry->online);
+			while (enumerator->enumerate(enumerator, &current))
 			{
-				DBG1(DBG_CFG, "reassigning online lease to '%Y'", id);
+				if (current == host2offset(this, requested))
+				{
+					offset = current;
+					break;
+				}
 			}
-			else
+			enumerator->destroy(enumerator);
+			if (offset)
 			{
-				DBG1(DBG_CFG, "'%Y' already has an online lease, "
-					 "unable to assign address", id);
-				offset = 0;
+				DBG1(DBG_CFG, "reassigning online lease to '%Y'", id);
+				break;
 			}
-			break;
 		}
-
+		else
+		{
+			INIT(entry,
+				.id = id->clone(id),
+				.online = linked_list_create(),
+				.offline = linked_list_create(),
+			);
+			this->leases->put(this->leases, entry->id, entry);
+		}
 		if (this->unused < this->size)
 		{
-			/* assigning offset, starting by 1. Handling 0 in hashtable
-			 * is difficult. */
+			/* assigning offset, starting by 1 */
 			offset = ++this->unused;
-			id = id->clone(id);
-			this->ids->put(this->ids, id, id);
-			this->online->put(this->online, id, (void*)offset);
+			entry->online->insert_last(entry->online, (void*)offset);
 			DBG1(DBG_CFG, "assigning new lease to '%Y'", id);
 			break;
 		}
 
 		/* no more addresses, replace the first found offline lease */
-		enumerator = this->offline->create_enumerator(this->offline);
-		if (enumerator->enumerate(enumerator, &old_id, &offset))
+		enumerator = this->leases->create_enumerator(this->leases);
+		while (enumerator->enumerate(enumerator, NULL, &old))
 		{
-			offset = (uintptr_t)this->offline->remove(this->offline, old_id);
-			if (offset)
+			if (old->offline->remove_first(old->offline,
+										   (void**)&current) == SUCCESS)
 			{
-				/* destroy reference to old ID */
-				old_id = this->ids->remove(this->ids, old_id);
+				offset = current;
+				entry->online->insert_last(entry->online, (void*)offset);
 				DBG1(DBG_CFG, "reassigning existing offline lease by '%Y'"
-					 " to '%Y'", old_id, id);
-				if (old_id)
-				{
-					old_id->destroy(old_id);
-				}
-				id = id->clone(id);
-				this->ids->put(this->ids, id, id);
-				this->online->put(this->online, id, (void*)offset);
-				enumerator->destroy(enumerator);
+					 " to '%Y'", old->id, id);
 				break;
 			}
 		}
 		enumerator->destroy(enumerator);
-
-		DBG1(DBG_CFG, "pool '%s' is full, unable to assign address",
-			 this->name);
 		break;
 	}
-	this->lock->unlock(this->lock);
+	this->mutex->unlock(this->mutex);
 
 	if (offset)
 	{
 		return offset2host(this, offset);
 	}
+	else
+	{
+		DBG1(DBG_CFG, "pool '%s' is full, unable to assign address",
+			 this->name);
+	}
 	return NULL;
 }
 
 METHOD(mem_pool_t, release_address, bool,
-	   private_mem_pool_t *this, host_t *address, identification_t *id)
+	private_mem_pool_t *this, host_t *address, identification_t *id)
 {
 	bool found = FALSE;
+	entry_t *entry;
+	uintptr_t offset;
+
 	if (this->size != 0)
 	{
-		uintptr_t offset;
-		this->lock->write_lock(this->lock);
-		offset = (uintptr_t)this->online->remove(this->online, id);
-		if (offset)
+		this->mutex->lock(this->mutex);
+		entry = this->leases->get(this->leases, id);
+		if (entry)
 		{
-			id = this->ids->get(this->ids, id);
-			if (id)
+			offset = host2offset(this, address);
+			if (entry->online->remove(entry->online, (void*)offset, NULL) > 0)
 			{
 				DBG1(DBG_CFG, "lease %H by '%Y' went offline", address, id);
-				this->offline->put(this->offline, id, (void*)offset);
+				entry->offline->insert_last(entry->offline, (void*)offset);
 				found = TRUE;
 			}
 		}
-		this->lock->unlock(this->lock);
+		this->mutex->unlock(this->mutex);
 	}
 	return found;
 }
@@ -319,52 +346,69 @@ METHOD(mem_pool_t, release_address, bool,
 typedef struct {
 	/** implemented enumerator interface */
 	enumerator_t public;
-	/** inner hash-table enumerator */
-	enumerator_t *inner;
+	/** hash-table enumerator */
+	enumerator_t *entries;
+	/** online enumerator */
+	enumerator_t *online;
+	/** offline enumerator */
+	enumerator_t *offline;
 	/** enumerated pool */
 	private_mem_pool_t *pool;
+	/** currently enumerated entry */
+	entry_t *entry;
 	/** currently enumerated lease address */
-	host_t *current;
+	host_t *addr;
 } lease_enumerator_t;
 
 METHOD(enumerator_t, lease_enumerate, bool,
-	   lease_enumerator_t *this, identification_t **id_out, host_t **addr_out,
-	   bool *online)
+	lease_enumerator_t *this, identification_t **id, host_t **addr, bool *online)
 {
-	identification_t *id;
 	uintptr_t offset;
 
-	DESTROY_IF(this->current);
-	this->current = NULL;
+	DESTROY_IF(this->addr);
+	this->addr = NULL;
 
-	if (this->inner->enumerate(this->inner, &id, NULL))
+	while (TRUE)
 	{
-		offset = (uintptr_t)this->pool->online->get(this->pool->online, id);
-		if (offset)
+		if (this->entry)
 		{
-			*id_out = id;
-			*addr_out = this->current = offset2host(this->pool, offset);
-			*online = TRUE;
-			return TRUE;
+			if (this->online->enumerate(this->online, (void**)&offset))
+			{
+				*id = this->entry->id;
+				*addr = this->addr = offset2host(this->pool, offset);
+				*online = TRUE;
+				return TRUE;
+			}
+			if (this->offline->enumerate(this->offline, (void**)&offset))
+			{
+				*id = this->entry->id;
+				*addr = this->addr = offset2host(this->pool, offset);
+				*online = FALSE;
+				return TRUE;
+			}
+			this->online->destroy(this->online);
+			this->offline->destroy(this->offline);
+			this->online = this->offline = NULL;
 		}
-		offset = (uintptr_t)this->pool->offline->get(this->pool->offline, id);
-		if (offset)
+		if (!this->entries->enumerate(this->entries, NULL, &this->entry))
 		{
-			*id_out = id;
-			*addr_out = this->current = offset2host(this->pool, offset);
-			*online = FALSE;
-			return TRUE;
+			return FALSE;
 		}
+		this->online = this->entry->online->create_enumerator(
+														this->entry->online);
+		this->offline = this->entry->offline->create_enumerator(
+														this->entry->offline);
 	}
-	return FALSE;
 }
 
 METHOD(enumerator_t, lease_enumerator_destroy, void,
-	   lease_enumerator_t *this)
+	lease_enumerator_t *this)
 {
-	DESTROY_IF(this->current);
-	this->inner->destroy(this->inner);
-	this->pool->lock->unlock(this->pool->lock);
+	DESTROY_IF(this->addr);
+	DESTROY_IF(this->online);
+	DESTROY_IF(this->offline);
+	this->entries->destroy(this->entries);
+	this->pool->mutex->unlock(this->pool->mutex);
 	free(this);
 }
 
@@ -372,35 +416,37 @@ METHOD(mem_pool_t, create_lease_enumerator, enumerator_t*,
 	   private_mem_pool_t *this)
 {
 	lease_enumerator_t *enumerator;
-	this->lock->read_lock(this->lock);
+
+	this->mutex->lock(this->mutex);
 	INIT(enumerator,
 		.public = {
 			.enumerate = (void*)_lease_enumerate,
-			.destroy = (void*)_lease_enumerator_destroy,
+			.destroy = _lease_enumerator_destroy,
 		},
 		.pool = this,
-		.inner = this->ids->create_enumerator(this->ids),
+		.entries = this->leases->create_enumerator(this->leases),
 	);
 	return &enumerator->public;
 }
 
 METHOD(mem_pool_t, destroy, void,
-	   private_mem_pool_t *this)
+	private_mem_pool_t *this)
 {
 	enumerator_t *enumerator;
-	identification_t *id;
+	entry_t *entry;
 
-	enumerator = this->ids->create_enumerator(this->ids);
-	while (enumerator->enumerate(enumerator, &id, NULL))
+	enumerator = this->leases->create_enumerator(this->leases);
+	while (enumerator->enumerate(enumerator, NULL, &entry))
 	{
-		id->destroy(id);
+		entry->id->destroy(entry->id);
+		entry->online->destroy(entry->online);
+		entry->offline->destroy(entry->offline);
+		free(entry);
 	}
 	enumerator->destroy(enumerator);
 
-	this->ids->destroy(this->ids);
-	this->online->destroy(this->online);
-	this->offline->destroy(this->offline);
-	this->lock->destroy(this->lock);
+	this->leases->destroy(this->leases);
+	this->mutex->destroy(this->mutex);
 	DESTROY_IF(this->base);
 	free(this->name);
 	free(this);
@@ -412,6 +458,7 @@ METHOD(mem_pool_t, destroy, void,
 mem_pool_t *mem_pool_create(char *name, host_t *base, int bits)
 {
 	private_mem_pool_t *this;
+	int addr_bits;
 
 	INIT(this,
 		.public = {
@@ -425,18 +472,14 @@ mem_pool_t *mem_pool_create(char *name, host_t *base, int bits)
 			.destroy = _destroy,
 		},
 		.name = strdup(name),
-		.online = hashtable_create((hashtable_hash_t)id_hash,
+		.leases = hashtable_create((hashtable_hash_t)id_hash,
 								   (hashtable_equals_t)id_equals, 16),
-		.offline = hashtable_create((hashtable_hash_t)id_hash,
-									(hashtable_equals_t)id_equals, 16),
-		.ids = hashtable_create((hashtable_hash_t)id_hash,
-								(hashtable_equals_t)id_equals, 16),
-		.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
+		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
 	);
 
 	if (base)
 	{
-		int addr_bits = base->get_family(base) == AF_INET ? 32 : 128;
+		addr_bits = base->get_family(base) == AF_INET ? 32 : 128;
 		/* net bits -> host bits */
 		bits = addr_bits - bits;
 		if (bits > POOL_LIMIT)
diff --git a/src/libhydra/hydra.c b/src/libhydra/hydra.c
index 16a8193ea..f180e36bb 100644
--- a/src/libhydra/hydra.c
+++ b/src/libhydra/hydra.c
@@ -42,6 +42,7 @@ void libhydra_deinit()
 {
 	private_hydra_t *this = (private_hydra_t*)hydra;
 	this->public.attributes->destroy(this->public.attributes);
+	this->public.kernel_interface->destroy(this->public.kernel_interface);
 	free((void*)this->public.daemon);
 	free(this);
 	hydra = NULL;
@@ -57,6 +58,7 @@ bool libhydra_init(const char *daemon)
 	INIT(this,
 		.public = {
 			.attributes = attribute_manager_create(),
+			.kernel_interface = kernel_interface_create(),
 			.daemon = strdup(daemon ?: "libhydra"),
 		},
 	);
diff --git a/src/libhydra/hydra.h b/src/libhydra/hydra.h
index 8670f3969..d7a7d8de4 100644
--- a/src/libhydra/hydra.h
+++ b/src/libhydra/hydra.h
@@ -19,6 +19,9 @@
  * @defgroup attributes attributes
  * @ingroup libhydra
  *
+ * @defgroup hkernel kernel
+ * @ingroup libhydra
+ *
  * @defgroup hplugins plugins
  * @ingroup libhydra
  *
@@ -32,6 +35,7 @@
 typedef struct hydra_t hydra_t;
 
 #include <attributes/attribute_manager.h>
+#include <kernel/kernel_interface.h>
 
 #include <library.h>
 
@@ -45,6 +49,11 @@ struct hydra_t {
 	 */
 	attribute_manager_t *attributes;
 
+	/**
+	 * kernel interface to communicate with kernel
+	 */
+	kernel_interface_t *kernel_interface;
+
 	/**
 	 * name of the daemon that initialized the library
 	 */
diff --git a/src/libhydra/kernel/kernel_interface.c b/src/libhydra/kernel/kernel_interface.c
new file mode 100644
index 000000000..3e6d46205
--- /dev/null
+++ b/src/libhydra/kernel/kernel_interface.c
@@ -0,0 +1,522 @@
+/*
+ * Copyright (C) 2008-2010 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "kernel_interface.h"
+
+#include <debug.h>
+#include <threading/mutex.h>
+#include <utils/linked_list.h>
+
+typedef struct private_kernel_interface_t private_kernel_interface_t;
+
+/**
+ * Private data of a kernel_interface_t object.
+ */
+struct private_kernel_interface_t {
+
+	/**
+	 * Public part of kernel_interface_t object.
+	 */
+	kernel_interface_t public;
+
+	/**
+	 * ipsec interface
+	 */
+	kernel_ipsec_t *ipsec;
+
+	/**
+	 * network interface
+	 */
+	kernel_net_t *net;
+
+	/**
+	 * mutex for listeners
+	 */
+	mutex_t *mutex;
+
+	/**
+	 * list of registered listeners
+	 */
+	linked_list_t *listeners;
+};
+
+METHOD(kernel_interface_t, get_spi, status_t,
+	private_kernel_interface_t *this, host_t *src, host_t *dst,
+	u_int8_t protocol, u_int32_t reqid, u_int32_t *spi)
+{
+	if (!this->ipsec)
+	{
+		return NOT_SUPPORTED;
+	}
+	return this->ipsec->get_spi(this->ipsec, src, dst, protocol, reqid, spi);
+}
+
+METHOD(kernel_interface_t, get_cpi, status_t,
+	private_kernel_interface_t *this, host_t *src, host_t *dst,
+	u_int32_t reqid, u_int16_t *cpi)
+{
+	if (!this->ipsec)
+	{
+		return NOT_SUPPORTED;
+	}
+	return this->ipsec->get_cpi(this->ipsec, src, dst, reqid, cpi);
+}
+
+METHOD(kernel_interface_t, add_sa, status_t,
+	private_kernel_interface_t *this, host_t *src, host_t *dst,
+	u_int32_t spi, u_int8_t protocol, u_int32_t reqid,
+	mark_t mark, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
+	u_int16_t int_alg, chunk_t int_key,	ipsec_mode_t mode, u_int16_t ipcomp,
+	u_int16_t cpi, bool encap, bool inbound, traffic_selector_t *src_ts,
+	traffic_selector_t *dst_ts)
+{
+	if (!this->ipsec)
+	{
+		return NOT_SUPPORTED;
+	}
+	return this->ipsec->add_sa(this->ipsec, src, dst, spi, protocol, reqid,
+			mark, lifetime, enc_alg, enc_key, int_alg, int_key,	mode, ipcomp,
+			cpi, encap, inbound, src_ts, dst_ts);
+}
+
+METHOD(kernel_interface_t, update_sa, status_t,
+	private_kernel_interface_t *this, u_int32_t spi, u_int8_t protocol,
+	u_int16_t cpi, host_t *src, host_t *dst, host_t *new_src, host_t *new_dst,
+	bool encap, bool new_encap, mark_t mark)
+{
+	if (!this->ipsec)
+	{
+		return NOT_SUPPORTED;
+	}
+	return this->ipsec->update_sa(this->ipsec, spi, protocol, cpi, src, dst,
+								  new_src, new_dst, encap, new_encap, mark);
+}
+
+METHOD(kernel_interface_t, query_sa, status_t,
+	private_kernel_interface_t *this, host_t *src, host_t *dst,
+	u_int32_t spi, u_int8_t protocol, mark_t mark, u_int64_t *bytes)
+{
+	if (!this->ipsec)
+	{
+		return NOT_SUPPORTED;
+	}
+	return this->ipsec->query_sa(this->ipsec, src, dst, spi, protocol, mark, bytes);
+}
+
+METHOD(kernel_interface_t, del_sa, status_t,
+	private_kernel_interface_t *this, host_t *src, host_t *dst, u_int32_t spi,
+	u_int8_t protocol, u_int16_t cpi, mark_t mark)
+{
+	if (!this->ipsec)
+	{
+		return NOT_SUPPORTED;
+	}
+	return this->ipsec->del_sa(this->ipsec, src, dst, spi, protocol, cpi, mark);
+}
+
+METHOD(kernel_interface_t, add_policy, status_t,
+	private_kernel_interface_t *this, host_t *src, host_t *dst,
+	traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
+	policy_dir_t direction, policy_type_t type, ipsec_sa_cfg_t *sa,
+	mark_t mark, bool routed)
+{
+	if (!this->ipsec)
+	{
+		return NOT_SUPPORTED;
+	}
+	return this->ipsec->add_policy(this->ipsec, src, dst, src_ts, dst_ts,
+								   direction, type, sa, mark, routed);
+}
+
+METHOD(kernel_interface_t, query_policy, status_t,
+	private_kernel_interface_t *this, traffic_selector_t *src_ts,
+	traffic_selector_t *dst_ts, policy_dir_t direction, mark_t mark,
+	u_int32_t *use_time)
+{
+	if (!this->ipsec)
+	{
+		return NOT_SUPPORTED;
+	}
+	return this->ipsec->query_policy(this->ipsec, src_ts, dst_ts,
+									 direction, mark, use_time);
+}
+
+METHOD(kernel_interface_t, del_policy, status_t,
+	private_kernel_interface_t *this, traffic_selector_t *src_ts,
+	traffic_selector_t *dst_ts, policy_dir_t direction, mark_t mark,
+	bool unrouted)
+{
+	if (!this->ipsec)
+	{
+		return NOT_SUPPORTED;
+	}
+	return this->ipsec->del_policy(this->ipsec, src_ts, dst_ts,
+								   direction, mark, unrouted);
+}
+
+METHOD(kernel_interface_t, get_source_addr, host_t*,
+	private_kernel_interface_t *this, host_t *dest, host_t *src)
+{
+	if (!this->net)
+	{
+		return NULL;
+	}
+	return this->net->get_source_addr(this->net, dest, src);
+}
+
+METHOD(kernel_interface_t, get_nexthop, host_t*,
+	private_kernel_interface_t *this, host_t *dest)
+{
+	if (!this->net)
+	{
+		return NULL;
+	}
+	return this->net->get_nexthop(this->net, dest);
+}
+
+METHOD(kernel_interface_t, get_interface, char*,
+	private_kernel_interface_t *this, host_t *host)
+{
+	if (!this->net)
+	{
+		return NULL;
+	}
+	return this->net->get_interface(this->net, host);
+}
+
+METHOD(kernel_interface_t, create_address_enumerator, enumerator_t*,
+	private_kernel_interface_t *this, bool include_down_ifaces,
+	bool include_virtual_ips)
+{
+	if (!this->net)
+	{
+		return enumerator_create_empty();
+	}
+	return this->net->create_address_enumerator(this->net, include_down_ifaces,
+												include_virtual_ips);
+}
+
+METHOD(kernel_interface_t, add_ip, status_t,
+	private_kernel_interface_t *this, host_t *virtual_ip, host_t *iface_ip)
+{
+	if (!this->net)
+	{
+		return NOT_SUPPORTED;
+	}
+	return this->net->add_ip(this->net, virtual_ip, iface_ip);
+}
+
+METHOD(kernel_interface_t, del_ip, status_t,
+	private_kernel_interface_t *this, host_t *virtual_ip)
+{
+	if (!this->net)
+	{
+		return NOT_SUPPORTED;
+	}
+	return this->net->del_ip(this->net, virtual_ip);
+}
+
+METHOD(kernel_interface_t, add_route, status_t,
+	private_kernel_interface_t *this, chunk_t dst_net,
+	u_int8_t prefixlen, host_t *gateway, host_t *src_ip, char *if_name)
+{
+	if (!this->net)
+	{
+		return NOT_SUPPORTED;
+	}
+	return this->net->add_route(this->net, dst_net, prefixlen, gateway,
+								src_ip, if_name);
+}
+
+METHOD(kernel_interface_t, del_route, status_t,
+	private_kernel_interface_t *this, chunk_t dst_net,
+	u_int8_t prefixlen, host_t *gateway, host_t *src_ip, char *if_name)
+{
+	if (!this->net)
+	{
+		return NOT_SUPPORTED;
+	}
+	return this->net->del_route(this->net, dst_net, prefixlen, gateway,
+								src_ip, if_name);
+}
+
+METHOD(kernel_interface_t, bypass_socket, bool,
+	private_kernel_interface_t *this, int fd, int family)
+{
+	if (!this->ipsec)
+	{
+		return FALSE;
+	}
+	return this->ipsec->bypass_socket(this->ipsec, fd, family);
+}
+
+METHOD(kernel_interface_t, get_address_by_ts, status_t,
+	private_kernel_interface_t *this, traffic_selector_t *ts, host_t **ip)
+{
+	enumerator_t *addrs;
+	host_t *host;
+	int family;
+	bool found = FALSE;
+
+	DBG2(DBG_KNL, "getting a local address in traffic selector %R", ts);
+
+	/* if we have a family which includes localhost, we do not
+	 * search for an IP, we use the default */
+	family = ts->get_type(ts) == TS_IPV4_ADDR_RANGE ? AF_INET : AF_INET6;
+
+	if (family == AF_INET)
+	{
+		host = host_create_from_string("127.0.0.1", 0);
+	}
+	else
+	{
+		host = host_create_from_string("::1", 0);
+	}
+
+	if (ts->includes(ts, host))
+	{
+		*ip = host_create_any(family);
+		host->destroy(host);
+		DBG2(DBG_KNL, "using host %H", *ip);
+		return SUCCESS;
+	}
+	host->destroy(host);
+
+	addrs = create_address_enumerator(this, TRUE, TRUE);
+	while (addrs->enumerate(addrs, (void**)&host))
+	{
+		if (ts->includes(ts, host))
+		{
+			found = TRUE;
+			*ip = host->clone(host);
+			break;
+		}
+	}
+	addrs->destroy(addrs);
+
+	if (!found)
+	{
+		DBG1(DBG_KNL, "no local address found in traffic selector %R", ts);
+		return FAILED;
+	}
+
+	DBG2(DBG_KNL, "using host %H", *ip);
+	return SUCCESS;
+}
+
+
+METHOD(kernel_interface_t, add_ipsec_interface, void,
+	private_kernel_interface_t *this, kernel_ipsec_constructor_t constructor)
+{
+	if (!this->ipsec)
+	{
+		this->ipsec = constructor();
+	}
+}
+
+METHOD(kernel_interface_t, remove_ipsec_interface, void,
+	private_kernel_interface_t *this, kernel_ipsec_constructor_t constructor)
+{
+	/* TODO: replace if interface currently in use */
+}
+
+METHOD(kernel_interface_t, add_net_interface, void,
+	private_kernel_interface_t *this, kernel_net_constructor_t constructor)
+{
+	if (!this->net)
+	{
+		this->net = constructor();
+	}
+}
+
+METHOD(kernel_interface_t, remove_net_interface, void,
+	private_kernel_interface_t *this, kernel_net_constructor_t constructor)
+{
+	/* TODO: replace if interface currently in use */
+}
+
+METHOD(kernel_interface_t, add_listener, void,
+	private_kernel_interface_t *this, kernel_listener_t *listener)
+{
+	this->mutex->lock(this->mutex);
+	this->listeners->insert_last(this->listeners, listener);
+	this->mutex->unlock(this->mutex);
+}
+
+METHOD(kernel_interface_t, remove_listener, void,
+	private_kernel_interface_t *this, kernel_listener_t *listener)
+{
+	this->mutex->lock(this->mutex);
+	this->listeners->remove(this->listeners, listener, NULL);
+	this->mutex->unlock(this->mutex);
+}
+
+METHOD(kernel_interface_t, acquire, void,
+	private_kernel_interface_t *this, u_int32_t reqid,
+	traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
+{
+	kernel_listener_t *listener;
+	enumerator_t *enumerator;
+	this->mutex->lock(this->mutex);
+	enumerator = this->listeners->create_enumerator(this->listeners);
+	while (enumerator->enumerate(enumerator, &listener))
+	{
+		if (listener->acquire &&
+			!listener->acquire(listener, reqid, src_ts, dst_ts))
+		{
+			this->listeners->remove_at(this->listeners, enumerator);
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->mutex->unlock(this->mutex);
+}
+
+METHOD(kernel_interface_t, expire, void,
+	private_kernel_interface_t *this, u_int32_t reqid, u_int8_t protocol,
+	u_int32_t spi, bool hard)
+{
+	kernel_listener_t *listener;
+	enumerator_t *enumerator;
+	this->mutex->lock(this->mutex);
+	enumerator = this->listeners->create_enumerator(this->listeners);
+	while (enumerator->enumerate(enumerator, &listener))
+	{
+		if (listener->expire &&
+			!listener->expire(listener, reqid, protocol, spi, hard))
+		{
+			this->listeners->remove_at(this->listeners, enumerator);
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->mutex->unlock(this->mutex);
+}
+
+METHOD(kernel_interface_t, mapping, void,
+	private_kernel_interface_t *this, u_int32_t reqid, u_int32_t spi,
+	host_t *remote)
+{
+	kernel_listener_t *listener;
+	enumerator_t *enumerator;
+	this->mutex->lock(this->mutex);
+	enumerator = this->listeners->create_enumerator(this->listeners);
+	while (enumerator->enumerate(enumerator, &listener))
+	{
+		if (listener->mapping &&
+			!listener->mapping(listener, reqid, spi, remote))
+		{
+			this->listeners->remove_at(this->listeners, enumerator);
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->mutex->unlock(this->mutex);
+}
+
+METHOD(kernel_interface_t, migrate, void,
+	private_kernel_interface_t *this, u_int32_t reqid,
+	traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
+	policy_dir_t direction, host_t *local, host_t *remote)
+{
+	kernel_listener_t *listener;
+	enumerator_t *enumerator;
+	this->mutex->lock(this->mutex);
+	enumerator = this->listeners->create_enumerator(this->listeners);
+	while (enumerator->enumerate(enumerator, &listener))
+	{
+		if (listener->migrate &&
+			!listener->migrate(listener, reqid, src_ts, dst_ts, direction,
+							   local, remote))
+		{
+			this->listeners->remove_at(this->listeners, enumerator);
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->mutex->unlock(this->mutex);
+}
+
+static bool call_roam(kernel_listener_t *listener, bool *roam)
+{
+	return listener->roam && !listener->roam(listener, *roam);
+}
+
+METHOD(kernel_interface_t, roam, void,
+	private_kernel_interface_t *this, bool address)
+{
+	this->mutex->lock(this->mutex);
+	this->listeners->remove(this->listeners, &address, (void*)call_roam);
+	this->mutex->unlock(this->mutex);
+}
+
+METHOD(kernel_interface_t, destroy, void,
+	private_kernel_interface_t *this)
+{
+	DESTROY_IF(this->ipsec);
+	DESTROY_IF(this->net);
+	this->mutex->destroy(this->mutex);
+	this->listeners->destroy(this->listeners);
+	free(this);
+}
+
+/*
+ * Described in header-file
+ */
+kernel_interface_t *kernel_interface_create()
+{
+	private_kernel_interface_t *this;
+
+	INIT(this,
+		.public = {
+			.get_spi = _get_spi,
+			.get_cpi = _get_cpi,
+			.add_sa = _add_sa,
+			.update_sa = _update_sa,
+			.query_sa = _query_sa,
+			.del_sa = _del_sa,
+			.add_policy = _add_policy,
+			.query_policy = _query_policy,
+			.del_policy = _del_policy,
+			.get_source_addr = _get_source_addr,
+			.get_nexthop = _get_nexthop,
+			.get_interface = _get_interface,
+			.create_address_enumerator = _create_address_enumerator,
+			.add_ip = _add_ip,
+			.del_ip = _del_ip,
+			.add_route = _add_route,
+			.del_route = _del_route,
+			.bypass_socket = _bypass_socket,
+
+			.get_address_by_ts = _get_address_by_ts,
+			.add_ipsec_interface = _add_ipsec_interface,
+			.remove_ipsec_interface = _remove_ipsec_interface,
+			.add_net_interface = _add_net_interface,
+			.remove_net_interface = _remove_net_interface,
+
+			.add_listener = _add_listener,
+			.remove_listener = _remove_listener,
+			.acquire = _acquire,
+			.expire = _expire,
+			.mapping = _mapping,
+			.migrate = _migrate,
+			.roam = _roam,
+			.destroy = _destroy,
+		},
+		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+		.listeners = linked_list_create(),
+	);
+
+	return &this->public;
+}
+
diff --git a/src/libhydra/kernel/kernel_interface.h b/src/libhydra/kernel/kernel_interface.h
new file mode 100644
index 000000000..8b0c7a296
--- /dev/null
+++ b/src/libhydra/kernel/kernel_interface.h
@@ -0,0 +1,476 @@
+/*
+ * Copyright (C) 2006-2010 Tobias Brunner
+ * Copyright (C) 2006 Daniel Roethlisberger
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup kernel_interface kernel_interface
+ * @{ @ingroup hkernel
+ */
+
+#ifndef KERNEL_INTERFACE_H_
+#define KERNEL_INTERFACE_H_
+
+typedef struct kernel_interface_t kernel_interface_t;
+
+#include <utils/host.h>
+#include <crypto/prf_plus.h>
+
+#include <kernel/kernel_listener.h>
+#include <kernel/kernel_ipsec.h>
+#include <kernel/kernel_net.h>
+
+/**
+ * Constructor function for ipsec kernel interface
+ */
+typedef kernel_ipsec_t* (*kernel_ipsec_constructor_t)(void);
+
+/**
+ * Constructor function for network kernel interface
+ */
+typedef kernel_net_t* (*kernel_net_constructor_t)(void);
+
+/**
+ * Manager and wrapper for different kernel interfaces.
+ *
+ * The kernel interface handles the communication with the kernel
+ * for SA and policy management and interface and IP address management.
+ */
+struct kernel_interface_t {
+
+	/**
+	 * Get a SPI from the kernel.
+	 *
+	 * @param src		source address of SA
+	 * @param dst		destination address of SA
+	 * @param protocol	protocol for SA (ESP/AH)
+	 * @param reqid		unique ID for this SA
+	 * @param spi		allocated spi
+	 * @return				SUCCESS if operation completed
+	 */
+	status_t (*get_spi)(kernel_interface_t *this, host_t *src, host_t *dst,
+						u_int8_t protocol, u_int32_t reqid, u_int32_t *spi);
+
+	/**
+	 * Get a Compression Parameter Index (CPI) from the kernel.
+	 *
+	 * @param src		source address of SA
+	 * @param dst		destination address of SA
+	 * @param reqid		unique ID for the corresponding SA
+	 * @param cpi		allocated cpi
+	 * @return				SUCCESS if operation completed
+	 */
+	status_t (*get_cpi)(kernel_interface_t *this, host_t *src, host_t *dst,
+						u_int32_t reqid, u_int16_t *cpi);
+
+	/**
+	 * Add an SA to the SAD.
+	 *
+	 * add_sa() may update an already allocated
+	 * SPI (via get_spi). In this case, the replace
+	 * flag must be set.
+	 * This function does install a single SA for a
+	 * single protocol in one direction.
+	 *
+	 * @param src			source address for this SA
+	 * @param dst			destination address for this SA
+	 * @param spi			SPI allocated by us or remote peer
+	 * @param protocol		protocol for this SA (ESP/AH)
+	 * @param reqid			unique ID for this SA
+	 * @param mark			optional mark for this SA
+	 * @param lifetime		lifetime_cfg_t for this SA
+	 * @param enc_alg		Algorithm to use for encryption (ESP only)
+	 * @param enc_key		key to use for encryption
+	 * @param int_alg		Algorithm to use for integrity protection
+	 * @param int_key		key to use for integrity protection
+	 * @param mode			mode of the SA (tunnel, transport)
+	 * @param ipcomp		IPComp transform to use
+	 * @param cpi			CPI for IPComp
+	 * @param encap			enable UDP encapsulation for NAT traversal
+	 * @param inbound		TRUE if this is an inbound SA
+	 * @param src_ts		traffic selector with BEET source address
+	 * @param dst_ts		traffic selector with BEET destination address
+	 * @return				SUCCESS if operation completed
+	 */
+	status_t (*add_sa) (kernel_interface_t *this,
+						host_t *src, host_t *dst, u_int32_t spi,
+						u_int8_t protocol, u_int32_t reqid, mark_t mark,
+						lifetime_cfg_t *lifetime,
+						u_int16_t enc_alg, chunk_t enc_key,
+						u_int16_t int_alg, chunk_t int_key,
+						ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
+						bool encap, bool inbound,
+						traffic_selector_t *src_ts, traffic_selector_t *dst_ts);
+
+	/**
+	 * Update the hosts on an installed SA.
+	 *
+	 * We cannot directly update the destination address as the kernel
+	 * requires the spi, the protocol AND the destination address (and family)
+	 * to identify SAs. Therefore if the destination address changed we
+	 * create a new SA and delete the old one.
+	 *
+	 * @param spi			SPI of the SA
+	 * @param protocol		protocol for this SA (ESP/AH)
+	 * @param cpi			CPI for IPComp, 0 if no IPComp is used
+	 * @param src			current source address
+	 * @param dst			current destination address
+	 * @param new_src		new source address
+	 * @param new_dst		new destination address
+	 * @param encap			current use of UDP encapsulation
+	 * @param new_encap		new use of UDP encapsulation
+	 * @param mark			optional mark for this SA
+	 * @return				SUCCESS if operation completed, NOT_SUPPORTED if
+	 *					  the kernel interface can't update the SA
+	 */
+	status_t (*update_sa)(kernel_interface_t *this,
+						  u_int32_t spi, u_int8_t protocol, u_int16_t cpi,
+						  host_t *src, host_t *dst,
+						  host_t *new_src, host_t *new_dst,
+						  bool encap, bool new_encap, mark_t mark);
+
+	/**
+	 * Query the number of bytes processed by an SA from the SAD.
+	 *
+	 * @param src			source address for this SA
+	 * @param dst			destination address for this SA
+	 * @param spi			SPI allocated by us or remote peer
+	 * @param protocol		protocol for this SA (ESP/AH)
+	 * @param mark			optional mark for this SA
+	 * @param[out] bytes	the number of bytes processed by SA
+	 * @return				SUCCESS if operation completed
+	 */
+	status_t (*query_sa) (kernel_interface_t *this, host_t *src, host_t *dst,
+						  u_int32_t spi, u_int8_t protocol, mark_t mark,
+						  u_int64_t *bytes);
+
+	/**
+	 * Delete a previously installed SA from the SAD.
+	 *
+	 * @param src			source address for this SA
+	 * @param dst			destination address for this SA
+	 * @param spi			SPI allocated by us or remote peer
+	 * @param protocol		protocol for this SA (ESP/AH)
+	 * @param cpi			CPI for IPComp or 0
+	 * @param mark			optional mark for this SA
+	 * @return				SUCCESS if operation completed
+	 */
+	status_t (*del_sa) (kernel_interface_t *this, host_t *src, host_t *dst,
+						u_int32_t spi, u_int8_t protocol, u_int16_t cpi,
+						mark_t mark);
+
+	/**
+	 * Add a policy to the SPD.
+	 *
+	 * A policy is always associated to an SA. Traffic which matches a
+	 * policy is handled by the SA with the same reqid.
+	 *
+	 * @param src			source address of SA
+	 * @param dst			dest address of SA
+	 * @param src_ts		traffic selector to match traffic source
+	 * @param dst_ts		traffic selector to match traffic dest
+	 * @param direction		direction of traffic, POLICY_(IN|OUT|FWD)
+	 * @param type			type of policy, POLICY_(IPSEC|PASS|DROP)
+	 * @param sa			details about the SA(s) tied to this policy
+	 * @param mark			mark for this policy
+	 * @param routed		TRUE, if this policy is routed in the kernel
+	 * @return				SUCCESS if operation completed
+	 */
+	status_t (*add_policy) (kernel_interface_t *this,
+							host_t *src, host_t *dst,
+							traffic_selector_t *src_ts,
+							traffic_selector_t *dst_ts,
+							policy_dir_t direction, policy_type_t type,
+							ipsec_sa_cfg_t *sa, mark_t mark, bool routed);
+
+	/**
+	 * Query the use time of a policy.
+	 *
+	 * The use time of a policy is the time the policy was used
+	 * for the last time.
+	 *
+	 * @param src_ts		traffic selector to match traffic source
+	 * @param dst_ts		traffic selector to match traffic dest
+	 * @param direction		direction of traffic, POLICY_(IN|OUT|FWD)
+	 * @param mark			optional mark
+	 * @param[out] use_time	the time of this SA's last use
+	 * @return				SUCCESS if operation completed
+	 */
+	status_t (*query_policy) (kernel_interface_t *this,
+							  traffic_selector_t *src_ts,
+							  traffic_selector_t *dst_ts,
+							  policy_dir_t direction, mark_t mark,
+							  u_int32_t *use_time);
+
+	/**
+	 * Remove a policy from the SPD.
+	 *
+	 * The kernel interface implements reference counting for policies.
+	 * If the same policy is installed multiple times (in the case of rekeying),
+	 * the reference counter is increased. del_policy() decreases the ref counter
+	 * and removes the policy only when no more references are available.
+	 *
+	 * @param src_ts		traffic selector to match traffic source
+	 * @param dst_ts		traffic selector to match traffic dest
+	 * @param direction		direction of traffic, POLICY_(IN|OUT|FWD)
+	 * @param mark			optional mark
+	 * @param unrouted		TRUE, if this policy is unrouted from the kernel
+	 * @return				SUCCESS if operation completed
+	 */
+	status_t (*del_policy) (kernel_interface_t *this,
+							traffic_selector_t *src_ts,
+							traffic_selector_t *dst_ts,
+							policy_dir_t direction, mark_t mark,
+							bool unrouted);
+
+	/**
+	 * Get our outgoing source address for a destination.
+	 *
+	 * Does a route lookup to get the source address used to reach dest.
+	 * The returned host is allocated and must be destroyed.
+	 * An optional src address can be used to check if a route is available
+	 * for given source to dest.
+	 *
+	 * @param dest			target destination address
+	 * @param src			source address to check, or NULL
+	 * @return				outgoing source address, NULL if unreachable
+	 */
+	host_t* (*get_source_addr)(kernel_interface_t *this,
+							   host_t *dest, host_t *src);
+
+	/**
+	 * Get the next hop for a destination.
+	 *
+	 * Does a route lookup to get the next hop used to reach dest.
+	 * The returned host is allocated and must be destroyed.
+	 *
+	 * @param dest			target destination address
+	 * @return				next hop address, NULL if unreachable
+	 */
+	host_t* (*get_nexthop)(kernel_interface_t *this, host_t *dest);
+
+	/**
+	 * Get the interface name of a local address.
+	 *
+	 * @param host			address to get interface name from
+	 * @return				allocated interface name, or NULL if not found
+	 */
+	char* (*get_interface) (kernel_interface_t *this, host_t *host);
+
+	/**
+	 * Creates an enumerator over all local addresses.
+	 *
+	 * This function blocks an internal cached address list until the
+	 * enumerator gets destroyed.
+	 * The hosts are read-only, do not modify of free.
+	 *
+	 * @param include_down_ifaces	TRUE to enumerate addresses from down interfaces
+	 * @param include_virtual_ips	TRUE to enumerate virtual ip addresses
+	 * @return						enumerator over host_t's
+	 */
+	enumerator_t *(*create_address_enumerator) (kernel_interface_t *this,
+						bool include_down_ifaces, bool include_virtual_ips);
+
+	/**
+	 * Add a virtual IP to an interface.
+	 *
+	 * Virtual IPs are attached to an interface. If an IP is added multiple
+	 * times, the IP is refcounted and not removed until del_ip() was called
+	 * as many times as add_ip().
+	 * The virtual IP is attached to the interface where the iface_ip is found.
+	 *
+	 * @param virtual_ip	virtual ip address to assign
+	 * @param iface_ip		IP of an interface to attach virtual IP
+	 * @return				SUCCESS if operation completed
+	 */
+	status_t (*add_ip) (kernel_interface_t *this, host_t *virtual_ip,
+						host_t *iface_ip);
+
+	/**
+	 * Remove a virtual IP from an interface.
+	 *
+	 * The kernel interface uses refcounting, see add_ip().
+	 *
+	 * @param virtual_ip	virtual ip address to assign
+	 * @return				SUCCESS if operation completed
+	 */
+	status_t (*del_ip) (kernel_interface_t *this, host_t *virtual_ip);
+
+	/**
+	 * Add a route.
+	 *
+	 * @param dst_net		destination net
+	 * @param prefixlen		destination net prefix length
+	 * @param gateway		gateway for this route
+	 * @param src_ip		sourc ip of the route
+	 * @param if_name		name of the interface the route is bound to
+	 * @return				SUCCESS if operation completed
+	 *						ALREADY_DONE if the route already exists
+	 */
+	status_t (*add_route) (kernel_interface_t *this, chunk_t dst_net,
+						   u_int8_t prefixlen, host_t *gateway, host_t *src_ip,
+						   char *if_name);
+
+	/**
+	 * Delete a route.
+	 *
+	 * @param dst_net		destination net
+	 * @param prefixlen		destination net prefix length
+	 * @param gateway		gateway for this route
+	 * @param src_ip		sourc ip of the route
+	 * @param if_name		name of the interface the route is bound to
+	 * @return				SUCCESS if operation completed
+	 */
+	status_t (*del_route) (kernel_interface_t *this, chunk_t dst_net,
+						   u_int8_t prefixlen, host_t *gateway, host_t *src_ip,
+						   char *if_name);
+
+	/**
+	 * Set up a bypass policy for a given socket.
+	 *
+	 * @param fd			socket file descriptor to setup policy for
+	 * @param family		protocol family of the socket
+	 * @return				TRUE of policy set up successfully
+	 */
+	bool (*bypass_socket)(kernel_interface_t *this, int fd, int family);
+
+	/**
+	 * manager methods
+	 */
+
+	/**
+	 * Tries to find an ip address of a local interface that is included in the
+	 * supplied traffic selector.
+	 *
+	 * @param ts			traffic selector
+	 * @param ip			returned ip (has to be destroyed)
+	 * @return				SUCCESS if address found
+	 */
+	status_t (*get_address_by_ts)(kernel_interface_t *this,
+								  traffic_selector_t *ts, host_t **ip);
+
+	/**
+	 * Register an ipsec kernel interface constructor on the manager.
+	 *
+	 * @param create			constructor to register
+	 */
+	void (*add_ipsec_interface)(kernel_interface_t *this,
+								kernel_ipsec_constructor_t create);
+
+	/**
+	 * Unregister an ipsec kernel interface constructor.
+	 *
+	 * @param create			constructor to unregister
+	 */
+	void (*remove_ipsec_interface)(kernel_interface_t *this,
+								   kernel_ipsec_constructor_t create);
+
+	/**
+	 * Register a network kernel interface constructor on the manager.
+	 *
+	 * @param create			constructor to register
+	 */
+	void (*add_net_interface)(kernel_interface_t *this,
+							  kernel_net_constructor_t create);
+
+	/**
+	 * Unregister a network kernel interface constructor.
+	 *
+	 * @param create			constructor to unregister
+	 */
+	void (*remove_net_interface)(kernel_interface_t *this,
+								 kernel_net_constructor_t create);
+
+	/**
+	 * Add a listener to the kernel interface.
+	 *
+	 * @param listener			listener to add
+	 */
+	void (*add_listener)(kernel_interface_t *this,
+						 kernel_listener_t *listener);
+
+	/**
+	 * Remove a listener from the kernel interface.
+	 *
+	 * @param listener			listener to remove
+	 */
+	void (*remove_listener)(kernel_interface_t *this,
+							kernel_listener_t *listener);
+
+	/**
+	 * Raise an acquire event.
+	 *
+	 * @param reqid			reqid of the policy to acquire
+	 * @param src_ts		source traffic selector
+	 * @param dst_ts		destination traffic selector
+	 */
+	void (*acquire)(kernel_interface_t *this, u_int32_t reqid,
+					traffic_selector_t *src_ts, traffic_selector_t *dst_ts);
+
+	/**
+	 * Raise an expire event.
+	 *
+	 * @param reqid			reqid of the expired SA
+	 * @param protocol		protocol of the expired SA
+	 * @param spi			spi of the expired SA
+	 * @param hard			TRUE if it is a hard expire, FALSE otherwise
+	 */
+	void (*expire)(kernel_interface_t *this, u_int32_t reqid,
+				   u_int8_t protocol, u_int32_t spi, bool hard);
+
+	/**
+	 * Raise a mapping event.
+	 *
+	 * @param reqid			reqid of the SA
+	 * @param spi			spi of the SA
+	 * @param remote		new remote host
+	 */
+	void (*mapping)(kernel_interface_t *this, u_int32_t reqid, u_int32_t spi,
+					host_t *remote);
+
+	/**
+	 * Raise a migrate event.
+	 *
+	 * @param reqid			reqid of the policy
+	 * @param src_ts		source traffic selector
+	 * @param dst_ts		destination traffic selector
+	 * @param direction		direction of the policy (in|out)
+	 * @param local			local host address to be used in the IKE_SA
+	 * @param remote		remote host address to be used in the IKE_SA
+	 */
+	void (*migrate)(kernel_interface_t *this, u_int32_t reqid,
+					traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
+					policy_dir_t direction, host_t *local, host_t *remote);
+
+	/**
+	 * Raise a roam event.
+	 *
+	 * @param address		TRUE if address list, FALSE if routing changed
+	 */
+	void (*roam)(kernel_interface_t *this, bool address);
+
+	/**
+	 * Destroys a kernel_interface_manager_t object.
+	 */
+	void (*destroy) (kernel_interface_t *this);
+};
+
+/**
+ * Creates an object of type kernel_interface_t.
+ */
+kernel_interface_t *kernel_interface_create(void);
+
+#endif /** KERNEL_INTERFACE_H_ @}*/
diff --git a/src/libhydra/kernel/kernel_ipsec.c b/src/libhydra/kernel/kernel_ipsec.c
new file mode 100644
index 000000000..383685426
--- /dev/null
+++ b/src/libhydra/kernel/kernel_ipsec.c
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "kernel_ipsec.h"
+
+ENUM(ipsec_mode_names, MODE_TRANSPORT, MODE_BEET,
+	"TRANSPORT",
+	"TUNNEL",
+	"BEET",
+);
+
+ENUM(policy_dir_names, POLICY_IN, POLICY_FWD,
+	"in",
+	"out",
+	"fwd"
+);
+
+ENUM(ipcomp_transform_names, IPCOMP_NONE, IPCOMP_LZJH,
+	"IPCOMP_NONE",
+	"IPCOMP_OUI",
+	"IPCOMP_DEFLATE",
+	"IPCOMP_LZS",
+	"IPCOMP_LZJH"
+);
+
diff --git a/src/libhydra/kernel/kernel_ipsec.h b/src/libhydra/kernel/kernel_ipsec.h
new file mode 100644
index 000000000..49d9cc07a
--- /dev/null
+++ b/src/libhydra/kernel/kernel_ipsec.h
@@ -0,0 +1,368 @@
+/*
+ * Copyright (C) 2006-2010 Tobias Brunner
+ * Copyright (C) 2006 Daniel Roethlisberger
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup kernel_ipsec kernel_ipsec
+ * @{ @ingroup hkernel
+ */
+
+#ifndef KERNEL_IPSEC_H_
+#define KERNEL_IPSEC_H_
+
+typedef enum ipsec_mode_t ipsec_mode_t;
+typedef enum policy_dir_t policy_dir_t;
+typedef enum policy_type_t policy_type_t;
+typedef enum ipcomp_transform_t ipcomp_transform_t;
+typedef struct kernel_ipsec_t kernel_ipsec_t;
+typedef struct ipsec_sa_cfg_t ipsec_sa_cfg_t;
+typedef struct lifetime_cfg_t lifetime_cfg_t;
+typedef struct mark_t mark_t;
+
+#include <utils/host.h>
+#include <crypto/prf_plus.h>
+#include <selectors/traffic_selector.h>
+
+/**
+ * Mode of an IPsec SA.
+ */
+enum ipsec_mode_t {
+	/** transport mode, no inner address */
+	MODE_TRANSPORT = 1,
+	/** tunnel mode, inner and outer addresses */
+	MODE_TUNNEL,
+	/** BEET mode, tunnel mode but fixed, bound inner addresses */
+	MODE_BEET,
+};
+
+/**
+ * enum names for ipsec_mode_t.
+ */
+extern enum_name_t *ipsec_mode_names;
+
+/**
+ * Direction of a policy. These are equal to those
+ * defined in xfrm.h, but we want to stay implementation
+ * neutral here.
+ */
+enum policy_dir_t {
+	/** Policy for inbound traffic */
+	POLICY_IN = 0,
+	/** Policy for outbound traffic */
+	POLICY_OUT = 1,
+	/** Policy for forwarded traffic */
+	POLICY_FWD = 2,
+};
+
+/**
+ * enum names for policy_dir_t.
+ */
+extern enum_name_t *policy_dir_names;
+
+/**
+ * Type of a policy.
+ */
+enum policy_type_t {
+	/** Normal IPsec policy */
+	POLICY_IPSEC = 1,
+	/** Passthrough policy (traffic is ignored by IPsec) */
+	POLICY_PASS,
+	/** Drop policy (traffic is discarded) */
+	POLICY_DROP,
+};
+
+/**
+ * IPComp transform IDs, as in RFC 4306
+ */
+enum ipcomp_transform_t {
+	IPCOMP_NONE = 0,
+	IPCOMP_OUI = 1,
+	IPCOMP_DEFLATE = 2,
+	IPCOMP_LZS = 3,
+	IPCOMP_LZJH = 4,
+};
+
+/**
+ * enum strings for ipcomp_transform_t.
+ */
+extern enum_name_t *ipcomp_transform_names;
+
+/**
+ * This struct contains details about IPsec SA(s) tied to a policy.
+ */
+struct ipsec_sa_cfg_t {
+	/** mode of SA (tunnel, transport) */
+	ipsec_mode_t mode;
+	/** unique ID */
+	u_int32_t reqid;
+	/** details about ESP/AH */
+	struct {
+		/** TRUE if this protocol is used */
+		bool use;
+		/** SPI for ESP/AH */
+		u_int32_t spi;
+	} esp, ah;
+	/** details about IPComp */
+	struct {
+		/** the IPComp transform used */
+		u_int16_t transform;
+		/** CPI for IPComp */
+		u_int16_t cpi;
+	} ipcomp;
+};
+
+/**
+ * A lifetime_cfg_t defines the lifetime limits of an SA.
+ *
+ * Set any of these values to 0 to ignore.
+ */
+struct lifetime_cfg_t {
+	struct {
+		/** Limit before the SA gets invalid. */
+		u_int64_t	life;
+		/** Limit before the SA gets rekeyed. */
+		u_int64_t	rekey;
+		/** The range of a random value subtracted from rekey. */
+		u_int64_t	jitter;
+	} time, bytes, packets;
+};
+
+/**
+ * A mark_t defines an optional mark in an IPsec SA.
+ */
+struct mark_t {
+	/** Mark value */
+	u_int32_t value;
+	/** Mark mask */
+	u_int32_t mask;
+};
+
+/**
+ * Interface to the ipsec subsystem of the kernel.
+ *
+ * The kernel ipsec interface handles the communication with the kernel
+ * for SA and policy management. It allows setup of these, and provides
+ * further the handling of kernel events.
+ * Policy information are cached in the interface. This is necessary to do
+ * reference counting. The Linux kernel does not allow the same policy
+ * installed twice, but we need this as CHILD_SA exist multiple times
+ * when rekeying. Thats why we do reference counting of policies.
+ */
+struct kernel_ipsec_t {
+
+	/**
+	 * Get a SPI from the kernel.
+	 *
+	 * @param src		source address of SA
+	 * @param dst		destination address of SA
+	 * @param protocol	protocol for SA (ESP/AH)
+	 * @param reqid		unique ID for this SA
+	 * @param spi		allocated spi
+	 * @return				SUCCESS if operation completed
+	 */
+	status_t (*get_spi)(kernel_ipsec_t *this, host_t *src, host_t *dst,
+						u_int8_t protocol, u_int32_t reqid, u_int32_t *spi);
+
+	/**
+	 * Get a Compression Parameter Index (CPI) from the kernel.
+	 *
+	 * @param src		source address of SA
+	 * @param dst		destination address of SA
+	 * @param reqid		unique ID for the corresponding SA
+	 * @param cpi		allocated cpi
+	 * @return				SUCCESS if operation completed
+	 */
+	status_t (*get_cpi)(kernel_ipsec_t *this, host_t *src, host_t *dst,
+						u_int32_t reqid, u_int16_t *cpi);
+
+	/**
+	 * Add an SA to the SAD.
+	 *
+	 * add_sa() may update an already allocated
+	 * SPI (via get_spi). In this case, the replace
+	 * flag must be set.
+	 * This function does install a single SA for a
+	 * single protocol in one direction.
+	 *
+	 * @param src			source address for this SA
+	 * @param dst			destination address for this SA
+	 * @param spi			SPI allocated by us or remote peer
+	 * @param protocol		protocol for this SA (ESP/AH)
+	 * @param reqid			unique ID for this SA
+	 * @param mark			mark for this SA
+	 * @param lifetime		lifetime_cfg_t for this SA
+	 * @param enc_alg		Algorithm to use for encryption (ESP only)
+	 * @param enc_key		key to use for encryption
+	 * @param int_alg		Algorithm to use for integrity protection
+	 * @param int_key		key to use for integrity protection
+	 * @param mode			mode of the SA (tunnel, transport)
+	 * @param ipcomp		IPComp transform to use
+	 * @param cpi			CPI for IPComp
+	 * @param encap			enable UDP encapsulation for NAT traversal
+	 * @param inbound		TRUE if this is an inbound SA
+	 * @param src_ts		traffic selector with BEET source address
+	 * @param dst_ts		traffic selector with BEET destination address
+	 * @return				SUCCESS if operation completed
+	 */
+	status_t (*add_sa) (kernel_ipsec_t *this,
+						host_t *src, host_t *dst, u_int32_t spi,
+						u_int8_t protocol, u_int32_t reqid,
+						mark_t mark, lifetime_cfg_t *lifetime,
+						u_int16_t enc_alg, chunk_t enc_key,
+						u_int16_t int_alg, chunk_t int_key,
+						ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
+						bool encap, bool inbound,
+						traffic_selector_t *src_ts, traffic_selector_t *dst_ts);
+
+	/**
+	 * Update the hosts on an installed SA.
+	 *
+	 * We cannot directly update the destination address as the kernel
+	 * requires the spi, the protocol AND the destination address (and family)
+	 * to identify SAs. Therefore if the destination address changed we
+	 * create a new SA and delete the old one.
+	 *
+	 * @param spi			SPI of the SA
+	 * @param protocol		protocol for this SA (ESP/AH)
+	 * @param cpi			CPI for IPComp, 0 if no IPComp is used
+	 * @param src			current source address
+	 * @param dst			current destination address
+	 * @param new_src		new source address
+	 * @param new_dst		new destination address
+	 * @param encap			current use of UDP encapsulation
+	 * @param new_encap		new use of UDP encapsulation
+	 * @param mark			optional mark for this SA
+	 * @return				SUCCESS if operation completed, NOT_SUPPORTED if
+	 *					  the kernel interface can't update the SA
+	 */
+	status_t (*update_sa)(kernel_ipsec_t *this,
+						  u_int32_t spi, u_int8_t protocol, u_int16_t cpi,
+						  host_t *src, host_t *dst,
+						  host_t *new_src, host_t *new_dst,
+						  bool encap, bool new_encap, mark_t mark);
+
+	/**
+	 * Query the number of bytes processed by an SA from the SAD.
+	 *
+	 * @param src			source address for this SA
+	 * @param dst			destination address for this SA
+	 * @param spi			SPI allocated by us or remote peer
+	 * @param protocol		protocol for this SA (ESP/AH)
+	 * @param mark			optional mark for this SA
+	 * @param[out] bytes	the number of bytes processed by SA
+	 * @return				SUCCESS if operation completed
+	 */
+	status_t (*query_sa) (kernel_ipsec_t *this, host_t *src, host_t *dst,
+						  u_int32_t spi, u_int8_t protocol, mark_t mark,
+						  u_int64_t *bytes);
+
+	/**
+	 * Delete a previusly installed SA from the SAD.
+	 *
+	 * @param src			source address for this SA
+	 * @param dst			destination address for this SA
+	 * @param spi			SPI allocated by us or remote peer
+	 * @param protocol		protocol for this SA (ESP/AH)
+	 * @param cpi			CPI for IPComp or 0
+	 * @param mark			optional mark for this SA
+	 * @return				SUCCESS if operation completed
+	 */
+	status_t (*del_sa) (kernel_ipsec_t *this, host_t *src, host_t *dst,
+						u_int32_t spi, u_int8_t protocol, u_int16_t cpi,
+						mark_t mark);
+
+	/**
+	 * Add a policy to the SPD.
+	 *
+	 * A policy is always associated to an SA. Traffic which matches a
+	 * policy is handled by the SA with the same reqid.
+	 *
+	 * @param src			source address of SA
+	 * @param dst			dest address of SA
+	 * @param src_ts		traffic selector to match traffic source
+	 * @param dst_ts		traffic selector to match traffic dest
+	 * @param direction		direction of traffic, POLICY_(IN|OUT|FWD)
+	 * @param type			type of policy, POLICY_(IPSEC|PASS|DROP)
+	 * @param sa			details about the SA(s) tied to this policy
+	 * @param mark			mark for this policy
+	 * @param routed		TRUE, if this policy is routed in the kernel
+	 * @return				SUCCESS if operation completed
+	 */
+	status_t (*add_policy) (kernel_ipsec_t *this,
+							host_t *src, host_t *dst,
+							traffic_selector_t *src_ts,
+							traffic_selector_t *dst_ts,
+							policy_dir_t direction, policy_type_t type,
+							ipsec_sa_cfg_t *sa, mark_t mark, bool routed);
+
+	/**
+	 * Query the use time of a policy.
+	 *
+	 * The use time of a policy is the time the policy was used for the last
+	 * time. It is not the system time, but a monotonic timestamp as returned
+	 * by time_monotonic.
+	 *
+	 * @param src_ts		traffic selector to match traffic source
+	 * @param dst_ts		traffic selector to match traffic dest
+	 * @param direction		direction of traffic, POLICY_(IN|OUT|FWD)
+	 * @param mark			optional mark
+	 * @param[out] use_time	the monotonic timestamp of this SA's last use
+	 * @return				SUCCESS if operation completed
+	 */
+	status_t (*query_policy) (kernel_ipsec_t *this,
+							  traffic_selector_t *src_ts,
+							  traffic_selector_t *dst_ts,
+							  policy_dir_t direction, mark_t mark,
+							  u_int32_t *use_time);
+
+	/**
+	 * Remove a policy from the SPD.
+	 *
+	 * The kernel interface implements reference counting for policies.
+	 * If the same policy is installed multiple times (in the case of rekeying),
+	 * the reference counter is increased. del_policy() decreases the ref counter
+	 * and removes the policy only when no more references are available.
+	 *
+	 * @param src_ts		traffic selector to match traffic source
+	 * @param dst_ts		traffic selector to match traffic dest
+	 * @param direction		direction of traffic, POLICY_(IN|OUT|FWD)
+	 * @param mark			optional mark
+	 * @param unrouted		TRUE, if this policy is unrouted from the kernel
+	 * @return				SUCCESS if operation completed
+	 */
+	status_t (*del_policy) (kernel_ipsec_t *this,
+							traffic_selector_t *src_ts,
+							traffic_selector_t *dst_ts,
+							policy_dir_t direction, mark_t mark,
+							bool unrouted);
+
+	/**
+	 * Install a bypass policy for the given socket.
+	 *
+	 * @param fd			socket file descriptor to setup policy for
+	 * @param family		protocol family of the socket
+	 * @return				TRUE of policy set up successfully
+	 */
+	bool (*bypass_socket)(kernel_ipsec_t *this, int fd, int family);
+
+	/**
+	 * Destroy the implementation.
+	 */
+	void (*destroy) (kernel_ipsec_t *this);
+};
+
+#endif /** KERNEL_IPSEC_H_ @}*/
diff --git a/src/libhydra/kernel/kernel_listener.h b/src/libhydra/kernel/kernel_listener.h
new file mode 100644
index 000000000..6f2dbd23b
--- /dev/null
+++ b/src/libhydra/kernel/kernel_listener.h
@@ -0,0 +1,96 @@
+/*
+ * Copyright (C) 2010 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup kernel_listener kernel_listener
+ * @{ @ingroup hkernel
+ */
+
+#ifndef KERNEL_LISTENER_H_
+#define KERNEL_LISTENER_H_
+
+typedef struct kernel_listener_t kernel_listener_t;
+
+#include <kernel/kernel_ipsec.h>
+#include <selectors/traffic_selector.h>
+#include <utils/host.h>
+
+/**
+ * Interface for components interested in kernel events.
+ *
+ * All hooks are optional.
+ */
+struct kernel_listener_t {
+
+	/**
+	 * Hook called if an acquire event for a policy is received.
+	 *
+	 * @param reqid			reqid of the policy to acquire
+	 * @param src_ts		source traffic selector
+	 * @param dst_ts		destination traffic selector
+	 * @return				TRUE to remain registered, FALSE to unregister
+	 */
+	bool (*acquire)(kernel_listener_t *this, u_int32_t reqid,
+					traffic_selector_t *src_ts, traffic_selector_t *dst_ts);
+
+	/**
+	 * Hook called if an exire event for an IPsec SA is received.
+	 *
+	 * @param reqid			reqid of the expired SA
+	 * @param protocol		protocol of the expired SA
+	 * @param spi			spi of the expired SA
+	 * @param hard			TRUE if it is a hard expire, FALSE otherwise
+	 * @return				TRUE to remain registered, FALSE to unregister
+	 */
+	bool (*expire)(kernel_listener_t *this, u_int32_t reqid,
+				   u_int8_t protocol, u_int32_t spi, bool hard);
+
+	/**
+	 * Hook called if the NAT mappings of an IPsec SA changed.
+	 *
+	 * @param reqid			reqid of the SA
+	 * @param spi			spi of the SA
+	 * @param remote		new remote host
+	 * @return				TRUE to remain registered, FALSE to unregister
+	 */
+	bool (*mapping)(kernel_listener_t *this, u_int32_t reqid, u_int32_t spi,
+					host_t *remote);
+
+	/**
+	 * Hook called if a migrate event for a policy is received.
+	 *
+	 * @param reqid			reqid of the policy
+	 * @param src_ts		source traffic selector
+	 * @param dst_ts		destination traffic selector
+	 * @param direction		direction of the policy (in|out)
+	 * @param local			local host address to be used in the IKE_SA
+	 * @param remote		remote host address to be used in the IKE_SA
+	 * @return				TRUE to remain registered, FALSE to unregister
+	 */
+	bool (*migrate)(kernel_listener_t *this, u_int32_t reqid,
+					traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
+					policy_dir_t direction, host_t *local, host_t *remote);
+
+	/**
+	 * Hook called if changes in the networking layer occured (interfaces
+	 * up/down, routes added/deleted etc.).
+	 *
+	 * @param address		TRUE if address list, FALSE if routing changed
+	 * @return				TRUE to remain registered, FALSE to unregister
+	 */
+	bool (*roam)(kernel_listener_t *this, bool address);
+};
+
+#endif /** KERNEL_LISTENER_H_ @}*/
diff --git a/src/libhydra/kernel/kernel_net.h b/src/libhydra/kernel/kernel_net.h
new file mode 100644
index 000000000..69e01f43f
--- /dev/null
+++ b/src/libhydra/kernel/kernel_net.h
@@ -0,0 +1,145 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup kernel_net kernel_net
+ * @{ @ingroup hkernel
+ */
+
+#ifndef KERNEL_NET_H_
+#define KERNEL_NET_H_
+
+typedef struct kernel_net_t kernel_net_t;
+
+#include <utils/enumerator.h>
+#include <utils/host.h>
+
+/**
+ * Interface to the network subsystem of the kernel.
+ *
+ * The kernel network interface handles the communication with the kernel
+ * for interface and IP address management.
+ */
+struct kernel_net_t {
+
+	/**
+	 * Get our outgoing source address for a destination.
+	 *
+	 * Does a route lookup to get the source address used to reach dest.
+	 * The returned host is allocated and must be destroyed.
+	 * An optional src address can be used to check if a route is available
+	 * for given source to dest.
+	 *
+	 * @param dest			target destination address
+	 * @param src			source address to check, or NULL
+	 * @return				outgoing source address, NULL if unreachable
+	 */
+	host_t* (*get_source_addr)(kernel_net_t *this, host_t *dest, host_t *src);
+
+	/**
+	 * Get the next hop for a destination.
+	 *
+	 * Does a route lookup to get the next hop used to reach dest.
+	 * The returned host is allocated and must be destroyed.
+	 *
+	 * @param dest			target destination address
+	 * @return				next hop address, NULL if unreachable
+	 */
+	host_t* (*get_nexthop)(kernel_net_t *this, host_t *dest);
+
+	/**
+	 * Get the interface name of a local address.
+	 *
+	 * @param host			address to get interface name from
+	 * @return				allocated interface name, or NULL if not found
+	 */
+	char* (*get_interface) (kernel_net_t *this, host_t *host);
+
+	/**
+	 * Creates an enumerator over all local addresses.
+	 *
+	 * This function blocks an internal cached address list until the
+	 * enumerator gets destroyed.
+	 * The hosts are read-only, do not modify of free.
+	 *
+	 * @param include_down_ifaces	TRUE to enumerate addresses from down interfaces
+	 * @param include_virtual_ips	TRUE to enumerate virtual ip addresses
+	 * @return						enumerator over host_t's
+	 */
+	enumerator_t *(*create_address_enumerator) (kernel_net_t *this,
+						bool include_down_ifaces, bool include_virtual_ips);
+
+	/**
+	 * Add a virtual IP to an interface.
+	 *
+	 * Virtual IPs are attached to an interface. If an IP is added multiple
+	 * times, the IP is refcounted and not removed until del_ip() was called
+	 * as many times as add_ip().
+	 * The virtual IP is attached to the interface where the iface_ip is found.
+	 *
+	 * @param virtual_ip	virtual ip address to assign
+	 * @param iface_ip		IP of an interface to attach virtual IP
+	 * @return				SUCCESS if operation completed
+	 */
+	status_t (*add_ip) (kernel_net_t *this, host_t *virtual_ip,
+						host_t *iface_ip);
+
+	/**
+	 * Remove a virtual IP from an interface.
+	 *
+	 * The kernel interface uses refcounting, see add_ip().
+	 *
+	 * @param virtual_ip	virtual ip address to assign
+	 * @return				SUCCESS if operation completed
+	 */
+	status_t (*del_ip) (kernel_net_t *this, host_t *virtual_ip);
+
+	/**
+	 * Add a route.
+	 *
+	 * @param dst_net		destination net
+	 * @param prefixlen		destination net prefix length
+	 * @param gateway		gateway for this route
+	 * @param src_ip		sourc ip of the route
+	 * @param if_name		name of the interface the route is bound to
+	 * @return				SUCCESS if operation completed
+	 *						ALREADY_DONE if the route already exists
+	 */
+	status_t (*add_route) (kernel_net_t *this, chunk_t dst_net,
+						   u_int8_t prefixlen, host_t *gateway, host_t *src_ip,
+						   char *if_name);
+
+	/**
+	 * Delete a route.
+	 *
+	 * @param dst_net		destination net
+	 * @param prefixlen		destination net prefix length
+	 * @param gateway		gateway for this route
+	 * @param src_ip		sourc ip of the route
+	 * @param if_name		name of the interface the route is bound to
+	 * @return				SUCCESS if operation completed
+	 */
+	status_t (*del_route) (kernel_net_t *this, chunk_t dst_net,
+						   u_int8_t prefixlen, host_t *gateway, host_t *src_ip,
+						   char *if_name);
+
+	/**
+	 * Destroy the implementation.
+	 */
+	void (*destroy) (kernel_net_t *this);
+};
+
+#endif /** KERNEL_NET_H_ @}*/
diff --git a/src/libhydra/plugins/attr/Makefile.am b/src/libhydra/plugins/attr/Makefile.am
index 71401648e..fe0c39ebd 100644
--- a/src/libhydra/plugins/attr/Makefile.am
+++ b/src/libhydra/plugins/attr/Makefile.am
@@ -1,6 +1,5 @@
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra
 
 AM_CFLAGS = -rdynamic
 
diff --git a/src/libhydra/plugins/attr/Makefile.in b/src/libhydra/plugins/attr/Makefile.in
index 71402fc7f..72182e57f 100644
--- a/src/libhydra/plugins/attr/Makefile.in
+++ b/src/libhydra/plugins/attr/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -164,6 +165,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -195,14 +198,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -217,24 +223,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -242,7 +255,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
@@ -254,9 +270,7 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon
-
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra
 AM_CFLAGS = -rdynamic
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-attr.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-attr.la
diff --git a/src/libhydra/plugins/attr_sql/Makefile.am b/src/libhydra/plugins/attr_sql/Makefile.am
index a3dac863f..7491debcd 100644
--- a/src/libhydra/plugins/attr_sql/Makefile.am
+++ b/src/libhydra/plugins/attr_sql/Makefile.am
@@ -3,7 +3,7 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra
 
 AM_CFLAGS = \
 	-rdynamic \
-	-DPLUGINS=\""${libstrongswan_plugins}\""
+	-DPLUGINS=\""${pool_plugins}\""
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-attr-sql.la
diff --git a/src/libhydra/plugins/attr_sql/Makefile.in b/src/libhydra/plugins/attr_sql/Makefile.in
index edf51059b..dfb41cc02 100644
--- a/src/libhydra/plugins/attr_sql/Makefile.in
+++ b/src/libhydra/plugins/attr_sql/Makefile.in
@@ -46,6 +46,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -177,6 +178,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -208,14 +211,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -230,24 +236,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -255,7 +268,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
@@ -270,7 +286,7 @@ xml_LIBS = @xml_LIBS@
 INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra
 AM_CFLAGS = \
 	-rdynamic \
-	-DPLUGINS=\""${libstrongswan_plugins}\""
+	-DPLUGINS=\""${pool_plugins}\""
 
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-attr-sql.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-attr-sql.la
diff --git a/src/libhydra/plugins/kernel_klips/Makefile.am b/src/libhydra/plugins/kernel_klips/Makefile.am
new file mode 100644
index 000000000..df639b255
--- /dev/null
+++ b/src/libhydra/plugins/kernel_klips/Makefile.am
@@ -0,0 +1,16 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra
+
+AM_CFLAGS = -rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-kernel-klips.la
+else
+plugin_LTLIBRARIES = libstrongswan-kernel-klips.la
+endif
+
+libstrongswan_kernel_klips_la_SOURCES = \
+	kernel_klips_plugin.h kernel_klips_plugin.c \
+	kernel_klips_ipsec.h kernel_klips_ipsec.c pfkeyv2.h
+
+libstrongswan_kernel_klips_la_LDFLAGS = -module -avoid-version
diff --git a/src/libhydra/plugins/kernel_klips/Makefile.in b/src/libhydra/plugins/kernel_klips/Makefile.in
new file mode 100644
index 000000000..a451bd6f5
--- /dev/null
+++ b/src/libhydra/plugins/kernel_klips/Makefile.in
@@ -0,0 +1,604 @@
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libhydra/plugins/kernel_klips
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_kernel_klips_la_LIBADD =
+am_libstrongswan_kernel_klips_la_OBJECTS = kernel_klips_plugin.lo \
+	kernel_klips_ipsec.lo
+libstrongswan_kernel_klips_la_OBJECTS =  \
+	$(am_libstrongswan_kernel_klips_la_OBJECTS)
+libstrongswan_kernel_klips_la_LINK = $(LIBTOOL) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_kernel_klips_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_kernel_klips_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_kernel_klips_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_kernel_klips_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_kernel_klips_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra
+AM_CFLAGS = -rdynamic
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-kernel-klips.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-kernel-klips.la
+libstrongswan_kernel_klips_la_SOURCES = \
+	kernel_klips_plugin.h kernel_klips_plugin.c \
+	kernel_klips_ipsec.h kernel_klips_ipsec.c pfkeyv2.h
+
+libstrongswan_kernel_klips_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libhydra/plugins/kernel_klips/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libhydra/plugins/kernel_klips/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-kernel-klips.la: $(libstrongswan_kernel_klips_la_OBJECTS) $(libstrongswan_kernel_klips_la_DEPENDENCIES) 
+	$(libstrongswan_kernel_klips_la_LINK) $(am_libstrongswan_kernel_klips_la_rpath) $(libstrongswan_kernel_klips_la_OBJECTS) $(libstrongswan_kernel_klips_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_klips_ipsec.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_klips_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c b/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c
new file mode 100644
index 000000000..0ccb2ac5f
--- /dev/null
+++ b/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c
@@ -0,0 +1,2643 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/ioctl.h>
+#include <stdint.h>
+#include "pfkeyv2.h"
+#include <linux/udp.h>
+#include <net/if.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <string.h>
+#include <time.h>
+#include <errno.h>
+
+#include "kernel_klips_ipsec.h"
+
+#include <hydra.h>
+#include <debug.h>
+#include <utils/linked_list.h>
+#include <threading/thread.h>
+#include <threading/mutex.h>
+#include <processing/jobs/callback_job.h>
+
+/** default timeout for generated SPIs (in seconds) */
+#define SPI_TIMEOUT 30
+
+/** buffer size for PF_KEY messages */
+#define PFKEY_BUFFER_SIZE 2048
+
+/** PF_KEY messages are 64 bit aligned */
+#define PFKEY_ALIGNMENT 8
+/** aligns len to 64 bits */
+#define PFKEY_ALIGN(len) (((len) + PFKEY_ALIGNMENT - 1) & ~(PFKEY_ALIGNMENT - 1))
+/** calculates the properly padded length in 64 bit chunks */
+#define PFKEY_LEN(len) ((PFKEY_ALIGN(len) / PFKEY_ALIGNMENT))
+/** calculates user mode length i.e. in bytes */
+#define PFKEY_USER_LEN(len) ((len) * PFKEY_ALIGNMENT)
+
+/** given a PF_KEY message header and an extension this updates the length in the header */
+#define PFKEY_EXT_ADD(msg, ext) ((msg)->sadb_msg_len += ((struct sadb_ext*)ext)->sadb_ext_len)
+/** given a PF_KEY message header this returns a pointer to the next extension */
+#define PFKEY_EXT_ADD_NEXT(msg) ((struct sadb_ext*)(((char*)(msg)) + PFKEY_USER_LEN((msg)->sadb_msg_len)))
+/** copy an extension and append it to a PF_KEY message */
+#define PFKEY_EXT_COPY(msg, ext) (PFKEY_EXT_ADD(msg, memcpy(PFKEY_EXT_ADD_NEXT(msg), ext, PFKEY_USER_LEN(((struct sadb_ext*)ext)->sadb_ext_len))))
+/** given a PF_KEY extension this returns a pointer to the next extension */
+#define PFKEY_EXT_NEXT(ext) ((struct sadb_ext*)(((char*)(ext)) + PFKEY_USER_LEN(((struct sadb_ext*)ext)->sadb_ext_len)))
+/** given a PF_KEY extension this returns a pointer to the next extension also updates len (len in 64 bit words) */
+#define PFKEY_EXT_NEXT_LEN(ext,len) ((len) -= (ext)->sadb_ext_len, PFKEY_EXT_NEXT(ext))
+/** true if ext has a valid length and len is large enough to contain ext (assuming len in 64 bit words) */
+#define PFKEY_EXT_OK(ext,len) ((len) >= PFKEY_LEN(sizeof(struct sadb_ext)) && \
+				(ext)->sadb_ext_len >= PFKEY_LEN(sizeof(struct sadb_ext)) && \
+				(ext)->sadb_ext_len <= (len))
+
+/** special SPI values used for policies in KLIPS */
+#define SPI_PASS 256
+#define SPI_DROP 257
+#define SPI_REJECT 258
+#define SPI_HOLD 259
+#define SPI_TRAP 260
+#define SPI_TRAPSUBNET 261
+
+/** the prefix of the name of KLIPS ipsec devices */
+#define IPSEC_DEV_PREFIX "ipsec"
+/** this is the default number of ipsec devices */
+#define DEFAULT_IPSEC_DEV_COUNT 4
+/** TRUE if the given name matches an ipsec device */
+#define IS_IPSEC_DEV(name) (strneq((name), IPSEC_DEV_PREFIX, sizeof(IPSEC_DEV_PREFIX) - 1))
+
+/** the following stuff is from ipsec_tunnel.h */
+struct ipsectunnelconf
+{
+	__u32	cf_cmd;
+	union
+	{
+		char	cfu_name[12];
+	} cf_u;
+#define cf_name cf_u.cfu_name
+};
+
+#define IPSEC_SET_DEV (SIOCDEVPRIVATE)
+#define IPSEC_DEL_DEV (SIOCDEVPRIVATE + 1)
+#define IPSEC_CLR_DEV (SIOCDEVPRIVATE + 2)
+
+typedef struct private_kernel_klips_ipsec_t private_kernel_klips_ipsec_t;
+
+/**
+ * Private variables and functions of kernel_klips class.
+ */
+struct private_kernel_klips_ipsec_t
+{
+	/**
+	 * Public part of the kernel_klips_t object.
+	 */
+	kernel_klips_ipsec_t public;
+
+	/**
+	 * mutex to lock access to various lists
+	 */
+	mutex_t *mutex;
+
+	/**
+	 * List of installed policies (policy_entry_t)
+	 */
+	linked_list_t *policies;
+
+	/**
+	 * List of allocated SPIs without installed SA (sa_entry_t)
+	 */
+	linked_list_t *allocated_spis;
+
+	/**
+	 * List of installed SAs (sa_entry_t)
+	 */
+	linked_list_t *installed_sas;
+
+	/**
+	 * whether to install routes along policies
+	 */
+	bool install_routes;
+
+	/**
+	 * List of ipsec devices (ipsec_dev_t)
+	 */
+	linked_list_t *ipsec_devices;
+
+	/**
+	 * job receiving PF_KEY events
+	 */
+	callback_job_t *job;
+
+	/**
+	 * mutex to lock access to the PF_KEY socket
+	 */
+	mutex_t *mutex_pfkey;
+
+	/**
+	 * PF_KEY socket to communicate with the kernel
+	 */
+	int socket;
+
+	/**
+	 * PF_KEY socket to receive acquire and expire events
+	 */
+	int socket_events;
+
+	/**
+	 * sequence number for messages sent to the kernel
+	 */
+	int seq;
+
+};
+
+
+typedef struct ipsec_dev_t ipsec_dev_t;
+
+/**
+ * ipsec device
+ */
+struct ipsec_dev_t {
+	/** name of the virtual ipsec interface */
+	char name[IFNAMSIZ];
+
+	/** name of the physical interface */
+	char phys_name[IFNAMSIZ];
+
+	/** by how many CHILD_SA's this ipsec device is used */
+	u_int refcount;
+};
+
+/**
+ * compare the given name with the virtual device name
+ */
+static inline bool ipsec_dev_match_byname(ipsec_dev_t *current, char *name)
+{
+	return name && streq(current->name, name);
+}
+
+/**
+ * compare the given name with the physical device name
+ */
+static inline bool ipsec_dev_match_byphys(ipsec_dev_t *current, char *name)
+{
+	return name && streq(current->phys_name, name);
+}
+
+/**
+ * matches free ipsec devices
+ */
+static inline bool ipsec_dev_match_free(ipsec_dev_t *current)
+{
+	return current->refcount == 0;
+}
+
+/**
+ * tries to find an ipsec_dev_t object by name
+ */
+static status_t find_ipsec_dev(private_kernel_klips_ipsec_t *this, char *name,
+							   ipsec_dev_t **dev)
+{
+	linked_list_match_t match = (linked_list_match_t)(IS_IPSEC_DEV(name) ?
+								ipsec_dev_match_byname : ipsec_dev_match_byphys);
+	return this->ipsec_devices->find_first(this->ipsec_devices, match,
+												(void**)dev, name);
+}
+
+/**
+ * attach an ipsec device to a physical interface
+ */
+static status_t attach_ipsec_dev(char* name, char *phys_name)
+{
+	int sock;
+	struct ifreq req;
+	struct ipsectunnelconf *itc = (struct ipsectunnelconf*)&req.ifr_data;
+	short phys_flags;
+	int mtu;
+
+	DBG2(DBG_KNL, "attaching virtual interface %s to %s", name, phys_name);
+
+	if ((sock = socket(AF_INET, SOCK_DGRAM, 0)) <= 0)
+	{
+		return FAILED;
+	}
+
+	strncpy(req.ifr_name, phys_name, IFNAMSIZ);
+	if (ioctl(sock, SIOCGIFFLAGS, &req) < 0)
+	{
+		close(sock);
+		return FAILED;
+	}
+	phys_flags = req.ifr_flags;
+
+	strncpy(req.ifr_name, name, IFNAMSIZ);
+	if (ioctl(sock, SIOCGIFFLAGS, &req) < 0)
+	{
+		close(sock);
+		return FAILED;
+	}
+
+	if (req.ifr_flags & IFF_UP)
+	{
+		/* if it's already up, it is already attached, detach it first */
+		ioctl(sock, IPSEC_DEL_DEV, &req);
+	}
+
+	/* attach it */
+	strncpy(req.ifr_name, name, IFNAMSIZ);
+	strncpy(itc->cf_name, phys_name, sizeof(itc->cf_name));
+	ioctl(sock, IPSEC_SET_DEV, &req);
+
+	/* copy address from physical to virtual */
+	strncpy(req.ifr_name, phys_name, IFNAMSIZ);
+	if (ioctl(sock, SIOCGIFADDR, &req) == 0)
+	{
+		strncpy(req.ifr_name, name, IFNAMSIZ);
+		ioctl(sock, SIOCSIFADDR, &req);
+	}
+
+	/* copy net mask from physical to virtual */
+	strncpy(req.ifr_name, phys_name, IFNAMSIZ);
+	if (ioctl(sock, SIOCGIFNETMASK, &req) == 0)
+	{
+		strncpy(req.ifr_name, name, IFNAMSIZ);
+		ioctl(sock, SIOCSIFNETMASK, &req);
+	}
+
+	/* copy other flags and addresses */
+	strncpy(req.ifr_name, name, IFNAMSIZ);
+	if (ioctl(sock, SIOCGIFFLAGS, &req) == 0)
+	{
+		if (phys_flags & IFF_POINTOPOINT)
+		{
+			req.ifr_flags |= IFF_POINTOPOINT;
+			req.ifr_flags &= ~IFF_BROADCAST;
+			ioctl(sock, SIOCSIFFLAGS, &req);
+
+			strncpy(req.ifr_name, phys_name, IFNAMSIZ);
+			if (ioctl(sock, SIOCGIFDSTADDR, &req) == 0)
+			{
+				strncpy(req.ifr_name, name, IFNAMSIZ);
+				ioctl(sock, SIOCSIFDSTADDR, &req);
+			}
+		}
+		else if (phys_flags & IFF_BROADCAST)
+		{
+			req.ifr_flags &= ~IFF_POINTOPOINT;
+			req.ifr_flags |= IFF_BROADCAST;
+			ioctl(sock, SIOCSIFFLAGS, &req);
+
+			strncpy(req.ifr_name, phys_name, IFNAMSIZ);
+			if (ioctl(sock, SIOCGIFBRDADDR, &req)==0)
+			{
+				strncpy(req.ifr_name, name, IFNAMSIZ);
+				ioctl(sock, SIOCSIFBRDADDR, &req);
+			}
+		}
+		else
+		{
+			req.ifr_flags &= ~IFF_POINTOPOINT;
+			req.ifr_flags &= ~IFF_BROADCAST;
+			ioctl(sock, SIOCSIFFLAGS, &req);
+		}
+	}
+
+	mtu = lib->settings->get_int(lib->settings,
+						"%s.plugins.kernel-klips.ipsec_dev_mtu", 0,
+						hydra->daemon);
+	if (mtu <= 0)
+	{
+		/* guess MTU as physical MTU - ESP overhead [- NAT-T overhead]
+		 * ESP overhead      : 73 bytes
+		 * NAT-T overhead    :  8 bytes ==> 81 bytes
+		 *
+		 * assuming tunnel mode with AES encryption and integrity
+		 * outer IP header  : 20 bytes
+		 * (NAT-T UDP header:  8 bytes)
+		 * ESP header       :  8 bytes
+		 * IV               : 16 bytes
+		 * padding          : 15 bytes (worst-case)
+		 * pad len / NH     :  2 bytes
+		 * auth data        : 12 bytes
+		 */
+		strncpy(req.ifr_name, phys_name, IFNAMSIZ);
+		ioctl(sock, SIOCGIFMTU, &req);
+		mtu = req.ifr_mtu - 81;
+	}
+
+	/* set MTU */
+	strncpy(req.ifr_name, name, IFNAMSIZ);
+	req.ifr_mtu = mtu;
+	ioctl(sock, SIOCSIFMTU, &req);
+
+	/* bring ipsec device UP */
+	if (ioctl(sock, SIOCGIFFLAGS, &req) == 0)
+	{
+		req.ifr_flags |= IFF_UP;
+		ioctl(sock, SIOCSIFFLAGS, &req);
+	}
+
+	close(sock);
+	return SUCCESS;
+}
+
+/**
+ * detach an ipsec device from a physical interface
+ */
+static status_t detach_ipsec_dev(char* name, char *phys_name)
+{
+	int sock;
+	struct ifreq req;
+
+	DBG2(DBG_KNL, "detaching virtual interface %s from %s", name,
+			strlen(phys_name) ? phys_name : "any physical interface");
+
+	if ((sock = socket(AF_INET, SOCK_DGRAM, 0)) <= 0)
+	{
+		return FAILED;
+	}
+
+	strncpy(req.ifr_name, name, IFNAMSIZ);
+	if (ioctl(sock, SIOCGIFFLAGS, &req) < 0)
+	{
+		close(sock);
+		return FAILED;
+	}
+
+	/* shutting interface down */
+	if (req.ifr_flags & IFF_UP)
+	{
+		req.ifr_flags &= ~IFF_UP;
+		ioctl(sock, SIOCSIFFLAGS, &req);
+	}
+
+	/* unset address */
+	memset(&req.ifr_addr, 0, sizeof(req.ifr_addr));
+	req.ifr_addr.sa_family = AF_INET;
+	ioctl(sock, SIOCSIFADDR, &req);
+
+	/* detach interface */
+	ioctl(sock, IPSEC_DEL_DEV, &req);
+
+	close(sock);
+	return SUCCESS;
+}
+
+/**
+ * destroy an ipsec_dev_t object
+ */
+static void ipsec_dev_destroy(ipsec_dev_t *this)
+{
+	detach_ipsec_dev(this->name, this->phys_name);
+	free(this);
+}
+
+
+typedef struct route_entry_t route_entry_t;
+
+/**
+ * installed routing entry
+ */
+struct route_entry_t {
+	/** Name of the interface the route is bound to */
+	char *if_name;
+
+	/** Source ip of the route */
+	host_t *src_ip;
+
+	/** Gateway for this route */
+	host_t *gateway;
+
+	/** Destination net */
+	chunk_t dst_net;
+
+	/** Destination net prefixlen */
+	u_int8_t prefixlen;
+};
+
+/**
+ * destroy an route_entry_t object
+ */
+static void route_entry_destroy(route_entry_t *this)
+{
+	free(this->if_name);
+	this->src_ip->destroy(this->src_ip);
+	this->gateway->destroy(this->gateway);
+	chunk_free(&this->dst_net);
+	free(this);
+}
+
+typedef struct policy_entry_t policy_entry_t;
+
+/**
+ * installed kernel policy.
+ */
+struct policy_entry_t {
+
+	/** reqid of this policy, if setup as trap */
+	u_int32_t reqid;
+
+	/** direction of this policy: in, out, forward */
+	u_int8_t direction;
+
+	/** parameters of installed policy */
+	struct {
+		/** subnet and port */
+		host_t *net;
+		/** subnet mask */
+		u_int8_t mask;
+		/** protocol */
+		u_int8_t proto;
+	} src, dst;
+
+	/** associated route installed for this policy */
+	route_entry_t *route;
+
+	/** by how many CHILD_SA's this policy is actively used */
+	u_int activecount;
+
+	/** by how many CHILD_SA's this policy is trapped */
+	u_int trapcount;
+};
+
+/**
+ * convert a numerical netmask to a host_t
+ */
+static host_t *mask2host(int family, u_int8_t mask)
+{
+	static const u_char bitmask[] = { 0x00, 0x80, 0xc0, 0xe0, 0xf0, 0xf8, 0xfc, 0xfe };
+	chunk_t chunk = chunk_alloca(family == AF_INET ? 4 : 16);
+	int bytes = mask / 8, bits = mask % 8;
+	memset(chunk.ptr, 0xFF, bytes);
+	memset(chunk.ptr + bytes, 0, chunk.len - bytes);
+	if (bits)
+	{
+		chunk.ptr[bytes] =  bitmask[bits];
+	}
+	return host_create_from_chunk(family, chunk, 0);
+}
+
+/**
+ * check if a host is in a subnet (host with netmask in bits)
+ */
+static bool is_host_in_net(host_t *host, host_t *net, u_int8_t mask)
+{
+	static const u_char bitmask[] = { 0x00, 0x80, 0xc0, 0xe0, 0xf0, 0xf8, 0xfc, 0xfe };
+	chunk_t host_chunk, net_chunk;
+	int bytes = mask / 8, bits = mask % 8;
+
+	host_chunk = host->get_address(host);
+	net_chunk = net->get_address(net);
+
+	if (host_chunk.len != net_chunk.len)
+	{
+		return FALSE;
+	}
+
+	if (memeq(host_chunk.ptr, net_chunk.ptr, bytes))
+	{
+		return (bits == 0) ||
+			   (host_chunk.ptr[bytes] & bitmask[bits]) ==
+				   (net_chunk.ptr[bytes] & bitmask[bits]);
+	}
+
+	return FALSE;
+}
+
+/**
+ * create a policy_entry_t object
+ */
+static policy_entry_t *create_policy_entry(traffic_selector_t *src_ts,
+		traffic_selector_t *dst_ts, policy_dir_t dir)
+{
+	policy_entry_t *policy = malloc_thing(policy_entry_t);
+	policy->reqid = 0;
+	policy->direction = dir;
+	policy->route = NULL;
+	policy->activecount = 0;
+	policy->trapcount = 0;
+
+	src_ts->to_subnet(src_ts, &policy->src.net, &policy->src.mask);
+	dst_ts->to_subnet(dst_ts, &policy->dst.net, &policy->dst.mask);
+
+	/* src or dest proto may be "any" (0), use more restrictive one */
+	policy->src.proto = max(src_ts->get_protocol(src_ts), dst_ts->get_protocol(dst_ts));
+	policy->src.proto = policy->src.proto ? policy->src.proto : 0;
+	policy->dst.proto = policy->src.proto;
+
+	return policy;
+}
+
+/**
+ * destroy a policy_entry_t object
+ */
+static void policy_entry_destroy(policy_entry_t *this)
+{
+	DESTROY_IF(this->src.net);
+	DESTROY_IF(this->dst.net);
+	if (this->route)
+	{
+		route_entry_destroy(this->route);
+	}
+	free(this);
+}
+
+/**
+ * compares two policy_entry_t
+ */
+static inline bool policy_entry_equals(policy_entry_t *current, policy_entry_t *policy)
+{
+	return current->direction == policy->direction &&
+		   current->src.proto == policy->src.proto &&
+		   current->dst.proto == policy->dst.proto &&
+		   current->src.mask == policy->src.mask &&
+		   current->dst.mask == policy->dst.mask &&
+		   current->src.net->equals(current->src.net, policy->src.net) &&
+		   current->dst.net->equals(current->dst.net, policy->dst.net);
+}
+
+static inline bool policy_entry_match_byaddrs(policy_entry_t *current, host_t *src,
+		host_t *dst)
+{
+	return is_host_in_net(src, current->src.net, current->src.mask) &&
+			is_host_in_net(dst, current->dst.net, current->dst.mask);
+}
+
+typedef struct sa_entry_t sa_entry_t;
+
+/**
+ * used for two things:
+ * - allocated SPIs that have not yet resulted in an installed SA
+ * - installed inbound SAs with enabled UDP encapsulation
+ */
+struct sa_entry_t {
+
+	/** protocol of this SA */
+	u_int8_t protocol;
+
+	/** reqid of this SA */
+	u_int32_t reqid;
+
+	/** SPI of this SA */
+	u_int32_t spi;
+
+	/** src address of this SA */
+	host_t *src;
+
+	/** dst address of this SA */
+	host_t *dst;
+
+	/** TRUE if this SA uses UDP encapsulation */
+	bool encap;
+
+	/** TRUE if this SA is inbound */
+	bool inbound;
+};
+
+/**
+ * create an sa_entry_t object
+ */
+static sa_entry_t *create_sa_entry(u_int8_t protocol, u_int32_t spi,
+								   u_int32_t reqid, host_t *src, host_t *dst,
+								   bool encap, bool inbound)
+{
+	sa_entry_t *sa = malloc_thing(sa_entry_t);
+	sa->protocol = protocol;
+	sa->reqid = reqid;
+	sa->spi = spi;
+	sa->src = src ? src->clone(src) : NULL;
+	sa->dst = dst ? dst->clone(dst) : NULL;
+	sa->encap = encap;
+	sa->inbound = inbound;
+	return sa;
+}
+
+/**
+ * destroy an sa_entry_t object
+ */
+static void sa_entry_destroy(sa_entry_t *this)
+{
+	DESTROY_IF(this->src);
+	DESTROY_IF(this->dst);
+	free(this);
+}
+
+/**
+ * match an sa_entry_t for an inbound SA that uses UDP encapsulation by spi and src (remote) address
+ */
+static inline bool sa_entry_match_encapbysrc(sa_entry_t *current, u_int32_t *spi,
+		host_t *src)
+{
+	return current->encap && current->inbound &&
+		   current->spi == *spi && src->ip_equals(src, current->src);
+}
+
+/**
+ * match an sa_entry_t by protocol, spi and dst address (as the kernel does it)
+ */
+static inline bool sa_entry_match_bydst(sa_entry_t *current, u_int8_t *protocol,
+		u_int32_t *spi, host_t *dst)
+{
+	return current->protocol == *protocol && current->spi == *spi && dst->ip_equals(dst, current->dst);
+}
+
+/**
+ * match an sa_entry_t by protocol, reqid and spi
+ */
+static inline bool sa_entry_match_byid(sa_entry_t *current, u_int8_t *protocol,
+		u_int32_t *spi, u_int32_t *reqid)
+{
+	return current->protocol == *protocol && current->spi == *spi && current->reqid == *reqid;
+}
+
+typedef struct pfkey_msg_t pfkey_msg_t;
+
+struct pfkey_msg_t
+{
+	/**
+	 * PF_KEY message base
+	 */
+	struct sadb_msg *msg;
+
+
+	/**
+	 * PF_KEY message extensions
+	 */
+	union {
+		struct sadb_ext *ext[SADB_EXT_MAX + 1];
+		struct {
+			struct sadb_ext *reserved;				/* SADB_EXT_RESERVED */
+			struct sadb_sa *sa;						/* SADB_EXT_SA */
+			struct sadb_lifetime *lft_current;		/* SADB_EXT_LIFETIME_CURRENT */
+			struct sadb_lifetime *lft_hard;			/* SADB_EXT_LIFETIME_HARD */
+			struct sadb_lifetime *lft_soft;			/* SADB_EXT_LIFETIME_SOFT */
+			struct sadb_address *src;				/* SADB_EXT_ADDRESS_SRC */
+			struct sadb_address *dst;				/* SADB_EXT_ADDRESS_DST */
+			struct sadb_address *proxy;				/* SADB_EXT_ADDRESS_PROXY */
+			struct sadb_key *key_auth;				/* SADB_EXT_KEY_AUTH */
+			struct sadb_key *key_encr;				/* SADB_EXT_KEY_ENCRYPT */
+			struct sadb_ident *id_src;				/* SADB_EXT_IDENTITY_SRC */
+			struct sadb_ident *id_dst;				/* SADB_EXT_IDENTITY_DST */
+			struct sadb_sens *sensitivity;			/* SADB_EXT_SENSITIVITY */
+			struct sadb_prop *proposal;				/* SADB_EXT_PROPOSAL */
+			struct sadb_supported *supported_auth;	/* SADB_EXT_SUPPORTED_AUTH */
+			struct sadb_supported *supported_encr;	/* SADB_EXT_SUPPORTED_ENCRYPT */
+			struct sadb_spirange *spirange;			/* SADB_EXT_SPIRANGE */
+			struct sadb_x_kmprivate *x_kmprivate;	/* SADB_X_EXT_KMPRIVATE */
+			struct sadb_ext *x_policy;				/* SADB_X_EXT_SATYPE2 */
+			struct sadb_ext *x_sa2;					/* SADB_X_EXT_SA2 */
+			struct sadb_address *x_dst2;			/* SADB_X_EXT_ADDRESS_DST2 */
+			struct sadb_address *x_src_flow;		/* SADB_X_EXT_ADDRESS_SRC_FLOW */
+			struct sadb_address *x_dst_flow;		/* SADB_X_EXT_ADDRESS_DST_FLOW */
+			struct sadb_address *x_src_mask;		/* SADB_X_EXT_ADDRESS_SRC_MASK */
+			struct sadb_address *x_dst_mask;		/* SADB_X_EXT_ADDRESS_DST_MASK */
+			struct sadb_x_debug *x_debug;			/* SADB_X_EXT_DEBUG */
+			struct sadb_protocol *x_protocol;		/* SADB_X_EXT_PROTOCOL */
+			struct sadb_x_nat_t_type *x_natt_type;	/* SADB_X_EXT_NAT_T_TYPE */
+			struct sadb_x_nat_t_port *x_natt_sport;	/* SADB_X_EXT_NAT_T_SPORT */
+			struct sadb_x_nat_t_port *x_natt_dport;	/* SADB_X_EXT_NAT_T_DPORT */
+			struct sadb_address *x_natt_oa;			/* SADB_X_EXT_NAT_T_OA */
+		} __attribute__((__packed__));
+	};
+};
+
+/**
+ * convert a protocol identifier to the PF_KEY sa type
+ */
+static u_int8_t proto2satype(u_int8_t proto)
+{
+	switch (proto)
+	{
+		case IPPROTO_ESP:
+			return SADB_SATYPE_ESP;
+		case IPPROTO_AH:
+			return SADB_SATYPE_AH;
+		case IPPROTO_COMP:
+			return SADB_X_SATYPE_COMP;
+		default:
+			return proto;
+	}
+}
+
+/**
+ * convert a PF_KEY sa type to a protocol identifier
+ */
+static u_int8_t satype2proto(u_int8_t satype)
+{
+	switch (satype)
+	{
+		case SADB_SATYPE_ESP:
+			return IPPROTO_ESP;
+		case SADB_SATYPE_AH:
+			return IPPROTO_AH;
+		case SADB_X_SATYPE_COMP:
+			return IPPROTO_COMP;
+		default:
+			return satype;
+	}
+}
+
+typedef struct kernel_algorithm_t kernel_algorithm_t;
+
+/**
+ * Mapping of IKEv2 algorithms to PF_KEY algorithms
+ */
+struct kernel_algorithm_t {
+	/**
+	 * Identifier specified in IKEv2
+	 */
+	int ikev2;
+
+	/**
+	 * Identifier as defined in pfkeyv2.h
+	 */
+	int kernel;
+};
+
+#define END_OF_LIST -1
+
+/**
+ * Algorithms for encryption
+ */
+static kernel_algorithm_t encryption_algs[] = {
+/*	{ENCR_DES_IV64,				0							}, */
+	{ENCR_DES,					SADB_EALG_DESCBC			},
+	{ENCR_3DES,					SADB_EALG_3DESCBC			},
+/*	{ENCR_RC5,					0							}, */
+/*	{ENCR_IDEA,					0							}, */
+/*	{ENCR_CAST,					0							}, */
+	{ENCR_BLOWFISH,				SADB_EALG_BFCBC				},
+/*	{ENCR_3IDEA,				0							}, */
+/*	{ENCR_DES_IV32,				0							}, */
+	{ENCR_NULL,					SADB_EALG_NULL				},
+	{ENCR_AES_CBC,				SADB_EALG_AESCBC			},
+/*	{ENCR_AES_CTR,				0							}, */
+/*	{ENCR_AES_CCM_ICV8,			0							}, */
+/*	{ENCR_AES_CCM_ICV12,		0							}, */
+/*	{ENCR_AES_CCM_ICV16,		0							}, */
+/*	{ENCR_AES_GCM_ICV8,			0							}, */
+/*	{ENCR_AES_GCM_ICV12,		0							}, */
+/*	{ENCR_AES_GCM_ICV16,		0							}, */
+	{END_OF_LIST,				0							},
+};
+
+/**
+ * Algorithms for integrity protection
+ */
+static kernel_algorithm_t integrity_algs[] = {
+	{AUTH_HMAC_MD5_96,			SADB_AALG_MD5HMAC			},
+	{AUTH_HMAC_SHA1_96,			SADB_AALG_SHA1HMAC			},
+	{AUTH_HMAC_SHA2_256_128,	SADB_AALG_SHA256_HMAC		},
+	{AUTH_HMAC_SHA2_384_192,	SADB_AALG_SHA384_HMAC		},
+	{AUTH_HMAC_SHA2_512_256,	SADB_AALG_SHA512_HMAC		},
+/*	{AUTH_DES_MAC,				0,							}, */
+/*	{AUTH_KPDK_MD5,				0,							}, */
+/*	{AUTH_AES_XCBC_96,			0,							}, */
+	{END_OF_LIST,				0,							},
+};
+
+#if 0
+/**
+ * Algorithms for IPComp, unused yet
+ */
+static kernel_algorithm_t compression_algs[] = {
+/*	{IPCOMP_OUI,				0							}, */
+	{IPCOMP_DEFLATE,			SADB_X_CALG_DEFLATE			},
+	{IPCOMP_LZS,				SADB_X_CALG_LZS				},
+/*	{IPCOMP_LZJH,				0							}, */
+	{END_OF_LIST,				0							},
+};
+#endif
+
+/**
+ * Look up a kernel algorithm ID and its key size
+ */
+static int lookup_algorithm(kernel_algorithm_t *list, int ikev2)
+{
+	while (list->ikev2 != END_OF_LIST)
+	{
+		if (ikev2 == list->ikev2)
+		{
+			return list->kernel;
+		}
+		list++;
+	}
+	return 0;
+}
+
+/**
+ * add a host behind a sadb_address extension
+ */
+static void host2ext(host_t *host, struct sadb_address *ext)
+{
+	sockaddr_t *host_addr = host->get_sockaddr(host);
+	socklen_t *len = host->get_sockaddr_len(host);
+	memcpy((char*)(ext + 1), host_addr, *len);
+	ext->sadb_address_len = PFKEY_LEN(sizeof(*ext) + *len);
+}
+
+/**
+ * add a host to the given sadb_msg
+ */
+static void add_addr_ext(struct sadb_msg *msg, host_t *host, u_int16_t type)
+{
+	struct sadb_address *addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
+	addr->sadb_address_exttype = type;
+	host2ext(host, addr);
+	PFKEY_EXT_ADD(msg, addr);
+}
+
+/**
+ * adds an empty address extension to the given sadb_msg
+ */
+static void add_anyaddr_ext(struct sadb_msg *msg, int family, u_int8_t type)
+{
+	socklen_t len = (family == AF_INET) ? sizeof(struct sockaddr_in) :
+										  sizeof(struct sockaddr_in6);
+	struct sadb_address *addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
+	addr->sadb_address_exttype = type;
+	sockaddr_t *saddr = (sockaddr_t*)(addr + 1);
+	saddr->sa_family = family;
+	addr->sadb_address_len = PFKEY_LEN(sizeof(*addr) + len);
+	PFKEY_EXT_ADD(msg, addr);
+}
+
+/**
+ * add udp encap extensions to a sadb_msg
+ */
+static void add_encap_ext(struct sadb_msg *msg, host_t *src, host_t *dst,
+							bool ports_only)
+{
+	struct sadb_x_nat_t_type* nat_type;
+	struct sadb_x_nat_t_port* nat_port;
+
+	if (!ports_only)
+	{
+		nat_type = (struct sadb_x_nat_t_type*)PFKEY_EXT_ADD_NEXT(msg);
+		nat_type->sadb_x_nat_t_type_exttype = SADB_X_EXT_NAT_T_TYPE;
+		nat_type->sadb_x_nat_t_type_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_type));
+		nat_type->sadb_x_nat_t_type_type = UDP_ENCAP_ESPINUDP;
+		PFKEY_EXT_ADD(msg, nat_type);
+	}
+
+	nat_port = (struct sadb_x_nat_t_port*)PFKEY_EXT_ADD_NEXT(msg);
+	nat_port->sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_SPORT;
+	nat_port->sadb_x_nat_t_port_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_port));
+	nat_port->sadb_x_nat_t_port_port = src->get_port(src);
+	PFKEY_EXT_ADD(msg, nat_port);
+
+	nat_port = (struct sadb_x_nat_t_port*)PFKEY_EXT_ADD_NEXT(msg);
+	nat_port->sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_DPORT;
+	nat_port->sadb_x_nat_t_port_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_port));
+	nat_port->sadb_x_nat_t_port_port = dst->get_port(dst);
+	PFKEY_EXT_ADD(msg, nat_port);
+}
+
+/**
+ * build an SADB_X_ADDFLOW msg
+ */
+static void build_addflow(struct sadb_msg *msg, u_int8_t satype, u_int32_t spi,
+		host_t *src, host_t *dst, host_t *src_net, u_int8_t src_mask,
+		host_t *dst_net, u_int8_t dst_mask, u_int8_t protocol, bool replace)
+{
+	struct sadb_sa *sa;
+	struct sadb_protocol *proto;
+	host_t *host;
+
+	msg->sadb_msg_version = PF_KEY_V2;
+	msg->sadb_msg_type = SADB_X_ADDFLOW;
+	msg->sadb_msg_satype = satype;
+	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
+
+	sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
+	sa->sadb_sa_exttype = SADB_EXT_SA;
+	sa->sadb_sa_spi = spi;
+	sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
+	sa->sadb_sa_flags = replace ? SADB_X_SAFLAGS_REPLACEFLOW : 0;
+	PFKEY_EXT_ADD(msg, sa);
+
+	if (!src)
+	{
+		add_anyaddr_ext(msg, src_net->get_family(src_net), SADB_EXT_ADDRESS_SRC);
+	}
+	else
+	{
+		add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC);
+	}
+
+	if (!dst)
+	{
+		add_anyaddr_ext(msg, dst_net->get_family(dst_net), SADB_EXT_ADDRESS_DST);
+	}
+	else
+	{
+		add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST);
+	}
+
+	add_addr_ext(msg, src_net, SADB_X_EXT_ADDRESS_SRC_FLOW);
+	add_addr_ext(msg, dst_net, SADB_X_EXT_ADDRESS_DST_FLOW);
+
+	host = mask2host(src_net->get_family(src_net), src_mask);
+	add_addr_ext(msg, host, SADB_X_EXT_ADDRESS_SRC_MASK);
+	host->destroy(host);
+
+	host = mask2host(dst_net->get_family(dst_net), dst_mask);
+	add_addr_ext(msg, host, SADB_X_EXT_ADDRESS_DST_MASK);
+	host->destroy(host);
+
+	proto = (struct sadb_protocol*)PFKEY_EXT_ADD_NEXT(msg);
+	proto->sadb_protocol_exttype = SADB_X_EXT_PROTOCOL;
+	proto->sadb_protocol_len = PFKEY_LEN(sizeof(struct sadb_protocol));
+	proto->sadb_protocol_proto = protocol;
+	PFKEY_EXT_ADD(msg, proto);
+}
+
+/**
+ * build an SADB_X_DELFLOW msg
+ */
+static void build_delflow(struct sadb_msg *msg, u_int8_t satype,
+		host_t *src_net, u_int8_t src_mask, host_t *dst_net, u_int8_t dst_mask,
+		u_int8_t protocol)
+{
+	struct sadb_protocol *proto;
+	host_t *host;
+
+	msg->sadb_msg_version = PF_KEY_V2;
+	msg->sadb_msg_type = SADB_X_DELFLOW;
+	msg->sadb_msg_satype = satype;
+	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
+
+	add_addr_ext(msg, src_net, SADB_X_EXT_ADDRESS_SRC_FLOW);
+	add_addr_ext(msg, dst_net, SADB_X_EXT_ADDRESS_DST_FLOW);
+
+	host = mask2host(src_net->get_family(src_net),
+					 src_mask);
+	add_addr_ext(msg, host, SADB_X_EXT_ADDRESS_SRC_MASK);
+	host->destroy(host);
+
+	host = mask2host(dst_net->get_family(dst_net),
+					 dst_mask);
+	add_addr_ext(msg, host, SADB_X_EXT_ADDRESS_DST_MASK);
+	host->destroy(host);
+
+	proto = (struct sadb_protocol*)PFKEY_EXT_ADD_NEXT(msg);
+	proto->sadb_protocol_exttype = SADB_X_EXT_PROTOCOL;
+	proto->sadb_protocol_len = PFKEY_LEN(sizeof(struct sadb_protocol));
+	proto->sadb_protocol_proto = protocol;
+	PFKEY_EXT_ADD(msg, proto);
+}
+
+/**
+ * Parses a pfkey message received from the kernel
+ */
+static status_t parse_pfkey_message(struct sadb_msg *msg, pfkey_msg_t *out)
+{
+	struct sadb_ext* ext;
+	size_t len;
+
+	memset(out, 0, sizeof(pfkey_msg_t));
+	out->msg = msg;
+
+	len = msg->sadb_msg_len;
+	len -= PFKEY_LEN(sizeof(struct sadb_msg));
+
+	ext = (struct sadb_ext*)(((char*)msg) + sizeof(struct sadb_msg));
+
+	while (len >= PFKEY_LEN(sizeof(struct sadb_ext)))
+	{
+		if (ext->sadb_ext_len < PFKEY_LEN(sizeof(struct sadb_ext)) ||
+			ext->sadb_ext_len > len)
+		{
+			DBG1(DBG_KNL, "length of PF_KEY extension (%d) is invalid", ext->sadb_ext_type);
+			break;
+		}
+
+		if ((ext->sadb_ext_type > SADB_EXT_MAX) || (!ext->sadb_ext_type))
+		{
+			DBG1(DBG_KNL, "type of PF_KEY extension (%d) is invalid", ext->sadb_ext_type);
+			break;
+		}
+
+		if (out->ext[ext->sadb_ext_type])
+		{
+			DBG1(DBG_KNL, "duplicate PF_KEY extension of type (%d)", ext->sadb_ext_type);
+			break;
+		}
+
+		out->ext[ext->sadb_ext_type] = ext;
+		ext = PFKEY_EXT_NEXT_LEN(ext, len);
+	}
+
+	if (len)
+	{
+		DBG1(DBG_KNL, "PF_KEY message length is invalid");
+		return FAILED;
+	}
+
+	return SUCCESS;
+}
+
+/**
+ * Send a message to a specific PF_KEY socket and handle the response.
+ */
+static status_t pfkey_send_socket(private_kernel_klips_ipsec_t *this, int socket,
+					struct sadb_msg *in, struct sadb_msg **out, size_t *out_len)
+{
+	unsigned char buf[PFKEY_BUFFER_SIZE];
+	struct sadb_msg *msg;
+	int in_len, len;
+
+	this->mutex_pfkey->lock(this->mutex_pfkey);
+
+	in->sadb_msg_seq = ++this->seq;
+	in->sadb_msg_pid = getpid();
+
+	in_len = PFKEY_USER_LEN(in->sadb_msg_len);
+
+	while (TRUE)
+	{
+		len = send(socket, in, in_len, 0);
+
+		if (len != in_len)
+		{
+			switch (errno)
+			{
+				case EINTR:
+					/* interrupted, try again */
+					continue;
+				case EINVAL:
+				case EEXIST:
+				case ESRCH:
+					/* we should also get a response for these from KLIPS */
+					break;
+				default:
+					this->mutex_pfkey->unlock(this->mutex_pfkey);
+					DBG1(DBG_KNL, "error sending to PF_KEY socket: %s (%d)",
+							strerror(errno), errno);
+					return FAILED;
+			}
+		}
+		break;
+	}
+
+	while (TRUE)
+	{
+		msg = (struct sadb_msg*)buf;
+
+		len = recv(socket, buf, sizeof(buf), 0);
+
+		if (len < 0)
+		{
+			if (errno == EINTR)
+			{
+				DBG1(DBG_KNL, "got interrupted");
+				/* interrupted, try again */
+				continue;
+			}
+			this->mutex_pfkey->unlock(this->mutex_pfkey);
+			DBG1(DBG_KNL, "error reading from PF_KEY socket: %s", strerror(errno));
+			return FAILED;
+		}
+		if (len < sizeof(struct sadb_msg) ||
+			msg->sadb_msg_len < PFKEY_LEN(sizeof(struct sadb_msg)))
+		{
+			this->mutex_pfkey->unlock(this->mutex_pfkey);
+			DBG1(DBG_KNL, "received corrupted PF_KEY message");
+			return FAILED;
+		}
+		if (msg->sadb_msg_len > len / PFKEY_ALIGNMENT)
+		{
+			this->mutex_pfkey->unlock(this->mutex_pfkey);
+			DBG1(DBG_KNL, "buffer was too small to receive the complete PF_KEY message");
+			return FAILED;
+		}
+		if (msg->sadb_msg_pid != in->sadb_msg_pid)
+		{
+			DBG2(DBG_KNL, "received PF_KEY message is not intended for us");
+			continue;
+		}
+		if (msg->sadb_msg_seq != this->seq)
+		{
+			DBG1(DBG_KNL, "received PF_KEY message with invalid sequence number,"
+					" was %d expected %d", msg->sadb_msg_seq, this->seq);
+			if (msg->sadb_msg_seq < this->seq)
+			{
+				continue;
+			}
+			this->mutex_pfkey->unlock(this->mutex_pfkey);
+			return FAILED;
+		}
+		if (msg->sadb_msg_type != in->sadb_msg_type)
+		{
+			DBG2(DBG_KNL, "received PF_KEY message of wrong type,"
+					" was %d expected %d, ignoring",
+					msg->sadb_msg_type, in->sadb_msg_type);
+		}
+		break;
+	}
+
+	*out_len = len;
+	*out = (struct sadb_msg*)malloc(len);
+	memcpy(*out, buf, len);
+
+	this->mutex_pfkey->unlock(this->mutex_pfkey);
+
+	return SUCCESS;
+}
+
+/**
+ * Send a message to the default PF_KEY socket.
+ */
+static status_t pfkey_send(private_kernel_klips_ipsec_t *this,
+					struct sadb_msg *in, struct sadb_msg **out, size_t *out_len)
+{
+	return pfkey_send_socket(this, this->socket, in, out, out_len);
+}
+
+/**
+ * Send a message to the default PF_KEY socket and handle the response.
+ */
+static status_t pfkey_send_ack(private_kernel_klips_ipsec_t *this, struct sadb_msg *in)
+{
+	struct sadb_msg *out;
+	size_t len;
+
+	if (pfkey_send(this, in, &out, &len) != SUCCESS)
+	{
+		return FAILED;
+	}
+	else if (out->sadb_msg_errno)
+	{
+		DBG1(DBG_KNL, "PF_KEY error: %s (%d)",
+					   strerror(out->sadb_msg_errno), out->sadb_msg_errno);
+		free(out);
+		return FAILED;
+	}
+	free(out);
+	return SUCCESS;
+}
+
+/**
+ * Add an eroute to KLIPS
+ */
+static status_t add_eroute(private_kernel_klips_ipsec_t *this, u_int8_t satype,
+		u_int32_t spi, host_t *src, host_t *dst, host_t *src_net, u_int8_t src_mask,
+		host_t *dst_net, u_int8_t dst_mask, u_int8_t protocol, bool replace)
+{
+	unsigned char request[PFKEY_BUFFER_SIZE];
+	struct sadb_msg *msg = (struct sadb_msg*)request;
+
+	memset(&request, 0, sizeof(request));
+
+	build_addflow(msg, satype, spi, src, dst, src_net, src_mask,
+			dst_net, dst_mask, protocol, replace);
+
+	return pfkey_send_ack(this, msg);
+}
+
+/**
+ * Delete an eroute fom KLIPS
+ */
+static status_t del_eroute(private_kernel_klips_ipsec_t *this, u_int8_t satype,
+		host_t *src_net, u_int8_t src_mask, host_t *dst_net, u_int8_t dst_mask,
+		u_int8_t protocol)
+{
+	unsigned char request[PFKEY_BUFFER_SIZE];
+	struct sadb_msg *msg = (struct sadb_msg*)request;
+
+	memset(&request, 0, sizeof(request));
+
+	build_delflow(msg, satype, src_net, src_mask, dst_net, dst_mask, protocol);
+
+	return pfkey_send_ack(this, msg);
+}
+
+/**
+ * Process a SADB_ACQUIRE message from the kernel
+ */
+static void process_acquire(private_kernel_klips_ipsec_t *this, struct sadb_msg* msg)
+{
+	pfkey_msg_t response;
+	host_t *src, *dst;
+	u_int32_t reqid;
+	u_int8_t proto;
+	policy_entry_t *policy;
+
+	switch (msg->sadb_msg_satype)
+	{
+		case SADB_SATYPE_UNSPEC:
+		case SADB_SATYPE_ESP:
+		case SADB_SATYPE_AH:
+			break;
+		default:
+			/* acquire for AH/ESP only */
+			return;
+	}
+
+	if (parse_pfkey_message(msg, &response) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "parsing SADB_ACQUIRE from kernel failed");
+		return;
+	}
+
+	/* KLIPS provides us only with the source and destination address,
+	 * and the transport protocol of the packet that triggered the policy.
+	 * we use this information to find a matching policy in our cache.
+	 * because KLIPS installs a narrow %hold eroute covering only this information,
+	 * we replace both the %trap and this %hold eroutes with a broader %hold
+	 * eroute covering the whole policy */
+	src = host_create_from_sockaddr((sockaddr_t*)(response.src + 1));
+	dst = host_create_from_sockaddr((sockaddr_t*)(response.dst + 1));
+	proto = response.src->sadb_address_proto;
+	if (!src || !dst || src->get_family(src) != dst->get_family(dst))
+	{
+		DBG1(DBG_KNL, "received an SADB_ACQUIRE with invalid hosts");
+		return;
+	}
+
+	DBG2(DBG_KNL, "received an SADB_ACQUIRE for %H == %H : %d", src, dst, proto);
+	this->mutex->lock(this->mutex);
+	if (this->policies->find_first(this->policies,
+			(linked_list_match_t)policy_entry_match_byaddrs,
+				(void**)&policy, src, dst) != SUCCESS)
+	{
+		this->mutex->unlock(this->mutex);
+		DBG1(DBG_KNL, "received an SADB_ACQUIRE, but found no matching policy");
+		return;
+	}
+	if ((reqid = policy->reqid) == 0)
+	{
+		this->mutex->unlock(this->mutex);
+		DBG1(DBG_KNL, "received an SADB_ACQUIRE, but policy is not routed anymore");
+		return;
+	}
+
+	/* add a broad %hold eroute that replaces the %trap eroute */
+	add_eroute(this, SADB_X_SATYPE_INT, htonl(SPI_HOLD), NULL, NULL,
+			policy->src.net, policy->src.mask, policy->dst.net, policy->dst.mask,
+			policy->src.proto, TRUE);
+
+	/* remove the narrow %hold eroute installed by KLIPS */
+	del_eroute(this, SADB_X_SATYPE_INT, src, 32, dst, 32, proto);
+
+	this->mutex->unlock(this->mutex);
+
+	hydra->kernel_interface->acquire(hydra->kernel_interface, reqid, NULL,
+									 NULL);
+}
+
+/**
+ * Process a SADB_X_NAT_T_NEW_MAPPING message from the kernel
+ */
+static void process_mapping(private_kernel_klips_ipsec_t *this, struct sadb_msg* msg)
+{
+	pfkey_msg_t response;
+	u_int32_t spi, reqid;
+	host_t *old_src, *new_src;
+
+	DBG2(DBG_KNL, "received an SADB_X_NAT_T_NEW_MAPPING");
+
+	if (parse_pfkey_message(msg, &response) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "parsing SADB_X_NAT_T_NEW_MAPPING from kernel failed");
+		return;
+	}
+
+	spi = response.sa->sadb_sa_spi;
+
+	if (satype2proto(msg->sadb_msg_satype) == IPPROTO_ESP)
+	{
+		sa_entry_t *sa;
+		sockaddr_t *addr = (sockaddr_t*)(response.src + 1);
+		old_src = host_create_from_sockaddr(addr);
+
+		this->mutex->lock(this->mutex);
+		if (!old_src || this->installed_sas->find_first(this->installed_sas,
+				(linked_list_match_t)sa_entry_match_encapbysrc,
+					(void**)&sa, &spi, old_src) != SUCCESS)
+		{
+			this->mutex->unlock(this->mutex);
+			DBG1(DBG_KNL, "received an SADB_X_NAT_T_NEW_MAPPING, but found no matching SA");
+			return;
+		}
+		reqid = sa->reqid;
+		this->mutex->unlock(this->mutex);
+
+		addr = (sockaddr_t*)(response.dst + 1);
+		switch (addr->sa_family)
+		{
+			case AF_INET:
+			{
+				struct sockaddr_in *sin = (struct sockaddr_in*)addr;
+				sin->sin_port = htons(response.x_natt_dport->sadb_x_nat_t_port_port);
+			}
+			case AF_INET6:
+			{
+				struct sockaddr_in6 *sin6 = (struct sockaddr_in6*)addr;
+				sin6->sin6_port = htons(response.x_natt_dport->sadb_x_nat_t_port_port);
+			}
+			default:
+				break;
+		}
+		new_src = host_create_from_sockaddr(addr);
+		if (new_src)
+		{
+			hydra->kernel_interface->mapping(hydra->kernel_interface, reqid,
+											 spi, new_src);
+		}
+	}
+}
+
+/**
+ * Receives events from kernel
+ */
+static job_requeue_t receive_events(private_kernel_klips_ipsec_t *this)
+{
+	unsigned char buf[PFKEY_BUFFER_SIZE];
+	struct sadb_msg *msg = (struct sadb_msg*)buf;
+	int len;
+	bool oldstate;
+
+	oldstate = thread_cancelability(TRUE);
+	len = recv(this->socket_events, buf, sizeof(buf), 0);
+	thread_cancelability(oldstate);
+
+	if (len < 0)
+	{
+		switch (errno)
+		{
+			case EINTR:
+				/* interrupted, try again */
+				return JOB_REQUEUE_DIRECT;
+			case EAGAIN:
+				/* no data ready, select again */
+				return JOB_REQUEUE_DIRECT;
+			default:
+				DBG1(DBG_KNL, "unable to receive from PF_KEY event socket");
+				sleep(1);
+				return JOB_REQUEUE_FAIR;
+		}
+	}
+
+	if (len < sizeof(struct sadb_msg) ||
+		msg->sadb_msg_len < PFKEY_LEN(sizeof(struct sadb_msg)))
+	{
+		DBG2(DBG_KNL, "received corrupted PF_KEY message");
+		return JOB_REQUEUE_DIRECT;
+	}
+	if (msg->sadb_msg_pid != 0)
+	{	/* not from kernel. not interested, try another one */
+		return JOB_REQUEUE_DIRECT;
+	}
+	if (msg->sadb_msg_len > len / PFKEY_ALIGNMENT)
+	{
+		DBG1(DBG_KNL, "buffer was too small to receive the complete PF_KEY message");
+		return JOB_REQUEUE_DIRECT;
+	}
+
+	switch (msg->sadb_msg_type)
+	{
+		case SADB_ACQUIRE:
+			process_acquire(this, msg);
+			break;
+		case SADB_EXPIRE:
+			/* SADB_EXPIRE events in KLIPS are only triggered by traffic (even
+			 * for the time based limits). So if there is no traffic for a
+			 * longer period than configured as hard limit, we wouldn't be able
+			 * to rekey the SA and just receive the hard expire and thus delete
+			 * the SA.
+			 * To avoid this behavior and to make the daemon behave as with the
+			 * other kernel plugins, we implement the expiration of SAs
+			 * ourselves. */
+			break;
+		case SADB_X_NAT_T_NEW_MAPPING:
+			process_mapping(this, msg);
+			break;
+		default:
+			break;
+	}
+
+	return JOB_REQUEUE_DIRECT;
+}
+
+typedef enum {
+	/** an SPI has expired */
+	EXPIRE_TYPE_SPI,
+	/** a CHILD_SA has to be rekeyed */
+	EXPIRE_TYPE_SOFT,
+	/** a CHILD_SA has to be deleted */
+	EXPIRE_TYPE_HARD
+} expire_type_t;
+
+typedef struct sa_expire_t sa_expire_t;
+
+struct sa_expire_t {
+	/** kernel interface */
+	private_kernel_klips_ipsec_t *this;
+	/** the SPI of the expiring SA */
+	u_int32_t spi;
+	/** the protocol of the expiring SA */
+	u_int8_t protocol;
+	/** the reqid of the expiring SA*/
+	u_int32_t reqid;
+	/** what type of expire this is */
+	expire_type_t type;
+};
+
+/**
+ * Called when an SA expires
+ */
+static job_requeue_t sa_expires(sa_expire_t *expire)
+{
+	private_kernel_klips_ipsec_t *this = expire->this;
+	u_int8_t protocol = expire->protocol;
+	u_int32_t spi = expire->spi, reqid = expire->reqid;
+	bool hard = expire->type != EXPIRE_TYPE_SOFT;
+	sa_entry_t *cached_sa;
+	linked_list_t *list;
+
+	/* for an expired SPI we first check whether the CHILD_SA got installed
+	 * in the meantime, for expired SAs we check whether they are still installed */
+	list = expire->type == EXPIRE_TYPE_SPI ? this->allocated_spis : this->installed_sas;
+
+	this->mutex->lock(this->mutex);
+	if (list->find_first(list, (linked_list_match_t)sa_entry_match_byid,
+			(void**)&cached_sa, &protocol, &spi, &reqid) != SUCCESS)
+	{
+		/* we found no entry:
+		 * - for SPIs, a CHILD_SA has been installed
+		 * - for SAs, the CHILD_SA has already been deleted */
+		this->mutex->unlock(this->mutex);
+		return JOB_REQUEUE_NONE;
+	}
+	else
+	{
+		list->remove(list, cached_sa, NULL);
+		sa_entry_destroy(cached_sa);
+	}
+	this->mutex->unlock(this->mutex);
+
+	hydra->kernel_interface->expire(hydra->kernel_interface, reqid, protocol,
+									spi, hard);
+	return JOB_REQUEUE_NONE;
+}
+
+/**
+ * Schedule an expire job for an SA. Time is in seconds.
+ */
+static void schedule_expire(private_kernel_klips_ipsec_t *this,
+							u_int8_t protocol, u_int32_t spi,
+							u_int32_t reqid, expire_type_t type, u_int32_t time)
+{
+	callback_job_t *job;
+	sa_expire_t *expire = malloc_thing(sa_expire_t);
+	expire->this = this;
+	expire->protocol = protocol;
+	expire->spi = spi;
+	expire->reqid = reqid;
+	expire->type = type;
+	job = callback_job_create((callback_job_cb_t)sa_expires, expire, free, NULL);
+	lib->scheduler->schedule_job(lib->scheduler, (job_t*)job, time);
+}
+
+METHOD(kernel_ipsec_t, get_spi, status_t,
+	private_kernel_klips_ipsec_t *this, host_t *src, host_t *dst,
+	u_int8_t protocol, u_int32_t reqid, u_int32_t *spi)
+{
+	/* we cannot use SADB_GETSPI because KLIPS does not allow us to set the
+	 * NAT-T type in an SADB_UPDATE which we would have to use to update the
+	 * implicitly created SA.
+	 */
+	rng_t *rng;
+	u_int32_t spi_gen;
+
+	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
+	if (!rng)
+	{
+		DBG1(DBG_KNL, "allocating SPI failed: no RNG");
+		return FAILED;
+	}
+	rng->get_bytes(rng, sizeof(spi_gen), (void*)&spi_gen);
+	rng->destroy(rng);
+
+	/* allocated SPIs lie within the range from 0xc0000000 to 0xcFFFFFFF */
+	spi_gen = 0xc0000000 | (spi_gen & 0x0FFFFFFF);
+
+	*spi = htonl(spi_gen);
+
+	this->mutex->lock(this->mutex);
+	this->allocated_spis->insert_last(this->allocated_spis,
+			create_sa_entry(protocol, *spi, reqid, NULL, NULL, FALSE, TRUE));
+	this->mutex->unlock(this->mutex);
+	schedule_expire(this, protocol, *spi, reqid, EXPIRE_TYPE_SPI, SPI_TIMEOUT);
+
+	return SUCCESS;
+}
+
+METHOD(kernel_ipsec_t, get_cpi, status_t,
+	private_kernel_klips_ipsec_t *this, host_t *src, host_t *dst,
+	u_int32_t reqid, u_int16_t *cpi)
+{
+	return FAILED;
+}
+
+/**
+ * Add a pseudo IPIP SA for tunnel mode with KLIPS.
+ */
+static status_t add_ipip_sa(private_kernel_klips_ipsec_t *this,
+					   host_t *src, host_t *dst, u_int32_t spi, u_int32_t reqid)
+{
+	unsigned char request[PFKEY_BUFFER_SIZE];
+	struct sadb_msg *msg, *out;
+	struct sadb_sa *sa;
+	size_t len;
+
+	memset(&request, 0, sizeof(request));
+
+	DBG2(DBG_KNL, "adding pseudo IPIP SA with SPI %.8x and reqid {%d}", ntohl(spi), reqid);
+
+	msg = (struct sadb_msg*)request;
+	msg->sadb_msg_version = PF_KEY_V2;
+	msg->sadb_msg_type = SADB_ADD;
+	msg->sadb_msg_satype = SADB_X_SATYPE_IPIP;
+	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
+
+	sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
+	sa->sadb_sa_exttype = SADB_EXT_SA;
+	sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
+	sa->sadb_sa_spi = spi;
+	sa->sadb_sa_state = SADB_SASTATE_MATURE;
+	PFKEY_EXT_ADD(msg, sa);
+
+	add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC);
+	add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST);
+
+	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "unable to add pseudo IPIP SA with SPI %.8x", ntohl(spi));
+		return FAILED;
+	}
+	else if (out->sadb_msg_errno)
+	{
+		DBG1(DBG_KNL, "unable to add pseudo IPIP SA with SPI %.8x: %s (%d)",
+				ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
+		free(out);
+		return FAILED;
+	}
+
+	free(out);
+	return SUCCESS;
+}
+
+/**
+ * group the IPIP SA required for tunnel mode with the outer SA
+ */
+static status_t group_ipip_sa(private_kernel_klips_ipsec_t *this,
+					   host_t *src, host_t *dst, u_int32_t spi,
+					   u_int8_t protocol, u_int32_t reqid)
+{
+	unsigned char request[PFKEY_BUFFER_SIZE];
+	struct sadb_msg *msg, *out;
+	struct sadb_sa *sa;
+	struct sadb_x_satype *satype;
+	size_t len;
+
+	memset(&request, 0, sizeof(request));
+
+	DBG2(DBG_KNL, "grouping SAs with SPI %.8x and reqid {%d}", ntohl(spi), reqid);
+
+	msg = (struct sadb_msg*)request;
+	msg->sadb_msg_version = PF_KEY_V2;
+	msg->sadb_msg_type = SADB_X_GRPSA;
+	msg->sadb_msg_satype = SADB_X_SATYPE_IPIP;
+	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
+
+	sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
+	sa->sadb_sa_exttype = SADB_EXT_SA;
+	sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
+	sa->sadb_sa_spi = spi;
+	sa->sadb_sa_state = SADB_SASTATE_MATURE;
+	PFKEY_EXT_ADD(msg, sa);
+
+	add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST);
+
+	satype = (struct sadb_x_satype*)PFKEY_EXT_ADD_NEXT(msg);
+	satype->sadb_x_satype_exttype = SADB_X_EXT_SATYPE2;
+	satype->sadb_x_satype_len = PFKEY_LEN(sizeof(struct sadb_x_satype));
+	satype->sadb_x_satype_satype = proto2satype(protocol);
+	PFKEY_EXT_ADD(msg, satype);
+
+	sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
+	sa->sadb_sa_exttype = SADB_X_EXT_SA2;
+	sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
+	sa->sadb_sa_spi = spi;
+	sa->sadb_sa_state = SADB_SASTATE_MATURE;
+	PFKEY_EXT_ADD(msg, sa);
+
+	add_addr_ext(msg, dst, SADB_X_EXT_ADDRESS_DST2);
+
+	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "unable to group SAs with SPI %.8x", ntohl(spi));
+		return FAILED;
+	}
+	else if (out->sadb_msg_errno)
+	{
+		DBG1(DBG_KNL, "unable to group SAs with SPI %.8x: %s (%d)",
+				ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
+		free(out);
+		return FAILED;
+	}
+
+	free(out);
+	return SUCCESS;
+}
+
+METHOD(kernel_ipsec_t, add_sa, status_t,
+	private_kernel_klips_ipsec_t *this, host_t *src, host_t *dst, u_int32_t spi,
+	u_int8_t protocol, u_int32_t reqid, mark_t mark,
+	lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
+	u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode,
+	u_int16_t ipcomp, u_int16_t cpi, bool encap, bool inbound,
+	traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
+{
+	unsigned char request[PFKEY_BUFFER_SIZE];
+	struct sadb_msg *msg, *out;
+	struct sadb_sa *sa;
+	struct sadb_key *key;
+	size_t len;
+
+	if (inbound)
+	{
+		/* for inbound SAs we allocated an SPI via get_spi, so we first check
+		 * whether that SPI has already expired (race condition) */
+		sa_entry_t *alloc_spi;
+		this->mutex->lock(this->mutex);
+		if (this->allocated_spis->find_first(this->allocated_spis,
+				(linked_list_match_t)sa_entry_match_byid, (void**)&alloc_spi,
+					&protocol, &spi, &reqid) != SUCCESS)
+		{
+			this->mutex->unlock(this->mutex);
+			DBG1(DBG_KNL, "allocated SPI %.8x has already expired", ntohl(spi));
+			return FAILED;
+		}
+		else
+		{
+			this->allocated_spis->remove(this->allocated_spis, alloc_spi, NULL);
+			sa_entry_destroy(alloc_spi);
+		}
+		this->mutex->unlock(this->mutex);
+	}
+
+	memset(&request, 0, sizeof(request));
+
+	DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%d}", ntohl(spi), reqid);
+
+	msg = (struct sadb_msg*)request;
+	msg->sadb_msg_version = PF_KEY_V2;
+	msg->sadb_msg_type = SADB_ADD;
+	msg->sadb_msg_satype = proto2satype(protocol);
+	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
+
+	sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
+	sa->sadb_sa_exttype = SADB_EXT_SA;
+	sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
+	sa->sadb_sa_spi = spi;
+	sa->sadb_sa_state = SADB_SASTATE_MATURE;
+	sa->sadb_sa_replay = (protocol == IPPROTO_COMP) ? 0 : 32;
+	sa->sadb_sa_auth = lookup_algorithm(integrity_algs, int_alg);
+	sa->sadb_sa_encrypt = lookup_algorithm(encryption_algs, enc_alg);
+	PFKEY_EXT_ADD(msg, sa);
+
+	add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC);
+	add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST);
+
+	if (enc_alg != ENCR_UNDEFINED)
+	{
+		if (!sa->sadb_sa_encrypt)
+		{
+			DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
+				 encryption_algorithm_names, enc_alg);
+			return FAILED;
+		}
+		DBG2(DBG_KNL, "  using encryption algorithm %N with key size %d",
+			 encryption_algorithm_names, enc_alg, enc_key.len * 8);
+
+		key = (struct sadb_key*)PFKEY_EXT_ADD_NEXT(msg);
+		key->sadb_key_exttype = SADB_EXT_KEY_ENCRYPT;
+		key->sadb_key_bits = enc_key.len * 8;
+		key->sadb_key_len = PFKEY_LEN(sizeof(struct sadb_key) + enc_key.len);
+		memcpy(key + 1, enc_key.ptr, enc_key.len);
+
+		PFKEY_EXT_ADD(msg, key);
+	}
+
+	if (int_alg != AUTH_UNDEFINED)
+	{
+		if (!sa->sadb_sa_auth)
+		{
+			DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
+					 integrity_algorithm_names, int_alg);
+			return FAILED;
+		}
+		DBG2(DBG_KNL, "  using integrity algorithm %N with key size %d",
+			 integrity_algorithm_names, int_alg, int_key.len * 8);
+
+		key = (struct sadb_key*)PFKEY_EXT_ADD_NEXT(msg);
+		key->sadb_key_exttype = SADB_EXT_KEY_AUTH;
+		key->sadb_key_bits = int_key.len * 8;
+		key->sadb_key_len = PFKEY_LEN(sizeof(struct sadb_key) + int_key.len);
+		memcpy(key + 1, int_key.ptr, int_key.len);
+
+		PFKEY_EXT_ADD(msg, key);
+	}
+
+	if (ipcomp != IPCOMP_NONE)
+	{
+		/*TODO*/
+	}
+
+	if (encap)
+	{
+		add_encap_ext(msg, src, dst, FALSE);
+	}
+
+	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x", ntohl(spi));
+		return FAILED;
+	}
+	else if (out->sadb_msg_errno)
+	{
+		DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x: %s (%d)",
+				ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
+		free(out);
+		return FAILED;
+	}
+	free(out);
+
+	/* for tunnel mode SAs we have to install an additional IPIP SA and
+	 * group the two SAs together */
+	if (mode == MODE_TUNNEL)
+	{
+		if (add_ipip_sa(this, src, dst, spi, reqid) != SUCCESS ||
+			group_ipip_sa(this, src, dst, spi, protocol, reqid) != SUCCESS)
+		{
+			DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x", ntohl(spi));
+			return FAILED;
+		}
+	}
+
+	this->mutex->lock(this->mutex);
+	/* we cache this SA for two reasons:
+	 * - in case an SADB_X_NAT_T_MAPPING_NEW event occurs (we need to find the reqid then)
+	 * - to decide if an expired SA is still installed */
+	this->installed_sas->insert_last(this->installed_sas,
+				create_sa_entry(protocol, spi, reqid, src, dst, encap, inbound));
+	this->mutex->unlock(this->mutex);
+
+	/* Although KLIPS supports SADB_EXT_LIFETIME_SOFT/HARD, we handle the lifetime
+	 * of SAs manually in the plugin. Refer to the comments in receive_events()
+	 * for details. */
+	if (lifetime->time.rekey)
+	{
+		schedule_expire(this, protocol, spi, reqid, EXPIRE_TYPE_SOFT, lifetime->time.rekey);
+	}
+
+	if (lifetime->time.life)
+	{
+		schedule_expire(this, protocol, spi, reqid, EXPIRE_TYPE_HARD, lifetime->time.life);
+	}
+
+	return SUCCESS;
+}
+
+METHOD(kernel_ipsec_t, update_sa, status_t,
+	private_kernel_klips_ipsec_t *this, u_int32_t spi, u_int8_t protocol,
+	u_int16_t cpi, host_t *src, host_t *dst, host_t *new_src, host_t *new_dst,
+	bool encap, bool new_encap, mark_t mark)
+{
+	unsigned char request[PFKEY_BUFFER_SIZE];
+	struct sadb_msg *msg, *out;
+	struct sadb_sa *sa;
+	size_t len;
+
+	/* we can't update the SA if any of the ip addresses have changed.
+	 * that's because we can't use SADB_UPDATE and by deleting and readding the
+	 * SA the sequence numbers would get lost */
+	if (!src->ip_equals(src, new_src) ||
+		!dst->ip_equals(dst, new_dst))
+	{
+		DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x: address changes"
+				" are not supported", ntohl(spi));
+		return NOT_SUPPORTED;
+	}
+
+	/* because KLIPS does not allow us to change the NAT-T type in an SADB_UPDATE,
+	 * we can't update the SA if the encap flag has changed since installing it */
+	if (encap != new_encap)
+	{
+		DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x: change of UDP"
+				" encapsulation is not supported", ntohl(spi));
+		return NOT_SUPPORTED;
+	}
+
+	DBG2(DBG_KNL, "updating SAD entry with SPI %.8x from %#H..%#H to %#H..%#H",
+		 ntohl(spi), src, dst, new_src, new_dst);
+
+	memset(&request, 0, sizeof(request));
+
+	msg = (struct sadb_msg*)request;
+	msg->sadb_msg_version = PF_KEY_V2;
+	msg->sadb_msg_type = SADB_UPDATE;
+	msg->sadb_msg_satype = proto2satype(protocol);
+	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
+
+	sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
+	sa->sadb_sa_exttype = SADB_EXT_SA;
+	sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
+	sa->sadb_sa_spi = spi;
+	sa->sadb_sa_encrypt = SADB_EALG_AESCBC; /* ignored */
+	sa->sadb_sa_auth = SADB_AALG_SHA1HMAC; /* ignored */
+	sa->sadb_sa_state = SADB_SASTATE_MATURE;
+	PFKEY_EXT_ADD(msg, sa);
+
+	add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC);
+	add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST);
+
+	add_encap_ext(msg, new_src, new_dst, TRUE);
+
+	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi));
+		return FAILED;
+	}
+	else if (out->sadb_msg_errno)
+	{
+		DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x: %s (%d)",
+				ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
+		free(out);
+		return FAILED;
+	}
+	free(out);
+
+	return SUCCESS;
+}
+
+METHOD(kernel_ipsec_t, query_sa, status_t,
+	private_kernel_klips_ipsec_t *this, host_t *src, host_t *dst,
+	u_int32_t spi, u_int8_t protocol, mark_t mark, u_int64_t *bytes)
+{
+	return NOT_SUPPORTED;  /* TODO */
+}
+
+METHOD(kernel_ipsec_t, del_sa, status_t,
+	private_kernel_klips_ipsec_t *this, host_t *src, host_t *dst,
+	u_int32_t spi, u_int8_t protocol, u_int16_t cpi, mark_t mark)
+{
+	unsigned char request[PFKEY_BUFFER_SIZE];
+	struct sadb_msg *msg, *out;
+	struct sadb_sa *sa;
+	sa_entry_t *cached_sa;
+	size_t len;
+
+	memset(&request, 0, sizeof(request));
+
+	/* all grouped SAs are automatically deleted by KLIPS as soon as
+	 * one of them is deleted, therefore we delete only the main one */
+	DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x", ntohl(spi));
+
+	this->mutex->lock(this->mutex);
+	/* this should not fail, but we don't care if it does, let the kernel decide
+	 * whether this SA exists or not */
+	if (this->installed_sas->find_first(this->installed_sas,
+			(linked_list_match_t)sa_entry_match_bydst, (void**)&cached_sa,
+			&protocol, &spi, dst) == SUCCESS)
+	{
+		this->installed_sas->remove(this->installed_sas, cached_sa, NULL);
+		sa_entry_destroy(cached_sa);
+	}
+	this->mutex->unlock(this->mutex);
+
+	msg = (struct sadb_msg*)request;
+	msg->sadb_msg_version = PF_KEY_V2;
+	msg->sadb_msg_type = SADB_DELETE;
+	msg->sadb_msg_satype = proto2satype(protocol);
+	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
+
+	sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
+	sa->sadb_sa_exttype = SADB_EXT_SA;
+	sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
+	sa->sadb_sa_spi = spi;
+	PFKEY_EXT_ADD(msg, sa);
+
+	/* the kernel wants an SADB_EXT_ADDRESS_SRC to be present even though
+	 * it is not used for anything. */
+	add_anyaddr_ext(msg, dst->get_family(dst), SADB_EXT_ADDRESS_SRC);
+	add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST);
+
+	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x", ntohl(spi));
+		return FAILED;
+	}
+	else if (out->sadb_msg_errno)
+	{
+		DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x: %s (%d)",
+				ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
+		free(out);
+		return FAILED;
+	}
+
+	DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x", ntohl(spi));
+	free(out);
+	return SUCCESS;
+}
+
+METHOD(kernel_ipsec_t, add_policy, status_t,
+	private_kernel_klips_ipsec_t *this, host_t *src, host_t *dst,
+	traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
+	policy_dir_t direction, policy_type_t type, ipsec_sa_cfg_t *sa,
+	mark_t mark, bool routed)
+{
+	unsigned char request[PFKEY_BUFFER_SIZE];
+	struct sadb_msg *msg, *out;
+	policy_entry_t *policy, *found = NULL;
+	u_int32_t spi;
+	u_int8_t satype;
+	size_t len;
+
+	if (direction == POLICY_FWD)
+	{
+		/* no forward policies for KLIPS */
+		return SUCCESS;
+	}
+
+	/* tunnel mode policies direct the packets into the pseudo IPIP SA */
+	satype = (sa->mode == MODE_TUNNEL) ? SADB_X_SATYPE_IPIP
+									   : proto2satype(sa->esp.use ? IPPROTO_ESP
+																  : IPPROTO_AH);
+	spi = sa->esp.use ? sa->esp.spi : sa->ah.spi;
+
+	/* create a policy */
+	policy = create_policy_entry(src_ts, dst_ts, direction);
+
+	/* find a matching policy */
+	this->mutex->lock(this->mutex);
+	if (this->policies->find_first(this->policies,
+			(linked_list_match_t)policy_entry_equals, (void**)&found, policy) == SUCCESS)
+	{
+		/* use existing policy */
+		DBG2(DBG_KNL, "policy %R === %R %N already exists, increasing"
+					  " refcount", src_ts, dst_ts,
+					   policy_dir_names, direction);
+		policy_entry_destroy(policy);
+		policy = found;
+	}
+	else
+	{
+		/* apply the new one, if we have no such policy */
+		this->policies->insert_last(this->policies, policy);
+	}
+
+	if (routed)
+	{
+		/* we install this as a %trap eroute in the kernel, later to be
+		 * triggered by packets matching the policy (-> ACQUIRE). */
+		spi = htonl(SPI_TRAP);
+		satype = SADB_X_SATYPE_INT;
+
+		/* the reqid is always set to the latest child SA that trapped this
+		 * policy. we will need this reqid upon receiving an acquire. */
+		policy->reqid = sa->reqid;
+
+		/* increase the trap counter */
+		policy->trapcount++;
+
+		if (policy->activecount)
+		{
+			/* we do not replace the current policy in the kernel while a
+			 * policy is actively used */
+			this->mutex->unlock(this->mutex);
+			return SUCCESS;
+		}
+	}
+	else
+	{
+		/* increase the reference counter */
+		policy->activecount++;
+	}
+
+	DBG2(DBG_KNL, "adding policy %R === %R %N", src_ts, dst_ts,
+				   policy_dir_names, direction);
+
+	memset(&request, 0, sizeof(request));
+
+	msg = (struct sadb_msg*)request;
+
+	/* FIXME: SADB_X_SAFLAGS_INFLOW may be required, if we add an inbound policy for an IPIP SA */
+	build_addflow(msg, satype, spi, routed ? NULL : src, routed ? NULL : dst,
+			policy->src.net, policy->src.mask, policy->dst.net, policy->dst.mask,
+			policy->src.proto, found != NULL);
+
+	this->mutex->unlock(this->mutex);
+
+	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "unable to add policy %R === %R %N", src_ts, dst_ts,
+					   policy_dir_names, direction);
+		return FAILED;
+	}
+	else if (out->sadb_msg_errno)
+	{
+		DBG1(DBG_KNL, "unable to add policy %R === %R %N: %s (%d)", src_ts, dst_ts,
+					   policy_dir_names, direction,
+					   strerror(out->sadb_msg_errno), out->sadb_msg_errno);
+		free(out);
+		return FAILED;
+	}
+	free(out);
+
+	this->mutex->lock(this->mutex);
+
+	/* we try to find the policy again and install the route if needed */
+	if (this->policies->find_last(this->policies, NULL, (void**)&policy) != SUCCESS)
+	{
+		this->mutex->unlock(this->mutex);
+		DBG2(DBG_KNL, "the policy %R === %R %N is already gone, ignoring",
+				src_ts, dst_ts, policy_dir_names, direction);
+		return SUCCESS;
+	}
+
+	/* KLIPS requires a special route that directs traffic that matches this
+	 * policy to one of the virtual ipsec interfaces. The virtual interface
+	 * has to be attached to the physical one the traffic runs over.
+	 * This is a special case of the source route we install in other kernel
+	 * interfaces.
+	 * In the following cases we do NOT install a source route (but just a
+	 * regular route):
+	 * - we are not in tunnel mode
+	 * - we are using IPv6 (does not work correctly yet!)
+	 * - routing is disabled via strongswan.conf
+	 */
+	if (policy->route == NULL && direction == POLICY_OUT)
+	{
+		char *iface;
+		ipsec_dev_t *dev;
+		route_entry_t *route = malloc_thing(route_entry_t);
+		route->src_ip = NULL;
+
+		if (sa->mode != MODE_TRANSPORT && src->get_family(src) != AF_INET6 &&
+			this->install_routes)
+		{
+			hydra->kernel_interface->get_address_by_ts(hydra->kernel_interface,
+													   src_ts, &route->src_ip);
+		}
+
+		if (!route->src_ip)
+		{
+			route->src_ip = host_create_any(src->get_family(src));
+		}
+
+		/* find the virtual interface */
+		iface = hydra->kernel_interface->get_interface(hydra->kernel_interface,
+													   src);
+		if (find_ipsec_dev(this, iface, &dev) == SUCCESS)
+		{
+			/* above, we got either the name of a virtual or a physical
+			 * interface. for both cases it means we already have the devices
+			 * properly attached (assuming that we are exclusively attaching
+			 * ipsec devices). */
+			dev->refcount++;
+		}
+		else
+		{
+			/* there is no record of a mapping with the returned interface.
+			 * thus, we attach the first free virtual interface we find to
+			 * it. As above we assume we are the only client fiddling with
+			 * ipsec devices. */
+			if (this->ipsec_devices->find_first(this->ipsec_devices,
+					(linked_list_match_t)ipsec_dev_match_free,
+						(void**)&dev) == SUCCESS)
+			{
+				if (attach_ipsec_dev(dev->name, iface) == SUCCESS)
+				{
+					strncpy(dev->phys_name, iface, IFNAMSIZ);
+					dev->refcount = 1;
+				}
+				else
+				{
+					DBG1(DBG_KNL, "failed to attach virtual interface %s"
+							" to %s", dev->name, iface);
+					this->mutex->unlock(this->mutex);
+					free(iface);
+					return FAILED;
+				}
+			}
+			else
+			{
+				this->mutex->unlock(this->mutex);
+				DBG1(DBG_KNL, "failed to attach a virtual interface to %s: no"
+						" virtual interfaces left", iface);
+				free(iface);
+				return FAILED;
+			}
+		}
+		free(iface);
+		route->if_name = strdup(dev->name);
+
+		/* get the nexthop to dst */
+		route->gateway = hydra->kernel_interface->get_nexthop(
+												hydra->kernel_interface, dst);
+		route->dst_net = chunk_clone(policy->dst.net->get_address(policy->dst.net));
+		route->prefixlen = policy->dst.mask;
+
+		switch (hydra->kernel_interface->add_route(hydra->kernel_interface,
+				route->dst_net, route->prefixlen, route->gateway,
+				route->src_ip, route->if_name))
+		{
+			default:
+				DBG1(DBG_KNL, "unable to install route for policy %R === %R",
+					 src_ts, dst_ts);
+				/* FALL */
+			case ALREADY_DONE:
+				/* route exists, do not uninstall */
+				route_entry_destroy(route);
+				break;
+			case SUCCESS:
+				/* cache the installed route */
+				policy->route = route;
+				break;
+		}
+	}
+
+	this->mutex->unlock(this->mutex);
+
+	return SUCCESS;
+}
+
+METHOD(kernel_ipsec_t, query_policy, status_t,
+	private_kernel_klips_ipsec_t *this, traffic_selector_t *src_ts,
+	traffic_selector_t *dst_ts, policy_dir_t direction, mark_t mark,
+	u_int32_t *use_time)
+{
+	#define IDLE_PREFIX "idle="
+	static const char *path_eroute = "/proc/net/ipsec_eroute";
+	static const char *path_spi = "/proc/net/ipsec_spi";
+	FILE *file;
+	char line[1024], src[INET6_ADDRSTRLEN + 9], dst[INET6_ADDRSTRLEN + 9];
+	char *said = NULL, *pos;
+	policy_entry_t *policy, *found = NULL;
+	status_t status = FAILED;
+
+	if (direction == POLICY_FWD)
+	{
+		/* we do not install forward policies */
+		return FAILED;
+	}
+
+	DBG2(DBG_KNL, "querying policy %R === %R %N", src_ts, dst_ts,
+				   policy_dir_names, direction);
+
+	/* create a policy */
+	policy = create_policy_entry(src_ts, dst_ts, direction);
+
+	/* find a matching policy */
+	this->mutex->lock(this->mutex);
+	if (this->policies->find_first(this->policies,
+			(linked_list_match_t)policy_entry_equals, (void**)&found, policy) != SUCCESS)
+	{
+		this->mutex->unlock(this->mutex);
+		DBG1(DBG_KNL, "querying policy %R === %R %N failed, not found", src_ts,
+					   dst_ts, policy_dir_names, direction);
+		policy_entry_destroy(policy);
+		return NOT_FOUND;
+	}
+	policy_entry_destroy(policy);
+	policy = found;
+
+	/* src and dst selectors in KLIPS are of the form NET_ADDR/NETBITS:PROTO */
+	snprintf(src, sizeof(src), "%H/%d:%d", policy->src.net, policy->src.mask,
+			policy->src.proto);
+	src[sizeof(src) - 1] = '\0';
+	snprintf(dst, sizeof(dst), "%H/%d:%d", policy->dst.net, policy->dst.mask,
+			policy->dst.proto);
+	dst[sizeof(dst) - 1] = '\0';
+
+	this->mutex->unlock(this->mutex);
+
+	/* we try to find the matching eroute first */
+	file = fopen(path_eroute, "r");
+	if (file == NULL)
+	{
+		DBG1(DBG_KNL, "unable to query policy %R === %R %N: %s (%d)", src_ts,
+				dst_ts, policy_dir_names, direction, strerror(errno), errno);
+		return FAILED;
+	}
+
+	/* read line by line where each line looks like:
+	 * packets  src  ->  dst  =>  said */
+	while (fgets(line, sizeof(line), file))
+	{
+		enumerator_t *enumerator;
+		char *token;
+		int i = 0;
+
+		enumerator = enumerator_create_token(line, " \t", " \t\n");
+		while (enumerator->enumerate(enumerator, &token))
+		{
+			switch (i++)
+			{
+				case 0: /* packets */
+					continue;
+				case 1: /* src */
+					if (streq(token, src))
+					{
+						continue;
+					}
+					break;
+				case 2: /* -> */
+					continue;
+				case 3: /* dst */
+					if (streq(token, dst))
+					{
+						continue;
+					}
+					break;
+				case 4: /* => */
+					continue;
+				case 5: /* said */
+					said = strdup(token);
+					break;
+			}
+			break;
+		}
+		enumerator->destroy(enumerator);
+
+		if (i == 5)
+		{
+			/* eroute matched */
+			break;
+		}
+	}
+	fclose(file);
+
+	if (said == NULL)
+	{
+		DBG1(DBG_KNL, "unable to query policy %R === %R %N: found no matching"
+				" eroute", src_ts, dst_ts, policy_dir_names, direction);
+		return FAILED;
+	}
+
+	/* compared with the one in the spi entry the SA ID from the eroute entry
+	 * has an additional ":PROTO" appended, which we need to cut off */
+	pos = strrchr(said, ':');
+	*pos = '\0';
+
+	/* now we try to find the matching spi entry */
+	file = fopen(path_spi, "r");
+	if (file == NULL)
+	{
+		DBG1(DBG_KNL, "unable to query policy %R === %R %N: %s (%d)", src_ts,
+				dst_ts, policy_dir_names, direction, strerror(errno), errno);
+		return FAILED;
+	}
+
+	while (fgets(line, sizeof(line), file))
+	{
+		if (strneq(line, said, strlen(said)))
+		{
+			/* fine we found the correct line, now find the idle time */
+			u_int32_t idle_time;
+			pos = strstr(line, IDLE_PREFIX);
+			if (pos == NULL)
+			{
+				/* no idle time, i.e. this SA has not been used yet */
+				break;
+			}
+			if (sscanf(pos, IDLE_PREFIX"%u", &idle_time) <= 0)
+			{
+				/* idle time not valid */
+				break;
+			}
+
+			*use_time = time_monotonic(NULL) - idle_time;
+			status = SUCCESS;
+			break;
+		}
+	}
+	fclose(file);
+	free(said);
+
+	return status;
+}
+
+METHOD(kernel_ipsec_t, del_policy, status_t,
+	private_kernel_klips_ipsec_t *this, traffic_selector_t *src_ts,
+	traffic_selector_t *dst_ts, policy_dir_t direction, mark_t mark,
+	bool unrouted)
+{
+	unsigned char request[PFKEY_BUFFER_SIZE];
+	struct sadb_msg *msg = (struct sadb_msg*)request, *out;
+	policy_entry_t *policy, *found = NULL;
+	route_entry_t *route;
+	size_t len;
+
+	if (direction == POLICY_FWD)
+	{
+		/* no forward policies for KLIPS */
+		return SUCCESS;
+	}
+
+	DBG2(DBG_KNL, "deleting policy %R === %R %N", src_ts, dst_ts,
+				   policy_dir_names, direction);
+
+	/* create a policy */
+	policy = create_policy_entry(src_ts, dst_ts, direction);
+
+	/* find a matching policy */
+	this->mutex->lock(this->mutex);
+	if (this->policies->find_first(this->policies,
+			(linked_list_match_t)policy_entry_equals, (void**)&found, policy) != SUCCESS)
+	{
+		this->mutex->unlock(this->mutex);
+		DBG1(DBG_KNL, "deleting policy %R === %R %N failed, not found", src_ts,
+					   dst_ts, policy_dir_names, direction);
+		policy_entry_destroy(policy);
+		return NOT_FOUND;
+	}
+	policy_entry_destroy(policy);
+
+	/* decrease appropriate counter */
+	unrouted ? found->trapcount-- : found->activecount--;
+
+	if (found->trapcount == 0)
+	{
+		/* if this policy is finally unrouted, we reset the reqid because it
+		 * may still be actively used and there might be a pending acquire for
+		 * this policy. */
+		found->reqid = 0;
+	}
+
+	if (found->activecount > 0)
+	{
+		/* is still used by SAs, keep in kernel */
+		this->mutex->unlock(this->mutex);
+		DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed");
+		return SUCCESS;
+	}
+	else if (found->activecount == 0 && found->trapcount > 0)
+	{
+		/* for a policy that is not used actively anymore, but is still trapped
+		 * by another child SA we replace the current eroute with a %trap eroute */
+		DBG2(DBG_KNL, "policy still routed by another CHILD_SA, not removed");
+		memset(&request, 0, sizeof(request));
+		build_addflow(msg, SADB_X_SATYPE_INT, htonl(SPI_TRAP), NULL, NULL,
+				found->src.net, found->src.mask, found->dst.net,
+				found->dst.mask, found->src.proto, TRUE);
+		this->mutex->unlock(this->mutex);
+		return pfkey_send_ack(this, msg);
+	}
+
+	/* remove if last reference */
+	this->policies->remove(this->policies, found, NULL);
+	policy = found;
+
+	this->mutex->unlock(this->mutex);
+
+	memset(&request, 0, sizeof(request));
+
+	build_delflow(msg, 0, policy->src.net, policy->src.mask, policy->dst.net,
+			policy->dst.mask, policy->src.proto);
+
+	route = policy->route;
+	policy->route = NULL;
+	policy_entry_destroy(policy);
+
+	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "unable to delete policy %R === %R %N", src_ts, dst_ts,
+					   policy_dir_names, direction);
+		return FAILED;
+	}
+	else if (out->sadb_msg_errno)
+	{
+		DBG1(DBG_KNL, "unable to delete policy %R === %R %N: %s (%d)", src_ts,
+					   dst_ts, policy_dir_names, direction,
+					   strerror(out->sadb_msg_errno), out->sadb_msg_errno);
+		free(out);
+		return FAILED;
+	}
+	free(out);
+
+	if (route)
+	{
+		ipsec_dev_t *dev;
+
+		if (hydra->kernel_interface->del_route(hydra->kernel_interface,
+				route->dst_net, route->prefixlen, route->gateway,
+				route->src_ip, route->if_name) != SUCCESS)
+		{
+			DBG1(DBG_KNL, "error uninstalling route installed with"
+						  " policy %R === %R %N", src_ts, dst_ts,
+						   policy_dir_names, direction);
+		}
+
+		/* we have to detach the ipsec interface from the physical one over which
+		 * this SA ran (if it is not used by any other) */
+		this->mutex->lock(this->mutex);
+
+		if (find_ipsec_dev(this, route->if_name, &dev) == SUCCESS)
+		{
+			/* fine, we found a matching device object, let's check if we have
+			 * to detach it. */
+			if (--dev->refcount == 0)
+			{
+				if (detach_ipsec_dev(dev->name, dev->phys_name) != SUCCESS)
+				{
+					DBG1(DBG_KNL, "failed to detach virtual interface %s"
+							" from %s", dev->name, dev->phys_name);
+				}
+				dev->phys_name[0] = '\0';
+			}
+		}
+
+		this->mutex->unlock(this->mutex);
+
+		route_entry_destroy(route);
+	}
+
+	return SUCCESS;
+}
+
+/**
+ * Initialize the list of ipsec devices
+ */
+static void init_ipsec_devices(private_kernel_klips_ipsec_t *this)
+{
+	int i, count = lib->settings->get_int(lib->settings,
+						"%s.plugins.kernel-klips.ipsec_dev_count",
+						DEFAULT_IPSEC_DEV_COUNT, hydra->daemon);
+
+	for (i = 0; i < count; ++i)
+	{
+		ipsec_dev_t *dev = malloc_thing(ipsec_dev_t);
+		snprintf(dev->name, IFNAMSIZ, IPSEC_DEV_PREFIX"%d", i);
+		dev->name[IFNAMSIZ - 1] = '\0';
+		dev->phys_name[0] = '\0';
+		dev->refcount = 0;
+		this->ipsec_devices->insert_last(this->ipsec_devices, dev);
+
+		/* detach any previously attached ipsec device */
+		detach_ipsec_dev(dev->name, dev->phys_name);
+	}
+}
+
+/**
+ * Register a socket for AQUIRE/EXPIRE messages
+ */
+static status_t register_pfkey_socket(private_kernel_klips_ipsec_t *this, u_int8_t satype)
+{
+	unsigned char request[PFKEY_BUFFER_SIZE];
+	struct sadb_msg *msg, *out;
+	size_t len;
+
+	memset(&request, 0, sizeof(request));
+
+	msg = (struct sadb_msg*)request;
+	msg->sadb_msg_version = PF_KEY_V2;
+	msg->sadb_msg_type = SADB_REGISTER;
+	msg->sadb_msg_satype = satype;
+	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
+
+	if (pfkey_send_socket(this, this->socket_events, msg, &out, &len) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "unable to register PF_KEY socket");
+		return FAILED;
+	}
+	else if (out->sadb_msg_errno)
+	{
+		DBG1(DBG_KNL, "unable to register PF_KEY socket: %s (%d)",
+					   strerror(out->sadb_msg_errno), out->sadb_msg_errno);
+		free(out);
+		return FAILED;
+	}
+	free(out);
+	return SUCCESS;
+}
+
+METHOD(kernel_ipsec_t, bypass_socket, bool,
+	private_kernel_klips_ipsec_t *this, int fd, int family)
+{
+	/* KLIPS does not need a bypass policy for IKE */
+	return TRUE;
+}
+
+METHOD(kernel_ipsec_t, destroy, void,
+	private_kernel_klips_ipsec_t *this)
+{
+	if (this->job)
+	{
+		this->job->cancel(this->job);
+	}
+	if (this->socket > 0)
+	{
+		close(this->socket);
+	}
+	if (this->socket_events > 0)
+	{
+		close(this->socket_events);
+	}
+	this->mutex_pfkey->destroy(this->mutex_pfkey);
+	this->mutex->destroy(this->mutex);
+	this->ipsec_devices->destroy_function(this->ipsec_devices, (void*)ipsec_dev_destroy);
+	this->installed_sas->destroy_function(this->installed_sas, (void*)sa_entry_destroy);
+	this->allocated_spis->destroy_function(this->allocated_spis, (void*)sa_entry_destroy);
+	this->policies->destroy_function(this->policies, (void*)policy_entry_destroy);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+kernel_klips_ipsec_t *kernel_klips_ipsec_create()
+{
+	private_kernel_klips_ipsec_t *this;
+
+	INIT(this,
+		.public = {
+			.interface = {
+				.get_spi = _get_spi,
+				.get_cpi = _get_cpi,
+				.add_sa  = _add_sa,
+				.update_sa = _update_sa,
+				.query_sa = _query_sa,
+				.del_sa = _del_sa,
+				.add_policy = _add_policy,
+				.query_policy = _query_policy,
+				.del_policy = _del_policy,
+				.bypass_socket = _bypass_socket,
+				.destroy = _destroy,
+			},
+		},
+		.policies = linked_list_create(),
+		.allocated_spis = linked_list_create(),
+		.installed_sas = linked_list_create(),
+		.ipsec_devices = linked_list_create(),
+		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+		.mutex_pfkey = mutex_create(MUTEX_TYPE_DEFAULT),
+		.install_routes = lib->settings->get_bool(lib->settings,
+												  "%s.install_routes", TRUE,
+												  hydra->daemon),
+	);
+
+	/* initialize ipsec devices */
+	init_ipsec_devices(this);
+
+	/* create a PF_KEY socket to communicate with the kernel */
+	this->socket = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
+	if (this->socket <= 0)
+	{
+		DBG1(DBG_KNL, "unable to create PF_KEY socket");
+		destroy(this);
+		return NULL;
+	}
+
+	/* create a PF_KEY socket for ACQUIRE & EXPIRE */
+	this->socket_events = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
+	if (this->socket_events <= 0)
+	{
+		DBG1(DBG_KNL, "unable to create PF_KEY event socket");
+		destroy(this);
+		return NULL;
+	}
+
+	/* register the event socket */
+	if (register_pfkey_socket(this, SADB_SATYPE_ESP) != SUCCESS ||
+		register_pfkey_socket(this, SADB_SATYPE_AH) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "unable to register PF_KEY event socket");
+		destroy(this);
+		return NULL;
+	}
+
+	this->job = callback_job_create((callback_job_cb_t)receive_events,
+									this, NULL, NULL);
+	lib->processor->queue_job(lib->processor, (job_t*)this->job);
+
+	return &this->public;
+}
+
diff --git a/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.h b/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.h
new file mode 100644
index 000000000..306ec0ada
--- /dev/null
+++ b/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.h
@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup kernel_klips_ipsec_i kernel_klips_ipsec
+ * @{ @ingroup kernel_klips
+ */
+
+#ifndef KERNEL_KLIPS_IPSEC_H_
+#define KERNEL_KLIPS_IPSEC_H_
+
+#include <kernel/kernel_ipsec.h>
+
+typedef struct kernel_klips_ipsec_t kernel_klips_ipsec_t;
+
+/**
+ * Implementation of the kernel ipsec interface using PF_KEY.
+ */
+struct kernel_klips_ipsec_t {
+
+	/**
+	 * Implements kernel_ipsec_t interface
+	 */
+	kernel_ipsec_t interface;
+};
+
+/**
+ * Create a PF_KEY kernel ipsec interface instance.
+ *
+ * @return			kernel_klips_ipsec_t instance
+ */
+kernel_klips_ipsec_t *kernel_klips_ipsec_create();
+
+#endif /** KERNEL_KLIPS_IPSEC_H_ @}*/
diff --git a/src/libhydra/plugins/kernel_klips/kernel_klips_plugin.c b/src/libhydra/plugins/kernel_klips/kernel_klips_plugin.c
new file mode 100644
index 000000000..1a22835c0
--- /dev/null
+++ b/src/libhydra/plugins/kernel_klips/kernel_klips_plugin.c
@@ -0,0 +1,58 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+
+#include "kernel_klips_plugin.h"
+
+#include "kernel_klips_ipsec.h"
+
+#include <hydra.h>
+
+typedef struct private_kernel_klips_plugin_t private_kernel_klips_plugin_t;
+
+/**
+ * private data of kernel PF_KEY plugin
+ */
+struct private_kernel_klips_plugin_t {
+	/**
+	 * implements plugin interface
+	 */
+	kernel_klips_plugin_t public;
+};
+
+/**
+ * Implementation of plugin_t.destroy
+ */
+static void destroy(private_kernel_klips_plugin_t *this)
+{
+	hydra->kernel_interface->remove_ipsec_interface(hydra->kernel_interface,
+						(kernel_ipsec_constructor_t)kernel_klips_ipsec_create);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *kernel_klips_plugin_create()
+{
+	private_kernel_klips_plugin_t *this = malloc_thing(private_kernel_klips_plugin_t);
+
+	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+
+	hydra->kernel_interface->add_ipsec_interface(hydra->kernel_interface,
+						(kernel_ipsec_constructor_t)kernel_klips_ipsec_create);
+
+	return &this->public.plugin;
+}
diff --git a/src/libhydra/plugins/kernel_klips/kernel_klips_plugin.h b/src/libhydra/plugins/kernel_klips/kernel_klips_plugin.h
new file mode 100644
index 000000000..8dd386a66
--- /dev/null
+++ b/src/libhydra/plugins/kernel_klips/kernel_klips_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup kernel_klips kernel_klips
+ * @ingroup hplugins
+ *
+ * @defgroup kernel_klips_plugin kernel_klips_plugin
+ * @{ @ingroup kernel_klips
+ */
+
+#ifndef KERNEL_KLIPS_PLUGIN_H_
+#define KERNEL_KLIPS_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct kernel_klips_plugin_t kernel_klips_plugin_t;
+
+/**
+ * PF_KEY kernel interface plugin
+ */
+struct kernel_klips_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+#endif /** KERNEL_KLIPS_PLUGIN_H_ @}*/
diff --git a/src/libhydra/plugins/kernel_klips/pfkeyv2.h b/src/libhydra/plugins/kernel_klips/pfkeyv2.h
new file mode 100644
index 000000000..20d1c298d
--- /dev/null
+++ b/src/libhydra/plugins/kernel_klips/pfkeyv2.h
@@ -0,0 +1,322 @@
+/*
+RFC 2367               PF_KEY Key Management API               July 1998
+
+
+Appendix D: Sample Header File
+
+This file defines structures and symbols for the PF_KEY Version 2
+key management interface. It was written at the U.S. Naval Research
+Laboratory. This file is in the public domain. The authors ask that
+you leave this credit intact on any copies of this file.
+*/
+#ifndef __PFKEY_V2_H
+#define __PFKEY_V2_H 1
+
+#define PF_KEY_V2 2
+#define PFKEYV2_REVISION        199806L
+
+#define SADB_RESERVED    0
+#define SADB_GETSPI      1
+#define SADB_UPDATE      2
+#define SADB_ADD         3
+#define SADB_DELETE      4
+#define SADB_GET         5
+#define SADB_ACQUIRE     6
+#define SADB_REGISTER    7
+#define SADB_EXPIRE      8
+#define SADB_FLUSH       9
+#define SADB_DUMP       10
+#define SADB_X_PROMISC  11
+#define SADB_X_PCHANGE  12
+#define SADB_X_GRPSA    13
+#define SADB_X_ADDFLOW	14
+#define SADB_X_DELFLOW	15
+#define SADB_X_DEBUG	16
+#define SADB_X_NAT_T_NEW_MAPPING  17
+#define SADB_MAX                  17
+
+struct sadb_msg {
+  uint8_t sadb_msg_version;
+  uint8_t sadb_msg_type;
+  uint8_t sadb_msg_errno;
+  uint8_t sadb_msg_satype;
+  uint16_t sadb_msg_len;
+  uint16_t sadb_msg_reserved;
+  uint32_t sadb_msg_seq;
+  uint32_t sadb_msg_pid;
+};
+
+struct sadb_ext {
+  uint16_t sadb_ext_len;
+  uint16_t sadb_ext_type;
+};
+
+struct sadb_sa {
+  uint16_t sadb_sa_len;
+  uint16_t sadb_sa_exttype;
+  uint32_t sadb_sa_spi;
+  uint8_t sadb_sa_replay;
+  uint8_t sadb_sa_state;
+  uint8_t sadb_sa_auth;
+  uint8_t sadb_sa_encrypt;
+  uint32_t sadb_sa_flags;
+};
+
+struct sadb_lifetime {
+  uint16_t sadb_lifetime_len;
+  uint16_t sadb_lifetime_exttype;
+  uint32_t sadb_lifetime_allocations;
+  uint64_t sadb_lifetime_bytes;
+  uint64_t sadb_lifetime_addtime;
+  uint64_t sadb_lifetime_usetime;
+  uint32_t sadb_x_lifetime_packets;
+  uint32_t sadb_x_lifetime_reserved;
+};
+
+struct sadb_address {
+  uint16_t sadb_address_len;
+  uint16_t sadb_address_exttype;
+  uint8_t sadb_address_proto;
+  uint8_t sadb_address_prefixlen;
+  uint16_t sadb_address_reserved;
+};
+
+struct sadb_key {
+  uint16_t sadb_key_len;
+  uint16_t sadb_key_exttype;
+  uint16_t sadb_key_bits;
+  uint16_t sadb_key_reserved;
+};
+
+struct sadb_ident {
+  uint16_t sadb_ident_len;
+  uint16_t sadb_ident_exttype;
+  uint16_t sadb_ident_type;
+  uint16_t sadb_ident_reserved;
+  uint64_t sadb_ident_id;
+};
+
+struct sadb_sens {
+  uint16_t sadb_sens_len;
+  uint16_t sadb_sens_exttype;
+  uint32_t sadb_sens_dpd;
+  uint8_t sadb_sens_sens_level;
+  uint8_t sadb_sens_sens_len;
+  uint8_t sadb_sens_integ_level;
+  uint8_t sadb_sens_integ_len;
+  uint32_t sadb_sens_reserved;
+};
+
+struct sadb_prop {
+  uint16_t sadb_prop_len;
+  uint16_t sadb_prop_exttype;
+  uint8_t sadb_prop_replay;
+  uint8_t sadb_prop_reserved[3];
+};
+
+struct sadb_comb {
+  uint8_t sadb_comb_auth;
+  uint8_t sadb_comb_encrypt;
+  uint16_t sadb_comb_flags;
+  uint16_t sadb_comb_auth_minbits;
+  uint16_t sadb_comb_auth_maxbits;
+  uint16_t sadb_comb_encrypt_minbits;
+  uint16_t sadb_comb_encrypt_maxbits;
+  uint32_t sadb_comb_reserved;
+  uint32_t sadb_comb_soft_allocations;
+  uint32_t sadb_comb_hard_allocations;
+  uint64_t sadb_comb_soft_bytes;
+  uint64_t sadb_comb_hard_bytes;
+  uint64_t sadb_comb_soft_addtime;
+  uint64_t sadb_comb_hard_addtime;
+  uint64_t sadb_comb_soft_usetime;
+  uint64_t sadb_comb_hard_usetime;
+  uint32_t sadb_x_comb_soft_packets;
+  uint32_t sadb_x_comb_hard_packets;
+};
+
+struct sadb_supported {
+  uint16_t sadb_supported_len;
+  uint16_t sadb_supported_exttype;
+  uint32_t sadb_supported_reserved;
+};
+
+struct sadb_alg {
+  uint8_t sadb_alg_id;
+  uint8_t sadb_alg_ivlen;
+  uint16_t sadb_alg_minbits;
+  uint16_t sadb_alg_maxbits;
+  uint16_t sadb_alg_reserved;
+};
+
+struct sadb_spirange {
+  uint16_t sadb_spirange_len;
+  uint16_t sadb_spirange_exttype;
+  uint32_t sadb_spirange_min;
+  uint32_t sadb_spirange_max;
+  uint32_t sadb_spirange_reserved;
+};
+
+struct sadb_x_kmprivate {
+  uint16_t sadb_x_kmprivate_len;
+  uint16_t sadb_x_kmprivate_exttype;
+  uint32_t sadb_x_kmprivate_reserved;
+};
+
+struct sadb_x_satype {
+  uint16_t sadb_x_satype_len;
+  uint16_t sadb_x_satype_exttype;
+  uint8_t sadb_x_satype_satype;
+  uint8_t sadb_x_satype_reserved[3];
+};
+
+struct sadb_x_debug {
+  uint16_t sadb_x_debug_len;
+  uint16_t sadb_x_debug_exttype;
+  uint32_t sadb_x_debug_tunnel;
+  uint32_t sadb_x_debug_netlink;
+  uint32_t sadb_x_debug_xform;
+  uint32_t sadb_x_debug_eroute;
+  uint32_t sadb_x_debug_spi;
+  uint32_t sadb_x_debug_radij;
+  uint32_t sadb_x_debug_esp;
+  uint32_t sadb_x_debug_ah;
+  uint32_t sadb_x_debug_rcv;
+  uint32_t sadb_x_debug_pfkey;
+  uint32_t sadb_x_debug_ipcomp;
+  uint32_t sadb_x_debug_verbose;
+  uint8_t sadb_x_debug_reserved[4];
+};
+
+struct sadb_x_nat_t_type {
+  uint16_t sadb_x_nat_t_type_len;
+  uint16_t sadb_x_nat_t_type_exttype;
+  uint8_t sadb_x_nat_t_type_type;
+  uint8_t sadb_x_nat_t_type_reserved[3];
+};
+struct sadb_x_nat_t_port {
+  uint16_t sadb_x_nat_t_port_len;
+  uint16_t sadb_x_nat_t_port_exttype;
+  uint16_t sadb_x_nat_t_port_port;
+  uint16_t sadb_x_nat_t_port_reserved;
+};
+
+/*
+ * A protocol structure for passing through the transport level
+ * protocol.  It contains more fields than are actually used/needed
+ * but it is this way to be compatible with the structure used in
+ * OpenBSD (http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/pfkeyv2.h)
+ */
+struct sadb_protocol {
+  uint16_t sadb_protocol_len;
+  uint16_t sadb_protocol_exttype;
+  uint8_t  sadb_protocol_proto;
+  uint8_t  sadb_protocol_direction;
+  uint8_t  sadb_protocol_flags;
+  uint8_t  sadb_protocol_reserved2;
+};
+
+#define SADB_EXT_RESERVED             0
+#define SADB_EXT_SA                   1
+#define SADB_EXT_LIFETIME_CURRENT     2
+#define SADB_EXT_LIFETIME_HARD        3
+#define SADB_EXT_LIFETIME_SOFT        4
+#define SADB_EXT_ADDRESS_SRC          5
+#define SADB_EXT_ADDRESS_DST          6
+#define SADB_EXT_ADDRESS_PROXY        7
+#define SADB_EXT_KEY_AUTH             8
+#define SADB_EXT_KEY_ENCRYPT          9
+#define SADB_EXT_IDENTITY_SRC         10
+#define SADB_EXT_IDENTITY_DST         11
+#define SADB_EXT_SENSITIVITY          12
+#define SADB_EXT_PROPOSAL             13
+#define SADB_EXT_SUPPORTED_AUTH       14
+#define SADB_EXT_SUPPORTED_ENCRYPT    15
+#define SADB_EXT_SPIRANGE             16
+#define SADB_X_EXT_KMPRIVATE          17
+#define SADB_X_EXT_SATYPE2            18
+#define SADB_X_EXT_SA2                19
+#define SADB_X_EXT_ADDRESS_DST2       20
+#define SADB_X_EXT_ADDRESS_SRC_FLOW   21
+#define SADB_X_EXT_ADDRESS_DST_FLOW   22
+#define SADB_X_EXT_ADDRESS_SRC_MASK   23
+#define SADB_X_EXT_ADDRESS_DST_MASK   24
+#define SADB_X_EXT_DEBUG              25
+#define SADB_X_EXT_PROTOCOL           26
+#define SADB_X_EXT_NAT_T_TYPE         27
+#define SADB_X_EXT_NAT_T_SPORT        28
+#define SADB_X_EXT_NAT_T_DPORT        29
+#define SADB_X_EXT_NAT_T_OA           30
+#define SADB_EXT_MAX                  30
+
+/* SADB_X_DELFLOW required over and above SADB_X_SAFLAGS_CLEARFLOW */
+#define SADB_X_EXT_ADDRESS_DELFLOW \
+	( (1<<SADB_X_EXT_ADDRESS_SRC_FLOW) \
+	| (1<<SADB_X_EXT_ADDRESS_DST_FLOW) \
+	| (1<<SADB_X_EXT_ADDRESS_SRC_MASK) \
+	| (1<<SADB_X_EXT_ADDRESS_DST_MASK))
+
+#define SADB_SATYPE_UNSPEC    0
+#define SADB_SATYPE_AH        2
+#define SADB_SATYPE_ESP       3
+#define SADB_SATYPE_RSVP      5
+#define SADB_SATYPE_OSPFV2    6
+#define SADB_SATYPE_RIPV2     7
+#define SADB_SATYPE_MIP       8
+#define SADB_X_SATYPE_IPIP    9
+#define SADB_X_SATYPE_COMP    10
+#define SADB_X_SATYPE_INT     11
+#define SADB_SATYPE_MAX       11
+
+#define SADB_SASTATE_LARVAL   0
+#define SADB_SASTATE_MATURE   1
+#define SADB_SASTATE_DYING    2
+#define SADB_SASTATE_DEAD     3
+#define SADB_SASTATE_MAX      3
+
+#define SADB_SAFLAGS_PFS		1
+#define SADB_X_SAFLAGS_REPLACEFLOW	2
+#define SADB_X_SAFLAGS_CLEARFLOW	4
+#define SADB_X_SAFLAGS_INFLOW		8
+
+#define SADB_AALG_NONE        0
+#define SADB_AALG_MD5HMAC     2
+#define SADB_AALG_SHA1HMAC    3
+#define	SADB_AALG_SHA256_HMAC    5
+#define	SADB_AALG_SHA384_HMAC    6
+#define	SADB_AALG_SHA512_HMAC    7
+#define	SADB_AALG_RIPEMD160HMAC      8
+#define	SADB_AALG_MAX         15
+
+#define SADB_EALG_NONE        0
+#define SADB_EALG_DESCBC      2
+#define SADB_EALG_3DESCBC     3
+#define SADB_EALG_BFCBC	      7
+#define SADB_EALG_NULL        11
+#define SADB_EALG_AESCBC      12
+#define SADB_EALG_MAX         255
+
+#define SADB_X_CALG_NONE          0
+#define SADB_X_CALG_OUI           1
+#define SADB_X_CALG_DEFLATE       2
+#define SADB_X_CALG_LZS           3
+#define SADB_X_CALG_V42BIS        4
+#define SADB_X_CALG_MAX           4
+
+#define SADB_X_TALG_NONE          0
+#define SADB_X_TALG_IPv4_in_IPv4  1
+#define SADB_X_TALG_IPv6_in_IPv4  2
+#define SADB_X_TALG_IPv4_in_IPv6  3
+#define SADB_X_TALG_IPv6_in_IPv6  4
+#define SADB_X_TALG_MAX           4
+
+
+#define SADB_IDENTTYPE_RESERVED   0
+#define SADB_IDENTTYPE_PREFIX     1
+#define SADB_IDENTTYPE_FQDN       2
+#define SADB_IDENTTYPE_USERFQDN   3
+#define SADB_X_IDENTTYPE_CONNECTION 4
+#define SADB_IDENTTYPE_MAX        4
+
+#define SADB_KEY_FLAGS_MAX     0
+#endif /* __PFKEY_V2_H */
diff --git a/src/libhydra/plugins/kernel_netlink/Makefile.am b/src/libhydra/plugins/kernel_netlink/Makefile.am
new file mode 100644
index 000000000..1ad379421
--- /dev/null
+++ b/src/libhydra/plugins/kernel_netlink/Makefile.am
@@ -0,0 +1,21 @@
+
+INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra
+
+AM_CFLAGS = -rdynamic \
+-DROUTING_TABLE=${routing_table} \
+-DROUTING_TABLE_PRIO=${routing_table_prio}
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-kernel-netlink.la
+else
+plugin_LTLIBRARIES = libstrongswan-kernel-netlink.la
+endif
+
+libstrongswan_kernel_netlink_la_SOURCES = \
+	kernel_netlink_plugin.h kernel_netlink_plugin.c \
+	kernel_netlink_ipsec.h kernel_netlink_ipsec.c \
+	kernel_netlink_net.h kernel_netlink_net.c \
+	kernel_netlink_shared.h kernel_netlink_shared.c
+
+libstrongswan_kernel_netlink_la_LDFLAGS = -module -avoid-version
diff --git a/src/libhydra/plugins/kernel_netlink/Makefile.in b/src/libhydra/plugins/kernel_netlink/Makefile.in
new file mode 100644
index 000000000..d41ee1456
--- /dev/null
+++ b/src/libhydra/plugins/kernel_netlink/Makefile.in
@@ -0,0 +1,614 @@
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libhydra/plugins/kernel_netlink
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_kernel_netlink_la_LIBADD =
+am_libstrongswan_kernel_netlink_la_OBJECTS = kernel_netlink_plugin.lo \
+	kernel_netlink_ipsec.lo kernel_netlink_net.lo \
+	kernel_netlink_shared.lo
+libstrongswan_kernel_netlink_la_OBJECTS =  \
+	$(am_libstrongswan_kernel_netlink_la_OBJECTS)
+libstrongswan_kernel_netlink_la_LINK = $(LIBTOOL) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_kernel_netlink_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_kernel_netlink_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_kernel_netlink_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_kernel_netlink_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_kernel_netlink_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra
+
+AM_CFLAGS = -rdynamic \
+-DROUTING_TABLE=${routing_table} \
+-DROUTING_TABLE_PRIO=${routing_table_prio}
+
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-kernel-netlink.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-kernel-netlink.la
+libstrongswan_kernel_netlink_la_SOURCES = \
+	kernel_netlink_plugin.h kernel_netlink_plugin.c \
+	kernel_netlink_ipsec.h kernel_netlink_ipsec.c \
+	kernel_netlink_net.h kernel_netlink_net.c \
+	kernel_netlink_shared.h kernel_netlink_shared.c
+
+libstrongswan_kernel_netlink_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libhydra/plugins/kernel_netlink/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libhydra/plugins/kernel_netlink/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-kernel-netlink.la: $(libstrongswan_kernel_netlink_la_OBJECTS) $(libstrongswan_kernel_netlink_la_DEPENDENCIES) 
+	$(libstrongswan_kernel_netlink_la_LINK) $(am_libstrongswan_kernel_netlink_la_rpath) $(libstrongswan_kernel_netlink_la_OBJECTS) $(libstrongswan_kernel_netlink_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_netlink_ipsec.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_netlink_net.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_netlink_plugin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_netlink_shared.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
new file mode 100644
index 000000000..8cc9a6283
--- /dev/null
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -0,0 +1,2221 @@
+/*
+ * Copyright (C) 2006-2010 Tobias Brunner
+ * Copyright (C) 2005-2009 Martin Willi
+ * Copyright (C) 2008 Andreas Steffen
+ * Copyright (C) 2006-2007 Fabian Hartmann, Noah Heusser
+ * Copyright (C) 2006 Daniel Roethlisberger
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <stdint.h>
+#include <linux/ipsec.h>
+#include <linux/netlink.h>
+#include <linux/rtnetlink.h>
+#include <linux/xfrm.h>
+#include <linux/udp.h>
+#include <unistd.h>
+#include <time.h>
+#include <errno.h>
+#include <string.h>
+#include <fcntl.h>
+
+#include "kernel_netlink_ipsec.h"
+#include "kernel_netlink_shared.h"
+
+#include <hydra.h>
+#include <debug.h>
+#include <threading/thread.h>
+#include <threading/mutex.h>
+#include <utils/hashtable.h>
+#include <processing/jobs/callback_job.h>
+
+/** required for Linux 2.6.26 kernel and later */
+#ifndef XFRM_STATE_AF_UNSPEC
+#define XFRM_STATE_AF_UNSPEC	32
+#endif
+
+/** from linux/in.h */
+#ifndef IP_XFRM_POLICY
+#define IP_XFRM_POLICY 17
+#endif
+
+/* missing on uclibc */
+#ifndef IPV6_XFRM_POLICY
+#define IPV6_XFRM_POLICY 34
+#endif /*IPV6_XFRM_POLICY*/
+
+/** default priority of installed policies */
+#define PRIO_LOW 3000
+#define PRIO_HIGH 2000
+
+/**
+ * map the limit for bytes and packets to XFRM_INF per default
+ */
+#define XFRM_LIMIT(x) ((x) == 0 ? XFRM_INF : (x))
+
+/**
+ * Create ORable bitfield of XFRM NL groups
+ */
+#define XFRMNLGRP(x) (1<<(XFRMNLGRP_##x-1))
+
+/**
+ * returns a pointer to the first rtattr following the nlmsghdr *nlh and the
+ * 'usual' netlink data x like 'struct xfrm_usersa_info'
+ */
+#define XFRM_RTA(nlh, x) ((struct rtattr*)(NLMSG_DATA(nlh) + NLMSG_ALIGN(sizeof(x))))
+/**
+ * returns a pointer to the next rtattr following rta.
+ * !!! do not use this to parse messages. use RTA_NEXT and RTA_OK instead !!!
+ */
+#define XFRM_RTA_NEXT(rta) ((struct rtattr*)(((char*)(rta)) + RTA_ALIGN((rta)->rta_len)))
+/**
+ * returns the total size of attached rta data
+ * (after 'usual' netlink data x like 'struct xfrm_usersa_info')
+ */
+#define XFRM_PAYLOAD(nlh, x) NLMSG_PAYLOAD(nlh, sizeof(x))
+
+typedef struct kernel_algorithm_t kernel_algorithm_t;
+
+/**
+ * Mapping of IKEv2 kernel identifier to linux crypto API names
+ */
+struct kernel_algorithm_t {
+	/**
+	 * Identifier specified in IKEv2
+	 */
+	int ikev2;
+
+	/**
+	 * Name of the algorithm in linux crypto API
+	 */
+	char *name;
+};
+
+ENUM(xfrm_msg_names, XFRM_MSG_NEWSA, XFRM_MSG_MAPPING,
+	"XFRM_MSG_NEWSA",
+	"XFRM_MSG_DELSA",
+	"XFRM_MSG_GETSA",
+	"XFRM_MSG_NEWPOLICY",
+	"XFRM_MSG_DELPOLICY",
+	"XFRM_MSG_GETPOLICY",
+	"XFRM_MSG_ALLOCSPI",
+	"XFRM_MSG_ACQUIRE",
+	"XFRM_MSG_EXPIRE",
+	"XFRM_MSG_UPDPOLICY",
+	"XFRM_MSG_UPDSA",
+	"XFRM_MSG_POLEXPIRE",
+	"XFRM_MSG_FLUSHSA",
+	"XFRM_MSG_FLUSHPOLICY",
+	"XFRM_MSG_NEWAE",
+	"XFRM_MSG_GETAE",
+	"XFRM_MSG_REPORT",
+	"XFRM_MSG_MIGRATE",
+	"XFRM_MSG_NEWSADINFO",
+	"XFRM_MSG_GETSADINFO",
+	"XFRM_MSG_NEWSPDINFO",
+	"XFRM_MSG_GETSPDINFO",
+	"XFRM_MSG_MAPPING"
+);
+
+ENUM(xfrm_attr_type_names, XFRMA_UNSPEC, XFRMA_KMADDRESS,
+	"XFRMA_UNSPEC",
+	"XFRMA_ALG_AUTH",
+	"XFRMA_ALG_CRYPT",
+	"XFRMA_ALG_COMP",
+	"XFRMA_ENCAP",
+	"XFRMA_TMPL",
+	"XFRMA_SA",
+	"XFRMA_POLICY",
+	"XFRMA_SEC_CTX",
+	"XFRMA_LTIME_VAL",
+	"XFRMA_REPLAY_VAL",
+	"XFRMA_REPLAY_THRESH",
+	"XFRMA_ETIMER_THRESH",
+	"XFRMA_SRCADDR",
+	"XFRMA_COADDR",
+	"XFRMA_LASTUSED",
+	"XFRMA_POLICY_TYPE",
+	"XFRMA_MIGRATE",
+	"XFRMA_ALG_AEAD",
+	"XFRMA_KMADDRESS"
+);
+
+#define END_OF_LIST -1
+
+/**
+ * Algorithms for encryption
+ */
+static kernel_algorithm_t encryption_algs[] = {
+/*	{ENCR_DES_IV64,				"***"				}, */
+	{ENCR_DES,					"des"				},
+	{ENCR_3DES,					"des3_ede"			},
+/*	{ENCR_RC5,					"***"				}, */
+/*	{ENCR_IDEA,					"***"				}, */
+	{ENCR_CAST,					"cast128"			},
+	{ENCR_BLOWFISH,				"blowfish"			},
+/*	{ENCR_3IDEA,				"***"				}, */
+/*	{ENCR_DES_IV32,				"***"				}, */
+	{ENCR_NULL,					"cipher_null"		},
+	{ENCR_AES_CBC,				"aes"				},
+	{ENCR_AES_CTR,				"rfc3686(ctr(aes))"	},
+	{ENCR_AES_CCM_ICV8,			"rfc4309(ccm(aes))"	},
+	{ENCR_AES_CCM_ICV12,		"rfc4309(ccm(aes))"	},
+	{ENCR_AES_CCM_ICV16,		"rfc4309(ccm(aes))"	},
+	{ENCR_AES_GCM_ICV8,			"rfc4106(gcm(aes))"	},
+	{ENCR_AES_GCM_ICV12,		"rfc4106(gcm(aes))"	},
+	{ENCR_AES_GCM_ICV16,		"rfc4106(gcm(aes))"	},
+	{ENCR_NULL_AUTH_AES_GMAC,	"rfc4543(gcm(aes))"	},
+	{ENCR_CAMELLIA_CBC,			"cbc(camellia)"		},
+/*	{ENCR_CAMELLIA_CTR,			"***"				}, */
+/*	{ENCR_CAMELLIA_CCM_ICV8,	"***"				}, */
+/*	{ENCR_CAMELLIA_CCM_ICV12,	"***"				}, */
+/*	{ENCR_CAMELLIA_CCM_ICV16,	"***"				}, */
+	{ENCR_SERPENT_CBC,			"serpent"			},
+	{ENCR_TWOFISH_CBC,			"twofish"			},
+	{END_OF_LIST,				NULL				}
+};
+
+/**
+ * Algorithms for integrity protection
+ */
+static kernel_algorithm_t integrity_algs[] = {
+	{AUTH_HMAC_MD5_96,			"md5"				},
+	{AUTH_HMAC_SHA1_96,			"sha1"				},
+	{AUTH_HMAC_SHA2_256_96,		"sha256"			},
+	{AUTH_HMAC_SHA2_256_128,	"hmac(sha256)"		},
+	{AUTH_HMAC_SHA2_384_192,	"hmac(sha384)"		},
+	{AUTH_HMAC_SHA2_512_256,	"hmac(sha512)"		},
+/*	{AUTH_DES_MAC,				"***"				}, */
+/*	{AUTH_KPDK_MD5,				"***"				}, */
+	{AUTH_AES_XCBC_96,			"xcbc(aes)"			},
+	{END_OF_LIST,				NULL				}
+};
+
+/**
+ * Algorithms for IPComp
+ */
+static kernel_algorithm_t compression_algs[] = {
+/*	{IPCOMP_OUI,				"***"				}, */
+	{IPCOMP_DEFLATE,			"deflate"			},
+	{IPCOMP_LZS,				"lzs"				},
+	{IPCOMP_LZJH,				"lzjh"				},
+	{END_OF_LIST,				NULL				}
+};
+
+/**
+ * Look up a kernel algorithm name and its key size
+ */
+static char* lookup_algorithm(kernel_algorithm_t *list, int ikev2)
+{
+	while (list->ikev2 != END_OF_LIST)
+	{
+		if (list->ikev2 == ikev2)
+		{
+			return list->name;
+		}
+		list++;
+	}
+	return NULL;
+}
+
+typedef struct route_entry_t route_entry_t;
+
+/**
+ * installed routing entry
+ */
+struct route_entry_t {
+	/** Name of the interface the route is bound to */
+	char *if_name;
+
+	/** Source ip of the route */
+	host_t *src_ip;
+
+	/** gateway for this route */
+	host_t *gateway;
+
+	/** Destination net */
+	chunk_t dst_net;
+
+	/** Destination net prefixlen */
+	u_int8_t prefixlen;
+};
+
+/**
+ * destroy an route_entry_t object
+ */
+static void route_entry_destroy(route_entry_t *this)
+{
+	free(this->if_name);
+	this->src_ip->destroy(this->src_ip);
+	DESTROY_IF(this->gateway);
+	chunk_free(&this->dst_net);
+	free(this);
+}
+
+typedef struct policy_entry_t policy_entry_t;
+
+/**
+ * installed kernel policy.
+ */
+struct policy_entry_t {
+
+	/** direction of this policy: in, out, forward */
+	u_int8_t direction;
+
+	/** parameters of installed policy */
+	struct xfrm_selector sel;
+
+	/** optional mark */
+	u_int32_t mark;
+
+	/** associated route installed for this policy */
+	route_entry_t *route;
+
+	/** by how many CHILD_SA's this policy is used */
+	u_int refcount;
+};
+
+/**
+ * Hash function for policy_entry_t objects
+ */
+static u_int policy_hash(policy_entry_t *key)
+{
+	chunk_t chunk = chunk_create((void*)&key->sel,
+							sizeof(struct xfrm_selector) + sizeof(u_int32_t));
+	return chunk_hash(chunk);
+}
+
+/**
+ * Equality function for policy_entry_t objects
+ */
+static bool policy_equals(policy_entry_t *key, policy_entry_t *other_key)
+{
+	return memeq(&key->sel, &other_key->sel,
+				 sizeof(struct xfrm_selector) + sizeof(u_int32_t)) &&
+		   key->direction == other_key->direction;
+}
+
+typedef struct private_kernel_netlink_ipsec_t private_kernel_netlink_ipsec_t;
+
+/**
+ * Private variables and functions of kernel_netlink class.
+ */
+struct private_kernel_netlink_ipsec_t {
+	/**
+	 * Public part of the kernel_netlink_t object.
+	 */
+	kernel_netlink_ipsec_t public;
+
+	/**
+	 * mutex to lock access to various lists
+	 */
+	mutex_t *mutex;
+
+	/**
+	 * Hash table of installed policies (policy_entry_t)
+	 */
+	hashtable_t *policies;
+
+	/**
+	 * job receiving netlink events
+	 */
+	callback_job_t *job;
+
+	/**
+	 * Netlink xfrm socket (IPsec)
+	 */
+	netlink_socket_t *socket_xfrm;
+
+	/**
+	 * netlink xfrm socket to receive acquire and expire events
+	 */
+	int socket_xfrm_events;
+
+	/**
+	 * whether to install routes along policies
+	 */
+	bool install_routes;
+};
+
+/**
+ * convert the general ipsec mode to the one defined in xfrm.h
+ */
+static u_int8_t mode2kernel(ipsec_mode_t mode)
+{
+	switch (mode)
+	{
+		case MODE_TRANSPORT:
+			return XFRM_MODE_TRANSPORT;
+		case MODE_TUNNEL:
+			return XFRM_MODE_TUNNEL;
+		case MODE_BEET:
+			return XFRM_MODE_BEET;
+		default:
+			return mode;
+	}
+}
+
+/**
+ * convert a host_t to a struct xfrm_address
+ */
+static void host2xfrm(host_t *host, xfrm_address_t *xfrm)
+{
+	chunk_t chunk = host->get_address(host);
+	memcpy(xfrm, chunk.ptr, min(chunk.len, sizeof(xfrm_address_t)));
+}
+
+/**
+ * convert a struct xfrm_address to a host_t
+ */
+static host_t* xfrm2host(int family, xfrm_address_t *xfrm, u_int16_t port)
+{
+	chunk_t chunk;
+
+	switch (family)
+	{
+		case AF_INET:
+			chunk = chunk_create((u_char*)&xfrm->a4, sizeof(xfrm->a4));
+			break;
+		case AF_INET6:
+			chunk = chunk_create((u_char*)&xfrm->a6, sizeof(xfrm->a6));
+			break;
+		default:
+			return NULL;
+	}
+	return host_create_from_chunk(family, chunk, ntohs(port));
+}
+
+/**
+ * convert a traffic selector address range to subnet and its mask.
+ */
+static void ts2subnet(traffic_selector_t* ts,
+					  xfrm_address_t *net, u_int8_t *mask)
+{
+	host_t *net_host;
+	chunk_t net_chunk;
+
+	ts->to_subnet(ts, &net_host, mask);
+	net_chunk = net_host->get_address(net_host);
+	memcpy(net, net_chunk.ptr, net_chunk.len);
+	net_host->destroy(net_host);
+}
+
+/**
+ * convert a traffic selector port range to port/portmask
+ */
+static void ts2ports(traffic_selector_t* ts,
+					 u_int16_t *port, u_int16_t *mask)
+{
+	/* linux does not seem to accept complex portmasks. Only
+	 * any or a specific port is allowed. We set to any, if we have
+	 * a port range, or to a specific, if we have one port only.
+	 */
+	u_int16_t from, to;
+
+	from = ts->get_from_port(ts);
+	to = ts->get_to_port(ts);
+
+	if (from == to)
+	{
+		*port = htons(from);
+		*mask = ~0;
+	}
+	else
+	{
+		*port = 0;
+		*mask = 0;
+	}
+}
+
+/**
+ * convert a pair of traffic_selectors to a xfrm_selector
+ */
+static struct xfrm_selector ts2selector(traffic_selector_t *src,
+										traffic_selector_t *dst)
+{
+	struct xfrm_selector sel;
+
+	memset(&sel, 0, sizeof(sel));
+	sel.family = (src->get_type(src) == TS_IPV4_ADDR_RANGE) ? AF_INET : AF_INET6;
+	/* src or dest proto may be "any" (0), use more restrictive one */
+	sel.proto = max(src->get_protocol(src), dst->get_protocol(dst));
+	ts2subnet(dst, &sel.daddr, &sel.prefixlen_d);
+	ts2subnet(src, &sel.saddr, &sel.prefixlen_s);
+	ts2ports(dst, &sel.dport, &sel.dport_mask);
+	ts2ports(src, &sel.sport, &sel.sport_mask);
+	sel.ifindex = 0;
+	sel.user = 0;
+
+	return sel;
+}
+
+/**
+ * convert a xfrm_selector to a src|dst traffic_selector
+ */
+static traffic_selector_t* selector2ts(struct xfrm_selector *sel, bool src)
+{
+	u_char *addr;
+	u_int8_t prefixlen;
+	u_int16_t port = 0;
+	host_t *host = NULL;
+
+	if (src)
+	{
+		addr = (u_char*)&sel->saddr;
+		prefixlen = sel->prefixlen_s;
+		if (sel->sport_mask)
+		{
+			port = htons(sel->sport);
+		}
+	}
+	else
+	{
+		addr = (u_char*)&sel->daddr;
+		prefixlen = sel->prefixlen_d;
+		if (sel->dport_mask)
+		{
+			port = htons(sel->dport);
+		}
+	}
+
+	/* The Linux 2.6 kernel does not set the selector's family field,
+	 * so as a kludge we additionally test the prefix length.
+	 */
+	if (sel->family == AF_INET || sel->prefixlen_s == 32)
+	{
+		host = host_create_from_chunk(AF_INET, chunk_create(addr, 4), 0);
+	}
+	else if (sel->family == AF_INET6 || sel->prefixlen_s == 128)
+	{
+		host = host_create_from_chunk(AF_INET6, chunk_create(addr, 16), 0);
+	}
+
+	if (host)
+	{
+		return traffic_selector_create_from_subnet(host, prefixlen,
+												   sel->proto, port);
+	}
+	return NULL;
+}
+
+/**
+ * process a XFRM_MSG_ACQUIRE from kernel
+ */
+static void process_acquire(private_kernel_netlink_ipsec_t *this, struct nlmsghdr *hdr)
+{
+	u_int32_t reqid = 0;
+	int proto = 0;
+	traffic_selector_t *src_ts, *dst_ts;
+	struct xfrm_user_acquire *acquire;
+	struct rtattr *rta;
+	size_t rtasize;
+
+	acquire = (struct xfrm_user_acquire*)NLMSG_DATA(hdr);
+	rta = XFRM_RTA(hdr, struct xfrm_user_acquire);
+	rtasize = XFRM_PAYLOAD(hdr, struct xfrm_user_acquire);
+
+	DBG2(DBG_KNL, "received a XFRM_MSG_ACQUIRE");
+
+	while (RTA_OK(rta, rtasize))
+	{
+		DBG2(DBG_KNL, "  %N", xfrm_attr_type_names, rta->rta_type);
+
+		if (rta->rta_type == XFRMA_TMPL)
+		{
+			struct xfrm_user_tmpl* tmpl;
+
+			tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rta);
+			reqid = tmpl->reqid;
+			proto = tmpl->id.proto;
+		}
+		rta = RTA_NEXT(rta, rtasize);
+	}
+	switch (proto)
+	{
+		case 0:
+		case IPPROTO_ESP:
+		case IPPROTO_AH:
+			break;
+		default:
+			/* acquire for AH/ESP only, not for IPCOMP */
+			return;
+	}
+	src_ts = selector2ts(&acquire->sel, TRUE);
+	dst_ts = selector2ts(&acquire->sel, FALSE);
+
+	hydra->kernel_interface->acquire(hydra->kernel_interface, reqid, src_ts,
+									 dst_ts);
+}
+
+/**
+ * process a XFRM_MSG_EXPIRE from kernel
+ */
+static void process_expire(private_kernel_netlink_ipsec_t *this, struct nlmsghdr *hdr)
+{
+	u_int8_t protocol;
+	u_int32_t spi, reqid;
+	struct xfrm_user_expire *expire;
+
+	expire = (struct xfrm_user_expire*)NLMSG_DATA(hdr);
+	protocol = expire->state.id.proto;
+	spi = expire->state.id.spi;
+	reqid = expire->state.reqid;
+
+	DBG2(DBG_KNL, "received a XFRM_MSG_EXPIRE");
+
+	if (protocol != IPPROTO_ESP && protocol != IPPROTO_AH)
+	{
+		DBG2(DBG_KNL, "ignoring XFRM_MSG_EXPIRE for SA with SPI %.8x and "
+					  "reqid {%u} which is not a CHILD_SA", ntohl(spi), reqid);
+		return;
+	}
+
+	hydra->kernel_interface->expire(hydra->kernel_interface, reqid, protocol,
+									spi, expire->hard != 0);
+}
+
+/**
+ * process a XFRM_MSG_MIGRATE from kernel
+ */
+static void process_migrate(private_kernel_netlink_ipsec_t *this, struct nlmsghdr *hdr)
+{
+	traffic_selector_t *src_ts, *dst_ts;
+	host_t *local = NULL, *remote = NULL;
+	host_t *old_src = NULL, *old_dst = NULL;
+	host_t *new_src = NULL, *new_dst = NULL;
+	struct xfrm_userpolicy_id *policy_id;
+	struct rtattr *rta;
+	size_t rtasize;
+	u_int32_t reqid = 0;
+	policy_dir_t dir;
+
+	policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
+	rta     = XFRM_RTA(hdr, struct xfrm_userpolicy_id);
+	rtasize = XFRM_PAYLOAD(hdr, struct xfrm_userpolicy_id);
+
+	DBG2(DBG_KNL, "received a XFRM_MSG_MIGRATE");
+
+	src_ts = selector2ts(&policy_id->sel, TRUE);
+	dst_ts = selector2ts(&policy_id->sel, FALSE);
+	dir = (policy_dir_t)policy_id->dir;
+
+	DBG2(DBG_KNL, "  policy: %R === %R %N", src_ts, dst_ts, policy_dir_names);
+
+	while (RTA_OK(rta, rtasize))
+	{
+		DBG2(DBG_KNL, "  %N", xfrm_attr_type_names, rta->rta_type);
+		if (rta->rta_type == XFRMA_KMADDRESS)
+		{
+			struct xfrm_user_kmaddress *kmaddress;
+
+			kmaddress = (struct xfrm_user_kmaddress*)RTA_DATA(rta);
+			local  = xfrm2host(kmaddress->family, &kmaddress->local, 0);
+			remote = xfrm2host(kmaddress->family, &kmaddress->remote, 0);
+			DBG2(DBG_KNL, "  kmaddress: %H...%H", local, remote);
+		}
+		else if (rta->rta_type == XFRMA_MIGRATE)
+		{
+			struct xfrm_user_migrate *migrate;
+
+			migrate = (struct xfrm_user_migrate*)RTA_DATA(rta);
+			old_src = xfrm2host(migrate->old_family, &migrate->old_saddr, 0);
+			old_dst = xfrm2host(migrate->old_family, &migrate->old_daddr, 0);
+			new_src = xfrm2host(migrate->new_family, &migrate->new_saddr, 0);
+			new_dst = xfrm2host(migrate->new_family, &migrate->new_daddr, 0);
+			reqid = migrate->reqid;
+			DBG2(DBG_KNL, "  migrate %H...%H to %H...%H, reqid {%u}",
+						  old_src, old_dst, new_src, new_dst, reqid);
+			DESTROY_IF(old_src);
+			DESTROY_IF(old_dst);
+			DESTROY_IF(new_src);
+			DESTROY_IF(new_dst);
+		}
+		rta = RTA_NEXT(rta, rtasize);
+	}
+
+	if (src_ts && dst_ts && local && remote)
+	{
+		hydra->kernel_interface->migrate(hydra->kernel_interface, reqid,
+										 src_ts, dst_ts, dir, local, remote);
+	}
+	else
+	{
+		DESTROY_IF(src_ts);
+		DESTROY_IF(dst_ts);
+		DESTROY_IF(local);
+		DESTROY_IF(remote);
+	}
+}
+
+/**
+ * process a XFRM_MSG_MAPPING from kernel
+ */
+static void process_mapping(private_kernel_netlink_ipsec_t *this,
+							struct nlmsghdr *hdr)
+{
+	u_int32_t spi, reqid;
+	struct xfrm_user_mapping *mapping;
+	host_t *host;
+
+	mapping = (struct xfrm_user_mapping*)NLMSG_DATA(hdr);
+	spi = mapping->id.spi;
+	reqid = mapping->reqid;
+
+	DBG2(DBG_KNL, "received a XFRM_MSG_MAPPING");
+
+	if (mapping->id.proto == IPPROTO_ESP)
+	{
+		host = xfrm2host(mapping->id.family, &mapping->new_saddr,
+						 mapping->new_sport);
+		if (host)
+		{
+			hydra->kernel_interface->mapping(hydra->kernel_interface, reqid,
+											 spi, host);
+		}
+	}
+}
+
+/**
+ * Receives events from kernel
+ */
+static job_requeue_t receive_events(private_kernel_netlink_ipsec_t *this)
+{
+	char response[1024];
+	struct nlmsghdr *hdr = (struct nlmsghdr*)response;
+	struct sockaddr_nl addr;
+	socklen_t addr_len = sizeof(addr);
+	int len;
+	bool oldstate;
+
+	oldstate = thread_cancelability(TRUE);
+	len = recvfrom(this->socket_xfrm_events, response, sizeof(response), 0,
+				   (struct sockaddr*)&addr, &addr_len);
+	thread_cancelability(oldstate);
+
+	if (len < 0)
+	{
+		switch (errno)
+		{
+			case EINTR:
+				/* interrupted, try again */
+				return JOB_REQUEUE_DIRECT;
+			case EAGAIN:
+				/* no data ready, select again */
+				return JOB_REQUEUE_DIRECT;
+			default:
+				DBG1(DBG_KNL, "unable to receive from xfrm event socket");
+				sleep(1);
+				return JOB_REQUEUE_FAIR;
+		}
+	}
+
+	if (addr.nl_pid != 0)
+	{	/* not from kernel. not interested, try another one */
+		return JOB_REQUEUE_DIRECT;
+	}
+
+	while (NLMSG_OK(hdr, len))
+	{
+		switch (hdr->nlmsg_type)
+		{
+			case XFRM_MSG_ACQUIRE:
+				process_acquire(this, hdr);
+				break;
+			case XFRM_MSG_EXPIRE:
+				process_expire(this, hdr);
+				break;
+			case XFRM_MSG_MIGRATE:
+				process_migrate(this, hdr);
+				break;
+			case XFRM_MSG_MAPPING:
+				process_mapping(this, hdr);
+				break;
+			default:
+				DBG1(DBG_KNL, "received unknown event from xfrm event socket: %d", hdr->nlmsg_type);
+				break;
+		}
+		hdr = NLMSG_NEXT(hdr, len);
+	}
+	return JOB_REQUEUE_DIRECT;
+}
+
+/**
+ * Get an SPI for a specific protocol from the kernel.
+ */
+static status_t get_spi_internal(private_kernel_netlink_ipsec_t *this,
+		host_t *src, host_t *dst, u_int8_t proto, u_int32_t min, u_int32_t max,
+		u_int32_t reqid, u_int32_t *spi)
+{
+	netlink_buf_t request;
+	struct nlmsghdr *hdr, *out;
+	struct xfrm_userspi_info *userspi;
+	u_int32_t received_spi = 0;
+	size_t len;
+
+	memset(&request, 0, sizeof(request));
+
+	hdr = (struct nlmsghdr*)request;
+	hdr->nlmsg_flags = NLM_F_REQUEST;
+	hdr->nlmsg_type = XFRM_MSG_ALLOCSPI;
+	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userspi_info));
+
+	userspi = (struct xfrm_userspi_info*)NLMSG_DATA(hdr);
+	host2xfrm(src, &userspi->info.saddr);
+	host2xfrm(dst, &userspi->info.id.daddr);
+	userspi->info.id.proto = proto;
+	userspi->info.mode = XFRM_MODE_TUNNEL;
+	userspi->info.reqid = reqid;
+	userspi->info.family = src->get_family(src);
+	userspi->min = min;
+	userspi->max = max;
+
+	if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
+	{
+		hdr = out;
+		while (NLMSG_OK(hdr, len))
+		{
+			switch (hdr->nlmsg_type)
+			{
+				case XFRM_MSG_NEWSA:
+				{
+					struct xfrm_usersa_info* usersa = NLMSG_DATA(hdr);
+					received_spi = usersa->id.spi;
+					break;
+				}
+				case NLMSG_ERROR:
+				{
+					struct nlmsgerr *err = NLMSG_DATA(hdr);
+
+					DBG1(DBG_KNL, "allocating SPI failed: %s (%d)",
+						 strerror(-err->error), -err->error);
+					break;
+				}
+				default:
+					hdr = NLMSG_NEXT(hdr, len);
+					continue;
+				case NLMSG_DONE:
+					break;
+			}
+			break;
+		}
+		free(out);
+	}
+
+	if (received_spi == 0)
+	{
+		return FAILED;
+	}
+
+	*spi = received_spi;
+	return SUCCESS;
+}
+
+METHOD(kernel_ipsec_t, get_spi, status_t,
+	private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
+	u_int8_t protocol, u_int32_t reqid, u_int32_t *spi)
+{
+	DBG2(DBG_KNL, "getting SPI for reqid {%u}", reqid);
+
+	if (get_spi_internal(this, src, dst, protocol,
+			0xc0000000, 0xcFFFFFFF, reqid, spi) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "unable to get SPI for reqid {%u}", reqid);
+		return FAILED;
+	}
+
+	DBG2(DBG_KNL, "got SPI %.8x for reqid {%u}", ntohl(*spi), reqid);
+
+	return SUCCESS;
+}
+
+METHOD(kernel_ipsec_t, get_cpi, status_t,
+	private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
+	u_int32_t reqid, u_int16_t *cpi)
+{
+	u_int32_t received_spi = 0;
+
+	DBG2(DBG_KNL, "getting CPI for reqid {%u}", reqid);
+
+	if (get_spi_internal(this, src, dst,
+			IPPROTO_COMP, 0x100, 0xEFFF, reqid, &received_spi) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "unable to get CPI for reqid {%u}", reqid);
+		return FAILED;
+	}
+
+	*cpi = htons((u_int16_t)ntohl(received_spi));
+
+	DBG2(DBG_KNL, "got CPI %.4x for reqid {%u}", ntohs(*cpi), reqid);
+
+	return SUCCESS;
+}
+
+METHOD(kernel_ipsec_t, add_sa, status_t,
+	private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
+	u_int32_t spi, u_int8_t protocol, u_int32_t reqid, mark_t mark,
+	lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
+	u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp,
+	u_int16_t cpi, bool encap, bool inbound,
+	traffic_selector_t* src_ts, traffic_selector_t* dst_ts)
+{
+	netlink_buf_t request;
+	char *alg_name;
+	struct nlmsghdr *hdr;
+	struct xfrm_usersa_info *sa;
+	u_int16_t icv_size = 64;
+
+	/* if IPComp is used, we install an additional IPComp SA. if the cpi is 0
+	 * we are in the recursive call below */
+	if (ipcomp != IPCOMP_NONE && cpi != 0)
+	{
+		lifetime_cfg_t lft = {{0,0,0},{0,0,0},{0,0,0}};
+		add_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, reqid, mark,
+			   &lft, ENCR_UNDEFINED, chunk_empty, AUTH_UNDEFINED, chunk_empty,
+			   mode, ipcomp, 0, FALSE, inbound, NULL, NULL);
+		ipcomp = IPCOMP_NONE;
+		/* use transport mode ESP SA, IPComp uses tunnel mode */
+		mode = MODE_TRANSPORT;
+	}
+
+	memset(&request, 0, sizeof(request));
+
+	if (mark.value)
+	{
+		DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%u}  "
+					  "(mark %u/0x%8x)", ntohl(spi), reqid, mark.value, mark.mask);
+	}
+	else
+	{
+		DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%u}",
+					   ntohl(spi), reqid);
+	}
+	hdr = (struct nlmsghdr*)request;
+	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
+	hdr->nlmsg_type = inbound ? XFRM_MSG_UPDSA : XFRM_MSG_NEWSA;
+	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
+
+	sa = (struct xfrm_usersa_info*)NLMSG_DATA(hdr);
+	host2xfrm(src, &sa->saddr);
+	host2xfrm(dst, &sa->id.daddr);
+	sa->id.spi = spi;
+	sa->id.proto = protocol;
+	sa->family = src->get_family(src);
+	sa->mode = mode2kernel(mode);
+	switch (mode)
+	{
+		case MODE_TUNNEL:
+			sa->flags |= XFRM_STATE_AF_UNSPEC;
+			break;
+		case MODE_BEET:
+			if(src_ts && dst_ts)
+			{
+				sa->sel = ts2selector(src_ts, dst_ts);
+			}
+			break;
+		default:
+			break;
+	}
+
+	sa->replay_window = (protocol == IPPROTO_COMP) ? 0 : 32;
+	sa->reqid = reqid;
+	sa->lft.soft_byte_limit = XFRM_LIMIT(lifetime->bytes.rekey);
+	sa->lft.hard_byte_limit = XFRM_LIMIT(lifetime->bytes.life);
+	sa->lft.soft_packet_limit = XFRM_LIMIT(lifetime->packets.rekey);
+	sa->lft.hard_packet_limit = XFRM_LIMIT(lifetime->packets.life);
+	/* we use lifetimes since added, not since used */
+	sa->lft.soft_add_expires_seconds = lifetime->time.rekey;
+	sa->lft.hard_add_expires_seconds = lifetime->time.life;
+	sa->lft.soft_use_expires_seconds = 0;
+	sa->lft.hard_use_expires_seconds = 0;
+
+	struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_usersa_info);
+
+	switch (enc_alg)
+	{
+		case ENCR_UNDEFINED:
+			/* no encryption */
+			break;
+		case ENCR_AES_CCM_ICV16:
+		case ENCR_AES_GCM_ICV16:
+		case ENCR_NULL_AUTH_AES_GMAC:
+		case ENCR_CAMELLIA_CCM_ICV16:
+			icv_size += 32;
+			/* FALL */
+		case ENCR_AES_CCM_ICV12:
+		case ENCR_AES_GCM_ICV12:
+		case ENCR_CAMELLIA_CCM_ICV12:
+			icv_size += 32;
+			/* FALL */
+		case ENCR_AES_CCM_ICV8:
+		case ENCR_AES_GCM_ICV8:
+		case ENCR_CAMELLIA_CCM_ICV8:
+		{
+			struct xfrm_algo_aead *algo;
+
+			alg_name = lookup_algorithm(encryption_algs, enc_alg);
+			if (alg_name == NULL)
+			{
+				DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
+					 encryption_algorithm_names, enc_alg);
+				return FAILED;
+			}
+			DBG2(DBG_KNL, "  using encryption algorithm %N with key size %d",
+				 encryption_algorithm_names, enc_alg, enc_key.len * 8);
+
+			rthdr->rta_type = XFRMA_ALG_AEAD;
+			rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo_aead) + enc_key.len);
+			hdr->nlmsg_len += rthdr->rta_len;
+			if (hdr->nlmsg_len > sizeof(request))
+			{
+				return FAILED;
+			}
+
+			algo = (struct xfrm_algo_aead*)RTA_DATA(rthdr);
+			algo->alg_key_len = enc_key.len * 8;
+			algo->alg_icv_len = icv_size;
+			strcpy(algo->alg_name, alg_name);
+			memcpy(algo->alg_key, enc_key.ptr, enc_key.len);
+
+			rthdr = XFRM_RTA_NEXT(rthdr);
+			break;
+		}
+		default:
+		{
+			struct xfrm_algo *algo;
+
+			alg_name = lookup_algorithm(encryption_algs, enc_alg);
+			if (alg_name == NULL)
+			{
+				DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
+					 encryption_algorithm_names, enc_alg);
+				return FAILED;
+			}
+			DBG2(DBG_KNL, "  using encryption algorithm %N with key size %d",
+				 encryption_algorithm_names, enc_alg, enc_key.len * 8);
+
+			rthdr->rta_type = XFRMA_ALG_CRYPT;
+			rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + enc_key.len);
+			hdr->nlmsg_len += rthdr->rta_len;
+			if (hdr->nlmsg_len > sizeof(request))
+			{
+				return FAILED;
+			}
+
+			algo = (struct xfrm_algo*)RTA_DATA(rthdr);
+			algo->alg_key_len = enc_key.len * 8;
+			strcpy(algo->alg_name, alg_name);
+			memcpy(algo->alg_key, enc_key.ptr, enc_key.len);
+
+			rthdr = XFRM_RTA_NEXT(rthdr);
+		}
+	}
+
+	if (int_alg != AUTH_UNDEFINED)
+	{
+		alg_name = lookup_algorithm(integrity_algs, int_alg);
+		if (alg_name == NULL)
+		{
+			DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
+				 integrity_algorithm_names, int_alg);
+			return FAILED;
+		}
+		DBG2(DBG_KNL, "  using integrity algorithm %N with key size %d",
+			 integrity_algorithm_names, int_alg, int_key.len * 8);
+
+		if (int_alg == AUTH_HMAC_SHA2_256_128)
+		{
+			struct xfrm_algo_auth* algo;
+
+			/* the kernel uses SHA256 with 96 bit truncation by default,
+			 * use specified truncation size supported by newer kernels */
+			rthdr->rta_type = XFRMA_ALG_AUTH_TRUNC;
+			rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo_auth) + int_key.len);
+
+			hdr->nlmsg_len += rthdr->rta_len;
+			if (hdr->nlmsg_len > sizeof(request))
+			{
+				return FAILED;
+			}
+
+			algo = (struct xfrm_algo_auth*)RTA_DATA(rthdr);
+			algo->alg_key_len = int_key.len * 8;
+			algo->alg_trunc_len = 128;
+			strcpy(algo->alg_name, alg_name);
+			memcpy(algo->alg_key, int_key.ptr, int_key.len);
+		}
+		else
+		{
+			struct xfrm_algo* algo;
+
+			rthdr->rta_type = XFRMA_ALG_AUTH;
+			rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + int_key.len);
+
+			hdr->nlmsg_len += rthdr->rta_len;
+			if (hdr->nlmsg_len > sizeof(request))
+			{
+				return FAILED;
+			}
+
+			algo = (struct xfrm_algo*)RTA_DATA(rthdr);
+			algo->alg_key_len = int_key.len * 8;
+			strcpy(algo->alg_name, alg_name);
+			memcpy(algo->alg_key, int_key.ptr, int_key.len);
+		}
+		rthdr = XFRM_RTA_NEXT(rthdr);
+	}
+
+	if (ipcomp != IPCOMP_NONE)
+	{
+		rthdr->rta_type = XFRMA_ALG_COMP;
+		alg_name = lookup_algorithm(compression_algs, ipcomp);
+		if (alg_name == NULL)
+		{
+			DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
+				 ipcomp_transform_names, ipcomp);
+			return FAILED;
+		}
+		DBG2(DBG_KNL, "  using compression algorithm %N",
+			 ipcomp_transform_names, ipcomp);
+
+		rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo));
+		hdr->nlmsg_len += rthdr->rta_len;
+		if (hdr->nlmsg_len > sizeof(request))
+		{
+			return FAILED;
+		}
+
+		struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
+		algo->alg_key_len = 0;
+		strcpy(algo->alg_name, alg_name);
+
+		rthdr = XFRM_RTA_NEXT(rthdr);
+	}
+
+	if (encap)
+	{
+		struct xfrm_encap_tmpl *tmpl;
+
+		rthdr->rta_type = XFRMA_ENCAP;
+		rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_encap_tmpl));
+
+		hdr->nlmsg_len += rthdr->rta_len;
+		if (hdr->nlmsg_len > sizeof(request))
+		{
+			return FAILED;
+		}
+
+		tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rthdr);
+		tmpl->encap_type = UDP_ENCAP_ESPINUDP;
+		tmpl->encap_sport = htons(src->get_port(src));
+		tmpl->encap_dport = htons(dst->get_port(dst));
+		memset(&tmpl->encap_oa, 0, sizeof (xfrm_address_t));
+		/* encap_oa could probably be derived from the
+		 * traffic selectors [rfc4306, p39]. In the netlink kernel implementation
+		 * pluto does the same as we do here but it uses encap_oa in the
+		 * pfkey implementation. BUT as /usr/src/linux/net/key/af_key.c indicates
+		 * the kernel ignores it anyway
+		 *   -> does that mean that NAT-T encap doesn't work in transport mode?
+		 * No. The reason the kernel ignores NAT-OA is that it recomputes
+		 * (or, rather, just ignores) the checksum. If packets pass
+		 * the IPsec checks it marks them "checksum ok" so OA isn't needed. */
+		rthdr = XFRM_RTA_NEXT(rthdr);
+	}
+
+	if (mark.value)
+	{
+		struct xfrm_mark *mrk;
+
+		rthdr->rta_type = XFRMA_MARK;
+		rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_mark));
+
+		hdr->nlmsg_len += rthdr->rta_len;
+		if (hdr->nlmsg_len > sizeof(request))
+		{
+			return FAILED;
+		}
+
+		mrk = (struct xfrm_mark*)RTA_DATA(rthdr);
+		mrk->v = mark.value;
+		mrk->m = mark.mask;
+		rthdr = XFRM_RTA_NEXT(rthdr);
+	}
+
+	if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
+	{
+		if (mark.value)
+		{
+			DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x  "
+						  "(mark %u/0x%8x)", ntohl(spi), mark.value, mark.mask);
+		}
+		else
+		{
+			DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x", ntohl(spi));
+		}
+		return FAILED;
+	}
+	return SUCCESS;
+}
+
+/**
+ * Get the replay state (i.e. sequence numbers) of an SA.
+ */
+static status_t get_replay_state(private_kernel_netlink_ipsec_t *this,
+						  u_int32_t spi, u_int8_t protocol, host_t *dst,
+						  struct xfrm_replay_state *replay)
+{
+	netlink_buf_t request;
+	struct nlmsghdr *hdr, *out = NULL;
+	struct xfrm_aevent_id *out_aevent = NULL, *aevent_id;
+	size_t len;
+	struct rtattr *rta;
+	size_t rtasize;
+
+	memset(&request, 0, sizeof(request));
+
+	DBG2(DBG_KNL, "querying replay state from SAD entry with SPI %.8x", ntohl(spi));
+
+	hdr = (struct nlmsghdr*)request;
+	hdr->nlmsg_flags = NLM_F_REQUEST;
+	hdr->nlmsg_type = XFRM_MSG_GETAE;
+	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_aevent_id));
+
+	aevent_id = (struct xfrm_aevent_id*)NLMSG_DATA(hdr);
+	aevent_id->flags = XFRM_AE_RVAL;
+
+	host2xfrm(dst, &aevent_id->sa_id.daddr);
+	aevent_id->sa_id.spi = spi;
+	aevent_id->sa_id.proto = protocol;
+	aevent_id->sa_id.family = dst->get_family(dst);
+
+	if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
+	{
+		hdr = out;
+		while (NLMSG_OK(hdr, len))
+		{
+			switch (hdr->nlmsg_type)
+			{
+				case XFRM_MSG_NEWAE:
+				{
+					out_aevent = NLMSG_DATA(hdr);
+					break;
+				}
+				case NLMSG_ERROR:
+				{
+					struct nlmsgerr *err = NLMSG_DATA(hdr);
+					DBG1(DBG_KNL, "querying replay state from SAD entry failed: %s (%d)",
+						 strerror(-err->error), -err->error);
+					break;
+				}
+				default:
+					hdr = NLMSG_NEXT(hdr, len);
+					continue;
+				case NLMSG_DONE:
+					break;
+			}
+			break;
+		}
+	}
+
+	if (out_aevent == NULL)
+	{
+		DBG1(DBG_KNL, "unable to query replay state from SAD entry with SPI %.8x",
+					  ntohl(spi));
+		free(out);
+		return FAILED;
+	}
+
+	rta = XFRM_RTA(out, struct xfrm_aevent_id);
+	rtasize = XFRM_PAYLOAD(out, struct xfrm_aevent_id);
+	while(RTA_OK(rta, rtasize))
+	{
+		if (rta->rta_type == XFRMA_REPLAY_VAL &&
+			RTA_PAYLOAD(rta) == sizeof(struct xfrm_replay_state))
+		{
+			memcpy(replay, RTA_DATA(rta), RTA_PAYLOAD(rta));
+			free(out);
+			return SUCCESS;
+		}
+		rta = RTA_NEXT(rta, rtasize);
+	}
+
+	DBG1(DBG_KNL, "unable to query replay state from SAD entry with SPI %.8x",
+				  ntohl(spi));
+	free(out);
+	return FAILED;
+}
+
+METHOD(kernel_ipsec_t, query_sa, status_t,
+	private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
+	u_int32_t spi, u_int8_t protocol, mark_t mark, u_int64_t *bytes)
+{
+	netlink_buf_t request;
+	struct nlmsghdr *out = NULL, *hdr;
+	struct xfrm_usersa_id *sa_id;
+	struct xfrm_usersa_info *sa = NULL;
+	size_t len;
+
+	memset(&request, 0, sizeof(request));
+
+	if (mark.value)
+	{
+		DBG2(DBG_KNL, "querying SAD entry with SPI %.8x  (mark %u/0x%8x)",
+					   ntohl(spi), mark.value, mark.mask);
+	}
+	else
+	{
+		DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi));
+	}
+	hdr = (struct nlmsghdr*)request;
+	hdr->nlmsg_flags = NLM_F_REQUEST;
+	hdr->nlmsg_type = XFRM_MSG_GETSA;
+	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
+
+	sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
+	host2xfrm(dst, &sa_id->daddr);
+	sa_id->spi = spi;
+	sa_id->proto = protocol;
+	sa_id->family = dst->get_family(dst);
+
+	if (mark.value)
+	{
+		struct xfrm_mark *mrk;
+		struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_usersa_id);
+
+		rthdr->rta_type = XFRMA_MARK;
+		rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_mark));
+		hdr->nlmsg_len += rthdr->rta_len;
+		if (hdr->nlmsg_len > sizeof(request))
+		{
+			return FAILED;
+		}
+
+		mrk = (struct xfrm_mark*)RTA_DATA(rthdr);
+		mrk->v = mark.value;
+		mrk->m = mark.mask;
+	}
+
+	if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
+	{
+		hdr = out;
+		while (NLMSG_OK(hdr, len))
+		{
+			switch (hdr->nlmsg_type)
+			{
+				case XFRM_MSG_NEWSA:
+				{
+					sa = (struct xfrm_usersa_info*)NLMSG_DATA(hdr);
+					break;
+				}
+				case NLMSG_ERROR:
+				{
+					struct nlmsgerr *err = NLMSG_DATA(hdr);
+
+					if (mark.value)
+					{
+						DBG1(DBG_KNL, "querying SAD entry with SPI %.8x  "
+									  "(mark %u/0x%8x) failed: %s (%d)",
+									   ntohl(spi), mark.value, mark.mask,
+									   strerror(-err->error), -err->error);
+					}
+					else
+					{
+						DBG1(DBG_KNL, "querying SAD entry with SPI %.8x "
+									  "failed: %s (%d)", ntohl(spi),
+									   strerror(-err->error), -err->error);
+					}
+					break;
+				}
+				default:
+					hdr = NLMSG_NEXT(hdr, len);
+					continue;
+				case NLMSG_DONE:
+					break;
+			}
+			break;
+		}
+	}
+
+	if (sa == NULL)
+	{
+		DBG2(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi));
+		free(out);
+		return FAILED;
+	}
+	*bytes = sa->curlft.bytes;
+
+	free(out);
+	return SUCCESS;
+}
+
+METHOD(kernel_ipsec_t, del_sa, status_t,
+	private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
+	u_int32_t spi, u_int8_t protocol, u_int16_t cpi, mark_t mark)
+{
+	netlink_buf_t request;
+	struct nlmsghdr *hdr;
+	struct xfrm_usersa_id *sa_id;
+
+	/* if IPComp was used, we first delete the additional IPComp SA */
+	if (cpi)
+	{
+		del_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, 0, mark);
+	}
+
+	memset(&request, 0, sizeof(request));
+
+	if (mark.value)
+	{
+		DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x  (mark %u/0x%8x)",
+					   ntohl(spi), mark.value, mark.mask);
+	}
+	else
+	{
+		DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x", ntohl(spi));
+	}
+	hdr = (struct nlmsghdr*)request;
+	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
+	hdr->nlmsg_type = XFRM_MSG_DELSA;
+	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
+
+	sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
+	host2xfrm(dst, &sa_id->daddr);
+	sa_id->spi = spi;
+	sa_id->proto = protocol;
+	sa_id->family = dst->get_family(dst);
+
+	if (mark.value)
+	{
+		struct xfrm_mark *mrk;
+		struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_usersa_id);
+
+		rthdr->rta_type = XFRMA_MARK;
+		rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_mark));
+		hdr->nlmsg_len += rthdr->rta_len;
+		if (hdr->nlmsg_len > sizeof(request))
+		{
+			return FAILED;
+		}
+
+		mrk = (struct xfrm_mark*)RTA_DATA(rthdr);
+		mrk->v = mark.value;
+		mrk->m = mark.mask;
+	}
+
+	if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
+	{
+		if (mark.value)
+		{
+			DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x  "
+						  "(mark %u/0x%8x)", ntohl(spi), mark.value, mark.mask);
+		}
+		else
+		{
+			DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x", ntohl(spi));
+		}
+		return FAILED;
+	}
+	if (mark.value)
+	{
+		DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x  (mark %u/0x%8x)",
+					   ntohl(spi), mark.value, mark.mask);
+	}
+	else
+	{
+		DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x", ntohl(spi));
+	}
+	return SUCCESS;
+}
+
+METHOD(kernel_ipsec_t, update_sa, status_t,
+	private_kernel_netlink_ipsec_t *this, u_int32_t spi, u_int8_t protocol,
+	u_int16_t cpi, host_t *src, host_t *dst, host_t *new_src, host_t *new_dst,
+	bool old_encap, bool new_encap, mark_t mark)
+{
+	netlink_buf_t request;
+	u_char *pos;
+	struct nlmsghdr *hdr, *out = NULL;
+	struct xfrm_usersa_id *sa_id;
+	struct xfrm_usersa_info *out_sa = NULL, *sa;
+	size_t len;
+	struct rtattr *rta;
+	size_t rtasize;
+	struct xfrm_encap_tmpl* tmpl = NULL;
+	bool got_replay_state = FALSE;
+	struct xfrm_replay_state replay;
+
+	/* if IPComp is used, we first update the IPComp SA */
+	if (cpi)
+	{
+		update_sa(this, htonl(ntohs(cpi)), IPPROTO_COMP, 0,
+				  src, dst, new_src, new_dst, FALSE, FALSE, mark);
+	}
+
+	memset(&request, 0, sizeof(request));
+
+	DBG2(DBG_KNL, "querying SAD entry with SPI %.8x for update", ntohl(spi));
+
+	/* query the existing SA first */
+	hdr = (struct nlmsghdr*)request;
+	hdr->nlmsg_flags = NLM_F_REQUEST;
+	hdr->nlmsg_type = XFRM_MSG_GETSA;
+	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
+
+	sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
+	host2xfrm(dst, &sa_id->daddr);
+	sa_id->spi = spi;
+	sa_id->proto = protocol;
+	sa_id->family = dst->get_family(dst);
+
+	if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
+	{
+		hdr = out;
+		while (NLMSG_OK(hdr, len))
+		{
+			switch (hdr->nlmsg_type)
+			{
+				case XFRM_MSG_NEWSA:
+				{
+					out_sa = NLMSG_DATA(hdr);
+					break;
+				}
+				case NLMSG_ERROR:
+				{
+					struct nlmsgerr *err = NLMSG_DATA(hdr);
+					DBG1(DBG_KNL, "querying SAD entry failed: %s (%d)",
+						 strerror(-err->error), -err->error);
+					break;
+				}
+				default:
+					hdr = NLMSG_NEXT(hdr, len);
+					continue;
+				case NLMSG_DONE:
+					break;
+			}
+			break;
+		}
+	}
+	if (out_sa == NULL)
+	{
+		DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi));
+		free(out);
+		return FAILED;
+	}
+
+	/* try to get the replay state */
+	if (get_replay_state(this, spi, protocol, dst, &replay) == SUCCESS)
+	{
+		got_replay_state = TRUE;
+	}
+
+	/* delete the old SA (without affecting the IPComp SA) */
+	if (del_sa(this, src, dst, spi, protocol, 0, mark) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "unable to delete old SAD entry with SPI %.8x", ntohl(spi));
+		free(out);
+		return FAILED;
+	}
+
+	DBG2(DBG_KNL, "updating SAD entry with SPI %.8x from %#H..%#H to %#H..%#H",
+		 ntohl(spi), src, dst, new_src, new_dst);
+	/* copy over the SA from out to request */
+	hdr = (struct nlmsghdr*)request;
+	memcpy(hdr, out, min(out->nlmsg_len, sizeof(request)));
+	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
+	hdr->nlmsg_type = XFRM_MSG_NEWSA;
+	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
+	sa = NLMSG_DATA(hdr);
+	sa->family = new_dst->get_family(new_dst);
+
+	if (!src->ip_equals(src, new_src))
+	{
+		host2xfrm(new_src, &sa->saddr);
+	}
+	if (!dst->ip_equals(dst, new_dst))
+	{
+		host2xfrm(new_dst, &sa->id.daddr);
+	}
+
+	rta = XFRM_RTA(out, struct xfrm_usersa_info);
+	rtasize = XFRM_PAYLOAD(out, struct xfrm_usersa_info);
+	pos = (u_char*)XFRM_RTA(hdr, struct xfrm_usersa_info);
+	while(RTA_OK(rta, rtasize))
+	{
+		/* copy all attributes, but not XFRMA_ENCAP if we are disabling it */
+		if (rta->rta_type != XFRMA_ENCAP || new_encap)
+		{
+			if (rta->rta_type == XFRMA_ENCAP)
+			{	/* update encap tmpl */
+				tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rta);
+				tmpl->encap_sport = ntohs(new_src->get_port(new_src));
+				tmpl->encap_dport = ntohs(new_dst->get_port(new_dst));
+			}
+			memcpy(pos, rta, rta->rta_len);
+			pos += RTA_ALIGN(rta->rta_len);
+			hdr->nlmsg_len += RTA_ALIGN(rta->rta_len);
+		}
+		rta = RTA_NEXT(rta, rtasize);
+	}
+
+	rta = (struct rtattr*)pos;
+	if (tmpl == NULL && new_encap)
+	{	/* add tmpl if we are enabling it */
+		rta->rta_type = XFRMA_ENCAP;
+		rta->rta_len = RTA_LENGTH(sizeof(struct xfrm_encap_tmpl));
+
+		hdr->nlmsg_len += rta->rta_len;
+		if (hdr->nlmsg_len > sizeof(request))
+		{
+			return FAILED;
+		}
+
+		tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rta);
+		tmpl->encap_type = UDP_ENCAP_ESPINUDP;
+		tmpl->encap_sport = ntohs(new_src->get_port(new_src));
+		tmpl->encap_dport = ntohs(new_dst->get_port(new_dst));
+		memset(&tmpl->encap_oa, 0, sizeof (xfrm_address_t));
+
+		rta = XFRM_RTA_NEXT(rta);
+	}
+
+	if (got_replay_state)
+	{	/* copy the replay data if available */
+		rta->rta_type = XFRMA_REPLAY_VAL;
+		rta->rta_len = RTA_LENGTH(sizeof(struct xfrm_replay_state));
+
+		hdr->nlmsg_len += rta->rta_len;
+		if (hdr->nlmsg_len > sizeof(request))
+		{
+			return FAILED;
+		}
+		memcpy(RTA_DATA(rta), &replay, sizeof(replay));
+
+		rta = XFRM_RTA_NEXT(rta);
+	}
+
+	if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi));
+		free(out);
+		return FAILED;
+	}
+	free(out);
+
+	return SUCCESS;
+}
+
+METHOD(kernel_ipsec_t, add_policy, status_t,
+	private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
+	traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
+	policy_dir_t direction, policy_type_t type, ipsec_sa_cfg_t *sa,
+	mark_t mark, bool routed)
+{
+	policy_entry_t *current, *policy;
+	bool found = FALSE;
+	netlink_buf_t request;
+	struct xfrm_userpolicy_info *policy_info;
+	struct nlmsghdr *hdr;
+	int i;
+
+	/* create a policy */
+	policy = malloc_thing(policy_entry_t);
+	memset(policy, 0, sizeof(policy_entry_t));
+	policy->sel = ts2selector(src_ts, dst_ts);
+	policy->mark = mark.value & mark.mask;
+	policy->direction = direction;
+
+	/* find the policy, which matches EXACTLY */
+	this->mutex->lock(this->mutex);
+	current = this->policies->get(this->policies, policy);
+	if (current)
+	{
+		/* use existing policy */
+		current->refcount++;
+		if (mark.value)
+		{
+			DBG2(DBG_KNL, "policy %R === %R %N  (mark %u/0x%8x) "
+						  "already exists, increasing refcount",
+						   src_ts, dst_ts, policy_dir_names, direction,
+						   mark.value, mark.mask);
+		}
+		else
+		{
+			DBG2(DBG_KNL, "policy %R === %R %N "
+						  "already exists, increasing refcount",
+						   src_ts, dst_ts, policy_dir_names, direction);
+		}
+		free(policy);
+		policy = current;
+		found = TRUE;
+	}
+	else
+	{	/* apply the new one, if we have no such policy */
+		this->policies->put(this->policies, policy, policy);
+		policy->refcount = 1;
+	}
+
+	if (mark.value)
+	{
+		DBG2(DBG_KNL, "adding policy %R === %R %N  (mark %u/0x%8x)",
+					   src_ts, dst_ts, policy_dir_names, direction,
+					   mark.value, mark.mask);
+	}
+	else
+	{
+		DBG2(DBG_KNL, "adding policy %R === %R %N",
+					   src_ts, dst_ts, policy_dir_names, direction);
+	}
+
+	memset(&request, 0, sizeof(request));
+	hdr = (struct nlmsghdr*)request;
+	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
+	hdr->nlmsg_type = found ? XFRM_MSG_UPDPOLICY : XFRM_MSG_NEWPOLICY;
+	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_info));
+
+	policy_info = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr);
+	policy_info->sel = policy->sel;
+	policy_info->dir = policy->direction;
+	/* calculate priority based on source selector size, small size = high prio */
+	policy_info->priority = routed ? PRIO_LOW : PRIO_HIGH;
+	policy_info->priority -= policy->sel.prefixlen_s * 10;
+	policy_info->priority -= policy->sel.proto ? 2 : 0;
+	policy_info->priority -= policy->sel.sport_mask ? 1 : 0;
+	policy_info->action = type != POLICY_DROP ? XFRM_POLICY_ALLOW
+											  : XFRM_POLICY_BLOCK;
+	policy_info->share = XFRM_SHARE_ANY;
+	this->mutex->unlock(this->mutex);
+
+	/* policies don't expire */
+	policy_info->lft.soft_byte_limit = XFRM_INF;
+	policy_info->lft.soft_packet_limit = XFRM_INF;
+	policy_info->lft.hard_byte_limit = XFRM_INF;
+	policy_info->lft.hard_packet_limit = XFRM_INF;
+	policy_info->lft.soft_add_expires_seconds = 0;
+	policy_info->lft.hard_add_expires_seconds = 0;
+	policy_info->lft.soft_use_expires_seconds = 0;
+	policy_info->lft.hard_use_expires_seconds = 0;
+
+	struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_userpolicy_info);
+
+	if (type == POLICY_IPSEC)
+	{
+		struct xfrm_user_tmpl *tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rthdr);
+		struct {
+			u_int8_t proto;
+			bool use;
+		} protos[] = {
+			{ IPPROTO_COMP, sa->ipcomp.transform != IPCOMP_NONE },
+			{ IPPROTO_ESP, sa->esp.use },
+			{ IPPROTO_AH, sa->ah.use },
+		};
+		ipsec_mode_t proto_mode = sa->mode;
+
+		rthdr->rta_type = XFRMA_TMPL;
+		rthdr->rta_len = 0; /* actual length is set below */
+
+		for (i = 0; i < countof(protos); i++)
+		{
+			if (!protos[i].use)
+			{
+				continue;
+			}
+
+			rthdr->rta_len += RTA_LENGTH(sizeof(struct xfrm_user_tmpl));
+			hdr->nlmsg_len += RTA_LENGTH(sizeof(struct xfrm_user_tmpl));
+			if (hdr->nlmsg_len > sizeof(request))
+			{
+				return FAILED;
+			}
+
+			tmpl->reqid = sa->reqid;
+			tmpl->id.proto = protos[i].proto;
+			tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
+			tmpl->mode = mode2kernel(proto_mode);
+			tmpl->optional = protos[i].proto == IPPROTO_COMP &&
+							 direction != POLICY_OUT;
+			tmpl->family = src->get_family(src);
+
+			if (proto_mode == MODE_TUNNEL)
+			{	/* only for tunnel mode */
+				host2xfrm(src, &tmpl->saddr);
+				host2xfrm(dst, &tmpl->id.daddr);
+			}
+
+			tmpl++;
+
+			/* use transport mode for other SAs */
+			proto_mode = MODE_TRANSPORT;
+		}
+
+		rthdr = XFRM_RTA_NEXT(rthdr);
+	}
+
+	if (mark.value)
+	{
+		struct xfrm_mark *mrk;
+
+		rthdr->rta_type = XFRMA_MARK;
+		rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_mark));
+
+		hdr->nlmsg_len += rthdr->rta_len;
+		if (hdr->nlmsg_len > sizeof(request))
+		{
+			return FAILED;
+		}
+
+		mrk = (struct xfrm_mark*)RTA_DATA(rthdr);
+		mrk->v = mark.value;
+		mrk->m = mark.mask;
+	}
+
+	if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "unable to add policy %R === %R %N", src_ts, dst_ts,
+					   policy_dir_names, direction);
+		return FAILED;
+	}
+
+	/* install a route, if:
+	 * - we are NOT updating a policy
+	 * - this is a forward policy (to just get one for each child)
+	 * - we are in tunnel/BEET mode
+	 * - routing is not disabled via strongswan.conf
+	 */
+	if (policy->route == NULL && direction == POLICY_FWD &&
+		sa->mode != MODE_TRANSPORT && this->install_routes)
+	{
+		route_entry_t *route = malloc_thing(route_entry_t);
+
+		if (hydra->kernel_interface->get_address_by_ts(hydra->kernel_interface,
+				dst_ts, &route->src_ip) == SUCCESS)
+		{
+			/* get the nexthop to src (src as we are in POLICY_FWD).*/
+			route->gateway = hydra->kernel_interface->get_nexthop(
+												hydra->kernel_interface, src);
+			/* install route via outgoing interface */
+			route->if_name = hydra->kernel_interface->get_interface(
+												hydra->kernel_interface, dst);
+			route->dst_net = chunk_alloc(policy->sel.family == AF_INET ? 4 : 16);
+			memcpy(route->dst_net.ptr, &policy->sel.saddr, route->dst_net.len);
+			route->prefixlen = policy->sel.prefixlen_s;
+
+			if (route->if_name)
+			{
+				switch (hydra->kernel_interface->add_route(
+									hydra->kernel_interface, route->dst_net,
+									route->prefixlen, route->gateway,
+									route->src_ip, route->if_name))
+				{
+					default:
+						DBG1(DBG_KNL, "unable to install source route for %H",
+							 route->src_ip);
+						/* FALL */
+					case ALREADY_DONE:
+						/* route exists, do not uninstall */
+						route_entry_destroy(route);
+						break;
+					case SUCCESS:
+						/* cache the installed route */
+						policy->route = route;
+						break;
+				}
+			}
+			else
+			{
+				route_entry_destroy(route);
+			}
+		}
+		else
+		{
+			free(route);
+		}
+	}
+	return SUCCESS;
+}
+
+METHOD(kernel_ipsec_t, query_policy, status_t,
+	private_kernel_netlink_ipsec_t *this, traffic_selector_t *src_ts,
+	traffic_selector_t *dst_ts, policy_dir_t direction, mark_t mark,
+	u_int32_t *use_time)
+{
+	netlink_buf_t request;
+	struct nlmsghdr *out = NULL, *hdr;
+	struct xfrm_userpolicy_id *policy_id;
+	struct xfrm_userpolicy_info *policy = NULL;
+	size_t len;
+
+	memset(&request, 0, sizeof(request));
+
+	if (mark.value)
+	{
+		DBG2(DBG_KNL, "querying policy %R === %R %N  (mark %u/0x%8x)",
+					   src_ts, dst_ts, policy_dir_names, direction,
+					   mark.value, mark.mask);
+	}
+	else
+	{
+		DBG2(DBG_KNL, "querying policy %R === %R %N", src_ts, dst_ts,
+					   policy_dir_names, direction);
+	}
+	hdr = (struct nlmsghdr*)request;
+	hdr->nlmsg_flags = NLM_F_REQUEST;
+	hdr->nlmsg_type = XFRM_MSG_GETPOLICY;
+	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
+
+	policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
+	policy_id->sel = ts2selector(src_ts, dst_ts);
+	policy_id->dir = direction;
+
+	if (mark.value)
+	{
+		struct xfrm_mark *mrk;
+		struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_userpolicy_id);
+
+		rthdr->rta_type = XFRMA_MARK;
+		rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_mark));
+
+		hdr->nlmsg_len += rthdr->rta_len;
+		if (hdr->nlmsg_len > sizeof(request))
+		{
+			return FAILED;
+		}
+
+		mrk = (struct xfrm_mark*)RTA_DATA(rthdr);
+		mrk->v = mark.value;
+		mrk->m = mark.mask;
+	}
+
+	if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
+	{
+		hdr = out;
+		while (NLMSG_OK(hdr, len))
+		{
+			switch (hdr->nlmsg_type)
+			{
+				case XFRM_MSG_NEWPOLICY:
+				{
+					policy = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr);
+					break;
+				}
+				case NLMSG_ERROR:
+				{
+					struct nlmsgerr *err = NLMSG_DATA(hdr);
+					DBG1(DBG_KNL, "querying policy failed: %s (%d)",
+						 strerror(-err->error), -err->error);
+					break;
+				}
+				default:
+					hdr = NLMSG_NEXT(hdr, len);
+					continue;
+				case NLMSG_DONE:
+					break;
+			}
+			break;
+		}
+	}
+
+	if (policy == NULL)
+	{
+		DBG2(DBG_KNL, "unable to query policy %R === %R %N", src_ts, dst_ts,
+					   policy_dir_names, direction);
+		free(out);
+		return FAILED;
+	}
+
+	if (policy->curlft.use_time)
+	{
+		/* we need the monotonic time, but the kernel returns system time. */
+		*use_time = time_monotonic(NULL) - (time(NULL) - policy->curlft.use_time);
+	}
+	else
+	{
+		*use_time = 0;
+	}
+
+	free(out);
+	return SUCCESS;
+}
+
+METHOD(kernel_ipsec_t, del_policy, status_t,
+	private_kernel_netlink_ipsec_t *this, traffic_selector_t *src_ts,
+	traffic_selector_t *dst_ts, policy_dir_t direction, mark_t mark,
+	bool unrouted)
+{
+	policy_entry_t *current, policy, *to_delete = NULL;
+	route_entry_t *route;
+	netlink_buf_t request;
+	struct nlmsghdr *hdr;
+	struct xfrm_userpolicy_id *policy_id;
+
+	if (mark.value)
+	{
+		DBG2(DBG_KNL, "deleting policy %R === %R %N  (mark %u/0x%8x)",
+					   src_ts, dst_ts, policy_dir_names, direction,
+					   mark.value, mark.mask);
+	}
+	else
+	{
+		DBG2(DBG_KNL, "deleting policy %R === %R %N",
+					   src_ts, dst_ts, policy_dir_names, direction);
+	}
+
+	/* create a policy */
+	memset(&policy, 0, sizeof(policy_entry_t));
+	policy.sel = ts2selector(src_ts, dst_ts);
+	policy.mark = mark.value & mark.mask;
+	policy.direction = direction;
+
+	/* find the policy */
+	this->mutex->lock(this->mutex);
+	current = this->policies->get(this->policies, &policy);
+	if (current)
+	{
+		to_delete = current;
+		if (--to_delete->refcount > 0)
+		{
+			/* is used by more SAs, keep in kernel */
+			DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed");
+			this->mutex->unlock(this->mutex);
+			return SUCCESS;
+		}
+		/* remove if last reference */
+		this->policies->remove(this->policies, to_delete);
+	}
+	this->mutex->unlock(this->mutex);
+	if (!to_delete)
+	{
+		if (mark.value)
+		{
+			DBG1(DBG_KNL, "deleting policy %R === %R %N  (mark %u/0x%8x) "
+						  "failed, not found", src_ts, dst_ts, policy_dir_names,
+						   direction, mark.value, mark.mask);
+		}
+		else
+		{
+			DBG1(DBG_KNL, "deleting policy %R === %R %N failed, not found",
+						   src_ts, dst_ts, policy_dir_names, direction);
+		}
+		return NOT_FOUND;
+	}
+
+	memset(&request, 0, sizeof(request));
+
+	hdr = (struct nlmsghdr*)request;
+	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
+	hdr->nlmsg_type = XFRM_MSG_DELPOLICY;
+	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
+
+	policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
+	policy_id->sel = to_delete->sel;
+	policy_id->dir = direction;
+
+	if (mark.value)
+	{
+		struct xfrm_mark *mrk;
+		struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_userpolicy_id);
+
+		rthdr->rta_type = XFRMA_MARK;
+		rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_mark));
+		hdr->nlmsg_len += rthdr->rta_len;
+		if (hdr->nlmsg_len > sizeof(request))
+		{
+			return FAILED;
+		}
+
+		mrk = (struct xfrm_mark*)RTA_DATA(rthdr);
+		mrk->v = mark.value;
+		mrk->m = mark.mask;
+	}
+
+	route = to_delete->route;
+	free(to_delete);
+
+	if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
+	{
+		if (mark.value)
+		{
+			DBG1(DBG_KNL, "unable to delete policy %R === %R %N  "
+                          "(mark %u/0x%8x)", src_ts, dst_ts, policy_dir_names,
+						   direction, mark.value, mark.mask);
+		}
+		else
+		{
+			DBG1(DBG_KNL, "unable to delete policy %R === %R %N",
+						   src_ts, dst_ts, policy_dir_names, direction);
+		}
+		return FAILED;
+	}
+
+	if (route)
+	{
+		if (hydra->kernel_interface->del_route(hydra->kernel_interface,
+				route->dst_net, route->prefixlen, route->gateway,
+				route->src_ip, route->if_name) != SUCCESS)
+		{
+			DBG1(DBG_KNL, "error uninstalling route installed with "
+						  "policy %R === %R %N", src_ts, dst_ts,
+						   policy_dir_names, direction);
+		}
+		route_entry_destroy(route);
+	}
+	return SUCCESS;
+}
+
+METHOD(kernel_ipsec_t, bypass_socket, bool,
+	private_kernel_netlink_ipsec_t *this, int fd, int family)
+{
+	struct xfrm_userpolicy_info policy;
+	u_int sol, ipsec_policy;
+
+	switch (family)
+	{
+		case AF_INET:
+			sol = SOL_IP;
+			ipsec_policy = IP_XFRM_POLICY;
+			break;
+		case AF_INET6:
+			sol = SOL_IPV6;
+			ipsec_policy = IPV6_XFRM_POLICY;
+			break;
+		default:
+			return FALSE;
+	}
+
+	memset(&policy, 0, sizeof(policy));
+	policy.action = XFRM_POLICY_ALLOW;
+	policy.sel.family = family;
+
+	policy.dir = XFRM_POLICY_OUT;
+	if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
+	{
+		DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
+			 strerror(errno));
+		return FALSE;
+	}
+	policy.dir = XFRM_POLICY_IN;
+	if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
+	{
+		DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
+			 strerror(errno));
+		return FALSE;
+	}
+	return TRUE;
+}
+
+METHOD(kernel_ipsec_t, destroy, void,
+	private_kernel_netlink_ipsec_t *this)
+{
+	enumerator_t *enumerator;
+	policy_entry_t *policy;
+
+	if (this->job)
+	{
+		this->job->cancel(this->job);
+	}
+	if (this->socket_xfrm_events > 0)
+	{
+		close(this->socket_xfrm_events);
+	}
+	DESTROY_IF(this->socket_xfrm);
+	enumerator = this->policies->create_enumerator(this->policies);
+	while (enumerator->enumerate(enumerator, &policy, &policy))
+	{
+		free(policy);
+	}
+	enumerator->destroy(enumerator);
+	this->policies->destroy(this->policies);
+	this->mutex->destroy(this->mutex);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+kernel_netlink_ipsec_t *kernel_netlink_ipsec_create()
+{
+	private_kernel_netlink_ipsec_t *this;
+	struct sockaddr_nl addr;
+	int fd;
+
+	INIT(this,
+		.public = {
+			.interface = {
+				.get_spi = _get_spi,
+				.get_cpi = _get_cpi,
+				.add_sa  = _add_sa,
+				.update_sa = _update_sa,
+				.query_sa = _query_sa,
+				.del_sa = _del_sa,
+				.add_policy = _add_policy,
+				.query_policy = _query_policy,
+				.del_policy = _del_policy,
+				.bypass_socket = _bypass_socket,
+				.destroy = _destroy,
+			},
+		},
+		.policies = hashtable_create((hashtable_hash_t)policy_hash,
+									 (hashtable_equals_t)policy_equals, 32),
+		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+		.install_routes = lib->settings->get_bool(lib->settings,
+												  "%s.install_routes", TRUE,
+												  hydra->daemon),
+	);
+
+	if (streq(hydra->daemon, "pluto"))
+	{	/* no routes for pluto, they are installed via updown script */
+		this->install_routes = FALSE;
+	}
+
+	/* disable lifetimes for allocated SPIs in kernel */
+	fd = open("/proc/sys/net/core/xfrm_acq_expires", O_WRONLY);
+	if (fd)
+	{
+		ignore_result(write(fd, "165", 3));
+		close(fd);
+	}
+
+	this->socket_xfrm = netlink_socket_create(NETLINK_XFRM);
+	if (!this->socket_xfrm)
+	{
+		destroy(this);
+		return NULL;
+	}
+
+	memset(&addr, 0, sizeof(addr));
+	addr.nl_family = AF_NETLINK;
+
+	/* create and bind XFRM socket for ACQUIRE, EXPIRE, MIGRATE & MAPPING */
+	this->socket_xfrm_events = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);
+	if (this->socket_xfrm_events <= 0)
+	{
+		DBG1(DBG_KNL, "unable to create XFRM event socket");
+		destroy(this);
+		return NULL;
+	}
+	addr.nl_groups = XFRMNLGRP(ACQUIRE) | XFRMNLGRP(EXPIRE) |
+					 XFRMNLGRP(MIGRATE) | XFRMNLGRP(MAPPING);
+	if (bind(this->socket_xfrm_events, (struct sockaddr*)&addr, sizeof(addr)))
+	{
+		DBG1(DBG_KNL, "unable to bind XFRM event socket");
+		destroy(this);
+		return NULL;
+	}
+	this->job = callback_job_create((callback_job_cb_t)receive_events,
+									this, NULL, NULL);
+	lib->processor->queue_job(lib->processor, (job_t*)this->job);
+
+	return &this->public;
+}
+
diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.h b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.h
new file mode 100644
index 000000000..3a45cce06
--- /dev/null
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.h
@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup kernel_netlink_ipsec_i kernel_netlink_ipsec
+ * @{ @ingroup kernel_netlink
+ */
+
+#ifndef KERNEL_NETLINK_IPSEC_H_
+#define KERNEL_NETLINK_IPSEC_H_
+
+#include <kernel/kernel_ipsec.h>
+
+typedef struct kernel_netlink_ipsec_t kernel_netlink_ipsec_t;
+
+/**
+ * Implementation of the kernel ipsec interface using Netlink.
+ */
+struct kernel_netlink_ipsec_t {
+
+	/**
+	 * Implements kernel_ipsec_t interface
+	 */
+	kernel_ipsec_t interface;
+};
+
+/**
+ * Create a netlink kernel ipsec interface instance.
+ *
+ * @return			kernel_netlink_ipsec_t instance
+ */
+kernel_netlink_ipsec_t *kernel_netlink_ipsec_create();
+
+#endif /** KERNEL_NETLINK_IPSEC_H_ @}*/
diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c
new file mode 100644
index 000000000..314c1acc1
--- /dev/null
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c
@@ -0,0 +1,1578 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2005-2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/*
+ * Copyright (C) 2010 secunet Security Networks AG
+ * Copyright (C) 2010 Thomas Egerer
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+#include <sys/socket.h>
+#include <linux/netlink.h>
+#include <linux/rtnetlink.h>
+#include <unistd.h>
+#include <errno.h>
+#include <net/if.h>
+
+#include "kernel_netlink_net.h"
+#include "kernel_netlink_shared.h"
+
+#include <hydra.h>
+#include <debug.h>
+#include <threading/thread.h>
+#include <threading/condvar.h>
+#include <threading/mutex.h>
+#include <utils/linked_list.h>
+#include <processing/jobs/callback_job.h>
+
+/** delay before firing roam events (ms) */
+#define ROAM_DELAY 100
+
+typedef struct addr_entry_t addr_entry_t;
+
+/**
+ * IP address in an inface_entry_t
+ */
+struct addr_entry_t {
+
+	/** The ip address */
+	host_t *ip;
+
+	/** virtual IP managed by us */
+	bool virtual;
+
+	/** scope of the address */
+	u_char scope;
+
+	/** Number of times this IP is used, if virtual */
+	u_int refcount;
+};
+
+/**
+ * destroy a addr_entry_t object
+ */
+static void addr_entry_destroy(addr_entry_t *this)
+{
+	this->ip->destroy(this->ip);
+	free(this);
+}
+
+typedef struct iface_entry_t iface_entry_t;
+
+/**
+ * A network interface on this system, containing addr_entry_t's
+ */
+struct iface_entry_t {
+
+	/** interface index */
+	int ifindex;
+
+	/** name of the interface */
+	char ifname[IFNAMSIZ];
+
+	/** interface flags, as in netdevice(7) SIOCGIFFLAGS */
+	u_int flags;
+
+	/** list of addresses as host_t */
+	linked_list_t *addrs;
+};
+
+/**
+ * destroy an interface entry
+ */
+static void iface_entry_destroy(iface_entry_t *this)
+{
+	this->addrs->destroy_function(this->addrs, (void*)addr_entry_destroy);
+	free(this);
+}
+
+typedef struct private_kernel_netlink_net_t private_kernel_netlink_net_t;
+
+/**
+ * Private variables and functions of kernel_netlink_net class.
+ */
+struct private_kernel_netlink_net_t {
+	/**
+	 * Public part of the kernel_netlink_net_t object.
+	 */
+	kernel_netlink_net_t public;
+
+	/**
+	 * mutex to lock access to various lists
+	 */
+	mutex_t *mutex;
+
+	/**
+	 * condition variable to signal virtual IP add/removal
+	 */
+	condvar_t *condvar;
+
+	/**
+	 * Cached list of interfaces and its addresses (iface_entry_t)
+	 */
+	linked_list_t *ifaces;
+
+	/**
+	 * job receiving netlink events
+	 */
+	callback_job_t *job;
+
+	/**
+	 * netlink rt socket (routing)
+	 */
+	netlink_socket_t *socket;
+
+	/**
+	 * Netlink rt socket to receive address change events
+	 */
+	int socket_events;
+
+	/**
+	 * time of the last roam event
+	 */
+	timeval_t last_roam;
+
+	/**
+	 * routing table to install routes
+	 */
+	int routing_table;
+
+	/**
+	 * priority of used routing table
+	 */
+	int routing_table_prio;
+
+	/**
+	 * whether to react to RTM_NEWROUTE or RTM_DELROUTE events
+	 */
+	bool process_route;
+
+	/**
+	 * whether to actually install virtual IPs
+	 */
+	bool install_virtual_ip;
+
+	/**
+	 * list with routing tables to be excluded from route lookup
+	 */
+	linked_list_t *rt_exclude;
+};
+
+/**
+ * get the refcount of a virtual ip
+ */
+static int get_vip_refcount(private_kernel_netlink_net_t *this, host_t* ip)
+{
+	iterator_t *ifaces, *addrs;
+	iface_entry_t *iface;
+	addr_entry_t *addr;
+	int refcount = 0;
+
+	ifaces = this->ifaces->create_iterator(this->ifaces, TRUE);
+	while (ifaces->iterate(ifaces, (void**)&iface))
+	{
+		addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
+		while (addrs->iterate(addrs, (void**)&addr))
+		{
+			if (addr->virtual && (iface->flags & IFF_UP) &&
+				ip->ip_equals(ip, addr->ip))
+			{
+				refcount = addr->refcount;
+				break;
+			}
+		}
+		addrs->destroy(addrs);
+		if (refcount)
+		{
+			break;
+		}
+	}
+	ifaces->destroy(ifaces);
+
+	return refcount;
+}
+
+/**
+ * get the first non-virtual ip address on the given interface.
+ * returned host is a clone, has to be freed by caller.
+ */
+static host_t *get_interface_address(private_kernel_netlink_net_t *this,
+									 int ifindex, int family)
+{
+	enumerator_t *ifaces, *addrs;
+	iface_entry_t *iface;
+	addr_entry_t *addr;
+	host_t *ip = NULL;
+
+	this->mutex->lock(this->mutex);
+	ifaces = this->ifaces->create_enumerator(this->ifaces);
+	while (ifaces->enumerate(ifaces, &iface))
+	{
+		if (iface->ifindex == ifindex)
+		{
+			addrs = iface->addrs->create_enumerator(iface->addrs);
+			while (addrs->enumerate(addrs, &addr))
+			{
+				if (!addr->virtual && addr->ip->get_family(addr->ip) == family)
+				{
+					ip = addr->ip->clone(addr->ip);
+					break;
+				}
+			}
+			addrs->destroy(addrs);
+			break;
+		}
+	}
+	ifaces->destroy(ifaces);
+	this->mutex->unlock(this->mutex);
+	return ip;
+}
+
+/**
+ * callback function that raises the delayed roam event
+ */
+static job_requeue_t roam_event(uintptr_t address)
+{
+	hydra->kernel_interface->roam(hydra->kernel_interface, address != 0);
+	return JOB_REQUEUE_NONE;
+}
+
+/**
+ * fire a roaming event. we delay it for a bit and fire only one event
+ * for multiple calls. otherwise we would create too many events.
+ */
+static void fire_roam_event(private_kernel_netlink_net_t *this, bool address)
+{
+	timeval_t now;
+	job_t *job;
+
+	time_monotonic(&now);
+	if (timercmp(&now, &this->last_roam, >))
+	{
+		now.tv_usec += ROAM_DELAY * 1000;
+		while (now.tv_usec > 1000000)
+		{
+			now.tv_sec++;
+			now.tv_usec -= 1000000;
+		}
+		this->last_roam = now;
+
+		job = (job_t*)callback_job_create((callback_job_cb_t)roam_event,
+										  (void*)(uintptr_t)(address ? 1 : 0),
+										  NULL, NULL);
+		lib->scheduler->schedule_job_ms(lib->scheduler, job, ROAM_DELAY);
+	}
+}
+
+/**
+ * process RTM_NEWLINK/RTM_DELLINK from kernel
+ */
+static void process_link(private_kernel_netlink_net_t *this,
+						 struct nlmsghdr *hdr, bool event)
+{
+	struct ifinfomsg* msg = (struct ifinfomsg*)(NLMSG_DATA(hdr));
+	struct rtattr *rta = IFLA_RTA(msg);
+	size_t rtasize = IFLA_PAYLOAD (hdr);
+	enumerator_t *enumerator;
+	iface_entry_t *current, *entry = NULL;
+	char *name = NULL;
+	bool update = FALSE;
+
+	while(RTA_OK(rta, rtasize))
+	{
+		switch (rta->rta_type)
+		{
+			case IFLA_IFNAME:
+				name = RTA_DATA(rta);
+				break;
+		}
+		rta = RTA_NEXT(rta, rtasize);
+	}
+	if (!name)
+	{
+		name = "(unknown)";
+	}
+
+	this->mutex->lock(this->mutex);
+	switch (hdr->nlmsg_type)
+	{
+		case RTM_NEWLINK:
+		{
+			if (msg->ifi_flags & IFF_LOOPBACK)
+			{	/* ignore loopback interfaces */
+				break;
+			}
+			enumerator = this->ifaces->create_enumerator(this->ifaces);
+			while (enumerator->enumerate(enumerator, &current))
+			{
+				if (current->ifindex == msg->ifi_index)
+				{
+					entry = current;
+					break;
+				}
+			}
+			enumerator->destroy(enumerator);
+			if (!entry)
+			{
+				entry = malloc_thing(iface_entry_t);
+				entry->ifindex = msg->ifi_index;
+				entry->flags = 0;
+				entry->addrs = linked_list_create();
+				this->ifaces->insert_last(this->ifaces, entry);
+			}
+			memcpy(entry->ifname, name, IFNAMSIZ);
+			entry->ifname[IFNAMSIZ-1] = '\0';
+			if (event)
+			{
+				if (!(entry->flags & IFF_UP) && (msg->ifi_flags & IFF_UP))
+				{
+					update = TRUE;
+					DBG1(DBG_KNL, "interface %s activated", name);
+				}
+				if ((entry->flags & IFF_UP) && !(msg->ifi_flags & IFF_UP))
+				{
+					update = TRUE;
+					DBG1(DBG_KNL, "interface %s deactivated", name);
+				}
+			}
+			entry->flags = msg->ifi_flags;
+			break;
+		}
+		case RTM_DELLINK:
+		{
+			enumerator = this->ifaces->create_enumerator(this->ifaces);
+			while (enumerator->enumerate(enumerator, &current))
+			{
+				if (current->ifindex == msg->ifi_index)
+				{
+					/* we do not remove it, as an address may be added to a
+					 * "down" interface and we wan't to know that. */
+					current->flags = msg->ifi_flags;
+					break;
+				}
+			}
+			enumerator->destroy(enumerator);
+			break;
+		}
+	}
+	this->mutex->unlock(this->mutex);
+
+	/* send an update to all IKE_SAs */
+	if (update && event)
+	{
+		fire_roam_event(this, TRUE);
+	}
+}
+
+/**
+ * process RTM_NEWADDR/RTM_DELADDR from kernel
+ */
+static void process_addr(private_kernel_netlink_net_t *this,
+						 struct nlmsghdr *hdr, bool event)
+{
+	struct ifaddrmsg* msg = (struct ifaddrmsg*)(NLMSG_DATA(hdr));
+	struct rtattr *rta = IFA_RTA(msg);
+	size_t rtasize = IFA_PAYLOAD (hdr);
+	host_t *host = NULL;
+	enumerator_t *ifaces, *addrs;
+	iface_entry_t *iface;
+	addr_entry_t *addr;
+	chunk_t local = chunk_empty, address = chunk_empty;
+	bool update = FALSE, found = FALSE, changed = FALSE;
+
+	while(RTA_OK(rta, rtasize))
+	{
+		switch (rta->rta_type)
+		{
+			case IFA_LOCAL:
+				local.ptr = RTA_DATA(rta);
+				local.len = RTA_PAYLOAD(rta);
+				break;
+			case IFA_ADDRESS:
+				address.ptr = RTA_DATA(rta);
+				address.len = RTA_PAYLOAD(rta);
+				break;
+		}
+		rta = RTA_NEXT(rta, rtasize);
+	}
+
+	/* For PPP interfaces, we need the IFA_LOCAL address,
+	 * IFA_ADDRESS is the peers address. But IFA_LOCAL is
+	 * not included in all cases (IPv6?), so fallback to IFA_ADDRESS. */
+	if (local.ptr)
+	{
+		host = host_create_from_chunk(msg->ifa_family, local, 0);
+	}
+	else if (address.ptr)
+	{
+		host = host_create_from_chunk(msg->ifa_family, address, 0);
+	}
+
+	if (host == NULL)
+	{	/* bad family? */
+		return;
+	}
+
+	this->mutex->lock(this->mutex);
+	ifaces = this->ifaces->create_enumerator(this->ifaces);
+	while (ifaces->enumerate(ifaces, &iface))
+	{
+		if (iface->ifindex == msg->ifa_index)
+		{
+			addrs = iface->addrs->create_enumerator(iface->addrs);
+			while (addrs->enumerate(addrs, &addr))
+			{
+				if (host->ip_equals(host, addr->ip))
+				{
+					found = TRUE;
+					if (hdr->nlmsg_type == RTM_DELADDR)
+					{
+						iface->addrs->remove_at(iface->addrs, addrs);
+						if (!addr->virtual)
+						{
+							changed = TRUE;
+							DBG1(DBG_KNL, "%H disappeared from %s",
+								 host, iface->ifname);
+						}
+						addr_entry_destroy(addr);
+					}
+					else if (hdr->nlmsg_type == RTM_NEWADDR && addr->virtual)
+					{
+						addr->refcount = 1;
+					}
+				}
+			}
+			addrs->destroy(addrs);
+
+			if (hdr->nlmsg_type == RTM_NEWADDR)
+			{
+				if (!found)
+				{
+					found = TRUE;
+					changed = TRUE;
+					addr = malloc_thing(addr_entry_t);
+					addr->ip = host->clone(host);
+					addr->virtual = FALSE;
+					addr->refcount = 1;
+					addr->scope = msg->ifa_scope;
+
+					iface->addrs->insert_last(iface->addrs, addr);
+					if (event)
+					{
+						DBG1(DBG_KNL, "%H appeared on %s", host, iface->ifname);
+					}
+				}
+			}
+			if (found && (iface->flags & IFF_UP))
+			{
+				update = TRUE;
+			}
+			break;
+		}
+	}
+	ifaces->destroy(ifaces);
+	this->mutex->unlock(this->mutex);
+	host->destroy(host);
+
+	/* send an update to all IKE_SAs */
+	if (update && event && changed)
+	{
+		fire_roam_event(this, TRUE);
+	}
+}
+
+/**
+ * process RTM_NEWROUTE and RTM_DELROUTE from kernel
+ */
+static void process_route(private_kernel_netlink_net_t *this, struct nlmsghdr *hdr)
+{
+	struct rtmsg* msg = (struct rtmsg*)(NLMSG_DATA(hdr));
+	struct rtattr *rta = RTM_RTA(msg);
+	size_t rtasize = RTM_PAYLOAD(hdr);
+	u_int32_t rta_oif = 0;
+	host_t *host = NULL;
+
+	/* ignore routes added by us or in the local routing table (local addrs) */
+	if (msg->rtm_table && (msg->rtm_table == this->routing_table ||
+						   msg->rtm_table == RT_TABLE_LOCAL))
+	{
+		return;
+	}
+
+	while (RTA_OK(rta, rtasize))
+	{
+		switch (rta->rta_type)
+		{
+			case RTA_PREFSRC:
+				host = host_create_from_chunk(msg->rtm_family,
+							chunk_create(RTA_DATA(rta), RTA_PAYLOAD(rta)), 0);
+				break;
+			case RTA_OIF:
+				if (RTA_PAYLOAD(rta) == sizeof(rta_oif))
+				{
+					rta_oif = *(u_int32_t*)RTA_DATA(rta);
+				}
+				break;
+		}
+		rta = RTA_NEXT(rta, rtasize);
+	}
+	if (!host && rta_oif)
+	{
+		host = get_interface_address(this, rta_oif, msg->rtm_family);
+	}
+	if (host)
+	{
+		this->mutex->lock(this->mutex);
+		if (!get_vip_refcount(this, host))
+		{	/* ignore routes added for virtual IPs */
+			fire_roam_event(this, FALSE);
+		}
+		this->mutex->unlock(this->mutex);
+		host->destroy(host);
+	}
+}
+
+/**
+ * Receives events from kernel
+ */
+static job_requeue_t receive_events(private_kernel_netlink_net_t *this)
+{
+	char response[1024];
+	struct nlmsghdr *hdr = (struct nlmsghdr*)response;
+	struct sockaddr_nl addr;
+	socklen_t addr_len = sizeof(addr);
+	int len;
+	bool oldstate;
+
+	oldstate = thread_cancelability(TRUE);
+	len = recvfrom(this->socket_events, response, sizeof(response), 0,
+				   (struct sockaddr*)&addr, &addr_len);
+	thread_cancelability(oldstate);
+
+	if (len < 0)
+	{
+		switch (errno)
+		{
+			case EINTR:
+				/* interrupted, try again */
+				return JOB_REQUEUE_DIRECT;
+			case EAGAIN:
+				/* no data ready, select again */
+				return JOB_REQUEUE_DIRECT;
+			default:
+				DBG1(DBG_KNL, "unable to receive from rt event socket");
+				sleep(1);
+				return JOB_REQUEUE_FAIR;
+		}
+	}
+
+	if (addr.nl_pid != 0)
+	{	/* not from kernel. not interested, try another one */
+		return JOB_REQUEUE_DIRECT;
+	}
+
+	while (NLMSG_OK(hdr, len))
+	{
+		/* looks good so far, dispatch netlink message */
+		switch (hdr->nlmsg_type)
+		{
+			case RTM_NEWADDR:
+			case RTM_DELADDR:
+				process_addr(this, hdr, TRUE);
+				this->condvar->broadcast(this->condvar);
+				break;
+			case RTM_NEWLINK:
+			case RTM_DELLINK:
+				process_link(this, hdr, TRUE);
+				this->condvar->broadcast(this->condvar);
+				break;
+			case RTM_NEWROUTE:
+			case RTM_DELROUTE:
+				if (this->process_route)
+				{
+					process_route(this, hdr);
+				}
+				break;
+			default:
+				break;
+		}
+		hdr = NLMSG_NEXT(hdr, len);
+	}
+	return JOB_REQUEUE_DIRECT;
+}
+
+/** enumerator over addresses */
+typedef struct {
+	private_kernel_netlink_net_t* this;
+	/** whether to enumerate down interfaces */
+	bool include_down_ifaces;
+	/** whether to enumerate virtual ip addresses */
+	bool include_virtual_ips;
+} address_enumerator_t;
+
+/**
+ * cleanup function for address enumerator
+ */
+static void address_enumerator_destroy(address_enumerator_t *data)
+{
+	data->this->mutex->unlock(data->this->mutex);
+	free(data);
+}
+
+/**
+ * filter for addresses
+ */
+static bool filter_addresses(address_enumerator_t *data, addr_entry_t** in, host_t** out)
+{
+	if (!data->include_virtual_ips && (*in)->virtual)
+	{	/* skip virtual interfaces added by us */
+		return FALSE;
+	}
+	if ((*in)->scope >= RT_SCOPE_LINK)
+	{	/* skip addresses with a unusable scope */
+		return FALSE;
+	}
+	*out = (*in)->ip;
+	return TRUE;
+}
+
+/**
+ * enumerator constructor for interfaces
+ */
+static enumerator_t *create_iface_enumerator(iface_entry_t *iface, address_enumerator_t *data)
+{
+	return enumerator_create_filter(iface->addrs->create_enumerator(iface->addrs),
+				(void*)filter_addresses, data, NULL);
+}
+
+/**
+ * filter for interfaces
+ */
+static bool filter_interfaces(address_enumerator_t *data, iface_entry_t** in, iface_entry_t** out)
+{
+	if (!data->include_down_ifaces && !((*in)->flags & IFF_UP))
+	{	/* skip interfaces not up */
+		return FALSE;
+	}
+	*out = *in;
+	return TRUE;
+}
+
+/**
+ * implementation of kernel_net_t.create_address_enumerator
+ */
+static enumerator_t *create_address_enumerator(private_kernel_netlink_net_t *this,
+		bool include_down_ifaces, bool include_virtual_ips)
+{
+	address_enumerator_t *data = malloc_thing(address_enumerator_t);
+	data->this = this;
+	data->include_down_ifaces = include_down_ifaces;
+	data->include_virtual_ips = include_virtual_ips;
+
+	this->mutex->lock(this->mutex);
+	return enumerator_create_nested(
+				enumerator_create_filter(this->ifaces->create_enumerator(this->ifaces),
+							(void*)filter_interfaces, data, NULL),
+				(void*)create_iface_enumerator, data, (void*)address_enumerator_destroy);
+}
+
+/**
+ * implementation of kernel_net_t.get_interface_name
+ */
+static char *get_interface_name(private_kernel_netlink_net_t *this, host_t* ip)
+{
+	enumerator_t *ifaces, *addrs;
+	iface_entry_t *iface;
+	addr_entry_t *addr;
+	char *name = NULL;
+
+	DBG2(DBG_KNL, "getting interface name for %H", ip);
+
+	this->mutex->lock(this->mutex);
+	ifaces = this->ifaces->create_enumerator(this->ifaces);
+	while (ifaces->enumerate(ifaces, &iface))
+	{
+		addrs = iface->addrs->create_enumerator(iface->addrs);
+		while (addrs->enumerate(addrs, &addr))
+		{
+			if (ip->ip_equals(ip, addr->ip))
+			{
+				name = strdup(iface->ifname);
+				break;
+			}
+		}
+		addrs->destroy(addrs);
+		if (name)
+		{
+			break;
+		}
+	}
+	ifaces->destroy(ifaces);
+	this->mutex->unlock(this->mutex);
+
+	if (name)
+	{
+		DBG2(DBG_KNL, "%H is on interface %s", ip, name);
+	}
+	else
+	{
+		DBG2(DBG_KNL, "%H is not a local address", ip);
+	}
+	return name;
+}
+
+/**
+ * get the index of an interface by name
+ */
+static int get_interface_index(private_kernel_netlink_net_t *this, char* name)
+{
+	enumerator_t *ifaces;
+	iface_entry_t *iface;
+	int ifindex = 0;
+
+	DBG2(DBG_KNL, "getting iface index for %s", name);
+
+	this->mutex->lock(this->mutex);
+	ifaces = this->ifaces->create_enumerator(this->ifaces);
+	while (ifaces->enumerate(ifaces, &iface))
+	{
+		if (streq(name, iface->ifname))
+		{
+			ifindex = iface->ifindex;
+			break;
+		}
+	}
+	ifaces->destroy(ifaces);
+	this->mutex->unlock(this->mutex);
+
+	if (ifindex == 0)
+	{
+		DBG1(DBG_KNL, "unable to get interface index for %s", name);
+	}
+	return ifindex;
+}
+
+/**
+ * Check if an interface with a given index is up
+ */
+static bool is_interface_up(private_kernel_netlink_net_t *this, int index)
+{
+	enumerator_t *ifaces;
+	iface_entry_t *iface;
+	/* default to TRUE for interface we do not monitor (e.g. lo) */
+	bool up = TRUE;
+
+	ifaces = this->ifaces->create_enumerator(this->ifaces);
+	while (ifaces->enumerate(ifaces, &iface))
+	{
+		if (iface->ifindex == index)
+		{
+			up = iface->flags & IFF_UP;
+			break;
+		}
+	}
+	ifaces->destroy(ifaces);
+	return up;
+}
+
+/**
+ * check if an address (chunk) addr is in subnet (net with net_len net bits)
+ */
+static bool addr_in_subnet(chunk_t addr, chunk_t net, int net_len)
+{
+	static const u_char mask[] = { 0x00, 0x80, 0xc0, 0xe0, 0xf0, 0xf8, 0xfc, 0xfe };
+	int byte = 0;
+
+	if (net_len == 0)
+	{	/* any address matches a /0 network */
+		return TRUE;
+	}
+	if (addr.len != net.len || net_len > 8 * net.len )
+	{
+		return FALSE;
+	}
+	/* scan through all bytes in network order */
+	while (net_len > 0)
+	{
+		if (net_len < 8)
+		{
+			return (mask[net_len] & addr.ptr[byte]) == (mask[net_len] & net.ptr[byte]);
+		}
+		else
+		{
+			if (addr.ptr[byte] != net.ptr[byte])
+			{
+				return FALSE;
+			}
+			byte++;
+			net_len -= 8;
+		}
+	}
+	return TRUE;
+}
+
+/**
+ * Get a route: If "nexthop", the nexthop is returned. source addr otherwise.
+ */
+static host_t *get_route(private_kernel_netlink_net_t *this, host_t *dest,
+						 bool nexthop, host_t *candidate)
+{
+	netlink_buf_t request;
+	struct nlmsghdr *hdr, *out, *current;
+	struct rtmsg *msg;
+	chunk_t chunk;
+	size_t len;
+	int best = -1;
+	enumerator_t *enumerator;
+	host_t *src = NULL, *gtw = NULL;
+
+	DBG2(DBG_KNL, "getting address to reach %H", dest);
+
+	memset(&request, 0, sizeof(request));
+
+	hdr = (struct nlmsghdr*)request;
+	hdr->nlmsg_flags = NLM_F_REQUEST;
+	if (dest->get_family(dest) == AF_INET)
+	{
+		/* We dump all addresses for IPv4, as we want to ignore IPsec specific
+		 * routes installed by us. But the kernel does not return source
+		 * addresses in a IPv6 dump, so fall back to get() for v6 routes. */
+		hdr->nlmsg_flags |= NLM_F_ROOT | NLM_F_DUMP;
+	}
+	hdr->nlmsg_type = RTM_GETROUTE;
+	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg));
+
+	msg = (struct rtmsg*)NLMSG_DATA(hdr);
+	msg->rtm_family = dest->get_family(dest);
+	if (candidate)
+	{
+		chunk = candidate->get_address(candidate);
+		netlink_add_attribute(hdr, RTA_PREFSRC, chunk, sizeof(request));
+	}
+	chunk = dest->get_address(dest);
+	netlink_add_attribute(hdr, RTA_DST, chunk, sizeof(request));
+
+	if (this->socket->send(this->socket, hdr, &out, &len) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "getting address to %H failed", dest);
+		return NULL;
+	}
+	this->mutex->lock(this->mutex);
+
+	for (current = out; NLMSG_OK(current, len);
+		 current = NLMSG_NEXT(current, len))
+	{
+		switch (current->nlmsg_type)
+		{
+			case NLMSG_DONE:
+				break;
+			case RTM_NEWROUTE:
+			{
+				struct rtattr *rta;
+				size_t rtasize;
+				chunk_t rta_gtw, rta_src, rta_dst;
+				u_int32_t rta_oif = 0;
+				host_t *new_src, *new_gtw;
+				bool cont = FALSE;
+				uintptr_t table;
+
+				rta_gtw = rta_src = rta_dst = chunk_empty;
+				msg = (struct rtmsg*)(NLMSG_DATA(current));
+				rta = RTM_RTA(msg);
+				rtasize = RTM_PAYLOAD(current);
+				while (RTA_OK(rta, rtasize))
+				{
+					switch (rta->rta_type)
+					{
+						case RTA_PREFSRC:
+							rta_src = chunk_create(RTA_DATA(rta), RTA_PAYLOAD(rta));
+							break;
+						case RTA_GATEWAY:
+							rta_gtw = chunk_create(RTA_DATA(rta), RTA_PAYLOAD(rta));
+							break;
+						case RTA_DST:
+							rta_dst = chunk_create(RTA_DATA(rta), RTA_PAYLOAD(rta));
+							break;
+						case RTA_OIF:
+							if (RTA_PAYLOAD(rta) == sizeof(rta_oif))
+							{
+								rta_oif = *(u_int32_t*)RTA_DATA(rta);
+							}
+							break;
+					}
+					rta = RTA_NEXT(rta, rtasize);
+				}
+				if (msg->rtm_dst_len <= best)
+				{	/* not better than a previous one */
+					continue;
+				}
+				enumerator = this->rt_exclude->create_enumerator(this->rt_exclude);
+				while (enumerator->enumerate(enumerator, &table))
+				{
+					if (table == msg->rtm_table)
+					{
+						cont = TRUE;
+						break;
+					}
+				}
+				enumerator->destroy(enumerator);
+				if (cont)
+				{
+					continue;
+				}
+				if (this->routing_table != 0 &&
+					msg->rtm_table == this->routing_table)
+				{	/* route is from our own ipsec routing table */
+					continue;
+				}
+				if (rta_oif && !is_interface_up(this, rta_oif))
+				{	/* interface is down */
+					continue;
+				}
+				if (!addr_in_subnet(chunk, rta_dst, msg->rtm_dst_len))
+				{	/* route destination does not contain dest */
+					continue;
+				}
+
+				if (nexthop)
+				{
+					/* nexthop lookup, return gateway if any */
+					DESTROY_IF(gtw);
+					gtw = host_create_from_chunk(msg->rtm_family, rta_gtw, 0);
+					best = msg->rtm_dst_len;
+					continue;
+				}
+				if (rta_src.ptr)
+				{	/* got a source address */
+					new_src = host_create_from_chunk(msg->rtm_family, rta_src, 0);
+					if (new_src)
+					{
+						if (get_vip_refcount(this, new_src))
+						{	/* skip source address if it is installed by us */
+							new_src->destroy(new_src);
+						}
+						else
+						{
+							DESTROY_IF(src);
+							src = new_src;
+							best = msg->rtm_dst_len;
+						}
+					}
+					continue;
+				}
+				if (rta_oif)
+				{	/* no src or gtw, but an interface. Get address from it. */
+					new_src = get_interface_address(this, rta_oif,
+													msg->rtm_family);
+					if (new_src)
+					{
+						DESTROY_IF(src);
+						src = new_src;
+						best = msg->rtm_dst_len;
+					}
+					continue;
+				}
+				if (rta_gtw.ptr)
+				{	/* no source, but a gateway. Lookup source to reach gtw. */
+					new_gtw = host_create_from_chunk(msg->rtm_family, rta_gtw, 0);
+					new_src = get_route(this, new_gtw, FALSE, candidate);
+					new_gtw->destroy(new_gtw);
+					if (new_src)
+					{
+						DESTROY_IF(src);
+						src = new_src;
+						best = msg->rtm_dst_len;
+					}
+					continue;
+				}
+				continue;
+			}
+			default:
+				continue;
+		}
+		break;
+	}
+	free(out);
+	this->mutex->unlock(this->mutex);
+
+	if (nexthop)
+	{
+		if (gtw)
+		{
+			return gtw;
+		}
+		return dest->clone(dest);
+	}
+	return src;
+}
+
+/**
+ * Implementation of kernel_net_t.get_source_addr.
+ */
+static host_t* get_source_addr(private_kernel_netlink_net_t *this,
+							   host_t *dest, host_t *src)
+{
+	return get_route(this, dest, FALSE, src);
+}
+
+/**
+ * Implementation of kernel_net_t.get_nexthop.
+ */
+static host_t* get_nexthop(private_kernel_netlink_net_t *this, host_t *dest)
+{
+	return get_route(this, dest, TRUE, NULL);
+}
+
+/**
+ * Manages the creation and deletion of ip addresses on an interface.
+ * By setting the appropriate nlmsg_type, the ip will be set or unset.
+ */
+static status_t manage_ipaddr(private_kernel_netlink_net_t *this, int nlmsg_type,
+							  int flags, int if_index, host_t *ip)
+{
+	netlink_buf_t request;
+	struct nlmsghdr *hdr;
+	struct ifaddrmsg *msg;
+	chunk_t chunk;
+
+	memset(&request, 0, sizeof(request));
+
+	chunk = ip->get_address(ip);
+
+	hdr = (struct nlmsghdr*)request;
+	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags;
+	hdr->nlmsg_type = nlmsg_type;
+	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct ifaddrmsg));
+
+	msg = (struct ifaddrmsg*)NLMSG_DATA(hdr);
+	msg->ifa_family = ip->get_family(ip);
+	msg->ifa_flags = 0;
+	msg->ifa_prefixlen = 8 * chunk.len;
+	msg->ifa_scope = RT_SCOPE_UNIVERSE;
+	msg->ifa_index = if_index;
+
+	netlink_add_attribute(hdr, IFA_LOCAL, chunk, sizeof(request));
+
+	return this->socket->send_ack(this->socket, hdr);
+}
+
+/**
+ * Implementation of kernel_net_t.add_ip.
+ */
+static status_t add_ip(private_kernel_netlink_net_t *this,
+						host_t *virtual_ip, host_t *iface_ip)
+{
+	iface_entry_t *iface;
+	addr_entry_t *addr;
+	enumerator_t *addrs, *ifaces;
+	int ifindex;
+
+	if (!this->install_virtual_ip)
+	{	/* disabled by config */
+		return SUCCESS;
+	}
+
+	DBG2(DBG_KNL, "adding virtual IP %H", virtual_ip);
+
+	this->mutex->lock(this->mutex);
+	ifaces = this->ifaces->create_enumerator(this->ifaces);
+	while (ifaces->enumerate(ifaces, &iface))
+	{
+		bool iface_found = FALSE;
+
+		addrs = iface->addrs->create_enumerator(iface->addrs);
+		while (addrs->enumerate(addrs, &addr))
+		{
+			if (iface_ip->ip_equals(iface_ip, addr->ip))
+			{
+				iface_found = TRUE;
+			}
+			else if (virtual_ip->ip_equals(virtual_ip, addr->ip))
+			{
+				addr->refcount++;
+				DBG2(DBG_KNL, "virtual IP %H already installed on %s",
+					 virtual_ip, iface->ifname);
+				addrs->destroy(addrs);
+				ifaces->destroy(ifaces);
+				this->mutex->unlock(this->mutex);
+				return SUCCESS;
+			}
+		}
+		addrs->destroy(addrs);
+
+		if (iface_found)
+		{
+			ifindex = iface->ifindex;
+			addr = malloc_thing(addr_entry_t);
+			addr->ip = virtual_ip->clone(virtual_ip);
+			addr->refcount = 0;
+			addr->virtual = TRUE;
+			addr->scope = RT_SCOPE_UNIVERSE;
+			iface->addrs->insert_last(iface->addrs, addr);
+
+			if (manage_ipaddr(this, RTM_NEWADDR, NLM_F_CREATE | NLM_F_EXCL,
+							  ifindex, virtual_ip) == SUCCESS)
+			{
+				while (get_vip_refcount(this, virtual_ip) == 0)
+				{	/* wait until address appears */
+					this->condvar->wait(this->condvar, this->mutex);
+				}
+				ifaces->destroy(ifaces);
+				this->mutex->unlock(this->mutex);
+				return SUCCESS;
+			}
+			ifaces->destroy(ifaces);
+			this->mutex->unlock(this->mutex);
+			DBG1(DBG_KNL, "adding virtual IP %H failed", virtual_ip);
+			return FAILED;
+		}
+	}
+	ifaces->destroy(ifaces);
+	this->mutex->unlock(this->mutex);
+
+	DBG1(DBG_KNL, "interface address %H not found, unable to install"
+		 "virtual IP %H", iface_ip, virtual_ip);
+	return FAILED;
+}
+
+/**
+ * Implementation of kernel_net_t.del_ip.
+ */
+static status_t del_ip(private_kernel_netlink_net_t *this, host_t *virtual_ip)
+{
+	iface_entry_t *iface;
+	addr_entry_t *addr;
+	enumerator_t *addrs, *ifaces;
+	status_t status;
+	int ifindex;
+
+	if (!this->install_virtual_ip)
+	{	/* disabled by config */
+		return SUCCESS;
+	}
+
+	DBG2(DBG_KNL, "deleting virtual IP %H", virtual_ip);
+
+	this->mutex->lock(this->mutex);
+	ifaces = this->ifaces->create_enumerator(this->ifaces);
+	while (ifaces->enumerate(ifaces, &iface))
+	{
+		addrs = iface->addrs->create_enumerator(iface->addrs);
+		while (addrs->enumerate(addrs, &addr))
+		{
+			if (virtual_ip->ip_equals(virtual_ip, addr->ip))
+			{
+				ifindex = iface->ifindex;
+				if (addr->refcount == 1)
+				{
+					status = manage_ipaddr(this, RTM_DELADDR, 0,
+										   ifindex, virtual_ip);
+					if (status == SUCCESS)
+					{	/* wait until the address is really gone */
+						while (get_vip_refcount(this, virtual_ip) > 0)
+						{
+							this->condvar->wait(this->condvar, this->mutex);
+						}
+					}
+					addrs->destroy(addrs);
+					ifaces->destroy(ifaces);
+					this->mutex->unlock(this->mutex);
+					return status;
+				}
+				else
+				{
+					addr->refcount--;
+				}
+				DBG2(DBG_KNL, "virtual IP %H used by other SAs, not deleting",
+					 virtual_ip);
+				addrs->destroy(addrs);
+				ifaces->destroy(ifaces);
+				this->mutex->unlock(this->mutex);
+				return SUCCESS;
+			}
+		}
+		addrs->destroy(addrs);
+	}
+	ifaces->destroy(ifaces);
+	this->mutex->unlock(this->mutex);
+
+	DBG2(DBG_KNL, "virtual IP %H not cached, unable to delete", virtual_ip);
+	return FAILED;
+}
+
+/**
+ * Manages source routes in the routing table.
+ * By setting the appropriate nlmsg_type, the route gets added or removed.
+ */
+static status_t manage_srcroute(private_kernel_netlink_net_t *this, int nlmsg_type,
+								int flags, chunk_t dst_net, u_int8_t prefixlen,
+								host_t *gateway, host_t *src_ip, char *if_name)
+{
+	netlink_buf_t request;
+	struct nlmsghdr *hdr;
+	struct rtmsg *msg;
+	int ifindex;
+	chunk_t chunk;
+
+	/* if route is 0.0.0.0/0, we can't install it, as it would
+	 * overwrite the default route. Instead, we add two routes:
+	 * 0.0.0.0/1 and 128.0.0.0/1 */
+	if (this->routing_table == 0 && prefixlen == 0)
+	{
+		chunk_t half_net;
+		u_int8_t half_prefixlen;
+		status_t status;
+
+		half_net = chunk_alloca(dst_net.len);
+		memset(half_net.ptr, 0, half_net.len);
+		half_prefixlen = 1;
+
+		status = manage_srcroute(this, nlmsg_type, flags, half_net, half_prefixlen,
+					gateway, src_ip, if_name);
+		half_net.ptr[0] |= 0x80;
+		status = manage_srcroute(this, nlmsg_type, flags, half_net, half_prefixlen,
+					gateway, src_ip, if_name);
+		return status;
+	}
+
+	memset(&request, 0, sizeof(request));
+
+	hdr = (struct nlmsghdr*)request;
+	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags;
+	hdr->nlmsg_type = nlmsg_type;
+	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg));
+
+	msg = (struct rtmsg*)NLMSG_DATA(hdr);
+	msg->rtm_family = src_ip->get_family(src_ip);
+	msg->rtm_dst_len = prefixlen;
+	msg->rtm_table = this->routing_table;
+	msg->rtm_protocol = RTPROT_STATIC;
+	msg->rtm_type = RTN_UNICAST;
+	msg->rtm_scope = RT_SCOPE_UNIVERSE;
+
+	netlink_add_attribute(hdr, RTA_DST, dst_net, sizeof(request));
+	chunk = src_ip->get_address(src_ip);
+	netlink_add_attribute(hdr, RTA_PREFSRC, chunk, sizeof(request));
+	if (gateway && gateway->get_family(gateway) == src_ip->get_family(src_ip))
+	{
+		chunk = gateway->get_address(gateway);
+		netlink_add_attribute(hdr, RTA_GATEWAY, chunk, sizeof(request));
+	}
+	ifindex = get_interface_index(this, if_name);
+	chunk.ptr = (char*)&ifindex;
+	chunk.len = sizeof(ifindex);
+	netlink_add_attribute(hdr, RTA_OIF, chunk, sizeof(request));
+
+	return this->socket->send_ack(this->socket, hdr);
+}
+
+/**
+ * Implementation of kernel_net_t.add_route.
+ */
+static status_t add_route(private_kernel_netlink_net_t *this, chunk_t dst_net,
+		u_int8_t prefixlen, host_t *gateway, host_t *src_ip, char *if_name)
+{
+	return manage_srcroute(this, RTM_NEWROUTE, NLM_F_CREATE | NLM_F_EXCL,
+				dst_net, prefixlen, gateway, src_ip, if_name);
+}
+
+/**
+ * Implementation of kernel_net_t.del_route.
+ */
+static status_t del_route(private_kernel_netlink_net_t *this, chunk_t dst_net,
+		u_int8_t prefixlen, host_t *gateway, host_t *src_ip, char *if_name)
+{
+	return manage_srcroute(this, RTM_DELROUTE, 0, dst_net, prefixlen,
+				gateway, src_ip, if_name);
+}
+
+/**
+ * Initialize a list of local addresses.
+ */
+static status_t init_address_list(private_kernel_netlink_net_t *this)
+{
+	netlink_buf_t request;
+	struct nlmsghdr *out, *current, *in;
+	struct rtgenmsg *msg;
+	size_t len;
+	enumerator_t *ifaces, *addrs;
+	iface_entry_t *iface;
+	addr_entry_t *addr;
+
+	DBG1(DBG_KNL, "listening on interfaces:");
+
+	memset(&request, 0, sizeof(request));
+
+	in = (struct nlmsghdr*)&request;
+	in->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtgenmsg));
+	in->nlmsg_flags = NLM_F_REQUEST | NLM_F_MATCH | NLM_F_ROOT;
+	msg = (struct rtgenmsg*)NLMSG_DATA(in);
+	msg->rtgen_family = AF_UNSPEC;
+
+	/* get all links */
+	in->nlmsg_type = RTM_GETLINK;
+	if (this->socket->send(this->socket, in, &out, &len) != SUCCESS)
+	{
+		return FAILED;
+	}
+	current = out;
+	while (NLMSG_OK(current, len))
+	{
+		switch (current->nlmsg_type)
+		{
+			case NLMSG_DONE:
+				break;
+			case RTM_NEWLINK:
+				process_link(this, current, FALSE);
+				/* fall through */
+			default:
+				current = NLMSG_NEXT(current, len);
+				continue;
+		}
+		break;
+	}
+	free(out);
+
+	/* get all interface addresses */
+	in->nlmsg_type = RTM_GETADDR;
+	if (this->socket->send(this->socket, in, &out, &len) != SUCCESS)
+	{
+		return FAILED;
+	}
+	current = out;
+	while (NLMSG_OK(current, len))
+	{
+		switch (current->nlmsg_type)
+		{
+			case NLMSG_DONE:
+				break;
+			case RTM_NEWADDR:
+				process_addr(this, current, FALSE);
+				/* fall through */
+			default:
+				current = NLMSG_NEXT(current, len);
+				continue;
+		}
+		break;
+	}
+	free(out);
+
+	this->mutex->lock(this->mutex);
+	ifaces = this->ifaces->create_enumerator(this->ifaces);
+	while (ifaces->enumerate(ifaces, &iface))
+	{
+		if (iface->flags & IFF_UP)
+		{
+			DBG1(DBG_KNL, "  %s", iface->ifname);
+			addrs = iface->addrs->create_enumerator(iface->addrs);
+			while (addrs->enumerate(addrs, (void**)&addr))
+			{
+				DBG1(DBG_KNL, "    %H", addr->ip);
+			}
+			addrs->destroy(addrs);
+		}
+	}
+	ifaces->destroy(ifaces);
+	this->mutex->unlock(this->mutex);
+	return SUCCESS;
+}
+
+/**
+ * create or delete a rule to use our routing table
+ */
+static status_t manage_rule(private_kernel_netlink_net_t *this, int nlmsg_type,
+							int family, u_int32_t table, u_int32_t prio)
+{
+	netlink_buf_t request;
+	struct nlmsghdr *hdr;
+	struct rtmsg *msg;
+	chunk_t chunk;
+
+	memset(&request, 0, sizeof(request));
+	hdr = (struct nlmsghdr*)request;
+	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
+	hdr->nlmsg_type = nlmsg_type;
+	if (nlmsg_type == RTM_NEWRULE)
+	{
+		hdr->nlmsg_flags |= NLM_F_CREATE | NLM_F_EXCL;
+	}
+	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg));
+
+	msg = (struct rtmsg*)NLMSG_DATA(hdr);
+	msg->rtm_table = table;
+	msg->rtm_family = family;
+	msg->rtm_protocol = RTPROT_BOOT;
+	msg->rtm_scope = RT_SCOPE_UNIVERSE;
+	msg->rtm_type = RTN_UNICAST;
+
+	chunk = chunk_from_thing(prio);
+	netlink_add_attribute(hdr, RTA_PRIORITY, chunk, sizeof(request));
+
+	return this->socket->send_ack(this->socket, hdr);
+}
+
+/**
+ * Implementation of kernel_netlink_net_t.destroy.
+ */
+static void destroy(private_kernel_netlink_net_t *this)
+{
+	if (this->routing_table)
+	{
+		manage_rule(this, RTM_DELRULE, AF_INET, this->routing_table,
+					this->routing_table_prio);
+		manage_rule(this, RTM_DELRULE, AF_INET6, this->routing_table,
+					this->routing_table_prio);
+	}
+	if (this->job)
+	{
+		this->job->cancel(this->job);
+	}
+	if (this->socket_events > 0)
+	{
+		close(this->socket_events);
+	}
+	DESTROY_IF(this->socket);
+	this->ifaces->destroy_function(this->ifaces, (void*)iface_entry_destroy);
+	this->rt_exclude->destroy(this->rt_exclude);
+	this->condvar->destroy(this->condvar);
+	this->mutex->destroy(this->mutex);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+kernel_netlink_net_t *kernel_netlink_net_create()
+{
+	private_kernel_netlink_net_t *this = malloc_thing(private_kernel_netlink_net_t);
+	struct sockaddr_nl addr;
+	enumerator_t *enumerator;
+	char *exclude;
+
+	/* public functions */
+	this->public.interface.get_interface = (char*(*)(kernel_net_t*,host_t*))get_interface_name;
+	this->public.interface.create_address_enumerator = (enumerator_t*(*)(kernel_net_t*,bool,bool))create_address_enumerator;
+	this->public.interface.get_source_addr = (host_t*(*)(kernel_net_t*, host_t *dest, host_t *src))get_source_addr;
+	this->public.interface.get_nexthop = (host_t*(*)(kernel_net_t*, host_t *dest))get_nexthop;
+	this->public.interface.add_ip = (status_t(*)(kernel_net_t*,host_t*,host_t*)) add_ip;
+	this->public.interface.del_ip = (status_t(*)(kernel_net_t*,host_t*)) del_ip;
+	this->public.interface.add_route = (status_t(*)(kernel_net_t*,chunk_t,u_int8_t,host_t*,host_t*,char*)) add_route;
+	this->public.interface.del_route = (status_t(*)(kernel_net_t*,chunk_t,u_int8_t,host_t*,host_t*,char*)) del_route;
+	this->public.interface.destroy = (void(*)(kernel_net_t*)) destroy;
+
+	/* private members */
+	this->ifaces = linked_list_create();
+	this->mutex = mutex_create(MUTEX_TYPE_RECURSIVE);
+	this->condvar = condvar_create(CONDVAR_TYPE_DEFAULT);
+	timerclear(&this->last_roam);
+	this->routing_table = lib->settings->get_int(lib->settings,
+					"%s.routing_table", ROUTING_TABLE, hydra->daemon);
+	this->routing_table_prio = lib->settings->get_int(lib->settings,
+					"%s.routing_table_prio", ROUTING_TABLE_PRIO, hydra->daemon);
+	this->process_route = lib->settings->get_bool(lib->settings,
+					"%s.process_route", TRUE, hydra->daemon);
+	this->install_virtual_ip = lib->settings->get_bool(lib->settings,
+					"%s.install_virtual_ip", TRUE, hydra->daemon);
+
+	this->rt_exclude = linked_list_create();
+	exclude = lib->settings->get_str(lib->settings,
+					"%s.ignore_routing_tables", NULL, hydra->daemon);
+	if (exclude)
+	{
+		char *token;
+		uintptr_t table;
+
+		enumerator = enumerator_create_token(exclude, " ", " ");
+		while (enumerator->enumerate(enumerator, &token))
+		{
+			errno = 0;
+			table = strtoul(token, NULL, 10);
+
+			if (errno == 0)
+			{
+				this->rt_exclude->insert_last(this->rt_exclude, (void*)table);
+			}
+		}
+		enumerator->destroy(enumerator);
+	}
+
+	this->socket = netlink_socket_create(NETLINK_ROUTE);
+	this->job = NULL;
+
+	memset(&addr, 0, sizeof(addr));
+	addr.nl_family = AF_NETLINK;
+
+	/* create and bind RT socket for events (address/interface/route changes) */
+	this->socket_events = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
+	if (this->socket_events < 0)
+	{
+		DBG1(DBG_KNL, "unable to create RT event socket");
+		destroy(this);
+		return NULL;
+	}
+	addr.nl_groups = RTMGRP_IPV4_IFADDR | RTMGRP_IPV6_IFADDR |
+					 RTMGRP_IPV4_ROUTE | RTMGRP_IPV4_ROUTE | RTMGRP_LINK;
+	if (bind(this->socket_events, (struct sockaddr*)&addr, sizeof(addr)))
+	{
+		DBG1(DBG_KNL, "unable to bind RT event socket");
+		destroy(this);
+		return NULL;
+	}
+
+	this->job = callback_job_create((callback_job_cb_t)receive_events,
+									this, NULL, NULL);
+	lib->processor->queue_job(lib->processor, (job_t*)this->job);
+
+	if (init_address_list(this) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "unable to get interface list");
+		destroy(this);
+		return NULL;
+	}
+
+	if (this->routing_table)
+	{
+		if (manage_rule(this, RTM_NEWRULE, AF_INET, this->routing_table,
+						this->routing_table_prio) != SUCCESS)
+		{
+			DBG1(DBG_KNL, "unable to create IPv4 routing table rule");
+		}
+		if (manage_rule(this, RTM_NEWRULE, AF_INET6, this->routing_table,
+						this->routing_table_prio) != SUCCESS)
+		{
+			DBG1(DBG_KNL, "unable to create IPv6 routing table rule");
+		}
+	}
+
+	return &this->public;
+}
diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.h b/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.h
new file mode 100644
index 000000000..ff9831d3c
--- /dev/null
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.h
@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup kernel_netlink_net_i kernel_netlink_net
+ * @{ @ingroup kernel_netlink
+ */
+
+#ifndef KERNEL_NETLINK_NET_H_
+#define KERNEL_NETLINK_NET_H_
+
+#include <kernel/kernel_net.h>
+
+typedef struct kernel_netlink_net_t kernel_netlink_net_t;
+
+/**
+ * Implementation of the kernel network interface using Netlink.
+ */
+struct kernel_netlink_net_t {
+
+	/**
+	 * Implements kernel_net_t interface
+	 */
+	kernel_net_t interface;
+};
+
+/**
+ * Create a netlink kernel network interface instance.
+ *
+ * @return			kernel_netlink_net_t instance
+ */
+kernel_netlink_net_t *kernel_netlink_net_create();
+
+#endif /** KERNEL_NETLINK_NET_H_ @}*/
diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_plugin.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_plugin.c
new file mode 100644
index 000000000..212675d1a
--- /dev/null
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_plugin.c
@@ -0,0 +1,63 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+
+#include "kernel_netlink_plugin.h"
+
+#include "kernel_netlink_ipsec.h"
+#include "kernel_netlink_net.h"
+
+#include <hydra.h>
+
+typedef struct private_kernel_netlink_plugin_t private_kernel_netlink_plugin_t;
+
+/**
+ * private data of kernel netlink plugin
+ */
+struct private_kernel_netlink_plugin_t {
+	/**
+	 * implements plugin interface
+	 */
+	kernel_netlink_plugin_t public;
+};
+
+/**
+ * Implementation of plugin_t.destroy
+ */
+static void destroy(private_kernel_netlink_plugin_t *this)
+{
+	hydra->kernel_interface->remove_ipsec_interface(hydra->kernel_interface,
+					(kernel_ipsec_constructor_t)kernel_netlink_ipsec_create);
+	hydra->kernel_interface->remove_net_interface(hydra->kernel_interface,
+					(kernel_net_constructor_t)kernel_netlink_net_create);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *kernel_netlink_plugin_create()
+{
+	private_kernel_netlink_plugin_t *this = malloc_thing(private_kernel_netlink_plugin_t);
+
+	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+
+	hydra->kernel_interface->add_ipsec_interface(hydra->kernel_interface,
+					(kernel_ipsec_constructor_t)kernel_netlink_ipsec_create);
+	hydra->kernel_interface->add_net_interface(hydra->kernel_interface,
+					(kernel_net_constructor_t)kernel_netlink_net_create);
+
+	return &this->public.plugin;
+}
diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_plugin.h b/src/libhydra/plugins/kernel_netlink/kernel_netlink_plugin.h
new file mode 100644
index 000000000..a795486ca
--- /dev/null
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup kernel_netlink kernel_netlink
+ * @ingroup hplugins
+ *
+ * @defgroup kernel_netlink_plugin kernel_netlink_plugin
+ * @{ @ingroup kernel_netlink
+ */
+
+#ifndef KERNEL_NETLINK_PLUGIN_H_
+#define KERNEL_NETLINK_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct kernel_netlink_plugin_t kernel_netlink_plugin_t;
+
+/**
+ * netlink kernel interface plugin
+ */
+struct kernel_netlink_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+#endif /** KERNEL_NETLINK_PLUGIN_H_ @}*/
diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.c
new file mode 100644
index 000000000..c26fd2e51
--- /dev/null
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.c
@@ -0,0 +1,306 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <sys/socket.h>
+#include <linux/netlink.h>
+#include <linux/rtnetlink.h>
+#include <errno.h>
+#include <unistd.h>
+
+#include "kernel_netlink_shared.h"
+
+#include <debug.h>
+#include <threading/mutex.h>
+
+typedef struct private_netlink_socket_t private_netlink_socket_t;
+
+/**
+ * Private variables and functions of netlink_socket_t class.
+ */
+struct private_netlink_socket_t {
+	/**
+	 * public part of the netlink_socket_t object.
+	 */
+	netlink_socket_t public;
+
+	/**
+	 * mutex to lock access to netlink socket
+	 */
+	mutex_t *mutex;
+
+	/**
+	 * current sequence number for netlink request
+	 */
+	int seq;
+
+	/**
+	 * netlink socket protocol
+	 */
+	int protocol;
+
+	/**
+	 * netlink socket
+	 */
+	int socket;
+};
+
+/**
+ * Imported from kernel_netlink_ipsec.c
+ */
+extern enum_name_t *xfrm_msg_names;
+
+/**
+ * Implementation of netlink_socket_t.send
+ */
+static status_t netlink_send(private_netlink_socket_t *this, struct nlmsghdr *in,
+			  struct nlmsghdr **out, size_t *out_len)
+{
+	int len, addr_len;
+	struct sockaddr_nl addr;
+	chunk_t result = chunk_empty, tmp;
+	struct nlmsghdr *msg, peek;
+
+	this->mutex->lock(this->mutex);
+
+	in->nlmsg_seq = ++this->seq;
+	in->nlmsg_pid = getpid();
+
+	memset(&addr, 0, sizeof(addr));
+	addr.nl_family = AF_NETLINK;
+	addr.nl_pid = 0;
+	addr.nl_groups = 0;
+
+	if (this->protocol == NETLINK_XFRM)
+	{
+		chunk_t in_chunk = { (u_char*)in, in->nlmsg_len };
+
+		DBG3(DBG_KNL, "sending %N: %B", xfrm_msg_names, in->nlmsg_type, &in_chunk);
+	}
+
+	while (TRUE)
+	{
+		len = sendto(this->socket, in, in->nlmsg_len, 0,
+					 (struct sockaddr*)&addr, sizeof(addr));
+
+		if (len != in->nlmsg_len)
+		{
+			if (errno == EINTR)
+			{
+				/* interrupted, try again */
+				continue;
+			}
+			this->mutex->unlock(this->mutex);
+			DBG1(DBG_KNL, "error sending to netlink socket: %s", strerror(errno));
+			return FAILED;
+		}
+		break;
+	}
+
+	while (TRUE)
+	{
+		char buf[4096];
+		tmp.len = sizeof(buf);
+		tmp.ptr = buf;
+		msg = (struct nlmsghdr*)tmp.ptr;
+
+		memset(&addr, 0, sizeof(addr));
+		addr.nl_family = AF_NETLINK;
+		addr.nl_pid = getpid();
+		addr.nl_groups = 0;
+		addr_len = sizeof(addr);
+
+		len = recvfrom(this->socket, tmp.ptr, tmp.len, 0,
+					   (struct sockaddr*)&addr, &addr_len);
+
+		if (len < 0)
+		{
+			if (errno == EINTR)
+			{
+				DBG1(DBG_KNL, "got interrupted");
+				/* interrupted, try again */
+				continue;
+			}
+			DBG1(DBG_KNL, "error reading from netlink socket: %s", strerror(errno));
+			this->mutex->unlock(this->mutex);
+			free(result.ptr);
+			return FAILED;
+		}
+		if (!NLMSG_OK(msg, len))
+		{
+			DBG1(DBG_KNL, "received corrupted netlink message");
+			this->mutex->unlock(this->mutex);
+			free(result.ptr);
+			return FAILED;
+		}
+		if (msg->nlmsg_seq != this->seq)
+		{
+			DBG1(DBG_KNL, "received invalid netlink sequence number");
+			if (msg->nlmsg_seq < this->seq)
+			{
+				continue;
+			}
+			this->mutex->unlock(this->mutex);
+			free(result.ptr);
+			return FAILED;
+		}
+
+		tmp.len = len;
+		result.ptr = realloc(result.ptr, result.len + tmp.len);
+		memcpy(result.ptr + result.len, tmp.ptr, tmp.len);
+		result.len += tmp.len;
+
+		/* NLM_F_MULTI flag does not seem to be set correctly, we use sequence
+		 * numbers to detect multi header messages */
+		len = recvfrom(this->socket, &peek, sizeof(peek), MSG_PEEK | MSG_DONTWAIT,
+					   (struct sockaddr*)&addr, &addr_len);
+
+		if (len == sizeof(peek) && peek.nlmsg_seq == this->seq)
+		{
+			/* seems to be multipart */
+			continue;
+		}
+		break;
+	}
+
+	*out_len = result.len;
+	*out = (struct nlmsghdr*)result.ptr;
+
+	this->mutex->unlock(this->mutex);
+
+	return SUCCESS;
+}
+
+/**
+ * Implementation of netlink_socket_t.send_ack.
+ */
+static status_t netlink_send_ack(private_netlink_socket_t *this, struct nlmsghdr *in)
+{
+	struct nlmsghdr *out, *hdr;
+	size_t len;
+
+	if (netlink_send(this, in, &out, &len) != SUCCESS)
+	{
+		return FAILED;
+	}
+	hdr = out;
+	while (NLMSG_OK(hdr, len))
+	{
+		switch (hdr->nlmsg_type)
+		{
+			case NLMSG_ERROR:
+			{
+				struct nlmsgerr* err = (struct nlmsgerr*)NLMSG_DATA(hdr);
+
+				if (err->error)
+				{
+					if (-err->error == EEXIST)
+					{	/* do not report existing routes */
+						free(out);
+						return ALREADY_DONE;
+					}
+					DBG1(DBG_KNL, "received netlink error: %s (%d)",
+						 strerror(-err->error), -err->error);
+					free(out);
+					return FAILED;
+				}
+				free(out);
+				return SUCCESS;
+			}
+			default:
+				hdr = NLMSG_NEXT(hdr, len);
+				continue;
+			case NLMSG_DONE:
+				break;
+		}
+		break;
+	}
+	DBG1(DBG_KNL, "netlink request not acknowledged");
+	free(out);
+	return FAILED;
+}
+
+/**
+ * Implementation of netlink_socket_t.destroy.
+ */
+static void destroy(private_netlink_socket_t *this)
+{
+	if (this->socket > 0)
+	{
+		close(this->socket);
+	}
+	this->mutex->destroy(this->mutex);
+	free(this);
+}
+
+/**
+ * Described in header.
+ */
+netlink_socket_t *netlink_socket_create(int protocol)
+{
+	private_netlink_socket_t *this = malloc_thing(private_netlink_socket_t);
+	struct sockaddr_nl addr;
+
+	/* public functions */
+	this->public.send = (status_t(*)(netlink_socket_t*,struct nlmsghdr*, struct nlmsghdr**, size_t*))netlink_send;
+	this->public.send_ack = (status_t(*)(netlink_socket_t*,struct nlmsghdr*))netlink_send_ack;
+	this->public.destroy = (void(*)(netlink_socket_t*))destroy;
+
+	/* private members */
+	this->seq = 200;
+	this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
+
+	memset(&addr, 0, sizeof(addr));
+	addr.nl_family = AF_NETLINK;
+
+	this->protocol = protocol;
+	this->socket = socket(AF_NETLINK, SOCK_RAW, protocol);
+	if (this->socket < 0)
+	{
+		DBG1(DBG_KNL, "unable to create netlink socket");
+		destroy(this);
+		return NULL;
+	}
+
+	addr.nl_groups = 0;
+	if (bind(this->socket, (struct sockaddr*)&addr, sizeof(addr)))
+	{
+		DBG1(DBG_KNL, "unable to bind netlink socket");
+		destroy(this);
+		return NULL;
+	}
+
+	return &this->public;
+}
+
+/**
+ * Described in header.
+ */
+void netlink_add_attribute(struct nlmsghdr *hdr, int rta_type, chunk_t data,
+						  size_t buflen)
+{
+	struct rtattr *rta;
+
+	if (NLMSG_ALIGN(hdr->nlmsg_len) + RTA_ALIGN(data.len) > buflen)
+	{
+		DBG1(DBG_KNL, "unable to add attribute, buffer too small");
+		return;
+	}
+
+	rta = (struct rtattr*)(((char*)hdr) + NLMSG_ALIGN(hdr->nlmsg_len));
+	rta->rta_type = rta_type;
+	rta->rta_len = RTA_LENGTH(data.len);
+	memcpy(RTA_DATA(rta), data.ptr, data.len);
+	hdr->nlmsg_len = NLMSG_ALIGN(hdr->nlmsg_len) + rta->rta_len;
+}
diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.h b/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.h
new file mode 100644
index 000000000..dfd27a21a
--- /dev/null
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.h
@@ -0,0 +1,77 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef KERNEL_NETLINK_SHARED_H_
+#define KERNEL_NETLINK_SHARED_H_
+
+#include <library.h>
+
+#include <linux/rtnetlink.h>
+
+/**
+ * General purpose netlink buffer.
+ *
+ * 1024 byte is currently sufficient for all operations. Some platform
+ * require an enforced aligment to four bytes (e.g. ARM).
+ */
+typedef u_char netlink_buf_t[1024] __attribute__((aligned(RTA_ALIGNTO)));
+
+typedef struct netlink_socket_t netlink_socket_t;
+
+/**
+ * Wrapper around a netlink socket.
+ */
+struct netlink_socket_t {
+
+	/**
+	 * Send a netlink message and wait for a reply.
+	 *
+	 * @param	in		netlink message to send
+	 * @param	out 	received netlink message
+	 * @param	out_len	length of the received message
+	 */
+	status_t (*send)(netlink_socket_t *this, struct nlmsghdr *in, struct nlmsghdr **out, size_t *out_len);
+
+	/**
+	 * Send a netlink message and wait for its acknowledge.
+	 *
+	 * @param	in		netlink message to send
+	 */
+	status_t (*send_ack)(netlink_socket_t *this, struct nlmsghdr *in);
+
+	/**
+	 * Destroy the socket.
+	 */
+	void (*destroy)(netlink_socket_t *this);
+};
+
+/**
+ * Create a netlink_socket_t object.
+ *
+ * @param	protocol	protocol type (e.g. NETLINK_XFRM or NETLINK_ROUTE)
+ */
+netlink_socket_t *netlink_socket_create(int protocol);
+
+/**
+ * Creates an rtattr and adds it to the given netlink message.
+ *
+ * @param	hdr			netlink message
+ * @param	rta_type	type of the rtattr
+ * @param	data		data to add to the rtattr
+ * @param	buflen		length of the netlink message buffer
+ */
+void netlink_add_attribute(struct nlmsghdr *hdr, int rta_type, chunk_t data, size_t buflen);
+
+#endif /* KERNEL_NETLINK_SHARED_H_ */
diff --git a/src/libhydra/plugins/kernel_pfkey/Makefile.am b/src/libhydra/plugins/kernel_pfkey/Makefile.am
new file mode 100644
index 000000000..1d1488a6b
--- /dev/null
+++ b/src/libhydra/plugins/kernel_pfkey/Makefile.am
@@ -0,0 +1,17 @@
+
+INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra
+
+AM_CFLAGS = -rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-kernel-pfkey.la
+else
+plugin_LTLIBRARIES = libstrongswan-kernel-pfkey.la
+endif
+
+libstrongswan_kernel_pfkey_la_SOURCES = \
+	kernel_pfkey_plugin.h kernel_pfkey_plugin.c \
+	kernel_pfkey_ipsec.h kernel_pfkey_ipsec.c
+
+libstrongswan_kernel_pfkey_la_LDFLAGS = -module -avoid-version
diff --git a/src/libhydra/plugins/kernel_pfkey/Makefile.in b/src/libhydra/plugins/kernel_pfkey/Makefile.in
new file mode 100644
index 000000000..a98ae42d1
--- /dev/null
+++ b/src/libhydra/plugins/kernel_pfkey/Makefile.in
@@ -0,0 +1,606 @@
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libhydra/plugins/kernel_pfkey
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_kernel_pfkey_la_LIBADD =
+am_libstrongswan_kernel_pfkey_la_OBJECTS = kernel_pfkey_plugin.lo \
+	kernel_pfkey_ipsec.lo
+libstrongswan_kernel_pfkey_la_OBJECTS =  \
+	$(am_libstrongswan_kernel_pfkey_la_OBJECTS)
+libstrongswan_kernel_pfkey_la_LINK = $(LIBTOOL) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_kernel_pfkey_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_kernel_pfkey_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_kernel_pfkey_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_kernel_pfkey_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_kernel_pfkey_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra
+
+AM_CFLAGS = -rdynamic
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-kernel-pfkey.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-kernel-pfkey.la
+libstrongswan_kernel_pfkey_la_SOURCES = \
+	kernel_pfkey_plugin.h kernel_pfkey_plugin.c \
+	kernel_pfkey_ipsec.h kernel_pfkey_ipsec.c
+
+libstrongswan_kernel_pfkey_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libhydra/plugins/kernel_pfkey/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libhydra/plugins/kernel_pfkey/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-kernel-pfkey.la: $(libstrongswan_kernel_pfkey_la_OBJECTS) $(libstrongswan_kernel_pfkey_la_DEPENDENCIES) 
+	$(libstrongswan_kernel_pfkey_la_LINK) $(am_libstrongswan_kernel_pfkey_la_rpath) $(libstrongswan_kernel_pfkey_la_OBJECTS) $(libstrongswan_kernel_pfkey_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_pfkey_ipsec.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_pfkey_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
new file mode 100644
index 000000000..f5786447b
--- /dev/null
+++ b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
@@ -0,0 +1,2178 @@
+/*
+ * Copyright (C) 2008-2010 Tobias Brunner
+ * Copyright (C) 2008 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <sys/types.h>
+#include <sys/socket.h>
+
+#ifdef __FreeBSD__
+#include <limits.h> /* for LONG_MAX */
+#endif
+
+#ifdef HAVE_NET_PFKEYV2_H
+#include <net/pfkeyv2.h>
+#else
+#include <stdint.h>
+#include <linux/pfkeyv2.h>
+#endif
+
+#ifdef SADB_X_EXT_NAT_T_TYPE
+#define HAVE_NATT
+#endif
+
+#ifdef HAVE_NETIPSEC_IPSEC_H
+#include <netipsec/ipsec.h>
+#elif defined(HAVE_NETINET6_IPSEC_H)
+#include <netinet6/ipsec.h>
+#else
+#include <linux/ipsec.h>
+#endif
+
+#ifdef HAVE_NATT
+#ifdef HAVE_LINUX_UDP_H
+#include <linux/udp.h>
+#else
+#include <netinet/udp.h>
+#endif /*HAVE_LINUX_UDP_H*/
+#endif /*HAVE_NATT*/
+
+#include <unistd.h>
+#include <time.h>
+#include <errno.h>
+
+#include "kernel_pfkey_ipsec.h"
+
+#include <hydra.h>
+#include <debug.h>
+#include <utils/host.h>
+#include <utils/linked_list.h>
+#include <threading/thread.h>
+#include <threading/mutex.h>
+#include <processing/jobs/callback_job.h>
+
+/** non linux specific */
+#ifndef IPPROTO_COMP
+#ifdef IPPROTO_IPCOMP
+#define IPPROTO_COMP IPPROTO_IPCOMP
+#endif
+#endif
+
+#ifndef SADB_X_AALG_SHA2_256HMAC
+#define SADB_X_AALG_SHA2_256HMAC SADB_X_AALG_SHA2_256
+#define SADB_X_AALG_SHA2_384HMAC SADB_X_AALG_SHA2_384
+#define SADB_X_AALG_SHA2_512HMAC SADB_X_AALG_SHA2_512
+#endif
+
+#ifndef SADB_X_EALG_AESCBC
+#define SADB_X_EALG_AESCBC SADB_X_EALG_AES
+#endif
+
+#ifndef SADB_X_EALG_CASTCBC
+#define SADB_X_EALG_CASTCBC SADB_X_EALG_CAST128CBC
+#endif
+
+#ifndef SOL_IP
+#define SOL_IP IPPROTO_IP
+#define SOL_IPV6 IPPROTO_IPV6
+#endif
+
+/** from linux/in.h */
+#ifndef IP_IPSEC_POLICY
+#define IP_IPSEC_POLICY 16
+#endif
+
+/** missing on uclibc */
+#ifndef IPV6_IPSEC_POLICY
+#define IPV6_IPSEC_POLICY 34
+#endif
+
+/** default priority of installed policies */
+#define PRIO_LOW 3000
+#define PRIO_HIGH 2000
+
+#ifdef __APPLE__
+/** from xnu/bsd/net/pfkeyv2.h */
+#define SADB_X_EXT_NATT 0x002
+	struct sadb_sa_2 {
+		struct sadb_sa	sa;
+		u_int16_t		sadb_sa_natt_port;
+		u_int16_t		sadb_reserved0;
+		u_int32_t		sadb_reserved1;
+	};
+#endif
+
+/** buffer size for PF_KEY messages */
+#define PFKEY_BUFFER_SIZE 4096
+
+/** PF_KEY messages are 64 bit aligned */
+#define PFKEY_ALIGNMENT 8
+/** aligns len to 64 bits */
+#define PFKEY_ALIGN(len) (((len) + PFKEY_ALIGNMENT - 1) & ~(PFKEY_ALIGNMENT - 1))
+/** calculates the properly padded length in 64 bit chunks */
+#define PFKEY_LEN(len) ((PFKEY_ALIGN(len) / PFKEY_ALIGNMENT))
+/** calculates user mode length i.e. in bytes */
+#define PFKEY_USER_LEN(len) ((len) * PFKEY_ALIGNMENT)
+
+/** given a PF_KEY message header and an extension this updates the length in the header */
+#define PFKEY_EXT_ADD(msg, ext) ((msg)->sadb_msg_len += ((struct sadb_ext*)ext)->sadb_ext_len)
+/** given a PF_KEY message header this returns a pointer to the next extension */
+#define PFKEY_EXT_ADD_NEXT(msg) ((struct sadb_ext*)(((char*)(msg)) + PFKEY_USER_LEN((msg)->sadb_msg_len)))
+/** copy an extension and append it to a PF_KEY message */
+#define PFKEY_EXT_COPY(msg, ext) (PFKEY_EXT_ADD(msg, memcpy(PFKEY_EXT_ADD_NEXT(msg), ext, PFKEY_USER_LEN(((struct sadb_ext*)ext)->sadb_ext_len))))
+/** given a PF_KEY extension this returns a pointer to the next extension */
+#define PFKEY_EXT_NEXT(ext) ((struct sadb_ext*)(((char*)(ext)) + PFKEY_USER_LEN(((struct sadb_ext*)ext)->sadb_ext_len)))
+/** given a PF_KEY extension this returns a pointer to the next extension also updates len (len in 64 bit words) */
+#define PFKEY_EXT_NEXT_LEN(ext,len) ((len) -= (ext)->sadb_ext_len, PFKEY_EXT_NEXT(ext))
+/** true if ext has a valid length and len is large enough to contain ext (assuming len in 64 bit words) */
+#define PFKEY_EXT_OK(ext,len) ((len) >= PFKEY_LEN(sizeof(struct sadb_ext)) && \
+				(ext)->sadb_ext_len >= PFKEY_LEN(sizeof(struct sadb_ext)) && \
+				(ext)->sadb_ext_len <= (len))
+
+typedef struct private_kernel_pfkey_ipsec_t private_kernel_pfkey_ipsec_t;
+
+/**
+ * Private variables and functions of kernel_pfkey class.
+ */
+struct private_kernel_pfkey_ipsec_t
+{
+	/**
+	 * Public part of the kernel_pfkey_t object.
+	 */
+	kernel_pfkey_ipsec_t public;
+
+	/**
+	 * mutex to lock access to various lists
+	 */
+	mutex_t *mutex;
+
+	/**
+	 * List of installed policies (policy_entry_t)
+	 */
+	linked_list_t *policies;
+
+	/**
+	 * whether to install routes along policies
+	 */
+	bool install_routes;
+
+	/**
+	 * job receiving PF_KEY events
+	 */
+	callback_job_t *job;
+
+	/**
+	 * mutex to lock access to the PF_KEY socket
+	 */
+	mutex_t *mutex_pfkey;
+
+	/**
+	 * PF_KEY socket to communicate with the kernel
+	 */
+	int socket;
+
+	/**
+	 * PF_KEY socket to receive acquire and expire events
+	 */
+	int socket_events;
+
+	/**
+	 * sequence number for messages sent to the kernel
+	 */
+	int seq;
+};
+
+typedef struct route_entry_t route_entry_t;
+
+/**
+ * installed routing entry
+ */
+struct route_entry_t {
+	/** Name of the interface the route is bound to */
+	char *if_name;
+
+	/** Source ip of the route */
+	host_t *src_ip;
+
+	/** gateway for this route */
+	host_t *gateway;
+
+	/** Destination net */
+	chunk_t dst_net;
+
+	/** Destination net prefixlen */
+	u_int8_t prefixlen;
+};
+
+/**
+ * destroy an route_entry_t object
+ */
+static void route_entry_destroy(route_entry_t *this)
+{
+	free(this->if_name);
+	DESTROY_IF(this->src_ip);
+	DESTROY_IF(this->gateway);
+	chunk_free(&this->dst_net);
+	free(this);
+}
+
+typedef struct policy_entry_t policy_entry_t;
+
+/**
+ * installed kernel policy.
+ */
+struct policy_entry_t {
+
+	/** reqid of this policy */
+	u_int32_t reqid;
+
+	/** index assigned by the kernel */
+	u_int32_t index;
+
+	/** direction of this policy: in, out, forward */
+	u_int8_t direction;
+
+	/** parameters of installed policy */
+	struct {
+		/** subnet and port */
+		host_t *net;
+		/** subnet mask */
+		u_int8_t mask;
+		/** protocol */
+		u_int8_t proto;
+	} src, dst;
+
+	/** associated route installed for this policy */
+	route_entry_t *route;
+
+	/** by how many CHILD_SA's this policy is used */
+	u_int refcount;
+};
+
+/**
+ * create a policy_entry_t object
+ */
+static policy_entry_t *create_policy_entry(traffic_selector_t *src_ts,
+		traffic_selector_t *dst_ts, policy_dir_t dir, u_int32_t reqid)
+{
+	policy_entry_t *policy = malloc_thing(policy_entry_t);
+	policy->reqid = reqid;
+	policy->index = 0;
+	policy->direction = dir;
+	policy->route = NULL;
+	policy->refcount = 0;
+
+	src_ts->to_subnet(src_ts, &policy->src.net, &policy->src.mask);
+	dst_ts->to_subnet(dst_ts, &policy->dst.net, &policy->dst.mask);
+
+	/* src or dest proto may be "any" (0), use more restrictive one */
+	policy->src.proto = max(src_ts->get_protocol(src_ts), dst_ts->get_protocol(dst_ts));
+	policy->src.proto = policy->src.proto ? policy->src.proto : IPSEC_PROTO_ANY;
+	policy->dst.proto = policy->src.proto;
+
+	return policy;
+}
+
+/**
+ * destroy a policy_entry_t object
+ */
+static void policy_entry_destroy(policy_entry_t *this)
+{
+	DESTROY_IF(this->src.net);
+	DESTROY_IF(this->dst.net);
+	if (this->route)
+	{
+		route_entry_destroy(this->route);
+	}
+	free(this);
+}
+
+/**
+ * compares two policy_entry_t
+ */
+static inline bool policy_entry_equals(policy_entry_t *current, policy_entry_t *policy)
+{
+	return current->direction == policy->direction &&
+		   current->src.proto == policy->src.proto &&
+		   current->dst.proto == policy->dst.proto &&
+		   current->src.mask == policy->src.mask &&
+		   current->dst.mask == policy->dst.mask &&
+		   current->src.net->equals(current->src.net, policy->src.net) &&
+		   current->dst.net->equals(current->dst.net, policy->dst.net);
+}
+
+/**
+ * compare the given kernel index with that of a policy
+ */
+static inline bool policy_entry_match_byindex(policy_entry_t *current, u_int32_t *index)
+{
+	return current->index == *index;
+}
+
+typedef struct pfkey_msg_t pfkey_msg_t;
+
+struct pfkey_msg_t
+{
+	/**
+	 * PF_KEY message base
+	 */
+	struct sadb_msg *msg;
+
+	/**
+	 * PF_KEY message extensions
+	 */
+	union {
+		struct sadb_ext *ext[SADB_EXT_MAX + 1];
+		struct {
+			struct sadb_ext *reserved;				/* SADB_EXT_RESERVED */
+			struct sadb_sa *sa;						/* SADB_EXT_SA */
+			struct sadb_lifetime *lft_current;		/* SADB_EXT_LIFETIME_CURRENT */
+			struct sadb_lifetime *lft_hard;			/* SADB_EXT_LIFETIME_HARD */
+			struct sadb_lifetime *lft_soft;			/* SADB_EXT_LIFETIME_SOFT */
+			struct sadb_address *src;				/* SADB_EXT_ADDRESS_SRC */
+			struct sadb_address *dst;				/* SADB_EXT_ADDRESS_DST */
+			struct sadb_address *proxy;				/* SADB_EXT_ADDRESS_PROXY */
+			struct sadb_key *key_auth;				/* SADB_EXT_KEY_AUTH */
+			struct sadb_key *key_encr;				/* SADB_EXT_KEY_ENCRYPT */
+			struct sadb_ident *id_src;				/* SADB_EXT_IDENTITY_SRC */
+			struct sadb_ident *id_dst;				/* SADB_EXT_IDENTITY_DST */
+			struct sadb_sens *sensitivity;			/* SADB_EXT_SENSITIVITY */
+			struct sadb_prop *proposal;				/* SADB_EXT_PROPOSAL */
+			struct sadb_supported *supported_auth;	/* SADB_EXT_SUPPORTED_AUTH */
+			struct sadb_supported *supported_encr;	/* SADB_EXT_SUPPORTED_ENCRYPT */
+			struct sadb_spirange *spirange;			/* SADB_EXT_SPIRANGE */
+			struct sadb_x_kmprivate *x_kmprivate;	/* SADB_X_EXT_KMPRIVATE */
+			struct sadb_x_policy *x_policy;			/* SADB_X_EXT_POLICY */
+			struct sadb_x_sa2 *x_sa2;				/* SADB_X_EXT_SA2 */
+			struct sadb_x_nat_t_type *x_natt_type;	/* SADB_X_EXT_NAT_T_TYPE */
+			struct sadb_x_nat_t_port *x_natt_sport;	/* SADB_X_EXT_NAT_T_SPORT */
+			struct sadb_x_nat_t_port *x_natt_dport;	/* SADB_X_EXT_NAT_T_DPORT */
+			struct sadb_address *x_natt_oa;			/* SADB_X_EXT_NAT_T_OA */
+			struct sadb_x_sec_ctx *x_sec_ctx;		/* SADB_X_EXT_SEC_CTX */
+			struct sadb_x_kmaddress *x_kmaddress;	/* SADB_X_EXT_KMADDRESS */
+		} __attribute__((__packed__));
+	};
+};
+
+ENUM(sadb_ext_type_names, SADB_EXT_RESERVED, SADB_EXT_MAX,
+	"SADB_EXT_RESERVED",
+	"SADB_EXT_SA",
+	"SADB_EXT_LIFETIME_CURRENT",
+	"SADB_EXT_LIFETIME_HARD",
+	"SADB_EXT_LIFETIME_SOFT",
+	"SADB_EXT_ADDRESS_SRC",
+	"SADB_EXT_ADDRESS_DST",
+	"SADB_EXT_ADDRESS_PROXY",
+	"SADB_EXT_KEY_AUTH",
+	"SADB_EXT_KEY_ENCRYPT",
+	"SADB_EXT_IDENTITY_SRC",
+	"SADB_EXT_IDENTITY_DST",
+	"SADB_EXT_SENSITIVITY",
+	"SADB_EXT_PROPOSAL",
+	"SADB_EXT_SUPPORTED_AUTH",
+	"SADB_EXT_SUPPORTED_ENCRYPT",
+	"SADB_EXT_SPIRANGE",
+	"SADB_X_EXT_KMPRIVATE",
+	"SADB_X_EXT_POLICY",
+	"SADB_X_EXT_SA2",
+	"SADB_X_EXT_NAT_T_TYPE",
+	"SADB_X_EXT_NAT_T_SPORT",
+	"SADB_X_EXT_NAT_T_DPORT",
+	"SADB_X_EXT_NAT_T_OA",
+	"SADB_X_EXT_SEC_CTX",
+	"SADB_X_EXT_KMADDRESS"
+);
+
+/**
+ * convert a protocol identifier to the PF_KEY sa type
+ */
+static u_int8_t proto2satype(u_int8_t proto)
+{
+	switch (proto)
+	{
+		case IPPROTO_ESP:
+			return SADB_SATYPE_ESP;
+		case IPPROTO_AH:
+			return SADB_SATYPE_AH;
+		case IPPROTO_COMP:
+			return SADB_X_SATYPE_IPCOMP;
+		default:
+			return proto;
+	}
+}
+
+/**
+ * convert a PF_KEY sa type to a protocol identifier
+ */
+static u_int8_t satype2proto(u_int8_t satype)
+{
+	switch (satype)
+	{
+		case SADB_SATYPE_ESP:
+			return IPPROTO_ESP;
+		case SADB_SATYPE_AH:
+			return IPPROTO_AH;
+		case SADB_X_SATYPE_IPCOMP:
+			return IPPROTO_COMP;
+		default:
+			return satype;
+	}
+}
+
+/**
+ * convert the general ipsec mode to the one defined in ipsec.h
+ */
+static u_int8_t mode2kernel(ipsec_mode_t mode)
+{
+	switch (mode)
+	{
+		case MODE_TRANSPORT:
+			return IPSEC_MODE_TRANSPORT;
+		case MODE_TUNNEL:
+			return IPSEC_MODE_TUNNEL;
+#ifdef HAVE_IPSEC_MODE_BEET
+		case MODE_BEET:
+			return IPSEC_MODE_BEET;
+#endif
+		default:
+			return mode;
+	}
+}
+
+/**
+ * convert the general policy direction to the one defined in ipsec.h
+ */
+static u_int8_t dir2kernel(policy_dir_t dir)
+{
+	switch (dir)
+	{
+		case POLICY_IN:
+			return IPSEC_DIR_INBOUND;
+		case POLICY_OUT:
+			return IPSEC_DIR_OUTBOUND;
+#ifdef HAVE_IPSEC_DIR_FWD
+		case POLICY_FWD:
+			return IPSEC_DIR_FWD;
+#endif
+		default:
+			return IPSEC_DIR_INVALID;
+	}
+}
+
+#ifdef SADB_X_MIGRATE
+/**
+ * convert the policy direction in ipsec.h to the general one.
+ */
+static policy_dir_t kernel2dir(u_int8_t  dir)
+{
+	switch (dir)
+	{
+		case IPSEC_DIR_INBOUND:
+			return POLICY_IN;
+		case IPSEC_DIR_OUTBOUND:
+			return POLICY_OUT;
+#ifdef HAVE_IPSEC_DIR_FWD
+		case IPSEC_DIR_FWD:
+			return POLICY_FWD;
+#endif
+		default:
+			return dir;
+	}
+}
+#endif /*SADB_X_MIGRATE*/
+
+typedef struct kernel_algorithm_t kernel_algorithm_t;
+
+/**
+ * Mapping of IKEv2 algorithms to PF_KEY algorithms
+ */
+struct kernel_algorithm_t {
+	/**
+	 * Identifier specified in IKEv2
+	 */
+	int ikev2;
+
+	/**
+	 * Identifier as defined in pfkeyv2.h
+	 */
+	int kernel;
+};
+
+#define END_OF_LIST -1
+
+/**
+ * Algorithms for encryption
+ */
+static kernel_algorithm_t encryption_algs[] = {
+/*	{ENCR_DES_IV64,				0							}, */
+	{ENCR_DES,					SADB_EALG_DESCBC			},
+	{ENCR_3DES,					SADB_EALG_3DESCBC			},
+/*	{ENCR_RC5,					0							}, */
+/*	{ENCR_IDEA,					0							}, */
+	{ENCR_CAST,					SADB_X_EALG_CASTCBC			},
+	{ENCR_BLOWFISH,				SADB_X_EALG_BLOWFISHCBC		},
+/*	{ENCR_3IDEA,				0							}, */
+/*	{ENCR_DES_IV32,				0							}, */
+	{ENCR_NULL,					SADB_EALG_NULL				},
+	{ENCR_AES_CBC,				SADB_X_EALG_AESCBC			},
+/*	{ENCR_AES_CTR,				SADB_X_EALG_AESCTR			}, */
+/*  {ENCR_AES_CCM_ICV8,			SADB_X_EALG_AES_CCM_ICV8	}, */
+/*	{ENCR_AES_CCM_ICV12,		SADB_X_EALG_AES_CCM_ICV12	}, */
+/*	{ENCR_AES_CCM_ICV16,		SADB_X_EALG_AES_CCM_ICV16	}, */
+/*	{ENCR_AES_GCM_ICV8,			SADB_X_EALG_AES_GCM_ICV8	}, */
+/*	{ENCR_AES_GCM_ICV12,		SADB_X_EALG_AES_GCM_ICV12	}, */
+/*	{ENCR_AES_GCM_ICV16,		SADB_X_EALG_AES_GCM_ICV16	}, */
+	{END_OF_LIST,				0							},
+};
+
+/**
+ * Algorithms for integrity protection
+ */
+static kernel_algorithm_t integrity_algs[] = {
+	{AUTH_HMAC_MD5_96,			SADB_AALG_MD5HMAC			},
+	{AUTH_HMAC_SHA1_96,			SADB_AALG_SHA1HMAC			},
+	{AUTH_HMAC_SHA2_256_128,	SADB_X_AALG_SHA2_256HMAC	},
+	{AUTH_HMAC_SHA2_384_192,	SADB_X_AALG_SHA2_384HMAC	},
+	{AUTH_HMAC_SHA2_512_256,	SADB_X_AALG_SHA2_512HMAC	},
+/*	{AUTH_DES_MAC,				0,							}, */
+/*	{AUTH_KPDK_MD5,				0,							}, */
+#ifdef SADB_X_AALG_AES_XCBC_MAC
+	{AUTH_AES_XCBC_96,			SADB_X_AALG_AES_XCBC_MAC,	},
+#endif
+	{END_OF_LIST,				0,							},
+};
+
+#if 0
+/**
+ * Algorithms for IPComp, unused yet
+ */
+static kernel_algorithm_t compression_algs[] = {
+/*	{IPCOMP_OUI,				0							}, */
+	{IPCOMP_DEFLATE,			SADB_X_CALG_DEFLATE			},
+	{IPCOMP_LZS,				SADB_X_CALG_LZS				},
+	{IPCOMP_LZJH,				SADB_X_CALG_LZJH			},
+	{END_OF_LIST,				0							},
+};
+#endif
+
+/**
+ * Look up a kernel algorithm ID and its key size
+ */
+static int lookup_algorithm(kernel_algorithm_t *list, int ikev2)
+{
+	while (list->ikev2 != END_OF_LIST)
+	{
+		if (ikev2 == list->ikev2)
+		{
+			return list->kernel;
+		}
+		list++;
+	}
+	return 0;
+}
+
+/**
+ * Copy a host_t as sockaddr_t to the given memory location. Ports are
+ * reset to zero as per RFC 2367.
+ * @return		the number of bytes copied
+ */
+static size_t hostcpy(void *dest, host_t *host)
+{
+	sockaddr_t *addr = host->get_sockaddr(host), *dest_addr = dest;
+	socklen_t *len = host->get_sockaddr_len(host);
+	memcpy(dest, addr, *len);
+#ifdef HAVE_STRUCT_SOCKADDR_SA_LEN
+	dest_addr->sa_len = *len;
+#endif
+	switch (dest_addr->sa_family)
+	{
+		case AF_INET:
+		{
+			struct sockaddr_in *sin = dest;
+			sin->sin_port = 0;
+			break;
+		}
+		case AF_INET6:
+		{
+			struct sockaddr_in6 *sin6 = dest;
+			sin6->sin6_port = 0;
+			break;
+		}
+	}
+	return *len;
+}
+
+/**
+ * add a host behind an sadb_address extension
+ */
+static void host2ext(host_t *host, struct sadb_address *ext)
+{
+	size_t len = hostcpy(ext + 1, host);
+	ext->sadb_address_len = PFKEY_LEN(sizeof(*ext) + len);
+}
+
+/**
+ * add a host to the given sadb_msg
+ */
+static void add_addr_ext(struct sadb_msg *msg, host_t *host, u_int16_t type,
+						 u_int8_t proto, u_int8_t prefixlen)
+{
+	struct sadb_address *addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
+	addr->sadb_address_exttype = type;
+	addr->sadb_address_proto = proto;
+	addr->sadb_address_prefixlen = prefixlen;
+	host2ext(host, addr);
+	PFKEY_EXT_ADD(msg, addr);
+}
+
+/**
+ * adds an empty address extension to the given sadb_msg
+ */
+static void add_anyaddr_ext(struct sadb_msg *msg, int family, u_int8_t type)
+{
+	socklen_t len = (family == AF_INET) ? sizeof(struct sockaddr_in) :
+										  sizeof(struct sockaddr_in6);
+	struct sadb_address *addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
+	addr->sadb_address_exttype = type;
+	sockaddr_t *saddr = (sockaddr_t*)(addr + 1);
+	saddr->sa_family = family;
+#ifdef HAVE_STRUCT_SOCKADDR_SA_LEN
+	saddr->sa_len = len;
+#endif
+	addr->sadb_address_len = PFKEY_LEN(sizeof(*addr) + len);
+	PFKEY_EXT_ADD(msg, addr);
+}
+
+#ifdef HAVE_NATT
+/**
+ * add udp encap extensions to a sadb_msg
+ */
+static void add_encap_ext(struct sadb_msg *msg, host_t *src, host_t *dst)
+{
+	struct sadb_x_nat_t_type* nat_type;
+	struct sadb_x_nat_t_port* nat_port;
+
+	nat_type = (struct sadb_x_nat_t_type*)PFKEY_EXT_ADD_NEXT(msg);
+	nat_type->sadb_x_nat_t_type_exttype = SADB_X_EXT_NAT_T_TYPE;
+	nat_type->sadb_x_nat_t_type_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_type));
+	nat_type->sadb_x_nat_t_type_type = UDP_ENCAP_ESPINUDP;
+	PFKEY_EXT_ADD(msg, nat_type);
+
+	nat_port = (struct sadb_x_nat_t_port*)PFKEY_EXT_ADD_NEXT(msg);
+	nat_port->sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_SPORT;
+	nat_port->sadb_x_nat_t_port_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_port));
+	nat_port->sadb_x_nat_t_port_port = htons(src->get_port(src));
+	PFKEY_EXT_ADD(msg, nat_port);
+
+	nat_port = (struct sadb_x_nat_t_port*)PFKEY_EXT_ADD_NEXT(msg);
+	nat_port->sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_DPORT;
+	nat_port->sadb_x_nat_t_port_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_port));
+	nat_port->sadb_x_nat_t_port_port = htons(dst->get_port(dst));
+	PFKEY_EXT_ADD(msg, nat_port);
+}
+#endif /*HAVE_NATT*/
+
+/**
+ * Convert a sadb_address to a traffic_selector
+ */
+static traffic_selector_t* sadb_address2ts(struct sadb_address *address)
+{
+	traffic_selector_t *ts;
+	host_t *host;
+
+	/* The Linux 2.6 kernel does not set the protocol and port information
+	 * in the src and dst sadb_address extensions of the SADB_ACQUIRE message.
+	 */
+	host = host_create_from_sockaddr((sockaddr_t*)&address[1])	;
+	ts = traffic_selector_create_from_subnet(host, address->sadb_address_prefixlen,
+				address->sadb_address_proto, host->get_port(host));
+	return ts;
+}
+
+/**
+ * Parses a pfkey message received from the kernel
+ */
+static status_t parse_pfkey_message(struct sadb_msg *msg, pfkey_msg_t *out)
+{
+	struct sadb_ext* ext;
+	size_t len;
+
+	memset(out, 0, sizeof(pfkey_msg_t));
+	out->msg = msg;
+
+	len = msg->sadb_msg_len;
+	len -= PFKEY_LEN(sizeof(struct sadb_msg));
+
+	ext = (struct sadb_ext*)(((char*)msg) + sizeof(struct sadb_msg));
+
+	while (len >= PFKEY_LEN(sizeof(struct sadb_ext)))
+	{
+		DBG3(DBG_KNL, "  %N", sadb_ext_type_names, ext->sadb_ext_type);
+		if (ext->sadb_ext_len < PFKEY_LEN(sizeof(struct sadb_ext)) ||
+			ext->sadb_ext_len > len)
+		{
+			DBG1(DBG_KNL, "length of %N extension is invalid",
+						   sadb_ext_type_names, ext->sadb_ext_type);
+			break;
+		}
+
+		if ((ext->sadb_ext_type > SADB_EXT_MAX) || (!ext->sadb_ext_type))
+		{
+			DBG1(DBG_KNL, "type of PF_KEY extension (%d) is invalid", ext->sadb_ext_type);
+			break;
+		}
+
+		if (out->ext[ext->sadb_ext_type])
+		{
+			DBG1(DBG_KNL, "duplicate %N extension",
+						   sadb_ext_type_names, ext->sadb_ext_type);
+			break;
+		}
+
+		out->ext[ext->sadb_ext_type] = ext;
+		ext = PFKEY_EXT_NEXT_LEN(ext, len);
+	}
+
+	if (len)
+	{
+		DBG1(DBG_KNL, "PF_KEY message length is invalid");
+		return FAILED;
+	}
+
+	return SUCCESS;
+}
+
+/**
+ * Send a message to a specific PF_KEY socket and handle the response.
+ */
+static status_t pfkey_send_socket(private_kernel_pfkey_ipsec_t *this, int socket,
+					struct sadb_msg *in, struct sadb_msg **out, size_t *out_len)
+{
+	unsigned char buf[PFKEY_BUFFER_SIZE];
+	struct sadb_msg *msg;
+	int in_len, len;
+
+	this->mutex_pfkey->lock(this->mutex_pfkey);
+
+	/* FIXME: our usage of sequence numbers is probably wrong. check RFC 2367,
+	 * in particular the behavior in response to an SADB_ACQUIRE. */
+	in->sadb_msg_seq = ++this->seq;
+	in->sadb_msg_pid = getpid();
+
+	in_len = PFKEY_USER_LEN(in->sadb_msg_len);
+
+	while (TRUE)
+	{
+		len = send(socket, in, in_len, 0);
+
+		if (len != in_len)
+		{
+			if (errno == EINTR)
+			{
+				/* interrupted, try again */
+				continue;
+			}
+			this->mutex_pfkey->unlock(this->mutex_pfkey);
+			DBG1(DBG_KNL, "error sending to PF_KEY socket: %s", strerror(errno));
+			return FAILED;
+		}
+		break;
+	}
+
+	while (TRUE)
+	{
+		msg = (struct sadb_msg*)buf;
+
+		len = recv(socket, buf, sizeof(buf), 0);
+
+		if (len < 0)
+		{
+			if (errno == EINTR)
+			{
+				DBG1(DBG_KNL, "got interrupted");
+				/* interrupted, try again */
+				continue;
+			}
+			DBG1(DBG_KNL, "error reading from PF_KEY socket: %s", strerror(errno));
+			this->mutex_pfkey->unlock(this->mutex_pfkey);
+			return FAILED;
+		}
+		if (len < sizeof(struct sadb_msg) ||
+			msg->sadb_msg_len < PFKEY_LEN(sizeof(struct sadb_msg)))
+		{
+			DBG1(DBG_KNL, "received corrupted PF_KEY message");
+			this->mutex_pfkey->unlock(this->mutex_pfkey);
+			return FAILED;
+		}
+		if (msg->sadb_msg_len > len / PFKEY_ALIGNMENT)
+		{
+			DBG1(DBG_KNL, "buffer was too small to receive the complete PF_KEY message");
+			this->mutex_pfkey->unlock(this->mutex_pfkey);
+			return FAILED;
+		}
+		if (msg->sadb_msg_pid != in->sadb_msg_pid)
+		{
+			DBG2(DBG_KNL, "received PF_KEY message is not intended for us");
+			continue;
+		}
+		if (msg->sadb_msg_seq != this->seq)
+		{
+			DBG1(DBG_KNL, "received PF_KEY message with unexpected sequence "
+				 "number, was %d expected %d", msg->sadb_msg_seq, this->seq);
+			if (msg->sadb_msg_seq == 0)
+			{
+				/* FreeBSD and Mac OS X do this for the response to
+				 * SADB_X_SPDGET (but not for the response to SADB_GET).
+				 * FreeBSD: 'key_spdget' in /usr/src/sys/netipsec/key.c. */
+			}
+			else if (msg->sadb_msg_seq < this->seq)
+			{
+				continue;
+			}
+			else
+			{
+				this->mutex_pfkey->unlock(this->mutex_pfkey);
+				return FAILED;
+			}
+		}
+		if (msg->sadb_msg_type != in->sadb_msg_type)
+		{
+			DBG2(DBG_KNL, "received PF_KEY message of wrong type, "
+					"was %d expected %d, ignoring",
+					msg->sadb_msg_type, in->sadb_msg_type);
+		}
+		break;
+	}
+
+	*out_len = len;
+	*out = (struct sadb_msg*)malloc(len);
+	memcpy(*out, buf, len);
+
+	this->mutex_pfkey->unlock(this->mutex_pfkey);
+
+	return SUCCESS;
+}
+
+/**
+ * Send a message to the default PF_KEY socket and handle the response.
+ */
+static status_t pfkey_send(private_kernel_pfkey_ipsec_t *this,
+					struct sadb_msg *in, struct sadb_msg **out, size_t *out_len)
+{
+	return pfkey_send_socket(this, this->socket, in, out, out_len);
+}
+
+/**
+ * Process a SADB_ACQUIRE message from the kernel
+ */
+static void process_acquire(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg)
+{
+	pfkey_msg_t response;
+	u_int32_t index, reqid = 0;
+	traffic_selector_t *src_ts, *dst_ts;
+	policy_entry_t *policy;
+
+	switch (msg->sadb_msg_satype)
+	{
+		case SADB_SATYPE_UNSPEC:
+		case SADB_SATYPE_ESP:
+		case SADB_SATYPE_AH:
+			break;
+		default:
+			/* acquire for AH/ESP only */
+			return;
+	}
+	DBG2(DBG_KNL, "received an SADB_ACQUIRE");
+
+	if (parse_pfkey_message(msg, &response) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "parsing SADB_ACQUIRE from kernel failed");
+		return;
+	}
+
+	index = response.x_policy->sadb_x_policy_id;
+	this->mutex->lock(this->mutex);
+	if (this->policies->find_first(this->policies,
+			(linked_list_match_t)policy_entry_match_byindex, (void**)&policy, &index) == SUCCESS)
+	{
+		reqid = policy->reqid;
+	}
+	else
+	{
+		DBG1(DBG_KNL, "received an SADB_ACQUIRE with policy id %d but no"
+					  " matching policy found", index);
+	}
+	src_ts = sadb_address2ts(response.src);
+	dst_ts = sadb_address2ts(response.dst);
+	this->mutex->unlock(this->mutex);
+
+	hydra->kernel_interface->acquire(hydra->kernel_interface, reqid, src_ts,
+									 dst_ts);
+}
+
+/**
+ * Process a SADB_EXPIRE message from the kernel
+ */
+static void process_expire(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg)
+{
+	pfkey_msg_t response;
+	u_int8_t protocol;
+	u_int32_t spi, reqid;
+	bool hard;
+
+	DBG2(DBG_KNL, "received an SADB_EXPIRE");
+
+	if (parse_pfkey_message(msg, &response) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "parsing SADB_EXPIRE from kernel failed");
+		return;
+	}
+
+	protocol = satype2proto(msg->sadb_msg_satype);
+	spi = response.sa->sadb_sa_spi;
+	reqid = response.x_sa2->sadb_x_sa2_reqid;
+	hard = response.lft_hard != NULL;
+
+	if (protocol != IPPROTO_ESP && protocol != IPPROTO_AH)
+	{
+		DBG2(DBG_KNL, "ignoring SADB_EXPIRE for SA with SPI %.8x and reqid {%u} "
+					  "which is not a CHILD_SA", ntohl(spi), reqid);
+		return;
+	}
+
+	hydra->kernel_interface->expire(hydra->kernel_interface, reqid, protocol,
+									spi, hard);
+}
+
+#ifdef SADB_X_MIGRATE
+/**
+ * Process a SADB_X_MIGRATE message from the kernel
+ */
+static void process_migrate(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg)
+{
+	pfkey_msg_t response;
+	traffic_selector_t *src_ts, *dst_ts;
+	policy_dir_t dir;
+	u_int32_t reqid = 0;
+	host_t *local = NULL, *remote = NULL;
+
+	DBG2(DBG_KNL, "received an SADB_X_MIGRATE");
+
+	if (parse_pfkey_message(msg, &response) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "parsing SADB_X_MIGRATE from kernel failed");
+		return;
+	}
+	src_ts = sadb_address2ts(response.src);
+	dst_ts = sadb_address2ts(response.dst);
+	dir = kernel2dir(response.x_policy->sadb_x_policy_dir);
+	DBG2(DBG_KNL, "  policy %R === %R %N, id %u", src_ts, dst_ts,
+					 policy_dir_names, dir);
+
+	/* SADB_X_EXT_KMADDRESS is not present in unpatched kernels < 2.6.28 */
+	if (response.x_kmaddress)
+	{
+		sockaddr_t *local_addr, *remote_addr;
+		u_int32_t local_len;
+
+		local_addr  = (sockaddr_t*)&response.x_kmaddress[1];
+		local = host_create_from_sockaddr(local_addr);
+		local_len = (local_addr->sa_family == AF_INET6)?
+					sizeof(struct sockaddr_in6) : sizeof(struct sockaddr_in);
+		remote_addr = (sockaddr_t*)((u_int8_t*)local_addr + local_len);
+		remote = host_create_from_sockaddr(remote_addr);
+		DBG2(DBG_KNL, "  kmaddress: %H...%H", local, remote);
+	}
+
+	if (src_ts && dst_ts && local && remote)
+	{
+		hydra->kernel_interface->migrate(hydra->kernel_interface, reqid,
+										 src_ts, dst_ts, dir, local, remote);
+	}
+	else
+	{
+		DESTROY_IF(src_ts);
+		DESTROY_IF(dst_ts);
+		DESTROY_IF(local);
+		DESTROY_IF(remote);
+	}
+}
+#endif /*SADB_X_MIGRATE*/
+
+#ifdef SADB_X_NAT_T_NEW_MAPPING
+/**
+ * Process a SADB_X_NAT_T_NEW_MAPPING message from the kernel
+ */
+static void process_mapping(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg)
+{
+	pfkey_msg_t response;
+	u_int32_t spi, reqid;
+	host_t *host;
+
+	DBG2(DBG_KNL, "received an SADB_X_NAT_T_NEW_MAPPING");
+
+	if (parse_pfkey_message(msg, &response) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "parsing SADB_X_NAT_T_NEW_MAPPING from kernel failed");
+		return;
+	}
+
+	if (!response.x_sa2)
+	{
+		DBG1(DBG_KNL, "received SADB_X_NAT_T_NEW_MAPPING is missing required "
+					  "information");
+		return;
+	}
+
+	spi = response.sa->sadb_sa_spi;
+	reqid = response.x_sa2->sadb_x_sa2_reqid;
+
+	if (satype2proto(msg->sadb_msg_satype) == IPPROTO_ESP)
+	{
+		sockaddr_t *sa = (sockaddr_t*)(response.dst + 1);
+		switch (sa->sa_family)
+		{
+			case AF_INET:
+			{
+				struct sockaddr_in *sin = (struct sockaddr_in*)sa;
+				sin->sin_port = htons(response.x_natt_dport->sadb_x_nat_t_port_port);
+			}
+			case AF_INET6:
+			{
+				struct sockaddr_in6 *sin6 = (struct sockaddr_in6*)sa;
+				sin6->sin6_port = htons(response.x_natt_dport->sadb_x_nat_t_port_port);
+			}
+			default:
+				break;
+		}
+		host = host_create_from_sockaddr(sa);
+		if (host)
+		{
+			hydra->kernel_interface->mapping(hydra->kernel_interface, reqid,
+											 spi, host);
+		}
+	}
+}
+#endif /*SADB_X_NAT_T_NEW_MAPPING*/
+
+/**
+ * Receives events from kernel
+ */
+static job_requeue_t receive_events(private_kernel_pfkey_ipsec_t *this)
+{
+	unsigned char buf[PFKEY_BUFFER_SIZE];
+	struct sadb_msg *msg = (struct sadb_msg*)buf;
+	int len;
+	bool oldstate;
+
+	oldstate = thread_cancelability(TRUE);
+	len = recvfrom(this->socket_events, buf, sizeof(buf), 0, NULL, 0);
+	thread_cancelability(oldstate);
+
+	if (len < 0)
+	{
+		switch (errno)
+		{
+			case EINTR:
+				/* interrupted, try again */
+				return JOB_REQUEUE_DIRECT;
+			case EAGAIN:
+				/* no data ready, select again */
+				return JOB_REQUEUE_DIRECT;
+			default:
+				DBG1(DBG_KNL, "unable to receive from PF_KEY event socket");
+				sleep(1);
+				return JOB_REQUEUE_FAIR;
+		}
+	}
+
+	if (len < sizeof(struct sadb_msg) ||
+		msg->sadb_msg_len < PFKEY_LEN(sizeof(struct sadb_msg)))
+	{
+		DBG2(DBG_KNL, "received corrupted PF_KEY message");
+		return JOB_REQUEUE_DIRECT;
+	}
+	if (msg->sadb_msg_pid != 0)
+	{	/* not from kernel. not interested, try another one */
+		return JOB_REQUEUE_DIRECT;
+	}
+	if (msg->sadb_msg_len > len / PFKEY_ALIGNMENT)
+	{
+		DBG1(DBG_KNL, "buffer was too small to receive the complete PF_KEY message");
+		return JOB_REQUEUE_DIRECT;
+	}
+
+	switch (msg->sadb_msg_type)
+	{
+		case SADB_ACQUIRE:
+			process_acquire(this, msg);
+			break;
+		case SADB_EXPIRE:
+			process_expire(this, msg);
+			break;
+#ifdef SADB_X_MIGRATE
+		case SADB_X_MIGRATE:
+			process_migrate(this, msg);
+			break;
+#endif /*SADB_X_MIGRATE*/
+#ifdef SADB_X_NAT_T_NEW_MAPPING
+		case SADB_X_NAT_T_NEW_MAPPING:
+			process_mapping(this, msg);
+			break;
+#endif /*SADB_X_NAT_T_NEW_MAPPING*/
+		default:
+			break;
+	}
+
+	return JOB_REQUEUE_DIRECT;
+}
+
+METHOD(kernel_ipsec_t, get_spi, status_t,
+	private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
+	u_int8_t protocol, u_int32_t reqid, u_int32_t *spi)
+{
+	unsigned char request[PFKEY_BUFFER_SIZE];
+	struct sadb_msg *msg, *out;
+	struct sadb_x_sa2 *sa2;
+	struct sadb_spirange *range;
+	pfkey_msg_t response;
+	u_int32_t received_spi = 0;
+	size_t len;
+
+	memset(&request, 0, sizeof(request));
+
+	msg = (struct sadb_msg*)request;
+	msg->sadb_msg_version = PF_KEY_V2;
+	msg->sadb_msg_type = SADB_GETSPI;
+	msg->sadb_msg_satype = proto2satype(protocol);
+	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
+
+	sa2 = (struct sadb_x_sa2*)PFKEY_EXT_ADD_NEXT(msg);
+	sa2->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
+	sa2->sadb_x_sa2_len = PFKEY_LEN(sizeof(struct sadb_spirange));
+	sa2->sadb_x_sa2_reqid = reqid;
+	PFKEY_EXT_ADD(msg, sa2);
+
+	add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0);
+	add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
+
+	range = (struct sadb_spirange*)PFKEY_EXT_ADD_NEXT(msg);
+	range->sadb_spirange_exttype = SADB_EXT_SPIRANGE;
+	range->sadb_spirange_len = PFKEY_LEN(sizeof(struct sadb_spirange));
+	range->sadb_spirange_min = 0xc0000000;
+	range->sadb_spirange_max = 0xcFFFFFFF;
+	PFKEY_EXT_ADD(msg, range);
+
+	if (pfkey_send(this, msg, &out, &len) == SUCCESS)
+	{
+		if (out->sadb_msg_errno)
+		{
+			DBG1(DBG_KNL, "allocating SPI failed: %s (%d)",
+					strerror(out->sadb_msg_errno), out->sadb_msg_errno);
+		}
+		else if (parse_pfkey_message(out, &response) == SUCCESS)
+		{
+			received_spi = response.sa->sadb_sa_spi;
+		}
+		free(out);
+	}
+
+	if (received_spi == 0)
+	{
+		return FAILED;
+	}
+
+	*spi = received_spi;
+	return SUCCESS;
+}
+
+METHOD(kernel_ipsec_t, get_cpi, status_t,
+	private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
+	u_int32_t reqid, u_int16_t *cpi)
+{
+	return FAILED;
+}
+
+METHOD(kernel_ipsec_t, add_sa, status_t,
+	private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst, u_int32_t spi,
+	u_int8_t protocol, u_int32_t reqid, mark_t mark,
+	lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
+	u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode,
+	u_int16_t ipcomp, u_int16_t cpi, bool encap, bool inbound,
+	traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
+{
+	unsigned char request[PFKEY_BUFFER_SIZE];
+	struct sadb_msg *msg, *out;
+	struct sadb_sa *sa;
+	struct sadb_x_sa2 *sa2;
+	struct sadb_lifetime *lft;
+	struct sadb_key *key;
+	size_t len;
+
+	memset(&request, 0, sizeof(request));
+
+	DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%u}", ntohl(spi), reqid);
+
+	msg = (struct sadb_msg*)request;
+	msg->sadb_msg_version = PF_KEY_V2;
+	msg->sadb_msg_type = inbound ? SADB_UPDATE : SADB_ADD;
+	msg->sadb_msg_satype = proto2satype(protocol);
+	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
+
+#ifdef __APPLE__
+	if (encap)
+	{
+		struct sadb_sa_2 *sa_2;
+		sa_2 = (struct sadb_sa_2*)PFKEY_EXT_ADD_NEXT(msg);
+		sa_2->sadb_sa_natt_port = dst->get_port(dst);
+		sa = &sa_2->sa;
+		sa->sadb_sa_flags |= SADB_X_EXT_NATT;
+		len = sizeof(struct sadb_sa_2);
+	}
+	else
+#endif
+	{
+		sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
+		len = sizeof(struct sadb_sa);
+	}
+	sa->sadb_sa_exttype = SADB_EXT_SA;
+	sa->sadb_sa_len = PFKEY_LEN(len);
+	sa->sadb_sa_spi = spi;
+	sa->sadb_sa_replay = (protocol == IPPROTO_COMP) ? 0 : 32;
+	sa->sadb_sa_auth = lookup_algorithm(integrity_algs, int_alg);
+	sa->sadb_sa_encrypt = lookup_algorithm(encryption_algs, enc_alg);
+	PFKEY_EXT_ADD(msg, sa);
+
+	sa2 = (struct sadb_x_sa2*)PFKEY_EXT_ADD_NEXT(msg);
+	sa2->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
+	sa2->sadb_x_sa2_len = PFKEY_LEN(sizeof(struct sadb_spirange));
+	sa2->sadb_x_sa2_mode = mode2kernel(mode);
+	sa2->sadb_x_sa2_reqid = reqid;
+	PFKEY_EXT_ADD(msg, sa2);
+
+	add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0);
+	add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
+
+	lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
+	lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT;
+	lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
+	lft->sadb_lifetime_allocations = lifetime->packets.rekey;
+	lft->sadb_lifetime_bytes = lifetime->bytes.rekey;
+	lft->sadb_lifetime_addtime = lifetime->time.rekey;
+	lft->sadb_lifetime_usetime = 0; /* we only use addtime */
+	PFKEY_EXT_ADD(msg, lft);
+
+	lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
+	lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
+	lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
+	lft->sadb_lifetime_allocations = lifetime->packets.life;
+	lft->sadb_lifetime_bytes = lifetime->bytes.life;
+	lft->sadb_lifetime_addtime = lifetime->time.life;
+	lft->sadb_lifetime_usetime = 0; /* we only use addtime */
+	PFKEY_EXT_ADD(msg, lft);
+
+	if (enc_alg != ENCR_UNDEFINED)
+	{
+		if (!sa->sadb_sa_encrypt)
+		{
+			DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
+				 encryption_algorithm_names, enc_alg);
+			return FAILED;
+		}
+		DBG2(DBG_KNL, "  using encryption algorithm %N with key size %d",
+			 encryption_algorithm_names, enc_alg, enc_key.len * 8);
+
+		key = (struct sadb_key*)PFKEY_EXT_ADD_NEXT(msg);
+		key->sadb_key_exttype = SADB_EXT_KEY_ENCRYPT;
+		key->sadb_key_bits = enc_key.len * 8;
+		key->sadb_key_len = PFKEY_LEN(sizeof(struct sadb_key) + enc_key.len);
+		memcpy(key + 1, enc_key.ptr, enc_key.len);
+
+		PFKEY_EXT_ADD(msg, key);
+	}
+
+	if (int_alg != AUTH_UNDEFINED)
+	{
+		if (!sa->sadb_sa_auth)
+		{
+			DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
+					 integrity_algorithm_names, int_alg);
+			return FAILED;
+		}
+		DBG2(DBG_KNL, "  using integrity algorithm %N with key size %d",
+			 integrity_algorithm_names, int_alg, int_key.len * 8);
+
+		key = (struct sadb_key*)PFKEY_EXT_ADD_NEXT(msg);
+		key->sadb_key_exttype = SADB_EXT_KEY_AUTH;
+		key->sadb_key_bits = int_key.len * 8;
+		key->sadb_key_len = PFKEY_LEN(sizeof(struct sadb_key) + int_key.len);
+		memcpy(key + 1, int_key.ptr, int_key.len);
+
+		PFKEY_EXT_ADD(msg, key);
+	}
+
+	if (ipcomp != IPCOMP_NONE)
+	{
+		/*TODO*/
+	}
+
+#ifdef HAVE_NATT
+	if (encap)
+	{
+		add_encap_ext(msg, src, dst);
+	}
+#endif /*HAVE_NATT*/
+
+	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x", ntohl(spi));
+		return FAILED;
+	}
+	else if (out->sadb_msg_errno)
+	{
+		DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x: %s (%d)",
+				ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
+		free(out);
+		return FAILED;
+	}
+
+	free(out);
+	return SUCCESS;
+}
+
+METHOD(kernel_ipsec_t, update_sa, status_t,
+	private_kernel_pfkey_ipsec_t *this, u_int32_t spi, u_int8_t protocol,
+	u_int16_t cpi, host_t *src, host_t *dst, host_t *new_src, host_t *new_dst,
+	bool encap, bool new_encap, mark_t mark)
+{
+	unsigned char request[PFKEY_BUFFER_SIZE];
+	struct sadb_msg *msg, *out;
+	struct sadb_sa *sa;
+	pfkey_msg_t response;
+	size_t len;
+
+	/* we can't update the SA if any of the ip addresses have changed.
+	 * that's because we can't use SADB_UPDATE and by deleting and readding the
+	 * SA the sequence numbers would get lost */
+	if (!src->ip_equals(src, new_src) ||
+		!dst->ip_equals(dst, new_dst))
+	{
+		DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x: address changes"
+				" are not supported", ntohl(spi));
+		return NOT_SUPPORTED;
+	}
+
+	memset(&request, 0, sizeof(request));
+
+	DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi));
+
+	msg = (struct sadb_msg*)request;
+	msg->sadb_msg_version = PF_KEY_V2;
+	msg->sadb_msg_type = SADB_GET;
+	msg->sadb_msg_satype = proto2satype(protocol);
+	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
+
+	sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
+	sa->sadb_sa_exttype = SADB_EXT_SA;
+	sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
+	sa->sadb_sa_spi = spi;
+	PFKEY_EXT_ADD(msg, sa);
+
+	/* the kernel wants a SADB_EXT_ADDRESS_SRC to be present even though
+	 * it is not used for anything. */
+	add_anyaddr_ext(msg, dst->get_family(dst), SADB_EXT_ADDRESS_SRC);
+	add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
+
+	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x",
+				ntohl(spi));
+		return FAILED;
+	}
+	else if (out->sadb_msg_errno)
+	{
+		DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x: %s (%d)",
+			ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
+		free(out);
+		return FAILED;
+	}
+	else if (parse_pfkey_message(out, &response) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x: parsing response "
+				"from kernel failed", ntohl(spi));
+		free(out);
+		return FAILED;
+	}
+
+	DBG2(DBG_KNL, "updating SAD entry with SPI %.8x from %#H..%#H to %#H..%#H",
+		 ntohl(spi), src, dst, new_src, new_dst);
+
+	memset(&request, 0, sizeof(request));
+
+	msg = (struct sadb_msg*)request;
+	msg->sadb_msg_version = PF_KEY_V2;
+	msg->sadb_msg_type = SADB_UPDATE;
+	msg->sadb_msg_satype = proto2satype(protocol);
+	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
+
+#ifdef __APPLE__
+	{
+		struct sadb_sa_2 *sa_2;
+		sa_2 = (struct sadb_sa_2*)PFKEY_EXT_ADD_NEXT(msg);
+		sa_2->sa.sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa_2));
+		memcpy(&sa_2->sa, response.sa, sizeof(struct sadb_sa));
+		if (encap)
+		{
+			sa_2->sadb_sa_natt_port = new_dst->get_port(new_dst);
+			sa_2->sa.sadb_sa_flags |= SADB_X_EXT_NATT;
+		}
+	}
+#else
+	PFKEY_EXT_COPY(msg, response.sa);
+#endif
+	PFKEY_EXT_COPY(msg, response.x_sa2);
+
+	PFKEY_EXT_COPY(msg, response.src);
+	PFKEY_EXT_COPY(msg, response.dst);
+
+	PFKEY_EXT_COPY(msg, response.lft_soft);
+	PFKEY_EXT_COPY(msg, response.lft_hard);
+
+	if (response.key_encr)
+	{
+		PFKEY_EXT_COPY(msg, response.key_encr);
+	}
+
+	if (response.key_auth)
+	{
+		PFKEY_EXT_COPY(msg, response.key_auth);
+	}
+
+#ifdef HAVE_NATT
+	if (new_encap)
+	{
+		add_encap_ext(msg, new_src, new_dst);
+	}
+#endif /*HAVE_NATT*/
+
+	free(out);
+
+	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi));
+		return FAILED;
+	}
+	else if (out->sadb_msg_errno)
+	{
+		DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x: %s (%d)",
+				ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
+		free(out);
+		return FAILED;
+	}
+	free(out);
+
+	return SUCCESS;
+}
+
+METHOD(kernel_ipsec_t, query_sa, status_t,
+	private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
+	u_int32_t spi, u_int8_t protocol, mark_t mark, u_int64_t *bytes)
+{
+	unsigned char request[PFKEY_BUFFER_SIZE];
+	struct sadb_msg *msg, *out;
+	struct sadb_sa *sa;
+	pfkey_msg_t response;
+	size_t len;
+
+	memset(&request, 0, sizeof(request));
+
+	DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi));
+
+	msg = (struct sadb_msg*)request;
+	msg->sadb_msg_version = PF_KEY_V2;
+	msg->sadb_msg_type = SADB_GET;
+	msg->sadb_msg_satype = proto2satype(protocol);
+	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
+
+	sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
+	sa->sadb_sa_exttype = SADB_EXT_SA;
+	sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
+	sa->sadb_sa_spi = spi;
+	PFKEY_EXT_ADD(msg, sa);
+
+	/* the Linux Kernel doesn't care for the src address, but other systems do
+	 * (e.g. FreeBSD)
+	 */
+	add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0);
+	add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
+
+	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi));
+		return FAILED;
+	}
+	else if (out->sadb_msg_errno)
+	{
+		DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x: %s (%d)",
+				ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
+		free(out);
+		return FAILED;
+	}
+	else if (parse_pfkey_message(out, &response) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi));
+		free(out);
+		return FAILED;
+	}
+	*bytes = response.lft_current->sadb_lifetime_bytes;
+
+	free(out);
+	return SUCCESS;
+}
+
+METHOD(kernel_ipsec_t, del_sa, status_t,
+	private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
+	u_int32_t spi, u_int8_t protocol, u_int16_t cpi, mark_t mark)
+{
+	unsigned char request[PFKEY_BUFFER_SIZE];
+	struct sadb_msg *msg, *out;
+	struct sadb_sa *sa;
+	size_t len;
+
+	memset(&request, 0, sizeof(request));
+
+	DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x", ntohl(spi));
+
+	msg = (struct sadb_msg*)request;
+	msg->sadb_msg_version = PF_KEY_V2;
+	msg->sadb_msg_type = SADB_DELETE;
+	msg->sadb_msg_satype = proto2satype(protocol);
+	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
+
+	sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
+	sa->sadb_sa_exttype = SADB_EXT_SA;
+	sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
+	sa->sadb_sa_spi = spi;
+	PFKEY_EXT_ADD(msg, sa);
+
+	/* the Linux Kernel doesn't care for the src address, but other systems do
+	 * (e.g. FreeBSD)
+	 */
+	add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0);
+	add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
+
+	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x", ntohl(spi));
+		return FAILED;
+	}
+	else if (out->sadb_msg_errno)
+	{
+		DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x: %s (%d)",
+				ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
+		free(out);
+		return FAILED;
+	}
+
+	DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x", ntohl(spi));
+	free(out);
+	return SUCCESS;
+}
+
+METHOD(kernel_ipsec_t, add_policy, status_t,
+	private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
+	traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
+	policy_dir_t direction, policy_type_t type, ipsec_sa_cfg_t *sa,
+	mark_t mark, bool routed)
+{
+	unsigned char request[PFKEY_BUFFER_SIZE];
+	struct sadb_msg *msg, *out;
+	struct sadb_x_policy *pol;
+	struct sadb_x_ipsecrequest *req;
+	policy_entry_t *policy, *found = NULL;
+	pfkey_msg_t response;
+	size_t len;
+
+	if (dir2kernel(direction) == IPSEC_DIR_INVALID)
+	{
+		/* FWD policies are not supported on all platforms */
+		return SUCCESS;
+	}
+
+	/* create a policy */
+	policy = create_policy_entry(src_ts, dst_ts, direction, sa->reqid);
+
+	/* find a matching policy */
+	this->mutex->lock(this->mutex);
+	if (this->policies->find_first(this->policies,
+			(linked_list_match_t)policy_entry_equals, (void**)&found, policy) == SUCCESS)
+	{
+		/* use existing policy */
+		found->refcount++;
+		DBG2(DBG_KNL, "policy %R === %R %N already exists, increasing "
+					  "refcount", src_ts, dst_ts,
+					   policy_dir_names, direction);
+		policy_entry_destroy(policy);
+		policy = found;
+	}
+	else
+	{
+		/* apply the new one, if we have no such policy */
+		this->policies->insert_last(this->policies, policy);
+		policy->refcount = 1;
+	}
+
+	memset(&request, 0, sizeof(request));
+
+	DBG2(DBG_KNL, "adding policy %R === %R %N", src_ts, dst_ts,
+				   policy_dir_names, direction);
+
+	msg = (struct sadb_msg*)request;
+	msg->sadb_msg_version = PF_KEY_V2;
+	msg->sadb_msg_type = found ? SADB_X_SPDUPDATE : SADB_X_SPDADD;
+	msg->sadb_msg_satype = 0;
+	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
+
+	pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
+	pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
+	pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
+	pol->sadb_x_policy_id = 0;
+	pol->sadb_x_policy_dir = dir2kernel(direction);
+	pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
+#ifdef HAVE_STRUCT_SADB_X_POLICY_SADB_X_POLICY_PRIORITY
+	/* calculate priority based on source selector size, small size = high prio */
+	pol->sadb_x_policy_priority = routed ? PRIO_LOW : PRIO_HIGH;
+	pol->sadb_x_policy_priority -= policy->src.mask * 10;
+	pol->sadb_x_policy_priority -= policy->src.proto != IPSEC_PROTO_ANY ? 2 : 0;
+	pol->sadb_x_policy_priority -= policy->src.net->get_port(policy->src.net) ? 1 : 0;
+#endif
+
+	/* one or more sadb_x_ipsecrequest extensions are added to the sadb_x_policy extension */
+	req = (struct sadb_x_ipsecrequest*)(pol + 1);
+	req->sadb_x_ipsecrequest_proto = sa->esp.use ? IPPROTO_ESP : IPPROTO_AH;
+	/* !!! the length of this struct MUST be in octets instead of 64 bit words */
+	req->sadb_x_ipsecrequest_len = sizeof(struct sadb_x_ipsecrequest);
+	req->sadb_x_ipsecrequest_mode = mode2kernel(sa->mode);
+	req->sadb_x_ipsecrequest_reqid = sa->reqid;
+	req->sadb_x_ipsecrequest_level = IPSEC_LEVEL_UNIQUE;
+	if (sa->mode == MODE_TUNNEL)
+	{
+		len = hostcpy(req + 1, src);
+		req->sadb_x_ipsecrequest_len += len;
+		len = hostcpy((char*)(req + 1) + len, dst);
+		req->sadb_x_ipsecrequest_len += len;
+	}
+
+	pol->sadb_x_policy_len += PFKEY_LEN(req->sadb_x_ipsecrequest_len);
+	PFKEY_EXT_ADD(msg, pol);
+
+	add_addr_ext(msg, policy->src.net, SADB_EXT_ADDRESS_SRC, policy->src.proto,
+				 policy->src.mask);
+	add_addr_ext(msg, policy->dst.net, SADB_EXT_ADDRESS_DST, policy->dst.proto,
+				 policy->dst.mask);
+
+#ifdef __FreeBSD__
+	{	/* on FreeBSD a lifetime has to be defined to be able to later query
+		 * the current use time. */
+		struct sadb_lifetime *lft;
+		lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
+		lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
+		lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
+		lft->sadb_lifetime_addtime = LONG_MAX;
+		PFKEY_EXT_ADD(msg, lft);
+	}
+#endif
+
+	this->mutex->unlock(this->mutex);
+
+	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "unable to add policy %R === %R %N", src_ts, dst_ts,
+					   policy_dir_names, direction);
+		return FAILED;
+	}
+	else if (out->sadb_msg_errno)
+	{
+		DBG1(DBG_KNL, "unable to add policy %R === %R %N: %s (%d)", src_ts, dst_ts,
+					   policy_dir_names, direction,
+					   strerror(out->sadb_msg_errno), out->sadb_msg_errno);
+		free(out);
+		return FAILED;
+	}
+	else if (parse_pfkey_message(out, &response) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "unable to add policy %R === %R %N: parsing response "
+				"from kernel failed", src_ts, dst_ts, policy_dir_names, direction);
+		free(out);
+		return FAILED;
+	}
+
+	this->mutex->lock(this->mutex);
+
+	/* we try to find the policy again and update the kernel index */
+	if (this->policies->find_last(this->policies, NULL, (void**)&policy) != SUCCESS)
+	{
+		DBG2(DBG_KNL, "unable to update index, the policy %R === %R %N is "
+				"already gone, ignoring", src_ts, dst_ts, policy_dir_names, direction);
+		this->mutex->unlock(this->mutex);
+		free(out);
+		return SUCCESS;
+	}
+	policy->index = response.x_policy->sadb_x_policy_id;
+	free(out);
+
+	/* install a route, if:
+	 * - we are NOT updating a policy
+	 * - this is a forward policy (to just get one for each child)
+	 * - we are in tunnel mode
+	 * - we are not using IPv6 (does not work correctly yet!)
+	 * - routing is not disabled via strongswan.conf
+	 */
+	if (policy->route == NULL && direction == POLICY_FWD &&
+		sa->mode != MODE_TRANSPORT && src->get_family(src) != AF_INET6 &&
+		this->install_routes)
+	{
+		route_entry_t *route = malloc_thing(route_entry_t);
+
+		if (hydra->kernel_interface->get_address_by_ts(hydra->kernel_interface,
+				dst_ts, &route->src_ip) == SUCCESS)
+		{
+			/* get the nexthop to src (src as we are in POLICY_FWD).*/
+			route->gateway = hydra->kernel_interface->get_nexthop(
+									hydra->kernel_interface, src);
+			route->if_name = hydra->kernel_interface->get_interface(
+									hydra->kernel_interface, dst);
+			route->dst_net = chunk_clone(policy->src.net->get_address(policy->src.net));
+			route->prefixlen = policy->src.mask;
+
+			if (route->if_name)
+			{
+				switch (hydra->kernel_interface->add_route(
+									hydra->kernel_interface, route->dst_net,
+									route->prefixlen, route->gateway,
+									route->src_ip, route->if_name))
+				{
+					default:
+						DBG1(DBG_KNL, "unable to install source route for %H",
+							 route->src_ip);
+						/* FALL */
+					case ALREADY_DONE:
+						/* route exists, do not uninstall */
+						route_entry_destroy(route);
+						break;
+					case SUCCESS:
+						/* cache the installed route */
+						policy->route = route;
+						break;
+				}
+			}
+			else
+			{
+				route_entry_destroy(route);
+			}
+		}
+		else
+		{
+			free(route);
+		}
+	}
+
+	this->mutex->unlock(this->mutex);
+
+	return SUCCESS;
+}
+
+METHOD(kernel_ipsec_t, query_policy, status_t,
+	private_kernel_pfkey_ipsec_t *this, traffic_selector_t *src_ts,
+	traffic_selector_t *dst_ts, policy_dir_t direction, mark_t mark,
+	u_int32_t *use_time)
+{
+	unsigned char request[PFKEY_BUFFER_SIZE];
+	struct sadb_msg *msg, *out;
+	struct sadb_x_policy *pol;
+	policy_entry_t *policy, *found = NULL;
+	pfkey_msg_t response;
+	size_t len;
+
+	if (dir2kernel(direction) == IPSEC_DIR_INVALID)
+	{
+		/* FWD policies are not supported on all platforms */
+		return NOT_FOUND;
+	}
+
+	DBG2(DBG_KNL, "querying policy %R === %R %N", src_ts, dst_ts,
+				   policy_dir_names, direction);
+
+	/* create a policy */
+	policy = create_policy_entry(src_ts, dst_ts, direction, 0);
+
+	/* find a matching policy */
+	this->mutex->lock(this->mutex);
+	if (this->policies->find_first(this->policies,
+			(linked_list_match_t)policy_entry_equals, (void**)&found, policy) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "querying policy %R === %R %N failed, not found", src_ts,
+					   dst_ts, policy_dir_names, direction);
+		policy_entry_destroy(policy);
+		this->mutex->unlock(this->mutex);
+		return NOT_FOUND;
+	}
+	policy_entry_destroy(policy);
+	policy = found;
+
+	memset(&request, 0, sizeof(request));
+
+	msg = (struct sadb_msg*)request;
+	msg->sadb_msg_version = PF_KEY_V2;
+	msg->sadb_msg_type = SADB_X_SPDGET;
+	msg->sadb_msg_satype = 0;
+	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
+
+	pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
+	pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
+	pol->sadb_x_policy_id = policy->index;
+	pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
+	pol->sadb_x_policy_dir = dir2kernel(direction);
+	pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
+	PFKEY_EXT_ADD(msg, pol);
+
+	add_addr_ext(msg, policy->src.net, SADB_EXT_ADDRESS_SRC, policy->src.proto,
+				 policy->src.mask);
+	add_addr_ext(msg, policy->dst.net, SADB_EXT_ADDRESS_DST, policy->dst.proto,
+				 policy->dst.mask);
+
+	this->mutex->unlock(this->mutex);
+
+	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "unable to query policy %R === %R %N", src_ts, dst_ts,
+					   policy_dir_names, direction);
+		return FAILED;
+	}
+	else if (out->sadb_msg_errno)
+	{
+		DBG1(DBG_KNL, "unable to query policy %R === %R %N: %s (%d)", src_ts,
+					   dst_ts, policy_dir_names, direction,
+					   strerror(out->sadb_msg_errno), out->sadb_msg_errno);
+		free(out);
+		return FAILED;
+	}
+	else if (parse_pfkey_message(out, &response) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "unable to query policy %R === %R %N: parsing response "
+				"from kernel failed", src_ts, dst_ts, policy_dir_names, direction);
+		free(out);
+		return FAILED;
+	}
+	else if (response.lft_current == NULL)
+	{
+		DBG1(DBG_KNL, "unable to query policy %R === %R %N: kernel reports no "
+			 "use time", src_ts, dst_ts, policy_dir_names, direction);
+		free(out);
+		return FAILED;
+	}
+	/* we need the monotonic time, but the kernel returns system time. */
+	if (response.lft_current->sadb_lifetime_usetime)
+	{
+		*use_time = time_monotonic(NULL) -
+					(time(NULL) - response.lft_current->sadb_lifetime_usetime);
+	}
+	else
+	{
+		*use_time = 0;
+	}
+	free(out);
+
+	return SUCCESS;
+}
+
+METHOD(kernel_ipsec_t, del_policy, status_t,
+	private_kernel_pfkey_ipsec_t *this, traffic_selector_t *src_ts,
+	traffic_selector_t *dst_ts, policy_dir_t direction, mark_t mark,
+	bool unrouted)
+{
+	unsigned char request[PFKEY_BUFFER_SIZE];
+	struct sadb_msg *msg, *out;
+	struct sadb_x_policy *pol;
+	policy_entry_t *policy, *found = NULL;
+	route_entry_t *route;
+	size_t len;
+
+	if (dir2kernel(direction) == IPSEC_DIR_INVALID)
+	{
+		/* FWD policies are not supported on all platforms */
+		return SUCCESS;
+	}
+
+	DBG2(DBG_KNL, "deleting policy %R === %R %N", src_ts, dst_ts,
+				   policy_dir_names, direction);
+
+	/* create a policy */
+	policy = create_policy_entry(src_ts, dst_ts, direction, 0);
+
+	/* find a matching policy */
+	this->mutex->lock(this->mutex);
+	if (this->policies->find_first(this->policies,
+			(linked_list_match_t)policy_entry_equals, (void**)&found, policy) == SUCCESS)
+	{
+		if (--found->refcount > 0)
+		{
+			/* is used by more SAs, keep in kernel */
+			DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed");
+			policy_entry_destroy(policy);
+			this->mutex->unlock(this->mutex);
+			return SUCCESS;
+		}
+		/* remove if last reference */
+		this->policies->remove(this->policies, found, NULL);
+		policy_entry_destroy(policy);
+		policy = found;
+	}
+	else
+	{
+		DBG1(DBG_KNL, "deleting policy %R === %R %N failed, not found", src_ts,
+					   dst_ts, policy_dir_names, direction);
+		policy_entry_destroy(policy);
+		this->mutex->unlock(this->mutex);
+		return NOT_FOUND;
+	}
+	this->mutex->unlock(this->mutex);
+
+	memset(&request, 0, sizeof(request));
+
+	msg = (struct sadb_msg*)request;
+	msg->sadb_msg_version = PF_KEY_V2;
+	msg->sadb_msg_type = SADB_X_SPDDELETE;
+	msg->sadb_msg_satype = 0;
+	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
+
+	pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
+	pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
+	pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
+	pol->sadb_x_policy_dir = dir2kernel(direction);
+	pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
+	PFKEY_EXT_ADD(msg, pol);
+
+	add_addr_ext(msg, policy->src.net, SADB_EXT_ADDRESS_SRC, policy->src.proto,
+				 policy->src.mask);
+	add_addr_ext(msg, policy->dst.net, SADB_EXT_ADDRESS_DST, policy->dst.proto,
+				 policy->dst.mask);
+
+	route = policy->route;
+	policy->route = NULL;
+	policy_entry_destroy(policy);
+
+	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "unable to delete policy %R === %R %N", src_ts, dst_ts,
+					   policy_dir_names, direction);
+		return FAILED;
+	}
+	else if (out->sadb_msg_errno)
+	{
+		DBG1(DBG_KNL, "unable to delete policy %R === %R %N: %s (%d)", src_ts,
+					   dst_ts, policy_dir_names, direction,
+					   strerror(out->sadb_msg_errno), out->sadb_msg_errno);
+		free(out);
+		return FAILED;
+	}
+	free(out);
+
+	if (route)
+	{
+		if (hydra->kernel_interface->del_route(hydra->kernel_interface,
+				route->dst_net, route->prefixlen, route->gateway,
+				route->src_ip, route->if_name) != SUCCESS)
+		{
+			DBG1(DBG_KNL, "error uninstalling route installed with "
+						  "policy %R === %R %N", src_ts, dst_ts,
+						   policy_dir_names, direction);
+		}
+		route_entry_destroy(route);
+	}
+
+	return SUCCESS;
+}
+
+/**
+ * Register a socket for AQUIRE/EXPIRE messages
+ */
+static status_t register_pfkey_socket(private_kernel_pfkey_ipsec_t *this,
+									  u_int8_t satype)
+{
+	unsigned char request[PFKEY_BUFFER_SIZE];
+	struct sadb_msg *msg, *out;
+	size_t len;
+
+	memset(&request, 0, sizeof(request));
+
+	msg = (struct sadb_msg*)request;
+	msg->sadb_msg_version = PF_KEY_V2;
+	msg->sadb_msg_type = SADB_REGISTER;
+	msg->sadb_msg_satype = satype;
+	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
+
+	if (pfkey_send_socket(this, this->socket_events, msg, &out, &len) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "unable to register PF_KEY socket");
+		return FAILED;
+	}
+	else if (out->sadb_msg_errno)
+	{
+		DBG1(DBG_KNL, "unable to register PF_KEY socket: %s (%d)",
+					   strerror(out->sadb_msg_errno), out->sadb_msg_errno);
+		free(out);
+		return FAILED;
+	}
+	free(out);
+	return SUCCESS;
+}
+
+METHOD(kernel_ipsec_t, bypass_socket, bool,
+	private_kernel_pfkey_ipsec_t *this, int fd, int family)
+{
+	struct sadb_x_policy policy;
+	u_int sol, ipsec_policy;
+
+	switch (family)
+	{
+		case AF_INET:
+		{
+			sol = SOL_IP;
+			ipsec_policy = IP_IPSEC_POLICY;
+			break;
+		}
+		case AF_INET6:
+		{
+			sol = SOL_IPV6;
+			ipsec_policy = IPV6_IPSEC_POLICY;
+			break;
+		}
+		default:
+			return FALSE;
+	}
+
+	memset(&policy, 0, sizeof(policy));
+	policy.sadb_x_policy_len = sizeof(policy) / sizeof(u_int64_t);
+	policy.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
+	policy.sadb_x_policy_type = IPSEC_POLICY_BYPASS;
+
+	policy.sadb_x_policy_dir = IPSEC_DIR_OUTBOUND;
+	if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
+	{
+		DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
+			 strerror(errno));
+		return FALSE;
+	}
+	policy.sadb_x_policy_dir = IPSEC_DIR_INBOUND;
+	if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
+	{
+		DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
+			 strerror(errno));
+		return FALSE;
+	}
+	return TRUE;
+}
+
+METHOD(kernel_ipsec_t, destroy, void,
+	private_kernel_pfkey_ipsec_t *this)
+{
+	if (this->job)
+	{
+		this->job->cancel(this->job);
+	}
+	if (this->socket > 0)
+	{
+		close(this->socket);
+	}
+	if (this->socket_events > 0)
+	{
+		close(this->socket_events);
+	}
+	this->policies->destroy_function(this->policies, (void*)policy_entry_destroy);
+	this->mutex->destroy(this->mutex);
+	this->mutex_pfkey->destroy(this->mutex_pfkey);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create()
+{
+	private_kernel_pfkey_ipsec_t *this;
+
+	INIT(this,
+		.public = {
+			.interface = {
+				.get_spi = _get_spi,
+				.get_cpi = _get_cpi,
+				.add_sa  = _add_sa,
+				.update_sa = _update_sa,
+				.query_sa = _query_sa,
+				.del_sa = _del_sa,
+				.add_policy = _add_policy,
+				.query_policy = _query_policy,
+				.del_policy = _del_policy,
+				.bypass_socket = _bypass_socket,
+				.destroy = _destroy,
+			},
+		},
+		.policies = linked_list_create(),
+		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+		.mutex_pfkey = mutex_create(MUTEX_TYPE_DEFAULT),
+		.install_routes = lib->settings->get_bool(lib->settings,
+												  "%s.install_routes", TRUE,
+												  hydra->daemon),
+	);
+
+	if (streq(hydra->daemon, "pluto"))
+	{	/* no routes for pluto, they are installed via updown script */
+		this->install_routes = FALSE;
+	}
+
+	/* create a PF_KEY socket to communicate with the kernel */
+	this->socket = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
+	if (this->socket <= 0)
+	{
+		DBG1(DBG_KNL, "unable to create PF_KEY socket");
+		destroy(this);
+		return NULL;
+	}
+
+	/* create a PF_KEY socket for ACQUIRE & EXPIRE */
+	this->socket_events = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
+	if (this->socket_events <= 0)
+	{
+		DBG1(DBG_KNL, "unable to create PF_KEY event socket");
+		destroy(this);
+		return NULL;
+	}
+
+	/* register the event socket */
+	if (register_pfkey_socket(this, SADB_SATYPE_ESP) != SUCCESS ||
+		register_pfkey_socket(this, SADB_SATYPE_AH) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "unable to register PF_KEY event socket");
+		destroy(this);
+		return NULL;
+	}
+
+	this->job = callback_job_create((callback_job_cb_t)receive_events,
+									this, NULL, NULL);
+	lib->processor->queue_job(lib->processor, (job_t*)this->job);
+
+	return &this->public;
+}
+
diff --git a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.h b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.h
new file mode 100644
index 000000000..649f93733
--- /dev/null
+++ b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.h
@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup kernel_pfkey_ipsec_i kernel_pfkey_ipsec
+ * @{ @ingroup kernel_pfkey
+ */
+
+#ifndef KERNEL_PFKEY_IPSEC_H_
+#define KERNEL_PFKEY_IPSEC_H_
+
+#include <kernel/kernel_ipsec.h>
+
+typedef struct kernel_pfkey_ipsec_t kernel_pfkey_ipsec_t;
+
+/**
+ * Implementation of the kernel ipsec interface using PF_KEY.
+ */
+struct kernel_pfkey_ipsec_t {
+
+	/**
+	 * Implements kernel_ipsec_t interface
+	 */
+	kernel_ipsec_t interface;
+};
+
+/**
+ * Create a PF_KEY kernel ipsec interface instance.
+ *
+ * @return			kernel_pfkey_ipsec_t instance
+ */
+kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create();
+
+#endif /** KERNEL_PFKEY_IPSEC_H_ @}*/
diff --git a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_plugin.c b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_plugin.c
new file mode 100644
index 000000000..781ba5008
--- /dev/null
+++ b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_plugin.c
@@ -0,0 +1,58 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+
+#include "kernel_pfkey_plugin.h"
+
+#include "kernel_pfkey_ipsec.h"
+
+#include <hydra.h>
+
+typedef struct private_kernel_pfkey_plugin_t private_kernel_pfkey_plugin_t;
+
+/**
+ * private data of kernel PF_KEY plugin
+ */
+struct private_kernel_pfkey_plugin_t {
+	/**
+	 * implements plugin interface
+	 */
+	kernel_pfkey_plugin_t public;
+};
+
+/**
+ * Implementation of plugin_t.destroy
+ */
+static void destroy(private_kernel_pfkey_plugin_t *this)
+{
+	hydra->kernel_interface->remove_ipsec_interface(hydra->kernel_interface,
+						(kernel_ipsec_constructor_t)kernel_pfkey_ipsec_create);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *kernel_pfkey_plugin_create()
+{
+	private_kernel_pfkey_plugin_t *this = malloc_thing(private_kernel_pfkey_plugin_t);
+
+	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+
+	hydra->kernel_interface->add_ipsec_interface(hydra->kernel_interface,
+						(kernel_ipsec_constructor_t)kernel_pfkey_ipsec_create);
+
+	return &this->public.plugin;
+}
diff --git a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_plugin.h b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_plugin.h
new file mode 100644
index 000000000..51db4d8d3
--- /dev/null
+++ b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup kernel_pfkey kernel_pfkey
+ * @ingroup hplugins
+ *
+ * @defgroup kernel_pfkey_plugin kernel_pfkey_plugin
+ * @{ @ingroup kernel_pfkey
+ */
+
+#ifndef KERNEL_PFKEY_PLUGIN_H_
+#define KERNEL_PFKEY_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct kernel_pfkey_plugin_t kernel_pfkey_plugin_t;
+
+/**
+ * PF_KEY kernel interface plugin
+ */
+struct kernel_pfkey_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+#endif /** KERNEL_PFKEY_PLUGIN_H_ @}*/
diff --git a/src/libhydra/plugins/kernel_pfroute/Makefile.am b/src/libhydra/plugins/kernel_pfroute/Makefile.am
new file mode 100644
index 000000000..df3109eb8
--- /dev/null
+++ b/src/libhydra/plugins/kernel_pfroute/Makefile.am
@@ -0,0 +1,17 @@
+
+INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra
+
+AM_CFLAGS = -rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-kernel-pfroute.la
+else
+plugin_LTLIBRARIES = libstrongswan-kernel-pfroute.la
+endif
+
+libstrongswan_kernel_pfroute_la_SOURCES = \
+	kernel_pfroute_plugin.h kernel_pfroute_plugin.c \
+	kernel_pfroute_net.h kernel_pfroute_net.c
+
+libstrongswan_kernel_pfroute_la_LDFLAGS = -module -avoid-version
diff --git a/src/libhydra/plugins/kernel_pfroute/Makefile.in b/src/libhydra/plugins/kernel_pfroute/Makefile.in
new file mode 100644
index 000000000..b0bc00c70
--- /dev/null
+++ b/src/libhydra/plugins/kernel_pfroute/Makefile.in
@@ -0,0 +1,606 @@
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libhydra/plugins/kernel_pfroute
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_kernel_pfroute_la_LIBADD =
+am_libstrongswan_kernel_pfroute_la_OBJECTS = kernel_pfroute_plugin.lo \
+	kernel_pfroute_net.lo
+libstrongswan_kernel_pfroute_la_OBJECTS =  \
+	$(am_libstrongswan_kernel_pfroute_la_OBJECTS)
+libstrongswan_kernel_pfroute_la_LINK = $(LIBTOOL) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_kernel_pfroute_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_kernel_pfroute_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_kernel_pfroute_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_kernel_pfroute_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_kernel_pfroute_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra
+
+AM_CFLAGS = -rdynamic
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-kernel-pfroute.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-kernel-pfroute.la
+libstrongswan_kernel_pfroute_la_SOURCES = \
+	kernel_pfroute_plugin.h kernel_pfroute_plugin.c \
+	kernel_pfroute_net.h kernel_pfroute_net.c
+
+libstrongswan_kernel_pfroute_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libhydra/plugins/kernel_pfroute/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libhydra/plugins/kernel_pfroute/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-kernel-pfroute.la: $(libstrongswan_kernel_pfroute_la_OBJECTS) $(libstrongswan_kernel_pfroute_la_DEPENDENCIES) 
+	$(libstrongswan_kernel_pfroute_la_LINK) $(am_libstrongswan_kernel_pfroute_la_rpath) $(libstrongswan_kernel_pfroute_la_OBJECTS) $(libstrongswan_kernel_pfroute_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_pfroute_net.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_pfroute_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.c b/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.c
new file mode 100644
index 000000000..59fc915fd
--- /dev/null
+++ b/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.c
@@ -0,0 +1,742 @@
+/*
+ * Copyright (C) 2009 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <net/if.h>
+#include <ifaddrs.h>
+#include <net/route.h>
+#include <unistd.h>
+#include <errno.h>
+
+#include "kernel_pfroute_net.h"
+
+#include <hydra.h>
+#include <debug.h>
+#include <utils/host.h>
+#include <threading/thread.h>
+#include <threading/mutex.h>
+#include <utils/linked_list.h>
+#include <processing/jobs/callback_job.h>
+
+#ifndef HAVE_STRUCT_SOCKADDR_SA_LEN
+#error Cannot compile this plugin on systems where 'struct sockaddr' has no sa_len member.
+#endif
+
+/** delay before firing roam events (ms) */
+#define ROAM_DELAY 100
+
+/** buffer size for PF_ROUTE messages */
+#define PFROUTE_BUFFER_SIZE 4096
+
+typedef struct addr_entry_t addr_entry_t;
+
+/**
+ * IP address in an inface_entry_t
+ */
+struct addr_entry_t {
+
+	/** The ip address */
+	host_t *ip;
+
+	/** virtual IP managed by us */
+	bool virtual;
+
+	/** Number of times this IP is used, if virtual */
+	u_int refcount;
+};
+
+/**
+ * destroy a addr_entry_t object
+ */
+static void addr_entry_destroy(addr_entry_t *this)
+{
+	this->ip->destroy(this->ip);
+	free(this);
+}
+
+typedef struct iface_entry_t iface_entry_t;
+
+/**
+ * A network interface on this system, containing addr_entry_t's
+ */
+struct iface_entry_t {
+
+	/** interface index */
+	int ifindex;
+
+	/** name of the interface */
+	char ifname[IFNAMSIZ];
+
+	/** interface flags, as in netdevice(7) SIOCGIFFLAGS */
+	u_int flags;
+
+	/** list of addresses as host_t */
+	linked_list_t *addrs;
+};
+
+/**
+ * destroy an interface entry
+ */
+static void iface_entry_destroy(iface_entry_t *this)
+{
+	this->addrs->destroy_function(this->addrs, (void*)addr_entry_destroy);
+	free(this);
+}
+
+
+typedef struct private_kernel_pfroute_net_t private_kernel_pfroute_net_t;
+
+/**
+ * Private variables and functions of kernel_pfroute class.
+ */
+struct private_kernel_pfroute_net_t
+{
+	/**
+	 * Public part of the kernel_pfroute_t object.
+	 */
+	kernel_pfroute_net_t public;
+
+	/**
+	 * mutex to lock access to various lists
+	 */
+	mutex_t *mutex;
+
+	/**
+	 * Cached list of interfaces and their addresses (iface_entry_t)
+	 */
+	linked_list_t *ifaces;
+
+	/**
+	 * job receiving PF_ROUTE events
+	 */
+	callback_job_t *job;
+
+	/**
+	 * mutex to lock access to the PF_ROUTE socket
+	 */
+	mutex_t *mutex_pfroute;
+
+	/**
+	 * PF_ROUTE socket to communicate with the kernel
+	 */
+	int socket;
+
+	/**
+	 * PF_ROUTE socket to receive events
+	 */
+	int socket_events;
+
+	/**
+	 * sequence number for messages sent to the kernel
+	 */
+	int seq;
+
+	/**
+	 * time of last roam event
+	 */
+	timeval_t last_roam;
+};
+
+/**
+ * callback function that raises the delayed roam event
+ */
+static job_requeue_t roam_event(uintptr_t address)
+{
+	hydra->kernel_interface->roam(hydra->kernel_interface, address != 0);
+	return JOB_REQUEUE_NONE;
+}
+
+/**
+ * fire a roaming event. we delay it for a bit and fire only one event
+ * for multiple calls. otherwise we would create too many events.
+ */
+static void fire_roam_event(private_kernel_pfroute_net_t *this, bool address)
+{
+	timeval_t now;
+	job_t *job;
+
+	time_monotonic(&now);
+	if (timercmp(&now, &this->last_roam, >))
+	{
+		now.tv_usec += ROAM_DELAY * 1000;
+		while (now.tv_usec > 1000000)
+		{
+			now.tv_sec++;
+			now.tv_usec -= 1000000;
+		}
+		this->last_roam = now;
+
+		job = (job_t*)callback_job_create((callback_job_cb_t)roam_event,
+										  (void*)(uintptr_t)(address ? 1 : 0),
+										  NULL, NULL);
+		lib->scheduler->schedule_job_ms(lib->scheduler, job, ROAM_DELAY);
+	}
+}
+
+/**
+ * Process an RTM_*ADDR message from the kernel
+ */
+static void process_addr(private_kernel_pfroute_net_t *this,
+						 struct rt_msghdr *msg)
+{
+	struct ifa_msghdr *ifa = (struct ifa_msghdr*)msg;
+	sockaddr_t *sockaddr = (sockaddr_t*)(ifa + 1);
+	host_t *host = NULL;
+	enumerator_t *ifaces, *addrs;
+	iface_entry_t *iface;
+	addr_entry_t *addr;
+	bool found = FALSE, changed = FALSE, roam = FALSE;
+	int i;
+
+	for (i = 1; i < (1 << RTAX_MAX); i <<= 1)
+	{
+		if (ifa->ifam_addrs & i)
+		{
+			if (RTA_IFA & i)
+			{
+				host = host_create_from_sockaddr(sockaddr);
+				break;
+			}
+			sockaddr = (sockaddr_t*)((char*)sockaddr + sockaddr->sa_len);
+		}
+	}
+
+	if (!host)
+	{
+		return;
+	}
+
+	this->mutex->lock(this->mutex);
+	ifaces = this->ifaces->create_enumerator(this->ifaces);
+	while (ifaces->enumerate(ifaces, &iface))
+	{
+		if (iface->ifindex == ifa->ifam_index)
+		{
+			addrs = iface->addrs->create_enumerator(iface->addrs);
+			while (addrs->enumerate(addrs, &addr))
+			{
+				if (host->ip_equals(host, addr->ip))
+				{
+					found = TRUE;
+					if (ifa->ifam_type == RTM_DELADDR)
+					{
+						iface->addrs->remove_at(iface->addrs, addrs);
+						if (!addr->virtual)
+						{
+							changed = TRUE;
+							DBG1(DBG_KNL, "%H disappeared from %s",
+								 host, iface->ifname);
+						}
+						addr_entry_destroy(addr);
+					}
+					else if (ifa->ifam_type == RTM_NEWADDR && addr->virtual)
+					{
+						addr->refcount = 1;
+					}
+				}
+			}
+			addrs->destroy(addrs);
+
+			if (!found && ifa->ifam_type == RTM_NEWADDR)
+			{
+				changed = TRUE;
+				addr = malloc_thing(addr_entry_t);
+				addr->ip = host->clone(host);
+				addr->virtual = FALSE;
+				addr->refcount = 1;
+				iface->addrs->insert_last(iface->addrs, addr);
+				DBG1(DBG_KNL, "%H appeared on %s", host, iface->ifname);
+			}
+
+			if (changed && (iface->flags & IFF_UP))
+			{
+				roam = TRUE;
+			}
+			break;
+		}
+	}
+	ifaces->destroy(ifaces);
+	this->mutex->unlock(this->mutex);
+	host->destroy(host);
+
+	if (roam)
+	{
+		fire_roam_event(this, TRUE);
+	}
+}
+
+/**
+ * Process an RTM_IFINFO message from the kernel
+ */
+static void process_link(private_kernel_pfroute_net_t *this,
+						 struct rt_msghdr *hdr)
+{
+	struct if_msghdr *msg = (struct if_msghdr*)hdr;
+	enumerator_t *enumerator;
+	iface_entry_t *iface;
+	bool roam = FALSE;
+
+	if (msg->ifm_flags & IFF_LOOPBACK)
+	{	/* ignore loopback interfaces */
+		return;
+	}
+
+	this->mutex->lock(this->mutex);
+	enumerator = this->ifaces->create_enumerator(this->ifaces);
+	while (enumerator->enumerate(enumerator, &iface))
+	{
+		if (iface->ifindex == msg->ifm_index)
+		{
+			if (!(iface->flags & IFF_UP) && (msg->ifm_flags & IFF_UP))
+			{
+				roam = TRUE;
+				DBG1(DBG_KNL, "interface %s activated", iface->ifname);
+			}
+			else if ((iface->flags & IFF_UP) && !(msg->ifm_flags & IFF_UP))
+			{
+				roam = TRUE;
+				DBG1(DBG_KNL, "interface %s deactivated", iface->ifname);
+			}
+			iface->flags = msg->ifm_flags;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->mutex->unlock(this->mutex);
+
+	if (roam)
+	{
+		fire_roam_event(this, TRUE);
+	}
+}
+
+/**
+ * Process an RTM_*ROUTE message from the kernel
+ */
+static void process_route(private_kernel_pfroute_net_t *this,
+						  struct rt_msghdr *msg)
+{
+
+}
+
+/**
+ * Receives events from kernel
+ */
+static job_requeue_t receive_events(private_kernel_pfroute_net_t *this)
+{
+	unsigned char buf[PFROUTE_BUFFER_SIZE];
+	struct rt_msghdr *msg = (struct rt_msghdr*)buf;
+	int len;
+	bool oldstate;
+
+	oldstate = thread_cancelability(TRUE);
+	len = recvfrom(this->socket_events, buf, sizeof(buf), 0, NULL, 0);
+	thread_cancelability(oldstate);
+
+	if (len < 0)
+	{
+		switch (errno)
+		{
+			case EINTR:
+				/* interrupted, try again */
+				return JOB_REQUEUE_DIRECT;
+			case EAGAIN:
+				/* no data ready, select again */
+				return JOB_REQUEUE_DIRECT;
+			default:
+				DBG1(DBG_KNL, "unable to receive from PF_ROUTE event socket");
+				sleep(1);
+				return JOB_REQUEUE_FAIR;
+		}
+	}
+
+	if (len < sizeof(msg->rtm_msglen) || len < msg->rtm_msglen ||
+		msg->rtm_version != RTM_VERSION)
+	{
+		DBG2(DBG_KNL, "received corrupted PF_ROUTE message");
+		return JOB_REQUEUE_DIRECT;
+	}
+
+	switch (msg->rtm_type)
+	{
+		case RTM_NEWADDR:
+		case RTM_DELADDR:
+			process_addr(this, msg);
+			break;
+		case RTM_IFINFO:
+		/*case RTM_IFANNOUNCE <- what about this*/
+			process_link(this, msg);
+			break;
+		case RTM_ADD:
+		case RTM_DELETE:
+			process_route(this, msg);
+		default:
+			break;
+	}
+
+	return JOB_REQUEUE_DIRECT;
+}
+
+
+/** enumerator over addresses */
+typedef struct {
+	private_kernel_pfroute_net_t* this;
+	/** whether to enumerate down interfaces */
+	bool include_down_ifaces;
+	/** whether to enumerate virtual ip addresses */
+	bool include_virtual_ips;
+} address_enumerator_t;
+
+/**
+ * cleanup function for address enumerator
+ */
+static void address_enumerator_destroy(address_enumerator_t *data)
+{
+	data->this->mutex->unlock(data->this->mutex);
+	free(data);
+}
+
+/**
+ * filter for addresses
+ */
+static bool filter_addresses(address_enumerator_t *data, addr_entry_t** in, host_t** out)
+{
+	host_t *ip;
+	if (!data->include_virtual_ips && (*in)->virtual)
+	{   /* skip virtual interfaces added by us */
+		return FALSE;
+	}
+	ip = (*in)->ip;
+	if (ip->get_family(ip) == AF_INET6)
+	{
+		struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)ip->get_sockaddr(ip);
+		if (IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr))
+		{   /* skip addresses with a unusable scope */
+			return FALSE;
+		}
+	}
+	*out = ip;
+	return TRUE;
+}
+
+/**
+ * enumerator constructor for interfaces
+ */
+static enumerator_t *create_iface_enumerator(iface_entry_t *iface, address_enumerator_t *data)
+{
+	return enumerator_create_filter(iface->addrs->create_enumerator(iface->addrs),
+									(void*)filter_addresses, data, NULL);
+}
+
+/**
+ * filter for interfaces
+ */
+static bool filter_interfaces(address_enumerator_t *data, iface_entry_t** in, iface_entry_t** out)
+{
+	if (!data->include_down_ifaces && !((*in)->flags & IFF_UP))
+	{   /* skip interfaces not up */
+		return FALSE;
+	}
+	*out = *in;
+	return TRUE;
+}
+
+/**
+ * implementation of kernel_net_t.create_address_enumerator
+ */
+static enumerator_t *create_address_enumerator(private_kernel_pfroute_net_t *this,
+		bool include_down_ifaces, bool include_virtual_ips)
+{
+	address_enumerator_t *data = malloc_thing(address_enumerator_t);
+	data->this = this;
+	data->include_down_ifaces = include_down_ifaces;
+	data->include_virtual_ips = include_virtual_ips;
+
+	this->mutex->lock(this->mutex);
+	return enumerator_create_nested(
+				enumerator_create_filter(this->ifaces->create_enumerator(this->ifaces),
+						(void*)filter_interfaces, data, NULL),
+				(void*)create_iface_enumerator, data, (void*)address_enumerator_destroy);
+}
+
+/**
+ * implementation of kernel_net_t.get_interface_name
+ */
+static char *get_interface_name(private_kernel_pfroute_net_t *this, host_t* ip)
+{
+	enumerator_t *ifaces, *addrs;
+	iface_entry_t *iface;
+	addr_entry_t *addr;
+	char *name = NULL;
+
+	DBG2(DBG_KNL, "getting interface name for %H", ip);
+
+	this->mutex->lock(this->mutex);
+	ifaces = this->ifaces->create_enumerator(this->ifaces);
+	while (ifaces->enumerate(ifaces, &iface))
+	{
+		addrs = iface->addrs->create_enumerator(iface->addrs);
+		while (addrs->enumerate(addrs, &addr))
+		{
+			if (ip->ip_equals(ip, addr->ip))
+			{
+				name = strdup(iface->ifname);
+				break;
+			}
+		}
+		addrs->destroy(addrs);
+		if (name)
+		{
+			break;
+		}
+	}
+	ifaces->destroy(ifaces);
+	this->mutex->unlock(this->mutex);
+
+	if (name)
+	{
+		DBG2(DBG_KNL, "%H is on interface %s", ip, name);
+	}
+	else
+	{
+		DBG2(DBG_KNL, "%H is not a local address", ip);
+	}
+	return name;
+}
+
+/**
+ * Implementation of kernel_net_t.get_source_addr.
+ */
+static host_t* get_source_addr(private_kernel_pfroute_net_t *this,
+							   host_t *dest, host_t *src)
+{
+	return NULL;
+}
+
+/**
+ * Implementation of kernel_net_t.get_nexthop.
+ */
+static host_t* get_nexthop(private_kernel_pfroute_net_t *this, host_t *dest)
+{
+	return NULL;
+}
+
+/**
+ * Implementation of kernel_net_t.add_ip.
+ */
+static status_t add_ip(private_kernel_pfroute_net_t *this,
+						host_t *virtual_ip, host_t *iface_ip)
+{
+	return FAILED;
+}
+
+/**
+ * Implementation of kernel_net_t.del_ip.
+ */
+static status_t del_ip(private_kernel_pfroute_net_t *this, host_t *virtual_ip)
+{
+	return FAILED;
+}
+
+/**
+ * Implementation of kernel_net_t.add_route.
+ */
+static status_t add_route(private_kernel_pfroute_net_t *this, chunk_t dst_net,
+		u_int8_t prefixlen, host_t *gateway, host_t *src_ip, char *if_name)
+{
+	return FAILED;
+}
+
+/**
+ * Implementation of kernel_net_t.del_route.
+ */
+static status_t del_route(private_kernel_pfroute_net_t *this, chunk_t dst_net,
+		u_int8_t prefixlen, host_t *gateway, host_t *src_ip, char *if_name)
+{
+	return FAILED;
+}
+
+/**
+ * Initialize a list of local addresses.
+ */
+static status_t init_address_list(private_kernel_pfroute_net_t *this)
+{
+	struct ifaddrs *ifap, *ifa;
+	iface_entry_t *iface, *current;
+	addr_entry_t *addr;
+	enumerator_t *ifaces, *addrs;
+
+	DBG1(DBG_KNL, "listening on interfaces:");
+
+	if (getifaddrs(&ifap) < 0)
+	{
+		DBG1(DBG_KNL, "  failed to get interfaces!");
+		return FAILED;
+	}
+
+	for (ifa = ifap; ifa != NULL; ifa = ifa->ifa_next)
+	{
+		if (ifa->ifa_addr == NULL)
+		{
+			continue;
+		}
+		switch(ifa->ifa_addr->sa_family)
+		{
+			case AF_LINK:
+			case AF_INET:
+			case AF_INET6:
+			{
+				if (ifa->ifa_flags & IFF_LOOPBACK)
+				{	/* ignore loopback interfaces */
+					continue;
+				}
+
+				iface = NULL;
+				ifaces = this->ifaces->create_enumerator(this->ifaces);
+				while (ifaces->enumerate(ifaces, &current))
+				{
+					if (streq(current->ifname, ifa->ifa_name))
+					{
+						iface = current;
+						break;
+					}
+				}
+				ifaces->destroy(ifaces);
+
+				if (!iface)
+				{
+					iface = malloc_thing(iface_entry_t);
+					memcpy(iface->ifname, ifa->ifa_name, IFNAMSIZ);
+					iface->ifindex = if_nametoindex(ifa->ifa_name);
+					iface->flags = ifa->ifa_flags;
+					iface->addrs = linked_list_create();
+					this->ifaces->insert_last(this->ifaces, iface);
+				}
+
+				if (ifa->ifa_addr->sa_family != AF_LINK)
+				{
+					addr = malloc_thing(addr_entry_t);
+					addr->ip = host_create_from_sockaddr(ifa->ifa_addr);
+					addr->virtual = FALSE;
+					addr->refcount = 1;
+					iface->addrs->insert_last(iface->addrs, addr);
+				}
+			}
+		}
+	}
+	freeifaddrs(ifap);
+
+	ifaces = this->ifaces->create_enumerator(this->ifaces);
+	while (ifaces->enumerate(ifaces, &iface))
+	{
+		if (iface->flags & IFF_UP)
+		{
+			DBG1(DBG_KNL, "  %s", iface->ifname);
+			addrs = iface->addrs->create_enumerator(iface->addrs);
+			while (addrs->enumerate(addrs, (void**)&addr))
+			{
+				DBG1(DBG_KNL, "    %H", addr->ip);
+			}
+			addrs->destroy(addrs);
+		}
+	}
+	ifaces->destroy(ifaces);
+
+	return SUCCESS;
+}
+
+/**
+ * Implementation of kernel_netlink_net_t.destroy.
+ */
+static void destroy(private_kernel_pfroute_net_t *this)
+{
+	if (this->job)
+	{
+		this->job->cancel(this->job);
+	}
+	if (this->socket > 0)
+	{
+		close(this->socket);
+	}
+	if (this->socket_events)
+	{
+		close(this->socket_events);
+	}
+	this->ifaces->destroy_function(this->ifaces, (void*)iface_entry_destroy);
+	this->mutex->destroy(this->mutex);
+	this->mutex_pfroute->destroy(this->mutex_pfroute);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+kernel_pfroute_net_t *kernel_pfroute_net_create()
+{
+	private_kernel_pfroute_net_t *this = malloc_thing(private_kernel_pfroute_net_t);
+
+	/* public functions */
+	this->public.interface.get_interface = (char*(*)(kernel_net_t*,host_t*))get_interface_name;
+	this->public.interface.create_address_enumerator = (enumerator_t*(*)(kernel_net_t*,bool,bool))create_address_enumerator;
+	this->public.interface.get_source_addr = (host_t*(*)(kernel_net_t*, host_t *dest, host_t *src))get_source_addr;
+	this->public.interface.get_nexthop = (host_t*(*)(kernel_net_t*, host_t *dest))get_nexthop;
+	this->public.interface.add_ip = (status_t(*)(kernel_net_t*,host_t*,host_t*)) add_ip;
+	this->public.interface.del_ip = (status_t(*)(kernel_net_t*,host_t*)) del_ip;
+	this->public.interface.add_route = (status_t(*)(kernel_net_t*,chunk_t,u_int8_t,host_t*,host_t*,char*)) add_route;
+	this->public.interface.del_route = (status_t(*)(kernel_net_t*,chunk_t,u_int8_t,host_t*,host_t*,char*)) del_route;
+
+	this->public.interface.destroy = (void(*)(kernel_net_t*)) destroy;
+
+	/* private members */
+	this->ifaces = linked_list_create();
+	this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
+	this->mutex_pfroute = mutex_create(MUTEX_TYPE_DEFAULT);
+
+	this->seq = 0;
+	this->socket_events = 0;
+	this->job = NULL;
+
+	/* create a PF_ROUTE socket to communicate with the kernel */
+	this->socket = socket(PF_ROUTE, SOCK_RAW, AF_UNSPEC);
+	if (this->socket < 0)
+	{
+		DBG1(DBG_KNL, "unable to create PF_ROUTE socket");
+		destroy(this);
+		return NULL;
+	}
+
+	/* create a PF_ROUTE socket to receive events */
+	this->socket_events = socket(PF_ROUTE, SOCK_RAW, AF_UNSPEC);
+	if (this->socket_events < 0)
+	{
+		DBG1(DBG_KNL, "unable to create PF_ROUTE event socket");
+		destroy(this);
+		return NULL;
+	}
+
+	this->job = callback_job_create((callback_job_cb_t)receive_events,
+									this, NULL, NULL);
+	lib->processor->queue_job(lib->processor, (job_t*)this->job);
+
+	if (init_address_list(this) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "unable to get interface list");
+		destroy(this);
+		return NULL;
+	}
+
+	return &this->public;
+}
diff --git a/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.h b/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.h
new file mode 100644
index 000000000..10c3c9eb7
--- /dev/null
+++ b/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.h
@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) 2009 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup kernel_pfroute_net_i kernel_pfroute_net
+ * @{ @ingroup kernel_pfroute
+ */
+
+#ifndef KERNEL_PFROUTE_NET_H_
+#define KERNEL_PFROUTE_NET_H_
+
+#include <kernel/kernel_net.h>
+
+typedef struct kernel_pfroute_net_t kernel_pfroute_net_t;
+
+/**
+ * Implementation of the kernel net interface using PF_ROUTE.
+ */
+struct kernel_pfroute_net_t {
+
+	/**
+	 * Implements kernel_net_t interface
+	 */
+	kernel_net_t interface;
+};
+
+/**
+ * Create a PF_ROUTE kernel net interface instance.
+ *
+ * @return			kernel_pfroute_net_t instance
+ */
+kernel_pfroute_net_t *kernel_pfroute_net_create();
+
+#endif /** KERNEL_PFROUTE_NET_H_ @}*/
diff --git a/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_plugin.c b/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_plugin.c
new file mode 100644
index 000000000..5f351bd72
--- /dev/null
+++ b/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_plugin.c
@@ -0,0 +1,58 @@
+/*
+ * Copyright (C) 2009 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+
+#include "kernel_pfroute_plugin.h"
+
+#include "kernel_pfroute_net.h"
+
+#include <hydra.h>
+
+typedef struct private_kernel_pfroute_plugin_t private_kernel_pfroute_plugin_t;
+
+/**
+ * private data of kernel PF_ROUTE plugin
+ */
+struct private_kernel_pfroute_plugin_t {
+	/**
+	 * implements plugin interface
+	 */
+	kernel_pfroute_plugin_t public;
+};
+
+/**
+ * Implementation of plugin_t.destroy
+ */
+static void destroy(private_kernel_pfroute_plugin_t *this)
+{
+	hydra->kernel_interface->remove_net_interface(hydra->kernel_interface,
+						(kernel_net_constructor_t)kernel_pfroute_net_create);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *kernel_pfroute_plugin_create()
+{
+	private_kernel_pfroute_plugin_t *this = malloc_thing(private_kernel_pfroute_plugin_t);
+
+	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+
+	hydra->kernel_interface->add_net_interface(hydra->kernel_interface,
+						(kernel_net_constructor_t)kernel_pfroute_net_create);
+
+	return &this->public.plugin;
+}
diff --git a/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_plugin.h b/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_plugin.h
new file mode 100644
index 000000000..b8ee31a1d
--- /dev/null
+++ b/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2009 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup kernel_pfroute kernel_pfroute
+ * @ingroup hplugins
+ *
+ * @defgroup kernel_pfroute_plugin kernel_pfroute_plugin
+ * @{ @ingroup kernel_pfroute
+ */
+
+#ifndef KERNEL_PFROUTE_PLUGIN_H_
+#define KERNEL_PFROUTE_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct kernel_pfroute_plugin_t kernel_pfroute_plugin_t;
+
+/**
+ * PF_ROUTE kernel interface plugin
+ */
+struct kernel_pfroute_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+#endif /** KERNEL_PFROUTE_PLUGIN_H_ @}*/
diff --git a/src/libhydra/plugins/resolve/Makefile.am b/src/libhydra/plugins/resolve/Makefile.am
index f8830d42e..a05c84061 100644
--- a/src/libhydra/plugins/resolve/Makefile.am
+++ b/src/libhydra/plugins/resolve/Makefile.am
@@ -1,6 +1,5 @@
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra
 
 AM_CFLAGS = -rdynamic \
 	-DRESOLV_CONF=\"${resolv_conf}\"
diff --git a/src/libhydra/plugins/resolve/Makefile.in b/src/libhydra/plugins/resolve/Makefile.in
index e16c66923..aedc8fdb7 100644
--- a/src/libhydra/plugins/resolve/Makefile.in
+++ b/src/libhydra/plugins/resolve/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -167,6 +168,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -198,14 +201,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -220,24 +226,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -245,7 +258,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
@@ -257,9 +273,7 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon
-
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra
 AM_CFLAGS = -rdynamic \
 	-DRESOLV_CONF=\"${resolv_conf}\"
 
diff --git a/src/libsimaka/Makefile.in b/src/libsimaka/Makefile.in
index d53df9bb2..0aa509acc 100644
--- a/src/libsimaka/Makefile.in
+++ b/src/libsimaka/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -137,6 +138,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -168,14 +171,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -190,24 +196,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -215,7 +228,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libsimaka/simaka_message.c b/src/libsimaka/simaka_message.c
index e0319e918..3a8f4beaf 100644
--- a/src/libsimaka/simaka_message.c
+++ b/src/libsimaka/simaka_message.c
@@ -741,6 +741,7 @@ static eap_payload_t* generate(private_simaka_message_t *this, chunk_t sigdata)
 
 		crypter = this->crypto->get_crypter(this->crypto);
 		bs = crypter->get_block_size(crypter);
+		iv.len = crypter->get_iv_size(crypter);
 
 		/* add AT_PADDING attribute */
 		padding = bs - ((sizeof(encr_buf) - encr.len) % bs);
@@ -757,15 +758,15 @@ static eap_payload_t* generate(private_simaka_message_t *this, chunk_t sigdata)
 		/* add IV attribute */
 		hdr = (attr_hdr_t*)out.ptr;
 		hdr->type = AT_IV;
-		hdr->length = bs / 4 + 1;
+		hdr->length = iv.len / 4 + 1;
 		memset(out.ptr + 2, 0, 2);
 		out = chunk_skip(out, 4);
 
 		rng = this->crypto->get_rng(this->crypto);
-		rng->get_bytes(rng, bs, out.ptr);
+		rng->get_bytes(rng, iv.len, out.ptr);
 
-		iv = chunk_clonea(chunk_create(out.ptr, bs));
-		out = chunk_skip(out, bs);
+		iv = chunk_clonea(chunk_create(out.ptr, iv.len));
+		out = chunk_skip(out, iv.len);
 
 		/* inline encryption */
 		crypter->encrypt(crypter, encr, iv, NULL);
diff --git a/src/libstrongswan/Android.mk b/src/libstrongswan/Android.mk
index 1931dfa45..431543151 100644
--- a/src/libstrongswan/Android.mk
+++ b/src/libstrongswan/Android.mk
@@ -23,6 +23,7 @@ crypto/signers/signer.c crypto/signers/signer.h \
 crypto/crypto_factory.c crypto/crypto_factory.h \
 crypto/crypto_tester.c crypto/crypto_tester.h \
 crypto/diffie_hellman.c crypto/diffie_hellman.h \
+crypto/aead.c crypto/aead.h \
 crypto/transform.c crypto/transform.h \
 credentials/credential_factory.c credentials/credential_factory.h \
 credentials/builder.c credentials/builder.h \
@@ -43,10 +44,18 @@ credentials/credential_manager.c credentials/credential_manager.h \
 credentials/sets/auth_cfg_wrapper.c credentials/sets/auth_cfg_wrapper.h \
 credentials/sets/ocsp_response_wrapper.c credentials/sets/ocsp_response_wrapper.h \
 credentials/sets/cert_cache.c credentials/sets/cert_cache.h \
+credentials/sets/mem_cred.c credentials/sets/mem_cred.h \
+credentials/sets/callback_cred.c credentials/sets/callback_cred.h \
 credentials/auth_cfg.c credentials/auth_cfg.h credentials/credential_set.h \
 credentials/cert_validator.h \
 database/database.h database/database_factory.h database/database_factory.c \
 fetcher/fetcher.h fetcher/fetcher_manager.h fetcher/fetcher_manager.c \
+eap/eap.h eap/eap.c \
+plugins/plugin_loader.c plugins/plugin_loader.h plugins/plugin.h \
+processing/jobs/job.h \
+processing/jobs/callback_job.c processing/jobs/callback_job.h \
+processing/processor.c processing/processor.h \
+processing/scheduler.c processing/scheduler.h \
 selectors/traffic_selector.c selectors/traffic_selector.h \
 threading/thread.h threading/thread.c \
 threading/thread_value.h threading/thread_value.c \
@@ -62,8 +71,7 @@ utils/linked_list.c utils/linked_list.h \
 utils/hashtable.c utils/hashtable.h \
 utils/enumerator.c utils/enumerator.h \
 utils/optionsfrom.c utils/optionsfrom.h \
-utils/backtrace.c utils/backtrace.h \
-plugins/plugin_loader.c plugins/plugin_loader.h plugins/plugin.h
+utils/backtrace.c utils/backtrace.h
 
 # adding the plugin source files
 
diff --git a/src/libstrongswan/Makefile.am b/src/libstrongswan/Makefile.am
index 3678abd5d..2ab8aa636 100644
--- a/src/libstrongswan/Makefile.am
+++ b/src/libstrongswan/Makefile.am
@@ -21,6 +21,7 @@ crypto/signers/signer.c crypto/signers/signer.h \
 crypto/crypto_factory.c crypto/crypto_factory.h \
 crypto/crypto_tester.c crypto/crypto_tester.h \
 crypto/diffie_hellman.c crypto/diffie_hellman.h \
+crypto/aead.c crypto/aead.h \
 crypto/transform.c crypto/transform.h \
 credentials/credential_factory.c credentials/credential_factory.h \
 credentials/builder.c credentials/builder.h \
@@ -41,10 +42,18 @@ credentials/credential_manager.c credentials/credential_manager.h \
 credentials/sets/auth_cfg_wrapper.c credentials/sets/auth_cfg_wrapper.h \
 credentials/sets/ocsp_response_wrapper.c credentials/sets/ocsp_response_wrapper.h \
 credentials/sets/cert_cache.c credentials/sets/cert_cache.h \
+credentials/sets/mem_cred.c credentials/sets/mem_cred.h \
+credentials/sets/callback_cred.c credentials/sets/callback_cred.h \
 credentials/auth_cfg.c credentials/auth_cfg.h credentials/credential_set.h \
 credentials/cert_validator.h \
 database/database.h database/database_factory.h database/database_factory.c \
 fetcher/fetcher.h fetcher/fetcher_manager.h fetcher/fetcher_manager.c \
+eap/eap.h eap/eap.c \
+plugins/plugin_loader.c plugins/plugin_loader.h plugins/plugin.h \
+processing/jobs/job.h \
+processing/jobs/callback_job.c processing/jobs/callback_job.h \
+processing/processor.c processing/processor.h \
+processing/scheduler.c processing/scheduler.h \
 selectors/traffic_selector.c selectors/traffic_selector.h \
 threading/thread.h threading/thread.c \
 threading/thread_value.h threading/thread_value.c \
@@ -60,8 +69,10 @@ utils/linked_list.c utils/linked_list.h \
 utils/hashtable.c utils/hashtable.h \
 utils/enumerator.c utils/enumerator.h \
 utils/optionsfrom.c utils/optionsfrom.h \
-utils/backtrace.c utils/backtrace.h \
-plugins/plugin_loader.c plugins/plugin_loader.h plugins/plugin.h
+utils/backtrace.c utils/backtrace.h
+
+
+library.lo :	$(top_builddir)/config.status
 
 libstrongswan_la_LIBADD = $(PTHREADLIB) $(DLLIB) $(BTLIB) $(SOCKLIB) $(RTLIB)
 
@@ -314,6 +325,34 @@ if MONOLITHIC
 endif
 endif
 
+if USE_PKCS11
+  SUBDIRS += plugins/pkcs11
+if MONOLITHIC
+  libstrongswan_la_LIBADD += plugins/pkcs11/libstrongswan-pkcs11.la
+endif
+endif
+
+if USE_CTR
+  SUBDIRS += plugins/ctr
+if MONOLITHIC
+  libstrongswan_la_LIBADD += plugins/ctr/libstrongswan-ctr.la
+endif
+endif
+
+if USE_CCM
+  SUBDIRS += plugins/ccm
+if MONOLITHIC
+  libstrongswan_la_LIBADD += plugins/ccm/libstrongswan-ccm.la
+endif
+endif
+
+if USE_GCM
+  SUBDIRS += plugins/gcm
+if MONOLITHIC
+  libstrongswan_la_LIBADD += plugins/gcm/libstrongswan-gcm.la
+endif
+endif
+
 if USE_TEST_VECTORS
   SUBDIRS += plugins/test_vectors
 if MONOLITHIC
diff --git a/src/libstrongswan/Makefile.in b/src/libstrongswan/Makefile.in
index b6dcf6be5..8be6dd9b8 100644
--- a/src/libstrongswan/Makefile.in
+++ b/src/libstrongswan/Makefile.in
@@ -98,8 +98,16 @@ host_triplet = @host@
 @MONOLITHIC_TRUE@@USE_FIPS_PRF_TRUE@am__append_58 = plugins/fips_prf/libstrongswan-fips-prf.la
 @USE_AGENT_TRUE@am__append_59 = plugins/agent
 @MONOLITHIC_TRUE@@USE_AGENT_TRUE@am__append_60 = plugins/agent/libstrongswan-agent.la
-@USE_TEST_VECTORS_TRUE@am__append_61 = plugins/test_vectors
-@MONOLITHIC_TRUE@@USE_TEST_VECTORS_TRUE@am__append_62 = plugins/test_vectors/libstrongswan-test-vectors.la
+@USE_PKCS11_TRUE@am__append_61 = plugins/pkcs11
+@MONOLITHIC_TRUE@@USE_PKCS11_TRUE@am__append_62 = plugins/pkcs11/libstrongswan-pkcs11.la
+@USE_CTR_TRUE@am__append_63 = plugins/ctr
+@MONOLITHIC_TRUE@@USE_CTR_TRUE@am__append_64 = plugins/ctr/libstrongswan-ctr.la
+@USE_CCM_TRUE@am__append_65 = plugins/ccm
+@MONOLITHIC_TRUE@@USE_CCM_TRUE@am__append_66 = plugins/ccm/libstrongswan-ccm.la
+@USE_GCM_TRUE@am__append_67 = plugins/gcm
+@MONOLITHIC_TRUE@@USE_GCM_TRUE@am__append_68 = plugins/gcm/libstrongswan-gcm.la
+@USE_TEST_VECTORS_TRUE@am__append_69 = plugins/test_vectors
+@MONOLITHIC_TRUE@@USE_TEST_VECTORS_TRUE@am__append_70 = plugins/test_vectors/libstrongswan-test-vectors.la
 subdir = src/libstrongswan
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
@@ -110,6 +118,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -152,7 +161,8 @@ libstrongswan_la_DEPENDENCIES = $(am__DEPENDENCIES_1) \
 	$(am__append_42) $(am__append_44) $(am__append_46) \
 	$(am__append_48) $(am__append_50) $(am__append_52) \
 	$(am__append_54) $(am__append_56) $(am__append_58) \
-	$(am__append_60) $(am__append_62)
+	$(am__append_60) $(am__append_62) $(am__append_64) \
+	$(am__append_66) $(am__append_68) $(am__append_70)
 am__libstrongswan_la_SOURCES_DIST = library.c library.h chunk.c \
 	chunk.h debug.c debug.h enum.c enum.h settings.h settings.c \
 	printf_hook.c printf_hook.h asn1/asn1.c asn1/asn1.h \
@@ -166,7 +176,8 @@ am__libstrongswan_la_SOURCES_DIST = library.c library.h chunk.c \
 	crypto/signers/signer.h crypto/crypto_factory.c \
 	crypto/crypto_factory.h crypto/crypto_tester.c \
 	crypto/crypto_tester.h crypto/diffie_hellman.c \
-	crypto/diffie_hellman.h crypto/transform.c crypto/transform.h \
+	crypto/diffie_hellman.h crypto/aead.c crypto/aead.h \
+	crypto/transform.c crypto/transform.h \
 	credentials/credential_factory.c \
 	credentials/credential_factory.h credentials/builder.c \
 	credentials/builder.h credentials/cred_encoding.c \
@@ -193,11 +204,19 @@ am__libstrongswan_la_SOURCES_DIST = library.c library.h chunk.c \
 	credentials/sets/ocsp_response_wrapper.c \
 	credentials/sets/ocsp_response_wrapper.h \
 	credentials/sets/cert_cache.c credentials/sets/cert_cache.h \
-	credentials/auth_cfg.c credentials/auth_cfg.h \
-	credentials/credential_set.h credentials/cert_validator.h \
-	database/database.h database/database_factory.h \
-	database/database_factory.c fetcher/fetcher.h \
-	fetcher/fetcher_manager.h fetcher/fetcher_manager.c \
+	credentials/sets/mem_cred.c credentials/sets/mem_cred.h \
+	credentials/sets/callback_cred.c \
+	credentials/sets/callback_cred.h credentials/auth_cfg.c \
+	credentials/auth_cfg.h credentials/credential_set.h \
+	credentials/cert_validator.h database/database.h \
+	database/database_factory.h database/database_factory.c \
+	fetcher/fetcher.h fetcher/fetcher_manager.h \
+	fetcher/fetcher_manager.c eap/eap.h eap/eap.c \
+	plugins/plugin_loader.c plugins/plugin_loader.h \
+	plugins/plugin.h processing/jobs/job.h \
+	processing/jobs/callback_job.c processing/jobs/callback_job.h \
+	processing/processor.c processing/processor.h \
+	processing/scheduler.c processing/scheduler.h \
 	selectors/traffic_selector.c selectors/traffic_selector.h \
 	threading/thread.h threading/thread.c threading/thread_value.h \
 	threading/thread_value.c threading/mutex.h threading/mutex.c \
@@ -208,27 +227,27 @@ am__libstrongswan_la_SOURCES_DIST = library.c library.h chunk.c \
 	utils/linked_list.c utils/linked_list.h utils/hashtable.c \
 	utils/hashtable.h utils/enumerator.c utils/enumerator.h \
 	utils/optionsfrom.c utils/optionsfrom.h utils/backtrace.c \
-	utils/backtrace.h plugins/plugin_loader.c \
-	plugins/plugin_loader.h plugins/plugin.h \
-	utils/leak_detective.c utils/leak_detective.h \
-	integrity_checker.c integrity_checker.h
+	utils/backtrace.h utils/leak_detective.c \
+	utils/leak_detective.h integrity_checker.c integrity_checker.h
 @USE_LEAK_DETECTIVE_TRUE@am__objects_1 = leak_detective.lo
 @USE_INTEGRITY_TEST_TRUE@am__objects_2 = integrity_checker.lo
 am_libstrongswan_la_OBJECTS = library.lo chunk.lo debug.lo enum.lo \
 	settings.lo printf_hook.lo asn1.lo asn1_parser.lo oid.lo \
 	crypter.lo hasher.lo pkcs9.lo proposal_keywords.lo prf.lo \
 	rng.lo prf_plus.lo signer.lo crypto_factory.lo \
-	crypto_tester.lo diffie_hellman.lo transform.lo \
+	crypto_tester.lo diffie_hellman.lo aead.lo transform.lo \
 	credential_factory.lo builder.lo cred_encoding.lo \
 	private_key.lo public_key.lo shared_key.lo certificate.lo \
 	x509.lo crl.lo ocsp_response.lo ietf_attributes.lo \
 	credential_manager.lo auth_cfg_wrapper.lo \
-	ocsp_response_wrapper.lo cert_cache.lo auth_cfg.lo \
-	database_factory.lo fetcher_manager.lo traffic_selector.lo \
-	thread.lo thread_value.lo mutex.lo rwlock.lo utils.lo host.lo \
+	ocsp_response_wrapper.lo cert_cache.lo mem_cred.lo \
+	callback_cred.lo auth_cfg.lo database_factory.lo \
+	fetcher_manager.lo eap.lo plugin_loader.lo callback_job.lo \
+	processor.lo scheduler.lo traffic_selector.lo thread.lo \
+	thread_value.lo mutex.lo rwlock.lo utils.lo host.lo \
 	identification.lo lexparser.lo linked_list.lo hashtable.lo \
-	enumerator.lo optionsfrom.lo backtrace.lo plugin_loader.lo \
-	$(am__objects_1) $(am__objects_2)
+	enumerator.lo optionsfrom.lo backtrace.lo $(am__objects_1) \
+	$(am__objects_2)
 libstrongswan_la_OBJECTS = $(am_libstrongswan_la_OBJECTS)
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
@@ -265,8 +284,8 @@ DIST_SUBDIRS = . plugins/aes plugins/des plugins/blowfish plugins/md4 \
 	plugins/revocation plugins/pubkey plugins/pkcs1 plugins/pgp \
 	plugins/dnskey plugins/pem plugins/curl plugins/ldap \
 	plugins/mysql plugins/sqlite plugins/padlock plugins/openssl \
-	plugins/gcrypt plugins/fips_prf plugins/agent \
-	plugins/test_vectors
+	plugins/gcrypt plugins/fips_prf plugins/agent plugins/pkcs11 \
+	plugins/ctr plugins/ccm plugins/gcm plugins/test_vectors
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 am__relativize = \
   dir0=`pwd`; \
@@ -358,6 +377,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -389,14 +410,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -411,24 +435,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -436,7 +467,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
@@ -462,7 +496,8 @@ libstrongswan_la_SOURCES = library.c library.h chunk.c chunk.h debug.c \
 	crypto/signers/signer.h crypto/crypto_factory.c \
 	crypto/crypto_factory.h crypto/crypto_tester.c \
 	crypto/crypto_tester.h crypto/diffie_hellman.c \
-	crypto/diffie_hellman.h crypto/transform.c crypto/transform.h \
+	crypto/diffie_hellman.h crypto/aead.c crypto/aead.h \
+	crypto/transform.c crypto/transform.h \
 	credentials/credential_factory.c \
 	credentials/credential_factory.h credentials/builder.c \
 	credentials/builder.h credentials/cred_encoding.c \
@@ -489,11 +524,19 @@ libstrongswan_la_SOURCES = library.c library.h chunk.c chunk.h debug.c \
 	credentials/sets/ocsp_response_wrapper.c \
 	credentials/sets/ocsp_response_wrapper.h \
 	credentials/sets/cert_cache.c credentials/sets/cert_cache.h \
-	credentials/auth_cfg.c credentials/auth_cfg.h \
-	credentials/credential_set.h credentials/cert_validator.h \
-	database/database.h database/database_factory.h \
-	database/database_factory.c fetcher/fetcher.h \
-	fetcher/fetcher_manager.h fetcher/fetcher_manager.c \
+	credentials/sets/mem_cred.c credentials/sets/mem_cred.h \
+	credentials/sets/callback_cred.c \
+	credentials/sets/callback_cred.h credentials/auth_cfg.c \
+	credentials/auth_cfg.h credentials/credential_set.h \
+	credentials/cert_validator.h database/database.h \
+	database/database_factory.h database/database_factory.c \
+	fetcher/fetcher.h fetcher/fetcher_manager.h \
+	fetcher/fetcher_manager.c eap/eap.h eap/eap.c \
+	plugins/plugin_loader.c plugins/plugin_loader.h \
+	plugins/plugin.h processing/jobs/job.h \
+	processing/jobs/callback_job.c processing/jobs/callback_job.h \
+	processing/processor.c processing/processor.h \
+	processing/scheduler.c processing/scheduler.h \
 	selectors/traffic_selector.c selectors/traffic_selector.h \
 	threading/thread.h threading/thread.c threading/thread_value.h \
 	threading/thread_value.c threading/mutex.h threading/mutex.c \
@@ -504,9 +547,7 @@ libstrongswan_la_SOURCES = library.c library.h chunk.c chunk.h debug.c \
 	utils/linked_list.c utils/linked_list.h utils/hashtable.c \
 	utils/hashtable.h utils/enumerator.c utils/enumerator.h \
 	utils/optionsfrom.c utils/optionsfrom.h utils/backtrace.c \
-	utils/backtrace.h plugins/plugin_loader.c \
-	plugins/plugin_loader.h plugins/plugin.h $(am__append_2) \
-	$(am__append_5)
+	utils/backtrace.h $(am__append_2) $(am__append_5)
 libstrongswan_la_LIBADD = $(PTHREADLIB) $(DLLIB) $(BTLIB) $(SOCKLIB) \
 	$(RTLIB) $(am__append_6) $(am__append_8) $(am__append_10) \
 	$(am__append_12) $(am__append_14) $(am__append_16) \
@@ -517,7 +558,8 @@ libstrongswan_la_LIBADD = $(PTHREADLIB) $(DLLIB) $(BTLIB) $(SOCKLIB) \
 	$(am__append_42) $(am__append_44) $(am__append_46) \
 	$(am__append_48) $(am__append_50) $(am__append_52) \
 	$(am__append_54) $(am__append_56) $(am__append_58) \
-	$(am__append_60) $(am__append_62)
+	$(am__append_60) $(am__append_62) $(am__append_64) \
+	$(am__append_66) $(am__append_68) $(am__append_70)
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
 AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" -DPLUGINDIR=\"${plugindir}\" \
 	-DSTRONGSWAN_CONF=\"${strongswan_conf}\" $(am__append_1) \
@@ -548,7 +590,9 @@ $(srcdir)/crypto/proposal/proposal_keywords.c
 @MONOLITHIC_FALSE@	$(am__append_47) $(am__append_49) \
 @MONOLITHIC_FALSE@	$(am__append_51) $(am__append_53) \
 @MONOLITHIC_FALSE@	$(am__append_55) $(am__append_57) \
-@MONOLITHIC_FALSE@	$(am__append_59) $(am__append_61)
+@MONOLITHIC_FALSE@	$(am__append_59) $(am__append_61) \
+@MONOLITHIC_FALSE@	$(am__append_63) $(am__append_65) \
+@MONOLITHIC_FALSE@	$(am__append_67) $(am__append_69)
 
 # build plugins with their own Makefile
 #######################################
@@ -565,7 +609,9 @@ $(srcdir)/crypto/proposal/proposal_keywords.c
 @MONOLITHIC_TRUE@	$(am__append_47) $(am__append_49) \
 @MONOLITHIC_TRUE@	$(am__append_51) $(am__append_53) \
 @MONOLITHIC_TRUE@	$(am__append_55) $(am__append_57) \
-@MONOLITHIC_TRUE@	$(am__append_59) $(am__append_61)
+@MONOLITHIC_TRUE@	$(am__append_59) $(am__append_61) \
+@MONOLITHIC_TRUE@	$(am__append_63) $(am__append_65) \
+@MONOLITHIC_TRUE@	$(am__append_67) $(am__append_69)
 all: $(BUILT_SOURCES)
 	$(MAKE) $(AM_MAKEFLAGS) all-recursive
 
@@ -641,12 +687,15 @@ mostlyclean-compile:
 distclean-compile:
 	-rm -f *.tab.c
 
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/aead.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_parser.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/auth_cfg.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/auth_cfg_wrapper.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/backtrace.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/builder.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/callback_cred.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/callback_job.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cert_cache.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/certificate.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/chunk.Plo@am__quote@
@@ -660,6 +709,7 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/database_factory.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/debug.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/diffie_hellman.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/enum.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/enumerator.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fetcher_manager.Plo@am__quote@
@@ -673,6 +723,7 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/lexparser.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/library.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/linked_list.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mem_cred.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mutex.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ocsp_response.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ocsp_response_wrapper.Plo@am__quote@
@@ -684,10 +735,12 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/prf_plus.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/printf_hook.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/private_key.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/processor.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/proposal_keywords.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/public_key.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rng.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rwlock.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/scheduler.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/settings.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/shared_key.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/signer.Plo@am__quote@
@@ -817,6 +870,13 @@ diffie_hellman.lo: crypto/diffie_hellman.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o diffie_hellman.lo `test -f 'crypto/diffie_hellman.c' || echo '$(srcdir)/'`crypto/diffie_hellman.c
 
+aead.lo: crypto/aead.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT aead.lo -MD -MP -MF $(DEPDIR)/aead.Tpo -c -o aead.lo `test -f 'crypto/aead.c' || echo '$(srcdir)/'`crypto/aead.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/aead.Tpo $(DEPDIR)/aead.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='crypto/aead.c' object='aead.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o aead.lo `test -f 'crypto/aead.c' || echo '$(srcdir)/'`crypto/aead.c
+
 transform.lo: crypto/transform.c
 @am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT transform.lo -MD -MP -MF $(DEPDIR)/transform.Tpo -c -o transform.lo `test -f 'crypto/transform.c' || echo '$(srcdir)/'`crypto/transform.c
 @am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/transform.Tpo $(DEPDIR)/transform.Plo
@@ -929,6 +989,20 @@ cert_cache.lo: credentials/sets/cert_cache.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cert_cache.lo `test -f 'credentials/sets/cert_cache.c' || echo '$(srcdir)/'`credentials/sets/cert_cache.c
 
+mem_cred.lo: credentials/sets/mem_cred.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT mem_cred.lo -MD -MP -MF $(DEPDIR)/mem_cred.Tpo -c -o mem_cred.lo `test -f 'credentials/sets/mem_cred.c' || echo '$(srcdir)/'`credentials/sets/mem_cred.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/mem_cred.Tpo $(DEPDIR)/mem_cred.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='credentials/sets/mem_cred.c' object='mem_cred.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o mem_cred.lo `test -f 'credentials/sets/mem_cred.c' || echo '$(srcdir)/'`credentials/sets/mem_cred.c
+
+callback_cred.lo: credentials/sets/callback_cred.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT callback_cred.lo -MD -MP -MF $(DEPDIR)/callback_cred.Tpo -c -o callback_cred.lo `test -f 'credentials/sets/callback_cred.c' || echo '$(srcdir)/'`credentials/sets/callback_cred.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/callback_cred.Tpo $(DEPDIR)/callback_cred.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='credentials/sets/callback_cred.c' object='callback_cred.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o callback_cred.lo `test -f 'credentials/sets/callback_cred.c' || echo '$(srcdir)/'`credentials/sets/callback_cred.c
+
 auth_cfg.lo: credentials/auth_cfg.c
 @am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT auth_cfg.lo -MD -MP -MF $(DEPDIR)/auth_cfg.Tpo -c -o auth_cfg.lo `test -f 'credentials/auth_cfg.c' || echo '$(srcdir)/'`credentials/auth_cfg.c
 @am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/auth_cfg.Tpo $(DEPDIR)/auth_cfg.Plo
@@ -950,6 +1024,41 @@ fetcher_manager.lo: fetcher/fetcher_manager.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o fetcher_manager.lo `test -f 'fetcher/fetcher_manager.c' || echo '$(srcdir)/'`fetcher/fetcher_manager.c
 
+eap.lo: eap/eap.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT eap.lo -MD -MP -MF $(DEPDIR)/eap.Tpo -c -o eap.lo `test -f 'eap/eap.c' || echo '$(srcdir)/'`eap/eap.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/eap.Tpo $(DEPDIR)/eap.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='eap/eap.c' object='eap.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o eap.lo `test -f 'eap/eap.c' || echo '$(srcdir)/'`eap/eap.c
+
+plugin_loader.lo: plugins/plugin_loader.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT plugin_loader.lo -MD -MP -MF $(DEPDIR)/plugin_loader.Tpo -c -o plugin_loader.lo `test -f 'plugins/plugin_loader.c' || echo '$(srcdir)/'`plugins/plugin_loader.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/plugin_loader.Tpo $(DEPDIR)/plugin_loader.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='plugins/plugin_loader.c' object='plugin_loader.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o plugin_loader.lo `test -f 'plugins/plugin_loader.c' || echo '$(srcdir)/'`plugins/plugin_loader.c
+
+callback_job.lo: processing/jobs/callback_job.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT callback_job.lo -MD -MP -MF $(DEPDIR)/callback_job.Tpo -c -o callback_job.lo `test -f 'processing/jobs/callback_job.c' || echo '$(srcdir)/'`processing/jobs/callback_job.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/callback_job.Tpo $(DEPDIR)/callback_job.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/callback_job.c' object='callback_job.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o callback_job.lo `test -f 'processing/jobs/callback_job.c' || echo '$(srcdir)/'`processing/jobs/callback_job.c
+
+processor.lo: processing/processor.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT processor.lo -MD -MP -MF $(DEPDIR)/processor.Tpo -c -o processor.lo `test -f 'processing/processor.c' || echo '$(srcdir)/'`processing/processor.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/processor.Tpo $(DEPDIR)/processor.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/processor.c' object='processor.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o processor.lo `test -f 'processing/processor.c' || echo '$(srcdir)/'`processing/processor.c
+
+scheduler.lo: processing/scheduler.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT scheduler.lo -MD -MP -MF $(DEPDIR)/scheduler.Tpo -c -o scheduler.lo `test -f 'processing/scheduler.c' || echo '$(srcdir)/'`processing/scheduler.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/scheduler.Tpo $(DEPDIR)/scheduler.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/scheduler.c' object='scheduler.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o scheduler.lo `test -f 'processing/scheduler.c' || echo '$(srcdir)/'`processing/scheduler.c
+
 traffic_selector.lo: selectors/traffic_selector.c
 @am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT traffic_selector.lo -MD -MP -MF $(DEPDIR)/traffic_selector.Tpo -c -o traffic_selector.lo `test -f 'selectors/traffic_selector.c' || echo '$(srcdir)/'`selectors/traffic_selector.c
 @am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/traffic_selector.Tpo $(DEPDIR)/traffic_selector.Plo
@@ -1041,13 +1150,6 @@ backtrace.lo: utils/backtrace.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o backtrace.lo `test -f 'utils/backtrace.c' || echo '$(srcdir)/'`utils/backtrace.c
 
-plugin_loader.lo: plugins/plugin_loader.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT plugin_loader.lo -MD -MP -MF $(DEPDIR)/plugin_loader.Tpo -c -o plugin_loader.lo `test -f 'plugins/plugin_loader.c' || echo '$(srcdir)/'`plugins/plugin_loader.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/plugin_loader.Tpo $(DEPDIR)/plugin_loader.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='plugins/plugin_loader.c' object='plugin_loader.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o plugin_loader.lo `test -f 'plugins/plugin_loader.c' || echo '$(srcdir)/'`plugins/plugin_loader.c
-
 leak_detective.lo: utils/leak_detective.c
 @am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT leak_detective.lo -MD -MP -MF $(DEPDIR)/leak_detective.Tpo -c -o leak_detective.lo `test -f 'utils/leak_detective.c' || echo '$(srcdir)/'`utils/leak_detective.c
 @am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/leak_detective.Tpo $(DEPDIR)/leak_detective.Plo
@@ -1383,6 +1485,8 @@ uninstall-am: uninstall-libLTLIBRARIES
 	uninstall-libLTLIBRARIES
 
 
+library.lo :	$(top_builddir)/config.status
+
 $(srcdir)/asn1/oid.c :	$(srcdir)/asn1/oid.pl $(srcdir)/asn1/oid.txt
 		(cd $(srcdir)/asn1/ && $(PERL) oid.pl)
 
diff --git a/src/libstrongswan/asn1/oid.c b/src/libstrongswan/asn1/oid.c
index 8f91a2e2b..1e5dec8a5 100644
--- a/src/libstrongswan/asn1/oid.c
+++ b/src/libstrongswan/asn1/oid.c
@@ -171,12 +171,12 @@ const oid_t oid_names[] = {
  {              0x02,       159, 0,  7, "ecdsa-with-SHA256"         }, /* 158 */
  {              0x03,       160, 0,  7, "ecdsa-with-SHA384"         }, /* 159 */
  {              0x04,         0, 0,  7, "ecdsa-with-SHA512"         }, /* 160 */
- {0x2B,                     307, 1,  0, ""                          }, /* 161 */
- {  0x06,                   221, 1,  1, "dod"                       }, /* 162 */
+ {0x2B,                     309, 1,  0, ""                          }, /* 161 */
+ {  0x06,                   223, 1,  1, "dod"                       }, /* 162 */
  {    0x01,                   0, 1,  2, "internet"                  }, /* 163 */
- {      0x04,               182, 1,  3, "private"                   }, /* 164 */
+ {      0x04,               183, 1,  3, "private"                   }, /* 164 */
  {        0x01,               0, 1,  4, "enterprise"                }, /* 165 */
- {          0x82,           175, 1,  5, ""                          }, /* 166 */
+ {          0x82,           176, 1,  5, ""                          }, /* 166 */
  {            0x37,           0, 1,  6, "Microsoft"                 }, /* 167 */
  {              0x0A,       172, 1,  7, ""                          }, /* 168 */
  {                0x03,       0, 1,  8, ""                          }, /* 169 */
@@ -184,184 +184,186 @@ const oid_t oid_names[] = {
  {                  0x04,     0, 0,  9, "msEncryptingFileSystem"    }, /* 171 */
  {              0x14,         0, 1,  7, "msEnrollmentInfrastructure"}, /* 172 */
  {                0x02,       0, 1,  8, "msCertificateTypeExtension"}, /* 173 */
- {                  0x02,     0, 0,  9, "msSmartcardLogon"          }, /* 174 */
- {          0x89,             0, 1,  5, ""                          }, /* 175 */
- {            0x31,           0, 1,  6, ""                          }, /* 176 */
- {              0x01,         0, 1,  7, ""                          }, /* 177 */
- {                0x01,       0, 1,  8, ""                          }, /* 178 */
- {                  0x02,     0, 1,  9, ""                          }, /* 179 */
- {                    0x02, 181, 0, 10, ""                          }, /* 180 */
- {                    0x4B,   0, 0, 10, "TCGID"                     }, /* 181 */
- {      0x05,                 0, 1,  3, "security"                  }, /* 182 */
- {        0x05,               0, 1,  4, "mechanisms"                }, /* 183 */
- {          0x07,             0, 1,  5, "id-pkix"                   }, /* 184 */
- {            0x01,         188, 1,  6, "id-pe"                     }, /* 185 */
- {              0x01,       187, 0,  7, "authorityInfoAccess"       }, /* 186 */
- {              0x07,         0, 0,  7, "ipAddrBlocks"              }, /* 187 */
- {            0x02,         191, 1,  6, "id-qt"                     }, /* 188 */
- {              0x01,       190, 0,  7, "cps"                       }, /* 189 */
- {              0x02,         0, 0,  7, "unotice"                   }, /* 190 */
- {            0x03,         201, 1,  6, "id-kp"                     }, /* 191 */
- {              0x01,       193, 0,  7, "serverAuth"                }, /* 192 */
- {              0x02,       194, 0,  7, "clientAuth"                }, /* 193 */
- {              0x03,       195, 0,  7, "codeSigning"               }, /* 194 */
- {              0x04,       196, 0,  7, "emailProtection"           }, /* 195 */
- {              0x05,       197, 0,  7, "ipsecEndSystem"            }, /* 196 */
- {              0x06,       198, 0,  7, "ipsecTunnel"               }, /* 197 */
- {              0x07,       199, 0,  7, "ipsecUser"                 }, /* 198 */
- {              0x08,       200, 0,  7, "timeStamping"              }, /* 199 */
- {              0x09,         0, 0,  7, "ocspSigning"               }, /* 200 */
- {            0x08,         203, 1,  6, "id-otherNames"             }, /* 201 */
- {              0x05,         0, 0,  7, "xmppAddr"                  }, /* 202 */
- {            0x0A,         208, 1,  6, "id-aca"                    }, /* 203 */
- {              0x01,       205, 0,  7, "authenticationInfo"        }, /* 204 */
- {              0x02,       206, 0,  7, "accessIdentity"            }, /* 205 */
- {              0x03,       207, 0,  7, "chargingIdentity"          }, /* 206 */
- {              0x04,         0, 0,  7, "group"                     }, /* 207 */
- {            0x0B,         209, 0,  6, "subjectInfoAccess"         }, /* 208 */
- {            0x30,           0, 1,  6, "id-ad"                     }, /* 209 */
- {              0x01,       218, 1,  7, "ocsp"                      }, /* 210 */
- {                0x01,     212, 0,  8, "basic"                     }, /* 211 */
- {                0x02,     213, 0,  8, "nonce"                     }, /* 212 */
- {                0x03,     214, 0,  8, "crl"                       }, /* 213 */
- {                0x04,     215, 0,  8, "response"                  }, /* 214 */
- {                0x05,     216, 0,  8, "noCheck"                   }, /* 215 */
- {                0x06,     217, 0,  8, "archiveCutoff"             }, /* 216 */
- {                0x07,       0, 0,  8, "serviceLocator"            }, /* 217 */
- {              0x02,       219, 0,  7, "caIssuers"                 }, /* 218 */
- {              0x03,       220, 0,  7, "timeStamping"              }, /* 219 */
- {              0x05,         0, 0,  7, "caRepository"              }, /* 220 */
- {  0x0E,                   227, 1,  1, "oiw"                       }, /* 221 */
- {    0x03,                   0, 1,  2, "secsig"                    }, /* 222 */
- {      0x02,                 0, 1,  3, "algorithms"                }, /* 223 */
- {        0x07,             225, 0,  4, "des-cbc"                   }, /* 224 */
- {        0x1A,             226, 0,  4, "sha-1"                     }, /* 225 */
- {        0x1D,               0, 0,  4, "sha-1WithRSASignature"     }, /* 226 */
- {  0x24,                   273, 1,  1, "TeleTrusT"                 }, /* 227 */
- {    0x03,                   0, 1,  2, "algorithm"                 }, /* 228 */
- {      0x03,                 0, 1,  3, "signatureAlgorithm"        }, /* 229 */
- {        0x01,             234, 1,  4, "rsaSignature"              }, /* 230 */
- {          0x02,           232, 0,  5, "rsaSigWithripemd160"       }, /* 231 */
- {          0x03,           233, 0,  5, "rsaSigWithripemd128"       }, /* 232 */
- {          0x04,             0, 0,  5, "rsaSigWithripemd256"       }, /* 233 */
- {        0x02,               0, 1,  4, "ecSign"                    }, /* 234 */
- {          0x01,           236, 0,  5, "ecSignWithsha1"            }, /* 235 */
- {          0x02,           237, 0,  5, "ecSignWithripemd160"       }, /* 236 */
- {          0x03,           238, 0,  5, "ecSignWithmd2"             }, /* 237 */
- {          0x04,           239, 0,  5, "ecSignWithmd5"             }, /* 238 */
- {          0x05,           256, 1,  5, "ttt-ecg"                   }, /* 239 */
- {            0x01,         244, 1,  6, "fieldType"                 }, /* 240 */
- {              0x01,         0, 1,  7, "characteristictwoField"    }, /* 241 */
- {                0x01,       0, 1,  8, "basisType"                 }, /* 242 */
- {                  0x01,     0, 0,  9, "ipBasis"                   }, /* 243 */
- {            0x02,         246, 1,  6, "keyType"                   }, /* 244 */
- {              0x01,         0, 0,  7, "ecgPublicKey"              }, /* 245 */
- {            0x03,         247, 0,  6, "curve"                     }, /* 246 */
- {            0x04,         254, 1,  6, "signatures"                }, /* 247 */
- {              0x01,       249, 0,  7, "ecgdsa-with-RIPEMD160"     }, /* 248 */
- {              0x02,       250, 0,  7, "ecgdsa-with-SHA1"          }, /* 249 */
- {              0x03,       251, 0,  7, "ecgdsa-with-SHA224"        }, /* 250 */
- {              0x04,       252, 0,  7, "ecgdsa-with-SHA256"        }, /* 251 */
- {              0x05,       253, 0,  7, "ecgdsa-with-SHA384"        }, /* 252 */
- {              0x06,         0, 0,  7, "ecgdsa-with-SHA512"        }, /* 253 */
- {            0x05,           0, 1,  6, "module"                    }, /* 254 */
- {              0x01,         0, 0,  7, "1"                         }, /* 255 */
- {          0x08,             0, 1,  5, "ecStdCurvesAndGeneration"  }, /* 256 */
- {            0x01,           0, 1,  6, "ellipticCurve"             }, /* 257 */
- {              0x01,         0, 1,  7, "versionOne"                }, /* 258 */
- {                0x01,     260, 0,  8, "brainpoolP160r1"           }, /* 259 */
- {                0x02,     261, 0,  8, "brainpoolP160t1"           }, /* 260 */
- {                0x03,     262, 0,  8, "brainpoolP192r1"           }, /* 261 */
- {                0x04,     263, 0,  8, "brainpoolP192t1"           }, /* 262 */
- {                0x05,     264, 0,  8, "brainpoolP224r1"           }, /* 263 */
- {                0x06,     265, 0,  8, "brainpoolP224t1"           }, /* 264 */
- {                0x07,     266, 0,  8, "brainpoolP256r1"           }, /* 265 */
- {                0x08,     267, 0,  8, "brainpoolP256t1"           }, /* 266 */
- {                0x09,     268, 0,  8, "brainpoolP320r1"           }, /* 267 */
- {                0x0A,     269, 0,  8, "brainpoolP320t1"           }, /* 268 */
- {                0x0B,     270, 0,  8, "brainpoolP384r1"           }, /* 269 */
- {                0x0C,     271, 0,  8, "brainpoolP384t1"           }, /* 270 */
- {                0x0D,     272, 0,  8, "brainpoolP512r1"           }, /* 271 */
- {                0x0E,       0, 0,  8, "brainpoolP512t1"           }, /* 272 */
- {  0x81,                     0, 1,  1, ""                          }, /* 273 */
- {    0x04,                   0, 1,  2, "Certicom"                  }, /* 274 */
- {      0x00,                 0, 1,  3, "curve"                     }, /* 275 */
- {        0x01,             277, 0,  4, "sect163k1"                 }, /* 276 */
- {        0x02,             278, 0,  4, "sect163r1"                 }, /* 277 */
- {        0x03,             279, 0,  4, "sect239k1"                 }, /* 278 */
- {        0x04,             280, 0,  4, "sect113r1"                 }, /* 279 */
- {        0x05,             281, 0,  4, "sect113r2"                 }, /* 280 */
- {        0x06,             282, 0,  4, "secp112r1"                 }, /* 281 */
- {        0x07,             283, 0,  4, "secp112r2"                 }, /* 282 */
- {        0x08,             284, 0,  4, "secp160r1"                 }, /* 283 */
- {        0x09,             285, 0,  4, "secp160k1"                 }, /* 284 */
- {        0x0A,             286, 0,  4, "secp256k1"                 }, /* 285 */
- {        0x0F,             287, 0,  4, "sect163r2"                 }, /* 286 */
- {        0x10,             288, 0,  4, "sect283k1"                 }, /* 287 */
- {        0x11,             289, 0,  4, "sect283r1"                 }, /* 288 */
- {        0x16,             290, 0,  4, "sect131r1"                 }, /* 289 */
- {        0x17,             291, 0,  4, "sect131r2"                 }, /* 290 */
- {        0x18,             292, 0,  4, "sect193r1"                 }, /* 291 */
- {        0x19,             293, 0,  4, "sect193r2"                 }, /* 292 */
- {        0x1A,             294, 0,  4, "sect233k1"                 }, /* 293 */
- {        0x1B,             295, 0,  4, "sect233r1"                 }, /* 294 */
- {        0x1C,             296, 0,  4, "secp128r1"                 }, /* 295 */
- {        0x1D,             297, 0,  4, "secp128r2"                 }, /* 296 */
- {        0x1E,             298, 0,  4, "secp160r2"                 }, /* 297 */
- {        0x1F,             299, 0,  4, "secp192k1"                 }, /* 298 */
- {        0x20,             300, 0,  4, "secp224k1"                 }, /* 299 */
- {        0x21,             301, 0,  4, "secp224r1"                 }, /* 300 */
- {        0x22,             302, 0,  4, "secp384r1"                 }, /* 301 */
- {        0x23,             303, 0,  4, "secp521r1"                 }, /* 302 */
- {        0x24,             304, 0,  4, "sect409k1"                 }, /* 303 */
- {        0x25,             305, 0,  4, "sect409r1"                 }, /* 304 */
- {        0x26,             306, 0,  4, "sect571k1"                 }, /* 305 */
- {        0x27,               0, 0,  4, "sect571r1"                 }, /* 306 */
- {0x60,                       0, 1,  0, ""                          }, /* 307 */
- {  0x86,                     0, 1,  1, ""                          }, /* 308 */
- {    0x48,                   0, 1,  2, ""                          }, /* 309 */
- {      0x01,                 0, 1,  3, "organization"              }, /* 310 */
- {        0x65,             329, 1,  4, "gov"                       }, /* 311 */
- {          0x03,             0, 1,  5, "csor"                      }, /* 312 */
- {            0x04,           0, 1,  6, "nistalgorithm"             }, /* 313 */
- {              0x01,       324, 1,  7, "aes"                       }, /* 314 */
- {                0x02,     316, 0,  8, "id-aes128-CBC"             }, /* 315 */
- {                0x06,     317, 0,  8, "id-aes128-GCM"             }, /* 316 */
- {                0x07,     318, 0,  8, "id-aes128-CCM"             }, /* 317 */
- {                0x16,     319, 0,  8, "id-aes192-CBC"             }, /* 318 */
- {                0x1A,     320, 0,  8, "id-aes192-GCM"             }, /* 319 */
- {                0x1B,     321, 0,  8, "id-aes192-CCM"             }, /* 320 */
- {                0x2A,     322, 0,  8, "id-aes256-CBC"             }, /* 321 */
- {                0x2E,     323, 0,  8, "id-aes256-GCM"             }, /* 322 */
- {                0x2F,       0, 0,  8, "id-aes256-CCM"             }, /* 323 */
- {              0x02,         0, 1,  7, "hashalgs"                  }, /* 324 */
- {                0x01,     326, 0,  8, "id-SHA-256"                }, /* 325 */
- {                0x02,     327, 0,  8, "id-SHA-384"                }, /* 326 */
- {                0x03,     328, 0,  8, "id-SHA-512"                }, /* 327 */
- {                0x04,       0, 0,  8, "id-SHA-224"                }, /* 328 */
- {        0x86,               0, 1,  4, ""                          }, /* 329 */
- {          0xf8,             0, 1,  5, ""                          }, /* 330 */
- {            0x42,         343, 1,  6, "netscape"                  }, /* 331 */
- {              0x01,       338, 1,  7, ""                          }, /* 332 */
- {                0x01,     334, 0,  8, "nsCertType"                }, /* 333 */
- {                0x03,     335, 0,  8, "nsRevocationUrl"           }, /* 334 */
- {                0x04,     336, 0,  8, "nsCaRevocationUrl"         }, /* 335 */
- {                0x08,     337, 0,  8, "nsCaPolicyUrl"             }, /* 336 */
- {                0x0d,       0, 0,  8, "nsComment"                 }, /* 337 */
- {              0x03,       341, 1,  7, "directory"                 }, /* 338 */
- {                0x01,       0, 1,  8, ""                          }, /* 339 */
- {                  0x03,     0, 0,  9, "employeeNumber"            }, /* 340 */
- {              0x04,         0, 1,  7, "policy"                    }, /* 341 */
- {                0x01,       0, 0,  8, "nsSGC"                     }, /* 342 */
- {            0x45,           0, 1,  6, "verisign"                  }, /* 343 */
- {              0x01,         0, 1,  7, "pki"                       }, /* 344 */
- {                0x09,       0, 1,  8, "attributes"                }, /* 345 */
- {                  0x02,   347, 0,  9, "messageType"               }, /* 346 */
- {                  0x03,   348, 0,  9, "pkiStatus"                 }, /* 347 */
- {                  0x04,   349, 0,  9, "failInfo"                  }, /* 348 */
- {                  0x05,   350, 0,  9, "senderNonce"               }, /* 349 */
- {                  0x06,   351, 0,  9, "recipientNonce"            }, /* 350 */
- {                  0x07,   352, 0,  9, "transID"                   }, /* 351 */
- {                  0x08,   353, 0,  9, "extensionReq"              }, /* 352 */
- {                  0x08,     0, 0,  9, "extensionReq"              }  /* 353 */
+ {                  0x02,   175, 0,  9, "msSmartcardLogon"          }, /* 174 */
+ {                  0x03,     0, 0,  9, "msUPN"                     }, /* 175 */
+ {          0x89,             0, 1,  5, ""                          }, /* 176 */
+ {            0x31,           0, 1,  6, ""                          }, /* 177 */
+ {              0x01,         0, 1,  7, ""                          }, /* 178 */
+ {                0x01,       0, 1,  8, ""                          }, /* 179 */
+ {                  0x02,     0, 1,  9, ""                          }, /* 180 */
+ {                    0x02, 182, 0, 10, ""                          }, /* 181 */
+ {                    0x4B,   0, 0, 10, "TCGID"                     }, /* 182 */
+ {      0x05,                 0, 1,  3, "security"                  }, /* 183 */
+ {        0x05,               0, 1,  4, "mechanisms"                }, /* 184 */
+ {          0x07,             0, 1,  5, "id-pkix"                   }, /* 185 */
+ {            0x01,         190, 1,  6, "id-pe"                     }, /* 186 */
+ {              0x01,       188, 0,  7, "authorityInfoAccess"       }, /* 187 */
+ {              0x03,       189, 0,  7, "qcStatements"              }, /* 188 */
+ {              0x07,         0, 0,  7, "ipAddrBlocks"              }, /* 189 */
+ {            0x02,         193, 1,  6, "id-qt"                     }, /* 190 */
+ {              0x01,       192, 0,  7, "cps"                       }, /* 191 */
+ {              0x02,         0, 0,  7, "unotice"                   }, /* 192 */
+ {            0x03,         203, 1,  6, "id-kp"                     }, /* 193 */
+ {              0x01,       195, 0,  7, "serverAuth"                }, /* 194 */
+ {              0x02,       196, 0,  7, "clientAuth"                }, /* 195 */
+ {              0x03,       197, 0,  7, "codeSigning"               }, /* 196 */
+ {              0x04,       198, 0,  7, "emailProtection"           }, /* 197 */
+ {              0x05,       199, 0,  7, "ipsecEndSystem"            }, /* 198 */
+ {              0x06,       200, 0,  7, "ipsecTunnel"               }, /* 199 */
+ {              0x07,       201, 0,  7, "ipsecUser"                 }, /* 200 */
+ {              0x08,       202, 0,  7, "timeStamping"              }, /* 201 */
+ {              0x09,         0, 0,  7, "ocspSigning"               }, /* 202 */
+ {            0x08,         205, 1,  6, "id-otherNames"             }, /* 203 */
+ {              0x05,         0, 0,  7, "xmppAddr"                  }, /* 204 */
+ {            0x0A,         210, 1,  6, "id-aca"                    }, /* 205 */
+ {              0x01,       207, 0,  7, "authenticationInfo"        }, /* 206 */
+ {              0x02,       208, 0,  7, "accessIdentity"            }, /* 207 */
+ {              0x03,       209, 0,  7, "chargingIdentity"          }, /* 208 */
+ {              0x04,         0, 0,  7, "group"                     }, /* 209 */
+ {            0x0B,         211, 0,  6, "subjectInfoAccess"         }, /* 210 */
+ {            0x30,           0, 1,  6, "id-ad"                     }, /* 211 */
+ {              0x01,       220, 1,  7, "ocsp"                      }, /* 212 */
+ {                0x01,     214, 0,  8, "basic"                     }, /* 213 */
+ {                0x02,     215, 0,  8, "nonce"                     }, /* 214 */
+ {                0x03,     216, 0,  8, "crl"                       }, /* 215 */
+ {                0x04,     217, 0,  8, "response"                  }, /* 216 */
+ {                0x05,     218, 0,  8, "noCheck"                   }, /* 217 */
+ {                0x06,     219, 0,  8, "archiveCutoff"             }, /* 218 */
+ {                0x07,       0, 0,  8, "serviceLocator"            }, /* 219 */
+ {              0x02,       221, 0,  7, "caIssuers"                 }, /* 220 */
+ {              0x03,       222, 0,  7, "timeStamping"              }, /* 221 */
+ {              0x05,         0, 0,  7, "caRepository"              }, /* 222 */
+ {  0x0E,                   229, 1,  1, "oiw"                       }, /* 223 */
+ {    0x03,                   0, 1,  2, "secsig"                    }, /* 224 */
+ {      0x02,                 0, 1,  3, "algorithms"                }, /* 225 */
+ {        0x07,             227, 0,  4, "des-cbc"                   }, /* 226 */
+ {        0x1A,             228, 0,  4, "sha-1"                     }, /* 227 */
+ {        0x1D,               0, 0,  4, "sha-1WithRSASignature"     }, /* 228 */
+ {  0x24,                   275, 1,  1, "TeleTrusT"                 }, /* 229 */
+ {    0x03,                   0, 1,  2, "algorithm"                 }, /* 230 */
+ {      0x03,                 0, 1,  3, "signatureAlgorithm"        }, /* 231 */
+ {        0x01,             236, 1,  4, "rsaSignature"              }, /* 232 */
+ {          0x02,           234, 0,  5, "rsaSigWithripemd160"       }, /* 233 */
+ {          0x03,           235, 0,  5, "rsaSigWithripemd128"       }, /* 234 */
+ {          0x04,             0, 0,  5, "rsaSigWithripemd256"       }, /* 235 */
+ {        0x02,               0, 1,  4, "ecSign"                    }, /* 236 */
+ {          0x01,           238, 0,  5, "ecSignWithsha1"            }, /* 237 */
+ {          0x02,           239, 0,  5, "ecSignWithripemd160"       }, /* 238 */
+ {          0x03,           240, 0,  5, "ecSignWithmd2"             }, /* 239 */
+ {          0x04,           241, 0,  5, "ecSignWithmd5"             }, /* 240 */
+ {          0x05,           258, 1,  5, "ttt-ecg"                   }, /* 241 */
+ {            0x01,         246, 1,  6, "fieldType"                 }, /* 242 */
+ {              0x01,         0, 1,  7, "characteristictwoField"    }, /* 243 */
+ {                0x01,       0, 1,  8, "basisType"                 }, /* 244 */
+ {                  0x01,     0, 0,  9, "ipBasis"                   }, /* 245 */
+ {            0x02,         248, 1,  6, "keyType"                   }, /* 246 */
+ {              0x01,         0, 0,  7, "ecgPublicKey"              }, /* 247 */
+ {            0x03,         249, 0,  6, "curve"                     }, /* 248 */
+ {            0x04,         256, 1,  6, "signatures"                }, /* 249 */
+ {              0x01,       251, 0,  7, "ecgdsa-with-RIPEMD160"     }, /* 250 */
+ {              0x02,       252, 0,  7, "ecgdsa-with-SHA1"          }, /* 251 */
+ {              0x03,       253, 0,  7, "ecgdsa-with-SHA224"        }, /* 252 */
+ {              0x04,       254, 0,  7, "ecgdsa-with-SHA256"        }, /* 253 */
+ {              0x05,       255, 0,  7, "ecgdsa-with-SHA384"        }, /* 254 */
+ {              0x06,         0, 0,  7, "ecgdsa-with-SHA512"        }, /* 255 */
+ {            0x05,           0, 1,  6, "module"                    }, /* 256 */
+ {              0x01,         0, 0,  7, "1"                         }, /* 257 */
+ {          0x08,             0, 1,  5, "ecStdCurvesAndGeneration"  }, /* 258 */
+ {            0x01,           0, 1,  6, "ellipticCurve"             }, /* 259 */
+ {              0x01,         0, 1,  7, "versionOne"                }, /* 260 */
+ {                0x01,     262, 0,  8, "brainpoolP160r1"           }, /* 261 */
+ {                0x02,     263, 0,  8, "brainpoolP160t1"           }, /* 262 */
+ {                0x03,     264, 0,  8, "brainpoolP192r1"           }, /* 263 */
+ {                0x04,     265, 0,  8, "brainpoolP192t1"           }, /* 264 */
+ {                0x05,     266, 0,  8, "brainpoolP224r1"           }, /* 265 */
+ {                0x06,     267, 0,  8, "brainpoolP224t1"           }, /* 266 */
+ {                0x07,     268, 0,  8, "brainpoolP256r1"           }, /* 267 */
+ {                0x08,     269, 0,  8, "brainpoolP256t1"           }, /* 268 */
+ {                0x09,     270, 0,  8, "brainpoolP320r1"           }, /* 269 */
+ {                0x0A,     271, 0,  8, "brainpoolP320t1"           }, /* 270 */
+ {                0x0B,     272, 0,  8, "brainpoolP384r1"           }, /* 271 */
+ {                0x0C,     273, 0,  8, "brainpoolP384t1"           }, /* 272 */
+ {                0x0D,     274, 0,  8, "brainpoolP512r1"           }, /* 273 */
+ {                0x0E,       0, 0,  8, "brainpoolP512t1"           }, /* 274 */
+ {  0x81,                     0, 1,  1, ""                          }, /* 275 */
+ {    0x04,                   0, 1,  2, "Certicom"                  }, /* 276 */
+ {      0x00,                 0, 1,  3, "curve"                     }, /* 277 */
+ {        0x01,             279, 0,  4, "sect163k1"                 }, /* 278 */
+ {        0x02,             280, 0,  4, "sect163r1"                 }, /* 279 */
+ {        0x03,             281, 0,  4, "sect239k1"                 }, /* 280 */
+ {        0x04,             282, 0,  4, "sect113r1"                 }, /* 281 */
+ {        0x05,             283, 0,  4, "sect113r2"                 }, /* 282 */
+ {        0x06,             284, 0,  4, "secp112r1"                 }, /* 283 */
+ {        0x07,             285, 0,  4, "secp112r2"                 }, /* 284 */
+ {        0x08,             286, 0,  4, "secp160r1"                 }, /* 285 */
+ {        0x09,             287, 0,  4, "secp160k1"                 }, /* 286 */
+ {        0x0A,             288, 0,  4, "secp256k1"                 }, /* 287 */
+ {        0x0F,             289, 0,  4, "sect163r2"                 }, /* 288 */
+ {        0x10,             290, 0,  4, "sect283k1"                 }, /* 289 */
+ {        0x11,             291, 0,  4, "sect283r1"                 }, /* 290 */
+ {        0x16,             292, 0,  4, "sect131r1"                 }, /* 291 */
+ {        0x17,             293, 0,  4, "sect131r2"                 }, /* 292 */
+ {        0x18,             294, 0,  4, "sect193r1"                 }, /* 293 */
+ {        0x19,             295, 0,  4, "sect193r2"                 }, /* 294 */
+ {        0x1A,             296, 0,  4, "sect233k1"                 }, /* 295 */
+ {        0x1B,             297, 0,  4, "sect233r1"                 }, /* 296 */
+ {        0x1C,             298, 0,  4, "secp128r1"                 }, /* 297 */
+ {        0x1D,             299, 0,  4, "secp128r2"                 }, /* 298 */
+ {        0x1E,             300, 0,  4, "secp160r2"                 }, /* 299 */
+ {        0x1F,             301, 0,  4, "secp192k1"                 }, /* 300 */
+ {        0x20,             302, 0,  4, "secp224k1"                 }, /* 301 */
+ {        0x21,             303, 0,  4, "secp224r1"                 }, /* 302 */
+ {        0x22,             304, 0,  4, "secp384r1"                 }, /* 303 */
+ {        0x23,             305, 0,  4, "secp521r1"                 }, /* 304 */
+ {        0x24,             306, 0,  4, "sect409k1"                 }, /* 305 */
+ {        0x25,             307, 0,  4, "sect409r1"                 }, /* 306 */
+ {        0x26,             308, 0,  4, "sect571k1"                 }, /* 307 */
+ {        0x27,               0, 0,  4, "sect571r1"                 }, /* 308 */
+ {0x60,                       0, 1,  0, ""                          }, /* 309 */
+ {  0x86,                     0, 1,  1, ""                          }, /* 310 */
+ {    0x48,                   0, 1,  2, ""                          }, /* 311 */
+ {      0x01,                 0, 1,  3, "organization"              }, /* 312 */
+ {        0x65,             331, 1,  4, "gov"                       }, /* 313 */
+ {          0x03,             0, 1,  5, "csor"                      }, /* 314 */
+ {            0x04,           0, 1,  6, "nistalgorithm"             }, /* 315 */
+ {              0x01,       326, 1,  7, "aes"                       }, /* 316 */
+ {                0x02,     318, 0,  8, "id-aes128-CBC"             }, /* 317 */
+ {                0x06,     319, 0,  8, "id-aes128-GCM"             }, /* 318 */
+ {                0x07,     320, 0,  8, "id-aes128-CCM"             }, /* 319 */
+ {                0x16,     321, 0,  8, "id-aes192-CBC"             }, /* 320 */
+ {                0x1A,     322, 0,  8, "id-aes192-GCM"             }, /* 321 */
+ {                0x1B,     323, 0,  8, "id-aes192-CCM"             }, /* 322 */
+ {                0x2A,     324, 0,  8, "id-aes256-CBC"             }, /* 323 */
+ {                0x2E,     325, 0,  8, "id-aes256-GCM"             }, /* 324 */
+ {                0x2F,       0, 0,  8, "id-aes256-CCM"             }, /* 325 */
+ {              0x02,         0, 1,  7, "hashalgs"                  }, /* 326 */
+ {                0x01,     328, 0,  8, "id-SHA-256"                }, /* 327 */
+ {                0x02,     329, 0,  8, "id-SHA-384"                }, /* 328 */
+ {                0x03,     330, 0,  8, "id-SHA-512"                }, /* 329 */
+ {                0x04,       0, 0,  8, "id-SHA-224"                }, /* 330 */
+ {        0x86,               0, 1,  4, ""                          }, /* 331 */
+ {          0xf8,             0, 1,  5, ""                          }, /* 332 */
+ {            0x42,         345, 1,  6, "netscape"                  }, /* 333 */
+ {              0x01,       340, 1,  7, ""                          }, /* 334 */
+ {                0x01,     336, 0,  8, "nsCertType"                }, /* 335 */
+ {                0x03,     337, 0,  8, "nsRevocationUrl"           }, /* 336 */
+ {                0x04,     338, 0,  8, "nsCaRevocationUrl"         }, /* 337 */
+ {                0x08,     339, 0,  8, "nsCaPolicyUrl"             }, /* 338 */
+ {                0x0d,       0, 0,  8, "nsComment"                 }, /* 339 */
+ {              0x03,       343, 1,  7, "directory"                 }, /* 340 */
+ {                0x01,       0, 1,  8, ""                          }, /* 341 */
+ {                  0x03,     0, 0,  9, "employeeNumber"            }, /* 342 */
+ {              0x04,         0, 1,  7, "policy"                    }, /* 343 */
+ {                0x01,       0, 0,  8, "nsSGC"                     }, /* 344 */
+ {            0x45,           0, 1,  6, "verisign"                  }, /* 345 */
+ {              0x01,         0, 1,  7, "pki"                       }, /* 346 */
+ {                0x09,       0, 1,  8, "attributes"                }, /* 347 */
+ {                  0x02,   349, 0,  9, "messageType"               }, /* 348 */
+ {                  0x03,   350, 0,  9, "pkiStatus"                 }, /* 349 */
+ {                  0x04,   351, 0,  9, "failInfo"                  }, /* 350 */
+ {                  0x05,   352, 0,  9, "senderNonce"               }, /* 351 */
+ {                  0x06,   353, 0,  9, "recipientNonce"            }, /* 352 */
+ {                  0x07,   354, 0,  9, "transID"                   }, /* 353 */
+ {                  0x08,   355, 0,  9, "extensionReq"              }, /* 354 */
+ {                  0x08,     0, 0,  9, "extensionReq"              }  /* 355 */
 };
diff --git a/src/libstrongswan/asn1/oid.h b/src/libstrongswan/asn1/oid.h
index aa1fd31b0..16c9e854b 100644
--- a/src/libstrongswan/asn1/oid.h
+++ b/src/libstrongswan/asn1/oid.h
@@ -116,92 +116,93 @@ extern const oid_t oid_names[];
 #define OID_ECDSA_WITH_SHA256				158
 #define OID_ECDSA_WITH_SHA384				159
 #define OID_ECDSA_WITH_SHA512				160
-#define OID_TCGID							181
-#define OID_AUTHORITY_INFO_ACCESS			186
-#define OID_IP_ADDR_BLOCKS					187
-#define OID_SERVER_AUTH						192
-#define OID_CLIENT_AUTH						193
-#define OID_OCSP_SIGNING					200
-#define OID_XMPP_ADDR						202
-#define OID_AUTHENTICATION_INFO				204
-#define OID_ACCESS_IDENTITY					205
-#define OID_CHARGING_IDENTITY				206
-#define OID_GROUP							207
-#define OID_OCSP							210
-#define OID_BASIC							211
-#define OID_NONCE							212
-#define OID_CRL								213
-#define OID_RESPONSE						214
-#define OID_NO_CHECK						215
-#define OID_ARCHIVE_CUTOFF					216
-#define OID_SERVICE_LOCATOR					217
-#define OID_CA_ISSUERS						218
-#define OID_DES_CBC							224
-#define OID_SHA1							225
-#define OID_SHA1_WITH_RSA_OIW				226
-#define OID_ECGDSA_PUBKEY					245
-#define OID_ECGDSA_SIG_WITH_RIPEMD160		248
-#define OID_ECGDSA_SIG_WITH_SHA1			249
-#define OID_ECGDSA_SIG_WITH_SHA224			250
-#define OID_ECGDSA_SIG_WITH_SHA256			251
-#define OID_ECGDSA_SIG_WITH_SHA384			252
-#define OID_ECGDSA_SIG_WITH_SHA512			253
-#define OID_SECT163K1						276
-#define OID_SECT163R1						277
-#define OID_SECT239K1						278
-#define OID_SECT113R1						279
-#define OID_SECT113R2						280
-#define OID_SECT112R1						281
-#define OID_SECT112R2						282
-#define OID_SECT160R1						283
-#define OID_SECT160K1						284
-#define OID_SECT256K1						285
-#define OID_SECT163R2						286
-#define OID_SECT283K1						287
-#define OID_SECT283R1						288
-#define OID_SECT131R1						289
-#define OID_SECT131R2						290
-#define OID_SECT193R1						291
-#define OID_SECT193R2						292
-#define OID_SECT233K1						293
-#define OID_SECT233R1						294
-#define OID_SECT128R1						295
-#define OID_SECT128R2						296
-#define OID_SECT160R2						297
-#define OID_SECT192K1						298
-#define OID_SECT224K1						299
-#define OID_SECT224R1						300
-#define OID_SECT384R1						301
-#define OID_SECT521R1						302
-#define OID_SECT409K1						303
-#define OID_SECT409R1						304
-#define OID_SECT571K1						305
-#define OID_SECT571R1						306
-#define OID_AES128_CBC						315
-#define OID_AES128_GCM						316
-#define OID_AES128_CCM						317
-#define OID_AES192_CBC						318
-#define OID_AES192_GCM						319
-#define OID_AES192_CCM						320
-#define OID_AES256_CBC						321
-#define OID_AES256_GCM						322
-#define OID_AES256_CCM						323
-#define OID_SHA256							325
-#define OID_SHA384							326
-#define OID_SHA512							327
-#define OID_SHA224							328
-#define OID_NS_REVOCATION_URL				334
-#define OID_NS_CA_REVOCATION_URL			335
-#define OID_NS_CA_POLICY_URL				336
-#define OID_NS_COMMENT						337
-#define OID_EMPLOYEE_NUMBER					340
-#define OID_PKI_MESSAGE_TYPE				346
-#define OID_PKI_STATUS						347
-#define OID_PKI_FAIL_INFO					348
-#define OID_PKI_SENDER_NONCE				349
-#define OID_PKI_RECIPIENT_NONCE				350
-#define OID_PKI_TRANS_ID					351
+#define OID_USER_PRINCIPAL_NAME				175
+#define OID_TCGID							182
+#define OID_AUTHORITY_INFO_ACCESS			187
+#define OID_IP_ADDR_BLOCKS					189
+#define OID_SERVER_AUTH						194
+#define OID_CLIENT_AUTH						195
+#define OID_OCSP_SIGNING					202
+#define OID_XMPP_ADDR						204
+#define OID_AUTHENTICATION_INFO				206
+#define OID_ACCESS_IDENTITY					207
+#define OID_CHARGING_IDENTITY				208
+#define OID_GROUP							209
+#define OID_OCSP							212
+#define OID_BASIC							213
+#define OID_NONCE							214
+#define OID_CRL								215
+#define OID_RESPONSE						216
+#define OID_NO_CHECK						217
+#define OID_ARCHIVE_CUTOFF					218
+#define OID_SERVICE_LOCATOR					219
+#define OID_CA_ISSUERS						220
+#define OID_DES_CBC							226
+#define OID_SHA1							227
+#define OID_SHA1_WITH_RSA_OIW				228
+#define OID_ECGDSA_PUBKEY					247
+#define OID_ECGDSA_SIG_WITH_RIPEMD160		250
+#define OID_ECGDSA_SIG_WITH_SHA1			251
+#define OID_ECGDSA_SIG_WITH_SHA224			252
+#define OID_ECGDSA_SIG_WITH_SHA256			253
+#define OID_ECGDSA_SIG_WITH_SHA384			254
+#define OID_ECGDSA_SIG_WITH_SHA512			255
+#define OID_SECT163K1						278
+#define OID_SECT163R1						279
+#define OID_SECT239K1						280
+#define OID_SECT113R1						281
+#define OID_SECT113R2						282
+#define OID_SECT112R1						283
+#define OID_SECT112R2						284
+#define OID_SECT160R1						285
+#define OID_SECT160K1						286
+#define OID_SECT256K1						287
+#define OID_SECT163R2						288
+#define OID_SECT283K1						289
+#define OID_SECT283R1						290
+#define OID_SECT131R1						291
+#define OID_SECT131R2						292
+#define OID_SECT193R1						293
+#define OID_SECT193R2						294
+#define OID_SECT233K1						295
+#define OID_SECT233R1						296
+#define OID_SECT128R1						297
+#define OID_SECT128R2						298
+#define OID_SECT160R2						299
+#define OID_SECT192K1						300
+#define OID_SECT224K1						301
+#define OID_SECT224R1						302
+#define OID_SECT384R1						303
+#define OID_SECT521R1						304
+#define OID_SECT409K1						305
+#define OID_SECT409R1						306
+#define OID_SECT571K1						307
+#define OID_SECT571R1						308
+#define OID_AES128_CBC						317
+#define OID_AES128_GCM						318
+#define OID_AES128_CCM						319
+#define OID_AES192_CBC						320
+#define OID_AES192_GCM						321
+#define OID_AES192_CCM						322
+#define OID_AES256_CBC						323
+#define OID_AES256_GCM						324
+#define OID_AES256_CCM						325
+#define OID_SHA256							327
+#define OID_SHA384							328
+#define OID_SHA512							329
+#define OID_SHA224							330
+#define OID_NS_REVOCATION_URL				336
+#define OID_NS_CA_REVOCATION_URL			337
+#define OID_NS_CA_POLICY_URL				338
+#define OID_NS_COMMENT						339
+#define OID_EMPLOYEE_NUMBER					342
+#define OID_PKI_MESSAGE_TYPE				348
+#define OID_PKI_STATUS						349
+#define OID_PKI_FAIL_INFO					350
+#define OID_PKI_SENDER_NONCE				351
+#define OID_PKI_RECIPIENT_NONCE				352
+#define OID_PKI_TRANS_ID					353
 
-#define OID_MAX								354
+#define OID_MAX								356
 
 #endif /* OID_H_ */
diff --git a/src/libstrongswan/asn1/oid.txt b/src/libstrongswan/asn1/oid.txt
index 5d729c2eb..36db0299c 100644
--- a/src/libstrongswan/asn1/oid.txt
+++ b/src/libstrongswan/asn1/oid.txt
@@ -173,6 +173,7 @@
               0x14           "msEnrollmentInfrastructure"
                 0x02         "msCertificateTypeExtension"
                   0x02       "msSmartcardLogon"
+                  0x03       "msUPN"					OID_USER_PRINCIPAL_NAME
           0x89               ""
             0x31             ""
               0x01           ""
@@ -185,6 +186,7 @@
           0x07               "id-pkix"
             0x01             "id-pe"
               0x01           "authorityInfoAccess"		OID_AUTHORITY_INFO_ACCESS
+              0x03           "qcStatements"
               0x07           "ipAddrBlocks"				OID_IP_ADDR_BLOCKS
             0x02             "id-qt"
               0x01           "cps"
diff --git a/src/libstrongswan/chunk.c b/src/libstrongswan/chunk.c
index 4d115a816..9a4152145 100644
--- a/src/libstrongswan/chunk.c
+++ b/src/libstrongswan/chunk.c
@@ -307,24 +307,46 @@ static char hex2bin(char hex)
 chunk_t chunk_from_hex(chunk_t hex, char *buf)
 {
 	int i, len;
+	u_char *ptr;
 	bool odd = FALSE;
 
-	len = (hex.len / 2);
-	if (hex.len % 2)
+   /* subtract the number of optional ':' separation characters */
+	len = hex.len;
+	ptr = hex.ptr;
+ 	for (i = 0; i < hex.len; i++)
+	{
+		if (*ptr++ == ':')
+		{
+			len--;
+		}
+	}
+
+	/* compute the number of binary bytes */
+	if (len % 2)
 	{
 		odd = TRUE;
 		len++;
 	}
+	len /= 2;
+
+	/* allocate buffer memory unless provided by caller */
 	if (!buf)
 	{
 		buf = malloc(len);
 	}
+
 	/* buffer is filled from the right */
 	memset(buf, 0, len);
 	hex.ptr += hex.len;
+
 	for (i = len - 1; i >= 0; i--)
 	{
-		buf[i] = hex2bin(*(--hex.ptr));
+		/* skip separation characters */
+		if (*(--hex.ptr) == ':')
+		{
+			--hex.ptr;
+		}
+		buf[i] = hex2bin(*hex.ptr);
 		if (i > 0 || !odd)
 		{
 			buf[i] |= hex2bin(*(--hex.ptr)) << 4;
diff --git a/src/libstrongswan/chunk.h b/src/libstrongswan/chunk.h
index 5441ccf3c..f94bdfbf2 100644
--- a/src/libstrongswan/chunk.h
+++ b/src/libstrongswan/chunk.h
@@ -193,12 +193,12 @@ static inline void chunk_clear(chunk_t *chunk)
 /**
  * Allocate a chunk on the heap
  */
-#define chunk_alloc(bytes) ({size_t x = (bytes); chunk_create(malloc(x), x);})
+#define chunk_alloc(bytes) ({size_t x = (bytes); chunk_create(x ? malloc(x) : NULL, x);})
 
 /**
  * Allocate a chunk on the stack
  */
-#define chunk_alloca(bytes) ({size_t x = (bytes); chunk_create(alloca(x), x);})
+#define chunk_alloca(bytes) ({size_t x = (bytes); chunk_create(x ? alloca(x) : NULL, x);})
 
 /**
  * Clone a chunk on heap
@@ -208,7 +208,7 @@ static inline void chunk_clear(chunk_t *chunk)
 /**
  * Clone a chunk on stack
  */
-#define chunk_clonea(chunk) ({chunk_t x = (chunk); chunk_create_clone(alloca(x.len), x);})
+#define chunk_clonea(chunk) ({chunk_t x = (chunk); chunk_create_clone(x.len ? alloca(x.len) : NULL, x);})
 
 /**
  * Concatenate chunks into a chunk on heap
diff --git a/src/libstrongswan/credentials/auth_cfg.c b/src/libstrongswan/credentials/auth_cfg.c
index 2573d0327..ce718b9cb 100644
--- a/src/libstrongswan/credentials/auth_cfg.c
+++ b/src/libstrongswan/credentials/auth_cfg.c
@@ -20,6 +20,7 @@
 #include <debug.h>
 #include <utils/linked_list.h>
 #include <utils/identification.h>
+#include <eap/eap.h>
 #include <credentials/certificates/certificate.h>
 
 ENUM(auth_class_names, AUTH_CLASS_ANY, AUTH_CLASS_EAP,
@@ -29,62 +30,6 @@ ENUM(auth_class_names, AUTH_CLASS_ANY, AUTH_CLASS_EAP,
 	"EAP",
 );
 
-ENUM_BEGIN(eap_type_names, EAP_IDENTITY, EAP_GTC,
-	"EAP_IDENTITY",
-	"EAP_NOTIFICATION",
-	"EAP_NAK",
-	"EAP_MD5",
-	"EAP_OTP",
-	"EAP_GTC");
-ENUM_NEXT(eap_type_names, EAP_SIM, EAP_SIM, EAP_GTC,
-	"EAP_SIM");
-ENUM_NEXT(eap_type_names, EAP_AKA, EAP_AKA, EAP_SIM,
-	"EAP_AKA");
-ENUM_NEXT(eap_type_names, EAP_MSCHAPV2, EAP_MSCHAPV2, EAP_AKA,
-	"EAP_MSCHAPV2");
-ENUM_NEXT(eap_type_names, EAP_RADIUS, EAP_EXPERIMENTAL, EAP_MSCHAPV2,
-	"EAP_RADIUS",
-	"EAP_EXPANDED",
-	"EAP_EXPERIMENTAL");
-ENUM_END(eap_type_names, EAP_EXPERIMENTAL);
-
-ENUM_BEGIN(eap_type_short_names, EAP_IDENTITY, EAP_GTC,
-	"ID",
-	"NTF",
-	"NAK",
-	"MD5",
-	"OTP",
-	"GTC");
-ENUM_NEXT(eap_type_short_names, EAP_SIM, EAP_SIM, EAP_GTC,
-	"SIM");
-ENUM_NEXT(eap_type_short_names, EAP_AKA, EAP_AKA, EAP_SIM,
-	"AKA");
-ENUM_NEXT(eap_type_short_names, EAP_MSCHAPV2, EAP_MSCHAPV2, EAP_AKA,
-	"MSCHAPV2");
-ENUM_NEXT(eap_type_short_names, EAP_RADIUS, EAP_EXPERIMENTAL, EAP_MSCHAPV2,
-	"RAD",
-	"EXP",
-	"XP");
-ENUM_END(eap_type_short_names, EAP_EXPERIMENTAL);
-
-ENUM(auth_rule_names, AUTH_RULE_IDENTITY, AUTH_HELPER_SUBJECT_HASH_URL,
-	"RULE_IDENTITY",
-	"RULE_AUTH_CLASS",
-	"RULE_EAP_IDENTITY",
-	"RULE_EAP_TYPE",
-	"RULE_EAP_VENDOR",
-	"RULE_CA_CERT",
-	"RULE_IM_CERT",
-	"RULE_SUBJECT_CERT",
-	"RULE_CRL_VALIDATION",
-	"RULE_OCSP_VALIDATION",
-	"RULE_GROUP",
-	"HELPER_IM_CERT",
-	"HELPER_SUBJECT_CERT",
-	"HELPER_IM_HASH_URL",
-	"HELPER_SUBJECT_HASH_URL",
-);
-
 typedef struct private_auth_cfg_t private_auth_cfg_t;
 
 /**
@@ -174,6 +119,7 @@ static void destroy_entry_value(entry_t *entry)
 	{
 		case AUTH_RULE_IDENTITY:
 		case AUTH_RULE_EAP_IDENTITY:
+		case AUTH_RULE_AAA_IDENTITY:
 		case AUTH_RULE_GROUP:
 		{
 			identification_t *id = (identification_t*)entry->value;
@@ -231,6 +177,7 @@ static void replace(auth_cfg_t *this, entry_enumerator_t *enumerator,
 				break;
 			case AUTH_RULE_IDENTITY:
 			case AUTH_RULE_EAP_IDENTITY:
+			case AUTH_RULE_AAA_IDENTITY:
 			case AUTH_RULE_GROUP:
 			case AUTH_RULE_CA_CERT:
 			case AUTH_RULE_IM_CERT:
@@ -296,6 +243,7 @@ static void* get(private_auth_cfg_t *this, auth_rule_t type)
 			return (void*)VALIDATION_FAILED;
 		case AUTH_RULE_IDENTITY:
 		case AUTH_RULE_EAP_IDENTITY:
+		case AUTH_RULE_AAA_IDENTITY:
 		case AUTH_RULE_GROUP:
 		case AUTH_RULE_CA_CERT:
 		case AUTH_RULE_IM_CERT:
@@ -331,6 +279,7 @@ static void add(private_auth_cfg_t *this, auth_rule_t type, ...)
 			break;
 		case AUTH_RULE_IDENTITY:
 		case AUTH_RULE_EAP_IDENTITY:
+		case AUTH_RULE_AAA_IDENTITY:
 		case AUTH_RULE_GROUP:
 		case AUTH_RULE_CA_CERT:
 		case AUTH_RULE_IM_CERT:
@@ -445,6 +394,7 @@ static bool complies(private_auth_cfg_t *this, auth_cfg_t *constraints,
 			}
 			case AUTH_RULE_IDENTITY:
 			case AUTH_RULE_EAP_IDENTITY:
+			case AUTH_RULE_AAA_IDENTITY:
 			{
 				identification_t *id1, *id2;
 
@@ -590,6 +540,7 @@ static void merge(private_auth_cfg_t *this, private_auth_cfg_t *other, bool copy
 				}
 				case AUTH_RULE_IDENTITY:
 				case AUTH_RULE_EAP_IDENTITY:
+				case AUTH_RULE_AAA_IDENTITY:
 				case AUTH_RULE_GROUP:
 				{
 					identification_t *id = (identification_t*)value;
@@ -677,6 +628,7 @@ static bool equals(private_auth_cfg_t *this, private_auth_cfg_t *other)
 					}
 					case AUTH_RULE_IDENTITY:
 					case AUTH_RULE_EAP_IDENTITY:
+					case AUTH_RULE_AAA_IDENTITY:
 					case AUTH_RULE_GROUP:
 					{
 						identification_t *id1, *id2;
@@ -761,6 +713,7 @@ static auth_cfg_t* clone_(private_auth_cfg_t *this)
 		{
 			case AUTH_RULE_IDENTITY:
 			case AUTH_RULE_EAP_IDENTITY:
+			case AUTH_RULE_AAA_IDENTITY:
 			case AUTH_RULE_GROUP:
 			{
 				identification_t *id = (identification_t*)entry->value;
diff --git a/src/libstrongswan/credentials/auth_cfg.h b/src/libstrongswan/credentials/auth_cfg.h
index 713e16372..19624a2fe 100644
--- a/src/libstrongswan/credentials/auth_cfg.h
+++ b/src/libstrongswan/credentials/auth_cfg.h
@@ -27,7 +27,6 @@
 typedef struct auth_cfg_t auth_cfg_t;
 typedef enum auth_rule_t auth_rule_t;
 typedef enum auth_class_t auth_class_t;
-typedef enum eap_type_t eap_type_t;
 
 /**
  * Class of authentication to use. This is different to auth_method_t in that
@@ -50,35 +49,6 @@ enum auth_class_t {
  */
 extern enum_name_t *auth_class_names;
 
-/**
- * EAP types, defines the EAP method implementation
- */
-enum eap_type_t {
-	EAP_IDENTITY = 1,
-	EAP_NOTIFICATION = 2,
-	EAP_NAK = 3,
-	EAP_MD5 = 4,
-	EAP_OTP = 5,
-	EAP_GTC = 6,
-	EAP_SIM = 18,
-	EAP_AKA = 23,
-	EAP_MSCHAPV2 = 26,
-	/** not a method, but an implementation providing different methods */
-	EAP_RADIUS = 253,
-	EAP_EXPANDED = 254,
-	EAP_EXPERIMENTAL = 255,
-};
-
-/**
- * enum names for eap_type_t.
- */
-extern enum_name_t *eap_type_names;
-
-/**
- * short string enum names for eap_type_t.
- */
-extern enum_name_t *eap_type_short_names;
-
 /**
  * Authentication config to use during authentication process.
  *
@@ -98,6 +68,8 @@ enum auth_rule_t {
 	AUTH_RULE_IDENTITY,
 	/** authentication class, auth_class_t */
 	AUTH_RULE_AUTH_CLASS,
+	/** AAA-backend identity for EAP methods supporting it, identification_t* */
+	AUTH_RULE_AAA_IDENTITY,
 	/** EAP identity to use within EAP-Identity exchange, identification_t* */
 	AUTH_RULE_EAP_IDENTITY,
 	/** EAP type to propose for peer authentication, eap_type_t */
diff --git a/src/libstrongswan/credentials/builder.c b/src/libstrongswan/credentials/builder.c
index cfb708e33..c43e5fd5d 100644
--- a/src/libstrongswan/credentials/builder.c
+++ b/src/libstrongswan/credentials/builder.c
@@ -45,8 +45,10 @@ ENUM(builder_part_names, BUILD_FROM_FILE, BUILD_END,
 	"BUILD_PATHLEN",
 	"BUILD_X509_FLAG",
 	"BUILD_REVOKED_ENUMERATOR",
-	"BUILD_SMARTCARD_KEYID",
-	"BUILD_SMARTCARD_PIN",
+	"BUILD_CHALLENGE_PWD",
+	"BUILD_PKCS11_MODULE",
+	"BUILD_PKCS11_SLOT",
+	"BUILD_PKCS11_KEYID",
 	"BUILD_RSA_MODULUS",
 	"BUILD_RSA_PUB_EXP",
 	"BUILD_RSA_PRIV_EXP",
diff --git a/src/libstrongswan/credentials/builder.h b/src/libstrongswan/credentials/builder.h
index ffb09f72a..dc87da2a4 100644
--- a/src/libstrongswan/credentials/builder.h
+++ b/src/libstrongswan/credentials/builder.h
@@ -57,12 +57,6 @@ enum builder_part_t {
 	BUILD_BLOB_PGP,
 	/** DNS public key blob (RFC 4034, RSA specifc RFC 3110), chunk_t */
 	BUILD_BLOB_DNSKEY,
-	/** passphrase for e.g. PEM decryption, chunk_t */
-	BUILD_PASSPHRASE,
-	/** passphrase callback, chunk_t(*fn)(void *user, int try), void *user.
-	 *  The callback is invoked until the returned passphrase is accepted, or
-	 *  a zero-length passphrase is returned. Try starts at 1. */
-	BUILD_PASSPHRASE_CALLBACK,
 	/** key size in bits, as used for key generation, u_int */
 	BUILD_KEY_SIZE,
 	/** private key to use for signing, private_key_t* */
@@ -103,10 +97,14 @@ enum builder_part_t {
 	BUILD_X509_FLAG,
 	/** enumerator_t over (chunk_t serial, time_t date, crl_reason_t reason) */
 	BUILD_REVOKED_ENUMERATOR,
-	/** key ID of a key on a smartcard, null terminated char* ([slot:]keyid) */
-	BUILD_SMARTCARD_KEYID,
-	/** pin to access a key on a smartcard, null terminated char* */
-	BUILD_SMARTCARD_PIN,
+	/** PKCS#10 challenge password */
+	BUILD_CHALLENGE_PWD,
+	/** friendly name of a PKCS#11 module, null terminated char* */
+	BUILD_PKCS11_MODULE,
+	/** slot specifier for a token in a PKCS#11 module, int */
+	BUILD_PKCS11_SLOT,
+	/** key ID of a key on a token, chunk_t */
+	BUILD_PKCS11_KEYID,
 	/** modulus (n) of a RSA key, chunk_t */
 	BUILD_RSA_MODULUS,
 	/** public exponent (e) of a RSA key, chunk_t */
diff --git a/src/libstrongswan/credentials/credential_factory.c b/src/libstrongswan/credentials/credential_factory.c
index 7cc7dbe0e..ff621012f 100644
--- a/src/libstrongswan/credentials/credential_factory.c
+++ b/src/libstrongswan/credentials/credential_factory.c
@@ -64,32 +64,29 @@ struct entry_t {
 	credential_type_t type;
 	/** subtype of credential, e.g. certificate_type_t */
 	int subtype;
+	/** registered with final flag? */
+	bool final;
 	/** builder function */
 	builder_function_t constructor;
 };
 
-/**
- * Implementation of credential_factory_t.add_builder_constructor.
- */
-static void add_builder(private_credential_factory_t *this,
-						credential_type_t type, int subtype,
-						builder_function_t constructor)
+METHOD(credential_factory_t, add_builder, void,
+	private_credential_factory_t *this, credential_type_t type, int subtype,
+	bool final, builder_function_t constructor)
 {
 	entry_t *entry = malloc_thing(entry_t);
 
 	entry->type = type;
 	entry->subtype = subtype;
+	entry->final = final;
 	entry->constructor = constructor;
 	this->lock->write_lock(this->lock);
 	this->constructors->insert_last(this->constructors, entry);
 	this->lock->unlock(this->lock);
 }
 
-/**
- * Implementation of credential_factory_t.remove_builder.
- */
-static void remove_builder(private_credential_factory_t *this,
-						   builder_function_t constructor)
+METHOD(credential_factory_t, remove_builder, void,
+	private_credential_factory_t *this, builder_function_t constructor)
 {
 	enumerator_t *enumerator;
 	entry_t *entry;
@@ -108,11 +105,8 @@ static void remove_builder(private_credential_factory_t *this,
 	this->lock->unlock(this->lock);
 }
 
-/**
- * Implementation of credential_factory_t.create.
- */
-static void* create(private_credential_factory_t *this, credential_type_t type,
-					int subtype, ...)
+METHOD(credential_factory_t, create, void*,
+	private_credential_factory_t *this, credential_type_t type, int subtype, ...)
 {
 	enumerator_t *enumerator;
 	entry_t *entry;
@@ -159,9 +153,31 @@ static void* create(private_credential_factory_t *this, credential_type_t type,
 }
 
 /**
- * Implementation of credential_factory_t.destroy
+ * Filter function for builder enumerator
  */
-static void destroy(private_credential_factory_t *this)
+static bool builder_filter(void *null, entry_t **entry, credential_type_t *type,
+						   void *dummy1, int *subtype)
+{
+	if ((*entry)->final)
+	{
+		*type = (*entry)->type;
+		*subtype = (*entry)->subtype;
+		return TRUE;
+	}
+	return FALSE;
+}
+
+METHOD(credential_factory_t, create_builder_enumerator, enumerator_t*,
+	private_credential_factory_t *this)
+{
+	this->lock->read_lock(this->lock);
+	return enumerator_create_filter(
+				this->constructors->create_enumerator(this->constructors),
+				(void*)builder_filter, this->lock, (void*)this->lock->unlock);
+}
+
+METHOD(credential_factory_t, destroy, void,
+	private_credential_factory_t *this)
 {
 	this->constructors->destroy_function(this->constructors, free);
 	this->recursive->destroy(this->recursive);
@@ -174,16 +190,20 @@ static void destroy(private_credential_factory_t *this)
  */
 credential_factory_t *credential_factory_create()
 {
-	private_credential_factory_t *this = malloc_thing(private_credential_factory_t);
-
-	this->public.create = (void*(*)(credential_factory_t*, credential_type_t type, int subtype, ...))create;
-	this->public.add_builder = (void(*)(credential_factory_t*,credential_type_t type, int subtype, builder_function_t constructor))add_builder;
-	this->public.remove_builder = (void(*)(credential_factory_t*,builder_function_t constructor))remove_builder;
-	this->public.destroy = (void(*)(credential_factory_t*))destroy;
-
-	this->constructors = linked_list_create();
-	this->recursive = thread_value_create(NULL);
-	this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
+	private_credential_factory_t *this;
+
+	INIT(this,
+		.public = {
+			.create = _create,
+			.create_builder_enumerator = _create_builder_enumerator,
+			.add_builder = _add_builder,
+			.remove_builder = _remove_builder,
+			.destroy = _destroy,
+		},
+		.constructors = linked_list_create(),
+		.recursive = thread_value_create(NULL),
+		.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
+	);
 
 	return &this->public;
 }
diff --git a/src/libstrongswan/credentials/credential_factory.h b/src/libstrongswan/credentials/credential_factory.h
index e8ffb6b9d..709dc916a 100644
--- a/src/libstrongswan/credentials/credential_factory.h
+++ b/src/libstrongswan/credentials/credential_factory.h
@@ -68,11 +68,17 @@ struct credential_factory_t {
 	/**
 	 * Register a credential builder function.
 	 *
+	 * The final flag indicates if the registered builder can build such
+	 * a credential itself the most common encoding, without the need
+	 * for an additional builder.
+	 *
 	 * @param type			type of credential the builder creates
+	 * @param subtype		subtype of the credential, type specific
+	 * @param final			TRUE if this build does not invoke other builders
 	 * @param constructor	builder constructor function to register
 	 */
 	void (*add_builder)(credential_factory_t *this,
-						credential_type_t type, int subtype,
+						credential_type_t type, int subtype, bool final,
 						builder_function_t constructor);
 	/**
 	 * Unregister a credential builder function.
@@ -82,6 +88,16 @@ struct credential_factory_t {
 	void (*remove_builder)(credential_factory_t *this,
 						   builder_function_t constructor);
 
+	/**
+	 * Create an enumerator over registered builder types.
+	 *
+	 * The enumerator returns only builder types registered with the final
+	 * flag set.
+	 *
+	 * @return				enumerator (credential_type_t, int subtype)
+	 */
+	enumerator_t* (*create_builder_enumerator)(credential_factory_t *this);
+
 	/**
 	 * Destroy a credential_factory instance.
 	 */
diff --git a/src/libstrongswan/credentials/credential_manager.c b/src/libstrongswan/credentials/credential_manager.c
index 46c36c941..97e8d8887 100644
--- a/src/libstrongswan/credentials/credential_manager.c
+++ b/src/libstrongswan/credentials/credential_manager.c
@@ -157,8 +157,10 @@ static enumerator_t *create_sets_enumerator(private_credential_manager_t *this)
 	linked_list_t *local;
 
 	INIT(enumerator,
-		.public.enumerate = (void*)_sets_enumerate,
-		.public.destroy = _sets_destroy,
+		.public = {
+			.enumerate = (void*)_sets_enumerate,
+			.destroy = _sets_destroy,
+		},
 		.global = this->sets->create_enumerator(this->sets),
 	);
 	local = this->local_sets->get(this->local_sets);
@@ -822,7 +824,7 @@ METHOD(credential_manager_t, create_public_enumerator, enumerator_t*,
 }
 
 /**
- * Check if a certificate's keyid is contained in the auth helper
+ * Check if an helper contains a certificate as trust anchor
  */
 static bool auth_contains_cacert(auth_cfg_t *auth, certificate_t *cert)
 {
@@ -854,17 +856,10 @@ static auth_cfg_t *build_trustchain(private_credential_manager_t *this,
 	certificate_t *issuer, *current;
 	auth_cfg_t *trustchain;
 	int pathlen = 0;
+	bool has_anchor;
 
 	trustchain = auth_cfg_create();
-
-	current = auth->get(auth, AUTH_RULE_CA_CERT);
-	if (!current)
-	{
-		/* no trust anchor specified, return this cert only */
-		trustchain->add(trustchain, AUTH_RULE_SUBJECT_CERT,
-						subject->get_ref(subject));
-		return trustchain;
-	}
+	has_anchor = auth->get(auth, AUTH_RULE_CA_CERT) != NULL;
 	current = subject->get_ref(subject);
 	while (TRUE)
 	{
@@ -879,17 +874,33 @@ static auth_cfg_t *build_trustchain(private_credential_manager_t *this,
 		}
 		else
 		{
+			if (!has_anchor &&
+				this->cache->issued_by(this->cache, current, current))
+			{	/* If no trust anchor specified, accept any CA */
+				trustchain->add(trustchain, AUTH_RULE_CA_CERT, current);
+				return trustchain;
+			}
 			trustchain->add(trustchain, AUTH_RULE_IM_CERT, current);
 		}
+		if (pathlen++ > MAX_TRUST_PATH_LEN)
+		{
+			break;
+		}
 		issuer = get_issuer_cert(this, current, FALSE);
-		if (!issuer || issuer->equals(issuer, current) ||
-			pathlen > MAX_TRUST_PATH_LEN)
+		if (!issuer)
 		{
-			DESTROY_IF(issuer);
+			if (!has_anchor)
+			{	/* If no trust anchor specified, accept incomplete chains */
+				return trustchain;
+			}
+			break;
+		}
+		if (has_anchor && issuer->equals(issuer, current))
+		{
+			issuer->destroy(issuer);
 			break;
 		}
 		current = issuer;
-		pathlen++;
 	}
 	trustchain->destroy(trustchain);
 	return NULL;
diff --git a/src/libstrongswan/credentials/keys/private_key.h b/src/libstrongswan/credentials/keys/private_key.h
index 27f4ab098..e57d3f5a5 100644
--- a/src/libstrongswan/credentials/keys/private_key.h
+++ b/src/libstrongswan/credentials/keys/private_key.h
@@ -51,18 +51,20 @@ struct private_key_t {
 	/**
 	 * Decrypt a chunk of data.
 	 *
+	 * @param scheme	expected encryption scheme used
 	 * @param crypto	chunk containing encrypted data
 	 * @param plain		where to allocate decrypted data
 	 * @return			TRUE if data decrypted and plaintext allocated
 	 */
-	bool (*decrypt)(private_key_t *this, chunk_t crypto, chunk_t *plain);
+	bool (*decrypt)(private_key_t *this, encryption_scheme_t scheme,
+					chunk_t crypto, chunk_t *plain);
 
 	/**
-	 * Get the strength of the key in bytes.
+	 * Get the strength of the key in bits.
 	 *
-	 * @return			strength of the key in bytes
+	 * @return			strength of the key in bits
 	 */
-	size_t (*get_keysize) (private_key_t *this);
+	int (*get_keysize) (private_key_t *this);
 
 	/**
 	 * Get the public part from the private key.
diff --git a/src/libstrongswan/credentials/keys/public_key.c b/src/libstrongswan/credentials/keys/public_key.c
index ce342de33..22df5dd1b 100644
--- a/src/libstrongswan/credentials/keys/public_key.c
+++ b/src/libstrongswan/credentials/keys/public_key.c
@@ -42,6 +42,16 @@ ENUM(signature_scheme_names, SIGN_UNKNOWN, SIGN_ECDSA_521,
 	"ECDSA-521",
 );
 
+ENUM(encryption_scheme_names, ENCRYPT_UNKNOWN, ENCRYPT_RSA_OAEP_SHA512,
+	"ENCRYPT_UNKNOWN",
+	"ENCRYPT_RSA_PKCS1",
+	"ENCRYPT_RSA_OAEP_SHA1",
+	"ENCRYPT_RSA_OAEP_SHA224",
+	"ENCRYPT_RSA_OAEP_SHA256",
+	"ENCRYPT_RSA_OAEP_SHA384",
+	"ENCRYPT_RSA_OAEP_SHA512",
+);
+
 /**
  * See header.
  */
diff --git a/src/libstrongswan/credentials/keys/public_key.h b/src/libstrongswan/credentials/keys/public_key.h
index ff827a189..d20d2736b 100644
--- a/src/libstrongswan/credentials/keys/public_key.h
+++ b/src/libstrongswan/credentials/keys/public_key.h
@@ -24,6 +24,7 @@
 typedef struct public_key_t public_key_t;
 typedef enum key_type_t key_type_t;
 typedef enum signature_scheme_t signature_scheme_t;
+typedef enum encryption_scheme_t encryption_scheme_t;
 
 #include <library.h>
 #include <utils/identification.h>
@@ -96,6 +97,31 @@ enum signature_scheme_t {
  */
 extern enum_name_t *signature_scheme_names;
 
+/**
+ * Encryption scheme for public key data encryption.
+ */
+enum encryption_scheme_t {
+	/** Unknown encryption scheme                                      */
+	ENCRYPT_UNKNOWN,
+	/** RSAES-PKCS1-v1_5 as in PKCS#1                                  */
+	ENCRYPT_RSA_PKCS1,
+	/** RSAES-OAEP as in PKCS#1, using SHA1 as hash, no label          */
+	ENCRYPT_RSA_OAEP_SHA1,
+	/** RSAES-OAEP as in PKCS#1, using SHA-224 as hash, no label       */
+	ENCRYPT_RSA_OAEP_SHA224,
+	/** RSAES-OAEP as in PKCS#1, using SHA-256 as hash, no label       */
+	ENCRYPT_RSA_OAEP_SHA256,
+	/** RSAES-OAEP as in PKCS#1, using SHA-384 as hash, no label       */
+	ENCRYPT_RSA_OAEP_SHA384,
+	/** RSAES-OAEP as in PKCS#1, using SHA-512 as hash, no label       */
+	ENCRYPT_RSA_OAEP_SHA512,
+};
+
+/**
+ * Enum names for encryption_scheme_t
+ */
+extern enum_name_t *encryption_scheme_names;
+
 /**
  * Abstract interface of a public key.
  */
@@ -122,11 +148,13 @@ struct public_key_t {
 	/**
 	 * Encrypt a chunk of data.
 	 *
+	 * @param scheme	encryption scheme to use
 	 * @param plain		chunk containing plaintext data
 	 * @param crypto	where to allocate encrypted data
 	 * @return 			TRUE if data successfully encrypted
 	 */
-	bool (*encrypt)(public_key_t *this, chunk_t plain, chunk_t *crypto);
+	bool (*encrypt)(public_key_t *this, encryption_scheme_t scheme,
+					chunk_t plain, chunk_t *crypto);
 
 	/**
 	 * Check if two public keys are equal.
@@ -137,11 +165,11 @@ struct public_key_t {
 	bool (*equals)(public_key_t *this, public_key_t *other);
 
 	/**
-	 * Get the strength of the key in bytes.
+	 * Get the strength of the key in bits.
 	 *
-	 * @return			strength of the key in bytes
+	 * @return			strength of the key in bits
 	 */
-	size_t (*get_keysize) (public_key_t *this);
+	int (*get_keysize) (public_key_t *this);
 
 	/**
 	 * Get the fingerprint of the key.
diff --git a/src/libstrongswan/credentials/sets/callback_cred.c b/src/libstrongswan/credentials/sets/callback_cred.c
new file mode 100644
index 000000000..bff33f029
--- /dev/null
+++ b/src/libstrongswan/credentials/sets/callback_cred.c
@@ -0,0 +1,144 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "callback_cred.h"
+
+typedef struct private_callback_cred_t private_callback_cred_t;
+
+/**
+ * Private data of an callback_cred_t object.
+ */
+struct private_callback_cred_t {
+
+	/**
+	 * Public callback_cred_t interface.
+	 */
+	callback_cred_t public;
+
+	/**
+	 * Callback of this set, for all types, and generic
+	 */
+	union {
+		void *generic;
+		callback_cred_shared_cb_t shared;
+	} cb;
+
+	/**
+	 * Data to pass to callback
+	 */
+	void *data;
+};
+
+/**
+ * Shared key enumerator on callbacks
+ */
+typedef struct {
+	/* implements enumerator_t */
+	enumerator_t public;
+	/* backref to this */
+	private_callback_cred_t *this;
+	/* type if requested key */
+	shared_key_type_t type;
+	/* own identity to match */
+	identification_t *me;
+	/* other identity to match */
+	identification_t *other;
+	/* current shared key */
+	shared_key_t *current;
+} shared_enumerator_t;
+
+METHOD(enumerator_t, shared_enumerate, bool,
+	shared_enumerator_t *this, shared_key_t **out,
+	id_match_t *match_me, id_match_t *match_other)
+{
+	DESTROY_IF(this->current);
+	this->current = this->this->cb.shared(this->this->data, this->type,
+								this->me, this->other, match_me, match_other);
+	if (this->current)
+	{
+		*out = this->current;
+		return TRUE;
+	}
+	return FALSE;
+}
+
+METHOD(enumerator_t, shared_destroy, void,
+	shared_enumerator_t *this)
+{
+	DESTROY_IF(this->current);
+	free(this);
+}
+
+METHOD(credential_set_t, create_shared_enumerator, enumerator_t*,
+	private_callback_cred_t *this, shared_key_type_t type,
+	identification_t *me, identification_t *other)
+{
+	shared_enumerator_t *enumerator;
+
+	INIT(enumerator,
+		.public = {
+			.enumerate = (void*)_shared_enumerate,
+			.destroy = _shared_destroy,
+		},
+		.this = this,
+		.type = type,
+		.me = me,
+		.other = other,
+	);
+	return &enumerator->public;
+}
+
+METHOD(callback_cred_t, destroy, void,
+	private_callback_cred_t *this)
+{
+	free(this);
+}
+
+/**
+ * Create a generic callback credential set
+ */
+static private_callback_cred_t* create_generic(void *cb, void *data)
+{
+	private_callback_cred_t *this;
+
+	INIT(this,
+		.public = {
+			.set = {
+				.create_shared_enumerator = (void*)return_null,
+				.create_private_enumerator = (void*)return_null,
+				.create_cert_enumerator = (void*)return_null,
+				.create_cdp_enumerator  = (void*)return_null,
+				.cache_cert = (void*)nop,
+			},
+			.destroy = _destroy,
+		},
+		.cb.generic = cb,
+		.data = data,
+	);
+	return this;
+}
+
+/**
+ * See header
+ */
+callback_cred_t *callback_cred_create_shared(callback_cred_shared_cb_t cb,
+											 void *data)
+{
+	private_callback_cred_t *this = create_generic(cb, data);
+
+	this->public.set.create_shared_enumerator = _create_shared_enumerator;
+
+	return &this->public;
+}
diff --git a/src/libstrongswan/credentials/sets/callback_cred.h b/src/libstrongswan/credentials/sets/callback_cred.h
new file mode 100644
index 000000000..efc4c7fa5
--- /dev/null
+++ b/src/libstrongswan/credentials/sets/callback_cred.h
@@ -0,0 +1,67 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup callback_cred callback_cred
+ * @{ @ingroup sets
+ */
+
+#ifndef CALLBACK_CRED_H_
+#define CALLBACK_CRED_H_
+
+typedef struct callback_cred_t callback_cred_t;
+
+#include <credentials/credential_set.h>
+
+/**
+ * Callback function to get shared keys.
+ *
+ * @param type			type of requested shared key
+ * @param me			own identity
+ * @param other			other identity
+ * @param match_me		match result of own identity
+ * @param match_other	match result of other identity
+ */
+typedef shared_key_t* (*callback_cred_shared_cb_t)(
+								void *data, shared_key_type_t type,
+								identification_t *me, identification_t *other,
+								id_match_t *match_me, id_match_t *match_other);
+
+/**
+ * Generic callbcack using user specified callback functions.
+ */
+struct callback_cred_t {
+
+	/**
+	 * Implements credential_set_t.
+	 */
+	credential_set_t set;
+
+	/**
+	 * Destroy a callback_cred_t.
+	 */
+	void (*destroy)(callback_cred_t *this);
+};
+
+/**
+ * Create a callback_cred instance, for a shared key.
+ *
+ * @param cb		callback function
+ * @param data		data to pass to callback
+ */
+callback_cred_t *callback_cred_create_shared(callback_cred_shared_cb_t cb,
+											 void *data);
+
+#endif /** CALLBACK_CRED_H_ @}*/
diff --git a/src/libstrongswan/credentials/sets/mem_cred.c b/src/libstrongswan/credentials/sets/mem_cred.c
new file mode 100644
index 000000000..c29a99f1f
--- /dev/null
+++ b/src/libstrongswan/credentials/sets/mem_cred.c
@@ -0,0 +1,433 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "mem_cred.h"
+
+#include <threading/rwlock.h>
+#include <utils/linked_list.h>
+
+typedef struct private_mem_cred_t private_mem_cred_t;
+
+/**
+ * Private data of an mem_cred_t object.
+ */
+struct private_mem_cred_t {
+
+	/**
+	 * Public mem_cred_t interface.
+	 */
+	mem_cred_t public;
+
+	/**
+	 * Lock for this set
+	 */
+	rwlock_t *lock;
+
+	/**
+	 * List of trusted certificates, certificate_t
+	 */
+	linked_list_t *trusted;
+
+	/**
+	 * List of trusted and untrusted certificates, certificate_t
+	 */
+	linked_list_t *untrusted;
+
+	/**
+	 * List of private keys, private_key_t
+	 */
+	linked_list_t *keys;
+
+	/**
+	 * List of shared keys, as shared_entry_t
+	 */
+	linked_list_t *shared;
+};
+
+/**
+ * Data for the certificate enumerator
+ */
+typedef struct {
+	rwlock_t *lock;
+	certificate_type_t cert;
+	key_type_t key;
+	identification_t *id;
+} cert_data_t;
+
+/**
+ * destroy cert_data
+ */
+static void cert_data_destroy(cert_data_t *data)
+{
+	data->lock->unlock(data->lock);
+	free(data);
+}
+
+/**
+ * filter function for certs enumerator
+ */
+static bool certs_filter(cert_data_t *data, certificate_t **in, certificate_t **out)
+{
+	public_key_t *public;
+	certificate_t *cert = *in;
+
+	if (data->cert == CERT_ANY || data->cert == cert->get_type(cert))
+	{
+		public = cert->get_public_key(cert);
+		if (public)
+		{
+			if (data->key == KEY_ANY || data->key == public->get_type(public))
+			{
+				if (data->id && public->has_fingerprint(public,
+											data->id->get_encoding(data->id)))
+				{
+					public->destroy(public);
+					*out = *in;
+					return TRUE;
+				}
+			}
+			public->destroy(public);
+		}
+		else if (data->key != KEY_ANY)
+		{
+			return FALSE;
+		}
+		if (data->id == NULL || cert->has_subject(cert, data->id))
+		{
+			*out = *in;
+			return TRUE;
+		}
+	}
+	return FALSE;
+}
+
+METHOD(credential_set_t, create_cert_enumerator, enumerator_t*,
+	private_mem_cred_t *this, certificate_type_t cert, key_type_t key,
+	identification_t *id, bool trusted)
+{
+	cert_data_t *data;
+	enumerator_t *enumerator;
+
+	INIT(data,
+		.lock = this->lock,
+		.cert = cert,
+		.key = key,
+		.id = id,
+	);
+	this->lock->read_lock(this->lock);
+	if (trusted)
+	{
+		enumerator = this->trusted->create_enumerator(this->trusted);
+	}
+	else
+	{
+		enumerator = this->untrusted->create_enumerator(this->untrusted);
+	}
+	return enumerator_create_filter(enumerator, (void*)certs_filter, data,
+									(void*)cert_data_destroy);
+}
+
+static bool certificate_equals(certificate_t *item, certificate_t *cert)
+{
+	return item->equals(item, cert);
+}
+
+METHOD(mem_cred_t, add_cert, void,
+	private_mem_cred_t *this, bool trusted, certificate_t *cert)
+{
+	this->lock->write_lock(this->lock);
+	if (this->untrusted->find_last(this->untrusted,
+				(linked_list_match_t)certificate_equals, NULL, cert) != SUCCESS)
+	{
+		if (trusted)
+		{
+			this->trusted->insert_last(this->trusted, cert->get_ref(cert));
+		}
+		this->untrusted->insert_last(this->untrusted, cert->get_ref(cert));
+	}
+	cert->destroy(cert);
+	this->lock->unlock(this->lock);
+}
+
+/**
+ * Data for key enumerator
+ */
+typedef struct {
+	rwlock_t *lock;
+	key_type_t type;
+	identification_t *id;
+} key_data_t;
+
+/**
+ * Destroy key enumerator data
+ */
+static void key_data_destroy(key_data_t *data)
+{
+	data->lock->unlock(data->lock);
+	free(data);
+}
+
+/**
+ * filter function for private key enumerator
+ */
+static bool key_filter(key_data_t *data, private_key_t **in, private_key_t **out)
+{
+	private_key_t *key;
+
+	key = *in;
+	if (data->type == KEY_ANY || data->type == key->get_type(key))
+	{
+		if (data->id == NULL ||
+			key->has_fingerprint(key, data->id->get_encoding(data->id)))
+		{
+			*out = key;
+			return TRUE;
+		}
+	}
+	return FALSE;
+}
+
+METHOD(credential_set_t, create_private_enumerator, enumerator_t*,
+	private_mem_cred_t *this, key_type_t type, identification_t *id)
+{
+	key_data_t *data;
+
+	INIT(data,
+		.lock = this->lock,
+		.type = type,
+		.id = id,
+	);
+	this->lock->read_lock(this->lock);
+	return enumerator_create_filter(this->keys->create_enumerator(this->keys),
+							(void*)key_filter, data, (void*)key_data_destroy);
+}
+
+METHOD(mem_cred_t, add_key, void,
+	private_mem_cred_t *this, private_key_t *key)
+{
+	this->lock->write_lock(this->lock);
+	this->keys->insert_last(this->keys, key);
+	this->lock->unlock(this->lock);
+}
+
+/**
+ * Shared key entry
+ */
+typedef struct {
+	/* shared key */
+	shared_key_t *shared;
+	/* list of owners, identification_t */
+	linked_list_t *owners;
+} shared_entry_t;
+
+/**
+ * Clean up a shared entry
+ */
+static void shared_entry_destroy(shared_entry_t *entry)
+{
+	entry->owners->destroy_offset(entry->owners,
+								  offsetof(identification_t, destroy));
+	entry->shared->destroy(entry->shared);
+	free(entry);
+}
+
+/**
+ * Data for the shared_key enumerator
+ */
+typedef struct {
+	rwlock_t *lock;
+	identification_t *me;
+	identification_t *other;
+	shared_key_type_t type;
+} shared_data_t;
+
+/**
+ * free shared key enumerator data and unlock list
+ */
+static void shared_data_destroy(shared_data_t *data)
+{
+	data->lock->unlock(data->lock);
+	free(data);
+}
+
+/**
+ * Get the best match of an owner in an entry.
+ */
+static id_match_t has_owner(shared_entry_t *entry, identification_t *owner)
+{
+	enumerator_t *enumerator;
+	id_match_t match, best = ID_MATCH_NONE;
+	identification_t *current;
+
+	enumerator = entry->owners->create_enumerator(entry->owners);
+	while (enumerator->enumerate(enumerator, &current))
+	{
+		match  = owner->matches(owner, current);
+		if (match > best)
+		{
+			best = match;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return best;
+}
+
+/**
+ * enumerator filter function for shared entries
+ */
+static bool shared_filter(shared_data_t *data,
+						  shared_entry_t **in, shared_key_t **out,
+						  void **unused1, id_match_t *me,
+						  void **unused2, id_match_t *other)
+{
+	id_match_t my_match = ID_MATCH_NONE, other_match = ID_MATCH_NONE;
+	shared_entry_t *entry = *in;
+
+	if (data->type != SHARED_ANY &&
+		entry->shared->get_type(entry->shared) != data->type)
+	{
+		return FALSE;
+	}
+	if (data->me)
+	{
+		my_match = has_owner(entry, data->me);
+	}
+	if (data->other)
+	{
+		other_match = has_owner(entry, data->other);
+	}
+	if ((data->me || data->other) && (!my_match && !other_match))
+	{
+		return FALSE;
+	}
+	*out = entry->shared;
+	if (me)
+	{
+		*me = my_match;
+	}
+	if (other)
+	{
+		*other = other_match;
+	}
+	return TRUE;
+}
+
+METHOD(credential_set_t, create_shared_enumerator, enumerator_t*,
+	private_mem_cred_t *this, shared_key_type_t type,
+	identification_t *me, identification_t *other)
+{
+	shared_data_t *data;
+
+	INIT(data,
+		.lock = this->lock,
+		.me = me,
+		.other = other,
+		.type = type,
+	);
+	data->lock->read_lock(data->lock);
+	return enumerator_create_filter(
+						this->shared->create_enumerator(this->shared),
+						(void*)shared_filter, data, (void*)shared_data_destroy);
+}
+
+METHOD(mem_cred_t, add_shared, void,
+	private_mem_cred_t *this, shared_key_t *shared, ...)
+{
+	shared_entry_t *entry;
+	identification_t *id;
+	va_list args;
+
+	INIT(entry,
+		.shared = shared,
+		.owners = linked_list_create(),
+	);
+
+	va_start(args, shared);
+	do
+	{
+		id = va_arg(args, identification_t*);
+		if (id)
+		{
+			entry->owners->insert_last(entry->owners, id);
+		}
+	}
+	while (id);
+	va_end(args);
+
+	this->lock->write_lock(this->lock);
+	this->shared->insert_last(this->shared, entry);
+	this->lock->unlock(this->lock);
+}
+
+METHOD(mem_cred_t, clear_, void,
+	private_mem_cred_t *this)
+{
+	this->lock->write_lock(this->lock);
+	this->trusted->destroy_offset(this->trusted,
+								  offsetof(certificate_t, destroy));
+	this->untrusted->destroy_offset(this->untrusted,
+									offsetof(certificate_t, destroy));
+	this->keys->destroy_offset(this->keys, offsetof(private_key_t, destroy));
+	this->shared->destroy_function(this->shared, (void*)shared_entry_destroy);
+	this->trusted = linked_list_create();
+	this->untrusted = linked_list_create();
+	this->keys = linked_list_create();
+	this->shared = linked_list_create();
+	this->lock->unlock(this->lock);
+}
+
+METHOD(mem_cred_t, destroy, void,
+	private_mem_cred_t *this)
+{
+	clear_(this);
+	this->trusted->destroy(this->trusted);
+	this->untrusted->destroy(this->untrusted);
+	this->keys->destroy(this->keys);
+	this->shared->destroy(this->shared);
+	this->lock->destroy(this->lock);
+	free(this);
+}
+
+/**
+ * See header
+ */
+mem_cred_t *mem_cred_create()
+{
+	private_mem_cred_t *this;
+
+	INIT(this,
+		.public = {
+			.set = {
+				.create_shared_enumerator = _create_shared_enumerator,
+				.create_private_enumerator = _create_private_enumerator,
+				.create_cert_enumerator = _create_cert_enumerator,
+				.create_cdp_enumerator  = (void*)return_null,
+				.cache_cert = (void*)nop,
+			},
+			.add_cert = _add_cert,
+			.add_key = _add_key,
+			.add_shared = _add_shared,
+			.clear = _clear_,
+			.destroy = _destroy,
+		},
+		.trusted = linked_list_create(),
+		.untrusted = linked_list_create(),
+		.keys = linked_list_create(),
+		.shared = linked_list_create(),
+		.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
+	);
+
+	return &this->public;
+}
diff --git a/src/libstrongswan/credentials/sets/mem_cred.h b/src/libstrongswan/credentials/sets/mem_cred.h
new file mode 100644
index 000000000..b26e43d6c
--- /dev/null
+++ b/src/libstrongswan/credentials/sets/mem_cred.h
@@ -0,0 +1,77 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup mem_cred mem_cred
+ * @{ @ingroup sets
+ */
+
+#ifndef MEM_CRED_H_
+#define MEM_CRED_H_
+
+typedef struct mem_cred_t mem_cred_t;
+
+#include <credentials/credential_set.h>
+
+/**
+ * Generic in-memory credential set.
+ */
+struct mem_cred_t {
+
+	/**
+	 * Implements credential_set_t.
+	 */
+	credential_set_t set;
+
+	/**
+	 * Add a certificate to the credential set.
+	 *
+	 * @param trusted		TRUE to serve certificate as trusted
+	 * @param cert			certificate, reference gets owned by set
+	 */
+	void (*add_cert)(mem_cred_t *this, bool trusted, certificate_t *cert);
+
+	/**
+	 * Add a private key to the credential set.
+	 *
+	 * @param key			key, reference gets owned by set
+	 */
+	void (*add_key)(mem_cred_t *this, private_key_t *key);
+
+	/**
+	 * Add a shared key to the credential set.
+	 *
+	 * @param shared		shared key to add, gets owned by set
+	 * @param ...			NULL terminated list of owners identification_t*
+	 */
+	void (*add_shared)(mem_cred_t *this, shared_key_t *shared, ...);
+
+	/**
+	 * Clear all credentials from the credential set.
+	 */
+	void (*clear)(mem_cred_t *this);
+
+	/**
+	 * Destroy a mem_cred_t.
+	 */
+	void (*destroy)(mem_cred_t *this);
+};
+
+/**
+ * Create a mem_cred instance.
+ */
+mem_cred_t *mem_cred_create();
+
+#endif /** MEM_CRED_H_ @}*/
diff --git a/src/libstrongswan/crypto/aead.c b/src/libstrongswan/crypto/aead.c
new file mode 100644
index 000000000..51cb05909
--- /dev/null
+++ b/src/libstrongswan/crypto/aead.c
@@ -0,0 +1,162 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "aead.h"
+
+#include <debug.h>
+
+typedef struct private_aead_t private_aead_t;
+
+/**
+ * Private data of an aead_t object.
+ */
+struct private_aead_t {
+
+	/**
+	 * Public aead_t interface.
+	 */
+	aead_t public;
+
+	/**
+	 * traditional crypter
+	 */
+	crypter_t *crypter;
+
+	/**
+	 * draditional signer
+	 */
+	signer_t *signer;
+};
+
+METHOD(aead_t, encrypt, void,
+	private_aead_t *this, chunk_t plain, chunk_t assoc, chunk_t iv,
+	chunk_t *encrypted)
+{
+	chunk_t encr, sig;
+
+	this->signer->get_signature(this->signer, assoc, NULL);
+	this->signer->get_signature(this->signer, iv, NULL);
+
+	if (encrypted)
+	{
+		this->crypter->encrypt(this->crypter, plain, iv, &encr);
+		this->signer->allocate_signature(this->signer, encr, &sig);
+		*encrypted = chunk_cat("cmm", iv, encr, sig);
+	}
+	else
+	{
+		this->crypter->encrypt(this->crypter, plain, iv, NULL);
+		this->signer->get_signature(this->signer, plain, plain.ptr + plain.len);
+	}
+}
+
+METHOD(aead_t, decrypt, bool,
+	private_aead_t *this, chunk_t encrypted, chunk_t assoc, chunk_t iv,
+	chunk_t *plain)
+{
+	chunk_t sig;
+	size_t bs;
+
+	bs = this->crypter->get_block_size(this->crypter);
+	sig.len = this->signer->get_block_size(this->signer);
+	if (sig.len > encrypted.len || (encrypted.len - sig.len) % bs)
+	{
+		DBG1(DBG_LIB, "invalid encrypted data length %d with block size %d",
+			encrypted.len - sig.len, bs);
+		return FALSE;
+	}
+	chunk_split(encrypted, "mm", encrypted.len - sig.len,
+				&encrypted, sig.len, &sig);
+
+	this->signer->get_signature(this->signer, assoc, NULL);
+	this->signer->get_signature(this->signer, iv, NULL);
+	if (!this->signer->verify_signature(this->signer, encrypted, sig))
+	{
+		DBG1(DBG_LIB, "MAC verification failed");
+		return FALSE;
+	}
+	this->crypter->decrypt(this->crypter, encrypted, iv, plain);
+	return TRUE;
+}
+
+METHOD(aead_t, get_block_size, size_t,
+	private_aead_t *this)
+{
+	return this->crypter->get_block_size(this->crypter);
+}
+
+METHOD(aead_t, get_icv_size, size_t,
+	private_aead_t *this)
+{
+	return this->signer->get_block_size(this->signer);
+}
+
+METHOD(aead_t, get_iv_size, size_t,
+	private_aead_t *this)
+{
+	return this->crypter->get_iv_size(this->crypter);
+}
+
+METHOD(aead_t, get_key_size, size_t,
+	private_aead_t *this)
+{
+	return this->crypter->get_key_size(this->crypter) +
+			this->signer->get_key_size(this->signer);
+}
+
+METHOD(aead_t, set_key, void,
+	private_aead_t *this, chunk_t key)
+{
+	chunk_t sig, enc;
+
+	chunk_split(key, "mm", this->signer->get_key_size(this->signer), &sig,
+				this->crypter->get_key_size(this->crypter), &enc);
+
+	this->signer->set_key(this->signer, sig);
+	this->crypter->set_key(this->crypter, enc);
+}
+
+METHOD(aead_t, destroy, void,
+	private_aead_t *this)
+{
+	this->crypter->destroy(this->crypter);
+	this->signer->destroy(this->signer);
+	free(this);
+}
+
+/**
+ * See header
+ */
+aead_t *aead_create(crypter_t *crypter, signer_t *signer)
+{
+	private_aead_t *this;
+
+	INIT(this,
+		.public = {
+			.encrypt = _encrypt,
+			.decrypt = _decrypt,
+			.get_block_size = _get_block_size,
+			.get_icv_size = _get_icv_size,
+			.get_iv_size = _get_iv_size,
+			.get_key_size = _get_key_size,
+			.set_key = _set_key,
+			.destroy = _destroy,
+		},
+		.crypter = crypter,
+		.signer = signer,
+	);
+
+	return &this->public;
+}
diff --git a/src/libstrongswan/crypto/aead.h b/src/libstrongswan/crypto/aead.h
new file mode 100644
index 000000000..d560381d9
--- /dev/null
+++ b/src/libstrongswan/crypto/aead.h
@@ -0,0 +1,119 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup aead aead
+ * @{ @ingroup crypto
+ */
+
+#ifndef AEAD_H_
+#define AEAD_H_
+
+typedef struct aead_t aead_t;
+
+#include <library.h>
+#include <crypto/crypters/crypter.h>
+#include <crypto/signers/signer.h>
+
+/**
+ * Authenticated encryption / authentication decryption interface.
+ */
+struct aead_t {
+
+	/**
+	 * Encrypt and sign data, sign associated data.
+	 *
+	 * The plain data must be a multiple of get_block_size(), the IV must
+	 * have a length of get_iv_size().
+	 * If encrypted is NULL, the encryption is done inline. The buffer must
+	 * have space for additional get_icv_size() data, the ICV value is
+	 * appended silently to the plain chunk.
+	 *
+	 * @param plain			data to encrypt and sign
+	 * @param assoc			associated data to sign
+	 * @param iv			initialization vector
+	 * @param encrypted		allocated encryption result
+	 */
+	void (*encrypt)(aead_t *this, chunk_t plain, chunk_t assoc, chunk_t iv,
+					chunk_t *encrypted);
+
+	/**
+	 * Decrypt and verify data, verify associated data.
+	 *
+	 * The IV must have a length of get_iv_size().
+	 * If plain is NULL, the decryption is done inline. The decrypted data
+	 * is returned in the encrypted chunk, the last get_icv_size() bytes
+	 * contain the verified ICV.
+	 *
+	 * @param encrypted		data to encrypt and verify
+	 * @param assoc			associated data to verify
+	 * @param iv			initialization vector
+	 * @param plain			allocated result, if successful
+	 * @return				TRUE if MAC verification successful
+	 */
+	bool (*decrypt)(aead_t *this, chunk_t encrypted, chunk_t assoc, chunk_t iv,
+					chunk_t *plain);
+
+	/**
+	 * Get the block size for encryption.
+	 *
+	 * @return				block size in bytes
+	 */
+	size_t (*get_block_size)(aead_t *this);
+
+	/**
+	 * Get the integrity check value size of the algorithm.
+	 *
+	 * @return				ICV size in bytes
+	 */
+	size_t (*get_icv_size)(aead_t *this);
+
+	/**
+	 * Get the size of the initialization vector.
+	 *
+	 * @return				IV size in bytes
+	 */
+	size_t (*get_iv_size)(aead_t *this);
+
+	/**
+	 * Get the size of the key material (for encryption and authentication).
+	 *
+	 * @return				key size in bytes
+	 */
+	size_t (*get_key_size)(aead_t *this);
+
+	/**
+	 * Set the key for encryption and authentication.
+	 *
+	 * @param key			encryption and authentication key
+	 */
+	void (*set_key)(aead_t *this, chunk_t key);
+
+	/**
+	 * Destroy a aead_t.
+	 */
+	void (*destroy)(aead_t *this);
+};
+
+/**
+ * Create a aead instance using traditional transforms.
+ *
+ * @param crypter		encryption transform for this aead
+ * @param signer		integrity tranform for this aead
+ * @return				aead transform
+ */
+aead_t *aead_create(crypter_t *crypter, signer_t *signer);
+
+#endif /** AEAD_H_ @}*/
diff --git a/src/libstrongswan/crypto/crypters/crypter.c b/src/libstrongswan/crypto/crypters/crypter.c
index ebd35a8a0..0730c707c 100644
--- a/src/libstrongswan/crypto/crypters/crypter.c
+++ b/src/libstrongswan/crypto/crypters/crypter.c
@@ -159,4 +159,25 @@ int encryption_algorithm_to_oid(encryption_algorithm_t alg, size_t key_size)
 	return oid;
 }
 
-
+/*
+ * Described in header.
+ */
+bool encryption_algorithm_is_aead(encryption_algorithm_t alg)
+{
+	switch (alg)
+	{
+		case ENCR_AES_CCM_ICV8:
+		case ENCR_AES_CCM_ICV12:
+		case ENCR_AES_CCM_ICV16:
+		case ENCR_AES_GCM_ICV8:
+		case ENCR_AES_GCM_ICV12:
+		case ENCR_AES_GCM_ICV16:
+		case ENCR_NULL_AUTH_AES_GMAC:
+		case ENCR_CAMELLIA_CCM_ICV8:
+		case ENCR_CAMELLIA_CCM_ICV12:
+		case ENCR_CAMELLIA_CCM_ICV16:
+			return TRUE;
+		default:
+			return FALSE;
+	}
+}
diff --git a/src/libstrongswan/crypto/crypters/crypter.h b/src/libstrongswan/crypto/crypters/crypter.h
index f052a181d..3bf039681 100644
--- a/src/libstrongswan/crypto/crypters/crypter.h
+++ b/src/libstrongswan/crypto/crypters/crypter.h
@@ -42,6 +42,7 @@ enum encryption_algorithm_t {
 	ENCR_DES_IV32 =            9,
 	ENCR_NULL =               11,
 	ENCR_AES_CBC =            12,
+	/** CTR as specified for IPsec (RFC5930/RFC3686), nonce appended to key */
 	ENCR_AES_CTR =            13,
 	ENCR_AES_CCM_ICV8 =       14,
 	ENCR_AES_CCM_ICV12 =      15,
@@ -51,6 +52,7 @@ enum encryption_algorithm_t {
 	ENCR_AES_GCM_ICV16 =      20,
 	ENCR_NULL_AUTH_AES_GMAC = 21,
 	ENCR_CAMELLIA_CBC =       23,
+	/* CTR as specified for IPsec (RFC5529), nonce appended to key */
 	ENCR_CAMELLIA_CTR =       24,
 	ENCR_CAMELLIA_CCM_ICV8 =  25,
 	ENCR_CAMELLIA_CCM_ICV12 = 26,
@@ -81,8 +83,8 @@ struct crypter_t {
 	/**
 	 * Encrypt a chunk of data and allocate space for the encrypted value.
 	 *
-	 * The length of the iv must equal to get_block_size(), while the length
-	 * of data must be a multiple it.
+	 * The length of the iv must equal to get_iv_size(), while the length
+	 * of data must be a multiple of get_block_size().
 	 * If encrypted is NULL, the encryption is done in-place (overwriting data).
 	 *
 	 * @param data			data to encrypt
@@ -95,8 +97,8 @@ struct crypter_t {
 	/**
 	 * Decrypt a chunk of data and allocate space for the decrypted value.
 	 *
-	 * The length of the iv must equal to get_block_size(), while the length
-	 * of data must be a multiple it.
+	 * The length of the iv must equal to get_iv_size(), while the length
+	 * of data must be a multiple of get_block_size().
 	 * If decrpyted is NULL, the encryption is done in-place (overwriting data).
 	 *
 	 * @param data			data to decrypt
@@ -109,14 +111,29 @@ struct crypter_t {
 	/**
 	 * Get the block size of the crypto algorithm.
 	 *
-	 * @return					block size in bytes
+	 * get_block_size() returns the smallest block the crypter can handle,
+	 * not the block size of the underlying crypto algorithm. For counter mode,
+	 * it is usually 1.
+	 *
+	 * @return				block size in bytes
 	 */
 	size_t (*get_block_size) (crypter_t *this);
 
+	/**
+	 * Get the IV size of the crypto algorithm.
+	 *
+	 * @return				initialization vector size in bytes
+	 */
+	size_t (*get_iv_size)(crypter_t *this);
+
 	/**
 	 * Get the key size of the crypto algorithm.
 	 *
-	 * @return					key size in bytes
+	 * get_key_size() might return a key length different from the key
+	 * size passed to the factory constructor. For Counter Mode, the nonce
+	 * is handled as a part of the key material and is passed to set_key().
+	 *
+	 * @return				key size in bytes
 	 */
 	size_t (*get_key_size) (crypter_t *this);
 
@@ -125,7 +142,7 @@ struct crypter_t {
 	 *
 	 * The length of the key must match get_key_size().
 	 *
-	 * @param key				key to set
+	 * @param key			key to set
 	 */
 	void (*set_key) (crypter_t *this, chunk_t key);
 
@@ -153,4 +170,12 @@ encryption_algorithm_t encryption_algorithm_from_oid(int oid, size_t *key_size);
  */
 int encryption_algorithm_to_oid(encryption_algorithm_t alg, size_t key_size);
 
+/**
+ * Check if an encryption algorithm identifier is an AEAD algorithm.
+ *
+ * @param alg			algorithm identifier
+ * @return				TRUE if it is an AEAD algorithm
+ */
+bool encryption_algorithm_is_aead(encryption_algorithm_t alg);
+
 #endif /** CRYPTER_H_ @}*/
diff --git a/src/libstrongswan/crypto/crypto_factory.c b/src/libstrongswan/crypto/crypto_factory.c
index fee71953d..f2f01987d 100644
--- a/src/libstrongswan/crypto/crypto_factory.c
+++ b/src/libstrongswan/crypto/crypto_factory.c
@@ -22,16 +22,20 @@
 
 typedef struct entry_t entry_t;
 struct entry_t {
-	/** algorithm */
+	/* algorithm */
 	u_int algo;
+	/* benchmarked speed */
+	u_int speed;
 	/* constructor */
 	union {
 		crypter_constructor_t create_crypter;
+		aead_constructor_t create_aead;
 		signer_constructor_t create_signer;
 		hasher_constructor_t create_hasher;
 		prf_constructor_t create_prf;
 		rng_constructor_t create_rng;
 		dh_constructor_t create_dh;
+		void *create;
 	};
 };
 
@@ -52,6 +56,11 @@ struct private_crypto_factory_t {
 	 */
 	linked_list_t *crypters;
 
+	/**
+	 * registered aead transforms, as entry_t
+	 */
+	linked_list_t *aeads;
+
 	/**
 	 * registered signers, as entry_t
 	 */
@@ -92,17 +101,20 @@ struct private_crypto_factory_t {
 	 */
 	bool test_on_create;
 
+	/**
+	 * run algorithm benchmark during registration
+	 */
+	bool bench;
+
 	/**
 	 * rwlock to lock access to modules
 	 */
 	rwlock_t *lock;
 };
 
-/**
- * Implementation of crypto_factory_t.create_crypter.
- */
-static crypter_t* create_crypter(private_crypto_factory_t *this,
-								 encryption_algorithm_t algo, size_t key_size)
+METHOD(crypto_factory_t, create_crypter, crypter_t*,
+	private_crypto_factory_t *this, encryption_algorithm_t algo,
+	size_t key_size)
 {
 	enumerator_t *enumerator;
 	entry_t *entry;
@@ -116,7 +128,7 @@ static crypter_t* create_crypter(private_crypto_factory_t *this,
 		{
 			if (this->test_on_create &&
 				!this->tester->test_crypter(this->tester, algo, key_size,
-											entry->create_crypter))
+											entry->create_crypter, NULL))
 			{
 				continue;
 			}
@@ -132,11 +144,40 @@ static crypter_t* create_crypter(private_crypto_factory_t *this,
 	return crypter;
 }
 
-/**
- * Implementation of crypto_factory_t.create_signer.
- */
-static signer_t* create_signer(private_crypto_factory_t *this,
-							   integrity_algorithm_t algo)
+METHOD(crypto_factory_t, create_aead, aead_t*,
+	private_crypto_factory_t *this, encryption_algorithm_t algo,
+	size_t key_size)
+{
+	enumerator_t *enumerator;
+	entry_t *entry;
+	aead_t *aead = NULL;
+
+	this->lock->read_lock(this->lock);
+	enumerator = this->aeads->create_enumerator(this->aeads);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (entry->algo == algo)
+		{
+			if (this->test_on_create &&
+				!this->tester->test_aead(this->tester, algo, key_size,
+										 entry->create_aead, NULL))
+			{
+				continue;
+			}
+			aead = entry->create_aead(algo, key_size);
+			if (aead)
+			{
+				break;
+			}
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
+	return aead;
+}
+
+METHOD(crypto_factory_t, create_signer, signer_t*,
+	private_crypto_factory_t *this, integrity_algorithm_t algo)
 {
 	enumerator_t *enumerator;
 	entry_t *entry;
@@ -150,7 +191,7 @@ static signer_t* create_signer(private_crypto_factory_t *this,
 		{
 			if (this->test_on_create &&
 				!this->tester->test_signer(this->tester, algo,
-										   entry->create_signer))
+										   entry->create_signer, NULL))
 			{
 				continue;
 			}
@@ -167,11 +208,8 @@ static signer_t* create_signer(private_crypto_factory_t *this,
 	return signer;
 }
 
-/**
- * Implementation of crypto_factory_t.create_hasher.
- */
-static hasher_t* create_hasher(private_crypto_factory_t *this,
-							   hash_algorithm_t algo)
+METHOD(crypto_factory_t, create_hasher, hasher_t*,
+	private_crypto_factory_t *this, hash_algorithm_t algo)
 {
 	enumerator_t *enumerator;
 	entry_t *entry;
@@ -185,7 +223,7 @@ static hasher_t* create_hasher(private_crypto_factory_t *this,
 		{
 			if (this->test_on_create && algo != HASH_PREFERRED &&
 				!this->tester->test_hasher(this->tester, algo,
-										   entry->create_hasher))
+										   entry->create_hasher, NULL))
 			{
 				continue;
 			}
@@ -201,11 +239,8 @@ static hasher_t* create_hasher(private_crypto_factory_t *this,
 	return hasher;
 }
 
-/**
- * Implementation of crypto_factory_t.create_prf.
- */
-static prf_t* create_prf(private_crypto_factory_t *this,
-						 pseudo_random_function_t algo)
+METHOD(crypto_factory_t, create_prf, prf_t*,
+	private_crypto_factory_t *this, pseudo_random_function_t algo)
 {
 	enumerator_t *enumerator;
 	entry_t *entry;
@@ -218,7 +253,8 @@ static prf_t* create_prf(private_crypto_factory_t *this,
 		if (entry->algo == algo)
 		{
 			if (this->test_on_create &&
-				!this->tester->test_prf(this->tester, algo, entry->create_prf))
+				!this->tester->test_prf(this->tester, algo,
+										entry->create_prf, NULL))
 			{
 				continue;
 			}
@@ -234,10 +270,8 @@ static prf_t* create_prf(private_crypto_factory_t *this,
 	return prf;
 }
 
-/**
- * Implementation of crypto_factory_t.create_rng.
- */
-static rng_t* create_rng(private_crypto_factory_t *this, rng_quality_t quality)
+METHOD(crypto_factory_t, create_rng, rng_t*,
+	private_crypto_factory_t *this, rng_quality_t quality)
 {
 	enumerator_t *enumerator;
 	entry_t *entry;
@@ -251,7 +285,8 @@ static rng_t* create_rng(private_crypto_factory_t *this, rng_quality_t quality)
 		if (entry->algo >= quality && diff > entry->algo - quality)
 		{
 			if (this->test_on_create &&
-				!this->tester->test_rng(this->tester, quality, entry->create_rng))
+				!this->tester->test_rng(this->tester, quality,
+										entry->create_rng, NULL))
 			{
 				continue;
 			}
@@ -272,11 +307,8 @@ static rng_t* create_rng(private_crypto_factory_t *this, rng_quality_t quality)
 	return NULL;
 }
 
-/**
- * Implementation of crypto_factory_t.create_dh.
- */
-static diffie_hellman_t* create_dh(private_crypto_factory_t *this,
-								   diffie_hellman_group_t group)
+METHOD(crypto_factory_t, create_dh, diffie_hellman_t*,
+	private_crypto_factory_t *this, diffie_hellman_group_t group, ...)
 {
 	enumerator_t *enumerator;
 	entry_t *entry;
@@ -288,7 +320,21 @@ static diffie_hellman_t* create_dh(private_crypto_factory_t *this,
 	{
 		if (entry->algo == group)
 		{
-			diffie_hellman = entry->create_dh(group);
+			if (group == MODP_CUSTOM)
+			{
+				va_list args;
+				chunk_t g, p;
+
+				va_start(args, group);
+				g = va_arg(args, chunk_t);
+				p = va_arg(args, chunk_t);
+				va_end(args);
+				diffie_hellman = entry->create_dh(MODP_CUSTOM, g, p);
+			}
+			else
+			{
+				diffie_hellman = entry->create_dh(group);
+			}
 			if (diffie_hellman)
 			{
 				break;
@@ -301,30 +347,65 @@ static diffie_hellman_t* create_dh(private_crypto_factory_t *this,
 }
 
 /**
- * Implementation of crypto_factory_t.add_crypter.
+ * Insert an algorithm entry to a list
  */
-static void add_crypter(private_crypto_factory_t *this,
-						encryption_algorithm_t algo,
-						crypter_constructor_t create)
+static void add_entry(private_crypto_factory_t *this, linked_list_t *list,
+					  int algo, u_int speed, void *create)
 {
-	if (!this->test_on_add ||
-		this->tester->test_crypter(this->tester, algo, 0, create))
+	entry_t *entry, *current;
+	linked_list_t *tmp;
+	bool inserted = FALSE;
+
+	INIT(entry,
+		.algo = algo,
+		.speed = speed,
+	);
+	entry->create = create;
+
+	this->lock->write_lock(this->lock);
+	if (speed)
+	{	/* insert sorted by speed using a temporary list */
+		tmp = linked_list_create();
+		while (list->remove_first(list, (void**)&current) == SUCCESS)
+		{
+			tmp->insert_last(tmp, current);
+		}
+		while (tmp->remove_first(tmp, (void**)&current) == SUCCESS)
+		{
+			if (!inserted &&
+				current->algo == algo &&
+				current->speed < speed)
+			{
+				list->insert_last(list, entry);
+				inserted = TRUE;
+			}
+			list->insert_last(list, current);
+		}
+		tmp->destroy(tmp);
+	}
+	if (!inserted)
 	{
-		entry_t *entry = malloc_thing(entry_t);
+		list->insert_last(list, entry);
+	}
+	this->lock->unlock(this->lock);
+}
+
+METHOD(crypto_factory_t, add_crypter, void,
+	private_crypto_factory_t *this, encryption_algorithm_t algo,
+	crypter_constructor_t create)
+{
+	u_int speed = 0;
 
-		entry->algo = algo;
-		entry->create_crypter = create;
-		this->lock->write_lock(this->lock);
-		this->crypters->insert_last(this->crypters, entry);
-		this->lock->unlock(this->lock);
+	if (!this->test_on_add ||
+		this->tester->test_crypter(this->tester, algo, 0, create,
+								   this->bench ? &speed : NULL))
+	{
+		add_entry(this, this->crypters, algo, speed, create);
 	}
 }
 
-/**
- * Implementation of crypto_factory_t.remove_crypter.
- */
-static void remove_crypter(private_crypto_factory_t *this,
-						   crypter_constructor_t create)
+METHOD(crypto_factory_t, remove_crypter, void,
+	private_crypto_factory_t *this, crypter_constructor_t create)
 {
 	entry_t *entry;
 	enumerator_t *enumerator;
@@ -343,30 +424,56 @@ static void remove_crypter(private_crypto_factory_t *this,
 	this->lock->unlock(this->lock);
 }
 
-/**
- * Implementation of crypto_factory_t.add_signer.
- */
-static void add_signer(private_crypto_factory_t *this,
-					   integrity_algorithm_t algo, signer_constructor_t create)
+METHOD(crypto_factory_t, add_aead, void,
+	private_crypto_factory_t *this, encryption_algorithm_t algo,
+	aead_constructor_t create)
 {
+	u_int speed = 0;
+
 	if (!this->test_on_add ||
-		this->tester->test_signer(this->tester, algo, create))
+		this->tester->test_aead(this->tester, algo, 0, create,
+								   this->bench ? &speed : NULL))
 	{
-		entry_t *entry = malloc_thing(entry_t);
+		add_entry(this, this->aeads, algo, speed, create);
+	}
+}
 
-		entry->algo = algo;
-		entry->create_signer = create;
-		this->lock->write_lock(this->lock);
-		this->signers->insert_last(this->signers, entry);
-		this->lock->unlock(this->lock);
+METHOD(crypto_factory_t, remove_aead, void,
+	private_crypto_factory_t *this, aead_constructor_t create)
+{
+	entry_t *entry;
+	enumerator_t *enumerator;
+
+	this->lock->write_lock(this->lock);
+	enumerator = this->aeads->create_enumerator(this->aeads);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (entry->create_aead == create)
+		{
+			this->aeads->remove_at(this->aeads, enumerator);
+			free(entry);
+		}
 	}
+	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
 }
 
-/**
- * Implementation of crypto_factory_t.remove_signer.
- */
-static void remove_signer(private_crypto_factory_t *this,
-						  signer_constructor_t create)
+METHOD(crypto_factory_t, add_signer, void,
+	private_crypto_factory_t *this, integrity_algorithm_t algo,
+	signer_constructor_t create)
+{
+	u_int speed = 0;
+
+	if (!this->test_on_add ||
+		this->tester->test_signer(this->tester, algo, create,
+								  this->bench ? &speed : NULL))
+	{
+		add_entry(this, this->signers, algo, speed, create);
+	}
+}
+
+METHOD(crypto_factory_t, remove_signer, void,
+	private_crypto_factory_t *this, signer_constructor_t create)
 {
 	entry_t *entry;
 	enumerator_t *enumerator;
@@ -385,30 +492,22 @@ static void remove_signer(private_crypto_factory_t *this,
 	this->lock->unlock(this->lock);
 }
 
-/**
- * Implementation of crypto_factory_t.add_hasher.
- */
-static void add_hasher(private_crypto_factory_t *this, hash_algorithm_t algo,
-					   hasher_constructor_t create)
+METHOD(crypto_factory_t, add_hasher, void,
+	private_crypto_factory_t *this, hash_algorithm_t algo,
+	hasher_constructor_t create)
 {
+	u_int speed = 0;
+
 	if (!this->test_on_add ||
-		this->tester->test_hasher(this->tester, algo, create))
+		this->tester->test_hasher(this->tester, algo, create,
+								  this->bench ? &speed : NULL))
 	{
-		entry_t *entry = malloc_thing(entry_t);
-
-		entry->algo = algo;
-		entry->create_hasher = create;
-		this->lock->write_lock(this->lock);
-		this->hashers->insert_last(this->hashers, entry);
-		this->lock->unlock(this->lock);
+		add_entry(this, this->hashers, algo, speed, create);
 	}
 }
 
-/**
- * Implementation of crypto_factory_t.remove_hasher.
- */
-static void remove_hasher(private_crypto_factory_t *this,
-						  hasher_constructor_t create)
+METHOD(crypto_factory_t, remove_hasher, void,
+	private_crypto_factory_t *this, hasher_constructor_t create)
 {
 	entry_t *entry;
 	enumerator_t *enumerator;
@@ -427,29 +526,22 @@ static void remove_hasher(private_crypto_factory_t *this,
 	this->lock->unlock(this->lock);
 }
 
-/**
- * Implementation of crypto_factory_t.add_prf.
- */
-static void add_prf(private_crypto_factory_t *this,
-					pseudo_random_function_t algo, prf_constructor_t create)
+METHOD(crypto_factory_t, add_prf, void,
+	private_crypto_factory_t *this, pseudo_random_function_t algo,
+	prf_constructor_t create)
 {
+	u_int speed = 0;
+
 	if (!this->test_on_add ||
-		this->tester->test_prf(this->tester, algo, create))
+		this->tester->test_prf(this->tester, algo, create,
+							   this->bench ? &speed : NULL))
 	{
-		entry_t *entry = malloc_thing(entry_t);
-
-		entry->algo = algo;
-		entry->create_prf = create;
-		this->lock->write_lock(this->lock);
-		this->prfs->insert_last(this->prfs, entry);
-		this->lock->unlock(this->lock);
+		add_entry(this, this->prfs, algo, speed, create);
 	}
 }
 
-/**
- * Implementation of crypto_factory_t.remove_prf.
- */
-static void remove_prf(private_crypto_factory_t *this, prf_constructor_t create)
+METHOD(crypto_factory_t, remove_prf, void,
+	private_crypto_factory_t *this, prf_constructor_t create)
 {
 	entry_t *entry;
 	enumerator_t *enumerator;
@@ -468,29 +560,22 @@ static void remove_prf(private_crypto_factory_t *this, prf_constructor_t create)
 	this->lock->unlock(this->lock);
 }
 
-/**
- * Implementation of crypto_factory_t.add_rng.
- */
-static void add_rng(private_crypto_factory_t *this, rng_quality_t quality,
-					rng_constructor_t create)
+METHOD(crypto_factory_t, add_rng, void,
+	private_crypto_factory_t *this, rng_quality_t quality,
+	rng_constructor_t create)
 {
+	u_int speed = 0;
+
 	if (!this->test_on_add ||
-		this->tester->test_rng(this->tester, quality, create))
+		this->tester->test_rng(this->tester, quality, create,
+							   this->bench ? &speed : NULL))
 	{
-		entry_t *entry = malloc_thing(entry_t);
-
-		entry->algo = quality;
-		entry->create_rng = create;
-		this->lock->write_lock(this->lock);
-		this->rngs->insert_last(this->rngs, entry);
-		this->lock->unlock(this->lock);
+		add_entry(this, this->rngs, quality, speed, create);
 	}
 }
 
-/**
- * Implementation of crypto_factory_t.remove_rng.
- */
-static void remove_rng(private_crypto_factory_t *this, rng_constructor_t create)
+METHOD(crypto_factory_t, remove_rng, void,
+	private_crypto_factory_t *this, rng_constructor_t create)
 {
 	entry_t *entry;
 	enumerator_t *enumerator;
@@ -509,25 +594,15 @@ static void remove_rng(private_crypto_factory_t *this, rng_constructor_t create)
 	this->lock->unlock(this->lock);
 }
 
-/**
- * Implementation of crypto_factory_t.add_dh.
- */
-static void add_dh(private_crypto_factory_t *this, diffie_hellman_group_t group,
-				   dh_constructor_t create)
+METHOD(crypto_factory_t, add_dh, void,
+	private_crypto_factory_t *this, diffie_hellman_group_t group,
+	dh_constructor_t create)
 {
-	entry_t *entry = malloc_thing(entry_t);
-
-	entry->algo = group;
-	entry->create_dh = create;
-	this->lock->write_lock(this->lock);
-	this->dhs->insert_last(this->dhs, entry);
-	this->lock->unlock(this->lock);
+	add_entry(this, this->dhs, group, 0, create);
 }
 
-/**
- * Implementation of crypto_factory_t.remove_dh.
- */
-static void remove_dh(private_crypto_factory_t *this, dh_constructor_t create)
+METHOD(crypto_factory_t, remove_dh, void,
+	private_crypto_factory_t *this, dh_constructor_t create)
 {
 	entry_t *entry;
 	enumerator_t *enumerator;
@@ -591,14 +666,18 @@ static bool crypter_filter(void *n, entry_t **entry, encryption_algorithm_t *alg
 	return TRUE;
 }
 
-/**
- * Implementation of crypto_factory_t.create_crypter_enumerator
- */
-static enumerator_t* create_crypter_enumerator(private_crypto_factory_t *this)
+METHOD(crypto_factory_t, create_crypter_enumerator, enumerator_t*,
+	private_crypto_factory_t *this)
 {
 	return create_enumerator(this, this->crypters, crypter_filter);
 }
 
+METHOD(crypto_factory_t, create_aead_enumerator, enumerator_t*,
+	private_crypto_factory_t *this)
+{
+	return create_enumerator(this, this->aeads, crypter_filter);
+}
+
 /**
  * Filter function to enumerate algorithm, not entry
  */
@@ -608,10 +687,8 @@ static bool signer_filter(void *n, entry_t **entry, integrity_algorithm_t *algo)
 	return TRUE;
 }
 
-/**
- * Implementation of crypto_factory_t.create_signer_enumerator
- */
-static enumerator_t* create_signer_enumerator(private_crypto_factory_t *this)
+METHOD(crypto_factory_t, create_signer_enumerator, enumerator_t*,
+	private_crypto_factory_t *this)
 {
 	return create_enumerator(this, this->signers, signer_filter);
 }
@@ -625,10 +702,8 @@ static bool hasher_filter(void *n, entry_t **entry, hash_algorithm_t *algo)
 	return TRUE;
 }
 
-/**
- * Implementation of crypto_factory_t.create_hasher_enumerator
- */
-static enumerator_t* create_hasher_enumerator(private_crypto_factory_t *this)
+METHOD(crypto_factory_t, create_hasher_enumerator, enumerator_t*,
+	private_crypto_factory_t *this)
 {
 	return create_enumerator(this, this->hashers, hasher_filter);
 }
@@ -642,10 +717,8 @@ static bool prf_filter(void *n, entry_t **entry, pseudo_random_function_t *algo)
 	return TRUE;
 }
 
-/**
- * Implementation of crypto_factory_t.create_prf_enumerator
- */
-static enumerator_t* create_prf_enumerator(private_crypto_factory_t *this)
+METHOD(crypto_factory_t, create_prf_enumerator, enumerator_t*,
+	private_crypto_factory_t *this)
 {
 	return create_enumerator(this, this->prfs, prf_filter);
 }
@@ -659,24 +732,21 @@ static bool dh_filter(void *n, entry_t **entry, diffie_hellman_group_t *group)
 	return TRUE;
 }
 
-/**
- * Implementation of crypto_factory_t.create_dh_enumerator
- */
-static enumerator_t* create_dh_enumerator(private_crypto_factory_t *this)
+METHOD(crypto_factory_t, create_dh_enumerator, enumerator_t*,
+	private_crypto_factory_t *this)
 {
 	return create_enumerator(this, this->dhs, dh_filter);
 }
 
-/**
- * Implementation of crypto_factory_t.add_test_vector
- */
-static void add_test_vector(private_crypto_factory_t *this,
-							transform_type_t type, void *vector)
+METHOD(crypto_factory_t, add_test_vector, void,
+	private_crypto_factory_t *this, transform_type_t type, void *vector)
 {
 	switch (type)
 	{
 		case ENCRYPTION_ALGORITHM:
 			return this->tester->add_crypter_vector(this->tester, vector);
+		case AEAD_ALGORITHM:
+			return this->tester->add_aead_vector(this->tester, vector);
 		case INTEGRITY_ALGORITHM:
 			return this->tester->add_signer_vector(this->tester, vector);
 		case HASH_ALGORITHM:
@@ -691,17 +761,16 @@ static void add_test_vector(private_crypto_factory_t *this,
 	}
 }
 
-/**
- * Implementation of crypto_factory_t.destroy
- */
-static void destroy(private_crypto_factory_t *this)
-{
-	this->crypters->destroy_function(this->crypters, free);
-	this->signers->destroy_function(this->signers, free);
-	this->hashers->destroy_function(this->hashers, free);
-	this->prfs->destroy_function(this->prfs, free);
-	this->rngs->destroy_function(this->rngs, free);
-	this->dhs->destroy_function(this->dhs, free);
+METHOD(crypto_factory_t, destroy, void,
+	private_crypto_factory_t *this)
+{
+	this->crypters->destroy(this->crypters);
+	this->aeads->destroy(this->aeads);
+	this->signers->destroy(this->signers);
+	this->hashers->destroy(this->hashers);
+	this->prfs->destroy(this->prfs);
+	this->rngs->destroy(this->rngs);
+	this->dhs->destroy(this->dhs);
 	this->tester->destroy(this->tester);
 	this->lock->destroy(this->lock);
 	free(this);
@@ -712,46 +781,56 @@ static void destroy(private_crypto_factory_t *this)
  */
 crypto_factory_t *crypto_factory_create()
 {
-	private_crypto_factory_t *this = malloc_thing(private_crypto_factory_t);
-
-	this->public.create_crypter = (crypter_t*(*)(crypto_factory_t*, encryption_algorithm_t, size_t))create_crypter;
-	this->public.create_signer = (signer_t*(*)(crypto_factory_t*, integrity_algorithm_t))create_signer;
-	this->public.create_hasher = (hasher_t*(*)(crypto_factory_t*, hash_algorithm_t))create_hasher;
-	this->public.create_prf = (prf_t*(*)(crypto_factory_t*, pseudo_random_function_t))create_prf;
-	this->public.create_rng = (rng_t*(*)(crypto_factory_t*, rng_quality_t quality))create_rng;
-	this->public.create_dh = (diffie_hellman_t*(*)(crypto_factory_t*, diffie_hellman_group_t group))create_dh;
-	this->public.add_crypter = (void(*)(crypto_factory_t*, encryption_algorithm_t algo, crypter_constructor_t create))add_crypter;
-	this->public.remove_crypter = (void(*)(crypto_factory_t*, crypter_constructor_t create))remove_crypter;
-	this->public.add_signer = (void(*)(crypto_factory_t*, integrity_algorithm_t algo, signer_constructor_t create))add_signer;
-	this->public.remove_signer = (void(*)(crypto_factory_t*, signer_constructor_t create))remove_signer;
-	this->public.add_hasher = (void(*)(crypto_factory_t*, hash_algorithm_t algo, hasher_constructor_t create))add_hasher;
-	this->public.remove_hasher = (void(*)(crypto_factory_t*, hasher_constructor_t create))remove_hasher;
-	this->public.add_prf = (void(*)(crypto_factory_t*, pseudo_random_function_t algo, prf_constructor_t create))add_prf;
-	this->public.remove_prf = (void(*)(crypto_factory_t*, prf_constructor_t create))remove_prf;
-	this->public.add_rng = (void(*)(crypto_factory_t*, rng_quality_t quality, rng_constructor_t create))add_rng;
-	this->public.remove_rng = (void(*)(crypto_factory_t*, rng_constructor_t create))remove_rng;
-	this->public.add_dh = (void(*)(crypto_factory_t*, diffie_hellman_group_t algo, dh_constructor_t create))add_dh;
-	this->public.remove_dh = (void(*)(crypto_factory_t*, dh_constructor_t create))remove_dh;
-	this->public.create_crypter_enumerator = (enumerator_t*(*)(crypto_factory_t*))create_crypter_enumerator;
-	this->public.create_signer_enumerator = (enumerator_t*(*)(crypto_factory_t*))create_signer_enumerator;
-	this->public.create_hasher_enumerator = (enumerator_t*(*)(crypto_factory_t*))create_hasher_enumerator;
-	this->public.create_prf_enumerator = (enumerator_t*(*)(crypto_factory_t*))create_prf_enumerator;
-	this->public.create_dh_enumerator = (enumerator_t*(*)(crypto_factory_t*))create_dh_enumerator;
-	this->public.add_test_vector = (void(*)(crypto_factory_t*, transform_type_t type, ...))add_test_vector;
-	this->public.destroy = (void(*)(crypto_factory_t*))destroy;
-
-	this->crypters = linked_list_create();
-	this->signers = linked_list_create();
-	this->hashers = linked_list_create();
-	this->prfs = linked_list_create();
-	this->rngs = linked_list_create();
-	this->dhs = linked_list_create();
-	this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
-	this->tester = crypto_tester_create();
-	this->test_on_add = lib->settings->get_bool(lib->settings,
-								"libstrongswan.crypto_test.on_add", FALSE);
-	this->test_on_create = lib->settings->get_bool(lib->settings,
-								"libstrongswan.crypto_test.on_create", FALSE);
+	private_crypto_factory_t *this;
+
+	INIT(this,
+		.public = {
+			.create_crypter = _create_crypter,
+			.create_aead = _create_aead,
+			.create_signer = _create_signer,
+			.create_hasher = _create_hasher,
+			.create_prf = _create_prf,
+			.create_rng = _create_rng,
+			.create_dh = _create_dh,
+			.add_crypter = _add_crypter,
+			.remove_crypter = _remove_crypter,
+			.add_aead = _add_aead,
+			.remove_aead = _remove_aead,
+			.add_signer = _add_signer,
+			.remove_signer = _remove_signer,
+			.add_hasher = _add_hasher,
+			.remove_hasher = _remove_hasher,
+			.add_prf = _add_prf,
+			.remove_prf = _remove_prf,
+			.add_rng = _add_rng,
+			.remove_rng = _remove_rng,
+			.add_dh = _add_dh,
+			.remove_dh = _remove_dh,
+			.create_crypter_enumerator = _create_crypter_enumerator,
+			.create_aead_enumerator = _create_aead_enumerator,
+			.create_signer_enumerator = _create_signer_enumerator,
+			.create_hasher_enumerator = _create_hasher_enumerator,
+			.create_prf_enumerator = _create_prf_enumerator,
+			.create_dh_enumerator = _create_dh_enumerator,
+			.add_test_vector = _add_test_vector,
+			.destroy = _destroy,
+		},
+		.crypters = linked_list_create(),
+		.aeads = linked_list_create(),
+		.signers = linked_list_create(),
+		.hashers = linked_list_create(),
+		.prfs = linked_list_create(),
+		.rngs = linked_list_create(),
+		.dhs = linked_list_create(),
+		.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
+		.tester = crypto_tester_create(),
+		.test_on_add = lib->settings->get_bool(lib->settings,
+								"libstrongswan.crypto_test.on_add", FALSE),
+		.test_on_create = lib->settings->get_bool(lib->settings,
+								"libstrongswan.crypto_test.on_create", FALSE),
+		.bench = lib->settings->get_bool(lib->settings,
+								"libstrongswan.crypto_test.bench", FALSE),
+	);
 
 	return &this->public;
 }
diff --git a/src/libstrongswan/crypto/crypto_factory.h b/src/libstrongswan/crypto/crypto_factory.h
index 9c6effd26..ff06eda7b 100644
--- a/src/libstrongswan/crypto/crypto_factory.h
+++ b/src/libstrongswan/crypto/crypto_factory.h
@@ -25,6 +25,7 @@ typedef struct crypto_factory_t crypto_factory_t;
 
 #include <library.h>
 #include <crypto/crypters/crypter.h>
+#include <crypto/aead.h>
 #include <crypto/signers/signer.h>
 #include <crypto/hashers/hasher.h>
 #include <crypto/prfs/prf.h>
@@ -37,6 +38,11 @@ typedef struct crypto_factory_t crypto_factory_t;
  */
 typedef crypter_t* (*crypter_constructor_t)(encryption_algorithm_t algo,
 											size_t key_size);
+/**
+ * Constructor function for aead transforms
+ */
+typedef aead_t* (*aead_constructor_t)(encryption_algorithm_t algo,
+									  size_t key_size);
 /**
  * Constructor function for signers
  */
@@ -59,8 +65,11 @@ typedef rng_t* (*rng_constructor_t)(rng_quality_t quality);
 
 /**
  * Constructor function for diffie hellman
+ *
+ * The DH constructor accepts additional arguments for:
+ * - MODP_CUSTOM: chunk_t generator, chunk_t prime
  */
-typedef diffie_hellman_t* (*dh_constructor_t)(diffie_hellman_group_t group);
+typedef diffie_hellman_t* (*dh_constructor_t)(diffie_hellman_group_t group, ...);
 
 /**
  * Handles crypto modules and creates instances.
@@ -77,6 +86,16 @@ struct crypto_factory_t {
 	crypter_t* (*create_crypter)(crypto_factory_t *this,
 								 encryption_algorithm_t algo, size_t key_size);
 
+	/**
+	 * Create a aead instance.
+	 *
+	 * @param algo			encryption algorithm
+	 * @param key_size		length of the key in bytes
+	 * @return				aead_t instance, NULL if not supported
+	 */
+	aead_t* (*create_aead)(crypto_factory_t *this,
+						   encryption_algorithm_t algo, size_t key_size);
+
 	/**
 	 * Create a symmetric signer instance.
 	 *
@@ -113,11 +132,13 @@ struct crypto_factory_t {
 	/**
 	 * Create a diffie hellman instance.
 	 *
+	 * Additional arguments are passed to the DH constructor.
+	 *
 	 * @param group			diffie hellman group
 	 * @return				diffie_hellman_t instance, NULL if not supported
 	 */
 	diffie_hellman_t* (*create_dh)(crypto_factory_t *this,
-								   diffie_hellman_group_t group);
+								   diffie_hellman_group_t group, ...);
 
 	/**
 	 * Register a crypter constructor.
@@ -136,6 +157,23 @@ struct crypto_factory_t {
 	 */
 	void (*remove_crypter)(crypto_factory_t *this, crypter_constructor_t create);
 
+	/**
+	 * Unregister a aead constructor.
+	 *
+	 * @param create		constructor function to unregister
+	 */
+	void (*remove_aead)(crypto_factory_t *this, aead_constructor_t create);
+
+	/**
+	 * Register a aead constructor.
+	 *
+	 * @param algo			algorithm to constructor
+	 * @param create		constructor function for that algorithm
+	 * @return
+	 */
+	void (*add_aead)(crypto_factory_t *this, encryption_algorithm_t algo,
+					 aead_constructor_t create);
+
 	/**
 	 * Register a signer constructor.
 	 *
@@ -229,6 +267,13 @@ struct crypto_factory_t {
 	 */
 	enumerator_t* (*create_crypter_enumerator)(crypto_factory_t *this);
 
+	/**
+	 * Create an enumerator over all registered aead algorithms.
+	 *
+	 * @return				enumerator over encryption_algorithm_t
+	 */
+	enumerator_t* (*create_aead_enumerator)(crypto_factory_t *this);
+
 	/**
 	 * Create an enumerator over all registered signer algorithms.
 	 *
@@ -261,9 +306,10 @@ struct crypto_factory_t {
 	 * Add a test vector to the crypto factory.
 	 *
 	 * @param type			type of the test vector
-	 * @param ...			pointer to a test vector, defined in crypto_tester.h
+	 * @param vector		pointer to a test vector, defined in crypto_tester.h
 	 */
-	void (*add_test_vector)(crypto_factory_t *this, transform_type_t type, ...);
+	void (*add_test_vector)(crypto_factory_t *this, transform_type_t type,
+							void *vector);
 
 	/**
 	 * Destroy a crypto_factory instance.
diff --git a/src/libstrongswan/crypto/crypto_tester.c b/src/libstrongswan/crypto/crypto_tester.c
index 76cc1cf2c..d17485ff2 100644
--- a/src/libstrongswan/crypto/crypto_tester.c
+++ b/src/libstrongswan/crypto/crypto_tester.c
@@ -1,6 +1,7 @@
 /*
- * Copyright (C) 2009 Martin Willi
+ * Copyright (C) 2009-2010 Martin Willi
  * Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2010 revosec AG
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -13,6 +14,10 @@
  * for more details.
  */
 
+#define _GNU_SOURCE
+#include <dlfcn.h>
+#include <time.h>
+
 #include "crypto_tester.h"
 
 #include <debug.h>
@@ -35,6 +40,11 @@ struct private_crypto_tester_t {
 	 */
 	linked_list_t *crypter;
 
+	/**
+	 * List of aead test vectors
+	 */
+	linked_list_t *aead;
+
 	/**
 	 * List of signer test vectors
 	 */
@@ -64,13 +74,98 @@ struct private_crypto_tester_t {
 	 * should we run RNG_TRUE tests? Enough entropy?
 	 */
 	bool rng_true;
+
+	/**
+	 * time we test each algorithm
+	 */
+	int bench_time;
+
+	/**
+	 * size of buffer we use for benchmarking
+	 */
+	int bench_size;
 };
 
 /**
- * Implementation of crypto_tester_t.test_crypter
+ * Get the name of a test vector, if available
+ */
+static const char* get_name(void *sym)
+{
+#ifdef HAVE_DLADDR
+	Dl_info dli;
+
+	if (dladdr(sym, &dli))
+	{
+		return dli.dli_sname;
+	}
+#endif
+	return "unknown";
+}
+
+/**
+ * Start a benchmark timer
+ */
+static void start_timing(struct timespec *start)
+{
+	clock_gettime(CLOCK_THREAD_CPUTIME_ID, start);
+}
+
+/**
+ * End a benchmark timer, return ms
+ */
+static u_int end_timing(struct timespec *start)
+{
+	struct timespec end;
+
+	clock_gettime(CLOCK_THREAD_CPUTIME_ID, &end);
+	return (end.tv_nsec - start->tv_nsec) / 1000000 +
+			(end.tv_sec - start->tv_sec) * 1000;
+}
+
+/**
+ * Benchmark a crypter
  */
-static bool test_crypter(private_crypto_tester_t *this,
-	encryption_algorithm_t alg, size_t key_size, crypter_constructor_t create)
+static u_int bench_crypter(private_crypto_tester_t *this,
+	encryption_algorithm_t alg, crypter_constructor_t create)
+{
+	crypter_t *crypter;
+
+	crypter = create(alg, 0);
+	if (crypter)
+	{
+		char iv[crypter->get_iv_size(crypter)];
+		char key[crypter->get_key_size(crypter)];
+		chunk_t buf;
+		struct timespec start;
+		u_int runs;
+
+		memset(iv, 0x56, sizeof(iv));
+		memset(key, 0x12, sizeof(key));
+		crypter->set_key(crypter, chunk_from_thing(key));
+
+		buf = chunk_alloc(this->bench_size);
+		memset(buf.ptr, 0x34, buf.len);
+
+		runs = 0;
+		start_timing(&start);
+		while (end_timing(&start) < this->bench_time)
+		{
+			crypter->encrypt(crypter, buf, chunk_from_thing(iv), NULL);
+			runs++;
+			crypter->decrypt(crypter, buf, chunk_from_thing(iv), NULL);
+			runs++;
+		}
+		free(buf.ptr);
+		crypter->destroy(crypter);
+
+		return runs;
+	}
+	return 0;
+}
+
+METHOD(crypto_tester_t, test_crypter, bool,
+	private_crypto_tester_t *this, encryption_algorithm_t alg, size_t key_size,
+	crypter_constructor_t create, u_int *speed)
 {
 	enumerator_t *enumerator;
 	crypter_test_vector_t *vector;
@@ -102,7 +197,7 @@ static bool test_crypter(private_crypto_tester_t *this,
 
 		key = chunk_create(vector->key, crypter->get_key_size(crypter));
 		crypter->set_key(crypter, key);
-		iv = chunk_create(vector->iv, crypter->get_block_size(crypter));
+		iv = chunk_create(vector->iv, crypter->get_iv_size(crypter));
 
 		/* allocated encryption */
 		plain = chunk_create(vector->plain, vector->len);
@@ -136,8 +231,165 @@ static bool test_crypter(private_crypto_tester_t *this,
 		crypter->destroy(crypter);
 		if (failed)
 		{
-			DBG1(DBG_LIB, "disabled %N: test vector %u failed",
+			DBG1(DBG_LIB, "disabled %N: %s test vector failed",
+				 encryption_algorithm_names, alg, get_name(vector));
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	if (!tested)
+	{
+		DBG1(DBG_LIB, "%s %N: no test vectors found",
+			 this->required ? "disabled" : "enabled ",
+			 encryption_algorithm_names, alg);
+		return !this->required;
+	}
+	if (!failed)
+	{
+		if (speed)
+		{
+			*speed = bench_crypter(this, alg, create);
+			DBG1(DBG_LIB, "enabled  %N: passed %u test vectors, %d points",
+				 encryption_algorithm_names, alg, tested, *speed);
+		}
+		else
+		{
+			DBG1(DBG_LIB, "enabled  %N: passed %u test vectors",
 				 encryption_algorithm_names, alg, tested);
+		}
+	}
+	return !failed;
+}
+
+/**
+ * Benchmark an aead transform
+ */
+static u_int bench_aead(private_crypto_tester_t *this,
+	encryption_algorithm_t alg, aead_constructor_t create)
+{
+	aead_t *aead;
+
+	aead = create(alg, 0);
+	if (aead)
+	{
+		char iv[aead->get_iv_size(aead)];
+		char key[aead->get_key_size(aead)];
+		char assoc[4];
+		chunk_t buf;
+		struct timespec start;
+		u_int runs;
+		size_t icv;
+
+		memset(iv, 0x56, sizeof(iv));
+		memset(key, 0x12, sizeof(key));
+		memset(assoc, 0x78, sizeof(assoc));
+		aead->set_key(aead, chunk_from_thing(key));
+		icv = aead->get_icv_size(aead);
+
+		buf = chunk_alloc(this->bench_size + icv);
+		memset(buf.ptr, 0x34, buf.len);
+		buf.len -= icv;
+
+		runs = 0;
+		start_timing(&start);
+		while (end_timing(&start) < this->bench_time)
+		{
+			aead->encrypt(aead, buf, chunk_from_thing(assoc),
+						  chunk_from_thing(iv), NULL);
+			runs += 2;
+			aead->decrypt(aead, chunk_create(buf.ptr, buf.len + icv),
+						  chunk_from_thing(assoc), chunk_from_thing(iv), NULL);
+			runs += 2;
+		}
+		free(buf.ptr);
+		aead->destroy(aead);
+
+		return runs;
+	}
+	return 0;
+}
+
+METHOD(crypto_tester_t, test_aead, bool,
+	private_crypto_tester_t *this, encryption_algorithm_t alg, size_t key_size,
+	aead_constructor_t create, u_int *speed)
+{
+	enumerator_t *enumerator;
+	aead_test_vector_t *vector;
+	bool failed = FALSE;
+	u_int tested = 0;
+
+	enumerator = this->aead->create_enumerator(this->aead);
+	while (enumerator->enumerate(enumerator, &vector))
+	{
+		aead_t *aead;
+		chunk_t key, plain, cipher, iv, assoc;
+		size_t icv;
+
+		if (vector->alg != alg)
+		{
+			continue;
+		}
+		if (key_size && key_size != vector->key_size)
+		{	/* test only vectors with a specific key size, if key size given */
+			continue;
+		}
+		aead = create(alg, vector->key_size);
+		if (!aead)
+		{	/* key size not supported... */
+			continue;
+		}
+
+		failed = FALSE;
+		tested++;
+
+		key = chunk_create(vector->key, aead->get_key_size(aead));
+		aead->set_key(aead, key);
+		iv = chunk_create(vector->iv, aead->get_iv_size(aead));
+		assoc = chunk_create(vector->adata, vector->alen);
+		icv = aead->get_icv_size(aead);
+
+		/* allocated encryption */
+		plain = chunk_create(vector->plain, vector->len);
+		aead->encrypt(aead, plain, assoc, iv, &cipher);
+		if (!memeq(vector->cipher, cipher.ptr, cipher.len))
+		{
+			failed = TRUE;
+		}
+		/* inline decryption */
+		if (!aead->decrypt(aead, cipher, assoc, iv, NULL))
+		{
+			failed = TRUE;
+		}
+		if (!memeq(vector->plain, cipher.ptr, cipher.len - icv))
+		{
+			failed = TRUE;
+		}
+		free(cipher.ptr);
+		/* allocated decryption */
+		cipher = chunk_create(vector->cipher, vector->len + icv);
+		if (!aead->decrypt(aead, cipher, assoc, iv, &plain))
+		{
+			plain = chunk_empty;
+			failed = TRUE;
+		}
+		else if (!memeq(vector->plain, plain.ptr, plain.len))
+		{
+			failed = TRUE;
+		}
+		plain.ptr = realloc(plain.ptr, plain.len + icv);
+		/* inline encryption */
+		aead->encrypt(aead, plain, assoc, iv, NULL);
+		if (!memeq(vector->cipher, plain.ptr, plain.len + icv))
+		{
+			failed = TRUE;
+		}
+		free(plain.ptr);
+
+		aead->destroy(aead);
+		if (failed)
+		{
+			DBG1(DBG_LIB, "disabled %N: %s test vector failed",
+				 encryption_algorithm_names, alg, get_name(vector));
 			break;
 		}
 	}
@@ -151,17 +403,64 @@ static bool test_crypter(private_crypto_tester_t *this,
 	}
 	if (!failed)
 	{
-		DBG1(DBG_LIB, "enabled  %N: passed %u test vectors",
-			 encryption_algorithm_names, alg, tested);
+		if (speed)
+		{
+			*speed = bench_aead(this, alg, create);
+			DBG1(DBG_LIB, "enabled  %N: passed %u test vectors, %d points",
+				 encryption_algorithm_names, alg, tested, *speed);
+		}
+		else
+		{
+			DBG1(DBG_LIB, "enabled  %N: passed %u test vectors",
+				 encryption_algorithm_names, alg, tested);
+		}
 	}
 	return !failed;
 }
 
 /**
- * Implementation of crypto_tester_t.test_signer
+ * Benchmark a signer
  */
-static bool test_signer(private_crypto_tester_t *this,
-						integrity_algorithm_t alg, signer_constructor_t create)
+static u_int bench_signer(private_crypto_tester_t *this,
+	encryption_algorithm_t alg, signer_constructor_t create)
+{
+	signer_t *signer;
+
+	signer = create(alg);
+	if (signer)
+	{
+		char key[signer->get_key_size(signer)];
+		char mac[signer->get_block_size(signer)];
+		chunk_t buf;
+		struct timespec start;
+		u_int runs;
+
+		memset(key, 0x12, sizeof(key));
+		signer->set_key(signer, chunk_from_thing(key));
+
+		buf = chunk_alloc(this->bench_size);
+		memset(buf.ptr, 0x34, buf.len);
+
+		runs = 0;
+		start_timing(&start);
+		while (end_timing(&start) < this->bench_time)
+		{
+			signer->get_signature(signer, buf, mac);
+			runs++;
+			signer->verify_signature(signer, buf, chunk_from_thing(mac));
+			runs++;
+		}
+		free(buf.ptr);
+		signer->destroy(signer);
+
+		return runs;
+	}
+	return 0;
+}
+
+METHOD(crypto_tester_t, test_signer, bool,
+	private_crypto_tester_t *this, integrity_algorithm_t alg,
+	signer_constructor_t create, u_int *speed)
 {
 	enumerator_t *enumerator;
 	signer_test_vector_t *vector;
@@ -226,11 +525,10 @@ static bool test_signer(private_crypto_tester_t *this,
 		/* signature to existing buffer, using append mode */
 		if (data.len > 2)
 		{
-			memset(mac.ptr, 0, mac.len);
 			signer->allocate_signature(signer, chunk_create(data.ptr, 1), NULL);
 			signer->get_signature(signer, chunk_create(data.ptr + 1, 1), NULL);
-			signer->get_signature(signer, chunk_skip(data, 2), mac.ptr);
-			if (!memeq(vector->mac, mac.ptr, mac.len))
+			if (!signer->verify_signature(signer, chunk_skip(data, 2),
+										  chunk_create(vector->mac, mac.len)))
 			{
 				failed = TRUE;
 			}
@@ -240,8 +538,8 @@ static bool test_signer(private_crypto_tester_t *this,
 		signer->destroy(signer);
 		if (failed)
 		{
-			DBG1(DBG_LIB, "disabled %N: test vector %u failed",
-				 integrity_algorithm_names, alg, tested);
+			DBG1(DBG_LIB, "disabled %N: %s test vector failed",
+				 integrity_algorithm_names, alg, get_name(vector));
 			break;
 		}
 	}
@@ -255,17 +553,58 @@ static bool test_signer(private_crypto_tester_t *this,
 	}
 	if (!failed)
 	{
-		DBG1(DBG_LIB, "enabled  %N: passed %u test vectors",
-			 integrity_algorithm_names, alg, tested);
+		if (speed)
+		{
+			*speed = bench_signer(this, alg, create);
+			DBG1(DBG_LIB, "enabled  %N: passed %u test vectors, %d points",
+				 integrity_algorithm_names, alg, tested, *speed);
+		}
+		else
+		{
+			DBG1(DBG_LIB, "enabled  %N: passed %u test vectors",
+				 integrity_algorithm_names, alg, tested);
+		}
 	}
 	return !failed;
 }
 
 /**
- * Implementation of hasher_t.test_hasher
+ * Benchmark a hasher
  */
-static bool test_hasher(private_crypto_tester_t *this, hash_algorithm_t alg,
-						hasher_constructor_t create)
+static u_int bench_hasher(private_crypto_tester_t *this,
+	hash_algorithm_t alg, hasher_constructor_t create)
+{
+	hasher_t *hasher;
+
+	hasher = create(alg);
+	if (hasher)
+	{
+		char hash[hasher->get_hash_size(hasher)];
+		chunk_t buf;
+		struct timespec start;
+		u_int runs;
+
+		buf = chunk_alloc(this->bench_size);
+		memset(buf.ptr, 0x34, buf.len);
+
+		runs = 0;
+		start_timing(&start);
+		while (end_timing(&start) < this->bench_time)
+		{
+			hasher->get_hash(hasher, buf, hash);
+			runs++;
+		}
+		free(buf.ptr);
+		hasher->destroy(hasher);
+
+		return runs;
+	}
+	return 0;
+}
+
+METHOD(crypto_tester_t, test_hasher, bool,
+	private_crypto_tester_t *this, hash_algorithm_t alg,
+	hasher_constructor_t create, u_int *speed)
 {
 	enumerator_t *enumerator;
 	hasher_test_vector_t *vector;
@@ -330,8 +669,8 @@ static bool test_hasher(private_crypto_tester_t *this, hash_algorithm_t alg,
 		hasher->destroy(hasher);
 		if (failed)
 		{
-			DBG1(DBG_LIB, "disabled %N: test vector %u failed",
-				 hash_algorithm_names, alg, tested);
+			DBG1(DBG_LIB, "disabled %N: %s test vector failed",
+				 hash_algorithm_names, alg, get_name(vector));
 			break;
 		}
 	}
@@ -345,17 +684,58 @@ static bool test_hasher(private_crypto_tester_t *this, hash_algorithm_t alg,
 	}
 	if (!failed)
 	{
-		DBG1(DBG_LIB, "enabled  %N: passed %u test vectors",
-			 hash_algorithm_names, alg, tested);
+		if (speed)
+		{
+			*speed = bench_hasher(this, alg, create);
+			DBG1(DBG_LIB, "enabled  %N: passed %u test vectors, %d points",
+				 hash_algorithm_names, alg, tested, *speed);
+		}
+		else
+		{
+			DBG1(DBG_LIB, "enabled  %N: passed %u test vectors",
+				 hash_algorithm_names, alg, tested);
+		}
 	}
 	return !failed;
 }
 
 /**
- * Implementation of crypto_tester_t.test_prf
+ * Benchmark a PRF
  */
-static bool test_prf(private_crypto_tester_t *this,
-					 pseudo_random_function_t alg, prf_constructor_t create)
+static u_int bench_prf(private_crypto_tester_t *this,
+					   pseudo_random_function_t alg, prf_constructor_t create)
+{
+	prf_t *prf;
+
+	prf = create(alg);
+	if (prf)
+	{
+		char bytes[prf->get_block_size(prf)];
+		chunk_t buf;
+		struct timespec start;
+		u_int runs;
+
+		buf = chunk_alloc(this->bench_size);
+		memset(buf.ptr, 0x34, buf.len);
+
+		runs = 0;
+		start_timing(&start);
+		while (end_timing(&start) < this->bench_time)
+		{
+			prf->get_bytes(prf, buf, bytes);
+			runs++;
+		}
+		free(buf.ptr);
+		prf->destroy(prf);
+
+		return runs;
+	}
+	return 0;
+}
+
+METHOD(crypto_tester_t, test_prf, bool,
+	private_crypto_tester_t *this, pseudo_random_function_t alg,
+	prf_constructor_t create, u_int *speed)
 {
 	enumerator_t *enumerator;
 	prf_test_vector_t *vector;
@@ -431,8 +811,8 @@ static bool test_prf(private_crypto_tester_t *this,
 		prf->destroy(prf);
 		if (failed)
 		{
-			DBG1(DBG_LIB, "disabled %N: test vector %u failed",
-				 pseudo_random_function_names, alg, tested);
+			DBG1(DBG_LIB, "disabled %N: %s test vector failed",
+				 pseudo_random_function_names, alg, get_name(vector));
 			break;
 		}
 	}
@@ -446,17 +826,55 @@ static bool test_prf(private_crypto_tester_t *this,
 	}
 	if (!failed)
 	{
-		DBG1(DBG_LIB, "enabled  %N: passed %u test vectors",
-			 pseudo_random_function_names, alg, tested);
+		if (speed)
+		{
+			*speed = bench_prf(this, alg, create);
+			DBG1(DBG_LIB, "enabled  %N: passed %u test vectors, %d points",
+				 pseudo_random_function_names, alg, tested, *speed);
+		}
+		else
+		{
+			DBG1(DBG_LIB, "enabled  %N: passed %u test vectors",
+				 pseudo_random_function_names, alg, tested);
+		}
 	}
 	return !failed;
 }
 
 /**
- * Implementation of crypto_tester_t.test_rng
+ * Benchmark a RNG
  */
-static bool test_rng(private_crypto_tester_t *this, rng_quality_t quality,
-					 rng_constructor_t create)
+static u_int bench_rng(private_crypto_tester_t *this,
+					   rng_quality_t quality, rng_constructor_t create)
+{
+	rng_t *rng;
+
+	rng = create(quality);
+	if (rng)
+	{
+		struct timespec start;
+		chunk_t buf;
+		u_int runs;
+
+		runs = 0;
+		buf = chunk_alloc(this->bench_size);
+		start_timing(&start);
+		while (end_timing(&start) < this->bench_time)
+		{
+			rng->get_bytes(rng, buf.len, buf.ptr);
+			runs++;
+		}
+		free(buf.ptr);
+		rng->destroy(rng);
+
+		return runs;
+	}
+	return 0;
+}
+
+METHOD(crypto_tester_t, test_rng, bool,
+	private_crypto_tester_t *this, rng_quality_t quality,
+	rng_constructor_t create, u_int *speed)
 {
 	enumerator_t *enumerator;
 	rng_test_vector_t *vector;
@@ -515,8 +933,8 @@ static bool test_rng(private_crypto_tester_t *this, rng_quality_t quality,
 		rng->destroy(rng);
 		if (failed)
 		{
-			DBG1(DBG_LIB, "disabled %N: test vector %u failed",
-				 rng_quality_names, quality, tested);
+			DBG1(DBG_LIB, "disabled %N: %s test vector failed",
+				 rng_quality_names, quality, get_name(vector));
 			break;
 		}
 	}
@@ -530,63 +948,62 @@ static bool test_rng(private_crypto_tester_t *this, rng_quality_t quality,
 	}
 	if (!failed)
 	{
-		DBG1(DBG_LIB, "enabled  %N: passed %u test vectors",
-			 rng_quality_names, quality, tested);
+		if (speed)
+		{
+			*speed = bench_rng(this, quality, create);
+			DBG1(DBG_LIB, "enabled  %N: passed %u test vectors, %d points",
+				 rng_quality_names, quality, tested, *speed);
+		}
+		else
+		{
+			DBG1(DBG_LIB, "enabled  %N: passed %u test vectors",
+				 rng_quality_names, quality, tested);
+		}
 	}
 	return !failed;
 }
 
-/**
- * Implementation of crypter_tester_t.add_crypter_vector
- */
-static void add_crypter_vector(private_crypto_tester_t *this,
-							   crypter_test_vector_t *vector)
+METHOD(crypto_tester_t, add_crypter_vector, void,
+	private_crypto_tester_t *this, crypter_test_vector_t *vector)
 {
 	this->crypter->insert_last(this->crypter, vector);
 }
 
-/**
- * Implementation of crypter_tester_t.add_signer_vector
- */
-static void add_signer_vector(private_crypto_tester_t *this,
-							  signer_test_vector_t *vector)
+METHOD(crypto_tester_t, add_aead_vector, void,
+	private_crypto_tester_t *this, aead_test_vector_t *vector)
+{
+	this->aead->insert_last(this->aead, vector);
+}
+
+METHOD(crypto_tester_t, add_signer_vector, void,
+	private_crypto_tester_t *this, signer_test_vector_t *vector)
 {
 	this->signer->insert_last(this->signer, vector);
 }
 
-/**
- * Implementation of crypter_tester_t.add_hasher_vector
- */
-static void add_hasher_vector(private_crypto_tester_t *this,
-							  hasher_test_vector_t *vector)
+METHOD(crypto_tester_t, add_hasher_vector, void,
+	private_crypto_tester_t *this, hasher_test_vector_t *vector)
 {
 	this->hasher->insert_last(this->hasher, vector);
 }
 
-/**
- * Implementation of crypter_tester_t.add_prf_vector
- */
-static void add_prf_vector(private_crypto_tester_t *this,
-						   prf_test_vector_t *vector)
+METHOD(crypto_tester_t, add_prf_vector, void,
+	private_crypto_tester_t *this, prf_test_vector_t *vector)
 {
 	this->prf->insert_last(this->prf, vector);
 }
 
-/**
- * Implementation of crypter_tester_t.add_rng_vector
- */
-static void add_rng_vector(private_crypto_tester_t *this,
-						   rng_test_vector_t *vector)
+METHOD(crypto_tester_t, add_rng_vector, void,
+	private_crypto_tester_t *this, rng_test_vector_t *vector)
 {
 	this->rng->insert_last(this->rng, vector);
 }
 
-/**
- * Implementation of crypto_tester_t.destroy.
- */
-static void destroy(private_crypto_tester_t *this)
+METHOD(crypto_tester_t, destroy, void,
+	private_crypto_tester_t *this)
 {
 	this->crypter->destroy(this->crypter);
+	this->aead->destroy(this->aead);
 	this->signer->destroy(this->signer);
 	this->hasher->destroy(this->hasher);
 	this->prf->destroy(this->prf);
@@ -599,30 +1016,43 @@ static void destroy(private_crypto_tester_t *this)
  */
 crypto_tester_t *crypto_tester_create()
 {
-	private_crypto_tester_t *this = malloc_thing(private_crypto_tester_t);
-
-	this->public.test_crypter = (bool(*)(crypto_tester_t*, encryption_algorithm_t alg,size_t key_size, crypter_constructor_t create))test_crypter;
-	this->public.test_signer = (bool(*)(crypto_tester_t*, integrity_algorithm_t alg, signer_constructor_t create))test_signer;
-	this->public.test_hasher = (bool(*)(crypto_tester_t*, hash_algorithm_t alg, hasher_constructor_t create))test_hasher;
-	this->public.test_prf = (bool(*)(crypto_tester_t*, pseudo_random_function_t alg, prf_constructor_t create))test_prf;
-	this->public.test_rng = (bool(*)(crypto_tester_t*, rng_quality_t quality, rng_constructor_t create))test_rng;
-	this->public.add_crypter_vector = (void(*)(crypto_tester_t*, crypter_test_vector_t *vector))add_crypter_vector;
-	this->public.add_signer_vector = (void(*)(crypto_tester_t*, signer_test_vector_t *vector))add_signer_vector;
-	this->public.add_hasher_vector = (void(*)(crypto_tester_t*, hasher_test_vector_t *vector))add_hasher_vector;
-	this->public.add_prf_vector = (void(*)(crypto_tester_t*, prf_test_vector_t *vector))add_prf_vector;
-	this->public.add_rng_vector = (void(*)(crypto_tester_t*, rng_test_vector_t *vector))add_rng_vector;
-	this->public.destroy = (void(*)(crypto_tester_t*))destroy;
-
-	this->crypter = linked_list_create();
-	this->signer = linked_list_create();
-	this->hasher = linked_list_create();
-	this->prf = linked_list_create();
-	this->rng = linked_list_create();
-
-	this->required = lib->settings->get_bool(lib->settings,
-								"libstrongswan.crypto_test.required", FALSE);
-	this->rng_true = lib->settings->get_bool(lib->settings,
-								"libstrongswan.crypto_test.rng_true", FALSE);
+	private_crypto_tester_t *this;
+
+	INIT(this,
+		.public = {
+			.test_crypter = _test_crypter,
+			.test_aead = _test_aead,
+			.test_signer = _test_signer,
+			.test_hasher = _test_hasher,
+			.test_prf = _test_prf,
+			.test_rng = _test_rng,
+			.add_crypter_vector = _add_crypter_vector,
+			.add_aead_vector = _add_aead_vector,
+			.add_signer_vector = _add_signer_vector,
+			.add_hasher_vector = _add_hasher_vector,
+			.add_prf_vector = _add_prf_vector,
+			.add_rng_vector = _add_rng_vector,
+			.destroy = _destroy,
+		},
+		.crypter = linked_list_create(),
+		.aead = linked_list_create(),
+		.signer = linked_list_create(),
+		.hasher = linked_list_create(),
+		.prf = linked_list_create(),
+		.rng = linked_list_create(),
+
+		.required = lib->settings->get_bool(lib->settings,
+								"libstrongswan.crypto_test.required", FALSE),
+		.rng_true = lib->settings->get_bool(lib->settings,
+								"libstrongswan.crypto_test.rng_true", FALSE),
+		.bench_time = lib->settings->get_int(lib->settings,
+								"libstrongswan.crypto_test.bench_time", 50),
+		.bench_size = lib->settings->get_int(lib->settings,
+								"libstrongswan.crypto_test.bench_size", 1024),
+	);
+
+	/* enforce a block size of 16, should be fine for all algorithms */
+	this->bench_size = this->bench_size / 16 * 16;
 
 	return &this->public;
 }
diff --git a/src/libstrongswan/crypto/crypto_tester.h b/src/libstrongswan/crypto/crypto_tester.h
index ddcc2da51..cef0b3c18 100644
--- a/src/libstrongswan/crypto/crypto_tester.h
+++ b/src/libstrongswan/crypto/crypto_tester.h
@@ -26,6 +26,7 @@ typedef struct crypto_tester_t crypto_tester_t;
 #include <crypto/crypto_factory.h>
 
 typedef struct crypter_test_vector_t crypter_test_vector_t;
+typedef struct aead_test_vector_t aead_test_vector_t;
 typedef struct signer_test_vector_t signer_test_vector_t;
 typedef struct hasher_test_vector_t hasher_test_vector_t;
 typedef struct prf_test_vector_t prf_test_vector_t;
@@ -48,6 +49,27 @@ struct crypter_test_vector_t {
 	u_char *cipher;
 };
 
+struct aead_test_vector_t {
+	/** encryption algorithm this vector tests */
+	encryption_algorithm_t alg;
+	/** key length to use, in bytes */
+	size_t key_size;
+	/** encryption key of test vector */
+	u_char *key;
+	/** initialization vector, using crypters blocksize bytes */
+	u_char *iv;
+	/** length of associated data */
+	size_t alen;
+	/** associated data */
+	u_char *adata;
+	/** length of plain text */
+	size_t len;
+	/** plain text */
+	u_char *plain;
+	/** cipher text */
+	u_char *cipher;
+};
+
 struct signer_test_vector_t {
 	/** signer algorithm this test vector tests */
 	pseudo_random_function_t alg;
@@ -114,48 +136,67 @@ struct crypto_tester_t {
 	 * Test a crypter algorithm, optionally using a specified key size.
 	 *
 	 * @param alg			algorithm to test
-	 * @param key_size		key size to test, 0 for all
+	 * @param key_size		key size to test, 0 for default
 	 * @param create		constructor function for the crypter
+	 * @param speed			speed test result, NULL to omit
 	 * @return				TRUE if test passed
 	 */
 	bool (*test_crypter)(crypto_tester_t *this, encryption_algorithm_t alg,
-						 size_t key_size, crypter_constructor_t create);
+						 size_t key_size, crypter_constructor_t create,
+						 u_int *speed);
+
+	/**
+	 * Test an aead algorithm, optionally using a specified key size.
+	 *
+	 * @param alg			algorithm to test
+	 * @param key_size		key size to test, 0 for default
+	 * @param create		constructor function for the aead transform
+	 * @param speed			speed test result, NULL to omit
+	 * @return				TRUE if test passed
+	 */
+	bool (*test_aead)(crypto_tester_t *this, encryption_algorithm_t alg,
+						 size_t key_size, aead_constructor_t create,
+						 u_int *speed);
 	/**
 	 * Test a signer algorithm.
 	 *
 	 * @param alg			algorithm to test
 	 * @param create		constructor function for the signer
+	 * @param speed			speed test result, NULL to omit
 	 * @return				TRUE if test passed
 	 */
 	bool (*test_signer)(crypto_tester_t *this, integrity_algorithm_t alg,
-						signer_constructor_t create);
+						signer_constructor_t create, u_int *speed);
 	/**
 	 * Test a hasher algorithm.
 	 *
 	 * @param alg			algorithm to test
 	 * @param create		constructor function for the hasher
+	 * @param speed			speed test result, NULL to omit
 	 * @return				TRUE if test passed
 	 */
 	bool (*test_hasher)(crypto_tester_t *this, hash_algorithm_t alg,
-						hasher_constructor_t create);
+						hasher_constructor_t create, u_int *speed);
 	/**
 	 * Test a PRF algorithm.
 	 *
 	 * @param alg			algorithm to test
 	 * @param create		constructor function for the PRF
+	 * @param speed			speed test result, NULL to omit
 	 * @return				TRUE if test passed
 	 */
 	bool (*test_prf)(crypto_tester_t *this, pseudo_random_function_t alg,
-					 prf_constructor_t create);
+					 prf_constructor_t create, u_int *speed);
 	/**
 	 * Test a RNG implementation.
 	 *
 	 * @param alg			algorithm to test
 	 * @param create		constructor function for the RNG
+	 * @param speed			speed test result, NULL to omit
 	 * @return				TRUE if test passed
 	 */
 	bool (*test_rng)(crypto_tester_t *this, rng_quality_t quality,
-					 rng_constructor_t create);
+					 rng_constructor_t create, u_int *speed);
 	/**
 	 * Add a test vector to test a crypter.
 	 *
@@ -163,6 +204,13 @@ struct crypto_tester_t {
 	 */
 	void (*add_crypter_vector)(crypto_tester_t *this,
 							   crypter_test_vector_t *vector);
+	/**
+	 * Add a test vector to test an aead transform.
+	 *
+	 * @param vector		pointer to test vector
+	 */
+	void (*add_aead_vector)(crypto_tester_t *this,
+							aead_test_vector_t *vector);
 	/**
 	 * Add a test vector to test a signer.
 	 *
diff --git a/src/libstrongswan/crypto/diffie_hellman.c b/src/libstrongswan/crypto/diffie_hellman.c
index 9bd8991fc..5f7365321 100644
--- a/src/libstrongswan/crypto/diffie_hellman.c
+++ b/src/libstrongswan/crypto/diffie_hellman.c
@@ -38,9 +38,10 @@ ENUM_NEXT(diffie_hellman_group_names, MODP_1024_160, ECP_224_BIT, ECP_521_BIT,
 	"MODP_2048_256",
 	"ECP_192",
 	"ECP_224");
-ENUM_NEXT(diffie_hellman_group_names, MODP_NULL, MODP_NULL, ECP_224_BIT,
-	"MODP_NULL");
-ENUM_END(diffie_hellman_group_names, MODP_NULL);
+ENUM_NEXT(diffie_hellman_group_names, MODP_NULL, MODP_CUSTOM, ECP_224_BIT,
+	"MODP_NULL",
+	"MODP_CUSTOM");
+ENUM_END(diffie_hellman_group_names, MODP_CUSTOM);
 
 
 /**
@@ -441,3 +442,20 @@ diffie_hellman_params_t *diffie_hellman_get_params(diffie_hellman_group_t group)
 	return NULL;
 }
 
+/**
+ * See header.
+ */
+bool diffie_hellman_group_is_ec(diffie_hellman_group_t group)
+{
+	switch (group)
+	{
+		case ECP_256_BIT:
+		case ECP_384_BIT:
+		case ECP_521_BIT:
+		case ECP_192_BIT:
+		case ECP_224_BIT:
+			return TRUE;
+		default:
+			return FALSE;
+	}
+}
diff --git a/src/libstrongswan/crypto/diffie_hellman.h b/src/libstrongswan/crypto/diffie_hellman.h
index cdc9c785e..9ae772363 100644
--- a/src/libstrongswan/crypto/diffie_hellman.h
+++ b/src/libstrongswan/crypto/diffie_hellman.h
@@ -57,6 +57,8 @@ enum diffie_hellman_group_t {
 	ECP_224_BIT   = 26,
 	/** insecure NULL diffie hellman group for testing, in PRIVATE USE */
 	MODP_NULL = 1024,
+	/** MODP group with custon generator, prime */
+	MODP_CUSTOM = 1025,
 };
 
 /**
@@ -145,4 +147,12 @@ struct diffie_hellman_params_t {
  */
 diffie_hellman_params_t *diffie_hellman_get_params(diffie_hellman_group_t group);
 
+/**
+ * Check if a given DH group is an ECDH group
+ *
+ * @param group			group to check
+ * @return				TUE if group is an ECP group
+ */
+bool diffie_hellman_group_is_ec(diffie_hellman_group_t group);
+
 #endif /** DIFFIE_HELLMAN_H_ @}*/
diff --git a/src/libstrongswan/crypto/prfs/prf.c b/src/libstrongswan/crypto/prfs/prf.c
index 8681a5b97..12e13ef57 100644
--- a/src/libstrongswan/crypto/prfs/prf.c
+++ b/src/libstrongswan/crypto/prfs/prf.c
@@ -16,12 +16,13 @@
 
 #include "prf.h"
 
-ENUM_BEGIN(pseudo_random_function_names, PRF_UNDEFINED, PRF_KEYED_SHA1,
+ENUM_BEGIN(pseudo_random_function_names, PRF_UNDEFINED, PRF_CAMELLIA128_XCBC,
 	"PRF_UNDEFINED",
 	"PRF_FIPS_SHA1_160",
 	"PRF_FIPS_DES",
-	"PRF_KEYED_SHA1");
-ENUM_NEXT(pseudo_random_function_names, PRF_HMAC_MD5, PRF_AES128_CMAC, PRF_KEYED_SHA1,
+	"PRF_KEYED_SHA1",
+	"PRF_CAMELLIA128_XCBC");
+ENUM_NEXT(pseudo_random_function_names, PRF_HMAC_MD5, PRF_AES128_CMAC, PRF_CAMELLIA128_XCBC,
 	"PRF_HMAC_MD5",
 	"PRF_HMAC_SHA1",
 	"PRF_HMAC_TIGER",
diff --git a/src/libstrongswan/crypto/prfs/prf.h b/src/libstrongswan/crypto/prfs/prf.h
index 6e853444f..ad15205d3 100644
--- a/src/libstrongswan/crypto/prfs/prf.h
+++ b/src/libstrongswan/crypto/prfs/prf.h
@@ -30,8 +30,7 @@ typedef struct prf_t prf_t;
 /**
  * Pseudo random function, as in IKEv2 RFC 3.3.2.
  *
- * PRF algorithms not defined in IKEv2 are allocated in "private use"
- * space.
+ * PRF algorithms not defined in IKEv2 are allocated in "private use" space.
  */
 enum pseudo_random_function_t {
 	PRF_UNDEFINED = 1024,
@@ -55,11 +54,12 @@ enum pseudo_random_function_t {
 	PRF_FIPS_SHA1_160 = 1025,
 	/** FIPS 186-2-change1, uses fixed output size of 160bit */
 	PRF_FIPS_DES = 1026,
-	/**
-	 * Keyed hash algorithm using SHA1, used in EAP-AKA:
+	/** Keyed hash algorithm using SHA1, used in EAP-AKA:
 	 * This PRF uses SHA1, but XORs the key into the IV. No "Final()" operation
 	 * is applied to the SHA1 state. */
 	PRF_KEYED_SHA1 = 1027,
+	/** draft-kanno-ipsecme-camellia-xcbc, not yet assigned by IANA */
+	PRF_CAMELLIA128_XCBC = 1028,
 };
 
 /**
diff --git a/src/libstrongswan/crypto/proposal/proposal_keywords.c b/src/libstrongswan/crypto/proposal/proposal_keywords.c
index a43dde7ea..10ab9fc23 100644
--- a/src/libstrongswan/crypto/proposal/proposal_keywords.c
+++ b/src/libstrongswan/crypto/proposal/proposal_keywords.c
@@ -1,6 +1,6 @@
 /* C code produced by gperf version 3.0.3 */
 /* Command-line: /usr/bin/gperf -N proposal_get_token -m 10 -C -G -c -t -D  */
-/* Computed positions: -k'1,5,7,10,$' */
+/* Computed positions: -k'1,5,7,10,15,$' */
 
 #if !((' ' == 32) && ('!' == 33) && ('"' == 34) && ('#' == 35) \
       && ('%' == 37) && ('&' == 38) && ('\'' == 39) && ('(' == 40) \
@@ -59,12 +59,12 @@ struct proposal_token {
     u_int16_t         keysize;
 };
 
-#define TOTAL_KEYWORDS 95
+#define TOTAL_KEYWORDS 117
 #define MIN_WORD_LENGTH 3
-#define MAX_WORD_LENGTH 12
-#define MIN_HASH_VALUE 5
-#define MAX_HASH_VALUE 137
-/* maximum key range = 133, duplicates = 0 */
+#define MAX_WORD_LENGTH 17
+#define MIN_HASH_VALUE 9
+#define MAX_HASH_VALUE 209
+/* maximum key range = 201, duplicates = 0 */
 
 #ifdef __GNUC__
 __inline
@@ -80,38 +80,45 @@ hash (str, len)
 {
   static const unsigned char asso_values[] =
     {
-      138, 138, 138, 138, 138, 138, 138, 138, 138, 138,
-      138, 138, 138, 138, 138, 138, 138, 138, 138, 138,
-      138, 138, 138, 138, 138, 138, 138, 138, 138, 138,
-      138, 138, 138, 138, 138, 138, 138, 138, 138, 138,
-      138, 138, 138, 138, 138, 138, 138, 138,   3,  11,
-        2,  23,  29,  27,  21,  16,   5,   0, 138, 138,
-      138, 138, 138, 138, 138, 138, 138, 138, 138, 138,
-      138, 138, 138, 138, 138, 138, 138, 138, 138, 138,
-      138, 138, 138, 138, 138, 138, 138, 138, 138, 138,
-      138, 138, 138, 138, 138,  17, 138,   1,   0,   1,
-        9,   9,  50,   0,   4,  54, 138, 138,   1, 138,
-       35,   0, 138, 138,  71,   3,  38,  22, 138, 138,
-      138, 138, 138, 138, 138, 138, 138, 138, 138, 138,
-      138, 138, 138, 138, 138, 138, 138, 138, 138, 138,
-      138, 138, 138, 138, 138, 138, 138, 138, 138, 138,
-      138, 138, 138, 138, 138, 138, 138, 138, 138, 138,
-      138, 138, 138, 138, 138, 138, 138, 138, 138, 138,
-      138, 138, 138, 138, 138, 138, 138, 138, 138, 138,
-      138, 138, 138, 138, 138, 138, 138, 138, 138, 138,
-      138, 138, 138, 138, 138, 138, 138, 138, 138, 138,
-      138, 138, 138, 138, 138, 138, 138, 138, 138, 138,
-      138, 138, 138, 138, 138, 138, 138, 138, 138, 138,
-      138, 138, 138, 138, 138, 138, 138, 138, 138, 138,
-      138, 138, 138, 138, 138, 138, 138, 138, 138, 138,
-      138, 138, 138, 138, 138, 138, 138, 138, 138, 138,
-      138, 138, 138, 138, 138, 138, 138
+      210, 210, 210, 210, 210, 210, 210, 210, 210, 210,
+      210, 210, 210, 210, 210, 210, 210, 210, 210, 210,
+      210, 210, 210, 210, 210, 210, 210, 210, 210, 210,
+      210, 210, 210, 210, 210, 210, 210, 210, 210, 210,
+      210, 210, 210, 210, 210, 210, 210, 210,  16,   9,
+        4,  41,  66,  19,   8,   4,   5,   3, 210, 210,
+      210, 210, 210, 210, 210, 210, 210, 210, 210, 210,
+      210, 210, 210, 210, 210, 210, 210, 210, 210, 210,
+      210, 210, 210, 210, 210, 210, 210, 210, 210, 210,
+      210, 210, 210, 210, 210, 122, 210,   3,  22,  21,
+        3, 111, 103,  48,   7,   4, 210, 210,   3, 210,
+       57,   3, 210, 210,  78,   6,   3,  28, 210, 210,
+      210, 210, 210, 210, 210, 210, 210, 210, 210, 210,
+      210, 210, 210, 210, 210, 210, 210, 210, 210, 210,
+      210, 210, 210, 210, 210, 210, 210, 210, 210, 210,
+      210, 210, 210, 210, 210, 210, 210, 210, 210, 210,
+      210, 210, 210, 210, 210, 210, 210, 210, 210, 210,
+      210, 210, 210, 210, 210, 210, 210, 210, 210, 210,
+      210, 210, 210, 210, 210, 210, 210, 210, 210, 210,
+      210, 210, 210, 210, 210, 210, 210, 210, 210, 210,
+      210, 210, 210, 210, 210, 210, 210, 210, 210, 210,
+      210, 210, 210, 210, 210, 210, 210, 210, 210, 210,
+      210, 210, 210, 210, 210, 210, 210, 210, 210, 210,
+      210, 210, 210, 210, 210, 210, 210, 210, 210, 210,
+      210, 210, 210, 210, 210, 210, 210, 210, 210, 210,
+      210, 210, 210, 210, 210, 210, 210
     };
   register int hval = len;
 
   switch (hval)
     {
       default:
+        hval += asso_values[(unsigned char)str[14]];
+      /*FALLTHROUGH*/
+      case 14:
+      case 13:
+      case 12:
+      case 11:
+      case 10:
         hval += asso_values[(unsigned char)str[9]];
       /*FALLTHROUGH*/
       case 9:
@@ -135,115 +142,148 @@ hash (str, len)
 
 static const struct proposal_token wordlist[] =
   {
+    {"sha",              INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA1_96,         0},
     {"null",             ENCRYPTION_ALGORITHM, ENCR_NULL,                 0},
+    {"sha1",             INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA1_96,         0},
+    {"camellia",         ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,       128},
+    {"sha512",           INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_512_256,    0},
+    {"camellia192",      ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,       192},
+    {"cast128",          ENCRYPTION_ALGORITHM, ENCR_CAST,               128},
+    {"camellia128",      ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,       128},
     {"aes",              ENCRYPTION_ALGORITHM, ENCR_AES_CBC,            128},
     {"aes192",           ENCRYPTION_ALGORITHM, ENCR_AES_CBC,            192},
-    {"aesxcbc",          INTEGRITY_ALGORITHM,  AUTH_AES_XCBC_96,          0},
-    {"aes192gmac",       ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 192},
+    {"sha256",           INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_256_128,    0},
     {"aes128",           ENCRYPTION_ALGORITHM, ENCR_AES_CBC,            128},
-    {"aes128gmac",       ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 128},
-    {"des",              ENCRYPTION_ALGORITHM, ENCR_DES,                  0},
-    {"aes192gcm8",       ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,       192},
+    {"camellia192ccm8",  ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8,  192},
+    {"camellia128ccm8",  ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8,  128},
+    {"camellia192ccm96", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 192},
+    {"camellia128ccm96", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 128},
+    {"camellia192ccm12", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 192},
+    {"camellia128ccm12", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 128},
+    {"camellia192ccm128",ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 192},
+    {"camellia128ccm128",ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 128},
+    {"camellia192ccm16", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 192},
+    {"camellia128ccm16", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 128},
+    {"camellia256",      ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,       256},
+    {"twofish",          ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,        128},
+    {"camellia256ccm8",  ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8,  256},
+    {"aes256",           ENCRYPTION_ALGORITHM, ENCR_AES_CBC,            256},
+    {"camellia256ccm96", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 256},
+    {"twofish192",       ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,        192},
+    {"camellia256ccm12", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 256},
+    {"twofish128",       ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,        128},
+    {"camellia256ccm128",ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 256},
+    {"camellia256ccm16", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 256},
+    {"camelliaxcbc",     INTEGRITY_ALGORITHM,  AUTH_CAMELLIA_XCBC_96,     0},
+    {"twofish256",       ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,        256},
     {"aes192ccm8",       ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,       192},
-    {"aes128gcm8",       ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,       128},
     {"aes128ccm8",       ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,       128},
-    {"aes192gcm12",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,      192},
+    {"aes192ccm96",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,      192},
+    {"aes128ccm96",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,      128},
     {"aes192ccm12",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,      192},
-    {"aes128gcm12",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,      128},
     {"aes128ccm12",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,      128},
-    {"aes192gcm128",     ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,      192},
     {"aes192ccm128",     ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,      192},
-    {"aes128gcm128",     ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,      128},
     {"aes128ccm128",     ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,      128},
+    {"aes192ccm16",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,      192},
+    {"aes128ccm16",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,      128},
+    {"3des",             ENCRYPTION_ALGORITHM, ENCR_3DES,                 0},
+    {"modp8192",         DIFFIE_HELLMAN_GROUP, MODP_8192_BIT,             0},
+    {"modp768",          DIFFIE_HELLMAN_GROUP, MODP_768_BIT,              0},
+    {"md5",              INTEGRITY_ALGORITHM,  AUTH_HMAC_MD5_96,          0},
+    {"sha384",           INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_384_192,    0},
+    {"aes256ccm8",       ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,       256},
+    {"aes256ccm96",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,      256},
+    {"aes256ccm12",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,      256},
+    {"aes256ccm128",     ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,      256},
+    {"aes256ccm16",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,      256},
+    {"aesxcbc",          INTEGRITY_ALGORITHM,  AUTH_AES_XCBC_96,          0},
+    {"aes192gcm8",       ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,       192},
+    {"aes128gcm8",       ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,       128},
     {"aes192gcm96",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,      192},
-    {"aes192ccm96",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,      192},
     {"aes128gcm96",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,      128},
-    {"aes128ccm96",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,      128},
-    {"3des",             ENCRYPTION_ALGORITHM, ENCR_3DES,                 0},
-    {"cast128",          ENCRYPTION_ALGORITHM, ENCR_CAST,               128},
-    {"aes256gmac",       ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 256},
-    {"sha",              INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA1_96,         0},
+    {"aes192gcm12",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,      192},
+    {"aes128gcm12",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,      128},
+    {"aes192gcm128",     ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,      192},
+    {"aes128gcm128",     ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,      128},
     {"aes192gcm16",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,      192},
-    {"aes192ccm16",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,      192},
     {"aes128gcm16",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,      128},
-    {"aes128ccm16",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,      128},
+    {"camellia192ccm64", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8,  192},
+    {"camellia128ccm64", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8,  128},
+    {"camellia192ctr",   ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CTR,       192},
+    {"camellia128ctr",   ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CTR,       128},
+    {"modp1024s160",     DIFFIE_HELLMAN_GROUP, MODP_1024_160,             0},
     {"aes256gcm8",       ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,       256},
-    {"aes256ccm8",       ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,       256},
-    {"modp8192",         DIFFIE_HELLMAN_GROUP, MODP_8192_BIT,             0},
+    {"aes256gcm96",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,      256},
     {"aes256gcm12",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,      256},
-    {"aes256ccm12",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,      256},
-    {"sha1",             INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA1_96,         0},
-    {"aes256",           ENCRYPTION_ALGORITHM, ENCR_AES_CBC,            256},
+    {"modp3072",         DIFFIE_HELLMAN_GROUP, MODP_3072_BIT,             0},
     {"aes256gcm128",     ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,      256},
-    {"aes256ccm128",     ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,      256},
-    {"sha512",           INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_512_256,    0},
     {"ecp192",           DIFFIE_HELLMAN_GROUP, ECP_192_BIT,               0},
-    {"aes256gcm96",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,      256},
-    {"aes256ccm96",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,      256},
-    {"aes192gcm64",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,       192},
-    {"aes192ccm64",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,       192},
-    {"aes128gcm64",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,       128},
-    {"aes128ccm64",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,       128},
-    {"md5",              INTEGRITY_ALGORITHM,  AUTH_HMAC_MD5_96,          0},
-    {"blowfish",         ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,           128},
-    {"blowfish192",      ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,           192},
-    {"modp768",          DIFFIE_HELLMAN_GROUP, MODP_768_BIT,              0},
-    {"ecp521",           DIFFIE_HELLMAN_GROUP, ECP_521_BIT,               0},
     {"aes256gcm16",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,      256},
-    {"aes256ccm16",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,      256},
-    {"blowfish128",      ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,           128},
-    {"camellia",         ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,       128},
-    {"modp1024s160",     DIFFIE_HELLMAN_GROUP, MODP_1024_160,             0},
-    {"sha2_512",         INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_512_256,    0},
-    {"camellia192",      ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,       192},
-    {"sha384",           INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_384_192,    0},
-    {"modp2048",         DIFFIE_HELLMAN_GROUP, MODP_2048_BIT,             0},
+    {"camellia256ccm64", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8,  256},
+    {"des",              ENCRYPTION_ALGORITHM, ENCR_DES,                  0},
+    {"camellia256ctr",   ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CTR,       256},
+    {"ecp521",           DIFFIE_HELLMAN_GROUP, ECP_521_BIT,               0},
+    {"modp1536",         DIFFIE_HELLMAN_GROUP, MODP_1536_BIT,             0},
+    {"aes192gmac",       ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 192},
+    {"aes128gmac",       ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 128},
+    {"serpent",          ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,        128},
     {"modpnull",         DIFFIE_HELLMAN_GROUP, MODP_NULL,                 0},
+    {"aes192ccm64",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,       192},
+    {"aes128ccm64",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,       128},
     {"aes192ctr",        ENCRYPTION_ALGORITHM, ENCR_AES_CTR,            192},
-    {"camellia128",      ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,       128},
     {"aes128ctr",        ENCRYPTION_ALGORITHM, ENCR_AES_CTR,            128},
-    {"modp3072",         DIFFIE_HELLMAN_GROUP, MODP_3072_BIT,             0},
-    {"modp1024",         DIFFIE_HELLMAN_GROUP, MODP_1024_BIT,             0},
-    {"ecp224",           DIFFIE_HELLMAN_GROUP, ECP_224_BIT,               0},
-    {"aes256gcm64",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,       256},
-    {"aes256ccm64",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,       256},
-    {"ecp384",           DIFFIE_HELLMAN_GROUP, ECP_384_BIT,               0},
-    {"twofish",          ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,        128},
-    {"sha256",           INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_256_128,    0},
-    {"modp4096",         DIFFIE_HELLMAN_GROUP, MODP_4096_BIT,             0},
-    {"twofish192",       ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,        192},
-    {"sha2_384",         INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_384_192,    0},
-    {"modp1536",         DIFFIE_HELLMAN_GROUP, MODP_1536_BIT,             0},
     {"serpent192",       ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,        192},
-    {"twofish128",       ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,        128},
-    {"modp2048s256",     DIFFIE_HELLMAN_GROUP, MODP_2048_256,             0},
     {"ecp256",           DIFFIE_HELLMAN_GROUP, ECP_256_BIT,               0},
     {"serpent128",       ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,        128},
+    {"modp2048",         DIFFIE_HELLMAN_GROUP, MODP_2048_BIT,             0},
+    {"aes256gmac",       ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 256},
+    {"modp4096",         DIFFIE_HELLMAN_GROUP, MODP_4096_BIT,             0},
+    {"serpent256",       ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,        256},
+    {"modp1024",         DIFFIE_HELLMAN_GROUP, MODP_1024_BIT,             0},
+    {"blowfish",         ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,           128},
+    {"sha2_512",         INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_512_256,    0},
+    {"aes256ccm64",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,       256},
+    {"blowfish192",      ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,           192},
     {"aes256ctr",        ENCRYPTION_ALGORITHM, ENCR_AES_CTR,            256},
-    {"modp2048s224",     DIFFIE_HELLMAN_GROUP, MODP_2048_224,             0},
+    {"blowfish128",      ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,           128},
+    {"modp2048s256",     DIFFIE_HELLMAN_GROUP, MODP_2048_256,             0},
+    {"aes192gcm64",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,       192},
+    {"aes128gcm64",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,       128},
     {"sha2_256",         INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_256_128,    0},
     {"sha256_96",        INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_256_96,     0},
-    {"blowfish256",      ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,           256},
     {"sha2_256_96",      INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_256_96,     0},
+    {"blowfish256",      ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,           256},
+    {"aes256gcm64",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,       256},
+    {"ecp224",           DIFFIE_HELLMAN_GROUP, ECP_224_BIT,               0},
+    {"ecp384",           DIFFIE_HELLMAN_GROUP, ECP_384_BIT,               0},
+    {"sha2_384",         INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_384_192,    0},
     {"modp6144",         DIFFIE_HELLMAN_GROUP, MODP_6144_BIT,             0},
-    {"camellia256",      ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,       256},
-    {"serpent",          ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,        128},
-    {"twofish256",       ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,        256},
-    {"serpent256",       ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,        256}
+    {"modp2048s224",     DIFFIE_HELLMAN_GROUP, MODP_2048_224,             0}
   };
 
 static const short lookup[] =
   {
-    -1, -1, -1, -1, -1,  0,  1, -1,  2, -1,  3, -1,  4,  5,
-     6,  7, -1, -1, -1, -1,  8,  9, 10, 11, 12, 13, 14, 15,
-    16, 17, 18, 19, 20, 21, 22, 23, 24, 25, -1, 26, -1, -1,
-    27, 28, 29, 30, 31, 32, 33, -1, 34, 35, 36, 37, 38, 39,
-    40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53,
-    54, 55, 56, 57, 58, -1, 59, 60, 61, 62, 63, 64, 65, 66,
-    67, 68, -1, 69, 70, 71, 72, 73, 74, 75, 76, -1, -1, 77,
-    78, 79, 80, 81, -1, -1, 82, 83, -1, -1, 84, 85, -1, 86,
-    87, 88, 89, -1, -1, -1, -1, -1, -1, -1, 90, 91, -1, -1,
-    -1, -1, -1, -1, 92, -1, 93, -1, -1, -1, -1, 94
+     -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,   0,
+      1,  -1,  -1,  -1,  -1,  -1,   2,  -1,  -1,  -1,
+     -1,   3,   4,  -1,  -1,  -1,  -1,  -1,   5,   6,
+      7,   8,  -1,  -1,  -1,   9,  10,  11,  12,  13,
+     14,  15,  16,  17,  18,  19,  20,  21,  22,  -1,
+     -1,  -1,  -1,  23,  24,  25,  26,  27,  28,  29,
+     30,  -1,  31,  -1,  32,  33,  34,  35,  36,  37,
+     38,  39,  40,  41,  42,  43,  44,  45,  46,  47,
+     48,  -1,  49,  -1,  50,  -1,  51,  -1,  52,  -1,
+     53,  -1,  54,  55,  56,  57,  58,  59,  60,  61,
+     62,  63,  64,  65,  66,  67,  68,  69,  -1,  70,
+     -1,  71,  -1,  72,  73,  74,  75,  76,  -1,  77,
+     78,  79,  80,  81,  -1,  82,  83,  84,  85,  -1,
+     -1,  86,  87,  88,  89,  90,  91,  92,  -1,  -1,
+     93,  94,  95,  96,  97,  98,  99, 100, 101, 102,
+    103, 104,  -1,  -1,  -1,  -1,  -1,  -1, 105, 106,
+    107, 108,  -1,  -1,  -1,  -1, 109,  -1, 110,  -1,
+     -1,  -1,  -1,  -1, 111,  -1,  -1,  -1,  -1, 112,
+    113,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,
+     -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,
+     -1,  -1,  -1,  -1, 114, 115,  -1,  -1,  -1, 116
   };
 
 #ifdef __GNUC__
diff --git a/src/libstrongswan/crypto/proposal/proposal_keywords.txt b/src/libstrongswan/crypto/proposal/proposal_keywords.txt
index 338993821..208c6715b 100644
--- a/src/libstrongswan/crypto/proposal/proposal_keywords.txt
+++ b/src/libstrongswan/crypto/proposal/proposal_keywords.txt
@@ -86,6 +86,27 @@ camellia,         ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,       128
 camellia128,      ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,       128
 camellia192,      ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,       192
 camellia256,      ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,       256
+camellia128ctr,   ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CTR,       128
+camellia192ctr,   ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CTR,       192
+camellia256ctr,   ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CTR,       256
+camellia128ccm8,  ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8,  128
+camellia128ccm64, ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8,  128
+camellia128ccm12, ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 128
+camellia128ccm96, ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 128
+camellia128ccm16, ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 128
+camellia128ccm128,ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 128
+camellia192ccm8,  ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8,  192
+camellia192ccm64, ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8,  192
+camellia192ccm12, ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 192
+camellia192ccm96, ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 192
+camellia192ccm16, ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 192
+camellia192ccm128,ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 192
+camellia256ccm8,  ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8,  256
+camellia256ccm64, ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8,  256
+camellia256ccm12, ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 256
+camellia256ccm96, ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 256
+camellia256ccm16, ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 256
+camellia256ccm128,ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 256
 cast128,          ENCRYPTION_ALGORITHM, ENCR_CAST,               128
 serpent,          ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,        128
 serpent128,       ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,        128
@@ -107,6 +128,7 @@ sha512,           INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_512_256,    0
 sha2_512,         INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_512_256,    0
 md5,              INTEGRITY_ALGORITHM,  AUTH_HMAC_MD5_96,          0
 aesxcbc,          INTEGRITY_ALGORITHM,  AUTH_AES_XCBC_96,          0
+camelliaxcbc,     INTEGRITY_ALGORITHM,  AUTH_CAMELLIA_XCBC_96,     0
 modpnull,         DIFFIE_HELLMAN_GROUP, MODP_NULL,                 0
 modp768,          DIFFIE_HELLMAN_GROUP, MODP_768_BIT,              0
 modp1024,         DIFFIE_HELLMAN_GROUP, MODP_1024_BIT,             0
diff --git a/src/libstrongswan/crypto/signers/signer.c b/src/libstrongswan/crypto/signers/signer.c
index e98916bfe..d8659170b 100644
--- a/src/libstrongswan/crypto/signers/signer.c
+++ b/src/libstrongswan/crypto/signers/signer.c
@@ -16,11 +16,14 @@
 
 #include "signer.h"
 
-ENUM_BEGIN(integrity_algorithm_names, AUTH_UNDEFINED, AUTH_HMAC_SHA2_256_96,
+ENUM_BEGIN(integrity_algorithm_names, AUTH_UNDEFINED, AUTH_CAMELLIA_XCBC_96,
 	"UNDEFINED",
 	"HMAC_SHA1_128",
-	"HMAC_SHA2_256_96");
-ENUM_NEXT(integrity_algorithm_names, AUTH_HMAC_MD5_96, AUTH_HMAC_SHA2_512_256, AUTH_HMAC_SHA2_256_96,
+	"HMAC_SHA2_256_96",
+	"HMAC_SHA2_256_256",
+	"HMAC_SHA2_384_384",
+	"CAMELLIA_XCBC_96");
+ENUM_NEXT(integrity_algorithm_names, AUTH_HMAC_MD5_96, AUTH_HMAC_SHA2_512_256, AUTH_CAMELLIA_XCBC_96,
 	"HMAC_MD5_96",
 	"HMAC_SHA1_96",
 	"DES_MAC",
diff --git a/src/libstrongswan/crypto/signers/signer.h b/src/libstrongswan/crypto/signers/signer.h
index 94e8c99b9..e2c224d8b 100644
--- a/src/libstrongswan/crypto/signers/signer.h
+++ b/src/libstrongswan/crypto/signers/signer.h
@@ -66,6 +66,12 @@ enum integrity_algorithm_t {
 	AUTH_HMAC_SHA1_128 = 1025,
 	/** SHA256 96 bit truncation variant, supported by Linux kernels */
 	AUTH_HMAC_SHA2_256_96 = 1026,
+	/** SHA256 full length tuncation variant, as used in TLS */
+	AUTH_HMAC_SHA2_256_256 = 1027,
+	/** SHA384 full length tuncation variant, as used in TLS */
+	AUTH_HMAC_SHA2_384_384 = 1028,
+	/** draft-kanno-ipsecme-camellia-xcbc, not yet assigned by IANA */
+	AUTH_CAMELLIA_XCBC_96 = 1029,
 };
 
 /**
@@ -102,6 +108,10 @@ struct signer_t {
 	/**
 	 * Verify a signature.
 	 *
+	 * To verify a signature of multiple chunks of data, pass the
+	 * data to get_signature() with a NULL buffer. verify_signature() acts
+	 * as a final call and includes all data fed to get_signature().
+	 *
 	 * @param data		a chunk containing the data to verify
 	 * @param signature	a chunk containing the signature
 	 * @return			TRUE, if signature is valid, FALSE otherwise
diff --git a/src/libstrongswan/crypto/transform.c b/src/libstrongswan/crypto/transform.c
index af40f4de6..cec90a616 100644
--- a/src/libstrongswan/crypto/transform.c
+++ b/src/libstrongswan/crypto/transform.c
@@ -15,11 +15,12 @@
 
 #include <crypto/transform.h>
 
-ENUM_BEGIN(transform_type_names, UNDEFINED_TRANSFORM_TYPE, RANDOM_NUMBER_GENERATOR,
+ENUM_BEGIN(transform_type_names, UNDEFINED_TRANSFORM_TYPE, AEAD_ALGORITHM,
 	"UNDEFINED_TRANSFORM_TYPE",
 	"HASH_ALGORITHM",
-	"RANDOM_NUMBER_GENERATOR");
-ENUM_NEXT(transform_type_names, ENCRYPTION_ALGORITHM, EXTENDED_SEQUENCE_NUMBERS, RANDOM_NUMBER_GENERATOR,
+	"RANDOM_NUMBER_GENERATOR",
+	"AEAD_ALGORITHM");
+ENUM_NEXT(transform_type_names, ENCRYPTION_ALGORITHM, EXTENDED_SEQUENCE_NUMBERS, AEAD_ALGORITHM,
 	"ENCRYPTION_ALGORITHM",
 	"PSEUDO_RANDOM_FUNCTION",
 	"INTEGRITY_ALGORITHM",
diff --git a/src/libstrongswan/crypto/transform.h b/src/libstrongswan/crypto/transform.h
index d11700a73..1a2660199 100644
--- a/src/libstrongswan/crypto/transform.h
+++ b/src/libstrongswan/crypto/transform.h
@@ -32,6 +32,7 @@ enum transform_type_t {
 	UNDEFINED_TRANSFORM_TYPE = 241,
 	HASH_ALGORITHM = 242,
 	RANDOM_NUMBER_GENERATOR = 243,
+	AEAD_ALGORITHM = 244,
 	ENCRYPTION_ALGORITHM = 1,
 	PSEUDO_RANDOM_FUNCTION = 2,
 	INTEGRITY_ALGORITHM = 3,
diff --git a/src/libstrongswan/debug.c b/src/libstrongswan/debug.c
index 21a7e63dd..6ded70248 100644
--- a/src/libstrongswan/debug.c
+++ b/src/libstrongswan/debug.c
@@ -27,6 +27,8 @@ ENUM(debug_names, DBG_DMN, DBG_LIB,
 	"KNL",
 	"NET",
 	"ENC",
+	"TNC",
+	"TLS",
 	"LIB",
 );
 
@@ -40,6 +42,8 @@ ENUM(debug_lower_names, DBG_DMN, DBG_LIB,
 	"knl",
 	"net",
 	"enc",
+	"tnc",
+	"tls",
 	"lib",
 );
 
diff --git a/src/libstrongswan/debug.h b/src/libstrongswan/debug.h
index a21111d93..d3399bff6 100644
--- a/src/libstrongswan/debug.h
+++ b/src/libstrongswan/debug.h
@@ -50,6 +50,10 @@ enum debug_t {
 	DBG_NET,
 	/** message encoding/decoding */
 	DBG_ENC,
+	/** trusted network connect */
+	DBG_TNC,
+	/** libtls */
+	DBG_TLS,
 	/** libstrongswan */
 	DBG_LIB,
 	/** number of groups */
diff --git a/src/libstrongswan/eap/eap.c b/src/libstrongswan/eap/eap.c
new file mode 100644
index 000000000..71734017a
--- /dev/null
+++ b/src/libstrongswan/eap/eap.c
@@ -0,0 +1,131 @@
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap.h"
+
+ENUM(eap_code_names, EAP_REQUEST, EAP_FAILURE,
+	"EAP_REQUEST",
+	"EAP_RESPONSE",
+	"EAP_SUCCESS",
+	"EAP_FAILURE",
+);
+
+ENUM(eap_code_short_names, EAP_REQUEST, EAP_FAILURE,
+	"REQ",
+	"RES",
+	"SUCC",
+	"FAIL",
+);
+
+ENUM_BEGIN(eap_type_names, EAP_IDENTITY, EAP_GTC,
+	"EAP_IDENTITY",
+	"EAP_NOTIFICATION",
+	"EAP_NAK",
+	"EAP_MD5",
+	"EAP_OTP",
+	"EAP_GTC");
+ENUM_NEXT(eap_type_names, EAP_TLS, EAP_TLS, EAP_GTC,
+	"EAP_TLS");
+ENUM_NEXT(eap_type_names, EAP_SIM, EAP_SIM, EAP_TLS,
+	"EAP_SIM");
+ENUM_NEXT(eap_type_names, EAP_TTLS, EAP_TTLS, EAP_SIM,
+	"EAP_TTLS");
+ENUM_NEXT(eap_type_names, EAP_AKA, EAP_AKA, EAP_TTLS,
+	"EAP_AKA");
+ENUM_NEXT(eap_type_names, EAP_MSCHAPV2, EAP_MSCHAPV2, EAP_AKA,
+	"EAP_MSCHAPV2");
+ENUM_NEXT(eap_type_names, EAP_TNC, EAP_TNC, EAP_MSCHAPV2,
+	"EAP_TNC");
+ENUM_NEXT(eap_type_names, EAP_RADIUS, EAP_EXPERIMENTAL, EAP_TNC,
+	"EAP_RADIUS",
+	"EAP_EXPANDED",
+	"EAP_EXPERIMENTAL");
+ENUM_END(eap_type_names, EAP_EXPERIMENTAL);
+
+ENUM_BEGIN(eap_type_short_names, EAP_IDENTITY, EAP_GTC,
+	"ID",
+	"NTF",
+	"NAK",
+	"MD5",
+	"OTP",
+	"GTC");
+ENUM_NEXT(eap_type_short_names, EAP_TLS, EAP_TLS, EAP_GTC,
+	"TLS");
+ENUM_NEXT(eap_type_short_names, EAP_SIM, EAP_SIM, EAP_TLS,
+	"SIM");
+ENUM_NEXT(eap_type_short_names, EAP_TTLS, EAP_TTLS, EAP_SIM,
+	"TTLS");
+ENUM_NEXT(eap_type_short_names, EAP_AKA, EAP_AKA, EAP_TTLS,
+	"AKA");
+ENUM_NEXT(eap_type_short_names, EAP_MSCHAPV2, EAP_MSCHAPV2, EAP_AKA,
+	"MSCHAPV2");
+ENUM_NEXT(eap_type_short_names, EAP_TNC, EAP_TNC, EAP_MSCHAPV2,
+	"TNC");
+ENUM_NEXT(eap_type_short_names, EAP_RADIUS, EAP_EXPERIMENTAL, EAP_TNC,
+	"RAD",
+	"EXP",
+	"XP");
+ENUM_END(eap_type_short_names, EAP_EXPERIMENTAL);
+
+ENUM(auth_rule_names, AUTH_RULE_IDENTITY, AUTH_HELPER_SUBJECT_HASH_URL,
+	"RULE_IDENTITY",
+	"RULE_AUTH_CLASS",
+	"RULE_EAP_IDENTITY",
+	"RULE_EAP_TYPE",
+	"RULE_EAP_VENDOR",
+	"RULE_CA_CERT",
+	"RULE_IM_CERT",
+	"RULE_SUBJECT_CERT",
+	"RULE_CRL_VALIDATION",
+	"RULE_OCSP_VALIDATION",
+	"RULE_GROUP",
+	"HELPER_IM_CERT",
+	"HELPER_SUBJECT_CERT",
+	"HELPER_IM_HASH_URL",
+	"HELPER_SUBJECT_HASH_URL",
+);
+
+/*
+ * See header
+ */
+eap_type_t eap_type_from_string(char *name)
+{
+	int i;
+	static struct {
+		char *name;
+		eap_type_t type;
+	} types[] = {
+		{"identity",	EAP_IDENTITY},
+		{"md5",			EAP_MD5},
+		{"otp",			EAP_OTP},
+		{"gtc",			EAP_GTC},
+		{"tls",			EAP_TLS},
+		{"ttls",		EAP_TTLS},
+		{"sim",			EAP_SIM},
+		{"aka",			EAP_AKA},
+		{"mschapv2",	EAP_MSCHAPV2},
+		{"tnc",			EAP_TNC},
+		{"radius",		EAP_RADIUS},
+	};
+
+	for (i = 0; i < countof(types); i++)
+	{
+		if (strcaseeq(name, types[i].name))
+		{
+			return types[i].type;
+		}
+	}
+	return 0;
+}
diff --git a/src/libstrongswan/eap/eap.h b/src/libstrongswan/eap/eap.h
new file mode 100644
index 000000000..1d55747a4
--- /dev/null
+++ b/src/libstrongswan/eap/eap.h
@@ -0,0 +1,89 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap eap
+ * @{ @ingroup libstrongswan
+ */
+
+#ifndef EAP_H_
+#define EAP_H_
+
+typedef enum eap_code_t eap_code_t;
+typedef enum eap_type_t eap_type_t;
+
+#include <library.h>
+
+/**
+ * EAP code, type of an EAP message
+ */
+enum eap_code_t {
+	EAP_REQUEST = 1,
+	EAP_RESPONSE = 2,
+	EAP_SUCCESS = 3,
+	EAP_FAILURE = 4,
+};
+
+/**
+ * enum names for eap_code_t.
+ */
+extern enum_name_t *eap_code_names;
+
+/**
+ * short string enum names for eap_code_t.
+ */
+extern enum_name_t *eap_code_short_names;
+
+/**
+ * EAP types, defines the EAP method implementation
+ */
+enum eap_type_t {
+	EAP_IDENTITY = 1,
+	EAP_NOTIFICATION = 2,
+	EAP_NAK = 3,
+	EAP_MD5 = 4,
+	EAP_OTP = 5,
+	EAP_GTC = 6,
+	EAP_TLS = 13,
+	EAP_SIM = 18,
+	EAP_TTLS = 21,
+	EAP_AKA = 23,
+	EAP_MSCHAPV2 = 26,
+	EAP_TNC = 38,
+	/** not a method, but an implementation providing different methods */
+	EAP_RADIUS = 253,
+	EAP_EXPANDED = 254,
+	EAP_EXPERIMENTAL = 255,
+};
+
+/**
+ * enum names for eap_type_t.
+ */
+extern enum_name_t *eap_type_names;
+
+/**
+ * short string enum names for eap_type_t.
+ */
+extern enum_name_t *eap_type_short_names;
+
+/**
+ * Lookup the EAP method type from a string.
+ *
+ * @param name		EAP method name (such as "md5", "aka")
+ * @return			method type, 0 if unkown
+ */
+eap_type_t eap_type_from_string(char *name);
+
+#endif /** EAP_H_ @}*/
diff --git a/src/libstrongswan/enum.c b/src/libstrongswan/enum.c
index 946a54deb..258a5b410 100644
--- a/src/libstrongswan/enum.c
+++ b/src/libstrongswan/enum.c
@@ -16,12 +16,14 @@
 #include <stddef.h>
 #include <stdio.h>
 
+#include <library.h>
+
 #include "enum.h"
 
 /**
- * get the name of an enum value in a enum_name_t list
+ * See header.
  */
-static char *enum_name(enum_name_t *e, int val)
+char *enum_to_name(enum_name_t *e, int val)
 {
 	do
 	{
@@ -34,6 +36,27 @@ static char *enum_name(enum_name_t *e, int val)
 	return NULL;
 }
 
+/**
+ * See header.
+ */
+int enum_from_name(enum_name_t *e, char *name)
+{
+	do
+	{
+		int i, count = e->last - e->first;
+
+		for (i = 0; i < count; i++)
+		{
+			if (strcaseeq(name, e->names[i]))
+			{
+				return e->first + i;
+			}
+		}
+	}
+	while ((e = e->next));
+	return -1;
+}
+
 /**
  * Described in header.
  */
@@ -43,7 +66,7 @@ int enum_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
 	enum_name_t *ed = *((enum_name_t**)(args[0]));
 	int val = *((int*)(args[1]));
 
-	char *name = enum_name(ed, val);
+	char *name = enum_to_name(ed, val);
 
 	if (name == NULL)
 	{
diff --git a/src/libstrongswan/enum.h b/src/libstrongswan/enum.h
index 691f9f2bc..d5f169772 100644
--- a/src/libstrongswan/enum.h
+++ b/src/libstrongswan/enum.h
@@ -106,6 +106,24 @@ struct enum_name_t {
  */
 #define ENUM(name, first, last, ...) ENUM_BEGIN(name, first, last, __VA_ARGS__); ENUM_END(name, last)
 
+/**
+ * Convert a enum value to its string representation.
+ *
+ * @param e		enum names for this enum value
+ * @param val	enum value to get string for
+ * @return		string for enum, NULL if not found
+ */
+char *enum_to_name(enum_name_t *e, int val);
+
+/**
+ * Convert a enum string back to its enum value.
+ *
+ * @param e		enum names for this enum value
+ * @param name	name to get enum value for
+ * @return		enum value, -1 if not found
+ */
+int enum_from_name(enum_name_t *e, char *name);
+
 /**
  * printf hook function for enum_names_t.
  *
diff --git a/src/libstrongswan/library.c b/src/libstrongswan/library.c
index b61bdf7a0..b7e75aec5 100644
--- a/src/libstrongswan/library.c
+++ b/src/libstrongswan/library.c
@@ -65,6 +65,8 @@ void library_deinit()
 	detailed = lib->settings->get_bool(lib->settings,
 								"libstrongswan.leak_detective.detailed", TRUE);
 
+	this->public.scheduler->destroy(this->public.scheduler);
+	this->public.processor->destroy(this->public.processor);
 	this->public.plugins->destroy(this->public.plugins);
 	this->public.settings->destroy(this->public.settings);
 	this->public.credmgr->destroy(this->public.credmgr);
@@ -141,6 +143,8 @@ bool library_init(char *settings)
 	this->public.encoding = cred_encoding_create();
 	this->public.fetcher = fetcher_manager_create();
 	this->public.db = database_factory_create();
+	this->public.processor = processor_create();
+	this->public.scheduler = scheduler_create();
 	this->public.plugins = plugin_loader_create();
 	this->public.integrity = NULL;
 
diff --git a/src/libstrongswan/library.h b/src/libstrongswan/library.h
index cd5dfb479..034ff10c5 100644
--- a/src/libstrongswan/library.h
+++ b/src/libstrongswan/library.h
@@ -43,6 +43,12 @@
  * @defgroup plugins plugins
  * @ingroup libstrongswan
  *
+ * @defgroup processing processing
+ * @ingroup libstrongswan
+ *
+ * @defgroup jobs jobs
+ * @ingroup processing
+ *
  * @defgroup threading threading
  * @ingroup libstrongswan
  *
@@ -64,6 +70,8 @@
 #include "settings.h"
 #include "integrity_checker.h"
 #include "plugins/plugin_loader.h"
+#include "processing/processor.h"
+#include "processing/scheduler.h"
 #include "crypto/crypto_factory.h"
 #include "fetcher/fetcher_manager.h"
 #include "database/database_factory.h"
@@ -118,6 +126,16 @@ struct library_t {
 	 */
 	plugin_loader_t *plugins;
 
+	/**
+	 * process jobs using a thread pool
+	 */
+	processor_t *processor;
+
+	/**
+	 * schedule jobs
+	 */
+	scheduler_t *scheduler;
+
 	/**
 	 * various settings loaded from settings file
 	 */
diff --git a/src/libstrongswan/plugins/aes/Makefile.in b/src/libstrongswan/plugins/aes/Makefile.in
index 9859b75cf..99a520852 100644
--- a/src/libstrongswan/plugins/aes/Makefile.in
+++ b/src/libstrongswan/plugins/aes/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -164,6 +165,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -195,14 +198,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -217,24 +223,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -242,7 +255,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libstrongswan/plugins/aes/aes_crypter.c b/src/libstrongswan/plugins/aes/aes_crypter.c
index 10d48cf67..f13e33492 100644
--- a/src/libstrongswan/plugins/aes/aes_crypter.c
+++ b/src/libstrongswan/plugins/aes/aes_crypter.c
@@ -1331,11 +1331,8 @@ static void decrypt_block(const private_aes_crypter_t *this, const unsigned char
     state_out(out_blk, b0);
 }
 
-/**
- * Implementation of crypter_t.decrypt.
- */
-static void decrypt(private_aes_crypter_t *this, chunk_t data, chunk_t iv,
-					chunk_t *decrypted)
+METHOD(crypter_t, decrypt, void,
+	private_aes_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *decrypted)
 {
 	int pos;
 	const u_int32_t *iv_i;
@@ -1376,12 +1373,8 @@ static void decrypt(private_aes_crypter_t *this, chunk_t data, chunk_t iv,
 	}
 }
 
-
-/**
- * Implementation of crypter_t.decrypt.
- */
-static void encrypt (private_aes_crypter_t *this, chunk_t data, chunk_t iv,
-					 chunk_t *encrypted)
+METHOD(crypter_t, encrypt, void,
+	private_aes_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *encrypted)
 {
 	int pos;
 	const u_int32_t *iv_i;
@@ -1417,26 +1410,26 @@ static void encrypt (private_aes_crypter_t *this, chunk_t data, chunk_t iv,
 	}
 }
 
-/**
- * Implementation of crypter_t.get_block_size.
- */
-static size_t get_block_size (private_aes_crypter_t *this)
+METHOD(crypter_t, get_block_size, size_t,
+	private_aes_crypter_t *this)
 {
 	return AES_BLOCK_SIZE;
 }
 
-/**
- * Implementation of crypter_t.get_key_size.
- */
-static size_t get_key_size (private_aes_crypter_t *this)
+METHOD(crypter_t, get_iv_size, size_t,
+	private_aes_crypter_t *this)
+{
+	return AES_BLOCK_SIZE;
+}
+
+METHOD(crypter_t, get_key_size, size_t,
+	private_aes_crypter_t *this)
 {
 	return this->key_size;
 }
 
-/**
- * Implementation of crypter_t.set_key.
- */
-static void set_key (private_aes_crypter_t *this, chunk_t key)
+METHOD(crypter_t, set_key, void,
+	private_aes_crypter_t *this, chunk_t key)
 {
 	u_int32_t    *kf, *kt, rci, f = 0;
 	u_int8_t *in_key = key.ptr;
@@ -1498,8 +1491,8 @@ static void set_key (private_aes_crypter_t *this, chunk_t key)
 	}
 
 	if(!f)
-    {
-		u_int32_t    i;
+	{
+		u_int32_t i;
 
 		kt = this->aes_d_key + nc * this->aes_Nrnd;
 		kf = this->aes_e_key;
@@ -1517,15 +1510,13 @@ static void set_key (private_aes_crypter_t *this, chunk_t key)
 			cpy(kt, kf);
 #endif
 			kt -= 2 * nc;
-        }
+		}
 		cpy(kt, kf);
-    }
+	}
 }
 
-/**
- * Implementation of crypter_t.destroy and aes_crypter_t.destroy.
- */
-static void destroy (private_aes_crypter_t *this)
+METHOD(crypter_t, destroy, void,
+	private_aes_crypter_t *this)
 {
 	free(this);
 }
@@ -1541,36 +1532,38 @@ aes_crypter_t *aes_crypter_create(encryption_algorithm_t algo, size_t key_size)
 	{
 		return NULL;
 	}
-
-	this = malloc_thing(private_aes_crypter_t);
+	switch (key_size)
+	{
+		case 0:
+			key_size = 16;
+			break;
+		case 32:
+		case 24:
+		case 16:
+			break;
+		default:
+			return NULL;
+	}
 
 	#if !defined(FIXED_TABLES)
 	if(!tab_gen) { gen_tabs(); tab_gen = 1; }
 	#endif
 
-	this->key_size = key_size;
-	switch(key_size)
-	{
-	case 32:        /* bytes */
-		this->aes_Nkey = 8;
-		break;
-	case 24:        /* bytes */
-		this->aes_Nkey = 6;
-		break;
-	case 16:        /* bytes */
-		this->aes_Nkey = 4;
-		break;
-	default:
-		free(this);
-		return NULL;
-	}
-
-	this->public.crypter_interface.encrypt = (void (*) (crypter_t *, chunk_t,chunk_t, chunk_t *)) encrypt;
-	this->public.crypter_interface.decrypt = (void (*) (crypter_t *, chunk_t , chunk_t, chunk_t *)) decrypt;
-	this->public.crypter_interface.get_block_size = (size_t (*) (crypter_t *)) get_block_size;
-	this->public.crypter_interface.get_key_size = (size_t (*) (crypter_t *)) get_key_size;
-	this->public.crypter_interface.set_key = (void (*) (crypter_t *,chunk_t)) set_key;
-	this->public.crypter_interface.destroy = (void (*) (crypter_t *)) destroy;
-
-	return &(this->public);
+	INIT(this,
+		.public = {
+			.crypter = {
+				.encrypt = _encrypt,
+				.decrypt = _decrypt,
+				.get_block_size = _get_block_size,
+				.get_iv_size = _get_iv_size,
+				.get_key_size = _get_key_size,
+				.set_key = _set_key,
+				.destroy = _destroy,
+			},
+		},
+		.key_size = key_size,
+		.aes_Nkey = key_size / 4,
+	);
+
+	return &this->public;
 }
diff --git a/src/libstrongswan/plugins/aes/aes_crypter.h b/src/libstrongswan/plugins/aes/aes_crypter.h
index 061d72fd6..473772f04 100644
--- a/src/libstrongswan/plugins/aes/aes_crypter.h
+++ b/src/libstrongswan/plugins/aes/aes_crypter.h
@@ -32,9 +32,9 @@ typedef struct aes_crypter_t aes_crypter_t;
 struct aes_crypter_t {
 
 	/**
-	 * The crypter_t interface.
+	 * Implements crypter_t interface.
 	 */
-	crypter_t crypter_interface;
+	crypter_t crypter;
 };
 
 /**
diff --git a/src/libstrongswan/plugins/aes/aes_plugin.c b/src/libstrongswan/plugins/aes/aes_plugin.c
index 1e920f8cc..22b47e334 100644
--- a/src/libstrongswan/plugins/aes/aes_plugin.c
+++ b/src/libstrongswan/plugins/aes/aes_plugin.c
@@ -31,10 +31,8 @@ struct private_aes_plugin_t {
 	aes_plugin_t public;
 };
 
-/**
- * Implementation of aes_plugin_t.destroy
- */
-static void destroy(private_aes_plugin_t *this)
+METHOD(plugin_t, destroy, void,
+	private_aes_plugin_t *this)
 {
 	lib->crypto->remove_crypter(lib->crypto,
 								(crypter_constructor_t)aes_crypter_create);
@@ -46,9 +44,15 @@ static void destroy(private_aes_plugin_t *this)
  */
 plugin_t *aes_plugin_create()
 {
-	private_aes_plugin_t *this = malloc_thing(private_aes_plugin_t);
-
-	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+	private_aes_plugin_t *this;
+
+	INIT(this,
+		.public = {
+			.plugin = {
+				.destroy = _destroy,
+			},
+		},
+	);
 
 	lib->crypto->add_crypter(lib->crypto, ENCR_AES_CBC,
 							 (crypter_constructor_t)aes_crypter_create);
diff --git a/src/libstrongswan/plugins/agent/Makefile.in b/src/libstrongswan/plugins/agent/Makefile.in
index c95e7b778..9f65f4ffb 100644
--- a/src/libstrongswan/plugins/agent/Makefile.in
+++ b/src/libstrongswan/plugins/agent/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -166,6 +167,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -197,14 +200,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -219,24 +225,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -244,7 +257,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libstrongswan/plugins/agent/agent_plugin.c b/src/libstrongswan/plugins/agent/agent_plugin.c
index d40b437bb..bd3c1ac75 100644
--- a/src/libstrongswan/plugins/agent/agent_plugin.c
+++ b/src/libstrongswan/plugins/agent/agent_plugin.c
@@ -31,10 +31,8 @@ struct private_agent_plugin_t {
 	agent_plugin_t public;
 };
 
-/**
- * Implementation of agent_plugin_t.agenttroy
- */
-static void destroy(private_agent_plugin_t *this)
+METHOD(plugin_t, destroy, void,
+	private_agent_plugin_t *this)
 {
 	lib->creds->remove_builder(lib->creds,
 							   (builder_function_t)agent_private_key_open);
@@ -46,11 +44,17 @@ static void destroy(private_agent_plugin_t *this)
  */
 plugin_t *agent_plugin_create()
 {
-	private_agent_plugin_t *this = malloc_thing(private_agent_plugin_t);
+	private_agent_plugin_t *this;
 
-	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+	INIT(this,
+		.public = {
+			.plugin = {
+				.destroy = _destroy,
+			},
+		},
+	);
 
-	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, FALSE,
 							(builder_function_t)agent_private_key_open);
 	return &this->public.plugin;
 }
diff --git a/src/libstrongswan/plugins/agent/agent_private_key.c b/src/libstrongswan/plugins/agent/agent_private_key.c
index 51ddbecc6..0864f4118 100644
--- a/src/libstrongswan/plugins/agent/agent_private_key.c
+++ b/src/libstrongswan/plugins/agent/agent_private_key.c
@@ -205,7 +205,7 @@ static bool read_key(private_agent_private_key_t *this, public_key_t *pubkey)
 		{
 			break;;
 		}
-		if (pubkey && !private_key_belongs_to(&this->public.interface, pubkey))
+		if (pubkey && !private_key_belongs_to(&this->public.key, pubkey))
 		{
 			continue;
 		}
@@ -221,11 +221,9 @@ static bool read_key(private_agent_private_key_t *this, public_key_t *pubkey)
 	return FALSE;
 }
 
-/**
- * Implementation of agent_private_key.destroy.
- */
-static bool sign(private_agent_private_key_t *this, signature_scheme_t scheme,
-				 chunk_t data, chunk_t *signature)
+METHOD(private_key_t, sign, bool,
+	private_agent_private_key_t *this, signature_scheme_t scheme,
+	chunk_t data, chunk_t *signature)
 {
 	u_int32_t len, flags;
 	char buf[2048];
@@ -294,36 +292,28 @@ static bool sign(private_agent_private_key_t *this, signature_scheme_t scheme,
 	return TRUE;
 }
 
-/**
- * Implementation of agent_private_key.destroy.
- */
-static key_type_t get_type(private_agent_private_key_t *this)
+METHOD(private_key_t, get_type, key_type_t,
+	private_agent_private_key_t *this)
 {
 	return KEY_RSA;
 }
 
-/**
- * Implementation of agent_private_key.destroy.
- */
-static bool decrypt(private_agent_private_key_t *this,
-					chunk_t crypto, chunk_t *plain)
+METHOD(private_key_t, decrypt, bool,
+	private_agent_private_key_t *this, encryption_scheme_t scheme,
+	chunk_t crypto, chunk_t *plain)
 {
 	DBG1(DBG_LIB, "private key decryption not supported by ssh-agent");
 	return FALSE;
 }
 
-/**
- * Implementation of agent_private_key.destroy.
- */
-static size_t get_keysize(private_agent_private_key_t *this)
+METHOD(private_key_t, get_keysize, int,
+	private_agent_private_key_t *this)
 {
-	return this->key_size;
+	return this->key_size * 8;
 }
 
-/**
- * Implementation of agent_private_key.get_public_key.
- */
-static public_key_t* get_public_key(private_agent_private_key_t *this)
+METHOD(private_key_t, get_public_key, public_key_t*,
+	private_agent_private_key_t *this)
 {
 	chunk_t key, n, e;
 
@@ -336,20 +326,15 @@ static public_key_t* get_public_key(private_agent_private_key_t *this)
 						BUILD_RSA_MODULUS, n, BUILD_RSA_PUB_EXP, e, BUILD_END);
 }
 
-/**
- * Implementation of private_key_t.get_encoding
- */
-static bool get_encoding(private_agent_private_key_t *this,
-						 cred_encoding_type_t type, chunk_t *encoding)
+METHOD(private_key_t, get_encoding, bool,
+	private_agent_private_key_t *this, cred_encoding_type_t type,
+	chunk_t *encoding)
 {
 	return FALSE;
 }
 
-/**
- * Implementation of private_key_t.get_fingerprint
- */
-static bool get_fingerprint(private_agent_private_key_t *this,
-							cred_encoding_type_t type, chunk_t *fp)
+METHOD(private_key_t, get_fingerprint, bool,
+	private_agent_private_key_t *this, cred_encoding_type_t type, chunk_t *fp)
 {
 	chunk_t n, e, key;
 
@@ -366,19 +351,15 @@ static bool get_fingerprint(private_agent_private_key_t *this,
 			CRED_PART_RSA_MODULUS, n, CRED_PART_RSA_PUB_EXP, e, CRED_PART_END);
 }
 
-/**
- * Implementation of agent_private_key.get_ref.
- */
-static private_agent_private_key_t* get_ref(private_agent_private_key_t *this)
+METHOD(private_key_t, get_ref, private_key_t*,
+	private_agent_private_key_t *this)
 {
 	ref_get(&this->ref);
-	return this;
+	return &this->public.key;
 }
 
-/**
- * Implementation of agent_private_key.destroy.
- */
-static void destroy(private_agent_private_key_t *this)
+METHOD(private_key_t, destroy, void,
+	private_agent_private_key_t *this)
 {
 	if (ref_put(&this->ref))
 	{
@@ -420,20 +401,25 @@ agent_private_key_t *agent_private_key_open(key_type_t type, va_list args)
 		return FALSE;
 	}
 
-	this = malloc_thing(private_agent_private_key_t);
-
-	this->public.interface.get_type = (key_type_t (*)(private_key_t *this))get_type;
-	this->public.interface.sign = (bool (*)(private_key_t *this, signature_scheme_t scheme, chunk_t data, chunk_t *signature))sign;
-	this->public.interface.decrypt = (bool (*)(private_key_t *this, chunk_t crypto, chunk_t *plain))decrypt;
-	this->public.interface.get_keysize = (size_t (*) (private_key_t *this))get_keysize;
-	this->public.interface.get_public_key = (public_key_t* (*)(private_key_t *this))get_public_key;
-	this->public.interface.belongs_to = private_key_belongs_to;
-	this->public.interface.equals = private_key_equals;
-	this->public.interface.get_fingerprint = (bool(*)(private_key_t*, cred_encoding_type_t type, chunk_t *fp))get_fingerprint;
-	this->public.interface.has_fingerprint = (bool(*)(private_key_t*, chunk_t fp))private_key_has_fingerprint;
-	this->public.interface.get_encoding = (bool(*)(private_key_t*, cred_encoding_type_t type, chunk_t *encoding))get_encoding;
-	this->public.interface.get_ref = (private_key_t* (*)(private_key_t *this))get_ref;
-	this->public.interface.destroy = (void (*)(private_key_t *this))destroy;
+	INIT(this,
+		.public = {
+			.key = {
+				.get_type = _get_type,
+				.sign = _sign,
+				.decrypt = _decrypt,
+				.get_keysize = _get_keysize,
+				.get_public_key = _get_public_key,
+				.belongs_to = private_key_belongs_to,
+				.equals = private_key_equals,
+				.get_fingerprint = _get_fingerprint,
+				.has_fingerprint = private_key_has_fingerprint,
+				.get_encoding = _get_encoding,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+		},
+		.ref = 1,
+	);
 
 	this->socket = open_connection(path);
 	if (this->socket < 0)
@@ -441,9 +427,6 @@ agent_private_key_t *agent_private_key_open(key_type_t type, va_list args)
 		free(this);
 		return NULL;
 	}
-	this->key = chunk_empty;
-	this->ref = 1;
-
 	if (!read_key(this, pubkey))
 	{
 		destroy(this);
diff --git a/src/libstrongswan/plugins/agent/agent_private_key.h b/src/libstrongswan/plugins/agent/agent_private_key.h
index 3d9500c1a..0623f2bb9 100644
--- a/src/libstrongswan/plugins/agent/agent_private_key.h
+++ b/src/libstrongswan/plugins/agent/agent_private_key.h
@@ -34,7 +34,7 @@ struct agent_private_key_t {
 	/**
 	 * Implements private_key_t interface
 	 */
-	private_key_t interface;
+	private_key_t key;
 };
 
 /**
diff --git a/src/libstrongswan/plugins/blowfish/Makefile.in b/src/libstrongswan/plugins/blowfish/Makefile.in
index 6a82ce94a..d310843ac 100644
--- a/src/libstrongswan/plugins/blowfish/Makefile.in
+++ b/src/libstrongswan/plugins/blowfish/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -168,6 +169,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -199,14 +202,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -221,24 +227,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -246,7 +259,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libstrongswan/plugins/blowfish/blowfish_crypter.c b/src/libstrongswan/plugins/blowfish/blowfish_crypter.c
index fb856ed37..784c07eaf 100644
--- a/src/libstrongswan/plugins/blowfish/blowfish_crypter.c
+++ b/src/libstrongswan/plugins/blowfish/blowfish_crypter.c
@@ -68,8 +68,6 @@ typedef struct private_blowfish_crypter_t private_blowfish_crypter_t;
 
 /**
  * Class implementing the Blowfish symmetric encryption algorithm.
- *
- * @ingroup crypters
  */
 struct private_blowfish_crypter_t {
 
@@ -89,11 +87,9 @@ struct private_blowfish_crypter_t {
 	u_int32_t key_size;
 };
 
-/**
- * Implementation of crypter_t.decrypt.
- */
-static void decrypt(private_blowfish_crypter_t *this, chunk_t data, chunk_t iv,
-					chunk_t *decrypted)
+METHOD(crypter_t, decrypt, void,
+	private_blowfish_crypter_t *this, chunk_t data, chunk_t iv,
+	chunk_t *decrypted)
 {
 	u_int8_t *in, *out;
 
@@ -114,11 +110,9 @@ static void decrypt(private_blowfish_crypter_t *this, chunk_t data, chunk_t iv,
 	free(iv.ptr);
 }
 
-/**
- * Implementation of crypter_t.decrypt.
- */
-static void encrypt (private_blowfish_crypter_t *this, chunk_t data, chunk_t iv,
-					 chunk_t *encrypted)
+METHOD(crypter_t, encrypt, void,
+	private_blowfish_crypter_t *this, chunk_t data, chunk_t iv,
+	chunk_t *encrypted)
 {
 	u_int8_t *in, *out;
 
@@ -139,34 +133,32 @@ static void encrypt (private_blowfish_crypter_t *this, chunk_t data, chunk_t iv,
 	free(iv.ptr);
 }
 
-/**
- * Implementation of crypter_t.get_block_size.
- */
-static size_t get_block_size (private_blowfish_crypter_t *this)
+METHOD(crypter_t, get_block_size, size_t,
+	private_blowfish_crypter_t *this)
 {
 	return BLOWFISH_BLOCK_SIZE;
 }
 
-/**
- * Implementation of crypter_t.get_key_size.
- */
-static size_t get_key_size (private_blowfish_crypter_t *this)
+METHOD(crypter_t, get_iv_size, size_t,
+	private_blowfish_crypter_t *this)
+{
+	return BLOWFISH_BLOCK_SIZE;
+}
+
+METHOD(crypter_t, get_key_size, size_t,
+	private_blowfish_crypter_t *this)
 {
 	return this->key_size;
 }
 
-/**
- * Implementation of crypter_t.set_key.
- */
-static void set_key (private_blowfish_crypter_t *this, chunk_t key)
+METHOD(crypter_t, set_key, void,
+	private_blowfish_crypter_t *this, chunk_t key)
 {
 	BF_set_key(&this->schedule, key.len , key.ptr);
 }
 
-/**
- * Implementation of crypter_t.destroy and blowfish_crypter_t.destroy.
- */
-static void destroy (private_blowfish_crypter_t *this)
+METHOD(crypter_t, destroy, void,
+	private_blowfish_crypter_t *this)
 {
 	free(this);
 }
@@ -174,7 +166,8 @@ static void destroy (private_blowfish_crypter_t *this)
 /*
  * Described in header
  */
-blowfish_crypter_t *blowfish_crypter_create(encryption_algorithm_t algo, size_t key_size)
+blowfish_crypter_t *blowfish_crypter_create(encryption_algorithm_t algo,
+											size_t key_size)
 {
 	private_blowfish_crypter_t *this;
 
@@ -183,15 +176,20 @@ blowfish_crypter_t *blowfish_crypter_create(encryption_algorithm_t algo, size_t
 		return NULL;
 	}
 
-	this = malloc_thing(private_blowfish_crypter_t);
-
-	this->key_size = key_size;
-	this->public.crypter_interface.encrypt = (void (*) (crypter_t *, chunk_t,chunk_t, chunk_t *)) encrypt;
-	this->public.crypter_interface.decrypt = (void (*) (crypter_t *, chunk_t , chunk_t, chunk_t *)) decrypt;
-	this->public.crypter_interface.get_block_size = (size_t (*) (crypter_t *)) get_block_size;
-	this->public.crypter_interface.get_key_size = (size_t (*) (crypter_t *)) get_key_size;
-	this->public.crypter_interface.set_key = (void (*) (crypter_t *,chunk_t)) set_key;
-	this->public.crypter_interface.destroy = (void (*) (crypter_t *)) destroy;
-
-	return &(this->public);
+	INIT(this,
+		.public = {
+			.crypter = {
+				.encrypt = _encrypt,
+				.decrypt = _decrypt,
+				.get_block_size = _get_block_size,
+				.get_iv_size = _get_iv_size,
+				.get_key_size = _get_key_size,
+				.set_key = _set_key,
+				.destroy = _destroy,
+			},
+		},
+		.key_size = key_size ?: 16,
+	);
+
+	return &this->public;
 }
diff --git a/src/libstrongswan/plugins/blowfish/blowfish_crypter.h b/src/libstrongswan/plugins/blowfish/blowfish_crypter.h
index 71cc09cd0..70dcae66e 100644
--- a/src/libstrongswan/plugins/blowfish/blowfish_crypter.h
+++ b/src/libstrongswan/plugins/blowfish/blowfish_crypter.h
@@ -32,9 +32,9 @@ typedef struct blowfish_crypter_t blowfish_crypter_t;
 struct blowfish_crypter_t {
 
 	/**
-	 * The crypter_t interface.
+	 * Implements crypter_t interface.
 	 */
-	crypter_t crypter_interface;
+	crypter_t crypter;
 };
 
 /**
diff --git a/src/libstrongswan/plugins/blowfish/blowfish_plugin.c b/src/libstrongswan/plugins/blowfish/blowfish_plugin.c
index f9fb605b3..6ab093d7b 100644
--- a/src/libstrongswan/plugins/blowfish/blowfish_plugin.c
+++ b/src/libstrongswan/plugins/blowfish/blowfish_plugin.c
@@ -32,10 +32,8 @@ struct private_blowfish_plugin_t {
 	blowfish_plugin_t public;
 };
 
-/**
- * Implementation of blowfish_plugin_t.destroy
- */
-static void destroy(private_blowfish_plugin_t *this)
+METHOD(plugin_t, destroy, void,
+	private_blowfish_plugin_t *this)
 {
 	lib->crypto->remove_crypter(lib->crypto,
 								(crypter_constructor_t)blowfish_crypter_create);
@@ -47,9 +45,15 @@ static void destroy(private_blowfish_plugin_t *this)
  */
 plugin_t *blowfish_plugin_create()
 {
-	private_blowfish_plugin_t *this = malloc_thing(private_blowfish_plugin_t);
-
-	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+	private_blowfish_plugin_t *this;
+
+	INIT(this,
+		.public = {
+			.plugin = {
+				.destroy = _destroy,
+			},
+		},
+	);
 
 	lib->crypto->add_crypter(lib->crypto, ENCR_BLOWFISH,
 							 (crypter_constructor_t)blowfish_crypter_create);
diff --git a/src/libstrongswan/plugins/ccm/Makefile.am b/src/libstrongswan/plugins/ccm/Makefile.am
new file mode 100644
index 000000000..bca1f0735
--- /dev/null
+++ b/src/libstrongswan/plugins/ccm/Makefile.am
@@ -0,0 +1,16 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = -rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-ccm.la
+else
+plugin_LTLIBRARIES = libstrongswan-ccm.la
+endif
+
+libstrongswan_ccm_la_SOURCES = \
+	ccm_plugin.h ccm_plugin.c \
+	ccm_aead.h ccm_aead.c
+
+libstrongswan_ccm_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/ccm/Makefile.in b/src/libstrongswan/plugins/ccm/Makefile.in
new file mode 100644
index 000000000..017d75c48
--- /dev/null
+++ b/src/libstrongswan/plugins/ccm/Makefile.in
@@ -0,0 +1,600 @@
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libstrongswan/plugins/ccm
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_ccm_la_LIBADD =
+am_libstrongswan_ccm_la_OBJECTS = ccm_plugin.lo ccm_aead.lo
+libstrongswan_ccm_la_OBJECTS = $(am_libstrongswan_ccm_la_OBJECTS)
+libstrongswan_ccm_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_ccm_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_ccm_la_rpath = -rpath $(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_ccm_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_ccm_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_ccm_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+AM_CFLAGS = -rdynamic
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-ccm.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-ccm.la
+libstrongswan_ccm_la_SOURCES = \
+	ccm_plugin.h ccm_plugin.c \
+	ccm_aead.h ccm_aead.c
+
+libstrongswan_ccm_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/ccm/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libstrongswan/plugins/ccm/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-ccm.la: $(libstrongswan_ccm_la_OBJECTS) $(libstrongswan_ccm_la_DEPENDENCIES) 
+	$(libstrongswan_ccm_la_LINK) $(am_libstrongswan_ccm_la_rpath) $(libstrongswan_ccm_la_OBJECTS) $(libstrongswan_ccm_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ccm_aead.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ccm_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libstrongswan/plugins/ccm/ccm_aead.c b/src/libstrongswan/plugins/ccm/ccm_aead.c
new file mode 100644
index 000000000..7fee2b3c4
--- /dev/null
+++ b/src/libstrongswan/plugins/ccm/ccm_aead.c
@@ -0,0 +1,397 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ccm_aead.h"
+
+#define BLOCK_SIZE 16
+#define SALT_SIZE 3
+#define IV_SIZE 8
+#define NONCE_SIZE (SALT_SIZE + IV_SIZE) /* 11 */
+#define Q_SIZE (BLOCK_SIZE - NONCE_SIZE - 1) /* 4 */
+
+typedef struct private_ccm_aead_t private_ccm_aead_t;
+
+/**
+ * Private data of an ccm_aead_t object.
+ */
+struct private_ccm_aead_t {
+
+	/**
+	 * Public ccm_aead_t interface.
+	 */
+	ccm_aead_t public;
+
+	/**
+	 * Underlying CBC crypter.
+	 */
+	crypter_t *crypter;
+
+	/**
+	 * Length of the integrity check value
+	 */
+	size_t icv_size;
+
+	/**
+	 * salt to add to nonce
+	 */
+	u_char salt[SALT_SIZE];
+};
+
+/**
+ * First block with control information
+ */
+typedef struct __attribute__((packed)) {
+	BITFIELD4(u_int8_t,
+		/* size of p length field q, as q-1 */
+		q_len: 3,
+		/* size of our ICV t, as (t-2)/2 */
+		t_len: 3,
+		/* do we have associated data */
+		assoc: 1,
+		reserved: 1,
+	) flags;
+	/* nonce value */
+	struct __attribute__((packed)) {
+		u_char salt[SALT_SIZE];
+		u_char iv[IV_SIZE];
+	} nonce;
+	/* lenght of plain text, q */
+	u_char q[Q_SIZE];
+} b0_t;
+
+/**
+ * Counter block
+ */
+typedef struct __attribute__((packed)) {
+	BITFIELD3(u_int8_t,
+		/* size of p length field q, as q-1 */
+		q_len: 3,
+		zero: 3,
+		reserved: 2,
+	) flags;
+	/* nonce value */
+	struct __attribute__((packed)) {
+		u_char salt[SALT_SIZE];
+		u_char iv[IV_SIZE];
+	} nonce;
+	/* counter value */
+	u_char i[Q_SIZE];
+} ctr_t;
+
+/**
+ * Build the first block B0
+ */
+static void build_b0(private_ccm_aead_t *this, chunk_t plain, chunk_t assoc,
+					 chunk_t iv, char *out)
+{
+	b0_t *block = (b0_t*)out;
+
+	block->flags.reserved = 0;
+	block->flags.assoc = assoc.len ? 1 : 0;
+	block->flags.t_len = (this->icv_size - 2) / 2;
+	block->flags.q_len = Q_SIZE - 1;
+	memcpy(block->nonce.salt, this->salt, SALT_SIZE);
+	memcpy(block->nonce.iv, iv.ptr, IV_SIZE);
+	htoun32(block->q, plain.len);
+}
+
+/**
+ * Build a counter block for counter i
+ */
+static void build_ctr(private_ccm_aead_t *this, u_int32_t i, chunk_t iv,
+					  char *out)
+{
+	ctr_t *ctr = (ctr_t*)out;
+
+	ctr->flags.reserved = 0;
+	ctr->flags.zero = 0;
+	ctr->flags.q_len = Q_SIZE - 1;
+	memcpy(ctr->nonce.salt, this->salt, SALT_SIZE);
+	memcpy(ctr->nonce.iv, iv.ptr, IV_SIZE);
+	htoun32(ctr->i, i);
+}
+
+/**
+ * En-/Decrypt data
+ */
+static void crypt_data(private_ccm_aead_t *this, chunk_t iv,
+					   chunk_t in, chunk_t out)
+{
+	char ctr[BLOCK_SIZE];
+	char zero[BLOCK_SIZE];
+	char block[BLOCK_SIZE];
+
+	build_ctr(this, 1, iv, ctr);
+	memset(zero, 0, BLOCK_SIZE);
+
+	while (in.len > 0)
+	{
+		memcpy(block, ctr, BLOCK_SIZE);
+		this->crypter->encrypt(this->crypter, chunk_from_thing(block),
+							   chunk_from_thing(zero), NULL);
+		chunk_increment(chunk_from_thing(ctr));
+
+		if (in.ptr != out.ptr)
+		{
+			memcpy(out.ptr, in.ptr, min(in.len, BLOCK_SIZE));
+		}
+		memxor(out.ptr, block, min(in.len, BLOCK_SIZE));
+		in = chunk_skip(in, BLOCK_SIZE);
+		out = chunk_skip(out, BLOCK_SIZE);
+	}
+}
+
+/**
+ * En-/Decrypt the ICV
+ */
+static void crypt_icv(private_ccm_aead_t *this, chunk_t iv, char *icv)
+{
+	char ctr[BLOCK_SIZE];
+	char zero[BLOCK_SIZE];
+
+	build_ctr(this, 0, iv, ctr);
+	memset(zero, 0, BLOCK_SIZE);
+
+	this->crypter->encrypt(this->crypter, chunk_from_thing(ctr),
+						   chunk_from_thing(zero), NULL);
+	memxor(icv, ctr, this->icv_size);
+}
+
+/**
+ * Create the ICV
+ */
+static void create_icv(private_ccm_aead_t *this, chunk_t plain, chunk_t assoc,
+					   chunk_t iv, char *icv)
+{
+	char zero[BLOCK_SIZE];
+	chunk_t chunk;
+	char *pos;
+	int r, len;
+
+	memset(zero, 0, BLOCK_SIZE);
+
+	/* calculate number of blocks, including b0 */
+	r = 1;
+	if (assoc.len)
+	{	/* assoc gets a 2 byte length header, gets padded to BLOCK_SIZE */
+		r += (2 + assoc.len + BLOCK_SIZE - 1) / BLOCK_SIZE;
+	}
+	/* plain text gets padded to BLOCK_SIZE */
+	r += (plain.len + BLOCK_SIZE - 1) / BLOCK_SIZE;
+
+	/* concatenate data to a new chunk */
+	chunk = chunk_alloc(r * BLOCK_SIZE);
+	/* write control block */
+	build_b0(this, plain, assoc, iv, chunk.ptr);
+	pos = chunk.ptr + BLOCK_SIZE;
+	/* append associated data, with length header */
+	if (assoc.len)
+	{
+		/* currently we support two byte headers only (up to 2^16-2^8 bytes) */
+		htoun16(pos, assoc.len);
+		memcpy(pos + 2, assoc.ptr, assoc.len);
+		pos += 2 + assoc.len;
+		/* padding */
+		len = (BLOCK_SIZE - ((2 + assoc.len) % BLOCK_SIZE)) % BLOCK_SIZE;
+		memset(pos, 0, len);
+		pos += len;
+	}
+	/* write plain data */
+	memcpy(pos, plain.ptr, plain.len);
+	pos += plain.len;
+	/* padding */
+	len = (BLOCK_SIZE - (plain.len % BLOCK_SIZE)) % BLOCK_SIZE;
+
+	memset(pos, 0, len);
+
+	/* encrypt inline with CBC, zero IV */
+	this->crypter->encrypt(this->crypter, chunk, chunk_from_thing(zero), NULL);
+	/* copy last icv_size bytes as ICV to output */
+	memcpy(icv, chunk.ptr + chunk.len - BLOCK_SIZE, this->icv_size);
+
+	/* encrypt the ICV value */
+	crypt_icv(this, iv, icv);
+
+	free(chunk.ptr);
+}
+
+/**
+ * Verify the ICV
+ */
+static bool verify_icv(private_ccm_aead_t *this, chunk_t plain, chunk_t assoc,
+					   chunk_t iv, char *icv)
+{
+	char buf[this->icv_size];
+
+	create_icv(this, plain, assoc, iv, buf);
+
+	return memeq(buf, icv, this->icv_size);
+}
+
+METHOD(aead_t, encrypt, void,
+	private_ccm_aead_t *this, chunk_t plain, chunk_t assoc, chunk_t iv,
+	chunk_t *encrypted)
+{
+	if (encrypted)
+	{
+		*encrypted = chunk_alloc(plain.len + this->icv_size);
+		create_icv(this, plain, assoc, iv, encrypted->ptr + plain.len);
+		crypt_data(this, iv, plain, *encrypted);
+	}
+	else
+	{
+		create_icv(this, plain, assoc, iv, plain.ptr + plain.len);
+		crypt_data(this, iv, plain, plain);
+	}
+}
+
+METHOD(aead_t, decrypt, bool,
+	private_ccm_aead_t *this, chunk_t encrypted, chunk_t assoc, chunk_t iv,
+	chunk_t *plain)
+{
+	if (encrypted.len < this->icv_size)
+	{
+		return FALSE;
+	}
+	encrypted.len -= this->icv_size;
+	if (plain)
+	{
+		*plain = chunk_alloc(encrypted.len);
+		crypt_data(this, iv, encrypted, *plain);
+		return verify_icv(this, *plain, assoc, iv,
+						  encrypted.ptr + encrypted.len);
+	}
+	else
+	{
+		crypt_data(this, iv, encrypted, encrypted);
+		return verify_icv(this, encrypted, assoc, iv,
+						  encrypted.ptr + encrypted.len);
+	}
+}
+
+METHOD(aead_t, get_block_size, size_t,
+	private_ccm_aead_t *this)
+{
+	return 1;
+}
+
+METHOD(aead_t, get_icv_size, size_t,
+	private_ccm_aead_t *this)
+{
+	return this->icv_size;
+}
+
+METHOD(aead_t, get_iv_size, size_t,
+	private_ccm_aead_t *this)
+{
+	return IV_SIZE;
+}
+
+METHOD(aead_t, get_key_size, size_t,
+	private_ccm_aead_t *this)
+{
+	return this->crypter->get_key_size(this->crypter) + SALT_SIZE;
+}
+
+METHOD(aead_t, set_key, void,
+	private_ccm_aead_t *this, chunk_t key)
+{
+	memcpy(this->salt, key.ptr + key.len - SALT_SIZE, SALT_SIZE);
+	key.len -= SALT_SIZE;
+	this->crypter->set_key(this->crypter, key);
+}
+
+METHOD(aead_t, destroy, void,
+	private_ccm_aead_t *this)
+{
+	this->crypter->destroy(this->crypter);
+	free(this);
+}
+
+/**
+ * See header
+ */
+ccm_aead_t *ccm_aead_create(encryption_algorithm_t algo, size_t key_size)
+{
+	private_ccm_aead_t *this;
+	size_t icv_size;
+
+	switch (key_size)
+	{
+		case 0:
+			key_size = 16;
+			break;
+		case 16:
+		case 24:
+		case 32:
+			break;
+		default:
+			return NULL;
+	}
+	switch (algo)
+	{
+		case ENCR_AES_CCM_ICV8:
+			algo = ENCR_AES_CBC;
+			icv_size = 8;
+			break;
+		case ENCR_AES_CCM_ICV12:
+			algo = ENCR_AES_CBC;
+			icv_size = 12;
+			break;
+		case ENCR_AES_CCM_ICV16:
+			algo = ENCR_AES_CBC;
+			icv_size = 16;
+			break;
+		case ENCR_CAMELLIA_CCM_ICV8:
+			algo = ENCR_CAMELLIA_CBC;
+			icv_size = 8;
+			break;
+		case ENCR_CAMELLIA_CCM_ICV12:
+			algo = ENCR_CAMELLIA_CBC;
+			icv_size = 12;
+			break;
+		case ENCR_CAMELLIA_CCM_ICV16:
+			algo = ENCR_CAMELLIA_CBC;
+			icv_size = 16;
+			break;
+		default:
+			return NULL;
+	}
+
+	INIT(this,
+		.public = {
+			.aead = {
+				.encrypt = _encrypt,
+				.decrypt = _decrypt,
+				.get_block_size = _get_block_size,
+				.get_icv_size = _get_icv_size,
+				.get_iv_size = _get_iv_size,
+				.get_key_size = _get_key_size,
+				.set_key = _set_key,
+				.destroy = _destroy,
+			},
+		},
+		.crypter = lib->crypto->create_crypter(lib->crypto, algo, key_size),
+		.icv_size = icv_size,
+	);
+
+	if (!this->crypter)
+	{
+		free(this);
+		return NULL;
+	}
+
+	return &this->public;
+}
diff --git a/src/libstrongswan/plugins/ccm/ccm_aead.h b/src/libstrongswan/plugins/ccm/ccm_aead.h
new file mode 100644
index 000000000..d5e302f94
--- /dev/null
+++ b/src/libstrongswan/plugins/ccm/ccm_aead.h
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ccm_aead ccm_aead
+ * @{ @ingroup ccm
+ */
+
+#ifndef CCM_AEAD_H_
+#define CCM_AEAD_H_
+
+#include <crypto/aead.h>
+
+typedef struct ccm_aead_t ccm_aead_t;
+
+/**
+ * Counter with Cipher Block Chaining-Message Authentication Code (CCM).
+ *
+ * Implements CCM as specified in NIST 800-38B, using AEAD semantics from
+ * RFC 5282, based on RFC4309.
+ */
+struct ccm_aead_t {
+
+	/**
+	 * Implements aead_t interface.
+	 */
+	aead_t aead;
+};
+
+/**
+ * Create a ccm_aead instance.
+ *
+ * @param key_size		key size in bytes
+ * @param algo			algorithm to implement, a CCM mode
+ * @return				aead, NULL if not supported
+ */
+ccm_aead_t *ccm_aead_create(encryption_algorithm_t algo, size_t key_size);
+
+#endif /** CCM_AEAD_H_ @}*/
diff --git a/src/libstrongswan/plugins/ccm/ccm_plugin.c b/src/libstrongswan/plugins/ccm/ccm_plugin.c
new file mode 100644
index 000000000..5fc3b14d7
--- /dev/null
+++ b/src/libstrongswan/plugins/ccm/ccm_plugin.c
@@ -0,0 +1,69 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ccm_plugin.h"
+
+#include <library.h>
+
+#include "ccm_aead.h"
+
+typedef struct private_ccm_plugin_t private_ccm_plugin_t;
+
+/**
+ * private data of ccm_plugin
+ */
+struct private_ccm_plugin_t {
+
+	/**
+	 * public functions
+	 */
+	ccm_plugin_t public;
+};
+
+METHOD(plugin_t, destroy, void,
+	private_ccm_plugin_t *this)
+{
+	lib->crypto->remove_aead(lib->crypto,
+					(aead_constructor_t)ccm_aead_create);
+
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *ccm_plugin_create()
+{
+	private_ccm_plugin_t *this;
+
+	INIT(this,
+		.public.plugin.destroy = _destroy,
+	);
+
+	lib->crypto->add_aead(lib->crypto, ENCR_AES_CCM_ICV8,
+					(aead_constructor_t)ccm_aead_create);
+	lib->crypto->add_aead(lib->crypto, ENCR_AES_CCM_ICV12,
+					(aead_constructor_t)ccm_aead_create);
+	lib->crypto->add_aead(lib->crypto, ENCR_AES_CCM_ICV16,
+					(aead_constructor_t)ccm_aead_create);
+	lib->crypto->add_aead(lib->crypto, ENCR_CAMELLIA_CCM_ICV8,
+					(aead_constructor_t)ccm_aead_create);
+	lib->crypto->add_aead(lib->crypto, ENCR_CAMELLIA_CCM_ICV12,
+					(aead_constructor_t)ccm_aead_create);
+	lib->crypto->add_aead(lib->crypto, ENCR_CAMELLIA_CCM_ICV16,
+					(aead_constructor_t)ccm_aead_create);
+
+	return &this->public.plugin;
+}
diff --git a/src/libstrongswan/plugins/ccm/ccm_plugin.h b/src/libstrongswan/plugins/ccm/ccm_plugin.h
new file mode 100644
index 000000000..9a3252012
--- /dev/null
+++ b/src/libstrongswan/plugins/ccm/ccm_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ccm ccm
+ * @ingroup plugins
+ *
+ * @defgroup ccm_plugin ccm_plugin
+ * @{ @ingroup ccm
+ */
+
+#ifndef CCM_PLUGIN_H_
+#define CCM_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct ccm_plugin_t ccm_plugin_t;
+
+/**
+ * Plugin providing CCM mode operation.
+ */
+struct ccm_plugin_t {
+
+	/**
+	 * Implements plugin interface.
+	 */
+	plugin_t plugin;
+};
+
+#endif /** CCM_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/ctr/Makefile.am b/src/libstrongswan/plugins/ctr/Makefile.am
new file mode 100644
index 000000000..893171aab
--- /dev/null
+++ b/src/libstrongswan/plugins/ctr/Makefile.am
@@ -0,0 +1,16 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = -rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-ctr.la
+else
+plugin_LTLIBRARIES = libstrongswan-ctr.la
+endif
+
+libstrongswan_ctr_la_SOURCES = \
+	ctr_plugin.h ctr_plugin.c \
+	ctr_ipsec_crypter.h ctr_ipsec_crypter.c
+
+libstrongswan_ctr_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/ctr/Makefile.in b/src/libstrongswan/plugins/ctr/Makefile.in
new file mode 100644
index 000000000..b51f57113
--- /dev/null
+++ b/src/libstrongswan/plugins/ctr/Makefile.in
@@ -0,0 +1,600 @@
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libstrongswan/plugins/ctr
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_ctr_la_LIBADD =
+am_libstrongswan_ctr_la_OBJECTS = ctr_plugin.lo ctr_ipsec_crypter.lo
+libstrongswan_ctr_la_OBJECTS = $(am_libstrongswan_ctr_la_OBJECTS)
+libstrongswan_ctr_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_ctr_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_ctr_la_rpath = -rpath $(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_ctr_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_ctr_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_ctr_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+AM_CFLAGS = -rdynamic
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-ctr.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-ctr.la
+libstrongswan_ctr_la_SOURCES = \
+	ctr_plugin.h ctr_plugin.c \
+	ctr_ipsec_crypter.h ctr_ipsec_crypter.c
+
+libstrongswan_ctr_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/ctr/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libstrongswan/plugins/ctr/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-ctr.la: $(libstrongswan_ctr_la_OBJECTS) $(libstrongswan_ctr_la_DEPENDENCIES) 
+	$(libstrongswan_ctr_la_LINK) $(am_libstrongswan_ctr_la_rpath) $(libstrongswan_ctr_la_OBJECTS) $(libstrongswan_ctr_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ctr_ipsec_crypter.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ctr_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libstrongswan/plugins/ctr/ctr_ipsec_crypter.c b/src/libstrongswan/plugins/ctr/ctr_ipsec_crypter.c
new file mode 100644
index 000000000..ddcae423b
--- /dev/null
+++ b/src/libstrongswan/plugins/ctr/ctr_ipsec_crypter.c
@@ -0,0 +1,173 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ctr_ipsec_crypter.h"
+
+typedef struct private_ctr_ipsec_crypter_t private_ctr_ipsec_crypter_t;
+
+/**
+ * Private data of an ctr_ipsec_crypter_t object.
+ */
+struct private_ctr_ipsec_crypter_t {
+
+	/**
+	 * Public ctr_ipsec_crypter_t interface.
+	 */
+	ctr_ipsec_crypter_t public;
+
+	/**
+	 * Underlying CBC crypter
+	 */
+	crypter_t *crypter;
+
+	/**
+	 * counter state
+	 */
+	struct {
+		char nonce[4];
+		char iv[8];
+		u_int32_t counter;
+	} __attribute__((packed)) state;
+};
+
+/**
+ * Do the CTR crypto operation
+ */
+static void crypt_ctr(private_ctr_ipsec_crypter_t *this,
+					  chunk_t in, chunk_t out)
+{
+	size_t is, bs;
+	chunk_t state;
+
+	is = this->crypter->get_iv_size(this->crypter);
+	bs = sizeof(this->state);
+
+	this->state.counter = htonl(1);
+	state = chunk_create((char*)&this->state, bs);
+
+	while (in.len > 0)
+	{
+		char iv[is], block[bs];
+
+		memset(iv, 0, is);
+		memcpy(block, state.ptr, bs);
+		this->crypter->encrypt(this->crypter,
+						chunk_create(block, bs), chunk_create(iv, is), NULL);
+		chunk_increment(state);
+
+		if (in.ptr != out.ptr)
+		{
+			memcpy(out.ptr, in.ptr, min(in.len, bs));
+		}
+		memxor(out.ptr, block, min(in.len, bs));
+		in = chunk_skip(in, bs);
+		out = chunk_skip(out, bs);
+	}
+}
+
+METHOD(crypter_t, crypt, void,
+	private_ctr_ipsec_crypter_t *this, chunk_t in, chunk_t iv, chunk_t *out)
+{
+	memcpy(this->state.iv, iv.ptr, sizeof(this->state.iv));
+
+	if (out)
+	{
+		*out = chunk_alloc(in.len);
+		crypt_ctr(this, in, *out);
+	}
+	else
+	{
+		crypt_ctr(this, in, in);
+	}
+}
+
+METHOD(crypter_t, get_block_size, size_t,
+	private_ctr_ipsec_crypter_t *this)
+{
+	return 1;
+}
+
+METHOD(crypter_t, get_iv_size, size_t,
+	private_ctr_ipsec_crypter_t *this)
+{
+	return sizeof(this->state.iv);
+}
+
+METHOD(crypter_t, get_key_size, size_t,
+	private_ctr_ipsec_crypter_t *this)
+{
+	return this->crypter->get_key_size(this->crypter)
+			+ sizeof(this->state.nonce);
+}
+
+METHOD(crypter_t, set_key, void,
+	private_ctr_ipsec_crypter_t *this, chunk_t key)
+{
+	memcpy(this->state.nonce, key.ptr + key.len - sizeof(this->state.nonce),
+		   sizeof(this->state.nonce));
+	key.len -= sizeof(this->state.nonce);
+	this->crypter->set_key(this->crypter, key);
+}
+
+METHOD(crypter_t, destroy, void,
+	private_ctr_ipsec_crypter_t *this)
+{
+	this->crypter->destroy(this->crypter);
+	free(this);
+}
+
+/**
+ * See header
+ */
+ctr_ipsec_crypter_t *ctr_ipsec_crypter_create(encryption_algorithm_t algo,
+											  size_t key_size)
+{
+	private_ctr_ipsec_crypter_t *this;
+
+	switch (algo)
+	{
+		case ENCR_AES_CTR:
+			algo = ENCR_AES_CBC;
+			break;
+		case ENCR_CAMELLIA_CTR:
+			algo = ENCR_CAMELLIA_CBC;
+			break;
+		default:
+			return NULL;
+	}
+
+	INIT(this,
+		.public = {
+			.crypter = {
+				.encrypt = _crypt,
+				.decrypt = _crypt,
+				.get_block_size = _get_block_size,
+				.get_iv_size = _get_iv_size,
+				.get_key_size = _get_key_size,
+				.set_key = _set_key,
+				.destroy = _destroy,
+			},
+		},
+		.crypter = lib->crypto->create_crypter(lib->crypto, algo, key_size),
+	);
+
+	if (!this->crypter)
+	{
+		free(this);
+		return NULL;
+	}
+
+	return &this->public;
+}
diff --git a/src/libstrongswan/plugins/ctr/ctr_ipsec_crypter.h b/src/libstrongswan/plugins/ctr/ctr_ipsec_crypter.h
new file mode 100644
index 000000000..db21aec3b
--- /dev/null
+++ b/src/libstrongswan/plugins/ctr/ctr_ipsec_crypter.h
@@ -0,0 +1,54 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ctr_ipsec_crypter ctr_ipsec_crypter
+ * @{ @ingroup ctr
+ */
+
+#ifndef CTR_IPSEC_CRYPTER_H_
+#define CTR_IPSEC_CRYPTER_H_
+
+#include <crypto/crypters/crypter.h>
+
+typedef struct ctr_ipsec_crypter_t ctr_ipsec_crypter_t;
+
+/**
+ * Counter Mode wrapper for encryption algorithms, IPsec variant (RFC3686).
+ */
+struct ctr_ipsec_crypter_t {
+
+	/**
+	 * Implements crypter_t interface.
+	 */
+	crypter_t crypter;
+};
+
+/**
+ * Create a ctr_ipsec_crypter instance.
+ */
+ctr_ipsec_crypter_t *ctr_ipsec_crypter_create();
+
+/**
+ * Create a ctr_ipsec_crypter instance.
+ *
+ * @param key_size		key size in bytes
+ * @param algo			algorithm to implement, a counter mode
+ * @return				crypter, NULL if not supported
+ */
+ctr_ipsec_crypter_t *ctr_ipsec_crypter_create(encryption_algorithm_t algo,
+											  size_t key_size);
+
+#endif /** CTR_IPSEC_CRYPTER_H_ @}*/
diff --git a/src/libstrongswan/plugins/ctr/ctr_plugin.c b/src/libstrongswan/plugins/ctr/ctr_plugin.c
new file mode 100644
index 000000000..5e47f23ec
--- /dev/null
+++ b/src/libstrongswan/plugins/ctr/ctr_plugin.c
@@ -0,0 +1,65 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ctr_plugin.h"
+
+#include <library.h>
+
+#include "ctr_ipsec_crypter.h"
+
+typedef struct private_ctr_plugin_t private_ctr_plugin_t;
+
+/**
+ * private data of ctr_plugin
+ */
+struct private_ctr_plugin_t {
+
+	/**
+	 * public functions
+	 */
+	ctr_plugin_t public;
+};
+
+METHOD(plugin_t, destroy, void,
+	private_ctr_plugin_t *this)
+{
+	lib->crypto->remove_crypter(lib->crypto,
+					(crypter_constructor_t)ctr_ipsec_crypter_create);
+
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *ctr_plugin_create()
+{
+	private_ctr_plugin_t *this;
+
+	INIT(this,
+		.public = {
+			.plugin = {
+				.destroy = _destroy,
+			},
+		},
+	);
+
+	lib->crypto->add_crypter(lib->crypto, ENCR_AES_CTR,
+					(crypter_constructor_t)ctr_ipsec_crypter_create);
+	lib->crypto->add_crypter(lib->crypto, ENCR_CAMELLIA_CTR,
+					(crypter_constructor_t)ctr_ipsec_crypter_create);
+
+	return &this->public.plugin;
+}
diff --git a/src/libstrongswan/plugins/ctr/ctr_plugin.h b/src/libstrongswan/plugins/ctr/ctr_plugin.h
new file mode 100644
index 000000000..7b2f901dc
--- /dev/null
+++ b/src/libstrongswan/plugins/ctr/ctr_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ctr ctr
+ * @ingroup plugins
+ *
+ * @defgroup ctr_plugin ctr_plugin
+ * @{ @ingroup ctr
+ */
+
+#ifndef CTR_PLUGIN_H_
+#define CTR_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct ctr_plugin_t ctr_plugin_t;
+
+/**
+ * Plugin providing CTR mode operation of symmetric encryption algorithms.
+ */
+struct ctr_plugin_t {
+
+	/**
+	 * Implements plugin interface.
+	 */
+	plugin_t plugin;
+};
+
+#endif /** CTR_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/curl/Makefile.in b/src/libstrongswan/plugins/curl/Makefile.in
index fc3b0ab1a..9cc99063c 100644
--- a/src/libstrongswan/plugins/curl/Makefile.in
+++ b/src/libstrongswan/plugins/curl/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -164,6 +165,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -195,14 +198,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -217,24 +223,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -242,7 +255,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libstrongswan/plugins/curl/curl_fetcher.c b/src/libstrongswan/plugins/curl/curl_fetcher.c
index 2341c9052..4835f6461 100644
--- a/src/libstrongswan/plugins/curl/curl_fetcher.c
+++ b/src/libstrongswan/plugins/curl/curl_fetcher.c
@@ -166,10 +166,12 @@ curl_fetcher_t *curl_fetcher_create()
 	private_curl_fetcher_t *this;
 
 	INIT(this,
-		.public.interface = {
-			.fetch = _fetch,
-			.set_option = _set_option,
-			.destroy = _destroy,
+		.public = {
+			.interface = {
+				.fetch = _fetch,
+				.set_option = _set_option,
+				.destroy = _destroy,
+			},
 		},
 		.curl = curl_easy_init(),
 	);
diff --git a/src/libstrongswan/plugins/des/Makefile.in b/src/libstrongswan/plugins/des/Makefile.in
index 319baa04c..0e8fa7315 100644
--- a/src/libstrongswan/plugins/des/Makefile.in
+++ b/src/libstrongswan/plugins/des/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -164,6 +165,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -195,14 +198,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -217,24 +223,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -242,7 +255,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libstrongswan/plugins/des/des_crypter.c b/src/libstrongswan/plugins/des/des_crypter.c
index 142e79613..7d9fbe852 100644
--- a/src/libstrongswan/plugins/des/des_crypter.c
+++ b/src/libstrongswan/plugins/des/des_crypter.c
@@ -1416,11 +1416,8 @@ static void des_ede3_cbc_encrypt(des_cblock *input, des_cblock *output, long len
 	tin[0]=tin[1]=0;
 }
 
-/**
- * Implementation of crypter_t.decrypt for DES.
- */
-static void decrypt(private_des_crypter_t *this, chunk_t data, chunk_t iv,
-					chunk_t *decrypted)
+METHOD(crypter_t, decrypt, void,
+	private_des_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *decrypted)
 {
 	des_cblock ivb;
 	u_int8_t *out;
@@ -1437,11 +1434,8 @@ static void decrypt(private_des_crypter_t *this, chunk_t data, chunk_t iv,
 }
 
 
-/**
- * Implementation of crypter_t.decrypt for DES.
- */
-static void encrypt(private_des_crypter_t *this, chunk_t data, chunk_t iv,
-						chunk_t *encrypted)
+METHOD(crypter_t, encrypt, void,
+	private_des_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *encrypted)
 {
 	des_cblock ivb;
 	u_int8_t *out;
@@ -1457,11 +1451,8 @@ static void encrypt(private_des_crypter_t *this, chunk_t data, chunk_t iv,
 					 data.len, this->ks, &ivb, DES_ENCRYPT);
 }
 
-/**
- * Implementation of crypter_t.decrypt for DES (ECB).
- */
-static void decrypt_ecb(private_des_crypter_t *this, chunk_t data, chunk_t iv,
-						chunk_t *decrypted)
+METHOD(crypter_t, decrypt_ecb, void,
+	private_des_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *decrypted)
 {
 	u_int8_t *out;
 
@@ -1475,11 +1466,8 @@ static void decrypt_ecb(private_des_crypter_t *this, chunk_t data, chunk_t iv,
 					 data.len, this->ks, DES_DECRYPT);
 }
 
-/**
- * Implementation of crypter_t.decrypt for DES (ECB).
- */
-static void encrypt_ecb(private_des_crypter_t *this, chunk_t data, chunk_t iv,
-						chunk_t *encrypted)
+METHOD(crypter_t, encrypt_ecb, void,
+	private_des_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *encrypted)
 {
 	u_int8_t *out;
 
@@ -1493,11 +1481,8 @@ static void encrypt_ecb(private_des_crypter_t *this, chunk_t data, chunk_t iv,
 					 data.len, this->ks, DES_ENCRYPT);
 }
 
-/**
- * Implementation of crypter_t.decrypt for 3DES.
- */
-static void decrypt3(private_des_crypter_t *this, chunk_t data, chunk_t iv,
-					 chunk_t *decrypted)
+METHOD(crypter_t, decrypt3, void,
+	private_des_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *decrypted)
 {
 	des_cblock ivb;
 	u_int8_t *out;
@@ -1514,11 +1499,8 @@ static void decrypt3(private_des_crypter_t *this, chunk_t data, chunk_t iv,
 						 &ivb, DES_DECRYPT);
 }
 
-/**
- * Implementation of crypter_t.decrypt for 3DES.
- */
-static void encrypt3(private_des_crypter_t *this, chunk_t data, chunk_t iv,
-					 chunk_t *encrypted)
+METHOD(crypter_t, encrypt3, void,
+	private_des_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *encrypted)
 {
 	des_cblock ivb;
 	u_int8_t *out;
@@ -1535,44 +1517,40 @@ static void encrypt3(private_des_crypter_t *this, chunk_t data, chunk_t iv,
 						  &ivb, DES_ENCRYPT);
 }
 
-/**
- * Implementation of crypter_t.get_block_size.
- */
-static size_t get_block_size (private_des_crypter_t *this)
+METHOD(crypter_t, get_block_size, size_t,
+	private_des_crypter_t *this)
 {
 	return sizeof(des_cblock);
 }
 
-/**
- * Implementation of crypter_t.get_key_size.
- */
-static size_t get_key_size (private_des_crypter_t *this)
+METHOD(crypter_t, get_iv_size, size_t,
+	private_des_crypter_t *this)
+{
+	return sizeof(des_cblock);
+}
+
+METHOD(crypter_t, get_key_size, size_t,
+	private_des_crypter_t *this)
 {
 	return this->key_size;
 }
 
-/**
- * Implementation of crypter_t.set_key for DES.
- */
-static void set_key(private_des_crypter_t *this, chunk_t key)
+METHOD(crypter_t, set_key, void,
+	private_des_crypter_t *this, chunk_t key)
 {
 	des_set_key((des_cblock*)(key.ptr), &this->ks);
 }
 
-/**
- * Implementation of crypter_t.set_key for 3DES.
- */
-static void set_key3(private_des_crypter_t *this, chunk_t key)
+METHOD(crypter_t, set_key3, void,
+	private_des_crypter_t *this, chunk_t key)
 {
 	des_set_key((des_cblock*)(key.ptr) + 0, &this->ks3[0]);
 	des_set_key((des_cblock*)(key.ptr) + 1, &this->ks3[1]);
 	des_set_key((des_cblock*)(key.ptr) + 2, &this->ks3[2]);
 }
 
-/**
- * Implementation of crypter_t.destroy and des_crypter_t.destroy.
- */
-static void destroy(private_des_crypter_t *this)
+METHOD(crypter_t, destroy, void,
+	private_des_crypter_t *this)
 {
 	free(this);
 }
@@ -1582,33 +1560,39 @@ static void destroy(private_des_crypter_t *this)
  */
 des_crypter_t *des_crypter_create(encryption_algorithm_t algo)
 {
-	private_des_crypter_t *this = malloc_thing(private_des_crypter_t);
-
-	/* functions of crypter_t interface */
-	this->public.crypter_interface.get_block_size = (size_t (*) (crypter_t *)) get_block_size;
-	this->public.crypter_interface.get_key_size = (size_t (*) (crypter_t *)) get_key_size;
-	this->public.crypter_interface.destroy = (void (*) (crypter_t *)) destroy;
+	private_des_crypter_t *this;
+
+	INIT(this,
+		.public = {
+			.crypter = {
+				.get_block_size = _get_block_size,
+				.get_iv_size = _get_iv_size,
+				.get_key_size = _get_key_size,
+				.destroy = _destroy,
+			},
+		},
+	);
 
 	/* use functions depending on algorithm */
 	switch (algo)
 	{
 		case ENCR_DES:
 			this->key_size = sizeof(des_cblock);
-			this->public.crypter_interface.set_key = (void (*) (crypter_t *,chunk_t)) set_key;
-			this->public.crypter_interface.encrypt = (void (*) (crypter_t *, chunk_t,chunk_t, chunk_t *)) encrypt;
-			this->public.crypter_interface.decrypt = (void (*) (crypter_t *, chunk_t , chunk_t, chunk_t *)) decrypt;
+			this->public.crypter.set_key = _set_key;
+			this->public.crypter.encrypt = _encrypt;
+			this->public.crypter.decrypt = _decrypt;
 			break;
 		case ENCR_3DES:
 			this->key_size = 3 * sizeof(des_cblock);
-			this->public.crypter_interface.set_key = (void (*) (crypter_t *,chunk_t)) set_key3;
-			this->public.crypter_interface.encrypt = (void (*) (crypter_t *, chunk_t,chunk_t, chunk_t *)) encrypt3;
-			this->public.crypter_interface.decrypt = (void (*) (crypter_t *, chunk_t , chunk_t, chunk_t *)) decrypt3;
+			this->public.crypter.set_key = _set_key3;
+			this->public.crypter.encrypt = _encrypt3;
+			this->public.crypter.decrypt = _decrypt3;
 			break;
 		case ENCR_DES_ECB:
 			this->key_size = sizeof(des_cblock);
-			this->public.crypter_interface.set_key = (void (*) (crypter_t *,chunk_t)) set_key;
-			this->public.crypter_interface.encrypt = (void (*) (crypter_t *, chunk_t,chunk_t, chunk_t *)) encrypt_ecb;
-			this->public.crypter_interface.decrypt = (void (*) (crypter_t *, chunk_t , chunk_t, chunk_t *)) decrypt_ecb;
+			this->public.crypter.set_key = _set_key;
+			this->public.crypter.encrypt = _encrypt_ecb;
+			this->public.crypter.decrypt = _decrypt_ecb;
 			break;
 		default:
 			free(this);
diff --git a/src/libstrongswan/plugins/des/des_crypter.h b/src/libstrongswan/plugins/des/des_crypter.h
index cffbd4ce3..07215d0c5 100644
--- a/src/libstrongswan/plugins/des/des_crypter.h
+++ b/src/libstrongswan/plugins/des/des_crypter.h
@@ -32,9 +32,9 @@ typedef struct des_crypter_t des_crypter_t;
 struct des_crypter_t {
 
 	/**
-	 * The crypter_t interface.
+	 * Implements crypter_t interface.
 	 */
-	crypter_t crypter_interface;
+	crypter_t crypter;
 };
 
 /**
diff --git a/src/libstrongswan/plugins/des/des_plugin.c b/src/libstrongswan/plugins/des/des_plugin.c
index afc82e8d4..43b457ce2 100644
--- a/src/libstrongswan/plugins/des/des_plugin.c
+++ b/src/libstrongswan/plugins/des/des_plugin.c
@@ -31,10 +31,8 @@ struct private_des_plugin_t {
 	des_plugin_t public;
 };
 
-/**
- * Implementation of des_plugin_t.destroy
- */
-static void destroy(private_des_plugin_t *this)
+METHOD(plugin_t, destroy, void,
+	private_des_plugin_t *this)
 {
 	lib->crypto->remove_crypter(lib->crypto,
 								(crypter_constructor_t)des_crypter_create);
@@ -46,9 +44,15 @@ static void destroy(private_des_plugin_t *this)
  */
 plugin_t *des_plugin_create()
 {
-	private_des_plugin_t *this = malloc_thing(private_des_plugin_t);
+	private_des_plugin_t *this;
 
-	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+	INIT(this,
+		.public = {
+			.plugin = {
+				.destroy = _destroy,
+			},
+		},
+	);
 
 	lib->crypto->add_crypter(lib->crypto, ENCR_3DES,
 							 (crypter_constructor_t)des_crypter_create);
diff --git a/src/libstrongswan/plugins/dnskey/Makefile.in b/src/libstrongswan/plugins/dnskey/Makefile.in
index 73f81f4db..7f4529211 100644
--- a/src/libstrongswan/plugins/dnskey/Makefile.in
+++ b/src/libstrongswan/plugins/dnskey/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -167,6 +168,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -198,14 +201,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -220,24 +226,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -245,7 +258,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libstrongswan/plugins/dnskey/dnskey_plugin.c b/src/libstrongswan/plugins/dnskey/dnskey_plugin.c
index 125047b05..bc0ee30ae 100644
--- a/src/libstrongswan/plugins/dnskey/dnskey_plugin.c
+++ b/src/libstrongswan/plugins/dnskey/dnskey_plugin.c
@@ -50,9 +50,9 @@ plugin_t *dnskey_plugin_create()
 
 	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
 
-	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_ANY,
+	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_ANY, FALSE,
 							(builder_function_t)dnskey_public_key_load);
-	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
+	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_RSA, FALSE,
 							(builder_function_t)dnskey_public_key_load);
 
 	return &this->public.plugin;
diff --git a/src/libstrongswan/plugins/fips_prf/Makefile.in b/src/libstrongswan/plugins/fips_prf/Makefile.in
index 4ed8276c4..7e2a1ccdf 100644
--- a/src/libstrongswan/plugins/fips_prf/Makefile.in
+++ b/src/libstrongswan/plugins/fips_prf/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -167,6 +168,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -198,14 +201,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -220,24 +226,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -245,7 +258,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libstrongswan/plugins/gcm/Makefile.am b/src/libstrongswan/plugins/gcm/Makefile.am
new file mode 100644
index 000000000..ec733fbcc
--- /dev/null
+++ b/src/libstrongswan/plugins/gcm/Makefile.am
@@ -0,0 +1,16 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = -rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-gcm.la
+else
+plugin_LTLIBRARIES = libstrongswan-gcm.la
+endif
+
+libstrongswan_gcm_la_SOURCES = \
+	gcm_plugin.h gcm_plugin.c \
+	gcm_aead.h gcm_aead.c
+
+libstrongswan_gcm_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/gcm/Makefile.in b/src/libstrongswan/plugins/gcm/Makefile.in
new file mode 100644
index 000000000..a4de9ea77
--- /dev/null
+++ b/src/libstrongswan/plugins/gcm/Makefile.in
@@ -0,0 +1,600 @@
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libstrongswan/plugins/gcm
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_gcm_la_LIBADD =
+am_libstrongswan_gcm_la_OBJECTS = gcm_plugin.lo gcm_aead.lo
+libstrongswan_gcm_la_OBJECTS = $(am_libstrongswan_gcm_la_OBJECTS)
+libstrongswan_gcm_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_gcm_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_gcm_la_rpath = -rpath $(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_gcm_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_gcm_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_gcm_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+AM_CFLAGS = -rdynamic
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-gcm.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-gcm.la
+libstrongswan_gcm_la_SOURCES = \
+	gcm_plugin.h gcm_plugin.c \
+	gcm_aead.h gcm_aead.c
+
+libstrongswan_gcm_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/gcm/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libstrongswan/plugins/gcm/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-gcm.la: $(libstrongswan_gcm_la_OBJECTS) $(libstrongswan_gcm_la_DEPENDENCIES) 
+	$(libstrongswan_gcm_la_LINK) $(am_libstrongswan_gcm_la_rpath) $(libstrongswan_gcm_la_OBJECTS) $(libstrongswan_gcm_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/gcm_aead.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/gcm_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libstrongswan/plugins/gcm/gcm_aead.c b/src/libstrongswan/plugins/gcm/gcm_aead.c
new file mode 100644
index 000000000..0d7d91dbf
--- /dev/null
+++ b/src/libstrongswan/plugins/gcm/gcm_aead.c
@@ -0,0 +1,425 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "gcm_aead.h"
+
+#include <limits.h>
+
+#define BLOCK_SIZE 16
+#define NONCE_SIZE 12
+#define IV_SIZE 8
+#define SALT_SIZE (NONCE_SIZE - IV_SIZE)
+
+typedef struct private_gcm_aead_t private_gcm_aead_t;
+
+/**
+ * Private data of an gcm_aead_t object.
+ */
+struct private_gcm_aead_t {
+
+	/**
+	 * Public gcm_aead_t interface.
+	 */
+	gcm_aead_t public;
+
+	/**
+	 * Underlying CBC crypter.
+	 */
+	crypter_t *crypter;
+
+	/**
+	 * Size of the integrity check value
+	 */
+	size_t icv_size;
+
+	/**
+	 * Salt value
+	 */
+	char salt[SALT_SIZE];
+
+	/**
+	 * GHASH subkey H
+	 */
+	char h[BLOCK_SIZE];
+};
+
+/**
+ * Find a suiteable word size and network order conversion functions
+ */
+#if ULONG_MAX == 18446744073709551615UL && defined(htobe64)
+#	define htobeword htobe64
+#	define bewordtoh be64toh
+#	define SHIFT_WORD_TYPE u_int64_t
+#else
+#	define htobeword htonl
+#	define bewordtoh ntohl
+#	define SHIFT_WORD_TYPE u_int32_t
+#endif
+
+/**
+ * Bitshift a block right by one bit
+ */
+static void sr_block(char *block)
+{
+	int i;
+	SHIFT_WORD_TYPE *word = (SHIFT_WORD_TYPE*)block;
+
+	for (i = 0; i < BLOCK_SIZE / sizeof(*word); i++)
+	{
+		word[i] = bewordtoh(word[i]);
+	}
+	for (i = BLOCK_SIZE / sizeof(*word) - 1; i >= 0; i--)
+	{
+		word[i] >>= 1;
+		if (i != 0)
+		{
+			word[i] |= word[i - 1] << (sizeof(*word) * 8 - 1);
+		}
+	}
+	for (i = 0; i < BLOCK_SIZE / sizeof(*word); i++)
+	{
+		word[i] = htobeword(word[i]);
+	}
+}
+
+/**
+ * Naive implementation of block multiplication in GF128, no tables
+ */
+static void mult_block(char *x, char *y, char *res)
+{
+	char z[BLOCK_SIZE], v[BLOCK_SIZE], r;
+	int bit, byte;
+
+	r = 0xE1;
+	memset(z, 0, BLOCK_SIZE);
+	memcpy(v, y, BLOCK_SIZE);
+
+	for (byte = 0; byte < BLOCK_SIZE; byte++)
+	{
+		for (bit = 7; bit >= 0; bit--)
+		{
+			if (x[byte] & (1 << bit))
+			{
+				memxor(z, v, BLOCK_SIZE);
+			}
+			if (v[BLOCK_SIZE - 1] & 0x01)
+			{
+				sr_block(v);
+				v[0] ^= r;
+			}
+			else
+			{
+				sr_block(v);
+			}
+		}
+	}
+	memcpy(res, z, BLOCK_SIZE);
+}
+
+/**
+ * GHASH function
+ */
+static void ghash(private_gcm_aead_t *this, chunk_t x, char *res)
+{
+	char y[BLOCK_SIZE];
+
+	memset(y, 0, BLOCK_SIZE);
+
+	while (x.len)
+	{
+		memxor(y, x.ptr, BLOCK_SIZE);
+		mult_block(y, this->h, y);
+		x = chunk_skip(x, BLOCK_SIZE);
+	}
+	memcpy(res, y, BLOCK_SIZE);
+}
+
+/**
+ * GCTR function, en-/decrypts x inline
+ */
+static void gctr(private_gcm_aead_t *this, char *icb, chunk_t x)
+{
+	char cb[BLOCK_SIZE], iv[BLOCK_SIZE], tmp[BLOCK_SIZE];
+
+	memset(iv, 0, BLOCK_SIZE);
+	memcpy(cb, icb, BLOCK_SIZE);
+
+	while (x.len)
+	{
+		memcpy(tmp, cb, BLOCK_SIZE);
+		this->crypter->encrypt(this->crypter, chunk_from_thing(tmp),
+							   chunk_from_thing(iv), NULL);
+		memxor(x.ptr, tmp, min(BLOCK_SIZE, x.len));
+		chunk_increment(chunk_from_thing(cb));
+		x = chunk_skip(x, BLOCK_SIZE);
+	}
+}
+
+/**
+ * Generate the block J0
+ */
+static void create_j(private_gcm_aead_t *this, char *iv, char *j)
+{
+	memcpy(j, this->salt, SALT_SIZE);
+	memcpy(j + SALT_SIZE, iv, IV_SIZE);
+	htoun32(j + SALT_SIZE + IV_SIZE, 1);
+}
+
+/**
+ * Create GHASH subkey H
+ */
+static void create_h(private_gcm_aead_t *this, char *h)
+{
+	char zero[BLOCK_SIZE];
+
+	memset(zero, 0, BLOCK_SIZE);
+	memset(h, 0, BLOCK_SIZE);
+
+	this->crypter->encrypt(this->crypter, chunk_create(h, BLOCK_SIZE),
+						   chunk_from_thing(zero), NULL);
+}
+
+/**
+ * Encrypt/decrypt
+ */
+static void crypt(private_gcm_aead_t *this, char *j, chunk_t in, chunk_t out)
+{
+	char icb[BLOCK_SIZE];
+
+	memcpy(icb, j, BLOCK_SIZE);
+	chunk_increment(chunk_from_thing(icb));
+
+	out.len = in.len;
+	if (in.ptr != out.ptr)
+	{
+		memcpy(out.ptr, in.ptr, in.len);
+	}
+	gctr(this, icb, out);
+}
+
+/**
+ * Create ICV
+ */
+static void create_icv(private_gcm_aead_t *this, chunk_t assoc, chunk_t crypt,
+					   char *j, char *icv)
+{
+	size_t assoc_pad, crypt_pad;
+	chunk_t chunk;
+	char s[BLOCK_SIZE], *pos;
+
+	assoc_pad = (BLOCK_SIZE - (assoc.len % BLOCK_SIZE)) % BLOCK_SIZE;
+	crypt_pad = (BLOCK_SIZE - (crypt.len % BLOCK_SIZE)) % BLOCK_SIZE;
+
+	/* concatenate data to a new chunk */
+	chunk = chunk_alloc(assoc.len + assoc_pad +
+						crypt.len + crypt_pad + BLOCK_SIZE);
+	pos = chunk.ptr;
+	/* add associated data */
+	memcpy(pos, assoc.ptr, assoc.len);
+	pos += assoc.len;
+	memset(pos, 0, assoc_pad);
+	pos += assoc_pad;
+	/* add encrypted data */
+	memcpy(pos, crypt.ptr, crypt.len);
+	pos += crypt.len;
+	memset(pos, 0, crypt_pad);
+	pos += crypt_pad;
+	/* write associated len */
+	memset(pos, 0, 4);
+	pos += 4;
+	htoun32(pos, assoc.len * 8);
+	pos += 4;
+	/* write encrypted length */
+	memset(pos, 0, 4);
+	pos += 4;
+	htoun32(pos, crypt.len * 8);
+	pos += 4;
+
+	ghash(this, chunk, s);
+	free(chunk.ptr);
+	gctr(this, j, chunk_from_thing(s));
+
+	memcpy(icv, s, this->icv_size);
+}
+
+/**
+ * Verify the ICV value
+ */
+static bool verify_icv(private_gcm_aead_t *this, chunk_t assoc, chunk_t crypt,
+					   char *j, char *icv)
+{
+	char tmp[this->icv_size];
+
+	create_icv(this, assoc, crypt, j, tmp);
+
+	return memeq(tmp, icv, this->icv_size);
+}
+
+METHOD(aead_t, encrypt, void,
+	private_gcm_aead_t *this, chunk_t plain, chunk_t assoc, chunk_t iv,
+	chunk_t *encrypted)
+{
+	char j[BLOCK_SIZE];
+
+	create_j(this, iv.ptr, j);
+
+	if (encrypted)
+	{
+		*encrypted = chunk_alloc(plain.len + this->icv_size);
+		crypt(this, j, plain, *encrypted);
+		create_icv(this, assoc,
+				   chunk_create(encrypted->ptr, encrypted->len - this->icv_size),
+				   j, encrypted->ptr + encrypted->len - this->icv_size);
+	}
+	else
+	{
+		crypt(this, j, plain, plain);
+		create_icv(this, assoc, plain, j, plain.ptr + plain.len);
+	}
+}
+
+METHOD(aead_t, decrypt, bool,
+	private_gcm_aead_t *this, chunk_t encrypted, chunk_t assoc, chunk_t iv,
+	chunk_t *plain)
+{
+	char j[BLOCK_SIZE];
+
+	if (encrypted.len < this->icv_size)
+	{
+		return FALSE;
+	}
+
+	create_j(this, iv.ptr, j);
+
+	encrypted.len -= this->icv_size;
+	if (!verify_icv(this, assoc, encrypted, j, encrypted.ptr + encrypted.len))
+	{
+		return FALSE;
+	}
+	if (plain)
+	{
+		*plain = chunk_alloc(encrypted.len);
+		crypt(this, j, encrypted, *plain);
+	}
+	else
+	{
+		crypt(this, j, encrypted, encrypted);
+	}
+	return TRUE;
+}
+
+METHOD(aead_t, get_block_size, size_t,
+	private_gcm_aead_t *this)
+{
+	return 1;
+}
+
+METHOD(aead_t, get_icv_size, size_t,
+	private_gcm_aead_t *this)
+{
+	return this->icv_size;
+}
+
+METHOD(aead_t, get_iv_size, size_t,
+	private_gcm_aead_t *this)
+{
+	return IV_SIZE;
+}
+
+METHOD(aead_t, get_key_size, size_t,
+	private_gcm_aead_t *this)
+{
+	return this->crypter->get_key_size(this->crypter) + SALT_SIZE;
+}
+
+METHOD(aead_t, set_key, void,
+	private_gcm_aead_t *this, chunk_t key)
+{
+	memcpy(this->salt, key.ptr + key.len - SALT_SIZE, SALT_SIZE);
+	key.len -= SALT_SIZE;
+	this->crypter->set_key(this->crypter, key);
+	create_h(this, this->h);
+}
+
+METHOD(aead_t, destroy, void,
+	private_gcm_aead_t *this)
+{
+	this->crypter->destroy(this->crypter);
+	free(this);
+}
+
+/**
+ * See header
+ */
+gcm_aead_t *gcm_aead_create(encryption_algorithm_t algo, size_t key_size)
+{
+	private_gcm_aead_t *this;
+	size_t icv_size;
+
+	switch (key_size)
+	{
+		case 0:
+			key_size = 16;
+			break;
+		case 16:
+		case 24:
+		case 32:
+			break;
+		default:
+			return NULL;
+	}
+	switch (algo)
+	{
+		case ENCR_AES_GCM_ICV8:
+			algo = ENCR_AES_CBC;
+			icv_size = 8;
+			break;
+		case ENCR_AES_GCM_ICV12:
+			algo = ENCR_AES_CBC;
+			icv_size = 12;
+			break;
+		case ENCR_AES_GCM_ICV16:
+			algo = ENCR_AES_CBC;
+			icv_size = 16;
+			break;
+		default:
+			return NULL;
+	}
+
+	INIT(this,
+		.public = {
+			.aead = {
+				.encrypt = _encrypt,
+				.decrypt = _decrypt,
+				.get_block_size = _get_block_size,
+				.get_icv_size = _get_icv_size,
+				.get_iv_size = _get_iv_size,
+				.get_key_size = _get_key_size,
+				.set_key = _set_key,
+				.destroy = _destroy,
+			},
+		},
+		.crypter = lib->crypto->create_crypter(lib->crypto, algo, key_size),
+		.icv_size = icv_size,
+	);
+
+	if (!this->crypter)
+	{
+		free(this);
+		return NULL;
+	}
+
+	return &this->public;
+}
diff --git a/src/libstrongswan/plugins/gcm/gcm_aead.h b/src/libstrongswan/plugins/gcm/gcm_aead.h
new file mode 100644
index 000000000..db4be2442
--- /dev/null
+++ b/src/libstrongswan/plugins/gcm/gcm_aead.h
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup gcm_aead gcm_aead
+ * @{ @ingroup gcm
+ */
+
+#ifndef GCM_AEAD_H_
+#define GCM_AEAD_H_
+
+#include <crypto/aead.h>
+
+typedef struct gcm_aead_t gcm_aead_t;
+
+/**
+ * Galois/Counter Mode (GCM).
+ *
+ * Implements GCM as specified in NIST 800-38D, using AEAD semantics from
+ * RFC 5282, based on RFC4106.
+ */
+struct gcm_aead_t {
+
+	/**
+	 * Implements aead_t interface.
+	 */
+	aead_t aead;
+};
+
+/**
+ * Create a gcm_aead instance.
+ *
+ * @param key_size		key size in bytes
+ * @param algo			algorithm to implement, a gcm mode
+ * @return				aead, NULL if not supported
+ */
+gcm_aead_t *gcm_aead_create(encryption_algorithm_t algo, size_t key_size);
+
+#endif /** GCM_AEAD_H_ @}*/
diff --git a/src/libstrongswan/plugins/gcm/gcm_plugin.c b/src/libstrongswan/plugins/gcm/gcm_plugin.c
new file mode 100644
index 000000000..061001b30
--- /dev/null
+++ b/src/libstrongswan/plugins/gcm/gcm_plugin.c
@@ -0,0 +1,63 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "gcm_plugin.h"
+
+#include <library.h>
+
+#include "gcm_aead.h"
+
+typedef struct private_gcm_plugin_t private_gcm_plugin_t;
+
+/**
+ * private data of gcm_plugin
+ */
+struct private_gcm_plugin_t {
+
+	/**
+	 * public functions
+	 */
+	gcm_plugin_t public;
+};
+
+METHOD(plugin_t, destroy, void,
+	private_gcm_plugin_t *this)
+{
+	lib->crypto->remove_aead(lib->crypto,
+					(aead_constructor_t)gcm_aead_create);
+
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *gcm_plugin_create()
+{
+	private_gcm_plugin_t *this;
+
+	INIT(this,
+		.public.plugin.destroy = _destroy,
+	);
+
+	lib->crypto->add_aead(lib->crypto, ENCR_AES_GCM_ICV8,
+					(aead_constructor_t)gcm_aead_create);
+	lib->crypto->add_aead(lib->crypto, ENCR_AES_GCM_ICV12,
+					(aead_constructor_t)gcm_aead_create);
+	lib->crypto->add_aead(lib->crypto, ENCR_AES_GCM_ICV16,
+					(aead_constructor_t)gcm_aead_create);
+
+	return &this->public.plugin;
+}
diff --git a/src/libstrongswan/plugins/gcm/gcm_plugin.h b/src/libstrongswan/plugins/gcm/gcm_plugin.h
new file mode 100644
index 000000000..52676708e
--- /dev/null
+++ b/src/libstrongswan/plugins/gcm/gcm_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup gcm gcm
+ * @ingroup plugins
+ *
+ * @defgroup gcm_plugin gcm_plugin
+ * @{ @ingroup gcm
+ */
+
+#ifndef GCM_PLUGIN_H_
+#define GCM_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct gcm_plugin_t gcm_plugin_t;
+
+/**
+ * Plugin providing GCM mode operation.
+ */
+struct gcm_plugin_t {
+
+	/**
+	 * Implements plugin interface.
+	 */
+	plugin_t plugin;
+};
+
+#endif /** GCM_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/gcrypt/Makefile.in b/src/libstrongswan/plugins/gcrypt/Makefile.in
index 09131c4be..00c49c487 100644
--- a/src/libstrongswan/plugins/gcrypt/Makefile.in
+++ b/src/libstrongswan/plugins/gcrypt/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -168,6 +169,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -199,14 +202,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -221,24 +227,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -246,7 +259,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_crypter.c b/src/libstrongswan/plugins/gcrypt/gcrypt_crypter.c
index 5dbdde32c..599481911 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_crypter.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_crypter.c
@@ -40,15 +40,43 @@ struct private_gcrypt_crypter_t {
 	 * gcrypt algorithm identifier
 	 */
 	int alg;
+
+	/**
+	 * are we using counter mode?
+	 */
+	bool ctr_mode;
+
+	/**
+	 * counter state
+	 */
+	struct {
+		char nonce[4];
+		char iv[8];
+		u_int32_t counter;
+	} __attribute__((packed)) ctr;
 };
 
 /**
- * Implementation of crypter_t.decrypt.
+ * Set the IV for en/decryption
  */
-static void decrypt(private_gcrypt_crypter_t *this, chunk_t data,
-					chunk_t iv, chunk_t *dst)
+static void set_iv(private_gcrypt_crypter_t *this, chunk_t iv)
+{
+	if (this->ctr_mode)
+	{
+		memcpy(this->ctr.iv, iv.ptr, sizeof(this->ctr.iv));
+		this->ctr.counter = htonl(1);
+		gcry_cipher_setctr(this->h, &this->ctr, sizeof(this->ctr));
+	}
+	else
+	{
+		gcry_cipher_setiv(this->h, iv.ptr, iv.len);
+	}
+}
+
+METHOD(crypter_t, decrypt, void,
+	private_gcrypt_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *dst)
 {
-	gcry_cipher_setiv(this->h, iv.ptr, iv.len);
+	set_iv(this, iv);
 
 	if (dst)
 	{
@@ -61,13 +89,10 @@ static void decrypt(private_gcrypt_crypter_t *this, chunk_t data,
 	}
 }
 
-/**
- * Implementation of crypter_t.encrypt.
- */
-static void encrypt(private_gcrypt_crypter_t *this, chunk_t data,
-					chunk_t iv, chunk_t *dst)
+METHOD(crypter_t, encrypt, void,
+	private_gcrypt_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *dst)
 {
-	gcry_cipher_setiv(this->h, iv.ptr, iv.len);
+	set_iv(this, iv);
 
 	if (dst)
 	{
@@ -80,40 +105,60 @@ static void encrypt(private_gcrypt_crypter_t *this, chunk_t data,
 	}
 }
 
-/**
- * Implementation of crypter_t.get_block_size.
- */
-static size_t get_block_size(private_gcrypt_crypter_t *this)
+METHOD(crypter_t, get_block_size, size_t,
+	private_gcrypt_crypter_t *this)
 {
 	size_t len = 0;
 
+	if (this->ctr_mode)
+	{	/* counter mode does not need any padding */
+		return 1;
+	}
 	gcry_cipher_algo_info(this->alg, GCRYCTL_GET_BLKLEN, NULL, &len);
 	return len;
 }
 
-/**
- * Implementation of crypter_t.get_key_size.
- */
-static size_t get_key_size(private_gcrypt_crypter_t *this)
+METHOD(crypter_t, get_iv_size, size_t,
+	private_gcrypt_crypter_t *this)
+{
+	size_t len = 0;
+
+	if (this->ctr_mode)
+	{
+		return sizeof(this->ctr.iv);
+	}
+	gcry_cipher_algo_info(this->alg, GCRYCTL_GET_BLKLEN, NULL, &len);
+	return len;
+}
+
+METHOD(crypter_t, get_key_size, size_t,
+	private_gcrypt_crypter_t *this)
 {
 	size_t len = 0;
 
 	gcry_cipher_algo_info(this->alg, GCRYCTL_GET_KEYLEN, NULL, &len);
+	if (this->ctr_mode)
+	{
+		return len + sizeof(this->ctr.nonce);
+	}
 	return len;
 }
 
-/**
- * Implementation of crypter_t.set_key.
- */
-static void set_key(private_gcrypt_crypter_t *this, chunk_t key)
+METHOD(crypter_t, set_key, void,
+	private_gcrypt_crypter_t *this, chunk_t key)
 {
+	if (this->ctr_mode)
+	{
+		/* last 4 bytes are the nonce */
+		memcpy(this->ctr.nonce, key.ptr + key.len - sizeof(this->ctr.nonce),
+			   sizeof(this->ctr.nonce));
+		key.len -= sizeof(this->ctr.nonce);
+	}
 	gcry_cipher_setkey(this->h, key.ptr, key.len);
 }
 
-/**
- * Implementation of crypter_t.destroy.
- */
-static void destroy (private_gcrypt_crypter_t *this)
+METHOD(crypter_t, destroy, void,
+	private_gcrypt_crypter_t *this)
 {
 	gcry_cipher_close(this->h);
 	free(this);
@@ -149,18 +194,19 @@ gcrypt_crypter_t *gcrypt_crypter_create(encryption_algorithm_t algo,
 			gcrypt_alg = GCRY_CIPHER_CAST5;
 			break;
 		case ENCR_BLOWFISH:
-			if (key_size != 16)
+			if (key_size != 16 && key_size != 0)
 			{	/* gcrypt currently supports 128 bit blowfish only */
 				return NULL;
 			}
 			gcrypt_alg = GCRY_CIPHER_BLOWFISH;
 			break;
-		/* case ENCR_AES_CTR:
-			mode = GCRY_CIPHER_MODE_CTR; */
+		case ENCR_AES_CTR:
+			mode = GCRY_CIPHER_MODE_CTR;
 			/* fall */
 		case ENCR_AES_CBC:
 			switch (key_size)
 			{
+				case 0:
 				case 16:
 					gcrypt_alg = GCRY_CIPHER_AES128;
 					break;
@@ -174,13 +220,14 @@ gcrypt_crypter_t *gcrypt_crypter_create(encryption_algorithm_t algo,
 					return NULL;
 			}
 			break;
-		/* case ENCR_CAMELLIA_CTR:
-			mode = GCRY_CIPHER_MODE_CTR; */
+		case ENCR_CAMELLIA_CTR:
+			mode = GCRY_CIPHER_MODE_CTR;
 			/* fall */
 		case ENCR_CAMELLIA_CBC:
 			switch (key_size)
 			{
 #ifdef HAVE_GCRY_CIPHER_CAMELLIA
+				case 0:
 				case 16:
 					gcrypt_alg = GCRY_CIPHER_CAMELLIA128;
 					break;
@@ -198,6 +245,7 @@ gcrypt_crypter_t *gcrypt_crypter_create(encryption_algorithm_t algo,
 		case ENCR_SERPENT_CBC:
 			switch (key_size)
 			{
+				case 0:
 				case 16:
 					gcrypt_alg = GCRY_CIPHER_SERPENT128;
 					break;
@@ -214,6 +262,7 @@ gcrypt_crypter_t *gcrypt_crypter_create(encryption_algorithm_t algo,
 		case ENCR_TWOFISH_CBC:
 			switch (key_size)
 			{
+				case 0:
 				case 16:
 					gcrypt_alg = GCRY_CIPHER_TWOFISH128;
 					break;
@@ -228,9 +277,22 @@ gcrypt_crypter_t *gcrypt_crypter_create(encryption_algorithm_t algo,
 			return NULL;
 	}
 
-	this = malloc_thing(private_gcrypt_crypter_t);
+	INIT(this,
+		.public = {
+			.crypter = {
+				.encrypt = _encrypt,
+				.decrypt = _decrypt,
+				.get_block_size = _get_block_size,
+				.get_iv_size = _get_iv_size,
+				.get_key_size = _get_key_size,
+				.set_key = _set_key,
+				.destroy = _destroy,
+			},
+		},
+		.alg = gcrypt_alg,
+		.ctr_mode = mode == GCRY_CIPHER_MODE_CTR,
+	);
 
-	this->alg = gcrypt_alg;
 	err = gcry_cipher_open(&this->h, gcrypt_alg, mode, 0);
 	if (err)
 	{
@@ -239,14 +301,6 @@ gcrypt_crypter_t *gcrypt_crypter_create(encryption_algorithm_t algo,
 		free(this);
 		return NULL;
 	}
-
-	this->public.crypter_interface.encrypt = (void (*) (crypter_t *, chunk_t,chunk_t, chunk_t *))encrypt;
-	this->public.crypter_interface.decrypt = (void (*) (crypter_t *, chunk_t , chunk_t, chunk_t *))decrypt;
-	this->public.crypter_interface.get_block_size = (size_t (*) (crypter_t *))get_block_size;
-	this->public.crypter_interface.get_key_size = (size_t (*) (crypter_t *))get_key_size;
-	this->public.crypter_interface.set_key = (void (*) (crypter_t *,chunk_t))set_key;
-	this->public.crypter_interface.destroy = (void (*) (crypter_t *))destroy;
-
 	return &this->public;
 }
 
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_crypter.h b/src/libstrongswan/plugins/gcrypt/gcrypt_crypter.h
index ce0ead4a8..e565e28c7 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_crypter.h
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_crypter.h
@@ -33,7 +33,7 @@ struct gcrypt_crypter_t {
 	/**
 	 * The crypter_t interface.
 	 */
-	crypter_t crypter_interface;
+	crypter_t crypter;
 };
 
 /**
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c b/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c
index 08d6239ad..6c4665da2 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c
@@ -73,10 +73,8 @@ struct private_gcrypt_dh_t {
 	size_t p_len;
 };
 
-/**
- * Implementation of gcrypt_dh_t.set_other_public_value.
- */
-static void set_other_public_value(private_gcrypt_dh_t *this, chunk_t value)
+METHOD(diffie_hellman_t, set_other_public_value, void,
+	private_gcrypt_dh_t *this, chunk_t value)
 {
 	gcry_mpi_t p_min_1;
 	gcry_error_t err;
@@ -134,18 +132,14 @@ static chunk_t export_mpi(gcry_mpi_t value, size_t len)
 	return chunk;
 }
 
-/**
- * Implementation of gcrypt_dh_t.get_my_public_value.
- */
-static void get_my_public_value(private_gcrypt_dh_t *this, chunk_t *value)
+METHOD(diffie_hellman_t, get_my_public_value, void,
+	private_gcrypt_dh_t *this, chunk_t *value)
 {
 	*value = export_mpi(this->ya, this->p_len);
 }
 
-/**
- * Implementation of gcrypt_dh_t.get_shared_secret.
- */
-static status_t get_shared_secret(private_gcrypt_dh_t *this, chunk_t *secret)
+METHOD(diffie_hellman_t, get_shared_secret, status_t,
+	private_gcrypt_dh_t *this, chunk_t *secret)
 {
 	if (!this->zz)
 	{
@@ -155,18 +149,14 @@ static status_t get_shared_secret(private_gcrypt_dh_t *this, chunk_t *secret)
 	return SUCCESS;
 }
 
-/**
- * Implementation of gcrypt_dh_t.get_dh_group.
- */
-static diffie_hellman_group_t get_dh_group(private_gcrypt_dh_t *this)
+METHOD(diffie_hellman_t, get_dh_group, diffie_hellman_group_t,
+	private_gcrypt_dh_t *this)
 {
 	return this->group;
 }
 
-/**
- * Implementation of gcrypt_dh_t.destroy.
- */
-static void destroy(private_gcrypt_dh_t *this)
+METHOD(diffie_hellman_t, destroy, void,
+	private_gcrypt_dh_t *this)
 {
 	gcry_mpi_release(this->p);
 	gcry_mpi_release(this->xa);
@@ -178,42 +168,37 @@ static void destroy(private_gcrypt_dh_t *this)
 }
 
 /*
- * Described in header.
+ * Generic internal constructor
  */
-gcrypt_dh_t *gcrypt_dh_create(diffie_hellman_group_t group)
+gcrypt_dh_t *create_generic(diffie_hellman_group_t group, size_t exp_len,
+							chunk_t g, chunk_t p)
 {
 	private_gcrypt_dh_t *this;
-	diffie_hellman_params_t *params;
 	gcry_error_t err;
 	chunk_t random;
 	rng_t *rng;
 
-	params = diffie_hellman_get_params(group);
-	if (!params)
-	{
-		return NULL;
-	}
-
-	this = malloc_thing(private_gcrypt_dh_t);
-
-	this->public.dh.get_shared_secret = (status_t (*)(diffie_hellman_t *, chunk_t *)) get_shared_secret;
-	this->public.dh.set_other_public_value = (void (*)(diffie_hellman_t *, chunk_t )) set_other_public_value;
-	this->public.dh.get_my_public_value = (void (*)(diffie_hellman_t *, chunk_t *)) get_my_public_value;
-	this->public.dh.get_dh_group = (diffie_hellman_group_t (*)(diffie_hellman_t *)) get_dh_group;
-	this->public.dh.destroy = (void (*)(diffie_hellman_t *)) destroy;
-
-	this->group = group;
-	this->p_len = params->prime.len;
-	err = gcry_mpi_scan(&this->p, GCRYMPI_FMT_USG,
-						params->prime.ptr, params->prime.len, NULL);
+	INIT(this,
+		.public = {
+			.dh = {
+				.get_shared_secret = _get_shared_secret,
+				.set_other_public_value = _set_other_public_value,
+				.get_my_public_value = _get_my_public_value,
+				.get_dh_group = _get_dh_group,
+				.destroy = _destroy,
+			},
+		},
+		.group = group,
+		.p_len = p.len,
+	);
+	err = gcry_mpi_scan(&this->p, GCRYMPI_FMT_USG, p.ptr, p.len, NULL);
 	if (err)
 	{
 		DBG1(DBG_LIB, "importing mpi modulus failed: %s", gpg_strerror(err));
 		free(this);
 		return NULL;
 	}
-	err = gcry_mpi_scan(&this->g, GCRYMPI_FMT_USG,
-						params->generator.ptr, params->generator.len, NULL);
+	err = gcry_mpi_scan(&this->g, GCRYMPI_FMT_USG, g.ptr, g.len, NULL);
 	if (err)
 	{
 		DBG1(DBG_LIB, "importing mpi generator failed: %s", gpg_strerror(err));
@@ -225,7 +210,7 @@ gcrypt_dh_t *gcrypt_dh_create(diffie_hellman_group_t group)
 	rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
 	if (rng)
 	{	/* prefer external randomizer */
-		rng->allocate_bytes(rng, params->exp_len, &random);
+		rng->allocate_bytes(rng, exp_len, &random);
 		rng->destroy(rng);
 		err = gcry_mpi_scan(&this->xa, GCRYMPI_FMT_USG,
 							random.ptr, random.len, NULL);
@@ -241,21 +226,49 @@ gcrypt_dh_t *gcrypt_dh_create(diffie_hellman_group_t group)
 	}
 	else
 	{	/* fallback to gcrypt internal randomizer, shouldn't ever happen */
-		this->xa = gcry_mpi_new(params->exp_len * 8);
-		gcry_mpi_randomize(this->xa, params->exp_len * 8, GCRY_STRONG_RANDOM);
+		this->xa = gcry_mpi_new(exp_len * 8);
+		gcry_mpi_randomize(this->xa, exp_len * 8, GCRY_STRONG_RANDOM);
 	}
-	if (params->exp_len == this->p_len)
+	if (exp_len == this->p_len)
 	{
 		/* achieve bitsof(p)-1 by setting MSB to 0 */
-		gcry_mpi_clear_bit(this->xa, params->exp_len * 8 - 1);
+		gcry_mpi_clear_bit(this->xa, exp_len * 8 - 1);
 	}
 
 	this->ya = gcry_mpi_new(this->p_len * 8);
-	this->yb = NULL;
-	this->zz = NULL;
 
 	gcry_mpi_powm(this->ya, this->g, this->xa, this->p);
 
 	return &this->public;
 }
 
+
+/*
+ * Described in header.
+ */
+gcrypt_dh_t *gcrypt_dh_create(diffie_hellman_group_t group)
+{
+
+	diffie_hellman_params_t *params;
+
+	params = diffie_hellman_get_params(group);
+	if (!params)
+	{
+		return NULL;
+	}
+	return create_generic(group, params->exp_len,
+						  params->generator, params->prime);
+}
+
+/*
+ * Described in header.
+ */
+gcrypt_dh_t *gcrypt_dh_create_custom(diffie_hellman_group_t group,
+									 chunk_t g, chunk_t p)
+{
+	if (group == MODP_CUSTOM)
+	{
+		return create_generic(group, p.len, g, p);
+	}
+	return NULL;
+}
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_dh.h b/src/libstrongswan/plugins/gcrypt/gcrypt_dh.h
index 95b68dcd0..a70958dc4 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_dh.h
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_dh.h
@@ -44,5 +44,16 @@ struct gcrypt_dh_t {
  */
 gcrypt_dh_t *gcrypt_dh_create(diffie_hellman_group_t group);
 
+/**
+ * Creates a new gcrypt_dh_t object for MODP_CUSTOM.
+ *
+ * @param group			MODP_CUSTOM
+ * @param g				generator
+ * @param p				prime
+ * @return				gcrypt_dh_t object, NULL if not supported
+ */
+gcrypt_dh_t *gcrypt_dh_create_custom(diffie_hellman_group_t group,
+									 chunk_t g, chunk_t p);
+
 #endif /** GCRYPT_DH_H_ @}*/
 
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c b/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c
index 39609c16c..96c87614f 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c
@@ -37,27 +37,20 @@ struct private_gcrypt_hasher_t {
 	gcry_md_hd_t hd;
 };
 
-/**
- * Implementation of hasher_t.get_hash_size.
- */
-static size_t get_hash_size(private_gcrypt_hasher_t *this)
+METHOD(hasher_t, get_hash_size, size_t,
+	private_gcrypt_hasher_t *this)
 {
 	return gcry_md_get_algo_dlen(gcry_md_get_algo(this->hd));
 }
 
-/**
- * Implementation of hasher_t.reset.
- */
-static void reset(private_gcrypt_hasher_t *this)
+METHOD(hasher_t, reset, void,
+	private_gcrypt_hasher_t *this)
 {
 	gcry_md_reset(this->hd);
 }
 
-/**
- * Implementation of hasher_t.get_hash.
- */
-static void get_hash(private_gcrypt_hasher_t *this, chunk_t chunk,
-					 u_int8_t *hash)
+METHOD(hasher_t, get_hash, void,
+	private_gcrypt_hasher_t *this, chunk_t chunk, u_int8_t *hash)
 {
 	gcry_md_write(this->hd, chunk.ptr, chunk.len);
 	if (hash)
@@ -67,11 +60,8 @@ static void get_hash(private_gcrypt_hasher_t *this, chunk_t chunk,
 	}
 }
 
-/**
- * Implementation of hasher_t.allocate_hash.
- */
-static void allocate_hash(private_gcrypt_hasher_t *this, chunk_t chunk,
-						  chunk_t *hash)
+METHOD(hasher_t, allocate_hash, void,
+	private_gcrypt_hasher_t *this, chunk_t chunk, chunk_t *hash)
 {
 	if (hash)
 	{
@@ -84,10 +74,8 @@ static void allocate_hash(private_gcrypt_hasher_t *this, chunk_t chunk,
 	}
 }
 
-/**
- * Implementation of hasher_t.destroy.
- */
-static void destroy (private_gcrypt_hasher_t *this)
+METHOD(hasher_t, destroy, void,
+	private_gcrypt_hasher_t *this)
 {
 	gcry_md_close(this->hd);
 	free(this);
@@ -132,7 +120,17 @@ gcrypt_hasher_t *gcrypt_hasher_create(hash_algorithm_t algo)
 			return NULL;
 	}
 
-	this = malloc_thing(private_gcrypt_hasher_t);
+	INIT(this,
+		.public = {
+			.hasher = {
+				.get_hash = _get_hash,
+				.allocate_hash = _allocate_hash,
+				.get_hash_size = _get_hash_size,
+				.reset = _reset,
+				.destroy = _destroy,
+			},
+		},
+	);
 
 	err = gcry_md_open(&this->hd, gcrypt_alg, 0);
 	if (err)
@@ -143,12 +141,6 @@ gcrypt_hasher_t *gcrypt_hasher_create(hash_algorithm_t algo)
 		return NULL;
 	}
 
-	this->public.hasher_interface.get_hash = (void (*) (hasher_t*, chunk_t, u_int8_t*))get_hash;
-	this->public.hasher_interface.allocate_hash = (void (*) (hasher_t*, chunk_t, chunk_t*))allocate_hash;
-	this->public.hasher_interface.get_hash_size = (size_t (*) (hasher_t*))get_hash_size;
-	this->public.hasher_interface.reset = (void (*) (hasher_t*))reset;
-	this->public.hasher_interface.destroy = (void (*) (hasher_t*))destroy;
-
 	return &this->public;
 }
 
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.h b/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.h
index 708ccaafb..a7542bcdd 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.h
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.h
@@ -33,7 +33,7 @@ struct gcrypt_hasher_t {
 	/**
 	 * The hasher_t interface.
 	 */
-	hasher_t hasher_interface;
+	hasher_t hasher;
 };
 
 /**
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c b/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c
index 039036b2c..590add5c8 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c
@@ -93,10 +93,8 @@ static struct gcry_thread_cbs thread_functions = {
 	NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL
 };
 
-/**
- * Implementation of gcrypt_plugin_t.destroy
- */
-static void destroy(private_gcrypt_plugin_t *this)
+METHOD(plugin_t, destroy, void,
+	private_gcrypt_plugin_t *this)
 {
 	lib->crypto->remove_hasher(lib->crypto,
 					(hasher_constructor_t)gcrypt_hasher_create);
@@ -106,6 +104,8 @@ static void destroy(private_gcrypt_plugin_t *this)
 					(rng_constructor_t)gcrypt_rng_create);
 	lib->crypto->remove_dh(lib->crypto,
 					(dh_constructor_t)gcrypt_dh_create);
+	lib->crypto->remove_dh(lib->crypto,
+					(dh_constructor_t)gcrypt_dh_create_custom);
 	lib->creds->remove_builder(lib->creds,
 					(builder_function_t)gcrypt_rsa_private_key_gen);
 	lib->creds->remove_builder(lib->creds,
@@ -139,9 +139,13 @@ plugin_t *gcrypt_plugin_create()
 	}
 	gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0);
 
-	this = malloc_thing(private_gcrypt_plugin_t);
-
-	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+	INIT(this,
+		.public = {
+			.plugin = {
+				.destroy = _destroy,
+			},
+		},
+	);
 
 	/* hashers */
 	lib->crypto->add_hasher(lib->crypto, HASH_SHA1,
@@ -172,8 +176,14 @@ plugin_t *gcrypt_plugin_create()
 					(crypter_constructor_t)gcrypt_crypter_create);
 	lib->crypto->add_crypter(lib->crypto, ENCR_AES_CBC,
 					(crypter_constructor_t)gcrypt_crypter_create);
+	lib->crypto->add_crypter(lib->crypto, ENCR_AES_CTR,
+					(crypter_constructor_t)gcrypt_crypter_create);
+#ifdef HAVE_GCRY_CIPHER_CAMELLIA
 	lib->crypto->add_crypter(lib->crypto, ENCR_CAMELLIA_CBC,
 					(crypter_constructor_t)gcrypt_crypter_create);
+	lib->crypto->add_crypter(lib->crypto, ENCR_CAMELLIA_CTR,
+					(crypter_constructor_t)gcrypt_crypter_create);
+#endif /* HAVE_GCRY_CIPHER_CAMELLIA */
 	lib->crypto->add_crypter(lib->crypto, ENCR_SERPENT_CBC,
 					(crypter_constructor_t)gcrypt_crypter_create);
 	lib->crypto->add_crypter(lib->crypto, ENCR_TWOFISH_CBC,
@@ -210,13 +220,15 @@ plugin_t *gcrypt_plugin_create()
 					(dh_constructor_t)gcrypt_dh_create);
 	lib->crypto->add_dh(lib->crypto, MODP_768_BIT,
 					(dh_constructor_t)gcrypt_dh_create);
+	lib->crypto->add_dh(lib->crypto, MODP_CUSTOM,
+					(dh_constructor_t)gcrypt_dh_create_custom);
 
 	/* RSA */
-	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, FALSE,
 					(builder_function_t)gcrypt_rsa_private_key_gen);
-	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, TRUE,
 					(builder_function_t)gcrypt_rsa_private_key_load);
-	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
+	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_RSA, TRUE,
 					(builder_function_t)gcrypt_rsa_public_key_load);
 
 	return &this->public.plugin;
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_rng.c b/src/libstrongswan/plugins/gcrypt/gcrypt_rng.c
index d0d252572..d29755de9 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_rng.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_rng.c
@@ -35,11 +35,8 @@ struct private_gcrypt_rng_t {
 	rng_quality_t quality;
 };
 
-/**
- * Implementation of gcrypt_rng_t.get_bytes.
- */
-static void get_bytes(private_gcrypt_rng_t *this, size_t bytes,
-					  u_int8_t *buffer)
+METHOD(rng_t, get_bytes, void,
+	private_gcrypt_rng_t *this, size_t bytes, u_int8_t *buffer)
 {
 	switch (this->quality)
 	{
@@ -55,20 +52,15 @@ static void get_bytes(private_gcrypt_rng_t *this, size_t bytes,
 	}
 }
 
-/**
- * Implementation of gcrypt_rng_t.allocate_bytes.
- */
-static void allocate_bytes(private_gcrypt_rng_t *this, size_t bytes,
-						   chunk_t *chunk)
+METHOD(rng_t, allocate_bytes, void,
+	private_gcrypt_rng_t *this, size_t bytes, chunk_t *chunk)
 {
 	*chunk = chunk_alloc(bytes);
 	get_bytes(this, chunk->len, chunk->ptr);
 }
 
-/**
- * Implementation of gcrypt_rng_t.destroy.
- */
-static void destroy(private_gcrypt_rng_t *this)
+METHOD(rng_t, destroy, void,
+	private_gcrypt_rng_t *this)
 {
 	free(this);
 }
@@ -90,13 +82,16 @@ gcrypt_rng_t *gcrypt_rng_create(rng_quality_t quality)
 			return NULL;
 	}
 
-	this = malloc_thing(private_gcrypt_rng_t);
-
-	this->public.rng.get_bytes = (void (*) (rng_t *, size_t, u_int8_t*)) get_bytes;
-	this->public.rng.allocate_bytes = (void (*) (rng_t *, size_t, chunk_t*)) allocate_bytes;
-	this->public.rng.destroy = (void (*) (rng_t *))destroy;
-
-	this->quality = quality;
+	INIT(this,
+		.public = {
+			.rng = {
+				.get_bytes = _get_bytes,
+				.allocate_bytes = _allocate_bytes,
+				.destroy = _destroy,
+			},
+		},
+		.quality = quality,
+	);
 
 	return &this->public;
 }
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c
index b8e86aba0..38ce2cd6c 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c
@@ -192,19 +192,15 @@ static bool sign_pkcs1(private_gcrypt_rsa_private_key_t *this,
 	return !!signature->len;
 }
 
-/**
- * Implementation of gcrypt_rsa_private_key.destroy.
- */
-static key_type_t get_type(private_gcrypt_rsa_private_key_t *this)
+METHOD(private_key_t, get_type, key_type_t,
+	private_gcrypt_rsa_private_key_t *this)
 {
 	return KEY_RSA;
 }
 
-/**
- * Implementation of gcrypt_rsa_private_key.destroy.
- */
-static bool sign(private_gcrypt_rsa_private_key_t *this, signature_scheme_t scheme,
-				 chunk_t data, chunk_t *sig)
+METHOD(private_key_t, sign, bool,
+	private_gcrypt_rsa_private_key_t *this, signature_scheme_t scheme,
+	chunk_t data, chunk_t *sig)
 {
 	switch (scheme)
 	{
@@ -229,17 +225,21 @@ static bool sign(private_gcrypt_rsa_private_key_t *this, signature_scheme_t sche
 	}
 }
 
-/**
- * Implementation of gcrypt_rsa_private_key.destroy.
- */
-static bool decrypt(private_gcrypt_rsa_private_key_t *this,
-					chunk_t encrypted, chunk_t *plain)
+METHOD(private_key_t, decrypt, bool,
+	private_gcrypt_rsa_private_key_t *this, encryption_scheme_t scheme,
+	chunk_t encrypted, chunk_t *plain)
 {
 	gcry_error_t err;
 	gcry_sexp_t in, out;
 	chunk_t padded;
 	u_char *pos = NULL;;
 
+	if (scheme != ENCRYPT_RSA_PKCS1)
+	{
+		DBG1(DBG_LIB, "encryption scheme %N not supported",
+			 encryption_scheme_names, scheme);
+		return FALSE;
+	}
 	err = gcry_sexp_build(&in, NULL, "(enc-val(flags)(rsa(a %b)))",
 						  encrypted.len, encrypted.ptr);
 	if (err)
@@ -277,18 +277,14 @@ static bool decrypt(private_gcrypt_rsa_private_key_t *this,
 	return TRUE;
 }
 
-/**
- * Implementation of gcrypt_rsa_private_key.get_keysize.
- */
-static size_t get_keysize(private_gcrypt_rsa_private_key_t *this)
+METHOD(private_key_t, get_keysize, int,
+	private_gcrypt_rsa_private_key_t *this)
 {
-	return gcry_pk_get_nbits(this->key) / 8;
+	return gcry_pk_get_nbits(this->key);
 }
 
-/**
- * Implementation of gcrypt_rsa_private_key.get_public_key.
- */
-static public_key_t* get_public_key(private_gcrypt_rsa_private_key_t *this)
+METHOD(private_key_t, get_public_key, public_key_t*,
+	private_gcrypt_rsa_private_key_t *this)
 {
 	chunk_t n, e;
 	public_key_t *public;
@@ -304,11 +300,9 @@ static public_key_t* get_public_key(private_gcrypt_rsa_private_key_t *this)
 	return public;
 }
 
-/**
- * Implementation of private_key_t.get_encoding
- */
-static bool get_encoding(private_gcrypt_rsa_private_key_t *this,
-						 cred_encoding_type_t type, chunk_t *encoding)
+METHOD(private_key_t, get_encoding, bool,
+	private_gcrypt_rsa_private_key_t *this, cred_encoding_type_t type,
+	chunk_t *encoding)
 {
 	chunk_t cn, ce, cp, cq, cd, cu, cexp1 = chunk_empty, cexp2 = chunk_empty;
 	gcry_mpi_t p = NULL, q = NULL, d = NULL, exp1, exp2;
@@ -385,11 +379,9 @@ static bool get_encoding(private_gcrypt_rsa_private_key_t *this,
 	return success;
 }
 
-/**
- * Implementation of private_key_t.get_fingerprint
- */
-static bool get_fingerprint(private_gcrypt_rsa_private_key_t *this,
-							cred_encoding_type_t type, chunk_t *fp)
+METHOD(private_key_t, get_fingerprint, bool,
+	private_gcrypt_rsa_private_key_t *this, cred_encoding_type_t type,
+	chunk_t *fp)
 {
 	chunk_t n, e;
 	bool success;
@@ -409,19 +401,15 @@ static bool get_fingerprint(private_gcrypt_rsa_private_key_t *this,
 	return success;
 }
 
-/**
- * Implementation of gcrypt_rsa_private_key.get_ref.
- */
-static private_key_t* get_ref(private_gcrypt_rsa_private_key_t *this)
+METHOD(private_key_t, get_ref, private_key_t*,
+	private_gcrypt_rsa_private_key_t *this)
 {
 	ref_get(&this->ref);
-	return &this->public.interface;
+	return &this->public.key;
 }
 
-/**
- * Implementation of gcrypt_rsa_private_key.destroy.
- */
-static void destroy(private_gcrypt_rsa_private_key_t *this)
+METHOD(private_key_t, destroy, void,
+	private_gcrypt_rsa_private_key_t *this)
 {
 	if (ref_put(&this->ref))
 	{
@@ -434,25 +422,29 @@ static void destroy(private_gcrypt_rsa_private_key_t *this)
 /**
  * Internal generic constructor
  */
-static private_gcrypt_rsa_private_key_t *gcrypt_rsa_private_key_create_empty()
+static private_gcrypt_rsa_private_key_t *create_empty()
 {
-	private_gcrypt_rsa_private_key_t *this = malloc_thing(private_gcrypt_rsa_private_key_t);
-
-	this->public.interface.get_type = (key_type_t (*)(private_key_t *this))get_type;
-	this->public.interface.sign = (bool (*)(private_key_t *this, signature_scheme_t scheme, chunk_t data, chunk_t *signature))sign;
-	this->public.interface.decrypt = (bool (*)(private_key_t *this, chunk_t crypto, chunk_t *plain))decrypt;
-	this->public.interface.get_keysize = (size_t (*) (private_key_t *this))get_keysize;
-	this->public.interface.get_public_key = (public_key_t* (*)(private_key_t *this))get_public_key;
-	this->public.interface.equals = private_key_equals;
-	this->public.interface.belongs_to = private_key_belongs_to;
-	this->public.interface.get_fingerprint = (bool(*)(private_key_t*, cred_encoding_type_t type, chunk_t *fp))get_fingerprint;
-	this->public.interface.has_fingerprint = (bool(*)(private_key_t*, chunk_t fp))private_key_has_fingerprint;
-	this->public.interface.get_encoding = (bool(*)(private_key_t*, cred_encoding_type_t type, chunk_t *encoding))get_encoding;
-	this->public.interface.get_ref = (private_key_t* (*)(private_key_t *this))get_ref;
-	this->public.interface.destroy = (void (*)(private_key_t *this))destroy;
-
-	this->key = NULL;
-	this->ref = 1;
+	private_gcrypt_rsa_private_key_t *this;
+
+	INIT(this,
+		.public = {
+			.key = {
+				.get_type = _get_type,
+				.sign = _sign,
+				.decrypt = _decrypt,
+				.get_keysize = _get_keysize,
+				.get_public_key = _get_public_key,
+				.equals = private_key_equals,
+				.belongs_to = private_key_belongs_to,
+				.get_fingerprint = _get_fingerprint,
+				.has_fingerprint = private_key_has_fingerprint,
+				.get_encoding = _get_encoding,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+		},
+		.ref = 1,
+	);
 
 	return this;
 }
@@ -493,7 +485,7 @@ gcrypt_rsa_private_key_t *gcrypt_rsa_private_key_gen(key_type_t type,
 		DBG1(DBG_LIB, "building S-expression failed: %s", gpg_strerror(err));
 		return NULL;
 	}
-	this = gcrypt_rsa_private_key_create_empty();
+	this = create_empty();
 	err = gcry_pk_genkey(&this->key, param);
 	gcry_sexp_release(param);
 	if (err)
@@ -552,7 +544,7 @@ gcrypt_rsa_private_key_t *gcrypt_rsa_private_key_load(key_type_t type,
 		break;
 	}
 
-	this = gcrypt_rsa_private_key_create_empty();
+	this = create_empty();
 	err = gcry_sexp_build(&this->key, NULL,
 					"(private-key(rsa(n %b)(e %b)(d %b)(p %b)(q %b)(u %b)))",
 					n.len, n.ptr, e.len, e.ptr, d.len, d.ptr,
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.h b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.h
index 4c3605f4b..0f3d66b80 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.h
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.h
@@ -34,7 +34,7 @@ struct gcrypt_rsa_private_key_t {
 	/**
 	 * Implements private_key_t interface
 	 */
-	private_key_t interface;
+	private_key_t key;
 };
 
 /**
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c
index 80a91b976..f8645da97 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c
@@ -159,19 +159,15 @@ static bool verify_pkcs1(private_gcrypt_rsa_public_key_t *this,
 	return TRUE;
 }
 
-/**
- * Implementation of public_key_t.get_type.
- */
-static key_type_t get_type(private_gcrypt_rsa_public_key_t *this)
+METHOD(public_key_t, get_type, key_type_t,
+	private_gcrypt_rsa_public_key_t *this)
 {
 	return KEY_RSA;
 }
 
-/**
- * Implementation of public_key_t.verify.
- */
-static bool verify(private_gcrypt_rsa_public_key_t *this,
-				   signature_scheme_t scheme, chunk_t data, chunk_t signature)
+METHOD(public_key_t, verify, bool,
+	private_gcrypt_rsa_public_key_t *this, signature_scheme_t scheme,
+	chunk_t data, chunk_t signature)
 {
 	switch (scheme)
 	{
@@ -196,15 +192,19 @@ static bool verify(private_gcrypt_rsa_public_key_t *this,
 	}
 }
 
-/**
- * Implementation of public_key_t.encrypt.
- */
-static bool encrypt_(private_gcrypt_rsa_public_key_t *this, chunk_t plain,
-					 chunk_t *encrypted)
+METHOD(public_key_t, encrypt_, bool,
+	private_gcrypt_rsa_public_key_t *this, encryption_scheme_t scheme,
+	chunk_t plain, chunk_t *encrypted)
 {
 	gcry_sexp_t in, out;
 	gcry_error_t err;
 
+	if (scheme != ENCRYPT_RSA_PKCS1)
+	{
+		DBG1(DBG_LIB, "encryption scheme %N not supported",
+			 encryption_scheme_names, scheme);
+		return FALSE;
+	}
 	/* "pkcs1" uses PKCS 1.5 (section 8.1) block type 2 encryption:
 	 * 00 | 02 | RANDOM | 00 | DATA */
 	err = gcry_sexp_build(&in, NULL, "(data(flags pkcs1)(value %b))",
@@ -228,19 +228,15 @@ static bool encrypt_(private_gcrypt_rsa_public_key_t *this, chunk_t plain,
 	return !!encrypted->len;
 }
 
-/**
- * Implementation of public_key_t.get_keysize.
- */
-static size_t get_keysize(private_gcrypt_rsa_public_key_t *this)
+METHOD(public_key_t, get_keysize, int,
+	private_gcrypt_rsa_public_key_t *this)
 {
-	return gcry_pk_get_nbits(this->key) / 8;
+	return gcry_pk_get_nbits(this->key);
 }
 
-/**
- * Implementation of private_key_t.get_encoding
- */
-static bool get_encoding(private_gcrypt_rsa_public_key_t *this,
-						 cred_encoding_type_t type, chunk_t *encoding)
+METHOD(public_key_t, get_encoding, bool,
+	private_gcrypt_rsa_public_key_t *this, cred_encoding_type_t type,
+	chunk_t *encoding)
 {
 	chunk_t n, e;
 	bool success;
@@ -256,11 +252,9 @@ static bool get_encoding(private_gcrypt_rsa_public_key_t *this,
 	return success;
 }
 
-/**
- * Implementation of private_key_t.get_fingerprint
- */
-static bool get_fingerprint(private_gcrypt_rsa_public_key_t *this,
-							cred_encoding_type_t type, chunk_t *fp)
+METHOD(public_key_t, get_fingerprint, bool,
+	private_gcrypt_rsa_public_key_t *this, cred_encoding_type_t type,
+	chunk_t *fp)
 {
 	chunk_t n, e;
 	bool success;
@@ -280,19 +274,15 @@ static bool get_fingerprint(private_gcrypt_rsa_public_key_t *this,
 	return success;
 }
 
-/**
- * Implementation of public_key_t.get_ref.
- */
-static public_key_t* get_ref(private_gcrypt_rsa_public_key_t *this)
+METHOD(public_key_t, get_ref, public_key_t*,
+	private_gcrypt_rsa_public_key_t *this)
 {
 	ref_get(&this->ref);
-	return &this->public.interface;
+	return &this->public.key;
 }
 
-/**
- * Implementation of gcrypt_rsa_public_key.destroy.
- */
-static void destroy(private_gcrypt_rsa_public_key_t *this)
+METHOD(public_key_t, destroy, void,
+	private_gcrypt_rsa_public_key_t *this)
 {
 	if (ref_put(&this->ref))
 	{
@@ -331,21 +321,23 @@ gcrypt_rsa_public_key_t *gcrypt_rsa_public_key_load(key_type_t type,
 		break;
 	}
 
-	this = malloc_thing(private_gcrypt_rsa_public_key_t);
-
-	this->public.interface.get_type = (key_type_t (*)(public_key_t *this))get_type;
-	this->public.interface.verify = (bool (*)(public_key_t *this, signature_scheme_t scheme, chunk_t data, chunk_t signature))verify;
-	this->public.interface.encrypt = (bool (*)(public_key_t *this, chunk_t crypto, chunk_t *plain))encrypt_;
-	this->public.interface.equals = public_key_equals;
-	this->public.interface.get_keysize = (size_t (*) (public_key_t *this))get_keysize;
-	this->public.interface.get_fingerprint = (bool(*)(public_key_t*, cred_encoding_type_t type, chunk_t *fp))get_fingerprint;
-	this->public.interface.has_fingerprint = (bool(*)(public_key_t*, chunk_t fp))public_key_has_fingerprint;
-	this->public.interface.get_encoding = (bool(*)(public_key_t*, cred_encoding_type_t type, chunk_t *encoding))get_encoding;
-	this->public.interface.get_ref = (public_key_t* (*)(public_key_t *this))get_ref;
-	this->public.interface.destroy = (void (*)(public_key_t *this))destroy;
-
-	this->key = NULL;
-	this->ref = 1;
+	INIT(this,
+		.public = {
+			.key = {
+				.get_type = _get_type,
+				.verify = _verify,
+				.encrypt = _encrypt_,
+				.equals = public_key_equals,
+				.get_keysize = _get_keysize,
+				.get_fingerprint = _get_fingerprint,
+				.has_fingerprint = public_key_has_fingerprint,
+				.get_encoding = _get_encoding,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+		},
+		.ref = 1,
+	);
 
 	err = gcry_sexp_build(&this->key, NULL, "(public-key(rsa(n %b)(e %b)))",
 						  n.len, n.ptr, e.len, e.ptr);
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.h b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.h
index fa18c357b..ca0a284a2 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.h
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.h
@@ -34,7 +34,7 @@ struct gcrypt_rsa_public_key_t {
 	/**
 	 * Implements the public_key_t interface
 	 */
-	public_key_t interface;
+	public_key_t key;
 };
 
 /**
diff --git a/src/libstrongswan/plugins/gmp/Makefile.in b/src/libstrongswan/plugins/gmp/Makefile.in
index bd7100b27..b4ec1ed8d 100644
--- a/src/libstrongswan/plugins/gmp/Makefile.in
+++ b/src/libstrongswan/plugins/gmp/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -165,6 +166,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -196,14 +199,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -218,24 +224,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -243,7 +256,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c b/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c
index 4ee449890..e99502b27 100644
--- a/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c
+++ b/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c
@@ -85,10 +85,8 @@ struct private_gmp_diffie_hellman_t {
 	bool computed;
 };
 
-/**
- * Implementation of gmp_diffie_hellman_t.set_other_public_value.
- */
-static void set_other_public_value(private_gmp_diffie_hellman_t *this, chunk_t value)
+METHOD(diffie_hellman_t, set_other_public_value, void,
+	private_gmp_diffie_hellman_t *this, chunk_t value)
 {
 	mpz_t p_min_1;
 
@@ -146,10 +144,8 @@ static void set_other_public_value(private_gmp_diffie_hellman_t *this, chunk_t v
 	mpz_clear(p_min_1);
 }
 
-/**
- * Implementation of gmp_diffie_hellman_t.get_my_public_value.
- */
-static void get_my_public_value(private_gmp_diffie_hellman_t *this,chunk_t *value)
+METHOD(diffie_hellman_t, get_my_public_value, void,
+	private_gmp_diffie_hellman_t *this,chunk_t *value)
 {
 	value->len = this->p_len;
 	value->ptr = mpz_export(NULL, NULL, 1, value->len, 1, 0, this->ya);
@@ -159,10 +155,8 @@ static void get_my_public_value(private_gmp_diffie_hellman_t *this,chunk_t *valu
 	}
 }
 
-/**
- * Implementation of gmp_diffie_hellman_t.get_shared_secret.
- */
-static status_t get_shared_secret(private_gmp_diffie_hellman_t *this, chunk_t *secret)
+METHOD(diffie_hellman_t, get_shared_secret, status_t,
+	private_gmp_diffie_hellman_t *this, chunk_t *secret)
 {
 	if (!this->computed)
 	{
@@ -177,18 +171,14 @@ static status_t get_shared_secret(private_gmp_diffie_hellman_t *this, chunk_t *s
 	return SUCCESS;
 }
 
-/**
- * Implementation of gmp_diffie_hellman_t.get_dh_group.
- */
-static diffie_hellman_group_t get_dh_group(private_gmp_diffie_hellman_t *this)
+METHOD(diffie_hellman_t, get_dh_group, diffie_hellman_group_t,
+	private_gmp_diffie_hellman_t *this)
 {
 	return this->group;
 }
 
-/**
- * Implementation of gmp_diffie_hellman_t.destroy.
- */
-static void destroy(private_gmp_diffie_hellman_t *this)
+METHOD(diffie_hellman_t, destroy, void,
+	private_gmp_diffie_hellman_t *this)
 {
 	mpz_clear(this->p);
 	mpz_clear(this->xa);
@@ -199,44 +189,38 @@ static void destroy(private_gmp_diffie_hellman_t *this)
 	free(this);
 }
 
-/*
- * Described in header.
+/**
+ * Generic internal constructor
  */
-gmp_diffie_hellman_t *gmp_diffie_hellman_create(diffie_hellman_group_t group)
+static gmp_diffie_hellman_t *create_generic(diffie_hellman_group_t group,
+											size_t exp_len, chunk_t g, chunk_t p)
 {
 	private_gmp_diffie_hellman_t *this;
-	diffie_hellman_params_t *params;
-	rng_t *rng;
 	chunk_t random;
+	rng_t *rng;
 
-	params = diffie_hellman_get_params(group);
-	if (!params)
-	{
-		return NULL;
-	}
-
-	this = malloc_thing(private_gmp_diffie_hellman_t);
-
-	/* public functions */
-	this->public.dh.get_shared_secret = (status_t (*)(diffie_hellman_t *, chunk_t *)) get_shared_secret;
-	this->public.dh.set_other_public_value = (void (*)(diffie_hellman_t *, chunk_t )) set_other_public_value;
-	this->public.dh.get_my_public_value = (void (*)(diffie_hellman_t *, chunk_t *)) get_my_public_value;
-	this->public.dh.get_dh_group = (diffie_hellman_group_t (*)(diffie_hellman_t *)) get_dh_group;
-	this->public.dh.destroy = (void (*)(diffie_hellman_t *)) destroy;
+	INIT(this,
+		.public = {
+			.dh = {
+				.get_shared_secret = _get_shared_secret,
+				.set_other_public_value = _set_other_public_value,
+				.get_my_public_value = _get_my_public_value,
+				.get_dh_group = _get_dh_group,
+				.destroy = _destroy,
+			},
+		},
+		.group = group,
+		.p_len = p.len,
+	);
 
-	/* private variables */
-	this->group = group;
 	mpz_init(this->p);
 	mpz_init(this->yb);
 	mpz_init(this->ya);
 	mpz_init(this->xa);
 	mpz_init(this->zz);
 	mpz_init(this->g);
-
-	this->computed = FALSE;
-	this->p_len = params->prime.len;
-	mpz_import(this->p, params->prime.len, 1, 1, 1, 0, params->prime.ptr);
-	mpz_import(this->g, params->generator.len, 1, 1, 1, 0, params->generator.ptr);
+	mpz_import(this->g, g.len, 1, 1, 1, 0, g.ptr);
+	mpz_import(this->p, p.len, 1, 1, 1, 0, p.ptr);
 
 	rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
 	if (!rng)
@@ -247,10 +231,10 @@ gmp_diffie_hellman_t *gmp_diffie_hellman_create(diffie_hellman_group_t group)
 		return NULL;
 	}
 
-	rng->allocate_bytes(rng, params->exp_len, &random);
+	rng->allocate_bytes(rng, exp_len, &random);
 	rng->destroy(rng);
 
-	if (params->exp_len == this->p_len)
+	if (exp_len == this->p_len)
 	{
 		/* achieve bitsof(p)-1 by setting MSB to 0 */
 		*random.ptr &= 0x7F;
@@ -265,3 +249,29 @@ gmp_diffie_hellman_t *gmp_diffie_hellman_create(diffie_hellman_group_t group)
 	return &this->public;
 }
 
+/*
+ * Described in header.
+ */
+gmp_diffie_hellman_t *gmp_diffie_hellman_create(diffie_hellman_group_t group)
+{
+	diffie_hellman_params_t *params;
+
+	params = diffie_hellman_get_params(group);
+	if (!params)
+	{
+		return NULL;
+	}
+	return create_generic(group, params->exp_len,
+						  params->generator, params->prime);
+}
+
+
+gmp_diffie_hellman_t *gmp_diffie_hellman_create_custom(
+							diffie_hellman_group_t group, chunk_t g, chunk_t p)
+{
+	if (group == MODP_CUSTOM)
+	{
+		return create_generic(MODP_CUSTOM, p.len, g, p);
+	}
+	return NULL;
+}
diff --git a/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.h b/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.h
index 2a54eebb1..6d73c0863 100644
--- a/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.h
+++ b/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.h
@@ -45,5 +45,16 @@ struct gmp_diffie_hellman_t {
  */
 gmp_diffie_hellman_t *gmp_diffie_hellman_create(diffie_hellman_group_t group);
 
+/**
+ * Creates a new gmp_diffie_hellman_t object for MODP_CUSTOM.
+ *
+ * @param group			MODP_CUSTOM
+ * @param g				generator
+ * @param p				prime
+ * @return				gmp_diffie_hellman_t object, NULL if not supported
+ */
+gmp_diffie_hellman_t *gmp_diffie_hellman_create_custom(
+							diffie_hellman_group_t group, chunk_t g, chunk_t p);
+
 #endif /** GMP_DIFFIE_HELLMAN_H_ @}*/
 
diff --git a/src/libstrongswan/plugins/gmp/gmp_plugin.c b/src/libstrongswan/plugins/gmp/gmp_plugin.c
index fbce9732f..9b4fad3da 100644
--- a/src/libstrongswan/plugins/gmp/gmp_plugin.c
+++ b/src/libstrongswan/plugins/gmp/gmp_plugin.c
@@ -33,13 +33,13 @@ struct private_gmp_plugin_t {
 	gmp_plugin_t public;
 };
 
-/**
- * Implementation of gmp_plugin_t.gmptroy
- */
-static void destroy(private_gmp_plugin_t *this)
+METHOD(plugin_t, destroy, void,
+	private_gmp_plugin_t *this)
 {
 	lib->crypto->remove_dh(lib->crypto,
 						(dh_constructor_t)gmp_diffie_hellman_create);
+	lib->crypto->remove_dh(lib->crypto,
+						(dh_constructor_t)gmp_diffie_hellman_create_custom);
 	lib->creds->remove_builder(lib->creds,
 						(builder_function_t)gmp_rsa_private_key_gen);
 	lib->creds->remove_builder(lib->creds,
@@ -54,9 +54,15 @@ static void destroy(private_gmp_plugin_t *this)
  */
 plugin_t *gmp_plugin_create()
 {
-	private_gmp_plugin_t *this = malloc_thing(private_gmp_plugin_t);
+	private_gmp_plugin_t *this;
 
-	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+	INIT(this,
+		.public = {
+			.plugin = {
+				.destroy = _destroy,
+			},
+		},
+	);
 
 	lib->crypto->add_dh(lib->crypto, MODP_2048_BIT,
 						(dh_constructor_t)gmp_diffie_hellman_create);
@@ -81,11 +87,14 @@ plugin_t *gmp_plugin_create()
 	lib->crypto->add_dh(lib->crypto, MODP_768_BIT,
 						(dh_constructor_t)gmp_diffie_hellman_create);
 
-	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+	lib->crypto->add_dh(lib->crypto, MODP_CUSTOM,
+						(dh_constructor_t)gmp_diffie_hellman_create_custom);
+
+	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, FALSE,
 						(builder_function_t)gmp_rsa_private_key_gen);
-	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, TRUE,
 						(builder_function_t)gmp_rsa_private_key_load);
-	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
+	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_RSA, TRUE,
 						(builder_function_t)gmp_rsa_public_key_load);
 
 	return &this->public.plugin;
diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c
index cc9985320..1b6c20817 100644
--- a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c
+++ b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c
@@ -209,7 +209,7 @@ static chunk_t rsasp1(private_gmp_rsa_private_key_t *this, chunk_t data)
 }
 
 /**
- * Implementation of gmp_rsa_private_key_t.build_emsa_pkcs1_signature.
+ * Build a signature using the PKCS#1 EMSA scheme
  */
 static bool build_emsa_pkcs1_signature(private_gmp_rsa_private_key_t *this,
 									   hash_algorithm_t hash_algorithm,
@@ -250,7 +250,7 @@ static bool build_emsa_pkcs1_signature(private_gmp_rsa_private_key_t *this,
 	{
 		free(digestInfo.ptr);
 		DBG1(DBG_LIB, "unable to sign %d bytes using a %dbit key", data.len,
-			 this->k * 8);
+			 mpz_sizeinbase(this->n, 2));
 		return FALSE;
 	}
 
@@ -280,19 +280,15 @@ static bool build_emsa_pkcs1_signature(private_gmp_rsa_private_key_t *this,
 	return TRUE;
 }
 
-/**
- * Implementation of gmp_rsa_private_key.get_type.
- */
-static key_type_t get_type(private_gmp_rsa_private_key_t *this)
+METHOD(private_key_t, get_type, key_type_t,
+	private_gmp_rsa_private_key_t *this)
 {
 	return KEY_RSA;
 }
 
-/**
- * Implementation of gmp_rsa_private_key.sign.
- */
-static bool sign(private_gmp_rsa_private_key_t *this, signature_scheme_t scheme,
-				 chunk_t data, chunk_t *signature)
+METHOD(private_key_t, sign, bool,
+	private_gmp_rsa_private_key_t *this, signature_scheme_t scheme,
+	chunk_t data, chunk_t *signature)
 {
 	switch (scheme)
 	{
@@ -317,15 +313,19 @@ static bool sign(private_gmp_rsa_private_key_t *this, signature_scheme_t scheme,
 	}
 }
 
-/**
- * Implementation of gmp_rsa_private_key.decrypt.
- */
-static bool decrypt(private_gmp_rsa_private_key_t *this, chunk_t crypto,
-					chunk_t *plain)
+METHOD(private_key_t, decrypt, bool,
+	private_gmp_rsa_private_key_t *this, encryption_scheme_t scheme,
+	chunk_t crypto, chunk_t *plain)
 {
 	chunk_t em, stripped;
 	bool success = FALSE;
 
+	if (scheme != ENCRYPT_RSA_PKCS1)
+	{
+		DBG1(DBG_LIB, "encryption scheme %N not supported",
+			 encryption_scheme_names, scheme);
+		return FALSE;
+	}
 	/* rsa decryption using PKCS#1 RSADP */
 	stripped = em = rsadp(this, crypto);
 
@@ -356,18 +356,14 @@ end:
 	return success;
 }
 
-/**
- * Implementation of gmp_rsa_private_key.get_keysize.
- */
-static size_t get_keysize(private_gmp_rsa_private_key_t *this)
+METHOD(private_key_t, get_keysize, int,
+	private_gmp_rsa_private_key_t *this)
 {
-	return this->k;
+	return mpz_sizeinbase(this->n, 2);
 }
 
-/**
- * Implementation of gmp_rsa_private_key.get_public_key.
- */
-static public_key_t* get_public_key(private_gmp_rsa_private_key_t *this)
+METHOD(private_key_t, get_public_key, public_key_t*,
+	private_gmp_rsa_private_key_t *this)
 {
 	chunk_t n, e;
 	public_key_t *public;
@@ -383,27 +379,9 @@ static public_key_t* get_public_key(private_gmp_rsa_private_key_t *this)
 	return public;
 }
 
-/**
- * Implementation of gmp_rsa_private_key.equals.
- */
-static bool equals(private_gmp_rsa_private_key_t *this, private_key_t *other)
-{
-	return private_key_equals(&this->public.interface, other);
-}
-
-/**
- * Implementation of gmp_rsa_private_key.belongs_to.
- */
-static bool belongs_to(private_gmp_rsa_private_key_t *this, public_key_t *public)
-{
-	return private_key_belongs_to(&this->public.interface, public);
-}
-
-/**
- * Implementation of private_key_t.get_encoding
- */
-static bool get_encoding(private_gmp_rsa_private_key_t *this,
-						 cred_encoding_type_t type, chunk_t *encoding)
+METHOD(private_key_t, get_encoding, bool,
+	private_gmp_rsa_private_key_t *this, cred_encoding_type_t type,
+	chunk_t *encoding)
 {
 	chunk_t n, e, d, p, q, exp1, exp2, coeff;
 	bool success;
@@ -435,11 +413,8 @@ static bool get_encoding(private_gmp_rsa_private_key_t *this,
 	return success;
 }
 
-/**
- * Implementation of private_key_t.get_fingerprint
- */
-static bool get_fingerprint(private_gmp_rsa_private_key_t *this,
-							cred_encoding_type_t type, chunk_t *fp)
+METHOD(private_key_t, get_fingerprint, bool,
+	private_gmp_rsa_private_key_t *this, cred_encoding_type_t type, chunk_t *fp)
 {
 	chunk_t n, e;
 	bool success;
@@ -459,19 +434,15 @@ static bool get_fingerprint(private_gmp_rsa_private_key_t *this,
 	return success;
 }
 
-/**
- * Implementation of gmp_rsa_private_key.get_ref.
- */
-static private_gmp_rsa_private_key_t* get_ref(private_gmp_rsa_private_key_t *this)
+METHOD(private_key_t, get_ref, private_key_t*,
+	private_gmp_rsa_private_key_t *this)
 {
 	ref_get(&this->ref);
-	return this;
+	return &this->public.key;
 }
 
-/**
- * Implementation of gmp_rsa_private_key.destroy.
- */
-static void destroy(private_gmp_rsa_private_key_t *this)
+METHOD(private_key_t, destroy, void,
+	private_gmp_rsa_private_key_t *this)
 {
 	if (ref_put(&this->ref))
 	{
@@ -592,23 +563,27 @@ static status_t check(private_gmp_rsa_private_key_t *this)
  */
 static private_gmp_rsa_private_key_t *gmp_rsa_private_key_create_empty(void)
 {
-	private_gmp_rsa_private_key_t *this = malloc_thing(private_gmp_rsa_private_key_t);
-
-	this->public.interface.get_type = (key_type_t (*) (private_key_t*))get_type;
-	this->public.interface.sign = (bool (*) (private_key_t*, signature_scheme_t, chunk_t, chunk_t*))sign;
-	this->public.interface.decrypt = (bool (*) (private_key_t*, chunk_t, chunk_t*))decrypt;
-	this->public.interface.get_keysize = (size_t (*) (private_key_t*))get_keysize;
-	this->public.interface.get_public_key = (public_key_t* (*) (private_key_t*))get_public_key;
-	this->public.interface.equals = (bool (*) (private_key_t*, private_key_t*))equals;
-	this->public.interface.belongs_to = (bool (*) (private_key_t*, public_key_t*))belongs_to;
-	this->public.interface.get_fingerprint = (bool(*)(private_key_t*, cred_encoding_type_t type, chunk_t *fp))get_fingerprint;
-	this->public.interface.has_fingerprint = (bool(*)(private_key_t*, chunk_t fp))private_key_has_fingerprint;
-	this->public.interface.get_encoding = (bool(*)(private_key_t*, cred_encoding_type_t type, chunk_t *encoding))get_encoding;
-	this->public.interface.get_ref = (private_key_t* (*) (private_key_t*))get_ref;
-	this->public.interface.destroy = (void (*) (private_key_t*))destroy;
-
-	this->ref = 1;
+	private_gmp_rsa_private_key_t *this;
 
+	INIT(this,
+		.public = {
+			.key = {
+				.get_type = _get_type,
+				.sign = _sign,
+				.decrypt = _decrypt,
+				.get_keysize = _get_keysize,
+				.get_public_key = _get_public_key,
+				.equals = private_key_equals,
+				.belongs_to = private_key_belongs_to,
+				.get_fingerprint = _get_fingerprint,
+				.has_fingerprint = private_key_has_fingerprint,
+				.get_encoding = _get_encoding,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+		},
+		.ref = 1,
+	);
 	return this;
 }
 
diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.h b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.h
index db1fcf535..32e1f292c 100644
--- a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.h
+++ b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.h
@@ -34,7 +34,7 @@ struct gmp_rsa_private_key_t {
 	/**
 	 * Implements private_key_t interface
 	 */
-	private_key_t interface;
+	private_key_t key;
 };
 
 /**
diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
index c114ae80d..a7ba80138 100644
--- a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
+++ b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
@@ -273,19 +273,15 @@ end:
 	return success;
 }
 
-/**
- * Implementation of public_key_t.get_type.
- */
-static key_type_t get_type(private_gmp_rsa_public_key_t *this)
+METHOD(public_key_t, get_type, key_type_t,
+	private_gmp_rsa_public_key_t *this)
 {
 	return KEY_RSA;
 }
 
-/**
- * Implementation of public_key_t.verify.
- */
-static bool verify(private_gmp_rsa_public_key_t *this, signature_scheme_t scheme,
-				   chunk_t data, chunk_t signature)
+METHOD(public_key_t, verify, bool,
+	private_gmp_rsa_public_key_t *this, signature_scheme_t scheme,
+	chunk_t data, chunk_t signature)
 {
 	switch (scheme)
 	{
@@ -312,24 +308,21 @@ static bool verify(private_gmp_rsa_public_key_t *this, signature_scheme_t scheme
 
 #define MIN_PS_PADDING 8
 
-/**
- * Implementation of public_key_t.encrypt.
- */
-static bool encrypt_(private_gmp_rsa_public_key_t *this, chunk_t plain,
-					 chunk_t *crypto)
+METHOD(public_key_t, encrypt_, bool,
+	private_gmp_rsa_public_key_t *this, encryption_scheme_t scheme,
+	chunk_t plain, chunk_t *crypto)
 {
 	chunk_t em;
 	u_char *pos;
 	int padding, i;
 	rng_t *rng;
 
-	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
-	if (rng == NULL)
+	if (scheme != ENCRYPT_RSA_PKCS1)
 	{
-		DBG1(DBG_LIB, "no random generator available");
+		DBG1(DBG_LIB, "encryption scheme %N not supported",
+			 encryption_scheme_names, scheme);
 		return FALSE;
 	}
-
 	/* number of pseudo-random padding octets */
 	padding = this->k - plain.len - 3;
 	if (padding < MIN_PS_PADDING)
@@ -338,6 +331,12 @@ static bool encrypt_(private_gmp_rsa_public_key_t *this, chunk_t plain,
 			 MIN_PS_PADDING);
 		return FALSE;
 	}
+	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
+	if (rng == NULL)
+	{
+		DBG1(DBG_LIB, "no random generator available");
+		return FALSE;
+	}
 
 	/* padding according to PKCS#1 7.2.1 (RSAES-PKCS1-v1.5-ENCRYPT) */
 	DBG2(DBG_LIB, "padding %u bytes of data to the rsa modulus size of"
@@ -376,27 +375,15 @@ static bool encrypt_(private_gmp_rsa_public_key_t *this, chunk_t plain,
 	return TRUE;
 }
 
-/**
- * Implementation of gmp_rsa_public_key.equals.
- */
-static bool equals(private_gmp_rsa_public_key_t *this, public_key_t *other)
-{
-	return public_key_equals(&this->public.interface, other);
-}
-
-/**
- * Implementation of public_key_t.get_keysize.
- */
-static size_t get_keysize(private_gmp_rsa_public_key_t *this)
+METHOD(public_key_t, get_keysize, int,
+	private_gmp_rsa_public_key_t *this)
 {
-	return this->k;
+	return mpz_sizeinbase(this->n, 2);
 }
 
-/**
- * Implementation of public_key_t.get_encoding
- */
-static bool get_encoding(private_gmp_rsa_public_key_t *this,
-						 cred_encoding_type_t type, chunk_t *encoding)
+METHOD(public_key_t, get_encoding, bool,
+	private_gmp_rsa_public_key_t *this, cred_encoding_type_t type,
+	chunk_t *encoding)
 {
 	chunk_t n, e;
 	bool success;
@@ -412,11 +399,8 @@ static bool get_encoding(private_gmp_rsa_public_key_t *this,
 	return success;
 }
 
-/**
- * Implementation of public_key_t.get_fingerprint
- */
-static bool get_fingerprint(private_gmp_rsa_public_key_t *this,
-							cred_encoding_type_t type, chunk_t *fp)
+METHOD(public_key_t, get_fingerprint, bool,
+	private_gmp_rsa_public_key_t *this, cred_encoding_type_t type, chunk_t *fp)
 {
 	chunk_t n, e;
 	bool success;
@@ -436,19 +420,15 @@ static bool get_fingerprint(private_gmp_rsa_public_key_t *this,
 	return success;
 }
 
-/**
- * Implementation of public_key_t.get_ref.
- */
-static private_gmp_rsa_public_key_t* get_ref(private_gmp_rsa_public_key_t *this)
+METHOD(public_key_t, get_ref, public_key_t*,
+	private_gmp_rsa_public_key_t *this)
 {
 	ref_get(&this->ref);
-	return this;
+	return &this->public.key;
 }
 
-/**
- * Implementation of gmp_rsa_public_key.destroy.
- */
-static void destroy(private_gmp_rsa_public_key_t *this)
+METHOD(public_key_t, destroy, void,
+	private_gmp_rsa_public_key_t *this)
 {
 	if (ref_put(&this->ref))
 	{
@@ -490,20 +470,23 @@ gmp_rsa_public_key_t *gmp_rsa_public_key_load(key_type_t type, va_list args)
 		return NULL;
 	}
 
-	this = malloc_thing(private_gmp_rsa_public_key_t);
-
-	this->public.interface.get_type = (key_type_t (*) (public_key_t*))get_type;
-	this->public.interface.verify = (bool (*) (public_key_t*, signature_scheme_t, chunk_t, chunk_t))verify;
-	this->public.interface.encrypt = (bool (*) (public_key_t*, chunk_t, chunk_t*))encrypt_;
-	this->public.interface.equals = (bool (*) (public_key_t*, public_key_t*))equals;
-	this->public.interface.get_keysize = (size_t (*) (public_key_t*))get_keysize;
-	this->public.interface.get_fingerprint = (bool(*)(public_key_t*, cred_encoding_type_t type, chunk_t *fp))get_fingerprint;
-	this->public.interface.has_fingerprint = (bool(*)(public_key_t*, chunk_t fp))public_key_has_fingerprint;
-	this->public.interface.get_encoding = (bool(*)(public_key_t*, cred_encoding_type_t type, chunk_t *encoding))get_encoding;
-	this->public.interface.get_ref = (public_key_t* (*) (public_key_t *this))get_ref;
-	this->public.interface.destroy = (void (*) (public_key_t *this))destroy;
-
-	this->ref = 1;
+	INIT(this,
+		.public = {
+			.key = {
+				.get_type = _get_type,
+				.verify = _verify,
+				.encrypt = _encrypt_,
+				.equals = public_key_equals,
+				.get_keysize = _get_keysize,
+				.get_fingerprint = _get_fingerprint,
+				.has_fingerprint = public_key_has_fingerprint,
+				.get_encoding = _get_encoding,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+		},
+		.ref = 1,
+	);
 
 	mpz_init(this->n);
 	mpz_init(this->e);
diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.h b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.h
index 807f0bb7c..14dd71e0b 100644
--- a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.h
+++ b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.h
@@ -35,7 +35,7 @@ struct gmp_rsa_public_key_t {
 	/**
 	 * Implements the public_key_t interface
 	 */
-	public_key_t interface;
+	public_key_t key;
 };
 
 /**
diff --git a/src/libstrongswan/plugins/hmac/Makefile.in b/src/libstrongswan/plugins/hmac/Makefile.in
index b03ff44a6..42a7d3747 100644
--- a/src/libstrongswan/plugins/hmac/Makefile.in
+++ b/src/libstrongswan/plugins/hmac/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -165,6 +166,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -196,14 +199,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -218,24 +224,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -243,7 +256,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libstrongswan/plugins/hmac/hmac.c b/src/libstrongswan/plugins/hmac/hmac.c
index c1ab48899..c7b2739df 100644
--- a/src/libstrongswan/plugins/hmac/hmac.c
+++ b/src/libstrongswan/plugins/hmac/hmac.c
@@ -30,7 +30,7 @@ struct private_hmac_t {
 	/**
 	 * Public hmac_t interface.
 	 */
-	hmac_t hmac;
+	hmac_t public;
 
 	/**
 	 * Block size, as in RFC.
@@ -53,10 +53,8 @@ struct private_hmac_t {
 	chunk_t ipaded_key;
 };
 
-/**
- * Implementation of hmac_t.get_mac.
- */
-static void get_mac(private_hmac_t *this, chunk_t data, u_int8_t *out)
+METHOD(hmac_t, get_mac, void,
+	private_hmac_t *this, chunk_t data, u_int8_t *out)
 {
 	/* H(K XOR opad, H(K XOR ipad, text))
 	 *
@@ -91,37 +89,31 @@ static void get_mac(private_hmac_t *this, chunk_t data, u_int8_t *out)
 	}
 }
 
-/**
- * Implementation of hmac_t.allocate_mac.
- */
-static void allocate_mac(private_hmac_t *this, chunk_t data, chunk_t *out)
+METHOD(hmac_t, allocate_mac, void,
+	private_hmac_t *this, chunk_t data, chunk_t *out)
 {
 	/* allocate space and use get_mac */
 	if (out == NULL)
 	{
 		/* append mode */
-		this->hmac.get_mac(&(this->hmac), data, NULL);
+		get_mac(this, data, NULL);
 	}
 	else
 	{
 		out->len = this->h->get_hash_size(this->h);
 		out->ptr = malloc(out->len);
-		this->hmac.get_mac(&(this->hmac), data, out->ptr);
+		get_mac(this, data, out->ptr);
 	}
 }
 
-/**
- * Implementation of hmac_t.get_block_size.
- */
-static size_t get_block_size(private_hmac_t *this)
+METHOD(hmac_t, get_block_size, size_t,
+	private_hmac_t *this)
 {
 	return this->h->get_hash_size(this->h);
 }
 
-/**
- * Implementation of hmac_t.set_key.
- */
-static void set_key(private_hmac_t *this, chunk_t key)
+METHOD(hmac_t, set_key, void,
+	private_hmac_t *this, chunk_t key)
 {
 	int i;
 	u_int8_t buffer[this->b];
@@ -151,10 +143,8 @@ static void set_key(private_hmac_t *this, chunk_t key)
 	this->h->get_hash(this->h, this->ipaded_key, NULL);
 }
 
-/**
- * Implementation of hmac_t.destroy.
- */
-static void destroy(private_hmac_t *this)
+METHOD(hmac_t, destroy, void,
+	private_hmac_t *this)
 {
 	this->h->destroy(this->h);
 	free(this->opaded_key.ptr);
@@ -167,14 +157,17 @@ static void destroy(private_hmac_t *this)
  */
 hmac_t *hmac_create(hash_algorithm_t hash_algorithm)
 {
-	private_hmac_t *this = malloc_thing(private_hmac_t);
-
-	/* set hmac_t methods */
-	this->hmac.get_mac = (void (*)(hmac_t *,chunk_t,u_int8_t*))get_mac;
-	this->hmac.allocate_mac = (void (*)(hmac_t *,chunk_t,chunk_t*))allocate_mac;
-	this->hmac.get_block_size = (size_t (*)(hmac_t *))get_block_size;
-	this->hmac.set_key = (void (*)(hmac_t *,chunk_t))set_key;
-	this->hmac.destroy = (void (*)(hmac_t *))destroy;
+	private_hmac_t *this;
+
+	INIT(this,
+		.public = {
+			.get_mac = _get_mac,
+			.allocate_mac = _allocate_mac,
+			.get_block_size = _get_block_size,
+			.set_key = _set_key,
+			.destroy = _destroy,
+		},
+	);
 
 	/* set b, according to hasher */
 	switch (hash_algorithm)
@@ -193,7 +186,6 @@ hmac_t *hmac_create(hash_algorithm_t hash_algorithm)
 			return NULL;
 	}
 
-	/* build the hasher */
 	this->h = lib->crypto->create_hasher(lib->crypto, hash_algorithm);
 	if (this->h == NULL)
 	{
@@ -208,5 +200,5 @@ hmac_t *hmac_create(hash_algorithm_t hash_algorithm)
 	this->ipaded_key.ptr = malloc(this->b);
 	this->ipaded_key.len = this->b;
 
-	return &(this->hmac);
+	return &this->public;
 }
diff --git a/src/libstrongswan/plugins/hmac/hmac_plugin.c b/src/libstrongswan/plugins/hmac/hmac_plugin.c
index e6b9f7a74..73df4dc6c 100644
--- a/src/libstrongswan/plugins/hmac/hmac_plugin.c
+++ b/src/libstrongswan/plugins/hmac/hmac_plugin.c
@@ -32,10 +32,8 @@ struct private_hmac_plugin_t {
 	hmac_plugin_t public;
 };
 
-/**
- * Implementation of hmac_plugin_t.hmactroy
- */
-static void destroy(private_hmac_plugin_t *this)
+METHOD(plugin_t, destroy, void,
+	private_hmac_plugin_t *this)
 {
 	lib->crypto->remove_prf(lib->crypto,
 							(prf_constructor_t)hmac_prf_create);
@@ -49,9 +47,15 @@ static void destroy(private_hmac_plugin_t *this)
  */
 plugin_t *hmac_plugin_create()
 {
-	private_hmac_plugin_t *this = malloc_thing(private_hmac_plugin_t);
+	private_hmac_plugin_t *this;
 
-	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+	INIT(this,
+		.public = {
+			.plugin = {
+				.destroy = _destroy,
+			},
+		},
+	);
 
 	lib->crypto->add_prf(lib->crypto, PRF_HMAC_SHA2_256,
 						 (prf_constructor_t)hmac_prf_create);
@@ -72,12 +76,16 @@ plugin_t *hmac_plugin_create()
 							(signer_constructor_t)hmac_signer_create);
 	lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_256_128,
 							(signer_constructor_t)hmac_signer_create);
+	lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_256_256,
+							(signer_constructor_t)hmac_signer_create);
 	lib->crypto->add_signer(lib->crypto, AUTH_HMAC_MD5_96,
 							(signer_constructor_t)hmac_signer_create);
 	lib->crypto->add_signer(lib->crypto, AUTH_HMAC_MD5_128,
 							(signer_constructor_t)hmac_signer_create);
 	lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_384_192,
 							(signer_constructor_t)hmac_signer_create);
+	lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_384_384,
+							(signer_constructor_t)hmac_signer_create);
 	lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_512_256,
 							(signer_constructor_t)hmac_signer_create);
 
diff --git a/src/libstrongswan/plugins/hmac/hmac_prf.c b/src/libstrongswan/plugins/hmac/hmac_prf.c
index cca6e9570..ca10612f9 100644
--- a/src/libstrongswan/plugins/hmac/hmac_prf.c
+++ b/src/libstrongswan/plugins/hmac/hmac_prf.c
@@ -36,51 +36,39 @@ struct private_hmac_prf_t {
 	hmac_t *hmac;
 };
 
-/**
- * Implementation of prf_t.get_bytes.
- */
-static void get_bytes(private_hmac_prf_t *this, chunk_t seed, u_int8_t *buffer)
+METHOD(prf_t, get_bytes, void,
+	private_hmac_prf_t *this, chunk_t seed, u_int8_t *buffer)
 {
 	this->hmac->get_mac(this->hmac, seed, buffer);
 }
 
-/**
- * Implementation of prf_t.allocate_bytes.
- */
-static void allocate_bytes(private_hmac_prf_t *this, chunk_t seed, chunk_t *chunk)
+METHOD(prf_t, allocate_bytes, void,
+	private_hmac_prf_t *this, chunk_t seed, chunk_t *chunk)
 {
 	this->hmac->allocate_mac(this->hmac, seed, chunk);
 }
 
-/**
- * Implementation of prf_t.get_block_size.
- */
-static size_t get_block_size(private_hmac_prf_t *this)
+METHOD(prf_t, get_block_size, size_t,
+	private_hmac_prf_t *this)
 {
 	return this->hmac->get_block_size(this->hmac);
 }
 
-/**
- * Implementation of prf_t.get_block_size.
- */
-static size_t get_key_size(private_hmac_prf_t *this)
+METHOD(prf_t, get_key_size, size_t,
+	private_hmac_prf_t *this)
 {
 	/* for HMAC prfs, IKEv2 uses block size as key size */
 	return this->hmac->get_block_size(this->hmac);
 }
 
-/**
- * Implementation of prf_t.set_key.
- */
-static void set_key(private_hmac_prf_t *this, chunk_t key)
+METHOD(prf_t, set_key, void,
+	private_hmac_prf_t *this, chunk_t key)
 {
 	this->hmac->set_key(this->hmac, key);
 }
 
-/**
- * Implementation of prf_t.destroy.
- */
-static void destroy(private_hmac_prf_t *this)
+METHOD(prf_t, destroy, void,
+	private_hmac_prf_t *this)
 {
 	this->hmac->destroy(this->hmac);
 	free(this);
@@ -92,44 +80,47 @@ static void destroy(private_hmac_prf_t *this)
 hmac_prf_t *hmac_prf_create(pseudo_random_function_t algo)
 {
 	private_hmac_prf_t *this;
-	hash_algorithm_t hash;
+	hmac_t *hmac;
 
 	switch (algo)
 	{
 		case PRF_HMAC_SHA1:
-			hash = HASH_SHA1;
+			hmac = hmac_create(HASH_SHA1);
 			break;
 		case PRF_HMAC_MD5:
-			hash = HASH_MD5;
+			hmac = hmac_create(HASH_MD5);
 			break;
 		case PRF_HMAC_SHA2_256:
-			hash = HASH_SHA256;
+			hmac = hmac_create(HASH_SHA256);
 			break;
 		case PRF_HMAC_SHA2_384:
-			hash = HASH_SHA384;
+			hmac = hmac_create(HASH_SHA384);
 			break;
 		case PRF_HMAC_SHA2_512:
-			hash = HASH_SHA512;
+			hmac = hmac_create(HASH_SHA512);
 			break;
 		default:
 			return NULL;
 	}
-
-	this = malloc_thing(private_hmac_prf_t);
-	this->hmac = hmac_create(hash);
-	if (this->hmac == NULL)
+	if (hmac == NULL)
 	{
-		free(this);
 		return NULL;
 	}
 
-	this->public.prf_interface.get_bytes = (void (*) (prf_t *,chunk_t,u_int8_t*))get_bytes;
-	this->public.prf_interface.allocate_bytes = (void (*) (prf_t*,chunk_t,chunk_t*))allocate_bytes;
-	this->public.prf_interface.get_block_size = (size_t (*) (prf_t*))get_block_size;
-	this->public.prf_interface.get_key_size = (size_t (*) (prf_t*))get_key_size;
-	this->public.prf_interface.set_key = (void (*) (prf_t *,chunk_t))set_key;
-	this->public.prf_interface.destroy = (void (*) (prf_t *))destroy;
-
-	return &(this->public);
+	INIT(this,
+		.public = {
+			.prf = {
+				.get_bytes = _get_bytes,
+				.allocate_bytes = _allocate_bytes,
+				.get_block_size = _get_block_size,
+				.get_key_size = _get_key_size,
+				.set_key = _set_key,
+				.destroy = _destroy,
+			},
+		},
+		.hmac = hmac,
+	);
+
+	return &this->public;
 }
 
diff --git a/src/libstrongswan/plugins/hmac/hmac_prf.h b/src/libstrongswan/plugins/hmac/hmac_prf.h
index 975b456f5..29d7269ae 100644
--- a/src/libstrongswan/plugins/hmac/hmac_prf.h
+++ b/src/libstrongswan/plugins/hmac/hmac_prf.h
@@ -35,9 +35,9 @@ typedef struct hmac_prf_t hmac_prf_t;
 struct hmac_prf_t {
 
 	/**
-	 * Generic prf_t interface for this hmac_prf_t class.
+	 * Implements prf_t interface.
 	 */
-	prf_t prf_interface;
+	prf_t prf;
 };
 
 /**
diff --git a/src/libstrongswan/plugins/hmac/hmac_signer.c b/src/libstrongswan/plugins/hmac/hmac_signer.c
index f82a8f3a1..511a3e3a5 100644
--- a/src/libstrongswan/plugins/hmac/hmac_signer.c
+++ b/src/libstrongswan/plugins/hmac/hmac_signer.c
@@ -41,11 +41,8 @@ struct private_hmac_signer_t {
 	size_t block_size;
 };
 
-/**
- * Implementation of signer_t.get_signature.
- */
-static void get_signature(private_hmac_signer_t *this,
-						  chunk_t data, u_int8_t *buffer)
+METHOD(signer_t, get_signature, void,
+	private_hmac_signer_t *this, chunk_t data, u_int8_t *buffer)
 {
 	if (buffer == NULL)
 	{	/* append mode */
@@ -60,11 +57,8 @@ static void get_signature(private_hmac_signer_t *this,
 	}
 }
 
-/**
- * Implementation of signer_t.allocate_signature.
- */
-static void allocate_signature (private_hmac_signer_t *this,
-								chunk_t data, chunk_t *chunk)
+METHOD(signer_t, allocate_signature, void,
+	private_hmac_signer_t *this, chunk_t data, chunk_t *chunk)
 {
 	if (chunk == NULL)
 	{	/* append mode */
@@ -83,11 +77,8 @@ static void allocate_signature (private_hmac_signer_t *this,
 	}
 }
 
-/**
- * Implementation of signer_t.verify_signature.
- */
-static bool verify_signature(private_hmac_signer_t *this,
-							 chunk_t data, chunk_t signature)
+METHOD(signer_t, verify_signature, bool,
+	private_hmac_signer_t *this, chunk_t data, chunk_t signature)
 {
 	u_int8_t mac[this->hmac->get_block_size(this->hmac)];
 
@@ -100,38 +91,29 @@ static bool verify_signature(private_hmac_signer_t *this,
 	return memeq(signature.ptr, mac, this->block_size);
 }
 
-/**
- * Implementation of signer_t.get_key_size.
- */
-static size_t get_key_size(private_hmac_signer_t *this)
+METHOD(signer_t, get_key_size, size_t,
+	private_hmac_signer_t *this)
 {
 	return this->hmac->get_block_size(this->hmac);
 }
 
-/**
- * Implementation of signer_t.get_block_size.
- */
-static size_t get_block_size(private_hmac_signer_t *this)
+METHOD(signer_t, get_block_size, size_t,
+	private_hmac_signer_t *this)
 {
 	return this->block_size;
 }
 
-/**
- * Implementation of signer_t.set_key.
- */
-static void set_key(private_hmac_signer_t *this, chunk_t key)
+METHOD(signer_t, set_key, void,
+	private_hmac_signer_t *this, chunk_t key)
 {
 	this->hmac->set_key(this->hmac, key);
 }
 
-/**
- * Implementation of signer_t.destroy.
- */
-static status_t destroy(private_hmac_signer_t *this)
+METHOD(signer_t, destroy, void,
+	private_hmac_signer_t *this)
 {
 	this->hmac->destroy(this->hmac);
 	free(this);
-	return SUCCESS;
 }
 
 /*
@@ -140,66 +122,76 @@ static status_t destroy(private_hmac_signer_t *this)
 hmac_signer_t *hmac_signer_create(integrity_algorithm_t algo)
 {
 	private_hmac_signer_t *this;
+	hmac_t *hmac;
 	size_t trunc;
-	hash_algorithm_t hash;
 
 	switch (algo)
 	{
 		case AUTH_HMAC_SHA1_96:
-			hash = HASH_SHA1;
+			hmac = hmac_create(HASH_SHA1);
 			trunc = 12;
 			break;
 		case AUTH_HMAC_SHA1_128:
-			hash = HASH_SHA1;
+			hmac = hmac_create(HASH_SHA1);
 			trunc = 16;
 			break;
 		case AUTH_HMAC_SHA1_160:
-			hash = HASH_SHA1;
+			hmac = hmac_create(HASH_SHA1);
 			trunc = 20;
 			break;
 		case AUTH_HMAC_MD5_96:
-			hash = HASH_MD5;
+			hmac = hmac_create(HASH_MD5);
 			trunc = 12;
 			break;
 		case AUTH_HMAC_MD5_128:
-			hash = HASH_MD5;
+			hmac = hmac_create(HASH_MD5);
 			trunc = 16;
 			break;
 		case AUTH_HMAC_SHA2_256_128:
-			hash = HASH_SHA256;
+			hmac = hmac_create(HASH_SHA256);
 			trunc = 16;
 			break;
 		case AUTH_HMAC_SHA2_384_192:
-			hash = HASH_SHA384;
+			hmac = hmac_create(HASH_SHA384);
 			trunc = 24;
 			break;
 		case AUTH_HMAC_SHA2_512_256:
-			hash = HASH_SHA512;
+			hmac = hmac_create(HASH_SHA512);
 			trunc = 32;
 			break;
+		case AUTH_HMAC_SHA2_256_256:
+			hmac = hmac_create(HASH_SHA256);
+			trunc = 32;
+			break;
+		case AUTH_HMAC_SHA2_384_384:
+			hmac = hmac_create(HASH_SHA384);
+			trunc = 48;
+			break;
 		default:
 			return NULL;
 	}
 
-	this = malloc_thing(private_hmac_signer_t);
-	this->hmac = hmac_create(hash);
-	if (this->hmac == NULL)
+	if (hmac == NULL)
 	{
-		free(this);
 		return NULL;
 	}
-	/* prevent invalid truncation */
-	this->block_size = min(trunc, this->hmac->get_block_size(this->hmac));
-
-	/* interface functions */
-	this->public.signer_interface.get_signature = (void (*) (signer_t*, chunk_t, u_int8_t*))get_signature;
-	this->public.signer_interface.allocate_signature = (void (*) (signer_t*, chunk_t, chunk_t*))allocate_signature;
-	this->public.signer_interface.verify_signature = (bool (*) (signer_t*, chunk_t, chunk_t))verify_signature;
-	this->public.signer_interface.get_key_size = (size_t (*) (signer_t*))get_key_size;
-	this->public.signer_interface.get_block_size = (size_t (*) (signer_t*))get_block_size;
-	this->public.signer_interface.set_key = (void (*) (signer_t*,chunk_t))set_key;
-	this->public.signer_interface.destroy = (void (*) (signer_t*))destroy;
-
-	return &(this->public);
+
+	INIT(this,
+		.public = {
+			.signer = {
+				.get_signature = _get_signature,
+				.allocate_signature = _allocate_signature,
+				.verify_signature = _verify_signature,
+				.get_key_size = _get_key_size,
+				.get_block_size = _get_block_size,
+				.set_key = _set_key,
+				.destroy = _destroy,
+			},
+		},
+		.block_size = min(trunc, hmac->get_block_size(hmac)),
+		.hmac = hmac,
+	);
+
+	return &this->public;
 }
 
diff --git a/src/libstrongswan/plugins/hmac/hmac_signer.h b/src/libstrongswan/plugins/hmac/hmac_signer.h
index 0de93440c..5e798683b 100644
--- a/src/libstrongswan/plugins/hmac/hmac_signer.h
+++ b/src/libstrongswan/plugins/hmac/hmac_signer.h
@@ -34,9 +34,9 @@ typedef struct hmac_signer_t hmac_signer_t;
 struct hmac_signer_t {
 
 	/**
-	 * generic signer_t interface for this signer
+	 * Implements signer_t interface.
 	 */
-	signer_t signer_interface;
+	signer_t signer;
 };
 
 /**
@@ -44,8 +44,7 @@ struct hmac_signer_t {
  *
  * HMAC signatures are often truncated to shorten them to a more usable, but
  * still secure enough length.
- * Block size must be equal or smaller then the hash algorithms
- * hash.
+ * Block size must be equal or smaller then the hash algorithms hash.
  *
  * @param algo		algorithm to implement
  * @return			hmac_signer_t, NULL if  not supported
diff --git a/src/libstrongswan/plugins/ldap/Makefile.in b/src/libstrongswan/plugins/ldap/Makefile.in
index b96fd5abf..65a135e76 100644
--- a/src/libstrongswan/plugins/ldap/Makefile.in
+++ b/src/libstrongswan/plugins/ldap/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -164,6 +165,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -195,14 +198,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -217,24 +223,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -242,7 +255,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libstrongswan/plugins/md4/Makefile.in b/src/libstrongswan/plugins/md4/Makefile.in
index 874ee07a2..a78dad97c 100644
--- a/src/libstrongswan/plugins/md4/Makefile.in
+++ b/src/libstrongswan/plugins/md4/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -164,6 +165,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -195,14 +198,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -217,24 +223,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -242,7 +255,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libstrongswan/plugins/md5/Makefile.in b/src/libstrongswan/plugins/md5/Makefile.in
index cc32bca88..6de400e8e 100644
--- a/src/libstrongswan/plugins/md5/Makefile.in
+++ b/src/libstrongswan/plugins/md5/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -164,6 +165,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -195,14 +198,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -217,24 +223,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -242,7 +255,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libstrongswan/plugins/mysql/Makefile.in b/src/libstrongswan/plugins/mysql/Makefile.in
index 83c1188b6..7d4d42c14 100644
--- a/src/libstrongswan/plugins/mysql/Makefile.in
+++ b/src/libstrongswan/plugins/mysql/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -166,6 +167,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -197,14 +200,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -219,24 +225,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -244,7 +257,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libstrongswan/plugins/openssl/Makefile.in b/src/libstrongswan/plugins/openssl/Makefile.in
index de9df7271..a32418b16 100644
--- a/src/libstrongswan/plugins/openssl/Makefile.in
+++ b/src/libstrongswan/plugins/openssl/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -171,6 +172,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -202,14 +205,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -224,24 +230,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -249,7 +262,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libstrongswan/plugins/openssl/openssl_crl.c b/src/libstrongswan/plugins/openssl/openssl_crl.c
index 5645d72d7..b9d97a901 100644
--- a/src/libstrongswan/plugins/openssl/openssl_crl.c
+++ b/src/libstrongswan/plugins/openssl/openssl_crl.c
@@ -416,10 +416,19 @@ static bool parse_authKeyIdentifier_ext(private_openssl_crl_t *this,
 static bool parse_crlNumber_ext(private_openssl_crl_t *this,
 								X509_EXTENSION *ext)
 {
-	free(this->serial.ptr);
-	this->serial = chunk_clone(
-						openssl_asn1_str2chunk(X509_EXTENSION_get_data(ext)));
-	return this->serial.len != 0;
+	chunk_t chunk;
+
+	chunk = openssl_asn1_str2chunk(X509_EXTENSION_get_data(ext));
+	/* quick and dirty INTEGER unwrap */
+	if (chunk.len > 1 && chunk.ptr[0] == V_ASN1_INTEGER &&
+		chunk.ptr[1] == chunk.len - 2)
+	{
+		chunk = chunk_skip(chunk, 2);
+		free(this->serial.ptr);
+		this->serial = chunk_clone(chunk);
+		return TRUE;
+	}
+	return FALSE;
 }
 
 /**
diff --git a/src/libstrongswan/plugins/openssl/openssl_crypter.c b/src/libstrongswan/plugins/openssl/openssl_crypter.c
index a8923ab56..2ed07ff0c 100644
--- a/src/libstrongswan/plugins/openssl/openssl_crypter.c
+++ b/src/libstrongswan/plugins/openssl/openssl_crypter.c
@@ -40,86 +40,58 @@ struct private_openssl_crypter_t {
 	const EVP_CIPHER *cipher;
 };
 
-/**
- * Mapping from the algorithms defined in IKEv2 to
- * OpenSSL algorithm names and their key length
- */
-typedef struct {
-	/**
-	 * Identifier specified in IKEv2
-	 */
-	int ikev2_id;
-
-	/**
-	 * Name of the algorithm, as used in OpenSSL
-	 */
-	char *name;
-
-	/**
-	 * Minimum valid key length in bytes
-	 */
-	size_t key_size_min;
-
-	/**
-	 * Maximum valid key length in bytes
-	 */
-	size_t key_size_max;
-} openssl_algorithm_t;
-
-#define END_OF_LIST -1
-
-/**
- * Algorithms for encryption
- */
-static openssl_algorithm_t encryption_algs[] = {
-/*	{ENCR_DES_IV64, 	"***", 			0,	0}, */
-	{ENCR_DES, 			"des",			8,	8},		/* 64 bits */
-	{ENCR_3DES, 		"des3",			24,	24},	/* 192 bits */
-	{ENCR_RC5, 			"rc5", 			5,	255},	/* 40 to 2040 bits, RFC 2451 */
-	{ENCR_IDEA, 		"idea",			16,	16},	/* 128 bits, RFC 2451 */
-	{ENCR_CAST, 		"cast",			5,	16},	/* 40 to 128 bits, RFC 2451 */
-	{ENCR_BLOWFISH, 	"blowfish",		5,	56},	/* 40 to 448 bits, RFC 2451 */
-/*	{ENCR_3IDEA, 		"***",			0,	0}, */
-/*	{ENCR_DES_IV32, 	"***",			0,	0}, */
-/*	{ENCR_NULL, 		"***",			0,	0}, */ /* handled separately */
-/*	{ENCR_AES_CBC, 		"***",			0,	0}, */ /* handled separately */
-/*	{ENCR_CAMELLIA_CBC,	"***",			0,	0}, */ /* handled separately */
-/*	{ENCR_AES_CTR, 		"***",			0,	0}, */ /* disabled in evp.h */
-	{END_OF_LIST, 		NULL,			0,	0},
-};
-
 /**
  * Look up an OpenSSL algorithm name and validate its key size
  */
-static char* lookup_algorithm(openssl_algorithm_t *openssl_algo,
-					   u_int16_t ikev2_algo, size_t *key_size)
+static char* lookup_algorithm(u_int16_t ikev2_algo, size_t *key_size)
 {
-	while (openssl_algo->ikev2_id != END_OF_LIST)
+	struct {
+		/* identifier specified in IKEv2 */
+		int ikev2_id;
+		/* name of the algorithm, as used in OpenSSL */
+		char *name;
+		/* default key size in bytes */
+		size_t key_def;
+		/* minimum key size */
+		size_t key_min;
+		/* maximum key size */
+		size_t key_max;
+	} mappings[] = {
+		{ENCR_DES, 			"des",			 8,		 8,		  8},
+		{ENCR_3DES, 		"des3",			24,		24,		 24},
+		{ENCR_RC5, 			"rc5", 			16,		 5,		255},
+		{ENCR_IDEA, 		"idea",			16,		16,		 16},
+		{ENCR_CAST, 		"cast",			16,		 5,		 16},
+		{ENCR_BLOWFISH, 	"blowfish",		16,		 5,		 56},
+	};
+	int i;
+
+	for (i = 0; i < countof(mappings); i++)
 	{
-		if (ikev2_algo == openssl_algo->ikev2_id)
+		if (ikev2_algo == mappings[i].ikev2_id)
 		{
 			/* set the key size if it is not set */
-			if (*key_size == 0 &&
-				(openssl_algo->key_size_min == openssl_algo->key_size_max))
+			if (*key_size == 0)
 			{
-				*key_size = openssl_algo->key_size_min;
+				*key_size = mappings[i].key_def;
 			}
-
 			/* validate key size */
-			if (*key_size < openssl_algo->key_size_min ||
-				*key_size > openssl_algo->key_size_max)
+			if (*key_size < mappings[i].key_min ||
+				*key_size > mappings[i].key_max)
 			{
 				return NULL;
 			}
-			return openssl_algo->name;
+			return mappings[i].name;
 		}
-		openssl_algo++;
 	}
 	return NULL;
 }
 
-static void crypt(private_openssl_crypter_t *this, chunk_t data,
-					chunk_t iv, chunk_t *dst, int enc)
+/**
+ * Do the actual en/decryption in an EVP context
+ */
+static void crypt(private_openssl_crypter_t *this, chunk_t data, chunk_t iv,
+				  chunk_t *dst, int enc)
 {
 	int len;
 	u_char *out;
@@ -141,53 +113,44 @@ static void crypt(private_openssl_crypter_t *this, chunk_t data,
 	EVP_CIPHER_CTX_cleanup(&ctx);
 }
 
-/**
- * Implementation of crypter_t.decrypt.
- */
-static void decrypt(private_openssl_crypter_t *this, chunk_t data,
-						chunk_t iv, chunk_t *dst)
+METHOD(crypter_t, decrypt, void,
+	private_openssl_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *dst)
 {
 	crypt(this, data, iv, dst, 0);
 }
 
-
-/**
- * Implementation of crypter_t.encrypt.
- */
-static void encrypt (private_openssl_crypter_t *this, chunk_t data,
-							chunk_t iv, chunk_t *dst)
+METHOD(crypter_t, encrypt, void,
+	private_openssl_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *dst)
 {
 	crypt(this, data, iv, dst, 1);
 }
 
-/**
- * Implementation of crypter_t.get_block_size.
- */
-static size_t get_block_size(private_openssl_crypter_t *this)
+METHOD(crypter_t, get_block_size, size_t,
+	private_openssl_crypter_t *this)
 {
 	return this->cipher->block_size;
 }
 
-/**
- * Implementation of crypter_t.get_key_size.
- */
-static size_t get_key_size(private_openssl_crypter_t *this)
+METHOD(crypter_t, get_iv_size, size_t,
+	private_openssl_crypter_t *this)
+{
+	return this->cipher->block_size;
+}
+
+METHOD(crypter_t, get_key_size, size_t,
+	private_openssl_crypter_t *this)
 {
 	return this->key.len;
 }
 
-/**
- * Implementation of crypter_t.set_key.
- */
-static void set_key(private_openssl_crypter_t *this, chunk_t key)
+METHOD(crypter_t, set_key, void,
+	private_openssl_crypter_t *this, chunk_t key)
 {
 	memcpy(this->key.ptr, key.ptr, min(key.len, this->key.len));
 }
 
-/**
- * Implementation of crypter_t.destroy.
- */
-static void destroy (private_openssl_crypter_t *this)
+METHOD(crypter_t, destroy, void,
+	private_openssl_crypter_t *this)
 {
 	free(this->key.ptr);
 	free(this);
@@ -201,16 +164,32 @@ openssl_crypter_t *openssl_crypter_create(encryption_algorithm_t algo,
 {
 	private_openssl_crypter_t *this;
 
-	this = malloc_thing(private_openssl_crypter_t);
+	INIT(this,
+		.public = {
+			.crypter = {
+				.encrypt = _encrypt,
+				.decrypt = _decrypt,
+				.get_block_size = _get_block_size,
+				.get_iv_size = _get_iv_size,
+				.get_key_size = _get_key_size,
+				.set_key = _set_key,
+				.destroy = _destroy,
+			},
+		},
+	);
 
 	switch (algo)
 	{
 		case ENCR_NULL:
 			this->cipher = EVP_enc_null();
+			key_size = 0;
 			break;
 		case ENCR_AES_CBC:
 			switch (key_size)
 			{
+				case 0:
+					key_size = 16;
+					/* FALL */
 				case 16:        /* AES 128 */
 					this->cipher = EVP_get_cipherbyname("aes128");
 					break;
@@ -228,6 +207,9 @@ openssl_crypter_t *openssl_crypter_create(encryption_algorithm_t algo,
 		case ENCR_CAMELLIA_CBC:
 			switch (key_size)
 			{
+				case 0:
+					key_size = 16;
+					/* FALL */
 				case 16:        /* CAMELLIA 128 */
 					this->cipher = EVP_get_cipherbyname("camellia128");
 					break;
@@ -243,11 +225,14 @@ openssl_crypter_t *openssl_crypter_create(encryption_algorithm_t algo,
 			}
 			break;
 		case ENCR_DES_ECB:
+			key_size = 8;
 			this->cipher = EVP_des_ecb();
 			break;
 		default:
 		{
-			char* name = lookup_algorithm(encryption_algs, algo, &key_size);
+			char* name;
+
+			name = lookup_algorithm(algo, &key_size);
 			if (!name)
 			{
 				/* algo unavailable or key_size invalid */
@@ -268,12 +253,5 @@ openssl_crypter_t *openssl_crypter_create(encryption_algorithm_t algo,
 
 	this->key = chunk_alloc(key_size);
 
-	this->public.crypter_interface.encrypt = (void (*) (crypter_t *, chunk_t,chunk_t, chunk_t *)) encrypt;
-	this->public.crypter_interface.decrypt = (void (*) (crypter_t *, chunk_t , chunk_t, chunk_t *)) decrypt;
-	this->public.crypter_interface.get_block_size = (size_t (*) (crypter_t *)) get_block_size;
-	this->public.crypter_interface.get_key_size = (size_t (*) (crypter_t *)) get_key_size;
-	this->public.crypter_interface.set_key = (void (*) (crypter_t *,chunk_t)) set_key;
-	this->public.crypter_interface.destroy = (void (*) (crypter_t *)) destroy;
-
 	return &this->public;
 }
diff --git a/src/libstrongswan/plugins/openssl/openssl_crypter.h b/src/libstrongswan/plugins/openssl/openssl_crypter.h
index 7e30ae03c..b12e7a6ab 100644
--- a/src/libstrongswan/plugins/openssl/openssl_crypter.h
+++ b/src/libstrongswan/plugins/openssl/openssl_crypter.h
@@ -31,9 +31,9 @@ typedef struct openssl_crypter_t openssl_crypter_t;
 struct openssl_crypter_t {
 
 	/**
-	 * The crypter_t interface.
+	 * Implements crypter_t interface.
 	 */
-	crypter_t crypter_interface;
+	crypter_t crypter;
 };
 
 /**
diff --git a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c
index 9a032c54f..b27aa3391 100644
--- a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c
+++ b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c
@@ -57,11 +57,8 @@ struct private_openssl_diffie_hellman_t {
 	bool computed;
 };
 
-/**
- * Implementation of openssl_diffie_hellman_t.get_my_public_value.
- */
-static void get_my_public_value(private_openssl_diffie_hellman_t *this,
-								chunk_t *value)
+METHOD(diffie_hellman_t, get_my_public_value, void,
+	private_openssl_diffie_hellman_t *this, chunk_t *value)
 {
 	*value = chunk_alloc(DH_size(this->dh));
 	memset(value->ptr, 0, value->len);
@@ -69,11 +66,8 @@ static void get_my_public_value(private_openssl_diffie_hellman_t *this,
 			  value->ptr + value->len - BN_num_bytes(this->dh->pub_key));
 }
 
-/**
- * Implementation of openssl_diffie_hellman_t.get_shared_secret.
- */
-static status_t get_shared_secret(private_openssl_diffie_hellman_t *this,
-								  chunk_t *secret)
+METHOD(diffie_hellman_t, get_shared_secret, status_t,
+	private_openssl_diffie_hellman_t *this, chunk_t *secret)
 {
 	if (!this->computed)
 	{
@@ -88,11 +82,8 @@ static status_t get_shared_secret(private_openssl_diffie_hellman_t *this,
 }
 
 
-/**
- * Implementation of openssl_diffie_hellman_t.set_other_public_value.
- */
-static void set_other_public_value(private_openssl_diffie_hellman_t *this,
-								   chunk_t value)
+METHOD(diffie_hellman_t, set_other_public_value, void,
+	private_openssl_diffie_hellman_t *this, chunk_t value)
 {
 	int len;
 
@@ -110,10 +101,8 @@ static void set_other_public_value(private_openssl_diffie_hellman_t *this,
 	this->computed = TRUE;
 }
 
-/**
- * Implementation of openssl_diffie_hellman_t.get_dh_group.
- */
-static diffie_hellman_group_t get_dh_group(private_openssl_diffie_hellman_t *this)
+METHOD(diffie_hellman_t, get_dh_group, diffie_hellman_group_t,
+	private_openssl_diffie_hellman_t *this)
 {
 	return this->group;
 }
@@ -137,10 +126,8 @@ static status_t set_modulus(private_openssl_diffie_hellman_t *this)
 	return SUCCESS;
 }
 
-/**
- * Implementation of openssl_diffie_hellman_t.destroy.
- */
-static void destroy(private_openssl_diffie_hellman_t *this)
+METHOD(diffie_hellman_t, destroy, void,
+	private_openssl_diffie_hellman_t *this)
 {
 	BN_clear_free(this->pub_key);
 	DH_free(this->dh);
@@ -151,15 +138,22 @@ static void destroy(private_openssl_diffie_hellman_t *this)
 /*
  * Described in header.
  */
-openssl_diffie_hellman_t *openssl_diffie_hellman_create(diffie_hellman_group_t group)
+openssl_diffie_hellman_t *openssl_diffie_hellman_create(
+							diffie_hellman_group_t group, chunk_t g, chunk_t p)
 {
-	private_openssl_diffie_hellman_t *this = malloc_thing(private_openssl_diffie_hellman_t);
-
-	this->public.dh.get_shared_secret = (status_t (*)(diffie_hellman_t *, chunk_t *)) get_shared_secret;
-	this->public.dh.set_other_public_value = (void (*)(diffie_hellman_t *, chunk_t )) set_other_public_value;
-	this->public.dh.get_my_public_value = (void (*)(diffie_hellman_t *, chunk_t *)) get_my_public_value;
-	this->public.dh.get_dh_group = (diffie_hellman_group_t (*)(diffie_hellman_t *)) get_dh_group;
-	this->public.dh.destroy = (void (*)(diffie_hellman_t *)) destroy;
+	private_openssl_diffie_hellman_t *this;
+
+	INIT(this,
+		.public = {
+			.dh = {
+				.get_shared_secret = _get_shared_secret,
+				.set_other_public_value = _set_other_public_value,
+				.get_my_public_value = _get_my_public_value,
+				.get_dh_group = _get_dh_group,
+				.destroy = _destroy,
+			},
+		},
+	);
 
 	this->dh = DH_new();
 	if (!this->dh)
@@ -173,11 +167,19 @@ openssl_diffie_hellman_t *openssl_diffie_hellman_create(diffie_hellman_group_t g
 	this->pub_key = BN_new();
 	this->shared_secret = chunk_empty;
 
-	/* find a modulus according to group */
-	if (set_modulus(this) != SUCCESS)
+	if (group == MODP_CUSTOM)
 	{
-		destroy(this);
-		return NULL;
+		this->dh->p = BN_bin2bn(p.ptr, p.len, NULL);
+		this->dh->g = BN_bin2bn(g.ptr, g.len, NULL);
+	}
+	else
+	{
+		/* find a modulus according to group */
+		if (set_modulus(this) != SUCCESS)
+		{
+			destroy(this);
+			return NULL;
+		}
 	}
 
 	/* generate my public and private values */
diff --git a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.h b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.h
index 6c4b4fe81..53dc59c78 100644
--- a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.h
+++ b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.h
@@ -40,9 +40,12 @@ struct openssl_diffie_hellman_t {
  * Creates a new openssl_diffie_hellman_t object.
  *
  * @param group			Diffie Hellman group number to use
+ * @param g				custom generator, if MODP_CUSTOM
+ * @param p				custom prime, if MODP_CUSTOM
  * @return				openssl_diffie_hellman_t object, NULL if not supported
  */
-openssl_diffie_hellman_t *openssl_diffie_hellman_create(diffie_hellman_group_t group);
+openssl_diffie_hellman_t *openssl_diffie_hellman_create(
+							diffie_hellman_group_t group, chunk_t g, chunk_t p);
 
 #endif /** OPENSSL_DIFFIE_HELLMAN_H_ @}*/
 
diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
index a53e8aea0..32fc2bccd 100644
--- a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
+++ b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
@@ -165,7 +165,8 @@ error:
  *   of the Diffie-Hellman shared secret value is the same as that of the
  *   Diffie-Hellman public value."
  */
-static bool compute_shared_key(private_openssl_ec_diffie_hellman_t *this, chunk_t *shared_secret)
+static bool compute_shared_key(private_openssl_ec_diffie_hellman_t *this,
+							   chunk_t *shared_secret)
 {
 	const BIGNUM *priv_key;
 	EC_POINT *secret = NULL;
@@ -209,10 +210,8 @@ error:
 	return ret;
 }
 
-/**
- * Implementation of openssl_ec_diffie_hellman_t.set_other_public_value.
- */
-static void set_other_public_value(private_openssl_ec_diffie_hellman_t *this, chunk_t value)
+METHOD(diffie_hellman_t, set_other_public_value, void,
+	private_openssl_ec_diffie_hellman_t *this, chunk_t value)
 {
 	if (!chunk2ecp(this->ec_group, value, this->pub_key))
 	{
@@ -230,18 +229,14 @@ static void set_other_public_value(private_openssl_ec_diffie_hellman_t *this, ch
 	this->computed = TRUE;
 }
 
-/**
- * Implementation of openssl_ec_diffie_hellman_t.get_my_public_value.
- */
-static void get_my_public_value(private_openssl_ec_diffie_hellman_t *this,chunk_t *value)
+METHOD(diffie_hellman_t, get_my_public_value, void,
+	private_openssl_ec_diffie_hellman_t *this,chunk_t *value)
 {
 	ecp2chunk(this->ec_group, EC_KEY_get0_public_key(this->key), value, FALSE);
 }
 
-/**
- * Implementation of openssl_ec_diffie_hellman_t.get_shared_secret.
- */
-static status_t get_shared_secret(private_openssl_ec_diffie_hellman_t *this, chunk_t *secret)
+METHOD(diffie_hellman_t, get_shared_secret, status_t,
+	private_openssl_ec_diffie_hellman_t *this, chunk_t *secret)
 {
 	if (!this->computed)
 	{
@@ -251,18 +246,14 @@ static status_t get_shared_secret(private_openssl_ec_diffie_hellman_t *this, chu
 	return SUCCESS;
 }
 
-/**
- * Implementation of openssl_ec_diffie_hellman_t.get_dh_group.
- */
-static diffie_hellman_group_t get_dh_group(private_openssl_ec_diffie_hellman_t *this)
+METHOD(diffie_hellman_t, get_dh_group, diffie_hellman_group_t,
+	private_openssl_ec_diffie_hellman_t *this)
 {
 	return this->group;
 }
 
-/**
- * Implementation of openssl_ec_diffie_hellman_t.destroy.
- */
-static void destroy(private_openssl_ec_diffie_hellman_t *this)
+METHOD(diffie_hellman_t, destroy, void,
+	private_openssl_ec_diffie_hellman_t *this)
 {
 	EC_POINT_clear_free(this->pub_key);
 	EC_KEY_free(this->key);
@@ -275,13 +266,20 @@ static void destroy(private_openssl_ec_diffie_hellman_t *this)
  */
 openssl_ec_diffie_hellman_t *openssl_ec_diffie_hellman_create(diffie_hellman_group_t group)
 {
-	private_openssl_ec_diffie_hellman_t *this = malloc_thing(private_openssl_ec_diffie_hellman_t);
-
-	this->public.dh.get_shared_secret = (status_t (*)(diffie_hellman_t *, chunk_t *)) get_shared_secret;
-	this->public.dh.set_other_public_value = (void (*)(diffie_hellman_t *, chunk_t )) set_other_public_value;
-	this->public.dh.get_my_public_value = (void (*)(diffie_hellman_t *, chunk_t *)) get_my_public_value;
-	this->public.dh.get_dh_group = (diffie_hellman_group_t (*)(diffie_hellman_t *)) get_dh_group;
-	this->public.dh.destroy = (void (*)(diffie_hellman_t *)) destroy;
+	private_openssl_ec_diffie_hellman_t *this;
+
+	INIT(this,
+		.public = {
+			.dh = {
+				.get_shared_secret = _get_shared_secret,
+				.set_other_public_value = _set_other_public_value,
+				.get_my_public_value = _get_my_public_value,
+				.get_dh_group = _get_dh_group,
+				.destroy = _destroy,
+			},
+		},
+		.group = group,
+	);
 
 	switch (group)
 	{
@@ -328,11 +326,6 @@ openssl_ec_diffie_hellman_t *openssl_ec_diffie_hellman_create(diffie_hellman_gro
 		return NULL;
 	}
 
-	this->group = group;
-	this->computed = FALSE;
-
-	this->shared_secret = chunk_empty;
-
 	return &this->public;
 }
 #endif /* OPENSSL_NO_EC */
diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c b/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c
index 281155913..f4c4759bf 100644
--- a/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c
@@ -138,11 +138,9 @@ static bool build_der_signature(private_openssl_ec_private_key_t *this,
 	return built;
 }
 
-/**
- * Implementation of private_key_t.sign.
- */
-static bool sign(private_openssl_ec_private_key_t *this,
-				 signature_scheme_t scheme, chunk_t data, chunk_t *signature)
+METHOD(private_key_t, sign, bool,
+	private_openssl_ec_private_key_t *this, signature_scheme_t scheme,
+	chunk_t data, chunk_t *signature)
 {
 	switch (scheme)
 	{
@@ -172,36 +170,38 @@ static bool sign(private_openssl_ec_private_key_t *this,
 	}
 }
 
-/**
- * Implementation of private_key_t.destroy.
- */
-static bool decrypt(private_openssl_ec_private_key_t *this,
-					chunk_t crypto, chunk_t *plain)
+METHOD(private_key_t, decrypt, bool,
+	private_openssl_ec_private_key_t *this, encryption_scheme_t scheme,
+	chunk_t crypto, chunk_t *plain)
 {
 	DBG1(DBG_LIB, "EC private key decryption not implemented");
 	return FALSE;
 }
 
-/**
- * Implementation of private_key_t.get_keysize.
- */
-static size_t get_keysize(private_openssl_ec_private_key_t *this)
+METHOD(private_key_t, get_keysize, int,
+	private_openssl_ec_private_key_t *this)
 {
-	return EC_FIELD_ELEMENT_LEN(EC_KEY_get0_group(this->ec));
+	switch (EC_GROUP_get_curve_name(EC_KEY_get0_group(this->ec)))
+	{
+		case NID_X9_62_prime256v1:
+			return 256;
+		case NID_secp384r1:
+			return 384;
+		case NID_secp521r1:
+			return 521;
+		default:
+			return 0;
+	}
 }
 
-/**
- * Implementation of private_key_t.get_type.
- */
-static key_type_t get_type(private_openssl_ec_private_key_t *this)
+METHOD(private_key_t, get_type, key_type_t,
+	private_openssl_ec_private_key_t *this)
 {
 	return KEY_ECDSA;
 }
 
-/**
- * Implementation of private_key_t.get_public_key.
- */
-static public_key_t* get_public_key(private_openssl_ec_private_key_t *this)
+METHOD(private_key_t, get_public_key, public_key_t*,
+	private_openssl_ec_private_key_t *this)
 {
 	public_key_t *public;
 	chunk_t key;
@@ -217,20 +217,16 @@ static public_key_t* get_public_key(private_openssl_ec_private_key_t *this)
 	return public;
 }
 
-/**
- * Implementation of private_key_t.get_fingerprint.
- */
-static bool get_fingerprint(private_openssl_ec_private_key_t *this,
-							cred_encoding_type_t type, chunk_t *fingerprint)
+METHOD(private_key_t, get_fingerprint, bool,
+	private_openssl_ec_private_key_t *this, cred_encoding_type_t type,
+	chunk_t *fingerprint)
 {
 	return openssl_ec_fingerprint(this->ec, type, fingerprint);
 }
 
-/**
- * Implementation of private_key_t.get_encoding.
- */
-static bool get_encoding(private_openssl_ec_private_key_t *this,
-						 cred_encoding_type_t type, chunk_t *encoding)
+METHOD(private_key_t, get_encoding, bool,
+	private_openssl_ec_private_key_t *this, cred_encoding_type_t type,
+	chunk_t *encoding)
 {
 	u_char *p;
 
@@ -261,19 +257,15 @@ static bool get_encoding(private_openssl_ec_private_key_t *this,
 	}
 }
 
-/**
- * Implementation of private_key_t.get_ref.
- */
-static private_key_t* get_ref(private_openssl_ec_private_key_t *this)
+METHOD(private_key_t, get_ref, private_key_t*,
+	private_openssl_ec_private_key_t *this)
 {
 	ref_get(&this->ref);
-	return &this->public.interface;
+	return &this->public.key;
 }
 
-/**
- * Implementation of private_key_t.destroy.
- */
-static void destroy(private_openssl_ec_private_key_t *this)
+METHOD(private_key_t, destroy, void,
+	private_openssl_ec_private_key_t *this)
 {
 	if (ref_put(&this->ref))
 	{
@@ -291,23 +283,27 @@ static void destroy(private_openssl_ec_private_key_t *this)
  */
 static private_openssl_ec_private_key_t *create_empty(void)
 {
-	private_openssl_ec_private_key_t *this = malloc_thing(private_openssl_ec_private_key_t);
-
-	this->public.interface.get_type = (key_type_t (*)(private_key_t *this))get_type;
-	this->public.interface.sign = (bool (*)(private_key_t *this, signature_scheme_t scheme, chunk_t data, chunk_t *signature))sign;
-	this->public.interface.decrypt = (bool (*)(private_key_t *this, chunk_t crypto, chunk_t *plain))decrypt;
-	this->public.interface.get_keysize = (size_t (*) (private_key_t *this))get_keysize;
-	this->public.interface.get_public_key = (public_key_t* (*)(private_key_t *this))get_public_key;
-	this->public.interface.equals = private_key_equals;
-	this->public.interface.belongs_to = private_key_belongs_to;
-	this->public.interface.get_fingerprint = (bool(*)(private_key_t*, cred_encoding_type_t type, chunk_t *fp))get_fingerprint;
-	this->public.interface.has_fingerprint = (bool(*)(private_key_t*, chunk_t fp))private_key_has_fingerprint;
-	this->public.interface.get_encoding = (bool(*)(private_key_t*, cred_encoding_type_t type, chunk_t *encoding))get_encoding;
-	this->public.interface.get_ref = (private_key_t* (*)(private_key_t *this))get_ref;
-	this->public.interface.destroy = (void (*)(private_key_t *this))destroy;
-
-	this->ec = NULL;
-	this->ref = 1;
+	private_openssl_ec_private_key_t *this;
+
+	INIT(this,
+		.public = {
+			.key = {
+				.get_type = _get_type,
+				.sign = _sign,
+				.decrypt = _decrypt,
+				.get_keysize = _get_keysize,
+				.get_public_key = _get_public_key,
+				.equals = private_key_equals,
+				.belongs_to = private_key_belongs_to,
+				.get_fingerprint = _get_fingerprint,
+				.has_fingerprint = private_key_has_fingerprint,
+				.get_encoding = _get_encoding,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+		},
+		.ref = 1,
+	);
 
 	return this;
 }
diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_private_key.h b/src/libstrongswan/plugins/openssl/openssl_ec_private_key.h
index 720c63f90..f56c95aa1 100644
--- a/src/libstrongswan/plugins/openssl/openssl_ec_private_key.h
+++ b/src/libstrongswan/plugins/openssl/openssl_ec_private_key.h
@@ -34,7 +34,7 @@ struct openssl_ec_private_key_t {
 	/**
 	 * Implements private_key_t interface
 	 */
-	private_key_t interface;
+	private_key_t key;
 };
 
 /**
diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c b/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c
index def36c92f..7461695ad 100644
--- a/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c
@@ -130,19 +130,15 @@ static bool verify_der_signature(private_openssl_ec_public_key_t *this,
 	return valid;
 }
 
-/**
- * Implementation of public_key_t.get_type.
- */
-static key_type_t get_type(private_openssl_ec_public_key_t *this)
+METHOD(public_key_t, get_type, key_type_t,
+	private_openssl_ec_public_key_t *this)
 {
 	return KEY_ECDSA;
 }
 
-/**
- * Implementation of public_key_t.verify.
- */
-static bool verify(private_openssl_ec_public_key_t *this,
-				   signature_scheme_t scheme, chunk_t data, chunk_t signature)
+METHOD(public_key_t, verify, bool,
+	private_openssl_ec_public_key_t *this, signature_scheme_t scheme,
+	chunk_t data, chunk_t signature)
 {
 	switch (scheme)
 	{
@@ -172,22 +168,28 @@ static bool verify(private_openssl_ec_public_key_t *this,
 	}
 }
 
-/**
- * Implementation of public_key_t.get_keysize.
- */
-static bool encrypt_(private_openssl_ec_public_key_t *this,
-					 chunk_t crypto, chunk_t *plain)
+METHOD(public_key_t, encrypt, bool,
+	private_openssl_ec_public_key_t *this, encryption_scheme_t scheme,
+	chunk_t crypto, chunk_t *plain)
 {
 	DBG1(DBG_LIB, "EC public key encryption not implemented");
 	return FALSE;
 }
 
-/**
- * Implementation of public_key_t.get_keysize.
- */
-static size_t get_keysize(private_openssl_ec_public_key_t *this)
+METHOD(public_key_t, get_keysize, int,
+	private_openssl_ec_public_key_t *this)
 {
-	return EC_FIELD_ELEMENT_LEN(EC_KEY_get0_group(this->ec));
+	switch (EC_GROUP_get_curve_name(EC_KEY_get0_group(this->ec)))
+	{
+		case NID_X9_62_prime256v1:
+			return 256;
+		case NID_secp384r1:
+			return 384;
+		case NID_secp521r1:
+			return 521;
+		default:
+			return 0;
+	}
 }
 
 /**
@@ -232,20 +234,16 @@ bool openssl_ec_fingerprint(EC_KEY *ec, cred_encoding_type_t type, chunk_t *fp)
 	return TRUE;
 }
 
-/**
- * Implementation of private_key_t.get_fingerprint.
- */
-static bool get_fingerprint(private_openssl_ec_public_key_t *this,
-							cred_encoding_type_t type, chunk_t *fingerprint)
+METHOD(public_key_t, get_fingerprint, bool,
+	private_openssl_ec_public_key_t *this, cred_encoding_type_t type,
+	chunk_t *fingerprint)
 {
 	return openssl_ec_fingerprint(this->ec, type, fingerprint);
 }
 
-/**
- * Implementation of private_key_t.get_encoding.
- */
-static bool get_encoding(private_openssl_ec_public_key_t *this,
-						 cred_encoding_type_t type, chunk_t *encoding)
+METHOD(public_key_t, get_encoding, bool,
+	private_openssl_ec_public_key_t *this, cred_encoding_type_t type,
+	chunk_t *encoding)
 {
 	u_char *p;
 
@@ -276,19 +274,15 @@ static bool get_encoding(private_openssl_ec_public_key_t *this,
 	}
 }
 
-/**
- * Implementation of public_key_t.get_ref.
- */
-static public_key_t* get_ref(private_openssl_ec_public_key_t *this)
+METHOD(public_key_t, get_ref, public_key_t*,
+	private_openssl_ec_public_key_t *this)
 {
 	ref_get(&this->ref);
-	return &this->public.interface;
+	return &this->public.key;
 }
 
-/**
- * Implementation of openssl_ec_public_key.destroy.
- */
-static void destroy(private_openssl_ec_public_key_t *this)
+METHOD(public_key_t, destroy, void,
+	private_openssl_ec_public_key_t *this)
 {
 	if (ref_put(&this->ref))
 	{
@@ -306,21 +300,25 @@ static void destroy(private_openssl_ec_public_key_t *this)
  */
 static private_openssl_ec_public_key_t *create_empty()
 {
-	private_openssl_ec_public_key_t *this = malloc_thing(private_openssl_ec_public_key_t);
-
-	this->public.interface.get_type = (key_type_t (*)(public_key_t *this))get_type;
-	this->public.interface.verify = (bool (*)(public_key_t *this, signature_scheme_t scheme, chunk_t data, chunk_t signature))verify;
-	this->public.interface.encrypt = (bool (*)(public_key_t *this, chunk_t crypto, chunk_t *plain))encrypt_;
-	this->public.interface.get_keysize = (size_t (*) (public_key_t *this))get_keysize;
-	this->public.interface.equals = public_key_equals;
-	this->public.interface.get_fingerprint = (bool(*)(public_key_t*, cred_encoding_type_t type, chunk_t *fp))get_fingerprint;
-	this->public.interface.has_fingerprint = (bool(*)(public_key_t*, chunk_t fp))public_key_has_fingerprint;
-	this->public.interface.get_encoding = (bool(*)(public_key_t*, cred_encoding_type_t type, chunk_t *encoding))get_encoding;
-	this->public.interface.get_ref = (public_key_t* (*)(public_key_t *this))get_ref;
-	this->public.interface.destroy = (void (*)(public_key_t *this))destroy;
-
-	this->ec = NULL;
-	this->ref = 1;
+	private_openssl_ec_public_key_t *this;
+
+	INIT(this,
+		.public = {
+			.key = {
+				.get_type = _get_type,
+				.verify = _verify,
+				.encrypt = _encrypt,
+				.get_keysize = _get_keysize,
+				.equals = public_key_equals,
+				.get_fingerprint = _get_fingerprint,
+				.has_fingerprint = public_key_has_fingerprint,
+				.get_encoding = _get_encoding,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+		},
+		.ref = 1,
+	);
 
 	return this;
 }
diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_public_key.h b/src/libstrongswan/plugins/openssl/openssl_ec_public_key.h
index 29d607d38..8094083a7 100644
--- a/src/libstrongswan/plugins/openssl/openssl_ec_public_key.h
+++ b/src/libstrongswan/plugins/openssl/openssl_ec_public_key.h
@@ -34,7 +34,7 @@ struct openssl_ec_public_key_t {
 	/**
 	 * Implements the public_key_t interface
 	 */
-	public_key_t interface;
+	public_key_t key;
 };
 
 /**
diff --git a/src/libstrongswan/plugins/openssl/openssl_hasher.c b/src/libstrongswan/plugins/openssl/openssl_hasher.c
index 7556bc594..d81f4b21e 100644
--- a/src/libstrongswan/plugins/openssl/openssl_hasher.c
+++ b/src/libstrongswan/plugins/openssl/openssl_hasher.c
@@ -90,27 +90,20 @@ static char* lookup_algorithm(openssl_algorithm_t *openssl_algo,
 	return NULL;
 }
 
-/**
- * Implementation of hasher_t.get_hash_size.
- */
-static size_t get_hash_size(private_openssl_hasher_t *this)
+METHOD(hasher_t, get_hash_size, size_t,
+	private_openssl_hasher_t *this)
 {
 	return this->hasher->md_size;
 }
 
-/**
- * Implementation of hasher_t.reset.
- */
-static void reset(private_openssl_hasher_t *this)
+METHOD(hasher_t, reset, void,
+	private_openssl_hasher_t *this)
 {
 	EVP_DigestInit_ex(this->ctx, this->hasher, NULL);
 }
 
-/**
- * Implementation of hasher_t.get_hash.
- */
-static void get_hash(private_openssl_hasher_t *this, chunk_t chunk,
-					 u_int8_t *hash)
+METHOD(hasher_t, get_hash, void,
+	private_openssl_hasher_t *this, chunk_t chunk, u_int8_t *hash)
 {
 	EVP_DigestUpdate(this->ctx, chunk.ptr, chunk.len);
 	if (hash)
@@ -120,11 +113,8 @@ static void get_hash(private_openssl_hasher_t *this, chunk_t chunk,
 	}
 }
 
-/**
- * Implementation of hasher_t.allocate_hash.
- */
-static void allocate_hash(private_openssl_hasher_t *this, chunk_t chunk,
-						  chunk_t *hash)
+METHOD(hasher_t, allocate_hash, void,
+	private_openssl_hasher_t *this, chunk_t chunk, chunk_t *hash)
 {
 	if (hash)
 	{
@@ -137,10 +127,8 @@ static void allocate_hash(private_openssl_hasher_t *this, chunk_t chunk,
 	}
 }
 
-/**
- * Implementation of hasher_t.destroy.
- */
-static void destroy (private_openssl_hasher_t *this)
+METHOD(hasher_t, destroy, void,
+	private_openssl_hasher_t *this)
 {
 	EVP_MD_CTX_destroy(this->ctx);
 	free(this);
@@ -160,7 +148,17 @@ openssl_hasher_t *openssl_hasher_create(hash_algorithm_t algo)
 		return NULL;
 	}
 
-	this = malloc_thing(private_openssl_hasher_t);
+	INIT(this,
+		.public = {
+			.hasher = {
+				.get_hash = _get_hash,
+				.allocate_hash = _allocate_hash,
+				.get_hash_size = _get_hash_size,
+				.reset = _reset,
+				.destroy = _destroy,
+			},
+		},
+	);
 
 	this->hasher = EVP_get_digestbyname(name);
 	if (!this->hasher)
@@ -170,12 +168,6 @@ openssl_hasher_t *openssl_hasher_create(hash_algorithm_t algo)
 		return NULL;
 	}
 
-	this->public.hasher_interface.get_hash = (void (*) (hasher_t*, chunk_t, u_int8_t*))get_hash;
-	this->public.hasher_interface.allocate_hash = (void (*) (hasher_t*, chunk_t, chunk_t*))allocate_hash;
-	this->public.hasher_interface.get_hash_size = (size_t (*) (hasher_t*))get_hash_size;
-	this->public.hasher_interface.reset = (void (*) (hasher_t*))reset;
-	this->public.hasher_interface.destroy = (void (*) (hasher_t*))destroy;
-
 	this->ctx = EVP_MD_CTX_create();
 
 	/* initialization */
diff --git a/src/libstrongswan/plugins/openssl/openssl_hasher.h b/src/libstrongswan/plugins/openssl/openssl_hasher.h
index fd7a043d1..b03f6891b 100644
--- a/src/libstrongswan/plugins/openssl/openssl_hasher.h
+++ b/src/libstrongswan/plugins/openssl/openssl_hasher.h
@@ -31,9 +31,9 @@ typedef struct openssl_hasher_t openssl_hasher_t;
 struct openssl_hasher_t {
 
 	/**
-	 * The hasher_t interface.
+	 * Implements hasher_t interface.
 	 */
-	hasher_t hasher_interface;
+	hasher_t hasher;
 };
 
 /**
diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c
index 31697dcb8..0ab4eda9c 100644
--- a/src/libstrongswan/plugins/openssl/openssl_plugin.c
+++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c
@@ -16,6 +16,7 @@
 
 #include <openssl/evp.h>
 #include <openssl/conf.h>
+#include <openssl/rand.h>
 #include <openssl/crypto.h>
 #ifndef OPENSSL_NO_ENGINE
 #include <openssl/engine.h>
@@ -24,6 +25,7 @@
 #include "openssl_plugin.h"
 
 #include <library.h>
+#include <debug.h>
 #include <threading/thread.h>
 #include <threading/mutex.h>
 #include "openssl_util.h"
@@ -150,6 +152,31 @@ static void threading_init()
 	}
 }
 
+/**
+ * Seed the OpenSSL RNG, if required
+ */
+static bool seed_rng()
+{
+	rng_t *rng = NULL;
+	char buf[32];
+
+	while (RAND_status() != 1)
+	{
+		if (!rng)
+		{
+			rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
+			if (!rng)
+			{
+				return FALSE;
+			}
+		}
+		rng->get_bytes(rng, sizeof(buf), buf);
+		RAND_seed(buf, sizeof(buf));
+	}
+	DESTROY_IF(rng);
+	return TRUE;
+}
+
 /**
  * cleanup OpenSSL threading locks
  */
@@ -166,10 +193,8 @@ static void threading_cleanup()
 	mutex = NULL;
 }
 
-/**
- * Implementation of openssl_plugin_t.destroy
- */
-static void destroy(private_openssl_plugin_t *this)
+METHOD(plugin_t, destroy, void,
+	private_openssl_plugin_t *this)
 {
 	lib->crypto->remove_crypter(lib->crypto,
 					(crypter_constructor_t)openssl_crypter_create);
@@ -218,9 +243,15 @@ static void destroy(private_openssl_plugin_t *this)
  */
 plugin_t *openssl_plugin_create()
 {
-	private_openssl_plugin_t *this = malloc_thing(private_openssl_plugin_t);
+	private_openssl_plugin_t *this;
 
-	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+	INIT(this,
+		.public = {
+			.plugin = {
+				.destroy = _destroy,
+			},
+		},
+	);
 
 	threading_init();
 
@@ -233,6 +264,13 @@ plugin_t *openssl_plugin_create()
 	ENGINE_register_all_complete();
 #endif /* OPENSSL_NO_ENGINE */
 
+	if (!seed_rng())
+	{
+		DBG1(DBG_CFG, "no RNG found to seed OpenSSL");
+		destroy(this);
+		return NULL;
+	}
+
 	/* crypter */
 	lib->crypto->add_crypter(lib->crypto, ENCR_AES_CBC,
 					(crypter_constructor_t)openssl_crypter_create);
@@ -312,33 +350,35 @@ plugin_t *openssl_plugin_create()
 						(dh_constructor_t)openssl_diffie_hellman_create);
 	lib->crypto->add_dh(lib->crypto, MODP_768_BIT,
 						(dh_constructor_t)openssl_diffie_hellman_create);
+	lib->crypto->add_dh(lib->crypto, MODP_CUSTOM,
+						(dh_constructor_t)openssl_diffie_hellman_create);
 
 	/* rsa */
-	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, TRUE,
 					(builder_function_t)openssl_rsa_private_key_load);
-	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, FALSE,
 					(builder_function_t)openssl_rsa_private_key_gen);
-	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_ANY, FALSE,
 					(builder_function_t)openssl_rsa_private_key_connect);
-	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
+	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_RSA, TRUE,
 					(builder_function_t)openssl_rsa_public_key_load);
-	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_ANY,
+	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_ANY, FALSE,
 					(builder_function_t)openssl_rsa_public_key_load);
 
 #ifndef OPENSSL_NO_EC
 	/* ecdsa */
-	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_ECDSA,
+	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_ECDSA, TRUE,
 					(builder_function_t)openssl_ec_private_key_load);
-	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_ECDSA,
+	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_ECDSA, FALSE,
 					(builder_function_t)openssl_ec_private_key_gen);
-	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_ECDSA,
+	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_ECDSA, TRUE,
 					(builder_function_t)openssl_ec_public_key_load);
 #endif /* OPENSSL_NO_EC */
 
 	/* X509 certificates */
-	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509,
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509, TRUE,
 					(builder_function_t)openssl_x509_load);
-	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL,
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL, TRUE,
 					(builder_function_t)openssl_crl_load);
 
 	return &this->public.plugin;
diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
index 5817ade9e..0b607c386 100644
--- a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
@@ -131,19 +131,16 @@ error:
 	return success;
 }
 
-/**
- * Implementation of openssl_rsa_private_key.get_type.
- */
-static key_type_t get_type(private_openssl_rsa_private_key_t *this)
+
+METHOD(private_key_t, get_type, key_type_t,
+	private_openssl_rsa_private_key_t *this)
 {
 	return KEY_RSA;
 }
 
-/**
- * Implementation of openssl_rsa_private_key.sign.
- */
-static bool sign(private_openssl_rsa_private_key_t *this, signature_scheme_t scheme,
-				 chunk_t data, chunk_t *signature)
+METHOD(private_key_t, sign, bool,
+	private_openssl_rsa_private_key_t *this, signature_scheme_t scheme,
+	chunk_t data, chunk_t *signature)
 {
 	switch (scheme)
 	{
@@ -168,28 +165,47 @@ static bool sign(private_openssl_rsa_private_key_t *this, signature_scheme_t sch
 	}
 }
 
-/**
- * Implementation of openssl_rsa_private_key.decrypt.
- */
-static bool decrypt(private_openssl_rsa_private_key_t *this,
-					chunk_t crypto, chunk_t *plain)
+METHOD(private_key_t, decrypt, bool,
+	private_openssl_rsa_private_key_t *this, encryption_scheme_t scheme,
+	chunk_t crypto, chunk_t *plain)
 {
-	DBG1(DBG_LIB, "RSA private key decryption not implemented");
-	return FALSE;
+	int padding, len;
+	char *decrypted;
+
+	switch (scheme)
+	{
+		case ENCRYPT_RSA_PKCS1:
+			padding = RSA_PKCS1_PADDING;
+			break;
+		case ENCRYPT_RSA_OAEP_SHA1:
+			padding = RSA_PKCS1_OAEP_PADDING;
+			break;
+		default:
+			DBG1(DBG_LIB, "encryption scheme %N not supported via openssl",
+				 encryption_scheme_names, scheme);
+			return FALSE;
+	}
+	decrypted = malloc(RSA_size(this->rsa));
+	len = RSA_private_decrypt(crypto.len, crypto.ptr, decrypted,
+							  this->rsa, padding);
+	if (len < 0)
+	{
+		DBG1(DBG_LIB, "RSA decryption failed");
+		free(decrypted);
+		return FALSE;
+	}
+	*plain = chunk_create(decrypted, len);
+	return TRUE;
 }
 
-/**
- * Implementation of openssl_rsa_private_key.get_keysize.
- */
-static size_t get_keysize(private_openssl_rsa_private_key_t *this)
+METHOD(private_key_t, get_keysize, int,
+	private_openssl_rsa_private_key_t *this)
 {
-	return RSA_size(this->rsa);
+	return RSA_size(this->rsa) * 8;
 }
 
-/**
- * Implementation of openssl_rsa_private_key.get_public_key.
- */
-static public_key_t* get_public_key(private_openssl_rsa_private_key_t *this)
+METHOD(private_key_t, get_public_key, public_key_t*,
+	private_openssl_rsa_private_key_t *this)
 {
 	chunk_t enc;
 	public_key_t *key;
@@ -204,20 +220,16 @@ static public_key_t* get_public_key(private_openssl_rsa_private_key_t *this)
 	return key;
 }
 
-/**
- * Implementation of public_key_t.get_fingerprint.
- */
-static bool get_fingerprint(private_openssl_rsa_private_key_t *this,
-							cred_encoding_type_t type, chunk_t *fingerprint)
+METHOD(private_key_t, get_fingerprint, bool,
+	private_openssl_rsa_private_key_t *this, cred_encoding_type_t type,
+	chunk_t *fingerprint)
 {
 	return openssl_rsa_fingerprint(this->rsa, type, fingerprint);
 }
 
-/*
- * Implementation of public_key_t.get_encoding.
- */
-static bool get_encoding(private_openssl_rsa_private_key_t *this,
-						 cred_encoding_type_t type, chunk_t *encoding)
+METHOD(private_key_t, get_encoding, bool,
+	private_openssl_rsa_private_key_t *this, cred_encoding_type_t type,
+	chunk_t *encoding)
 {
 	u_char *p;
 
@@ -252,19 +264,15 @@ static bool get_encoding(private_openssl_rsa_private_key_t *this,
 	}
 }
 
-/**
- * Implementation of openssl_rsa_private_key.get_ref.
- */
-static private_openssl_rsa_private_key_t* get_ref(private_openssl_rsa_private_key_t *this)
+METHOD(private_key_t, get_ref, private_key_t*,
+	private_openssl_rsa_private_key_t *this)
 {
 	ref_get(&this->ref);
-	return this;
+	return &this->public.key;
 }
 
-/**
- * Implementation of openssl_rsa_private_key.destroy.
- */
-static void destroy(private_openssl_rsa_private_key_t *this)
+METHOD(private_key_t, destroy, void,
+	private_openssl_rsa_private_key_t *this)
 {
 	if (ref_put(&this->ref))
 	{
@@ -280,25 +288,29 @@ static void destroy(private_openssl_rsa_private_key_t *this)
 /**
  * Internal generic constructor
  */
-static private_openssl_rsa_private_key_t *create_empty(void)
+static private_openssl_rsa_private_key_t *create_empty()
 {
-	private_openssl_rsa_private_key_t *this = malloc_thing(private_openssl_rsa_private_key_t);
-
-	this->public.interface.get_type = (key_type_t (*) (private_key_t*))get_type;
-	this->public.interface.sign = (bool (*) (private_key_t*, signature_scheme_t, chunk_t, chunk_t*))sign;
-	this->public.interface.decrypt = (bool (*) (private_key_t*, chunk_t, chunk_t*))decrypt;
-	this->public.interface.get_keysize = (size_t (*) (private_key_t*))get_keysize;
-	this->public.interface.get_public_key = (public_key_t* (*) (private_key_t*))get_public_key;
-	this->public.interface.equals = private_key_equals;
-	this->public.interface.belongs_to = private_key_belongs_to;
-	this->public.interface.get_fingerprint = (bool(*)(private_key_t*, cred_encoding_type_t type, chunk_t *fp))get_fingerprint;
-	this->public.interface.has_fingerprint = (bool(*)(private_key_t*, chunk_t fp))private_key_has_fingerprint;
-	this->public.interface.get_encoding = (bool(*)(private_key_t*, cred_encoding_type_t type, chunk_t *encoding))get_encoding;
-	this->public.interface.get_ref = (private_key_t* (*) (private_key_t*))get_ref;
-	this->public.interface.destroy = (void (*) (private_key_t*))destroy;
-
-	this->engine = FALSE;
-	this->ref = 1;
+	private_openssl_rsa_private_key_t *this;
+
+	INIT(this,
+		.public = {
+			.key = {
+				.get_type = _get_type,
+				.sign = _sign,
+				.decrypt = _decrypt,
+				.get_keysize = _get_keysize,
+				.get_public_key = _get_public_key,
+				.equals = private_key_equals,
+				.belongs_to = private_key_belongs_to,
+				.get_fingerprint = _get_fingerprint,
+				.has_fingerprint = private_key_has_fingerprint,
+				.get_encoding = _get_encoding,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+		},
+		.ref = 1,
+	);
 
 	return this;
 }
@@ -443,6 +455,48 @@ openssl_rsa_private_key_t *openssl_rsa_private_key_load(key_type_t type,
 	return NULL;
 }
 
+/**
+ * Login to engine with a PIN specified for a keyid
+ */
+static bool login(ENGINE *engine, chunk_t keyid)
+{
+	enumerator_t *enumerator;
+	shared_key_t *shared;
+	identification_t *id;
+	chunk_t key;
+	char pin[64];
+	bool found = FALSE, success = FALSE;
+
+	id = identification_create_from_encoding(ID_KEY_ID, keyid);
+	enumerator = lib->credmgr->create_shared_enumerator(lib->credmgr,
+														SHARED_PIN, id, NULL);
+	while (enumerator->enumerate(enumerator, &shared, NULL, NULL))
+	{
+		found = TRUE;
+		key = shared->get_key(shared);
+		if (snprintf(pin, sizeof(pin), "%.*s", key.len, key.ptr) >= sizeof(pin))
+		{
+			continue;
+		}
+		if (ENGINE_ctrl_cmd_string(engine, "PIN", pin, 0))
+		{
+			success = TRUE;
+			break;
+		}
+		else
+		{
+			DBG1(DBG_CFG, "setting PIN on engine failed");
+		}
+	}
+	enumerator->destroy(enumerator);
+	id->destroy(id);
+	if (!found)
+	{
+		DBG1(DBG_CFG, "no PIN found for %#B", &keyid);
+	}
+	return success;
+}
+
 /**
  * See header.
  */
@@ -451,20 +505,25 @@ openssl_rsa_private_key_t *openssl_rsa_private_key_connect(key_type_t type,
 {
 #ifndef OPENSSL_NO_ENGINE
 	private_openssl_rsa_private_key_t *this;
-	char *keyid = NULL, *pin = NULL;
+	char *engine_id = NULL;
+	char keyname[64];
+	chunk_t keyid = chunk_empty;;
 	EVP_PKEY *key;
-	char *engine_id;
 	ENGINE *engine;
+	int slot = -1;
 
 	while (TRUE)
 	{
 		switch (va_arg(args, builder_part_t))
 		{
-			case BUILD_SMARTCARD_KEYID:
-				keyid = va_arg(args, char*);
+			case BUILD_PKCS11_KEYID:
+				keyid = va_arg(args, chunk_t);
 				continue;
-			case BUILD_SMARTCARD_PIN:
-				pin = va_arg(args, char*);
+			case BUILD_PKCS11_SLOT:
+				slot = va_arg(args, int);
+				continue;
+			case BUILD_PKCS11_MODULE:
+				engine_id = va_arg(args, char*);
 				continue;
 			case BUILD_END:
 				break;
@@ -473,17 +532,31 @@ openssl_rsa_private_key_t *openssl_rsa_private_key_connect(key_type_t type,
 		}
 		break;
 	}
-	if (!keyid || !pin)
+	if (!keyid.len || keyid.len > 40)
 	{
 		return NULL;
 	}
 
-	engine_id = lib->settings->get_str(lib->settings,
+	memset(keyname, 0, sizeof(keyname));
+	if (slot != -1)
+	{
+		snprintf(keyname, sizeof(keyname), "%d:", slot);
+	}
+	if (sizeof(keyname) - strlen(keyname) <= keyid.len * 4 / 3 + 1)
+	{
+		return NULL;
+	}
+	chunk_to_hex(keyid, keyname + strlen(keyname), FALSE);
+
+	if (!engine_id)
+	{
+		engine_id = lib->settings->get_str(lib->settings,
 						"libstrongswan.plugins.openssl.engine_id", "pkcs11");
+	}
 	engine = ENGINE_by_id(engine_id);
 	if (!engine)
 	{
-		DBG1(DBG_LIB, "engine '%s' is not available", engine_id);
+		DBG2(DBG_LIB, "engine '%s' is not available", engine_id);
 		return NULL;
 	}
 	if (!ENGINE_init(engine))
@@ -492,18 +565,17 @@ openssl_rsa_private_key_t *openssl_rsa_private_key_connect(key_type_t type,
 		ENGINE_free(engine);
 		return NULL;
 	}
-	if (!ENGINE_ctrl_cmd_string(engine, "PIN", pin, 0))
+	if (!login(engine, keyid))
 	{
-		DBG1(DBG_LIB, "failed to set PIN on engine '%s'", engine_id);
+		DBG1(DBG_LIB, "login to engine '%s' failed", engine_id);
 		ENGINE_free(engine);
 		return NULL;
 	}
-
-	key = ENGINE_load_private_key(engine, keyid, NULL, NULL);
+	key = ENGINE_load_private_key(engine, keyname, NULL, NULL);
 	if (!key)
 	{
 		DBG1(DBG_LIB, "failed to load private key with ID '%s' from "
-			 "engine '%s'", keyid, engine_id);
+			 "engine '%s'", keyname, engine_id);
 		ENGINE_free(engine);
 		return NULL;
 	}
@@ -512,6 +584,11 @@ openssl_rsa_private_key_t *openssl_rsa_private_key_connect(key_type_t type,
 	this = create_empty();
 	this->rsa = EVP_PKEY_get1_RSA(key);
 	this->engine = TRUE;
+	if (!this->rsa)
+	{
+		destroy(this);
+		return NULL;
+	}
 
 	return &this->public;
 #else /* OPENSSL_NO_ENGINE */
diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.h b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.h
index 079dfa46a..60889d651 100644
--- a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.h
+++ b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.h
@@ -34,7 +34,7 @@ struct openssl_rsa_private_key_t {
 	/**
 	 * Implements private_key_t interface
 	 */
-	private_key_t interface;
+	private_key_t key;
 };
 
 /**
diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
index 6ac61a65c..422e31521 100644
--- a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
@@ -114,19 +114,15 @@ error:
 	return valid;
 }
 
-/**
- * Implementation of public_key_t.get_type.
- */
-static key_type_t get_type(private_openssl_rsa_public_key_t *this)
+METHOD(public_key_t, get_type, key_type_t,
+	private_openssl_rsa_public_key_t *this)
 {
 	return KEY_RSA;
 }
 
-/**
- * Implementation of public_key_t.verify.
- */
-static bool verify(private_openssl_rsa_public_key_t *this, signature_scheme_t scheme,
-				   chunk_t data, chunk_t signature)
+METHOD(public_key_t, verify, bool,
+	private_openssl_rsa_public_key_t *this, signature_scheme_t scheme,
+	chunk_t data, chunk_t signature)
 {
 	switch (scheme)
 	{
@@ -151,22 +147,43 @@ static bool verify(private_openssl_rsa_public_key_t *this, signature_scheme_t sc
 	}
 }
 
-/**
- * Implementation of public_key_t.get_keysize.
- */
-static bool encrypt_(private_openssl_rsa_public_key_t *this,
-					 chunk_t crypto, chunk_t *plain)
+METHOD(public_key_t, encrypt, bool,
+	private_openssl_rsa_public_key_t *this, encryption_scheme_t scheme,
+	chunk_t plain, chunk_t *crypto)
 {
-	DBG1(DBG_LIB, "RSA public key encryption not implemented");
-	return FALSE;
+	int padding, len;
+	char *encrypted;
+
+	switch (scheme)
+	{
+		case ENCRYPT_RSA_PKCS1:
+			padding = RSA_PKCS1_PADDING;
+			break;
+		case ENCRYPT_RSA_OAEP_SHA1:
+			padding = RSA_PKCS1_OAEP_PADDING;
+			break;
+		default:
+			DBG1(DBG_LIB, "decryption scheme %N not supported via openssl",
+				 encryption_scheme_names, scheme);
+			return FALSE;
+	}
+	encrypted = malloc(RSA_size(this->rsa));
+	len = RSA_public_encrypt(plain.len, plain.ptr, encrypted,
+							 this->rsa, padding);
+	if (len < 0)
+	{
+		DBG1(DBG_LIB, "RSA decryption failed");
+		free(encrypted);
+		return FALSE;
+	}
+	*crypto = chunk_create(encrypted, len);
+	return TRUE;
 }
 
-/**
- * Implementation of public_key_t.get_keysize.
- */
-static size_t get_keysize(private_openssl_rsa_public_key_t *this)
+METHOD(public_key_t, get_keysize, int,
+	private_openssl_rsa_public_key_t *this)
 {
-	return RSA_size(this->rsa);
+	return RSA_size(this->rsa) * 8;
 }
 
 /**
@@ -211,20 +228,16 @@ bool openssl_rsa_fingerprint(RSA *rsa, cred_encoding_type_t type, chunk_t *fp)
 	return TRUE;
 }
 
-/**
- * Implementation of public_key_t.get_fingerprint.
- */
-static bool get_fingerprint(private_openssl_rsa_public_key_t *this,
-							cred_encoding_type_t type, chunk_t *fingerprint)
+METHOD(public_key_t, get_fingerprint, bool,
+	private_openssl_rsa_public_key_t *this, cred_encoding_type_t type,
+	chunk_t *fingerprint)
 {
 	return openssl_rsa_fingerprint(this->rsa, type, fingerprint);
 }
 
-/*
- * Implementation of public_key_t.get_encoding.
- */
-static bool get_encoding(private_openssl_rsa_public_key_t *this,
-						 cred_encoding_type_t type, chunk_t *encoding)
+METHOD(public_key_t, get_encoding, bool,
+	private_openssl_rsa_public_key_t *this, cred_encoding_type_t type,
+	chunk_t *encoding)
 {
 	u_char *p;
 
@@ -262,19 +275,15 @@ static bool get_encoding(private_openssl_rsa_public_key_t *this,
 	}
 }
 
-/**
- * Implementation of public_key_t.get_ref.
- */
-static public_key_t* get_ref(private_openssl_rsa_public_key_t *this)
+METHOD(public_key_t, get_ref, public_key_t*,
+	private_openssl_rsa_public_key_t *this)
 {
 	ref_get(&this->ref);
-	return &this->public.interface;
+	return &this->public.key;
 }
 
-/**
- * Implementation of openssl_rsa_public_key.destroy.
- */
-static void destroy(private_openssl_rsa_public_key_t *this)
+METHOD(public_key_t, destroy, void,
+	private_openssl_rsa_public_key_t *this)
 {
 	if (ref_put(&this->ref))
 	{
@@ -292,21 +301,25 @@ static void destroy(private_openssl_rsa_public_key_t *this)
  */
 static private_openssl_rsa_public_key_t *create_empty()
 {
-	private_openssl_rsa_public_key_t *this = malloc_thing(private_openssl_rsa_public_key_t);
-
-	this->public.interface.get_type = (key_type_t (*)(public_key_t *this))get_type;
-	this->public.interface.verify = (bool (*)(public_key_t *this, signature_scheme_t scheme, chunk_t data, chunk_t signature))verify;
-	this->public.interface.encrypt = (bool (*)(public_key_t *this, chunk_t crypto, chunk_t *plain))encrypt_;
-	this->public.interface.equals = public_key_equals;
-	this->public.interface.get_keysize = (size_t (*) (public_key_t *this))get_keysize;
-	this->public.interface.get_fingerprint = (bool(*)(public_key_t*, cred_encoding_type_t type, chunk_t *fp))get_fingerprint;
-	this->public.interface.has_fingerprint = (bool(*)(public_key_t*, chunk_t fp))public_key_has_fingerprint;
-	this->public.interface.get_encoding = (bool(*)(public_key_t*, cred_encoding_type_t type, chunk_t *encoding))get_encoding;
-	this->public.interface.get_ref = (public_key_t* (*)(public_key_t *this))get_ref;
-	this->public.interface.destroy = (void (*)(public_key_t *this))destroy;
-
-	this->rsa = NULL;
-	this->ref = 1;
+	private_openssl_rsa_public_key_t *this;
+
+	INIT(this,
+		.public = {
+			.key = {
+				.get_type = _get_type,
+				.verify = _verify,
+				.encrypt = _encrypt,
+				.equals = public_key_equals,
+				.get_keysize = _get_keysize,
+				.get_fingerprint = _get_fingerprint,
+				.has_fingerprint = public_key_has_fingerprint,
+				.get_encoding = _get_encoding,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+		},
+		.ref = 1,
+	);
 
 	return this;
 }
diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.h b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.h
index 620aa51ce..021257d3c 100644
--- a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.h
+++ b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.h
@@ -33,7 +33,7 @@ struct openssl_rsa_public_key_t {
 	/**
 	 * Implements the public_key_t interface
 	 */
-	public_key_t interface;
+	public_key_t key;
 };
 
 /**
diff --git a/src/libstrongswan/plugins/openssl/openssl_sha1_prf.c b/src/libstrongswan/plugins/openssl/openssl_sha1_prf.c
index b65388010..20f2fa984 100644
--- a/src/libstrongswan/plugins/openssl/openssl_sha1_prf.c
+++ b/src/libstrongswan/plugins/openssl/openssl_sha1_prf.c
@@ -124,13 +124,15 @@ openssl_sha1_prf_t *openssl_sha1_prf_create(pseudo_random_function_t algo)
 	}
 
 	INIT(this,
-		.public.prf = {
-			.get_block_size = _get_block_size,
-			.get_bytes = _get_bytes,
-			.allocate_bytes = _allocate_bytes,
-			.get_key_size = _get_key_size,
-			.set_key = _set_key,
-			.destroy = _destroy,
+		.public = {
+			.prf = {
+				.get_block_size = _get_block_size,
+				.get_bytes = _get_bytes,
+				.allocate_bytes = _allocate_bytes,
+				.get_key_size = _get_key_size,
+				.set_key = _set_key,
+				.destroy = _destroy,
+			},
 		},
 	);
 
diff --git a/src/libstrongswan/plugins/openssl/openssl_x509.c b/src/libstrongswan/plugins/openssl/openssl_x509.c
index 1c9bb699e..aa39bc93d 100644
--- a/src/libstrongswan/plugins/openssl/openssl_x509.c
+++ b/src/libstrongswan/plugins/openssl/openssl_x509.c
@@ -187,6 +187,15 @@ static identification_t *general_name2id(GENERAL_NAME *name)
 		}
 		case GEN_DIRNAME :
 			return openssl_x509_name2id(name->d.directoryName);
+		case GEN_OTHERNAME:
+			if (OBJ_obj2nid(name->d.otherName->type_id) == NID_ms_upn &&
+				name->d.otherName->value->type == V_ASN1_UTF8STRING)
+			{
+				return identification_create_from_encoding(ID_RFC822_ADDR,
+							openssl_asn1_str2chunk(
+								name->d.otherName->value->value.utf8string));
+			}
+			return NULL;
 		default:
 			return NULL;
 	}
@@ -286,10 +295,23 @@ METHOD(certificate_t, has_subject, id_match_t,
 	identification_t *current;
 	enumerator_t *enumerator;
 	id_match_t match, best;
+	chunk_t encoding;
 
 	if (subject->get_type(subject) == ID_KEY_ID)
 	{
-		if (chunk_equals(this->hash, subject->get_encoding(subject)))
+		encoding = subject->get_encoding(subject);
+
+		if (chunk_equals(this->hash, encoding))
+		{
+			return ID_MATCH_PERFECT;
+		}
+		if (this->subjectKeyIdentifier.len &&
+			chunk_equals(this->subjectKeyIdentifier, encoding))
+		{
+			return ID_MATCH_PERFECT;
+		}
+		if (this->pubkey &&
+			this->pubkey->has_fingerprint(this->pubkey, encoding))
 		{
 			return ID_MATCH_PERFECT;
 		}
@@ -755,6 +777,38 @@ static bool parse_extensions(private_openssl_x509_t *this)
 	return TRUE;
 }
 
+/**
+ * Parse ExtendedKeyUsage
+ */
+static void parse_extKeyUsage(private_openssl_x509_t *this)
+{
+	EXTENDED_KEY_USAGE *usage;
+	int i;
+
+	usage = X509_get_ext_d2i(this->x509, NID_ext_key_usage, NULL, NULL);
+	if (usage)
+	{
+		for (i = 0; i < sk_ASN1_OBJECT_num(usage); i++)
+		{
+			switch (OBJ_obj2nid(sk_ASN1_OBJECT_value(usage, i)))
+			{
+				case NID_server_auth:
+					this->flags |= X509_SERVER_AUTH;
+					break;
+				case NID_client_auth:
+					this->flags |= X509_CLIENT_AUTH;
+					break;
+				case NID_OCSP_sign:
+					this->flags |= X509_OCSP_SIGNER;
+					break;
+				default:
+					break;
+			}
+		}
+		sk_ASN1_OBJECT_pop_free(usage, ASN1_OBJECT_free);
+	}
+}
+
 /**
  * Parse a DER encoded x509 certificate
  */
@@ -814,6 +868,7 @@ static bool parse_certificate(private_openssl_x509_t *this)
 	{
 		return TRUE;
 	}
+	parse_extKeyUsage(this);
 
 	hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
 	if (!hasher)
diff --git a/src/libstrongswan/plugins/padlock/Makefile.in b/src/libstrongswan/plugins/padlock/Makefile.in
index adb8f08d1..46953f681 100644
--- a/src/libstrongswan/plugins/padlock/Makefile.in
+++ b/src/libstrongswan/plugins/padlock/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -167,6 +168,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -198,14 +201,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -220,24 +226,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -245,7 +258,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libstrongswan/plugins/padlock/padlock_aes_crypter.c b/src/libstrongswan/plugins/padlock/padlock_aes_crypter.c
index 9edea4bd3..06c20292f 100644
--- a/src/libstrongswan/plugins/padlock/padlock_aes_crypter.c
+++ b/src/libstrongswan/plugins/padlock/padlock_aes_crypter.c
@@ -78,8 +78,8 @@ static void padlock_crypt(void *key, void *ctrl, void *src, void *dst,
 		: "eax", "ecx", "edx", "esi", "edi");
 }
 
-/*
- * Implementation of crypter_t.crypt
+/**
+ * Do encryption/decryption operation using Padlock control word
  */
 static void crypt(private_padlock_aes_crypter_t *this, char *iv,
 				  chunk_t src, chunk_t *dst, bool enc)
@@ -107,53 +107,44 @@ static void crypt(private_padlock_aes_crypter_t *this, char *iv,
 				  src.len / AES_BLOCK_SIZE, iv_aligned);
 }
 
-/**
- * Implementation of crypter_t.decrypt.
- */
-static void decrypt(private_padlock_aes_crypter_t *this, chunk_t data,
-						chunk_t iv, chunk_t *dst)
+METHOD(crypter_t, decrypt, void,
+	private_padlock_aes_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *dst)
 {
 	crypt(this, iv.ptr, data, dst, TRUE);
 }
 
-
-/**
- * Implementation of crypter_t.encrypt.
- */
-static void encrypt (private_padlock_aes_crypter_t *this, chunk_t data,
-							chunk_t iv, chunk_t *dst)
+METHOD(crypter_t, encrypt, void,
+	private_padlock_aes_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *dst)
 {
 	crypt(this, iv.ptr, data, dst, FALSE);
 }
 
-/**
- * Implementation of crypter_t.get_block_size.
- */
-static size_t get_block_size(private_padlock_aes_crypter_t *this)
+METHOD(crypter_t, get_block_size, size_t,
+	private_padlock_aes_crypter_t *this)
 {
 	return AES_BLOCK_SIZE;
 }
 
-/**
- * Implementation of crypter_t.get_key_size.
- */
-static size_t get_key_size(private_padlock_aes_crypter_t *this)
+METHOD(crypter_t, get_iv_size, size_t,
+	private_padlock_aes_crypter_t *this)
+{
+	return AES_BLOCK_SIZE;
+}
+
+METHOD(crypter_t, get_key_size, size_t,
+	private_padlock_aes_crypter_t *this)
 {
 	return this->key.len;
 }
 
-/**
- * Implementation of crypter_t.set_key.
- */
-static void set_key(private_padlock_aes_crypter_t *this, chunk_t key)
+METHOD(crypter_t, set_key, void,
+	private_padlock_aes_crypter_t *this, chunk_t key)
 {
 	memcpy(this->key.ptr, key.ptr, min(key.len, this->key.len));
 }
 
-/**
- * Implementation of crypter_t.destroy and aes_crypter_t.destroy.
- */
-static void destroy (private_padlock_aes_crypter_t *this)
+METHOD(crypter_t, destroy, void,
+	private_padlock_aes_crypter_t *this)
 {
 	free(this->key.ptr);
 	free(this);
@@ -171,29 +162,33 @@ padlock_aes_crypter_t *padlock_aes_crypter_create(encryption_algorithm_t algo,
 	{
 		return NULL;
 	}
-
-	this = malloc_thing(private_padlock_aes_crypter_t);
-
 	switch (key_size)
 	{
+		case 0:
+			key_size = 16;
+			/* FALL */
 		case 16:        /* AES 128 */
 			break;
 		case 24:        /* AES-192 */
 		case 32:        /* AES-256 */
 			/* These need an expanded key, currently not supported, FALL */
 		default:
-			free(this);
 			return NULL;
 	}
 
-	this->key = chunk_alloc(key_size);
-
-	this->public.crypter_interface.encrypt = (void (*) (crypter_t *, chunk_t,chunk_t, chunk_t *)) encrypt;
-	this->public.crypter_interface.decrypt = (void (*) (crypter_t *, chunk_t , chunk_t, chunk_t *)) decrypt;
-	this->public.crypter_interface.get_block_size = (size_t (*) (crypter_t *)) get_block_size;
-	this->public.crypter_interface.get_key_size = (size_t (*) (crypter_t *)) get_key_size;
-	this->public.crypter_interface.set_key = (void (*) (crypter_t *,chunk_t)) set_key;
-	this->public.crypter_interface.destroy = (void (*) (crypter_t *)) destroy;
-
+	INIT(this,
+		.public = {
+			.crypter = {
+				.encrypt = _encrypt,
+				.decrypt = _decrypt,
+				.get_block_size = _get_block_size,
+				.get_iv_size = _get_iv_size,
+				.get_key_size = _get_key_size,
+				.set_key = _set_key,
+				.destroy = _destroy,
+			},
+		},
+		.key = chunk_alloc(key_size),
+	);
 	return &this->public;
 }
diff --git a/src/libstrongswan/plugins/padlock/padlock_aes_crypter.h b/src/libstrongswan/plugins/padlock/padlock_aes_crypter.h
index d4c7a7577..1c804860c 100644
--- a/src/libstrongswan/plugins/padlock/padlock_aes_crypter.h
+++ b/src/libstrongswan/plugins/padlock/padlock_aes_crypter.h
@@ -32,9 +32,9 @@ typedef struct padlock_aes_crypter_t padlock_aes_crypter_t;
 struct padlock_aes_crypter_t {
 
 	/**
-	 * The crypter_t interface.
+	 * Implements crypter_t interface.
 	 */
-	crypter_t crypter_interface;
+	crypter_t crypter;
 };
 
 /**
diff --git a/src/libstrongswan/plugins/padlock/padlock_plugin.c b/src/libstrongswan/plugins/padlock/padlock_plugin.c
index c9606ae15..027c53c7b 100644
--- a/src/libstrongswan/plugins/padlock/padlock_plugin.c
+++ b/src/libstrongswan/plugins/padlock/padlock_plugin.c
@@ -101,10 +101,8 @@ static padlock_feature_t get_padlock_features()
 	return 0;
 }
 
-/**
- * Implementation of aes_plugin_t.destroy
- */
-static void destroy(private_padlock_plugin_t *this)
+METHOD(plugin_t, destroy, void,
+	private_padlock_plugin_t *this)
 {
 	if (this->features & PADLOCK_RNG_ENABLED)
 	{
@@ -133,11 +131,17 @@ static void destroy(private_padlock_plugin_t *this)
  */
 plugin_t *padlock_plugin_create()
 {
-	private_padlock_plugin_t *this = malloc_thing(private_padlock_plugin_t);
+	private_padlock_plugin_t *this;
 
-	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+	INIT(this,
+		.public = {
+			.plugin = {
+				.destroy = _destroy,
+			},
+		},
+		.features = get_padlock_features(),
+	);
 
-	this->features = get_padlock_features();
 	if (!this->features)
 	{
 		free(this);
diff --git a/src/libstrongswan/plugins/padlock/padlock_rng.c b/src/libstrongswan/plugins/padlock/padlock_rng.c
index 8ff46081b..3d805df9d 100644
--- a/src/libstrongswan/plugins/padlock/padlock_rng.c
+++ b/src/libstrongswan/plugins/padlock/padlock_rng.c
@@ -53,15 +53,15 @@ struct private_padlock_rng_t {
  */
 static void rng(char *buf, int len, int quality)
 {
-	while (len > 0)
+	while (len > 0)
 	{
 		int status;
 
 		/* run XSTORE until we have all bytes needed. We do not use REP, as
 		 * this should not be performance critical and it's easier this way. */
 		asm volatile (
-			".byte 0x0F,0xA7,0xC0 \n\t"
-			: "=D"(buf), "=a"(status)
+			".byte 0x0F,0xA7,0xC0 \n\t"
+			: "=D"(buf), "=a"(status)
 			: "d"(quality), "D"(buf));
 
 		/* bits[0..4] of status word contains the number of bytes read */
@@ -69,11 +69,8 @@ static void rng(char *buf, int len, int quality)
 	}
 }
 
-/**
- * Implementation of padlock_rng_t.allocate_bytes.
- */
-static void allocate_bytes(private_padlock_rng_t *this, size_t bytes,
-						   chunk_t *chunk)
+METHOD(rng_t, allocate_bytes, void,
+	private_padlock_rng_t *this, size_t bytes, chunk_t *chunk)
 {
 	chunk->len = bytes;
 	/* padlock requires some additional bytes */
@@ -82,11 +79,8 @@ static void allocate_bytes(private_padlock_rng_t *this, size_t bytes,
 	rng(chunk->ptr, chunk->len, this->quality);
 }
 
-/**
- * Implementation of padlock_rng_t.get_bytes.
- */
-static void get_bytes(private_padlock_rng_t *this, size_t bytes,
-					  u_int8_t *buffer)
+METHOD(rng_t, get_bytes, void,
+	private_padlock_rng_t *this, size_t bytes, u_int8_t *buffer)
 {
 	chunk_t chunk;
 
@@ -96,10 +90,8 @@ static void get_bytes(private_padlock_rng_t *this, size_t bytes,
 	chunk_clear(&chunk);
 }
 
-/**
- * Implementation of padlock_rng_t.destroy.
- */
-static void destroy(private_padlock_rng_t *this)
+METHOD(rng_t, destroy, void,
+	private_padlock_rng_t *this)
 {
 	free(this);
 }
@@ -109,11 +101,17 @@ static void destroy(private_padlock_rng_t *this)
  */
 padlock_rng_t *padlock_rng_create(rng_quality_t quality)
 {
-	private_padlock_rng_t *this = malloc_thing(private_padlock_rng_t);
-
-	this->public.rng.get_bytes = (void (*) (rng_t *, size_t, u_int8_t*)) get_bytes;
-	this->public.rng.allocate_bytes = (void (*) (rng_t *, size_t, chunk_t*)) allocate_bytes;
-	this->public.rng.destroy = (void (*) (rng_t *))destroy;
+	private_padlock_rng_t *this;
+
+	INIT(this,
+		.public = {
+			.rng = {
+				.get_bytes = _get_bytes,
+				.allocate_bytes = _allocate_bytes,
+				.destroy = _destroy,
+			},
+		},
+	);
 
 	/* map RNG quality to Padlock quality factor */
 	switch (quality)
@@ -127,8 +125,10 @@ padlock_rng_t *padlock_rng_create(rng_quality_t quality)
 		case RNG_TRUE:
 			this->quality = PADLOCK_QF3;
 			break;
+		default:
+			free(this);
+			return NULL;
 	}
-
 	return &this->public;
 }
 
diff --git a/src/libstrongswan/plugins/padlock/padlock_sha1_hasher.c b/src/libstrongswan/plugins/padlock/padlock_sha1_hasher.c
index 60b516675..66a077353 100644
--- a/src/libstrongswan/plugins/padlock/padlock_sha1_hasher.c
+++ b/src/libstrongswan/plugins/padlock/padlock_sha1_hasher.c
@@ -83,19 +83,14 @@ static void append_data(private_padlock_sha1_hasher_t *this, chunk_t data)
 	this->data.len += data.len;
 }
 
-/**
- * Implementation of hasher_t.reset.
- */
-static void reset(private_padlock_sha1_hasher_t *this)
+METHOD(hasher_t, reset, void,
+	private_padlock_sha1_hasher_t *this)
 {
 	chunk_free(&this->data);
 }
 
-/**
- * Implementation of hasher_t.get_hash.
- */
-static void get_hash(private_padlock_sha1_hasher_t *this, chunk_t chunk,
-					 u_int8_t *hash)
+METHOD(hasher_t, get_hash, void,
+	private_padlock_sha1_hasher_t *this, chunk_t chunk, u_int8_t *hash)
 {
 	if (hash)
 	{
@@ -116,11 +111,8 @@ static void get_hash(private_padlock_sha1_hasher_t *this, chunk_t chunk,
 	}
 }
 
-/**
- * Implementation of hasher_t.allocate_hash.
- */
-static void allocate_hash(private_padlock_sha1_hasher_t *this, chunk_t chunk,
-						  chunk_t *hash)
+METHOD(hasher_t, allocate_hash, void,
+	private_padlock_sha1_hasher_t *this, chunk_t chunk, chunk_t *hash)
 {
 	if (hash)
 	{
@@ -133,18 +125,14 @@ static void allocate_hash(private_padlock_sha1_hasher_t *this, chunk_t chunk,
 	}
 }
 
-/**
- * Implementation of hasher_t.get_hash_size.
- */
-static size_t get_hash_size(private_padlock_sha1_hasher_t *this)
+METHOD(hasher_t, get_hash_size, size_t,
+	private_padlock_sha1_hasher_t *this)
 {
 	return HASH_SIZE_SHA1;
 }
 
-/**
- * Implementation of hasher_t.destroy.
- */
-static void destroy(private_padlock_sha1_hasher_t *this)
+METHOD(hasher_t, destroy, void,
+	private_padlock_sha1_hasher_t *this)
 {
 	free(this->data.ptr);
 	free(this);
@@ -161,15 +149,16 @@ padlock_sha1_hasher_t *padlock_sha1_hasher_create(hash_algorithm_t algo)
 	{
 		return NULL;
 	}
-
-	this = malloc_thing(private_padlock_sha1_hasher_t);
-	this->public.hasher_interface.get_hash = (void (*) (hasher_t*, chunk_t, u_int8_t*))get_hash;
-	this->public.hasher_interface.allocate_hash = (void (*) (hasher_t*, chunk_t, chunk_t*))allocate_hash;
-	this->public.hasher_interface.get_hash_size = (size_t (*) (hasher_t*))get_hash_size;
-	this->public.hasher_interface.reset = (void (*) (hasher_t*))reset;
-	this->public.hasher_interface.destroy = (void (*) (hasher_t*))destroy;
-
-	this->data = chunk_empty;
-
-	return &(this->public);
+	INIT(this,
+		.public = {
+			.hasher = {
+				.get_hash = _get_hash,
+				.allocate_hash = _allocate_hash,
+				.get_hash_size = _get_hash_size,
+				.reset = _reset,
+				.destroy = _destroy,
+			},
+		},
+	);
+	return &this->public;
 }
diff --git a/src/libstrongswan/plugins/padlock/padlock_sha1_hasher.h b/src/libstrongswan/plugins/padlock/padlock_sha1_hasher.h
index 740bdfe98..2d2b2b45d 100644
--- a/src/libstrongswan/plugins/padlock/padlock_sha1_hasher.h
+++ b/src/libstrongswan/plugins/padlock/padlock_sha1_hasher.h
@@ -34,7 +34,7 @@ struct padlock_sha1_hasher_t {
 	/**
 	 * Implements hasher_t interface.
 	 */
-	hasher_t hasher_interface;
+	hasher_t hasher;
 };
 
 /**
diff --git a/src/libstrongswan/plugins/pem/Makefile.in b/src/libstrongswan/plugins/pem/Makefile.in
index e19a66fa5..cf5acdd1c 100644
--- a/src/libstrongswan/plugins/pem/Makefile.in
+++ b/src/libstrongswan/plugins/pem/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -165,6 +166,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -196,14 +199,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -218,24 +224,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -243,7 +256,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libstrongswan/plugins/pem/pem_builder.c b/src/libstrongswan/plugins/pem/pem_builder.c
index a15c3f258..b760adda9 100644
--- a/src/libstrongswan/plugins/pem/pem_builder.c
+++ b/src/libstrongswan/plugins/pem/pem_builder.c
@@ -127,8 +127,8 @@ static status_t pem_decrypt(chunk_t *blob, encryption_algorithm_t alg,
 	}
 	crypter->set_key(crypter, key);
 
-	if (iv.len != crypter->get_block_size(crypter) ||
-		blob->len % iv.len)
+	if (iv.len != crypter->get_iv_size(crypter) ||
+		blob->len % crypter->get_block_size(crypter))
 	{
 		crypter->destroy(crypter);
 		DBG1(DBG_LIB, "  data size is not multiple of block size");
@@ -167,8 +167,7 @@ static status_t pem_decrypt(chunk_t *blob, encryption_algorithm_t alg,
 /**
  * Converts a PEM encoded file into its binary form (RFC 1421, RFC 934)
  */
-static status_t pem_to_bin(chunk_t *blob, chunk_t(*cb)(void*,int), void *cb_data,
-						   bool *pgp)
+static status_t pem_to_bin(chunk_t *blob, bool *pgp)
 {
 	typedef enum {
 		PEM_PRE    = 0,
@@ -187,9 +186,10 @@ static status_t pem_to_bin(chunk_t *blob, chunk_t(*cb)(void*,int), void *cb_data
 	chunk_t dst    = *blob;
 	chunk_t line   = chunk_empty;
 	chunk_t iv     = chunk_empty;
-	chunk_t passphrase;
-	int try = 0;
 	u_char iv_buf[HASH_SIZE_MD5];
+	status_t status = NOT_FOUND;
+	enumerator_t *enumerator;
+	shared_key_t *shared;
 
 	dst.len = 0;
 	iv.ptr = iv_buf;
@@ -326,36 +326,35 @@ static status_t pem_to_bin(chunk_t *blob, chunk_t(*cb)(void*,int), void *cb_data
 	{
 		return SUCCESS;
 	}
-	if (!cb)
-	{
-		DBG1(DBG_LIB, "  missing passphrase");
-		return INVALID_ARG;
-	}
-	while (TRUE)
+
+	enumerator = lib->credmgr->create_shared_enumerator(lib->credmgr,
+											SHARED_PRIVATE_KEY_PASS, NULL, NULL);
+	while (enumerator->enumerate(enumerator, &shared, NULL, NULL))
 	{
-		passphrase = cb(cb_data, ++try);
-		if (!passphrase.len || !passphrase.ptr)
+		chunk_t passphrase, chunk;
+
+		passphrase = shared->get_key(shared);
+		chunk = chunk_clone(*blob);
+		status = pem_decrypt(&chunk, alg, key_size, iv, passphrase);
+		if (status == SUCCESS)
 		{
-			return INVALID_ARG;
+			memcpy(blob->ptr, chunk.ptr, chunk.len);
+			blob->len = chunk.len;
 		}
-		switch (pem_decrypt(blob, alg, key_size, iv, passphrase))
-		{
-			case INVALID_ARG:
-				/* bad passphrase, retry */
-				continue;
-			case SUCCESS:
-				return SUCCESS;
-			default:
-				return FAILED;
+		free(chunk.ptr);
+		if (status != INVALID_ARG)
+		{	/* try again only if passphrase invalid */
+			break;
 		}
 	}
+	enumerator->destroy(enumerator);
+	return status;
 }
 
 /**
  * load the credential from a blob
  */
 static void *load_from_blob(chunk_t blob, credential_type_t type, int subtype,
-							chunk_t(*cb)(void*,int), void *cb_data,
 							x509_flag_t flags)
 {
 	void *cred = NULL;
@@ -364,7 +363,7 @@ static void *load_from_blob(chunk_t blob, credential_type_t type, int subtype,
 	blob = chunk_clone(blob);
 	if (!is_asn1(blob))
 	{
-		if (pem_to_bin(&blob, cb, cb_data, &pgp) != SUCCESS)
+		if (pem_to_bin(&blob, &pgp) != SUCCESS)
 		{
 			chunk_clear(&blob);
 			return NULL;
@@ -394,7 +393,6 @@ static void *load_from_blob(chunk_t blob, credential_type_t type, int subtype,
  * load the credential from a file
  */
 static void *load_from_file(char *file, credential_type_t type, int subtype,
-							chunk_t(*cb)(void*,int), void *cb_data,
 							x509_flag_t flags)
 {
 	void *cred = NULL;
@@ -425,8 +423,7 @@ static void *load_from_file(char *file, credential_type_t type, int subtype,
 		return NULL;
 	}
 
-	cred = load_from_blob(chunk_create(addr, sb.st_size), type, subtype,
-						  cb, cb_data, flags);
+	cred = load_from_blob(chunk_create(addr, sb.st_size), type, subtype, flags);
 
 	munmap(addr, sb.st_size);
 	close(fd);
@@ -437,7 +434,6 @@ static void *load_from_file(char *file, credential_type_t type, int subtype,
  * load the credential from a file descriptor
  */
 static void *load_from_fd(int fd, credential_type_t type, int subtype,
-						  chunk_t(*cb)(void*,int), void *cb_data,
 						  x509_flag_t flags)
 {
 	char buf[8096];
@@ -464,20 +460,7 @@ static void *load_from_fd(int fd, credential_type_t type, int subtype,
 			return NULL;
 		}
 	}
-	return load_from_blob(chunk_create(buf, total), type, subtype,
-						  cb, cb_data, flags);
-}
-
-/**
- * passphrase callback to use if passphrase given
- */
-static chunk_t given_passphrase_cb(chunk_t *passphrase, int try)
-{
-	if (try > 1)
-	{	/* try only once for given passphrases */
-		return chunk_empty;
-	}
-	return *passphrase;
+	return load_from_blob(chunk_create(buf, total), type, subtype, flags);
 }
 
 /**
@@ -487,9 +470,7 @@ static void *pem_load(credential_type_t type, int subtype, va_list args)
 {
 	char *file = NULL;
 	int fd = -1;
-	chunk_t pem = chunk_empty, passphrase = chunk_empty;
-	chunk_t (*cb)(void *data, int try) = NULL;
-	void *cb_data = NULL;
+	chunk_t pem = chunk_empty;
 	int flags = 0;
 
 	while (TRUE)
@@ -505,18 +486,6 @@ static void *pem_load(credential_type_t type, int subtype, va_list args)
 			case BUILD_BLOB_PEM:
 				pem = va_arg(args, chunk_t);
 				continue;
-			case BUILD_PASSPHRASE:
-				passphrase = va_arg(args, chunk_t);
-				if (passphrase.len && passphrase.ptr)
-				{
-					cb = (void*)given_passphrase_cb;
-					cb_data = &passphrase;
-				}
-				continue;
-			case BUILD_PASSPHRASE_CALLBACK:
-				cb = va_arg(args, chunk_t(*)(void*,int));
-				cb_data = va_arg(args, void*);
-				continue;
 			case BUILD_X509_FLAG:
 				flags = va_arg(args, int);
 				continue;
@@ -530,15 +499,15 @@ static void *pem_load(credential_type_t type, int subtype, va_list args)
 
 	if (pem.len)
 	{
-		return load_from_blob(pem, type, subtype, cb, cb_data, flags);
+		return load_from_blob(pem, type, subtype, flags);
 	}
 	if (file)
 	{
-		return load_from_file(file, type, subtype, cb, cb_data, flags);
+		return load_from_file(file, type, subtype, flags);
 	}
 	if (fd != -1)
 	{
-		return load_from_fd(fd, type, subtype, cb, cb_data, flags);
+		return load_from_fd(fd, type, subtype, flags);
 	}
 	return NULL;
 }
diff --git a/src/libstrongswan/plugins/pem/pem_plugin.c b/src/libstrongswan/plugins/pem/pem_plugin.c
index 810901b7a..83efb155b 100644
--- a/src/libstrongswan/plugins/pem/pem_plugin.c
+++ b/src/libstrongswan/plugins/pem/pem_plugin.c
@@ -57,49 +57,49 @@ plugin_t *pem_plugin_create()
 	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
 
 	/* register private key PEM decoding builders */
-	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_ANY,
+	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_ANY, FALSE,
 							(builder_function_t)pem_private_key_load);
-	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, FALSE,
 							(builder_function_t)pem_private_key_load);
-	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_ECDSA,
+	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_ECDSA, FALSE,
 							(builder_function_t)pem_private_key_load);
-	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_DSA,
+	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_DSA, FALSE,
 							(builder_function_t)pem_private_key_load);
 
 	/* register public key PEM decoding builders */
-	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_ANY,
+	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_ANY, FALSE,
 							(builder_function_t)pem_public_key_load);
-	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
+	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_RSA, FALSE,
 							(builder_function_t)pem_public_key_load);
-	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_ECDSA,
+	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_ECDSA, FALSE,
 							(builder_function_t)pem_public_key_load);
-	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_DSA,
+	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_DSA, FALSE,
 							(builder_function_t)pem_public_key_load);
 
 	/* register certificate PEM decoding builders */
-	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_ANY,
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_ANY, FALSE,
 							(builder_function_t)pem_certificate_load);
-	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509,
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509, FALSE,
 							(builder_function_t)pem_certificate_load);
-	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL,
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL, FALSE,
 							(builder_function_t)pem_certificate_load);
-	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_OCSP_REQUEST,
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_OCSP_REQUEST, FALSE,
 							(builder_function_t)pem_certificate_load);
-	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_OCSP_RESPONSE,
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_OCSP_RESPONSE, FALSE,
 							(builder_function_t)pem_certificate_load);
-	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_AC,
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_AC, FALSE,
 							(builder_function_t)pem_certificate_load);
-	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_PKCS10_REQUEST,
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_PKCS10_REQUEST, FALSE,
 							(builder_function_t)pem_certificate_load);
-	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_TRUSTED_PUBKEY,
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_TRUSTED_PUBKEY, FALSE,
 							(builder_function_t)pem_certificate_load);
-	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_GPG,
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_GPG, FALSE,
 							(builder_function_t)pem_certificate_load);
 
 	/* register pluto specific certificate formats */
-	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_PLUTO_CERT,
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_PLUTO_CERT, FALSE,
 							(builder_function_t)pem_certificate_load);
-	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_PLUTO_CRL,
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_PLUTO_CRL, FALSE,
 							(builder_function_t)pem_certificate_load);
 
 	/* register PEM encoder */
diff --git a/src/libstrongswan/plugins/pgp/Makefile.in b/src/libstrongswan/plugins/pgp/Makefile.in
index a5bc5eb39..0098147a9 100644
--- a/src/libstrongswan/plugins/pgp/Makefile.in
+++ b/src/libstrongswan/plugins/pgp/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -165,6 +166,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -196,14 +199,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -218,24 +224,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -243,7 +256,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libstrongswan/plugins/pgp/pgp_builder.c b/src/libstrongswan/plugins/pgp/pgp_builder.c
index 84c9bfddd..440e70a18 100644
--- a/src/libstrongswan/plugins/pgp/pgp_builder.c
+++ b/src/libstrongswan/plugins/pgp/pgp_builder.c
@@ -129,7 +129,7 @@ static bool sign_not_allowed(private_key_t *this, signature_scheme_t scheme,
 /**
  * Implementation of private_key_t.decrypt for signature-only keys
  */
-static bool decrypt_not_allowed(private_key_t *this,
+static bool decrypt_not_allowed(private_key_t *this, encryption_scheme_t scheme,
 								chunk_t crypto, chunk_t *plain)
 {
 	DBG1(DBG_LIB, "decryption failed - signature only key");
diff --git a/src/libstrongswan/plugins/pgp/pgp_plugin.c b/src/libstrongswan/plugins/pgp/pgp_plugin.c
index 3ed1faf01..41e0a5df6 100644
--- a/src/libstrongswan/plugins/pgp/pgp_plugin.c
+++ b/src/libstrongswan/plugins/pgp/pgp_plugin.c
@@ -60,16 +60,16 @@ plugin_t *pgp_plugin_create()
 
 	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
 
-	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_ANY,
+	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_ANY, FALSE,
 							(builder_function_t)pgp_public_key_load);
-	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
+	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_RSA, FALSE,
 							(builder_function_t)pgp_public_key_load);
-	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_ANY,
+	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_ANY, FALSE,
 							(builder_function_t)pgp_private_key_load);
-	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, FALSE,
 							(builder_function_t)pgp_private_key_load);
 
-	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_GPG,
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_GPG, FALSE,
 							(builder_function_t)pgp_cert_load);
 
 	lib->encoding->add_encoder(lib->encoding, pgp_encoder_encode);
diff --git a/src/libstrongswan/plugins/pkcs1/Makefile.in b/src/libstrongswan/plugins/pkcs1/Makefile.in
index 947f52d82..8b41499a7 100644
--- a/src/libstrongswan/plugins/pkcs1/Makefile.in
+++ b/src/libstrongswan/plugins/pkcs1/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -166,6 +167,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -197,14 +200,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -219,24 +225,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -244,7 +257,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libstrongswan/plugins/pkcs1/pkcs1_plugin.c b/src/libstrongswan/plugins/pkcs1/pkcs1_plugin.c
index 35ec2d2bf..d3afb5c67 100644
--- a/src/libstrongswan/plugins/pkcs1/pkcs1_plugin.c
+++ b/src/libstrongswan/plugins/pkcs1/pkcs1_plugin.c
@@ -56,11 +56,11 @@ plugin_t *pkcs1_plugin_create()
 
 	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
 
-	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_ANY,
+	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_ANY, FALSE,
 							(builder_function_t)pkcs1_public_key_load);
-	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
+	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_RSA, FALSE,
 							(builder_function_t)pkcs1_public_key_load);
-	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, FALSE,
 							(builder_function_t)pkcs1_private_key_load);
 
 	lib->encoding->add_encoder(lib->encoding, pkcs1_encoder_encode);
diff --git a/src/libstrongswan/plugins/pkcs11/Makefile.am b/src/libstrongswan/plugins/pkcs11/Makefile.am
new file mode 100644
index 000000000..199039d95
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs11/Makefile.am
@@ -0,0 +1,21 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = -rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-pkcs11.la
+else
+plugin_LTLIBRARIES = libstrongswan-pkcs11.la
+endif
+
+libstrongswan_pkcs11_la_SOURCES = \
+	pkcs11_plugin.h pkcs11_plugin.c pkcs11.h \
+	pkcs11_library.h pkcs11_library.c \
+	pkcs11_creds.h pkcs11_creds.c \
+	pkcs11_private_key.h pkcs11_private_key.c \
+	pkcs11_public_key.h pkcs11_public_key.c \
+	pkcs11_hasher.h pkcs11_hasher.c \
+	pkcs11_manager.h pkcs11_manager.c
+
+libstrongswan_pkcs11_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/pkcs11/Makefile.in b/src/libstrongswan/plugins/pkcs11/Makefile.in
new file mode 100644
index 000000000..c27310910
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs11/Makefile.in
@@ -0,0 +1,614 @@
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libstrongswan/plugins/pkcs11
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_pkcs11_la_LIBADD =
+am_libstrongswan_pkcs11_la_OBJECTS = pkcs11_plugin.lo \
+	pkcs11_library.lo pkcs11_creds.lo pkcs11_private_key.lo \
+	pkcs11_public_key.lo pkcs11_hasher.lo pkcs11_manager.lo
+libstrongswan_pkcs11_la_OBJECTS =  \
+	$(am_libstrongswan_pkcs11_la_OBJECTS)
+libstrongswan_pkcs11_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_pkcs11_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_pkcs11_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_pkcs11_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_pkcs11_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_pkcs11_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+AM_CFLAGS = -rdynamic
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-pkcs11.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-pkcs11.la
+libstrongswan_pkcs11_la_SOURCES = \
+	pkcs11_plugin.h pkcs11_plugin.c pkcs11.h \
+	pkcs11_library.h pkcs11_library.c \
+	pkcs11_creds.h pkcs11_creds.c \
+	pkcs11_private_key.h pkcs11_private_key.c \
+	pkcs11_public_key.h pkcs11_public_key.c \
+	pkcs11_hasher.h pkcs11_hasher.c \
+	pkcs11_manager.h pkcs11_manager.c
+
+libstrongswan_pkcs11_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/pkcs11/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libstrongswan/plugins/pkcs11/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-pkcs11.la: $(libstrongswan_pkcs11_la_OBJECTS) $(libstrongswan_pkcs11_la_DEPENDENCIES) 
+	$(libstrongswan_pkcs11_la_LINK) $(am_libstrongswan_pkcs11_la_rpath) $(libstrongswan_pkcs11_la_OBJECTS) $(libstrongswan_pkcs11_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs11_creds.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs11_hasher.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs11_library.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs11_manager.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs11_plugin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs11_private_key.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs11_public_key.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11.h b/src/libstrongswan/plugins/pkcs11/pkcs11.h
new file mode 100644
index 000000000..2e6a1e3ed
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11.h
@@ -0,0 +1,1357 @@
+/* pkcs11.h
+   Copyright 2006, 2007 g10 Code GmbH
+   Copyright 2006 Andreas Jellinghaus
+
+   This file is free software; as a special exception the author gives
+   unlimited permission to copy and/or distribute it, with or without
+   modifications, as long as this notice is preserved.
+
+   This file is distributed in the hope that it will be useful, but
+   WITHOUT ANY WARRANTY, to the extent permitted by law; without even
+   the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+   PURPOSE.  */
+
+/* Please submit changes back to the Scute project at
+   http://www.scute.org/ (or send them to marcus@g10code.com), so that
+   they can be picked up by other projects from there as well.  */
+
+/* This file is a modified implementation of the PKCS #11 standard by
+   RSA Security Inc.  It is mostly a drop-in replacement, with the
+   following change:
+
+   This header file does not require any macro definitions by the user
+   (like CK_DEFINE_FUNCTION etc).  In fact, it defines those macros
+   for you (if useful, some are missing, let me know if you need
+   more).
+
+   There is an additional API available that does comply better to the
+   GNU coding standard.  It can be switched on by defining
+   CRYPTOKI_GNU before including this header file.  For this, the
+   following changes are made to the specification:
+
+   All structure types are changed to a "struct ck_foo" where CK_FOO
+   is the type name in PKCS #11.
+
+   All non-structure types are changed to ck_foo_t where CK_FOO is the
+   lowercase version of the type name in PKCS #11.  The basic types
+   (CK_ULONG et al.) are removed without substitute.
+
+   All members of structures are modified in the following way: Type
+   indication prefixes are removed, and underscore characters are
+   inserted before words.  Then the result is lowercased.
+
+   Note that function names are still in the original case, as they
+   need for ABI compatibility.
+
+   CK_FALSE, CK_TRUE and NULL_PTR are removed without substitute.  Use
+   <stdbool.h>.
+
+   If CRYPTOKI_COMPAT is defined before including this header file,
+   then none of the API changes above take place, and the API is the
+   one defined by the PKCS #11 standard.  */
+
+#ifndef PKCS11_H
+#define PKCS11_H 1
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+
+/* The version of cryptoki we implement.  The revision is changed with
+   each modification of this file.  If you do not use the "official"
+   version of this file, please consider deleting the revision macro
+   (you may use a macro with a different name to keep track of your
+   versions).  */
+#define CRYPTOKI_VERSION_MAJOR		2
+#define CRYPTOKI_VERSION_MINOR		20
+#define CRYPTOKI_VERSION_REVISION	6
+
+
+/* Compatibility interface is default, unless CRYPTOKI_GNU is
+   given.  */
+#ifndef CRYPTOKI_GNU
+#ifndef CRYPTOKI_COMPAT
+#define CRYPTOKI_COMPAT 1
+#endif
+#endif
+
+/* System dependencies.  */
+
+#if defined(_WIN32) || defined(CRYPTOKI_FORCE_WIN32)
+
+/* There is a matching pop below.  */
+#pragma pack(push, cryptoki, 1)
+
+#ifdef CRYPTOKI_EXPORTS
+#define CK_SPEC __declspec(dllexport)
+#else
+#define CK_SPEC __declspec(dllimport)
+#endif
+
+#else
+
+#define CK_SPEC
+
+#endif
+
+
+#ifdef CRYPTOKI_COMPAT
+  /* If we are in compatibility mode, switch all exposed names to the
+     PKCS #11 variant.  There are corresponding #undefs below.  */
+
+#define ck_flags_t CK_FLAGS
+#define ck_version _CK_VERSION
+
+#define ck_info _CK_INFO
+#define cryptoki_version cryptokiVersion
+#define manufacturer_id manufacturerID
+#define library_description libraryDescription
+#define library_version libraryVersion
+
+#define ck_notification_t CK_NOTIFICATION
+#define ck_slot_id_t CK_SLOT_ID
+
+#define ck_slot_info _CK_SLOT_INFO
+#define slot_description slotDescription
+#define hardware_version hardwareVersion
+#define firmware_version firmwareVersion
+
+#define ck_token_info _CK_TOKEN_INFO
+#define serial_number serialNumber
+#define max_session_count ulMaxSessionCount
+#define session_count ulSessionCount
+#define max_rw_session_count ulMaxRwSessionCount
+#define rw_session_count ulRwSessionCount
+#define max_pin_len ulMaxPinLen
+#define min_pin_len ulMinPinLen
+#define total_public_memory ulTotalPublicMemory
+#define free_public_memory ulFreePublicMemory
+#define total_private_memory ulTotalPrivateMemory
+#define free_private_memory ulFreePrivateMemory
+#define utc_time utcTime
+
+#define ck_session_handle_t CK_SESSION_HANDLE
+#define ck_user_type_t CK_USER_TYPE
+#define ck_state_t CK_STATE
+
+#define ck_session_info _CK_SESSION_INFO
+#define slot_id slotID
+#define device_error ulDeviceError
+
+#define ck_object_handle_t CK_OBJECT_HANDLE
+#define ck_object_class_t CK_OBJECT_CLASS
+#define ck_hw_feature_type_t CK_HW_FEATURE_TYPE
+#define ck_key_type_t CK_KEY_TYPE
+#define ck_certificate_type_t CK_CERTIFICATE_TYPE
+#define ck_attribute_type_t CK_ATTRIBUTE_TYPE
+
+#define ck_attribute _CK_ATTRIBUTE
+#define value pValue
+#define value_len ulValueLen
+
+#define ck_date _CK_DATE
+
+#define ck_mechanism_type_t CK_MECHANISM_TYPE
+
+#define ck_mechanism _CK_MECHANISM
+#define parameter pParameter
+#define parameter_len ulParameterLen
+
+#define ck_mechanism_info _CK_MECHANISM_INFO
+#define min_key_size ulMinKeySize
+#define max_key_size ulMaxKeySize
+
+#define ck_rv_t CK_RV
+#define ck_notify_t CK_NOTIFY
+
+#define ck_function_list _CK_FUNCTION_LIST
+
+#define ck_createmutex_t CK_CREATEMUTEX
+#define ck_destroymutex_t CK_DESTROYMUTEX
+#define ck_lockmutex_t CK_LOCKMUTEX
+#define ck_unlockmutex_t CK_UNLOCKMUTEX
+
+#define ck_c_initialize_args _CK_C_INITIALIZE_ARGS
+#define create_mutex CreateMutex
+#define destroy_mutex DestroyMutex
+#define lock_mutex LockMutex
+#define unlock_mutex UnlockMutex
+#define reserved pReserved
+
+#endif	/* CRYPTOKI_COMPAT */
+
+
+
+typedef unsigned long ck_flags_t;
+
+struct ck_version
+{
+  unsigned char major;
+  unsigned char minor;
+};
+
+
+struct ck_info
+{
+  struct ck_version cryptoki_version;
+  unsigned char manufacturer_id[32];
+  ck_flags_t flags;
+  unsigned char library_description[32];
+  struct ck_version library_version;
+};
+
+
+typedef unsigned long ck_notification_t;
+
+#define CKN_SURRENDER	(0)
+
+
+typedef unsigned long ck_slot_id_t;
+
+
+struct ck_slot_info
+{
+  unsigned char slot_description[64];
+  unsigned char manufacturer_id[32];
+  ck_flags_t flags;
+  struct ck_version hardware_version;
+  struct ck_version firmware_version;
+};
+
+
+#define CKF_TOKEN_PRESENT	(1 << 0)
+#define CKF_REMOVABLE_DEVICE	(1 << 1)
+#define CKF_HW_SLOT		(1 << 2)
+#define CKF_ARRAY_ATTRIBUTE	(1 << 30)
+
+
+struct ck_token_info
+{
+  unsigned char label[32];
+  unsigned char manufacturer_id[32];
+  unsigned char model[16];
+  unsigned char serial_number[16];
+  ck_flags_t flags;
+  unsigned long max_session_count;
+  unsigned long session_count;
+  unsigned long max_rw_session_count;
+  unsigned long rw_session_count;
+  unsigned long max_pin_len;
+  unsigned long min_pin_len;
+  unsigned long total_public_memory;
+  unsigned long free_public_memory;
+  unsigned long total_private_memory;
+  unsigned long free_private_memory;
+  struct ck_version hardware_version;
+  struct ck_version firmware_version;
+  unsigned char utc_time[16];
+};
+
+
+#define CKF_RNG					(1 << 0)
+#define CKF_WRITE_PROTECTED			(1 << 1)
+#define CKF_LOGIN_REQUIRED			(1 << 2)
+#define CKF_USER_PIN_INITIALIZED		(1 << 3)
+#define CKF_RESTORE_KEY_NOT_NEEDED		(1 << 5)
+#define CKF_CLOCK_ON_TOKEN			(1 << 6)
+#define CKF_PROTECTED_AUTHENTICATION_PATH	(1 << 8)
+#define CKF_DUAL_CRYPTO_OPERATIONS		(1 << 9)
+#define CKF_TOKEN_INITIALIZED			(1 << 10)
+#define CKF_SECONDARY_AUTHENTICATION		(1 << 11)
+#define CKF_USER_PIN_COUNT_LOW			(1 << 16)
+#define CKF_USER_PIN_FINAL_TRY			(1 << 17)
+#define CKF_USER_PIN_LOCKED			(1 << 18)
+#define CKF_USER_PIN_TO_BE_CHANGED		(1 << 19)
+#define CKF_SO_PIN_COUNT_LOW			(1 << 20)
+#define CKF_SO_PIN_FINAL_TRY			(1 << 21)
+#define CKF_SO_PIN_LOCKED			(1 << 22)
+#define CKF_SO_PIN_TO_BE_CHANGED		(1 << 23)
+
+#define CK_UNAVAILABLE_INFORMATION	((unsigned long) -1)
+#define CK_EFFECTIVELY_INFINITE		(0)
+
+
+typedef unsigned long ck_session_handle_t;
+
+#define CK_INVALID_HANDLE	(0)
+
+
+typedef unsigned long ck_user_type_t;
+
+#define CKU_SO			(0)
+#define CKU_USER		(1)
+#define CKU_CONTEXT_SPECIFIC	(2)
+
+
+typedef unsigned long ck_state_t;
+
+#define CKS_RO_PUBLIC_SESSION	(0)
+#define CKS_RO_USER_FUNCTIONS	(1)
+#define CKS_RW_PUBLIC_SESSION	(2)
+#define CKS_RW_USER_FUNCTIONS	(3)
+#define CKS_RW_SO_FUNCTIONS	(4)
+
+
+struct ck_session_info
+{
+  ck_slot_id_t slot_id;
+  ck_state_t state;
+  ck_flags_t flags;
+  unsigned long device_error;
+};
+
+#define CKF_RW_SESSION		(1 << 1)
+#define CKF_SERIAL_SESSION	(1 << 2)
+
+
+typedef unsigned long ck_object_handle_t;
+
+
+typedef unsigned long ck_object_class_t;
+
+#define CKO_DATA		(0)
+#define CKO_CERTIFICATE		(1)
+#define CKO_PUBLIC_KEY		(2)
+#define CKO_PRIVATE_KEY		(3)
+#define CKO_SECRET_KEY		(4)
+#define CKO_HW_FEATURE		(5)
+#define CKO_DOMAIN_PARAMETERS	(6)
+#define CKO_MECHANISM		(7)
+#define CKO_VENDOR_DEFINED	((unsigned long) (1 << 31))
+
+
+typedef unsigned long ck_hw_feature_type_t;
+
+#define CKH_MONOTONIC_COUNTER	(1)
+#define CKH_CLOCK		(2)
+#define CKH_USER_INTERFACE	(3)
+#define CKH_VENDOR_DEFINED	((unsigned long) (1 << 31))
+
+
+typedef unsigned long ck_key_type_t;
+
+#define CKK_RSA			(0)
+#define CKK_DSA			(1)
+#define CKK_DH			(2)
+#define CKK_ECDSA		(3)
+#define CKK_EC			(3)
+#define CKK_X9_42_DH		(4)
+#define CKK_KEA			(5)
+#define CKK_GENERIC_SECRET	(0x10)
+#define CKK_RC2			(0x11)
+#define CKK_RC4			(0x12)
+#define CKK_DES			(0x13)
+#define CKK_DES2		(0x14)
+#define CKK_DES3		(0x15)
+#define CKK_CAST		(0x16)
+#define CKK_CAST3		(0x17)
+#define CKK_CAST128		(0x18)
+#define CKK_RC5			(0x19)
+#define CKK_IDEA		(0x1a)
+#define CKK_SKIPJACK		(0x1b)
+#define CKK_BATON		(0x1c)
+#define CKK_JUNIPER		(0x1d)
+#define CKK_CDMF		(0x1e)
+#define CKK_AES			(0x1f)
+#define CKK_BLOWFISH		(0x20)
+#define CKK_TWOFISH		(0x21)
+#define CKK_VENDOR_DEFINED	((unsigned long) (1 << 31))
+
+
+typedef unsigned long ck_certificate_type_t;
+
+#define CKC_X_509		(0)
+#define CKC_X_509_ATTR_CERT	(1)
+#define CKC_WTLS		(2)
+#define CKC_VENDOR_DEFINED	((unsigned long) (1 << 31))
+
+
+typedef unsigned long ck_attribute_type_t;
+
+#define CKA_CLASS			(0)
+#define CKA_TOKEN			(1)
+#define CKA_PRIVATE			(2)
+#define CKA_LABEL			(3)
+#define CKA_APPLICATION			(0x10)
+#define CKA_VALUE			(0x11)
+#define CKA_OBJECT_ID			(0x12)
+#define CKA_CERTIFICATE_TYPE		(0x80)
+#define CKA_ISSUER			(0x81)
+#define CKA_SERIAL_NUMBER		(0x82)
+#define CKA_AC_ISSUER			(0x83)
+#define CKA_OWNER			(0x84)
+#define CKA_ATTR_TYPES			(0x85)
+#define CKA_TRUSTED			(0x86)
+#define CKA_CERTIFICATE_CATEGORY	(0x87)
+#define CKA_JAVA_MIDP_SECURITY_DOMAIN	(0x88)
+#define CKA_URL				(0x89)
+#define CKA_HASH_OF_SUBJECT_PUBLIC_KEY	(0x8a)
+#define CKA_HASH_OF_ISSUER_PUBLIC_KEY	(0x8b)
+#define CKA_CHECK_VALUE			(0x90)
+#define CKA_KEY_TYPE			(0x100)
+#define CKA_SUBJECT			(0x101)
+#define CKA_ID				(0x102)
+#define CKA_SENSITIVE			(0x103)
+#define CKA_ENCRYPT			(0x104)
+#define CKA_DECRYPT			(0x105)
+#define CKA_WRAP			(0x106)
+#define CKA_UNWRAP			(0x107)
+#define CKA_SIGN			(0x108)
+#define CKA_SIGN_RECOVER		(0x109)
+#define CKA_VERIFY			(0x10a)
+#define CKA_VERIFY_RECOVER		(0x10b)
+#define CKA_DERIVE			(0x10c)
+#define CKA_START_DATE			(0x110)
+#define CKA_END_DATE			(0x111)
+#define CKA_MODULUS			(0x120)
+#define CKA_MODULUS_BITS		(0x121)
+#define CKA_PUBLIC_EXPONENT		(0x122)
+#define CKA_PRIVATE_EXPONENT		(0x123)
+#define CKA_PRIME_1			(0x124)
+#define CKA_PRIME_2			(0x125)
+#define CKA_EXPONENT_1			(0x126)
+#define CKA_EXPONENT_2			(0x127)
+#define CKA_COEFFICIENT			(0x128)
+#define CKA_PRIME			(0x130)
+#define CKA_SUBPRIME			(0x131)
+#define CKA_BASE			(0x132)
+#define CKA_PRIME_BITS			(0x133)
+#define CKA_SUB_PRIME_BITS		(0x134)
+#define CKA_VALUE_BITS			(0x160)
+#define CKA_VALUE_LEN			(0x161)
+#define CKA_EXTRACTABLE			(0x162)
+#define CKA_LOCAL			(0x163)
+#define CKA_NEVER_EXTRACTABLE		(0x164)
+#define CKA_ALWAYS_SENSITIVE		(0x165)
+#define CKA_KEY_GEN_MECHANISM		(0x166)
+#define CKA_MODIFIABLE			(0x170)
+#define CKA_ECDSA_PARAMS		(0x180)
+#define CKA_EC_PARAMS			(0x180)
+#define CKA_EC_POINT			(0x181)
+#define CKA_SECONDARY_AUTH		(0x200)
+#define CKA_AUTH_PIN_FLAGS		(0x201)
+#define CKA_ALWAYS_AUTHENTICATE		(0x202)
+#define CKA_WRAP_WITH_TRUSTED		(0x210)
+#define CKA_HW_FEATURE_TYPE		(0x300)
+#define CKA_RESET_ON_INIT		(0x301)
+#define CKA_HAS_RESET			(0x302)
+#define CKA_PIXEL_X			(0x400)
+#define CKA_PIXEL_Y			(0x401)
+#define CKA_RESOLUTION			(0x402)
+#define CKA_CHAR_ROWS			(0x403)
+#define CKA_CHAR_COLUMNS		(0x404)
+#define CKA_COLOR			(0x405)
+#define CKA_BITS_PER_PIXEL		(0x406)
+#define CKA_CHAR_SETS			(0x480)
+#define CKA_ENCODING_METHODS		(0x481)
+#define CKA_MIME_TYPES			(0x482)
+#define CKA_MECHANISM_TYPE		(0x500)
+#define CKA_REQUIRED_CMS_ATTRIBUTES	(0x501)
+#define CKA_DEFAULT_CMS_ATTRIBUTES	(0x502)
+#define CKA_SUPPORTED_CMS_ATTRIBUTES	(0x503)
+#define CKA_WRAP_TEMPLATE		(CKF_ARRAY_ATTRIBUTE | 0x211)
+#define CKA_UNWRAP_TEMPLATE		(CKF_ARRAY_ATTRIBUTE | 0x212)
+#define CKA_ALLOWED_MECHANISMS		(CKF_ARRAY_ATTRIBUTE | 0x600)
+#define CKA_VENDOR_DEFINED		((unsigned long) (1 << 31))
+
+
+struct ck_attribute
+{
+  ck_attribute_type_t type;
+  void *value;
+  unsigned long value_len;
+};
+
+
+struct ck_date
+{
+  unsigned char year[4];
+  unsigned char month[2];
+  unsigned char day[2];
+};
+
+
+typedef unsigned long ck_mechanism_type_t;
+
+#define CKM_RSA_PKCS_KEY_PAIR_GEN	(0)
+#define CKM_RSA_PKCS			(1)
+#define CKM_RSA_9796			(2)
+#define CKM_RSA_X_509			(3)
+#define CKM_MD2_RSA_PKCS		(4)
+#define CKM_MD5_RSA_PKCS		(5)
+#define CKM_SHA1_RSA_PKCS		(6)
+#define CKM_RIPEMD128_RSA_PKCS		(7)
+#define CKM_RIPEMD160_RSA_PKCS		(8)
+#define CKM_RSA_PKCS_OAEP		(9)
+#define CKM_RSA_X9_31_KEY_PAIR_GEN	(0xa)
+#define CKM_RSA_X9_31			(0xb)
+#define CKM_SHA1_RSA_X9_31		(0xc)
+#define CKM_RSA_PKCS_PSS		(0xd)
+#define CKM_SHA1_RSA_PKCS_PSS		(0xe)
+#define CKM_DSA_KEY_PAIR_GEN		(0x10)
+#define	CKM_DSA				(0x11)
+#define CKM_DSA_SHA1			(0x12)
+#define CKM_DH_PKCS_KEY_PAIR_GEN	(0x20)
+#define CKM_DH_PKCS_DERIVE		(0x21)
+#define	CKM_X9_42_DH_KEY_PAIR_GEN	(0x30)
+#define CKM_X9_42_DH_DERIVE		(0x31)
+#define CKM_X9_42_DH_HYBRID_DERIVE	(0x32)
+#define CKM_X9_42_MQV_DERIVE		(0x33)
+#define CKM_SHA256_RSA_PKCS		(0x40)
+#define CKM_SHA384_RSA_PKCS		(0x41)
+#define CKM_SHA512_RSA_PKCS		(0x42)
+#define CKM_SHA256_RSA_PKCS_PSS		(0x43)
+#define CKM_SHA384_RSA_PKCS_PSS		(0x44)
+#define CKM_SHA512_RSA_PKCS_PSS		(0x45)
+#define CKM_RC2_KEY_GEN			(0x100)
+#define CKM_RC2_ECB			(0x101)
+#define	CKM_RC2_CBC			(0x102)
+#define	CKM_RC2_MAC			(0x103)
+#define CKM_RC2_MAC_GENERAL		(0x104)
+#define CKM_RC2_CBC_PAD			(0x105)
+#define CKM_RC4_KEY_GEN			(0x110)
+#define CKM_RC4				(0x111)
+#define CKM_DES_KEY_GEN			(0x120)
+#define CKM_DES_ECB			(0x121)
+#define CKM_DES_CBC			(0x122)
+#define CKM_DES_MAC			(0x123)
+#define CKM_DES_MAC_GENERAL		(0x124)
+#define CKM_DES_CBC_PAD			(0x125)
+#define CKM_DES2_KEY_GEN		(0x130)
+#define CKM_DES3_KEY_GEN		(0x131)
+#define CKM_DES3_ECB			(0x132)
+#define CKM_DES3_CBC			(0x133)
+#define CKM_DES3_MAC			(0x134)
+#define CKM_DES3_MAC_GENERAL		(0x135)
+#define CKM_DES3_CBC_PAD		(0x136)
+#define CKM_CDMF_KEY_GEN		(0x140)
+#define CKM_CDMF_ECB			(0x141)
+#define CKM_CDMF_CBC			(0x142)
+#define CKM_CDMF_MAC			(0x143)
+#define CKM_CDMF_MAC_GENERAL		(0x144)
+#define CKM_CDMF_CBC_PAD		(0x145)
+#define CKM_MD2				(0x200)
+#define CKM_MD2_HMAC			(0x201)
+#define CKM_MD2_HMAC_GENERAL		(0x202)
+#define CKM_MD5				(0x210)
+#define CKM_MD5_HMAC			(0x211)
+#define CKM_MD5_HMAC_GENERAL		(0x212)
+#define CKM_SHA_1			(0x220)
+#define CKM_SHA_1_HMAC			(0x221)
+#define CKM_SHA_1_HMAC_GENERAL		(0x222)
+#define CKM_RIPEMD128			(0x230)
+#define CKM_RIPEMD128_HMAC		(0x231)
+#define CKM_RIPEMD128_HMAC_GENERAL	(0x232)
+#define CKM_RIPEMD160			(0x240)
+#define CKM_RIPEMD160_HMAC		(0x241)
+#define CKM_RIPEMD160_HMAC_GENERAL	(0x242)
+#define CKM_SHA256			(0x250)
+#define CKM_SHA256_HMAC			(0x251)
+#define CKM_SHA256_HMAC_GENERAL		(0x252)
+#define CKM_SHA384			(0x260)
+#define CKM_SHA384_HMAC			(0x261)
+#define CKM_SHA384_HMAC_GENERAL		(0x262)
+#define CKM_SHA512			(0x270)
+#define CKM_SHA512_HMAC			(0x271)
+#define CKM_SHA512_HMAC_GENERAL		(0x272)
+#define CKM_CAST_KEY_GEN		(0x300)
+#define CKM_CAST_ECB			(0x301)
+#define CKM_CAST_CBC			(0x302)
+#define CKM_CAST_MAC			(0x303)
+#define CKM_CAST_MAC_GENERAL		(0x304)
+#define CKM_CAST_CBC_PAD		(0x305)
+#define CKM_CAST3_KEY_GEN		(0x310)
+#define CKM_CAST3_ECB			(0x311)
+#define CKM_CAST3_CBC			(0x312)
+#define CKM_CAST3_MAC			(0x313)
+#define CKM_CAST3_MAC_GENERAL		(0x314)
+#define CKM_CAST3_CBC_PAD		(0x315)
+#define CKM_CAST5_KEY_GEN		(0x320)
+#define CKM_CAST128_KEY_GEN		(0x320)
+#define CKM_CAST5_ECB			(0x321)
+#define CKM_CAST128_ECB			(0x321)
+#define CKM_CAST5_CBC			(0x322)
+#define CKM_CAST128_CBC			(0x322)
+#define CKM_CAST5_MAC			(0x323)
+#define	CKM_CAST128_MAC			(0x323)
+#define CKM_CAST5_MAC_GENERAL		(0x324)
+#define CKM_CAST128_MAC_GENERAL		(0x324)
+#define CKM_CAST5_CBC_PAD		(0x325)
+#define CKM_CAST128_CBC_PAD		(0x325)
+#define CKM_RC5_KEY_GEN			(0x330)
+#define CKM_RC5_ECB			(0x331)
+#define CKM_RC5_CBC			(0x332)
+#define CKM_RC5_MAC			(0x333)
+#define CKM_RC5_MAC_GENERAL		(0x334)
+#define CKM_RC5_CBC_PAD			(0x335)
+#define CKM_IDEA_KEY_GEN		(0x340)
+#define CKM_IDEA_ECB			(0x341)
+#define	CKM_IDEA_CBC			(0x342)
+#define CKM_IDEA_MAC			(0x343)
+#define CKM_IDEA_MAC_GENERAL		(0x344)
+#define CKM_IDEA_CBC_PAD		(0x345)
+#define CKM_GENERIC_SECRET_KEY_GEN	(0x350)
+#define CKM_CONCATENATE_BASE_AND_KEY	(0x360)
+#define CKM_CONCATENATE_BASE_AND_DATA	(0x362)
+#define CKM_CONCATENATE_DATA_AND_BASE	(0x363)
+#define CKM_XOR_BASE_AND_DATA		(0x364)
+#define CKM_EXTRACT_KEY_FROM_KEY	(0x365)
+#define CKM_SSL3_PRE_MASTER_KEY_GEN	(0x370)
+#define CKM_SSL3_MASTER_KEY_DERIVE	(0x371)
+#define CKM_SSL3_KEY_AND_MAC_DERIVE	(0x372)
+#define CKM_SSL3_MASTER_KEY_DERIVE_DH	(0x373)
+#define CKM_TLS_PRE_MASTER_KEY_GEN	(0x374)
+#define CKM_TLS_MASTER_KEY_DERIVE	(0x375)
+#define CKM_TLS_KEY_AND_MAC_DERIVE	(0x376)
+#define CKM_TLS_MASTER_KEY_DERIVE_DH	(0x377)
+#define CKM_SSL3_MD5_MAC		(0x380)
+#define CKM_SSL3_SHA1_MAC		(0x381)
+#define CKM_MD5_KEY_DERIVATION		(0x390)
+#define CKM_MD2_KEY_DERIVATION		(0x391)
+#define CKM_SHA1_KEY_DERIVATION		(0x392)
+#define CKM_PBE_MD2_DES_CBC		(0x3a0)
+#define CKM_PBE_MD5_DES_CBC		(0x3a1)
+#define CKM_PBE_MD5_CAST_CBC		(0x3a2)
+#define CKM_PBE_MD5_CAST3_CBC		(0x3a3)
+#define CKM_PBE_MD5_CAST5_CBC		(0x3a4)
+#define CKM_PBE_MD5_CAST128_CBC		(0x3a4)
+#define CKM_PBE_SHA1_CAST5_CBC		(0x3a5)
+#define CKM_PBE_SHA1_CAST128_CBC	(0x3a5)
+#define CKM_PBE_SHA1_RC4_128		(0x3a6)
+#define CKM_PBE_SHA1_RC4_40		(0x3a7)
+#define CKM_PBE_SHA1_DES3_EDE_CBC	(0x3a8)
+#define CKM_PBE_SHA1_DES2_EDE_CBC	(0x3a9)
+#define CKM_PBE_SHA1_RC2_128_CBC	(0x3aa)
+#define CKM_PBE_SHA1_RC2_40_CBC		(0x3ab)
+#define CKM_PKCS5_PBKD2			(0x3b0)
+#define CKM_PBA_SHA1_WITH_SHA1_HMAC	(0x3c0)
+#define CKM_KEY_WRAP_LYNKS		(0x400)
+#define CKM_KEY_WRAP_SET_OAEP		(0x401)
+#define CKM_SKIPJACK_KEY_GEN		(0x1000)
+#define CKM_SKIPJACK_ECB64		(0x1001)
+#define CKM_SKIPJACK_CBC64		(0x1002)
+#define CKM_SKIPJACK_OFB64		(0x1003)
+#define CKM_SKIPJACK_CFB64		(0x1004)
+#define CKM_SKIPJACK_CFB32		(0x1005)
+#define CKM_SKIPJACK_CFB16		(0x1006)
+#define CKM_SKIPJACK_CFB8		(0x1007)
+#define CKM_SKIPJACK_WRAP		(0x1008)
+#define CKM_SKIPJACK_PRIVATE_WRAP	(0x1009)
+#define CKM_SKIPJACK_RELAYX		(0x100a)
+#define CKM_KEA_KEY_PAIR_GEN		(0x1010)
+#define CKM_KEA_KEY_DERIVE		(0x1011)
+#define CKM_FORTEZZA_TIMESTAMP		(0x1020)
+#define CKM_BATON_KEY_GEN		(0x1030)
+#define CKM_BATON_ECB128		(0x1031)
+#define CKM_BATON_ECB96			(0x1032)
+#define CKM_BATON_CBC128		(0x1033)
+#define CKM_BATON_COUNTER		(0x1034)
+#define CKM_BATON_SHUFFLE		(0x1035)
+#define CKM_BATON_WRAP			(0x1036)
+#define CKM_ECDSA_KEY_PAIR_GEN		(0x1040)
+#define CKM_EC_KEY_PAIR_GEN		(0x1040)
+#define CKM_ECDSA			(0x1041)
+#define CKM_ECDSA_SHA1			(0x1042)
+#define CKM_ECDH1_DERIVE		(0x1050)
+#define CKM_ECDH1_COFACTOR_DERIVE	(0x1051)
+#define CKM_ECMQV_DERIVE		(0x1052)
+#define CKM_JUNIPER_KEY_GEN		(0x1060)
+#define CKM_JUNIPER_ECB128		(0x1061)
+#define CKM_JUNIPER_CBC128		(0x1062)
+#define CKM_JUNIPER_COUNTER		(0x1063)
+#define CKM_JUNIPER_SHUFFLE		(0x1064)
+#define CKM_JUNIPER_WRAP		(0x1065)
+#define CKM_FASTHASH			(0x1070)
+#define CKM_AES_KEY_GEN			(0x1080)
+#define CKM_AES_ECB			(0x1081)
+#define CKM_AES_CBC			(0x1082)
+#define CKM_AES_MAC			(0x1083)
+#define CKM_AES_MAC_GENERAL		(0x1084)
+#define CKM_AES_CBC_PAD			(0x1085)
+#define CKM_DSA_PARAMETER_GEN		(0x2000)
+#define CKM_DH_PKCS_PARAMETER_GEN	(0x2001)
+#define CKM_X9_42_DH_PARAMETER_GEN	(0x2002)
+#define CKM_VENDOR_DEFINED		((unsigned long) (1 << 31))
+
+
+struct ck_mechanism
+{
+  ck_mechanism_type_t mechanism;
+  void *parameter;
+  unsigned long parameter_len;
+};
+
+
+struct ck_mechanism_info
+{
+  unsigned long min_key_size;
+  unsigned long max_key_size;
+  ck_flags_t flags;
+};
+
+#define CKF_HW			(1 << 0)
+#define CKF_ENCRYPT		(1 << 8)
+#define CKF_DECRYPT		(1 << 9)
+#define CKF_DIGEST		(1 << 10)
+#define CKF_SIGN		(1 << 11)
+#define CKF_SIGN_RECOVER	(1 << 12)
+#define CKF_VERIFY		(1 << 13)
+#define CKF_VERIFY_RECOVER	(1 << 14)
+#define CKF_GENERATE		(1 << 15)
+#define CKF_GENERATE_KEY_PAIR	(1 << 16)
+#define CKF_WRAP		(1 << 17)
+#define CKF_UNWRAP		(1 << 18)
+#define CKF_DERIVE		(1 << 19)
+#define CKF_EXTENSION		((unsigned long) (1 << 31))
+
+
+/* Flags for C_WaitForSlotEvent.  */
+#define CKF_DONT_BLOCK				(1)
+
+
+typedef unsigned long ck_rv_t;
+
+
+typedef ck_rv_t (*ck_notify_t) (ck_session_handle_t session,
+				ck_notification_t event, void *application);
+
+/* Forward reference.  */
+struct ck_function_list;
+
+#define _CK_DECLARE_FUNCTION(name, args)	\
+typedef ck_rv_t (*CK_ ## name) args;		\
+ck_rv_t CK_SPEC name args
+
+_CK_DECLARE_FUNCTION (C_Initialize, (void *init_args));
+_CK_DECLARE_FUNCTION (C_Finalize, (void *reserved));
+_CK_DECLARE_FUNCTION (C_GetInfo, (struct ck_info *info));
+_CK_DECLARE_FUNCTION (C_GetFunctionList,
+		      (struct ck_function_list **function_list));
+
+_CK_DECLARE_FUNCTION (C_GetSlotList,
+		      (unsigned char token_present, ck_slot_id_t *slot_list,
+		       unsigned long *count));
+_CK_DECLARE_FUNCTION (C_GetSlotInfo,
+		      (ck_slot_id_t slot_id, struct ck_slot_info *info));
+_CK_DECLARE_FUNCTION (C_GetTokenInfo,
+		      (ck_slot_id_t slot_id, struct ck_token_info *info));
+_CK_DECLARE_FUNCTION (C_WaitForSlotEvent,
+		      (ck_flags_t flags, ck_slot_id_t *slot, void *reserved));
+_CK_DECLARE_FUNCTION (C_GetMechanismList,
+		      (ck_slot_id_t slot_id,
+		       ck_mechanism_type_t *mechanism_list,
+		       unsigned long *count));
+_CK_DECLARE_FUNCTION (C_GetMechanismInfo,
+		      (ck_slot_id_t slot_id, ck_mechanism_type_t type,
+		       struct ck_mechanism_info *info));
+_CK_DECLARE_FUNCTION (C_InitToken,
+		      (ck_slot_id_t slot_id, unsigned char *pin,
+		       unsigned long pin_len, unsigned char *label));
+_CK_DECLARE_FUNCTION (C_InitPIN,
+		      (ck_session_handle_t session, unsigned char *pin,
+		       unsigned long pin_len));
+_CK_DECLARE_FUNCTION (C_SetPIN,
+		      (ck_session_handle_t session, unsigned char *old_pin,
+		       unsigned long old_len, unsigned char *new_pin,
+		       unsigned long new_len));
+
+_CK_DECLARE_FUNCTION (C_OpenSession,
+		      (ck_slot_id_t slot_id, ck_flags_t flags,
+		       void *application, ck_notify_t notify,
+		       ck_session_handle_t *session));
+_CK_DECLARE_FUNCTION (C_CloseSession, (ck_session_handle_t session));
+_CK_DECLARE_FUNCTION (C_CloseAllSessions, (ck_slot_id_t slot_id));
+_CK_DECLARE_FUNCTION (C_GetSessionInfo,
+		      (ck_session_handle_t session,
+		       struct ck_session_info *info));
+_CK_DECLARE_FUNCTION (C_GetOperationState,
+		      (ck_session_handle_t session,
+		       unsigned char *operation_state,
+		       unsigned long *operation_state_len));
+_CK_DECLARE_FUNCTION (C_SetOperationState,
+		      (ck_session_handle_t session,
+		       unsigned char *operation_state,
+		       unsigned long operation_state_len,
+		       ck_object_handle_t encryption_key,
+		       ck_object_handle_t authentiation_key));
+_CK_DECLARE_FUNCTION (C_Login,
+		      (ck_session_handle_t session, ck_user_type_t user_type,
+		       unsigned char *pin, unsigned long pin_len));
+_CK_DECLARE_FUNCTION (C_Logout, (ck_session_handle_t session));
+
+_CK_DECLARE_FUNCTION (C_CreateObject,
+		      (ck_session_handle_t session,
+		       struct ck_attribute *templ,
+		       unsigned long count, ck_object_handle_t *object));
+_CK_DECLARE_FUNCTION (C_CopyObject,
+		      (ck_session_handle_t session, ck_object_handle_t object,
+		       struct ck_attribute *templ, unsigned long count,
+		       ck_object_handle_t *new_object));
+_CK_DECLARE_FUNCTION (C_DestroyObject,
+		      (ck_session_handle_t session,
+		       ck_object_handle_t object));
+_CK_DECLARE_FUNCTION (C_GetObjectSize,
+		      (ck_session_handle_t session,
+		       ck_object_handle_t object,
+		       unsigned long *size));
+_CK_DECLARE_FUNCTION (C_GetAttributeValue,
+		      (ck_session_handle_t session,
+		       ck_object_handle_t object,
+		       struct ck_attribute *templ,
+		       unsigned long count));
+_CK_DECLARE_FUNCTION (C_SetAttributeValue,
+		      (ck_session_handle_t session,
+		       ck_object_handle_t object,
+		       struct ck_attribute *templ,
+		       unsigned long count));
+_CK_DECLARE_FUNCTION (C_FindObjectsInit,
+		      (ck_session_handle_t session,
+		       struct ck_attribute *templ,
+		       unsigned long count));
+_CK_DECLARE_FUNCTION (C_FindObjects,
+		      (ck_session_handle_t session,
+		       ck_object_handle_t *object,
+		       unsigned long max_object_count,
+		       unsigned long *object_count));
+_CK_DECLARE_FUNCTION (C_FindObjectsFinal,
+		      (ck_session_handle_t session));
+
+_CK_DECLARE_FUNCTION (C_EncryptInit,
+		      (ck_session_handle_t session,
+		       struct ck_mechanism *mechanism,
+		       ck_object_handle_t key));
+_CK_DECLARE_FUNCTION (C_Encrypt,
+		      (ck_session_handle_t session,
+		       unsigned char *data, unsigned long data_len,
+		       unsigned char *encrypted_data,
+		       unsigned long *encrypted_data_len));
+_CK_DECLARE_FUNCTION (C_EncryptUpdate,
+		      (ck_session_handle_t session,
+		       unsigned char *part, unsigned long part_len,
+		       unsigned char *encrypted_part,
+		       unsigned long *encrypted_part_len));
+_CK_DECLARE_FUNCTION (C_EncryptFinal,
+		      (ck_session_handle_t session,
+		       unsigned char *last_encrypted_part,
+		       unsigned long *last_encrypted_part_len));
+
+_CK_DECLARE_FUNCTION (C_DecryptInit,
+		      (ck_session_handle_t session,
+		       struct ck_mechanism *mechanism,
+		       ck_object_handle_t key));
+_CK_DECLARE_FUNCTION (C_Decrypt,
+		      (ck_session_handle_t session,
+		       unsigned char *encrypted_data,
+		       unsigned long encrypted_data_len,
+		       unsigned char *data, unsigned long *data_len));
+_CK_DECLARE_FUNCTION (C_DecryptUpdate,
+		      (ck_session_handle_t session,
+		       unsigned char *encrypted_part,
+		       unsigned long encrypted_part_len,
+		       unsigned char *part, unsigned long *part_len));
+_CK_DECLARE_FUNCTION (C_DecryptFinal,
+		      (ck_session_handle_t session,
+		       unsigned char *last_part,
+		       unsigned long *last_part_len));
+
+_CK_DECLARE_FUNCTION (C_DigestInit,
+		      (ck_session_handle_t session,
+		       struct ck_mechanism *mechanism));
+_CK_DECLARE_FUNCTION (C_Digest,
+		      (ck_session_handle_t session,
+		       unsigned char *data, unsigned long data_len,
+		       unsigned char *digest,
+		       unsigned long *digest_len));
+_CK_DECLARE_FUNCTION (C_DigestUpdate,
+		      (ck_session_handle_t session,
+		       unsigned char *part, unsigned long part_len));
+_CK_DECLARE_FUNCTION (C_DigestKey,
+		      (ck_session_handle_t session, ck_object_handle_t key));
+_CK_DECLARE_FUNCTION (C_DigestFinal,
+		      (ck_session_handle_t session,
+		       unsigned char *digest,
+		       unsigned long *digest_len));
+
+_CK_DECLARE_FUNCTION (C_SignInit,
+		      (ck_session_handle_t session,
+		       struct ck_mechanism *mechanism,
+		       ck_object_handle_t key));
+_CK_DECLARE_FUNCTION (C_Sign,
+		      (ck_session_handle_t session,
+		       unsigned char *data, unsigned long data_len,
+		       unsigned char *signature,
+		       unsigned long *signature_len));
+_CK_DECLARE_FUNCTION (C_SignUpdate,
+		      (ck_session_handle_t session,
+		       unsigned char *part, unsigned long part_len));
+_CK_DECLARE_FUNCTION (C_SignFinal,
+		      (ck_session_handle_t session,
+		       unsigned char *signature,
+		       unsigned long *signature_len));
+_CK_DECLARE_FUNCTION (C_SignRecoverInit,
+		      (ck_session_handle_t session,
+		       struct ck_mechanism *mechanism,
+		       ck_object_handle_t key));
+_CK_DECLARE_FUNCTION (C_SignRecover,
+		      (ck_session_handle_t session,
+		       unsigned char *data, unsigned long data_len,
+		       unsigned char *signature,
+		       unsigned long *signature_len));
+
+_CK_DECLARE_FUNCTION (C_VerifyInit,
+		      (ck_session_handle_t session,
+		       struct ck_mechanism *mechanism,
+		       ck_object_handle_t key));
+_CK_DECLARE_FUNCTION (C_Verify,
+		      (ck_session_handle_t session,
+		       unsigned char *data, unsigned long data_len,
+		       unsigned char *signature,
+		       unsigned long signature_len));
+_CK_DECLARE_FUNCTION (C_VerifyUpdate,
+		      (ck_session_handle_t session,
+		       unsigned char *part, unsigned long part_len));
+_CK_DECLARE_FUNCTION (C_VerifyFinal,
+		      (ck_session_handle_t session,
+		       unsigned char *signature,
+		       unsigned long signature_len));
+_CK_DECLARE_FUNCTION (C_VerifyRecoverInit,
+		      (ck_session_handle_t session,
+		       struct ck_mechanism *mechanism,
+		       ck_object_handle_t key));
+_CK_DECLARE_FUNCTION (C_VerifyRecover,
+		      (ck_session_handle_t session,
+		       unsigned char *signature,
+		       unsigned long signature_len,
+		       unsigned char *data,
+		       unsigned long *data_len));
+
+_CK_DECLARE_FUNCTION (C_DigestEncryptUpdate,
+		      (ck_session_handle_t session,
+		       unsigned char *part, unsigned long part_len,
+		       unsigned char *encrypted_part,
+		       unsigned long *encrypted_part_len));
+_CK_DECLARE_FUNCTION (C_DecryptDigestUpdate,
+		      (ck_session_handle_t session,
+		       unsigned char *encrypted_part,
+		       unsigned long encrypted_part_len,
+		       unsigned char *part,
+		       unsigned long *part_len));
+_CK_DECLARE_FUNCTION (C_SignEncryptUpdate,
+		      (ck_session_handle_t session,
+		       unsigned char *part, unsigned long part_len,
+		       unsigned char *encrypted_part,
+		       unsigned long *encrypted_part_len));
+_CK_DECLARE_FUNCTION (C_DecryptVerifyUpdate,
+		      (ck_session_handle_t session,
+		       unsigned char *encrypted_part,
+		       unsigned long encrypted_part_len,
+		       unsigned char *part,
+		       unsigned long *part_len));
+
+_CK_DECLARE_FUNCTION (C_GenerateKey,
+		      (ck_session_handle_t session,
+		       struct ck_mechanism *mechanism,
+		       struct ck_attribute *templ,
+		       unsigned long count,
+		       ck_object_handle_t *key));
+_CK_DECLARE_FUNCTION (C_GenerateKeyPair,
+		      (ck_session_handle_t session,
+		       struct ck_mechanism *mechanism,
+		       struct ck_attribute *public_key_template,
+		       unsigned long public_key_attribute_count,
+		       struct ck_attribute *private_key_template,
+		       unsigned long private_key_attribute_count,
+		       ck_object_handle_t *public_key,
+		       ck_object_handle_t *private_key));
+_CK_DECLARE_FUNCTION (C_WrapKey,
+		      (ck_session_handle_t session,
+		       struct ck_mechanism *mechanism,
+		       ck_object_handle_t wrapping_key,
+		       ck_object_handle_t key,
+		       unsigned char *wrapped_key,
+		       unsigned long *wrapped_key_len));
+_CK_DECLARE_FUNCTION (C_UnwrapKey,
+		      (ck_session_handle_t session,
+		       struct ck_mechanism *mechanism,
+		       ck_object_handle_t unwrapping_key,
+		       unsigned char *wrapped_key,
+		       unsigned long wrapped_key_len,
+		       struct ck_attribute *templ,
+		       unsigned long attribute_count,
+		       ck_object_handle_t *key));
+_CK_DECLARE_FUNCTION (C_DeriveKey,
+		      (ck_session_handle_t session,
+		       struct ck_mechanism *mechanism,
+		       ck_object_handle_t base_key,
+		       struct ck_attribute *templ,
+		       unsigned long attribute_count,
+		       ck_object_handle_t *key));
+
+_CK_DECLARE_FUNCTION (C_SeedRandom,
+		      (ck_session_handle_t session, unsigned char *seed,
+		       unsigned long seed_len));
+_CK_DECLARE_FUNCTION (C_GenerateRandom,
+		      (ck_session_handle_t session,
+		       unsigned char *random_data,
+		       unsigned long random_len));
+
+_CK_DECLARE_FUNCTION (C_GetFunctionStatus, (ck_session_handle_t session));
+_CK_DECLARE_FUNCTION (C_CancelFunction, (ck_session_handle_t session));
+
+
+struct ck_function_list
+{
+  struct ck_version version;
+  CK_C_Initialize C_Initialize;
+  CK_C_Finalize C_Finalize;
+  CK_C_GetInfo C_GetInfo;
+  CK_C_GetFunctionList C_GetFunctionList;
+  CK_C_GetSlotList C_GetSlotList;
+  CK_C_GetSlotInfo C_GetSlotInfo;
+  CK_C_GetTokenInfo C_GetTokenInfo;
+  CK_C_GetMechanismList C_GetMechanismList;
+  CK_C_GetMechanismInfo C_GetMechanismInfo;
+  CK_C_InitToken C_InitToken;
+  CK_C_InitPIN C_InitPIN;
+  CK_C_SetPIN C_SetPIN;
+  CK_C_OpenSession C_OpenSession;
+  CK_C_CloseSession C_CloseSession;
+  CK_C_CloseAllSessions C_CloseAllSessions;
+  CK_C_GetSessionInfo C_GetSessionInfo;
+  CK_C_GetOperationState C_GetOperationState;
+  CK_C_SetOperationState C_SetOperationState;
+  CK_C_Login C_Login;
+  CK_C_Logout C_Logout;
+  CK_C_CreateObject C_CreateObject;
+  CK_C_CopyObject C_CopyObject;
+  CK_C_DestroyObject C_DestroyObject;
+  CK_C_GetObjectSize C_GetObjectSize;
+  CK_C_GetAttributeValue C_GetAttributeValue;
+  CK_C_SetAttributeValue C_SetAttributeValue;
+  CK_C_FindObjectsInit C_FindObjectsInit;
+  CK_C_FindObjects C_FindObjects;
+  CK_C_FindObjectsFinal C_FindObjectsFinal;
+  CK_C_EncryptInit C_EncryptInit;
+  CK_C_Encrypt C_Encrypt;
+  CK_C_EncryptUpdate C_EncryptUpdate;
+  CK_C_EncryptFinal C_EncryptFinal;
+  CK_C_DecryptInit C_DecryptInit;
+  CK_C_Decrypt C_Decrypt;
+  CK_C_DecryptUpdate C_DecryptUpdate;
+  CK_C_DecryptFinal C_DecryptFinal;
+  CK_C_DigestInit C_DigestInit;
+  CK_C_Digest C_Digest;
+  CK_C_DigestUpdate C_DigestUpdate;
+  CK_C_DigestKey C_DigestKey;
+  CK_C_DigestFinal C_DigestFinal;
+  CK_C_SignInit C_SignInit;
+  CK_C_Sign C_Sign;
+  CK_C_SignUpdate C_SignUpdate;
+  CK_C_SignFinal C_SignFinal;
+  CK_C_SignRecoverInit C_SignRecoverInit;
+  CK_C_SignRecover C_SignRecover;
+  CK_C_VerifyInit C_VerifyInit;
+  CK_C_Verify C_Verify;
+  CK_C_VerifyUpdate C_VerifyUpdate;
+  CK_C_VerifyFinal C_VerifyFinal;
+  CK_C_VerifyRecoverInit C_VerifyRecoverInit;
+  CK_C_VerifyRecover C_VerifyRecover;
+  CK_C_DigestEncryptUpdate C_DigestEncryptUpdate;
+  CK_C_DecryptDigestUpdate C_DecryptDigestUpdate;
+  CK_C_SignEncryptUpdate C_SignEncryptUpdate;
+  CK_C_DecryptVerifyUpdate C_DecryptVerifyUpdate;
+  CK_C_GenerateKey C_GenerateKey;
+  CK_C_GenerateKeyPair C_GenerateKeyPair;
+  CK_C_WrapKey C_WrapKey;
+  CK_C_UnwrapKey C_UnwrapKey;
+  CK_C_DeriveKey C_DeriveKey;
+  CK_C_SeedRandom C_SeedRandom;
+  CK_C_GenerateRandom C_GenerateRandom;
+  CK_C_GetFunctionStatus C_GetFunctionStatus;
+  CK_C_CancelFunction C_CancelFunction;
+  CK_C_WaitForSlotEvent C_WaitForSlotEvent;
+};
+
+
+typedef ck_rv_t (*ck_createmutex_t) (void **mutex);
+typedef ck_rv_t (*ck_destroymutex_t) (void *mutex);
+typedef ck_rv_t (*ck_lockmutex_t) (void *mutex);
+typedef ck_rv_t (*ck_unlockmutex_t) (void *mutex);
+
+
+struct ck_c_initialize_args
+{
+  ck_createmutex_t create_mutex;
+  ck_destroymutex_t destroy_mutex;
+  ck_lockmutex_t lock_mutex;
+  ck_unlockmutex_t unlock_mutex;
+  ck_flags_t flags;
+  void *reserved;
+};
+
+
+#define CKF_LIBRARY_CANT_CREATE_OS_THREADS	(1 << 0)
+#define CKF_OS_LOCKING_OK			(1 << 1)
+
+#define CKR_OK					(0)
+#define CKR_CANCEL				(1)
+#define CKR_HOST_MEMORY				(2)
+#define CKR_SLOT_ID_INVALID			(3)
+#define CKR_GENERAL_ERROR			(5)
+#define CKR_FUNCTION_FAILED			(6)
+#define CKR_ARGUMENTS_BAD			(7)
+#define CKR_NO_EVENT				(8)
+#define CKR_NEED_TO_CREATE_THREADS		(9)
+#define CKR_CANT_LOCK				(0xa)
+#define CKR_ATTRIBUTE_READ_ONLY			(0x10)
+#define CKR_ATTRIBUTE_SENSITIVE			(0x11)
+#define CKR_ATTRIBUTE_TYPE_INVALID		(0x12)
+#define CKR_ATTRIBUTE_VALUE_INVALID		(0x13)
+#define CKR_DATA_INVALID			(0x20)
+#define CKR_DATA_LEN_RANGE			(0x21)
+#define CKR_DEVICE_ERROR			(0x30)
+#define CKR_DEVICE_MEMORY			(0x31)
+#define CKR_DEVICE_REMOVED			(0x32)
+#define CKR_ENCRYPTED_DATA_INVALID		(0x40)
+#define CKR_ENCRYPTED_DATA_LEN_RANGE		(0x41)
+#define CKR_FUNCTION_CANCELED			(0x50)
+#define CKR_FUNCTION_NOT_PARALLEL		(0x51)
+#define CKR_FUNCTION_NOT_SUPPORTED		(0x54)
+#define CKR_KEY_HANDLE_INVALID			(0x60)
+#define CKR_KEY_SIZE_RANGE			(0x62)
+#define CKR_KEY_TYPE_INCONSISTENT		(0x63)
+#define CKR_KEY_NOT_NEEDED			(0x64)
+#define CKR_KEY_CHANGED				(0x65)
+#define CKR_KEY_NEEDED				(0x66)
+#define CKR_KEY_INDIGESTIBLE			(0x67)
+#define CKR_KEY_FUNCTION_NOT_PERMITTED		(0x68)
+#define CKR_KEY_NOT_WRAPPABLE			(0x69)
+#define CKR_KEY_UNEXTRACTABLE			(0x6a)
+#define CKR_MECHANISM_INVALID			(0x70)
+#define CKR_MECHANISM_PARAM_INVALID		(0x71)
+#define CKR_OBJECT_HANDLE_INVALID		(0x82)
+#define CKR_OPERATION_ACTIVE			(0x90)
+#define CKR_OPERATION_NOT_INITIALIZED		(0x91)
+#define CKR_PIN_INCORRECT			(0xa0)
+#define CKR_PIN_INVALID				(0xa1)
+#define CKR_PIN_LEN_RANGE			(0xa2)
+#define CKR_PIN_EXPIRED				(0xa3)
+#define CKR_PIN_LOCKED				(0xa4)
+#define CKR_SESSION_CLOSED			(0xb0)
+#define CKR_SESSION_COUNT			(0xb1)
+#define CKR_SESSION_HANDLE_INVALID		(0xb3)
+#define CKR_SESSION_PARALLEL_NOT_SUPPORTED	(0xb4)
+#define CKR_SESSION_READ_ONLY			(0xb5)
+#define CKR_SESSION_EXISTS			(0xb6)
+#define CKR_SESSION_READ_ONLY_EXISTS		(0xb7)
+#define CKR_SESSION_READ_WRITE_SO_EXISTS	(0xb8)
+#define CKR_SIGNATURE_INVALID			(0xc0)
+#define CKR_SIGNATURE_LEN_RANGE			(0xc1)
+#define CKR_TEMPLATE_INCOMPLETE			(0xd0)
+#define CKR_TEMPLATE_INCONSISTENT		(0xd1)
+#define CKR_TOKEN_NOT_PRESENT			(0xe0)
+#define CKR_TOKEN_NOT_RECOGNIZED		(0xe1)
+#define CKR_TOKEN_WRITE_PROTECTED		(0xe2)
+#define	CKR_UNWRAPPING_KEY_HANDLE_INVALID	(0xf0)
+#define CKR_UNWRAPPING_KEY_SIZE_RANGE		(0xf1)
+#define CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT	(0xf2)
+#define CKR_USER_ALREADY_LOGGED_IN		(0x100)
+#define CKR_USER_NOT_LOGGED_IN			(0x101)
+#define CKR_USER_PIN_NOT_INITIALIZED		(0x102)
+#define CKR_USER_TYPE_INVALID			(0x103)
+#define CKR_USER_ANOTHER_ALREADY_LOGGED_IN	(0x104)
+#define CKR_USER_TOO_MANY_TYPES			(0x105)
+#define CKR_WRAPPED_KEY_INVALID			(0x110)
+#define CKR_WRAPPED_KEY_LEN_RANGE		(0x112)
+#define CKR_WRAPPING_KEY_HANDLE_INVALID		(0x113)
+#define CKR_WRAPPING_KEY_SIZE_RANGE		(0x114)
+#define CKR_WRAPPING_KEY_TYPE_INCONSISTENT	(0x115)
+#define CKR_RANDOM_SEED_NOT_SUPPORTED		(0x120)
+#define CKR_RANDOM_NO_RNG			(0x121)
+#define CKR_DOMAIN_PARAMS_INVALID		(0x130)
+#define CKR_BUFFER_TOO_SMALL			(0x150)
+#define CKR_SAVED_STATE_INVALID			(0x160)
+#define CKR_INFORMATION_SENSITIVE		(0x170)
+#define CKR_STATE_UNSAVEABLE			(0x180)
+#define CKR_CRYPTOKI_NOT_INITIALIZED		(0x190)
+#define CKR_CRYPTOKI_ALREADY_INITIALIZED	(0x191)
+#define CKR_MUTEX_BAD				(0x1a0)
+#define CKR_MUTEX_NOT_LOCKED			(0x1a1)
+#define CKR_FUNCTION_REJECTED			(0x200)
+#define CKR_VENDOR_DEFINED			((unsigned long) (1 << 31))
+
+
+
+/* Compatibility layer.  */
+
+#ifdef CRYPTOKI_COMPAT
+
+#undef CK_DEFINE_FUNCTION
+#define CK_DEFINE_FUNCTION(retval, name) retval CK_SPEC name
+
+/* For NULL.  */
+#include <stddef.h>
+
+typedef unsigned char CK_BYTE;
+typedef unsigned char CK_CHAR;
+typedef unsigned char CK_UTF8CHAR;
+typedef unsigned char CK_BBOOL;
+typedef unsigned long int CK_ULONG;
+typedef long int CK_LONG;
+typedef CK_BYTE *CK_BYTE_PTR;
+typedef CK_CHAR *CK_CHAR_PTR;
+typedef CK_UTF8CHAR *CK_UTF8CHAR_PTR;
+typedef CK_ULONG *CK_ULONG_PTR;
+typedef void *CK_VOID_PTR;
+typedef void **CK_VOID_PTR_PTR;
+#define CK_FALSE 0
+#define CK_TRUE 1
+#ifndef CK_DISABLE_TRUE_FALSE
+#ifndef FALSE
+#define FALSE 0
+#endif
+#ifndef TRUE
+#define TRUE 1
+#endif
+#endif
+
+typedef struct ck_version CK_VERSION;
+typedef struct ck_version *CK_VERSION_PTR;
+
+typedef struct ck_info CK_INFO;
+typedef struct ck_info *CK_INFO_PTR;
+
+typedef ck_slot_id_t *CK_SLOT_ID_PTR;
+
+typedef struct ck_slot_info CK_SLOT_INFO;
+typedef struct ck_slot_info *CK_SLOT_INFO_PTR;
+
+typedef struct ck_token_info CK_TOKEN_INFO;
+typedef struct ck_token_info *CK_TOKEN_INFO_PTR;
+
+typedef ck_session_handle_t *CK_SESSION_HANDLE_PTR;
+
+typedef struct ck_session_info CK_SESSION_INFO;
+typedef struct ck_session_info *CK_SESSION_INFO_PTR;
+
+typedef ck_object_handle_t *CK_OBJECT_HANDLE_PTR;
+
+typedef ck_object_class_t *CK_OBJECT_CLASS_PTR;
+
+typedef struct ck_attribute CK_ATTRIBUTE;
+typedef struct ck_attribute *CK_ATTRIBUTE_PTR;
+
+typedef struct ck_date CK_DATE;
+typedef struct ck_date *CK_DATE_PTR;
+
+typedef ck_mechanism_type_t *CK_MECHANISM_TYPE_PTR;
+
+typedef struct ck_mechanism CK_MECHANISM;
+typedef struct ck_mechanism *CK_MECHANISM_PTR;
+
+typedef struct ck_mechanism_info CK_MECHANISM_INFO;
+typedef struct ck_mechanism_info *CK_MECHANISM_INFO_PTR;
+
+typedef struct ck_function_list CK_FUNCTION_LIST;
+typedef struct ck_function_list *CK_FUNCTION_LIST_PTR;
+typedef struct ck_function_list **CK_FUNCTION_LIST_PTR_PTR;
+
+typedef struct ck_c_initialize_args CK_C_INITIALIZE_ARGS;
+typedef struct ck_c_initialize_args *CK_C_INITIALIZE_ARGS_PTR;
+
+#define NULL_PTR NULL
+
+/* Delete the helper macros defined at the top of the file.  */
+#undef ck_flags_t
+#undef ck_version
+
+#undef ck_info
+#undef cryptoki_version
+#undef manufacturer_id
+#undef library_description
+#undef library_version
+
+#undef ck_notification_t
+#undef ck_slot_id_t
+
+#undef ck_slot_info
+#undef slot_description
+#undef hardware_version
+#undef firmware_version
+
+#undef ck_token_info
+#undef serial_number
+#undef max_session_count
+#undef session_count
+#undef max_rw_session_count
+#undef rw_session_count
+#undef max_pin_len
+#undef min_pin_len
+#undef total_public_memory
+#undef free_public_memory
+#undef total_private_memory
+#undef free_private_memory
+#undef utc_time
+
+#undef ck_session_handle_t
+#undef ck_user_type_t
+#undef ck_state_t
+
+#undef ck_session_info
+#undef slot_id
+#undef device_error
+
+#undef ck_object_handle_t
+#undef ck_object_class_t
+#undef ck_hw_feature_type_t
+#undef ck_key_type_t
+#undef ck_certificate_type_t
+#undef ck_attribute_type_t
+
+#undef ck_attribute
+#undef value
+#undef value_len
+
+#undef ck_date
+
+#undef ck_mechanism_type_t
+
+#undef ck_mechanism
+#undef parameter
+#undef parameter_len
+
+#undef ck_mechanism_info
+#undef min_key_size
+#undef max_key_size
+
+#undef ck_rv_t
+#undef ck_notify_t
+
+#undef ck_function_list
+
+#undef ck_createmutex_t
+#undef ck_destroymutex_t
+#undef ck_lockmutex_t
+#undef ck_unlockmutex_t
+
+#undef ck_c_initialize_args
+#undef create_mutex
+#undef destroy_mutex
+#undef lock_mutex
+#undef unlock_mutex
+#undef reserved
+
+#endif	/* CRYPTOKI_COMPAT */
+
+
+/* System dependencies.  */
+#if defined(_WIN32) || defined(CRYPTOKI_FORCE_WIN32)
+#pragma pack(pop, cryptoki)
+#endif
+
+#if defined(__cplusplus)
+}
+#endif
+
+#endif	/* PKCS11_H */
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_creds.c b/src/libstrongswan/plugins/pkcs11/pkcs11_creds.c
new file mode 100644
index 000000000..1b1448c6a
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_creds.c
@@ -0,0 +1,249 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "pkcs11_creds.h"
+
+#include <debug.h>
+#include <utils/linked_list.h>
+
+typedef struct private_pkcs11_creds_t private_pkcs11_creds_t;
+
+/**
+ * Private data of an pkcs11_creds_t object.
+ */
+struct private_pkcs11_creds_t {
+
+	/**
+	 * Public pkcs11_creds_t interface.
+	 */
+	pkcs11_creds_t public;
+
+	/**
+	 * PKCS# library
+	 */
+	pkcs11_library_t *lib;
+
+	/**
+	 * Token slot
+	 */
+	CK_SLOT_ID slot;
+
+	/**
+	 * List of trusted certificates
+	 */
+	linked_list_t *trusted;
+
+	/**
+	 * List of untrusted certificates
+	 */
+	linked_list_t *untrusted;
+};
+
+/**
+ * Find certificates, optionally trusted
+ */
+static void find_certificates(private_pkcs11_creds_t *this,
+							  CK_SESSION_HANDLE session, CK_BBOOL trusted)
+{
+	CK_OBJECT_CLASS class = CKO_CERTIFICATE;
+	CK_CERTIFICATE_TYPE type = CKC_X_509;
+	CK_ATTRIBUTE tmpl[] = {
+		{CKA_CLASS, &class, sizeof(class)},
+		{CKA_CERTIFICATE_TYPE, &type, sizeof(type)},
+		{CKA_TRUSTED, &trusted, sizeof(trusted)},
+	};
+	CK_OBJECT_HANDLE object;
+	CK_ATTRIBUTE attr[] = {
+		{CKA_VALUE, NULL, 0},
+		{CKA_LABEL, NULL, 0},
+	};
+	enumerator_t *enumerator;
+	linked_list_t *raw;
+	certificate_t *cert;
+	struct {
+		chunk_t value;
+		chunk_t label;
+	} *entry;
+
+	raw = linked_list_create();
+	enumerator = this->lib->create_object_enumerator(this->lib,
+							session, tmpl, countof(tmpl), attr, countof(attr));
+	while (enumerator->enumerate(enumerator, &object))
+	{
+		entry = malloc(sizeof(*entry));
+		entry->value = chunk_clone(
+							chunk_create(attr[0].pValue, attr[0].ulValueLen));
+		entry->label = chunk_clone(
+							chunk_create(attr[1].pValue, attr[1].ulValueLen));
+		raw->insert_last(raw, entry);
+	}
+	enumerator->destroy(enumerator);
+
+	while (raw->remove_first(raw, (void**)&entry) == SUCCESS)
+	{
+		cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+							BUILD_BLOB_ASN1_DER, entry->value,
+							BUILD_END);
+		if (cert)
+		{
+			DBG1(DBG_CFG, "    loaded %strusted cert '%.*s'",
+				 trusted ? "" : "un", entry->label.len, entry->label.ptr);
+			/* trusted certificates are also returned as untrusted */
+			this->untrusted->insert_last(this->untrusted, cert);
+			if (trusted)
+			{
+				this->trusted->insert_last(this->trusted, cert->get_ref(cert));
+			}
+		}
+		else
+		{
+			DBG1(DBG_CFG, "    loading cert '%.*s' failed",
+				 entry->label.len, entry->label.ptr);
+		}
+		free(entry->value.ptr);
+		free(entry->label.ptr);
+		free(entry);
+	}
+	raw->destroy(raw);
+}
+
+/**
+ * Load in the certificates from the token
+ */
+static bool load_certificates(private_pkcs11_creds_t *this)
+{
+	CK_SESSION_HANDLE session;
+	CK_RV rv;
+
+	rv = this->lib->f->C_OpenSession(this->slot, CKF_SERIAL_SESSION,
+									 NULL, NULL, &session);
+	if (rv != CKR_OK)
+	{
+		DBG1(DBG_CFG, "opening session failed: %N", ck_rv_names, rv);
+		return FALSE;
+	}
+
+	find_certificates(this, session, CK_TRUE);
+	find_certificates(this, session, CK_FALSE);
+
+	this->lib->f->C_CloseSession(session);
+	return TRUE;
+}
+
+/**
+ * filter function for certs enumerator
+ */
+static bool certs_filter(identification_t *id,
+						 certificate_t **in, certificate_t **out)
+{
+	public_key_t *public;
+	certificate_t *cert = *in;
+
+	if (id == NULL || cert->has_subject(cert, id))
+	{
+		*out = *in;
+		return TRUE;
+	}
+	public = cert->get_public_key(cert);
+	if (public)
+	{
+		if (public->has_fingerprint(public, id->get_encoding(id)))
+		{
+			public->destroy(public);
+			*out = *in;
+			return TRUE;
+		}
+		public->destroy(public);
+	}
+	return FALSE;
+}
+
+METHOD(credential_set_t, create_cert_enumerator, enumerator_t*,
+	private_pkcs11_creds_t *this, certificate_type_t cert, key_type_t key,
+	identification_t *id, bool trusted)
+{
+	enumerator_t *inner;
+
+	if (cert != CERT_X509 && cert != CERT_ANY)
+	{
+		return NULL;
+	}
+	if (trusted)
+	{
+		inner = this->trusted->create_enumerator(this->trusted);
+	}
+	else
+	{
+		inner = this->untrusted->create_enumerator(this->untrusted);
+	}
+	return enumerator_create_filter(inner, (void*)certs_filter, id, NULL);
+}
+
+METHOD(pkcs11_creds_t, get_library, pkcs11_library_t*,
+	private_pkcs11_creds_t *this)
+{
+	return this->lib;
+}
+
+METHOD(pkcs11_creds_t, get_slot, CK_SLOT_ID,
+	private_pkcs11_creds_t *this)
+{
+	return this->slot;
+}
+
+METHOD(pkcs11_creds_t, destroy, void,
+	private_pkcs11_creds_t *this)
+{
+	this->trusted->destroy_offset(this->trusted,
+								offsetof(certificate_t, destroy));
+	this->untrusted->destroy_offset(this->untrusted,
+								offsetof(certificate_t, destroy));
+	free(this);
+}
+
+/**
+ * See header
+ */
+pkcs11_creds_t *pkcs11_creds_create(pkcs11_library_t *p11, CK_SLOT_ID slot)
+{
+	private_pkcs11_creds_t *this;
+
+	INIT(this,
+		.public = {
+			.set = {
+				.create_shared_enumerator = (void*)enumerator_create_empty,
+				.create_private_enumerator = (void*)enumerator_create_empty,
+				.create_cert_enumerator = _create_cert_enumerator,
+				.create_cdp_enumerator  = (void*)enumerator_create_empty,
+				.cache_cert = (void*)nop,
+			},
+			.get_library = _get_library,
+			.get_slot = _get_slot,
+			.destroy = _destroy,
+		},
+		.lib = p11,
+		.slot = slot,
+		.trusted = linked_list_create(),
+		.untrusted = linked_list_create(),
+	);
+
+	if (!load_certificates(this))
+	{
+		destroy(this);
+		return NULL;
+	}
+
+	return &this->public;
+}
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_creds.h b/src/libstrongswan/plugins/pkcs11/pkcs11_creds.h
new file mode 100644
index 000000000..c40a8dea6
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_creds.h
@@ -0,0 +1,68 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pkcs11_creds pkcs11_creds
+ * @{ @ingroup pkcs11
+ */
+
+#ifndef PKCS11_CREDS_H_
+#define PKCS11_CREDS_H_
+
+typedef struct pkcs11_creds_t pkcs11_creds_t;
+
+#include "pkcs11_library.h"
+
+#include <credentials/credential_manager.h>
+
+/**
+ * Credential set on top on a PKCS#11 token.
+ */
+struct pkcs11_creds_t {
+
+	/**
+	 * Implements credential_set_t.
+	 */
+	credential_set_t set;
+
+	/**
+	 * Get the PKCS#11 library this set uses.
+	 *
+	 * @return		library
+	 */
+	pkcs11_library_t* (*get_library)(pkcs11_creds_t *this);
+
+	/**
+	 * Get the slot of the token this set uses.
+	 *
+	 * @return		slot
+	 */
+	CK_SLOT_ID (*get_slot)(pkcs11_creds_t *this);
+
+	/**
+	 * Destroy a pkcs11_creds_t.
+	 */
+	void (*destroy)(pkcs11_creds_t *this);
+};
+
+/**
+ * Create a pkcs11_creds instance.
+ *
+ * @param p11			loaded PKCS#11 library
+ * @param slot			slot of the token we hand out credentials
+ */
+pkcs11_creds_t *pkcs11_creds_create(pkcs11_library_t *p11, CK_SLOT_ID slot);
+
+#endif /** PKCS11_CREDS_H_ @}*/
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_hasher.c b/src/libstrongswan/plugins/pkcs11/pkcs11_hasher.c
new file mode 100644
index 000000000..6d327be40
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_hasher.c
@@ -0,0 +1,323 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "pkcs11_hasher.h"
+
+#include <unistd.h>
+
+#include <debug.h>
+#include <threading/mutex.h>
+
+#include "pkcs11_manager.h"
+
+typedef struct private_pkcs11_hasher_t private_pkcs11_hasher_t;
+
+/**
+ * Private data of an pkcs11_hasher_t object.
+ */
+struct private_pkcs11_hasher_t {
+
+	/**
+	 * Public pkcs11_hasher_t interface.
+	 */
+	pkcs11_hasher_t public;
+
+	/**
+	 * PKCS#11 library
+	 */
+	pkcs11_library_t *lib;
+
+	/**
+	 * Mechanism for this hasher
+	 */
+	CK_MECHANISM_PTR mech;
+
+	/**
+	 * Token session
+	 */
+	CK_SESSION_HANDLE session;
+
+	/**
+	 * size of the hash
+	 */
+	size_t size;
+
+	/**
+	 * Mutex to lock the tokens hashing engine
+	 */
+	mutex_t *mutex;
+
+	/**
+	 * do we have an initialized state?
+	 */
+	bool have_state;
+
+	/**
+	 * state buffer
+	 */
+	CK_BYTE_PTR state;
+
+	/**
+	 * Length of the state buffer
+	 */
+	CK_ULONG state_len;
+};
+
+METHOD(hasher_t, get_hash_size, size_t,
+	private_pkcs11_hasher_t *this)
+{
+	return this->size;
+}
+
+/**
+ * Save the Operation state to host memory
+ */
+static void save_state(private_pkcs11_hasher_t *this)
+{
+	CK_RV rv;
+
+	while (TRUE)
+	{
+		if (!this->state)
+		{
+			rv = this->lib->f->C_GetOperationState(this->session, NULL,
+												   &this->state_len);
+			if (rv != CKR_OK)
+			{
+				break;
+			}
+			this->state = malloc(this->state_len);
+		}
+		rv = this->lib->f->C_GetOperationState(this->session, this->state,
+											   &this->state_len);
+		switch (rv)
+		{
+			case CKR_BUFFER_TOO_SMALL:
+				free(this->state);
+				this->state = NULL;
+				continue;
+			case CKR_OK:
+				this->have_state = TRUE;
+				return;
+			default:
+				break;
+		}
+		break;
+	}
+	DBG1(DBG_CFG, "C_GetOperationState() failed: %N", ck_rv_names, rv);
+	abort();
+}
+
+/**
+ * Load the Operation state from host memory
+ */
+static void load_state(private_pkcs11_hasher_t *this)
+{
+	CK_RV rv;
+
+	rv = this->lib->f->C_SetOperationState(this->session, this->state,
+						this->state_len, CK_INVALID_HANDLE, CK_INVALID_HANDLE);
+	if (rv != CKR_OK)
+	{
+		DBG1(DBG_CFG, "C_SetOperationState() failed: %N", ck_rv_names, rv);
+		abort();
+	}
+	this->have_state = FALSE;
+}
+
+METHOD(hasher_t, reset, void,
+	private_pkcs11_hasher_t *this)
+{
+	this->have_state = FALSE;
+}
+
+METHOD(hasher_t, get_hash, void,
+	private_pkcs11_hasher_t *this, chunk_t chunk, u_int8_t *hash)
+{
+	CK_RV rv;
+	CK_ULONG len;
+
+	this->mutex->lock(this->mutex);
+	if (this->have_state)
+	{
+		load_state(this);
+	}
+	else
+	{
+		rv = this->lib->f->C_DigestInit(this->session, this->mech);
+		if (rv != CKR_OK)
+		{
+			DBG1(DBG_CFG, "C_DigestInit() failed: %N", ck_rv_names, rv);
+			abort();
+		}
+	}
+	if (chunk.len)
+	{
+		rv = this->lib->f->C_DigestUpdate(this->session, chunk.ptr, chunk.len);
+		if (rv != CKR_OK)
+		{
+			DBG1(DBG_CFG, "C_DigestUpdate() failed: %N", ck_rv_names, rv);
+			abort();
+		}
+	}
+	if (hash)
+	{
+		len = this->size;
+		rv = this->lib->f->C_DigestFinal(this->session,
+								hash, &len);
+		if (rv != CKR_OK)
+		{
+			DBG1(DBG_CFG, "C_DigestFinal() failed: %N", ck_rv_names, rv);
+			abort();
+		}
+	}
+	else
+	{
+		save_state(this);
+	}
+	this->mutex->unlock(this->mutex);
+}
+
+METHOD(hasher_t, allocate_hash, void,
+	private_pkcs11_hasher_t *this, chunk_t chunk, chunk_t *hash)
+{
+	if (hash)
+	{
+		*hash = chunk_alloc(this->size);
+		get_hash(this, chunk, hash->ptr);
+	}
+	else
+	{
+		get_hash(this, chunk, NULL);
+	}
+}
+
+METHOD(hasher_t, destroy, void,
+	private_pkcs11_hasher_t *this)
+{
+	this->lib->f->C_CloseSession(this->session);
+	this->mutex->destroy(this->mutex);
+	free(this);
+}
+
+/**
+ * Get the Cryptoki mechanism for a hash algorithm
+ */
+static CK_MECHANISM_PTR algo_to_mechanism(hash_algorithm_t algo, size_t *size)
+{
+	static struct {
+		hash_algorithm_t algo;
+		CK_MECHANISM mechanism;
+		size_t size;
+	} mappings[] = {
+		{HASH_MD2,		{CKM_MD2,		NULL, 0},	HASH_SIZE_MD2},
+		{HASH_MD5,		{CKM_MD5,		NULL, 0},	HASH_SIZE_MD5},
+		{HASH_SHA1,		{CKM_SHA_1,		NULL, 0},	HASH_SIZE_SHA1},
+		{HASH_SHA256,	{CKM_SHA256,	NULL, 0},	HASH_SIZE_SHA256},
+		{HASH_SHA384,	{CKM_SHA384,	NULL, 0},	HASH_SIZE_SHA384},
+		{HASH_SHA512,	{CKM_SHA512,	NULL, 0},	HASH_SIZE_SHA512},
+	};
+	int i;
+
+	for (i = 0; i < countof(mappings); i++)
+	{
+		if (mappings[i].algo == algo)
+		{
+			*size = mappings[i].size;
+			return &mappings[i].mechanism;
+		}
+	}
+	return NULL;
+}
+
+/**
+ * Find a token we can use for a hash algorithm
+ */
+static pkcs11_library_t* find_token(hash_algorithm_t algo,
+			CK_SESSION_HANDLE *session, CK_MECHANISM_PTR *mout, size_t *size)
+{
+	enumerator_t *tokens, *mechs;
+	pkcs11_manager_t *manager;
+	pkcs11_library_t *current, *found = NULL;
+	CK_MECHANISM_TYPE type;
+	CK_MECHANISM_PTR mech;
+	CK_SLOT_ID slot;
+
+	mech = algo_to_mechanism(algo, size);
+	if (!mech)
+	{
+		return NULL;
+	}
+	manager = pkcs11_manager_get();
+	if (!manager)
+	{
+		return NULL;
+	}
+	tokens = manager->create_token_enumerator(manager);
+	while (tokens->enumerate(tokens, &current, &slot))
+	{
+		mechs = current->create_mechanism_enumerator(current, slot);
+		while (mechs->enumerate(mechs, &type, NULL))
+		{
+			if (type == mech->mechanism)
+			{
+				if (current->f->C_OpenSession(slot, CKF_SERIAL_SESSION,
+											  NULL, NULL, session) == CKR_OK)
+				{
+					found = current;
+					*mout = mech;
+					break;
+				}
+			}
+		}
+		mechs->destroy(mechs);
+		if (found)
+		{
+			break;
+		}
+	}
+	tokens->destroy(tokens);
+	return found;
+}
+
+/**
+ * See header
+ */
+pkcs11_hasher_t *pkcs11_hasher_create(hash_algorithm_t algo)
+{
+	private_pkcs11_hasher_t *this;
+
+	INIT(this,
+		.public = {
+			.hasher = {
+				.get_hash_size = _get_hash_size,
+				.reset = _reset,
+				.get_hash = _get_hash,
+				.allocate_hash = _allocate_hash,
+				.destroy = _destroy,
+			},
+		},
+		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+	);
+
+	this->lib = find_token(algo, &this->session, &this->mech, &this->size);
+	if (!this->lib)
+	{
+		free(this);
+		return NULL;
+	}
+
+	return &this->public;
+}
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_hasher.h b/src/libstrongswan/plugins/pkcs11/pkcs11_hasher.h
new file mode 100644
index 000000000..9c55d463e
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_hasher.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pkcs11_hasher pkcs11_hasher
+ * @{ @ingroup pkcs11
+ */
+
+#ifndef PKCS11_HASHER_H_
+#define PKCS11_HASHER_H_
+
+#include <crypto/hashers/hasher.h>
+
+typedef struct pkcs11_hasher_t pkcs11_hasher_t;
+
+/**
+ * Hash implementation using a PKCS#11 token.
+ */
+struct pkcs11_hasher_t {
+
+	/**
+	 * Implements hasher_t interface.
+	 */
+	hasher_t hasher;
+};
+
+/**
+ * Creates a PKCS#11 based hasher.
+ *
+ * @param algo		hash algorithm
+ * @return			hasher, NULL if not supported
+ */
+pkcs11_hasher_t *pkcs11_hasher_create(hash_algorithm_t algo);
+
+#endif /** PKCS11_HASHER_H_ @}*/
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_library.c b/src/libstrongswan/plugins/pkcs11/pkcs11_library.c
new file mode 100644
index 000000000..9fb1b7769
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_library.c
@@ -0,0 +1,869 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "pkcs11_library.h"
+
+#include <dlfcn.h>
+
+#include <library.h>
+#include <debug.h>
+#include <threading/mutex.h>
+#include <utils/linked_list.h>
+
+typedef struct private_pkcs11_library_t private_pkcs11_library_t;
+
+
+ENUM_BEGIN(ck_rv_names, CKR_OK, CKR_CANT_LOCK,
+	"OK",
+	"CANCEL",
+	"HOST_MEMORY",
+	"SLOT_ID_INVALID",
+	"(0x04)",
+	"GENERAL_ERROR",
+	"FUNCTION_FAILED",
+	"ARGUMENTS_BAD",
+	"NO_EVENT",
+	"NEED_TO_CREATE_THREADS",
+	"CANT_LOCK");
+ENUM_NEXT(ck_rv_names, CKR_ATTRIBUTE_READ_ONLY, CKR_ATTRIBUTE_VALUE_INVALID,
+		CKR_CANT_LOCK,
+	"ATTRIBUTE_READ_ONLY",
+	"ATTRIBUTE_SENSITIVE",
+	"ATTRIBUTE_TYPE_INVALID",
+	"ATTRIBUTE_VALUE_INVALID");
+ENUM_NEXT(ck_rv_names, CKR_DATA_INVALID, CKR_DATA_LEN_RANGE,
+		CKR_ATTRIBUTE_VALUE_INVALID,
+	"DATA_INVALID"
+	"DATA_LEN_RANGE");
+ENUM_NEXT(ck_rv_names, CKR_DEVICE_ERROR, CKR_DEVICE_REMOVED,
+		CKR_DATA_LEN_RANGE,
+	"DEVICE_ERROR",
+	"DEVICE_MEMORY",
+	"DEVICE_REMOVED");
+ENUM_NEXT(ck_rv_names, CKR_ENCRYPTED_DATA_INVALID, CKR_ENCRYPTED_DATA_LEN_RANGE,
+		CKR_DEVICE_REMOVED,
+	"ENCRYPTED_DATA_INVALID",
+	"ENCRYPTED_DATA_LEN_RANGE");
+ENUM_NEXT(ck_rv_names, CKR_FUNCTION_CANCELED, CKR_FUNCTION_NOT_SUPPORTED,
+		CKR_ENCRYPTED_DATA_LEN_RANGE,
+	"FUNCTION_CANCELED",
+	"FUNCTION_NOT_PARALLEL",
+	"(0x52)",
+	"(0x53)",
+	"FUNCTION_NOT_SUPPORTED");
+ENUM_NEXT(ck_rv_names, CKR_KEY_HANDLE_INVALID, CKR_KEY_UNEXTRACTABLE,
+		CKR_FUNCTION_NOT_SUPPORTED,
+	"KEY_HANDLE_INVALID",
+	"(0x61)",
+	"KEY_SIZE_RANGE",
+	"KEY_TYPE_INCONSISTENT",
+	"KEY_NOT_NEEDED",
+	"KEY_CHANGED",
+	"KEY_NEEDED",
+	"KEY_INDIGESTIBLE",
+	"KEY_FUNCTION_NOT_PERMITTED",
+	"KEY_NOT_WRAPPABLE",
+	"KEY_UNEXTRACTABLE");
+ENUM_NEXT(ck_rv_names, CKR_MECHANISM_INVALID, CKR_MECHANISM_PARAM_INVALID,
+		CKR_KEY_UNEXTRACTABLE,
+	"MECHANISM_INVALID",
+	"MECHANISM_PARAM_INVALID");
+ENUM_NEXT(ck_rv_names, CKR_OBJECT_HANDLE_INVALID, CKR_OBJECT_HANDLE_INVALID,
+		CKR_MECHANISM_PARAM_INVALID,
+	"OBJECT_HANDLE_INVALID");
+ENUM_NEXT(ck_rv_names, CKR_OPERATION_ACTIVE, CKR_OPERATION_NOT_INITIALIZED,
+		CKR_OBJECT_HANDLE_INVALID,
+	"OPERATION_ACTIVE",
+	"OPERATION_NOT_INITIALIZED");
+ENUM_NEXT(ck_rv_names, CKR_PIN_INCORRECT, CKR_PIN_LOCKED,
+		CKR_OPERATION_NOT_INITIALIZED,
+	"PIN_INCORRECT",
+	"PIN_INVALID",
+	"PIN_LEN_RANGE",
+	"PIN_EXPIRED",
+	"PIN_LOCKED");
+ENUM_NEXT(ck_rv_names, CKR_SESSION_CLOSED, CKR_SESSION_READ_WRITE_SO_EXISTS,
+		CKR_PIN_LOCKED,
+	"SESSION_CLOSED",
+	"SESSION_COUNT",
+	"(0xb2)",
+	"SESSION_HANDLE_INVALID",
+	"SESSION_PARALLEL_NOT_SUPPORTED",
+	"SESSION_READ_ONLY",
+	"SESSION_EXISTS",
+	"SESSION_READ_ONLY_EXISTS",
+	"SESSION_READ_WRITE_SO_EXISTS");
+ENUM_NEXT(ck_rv_names, CKR_SIGNATURE_INVALID, CKR_SIGNATURE_LEN_RANGE,
+		CKR_SESSION_READ_WRITE_SO_EXISTS,
+	"SIGNATURE_INVALID",
+	"SIGNATURE_LEN_RANGE");
+ENUM_NEXT(ck_rv_names, CKR_TEMPLATE_INCOMPLETE, CKR_TEMPLATE_INCONSISTENT,
+		CKR_SIGNATURE_LEN_RANGE,
+	"TEMPLATE_INCOMPLETE",
+	"TEMPLATE_INCONSISTENT",
+);
+ENUM_NEXT(ck_rv_names, CKR_TOKEN_NOT_PRESENT, CKR_TOKEN_WRITE_PROTECTED,
+		CKR_TEMPLATE_INCONSISTENT,
+	"TOKEN_NOT_PRESENT",
+	"TOKEN_NOT_RECOGNIZED",
+	"TOKEN_WRITE_PROTECTED");
+ENUM_NEXT(ck_rv_names, CKR_UNWRAPPING_KEY_HANDLE_INVALID, CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT,
+		CKR_TOKEN_WRITE_PROTECTED,
+	"UNWRAPPING_KEY_HANDLE_INVALID",
+	"UNWRAPPING_KEY_SIZE_RANGE",
+	"UNWRAPPING_KEY_TYPE_INCONSISTENT");
+ENUM_NEXT(ck_rv_names, CKR_USER_ALREADY_LOGGED_IN, CKR_USER_TOO_MANY_TYPES,
+		CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT,
+	"USER_ALREADY_LOGGED_IN",
+	"USER_NOT_LOGGED_IN",
+	"USER_PIN_NOT_INITIALIZED",
+	"USER_TYPE_INVALID",
+	"USER_ANOTHER_ALREADY_LOGGED_IN",
+	"USER_TOO_MANY_TYPES");
+ENUM_NEXT(ck_rv_names, CKR_WRAPPED_KEY_INVALID, CKR_WRAPPING_KEY_TYPE_INCONSISTENT,
+		CKR_USER_TOO_MANY_TYPES,
+	"WRAPPED_KEY_INVALID",
+	"(0x111)",
+	"WRAPPED_KEY_LEN_RANGE",
+	"WRAPPING_KEY_HANDLE_INVALID",
+	"WRAPPING_KEY_SIZE_RANGE",
+	"WRAPPING_KEY_TYPE_INCONSISTENT");
+ENUM_NEXT(ck_rv_names, CKR_RANDOM_SEED_NOT_SUPPORTED, CKR_RANDOM_NO_RNG,
+		CKR_WRAPPING_KEY_TYPE_INCONSISTENT,
+	"RANDOM_SEED_NOT_SUPPORTED",
+	"RANDOM_NO_RNG");
+ENUM_NEXT(ck_rv_names, CKR_DOMAIN_PARAMS_INVALID, CKR_DOMAIN_PARAMS_INVALID,
+		CKR_RANDOM_NO_RNG,
+	"DOMAIN_PARAMS_INVALID");
+ENUM_NEXT(ck_rv_names, CKR_BUFFER_TOO_SMALL, CKR_BUFFER_TOO_SMALL,
+		CKR_DOMAIN_PARAMS_INVALID,
+	"BUFFER_TOO_SMALL");
+ENUM_NEXT(ck_rv_names, CKR_SAVED_STATE_INVALID, CKR_SAVED_STATE_INVALID,
+		CKR_BUFFER_TOO_SMALL,
+	"SAVED_STATE_INVALID");
+ENUM_NEXT(ck_rv_names, CKR_INFORMATION_SENSITIVE, CKR_INFORMATION_SENSITIVE,
+		CKR_SAVED_STATE_INVALID,
+	"INFORMATION_SENSITIVE");
+ENUM_NEXT(ck_rv_names, CKR_STATE_UNSAVEABLE, CKR_STATE_UNSAVEABLE,
+		CKR_INFORMATION_SENSITIVE,
+	"STATE_UNSAVEABLE");
+ENUM_NEXT(ck_rv_names, CKR_CRYPTOKI_NOT_INITIALIZED, CKR_CRYPTOKI_ALREADY_INITIALIZED,
+		CKR_STATE_UNSAVEABLE,
+	"CRYPTOKI_NOT_INITIALIZED",
+	"CRYPTOKI_ALREADY_INITIALIZED");
+ENUM_NEXT(ck_rv_names, CKR_MUTEX_BAD, CKR_MUTEX_NOT_LOCKED,
+		CKR_CRYPTOKI_ALREADY_INITIALIZED,
+	"MUTEX_BAD",
+	"MUTEX_NOT_LOCKED");
+ENUM_NEXT(ck_rv_names, CKR_FUNCTION_REJECTED, CKR_FUNCTION_REJECTED,
+		CKR_MUTEX_NOT_LOCKED,
+	"FUNCTION_REJECTED");
+ENUM_END(ck_rv_names, CKR_FUNCTION_REJECTED);
+
+
+ENUM_BEGIN(ck_mech_names, CKM_RSA_PKCS_KEY_PAIR_GEN, CKM_DSA_SHA1,
+	"RSA_PKCS_KEY_PAIR_GEN",
+	"RSA_PKCS",
+	"RSA_9796",
+	"RSA_X_509",
+	"MD2_RSA_PKCS",
+	"MD5_RSA_PKCS",
+	"SHA1_RSA_PKCS",
+	"RIPEMD128_RSA_PKCS",
+	"RIPEMD160_RSA_PKCS",
+	"RSA_PKCS_OAEP",
+	"RSA_X9_31_KEY_PAIR_GEN",
+	"RSA_X9_31",
+	"SHA1_RSA_X9_31",
+	"RSA_PKCS_PSS",
+	"SHA1_RSA_PKCS_PSS",
+	"(0xf)",
+	"DSA_KEY_PAIR_GEN",
+	"DSA",
+	"DSA_SHA1");
+ENUM_NEXT(ck_mech_names, CKM_DH_PKCS_KEY_PAIR_GEN, CKM_DH_PKCS_DERIVE,
+		CKM_DSA_SHA1,
+	"DH_PKCS_KEY_PAIR_GEN",
+	"DH_PKCS_DERIVE");
+ENUM_NEXT(ck_mech_names, CKM_X9_42_DH_KEY_PAIR_GEN, CKM_X9_42_MQV_DERIVE,
+		CKM_DH_PKCS_DERIVE,
+	"X9_42_DH_KEY_PAIR_GEN",
+	"X9_42_DH_DERIVE",
+	"X9_42_DH_HYBRID_DERIVE",
+	"X9_42_MQV_DERIVE");
+ENUM_NEXT(ck_mech_names, CKM_SHA256_RSA_PKCS, CKM_SHA512_RSA_PKCS_PSS,
+		CKM_X9_42_MQV_DERIVE,
+	"SHA256_RSA_PKCS",
+	"SHA384_RSA_PKCS",
+	"SHA512_RSA_PKCS",
+	"SHA256_RSA_PKCS_PSS",
+	"SHA384_RSA_PKCS_PSS",
+	"SHA512_RSA_PKCS_PSS");
+ENUM_NEXT(ck_mech_names, CKM_RC2_KEY_GEN, CKM_RC2_CBC_PAD,
+		CKM_SHA512_RSA_PKCS_PSS,
+	"RC2_KEY_GEN",
+	"RC2_ECB",
+	"RC2_CBC",
+	"RC2_MAC",
+	"RC2_MAC_GENERAL",
+	"RC2_CBC_PAD");
+ENUM_NEXT(ck_mech_names, CKM_RC4_KEY_GEN, CKM_RC4,
+		CKM_RC2_CBC_PAD,
+	"RC4_KEY_GEN",
+	"RC4");
+ENUM_NEXT(ck_mech_names, CKM_DES_KEY_GEN, CKM_DES_CBC_PAD,
+		CKM_RC4,
+	"DES_KEY_GEN",
+	"DES_ECB",
+	"DES_CBC",
+	"DES_MAC",
+	"DES_MAC_GENERAL",
+	"DES_CBC_PAD");
+ENUM_NEXT(ck_mech_names, CKM_DES2_KEY_GEN, CKM_DES3_CBC_PAD,
+		CKM_DES_CBC_PAD,
+	"DES2_KEY_GEN",
+	"DES3_KEY_GEN",
+	"DES3_ECB",
+	"DES3_CBC",
+	"DES3_MAC",
+	"DES3_MAC_GENERAL",
+	"DES3_CBC_PAD");
+ENUM_NEXT(ck_mech_names, CKM_CDMF_KEY_GEN, CKM_CDMF_CBC_PAD,
+		CKM_DES3_CBC_PAD,
+	"CDMF_KEY_GEN",
+	"CDMF_ECB",
+	"CDMF_CBC",
+	"CDMF_MAC",
+	"CDMF_MAC_GENERAL",
+	"CDMF_CBC_PAD");
+ENUM_NEXT(ck_mech_names, CKM_MD2, CKM_MD2_HMAC_GENERAL,
+		CKM_CDMF_CBC_PAD,
+	"MD2",
+	"MD2_HMAC",
+	"MD2_HMAC_GENERAL");
+ENUM_NEXT(ck_mech_names, CKM_MD5, CKM_MD5_HMAC_GENERAL,
+		CKM_MD2_HMAC_GENERAL,
+	"MD5",
+	"MD5_HMAC",
+	"MD5_HMAC_GENERAL");
+ENUM_NEXT(ck_mech_names, CKM_SHA_1, CKM_SHA_1_HMAC_GENERAL,
+		CKM_MD5_HMAC_GENERAL,
+	"SHA_1",
+	"SHA_1_HMAC",
+	"SHA_1_HMAC_GENERAL");
+ENUM_NEXT(ck_mech_names, CKM_RIPEMD128, CKM_RIPEMD128_HMAC_GENERAL,
+		CKM_SHA_1_HMAC_GENERAL,
+	"RIPEMD128",
+	"RIPEMD128_HMAC",
+	"RIPEMD128_HMAC_GENERAL");
+ENUM_NEXT(ck_mech_names, CKM_RIPEMD160, CKM_RIPEMD160_HMAC_GENERAL,
+		CKM_RIPEMD128_HMAC_GENERAL,
+	"RIPEMD160",
+	"RIPEMD160_HMAC",
+	"RIPEMD160_HMAC_GENERAL");
+ENUM_NEXT(ck_mech_names, CKM_SHA256, CKM_SHA256_HMAC_GENERAL,
+		CKM_RIPEMD160_HMAC_GENERAL,
+	"SHA256",
+	"SHA256_HMAC",
+	"SHA256_HMAC_GENERAL");
+ENUM_NEXT(ck_mech_names, CKM_SHA384, CKM_SHA384_HMAC_GENERAL,
+		CKM_SHA256_HMAC_GENERAL,
+	"SHA384",
+	"SHA384_HMAC",
+	"SHA384_HMAC_GENERAL");
+ENUM_NEXT(ck_mech_names, CKM_SHA512, CKM_SHA512_HMAC_GENERAL,
+		CKM_SHA384_HMAC_GENERAL	,
+	"SHA512",
+	"SHA512_HMAC",
+	"SHA512_HMAC_GENERAL");
+ENUM_NEXT(ck_mech_names, CKM_CAST_KEY_GEN, CKM_CAST_CBC_PAD,
+		CKM_SHA512_HMAC_GENERAL,
+	"CAST_KEY_GEN",
+	"CAST_ECB",
+	"CAST_CBC",
+	"CAST_MAC",
+	"CAST_MAC_GENERAL",
+	"CAST_CBC_PAD");
+ENUM_NEXT(ck_mech_names, CKM_CAST3_KEY_GEN, CKM_CAST3_CBC_PAD,
+		CKM_CAST_CBC_PAD,
+	"CAST3_KEY_GEN",
+	"CAST3_ECB",
+	"CAST3_CBC",
+	"CAST3_MAC",
+	"CAST3_MAC_GENERAL",
+	"CAST3_CBC_PAD");
+ENUM_NEXT(ck_mech_names, CKM_CAST128_KEY_GEN, CKM_CAST128_CBC_PAD,
+		CKM_CAST3_CBC_PAD,
+	"CAST128_KEY_GEN",
+	"CAST128_ECB",
+	"CAST128_CBC",
+	"CAST128_MAC",
+	"CAST128_MAC_GENERAL",
+	"CAST128_CBC_PAD");
+ENUM_NEXT(ck_mech_names, CKM_RC5_KEY_GEN, CKM_RC5_CBC_PAD,
+		CKM_CAST128_CBC_PAD,
+	"RC5_KEY_GEN",
+	"RC5_ECB",
+	"RC5_CBC",
+	"RC5_MAC",
+	"RC5_MAC_GENERAL",
+	"RC5_CBC_PAD");
+ENUM_NEXT(ck_mech_names, CKM_IDEA_KEY_GEN, CKM_IDEA_CBC_PAD,
+		CKM_RC5_CBC_PAD,
+	"IDEA_KEY_GEN",
+	"IDEA_ECB",
+	"IDEA_CBC",
+	"IDEA_MAC",
+	"IDEA_MAC_GENERAL",
+	"IDEA_CBC_PAD");
+ENUM_NEXT(ck_mech_names, CKM_GENERIC_SECRET_KEY_GEN, CKM_GENERIC_SECRET_KEY_GEN,
+		CKM_IDEA_CBC_PAD,
+	"GENERIC_SECRET_KEY_GEN");
+ENUM_NEXT(ck_mech_names, CKM_CONCATENATE_BASE_AND_KEY, CKM_EXTRACT_KEY_FROM_KEY,
+		CKM_GENERIC_SECRET_KEY_GEN,
+	"CONCATENATE_BASE_AND_KEY",
+	"(0x361)",
+	"CONCATENATE_BASE_AND_DATA",
+	"CONCATENATE_DATA_AND_BASE",
+	"XOR_BASE_AND_DATA",
+	"EXTRACT_KEY_FROM_KEY");
+ENUM_NEXT(ck_mech_names, CKM_SSL3_PRE_MASTER_KEY_GEN, CKM_TLS_MASTER_KEY_DERIVE_DH,
+		CKM_EXTRACT_KEY_FROM_KEY,
+	"SSL3_PRE_MASTER_KEY_GEN",
+	"SSL3_MASTER_KEY_DERIVE",
+	"SSL3_KEY_AND_MAC_DERIVE",
+	"SSL3_MASTER_KEY_DERIVE_DH",
+	"TLS_PRE_MASTER_KEY_GEN",
+	"TLS_MASTER_KEY_DERIVE",
+	"TLS_KEY_AND_MAC_DERIVE",
+	"TLS_MASTER_KEY_DERIVE_DH");
+ENUM_NEXT(ck_mech_names, CKM_SSL3_MD5_MAC, CKM_SSL3_SHA1_MAC,
+		CKM_TLS_MASTER_KEY_DERIVE_DH,
+	"SSL3_MD5_MAC",
+	"SSL3_SHA1_MAC");
+ENUM_NEXT(ck_mech_names, CKM_MD5_KEY_DERIVATION, CKM_SHA1_KEY_DERIVATION,
+		CKM_SSL3_SHA1_MAC,
+	"MD5_KEY_DERIVATION",
+	"MD2_KEY_DERIVATION",
+	"SHA1_KEY_DERIVATION");
+ENUM_NEXT(ck_mech_names, CKM_PBE_MD2_DES_CBC, CKM_PBE_SHA1_RC2_40_CBC,
+		CKM_SHA1_KEY_DERIVATION,
+	"PBE_MD2_DES_CBC",
+	"PBE_MD5_DES_CBC",
+	"PBE_MD5_CAST_CBC",
+	"PBE_MD5_CAST3_CBC",
+	"PBE_MD5_CAST128_CBC",
+	"PBE_SHA1_CAST128_CBC",
+	"PBE_SHA1_RC4_128",
+	"PBE_SHA1_RC4_40",
+	"PBE_SHA1_DES3_EDE_CBC",
+	"PBE_SHA1_DES2_EDE_CBC",
+	"PBE_SHA1_RC2_128_CBC",
+	"PBE_SHA1_RC2_40_CBC");
+ENUM_NEXT(ck_mech_names, CKM_PKCS5_PBKD2, CKM_PKCS5_PBKD2,
+		CKM_PBE_SHA1_RC2_40_CBC,
+	"PKCS5_PBKD2");
+ENUM_NEXT(ck_mech_names, CKM_PBA_SHA1_WITH_SHA1_HMAC, CKM_PBA_SHA1_WITH_SHA1_HMAC,
+		CKM_PKCS5_PBKD2,
+	"PBA_SHA1_WITH_SHA1_HMAC");
+ENUM_NEXT(ck_mech_names, CKM_KEY_WRAP_LYNKS, CKM_KEY_WRAP_SET_OAEP,
+		CKM_PBA_SHA1_WITH_SHA1_HMAC,
+	"KEY_WRAP_LYNKS",
+	"KEY_WRAP_SET_OAEP");
+ENUM_NEXT(ck_mech_names, CKM_SKIPJACK_KEY_GEN, CKM_SKIPJACK_RELAYX,
+		CKM_KEY_WRAP_SET_OAEP,
+	"SKIPJACK_KEY_GEN",
+	"SKIPJACK_ECB64",
+	"SKIPJACK_CBC64",
+	"SKIPJACK_OFB64",
+	"SKIPJACK_CFB64",
+	"SKIPJACK_CFB32",
+	"SKIPJACK_CFB16",
+	"SKIPJACK_CFB8",
+	"SKIPJACK_WRAP",
+	"SKIPJACK_PRIVATE_WRAP",
+	"SKIPJACK_RELAYX");
+ENUM_NEXT(ck_mech_names, CKM_KEA_KEY_PAIR_GEN, CKM_KEA_KEY_DERIVE,
+		CKM_SKIPJACK_RELAYX,
+	"KEA_KEY_PAIR_GEN",
+	"KEA_KEY_DERIVE");
+ENUM_NEXT(ck_mech_names, CKM_FORTEZZA_TIMESTAMP, CKM_FORTEZZA_TIMESTAMP,
+		CKM_KEA_KEY_DERIVE,
+	"FORTEZZA_TIMESTAMP");
+ENUM_NEXT(ck_mech_names, CKM_BATON_KEY_GEN, CKM_BATON_WRAP,
+		CKM_FORTEZZA_TIMESTAMP,
+	"BATON_KEY_GEN",
+	"BATON_ECB128",
+	"BATON_ECB96",
+	"BATON_CBC128",
+	"BATON_COUNTER",
+	"BATON_SHUFFLE",
+	"BATON_WRAP");
+ENUM_NEXT(ck_mech_names, CKM_ECDSA_KEY_PAIR_GEN, CKM_ECDSA_SHA1,
+		CKM_BATON_WRAP,
+	"ECDSA_KEY_PAIR_GEN",
+	"ECDSA",
+	"ECDSA_SHA1");
+ENUM_NEXT(ck_mech_names, CKM_ECDH1_DERIVE, CKM_ECMQV_DERIVE,
+		CKM_ECDSA_SHA1,
+	"ECDH1_DERIVE",
+	"ECDH1_COFACTOR_DERIVE",
+	"ECMQV_DERIVE");
+ENUM_NEXT(ck_mech_names, CKM_JUNIPER_KEY_GEN, CKM_JUNIPER_WRAP,
+		CKM_ECMQV_DERIVE,
+	"JUNIPER_KEY_GEN",
+	"JUNIPER_ECB128",
+	"JUNIPER_CBC128",
+	"JUNIPER_COUNTER",
+	"JUNIPER_SHUFFLE",
+	"JUNIPER_WRAP");
+ENUM_NEXT(ck_mech_names, CKM_FASTHASH, CKM_FASTHASH,
+		CKM_JUNIPER_WRAP,
+	"FASTHASH");
+ENUM_NEXT(ck_mech_names, CKM_AES_KEY_GEN, CKM_AES_CBC_PAD,
+		CKM_FASTHASH,
+	"AES_KEY_GEN",
+	"AES_ECB",
+	"AES_CBC",
+	"AES_MAC",
+	"AES_MAC_GENERAL",
+	"AES_CBC_PAD");
+ENUM_NEXT(ck_mech_names, CKM_DSA_PARAMETER_GEN, CKM_X9_42_DH_PARAMETER_GEN,
+		CKM_AES_CBC_PAD,
+	"DSA_PARAMETER_GEN",
+	"DH_PKCS_PARAMETER_GEN",
+	"X9_42_DH_PARAMETER_GEN");
+ENUM_END(ck_mech_names, CKM_X9_42_DH_PARAMETER_GEN);
+
+/**
+ * Private data of an pkcs11_library_t object.
+ */
+struct private_pkcs11_library_t {
+
+	/**
+	 * Public pkcs11_library_t interface.
+	 */
+	pkcs11_library_t public;
+
+	/**
+	 * dlopen() handle
+	 */
+	void *handle;
+
+	/**
+	 * Name as passed to the constructor
+	 */
+	char *name;
+};
+
+METHOD(pkcs11_library_t, get_name, char*,
+	private_pkcs11_library_t *this)
+{
+	return this->name;
+}
+
+/**
+ * Object enumerator
+ */
+typedef struct {
+	/* implements enumerator_t */
+	enumerator_t public;
+	/* session */
+	CK_SESSION_HANDLE session;
+	/* pkcs11 library */
+	pkcs11_library_t *lib;
+	/* attributes to retreive */
+	CK_ATTRIBUTE_PTR attr;
+	/* number of attributes */
+	CK_ULONG count;
+	/* currently allocated attributes, to free */
+	linked_list_t *freelist;
+} object_enumerator_t;
+
+/**
+ * Free contents of attributes in a list
+ */
+static void free_attrs(object_enumerator_t *this)
+{
+	CK_ATTRIBUTE_PTR attr;
+
+	while (this->freelist->remove_last(this->freelist, (void**)&attr) == SUCCESS)
+	{
+		free(attr->pValue);
+		attr->pValue = NULL;
+		attr->ulValueLen = 0;
+	}
+}
+
+/**
+ * Get attributes for a given object during enumeration
+ */
+static bool get_attributes(object_enumerator_t *this, CK_OBJECT_HANDLE object)
+{
+	CK_RV rv;
+	int i;
+
+	free_attrs(this);
+
+	/* get length of objects first */
+	rv = this->lib->f->C_GetAttributeValue(this->session, object,
+										   this->attr, this->count);
+	if (rv != CKR_OK)
+	{
+		DBG1(DBG_CFG, "C_GetAttributeValue(NULL) error: %N", ck_rv_names, rv);
+		return FALSE;
+	}
+	/* allocate required chunks */
+	for (i = 0; i < this->count; i++)
+	{
+		if (this->attr[i].pValue == NULL &&
+			this->attr[i].ulValueLen != 0 && this->attr[i].ulValueLen != -1)
+		{
+			this->attr[i].pValue = malloc(this->attr[i].ulValueLen);
+			this->freelist->insert_last(this->freelist, &this->attr[i]);
+		}
+	}
+	/* get the data */
+	rv = this->lib->f->C_GetAttributeValue(this->session, object,
+										   this->attr, this->count);
+	if (rv != CKR_OK)
+	{
+		free_attrs(this);
+		DBG1(DBG_CFG, "C_GetAttributeValue(NULL) error: %N", ck_rv_names, rv);
+		return FALSE;
+	}
+	return TRUE;
+}
+
+METHOD(enumerator_t, object_enumerate, bool,
+	object_enumerator_t *this, CK_OBJECT_HANDLE *out)
+{
+	CK_OBJECT_HANDLE object;
+	CK_ULONG found;
+	CK_RV rv;
+
+	rv = this->lib->f->C_FindObjects(this->session, &object, 1, &found);
+	if (rv != CKR_OK)
+	{
+		DBG1(DBG_CFG, "C_FindObjects() failed: %N", ck_rv_names, rv);
+		return FALSE;
+	}
+	if (found)
+	{
+		if (this->attr)
+		{
+			if (!get_attributes(this, object))
+			{
+				return FALSE;
+			}
+		}
+		*out = object;
+		return TRUE;
+	}
+	return FALSE;
+}
+
+METHOD(enumerator_t, object_destroy, void,
+	object_enumerator_t *this)
+{
+	this->lib->f->C_FindObjectsFinal(this->session);
+	free_attrs(this);
+	this->freelist->destroy(this->freelist);
+	free(this);
+}
+
+METHOD(pkcs11_library_t, create_object_enumerator, enumerator_t*,
+	private_pkcs11_library_t *this, CK_SESSION_HANDLE session,
+	CK_ATTRIBUTE_PTR tmpl, CK_ULONG tcount,
+	CK_ATTRIBUTE_PTR attr, CK_ULONG acount)
+{
+	object_enumerator_t *enumerator;
+	CK_RV rv;
+
+	rv = this->public.f->C_FindObjectsInit(session, tmpl, tcount);
+	if (rv != CKR_OK)
+	{
+		DBG1(DBG_CFG, "C_FindObjectsInit() failed: %N", ck_rv_names, rv);
+		return enumerator_create_empty();
+	}
+
+	INIT(enumerator,
+		.public = {
+			.enumerate = (void*)_object_enumerate,
+			.destroy = _object_destroy,
+		},
+		.session = session,
+		.lib = &this->public,
+		.attr = attr,
+		.count = acount,
+		.freelist = linked_list_create(),
+	);
+	return &enumerator->public;
+}
+
+/**
+ * Enumerator over mechanisms
+ */
+typedef struct {
+	/* implements enumerator_t */
+	enumerator_t public;
+	/* PKCS#11 library */
+	pkcs11_library_t *lib;
+	/* slot of token */
+	CK_SLOT_ID slot;
+	/* mechanism type list */
+	CK_MECHANISM_TYPE_PTR mechs;
+	/* number of mechanism types */
+	CK_ULONG count;
+	/* current mechanism */
+	CK_ULONG current;
+} mechanism_enumerator_t;
+
+METHOD(enumerator_t, enumerate_mech, bool,
+	mechanism_enumerator_t *this, CK_MECHANISM_TYPE* type,
+	CK_MECHANISM_INFO *info)
+{
+	CK_RV rv;
+
+	if (this->current >= this->count)
+	{
+		return FALSE;
+	}
+	if (info)
+	{
+		rv = this->lib->f->C_GetMechanismInfo(this->slot,
+											  this->mechs[this->current], info);
+		if (rv != CKR_OK)
+		{
+			DBG1(DBG_CFG, "C_GetMechanismInfo() failed: %N", ck_rv_names, rv);
+			return FALSE;
+		}
+	}
+	*type = this->mechs[this->current++];
+	return TRUE;
+}
+
+METHOD(enumerator_t, destroy_mech, void,
+	mechanism_enumerator_t *this)
+{
+	free(this->mechs);
+	free(this);
+}
+
+METHOD(pkcs11_library_t, create_mechanism_enumerator, enumerator_t*,
+	private_pkcs11_library_t *this, CK_SLOT_ID slot)
+{
+	mechanism_enumerator_t *enumerator;
+	CK_RV rv;
+
+	INIT(enumerator,
+		.public = {
+			.enumerate = (void*)_enumerate_mech,
+			.destroy = _destroy_mech,
+		},
+		.lib = &this->public,
+		.slot = slot,
+	);
+
+	rv = enumerator->lib->f->C_GetMechanismList(slot, NULL, &enumerator->count);
+	if (rv != CKR_OK)
+	{
+		DBG1(DBG_CFG, "C_GetMechanismList() failed: %N", ck_rv_names, rv);
+		free(enumerator);
+		return enumerator_create_empty();
+	}
+	enumerator->mechs = malloc(sizeof(CK_MECHANISM_TYPE) * enumerator->count);
+	enumerator->lib->f->C_GetMechanismList(slot, enumerator->mechs,
+										   &enumerator->count);
+	if (rv != CKR_OK)
+	{
+		DBG1(DBG_CFG, "C_GetMechanismList() failed: %N", ck_rv_names, rv);
+		destroy_mech(enumerator);
+		return enumerator_create_empty();
+	}
+	return &enumerator->public;
+}
+
+METHOD(pkcs11_library_t, destroy, void,
+	private_pkcs11_library_t *this)
+{
+	this->public.f->C_Finalize(NULL);
+	dlclose(this->handle);
+	free(this);
+}
+
+/**
+ * See header
+ */
+void pkcs11_library_trim(char *str, int len)
+{
+	int i;
+
+	str[len - 1] = '\0';
+	for (i = len - 2; i > 0; i--)
+	{
+		if (str[i] == ' ')
+		{
+			str[i] = '\0';
+			continue;
+		}
+		break;
+	}
+}
+
+/**
+ * Mutex creation callback
+ */
+static CK_RV CreateMutex(CK_VOID_PTR_PTR data)
+{
+	*data = mutex_create(MUTEX_TYPE_DEFAULT);
+	return CKR_OK;
+}
+
+/**
+ * Mutex destruction callback
+ */
+static CK_RV DestroyMutex(CK_VOID_PTR data)
+{
+	mutex_t *mutex = (mutex_t*)data;
+
+	mutex->destroy(mutex);
+	return CKR_OK;
+}
+
+/**
+ * Mutex lock callback
+ */
+static CK_RV LockMutex(CK_VOID_PTR data)
+{
+	mutex_t *mutex = (mutex_t*)data;
+
+	mutex->lock(mutex);
+	return CKR_OK;
+}
+
+/**
+ * Mutex unlock callback
+ */
+static CK_RV UnlockMutex(CK_VOID_PTR data)
+{
+	mutex_t *mutex = (mutex_t*)data;
+
+	mutex->unlock(mutex);
+	return CKR_OK;
+}
+
+/**
+ * Initialize a PKCS#11 library
+ */
+static bool initialize(private_pkcs11_library_t *this, char *name, char *file)
+{
+	CK_C_GetFunctionList pC_GetFunctionList;
+	CK_INFO info;
+	CK_RV rv;
+	CK_C_INITIALIZE_ARGS args = {
+		.CreateMutex = CreateMutex,
+		.DestroyMutex = DestroyMutex,
+		.LockMutex = LockMutex,
+		.UnlockMutex = UnlockMutex,
+	};
+
+	pC_GetFunctionList = dlsym(this->handle, "C_GetFunctionList");
+	if (!pC_GetFunctionList)
+	{
+		DBG1(DBG_CFG, "C_GetFunctionList not found for '%s': %s", name, dlerror());
+		return FALSE;
+	}
+	rv = pC_GetFunctionList(&this->public.f);
+	if (rv != CKR_OK)
+	{
+		DBG1(DBG_CFG, "C_GetFunctionList() error for '%s': %N",
+			 name, ck_rv_names, rv);
+		return FALSE;
+	}
+
+	rv = this->public.f->C_Initialize(&args);
+	if (rv == CKR_CANT_LOCK)
+	{	/* try OS locking */
+		memset(&args, 0, sizeof(args));
+		args.flags = CKF_OS_LOCKING_OK;
+		rv = this->public.f->C_Initialize(&args);
+	}
+	if (rv != CKR_OK)
+	{
+		DBG1(DBG_CFG, "C_Initialize() error for '%s': %N",
+			 name, ck_rv_names, rv);
+		return FALSE;
+	}
+	rv = this->public.f->C_GetInfo(&info);
+	if (rv != CKR_OK)
+	{
+		DBG1(DBG_CFG, "C_GetInfo() error for '%s': %N",
+			 name, ck_rv_names, rv);
+		this->public.f->C_Finalize(NULL);
+		return FALSE;
+	}
+
+	pkcs11_library_trim(info.manufacturerID,
+			strnlen(info.manufacturerID, sizeof(info.manufacturerID)));
+	pkcs11_library_trim(info.libraryDescription,
+			strnlen(info.libraryDescription, sizeof(info.libraryDescription)));
+
+	DBG1(DBG_CFG, "loaded PKCS#11 v%d.%d library '%s' (%s)",
+		 info.cryptokiVersion.major, info.cryptokiVersion.minor, name, file);
+	DBG1(DBG_CFG, "  %s: %s v%d.%d",
+		 info.manufacturerID, info.libraryDescription,
+		 info.libraryVersion.major, info.libraryVersion.minor);
+	if (args.flags & CKF_OS_LOCKING_OK)
+	{
+		DBG1(DBG_CFG, "  uses OS locking functions");
+	}
+	return TRUE;
+}
+
+/**
+ * See header
+ */
+pkcs11_library_t *pkcs11_library_create(char *name, char *file)
+{
+	private_pkcs11_library_t *this;
+
+	INIT(this,
+		.public = {
+			.get_name = _get_name,
+			.create_object_enumerator = _create_object_enumerator,
+			.create_mechanism_enumerator = _create_mechanism_enumerator,
+			.destroy = _destroy,
+		},
+		.name = name,
+		.handle = dlopen(file, RTLD_LAZY),
+	);
+
+	if (!this->handle)
+	{
+		DBG1(DBG_CFG, "opening PKCS#11 library failed: %s", dlerror());
+		free(this);
+		return NULL;
+	}
+
+	if (!initialize(this, name, file))
+	{
+		dlclose(this->handle);
+		free(this);
+		return NULL;
+	}
+
+	return &this->public;
+}
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_library.h b/src/libstrongswan/plugins/pkcs11/pkcs11_library.h
new file mode 100644
index 000000000..1457d24d4
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_library.h
@@ -0,0 +1,110 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pkcs11_library pkcs11_library
+ * @{ @ingroup pkcs11
+ */
+
+#ifndef PKCS11_LIBRARY_H_
+#define PKCS11_LIBRARY_H_
+
+typedef struct pkcs11_library_t pkcs11_library_t;
+
+#include "pkcs11.h"
+
+#include <enum.h>
+#include <utils/enumerator.h>
+
+/**
+ * A loaded and initialized PKCS#11 library.
+ */
+struct pkcs11_library_t {
+
+	/**
+	 * PKCS#11 function list, as returned by C_GetFunctionList
+	 */
+	CK_FUNCTION_LIST_PTR f;
+
+	/**
+	 * Get the name this instance was created with.
+	 *
+	 * @return			name, as passed to constructor
+	 */
+	char* (*get_name)(pkcs11_library_t *this);
+
+	/**
+	 * Create an enumerator over CK_OBJECT_HANDLE using a search template.
+	 *
+	 * An optional attribute array is automatically filled in with the
+	 * objects associated attributes. If the value of an output attribute
+	 * is NULL, the value gets allocated/freed during enumeration.
+	 *
+	 * @param session	session to use
+	 * @param tmpl		search template
+	 * @param tcount 	number of attributes in the search template
+	 * @param attr		attributes to read from object
+	 * @param acount	number of attributes to read
+	 */
+	enumerator_t* (*create_object_enumerator)(pkcs11_library_t *this,
+			CK_SESSION_HANDLE session, CK_ATTRIBUTE_PTR tmpl, CK_ULONG tcount,
+			CK_ATTRIBUTE_PTR attr, CK_ULONG acount);
+
+	/**
+	 * Create an enumerator over supported mechanisms of a token.
+	 *
+	 * The resulting enumerator enumerates over the mechanism type, and if
+	 * a non-NULL pointer is given, over the mechanism info details.
+	 *
+	 * @param slot		slot of the token
+	 * @return			enumerator over (CK_MECHANISM_TYPE, CK_MECHANISM_INFO)
+	 */
+	enumerator_t* (*create_mechanism_enumerator)(pkcs11_library_t *this,
+												 CK_SLOT_ID slot);
+
+	/**
+	 * Destroy a pkcs11_library_t.
+	 */
+	void (*destroy)(pkcs11_library_t *this);
+};
+
+/**
+ * Enum names for CK_RV return values
+ */
+extern enum_name_t *ck_rv_names;
+
+/**
+ * Enum names for CK_MECHANISM_TYPE values
+ */
+extern enum_name_t *ck_mech_names;
+
+/**
+ * Trim/null terminate a string returned by the varius PKCS#11 functions.
+ *
+ * @param str		string to trim
+ * @param len		max length of the string
+ */
+void pkcs11_library_trim(char *str, int len);
+
+/**
+ * Create a pkcs11_library instance.
+ *
+ * @param name		an arbitrary name, for debugging
+ * @param file		pkcs11 library file to dlopen()
+ * @return			library abstraction
+ */
+pkcs11_library_t *pkcs11_library_create(char *name, char *file);
+
+#endif /** PKCS11_LIBRARY_H_ @}*/
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_manager.c b/src/libstrongswan/plugins/pkcs11/pkcs11_manager.c
new file mode 100644
index 000000000..0c27600a6
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_manager.c
@@ -0,0 +1,407 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "pkcs11_manager.h"
+
+#include <debug.h>
+#include <utils/linked_list.h>
+#include <threading/thread.h>
+
+#include "pkcs11_library.h"
+
+#include <processing/jobs/callback_job.h>
+
+typedef struct private_pkcs11_manager_t private_pkcs11_manager_t;
+
+/**
+ * Private data of an pkcs11_manager_t object.
+ */
+struct private_pkcs11_manager_t {
+
+	/**
+	 * Public pkcs11_manager_t interface.
+	 */
+	pkcs11_manager_t public;
+
+	/**
+	 * List of loaded libraries, as lib_entry_t
+	 */
+	linked_list_t *libs;
+
+	/**
+	 * Slot event callback function
+	 */
+	pkcs11_manager_token_event_t cb;
+
+	/**
+	 * Slot event user data
+	 */
+	void *data;
+};
+
+/**
+ * Entry for a loaded library
+ */
+typedef struct {
+	/* back reference to this */
+	private_pkcs11_manager_t *this;
+	/* associated library path */
+	char *path;
+	/* loaded library */
+	pkcs11_library_t *lib;
+	/* event dispatcher job */
+	callback_job_t *job;
+} lib_entry_t;
+
+/**
+ * Destroy a lib_entry_t
+ */
+static void lib_entry_destroy(lib_entry_t *entry)
+{
+	if (entry->job)
+	{
+		entry->job->cancel(entry->job);
+	}
+	entry->lib->destroy(entry->lib);
+	free(entry);
+}
+
+/**
+ * Print supported mechanisms of a token in a slot
+ */
+static void print_mechs(lib_entry_t *entry, CK_SLOT_ID slot)
+{
+	enumerator_t *enumerator;
+	CK_MECHANISM_TYPE type;
+	CK_MECHANISM_INFO info;
+
+	enumerator = entry->lib->create_mechanism_enumerator(entry->lib, slot);
+	while (enumerator->enumerate(enumerator, &type, &info))
+	{
+		DBG2(DBG_CFG, "      %N %lu-%lu [ %s%s%s%s%s%s%s%s%s%s%s%s%s]",
+			ck_mech_names, type,
+			info.ulMinKeySize, info.ulMaxKeySize,
+			info.flags & CKF_HW ? "HW " : "",
+			info.flags & CKF_ENCRYPT ? "ENCR " : "",
+			info.flags & CKF_DECRYPT ? "DECR " : "",
+			info.flags & CKF_DIGEST ? "DGST " : "",
+			info.flags & CKF_SIGN ? "SIGN " : "",
+			info.flags & CKF_SIGN_RECOVER ? "SIGN_RCVR " : "",
+			info.flags & CKF_VERIFY ? "VRFY " : "",
+			info.flags & CKF_VERIFY_RECOVER ? "VRFY_RCVR " : "",
+			info.flags & CKF_GENERATE ? "GEN " : "",
+			info.flags & CKF_GENERATE_KEY_PAIR ? "GEN_KEY_PAIR " : "",
+			info.flags & CKF_WRAP ? "WRAP " : "",
+			info.flags & CKF_UNWRAP ? "UNWRAP " : "",
+			info.flags & CKF_DERIVE ? "DERIVE " : "");
+	}
+	enumerator->destroy(enumerator);
+}
+
+/**
+ * Handle a token
+ */
+static void handle_token(lib_entry_t *entry, CK_SLOT_ID slot)
+{
+	CK_TOKEN_INFO info;
+	CK_RV rv;
+
+	rv = entry->lib->f->C_GetTokenInfo(slot, &info);
+	if (rv != CKR_OK)
+	{
+		DBG1(DBG_CFG, "C_GetTokenInfo failed: %N", ck_rv_names, rv);
+		return;
+	}
+	pkcs11_library_trim(info.label, sizeof(info.label));
+	pkcs11_library_trim(info.manufacturerID, sizeof(info.manufacturerID));
+	pkcs11_library_trim(info.model, sizeof(info.model));
+	DBG1(DBG_CFG, "    %s (%s: %s)",
+		 info.label, info.manufacturerID, info.model);
+
+	print_mechs(entry, slot);
+}
+
+/**
+ * Handle slot changes
+ */
+static void handle_slot(lib_entry_t *entry, CK_SLOT_ID slot, bool hot)
+{
+	CK_SLOT_INFO info;
+	CK_RV rv;
+
+	rv = entry->lib->f->C_GetSlotInfo(slot, &info);
+	if (rv != CKR_OK)
+	{
+		DBG1(DBG_CFG, "C_GetSlotInfo failed: %N", ck_rv_names, rv);
+		return;
+	}
+
+	pkcs11_library_trim(info.slotDescription, sizeof(info.slotDescription));
+	if (info.flags & CKF_TOKEN_PRESENT)
+	{
+		DBG1(DBG_CFG, "  found token in slot '%s':%lu (%s)",
+			 entry->lib->get_name(entry->lib), slot, info.slotDescription);
+		handle_token(entry, slot);
+		if (hot)
+		{
+			entry->this->cb(entry->this->data, entry->lib, slot, TRUE);
+		}
+	}
+	else
+	{
+		DBG1(DBG_CFG, "token removed from slot '%s':%lu (%s)",
+			 entry->lib->get_name(entry->lib), slot, info.slotDescription);
+		if (hot)
+		{
+			entry->this->cb(entry->this->data, entry->lib, slot, FALSE);
+		}
+	}
+}
+
+/**
+ * Dispatch slot events
+ */
+static job_requeue_t dispatch_slot_events(lib_entry_t *entry)
+{
+	CK_SLOT_ID slot;
+	CK_RV rv;
+	bool old;
+
+	old = thread_cancelability(TRUE);
+	rv = entry->lib->f->C_WaitForSlotEvent(0, &slot, NULL);
+	thread_cancelability(old);
+	if (rv == CKR_FUNCTION_NOT_SUPPORTED || rv == CKR_NO_EVENT)
+	{
+		DBG1(DBG_CFG, "module '%s' does not support hot-plugging, cancelled",
+			 entry->lib->get_name(entry->lib));
+		return JOB_REQUEUE_NONE;
+	}
+	if (rv == CKR_CRYPTOKI_NOT_INITIALIZED)
+	{	/* C_Finalize called, abort */
+		return JOB_REQUEUE_NONE;
+	}
+	if (rv != CKR_OK)
+	{
+		DBG1(DBG_CFG, "error in C_WaitForSlotEvent: %N", ck_rv_names, rv);
+	}
+	handle_slot(entry, slot, TRUE);
+
+	return JOB_REQUEUE_DIRECT;
+}
+
+/**
+ * End dispatching, unset job
+ */
+static void end_dispatch(lib_entry_t *entry)
+{
+	entry->job = NULL;
+}
+
+/**
+ * Get the slot list of a library
+ */
+static CK_SLOT_ID_PTR get_slot_list(pkcs11_library_t *p11, CK_ULONG *out)
+{
+	CK_SLOT_ID_PTR slots;
+	CK_ULONG count;
+	CK_RV rv;
+
+	rv = p11->f->C_GetSlotList(TRUE, NULL, &count);
+	if (rv != CKR_OK)
+	{
+		DBG1(DBG_CFG, "C_GetSlotList() failed: %N", ck_rv_names, rv);
+		return NULL;
+	}
+	if (count == 0)
+	{
+		return NULL;
+	}
+	slots = malloc(sizeof(CK_SLOT_ID) * count);
+	rv = p11->f->C_GetSlotList(TRUE, slots, &count);
+	if (rv != CKR_OK)
+	{
+		DBG1(DBG_CFG, "C_GetSlotList() failed: %N", ck_rv_names, rv);
+		free(slots);
+		return NULL;
+	}
+	*out = count;
+	return slots;
+}
+
+/**
+ * Query the slots for tokens
+ */
+static void query_slots(lib_entry_t *entry)
+{
+	CK_ULONG count;
+	CK_SLOT_ID_PTR slots;
+	int i;
+
+	slots = get_slot_list(entry->lib, &count);
+	if (slots)
+	{
+		for (i = 0; i < count; i++)
+		{
+			handle_slot(entry, slots[i], FALSE);
+		}
+		free(slots);
+	}
+}
+
+/**
+ * Token enumerator
+ */
+typedef struct {
+	/* implements enumerator */
+	enumerator_t public;
+	/* inner enumerator over PKCS#11 libraries */
+	enumerator_t *inner;
+	/* active library entry */
+	lib_entry_t *entry;
+	/* slot list with tokens */
+	CK_SLOT_ID_PTR slots;
+	/* number of slots */
+	CK_ULONG count;
+	/* current slot */
+	int current;
+} token_enumerator_t;
+
+METHOD(enumerator_t, enumerate_token, bool,
+	token_enumerator_t *this, pkcs11_library_t **out, CK_SLOT_ID *slot)
+{
+	if (this->current >= this->count)
+	{
+		free(this->slots);
+		this->slots = NULL;
+		this->current = 0;
+	}
+	while (!this->slots)
+	{
+		if (!this->inner->enumerate(this->inner, &this->entry))
+		{
+			return FALSE;
+		}
+		this->slots = get_slot_list(this->entry->lib, &this->count);
+	}
+	*out = this->entry->lib;
+	*slot = this->slots[this->current++];
+	return TRUE;
+}
+
+METHOD(enumerator_t, destroy_token, void,
+	token_enumerator_t *this)
+{
+	this->inner->destroy(this->inner);
+	free(this->slots);
+	free(this);
+}
+
+METHOD(pkcs11_manager_t, create_token_enumerator, enumerator_t*,
+	private_pkcs11_manager_t *this)
+{
+	token_enumerator_t *enumerator;
+
+	INIT(enumerator,
+		.public = {
+			.enumerate = (void*)_enumerate_token,
+			.destroy = _destroy_token,
+		},
+		.inner = this->libs->create_enumerator(this->libs),
+	);
+	return &enumerator->public;
+}
+
+/**
+ * Singleton instance
+ */
+static private_pkcs11_manager_t *singleton = NULL;
+
+METHOD(pkcs11_manager_t, destroy, void,
+	private_pkcs11_manager_t *this)
+{
+	this->libs->destroy_function(this->libs, (void*)lib_entry_destroy);
+	free(this);
+	singleton = NULL;
+}
+
+/**
+ * See header
+ */
+pkcs11_manager_t *pkcs11_manager_create(pkcs11_manager_token_event_t cb,
+										void *data)
+{
+	private_pkcs11_manager_t *this;
+	enumerator_t *enumerator;
+	lib_entry_t *entry;
+	char *module;
+
+	INIT(this,
+		.public = {
+			.create_token_enumerator = _create_token_enumerator,
+			.destroy = _destroy,
+		},
+		.libs = linked_list_create(),
+		.cb = cb,
+		.data = data,
+	);
+
+	enumerator = lib->settings->create_section_enumerator(lib->settings,
+										"libstrongswan.plugins.pkcs11.modules");
+	while (enumerator->enumerate(enumerator, &module))
+	{
+		INIT(entry,
+			.this = this,
+		);
+
+		entry->path = lib->settings->get_str(lib->settings,
+				"libstrongswan.plugins.pkcs11.modules.%s.path", NULL, module);
+		if (!entry->path)
+		{
+			DBG1(DBG_CFG, "PKCS11 module '%s' misses library path", module);
+			free(entry);
+			continue;
+		}
+		entry->lib = pkcs11_library_create(module, entry->path);
+		if (!entry->lib)
+		{
+			free(entry);
+			continue;
+		}
+		this->libs->insert_last(this->libs, entry);
+	}
+	enumerator->destroy(enumerator);
+
+	singleton = this;
+
+	enumerator = this->libs->create_enumerator(this->libs);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		query_slots(entry);
+		entry->job = callback_job_create((void*)dispatch_slot_events,
+										 entry, (void*)end_dispatch, NULL);
+		lib->processor->queue_job(lib->processor, (job_t*)entry->job);
+	}
+	enumerator->destroy(enumerator);
+
+	return &this->public;
+}
+
+/**
+ * See header
+ */
+pkcs11_manager_t *pkcs11_manager_get()
+{
+	return (pkcs11_manager_t*)singleton;
+}
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_manager.h b/src/libstrongswan/plugins/pkcs11/pkcs11_manager.h
new file mode 100644
index 000000000..b80d67324
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_manager.h
@@ -0,0 +1,78 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pkcs11_manager pkcs11_manager
+ * @{ @ingroup pkcs11
+ */
+
+#ifndef PKCS11_MANAGER_H_
+#define PKCS11_MANAGER_H_
+
+typedef struct pkcs11_manager_t pkcs11_manager_t;
+
+#include <library.h>
+
+#include "pkcs11_library.h"
+
+/**
+ * Token event callback function.
+ *
+ * @param data		user supplied data, as passed to pkcs11_manager_create()
+ * @param p11		loaded PKCS#11 library token belongs to
+ * @param slot		slot number the event occured in
+ * @param add		TRUE if token was added to the slot, FALSE if removed
+ */
+typedef void (*pkcs11_manager_token_event_t)(void *data, pkcs11_library_t *p11,
+											 CK_SLOT_ID slot, bool add);
+
+
+/**
+ * Manages multiple PKCS#11 libraries with hot pluggable slots
+ */
+struct pkcs11_manager_t {
+
+	/**
+	 * Create an enumerator over all tokens.
+	 *
+	 * @return			enumerator over (pkcs11_library_t*,CK_SLOT_ID)
+	 */
+	enumerator_t* (*create_token_enumerator)(pkcs11_manager_t *this);
+
+	/**
+	 * Destroy a pkcs11_manager_t.
+	 */
+	void (*destroy)(pkcs11_manager_t *this);
+};
+
+/**
+ * Create a pkcs11_manager instance.
+ *
+ * @param cb		token event callback function
+ * @param data		user data to pass to token event callback
+ * @return			instance
+ */
+pkcs11_manager_t *pkcs11_manager_create(pkcs11_manager_token_event_t cb,
+										void *data);
+
+
+/**
+ * Get the singleton instance of the manager
+ *
+ * @return			instance, NULL if none available
+ */
+pkcs11_manager_t *pkcs11_manager_get();
+
+#endif /** PKCS11_MANAGER_H_ @}*/
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c b/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c
new file mode 100644
index 000000000..ace405c23
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c
@@ -0,0 +1,176 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "pkcs11_plugin.h"
+
+#include <library.h>
+#include <debug.h>
+#include <utils/linked_list.h>
+#include <threading/mutex.h>
+
+#include "pkcs11_manager.h"
+#include "pkcs11_creds.h"
+#include "pkcs11_private_key.h"
+#include "pkcs11_public_key.h"
+#include "pkcs11_hasher.h"
+
+typedef struct private_pkcs11_plugin_t private_pkcs11_plugin_t;
+
+/**
+ * private data of pkcs11_plugin
+ */
+struct private_pkcs11_plugin_t {
+
+	/**
+	 * public functions
+	 */
+	pkcs11_plugin_t public;
+
+	/**
+	 * PKCS#11 library/slot manager
+	 */
+	pkcs11_manager_t *manager;
+
+	/**
+	 * List of credential sets, pkcs11_creds_t
+	 */
+	linked_list_t *creds;
+
+	/**
+	 * mutex to lock list
+	 */
+	mutex_t *mutex;
+};
+
+/**
+ * Token event callback function
+ */
+static void token_event_cb(private_pkcs11_plugin_t *this, pkcs11_library_t *p11,
+						   CK_SLOT_ID slot, bool add)
+{
+	enumerator_t *enumerator;
+	pkcs11_creds_t *creds, *found = NULL;;
+
+	if (add)
+	{
+		creds = pkcs11_creds_create(p11, slot);
+		if (creds)
+		{
+			this->mutex->lock(this->mutex);
+			this->creds->insert_last(this->creds, creds);
+			this->mutex->unlock(this->mutex);
+			lib->credmgr->add_set(lib->credmgr, &creds->set);
+		}
+	}
+	else
+	{
+		this->mutex->lock(this->mutex);
+		enumerator = this->creds->create_enumerator(this->creds);
+		while (enumerator->enumerate(enumerator, &creds))
+		{
+			if (creds->get_library(creds) == p11 &&
+				creds->get_slot(creds) == slot)
+			{
+				found = creds;
+				this->creds->remove_at(this->creds, enumerator);
+				break;
+			}
+		}
+		enumerator->destroy(enumerator);
+		this->mutex->unlock(this->mutex);
+
+		if (found)
+		{
+			lib->credmgr->remove_set(lib->credmgr, &found->set);
+			found->destroy(found);
+			/* flush the cache after a token is gone */
+			lib->credmgr->flush_cache(lib->credmgr, CERT_X509);
+		}
+	}
+}
+
+METHOD(plugin_t, destroy, void,
+	private_pkcs11_plugin_t *this)
+{
+	pkcs11_creds_t *creds;
+
+	lib->creds->remove_builder(lib->creds,
+							(builder_function_t)pkcs11_private_key_connect);
+	while (this->creds->remove_last(this->creds, (void**)&creds) == SUCCESS)
+	{
+		lib->credmgr->remove_set(lib->credmgr, &creds->set);
+		creds->destroy(creds);
+	}
+	lib->crypto->remove_hasher(lib->crypto,
+							(hasher_constructor_t)pkcs11_hasher_create);
+	this->creds->destroy(this->creds);
+	this->manager->destroy(this->manager);
+	this->mutex->destroy(this->mutex);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *pkcs11_plugin_create()
+{
+	private_pkcs11_plugin_t *this;
+	enumerator_t *enumerator;
+	pkcs11_library_t *p11;
+	CK_SLOT_ID slot;
+
+	INIT(this,
+		.public = {
+			.plugin = {
+				.destroy = _destroy,
+			},
+		},
+		.creds = linked_list_create(),
+		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+	);
+
+	this->manager = pkcs11_manager_create((void*)token_event_cb, this);
+
+	if (lib->settings->get_bool(lib->settings,
+							"libstrongswan.plugins.pkcs11.use_hasher", FALSE))
+	{
+		lib->crypto->add_hasher(lib->crypto, HASH_MD2,
+					(hasher_constructor_t)pkcs11_hasher_create);
+		lib->crypto->add_hasher(lib->crypto, HASH_MD5,
+					(hasher_constructor_t)pkcs11_hasher_create);
+		lib->crypto->add_hasher(lib->crypto, HASH_SHA1,
+					(hasher_constructor_t)pkcs11_hasher_create);
+		lib->crypto->add_hasher(lib->crypto, HASH_SHA256,
+					(hasher_constructor_t)pkcs11_hasher_create);
+		lib->crypto->add_hasher(lib->crypto, HASH_SHA384,
+					(hasher_constructor_t)pkcs11_hasher_create);
+		lib->crypto->add_hasher(lib->crypto, HASH_SHA512,
+					(hasher_constructor_t)pkcs11_hasher_create);
+	}
+
+	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_ANY, FALSE,
+							(builder_function_t)pkcs11_private_key_connect);
+	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_RSA, TRUE,
+							(builder_function_t)pkcs11_public_key_load);
+
+	enumerator = this->manager->create_token_enumerator(this->manager);
+	while (enumerator->enumerate(enumerator, &p11, &slot))
+	{
+		token_event_cb(this, p11, slot, TRUE);
+	}
+	enumerator->destroy(enumerator);
+
+	return &this->public.plugin;
+}
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.h b/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.h
new file mode 100644
index 000000000..432e2173a
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pkcs11 pkcs11
+ * @ingroup plugins
+ *
+ * @defgroup pkcs11_plugin pkcs11_plugin
+ * @{ @ingroup pkcs11
+ */
+
+#ifndef PKCS11_PLUGIN_H_
+#define PKCS11_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct pkcs11_plugin_t pkcs11_plugin_t;
+
+/**
+ * Plugin providing PKCS#11 token support.
+ */
+struct pkcs11_plugin_t {
+
+	/**
+	 * Implements plugin interface,
+	 */
+	plugin_t plugin;
+};
+
+#endif /** PKCS11_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c b/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c
new file mode 100644
index 000000000..cabca3f54
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c
@@ -0,0 +1,600 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "pkcs11_private_key.h"
+
+#include "pkcs11_library.h"
+#include "pkcs11_manager.h"
+
+#include <debug.h>
+#include <threading/mutex.h>
+
+typedef struct private_pkcs11_private_key_t private_pkcs11_private_key_t;
+
+/**
+ * Private data of an pkcs11_private_key_t object.
+ */
+struct private_pkcs11_private_key_t {
+
+	/**
+	 * Public pkcs11_private_key_t interface.
+	 */
+	pkcs11_private_key_t public;
+
+	/**
+	 * PKCS#11 module
+	 */
+	pkcs11_library_t *lib;
+
+	/**
+	 * Token session
+	 */
+	CK_SESSION_HANDLE session;
+
+	/**
+	 * Mutex to lock session
+	 */
+	mutex_t *mutex;
+
+	/**
+	 * Key object on the token
+	 */
+	CK_OBJECT_HANDLE object;
+
+	/**
+	 * Key requires reauthentication for each signature/decryption
+	 */
+	CK_BBOOL reauth;
+
+	/**
+	 * Keyid of the key we use
+	 */
+	identification_t *keyid;
+
+	/**
+	 * Associated public key
+	 */
+	public_key_t *pubkey;
+
+	/**
+	 * References to this key
+	 */
+	refcount_t ref;
+};
+
+METHOD(private_key_t, get_type, key_type_t,
+	private_pkcs11_private_key_t *this)
+{
+	return this->pubkey->get_type(this->pubkey);
+}
+
+METHOD(private_key_t, get_keysize, int,
+	private_pkcs11_private_key_t *this)
+{
+	return this->pubkey->get_keysize(this->pubkey);
+}
+
+/**
+ * See header.
+ */
+CK_MECHANISM_PTR pkcs11_signature_scheme_to_mech(signature_scheme_t scheme)
+{
+	static struct {
+		signature_scheme_t scheme;
+		CK_MECHANISM mechanism;
+	} mappings[] = {
+		{SIGN_RSA_EMSA_PKCS1_NULL,		{CKM_RSA_PKCS,				NULL, 0}},
+		{SIGN_RSA_EMSA_PKCS1_SHA1,		{CKM_SHA1_RSA_PKCS,			NULL, 0}},
+		{SIGN_RSA_EMSA_PKCS1_SHA256,	{CKM_SHA256_RSA_PKCS,		NULL, 0}},
+		{SIGN_RSA_EMSA_PKCS1_SHA384,	{CKM_SHA384_RSA_PKCS,		NULL, 0}},
+		{SIGN_RSA_EMSA_PKCS1_SHA512,	{CKM_SHA512_RSA_PKCS,		NULL, 0}},
+		{SIGN_RSA_EMSA_PKCS1_MD5,		{CKM_MD5_RSA_PKCS,			NULL, 0}},
+	};
+	int i;
+
+	for (i = 0; i < countof(mappings); i++)
+	{
+		if (mappings[i].scheme == scheme)
+		{
+			return &mappings[i].mechanism;
+		}
+	}
+	return NULL;
+}
+
+/**
+ * See header.
+ */
+CK_MECHANISM_PTR pkcs11_encryption_scheme_to_mech(encryption_scheme_t scheme)
+{
+	static struct {
+		encryption_scheme_t scheme;
+		CK_MECHANISM mechanism;
+	} mappings[] = {
+		{ENCRYPT_RSA_PKCS1,			{CKM_RSA_PKCS,				NULL, 0}},
+		{ENCRYPT_RSA_OAEP_SHA1,		{CKM_RSA_PKCS_OAEP,			NULL, 0}},
+	};
+	int i;
+
+	for (i = 0; i < countof(mappings); i++)
+	{
+		if (mappings[i].scheme == scheme)
+		{
+			return &mappings[i].mechanism;
+		}
+	}
+	return NULL;
+}
+
+/**
+ * Reauthenticate to do a signature
+ */
+static bool reauth(private_pkcs11_private_key_t *this)
+{
+	enumerator_t *enumerator;
+	shared_key_t *shared;
+	chunk_t pin;
+	CK_RV rv;
+	bool found = FALSE, success = FALSE;
+
+	enumerator = lib->credmgr->create_shared_enumerator(lib->credmgr,
+												SHARED_PIN, this->keyid, NULL);
+	while (enumerator->enumerate(enumerator, &shared, NULL, NULL))
+	{
+		found = TRUE;
+		pin = shared->get_key(shared);
+		rv = this->lib->f->C_Login(this->session, CKU_CONTEXT_SPECIFIC,
+								   pin.ptr, pin.len);
+		if (rv == CKR_OK)
+		{
+			success = TRUE;
+			break;
+		}
+		DBG1(DBG_CFG, "reauthentication login failed: %N", ck_rv_names, rv);
+	}
+	enumerator->destroy(enumerator);
+
+	if (!found)
+	{
+		DBG1(DBG_CFG, "private key requires reauthentication, but no PIN found");
+		return FALSE;
+	}
+	return success;
+}
+
+METHOD(private_key_t, sign, bool,
+	private_pkcs11_private_key_t *this, signature_scheme_t scheme,
+	chunk_t data, chunk_t *signature)
+{
+	CK_MECHANISM_PTR mechanism;
+	CK_BYTE_PTR buf;
+	CK_ULONG len;
+	CK_RV rv;
+
+	mechanism = pkcs11_signature_scheme_to_mech(scheme);
+	if (!mechanism)
+	{
+		DBG1(DBG_LIB, "signature scheme %N not supported",
+			 signature_scheme_names, scheme);
+		return FALSE;
+	}
+	this->mutex->lock(this->mutex);
+	rv = this->lib->f->C_SignInit(this->session, mechanism, this->object);
+	if (this->reauth && !reauth(this))
+	{
+		return FALSE;
+	}
+	if (rv != CKR_OK)
+	{
+		this->mutex->unlock(this->mutex);
+		DBG1(DBG_LIB, "C_SignInit() failed: %N", ck_rv_names, rv);
+		return FALSE;
+	}
+	len = (get_keysize(this) + 7) / 8;
+	buf = malloc(len);
+	rv = this->lib->f->C_Sign(this->session, data.ptr, data.len, buf, &len);
+	this->mutex->unlock(this->mutex);
+	if (rv != CKR_OK)
+	{
+		DBG1(DBG_LIB, "C_Sign() failed: %N", ck_rv_names, rv);
+		free(buf);
+		return FALSE;
+	}
+	*signature = chunk_create(buf, len);
+	return TRUE;
+}
+
+METHOD(private_key_t, decrypt, bool,
+	private_pkcs11_private_key_t *this, encryption_scheme_t scheme,
+	chunk_t crypt, chunk_t *plain)
+{
+	CK_MECHANISM_PTR mechanism;
+	CK_BYTE_PTR buf;
+	CK_ULONG len;
+	CK_RV rv;
+
+	mechanism = pkcs11_encryption_scheme_to_mech(scheme);
+	if (!mechanism)
+	{
+		DBG1(DBG_LIB, "encryption scheme %N not supported",
+			 encryption_scheme_names, scheme);
+		return FALSE;
+	}
+	this->mutex->lock(this->mutex);
+	rv = this->lib->f->C_DecryptInit(this->session, mechanism, this->object);
+	if (this->reauth && !reauth(this))
+	{
+		return FALSE;
+	}
+	if (rv != CKR_OK)
+	{
+		this->mutex->unlock(this->mutex);
+		DBG1(DBG_LIB, "C_DecryptInit() failed: %N", ck_rv_names, rv);
+		return FALSE;
+	}
+	len = (get_keysize(this) + 7) / 8;
+	buf = malloc(len);
+	rv = this->lib->f->C_Decrypt(this->session, crypt.ptr, crypt.len, buf, &len);
+	this->mutex->unlock(this->mutex);
+	if (rv != CKR_OK)
+	{
+		DBG1(DBG_LIB, "C_Decrypt() failed: %N", ck_rv_names, rv);
+		free(buf);
+		return FALSE;
+	}
+	*plain = chunk_create(buf, len);
+	return TRUE;
+}
+
+METHOD(private_key_t, get_public_key, public_key_t*,
+	private_pkcs11_private_key_t *this)
+{
+	return this->pubkey->get_ref(this->pubkey);
+}
+
+METHOD(private_key_t, get_fingerprint, bool,
+	private_pkcs11_private_key_t *this, cred_encoding_type_t type,
+	chunk_t *fingerprint)
+{
+	return this->pubkey->get_fingerprint(this->pubkey, type, fingerprint);
+}
+
+METHOD(private_key_t, get_encoding, bool,
+	private_pkcs11_private_key_t *this, cred_encoding_type_t type,
+	chunk_t *encoding)
+{
+	return FALSE;
+}
+
+METHOD(private_key_t, get_ref, private_key_t*,
+	private_pkcs11_private_key_t *this)
+{
+	ref_get(&this->ref);
+	return &this->public.key;
+}
+
+METHOD(private_key_t, destroy, void,
+	private_pkcs11_private_key_t *this)
+{
+	if (ref_put(&this->ref))
+	{
+		if (this->pubkey)
+		{
+			this->pubkey->destroy(this->pubkey);
+		}
+		this->mutex->destroy(this->mutex);
+		this->keyid->destroy(this->keyid);
+		this->lib->f->C_CloseSession(this->session);
+		free(this);
+	}
+}
+
+/**
+ * Find the PKCS#11 library by its friendly name
+ */
+static pkcs11_library_t* find_lib(char *module)
+{
+	pkcs11_manager_t *manager;
+	enumerator_t *enumerator;
+	pkcs11_library_t *p11, *found = NULL;
+	CK_SLOT_ID slot;
+
+	manager = pkcs11_manager_get();
+	if (!manager)
+	{
+		return NULL;
+	}
+	enumerator = manager->create_token_enumerator(manager);
+	while (enumerator->enumerate(enumerator, &p11, &slot))
+	{
+		if (streq(module, p11->get_name(p11)))
+		{
+			found = p11;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return found;
+}
+
+/**
+ * Find the PKCS#11 lib having a keyid, and optionally a slot
+ */
+static pkcs11_library_t* find_lib_by_keyid(chunk_t keyid, int *slot)
+{
+	pkcs11_manager_t *manager;
+	enumerator_t *enumerator;
+	pkcs11_library_t *p11, *found = NULL;
+	CK_SLOT_ID current;
+
+	manager = pkcs11_manager_get();
+	if (!manager)
+	{
+		return NULL;
+	}
+	enumerator = manager->create_token_enumerator(manager);
+	while (enumerator->enumerate(enumerator, &p11, &current))
+	{
+		if (*slot == -1 || *slot == current)
+		{
+			/* we look for a public key, it is usually readable without login */
+			CK_OBJECT_CLASS class = CKO_PUBLIC_KEY;
+			CK_ATTRIBUTE tmpl[] = {
+				{CKA_CLASS, &class, sizeof(class)},
+				{CKA_ID, keyid.ptr, keyid.len},
+			};
+			CK_OBJECT_HANDLE object;
+			CK_SESSION_HANDLE session;
+			CK_RV rv;
+			enumerator_t *keys;
+
+			rv = p11->f->C_OpenSession(current, CKF_SERIAL_SESSION, NULL, NULL,
+									   &session);
+			if (rv != CKR_OK)
+			{
+				DBG1(DBG_CFG, "opening PKCS#11 session failed: %N",
+					 ck_rv_names, rv);
+				continue;
+			}
+			keys = p11->create_object_enumerator(p11, session,
+												 tmpl, countof(tmpl), NULL, 0);
+			if (keys->enumerate(keys, &object))
+			{
+				DBG1(DBG_CFG, "found key on PKCS#11 token '%s':%d",
+					 p11->get_name(p11), current);
+				found = p11;
+				*slot = current;
+			}
+			keys->destroy(keys);
+			p11->f->C_CloseSession(session);
+			if (found)
+			{
+				break;
+			}
+		}
+	}
+	enumerator->destroy(enumerator);
+	return found;
+}
+
+/**
+ * Find the key on the token
+ */
+static bool find_key(private_pkcs11_private_key_t *this, chunk_t keyid)
+{
+	CK_OBJECT_CLASS class = CKO_PRIVATE_KEY;
+	CK_ATTRIBUTE tmpl[] = {
+		{CKA_CLASS, &class, sizeof(class)},
+		{CKA_ID, keyid.ptr, keyid.len},
+	};
+	CK_OBJECT_HANDLE object;
+	CK_KEY_TYPE type;
+	CK_BBOOL reauth;
+	CK_ATTRIBUTE attr[] = {
+		{CKA_KEY_TYPE, &type, sizeof(type)},
+		{CKA_ALWAYS_AUTHENTICATE, &reauth, sizeof(reauth)},
+		{CKA_MODULUS, NULL, 0},
+		{CKA_PUBLIC_EXPONENT, NULL, 0},
+	};
+	enumerator_t *enumerator;
+	chunk_t modulus, pubexp;
+
+	enumerator = this->lib->create_object_enumerator(this->lib,
+						this->session, tmpl, countof(tmpl), attr, countof(attr));
+	if (enumerator->enumerate(enumerator, &object))
+	{
+		switch (type)
+		{
+			case CKK_RSA:
+				if (attr[2].ulValueLen == -1 || attr[3].ulValueLen == -1)
+				{
+					DBG1(DBG_CFG, "reading modulus/exponent from PKCS#1 failed");
+					break;
+				}
+				modulus = chunk_create(attr[2].pValue, attr[2].ulValueLen);
+				pubexp = chunk_create(attr[3].pValue, attr[3].ulValueLen);
+				this->pubkey = lib->creds->create(lib->creds, CRED_PUBLIC_KEY,
+									KEY_RSA, BUILD_RSA_MODULUS, modulus,
+									BUILD_RSA_PUB_EXP, pubexp, BUILD_END);
+				if (!this->pubkey)
+				{
+					DBG1(DBG_CFG, "extracting public key from PKCS#11 RSA "
+						 "private key failed");
+				}
+				this->reauth = reauth;
+				this->object = object;
+				break;
+			default:
+				DBG1(DBG_CFG, "PKCS#11 key type %d not supported", type);
+				break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return this->pubkey != NULL;
+}
+
+/**
+ * Find a PIN and try to log in
+ */
+static bool login(private_pkcs11_private_key_t *this, int slot)
+{
+	enumerator_t *enumerator;
+	shared_key_t *shared;
+	chunk_t pin;
+	CK_RV rv;
+	CK_SESSION_INFO info;
+	bool found = FALSE, success = FALSE;
+
+	rv = this->lib->f->C_GetSessionInfo(this->session, &info);
+	if (rv != CKR_OK)
+	{
+		DBG1(DBG_CFG, "C_GetSessionInfo failed: %N", ck_rv_names, rv);
+		return FALSE;
+	}
+	if (info.state != CKS_RO_PUBLIC_SESSION &&
+		info.state != CKS_RW_PUBLIC_SESSION)
+	{	/* already logged in with another session, skip */
+		return TRUE;
+	}
+
+	enumerator = lib->credmgr->create_shared_enumerator(lib->credmgr,
+												SHARED_PIN, this->keyid, NULL);
+	while (enumerator->enumerate(enumerator, &shared, NULL, NULL))
+	{
+		found = TRUE;
+		pin = shared->get_key(shared);
+		rv = this->lib->f->C_Login(this->session, CKU_USER, pin.ptr, pin.len);
+		if (rv == CKR_OK)
+		{
+			success = TRUE;
+			break;
+		}
+		DBG1(DBG_CFG, "login to '%s':%d failed: %N",
+			 this->lib->get_name(this->lib), slot, ck_rv_names, rv);
+	}
+	enumerator->destroy(enumerator);
+
+	if (!found)
+	{
+		DBG1(DBG_CFG, "no PIN found for PKCS#11 key %Y", this->keyid);
+		return FALSE;
+	}
+	return success;
+}
+
+/**
+ * See header.
+ */
+pkcs11_private_key_t *pkcs11_private_key_connect(key_type_t type, va_list args)
+{
+	private_pkcs11_private_key_t *this;
+	char *module = NULL;
+	chunk_t keyid = chunk_empty;
+	int slot = -1;
+	CK_RV rv;
+
+	while (TRUE)
+	{
+		switch (va_arg(args, builder_part_t))
+		{
+			case BUILD_PKCS11_KEYID:
+				keyid = va_arg(args, chunk_t);
+				continue;
+			case BUILD_PKCS11_SLOT:
+				slot = va_arg(args, int);
+				continue;
+			case BUILD_PKCS11_MODULE:
+				module = va_arg(args, char*);
+				continue;
+			case BUILD_END:
+				break;
+			default:
+				return NULL;
+		}
+		break;
+	}
+	if (!keyid.len)
+	{
+		return NULL;
+	}
+
+	INIT(this,
+		.public = {
+			.key = {
+				.get_type = _get_type,
+				.sign = _sign,
+				.decrypt = _decrypt,
+				.get_keysize = _get_keysize,
+				.get_public_key = _get_public_key,
+				.equals = private_key_equals,
+				.belongs_to = private_key_belongs_to,
+				.get_fingerprint = _get_fingerprint,
+				.has_fingerprint = private_key_has_fingerprint,
+				.get_encoding = _get_encoding,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+		},
+		.ref = 1,
+	);
+
+	if (module && slot != -1)
+	{
+		this->lib = find_lib(module);
+		if (!this->lib)
+		{
+			DBG1(DBG_CFG, "PKCS#11 module '%s' not found", module);
+			free(this);
+			return NULL;
+		}
+	}
+	else
+	{
+		this->lib = find_lib_by_keyid(keyid, &slot);
+		if (!this->lib)
+		{
+			DBG1(DBG_CFG, "no PKCS#11 module found having a keyid %#B", &keyid);
+			free(this);
+			return NULL;
+		}
+	}
+
+	rv = this->lib->f->C_OpenSession(slot, CKF_SERIAL_SESSION,
+									 NULL, NULL, &this->session);
+	if (rv != CKR_OK)
+	{
+		DBG1(DBG_CFG, "opening private key session on '%s':%d failed: %N",
+			 module, slot, ck_rv_names, rv);
+		free(this);
+		return NULL;
+	}
+
+	this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
+	this->keyid = identification_create_from_encoding(ID_KEY_ID, keyid);
+
+	if (!login(this, slot))
+	{
+		destroy(this);
+		return NULL;
+	}
+
+	if (!find_key(this, keyid))
+	{
+		destroy(this);
+		return NULL;
+	}
+
+	return &this->public;
+}
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.h b/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.h
new file mode 100644
index 000000000..428913f0a
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.h
@@ -0,0 +1,63 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pkcs11_private_key pkcs11_private_key
+ * @{ @ingroup pkcs11
+ */
+
+#ifndef PKCS11_PRIVATE_KEY_H_
+#define PKCS11_PRIVATE_KEY_H_
+
+typedef struct pkcs11_private_key_t pkcs11_private_key_t;
+
+#include <credentials/builder.h>
+#include <credentials/keys/private_key.h>
+
+#include "pkcs11.h"
+
+/**
+ * Private Key implementation on top of PKCS#11.
+ */
+struct pkcs11_private_key_t {
+
+	/**
+	 * Implements private_key_t interface.
+	 */
+	private_key_t key;
+};
+
+/**
+ * Open a private key on a PKCS#11 device.
+ *
+ * Accepts the BUILD_SMARTCARD_KEYID and the BUILD_SMARTCARD_PIN arguments.
+ *
+ * @param type		type of the key
+ * @param args		builder_part_t argument list
+ * @return 			loaded key, NULL on failure
+ */
+pkcs11_private_key_t *pkcs11_private_key_connect(key_type_t type, va_list args);
+
+/**
+ * Get the Cryptoki mechanism for a signature scheme.
+ */
+CK_MECHANISM_PTR pkcs11_signature_scheme_to_mech(signature_scheme_t scheme);
+
+/**
+ * Get the Cryptoki mechanism for a encryption scheme.
+ */
+CK_MECHANISM_PTR pkcs11_encryption_scheme_to_mech(encryption_scheme_t scheme);
+
+#endif /** PKCS11_PRIVATE_KEY_H_ @}*/
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_public_key.c b/src/libstrongswan/plugins/pkcs11/pkcs11_public_key.c
new file mode 100644
index 000000000..8d32d9a3f
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_public_key.c
@@ -0,0 +1,473 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "pkcs11_public_key.h"
+
+#include "pkcs11.h"
+#include "pkcs11_private_key.h"
+#include "pkcs11_manager.h"
+
+#include <debug.h>
+#include <threading/mutex.h>
+
+typedef struct private_pkcs11_public_key_t private_pkcs11_public_key_t;
+
+/**
+ * Private data of an pkcs11_public_key_t object.
+ */
+struct private_pkcs11_public_key_t {
+
+	/**
+	 * Public pkcs11_public_key_t interface.
+	 */
+	pkcs11_public_key_t public;
+
+	/**
+	 * Type of the key
+	 */
+	key_type_t type;
+
+	/**
+	 * Key size in bytes
+	 */
+	size_t k;
+
+	/**
+	 * PKCS#11 library this key uses
+	 */
+	pkcs11_library_t *lib;
+
+	/**
+	 * Slot the token is in
+	 */
+	CK_SLOT_ID slot;
+
+	/**
+	 * Session we use
+	 */
+	CK_SESSION_HANDLE session;
+
+	/**
+	 * Object handle to the key
+	 */
+	CK_OBJECT_HANDLE object;
+
+	/**
+	 * Mutex to lock session
+	 */
+	mutex_t *mutex;
+
+	/**
+	 * References to this key
+	 */
+	refcount_t ref;
+};
+
+METHOD(public_key_t, get_type, key_type_t,
+	private_pkcs11_public_key_t *this)
+{
+	return this->type;
+}
+
+METHOD(public_key_t, get_keysize, int,
+	private_pkcs11_public_key_t *this)
+{
+	return this->k * 8;
+}
+
+METHOD(public_key_t, verify, bool,
+	private_pkcs11_public_key_t *this, signature_scheme_t scheme,
+	chunk_t data, chunk_t sig)
+{
+	CK_MECHANISM_PTR mechanism;
+	CK_RV rv;
+
+	mechanism = pkcs11_signature_scheme_to_mech(scheme);
+	if (!mechanism)
+	{
+		DBG1(DBG_LIB, "signature scheme %N not supported",
+			 signature_scheme_names, scheme);
+		return FALSE;
+	}
+	if (sig.len && sig.ptr[0] == 0)
+	{	/* trim leading zero byte in sig */
+		sig = chunk_skip(sig, 1);
+	}
+	this->mutex->lock(this->mutex);
+	rv = this->lib->f->C_VerifyInit(this->session, mechanism, this->object);
+	if (rv != CKR_OK)
+	{
+		this->mutex->unlock(this->mutex);
+		DBG1(DBG_LIB, "C_VerifyInit() failed: %N", ck_rv_names, rv);
+		return FALSE;
+	}
+	rv = this->lib->f->C_Verify(this->session, data.ptr, data.len,
+								sig.ptr, sig.len);
+	this->mutex->unlock(this->mutex);
+	if (rv != CKR_OK)
+	{
+		DBG1(DBG_LIB, "C_Verify() failed: %N", ck_rv_names, rv);
+		return FALSE;
+	}
+	return TRUE;
+}
+
+METHOD(public_key_t, encrypt, bool,
+	private_pkcs11_public_key_t *this, encryption_scheme_t scheme,
+	chunk_t plain, chunk_t *crypt)
+{
+	CK_MECHANISM_PTR mechanism;
+	CK_BYTE_PTR buf;
+	CK_ULONG len;
+	CK_RV rv;
+
+	mechanism = pkcs11_encryption_scheme_to_mech(scheme);
+	if (!mechanism)
+	{
+		DBG1(DBG_LIB, "encryption scheme %N not supported",
+			 encryption_scheme_names, scheme);
+		return FALSE;
+	}
+	this->mutex->lock(this->mutex);
+	rv = this->lib->f->C_EncryptInit(this->session, mechanism, this->object);
+	if (rv != CKR_OK)
+	{
+		this->mutex->unlock(this->mutex);
+		DBG1(DBG_LIB, "C_EncryptInit() failed: %N", ck_rv_names, rv);
+		return FALSE;
+	}
+	len = (get_keysize(this) + 7) / 8;
+	buf = malloc(len);
+	rv = this->lib->f->C_Encrypt(this->session, plain.ptr, plain.len, buf, &len);
+	this->mutex->unlock(this->mutex);
+	if (rv != CKR_OK)
+	{
+		DBG1(DBG_LIB, "C_Encrypt() failed: %N", ck_rv_names, rv);
+		free(buf);
+		return FALSE;
+	}
+	*crypt = chunk_create(buf, len);
+	return TRUE;
+}
+
+/**
+ * Encode RSA key using a given encoding type
+ */
+static bool encode_rsa(private_pkcs11_public_key_t *this,
+					cred_encoding_type_t type, void *cache, chunk_t *encoding)
+{
+	CK_RV rv;
+	bool success = FALSE;
+	chunk_t n, e;
+	CK_ATTRIBUTE attr[] = {
+		{CKA_MODULUS, NULL, 0},
+		{CKA_PUBLIC_EXPONENT, NULL, 0},
+	};
+
+	rv = this->lib->f->C_GetAttributeValue(this->session, this->object,
+										   attr, countof(attr));
+	if (rv != CKR_OK ||
+		attr[0].ulValueLen == 0 || attr[0].ulValueLen == -1 ||
+		attr[1].ulValueLen == 0 || attr[1].ulValueLen == -1)
+	{
+		return FALSE;
+	}
+	attr[0].pValue = malloc(attr[0].ulValueLen);
+	attr[1].pValue = malloc(attr[1].ulValueLen);
+	rv = this->lib->f->C_GetAttributeValue(this->session, this->object,
+										   attr, countof(attr));
+	if (rv == CKR_OK)
+	{
+		n = chunk_create(attr[0].pValue, attr[0].ulValueLen);
+		e = chunk_create(attr[1].pValue, attr[1].ulValueLen);
+		success = lib->encoding->encode(lib->encoding, type, cache, encoding,
+			CRED_PART_RSA_MODULUS, n, CRED_PART_RSA_PUB_EXP, e, CRED_PART_END);
+	}
+	free(attr[0].pValue);
+	free(attr[1].pValue);
+	return success;
+}
+
+METHOD(public_key_t, get_encoding, bool,
+	private_pkcs11_public_key_t *this, cred_encoding_type_t type,
+	chunk_t *encoding)
+{
+	switch (this->type)
+	{
+		case KEY_RSA:
+			return encode_rsa(this, type, NULL, encoding);
+		default:
+			return FALSE;
+	}
+}
+
+METHOD(public_key_t, get_fingerprint, bool,
+	private_pkcs11_public_key_t *this, cred_encoding_type_t type, chunk_t *fp)
+{
+	if (lib->encoding->get_cache(lib->encoding, type, this, fp))
+	{
+		return TRUE;
+	}
+	switch (this->type)
+	{
+		case KEY_RSA:
+			return encode_rsa(this, type, this, fp);
+		default:
+			return FALSE;
+	}
+}
+
+METHOD(public_key_t, get_ref, public_key_t*,
+	private_pkcs11_public_key_t *this)
+{
+	ref_get(&this->ref);
+	return &this->public.key;
+}
+
+METHOD(public_key_t, destroy, void,
+	private_pkcs11_public_key_t *this)
+{
+	if (ref_put(&this->ref))
+	{
+		lib->encoding->clear_cache(lib->encoding, this);
+		this->lib->f->C_CloseSession(this->session);
+		this->mutex->destroy(this->mutex);
+		free(this);
+	}
+}
+
+/**
+ * Create an empty PKCS#11 public key
+ */
+static private_pkcs11_public_key_t *create(key_type_t type, size_t k,
+							pkcs11_library_t *p11, CK_SLOT_ID slot,
+							CK_SESSION_HANDLE session, CK_OBJECT_HANDLE object)
+{
+	private_pkcs11_public_key_t *this;
+
+	INIT(this,
+		.public = {
+			.key = {
+				.get_type = _get_type,
+				.verify = _verify,
+				.encrypt = _encrypt,
+				.equals = public_key_equals,
+				.get_keysize = _get_keysize,
+				.get_fingerprint = _get_fingerprint,
+				.has_fingerprint = public_key_has_fingerprint,
+				.get_encoding = _get_encoding,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+		},
+		.type = type,
+		.k = k,
+		.lib = p11,
+		.slot = slot,
+		.session = session,
+		.object = object,
+		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+		.ref = 1,
+	);
+
+	return this;
+}
+
+/**
+ * Find a key object, including PKCS11 library and slot
+ */
+static private_pkcs11_public_key_t* find_rsa_key(chunk_t n, chunk_t e)
+{
+	private_pkcs11_public_key_t *this = NULL;
+	pkcs11_manager_t *manager;
+	enumerator_t *enumerator, *keys;
+	pkcs11_library_t *p11;
+	CK_SLOT_ID slot;
+
+	manager = pkcs11_manager_get();
+	if (!manager)
+	{
+		return NULL;
+	}
+
+	enumerator = manager->create_token_enumerator(manager);
+	while (enumerator->enumerate(enumerator, &p11, &slot))
+	{
+		CK_OBJECT_CLASS class = CKO_PUBLIC_KEY;
+		CK_KEY_TYPE type = CKK_RSA;
+		CK_ATTRIBUTE tmpl[] = {
+			{CKA_CLASS, &class, sizeof(class)},
+			{CKA_KEY_TYPE, &type, sizeof(type)},
+			{CKA_MODULUS, n.ptr, n.len},
+			{CKA_PUBLIC_EXPONENT, e.ptr, e.len},
+		};
+		CK_OBJECT_HANDLE object;
+		CK_SESSION_HANDLE session;
+		CK_RV rv;
+
+		rv = p11->f->C_OpenSession(slot, CKF_SERIAL_SESSION, NULL, NULL,
+								   &session);
+		if (rv != CKR_OK)
+		{
+			DBG1(DBG_CFG, "opening PKCS#11 session failed: %N", ck_rv_names, rv);
+			continue;
+		}
+		keys = p11->create_object_enumerator(p11, session,
+											 tmpl, countof(tmpl), NULL, 0);
+		if (keys->enumerate(keys, &object))
+		{
+			this = create(KEY_RSA, n.len, p11, slot, session, object);
+			keys->destroy(keys);
+			break;
+		}
+		keys->destroy(keys);
+		p11->f->C_CloseSession(session);
+	}
+	enumerator->destroy(enumerator);
+	return this;
+}
+
+/**
+ * Create a key object in a suitable token session
+ */
+static private_pkcs11_public_key_t* create_rsa_key(chunk_t n, chunk_t e)
+{
+	private_pkcs11_public_key_t *this = NULL;
+	pkcs11_manager_t *manager;
+	enumerator_t *enumerator, *mechs;
+	pkcs11_library_t *p11;
+	CK_SLOT_ID slot;
+
+	manager = pkcs11_manager_get();
+	if (!manager)
+	{
+		return NULL;
+	}
+
+	enumerator = manager->create_token_enumerator(manager);
+	while (enumerator->enumerate(enumerator, &p11, &slot))
+	{
+		CK_MECHANISM_TYPE mech;
+		CK_MECHANISM_INFO info;
+		CK_OBJECT_CLASS class = CKO_PUBLIC_KEY;
+		CK_KEY_TYPE type = CKK_RSA;
+		CK_ATTRIBUTE tmpl[] = {
+			{CKA_CLASS, &class, sizeof(class)},
+			{CKA_KEY_TYPE, &type, sizeof(type)},
+			{CKA_MODULUS, n.ptr, n.len},
+			{CKA_PUBLIC_EXPONENT, e.ptr, e.len}
+		};
+		CK_OBJECT_HANDLE object;
+		CK_SESSION_HANDLE session;
+		CK_RV rv;
+
+		mechs = p11->create_mechanism_enumerator(p11, slot);
+		while (mechs->enumerate(mechs, &mech, &info))
+		{
+			if (!(info.flags & CKF_VERIFY))
+			{
+				continue;
+			}
+			switch (mech)
+			{
+				case CKM_RSA_PKCS:
+				case CKM_SHA1_RSA_PKCS:
+				case CKM_SHA256_RSA_PKCS:
+				case CKM_SHA384_RSA_PKCS:
+				case CKM_SHA512_RSA_PKCS:
+				case CKM_MD5_RSA_PKCS:
+					break;
+				default:
+					continue;
+			}
+			rv = p11->f->C_OpenSession(slot, CKF_SERIAL_SESSION, NULL, NULL,
+									   &session);
+			if (rv != CKR_OK)
+			{
+				DBG1(DBG_CFG, "opening PKCS#11 session failed: %N",
+					 ck_rv_names, rv);
+				continue;
+			}
+			rv = p11->f->C_CreateObject(session, tmpl, countof(tmpl), &object);
+			if (rv == CKR_OK)
+			{
+				this = create(KEY_RSA, n.len, p11, slot, session, object);
+				DBG2(DBG_CFG, "created RSA public key on token '%s':%d ",
+					 p11->get_name(p11), slot);
+				break;
+			}
+			else
+			{
+				DBG1(DBG_CFG, "creating RSA public key on token '%s':%d "
+					 "failed: %N", p11->get_name(p11), slot, ck_rv_names, rv);
+				p11->f->C_CloseSession(session);
+			}
+		}
+		mechs->destroy(mechs);
+		if (this)
+		{
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return this;
+}
+
+/**
+ * See header
+ */
+pkcs11_public_key_t *pkcs11_public_key_load(key_type_t type, va_list args)
+{
+	private_pkcs11_public_key_t *this;
+	chunk_t n, e;
+
+	n = e = chunk_empty;
+	while (TRUE)
+	{
+		switch (va_arg(args, builder_part_t))
+		{
+			case BUILD_RSA_MODULUS:
+				n = va_arg(args, chunk_t);
+				continue;
+			case BUILD_RSA_PUB_EXP:
+				e = va_arg(args, chunk_t);
+				continue;
+			case BUILD_END:
+				break;
+			default:
+				return NULL;
+		}
+		break;
+	}
+	if (type == KEY_RSA && e.ptr && n.ptr)
+	{
+		if (n.len && n.ptr[0] == 0)
+		{	/* trim leading zero byte in modulus */
+			n = chunk_skip(n, 1);
+		}
+		this = find_rsa_key(n, e);
+		if (this)
+		{
+			return &this->public;
+		}
+		this = create_rsa_key(n, e);
+		if (this)
+		{
+			return &this->public;
+		}
+	}
+	return NULL;
+}
+
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_public_key.h b/src/libstrongswan/plugins/pkcs11/pkcs11_public_key.h
new file mode 100644
index 000000000..4fd94620e
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_public_key.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pkcs11_public_key pkcs11_public_key
+ * @{ @ingroup pkcs11
+ */
+
+#ifndef PKCS11_PUBLIC_KEY_H_
+#define PKCS11_PUBLIC_KEY_H_
+
+typedef struct pkcs11_public_key_t pkcs11_public_key_t;
+
+#include <credentials/builder.h>
+#include <credentials/keys/private_key.h>
+
+/**
+ * PKCS#11 based public key implementation.
+ */
+struct pkcs11_public_key_t {
+
+	/**
+	 * Implements public_key_t.
+	 */
+	public_key_t key;
+};
+
+/**
+ * Create a public key in a PKCS#11 session.
+ *
+ * @param type		type of the key
+ * @param args		builder_part_t argument list
+ * @return 			loaded key, NULL on failure
+ */
+pkcs11_public_key_t *pkcs11_public_key_load(key_type_t type, va_list args);
+
+#endif /** PKCS11_PUBLIC_KEY_H_ @}*/
diff --git a/src/libstrongswan/plugins/plugin_loader.c b/src/libstrongswan/plugins/plugin_loader.c
index 336d0bc02..e1427bf15 100644
--- a/src/libstrongswan/plugins/plugin_loader.c
+++ b/src/libstrongswan/plugins/plugin_loader.c
@@ -189,7 +189,6 @@ static bool load(private_plugin_loader_t *this, char *path, char *list)
 		plugin = load_plugin(this, path, token);
 		if (plugin)
 		{
-			/* insert in front to destroy them in reverse order */
 			this->plugins->insert_last(this->plugins, plugin);
 			this->names->insert_last(this->names, token);
 		}
@@ -215,12 +214,13 @@ static void unload(private_plugin_loader_t *this)
 	plugin_t *plugin;
 	char *name;
 
-	while (this->plugins->remove_first(this->plugins,
+	/* unload plugins in reverse order */
+	while (this->plugins->remove_last(this->plugins,
 									   (void**)&plugin) == SUCCESS)
 	{
 		plugin->destroy(plugin);
 	}
-	while (this->names->remove_first(this->names, (void**)&name) == SUCCESS)
+	while (this->names->remove_last(this->names, (void**)&name) == SUCCESS)
 	{
 		free(name);
 	}
diff --git a/src/libstrongswan/plugins/pubkey/Makefile.in b/src/libstrongswan/plugins/pubkey/Makefile.in
index 4dc5985cd..495223855 100644
--- a/src/libstrongswan/plugins/pubkey/Makefile.in
+++ b/src/libstrongswan/plugins/pubkey/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -166,6 +167,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -197,14 +200,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -219,24 +225,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -244,7 +257,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libstrongswan/plugins/pubkey/pubkey_plugin.c b/src/libstrongswan/plugins/pubkey/pubkey_plugin.c
index b0eabc9ee..6f41ada2a 100644
--- a/src/libstrongswan/plugins/pubkey/pubkey_plugin.c
+++ b/src/libstrongswan/plugins/pubkey/pubkey_plugin.c
@@ -50,7 +50,7 @@ plugin_t *pubkey_plugin_create()
 
 	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
 
-	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_TRUSTED_PUBKEY,
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_TRUSTED_PUBKEY, FALSE,
 							(builder_function_t)pubkey_cert_wrap);
 
 	return &this->public.plugin;
diff --git a/src/libstrongswan/plugins/random/Makefile.in b/src/libstrongswan/plugins/random/Makefile.in
index af929080d..efd24c761 100644
--- a/src/libstrongswan/plugins/random/Makefile.in
+++ b/src/libstrongswan/plugins/random/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -166,6 +167,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -197,14 +200,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -219,24 +225,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -244,7 +257,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libstrongswan/plugins/revocation/Makefile.in b/src/libstrongswan/plugins/revocation/Makefile.in
index 871566e65..16a9d21c5 100644
--- a/src/libstrongswan/plugins/revocation/Makefile.in
+++ b/src/libstrongswan/plugins/revocation/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -168,6 +169,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -199,14 +202,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -221,24 +227,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -246,7 +259,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libstrongswan/plugins/revocation/revocation_plugin.c b/src/libstrongswan/plugins/revocation/revocation_plugin.c
index d352a9583..02393b907 100644
--- a/src/libstrongswan/plugins/revocation/revocation_plugin.c
+++ b/src/libstrongswan/plugins/revocation/revocation_plugin.c
@@ -52,7 +52,11 @@ plugin_t *revocation_plugin_create()
 	private_revocation_plugin_t *this;
 
 	INIT(this,
-		.public.plugin.destroy = _destroy,
+		.public = {
+			.plugin = {
+				.destroy = _destroy,
+			},
+		},
 		.validator = revocation_validator_create(),
 	);
 	lib->credmgr->add_validator(lib->credmgr, &this->validator->validator);
diff --git a/src/libstrongswan/plugins/sha1/Makefile.in b/src/libstrongswan/plugins/sha1/Makefile.in
index 703764e5e..1036bedfc 100644
--- a/src/libstrongswan/plugins/sha1/Makefile.in
+++ b/src/libstrongswan/plugins/sha1/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -165,6 +166,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -196,14 +199,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -218,24 +224,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -243,7 +256,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libstrongswan/plugins/sha2/Makefile.in b/src/libstrongswan/plugins/sha2/Makefile.in
index 5e490f2e5..579e6f9b0 100644
--- a/src/libstrongswan/plugins/sha2/Makefile.in
+++ b/src/libstrongswan/plugins/sha2/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -164,6 +165,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -195,14 +198,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -217,24 +223,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -242,7 +255,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libstrongswan/plugins/sqlite/Makefile.in b/src/libstrongswan/plugins/sqlite/Makefile.in
index 6d81d0d81..9c9b57f98 100644
--- a/src/libstrongswan/plugins/sqlite/Makefile.in
+++ b/src/libstrongswan/plugins/sqlite/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -167,6 +168,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -198,14 +201,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -220,24 +226,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -245,7 +258,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libstrongswan/plugins/test_vectors/Makefile.am b/src/libstrongswan/plugins/test_vectors/Makefile.am
index 6d3b05d19..049301977 100644
--- a/src/libstrongswan/plugins/test_vectors/Makefile.am
+++ b/src/libstrongswan/plugins/test_vectors/Makefile.am
@@ -13,9 +13,14 @@ libstrongswan_test_vectors_la_SOURCES = \
 	test_vectors_plugin.h test_vectors_plugin.c test_vectors.h \
 	test_vectors/3des_cbc.c \
 	test_vectors/aes_cbc.c \
+	test_vectors/aes_ctr.c \
 	test_vectors/aes_xcbc.c \
+	test_vectors/aes_ccm.c \
+	test_vectors/aes_gcm.c \
 	test_vectors/blowfish.c \
 	test_vectors/camellia_cbc.c \
+	test_vectors/camellia_ctr.c \
+	test_vectors/camellia_xcbc.c \
 	test_vectors/cast.c \
 	test_vectors/des.c \
 	test_vectors/idea.c \
diff --git a/src/libstrongswan/plugins/test_vectors/Makefile.in b/src/libstrongswan/plugins/test_vectors/Makefile.in
index 20a6db81e..9be3f825a 100644
--- a/src/libstrongswan/plugins/test_vectors/Makefile.in
+++ b/src/libstrongswan/plugins/test_vectors/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -75,10 +76,11 @@ am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_test_vectors_la_LIBADD =
 am_libstrongswan_test_vectors_la_OBJECTS = test_vectors_plugin.lo \
-	3des_cbc.lo aes_cbc.lo aes_xcbc.lo blowfish.lo camellia_cbc.lo \
-	cast.lo des.lo idea.lo null.lo rc5.lo serpent_cbc.lo \
-	twofish_cbc.lo md2.lo md4.lo md5.lo md5_hmac.lo sha1.lo \
-	sha1_hmac.lo sha2.lo sha2_hmac.lo fips_prf.lo rng.lo
+	3des_cbc.lo aes_cbc.lo aes_ctr.lo aes_xcbc.lo aes_ccm.lo \
+	aes_gcm.lo blowfish.lo camellia_cbc.lo camellia_ctr.lo \
+	camellia_xcbc.lo cast.lo des.lo idea.lo null.lo rc5.lo \
+	serpent_cbc.lo twofish_cbc.lo md2.lo md4.lo md5.lo md5_hmac.lo \
+	sha1.lo sha1_hmac.lo sha2.lo sha2_hmac.lo fips_prf.lo rng.lo
 libstrongswan_test_vectors_la_OBJECTS =  \
 	$(am_libstrongswan_test_vectors_la_OBJECTS)
 libstrongswan_test_vectors_la_LINK = $(LIBTOOL) --tag=CC \
@@ -171,6 +173,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -202,14 +206,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -224,24 +231,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -249,7 +263,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
@@ -269,9 +286,14 @@ libstrongswan_test_vectors_la_SOURCES = \
 	test_vectors_plugin.h test_vectors_plugin.c test_vectors.h \
 	test_vectors/3des_cbc.c \
 	test_vectors/aes_cbc.c \
+	test_vectors/aes_ctr.c \
 	test_vectors/aes_xcbc.c \
+	test_vectors/aes_ccm.c \
+	test_vectors/aes_gcm.c \
 	test_vectors/blowfish.c \
 	test_vectors/camellia_cbc.c \
+	test_vectors/camellia_ctr.c \
+	test_vectors/camellia_xcbc.c \
 	test_vectors/cast.c \
 	test_vectors/des.c \
 	test_vectors/idea.c \
@@ -376,9 +398,14 @@ distclean-compile:
 
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/3des_cbc.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/aes_cbc.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/aes_ccm.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/aes_ctr.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/aes_gcm.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/aes_xcbc.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/blowfish.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/camellia_cbc.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/camellia_ctr.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/camellia_xcbc.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cast.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/des.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fips_prf.Plo@am__quote@
@@ -433,6 +460,13 @@ aes_cbc.lo: test_vectors/aes_cbc.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o aes_cbc.lo `test -f 'test_vectors/aes_cbc.c' || echo '$(srcdir)/'`test_vectors/aes_cbc.c
 
+aes_ctr.lo: test_vectors/aes_ctr.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT aes_ctr.lo -MD -MP -MF $(DEPDIR)/aes_ctr.Tpo -c -o aes_ctr.lo `test -f 'test_vectors/aes_ctr.c' || echo '$(srcdir)/'`test_vectors/aes_ctr.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/aes_ctr.Tpo $(DEPDIR)/aes_ctr.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/aes_ctr.c' object='aes_ctr.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o aes_ctr.lo `test -f 'test_vectors/aes_ctr.c' || echo '$(srcdir)/'`test_vectors/aes_ctr.c
+
 aes_xcbc.lo: test_vectors/aes_xcbc.c
 @am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT aes_xcbc.lo -MD -MP -MF $(DEPDIR)/aes_xcbc.Tpo -c -o aes_xcbc.lo `test -f 'test_vectors/aes_xcbc.c' || echo '$(srcdir)/'`test_vectors/aes_xcbc.c
 @am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/aes_xcbc.Tpo $(DEPDIR)/aes_xcbc.Plo
@@ -440,6 +474,20 @@ aes_xcbc.lo: test_vectors/aes_xcbc.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o aes_xcbc.lo `test -f 'test_vectors/aes_xcbc.c' || echo '$(srcdir)/'`test_vectors/aes_xcbc.c
 
+aes_ccm.lo: test_vectors/aes_ccm.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT aes_ccm.lo -MD -MP -MF $(DEPDIR)/aes_ccm.Tpo -c -o aes_ccm.lo `test -f 'test_vectors/aes_ccm.c' || echo '$(srcdir)/'`test_vectors/aes_ccm.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/aes_ccm.Tpo $(DEPDIR)/aes_ccm.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/aes_ccm.c' object='aes_ccm.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o aes_ccm.lo `test -f 'test_vectors/aes_ccm.c' || echo '$(srcdir)/'`test_vectors/aes_ccm.c
+
+aes_gcm.lo: test_vectors/aes_gcm.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT aes_gcm.lo -MD -MP -MF $(DEPDIR)/aes_gcm.Tpo -c -o aes_gcm.lo `test -f 'test_vectors/aes_gcm.c' || echo '$(srcdir)/'`test_vectors/aes_gcm.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/aes_gcm.Tpo $(DEPDIR)/aes_gcm.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/aes_gcm.c' object='aes_gcm.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o aes_gcm.lo `test -f 'test_vectors/aes_gcm.c' || echo '$(srcdir)/'`test_vectors/aes_gcm.c
+
 blowfish.lo: test_vectors/blowfish.c
 @am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT blowfish.lo -MD -MP -MF $(DEPDIR)/blowfish.Tpo -c -o blowfish.lo `test -f 'test_vectors/blowfish.c' || echo '$(srcdir)/'`test_vectors/blowfish.c
 @am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/blowfish.Tpo $(DEPDIR)/blowfish.Plo
@@ -454,6 +502,20 @@ camellia_cbc.lo: test_vectors/camellia_cbc.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o camellia_cbc.lo `test -f 'test_vectors/camellia_cbc.c' || echo '$(srcdir)/'`test_vectors/camellia_cbc.c
 
+camellia_ctr.lo: test_vectors/camellia_ctr.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT camellia_ctr.lo -MD -MP -MF $(DEPDIR)/camellia_ctr.Tpo -c -o camellia_ctr.lo `test -f 'test_vectors/camellia_ctr.c' || echo '$(srcdir)/'`test_vectors/camellia_ctr.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/camellia_ctr.Tpo $(DEPDIR)/camellia_ctr.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/camellia_ctr.c' object='camellia_ctr.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o camellia_ctr.lo `test -f 'test_vectors/camellia_ctr.c' || echo '$(srcdir)/'`test_vectors/camellia_ctr.c
+
+camellia_xcbc.lo: test_vectors/camellia_xcbc.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT camellia_xcbc.lo -MD -MP -MF $(DEPDIR)/camellia_xcbc.Tpo -c -o camellia_xcbc.lo `test -f 'test_vectors/camellia_xcbc.c' || echo '$(srcdir)/'`test_vectors/camellia_xcbc.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/camellia_xcbc.Tpo $(DEPDIR)/camellia_xcbc.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/camellia_xcbc.c' object='camellia_xcbc.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o camellia_xcbc.lo `test -f 'test_vectors/camellia_xcbc.c' || echo '$(srcdir)/'`test_vectors/camellia_xcbc.c
+
 cast.lo: test_vectors/cast.c
 @am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cast.lo -MD -MP -MF $(DEPDIR)/cast.Tpo -c -o cast.lo `test -f 'test_vectors/cast.c' || echo '$(srcdir)/'`test_vectors/cast.c
 @am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/cast.Tpo $(DEPDIR)/cast.Plo
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors.h b/src/libstrongswan/plugins/test_vectors/test_vectors.h
index b182dd829..ab4689c1c 100644
--- a/src/libstrongswan/plugins/test_vectors/test_vectors.h
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors.h
@@ -19,6 +19,15 @@ TEST_VECTOR_CRYPTER(aes_cbc3)
 TEST_VECTOR_CRYPTER(aes_cbc4)
 TEST_VECTOR_CRYPTER(aes_cbc5)
 TEST_VECTOR_CRYPTER(aes_cbc6)
+TEST_VECTOR_CRYPTER(aes_ctr1)
+TEST_VECTOR_CRYPTER(aes_ctr2)
+TEST_VECTOR_CRYPTER(aes_ctr3)
+TEST_VECTOR_CRYPTER(aes_ctr4)
+TEST_VECTOR_CRYPTER(aes_ctr5)
+TEST_VECTOR_CRYPTER(aes_ctr6)
+TEST_VECTOR_CRYPTER(aes_ctr7)
+TEST_VECTOR_CRYPTER(aes_ctr8)
+TEST_VECTOR_CRYPTER(aes_ctr9)
 TEST_VECTOR_CRYPTER(blowfish1)
 TEST_VECTOR_CRYPTER(blowfish2)
 TEST_VECTOR_CRYPTER(camellia_cbc1)
@@ -27,6 +36,15 @@ TEST_VECTOR_CRYPTER(camellia_cbc3)
 TEST_VECTOR_CRYPTER(camellia_cbc4)
 TEST_VECTOR_CRYPTER(camellia_cbc5)
 TEST_VECTOR_CRYPTER(camellia_cbc6)
+TEST_VECTOR_CRYPTER(camellia_ctr1)
+TEST_VECTOR_CRYPTER(camellia_ctr2)
+TEST_VECTOR_CRYPTER(camellia_ctr3)
+TEST_VECTOR_CRYPTER(camellia_ctr4)
+TEST_VECTOR_CRYPTER(camellia_ctr5)
+TEST_VECTOR_CRYPTER(camellia_ctr6)
+TEST_VECTOR_CRYPTER(camellia_ctr7)
+TEST_VECTOR_CRYPTER(camellia_ctr8)
+TEST_VECTOR_CRYPTER(camellia_ctr9)
 TEST_VECTOR_CRYPTER(cast1)
 TEST_VECTOR_CRYPTER(des_cbc1)
 TEST_VECTOR_CRYPTER(des_cbc2)
@@ -49,11 +67,31 @@ TEST_VECTOR_CRYPTER(twofish_cbc1)
 TEST_VECTOR_CRYPTER(twofish_cbc2)
 TEST_VECTOR_CRYPTER(twofish_cbc3)
 
+TEST_VECTOR_AEAD(aes_ccm1)
+TEST_VECTOR_AEAD(aes_ccm2)
+TEST_VECTOR_AEAD(aes_ccm3)
+TEST_VECTOR_AEAD(aes_ccm4)
+TEST_VECTOR_AEAD(aes_ccm5)
+TEST_VECTOR_AEAD(aes_ccm6)
+TEST_VECTOR_AEAD(aes_ccm7)
+TEST_VECTOR_AEAD(aes_ccm8)
+TEST_VECTOR_AEAD(aes_ccm9)
+TEST_VECTOR_AEAD(aes_ccm10)
+TEST_VECTOR_AEAD(aes_ccm11)
+TEST_VECTOR_AEAD(aes_gcm1)
+TEST_VECTOR_AEAD(aes_gcm2)
+TEST_VECTOR_AEAD(aes_gcm3)
+TEST_VECTOR_AEAD(aes_gcm4)
+TEST_VECTOR_AEAD(aes_gcm5)
+TEST_VECTOR_AEAD(aes_gcm6)
+TEST_VECTOR_AEAD(aes_gcm7)
+
 TEST_VECTOR_SIGNER(aes_xcbc_s1)
 TEST_VECTOR_SIGNER(aes_xcbc_s2)
 TEST_VECTOR_SIGNER(aes_xcbc_s3)
 TEST_VECTOR_SIGNER(aes_xcbc_s4)
 TEST_VECTOR_SIGNER(aes_xcbc_s5)
+TEST_VECTOR_SIGNER(camellia_xcbc_s1)
 TEST_VECTOR_SIGNER(md5_hmac_s1)
 TEST_VECTOR_SIGNER(md5_hmac_s2)
 TEST_VECTOR_SIGNER(md5_hmac_s3)
@@ -118,6 +156,9 @@ TEST_VECTOR_PRF(aes_xcbc_p4)
 TEST_VECTOR_PRF(aes_xcbc_p5)
 TEST_VECTOR_PRF(aes_xcbc_p6)
 TEST_VECTOR_PRF(aes_xcbc_p7)
+TEST_VECTOR_PRF(camellia_xcbc_p1)
+TEST_VECTOR_PRF(camellia_xcbc_p2)
+TEST_VECTOR_PRF(camellia_xcbc_p3)
 TEST_VECTOR_PRF(md5_hmac_p1)
 TEST_VECTOR_PRF(md5_hmac_p2)
 TEST_VECTOR_PRF(md5_hmac_p3)
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors/aes_ccm.c b/src/libstrongswan/plugins/test_vectors/test_vectors/aes_ccm.c
new file mode 100644
index 000000000..8de180ad5
--- /dev/null
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors/aes_ccm.c
@@ -0,0 +1,157 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the Licenseor (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be usefulbut
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <crypto/crypto_tester.h>
+
+/**
+ * Test vectors with 11 bytes nonces are hard to find, neither RFC3610 nor
+ * NIST 800-38C has one. These vectors are taken from the Linux kernel,
+ * originally from "fips cavs fax files on hand at Red Hat".
+ */
+aead_test_vector_t aes_ccm1 = {
+	.alg = ENCR_AES_CCM_ICV16, .key_size = 16, .len = 32, .alen = 0,
+	.key	= "\x83\xac\x54\x66\xc2\xeb\xe5\x05\x2e\x01\xd1\xfc\x5d\x82\x66\x2e"
+			  "\x96\xac\x59",
+	.iv		= "\x30\x07\xa1\xe2\xa2\xc7\x55\x24",
+	.plain	= "\x19\xc8\x81\xf6\xe9\x86\xff\x93\x0b\x78\x67\xe5\xbb\xb7\xfc\x6e"
+			  "\x83\x77\xb3\xa6\x0c\x8c\x9f\x9c\x35\x2e\xad\xe0\x62\xf9\x91\xa1",
+	.cipher	= "\xab\x6f\xe1\x69\x1d\x19\x99\xa8\x92\xa0\xc4\x6f\x7e\xe2\x8b\xb1"
+			  "\x70\xbb\x8c\xa6\x4c\x6e\x97\x8a\x57\x2b\xbe\x5d\x98\xa6\xb1\x32"
+			  "\xda\x24\xea\xd9\xa1\x39\x98\xfd\xa4\xbe\xd9\xf2\x1a\x6d\x22\xa8",
+};
+
+aead_test_vector_t aes_ccm2 = {
+	.alg = ENCR_AES_CCM_ICV16, .key_size = 16, .len = 32, .alen = 32,
+	.key	= "\x1e\x2c\x7e\x01\x41\x9a\xef\xc0\x0d\x58\x96\x6e\x5c\xa2\x4b\xd3"
+			  "\x4f\xa3\x19",
+	.iv		= "\xd3\x01\x5a\xd8\x30\x60\x15\x56",
+	.adata	= "\xda\xe6\x28\x9c\x45\x2d\xfd\x63\x5e\xda\x4c\xb6\xe6\xfc\xf9\xb7"
+			  "\x0c\x56\xcb\xe4\xe0\x05\x7a\xe1\x0a\x63\x09\x78\xbc\x2c\x55\xde",
+	.plain	= "\x87\xa3\x36\xfd\x96\xb3\x93\x78\xa9\x28\x63\xba\x12\xa3\x14\x85"
+			  "\x57\x1e\x06\xc9\x7b\x21\xef\x76\x7f\x38\x7e\x8e\x29\xa4\x3e\x7e",
+	.cipher	= "\x8a\x1e\x11\xf0\x02\x6b\xe2\x19\xfc\x70\xc4\x6d\x8e\xb7\x99\xab"
+			  "\xc5\x4b\xa2\xac\xd3\xf3\x48\xff\x3b\xb5\xce\x53\xef\xde\xbb\x02"
+			  "\xa9\x86\x15\x6c\x13\xfe\xda\x0a\x22\xb8\x29\x3d\xd8\x39\x9a\x23",
+};
+
+aead_test_vector_t aes_ccm3 = {
+	.alg = ENCR_AES_CCM_ICV16, .key_size = 24, .len = 0, .alen = 32,
+	.key	= "\xf4\x6b\xc2\x75\x62\xfe\xb4\xe1\xa3\xf0\xff\xdd\x4e\x4b\x12\x75"
+			  "\x53\x14\x73\x66\x8d\x88\xf6\x80\xa0\x20\x35",
+	.iv		= "\x26\xf2\x21\x8d\x50\x20\xda\xe2",
+	.adata	= "\x5b\x9e\x13\x67\x02\x5e\xef\xc1\x6c\xf9\xd7\x1e\x52\x8f\x7a\x47"
+			  "\xe9\xd4\xcf\x20\x14\x6e\xf0\x2d\xd8\x9e\x2b\x56\x10\x23\x56\xe7",
+	.cipher	= "\x36\xea\x7a\x70\x08\xdc\x6a\xbc\xad\x0c\x7a\x63\xf6\x61\xfd\x9b",
+};
+
+aead_test_vector_t aes_ccm4 = {
+	.alg = ENCR_AES_CCM_ICV16, .key_size = 24, .len = 32, .alen = 32,
+	.key	= "\x56\xdf\x5c\x8f\x26\x3f\x0e\x42\xef\x7a\xd3\xce\xfc\x84\x60\x62"
+			  "\xca\xb4\x40\xaf\x5f\xc9\xc9\x01\xd6\x3c\x8c",
+	.iv		= "\x86\x84\xb6\xcd\xef\x09\x2e\x94",
+	.adata	= "\x02\x65\x78\x3c\xe9\x21\x30\x91\xb1\xb9\xda\x76\x9a\x78\x6d\x95"
+			  "\xf2\x88\x32\xa3\xf2\x50\xcb\x4c\xe3\x00\x73\x69\x84\x69\x87\x79",
+	.plain	= "\x9f\xd2\x02\x4b\x52\x49\x31\x3c\x43\x69\x3a\x2d\x8e\x70\xad\x7e"
+			  "\xe0\xe5\x46\x09\x80\x89\x13\xb2\x8c\x8b\xd9\x3f\x86\xfb\xb5\x6b",
+	.cipher	= "\x39\xdf\x7c\x3c\x5a\x29\xb9\x62\x5d\x51\xc2\x16\xd8\xbd\x06\x9f"
+			  "\x9b\x6a\x09\x70\xc1\x51\x83\xc2\x66\x88\x1d\x4f\x9a\xda\xe0\x1e"
+			  "\xc7\x79\x11\x58\xe5\x6b\x20\x40\x7a\xea\x46\x42\x8b\xe4\x6f\xe1",
+};
+
+aead_test_vector_t aes_ccm5 = {
+	.alg = ENCR_AES_CCM_ICV8, .key_size = 32, .len = 32, .alen = 32,
+	.key	= "\xe0\x8d\x99\x71\x60\xd7\x97\x1a\xbd\x01\x99\xd5\x8a\xdf\x71\x3a"
+			  "\xd3\xdf\x24\x4b\x5e\x3d\x4b\x4e\x30\x7a\xb9\xd8\x53\x0a\x5e\x2b"
+			  "\x1e\x29\x91",
+	.iv		= "\xad\x8e\xc1\x53\x0a\xcf\x2d\xbe",
+	.adata	= "\x19\xb6\x1f\x57\xc4\xf3\xf0\x8b\x78\x2b\x94\x02\x29\x0f\x42\x27"
+			  "\x6b\x75\xcb\x98\x34\x08\x7e\x79\xe4\x3e\x49\x0d\x84\x8b\x22\x87",
+	.plain	= "\xe1\xd9\xd8\x13\xeb\x3a\x75\x3f\x9d\xbd\x5f\x66\xbe\xdc\xbb\x66"
+			  "\xbf\x17\x99\x62\x4a\x39\x27\x1f\x1d\xdc\x24\xae\x19\x2f\x98\x4c",
+	.cipher	= "\x19\xb8\x61\x33\x45\x2b\x43\x96\x6f\x51\xd0\x20\x30\x7d\x9b\xc6"
+			  "\x26\x3d\xf8\xc9\x65\x16\xa8\x9f\xf0\x62\x17\x34\xf2\x1e\x8d\x75"
+			  "\x4e\x13\xcc\xc0\xc3\x2a\x54\x2d",
+};
+
+aead_test_vector_t aes_ccm6 = {
+	.alg = ENCR_AES_CCM_ICV12, .key_size = 32, .len = 32, .alen = 32,
+	.key	= "\x7c\xc8\x18\x3b\x8d\x99\xe0\x7c\x45\x41\xb8\xbd\x5c\xa7\xc2\x32"
+			  "\x8a\xb8\x02\x59\xa4\xfe\xa9\x2c\x09\x75\x9a\x9b\x3c\x9b\x27\x39"
+			  "\xf9\xd9\x4e",
+	.iv		= "\x63\xb5\x3d\x9d\x43\xf6\x1e\x50",
+	.adata	= "\x57\xf5\x6b\x8b\x57\x5c\x3d\x3b\x13\x02\x01\x0c\x83\x4c\x96\x35"
+			  "\x8e\xd6\x39\xcf\x7d\x14\x9b\x94\xb0\x39\x36\xe6\x8f\x57\xe0\x13",
+	.plain	= "\x3b\x6c\x29\x36\xb6\xef\x07\xa6\x83\x72\x07\x4f\xcf\xfa\x66\x89"
+			  "\x5f\xca\xb1\xba\xd5\x8f\x2c\x27\x30\xdb\x75\x09\x93\xd4\x65\xe4",
+	.cipher	= "\xb0\x88\x5a\x33\xaa\xe5\xc7\x1d\x85\x23\xc7\xc6\x2f\xf4\x1e\x3d"
+			  "\xcc\x63\x44\x25\x07\x78\x4f\x9e\x96\xb8\x88\xeb\xbc\x48\x1f\x06"
+			  "\x39\xaf\x39\xac\xd8\x4a\x80\x39\x7b\x72\x8a\xf7",
+};
+
+aead_test_vector_t aes_ccm7 = {
+	.alg = ENCR_AES_CCM_ICV16, .key_size = 32, .len = 32, .alen = 32,
+	.key	= "\xab\xd0\xe9\x33\x07\x26\xe5\x83\x8c\x76\x95\xd4\xb6\xdc\xf3\x46"
+			  "\xf9\x8f\xad\xe3\x02\x13\x83\x77\x3f\xb0\xf1\xa1\xa1\x22\x0f\x2b"
+			  "\x24\xa7\x8b",
+	.iv		= "\x07\xcb\xcc\x0e\xe6\x33\xbf\xf5",
+	.adata	= "\xd4\xdb\x30\x1d\x03\xfe\xfd\x5f\x87\xd4\x8c\xb6\xb6\xf1\x7a\x5d"
+			  "\xab\x90\x65\x8d\x8e\xca\x4d\x4f\x16\x0c\x40\x90\x4b\xc7\x36\x73",
+	.plain	= "\xf5\xc6\x7d\x48\xc1\xb7\xe6\x92\x97\x5a\xca\xc4\xa9\x6d\xf9\x3d"
+			  "\x6c\xde\xbc\xf1\x90\xea\x6a\xb2\x35\x86\x36\xaf\x5c\xfe\x4b\x3a",
+	.cipher	= "\x83\x6f\x40\x87\x72\xcf\xc1\x13\xef\xbb\x80\x21\x04\x6c\x58\x09"
+			  "\x07\x1b\xfc\xdf\xc0\x3f\x5b\xc7\xe0\x79\xa8\x6e\x71\x7c\x3f\xcf"
+			  "\x5c\xda\xb2\x33\xe5\x13\xe2\x0d\x74\xd1\xef\xb5\x0f\x3a\xb5\xf8",
+};
+
+aead_test_vector_t aes_ccm8 = {
+	.alg = ENCR_AES_CCM_ICV8, .key_size = 16, .len = 0, .alen = 0,
+	.key	= "\xab\x2f\x8a\x74\xb7\x1c\xd2\xb1\xff\x80\x2e\x48\x7d\x82\xf8\xb9"
+			  "\xaf\x94\x87",
+	.iv		= "\x78\x35\x82\x81\x7f\x88\x94\x68",
+	.cipher	= "\x41\x3c\xb8\x87\x73\xcb\xf3\xf3",
+};
+
+aead_test_vector_t aes_ccm9 = {
+	.alg = ENCR_AES_CCM_ICV8, .key_size = 24, .len = 0, .alen = 32,
+	.key	= "\x39\xbb\xa7\xbe\x59\x97\x9e\x73\xa2\xbc\x6b\x98\xd7\x75\x7f\xe3"
+			  "\xa4\x48\x93\x39\x26\x71\x4a\xc6\xee\x49\x83",
+	.iv		= "\xe9\xa9\xff\xe9\x57\xba\xfd\x9e",
+	.adata	= "\x44\xa6\x2c\x05\xe9\xe1\x43\xb1\x58\x7c\xf2\x5c\x6d\x39\x0a\x64"
+			  "\xa4\xf0\x13\x05\xd1\x77\x99\x67\x11\xc4\xc6\xdb\x00\x56\x36\x61",
+	.cipher	= "\x71\x99\xfa\xf4\x44\x12\x68\x9b",
+};
+
+aead_test_vector_t aes_ccm10 = {
+	.alg = ENCR_AES_CCM_ICV8, .key_size = 32, .len = 0, .alen = 0,
+	.key	= "\xa4\x4b\x54\x29\x0a\xb8\x6d\x01\x5b\x80\x2a\xcf\x25\xc4\xb7\x5c"
+			  "\x20\x2c\xad\x30\xc2\x2b\x41\xfb\x0e\x85\xbc\x33\xad\x0f\x2b\xff"
+			  "\xee\x49\x83",
+	.iv		= "\xe9\xa9\xff\xe9\x57\xba\xfd\x9e",
+	.cipher	= "\x1f\xb8\x8f\xa3\xdd\x54\x00\xf2",
+};
+
+aead_test_vector_t aes_ccm11 = {
+	.alg = ENCR_AES_CCM_ICV8, .key_size = 24, .len = 32, .alen = 32,
+	.key	= "\x58\x5d\xa0\x96\x65\x1a\x04\xd7\x96\xe5\xc5\x68\xaa\x95\x35\xe0"
+			  "\x29\xa0\xba\x9e\x48\x78\xd1\xba\xee\x49\x83",
+	.iv		= "\xe9\xa9\xff\xe9\x57\xba\xfd\x9e",
+	.adata	= "\x44\xa6\x2c\x05\xe9\xe1\x43\xb1\x58\x7c\xf2\x5c\x6d\x39\x0a\x64"
+			  "\xa4\xf0\x13\x05\xd1\x77\x99\x67\x11\xc4\xc6\xdb\x00\x56\x36\x61",
+	.plain	= "\x85\x34\x66\x42\xc8\x92\x0f\x36\x58\xe0\x6b\x91\x3c\x98\x5c\xbb"
+			  "\x0a\x85\xcc\x02\xad\x7a\x96\xe9\x65\x43\xa4\xc3\x0f\xdc\x55\x81",
+	.cipher	= "\xfb\xe5\x5d\x34\xbe\xe5\xe8\xe7\x5a\xef\x2f\xbf\x1f\x7f\xd4\xb2"
+			  "\x66\xca\x61\x1e\x96\x7a\x61\xb3\x1c\x16\x45\x52\xba\x04\x9c\x9f"
+			  "\xb1\xd2\x40\xbc\x52\x7c\x6f\xb1",
+};
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors/aes_ctr.c b/src/libstrongswan/plugins/test_vectors/test_vectors/aes_ctr.c
new file mode 100644
index 000000000..1e5126a70
--- /dev/null
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors/aes_ctr.c
@@ -0,0 +1,148 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the Licenseor (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be usefulbut
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <crypto/crypto_tester.h>
+
+/**
+ * Test 1 of RFC3686
+ */
+crypter_test_vector_t aes_ctr1 = {
+	.alg = ENCR_AES_CTR, .key_size = 16, .len = 16,
+	.key	= "\xae\x68\x52\xf8\x12\x10\x67\xcc\x4b\xf7\xa5\x76\x55\x77\xf3\x9e"
+			  "\x00\x00\x00\x30",
+	.iv		= "\x00\x00\x00\x00\x00\x00\x00\x00",
+	.plain	= "Single block msg",
+	.cipher	= "\xe4\x09\x5d\x4f\xb7\xa7\xb3\x79\x2d\x61\x75\xa3\x26\x13\x11\xb8"
+};
+
+/**
+ * Test 2 of RFC3686
+ */
+crypter_test_vector_t aes_ctr2 = {
+	.alg = ENCR_AES_CTR, .key_size = 16, .len = 32,
+	.key	= "\x7e\x24\x06\x78\x17\xfa\xe0\xd7\x43\xd6\xce\x1f\x32\x53\x91\x63"
+			  "\x00\x6c\xb6\xdb",
+	.iv		= "\xc0\x54\x3b\x59\xda\x48\xd9\x0b",
+	.plain	= "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
+			  "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f",
+	.cipher	= "\x51\x04\xa1\x06\x16\x8a\x72\xd9\x79\x0d\x41\xee\x8e\xda\xd3\x88"
+			  "\xeb\x2e\x1e\xfc\x46\xda\x57\xc8\xfc\xe6\x30\xdf\x91\x41\xbe\x28"
+};
+
+/**
+ * Test 3 of RFC3686
+ */
+crypter_test_vector_t aes_ctr3 = {
+	.alg = ENCR_AES_CTR, .key_size = 16, .len = 36,
+	.key	= "\x76\x91\xbe\x03\x5e\x50\x20\xa8\xac\x6e\x61\x85\x29\xf9\xa0\xdc"
+			  "\x00\xe0\x01\x7b",
+	.iv		= "\x27\x77\x7f\x3f\x4a\x17\x86\xf0",
+	.plain	= "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
+			  "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"
+			  "\x20\x21\x22\x23",
+	.cipher	= "\xc1\xcf\x48\xa8\x9f\x2f\xfd\xd9\xcf\x46\x52\xe9\xef\xdb\x72\xd7"
+			  "\x45\x40\xa4\x2b\xde\x6d\x78\x36\xd5\x9a\x5c\xea\xae\xf3\x10\x53"
+			  "\x25\xb2\x07\x2f",
+};
+
+/**
+ * Test 4 of RFC3686
+ */
+crypter_test_vector_t aes_ctr4 = {
+	.alg = ENCR_AES_CTR, .key_size = 24, .len = 16,
+	.key	= "\x16\xaf\x5b\x14\x5f\xc9\xf5\x79\xc1\x75\xf9\x3e\x3b\xfb\x0e\xed"
+			  "\x86\x3d\x06\xcc\xfd\xb7\x85\x15"
+			  "\x00\x00\x00\x48",
+	.iv		= "\x36\x73\x3c\x14\x7d\x6d\x93\xcb",
+	.plain	= "Single block msg",
+	.cipher	= "\x4b\x55\x38\x4f\xe2\x59\xc9\xc8\x4e\x79\x35\xa0\x03\xcb\xe9\x28",
+};
+
+/**
+ * Test 5 of RFC3686
+ */
+crypter_test_vector_t aes_ctr5 = {
+	.alg = ENCR_AES_CTR, .key_size = 24, .len = 32,
+	.key	= "\x7c\x5c\xb2\x40\x1b\x3d\xc3\x3c\x19\xe7\x34\x08\x19\xe0\xf6\x9c"
+			  "\x67\x8c\x3d\xb8\xe6\xf6\xa9\x1a"
+			  "\x00\x96\xb0\x3b",
+	.iv		= "\x02\x0c\x6e\xad\xc2\xcb\x50\x0d",
+	.plain	= "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
+			  "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f",
+	.cipher	= "\x45\x32\x43\xfc\x60\x9b\x23\x32\x7e\xdf\xaa\xfa\x71\x31\xcd\x9f"
+			  "\x84\x90\x70\x1c\x5a\xd4\xa7\x9c\xfc\x1f\xe0\xff\x42\xf4\xfb\x00",
+};
+
+/**
+ * Test 6 of RFC3686
+ */
+crypter_test_vector_t aes_ctr6 = {
+	.alg = ENCR_AES_CTR, .key_size = 24, .len = 36,
+	.key	= "\x02\xbf\x39\x1e\xe8\xec\xb1\x59\xb9\x59\x61\x7b\x09\x65\x27\x9b"
+			  "\xf5\x9b\x60\xa7\x86\xd3\xe0\xfe"
+			  "\x00\x07\xbd\xfd",
+	.iv		= "\x5c\xbd\x60\x27\x8d\xcc\x09\x12",
+	.plain	= "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
+			  "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"
+			  "\x20\x21\x22\x23",
+	.cipher	= "\x96\x89\x3f\xc5\x5e\x5c\x72\x2f\x54\x0b\x7d\xd1\xdd\xf7\xe7\x58"
+			  "\xd2\x88\xbc\x95\xc6\x91\x65\x88\x45\x36\xc8\x11\x66\x2f\x21\x88"
+			  "\xab\xee\x09\x35",
+};
+
+/**
+ * Test 7 of RFC3686
+ */
+crypter_test_vector_t aes_ctr7 = {
+	.alg = ENCR_AES_CTR, .key_size = 32, .len = 16,
+	.key	= "\x77\x6b\xef\xf2\x85\x1d\xb0\x6f\x4c\x8a\x05\x42\xc8\x69\x6f\x6c"
+			  "\x6a\x81\xaf\x1e\xec\x96\xb4\xd3\x7f\xc1\xd6\x89\xe6\xc1\xc1\x04"
+			  "\x00\x00\x00\x60",
+	.iv		= "\xdb\x56\x72\xc9\x7a\xa8\xf0\xb2",
+	.plain	= "Single block msg",
+	.cipher	= "\x14\x5a\xd0\x1d\xbf\x82\x4e\xc7\x56\x08\x63\xdc\x71\xe3\xe0\xc0",
+};
+
+/**
+ * Test 8 of RFC3686
+ */
+crypter_test_vector_t aes_ctr8 = {
+	.alg = ENCR_AES_CTR, .key_size = 32, .len = 32,
+	.key	= "\xf6\xd6\x6d\x6b\xd5\x2d\x59\xbb\x07\x96\x36\x58\x79\xef\xf8\x86"
+			  "\xc6\x6d\xd5\x1a\x5b\x6a\x99\x74\x4b\x50\x59\x0c\x87\xa2\x38\x84"
+			  "\x00\xfa\xac\x24",
+	.iv		= "\xc1\x58\x5e\xf1\x5a\x43\xd8\x75",
+	.plain	= "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
+			  "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f",
+	.cipher	= "\xf0\x5e\x23\x1b\x38\x94\x61\x2c\x49\xee\x00\x0b\x80\x4e\xb2\xa9"
+			  "\xb8\x30\x6b\x50\x8f\x83\x9d\x6a\x55\x30\x83\x1d\x93\x44\xaf\x1c",
+};
+
+/**
+ * Test 9 of RFC3686
+ */
+crypter_test_vector_t aes_ctr9 = {
+	.alg = ENCR_AES_CTR, .key_size = 32, .len = 36,
+	.key	= "\xff\x7a\x61\x7c\xe6\x91\x48\xe4\xf1\x72\x6e\x2f\x43\x58\x1d\xe2"
+			  "\xaa\x62\xd9\xf8\x05\x53\x2e\xdf\xf1\xee\xd6\x87\xfb\x54\x15\x3d"
+			  "\x00\x1c\xc5\xb7",
+	.iv		= "\x51\xa5\x1d\x70\xa1\xc1\x11\x48",
+	.plain	= "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
+			  "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"
+			  "\x20\x21\x22\x23",
+	.cipher	= "\xeb\x6c\x52\x82\x1d\x0b\xbb\xf7\xce\x75\x94\x46\x2a\xca\x4f\xaa"
+			  "\xb4\x07\xdf\x86\x65\x69\xfd\x07\xf4\x8c\xc0\xb5\x83\xd6\x07\x1f"
+			  "\x1e\xc0\xe6\xb8",
+};
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors/aes_gcm.c b/src/libstrongswan/plugins/test_vectors/test_vectors/aes_gcm.c
new file mode 100644
index 000000000..7534633e1
--- /dev/null
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors/aes_gcm.c
@@ -0,0 +1,139 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the Licenseor (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be usefulbut
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <crypto/crypto_tester.h>
+
+/**
+ * From the Linux kernel, those with an IV. Originally from
+ * McGrew & Viega - http://citeseer.ist.psu.edu/656989.html
+ */
+aead_test_vector_t aes_gcm1 = {
+	.alg = ENCR_AES_GCM_ICV8, .key_size = 16, .len = 64, .alen = 0,
+	.key	= "\xfe\xff\xe9\x92\x86\x65\x73\x1c\x6d\x6a\x8f\x94\x67\x30\x83\x08"
+			  "\xca\xfe\xba\xbe",
+	.iv		= "\xfa\xce\xdb\xad\xde\xca\xf8\x88",
+	.plain	= "\xd9\x31\x32\x25\xf8\x84\x06\xe5\xa5\x59\x09\xc5\xaf\xf5\x26\x9a"
+			  "\x86\xa7\xa9\x53\x15\x34\xf7\xda\x2e\x4c\x30\x3d\x8a\x31\x8a\x72"
+			  "\x1c\x3c\x0c\x95\x95\x68\x09\x53\x2f\xcf\x0e\x24\x49\xa6\xb5\x25"
+			  "\xb1\x6a\xed\xf5\xaa\x0d\xe6\x57\xba\x63\x7b\x39\x1a\xaf\xd2\x55",
+	.cipher	= "\x42\x83\x1e\xc2\x21\x77\x74\x24\x4b\x72\x21\xb7\x84\xd0\xd4\x9c"
+			  "\xe3\xaa\x21\x2f\x2c\x02\xa4\xe0\x35\xc1\x7e\x23\x29\xac\xa1\x2e"
+			  "\x21\xd5\x14\xb2\x54\x66\x93\x1c\x7d\x8f\x6a\x5a\xac\x84\xaa\x05"
+			  "\x1b\xa3\x0b\x39\x6a\x0a\xac\x97\x3d\x58\xe0\x91\x47\x3f\x59\x85"
+			  "\x4d\x5c\x2a\xf3\x27\xcd\x64\xa6",
+};
+
+aead_test_vector_t aes_gcm2 = {
+	.alg = ENCR_AES_GCM_ICV12, .key_size = 16, .len = 64, .alen = 0,
+	.key	= "\xfe\xff\xe9\x92\x86\x65\x73\x1c\x6d\x6a\x8f\x94\x67\x30\x83\x08"
+			  "\xca\xfe\xba\xbe",
+	.iv		= "\xfa\xce\xdb\xad\xde\xca\xf8\x88",
+	.plain	= "\xd9\x31\x32\x25\xf8\x84\x06\xe5\xa5\x59\x09\xc5\xaf\xf5\x26\x9a"
+			  "\x86\xa7\xa9\x53\x15\x34\xf7\xda\x2e\x4c\x30\x3d\x8a\x31\x8a\x72"
+			  "\x1c\x3c\x0c\x95\x95\x68\x09\x53\x2f\xcf\x0e\x24\x49\xa6\xb5\x25"
+			  "\xb1\x6a\xed\xf5\xaa\x0d\xe6\x57\xba\x63\x7b\x39\x1a\xaf\xd2\x55",
+	.cipher	= "\x42\x83\x1e\xc2\x21\x77\x74\x24\x4b\x72\x21\xb7\x84\xd0\xd4\x9c"
+			  "\xe3\xaa\x21\x2f\x2c\x02\xa4\xe0\x35\xc1\x7e\x23\x29\xac\xa1\x2e"
+			  "\x21\xd5\x14\xb2\x54\x66\x93\x1c\x7d\x8f\x6a\x5a\xac\x84\xaa\x05"
+			  "\x1b\xa3\x0b\x39\x6a\x0a\xac\x97\x3d\x58\xe0\x91\x47\x3f\x59\x85"
+			  "\x4d\x5c\x2a\xf3\x27\xcd\x64\xa6\x2c\xf3\x5a\xbd",
+};
+
+aead_test_vector_t aes_gcm3 = {
+	.alg = ENCR_AES_GCM_ICV16, .key_size = 16, .len = 64, .alen = 0,
+	.key	= "\xfe\xff\xe9\x92\x86\x65\x73\x1c\x6d\x6a\x8f\x94\x67\x30\x83\x08"
+			  "\xca\xfe\xba\xbe",
+	.iv		= "\xfa\xce\xdb\xad\xde\xca\xf8\x88",
+	.plain	= "\xd9\x31\x32\x25\xf8\x84\x06\xe5\xa5\x59\x09\xc5\xaf\xf5\x26\x9a"
+			  "\x86\xa7\xa9\x53\x15\x34\xf7\xda\x2e\x4c\x30\x3d\x8a\x31\x8a\x72"
+			  "\x1c\x3c\x0c\x95\x95\x68\x09\x53\x2f\xcf\x0e\x24\x49\xa6\xb5\x25"
+			  "\xb1\x6a\xed\xf5\xaa\x0d\xe6\x57\xba\x63\x7b\x39\x1a\xaf\xd2\x55",
+	.cipher	= "\x42\x83\x1e\xc2\x21\x77\x74\x24\x4b\x72\x21\xb7\x84\xd0\xd4\x9c"
+			  "\xe3\xaa\x21\x2f\x2c\x02\xa4\xe0\x35\xc1\x7e\x23\x29\xac\xa1\x2e"
+			  "\x21\xd5\x14\xb2\x54\x66\x93\x1c\x7d\x8f\x6a\x5a\xac\x84\xaa\x05"
+			  "\x1b\xa3\x0b\x39\x6a\x0a\xac\x97\x3d\x58\xe0\x91\x47\x3f\x59\x85"
+			  "\x4d\x5c\x2a\xf3\x27\xcd\x64\xa6\x2c\xf3\x5a\xbd\x2b\xa6\xfa\xb4",
+};
+
+aead_test_vector_t aes_gcm4 = {
+	.alg = ENCR_AES_GCM_ICV16, .key_size = 16, .len = 60, .alen = 20,
+	.key	= "\xfe\xff\xe9\x92\x86\x65\x73\x1c\x6d\x6a\x8f\x94\x67\x30\x83\x08"
+			  "\xca\xfe\xba\xbe",
+	.iv		= "\xfa\xce\xdb\xad\xde\xca\xf8\x88",
+	.plain	= "\xd9\x31\x32\x25\xf8\x84\x06\xe5\xa5\x59\x09\xc5\xaf\xf5\x26\x9a"
+			  "\x86\xa7\xa9\x53\x15\x34\xf7\xda\x2e\x4c\x30\x3d\x8a\x31\x8a\x72"
+			  "\x1c\x3c\x0c\x95\x95\x68\x09\x53\x2f\xcf\x0e\x24\x49\xa6\xb5\x25"
+			  "\xb1\x6a\xed\xf5\xaa\x0d\xe6\x57\xba\x63\x7b\x39",
+	.adata	= "\xfe\xed\xfa\xce\xde\xad\xbe\xef\xfe\xed\xfa\xce\xde\xad\xbe\xef"
+			  "\xab\xad\xda\xd2",
+	.cipher = "\x42\x83\x1e\xc2\x21\x77\x74\x24\x4b\x72\x21\xb7\x84\xd0\xd4\x9c"
+			  "\xe3\xaa\x21\x2f\x2c\x02\xa4\xe0\x35\xc1\x7e\x23\x29\xac\xa1\x2e"
+			  "\x21\xd5\x14\xb2\x54\x66\x93\x1c\x7d\x8f\x6a\x5a\xac\x84\xaa\x05"
+			  "\x1b\xa3\x0b\x39\x6a\x0a\xac\x97\x3d\x58\xe0\x91\x5b\xc9\x4f\xbc"
+			  "\x32\x21\xa5\xdb\x94\xfa\xe9\x5a\xe7\x12\x1a\x47",
+};
+
+aead_test_vector_t aes_gcm5 = {
+	.alg = ENCR_AES_GCM_ICV16, .key_size = 24, .len = 64, .alen = 0,
+	.key	= "\xfe\xff\xe9\x92\x86\x65\x73\x1c\x6d\x6a\x8f\x94\x67\x30\x83\x08"
+			  "\xfe\xff\xe9\x92\x86\x65\x73\x1c\xca\xfe\xba\xbe",
+	.iv		= "\xfa\xce\xdb\xad\xde\xca\xf8\x88",
+	.plain	= "\xd9\x31\x32\x25\xf8\x84\x06\xe5\xa5\x59\x09\xc5\xaf\xf5\x26\x9a"
+			  "\x86\xa7\xa9\x53\x15\x34\xf7\xda\x2e\x4c\x30\x3d\x8a\x31\x8a\x72"
+			  "\x1c\x3c\x0c\x95\x95\x68\x09\x53\x2f\xcf\x0e\x24\x49\xa6\xb5\x25"
+			  "\xb1\x6a\xed\xf5\xaa\x0d\xe6\x57\xba\x63\x7b\x39\x1a\xaf\xd2\x55",
+	.cipher = "\x39\x80\xca\x0b\x3c\x00\xe8\x41\xeb\x06\xfa\xc4\x87\x2a\x27\x57"
+			  "\x85\x9e\x1c\xea\xa6\xef\xd9\x84\x62\x85\x93\xb4\x0c\xa1\xe1\x9c"
+			  "\x7d\x77\x3d\x00\xc1\x44\xc5\x25\xac\x61\x9d\x18\xc8\x4a\x3f\x47"
+			  "\x18\xe2\x44\x8b\x2f\xe3\x24\xd9\xcc\xda\x27\x10\xac\xad\xe2\x56"
+			  "\x99\x24\xa7\xc8\x58\x73\x36\xbf\xb1\x18\x02\x4d\xb8\x67\x4a\x14",
+};
+
+aead_test_vector_t aes_gcm6 = {
+	.alg = ENCR_AES_GCM_ICV16, .key_size = 32, .len = 64, .alen = 0,
+	.key	= "\xfe\xff\xe9\x92\x86\x65\x73\x1c\x6d\x6a\x8f\x94\x67\x30\x83\x08"
+			  "\xfe\xff\xe9\x92\x86\x65\x73\x1c\x6d\x6a\x8f\x94\x67\x30\x83\x08"
+			  "\xca\xfe\xba\xbe",
+	.iv		= "\xfa\xce\xdb\xad\xde\xca\xf8\x88",
+	.plain	= "\xd9\x31\x32\x25\xf8\x84\x06\xe5\xa5\x59\x09\xc5\xaf\xf5\x26\x9a"
+			  "\x86\xa7\xa9\x53\x15\x34\xf7\xda\x2e\x4c\x30\x3d\x8a\x31\x8a\x72"
+			  "\x1c\x3c\x0c\x95\x95\x68\x09\x53\x2f\xcf\x0e\x24\x49\xa6\xb5\x25"
+			  "\xb1\x6a\xed\xf5\xaa\x0d\xe6\x57\xba\x63\x7b\x39\x1a\xaf\xd2\x55",
+	.cipher	= "\x52\x2d\xc1\xf0\x99\x56\x7d\x07\xf4\x7f\x37\xa3\x2a\x84\x42\x7d"
+			  "\x64\x3a\x8c\xdc\xbf\xe5\xc0\xc9\x75\x98\xa2\xbd\x25\x55\xd1\xaa"
+			  "\x8c\xb0\x8e\x48\x59\x0d\xbb\x3d\xa7\xb0\x8b\x10\x56\x82\x88\x38"
+			  "\xc5\xf6\x1e\x63\x93\xba\x7a\x0a\xbc\xc9\xf6\x62\x89\x80\x15\xad"
+			  "\xb0\x94\xda\xc5\xd9\x34\x71\xbd\xec\x1a\x50\x22\x70\xe3\xcc\x6c",
+};
+
+aead_test_vector_t aes_gcm7 = {
+	.alg = ENCR_AES_GCM_ICV16, .key_size = 32, .len = 60, .alen = 20,
+	.key	= "\xfe\xff\xe9\x92\x86\x65\x73\x1c\x6d\x6a\x8f\x94\x67\x30\x83\x08"
+			  "\xfe\xff\xe9\x92\x86\x65\x73\x1c\x6d\x6a\x8f\x94\x67\x30\x83\x08"
+			  "\xca\xfe\xba\xbe",
+	.iv		= "\xfa\xce\xdb\xad\xde\xca\xf8\x88",
+	.adata	= "\xfe\xed\xfa\xce\xde\xad\xbe\xef\xfe\xed\xfa\xce\xde\xad\xbe\xef"
+			  "\xab\xad\xda\xd2",
+	.plain	= "\xd9\x31\x32\x25\xf8\x84\x06\xe5\xa5\x59\x09\xc5\xaf\xf5\x26\x9a"
+			  "\x86\xa7\xa9\x53\x15\x34\xf7\xda\x2e\x4c\x30\x3d\x8a\x31\x8a\x72"
+			  "\x1c\x3c\x0c\x95\x95\x68\x09\x53\x2f\xcf\x0e\x24\x49\xa6\xb5\x25"
+			  "\xb1\x6a\xed\xf5\xaa\x0d\xe6\x57\xba\x63\x7b\x39",
+	.cipher	= "\x52\x2d\xc1\xf0\x99\x56\x7d\x07\xf4\x7f\x37\xa3\x2a\x84\x42\x7d"
+			  "\x64\x3a\x8c\xdc\xbf\xe5\xc0\xc9\x75\x98\xa2\xbd\x25\x55\xd1\xaa"
+			  "\x8c\xb0\x8e\x48\x59\x0d\xbb\x3d\xa7\xb0\x8b\x10\x56\x82\x88\x38"
+			  "\xc5\xf6\x1e\x63\x93\xba\x7a\x0a\xbc\xc9\xf6\x62\x76\xfc\x6e\xce"
+			  "\x0f\x4e\x17\x68\xcd\xdf\x88\x53\xbb\x2d\x55\x1b",
+};
+
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors/camellia_ctr.c b/src/libstrongswan/plugins/test_vectors/test_vectors/camellia_ctr.c
new file mode 100644
index 000000000..241e6ca7a
--- /dev/null
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors/camellia_ctr.c
@@ -0,0 +1,148 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the Licenseor (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be usefulbut
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <crypto/crypto_tester.h>
+
+/**
+ * Test 1 of RFC5528
+ */
+crypter_test_vector_t camellia_ctr1 = {
+	.alg = ENCR_CAMELLIA_CTR, .key_size = 16, .len = 16,
+	.key	= "\xae\x68\x52\xf8\x12\x10\x67\xcc\x4b\xf7\xa5\x76\x55\x77\xf3\x9e"
+			  "\x00\x00\x00\x30",
+	.iv		= "\x00\x00\x00\x00\x00\x00\x00\x00",
+	.plain	= "Single block msg",
+	.cipher	= "\xd0\x9d\xc2\x9a\x82\x14\x61\x9a\x20\x87\x7c\x76\xdb\x1f\x0b\x3f"
+};
+
+/**
+ * Test 2 of RFC5528
+ */
+crypter_test_vector_t camellia_ctr2 = {
+	.alg = ENCR_CAMELLIA_CTR, .key_size = 16, .len = 32,
+	.key	= "\x7e\x24\x06\x78\x17\xfa\xe0\xd7\x43\xd6\xce\x1f\x32\x53\x91\x63"
+			  "\x00\x6c\xb6\xdb",
+	.iv		= "\xc0\x54\x3b\x59\xda\x48\xd9\x0b",
+	.plain	= "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
+			  "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f",
+	.cipher	= "\xdb\xf3\xc7\x8d\xc0\x83\x96\xd4\xda\x7c\x90\x77\x65\xbb\xcb\x44"
+			  "\x2b\x8e\x8e\x0f\x31\xf0\xdc\xa7\x2c\x74\x17\xe3\x53\x60\xe0\x48"
+};
+
+/**
+ * Test 3 of RFC5528
+ */
+crypter_test_vector_t camellia_ctr3 = {
+	.alg = ENCR_CAMELLIA_CTR, .key_size = 16, .len = 36,
+	.key	= "\x76\x91\xbe\x03\x5e\x50\x20\xa8\xac\x6e\x61\x85\x29\xf9\xa0\xdc"
+			  "\x00\xe0\x01\x7b",
+	.iv		= "\x27\x77\x7f\x3f\x4a\x17\x86\xf0",
+	.plain	= "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
+			  "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"
+			  "\x20\x21\x22\x23",
+	.cipher	= "\xb1\x9d\x1f\xcd\xcb\x75\xeb\x88\x2f\x84\x9c\xe2\x4d\x85\xcf\x73"
+			  "\x9c\xe6\x4b\x2b\x5c\x9d\x73\xf1\x4f\x2d\x5d\x9d\xce\x98\x89\xcd"
+			  "\xdf\x50\x86\x96",
+};
+
+/**
+ * Test 4 of RFC5528
+ */
+crypter_test_vector_t camellia_ctr4 = {
+	.alg = ENCR_CAMELLIA_CTR, .key_size = 24, .len = 16,
+	.key	= "\x16\xaf\x5b\x14\x5f\xc9\xf5\x79\xc1\x75\xf9\x3e\x3b\xfb\x0e\xed"
+			  "\x86\x3d\x06\xcc\xfd\xb7\x85\x15"
+			  "\x00\x00\x00\x48",
+	.iv		= "\x36\x73\x3c\x14\x7d\x6d\x93\xcb",
+	.plain	= "Single block msg",
+	.cipher	= "\x23\x79\x39\x9e\x8a\x8d\x2b\x2b\x16\x70\x2f\xc7\x8b\x9e\x96\x96",
+};
+
+/**
+ * Test 5 of RFC5528
+ */
+crypter_test_vector_t camellia_ctr5 = {
+	.alg = ENCR_CAMELLIA_CTR, .key_size = 24, .len = 32,
+	.key	= "\x7c\x5c\xb2\x40\x1b\x3d\xc3\x3c\x19\xe7\x34\x08\x19\xe0\xf6\x9c"
+			  "\x67\x8c\x3d\xb8\xe6\xf6\xa9\x1a"
+			  "\x00\x96\xb0\x3b",
+	.iv		= "\x02\x0c\x6e\xad\xc2\xcb\x50\x0d",
+	.plain	= "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
+			  "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f",
+	.cipher	= "\x7d\xef\x34\xf7\xa5\xd0\xe4\x15\x67\x4b\x7f\xfc\xae\x67\xc7\x5d"
+			  "\xd0\x18\xb8\x6f\xf2\x30\x51\xe0\x56\x39\x2a\x99\xf3\x5a\x4c\xed",
+};
+
+/**
+ * Test 6 of RFC5528
+ */
+crypter_test_vector_t camellia_ctr6 = {
+	.alg = ENCR_CAMELLIA_CTR, .key_size = 24, .len = 36,
+	.key	= "\x02\xbf\x39\x1e\xe8\xec\xb1\x59\xb9\x59\x61\x7b\x09\x65\x27\x9b"
+			  "\xf5\x9b\x60\xa7\x86\xd3\xe0\xfe"
+			  "\x00\x07\xbd\xfd",
+	.iv		= "\x5c\xbd\x60\x27\x8d\xcc\x09\x12",
+	.plain	= "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
+			  "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"
+			  "\x20\x21\x22\x23",
+	.cipher	= "\x57\x10\xe5\x56\xe1\x48\x7a\x20\xb5\xac\x0e\x73\xf1\x9e\x4e\x78"
+			  "\x76\xf3\x7f\xdc\x91\xb1\xef\x4d\x4d\xad\xe8\xe6\x66\xa6\x4d\x0e"
+			  "\xd5\x57\xab\x57",
+};
+
+/**
+ * Test 7 of RFC5528
+ */
+crypter_test_vector_t camellia_ctr7 = {
+	.alg = ENCR_CAMELLIA_CTR, .key_size = 32, .len = 16,
+	.key	= "\x77\x6b\xef\xf2\x85\x1d\xb0\x6f\x4c\x8a\x05\x42\xc8\x69\x6f\x6c"
+			  "\x6a\x81\xaf\x1e\xec\x96\xb4\xd3\x7f\xc1\xd6\x89\xe6\xc1\xc1\x04"
+			  "\x00\x00\x00\x60",
+	.iv		= "\xdb\x56\x72\xc9\x7a\xa8\xf0\xb2",
+	.plain	= "Single block msg",
+	.cipher	= "\x34\x01\xf9\xc8\x24\x7e\xff\xce\xbd\x69\x94\x71\x4c\x1b\xbb\x11",
+};
+
+/**
+ * Test 8 of RFC5528
+ */
+crypter_test_vector_t camellia_ctr8 = {
+	.alg = ENCR_CAMELLIA_CTR, .key_size = 32, .len = 32,
+	.key	= "\xf6\xd6\x6d\x6b\xd5\x2d\x59\xbb\x07\x96\x36\x58\x79\xef\xf8\x86"
+			  "\xc6\x6d\xd5\x1a\x5b\x6a\x99\x74\x4b\x50\x59\x0c\x87\xa2\x38\x84"
+			  "\x00\xfa\xac\x24",
+	.iv		= "\xc1\x58\x5e\xf1\x5a\x43\xd8\x75",
+	.plain	= "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
+			  "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f",
+	.cipher	= "\xd6\xc3\x03\x92\x24\x6f\x78\x08\xa8\x3c\x2b\x22\xa8\x83\x9e\x45"
+			  "\xe5\x1c\xd4\x8a\x1c\xdf\x40\x6e\xbc\x9c\xc2\xd3\xab\x83\x41\x08",
+};
+
+/**
+ * Test 9 of RFC5528
+ */
+crypter_test_vector_t camellia_ctr9 = {
+	.alg = ENCR_CAMELLIA_CTR, .key_size = 32, .len = 36,
+	.key	= "\xff\x7a\x61\x7c\xe6\x91\x48\xe4\xf1\x72\x6e\x2f\x43\x58\x1d\xe2"
+			  "\xaa\x62\xd9\xf8\x05\x53\x2e\xdf\xf1\xee\xd6\x87\xfb\x54\x15\x3d"
+			  "\x00\x1c\xc5\xb7",
+	.iv		= "\x51\xa5\x1d\x70\xa1\xc1\x11\x48",
+	.plain	= "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
+			  "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"
+			  "\x20\x21\x22\x23",
+	.cipher	= "\xa4\xda\x23\xfc\xe6\xa5\xff\xaa\x6d\x64\xae\x9a\x06\x52\xa4\x2c"
+			  "\xd1\x61\xa3\x4b\x65\xf9\x67\x9f\x75\xc0\x1f\x10\x1f\x71\x27\x6f"
+			  "\x15\xef\x0d\x8d",
+};
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors/camellia_xcbc.c b/src/libstrongswan/plugins/test_vectors/test_vectors/camellia_xcbc.c
new file mode 100644
index 000000000..2a58b3732
--- /dev/null
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors/camellia_xcbc.c
@@ -0,0 +1,58 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the Licenseor (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be usefulbut
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <crypto/crypto_tester.h>
+
+/**
+ * draft-kanno-ipsecme-camellia-xcbc Test Case #1
+ */
+signer_test_vector_t camellia_xcbc_s1 = {
+	.alg = AUTH_CAMELLIA_XCBC_96, .len = 20,
+	.key	= "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f",
+	.data	= "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
+			  "\x10\x11\x12\x13",
+	.mac	= "\x3d\x04\x2d\xd4\xe7\xbc\x79\x1c\xee\x32\x04\x15",
+};
+
+prf_test_vector_t camellia_xcbc_p1 = {
+	.alg = PRF_CAMELLIA128_XCBC, .key_size = 16, .len = 20,
+	.key	= "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f",
+	.seed	= "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
+			  "\x10\x11\x12\x13",
+	.out	= "\x3d\x04\x2d\xd4\xe7\xbc\x79\x1c\xee\x32\x04\x15\xc5\xe3\x26\xd6",
+};
+
+/**
+ * draft-kanno-ipsecme-camellia-xcbc Test Case #2
+ */
+prf_test_vector_t camellia_xcbc_p2 = {
+	.alg = PRF_CAMELLIA128_XCBC, .key_size = 10, .len = 20,
+	.key	= "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09",
+	.seed	= "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
+			  "\x10\x11\x12\x13",
+	.out	= "\xb9\x16\xb4\x23\x42\x0a\x90\x6c\xd7\xd7\xb6\x72\xa2\x4e\x97\x6f",
+};
+
+/**
+ * draft-kanno-ipsecme-camellia-xcbc Test #3
+ */
+prf_test_vector_t camellia_xcbc_p3 = {
+	.alg = PRF_CAMELLIA128_XCBC, .key_size = 18, .len = 20,
+	.key	= "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
+			  "\xed\xcb",
+	.seed	= "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
+			  "\x10\x11\x12\x13",
+	.out	= "\xb9\x71\x46\x36\x9d\x31\x94\x0f\xf5\x7a\x0d\xdf\x22\x33\xc1\xd2",
+};
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors_plugin.c b/src/libstrongswan/plugins/test_vectors/test_vectors_plugin.c
index 234d237f3..f3a254d8d 100644
--- a/src/libstrongswan/plugins/test_vectors/test_vectors_plugin.c
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors_plugin.c
@@ -20,6 +20,7 @@
 
 /* define symbols of all test vectors */
 #define TEST_VECTOR_CRYPTER(x) crypter_test_vector_t x;
+#define TEST_VECTOR_AEAD(x) aead_test_vector_t x;
 #define TEST_VECTOR_SIGNER(x) signer_test_vector_t x;
 #define TEST_VECTOR_HASHER(x) hasher_test_vector_t x;
 #define TEST_VECTOR_PRF(x) prf_test_vector_t x;
@@ -28,12 +29,14 @@
 #include "test_vectors.h"
 
 #undef TEST_VECTOR_CRYPTER
+#undef TEST_VECTOR_AEAD
 #undef TEST_VECTOR_SIGNER
 #undef TEST_VECTOR_HASHER
 #undef TEST_VECTOR_PRF
 #undef TEST_VECTOR_RNG
 
 #define TEST_VECTOR_CRYPTER(x)
+#define TEST_VECTOR_AEAD(x)
 #define TEST_VECTOR_SIGNER(x)
 #define TEST_VECTOR_HASHER(x)
 #define TEST_VECTOR_PRF(x)
@@ -48,6 +51,14 @@ static crypter_test_vector_t *crypter[] = {
 #undef TEST_VECTOR_CRYPTER
 #define TEST_VECTOR_CRYPTER(x)
 
+#undef TEST_VECTOR_AEAD
+#define TEST_VECTOR_AEAD(x) &x,
+static aead_test_vector_t *aead[] = {
+#include "test_vectors.h"
+};
+#undef TEST_VECTOR_AEAD
+#define TEST_VECTOR_AEAD(x)
+
 #undef TEST_VECTOR_SIGNER
 #define TEST_VECTOR_SIGNER(x) &x,
 static signer_test_vector_t *signer[] = {
@@ -116,6 +127,11 @@ plugin_t *test_vectors_plugin_create()
 		lib->crypto->add_test_vector(lib->crypto,
 									 ENCRYPTION_ALGORITHM, crypter[i]);
 	}
+	for (i = 0; i < countof(aead); i++)
+	{
+		lib->crypto->add_test_vector(lib->crypto,
+									 AEAD_ALGORITHM, aead[i]);
+	}
 	for (i = 0; i < countof(signer); i++)
 	{
 		lib->crypto->add_test_vector(lib->crypto,
diff --git a/src/libstrongswan/plugins/x509/Makefile.in b/src/libstrongswan/plugins/x509/Makefile.in
index f40427f3f..b1cc2f168 100644
--- a/src/libstrongswan/plugins/x509/Makefile.in
+++ b/src/libstrongswan/plugins/x509/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -166,6 +167,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -197,14 +200,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -219,24 +225,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -244,7 +257,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c
index 92b576aa5..559090aa0 100644
--- a/src/libstrongswan/plugins/x509/x509_cert.c
+++ b/src/libstrongswan/plugins/x509/x509_cert.c
@@ -260,7 +260,7 @@ static const asn1Object_t otherNameObjects[] = {
 /**
  * Extracts an otherName
  */
-static bool parse_otherName(chunk_t blob, int level0)
+static bool parse_otherName(chunk_t *blob, int level0, id_type_t *type)
 {
 	asn1_parser_t *parser;
 	chunk_t object;
@@ -268,7 +268,7 @@ static bool parse_otherName(chunk_t blob, int level0)
 	int oid = OID_UNKNOWN;
 	bool success = FALSE;
 
-	parser = asn1_parser_create(otherNameObjects, blob);
+	parser = asn1_parser_create(otherNameObjects, *blob);
 	parser->set_top_level(parser, level0);
 
 	while (parser->iterate(parser, &objectID, &object))
@@ -279,13 +279,27 @@ static bool parse_otherName(chunk_t blob, int level0)
 				oid = asn1_known_oid(object);
 				break;
 			case ON_OBJ_VALUE:
-				if (oid == OID_XMPP_ADDR)
+				switch (oid)
 				{
-					if (!asn1_parse_simple_object(&object, ASN1_UTF8STRING,
-								parser->get_level(parser)+1, "xmppAddr"))
-					{
-						goto end;
-					}
+					case OID_XMPP_ADDR:
+						if (!asn1_parse_simple_object(&object, ASN1_UTF8STRING,
+									parser->get_level(parser)+1, "xmppAddr"))
+						{
+							goto end;
+						}
+						break;
+					case OID_USER_PRINCIPAL_NAME:
+						if (asn1_parse_simple_object(&object, ASN1_UTF8STRING,
+									parser->get_level(parser)+1, "msUPN"))
+						{	/* we handle UPNs as RFC822 addr */
+							*blob = object;
+							*type = ID_RFC822_ADDR;
+						}
+						else
+						{
+							goto end;
+						}
+						break;
 				}
 				break;
 			default:
@@ -379,7 +393,8 @@ static identification_t *parse_generalName(chunk_t blob, int level0)
 				}
 				break;
 			case GN_OBJ_OTHER_NAME:
-				if (!parse_otherName(object, parser->get_level(parser)+1))
+				if (!parse_otherName(&object, parser->get_level(parser)+1,
+									 &id_type))
 				{
 					goto end;
 				}
@@ -1091,15 +1106,28 @@ static id_match_t has_subject(private_x509_cert_t *this, identification_t *subje
 	identification_t *current;
 	enumerator_t *enumerator;
 	id_match_t match, best;
+	chunk_t encoding;
 
-	if (this->encoding_hash.ptr && subject->get_type(subject) == ID_KEY_ID)
+	if (subject->get_type(subject) == ID_KEY_ID)
 	{
-		if (chunk_equals(this->encoding_hash, subject->get_encoding(subject)))
+		encoding = subject->get_encoding(subject);
+
+		if (this->encoding_hash.len &&
+			chunk_equals(this->encoding_hash, encoding))
+		{
+			return ID_MATCH_PERFECT;
+		}
+		if (this->subjectKeyIdentifier.len &&
+			chunk_equals(this->subjectKeyIdentifier, encoding))
+		{
+			return ID_MATCH_PERFECT;
+		}
+		if (this->public_key &&
+			this->public_key->has_fingerprint(this->public_key, encoding))
 		{
 			return ID_MATCH_PERFECT;
 		}
 	}
-
 	best = this->subject->matches(this->subject, subject);
 	enumerator = this->subjectAltNames->create_enumerator(this->subjectAltNames);
 	while (enumerator->enumerate(enumerator, &current))
diff --git a/src/libstrongswan/plugins/x509/x509_pkcs10.c b/src/libstrongswan/plugins/x509/x509_pkcs10.c
index bfb0ca621..7b488484e 100644
--- a/src/libstrongswan/plugins/x509/x509_pkcs10.c
+++ b/src/libstrongswan/plugins/x509/x509_pkcs10.c
@@ -684,7 +684,7 @@ x509_pkcs10_t *x509_pkcs10_gen(certificate_type_t type, va_list args)
 				enumerator->destroy(enumerator);
 				continue;
 			}
-			case BUILD_PASSPHRASE:
+			case BUILD_CHALLENGE_PWD:
 				cert->challengePassword = chunk_clone(va_arg(args, chunk_t));
 				continue;
 			case BUILD_DIGEST_ALG:
diff --git a/src/libstrongswan/plugins/x509/x509_plugin.c b/src/libstrongswan/plugins/x509/x509_plugin.c
index 8391781e2..11a7f023c 100644
--- a/src/libstrongswan/plugins/x509/x509_plugin.c
+++ b/src/libstrongswan/plugins/x509/x509_plugin.c
@@ -73,25 +73,25 @@ plugin_t *x509_plugin_create()
 
 	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
 
-	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509,
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509, FALSE,
 							(builder_function_t)x509_cert_gen);
-	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509,
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509, TRUE,
 							(builder_function_t)x509_cert_load);
-	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_AC,
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_AC, FALSE,
 							(builder_function_t)x509_ac_gen);
-	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_AC,
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_AC, TRUE,
 							(builder_function_t)x509_ac_load);
-	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL,
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL, TRUE,
 							(builder_function_t)x509_crl_load);
-	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL,
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL, FALSE,
 							(builder_function_t)x509_crl_gen);
-	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_OCSP_REQUEST,
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_OCSP_REQUEST, FALSE,
 							(builder_function_t)x509_ocsp_request_gen);
-	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_OCSP_RESPONSE,
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_OCSP_RESPONSE, TRUE,
 							(builder_function_t)x509_ocsp_response_load);
-	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_PKCS10_REQUEST,
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_PKCS10_REQUEST, FALSE,
 							(builder_function_t)x509_pkcs10_gen);
-	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_PKCS10_REQUEST,
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_PKCS10_REQUEST, TRUE,
 							(builder_function_t)x509_pkcs10_load);
 
 	return &this->public.plugin;
diff --git a/src/libstrongswan/plugins/xcbc/Makefile.in b/src/libstrongswan/plugins/xcbc/Makefile.in
index 69bba8d6f..e82e5246f 100644
--- a/src/libstrongswan/plugins/xcbc/Makefile.in
+++ b/src/libstrongswan/plugins/xcbc/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -165,6 +166,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -196,14 +199,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -218,24 +224,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -243,7 +256,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libstrongswan/plugins/xcbc/xcbc.c b/src/libstrongswan/plugins/xcbc/xcbc.c
index b9f03eeac..be18d92b8 100644
--- a/src/libstrongswan/plugins/xcbc/xcbc.c
+++ b/src/libstrongswan/plugins/xcbc/xcbc.c
@@ -27,10 +27,11 @@ typedef struct private_xcbc_t private_xcbc_t;
  * The variable names are the same as in the RFC.
  */
 struct private_xcbc_t {
+
 	/**
 	 * Public xcbc_t interface.
 	 */
-	xcbc_t xcbc;
+	xcbc_t public;
 
 	/**
 	 * Block size, in bytes
@@ -135,9 +136,9 @@ static void final(private_xcbc_t *this, u_int8_t *out)
 	if (this->remaining_bytes == this->b && !this->zero)
 	{
 		/* a) If the blocksize of M[n] is 128 bits:
-         *    XOR M[n] with E[n-1] and Key K2, then encrypt the result with
-         *    Key K1, yielding E[n].
-         */
+		 *    XOR M[n] with E[n-1] and Key K2, then encrypt the result with
+		 *    Key K1, yielding E[n].
+		 */
 		memxor(this->e, this->remaining, this->b);
 		memxor(this->e, this->k2, this->b);
 		this->k1->encrypt(this->k1, chunk_create(this->e, this->b), iv, NULL);
@@ -147,20 +148,20 @@ static void final(private_xcbc_t *this, u_int8_t *out)
 		/* b) If the blocksize of M[n] is less than 128 bits:
 		 *
 		 *  i) Pad M[n] with a single "1" bit, followed by the number of
-         *     "0" bits (possibly none) required to increase M[n]'s
-         *     blocksize to 128 bits.
-         */
-        if (this->remaining_bytes < this->b)
-        {
-		    this->remaining[this->remaining_bytes] = 0x80;
-		    while (++this->remaining_bytes < this->b)
-		    {
-			    this->remaining[this->remaining_bytes] = 0x00;
-		    }
-        }
-        /*  ii) XOR M[n] with E[n-1] and Key K3, then encrypt the result
-         *      with Key K1, yielding E[n].
-         */
+		 *     "0" bits (possibly none) required to increase M[n]'s
+		 *     blocksize to 128 bits.
+		 */
+		if (this->remaining_bytes < this->b)
+		{
+			this->remaining[this->remaining_bytes] = 0x80;
+			while (++this->remaining_bytes < this->b)
+			{
+				this->remaining[this->remaining_bytes] = 0x00;
+			}
+		}
+		/*  ii) XOR M[n] with E[n-1] and Key K3, then encrypt the result
+		 *      with Key K1, yielding E[n].
+		 */
 		memxor(this->e, this->remaining, this->b);
 		memxor(this->e, this->k3, this->b);
 		this->k1->encrypt(this->k1, chunk_create(this->e, this->b), iv, NULL);
@@ -174,10 +175,8 @@ static void final(private_xcbc_t *this, u_int8_t *out)
 	this->zero = TRUE;
 }
 
-/**
- * Implementation of xcbc_t.get_mac.
- */
-static void get_mac(private_xcbc_t *this, chunk_t data, u_int8_t *out)
+METHOD(xcbc_t, get_mac, void,
+	private_xcbc_t *this, chunk_t data, u_int8_t *out)
 {
 	/* update E, do not process last block */
 	update(this, data);
@@ -188,18 +187,14 @@ static void get_mac(private_xcbc_t *this, chunk_t data, u_int8_t *out)
 	}
 }
 
-/**
- * Implementation of xcbc_t.get_block_size.
- */
-static size_t get_block_size(private_xcbc_t *this)
+METHOD(xcbc_t, get_block_size, size_t,
+	private_xcbc_t *this)
 {
 	return this->b;
 }
 
-/**
- * Implementation of xcbc_t.set_key.
- */
-static void set_key(private_xcbc_t *this, chunk_t key)
+METHOD(xcbc_t, set_key, void,
+	private_xcbc_t *this, chunk_t key)
 {
 	chunk_t iv, k1, lengthened;
 
@@ -228,11 +223,11 @@ static void set_key(private_xcbc_t *this, chunk_t key)
 
 	/*
 	 * (1) Derive 3 128-bit keys (K1, K2 and K3) from the 128-bit secret
-     *     key K, as follows:
-     *     K1 = 0x01010101010101010101010101010101 encrypted with Key K
-     *     K2 = 0x02020202020202020202020202020202 encrypted with Key K
-     *     K3 = 0x03030303030303030303030303030303 encrypted with Key K
-     */
+	 *     key K, as follows:
+	 *     K1 = 0x01010101010101010101010101010101 encrypted with Key K
+	 *     K2 = 0x02020202020202020202020202020202 encrypted with Key K
+	 *     K3 = 0x03030303030303030303030303030303 encrypted with Key K
+	 */
 	this->k1->set_key(this->k1, lengthened);
 	memset(this->k2, 0x02, this->b);
 	this->k1->encrypt(this->k1, chunk_create(this->k2, this->b), iv, NULL);
@@ -243,10 +238,8 @@ static void set_key(private_xcbc_t *this, chunk_t key)
 	this->k1->set_key(this->k1, k1);
 }
 
-/**
- * Implementation of xcbc_t.destroy.
- */
-static void destroy(private_xcbc_t *this)
+METHOD(xcbc_t, destroy, void,
+	private_xcbc_t *this)
 {
 	this->k1->destroy(this->k1);
 	free(this->k2);
@@ -263,35 +256,38 @@ xcbc_t *xcbc_create(encryption_algorithm_t algo, size_t key_size)
 {
 	private_xcbc_t *this;
 	crypter_t *crypter;
+	u_int8_t b;
 
 	crypter = lib->crypto->create_crypter(lib->crypto, algo, key_size);
 	if (!crypter)
 	{
 		return NULL;
 	}
+	b = crypter->get_block_size(crypter);
 	/* input and output of crypter must be equal for xcbc */
-	if (crypter->get_block_size(crypter) != key_size)
+	if (b != key_size)
 	{
 		crypter->destroy(crypter);
 		return NULL;
 	}
 
-	this = malloc_thing(private_xcbc_t);
-	this->xcbc.get_mac = (void (*)(xcbc_t *,chunk_t,u_int8_t*))get_mac;
-	this->xcbc.get_block_size = (size_t (*)(xcbc_t *))get_block_size;
-	this->xcbc.set_key = (void (*)(xcbc_t *,chunk_t))set_key;
-	this->xcbc.destroy = (void (*)(xcbc_t *))destroy;
-
-	this->b = crypter->get_block_size(crypter);
-	this->k1 = crypter;
-	this->k2 = malloc(this->b);
-	this->k3 = malloc(this->b);
-	this->e = malloc(this->b);
-	memset(this->e, 0, this->b);
-	this->remaining = malloc(this->b);
-	this->remaining_bytes = 0;
-	this->zero = TRUE;
-
-	return &this->xcbc;
+	INIT(this,
+		.public = {
+			.get_mac = _get_mac,
+			.get_block_size = _get_block_size,
+			.set_key = _set_key,
+			.destroy = _destroy,
+		},
+		.b = b,
+		.k1 = crypter,
+		.k2 = malloc(b),
+		.k3 = malloc(b),
+		.e = malloc(b),
+		.remaining = malloc(b),
+		.zero = TRUE,
+	);
+	memset(this->e, 0, b);
+
+	return &this->public;
 }
 
diff --git a/src/libstrongswan/plugins/xcbc/xcbc_plugin.c b/src/libstrongswan/plugins/xcbc/xcbc_plugin.c
index 9d903bfaa..88156f383 100644
--- a/src/libstrongswan/plugins/xcbc/xcbc_plugin.c
+++ b/src/libstrongswan/plugins/xcbc/xcbc_plugin.c
@@ -32,15 +32,13 @@ struct private_xcbc_plugin_t {
 	xcbc_plugin_t public;
 };
 
-/**
- * Implementation of xcbc_plugin_t.xcbctroy
- */
-static void destroy(private_xcbc_plugin_t *this)
+METHOD(plugin_t, destroy, void,
+	private_xcbc_plugin_t *this)
 {
 	lib->crypto->remove_prf(lib->crypto,
-							(prf_constructor_t)xcbc_prf_create);
+					(prf_constructor_t)xcbc_prf_create);
 	lib->crypto->remove_signer(lib->crypto,
-							   (signer_constructor_t)xcbc_signer_create);
+					(signer_constructor_t)xcbc_signer_create);
 	free(this);
 }
 
@@ -49,14 +47,24 @@ static void destroy(private_xcbc_plugin_t *this)
  */
 plugin_t *xcbc_plugin_create()
 {
-	private_xcbc_plugin_t *this = malloc_thing(private_xcbc_plugin_t);
+	private_xcbc_plugin_t *this;
 
-	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+	INIT(this,
+		.public = {
+			.plugin = {
+				.destroy = _destroy,
+			},
+		},
+	);
 
 	lib->crypto->add_prf(lib->crypto, PRF_AES128_XCBC,
-						 (prf_constructor_t)xcbc_prf_create);
+					(prf_constructor_t)xcbc_prf_create);
+	lib->crypto->add_prf(lib->crypto, PRF_CAMELLIA128_XCBC,
+					(prf_constructor_t)xcbc_prf_create);
 	lib->crypto->add_signer(lib->crypto, AUTH_AES_XCBC_96,
-							(signer_constructor_t)xcbc_signer_create);
+					(signer_constructor_t)xcbc_signer_create);
+	lib->crypto->add_signer(lib->crypto, AUTH_CAMELLIA_XCBC_96,
+					(signer_constructor_t)xcbc_signer_create);
 
 	return &this->public.plugin;
 }
diff --git a/src/libstrongswan/plugins/xcbc/xcbc_prf.c b/src/libstrongswan/plugins/xcbc/xcbc_prf.c
index 2459dc616..ac9e1fda0 100644
--- a/src/libstrongswan/plugins/xcbc/xcbc_prf.c
+++ b/src/libstrongswan/plugins/xcbc/xcbc_prf.c
@@ -35,18 +35,14 @@ struct private_xcbc_prf_t {
 	xcbc_t *xcbc;
 };
 
-/**
- * Implementation of prf_t.get_bytes.
- */
-static void get_bytes(private_xcbc_prf_t *this, chunk_t seed, u_int8_t *buffer)
+METHOD(prf_t, get_bytes, void,
+	private_xcbc_prf_t *this, chunk_t seed, u_int8_t *buffer)
 {
 	this->xcbc->get_mac(this->xcbc, seed, buffer);
 }
 
-/**
- * Implementation of prf_t.allocate_bytes.
- */
-static void allocate_bytes(private_xcbc_prf_t *this, chunk_t seed, chunk_t *chunk)
+METHOD(prf_t, allocate_bytes, void,
+	private_xcbc_prf_t *this, chunk_t seed, chunk_t *chunk)
 {
 	if (chunk)
 	{
@@ -59,35 +55,27 @@ static void allocate_bytes(private_xcbc_prf_t *this, chunk_t seed, chunk_t *chun
 	}
 }
 
-/**
- * Implementation of prf_t.get_block_size.
- */
-static size_t get_block_size(private_xcbc_prf_t *this)
+METHOD(prf_t, get_block_size, size_t,
+	private_xcbc_prf_t *this)
 {
 	return this->xcbc->get_block_size(this->xcbc);
 }
 
-/**
- * Implementation of prf_t.get_block_size.
- */
-static size_t get_key_size(private_xcbc_prf_t *this)
+METHOD(prf_t, get_key_size, size_t,
+	private_xcbc_prf_t *this)
 {
 	/* in xcbc, block and key size are always equal */
 	return this->xcbc->get_block_size(this->xcbc);
 }
 
-/**
- * Implementation of prf_t.set_key.
- */
-static void set_key(private_xcbc_prf_t *this, chunk_t key)
+METHOD(prf_t, set_key, void,
+	private_xcbc_prf_t *this, chunk_t key)
 {
 	this->xcbc->set_key(this->xcbc, key);
 }
 
-/**
- * Implementation of prf_t.destroy.
- */
-static void destroy(private_xcbc_prf_t *this)
+METHOD(prf_t, destroy, void,
+	private_xcbc_prf_t *this)
 {
 	this->xcbc->destroy(this->xcbc);
 	free(this);
@@ -106,6 +94,9 @@ xcbc_prf_t *xcbc_prf_create(pseudo_random_function_t algo)
 		case PRF_AES128_XCBC:
 			xcbc = xcbc_create(ENCR_AES_CBC, 16);
 			break;
+		case PRF_CAMELLIA128_XCBC:
+			xcbc = xcbc_create(ENCR_CAMELLIA_CBC, 16);
+			break;
 		default:
 			return NULL;
 	}
@@ -114,15 +105,19 @@ xcbc_prf_t *xcbc_prf_create(pseudo_random_function_t algo)
 		return NULL;
 	}
 
-	this = malloc_thing(private_xcbc_prf_t);
-	this->xcbc = xcbc;
-
-	this->public.prf_interface.get_bytes = (void (*) (prf_t *,chunk_t,u_int8_t*))get_bytes;
-	this->public.prf_interface.allocate_bytes = (void (*) (prf_t*,chunk_t,chunk_t*))allocate_bytes;
-	this->public.prf_interface.get_block_size = (size_t (*) (prf_t*))get_block_size;
-	this->public.prf_interface.get_key_size = (size_t (*) (prf_t*))get_key_size;
-	this->public.prf_interface.set_key = (void (*) (prf_t *,chunk_t))set_key;
-	this->public.prf_interface.destroy = (void (*) (prf_t *))destroy;
+	INIT(this,
+		.public = {
+			.prf = {
+				.get_bytes = _get_bytes,
+				.allocate_bytes = _allocate_bytes,
+				.get_block_size = _get_block_size,
+				.get_key_size = _get_key_size,
+				.set_key = _set_key,
+				.destroy = _destroy,
+			},
+		},
+		.xcbc = xcbc,
+	);
 
 	return &this->public;
 }
diff --git a/src/libstrongswan/plugins/xcbc/xcbc_prf.h b/src/libstrongswan/plugins/xcbc/xcbc_prf.h
index d2db9af41..294a853b4 100644
--- a/src/libstrongswan/plugins/xcbc/xcbc_prf.h
+++ b/src/libstrongswan/plugins/xcbc/xcbc_prf.h
@@ -34,9 +34,9 @@ typedef struct xcbc_prf_t xcbc_prf_t;
 struct xcbc_prf_t {
 
 	/**
-	 * Generic prf_t interface for this xcbc_prf_t class.
+	 * Implements prf_t interface.
 	 */
-	prf_t prf_interface;
+	prf_t prf;
 };
 
 /**
diff --git a/src/libstrongswan/plugins/xcbc/xcbc_signer.c b/src/libstrongswan/plugins/xcbc/xcbc_signer.c
index 1c98d39d7..ece592323 100644
--- a/src/libstrongswan/plugins/xcbc/xcbc_signer.c
+++ b/src/libstrongswan/plugins/xcbc/xcbc_signer.c
@@ -41,11 +41,8 @@ struct private_xcbc_signer_t {
 	size_t block_size;
 };
 
-/**
- * Implementation of signer_t.get_signature.
- */
-static void get_signature(private_xcbc_signer_t *this,
-						  chunk_t data, u_int8_t *buffer)
+METHOD(signer_t, get_signature, void,
+	private_xcbc_signer_t *this, chunk_t data, u_int8_t *buffer)
 {
 	if (buffer == NULL)
 	{	/* append mode */
@@ -60,11 +57,8 @@ static void get_signature(private_xcbc_signer_t *this,
 	}
 }
 
-/**
- * Implementation of signer_t.allocate_signature.
- */
-static void allocate_signature (private_xcbc_signer_t *this,
-								chunk_t data, chunk_t *chunk)
+METHOD(signer_t, allocate_signature, void,
+	private_xcbc_signer_t *this, chunk_t data, chunk_t *chunk)
 {
 	if (chunk == NULL)
 	{	/* append mode */
@@ -83,11 +77,8 @@ static void allocate_signature (private_xcbc_signer_t *this,
 	}
 }
 
-/**
- * Implementation of signer_t.verify_signature.
- */
-static bool verify_signature(private_xcbc_signer_t *this,
-							 chunk_t data, chunk_t signature)
+METHOD(signer_t, verify_signature, bool,
+	private_xcbc_signer_t *this, chunk_t data, chunk_t signature)
 {
 	u_int8_t mac[this->xcbc->get_block_size(this->xcbc)];
 
@@ -100,38 +91,29 @@ static bool verify_signature(private_xcbc_signer_t *this,
 	return memeq(signature.ptr, mac, this->block_size);
 }
 
-/**
- * Implementation of signer_t.get_key_size.
- */
-static size_t get_key_size(private_xcbc_signer_t *this)
+METHOD(signer_t, get_key_size, size_t,
+	private_xcbc_signer_t *this)
 {
 	return this->xcbc->get_block_size(this->xcbc);
 }
 
-/**
- * Implementation of signer_t.get_block_size.
- */
-static size_t get_block_size(private_xcbc_signer_t *this)
+METHOD(signer_t, get_block_size, size_t,
+	private_xcbc_signer_t *this)
 {
 	return this->block_size;
 }
 
-/**
- * Implementation of signer_t.set_key.
- */
-static void set_key(private_xcbc_signer_t *this, chunk_t key)
+METHOD(signer_t, set_key, void,
+	private_xcbc_signer_t *this, chunk_t key)
 {
 	this->xcbc->set_key(this->xcbc, key);
 }
 
-/**
- * Implementation of signer_t.destroy.
- */
-static status_t destroy(private_xcbc_signer_t *this)
+METHOD(signer_t, destroy, void,
+	private_xcbc_signer_t *this)
 {
 	this->xcbc->destroy(this->xcbc);
 	free(this);
-	return SUCCESS;
 }
 
 /*
@@ -149,6 +131,10 @@ xcbc_signer_t *xcbc_signer_create(integrity_algorithm_t algo)
 			xcbc = xcbc_create(ENCR_AES_CBC, 16);
 			trunc = 12;
 			break;
+		case AUTH_CAMELLIA_XCBC_96:
+			xcbc = xcbc_create(ENCR_CAMELLIA_CBC, 16);
+			trunc = 12;
+			break;
 		default:
 			return NULL;
 	}
@@ -157,18 +143,21 @@ xcbc_signer_t *xcbc_signer_create(integrity_algorithm_t algo)
 		return NULL;
 	}
 
-	this = malloc_thing(private_xcbc_signer_t);
-	this->xcbc = xcbc;
-	this->block_size = min(trunc, xcbc->get_block_size(xcbc));
-
-	/* interface functions */
-	this->public.signer_interface.get_signature = (void (*) (signer_t*, chunk_t, u_int8_t*))get_signature;
-	this->public.signer_interface.allocate_signature = (void (*) (signer_t*, chunk_t, chunk_t*))allocate_signature;
-	this->public.signer_interface.verify_signature = (bool (*) (signer_t*, chunk_t, chunk_t))verify_signature;
-	this->public.signer_interface.get_key_size = (size_t (*) (signer_t*))get_key_size;
-	this->public.signer_interface.get_block_size = (size_t (*) (signer_t*))get_block_size;
-	this->public.signer_interface.set_key = (void (*) (signer_t*,chunk_t))set_key;
-	this->public.signer_interface.destroy = (void (*) (signer_t*))destroy;
+	INIT(this,
+		.public = {
+			.signer = {
+				.get_signature = _get_signature,
+				.allocate_signature = _allocate_signature,
+				.verify_signature = _verify_signature,
+				.get_key_size = _get_key_size,
+				.get_block_size = _get_block_size,
+				.set_key = _set_key,
+				.destroy = _destroy,
+			},
+		},
+		.xcbc = xcbc,
+		.block_size = min(trunc, xcbc->get_block_size(xcbc)),
+	);
 
 	return &this->public;
 }
diff --git a/src/libstrongswan/plugins/xcbc/xcbc_signer.h b/src/libstrongswan/plugins/xcbc/xcbc_signer.h
index 181cfe299..56b55f223 100644
--- a/src/libstrongswan/plugins/xcbc/xcbc_signer.h
+++ b/src/libstrongswan/plugins/xcbc/xcbc_signer.h
@@ -31,9 +31,9 @@ typedef struct xcbc_signer_t xcbc_signer_t;
 struct xcbc_signer_t {
 
 	/**
-	 * generic signer_t interface for this signer
+	 * Implements signer_t interface.
 	 */
-	signer_t signer_interface;
+	signer_t signer;
 };
 
 /**
diff --git a/src/libstrongswan/printf_hook.c b/src/libstrongswan/printf_hook.c
index 037f0b918..4d4cef829 100644
--- a/src/libstrongswan/printf_hook.c
+++ b/src/libstrongswan/printf_hook.c
@@ -132,6 +132,14 @@ static int custom_arginfo(const struct printf_info *info, size_t n, int *argtype
 #include <errno.h>
 #include <unistd.h> /* for STDOUT_FILENO */
 
+/**
+ * These are used below, whenever the public wrapper functions are called before
+ * initialization or after destruction.
+ */
+#undef vprintf
+#undef vfprintf
+#undef vsnprintf
+
 /**
  * Vstr custom format specifier callback function.
  */
@@ -177,13 +185,16 @@ static void vstr_fmt_add_handler(Vstr_conf *conf, printf_hook_handler_t *handler
 	switch(handler->numargs)
 	{
 		case 1:
-			vstr_fmt_add(conf, handler->name, custom_fmt_cb, at[0], VSTR_TYPE_FMT_END);
+			vstr_fmt_add(conf, handler->name, custom_fmt_cb, at[0],
+						 VSTR_TYPE_FMT_END);
 			break;
 		case 2:
-			vstr_fmt_add(conf, handler->name, custom_fmt_cb, at[0], at[1], VSTR_TYPE_FMT_END);
+			vstr_fmt_add(conf, handler->name, custom_fmt_cb, at[0],
+						 at[1], VSTR_TYPE_FMT_END);
 			break;
 		case 3:
-			vstr_fmt_add(conf, handler->name, custom_fmt_cb, at[0], at[1], at[2], VSTR_TYPE_FMT_END);
+			vstr_fmt_add(conf, handler->name, custom_fmt_cb, at[0],
+						 at[1], at[2], VSTR_TYPE_FMT_END);
 			break;
 	}
 }
@@ -193,7 +204,7 @@ static void vstr_fmt_add_handler(Vstr_conf *conf, printf_hook_handler_t *handler
  */
 #include <threading/thread_value.h>
 
-static thread_value_t *vstr_conf;
+static thread_value_t *vstr_conf = NULL;
 
 static Vstr_conf *create_vstr_conf()
 {
@@ -216,12 +227,15 @@ static Vstr_conf *create_vstr_conf()
 
 static inline Vstr_conf *get_vstr_conf()
 {
-	Vstr_conf *conf;
-	conf = (Vstr_conf*)vstr_conf->get(vstr_conf);
-	if (!conf)
+	Vstr_conf *conf = NULL;
+	if (vstr_conf)
 	{
-		conf = create_vstr_conf();
-		vstr_conf->set(vstr_conf, conf);
+		conf = (Vstr_conf*)vstr_conf->get(vstr_conf);
+		if (!conf)
+		{
+			conf = create_vstr_conf();
+			vstr_conf->set(vstr_conf, conf);
+		}
 	}
 	return conf;
 }
@@ -265,11 +279,20 @@ int vstr_wrapper_snprintf(char *str, size_t size, const char *format, ...)
 	va_end(args);
 	return written;
 }
-static inline int vstr_wrapper_vprintf_internal(int fd, const char *format,
+int vstr_wrapper_asprintf(char **str, const char *format, ...)
+{
+	int written;
+	va_list args;
+	va_start(args, format);
+	written = vstr_wrapper_vasprintf(str, format, args);
+	va_end(args);
+	return written;
+}
+static inline int vstr_wrapper_vprintf_internal(Vstr_conf *conf, int fd,
+												const char *format,
 												va_list args)
 {
 	int written;
-	Vstr_conf *conf = get_vstr_conf();
 	Vstr_base *s = vstr_make_base(conf);
 	vstr_add_vfmt(s, 0, format, args);
 	written = s->len;
@@ -289,24 +312,39 @@ static inline int vstr_wrapper_vprintf_internal(int fd, const char *format,
 }
 int vstr_wrapper_vprintf(const char *format, va_list args)
 {
-	return vstr_wrapper_vprintf_internal(STDOUT_FILENO, format, args);
+	Vstr_conf *conf = get_vstr_conf();
+	if (conf)
+	{
+		return vstr_wrapper_vprintf_internal(conf, STDOUT_FILENO, format, args);
+	}
+	return vprintf(format, args);
 }
 int vstr_wrapper_vfprintf(FILE *stream, const char *format, va_list args)
 {
-	return vstr_wrapper_vprintf_internal(fileno(stream), format, args);
+	Vstr_conf *conf = get_vstr_conf();
+	if (conf)
+	{
+		return vstr_wrapper_vprintf_internal(conf, fileno(stream), format,
+											 args);
+	}
+	return vfprintf(stream, format, args);
 }
 static inline int vstr_wrapper_vsnprintf_internal(char *str, size_t size,
 												  const char *format,
 												  va_list args)
 {
-	int written;
 	Vstr_conf *conf = get_vstr_conf();
-	Vstr_base *s = vstr_make_base(conf);
-	vstr_add_vfmt(s, 0, format, args);
-	written = s->len;
-	vstr_export_cstr_buf(s, 1, s->len, str, (size > 0) ? size : s->len + 1);
-	vstr_free_base(s);
-	return written;
+	if (conf)
+	{
+		int written;
+		Vstr_base *s = vstr_make_base(conf);
+		vstr_add_vfmt(s, 0, format, args);
+		written = s->len;
+		vstr_export_cstr_buf(s, 1, s->len, str, (size > 0) ? size : s->len + 1);
+		vstr_free_base(s);
+		return written;
+	}
+	return vsnprintf(str, size, format, args);
 }
 int vstr_wrapper_vsprintf(char *str, const char *format, va_list args)
 {
@@ -317,7 +355,26 @@ int vstr_wrapper_vsnprintf(char *str, size_t size, const char *format,
 {
 	return (size > 0) ? vstr_wrapper_vsnprintf_internal(str, size, format, args) : 0;
 }
-
+int vstr_wrapper_vasprintf(char **str, const char *format, va_list args)
+{
+	size_t len = 100;
+	int written;
+	*str = malloc(len);
+	while (TRUE)
+	{
+		va_list ac;
+		va_copy(ac, args);
+		written = vstr_wrapper_vsnprintf_internal(*str, len, format, ac);
+		va_end(ac);
+		if (written < len)
+		{
+			break;
+		}
+		len = written + 1;
+		*str = realloc(*str, len);
+	}
+	return written;
+}
 #endif
 
 /**
@@ -408,6 +465,7 @@ static void destroy(private_printf_hook_t *this)
 #ifdef USE_VSTR
 	/* freeing the Vstr_conf of the main thread */
 	vstr_conf->destroy(vstr_conf);
+	vstr_conf = NULL;
 	vstr_free_conf(conf);
 	vstr_exit();
 #endif
diff --git a/src/libstrongswan/printf_hook.h b/src/libstrongswan/printf_hook.h
index ce7e10b24..11fd66ce9 100644
--- a/src/libstrongswan/printf_hook.h
+++ b/src/libstrongswan/printf_hook.h
@@ -58,21 +58,25 @@ int vstr_wrapper_printf(const char *format, ...);
 int vstr_wrapper_fprintf(FILE *stream, const char *format, ...);
 int vstr_wrapper_sprintf(char *str, const char *format, ...);
 int vstr_wrapper_snprintf(char *str, size_t size, const char *format, ...);
+int vstr_wrapper_asprintf(char **str, const char *format, ...);
 
 int vstr_wrapper_vprintf(const char *format, va_list ap);
 int vstr_wrapper_vfprintf(FILE *stream, const char *format, va_list ap);
 int vstr_wrapper_vsprintf(char *str, const char *format, va_list ap);
 int vstr_wrapper_vsnprintf(char *str, size_t size, const char *format, va_list ap);
+int vstr_wrapper_vasprintf(char **str, const char *format, va_list ap);
 
 #define printf vstr_wrapper_printf
 #define fprintf vstr_wrapper_fprintf
 #define sprintf vstr_wrapper_sprintf
 #define snprintf vstr_wrapper_snprintf
+#define asprintf vstr_wrapper_asprintf
 
 #define vprintf vstr_wrapper_vprintf
 #define vfprintf vstr_wrapper_vfprintf
 #define vsprintf vstr_wrapper_vsprintf
 #define vsnprintf vstr_wrapper_vsnprintf
+#define vasprintf vstr_wrapper_vasprintf
 
 #endif
 
@@ -83,7 +87,7 @@ int vstr_wrapper_vsnprintf(char *str, size_t size, const char *format, va_list a
  * @param len		length of the buffer
  * @param spec		format specifier
  * @param args		arguments array
- * @return 			number of characters written
+ * @return			number of characters written
  */
 typedef int (*printf_hook_function_t)(char *dst, size_t len,
 									  printf_hook_spec_t *spec,
diff --git a/src/libstrongswan/processing/jobs/callback_job.c b/src/libstrongswan/processing/jobs/callback_job.c
new file mode 100644
index 000000000..556cbd907
--- /dev/null
+++ b/src/libstrongswan/processing/jobs/callback_job.c
@@ -0,0 +1,271 @@
+/*
+ * Copyright (C) 2009 Tobias Brunner
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "callback_job.h"
+
+#include <semaphore.h>
+
+#include <threading/thread.h>
+#include <threading/condvar.h>
+#include <threading/mutex.h>
+#include <utils/linked_list.h>
+
+typedef struct private_callback_job_t private_callback_job_t;
+
+/**
+ * Private data of an callback_job_t Object.
+ */
+struct private_callback_job_t {
+	/**
+	 * Public callback_job_t interface.
+	 */
+	callback_job_t public;
+
+	/**
+	 * Callback to call on execution
+	 */
+	callback_job_cb_t callback;
+
+	/**
+	 * parameter to supply to callback
+	 */
+	void *data;
+
+	/**
+	 * cleanup function for data
+	 */
+	callback_job_cleanup_t cleanup;
+
+	/**
+	 * thread of the job, if running
+	 */
+	thread_t *thread;
+
+	/**
+	 * mutex to access jobs interna
+	 */
+	mutex_t *mutex;
+
+	/**
+	 * list of asociated child jobs
+	 */
+	linked_list_t *children;
+
+	/**
+	 * parent of this job, or NULL
+	 */
+	private_callback_job_t *parent;
+
+	/**
+	 * TRUE if the job got cancelled
+	 */
+	bool cancelled;
+
+	/**
+	 * condvar to synchronize the cancellation/destruction of the job
+	 */
+	condvar_t *destroyable;
+
+	/**
+	 * semaphore to synchronize the termination of the assigned thread.
+	 *
+	 * separately allocated during cancellation, so that we can wait on it
+	 * without risking that it gets freed too early during destruction.
+	 */
+	sem_t *terminated;
+};
+
+/**
+ * unregister a child from its parent, if any.
+ * note: this->mutex has to be locked
+ */
+static void unregister(private_callback_job_t *this)
+{
+	if (this->parent)
+	{
+		this->parent->mutex->lock(this->parent->mutex);
+		if (this->parent->cancelled && !this->cancelled)
+		{
+			/* if the parent has been cancelled but we have not yet, we do not
+			 * unregister until we got cancelled by the parent. */
+			this->parent->mutex->unlock(this->parent->mutex);
+			this->destroyable->wait(this->destroyable, this->mutex);
+			this->parent->mutex->lock(this->parent->mutex);
+		}
+		this->parent->children->remove(this->parent->children, this, NULL);
+		this->parent->mutex->unlock(this->parent->mutex);
+		this->parent = NULL;
+	}
+}
+
+/**
+ * Implements job_t.destroy.
+ */
+static void destroy(private_callback_job_t *this)
+{
+	this->mutex->lock(this->mutex);
+	unregister(this);
+	if (this->cleanup)
+	{
+		this->cleanup(this->data);
+	}
+	if (this->terminated)
+	{
+		sem_post(this->terminated);
+	}
+	this->children->destroy(this->children);
+	this->destroyable->destroy(this->destroyable);
+	this->mutex->unlock(this->mutex);
+	this->mutex->destroy(this->mutex);
+	free(this);
+}
+
+/**
+ * Implementation of callback_job_t.cancel.
+ */
+static void cancel(private_callback_job_t *this)
+{
+	callback_job_t *child;
+	sem_t *terminated = NULL;
+
+	this->mutex->lock(this->mutex);
+	this->cancelled = TRUE;
+	/* terminate children */
+	while (this->children->get_first(this->children, (void**)&child) == SUCCESS)
+	{
+		this->mutex->unlock(this->mutex);
+		child->cancel(child);
+		this->mutex->lock(this->mutex);
+	}
+	if (this->thread)
+	{
+		/* terminate the thread, if there is currently one executing the job.
+		 * we wait for its termination using a semaphore */
+		this->thread->cancel(this->thread);
+		terminated = this->terminated = malloc_thing(sem_t);
+		sem_init(terminated, 0, 0);
+	}
+	else
+	{
+		/* if the job is currently queued, it gets terminated later.
+		 * we can't wait, because it might not get executed at all.
+		 * we also unregister the queued job manually from its parent (the
+		 * others get unregistered during destruction) */
+		unregister(this);
+	}
+	this->destroyable->signal(this->destroyable);
+	this->mutex->unlock(this->mutex);
+
+	if (terminated)
+	{
+		sem_wait(terminated);
+		sem_destroy(terminated);
+		free(terminated);
+	}
+}
+
+/**
+ * Implementation of job_t.execute.
+ */
+static void execute(private_callback_job_t *this)
+{
+	bool cleanup = FALSE, requeue = FALSE;
+
+	thread_cleanup_push((thread_cleanup_t)destroy, this);
+
+	this->mutex->lock(this->mutex);
+	this->thread = thread_current();
+	this->mutex->unlock(this->mutex);
+
+	while (TRUE)
+	{
+		this->mutex->lock(this->mutex);
+		if (this->cancelled)
+		{
+			this->mutex->unlock(this->mutex);
+			cleanup = TRUE;
+			break;
+		}
+		this->mutex->unlock(this->mutex);
+		switch (this->callback(this->data))
+		{
+			case JOB_REQUEUE_DIRECT:
+				continue;
+			case JOB_REQUEUE_FAIR:
+			{
+				requeue = TRUE;
+				break;
+			}
+			case JOB_REQUEUE_NONE:
+			default:
+			{
+				cleanup = TRUE;
+				break;
+			}
+		}
+		break;
+	}
+	this->mutex->lock(this->mutex);
+	this->thread = NULL;
+	this->mutex->unlock(this->mutex);
+	/* manually create a cancellation point to avoid that a cancelled thread
+	 * goes back into the thread pool */
+	thread_cancellation_point();
+	if (requeue)
+	{
+		lib->processor->queue_job(lib->processor,
+								  &this->public.job_interface);
+	}
+	thread_cleanup_pop(cleanup);
+}
+
+/*
+ * Described in header.
+ */
+callback_job_t *callback_job_create(callback_job_cb_t cb, void *data,
+									callback_job_cleanup_t cleanup,
+									callback_job_t *parent)
+{
+	private_callback_job_t *this = malloc_thing(private_callback_job_t);
+
+	/* interface functions */
+	this->public.job_interface.execute = (void (*) (job_t *)) execute;
+	this->public.job_interface.destroy = (void (*) (job_t *)) destroy;
+	this->public.cancel = (void(*)(callback_job_t*))cancel;
+
+	/* private variables */
+	this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
+	this->callback = cb;
+	this->data = data;
+	this->cleanup = cleanup;
+	this->thread = 0;
+	this->children = linked_list_create();
+	this->parent = (private_callback_job_t*)parent;
+	this->cancelled = FALSE;
+	this->destroyable = condvar_create(CONDVAR_TYPE_DEFAULT);
+	this->terminated = NULL;
+
+	/* register us at parent */
+	if (parent)
+	{
+		this->parent->mutex->lock(this->parent->mutex);
+		this->parent->children->insert_last(this->parent->children, this);
+		this->parent->mutex->unlock(this->parent->mutex);
+	}
+
+	return &this->public;
+}
+
diff --git a/src/libstrongswan/processing/jobs/callback_job.h b/src/libstrongswan/processing/jobs/callback_job.h
new file mode 100644
index 000000000..62da1edd1
--- /dev/null
+++ b/src/libstrongswan/processing/jobs/callback_job.h
@@ -0,0 +1,118 @@
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup callback_job callback_job
+ * @{ @ingroup jobs
+ */
+
+#ifndef CALLBACK_JOB_H_
+#define CALLBACK_JOB_H_
+
+typedef struct callback_job_t callback_job_t;
+
+#include <library.h>
+#include <processing/jobs/job.h>
+
+
+typedef enum job_requeue_t job_requeue_t;
+
+/**
+ * Job requeueing policy
+ *
+ * The job requeueing policy defines how a job is handled when the callback
+ * function returns.
+ */
+enum job_requeue_t {
+
+	/**
+	 * Do not requeue job, destroy it
+	 */
+	JOB_REQUEUE_NONE,
+
+	/**
+	 * Reque the job fairly, meaning it has to requeue as any other job
+	 */
+	JOB_REQUEUE_FAIR,
+
+	/**
+	 * Reexecute the job directly, without the need of requeueing it
+	 */
+	JOB_REQUEUE_DIRECT,
+};
+
+/**
+ * The callback function to use for the callback job.
+ *
+ * This is the function to use as callback for a callback job. It receives
+ * a parameter supplied to the callback jobs constructor.
+ *
+ * @param data			param supplied to job
+ * @return				requeing policy how to requeue the job
+ */
+typedef job_requeue_t (*callback_job_cb_t)(void *data);
+
+/**
+ * Cleanup function to use for data cleanup.
+ *
+ * The callback has an optional user argument which receives data. However,
+ * this data may be cleaned up if it is allocated. This is the function
+ * to supply to the constructor.
+ *
+ * @param data			param supplied to job
+ * @return				requeing policy how to requeue the job
+ */
+typedef void (*callback_job_cleanup_t)(void *data);
+
+/**
+ * Class representing an callback Job.
+ *
+ * This is a special job which allows a simple callback function to
+ * be executed by a thread of the thread pool. This allows simple execution
+ * of asynchronous methods, without to manage threads.
+ */
+struct callback_job_t {
+	/**
+	 * The job_t interface.
+	 */
+	job_t job_interface;
+
+	/**
+	 * Cancel the job's thread and wait for its termination. This only works
+	 * reliably for jobs that always use JOB_REQUEUE_FAIR or JOB_REQUEUE_DIRECT,
+	 * otherwise the job may already be destroyed when cancel is called. */
+	void (*cancel)(callback_job_t *this);
+};
+
+/**
+ * Creates a callback job.
+ *
+ * The cleanup function is called when the job gets destroyed to destroy
+ * the associated data.
+ * If parent is not NULL, the specified job gets an association. Whenever
+ * the parent gets cancelled (or runs out), all of its children are cancelled,
+ * too.
+ *
+ * @param cb				callback to call from the processor
+ * @param data				user data to supply to callback
+ * @param cleanup			destructor for data on destruction, or NULL
+ * @param parent			parent of this job
+ * @return					callback_job_t object
+ */
+callback_job_t *callback_job_create(callback_job_cb_t cb, void *data,
+									callback_job_cleanup_t cleanup,
+									callback_job_t *parent);
+
+#endif /** CALLBACK_JOB_H_ @}*/
diff --git a/src/libstrongswan/processing/jobs/job.h b/src/libstrongswan/processing/jobs/job.h
new file mode 100644
index 000000000..0f1c16ebe
--- /dev/null
+++ b/src/libstrongswan/processing/jobs/job.h
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup job job
+ * @{ @ingroup jobs
+ */
+
+#ifndef JOB_H_
+#define JOB_H_
+
+typedef struct job_t job_t;
+
+#include <library.h>
+
+/**
+ * Job-Interface as it is stored in the job queue.
+ */
+struct job_t {
+
+	/**
+	 * Execute a job.
+	 *
+	 * The processing facility executes a job using this method. Jobs are
+	 * one-shot, they destroy themself after execution, so don't use a job
+	 * once it has been executed.
+	 */
+	void (*execute) (job_t *this);
+
+	/**
+	 * Destroy a job.
+	 *
+	 * Is only called whenever a job was not executed (e.g. due daemon shutdown).
+	 * After execution, jobs destroy themself.
+	 */
+	void (*destroy) (job_t *job);
+};
+
+#endif /** JOB_H_ @}*/
diff --git a/src/libstrongswan/processing/processor.c b/src/libstrongswan/processing/processor.c
new file mode 100644
index 000000000..2a44f61e8
--- /dev/null
+++ b/src/libstrongswan/processing/processor.c
@@ -0,0 +1,273 @@
+/*
+ * Copyright (C) 2005-2007 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+
+#include "processor.h"
+
+#include <debug.h>
+#include <threading/thread.h>
+#include <threading/condvar.h>
+#include <threading/mutex.h>
+#include <utils/linked_list.h>
+
+
+typedef struct private_processor_t private_processor_t;
+
+/**
+ * Private data of processor_t class.
+ */
+struct private_processor_t {
+	/**
+	 * Public processor_t interface.
+	 */
+	processor_t public;
+
+	/**
+	 * Number of running threads
+	 */
+	u_int total_threads;
+
+	/**
+	 * Desired number of threads
+	 */
+	u_int desired_threads;
+
+	/**
+	 * Number of threads waiting for work
+	 */
+	u_int idle_threads;
+
+	/**
+	 * All threads managed in the pool (including threads that have been
+	 * cancelled, this allows to join them during destruction)
+	 */
+	linked_list_t *threads;
+
+	/**
+	 * The jobs are stored in a linked list
+	 */
+	linked_list_t *list;
+
+	/**
+	 * access to linked_list is locked through this mutex
+	 */
+	mutex_t *mutex;
+
+	/**
+	 * Condvar to wait for new jobs
+	 */
+	condvar_t *job_added;
+
+	/**
+	 * Condvar to wait for terminated threads
+	 */
+	condvar_t *thread_terminated;
+};
+
+static void process_jobs(private_processor_t *this);
+
+/**
+ * restart a terminated thread
+ */
+static void restart(private_processor_t *this)
+{
+	thread_t *thread;
+
+	DBG2(DBG_JOB, "terminated worker thread, ID: %u", thread_current_id());
+
+	/* respawn thread if required */
+	this->mutex->lock(this->mutex);
+	if (this->desired_threads < this->total_threads ||
+		(thread = thread_create((thread_main_t)process_jobs, this)) == NULL)
+	{
+		this->total_threads--;
+		this->thread_terminated->signal(this->thread_terminated);
+	}
+	else
+	{
+		this->threads->insert_last(this->threads, thread);
+	}
+	this->mutex->unlock(this->mutex);
+}
+
+/**
+ * Process queued jobs, called by the worker threads
+ */
+static void process_jobs(private_processor_t *this)
+{
+	/* worker threads are not cancellable by default */
+	thread_cancelability(FALSE);
+
+	DBG2(DBG_JOB, "started worker thread, ID: %u", thread_current_id());
+
+	this->mutex->lock(this->mutex);
+	while (this->desired_threads >= this->total_threads)
+	{
+		job_t *job;
+
+		if (this->list->get_count(this->list) == 0)
+		{
+			this->idle_threads++;
+			this->job_added->wait(this->job_added, this->mutex);
+			this->idle_threads--;
+			continue;
+		}
+		this->list->remove_first(this->list, (void**)&job);
+		this->mutex->unlock(this->mutex);
+		/* terminated threads are restarted, so we have a constant pool */
+		thread_cleanup_push((thread_cleanup_t)restart, this);
+		job->execute(job);
+		thread_cleanup_pop(FALSE);
+		this->mutex->lock(this->mutex);
+	}
+	this->mutex->unlock(this->mutex);
+	restart(this);
+}
+
+/**
+ * Implementation of processor_t.get_total_threads.
+ */
+static u_int get_total_threads(private_processor_t *this)
+{
+	u_int count;
+	this->mutex->lock(this->mutex);
+	count = this->total_threads;
+	this->mutex->unlock(this->mutex);
+	return count;
+}
+
+/**
+ * Implementation of processor_t.get_idle_threads.
+ */
+static u_int get_idle_threads(private_processor_t *this)
+{
+	u_int count;
+	this->mutex->lock(this->mutex);
+	count = this->idle_threads;
+	this->mutex->unlock(this->mutex);
+	return count;
+}
+
+/**
+ * implements processor_t.get_job_load
+ */
+static u_int get_job_load(private_processor_t *this)
+{
+	u_int load;
+	this->mutex->lock(this->mutex);
+	load = this->list->get_count(this->list);
+	this->mutex->unlock(this->mutex);
+	return load;
+}
+
+/**
+ * implements function processor_t.queue_job
+ */
+static void queue_job(private_processor_t *this, job_t *job)
+{
+	this->mutex->lock(this->mutex);
+	this->list->insert_last(this->list, job);
+	this->job_added->signal(this->job_added);
+	this->mutex->unlock(this->mutex);
+}
+
+/**
+ * Implementation of processor_t.set_threads.
+ */
+static void set_threads(private_processor_t *this, u_int count)
+{
+	this->mutex->lock(this->mutex);
+	if (count > this->total_threads)
+	{	/* increase thread count */
+		int i;
+		thread_t *current;
+
+		this->desired_threads = count;
+		DBG1(DBG_JOB, "spawning %d worker threads", count - this->total_threads);
+		for (i = this->total_threads; i < count; i++)
+		{
+			current = thread_create((thread_main_t)process_jobs, this);
+			if (current)
+			{
+				this->threads->insert_last(this->threads, current);
+				this->total_threads++;
+			}
+		}
+	}
+	else if (count < this->total_threads)
+	{	/* decrease thread count */
+		this->desired_threads = count;
+	}
+	this->job_added->broadcast(this->job_added);
+	this->mutex->unlock(this->mutex);
+}
+
+/**
+ * Implementation of processor_t.destroy.
+ */
+static void destroy(private_processor_t *this)
+{
+	thread_t *current;
+	set_threads(this, 0);
+	this->mutex->lock(this->mutex);
+	while (this->total_threads > 0)
+	{
+		this->job_added->broadcast(this->job_added);
+		this->thread_terminated->wait(this->thread_terminated, this->mutex);
+	}
+	while (this->threads->remove_first(this->threads,
+									   (void**)&current) == SUCCESS)
+	{
+		current->join(current);
+	}
+	this->mutex->unlock(this->mutex);
+	this->thread_terminated->destroy(this->thread_terminated);
+	this->job_added->destroy(this->job_added);
+	this->mutex->destroy(this->mutex);
+	this->list->destroy_offset(this->list, offsetof(job_t, destroy));
+	this->threads->destroy(this->threads);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+processor_t *processor_create(size_t pool_size)
+{
+	private_processor_t *this = malloc_thing(private_processor_t);
+
+	this->public.get_total_threads = (u_int(*)(processor_t*))get_total_threads;
+	this->public.get_idle_threads = (u_int(*)(processor_t*))get_idle_threads;
+	this->public.get_job_load = (u_int(*)(processor_t*))get_job_load;
+	this->public.queue_job = (void(*)(processor_t*, job_t*))queue_job;
+	this->public.set_threads = (void(*)(processor_t*, u_int))set_threads;
+	this->public.destroy = (void(*)(processor_t*))destroy;
+
+	this->list = linked_list_create();
+	this->threads = linked_list_create();
+	this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
+	this->job_added = condvar_create(CONDVAR_TYPE_DEFAULT);
+	this->thread_terminated = condvar_create(CONDVAR_TYPE_DEFAULT);
+	this->total_threads = 0;
+	this->desired_threads = 0;
+	this->idle_threads = 0;
+
+	return &this->public;
+}
+
diff --git a/src/libstrongswan/processing/processor.h b/src/libstrongswan/processing/processor.h
new file mode 100644
index 000000000..bebbe3a15
--- /dev/null
+++ b/src/libstrongswan/processing/processor.h
@@ -0,0 +1,94 @@
+/*
+ * Copyright (C) 2005-2007 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup processor processor
+ * @{ @ingroup processing
+ */
+
+#ifndef PROCESSOR_H_
+#define PROCESSOR_H_
+
+typedef struct processor_t processor_t;
+
+#include <stdlib.h>
+
+#include <library.h>
+#include <processing/jobs/job.h>
+
+/**
+ * The processor uses threads to process queued jobs.
+ */
+struct processor_t {
+
+	/**
+	 * Get the total number of threads used by the processor.
+	 *
+	 * @return				size of thread pool
+	 */
+	u_int (*get_total_threads) (processor_t *this);
+
+	/**
+	 * Get the number of threads currently waiting.
+	 *
+	 * @return				number of idle threads
+	 */
+	u_int (*get_idle_threads) (processor_t *this);
+
+	/**
+	 * Get the number of queued jobs.
+	 *
+	 * @return				number of items in queue
+	 */
+	u_int (*get_job_load) (processor_t *this);
+
+	/**
+	 * Adds a job to the queue.
+	 *
+	 * This function is non blocking and adds a job_t to the queue.
+	 *
+	 * @param job			job to add to the queue
+	 */
+	void (*queue_job) (processor_t *this, job_t *job);
+
+	/**
+	 * Set the number of threads to use in the processor.
+	 *
+	 * If the number of threads is smaller than number of currently running
+	 * threads, thread count is decreased. Use 0 to disable the processor.
+	 * This call blocks if it decreases thread count until threads have
+	 * terminated, so make sure there are not too many blocking jobs.
+	 *
+	 * @param count			number of threads to allocate
+	 */
+	void (*set_threads)(processor_t *this, u_int count);
+
+	/**
+	 * Destroy a processor object.
+	 */
+	void (*destroy) (processor_t *processor);
+};
+
+/**
+ * Create the thread pool without any threads.
+ *
+ * Use the set_threads method to start processing jobs.
+ *
+ * @return					processor_t object
+ */
+processor_t *processor_create();
+
+#endif /** PROCESSOR_H_ @}*/
diff --git a/src/libstrongswan/processing/scheduler.c b/src/libstrongswan/processing/scheduler.c
new file mode 100644
index 000000000..e23f04598
--- /dev/null
+++ b/src/libstrongswan/processing/scheduler.c
@@ -0,0 +1,358 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <stdlib.h>
+
+#include "scheduler.h"
+
+#include <debug.h>
+#include <processing/processor.h>
+#include <processing/jobs/callback_job.h>
+#include <threading/thread.h>
+#include <threading/condvar.h>
+#include <threading/mutex.h>
+
+/* the initial size of the heap */
+#define HEAP_SIZE_DEFAULT 64
+
+typedef struct event_t event_t;
+
+/**
+ * Event containing a job and a schedule time
+ */
+struct event_t {
+	/**
+	 * Time to fire the event.
+	 */
+	timeval_t time;
+
+	/**
+	 * Every event has its assigned job.
+	 */
+	job_t *job;
+};
+
+/**
+ * destroy an event and its job
+ */
+static void event_destroy(event_t *event)
+{
+	event->job->destroy(event->job);
+	free(event);
+}
+
+typedef struct private_scheduler_t private_scheduler_t;
+
+/**
+ * Private data of a scheduler_t object.
+ */
+struct private_scheduler_t {
+
+	/**
+	 * Public part of a scheduler_t object.
+	 */
+	 scheduler_t public;
+
+	/**
+	 * Job which queues scheduled jobs to the processor.
+	 */
+	callback_job_t *job;
+
+	/**
+	 * The heap in which the events are stored.
+	 */
+	event_t **heap;
+
+	/**
+	 * The size of the heap.
+	 */
+	u_int heap_size;
+
+	/**
+	 * The number of scheduled events.
+	 */
+	u_int event_count;
+
+	/**
+	 * Exclusive access to list
+	 */
+	mutex_t *mutex;
+
+	/**
+	 * Condvar to wait for next job.
+	 */
+	condvar_t *condvar;
+};
+
+/**
+ * Comparse two timevals, return >0 if a > b, <0 if a < b and =0 if equal
+ */
+static int timeval_cmp(timeval_t *a, timeval_t *b)
+{
+	if (a->tv_sec > b->tv_sec)
+	{
+		return 1;
+	}
+	if (a->tv_sec < b->tv_sec)
+	{
+		return -1;
+	}
+	if (a->tv_usec > b->tv_usec)
+	{
+		return 1;
+	}
+	if (a->tv_usec < b->tv_usec)
+	{
+		return -1;
+	}
+	return 0;
+}
+
+/**
+ * Returns the top event without removing it. Returns NULL if the heap is empty.
+ */
+static event_t *peek_event(private_scheduler_t *this)
+{
+	return this->event_count > 0 ? this->heap[1] : NULL;
+}
+
+/**
+ * Removes the top event from the heap and returns it. Returns NULL if the heap
+ * is empty.
+ */
+static event_t *remove_event(private_scheduler_t *this)
+{
+	event_t *event, *top;
+	if (!this->event_count)
+	{
+		return NULL;
+	}
+
+	/* store the value to return */
+	event = this->heap[1];
+	/* move the bottom event to the top */
+	top = this->heap[1] = this->heap[this->event_count];
+
+	if (--this->event_count > 1)
+	{
+		/* seep down the top event */
+		u_int position = 1;
+		while ((position << 1) <= this->event_count)
+		{
+			u_int child = position << 1;
+
+			if ((child + 1) <= this->event_count &&
+				timeval_cmp(&this->heap[child + 1]->time,
+							&this->heap[child]->time) < 0)
+			{
+				/* the "right" child is smaller */
+				child++;
+			}
+
+			if (timeval_cmp(&top->time, &this->heap[child]->time) <= 0)
+			{
+				/* the top event fires before the smaller of the two children,
+				 * stop */
+				break;
+			}
+
+			/* swap with the smaller child */
+			this->heap[position] = this->heap[child];
+			position = child;
+		}
+		this->heap[position] = top;
+	}
+	return event;
+}
+
+/**
+ * Get events from the queue and pass it to the processor
+ */
+static job_requeue_t schedule(private_scheduler_t * this)
+{
+	timeval_t now;
+	event_t *event;
+	bool timed = FALSE, oldstate;
+
+	this->mutex->lock(this->mutex);
+
+	time_monotonic(&now);
+
+	if ((event = peek_event(this)) != NULL)
+	{
+		if (timeval_cmp(&now, &event->time) >= 0)
+		{
+			remove_event(this);
+			this->mutex->unlock(this->mutex);
+			DBG2(DBG_JOB, "got event, queuing job for execution");
+			lib->processor->queue_job(lib->processor, event->job);
+			free(event);
+			return JOB_REQUEUE_DIRECT;
+		}
+		timersub(&event->time, &now, &now);
+		if (now.tv_sec)
+		{
+			DBG2(DBG_JOB, "next event in %ds %dms, waiting",
+				 now.tv_sec, now.tv_usec/1000);
+		}
+		else
+		{
+			DBG2(DBG_JOB, "next event in %dms, waiting", now.tv_usec/1000);
+		}
+		timed = TRUE;
+	}
+	thread_cleanup_push((thread_cleanup_t)this->mutex->unlock, this->mutex);
+	oldstate = thread_cancelability(TRUE);
+
+	if (timed)
+	{
+		this->condvar->timed_wait_abs(this->condvar, this->mutex, event->time);
+	}
+	else
+	{
+		DBG2(DBG_JOB, "no events, waiting");
+		this->condvar->wait(this->condvar, this->mutex);
+	}
+	thread_cancelability(oldstate);
+	thread_cleanup_pop(TRUE);
+	return JOB_REQUEUE_DIRECT;
+}
+
+/**
+ * Implements scheduler_t.get_job_load
+ */
+static u_int get_job_load(private_scheduler_t *this)
+{
+	int count;
+	this->mutex->lock(this->mutex);
+	count = this->event_count;
+	this->mutex->unlock(this->mutex);
+	return count;
+}
+
+/**
+ * Implements scheduler_t.schedule_job_tv.
+ */
+static void schedule_job_tv(private_scheduler_t *this, job_t *job, timeval_t tv)
+{
+	event_t *event;
+	u_int position;
+
+	event = malloc_thing(event_t);
+	event->job = job;
+	event->time = tv;
+
+	this->mutex->lock(this->mutex);
+
+	this->event_count++;
+	if (this->event_count > this->heap_size)
+	{
+		/* double the size of the heap */
+		this->heap_size <<= 1;
+		this->heap = (event_t**)realloc(this->heap,
+									(this->heap_size + 1) * sizeof(event_t*));
+	}
+	/* "put" the event to the bottom */
+	position = this->event_count;
+
+	/* then bubble it up */
+	while (position > 1 && timeval_cmp(&this->heap[position >> 1]->time,
+									   &event->time) > 0)
+	{
+		/* parent has to be fired after the new event, move up */
+		this->heap[position] = this->heap[position >> 1];
+		position >>= 1;
+	}
+	this->heap[position] = event;
+
+	this->condvar->signal(this->condvar);
+	this->mutex->unlock(this->mutex);
+}
+
+/**
+ * Implements scheduler_t.schedule_job.
+ */
+static void schedule_job(private_scheduler_t *this, job_t *job, u_int32_t s)
+{
+	timeval_t tv;
+
+	time_monotonic(&tv);
+	tv.tv_sec += s;
+
+	schedule_job_tv(this, job, tv);
+}
+
+/**
+ * Implements scheduler_t.schedule_job_ms.
+ */
+static void schedule_job_ms(private_scheduler_t *this, job_t *job, u_int32_t ms)
+{
+	timeval_t tv, add;
+
+	time_monotonic(&tv);
+	add.tv_sec = ms / 1000;
+	add.tv_usec = (ms % 1000) * 1000;
+
+	timeradd(&tv, &add, &tv);
+
+	schedule_job_tv(this, job, tv);
+}
+
+/**
+ * Implementation of scheduler_t.destroy.
+ */
+static void destroy(private_scheduler_t *this)
+{
+	event_t *event;
+	this->job->cancel(this->job);
+	this->condvar->destroy(this->condvar);
+	this->mutex->destroy(this->mutex);
+	while ((event = remove_event(this)) != NULL)
+	{
+		event_destroy(event);
+	}
+	free(this->heap);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+scheduler_t * scheduler_create()
+{
+	private_scheduler_t *this = malloc_thing(private_scheduler_t);
+
+	this->public.get_job_load = (u_int (*) (scheduler_t *this)) get_job_load;
+	this->public.schedule_job = (void (*) (scheduler_t *this, job_t *job, u_int32_t s)) schedule_job;
+	this->public.schedule_job_ms = (void (*) (scheduler_t *this, job_t *job, u_int32_t ms)) schedule_job_ms;
+	this->public.schedule_job_tv = (void (*) (scheduler_t *this, job_t *job, timeval_t tv)) schedule_job_tv;
+	this->public.destroy = (void(*)(scheduler_t*)) destroy;
+
+	/* Note: the root of the heap is at index 1 */
+	this->event_count = 0;
+	this->heap_size = HEAP_SIZE_DEFAULT;
+	this->heap = (event_t**)calloc(this->heap_size + 1, sizeof(event_t*));
+
+	this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
+	this->condvar = condvar_create(CONDVAR_TYPE_DEFAULT);
+
+	this->job = callback_job_create((callback_job_cb_t)schedule, this, NULL, NULL);
+	lib->processor->queue_job(lib->processor, (job_t*)this->job);
+
+	return &this->public;
+}
+
diff --git a/src/libstrongswan/processing/scheduler.h b/src/libstrongswan/processing/scheduler.h
new file mode 100644
index 000000000..f2c72550f
--- /dev/null
+++ b/src/libstrongswan/processing/scheduler.h
@@ -0,0 +1,130 @@
+/*
+ * Copyright (C) 2009 Tobias Brunner
+ * Copyright (C) 2005-2007 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup scheduler scheduler
+ * @{ @ingroup processing
+ */
+
+#ifndef SCHEDULER_H_
+#define SCHEDULER_H_
+
+typedef struct scheduler_t scheduler_t;
+
+#include <library.h>
+#include <processing/jobs/job.h>
+
+/**
+ * The scheduler queues timed events which are then passed to the processor.
+ *
+ * The scheduler is implemented as a heap. A heap is a special kind of tree-
+ * based data structure that satisfies the following property: if B is a child
+ * node of A, then key(A) >= (or <=) key(B). So either the element with the
+ * greatest (max-heap) or the smallest (min-heap) key is the root of the heap.
+ * We use a min-heap whith the key being the absolute unix time at which an
+ * event is scheduled. So the root is always the event that will fire next.
+ *
+ * An earlier implementation of the scheduler used a sorted linked list to store
+ * the events. That had the advantage that removing the next event was extremely
+ * fast, also, adding an event scheduled before or after all other events was
+ * equally fast (all in O(1)). The problem was, though, that adding an event
+ * in-between got slower, as the number of events grew larger (O(n)).
+ * For each connection there could be several events: IKE-rekey, NAT-keepalive,
+ * retransmissions, expire (half-open), and others. So a gateway that probably
+ * has to handle thousands of concurrent connnections has to be able to queue a
+ * large number of events as fast as possible. Locking makes this even worse, to
+ * provide thread-safety, no events can be processed, while an event is queued,
+ * so making the insertion fast is even more important.
+ *
+ * That's the advantage of the heap. Adding an element to the heap can be
+ * achieved in O(log n) - on the other hand, removing the root node also
+ * requires O(log n) operations. Consider 10000 queued events. Inserting a new
+ * event in the list implementation required up to 10000 comparisons. In the
+ * heap implementation, the worst case is about 13.3 comparisons. That's a
+ * drastic improvement.
+ *
+ * The implementation itself uses a binary tree mapped to a one-based array to
+ * store the elements. This reduces storage overhead and simplifies navigation:
+ * the children of the node at position n are at position 2n and 2n+1 (likewise
+ * the parent node of the node at position n is at position [n/2]). Thus,
+ * navigating up and down the tree is reduced to simple index computations.
+ *
+ * Adding an element to the heap works as follows: The heap is always filled
+ * from left to right, until a row is full, then the next row is filled. Mapped
+ * to an array this gets as simple as putting the new element to the first free
+ * position. In a one-based array that position equals the number of elements
+ * currently stored in the heap. Then the heap property has to be restored, i.e.
+ * the new element has to be "bubbled up" the tree until the parent node's key
+ * is smaller or the element got the new root of the tree.
+ *
+ * Removing the next event from the heap works similarly. The event itself is
+ * the root node and stored at position 1 of the array. After removing it, the
+ * root has to be replaced and the heap property has to be restored. This is
+ * done by moving the bottom element (last row, rightmost element) to the root
+ * and then "seep it down" by swapping it with child nodes until none of the
+ * children has a smaller key or it is again a leaf node.
+ */
+struct scheduler_t {
+
+	/**
+	 * Adds a event to the queue, using a relative time offset in s.
+	 *
+	 * @param job			job to schedule
+	 * @param time			relative time to schedule job, in s
+	 */
+	void (*schedule_job) (scheduler_t *this, job_t *job, u_int32_t s);
+
+	/**
+	 * Adds a event to the queue, using a relative time offset in ms.
+	 *
+	 * @param job			job to schedule
+	 * @param time			relative time to schedule job, in ms
+	 */
+	void (*schedule_job_ms) (scheduler_t *this, job_t *job, u_int32_t ms);
+
+	/**
+	 * Adds a event to the queue, using an absolut time.
+	 *
+	 * The passed timeval should be calculated based on the time_monotonic()
+	 * function.
+	 *
+	 * @param job			job to schedule
+	 * @param time			absolut time to schedule job
+	 */
+	void (*schedule_job_tv) (scheduler_t *this, job_t *job, timeval_t tv);
+
+	/**
+	 * Returns number of jobs scheduled.
+	 *
+	 * @return				number of scheduled jobs
+	 */
+	u_int (*get_job_load) (scheduler_t *this);
+
+	/**
+	 * Destroys a scheduler object.
+	 */
+	void (*destroy) (scheduler_t *this);
+};
+
+/**
+ * Create a scheduler.
+ *
+ * @return		scheduler_t object
+ */
+scheduler_t *scheduler_create(void);
+
+#endif /** SCHEDULER_H_ @}*/
diff --git a/src/libstrongswan/settings.c b/src/libstrongswan/settings.c
index 610e2b8ea..d85abb1df 100644
--- a/src/libstrongswan/settings.c
+++ b/src/libstrongswan/settings.c
@@ -88,11 +88,60 @@ struct kv_t {
 };
 
 /**
- * find a section by a given key
+ * Print a format key, but consume already processed arguments
  */
-static section_t *find_section(section_t *section, char *key, va_list args)
+static bool print_key(char *buf, int len, char *start, char *key, va_list args)
 {
-	char name[512], *pos;
+	va_list copy;
+	bool res;
+	char *pos;
+
+	va_copy(copy, args);
+	while (start < key)
+	{
+		pos = strchr(start, '%');
+		if (!pos)
+		{
+			start += strlen(start) + 1;
+			continue;
+		}
+		pos++;
+		switch (*pos)
+		{
+			case 'd':
+				va_arg(copy, int);
+				break;
+			case 's':
+				va_arg(copy, char*);
+				break;
+			case 'N':
+				va_arg(copy, enum_name_t*);
+				va_arg(copy, int);
+				break;
+			case '%':
+				break;
+			default:
+				DBG1(DBG_CFG, "settings with %%%c not supported!", *pos);
+				break;
+		}
+		start = pos;
+		if (*start)
+		{
+			start++;
+		}
+	}
+	res = vsnprintf(buf, len, key, copy) < len;
+	va_end(copy);
+	return res;
+}
+
+/**
+ * find a section by a given key, using buffered key, reusable buffer
+ */
+static section_t *find_section_buffered(section_t *section,
+					char *start, char *key, va_list args, char *buf, int len)
+{
+	char *pos;
 	enumerator_t *enumerator;
 	section_t *current, *found = NULL;
 
@@ -100,21 +149,20 @@ static section_t *find_section(section_t *section, char *key, va_list args)
 	{
 		return NULL;
 	}
-	if (vsnprintf(name, sizeof(name), key, args) >= sizeof(name))
-	{
-		return NULL;
-	}
-
-	pos = strchr(name, '.');
+	pos = strchr(key, '.');
 	if (pos)
 	{
 		*pos = '\0';
 		pos++;
 	}
+	if (!print_key(buf, len, start, key, args))
+	{
+		return NULL;
+	}
 	enumerator = section->sections->create_enumerator(section->sections);
 	while (enumerator->enumerate(enumerator, &current))
 	{
-		if (streq(current->name, name))
+		if (streq(current->name, buf))
 		{
 			found = current;
 			break;
@@ -123,37 +171,55 @@ static section_t *find_section(section_t *section, char *key, va_list args)
 	enumerator->destroy(enumerator);
 	if (found && pos)
 	{
-		return find_section(found, pos, args);
+		return find_section_buffered(found, start, pos, args, buf, len);
 	}
 	return found;
 }
 
-static char *find_value(section_t *section, char *key, va_list args)
+/**
+ * find a section by a given key
+ */
+static section_t *find_section(section_t *section, char *key, va_list args)
 {
-	char name[512], *pos, *value = NULL;
-	enumerator_t *enumerator;
-	kv_t *kv;
-	section_t *current, *found = NULL;
+	char buf[128], keybuf[512];
 
-	if (section == NULL)
+	if (snprintf(keybuf, sizeof(keybuf), "%s", key) >= sizeof(keybuf))
 	{
 		return NULL;
 	}
+	return find_section_buffered(section, keybuf, keybuf, args, buf, sizeof(buf));
+}
+
+/**
+ * Find the string value for a key, using buffered key, reusable buffer
+ */
+static char *find_value_buffered(section_t *section,
+					char *start, char *key, va_list args, char *buf, int len)
+{
+	char *pos, *value = NULL;
+	enumerator_t *enumerator;
+	kv_t *kv;
+	section_t *current, *found = NULL;
 
-	if (vsnprintf(name, sizeof(name), key, args) >= sizeof(name))
+	if (section == NULL)
 	{
 		return NULL;
 	}
 
-	pos = strchr(name, '.');
+	pos = strchr(key, '.');
 	if (pos)
 	{
 		*pos = '\0';
 		pos++;
+
+		if (!print_key(buf, len, start, key, args))
+		{
+			return NULL;
+		}
 		enumerator = section->sections->create_enumerator(section->sections);
 		while (enumerator->enumerate(enumerator, &current))
 		{
-			if (streq(current->name, name))
+			if (streq(current->name, buf))
 			{
 				found = current;
 				break;
@@ -162,15 +228,19 @@ static char *find_value(section_t *section, char *key, va_list args)
 		enumerator->destroy(enumerator);
 		if (found)
 		{
-			return find_value(found, pos, args);
+			return find_value_buffered(found, start, pos, args, buf, len);
 		}
 	}
 	else
 	{
+		if (!print_key(buf, len, start, key, args))
+		{
+			return NULL;
+		}
 		enumerator = section->kv->create_enumerator(section->kv);
 		while (enumerator->enumerate(enumerator, &kv))
 		{
-			if (streq(kv->key, name))
+			if (streq(kv->key, buf))
 			{
 				value = kv->value;
 				break;
@@ -181,6 +251,20 @@ static char *find_value(section_t *section, char *key, va_list args)
 	return value;
 }
 
+/**
+ * Find the string value for a key
+ */
+static char *find_value(section_t *section, char *key, va_list args)
+{
+	char buf[128], keybuf[512];
+
+	if (snprintf(keybuf, sizeof(keybuf), "%s", key) >= sizeof(keybuf))
+	{
+		return NULL;
+	}
+	return find_value_buffered(section, keybuf, keybuf, args, buf, sizeof(buf));
+}
+
 /**
  * Implementation of settings_t.get.
  */
diff --git a/src/libstrongswan/settings.h b/src/libstrongswan/settings.h
index f274fb33c..486de8def 100644
--- a/src/libstrongswan/settings.h
+++ b/src/libstrongswan/settings.h
@@ -49,8 +49,11 @@ typedef struct settings_t settings_t;
 	}
 	@endcode
  *
- * The values are accesses using the get() functions using dotted keys, e.g.
+ * The values are accessed using the get() functions using dotted keys, e.g.
  *   section-one.subsection.othervalue
+ *
+ * Currently only a limited set of printf format specifiers are supported
+ * (namely %s, %d and %N, see implementation for details).
  */
 struct settings_t {
 
diff --git a/src/libstrongswan/utils.c b/src/libstrongswan/utils.c
index 63958593d..b868d538d 100644
--- a/src/libstrongswan/utils.c
+++ b/src/libstrongswan/utils.c
@@ -28,7 +28,7 @@
 #include "enum.h"
 #include "debug.h"
 
-ENUM(status_names, SUCCESS, DESTROY_ME,
+ENUM(status_names, SUCCESS, NEED_MORE,
 	"SUCCESS",
 	"FAILED",
 	"OUT_OF_RES",
diff --git a/src/libstrongswan/utils.h b/src/libstrongswan/utils.h
index 04551835e..35d3bebd1 100644
--- a/src/libstrongswan/utils.h
+++ b/src/libstrongswan/utils.h
@@ -137,6 +137,28 @@
 	static const typeof(name) *_##name = (const typeof(name)*)name; \
 	static ret name(this, ##__VA_ARGS__)
 
+/**
+ * Architecture independent bitfield definition helpers (at least with GCC).
+ *
+ * Defines a bitfield with a type t and a fixed size of bitfield members, e.g.:
+ * BITFIELD2(u_int8_t,
+ *     low: 4,
+ *     high: 4,
+ * ) flags;
+ * The member defined first placed at bit 0.
+ */
+#if BYTE_ORDER == LITTLE_ENDIAN
+#define BITFIELD2(t, a, b,...)			struct { t a; t b; __VA_ARGS__}
+#define BITFIELD3(t, a, b, c,...)		struct { t a; t b; t c; __VA_ARGS__}
+#define BITFIELD4(t, a, b, c, d,...)	struct { t a; t b; t c; t d; __VA_ARGS__}
+#define BITFIELD5(t, a, b, c, d, e,...)	struct { t a; t b; t c; t d; t e; __VA_ARGS__}
+#elif BYTE_ORDER == BIG_ENDIAN
+#define BITFIELD2(t, a, b,...)			struct { t b; t a; __VA_ARGS__}
+#define BITFIELD3(t, a, b, c,...)		struct { t c; t b; t a; __VA_ARGS__}
+#define BITFIELD4(t, a, b, c, d,...)	struct { t d; t c; t b; t a; __VA_ARGS__}
+#define BITFIELD5(t, a, b, c, d, e,...)	struct { t e; t d; t c; t b; t a; __VA_ARGS__}
+#endif
+
 /**
  * Macro to allocate a sized type.
  */
diff --git a/src/libstrongswan/utils/identification.c b/src/libstrongswan/utils/identification.c
index 3caeb8f0e..0696c1030 100644
--- a/src/libstrongswan/utils/identification.c
+++ b/src/libstrongswan/utils/identification.c
@@ -930,7 +930,11 @@ identification_t *identification_create_from_string(char *string)
 				else
 				{	/* not IPv4, mostly FQDN */
 					this = identification_create(ID_FQDN);
-					this->encoded = chunk_create(strdup(string), strlen(string));
+					this->encoded.len = strlen(string);
+					if (this->encoded.len)
+					{
+						this->encoded.ptr = strdup(string);
+					}
 				}
 				return &this->public;
 			}
@@ -947,7 +951,11 @@ identification_t *identification_create_from_string(char *string)
 				else
 				{	/* not IPv4/6 fallback to KEY_ID */
 					this = identification_create(ID_KEY_ID);
-					this->encoded = chunk_create(strdup(string), strlen(string));
+					this->encoded.len = strlen(string);
+					if (this->encoded.len)
+					{
+						this->encoded.ptr = strdup(string);
+					}
 				}
 				return &this->public;
 			}
@@ -969,14 +977,22 @@ identification_t *identification_create_from_string(char *string)
 			{
 				this = identification_create(ID_FQDN);
 				string += 1;
-				this->encoded = chunk_create(strdup(string), strlen(string));
+				this->encoded.len = strlen(string);
+				if (this->encoded.len)
+				{
+					this->encoded.ptr = strdup(string);
+				}
 				return &this->public;
 			}
 		}
 		else
 		{
 			this = identification_create(ID_RFC822_ADDR);
-			this->encoded = chunk_create(strdup(string), strlen(string));
+			this->encoded.len = strlen(string);
+			if (this->encoded.len)
+			{
+				this->encoded.ptr = strdup(string);
+			}
 			return &this->public;
 		}
 	}
diff --git a/src/libstrongswan/utils/leak_detective.c b/src/libstrongswan/utils/leak_detective.c
index 0673878a5..5673fc32d 100644
--- a/src/libstrongswan/utils/leak_detective.c
+++ b/src/libstrongswan/utils/leak_detective.c
@@ -181,8 +181,11 @@ char *whitelist[] = {
 	"register_printf_specifier",
 	"syslog",
 	"vsyslog",
+	"__syslog_chk",
+	"__vsyslog_chk",
 	"getaddrinfo",
 	"setlocale",
+	"getpass",
 	/* ignore dlopen, as we do not dlclose to get proper leak reports */
 	"dlopen",
 	"dlerror",
@@ -213,6 +216,8 @@ char *whitelist[] = {
 	"gcry_check_version",
 	"gcry_randomize",
 	"gcry_create_nonce",
+	/* NSPR */
+	"PR_CallOnce",
 };
 
 /**
diff --git a/src/libstrongswan/utils/linked_list.h b/src/libstrongswan/utils/linked_list.h
index ba5f28f6a..1444c93fc 100644
--- a/src/libstrongswan/utils/linked_list.h
+++ b/src/libstrongswan/utils/linked_list.h
@@ -34,8 +34,8 @@ typedef struct linked_list_t linked_list_t;
  * @param item			current list item
  * @param ...			user supplied data (only pointers, at most 5)
  * @return
- * 						- TRUE, if the item matched
- * 						- FALSE, otherwise
+ *						- TRUE, if the item matched
+ *						- FALSE, otherwise
  */
 typedef bool (*linked_list_match_t)(void *item, ...);
 
@@ -57,7 +57,7 @@ struct linked_list_t {
 	/**
 	 * Gets the count of items in the list.
 	 *
-	 * @return 			number of items in list
+	 * @return			number of items in list
 	 */
 	int (*get_count) (linked_list_t *this);
 
@@ -69,7 +69,7 @@ struct linked_list_t {
 	 * @deprecated Iterator is obsolete and will disappear, it is too
 	 * complicated to implement. Use enumerator instead.
 	 *
-	 * @param forward 	iterator direction (TRUE: front to end)
+	 * @param forward	iterator direction (TRUE: front to end)
 	 * @return			new iterator_t object
 	 */
 	iterator_t *(*create_iterator) (linked_list_t *this, bool forward);
@@ -94,7 +94,7 @@ struct linked_list_t {
 	/**
 	 * Removes the first item in the list and returns its value.
 	 *
-	 * @param item 		returned value of first item, or NULL
+	 * @param item		returned value of first item, or NULL
 	 * @return			SUCCESS, or NOT_FOUND if list is empty
 	 */
 	status_t (*remove_first) (linked_list_t *this, void **item);
@@ -107,18 +107,20 @@ struct linked_list_t {
 	void (*remove_at)(linked_list_t *this, enumerator_t *enumerator);
 
 	/**
-	 * Remove items from the list matching item.
+	 * Remove items from the list matching the given item.
 	 *
-	 * If a compare function is given, it is called for each item, where
-	 * the first parameter is the current list item and the second parameter
-	 * is the supplied item parameter.
-	 * If compare is NULL, compare is done by pointer.
+	 * If a compare function is given, it is called for each item, with the
+	 * first parameter being the current list item and the second parameter
+	 * being the supplied item. Return TRUE from the compare function to remove
+	 * the item, return FALSE to keep it in the list.
+	 *
+	 * If compare is NULL, comparison is done by pointers.
 	 *
 	 * @param item		item to remove/pass to comparator
 	 * @param compare	compare function, or NULL
 	 * @return			number of removed items
 	 */
-	int (*remove)(linked_list_t *this, void *item, bool (*compare)(void *,void*));
+	int (*remove)(linked_list_t *this, void *item, bool (*compare)(void*,void*));
 
 	/**
 	 * Returns the value of the first list item without removing it.
@@ -132,7 +134,7 @@ struct linked_list_t {
 	/**
 	 * Inserts a new item at the end of the list.
 	 *
-	 * @param item 		value to insert into list
+	 * @param item		value to insert into list
 	 */
 	void (*insert_last) (linked_list_t *this, void *item);
 
@@ -148,7 +150,7 @@ struct linked_list_t {
 	/**
 	 * Returns the value of the last list item without removing it.
 	 *
-	 * @param this 		calling object
+	 * @param this		calling object
 	 * @param item		returned value of last item
 	 * @return			SUCCESS, NOT_FOUND if list is empty
 	 */
@@ -203,6 +205,8 @@ struct linked_list_t {
 	 * which can be evalutated at compile time using the offsetof
 	 * macro, e.g.: list->invoke(list, offsetof(object_t, method));
 	 *
+	 * @warning Only use pointers as user supplied data.
+	 *
 	 * @param offset	offset of the method to invoke on objects
 	 * @param ...		user data to supply to called function (limited to 5 arguments)
 	 */
@@ -211,6 +215,8 @@ struct linked_list_t {
 	/**
 	 * Invoke a function on all of the contained objects.
 	 *
+	 * @warning Only use pointers as user supplied data.
+	 *
 	 * @param function	offset of the method to invoke on objects
 	 * @param ...		user data to supply to called function (limited to 5 arguments)
 	 */
@@ -265,7 +271,7 @@ struct linked_list_t {
 /**
  * Creates an empty linked list object.
  *
- * @return 		linked_list_t object.
+ * @return		linked_list_t object.
  */
 linked_list_t *linked_list_create(void);
 
diff --git a/src/libtls/Makefile.am b/src/libtls/Makefile.am
new file mode 100644
index 000000000..a58e783d7
--- /dev/null
+++ b/src/libtls/Makefile.am
@@ -0,0 +1,18 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+
+noinst_LTLIBRARIES = libtls.la
+libtls_la_SOURCES = \
+	tls_protection.h tls_protection.c \
+	tls_compression.h tls_compression.c \
+	tls_fragmentation.h tls_fragmentation.c \
+	tls_alert.h tls_alert.c \
+	tls_crypto.h tls_crypto.c \
+	tls_prf.h tls_prf.c \
+	tls_reader.h tls_reader.c \
+	tls_writer.h tls_writer.c \
+	tls_socket.h tls_socket.c \
+	tls_eap.h tls_eap.c \
+	tls_peer.h tls_peer.c \
+	tls_server.h tls_server.c \
+	tls_handshake.h tls_application.h tls.h tls.c
diff --git a/src/libtls/Makefile.in b/src/libtls/Makefile.in
new file mode 100644
index 000000000..9f0a817f5
--- /dev/null
+++ b/src/libtls/Makefile.in
@@ -0,0 +1,559 @@
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libtls
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+LTLIBRARIES = $(noinst_LTLIBRARIES)
+libtls_la_LIBADD =
+am_libtls_la_OBJECTS = tls_protection.lo tls_compression.lo \
+	tls_fragmentation.lo tls_alert.lo tls_crypto.lo tls_prf.lo \
+	tls_reader.lo tls_writer.lo tls_socket.lo tls_eap.lo \
+	tls_peer.lo tls_server.lo tls.lo
+libtls_la_OBJECTS = $(am_libtls_la_OBJECTS)
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libtls_la_SOURCES)
+DIST_SOURCES = $(libtls_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+noinst_LTLIBRARIES = libtls.la
+libtls_la_SOURCES = \
+	tls_protection.h tls_protection.c \
+	tls_compression.h tls_compression.c \
+	tls_fragmentation.h tls_fragmentation.c \
+	tls_alert.h tls_alert.c \
+	tls_crypto.h tls_crypto.c \
+	tls_prf.h tls_prf.c \
+	tls_reader.h tls_reader.c \
+	tls_writer.h tls_writer.c \
+	tls_socket.h tls_socket.c \
+	tls_eap.h tls_eap.c \
+	tls_peer.h tls_peer.c \
+	tls_server.h tls_server.c \
+	tls_handshake.h tls_application.h tls.h tls.c
+
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libtls/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libtls/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libtls.la: $(libtls_la_OBJECTS) $(libtls_la_DEPENDENCIES) 
+	$(LINK)  $(libtls_la_OBJECTS) $(libtls_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tls.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tls_alert.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tls_compression.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tls_crypto.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tls_eap.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tls_fragmentation.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tls_peer.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tls_prf.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tls_protection.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tls_reader.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tls_server.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tls_socket.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tls_writer.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am:
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am:
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES ctags distclean \
+	distclean-compile distclean-generic distclean-libtool \
+	distclean-tags distdir dvi dvi-am html html-am info info-am \
+	install install-am install-data install-data-am install-dvi \
+	install-dvi-am install-exec install-exec-am install-html \
+	install-html-am install-info install-info-am install-man \
+	install-pdf install-pdf-am install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libtls/tls.c b/src/libtls/tls.c
new file mode 100644
index 000000000..20141f235
--- /dev/null
+++ b/src/libtls/tls.c
@@ -0,0 +1,481 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "tls.h"
+
+#include <debug.h>
+
+#include "tls_protection.h"
+#include "tls_compression.h"
+#include "tls_fragmentation.h"
+#include "tls_crypto.h"
+#include "tls_server.h"
+#include "tls_peer.h"
+
+ENUM_BEGIN(tls_version_names, SSL_2_0, SSL_2_0,
+	"SSLv2");
+ENUM_NEXT(tls_version_names, SSL_3_0, TLS_1_2, SSL_2_0,
+	"SSLv3",
+	"TLS 1.0",
+	"TLS 1.1",
+	"TLS 1.2");
+ENUM_END(tls_version_names, TLS_1_2);
+
+ENUM(tls_content_type_names, TLS_CHANGE_CIPHER_SPEC, TLS_APPLICATION_DATA,
+	"ChangeCipherSpec",
+	"Alert",
+	"Handshake",
+	"ApplicationData",
+);
+
+ENUM_BEGIN(tls_handshake_type_names, TLS_HELLO_REQUEST, TLS_SERVER_HELLO,
+	"HelloRequest",
+	"ClientHello",
+	"ServerHello");
+ENUM_NEXT(tls_handshake_type_names,
+		TLS_CERTIFICATE, TLS_CLIENT_KEY_EXCHANGE, TLS_SERVER_HELLO,
+	"Certificate",
+	"ServerKeyExchange",
+	"CertificateRequest",
+	"ServerHelloDone",
+	"CertificateVerify",
+	"ClientKeyExchange");
+ENUM_NEXT(tls_handshake_type_names,
+		TLS_FINISHED, TLS_FINISHED, TLS_CLIENT_KEY_EXCHANGE,
+	"Finished");
+ENUM_END(tls_handshake_type_names, TLS_FINISHED);
+
+ENUM_BEGIN(tls_extension_names, TLS_EXT_SERVER_NAME, TLS_EXT_STATUS_REQUEST,
+	"server name",
+	"max fragment length",
+	"client certificate url",
+	"trusted ca keys",
+	"truncated hmac",
+	"status request");
+ENUM_NEXT(tls_extension_names,
+		TLS_EXT_ELLIPTIC_CURVES, TLS_EXT_EC_POINT_FORMATS,
+		TLS_EXT_STATUS_REQUEST,
+	"elliptic curves",
+	"ec point formats");
+ENUM_NEXT(tls_extension_names,
+		TLS_EXT_SIGNATURE_ALGORITHMS, TLS_EXT_SIGNATURE_ALGORITHMS,
+		TLS_EXT_EC_POINT_FORMATS,
+	"signature algorithms");
+ENUM_END(tls_extension_names, TLS_EXT_SIGNATURE_ALGORITHMS);
+
+/**
+ * TLS record
+ */
+typedef struct __attribute__((packed)) {
+	u_int8_t type;
+	u_int16_t version;
+	u_int16_t length;
+	char data[];
+} tls_record_t;
+
+typedef struct private_tls_t private_tls_t;
+
+/**
+ * Private data of an tls_protection_t object.
+ */
+struct private_tls_t {
+
+	/**
+	 * Public tls_t interface.
+	 */
+	tls_t public;
+
+	/**
+	 * Role this TLS stack acts as.
+	 */
+	bool is_server;
+
+	/**
+	 * Server identity
+	 */
+	identification_t *server;
+
+	/**
+	 * Peer identity
+	 */
+	identification_t *peer;
+
+	/**
+	 * Negotiated TLS version
+	 */
+	tls_version_t version;
+
+	/**
+	 * TLS stack purpose, as given to constructor
+	 */
+	tls_purpose_t purpose;
+
+	/**
+	 * TLS record protection layer
+	 */
+	tls_protection_t *protection;
+
+	/**
+	 * TLS record compression layer
+	 */
+	tls_compression_t *compression;
+
+	/**
+	 * TLS record fragmentation layer
+	 */
+	tls_fragmentation_t *fragmentation;
+
+	/**
+	 * TLS alert handler
+	 */
+	tls_alert_t *alert;
+
+	/**
+	 * TLS crypto helper context
+	 */
+	tls_crypto_t *crypto;
+
+	/**
+	 * TLS handshake protocol handler
+	 */
+	tls_handshake_t *handshake;
+
+	/**
+	 * TLS application data handler
+	 */
+	tls_application_t *application;
+
+	/**
+	 * Allocated input buffer
+	 */
+	chunk_t input;
+
+	/**
+	 * Number of bytes read in input buffer
+	 */
+	size_t inpos;
+
+	/**
+	 * Allocated output buffer
+	 */
+	chunk_t output;
+
+	/**
+	 * Number of bytes processed from output buffer
+	 */
+	size_t outpos;
+
+	/**
+	 * Partial TLS record header received
+	 */
+	tls_record_t head;
+
+	/**
+	 * Position in partially received record header
+	 */
+	size_t headpos;
+};
+
+METHOD(tls_t, process, status_t,
+	private_tls_t *this, void *buf, size_t buflen)
+{
+	tls_record_t *record;
+	status_t status;
+	u_int len;
+
+	if (this->headpos)
+	{	/* have a partial TLS record header, try to complete it */
+		len = min(buflen, sizeof(this->head) - this->headpos);
+		memcpy(((char*)&this->head) + this->headpos, buf, len);
+		this->headpos += len;
+		buflen -= len;
+		buf += len;
+		if (this->headpos == sizeof(this->head))
+		{	/* header complete, allocate space with new header */
+			len = untoh16(&this->head.length);
+			this->input = chunk_alloc(len + sizeof(tls_record_t));
+			memcpy(this->input.ptr, &this->head, sizeof(this->head));
+			this->inpos = sizeof(this->head);
+			this->headpos = 0;
+		}
+	}
+
+	while (buflen)
+	{
+		if (this->input.len == 0)
+		{
+			if (buflen < sizeof(tls_record_t))
+			{
+				DBG2(DBG_TLS, "received incomplete TLS record header");
+				memcpy(&this->head, buf, buflen);
+				this->headpos = buflen;
+				break;
+			}
+			while (TRUE)
+			{
+				/* try to process records inline */
+				record = buf;
+				len = untoh16(&record->length);
+
+				if (len + sizeof(tls_record_t) > buflen)
+				{	/* not a full record, read to buffer */
+					this->input = chunk_alloc(len + sizeof(tls_record_t));
+					this->inpos = 0;
+					break;
+				}
+				DBG2(DBG_TLS, "processing TLS %N record (%d bytes)",
+					 tls_content_type_names, record->type, len);
+				status = this->protection->process(this->protection,
+								record->type, chunk_create(record->data, len));
+				if (status != NEED_MORE)
+				{
+					return status;
+				}
+				buf += len + sizeof(tls_record_t);
+				buflen -= len + sizeof(tls_record_t);
+				if (buflen == 0)
+				{
+					return NEED_MORE;
+				}
+			}
+		}
+		len = min(buflen, this->input.len - this->inpos);
+		memcpy(this->input.ptr + this->inpos, buf, len);
+		buf += len;
+		buflen -= len;
+		this->inpos += len;
+		DBG2(DBG_TLS, "buffering %d bytes, %d bytes of %d byte TLS record received",
+			 len, this->inpos, this->input.len);
+		if (this->input.len == this->inpos)
+		{
+			record = (tls_record_t*)this->input.ptr;
+			len = untoh16(&record->length);
+
+			DBG2(DBG_TLS, "processing buffered TLS %N record (%d bytes)",
+				 tls_content_type_names, record->type, len);
+			status = this->protection->process(this->protection,
+								record->type, chunk_create(record->data, len));
+			chunk_free(&this->input);
+			this->inpos = 0;
+			if (status != NEED_MORE)
+			{
+				return status;
+			}
+		}
+	}
+	return NEED_MORE;
+}
+
+METHOD(tls_t, build, status_t,
+	private_tls_t *this, void *buf, size_t *buflen, size_t *msglen)
+{
+	tls_content_type_t type;
+	tls_record_t record;
+	status_t status;
+	chunk_t data;
+	size_t len;
+
+	len = *buflen;
+	if (this->output.len == 0)
+	{
+		/* query upper layers for new records, as many as we can get */
+		while (TRUE)
+		{
+			status = this->protection->build(this->protection, &type, &data);
+			switch (status)
+			{
+				case NEED_MORE:
+					record.type = type;
+					htoun16(&record.version, this->version);
+					htoun16(&record.length, data.len);
+					this->output = chunk_cat("mcm", this->output,
+											 chunk_from_thing(record), data);
+					DBG2(DBG_TLS, "sending TLS %N record (%d bytes)",
+						 tls_content_type_names, type, data.len);
+					continue;
+				case INVALID_STATE:
+					if (this->output.len == 0)
+					{
+						return INVALID_STATE;
+					}
+					break;
+				default:
+					return status;
+			}
+			break;
+		}
+		if (msglen)
+		{
+			*msglen = this->output.len;
+		}
+	}
+	else
+	{
+		if (msglen)
+		{
+			*msglen = 0;
+		}
+	}
+	len = min(len, this->output.len - this->outpos);
+	memcpy(buf, this->output.ptr + this->outpos, len);
+	this->outpos += len;
+	*buflen = len;
+	if (this->outpos == this->output.len)
+	{
+		chunk_free(&this->output);
+		this->outpos = 0;
+		return ALREADY_DONE;
+	}
+	return NEED_MORE;
+}
+
+METHOD(tls_t, is_server, bool,
+	private_tls_t *this)
+{
+	return this->is_server;
+}
+
+METHOD(tls_t, get_version, tls_version_t,
+	private_tls_t *this)
+{
+	return this->version;
+}
+
+METHOD(tls_t, set_version, bool,
+	private_tls_t *this, tls_version_t version)
+{
+	if (version > this->version)
+	{
+		return FALSE;
+	}
+	switch (version)
+	{
+		case TLS_1_0:
+		case TLS_1_1:
+		case TLS_1_2:
+			this->version = version;
+			this->protection->set_version(this->protection, version);
+			return TRUE;
+		case SSL_2_0:
+		case SSL_3_0:
+		default:
+			return FALSE;
+	}
+}
+
+METHOD(tls_t, get_purpose, tls_purpose_t,
+	private_tls_t *this)
+{
+	return this->purpose;
+}
+
+METHOD(tls_t, is_complete, bool,
+	private_tls_t *this)
+{
+	if (this->handshake->finished(this->handshake))
+	{
+		if (!this->application)
+		{
+			return TRUE;
+		}
+		return this->fragmentation->application_finished(this->fragmentation);
+	}
+	return FALSE;
+}
+
+METHOD(tls_t, get_eap_msk, chunk_t,
+	private_tls_t *this)
+{
+	return this->crypto->get_eap_msk(this->crypto);
+}
+
+METHOD(tls_t, destroy, void,
+	private_tls_t *this)
+{
+	this->protection->destroy(this->protection);
+	this->compression->destroy(this->compression);
+	this->fragmentation->destroy(this->fragmentation);
+	this->crypto->destroy(this->crypto);
+	this->handshake->destroy(this->handshake);
+	DESTROY_IF(this->peer);
+	this->server->destroy(this->server);
+	DESTROY_IF(this->application);
+	this->alert->destroy(this->alert);
+
+	free(this->input.ptr);
+	free(this->output.ptr);
+
+	free(this);
+}
+
+/**
+ * See header
+ */
+tls_t *tls_create(bool is_server, identification_t *server,
+				  identification_t *peer, tls_purpose_t purpose,
+				  tls_application_t *application)
+{
+	private_tls_t *this;
+
+	switch (purpose)
+	{
+		case TLS_PURPOSE_EAP_TLS:
+		case TLS_PURPOSE_EAP_TTLS:
+		case TLS_PURPOSE_GENERIC:
+			break;
+		default:
+			return NULL;
+	}
+
+	INIT(this,
+		.public = {
+			.process = _process,
+			.build = _build,
+			.is_server = _is_server,
+			.get_version = _get_version,
+			.set_version = _set_version,
+			.get_purpose = _get_purpose,
+			.is_complete = _is_complete,
+			.get_eap_msk = _get_eap_msk,
+			.destroy = _destroy,
+		},
+		.is_server = is_server,
+		.version = TLS_1_2,
+		.server = server->clone(server),
+		.peer = peer ? peer->clone(peer) : NULL,
+		.application = application,
+		.purpose = purpose,
+	);
+
+	this->crypto = tls_crypto_create(&this->public);
+	this->alert = tls_alert_create();
+	if (is_server)
+	{
+		this->handshake = &tls_server_create(&this->public, this->crypto,
+							this->alert, this->server, this->peer)->handshake;
+	}
+	else
+	{
+		this->handshake = &tls_peer_create(&this->public, this->crypto,
+							this->alert, this->peer, this->server)->handshake;
+	}
+	this->fragmentation = tls_fragmentation_create(this->handshake, this->alert,
+												   this->application);
+	this->compression = tls_compression_create(this->fragmentation, this->alert);
+	this->protection = tls_protection_create(this->compression, this->alert);
+	this->crypto->set_protection(this->crypto, this->protection);
+
+	return &this->public;
+}
diff --git a/src/libtls/tls.h b/src/libtls/tls.h
new file mode 100644
index 000000000..1908f5dd4
--- /dev/null
+++ b/src/libtls/tls.h
@@ -0,0 +1,236 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup libtls libtls
+ *
+ * @addtogroup libtls
+ * TLS implementation on top of libstrongswan
+ *
+ * @defgroup tls tls
+ * @{ @ingroup libtls
+ */
+
+#ifndef TLS_H_
+#define TLS_H_
+
+typedef enum tls_version_t tls_version_t;
+typedef enum tls_content_type_t tls_content_type_t;
+typedef enum tls_handshake_type_t tls_handshake_type_t;
+typedef enum tls_purpose_t tls_purpose_t;
+typedef struct tls_t tls_t;
+
+#include <library.h>
+
+#include "tls_application.h"
+
+/**
+ * TLS/SSL version numbers
+ */
+enum tls_version_t {
+	SSL_2_0 = 0x0200,
+	SSL_3_0 = 0x0300,
+	TLS_1_0 = 0x0301,
+	TLS_1_1 = 0x0302,
+	TLS_1_2 = 0x0303,
+};
+
+/**
+ * Enum names for tls_version_t
+ */
+extern enum_name_t *tls_version_names;
+
+/**
+ * TLS higher level content type
+ */
+enum tls_content_type_t {
+	TLS_CHANGE_CIPHER_SPEC = 20,
+	TLS_ALERT = 21,
+	TLS_HANDSHAKE = 22,
+	TLS_APPLICATION_DATA = 23,
+};
+
+/**
+ * Enum names for tls_content_type_t
+ */
+extern enum_name_t *tls_content_type_names;
+
+/**
+ * TLS handshake subtype
+ */
+enum tls_handshake_type_t {
+	TLS_HELLO_REQUEST = 0,
+	TLS_CLIENT_HELLO = 1,
+	TLS_SERVER_HELLO = 2,
+	TLS_CERTIFICATE = 11,
+	TLS_SERVER_KEY_EXCHANGE = 12,
+	TLS_CERTIFICATE_REQUEST = 13,
+	TLS_SERVER_HELLO_DONE = 14,
+	TLS_CERTIFICATE_VERIFY = 15,
+	TLS_CLIENT_KEY_EXCHANGE = 16,
+	TLS_FINISHED = 20,
+};
+
+/**
+ * Enum names for tls_handshake_type_t
+ */
+extern enum_name_t *tls_handshake_type_names;
+
+/**
+ * Purpose the TLS stack is initiated for.
+ */
+enum tls_purpose_t {
+	/** authentication in EAP-TLS */
+	TLS_PURPOSE_EAP_TLS,
+	/** outer authentication and protection in EAP-TTLS */
+	TLS_PURPOSE_EAP_TTLS,
+	/** non-EAP TLS */
+	TLS_PURPOSE_GENERIC,
+	/** EAP binding for TNC */
+	TLS_PURPOSE_EAP_TNC
+};
+
+/**
+ * TLS Hello extension types.
+ */
+enum tls_extension_t {
+	/** Server name the client wants to talk to */
+	TLS_EXT_SERVER_NAME = 0,
+	/** request a maximum fragment size */
+	TLS_EXT_MAX_FRAGMENT_LENGTH = 1,
+	/** indicate client certificate URL support */
+	TLS_EXT_CLIENT_CERTIFICATE_URL = 2,
+	/** list of CA the client trusts */
+	TLS_EXT_TRUSTED_CA_KEYS = 3,
+	/** request MAC truncation to 80-bit */
+	TLS_EXT_TRUNCATED_HMAC = 4,
+	/** list of OCSP responders the client trusts */
+	TLS_EXT_STATUS_REQUEST = 5,
+	/** list of supported elliptic curves */
+	TLS_EXT_ELLIPTIC_CURVES = 10,
+	/** supported point formats */
+	TLS_EXT_EC_POINT_FORMATS = 11,
+	/** list supported signature algorithms */
+	TLS_EXT_SIGNATURE_ALGORITHMS = 13,
+};
+
+/**
+ * Enum names for tls_extension_t
+ */
+extern enum_name_t *tls_extension_names;
+
+/**
+ * A bottom-up driven TLS stack, suitable for EAP implementations.
+ */
+struct tls_t {
+
+	/**
+	 * Process one or more TLS records, pass it to upper layers.
+	 *
+	 * @param buf		TLS record data, including headers
+	 * @param buflen	number of bytes in buf to process
+	 * @return
+	 *					- SUCCESS if TLS negotiation complete
+	 *					- FAILED if TLS handshake failed
+	 *					- NEED_MORE if more invocations to process/build needed
+	 */
+	status_t (*process)(tls_t *this, void *buf, size_t buflen);
+
+	/**
+	 * Query upper layer for one or more TLS records, build fragments.
+	 *
+	 * The TLS stack automatically fragments the records to the given buffer
+	 * size. Fragmentation is indicated by the reclen ouput parameter and
+	 * the return value. For the first fragment of a TLS record, a non-zero
+	 * record length is returned in reclen. If more fragments follow, NEED_MORE
+	 * is returned. A return value of ALREADY_DONE indicates that the final
+	 * fragment has been returned.
+	 *
+	 * @param buf		buffer to write TLS record fragments to
+	 * @param buflen	size of buffer, receives bytes written
+	 * @param msglen	receives size of all TLS fragments
+	 * @return
+	 *					- SUCCESS if TLS negotiation complete
+	 *					- FAILED if TLS handshake failed
+	 *					- INVALID_STATE if more input data required
+	 *					- NEED_MORE if more fragments available
+	 *					- ALREADY_DONE if the last available fragment returned
+	 */
+	status_t (*build)(tls_t *this, void *buf, size_t *buflen, size_t *msglen);
+
+	/**
+	 * Check if TLS stack is acting as a server.
+	 *
+	 * @return			TRUE if server, FALSE if peer
+	 */
+	bool (*is_server)(tls_t *this);
+
+	/**
+	 * Get the negotiated TLS/SSL version.
+	 *
+	 * @return			negotiated TLS version
+	 */
+	tls_version_t (*get_version)(tls_t *this);
+
+	/**
+	 * Set the negotiated TLS/SSL version.
+	 *
+	 * @param version	negotiated TLS version
+	 * @return			TRUE if version acceptable
+	 */
+	bool (*set_version)(tls_t *this, tls_version_t version);
+
+	/**
+	 * Get the purpose of this TLS stack instance.
+	 *
+	 * @return			purpose given during construction
+	 */
+	tls_purpose_t (*get_purpose)(tls_t *this);
+
+	/**
+	 * Check if TLS negotiation completed successfully.
+	 *
+	 * @return			TRUE if TLS negotation and authentication complete
+	 */
+	bool (*is_complete)(tls_t *this);
+
+	/**
+	 * Get the MSK for EAP-TLS.
+	 *
+	 * @return			MSK, internal data
+	 */
+	chunk_t (*get_eap_msk)(tls_t *this);
+
+	/**
+	 * Destroy a tls_t.
+	 */
+	void (*destroy)(tls_t *this);
+};
+
+/**
+ * Create a tls instance.
+ *
+ * @param is_server			TRUE to act as server, FALSE for client
+ * @param server			server identity
+ * @param peer				peer identity, NULL for no client authentication
+ * @param purpose			purpose this TLS stack instance is used for
+ * @param application		higher layer application or NULL if none
+ * @return					TLS stack
+ */
+tls_t *tls_create(bool is_server, identification_t *server,
+				  identification_t *peer, tls_purpose_t purpose,
+				  tls_application_t *application);
+
+#endif /** TLS_H_ @}*/
diff --git a/src/libtls/tls_alert.c b/src/libtls/tls_alert.c
new file mode 100644
index 000000000..8a4fa7d77
--- /dev/null
+++ b/src/libtls/tls_alert.c
@@ -0,0 +1,228 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "tls_alert.h"
+
+#include <debug.h>
+#include <utils/linked_list.h>
+
+ENUM_BEGIN(tls_alert_desc_names, TLS_CLOSE_NOTIFY, TLS_CLOSE_NOTIFY,
+	"close notify",
+);
+ENUM_NEXT(tls_alert_desc_names, TLS_UNEXPECTED_MESSAGE, TLS_UNEXPECTED_MESSAGE,
+		TLS_CLOSE_NOTIFY,
+	"unexpected message",
+);
+ENUM_NEXT(tls_alert_desc_names, TLS_BAD_RECORD_MAC, TLS_RECORD_OVERFLOW,
+		TLS_UNEXPECTED_MESSAGE,
+	"bad record mac",
+	"decryption failed",
+	"record overflow",
+);
+ENUM_NEXT(tls_alert_desc_names, TLS_DECOMPRESSION_FAILURE, TLS_DECOMPRESSION_FAILURE,
+		TLS_RECORD_OVERFLOW,
+	"decompression_failure",
+);
+ENUM_NEXT(tls_alert_desc_names, TLS_HANDSHAKE_FAILURE, TLS_DECRYPT_ERROR,
+		TLS_DECOMPRESSION_FAILURE,
+	"handshake failure",
+	"no certificate",
+	"bad certificate",
+	"unsupported certificate",
+	"certificate revoked",
+	"certificate expired",
+	"certificate unknown",
+	"illegal parameter",
+	"unknown ca",
+	"access denied",
+	"decode error",
+	"decrypt error",
+);
+ENUM_NEXT(tls_alert_desc_names, TLS_EXPORT_RESTRICTION, TLS_EXPORT_RESTRICTION,
+		TLS_DECRYPT_ERROR,
+	"export restriction",
+);
+ENUM_NEXT(tls_alert_desc_names, TLS_PROTOCOL_VERSION, TLS_INSUFFICIENT_SECURITY,
+		TLS_EXPORT_RESTRICTION,
+	"protocol version",
+	"insufficient security",
+);
+ENUM_NEXT(tls_alert_desc_names, TLS_INTERNAL_ERROR, TLS_INTERNAL_ERROR,
+		TLS_INSUFFICIENT_SECURITY,
+	"internal error",
+);
+ENUM_NEXT(tls_alert_desc_names, TLS_USER_CANCELED, TLS_USER_CANCELED,
+		TLS_INTERNAL_ERROR,
+	"user canceled",
+);
+ENUM_NEXT(tls_alert_desc_names, TLS_NO_RENEGOTIATION, TLS_NO_RENEGOTIATION,
+		TLS_USER_CANCELED,
+	"no renegotiation",
+);
+ENUM_NEXT(tls_alert_desc_names, TLS_UNSUPPORTED_EXTENSION, TLS_UNSUPPORTED_EXTENSION,
+		TLS_NO_RENEGOTIATION,
+	"unsupported extension",
+);
+ENUM_END(tls_alert_desc_names, TLS_UNSUPPORTED_EXTENSION);
+
+
+typedef struct private_tls_alert_t private_tls_alert_t;
+
+/**
+ * Private data of an tls_alert_t object.
+ */
+struct private_tls_alert_t {
+
+	/**
+	 * Public tls_alert_t interface.
+	 */
+	tls_alert_t public;
+
+	/**
+	 * Warning queue
+	 */
+	linked_list_t *warnings;
+
+	/**
+	 * Do we have a fatal alert?
+	 */
+	bool fatal;
+
+	/**
+	 * Has the fatal alert been consumed?
+	 */
+	bool consumed;
+
+	/**
+	 * Fatal alert discription
+	 */
+	tls_alert_desc_t desc;
+};
+
+METHOD(tls_alert_t, add, void,
+	private_tls_alert_t *this, tls_alert_level_t level,
+	tls_alert_desc_t desc)
+{
+	if (level == TLS_FATAL)
+	{
+		if (!this->fatal)
+		{
+			this->desc = desc;
+			this->fatal = TRUE;
+		}
+	}
+	else
+	{
+		this->warnings->insert_last(this->warnings, (void*)(uintptr_t)desc);
+	}
+}
+
+METHOD(tls_alert_t, get, bool,
+	private_tls_alert_t *this, tls_alert_level_t *level,
+	tls_alert_desc_t *desc)
+{
+	if (this->fatal && !this->consumed)
+	{
+		this->consumed = TRUE;
+		*level = TLS_FATAL;
+		*desc = this->desc;
+		if (this->desc == TLS_CLOSE_NOTIFY)
+		{
+			DBG1(DBG_TLS, "sending TLS close notify");
+		}
+		else
+		{
+			DBG1(DBG_TLS, "sending fatal TLS alert '%N'",
+				 tls_alert_desc_names, this->desc);
+		}
+		return TRUE;
+	}
+	else
+	{
+		uintptr_t warning;
+
+		if (this->warnings->remove_first(this->warnings,
+										 (void**)&warning) == SUCCESS)
+		{
+			*level = TLS_WARNING;
+			*desc = warning;
+			DBG1(DBG_TLS, "sending TLS alert warning '%N'",
+				 tls_alert_desc_names, warning);
+			return TRUE;
+		}
+	}
+	return FALSE;
+}
+
+METHOD(tls_alert_t, fatal, bool,
+	private_tls_alert_t *this)
+{
+	return this->fatal;
+}
+
+METHOD(tls_alert_t, process, status_t,
+	private_tls_alert_t *this, tls_alert_level_t level,
+	tls_alert_desc_t desc)
+{
+	if (desc == TLS_CLOSE_NOTIFY)
+	{
+		DBG1(DBG_TLS, "received TLS close notify");
+		add(this, TLS_FATAL, TLS_CLOSE_NOTIFY);
+		return NEED_MORE;
+	}
+	switch (level)
+	{
+		case TLS_WARNING:
+			DBG1(DBG_TLS, "received TLS alert warning '%N'",
+				 tls_alert_desc_names, desc);
+			return NEED_MORE;
+		case TLS_FATAL:
+			DBG1(DBG_TLS, "received fatal TLS alert '%N'",
+				 tls_alert_desc_names, desc);
+			return FAILED;
+		default:
+			DBG1(DBG_TLS, "received unknown TLS alert '%N'",
+				 tls_alert_desc_names, desc);
+			return FAILED;
+	}
+}
+
+METHOD(tls_alert_t, destroy, void,
+	private_tls_alert_t *this)
+{
+	this->warnings->destroy(this->warnings);
+	free(this);
+}
+
+/**
+ * See header
+ */
+tls_alert_t *tls_alert_create()
+{
+	private_tls_alert_t *this;
+
+	INIT(this,
+		.public = {
+			.add = _add,
+			.get = _get,
+			.fatal = _fatal,
+			.process = _process,
+			.destroy = _destroy,
+		},
+		.warnings = linked_list_create(),
+	);
+
+	return &this->public;
+}
diff --git a/src/libtls/tls_alert.h b/src/libtls/tls_alert.h
new file mode 100644
index 000000000..95ba4d91b
--- /dev/null
+++ b/src/libtls/tls_alert.h
@@ -0,0 +1,126 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tls_alert tls_alert
+ * @{ @ingroup libtls
+ */
+
+#ifndef TLS_ALERT_H_
+#define TLS_ALERT_H_
+
+#include <library.h>
+
+typedef struct tls_alert_t tls_alert_t;
+typedef enum tls_alert_level_t tls_alert_level_t;
+typedef enum tls_alert_desc_t tls_alert_desc_t;
+
+/**
+ * Level of a TLS alert
+ */
+enum tls_alert_level_t {
+	TLS_WARNING = 1,
+	TLS_FATAL = 2,
+};
+
+/**
+ * Description of a TLS alert
+ */
+enum tls_alert_desc_t {
+	TLS_CLOSE_NOTIFY = 0,
+	TLS_UNEXPECTED_MESSAGE = 10,
+	TLS_BAD_RECORD_MAC = 20,
+	TLS_DECRYPTION_FAILED = 21,
+	TLS_RECORD_OVERFLOW = 22,
+	TLS_DECOMPRESSION_FAILURE = 30,
+	TLS_HANDSHAKE_FAILURE = 40,
+	TLS_NO_CERTIFICATE = 41,
+	TLS_BAD_CERTIFICATE = 42,
+	TLS_UNSUPPORTED_CERTIFICATE = 43,
+	TLS_CERTIFICATE_REVOKED = 44,
+	TLS_CERTIFICATE_EXPIRED = 45,
+	TLS_CERTIFICATE_UNKNOWN = 46,
+	TLS_ILLEGAL_PARAMETER = 47,
+	TLS_UNKNOWN_CA = 48,
+	TLS_ACCESS_DENIED = 49,
+	TLS_DECODE_ERROR = 50,
+	TLS_DECRYPT_ERROR = 51,
+	TLS_EXPORT_RESTRICTION = 60,
+	TLS_PROTOCOL_VERSION = 70,
+	TLS_INSUFFICIENT_SECURITY = 71,
+	TLS_INTERNAL_ERROR = 80,
+	TLS_USER_CANCELED = 90,
+	TLS_NO_RENEGOTIATION = 100,
+	TLS_UNSUPPORTED_EXTENSION = 110,
+};
+
+/**
+ * Enum names for alert descriptions
+ */
+extern enum_name_t *tls_alert_desc_names;
+
+/**
+ * TLS alert handling.
+ */
+struct tls_alert_t {
+
+	/**
+	 * Add an alert to the TLS alert queue, will be sent.
+	 *
+	 * @param level			level of TLS alert
+	 * @param description	description of alert
+	 */
+	void (*add)(tls_alert_t *this, tls_alert_level_t level,
+				tls_alert_desc_t description);
+
+	/**
+	 * Get an alert pushed to the alert queue, to send.
+	 *
+	 * @param level			receives TLS alert level
+	 * @param description	receives TLS alert description
+	 * @return				TRUE if returned an alert
+	 */
+	bool (*get)(tls_alert_t *this, tls_alert_level_t *level,
+				tls_alert_desc_t *description);
+
+	/**
+	 * Did a fatal alert occur?.
+	 *
+	 * @return				TRUE if a fatal alert has occured
+	 */
+	bool (*fatal)(tls_alert_t *this);
+
+	/**
+	 * Process a received TLS alert.
+	 *
+	 * @param level			level of received alert
+	 * @param description	alert description
+	 * @return				status to pass down to TLS stack
+	 */
+	status_t (*process)(tls_alert_t *this, tls_alert_level_t level,
+						tls_alert_desc_t description);
+
+	/**
+	 * Destroy a tls_alert_t.
+	 */
+	void (*destroy)(tls_alert_t *this);
+};
+
+/**
+ * Create a tls_alert instance.
+ */
+tls_alert_t *tls_alert_create();
+
+#endif /** TLS_ALERT_H_ @}*/
diff --git a/src/libtls/tls_application.h b/src/libtls/tls_application.h
new file mode 100644
index 000000000..b54a25e22
--- /dev/null
+++ b/src/libtls/tls_application.h
@@ -0,0 +1,63 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * Copyright (C) 2010 HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tls_handshake tls_handshake
+ * @{ @ingroup libtls
+ */
+
+#ifndef TLS_APPLICATION_H_
+#define TLS_APPLICATION_H_
+
+typedef struct tls_application_t tls_application_t;
+
+#include "tls_reader.h"
+#include "tls_writer.h"
+
+/**
+ * TLS application data interface.
+ */
+struct tls_application_t {
+
+	/**
+	 * Process received TLS application data.
+	 *
+	 * @param reader	TLS data buffer
+	 * @return
+	 *					- SUCCESS if application completed
+	 *					- FAILED if application data processing failed
+	 *					- NEED_MORE if another invocation of process/build needed
+	 */
+	status_t (*process)(tls_application_t *this, tls_reader_t *reader);
+
+	/**
+	 * Build TLS application data to send out.
+	 *
+	 * @param writer	TLS data buffer to write to
+	 * @return
+	 *					- SUCCESS if application completed
+	 *					- FAILED if application data build failed
+	 *					- NEED_MORE if more data ready for delivery
+	 *					- INVALID_STATE if more input to process() required
+	 */
+	status_t (*build)(tls_application_t *this, tls_writer_t *writer);
+
+	/**
+	 * Destroy a tls_application_t.
+	 */
+	void (*destroy)(tls_application_t *this);
+};
+
+#endif /** TLS_APPLICATION_H_ @}*/
diff --git a/src/libtls/tls_compression.c b/src/libtls/tls_compression.c
new file mode 100644
index 000000000..68266cd0c
--- /dev/null
+++ b/src/libtls/tls_compression.c
@@ -0,0 +1,72 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "tls_compression.h"
+
+typedef struct private_tls_compression_t private_tls_compression_t;
+
+/**
+ * Private data of an tls_compression_t object.
+ */
+struct private_tls_compression_t {
+
+	/**
+	 * Public tls_compression_t interface.
+	 */
+	tls_compression_t public;
+
+	/**
+	 * Upper layer, TLS record fragmentation
+	 */
+	tls_fragmentation_t *fragmentation;
+};
+
+METHOD(tls_compression_t, process, status_t,
+	private_tls_compression_t *this, tls_content_type_t type, chunk_t data)
+{
+	return this->fragmentation->process(this->fragmentation, type, data);
+}
+
+METHOD(tls_compression_t, build, status_t,
+	private_tls_compression_t *this, tls_content_type_t *type, chunk_t *data)
+{
+	return this->fragmentation->build(this->fragmentation, type, data);
+}
+
+METHOD(tls_compression_t, destroy, void,
+	private_tls_compression_t *this)
+{
+	free(this);
+}
+
+/**
+ * See header
+ */
+tls_compression_t *tls_compression_create(tls_fragmentation_t *fragmentation,
+										  tls_alert_t *alert)
+{
+	private_tls_compression_t *this;
+
+	INIT(this,
+		.public = {
+			.process = _process,
+			.build = _build,
+			.destroy = _destroy,
+		},
+		.fragmentation = fragmentation,
+	);
+
+	return &this->public;
+}
diff --git a/src/libtls/tls_compression.h b/src/libtls/tls_compression.h
new file mode 100644
index 000000000..b4832ab06
--- /dev/null
+++ b/src/libtls/tls_compression.h
@@ -0,0 +1,80 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tls_compression tls_compression
+ * @{ @ingroup libtls
+ */
+
+#ifndef TLS_COMPRESSION_H_
+#define TLS_COMPRESSION_H_
+
+#include <library.h>
+
+#include "tls.h"
+#include "tls_alert.h"
+#include "tls_fragmentation.h"
+
+typedef struct tls_compression_t tls_compression_t;
+
+/**
+ * TLS record protocol compression layer.
+ */
+struct tls_compression_t {
+
+	/**
+	 * Process a compressed TLS record, pass it to upper layers.
+	 *
+	 * @param type		type of the TLS record to process
+	 * @param data		associated TLS record data
+	 * @return
+	 *					- SUCCESS if TLS negotiation complete
+	 *					- FAILED if TLS handshake failed
+	 *					- NEED_MORE if more invocations to process/build needed
+	 */
+	status_t (*process)(tls_compression_t *this,
+						tls_content_type_t type, chunk_t data);
+
+	/**
+	 * Query upper layer for TLS record, build compressed record.
+	 *
+	 * @param type		type of the built TLS record
+	 * @param data		allocated data of the built TLS record
+	 * @return
+	 *					- SUCCESS if TLS negotiation complete
+	 *					- FAILED if TLS handshake failed
+	 *					- NEED_MORE if upper layers have more records to send
+	 *					- INVALID_STATE if more input records required
+	 */
+	status_t (*build)(tls_compression_t *this,
+					  tls_content_type_t *type, chunk_t *data);
+
+	/**
+	 * Destroy a tls_compression_t.
+	 */
+	void (*destroy)(tls_compression_t *this);
+};
+
+/**
+ * Create a tls_compression instance.
+ *
+ * @param fragmentation		fragmentation layer of TLS stack
+ * @param alert				TLS alert handler
+ * @return					TLS compression layer.
+ */
+tls_compression_t *tls_compression_create(tls_fragmentation_t *fragmentation,
+										  tls_alert_t *alert);
+
+#endif /** TLS_COMPRESSION_H_ @}*/
diff --git a/src/libtls/tls_crypto.c b/src/libtls/tls_crypto.c
new file mode 100644
index 000000000..78f2a796d
--- /dev/null
+++ b/src/libtls/tls_crypto.c
@@ -0,0 +1,1674 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "tls_crypto.h"
+
+#include <debug.h>
+
+ENUM_BEGIN(tls_cipher_suite_names, TLS_NULL_WITH_NULL_NULL,
+								   TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
+	"TLS_NULL_WITH_NULL_NULL",
+	"TLS_RSA_WITH_NULL_MD5",
+	"TLS_RSA_WITH_NULL_SHA",
+	"TLS_RSA_EXPORT_WITH_RC4_40_MD5",
+	"TLS_RSA_WITH_RC4_128_MD5",
+	"TLS_RSA_WITH_RC4_128_SHA",
+	"TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
+	"TLS_RSA_WITH_IDEA_CBC_SHA",
+	"TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
+	"TLS_RSA_WITH_DES_CBC_SHA",
+	"TLS_RSA_WITH_3DES_EDE_CBC_SHA",
+	"TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
+	"TLS_DH_DSS_WITH_DES_CBC_SHA",
+	"TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA",
+	"TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
+	"TLS_DH_RSA_WITH_DES_CBC_SHA",
+	"TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA",
+	"TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
+	"TLS_DHE_DSS_WITH_DES_CBC_SHA",
+	"TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
+	"TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
+	"TLS_DHE_RSA_WITH_DES_CBC_SHA",
+	"TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
+	"TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
+	"TLS_DH_anon_WITH_RC4_128_MD5",
+	"TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
+	"TLS_DH_anon_WITH_DES_CBC_SHA",
+	"TLS_DH_anon_WITH_3DES_EDE_CBC_SHA");
+ENUM_NEXT(tls_cipher_suite_names, TLS_KRB5_WITH_DES_CBC_SHA,
+								  TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
+								  TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
+	"TLS_KRB5_WITH_DES_CBC_SHA",
+	"TLS_KRB5_WITH_3DES_EDE_CBC_SHA",
+	"TLS_KRB5_WITH_RC4_128_SHA",
+	"TLS_KRB5_WITH_IDEA_CBC_SHA",
+	"TLS_KRB5_WITH_DES_CBC_MD5",
+	"TLS_KRB5_WITH_3DES_EDE_CBC_MD5",
+	"TLS_KRB5_WITH_RC4_128_MD5",
+	"TLS_KRB5_WITH_IDEA_CBC_MD5",
+	"TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA",
+	"TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA",
+	"TLS_KRB5_EXPORT_WITH_RC4_40_SHA",
+	"TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5",
+	"TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5",
+	"TLS_KRB5_EXPORT_WITH_RC4_40_MD5",
+	"TLS_PSK_WITH_NULL_SHA",
+	"TLS_DHE_PSK_WITH_NULL_SHA",
+	"TLS_RSA_PSK_WITH_NULL_SHA",
+	"TLS_RSA_WITH_AES_128_CBC_SHA",
+	"TLS_DH_DSS_WITH_AES_128_CBC_SHA",
+	"TLS_DH_RSA_WITH_AES_128_CBC_SHA",
+	"TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
+	"TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
+	"TLS_DH_anon_WITH_AES_128_CBC_SHA",
+	"TLS_RSA_WITH_AES_256_CBC_SHA",
+	"TLS_DH_DSS_WITH_AES_256_CBC_SHA",
+	"TLS_DH_RSA_WITH_AES_256_CBC_SHA",
+	"TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
+	"TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
+	"TLS_DH_anon_WITH_AES_256_CBC_SHA",
+	"TLS_RSA_WITH_NULL_SHA256",
+	"TLS_RSA_WITH_AES_128_CBC_SHA256 ",
+	"TLS_RSA_WITH_AES_256_CBC_SHA256",
+	"TLS_DH_DSS_WITH_AES_128_CBC_SHA256",
+	"TLS_DH_RSA_WITH_AES_128_CBC_SHA256",
+	"TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
+	"TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
+	"TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA",
+	"TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA",
+	"TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA",
+	"TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",
+	"TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA");
+ENUM_NEXT(tls_cipher_suite_names, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
+								  TLS_DH_anon_WITH_AES_256_CBC_SHA256,
+								  TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
+	"TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
+	"TLS_DH_DSS_WITH_AES_256_CBC_SHA256",
+	"TLS_DH_RSA_WITH_AES_256_CBC_SHA256",
+	"TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
+	"TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
+	"TLS_DH_anon_WITH_AES_128_CBC_SHA256",
+	"TLS_DH_anon_WITH_AES_256_CBC_SHA256");
+ENUM_NEXT(tls_cipher_suite_names, TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
+								  TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256,
+								  TLS_DH_anon_WITH_AES_256_CBC_SHA256,
+	"TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
+	"TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA",
+	"TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA",
+	"TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA",
+	"TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
+	"TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA",
+	"TLS_PSK_WITH_RC4_128_SHA",
+	"TLS_PSK_WITH_3DES_EDE_CBC_SHA2",
+	"TLS_PSK_WITH_AES_128_CBC_SHA",
+	"TLS_PSK_WITH_AES_256_CBC_SHA",
+	"TLS_DHE_PSK_WITH_RC4_128_SHA",
+	"TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA",
+	"TLS_DHE_PSK_WITH_AES_128_CBC_SHA",
+	"TLS_DHE_PSK_WITH_AES_256_CBC_SHA2",
+	"TLS_RSA_PSK_WITH_RC4_128_SHA",
+	"TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA",
+	"TLS_RSA_PSK_WITH_AES_128_CBC_SHA",
+	"TLS_RSA_PSK_WITH_AES_256_CBC_SHA",
+	"TLS_RSA_WITH_SEED_CBC_SHA",
+	"TLS_DH_DSS_WITH_SEED_CBC_SHA",
+	"TLS_DH_RSA_WITH_SEED_CBC_SHA",
+	"TLS_DHE_DSS_WITH_SEED_CBC_SHA",
+	"TLS_DHE_RSA_WITH_SEED_CBC_SHA",
+	"TLS_DH_anon_WITH_SEED_CBC_SHA",
+	"TLS_RSA_WITH_AES_128_GCM_SHA256",
+	"TLS_RSA_WITH_AES_256_GCM_SHA384",
+	"TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
+	"TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
+	"TLS_DH_RSA_WITH_AES_128_GCM_SHA256",
+	"TLS_DH_RSA_WITH_AES_256_GCM_SHA384",
+	"TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
+	"TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
+	"TLS_DH_DSS_WITH_AES_128_GCM_SHA256",
+	"TLS_DH_DSS_WITH_AES_256_GCM_SHA384",
+	"TLS_DH_anon_WITH_AES_128_GCM_SHA256",
+	"TLS_DH_anon_WITH_AES_256_GCM_SHA384",
+	"TLS_PSK_WITH_AES_128_GCM_SHA256",
+	"TLS_PSK_WITH_AES_256_GCM_SHA384",
+	"TLS_DHE_PSK_WITH_AES_128_GCM_SHA256",
+	"TLS_DHE_PSK_WITH_AES_256_GCM_SHA384",
+	"TLS_RSA_PSK_WITH_AES_128_GCM_SHA256",
+	"TLS_RSA_PSK_WITH_AES_256_GCM_SHA384",
+	"TLS_PSK_WITH_AES_128_CBC_SHA256",
+	"TLS_PSK_WITH_AES_256_CBC_SHA384",
+	"TLS_PSK_WITH_NULL_SHA256",
+	"TLS_PSK_WITH_NULL_SHA384",
+	"TLS_DHE_PSK_WITH_AES_128_CBC_SHA256",
+	"TLS_DHE_PSK_WITH_AES_256_CBC_SHA384",
+	"TLS_DHE_PSK_WITH_NULL_SHA256",
+	"TLS_DHE_PSK_WITH_NULL_SHA384",
+	"TLS_RSA_PSK_WITH_AES_128_CBC_SHA256",
+	"TLS_RSA_PSK_WITH_AES_256_CBC_SHA384",
+	"TLS_RSA_PSK_WITH_NULL_SHA256",
+	"TLS_RSA_PSK_WITH_NULL_SHA384",
+	"TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256",
+	"TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256",
+	"TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256",
+	"TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256",
+	"TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
+	"TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256",
+	"TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256",
+	"TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256",
+	"TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256",
+	"TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256",
+	"TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256",
+	"TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256");
+ENUM_NEXT(tls_cipher_suite_names, TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
+								  TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
+								  TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256,
+	"TLS_EMPTY_RENEGOTIATION_INFO_SCSV");
+ENUM_NEXT(tls_cipher_suite_names, TLS_ECDH_ECDSA_WITH_NULL_SHA,
+								  TLS_ECDHE_PSK_WITH_NULL_SHA384,
+								  TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
+	"TLS_ECDH_ECDSA_WITH_NULL_SHA",
+	"TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
+	"TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
+	"TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
+	"TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
+	"TLS_ECDHE_ECDSA_WITH_NULL_SHA",
+	"TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
+	"TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
+	"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
+	"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
+	"TLS_ECDH_RSA_WITH_NULL_SHA",
+	"TLS_ECDH_RSA_WITH_RC4_128_SHA",
+	"TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
+	"TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
+	"TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
+	"TLS_ECDHE_RSA_WITH_NULL_SHA",
+	"TLS_ECDHE_RSA_WITH_RC4_128_SHA",
+	"TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
+	"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
+	"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
+	"TLS_ECDH_anon_WITH_NULL_SHA",
+	"TLS_ECDH_anon_WITH_RC4_128_SHA",
+	"TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA",
+	"TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
+	"TLS_ECDH_anon_WITH_AES_256_CBC_SHA",
+	"TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA",
+	"TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA",
+	"TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA",
+	"TLS_SRP_SHA_WITH_AES_128_CBC_SHA",
+	"TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA",
+	"TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA",
+	"TLS_SRP_SHA_WITH_AES_256_CBC_SHA",
+	"TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA",
+	"TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA",
+	"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
+	"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
+	"TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
+	"TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
+	"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
+	"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
+	"TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
+	"TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",
+	"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+	"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+	"TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
+	"TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
+	"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+	"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+	"TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
+	"TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",
+	"TLS_ECDHE_PSK_WITH_RC4_128_SHA",
+	"TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA",
+	"TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA",
+	"TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA",
+	"TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256",
+	"TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384",
+	"TLS_ECDHE_PSK_WITH_NULL_SHA",
+	"TLS_ECDHE_PSK_WITH_NULL_SHA256",
+	"TLS_ECDHE_PSK_WITH_NULL_SHA384");
+ENUM_END(tls_cipher_suite_names, TLS_ECDHE_PSK_WITH_NULL_SHA384);
+
+ENUM(tls_hash_algorithm_names, TLS_HASH_NONE, TLS_HASH_SHA512,
+	"NONE",
+	"MD5",
+	"SHA1",
+	"SHA224",
+	"SHA256",
+	"SHA384",
+	"SHA512",
+);
+
+ENUM(tls_signature_algorithm_names, TLS_SIG_RSA, TLS_SIG_ECDSA,
+	"RSA",
+	"DSA",
+	"ECDSA",
+);
+
+ENUM_BEGIN(tls_client_certificate_type_names,
+		   TLS_RSA_SIGN, TLS_DSS_EPHEMERAL_DH,
+	"RSA_SIGN",
+	"DSA_SIGN",
+	"RSA_FIXED_DH",
+	"DSS_FIXED_DH",
+	"RSA_EPHEMERAL_DH",
+	"DSS_EPHEMERAL_DH");
+ENUM_NEXT(tls_client_certificate_type_names,
+		  TLS_FORTEZZA_DMS, TLS_FORTEZZA_DMS, TLS_DSS_EPHEMERAL_DH,
+	"FORTEZZA_DMS");
+ENUM_NEXT(tls_client_certificate_type_names,
+		  TLS_ECDSA_SIGN, TLS_ECDSA_FIXED_ECDH, TLS_FORTEZZA_DMS,
+	"ECDSA_SIGN",
+	"RSA_FIXED_ECDH",
+	"ECDSA_FIXED_ECDH");
+ENUM_END(tls_client_certificate_type_names, TLS_ECDSA_FIXED_ECDH);
+
+ENUM(tls_ecc_curve_type_names, TLS_ECC_EXPLICIT_PRIME, TLS_ECC_NAMED_CURVE,
+	"EXPLICIT_PRIME",
+	"EXPLICIT_CHAR2",
+	"NAMED_CURVE",
+);
+
+ENUM(tls_named_curve_names, TLS_SECT163K1, TLS_SECP521R1,
+	"SECT163K1",
+	"SECT163R1",
+	"SECT163R2",
+	"SECT193R1",
+	"SECT193R2",
+	"SECT233K1",
+	"SECT233R1",
+	"SECT239K1",
+	"SECT283K1",
+	"SECT283R1",
+	"SECT409K1",
+	"SECT409R1",
+	"SECT571K1",
+	"SECT571R1",
+	"SECP160K1",
+	"SECP160R1",
+	"SECP160R2",
+	"SECP192K1",
+	"SECP192R1",
+	"SECP224K1",
+	"SECP224R1",
+	"SECP256K1",
+	"SECP256R1",
+	"SECP384R1",
+	"SECP521R1",
+);
+
+ENUM(tls_ansi_point_format_names, TLS_ANSI_COMPRESSED, TLS_ANSI_HYBRID_Y,
+	"compressed",
+	"compressed y",
+	"uncompressed",
+	"uncompressed y",
+	"hybrid",
+	"hybrid y",
+);
+
+ENUM(tls_ec_point_format_names,
+	 TLS_EC_POINT_UNCOMPRESSED, TLS_EC_POINT_ANSIX962_COMPRESSED_CHAR2,
+	"uncompressed",
+	"ansiX962 compressed prime",
+	"ansiX962 compressed char2",
+);
+
+typedef struct private_tls_crypto_t private_tls_crypto_t;
+
+/**
+ * Private data of an tls_crypto_t object.
+ */
+struct private_tls_crypto_t {
+
+	/**
+	 * Public tls_crypto_t interface.
+	 */
+	tls_crypto_t public;
+
+	/**
+	 * Protection layer
+	 */
+	tls_protection_t *protection;
+
+	/**
+	 * List of supported/acceptable cipher suites
+	 */
+	tls_cipher_suite_t *suites;
+
+	/**
+	 * Number of supported suites
+	 */
+	int suite_count;
+
+	/**
+	 * Selected cipher suite
+	 */
+	tls_cipher_suite_t suite;
+
+	/**
+	 * RSA supported?
+	 */
+	bool rsa;
+
+	/**
+	 * ECDSA supported?
+	 */
+	bool ecdsa;
+
+	/**
+	 * TLS context
+	 */
+	tls_t *tls;
+
+	/**
+	 * All handshake data concatentated
+	 */
+	chunk_t handshake;
+
+	/**
+	 * Connection state TLS PRF
+	 */
+	tls_prf_t *prf;
+
+	/**
+	 * Signer instance for inbound traffic
+	 */
+	signer_t *signer_in;
+
+	/**
+	 * Signer instance for outbound traffic
+	 */
+	signer_t *signer_out;
+
+	/**
+	 * Crypter instance for inbound traffic
+	 */
+	crypter_t *crypter_in;
+
+	/**
+	 * Crypter instance for outbound traffic
+	 */
+	crypter_t *crypter_out;
+
+	/**
+	 * IV for input decryption, if < TLSv1.2
+	 */
+	chunk_t iv_in;
+
+	/**
+	 * IV for output decryption, if < TLSv1.2
+	 */
+	chunk_t iv_out;
+
+	/**
+	 * EAP-[T]TLS MSK
+	 */
+	chunk_t msk;
+
+	/**
+	 * ASCII string constant used as seed for EAP-[T]TLS MSK PRF
+	 */
+	char *msk_label;
+};
+
+typedef struct {
+	tls_cipher_suite_t suite;
+	key_type_t key;
+	diffie_hellman_group_t dh;
+	hash_algorithm_t hash;
+	pseudo_random_function_t prf;
+	integrity_algorithm_t mac;
+	encryption_algorithm_t encr;
+	size_t encr_size;
+} suite_algs_t;
+
+/**
+ * Mapping suites to a set of algorithms
+ */
+static suite_algs_t suite_algs[] = {
+	{ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+		KEY_ECDSA, ECP_256_BIT,
+		HASH_SHA1, PRF_HMAC_SHA1,
+		AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16
+	},
+	{ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
+		KEY_ECDSA, ECP_256_BIT,
+		HASH_SHA256, PRF_HMAC_SHA2_256,
+		AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16
+	},
+	{ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+		KEY_ECDSA, ECP_384_BIT,
+		HASH_SHA1, PRF_HMAC_SHA1,
+		AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32
+	},
+	{ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
+		KEY_ECDSA, ECP_384_BIT,
+		HASH_SHA384, PRF_HMAC_SHA2_384,
+		AUTH_HMAC_SHA2_384_384, ENCR_AES_CBC, 32
+	},
+	{ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+		KEY_RSA, ECP_256_BIT,
+		HASH_SHA1, PRF_HMAC_SHA1,
+		AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16
+	},
+	{ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
+		KEY_RSA, ECP_256_BIT,
+		HASH_SHA256, PRF_HMAC_SHA2_256,
+		AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16
+	},
+	{ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+		KEY_RSA, ECP_384_BIT,
+		HASH_SHA1, PRF_HMAC_SHA1,
+		AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32
+	},
+	{ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
+		KEY_RSA, ECP_384_BIT,
+		HASH_SHA384, PRF_HMAC_SHA2_384,
+		AUTH_HMAC_SHA2_384_384, ENCR_AES_CBC, 32
+	},
+	{ TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
+		KEY_RSA, MODP_2048_BIT,
+		HASH_SHA1, PRF_HMAC_SHA1,
+		AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16
+	},
+	{ TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
+		KEY_RSA, MODP_3072_BIT,
+		HASH_SHA256, PRF_HMAC_SHA2_256,
+		AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16
+	},
+	{ TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
+		KEY_RSA, MODP_3072_BIT,
+		HASH_SHA1, PRF_HMAC_SHA1,
+		AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32
+	},
+	{ TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
+		KEY_RSA, MODP_4096_BIT,
+		HASH_SHA256, PRF_HMAC_SHA2_256,
+		AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32
+	},
+	{ TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
+		KEY_RSA, MODP_2048_BIT,
+		HASH_SHA1, PRF_HMAC_SHA1,
+		AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 16
+	},
+	{ TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
+		KEY_RSA, MODP_3072_BIT,
+		HASH_SHA256, PRF_HMAC_SHA2_256,
+		AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 16
+	},
+	{ TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
+		KEY_RSA, MODP_3072_BIT,
+		HASH_SHA1, PRF_HMAC_SHA1,
+		AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 32
+	},
+	{ TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
+		KEY_RSA, MODP_4096_BIT,
+		HASH_SHA256, PRF_HMAC_SHA2_256,
+		AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 32
+	},
+	{ TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
+		KEY_RSA, MODP_2048_BIT,
+		HASH_SHA1, PRF_HMAC_SHA1,
+		AUTH_HMAC_SHA1_160, ENCR_3DES, 0
+	},
+	{ TLS_RSA_WITH_AES_128_CBC_SHA,
+		KEY_RSA, MODP_NONE,
+		HASH_SHA1, PRF_HMAC_SHA1,
+		AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16
+	},
+	{ TLS_RSA_WITH_AES_128_CBC_SHA256,
+		KEY_RSA, MODP_NONE,
+		HASH_SHA256, PRF_HMAC_SHA2_256,
+		AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16
+	},
+	{ TLS_RSA_WITH_AES_256_CBC_SHA,
+		KEY_RSA, MODP_NONE,
+		HASH_SHA1, PRF_HMAC_SHA1,
+		AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32
+	},
+	{ TLS_RSA_WITH_AES_256_CBC_SHA256,
+		KEY_RSA, MODP_NONE,
+		HASH_SHA256, PRF_HMAC_SHA2_256,
+		AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32
+	},
+	{ TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
+		KEY_RSA, MODP_NONE,
+		HASH_SHA1, PRF_HMAC_SHA1,
+		AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 16
+	},
+	{ TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256,
+		KEY_RSA, MODP_NONE,
+		HASH_SHA256, PRF_HMAC_SHA2_256,
+		AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 16
+	},
+	{ TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
+		KEY_RSA, MODP_NONE,
+		HASH_SHA1, PRF_HMAC_SHA1,
+		AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 32
+	},
+	{ TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256,
+		KEY_RSA, MODP_NONE,
+		HASH_SHA256, PRF_HMAC_SHA2_256,
+		AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 32
+	},
+	{ TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
+		KEY_ECDSA, ECP_256_BIT,
+		HASH_SHA1, PRF_HMAC_SHA1,
+		AUTH_HMAC_SHA1_160, ENCR_3DES, 0
+	},
+	{ TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
+		KEY_RSA, ECP_256_BIT,
+		HASH_SHA1, PRF_HMAC_SHA1,
+		AUTH_HMAC_SHA1_160, ENCR_3DES, 0
+	},
+	{ TLS_RSA_WITH_3DES_EDE_CBC_SHA,
+		KEY_RSA, MODP_NONE,
+		HASH_SHA1, PRF_HMAC_SHA1,
+		AUTH_HMAC_SHA1_160, ENCR_3DES, 0
+	},
+	{ TLS_ECDHE_ECDSA_WITH_NULL_SHA,
+		KEY_ECDSA, ECP_256_BIT,
+		HASH_SHA1, PRF_HMAC_SHA1,
+		AUTH_HMAC_SHA1_160, ENCR_NULL, 0
+	},
+	{ TLS_ECDHE_RSA_WITH_NULL_SHA,
+		KEY_ECDSA, ECP_256_BIT,
+		HASH_SHA1, PRF_HMAC_SHA1,
+		AUTH_HMAC_SHA1_160, ENCR_NULL, 0
+	},
+	{ TLS_RSA_WITH_NULL_SHA,
+		KEY_RSA, MODP_NONE,
+		HASH_SHA1, PRF_HMAC_SHA1,
+		AUTH_HMAC_SHA1_160, ENCR_NULL, 0
+	},
+	{ TLS_RSA_WITH_NULL_SHA256,
+		KEY_RSA, MODP_NONE,
+		HASH_SHA256, PRF_HMAC_SHA2_256,
+		AUTH_HMAC_SHA2_256_256, ENCR_NULL, 0
+	},
+	{ TLS_RSA_WITH_NULL_MD5,
+		KEY_RSA, MODP_NONE,
+		HASH_MD5, PRF_HMAC_MD5,
+		AUTH_HMAC_MD5_128, ENCR_NULL, 0
+	},
+};
+
+/**
+ * Look up algoritms by a suite
+ */
+static suite_algs_t *find_suite(tls_cipher_suite_t suite)
+{
+	int i;
+
+	for (i = 0; i < countof(suite_algs); i++)
+	{
+		if (suite_algs[i].suite == suite)
+		{
+			return &suite_algs[i];
+		}
+	}
+	return NULL;
+}
+
+/**
+ * Filter a suite list using a transform enumerator
+ */
+static void filter_suite(private_tls_crypto_t *this,
+						 suite_algs_t suites[], int *count, int offset,
+						 enumerator_t*(*create_enumerator)(crypto_factory_t*))
+{
+	suite_algs_t current;
+	int i, remaining = 0;
+	enumerator_t *enumerator;
+
+	memset(&current, 0, sizeof(current));
+	for (i = 0; i < *count; i++)
+	{
+		enumerator = create_enumerator(lib->crypto);
+		while (enumerator->enumerate(enumerator, ((char*)&current) + offset))
+		{
+			if ((suites[i].encr == ENCR_NULL ||
+				 !current.encr || current.encr == suites[i].encr) &&
+				(!current.mac  || current.mac  == suites[i].mac) &&
+				(!current.prf  || current.prf  == suites[i].prf) &&
+				(!current.hash || current.hash == suites[i].hash) &&
+				(suites[i].dh == MODP_NONE ||
+				 !current.dh   || current.dh   == suites[i].dh))
+			{
+				suites[remaining] = suites[i];
+				remaining++;
+				break;
+			}
+		}
+		enumerator->destroy(enumerator);
+	}
+	*count = remaining;
+}
+
+/**
+ * Purge NULL encryption cipher suites from list
+ */
+static void filter_null_suites(private_tls_crypto_t *this,
+							   suite_algs_t suites[], int *count)
+{
+	int i, remaining = 0;
+
+	for (i = 0; i < *count; i++)
+	{
+		if (suites[i].encr != ENCR_NULL)
+		{
+			suites[remaining] = suites[i];
+			remaining++;
+		}
+	}
+	*count = remaining;
+}
+
+/**
+ * Purge suites using a given key type
+ */
+static void filter_key_suites(private_tls_crypto_t *this,
+							  suite_algs_t suites[], int *count, key_type_t key)
+{
+	int i, remaining = 0;
+
+	DBG2(DBG_TLS, "disabling %N suites, no backend found", key_type_names, key);
+	for (i = 0; i < *count; i++)
+	{
+		if (suites[i].key != key)
+		{
+			suites[remaining] = suites[i];
+			remaining++;
+		}
+	}
+	*count = remaining;
+}
+
+/**
+ * Filter suites by key exchange user config
+ */
+static void filter_key_exchange_config_suites(private_tls_crypto_t *this,
+											  suite_algs_t suites[], int *count)
+{
+	enumerator_t *enumerator;
+	int i, remaining = 0;
+	char *token, *config;
+
+	config = lib->settings->get_str(lib->settings, "libtls.key_exchange", NULL);
+	if (config)
+	{
+		for (i = 0; i < *count; i++)
+		{
+			enumerator = enumerator_create_token(config, ",", " ");
+			while (enumerator->enumerate(enumerator, &token))
+			{
+				if (strcaseeq(token, "ecdhe-ecdsa") &&
+					diffie_hellman_group_is_ec(suites[i].dh) &&
+					suites[i].key == KEY_ECDSA)
+				{
+					suites[remaining++] = suites[i];
+					break;
+				}
+				if (strcaseeq(token, "ecdhe-rsa") &&
+					diffie_hellman_group_is_ec(suites[i].dh) &&
+					suites[i].key == KEY_RSA)
+				{
+					suites[remaining++] = suites[i];
+					break;
+				}
+				if (strcaseeq(token, "dhe-rsa") &&
+					!diffie_hellman_group_is_ec(suites[i].dh) &&
+					suites[i].dh != MODP_NONE &&
+					suites[i].key == KEY_RSA)
+				{
+					suites[remaining++] = suites[i];
+					break;
+				}
+				if (strcaseeq(token, "rsa") &&
+					suites[i].dh == MODP_NONE &&
+					suites[i].key == KEY_RSA)
+				{
+					suites[remaining++] = suites[i];
+					break;
+				}
+			}
+			enumerator->destroy(enumerator);
+		}
+		*count = remaining;
+	}
+}
+
+/**
+ * Filter suites by cipher user config
+ */
+static void filter_cipher_config_suites(private_tls_crypto_t *this,
+										suite_algs_t suites[], int *count)
+{
+	enumerator_t *enumerator;
+	int i, remaining = 0;
+	char *token, *config;
+
+	config = lib->settings->get_str(lib->settings, "libtls.cipher", NULL);
+	if (config)
+	{
+		for (i = 0; i < *count; i++)
+		{
+			enumerator = enumerator_create_token(config, ",", " ");
+			while (enumerator->enumerate(enumerator, &token))
+			{
+				if (strcaseeq(token, "aes128") &&
+					suites[i].encr == ENCR_AES_CBC &&
+					suites[i].encr_size == 16)
+				{
+					suites[remaining++] = suites[i];
+					break;
+				}
+				if (strcaseeq(token, "aes256") &&
+					suites[i].encr == ENCR_AES_CBC &&
+					suites[i].encr_size == 32)
+				{
+					suites[remaining++] = suites[i];
+					break;
+				}
+				if (strcaseeq(token, "camellia128") &&
+					suites[i].encr == ENCR_CAMELLIA_CBC &&
+					suites[i].encr_size == 16)
+				{
+					suites[remaining++] = suites[i];
+					break;
+				}
+				if (strcaseeq(token, "camellia256") &&
+					suites[i].encr == ENCR_CAMELLIA_CBC &&
+					suites[i].encr_size == 32)
+				{
+					suites[remaining++] = suites[i];
+					break;
+				}
+				if (strcaseeq(token, "3des") &&
+					suites[i].encr == ENCR_3DES)
+				{
+					suites[remaining++] = suites[i];
+					break;
+				}
+				if (strcaseeq(token, "null") &&
+					suites[i].encr == ENCR_NULL)
+				{
+					suites[remaining++] = suites[i];
+					break;
+				}
+			}
+			enumerator->destroy(enumerator);
+		}
+		*count = remaining;
+	}
+}
+
+/**
+ * Filter suites by mac user config
+ */
+static void filter_mac_config_suites(private_tls_crypto_t *this,
+									 suite_algs_t suites[], int *count)
+{
+	enumerator_t *enumerator;
+	int i, remaining = 0;
+	char *token, *config;
+
+	config = lib->settings->get_str(lib->settings, "libtls.mac", NULL);
+	if (config)
+	{
+		for (i = 0; i < *count; i++)
+		{
+			enumerator = enumerator_create_token(config, ",", " ");
+			while (enumerator->enumerate(enumerator, &token))
+			{
+				if (strcaseeq(token, "md5") &&
+					suites[i].hash == HASH_MD5)
+				{
+					suites[remaining++] = suites[i];
+					break;
+				}
+				if (strcaseeq(token, "sha1") &&
+					suites[i].hash == HASH_SHA1)
+				{
+					suites[remaining++] = suites[i];
+					break;
+				}
+				if (strcaseeq(token, "sha256") &&
+					suites[i].hash == HASH_SHA256)
+				{
+					suites[remaining++] = suites[i];
+					break;
+				}
+				if (strcaseeq(token, "sha384") &&
+					suites[i].hash == HASH_SHA384)
+				{
+					suites[remaining++] = suites[i];
+					break;
+				}
+			}
+			enumerator->destroy(enumerator);
+		}
+		*count = remaining;
+	}
+}
+
+/**
+ * Filter for specific suites specified in strongswan.conf
+ */
+static void filter_specific_config_suites(private_tls_crypto_t *this,
+										  suite_algs_t suites[], int *count)
+{
+	enumerator_t *enumerator;
+	int i, remaining = 0, suite;
+	char *token, *config;
+
+	config = lib->settings->get_str(lib->settings, "libtls.suites", NULL);
+	if (config)
+	{
+		for (i = 0; i < *count; i++)
+		{
+			enumerator = enumerator_create_token(config, ",", " ");
+			while (enumerator->enumerate(enumerator, &token))
+			{
+				suite = enum_from_name(tls_cipher_suite_names, token);
+				if (suite == suites[i].suite)
+				{
+					suites[remaining++] = suites[i];
+					break;
+				}
+			}
+			enumerator->destroy(enumerator);
+		}
+		*count = remaining;
+	}
+}
+
+/**
+ * Initialize the cipher suite list
+ */
+static void build_cipher_suite_list(private_tls_crypto_t *this,
+									bool require_encryption)
+{
+	suite_algs_t suites[countof(suite_algs)];
+	int count = countof(suite_algs), i;
+
+	/* copy all suites */
+	for (i = 0; i < count; i++)
+	{
+		suites[i] = suite_algs[i];
+	}
+	if (require_encryption)
+	{
+		filter_null_suites(this, suites, &count);
+	}
+	if (!this->rsa)
+	{
+		filter_key_suites(this, suites, &count, KEY_RSA);
+	}
+	if (!this->ecdsa)
+	{
+		filter_key_suites(this, suites, &count, KEY_ECDSA);
+	}
+
+	/* filter suite list by each algorithm */
+	filter_suite(this, suites, &count, offsetof(suite_algs_t, encr),
+				 lib->crypto->create_crypter_enumerator);
+	filter_suite(this, suites, &count, offsetof(suite_algs_t, mac),
+				 lib->crypto->create_signer_enumerator);
+	filter_suite(this, suites, &count, offsetof(suite_algs_t, prf),
+				 lib->crypto->create_prf_enumerator);
+	filter_suite(this, suites, &count, offsetof(suite_algs_t, hash),
+				 lib->crypto->create_hasher_enumerator);
+	filter_suite(this, suites, &count, offsetof(suite_algs_t, dh),
+				 lib->crypto->create_dh_enumerator);
+
+	/* filter suites with strongswan.conf options */
+	filter_key_exchange_config_suites(this, suites, &count);
+	filter_cipher_config_suites(this, suites, &count);
+	filter_mac_config_suites(this, suites, &count);
+	filter_specific_config_suites(this, suites, &count);
+
+	free(this->suites);
+	this->suite_count = count;
+	this->suites = malloc(sizeof(tls_cipher_suite_t) * count);
+
+	DBG2(DBG_TLS, "%d supported TLS cipher suites:", count);
+	for (i = 0; i < count; i++)
+	{
+		DBG2(DBG_TLS, "  %N", tls_cipher_suite_names, suites[i].suite);
+		this->suites[i] = suites[i].suite;
+	}
+}
+
+METHOD(tls_crypto_t, get_cipher_suites, int,
+	private_tls_crypto_t *this, tls_cipher_suite_t **suites)
+{
+	*suites = this->suites;
+	return this->suite_count;
+}
+
+/**
+ * Create crypto primitives
+ */
+static bool create_ciphers(private_tls_crypto_t *this, suite_algs_t *algs)
+{
+	DESTROY_IF(this->prf);
+	if (this->tls->get_version(this->tls) < TLS_1_2)
+	{
+		this->prf = tls_prf_create_10();
+	}
+	else
+	{
+		this->prf = tls_prf_create_12(algs->prf);
+	}
+	if (!this->prf)
+	{
+		DBG1(DBG_TLS, "selected TLS PRF not supported");
+		return FALSE;
+	}
+
+	DESTROY_IF(this->signer_in);
+	DESTROY_IF(this->signer_out);
+	this->signer_in = lib->crypto->create_signer(lib->crypto, algs->mac);
+	this->signer_out = lib->crypto->create_signer(lib->crypto, algs->mac);
+	if (!this->signer_in || !this->signer_out)
+	{
+		DBG1(DBG_TLS, "selected TLS MAC %N not supported",
+			 integrity_algorithm_names, algs->mac);
+		return FALSE;
+	}
+
+	DESTROY_IF(this->crypter_in);
+	DESTROY_IF(this->crypter_out);
+	if (algs->encr == ENCR_NULL)
+	{
+		this->crypter_in = this->crypter_out = NULL;
+	}
+	else
+	{
+		this->crypter_in = lib->crypto->create_crypter(lib->crypto,
+												algs->encr, algs->encr_size);
+		this->crypter_out = lib->crypto->create_crypter(lib->crypto,
+												algs->encr, algs->encr_size);
+		if (!this->crypter_in || !this->crypter_out)
+		{
+			DBG1(DBG_TLS, "selected TLS crypter %N not supported",
+				 encryption_algorithm_names, algs->encr);
+			return FALSE;
+		}
+	}
+	return TRUE;
+}
+
+METHOD(tls_crypto_t, select_cipher_suite, tls_cipher_suite_t,
+	private_tls_crypto_t *this, tls_cipher_suite_t *suites, int count,
+	key_type_t key)
+{
+	suite_algs_t *algs;
+	int i, j;
+
+	for (i = 0; i < this->suite_count; i++)
+	{
+		for (j = 0; j < count; j++)
+		{
+			if (this->suites[i] == suites[j])
+			{
+				algs = find_suite(this->suites[i]);
+				if (algs)
+				{
+					if (key == KEY_ANY || key == algs->key)
+					{
+						if (create_ciphers(this, algs))
+						{
+							this->suite = this->suites[i];
+							return this->suite;
+						}
+					}
+				}
+			}
+		}
+	}
+	return 0;
+}
+
+METHOD(tls_crypto_t, get_dh_group, diffie_hellman_group_t,
+	private_tls_crypto_t *this)
+{
+	suite_algs_t *algs;
+
+	algs = find_suite(this->suite);
+	if (algs)
+	{
+		return algs->dh;
+	}
+	return MODP_NONE;
+}
+
+METHOD(tls_crypto_t, get_signature_algorithms, void,
+	private_tls_crypto_t *this, tls_writer_t *writer)
+{
+	tls_writer_t *supported;
+	enumerator_t *enumerator;
+	hash_algorithm_t alg;
+	tls_hash_algorithm_t hash;
+
+	supported = tls_writer_create(32);
+	enumerator = lib->crypto->create_hasher_enumerator(lib->crypto);
+	while (enumerator->enumerate(enumerator, &alg))
+	{
+		switch (alg)
+		{
+			case HASH_MD5:
+				hash = TLS_HASH_MD5;
+				break;
+			case HASH_SHA1:
+				hash = TLS_HASH_SHA1;
+				break;
+			case HASH_SHA224:
+				hash = TLS_HASH_SHA224;
+				break;
+			case HASH_SHA256:
+				hash = TLS_HASH_SHA256;
+				break;
+			case HASH_SHA384:
+				hash = TLS_HASH_SHA384;
+				break;
+			case HASH_SHA512:
+				hash = TLS_HASH_SHA512;
+				break;
+			default:
+				continue;
+		}
+		if (this->rsa)
+		{
+			supported->write_uint8(supported, hash);
+			supported->write_uint8(supported, TLS_SIG_RSA);
+		}
+		if (this->ecdsa && alg != HASH_MD5 && alg != HASH_SHA224)
+		{	/* currently we have no signature scheme for MD5/SHA224 */
+			supported->write_uint8(supported, hash);
+			supported->write_uint8(supported, TLS_SIG_ECDSA);
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	writer->write_data16(writer, supported->get_buf(supported));
+	supported->destroy(supported);
+}
+
+/**
+ * Mapping groups to TLS named curves
+ */
+static struct {
+	diffie_hellman_group_t group;
+	tls_named_curve_t curve;
+} curves[] = {
+	{ ECP_256_BIT, TLS_SECP256R1},
+	{ ECP_384_BIT, TLS_SECP384R1},
+	{ ECP_521_BIT, TLS_SECP521R1},
+	{ ECP_224_BIT, TLS_SECP224R1},
+	{ ECP_192_BIT, TLS_SECP192R1},
+};
+
+/**
+ * Filter EC groups, add TLS curve
+ */
+static bool group_filter(void *null,
+						diffie_hellman_group_t *in, diffie_hellman_group_t *out,
+						void* dummy1, tls_named_curve_t *curve)
+{
+	int i;
+
+	for (i = 0; i < countof(curves); i++)
+	{
+		if (curves[i].group == *in)
+		{
+			if (out)
+			{
+				*out = curves[i].group;
+			}
+			if (curve)
+			{
+				*curve = curves[i].curve;
+			}
+			return TRUE;
+		}
+	}
+	return FALSE;
+}
+
+METHOD(tls_crypto_t, create_ec_enumerator, enumerator_t*,
+	private_tls_crypto_t *this)
+{
+	return enumerator_create_filter(
+					lib->crypto->create_dh_enumerator(lib->crypto),
+					(void*)group_filter, NULL, NULL);
+}
+
+METHOD(tls_crypto_t, set_protection, void,
+	private_tls_crypto_t *this, tls_protection_t *protection)
+{
+	this->protection = protection;
+}
+
+METHOD(tls_crypto_t, append_handshake, void,
+	private_tls_crypto_t *this, tls_handshake_type_t type, chunk_t data)
+{
+	u_int32_t header;
+
+	/* reconstruct handshake header */
+	header = htonl(data.len | (type << 24));
+	this->handshake = chunk_cat("mcc", this->handshake,
+								chunk_from_thing(header), data);
+}
+
+/**
+ * Create a hash using the suites HASH algorithm
+ */
+static bool hash_data(private_tls_crypto_t *this, chunk_t data, chunk_t *hash)
+{
+	if (this->tls->get_version(this->tls) >= TLS_1_2)
+	{
+		hasher_t *hasher;
+		suite_algs_t *alg;
+
+		alg = find_suite(this->suite);
+		if (!alg)
+		{
+			return FALSE;
+		}
+		hasher = lib->crypto->create_hasher(lib->crypto, alg->hash);
+		if (!hasher)
+		{
+			DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, alg->hash);
+			return FALSE;
+		}
+		hasher->allocate_hash(hasher, data, hash);
+		hasher->destroy(hasher);
+	}
+	else
+	{
+		hasher_t *md5, *sha1;
+		char buf[HASH_SIZE_MD5 + HASH_SIZE_SHA1];
+
+		md5 = lib->crypto->create_hasher(lib->crypto, HASH_MD5);
+		if (!md5)
+		{
+			DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, HASH_MD5);
+			return FALSE;
+		}
+		md5->get_hash(md5, data, buf);
+		md5->destroy(md5);
+		sha1 = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
+		if (!sha1)
+		{
+			DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, HASH_SHA1);
+			return FALSE;
+		}
+		sha1->get_hash(sha1, data, buf + HASH_SIZE_MD5);
+		sha1->destroy(sha1);
+
+		*hash = chunk_clone(chunk_from_thing(buf));
+	}
+	return TRUE;
+}
+
+/**
+ * Get the signature scheme from a TLS 1.2 hash/sig algorithm pair
+ */
+static signature_scheme_t hashsig_to_scheme(key_type_t type,
+					tls_hash_algorithm_t hash, tls_signature_algorithm_t sig)
+{
+	switch (sig)
+	{
+		case TLS_SIG_RSA:
+			if (type != KEY_RSA)
+			{
+				return SIGN_UNKNOWN;
+			}
+			switch (hash)
+			{
+				case TLS_HASH_MD5:
+					return SIGN_RSA_EMSA_PKCS1_MD5;
+				case TLS_HASH_SHA1:
+					return SIGN_RSA_EMSA_PKCS1_SHA1;
+				case TLS_HASH_SHA224:
+					return SIGN_RSA_EMSA_PKCS1_SHA224;
+				case TLS_HASH_SHA256:
+					return SIGN_RSA_EMSA_PKCS1_SHA256;
+				case TLS_HASH_SHA384:
+					return SIGN_RSA_EMSA_PKCS1_SHA384;
+				case TLS_HASH_SHA512:
+					return SIGN_RSA_EMSA_PKCS1_SHA512;
+				default:
+					return SIGN_UNKNOWN;
+			}
+		case TLS_SIG_ECDSA:
+			if (type != KEY_ECDSA)
+			{
+				return SIGN_UNKNOWN;
+			}
+			switch (hash)
+			{
+				case TLS_HASH_SHA224:
+					return SIGN_ECDSA_WITH_SHA1_DER;
+				case TLS_HASH_SHA256:
+					return SIGN_ECDSA_WITH_SHA256_DER;
+				case TLS_HASH_SHA384:
+					return SIGN_ECDSA_WITH_SHA384_DER;
+				case TLS_HASH_SHA512:
+					return SIGN_ECDSA_WITH_SHA512_DER;
+				default:
+					return SIGN_UNKNOWN;
+			}
+		default:
+			return SIGN_UNKNOWN;
+	}
+}
+
+METHOD(tls_crypto_t, sign, bool,
+	private_tls_crypto_t *this, private_key_t *key, tls_writer_t *writer,
+	chunk_t data, chunk_t hashsig)
+{
+	if (this->tls->get_version(this->tls) >= TLS_1_2)
+	{
+		signature_scheme_t scheme;
+		tls_reader_t *reader;
+		u_int8_t hash, alg;
+		chunk_t sig;
+		bool done = FALSE;
+
+		if (!hashsig.len)
+		{	/* fallback if none given */
+			hashsig = chunk_from_chars(
+				TLS_HASH_SHA1, TLS_SIG_RSA, TLS_HASH_SHA1, TLS_SIG_ECDSA);
+		}
+		reader = tls_reader_create(hashsig);
+		while (reader->remaining(reader) >= 2)
+		{
+			if (reader->read_uint8(reader, &hash) &&
+				reader->read_uint8(reader, &alg))
+			{
+				scheme = hashsig_to_scheme(key->get_type(key), hash, alg);
+				if (scheme != SIGN_UNKNOWN &&
+					key->sign(key, scheme, data, &sig))
+				{
+					done = TRUE;
+					break;
+				}
+			}
+		}
+		reader->destroy(reader);
+		if (!done)
+		{
+			DBG1(DBG_TLS, "none of the proposed hash/sig algorithms supported");
+			return FALSE;
+		}
+		DBG2(DBG_TLS, "created signature with %N/%N",
+			 tls_hash_algorithm_names, hash, tls_signature_algorithm_names, alg);
+		writer->write_uint8(writer, hash);
+		writer->write_uint8(writer, alg);
+		writer->write_data16(writer, sig);
+		free(sig.ptr);
+	}
+	else
+	{
+		chunk_t sig, hash;
+		bool done;
+
+		switch (key->get_type(key))
+		{
+			case KEY_RSA:
+				if (!hash_data(this, data, &hash))
+				{
+					return FALSE;
+				}
+				done = key->sign(key, SIGN_RSA_EMSA_PKCS1_NULL, hash, &sig);
+				free(hash.ptr);
+				if (!done)
+				{
+					return FALSE;
+				}
+				DBG2(DBG_TLS, "created signature with MD5+SHA1/RSA");
+				break;
+			case KEY_ECDSA:
+				if (!key->sign(key, SIGN_ECDSA_WITH_SHA1_DER, data, &sig))
+				{
+					return FALSE;
+				}
+				DBG2(DBG_TLS, "created signature with SHA1/ECDSA");
+				break;
+			default:
+				return FALSE;
+		}
+		writer->write_data16(writer, sig);
+		free(sig.ptr);
+	}
+	return TRUE;
+}
+
+METHOD(tls_crypto_t, verify, bool,
+	private_tls_crypto_t *this, public_key_t *key, tls_reader_t *reader,
+	chunk_t data)
+{
+	if (this->tls->get_version(this->tls) >= TLS_1_2)
+	{
+		signature_scheme_t scheme = SIGN_UNKNOWN;
+		u_int8_t hash, alg;
+		chunk_t sig;
+
+		if (!reader->read_uint8(reader, &hash) ||
+			!reader->read_uint8(reader, &alg) ||
+			!reader->read_data16(reader, &sig))
+		{
+			DBG1(DBG_TLS, "received invalid signature");
+			return FALSE;
+		}
+		scheme = hashsig_to_scheme(key->get_type(key), hash, alg);
+		if (scheme == SIGN_UNKNOWN)
+		{
+			DBG1(DBG_TLS, "signature algorithms %N/%N not supported",
+				 tls_hash_algorithm_names, hash,
+				 tls_signature_algorithm_names, alg);
+			return FALSE;
+		}
+		if (!key->verify(key, scheme, data, sig))
+		{
+			return FALSE;
+		}
+		DBG2(DBG_TLS, "verified signature with %N/%N",
+			 tls_hash_algorithm_names, hash, tls_signature_algorithm_names, alg);
+	}
+	else
+	{
+		chunk_t sig, hash;
+		bool done;
+
+		if (!reader->read_data16(reader, &sig))
+		{
+			DBG1(DBG_TLS, "received invalid signature");
+			return FALSE;
+		}
+		switch (key->get_type(key))
+		{
+			case KEY_RSA:
+				if (!hash_data(this, data, &hash))
+				{
+					return FALSE;
+				}
+				done = key->verify(key, SIGN_RSA_EMSA_PKCS1_NULL, hash, sig);
+				free(hash.ptr);
+				if (!done)
+				{
+					return FALSE;
+				}
+				DBG2(DBG_TLS, "verified signature data with MD5+SHA1/RSA");
+				break;
+			case KEY_ECDSA:
+				if (!key->verify(key, SIGN_ECDSA_WITH_SHA1_DER, data, sig))
+				{
+					return FALSE;
+				}
+				DBG2(DBG_TLS, "verified signature with SHA1/ECDSA");
+				break;
+			default:
+				return FALSE;
+		}
+	}
+	return TRUE;
+}
+
+METHOD(tls_crypto_t, sign_handshake, bool,
+	private_tls_crypto_t *this, private_key_t *key, tls_writer_t *writer,
+	chunk_t hashsig)
+{
+	return sign(this, key, writer, this->handshake, hashsig);
+}
+
+METHOD(tls_crypto_t, verify_handshake, bool,
+	private_tls_crypto_t *this, public_key_t *key, tls_reader_t *reader)
+{
+	return verify(this, key, reader, this->handshake);
+}
+
+METHOD(tls_crypto_t, calculate_finished, bool,
+	private_tls_crypto_t *this, char *label, char out[12])
+{
+	chunk_t seed;
+
+	if (!this->prf)
+	{
+		return FALSE;
+	}
+	if (!hash_data(this, this->handshake, &seed))
+	{
+		return FALSE;
+	}
+	this->prf->get_bytes(this->prf, label, seed, 12, out);
+	free(seed.ptr);
+	return TRUE;
+}
+
+METHOD(tls_crypto_t, derive_secrets, void,
+	private_tls_crypto_t *this, chunk_t premaster,
+	chunk_t client_random, chunk_t server_random)
+{
+	char master[48];
+	chunk_t seed, block, client_write, server_write;
+	int mks, eks = 0, ivs = 0;
+
+	/* derive master secret */
+	seed = chunk_cata("cc", client_random, server_random);
+	this->prf->set_key(this->prf, premaster);
+	this->prf->get_bytes(this->prf, "master secret", seed,
+						 sizeof(master), master);
+
+	this->prf->set_key(this->prf, chunk_from_thing(master));
+	memset(master, 0, sizeof(master));
+
+	/* derive key block for key expansion */
+	mks = this->signer_out->get_key_size(this->signer_out);
+	if (this->crypter_out)
+	{
+		eks = this->crypter_out->get_key_size(this->crypter_out);
+		if (this->tls->get_version(this->tls) < TLS_1_1)
+		{
+			ivs = this->crypter_out->get_iv_size(this->crypter_out);
+		}
+	}
+	seed = chunk_cata("cc", server_random, client_random);
+	block = chunk_alloca((mks + eks + ivs) * 2);
+	this->prf->get_bytes(this->prf, "key expansion", seed, block.len, block.ptr);
+
+	/* signer keys */
+	client_write = chunk_create(block.ptr, mks);
+	block = chunk_skip(block, mks);
+	server_write = chunk_create(block.ptr, mks);
+	block = chunk_skip(block, mks);
+	if (this->tls->is_server(this->tls))
+	{
+		this->signer_in->set_key(this->signer_in, client_write);
+		this->signer_out->set_key(this->signer_out, server_write);
+	}
+	else
+	{
+		this->signer_out->set_key(this->signer_out, client_write);
+		this->signer_in->set_key(this->signer_in, server_write);
+	}
+
+	/* crypter keys, and IVs if < TLSv1.2 */
+	if (this->crypter_out && this->crypter_in)
+	{
+		client_write = chunk_create(block.ptr, eks);
+		block = chunk_skip(block, eks);
+		server_write = chunk_create(block.ptr, eks);
+		block = chunk_skip(block, eks);
+
+		if (this->tls->is_server(this->tls))
+		{
+			this->crypter_in->set_key(this->crypter_in, client_write);
+			this->crypter_out->set_key(this->crypter_out, server_write);
+		}
+		else
+		{
+			this->crypter_out->set_key(this->crypter_out, client_write);
+			this->crypter_in->set_key(this->crypter_in, server_write);
+		}
+		if (ivs)
+		{
+			client_write = chunk_create(block.ptr, ivs);
+			block = chunk_skip(block, ivs);
+			server_write = chunk_create(block.ptr, ivs);
+			block = chunk_skip(block, ivs);
+
+			if (this->tls->is_server(this->tls))
+			{
+				this->iv_in = chunk_clone(client_write);
+				this->iv_out = chunk_clone(server_write);
+			}
+			else
+			{
+				this->iv_out = chunk_clone(client_write);
+				this->iv_in = chunk_clone(server_write);
+			}
+		}
+	}
+}
+
+METHOD(tls_crypto_t, change_cipher, void,
+	private_tls_crypto_t *this, bool inbound)
+{
+	if (this->protection)
+	{
+		if (inbound)
+		{
+			this->protection->set_cipher(this->protection, TRUE,
+							this->signer_in, this->crypter_in, this->iv_in);
+		}
+		else
+		{
+			this->protection->set_cipher(this->protection, FALSE,
+							this->signer_out, this->crypter_out, this->iv_out);
+		}
+	}
+}
+
+METHOD(tls_crypto_t, derive_eap_msk, void,
+	private_tls_crypto_t *this, chunk_t client_random, chunk_t server_random)
+{
+	if (this->msk_label)
+	{
+		chunk_t seed;
+
+		seed = chunk_cata("cc", client_random, server_random);
+		free(this->msk.ptr);
+		this->msk = chunk_alloc(64);
+		this->prf->get_bytes(this->prf, this->msk_label, seed,
+							 this->msk.len, this->msk.ptr);
+	}
+}
+
+METHOD(tls_crypto_t, get_eap_msk, chunk_t,
+	private_tls_crypto_t *this)
+{
+	return this->msk;
+}
+
+METHOD(tls_crypto_t, destroy, void,
+	private_tls_crypto_t *this)
+{
+	DESTROY_IF(this->signer_in);
+	DESTROY_IF(this->signer_out);
+	DESTROY_IF(this->crypter_in);
+	DESTROY_IF(this->crypter_out);
+	free(this->iv_in.ptr);
+	free(this->iv_out.ptr);
+	free(this->handshake.ptr);
+	free(this->msk.ptr);
+	DESTROY_IF(this->prf);
+	free(this->suites);
+	free(this);
+}
+
+/**
+ * See header
+ */
+tls_crypto_t *tls_crypto_create(tls_t *tls)
+{
+	private_tls_crypto_t *this;
+	enumerator_t *enumerator;
+	credential_type_t type;
+	int subtype;
+
+	INIT(this,
+		.public = {
+			.get_cipher_suites = _get_cipher_suites,
+			.select_cipher_suite = _select_cipher_suite,
+			.get_dh_group = _get_dh_group,
+			.get_signature_algorithms = _get_signature_algorithms,
+			.create_ec_enumerator = _create_ec_enumerator,
+			.set_protection = _set_protection,
+			.append_handshake = _append_handshake,
+			.sign = _sign,
+			.verify = _verify,
+			.sign_handshake = _sign_handshake,
+			.verify_handshake = _verify_handshake,
+			.calculate_finished = _calculate_finished,
+			.derive_secrets = _derive_secrets,
+			.change_cipher = _change_cipher,
+			.derive_eap_msk = _derive_eap_msk,
+			.get_eap_msk = _get_eap_msk,
+			.destroy = _destroy,
+		},
+		.tls = tls,
+	);
+
+	enumerator = lib->creds->create_builder_enumerator(lib->creds);
+	while (enumerator->enumerate(enumerator, &type, &subtype))
+	{
+		if (type == CRED_PUBLIC_KEY)
+		{
+			switch (subtype)
+			{
+				case KEY_RSA:
+					this->rsa = TRUE;
+					break;
+				case KEY_ECDSA:
+					this->ecdsa = TRUE;
+					break;
+				default:
+					break;
+			}
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	switch (tls->get_purpose(tls))
+	{
+		case TLS_PURPOSE_EAP_TLS:
+			/* MSK PRF ASCII constant label according to EAP-TLS RFC 5216 */
+			this->msk_label = "client EAP encryption";
+			build_cipher_suite_list(this, FALSE);
+			break;
+		case TLS_PURPOSE_EAP_TTLS:
+			/* MSK PRF ASCII constant label according to EAP-TTLS RFC 5281 */
+			this->msk_label = "ttls keying material";
+			build_cipher_suite_list(this, TRUE);
+			break;
+		case TLS_PURPOSE_GENERIC:
+			build_cipher_suite_list(this, TRUE);
+			break;
+		default:
+			break;
+	}
+	return &this->public;
+}
diff --git a/src/libtls/tls_crypto.h b/src/libtls/tls_crypto.h
new file mode 100644
index 000000000..f57b8f3e1
--- /dev/null
+++ b/src/libtls/tls_crypto.h
@@ -0,0 +1,554 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tls_crypto tls_crypto
+ * @{ @ingroup libtls
+ */
+
+#ifndef TLS_CRYPTO_H_
+#define TLS_CRYPTO_H_
+
+typedef struct tls_crypto_t tls_crypto_t;
+typedef enum tls_cipher_suite_t tls_cipher_suite_t;
+typedef enum tls_hash_algorithm_t tls_hash_algorithm_t;
+typedef enum tls_signature_algorithm_t tls_signature_algorithm_t;
+typedef enum tls_client_certificate_type_t tls_client_certificate_type_t;
+typedef enum tls_ecc_curve_type_t tls_ecc_curve_type_t;
+typedef enum tls_named_curve_t tls_named_curve_t;
+typedef enum tls_ansi_point_format_t tls_ansi_point_format_t;
+typedef enum tls_ec_point_format_t tls_ec_point_format_t;
+
+#include "tls.h"
+#include "tls_prf.h"
+#include "tls_protection.h"
+
+#include <library.h>
+
+#include <credentials/keys/private_key.h>
+
+/**
+ * TLS cipher suites
+ */
+enum tls_cipher_suite_t {
+	TLS_NULL_WITH_NULL_NULL =					0x0000,
+	TLS_RSA_WITH_NULL_MD5 =						0x0001,
+	TLS_RSA_WITH_NULL_SHA =						0x0002,
+	TLS_RSA_EXPORT_WITH_RC4_40_MD5 =			0x0003,
+	TLS_RSA_WITH_RC4_128_MD5 =					0x0004,
+	TLS_RSA_WITH_RC4_128_SHA =					0x0005,
+	TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 =		0x0006,
+	TLS_RSA_WITH_IDEA_CBC_SHA =					0x0007,
+	TLS_RSA_EXPORT_WITH_DES40_CBC_SHA =			0x0008,
+	TLS_RSA_WITH_DES_CBC_SHA =					0x0009,
+	TLS_RSA_WITH_3DES_EDE_CBC_SHA =				0x000A,
+	TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA = 		0x000B,
+	TLS_DH_DSS_WITH_DES_CBC_SHA =				0x000C,
+	TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA =			0x000D,
+	TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA =		0x000E,
+	TLS_DH_RSA_WITH_DES_CBC_SHA = 				0x000F,
+	TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA =			0x0010,
+	TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA = 	0x0011,
+	TLS_DHE_DSS_WITH_DES_CBC_SHA =				0x0012,
+	TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA =			0x0013,
+	TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA =		0x0014,
+	TLS_DHE_RSA_WITH_DES_CBC_SHA =				0x0015,
+	TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA =			0x0016,
+	TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 =		0x0017,
+	TLS_DH_anon_WITH_RC4_128_MD5 =				0x0018,
+	TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA =		0x0019,
+	TLS_DH_anon_WITH_DES_CBC_SHA =				0x001A,
+	TLS_DH_anon_WITH_3DES_EDE_CBC_SHA =			0x001B,
+
+	TLS_KRB5_WITH_DES_CBC_SHA =					0x001E,
+	TLS_KRB5_WITH_3DES_EDE_CBC_SHA =			0x001F,
+	TLS_KRB5_WITH_RC4_128_SHA =					0x0020,
+	TLS_KRB5_WITH_IDEA_CBC_SHA =				0x0021,
+	TLS_KRB5_WITH_DES_CBC_MD5 =					0x0022,
+	TLS_KRB5_WITH_3DES_EDE_CBC_MD5 =			0x0023,
+	TLS_KRB5_WITH_RC4_128_MD5 =					0x0024,
+	TLS_KRB5_WITH_IDEA_CBC_MD5 =				0x0025,
+	TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA =		0x0026,
+	TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA =		0x0027,
+	TLS_KRB5_EXPORT_WITH_RC4_40_SHA =			0x0028,
+	TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 =		0x0029,
+	TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5 =		0x002A,
+	TLS_KRB5_EXPORT_WITH_RC4_40_MD5 =			0x002B,
+	TLS_PSK_WITH_NULL_SHA =						0x002C,
+	TLS_DHE_PSK_WITH_NULL_SHA =					0x002D,
+	TLS_RSA_PSK_WITH_NULL_SHA =					0x002E,
+	TLS_RSA_WITH_AES_128_CBC_SHA =				0x002F,
+	TLS_DH_DSS_WITH_AES_128_CBC_SHA =			0x0030,
+	TLS_DH_RSA_WITH_AES_128_CBC_SHA =			0x0031,
+	TLS_DHE_DSS_WITH_AES_128_CBC_SHA =			0x0032,
+	TLS_DHE_RSA_WITH_AES_128_CBC_SHA =			0x0033,
+	TLS_DH_anon_WITH_AES_128_CBC_SHA =			0x0034,
+	TLS_RSA_WITH_AES_256_CBC_SHA =				0x0035,
+	TLS_DH_DSS_WITH_AES_256_CBC_SHA =			0x0036,
+	TLS_DH_RSA_WITH_AES_256_CBC_SHA =			0x0037,
+	TLS_DHE_DSS_WITH_AES_256_CBC_SHA =			0x0038,
+	TLS_DHE_RSA_WITH_AES_256_CBC_SHA =			0x0039,
+	TLS_DH_anon_WITH_AES_256_CBC_SHA =			0x003A,
+	TLS_RSA_WITH_NULL_SHA256 =					0x003B,
+	TLS_RSA_WITH_AES_128_CBC_SHA256 =			0x003C,
+	TLS_RSA_WITH_AES_256_CBC_SHA256 =			0x003D,
+	TLS_DH_DSS_WITH_AES_128_CBC_SHA256 =		0x003E,
+	TLS_DH_RSA_WITH_AES_128_CBC_SHA256 =		0x003F,
+	TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 =		0x0040,
+	TLS_RSA_WITH_CAMELLIA_128_CBC_SHA =			0x0041,
+	TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA =		0x0042,
+	TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA =		0x0043,
+	TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA = 	0x0044,
+	TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA =		0x0045,
+	TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA =		0x0046,
+
+	TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 =		0x0067,
+	TLS_DH_DSS_WITH_AES_256_CBC_SHA256 =		0x0068,
+	TLS_DH_RSA_WITH_AES_256_CBC_SHA256 =		0x0069,
+	TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 =		0x006A,
+	TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 =		0x006B,
+	TLS_DH_anon_WITH_AES_128_CBC_SHA256 =		0x006C,
+	TLS_DH_anon_WITH_AES_256_CBC_SHA256 =		0x006D,
+
+	TLS_RSA_WITH_CAMELLIA_256_CBC_SHA =			0x0084,
+	TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA =		0x0085,
+	TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA =		0x0086,
+	TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA =		0x0087,
+	TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA = 	0x0088,
+	TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA = 	0x0089,
+	TLS_PSK_WITH_RC4_128_SHA =					0x008A,
+	TLS_PSK_WITH_3DES_EDE_CBC_SHA =				0x008B,
+	TLS_PSK_WITH_AES_128_CBC_SHA =				0x008C,
+	TLS_PSK_WITH_AES_256_CBC_SHA =				0x008D,
+	TLS_DHE_PSK_WITH_RC4_128_SHA =				0x008E,
+	TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA =			0x008F,
+	TLS_DHE_PSK_WITH_AES_128_CBC_SHA =			0x0090,
+	TLS_DHE_PSK_WITH_AES_256_CBC_SHA =			0x0091,
+	TLS_RSA_PSK_WITH_RC4_128_SHA =				0x0092,
+	TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA =			0x0093,
+	TLS_RSA_PSK_WITH_AES_128_CBC_SHA =			0x0094,
+	TLS_RSA_PSK_WITH_AES_256_CBC_SHA =			0x0095,
+	TLS_RSA_WITH_SEED_CBC_SHA =					0x0096,
+	TLS_DH_DSS_WITH_SEED_CBC_SHA =				0x0097,
+	TLS_DH_RSA_WITH_SEED_CBC_SHA =				0x0098,
+	TLS_DHE_DSS_WITH_SEED_CBC_SHA =				0x0099,
+	TLS_DHE_RSA_WITH_SEED_CBC_SHA =				0x009A,
+	TLS_DH_anon_WITH_SEED_CBC_SHA =				0x009B,
+	TLS_RSA_WITH_AES_128_GCM_SHA256 =			0x009C,
+	TLS_RSA_WITH_AES_256_GCM_SHA384 =			0x009D,
+	TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 =		0x009E,
+	TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 =		0x009F,
+	TLS_DH_RSA_WITH_AES_128_GCM_SHA256 =		0x00A0,
+	TLS_DH_RSA_WITH_AES_256_GCM_SHA384 =		0x00A1,
+	TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 =		0x00A2,
+	TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 =		0x00A3,
+	TLS_DH_DSS_WITH_AES_128_GCM_SHA256 =		0x00A4,
+	TLS_DH_DSS_WITH_AES_256_GCM_SHA384 =		0x00A5,
+	TLS_DH_anon_WITH_AES_128_GCM_SHA256 =		0x00A6,
+	TLS_DH_anon_WITH_AES_256_GCM_SHA384 =		0x00A7,
+	TLS_PSK_WITH_AES_128_GCM_SHA256 =			0x00A8,
+	TLS_PSK_WITH_AES_256_GCM_SHA384 =			0x00A9,
+	TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 =		0x00AA,
+	TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 =		0x00AB,
+	TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 =		0x00AC,
+	TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 =		0x00AD,
+	TLS_PSK_WITH_AES_128_CBC_SHA256 =			0x00AE,
+	TLS_PSK_WITH_AES_256_CBC_SHA384 =			0x00AF,
+	TLS_PSK_WITH_NULL_SHA256 =					0x00B0,
+	TLS_PSK_WITH_NULL_SHA384 =					0x00B1,
+	TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 =		0x00B2,
+	TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 =		0x00B3,
+	TLS_DHE_PSK_WITH_NULL_SHA256 =				0x00B4,
+	TLS_DHE_PSK_WITH_NULL_SHA384 =				0x00B5,
+	TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 =		0x00B6,
+	TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 =		0x00B7,
+	TLS_RSA_PSK_WITH_NULL_SHA256 =				0x00B8,
+	TLS_RSA_PSK_WITH_NULL_SHA384 =				0x00B9,
+	TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 =		0x00BA,
+	TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256 =	0x00BB,
+	TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256 =	0x00BC,
+	TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256 =	0x00BD,
+	TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 =	0x00BE,
+	TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256 =	0x00BF,
+	TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 =		0x00C0,
+	TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256 =	0x00C1,
+	TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256 =	0x00C2,
+	TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256 =	0x00C3,
+	TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 =	0x00C4,
+	TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256 =	0x00C5,
+
+	TLS_EMPTY_RENEGOTIATION_INFO_SCSV =			0x00FF,
+
+	TLS_ECDH_ECDSA_WITH_NULL_SHA =				0xC001,
+	TLS_ECDH_ECDSA_WITH_RC4_128_SHA =			0xC002,
+	TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA =		0xC003,
+	TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA =		0xC004,
+	TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA =		0xC005,
+	TLS_ECDHE_ECDSA_WITH_NULL_SHA =				0xC006,
+	TLS_ECDHE_ECDSA_WITH_RC4_128_SHA =			0xC007,
+	TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA =		0xC008,
+	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA =		0xC009,
+	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA =		0xC00A,
+	TLS_ECDH_RSA_WITH_NULL_SHA =				0xC00B,
+	TLS_ECDH_RSA_WITH_RC4_128_SHA =				0xC00C,
+	TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA =		0xC00D,
+	TLS_ECDH_RSA_WITH_AES_128_CBC_SHA =			0xC00E,
+	TLS_ECDH_RSA_WITH_AES_256_CBC_SHA =			0xC00F,
+	TLS_ECDHE_RSA_WITH_NULL_SHA =				0xC010,
+	TLS_ECDHE_RSA_WITH_RC4_128_SHA =			0xC011,
+	TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA =		0xC012,
+	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA =		0xC013,
+	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA =		0xC014,
+	TLS_ECDH_anon_WITH_NULL_SHA =				0xC015,
+	TLS_ECDH_anon_WITH_RC4_128_SHA =			0xC016,
+	TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA =		0xC017,
+	TLS_ECDH_anon_WITH_AES_128_CBC_SHA =		0xC018,
+	TLS_ECDH_anon_WITH_AES_256_CBC_SHA =		0xC019,
+	TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA =			0xC01A,
+	TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA =		0xC01B,
+	TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA =		0xC01C,
+	TLS_SRP_SHA_WITH_AES_128_CBC_SHA =			0xC01D,
+	TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA =		0xC01E,
+	TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA =		0xC01F,
+	TLS_SRP_SHA_WITH_AES_256_CBC_SHA =			0xC020,
+	TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA =		0xC021,
+	TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA =		0xC022,
+	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 =	0xC023,
+	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 =	0xC024,
+	TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 =	0xC025,
+	TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 =	0xC026,
+	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 =		0xC027,
+	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 =		0xC028,
+	TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 =		0xC029,
+	TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 =		0xC02A,
+	TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 =	0xC02B,
+	TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 =	0xC02C,
+	TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 =	0xC02D,
+	TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 =	0xC02E,
+	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 =		0xC02F,
+	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 =		0xC030,
+	TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 =		0xC031,
+	TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 =		0xC032,
+	TLS_ECDHE_PSK_WITH_RC4_128_SHA =			0xC033,
+	TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA =		0xC034,
+	TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA =		0xC035,
+	TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA =		0xC036,
+	TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 =		0xC037,
+	TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 =		0xC038,
+	TLS_ECDHE_PSK_WITH_NULL_SHA =				0xC039,
+	TLS_ECDHE_PSK_WITH_NULL_SHA256 =			0xC03A,
+	TLS_ECDHE_PSK_WITH_NULL_SHA384 =			0xC03B
+};
+
+/**
+ * Enum names for tls_cipher_suite_t
+ */
+extern enum_name_t *tls_cipher_suite_names;
+
+/**
+ * TLS HashAlgorithm identifiers
+ */
+enum tls_hash_algorithm_t {
+	TLS_HASH_NONE =		0,
+	TLS_HASH_MD5 =		1,
+	TLS_HASH_SHA1 =		2,
+	TLS_HASH_SHA224 =	3,
+	TLS_HASH_SHA256 =	4,
+	TLS_HASH_SHA384 =	5,
+	TLS_HASH_SHA512 =	6,
+};
+
+/**
+ * Enum names for tls_hash_algorithm_t
+ */
+extern enum_name_t *tls_hash_algorithm_names;
+
+/**
+ * TLS SignatureAlgorithm identifiers
+ */
+enum tls_signature_algorithm_t {
+	TLS_SIG_RSA =		1,
+	TLS_SIG_DSA =		2,
+	TLS_SIG_ECDSA =		3,
+};
+
+/**
+ * Enum names for tls_signature_algorithm_t
+ */
+extern enum_name_t *tls_signature_algorithm_names;
+
+/**
+ * TLS ClientCertificateType
+ */
+enum tls_client_certificate_type_t {
+	TLS_RSA_SIGN =			1,
+	TLS_DSA_SIGN =			2,
+	TLS_RSA_FIXED_DH =		3,
+	TLS_DSS_FIXED_DH =		4,
+	TLS_RSA_EPHEMERAL_DH =	5,
+	TLS_DSS_EPHEMERAL_DH =	6,
+	TLS_FORTEZZA_DMS =		20,
+	TLS_ECDSA_SIGN =		64,
+	TLS_RSA_FIXED_ECDH =	65,
+	TLS_ECDSA_FIXED_ECDH =	66,
+};
+
+/**
+ * Enum names for tls_client_certificate_type_t
+ */
+extern enum_name_t *tls_client_certificate_type_names;
+
+/**
+ * TLS EccCurveType
+ */
+enum tls_ecc_curve_type_t {
+	TLS_ECC_EXPLICIT_PRIME =	1,
+	TLS_ECC_EXPLICIT_CHAR2 =	2,
+	TLS_ECC_NAMED_CURVE =		3,
+};
+
+/**
+ * Enum names for tls_ecc_curve_type_t
+ */
+extern enum_name_t *tls_ecc_curve_type_names;
+
+/**
+ * TLS Named Curve identifiers
+ */
+enum tls_named_curve_t {
+	TLS_SECT163K1 =		 1,
+	TLS_SECT163R1 =		 2,
+	TLS_SECT163R2 =		 3,
+	TLS_SECT193R1 =		 4,
+	TLS_SECT193R2 =		 5,
+	TLS_SECT233K1 =		 6,
+	TLS_SECT233R1 =		 7,
+	TLS_SECT239K1 =		 8,
+	TLS_SECT283K1 =		 9,
+	TLS_SECT283R1 =		10,
+	TLS_SECT409K1 =		11,
+	TLS_SECT409R1 =		12,
+	TLS_SECT571K1 =		13,
+	TLS_SECT571R1 =		14,
+	TLS_SECP160K1 =		15,
+	TLS_SECP160R1 =		16,
+	TLS_SECP160R2 =		17,
+	TLS_SECP192K1 =		18,
+	TLS_SECP192R1 =		19,
+	TLS_SECP224K1 =		20,
+	TLS_SECP224R1 =		21,
+	TLS_SECP256K1 =		22,
+	TLS_SECP256R1 =		23,
+	TLS_SECP384R1 =		24,
+	TLS_SECP521R1 =		25,
+};
+
+/**
+ * Enum names for tls_named_curve_t
+ */
+extern enum_name_t *tls_named_curve_names;
+
+/**
+ * EC Point format, ANSI X9.62.
+ */
+enum tls_ansi_point_format_t {
+	TLS_ANSI_COMPRESSED =	2,
+	TLS_ANSI_COMPRESSED_Y =	3,
+	TLS_ANSI_UNCOMPRESSED =	4,
+	TLS_ANSI_HYBRID =		6,
+	TLS_ANSI_HYBRID_Y =		7,
+};
+
+/**
+ * Enum names for tls_ansi_point_format_t.
+ */
+extern enum_name_t *tls_ansi_point_format_names;
+
+/**
+ * EC Point format, TLS specific identifiers.
+ */
+enum tls_ec_point_format_t {
+	TLS_EC_POINT_UNCOMPRESSED = 0,
+	TLS_EC_POINT_ANSIX962_COMPRESSED_PRIME = 1,
+	TLS_EC_POINT_ANSIX962_COMPRESSED_CHAR2 = 2,
+};
+
+/**
+ * Enum names for tls_ec_point_format_t.
+ */
+extern enum_name_t *tls_ec_point_format_names;
+
+/**
+ * TLS crypto helper functions.
+ */
+struct tls_crypto_t {
+
+	/**
+	 * Get a list of supported TLS cipher suites.
+	 *
+	 * @param suites		list of suites, points to internal data
+	 * @return				number of suites returned
+	 */
+	int (*get_cipher_suites)(tls_crypto_t *this, tls_cipher_suite_t **suites);
+
+	/**
+	 * Select and store a cipher suite from a given list of candidates.
+	 *
+	 * @param suites		list of candidates to select from
+	 * @param count			number of suites
+	 * @param key			key type used, or KEY_ANY
+	 * @return				selected suite, 0 if none acceptable
+	 */
+	tls_cipher_suite_t (*select_cipher_suite)(tls_crypto_t *this,
+										tls_cipher_suite_t *suites, int count,
+										key_type_t key);
+
+	/**
+	 * Get the Diffie-Hellman group to use, if any.
+	 *
+	 * @return				Diffie Hellman group, ord MODP_NONE
+	 */
+	diffie_hellman_group_t (*get_dh_group)(tls_crypto_t *this);
+
+	/**
+	 * Write the list of supported hash/sig algorithms to writer.
+	 *
+	 * @param writer		writer to write supported hash/sig algorithms
+	 */
+	void (*get_signature_algorithms)(tls_crypto_t *this, tls_writer_t *writer);
+
+	/**
+	 * Create an enumerator over supported ECDH groups.
+	 *
+	 * Enumerates over (diffie_hellman_group_t, tls_named_curve_t)
+	 *
+	 * @return				enumerator
+	 */
+	enumerator_t* (*create_ec_enumerator)(tls_crypto_t *this);
+
+	/**
+	 * Set the protection layer of the TLS stack to control it.
+	 *
+	 * @param protection		protection layer to work on
+	 */
+	void (*set_protection)(tls_crypto_t *this, tls_protection_t *protection);
+
+	/**
+	 * Store exchanged handshake data, used for cryptographic operations.
+	 *
+	 * @param type			handshake sub type
+	 * @param data			data to append to handshake buffer
+	 */
+	void (*append_handshake)(tls_crypto_t *this,
+							 tls_handshake_type_t type, chunk_t data);
+
+	/**
+	 * Sign a blob of data, append signature to writer.
+	 *
+	 * @param key			private key to use for signature
+	 * @param writer		TLS writer to write signature to
+	 * @param data			data to sign
+	 * @param hashsig		list of TLS1.2 hash/sig algorithms to select from
+	 * @return				TRUE if signature create successfully
+	 */
+	bool (*sign)(tls_crypto_t *this, private_key_t *key,
+				 tls_writer_t *writer, chunk_t data, chunk_t hashsig);
+
+	/**
+	 * Verify a blob of data, read signature from a reader.
+	 *
+	 * @param key			public key to verify signature with
+	 * @param reader		TLS reader to read signature from
+	 * @param data			data to verify signature
+	 * @return				TRUE if signature valid
+	 */
+	bool (*verify)(tls_crypto_t *this, public_key_t *key,
+				   tls_reader_t *reader, chunk_t data);
+
+	/**
+	 * Create a signature of the handshake data using a given private key.
+	 *
+	 * @param key			private key to use for signature
+	 * @param writer		TLS writer to write signature to
+	 * @param hashsig		list of TLS1.2 hash/sig algorithms to select from
+	 * @return				TRUE if signature create successfully
+	 */
+	bool (*sign_handshake)(tls_crypto_t *this, private_key_t *key,
+						   tls_writer_t *writer, chunk_t hashsig);
+
+	/**
+	 * Verify the signature over handshake data using a given public key.
+	 *
+	 * @param key			public key to verify signature with
+	 * @param reader		TLS reader to read signature from
+	 * @return				TRUE if signature valid
+	 */
+	bool (*verify_handshake)(tls_crypto_t *this, public_key_t *key,
+							 tls_reader_t *reader);
+
+	/**
+	 * Calculate the data of a TLS finished message.
+	 *
+	 * @param label			ASCII label to use for calculation
+	 * @param out			buffer to write finished data to
+	 * @return				TRUE if calculation successful
+	 */
+	bool (*calculate_finished)(tls_crypto_t *this, char *label, char out[12]);
+
+	/**
+	 * Derive the master secret, MAC and encryption keys.
+	 *
+	 * @param premaster		premaster secret
+	 * @param client_random	random data from client hello
+	 * @param server_random	random data from server hello
+	 */
+	void (*derive_secrets)(tls_crypto_t *this, chunk_t premaster,
+						   chunk_t client_random, chunk_t server_random);
+
+	/**
+	 * Change the cipher used at protection layer.
+	 *
+	 * @param inbound		TRUE to change inbound cipher, FALSE for outbound
+	 */
+	void (*change_cipher)(tls_crypto_t *this, bool inbound);
+
+	/**
+	 * Derive the EAP-TLS MSK.
+	 *
+	 * @param client_random	random data from client hello
+	 * @param server_random	random data from server hello
+	 */
+	void (*derive_eap_msk)(tls_crypto_t *this,
+						   chunk_t client_random, chunk_t server_random);
+
+	/**
+	 * Get the MSK to use in EAP-TLS.
+	 *
+	 * @return				MSK, points to internal data
+	 */
+	chunk_t (*get_eap_msk)(tls_crypto_t *this);
+
+	/**
+	 * Destroy a tls_crypto_t.
+	 */
+	void (*destroy)(tls_crypto_t *this);
+};
+
+/**
+ * Create a tls_crypto instance.
+ */
+tls_crypto_t *tls_crypto_create(tls_t *tls);
+
+#endif /** TLS_CRYPTO_H_ @}*/
diff --git a/src/libtls/tls_eap.c b/src/libtls/tls_eap.c
new file mode 100644
index 000000000..a8c3a5053
--- /dev/null
+++ b/src/libtls/tls_eap.c
@@ -0,0 +1,379 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "tls_eap.h"
+
+#include "tls.h"
+
+#include <debug.h>
+#include <library.h>
+
+/** Size limit for a single TLS message */
+#define MAX_TLS_MESSAGE_LEN 65536
+
+typedef struct private_tls_eap_t private_tls_eap_t;
+
+/**
+ * Private data of an tls_eap_t object.
+ */
+struct private_tls_eap_t {
+
+	/**
+	 * Public tls_eap_t interface.
+	 */
+	tls_eap_t public;
+
+	/**
+	 * Type of EAP method, EAP-TLS, EAP-TTLS, or EAP-TNC
+	 */
+	eap_type_t type;
+
+	/**
+	 * TLS stack
+	 */
+	tls_t *tls;
+
+	/**
+	 * Role
+	 */
+	bool is_server;
+
+	/**
+	 * First fragment of a multi-fragment record?
+	 */
+	bool first_fragment;
+
+	/**
+	 * Maximum size of an outgoing EAP-TLS fragment
+	 */
+	size_t frag_size;
+
+	/**
+	 * Number of EAP messages/fragments processed so far
+	 */
+	int processed;
+
+	/**
+	 * Maximum number of processed EAP messages/fragments 
+	 */
+	int max_msg_count;
+};
+
+/**
+ * Flags of an EAP-TLS/TTLS/TNC message
+ */
+typedef enum {
+	EAP_TLS_LENGTH = (1<<7),		/* shared with EAP-TTLS/TNC */
+	EAP_TLS_MORE_FRAGS = (1<<6),	/* shared with EAP-TTLS/TNC */
+	EAP_TLS_START = (1<<5),			/* shared with EAP-TTLS/TNC */
+	EAP_TTLS_VERSION = (0x07),		/* shared with EAP-TNC      */
+} eap_tls_flags_t;
+
+#define EAP_TTLS_SUPPORTED_VERSION	0
+#define EAP_TNC_SUPPORTED_VERSION	1
+
+/**
+ * EAP-TLS/TTLS packet format
+ */
+typedef struct __attribute__((packed)) {
+	u_int8_t code;
+	u_int8_t identifier;
+	u_int16_t length;
+	u_int8_t type;
+	u_int8_t flags;
+} eap_tls_packet_t;
+
+METHOD(tls_eap_t, initiate, status_t,
+	private_tls_eap_t *this, chunk_t *out)
+{
+	if (this->is_server)
+	{
+		eap_tls_packet_t pkt = {
+			.type = this->type,
+			.code = EAP_REQUEST,
+			.flags = EAP_TLS_START,
+		};
+		switch (this->type)
+		{
+			case EAP_TTLS:
+				pkt.flags |= EAP_TTLS_SUPPORTED_VERSION;
+				break;
+			case EAP_TNC:
+				pkt.flags |= EAP_TNC_SUPPORTED_VERSION;
+				break;
+			default:
+				break;
+		}
+		htoun16(&pkt.length, sizeof(eap_tls_packet_t));
+		do
+		{	/* start with non-zero random identifier */
+			pkt.identifier = random();
+		}
+		while (!pkt.identifier);
+
+		DBG2(DBG_IKE, "sending %N start packet", eap_type_names, this->type);
+		*out = chunk_clone(chunk_from_thing(pkt));
+		return NEED_MORE;
+	}
+	return FAILED;
+}
+
+/**
+ * Process a received packet
+ */
+static status_t process_pkt(private_tls_eap_t *this, eap_tls_packet_t *pkt)
+{
+	u_int32_t msg_len;
+	u_int16_t pkt_len;
+
+	pkt_len = untoh16(&pkt->length);
+	if (pkt->flags & EAP_TLS_LENGTH)
+	{
+		if (pkt_len < sizeof(eap_tls_packet_t) + sizeof(msg_len))
+		{
+			DBG1(DBG_TLS, "%N packet too short", eap_type_names, this->type);
+			return FAILED;
+		}
+		msg_len = untoh32(pkt + 1);
+		if (msg_len < pkt_len - sizeof(eap_tls_packet_t) - sizeof(msg_len) ||
+			msg_len > MAX_TLS_MESSAGE_LEN)
+		{
+			DBG1(DBG_TLS, "invalid %N packet length", eap_type_names, this->type);
+			return FAILED;
+		}
+		return this->tls->process(this->tls, (char*)(pkt + 1) + sizeof(msg_len),
+						pkt_len - sizeof(eap_tls_packet_t) - sizeof(msg_len));
+	}
+	return this->tls->process(this->tls, (char*)(pkt + 1),
+							  pkt_len - sizeof(eap_tls_packet_t));
+}
+
+/**
+ * Build a packet to send
+ */
+static status_t build_pkt(private_tls_eap_t *this,
+						  u_int8_t identifier, chunk_t *out)
+{
+	char buf[this->frag_size];
+	eap_tls_packet_t *pkt;
+	size_t len, reclen;
+	status_t status;
+	char *kind;
+
+	pkt = (eap_tls_packet_t*)buf;
+	pkt->code = this->is_server ? EAP_REQUEST : EAP_RESPONSE;
+	pkt->identifier = this->is_server ? identifier + 1 : identifier;
+	pkt->type = this->type;
+	pkt->flags = 0;
+
+	switch (this->type)
+	{
+		case EAP_TTLS:
+			pkt->flags |= EAP_TTLS_SUPPORTED_VERSION;
+			break;
+		case EAP_TNC:
+			pkt->flags |= EAP_TNC_SUPPORTED_VERSION;
+			break;
+		default:
+			break;
+	}
+
+	if (this->first_fragment)
+	{
+		pkt->flags |= EAP_TLS_LENGTH;
+		len = sizeof(buf) - sizeof(eap_tls_packet_t) - sizeof(u_int32_t);
+		status = this->tls->build(this->tls, buf + sizeof(eap_tls_packet_t) +
+								  sizeof(u_int32_t), &len, &reclen);
+	}
+	else
+	{
+		len = sizeof(buf) - sizeof(eap_tls_packet_t);
+		status = this->tls->build(this->tls, buf + sizeof(eap_tls_packet_t),
+								  &len, &reclen);
+	}
+	switch (status)
+	{
+		case NEED_MORE:
+			pkt->flags |= EAP_TLS_MORE_FRAGS;
+			kind = "further fragment";
+			if (this->first_fragment)
+			{
+				this->first_fragment = FALSE;
+				kind = "first fragment";
+			}
+			break;
+		case ALREADY_DONE:
+			kind = "packet";
+			if (!this->first_fragment)
+			{
+				this->first_fragment = TRUE;
+				kind = "final fragment";
+			}
+			break;
+		default:
+			return status;
+	}
+	DBG2(DBG_TLS, "sending %N %s (%u bytes)",
+		 eap_type_names, this->type, kind, len);
+	if (reclen)
+	{
+		htoun32(pkt + 1, reclen);
+		len += sizeof(u_int32_t);
+		pkt->flags |= EAP_TLS_LENGTH;
+	}
+	len += sizeof(eap_tls_packet_t);
+	htoun16(&pkt->length, len);
+	*out = chunk_clone(chunk_create(buf, len));
+	return NEED_MORE;
+}
+
+/**
+ * Send an ack to request next fragment
+ */
+static chunk_t create_ack(private_tls_eap_t *this, u_int8_t identifier)
+{
+	eap_tls_packet_t pkt = {
+		.code = this->is_server ? EAP_REQUEST : EAP_RESPONSE,
+		.identifier = this->is_server ? identifier + 1 : identifier,
+		.type = this->type,
+	};
+	htoun16(&pkt.length, sizeof(pkt));
+	switch (this->type)
+	{
+		case EAP_TTLS:
+			pkt.flags |= EAP_TTLS_SUPPORTED_VERSION;
+		break;
+		case EAP_TNC:
+			pkt.flags |= EAP_TNC_SUPPORTED_VERSION;
+			break;
+		default:
+			break;
+	}
+	DBG2(DBG_TLS, "sending %N acknowledgement packet",
+		 eap_type_names, this->type);
+	return chunk_clone(chunk_from_thing(pkt));
+}
+
+METHOD(tls_eap_t, process, status_t,
+	private_tls_eap_t *this, chunk_t in, chunk_t *out)
+{
+	eap_tls_packet_t *pkt;
+	status_t status;
+
+	if (++this->processed > this->max_msg_count)
+	{
+		DBG1(DBG_IKE, "%N packet count exceeded (%d > %d)",
+			 eap_type_names, this->type,
+			 this->processed, this->max_msg_count);
+		return FAILED;
+	}
+
+	pkt = (eap_tls_packet_t*)in.ptr;
+	if (in.len < sizeof(eap_tls_packet_t) ||
+		untoh16(&pkt->length) != in.len)
+	{
+		DBG1(DBG_IKE, "invalid %N packet length",
+			 eap_type_names, this->type);
+		return FAILED;
+	}
+	if (pkt->flags & EAP_TLS_START)
+	{
+		if (this->type == EAP_TTLS || this->type == EAP_TNC)
+		{
+			DBG1(DBG_TLS, "%N version is v%u", eap_type_names, this->type,
+				 pkt->flags & EAP_TTLS_VERSION);
+		}
+	}
+	else
+	{
+		if (in.len == sizeof(eap_tls_packet_t))
+		{
+			DBG2(DBG_TLS, "received %N acknowledgement packet",
+				 eap_type_names, this->type);
+			status = build_pkt(this, pkt->identifier, out);
+			if (status == INVALID_STATE &&
+				this->tls->is_complete(this->tls))
+			{
+				return SUCCESS;
+			}
+			return status;
+		}
+		status = process_pkt(this, pkt);
+		if (status != NEED_MORE)
+		{
+			return status;
+		}
+	}
+	status = build_pkt(this, pkt->identifier, out);
+	switch (status)
+	{
+		case INVALID_STATE:
+			*out = create_ack(this, pkt->identifier);
+			return NEED_MORE;
+		case FAILED:
+			if (!this->is_server)
+			{
+				*out = create_ack(this, pkt->identifier);
+				return NEED_MORE;
+			}
+			return FAILED;
+		default:
+			return status;
+	}
+}
+
+METHOD(tls_eap_t, get_msk, chunk_t,
+	private_tls_eap_t *this)
+{
+	return this->tls->get_eap_msk(this->tls);
+}
+
+METHOD(tls_eap_t, destroy, void,
+	private_tls_eap_t *this)
+{
+	this->tls->destroy(this->tls);
+	free(this);
+}
+
+/**
+ * See header
+ */
+tls_eap_t *tls_eap_create(eap_type_t type, tls_t *tls, size_t frag_size,
+						  int max_msg_count)
+{
+	private_tls_eap_t *this;
+
+	if (!tls)
+	{
+		return NULL;
+	}
+
+	INIT(this,
+		.public = {
+			.initiate = _initiate,
+			.process = _process,
+			.get_msk = _get_msk,
+			.destroy = _destroy,
+		},
+		.type = type,
+		.is_server = tls->is_server(tls),
+		.first_fragment = TRUE,
+		.frag_size = frag_size,
+		.max_msg_count = max_msg_count,
+		.tls = tls,
+	);
+
+	return &this->public;
+}
diff --git a/src/libtls/tls_eap.h b/src/libtls/tls_eap.h
new file mode 100644
index 000000000..ebda2636d
--- /dev/null
+++ b/src/libtls/tls_eap.h
@@ -0,0 +1,81 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tls_eap tls_eap
+ * @{ @ingroup libtls
+ */
+
+#ifndef TLS_EAP_H_
+#define TLS_EAP_H_
+
+typedef struct tls_eap_t tls_eap_t;
+
+#include <eap/eap.h>
+
+#include "tls.h"
+
+/**
+ * TLS over EAP helper, as used by EAP-TLS and EAP-TTLS.
+ */
+struct tls_eap_t {
+
+	/**
+	 * Initiate TLS/TTLS/TNC over EAP exchange (as client).
+	 *
+	 * @param out			allocated EAP packet data to send
+	 * @return
+	 *						- NEED_MORE if more exchanges required
+	 *						- FAILED if initiation failed
+	 */
+	status_t (*initiate)(tls_eap_t *this, chunk_t *out);
+
+	/**
+	 * Process a received EAP-TLS/TTLS/TNC packet, create response.
+	 *
+	 * @param in			EAP packet data to process
+	 * @param out			allocated EAP packet data to send
+	 * @return
+	 *						- SUCCESS if TLS negotiation completed
+	 *						- FAILED if TLS negotiation failed
+	 *						- NEED_MORE if more exchanges required
+	 */
+	status_t (*process)(tls_eap_t *this, chunk_t in, chunk_t *out);
+
+	/**
+	 * Get the EAP-MSK.
+	 *
+	 * @return				MSK
+	 */
+	chunk_t (*get_msk)(tls_eap_t *this);
+
+	/**
+	 * Destroy a tls_eap_t.
+	 */
+	void (*destroy)(tls_eap_t *this);
+};
+
+/**
+ * Create a tls_eap instance.
+ *
+ * @param type				EAP type, EAP-TLS or EAP-TTLS
+ * @param tls				TLS implementation
+ * @param frag_size			maximum size of a TLS fragment we send
+ * @param max_msg_count		maximum number of processed messages
+ */
+tls_eap_t *tls_eap_create(eap_type_t type, tls_t *tls, size_t frag_size,
+						  int max_msg_count);
+
+#endif /** TLS_EAP_H_ @}*/
diff --git a/src/libtls/tls_fragmentation.c b/src/libtls/tls_fragmentation.c
new file mode 100644
index 000000000..5a598cfc4
--- /dev/null
+++ b/src/libtls/tls_fragmentation.c
@@ -0,0 +1,471 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "tls_fragmentation.h"
+
+#include "tls_reader.h"
+
+#include <debug.h>
+
+typedef struct private_tls_fragmentation_t private_tls_fragmentation_t;
+
+/**
+ * Alert state
+ */
+typedef enum {
+	/* no alert received/sent */
+	ALERT_NONE,
+	/* currently sending an alert */
+	ALERT_SENDING,
+	/* alert sent and out */
+	ALERT_SENT,
+} alert_state_t;
+
+/**
+ * Private data of an tls_fragmentation_t object.
+ */
+struct private_tls_fragmentation_t {
+
+	/**
+	 * Public tls_fragmentation_t interface.
+	 */
+	tls_fragmentation_t public;
+
+	/**
+	 * Upper layer handshake protocol
+	 */
+	tls_handshake_t *handshake;
+
+	/**
+	 * TLS alert handler
+	 */
+	tls_alert_t *alert;
+
+	/**
+	 * State of alert handling
+	 */
+	alert_state_t state;
+
+	/**
+	 * Did the application layer complete successfully?
+	 */
+	bool application_finished;
+
+	/**
+	 * Handshake input buffer
+	 */
+	chunk_t input;
+
+	/**
+	 * Position in input buffer
+	 */
+	size_t inpos;
+
+	/**
+	 * Currently processed handshake message type
+	 */
+	tls_handshake_type_t type;
+
+	/**
+	 * Handshake output buffer
+	 */
+	chunk_t output;
+
+	/**
+	 * Type of data in output buffer
+	 */
+	tls_content_type_t output_type;
+
+	/**
+	 * Upper layer application data protocol
+	 */
+	tls_application_t *application;
+};
+
+/**
+ * Maximum size of a TLS fragment
+ */
+#define MAX_TLS_FRAGMENT_LEN 16384
+
+/**
+ * Maximum size of a TLS handshake message we accept
+ */
+#define MAX_TLS_HANDSHAKE_LEN 65536
+
+/**
+ * Process a TLS alert
+ */
+static status_t process_alert(private_tls_fragmentation_t *this,
+							  tls_reader_t *reader)
+{
+	u_int8_t level, description;
+
+	if (!reader->read_uint8(reader, &level) ||
+		!reader->read_uint8(reader, &description))
+	{
+		this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
+		return NEED_MORE;
+	}
+	return this->alert->process(this->alert, level, description);
+}
+
+/**
+ * Process TLS handshake protocol data
+ */
+static status_t process_handshake(private_tls_fragmentation_t *this,
+								  tls_reader_t *reader)
+{
+	while (reader->remaining(reader))
+	{
+		tls_reader_t *msg;
+		u_int8_t type;
+		u_int32_t len;
+		status_t status;
+		chunk_t data;
+
+		if (reader->remaining(reader) > MAX_TLS_FRAGMENT_LEN)
+		{
+			DBG1(DBG_TLS, "TLS fragment has invalid length");
+			this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
+			return NEED_MORE;
+		}
+
+		if (this->input.len == 0)
+		{	/* new handshake message */
+			if (!reader->read_uint8(reader, &type) ||
+				!reader->read_uint24(reader, &len))
+			{
+				DBG1(DBG_TLS, "TLS handshake header invalid");
+				this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
+				return NEED_MORE;
+			}
+			this->type = type;
+			if (len > MAX_TLS_HANDSHAKE_LEN)
+			{
+				DBG1(DBG_TLS, "TLS handshake exceeds maximum length");
+				this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
+				return NEED_MORE;
+			}
+			chunk_free(&this->input);
+			this->inpos = 0;
+			if (len)
+			{
+				this->input = chunk_alloc(len);
+			}
+		}
+
+		len = min(this->input.len - this->inpos, reader->remaining(reader));
+		if (!reader->read_data(reader, len, &data))
+		{
+			DBG1(DBG_TLS, "TLS fragment has invalid length");
+			this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
+			return NEED_MORE;
+		}
+		memcpy(this->input.ptr + this->inpos, data.ptr, len);
+		this->inpos += len;
+
+		if (this->input.len == this->inpos)
+		{	/* message completely defragmented, process */
+			msg = tls_reader_create(this->input);
+			DBG2(DBG_TLS, "received TLS %N handshake (%u bytes)",
+				 tls_handshake_type_names, this->type, this->input.len);
+			status = this->handshake->process(this->handshake, this->type, msg);
+			msg->destroy(msg);
+			chunk_free(&this->input);
+			if (status != NEED_MORE)
+			{
+				return status;
+			}
+		}
+		if (this->alert->fatal(this->alert))
+		{
+			break;
+		}
+	}
+	return NEED_MORE;
+}
+
+/**
+ * Process TLS application data
+ */
+static status_t process_application(private_tls_fragmentation_t *this,
+									tls_reader_t *reader)
+{
+	while (reader->remaining(reader))
+	{
+		status_t status;
+
+		if (reader->remaining(reader) > MAX_TLS_FRAGMENT_LEN)
+		{
+			DBG1(DBG_TLS, "TLS fragment has invalid length");
+			this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
+			return NEED_MORE;
+		}
+		status = this->application->process(this->application, reader);
+		switch (status)
+		{
+			case NEED_MORE:
+				continue;
+			case SUCCESS:
+				this->application_finished = TRUE;
+				return SUCCESS;
+			case FAILED:
+			default:
+				this->alert->add(this->alert, TLS_FATAL, TLS_CLOSE_NOTIFY);
+				return NEED_MORE;
+		}
+	}
+	return NEED_MORE;
+}
+
+METHOD(tls_fragmentation_t, process, status_t,
+	private_tls_fragmentation_t *this, tls_content_type_t type, chunk_t data)
+{
+	tls_reader_t *reader;
+	status_t status;
+
+	switch (this->state)
+	{
+		case ALERT_SENDING:
+		case ALERT_SENT:
+			/* don't accept more input, fatal error ocurred */
+			return NEED_MORE;
+		case ALERT_NONE:
+			break;
+	}
+	reader = tls_reader_create(data);
+	switch (type)
+	{
+		case TLS_CHANGE_CIPHER_SPEC:
+			if (this->handshake->change_cipherspec(this->handshake))
+			{
+				status = NEED_MORE;
+				break;
+			}
+			status = FAILED;
+			break;
+		case TLS_ALERT:
+			status = process_alert(this, reader);
+			break;
+		case TLS_HANDSHAKE:
+			status = process_handshake(this, reader);
+			break;
+		case TLS_APPLICATION_DATA:
+			status = process_application(this, reader);
+			break;
+		default:
+			DBG1(DBG_TLS, "received unknown TLS content type %d, ignored", type);
+			status = NEED_MORE;
+			break;
+	}
+	reader->destroy(reader);
+	return status;
+}
+
+/**
+ * Check if alerts are pending
+ */
+static bool check_alerts(private_tls_fragmentation_t *this, chunk_t *data)
+{
+	tls_alert_level_t level;
+	tls_alert_desc_t desc;
+	tls_writer_t *writer;
+
+	if (this->alert->get(this->alert, &level, &desc))
+	{
+		writer = tls_writer_create(2);
+
+		writer->write_uint8(writer, level);
+		writer->write_uint8(writer, desc);
+
+		*data = chunk_clone(writer->get_buf(writer));
+		writer->destroy(writer);
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/**
+ * Build hanshake message
+ */
+static status_t build_handshake(private_tls_fragmentation_t *this)
+{
+	tls_writer_t *hs, *msg;
+	tls_handshake_type_t type;
+	status_t status;
+
+	msg = tls_writer_create(64);
+	while (TRUE)
+	{
+		hs = tls_writer_create(64);
+		status = this->handshake->build(this->handshake, &type, hs);
+		switch (status)
+		{
+			case NEED_MORE:
+				if (this->alert->fatal(this->alert))
+				{
+					break;
+				}
+				msg->write_uint8(msg, type);
+				msg->write_data24(msg, hs->get_buf(hs));
+				DBG2(DBG_TLS, "sending TLS %N handshake (%u bytes)",
+					 tls_handshake_type_names, type, hs->get_buf(hs).len);
+				hs->destroy(hs);
+				continue;
+			case INVALID_STATE:
+				this->output_type = TLS_HANDSHAKE;
+				this->output = chunk_clone(msg->get_buf(msg));
+				break;
+			default:
+				break;
+		}
+		hs->destroy(hs);
+		break;
+	}
+	msg->destroy(msg);
+	return status;
+}
+
+/**
+ * Build TLS application data
+ */
+static status_t build_application(private_tls_fragmentation_t *this)
+{
+	tls_writer_t *msg;
+	status_t status;
+
+	msg = tls_writer_create(64);
+	while (TRUE)
+	{
+		status = this->application->build(this->application, msg);
+		switch (status)
+		{
+			case NEED_MORE:
+				continue;
+			case INVALID_STATE:
+				this->output_type = TLS_APPLICATION_DATA;
+				this->output = chunk_clone(msg->get_buf(msg));
+				break;
+			case SUCCESS:
+				this->application_finished = TRUE;
+				break;
+			case FAILED:
+			default:
+				this->alert->add(this->alert, TLS_FATAL, TLS_CLOSE_NOTIFY);
+				break;
+		}
+		break;
+	}
+	msg->destroy(msg);
+	return status;
+}
+
+METHOD(tls_fragmentation_t, build, status_t,
+	private_tls_fragmentation_t *this, tls_content_type_t *type, chunk_t *data)
+{
+	status_t status = INVALID_STATE;
+
+	switch (this->state)
+	{
+		case ALERT_SENDING:
+			this->state = ALERT_SENT;
+			return INVALID_STATE;
+		case ALERT_SENT:
+			return FAILED;
+		case ALERT_NONE:
+			break;
+	}
+	if (check_alerts(this, data))
+	{
+		this->state = ALERT_SENDING;
+		*type = TLS_ALERT;
+		return NEED_MORE;
+	}
+	if (!this->output.len)
+	{
+		if (this->handshake->cipherspec_changed(this->handshake))
+		{
+			*type = TLS_CHANGE_CIPHER_SPEC;
+			*data = chunk_clone(chunk_from_chars(0x01));
+			return NEED_MORE;
+		}
+		if (!this->handshake->finished(this->handshake))
+		{
+			status = build_handshake(this);
+		}
+		else if (this->application)
+		{
+			status = build_application(this);
+		}
+		if (check_alerts(this, data))
+		{
+			this->state = ALERT_SENDING;
+			*type = TLS_ALERT;
+			return NEED_MORE;
+		}
+	}
+	if (this->output.len)
+	{
+		*type = this->output_type;
+		if (this->output.len <= MAX_TLS_FRAGMENT_LEN)
+		{
+			*data = this->output;
+			this->output = chunk_empty;
+			return NEED_MORE;
+		}
+		*data = chunk_create(this->output.ptr, MAX_TLS_FRAGMENT_LEN);
+		this->output = chunk_clone(chunk_skip(this->output, MAX_TLS_FRAGMENT_LEN));
+		return NEED_MORE;
+	}
+	return status;
+}
+
+METHOD(tls_fragmentation_t, application_finished, bool,
+	private_tls_fragmentation_t *this)
+{
+	return this->application_finished;
+}
+
+METHOD(tls_fragmentation_t, destroy, void,
+	private_tls_fragmentation_t *this)
+{
+	free(this->input.ptr);
+	free(this->output.ptr);
+	free(this);
+}
+
+/**
+ * See header
+ */
+tls_fragmentation_t *tls_fragmentation_create(tls_handshake_t *handshake,
+							tls_alert_t *alert, tls_application_t *application)
+{
+	private_tls_fragmentation_t *this;
+
+	INIT(this,
+		.public = {
+			.process = _process,
+			.build = _build,
+			.application_finished = _application_finished,
+			.destroy = _destroy,
+		},
+		.handshake = handshake,
+		.alert = alert,
+		.state = ALERT_NONE,
+		.application = application,
+	);
+
+	return &this->public;
+}
diff --git a/src/libtls/tls_fragmentation.h b/src/libtls/tls_fragmentation.h
new file mode 100644
index 000000000..d80278916
--- /dev/null
+++ b/src/libtls/tls_fragmentation.h
@@ -0,0 +1,88 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tls_fragmentation tls_fragmentation
+ * @{ @ingroup libtls
+ */
+
+#ifndef TLS_FRAGMENTATION_H_
+#define TLS_FRAGMENTATION_H_
+
+#include <library.h>
+
+#include "tls.h"
+#include "tls_alert.h"
+#include "tls_handshake.h"
+
+typedef struct tls_fragmentation_t tls_fragmentation_t;
+
+/**
+ * TLS record protocol fragmentation layer.
+ */
+struct tls_fragmentation_t {
+
+	/**
+	 * Process a fragmented TLS record, pass it to upper layers.
+	 *
+	 * @param type		type of the TLS record to process
+	 * @param data		associated TLS record data
+	 * @return
+	 *					- SUCCESS if TLS negotiation complete
+	 *					- FAILED if TLS handshake failed
+	 *					- NEED_MORE if more invocations to process/build needed
+	 */
+	status_t (*process)(tls_fragmentation_t *this,
+						tls_content_type_t type, chunk_t data);
+
+	/**
+	 * Query upper layer for TLS messages, build fragmented records.
+	 *
+	 * @param type		type of the built TLS record
+	 * @param data		allocated data of the built TLS record
+	 * @return
+	 *					- SUCCESS if TLS negotiation complete
+	 *					- FAILED if TLS handshake failed
+	 *					- NEED_MORE if upper layers have more records to send
+	 *					- INVALID_STATE if more input records required
+	 */
+	status_t (*build)(tls_fragmentation_t *this,
+					  tls_content_type_t *type, chunk_t *data);
+
+	/**
+	 * Has the application layer finished (returned SUCCESS)?.
+	 *
+	 * @return			TRUE if application layer finished
+	 */
+	bool (*application_finished)(tls_fragmentation_t *this);
+
+	/**
+	 * Destroy a tls_fragmentation_t.
+	 */
+	void (*destroy)(tls_fragmentation_t *this);
+};
+
+/**
+ * Create a tls_fragmentation instance.
+ *
+ * @param handshake			upper layer handshake protocol
+ * @param alert				TLS alert handler
+ * @param application		upper layer application data or NULL
+ * @return					TLS fragmentation layer
+ */
+tls_fragmentation_t *tls_fragmentation_create(tls_handshake_t *handshake,
+							tls_alert_t *alert, tls_application_t *application);
+
+#endif /** TLS_FRAGMENTATION_H_ @}*/
diff --git a/src/libtls/tls_handshake.h b/src/libtls/tls_handshake.h
new file mode 100644
index 000000000..6703b341b
--- /dev/null
+++ b/src/libtls/tls_handshake.h
@@ -0,0 +1,90 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tls_handshake tls_handshake
+ * @{ @ingroup libtls
+ */
+
+#ifndef TLS_HANDSHAKE_H_
+#define TLS_HANDSHAKE_H_
+
+typedef struct tls_handshake_t tls_handshake_t;
+
+#include "tls.h"
+#include "tls_reader.h"
+#include "tls_writer.h"
+
+/**
+ * TLS handshake state machine interface.
+ */
+struct tls_handshake_t {
+
+	/**
+	 * Process received TLS handshake message.
+	 *
+	 * @param type		TLS handshake message type
+	 * @param reader	TLS data buffer
+	 * @return
+	 *					- SUCCESS if TLS negotiation complete
+	 *					- FAILED if a fatal TLS alert queued
+	 *					- NEED_MORE if more invocations to process/build needed
+	 *					- DESTROY_ME if a fatal TLS alert received
+	 */
+	status_t (*process)(tls_handshake_t *this,
+						tls_handshake_type_t type, tls_reader_t *reader);
+
+	/**
+	 * Build TLS handshake messages to send out.
+	 *
+	 * @param type		type of created handshake message
+	 * @param writer	TLS data buffer to write to
+	 * @return
+	 *					- SUCCESS if handshake complete
+	 *					- FAILED if handshake failed
+	 *					- NEED_MORE if more messages ready for delivery
+	 *					- INVALID_STATE if more input to process() required
+	 */
+	status_t (*build)(tls_handshake_t *this,
+					  tls_handshake_type_t *type, tls_writer_t *writer);
+
+	/**
+	 * Check if the cipher spec for outgoing messages has changed.
+	 *
+	 * @return			TRUE if cipher spec changed
+	 */
+	bool (*cipherspec_changed)(tls_handshake_t *this);
+
+	/**
+	 * Change the cipher spec for incoming messages.
+	 *
+	 * @return			TRUE if cipher spec changed
+	 */
+	bool (*change_cipherspec)(tls_handshake_t *this);
+
+	/**
+	 * Check if the finished message was decoded successfully.
+	 *
+	 * @return			TRUE if finished message was decoded successfully
+	 */
+	bool (*finished)(tls_handshake_t *this);
+
+	/**
+	 * Destroy a tls_handshake_t.
+	 */
+	void (*destroy)(tls_handshake_t *this);
+};
+
+#endif /** TLS_HANDSHAKE_H_ @}*/
diff --git a/src/libtls/tls_peer.c b/src/libtls/tls_peer.c
new file mode 100644
index 000000000..c1fd33eea
--- /dev/null
+++ b/src/libtls/tls_peer.c
@@ -0,0 +1,1099 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "tls_peer.h"
+
+#include <debug.h>
+#include <credentials/certificates/x509.h>
+
+#include <time.h>
+
+typedef struct private_tls_peer_t private_tls_peer_t;
+
+typedef enum {
+	STATE_INIT,
+	STATE_HELLO_SENT,
+	STATE_HELLO_RECEIVED,
+	STATE_HELLO_DONE,
+	STATE_CERT_SENT,
+	STATE_CERT_RECEIVED,
+	STATE_KEY_EXCHANGE_RECEIVED,
+	STATE_CERTREQ_RECEIVED,
+	STATE_KEY_EXCHANGE_SENT,
+	STATE_VERIFY_SENT,
+	STATE_CIPHERSPEC_CHANGED_OUT,
+	STATE_FINISHED_SENT,
+	STATE_CIPHERSPEC_CHANGED_IN,
+	STATE_COMPLETE,
+} peer_state_t;
+
+/**
+ * Private data of an tls_peer_t object.
+ */
+struct private_tls_peer_t {
+
+	/**
+	 * Public tls_peer_t interface.
+	 */
+	tls_peer_t public;
+
+	/**
+	 * TLS stack
+	 */
+	tls_t *tls;
+
+	/**
+	 * TLS crypto context
+	 */
+	tls_crypto_t *crypto;
+
+	/**
+	 * TLS alert handler
+	 */
+	tls_alert_t *alert;
+
+	/**
+	 * Peer identity, NULL for no client authentication
+	 */
+	identification_t *peer;
+
+	/**
+	 * Server identity
+	 */
+	identification_t *server;
+
+	/**
+	 * State we are in
+	 */
+	peer_state_t state;
+
+	/**
+	 * Hello random data selected by client
+	 */
+	char client_random[32];
+
+	/**
+	 * Hello random data selected by server
+	 */
+	char server_random[32];
+
+	/**
+	 * Auth helper for peer authentication
+	 */
+	auth_cfg_t *peer_auth;
+
+	/**
+	 * Auth helper for server authentication
+	 */
+	auth_cfg_t *server_auth;
+
+	/**
+	 * Peer private key
+	 */
+	private_key_t *private;
+
+	/**
+	 * DHE exchange
+	 */
+	diffie_hellman_t *dh;
+
+	/**
+	 * List of server-supported hashsig algorithms
+	 */
+	chunk_t hashsig;
+
+	/**
+	 * List of server-supported client certificate types
+	 */
+	chunk_t cert_types;
+};
+
+/**
+ * Process a server hello message
+ */
+static status_t process_server_hello(private_tls_peer_t *this,
+									 tls_reader_t *reader)
+{
+	u_int8_t compression;
+	u_int16_t version, cipher;
+	chunk_t random, session, ext = chunk_empty;
+	tls_cipher_suite_t suite;
+
+	this->crypto->append_handshake(this->crypto,
+								   TLS_SERVER_HELLO, reader->peek(reader));
+
+	if (!reader->read_uint16(reader, &version) ||
+		!reader->read_data(reader, sizeof(this->server_random), &random) ||
+		!reader->read_data8(reader, &session) ||
+		!reader->read_uint16(reader, &cipher) ||
+		!reader->read_uint8(reader, &compression) ||
+		(reader->remaining(reader) && !reader->read_data16(reader, &ext)))
+	{
+		DBG1(DBG_TLS, "received invalid ServerHello");
+		this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
+		return NEED_MORE;
+	}
+
+	memcpy(this->server_random, random.ptr, sizeof(this->server_random));
+
+	if (!this->tls->set_version(this->tls, version))
+	{
+		DBG1(DBG_TLS, "negotiated version %N not supported",
+			 tls_version_names, version);
+		this->alert->add(this->alert, TLS_FATAL, TLS_PROTOCOL_VERSION);
+		return NEED_MORE;
+	}
+	suite = cipher;
+	if (!this->crypto->select_cipher_suite(this->crypto, &suite, 1, KEY_ANY))
+	{
+		DBG1(DBG_TLS, "received TLS cipher suite %N inacceptable",
+			 tls_cipher_suite_names, suite);
+		this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
+		return NEED_MORE;
+	}
+	DBG1(DBG_TLS, "negotiated TLS version %N with suite %N",
+		 tls_version_names, version, tls_cipher_suite_names, suite);
+	this->state = STATE_HELLO_RECEIVED;
+	return NEED_MORE;
+}
+
+/**
+ * Check if a server certificate is acceptable for the given server identity
+ */
+static bool check_certificate(private_tls_peer_t *this, certificate_t *cert)
+{
+	identification_t *id;
+
+	if (cert->has_subject(cert, this->server))
+	{
+		return TRUE;
+	}
+	id = cert->get_subject(cert);
+	if (id->matches(id, this->server))
+	{
+		return TRUE;
+	}
+	if (cert->get_type(cert) == CERT_X509)
+	{
+		x509_t *x509 = (x509_t*)cert;
+		enumerator_t *enumerator;
+
+		enumerator = x509->create_subjectAltName_enumerator(x509);
+		while (enumerator->enumerate(enumerator, &id))
+		{
+			if (id->matches(id, this->server))
+			{
+				enumerator->destroy(enumerator);
+				return TRUE;
+			}
+		}
+		enumerator->destroy(enumerator);
+	}
+	DBG1(DBG_TLS, "server certificate does not match to '%Y'", this->server);
+	return FALSE;
+}
+
+/**
+ * Process a Certificate message
+ */
+static status_t process_certificate(private_tls_peer_t *this,
+									tls_reader_t *reader)
+{
+	certificate_t *cert;
+	tls_reader_t *certs;
+	chunk_t data;
+	bool first = TRUE;
+
+	this->crypto->append_handshake(this->crypto,
+								   TLS_CERTIFICATE, reader->peek(reader));
+
+	if (!reader->read_data24(reader, &data))
+	{
+		DBG1(DBG_TLS, "certificate message header invalid");
+		this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
+		return NEED_MORE;
+	}
+	certs = tls_reader_create(data);
+	while (certs->remaining(certs))
+	{
+		if (!certs->read_data24(certs, &data))
+		{
+			DBG1(DBG_TLS, "certificate message invalid");
+			this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
+			certs->destroy(certs);
+			return NEED_MORE;
+		}
+		cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+								  BUILD_BLOB_ASN1_DER, data, BUILD_END);
+		if (cert)
+		{
+			if (first)
+			{
+				if (!check_certificate(this, cert))
+				{
+					cert->destroy(cert);
+					certs->destroy(certs);
+					this->alert->add(this->alert, TLS_FATAL, TLS_ACCESS_DENIED);
+					return NEED_MORE;
+				}
+				this->server_auth->add(this->server_auth,
+									   AUTH_HELPER_SUBJECT_CERT, cert);
+				DBG1(DBG_TLS, "received TLS server certificate '%Y'",
+					 cert->get_subject(cert));
+				first = FALSE;
+			}
+			else
+			{
+				DBG1(DBG_TLS, "received TLS intermediate certificate '%Y'",
+					 cert->get_subject(cert));
+				this->server_auth->add(this->server_auth,
+									   AUTH_HELPER_IM_CERT, cert);
+			}
+		}
+		else
+		{
+			DBG1(DBG_TLS, "parsing TLS certificate failed, skipped");
+			this->alert->add(this->alert, TLS_WARNING, TLS_BAD_CERTIFICATE);
+		}
+	}
+	certs->destroy(certs);
+	this->state = STATE_CERT_RECEIVED;
+	return NEED_MORE;
+}
+
+/**
+ * Find a trusted public key to encrypt/verify key exchange data
+ */
+static public_key_t *find_public_key(private_tls_peer_t *this)
+{
+	public_key_t *public = NULL, *current;
+	certificate_t *cert;
+	enumerator_t *enumerator;
+	auth_cfg_t *auth;
+
+	cert = this->server_auth->get(this->server_auth, AUTH_HELPER_SUBJECT_CERT);
+	if (cert)
+	{
+		enumerator = lib->credmgr->create_public_enumerator(lib->credmgr,
+						KEY_ANY, cert->get_subject(cert), this->server_auth);
+		while (enumerator->enumerate(enumerator, &current, &auth))
+		{
+			public = current->get_ref(current);
+			break;
+		}
+		enumerator->destroy(enumerator);
+	}
+	return public;
+}
+
+/**
+ * Process a Key Exchange message using MODP Diffie Hellman
+ */
+static status_t process_modp_key_exchange(private_tls_peer_t *this,
+										  tls_reader_t *reader)
+{
+	chunk_t prime, generator, pub, chunk;
+	public_key_t *public;
+
+	chunk = reader->peek(reader);
+	if (!reader->read_data16(reader, &prime) ||
+		!reader->read_data16(reader, &generator) ||
+		!reader->read_data16(reader, &pub))
+	{
+		DBG1(DBG_TLS, "received invalid Server Key Exchange");
+		this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
+		return NEED_MORE;
+	}
+	public = find_public_key(this);
+	if (!public)
+	{
+		DBG1(DBG_TLS, "no TLS public key found for server '%Y'", this->server);
+		this->alert->add(this->alert, TLS_FATAL, TLS_CERTIFICATE_UNKNOWN);
+		return NEED_MORE;
+	}
+
+	chunk.len = 2 + prime.len + 2 + generator.len + 2 + pub.len;
+	chunk = chunk_cat("ccc", chunk_from_thing(this->client_random),
+					  chunk_from_thing(this->server_random), chunk);
+	if (!this->crypto->verify(this->crypto, public, reader, chunk))
+	{
+		public->destroy(public);
+		free(chunk.ptr);
+		DBG1(DBG_TLS, "verifying DH parameters failed");
+		this->alert->add(this->alert, TLS_FATAL, TLS_BAD_CERTIFICATE);
+		return NEED_MORE;
+	}
+	public->destroy(public);
+	free(chunk.ptr);
+
+	this->dh = lib->crypto->create_dh(lib->crypto, MODP_CUSTOM,
+									  generator, prime);
+	if (!this->dh)
+	{
+		DBG1(DBG_TLS, "custom DH parameters not supported");
+		this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
+		return NEED_MORE;
+	}
+	this->dh->set_other_public_value(this->dh, pub);
+
+	this->state = STATE_KEY_EXCHANGE_RECEIVED;
+	return NEED_MORE;
+}
+
+/**
+ * Get the EC group for a TLS named curve
+ */
+static diffie_hellman_group_t curve_to_ec_group(private_tls_peer_t *this,
+												tls_named_curve_t curve)
+{
+	diffie_hellman_group_t group;
+	tls_named_curve_t current;
+	enumerator_t *enumerator;
+
+	enumerator = this->crypto->create_ec_enumerator(this->crypto);
+	while (enumerator->enumerate(enumerator, &group, &current))
+	{
+		if (current == curve)
+		{
+			enumerator->destroy(enumerator);
+			return group;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return 0;
+}
+
+/**
+ * Process a Key Exchange message using EC Diffie Hellman
+ */
+static status_t process_ec_key_exchange(private_tls_peer_t *this,
+										tls_reader_t *reader)
+{
+	diffie_hellman_group_t group;
+	public_key_t *public;
+	u_int8_t type;
+	u_int16_t curve;
+	chunk_t pub, chunk;
+
+	chunk = reader->peek(reader);
+	if (!reader->read_uint8(reader, &type))
+	{
+		DBG1(DBG_TLS, "received invalid Server Key Exchange");
+		this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
+		return NEED_MORE;
+	}
+	if (type != TLS_ECC_NAMED_CURVE)
+	{
+		DBG1(DBG_TLS, "ECDH curve type %N not supported",
+			 tls_ecc_curve_type_names, type);
+		this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
+		return NEED_MORE;
+	}
+	if (!reader->read_uint16(reader, &curve) ||
+		!reader->read_data8(reader, &pub) || pub.len == 0)
+	{
+		DBG1(DBG_TLS, "received invalid Server Key Exchange");
+		this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
+		return NEED_MORE;
+	}
+
+	group = curve_to_ec_group(this, curve);
+	if (!group)
+	{
+		DBG1(DBG_TLS, "ECDH curve %N not supported",
+			 tls_named_curve_names, curve);
+		this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
+		return NEED_MORE;
+	}
+
+	public = find_public_key(this);
+	if (!public)
+	{
+		DBG1(DBG_TLS, "no TLS public key found for server '%Y'", this->server);
+		this->alert->add(this->alert, TLS_FATAL, TLS_CERTIFICATE_UNKNOWN);
+		return NEED_MORE;
+	}
+
+	chunk.len = 4 + pub.len;
+	chunk = chunk_cat("ccc", chunk_from_thing(this->client_random),
+					  chunk_from_thing(this->server_random), chunk);
+	if (!this->crypto->verify(this->crypto, public, reader, chunk))
+	{
+		public->destroy(public);
+		free(chunk.ptr);
+		DBG1(DBG_TLS, "verifying DH parameters failed");
+		this->alert->add(this->alert, TLS_FATAL, TLS_BAD_CERTIFICATE);
+		return NEED_MORE;
+	}
+	public->destroy(public);
+	free(chunk.ptr);
+
+	this->dh = lib->crypto->create_dh(lib->crypto, group);
+	if (!this->dh)
+	{
+		DBG1(DBG_TLS, "DH group %N not supported",
+			 diffie_hellman_group_names, group);
+		this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
+		return NEED_MORE;
+	}
+
+	if (pub.ptr[0] != TLS_ANSI_UNCOMPRESSED)
+	{
+		DBG1(DBG_TLS, "DH point format '%N' not supported",
+			 tls_ansi_point_format_names, pub.ptr[0]);
+		this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
+		return NEED_MORE;
+	}
+	this->dh->set_other_public_value(this->dh, chunk_skip(pub, 1));
+
+	this->state = STATE_KEY_EXCHANGE_RECEIVED;
+	return NEED_MORE;
+}
+
+/**
+ * Process a Server Key Exchange
+ */
+static status_t process_key_exchange(private_tls_peer_t *this,
+									 tls_reader_t *reader)
+{
+	diffie_hellman_group_t group;
+
+	this->crypto->append_handshake(this->crypto,
+								TLS_SERVER_KEY_EXCHANGE, reader->peek(reader));
+
+	group = this->crypto->get_dh_group(this->crypto);
+	if (group == MODP_NONE)
+	{
+		DBG1(DBG_TLS, "received Server Key Exchange, but not required "
+			 "for current suite");
+		this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
+		return NEED_MORE;
+	}
+	if (diffie_hellman_group_is_ec(group))
+	{
+		return process_ec_key_exchange(this, reader);
+	}
+	return process_modp_key_exchange(this, reader);
+}
+
+/**
+ * Process a Certificate Request message
+ */
+static status_t process_certreq(private_tls_peer_t *this, tls_reader_t *reader)
+{
+	chunk_t types, hashsig, data;
+	tls_reader_t *authorities;
+	identification_t *id;
+	certificate_t *cert;
+
+	if (!this->peer)
+	{
+		DBG1(DBG_TLS, "server requested a certificate, but client "
+			 "authentication disabled");
+		this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
+		return NEED_MORE;
+	}
+	this->crypto->append_handshake(this->crypto,
+								TLS_CERTIFICATE_REQUEST, reader->peek(reader));
+
+	if (!reader->read_data8(reader, &types))
+	{
+		DBG1(DBG_TLS, "certreq message header invalid");
+		this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
+		return NEED_MORE;
+	}
+	this->cert_types = chunk_clone(types);
+	if (this->tls->get_version(this->tls) >= TLS_1_2)
+	{
+		if (!reader->read_data16(reader, &hashsig))
+		{
+			DBG1(DBG_TLS, "certreq message invalid");
+			this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
+			return NEED_MORE;
+		}
+		this->hashsig = chunk_clone(hashsig);
+	}
+	if (!reader->read_data16(reader, &data))
+	{
+		DBG1(DBG_TLS, "certreq message invalid");
+		this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
+		return NEED_MORE;
+	}
+	authorities = tls_reader_create(data);
+	while (authorities->remaining(authorities))
+	{
+		if (!authorities->read_data16(authorities, &data))
+		{
+			DBG1(DBG_TLS, "certreq message invalid");
+			this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
+			authorities->destroy(authorities);
+			return NEED_MORE;
+		}
+		id = identification_create_from_encoding(ID_DER_ASN1_DN, data);
+		cert = lib->credmgr->get_cert(lib->credmgr,
+									  CERT_X509, KEY_ANY, id, TRUE);
+		if (cert)
+		{
+			DBG1(DBG_TLS, "received TLS cert request for '%Y", id);
+			this->peer_auth->add(this->peer_auth, AUTH_RULE_CA_CERT, cert);
+		}
+		else
+		{
+			DBG1(DBG_TLS, "received TLS cert request for unknown CA '%Y'", id);
+		}
+		id->destroy(id);
+	}
+	authorities->destroy(authorities);
+	this->state = STATE_CERTREQ_RECEIVED;
+	return NEED_MORE;
+}
+
+/**
+ * Process Hello Done message
+ */
+static status_t process_hello_done(private_tls_peer_t *this,
+								   tls_reader_t *reader)
+{
+	this->crypto->append_handshake(this->crypto,
+								   TLS_SERVER_HELLO_DONE, reader->peek(reader));
+	this->state = STATE_HELLO_DONE;
+	return NEED_MORE;
+}
+
+/**
+ * Process finished message
+ */
+static status_t process_finished(private_tls_peer_t *this, tls_reader_t *reader)
+{
+	chunk_t received;
+	char buf[12];
+
+	if (!reader->read_data(reader, sizeof(buf), &received))
+	{
+		DBG1(DBG_TLS, "received server finished too short");
+		this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
+		return NEED_MORE;
+	}
+	if (!this->crypto->calculate_finished(this->crypto, "server finished", buf))
+	{
+		DBG1(DBG_TLS, "calculating server finished failed");
+		this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
+		return NEED_MORE;
+	}
+	if (!chunk_equals(received, chunk_from_thing(buf)))
+	{
+		DBG1(DBG_TLS, "received server finished invalid");
+		this->alert->add(this->alert, TLS_FATAL, TLS_DECRYPT_ERROR);
+		return NEED_MORE;
+	}
+	this->state = STATE_COMPLETE;
+	this->crypto->derive_eap_msk(this->crypto,
+								 chunk_from_thing(this->client_random),
+								 chunk_from_thing(this->server_random));
+	return NEED_MORE;
+}
+
+METHOD(tls_handshake_t, process, status_t,
+	private_tls_peer_t *this, tls_handshake_type_t type, tls_reader_t *reader)
+{
+	tls_handshake_type_t expected;
+
+	switch (this->state)
+	{
+		case STATE_HELLO_SENT:
+			if (type == TLS_SERVER_HELLO)
+			{
+				return process_server_hello(this, reader);
+			}
+			expected = TLS_SERVER_HELLO;
+			break;
+		case STATE_HELLO_RECEIVED:
+			if (type == TLS_CERTIFICATE)
+			{
+				return process_certificate(this, reader);
+			}
+			expected = TLS_CERTIFICATE;
+			break;
+		case STATE_CERT_RECEIVED:
+			if (type == TLS_SERVER_KEY_EXCHANGE)
+			{
+				return process_key_exchange(this, reader);
+			}
+			/* fall through since TLS_SERVER_KEY_EXCHANGE is optional */
+		case STATE_KEY_EXCHANGE_RECEIVED:
+			if (type == TLS_CERTIFICATE_REQUEST)
+			{
+				return process_certreq(this, reader);
+			}
+			this->peer = NULL;
+			/* fall through since TLS_CERTIFICATE_REQUEST is optional */
+		case STATE_CERTREQ_RECEIVED:
+			if (type == TLS_SERVER_HELLO_DONE)
+			{
+				return process_hello_done(this, reader);
+			}
+			expected = TLS_SERVER_HELLO_DONE;
+			break;
+		case STATE_CIPHERSPEC_CHANGED_IN:
+			if (type == TLS_FINISHED)
+			{
+				return process_finished(this, reader);
+			}
+			expected = TLS_FINISHED;
+			break;
+		default:
+			DBG1(DBG_TLS, "TLS %N not expected in current state",
+				 tls_handshake_type_names, type);
+			this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE);
+			return NEED_MORE;
+	}
+	DBG1(DBG_TLS, "TLS %N expected, but received %N",
+		 tls_handshake_type_names, expected, tls_handshake_type_names, type);
+	this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE);
+	return NEED_MORE;
+}
+
+/**
+ * Send a client hello
+ */
+static status_t send_client_hello(private_tls_peer_t *this,
+							tls_handshake_type_t *type, tls_writer_t *writer)
+{
+	tls_cipher_suite_t *suites;
+	tls_writer_t *extensions, *curves = NULL;
+	tls_version_t version;
+	tls_named_curve_t curve;
+	enumerator_t *enumerator;
+	int count, i;
+	rng_t *rng;
+
+	htoun32(&this->client_random, time(NULL));
+	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
+	if (!rng)
+	{
+		DBG1(DBG_TLS, "no suitable RNG found to generate client random");
+		this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
+		return NEED_MORE;
+	}
+	rng->get_bytes(rng, sizeof(this->client_random) - 4, this->client_random + 4);
+	rng->destroy(rng);
+
+	/* TLS version */
+	version = this->tls->get_version(this->tls);
+	writer->write_uint16(writer, version);
+	writer->write_data(writer, chunk_from_thing(this->client_random));
+
+	/* session identifier => none */
+	writer->write_data8(writer, chunk_empty);
+
+	/* add TLS cipher suites */
+	count = this->crypto->get_cipher_suites(this->crypto, &suites);
+	writer->write_uint16(writer, count * 2);
+	for (i = 0; i < count; i++)
+	{
+		writer->write_uint16(writer, suites[i]);
+	}
+
+	/* NULL compression only */
+	writer->write_uint8(writer, 1);
+	writer->write_uint8(writer, 0);
+
+	extensions = tls_writer_create(32);
+
+	extensions->write_uint16(extensions, TLS_EXT_SIGNATURE_ALGORITHMS);
+	this->crypto->get_signature_algorithms(this->crypto, extensions);
+
+	/* add supported Elliptic Curves, if any */
+	enumerator = this->crypto->create_ec_enumerator(this->crypto);
+	while (enumerator->enumerate(enumerator, NULL, &curve))
+	{
+		if (!curves)
+		{
+			extensions->write_uint16(extensions, TLS_EXT_ELLIPTIC_CURVES);
+			curves = tls_writer_create(16);
+		}
+		curves->write_uint16(curves, curve);
+	}
+	enumerator->destroy(enumerator);
+	if (curves)
+	{
+		extensions->write_data16(extensions, curves->get_buf(curves));
+		curves->destroy(curves);
+
+		/* if we support curves, add point format extension */
+		extensions->write_uint16(extensions, TLS_EXT_EC_POINT_FORMATS);
+		extensions->write_uint16(extensions, 2);
+		extensions->write_uint8(extensions, 1);
+		extensions->write_uint8(extensions, TLS_EC_POINT_UNCOMPRESSED);
+	}
+
+	writer->write_data16(writer, extensions->get_buf(extensions));
+	extensions->destroy(extensions);
+
+	*type = TLS_CLIENT_HELLO;
+	this->state = STATE_HELLO_SENT;
+	this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
+	return NEED_MORE;
+}
+
+/**
+ * Find a private key suitable to sign Certificate Verify
+ */
+static private_key_t *find_private_key(private_tls_peer_t *this)
+{
+	private_key_t *key = NULL;
+	tls_reader_t *reader;
+	key_type_t type;
+	u_int8_t cert;
+
+	if (!this->peer)
+	{
+		return NULL;
+	}
+	reader = tls_reader_create(this->cert_types);
+	while (reader->remaining(reader) && reader->read_uint8(reader, &cert))
+	{
+		switch (cert)
+		{
+			case TLS_RSA_SIGN:
+				type = KEY_RSA;
+				break;
+			case TLS_ECDSA_SIGN:
+				type = KEY_ECDSA;
+				break;
+			default:
+				continue;
+		}
+		key = lib->credmgr->get_private(lib->credmgr, type,
+										this->peer, this->peer_auth);
+		if (key)
+		{
+			break;
+		}
+	}
+	reader->destroy(reader);
+	return key;
+}
+
+/**
+ * Send Certificate
+ */
+static status_t send_certificate(private_tls_peer_t *this,
+							tls_handshake_type_t *type, tls_writer_t *writer)
+{
+	enumerator_t *enumerator;
+	certificate_t *cert;
+	auth_rule_t rule;
+	tls_writer_t *certs;
+	chunk_t data;
+
+	this->private = find_private_key(this);
+	if (!this->private)
+	{
+		DBG1(DBG_TLS, "no TLS peer certificate found for '%Y'", this->peer);
+		this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
+		return NEED_MORE;
+	}
+
+	/* generate certificate payload */
+	certs = tls_writer_create(256);
+	cert = this->peer_auth->get(this->peer_auth, AUTH_RULE_SUBJECT_CERT);
+	if (cert)
+	{
+		if (cert->get_encoding(cert, CERT_ASN1_DER, &data))
+		{
+			DBG1(DBG_TLS, "sending TLS peer certificate '%Y'",
+				 cert->get_subject(cert));
+			certs->write_data24(certs, data);
+			free(data.ptr);
+		}
+	}
+	enumerator = this->peer_auth->create_enumerator(this->peer_auth);
+	while (enumerator->enumerate(enumerator, &rule, &cert))
+	{
+		if (rule == AUTH_RULE_IM_CERT)
+		{
+			if (cert->get_encoding(cert, CERT_ASN1_DER, &data))
+			{
+				DBG1(DBG_TLS, "sending TLS intermediate certificate '%Y'",
+					 cert->get_subject(cert));
+				certs->write_data24(certs, data);
+				free(data.ptr);
+			}
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	writer->write_data24(writer, certs->get_buf(certs));
+	certs->destroy(certs);
+
+	*type = TLS_CERTIFICATE;
+	this->state = STATE_CERT_SENT;
+	this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
+	return NEED_MORE;
+}
+
+/**
+ * Send client key exchange, using premaster encryption
+ */
+static status_t send_key_exchange_encrypt(private_tls_peer_t *this,
+							tls_handshake_type_t *type, tls_writer_t *writer)
+{
+	public_key_t *public;
+	rng_t *rng;
+	char premaster[48];
+	chunk_t encrypted;
+
+	rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
+	if (!rng)
+	{
+		DBG1(DBG_TLS, "no suitable RNG found for TLS premaster secret");
+		this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
+		return NEED_MORE;
+	}
+	rng->get_bytes(rng, sizeof(premaster) - 2, premaster + 2);
+	rng->destroy(rng);
+	htoun16(premaster, TLS_1_2);
+
+	this->crypto->derive_secrets(this->crypto, chunk_from_thing(premaster),
+								 chunk_from_thing(this->client_random),
+								 chunk_from_thing(this->server_random));
+
+	public = find_public_key(this);
+	if (!public)
+	{
+		DBG1(DBG_TLS, "no TLS public key found for server '%Y'", this->server);
+		this->alert->add(this->alert, TLS_FATAL, TLS_CERTIFICATE_UNKNOWN);
+		return NEED_MORE;
+	}
+	if (!public->encrypt(public, ENCRYPT_RSA_PKCS1,
+						 chunk_from_thing(premaster), &encrypted))
+	{
+		public->destroy(public);
+		DBG1(DBG_TLS, "encrypting TLS premaster secret failed");
+		this->alert->add(this->alert, TLS_FATAL, TLS_BAD_CERTIFICATE);
+		return NEED_MORE;
+	}
+	public->destroy(public);
+
+	writer->write_data16(writer, encrypted);
+	free(encrypted.ptr);
+
+	*type = TLS_CLIENT_KEY_EXCHANGE;
+	this->state = STATE_KEY_EXCHANGE_SENT;
+	this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
+	return NEED_MORE;
+}
+
+/**
+ * Send client key exchange, using DHE exchange
+ */
+static status_t send_key_exchange_dhe(private_tls_peer_t *this,
+							tls_handshake_type_t *type, tls_writer_t *writer)
+{
+	chunk_t premaster, pub;
+
+	if (this->dh->get_shared_secret(this->dh, &premaster) != SUCCESS)
+	{
+		DBG1(DBG_TLS, "calculating premaster from DH failed");
+		this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
+		return NEED_MORE;
+	}
+	this->crypto->derive_secrets(this->crypto, premaster,
+								 chunk_from_thing(this->client_random),
+								 chunk_from_thing(this->server_random));
+	chunk_clear(&premaster);
+
+	this->dh->get_my_public_value(this->dh, &pub);
+	if (this->dh->get_dh_group(this->dh) == MODP_CUSTOM)
+	{
+		writer->write_data16(writer, pub);
+	}
+	else
+	{	/* ECP uses 8bit length header only, but a point format */
+		writer->write_uint8(writer, pub.len + 1);
+		writer->write_uint8(writer, TLS_ANSI_UNCOMPRESSED);
+		writer->write_data(writer, pub);
+	}
+	free(pub.ptr);
+
+	*type = TLS_CLIENT_KEY_EXCHANGE;
+	this->state = STATE_KEY_EXCHANGE_SENT;
+	this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
+	return NEED_MORE;
+}
+
+/**
+ * Send client key exchange, depending on suite
+ */
+static status_t send_key_exchange(private_tls_peer_t *this,
+							tls_handshake_type_t *type, tls_writer_t *writer)
+{
+	if (this->dh)
+	{
+		return send_key_exchange_dhe(this, type, writer);
+	}
+	return send_key_exchange_encrypt(this, type, writer);
+}
+
+/**
+ * Send certificate verify
+ */
+static status_t send_certificate_verify(private_tls_peer_t *this,
+							tls_handshake_type_t *type, tls_writer_t *writer)
+{
+	if (!this->private ||
+		!this->crypto->sign_handshake(this->crypto, this->private,
+									  writer, this->hashsig))
+	{
+		DBG1(DBG_TLS, "creating TLS Certificate Verify signature failed");
+		this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
+		return NEED_MORE;
+	}
+
+	*type = TLS_CERTIFICATE_VERIFY;
+	this->state = STATE_VERIFY_SENT;
+	this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
+	return NEED_MORE;
+}
+
+/**
+ * Send Finished
+ */
+static status_t send_finished(private_tls_peer_t *this,
+							  tls_handshake_type_t *type, tls_writer_t *writer)
+{
+	char buf[12];
+
+	if (!this->crypto->calculate_finished(this->crypto, "client finished", buf))
+	{
+		DBG1(DBG_TLS, "calculating client finished data failed");
+		this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
+		return NEED_MORE;
+	}
+
+	writer->write_data(writer, chunk_from_thing(buf));
+
+	*type = TLS_FINISHED;
+	this->state = STATE_FINISHED_SENT;
+	this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
+	return NEED_MORE;
+}
+
+METHOD(tls_handshake_t, build, status_t,
+	private_tls_peer_t *this, tls_handshake_type_t *type, tls_writer_t *writer)
+{
+	switch (this->state)
+	{
+		case STATE_INIT:
+			return send_client_hello(this, type, writer);
+		case STATE_HELLO_DONE:
+			if (this->peer)
+			{
+				return send_certificate(this, type, writer);
+			}
+			/* otherwise fall through to next state */
+		case STATE_CERT_SENT:
+			return send_key_exchange(this, type, writer);
+		case STATE_KEY_EXCHANGE_SENT:
+			if (this->peer)
+			{
+				return send_certificate_verify(this, type, writer);
+			}
+			else
+			{
+				return INVALID_STATE;
+			}
+		case STATE_CIPHERSPEC_CHANGED_OUT:
+			return send_finished(this, type, writer);
+		default:
+			return INVALID_STATE;
+	}
+}
+
+METHOD(tls_handshake_t, cipherspec_changed, bool,
+	private_tls_peer_t *this)
+{
+	if ((this->peer && this->state == STATE_VERIFY_SENT) ||
+	   (!this->peer && this->state == STATE_KEY_EXCHANGE_SENT))
+	{
+		this->crypto->change_cipher(this->crypto, FALSE);
+		this->state = STATE_CIPHERSPEC_CHANGED_OUT;
+		return TRUE;
+	}
+	return FALSE;
+}
+
+METHOD(tls_handshake_t, change_cipherspec, bool,
+	private_tls_peer_t *this)
+{
+	if (this->state == STATE_FINISHED_SENT)
+	{
+		this->crypto->change_cipher(this->crypto, TRUE);
+		this->state = STATE_CIPHERSPEC_CHANGED_IN;
+		return TRUE;
+	}
+	return FALSE;
+}
+
+METHOD(tls_handshake_t, finished, bool,
+	private_tls_peer_t *this)
+{
+	return this->state == STATE_COMPLETE;
+}
+
+METHOD(tls_handshake_t, destroy, void,
+	private_tls_peer_t *this)
+{
+	DESTROY_IF(this->private);
+	DESTROY_IF(this->dh);
+	this->peer_auth->destroy(this->peer_auth);
+	this->server_auth->destroy(this->server_auth);
+	free(this->hashsig.ptr);
+	free(this->cert_types.ptr);
+	free(this);
+}
+
+/**
+ * See header
+ */
+tls_peer_t *tls_peer_create(tls_t *tls, tls_crypto_t *crypto, tls_alert_t *alert,
+							identification_t *peer, identification_t *server)
+{
+	private_tls_peer_t *this;
+
+	INIT(this,
+		.public = {
+			.handshake = {
+				.process = _process,
+				.build = _build,
+				.cipherspec_changed = _cipherspec_changed,
+				.change_cipherspec = _change_cipherspec,
+				.finished = _finished,
+				.destroy = _destroy,
+			},
+		},
+		.state = STATE_INIT,
+		.tls = tls,
+		.crypto = crypto,
+		.alert = alert,
+		.peer = peer,
+		.server = server,
+		.peer_auth = auth_cfg_create(),
+		.server_auth = auth_cfg_create(),
+	);
+
+	return &this->public;
+}
diff --git a/src/libtls/tls_peer.h b/src/libtls/tls_peer.h
new file mode 100644
index 000000000..f773ea72e
--- /dev/null
+++ b/src/libtls/tls_peer.h
@@ -0,0 +1,54 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tls_peer tls_peer
+ * @{ @ingroup libtls
+ */
+
+#ifndef TLS_PEER_H_
+#define TLS_PEER_H_
+
+typedef struct tls_peer_t tls_peer_t;
+
+#include "tls_handshake.h"
+#include "tls_crypto.h"
+
+#include <library.h>
+
+/**
+ * TLS handshake protocol handler as peer.
+ */
+struct tls_peer_t {
+
+	/**
+	 * Implements the TLS handshake protocol handler.
+	 */
+	tls_handshake_t handshake;
+};
+
+/**
+ * Create a tls_peer instance.
+*
+ * @param tls		TLS stack
+ * @param crypto	TLS crypto helper
+ * @param alert		TLS alert handler
+ * @param peer		peer identity
+ * @param server	server identity
+ */
+tls_peer_t *tls_peer_create(tls_t *tls, tls_crypto_t *crypto, tls_alert_t *alert,
+							identification_t *peer, identification_t *server);
+
+#endif /** TLS_PEER_H_ @}*/
diff --git a/src/libtls/tls_prf.c b/src/libtls/tls_prf.c
new file mode 100644
index 000000000..f181d01d3
--- /dev/null
+++ b/src/libtls/tls_prf.c
@@ -0,0 +1,190 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "tls_prf.h"
+
+typedef struct private_tls_prf12_t private_tls_prf12_t;
+
+/**
+ * Private data of an tls_prf_t object.
+ */
+struct private_tls_prf12_t {
+
+	/**
+	 * Public tls_prf_t interface.
+	 */
+	tls_prf_t public;
+
+	/**
+	 * Underlying primitive PRF
+	 */
+	prf_t *prf;
+};
+
+METHOD(tls_prf_t, set_key12, void,
+	private_tls_prf12_t *this, chunk_t key)
+{
+	this->prf->set_key(this->prf, key);
+}
+
+/**
+ * The P_hash function as in TLS 1.0/1.2
+ */
+static void p_hash(prf_t *prf, char *label, chunk_t seed, size_t block_size,
+				   size_t bytes, char *out)
+{
+	char buf[block_size], abuf[block_size];
+	chunk_t a;
+
+	/* seed = label + seed */
+	seed = chunk_cata("cc", chunk_create(label, strlen(label)), seed);
+	/* A(0) = seed */
+	a = seed;
+
+	while (TRUE)
+	{
+		/* A(i) = HMAC_hash(secret, A(i-1)) */
+		prf->get_bytes(prf, a, abuf);
+		a = chunk_from_thing(abuf);
+		/* HMAC_hash(secret, A(i) + seed) */
+		prf->get_bytes(prf, a, NULL);
+		prf->get_bytes(prf, seed, buf);
+
+		if (bytes <= block_size)
+		{
+			memcpy(out, buf, bytes);
+			break;
+		}
+		memcpy(out, buf, block_size);
+		out += block_size;
+		bytes -= block_size;
+	}
+}
+
+METHOD(tls_prf_t, get_bytes12, void,
+	private_tls_prf12_t *this, char *label, chunk_t seed,
+	size_t bytes, char *out)
+{
+	p_hash(this->prf, label, seed, this->prf->get_block_size(this->prf),
+		   bytes, out);
+}
+
+METHOD(tls_prf_t, destroy12, void,
+	private_tls_prf12_t *this)
+{
+	this->prf->destroy(this->prf);
+	free(this);
+}
+
+/**
+ * See header
+ */
+tls_prf_t *tls_prf_create_12(pseudo_random_function_t prf)
+{
+	private_tls_prf12_t *this;
+
+	INIT(this,
+		.public = {
+			.set_key = _set_key12,
+			.get_bytes = _get_bytes12,
+			.destroy = _destroy12,
+		},
+		.prf = lib->crypto->create_prf(lib->crypto, prf),
+	);
+	if (!this->prf)
+	{
+		free(this);
+		return NULL;
+	}
+	return &this->public;
+}
+
+
+typedef struct private_tls_prf10_t private_tls_prf10_t;
+
+/**
+ * Private data of an tls_prf_t object.
+ */
+struct private_tls_prf10_t {
+
+	/**
+	 * Public tls_prf_t interface.
+	 */
+	tls_prf_t public;
+
+	/**
+	 * Underlying MD5 PRF
+	 */
+	prf_t *md5;
+
+	/**
+	 * Underlying SHA1 PRF
+	 */
+	prf_t *sha1;
+};
+
+METHOD(tls_prf_t, set_key10, void,
+	private_tls_prf10_t *this, chunk_t key)
+{
+	size_t len = key.len / 2 + key.len % 2;
+
+	this->md5->set_key(this->md5, chunk_create(key.ptr, len));
+	this->sha1->set_key(this->sha1, chunk_create(key.ptr + key.len - len, len));
+}
+
+METHOD(tls_prf_t, get_bytes10, void,
+	private_tls_prf10_t *this, char *label, chunk_t seed,
+	size_t bytes, char *out)
+{
+	char buf[bytes];
+
+	p_hash(this->md5, label, seed, this->md5->get_block_size(this->md5),
+		   bytes, out);
+	p_hash(this->sha1, label, seed, this->sha1->get_block_size(this->sha1),
+		   bytes, buf);
+	memxor(out, buf, bytes);
+}
+
+METHOD(tls_prf_t, destroy10, void,
+	private_tls_prf10_t *this)
+{
+	DESTROY_IF(this->md5);
+	DESTROY_IF(this->sha1);
+	free(this);
+}
+
+/**
+ * See header
+ */
+tls_prf_t *tls_prf_create_10(pseudo_random_function_t prf)
+{
+	private_tls_prf10_t *this;
+
+	INIT(this,
+		.public = {
+			.set_key = _set_key10,
+			.get_bytes = _get_bytes10,
+			.destroy = _destroy10,
+		},
+		.md5 = lib->crypto->create_prf(lib->crypto, PRF_HMAC_MD5),
+		.sha1 = lib->crypto->create_prf(lib->crypto, PRF_HMAC_SHA1),
+	);
+	if (!this->md5 || !this->sha1)
+	{
+		destroy10(this);
+		return NULL;
+	}
+	return &this->public;
+}
diff --git a/src/libtls/tls_prf.h b/src/libtls/tls_prf.h
new file mode 100644
index 000000000..9fb9bc2de
--- /dev/null
+++ b/src/libtls/tls_prf.h
@@ -0,0 +1,72 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tls_prf tls_prf
+ * @{ @ingroup libtls
+ */
+
+#ifndef TLS_PRF_H_
+#define TLS_PRF_H_
+
+typedef struct tls_prf_t tls_prf_t;
+
+#include <crypto/prfs/prf.h>
+
+/**
+ * The PRF function specified on TLS, based on HMAC.
+ */
+struct tls_prf_t {
+
+	/**
+	 * Set the key of the PRF function.
+	 *
+	 * @param key		key to set
+	 */
+	void (*set_key)(tls_prf_t *this, chunk_t key);
+
+	/**
+	 * Generate a series of bytes using a label and a seed.
+	 *
+	 * @param label		ASCII input label
+	 * @param seed		seed input value
+	 * @param bytes		number of bytes to get
+	 * @param out		buffer receiving bytes
+	 */
+	void (*get_bytes)(tls_prf_t *this, char *label, chunk_t seed,
+					  size_t bytes, char *out);
+
+	/**
+	 * Destroy a tls_prf_t.
+	 */
+	void (*destroy)(tls_prf_t *this);
+};
+
+/**
+ * Create a tls_prf instance with specific algorithm as in TLS 1.2.
+ *
+ * @param prf			underlying PRF function to use
+ * @return				TLS PRF algorithm
+ */
+tls_prf_t *tls_prf_create_12(pseudo_random_function_t prf);
+
+/**
+ * Create a tls_prf instance with XOred SHA1/MD5 as in TLS 1.0/1.1.
+ *
+ * @return				TLS PRF algorithm
+ */
+tls_prf_t *tls_prf_create_10();
+
+#endif /** TLS_PRF_H_ @}*/
diff --git a/src/libtls/tls_protection.c b/src/libtls/tls_protection.c
new file mode 100644
index 000000000..d823bae04
--- /dev/null
+++ b/src/libtls/tls_protection.c
@@ -0,0 +1,333 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "tls_protection.h"
+
+#include <debug.h>
+
+typedef struct private_tls_protection_t private_tls_protection_t;
+
+/**
+ * Private data of an tls_protection_t object.
+ */
+struct private_tls_protection_t {
+
+	/**
+	 * Public tls_protection_t interface.
+	 */
+	tls_protection_t public;
+
+	/**
+	 * negotiated TLS version
+	 */
+	tls_version_t version;
+
+	/**
+	 * Upper layer, TLS record compression
+	 */
+	tls_compression_t *compression;
+
+	/**
+	 * TLS alert handler
+	 */
+	tls_alert_t *alert;
+
+	/**
+	 * RNG if we generate IVs ourself
+	 */
+	rng_t *rng;
+
+	/**
+	 * Sequence number of incoming records
+	 */
+	u_int32_t seq_in;
+
+	/**
+	 * Sequence number for outgoing records
+	 */
+	u_int32_t seq_out;
+
+	/**
+	 * Signer instance for inbound traffic
+	 */
+	signer_t *signer_in;
+
+	/**
+	 * Signer instance for outbound traffic
+	 */
+	signer_t *signer_out;
+
+	/**
+	 * Crypter instance for inbound traffic
+	 */
+	crypter_t *crypter_in;
+
+	/**
+	 * Crypter instance for outbound traffic
+	 */
+	crypter_t *crypter_out;
+
+	/**
+	 * Current IV for input decryption
+	 */
+	chunk_t iv_in;
+
+	/**
+	 * Current IV for output decryption
+	 */
+	chunk_t iv_out;
+};
+
+/**
+ * Create the header to append to the record data to create the MAC
+ */
+static chunk_t sigheader(u_int32_t seq, u_int8_t type,
+						 u_int16_t version, u_int16_t length)
+{
+	/* we only support 32 bit sequence numbers, but TLS uses 64 bit */
+	u_int32_t seq_high = 0;
+
+	seq = htonl(seq);
+	version = htons(version);
+	length = htons(length);
+
+	return chunk_cat("ccccc", chunk_from_thing(seq_high),
+					chunk_from_thing(seq), chunk_from_thing(type),
+					chunk_from_thing(version), chunk_from_thing(length));
+}
+
+METHOD(tls_protection_t, process, status_t,
+	private_tls_protection_t *this, tls_content_type_t type, chunk_t data)
+{
+	if (this->alert->fatal(this->alert))
+	{	/* don't accept more input, fatal error ocurred */
+		return NEED_MORE;
+	}
+
+	if (this->crypter_in)
+	{
+		chunk_t iv, next_iv = chunk_empty;
+		u_int8_t bs, padding_length;
+
+		bs = this->crypter_in->get_block_size(this->crypter_in);
+		if (this->iv_in.len)
+		{	/* < TLSv1.1 uses IV from key derivation/last block */
+			if (data.len < bs || data.len % bs)
+			{
+				DBG1(DBG_TLS, "encrypted TLS record length invalid");
+				this->alert->add(this->alert, TLS_FATAL, TLS_BAD_RECORD_MAC);
+				return NEED_MORE;
+			}
+			iv = this->iv_in;
+			next_iv = chunk_clone(chunk_create(data.ptr + data.len - bs, bs));
+		}
+		else
+		{	/* TLSv1.1 uses random IVs, prepended to record */
+			iv.len = this->crypter_in->get_iv_size(this->crypter_in);
+			iv = chunk_create(data.ptr, iv.len);
+			data = chunk_skip(data, iv.len);
+			if (data.len < bs || data.len % bs)
+			{
+				DBG1(DBG_TLS, "encrypted TLS record length invalid");
+				this->alert->add(this->alert, TLS_FATAL, TLS_BAD_RECORD_MAC);
+				return NEED_MORE;
+			}
+		}
+		this->crypter_in->decrypt(this->crypter_in, data, iv, NULL);
+
+		if (next_iv.len)
+		{	/* next record IV is last ciphertext block of this record */
+			memcpy(this->iv_in.ptr, next_iv.ptr, next_iv.len);
+			free(next_iv.ptr);
+		}
+
+		padding_length = data.ptr[data.len - 1];
+		if (padding_length >= data.len)
+		{
+			DBG1(DBG_TLS, "invalid TLS record padding");
+			this->alert->add(this->alert, TLS_FATAL, TLS_BAD_RECORD_MAC);
+			return NEED_MORE;
+		}
+		data.len -= padding_length + 1;
+	}
+	if (this->signer_in)
+	{
+		chunk_t mac, macdata, header;
+		u_int8_t bs;
+
+		bs = this->signer_in->get_block_size(this->signer_in);
+		if (data.len < bs)
+		{
+			DBG1(DBG_TLS, "TLS record too short to verify MAC");
+			this->alert->add(this->alert, TLS_FATAL, TLS_BAD_RECORD_MAC);
+			return NEED_MORE;
+		}
+		mac = chunk_skip(data, data.len - bs);
+		data.len -= bs;
+
+		header = sigheader(this->seq_in, type, this->version, data.len);
+		macdata = chunk_cat("mc", header, data);
+		if (!this->signer_in->verify_signature(this->signer_in, macdata, mac))
+		{
+			DBG1(DBG_TLS, "TLS record MAC verification failed");
+			free(macdata.ptr);
+			this->alert->add(this->alert, TLS_FATAL, TLS_BAD_RECORD_MAC);
+			return NEED_MORE;
+		}
+		free(macdata.ptr);
+	}
+
+	if (type == TLS_CHANGE_CIPHER_SPEC)
+	{
+		this->seq_in = 0;
+	}
+	else
+	{
+		this->seq_in++;
+	}
+	return this->compression->process(this->compression, type, data);
+}
+
+METHOD(tls_protection_t, build, status_t,
+	private_tls_protection_t *this, tls_content_type_t *type, chunk_t *data)
+{
+	status_t status;
+
+	status = this->compression->build(this->compression, type, data);
+	if (*type == TLS_CHANGE_CIPHER_SPEC)
+	{
+		this->seq_out = 0;
+		return status;
+	}
+
+	if (status == NEED_MORE)
+	{
+		if (this->signer_out)
+		{
+			chunk_t mac, header;
+
+			header = sigheader(this->seq_out, *type, this->version, data->len);
+			this->signer_out->get_signature(this->signer_out, header, NULL);
+			free(header.ptr);
+			this->signer_out->allocate_signature(this->signer_out, *data, &mac);
+			if (this->crypter_out)
+			{
+				chunk_t padding, iv;
+				u_int8_t bs, padding_length;
+
+				bs = this->crypter_out->get_block_size(this->crypter_out);
+				padding_length = bs - ((data->len + mac.len + 1) % bs);
+
+				padding = chunk_alloca(padding_length);
+				memset(padding.ptr, padding_length, padding.len);
+
+				if (this->iv_out.len)
+				{	/* < TLSv1.1 uses IV from key derivation/last block */
+					iv = this->iv_out;
+				}
+				else
+				{	/* TLSv1.1 uses random IVs, prepended to record */
+					if (!this->rng)
+					{
+						DBG1(DBG_TLS, "no RNG supported to generate TLS IV");
+						free(data->ptr);
+						return FAILED;
+					}
+					iv.len = this->crypter_out->get_iv_size(this->crypter_out);
+					this->rng->allocate_bytes(this->rng, iv.len, &iv);
+				}
+
+				*data = chunk_cat("mmcc", *data, mac, padding,
+								  chunk_from_thing(padding_length));
+				/* encrypt inline */
+				this->crypter_out->encrypt(this->crypter_out, *data, iv, NULL);
+
+				if (this->iv_out.len)
+				{	/* next record IV is last ciphertext block of this record */
+					memcpy(this->iv_out.ptr, data->ptr + data->len -
+						   this->iv_out.len, this->iv_out.len);
+				}
+				else
+				{	/* prepend IV */
+					*data = chunk_cat("mm", iv, *data);
+				}
+			}
+			else
+			{	/* NULL encryption */
+				*data = chunk_cat("mm", *data, mac);
+			}
+		}
+		this->seq_out++;
+	}
+	return status;
+}
+
+METHOD(tls_protection_t, set_cipher, void,
+	private_tls_protection_t *this, bool inbound, signer_t *signer,
+	crypter_t *crypter, chunk_t iv)
+{
+	if (inbound)
+	{
+		this->signer_in = signer;
+		this->crypter_in = crypter;
+		this->iv_in = iv;
+	}
+	else
+	{
+		this->signer_out = signer;
+		this->crypter_out = crypter;
+		this->iv_out = iv;
+		if (!iv.len)
+		{	/* generate IVs if none given */
+			this->rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
+		}
+	}
+}
+
+METHOD(tls_protection_t, set_version, void,
+	private_tls_protection_t *this, tls_version_t version)
+{
+	this->version = version;
+}
+
+METHOD(tls_protection_t, destroy, void,
+	private_tls_protection_t *this)
+{
+	DESTROY_IF(this->rng);
+	free(this);
+}
+
+/**
+ * See header
+ */
+tls_protection_t *tls_protection_create(tls_compression_t *compression,
+										tls_alert_t *alert)
+{
+	private_tls_protection_t *this;
+
+	INIT(this,
+		.public = {
+			.process = _process,
+			.build = _build,
+			.set_cipher = _set_cipher,
+			.set_version = _set_version,
+			.destroy = _destroy,
+		},
+		.alert = alert,
+		.compression = compression,
+	);
+
+	return &this->public;
+}
diff --git a/src/libtls/tls_protection.h b/src/libtls/tls_protection.h
new file mode 100644
index 000000000..99c94e935
--- /dev/null
+++ b/src/libtls/tls_protection.h
@@ -0,0 +1,98 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tls_protection tls_protection
+ * @{ @ingroup libtls
+ */
+
+#ifndef TLS_PROTECTION_H_
+#define TLS_PROTECTION_H_
+
+#include <library.h>
+
+#include "tls.h"
+#include "tls_alert.h"
+#include "tls_compression.h"
+
+typedef struct tls_protection_t tls_protection_t;
+
+/**
+ * TLS record protocol protection layer.
+ */
+struct tls_protection_t {
+
+	/**
+	 * Process a protected TLS record, pass it to upper layers.
+	 *
+	 * @param type		type of the TLS record to process
+	 * @param data		associated TLS record data
+	 * @return
+	 *					- SUCCESS if TLS negotiation complete
+	 *					- FAILED if TLS handshake failed
+	 *					- NEED_MORE if more invocations to process/build needed
+	 */
+	status_t (*process)(tls_protection_t *this,
+						tls_content_type_t type, chunk_t data);
+
+	/**
+	 * Query upper layer for TLS record, build protected record.
+	 *
+	 * @param type		type of the built TLS record
+	 * @param data		allocated data of the built TLS record
+	 * @return
+	 *					- SUCCESS if TLS negotiation complete
+	 *					- FAILED if TLS handshake failed
+	 *					- NEED_MORE if upper layers have more records to send
+	 *					- INVALID_STATE if more input records required
+	 */
+	status_t (*build)(tls_protection_t *this,
+					  tls_content_type_t *type, chunk_t *data);
+
+	/**
+	 * Set a new cipher, including encryption and integrity algorithms.
+	 *
+	 * @param inbound	TRUE to use cipher for inbound data, FALSE for outbound
+	 * @param signer	new signer to use, gets owned by protection layer
+	 * @param crypter	new crypter to use, gets owned by protection layer
+	 * @param iv		initial IV for crypter, gets owned by protection layer
+	 */
+	void (*set_cipher)(tls_protection_t *this, bool inbound, signer_t *signer,
+					   crypter_t *crypter, chunk_t iv);
+
+	/**
+	 * Set the TLS version negotiated, used for MAC calculation.
+	 *
+	 * @param version	TLS version negotiated
+	 */
+	void (*set_version)(tls_protection_t *this, tls_version_t version);
+
+	/**
+	 * Destroy a tls_protection_t.
+	 */
+	void (*destroy)(tls_protection_t *this);
+};
+
+/**
+ * Create a tls_protection instance.
+ *
+ * @param compression		compression layer of TLS stack
+ * @param alert				TLS alert handler
+ * @return					TLS protection layer.
+ */
+tls_protection_t *tls_protection_create(tls_compression_t *compression,
+										tls_alert_t *alert);
+
+#endif /** TLS_PROTECTION_H_ @}*/
diff --git a/src/libtls/tls_reader.c b/src/libtls/tls_reader.c
new file mode 100644
index 000000000..17ec68fd5
--- /dev/null
+++ b/src/libtls/tls_reader.c
@@ -0,0 +1,200 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "tls_reader.h"
+
+#include <debug.h>
+
+typedef struct private_tls_reader_t private_tls_reader_t;
+
+/**
+ * Private data of an tls_reader_t object.
+ */
+struct private_tls_reader_t {
+
+	/**
+	 * Public tls_reader_t interface.
+	 */
+	tls_reader_t public;
+
+	/**
+	 * Remaining data to process
+	 */
+	chunk_t buf;
+};
+
+METHOD(tls_reader_t, remaining, u_int32_t,
+	private_tls_reader_t *this)
+{
+	return this->buf.len;
+}
+
+METHOD(tls_reader_t, peek, chunk_t,
+	private_tls_reader_t *this)
+{
+	return this->buf;
+}
+
+METHOD(tls_reader_t, read_uint8, bool,
+	private_tls_reader_t *this, u_int8_t *res)
+{
+	if (this->buf.len < 1)
+	{
+		DBG1(DBG_TLS, "%d bytes insufficient to parse uint%d TLS data",
+			 this->buf.len, 8);
+		return FALSE;
+	}
+	*res = this->buf.ptr[0];
+	this->buf = chunk_skip(this->buf, 1);
+	return TRUE;
+}
+
+METHOD(tls_reader_t, read_uint16, bool,
+	private_tls_reader_t *this, u_int16_t *res)
+{
+	if (this->buf.len < 2)
+	{
+		DBG1(DBG_TLS, "%d bytes insufficient to parse uint%d TLS data",
+			 this->buf.len, 16);
+		return FALSE;
+	}
+	*res = untoh16(this->buf.ptr);
+	this->buf = chunk_skip(this->buf, 2);
+	return TRUE;
+}
+
+METHOD(tls_reader_t, read_uint24, bool,
+	private_tls_reader_t *this, u_int32_t *res)
+{
+	if (this->buf.len < 3)
+	{
+		DBG1(DBG_TLS, "%d bytes insufficient to parse uint%d TLS data",
+			 this->buf.len, 24);
+		return FALSE;
+	}
+	*res = untoh32(this->buf.ptr) >> 8;
+	this->buf = chunk_skip(this->buf, 3);
+	return TRUE;
+}
+
+METHOD(tls_reader_t, read_uint32, bool,
+	private_tls_reader_t *this, u_int32_t *res)
+{
+	if (this->buf.len < 4)
+	{
+		DBG1(DBG_TLS, "%d bytes insufficient to parse uint%d TLS data",
+			 this->buf.len, 32);
+		return FALSE;
+	}
+	*res = untoh32(this->buf.ptr);
+	this->buf = chunk_skip(this->buf, 4);
+	return TRUE;
+}
+
+METHOD(tls_reader_t, read_data, bool,
+	private_tls_reader_t *this, u_int32_t len, chunk_t *res)
+{
+	if (this->buf.len < len)
+	{
+		DBG1(DBG_TLS, "%d bytes insufficient to parse %d bytes TLS data",
+			 this->buf.len, len);
+		return FALSE;
+	}
+	*res = chunk_create(this->buf.ptr, len);
+	this->buf = chunk_skip(this->buf, len);
+	return TRUE;
+}
+
+METHOD(tls_reader_t, read_data8, bool,
+	private_tls_reader_t *this, chunk_t *res)
+{
+	u_int8_t len;
+
+	if (!read_uint8(this, &len))
+	{
+		return FALSE;
+	}
+	return read_data(this, len, res);
+}
+
+METHOD(tls_reader_t, read_data16, bool,
+	private_tls_reader_t *this, chunk_t *res)
+{
+	u_int16_t len;
+
+	if (!read_uint16(this, &len))
+	{
+		return FALSE;
+	}
+	return read_data(this, len, res);
+}
+
+METHOD(tls_reader_t, read_data24, bool,
+	private_tls_reader_t *this, chunk_t *res)
+{
+	u_int32_t len;
+
+	if (!read_uint24(this, &len))
+	{
+		return FALSE;
+	}
+	return read_data(this, len, res);
+}
+
+METHOD(tls_reader_t, read_data32, bool,
+	private_tls_reader_t *this, chunk_t *res)
+{
+	u_int32_t len;
+
+	if (!read_uint32(this, &len))
+	{
+		return FALSE;
+	}
+	return read_data(this, len, res);
+}
+
+METHOD(tls_reader_t, destroy, void,
+	private_tls_reader_t *this)
+{
+	free(this);
+}
+
+/**
+ * See header
+ */
+tls_reader_t *tls_reader_create(chunk_t data)
+{
+	private_tls_reader_t *this;
+
+	INIT(this,
+		.public = {
+			.remaining = _remaining,
+			.peek = _peek,
+			.read_uint8 = _read_uint8,
+			.read_uint16 = _read_uint16,
+			.read_uint24 = _read_uint24,
+			.read_uint32 = _read_uint32,
+			.read_data = _read_data,
+			.read_data8 = _read_data8,
+			.read_data16 = _read_data16,
+			.read_data24 = _read_data24,
+			.read_data32 = _read_data32,
+			.destroy = _destroy,
+		},
+		.buf = data,
+	);
+
+	return &this->public;
+}
diff --git a/src/libtls/tls_reader.h b/src/libtls/tls_reader.h
new file mode 100644
index 000000000..a8978b486
--- /dev/null
+++ b/src/libtls/tls_reader.h
@@ -0,0 +1,131 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tls_reader tls_reader
+ * @{ @ingroup libtls
+ */
+
+#ifndef TLS_READER_H_
+#define TLS_READER_H_
+
+typedef struct tls_reader_t tls_reader_t;
+
+#include <library.h>
+
+/**
+ * TLS record parser.
+ */
+struct tls_reader_t {
+
+	/**
+	 * Get the number of remaining bytes.
+	 *
+	 * @return			number of remaining bytes in buffer
+	 */
+	u_int32_t (*remaining)(tls_reader_t *this);
+
+	/**
+	 * Peek the remaining data, not consuming any bytes.
+	 *
+	 * @return			remaining data
+	 */
+	chunk_t (*peek)(tls_reader_t *this);
+
+	/**
+	 * Read a 8-bit integer from the buffer, advance.
+	 *
+	 * @param res		pointer to result
+	 * @return			TRUE if integer read successfully
+	 */
+	bool (*read_uint8)(tls_reader_t *this, u_int8_t *res);
+
+	/**
+	 * Read a 16-bit integer from the buffer, advance.
+	 *
+	 * @param res		pointer to result
+	 * @return			TRUE if integer read successfully
+	 */
+	bool (*read_uint16)(tls_reader_t *this, u_int16_t *res);
+
+	/**
+	 * Read a 24-bit integer from the buffer, advance.
+	 *
+	 * @param res		pointer to result
+	 * @return			TRUE if integer read successfully
+	 */
+	bool (*read_uint24)(tls_reader_t *this, u_int32_t *res);
+
+	/**
+	 * Read a 32-bit integer from the buffer, advance.
+	 *
+	 * @param res		pointer to result
+	 * @return			TRUE if integer read successfully
+	 */
+	bool (*read_uint32)(tls_reader_t *this, u_int32_t *res);
+
+	/**
+	 * Read a chunk of len bytes, advance.
+	 *
+	 * @param len		number of bytes to read
+	 * @param res		pointer to result, not cloned
+	 * @return			TRUE if data read successfully
+	 */
+	bool (*read_data)(tls_reader_t *this, u_int32_t len, chunk_t *res);
+
+	/**
+	 * Read a chunk of bytes with a 8-bit length header, advance.
+	 *
+	 * @param res		pointer to result, not cloned
+	 * @return			TRUE if data read successfully
+	 */
+	bool (*read_data8)(tls_reader_t *this, chunk_t *res);
+
+	/**
+	 * Read a chunk of bytes with a 16-bit length header, advance.
+	 *
+	 * @param res		pointer to result, not cloned
+	 * @return			TRUE if data read successfully
+	 */
+	bool (*read_data16)(tls_reader_t *this, chunk_t *res);
+
+	/**
+	 * Read a chunk of bytes with a 24-bit length header, advance.
+	 *
+	 * @param res		pointer to result, not cloned
+	 * @return			TRUE if data read successfully
+	 */
+	bool (*read_data24)(tls_reader_t *this, chunk_t *res);
+
+	/**
+	 * Read a chunk of bytes with a 32-bit length header, advance.
+	 *
+	 * @param res		pointer to result, not cloned
+	 * @return			TRUE if data read successfully
+	 */
+	bool (*read_data32)(tls_reader_t *this, chunk_t *res);
+
+	/**
+	 * Destroy a tls_reader_t.
+	 */
+	void (*destroy)(tls_reader_t *this);
+};
+
+/**
+ * Create a tls_reader instance.
+ */
+tls_reader_t *tls_reader_create(chunk_t data);
+
+#endif /** tls_reader_H_ @}*/
diff --git a/src/libtls/tls_server.c b/src/libtls/tls_server.c
new file mode 100644
index 000000000..b0417f6cb
--- /dev/null
+++ b/src/libtls/tls_server.c
@@ -0,0 +1,1032 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "tls_server.h"
+
+#include <time.h>
+
+#include <debug.h>
+#include <credentials/certificates/x509.h>
+
+typedef struct private_tls_server_t private_tls_server_t;
+
+
+typedef enum {
+	STATE_INIT,
+	STATE_HELLO_RECEIVED,
+	STATE_HELLO_SENT,
+	STATE_CERT_SENT,
+	STATE_KEY_EXCHANGE_SENT,
+	STATE_CERTREQ_SENT,
+	STATE_HELLO_DONE,
+	STATE_CERT_RECEIVED,
+	STATE_KEY_EXCHANGE_RECEIVED,
+	STATE_CERT_VERIFY_RECEIVED,
+	STATE_CIPHERSPEC_CHANGED_IN,
+	STATE_FINISHED_RECEIVED,
+	STATE_CIPHERSPEC_CHANGED_OUT,
+	STATE_FINISHED_SENT,
+} server_state_t;
+
+/**
+ * Private data of an tls_server_t object.
+ */
+struct private_tls_server_t {
+
+	/**
+	 * Public tls_server_t interface.
+	 */
+	tls_server_t public;
+
+	/**
+	 * TLS stack
+	 */
+	tls_t *tls;
+
+	/**
+	 * TLS crypto context
+	 */
+	tls_crypto_t *crypto;
+
+	/**
+	 * TLS alert handler
+	 */
+	tls_alert_t *alert;
+
+	/**
+	 * Server identity
+	 */
+	identification_t *server;
+
+	/**
+	 * Peer identity, NULL for no client authentication
+	 */
+	identification_t *peer;
+
+	/**
+	 * State we are in
+	 */
+	server_state_t state;
+
+	/**
+	 * Hello random data selected by client
+	 */
+	char client_random[32];
+
+	/**
+	 * Hello random data selected by server
+	 */
+	char server_random[32];
+
+	/**
+	 * Auth helper for peer authentication
+	 */
+	auth_cfg_t *peer_auth;
+
+	/**
+	 * Auth helper for server authentication
+	 */
+	auth_cfg_t *server_auth;
+
+	/**
+	 * Peer private key
+	 */
+	private_key_t *private;
+
+	/**
+	 * DHE exchange
+	 */
+	diffie_hellman_t *dh;
+
+	/**
+	 * Selected TLS cipher suite
+	 */
+	tls_cipher_suite_t suite;
+
+	/**
+	 * Offered TLS version of the client
+	 */
+	tls_version_t client_version;
+
+	/**
+	 * Hash and signature algorithms supported by peer
+	 */
+	chunk_t hashsig;
+
+	/**
+	 * Elliptic curves supported by peer
+	 */
+	chunk_t curves;
+
+	/**
+	 * Did we receive the curves from the client?
+	 */
+	bool curves_received;
+};
+
+/**
+ * Find a cipher suite and a server key
+ */
+static bool select_suite_and_key(private_tls_server_t *this,
+								 tls_cipher_suite_t *suites, int count)
+{
+	private_key_t *key;
+	key_type_t type;
+
+	key = lib->credmgr->get_private(lib->credmgr, KEY_ANY, this->server,
+									this->server_auth);
+	if (!key)
+	{
+		DBG1(DBG_TLS, "no usable TLS server certificate found for '%Y'",
+			 this->server);
+		return FALSE;
+	}
+	this->suite = this->crypto->select_cipher_suite(this->crypto,
+											suites, count, key->get_type(key));
+	if (!this->suite)
+	{	/* no match for this key, try to find another type */
+		if (key->get_type(key) == KEY_ECDSA)
+		{
+			type = KEY_RSA;
+		}
+		else
+		{
+			type = KEY_ECDSA;
+		}
+		key->destroy(key);
+
+		this->suite = this->crypto->select_cipher_suite(this->crypto,
+											suites, count, type);
+		if (!this->suite)
+		{
+			DBG1(DBG_TLS, "received cipher suites inacceptable");
+			return FALSE;
+		}
+		this->server_auth->destroy(this->server_auth);
+		this->server_auth = auth_cfg_create();
+		key = lib->credmgr->get_private(lib->credmgr, type, this->server,
+										this->server_auth);
+		if (!key)
+		{
+			DBG1(DBG_TLS, "received cipher suites inacceptable");
+			return FALSE;
+		}
+	}
+	this->private = key;
+	return TRUE;
+}
+
+/**
+ * Process client hello message
+ */
+static status_t process_client_hello(private_tls_server_t *this,
+									 tls_reader_t *reader)
+{
+	u_int16_t version, extension;
+	chunk_t random, session, ciphers, compression, ext = chunk_empty;
+	tls_reader_t *extensions;
+	tls_cipher_suite_t *suites;
+	int count, i;
+
+	this->crypto->append_handshake(this->crypto,
+								   TLS_CLIENT_HELLO, reader->peek(reader));
+
+	if (!reader->read_uint16(reader, &version) ||
+		!reader->read_data(reader, sizeof(this->client_random), &random) ||
+		!reader->read_data8(reader, &session) ||
+		!reader->read_data16(reader, &ciphers) ||
+		!reader->read_data8(reader, &compression) ||
+		(reader->remaining(reader) && !reader->read_data16(reader, &ext)))
+	{
+		DBG1(DBG_TLS, "received invalid ClientHello");
+		this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
+		return NEED_MORE;
+	}
+
+	if (ext.len)
+	{
+		extensions = tls_reader_create(ext);
+		while (extensions->remaining(extensions))
+		{
+			if (!extensions->read_uint16(extensions, &extension) ||
+				!extensions->read_data16(extensions, &ext))
+			{
+				DBG1(DBG_TLS, "received invalid ClientHello Extensions");
+				this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
+				extensions->destroy(extensions);
+				return NEED_MORE;
+			}
+			DBG1(DBG_TLS, "received TLS '%N' extension",
+				 tls_extension_names, extension);
+			DBG3(DBG_TLS, "%B", &ext);
+			switch (extension)
+			{
+				case TLS_EXT_SIGNATURE_ALGORITHMS:
+					this->hashsig = chunk_clone(ext);
+					break;
+				case TLS_EXT_ELLIPTIC_CURVES:
+					this->curves_received = TRUE;
+					this->curves = chunk_clone(ext);
+					break;
+				default:
+					break;
+			}
+		}
+		extensions->destroy(extensions);
+	}
+
+	memcpy(this->client_random, random.ptr, sizeof(this->client_random));
+
+	if (!this->tls->set_version(this->tls, version))
+	{
+		DBG1(DBG_TLS, "negotiated version %N not supported",
+			 tls_version_names, version);
+		this->alert->add(this->alert, TLS_FATAL, TLS_PROTOCOL_VERSION);
+		return NEED_MORE;
+	}
+	count = ciphers.len / sizeof(u_int16_t);
+	suites = alloca(count * sizeof(tls_cipher_suite_t));
+	DBG2(DBG_TLS, "received %d TLS cipher suites:", count);
+	for (i = 0; i < count; i++)
+	{
+		suites[i] = untoh16(&ciphers.ptr[i * sizeof(u_int16_t)]);
+		DBG2(DBG_TLS, "  %N", tls_cipher_suite_names, suites[i]);
+	}
+
+	if (!select_suite_and_key(this, suites, count))
+	{
+		this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
+		return NEED_MORE;
+	}
+	DBG1(DBG_TLS, "negotiated TLS version %N with suite %N",
+		 tls_version_names, this->tls->get_version(this->tls),
+		 tls_cipher_suite_names, this->suite);
+	this->client_version = version;
+	this->state = STATE_HELLO_RECEIVED;
+	return NEED_MORE;
+}
+
+/**
+ * Process certificate
+ */
+static status_t process_certificate(private_tls_server_t *this,
+									tls_reader_t *reader)
+{
+	certificate_t *cert;
+	tls_reader_t *certs;
+	chunk_t data;
+	bool first = TRUE;
+
+	this->crypto->append_handshake(this->crypto,
+								   TLS_CERTIFICATE, reader->peek(reader));
+
+	if (!reader->read_data24(reader, &data))
+	{
+		DBG1(DBG_TLS, "certificate message header invalid");
+		this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
+		return NEED_MORE;
+	}
+	certs = tls_reader_create(data);
+	while (certs->remaining(certs))
+	{
+		if (!certs->read_data24(certs, &data))
+		{
+			DBG1(DBG_TLS, "certificate message invalid");
+			this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
+			certs->destroy(certs);
+			return NEED_MORE;
+		}
+		cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+								  BUILD_BLOB_ASN1_DER, data, BUILD_END);
+		if (cert)
+		{
+			if (first)
+			{
+				this->peer_auth->add(this->peer_auth,
+									 AUTH_HELPER_SUBJECT_CERT, cert);
+				DBG1(DBG_TLS, "received TLS peer certificate '%Y'",
+					 cert->get_subject(cert));
+				first = FALSE;
+			}
+			else
+			{
+				DBG1(DBG_TLS, "received TLS intermediate certificate '%Y'",
+					 cert->get_subject(cert));
+				this->peer_auth->add(this->peer_auth, AUTH_HELPER_IM_CERT, cert);
+			}
+		}
+		else
+		{
+			DBG1(DBG_TLS, "parsing TLS certificate failed, skipped");
+			this->alert->add(this->alert, TLS_WARNING, TLS_BAD_CERTIFICATE);
+		}
+	}
+	certs->destroy(certs);
+	this->state = STATE_CERT_RECEIVED;
+	return NEED_MORE;
+}
+
+/**
+ * Process Client Key Exchange, using premaster encryption
+ */
+static status_t process_key_exchange_encrypted(private_tls_server_t *this,
+											   tls_reader_t *reader)
+{
+	chunk_t encrypted, decrypted;
+	char premaster[48];
+	rng_t *rng;
+
+	this->crypto->append_handshake(this->crypto,
+								   TLS_CLIENT_KEY_EXCHANGE, reader->peek(reader));
+
+	if (!reader->read_data16(reader, &encrypted))
+	{
+		DBG1(DBG_TLS, "received invalid Client Key Exchange");
+		this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
+		return NEED_MORE;
+	}
+
+	htoun16(premaster, this->client_version);
+	/* pre-randomize premaster for failure cases */
+	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
+	if (!rng)
+	{
+		DBG1(DBG_TLS, "creating RNG failed");
+		this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
+		return NEED_MORE;
+	}
+	rng->get_bytes(rng, sizeof(premaster) - 2, premaster + 2);
+	rng->destroy(rng);
+
+	if (this->private &&
+		this->private->decrypt(this->private,
+							   ENCRYPT_RSA_PKCS1, encrypted, &decrypted))
+	{
+		if (decrypted.len == sizeof(premaster) &&
+			untoh16(decrypted.ptr) == this->client_version)
+		{
+			memcpy(premaster + 2, decrypted.ptr + 2, sizeof(premaster) - 2);
+		}
+		else
+		{
+			DBG1(DBG_TLS, "decrypted premaster has invalid length/version");
+		}
+		chunk_clear(&decrypted);
+	}
+	else
+	{
+		DBG1(DBG_TLS, "decrypting Client Key Exchange failed");
+	}
+
+	this->crypto->derive_secrets(this->crypto, chunk_from_thing(premaster),
+								 chunk_from_thing(this->client_random),
+								 chunk_from_thing(this->server_random));
+
+	this->state = STATE_KEY_EXCHANGE_RECEIVED;
+	return NEED_MORE;
+}
+
+/**
+ * Process client key exchange, using DHE exchange
+ */
+static status_t process_key_exchange_dhe(private_tls_server_t *this,
+										 tls_reader_t *reader)
+{
+	chunk_t premaster, pub;
+	bool ec;
+
+	this->crypto->append_handshake(this->crypto,
+								   TLS_CLIENT_KEY_EXCHANGE, reader->peek(reader));
+
+	ec = diffie_hellman_group_is_ec(this->dh->get_dh_group(this->dh));
+	if ((ec && !reader->read_data8(reader, &pub)) ||
+		(!ec && (!reader->read_data16(reader, &pub) || pub.len == 0)))
+	{
+		DBG1(DBG_TLS, "received invalid Client Key Exchange");
+		this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
+		return NEED_MORE;
+	}
+
+	if (ec)
+	{
+		if (pub.ptr[0] != TLS_ANSI_UNCOMPRESSED)
+		{
+			DBG1(DBG_TLS, "DH point format '%N' not supported",
+				 tls_ansi_point_format_names, pub.ptr[0]);
+			this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
+			return NEED_MORE;
+		}
+		pub = chunk_skip(pub, 1);
+	}
+	this->dh->set_other_public_value(this->dh, pub);
+	if (this->dh->get_shared_secret(this->dh, &premaster) != SUCCESS)
+	{
+		DBG1(DBG_TLS, "calculating premaster from DH failed");
+		this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
+		return NEED_MORE;
+	}
+
+	this->crypto->derive_secrets(this->crypto, premaster,
+								 chunk_from_thing(this->client_random),
+								 chunk_from_thing(this->server_random));
+	chunk_clear(&premaster);
+
+	this->state = STATE_KEY_EXCHANGE_RECEIVED;
+	return NEED_MORE;
+}
+
+/**
+ * Process Client Key Exchange
+ */
+static status_t process_key_exchange(private_tls_server_t *this,
+									 tls_reader_t *reader)
+{
+	if (this->dh)
+	{
+		return process_key_exchange_dhe(this, reader);
+	}
+	return process_key_exchange_encrypted(this, reader);
+}
+
+/**
+ * Process Certificate verify
+ */
+static status_t process_cert_verify(private_tls_server_t *this,
+									tls_reader_t *reader)
+{
+	bool verified = FALSE;
+	enumerator_t *enumerator;
+	public_key_t *public;
+	auth_cfg_t *auth;
+	tls_reader_t *sig;
+
+	enumerator = lib->credmgr->create_public_enumerator(lib->credmgr,
+										KEY_ANY, this->peer, this->peer_auth);
+	while (enumerator->enumerate(enumerator, &public, &auth))
+	{
+		sig = tls_reader_create(reader->peek(reader));
+		verified = this->crypto->verify_handshake(this->crypto, public, sig);
+		sig->destroy(sig);
+		if (verified)
+		{
+			break;
+		}
+		DBG1(DBG_TLS, "signature verification failed, trying another key");
+	}
+	enumerator->destroy(enumerator);
+
+	if (!verified)
+	{
+		DBG1(DBG_TLS, "no trusted certificate found for '%Y' to verify TLS peer",
+			 this->peer);
+		this->alert->add(this->alert, TLS_FATAL, TLS_CERTIFICATE_UNKNOWN);
+		return NEED_MORE;
+	}
+
+	this->crypto->append_handshake(this->crypto,
+								   TLS_CERTIFICATE_VERIFY, reader->peek(reader));
+	this->state = STATE_CERT_VERIFY_RECEIVED;
+	return NEED_MORE;
+}
+
+/**
+ * Process finished message
+ */
+static status_t process_finished(private_tls_server_t *this,
+								 tls_reader_t *reader)
+{
+	chunk_t received;
+	char buf[12];
+
+	if (!reader->read_data(reader, sizeof(buf), &received))
+	{
+		DBG1(DBG_TLS, "received client finished too short");
+		this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
+		return NEED_MORE;
+	}
+	if (!this->crypto->calculate_finished(this->crypto, "client finished", buf))
+	{
+		DBG1(DBG_TLS, "calculating client finished failed");
+		this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
+		return NEED_MORE;
+	}
+	if (!chunk_equals(received, chunk_from_thing(buf)))
+	{
+		DBG1(DBG_TLS, "received client finished invalid");
+		this->alert->add(this->alert, TLS_FATAL, TLS_DECRYPT_ERROR);
+		return NEED_MORE;
+	}
+
+	this->crypto->append_handshake(this->crypto, TLS_FINISHED, received);
+	this->state = STATE_FINISHED_RECEIVED;
+	return NEED_MORE;
+}
+
+METHOD(tls_handshake_t, process, status_t,
+	private_tls_server_t *this, tls_handshake_type_t type, tls_reader_t *reader)
+{
+	tls_handshake_type_t expected;
+
+	switch (this->state)
+	{
+		case STATE_INIT:
+			if (type == TLS_CLIENT_HELLO)
+			{
+				return process_client_hello(this, reader);
+			}
+			expected = TLS_CLIENT_HELLO;
+			break;
+		case STATE_HELLO_DONE:
+			if (type == TLS_CERTIFICATE)
+			{
+				return process_certificate(this, reader);
+			}
+			if (this->peer)
+			{
+				expected = TLS_CERTIFICATE;
+				break;
+			}
+			/* otherwise fall through to next state */
+		case STATE_CERT_RECEIVED:
+			if (type == TLS_CLIENT_KEY_EXCHANGE)
+			{
+				return process_key_exchange(this, reader);
+			}
+			expected = TLS_CLIENT_KEY_EXCHANGE;
+			break;
+		case STATE_KEY_EXCHANGE_RECEIVED:
+			if (type == TLS_CERTIFICATE_VERIFY)
+			{
+				return process_cert_verify(this, reader);
+			}
+			if (this->peer)
+			{
+				expected = TLS_CERTIFICATE_VERIFY;
+				break;
+			}
+			else
+			{
+				return INVALID_STATE;
+			}
+		case STATE_CIPHERSPEC_CHANGED_IN:
+			if (type == TLS_FINISHED)
+			{
+				return process_finished(this, reader);
+			}
+			expected = TLS_FINISHED;
+			break;
+		default:
+			DBG1(DBG_TLS, "TLS %N not expected in current state",
+				 tls_handshake_type_names, type);
+			this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE);
+			return NEED_MORE;
+	}
+	DBG1(DBG_TLS, "TLS %N expected, but received %N",
+		 tls_handshake_type_names, expected, tls_handshake_type_names, type);
+	this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE);
+	return NEED_MORE;
+}
+
+/**
+ * Send ServerHello message
+ */
+static status_t send_server_hello(private_tls_server_t *this,
+							tls_handshake_type_t *type, tls_writer_t *writer)
+{
+	tls_version_t version;
+	rng_t *rng;
+
+	htoun32(&this->server_random, time(NULL));
+	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
+	if (!rng)
+	{
+		DBG1(DBG_TLS, "no suitable RNG found to generate server random");
+		this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
+		return FAILED;
+	}
+	rng->get_bytes(rng, sizeof(this->server_random) - 4, this->server_random + 4);
+	rng->destroy(rng);
+
+	/* TLS version */
+	version = this->tls->get_version(this->tls);
+	writer->write_uint16(writer, version);
+	writer->write_data(writer, chunk_from_thing(this->server_random));
+
+	/* session identifier => none, we don't support session resumption */
+	writer->write_data8(writer, chunk_empty);
+
+	/* add selected TLS cipher suite */
+	writer->write_uint16(writer, this->suite);
+
+	/* NULL compression only */
+	writer->write_uint8(writer, 0);
+
+	*type = TLS_SERVER_HELLO;
+	this->state = STATE_HELLO_SENT;
+	this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
+	return NEED_MORE;
+}
+
+/**
+ * Send Certificate
+ */
+static status_t send_certificate(private_tls_server_t *this,
+							tls_handshake_type_t *type, tls_writer_t *writer)
+{
+	enumerator_t *enumerator;
+	certificate_t *cert;
+	auth_rule_t rule;
+	tls_writer_t *certs;
+	chunk_t data;
+
+	/* generate certificate payload */
+	certs = tls_writer_create(256);
+	cert = this->server_auth->get(this->server_auth, AUTH_RULE_SUBJECT_CERT);
+	if (cert)
+	{
+		if (cert->get_encoding(cert, CERT_ASN1_DER, &data))
+		{
+			DBG1(DBG_TLS, "sending TLS server certificate '%Y'",
+				 cert->get_subject(cert));
+			certs->write_data24(certs, data);
+			free(data.ptr);
+		}
+	}
+	enumerator = this->server_auth->create_enumerator(this->server_auth);
+	while (enumerator->enumerate(enumerator, &rule, &cert))
+	{
+		if (rule == AUTH_RULE_IM_CERT)
+		{
+			if (cert->get_encoding(cert, CERT_ASN1_DER, &data))
+			{
+				DBG1(DBG_TLS, "sending TLS intermediate certificate '%Y'",
+					 cert->get_subject(cert));
+				certs->write_data24(certs, data);
+				free(data.ptr);
+			}
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	writer->write_data24(writer, certs->get_buf(certs));
+	certs->destroy(certs);
+
+	*type = TLS_CERTIFICATE;
+	this->state = STATE_CERT_SENT;
+	this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
+	return NEED_MORE;
+}
+
+/**
+ * Send Certificate Request
+ */
+static status_t send_certificate_request(private_tls_server_t *this,
+							tls_handshake_type_t *type, tls_writer_t *writer)
+{
+	tls_writer_t *authorities, *supported;
+	enumerator_t *enumerator;
+	certificate_t *cert;
+	x509_t *x509;
+	identification_t *id;
+
+	supported = tls_writer_create(4);
+	/* we propose both RSA and ECDSA */
+	supported->write_uint8(supported, TLS_RSA_SIGN);
+	supported->write_uint8(supported, TLS_ECDSA_SIGN);
+	writer->write_data8(writer, supported->get_buf(supported));
+	supported->destroy(supported);
+	if (this->tls->get_version(this->tls) >= TLS_1_2)
+	{
+		this->crypto->get_signature_algorithms(this->crypto, writer);
+	}
+
+	authorities = tls_writer_create(64);
+	enumerator = lib->credmgr->create_cert_enumerator(lib->credmgr,
+												CERT_X509, KEY_RSA, NULL, TRUE);
+	while (enumerator->enumerate(enumerator, &cert))
+	{
+		x509 = (x509_t*)cert;
+		if (x509->get_flags(x509) & X509_CA)
+		{
+			id = cert->get_subject(cert);
+			DBG1(DBG_TLS, "sending TLS cert request for '%Y'", id);
+			authorities->write_data16(authorities, id->get_encoding(id));
+		}
+	}
+	enumerator->destroy(enumerator);
+	writer->write_data16(writer, authorities->get_buf(authorities));
+	authorities->destroy(authorities);
+
+	*type = TLS_CERTIFICATE_REQUEST;
+	this->state = STATE_CERTREQ_SENT;
+	this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
+	return NEED_MORE;
+}
+
+/**
+ * Get the TLS curve of a given EC DH group
+ */
+static tls_named_curve_t ec_group_to_curve(private_tls_server_t *this,
+										   diffie_hellman_group_t group)
+{
+	diffie_hellman_group_t current;
+	tls_named_curve_t curve;
+	enumerator_t *enumerator;
+
+	enumerator = this->crypto->create_ec_enumerator(this->crypto);
+	while (enumerator->enumerate(enumerator, &current, &curve))
+	{
+		if (current == group)
+		{
+			enumerator->destroy(enumerator);
+			return curve;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return 0;
+}
+
+/**
+ * Check if the peer supports a given TLS curve
+ */
+bool peer_supports_curve(private_tls_server_t *this, tls_named_curve_t curve)
+{
+	tls_reader_t *reader;
+	u_int16_t current;
+
+	if (!this->curves_received)
+	{	/* none received, assume yes */
+		return TRUE;
+	}
+	reader = tls_reader_create(this->curves);
+	while (reader->remaining(reader) && reader->read_uint16(reader, &current))
+	{
+		if (current == curve)
+		{
+			reader->destroy(reader);
+			return TRUE;
+		}
+	}
+	reader->destroy(reader);
+	return FALSE;
+}
+
+/**
+ * Try to find a curve supported by both, client and server
+ */
+static bool find_supported_curve(private_tls_server_t *this,
+								 tls_named_curve_t *curve)
+{
+	tls_named_curve_t current;
+	enumerator_t *enumerator;
+
+	enumerator = this->crypto->create_ec_enumerator(this->crypto);
+	while (enumerator->enumerate(enumerator, NULL, &current))
+	{
+		if (peer_supports_curve(this, current))
+		{
+			*curve = current;
+			enumerator->destroy(enumerator);
+			return TRUE;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return FALSE;
+}
+
+/**
+ * Send Server key Exchange
+ */
+static status_t send_server_key_exchange(private_tls_server_t *this,
+							tls_handshake_type_t *type, tls_writer_t *writer,
+							diffie_hellman_group_t group)
+{
+	diffie_hellman_params_t *params = NULL;
+	tls_named_curve_t curve;
+	chunk_t chunk;
+
+	if (diffie_hellman_group_is_ec(group))
+	{
+		curve = ec_group_to_curve(this, group);
+		if (!curve || (!peer_supports_curve(this, curve) &&
+					   !find_supported_curve(this, &curve)))
+		{
+			DBG1(DBG_TLS, "no EC group supported by client and server");
+			this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
+			return NEED_MORE;
+		}
+		DBG2(DBG_TLS, "selected ECDH group %N", tls_named_curve_names, curve);
+		writer->write_uint8(writer, TLS_ECC_NAMED_CURVE);
+		writer->write_uint16(writer, curve);
+	}
+	else
+	{
+		params = diffie_hellman_get_params(group);
+		if (!params)
+		{
+			DBG1(DBG_TLS, "no parameters found for DH group %N",
+				 diffie_hellman_group_names, group);
+			this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
+			return NEED_MORE;
+		}
+		DBG2(DBG_TLS, "selected DH group %N", diffie_hellman_group_names, group);
+		writer->write_data16(writer, params->prime);
+		writer->write_data16(writer, params->generator);
+	}
+	this->dh = lib->crypto->create_dh(lib->crypto, group);
+	if (!this->dh)
+	{
+		DBG1(DBG_TLS, "DH group %N not supported",
+			 diffie_hellman_group_names, group);
+		this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
+		return NEED_MORE;
+	}
+	this->dh->get_my_public_value(this->dh, &chunk);
+	if (params)
+	{
+		writer->write_data16(writer, chunk);
+	}
+	else
+	{	/* ECP uses 8bit length header only, but a point format */
+		writer->write_uint8(writer, chunk.len + 1);
+		writer->write_uint8(writer, TLS_ANSI_UNCOMPRESSED);
+		writer->write_data(writer, chunk);
+	}
+	free(chunk.ptr);
+
+	chunk = chunk_cat("ccc", chunk_from_thing(this->client_random),
+				chunk_from_thing(this->server_random), writer->get_buf(writer));
+	if (!this->private || !this->crypto->sign(this->crypto, this->private,
+											  writer, chunk, this->hashsig))
+	{
+		DBG1(DBG_TLS, "signing DH parameters failed");
+		this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
+		free(chunk.ptr);
+		return NEED_MORE;
+	}
+	free(chunk.ptr);
+	*type = TLS_SERVER_KEY_EXCHANGE;
+	this->state = STATE_KEY_EXCHANGE_SENT;
+	this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
+	return NEED_MORE;
+}
+
+/**
+ * Send Hello Done
+ */
+static status_t send_hello_done(private_tls_server_t *this,
+							tls_handshake_type_t *type, tls_writer_t *writer)
+{
+	*type = TLS_SERVER_HELLO_DONE;
+	this->state = STATE_HELLO_DONE;
+	this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
+	return NEED_MORE;
+}
+
+/**
+ * Send Finished
+ */
+static status_t send_finished(private_tls_server_t *this,
+							  tls_handshake_type_t *type, tls_writer_t *writer)
+{
+	char buf[12];
+
+	if (!this->crypto->calculate_finished(this->crypto, "server finished", buf))
+	{
+		DBG1(DBG_TLS, "calculating server finished data failed");
+		this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
+		return FAILED;
+	}
+
+	writer->write_data(writer, chunk_from_thing(buf));
+
+	*type = TLS_FINISHED;
+	this->state = STATE_FINISHED_SENT;
+	this->crypto->derive_eap_msk(this->crypto,
+								 chunk_from_thing(this->client_random),
+								 chunk_from_thing(this->server_random));
+	return NEED_MORE;
+}
+
+METHOD(tls_handshake_t, build, status_t,
+	private_tls_server_t *this, tls_handshake_type_t *type, tls_writer_t *writer)
+{
+	diffie_hellman_group_t group;
+
+	switch (this->state)
+	{
+		case STATE_HELLO_RECEIVED:
+			return send_server_hello(this, type, writer);
+		case STATE_HELLO_SENT:
+			return send_certificate(this, type, writer);
+		case STATE_CERT_SENT:
+			group = this->crypto->get_dh_group(this->crypto);
+			if (group)
+			{
+				return send_server_key_exchange(this, type, writer, group);
+			}
+			/* otherwise fall through to next state */
+		case STATE_KEY_EXCHANGE_SENT:
+			if (this->peer)
+			{
+				return send_certificate_request(this, type, writer);
+			}
+			/* otherwise fall through to next state */
+		case STATE_CERTREQ_SENT:
+			return send_hello_done(this, type, writer);
+		case STATE_CIPHERSPEC_CHANGED_OUT:
+			return send_finished(this, type, writer);
+		case STATE_FINISHED_SENT:
+			return INVALID_STATE;
+		default:
+			return INVALID_STATE;
+	}
+}
+
+METHOD(tls_handshake_t, cipherspec_changed, bool,
+	private_tls_server_t *this)
+{
+	if (this->state == STATE_FINISHED_RECEIVED)
+	{
+		this->crypto->change_cipher(this->crypto, FALSE);
+		this->state = STATE_CIPHERSPEC_CHANGED_OUT;
+		return TRUE;
+	}
+	return FALSE;
+}
+
+METHOD(tls_handshake_t, change_cipherspec, bool,
+	private_tls_server_t *this)
+{
+	if ((this->peer && this->state == STATE_CERT_VERIFY_RECEIVED) ||
+	   (!this->peer && this->state == STATE_KEY_EXCHANGE_RECEIVED))
+	{
+		this->crypto->change_cipher(this->crypto, TRUE);
+		this->state = STATE_CIPHERSPEC_CHANGED_IN;
+		return TRUE;
+	}
+	return FALSE;
+}
+
+METHOD(tls_handshake_t, finished, bool,
+	private_tls_server_t *this)
+{
+	return this->state == STATE_FINISHED_SENT;
+}
+
+METHOD(tls_handshake_t, destroy, void,
+	private_tls_server_t *this)
+{
+	DESTROY_IF(this->private);
+	DESTROY_IF(this->dh);
+	this->peer_auth->destroy(this->peer_auth);
+	this->server_auth->destroy(this->server_auth);
+	free(this->hashsig.ptr);
+	free(this->curves.ptr);
+	free(this);
+}
+
+/**
+ * See header
+ */
+tls_server_t *tls_server_create(tls_t *tls,
+						tls_crypto_t *crypto, tls_alert_t *alert,
+						identification_t *server, identification_t *peer)
+{
+	private_tls_server_t *this;
+
+	INIT(this,
+		.public = {
+			.handshake = {
+				.process = _process,
+				.build = _build,
+				.cipherspec_changed = _cipherspec_changed,
+				.change_cipherspec = _change_cipherspec,
+				.finished = _finished,
+				.destroy = _destroy,
+			},
+		},
+		.tls = tls,
+		.crypto = crypto,
+		.alert = alert,
+		.server = server,
+		.peer = peer,
+		.state = STATE_INIT,
+		.peer_auth = auth_cfg_create(),
+		.server_auth = auth_cfg_create(),
+	);
+
+	return &this->public;
+}
diff --git a/src/libtls/tls_server.h b/src/libtls/tls_server.h
new file mode 100644
index 000000000..6289dc8eb
--- /dev/null
+++ b/src/libtls/tls_server.h
@@ -0,0 +1,55 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tls_server tls_server
+ * @{ @ingroup libtls
+ */
+
+#ifndef TLS_SERVER_H_
+#define TLS_SERVER_H_
+
+typedef struct tls_server_t tls_server_t;
+
+#include "tls_handshake.h"
+#include "tls_crypto.h"
+
+#include <library.h>
+
+/**
+ * TLS handshake protocol handler as peer.
+ */
+struct tls_server_t {
+
+	/**
+	 * Implements the TLS handshake protocol handler.
+	 */
+	tls_handshake_t handshake;
+};
+
+/**
+ * Create a tls_server instance.
+ *
+ * @param tls		TLS stack
+ * @param crypto	TLS crypto helper
+ * @param alert		TLS alert handler
+ * @param server	server identity
+ * @param peer		peer identity
+ */
+tls_server_t *tls_server_create(tls_t *tls,
+						tls_crypto_t *crypto, tls_alert_t *alert,
+						identification_t *server, identification_t *peer);
+
+#endif /** TLS_SERVER_H_ @}*/
diff --git a/src/libtls/tls_socket.c b/src/libtls/tls_socket.c
new file mode 100644
index 000000000..e0c440a4c
--- /dev/null
+++ b/src/libtls/tls_socket.c
@@ -0,0 +1,219 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "tls_socket.h"
+
+#include <unistd.h>
+
+#include <debug.h>
+
+typedef struct private_tls_socket_t private_tls_socket_t;
+typedef struct private_tls_application_t private_tls_application_t;
+
+struct private_tls_application_t {
+
+	/**
+	 * Implements tls_application layer.
+	 */
+	tls_application_t application;
+
+	/**
+	 * Chunk of data to send
+	 */
+	chunk_t out;
+
+	/**
+	 * Chunk of data received
+	 */
+	chunk_t in;
+};
+
+/**
+ * Private data of an tls_socket_t object.
+ */
+struct private_tls_socket_t {
+
+	/**
+	 * Public tls_socket_t interface.
+	 */
+	tls_socket_t public;
+
+	/**
+	 * TLS application implementation
+	 */
+	private_tls_application_t app;
+
+	/**
+	 * TLS stack
+	 */
+	tls_t *tls;
+
+	/**
+	 * Underlying OS socket
+	 */
+	int fd;
+};
+
+METHOD(tls_application_t, process, status_t,
+	private_tls_application_t *this, tls_reader_t *reader)
+{
+	chunk_t data;
+
+	if (!reader->read_data(reader, reader->remaining(reader), &data))
+	{
+		return FAILED;
+	}
+	this->in = chunk_cat("mc", this->in, data);
+	return NEED_MORE;
+}
+
+METHOD(tls_application_t, build, status_t,
+	private_tls_application_t *this, tls_writer_t *writer)
+{
+	if (this->out.len)
+	{
+		writer->write_data(writer, this->out);
+		this->out = chunk_empty;
+		return NEED_MORE;
+	}
+	return INVALID_STATE;
+}
+
+/**
+ * TLS data exchange loop
+ */
+static bool exchange(private_tls_socket_t *this, bool wr)
+{
+	char buf[1024];
+	ssize_t len;
+	int round = 0;
+
+	for (round = 0; TRUE; round++)
+	{
+		while (TRUE)
+		{
+			len = sizeof(buf);
+			switch (this->tls->build(this->tls, buf, &len, NULL))
+			{
+				case NEED_MORE:
+				case ALREADY_DONE:
+					len = write(this->fd, buf, len);
+					if (len == -1)
+					{
+						return FALSE;
+					}
+					continue;
+				case INVALID_STATE:
+					break;
+				default:
+					return FALSE;
+			}
+			break;
+		}
+		if (wr)
+		{
+			if (this->app.out.len == 0)
+			{	/* all data written */
+				return TRUE;
+			}
+		}
+		else
+		{
+			if (this->app.in.len)
+			{	/* some data received */
+				return TRUE;
+			}
+			if (round > 0)
+			{	/* did some handshaking, return empty chunk to not block */
+				return TRUE;
+			}
+		}
+		len = read(this->fd, buf, sizeof(buf));
+		if (len <= 0)
+		{
+			return FALSE;
+		}
+		if (this->tls->process(this->tls, buf, len) != NEED_MORE)
+		{
+			return FALSE;
+		}
+	}
+}
+
+METHOD(tls_socket_t, read_, bool,
+	private_tls_socket_t *this, chunk_t *buf)
+{
+	if (exchange(this, FALSE))
+	{
+		*buf = this->app.in;
+		this->app.in = chunk_empty;
+		return TRUE;
+	}
+	return FALSE;
+}
+
+METHOD(tls_socket_t, write_, bool,
+	private_tls_socket_t *this, chunk_t buf)
+{
+	this->app.out = buf;
+	if (exchange(this, TRUE))
+	{
+		return TRUE;
+	}
+	return FALSE;
+}
+
+METHOD(tls_socket_t, destroy, void,
+	private_tls_socket_t *this)
+{
+	this->tls->destroy(this->tls);
+	free(this->app.in.ptr);
+	free(this);
+}
+
+/**
+ * See header
+ */
+tls_socket_t *tls_socket_create(bool is_server, identification_t *server,
+								identification_t *peer, int fd)
+{
+	private_tls_socket_t *this;
+
+	INIT(this,
+		.public = {
+			.read = _read_,
+			.write = _write_,
+			.destroy = _destroy,
+		},
+		.app = {
+			.application = {
+				.build = _build,
+				.process = _process,
+				.destroy = (void*)nop,
+			},
+		},
+		.fd = fd,
+	);
+
+	this->tls = tls_create(is_server, server, peer, TLS_PURPOSE_GENERIC,
+						   &this->app.application);
+	if (!this->tls)
+	{
+		free(this);
+		return NULL;
+	}
+
+	return &this->public;
+}
diff --git a/src/libtls/tls_socket.h b/src/libtls/tls_socket.h
new file mode 100644
index 000000000..ac714a385
--- /dev/null
+++ b/src/libtls/tls_socket.h
@@ -0,0 +1,75 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tls_socket tls_socket
+ * @{ @ingroup libtls
+ */
+
+#ifndef TLS_SOCKET_H_
+#define TLS_SOCKET_H_
+
+#include "tls.h"
+
+typedef struct tls_socket_t tls_socket_t;
+
+/**
+ * TLS secured socket.
+ *
+ * Wraps a blocking (socket) file descriptor for a reliable transport into a
+ * TLS secured socket. TLS negotiation happens on demand, certificates and
+ * private keys are fetched from any registered credential set.
+ */
+struct tls_socket_t {
+
+	/**
+	 * Read data from secured socket, return allocated chunk.
+	 *
+	 * This call is blocking, you may use select() on the underlying socket to
+	 * wait for data. If the there was non-application data available, the
+	 * read function can return an empty chunk.
+	 *
+	 * @param data		pointer to allocate received data
+	 * @return			TRUE if data received successfully
+	 */
+	bool (*read)(tls_socket_t *this, chunk_t *data);
+
+	/**
+	 * Write a chunk of data over the secured socket.
+	 *
+	 * @param data		data to send
+	 * @return			TRUE if data sent successfully
+	 */
+	bool (*write)(tls_socket_t *this, chunk_t data);
+
+	/**
+	 * Destroy a tls_socket_t.
+	 */
+	void (*destroy)(tls_socket_t *this);
+};
+
+/**
+ * Create a tls_socket instance.
+ *
+ * @param is_server			TRUE to act as TLS server
+ * @param server			server identity
+ * @param peer				client identity, NULL for no client authentication
+ * @param fd				socket to read/write from
+ * @return					TLS socket wrapper
+ */
+tls_socket_t *tls_socket_create(bool is_server, identification_t *server,
+								identification_t *peer, int fd);
+
+#endif /** TLS_SOCKET_H_ @}*/
diff --git a/src/libtls/tls_writer.c b/src/libtls/tls_writer.c
new file mode 100644
index 000000000..235dc2cdf
--- /dev/null
+++ b/src/libtls/tls_writer.c
@@ -0,0 +1,237 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "tls_writer.h"
+
+typedef struct private_tls_writer_t private_tls_writer_t;
+
+/**
+ * Private data of an tls_writer_t object.
+ */
+struct private_tls_writer_t {
+
+	/**
+	 * Public tls_writer_t interface.
+	 */
+	tls_writer_t public;
+
+	/**
+	 * Allocated buffer
+	 */
+	chunk_t buf;
+
+	/**
+	 * Used bytes in buffer
+	 */
+	size_t used;
+
+	/**
+	 * Number of bytes to increase buffer size
+	 */
+	size_t increase;
+};
+
+/**
+ * Increase buffer size
+ */
+static void increase(private_tls_writer_t *this)
+{
+	this->buf.len += this->increase;
+	this->buf.ptr = realloc(this->buf.ptr, this->buf.len);
+}
+
+METHOD(tls_writer_t, write_uint8, void,
+	private_tls_writer_t *this, u_int8_t value)
+{
+	if (this->used + 1 > this->buf.len)
+	{
+		increase(this);
+	}
+	this->buf.ptr[this->used] = value;
+	this->used += 1;
+}
+
+METHOD(tls_writer_t, write_uint16, void,
+	private_tls_writer_t *this, u_int16_t value)
+{
+	if (this->used + 2 > this->buf.len)
+	{
+		increase(this);
+	}
+	htoun16(this->buf.ptr + this->used, value);
+	this->used += 2;
+}
+
+METHOD(tls_writer_t, write_uint24, void,
+	private_tls_writer_t *this, u_int32_t value)
+{
+	if (this->used + 3 > this->buf.len)
+	{
+		increase(this);
+	}
+	value = htonl(value);
+	memcpy(this->buf.ptr + this->used, ((char*)&value) + 1, 3);
+	this->used += 3;
+}
+
+METHOD(tls_writer_t, write_uint32, void,
+	private_tls_writer_t *this, u_int32_t value)
+{
+	if (this->used + 4 > this->buf.len)
+	{
+		increase(this);
+	}
+	htoun32(this->buf.ptr + this->used, value);
+	this->used += 4;
+}
+
+METHOD(tls_writer_t, write_data, void,
+	private_tls_writer_t *this, chunk_t value)
+{
+	while (this->used + value.len > this->buf.len)
+	{
+		increase(this);
+	}
+	memcpy(this->buf.ptr + this->used, value.ptr, value.len);
+	this->used += value.len;
+}
+
+METHOD(tls_writer_t, write_data8, void,
+	private_tls_writer_t *this, chunk_t value)
+{
+	write_uint8(this, value.len);
+	write_data(this, value);
+}
+
+METHOD(tls_writer_t, write_data16, void,
+	private_tls_writer_t *this, chunk_t value)
+{
+	write_uint16(this, value.len);
+	write_data(this, value);
+}
+
+METHOD(tls_writer_t, write_data24, void,
+	private_tls_writer_t *this, chunk_t value)
+{
+	write_uint24(this, value.len);
+	write_data(this, value);
+}
+
+METHOD(tls_writer_t, write_data32, void,
+	private_tls_writer_t *this, chunk_t value)
+{
+	write_uint32(this, value.len);
+	write_data(this, value);
+}
+
+METHOD(tls_writer_t, wrap8, void,
+	private_tls_writer_t *this)
+{
+	if (this->used + 1 > this->buf.len)
+	{
+		increase(this);
+	}
+	memmove(this->buf.ptr + 1, this->buf.ptr, 1);
+	this->buf.ptr[0] = this->used;
+	this->used += 1;
+}
+
+METHOD(tls_writer_t, wrap16, void,
+	private_tls_writer_t *this)
+{
+	if (this->used + 2 > this->buf.len)
+	{
+		increase(this);
+	}
+	memmove(this->buf.ptr + 2, this->buf.ptr, 2);
+	htoun16(this->buf.ptr, this->used);
+	this->used += 2;
+}
+
+METHOD(tls_writer_t, wrap24, void,
+	private_tls_writer_t *this)
+{
+	u_int32_t len;
+
+	if (this->used + 3 > this->buf.len)
+	{
+		increase(this);
+	}
+	memmove(this->buf.ptr + 3, this->buf.ptr, 3);
+
+	len = htonl(this->used);
+	memcpy(this->buf.ptr, ((char*)&len) + 1, 3);
+	this->used += 3;
+}
+
+METHOD(tls_writer_t, wrap32, void,
+	private_tls_writer_t *this)
+{
+	if (this->used + 4 > this->buf.len)
+	{
+		increase(this);
+	}
+	memmove(this->buf.ptr + 4, this->buf.ptr, 4);
+	htoun32(this->buf.ptr, this->used);
+	this->used += 4;
+}
+
+METHOD(tls_writer_t, get_buf, chunk_t,
+	private_tls_writer_t *this)
+{
+	return chunk_create(this->buf.ptr, this->used);
+}
+
+METHOD(tls_writer_t, destroy, void,
+	private_tls_writer_t *this)
+{
+	free(this->buf.ptr);
+	free(this);
+}
+
+/**
+ * See header
+ */
+tls_writer_t *tls_writer_create(u_int32_t bufsize)
+{
+	private_tls_writer_t *this;
+
+	INIT(this,
+		.public = {
+			.write_uint8 = _write_uint8,
+			.write_uint16 = _write_uint16,
+			.write_uint24 = _write_uint24,
+			.write_uint32 = _write_uint32,
+			.write_data = _write_data,
+			.write_data8 = _write_data8,
+			.write_data16 = _write_data16,
+			.write_data24 = _write_data24,
+			.write_data32 = _write_data32,
+			.wrap8 = _wrap8,
+			.wrap16 = _wrap16,
+			.wrap24 = _wrap24,
+			.wrap32 = _wrap32,
+			.get_buf = _get_buf,
+			.destroy = _destroy,
+		},
+		.increase = bufsize ?: 32,
+	);
+	if (bufsize)
+	{
+		this->buf = chunk_alloc(bufsize);
+	}
+
+	return &this->public;
+}
diff --git a/src/libtls/tls_writer.h b/src/libtls/tls_writer.h
new file mode 100644
index 000000000..d3f09d5da
--- /dev/null
+++ b/src/libtls/tls_writer.h
@@ -0,0 +1,136 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tls_writer tls_writer
+ * @{ @ingroup libtls
+ */
+
+#ifndef TLS_WRITER_H_
+#define TLS_WRITER_H_
+
+typedef struct tls_writer_t tls_writer_t;
+
+#include <library.h>
+
+/**
+ * TLS record generator.
+ */
+struct tls_writer_t {
+
+	/**
+	 * Append a 8-bit integer to the buffer.
+	 *
+	 * @param value		value to append
+	 */
+	void (*write_uint8)(tls_writer_t *this, u_int8_t value);
+
+	/**
+	 * Append a 16-bit integer to the buffer.
+	 *
+	 * @param value		value to append
+	 */
+	void (*write_uint16)(tls_writer_t *this, u_int16_t value);
+
+	/**
+	 * Append a 24-bit integer to the buffer.
+	 *
+	 * @param value		value to append
+	 */
+	void (*write_uint24)(tls_writer_t *this, u_int32_t value);
+
+	/**
+	 * Append a 32-bit integer to the buffer.
+	 *
+	 * @param value		value to append
+	 */
+	void (*write_uint32)(tls_writer_t *this, u_int32_t value);
+
+	/**
+	 * Append a chunk of data without a length header.
+	 *
+	 * @param value		value to append
+	 */
+	void (*write_data)(tls_writer_t *this, chunk_t value);
+
+	/**
+	 * Append a chunk of data with a 8-bit length header.
+	 *
+	 * @param value		value to append
+	 */
+	void (*write_data8)(tls_writer_t *this, chunk_t value);
+
+	/**
+	 * Append a chunk of data with a 16-bit length header.
+	 *
+	 * @param value		value to append
+	 */
+	void (*write_data16)(tls_writer_t *this, chunk_t value);
+
+	/**
+	 * Append a chunk of data with a 24-bit length header.
+	 *
+	 * @param value		value to append
+	 */
+	void (*write_data24)(tls_writer_t *this, chunk_t value);
+
+	/**
+	 * Append a chunk of data with a 32-bit length header.
+	 *
+	 * @param value		value to append
+	 */
+	void (*write_data32)(tls_writer_t *this, chunk_t value);
+
+	/**
+	 * Prepend a 8-bit length header to existing data.
+	 */
+	void (*wrap8)(tls_writer_t *this);
+
+	/**
+	 * Prepend a 16-bit length header to existing data.
+	 */
+	void (*wrap16)(tls_writer_t *this);
+
+	/**
+	 * Prepend a 24-bit length header to existing data.
+	 */
+	void (*wrap24)(tls_writer_t *this);
+
+	/**
+	 * Prepend a 32-bit length header to existing data.
+	 */
+	void (*wrap32)(tls_writer_t *this);
+
+	/**
+	 * Get the encoded data buffer.
+	 *
+	 * @return			chunk to internal buffer
+	 */
+	chunk_t (*get_buf)(tls_writer_t *this);
+
+	/**
+	 * Destroy a tls_writer_t.
+	 */
+	void (*destroy)(tls_writer_t *this);
+};
+
+/**
+ * Create a tls_writer instance.
+ *
+ * @param bufsize		initially allocated buffer size
+ */
+tls_writer_t *tls_writer_create(u_int32_t bufsize);
+
+#endif /** TLS_WRITER_H_ @}*/
diff --git a/src/manager/Makefile.am b/src/manager/Makefile.am
index e67335673..045c77896 100644
--- a/src/manager/Makefile.am
+++ b/src/manager/Makefile.am
@@ -17,7 +17,7 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libfast ${xml_C
 AM_CFLAGS = -rdynamic \
   -DIPSECDIR=\"${ipsecdir}\" \
   -DIPSEC_PIDDIR=\"${piddir}\" \
-  -DPLUGINS=\""${libstrongswan_plugins}\""
+  -DPLUGINS=\""${manager_plugins}\""
 
 # Don't forget to add templates to EXTRA_DIST !!! How to automate?
 manager_templatesdir = ${managerdir}/templates
diff --git a/src/manager/Makefile.in b/src/manager/Makefile.in
index 63a892ee7..5073d9686 100644
--- a/src/manager/Makefile.in
+++ b/src/manager/Makefile.in
@@ -46,6 +46,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -181,6 +182,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -212,14 +215,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -234,24 +240,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -259,7 +272,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
@@ -285,7 +301,7 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libfast ${xml_C
 AM_CFLAGS = -rdynamic \
   -DIPSECDIR=\"${ipsecdir}\" \
   -DIPSEC_PIDDIR=\"${piddir}\" \
-  -DPLUGINS=\""${libstrongswan_plugins}\""
+  -DPLUGINS=\""${manager_plugins}\""
 
 
 # Don't forget to add templates to EXTRA_DIST !!! How to automate?
diff --git a/src/medsrv/Makefile.am b/src/medsrv/Makefile.am
index bdec08190..171b086cf 100644
--- a/src/medsrv/Makefile.am
+++ b/src/medsrv/Makefile.am
@@ -14,7 +14,7 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libfast
 AM_CFLAGS = -rdynamic \
   -DIPSECDIR=\"${ipsecdir}\" \
   -DIPSEC_PIDDIR=\"${piddir}\" \
-  -DPLUGINS=\""${libstrongswan_plugins}\""
+  -DPLUGINS=\""${medsrv_plugins}\""
 
 # Don't forget to add templates to EXTRA_DIST !!! How to automate?
 medsrv_templatesdir = ${medsrvdir}/templates
diff --git a/src/medsrv/Makefile.in b/src/medsrv/Makefile.in
index 415c35e79..07315cfd2 100644
--- a/src/medsrv/Makefile.in
+++ b/src/medsrv/Makefile.in
@@ -46,6 +46,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -171,6 +172,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -202,14 +205,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -224,24 +230,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -249,7 +262,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
@@ -272,7 +288,7 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libfast
 AM_CFLAGS = -rdynamic \
   -DIPSECDIR=\"${ipsecdir}\" \
   -DIPSEC_PIDDIR=\"${piddir}\" \
-  -DPLUGINS=\""${libstrongswan_plugins}\""
+  -DPLUGINS=\""${medsrv_plugins}\""
 
 
 # Don't forget to add templates to EXTRA_DIST !!! How to automate?
diff --git a/src/openac/Makefile.am b/src/openac/Makefile.am
index a278cdd17..0be040e87 100644
--- a/src/openac/Makefile.am
+++ b/src/openac/Makefile.am
@@ -5,6 +5,6 @@ dist_man_MANS = openac.8
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
 AM_CFLAGS = \
   -DIPSEC_CONFDIR=\"${sysconfdir}\" \
-  -DPLUGINS=\""${libstrongswan_plugins}\""
+  -DPLUGINS=\""${openac_plugins}\""
 openac_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 openac.o :		$(top_builddir)/config.status
diff --git a/src/openac/Makefile.in b/src/openac/Makefile.in
index 578ab7d39..fcac66226 100644
--- a/src/openac/Makefile.in
+++ b/src/openac/Makefile.in
@@ -46,6 +46,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -165,6 +166,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -196,14 +199,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -218,24 +224,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -243,7 +256,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
@@ -260,7 +276,7 @@ dist_man_MANS = openac.8
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
 AM_CFLAGS = \
   -DIPSEC_CONFDIR=\"${sysconfdir}\" \
-  -DPLUGINS=\""${libstrongswan_plugins}\""
+  -DPLUGINS=\""${openac_plugins}\""
 
 openac_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 all: all-am
diff --git a/src/openac/openac.c b/src/openac/openac.c
index 3f28b0ac4..5de8f5b7c 100755
--- a/src/openac/openac.c
+++ b/src/openac/openac.c
@@ -36,6 +36,7 @@
 #include <credentials/certificates/x509.h>
 #include <credentials/certificates/ac.h>
 #include <credentials/keys/private_key.h>
+#include <credentials/sets/mem_cred.h>
 #include <utils/optionsfrom.h>
 
 #define OPENAC_PATH   		IPSEC_CONFDIR "/openac"
@@ -437,10 +438,19 @@ int main(int argc, char **argv)
 	/* load the signer's RSA private key */
 	if (keyfile != NULL)
 	{
+		mem_cred_t *mem;
+		shared_key_t *shared;
+
+		mem = mem_cred_create();
+		lib->credmgr->add_set(lib->credmgr, &mem->set);
+		shared = shared_key_create(SHARED_PRIVATE_KEY_PASS,
+								   chunk_clone(passphrase));
+		mem->add_shared(mem, shared, NULL);
 		signerKey = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
 									   BUILD_FROM_FILE, keyfile,
-									   BUILD_PASSPHRASE, passphrase,
 									   BUILD_END);
+		lib->credmgr->remove_set(lib->credmgr, &mem->set);
+		mem->destroy(mem);
 		if (signerKey == NULL)
 		{
 			goto end;
diff --git a/src/pki/Makefile.am b/src/pki/Makefile.am
index 99e9bc581..482f83834 100644
--- a/src/pki/Makefile.am
+++ b/src/pki/Makefile.am
@@ -16,4 +16,4 @@ pki.o :	$(top_builddir)/config.status
 
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
 AM_CFLAGS = \
-	-DPLUGINS=\""${libstrongswan_plugins}\""
+	-DPLUGINS=\""${pki_plugins}\""
diff --git a/src/pki/Makefile.in b/src/pki/Makefile.in
index 8f08777bb..0ec6f9c0b 100644
--- a/src/pki/Makefile.in
+++ b/src/pki/Makefile.in
@@ -45,6 +45,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -142,6 +143,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -173,14 +176,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -195,24 +201,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -220,7 +233,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
@@ -246,7 +262,7 @@ pki_SOURCES = pki.c pki.h command.c command.h \
 pki_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
 AM_CFLAGS = \
-	-DPLUGINS=\""${libstrongswan_plugins}\""
+	-DPLUGINS=\""${pki_plugins}\""
 
 all: all-am
 
diff --git a/src/pki/commands/issue.c b/src/pki/commands/issue.c
index 2002cd555..8ea852e31 100644
--- a/src/pki/commands/issue.c
+++ b/src/pki/commands/issue.c
@@ -35,7 +35,7 @@ static int issue()
 	public_key_t *public = NULL;
 	bool pkcs10 = FALSE;
 	char *file = NULL, *dn = NULL, *hex = NULL, *cacert = NULL, *cakey = NULL;
-	char *error = NULL;
+	char *error = NULL, *keyid = NULL;
 	identification_t *id = NULL;
 	linked_list_t *san, *cdps, *ocsp;
 	int lifetime = 1095;
@@ -85,6 +85,9 @@ static int issue()
 			case 'k':
 				cakey = arg;
 				continue;
+			case 'x':
+				keyid = arg;
+				continue;
 			case 'd':
 				dn = arg;
 				continue;
@@ -153,9 +156,9 @@ static int issue()
 		error = "--cacert is required";
 		goto usage;
 	}
-	if (!cakey)
+	if (!cakey && !keyid)
 	{
-		error = "--cakey is required";
+		error = "--cakey or --keyid is required";
 		goto usage;
 	}
 	if (dn)
@@ -190,12 +193,24 @@ static int issue()
 	}
 
 	DBG2(DBG_LIB, "Reading ca private key:");
-	private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY,
-								 public->get_type(public),
-								 BUILD_FROM_FILE, cakey, BUILD_END);
+	if (cakey)
+	{
+		private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY,
+									 public->get_type(public),
+									 BUILD_FROM_FILE, cakey, BUILD_END);
+	}
+	else
+	{
+		chunk_t chunk;
+
+		chunk = chunk_from_hex(chunk_create(keyid, strlen(keyid)), NULL);
+		private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_ANY,
+									 BUILD_PKCS11_KEYID, chunk, BUILD_END);
+		free(chunk.ptr);
+	}
 	if (!private)
 	{
-		error = "parsing CA private key failed";
+		error = "loading CA private key failed";
 		goto end;
 	}
 	if (!private->belongs_to(private, public))
@@ -354,8 +369,8 @@ static void __attribute__ ((constructor))reg()
 	command_register((command_t) {
 		issue, 'i', "issue",
 		"issue a certificate using a CA certificate and key",
-		{"[--in file] [--type pub|pkcs10]",
-		 " --cacert file --cakey file --dn subject-dn [--san subjectAltName]+",
+		{"[--in file] [--type pub|pkcs10] --cakey file | --cakeyid hex",
+		 " --cacert file --dn subject-dn [--san subjectAltName]+",
 		 "[--lifetime days] [--serial hex] [--crl uri]+ [--ocsp uri]+",
 		 "[--ca] [--pathlen len] [--flag serverAuth|clientAuth|ocspSigning]+",
 		 "[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]"},
@@ -365,6 +380,7 @@ static void __attribute__ ((constructor))reg()
 			{"type",	't', 1, "type of input, default: pub"},
 			{"cacert",	'c', 1, "CA certificate file"},
 			{"cakey",	'k', 1, "CA private key file"},
+			{"cakeyid",	'x', 1, "keyid on smartcard of CA private key"},
 			{"dn",		'd', 1, "distinguished name to include as subject"},
 			{"san",		'a', 1, "subjectAltName to include in certificate"},
 			{"lifetime",'l', 1, "days the certificate is valid, default: 1095"},
diff --git a/src/pki/commands/print.c b/src/pki/commands/print.c
index 6d5462783..870dca920 100644
--- a/src/pki/commands/print.c
+++ b/src/pki/commands/print.c
@@ -17,6 +17,7 @@
 
 #include <credentials/certificates/certificate.h>
 #include <credentials/certificates/x509.h>
+#include <credentials/certificates/crl.h>
 #include <selectors/traffic_selector.h>
 
 #include <time.h>
@@ -29,7 +30,7 @@ static void print_pubkey(public_key_t *key)
 	chunk_t chunk;
 
 	printf("pubkey:    %N %d bits\n", key_type_names, key->get_type(key),
-		   key->get_keysize(key) * 8);
+		   key->get_keysize(key));
 	if (key->get_fingerprint(key, KEYID_PUBKEY_INFO_SHA1, &chunk))
 	{
 		printf("keyid:     %#B\n", &chunk);
@@ -201,6 +202,44 @@ static void print_x509(x509_t *x509)
 	}
 }
 
+/**
+ * Print CRL specific information
+ */
+static void print_crl(crl_t *crl)
+{
+	enumerator_t *enumerator;
+	time_t ts;
+	crl_reason_t reason;
+	chunk_t chunk;
+	int count = 0;
+	char buf[64];
+	struct tm tm;
+
+	chunk = crl->get_serial(crl);
+	printf("serial:    %#B\n", &chunk);
+	chunk = crl->get_authKeyIdentifier(crl);
+	printf("authKeyId: %#B\n", &chunk);
+
+	enumerator = crl->create_enumerator(crl);
+	while (enumerator->enumerate(enumerator, &chunk, &ts, &reason))
+	{
+		count++;
+	}
+	enumerator->destroy(enumerator);
+
+	printf("%d revoked certificate%s%s\n", count,
+		   count == 1 ? "" : "s", count ? ":" : "");
+	enumerator = crl->create_enumerator(crl);
+	while (enumerator->enumerate(enumerator, &chunk, &ts, &reason))
+	{
+		localtime_r(&ts, &tm);
+		strftime(buf, sizeof(buf), "%F %T", &tm);
+		printf("    %#B %N %s\n", &chunk, crl_reason_names, reason, buf);
+		count++;
+	}
+	enumerator->destroy(enumerator);
+}
+
 /**
  * Print certificate information
  */
@@ -212,7 +251,10 @@ static void print_cert(certificate_t *cert)
 	now = time(NULL);
 
 	printf("cert:      %N\n", certificate_type_names, cert->get_type(cert));
-	printf("subject:  \"%Y\"\n", cert->get_subject(cert));
+	if (cert->get_type(cert) != CERT_X509_CRL)
+	{
+		printf("subject:  \"%Y\"\n", cert->get_subject(cert));
+	}
 	printf("issuer:   \"%Y\"\n", cert->get_issuer(cert));
 
 	cert->get_validity(cert, &now, &notBefore, &notAfter);
@@ -240,22 +282,20 @@ static void print_cert(certificate_t *cert)
 		case CERT_X509:
 			print_x509((x509_t*)cert);
 			break;
+		case CERT_X509_CRL:
+			print_crl((crl_t*)cert);
+			break;
 		default:
 			printf("parsing certificate subtype %N not implemented\n",
 				   certificate_type_names, cert->get_type(cert));
 			break;
 	}
-
 	key = cert->get_public_key(cert);
 	if (key)
 	{
 		print_pubkey(key);
 		key->destroy(key);
 	}
-	else
-	{
-		printf("unable to extract public key\n");
-	}
 }
 
 /**
@@ -280,6 +320,11 @@ static int print()
 					type = CRED_CERTIFICATE;
 					subtype = CERT_X509;
 				}
+				else if (streq(arg, "crl"))
+				{
+					type = CRED_CERTIFICATE;
+					subtype = CERT_X509_CRL;
+				}
 				else if (streq(arg, "pub"))
 				{
 					type = CRED_PUBLIC_KEY;
@@ -358,7 +403,7 @@ static void __attribute__ ((constructor))reg()
 	command_register((command_t)
 		{ print, 'a', "print",
 		"print a credential in a human readable form",
-		{"[--in file] [--type rsa-priv|ecdsa-priv|pub|x509]"},
+		{"[--in file] [--type rsa-priv|ecdsa-priv|pub|x509|crl]"},
 		{
 			{"help",	'h', 0, "show usage information"},
 			{"in",		'i', 1, "input file, default: stdin"},
diff --git a/src/pki/commands/pub.c b/src/pki/commands/pub.c
index fc2614c7d..30078a8fa 100644
--- a/src/pki/commands/pub.c
+++ b/src/pki/commands/pub.c
@@ -30,7 +30,7 @@ static int pub()
 	private_key_t *private;
 	public_key_t *public;
 	chunk_t encoding;
-	char *file = NULL;
+	char *file = NULL, *keyid = NULL;
 	void *cred;
 	char *arg;
 
@@ -75,6 +75,9 @@ static int pub()
 			case 'i':
 				file = arg;
 				continue;
+			case 'x':
+				keyid = arg;
+				continue;
 			case EOF:
 				break;
 			default:
@@ -87,6 +90,15 @@ static int pub()
 		cred = lib->creds->create(lib->creds, type, subtype,
 									 BUILD_FROM_FILE, file, BUILD_END);
 	}
+	else if (keyid)
+	{
+		chunk_t chunk;
+
+		chunk = chunk_from_hex(chunk_create(keyid, strlen(keyid)), NULL);
+		cred = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_ANY,
+									 BUILD_PKCS11_KEYID, chunk, BUILD_END);
+		free(chunk.ptr);
+	}
 	else
 	{
 		cred = lib->creds->create(lib->creds, type, subtype,
@@ -145,10 +157,12 @@ static void __attribute__ ((constructor))reg()
 	command_register((command_t) {
 		pub, 'p', "pub",
 		"extract the public key from a private key/certificate",
-		{"[--in file] [--type rsa|ecdsa|pkcs10|x509] [--outform der|pem|pgp]"},
+		{"[--in file|--keyid hex] [--type rsa|ecdsa|pkcs10|x509]",
+		 "[--outform der|pem|pgp]"},
 		{
 			{"help",	'h', 0, "show usage information"},
 			{"in",		'i', 1, "input file, default: stdin"},
+			{"keyid",	'x', 1, "keyid on smartcard of private key"},
 			{"type",	't', 1, "type of credential, default: rsa"},
 			{"outform",	'f', 1, "encoding of extracted public key"},
 		}
diff --git a/src/pki/commands/req.c b/src/pki/commands/req.c
index a1ae2f515..d1ca45e1a 100644
--- a/src/pki/commands/req.c
+++ b/src/pki/commands/req.c
@@ -127,7 +127,7 @@ static int req()
 							  BUILD_SIGNING_KEY, private,
 							  BUILD_SUBJECT, id,
 							  BUILD_SUBJECT_ALTNAMES, san,
-							  BUILD_PASSPHRASE, challenge_password,
+							  BUILD_CHALLENGE_PWD, challenge_password,
 							  BUILD_DIGEST_ALG, digest,
 							  BUILD_END);
 	if (!cert)
diff --git a/src/pki/commands/self.c b/src/pki/commands/self.c
index 71776c745..5e6f0bd14 100644
--- a/src/pki/commands/self.c
+++ b/src/pki/commands/self.c
@@ -32,7 +32,7 @@ static int self()
 	certificate_t *cert = NULL;
 	private_key_t *private = NULL;
 	public_key_t *public = NULL;
-	char *file = NULL, *dn = NULL, *hex = NULL, *error = NULL;
+	char *file = NULL, *dn = NULL, *hex = NULL, *error = NULL, *keyid = NULL;
 	identification_t *id = NULL;
 	linked_list_t *san, *ocsp;
 	int lifetime = 1095;
@@ -78,6 +78,9 @@ static int self()
 			case 'i':
 				file = arg;
 				continue;
+			case 'x':
+				keyid = arg;
+				continue;
 			case 'd':
 				dn = arg;
 				continue;
@@ -149,6 +152,15 @@ static int self()
 		private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type,
 									 BUILD_FROM_FILE, file, BUILD_END);
 	}
+	else if (keyid)
+	{
+		chunk_t chunk;
+
+		chunk = chunk_from_hex(chunk_create(keyid, strlen(keyid)), NULL);
+		private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_ANY,
+									 BUILD_PKCS11_KEYID, chunk, BUILD_END);
+		free(chunk.ptr);
+	}
 	else
 	{
 		private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type,
@@ -156,7 +168,7 @@ static int self()
 	}
 	if (!private)
 	{
-		error = "parsing private key failed";
+		error = "loading private key failed";
 		goto end;
 	}
 	public = private->get_public_key(private);
@@ -242,7 +254,7 @@ static void __attribute__ ((constructor))reg()
 	command_register((command_t) {
 		self, 's', "self",
 		"create a self signed certificate",
-		{"[--in file] [--type rsa|ecdsa]",
+		{"[--in file | --keyid hex] [--type rsa|ecdsa]",
 		 " --dn distinguished-name [--san subjectAltName]+",
 		 "[--lifetime days] [--serial hex] [--ca] [--ocsp uri]+",
 		 "[--flag serverAuth|clientAuth|ocspSigning]+",
@@ -250,6 +262,7 @@ static void __attribute__ ((constructor))reg()
 		{
 			{"help",	'h', 0, "show usage information"},
 			{"in",		'i', 1, "private key input file, default: stdin"},
+			{"keyid",	'x', 1, "keyid on smartcard of private key"},
 			{"type",	't', 1, "type of input key, default: rsa"},
 			{"dn",		'd', 1, "subject and issuer distinguished name"},
 			{"san",		'a', 1, "subjectAltName to include in certificate"},
diff --git a/src/pki/commands/signcrl.c b/src/pki/commands/signcrl.c
index b7163a153..24bf9123f 100644
--- a/src/pki/commands/signcrl.c
+++ b/src/pki/commands/signcrl.c
@@ -110,7 +110,7 @@ static int sign_crl()
 	x509_t *x509;
 	hash_algorithm_t digest = HASH_SHA1;
 	char *arg, *cacert = NULL, *cakey = NULL, *lastupdate = NULL, *error = NULL;
-	char serial[512], crl_serial[8];
+	char serial[512], crl_serial[8], *keyid = NULL;
 	int serial_len = 0;
 	crl_reason_t reason = CRL_REASON_UNSPECIFIED;
 	time_t thisUpdate, nextUpdate, date = time(NULL);
@@ -143,6 +143,9 @@ static int sign_crl()
 			case 'k':
 				cakey = arg;
 				continue;
+			case 'x':
+				keyid = arg;
+				continue;
 			case 'a':
 				lastupdate = arg;
 				continue;
@@ -245,9 +248,9 @@ static int sign_crl()
 		error = "--cacert is required";
 		goto usage;
 	}
-	if (!cakey)
+	if (!cakey && !keyid)
 	{
-		error = "--cakey is required";
+		error = "--cakey or --keyid is required";
 		goto usage;
 	}
 
@@ -270,12 +273,24 @@ static int sign_crl()
 		error = "extracting CA certificate public key failed";
 		goto error;
 	}
-	private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY,
-								 public->get_type(public),
-								 BUILD_FROM_FILE, cakey, BUILD_END);
+	if (cakey)
+	{
+		private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY,
+									 public->get_type(public),
+									 BUILD_FROM_FILE, cakey, BUILD_END);
+	}
+	else
+	{
+		chunk_t chunk;
+
+		chunk = chunk_from_hex(chunk_create(keyid, strlen(keyid)), NULL);
+		private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_ANY,
+									 BUILD_PKCS11_KEYID, chunk, BUILD_END);
+		free(chunk.ptr);
+	}
 	if (!private)
 	{
-		error = "parsing CA private key failed";
+		error = "loading CA private key failed";
 		goto error;
 	}
 	if (!private->belongs_to(private, public))
@@ -359,7 +374,7 @@ static void __attribute__ ((constructor))reg()
 	command_register((command_t) {
 		sign_crl, 'c', "signcrl",
 		"issue a CRL using a CA certificate and key",
-		{"--cacert file --cakey file --lifetime days",
+		{"--cacert file --cakey file | --cakeyid hex --lifetime days",
 		 "[  [--reason key-compromise|ca-compromise|affiliation-changed|",
 		 "             superseded|cessation-of-operation|certificate-hold]",
 		 "   [--date timestamp]",
@@ -369,6 +384,7 @@ static void __attribute__ ((constructor))reg()
 			{"help",	'h', 0, "show usage information"},
 			{"cacert",	'c', 1, "CA certificate file"},
 			{"cakey",	'k', 1, "CA private key file"},
+			{"cakeyid",	'x', 1, "keyid on smartcard of CA private key"},
 			{"lifetime",'l', 1, "days the CRL gets a nextUpdate, default: 15"},
 			{"lastcrl",	'a', 1, "CRL of lastUpdate to copy revocations from"},
 			{"cert",	'z', 1, "certificate file to revoke"},
diff --git a/src/pki/pki.c b/src/pki/pki.c
index d5dd03fa0..3005d2fcd 100644
--- a/src/pki/pki.c
+++ b/src/pki/pki.c
@@ -16,7 +16,10 @@
 #include "command.h"
 #include "pki.h"
 
+#include <unistd.h>
+
 #include <debug.h>
+#include <credentials/sets/callback_cred.h>
 
 /**
  * Convert a form string to a encoding type
@@ -108,6 +111,67 @@ hash_algorithm_t get_digest(char *name)
 	return HASH_UNKNOWN;
 }
 
+/**
+ * Callback credential set pki uses
+ */
+static callback_cred_t *cb_set;
+
+/**
+ * Callback function to receive credentials
+ */
+static shared_key_t* cb(void *data, shared_key_type_t type,
+						identification_t *me, identification_t *other,
+						id_match_t *match_me, id_match_t *match_other)
+{
+	char buf[64], *label, *secret;
+
+	switch (type)
+	{
+		case SHARED_PIN:
+			label = "Smartcard PIN";
+			break;
+		case SHARED_PRIVATE_KEY_PASS:
+			label = "Private key passphrase";
+			break;
+		default:
+			return NULL;
+	}
+	snprintf(buf, sizeof(buf), "%s: ", label);
+	secret = getpass(buf);
+	if (secret)
+	{
+		if (match_me)
+		{
+			*match_me = ID_MATCH_PERFECT;
+		}
+		if (match_other)
+		{
+			*match_other = ID_MATCH_NONE;
+		}
+		return shared_key_create(type,
+							chunk_clone(chunk_create(secret, strlen(secret))));
+	}
+	return NULL;
+}
+
+/**
+ * Register PIN/Passphrase callback function
+ */
+static void add_callback()
+{
+	cb_set = callback_cred_create_shared(cb, NULL);
+	lib->credmgr->add_set(lib->credmgr, &cb_set->set);
+}
+
+/**
+ * Unregister PIN/Passphrase callback function
+ */
+static void remove_callback()
+{
+	lib->credmgr->remove_set(lib->credmgr, &cb_set->set);
+	cb_set->destroy(cb_set);
+}
+
 /**
  * Library initialization and operation parsing
  */
@@ -129,6 +193,9 @@ int main(int argc, char *argv[])
 	{
 		exit(SS_RC_INITIALIZATION_FAILED);
 	}
+
+	add_callback();
+	atexit(remove_callback);
 	return command_dispatch(argc, argv);
 }
 
diff --git a/src/pluto/Makefile.am b/src/pluto/Makefile.am
index 9f631ca28..934b11a46 100644
--- a/src/pluto/Makefile.am
+++ b/src/pluto/Makefile.am
@@ -18,6 +18,7 @@ db_ops.c db_ops.h \
 defs.c defs.h \
 demux.c demux.h \
 dnskey.c dnskey.h \
+event_queue.c event_queue.h \
 fetch.c fetch.h \
 foodgroups.c foodgroups.h \
 ike_alg.c ike_alg.h \
@@ -25,8 +26,6 @@ ipsec_doi.c ipsec_doi.h \
 kameipsec.h \
 kernel.c kernel.h \
 kernel_alg.c kernel_alg.h \
-kernel_netlink.c kernel_netlink.h \
-kernel_noklips.c kernel_noklips.h \
 kernel_pfkey.c kernel_pfkey.h \
 keys.c keys.h \
 lex.c lex.h \
@@ -74,10 +73,10 @@ AM_CFLAGS = -rdynamic \
 -DIPSEC_CONFDIR=\"${sysconfdir}\" \
 -DIPSEC_PIDDIR=\"${piddir}\" \
 -DSHARED_SECRETS_FILE=\"${sysconfdir}/ipsec.secrets\" \
--DPLUGINS=\""${pluto_plugins} ${libhydra_plugins}\"" \
+-DPLUGINS=\""${pluto_plugins}\"" \
 -DPKCS11_DEFAULT_LIB=\"${default_pkcs11}\" \
 -DKERNEL26_SUPPORT -DKERNEL26_HAS_KAME_DUPLICATES \
--DPLUTO -DKLIPS -DDEBUG
+-DPLUTO -DDEBUG
 
 pluto_LDADD = \
 $(LIBSTRONGSWANDIR)/libstrongswan.la \
@@ -89,9 +88,7 @@ _pluto_adns_LDADD = \
 $(LIBFREESWANDIR)/libfreeswan.a \
 -lresolv $(DLLIB)
 
-CLEANFILES = ipsec.secrets.5
-dist_man_MANS = pluto.8 ipsec.secrets.5
-EXTRA_DIST = ipsec.secrets.5.in
+dist_man_MANS = pluto.8
 
 # compile options
 #################
@@ -138,8 +135,3 @@ if USE_XAUTH
   SUBDIRS += plugins/xauth
 endif
 
-ipsec.secrets.5 : ipsec.secrets.5.in
-	sed \
-	-e "s:@IPSEC_VERSION@:$(PACKAGE_VERSION):" \
-	$(srcdir)/$@.in > $@
-
diff --git a/src/pluto/Makefile.in b/src/pluto/Makefile.in
index 41fc4927e..080530f86 100644
--- a/src/pluto/Makefile.in
+++ b/src/pluto/Makefile.in
@@ -71,14 +71,14 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
-am__installdirs = "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man5dir)" \
-	"$(DESTDIR)$(man8dir)"
+am__installdirs = "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man8dir)"
 PROGRAMS = $(ipsec_PROGRAMS)
 am__pluto_adns_OBJECTS = adns.$(OBJEXT)
 _pluto_adns_OBJECTS = $(am__pluto_adns_OBJECTS)
@@ -89,17 +89,17 @@ am_pluto_OBJECTS = ac.$(OBJEXT) alg_info.$(OBJEXT) ca.$(OBJEXT) \
 	certs.$(OBJEXT) connections.$(OBJEXT) constants.$(OBJEXT) \
 	cookie.$(OBJEXT) crl.$(OBJEXT) crypto.$(OBJEXT) \
 	db_ops.$(OBJEXT) defs.$(OBJEXT) demux.$(OBJEXT) \
-	dnskey.$(OBJEXT) fetch.$(OBJEXT) foodgroups.$(OBJEXT) \
-	ike_alg.$(OBJEXT) ipsec_doi.$(OBJEXT) kernel.$(OBJEXT) \
-	kernel_alg.$(OBJEXT) kernel_netlink.$(OBJEXT) \
-	kernel_noklips.$(OBJEXT) kernel_pfkey.$(OBJEXT) keys.$(OBJEXT) \
-	lex.$(OBJEXT) log.$(OBJEXT) myid.$(OBJEXT) modecfg.$(OBJEXT) \
-	nat_traversal.$(OBJEXT) ocsp.$(OBJEXT) packet.$(OBJEXT) \
-	pkcs7.$(OBJEXT) pluto.$(OBJEXT) plutomain.$(OBJEXT) \
-	rcv_whack.$(OBJEXT) server.$(OBJEXT) smartcard.$(OBJEXT) \
-	spdb.$(OBJEXT) state.$(OBJEXT) timer.$(OBJEXT) \
-	vendor.$(OBJEXT) virtual.$(OBJEXT) whack_attribute.$(OBJEXT) \
-	xauth_manager.$(OBJEXT) x509.$(OBJEXT) builder.$(OBJEXT)
+	dnskey.$(OBJEXT) event_queue.$(OBJEXT) fetch.$(OBJEXT) \
+	foodgroups.$(OBJEXT) ike_alg.$(OBJEXT) ipsec_doi.$(OBJEXT) \
+	kernel.$(OBJEXT) kernel_alg.$(OBJEXT) kernel_pfkey.$(OBJEXT) \
+	keys.$(OBJEXT) lex.$(OBJEXT) log.$(OBJEXT) myid.$(OBJEXT) \
+	modecfg.$(OBJEXT) nat_traversal.$(OBJEXT) ocsp.$(OBJEXT) \
+	packet.$(OBJEXT) pkcs7.$(OBJEXT) pluto.$(OBJEXT) \
+	plutomain.$(OBJEXT) rcv_whack.$(OBJEXT) server.$(OBJEXT) \
+	smartcard.$(OBJEXT) spdb.$(OBJEXT) state.$(OBJEXT) \
+	timer.$(OBJEXT) vendor.$(OBJEXT) virtual.$(OBJEXT) \
+	whack_attribute.$(OBJEXT) xauth_manager.$(OBJEXT) \
+	x509.$(OBJEXT) builder.$(OBJEXT)
 pluto_OBJECTS = $(am_pluto_OBJECTS)
 pluto_DEPENDENCIES = $(LIBSTRONGSWANDIR)/libstrongswan.la \
 	$(LIBFREESWANDIR)/libfreeswan.a $(LIBHYDRADIR)/libhydra.la \
@@ -148,7 +148,6 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
-man5dir = $(mandir)/man5
 man8dir = $(mandir)/man8
 NROFF = nroff
 MANS = $(dist_man_MANS)
@@ -251,6 +250,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -282,14 +283,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -304,24 +308,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -329,7 +340,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
@@ -355,6 +369,7 @@ db_ops.c db_ops.h \
 defs.c defs.h \
 demux.c demux.h \
 dnskey.c dnskey.h \
+event_queue.c event_queue.h \
 fetch.c fetch.h \
 foodgroups.c foodgroups.h \
 ike_alg.c ike_alg.h \
@@ -362,8 +377,6 @@ ipsec_doi.c ipsec_doi.h \
 kameipsec.h \
 kernel.c kernel.h \
 kernel_alg.c kernel_alg.h \
-kernel_netlink.c kernel_netlink.h \
-kernel_noklips.c kernel_noklips.h \
 kernel_pfkey.c kernel_pfkey.h \
 keys.c keys.h \
 lex.c lex.h \
@@ -405,11 +418,11 @@ INCLUDES = \
 AM_CFLAGS = -rdynamic -DIPSEC_DIR=\"${ipsecdir}\" \
 	-DIPSEC_CONFDIR=\"${sysconfdir}\" -DIPSEC_PIDDIR=\"${piddir}\" \
 	-DSHARED_SECRETS_FILE=\"${sysconfdir}/ipsec.secrets\" \
-	-DPLUGINS=\""${pluto_plugins} ${libhydra_plugins}\"" \
+	-DPLUGINS=\""${pluto_plugins}\"" \
 	-DPKCS11_DEFAULT_LIB=\"${default_pkcs11}\" -DKERNEL26_SUPPORT \
-	-DKERNEL26_HAS_KAME_DUPLICATES -DPLUTO -DKLIPS -DDEBUG \
-	$(am__append_1) $(am__append_2) $(am__append_3) \
-	$(am__append_4) $(am__append_5) $(am__append_7)
+	-DKERNEL26_HAS_KAME_DUPLICATES -DPLUTO -DDEBUG $(am__append_1) \
+	$(am__append_2) $(am__append_3) $(am__append_4) \
+	$(am__append_5) $(am__append_7)
 pluto_LDADD = $(LIBSTRONGSWANDIR)/libstrongswan.la \
 	$(LIBFREESWANDIR)/libfreeswan.a $(LIBHYDRADIR)/libhydra.la \
 	-lresolv $(PTHREADLIB) $(DLLIB) $(am__append_6)
@@ -417,9 +430,7 @@ _pluto_adns_LDADD = \
 $(LIBFREESWANDIR)/libfreeswan.a \
 -lresolv $(DLLIB)
 
-CLEANFILES = ipsec.secrets.5
-dist_man_MANS = pluto.8 ipsec.secrets.5
-EXTRA_DIST = ipsec.secrets.5.in
+dist_man_MANS = pluto.8
 
 # build optional plugins
 ########################
@@ -529,14 +540,13 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/defs.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/demux.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/dnskey.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/event_queue.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fetch.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/foodgroups.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_alg.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipsec_doi.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_alg.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_netlink.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_noklips.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_pfkey.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/keys.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/lex.Po@am__quote@
@@ -601,44 +611,6 @@ mostlyclean-libtool:
 
 clean-libtool:
 	-rm -rf .libs _libs
-install-man5: $(dist_man_MANS)
-	@$(NORMAL_INSTALL)
-	test -z "$(man5dir)" || $(MKDIR_P) "$(DESTDIR)$(man5dir)"
-	@list=''; test -n "$(man5dir)" || exit 0; \
-	{ for i in $$list; do echo "$$i"; done; \
-	l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \
-	  sed -n '/\.5[a-z]*$$/p'; \
-	} | while read p; do \
-	  if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
-	  echo "$$d$$p"; echo "$$p"; \
-	done | \
-	sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^5][0-9a-z]*$$,5,;x' \
-	      -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \
-	sed 'N;N;s,\n, ,g' | { \
-	list=; while read file base inst; do \
-	  if test "$$base" = "$$inst"; then list="$$list $$file"; else \
-	    echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man5dir)/$$inst'"; \
-	    $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man5dir)/$$inst" || exit $$?; \
-	  fi; \
-	done; \
-	for i in $$list; do echo "$$i"; done | $(am__base_list) | \
-	while read files; do \
-	  test -z "$$files" || { \
-	    echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man5dir)'"; \
-	    $(INSTALL_DATA) $$files "$(DESTDIR)$(man5dir)" || exit $$?; }; \
-	done; }
-
-uninstall-man5:
-	@$(NORMAL_UNINSTALL)
-	@list=''; test -n "$(man5dir)" || exit 0; \
-	files=`{ for i in $$list; do echo "$$i"; done; \
-	l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \
-	  sed -n '/\.5[a-z]*$$/p'; \
-	} | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^5][0-9a-z]*$$,5,;x' \
-	      -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
-	test -z "$$files" || { \
-	  echo " ( cd '$(DESTDIR)$(man5dir)' && rm -f" $$files ")"; \
-	  cd "$(DESTDIR)$(man5dir)" && rm -f $$files; }
 install-man8: $(dist_man_MANS)
 	@$(NORMAL_INSTALL)
 	test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)"
@@ -889,7 +861,7 @@ check: check-recursive
 all-am: Makefile $(PROGRAMS) $(MANS)
 installdirs: installdirs-recursive
 installdirs-am:
-	for dir in "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man5dir)" "$(DESTDIR)$(man8dir)"; do \
+	for dir in "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man8dir)"; do \
 	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
 	done
 install: install-recursive
@@ -909,7 +881,6 @@ install-strip:
 mostlyclean-generic:
 
 clean-generic:
-	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
 
 distclean-generic:
 	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
@@ -957,7 +928,7 @@ install-info: install-info-recursive
 
 install-info-am:
 
-install-man: install-man5 install-man8
+install-man: install-man8
 
 install-pdf: install-pdf-recursive
 
@@ -989,7 +960,7 @@ ps-am:
 
 uninstall-am: uninstall-ipsecPROGRAMS uninstall-man
 
-uninstall-man: uninstall-man5 uninstall-man8
+uninstall-man: uninstall-man8
 
 .MAKE: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) ctags-recursive \
 	install-am install-strip tags-recursive
@@ -1002,24 +973,18 @@ uninstall-man: uninstall-man5 uninstall-man8
 	html-am info info-am install install-am install-data \
 	install-data-am install-dvi install-dvi-am install-exec \
 	install-exec-am install-html install-html-am install-info \
-	install-info-am install-ipsecPROGRAMS install-man install-man5 \
-	install-man8 install-pdf install-pdf-am install-ps \
-	install-ps-am install-strip installcheck installcheck-am \
-	installdirs installdirs-am maintainer-clean \
-	maintainer-clean-generic mostlyclean mostlyclean-compile \
-	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	tags tags-recursive uninstall uninstall-am \
-	uninstall-ipsecPROGRAMS uninstall-man uninstall-man5 \
+	install-info-am install-ipsecPROGRAMS install-man install-man8 \
+	install-pdf install-pdf-am install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	installdirs-am maintainer-clean maintainer-clean-generic \
+	mostlyclean mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool pdf pdf-am ps ps-am tags tags-recursive \
+	uninstall uninstall-am uninstall-ipsecPROGRAMS uninstall-man \
 	uninstall-man8
 
 
 plutomain.o :	$(top_builddir)/config.status
 
-ipsec.secrets.5 : ipsec.secrets.5.in
-	sed \
-	-e "s:@IPSEC_VERSION@:$(PACKAGE_VERSION):" \
-	$(srcdir)/$@.in > $@
-
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/src/pluto/alg_info.c b/src/pluto/alg_info.c
index 32fd46ef4..d06e09007 100644
--- a/src/pluto/alg_info.c
+++ b/src/pluto/alg_info.c
@@ -414,7 +414,7 @@ struct alg_info_esp *alg_info_esp_create_from_str(char *alg_str)
 	alg_info_esp = malloc_thing (struct alg_info_esp);
 	zero(alg_info_esp);
 
-	pfs_name=index (alg_str, ';');
+	pfs_name=strchr(alg_str, ';');
 	if (pfs_name)
 	{
 		memcpy(esp_buf, alg_str, pfs_name-alg_str);
diff --git a/src/pluto/builder.c b/src/pluto/builder.c
index 0cba32bcf..d7ec3feb9 100644
--- a/src/pluto/builder.c
+++ b/src/pluto/builder.c
@@ -136,9 +136,9 @@ static x509crl_t *builder_load_crl(certificate_type_t type, va_list args)
 
 void init_builder(void)
 {
-	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_PLUTO_CERT,
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_PLUTO_CERT, FALSE,
 							(builder_function_t)builder_load_cert);
-	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_PLUTO_CRL,
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_PLUTO_CRL, FALSE,
 							(builder_function_t)builder_load_crl);
 }
 
diff --git a/src/pluto/certs.c b/src/pluto/certs.c
index 24e8ffb27..e866022df 100644
--- a/src/pluto/certs.c
+++ b/src/pluto/certs.c
@@ -74,20 +74,21 @@ void cert_free(cert_t *cert)
 cert_t* cert_add(cert_t *cert)
 {
 	certificate_t *certificate = cert->cert;
-	cert_t *c = certs;
+	cert_t *c;
 
-	while (c != NULL)
+	lock_certs_and_keys("cert_add");
+
+	for (c = certs; c != NULL; c = c->next)
 	{
-		if (certificate->equals(certificate, c->cert)) /* already in chain, free cert */
-		{
+		if (certificate->equals(certificate, c->cert))
+		{	/* already in chain, free cert */
+			unlock_certs_and_keys("cert_add");
 			cert_free(cert);
 			return c;
 		}
-		c = c->next;
 	}
 
 	/* insert new cert at the root of the chain */
-	lock_certs_and_keys("cert_add");
 	cert->next = certs;
 	certs = cert;
 	DBG(DBG_CONTROL | DBG_PARSING,
@@ -97,90 +98,6 @@ cert_t* cert_add(cert_t *cert)
 	return cert;
 }
 
-/**
- * Passphrase callback to read from whack fd
- */
-chunk_t whack_pass_cb(prompt_pass_t *pass, int try)
-{
-	int n;
-
-	if (try > MAX_PROMPT_PASS_TRIALS)
-	{
-		whack_log(RC_LOG_SERIOUS, "invalid passphrase, too many trials");
-		return chunk_empty;
-	}
-	if (try == 1)
-	{
-		whack_log(RC_ENTERSECRET, "need passphrase for 'private key'");
-	}
-	else
-	{
-		whack_log(RC_ENTERSECRET, "invalid passphrase, please try again");
-	}
-
-	n = read(pass->fd, pass->secret, PROMPT_PASS_LEN);
-
-	if (n == -1)
-	{
-		whack_log(RC_LOG_SERIOUS, "read(whackfd) failed");
-		return chunk_empty;
-	}
-
-	pass->secret[n-1] = '\0';
-
-	if (strlen(pass->secret) == 0)
-	{
-		whack_log(RC_LOG_SERIOUS, "no passphrase entered, aborted");
-		return chunk_empty;
-	}
-	return chunk_create(pass->secret, strlen(pass->secret));
-}
-
-/**
- *  Loads a PKCS#1 or PGP private key file
- */
-private_key_t* load_private_key(char* filename, prompt_pass_t *pass,
-								key_type_t type)
-{
-	private_key_t *key = NULL;
-	char *path;
-
-	path = concatenate_paths(PRIVATE_KEY_PATH, filename);
-	if (pass && pass->prompt && pass->fd != NULL_FD)
-	{	/* use passphrase callback */
-		key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type,
-								 BUILD_FROM_FILE, path,
-								 BUILD_PASSPHRASE_CALLBACK, whack_pass_cb, pass,
-								 BUILD_END);
-		if (key)
-		{
-			whack_log(RC_SUCCESS, "valid passphrase");
-		}
-	}
-	else if (pass)
-	{	/* use a given passphrase */
-		chunk_t password = chunk_create(pass->secret, strlen(pass->secret));
-		key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type,
-								 BUILD_FROM_FILE, path,
-								 BUILD_PASSPHRASE, password, BUILD_END);
-	}
-	else
-	{	/* no passphrase */
-		key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type,
-								 BUILD_FROM_FILE, path, BUILD_END);
-
-	}
-	if (key)
-	{
-		plog("  loaded private key from '%s'", filename);
-	}
-	else
-	{
-		plog("  syntax error in private key file");
-	}
-	return key;
-}
-
 /**
  *  Loads a X.509 or OpenPGP certificate
  */
@@ -316,7 +233,7 @@ void list_pgp_end_certs(bool utc)
 
 				whack_log(RC_COMMENT, "  pubkey:    %N %4d bits%s",
 						key_type_names, key->get_type(key),
-						key->get_keysize(key) * BITS_PER_BYTE,
+						key->get_keysize(key),
 						has_private_key(cert)? ", has private key" : "");
 				if (key->get_fingerprint(key, KEYID_PUBKEY_INFO_SHA1, &keyid))
 				{
diff --git a/src/pluto/certs.h b/src/pluto/certs.h
index 21e856a3c..b31c4c3ed 100644
--- a/src/pluto/certs.h
+++ b/src/pluto/certs.h
@@ -65,8 +65,6 @@ extern const cert_t cert_empty;
  */
 extern bool no_cr_send;
 
-extern private_key_t* load_private_key(char* filename, prompt_pass_t *pass,
-									   key_type_t type);
 extern cert_t* load_cert(char *filename, const char *label, x509_flag_t flags);
 extern cert_t* load_host_cert(char *filename);
 extern cert_t* load_ca_cert(char *filename);
diff --git a/src/pluto/connections.c b/src/pluto/connections.c
index e1f47f2d6..9f277e135 100644
--- a/src/pluto/connections.c
+++ b/src/pluto/connections.c
@@ -297,6 +297,7 @@ void delete_connection(connection_t *c, bool relations)
 {
 	modecfg_attribute_t *ca;
 	connection_t *old_cur_connection;
+	identification_t *client_id;
 
 	old_cur_connection = cur_connection == c? NULL : cur_connection;
 #ifdef DEBUG
@@ -367,12 +368,14 @@ void delete_connection(connection_t *c, bool relations)
 		free(c->spd.that.virt);
 	}
 
+	client_id = (c->xauth_identity) ? c->xauth_identity : c->spd.that.id;
+
 	/* release virtual IP address lease if any */
 	if (c->spd.that.modecfg && c->spd.that.pool &&
 		!c->spd.that.host_srcip->is_anyaddr(c->spd.that.host_srcip))
 	{
 		hydra->attributes->release_address(hydra->attributes, c->spd.that.pool,
-										   c->spd.that.host_srcip, c->spd.that.id);
+										   c->spd.that.host_srcip, client_id);
 	}
 
 	/* release requested attributes if any */
@@ -388,7 +391,7 @@ void delete_connection(connection_t *c, bool relations)
 		while (c->attributes->remove_last(c->attributes, (void **)&ca) == SUCCESS)
 		{
 			hydra->attributes->release(hydra->attributes, ca->handler,
-									   c->spd.that.id, ca->type, ca->value);
+									   client_id, ca->type, ca->value);
 			modecfg_attribute_destroy(ca);
 		}
 		c->attributes->destroy(c->attributes);
@@ -536,7 +539,7 @@ void check_orientations(void)
 				for (hp = host_pairs; hp != NULL; hp = hp->next)
 				{
 					if (sameaddr(&hp->him.addr, &i->addr)
-					&& (!no_klips || hp->him.port == pluto_port))
+						&& hp->him.port == pluto_port)
 					{
 						/* bad news: the whole chain of connections
 						 * hanging off this host pair has both sides
@@ -871,7 +874,8 @@ static void load_end_certificate(char *filename, struct end *dst)
 		/* cache the certificate that was last retrieved from the smartcard */
 		if (dst->sc)
 		{
-			if (!certificate->equals(certificate, dst->sc->last_cert->cert))
+			if (!dst->sc->last_cert ||
+			    !certificate->equals(certificate, dst->sc->last_cert->cert))
 			{
 				lock_certs_and_keys("load_end_certificates");
 				cert_release(dst->sc->last_cert);
@@ -1077,7 +1081,7 @@ void add_connection(const whack_message_t *wm)
 		if ((c->policy & POLICY_COMPRESS) && !can_do_IPcomp)
 		{
 			loglog(RC_COMMENT
-				, "ignoring --compress in \"%s\" because KLIPS is not configured to do IPCOMP"
+				, "ignoring --compress in \"%s\" because kernel does not support IPCOMP"
 				, c->name);
 		}
 
@@ -1191,7 +1195,12 @@ void add_connection(const whack_message_t *wm)
 		}
 
 		c->spd.next = NULL;
-		c->spd.reqid = gen_reqid();
+		c->spd.reqid = wm->reqid ?: gen_reqid();
+
+		c->spd.mark_in.value = wm->mark_in.value;
+		c->spd.mark_in.mask = wm->mark_in.mask;
+		c->spd.mark_out.value = wm->mark_out.value;
+		c->spd.mark_out.mask = wm->mark_out.mask;
 
 		/* set internal fields */
 		c->instance_serial = 0;
@@ -1884,7 +1893,7 @@ bool orient(connection_t *c)
 				{
 					/* check if this interface matches this end */
 					if (sameaddr(&sr->this.host_addr, &p->addr)
-					&& (!no_klips || sr->this.host_port == pluto_port))
+						&& sr->this.host_port == pluto_port)
 					{
 						if (oriented(*c))
 						{
@@ -1903,7 +1912,7 @@ bool orient(connection_t *c)
 
 					/* done with this interface if it doesn't match that end */
 					if (!(sameaddr(&sr->that.host_addr, &p->addr)
-					&& (!no_klips || sr->that.host_port == pluto_port)))
+						&& sr->that.host_port == pluto_port))
 						break;
 
 					/* swap ends and try again.
@@ -2146,27 +2155,6 @@ static void cannot_oppo(connection_t *c, struct find_oppo_bundle *b, err_t ugh)
 		}
 		return;
 	}
-
-#ifdef KLIPS
-	if (b->held)
-	{
-		/* Replace HOLD with b->failure_shunt.
-		 * If no b->failure_shunt specified, use SPI_PASS -- THIS MAY CHANGE.
-		 */
-		if (b->failure_shunt == 0)
-		{
-			DBG(DBG_OPPO, DBG_log("no explicit failure shunt for %s to %s; installing %%pass"
-								  , ocb, pcb));
-		}
-
-		(void) replace_bare_shunt(&b->our_client, &b->peer_client
-			, b->policy_prio
-			, b->failure_shunt
-			, b->failure_shunt != 0
-			, b->transport_proto
-			, ugh);
-	}
-#endif
 }
 
 static void initiate_opportunistic_body(struct find_oppo_bundle *b
@@ -2203,16 +2191,6 @@ static void continue_oppo(struct adns_continuation *acr, err_t ugh)
 	 */
 	whack_log_fd = whackfd;
 
-#ifdef KLIPS
-	/* Discover and record whether %hold has gone away.
-	 * This could have happened while we were awaiting DNS.
-	 * We must check BEFORE any call to cannot_oppo.
-	 */
-	if (was_held)
-		cr->b.held = has_bare_hold(&cr->b.our_client, &cr->b.peer_client
-			, cr->b.transport_proto);
-#endif
-
 #ifdef DEBUG
 	/* if we're going to ignore the error, at least note it in debugging log */
 	if (cr->b.failure_ok && ugh)
@@ -2424,7 +2402,7 @@ static void initiate_opportunistic_body(struct find_oppo_bundle *b,
 		/* We've found a connection that can serve.
 		 * Do we have to initiate it?
 		 * Not if there is currently an IPSEC SA.
-		 * But if there is an IPSEC SA, then KLIPS would not
+		 * But if there is an IPSEC SA, then the kernel would not
 		 * have generated the acquire.  So we assume that there isn't one.
 		 * This may be redundant if a non-opportunistic
 		 * negotiation is already being attempted.
@@ -2445,13 +2423,11 @@ static void initiate_opportunistic_body(struct find_oppo_bundle *b,
 		/* otherwise, there is some kind of static conn that can handle
 		 * this connection, so we initiate it */
 
-#ifdef KLIPS
 		if (b->held)
 		{
 			/* what should we do on failure? */
 			(void) assign_hold(c, sr, b->transport_proto, &b->our_client, &b->peer_client);
 		}
-#endif
 		ipsecdoi_initiate(b->whackfd, c, c->policy, 1, SOS_NOBODY);
 		b->whackfd = NULL_FD;   /* protect from close */
 	}
@@ -2816,21 +2792,6 @@ static void initiate_opportunistic_body(struct find_oppo_bundle *b,
 							"no suitable connection for opportunism "
 							"between %s and %s with %Y as peer",
 							 ocb, pcb, ac->gateways_from_dns->gw_id);
-
-#ifdef KLIPS
-					if (b->held)
-					{
-						/* Replace HOLD with PASS.
-						 * The type of replacement *ought* to be
-						 * specified by policy.
-						 */
-						(void) replace_bare_shunt(&b->our_client, &b->peer_client
-							, BOTTOM_PRIO
-							, SPI_PASS  /* fail into PASS */
-							, TRUE, b->transport_proto
-							, "no suitable connection");
-					}
-#endif
 				}
 				else
 				{
@@ -2839,7 +2800,6 @@ static void initiate_opportunistic_body(struct find_oppo_bundle *b,
 					passert(c->gw_info != NULL);
 					passert(HAS_IPSEC_POLICY(c->policy));
 					passert(LHAS(LELEM(RT_UNROUTED) | LELEM(RT_ROUTED_PROSPECTIVE), c->spd.routing));
-#ifdef KLIPS
 					if (b->held)
 					{
 						/* what should we do on failure? */
@@ -2847,7 +2807,6 @@ static void initiate_opportunistic_body(struct find_oppo_bundle *b,
 										   , b->transport_proto
 										   , &b->our_client, &b->peer_client);
 					}
-#endif
 					c->gw_info->key->last_tried_time = now();
 					ipsecdoi_initiate(b->whackfd, c, c->policy, 1, SOS_NOBODY);
 					b->whackfd = NULL_FD;       /* protect from close */
@@ -3161,6 +3120,10 @@ connection_t *route_owner(connection_t *c, struct spd_route **srp,
 				{
 					continue;
 				}
+				if (src->mark_out.value != srd->mark_out.value)
+				{
+					continue;
+				}
 				passert(oriented(*d));
 				if (srd->routing > best_routing)
 				{
@@ -3181,6 +3144,10 @@ connection_t *route_owner(connection_t *c, struct spd_route **srp,
 				{
 					continue;
 				}
+				if (src->mark_in.value != srd->mark_in.value)
+				{
+					continue;
+				}
 				if (srd->routing > best_erouting)
 				{
 					best_ero = d;
diff --git a/src/pluto/connections.h b/src/pluto/connections.h
index b67f0b562..e3775fcb0 100644
--- a/src/pluto/connections.h
+++ b/src/pluto/connections.h
@@ -168,6 +168,8 @@ struct spd_route {
 	so_serial_t eroute_owner;
 	enum routing_t routing;     /* level of routing in place */
 	uint32_t reqid;
+	mark_t mark_in;
+	mark_t mark_out;
 };
 
 typedef struct connection connection_t;
@@ -294,7 +296,7 @@ extern connection_t* find_connection_for_clients(struct spd_route **srp,
 												 const ip_address *peer_client,
 												 int transport_proto);
 extern void get_peer_ca_and_groups(connection_t *c,
-								   identification_t **peer_ca, 
+								   identification_t **peer_ca,
 								   ietf_attributes_t **peer_attributes);
 
 /* instantiating routines
diff --git a/src/pluto/constants.c b/src/pluto/constants.c
index 63a37009b..ec7bfaf78 100644
--- a/src/pluto/constants.c
+++ b/src/pluto/constants.c
@@ -77,7 +77,6 @@ ENUM(dpd_action_names, DPD_ACTION_NONE, DPD_ACTION_RESTART,
 ENUM(timer_event_names, EVENT_NULL, EVENT_LOG_DAILY,
 	"EVENT_NULL",
 	"EVENT_REINIT_SECRET",
-	"EVENT_SHUNT_SCAN",
 	"EVENT_SO_DISCARD",
 	"EVENT_RETRANSMIT",
 	"EVENT_SA_REPLACE",
@@ -112,7 +111,7 @@ const char *const debug_bit_names[] = {
 	"emitting",
 	"control",
 	"lifecycle",
-	"klips",
+	"kernel",
 	"dns",
 	"natt",
 	"oppo",
@@ -132,6 +131,8 @@ const char *const debug_bit_names[] = {
 /* State of exchanges */
 
 static const char *const state_name[] = {
+	"STATE_UNDEFINED",
+
 	"STATE_MAIN_R0",
 	"STATE_MAIN_I1",
 	"STATE_MAIN_R1",
@@ -171,11 +172,12 @@ static const char *const state_name[] = {
 };
 
 enum_names state_names =
-	{ STATE_MAIN_R0, STATE_IKE_ROOF-1, state_name, NULL };
+	{ STATE_UNDEFINED, STATE_IKE_ROOF-1, state_name, NULL };
 
 /* story for state */
 
 const char *const state_story[] = {
+	"undefined state after error",			 /* STATE_UNDEFINED */
 	"expecting MI1",                         /* STATE_MAIN_R0 */
 	"sent MI1, expecting MR1",               /* STATE_MAIN_I1 */
 	"sent MR1, expecting MI2",               /* STATE_MAIN_R1 */
@@ -411,7 +413,7 @@ enum_names esp_transform_names =
 
 static const char *const ipcomp_transform_name[] = {
 	"IPCOMP_OUI",
-	"IPCOMP_DEFLAT",
+	"IPCOMP_DEFLATE",
 	"IPCOMP_LZS",
 	"IPCOMP_LZJH",
 };
diff --git a/src/pluto/constants.h b/src/pluto/constants.h
index 790bbefa6..075579d6d 100644
--- a/src/pluto/constants.h
+++ b/src/pluto/constants.h
@@ -18,6 +18,8 @@
 
 #include <freeswan.h>
 
+#include <kernel/kernel_ipsec.h>
+
 #include <utils.h>
 #include <utils/identification.h>
 #include <crypto/hashers/hasher.h>
@@ -193,16 +195,9 @@ extern enum_names esp_transform_names;
 
 /* IPCOMP transform values
  * RFC2407 The Internet IP security Domain of Interpretation for ISAKMP 4.4.5
+ * now defined in kernel/kernel_ipsec.h
  */
 
-enum ipsec_comp_algo {
-	IPSCOMP_NONE   = 0,
-	IPCOMP_OUI     = 1,
-	IPCOMP_DEFLATE = 2,
-	IPCOMP_LZS     = 3,
-	IPCOMP_LZJH    = 4
-};
-
 extern enum_names ipcomp_transformid_names;
 
 /* Certificate type values
@@ -251,9 +246,6 @@ extern enum_name_t *timer_event_names;
 enum event_type {
 	EVENT_NULL, /* non-event */
 	EVENT_REINIT_SECRET,        /* Refresh cookie secret */
-#ifdef KLIPS
-	EVENT_SHUNT_SCAN,           /* scan shunt eroutes known to kernel */
-#endif
 	EVENT_SO_DISCARD,           /* discard unfinished state object */
 	EVENT_RETRANSMIT,           /* Retransmit packet */
 	EVENT_SA_REPLACE,           /* SA replacement event */
@@ -325,7 +317,7 @@ extern const char *const debug_bit_names[];
 #define DBG_EMITTING    LELEM(3)        /* show encoding of messages */
 #define DBG_CONTROL     LELEM(4)        /* control flow within Pluto */
 #define DBG_LIFECYCLE   LELEM(5)        /* SA lifecycle */
-#define DBG_KLIPS       LELEM(6)        /* messages to KLIPS */
+#define DBG_KERNEL      LELEM(6)        /* messages to kernel */
 #define DBG_DNS         LELEM(7)        /* DNS activity */
 #define DBG_NATT        LELEM(8)        /* NAT-T */
 #define DBG_OPPO        LELEM(9)        /* opportunism */
@@ -376,11 +368,6 @@ extern const char *const state_story[];
 enum state_kind {
 	STATE_UNDEFINED,    /* 0 -- most likely accident */
 
-	/*  Opportunism states: see "Opportunistic Encryption" 2.2 */
-
-	OPPO_ACQUIRE,       /* got an ACQUIRE message for this pair */
-	OPPO_GW_DISCOVERED, /* got TXT specifying gateway */
-
 	/* IKE states */
 
 	STATE_MAIN_R0,
diff --git a/src/pluto/crypto.c b/src/pluto/crypto.c
index a62e7632d..0684de618 100644
--- a/src/pluto/crypto.c
+++ b/src/pluto/crypto.c
@@ -1,6 +1,10 @@
 /* crypto interfaces
+ *
+ * Copyright (C) 2010 Tobias Brunner
+ * Copyright (C) 2007-2009 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
  * Copyright (C) 1998-2001 D. Hugh Redelmeier
- * Copyright (C) 2007-2009 Andreas Steffen - Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -26,10 +30,10 @@ static struct encrypt_desc encrypt_desc_3des =
 	algo_id:         OAKLEY_3DES_CBC,
 	algo_next:       NULL,
 
-	enc_blocksize:	 DES_BLOCK_SIZE,
-	keydeflen:		 DES_BLOCK_SIZE * 3 * BITS_PER_BYTE,
-	keyminlen:		 DES_BLOCK_SIZE * 3 * BITS_PER_BYTE,
-	keymaxlen:		 DES_BLOCK_SIZE * 3 * BITS_PER_BYTE,
+	enc_blocksize:   DES_BLOCK_SIZE,
+	keydeflen:       DES_BLOCK_SIZE * 3 * BITS_PER_BYTE,
+	keyminlen:       DES_BLOCK_SIZE * 3 * BITS_PER_BYTE,
+	keymaxlen:       DES_BLOCK_SIZE * 3 * BITS_PER_BYTE,
 };
 
 #define  AES_KEY_MIN_LEN	128
@@ -38,14 +42,14 @@ static struct encrypt_desc encrypt_desc_3des =
 
 static struct encrypt_desc encrypt_desc_aes =
 {
-	algo_type: 	     IKE_ALG_ENCRYPT,
-	algo_id:   	     OAKLEY_AES_CBC,
-	algo_next: 	     NULL,
-
-	enc_blocksize: 	 AES_BLOCK_SIZE,
-	keyminlen: 		 AES_KEY_MIN_LEN,
-	keydeflen: 		 AES_KEY_DEF_LEN,
-	keymaxlen: 		 AES_KEY_MAX_LEN,
+	algo_type:       IKE_ALG_ENCRYPT,
+	algo_id:         OAKLEY_AES_CBC,
+	algo_next:       NULL,
+
+	enc_blocksize:   AES_BLOCK_SIZE,
+	keyminlen:       AES_KEY_MIN_LEN,
+	keydeflen:       AES_KEY_DEF_LEN,
+	keymaxlen:       AES_KEY_MAX_LEN,
 };
 
 #define  CAMELLIA_KEY_MIN_LEN	128
@@ -54,14 +58,14 @@ static struct encrypt_desc encrypt_desc_aes =
 
 static struct encrypt_desc encrypt_desc_camellia =
 {
-	algo_type: 	     IKE_ALG_ENCRYPT,
-	algo_id:   	     OAKLEY_CAMELLIA_CBC,
-	algo_next: 	     NULL,
-
-	enc_blocksize: 	 CAMELLIA_BLOCK_SIZE,
-	keyminlen: 		 CAMELLIA_KEY_MIN_LEN,
-	keydeflen: 		 CAMELLIA_KEY_DEF_LEN,
-	keymaxlen: 		 CAMELLIA_KEY_MAX_LEN,
+	algo_type:       IKE_ALG_ENCRYPT,
+	algo_id:         OAKLEY_CAMELLIA_CBC,
+	algo_next:       NULL,
+
+	enc_blocksize:   CAMELLIA_BLOCK_SIZE,
+	keyminlen:       CAMELLIA_KEY_MIN_LEN,
+	keydeflen:       CAMELLIA_KEY_DEF_LEN,
+	keymaxlen:       CAMELLIA_KEY_MAX_LEN,
 };
 
 #define  BLOWFISH_KEY_MIN_LEN	128
@@ -73,10 +77,10 @@ static struct encrypt_desc encrypt_desc_blowfish =
 	algo_id:         OAKLEY_BLOWFISH_CBC,
 	algo_next:       NULL,
 
-	enc_blocksize:	 BLOWFISH_BLOCK_SIZE,
-	keyminlen:		 BLOWFISH_KEY_MIN_LEN,
-	keydeflen:		 BLOWFISH_KEY_MIN_LEN,
-	keymaxlen:		 BLOWFISH_KEY_MAX_LEN,
+	enc_blocksize:   BLOWFISH_BLOCK_SIZE,
+	keyminlen:       BLOWFISH_KEY_MIN_LEN,
+	keydeflen:       BLOWFISH_KEY_MIN_LEN,
+	keymaxlen:       BLOWFISH_KEY_MAX_LEN,
 };
 
 #define  SERPENT_KEY_MIN_LEN	128
@@ -85,14 +89,14 @@ static struct encrypt_desc encrypt_desc_blowfish =
 
 static struct encrypt_desc encrypt_desc_serpent =
 {
-	algo_type: 	    IKE_ALG_ENCRYPT,
-	algo_id:   	    OAKLEY_SERPENT_CBC,
-	algo_next: 	    NULL,
+	algo_type:       IKE_ALG_ENCRYPT,
+	algo_id:         OAKLEY_SERPENT_CBC,
+	algo_next:       NULL,
 
 	enc_blocksize:   SERPENT_BLOCK_SIZE,
-	keyminlen:		 SERPENT_KEY_MIN_LEN,
-	keydeflen:		 SERPENT_KEY_DEF_LEN,
-	keymaxlen:		 SERPENT_KEY_MAX_LEN,
+	keyminlen:       SERPENT_KEY_MIN_LEN,
+	keydeflen:       SERPENT_KEY_DEF_LEN,
+	keymaxlen:       SERPENT_KEY_MAX_LEN,
 };
 
 #define  TWOFISH_KEY_MIN_LEN	128
@@ -101,62 +105,62 @@ static struct encrypt_desc encrypt_desc_serpent =
 
 static struct encrypt_desc encrypt_desc_twofish =
 {
-	algo_type: 	     IKE_ALG_ENCRYPT,
-	algo_id:   	     OAKLEY_TWOFISH_CBC,
-	algo_next: 	     NULL,
-
-	enc_blocksize:	 TWOFISH_BLOCK_SIZE,
-	keydeflen:		 TWOFISH_KEY_MIN_LEN,
-	keyminlen:		 TWOFISH_KEY_DEF_LEN,
-	keymaxlen:		 TWOFISH_KEY_MAX_LEN,
+	algo_type:       IKE_ALG_ENCRYPT,
+	algo_id:         OAKLEY_TWOFISH_CBC,
+	algo_next:       NULL,
+
+	enc_blocksize:   TWOFISH_BLOCK_SIZE,
+	keydeflen:       TWOFISH_KEY_MIN_LEN,
+	keyminlen:       TWOFISH_KEY_DEF_LEN,
+	keymaxlen:       TWOFISH_KEY_MAX_LEN,
 };
 
 static struct encrypt_desc encrypt_desc_twofish_ssh =
 {
-	algo_type: 	     IKE_ALG_ENCRYPT,
-	algo_id:   	     OAKLEY_TWOFISH_CBC_SSH,
-	algo_next: 	     NULL,
-
-	enc_blocksize:	 TWOFISH_BLOCK_SIZE,
-	keydeflen:		 TWOFISH_KEY_MIN_LEN,
-	keyminlen:		 TWOFISH_KEY_DEF_LEN,
-	keymaxlen:		 TWOFISH_KEY_MAX_LEN,
+	algo_type:       IKE_ALG_ENCRYPT,
+	algo_id:         OAKLEY_TWOFISH_CBC_SSH,
+	algo_next:       NULL,
+
+	enc_blocksize:   TWOFISH_BLOCK_SIZE,
+	keydeflen:       TWOFISH_KEY_MIN_LEN,
+	keyminlen:       TWOFISH_KEY_DEF_LEN,
+	keymaxlen:       TWOFISH_KEY_MAX_LEN,
 };
 
 static struct hash_desc hash_desc_md5 =
 {
-	algo_type: IKE_ALG_HASH,
-	algo_id:   OAKLEY_MD5,
-	algo_next: NULL,
+	algo_type:        IKE_ALG_HASH,
+	algo_id:          OAKLEY_MD5,
+	algo_next:        NULL,
 	hash_digest_size: HASH_SIZE_MD5,
 };
 
 static struct hash_desc hash_desc_sha1 =
 {
-	algo_type: IKE_ALG_HASH,
-	algo_id:   OAKLEY_SHA,
-	algo_next: NULL,
+	algo_type:        IKE_ALG_HASH,
+	algo_id:          OAKLEY_SHA,
+	algo_next:        NULL,
 	hash_digest_size: HASH_SIZE_SHA1,
 };
 
 static struct hash_desc hash_desc_sha2_256 = {
-	algo_type: IKE_ALG_HASH,
-	algo_id:   OAKLEY_SHA2_256,
-	algo_next: NULL,
+	algo_type:        IKE_ALG_HASH,
+	algo_id:          OAKLEY_SHA2_256,
+	algo_next:        NULL,
 	hash_digest_size: HASH_SIZE_SHA256,
 };
 
 static struct hash_desc hash_desc_sha2_384 = {
-	algo_type: IKE_ALG_HASH,
-	algo_id:   OAKLEY_SHA2_384,
-	algo_next: NULL,
+	algo_type:        IKE_ALG_HASH,
+	algo_id:          OAKLEY_SHA2_384,
+	algo_next:        NULL,
 	hash_digest_size: HASH_SIZE_SHA384,
 };
 
 static struct hash_desc hash_desc_sha2_512 = {
-	algo_type: IKE_ALG_HASH,
-	algo_id:   OAKLEY_SHA2_512,
-	algo_next: NULL,
+	algo_type:        IKE_ALG_HASH,
+	algo_id:          OAKLEY_SHA2_512,
+	algo_next:        NULL,
 	hash_digest_size: HASH_SIZE_SHA512,
 };
 
@@ -517,108 +521,118 @@ signature_scheme_t oakley_to_signature_scheme(int method)
 	}
 }
 
+/**
+ * Table to map IKEv2 encryption algorithms to IKEv1 (or IKEv1 ESP) and back
+ */
+struct {
+	encryption_algorithm_t alg;
+	int oakley;
+	int esp;
+} encr_map[] = {
+	{ENCR_DES,                OAKLEY_DES_CBC,         ESP_DES       },
+	{ENCR_3DES,               OAKLEY_3DES_CBC,        ESP_3DES      },
+	{ENCR_RC5,                OAKLEY_RC5_R16_B64_CBC, ESP_RC5       },
+	{ENCR_IDEA,               OAKLEY_IDEA_CBC,        ESP_IDEA      },
+	{ENCR_CAST,               OAKLEY_CAST_CBC,        ESP_CAST      },
+	{ENCR_BLOWFISH,           OAKLEY_BLOWFISH_CBC,    ESP_BLOWFISH  },
+	{ENCR_AES_CBC,            OAKLEY_AES_CBC,         ESP_AES       },
+	{ENCR_CAMELLIA_CBC,       OAKLEY_CAMELLIA_CBC,    ESP_CAMELLIA  },
+	{ENCR_SERPENT_CBC,        OAKLEY_SERPENT_CBC,     ESP_SERPENT   },
+	{ENCR_TWOFISH_CBC,        OAKLEY_TWOFISH_CBC,     ESP_TWOFISH   },
+	{ENCR_NULL,               0,                      ESP_NULL      },
+	{ENCR_AES_CTR,            0,                      ESP_AES_CTR   },
+	{ENCR_AES_CCM_ICV8,       0,                      ESP_AES_CCM_8 },
+	{ENCR_AES_CCM_ICV12,      0,                      ESP_AES_CCM_12},
+	{ENCR_AES_CCM_ICV16,      0,                      ESP_AES_CCM_16},
+	{ENCR_AES_GCM_ICV8,       0,                      ESP_AES_GCM_8 },
+	{ENCR_AES_GCM_ICV12,      0,                      ESP_AES_GCM_12},
+	{ENCR_AES_GCM_ICV16,      0,                      ESP_AES_GCM_16},
+	{ENCR_NULL_AUTH_AES_GMAC, 0,                      ESP_AES_GMAC  },
+};
+
 /**
  * Converts IKEv2 encryption to IKEv1 encryption algorithm
  */
 int oakley_from_encryption_algorithm(encryption_algorithm_t alg)
 {
-	switch (alg)
+	int i;
+	for (i = 0; i < countof(encr_map); i++)
 	{
-		case ENCR_DES:
-			return OAKLEY_DES_CBC;
-		case ENCR_3DES:
-			return OAKLEY_3DES_CBC;
-		case ENCR_RC5:
-			return OAKLEY_RC5_R16_B64_CBC;
-		case ENCR_IDEA:
-			return OAKLEY_IDEA_CBC;
-		case ENCR_CAST:
-			return OAKLEY_CAST_CBC;
-		case ENCR_BLOWFISH:
-			return OAKLEY_BLOWFISH_CBC;
-		case ENCR_AES_CBC:
-			return OAKLEY_AES_CBC;
-		case ENCR_CAMELLIA_CBC:
-			return OAKLEY_CAMELLIA_CBC;
-		case ENCR_SERPENT_CBC:
-			return OAKLEY_SERPENT_CBC;
-	case ENCR_TWOFISH_CBC:
-			return OAKLEY_TWOFISH_CBC;
-		default:
-			return 0;
+		if (encr_map[i].alg == alg)
+		{
+			return encr_map[i].oakley;
+		}
 	}
+	return 0;
 }
 
 /**
- * Converts IKEv2 integrity to IKEv1 hash algorithm
+ * Converts IKEv2 encryption to IKEv1 ESP encryption algorithm
  */
-int oakley_from_integrity_algorithm(integrity_algorithm_t alg)
+int esp_from_encryption_algorithm(encryption_algorithm_t alg)
 {
-	switch (alg)
+	int i;
+	for (i = 0; i < countof(encr_map); i++)
 	{
-		case AUTH_HMAC_MD5_96:
-			return OAKLEY_MD5;
-		case AUTH_HMAC_SHA1_96:
-			return OAKLEY_SHA;
-		case AUTH_HMAC_SHA2_256_128:
-			return OAKLEY_SHA2_256;
-		case AUTH_HMAC_SHA2_384_192:
-			return OAKLEY_SHA2_384;
-		case AUTH_HMAC_SHA2_512_256:
-			return OAKLEY_SHA2_512;
-		default:
-			return 0;
+		if (encr_map[i].alg == alg)
+		{
+			return encr_map[i].esp;
+		}
 	}
+	return 0;
 }
 
 /**
- * Converts IKEv2 encryption to IKEv1 ESP encryption algorithm
+ * Converts IKEv1 ESP encryption to IKEv2 algorithm
  */
-int esp_from_encryption_algorithm(encryption_algorithm_t alg)
+encryption_algorithm_t encryption_algorithm_from_esp(int esp)
 {
-	switch (alg)
+	int i;
+	for (i = 0; i < countof(encr_map); i++)
 	{
-		case ENCR_DES:
-			return ESP_DES;
-		case ENCR_3DES:
-			return ESP_3DES;
-		case ENCR_RC5:
-			return ESP_RC5;
-		case ENCR_IDEA:
-			return ESP_IDEA;
-		case ENCR_CAST:
-			return ESP_CAST;
-		case ENCR_BLOWFISH:
-			return ESP_BLOWFISH;
-		case ENCR_NULL:
-			return ESP_NULL;
-		case ENCR_AES_CBC:
-			return ESP_AES;
-		case ENCR_AES_CTR:
-			return ESP_AES_CTR;
-		case ENCR_AES_CCM_ICV8:
-			return ESP_AES_CCM_8;
-		case ENCR_AES_CCM_ICV12:
-			return ESP_AES_CCM_12;
-		case ENCR_AES_CCM_ICV16:
-			return ESP_AES_CCM_16;
-		case ENCR_AES_GCM_ICV8:
-			return ESP_AES_GCM_8;
-		case ENCR_AES_GCM_ICV12:
-			return ESP_AES_GCM_12;
-		case ENCR_AES_GCM_ICV16:
-			return ESP_AES_GCM_16;
-		case ENCR_CAMELLIA_CBC:
-			return ESP_CAMELLIA;
-		case ENCR_NULL_AUTH_AES_GMAC:
-			return ESP_AES_GMAC;
-		case ENCR_SERPENT_CBC:
-			return ESP_SERPENT;
-		case ENCR_TWOFISH_CBC:
-			return ESP_TWOFISH;
-		default:
-			return 0;
+		if (encr_map[i].esp == esp)
+		{
+			return encr_map[i].alg;
+		}
+	}
+	return 0;
+}
+
+/**
+ * Table to map IKEv2 integrity algorithms to IKEv1 (or IKEv1 ESP) and back
+ */
+struct {
+	integrity_algorithm_t alg;
+	int oakley;
+	int esp;
+} auth_map[] = {
+	{AUTH_HMAC_MD5_96,       OAKLEY_MD5,      AUTH_ALGORITHM_HMAC_MD5        },
+	{AUTH_HMAC_SHA1_96,      OAKLEY_SHA,      AUTH_ALGORITHM_HMAC_SHA1       },
+	{AUTH_HMAC_SHA2_256_96,  0,               AUTH_ALGORITHM_HMAC_SHA2_256_96},
+	{AUTH_HMAC_SHA2_256_128, OAKLEY_SHA2_256, AUTH_ALGORITHM_HMAC_SHA2_256   },
+	{AUTH_HMAC_SHA2_384_192, OAKLEY_SHA2_384, AUTH_ALGORITHM_HMAC_SHA2_384   },
+	{AUTH_HMAC_SHA2_512_256, OAKLEY_SHA2_512, AUTH_ALGORITHM_HMAC_SHA2_512   },
+	{AUTH_AES_XCBC_96,       0,               AUTH_ALGORITHM_AES_XCBC_MAC    },
+	{AUTH_AES_128_GMAC,      0,               AUTH_ALGORITHM_AES_128_GMAC    },
+	{AUTH_AES_192_GMAC,      0,               AUTH_ALGORITHM_AES_192_GMAC    },
+	{AUTH_AES_256_GMAC,      0,               AUTH_ALGORITHM_AES_256_GMAC    },
+};
+
+
+/**
+ * Converts IKEv2 integrity to IKEv1 hash algorithm
+ */
+int oakley_from_integrity_algorithm(integrity_algorithm_t alg)
+{
+	int i;
+	for (i = 0; i < countof(auth_map); i++)
+	{
+		if (auth_map[i].alg == alg)
+		{
+			return auth_map[i].oakley;
+		}
 	}
+	return 0;
 }
 
 /**
@@ -626,29 +640,30 @@ int esp_from_encryption_algorithm(encryption_algorithm_t alg)
  */
 int esp_from_integrity_algorithm(integrity_algorithm_t alg)
 {
-	switch (alg)
+	int i;
+	for (i = 0; i < countof(auth_map); i++)
 	{
-		case AUTH_HMAC_MD5_96:
-			return AUTH_ALGORITHM_HMAC_MD5;
-		case AUTH_HMAC_SHA1_96:
-			return AUTH_ALGORITHM_HMAC_SHA1;
-		case AUTH_AES_XCBC_96:
-			return AUTH_ALGORITHM_AES_XCBC_MAC;
-		case AUTH_HMAC_SHA2_256_96:
-			return AUTH_ALGORITHM_HMAC_SHA2_256_96;
-		case AUTH_HMAC_SHA2_256_128:
-			return AUTH_ALGORITHM_HMAC_SHA2_256;
-		case AUTH_HMAC_SHA2_384_192:
-			return AUTH_ALGORITHM_HMAC_SHA2_384;
-		case AUTH_HMAC_SHA2_512_256:
-			return AUTH_ALGORITHM_HMAC_SHA2_512;
-		case AUTH_AES_128_GMAC:
-			return AUTH_ALGORITHM_AES_128_GMAC;
-		case AUTH_AES_192_GMAC:
-			return AUTH_ALGORITHM_AES_192_GMAC;
-		case AUTH_AES_256_GMAC:
-			return AUTH_ALGORITHM_AES_256_GMAC;
-		default:
-			return 0;
+		if (auth_map[i].alg == alg)
+		{
+			return auth_map[i].esp;
+		}
 	}
+	return 0;
 }
+
+/**
+ * Converts IKEv1 ESP authentication to IKEv2 integrity algorithm
+ */
+integrity_algorithm_t integrity_algorithm_from_esp(int esp)
+{
+	int i;
+	for (i = 0; i < countof(auth_map); i++)
+	{
+		if (auth_map[i].esp == esp)
+		{
+			return auth_map[i].alg;
+		}
+	}
+	return 0;
+}
+
diff --git a/src/pluto/crypto.h b/src/pluto/crypto.h
index 019ba5764..16ad12780 100644
--- a/src/pluto/crypto.h
+++ b/src/pluto/crypto.h
@@ -1,4 +1,9 @@
 /* crypto interfaces
+ *
+ * Copyright (C) 2010 Tobias Brunner
+ * Copyright (C) 2009 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
  * Copyright (C) 1998, 1999  D. Hugh Redelmeier.
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -54,4 +59,6 @@ extern int oakley_from_encryption_algorithm(encryption_algorithm_t alg);
 extern int oakley_from_integrity_algorithm(integrity_algorithm_t alg);
 extern int esp_from_encryption_algorithm(encryption_algorithm_t alg);
 extern int esp_from_integrity_algorithm(integrity_algorithm_t alg);
+extern encryption_algorithm_t encryption_algorithm_from_esp(int esp);
+extern integrity_algorithm_t integrity_algorithm_from_esp(int esp);
 
diff --git a/src/pluto/defs.h b/src/pluto/defs.h
index 8491f4ae8..532652e5b 100644
--- a/src/pluto/defs.h
+++ b/src/pluto/defs.h
@@ -21,12 +21,6 @@
 
 #include <chunk.h>
 
-#ifdef KLIPS
-# define USED_BY_KLIPS  /* ignore */
-#else
-# define USED_BY_KLIPS  UNUSED
-#endif
-
 #ifdef DEBUG
 # define USED_BY_DEBUG  /* ignore */
 #else
@@ -66,15 +60,6 @@ extern const char* check_expiry(time_t expiration_date,
 #define MAX_PROMPT_PASS_TRIALS  5
 #define PROMPT_PASS_LEN         64
 
-/* struct used to prompt for a secret passphrase
- * from a console with file descriptor fd
- */
-typedef struct {
-	char secret[PROMPT_PASS_LEN+1];
-	bool prompt;
-	int fd;
-} prompt_pass_t;
-
 /* filter eliminating the directory entries '.' and '..' */
 typedef struct dirent dirent_t;
 extern int file_select(const dirent_t *entry);
diff --git a/src/pluto/demux.c b/src/pluto/demux.c
index 617353c6c..0590a3585 100644
--- a/src/pluto/demux.c
+++ b/src/pluto/demux.c
@@ -1782,7 +1782,7 @@ process_packet(struct msg_digest **mdp)
 		 * the last phase 1 block, not the last block sent.
 		 */
 		{
-			size_t crypter_block_size;
+			size_t crypter_block_size, crypter_iv_size;
 			encryption_algorithm_t enc_alg;
 			crypter_t *crypter;
 			chunk_t data, iv;
@@ -1791,6 +1791,7 @@ process_packet(struct msg_digest **mdp)
 			enc_alg = oakley_to_encryption_algorithm(st->st_oakley.encrypt);
 			crypter = lib->crypto->create_crypter(lib->crypto, enc_alg, st->st_enc_key.len);
 			crypter_block_size = crypter->get_block_size(crypter);
+			crypter_iv_size = crypter->get_iv_size(crypter);
 
 			if (pbs_left(&md->message_pbs) % crypter_block_size != 0)
 			{
@@ -1817,17 +1818,17 @@ process_packet(struct msg_digest **mdp)
 			}
 
 			/* form iv by truncation */
-			st->st_new_iv_len = crypter_block_size;
+			st->st_new_iv_len = crypter_iv_size;
 			iv = chunk_create(st->st_new_iv, st->st_new_iv_len);
-			new_iv = alloca(crypter_block_size);
-			memcpy(new_iv, data.ptr + data.len - crypter_block_size,
-				   crypter_block_size);
+			new_iv = alloca(crypter_iv_size);
+			memcpy(new_iv, data.ptr + data.len - crypter_iv_size,
+				   crypter_iv_size);
 
 			crypter->set_key(crypter, st->st_enc_key);
 			crypter->decrypt(crypter, data, iv, NULL);
 			crypter->destroy(crypter);
 
-		memcpy(st->st_new_iv, new_iv, crypter_block_size);
+			memcpy(st->st_new_iv, new_iv, crypter_iv_size);
 			if (restore_iv)
 			{
 				memcpy(st->st_new_iv, new_iv, new_iv_len);
@@ -2307,7 +2308,7 @@ complete_state_transition(struct msg_digest **mdp, stf_status result)
 
 			/* tell whack and log of progress */
 			{
-				const char *story = state_story[st->st_state - STATE_MAIN_R0];
+				const char *story = state_story[st->st_state];
 				enum rc_type w = RC_NEW_STATE + st->st_state;
 				char sadetails[128];
 
diff --git a/src/pluto/event_queue.c b/src/pluto/event_queue.c
new file mode 100644
index 000000000..55d064f26
--- /dev/null
+++ b/src/pluto/event_queue.c
@@ -0,0 +1,195 @@
+/*
+ * Copyright (C) 2010 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <unistd.h>
+#include <fcntl.h>
+
+#include "event_queue.h"
+
+#include <debug.h>
+#include <threading/mutex.h>
+#include <utils/linked_list.h>
+
+typedef struct private_event_queue_t private_event_queue_t;
+
+/**
+ * Private data of event_queue_t class.
+ */
+struct private_event_queue_t {
+	/**
+	 * Public event_queue_t interface.
+	 */
+	event_queue_t public;
+
+	/**
+	 * List of queued events (event_t*).
+	 */
+	linked_list_t *events;
+
+	/**
+	 * Mutex for event list.
+	 */
+	mutex_t *mutex;
+
+	/**
+	 * Read end of the notification pipe.
+	 */
+	int read_fd;
+
+	/**
+	 * Write end of the notification pipe.
+	 */
+	int write_fd;
+
+};
+
+typedef struct event_t event_t;
+
+struct event_t {
+	/**
+	 * Callback function.
+	 */
+	void (*callback)(void *data);
+
+	/**
+	 * Data to supply to the callback.
+	 */
+	void *data;
+
+	/**
+	 * Cleanup function.
+	 */
+	void (*cleanup)(void *data);
+};
+
+static event_t *event_create(void (*callback)(void *data), void *data,
+							 void (*cleanup)(void *data))
+{
+	event_t *this;
+	INIT(this,
+		.callback = callback,
+		.data = data,
+		.cleanup = cleanup,
+	);
+	return this;
+}
+
+static void event_destroy(event_t *this)
+{
+	if (this->cleanup)
+	{
+		this->cleanup(this->data);
+	}
+	free(this);
+}
+
+METHOD(event_queue_t, get_event_fd, int,
+	   private_event_queue_t *this)
+{
+	return this->read_fd;
+}
+
+METHOD(event_queue_t, handle, void,
+	   private_event_queue_t *this)
+{
+	char buf[10];
+	linked_list_t *events;
+	event_t *event;
+	this->mutex->lock(this->mutex);
+	/* flush pipe */
+	while (read(this->read_fd, &buf, sizeof(buf)) == sizeof(buf));
+	/* replace the list, so we can unlock the mutex while executing the jobs */
+	events = this->events;
+	this->events = linked_list_create();
+	this->mutex->unlock(this->mutex);
+
+	while (events->remove_first(events, (void**)&event) == SUCCESS)
+	{
+		event->callback(event->data);
+		event_destroy(event);
+	}
+	events->destroy(events);
+}
+
+METHOD(event_queue_t, queue, void,
+	   private_event_queue_t *this, void (*callback)(void *data), void *data,
+	   void (*cleanup)(void *data))
+{
+	event_t *event = event_create(callback, data, cleanup);
+	char c = 0;
+	this->mutex->lock(this->mutex);
+	this->events->insert_last(this->events, event);
+	ignore_result(write(this->write_fd, &c, 1));
+	this->mutex->unlock(this->mutex);
+}
+
+METHOD(event_queue_t, destroy, void,
+	   private_event_queue_t *this)
+{
+	this->mutex->lock(this->mutex);
+	this->events->destroy_function(this->events, (void*)event_destroy);
+	this->mutex->unlock(this->mutex);
+	this->mutex->destroy(this->mutex);
+	close(this->read_fd);
+	close(this->write_fd);
+	free(this);
+}
+
+bool set_nonblock(int socket)
+{
+	int flags = fcntl(socket, F_GETFL);
+	return flags != -1 && fcntl(socket, F_SETFL, flags | O_NONBLOCK) != -1;
+}
+
+bool set_cloexec(int socket)
+{
+	int flags = fcntl(socket, F_GETFD);
+	return flags != -1 && fcntl(socket, F_SETFD, flags | FD_CLOEXEC) != -1;
+}
+
+/*
+ * Described in header.
+ */
+event_queue_t *event_queue_create()
+{
+	private_event_queue_t *this;
+	int fd[2];
+
+	INIT(this,
+		.public = {
+			.get_event_fd = _get_event_fd,
+			.handle = _handle,
+			.queue = _queue,
+			.destroy = _destroy,
+		},
+		.events = linked_list_create(),
+		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+	);
+
+	if (pipe(fd) == -1 ||
+		!set_nonblock(fd[0]) || !set_cloexec(fd[0]) ||
+		!set_nonblock(fd[1]) || !set_cloexec(fd[1]))
+	{
+		DBG1(DBG_JOB, "failed to create pipe for job queue");
+		_destroy(this);
+		return NULL;
+	}
+
+	this->read_fd = fd[0];
+	this->write_fd = fd[1];
+
+	return &this->public;
+}
+
diff --git a/src/pluto/event_queue.h b/src/pluto/event_queue.h
new file mode 100644
index 000000000..343729e25
--- /dev/null
+++ b/src/pluto/event_queue.h
@@ -0,0 +1,69 @@
+/*
+ * Copyright (C) 2010 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup event_queue event_queue
+ * @{ @ingroup pluto
+ */
+
+#ifndef EVENT_QUEUE_H_
+#define EVENT_QUEUE_H_
+
+typedef struct event_queue_t event_queue_t;
+
+/**
+ * The event queue facility can be used to synchronize thread-pool threads
+ * with the pluto main thread.  That is, all queued callbacks are executed
+ * asynchronously by the pluto main thread.
+ */
+struct event_queue_t {
+
+	/**
+	 * Returns the file descriptor used to notify the main thread.
+	 *
+	 * @return				fd to use in the main thread
+	 */
+	int (*get_event_fd) (event_queue_t *this);
+
+	/**
+	 * Handle all queued events.
+	 */
+	void (*handle) (event_queue_t *this);
+
+	/**
+	 * Add an event to the queue.
+	 *
+	 * @param callback		callback function to add to the queue
+	 * @param data			data supplied to the callback function
+	 * @param cleanup		optional cleanup function
+	 */
+	void (*queue) (event_queue_t *this, void (*callback)(void *data),
+				   void *data, void (*cleanup)(void *data));
+
+	/**
+	 * Destroy this instance.
+	 */
+	void (*destroy) (event_queue_t *this);
+
+};
+
+/**
+ * Create the event queue.
+ *
+ * @return					created object
+ */
+event_queue_t *event_queue_create();
+
+#endif /** EVENT_QUEUE_H_ @}*/
diff --git a/src/pluto/ike_alg.c b/src/pluto/ike_alg.c
index 7521dd33b..08353907e 100644
--- a/src/pluto/ike_alg.c
+++ b/src/pluto/ike_alg.c
@@ -194,18 +194,16 @@ struct db_context *ike_alg_db_new(connection_t *c, lset_t policy)
 
 		if (policy & POLICY_PUBKEY)
 		{
-			int auth_method = 0;
-			size_t key_size = 0;
+			int auth_method = 0, key_size = 0;
 			key_type_t key_type = KEY_ANY;
 
-
 			if (c->spd.this.cert)
 			{
 				certificate_t *certificate = c->spd.this.cert->cert;
 				public_key_t *key = certificate->get_public_key(certificate);
 
 				if (key == NULL)
-				{				
+				{
 					plog("ike alg: unable to retrieve my public key");
 					continue;
 				}
@@ -233,13 +231,13 @@ struct db_context *ike_alg_db_new(connection_t *c, lset_t policy)
 				case KEY_ECDSA:
 					switch (key_size)
 					{
-						case 32:
+						case 256:
 							auth_method = OAKLEY_ECDSA_256;
 							break;
-						case 48:
+						case 384:
 							auth_method = OAKLEY_ECDSA_384;
 							break;
-						case 66:
+						case 521:
 							auth_method = OAKLEY_ECDSA_521;
 							break;
 						default:
diff --git a/src/pluto/ipsec.secrets.5 b/src/pluto/ipsec.secrets.5
deleted file mode 100644
index 6c39f86e1..000000000
--- a/src/pluto/ipsec.secrets.5
+++ /dev/null
@@ -1,175 +0,0 @@
-.TH IPSEC.SECRETS 5 "2010-05-30" "4.4.1rc3" "strongSwan"
-.SH NAME
-ipsec.secrets \- secrets for IKE/IPsec authentication
-.SH DESCRIPTION
-The file \fIipsec.secrets\fP holds a table of secrets.
-These secrets are used by the strongSwan Internet Key Exchange (IKE) daemons
-pluto (IKEv1) and charon (IKEv2) to authenticate other hosts.
-.LP
-It is vital that these secrets be protected.  The file should be owned
-by the super-user,
-and its permissions should be set to block all access by others.
-.LP
-The file is a sequence of entries and include directives.
-Here is an example.
-.LP
-.RS
-.nf
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-192.168.0.1 %any : PSK "v+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL"
-
-: RSA moonKey.pem
-
-alice@strongswan.org : EAP "x3.dEhgN"
-
-: XAUTH carol "4iChxLT3"
-
-: XAUTH dave "ryftzG4A"
-
-# get secrets from other files
-include ipsec.*.secrets
-.fi
-.RE
-.LP
-Each entry in the file is a list of optional ID selectors, followed by a secret.
-The two parts are separated by a colon (\fB:\fP) that is surrounded
-by whitespace. If no ID selectors are specified the line must start with a
-colon.
-.LP
-A selector is an IP address, a Fully Qualified Domain Name, user@FQDN,
-\fB%any\fP or \fB%any6\fP (other kinds may come).  An IP address may be written
-in the familiar dotted quad form or as a domain name to be looked up
-when the file is loaded.
-In many cases it is a bad idea to use domain names because
-the name server may not be running or may be insecure.  To denote a
-Fully Qualified Domain Name (as opposed to an IP address denoted by
-its domain name), precede the name with an at sign (\fB@\fP).
-.LP
-Matching IDs with selectors is fairly straightforward: they have to be
-equal.  In the case of a ``Road Warrior'' connection, if an equal
-match is not found for the Peer's ID, and it is in the form of an IP
-address, a selector of \fB%any\fP will match the peer's IP address if IPV4
-and \fB%any6\fP will match a the peer's IP address if IPV6.
-Currently, the obsolete notation \fB0.0.0.0\fP may be used in place of
-\fB%any\fP.
-.LP
-In IKEv1 an additional complexity
-arises in the case of authentication by preshared secret: the
-responder will need to look up the secret before the Peer's ID payload has
-been decoded, so the ID used will be the IP address.
-.LP
-To authenticate a connection between two hosts, the entry that most
-specifically matches the host and peer IDs is used.  An entry with no
-selectors will match any host and peer.  More specifically, an entry with one
-selector will match a host and peer if the selector matches the host's ID (the
-peer isn't considered).  Still more specifically, an entry with multiple
-selectors will match a host and peer if the host ID and peer ID each match one
-of the selectors.  If the key is for an asymmetric authentication technique
-(i.e. a public key system such as RSA), an entry with multiple selectors will
-match a host and peer even if only the host ID matches a selector (it is
-presumed that the selectors are all identities of the host).
-It is acceptable for two entries to be the best match as
-long as they agree about the secret or private key.
-.LP
-Authentication by preshared secret requires that both systems find the
-identical secret (the secret is not actually transmitted by the IKE
-protocol).  If both the host and peer appear in the selector list, the
-same entry will be suitable for both systems so verbatim copying
-between systems can be used.  This naturally extends to larger groups
-sharing the same secret.  Thus multiple-selector entries are best for PSK
-authentication.
-.LP
-Authentication by public key systems such as RSA requires that each host
-have its own private key.  A host could reasonably use a different private keys
-for different interfaces and for different peers.  But it would not
-be normal to share entries between systems.  Thus thus no-selector and
-one-selector forms of entry often make sense for public key authentication.
-.LP
-The key part of an entry must start with a token indicating the kind of
-key.  The following types of secrets are currently supported:
-.TP
-.B PSK
-defines a pre-shared key
-.TP
-.B RSA
-defines an RSA private key
-.TP
-.B ECDSA
-defines an ECDSA private key
-.TP
-.B EAP
-defines EAP credentials
-.TP
-.B XAUTH
-defines XAUTH credentials
-.TP
-.B PIN
-defines a smartcard PIN
-.LP
-Details on each type of secret are given below.
-.LP
-Whitespace at the end of a line is ignored. At the start of a line or
-after whitespace, \fB#\fP and the following text up to the end of the
-line is treated as a comment.
-.LP
-An include directive causes the contents of the named file to be processed
-before continuing with the current file.  The filename is subject to
-``globbing'' as in \fIsh\fP(1), so every file with a matching name
-is processed.  Includes may be nested to a modest
-depth (10, currently).  If the filename doesn't start with a \fB/\fP, the
-directory containing the current file is prepended to the name.  The
-include directive is a line that starts with the word \fBinclude\fP,
-followed by whitespace, followed by the filename (which must not contain
-whitespace).
-.SS TYPES OF SECRETS
-.TP
-.B [ <selectors> ] : PSK <secret>
-A preshared secret is most conveniently represented as a sequence of
-characters, delimited by double-quote characters (\fB"\fP).
-The sequence cannot contain a newline or double-quote.
-Strictly speaking, the secret is actually the sequence
-of bytes that is used in the file to represent the sequence of
-characters (excluding the delimiters).
-.TP
-.B [ <selectors> ] : RSA <private key file> [ <passphrase> | %prompt ]
-.TQ
-.B [ <selectors> ] : ECDSA <private key file> [ <passphrase> | %prompt ]
-For the private key file both absolute paths or paths relative to
-\fI/etc/ipsec.d/private\fP are accepted. If the private key file is
-encrypted, the \fIpassphrase\fP must be defined. Instead of a passphrase
-.B %prompt
-can be used which then causes the daemons to ask the user for the password
-whenever it is required to decrypt the key.
-.TP
-.B <user id> : EAP <secret>
-As with \fBPSK\fP secrets the \fIsecret\fP is a sequence of characters,
-delimited by double-quote characters (\fB"\fP).
-.br
-\fBEAP\fP secrets are IKEv2 only.
-.TP
-.B : XAUTH <username> <password>
-\fBXAUTH\fP secrets are IKEv1 only.
-.TP
-.B : PIN <smartcard selector> <pin code> | %prompt
-The format
-.B "%smartcard[<slot nr>[:<key id>]]"
-is used to specify the smartcard selector (e.g. %smartcard1:50). For IKEv1,
-instead of specifying the pin code statically,
-.B %prompt
-can be specified, which causes the pluto daemon to ask the user for the pin
-code.
-.LP
-
-.SH FILES
-/etc/ipsec.secrets
-.SH SEE ALSO
-\fIipsec.conf\fP(5),
-\fIipsec\fP(8)
-.br
-.SH HISTORY
-Originally written for the FreeS/WAN project by D. Hugh Redelmeier.
-Updated and extended for the strongSwan project <http://www.strongswan.org> by
-Tobias Brunner and Andreas Steffen.
-.SH BUGS
-If an ID is \fB0.0.0.0\fP, it will match \fB%any\fP;
-if it is \fB0::0\fP, it will match \fB%any6\fP.
diff --git a/src/pluto/ipsec.secrets.5.in b/src/pluto/ipsec.secrets.5.in
deleted file mode 100644
index adb915e4d..000000000
--- a/src/pluto/ipsec.secrets.5.in
+++ /dev/null
@@ -1,175 +0,0 @@
-.TH IPSEC.SECRETS 5 "2010-05-30" "@IPSEC_VERSION@" "strongSwan"
-.SH NAME
-ipsec.secrets \- secrets for IKE/IPsec authentication
-.SH DESCRIPTION
-The file \fIipsec.secrets\fP holds a table of secrets.
-These secrets are used by the strongSwan Internet Key Exchange (IKE) daemons
-pluto (IKEv1) and charon (IKEv2) to authenticate other hosts.
-.LP
-It is vital that these secrets be protected.  The file should be owned
-by the super-user,
-and its permissions should be set to block all access by others.
-.LP
-The file is a sequence of entries and include directives.
-Here is an example.
-.LP
-.RS
-.nf
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-192.168.0.1 %any : PSK "v+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL"
-
-: RSA moonKey.pem
-
-alice@strongswan.org : EAP "x3.dEhgN"
-
-: XAUTH carol "4iChxLT3"
-
-: XAUTH dave "ryftzG4A"
-
-# get secrets from other files
-include ipsec.*.secrets
-.fi
-.RE
-.LP
-Each entry in the file is a list of optional ID selectors, followed by a secret.
-The two parts are separated by a colon (\fB:\fP) that is surrounded
-by whitespace. If no ID selectors are specified the line must start with a
-colon.
-.LP
-A selector is an IP address, a Fully Qualified Domain Name, user@FQDN,
-\fB%any\fP or \fB%any6\fP (other kinds may come).  An IP address may be written
-in the familiar dotted quad form or as a domain name to be looked up
-when the file is loaded.
-In many cases it is a bad idea to use domain names because
-the name server may not be running or may be insecure.  To denote a
-Fully Qualified Domain Name (as opposed to an IP address denoted by
-its domain name), precede the name with an at sign (\fB@\fP).
-.LP
-Matching IDs with selectors is fairly straightforward: they have to be
-equal.  In the case of a ``Road Warrior'' connection, if an equal
-match is not found for the Peer's ID, and it is in the form of an IP
-address, a selector of \fB%any\fP will match the peer's IP address if IPV4
-and \fB%any6\fP will match a the peer's IP address if IPV6.
-Currently, the obsolete notation \fB0.0.0.0\fP may be used in place of
-\fB%any\fP.
-.LP
-In IKEv1 an additional complexity
-arises in the case of authentication by preshared secret: the
-responder will need to look up the secret before the Peer's ID payload has
-been decoded, so the ID used will be the IP address.
-.LP
-To authenticate a connection between two hosts, the entry that most
-specifically matches the host and peer IDs is used.  An entry with no
-selectors will match any host and peer.  More specifically, an entry with one
-selector will match a host and peer if the selector matches the host's ID (the
-peer isn't considered).  Still more specifically, an entry with multiple
-selectors will match a host and peer if the host ID and peer ID each match one
-of the selectors.  If the key is for an asymmetric authentication technique
-(i.e. a public key system such as RSA), an entry with multiple selectors will
-match a host and peer even if only the host ID matches a selector (it is
-presumed that the selectors are all identities of the host).
-It is acceptable for two entries to be the best match as
-long as they agree about the secret or private key.
-.LP
-Authentication by preshared secret requires that both systems find the
-identical secret (the secret is not actually transmitted by the IKE
-protocol).  If both the host and peer appear in the selector list, the
-same entry will be suitable for both systems so verbatim copying
-between systems can be used.  This naturally extends to larger groups
-sharing the same secret.  Thus multiple-selector entries are best for PSK
-authentication.
-.LP
-Authentication by public key systems such as RSA requires that each host
-have its own private key.  A host could reasonably use a different private keys
-for different interfaces and for different peers.  But it would not
-be normal to share entries between systems.  Thus thus no-selector and
-one-selector forms of entry often make sense for public key authentication.
-.LP
-The key part of an entry must start with a token indicating the kind of
-key.  The following types of secrets are currently supported:
-.TP
-.B PSK
-defines a pre-shared key
-.TP
-.B RSA
-defines an RSA private key
-.TP
-.B ECDSA
-defines an ECDSA private key
-.TP
-.B EAP
-defines EAP credentials
-.TP
-.B XAUTH
-defines XAUTH credentials
-.TP
-.B PIN
-defines a smartcard PIN
-.LP
-Details on each type of secret are given below.
-.LP
-Whitespace at the end of a line is ignored. At the start of a line or
-after whitespace, \fB#\fP and the following text up to the end of the
-line is treated as a comment.
-.LP
-An include directive causes the contents of the named file to be processed
-before continuing with the current file.  The filename is subject to
-``globbing'' as in \fIsh\fP(1), so every file with a matching name
-is processed.  Includes may be nested to a modest
-depth (10, currently).  If the filename doesn't start with a \fB/\fP, the
-directory containing the current file is prepended to the name.  The
-include directive is a line that starts with the word \fBinclude\fP,
-followed by whitespace, followed by the filename (which must not contain
-whitespace).
-.SS TYPES OF SECRETS
-.TP
-.B [ <selectors> ] : PSK <secret>
-A preshared secret is most conveniently represented as a sequence of
-characters, delimited by double-quote characters (\fB"\fP).
-The sequence cannot contain a newline or double-quote.
-Strictly speaking, the secret is actually the sequence
-of bytes that is used in the file to represent the sequence of
-characters (excluding the delimiters).
-.TP
-.B [ <selectors> ] : RSA <private key file> [ <passphrase> | %prompt ]
-.TQ
-.B [ <selectors> ] : ECDSA <private key file> [ <passphrase> | %prompt ]
-For the private key file both absolute paths or paths relative to
-\fI/etc/ipsec.d/private\fP are accepted. If the private key file is
-encrypted, the \fIpassphrase\fP must be defined. Instead of a passphrase
-.B %prompt
-can be used which then causes the daemons to ask the user for the password
-whenever it is required to decrypt the key.
-.TP
-.B <user id> : EAP <secret>
-As with \fBPSK\fP secrets the \fIsecret\fP is a sequence of characters,
-delimited by double-quote characters (\fB"\fP).
-.br
-\fBEAP\fP secrets are IKEv2 only.
-.TP
-.B : XAUTH <username> <password>
-\fBXAUTH\fP secrets are IKEv1 only.
-.TP
-.B : PIN <smartcard selector> <pin code> | %prompt
-The format
-.B "%smartcard[<slot nr>[:<key id>]]"
-is used to specify the smartcard selector (e.g. %smartcard1:50). For IKEv1,
-instead of specifying the pin code statically,
-.B %prompt
-can be specified, which causes the pluto daemon to ask the user for the pin
-code.
-.LP
-
-.SH FILES
-/etc/ipsec.secrets
-.SH SEE ALSO
-\fIipsec.conf\fP(5),
-\fIipsec\fP(8)
-.br
-.SH HISTORY
-Originally written for the FreeS/WAN project by D. Hugh Redelmeier.
-Updated and extended for the strongSwan project <http://www.strongswan.org> by
-Tobias Brunner and Andreas Steffen.
-.SH BUGS
-If an ID is \fB0.0.0.0\fP, it will match \fB%any\fP;
-if it is \fB0::0\fP, it will match \fB%any6\fP.
diff --git a/src/pluto/ipsec_doi.c b/src/pluto/ipsec_doi.c
index 4a6a7c872..7ec547b0c 100644
--- a/src/pluto/ipsec_doi.c
+++ b/src/pluto/ipsec_doi.c
@@ -1753,7 +1753,7 @@ bool encrypt_message(pb_stream *pbs, struct state *st)
 	size_t enc_len = pbs_offset(pbs) - sizeof(struct isakmp_hdr);
 	chunk_t data, iv;
     char *new_iv;
-	size_t crypter_block_size;
+	size_t crypter_block_size, crypter_iv_size;
 	encryption_algorithm_t enc_alg;
 	crypter_t *crypter;
 
@@ -1761,6 +1761,7 @@ bool encrypt_message(pb_stream *pbs, struct state *st)
 	enc_alg = oakley_to_encryption_algorithm(st->st_oakley.encrypt);
 	crypter = lib->crypto->create_crypter(lib->crypto, enc_alg, st->st_enc_key.len);
 	crypter_block_size = crypter->get_block_size(crypter);
+	crypter_iv_size = crypter->get_iv_size(crypter);
 
 	/* Pad up to multiple of encryption blocksize.
 	 * See the description associated with the definition of
@@ -1781,15 +1782,15 @@ bool encrypt_message(pb_stream *pbs, struct state *st)
 	data = chunk_create(enc_start, enc_len);
 
 	/* form iv by truncation */
-	st->st_new_iv_len = crypter_block_size;
+	st->st_new_iv_len = crypter_iv_size;
 	iv = chunk_create(st->st_new_iv, st->st_new_iv_len);
 
 	crypter->set_key(crypter, st->st_enc_key);
 	crypter->encrypt(crypter, data, iv, NULL);
 	crypter->destroy(crypter);
 
-	new_iv = data.ptr + data.len - crypter_block_size;
-	memcpy(st->st_new_iv, new_iv, crypter_block_size);
+	new_iv = data.ptr + data.len - crypter_iv_size;
+	memcpy(st->st_new_iv, new_iv, crypter_iv_size);
 	update_iv(st);
 	DBG_cond_dump(DBG_CRYPT, "next IV:", st->st_iv, st->st_iv_len);
 	close_message(pbs);
diff --git a/src/pluto/kernel.c b/src/pluto/kernel.c
index dd7ed8893..e57822ffb 100644
--- a/src/pluto/kernel.c
+++ b/src/pluto/kernel.c
@@ -1,7 +1,11 @@
 /* routines that interface with the kernel's IPsec mechanism
- * Copyright (C) 1997 Angelos D. Keromytis.
- * Copyright (C) 1998-2002  D. Hugh Redelmeier.
- * Copyright (C) 2009 Andreas Steffen - Hochschule fuer Technik Rapperswil
+ *
+ * Copyright (C) 2010 Tobias Brunner
+ * Copyright (C) 2009 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * Copyright (C) 1998-2002  D. Hugh Redelmeier
+ * Copyright (C) 1997 Angelos D. Keromytis
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -32,16 +36,16 @@
 #include <freeswan.h>
 
 #include <library.h>
+#include <hydra.h>
 #include <crypto/rngs/rng.h>
+#include <kernel/kernel_listener.h>
 
-#ifdef KLIPS
 #include <signal.h>
 #include <sys/time.h>   /* for select(2) */
 #include <sys/types.h>  /* for select(2) */
 #include <pfkeyv2.h>
 #include <pfkey.h>
 #include "kameipsec.h"
-#endif /* KLIPS */
 
 #include "constants.h"
 #include "defs.h"
@@ -49,28 +53,21 @@
 #include "state.h"
 #include "timer.h"
 #include "kernel.h"
-#include "kernel_netlink.h"
 #include "kernel_pfkey.h"
-#include "kernel_noklips.h"
 #include "log.h"
 #include "ca.h"
 #include "server.h"
 #include "whack.h"      /* for RC_LOG_SERIOUS */
 #include "keys.h"
+#include "crypto.h"
 #include "nat_traversal.h"
 #include "alg_info.h"
 #include "kernel_alg.h"
+#include "pluto.h"
 
 
 bool can_do_IPcomp = TRUE;  /* can system actually perform IPCOMP? */
 
-/* How far can IPsec messages arrive out of order before the anti-replay
- * logic loses track and swats them?  64 is the best KLIPS can do.
- * And 32 is the best XFRM can do...
- */
-#define REPLAY_WINDOW   64
-#define REPLAY_WINDOW_XFRM      32
-
 /* test if the routes required for two different connections agree
  * It is assumed that the destination subnets agree; we are only
  * testing that the interfaces and nexthops match.
@@ -78,282 +75,115 @@ bool can_do_IPcomp = TRUE;  /* can system actually perform IPCOMP? */
 #define routes_agree(c, d) ((c)->interface == (d)->interface \
 		&& sameaddr(&(c)->spd.this.host_nexthop, &(d)->spd.this.host_nexthop))
 
-#ifndef KLIPS
-
-bool no_klips = TRUE;   /* don't actually use KLIPS */
-
-#else /* !KLIPS */
-
-/* bare (connectionless) shunt (eroute) table
- *
- * Bare shunts are those that don't "belong" to a connection.
- * This happens because some %trapped traffic hasn't yet or cannot be
- * assigned to a connection.  The usual reason is that we cannot discover
- * the peer SG.  Another is that even when the peer has been discovered,
- * it may be that no connection matches all the particulars.
- * We record them so that, with scanning, we can discover
- * which %holds are news and which others should expire.
- */
+/* forward declaration */
+static bool shunt_eroute(connection_t *c, struct spd_route *sr,
+						 enum routing_t rt_kind, unsigned int op,
+						 const char *opname);
 
-#define SHUNT_SCAN_INTERVAL     (60 * 2)   /* time between scans of eroutes */
+static void set_text_said(char *text_said, const ip_address *dst,
+						  ipsec_spi_t spi, int proto);
 
-/* SHUNT_PATIENCE only has resolution down to a multiple of the sample rate,
- * SHUNT_SCAN_INTERVAL.
- * By making SHUNT_PATIENCE an odd multiple of half of SHUNT_SCAN_INTERVAL,
- * we minimize the effects of jitter.
+/**
+ * Default IPsec SA config (e.g. to install trap policies).
  */
-#define SHUNT_PATIENCE  (SHUNT_SCAN_INTERVAL * 15 / 2)  /* inactivity timeout */
-
-struct bare_shunt {
-	policy_prio_t policy_prio;
-	ip_subnet ours;
-	ip_subnet his;
-	ip_said said;
-	int transport_proto;
-	unsigned long count;
-	time_t last_activity;
-	char *why;
-	struct bare_shunt *next;
+static ipsec_sa_cfg_t null_ipsec_sa = {
+	.mode = MODE_TRANSPORT,
+	.esp = {
+		.use = TRUE,
+	},
 };
 
-static struct bare_shunt *bare_shunts = NULL;
-
-#ifdef DEBUG
-static void DBG_bare_shunt(const char *op, const struct bare_shunt *bs)
+/**
+ * Helper function that converts an ip_subnet to a traffic_selector_t.
+ */
+static traffic_selector_t *traffic_selector_from_subnet(const ip_subnet *client,
+														const u_int8_t proto)
 {
-	DBG(DBG_KLIPS,
-		{
-			int ourport = ntohs(portof(&(bs)->ours.addr));
-			int hisport = ntohs(portof(&(bs)->his.addr));
-			char ourst[SUBNETTOT_BUF];
-			char hist[SUBNETTOT_BUF];
-			char sat[SATOT_BUF];
-			char prio[POLICY_PRIO_BUF];
-
-			subnettot(&(bs)->ours, 0, ourst, sizeof(ourst));
-			subnettot(&(bs)->his, 0, hist, sizeof(hist));
-			satot(&(bs)->said, 0, sat, sizeof(sat));
-			fmt_policy_prio(bs->policy_prio, prio);
-			DBG_log("%s bare shunt %p %s:%d -> %s:%d => %s:%d %s    %s"
-				, op, (const void *)(bs), ourst, ourport, hist, hisport
-				, sat, (bs)->transport_proto, prio, (bs)->why);
-		});
+	traffic_selector_t *ts;
+	host_t *net;
+	net = host_create_from_sockaddr((sockaddr_t*)&client->addr);
+	ts = traffic_selector_create_from_subnet(net, client->maskbits, proto,
+											 net->get_port(net));
+	return ts;
 }
-#else /* !DEBUG */
-#define DBG_bare_shunt(op, bs) {}
-#endif /* !DEBUG */
 
-/* The orphaned_holds table records %holds for which we
- * scan_proc_shunts found no representation of in any connection.
- * The corresponding ACQUIRE message might have been lost.
+/**
+ * Helper function that converts a traffic_selector_t to an ip_subnet.
  */
-struct eroute_info *orphaned_holds = NULL;
-
-/* forward declaration */
-static bool shunt_eroute(connection_t *c, struct spd_route *sr,
-						 enum routing_t rt_kind, unsigned int op,
-						 const char *opname);
-
-static void set_text_said(char *text_said, const ip_address *dst,
-						  ipsec_spi_t spi, int proto);
-
-bool no_klips = FALSE;  /* don't actually use KLIPS */
+static ip_subnet subnet_from_traffic_selector(traffic_selector_t *ts)
+{
+	ip_subnet subnet;
+	host_t *net;
+	u_int8_t mask;
+	ts->to_subnet(ts, &net, &mask);
+	subnet.addr = *(ip_address*)net->get_sockaddr(net);
+	subnet.maskbits = mask;
+	net->destroy(net);
+	return subnet;
+}
 
-static const struct pfkey_proto_info null_proto_info[2] = {
-		{
-				proto: IPPROTO_ESP,
-				encapsulation: ENCAPSULATION_MODE_TRANSPORT,
-				reqid: 0
-		},
-		{
-				proto: 0,
-				encapsulation: 0,
-				reqid: 0
-		}
-};
 
 void record_and_initiate_opportunistic(const ip_subnet *ours,
 									   const ip_subnet *his,
 									   int transport_proto, const char *why)
 {
+	ip_address src, dst;
 	passert(samesubnettype(ours, his));
 
-	/* Add to bare shunt list.
-	 * We need to do this because the shunt was installed by KLIPS
-	 * which can't do this itself.
-	 */
-	{
-		struct bare_shunt *bs = malloc_thing(struct bare_shunt);
-
-		bs->why = clone_str(why);
-		bs->ours = *ours;
-		bs->his = *his;
-		bs->transport_proto = transport_proto;
-		bs->policy_prio = BOTTOM_PRIO;
-
-		bs->said.proto = SA_INT;
-		bs->said.spi = htonl(SPI_HOLD);
-		bs->said.dst = *aftoinfo(subnettypeof(ours))->any;
-
-		bs->count = 0;
-		bs->last_activity = now();
-
-		bs->next = bare_shunts;
-		bare_shunts = bs;
-		DBG_bare_shunt("add", bs);
-	}
-
 	/* actually initiate opportunism */
-	{
-		ip_address src, dst;
-
-		networkof(ours, &src);
-		networkof(his, &dst);
-		initiate_opportunistic(&src, &dst, transport_proto, TRUE, NULL_FD);
-	}
-
-	/* if present, remove from orphaned_holds list.
-	 * NOTE: we do this last in case ours or his is a pointer into a member.
-	 */
-	{
-		struct eroute_info **pp, *p;
-
-		for (pp = &orphaned_holds; (p = *pp) != NULL; pp = &p->next)
-		{
-			if (samesubnet(ours, &p->ours)
-			&& samesubnet(his, &p->his)
-			&& transport_proto == p->transport_proto
-			&& portof(&ours->addr) == portof(&p->ours.addr)
-			&& portof(&his->addr) == portof(&p->his.addr))
-			{
-				*pp = p->next;
-				free(p);
-				break;
-			}
-		}
-	}
-}
-
-#endif /* KLIPS */
-
-static unsigned get_proto_reqid(unsigned base, int proto)
-{
-	switch (proto)
-	{
-	default:
-	case IPPROTO_COMP:
-		base++;
-		/* fall through */
-	case IPPROTO_ESP:
-		base++;
-		/* fall through */
-	case IPPROTO_AH:
-		break;
-	}
-
-	return base;
+	networkof(ours, &src);
+	networkof(his, &dst);
+	initiate_opportunistic(&src, &dst, transport_proto, TRUE, NULL_FD);
 }
 
 /* Generate Unique SPI numbers.
  *
- * The specs say that the number must not be less than IPSEC_DOI_SPI_MIN.
- * Pluto generates numbers not less than IPSEC_DOI_SPI_OUR_MIN,
- * reserving numbers in between for manual keying (but we cannot so
- * restrict numbers generated by our peer).
- * XXX This should be replaced by a call to the kernel when
- * XXX we get an API.
  * The returned SPI is in network byte order.
- * We use a random number as the initial SPI so that there is
- * a good chance that different Pluto instances will choose
- * different SPIs.  This is good for two reasons.
- * - the keying material for the initiator and responder only
- *   differs if the SPIs differ.
- * - if Pluto is restarted, it would otherwise recycle the SPI
- *   numbers and confuse everything.  When the kernel generates
- *   SPIs, this will no longer matter.
- * We then allocate numbers sequentially.  Thus we don't have to
- * check if the number was previously used (assuming that no
- * SPI lives longer than 4G of its successors).
  */
 ipsec_spi_t get_ipsec_spi(ipsec_spi_t avoid, int proto, struct spd_route *sr,
 						  bool tunnel)
 {
-	static ipsec_spi_t spi = 0; /* host order, so not returned directly! */
-	char text_said[SATOT_BUF];
-	rng_t *rng;
+	host_t *host_src, *host_dst;
+	u_int32_t spi;
 
-	set_text_said(text_said, &sr->this.host_addr, 0, proto);
-
-	if (kernel_ops->get_spi)
-	{
-		return kernel_ops->get_spi(&sr->that.host_addr
-			, &sr->this.host_addr, proto, tunnel
-			, get_proto_reqid(sr->reqid, proto)
-			, IPSEC_DOI_SPI_OUR_MIN, 0xffffffff
-			, text_said);
-	}
+	host_src = host_create_from_sockaddr((sockaddr_t*)&sr->that.host_addr);
+	host_dst = host_create_from_sockaddr((sockaddr_t*)&sr->this.host_addr);
 
-	spi++;
-	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
-	while (spi < IPSEC_DOI_SPI_OUR_MIN || spi == ntohl(avoid))
+	if (hydra->kernel_interface->get_spi(hydra->kernel_interface, host_src,
+								host_dst, proto, sr->reqid, &spi) != SUCCESS)
 	{
-		rng->get_bytes(rng, sizeof(spi), (u_char *)&spi);
+		spi = 0;
 	}
-	rng->destroy(rng);
-	DBG(DBG_CONTROL,
-		{
-			ipsec_spi_t spi_net = htonl(spi);
 
-			DBG_dump("generate SPI:", (u_char *)&spi_net, sizeof(spi_net));
-		});
+	host_src->destroy(host_src);
+	host_dst->destroy(host_dst);
 
-	return htonl(spi);
+	return spi;
 }
 
 /* Generate Unique CPI numbers.
  * The result is returned as an SPI (4 bytes) in network order!
  * The real bits are in the nework-low-order 2 bytes.
- * Modelled on get_ipsec_spi, but range is more limited:
- * 256-61439.
- * If we can't find one easily, return 0 (a bad SPI,
- * no matter what order) indicating failure.
  */
 ipsec_spi_t get_my_cpi(struct spd_route *sr, bool tunnel)
 {
-	static cpi_t first_busy_cpi = 0, latest_cpi;
-	char text_said[SATOT_BUF];
-	rng_t *rng;
+	host_t *host_src, *host_dst;
+	u_int16_t cpi;
 
-	set_text_said(text_said, &sr->this.host_addr, 0, IPPROTO_COMP);
+	host_src = host_create_from_sockaddr((sockaddr_t*)&sr->that.host_addr);
+	host_dst = host_create_from_sockaddr((sockaddr_t*)&sr->this.host_addr);
 
-	if (kernel_ops->get_spi)
-	{
-		return kernel_ops->get_spi(&sr->that.host_addr
-			, &sr->this.host_addr, IPPROTO_COMP, tunnel
-			, get_proto_reqid(sr->reqid, IPPROTO_COMP)
-			, IPCOMP_FIRST_NEGOTIATED, IPCOMP_LAST_NEGOTIATED
-			, text_said);
-	}
+	if (hydra->kernel_interface->get_cpi(hydra->kernel_interface, host_src,
+										 host_dst, sr->reqid, &cpi) != SUCCESS)
 
-	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
-	while (!(IPCOMP_FIRST_NEGOTIATED <= first_busy_cpi && first_busy_cpi < IPCOMP_LAST_NEGOTIATED))
 	{
-		rng->get_bytes(rng, sizeof(first_busy_cpi), (u_char *)&first_busy_cpi);
-		latest_cpi = first_busy_cpi;
+		cpi = 0;
 	}
-	rng->destroy(rng);
 
-	latest_cpi++;
+	host_src->destroy(host_src);
+	host_dst->destroy(host_dst);
 
-	if (latest_cpi == first_busy_cpi)
-	{
-		find_my_cpi_gap(&latest_cpi, &first_busy_cpi);
-	}
-	if (latest_cpi > IPCOMP_LAST_NEGOTIATED)
-	{
-		latest_cpi = IPCOMP_FIRST_NEGOTIATED;
-	}
-	return htonl((ipsec_spi_t)latest_cpi);
+	return htonl((u_int32_t)ntohs(cpi));
 }
 
 /* Replace the shell metacharacters ', \, ", `, and $ in a character string
@@ -420,7 +250,7 @@ static void escape_metachar(const char *src, char *dst, size_t dstlen)
 # define DEFAULT_UPDOWN "ipsec _updown"
 #endif
 
-static bool do_command(connection_t *c, struct spd_route *sr,
+static bool do_command(connection_t *c, struct spd_route *sr, struct state *st,
 					   const char *verb)
 {
 	char cmd[1536];     /* arbitrary limit on shell command length */
@@ -464,6 +294,9 @@ static bool do_command(connection_t *c, struct spd_route *sr,
 			peerclientnet_str[ADDRTOT_BUF],
 			peerclientmask_str[ADDRTOT_BUF],
 			peerca_str[BUF_LEN],
+			mark_in[BUF_LEN] = "",
+			mark_out[BUF_LEN] = "",
+			udp_encap[BUF_LEN] = "",
 			xauth_id_str[BUF_LEN] = "",
 			secure_myid_str[BUF_LEN] = "",
 			secure_peerid_str[BUF_LEN] = "",
@@ -491,11 +324,29 @@ static bool do_command(connection_t *c, struct spd_route *sr,
 
 			strcpy(srcip_str, "PLUTO_MY_SOURCEIP='");
 			n = srcip_str + strlen(srcip_str);
-			snprintf(n, sizeof(srcip_str)-strlen(srcip_str), "%H", 
+			snprintf(n, sizeof(srcip_str)-strlen(srcip_str), "%H",
 						sr->this.host_srcip);
 			strncat(srcip_str, "' ", sizeof(srcip_str));
 		}
 
+		if (sr->mark_in.value)
+		{
+			snprintf(mark_in, sizeof(mark_in), "PLUTO_MARK_IN='%u/0x%08x' ",
+					 sr->mark_in.value, sr->mark_in.mask);
+		}
+
+		if (sr->mark_out.value)
+		{
+			snprintf(mark_out, sizeof(mark_out), "PLUTO_MARK_OUT='%u/0x%08x' ",
+					 sr->mark_out.value, sr->mark_out.mask);
+		}
+
+		if (st && (st->nat_traversal & NAT_T_DETECTED))
+		{
+			snprintf(udp_encap, sizeof(udp_encap), "PLUTO_UDP_ENC='%u' ",
+					 sr->that.host_port);
+		}
+
 		addrtot(&sr->this.host_addr, 0, me_str, sizeof(me_str));
 		snprintf(myid_str, sizeof(myid_str), "%Y", sr->this.id);
 		escape_metachar(myid_str, secure_myid_str, sizeof(secure_myid_str));
@@ -536,7 +387,7 @@ static bool do_command(connection_t *c, struct spd_route *sr,
 			{
 				if (key->issuer)
 				{
-					snprintf(peerca_str, BUF_LEN, "%Y", key->issuer);	
+					snprintf(peerca_str, BUF_LEN, "%Y", key->issuer);
 					escape_metachar(peerca_str, secure_peerca_str, BUF_LEN);
 				}
 				else
@@ -573,13 +424,16 @@ static bool do_command(connection_t *c, struct spd_route *sr,
 			"PLUTO_PEER_CA='%s' "
 			"%s"        /* optional PLUTO_MY_SRCIP */
 			"%s"        /* optional PLUTO_XAUTH_ID */
+			"%s"        /* optional PLUTO_MARK_IN */
+			"%s"        /* optional PLUTO_MARK_OUT */
+			"%s"        /* optional PLUTO_UDP_ENC */
 			"%s"        /* actual script */
 			, verb, verb_suffix
 			, c->name
 			, nexthop_str
 			, c->interface->vname
 			, sr->this.hostaccess? "PLUTO_HOST_ACCESS='1' " : ""
-			, sr->reqid + 1     /* ESP requid */
+			, sr->reqid
 			, me_str
 			, secure_myid_str
 			, myclient_str
@@ -597,6 +451,9 @@ static bool do_command(connection_t *c, struct spd_route *sr,
 			, secure_peerca_str
 			, srcip_str
 			, xauth_id_str
+			, mark_in
+			, mark_out
+			, udp_encap
 			, sr->this.updown == NULL? DEFAULT_UPDOWN : sr->this.updown))
 		{
 			loglog(RC_LOG_SERIOUS, "%s%s command too long!", verb, verb_suffix);
@@ -607,88 +464,83 @@ static bool do_command(connection_t *c, struct spd_route *sr,
 	DBG(DBG_CONTROL, DBG_log("executing %s%s: %s"
 		, verb, verb_suffix, cmd));
 
-#ifdef KLIPS
-	if (!no_klips)
+	/* invoke the script, catching stderr and stdout
+	 * It may be of concern that some file descriptors will
+	 * be inherited.  For the ones under our control, we
+	 * have done fcntl(fd, F_SETFD, FD_CLOEXEC) to prevent this.
+	 * Any used by library routines (perhaps the resolver or syslog)
+	 * will remain.
+	 */
+	FILE *f = popen(cmd, "r");
+
+	if (f == NULL)
 	{
-		/* invoke the script, catching stderr and stdout
-		 * It may be of concern that some file descriptors will
-		 * be inherited.  For the ones under our control, we
-		 * have done fcntl(fd, F_SETFD, FD_CLOEXEC) to prevent this.
-		 * Any used by library routines (perhaps the resolver or syslog)
-		 * will remain.
-		 */
-		FILE *f = popen(cmd, "r");
+		loglog(RC_LOG_SERIOUS, "unable to popen %s%s command", verb, verb_suffix);
+		return FALSE;
+	}
 
-		if (f == NULL)
-		{
-			loglog(RC_LOG_SERIOUS, "unable to popen %s%s command", verb, verb_suffix);
-			return FALSE;
-		}
+	/* log any output */
+	for (;;)
+	{
+		/* if response doesn't fit in this buffer, it will be folded */
+		char resp[256];
 
-		/* log any output */
-		for (;;)
+		if (fgets(resp, sizeof(resp), f) == NULL)
 		{
-			/* if response doesn't fit in this buffer, it will be folded */
-			char resp[256];
-
-			if (fgets(resp, sizeof(resp), f) == NULL)
+			if (ferror(f))
 			{
-				if (ferror(f))
-				{
-					log_errno((e, "fgets failed on output of %s%s command"
-						, verb, verb_suffix));
-					return FALSE;
-				}
-				else
-				{
-					passert(feof(f));
-					break;
-				}
+				log_errno((e, "fgets failed on output of %s%s command"
+					, verb, verb_suffix));
+				return FALSE;
 			}
 			else
 			{
-				char *e = resp + strlen(resp);
-
-				if (e > resp && e[-1] == '\n')
-					e[-1] = '\0';       /* trim trailing '\n' */
-				plog("%s%s output: %s", verb, verb_suffix, resp);
+				passert(feof(f));
+				break;
 			}
 		}
-
-		/* report on and react to return code */
+		else
 		{
-			int r = pclose(f);
+			char *e = resp + strlen(resp);
 
-			if (r == -1)
-			{
-				log_errno((e, "pclose failed for %s%s command"
-					, verb, verb_suffix));
-				return FALSE;
-			}
-			else if (WIFEXITED(r))
-			{
-				if (WEXITSTATUS(r) != 0)
-				{
-					loglog(RC_LOG_SERIOUS, "%s%s command exited with status %d"
-						, verb, verb_suffix, WEXITSTATUS(r));
-					return FALSE;
-				}
-			}
-			else if (WIFSIGNALED(r))
-			{
-				loglog(RC_LOG_SERIOUS, "%s%s command exited with signal %d"
-					, verb, verb_suffix, WTERMSIG(r));
-				return FALSE;
-			}
-			else
+			if (e > resp && e[-1] == '\n')
+				e[-1] = '\0';       /* trim trailing '\n' */
+			plog("%s%s output: %s", verb, verb_suffix, resp);
+		}
+	}
+
+	/* report on and react to return code */
+	{
+		int r = pclose(f);
+
+		if (r == -1)
+		{
+			log_errno((e, "pclose failed for %s%s command"
+				, verb, verb_suffix));
+			return FALSE;
+		}
+		else if (WIFEXITED(r))
+		{
+			if (WEXITSTATUS(r) != 0)
 			{
-				loglog(RC_LOG_SERIOUS, "%s%s command exited with unknown status %d"
-					, verb, verb_suffix, r);
+				loglog(RC_LOG_SERIOUS, "%s%s command exited with status %d"
+					, verb, verb_suffix, WEXITSTATUS(r));
 				return FALSE;
 			}
 		}
+		else if (WIFSIGNALED(r))
+		{
+			loglog(RC_LOG_SERIOUS, "%s%s command exited with signal %d"
+				, verb, verb_suffix, WTERMSIG(r));
+			return FALSE;
+		}
+		else
+		{
+			loglog(RC_LOG_SERIOUS, "%s%s command exited with unknown status %d"
+				, verb, verb_suffix, r);
+			return FALSE;
+		}
 	}
-#endif /* KLIPS */
 	return TRUE;
 }
 
@@ -731,10 +583,9 @@ static enum routability could_route(connection_t *c)
 	}
 
 	/* if routing would affect IKE messages, reject */
-	if (!no_klips
-	&& c->spd.this.host_port != NAT_T_IKE_FLOAT_PORT
-	&& c->spd.this.host_port != IKE_UDP_PORT
-	&& addrinsubnet(&c->spd.that.host_addr, &c->spd.that.client))
+	if (c->spd.this.host_port != NAT_T_IKE_FLOAT_PORT
+	 && c->spd.this.host_port != IKE_UDP_PORT
+	 && addrinsubnet(&c->spd.that.host_addr, &c->spd.that.client))
 	{
 		loglog(RC_LOG_SERIOUS, "cannot install route: peer is within its client");
 		return route_impossible;
@@ -754,7 +605,6 @@ static enum routability could_route(connection_t *c)
 									 using the eroute */
 	}
 
-#ifdef KLIPS
 	/* if there is an eroute for another connection, there is a problem */
 	if (ero != NULL && ero != c)
 	{
@@ -838,10 +688,9 @@ static enum routability could_route(connection_t *c)
 			loglog(RC_LOG_SERIOUS
 				, "cannot install eroute -- it is in use for \"%s\"%s #%lu"
 				, ero->name, inst, esr->eroute_owner);
-			return FALSE;       /* another connection already using the eroute */
+			return route_impossible;
 		}
 	}
-#endif /* KLIPS */
 	return route_easy;
 }
 
@@ -886,9 +735,7 @@ void unroute_connection(connection_t *c)
 		{
 			/* cannot handle a live one */
 			passert(sr->routing != RT_ROUTED_TUNNEL);
-#ifdef KLIPS
 			shunt_eroute(c, sr, RT_UNROUTED, ERO_DELETE, "delete");
-#endif
 		}
 
 		sr->routing = RT_UNROUTED;  /* do now so route_owner won't find us */
@@ -896,14 +743,12 @@ void unroute_connection(connection_t *c)
 		/* only unroute if no other connection shares it */
 		if (routed(cr) && route_owner(c, NULL, NULL, NULL) == NULL)
 		{
-			(void) do_command(c, sr, "unroute");
+			(void) do_command(c, sr, NULL, "unroute");
 		}
 	}
 }
 
 
-#ifdef KLIPS
-
 static void set_text_said(char *text_said, const ip_address *dst,
 						  ipsec_spi_t spi, int proto)
 {
@@ -913,99 +758,36 @@ static void set_text_said(char *text_said, const ip_address *dst,
 	satot(&said, 0, text_said, SATOT_BUF);
 }
 
-/* find an entry in the bare_shunt table.
- * Trick: return a pointer to the pointer to the entry;
- * this allows the entry to be deleted.
- */
-static struct bare_shunt** bare_shunt_ptr(const ip_subnet *ours,
-										  const ip_subnet *his,
-										  int transport_proto)
-{
-	struct bare_shunt *p, **pp;
-
-	for (pp = &bare_shunts; (p = *pp) != NULL; pp = &p->next)
-	{
-		if (samesubnet(ours, &p->ours)
-		&& samesubnet(his, &p->his)
-		&& transport_proto == p->transport_proto
-		&& portof(&ours->addr) == portof(&p->ours.addr)
-		&& portof(&his->addr) == portof(&p->his.addr))
-			return pp;
-	}
-	return NULL;
-}
-
-/* free a bare_shunt entry, given a pointer to the pointer */
-static void free_bare_shunt(struct bare_shunt **pp)
-{
-	if (pp == NULL)
-	{
-		DBG(DBG_CONTROL,
-			DBG_log("delete bare shunt: null pointer")
-		)
-	}
-	else
-	{
-		struct bare_shunt *p = *pp;
-
-		*pp = p->next;
-		DBG_bare_shunt("delete", p);
-		free(p->why);
-		free(p);
-	}
-}
-
-void
-show_shunt_status(void)
-{
-	struct bare_shunt *bs;
-
-	for (bs = bare_shunts; bs != NULL; bs = bs->next)
-	{
-		/* Print interesting fields.  Ignore count and last_active. */
-
-		int ourport = ntohs(portof(&bs->ours.addr));
-		int hisport = ntohs(portof(&bs->his.addr));
-		char ourst[SUBNETTOT_BUF];
-		char hist[SUBNETTOT_BUF];
-		char sat[SATOT_BUF];
-		char prio[POLICY_PRIO_BUF];
-
-		subnettot(&(bs)->ours, 0, ourst, sizeof(ourst));
-		subnettot(&(bs)->his, 0, hist, sizeof(hist));
-		satot(&(bs)->said, 0, sat, sizeof(sat));
-		fmt_policy_prio(bs->policy_prio, prio);
-
-		whack_log(RC_COMMENT, "%s:%d -> %s:%d => %s:%d %s    %s"
-			, ourst, ourport, hist, hisport, sat, bs->transport_proto
-			, prio, bs->why);
-	}
-	if (bare_shunts != NULL)
-		whack_log(RC_COMMENT, BLANK_FORMAT);    /* spacer */
-}
 
-/* Setup an IPsec route entry.
+/**
+ * Setup an IPsec route entry.
  * op is one of the ERO_* operators.
  */
-
 static bool raw_eroute(const ip_address *this_host,
 					   const ip_subnet *this_client,
 					   const ip_address *that_host,
 					   const ip_subnet *that_client,
+					   mark_t mark,
 					   ipsec_spi_t spi,
 					   unsigned int proto,
 					   unsigned int satype,
 					   unsigned int transport_proto,
-					   const struct pfkey_proto_info *proto_info,
-					   time_t use_lifetime,
+					   ipsec_sa_cfg_t *sa,
 					   unsigned int op,
 					   const char *opname USED_BY_DEBUG)
 {
+	traffic_selector_t *ts_src, *ts_dst;
+	host_t *host_src, *host_dst;
+	policy_type_t type = POLICY_IPSEC;
+	policy_dir_t dir = POLICY_OUT;
 	char text_said[SATOT_BUF];
+	bool ok = TRUE, routed = FALSE,
+		 deleting = (op & ERO_MASK) == ERO_DELETE,
+		 replacing = op & (SADB_X_SAFLAGS_REPLACEFLOW << ERO_FLAG_SHIFT);
 
 	set_text_said(text_said, that_host, spi, proto);
 
-	DBG(DBG_CONTROL | DBG_KLIPS,
+	DBG(DBG_CONTROL | DBG_KERNEL,
 		{
 			int sport = ntohs(portof(&this_client->addr));
 			int dport = ntohs(portof(&that_client->addr));
@@ -1019,104 +801,86 @@ static bool raw_eroute(const ip_address *this_host,
 				, text_said, transport_proto);
 		});
 
-	return kernel_ops->raw_eroute(this_host, this_client
-		, that_host, that_client, spi, satype, transport_proto, proto_info
-		, use_lifetime, op, text_said);
-}
-
-/* test to see if %hold remains */
-bool has_bare_hold(const ip_address *src, const ip_address *dst,
-				   int transport_proto)
-{
-	ip_subnet this_client, that_client;
-	struct bare_shunt **bspp;
-
-	passert(addrtypeof(src) == addrtypeof(dst));
-	happy(addrtosubnet(src, &this_client));
-	happy(addrtosubnet(dst, &that_client));
-	bspp = bare_shunt_ptr(&this_client, &that_client, transport_proto);
-	return bspp != NULL
-		&& (*bspp)->said.proto == SA_INT && (*bspp)->said.spi == htonl(SPI_HOLD);
-}
+	if (satype == SADB_X_SATYPE_INT)
+	{
+		switch (ntohl(spi))
+		{
+			case SPI_PASS:
+				type = POLICY_PASS;
+				break;
+			case SPI_DROP:
+			case SPI_REJECT:
+				type = POLICY_DROP;
+				break;
+			case SPI_TRAP:
+			case SPI_TRAPSUBNET:
+			case SPI_HOLD:
+				if (op & (SADB_X_SAFLAGS_INFLOW << ERO_FLAG_SHIFT))
+				{
+					return TRUE;
+				}
+				routed = TRUE;
+				break;
+		}
+	}
 
+	if (op & (SADB_X_SAFLAGS_INFLOW << ERO_FLAG_SHIFT))
+	{
+		dir = POLICY_IN;
+	}
 
-/* Replace (or delete) a shunt that is in the bare_shunts table.
- * Issues the PF_KEY commands and updates the bare_shunts table.
- */
-bool replace_bare_shunt(const ip_address *src, const ip_address *dst,
-						policy_prio_t policy_prio, ipsec_spi_t shunt_spi,
-						bool repl, unsigned int transport_proto, const char *why)
-{
-	ip_subnet this_client, that_client;
-	ip_subnet this_broad_client, that_broad_client;
-	const ip_address *null_host = aftoinfo(addrtypeof(src))->any;
+	host_src = host_create_from_sockaddr((sockaddr_t*)this_host);
+	host_dst = host_create_from_sockaddr((sockaddr_t*)that_host);
+	ts_src = traffic_selector_from_subnet(this_client, transport_proto);
+	ts_dst = traffic_selector_from_subnet(that_client, transport_proto);
 
-	passert(addrtypeof(src) == addrtypeof(dst));
-	happy(addrtosubnet(src, &this_client));
-	happy(addrtosubnet(dst, &that_client));
-	this_broad_client = this_client;
-	that_broad_client = that_client;
-	setportof(0, &this_broad_client.addr);
-	setportof(0, &that_broad_client.addr);
+	if (deleting || replacing)
+	{
+		hydra->kernel_interface->del_policy(hydra->kernel_interface,
+						ts_src, ts_dst, dir, mark, routed);
+	}
 
-	if (repl)
+	if (!deleting)
 	{
-		struct bare_shunt **bs_pp = bare_shunt_ptr(&this_broad_client
-												 , &that_broad_client, 0);
+		ok = hydra->kernel_interface->add_policy(hydra->kernel_interface,
+						host_src, host_dst, ts_src, ts_dst, dir, type, sa,
+						mark, routed) == SUCCESS;
+	}
 
-		/* is there already a broad host-to-host bare shunt? */
-		if (bs_pp == NULL)
+	if (dir == POLICY_IN)
+	{	/* handle forward policy */
+		dir = POLICY_FWD;
+		if (deleting || replacing)
 		{
-			if (raw_eroute(null_host, &this_broad_client, null_host, &that_broad_client
-						   , htonl(shunt_spi), SA_INT, SADB_X_SATYPE_INT
-						   , 0, null_proto_info
-						   , SHUNT_PATIENCE, ERO_ADD, why))
-			{
-				struct bare_shunt *bs = malloc_thing(struct bare_shunt);
-
-				bs->ours = this_broad_client;
-				bs->his =  that_broad_client;
-				bs->transport_proto = 0;
-				bs->said.proto = SA_INT;
-				bs->why = clone_str(why);
-				bs->policy_prio = policy_prio;
-				bs->said.spi = htonl(shunt_spi);
-				bs->said.dst = *null_host;
-				bs->count = 0;
-				bs->last_activity = now();
-				bs->next = bare_shunts;
-				bare_shunts = bs;
-				DBG_bare_shunt("add", bs);
-			}
+			hydra->kernel_interface->del_policy(hydra->kernel_interface,
+						ts_src, ts_dst, dir, mark, routed);
+		}
+
+		if (!deleting && ok &&
+			(sa->mode == MODE_TUNNEL || satype == SADB_X_SATYPE_INT))
+		{
+			ok = hydra->kernel_interface->add_policy(hydra->kernel_interface,
+						host_src, host_dst, ts_src, ts_dst, dir, type, sa,
+						mark, routed) == SUCCESS;
 		}
-		shunt_spi = SPI_HOLD;
 	}
 
-	if (raw_eroute(null_host, &this_client, null_host, &that_client
-				   , htonl(shunt_spi), SA_INT, SADB_X_SATYPE_INT
-				   , transport_proto, null_proto_info
-				   , SHUNT_PATIENCE, ERO_DELETE, why))
-	{
-		struct bare_shunt **bs_pp = bare_shunt_ptr(&this_client, &that_client
-										, transport_proto);
+	host_src->destroy(host_src);
+	host_dst->destroy(host_dst);
+	ts_src->destroy(ts_src);
+	ts_dst->destroy(ts_dst);
 
-		/* delete bare eroute */
-		free_bare_shunt(bs_pp);
-		return TRUE;
-	}
-	else
-	{
-		return FALSE;
-	}
+	return ok;
 }
 
 static bool eroute_connection(struct spd_route *sr, ipsec_spi_t spi,
 							  unsigned int proto, unsigned int satype,
-							  const struct pfkey_proto_info *proto_info,
-							  unsigned int op, const char *opname)
+							  ipsec_sa_cfg_t *sa, unsigned int op,
+							  const char *opname)
 {
 	const ip_address *peer = &sr->that.host_addr;
 	char buf2[256];
+	bool ok;
 
 	snprintf(buf2, sizeof(buf2)
 			 , "eroute_connection %s", opname);
@@ -1125,11 +889,13 @@ static bool eroute_connection(struct spd_route *sr, ipsec_spi_t spi,
 	{
 		peer = aftoinfo(addrtypeof(peer))->any;
 	}
-	return raw_eroute(&sr->this.host_addr, &sr->this.client
-					  , peer
-					  , &sr->that.client
-					  , spi, proto, satype
-					  , sr->this.protocol, proto_info, 0, op, buf2);
+	ok = raw_eroute(peer, &sr->that.client,
+					&sr->this.host_addr, &sr->this.client, sr->mark_in,
+					spi, proto, satype, sr->this.protocol,
+					sa, op | (SADB_X_SAFLAGS_INFLOW << ERO_FLAG_SHIFT), buf2);
+	return raw_eroute(&sr->this.host_addr, &sr->this.client, peer,
+					  &sr->that.client, sr->mark_out, spi, proto, satype,
+					  sr->this.protocol, sa, op, buf2) && ok;
 }
 
 /* assign a bare hold to a connection */
@@ -1162,31 +928,24 @@ bool assign_hold(connection_t *c USED_BY_DEBUG, struct spd_route *sr,
 		break;
 	}
 
-	/* we need a broad %hold, not the narrow one.
+	/* We need a broad %hold
 	 * First we ensure that there is a broad %hold.
 	 * There may already be one (race condition): no need to create one.
 	 * There may already be a %trap: replace it.
 	 * There may not be any broad eroute: add %hold.
-	 * Once the broad %hold is in place, delete the narrow one.
 	 */
 	if (rn != ro)
 	{
 		if (erouted(ro)
-		? !eroute_connection(sr, htonl(SPI_HOLD), SA_INT, SADB_X_SATYPE_INT
-				, null_proto_info
-				, ERO_REPLACE, "replace %trap with broad %hold")
-		: !eroute_connection(sr, htonl(SPI_HOLD), SA_INT, SADB_X_SATYPE_INT
-				, null_proto_info
-				, ERO_ADD, "add broad %hold"))
+		? !eroute_connection(sr, htonl(SPI_HOLD), SA_INT, SADB_X_SATYPE_INT,
+							 &null_ipsec_sa, ERO_REPLACE,
+							 "replace %trap with broad %hold")
+		: !eroute_connection(sr, htonl(SPI_HOLD), SA_INT, SADB_X_SATYPE_INT,
+							 &null_ipsec_sa, ERO_ADD, "add broad %hold"))
 		{
 			return FALSE;
 		}
 	}
-	if (!replace_bare_shunt(src, dst, BOTTOM_PRIO, SPI_HOLD, FALSE
-	, transport_proto, "delete narrow %hold"))
-	{
-		return FALSE;
-	}
 	sr->routing = rn;
 	return TRUE;
 }
@@ -1195,32 +954,21 @@ bool assign_hold(connection_t *c USED_BY_DEBUG, struct spd_route *sr,
 static bool sag_eroute(struct state *st, struct spd_route *sr,
 					   unsigned op, const char *opname)
 {
-	u_int inner_proto = 0;
-	u_int inner_satype = 0;
+	u_int inner_proto, inner_satype;
 	ipsec_spi_t inner_spi = 0;
-	struct pfkey_proto_info proto_info[4];
-	int i;
-	bool tunnel;
-
-	/* figure out the SPI and protocol (in two forms)
-	 * for the innermost transformation.
-	 */
-
-	i = sizeof(proto_info) / sizeof(proto_info[0]) - 1;
-	proto_info[i].proto = 0;
-	tunnel = FALSE;
+	ipsec_sa_cfg_t sa = {
+		.mode = MODE_TRANSPORT,
+	};
+	bool tunnel = FALSE;
 
 	if (st->st_ah.present)
 	{
 		inner_spi = st->st_ah.attrs.spi;
 		inner_proto = SA_AH;
 		inner_satype = SADB_SATYPE_AH;
-
-		i--;
-		proto_info[i].proto = IPPROTO_AH;
-		proto_info[i].encapsulation = st->st_ah.attrs.encapsulation;
-		tunnel |= proto_info[i].encapsulation == ENCAPSULATION_MODE_TUNNEL;
-		proto_info[i].reqid = sr->reqid;
+		sa.ah.use = TRUE;
+		sa.ah.spi = inner_spi;
+		tunnel |= st->st_ah.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL;
 	}
 
 	if (st->st_esp.present)
@@ -1228,12 +976,9 @@ static bool sag_eroute(struct state *st, struct spd_route *sr,
 		inner_spi = st->st_esp.attrs.spi;
 		inner_proto = SA_ESP;
 		inner_satype = SADB_SATYPE_ESP;
-
-		i--;
-		proto_info[i].proto = IPPROTO_ESP;
-		proto_info[i].encapsulation = st->st_esp.attrs.encapsulation;
-		tunnel |= proto_info[i].encapsulation == ENCAPSULATION_MODE_TUNNEL;
-		proto_info[i].reqid = sr->reqid + 1;
+		sa.esp.use = TRUE;
+		sa.esp.spi = inner_spi;
+		tunnel |= st->st_esp.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL;
 	}
 
 	if (st->st_ipcomp.present)
@@ -1241,37 +986,28 @@ static bool sag_eroute(struct state *st, struct spd_route *sr,
 		inner_spi = st->st_ipcomp.attrs.spi;
 		inner_proto = SA_COMP;
 		inner_satype = SADB_X_SATYPE_COMP;
-
-		i--;
-		proto_info[i].proto = IPPROTO_COMP;
-		proto_info[i].encapsulation = st->st_ipcomp.attrs.encapsulation;
-		tunnel |= proto_info[i].encapsulation == ENCAPSULATION_MODE_TUNNEL;
-		proto_info[i].reqid = sr->reqid + 2;
+		sa.ipcomp.transform = st->st_ipcomp.attrs.transid;
+		sa.ipcomp.cpi = htons(ntohl(inner_spi));
+		tunnel |= st->st_ipcomp.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL;
 	}
 
-	if (i == sizeof(proto_info) / sizeof(proto_info[0]) - 1)
+	if (!sa.ah.use && !sa.esp.use && !sa.ipcomp.transform)
 	{
 		impossible();   /* no transform at all! */
 	}
 
 	if (tunnel)
 	{
-		int j;
-
 		inner_spi = st->st_tunnel_out_spi;
 		inner_proto = SA_IPIP;
 		inner_satype = SADB_X_SATYPE_IPIP;
-
-		proto_info[i].encapsulation = ENCAPSULATION_MODE_TUNNEL;
-		for (j = i + 1; proto_info[j].proto; j++)
-		{
-			proto_info[j].encapsulation = ENCAPSULATION_MODE_TRANSPORT;
-		}
+		sa.mode = MODE_TUNNEL;
 	}
 
-	return eroute_connection(sr
-		, inner_spi, inner_proto, inner_satype, proto_info + i
-		, op, opname);
+	sa.reqid = sr->reqid;
+
+	return eroute_connection(sr, inner_spi, inner_proto, inner_satype,
+							 &sa, op, opname);
 }
 
 /* compute a (host-order!) SPI to implement the policy in connection c */
@@ -1318,7 +1054,6 @@ static bool shunt_eroute(connection_t *c, struct spd_route *sr,
 	 * The SPI signifies the kind of shunt.
 	 */
 	ipsec_spi_t spi = shunt_policy_spi(c, rt_kind == RT_ROUTED_PROSPECTIVE);
-	bool ok;
 
 	if (spi == 0)
 	{
@@ -1377,599 +1112,120 @@ static bool shunt_eroute(connection_t *c, struct spd_route *sr,
 		}
 	}
 
-	ok = TRUE;
-	if (kernel_ops->inbound_eroute)
-	{
-		ok = raw_eroute(&c->spd.that.host_addr, &c->spd.that.client
-			, &c->spd.this.host_addr, &c->spd.this.client
-			, htonl(spi), SA_INT, SADB_X_SATYPE_INT
-			, 0, null_proto_info, 0
-			, op | (SADB_X_SAFLAGS_INFLOW << ERO_FLAG_SHIFT), opname);
-	}
-	return eroute_connection(sr, htonl(spi), SA_INT, SADB_X_SATYPE_INT
-		, null_proto_info, op, opname) && ok;
+	return eroute_connection(sr, htonl(spi), SA_INT, SADB_X_SATYPE_INT,
+							 &null_ipsec_sa, op, opname);
 }
 
-
-/*
- * This is only called when s is a likely SAID with  trailing protocol i.e.
- * it has the form :-
- *
- *   %<keyword>:p
- *   <ip-proto><spi>@a.b.c.d:p
- *
- * The task here is to remove the ":p" part so that the rest can be read
- * by another routine.
- */
-static const char *read_proto(const char * s, size_t * len, int * transport_proto)
+static bool setup_half_ipsec_sa(struct state *st, bool inbound)
 {
-	const char * p;
-	const char * ugh;
-	unsigned long proto;
-	size_t l;
-
-	l = *len;
-	p = memchr(s, ':', l);
-	if (p == 0)
+	host_t *host_src, *host_dst;
+	connection_t *c = st->st_connection;
+	struct end *src, *dst;
+	ipsec_mode_t mode = MODE_TRANSPORT;
+	ipsec_sa_cfg_t sa = { .mode = 0 };
+	lifetime_cfg_t lt_none = { .time = { .rekey = 0 } };
+	mark_t mark;
+	bool ok = TRUE;
+	/* SPIs, saved for undoing, if necessary */
+	struct kernel_sa said[EM_MAXRELSPIS], *said_next = said;
+	if (inbound)
 	{
-		*transport_proto = 0;
-		return 0;
+		src = &c->spd.that;
+		dst = &c->spd.this;
+		mark = c->spd.mark_in;
 	}
-	ugh = ttoul(p+1, l-((p-s)+1), 10, &proto);
-	if (ugh != 0)
+	else
 	{
-		return ugh;
+		src = &c->spd.this;
+		dst = &c->spd.that;
+		mark = c->spd.mark_out;
 	}
-	if (proto > 65535)
+
+	host_src = host_create_from_sockaddr((sockaddr_t*)&src->host_addr);
+	host_dst = host_create_from_sockaddr((sockaddr_t*)&dst->host_addr);
+
+	if (st->st_ah.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL
+		|| st->st_esp.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL
+		|| st->st_ipcomp.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL)
 	{
-		return "protocol number is too large, legal range is 0-65535";
+		mode = MODE_TUNNEL;
 	}
-	*len = p-s;
-	*transport_proto = proto;
-	return 0;
-}
 
+	sa.mode = mode;
+	sa.reqid = c->spd.reqid;
 
-/* scan /proc/net/ipsec_eroute every once in a while, looking for:
- *
- * - %hold shunts of which Pluto isn't aware.  This situation could
- *   be caused by lost ACQUIRE messages.  When found, they will
- *   added to orphan_holds.  This in turn will lead to Opportunistic
- *   initiation.
- *
- * - other kinds of shunts that haven't been used recently.  These will be
- *   deleted.  They represent OE failures.
- *
- * - recording recent uses of tunnel eroutes so that rekeying decisions
- *   can be made for OE connections.
- *
- * Here are some sample lines:
- * 10         10.3.2.1.0/24    -> 0.0.0.0/0          => %trap
- * 259        10.3.2.1.115/32  -> 10.19.75.161/32    => tun0x1002@10.19.75.145
- * 71         10.44.73.97/32   -> 0.0.0.0/0          => %trap
- * 4119       10.44.73.97/32   -> 10.114.121.41/32   => %pass
- * Newer versions of KLIPS start each line with a 32-bit packet count.
- * If available, the count is used to detect whether a %pass shunt is in use.
- *
- * NOTE: execution time is quadratic in the number of eroutes since the
- * searching for each is sequential.  If this becomes a problem, faster
- * searches could be implemented (hash or radix tree, for example).
- */
-void scan_proc_shunts(void)
-{
-	static const char procname[] = "/proc/net/ipsec_eroute";
-	FILE *f;
-	time_t nw = now();
-	int lino;
-	struct eroute_info *expired = NULL;
-
-	event_schedule(EVENT_SHUNT_SCAN, SHUNT_SCAN_INTERVAL, NULL);
+	memset(said, 0, sizeof(said));
 
-	DBG(DBG_CONTROL,
-		DBG_log("scanning for shunt eroutes")
-	)
+	/* set up IPCOMP SA, if any */
 
-	/* free any leftover entries: they will be refreshed if still current */
-	while (orphaned_holds != NULL)
+	if (st->st_ipcomp.present)
 	{
-		struct eroute_info *p = orphaned_holds;
-
-		orphaned_holds = p->next;
-		free(orphaned_holds);
-	}
-
-	/* decode the /proc file.  Don't do anything strenuous to it
-	 * (certainly no PF_KEY stuff) to minimize the chance that it
-	 * might change underfoot.
-	 */
-
-	f = fopen(procname, "r");
-	if (f == NULL)
-	{
-		return;
-	}
-
-	/* for each line... */
-	for (lino = 1; ; lino++)
-	{
-		unsigned char buf[1024];  /* should be big enough */
-		chunk_t field[10];        /* 10 is loose upper bound */
-		chunk_t *ff = NULL;       /* fixed fields (excluding optional count) */
-		int fi;
-		struct eroute_info eri;
-		char *cp;
-		err_t context = ""
-			, ugh = NULL;
-
-		cp = fgets(buf, sizeof(buf), f);
-		if (cp == NULL)
-		{
-			break;
-		}
-
-		/* break out each field
-		 * Note: if there are too many fields, just stop;
-		 * it will be diagnosed a little later.
-		 */
-		for (fi = 0; fi < (int)countof(field); fi++)
-		{
-			static const char sep[] = " \t\n";  /* field-separating whitespace */
-			size_t w;
-
-			cp += strspn(cp, sep);      /* find start of field */
-			w = strcspn(cp, sep);       /* find width of field */
-			field[fi] = chunk_create(cp, w);
-			cp += w;
-			if (w == 0)
-			{
-				break;
-			}
-		}
-
-		/* This odd do-hickey is to share error reporting code.
-		 * A break will get to that common code.  The setting
-		 * of "ugh" and "context" parameterize it.
-		 */
-		do {
-			/* Old entries have no packet count; new ones do.
-			 * check if things are as they should be.
-			 */
-			if (fi == 5)
-			{
-				ff = &field[0]; /* old form, with no count */
-			}
-			else if (fi == 6)
-			{
-				ff = &field[1]; /* new form, with count */
-			}
-			else
-			{
-				ugh = "has wrong number of fields";
-				break;
-			}
-
-			if (ff[1].len != 2
-			|| strncmp(ff[1].ptr, "->", 2) != 0
-			|| ff[3].len != 2
-			|| strncmp(ff[3].ptr, "=>", 2) != 0)
-			{
-				ugh = "is missing -> or =>";
-				break;
-			}
-
-			/* actually digest fields of interest */
-
-			/* packet count */
-
-			eri.count = 0;
-			if (ff != field)
-			{
-				context = "count field is malformed: ";
-				ugh = ttoul(field[0].ptr, field[0].len, 10, &eri.count);
-				if (ugh != NULL)
-				{
-					break;
-				}
-			}
-
-			/* our client */
-
-			context = "source subnet field malformed: ";
-			ugh = ttosubnet(ff[0].ptr, ff[0].len, AF_INET, &eri.ours);
-			if (ugh != NULL)
-			{
-				break;
-			}
-
-			/* his client */
-
-			context = "destination subnet field malformed: ";
-			ugh = ttosubnet(ff[2].ptr, ff[2].len, AF_INET, &eri.his);
-			if (ugh != NULL)
-			{
-				break;
-			}
-
-			/* SAID */
-
-			context = "SA ID field malformed: ";
-			ugh = read_proto(ff[4].ptr, &ff[4].len, &eri.transport_proto);
-			if (ugh != NULL)
-			{
-				break;
-			}
-			ugh = ttosa(ff[4].ptr, ff[4].len, &eri.said);
-		} while (FALSE);
-
-		if (ugh != NULL)
-		{
-			plog("INTERNAL ERROR: %s line %d %s%s"
-				, procname, lino, context, ugh);
-			continue;   /* ignore rest of line */
-		}
-
-		/* Now we have decoded eroute, let's consider it.
-		 * For shunt eroutes:
-		 *
-		 * %hold: if not known, add to orphaned_holds list for initiation
-		 *    because ACQUIRE might have been lost.
-		 *
-		 * %pass, %drop, %reject: determine if idle; if so, blast it away.
-		 *    Can occur bare (if DNS provided insufficient information)
-		 *    or with a connection (failure context).
-		 *    Could even be installed by ipsec manual.
-		 *
-		 * %trap: always welcome.
-		 *
-		 * For other eroutes: find state and record count change
-		 */
-		if (eri.said.proto == SA_INT)
-		{
-			/* shunt eroute */
-			switch (ntohl(eri.said.spi))
-			{
-			case SPI_HOLD:
-				if (bare_shunt_ptr(&eri.ours, &eri.his, eri.transport_proto) == NULL
-				&& shunt_owner(&eri.ours, &eri.his) == NULL)
-				{
-					int ourport = ntohs(portof(&eri.ours.addr));
-					int hisport = ntohs(portof(&eri.his.addr));
-					char ourst[SUBNETTOT_BUF];
-					char hist[SUBNETTOT_BUF];
-					char sat[SATOT_BUF];
-
-					subnettot(&eri.ours, 0, ourst, sizeof(ourst));
-					subnettot(&eri.his, 0, hist, sizeof(hist));
-					satot(&eri.said, 0, sat, sizeof(sat));
-
-					DBG(DBG_CONTROL,
-						DBG_log("add orphaned shunt %s:%d -> %s:%d => %s:%d"
-							, ourst, ourport, hist, hisport, sat, eri.transport_proto)
-					 )
-					eri.next = orphaned_holds;
-					orphaned_holds = clone_thing(eri);
-				}
-				break;
-
-			case SPI_PASS:
-			case SPI_DROP:
-			case SPI_REJECT:
-				/* nothing sensible to do if we don't have counts */
-				if (ff != field)
-				{
-					struct bare_shunt **bs_pp
-						= bare_shunt_ptr(&eri.ours, &eri.his, eri.transport_proto);
-
-					if (bs_pp != NULL)
-					{
-						struct bare_shunt *bs = *bs_pp;
-
-						if (eri.count != bs->count)
-						{
-							bs->count = eri.count;
-							bs->last_activity = nw;
-						}
-						else if (nw - bs->last_activity > SHUNT_PATIENCE)
-						{
-							eri.next = expired;
-							expired = clone_thing(eri);
-						}
-					}
-				}
-				break;
-
-			case SPI_TRAP:
-				break;
-
-			default:
-				bad_case(ntohl(eri.said.spi));
-			}
-		}
-		else
-		{
-			/* regular (non-shunt) eroute */
-			state_eroute_usage(&eri.ours, &eri.his, eri.count, nw);
-		}
-	}   /* for each line */
-	fclose(f);
-
-	/* Now that we've finished processing the /proc file,
-	 * it is safe to delete the expired %pass shunts.
-	 */
-	while (expired != NULL)
-	{
-		struct eroute_info *p = expired;
-		ip_address src, dst;
-
-		networkof(&p->ours, &src);
-		networkof(&p->his, &dst);
-		(void) replace_bare_shunt(&src, &dst
-			, BOTTOM_PRIO       /* not used because we are deleting.  This value is a filler */
-			, SPI_PASS  /* not used because we are deleting.  This value is a filler */
-			, FALSE, p->transport_proto, "delete expired bare shunts");
-		expired = p->next;
-		free(p);
-	}
-}
-
-static bool del_spi(ipsec_spi_t spi, int proto,
-					const ip_address *src, const ip_address *dest)
-{
-	char text_said[SATOT_BUF];
-	struct kernel_sa sa;
-
-	set_text_said(text_said, dest, spi, proto);
-
-	DBG(DBG_KLIPS, DBG_log("delete %s", text_said));
-
-	memset(&sa, 0, sizeof(sa));
-	sa.spi = spi;
-	sa.proto = proto;
-	sa.src = src;
-	sa.dst = dest;
-	sa.text_said = text_said;
-
-	return kernel_ops->del_sa(&sa);
-}
-
-/* Setup a pair of SAs. Code taken from setsa.c and spigrp.c, in
- * ipsec-0.5.
- */
-
-static bool setup_half_ipsec_sa(struct state *st, bool inbound)
-{
-	/* Build an inbound or outbound SA */
-
-	connection_t *c = st->st_connection;
-	ip_subnet src, dst;
-	ip_subnet src_client, dst_client;
-	ipsec_spi_t inner_spi = 0;
-	u_int proto = 0;
-	u_int satype = SADB_SATYPE_UNSPEC;
-	bool replace;
-
-	/* SPIs, saved for spigrouping or undoing, if necessary */
-	struct kernel_sa
-		said[EM_MAXRELSPIS],
-		*said_next = said;
-
-	char text_said[SATOT_BUF];
-	int encapsulation;
-
-	replace = inbound && (kernel_ops->get_spi != NULL);
-
-	src.maskbits = 0;
-	dst.maskbits = 0;
-
-	if (inbound)
-	{
-		src.addr = c->spd.that.host_addr;
-		dst.addr = c->spd.this.host_addr;
-		src_client = c->spd.that.client;
-		dst_client = c->spd.this.client;
-	}
-	else
-	{
-		src.addr = c->spd.this.host_addr,
-		dst.addr = c->spd.that.host_addr;
-		src_client = c->spd.this.client;
-		dst_client = c->spd.that.client;
-	}
-
-	encapsulation = ENCAPSULATION_MODE_TRANSPORT;
-	if (st->st_ah.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL
-		|| st->st_esp.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL
-		|| st->st_ipcomp.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL)
-	{
-		encapsulation = ENCAPSULATION_MODE_TUNNEL;
-	}
-
-	memset(said, 0, sizeof(said));
-
-	/* If we are tunnelling, set up IP in IP pseudo SA */
-
-	if (kernel_ops->inbound_eroute)
-	{
-		inner_spi = 256;
-		proto = SA_IPIP;
-		satype = SADB_SATYPE_UNSPEC;
-	}
-	else if (encapsulation == ENCAPSULATION_MODE_TUNNEL)
-	{
-		/* XXX hack alert -- we SHOULD NOT HAVE TO HAVE A DIFFERENT SPI
-		 * XXX FOR IP-in-IP ENCAPSULATION!
-		 */
-
-		ipsec_spi_t ipip_spi;
-
-		/* Allocate an SPI for the tunnel.
-		 * Since our peer will never see this,
-		 * and it comes from its own number space,
-		 * it is purely a local implementation wart.
-		 */
-		{
-			static ipsec_spi_t last_tunnel_spi = IPSEC_DOI_SPI_OUR_MIN;
-
-			ipip_spi = htonl(++last_tunnel_spi);
-			if (inbound)
-			{
-				st->st_tunnel_in_spi = ipip_spi;
-			}
-			else
-			{
-				st->st_tunnel_out_spi = ipip_spi;
-			}
-		}
-
-		set_text_said(text_said
-			, &c->spd.that.host_addr, ipip_spi, SA_IPIP);
-
-		said_next->src = &src.addr;
-		said_next->dst = &dst.addr;
-		said_next->src_client = &src_client;
-		said_next->dst_client = &dst_client;
-		said_next->spi = ipip_spi;
-		said_next->satype = SADB_X_SATYPE_IPIP;
-		said_next->text_said = text_said;
-
-		if (!kernel_ops->add_sa(said_next, replace))
-			goto fail;
-
-		said_next++;
-
-		inner_spi = ipip_spi;
-		proto = SA_IPIP;
-		satype = SADB_X_SATYPE_IPIP;
-	}
-
-	/* set up IPCOMP SA, if any */
-
-	if (st->st_ipcomp.present)
-	{
-		ipsec_spi_t ipcomp_spi = inbound? st->st_ipcomp.our_spi : st->st_ipcomp.attrs.spi;
-		unsigned compalg;
+		ipsec_spi_t ipcomp_spi = inbound ? st->st_ipcomp.our_spi
+										 : st->st_ipcomp.attrs.spi;
 
 		switch (st->st_ipcomp.attrs.transid)
 		{
 			case IPCOMP_DEFLATE:
-				compalg = SADB_X_CALG_DEFLATE;
 				break;
 
 			default:
-				loglog(RC_LOG_SERIOUS, "IPCOMP transform %s not implemented"
-					, enum_name(&ipcomp_transformid_names, st->st_ipcomp.attrs.transid));
+				loglog(RC_LOG_SERIOUS, "IPCOMP transform %s not implemented",
+					   enum_name(&ipcomp_transformid_names,
+								 st->st_ipcomp.attrs.transid));
 				goto fail;
 		}
 
-		set_text_said(text_said, &dst.addr, ipcomp_spi, SA_COMP);
+		sa.ipcomp.cpi = htons(ntohl(ipcomp_spi));
+		sa.ipcomp.transform = st->st_ipcomp.attrs.transid;
 
-		said_next->src = &src.addr;
-		said_next->dst = &dst.addr;
-		said_next->src_client = &src_client;
-		said_next->dst_client = &dst_client;
 		said_next->spi = ipcomp_spi;
-		said_next->satype = SADB_X_SATYPE_COMP;
-		said_next->compalg = compalg;
-		said_next->encapsulation = encapsulation;
-		said_next->reqid = c->spd.reqid + 2;
-		said_next->text_said = text_said;
+		said_next->proto = IPPROTO_COMP;
 
-		if (!kernel_ops->add_sa(said_next, replace))
+		if (hydra->kernel_interface->add_sa(hydra->kernel_interface, host_src,
+						host_dst, ipcomp_spi, said_next->proto, c->spd.reqid,
+						mark, &lt_none, ENCR_UNDEFINED, chunk_empty,
+						AUTH_UNDEFINED, chunk_empty, mode,
+						st->st_ipcomp.attrs.transid, 0 /* cpi */, FALSE,
+						inbound, NULL, NULL) != SUCCESS)
 		{
 			goto fail;
 		}
 		said_next++;
-		encapsulation = ENCAPSULATION_MODE_TRANSPORT;
+		mode = MODE_TRANSPORT;
 	}
 
 	/* set up ESP SA, if any */
 
 	if (st->st_esp.present)
 	{
-		ipsec_spi_t esp_spi = inbound? st->st_esp.our_spi : st->st_esp.attrs.spi;
-		u_char *esp_dst_keymat = inbound? st->st_esp.our_keymat : st->st_esp.peer_keymat;
+		ipsec_spi_t esp_spi = inbound ? st->st_esp.our_spi
+									  : st->st_esp.attrs.spi;
+		u_char *esp_dst_keymat = inbound ? st->st_esp.our_keymat
+										 : st->st_esp.peer_keymat;
+		bool encap = st->nat_traversal & NAT_T_DETECTED;
+		encryption_algorithm_t enc_alg;
+		integrity_algorithm_t auth_alg;
 		const struct esp_info *ei;
+		chunk_t enc_key, auth_key;
 		u_int16_t key_len;
 
-		static const struct esp_info esp_info[] = {
-			{ ESP_NULL, AUTH_ALGORITHM_HMAC_MD5,
-				0, HMAC_MD5_KEY_LEN,
-				SADB_EALG_NULL, SADB_AALG_MD5HMAC },
-			{ ESP_NULL, AUTH_ALGORITHM_HMAC_SHA1,
-				0, HMAC_SHA1_KEY_LEN,
-				SADB_EALG_NULL, SADB_AALG_SHA1HMAC },
-
-			{ ESP_DES, AUTH_ALGORITHM_NONE,
-				DES_CBC_BLOCK_SIZE, 0,
-				SADB_EALG_DESCBC, SADB_AALG_NONE },
-			{ ESP_DES, AUTH_ALGORITHM_HMAC_MD5,
-				DES_CBC_BLOCK_SIZE, HMAC_MD5_KEY_LEN,
-				SADB_EALG_DESCBC, SADB_AALG_MD5HMAC },
-			{ ESP_DES, AUTH_ALGORITHM_HMAC_SHA1,
-				DES_CBC_BLOCK_SIZE,
-				HMAC_SHA1_KEY_LEN, SADB_EALG_DESCBC, SADB_AALG_SHA1HMAC },
-
-			{ ESP_3DES, AUTH_ALGORITHM_NONE,
-				DES_CBC_BLOCK_SIZE * 3, 0,
-				SADB_EALG_3DESCBC, SADB_AALG_NONE },
-			{ ESP_3DES, AUTH_ALGORITHM_HMAC_MD5,
-				DES_CBC_BLOCK_SIZE * 3, HMAC_MD5_KEY_LEN,
-				SADB_EALG_3DESCBC, SADB_AALG_MD5HMAC },
-			{ ESP_3DES, AUTH_ALGORITHM_HMAC_SHA1,
-				DES_CBC_BLOCK_SIZE * 3, HMAC_SHA1_KEY_LEN,
-				SADB_EALG_3DESCBC, SADB_AALG_SHA1HMAC },
-		};
-
-		u_int8_t natt_type = 0;
-		u_int16_t natt_sport = 0;
-		u_int16_t natt_dport = 0;
-		ip_address natt_oa;
-
-		if (st->nat_traversal & NAT_T_DETECTED)
+		if ((ei = kernel_alg_esp_info(st->st_esp.attrs.transid,
+									  st->st_esp.attrs.auth)) == NULL)
 		{
-			natt_type = (st->nat_traversal & NAT_T_WITH_PORT_FLOATING) ?
-						 ESPINUDP_WITH_NON_ESP : ESPINUDP_WITH_NON_IKE;
-			natt_sport = inbound? c->spd.that.host_port : c->spd.this.host_port;
-			natt_dport = inbound? c->spd.this.host_port : c->spd.that.host_port;
-			natt_oa = st->nat_oa;
-		}
-
-		for (ei = esp_info; ; ei++)
-		{
-			if (ei == &esp_info[countof(esp_info)])
-			{
-				/* Check for additional kernel alg */
-				if ((ei=kernel_alg_esp_info(st->st_esp.attrs.transid,
-										st->st_esp.attrs.auth))!=NULL)
-				{
-					break;
-				}
-
-				/* note: enum_show may use a static buffer, so two
-				 * calls in one printf would be a mistake.
-				 * enum_name does the same job, without a static buffer,
-				 * assuming the name will be found.
-				 */
-				loglog(RC_LOG_SERIOUS, "ESP transform %s / auth %s not implemented yet"
-					, enum_name(&esp_transform_names, st->st_esp.attrs.transid)
-					, enum_name(&auth_alg_names, st->st_esp.attrs.auth));
-				goto fail;
-			}
-
-			if (st->st_esp.attrs.transid == ei->transid &&
-				st->st_esp.attrs.auth == ei->auth)
-			{
-				break;
-			}
+			loglog(RC_LOG_SERIOUS, "ESP transform %s / auth %s"
+				   " not implemented yet",
+				   enum_name(&esp_transform_names, st->st_esp.attrs.transid),
+				   enum_name(&auth_alg_names, st->st_esp.attrs.auth));
+			goto fail;
 		}
 
-		key_len = st->st_esp.attrs.key_len/8;
+		key_len = st->st_esp.attrs.key_len / 8;
 		if (key_len)
 		{
 			/* XXX: must change to check valid _range_ key_len */
 			if (key_len > ei->enckeylen)
 			{
-				loglog(RC_LOG_SERIOUS, "ESP transform %s passed key_len=%d > %d",
+				loglog(RC_LOG_SERIOUS, "ESP transform %s: key_len=%d > %d",
 					enum_name(&esp_transform_names, st->st_esp.attrs.transid),
 					(int)key_len, (int)ei->enckeylen);
 				goto fail;
@@ -2012,290 +1268,144 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound)
 				break;
 		}
 
-		/* divide up keying material */
-		set_text_said(text_said, &dst.addr, esp_spi, SA_ESP);
-		said_next->src = &src.addr;
-		said_next->dst = &dst.addr;
-		said_next->src_client = &src_client;
-		said_next->dst_client = &dst_client;
-		said_next->spi = esp_spi;
-		said_next->satype = SADB_SATYPE_ESP;
-		said_next->replay_window = (kernel_ops->type == KERNEL_TYPE_KLIPS) ?
-									REPLAY_WINDOW : REPLAY_WINDOW_XFRM;
-		said_next->authalg = ei->authalg;
-		said_next->authkeylen = ei->authkeylen;
-		said_next->authkey = esp_dst_keymat + key_len;
-		said_next->encalg = ei->encryptalg;
-		said_next->enckeylen = key_len;
-		said_next->enckey = esp_dst_keymat;
-		said_next->encapsulation = encapsulation;
-		said_next->reqid = c->spd.reqid + 1;
-		said_next->natt_sport = natt_sport;
-		said_next->natt_dport = natt_dport;
-		said_next->transid = st->st_esp.attrs.transid;
-		said_next->natt_type = natt_type;
-		said_next->natt_oa = &natt_oa;
-		said_next->text_said = text_said;
-
-		if (!kernel_ops->add_sa(said_next, replace))
+		if (encap)
 		{
-			goto fail;
+			host_src->set_port(host_src, src->host_port);
+			host_dst->set_port(host_dst, dst->host_port);
+			// st->nat_oa is currently unused
 		}
-		said_next++;
-		encapsulation = ENCAPSULATION_MODE_TRANSPORT;
-	}
-
-	/* set up AH SA, if any */
 
-	if (st->st_ah.present)
-	{
-		ipsec_spi_t ah_spi = inbound? st->st_ah.our_spi : st->st_ah.attrs.spi;
-		u_char *ah_dst_keymat = inbound? st->st_ah.our_keymat : st->st_ah.peer_keymat;
+		/* divide up keying material */
+		enc_alg = encryption_algorithm_from_esp(st->st_esp.attrs.transid);
+		enc_key.ptr = esp_dst_keymat;
+		enc_key.len = key_len;
+		auth_alg = integrity_algorithm_from_esp(st->st_esp.attrs.auth);
+		auth_alg = auth_alg ? : AUTH_UNDEFINED;
+		auth_key.ptr = esp_dst_keymat + key_len;
+		auth_key.len = ei->authkeylen;
 
-		unsigned char authalg;
+		sa.esp.use = TRUE;
+		sa.esp.spi = esp_spi;
 
-		switch (st->st_ah.attrs.auth)
-		{
-			case AUTH_ALGORITHM_HMAC_MD5:
-				authalg = SADB_AALG_MD5HMAC;
-				break;
-			case AUTH_ALGORITHM_HMAC_SHA1:
-				authalg = SADB_AALG_SHA1HMAC;
-				break;
-			default:
-				loglog(RC_LOG_SERIOUS, "%s not implemented yet",
-					   enum_show(&auth_alg_names, st->st_ah.attrs.auth));
-			goto fail;
-		}
+		said_next->spi = esp_spi;
+		said_next->proto = IPPROTO_ESP;
 
-		set_text_said(text_said, &dst.addr, ah_spi, SA_AH);
-		said_next->src = &src.addr;
-		said_next->dst = &dst.addr;
-		said_next->src_client = &src_client;
-		said_next->dst_client = &dst_client;
-		said_next->spi = ah_spi;
-		said_next->satype = SADB_SATYPE_AH;
-		said_next->replay_window = (kernel_ops->type == KERNEL_TYPE_KLIPS) ?
-									REPLAY_WINDOW : REPLAY_WINDOW_XFRM;
-		said_next->authalg = authalg;
-		said_next->authkeylen = st->st_ah.keymat_len;
-		said_next->authkey = ah_dst_keymat;
-		said_next->encapsulation = encapsulation;
-		said_next->reqid = c->spd.reqid;
-		said_next->text_said = text_said;
-
-		if (!kernel_ops->add_sa(said_next, replace))
+		if (hydra->kernel_interface->add_sa(hydra->kernel_interface, host_src,
+						host_dst, esp_spi, said_next->proto, c->spd.reqid,
+						mark, &lt_none, enc_alg, enc_key,
+						auth_alg, auth_key, mode, IPCOMP_NONE, 0 /* cpi */,
+						encap, inbound, NULL, NULL) != SUCCESS)
 		{
 			goto fail;
 		}
 		said_next++;
-		encapsulation = ENCAPSULATION_MODE_TRANSPORT;
+		mode = MODE_TRANSPORT;
 	}
 
-	if (st->st_ah.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL
-	|| st->st_esp.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL
-	|| st->st_ipcomp.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL)
-	{
-		encapsulation = ENCAPSULATION_MODE_TUNNEL;
-	}
+	/* set up AH SA, if any */
 
-	if (kernel_ops->inbound_eroute ? c->spd.eroute_owner == SOS_NOBODY
-		: encapsulation == ENCAPSULATION_MODE_TUNNEL)
+	if (st->st_ah.present)
 	{
-		/* If inbound, and policy does not specifie DISABLEARRIVALCHECK,
-		 * tell KLIPS to enforce the IP addresses appropriate for this tunnel.
-		 * Note reversed ends.
-		 * Not much to be done on failure.
-		 */
-		if (inbound && (c->policy & POLICY_DISABLEARRIVALCHECK) == 0)
-		{
-			struct pfkey_proto_info proto_info[4];
-			int i = 0;
+		ipsec_spi_t ah_spi = inbound ? st->st_ah.our_spi
+									 : st->st_ah.attrs.spi;
+		u_char *ah_dst_keymat = inbound ? st->st_ah.our_keymat
+										: st->st_ah.peer_keymat;
+		integrity_algorithm_t auth_alg;
+		chunk_t auth_key;
 
-			if (st->st_ipcomp.present)
-			{
-				proto_info[i].proto = IPPROTO_COMP;
-				proto_info[i].encapsulation = st->st_ipcomp.attrs.encapsulation;
-				proto_info[i].reqid = c->spd.reqid + 2;
-				i++;
-			}
+		auth_alg = integrity_algorithm_from_esp(st->st_ah.attrs.auth);
+		auth_key.ptr = ah_dst_keymat;
+		auth_key.len = st->st_ah.keymat_len;
 
-			if (st->st_esp.present)
-			{
-				proto_info[i].proto = IPPROTO_ESP;
-				proto_info[i].encapsulation = st->st_esp.attrs.encapsulation;
-				proto_info[i].reqid = c->spd.reqid + 1;
-				i++;
-			}
-
-			if (st->st_ah.present)
-			{
-				proto_info[i].proto = IPPROTO_AH;
-				proto_info[i].encapsulation = st->st_ah.attrs.encapsulation;
-				proto_info[i].reqid = c->spd.reqid;
-				i++;
-			}
-
-			proto_info[i].proto = 0;
+		sa.ah.use = TRUE;
+		sa.ah.spi = ah_spi;
 
-			if (kernel_ops->inbound_eroute
-				&& encapsulation == ENCAPSULATION_MODE_TUNNEL)
-			{
-				proto_info[0].encapsulation = ENCAPSULATION_MODE_TUNNEL;
-				for (i = 1; proto_info[i].proto; i++)
-				{
-					proto_info[i].encapsulation = ENCAPSULATION_MODE_TRANSPORT;
-				}
-			}
-
-			/* MCR - should be passed a spd_eroute structure here */
-			(void) raw_eroute(&c->spd.that.host_addr, &c->spd.that.client
-							  , &c->spd.this.host_addr, &c->spd.this.client
-							  , inner_spi, proto, satype, c->spd.this.protocol
-							  , proto_info, 0
-							  , ERO_ADD_INBOUND, "add inbound");
-		}
-	}
-
-	/* If there are multiple SPIs, group them. */
-
-	if (kernel_ops->grp_sa && said_next > &said[1])
-	{
-		struct kernel_sa *s;
+		said_next->spi = ah_spi;
+		said_next->proto = IPPROTO_AH;
 
-		/* group SAs, two at a time, inner to outer (backwards in said[])
-		 * The grouping is by pairs.  So if said[] contains ah esp ipip,
-		 * the grouping would be ipip:esp, esp:ah.
-		 */
-		for (s = said; s < said_next-1; s++)
+		if (hydra->kernel_interface->add_sa(hydra->kernel_interface, host_src,
+						host_dst, ah_spi, said_next->proto, c->spd.reqid,
+						mark, &lt_none, ENCR_UNDEFINED, chunk_empty,
+						auth_alg, auth_key, mode, IPCOMP_NONE, 0 /* cpi */,
+						FALSE, inbound, NULL, NULL) != SUCCESS)
 		{
-			char
-				text_said0[SATOT_BUF],
-				text_said1[SATOT_BUF];
-
-			/* group s[1] and s[0], in that order */
-
-			set_text_said(text_said0, s[0].dst, s[0].spi, s[0].proto);
-			set_text_said(text_said1, s[1].dst, s[1].spi, s[1].proto);
-
-			DBG(DBG_KLIPS, DBG_log("grouping %s and %s", text_said1, text_said0));
-
-			s[0].text_said = text_said0;
-			s[1].text_said = text_said1;
-
-			if (!kernel_ops->grp_sa(s + 1, s))
-			{
-				goto fail;
-			}
+			goto fail;
 		}
-		/* could update said, but it will not be used */
+		said_next++;
+		mode = MODE_TRANSPORT;
 	}
 
-	return TRUE;
+	goto cleanup;
 
 fail:
+	/* undo the done SPIs */
+	while (said_next-- != said)
 	{
-		/* undo the done SPIs */
-		while (said_next-- != said)
-		{
-			(void) del_spi(said_next->spi, said_next->proto, &src.addr,
-						   said_next->dst);
-		}
-		return FALSE;
+		hydra->kernel_interface->del_sa(hydra->kernel_interface, host_src,
+										host_dst, said_next->spi,
+										said_next->proto, 0 /* cpi */,
+										mark);
 	}
-}
+	ok = FALSE;
 
-/* teardown_ipsec_sa is a canibalized version of setup_ipsec_sa */
+cleanup:
+	host_src->destroy(host_src);
+	host_dst->destroy(host_dst);
+	return ok;
+}
 
 static bool teardown_half_ipsec_sa(struct state *st, bool inbound)
 {
-	/* We need to delete AH, ESP, and IP in IP SPIs.
-	 * But if there is more than one, they have been grouped
-	 * so deleting any one will do.  So we just delete the
-	 * first one found.  It may or may not be the only one.
-	 */
 	connection_t *c = st->st_connection;
-	struct {
-		unsigned proto;
-		struct ipsec_proto_info *info;
-	} protos[4];
-	int i;
-	bool result;
+	const struct end *src, *dst;
+	host_t *host_src, *host_dst;
+	ipsec_spi_t spi;
+	mark_t mark;
+	bool result = TRUE;
 
-	i = 0;
-	if (kernel_ops->inbound_eroute && inbound
-		&& c->spd.eroute_owner == SOS_NOBODY)
+	if (inbound)
 	{
-		(void) raw_eroute(&c->spd.that.host_addr, &c->spd.that.client
-			, &c->spd.this.host_addr, &c->spd.this.client
-			, 256, IPSEC_PROTO_ANY, SADB_SATYPE_UNSPEC, c->spd.this.protocol
-			, null_proto_info, 0
-			, ERO_DEL_INBOUND, "delete inbound");
+		src = &c->spd.that;
+		dst = &c->spd.this;
+		mark = c->spd.mark_in;
 	}
-
-	if (!kernel_ops->grp_sa)
+	else
 	{
-		if (st->st_ah.present)
-		{
-			protos[i].info = &st->st_ah;
-			protos[i].proto = SA_AH;
-			i++;
-		}
+		src = &c->spd.this;
+		dst = &c->spd.that;
+		mark = c->spd.mark_out;
+	}
 
-		if (st->st_esp.present)
-		{
-			protos[i].info = &st->st_esp;
-			protos[i].proto = SA_ESP;
-			i++;
-		}
+	host_src = host_create_from_sockaddr((sockaddr_t*)&src->host_addr);
+	host_dst = host_create_from_sockaddr((sockaddr_t*)&dst->host_addr);
 
-		if (st->st_ipcomp.present)
-		{
-			protos[i].info = &st->st_ipcomp;
-			protos[i].proto = SA_COMP;
-			i++;
-		}
-	}
-	else if (st->st_ah.present)
+	if (st->st_ah.present)
 	{
-		protos[i].info = &st->st_ah;
-		protos[i].proto = SA_AH;
-		i++;
+		spi = inbound ? st->st_ah.our_spi : st->st_ah.attrs.spi;
+		result &= hydra->kernel_interface->del_sa(hydra->kernel_interface,
+								host_src, host_dst, spi, IPPROTO_AH,
+								0 /* cpi */, mark) == SUCCESS;
 	}
-	else if (st->st_esp.present)
+
+	if (st->st_esp.present)
 	{
-		protos[i].info = &st->st_esp;
-		protos[i].proto = SA_ESP;
-		i++;
+		spi = inbound ? st->st_esp.our_spi : st->st_esp.attrs.spi;
+		result &= hydra->kernel_interface->del_sa(hydra->kernel_interface,
+								host_src, host_dst, spi, IPPROTO_ESP,
+								0 /* cpi */, mark) == SUCCESS;
 	}
-	else
+
+	if (st->st_ipcomp.present)
 	{
-		impossible();   /* neither AH nor ESP in outbound SA bundle! */
+		spi = inbound ? st->st_ipcomp.our_spi : st->st_ipcomp.attrs.spi;
+		result &= hydra->kernel_interface->del_sa(hydra->kernel_interface,
+								host_src, host_dst, spi, IPPROTO_COMP,
+								0 /* cpi */, mark) == SUCCESS;
 	}
-	protos[i].proto = 0;
 
-	result = TRUE;
-	for (i = 0; protos[i].proto; i++)
-	{
-		unsigned proto = protos[i].proto;
-		ipsec_spi_t spi;
-		const ip_address *src, *dst;
+	host_src->destroy(host_src);
+	host_dst->destroy(host_dst);
 
-		if (inbound)
-		{
-			spi = protos[i].info->our_spi;
-			src = &c->spd.that.host_addr;
-			dst = &c->spd.this.host_addr;
-		}
-		else
-		{
-			spi = protos[i].info->attrs.spi;
-			src = &c->spd.this.host_addr;
-			dst = &c->spd.that.host_addr;
-		}
-
-		result &= del_spi(spi, proto, src, dst);
-	}
 	return result;
 }
 
@@ -2304,126 +1414,198 @@ static bool teardown_half_ipsec_sa(struct state *st, bool inbound)
  */
 bool get_sa_info(struct state *st, bool inbound, u_int *bytes, time_t *use_time)
 {
-	char text_said[SATOT_BUF];
-	struct kernel_sa sa;
 	connection_t *c = st->st_connection;
+	traffic_selector_t *ts_src = NULL, *ts_dst = NULL;
+	host_t *host_src = NULL, *host_dst = NULL;
+	const struct end *src, *dst;
+	ipsec_spi_t spi;
+	mark_t mark;
+	u_int64_t bytes_kernel = 0;
+	bool result = FALSE;
 
 	*use_time = UNDEFINED_TIME;
 
-	if (kernel_ops->get_sa == NULL || !st->st_esp.present)
+	if (!st->st_esp.present)
 	{
-		return FALSE;
+		goto failed;
 	}
-	memset(&sa, 0, sizeof(sa));
-	sa.proto = SA_ESP;
 
 	if (inbound)
 	{
-		sa.src = &c->spd.that.host_addr;
-		sa.dst = &c->spd.this.host_addr;
-		sa.spi = st->st_esp.our_spi;
+		src = &c->spd.that;
+		dst = &c->spd.this;
+		mark = c->spd.mark_in;
+		spi = st->st_esp.our_spi;
 	}
 	else
 	{
-		sa.src = &c->spd.this.host_addr;
-		sa.dst = &c->spd.that.host_addr;
-		sa.spi = st->st_esp.attrs.spi;
+		src = &c->spd.this;
+		dst = &c->spd.that;
+		mark = c->spd.mark_out;
+		spi = st->st_esp.attrs.spi;
 	}
-	set_text_said(text_said, sa.dst, sa.spi, sa.proto);
 
-	sa.text_said = text_said;
+	host_src = host_create_from_sockaddr((sockaddr_t*)&src->host_addr);
+	host_dst = host_create_from_sockaddr((sockaddr_t*)&dst->host_addr);
 
-	DBG(DBG_KLIPS,
-		DBG_log("get %s", text_said)
-	)
-	if (!kernel_ops->get_sa(&sa, bytes))
+	switch(hydra->kernel_interface->query_sa(hydra->kernel_interface, host_src,
+											 host_dst, spi, IPPROTO_ESP,
+											 mark, &bytes_kernel))
 	{
-		return FALSE;
+		case FAILED:
+			goto failed;
+		case SUCCESS:
+			*bytes = bytes_kernel;
+			break;
+		case NOT_SUPPORTED:
+		default:
+			break;
 	}
-	DBG(DBG_KLIPS,
-		DBG_log("  current: %d bytes", *bytes)
-	)
 
 	if (st->st_serialno == c->spd.eroute_owner)
 	{
-		DBG(DBG_KLIPS,
-			DBG_log("get %sbound policy with reqid %u"
-				, inbound? "in":"out", (u_int)c->spd.reqid + 1)
-		)
-		sa.transport_proto = c->spd.this.protocol;
-		sa.encapsulation = st->st_esp.attrs.encapsulation;
+		u_int32_t time_kernel;
 
-		if (inbound)
-		{
-			sa.src_client = &c->spd.that.client;
-			sa.dst_client = &c->spd.this.client;
-		}
-		else
+		ts_src = traffic_selector_from_subnet(&src->client, src->protocol);
+		ts_dst = traffic_selector_from_subnet(&dst->client, dst->protocol);
+
+		if (hydra->kernel_interface->query_policy(hydra->kernel_interface,
+							ts_src, ts_dst, inbound ? POLICY_IN : POLICY_OUT,
+							mark, &time_kernel) != SUCCESS)
 		{
-			sa.src_client = &c->spd.this.client;
-			sa.dst_client = &c->spd.that.client;
+			goto failed;
 		}
-		if (!kernel_ops->get_policy(&sa, inbound, use_time))
+		*use_time = time_kernel;
+
+		if (inbound &&
+			st->st_esp.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL)
 		{
-			return FALSE;
+			if (hydra->kernel_interface->query_policy(hydra->kernel_interface,
+							ts_src, ts_dst, POLICY_FWD, mark,
+							&time_kernel) != SUCCESS)
+			{
+				goto failed;
+			}
+			*use_time = max(*use_time, time_kernel);
 		}
-		DBG(DBG_KLIPS,
-			DBG_log("  use_time: %T", use_time, FALSE)
-		)
 	}
-	return TRUE;
+
+	result = TRUE;
+
+failed:
+	DESTROY_IF(host_src);
+	DESTROY_IF(host_dst);
+	DESTROY_IF(ts_src);
+	DESTROY_IF(ts_dst);
+	return result;
 }
 
-const struct kernel_ops *kernel_ops;
+/**
+ * Handler for kernel events (called by thread-pool thread)
+ */
+kernel_listener_t *kernel_handler;
 
-#endif /* KLIPS */
+/**
+ * Data for acquire events
+ */
+typedef struct {
+	/** Subnets */
+	ip_subnet src, dst;
+	/** Transport protocol */
+	int proto;
+} acquire_data_t;
 
-void init_kernel(void)
+/**
+ * Callback for acquire events (called by main thread)
+ */
+void handle_acquire(acquire_data_t *this)
 {
-#ifdef KLIPS
+	record_and_initiate_opportunistic(&this->src, &this->dst, this->proto,
+									  "%acquire");
+}
 
-	if (no_klips)
+METHOD(kernel_listener_t, acquire, bool,
+	   kernel_listener_t *this, u_int32_t reqid,
+	   traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
+{
+	if (src_ts && dst_ts)
 	{
-		kernel_ops = &noklips_kernel_ops;
-		return;
+		acquire_data_t *data;
+		DBG(DBG_CONTROL,
+			DBG_log("creating acquire event for policy %R === %R "
+					"with reqid {%u}", src_ts, dst_ts, reqid));
+		INIT(data,
+			.src = subnet_from_traffic_selector(src_ts),
+			.dst = subnet_from_traffic_selector(dst_ts),
+			.proto = src_ts->get_protocol(src_ts),
+		);
+		pluto->events->queue(pluto->events, (void*)handle_acquire, data, free);
 	}
+	else
+	{
+		DBG(DBG_CONTROL,
+			DBG_log("ignoring acquire without traffic selectors for policy "
+					"with reqid {%u}", reqid));
+	}
+	DESTROY_IF(src_ts);
+	DESTROY_IF(dst_ts);
+	return TRUE;
+}
 
-	init_pfkey();
-
-	kernel_ops = &klips_kernel_ops;
+/**
+ * Data for mapping events
+ */
+typedef struct {
+	/** reqid, spi of affected SA */
+	u_int32_t reqid, spi;
+	/** new endpont */
+	ip_address new_end;
+} mapping_data_t;
 
-#if defined(linux) && defined(KERNEL26_SUPPORT)
-	{
-		bool linux_ipsec = 0;
-		struct stat buf;
+/**
+ * Callback for mapping events (called by main thread)
+ */
+void handle_mapping(mapping_data_t *this)
+{
+	process_nat_t_new_mapping(this->reqid, this->spi, &this->new_end);
+}
 
-		linux_ipsec = (stat("/proc/net/pfkey", &buf) == 0);
-		if (linux_ipsec)
-			{
-				plog("Using Linux 2.6 IPsec interface code");
-				kernel_ops = &linux_kernel_ops;
-			}
-		else
-			{
-				plog("Using KLIPS IPsec interface code");
-			}
-	}
-#endif
 
-	if (kernel_ops->init)
-	{
-		kernel_ops->init();
-	}
+METHOD(kernel_listener_t, mapping, bool,
+	   kernel_listener_t *this, u_int32_t reqid, u_int32_t spi, host_t *remote)
+{
+	mapping_data_t *data;
+	DBG(DBG_CONTROL,
+		DBG_log("creating mapping event for SA with SPI %.8x and reqid {%u}",
+				spi, reqid));
+	INIT(data,
+		.reqid = reqid,
+		.spi = spi,
+		.new_end = *(ip_address*)remote->get_sockaddr(remote),
+	);
+	pluto->events->queue(pluto->events, (void*)handle_mapping, data, free);
+	return TRUE;
+}
 
+void init_kernel(void)
+{
 	/* register SA types that we can negotiate */
-	can_do_IPcomp = FALSE;  /* until we get a response from KLIPS */
-	kernel_ops->pfkey_register();
+	can_do_IPcomp = FALSE;  /* until we get a response from the kernel */
+	pfkey_register();
+
+	INIT(kernel_handler,
+		.acquire = _acquire,
+		.mapping = _mapping,
+	);
+	hydra->kernel_interface->add_listener(hydra->kernel_interface,
+										  kernel_handler);
+}
 
-	if (!kernel_ops->policy_lifetime)
-	{
-		event_schedule(EVENT_SHUNT_SCAN, SHUNT_SCAN_INTERVAL, NULL);
-	}
-#endif
+void kernel_finalize()
+{
+	hydra->kernel_interface->remove_listener(hydra->kernel_interface,
+											 kernel_handler);
+	free(kernel_handler);
 }
 
 /* Note: install_inbound_ipsec_sa is only used by the Responder.
@@ -2482,13 +1664,8 @@ bool install_inbound_ipsec_sa(struct state *st)
 			return FALSE;
 	}
 
-#ifdef KLIPS
 	/* (attempt to) actually set up the SAs */
 	return setup_half_ipsec_sa(st, TRUE);
-#else /* !KLIPS */
-	DBG(DBG_CONTROL, DBG_log("install_inbound_ipsec_sa()"));
-	return TRUE;
-#endif /* !KLIPS */
 }
 
 /* Install a route and then a prospective shunt eroute or an SA group eroute.
@@ -2496,11 +1673,8 @@ bool install_inbound_ipsec_sa(struct state *st)
  * Any SA Group must have already been created.
  * On failure, steps will be unwound.
  */
-bool route_and_eroute(connection_t *c USED_BY_KLIPS,
-					  struct spd_route *sr USED_BY_KLIPS,
-					  struct state *st USED_BY_KLIPS)
+bool route_and_eroute(connection_t *c, struct spd_route *sr, struct state *st)
 {
-#ifdef KLIPS
 	struct spd_route *esr;
 	struct spd_route *rosr;
 	connection_t *ero      /* who, if anyone, owns our eroute? */
@@ -2510,7 +1684,6 @@ bool route_and_eroute(connection_t *c USED_BY_KLIPS,
 		, route_installed = FALSE;
 
 	connection_t *ero_top;
-	struct bare_shunt **bspp;
 
 	DBG(DBG_CONTROLMORE,
 		DBG_log("route_and_eroute with c: %s (next: %s) ero:%s esr:{%p} ro:%s rosr:{%p} and state: %lu"
@@ -2537,15 +1710,9 @@ bool route_and_eroute(connection_t *c USED_BY_KLIPS,
 			break;
 #endif
 
-	bspp = (ero == NULL)
-		? bare_shunt_ptr(&sr->this.client, &sr->that.client, sr->this.protocol)
-		: NULL;
-
 	/* install the eroute */
 
-	passert(bspp == NULL || ero == NULL);       /* only one non-NULL */
-
-	if (bspp != NULL || ero != NULL)
+	if (ero != NULL)
 	{
 		/* We're replacing an eroute */
 
@@ -2571,7 +1738,6 @@ bool route_and_eroute(connection_t *c USED_BY_KLIPS,
 				&& samesubnet(&esr->that.client, &sr->that.client));
 		}
 #endif
-		/* remember to free bspp iff we make it out of here alive */
 	}
 	else
 	{
@@ -2601,7 +1767,7 @@ bool route_and_eroute(connection_t *c USED_BY_KLIPS,
 		 */
 		firewall_notified = st == NULL  /* not a tunnel eroute */
 			|| sr->eroute_owner != SOS_NOBODY   /* already notified */
-			|| do_command(c, sr, "up"); /* go ahead and notify */
+			|| do_command(c, sr, st, "up"); /* go ahead and notify */
 	}
 
 	/* install the route */
@@ -2616,8 +1782,8 @@ bool route_and_eroute(connection_t *c USED_BY_KLIPS,
 	else if (ro == NULL)
 	{
 		/* a new route: no deletion required, but preparation is */
-		(void) do_command(c, sr, "prepare");    /* just in case; ignore failure */
-		route_installed = do_command(c, sr, "route");
+		(void) do_command(c, sr, st, "prepare");    /* just in case; ignore failure */
+		route_installed = do_command(c, sr, st, "route");
 	}
 	else if (routed(sr->routing) || routes_agree(ro, c))
 	{
@@ -2636,13 +1802,13 @@ bool route_and_eroute(connection_t *c USED_BY_KLIPS,
 		 */
 		if (sameaddr(&sr->this.host_nexthop, &esr->this.host_nexthop))
 		{
-			(void) do_command(ro, sr, "unroute");
-			route_installed = do_command(c, sr, "route");
+			(void) do_command(ro, sr, st, "unroute");
+			route_installed = do_command(c, sr, st, "route");
 		}
 		else
 		{
-			route_installed = do_command(c, sr, "route");
-			(void) do_command(ro, sr, "unroute");
+			route_installed = do_command(c, sr, st, "route");
+			(void) do_command(ro, sr, st, "unroute");
 		}
 
 		/* record unrouting */
@@ -2663,11 +1829,7 @@ bool route_and_eroute(connection_t *c USED_BY_KLIPS,
 	{
 		/* Success! */
 
-		if (bspp != NULL)
-		{
-			free_bare_shunt(bspp);
-		}
-		else if (ero != NULL && ero != c)
+		if (ero != NULL && ero != c)
 		{
 			/* check if ero is an ancestor of c. */
 			connection_t *ero2;
@@ -2713,7 +1875,7 @@ bool route_and_eroute(connection_t *c USED_BY_KLIPS,
 	{
 		/* Failure!  Unwind our work. */
 		if (firewall_notified && sr->eroute_owner == SOS_NOBODY)
-			(void) do_command(c, sr, "down");
+			(void) do_command(c, sr, st, "down");
 
 		if (eroute_installed)
 		{
@@ -2721,28 +1883,7 @@ bool route_and_eroute(connection_t *c USED_BY_KLIPS,
 			 * Since there is nothing much to be done if the restoration
 			 * fails, ignore success or failure.
 			 */
-			if (bspp != NULL)
-			{
-				/* Restore old bare_shunt.
-				 * I don't think that this case is very likely.
-				 * Normally a bare shunt would have been assigned
-				 * to a connection before we've gotten this far.
-				 */
-				struct bare_shunt *bs = *bspp;
-
-				(void) raw_eroute(&bs->said.dst /* should be useless */
-					, &bs->ours
-					, &bs->said.dst     /* should be useless */
-					, &bs->his
-					, bs->said.spi      /* network order */
-					, SA_INT
-					, SADB_X_SATYPE_INT
-					, 0
-					, null_proto_info
-					, SHUNT_PATIENCE
-					, ERO_REPLACE, "restore");
-			}
-			else if (ero != NULL)
+			if (ero != NULL)
 			{
 				/* restore ero's former glory */
 				if (esr->eroute_owner == SOS_NOBODY)
@@ -2781,14 +1922,10 @@ bool route_and_eroute(connection_t *c USED_BY_KLIPS,
 
 		return FALSE;
 	}
-#else /* !KLIPS */
-	return TRUE;
-#endif /* !KLIPS */
 }
 
-bool install_ipsec_sa(struct state *st, bool inbound_also USED_BY_KLIPS)
+bool install_ipsec_sa(struct state *st, bool inbound_also)
 {
-#ifdef KLIPS
 	struct spd_route *sr;
 
 	DBG(DBG_CONTROL, DBG_log("install_ipsec_sa() for #%ld: %s"
@@ -2838,21 +1975,6 @@ bool install_ipsec_sa(struct state *st, bool inbound_also USED_BY_KLIPS)
 			}
 		}
 	}
-#else /* !KLIPS */
-	DBG(DBG_CONTROL, DBG_log("install_ipsec_sa() %s"
-		, inbound_also? "inbound and oubound" : "outbound only"));
-
-	switch (could_route(st->st_connection))
-	{
-		case route_easy:
-		case route_nearconflict:
-			break;
-		default:
-			return FALSE;
-	}
-
-
-#endif /* !KLIPS */
 
 	return TRUE;
 }
@@ -2861,10 +1983,8 @@ bool install_ipsec_sa(struct state *st, bool inbound_also USED_BY_KLIPS)
  * we may not succeed, but we bull ahead anyway because
  * we cannot do anything better by recognizing failure
  */
-void delete_ipsec_sa(struct state *st USED_BY_KLIPS,
-					 bool inbound_only USED_BY_KLIPS)
+void delete_ipsec_sa(struct state *st, bool inbound_only)
 {
-#ifdef KLIPS
 	if (!inbound_only)
 	{
 		/* If the state is the eroute owner, we must adjust
@@ -2890,7 +2010,7 @@ void delete_ipsec_sa(struct state *st USED_BY_KLIPS,
 				sr->routing = (c->policy & POLICY_FAIL_MASK) == POLICY_FAIL_NONE
 					? RT_ROUTED_PROSPECTIVE : RT_ROUTED_FAILURE;
 
-				(void) do_command(c, sr, "down");
+				(void) do_command(c, sr, st, "down");
 				if ((c->policy & POLICY_DONT_REKEY)	&& c->kind == CK_INSTANCE)
 				{
 					/* in this special case, even if the connection
@@ -2911,46 +2031,41 @@ void delete_ipsec_sa(struct state *st USED_BY_KLIPS,
 		(void) teardown_half_ipsec_sa(st, FALSE);
 	}
 	(void) teardown_half_ipsec_sa(st, TRUE);
-#else /* !KLIPS */
-	DBG(DBG_CONTROL, DBG_log("if I knew how, I'd eroute() and teardown_ipsec_sa()"));
-#endif /* !KLIPS */
 }
 
-#ifdef KLIPS
 static bool update_nat_t_ipsec_esp_sa (struct state *st, bool inbound)
 {
 	connection_t *c = st->st_connection;
-	char text_said[SATOT_BUF];
-	struct kernel_sa sa;
-	ip_address
-		src = inbound? c->spd.that.host_addr : c->spd.this.host_addr,
-		dst = inbound? c->spd.this.host_addr : c->spd.that.host_addr;
-
-	ipsec_spi_t esp_spi = inbound? st->st_esp.our_spi : st->st_esp.attrs.spi;
-
-	u_int16_t
-		natt_sport = inbound? c->spd.that.host_port : c->spd.this.host_port,
-		natt_dport = inbound? c->spd.this.host_port : c->spd.that.host_port;
-
-	set_text_said(text_said, &dst, esp_spi, SA_ESP);
-
-	memset(&sa, 0, sizeof(sa));
-	sa.spi = esp_spi;
-	sa.src = &src;
-	sa.dst = &dst;
-	sa.text_said = text_said;
-	sa.authalg = alg_info_esp_aa2sadb(st->st_esp.attrs.auth);
-	sa.natt_sport = natt_sport;
-	sa.natt_dport = natt_dport;
-	sa.transid = st->st_esp.attrs.transid;
-
-	return kernel_ops->add_sa(&sa, TRUE);
+	host_t *host_src, *host_dst, *new_src, *new_dst;
+	ipsec_spi_t spi = inbound ? st->st_esp.our_spi : st->st_esp.attrs.spi;
+	struct end *src = inbound ? &c->spd.that : &c->spd.this,
+			   *dst = inbound ? &c->spd.this : &c->spd.that;
+	mark_t mark = inbound ? c->spd.mark_in : c->spd.mark_out;
+	bool result;
+
+	host_src = host_create_from_sockaddr((sockaddr_t*)&src->host_addr);
+	host_dst = host_create_from_sockaddr((sockaddr_t*)&dst->host_addr);
+
+	new_src = host_src->clone(host_src);
+	new_dst = host_dst->clone(host_dst);
+	new_src->set_port(new_src, src->host_port);
+	new_dst->set_port(new_dst, dst->host_port);
+
+	result = hydra->kernel_interface->update_sa(hydra->kernel_interface,
+					spi, IPPROTO_ESP, 0 /* cpi */, host_src, host_dst,
+					new_src, new_dst, TRUE /* encap */, TRUE /* new_encap */,
+					mark) == SUCCESS;
+
+	host_src->destroy(host_src);
+	host_dst->destroy(host_dst);
+	new_src->destroy(new_src);
+	new_dst->destroy(new_dst);
+
+	return result;
 }
-#endif
 
-bool update_ipsec_sa (struct state *st USED_BY_KLIPS)
+bool update_ipsec_sa (struct state *st)
 {
-#ifdef KLIPS
 	if (IS_IPSEC_SA_ESTABLISHED(st->st_state))
 	{
 		if (st->st_esp.present && (
@@ -2973,10 +2088,6 @@ bool update_ipsec_sa (struct state *st USED_BY_KLIPS)
 		return FALSE;
 	}
 	return TRUE;
-#else /* !KLIPS */
-	DBG(DBG_CONTROL, DBG_log("if I knew how, I'd update_ipsec_sa()"));
-	return TRUE;
-#endif /* !KLIPS */
 }
 
 /* Check if there was traffic on given SA during the last idle_max
@@ -2986,102 +2097,17 @@ bool update_ipsec_sa (struct state *st USED_BY_KLIPS)
  */
 bool was_eroute_idle(struct state *st, time_t idle_max, time_t *idle_time)
 {
-	static const char procname[] = "/proc/net/ipsec_spi";
-	FILE *f;
-	char buf[1024];
+	time_t use_time;
 	u_int bytes;
 	int ret = TRUE;
 
 	passert(st != NULL);
 
-	f = fopen(procname, "r");
-	if (f == NULL)
+	if (get_sa_info(st, TRUE, &bytes, &use_time) && use_time != UNDEFINED_TIME)
 	{
-		/* Can't open the file, perhaps were are on 26sec? */
-		time_t use_time;
-
-		if (get_sa_info(st, TRUE, &bytes, &use_time) && use_time != UNDEFINED_TIME)
-		{
-			*idle_time = time(NULL) - use_time;
-			ret = *idle_time >= idle_max;
-		}
+		*idle_time = time_monotonic(NULL) - use_time;
+		ret = *idle_time >= idle_max;
 	}
-	else
-	{
-		while (f != NULL)
-		{
-			char *line;
-			char text_said[SATOT_BUF];
-			u_int8_t proto = 0;
-			ip_address dst;
-			ip_said said;
-			ipsec_spi_t spi = 0;
-			static const char idle[] = "idle=";
-
-			dst = st->st_connection->spd.this.host_addr; /* inbound SA */
-			if (st->st_ah.present)
-			{
-				proto = SA_AH;
-				spi = st->st_ah.our_spi;
-			}
-			if (st->st_esp.present)
-			{
-				proto = SA_ESP;
-				spi = st->st_esp.our_spi;
-			}
 
-			if (proto == 0 && spi == 0)
-			{
-				ret = TRUE;
-				break;
-			}
-
-			initsaid(&dst, spi, proto, &said);
-			satot(&said, 'x', text_said, SATOT_BUF);
-
-			line = fgets(buf, sizeof(buf), f);
-			if (line == NULL)
-			{
-				/* Reached end of list */
-				ret = TRUE;
-				break;
-			}
-
-			if (strneq(line, text_said, strlen(text_said)))
-			{
-				/* we found a match, now try to find idle= */
-				char *p = strstr(line, idle);
-
-				if (p == NULL)
-				{
-					/* SAs which haven't been used yet don't have it */
-					ret = TRUE; /* it didn't have traffic */
-					break;
-				}
-				p += sizeof(idle)-1;
-				if (*p == '\0')
-				{
-					ret = TRUE; /* be paranoid */
-					break;
-				}
-				if (sscanf(p, "%d", (int *) idle_time) <= 0)
-				{
-					ret = TRUE;
-					break;
-				}
-				if (*idle_time >= idle_max)
-				{
-					ret = TRUE;
-					break;
-				}
-				else
-				{
-					ret = FALSE;
-					break;
-				}
-			}
-		}
-		fclose(f);
-	}
 	return ret;
 }
diff --git a/src/pluto/kernel.h b/src/pluto/kernel.h
index 06850abfd..1fa11c50e 100644
--- a/src/pluto/kernel.h
+++ b/src/pluto/kernel.h
@@ -14,10 +14,8 @@
 
 #include "connections.h"
 
-extern bool no_klips;   /* don't actually use KLIPS */
 extern bool can_do_IPcomp;  /* can system actually perform IPCOMP? */
 
-#ifdef KLIPS
 /* Declare eroute things early enough for uses.
  *
  * Flags are encoded above the low-order byte of verbs.
@@ -32,8 +30,6 @@ extern bool can_do_IPcomp;  /* can system actually perform IPCOMP? */
 #define ERO_DELETE      SADB_X_DELFLOW
 #define ERO_ADD SADB_X_ADDFLOW
 #define ERO_REPLACE     (SADB_X_ADDFLOW | (SADB_X_SAFLAGS_REPLACEFLOW << ERO_FLAG_SHIFT))
-#define ERO_ADD_INBOUND (SADB_X_ADDFLOW | (SADB_X_SAFLAGS_INFLOW << ERO_FLAG_SHIFT))
-#define ERO_DEL_INBOUND (SADB_X_DELFLOW | (SADB_X_SAFLAGS_INFLOW << ERO_FLAG_SHIFT))
 
 struct pfkey_proto_info {
 		int proto;
@@ -75,69 +71,6 @@ struct kernel_sa {
 		const char *text_said;
 };
 
-struct kernel_ops {
-		enum {
-				KERNEL_TYPE_NONE,
-				KERNEL_TYPE_KLIPS,
-				KERNEL_TYPE_LINUX,
-		} type;
-		bool inbound_eroute;
-		bool policy_lifetime;
-		int *async_fdp;
-
-		void (*init)(void);
-		void (*pfkey_register)(void);
-		void (*pfkey_register_response)(const struct sadb_msg *msg);
-		void (*process_queue)(void);
-		void (*process_msg)(void);
-		bool (*raw_eroute)(const ip_address *this_host,
-						   const ip_subnet *this_client,
-						   const ip_address *that_host,
-						   const ip_subnet *that_client,
-						   ipsec_spi_t spi,
-						   unsigned int satype,
-						   unsigned int transport_proto,
-						   const struct pfkey_proto_info *proto_info,
-						   time_t use_lifetime,
-						   unsigned int op,
-						   const char *text_said);
-		bool (*get_policy)(const struct kernel_sa *sa, bool inbound,
-						   time_t *use_time);
-		bool (*add_sa)(const struct kernel_sa *sa, bool replace);
-		bool (*grp_sa)(const struct kernel_sa *sa_outer,
-					   const struct kernel_sa *sa_inner);
-		bool (*del_sa)(const struct kernel_sa *sa);
-		bool (*get_sa)(const struct kernel_sa *sa, u_int *bytes);
-		ipsec_spi_t (*get_spi)(const ip_address *src,
-							   const ip_address *dst,
-							   int proto,
-							   bool tunnel_mode,
-							   unsigned reqid,
-							   ipsec_spi_t min,
-							   ipsec_spi_t max,
-							   const char *text_said);
-};
-
-
-extern const struct kernel_ops *kernel_ops;
-
-/* information from /proc/net/ipsec_eroute */
-
-struct eroute_info {
-	unsigned long count;
-	ip_subnet ours;
-	ip_subnet his;
-	ip_address dst;
-	ip_said     said;
-	int transport_proto;
-	struct eroute_info *next;
-};
-
-extern struct eroute_info *orphaned_holds;
-
-extern void show_shunt_status(void);
-#endif
-
 /* A netlink header defines EM_MAXRELSPIS, the max number of SAs in a group.
  * Is there a PF_KEY equivalent?
  */
@@ -151,22 +84,11 @@ extern void record_and_initiate_opportunistic(const ip_subnet *
 											  , const char *why);
 
 extern void init_kernel(void);
-
-extern void scan_proc_shunts(void);
+extern void kernel_finalize(void);
 
 extern bool trap_connection(struct connection *c);
 extern void unroute_connection(struct connection *c);
 
-extern bool has_bare_hold(const ip_address *src, const ip_address *dst
-						  , int transport_proto);
-
-extern bool replace_bare_shunt(const ip_address *src, const ip_address *dst
-							   , policy_prio_t policy_prio
-							   , ipsec_spi_t shunt_spi  /* in host order! */
-							   , bool repl
-							   , unsigned int transport_proto
-							   , const char *why);
-
 extern bool assign_hold(struct connection *c
 						, struct spd_route *sr
 						, int transport_proto
diff --git a/src/pluto/kernel_alg.c b/src/pluto/kernel_alg.c
index 7c2855edc..2a195cffc 100644
--- a/src/pluto/kernel_alg.c
+++ b/src/pluto/kernel_alg.c
@@ -105,7 +105,7 @@ const struct sadb_alg* kernel_alg_sadb_alg_get(int satype, int exttype,
  */
 static void kernel_alg_init(void)
 {
-	DBG(DBG_KLIPS,
+	DBG(DBG_KERNEL,
 		DBG_log("alg_init(): memset(%p, 0, %d) memset(%p, 0, %d)",
 				&esp_aalg,  (int)sizeof (esp_aalg),
 				&esp_ealg,  (int)sizeof (esp_ealg))
@@ -121,7 +121,7 @@ static int kernel_alg_add(int satype, int exttype,
 	struct sadb_alg *alg_p = NULL;
 	int alg_id = sadb_alg->sadb_alg_id;
 
-	DBG(DBG_KLIPS,
+	DBG(DBG_KERNEL,
 		DBG_log("kernel_alg_add(): satype=%d, exttype=%d, alg_id=%d",
 				satype, exttype, sadb_alg->sadb_alg_id)
 	)
@@ -131,7 +131,7 @@ static int kernel_alg_add(int satype, int exttype,
 	/* This logic "mimics" KLIPS: first algo implementation will be used */
 	if (alg_p->sadb_alg_id)
 	{
-		DBG(DBG_KLIPS,
+		DBG(DBG_KERNEL,
 			DBG_log("kernel_alg_add(): discarding already setup "
 					"satype=%d, exttype=%d, alg_id=%d",
 					satype, exttype, sadb_alg->sadb_alg_id)
@@ -172,7 +172,7 @@ bool kernel_alg_esp_enc_ok(u_int alg_id, u_int key_len,
 out:
 	if (ret)
 	{
-		DBG(DBG_KLIPS,
+		DBG(DBG_KERNEL,
 			DBG_log("kernel_alg_esp_enc_ok(%d,%d): "
 					"alg_id=%d, "
 					"alg_ivlen=%d, alg_minbits=%d, alg_maxbits=%d, "
@@ -188,7 +188,7 @@ out:
 	}
 	else
 	{
-		DBG(DBG_KLIPS,
+		DBG(DBG_KERNEL,
 			DBG_log("kernel_alg_esp_enc_ok(%d,%d): NO", alg_id, key_len);
 		)
 	}
@@ -252,66 +252,6 @@ bool kernel_alg_esp_ok_final(u_int ealg, u_int key_len, u_int aalg,
 	return TRUE;
 }
 
-/**
- * Load kernel_alg arrays from /proc used in manual mode from klips/utils/spi.c
- */
-int kernel_alg_proc_read(void)
-{
-	int satype;
-	int supp_exttype;
-	int alg_id, ivlen, minbits, maxbits;
-	struct sadb_alg sadb_alg;
-	int ret;
-	char buf[128];
-
-	FILE *fp=fopen("/proc/net/pf_key_supported", "r");
-
-	if (!fp)
-		return -1;
-
-	kernel_alg_init();
-
-	while (fgets(buf, sizeof(buf), fp))
-	{
-		if (buf[0] != ' ') /* skip titles */
-			continue;
-
-		sscanf(buf, "%d %d %d %d %d %d"
-				,&satype, &supp_exttype
-				, &alg_id, &ivlen
-				, &minbits, &maxbits);
-
-		switch (satype)
-		{
-		case SADB_SATYPE_ESP:
-			switch(supp_exttype)
-			{
-			case SADB_EXT_SUPPORTED_AUTH:
-			case SADB_EXT_SUPPORTED_ENCRYPT:
-				sadb_alg.sadb_alg_id = alg_id;
-				sadb_alg.sadb_alg_ivlen = ivlen;
-				sadb_alg.sadb_alg_minbits = minbits;
-				sadb_alg.sadb_alg_maxbits = maxbits;
-				ret = kernel_alg_add(satype, supp_exttype, &sadb_alg);
-				DBG(DBG_CRYPT,
-					DBG_log("kernel_alg_proc_read() alg_id=%d, "
-							"alg_ivlen=%d, alg_minbits=%d, alg_maxbits=%d, "
-							"ret=%d"
-							, sadb_alg.sadb_alg_id
-							, sadb_alg.sadb_alg_ivlen
-							, sadb_alg.sadb_alg_minbits
-							, sadb_alg.sadb_alg_maxbits
-							, ret)
-				)
-			}
-		default:
-			continue;
-		}
-	}
-	fclose(fp);
-	return 0;
-}
-
 /**
  * Load kernel_alg arrays pluto's SADB_REGISTER user by pluto/kernel.c
  */
@@ -346,7 +286,7 @@ void kernel_alg_register_pfkey(const struct sadb_msg *msg_buf, int buflen)
 		int supp_exttype = sadb.supported->sadb_supported_exttype;
 		int supp_len = sadb.supported->sadb_supported_len*IPSEC_PFKEYv2_ALIGN;
 
-		DBG(DBG_KLIPS,
+		DBG(DBG_KERNEL,
 			DBG_log("kernel_alg_register_pfkey(): SADB_SATYPE_%s: "
 					"sadb_msg_len=%d sadb_supported_len=%d"
 					, satype==SADB_SATYPE_ESP? "ESP" : "AH"
@@ -363,7 +303,7 @@ void kernel_alg_register_pfkey(const struct sadb_msg *msg_buf, int buflen)
 		{
 			kernel_alg_add(satype, supp_exttype, sadb.alg);
 
-			DBG(DBG_KLIPS,
+			DBG(DBG_KERNEL,
 				DBG_log("kernel_alg_register_pfkey(): SADB_SATYPE_%s: "
 						"alg[%d], exttype=%d, satype=%d, alg_id=%d, "
 						"alg_ivlen=%d, alg_minbits=%d, alg_maxbits=%d, "
@@ -438,7 +378,7 @@ u_int kernel_alg_esp_enc_keylen(u_int alg_id)
 	}
 
 none:
-	DBG(DBG_KLIPS,
+	DBG(DBG_KERNEL,
 		DBG_log("kernel_alg_esp_enc_keylen(): alg_id=%d, keylen=%d",
 				alg_id, keylen)
 	)
@@ -450,7 +390,7 @@ struct sadb_alg* kernel_alg_esp_sadb_alg(u_int alg_id)
 	struct sadb_alg *sadb_alg = (ESP_EALG_PRESENT(alg_id))
 				? &esp_ealg[alg_id] : NULL;
 
-	DBG(DBG_KLIPS,
+	DBG(DBG_KERNEL,
 		DBG_log("kernel_alg_esp_sadb_alg(): alg_id=%d, sadb_alg=%p"
 				, alg_id, sadb_alg)
 	)
diff --git a/src/pluto/kernel_alg.h b/src/pluto/kernel_alg.h
index 5ce8c3003..4c757db41 100644
--- a/src/pluto/kernel_alg.h
+++ b/src/pluto/kernel_alg.h
@@ -33,7 +33,6 @@ extern bool kernel_alg_esp_ok_final(u_int ealg, u_int key_len, u_int aalg, struc
 extern u_int kernel_alg_esp_enc_keylen(u_int alg_id);
 extern bool kernel_alg_esp_auth_ok(u_int auth, struct alg_info_esp *nfo);
 extern u_int kernel_alg_esp_auth_keylen(u_int auth);
-extern int kernel_alg_proc_read(void);
 extern void kernel_alg_list(void);
 
 /* get sadb_alg for passed args */
diff --git a/src/pluto/kernel_netlink.c b/src/pluto/kernel_netlink.c
deleted file mode 100644
index 75d0c98d3..000000000
--- a/src/pluto/kernel_netlink.c
+++ /dev/null
@@ -1,1319 +0,0 @@
-/* netlink interface to the kernel's IPsec mechanism
- * Copyright (C) 2003 Herbert Xu.
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#if defined(linux) && defined(KERNEL26_SUPPORT)
-
-#include <errno.h>
-#include <fcntl.h>
-#include <string.h>
-#include <sys/queue.h>
-#include <sys/socket.h>
-#include <sys/types.h>
-#include <sys/queue.h>
-#include <unistd.h>
-#include <linux/xfrm.h>
-#include <linux/rtnetlink.h>
-
-#include "kameipsec.h"
-
-#include <freeswan.h>
-#include <pfkeyv2.h>
-#include <pfkey.h>
-
-#include "constants.h"
-#include "defs.h"
-#include "kernel.h"
-#include "kernel_netlink.h"
-#include "kernel_pfkey.h"
-#include "log.h"
-#include "whack.h"      /* for RC_LOG_SERIOUS */
-#include "kernel_alg.h"
-
-/** required for Linux 2.6.26 kernel and later */
-#ifndef XFRM_STATE_AF_UNSPEC
-#define XFRM_STATE_AF_UNSPEC	32
-#endif
-
-/* Minimum priority number in SPD used by pluto. */
-#define MIN_SPD_PRIORITY 1024
-
-static int netlinkfd = NULL_FD;
-static int netlink_bcast_fd = NULL_FD;
-
-#define NE(x) { x, #x } /* Name Entry -- shorthand for sparse_names */
-
-static sparse_names xfrm_type_names = {
-	NE(NLMSG_NOOP),
-	NE(NLMSG_ERROR),
-	NE(NLMSG_DONE),
-	NE(NLMSG_OVERRUN),
-
-	NE(XFRM_MSG_NEWSA),
-	NE(XFRM_MSG_DELSA),
-	NE(XFRM_MSG_GETSA),
-
-	NE(XFRM_MSG_NEWPOLICY),
-	NE(XFRM_MSG_DELPOLICY),
-	NE(XFRM_MSG_GETPOLICY),
-
-	NE(XFRM_MSG_ALLOCSPI),
-	NE(XFRM_MSG_ACQUIRE),
-	NE(XFRM_MSG_EXPIRE),
-
-	NE(XFRM_MSG_UPDPOLICY),
-	NE(XFRM_MSG_UPDSA),
-
-	NE(XFRM_MSG_POLEXPIRE),
-
-	NE(XFRM_MSG_MAX),
-
-	{ 0, sparse_end }
-};
-
-#undef NE
-
-/* Authentication algorithms */
-static sparse_names aalg_list = {
-	{ SADB_X_AALG_NULL,            "digest_null" },
-	{ SADB_AALG_MD5HMAC,           "md5" },
-	{ SADB_AALG_SHA1HMAC,          "sha1" },
-	{ SADB_X_AALG_SHA2_256_96HMAC, "sha256" },
-	{ SADB_X_AALG_SHA2_256HMAC,    "hmac(sha256)" },
-	{ SADB_X_AALG_SHA2_384HMAC,    "hmac(sha384)" },
-	{ SADB_X_AALG_SHA2_512HMAC,    "hmac(sha512)" },
-	{ SADB_X_AALG_RIPEMD160HMAC,   "ripemd160" },
-	{ SADB_X_AALG_AES_XCBC_MAC,    "xcbc(aes)"},
-	{ 0, sparse_end }
-};
-
-/* Encryption algorithms */
-static sparse_names ealg_list = {
-	{ SADB_EALG_NULL,            "cipher_null" },
-	{ SADB_EALG_DESCBC,          "des" },
-	{ SADB_EALG_3DESCBC,         "des3_ede" },
-	{ SADB_X_EALG_CASTCBC,       "cast128" },
-	{ SADB_X_EALG_BLOWFISHCBC,   "blowfish" },
-	{ SADB_X_EALG_AESCBC,        "aes" },
-	{ SADB_X_EALG_AESCTR,        "rfc3686(ctr(aes))" },
-	{ SADB_X_EALG_AES_CCM_ICV8,  "rfc4309(ccm(aes))" },
-	{ SADB_X_EALG_AES_CCM_ICV12, "rfc4309(ccm(aes))" },
-	{ SADB_X_EALG_AES_CCM_ICV16, "rfc4309(ccm(aes))" },
-	{ SADB_X_EALG_AES_GCM_ICV8,  "rfc4106(gcm(aes))" },
-	{ SADB_X_EALG_AES_GCM_ICV12, "rfc4106(gcm(aes))" },
-	{ SADB_X_EALG_AES_GCM_ICV16, "rfc4106(gcm(aes))" },
-	{ SADB_X_EALG_NULL_AES_GMAC, "rfc4543(gcm(aes))" },
-	{ SADB_X_EALG_CAMELLIACBC,   "cbc(camellia)" },
-	{ SADB_X_EALG_SERPENTCBC,    "serpent" },
-	{ SADB_X_EALG_TWOFISHCBC,    "twofish" },
-	{ 0, sparse_end }
-};
-
-/* Compression algorithms */
-static sparse_names calg_list = {
-	{ SADB_X_CALG_DEFLATE, "deflate" },
-	{ SADB_X_CALG_LZS,     "lzs" },
-	{ SADB_X_CALG_LZJH,    "lzjh" },
-	{ 0, sparse_end }
-};
-
-/** ip2xfrm - Take an IP address and convert to an xfrm.
- *
- * @param addr ip_address
- * @param xaddr xfrm_address_t - IPv[46] Address from addr is copied here.
- */
-static void ip2xfrm(const ip_address *addr, xfrm_address_t *xaddr)
-{
-	if (addr->u.v4.sin_family == AF_INET)
-	{
-		xaddr->a4 = addr->u.v4.sin_addr.s_addr;
-	}
-	else
-	{
-		memcpy(xaddr->a6, &addr->u.v6.sin6_addr, sizeof(xaddr->a6));
-	}
-}
-
-/** init_netlink - Initialize the netlink inferface.  Opens the sockets and
- * then binds to the broadcast socket.
- */
-static void init_netlink(void)
-{
-	struct sockaddr_nl addr;
-
-	netlinkfd = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_XFRM);
-
-	if (netlinkfd < 0)
-	{
-		exit_log_errno((e, "socket() in init_netlink()"));
-	}
-	if (fcntl(netlinkfd, F_SETFD, FD_CLOEXEC) != 0)
-	{
-		exit_log_errno((e, "fcntl(FD_CLOEXEC) in init_netlink()"));
-	}
-	netlink_bcast_fd = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_XFRM);
-
-	if (netlink_bcast_fd < 0)
-	{
-		exit_log_errno((e, "socket() for bcast in init_netlink()"));
-	}
-	if (fcntl(netlink_bcast_fd, F_SETFD, FD_CLOEXEC) != 0)
-	{
-		exit_log_errno((e, "fcntl(FD_CLOEXEC) for bcast in init_netlink()"));
-	}
-	if (fcntl(netlink_bcast_fd, F_SETFL, O_NONBLOCK) != 0)
-	{
-		exit_log_errno((e, "fcntl(O_NONBLOCK) for bcast in init_netlink()"));
-	}
-	addr.nl_family = AF_NETLINK;
-	addr.nl_pid = getpid();
-	addr.nl_groups = XFRMGRP_ACQUIRE | XFRMGRP_EXPIRE;
-	if (bind(netlink_bcast_fd, (struct sockaddr *)&addr, sizeof(addr)) != 0)
-	{
-		exit_log_errno((e, "Failed to bind bcast socket in init_netlink()"));
-	}
-}
-
-/** send_netlink_msg
- *
- * @param hdr - Data to be sent.
- * @param rbuf - Return Buffer - contains data returned from the send.
- * @param rbuf_len - Length of rbuf
- * @param description - String - user friendly description of what is
- *                      being attempted.  Used for diagnostics
- * @param text_said - String
- * @return bool True if the message was succesfully sent.
- */
-static bool send_netlink_msg(struct nlmsghdr *hdr, struct nlmsghdr *rbuf,
-							 size_t rbuf_len, const char *description,
-							 const char *text_said)
-{
-	struct {
-		struct nlmsghdr n;
-		struct nlmsgerr e;
-		char data[1024];
-	} rsp;
-
-	size_t len;
-	ssize_t r;
-	struct sockaddr_nl addr;
-	static uint32_t seq;
-
-	if (no_klips)
-	{
-		return TRUE;
-	}
-
-	hdr->nlmsg_seq = ++seq;
-	len = hdr->nlmsg_len;
-	do {
-		r = write(netlinkfd, hdr, len);
-	}
-	while (r < 0 && errno == EINTR);
-
-	if (r < 0)
-	{
-		log_errno((e
-			, "netlink write() of %s message"
-			  " for %s %s failed"
-			, sparse_val_show(xfrm_type_names, hdr->nlmsg_type)
-			, description, text_said));
-		return FALSE;
-	}
-	else if ((size_t)r != len)
-	{
-		loglog(RC_LOG_SERIOUS
-			, "ERROR: netlink write() of %s message"
-			  " for %s %s truncated: %ld instead of %lu"
-			, sparse_val_show(xfrm_type_names, hdr->nlmsg_type)
-			, description, text_said
-			, (long)r, (unsigned long)len);
-		return FALSE;
-	}
-
-	for (;;)
-	{
-		socklen_t alen;
-
-		alen = sizeof(addr);
-		r = recvfrom(netlinkfd, &rsp, sizeof(rsp), 0
-			, (struct sockaddr *)&addr, &alen);
-		if (r < 0)
-		{
-			if (errno == EINTR)
-			{
-				continue;
-			}
-			log_errno((e
-				, "netlink recvfrom() of response to our %s message"
-				  " for %s %s failed"
-				, sparse_val_show(xfrm_type_names, hdr->nlmsg_type)
-				, description, text_said));
-			return FALSE;
-		}
-		else if ((size_t) r < sizeof(rsp.n))
-		{
-			plog("netlink read truncated message: %ld bytes; ignore message"
-				, (long) r);
-			continue;
-		}
-		else if (addr.nl_pid != 0)
-		{
-			/* not for us: ignore */
-			DBG(DBG_KLIPS,
-				DBG_log("netlink: ignoring %s message from process %u"
-					, sparse_val_show(xfrm_type_names, rsp.n.nlmsg_type)
-					, addr.nl_pid));
-			continue;
-		}
-		else if (rsp.n.nlmsg_seq != seq)
-		{
-			DBG(DBG_KLIPS,
-				DBG_log("netlink: ignoring out of sequence (%u/%u) message %s"
-					, rsp.n.nlmsg_seq, seq
-					, sparse_val_show(xfrm_type_names, rsp.n.nlmsg_type)));
-			continue;
-		}
-		break;
-	}
-
-	if (rsp.n.nlmsg_len > (size_t) r)
-	{
-		loglog(RC_LOG_SERIOUS
-			, "netlink recvfrom() of response to our %s message"
-			  " for %s %s was truncated: %ld instead of %lu"
-			, sparse_val_show(xfrm_type_names, hdr->nlmsg_type)
-			, description, text_said
-			, (long) len, (unsigned long) rsp.n.nlmsg_len);
-		return FALSE;
-	}
-	else if (rsp.n.nlmsg_type != NLMSG_ERROR
-	&& (rbuf && rsp.n.nlmsg_type != rbuf->nlmsg_type))
-	{
-		loglog(RC_LOG_SERIOUS
-			, "netlink recvfrom() of response to our %s message"
-			  " for %s %s was of wrong type (%s)"
-			, sparse_val_show(xfrm_type_names, hdr->nlmsg_type)
-			, description, text_said
-			, sparse_val_show(xfrm_type_names, rsp.n.nlmsg_type));
-		return FALSE;
-	}
-	else if (rbuf)
-	{
-		if ((size_t) r > rbuf_len)
-		{
-			loglog(RC_LOG_SERIOUS
-				, "netlink recvfrom() of response to our %s message"
-				  " for %s %s was too long: %ld > %lu"
-				, sparse_val_show(xfrm_type_names, hdr->nlmsg_type)
-				, description, text_said
-				, (long)r, (unsigned long)rbuf_len);
-			return FALSE;
-		}
-		memcpy(rbuf, &rsp, r);
-		return TRUE;
-	}
-	else if (rsp.n.nlmsg_type == NLMSG_ERROR && rsp.e.error)
-	{
-		loglog(RC_LOG_SERIOUS
-			, "ERROR: netlink response for %s %s included errno %d: %s"
-			, description, text_said
-			, -rsp.e.error
-			, strerror(-rsp.e.error));
-		return FALSE;
-	}
-
-	return TRUE;
-}
-
-/** netlink_policy -
- *
- * @param hdr - Data to check
- * @param enoent_ok - Boolean - OK or not OK.
- * @param text_said - String
- * @return boolean
- */
-static bool netlink_policy(struct nlmsghdr *hdr, bool enoent_ok,
-						   const char *text_said)
-{
-	struct {
-		struct nlmsghdr n;
-		struct nlmsgerr e;
-		char data[1024];
-	} rsp;
-	int error;
-
-	rsp.n.nlmsg_type = NLMSG_ERROR;
-	if (!send_netlink_msg(hdr, &rsp.n, sizeof(rsp), "policy", text_said))
-	{
-		return FALSE;
-	}
-
-	error = -rsp.e.error;
-	if (!error)
-	{
-		return TRUE;
-	}
-
-	if (error == ENOENT && enoent_ok)
-	{
-		return TRUE;
-	}
-
-	loglog(RC_LOG_SERIOUS
-		, "ERROR: netlink %s response for flow %s included errno %d: %s"
-		, sparse_val_show(xfrm_type_names, hdr->nlmsg_type)
-		, text_said
-		, error
-		, strerror(error));
-	return FALSE;
-}
-
-/** netlink_raw_eroute
- *
- * @param this_host ip_address
- * @param this_client ip_subnet
- * @param that_host ip_address
- * @param that_client ip_subnet
- * @param spi
- * @param proto int (Currently unused) Contains protocol (u=tcp, 17=udp, etc...)
- * @param transport_proto int (Currently unused) 0=tunnel, 1=transport
- * @param satype int
- * @param proto_info
- * @param lifetime (Currently unused)
- * @param ip int
- * @return boolean True if successful
- */
-static bool netlink_raw_eroute(const ip_address *this_host
-							 , const ip_subnet *this_client
-							 , const ip_address *that_host
-							 , const ip_subnet *that_client
-							 , ipsec_spi_t spi
-							 , unsigned int satype
-							 , unsigned int transport_proto
-							 , const struct pfkey_proto_info *proto_info
-							 , time_t use_lifetime UNUSED
-							 , unsigned int op
-							 , const char *text_said)
-{
-	struct {
-		struct nlmsghdr n;
-		union {
-			struct xfrm_userpolicy_info p;
-			struct xfrm_userpolicy_id id;
-		} u;
-		char data[1024];
-	} req;
-	int shift;
-	int dir;
-	int family;
-	int policy;
-	bool ok;
-	bool enoent_ok;
-
-	policy = IPSEC_POLICY_IPSEC;
-
-	if (satype == SADB_X_SATYPE_INT)
-	{
-		/* shunt route */
-		switch (ntohl(spi))
-		{
-		case SPI_PASS:
-			policy = IPSEC_POLICY_NONE;
-			break;
-		case SPI_DROP:
-		case SPI_REJECT:
-		default:
-			policy = IPSEC_POLICY_DISCARD;
-			break;
-		case SPI_TRAP:
-		case SPI_TRAPSUBNET:
-		case SPI_HOLD:
-			if (op & (SADB_X_SAFLAGS_INFLOW << ERO_FLAG_SHIFT))
-			{
-				return TRUE;
-			}
-			break;
-		}
-	}
-
-	memset(&req, 0, sizeof(req));
-	req.n.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
-
-	family = that_client->addr.u.v4.sin_family;
-	shift = (family == AF_INET) ? 5 : 7;
-
-	req.u.p.sel.sport = portof(&this_client->addr);
-	req.u.p.sel.dport = portof(&that_client->addr);
-	req.u.p.sel.sport_mask = (req.u.p.sel.sport) ? ~0:0;
-	req.u.p.sel.dport_mask = (req.u.p.sel.dport) ? ~0:0;
-	ip2xfrm(&this_client->addr, &req.u.p.sel.saddr);
-	ip2xfrm(&that_client->addr, &req.u.p.sel.daddr);
-	req.u.p.sel.prefixlen_s = this_client->maskbits;
-	req.u.p.sel.prefixlen_d = that_client->maskbits;
-	req.u.p.sel.proto = transport_proto;
-	req.u.p.sel.family = family;
-
-	dir = XFRM_POLICY_OUT;
-	if (op & (SADB_X_SAFLAGS_INFLOW << ERO_FLAG_SHIFT))
-	{
-		dir = XFRM_POLICY_IN;
-	}
-
-	if ((op & ERO_MASK) == ERO_DELETE)
-	{
-		req.u.id.dir = dir;
-		req.n.nlmsg_type = XFRM_MSG_DELPOLICY;
-		req.n.nlmsg_len = NLMSG_ALIGN(NLMSG_LENGTH(sizeof(req.u.id)));
-	}
-	else
-	{
-		int src, dst;
-
-		req.u.p.dir = dir;
-
-		src = req.u.p.sel.prefixlen_s;
-		dst = req.u.p.sel.prefixlen_d;
-		if (dir != XFRM_POLICY_OUT) {
-			src = req.u.p.sel.prefixlen_d;
-			dst = req.u.p.sel.prefixlen_s;
-		}
-		req.u.p.priority = MIN_SPD_PRIORITY
-			+ (((2 << shift) - src) << shift)
-			+ (2 << shift) - dst;
-
-		req.u.p.action = XFRM_POLICY_ALLOW;
-		if (policy == IPSEC_POLICY_DISCARD)
-		{
-			req.u.p.action = XFRM_POLICY_BLOCK;
-		}
-		req.u.p.lft.soft_use_expires_seconds = use_lifetime;
-		req.u.p.lft.soft_byte_limit = XFRM_INF;
-		req.u.p.lft.soft_packet_limit = XFRM_INF;
-		req.u.p.lft.hard_byte_limit = XFRM_INF;
-		req.u.p.lft.hard_packet_limit = XFRM_INF;
-
-		req.n.nlmsg_type = XFRM_MSG_NEWPOLICY;
-		if (op & (SADB_X_SAFLAGS_REPLACEFLOW << ERO_FLAG_SHIFT))
-		{
-			req.n.nlmsg_type = XFRM_MSG_UPDPOLICY;
-		}
-		req.n.nlmsg_len = NLMSG_ALIGN(NLMSG_LENGTH(sizeof(req.u.p)));
-	}
-
-	if (policy == IPSEC_POLICY_IPSEC && (op & ERO_MASK) != ERO_DELETE)
-	{
-		struct rtattr *attr;
-		struct xfrm_user_tmpl tmpl[4];
-		int i;
-
-		memset(tmpl, 0, sizeof(tmpl));
-		for (i = 0; proto_info[i].proto; i++)
-		{
-			tmpl[i].reqid = proto_info[i].reqid;
-			tmpl[i].id.proto = proto_info[i].proto;
-			tmpl[i].optional =
-				proto_info[i].proto == IPPROTO_COMP && dir != XFRM_POLICY_OUT;
-			tmpl[i].aalgos = tmpl[i].ealgos = tmpl[i].calgos = ~0;
-			tmpl[i].family = that_host->u.v4.sin_family;
-			tmpl[i].mode =
-				proto_info[i].encapsulation == ENCAPSULATION_MODE_TUNNEL;
-			if (!tmpl[i].mode)
-			{
-				continue;
-			}
-
-			ip2xfrm(this_host, &tmpl[i].saddr);
-			ip2xfrm(that_host, &tmpl[i].id.daddr);
-		}
-
-		attr = (struct rtattr *)((char *)&req + req.n.nlmsg_len);
-		attr->rta_type = XFRMA_TMPL;
-		attr->rta_len = i * sizeof(tmpl[0]);
-		memcpy(RTA_DATA(attr), tmpl, attr->rta_len);
-		attr->rta_len = RTA_LENGTH(attr->rta_len);
-		req.n.nlmsg_len += attr->rta_len;
-	}
-
-	enoent_ok = FALSE;
-	if (op == ERO_DEL_INBOUND)
-	{
-		enoent_ok = TRUE;
-	}
-	else if (op == ERO_DELETE && ntohl(spi) == SPI_HOLD)
-	{
-		enoent_ok = TRUE;
-	}
-
-	ok = netlink_policy(&req.n, enoent_ok, text_said);
-	switch (dir)
-	{
-	case XFRM_POLICY_IN:
-		if (req.n.nlmsg_type == XFRM_MSG_DELPOLICY)
-		{
-			req.u.id.dir = XFRM_POLICY_FWD;
-		}
-		else if (!ok)
-		{
-			break;
-		}
-		else if (proto_info[0].encapsulation != ENCAPSULATION_MODE_TUNNEL
-		&& satype != SADB_X_SATYPE_INT)
-		{
-			break;
-		}
-		else
-		{
-			req.u.p.dir = XFRM_POLICY_FWD;
-		}
-		ok &= netlink_policy(&req.n, enoent_ok, text_said);
-		break;
-	}
-
-	return ok;
-}
-
-/** netlink_add_sa - Add an SA into the kernel SPDB via netlink
- *
- * @param sa Kernel SA to add/modify
- * @param replace boolean - true if this replaces an existing SA
- * @return bool True if successfull
- */
-static bool netlink_add_sa(const struct kernel_sa *sa, bool replace)
-{
-	struct {
-		struct nlmsghdr n;
-		struct xfrm_usersa_info p;
-		char data[1024];
-	} req;
-	struct rtattr *attr;
-	u_int16_t icv_size = 64;
-
-	memset(&req, 0, sizeof(req));
-	req.n.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
-	req.n.nlmsg_type = replace ? XFRM_MSG_UPDSA : XFRM_MSG_NEWSA;
-
-	ip2xfrm(sa->src, &req.p.saddr);
-	ip2xfrm(sa->dst, &req.p.id.daddr);
-
-	req.p.id.spi = sa->spi;
-	req.p.id.proto = satype2proto(sa->satype);
-	req.p.family = sa->src->u.v4.sin_family;
-	if (sa->encapsulation == ENCAPSULATION_MODE_TUNNEL)
-	{
-		req.p.mode = XFRM_MODE_TUNNEL;
-		req.p.flags |= XFRM_STATE_AF_UNSPEC;
-	}
-	else
-	{
-		req.p.mode = XFRM_MODE_TRANSPORT;
-	}
-	req.p.replay_window = sa->replay_window;
-	req.p.reqid = sa->reqid;
-	req.p.lft.soft_byte_limit = XFRM_INF;
-	req.p.lft.soft_packet_limit = XFRM_INF;
-	req.p.lft.hard_byte_limit = XFRM_INF;
-	req.p.lft.hard_packet_limit = XFRM_INF;
-
-	req.n.nlmsg_len = NLMSG_ALIGN(NLMSG_LENGTH(sizeof(req.p)));
-
-	attr = (struct rtattr *)((char *)&req + req.n.nlmsg_len);
-
-	if (sa->authalg)
-	{
-		const char *name;
-
-		name = sparse_name(aalg_list, sa->authalg);
-		if (!name)
-		{
-			loglog(RC_LOG_SERIOUS, "unknown authentication algorithm: %u"
-				, sa->authalg);
-			return FALSE;
-		}
-		DBG(DBG_CRYPT,
-			DBG_log("configured authentication algorithm %s with key size %d",
-					enum_show(&auth_alg_names, sa->authalg),
-					sa->authkeylen * BITS_PER_BYTE)
-			)
-
-		if (sa->authalg == SADB_X_AALG_SHA2_256HMAC)
-		{
-			struct xfrm_algo_auth algo;
-
-			/* the kernel uses SHA256 with 96 bit truncation by default,
-			 * use specified truncation size supported by newer kernels */
-			strcpy(algo.alg_name, name);
-			algo.alg_key_len = sa->authkeylen * BITS_PER_BYTE;
-			algo.alg_trunc_len = 128;
-
-			attr->rta_type = XFRMA_ALG_AUTH_TRUNC;
-			attr->rta_len = RTA_LENGTH(sizeof(algo) + sa->authkeylen);
-
-			memcpy(RTA_DATA(attr), &algo, sizeof(algo));
-			memcpy((char *)RTA_DATA(attr) + sizeof(algo), sa->authkey
-				, sa->authkeylen);
-		}
-		else
-		{
-			struct xfrm_algo algo;
-
-			strcpy(algo.alg_name, name);
-			algo.alg_key_len = sa->authkeylen * BITS_PER_BYTE;
-
-			attr->rta_type = XFRMA_ALG_AUTH;
-			attr->rta_len = RTA_LENGTH(sizeof(algo) + sa->authkeylen);
-
-			memcpy(RTA_DATA(attr), &algo, sizeof(algo));
-			memcpy((char *)RTA_DATA(attr) + sizeof(algo), sa->authkey
-				, sa->authkeylen);
-		}
-		req.n.nlmsg_len += attr->rta_len;
-		attr = (struct rtattr *)((char *)attr + attr->rta_len);
-	}
-
-	switch (sa->encalg)
-	{
-		case SADB_EALG_NONE:
-			/* no encryption */
-			break;
-		case SADB_X_EALG_AES_CCM_ICV16:
-		case SADB_X_EALG_AES_GCM_ICV16:
-		case SADB_X_EALG_NULL_AES_GMAC:
-			icv_size += 32;
-			/* FALL */
-		case SADB_X_EALG_AES_CCM_ICV12:
-		case SADB_X_EALG_AES_GCM_ICV12:
-			icv_size += 32;
-			/* FALL */
-		case SADB_X_EALG_AES_CCM_ICV8:
-		case SADB_X_EALG_AES_GCM_ICV8:
-		{
-			struct xfrm_algo_aead *algo;
-			const char *name;
-
-			name = sparse_name(ealg_list, sa->encalg);
-			if (!name)
-			{
-				loglog(RC_LOG_SERIOUS, "unknown encryption algorithm: %u",
-					   sa->encalg);
-				return FALSE;
-			}
-			DBG(DBG_CRYPT,
-				DBG_log("configured esp encryption algorithm %s with key size %d",
-						enum_show(&esp_transform_names, sa->encalg),
-						sa->enckeylen * BITS_PER_BYTE)
-			)
-			attr->rta_type = XFRMA_ALG_AEAD;
-			attr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo_aead) + sa->enckeylen);
-			req.n.nlmsg_len += attr->rta_len;
-
-			algo = (struct xfrm_algo_aead*)RTA_DATA(attr);
-			algo->alg_key_len = sa->enckeylen * BITS_PER_BYTE;
-			algo->alg_icv_len = icv_size;
-			strcpy(algo->alg_name, name);
-			memcpy(algo->alg_key, sa->enckey, sa->enckeylen);
-
-			attr = (struct rtattr *)((char *)attr + attr->rta_len);
-			break;
-		}
-		default:
-		{
-			struct xfrm_algo *algo;
-			const char *name;
-
-			name = sparse_name(ealg_list, sa->encalg);
-			if (!name)
-			{
-				loglog(RC_LOG_SERIOUS, "unknown encryption algorithm: %u",
-					   sa->encalg);
-				return FALSE;
-			}
-			DBG(DBG_CRYPT,
-				DBG_log("configured esp encryption algorithm %s with key size %d",
-						enum_show(&esp_transform_names, sa->encalg),
-						sa->enckeylen * BITS_PER_BYTE)
-			)
-			attr->rta_type = XFRMA_ALG_CRYPT;
-			attr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + sa->enckeylen);
-			req.n.nlmsg_len += attr->rta_len;
-
-			algo = (struct xfrm_algo*)RTA_DATA(attr);
-			algo->alg_key_len = sa->enckeylen * BITS_PER_BYTE;
-			strcpy(algo->alg_name, name);
-			memcpy(algo->alg_key, sa->enckey, sa->enckeylen);
-
-			attr = (struct rtattr *)((char *)attr + attr->rta_len);
-		}
-	}
-
-	if (sa->compalg)
-	{
-		struct xfrm_algo algo;
-		const char *name;
-
-		name = sparse_name(calg_list, sa->compalg);
-		if (!name)
-		{
-			loglog(RC_LOG_SERIOUS, "unknown compression algorithm: %u"
-				, sa->compalg);
-			return FALSE;
-		}
-
-		strcpy(algo.alg_name, name);
-		algo.alg_key_len = 0;
-
-		attr->rta_type = XFRMA_ALG_COMP;
-		attr->rta_len = RTA_LENGTH(sizeof(algo));
-
-		memcpy(RTA_DATA(attr), &algo, sizeof(algo));
-
-		req.n.nlmsg_len += attr->rta_len;
-		attr = (struct rtattr *)((char *)attr + attr->rta_len);
-	}
-
-	if (sa->natt_type)
-	{
-		struct xfrm_encap_tmpl natt;
-
-		natt.encap_type = sa->natt_type;
-		natt.encap_sport = ntohs(sa->natt_sport);
-		natt.encap_dport = ntohs(sa->natt_dport);
-		memset (&natt.encap_oa, 0, sizeof (natt.encap_oa));
-
-		attr->rta_type = XFRMA_ENCAP;
-		attr->rta_len = RTA_LENGTH(sizeof(natt));
-
-		memcpy(RTA_DATA(attr), &natt, sizeof(natt));
-
-		req.n.nlmsg_len += attr->rta_len;
-		attr = (struct rtattr *)((char *)attr + attr->rta_len);
-	}
-
-	return send_netlink_msg(&req.n, NULL, 0, "Add SA", sa->text_said);
-}
-
-/** netlink_del_sa - Delete an SA from the Kernel
- *
- * @param sa Kernel SA to be deleted
- * @return bool True if successfull
- */
-static bool netlink_del_sa(const struct kernel_sa *sa)
-{
-	struct {
-		struct nlmsghdr n;
-		struct xfrm_usersa_id id;
-		char data[1024];
-	} req;
-
-	memset(&req, 0, sizeof(req));
-	req.n.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
-	req.n.nlmsg_type = XFRM_MSG_DELSA;
-
-	ip2xfrm(sa->dst, &req.id.daddr);
-
-	req.id.spi = sa->spi;
-	req.id.family = sa->src->u.v4.sin_family;
-	req.id.proto = sa->proto;
-
-	req.n.nlmsg_len = NLMSG_ALIGN(NLMSG_LENGTH(sizeof(req.id)));
-
-	return send_netlink_msg(&req.n, NULL, 0, "Del SA", sa->text_said);
-}
-
-static bool netlink_error(const char *req_type, const struct nlmsghdr *n,
-						  const struct nlmsgerr *e, int rsp_size)
-{
-	if (n->nlmsg_type == NLMSG_ERROR)
-	{
-		DBG(DBG_KLIPS,
-			DBG_log("%s returned with errno %d: %s"
-			, req_type
-			, -e->error
-			, strerror(-e->error))
-		)
-		return TRUE;
-	}
-	if (n->nlmsg_len < NLMSG_LENGTH(rsp_size))
-	{
-		plog("%s returned message with length %lu < %lu bytes"
-			, req_type
-			, (unsigned long) n->nlmsg_len
-			, (unsigned long) rsp_size);
-		return TRUE;
-	}
-	return FALSE;
-}
-
-static bool netlink_get_policy(const struct kernel_sa *sa, bool inbound,
-							   time_t *use_time)
-{
-	struct {
-		struct nlmsghdr n;
-		struct xfrm_userpolicy_id id;
-	} req;
-
-	struct {
-		struct nlmsghdr n;
-		union {
-			struct nlmsgerr e;
-			struct xfrm_userpolicy_info info;
-		} u;
-		char data[1024];
-	} rsp;
-
-	memset(&req, 0, sizeof(req));
-	req.n.nlmsg_flags = NLM_F_REQUEST;
-	req.n.nlmsg_type = XFRM_MSG_GETPOLICY;
-
-	req.id.sel.sport = portof(&sa->src_client->addr);
-	req.id.sel.dport = portof(&sa->dst_client->addr);
-	req.id.sel.sport_mask = (req.id.sel.sport) ? ~0:0;
-	req.id.sel.dport_mask = (req.id.sel.dport) ? ~0:0;
-	ip2xfrm(&sa->src_client->addr, &req.id.sel.saddr);
-	ip2xfrm(&sa->dst_client->addr, &req.id.sel.daddr);
-	req.id.sel.prefixlen_s = sa->src_client->maskbits;
-	req.id.sel.prefixlen_d = sa->dst_client->maskbits;
-	req.id.sel.proto = sa->transport_proto;
-	req.id.sel.family = sa->dst_client->addr.u.v4.sin_family;
-
-	req.n.nlmsg_len = NLMSG_ALIGN(NLMSG_LENGTH(sizeof(req.id)));
-	rsp.n.nlmsg_type = XFRM_MSG_NEWPOLICY;
-
-	req.id.dir = (inbound)? XFRM_POLICY_IN:XFRM_POLICY_OUT;
-
-	if (!send_netlink_msg(&req.n, &rsp.n, sizeof(rsp), "Get policy", "?"))
-	{
-		return FALSE;
-	}
-	if (netlink_error("XFRM_MSG_GETPOLICY", &rsp.n, &rsp.u.e, sizeof(rsp.u.info)))
-	{
-		return FALSE;
-	}
-	*use_time = (time_t)rsp.u.info.curlft.use_time;
-
-	if (inbound && sa->encapsulation == ENCAPSULATION_MODE_TUNNEL)
-	{
-		time_t use_time_fwd;
-
-		req.id.dir = XFRM_POLICY_FWD;
-
-		if (!send_netlink_msg(&req.n, &rsp.n, sizeof(rsp), "Get policy", "?"))
-		{
-			return FALSE;
-		}
-		if (netlink_error("XFRM_MSG_GETPOLICY", &rsp.n, &rsp.u.e, sizeof(rsp.u.info)))
-		{
-			return FALSE;
-		}
-		use_time_fwd = (time_t)rsp.u.info.curlft.use_time;
-		*use_time = (*use_time > use_time_fwd)? *use_time : use_time_fwd;
-	}
-	return TRUE;
-}
-
-
-/** netlink_get_sa - Get information about an SA from the Kernel
- *
- * @param sa Kernel SA to be queried
- * @return bool True if successfull
- */
-static bool netlink_get_sa(const struct kernel_sa *sa, u_int *bytes)
-{
-	struct {
-		struct nlmsghdr n;
-		struct xfrm_usersa_id id;
-	} req;
-
-	struct {
-		struct nlmsghdr n;
-		union {
-			struct nlmsgerr e;
-			struct xfrm_usersa_info info;
-		} u;
-		char data[1024];
-	} rsp;
-
-	memset(&req, 0, sizeof(req));
-	req.n.nlmsg_flags = NLM_F_REQUEST;
-	req.n.nlmsg_type = XFRM_MSG_GETSA;
-
-	ip2xfrm(sa->dst, &req.id.daddr);
-
-	req.id.spi = sa->spi;
-	req.id.family = sa->src->u.v4.sin_family;
-	req.id.proto = sa->proto;
-
-	req.n.nlmsg_len = NLMSG_ALIGN(NLMSG_LENGTH(sizeof(req.id)));
-	rsp.n.nlmsg_type = XFRM_MSG_NEWSA;
-
-	if (!send_netlink_msg(&req.n, &rsp.n, sizeof(rsp), "Get SA", sa->text_said))
-	{
-		return FALSE;
-	}
-	if (netlink_error("XFRM_MSG_GETSA", &rsp.n, &rsp.u.e, sizeof(rsp.u.info)))
-	{
-		return FALSE;
-	}
-	*bytes = (u_int) rsp.u.info.curlft.bytes;
-	return TRUE;
-}
-
-static void linux_pfkey_register_response(const struct sadb_msg *msg)
-{
-	switch (msg->sadb_msg_satype)
-	{
-	case SADB_SATYPE_ESP:
-#ifndef NO_KERNEL_ALG
-			kernel_alg_register_pfkey(msg, msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN);
-#endif
-			break;
-	case SADB_X_SATYPE_IPCOMP:
-		can_do_IPcomp = TRUE;
-		break;
-	default:
-		break;
-	}
-}
-
-/** linux_pfkey_register - Register via PFKEY our capabilities
- *
- */
-static void linux_pfkey_register(void)
-{
-	pfkey_register_proto(SADB_SATYPE_AH, "AH");
-	pfkey_register_proto(SADB_SATYPE_ESP, "ESP");
-	pfkey_register_proto(SADB_X_SATYPE_IPCOMP, "IPCOMP");
-	pfkey_close();
-}
-
-/** Create ip_address out of xfrm_address_t.
- *
- * @param family
- * @param src xfrm formatted IP address
- * @param dst ip_address formatted destination
- * @return err_t NULL if okay, otherwise an error
- */
-static err_t xfrm_to_ip_address(unsigned family, const xfrm_address_t *src,
-								ip_address *dst)
-{
-	switch (family)
-	{
-	case AF_INET:   /* IPv4 */
-	case AF_UNSPEC: /* Unspecified, we assume IPv4 */
-		initaddr((const void *) &src->a4, sizeof(src->a4), AF_INET, dst);
-		return NULL;
-	case AF_INET6:  /* IPv6 */
-		initaddr((const void *) &src->a6, sizeof(src->a6), AF_INET6, dst);
-		return NULL;
-	default:
-		return "unknown address family";
-	}
-}
-
-/* Create a pair of ip_address's out of xfrm_sel.
- *
- * @param sel xfrm selector
- * @param src ip_address formatted source
- * @param dst ip_address formatted destination
- * @return err_t NULL if okay, otherwise an error
- */
-static err_t xfrm_sel_to_ip_pair(const struct xfrm_selector *sel,
-								 ip_address *src, ip_address *dst)
-{
-	int family;
-	err_t ugh;
-
-	family = sel->family;
-
-	if ((ugh = xfrm_to_ip_address(family, &sel->saddr, src))
-		|| (ugh = xfrm_to_ip_address(family, &sel->daddr, dst)))
-	{
-		return ugh;
-	}
-
-	/* family has been verified in xfrm_to_ip_address. */
-	if (family == AF_INET)
-	{
-		src->u.v4.sin_port = sel->sport;
-		dst->u.v4.sin_port = sel->dport;
-	}
-	else
-	{
-		src->u.v6.sin6_port = sel->sport;
-		dst->u.v6.sin6_port = sel->dport;
-	}
-
-   return NULL;
-}
-
-static void netlink_acquire(struct nlmsghdr *n)
-{
-	struct xfrm_user_acquire *acquire;
-	ip_address src, dst;
-	ip_subnet ours, his;
-	unsigned transport_proto;
-	err_t ugh = NULL;
-
-	if (n->nlmsg_len < NLMSG_LENGTH(sizeof(*acquire)))
-	{
-		plog("netlink_acquire got message with length %lu < %lu bytes; ignore message"
-			, (unsigned long) n->nlmsg_len
-			, (unsigned long) sizeof(*acquire));
-		return;
-	}
-
-	acquire = NLMSG_DATA(n);
-	transport_proto = acquire->sel.proto;
-
-	/* XXX also the type of src/dst should be checked to make sure
-	 *     that they aren't v4 to v6 or something goofy
-	 */
-
-	if (!(ugh = xfrm_sel_to_ip_pair(&acquire->sel, &src, &dst))
-	&& !(ugh = addrtosubnet(&src, &ours))
-	&& !(ugh = addrtosubnet(&dst, &his)))
-	{
-		record_and_initiate_opportunistic(&ours, &his, transport_proto
-			, "%acquire-netlink");
-	}
-	if (ugh != NULL)
-	{
-		plog("XFRM_MSG_ACQUIRE message from kernel malformed: %s", ugh);
-	}
-}
-
-static void netlink_shunt_expire(struct xfrm_userpolicy_info *pol)
-{
-	ip_address src, dst;
-	unsigned transport_proto;
-	err_t ugh = NULL;
-
-	transport_proto = pol->sel.proto;
-
-	if (!(ugh = xfrm_sel_to_ip_pair(&pol->sel, &src, &dst)))
-	{
-		plog("XFRM_MSG_POLEXPIRE message from kernel malformed: %s", ugh);
-		return;
-	}
-
-	replace_bare_shunt(&src, &dst, BOTTOM_PRIO, SPI_PASS, FALSE, transport_proto
-		, "delete expired bare shunt");
-}
-
-static void netlink_policy_expire(struct nlmsghdr *n)
-{
-	struct xfrm_user_polexpire *upe;
-	struct {
-		struct nlmsghdr n;
-		struct xfrm_userpolicy_id id;
-	} req;
-
-	struct {
-		struct nlmsghdr n;
-		union {
-			struct nlmsgerr e;
-			struct xfrm_userpolicy_info pol;
-		} u;
-		char data[1024];
-	} rsp;
-
-	if (n->nlmsg_len < NLMSG_LENGTH(sizeof(*upe)))
-	{
-		plog("netlink_policy_expire got message with length %lu < %lu bytes; ignore message"
-			, (unsigned long) n->nlmsg_len
-			, (unsigned long) sizeof(*upe));
-		return;
-	}
-
-	upe = NLMSG_DATA(n);
-	req.id.dir = upe->pol.dir;
-	req.id.index = upe->pol.index;
-	req.n.nlmsg_flags = NLM_F_REQUEST;
-	req.n.nlmsg_type = XFRM_MSG_GETPOLICY;
-	req.n.nlmsg_len = NLMSG_ALIGN(NLMSG_LENGTH(sizeof(req.id)));
-
-	rsp.n.nlmsg_type = XFRM_MSG_NEWPOLICY;
-
-	if (!send_netlink_msg(&req.n, &rsp.n, sizeof(rsp), "Get policy", "?"))
-	{
-		return;
-	}
-	if (netlink_error("XFRM_MSG_GETPOLICY", &rsp.n, &rsp.u.e, sizeof(rsp.u.pol)))
-	{
-		return;
-	}
-	if (req.id.index != rsp.u.pol.index)
-	{
-		DBG(DBG_KLIPS,
-			DBG_log("netlink_policy_expire: policy was replaced: "
-					"dir=%d, oldindex=%d, newindex=%d"
-				, req.id.dir, req.id.index, rsp.u.pol.index));
-		return;
-	}
-
-	if (upe->pol.curlft.add_time != rsp.u.pol.curlft.add_time)
-	{
-		DBG(DBG_KLIPS,
-			DBG_log("netlink_policy_expire: policy was replaced "
-					" and you have won the lottery: "
-					"dir=%d, index=%d"
-				, req.id.dir, req.id.index));
-		return;
-	}
-
-	switch (upe->pol.dir)
-	{
-	case XFRM_POLICY_OUT:
-		netlink_shunt_expire(&rsp.u.pol);
-		break;
-	}
-}
-
-static bool netlink_get(void)
-{
-	struct {
-		struct nlmsghdr n;
-		char data[1024];
-	} rsp;
-	ssize_t r;
-	struct sockaddr_nl addr;
-	socklen_t alen;
-
-	alen = sizeof(addr);
-	r = recvfrom(netlink_bcast_fd, &rsp, sizeof(rsp), 0
-		, (struct sockaddr *)&addr, &alen);
-	if (r < 0)
-	{
-		if (errno == EAGAIN)
-			return FALSE;
-		if (errno != EINTR)
-			log_errno((e, "recvfrom() failed in netlink_get"));
-		return TRUE;
-	}
-	else if ((size_t) r < sizeof(rsp.n))
-	{
-		plog("netlink_get read truncated message: %ld bytes; ignore message"
-			, (long) r);
-		return TRUE;
-	}
-	else if (addr.nl_pid != 0)
-	{
-		/* not for us: ignore */
-		DBG(DBG_KLIPS,
-			DBG_log("netlink_get: ignoring %s message from process %u"
-				, sparse_val_show(xfrm_type_names, rsp.n.nlmsg_type)
-				, addr.nl_pid));
-		return TRUE;
-	}
-	else if ((size_t) r != rsp.n.nlmsg_len)
-	{
-		plog("netlink_get read message with length %ld that doesn't equal nlmsg_len %lu bytes; ignore message"
-			, (long) r
-			, (unsigned long) rsp.n.nlmsg_len);
-		return TRUE;
-	}
-
-	DBG(DBG_KLIPS,
-		DBG_log("netlink_get: %s message"
-				, sparse_val_show(xfrm_type_names, rsp.n.nlmsg_type)));
-
-	switch (rsp.n.nlmsg_type)
-	{
-	case XFRM_MSG_ACQUIRE:
-		netlink_acquire(&rsp.n);
-		break;
-	case XFRM_MSG_POLEXPIRE:
-		netlink_policy_expire(&rsp.n);
-		break;
-	default:
-		/* ignored */
-		break;
-	}
-
-	return TRUE;
-}
-
-static void netlink_process_msg(void)
-{
-	while (netlink_get());
-}
-
-static ipsec_spi_t netlink_get_spi(const ip_address *src, const ip_address *dst,
-								  int proto, bool tunnel_mode, unsigned reqid,
-								  ipsec_spi_t min, ipsec_spi_t max,
-								  const char *text_said)
-{
-	struct {
-		struct nlmsghdr n;
-		struct xfrm_userspi_info spi;
-	} req;
-
-	struct {
-		struct nlmsghdr n;
-		union {
-			struct nlmsgerr e;
-			struct xfrm_usersa_info sa;
-		} u;
-		char data[1024];
-	} rsp;
-
-	memset(&req, 0, sizeof(req));
-	req.n.nlmsg_flags = NLM_F_REQUEST;
-	req.n.nlmsg_type = XFRM_MSG_ALLOCSPI;
-
-	ip2xfrm(src, &req.spi.info.saddr);
-	ip2xfrm(dst, &req.spi.info.id.daddr);
-	req.spi.info.mode = tunnel_mode;
-	req.spi.info.reqid = reqid;
-	req.spi.info.id.proto = proto;
-	req.spi.info.family = src->u.v4.sin_family;
-	req.spi.min = min;
-	req.spi.max = max;
-
-	req.n.nlmsg_len = NLMSG_ALIGN(NLMSG_LENGTH(sizeof(req.spi)));
-	rsp.n.nlmsg_type = XFRM_MSG_NEWSA;
-
-	if (!send_netlink_msg(&req.n, &rsp.n, sizeof(rsp), "Get SPI", text_said))
-	{
-		return 0;
-	}
-	if (netlink_error("XFRM_MSG_ALLOCSPI", &rsp.n, &rsp.u.e, sizeof(rsp.u.sa)))
-	{
-		return 0;
-	}
-	DBG(DBG_KLIPS,
-		DBG_log("netlink_get_spi: allocated 0x%x for %s"
-			, ntohl(rsp.u.sa.id.spi), text_said));
-	return rsp.u.sa.id.spi;
-}
-
-const struct kernel_ops linux_kernel_ops = {
-		type: KERNEL_TYPE_LINUX,
-		inbound_eroute: 1,
-		policy_lifetime: 1,
-		async_fdp: &netlink_bcast_fd,
-
-		init: init_netlink,
-		pfkey_register: linux_pfkey_register,
-		pfkey_register_response: linux_pfkey_register_response,
-		process_msg: netlink_process_msg,
-		raw_eroute: netlink_raw_eroute,
-		get_policy: netlink_get_policy,
-		add_sa: netlink_add_sa,
-		del_sa: netlink_del_sa,
-		get_sa: netlink_get_sa,
-		process_queue: NULL,
-		grp_sa: NULL,
-		get_spi: netlink_get_spi,
-};
-#endif /* linux && KLIPS */
diff --git a/src/pluto/kernel_netlink.h b/src/pluto/kernel_netlink.h
deleted file mode 100644
index 65163c966..000000000
--- a/src/pluto/kernel_netlink.h
+++ /dev/null
@@ -1,18 +0,0 @@
-/* declarations of routines that interface with the kernel's pfkey mechanism
- * Copyright (C) 1998-2001  D. Hugh Redelmeier.
- * Copyright (C) 2003  Herbert Xu
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#if defined(KLIPS) && defined(linux)
-extern const struct kernel_ops linux_kernel_ops;
-#endif
diff --git a/src/pluto/kernel_noklips.c b/src/pluto/kernel_noklips.c
deleted file mode 100644
index e99efe062..000000000
--- a/src/pluto/kernel_noklips.c
+++ /dev/null
@@ -1,124 +0,0 @@
-/* interface to fake kernel interface, used for testing pluto in-vitro.
- * Copyright (C) 1997 Angelos D. Keromytis.
- * Copyright (C) 1998-2002  D. Hugh Redelmeier.
- * Copyright (C) 2003 Michael Richardson <mcr@freeswan.org>
- * Copyright (C) 2003 Herbert Xu.
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <errno.h>
-#include <fcntl.h>
-#include <stddef.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-
-#include <sys/select.h>
-#include <sys/time.h>
-#include <sys/socket.h>
-#include <sys/types.h>
-#include <sys/queue.h>
-
-#include <freeswan.h>
-#include <pfkeyv2.h>
-#include <pfkey.h>
-
-#include "constants.h"
-#include "defs.h"
-#include "kernel.h"
-#include "kernel_noklips.h"
-#include "log.h"
-#include "whack.h"      /* for RC_LOG_SERIOUS */
-
-void
-init_noklips(void)
-{
-  return;
-}
-
-/* asynchronous messages from our queue */
-static void
-noklips_dequeue(void)
-{
-}
-
-/* asynchronous messages directly from PF_KEY socket */
-static void
-noklips_event(void)
-{
-}
-
-static void
-noklips_register_response(const struct sadb_msg *msg UNUSED)
-{
-}
-
-static void
-noklips_register(void)
-{
-}
-
-static bool
-noklips_raw_eroute(const ip_address *this_host UNUSED
-				   , const ip_subnet *this_client UNUSED
-				   , const ip_address *that_host UNUSED
-				   , const ip_subnet *that_client UNUSED
-				   , ipsec_spi_t spi UNUSED
-				   , unsigned int satype UNUSED
-				   , unsigned int transport_proto UNUSED
-				   , const struct pfkey_proto_info *proto_info UNUSED
-				   , time_t use_lifetime UNUSED
-				   , unsigned int op UNUSED
-				   , const char *text_said UNUSED)
-{
-  return TRUE;
-}
-
-static bool
-noklips_add_sa(const struct kernel_sa *sa UNUSED
-			   , bool replace UNUSED)
-{
-  return TRUE;
-}
-
-static bool
-noklips_grp_sa(const struct kernel_sa *sa0 UNUSED
-			   , const struct kernel_sa *sa1 UNUSED)
-{
-  return TRUE;
-}
-
-static bool
-noklips_del_sa(const struct kernel_sa *sa UNUSED)
-{
-  return TRUE;
-}
-
-
-const struct kernel_ops noklips_kernel_ops = {
-		type: KERNEL_TYPE_NONE,
-		async_fdp: NULL,
-
-		init: init_noklips,
-		pfkey_register: noklips_register,
-		pfkey_register_response: noklips_register_response,
-		process_queue: noklips_dequeue,
-		process_msg: noklips_event,
-		raw_eroute: noklips_raw_eroute,
-		add_sa: noklips_add_sa,
-		grp_sa: noklips_grp_sa,
-		del_sa: noklips_del_sa,
-		get_sa: NULL,
-		get_spi: NULL,
-		inbound_eroute: FALSE,
-		policy_lifetime: FALSE
-};
diff --git a/src/pluto/kernel_noklips.h b/src/pluto/kernel_noklips.h
deleted file mode 100644
index 3da55d80b..000000000
--- a/src/pluto/kernel_noklips.h
+++ /dev/null
@@ -1,17 +0,0 @@
-/* declarations of routines that interface with the kernel's pfkey mechanism
- * Copyright (C) 1998-2001  D. Hugh Redelmeier.
- * Copyright (C) 2003  Herbert Xu
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-extern void init_noklips(void);
-extern const struct kernel_ops noklips_kernel_ops;
diff --git a/src/pluto/kernel_pfkey.c b/src/pluto/kernel_pfkey.c
index 99ba4ff30..77fff2f9e 100644
--- a/src/pluto/kernel_pfkey.c
+++ b/src/pluto/kernel_pfkey.c
@@ -1,7 +1,9 @@
-/* pfkey interface to the kernel's IPsec mechanism
- * Copyright (C) 1997 Angelos D. Keromytis.
- * Copyright (C) 1998-2002  D. Hugh Redelmeier.
+/*
+ * Copyright (C) 2010 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
  * Copyright (C) 2003 Herbert Xu.
+ * Copyright (C) 1998-2002  D. Hugh Redelmeier.
+ * Copyright (C) 1997 Angelos D. Keromytis.
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -14,41 +16,29 @@
  * for more details.
  */
 
-#ifdef KLIPS
-
 #include <errno.h>
-#include <fcntl.h>
-#include <stddef.h>
-#include <stdlib.h>
-#include <string.h>
 #include <unistd.h>
 
 #include <sys/select.h>
-#include <sys/time.h>
 #include <sys/socket.h>
 #include <sys/types.h>
-#include <sys/queue.h>
 
 #include <freeswan.h>
 #include <pfkeyv2.h>
 #include <pfkey.h>
 
 #include "constants.h"
-#include "defs.h"
 #include "kernel.h"
 #include "kernel_pfkey.h"
 #include "log.h"
 #include "whack.h"      /* for RC_LOG_SERIOUS */
-#include "demux.h"
-#include "nat_traversal.h"
-#include "alg_info.h"
 #include "kernel_alg.h"
 
 
 static int pfkeyfd = NULL_FD;
 
 typedef u_int32_t pfkey_seq_t;
-static pfkey_seq_t pfkey_seq = 0;       /* sequence number for our PF_KEY messages */
+static pfkey_seq_t pfkey_seq = 0; /* sequence number for our PF_KEY messages */
 
 static pid_t pid;
 
@@ -77,106 +67,19 @@ static sparse_names pfkey_type_names = {
 		{ 0, sparse_end }
 };
 
-#ifdef NEVER /* not needed yet */
-static sparse_names pfkey_ext_names = {
-		NE(SADB_EXT_RESERVED),
-		NE(SADB_EXT_SA),
-		NE(SADB_EXT_LIFETIME_CURRENT),
-		NE(SADB_EXT_LIFETIME_HARD),
-		NE(SADB_EXT_LIFETIME_SOFT),
-		NE(SADB_EXT_ADDRESS_SRC),
-		NE(SADB_EXT_ADDRESS_DST),
-		NE(SADB_EXT_ADDRESS_PROXY),
-		NE(SADB_EXT_KEY_AUTH),
-		NE(SADB_EXT_KEY_ENCRYPT),
-		NE(SADB_EXT_IDENTITY_SRC),
-		NE(SADB_EXT_IDENTITY_DST),
-		NE(SADB_EXT_SENSITIVITY),
-		NE(SADB_EXT_PROPOSAL),
-		NE(SADB_EXT_SUPPORTED_AUTH),
-		NE(SADB_EXT_SUPPORTED_ENCRYPT),
-		NE(SADB_EXT_SPIRANGE),
-		NE(SADB_X_EXT_KMPRIVATE),
-		NE(SADB_X_EXT_SATYPE2),
-		NE(SADB_X_EXT_SA2),
-		NE(SADB_X_EXT_ADDRESS_DST2),
-		NE(SADB_X_EXT_ADDRESS_SRC_FLOW),
-		NE(SADB_X_EXT_ADDRESS_DST_FLOW),
-		NE(SADB_X_EXT_ADDRESS_SRC_MASK),
-		NE(SADB_X_EXT_ADDRESS_DST_MASK),
-		NE(SADB_X_EXT_DEBUG),
-		{ 0, sparse_end }
-};
-#endif /* NEVER */
-
 #undef NE
 
-void
-init_pfkey(void)
-{
-	pid = getpid();
-
-	/* open PF_KEY socket */
-
-	pfkeyfd = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
-
-	if (pfkeyfd == -1)
-		exit_log_errno((e, "socket() in init_pfkeyfd()"));
-
-#ifdef NEVER    /* apparently unsupported! */
-	if (fcntl(pfkeyfd, F_SETFL, O_NONBLOCK) != 0)
-		exit_log_errno((e, "fcntl(O_NONBLOCK) in init_pfkeyfd()"));
-#endif
-	if (fcntl(pfkeyfd, F_SETFD, FD_CLOEXEC) != 0)
-		exit_log_errno((e, "fcntl(FD_CLOEXEC) in init_pfkeyfd()"));
-
-	DBG(DBG_KLIPS,
-		DBG_log("process %u listening for PF_KEY_V2 on file descriptor %d", (unsigned)pid, pfkeyfd));
-}
-
-/* Kinds of PF_KEY message from the kernel:
- * - response to a request from us
- *   + ACK/NAK
- *   + Register: indicates transforms supported by kernel
- *   + SPI requested by getspi
- * - Acquire, requesting us to deal with trapped clear packet
- * - expiration of of one of our SAs
- * - messages to other processes
- *
- * To minimize the effect on the event-driven structure of Pluto,
- * responses are dealt with synchronously.  We hope that the Kernel
- * produces them synchronously.  We must "read ahead" in the PF_KEY
- * stream, saving Acquire and Expiry messages that are encountered.
- * We ignore messages to other processes.
- */
-
 typedef union {
 		unsigned char bytes[PFKEYv2_MAX_MSGSIZE];
 		struct sadb_msg msg;
 	} pfkey_buf;
 
-/* queue of unprocessed PF_KEY messages input from kernel
- * Note that the pfkey_buf may be partly allocated, reflecting
- * the variable length nature of the messages.  So the link field
- * must come first.
- */
-typedef struct pfkey_item {
-		struct pfkey_item *next;
-		pfkey_buf buf;
-	} pfkey_item;
-
-static pfkey_item *pfkey_iq_head = NULL;        /* oldest */
-static pfkey_item *pfkey_iq_tail;       /* youngest */
-
 static bool
 pfkey_input_ready(void)
 {
-	fd_set readfds;
 	int ndes;
-	struct timeval tm;
-
-	tm.tv_sec = 0;      /* don't wait at all */
-	tm.tv_usec = 0;
+	fd_set readfds;
+	struct timeval tm = { .tv_sec = 0 }; /* don't wait, polling */
 
 	FD_ZERO(&readfds);  /* we only care about pfkeyfd */
 	FD_SET(pfkeyfd, &readfds);
@@ -190,16 +93,16 @@ pfkey_input_ready(void)
 		log_errno((e, "select() failed in pfkey_get()"));
 		return FALSE;
 	}
-
-	if (ndes == 0)
+	else if (ndes == 0)
+	{
 		return FALSE;   /* nothing to read */
-
+	}
 	passert(ndes == 1 && FD_ISSET(pfkeyfd, &readfds));
 	return TRUE;
 }
 
 /* get a PF_KEY message from kernel.
- * Returns TRUE is message found, FALSE if no message pending,
+ * Returns TRUE if message found, FALSE if no message pending,
  * and aborts or keeps trying when an error is encountered.
  * The only validation of the message is that the message length
  * received matches that in the message header, and that the message
@@ -216,48 +119,48 @@ pfkey_get(pfkey_buf *buf)
 		ssize_t len;
 
 		if (!pfkey_input_ready())
+		{
 			return FALSE;
+		}
 
 		len = read(pfkeyfd, buf->bytes, sizeof(buf->bytes));
 
 		if (len < 0)
 		{
 			if (errno == EAGAIN)
+			{
 				return FALSE;
-
+			}
 			log_errno((e, "read() failed in pfkey_get()"));
 			return FALSE;
 		}
-		else if ((size_t) len < sizeof(buf->msg))
+		else if ((size_t)len < sizeof(buf->msg))
 		{
-			plog("pfkey_get read truncated PF_KEY message: %d bytes; ignoring message"
-				, (int) len);
+			plog("pfkey_get read truncated PF_KEY message: %d bytes; ignoring",
+				 (int)len);
 		}
-		else if ((size_t) len != buf->msg.sadb_msg_len * IPSEC_PFKEYv2_ALIGN)
+		else if ((size_t)len != buf->msg.sadb_msg_len * IPSEC_PFKEYv2_ALIGN)
 		{
-			plog("pfkey_get read PF_KEY message with length %d that doesn't equal sadb_msg_len %u * %u; ignoring message"
-				, (int) len
-				, (unsigned) buf->msg.sadb_msg_len
-				, (unsigned) IPSEC_PFKEYv2_ALIGN);
+			plog("pfkey_get read PF_KEY message with length %d that doesn't"
+				 " equal sadb_msg_len %u * %u; ignoring message", (int)len,
+				 (unsigned)buf->msg.sadb_msg_len, (unsigned)IPSEC_PFKEYv2_ALIGN);
 		}
-		else if (!(buf->msg.sadb_msg_pid == (unsigned)pid
-		|| (buf->msg.sadb_msg_pid == 0 && buf->msg.sadb_msg_type == SADB_ACQUIRE)
-		|| (buf->msg.sadb_msg_type == SADB_REGISTER)
-		|| (buf->msg.sadb_msg_pid == 0 && buf->msg.sadb_msg_type == SADB_X_NAT_T_NEW_MAPPING)))
+		else if (buf->msg.sadb_msg_pid != (unsigned)pid)
 		{
 			/* not for us: ignore */
-			DBG(DBG_KLIPS,
-				DBG_log("pfkey_get: ignoring PF_KEY %s message %u for process %u"
-					, sparse_val_show(pfkey_type_names, buf->msg.sadb_msg_type)
-					, buf->msg.sadb_msg_seq
-					, buf->msg.sadb_msg_pid));
+			DBG(DBG_KERNEL,
+				DBG_log("pfkey_get: ignoring PF_KEY %s message %u for process"
+						" %u", sparse_val_show(pfkey_type_names,
+											   buf->msg.sadb_msg_type),
+						buf->msg.sadb_msg_seq, buf->msg.sadb_msg_pid));
 		}
 		else
 		{
-			DBG(DBG_KLIPS,
-				DBG_log("pfkey_get: %s message %u"
-					, sparse_val_show(pfkey_type_names, buf->msg.sadb_msg_type)
-					, buf->msg.sadb_msg_seq));
+			DBG(DBG_KERNEL,
+				DBG_log("pfkey_get: %s message %u",
+						sparse_val_show(pfkey_type_names,
+										buf->msg.sadb_msg_type),
+						buf->msg.sadb_msg_seq));
 			return TRUE;
 		}
 	}
@@ -269,285 +172,49 @@ pfkey_get_response(pfkey_buf *buf, pfkey_seq_t seq)
 {
 	while (pfkey_get(buf))
 	{
-		if (buf->msg.sadb_msg_pid == (unsigned)pid
-		&& buf->msg.sadb_msg_seq == seq)
+		if (buf->msg.sadb_msg_seq == seq)
 		{
 			return TRUE;
 		}
-		else
-		{
-			/* Not for us: queue it. */
-			size_t bl = buf->msg.sadb_msg_len * IPSEC_PFKEYv2_ALIGN;
-			pfkey_item *it = malloc(offsetof(pfkey_item, buf) + bl);
-
-			memcpy(&it->buf, buf, bl);
-
-			it->next = NULL;
-			if (pfkey_iq_head == NULL)
-			{
-				pfkey_iq_head = it;
-			}
-			else
-			{
-				pfkey_iq_tail->next = it;
-			}
-			pfkey_iq_tail = it;
-		}
 	}
 	return FALSE;
 }
 
-/* Process a SADB_REGISTER message from the kernel.
- * This will be a response to one of ours, but it may be asynchronous
- * (if kernel modules are loaded and unloaded).
- * Some sanity checking has already been performed.
- */
-static void
-klips_pfkey_register_response(const struct sadb_msg *msg)
-{
-	/* Find out what the kernel can support.
-	 * In fact, the only question at the moment
-	 * is whether it can support IPcomp.
-	 * So we ignore the rest.
-	 * ??? we really should pay attention to what transforms are supported.
-	 */
-	switch (msg->sadb_msg_satype)
-	{
-	case SADB_SATYPE_AH:
-		break;
-	case SADB_SATYPE_ESP:
-#ifndef NO_KERNEL_ALG
-		kernel_alg_register_pfkey(msg, sizeof (pfkey_buf));
-#endif
-		break;
-	case SADB_X_SATYPE_COMP:
-		/* ??? There ought to be an extension to list the
-		 * supported algorithms, but RFC 2367 doesn't
-		 * list one for IPcomp.  KLIPS uses SADB_X_CALG_DEFLATE.
-		 * Since we only implement deflate, we'll assume this.
-		 */
-		can_do_IPcomp = TRUE;
-		break;
-	case SADB_X_SATYPE_IPIP:
-		break;
-	default:
-		break;
-	}
-}
-
-/* Processs a SADB_ACQUIRE message from KLIPS.
- * Try to build an opportunistic connection!
- * See RFC 2367 "PF_KEY Key Management API, Version 2" 3.1.6
- * <base, address(SD), (address(P)), (identity(SD),) (sensitivity,) proposal>
- * - extensions for source and data IP addresses
- * - optional extensions for identity [not useful for us?]
- * - optional extension for sensitivity [not useful for us?]
- * - expension for proposal [not useful for us?]
- *
- * ??? We must use the sequence number in creating an SA.
- * We actually need to create up to 4 SAs each way.  Which one?
- * I guess it depends on the protocol present in the sadb_msg_satype.
- * For now, we'll ignore this requirement.
- *
- * ??? We need some mechanism to make sure that multiple ACQUIRE messages
- * don't cause a whole bunch of redundant negotiations.
- */
-static void
-process_pfkey_acquire(pfkey_buf *buf, struct sadb_ext *extensions[SADB_EXT_MAX + 1])
-{
-	struct sadb_address *srcx = (void *) extensions[SADB_EXT_ADDRESS_SRC];
-	struct sadb_address *dstx = (void *) extensions[SADB_EXT_ADDRESS_DST];
-	int src_proto = srcx->sadb_address_proto;
-	int dst_proto = dstx->sadb_address_proto;
-	ip_address *src = (ip_address*)&srcx[1];
-	ip_address *dst = (ip_address*)&dstx[1];
-	ip_subnet ours, his;
-	err_t ugh = NULL;
-
-	/* assumption: we're only catching our own outgoing packets
-	 * so source is our end and destination is the other end.
-	 * Verifying this is not actually convenient.
-	 *
-	 * This stylized control structure yields a complaint or
-	 * desired results.  For compactness, a pointer value is
-	 * treated as a boolean.  Logically, the structure is:
-	 * keep going as long as things are OK.
-	 */
-	if (buf->msg.sadb_msg_pid == 0      /* we only wish to hear from kernel */
-	&& !(ugh = src_proto == dst_proto? NULL : "src and dst protocols differ")
-	&& !(ugh = addrtypeof(src) == addrtypeof(dst)? NULL : "conflicting address types")
-	&& !(ugh = addrtosubnet(src, &ours))
-	&& !(ugh = addrtosubnet(dst, &his)))
-		record_and_initiate_opportunistic(&ours, &his, src_proto, "%acquire");
-
-	if (ugh != NULL)
-		plog("SADB_ACQUIRE message from KLIPS malformed: %s", ugh);
-
-}
-
-/* Handle PF_KEY messages from the kernel that are not dealt with
- * synchronously.  In other words, all but responses to PF_KEY messages
- * that we sent.
- */
-static void
-pfkey_async(pfkey_buf *buf)
-{
-	struct sadb_ext *extensions[SADB_EXT_MAX + 1];
-
-	if (pfkey_msg_parse(&buf->msg, NULL, extensions, EXT_BITS_OUT))
-	{
-		plog("pfkey_async:"
-			" unparseable PF_KEY message:"
-			" %s len=%d, errno=%d, seq=%d, pid=%d; message ignored"
-			, sparse_val_show(pfkey_type_names, buf->msg.sadb_msg_type)
-			, buf->msg.sadb_msg_len
-			, buf->msg.sadb_msg_errno
-			, buf->msg.sadb_msg_seq
-			, buf->msg.sadb_msg_pid);
-	}
-	else
-	{
-		DBG(DBG_CONTROL | DBG_KLIPS, DBG_log("pfkey_async:"
-			" %s len=%u, errno=%u, satype=%u, seq=%u, pid=%u"
-			, sparse_val_show(pfkey_type_names, buf->msg.sadb_msg_type)
-			, buf->msg.sadb_msg_len
-			, buf->msg.sadb_msg_errno
-			, buf->msg.sadb_msg_satype
-			, buf->msg.sadb_msg_seq
-			, buf->msg.sadb_msg_pid));
-
-		switch (buf->msg.sadb_msg_type)
-		{
-		case SADB_REGISTER:
-			kernel_ops->pfkey_register_response(&buf->msg);
-			break;
-		case SADB_ACQUIRE:
-			/* to simulate loss of ACQUIRE, delete this call */
-			process_pfkey_acquire(buf, extensions);
-			break;
-		case SADB_X_NAT_T_NEW_MAPPING:
-			process_pfkey_nat_t_new_mapping(&(buf->msg), extensions);
-			break;
-		default:
-			/* ignored */
-			break;
-		}
-	}
-}
-
-/* asynchronous messages from our queue */
-static void
-pfkey_dequeue(void)
-{
-	while (pfkey_iq_head != NULL)
-	{
-		pfkey_item *it = pfkey_iq_head;
-
-		pfkey_async(&it->buf);
-		pfkey_iq_head = it->next;
-		free(it);
-	}
-
-	/* Handle any orphaned holds, but only if no pfkey input is pending.
-	 * For each, we initiate Opportunistic.
-	 * note: we don't need to advance the pointer because
-	 * record_and_initiate_opportunistic will remove the current
-	 * record each time we call it.
-	 */
-	while (orphaned_holds != NULL && !pfkey_input_ready())
-	  record_and_initiate_opportunistic(&orphaned_holds->ours
-										, &orphaned_holds->his
-										, orphaned_holds->transport_proto
-										, "%hold found-pfkey");
-
-}
-
-/* asynchronous messages directly from PF_KEY socket */
-static void
-pfkey_event(void)
-{
-	pfkey_buf buf;
-
-	if (pfkey_get(&buf))
-		pfkey_async(&buf);
-}
-
 static bool
-pfkey_build(int error
-, const char *description
-, const char *text_said
-, struct sadb_ext *extensions[SADB_EXT_MAX + 1])
+pfkey_build(int error, const char *description, const char *text_said,
+			struct sadb_ext *extensions[SADB_EXT_MAX + 1])
 {
-	if (error == 0)
-	{
-		return TRUE;
-	}
-	else
+	if (error != 0)
 	{
-		loglog(RC_LOG_SERIOUS, "building of %s %s failed, code %d"
-			, description, text_said, error);
+		loglog(RC_LOG_SERIOUS, "building of %s %s failed, code %d", description,
+							   text_said, error);
 		pfkey_extensions_free(extensions);
 		return FALSE;
 	}
+	return TRUE;
 }
 
 /* pfkey_extensions_init + pfkey_build + pfkey_msg_hdr_build */
 static bool
-pfkey_msg_start(u_int8_t msg_type
-, u_int8_t satype
-, const char *description
-, const char *text_said
-, struct sadb_ext *extensions[SADB_EXT_MAX + 1])
+pfkey_msg_start(u_int8_t msg_type, u_int8_t satype, const char *description,
+				const char *text_said,
+				struct sadb_ext *extensions[SADB_EXT_MAX + 1])
 {
 	pfkey_extensions_init(extensions);
-	return pfkey_build(pfkey_msg_hdr_build(&extensions[0], msg_type
-			, satype, 0, ++pfkey_seq, pid)
-		, description, text_said, extensions);
-}
-
-/* pfkey_build + pfkey_address_build */
-static bool
-pfkeyext_address(u_int16_t exttype
-, const ip_address *address
-, const char *description
-, const char *text_said
-, struct sadb_ext *extensions[SADB_EXT_MAX + 1])
-{
-	/* the following variable is only needed to silence
-	 * a warning caused by the fact that the argument
-	 * to sockaddrof is NOT pointer to const!
-	 */
-	ip_address t = *address;
-
-	return pfkey_build(pfkey_address_build(extensions + exttype
-			, exttype, 0, 0, sockaddrof(&t))
-		, description, text_said, extensions);
-}
-
-/* pfkey_build + pfkey_x_protocol_build */
-static bool
-pfkeyext_protocol(int transport_proto
-, const char *description
-, const char *text_said
-, struct sadb_ext *extensions[SADB_EXT_MAX + 1])
-{
-	return (transport_proto == 0)? TRUE
-		: pfkey_build(
-			pfkey_x_protocol_build(extensions + SADB_X_EXT_PROTOCOL, transport_proto)
-			, description, text_said, extensions);
+	return pfkey_build(pfkey_msg_hdr_build(&extensions[0], msg_type, satype, 0,
+										   ++pfkey_seq, pid),
+					   description, text_said, extensions);
 }
 
-
 /* Finish (building, sending, accepting response for) PF_KEY message.
  * If response isn't NULL, the response from the kernel will be
  * placed there (and its errno field will not be examined).
  * Returns TRUE iff all appears well.
  */
 static bool
-finish_pfkey_msg(struct sadb_ext *extensions[SADB_EXT_MAX + 1]
-, const char *description
-, const char *text_said
-, pfkey_buf *response)
+finish_pfkey_msg(struct sadb_ext *extensions[SADB_EXT_MAX + 1],
+				 const char *description, const char *text_said,
+				 pfkey_buf *response)
 {
 	struct sadb_msg *pfkey_msg;
 	bool success = TRUE;
@@ -557,368 +224,157 @@ finish_pfkey_msg(struct sadb_ext *extensions[SADB_EXT_MAX + 1]
 
 	if (error != 0)
 	{
-		loglog(RC_LOG_SERIOUS, "pfkey_msg_build of %s %s failed, code %d"
-			, description, text_said, error);
+		loglog(RC_LOG_SERIOUS, "pfkey_msg_build of %s %s failed, code %d",
+							   description, text_said, error);
 		success = FALSE;
 	}
 	else
 	{
 		size_t len = pfkey_msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN;
 
-		DBG(DBG_KLIPS,
-			DBG_log("finish_pfkey_msg: %s message %u for %s %s"
-				, sparse_val_show(pfkey_type_names, pfkey_msg->sadb_msg_type)
-				, pfkey_msg->sadb_msg_seq
-				, description, text_said);
+		DBG(DBG_KERNEL,
+			DBG_log("finish_pfkey_msg: %s message %u for %s %s",
+					sparse_val_show(pfkey_type_names, pfkey_msg->sadb_msg_type),
+					pfkey_msg->sadb_msg_seq, description, text_said);
 			DBG_dump(NULL, (void *) pfkey_msg, len));
 
-		if (!no_klips)
-		{
-			ssize_t r = write(pfkeyfd, pfkey_msg, len);
+		ssize_t r = write(pfkeyfd, pfkey_msg, len);
 
-			if (r != (ssize_t)len)
+		if (r != (ssize_t)len)
+		{
+			if (r < 0)
 			{
-				if (r < 0)
-				{
-					log_errno((e
-						, "pfkey write() of %s message %u"
-						  " for %s %s failed"
-						, sparse_val_show(pfkey_type_names
-							, pfkey_msg->sadb_msg_type)
-						, pfkey_msg->sadb_msg_seq
-						, description, text_said));
-				}
-				else
-				{
-					loglog(RC_LOG_SERIOUS
-						, "ERROR: pfkey write() of %s message %u"
-						  " for %s %s truncated: %ld instead of %ld"
-						, sparse_val_show(pfkey_type_names
-							, pfkey_msg->sadb_msg_type)
-						, pfkey_msg->sadb_msg_seq
-						, description, text_said
-						, (long)r, (long)len);
-				}
-				success = FALSE;
+				log_errno((e, "pfkey write() of %s message %u for %s %s"
+						  " failed", sparse_val_show(pfkey_type_names,
+							pfkey_msg->sadb_msg_type), pfkey_msg->sadb_msg_seq,
+						  description, text_said));
+			}
+			else
+			{
+				loglog(RC_LOG_SERIOUS, "ERROR: pfkey write() of %s message"
+					   " %u for %s %s truncated: %ld instead of %ld",
+					   sparse_val_show(pfkey_type_names,
+							pfkey_msg->sadb_msg_type), pfkey_msg->sadb_msg_seq,
+						description, text_said, (long)r, (long)len);
+			}
+			success = FALSE;
 
-				/* if we were compiled with debugging, but we haven't already
-				 * dumped the KLIPS command, do so.
-				 */
+			/* if we were compiled with debugging, but we haven't already
+			 * dumped the command, do so.
+			 */
 #ifdef DEBUG
-				if ((cur_debugging & DBG_KLIPS) == 0)
-					DBG_dump(NULL, (void *) pfkey_msg, len);
+			if ((cur_debugging & DBG_KERNEL) == 0)
+				DBG_dump(NULL, (void *) pfkey_msg, len);
 #endif
+		}
+		else
+		{
+			/* Check response from kernel.
+			 * It ought to be an echo, perhaps with additional info.
+			 * If the caller wants it, response will point to space.
+			 */
+			pfkey_buf b;
+			pfkey_buf *bp = response != NULL? response : &b;
+
+			if (!pfkey_get_response(bp,
+						((struct sadb_msg *)extensions[0])->sadb_msg_seq))
+			{
+				loglog(RC_LOG_SERIOUS, "ERROR: no response to our PF_KEY %s"
+					   " message for %s %s", sparse_val_show(pfkey_type_names,
+							pfkey_msg->sadb_msg_type), description, text_said);
+				success = FALSE;
 			}
-			else
+			else if (pfkey_msg->sadb_msg_type != bp->msg.sadb_msg_type)
 			{
-				/* Check response from KLIPS.
-				 * It ought to be an echo, perhaps with additional info.
-				 * If the caller wants it, response will point to space.
-				 */
-				pfkey_buf b;
-				pfkey_buf *bp = response != NULL? response : &b;
-
-				if (!pfkey_get_response(bp, ((struct sadb_msg *) extensions[0])->sadb_msg_seq))
-				{
-					loglog(RC_LOG_SERIOUS
-						, "ERROR: no response to our PF_KEY %s message for %s %s"
-						, sparse_val_show(pfkey_type_names, pfkey_msg->sadb_msg_type)
-						, description, text_said);
-					success = FALSE;
-				}
-				else if (pfkey_msg->sadb_msg_type != bp->msg.sadb_msg_type)
-				{
-					loglog(RC_LOG_SERIOUS
-						, "FreeS/WAN ERROR: response to our PF_KEY %s message for %s %s was of wrong type (%s)"
-						, sparse_name(pfkey_type_names, pfkey_msg->sadb_msg_type)
-						, description, text_said
-						, sparse_val_show(pfkey_type_names, bp->msg.sadb_msg_type));
-					success = FALSE;
-				}
-				else if (response == NULL && bp->msg.sadb_msg_errno != 0)
-				{
-					/* KLIPS is signalling a problem */
-					loglog(RC_LOG_SERIOUS
-						, "ERROR: PF_KEY %s response for %s %s included errno %u: %s"
-						, sparse_val_show(pfkey_type_names, pfkey_msg->sadb_msg_type)
-						, description, text_said
-						, (unsigned) bp->msg.sadb_msg_errno
-						, strerror(bp->msg.sadb_msg_errno));
-					success = FALSE;
-				}
+				loglog(RC_LOG_SERIOUS, "ERROR: response to our PF_KEY %s"
+					   " message for %s %s was of wrong type (%s)",
+					   sparse_name(pfkey_type_names, pfkey_msg->sadb_msg_type),
+					   description, text_said, sparse_val_show(pfkey_type_names,
+							bp->msg.sadb_msg_type));
+				success = FALSE;
+			}
+			else if (response == NULL && bp->msg.sadb_msg_errno != 0)
+			{
+				/* Kernel is signalling a problem */
+				loglog(RC_LOG_SERIOUS, "ERROR: PF_KEY %s response for %s %s"
+					   " included errno %u: %s",
+					   sparse_val_show(pfkey_type_names,
+							pfkey_msg->sadb_msg_type), description, text_said,
+					   (unsigned) bp->msg.sadb_msg_errno,
+					   strerror(bp->msg.sadb_msg_errno));
+				success = FALSE;
 			}
 		}
 	}
-
-	/* all paths must exit this way to free resources */
 	pfkey_extensions_free(extensions);
 	pfkey_msg_free(&pfkey_msg);
 	return success;
 }
 
-/*  register SA types that can be negotiated */
-void
-pfkey_register_proto(unsigned satype, const char *satypename)
+/* Process a SADB_REGISTER message from the kernel.
+ * This will be a response to one of ours, but it may be asynchronous
+ * (if kernel modules are loaded and unloaded).
+ * Some sanity checking has already been performed.
+ */
+static void
+pfkey_register_response(const struct sadb_msg *msg)
 {
-	struct sadb_ext *extensions[SADB_EXT_MAX + 1];
-	pfkey_buf pfb;
-
-	if (!(pfkey_msg_start(SADB_REGISTER
-	  , satype
-	  , satypename, NULL, extensions)
-	&& finish_pfkey_msg(extensions, satypename, "", &pfb)))
-	{
-		/* ??? should this be loglog */
-		plog("no KLIPS support for %s", satypename);
-	}
-	else
+	/* Find out what the kernel can support.
+	 */
+	switch (msg->sadb_msg_satype)
 	{
-		kernel_ops->pfkey_register_response(&pfb.msg);
-		DBG(DBG_KLIPS,
-			DBG_log("%s registered with kernel.", satypename));
+	case SADB_SATYPE_ESP:
+#ifndef NO_KERNEL_ALG
+		kernel_alg_register_pfkey(msg, sizeof (pfkey_buf));
+#endif
+		break;
+	case SADB_X_SATYPE_IPCOMP:
+		/* ??? There ought to be an extension to list the
+		 * supported algorithms, but RFC 2367 doesn't
+		 * list one for IPcomp.
+		 */
+		can_do_IPcomp = TRUE;
+		break;
+	default:
+		break;
 	}
 }
 
+/**  register SA types that can be negotiated */
 static void
-klips_pfkey_register(void)
-{
-	pfkey_register_proto(SADB_SATYPE_AH, "AH");
-	pfkey_register_proto(SADB_SATYPE_ESP, "ESP");
-	can_do_IPcomp = FALSE;  /* until we get a response from KLIPS */
-	pfkey_register_proto(SADB_X_SATYPE_COMP, "IPCOMP");
-	pfkey_register_proto(SADB_X_SATYPE_IPIP, "IPIP");
-}
-
-static bool
-pfkey_raw_eroute(const ip_address *this_host
-				 , const ip_subnet *this_client
-				 , const ip_address *that_host
-				 , const ip_subnet *that_client
-				 , ipsec_spi_t spi
-				 , unsigned int satype
-				 , unsigned int transport_proto
-				 , const struct pfkey_proto_info *proto_info UNUSED
-				 , time_t use_lifetime UNUSED
-				 , unsigned int op
-				 , const char *text_said)
+pfkey_register_proto(unsigned satype, const char *satypename)
 {
 	struct sadb_ext *extensions[SADB_EXT_MAX + 1];
-	ip_address
-		sflow_ska,
-		dflow_ska,
-		smask_ska,
-		dmask_ska;
-	int sport = ntohs(portof(&this_client->addr));
-	int dport = ntohs(portof(&that_client->addr));
-
-	networkof(this_client, &sflow_ska);
-	maskof(this_client, &smask_ska);
-	setportof(sport ? ~0:0, &smask_ska);
-
-	networkof(that_client, &dflow_ska);
-	maskof(that_client, &dmask_ska);
-	setportof(dport ? ~0:0, &dmask_ska);
-
-	if (!pfkey_msg_start(op & ERO_MASK, satype
-					   , "pfkey_msg_hdr flow", text_said, extensions))
-	{
-		return FALSE;
-	}
-
-	if (op != ERO_DELETE)
-	{
-		if (!(pfkey_build(pfkey_sa_build(&extensions[SADB_EXT_SA]
-										 , SADB_EXT_SA
-										 , spi  /* in network order */
-										 , 0, 0, 0, 0, op >> ERO_FLAG_SHIFT)
-						  , "pfkey_sa add flow", text_said, extensions)
-
-			&& pfkeyext_address(SADB_EXT_ADDRESS_SRC, this_host
-				, "pfkey_addr_s add flow", text_said, extensions)
-
-			&& pfkeyext_address(SADB_EXT_ADDRESS_DST, that_host
-								, "pfkey_addr_d add flow", text_said
-								, extensions)))
-		{
-			return FALSE;
-		}
-	}
-
-	if (!pfkeyext_address(SADB_X_EXT_ADDRESS_SRC_FLOW, &sflow_ska
-						  , "pfkey_addr_sflow", text_said, extensions))
-	{
-		return FALSE;
-	}
-
-	if (!pfkeyext_address(SADB_X_EXT_ADDRESS_DST_FLOW, &dflow_ska
-						, "pfkey_addr_dflow", text_said, extensions))
-	{
-		return FALSE;
-	}
-
-	if (!pfkeyext_address(SADB_X_EXT_ADDRESS_SRC_MASK, &smask_ska
-						, "pfkey_addr_smask", text_said, extensions))
-	{
-		return FALSE;
-	}
+	pfkey_buf pfb;
 
-	if (!pfkeyext_address(SADB_X_EXT_ADDRESS_DST_MASK, &dmask_ska
-						, "pfkey_addr_dmask", text_said, extensions))
+	if (!(pfkey_msg_start(SADB_REGISTER, satype, satypename, NULL, extensions)
+		  && finish_pfkey_msg(extensions, satypename, "", &pfb)))
 	{
-		return FALSE;
+		/* ??? should this be loglog */
+		plog("no kernel support for %s", satypename);
 	}
-
-	if (!pfkeyext_protocol(transport_proto
-						, "pfkey_x_protocol", text_said, extensions))
+	else
 	{
-		return FALSE;
+		pfkey_register_response(&pfb.msg);
+		DBG(DBG_KERNEL,
+			DBG_log("%s registered with kernel.", satypename));
 	}
-
-	return finish_pfkey_msg(extensions, "flow", text_said, NULL);
-}
-
-static bool
-pfkey_add_sa(const struct kernel_sa *sa, bool replace)
-{
-	struct sadb_ext *extensions[SADB_EXT_MAX + 1];
-
-	return pfkey_msg_start(replace ? SADB_UPDATE : SADB_ADD, sa->satype
-		, "pfkey_msg_hdr Add SA", sa->text_said, extensions)
-
-	&& pfkey_build(pfkey_sa_build(&extensions[SADB_EXT_SA]
-			, SADB_EXT_SA
-			, sa->spi   /* in network order */
-			, sa->replay_window, SADB_SASTATE_MATURE
-			, sa->authalg, sa->encalg ? sa->encalg: sa->compalg, 0)
-		, "pfkey_sa Add SA", sa->text_said, extensions)
-
-	&& pfkeyext_address(SADB_EXT_ADDRESS_SRC, sa->src
-		, "pfkey_addr_s Add SA", sa->text_said, extensions)
-
-	&& pfkeyext_address(SADB_EXT_ADDRESS_DST, sa->dst
-		, "pfkey_addr_d Add SA", sa->text_said, extensions)
-
-	&& (sa->authkeylen == 0
-		|| pfkey_build(pfkey_key_build(&extensions[SADB_EXT_KEY_AUTH]
-				, SADB_EXT_KEY_AUTH, sa->authkeylen * BITS_PER_BYTE
-				, sa->authkey)
-			, "pfkey_key_a Add SA", sa->text_said, extensions))
-
-	&& (sa->enckeylen == 0
-		|| pfkey_build(pfkey_key_build(&extensions[SADB_EXT_KEY_ENCRYPT]
-				, SADB_EXT_KEY_ENCRYPT, sa->enckeylen * BITS_PER_BYTE
-				, sa->enckey)
-			, "pfkey_key_e Add SA", sa->text_said, extensions))
-
-	&& (sa->natt_type == 0
-		|| pfkey_build(pfkey_x_nat_t_type_build(
-				&extensions[SADB_X_EXT_NAT_T_TYPE], sa->natt_type),
-				"pfkey_nat_t_type Add ESP SA",  sa->text_said, extensions))
-	&& (sa->natt_sport == 0
-		|| pfkey_build(pfkey_x_nat_t_port_build(
-						&extensions[SADB_X_EXT_NAT_T_SPORT], SADB_X_EXT_NAT_T_SPORT,
-						sa->natt_sport), "pfkey_nat_t_sport Add ESP SA", sa->text_said,
-						extensions))
-	&& (sa->natt_dport == 0
-		|| pfkey_build(pfkey_x_nat_t_port_build(
-						&extensions[SADB_X_EXT_NAT_T_DPORT], SADB_X_EXT_NAT_T_DPORT,
-						sa->natt_dport), "pfkey_nat_t_dport Add ESP SA", sa->text_said,
-						extensions))
-	&& (sa->natt_type == 0 || isanyaddr(sa->natt_oa)
-		|| pfkeyext_address(SADB_X_EXT_NAT_T_OA, sa->natt_oa
-			, "pfkey_nat_t_oa Add ESP SA", sa->text_said, extensions))
-
-	&& finish_pfkey_msg(extensions, "Add SA", sa->text_said, NULL);
-
-}
-
-static bool
-pfkey_grp_sa(const struct kernel_sa *sa0, const struct kernel_sa *sa1)
-{
-	struct sadb_ext *extensions[SADB_EXT_MAX + 1];
-
-	return pfkey_msg_start(SADB_X_GRPSA, sa1->satype
-		, "pfkey_msg_hdr group", sa1->text_said, extensions)
-
-	&& pfkey_build(pfkey_sa_build(&extensions[SADB_EXT_SA]
-			, SADB_EXT_SA
-			, sa1->spi  /* in network order */
-			, 0, 0, 0, 0, 0)
-		, "pfkey_sa group", sa1->text_said, extensions)
-
-	&& pfkeyext_address(SADB_EXT_ADDRESS_DST, sa1->dst
-		, "pfkey_addr_d group", sa1->text_said, extensions)
-
-	&& pfkey_build(pfkey_x_satype_build(&extensions[SADB_X_EXT_SATYPE2]
-			, sa0->satype)
-		, "pfkey_satype group", sa0->text_said, extensions)
-
-	&& pfkey_build(pfkey_sa_build(&extensions[SADB_X_EXT_SA2]
-			, SADB_X_EXT_SA2
-			, sa0->spi  /* in network order */
-			, 0, 0, 0, 0, 0)
-		, "pfkey_sa2 group", sa0->text_said, extensions)
-
-	&& pfkeyext_address(SADB_X_EXT_ADDRESS_DST2, sa0->dst
-		, "pfkey_addr_d2 group", sa0->text_said, extensions)
-
-	&& finish_pfkey_msg(extensions, "group", sa1->text_said, NULL);
-}
-
-static bool
-pfkey_del_sa(const struct kernel_sa *sa)
-{
-	struct sadb_ext *extensions[SADB_EXT_MAX + 1];
-
-	return pfkey_msg_start(SADB_DELETE, proto2satype(sa->proto)
-		, "pfkey_msg_hdr delete SA", sa->text_said, extensions)
-
-	&& pfkey_build(pfkey_sa_build(&extensions[SADB_EXT_SA]
-			, SADB_EXT_SA
-			, sa->spi   /* in host order */
-			, 0, SADB_SASTATE_MATURE, 0, 0, 0)
-		, "pfkey_sa delete SA", sa->text_said, extensions)
-
-	&& pfkeyext_address(SADB_EXT_ADDRESS_SRC, sa->src
-		, "pfkey_addr_s delete SA", sa->text_said, extensions)
-
-	&& pfkeyext_address(SADB_EXT_ADDRESS_DST, sa->dst
-		, "pfkey_addr_d delete SA", sa->text_said, extensions)
-
-	&& finish_pfkey_msg(extensions, "Delete SA", sa->text_said, NULL);
 }
 
 void
-pfkey_close(void)
+pfkey_register(void)
 {
-	while (pfkey_iq_head != NULL)
-	{
-		pfkey_item *it = pfkey_iq_head;
+	pid = getpid();
 
-		pfkey_iq_head = it->next;
-		free(it);
+	pfkeyfd = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
+	if (pfkeyfd == -1)
+	{
+		exit_log_errno((e, "socket() in init_pfkeyfd()"));
 	}
 
+	pfkey_register_proto(SADB_SATYPE_AH, "AH");
+	pfkey_register_proto(SADB_SATYPE_ESP, "ESP");
+	pfkey_register_proto(SADB_X_SATYPE_IPCOMP, "IPCOMP");
+
 	close(pfkeyfd);
-	pfkeyfd = NULL_FD;
 }
-
-const struct kernel_ops klips_kernel_ops = {
-		type: KERNEL_TYPE_KLIPS,
-		async_fdp: &pfkeyfd,
-
-		pfkey_register: klips_pfkey_register,
-		pfkey_register_response: klips_pfkey_register_response,
-		process_queue: pfkey_dequeue,
-		process_msg: pfkey_event,
-		raw_eroute: pfkey_raw_eroute,
-		add_sa: pfkey_add_sa,
-		grp_sa: pfkey_grp_sa,
-		del_sa: pfkey_del_sa,
-		get_sa: NULL,
-		get_spi: NULL,
-		inbound_eroute: FALSE,
-		policy_lifetime: FALSE,
-		init: NULL
-};
-#endif /* KLIPS */
diff --git a/src/pluto/kernel_pfkey.h b/src/pluto/kernel_pfkey.h
index ad20a5888..b50ad6c37 100644
--- a/src/pluto/kernel_pfkey.h
+++ b/src/pluto/kernel_pfkey.h
@@ -1,6 +1,6 @@
-/* declarations of routines that interface with the kernel's pfkey mechanism
- * Copyright (C) 1998-2001  D. Hugh Redelmeier.
- * Copyright (C) 2003  Herbert Xu
+/*
+ * Copyright (C) 2010 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -13,9 +13,8 @@
  * for more details.
  */
 
-#ifdef KLIPS
-extern void init_pfkey(void);
-extern void pfkey_register_proto(unsigned satype, const char *satypename);
-extern void pfkey_close(void);
-extern const struct kernel_ops klips_kernel_ops;
-#endif
+/**
+ * Register our capabilities via PF_KEY, also learn the kernel's capabilities,
+ * i.e. the supported algorithms.
+ */
+void pfkey_register();
diff --git a/src/pluto/keys.c b/src/pluto/keys.c
index 6db757ba7..a79c2c0d2 100644
--- a/src/pluto/keys.c
+++ b/src/pluto/keys.c
@@ -37,6 +37,8 @@
 #include <library.h>
 #include <asn1/asn1.h>
 #include <credentials/certificates/pgp_certificate.h>
+#include <credentials/sets/mem_cred.h>
+#include <credentials/sets/callback_cred.h>
 
 #include "constants.h"
 #include "defs.h"
@@ -539,6 +541,128 @@ end:
 	return ugh;
 }
 
+/* struct used to prompt for a secret passphrase
+ * from a console with file descriptor fd
+ */
+typedef struct {
+	char secret[PROMPT_PASS_LEN+1];
+	bool prompt;
+	int fd;
+	int try;
+} prompt_pass_t;
+
+/**
+ * Passphrase callback to read from whack fd
+ */
+static shared_key_t* whack_pass_cb(prompt_pass_t *pass, shared_key_type_t type,
+								identification_t *me, identification_t *other,
+								id_match_t *match_me, id_match_t *match_other)
+{
+	int n;
+
+	if (type != SHARED_ANY && type != SHARED_PRIVATE_KEY_PASS)
+	{
+		return NULL;
+	}
+
+	if (pass->try > MAX_PROMPT_PASS_TRIALS)
+	{
+		whack_log(RC_LOG_SERIOUS, "invalid passphrase, too many trials");
+		return NULL;
+	}
+	if (pass->try == 1)
+	{
+		whack_log(RC_ENTERSECRET, "need passphrase for 'private key'");
+	}
+	else
+	{
+		whack_log(RC_ENTERSECRET, "invalid passphrase, please try again");
+	}
+	pass->try++;
+
+	n = read(pass->fd, pass->secret, PROMPT_PASS_LEN);
+	if (n == -1)
+	{
+		whack_log(RC_LOG_SERIOUS, "read(whackfd) failed");
+		return NULL;
+	}
+	pass->secret[n-1] = '\0';
+
+	if (strlen(pass->secret) == 0)
+	{
+		whack_log(RC_LOG_SERIOUS, "no passphrase entered, aborted");
+		return NULL;
+	}
+	if (match_me)
+	{
+		*match_me = ID_MATCH_PERFECT;
+	}
+	if (match_other)
+	{
+		*match_other = ID_MATCH_NONE;
+	}
+	return shared_key_create(SHARED_PRIVATE_KEY_PASS,
+				chunk_clone(chunk_create(pass->secret, strlen(pass->secret))));
+}
+
+/**
+ *  Loads a PKCS#1 or PGP private key file
+ */
+static private_key_t* load_private_key(char* filename, prompt_pass_t *pass,
+									   key_type_t type)
+{
+	private_key_t *key = NULL;
+	char *path;
+
+	path = concatenate_paths(PRIVATE_KEY_PATH, filename);
+	if (pass && pass->prompt && pass->fd != NULL_FD)
+	{	/* use passphrase callback */
+		callback_cred_t *cb;
+
+		cb = callback_cred_create_shared((void*)whack_pass_cb, pass);
+		lib->credmgr->add_local_set(lib->credmgr, &cb->set);
+
+		key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type,
+								 BUILD_FROM_FILE, path, BUILD_END);
+		lib->credmgr->remove_local_set(lib->credmgr, &cb->set);
+		cb->destroy(cb);
+		if (key)
+		{
+			whack_log(RC_SUCCESS, "valid passphrase");
+		}
+	}
+	else if (pass)
+	{	/* use a given passphrase */
+		mem_cred_t *mem;
+		shared_key_t *shared;
+
+		mem = mem_cred_create();
+		lib->credmgr->add_local_set(lib->credmgr, &mem->set);
+		shared = shared_key_create(SHARED_PRIVATE_KEY_PASS,
+				chunk_clone(chunk_create(pass->secret, strlen(pass->secret))));
+		mem->add_shared(mem, shared, NULL);
+		key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type,
+								 BUILD_FROM_FILE, path, BUILD_END);
+		lib->credmgr->remove_local_set(lib->credmgr, &mem->set);
+		mem->destroy(mem);
+	}
+	else
+	{	/* no passphrase */
+		key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type,
+								 BUILD_FROM_FILE, path, BUILD_END);
+
+	}
+	if (key)
+	{
+		plog("  loaded private key from '%s'", filename);
+	}
+	else
+	{
+		plog("  syntax error in private key file");
+	}
+	return key;
+}
+
 /**
  * process a key file protected with optional passphrase which can either be
  * read from ipsec.secrets or prompted for by using whack
@@ -552,6 +676,7 @@ static err_t process_keyfile(private_key_t **key, key_type_t type, int whackfd)
 	memset(pass.secret,'\0', sizeof(pass.secret));
 	pass.prompt = FALSE;
 	pass.fd = whackfd;
+	pass.try = 1;
 
 	/* we expect the filename of a PKCS#1 private key file */
 
@@ -1324,7 +1449,7 @@ void list_public_keys(bool utc)
 		whack_log(RC_COMMENT, "  identity: '%Y'", key->id);
 		whack_log(RC_COMMENT, "  pubkey:    %N %4d bits, until %T %s",
 			key_type_names, public->get_type(public),
-			public->get_keysize(public) * BITS_PER_BYTE,
+			public->get_keysize(public),
 			&key->until_time, utc,
 			check_expiry(key->until_time, PUBKEY_WARNING_INTERVAL, TRUE));
 		if (public->get_fingerprint(public, KEYID_PUBKEY_INFO_SHA1, &keyid))
diff --git a/src/pluto/log.c b/src/pluto/log.c
index 444ac2220..6e70898a5 100644
--- a/src/pluto/log.c
+++ b/src/pluto/log.c
@@ -862,9 +862,6 @@ void show_status(bool all, const char *name)
 	}
 	show_connections_status(all, name);
 	show_states_status(all, name);
-#ifdef KLIPS
-	show_shunt_status();
-#endif
 }
 
 /* ip_str: a simple to use variant of addrtot.
diff --git a/src/pluto/modecfg.c b/src/pluto/modecfg.c
index 0d0cd899c..a2acce23a 100644
--- a/src/pluto/modecfg.c
+++ b/src/pluto/modecfg.c
@@ -419,7 +419,7 @@ static stf_status modecfg_build_msg(struct state *st, pb_stream *rbody,
 		close_output_pbs(&attrval);
 	}
 	enumerator->destroy(enumerator);
-	close_message(&strattr);
+	close_output_pbs(&strattr);
 	
 	modecfg_hash(r_hashval, r_hash_start, rbody->cur, st);
 	close_message(rbody);
diff --git a/src/pluto/nat_traversal.c b/src/pluto/nat_traversal.c
index feedf2aad..5e9353b72 100644
--- a/src/pluto/nat_traversal.c
+++ b/src/pluto/nat_traversal.c
@@ -1,6 +1,9 @@
-/* FreeS/WAN NAT-Traversal
- * Copyright (C) 2002-2005 Mathieu Lafon - Arkoon Network Security
- * Copyright (C) 2009 Andreas Steffen - Hochschule fuer Technik Rapperswil
+/*
+ * Copyright (C) 2010 Tobias Brunner
+ * Copyright (C) 2009 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2002-2005 Mathieu Lafon
+ * Arkoon Network Security
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -24,10 +27,6 @@
 #include <signal.h>     /* used only if MSG_NOSIGNAL not defined */
 #include <sys/queue.h>
 
-#include <freeswan.h>
-#include <pfkeyv2.h>
-#include <pfkey.h>
-
 #include <library.h>
 #include <crypto/hashers/hasher.h>
 
@@ -796,80 +795,51 @@ void nat_traversal_change_port_lookup(struct msg_digest *md, struct state *st)
 	}
 }
 
-struct _new_klips_mapp_nfo {
-		struct sadb_sa *sa;
-		ip_address src, dst;
-		u_int16_t sport, dport;
+struct _new_kernel_mapp_nfo {
+		u_int32_t reqid;
+		u_int32_t spi;
+		ip_address *addr;
 };
 
-static void nat_t_new_klips_mapp (struct state *st, void *data)
+static void nat_t_new_kernel_mapp (struct state *st, void *data)
 {
 	connection_t *c = st->st_connection;
-	struct _new_klips_mapp_nfo *nfo = (struct _new_klips_mapp_nfo *)data;
+	struct _new_kernel_mapp_nfo *nfo = (struct _new_kernel_mapp_nfo *)data;
 
 	if (c != NULL && st->st_esp.present
-	&&  sameaddr(&c->spd.that.host_addr, &(nfo->src))
-	&&  st->st_esp.our_spi == nfo->sa->sadb_sa_spi)
-	{
-		nat_traversal_new_mapping(&c->spd.that.host_addr, c->spd.that.host_port,
-								  &(nfo->dst), nfo->dport);
-	}
-}
-
-void process_pfkey_nat_t_new_mapping(
-		struct sadb_msg *msg __attribute__ ((unused)),
-		struct sadb_ext *extensions[SADB_EXT_MAX + 1])
-{
-	struct _new_klips_mapp_nfo nfo;
-	struct sadb_address *srcx = (void *) extensions[SADB_EXT_ADDRESS_SRC];
-	struct sadb_address *dstx = (void *) extensions[SADB_EXT_ADDRESS_DST];
-	struct sockaddr *srca, *dsta;
-	err_t ugh = NULL;
-
-	nfo.sa = (void *) extensions[SADB_EXT_SA];
-
-	if (!nfo.sa || !srcx || !dstx)
+		&&  nfo->spi == st->st_esp.our_spi
+		&&  nfo->reqid == c->spd.reqid)
 	{
-		plog("SADB_X_NAT_T_NEW_MAPPING message from KLIPS malformed: "
-				"got NULL params");
-		return;
-	}
-
-	srca = ((struct sockaddr *)(void *)&srcx[1]);
-	dsta = ((struct sockaddr *)(void *)&dstx[1]);
+		u_int16_t port = ntohs(portof(nfo->addr));
 
-	if (srca->sa_family != AF_INET || dsta->sa_family != AF_INET)
-	{
-		ugh = "only AF_INET supported";
-	}
-	else
-	{
-		char text_said[SATOT_BUF];
-		char _srca[ADDRTOT_BUF], _dsta[ADDRTOT_BUF];
-		ip_said said;
-
-		initaddr((const void *) &((const struct sockaddr_in *)srca)->sin_addr,
-						sizeof(((const struct sockaddr_in *)srca)->sin_addr),
-						srca->sa_family, &(nfo.src));
-		nfo.sport = ntohs(((const struct sockaddr_in *)srca)->sin_port);
-		initaddr((const void *) &((const struct sockaddr_in *)dsta)->sin_addr,
-						sizeof(((const struct sockaddr_in *)dsta)->sin_addr),
-						dsta->sa_family, &(nfo.dst));
-		nfo.dport = ntohs(((const struct sockaddr_in *)dsta)->sin_port);
+		DBG(DBG_NATT, {
+			char text_said[SATOT_BUF];
+			char olda[ADDRTOT_BUF];
+			char newa[ADDRTOT_BUF];
+			ip_said said;
 
-		DBG(DBG_NATT,
-			initsaid(&nfo.src, nfo.sa->sadb_sa_spi, SA_ESP, &said);
+			initsaid(&c->spd.that.host_addr, nfo->spi, SA_ESP, &said);
 			satot(&said, 0, text_said, SATOT_BUF);
-			addrtot(&nfo.src, 0, _srca, ADDRTOT_BUF);
-			addrtot(&nfo.dst, 0, _dsta, ADDRTOT_BUF);
-			DBG_log("new klips mapping %s %s:%d %s:%d",
-						text_said, _srca, nfo.sport, _dsta, nfo.dport);
-		)
+			addrtot(&c->spd.that.host_addr, 0, olda, ADDRTOT_BUF);
+			addrtot(nfo->addr, 0, newa, ADDRTOT_BUF);
+
+			DBG_log("new kernel mapping %s %s:%d %s:%d",
+					text_said, olda, c->spd.that.host_port, newa, port);
+		})
 
-		for_each_state((void *)nat_t_new_klips_mapp, &nfo);
+		nat_traversal_new_mapping(&c->spd.that.host_addr, c->spd.that.host_port,
+								  nfo->addr, port);
 	}
+}
 
-	if (ugh != NULL)
-		plog("SADB_X_NAT_T_NEW_MAPPING message from KLIPS malformed: %s", ugh);
+void process_nat_t_new_mapping(u_int32_t reqid, u_int32_t spi,
+							   ip_address *new_end)
+{
+	struct _new_kernel_mapp_nfo nfo = {
+		.reqid = reqid,
+		.spi = spi,
+		.addr = new_end,
+	};
+	for_each_state((void *)nat_t_new_kernel_mapp, &nfo);
 }
 
diff --git a/src/pluto/nat_traversal.h b/src/pluto/nat_traversal.h
index 98b0a2bc0..80bdaf787 100644
--- a/src/pluto/nat_traversal.h
+++ b/src/pluto/nat_traversal.h
@@ -1,5 +1,8 @@
-/* FreeS/WAN NAT-Traversal
- * Copyright (C) 2002-2003 Mathieu Lafon - Arkoon Network Security
+/*
+ * Copyright (C) 2010 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2002-2003 Mathieu Lafon
+ * Arkoon Network Security
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -115,11 +118,8 @@ void nat_traversal_change_port_lookup(struct msg_digest *md, struct state *st);
 /**
  * New NAT mapping
  */
-#ifdef __PFKEY_V2_H
-void process_pfkey_nat_t_new_mapping(
-		struct sadb_msg *,
-		struct sadb_ext *[SADB_EXT_MAX + 1]);
-#endif
+void process_nat_t_new_mapping(u_int32_t reqid, u_int32_t spi,
+							   ip_address *new_end);
 
 /**
  * IKE port floating
diff --git a/src/pluto/pkcs7.c b/src/pluto/pkcs7.c
index c0fd041a7..10b2a4d5a 100644
--- a/src/pluto/pkcs7.c
+++ b/src/pluto/pkcs7.c
@@ -407,7 +407,7 @@ bool pkcs7_parse_envelopedData(chunk_t blob, chunk_t *data,
 			}
 			break;
 		case PKCS7_ENCRYPTED_KEY:
-			if (!key->decrypt(key, object, &symmetric_key))
+			if (!key->decrypt(key, ENCRYPT_RSA_PKCS1, object, &symmetric_key))
 			{
 				DBG1(DBG_LIB, "symmetric key could not be decrypted with rsa");
 				goto end;
@@ -473,7 +473,7 @@ end:
 			DBG1(DBG_LIB, "symmetric key length %d is wrong", symmetric_key.len);
 			goto failed;
 		}
-		if (iv.len != crypter->get_block_size(crypter))
+		if (iv.len != crypter->get_iv_size(crypter))
 		{
 			DBG1(DBG_LIB, "IV length %d is wrong", iv.len);
 			goto failed;
@@ -668,7 +668,7 @@ chunk_t pkcs7_build_envelopedData(chunk_t data, certificate_t *cert, int enc_alg
 		rng->destroy(rng);
 
 		rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
-		rng->allocate_bytes(rng, crypter->get_block_size(crypter), &iv);
+		rng->allocate_bytes(rng, crypter->get_iv_size(crypter), &iv);
 		DBG4(DBG_LIB, "initialization vector: %B", &iv);
 		rng->destroy(rng);
 	}
@@ -710,7 +710,7 @@ chunk_t pkcs7_build_envelopedData(chunk_t data, certificate_t *cert, int enc_alg
 			chunk_free(&out);
 			return chunk_empty;
 		}
-		key->encrypt(key, symmetricKey, &protectedKey);
+		key->encrypt(key, ENCRYPT_RSA_PKCS1, symmetricKey, &protectedKey);
 		key->destroy(key);
 	}
 
diff --git a/src/pluto/plugins/xauth/Makefile.in b/src/pluto/plugins/xauth/Makefile.in
index 13749e5af..b2ffb11db 100644
--- a/src/pluto/plugins/xauth/Makefile.in
+++ b/src/pluto/plugins/xauth/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -163,6 +164,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -194,14 +197,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -216,24 +222,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -241,7 +254,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/pluto/pluto.8 b/src/pluto/pluto.8
index b80d13772..58cb15091 100644
--- a/src/pluto/pluto.8
+++ b/src/pluto/pluto.8
@@ -15,7 +15,6 @@ ipsec pluto
 \fIfilename\fP]
 [\-\-nofork]
 [\-\-stderrlog]
-[\-\-noklips]
 [\-\-uniqueids]
 [\fB\-\-interface\fP \fIinterfacename\fP]
 [\-\-ikeport\ \c
@@ -37,7 +36,7 @@ ipsec pluto
 [\-\-debug\(hyemitting]
 [\-\-debug\(hycontrol]
 [\-\-debug\(hylifecycle]
-[\-\-debug\(hyklips]
+[\-\-debug\(hykernel]
 [\-\-debug\(hydns]
 [\-\-debug\(hyoppo]
 [\-\-debug\(hyprivate]
@@ -209,7 +208,7 @@ ipsec whack
 [\-\-debug\(hyemitting]
 [\-\-debug\(hycontrol]
 [\-\-debug\(hylifecycle]
-[\-\-debug\(hyklips]
+[\-\-debug\(hykernel]
 [\-\-debug\(hydns]
 [\-\-debug\(hyoppo]
 [\-\-debug\(hyprivate]
@@ -256,10 +255,7 @@ In other words,
 .BR pluto
 can eliminate much of the work of manual keying.
 The actual
-secure transmission of packets is the responsibility of other parts of
-the system (see
-.BR KLIPS ,
-the companion implementation of IPsec).
+secure transmission of packets is the responsibility of the Linux kernel.
 \fIipsec_auto\fP(8) provides a more convenient interface to
 \fBpluto\fP and \fBwhack\fP.
 .SS IKE's Job
@@ -314,8 +310,8 @@ are considered policy and are left in the system administrator's hands.
 .SS Pluto
 .LP
 \fBpluto\fP is an implementation of IKE.  It runs as a daemon on a network
-node.  Currently, this network node must be a LINUX system running the
-\fBKLIPS\fP implementation of IPsec.
+node.  Currently, this network node must be a Linux 2.6 system running the
+native \fBNETKEY\fP IPsec stack.
 .LP
 \fBpluto\fP only implements a subset of IKE.  This is enough for it to
 interoperate with other instances of \fBpluto\fP, and many other IKE
@@ -331,13 +327,13 @@ peers with whom it is negotiating.
 .LP
 \fBpluto\fP initiates negotiation of a Security Association when it is
 manually prodded: the program \fBwhack\fP is run to trigger this.
-It will also initiate a negotiation when \fBKLIPS\fP traps an outbound packet
-for Opportunistic Encryption.
+It will also initiate a negotiation when the Linux kernel traps an outbound
+packet for Opportunistic Encryption.
 .LP
 \fBpluto\fP implements ISAKMP SAs itself.  After it has negotiated the
-characteristics of an IPsec SA, it directs \fBKLIPS\fP to implement it.
+characteristics of an IPsec SA, it directs the Linux kernel to implement it.
 It also invokes a script to adjust any firewall and issue \fIroute\fP(8)
-commands to direct IP packets through \fBKLIPS\fP.
+commands.
 .LP
 When \fBpluto\fP shuts down, it closes all Security Associations.
 .SS Before Running Pluto
@@ -345,8 +341,8 @@ When \fBpluto\fP shuts down, it closes all Security Associations.
 \fBpluto\fP runs as a daemon with userid root.  Before running it, a few
 things must be set up.
 .LP
-\fBpluto\fP requires \fBKLIPS\fP, the FreeS/WAN implementation of IPsec.
-All of the components of \fBKLIPS\fP and \fBpluto\fP should be installed.
+\fBpluto\fP requires a Linux 2.6 kernel with the modules for the native IPsec
+stack enabled.
 .LP
 \fBpluto\fP supports multiple public networks (that is, networks
 that are considered insecure and thus need to have their traffic
@@ -355,11 +351,8 @@ public interfaces to use by looking at all interfaces that are
 configured (the \fB\-\-interface\fP option can be used to limit
 the interfaces considered).
 It does this only when \fBwhack\fP tells it to \-\-listen,
-so the interfaces must be configured by then.  Each interface with a name of the form
-\fBipsec\fP[\fB0\fP-\fB9\fP] is taken as a \fBKLIPS\fP virtual public interface.
-Another network interface with the same IP address (there should be only
-one) is taken as the corresponding real public
-interface.  \fIifconfig\fP(8) with the \fB\-a\fP flag will show
+so the interfaces must be configured by then.
+\fIifconfig\fP(8) with the \fB\-a\fP flag will show
 the name and status of each network interface.
 .LP
 \fBpluto\fP requires a database of preshared secrets and RSA private keys.
@@ -368,33 +361,6 @@ This is described in the
 \fBpluto\fP is told of RSA public keys via \fBwhack\fP commands.
 If the connection is Opportunistic, and no RSA public key is known,
 \fBpluto\fP will attempt to fetch RSA keys using the Domain Name System.
-.SS Setting up \fBKLIPS\fP for \fBpluto\fP
-.LP
-The most basic network topology that \fBpluto\fP supports has two security
-gateways negotiating on behalf of client subnets.  The diagram of RGB's
-testbed is a good example (see \fIklips/doc/rgb_setup.txt\fP).
-.LP
-The file \fIINSTALL\fP in the base directory of this distribution
-explains how to start setting up the whole system, including \fBKLIPS\fP.
-.LP
-Make sure that the security gateways have routes to each other.  This
-is usually covered by the default route, but may require issuing
-.IR route (8)
-commands.  The route must go through a particular IP
-interface (we will assume it is \fIeth0\fP, but it need not be).  The
-interface that connects the security gateway to its client must be a
-different one.
-.LP
-It is necessary to issue a
-.IR ipsec_tncfg (8)
-command on each gateway.  The required command is:
-
-\ \ \ ipsec tncfg \-\-attach\ \-\-virtual\ ipsec0 \-\-physical\ eth0
-
-A command to set up the ipsec0 virtual interface will also need to be
-run.  It will have the same parameters as the command used to set up
-the physical interface to which it has just been connected using
-.IR ipsec_tncfg (8).
 .SS ipsec.secrets file
 .LP
 A \fBpluto\fP daemon and another IKE daemon (for example, another instance
@@ -473,13 +439,6 @@ corresponding to a particular connection.
 Often there is one representing an ISAKMP SA and another representing
 an IPsec SA.
 .LP
-\fBKLIPS\fP hooks into the routing code in a LINUX kernel.
-Traffic to be processed by an IPsec SA must be directed through
-\fBKLIPS\fP by routing commands.  Furthermore, the processing to be
-done is specified by \fIipsec eroute(8)\fP commands.
-\fBpluto\fP takes the responsibility of managing both of these special
-kinds of routes.
-.LP
 Each connection may be routed, and must be while it has an IPsec SA.
 The connection specifies the characteristics of the route: the
 interface on this machine, the ``gateway'' (the nexthop),
@@ -519,9 +478,9 @@ SA for the same connection already has an eroute, all its outgoing traffic
 is taken over by the new eroute.  The incoming traffic will still be
 processed.  This characteristic is exploited during rekeying.
 .LP
-All of these routing characteristics are expected change when
-\fBKLIPS\fP is modified to use the firewall hooks in the LINUX 2.4.x
-kernel.
+Some of these routing characteristics are specific to \fBKLIPS\fP, the FreeS/WAN
+implementation of IPsec and are not relevant when running pluto on the native
+Linux 2.6 IPsec stack.
 .SS Using Whack
 .LP
 \fBwhack\fP is used to command a running \fBpluto\fP.
@@ -691,7 +650,7 @@ Note that this has nothing to do with IKE authentication.
 .TP
 \fB\-\-compress\fP
 All proposed IPsec SAs will include IPCOMP (compression).
-This will be ignored if KLIPS is not configured with IPCOMP support.
+This will be ignored if the kernel is not configured with IPCOMP support.
 .TP
 \fB\-\-tunnel\fP
 the IPsec SA should use tunneling.  Implicit if the SA is for clients.
@@ -1304,9 +1263,6 @@ disable ``daemon fork'' (default is to fork).  In addition, after the
 lock file and control socket are created, print the line ``Pluto
 initialized'' to standard out.
 .TP
-\fB\-\-noklips\fP
-don't actually implement negotiated IPsec SAs
-.TP
 \fB\-\-uniqueids\fP
 if this option has been selected, whenever a new ISAKMP SA is
 established, any connection with the same Peer ID but a different
@@ -1317,12 +1273,6 @@ then regained at another IP address.
 \fB\-\-stderrlog\fP
 log goes to standard out {default is to use \fIsyslogd\fP(8))
 .LP
-For example
-.TP
-pluto \-\-secretsfile\ ipsec.secrets \-\-ctlbase\ pluto.base \-\-ikeport\ 8500 \-\-nofork \-\-noklips \-\-stderrlog
-.LP
-lets one test \fBpluto\fP without using the superuser account.
-.LP
 \fBpluto\fP is willing to produce a prodigious amount of debugging
 information.  To do so, it must be compiled with \-DDEBUG.  There are
 several classes of debugging output, and \fBpluto\fP may be directed to
@@ -1351,8 +1301,8 @@ show \fBpluto\fP's decision making
 \fB\-\-debug-lifecycle\fP
 [this option is temporary] log more detail of lifecycle of SAs
 .TP
-\fB\-\-debug-klips\fP
-show \fBpluto\fP's interaction with \fBKLIPS\fP
+\fB\-\-debug-kernel\fP
+show \fBpluto\fP's interaction with the kernel
 .TP
 \fB\-\-debug-dns\fP
 show \fBpluto\fP's interaction with \fBDNS\fP for KEY and TXT records
@@ -1418,11 +1368,6 @@ system (\fBpluto\fP didn't send a reply because it wasn't happy with
 the previous message).
 .SS Notes
 .LP
-If \fBpluto\fP is compiled without \-DKLIPS, it negotiates Security
-Associations but never ask the kernel to put them in place and never
-makes routing changes.  This allows \fBpluto\fP to be tested on systems
-without \fBKLIPS\fP, but makes it rather useless.
-.LP
 Each IPsec SA is assigned an SPI, a 32-bit number used to refer to the SA.
 The IKE protocol lets the destination of the SA choose the SPI.
 The range 0 to 0xFF is reserved for IANA.
@@ -1469,7 +1414,7 @@ component.  The selection is controlled by the \-\-encrypt and
 .IP \(bu
 Each of these may be combined with IPCOMP Deflate compression,
 but only if the potential connection specifies compression and only
-if KLIPS is configured with IPCOMP support.
+if the kernel is configured with IPCOMP support.
 .IP \(bu
 The IPSEC SAs may be tunnel or transport mode, where appropriate.
 The \-\-tunnel flag controls this when \fBpluto\fP is initiating.
diff --git a/src/pluto/pluto.c b/src/pluto/pluto.c
index e9c7c316b..66fdb30b9 100644
--- a/src/pluto/pluto.c
+++ b/src/pluto/pluto.c
@@ -41,6 +41,7 @@ pluto_t *pluto;
 void pluto_deinit()
 {
 	private_pluto_t *this = (private_pluto_t*)pluto;
+	this->public.events->destroy(this->public.events);
 	this->public.xauth->destroy(this->public.xauth);
 	free(this);
 	pluto = NULL;
@@ -55,6 +56,7 @@ bool pluto_init(char *file)
 
 	INIT(this,
 		.public = {
+			.events = event_queue_create(),
 			.xauth = xauth_manager_create(),
 		},
 	);
diff --git a/src/pluto/pluto.h b/src/pluto/pluto.h
index 37e6e3f33..2440093ca 100644
--- a/src/pluto/pluto.h
+++ b/src/pluto/pluto.h
@@ -31,6 +31,7 @@
 
 typedef struct pluto_t pluto_t;
 
+#include <event_queue.h>
 #include <xauth/xauth_manager.h>
 
 #include <library.h>
@@ -40,10 +41,16 @@ typedef struct pluto_t pluto_t;
  */
 struct pluto_t {
 
+	/**
+	 * event queue (callbacks, executed by the pluto main thread)
+	 */
+	event_queue_t *events;
+
 	/**
 	 * manager for payload attributes
 	 */
 	xauth_manager_t *xauth;
+
 };
 
 /**
diff --git a/src/pluto/plutomain.c b/src/pluto/plutomain.c
index 89123bb8a..627176c1b 100644
--- a/src/pluto/plutomain.c
+++ b/src/pluto/plutomain.c
@@ -79,6 +79,11 @@
 #include "whack_attribute.h"
 #include "pluto.h"
 
+/**
+ * Number of threads in the thread pool, if not specified in config.
+ */
+#define DEFAULT_THREADS 4
+
 static void usage(const char *mess)
 {
 	if (mess != NULL && *mess != '\0')
@@ -91,7 +96,6 @@ static void usage(const char *mess)
 			" \\\n\t"
 			"[--nofork]"
 			" [--stderrlog]"
-			" [--noklips]"
 			" [--nocrsend]"
 			" \\\n\t"
 			"[--strictcrlpolicy]"
@@ -125,7 +129,7 @@ static void usage(const char *mess)
 			" \\\n\t"
 			"[--debug-control]"
 			" [--debug-lifecycle]"
-			" [--debug-klips]"
+			" [--debug-kernel]"
 			" [--debug-dns]"
 			" \\\n\t"
 			"[--debug-oppo]"
@@ -295,7 +299,6 @@ int main(int argc, char **argv)
 			{ "optionsfrom", required_argument, NULL, '+' },
 			{ "nofork", no_argument, NULL, 'd' },
 			{ "stderrlog", no_argument, NULL, 'e' },
-			{ "noklips", no_argument, NULL, 'n' },
 			{ "nocrsend", no_argument, NULL, 'c' },
 			{ "strictcrlpolicy", no_argument, NULL, 'r' },
 			{ "crlcheckinterval", required_argument, NULL, 'x'},
@@ -333,7 +336,8 @@ int main(int argc, char **argv)
 			{ "debug-emitting", no_argument, NULL, DBG_EMITTING + DBG_OFFSET },
 			{ "debug-control", no_argument, NULL, DBG_CONTROL + DBG_OFFSET },
 			{ "debug-lifecycle", no_argument, NULL, DBG_LIFECYCLE + DBG_OFFSET },
-			{ "debug-klips", no_argument, NULL, DBG_KLIPS + DBG_OFFSET },
+			{ "debug-klips", no_argument, NULL, DBG_KERNEL + DBG_OFFSET },
+			{ "debug-kernel", no_argument, NULL, DBG_KERNEL + DBG_OFFSET },
 			{ "debug-dns", no_argument, NULL, DBG_DNS + DBG_OFFSET },
 			{ "debug-oppo", no_argument, NULL, DBG_OPPO + DBG_OFFSET },
 			{ "debug-controlmore", no_argument, NULL, DBG_CONTROLMORE + DBG_OFFSET },
@@ -396,10 +400,6 @@ int main(int argc, char **argv)
 			log_to_stderr_desired = TRUE;
 			continue;
 
-		case 'n':       /* --noklips */
-			no_klips = TRUE;
-			continue;
-
 		case 'c':       /* --nocrsend */
 			no_cr_send = TRUE;
 			continue;
@@ -621,27 +621,19 @@ int main(int argc, char **argv)
 		fflush(stdout);
 	}
 
-	/* Close everything but ctl_fd and (if needed) stderr.
-	 * There is some danger that a library that we don't know
-	 * about is using some fd that we don't know about.
-	 * I guess we'll soon find out.
+	/* Redirect stdin, stdout and stderr to /dev/null
 	 */
 	{
-		int i;
-
-		for (i = getdtablesize() - 1; i >= 0; i--)  /* Bad hack */
-		{
-			if ((!log_to_stderr || i != 2) && i != ctl_fd)
-				close(i);
-		}
-
-		/* make sure that stdin, stdout, stderr are reserved */
-		if (open("/dev/null", O_RDONLY) != 0)
+		int fd;
+		if ((fd = open("/dev/null", O_RDWR)) == -1)
+			abort();
+		if (dup2(fd, 0) != 0)
 			abort();
-		if (dup2(0, 1) != 1)
+		if (dup2(fd, 1) != 1)
 			abort();
-		if (!log_to_stderr && dup2(0, 2) != 2)
+		if (!log_to_stderr && dup2(fd, 2) != 2)
 			abort();
+		close(fd);
 	}
 
 	init_constants();
@@ -764,6 +756,10 @@ int main(int argc, char **argv)
 	/* loading attribute certificates (experimental) */
 	ac_load_certs();
 
+	lib->processor->set_threads(lib->processor,
+			lib->settings->get_int(lib->settings, "pluto.threads",
+								   DEFAULT_THREADS));
+
 	daily_log_event();
 	call_server();
 	return -1;  /* Shouldn't ever reach this */
@@ -779,11 +775,13 @@ int main(int argc, char **argv)
  */
 void exit_pluto(int status)
 {
+	lib->processor->set_threads(lib->processor, 0);
 	reset_globals();    /* needed because we may be called in odd state */
 	free_preshared_secrets();
 	free_remembered_public_keys();
 	delete_every_connection();
 	whack_attribute_finalize(); /* free in-memory pools */
+	kernel_finalize();
 	fetch_finalize();           /* stop fetching thread */
 	free_crl_fetch();           /* free chain of crl fetch requests */
 	free_ocsp_fetch();          /* free chain of ocsp fetch requests */
diff --git a/src/pluto/server.c b/src/pluto/server.c
index 21f65f4f8..4d07843c1 100644
--- a/src/pluto/server.c
+++ b/src/pluto/server.c
@@ -56,6 +56,7 @@
 #include "adns.h"       /* needs <resolv.h> */
 #include "dnskey.h"     /* needs keys.h and adns.h */
 #include "whack.h"      /* for RC_LOG_SERIOUS */
+#include "pluto.h"
 
 #include <pfkeyv2.h>
 #include <pfkey.h>
@@ -467,7 +468,6 @@ create_socket(struct raw_iface *ifp, const char *v_name, int port)
 #endif
 
 #if defined(linux) && defined(KERNEL26_SUPPORT)
-	if (!no_klips && kernel_ops->type == KERNEL_TYPE_LINUX)
 	{
 		struct sadb_x_policy policy;
 		int level, opt;
@@ -536,7 +536,6 @@ process_raw_ifaces(struct raw_iface *rifaces)
 	for (ifp = rifaces; ifp != NULL; ifp = ifp->next)
 	{
 		struct raw_iface *v = NULL;     /* matching ipsecX interface */
-		struct raw_iface fake_v;
 		bool after = FALSE; /* has vfp passed ifp on the list? */
 		bool bad = FALSE;
 		struct raw_iface *vfp;
@@ -578,7 +577,6 @@ process_raw_ifaces(struct raw_iface *rifaces)
 					 * "after" allows us to avoid double reporting.
 					 */
 #if defined(linux) && defined(KERNEL26_SUPPORT)
-					if (!no_klips && kernel_ops->type == KERNEL_TYPE_LINUX)
 					{
 						if (after)
 						{
@@ -603,7 +601,6 @@ process_raw_ifaces(struct raw_iface *rifaces)
 			continue;
 
 #if defined(linux) && defined(KERNEL26_SUPPORT)
-		if (!no_klips && kernel_ops->type == KERNEL_TYPE_LINUX)
 		{
 			v = ifp;
 			goto add_entry;
@@ -613,24 +610,10 @@ process_raw_ifaces(struct raw_iface *rifaces)
 		/* what if we didn't find a virtual interface? */
 		if (v == NULL)
 		{
-			if (no_klips)
-			{
-				/* kludge for testing: invent a virtual device */
-				static const char fvp[] = "virtual";
-				fake_v = *ifp;
-				passert(sizeof(fake_v.name) > sizeof(fvp));
-				strcpy(fake_v.name, fvp);
-				addrtot(&ifp->addr, 0, fake_v.name + sizeof(fvp) - 1
-					, sizeof(fake_v.name) - (sizeof(fvp) - 1));
-				v = &fake_v;
-			}
-			else
-			{
-				DBG(DBG_CONTROL,
-						DBG_log("IP interface %s %s has no matching ipsec* interface -- ignored"
-							, ifp->name, ip_str(&ifp->addr)));
-				continue;
-			}
+			DBG(DBG_CONTROL,
+				DBG_log("IP interface %s %s has no matching ipsec* interface -- ignored"
+					, ifp->name, ip_str(&ifp->addr)));
+			continue;
 		}
 
 		/* We've got all we need; see if this is a new thing:
@@ -811,7 +794,7 @@ call_server(void)
 	{
 		fd_set readfds;
 		fd_set writefds;
-		int ndes;
+		int ndes, events_fd;
 
 		/* wait for next interesting thing */
 
@@ -853,19 +836,10 @@ call_server(void)
 				FD_SET(adns_afd, &readfds);
 			}
 
-#ifdef KLIPS
-			if (!no_klips)
-			{
-				int fd = *kernel_ops->async_fdp;
-
-				if (kernel_ops->process_queue)
-					kernel_ops->process_queue();
-				if (maxfd < fd)
-					maxfd = fd;
-				passert(!FD_ISSET(fd, &readfds));
-				FD_SET(fd, &readfds);
-			}
-#endif
+			events_fd = pluto->events->get_event_fd(pluto->events);
+			if (maxfd < events_fd)
+				maxfd = events_fd;
+			FD_SET(events_fd, &readfds);
 
 			if (listening)
 			{
@@ -947,18 +921,16 @@ call_server(void)
 				ndes--;
 			}
 
-#ifdef KLIPS
-			if (!no_klips && FD_ISSET(*kernel_ops->async_fdp, &readfds))
+			if (FD_ISSET(events_fd, &readfds))
 			{
 				passert(ndes > 0);
 				DBG(DBG_CONTROL,
 					DBG_log(BLANK_FORMAT);
-					DBG_log("*received kernel message"));
-				kernel_ops->process_msg();
+					DBG_log("*handling asynchronous events"));
+				pluto->events->handle(pluto->events);
 				passert(GLOBALS_ARE_RESET());
 				ndes--;
 			}
-#endif
 
 			for (ifp = interfaces; ifp != NULL; ifp = ifp->next)
 			{
diff --git a/src/pluto/smartcard.c b/src/pluto/smartcard.c
index f1a3932a6..85e246ac4 100644
--- a/src/pluto/smartcard.c
+++ b/src/pluto/smartcard.c
@@ -502,9 +502,9 @@ static cert_t* scx_find_cert_object(CK_SESSION_HANDLE session,
 	*cert = cert_empty;
 	cert->smartcard = TRUE;
 	cert->cert = lib->creds->create(lib->creds,
-							  		CRED_CERTIFICATE, CERT_X509,
-							  		BUILD_BLOB_ASN1_DER, blob,
-							  		BUILD_END);
+									CRED_CERTIFICATE, CERT_X509,
+									BUILD_BLOB_ASN1_DER, blob,
+									BUILD_END);
 	if (cert->cert)
 	{
 		return cert;
@@ -539,6 +539,7 @@ static void scx_find_cert_objects(CK_SLOT_ID slot, CK_SESSION_HANDLE session)
 		CK_ULONG obj_count = 0;
 		time_t valid_until;
 		smartcard_t *sc;
+		cert_t *cert;
 		certificate_t *certificate;
 		x509_t *x509;
 
@@ -559,8 +560,8 @@ static void scx_find_cert_objects(CK_SLOT_ID slot, CK_SESSION_HANDLE session)
 		*sc = empty_sc;
 		sc->any_slot = FALSE;
 		sc->slot  = slot;
-		sc->last_cert = scx_find_cert_object(session, object, sc);
-		if (sc->last_cert == NULL)
+		cert = scx_find_cert_object(session, object, sc);
+		if (!cert)
 		{
 			scx_free(sc);
 			continue;
@@ -571,9 +572,10 @@ static void scx_find_cert_objects(CK_SLOT_ID slot, CK_SESSION_HANDLE session)
 		)
 
 		/* check validity of certificate */
-		certificate = sc->last_cert->cert;
+		certificate = cert->cert;
 		if (!certificate->get_validity(certificate, NULL, NULL, &valid_until))
 		{
+			cert_free(cert);
 			scx_free(sc);
 			continue;
 		}
@@ -582,17 +584,17 @@ static void scx_find_cert_objects(CK_SLOT_ID slot, CK_SESSION_HANDLE session)
 		)
 
 		sc = scx_add(sc);
-		x509 = (x509_t*)certificate;
 
 		/* put end entity and ca certificates into different chains */
+		x509 = (x509_t*)certificate;
 		if (x509->get_flags(x509) & X509_CA)
 		{
-			sc->last_cert = add_authcert(sc->last_cert, X509_CA);
+			sc->last_cert = add_authcert(cert, X509_CA);
 		}
 		else
 		{
-			add_public_key_from_cert(sc->last_cert, valid_until, DAL_LOCAL);
-			sc->last_cert = cert_add(sc->last_cert);
+			add_public_key_from_cert(cert, valid_until, DAL_LOCAL);
+			sc->last_cert = cert_add(cert);
 		}
 
 		cert_share(sc->last_cert);
@@ -1078,7 +1080,7 @@ cert_t* scx_load_cert(const char *filename, smartcard_t **scp, bool *cached)
 	*scp = sc = scx_add(scx_parse_number_slot_id(number_slot_id));
 
 	/* is there a cached smartcard certificate? */
-	*cached = sc->last_cert && 
+	*cached = sc->last_cert &&
 			  (time(NULL) - sc->last_load) < SCX_CERT_CACHE_INTERVAL;
 
 	if (*cached)
@@ -1451,7 +1453,7 @@ bool scx_encrypt(smartcard_t *sc, const u_char *in, size_t inlen, u_char *out,
 			{
 				return FALSE;
 			}
-			key->encrypt(key, plain_text, &cipher_text);
+			key->encrypt(key, ENCRYPT_RSA_PKCS1, plain_text, &cipher_text);
 			key->destroy(key);
 
 			if (cipher_text.ptr == NULL)
diff --git a/src/pluto/spdb.c b/src/pluto/spdb.c
index cdf2cb21b..2ed07bdfc 100644
--- a/src/pluto/spdb.c
+++ b/src/pluto/spdb.c
@@ -234,7 +234,7 @@ out_attr(int type
 				, val, enum_show(d, val)));
 	return TRUE;
 }
-#define return_on(var, val) do { var=val;goto return_out; } while(0);
+#define return_on(var, val) do { var=val;goto return_out; } while(0)
 /* Output an SA, as described by a db_sa.
  * This has the side-effect of allocating SPIs for us.
  */
@@ -448,7 +448,7 @@ out_sa(pb_stream *outs
 							, &st->st_connection->spd
 							, tunnel_mode);
 						if (*spi_ptr == 0)
-							return FALSE;
+							return_on(ret, FALSE);
 						*spi_generated = TRUE;
 					}
 					if (!out_raw((u_char *)spi_ptr, IPSEC_DOI_SPI_SIZE
@@ -2176,7 +2176,7 @@ parse_ipsec_sa_body(
 #endif
 			if (!can_do_IPcomp)
 			{
-				plog("compression proposed by %s, but KLIPS is not configured with IPCOMP"
+				plog("compression proposed by %s, but kernel does not support IPCOMP"
 					, ip_str(&c->spd.that.host_addr));
 				continue;
 			}
diff --git a/src/pluto/state.c b/src/pluto/state.c
index 29d78fb3d..3639f944d 100644
--- a/src/pluto/state.c
+++ b/src/pluto/state.c
@@ -734,7 +734,7 @@ void fmt_state(bool all, struct state *st, time_t n, char *state_buf,
 		, st->st_serialno
 		, c->name, inst
 		, enum_name(&state_names, st->st_state)
-		, state_story[st->st_state - STATE_MAIN_R0]
+		, state_story[st->st_state]
 		, timer_event_names, st->st_event->ev_type
 		, delta
 		, np1, np2, eo, dpd);
@@ -782,7 +782,7 @@ void fmt_state(bool all, struct state *st, time_t n, char *state_buf,
 		}
 		if (st->st_esp.present)
 		{
-			time_t now = time(NULL);
+			time_t now = time_monotonic(NULL);
 
 			add_said(&c->spd.that.host_addr, st->st_esp.attrs.spi, SA_ESP);
 			add_sa_info(st, FALSE);
@@ -794,12 +794,10 @@ void fmt_state(bool all, struct state *st, time_t n, char *state_buf,
 			add_said(&c->spd.that.host_addr, st->st_ipcomp.attrs.spi, SA_COMP);
 			add_said(&c->spd.this.host_addr, st->st_ipcomp.our_spi, SA_COMP);
 		}
-#ifdef KLIPS
 		tunnel =  st->st_ah.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL
 			   || st->st_esp.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL
 			   || st->st_ipcomp.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL;
 		p += snprintf(p, p_end - p, "; %s", tunnel? "tunnel":"transport");
-#endif
 
 		snprintf(state_buf2, state_buf2_len
 			, "#%lu: \"%s\"%s%s"
@@ -897,56 +895,6 @@ void show_states_status(bool all, const char *name)
 	free(array);
 }
 
-/* Given that we've used up a range of unused CPI's,
- * search for a new range of currently unused ones.
- * Note: this is very expensive when not trivial!
- * If we can't find one easily, choose 0 (a bad SPI,
- * no matter what order) indicating failure.
- */
-void find_my_cpi_gap(cpi_t *latest_cpi, cpi_t *first_busy_cpi)
-{
-	int tries = 0;
-	cpi_t base = *latest_cpi;
-	cpi_t closest;
-	int i;
-
-startover:
-	closest = ~0;       /* not close at all */
-	for (i = 0; i < STATE_TABLE_SIZE; i++)
-	{
-		struct state *st;
-
-		for (st = statetable[i]; st != NULL; st = st->st_hashchain_next)
-		{
-			if (st->st_ipcomp.present)
-			{
-				cpi_t c = ntohl(st->st_ipcomp.our_spi) - base;
-
-				if (c < closest)
-				{
-					if (c == 0)
-					{
-						/* oops: next spot is occupied; start over */
-						if (++tries == 20)
-						{
-							/* FAILURE */
-							*latest_cpi = *first_busy_cpi = 0;
-							return;
-						}
-						base++;
-						if (base > IPCOMP_LAST_NEGOTIATED)
-							base = IPCOMP_FIRST_NEGOTIATED;
-						goto startover; /* really a tail call */
-					}
-					closest = c;
-				}
-			}
-		}
-	}
-	*latest_cpi = base; /* base is first in next free range */
-	*first_busy_cpi = closest + base;   /* and this is the roof */
-}
-
 /* Muck with high-order 16 bits of this SPI in order to make
  * the corresponding SAID unique.
  * Its low-order 16 bits hold a well-known IPCOMP CPI.
diff --git a/src/pluto/state.h b/src/pluto/state.h
index c4e8db485..a307d9f69 100644
--- a/src/pluto/state.h
+++ b/src/pluto/state.h
@@ -127,10 +127,8 @@ struct state
 	struct ipsec_proto_info st_ah;
 	struct ipsec_proto_info st_esp;
 	struct ipsec_proto_info st_ipcomp;
-#ifdef KLIPS
 	ipsec_spi_t        st_tunnel_in_spi;          /* KLUDGE */
 	ipsec_spi_t        st_tunnel_out_spi;         /* KLUDGE */
-#endif
 
 	const struct dh_desc *st_pfs_group;        /* group for Phase 2 PFS */
 
@@ -267,7 +265,6 @@ extern struct state
 
 extern void show_states_status(bool all, const char *name);
 extern void for_each_state(void *(f)(struct state *, void *data), void *data);
-extern void find_my_cpi_gap(cpi_t *latest_cpi, cpi_t *first_busy_cpi);
 extern ipsec_spi_t uniquify_his_cpi(ipsec_spi_t cpi, struct state *st);
 extern void fmt_state(bool all, struct state *st, time_t n
 					 , char *state_buf, size_t state_buf_len
diff --git a/src/pluto/timer.c b/src/pluto/timer.c
index b112d67f6..c1ad55f5e 100644
--- a/src/pluto/timer.c
+++ b/src/pluto/timer.c
@@ -233,13 +233,6 @@ void handle_timer_event(void)
 			init_secret();
 			break;
 
-#ifdef KLIPS
-		case EVENT_SHUNT_SCAN:
-			passert(st == NULL);
-			scan_proc_shunts();
-			break;
-#endif
-
 		case EVENT_LOG_DAILY:
 			daily_log_event();
 			break;
diff --git a/src/pluto/x509.c b/src/pluto/x509.c
index 2b8681246..d717beb15 100644
--- a/src/pluto/x509.c
+++ b/src/pluto/x509.c
@@ -427,7 +427,7 @@ void list_x509cert_chain(const char *caption, cert_t* cert,
 			{
 				whack_log(RC_COMMENT, "  pubkey:    %N %4d bits%s",
 					key_type_names, key->get_type(key),
-					key->get_keysize(key) * BITS_PER_BYTE,
+					key->get_keysize(key),
 					cert->smartcard ? ", on smartcard" :
 					(has_private_key(cert)? ", has private key" : ""));
 
diff --git a/src/scepclient/Makefile.am b/src/scepclient/Makefile.am
index dd4a4a63d..897b49ac3 100644
--- a/src/scepclient/Makefile.am
+++ b/src/scepclient/Makefile.am
@@ -21,7 +21,7 @@ INCLUDES = \
 
 AM_CFLAGS = \
 -DIPSEC_CONFDIR=\"${sysconfdir}\" \
--DPLUGINS=\""${pluto_plugins}\"" \
+-DPLUGINS=\""${scepclient_plugins}\"" \
 -DDEBUG -DNO_PLUTO
 
 LIBSTRONGSWANBUILDDIR=$(top_builddir)/src/libstrongswan
diff --git a/src/scepclient/Makefile.in b/src/scepclient/Makefile.in
index 7832e5f66..a20fa2eb9 100644
--- a/src/scepclient/Makefile.in
+++ b/src/scepclient/Makefile.in
@@ -50,6 +50,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -173,6 +174,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -204,14 +207,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -226,24 +232,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -251,7 +264,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
@@ -280,7 +296,7 @@ INCLUDES = \
 -I$(WHACKDIR)
 
 AM_CFLAGS = -DIPSEC_CONFDIR=\"${sysconfdir}\" \
-	-DPLUGINS=\""${pluto_plugins}\"" -DDEBUG -DNO_PLUTO \
+	-DPLUGINS=\""${scepclient_plugins}\"" -DDEBUG -DNO_PLUTO \
 	$(am__append_1)
 LIBSTRONGSWANBUILDDIR = $(top_builddir)/src/libstrongswan
 LIBFREESWANBUILDDIR = $(top_builddir)/src/libfreeswan
diff --git a/src/scepclient/scepclient.c b/src/scepclient/scepclient.c
index 5c32bbdef..448854acd 100644
--- a/src/scepclient/scepclient.c
+++ b/src/scepclient/scepclient.c
@@ -807,7 +807,7 @@ int main(int argc, char **argv)
 	public_key = private_key->get_public_key(private_key);
 
 	/* check for minimum key length */
-	if (private_key->get_keysize(private_key) < RSA_MIN_OCTETS)
+	if (private_key->get_keysize(private_key) < RSA_MIN_OCTETS / BITS_PER_BYTE)
 	{
 		exit_scepclient("length of RSA key has to be at least %d bits"
 			,RSA_MIN_OCTETS * BITS_PER_BYTE);
@@ -859,7 +859,7 @@ int main(int argc, char **argv)
 						BUILD_SIGNING_KEY, private_key,
 						BUILD_SUBJECT, subject,
 						BUILD_SUBJECT_ALTNAMES, subjectAltNames,
-						BUILD_PASSPHRASE, challengePassword,
+						BUILD_CHALLENGE_PWD, challengePassword,
 						BUILD_DIGEST_ALG, pkcs10_signature_alg,
 						BUILD_END);
 		if (!pkcs10_req)
diff --git a/src/starter/Makefile.am b/src/starter/Makefile.am
index 9813a0c06..75297f767 100644
--- a/src/starter/Makefile.am
+++ b/src/starter/Makefile.am
@@ -9,6 +9,7 @@ INCLUDES = \
 -I${linux_headers} \
 -I$(top_srcdir)/src/libstrongswan \
 -I$(top_srcdir)/src/libfreeswan \
+-I$(top_srcdir)/src/libhydra \
 -I$(top_srcdir)/src/pluto \
 -I$(top_srcdir)/src/whack \
 -I$(top_srcdir)/src/stroke
@@ -23,9 +24,8 @@ AM_CFLAGS = \
 -DDEBUG
 
 starter_LDADD = defs.o $(top_builddir)/src/libfreeswan/libfreeswan.a $(top_builddir)/src/libstrongswan/libstrongswan.la $(SOCKLIB)
-EXTRA_DIST = parser.l parser.y keywords.txt ipsec.conf ipsec.conf.5.in
-dist_man_MANS = ipsec.conf.5 starter.8
-CLEANFILES = ipsec.conf.5
+EXTRA_DIST = parser.l parser.y keywords.txt ipsec.conf
+dist_man_MANS = starter.8
 MAINTAINERCLEANFILES = lex.yy.c y.tab.c y.tab.h keywords.c
 
 PLUTODIR=$(top_srcdir)/src/pluto
@@ -43,11 +43,6 @@ if USE_LOAD_WARNING
   AM_CFLAGS += -DLOAD_WARNING
 endif
 
-ipsec.conf.5:	ipsec.conf.5.in
-		sed \
-		-e "s:@IPSEC_VERSION@:$(PACKAGE_VERSION):" \
-		$(srcdir)/$@.in > $@
-
 lex.yy.c:	$(srcdir)/parser.l $(srcdir)/parser.y $(srcdir)/parser.h y.tab.h
 		$(LEX) $(srcdir)/parser.l
 
diff --git a/src/starter/Makefile.in b/src/starter/Makefile.in
index d06c8974d..446f183f1 100644
--- a/src/starter/Makefile.in
+++ b/src/starter/Makefile.in
@@ -49,14 +49,14 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
-am__installdirs = "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man5dir)" \
-	"$(DESTDIR)$(man8dir)"
+am__installdirs = "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man8dir)"
 PROGRAMS = $(ipsec_PROGRAMS)
 am_starter_OBJECTS = y.tab.$(OBJEXT) netkey.$(OBJEXT) \
 	starterwhack.$(OBJEXT) starterstroke.$(OBJEXT) \
@@ -106,7 +106,6 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
-man5dir = $(mandir)/man5
 man8dir = $(mandir)/man8
 NROFF = nroff
 MANS = $(dist_man_MANS)
@@ -178,6 +177,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -209,14 +210,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -231,24 +235,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -256,7 +267,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
@@ -278,6 +292,7 @@ INCLUDES = \
 -I${linux_headers} \
 -I$(top_srcdir)/src/libstrongswan \
 -I$(top_srcdir)/src/libfreeswan \
+-I$(top_srcdir)/src/libhydra \
 -I$(top_srcdir)/src/pluto \
 -I$(top_srcdir)/src/whack \
 -I$(top_srcdir)/src/stroke
@@ -288,9 +303,8 @@ AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" \
 	-DDEV_URANDOM=\"${urandom_device}\" -DDEBUG $(am__append_1) \
 	$(am__append_2) $(am__append_3)
 starter_LDADD = defs.o $(top_builddir)/src/libfreeswan/libfreeswan.a $(top_builddir)/src/libstrongswan/libstrongswan.la $(SOCKLIB)
-EXTRA_DIST = parser.l parser.y keywords.txt ipsec.conf ipsec.conf.5.in
-dist_man_MANS = ipsec.conf.5 starter.8
-CLEANFILES = ipsec.conf.5
+EXTRA_DIST = parser.l parser.y keywords.txt ipsec.conf
+dist_man_MANS = starter.8
 MAINTAINERCLEANFILES = lex.yy.c y.tab.c y.tab.h keywords.c
 PLUTODIR = $(top_srcdir)/src/pluto
 SCEPCLIENTDIR = $(top_srcdir)/src/scepclient
@@ -424,44 +438,6 @@ mostlyclean-libtool:
 
 clean-libtool:
 	-rm -rf .libs _libs
-install-man5: $(dist_man_MANS)
-	@$(NORMAL_INSTALL)
-	test -z "$(man5dir)" || $(MKDIR_P) "$(DESTDIR)$(man5dir)"
-	@list=''; test -n "$(man5dir)" || exit 0; \
-	{ for i in $$list; do echo "$$i"; done; \
-	l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \
-	  sed -n '/\.5[a-z]*$$/p'; \
-	} | while read p; do \
-	  if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
-	  echo "$$d$$p"; echo "$$p"; \
-	done | \
-	sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^5][0-9a-z]*$$,5,;x' \
-	      -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \
-	sed 'N;N;s,\n, ,g' | { \
-	list=; while read file base inst; do \
-	  if test "$$base" = "$$inst"; then list="$$list $$file"; else \
-	    echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man5dir)/$$inst'"; \
-	    $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man5dir)/$$inst" || exit $$?; \
-	  fi; \
-	done; \
-	for i in $$list; do echo "$$i"; done | $(am__base_list) | \
-	while read files; do \
-	  test -z "$$files" || { \
-	    echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man5dir)'"; \
-	    $(INSTALL_DATA) $$files "$(DESTDIR)$(man5dir)" || exit $$?; }; \
-	done; }
-
-uninstall-man5:
-	@$(NORMAL_UNINSTALL)
-	@list=''; test -n "$(man5dir)" || exit 0; \
-	files=`{ for i in $$list; do echo "$$i"; done; \
-	l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \
-	  sed -n '/\.5[a-z]*$$/p'; \
-	} | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^5][0-9a-z]*$$,5,;x' \
-	      -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
-	test -z "$$files" || { \
-	  echo " ( cd '$(DESTDIR)$(man5dir)' && rm -f" $$files ")"; \
-	  cd "$(DESTDIR)$(man5dir)" && rm -f $$files; }
 install-man8: $(dist_man_MANS)
 	@$(NORMAL_INSTALL)
 	test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)"
@@ -600,7 +576,7 @@ check-am: all-am
 check: check-am
 all-am: Makefile $(PROGRAMS) $(MANS)
 installdirs:
-	for dir in "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man5dir)" "$(DESTDIR)$(man8dir)"; do \
+	for dir in "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man8dir)"; do \
 	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
 	done
 install: install-am
@@ -620,7 +596,6 @@ install-strip:
 mostlyclean-generic:
 
 clean-generic:
-	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
 
 distclean-generic:
 	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
@@ -669,7 +644,7 @@ install-info: install-info-am
 
 install-info-am:
 
-install-man: install-man5 install-man8
+install-man: install-man8
 
 install-pdf: install-pdf-am
 
@@ -701,7 +676,7 @@ ps-am:
 
 uninstall-am: uninstall-ipsecPROGRAMS uninstall-man
 
-uninstall-man: uninstall-man5 uninstall-man8
+uninstall-man: uninstall-man8
 
 .MAKE: install-am install-strip
 
@@ -712,20 +687,14 @@ uninstall-man: uninstall-man5 uninstall-man8
 	install install-am install-data install-data-am install-dvi \
 	install-dvi-am install-exec install-exec-am install-exec-local \
 	install-html install-html-am install-info install-info-am \
-	install-ipsecPROGRAMS install-man install-man5 install-man8 \
-	install-pdf install-pdf-am install-ps install-ps-am \
-	install-strip installcheck installcheck-am installdirs \
-	maintainer-clean maintainer-clean-generic mostlyclean \
-	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
-	pdf pdf-am ps ps-am tags uninstall uninstall-am \
-	uninstall-ipsecPROGRAMS uninstall-man uninstall-man5 \
-	uninstall-man8
-
-
-ipsec.conf.5:	ipsec.conf.5.in
-		sed \
-		-e "s:@IPSEC_VERSION@:$(PACKAGE_VERSION):" \
-		$(srcdir)/$@.in > $@
+	install-ipsecPROGRAMS install-man install-man8 install-pdf \
+	install-pdf-am install-ps install-ps-am install-strip \
+	installcheck installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags uninstall uninstall-am uninstall-ipsecPROGRAMS \
+	uninstall-man uninstall-man8
+
 
 lex.yy.c:	$(srcdir)/parser.l $(srcdir)/parser.y $(srcdir)/parser.h y.tab.h
 		$(LEX) $(srcdir)/parser.l
diff --git a/src/starter/README b/src/starter/README
index 12a60a11d..4aff64978 100644
--- a/src/starter/README
+++ b/src/starter/README
@@ -18,8 +18,6 @@ Usage:
 FEATURES
 --------
 
-o Load and unload KLIPS (ipsec.o kernel module)
-
 o Load modules of the native Linux 2.6 IPsec stack
 
 o Launch and monitor pluto
@@ -50,8 +48,7 @@ o /var/run/dynip/xxxx can be used to use a virtual interface name in
 
 o %auto can be used to automaticaly name the connections
 
-o kill -TERM can be used to stop FS. pluto will be stopped and KLIPS unloaded
-  (if it has been loaded).
+o kill -TERM can be used to stop FS. pluto will be stopped.
 
 o Can be used to start strongSwan and load lots of connections in a few
   seconds.
diff --git a/src/starter/args.c b/src/starter/args.c
index ab6b60509..37d600283 100644
--- a/src/starter/args.c
+++ b/src/starter/args.c
@@ -208,6 +208,7 @@ static const token_info_t token_info[] =
 	{ ARG_MISC, 0, NULL  /* KW_AUTHBY */                                           },
 	{ ARG_MISC, 0, NULL  /* KW_EAP */                                              },
 	{ ARG_STR,  offsetof(starter_conn_t, eap_identity), NULL                       },
+	{ ARG_STR,  offsetof(starter_conn_t, aaa_identity), NULL                       },
 	{ ARG_MISC, 0, NULL  /* KW_MOBIKE */                                           },
 	{ ARG_MISC, 0, NULL  /* KW_FORCEENCAPS */                                      },
 	{ ARG_TIME, offsetof(starter_conn_t, sa_ike_life_seconds), NULL                },
diff --git a/src/starter/confread.c b/src/starter/confread.c
index 399e17844..3367616ca 100644
--- a/src/starter/confread.c
+++ b/src/starter/confread.c
@@ -19,6 +19,8 @@
 
 #include <freeswan.h>
 
+#include <eap/eap.h>
+
 #include "../pluto/constants.h"
 #include "../pluto/defs.h"
 #include "../pluto/log.h"
@@ -461,7 +463,7 @@ static void handle_firewall(const char *label, starter_end_t *end,
 	}
 }
 
-static bool handle_mark(char *value, mark_t *mark)	
+static bool handle_mark(char *value, mark_t *mark)
 {
 	char *pos, *endptr;
 
@@ -671,31 +673,8 @@ static void load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg
 				}
 				break;
 			}
-			if (streq(kw->value, "aka"))
-			{
-				conn->eap_type = 23;
-			}
-			else if (streq(kw->value, "sim"))
-			{
-				conn->eap_type = 18;
-			}
-			else if (streq(kw->value, "md5"))
-			{
-				conn->eap_type = 4;
-			}
-			else if (streq(kw->value, "gtc"))
-			{
-				conn->eap_type = 6;
-			}
-			else if (streq(kw->value, "mschapv2"))
-			{
-				conn->eap_type = 26;
-			}
-			else if (streq(kw->value, "radius"))
-			{	/* pseudo-type */
-				conn->eap_type = 253;
-			}
-			else
+			conn->eap_type = eap_type_from_string(kw->value);
+			if (conn->eap_type == 0)
 			{
 				conn->eap_type = atoi(kw->value);
 				if (conn->eap_type == 0)
@@ -739,7 +718,7 @@ static void load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg
 				if (*endptr != '\0')
 				{
 					plog("# bad integer value: %s=%s", kw->entry->name, kw->value);
-		    		cfg->err++;
+					cfg->err++;
 				}
 			}
 			break;
@@ -815,7 +794,7 @@ static void load_ca(starter_ca_t *ca, kw_list_t *kw, starter_config_t *cfg)
 				DBG(DBG_CONTROL,
 					DBG_log("  also=%s", kw->value)
 				)
-	    	}
+			}
 			continue;
 		}
 
@@ -879,7 +858,7 @@ static void load_also_conns(starter_conn_t *conn, also_t *also,
 /*
  * find a conn included by also
  */
-static kw_list_t* find_also_conn(const char* name, starter_conn_t *conn, 
+static kw_list_t* find_also_conn(const char* name, starter_conn_t *conn,
 								 starter_config_t *cfg)
 {
 	starter_conn_t *c = cfg->conn_first;
diff --git a/src/starter/confread.h b/src/starter/confread.h
index 5e4356ea3..982d1d206 100644
--- a/src/starter/confread.h
+++ b/src/starter/confread.h
@@ -95,13 +95,6 @@ struct also {
 		also_t          *next;
 };
 
-typedef struct mark_t mark_t;
-
-struct mark_t{
-		u_int32_t value;
-		u_int32_t mask;
-};
-
 typedef struct starter_conn starter_conn_t;
 
 struct starter_conn {
@@ -117,6 +110,7 @@ struct starter_conn {
 		u_int32_t       eap_type;
 		u_int32_t       eap_vendor;
 		char            *eap_identity;
+		char            *aaa_identity;
 		char            *xauth_identity;
 		lset_t          policy;
 		time_t          sa_ike_life_seconds;
@@ -129,8 +123,8 @@ struct starter_conn {
 		unsigned long   sa_keying_tries;
 		unsigned long   sa_rekey_fuzz;
 		u_int32_t       reqid;
-		mark_t			mark_in;
-		mark_t			mark_out;
+		mark_t          mark_in;
+		mark_t          mark_out;
 		sa_family_t     addr_family;
 		sa_family_t     tunnel_addr_family;
 		bool            install_policy;
diff --git a/src/starter/interfaces.c b/src/starter/interfaces.c
index 92b2c74a4..ef26cdce5 100644
--- a/src/starter/interfaces.c
+++ b/src/starter/interfaces.c
@@ -56,7 +56,7 @@ get_defaultroute(defaultroute_t *defaultroute)
 	ssize_t msglen;
 	int fd;
 
-	bzero(&rtu, sizeof(rtu));
+	memset(&rtu, 0, sizeof(rtu));
 	rtu.m.nh.nlmsg_len = NLMSG_LENGTH(sizeof(rtu.m.rt));
 	rtu.m.nh.nlmsg_flags = NLM_F_REQUEST | NLM_F_DUMP;
 	rtu.m.nh.nlmsg_type = RTM_GETROUTE;
@@ -142,7 +142,7 @@ get_defaultroute(defaultroute_t *defaultroute)
 				plog("could not open AF_INET socket");
 				break;
 			}
-			bzero(&req, sizeof(req));
+			memset(&req, 0, sizeof(req));
 			req.ifr_ifindex = iface_idx;
 			if (ioctl(fd, SIOCGIFNAME, &req) < 0 ||
 				ioctl(fd, SIOCGIFADDR, &req) < 0)
diff --git a/src/starter/ipsec.conf.5 b/src/starter/ipsec.conf.5
deleted file mode 100644
index b1ae15825..000000000
--- a/src/starter/ipsec.conf.5
+++ /dev/null
@@ -1,1330 +0,0 @@
-.TH IPSEC.CONF 5 "2010-05-30" "4.4.1rc3" "strongSwan"
-.SH NAME
-ipsec.conf \- IPsec configuration and connections
-.SH DESCRIPTION
-The optional
-.I ipsec.conf
-file
-specifies most configuration and control information for the
-strongSwan IPsec subsystem.
-The major exception is secrets for authentication;
-see
-.IR ipsec.secrets (5).
-Its contents are not security-sensitive.
-.PP
-The file is a text file, consisting of one or more
-.IR sections .
-White space followed by
-.B #
-followed by anything to the end of the line
-is a comment and is ignored,
-as are empty lines which are not within a section.
-.PP
-A line which contains
-.B include
-and a file name, separated by white space,
-is replaced by the contents of that file,
-preceded and followed by empty lines.
-If the file name is not a full pathname,
-it is considered to be relative to the directory containing the
-including file.
-Such inclusions can be nested.
-Only a single filename may be supplied, and it may not contain white space,
-but it may include shell wildcards (see
-.IR sh (1));
-for example:
-.PP
-.B include
-.B "ipsec.*.conf"
-.PP
-The intention of the include facility is mostly to permit keeping
-information on connections, or sets of connections,
-separate from the main configuration file.
-This permits such connection descriptions to be changed,
-copied to the other security gateways involved, etc.,
-without having to constantly extract them from the configuration
-file and then insert them back into it.
-Note also the
-.B also
-parameter (described below) which permits splitting a single logical
-section (e.g. a connection description) into several actual sections.
-.PP
-A section
-begins with a line of the form:
-.PP
-.I type
-.I name
-.PP
-where
-.I type
-indicates what type of section follows, and
-.I name
-is an arbitrary name which distinguishes the section from others
-of the same type.
-Names must start with a letter and may contain only
-letters, digits, periods, underscores, and hyphens.
-All subsequent non-empty lines
-which begin with white space are part of the section;
-comments within a section must begin with white space too.
-There may be only one section of a given type with a given name.
-.PP
-Lines within the section are generally of the form
-.PP
-\ \ \ \ \ \fIparameter\fB=\fIvalue\fR
-.PP
-(note the mandatory preceding white space).
-There can be white space on either side of the
-.BR = .
-Parameter names follow the same syntax as section names,
-and are specific to a section type.
-Unless otherwise explicitly specified,
-no parameter name may appear more than once in a section.
-.PP
-An empty
-.I value
-stands for the system default value (if any) of the parameter,
-i.e. it is roughly equivalent to omitting the parameter line entirely.
-A
-.I value
-may contain white space only if the entire
-.I value
-is enclosed in double quotes (\fB"\fR);
-a
-.I value
-cannot itself contain a double quote,
-nor may it be continued across more than one line.
-.PP
-Numeric values are specified to be either an ``integer''
-(a sequence of digits) or a ``decimal number''
-(sequence of digits optionally followed by `.' and another sequence of digits).
-.PP
-There is currently one parameter which is available in any type of
-section:
-.TP
-.B also
-the value is a section name;
-the parameters of that section are appended to this section,
-as if they had been written as part of it.
-The specified section must exist, must follow the current one,
-and must have the same section type.
-(Nesting is permitted,
-and there may be more than one
-.B also
-in a single section,
-although it is forbidden to append the same section more than once.)
-.PP
-A section with name
-.B %default
-specifies defaults for sections of the same type.
-For each parameter in it,
-any section of that type which does not have a parameter of the same name
-gets a copy of the one from the
-.B %default
-section.
-There may be multiple
-.B %default
-sections of a given type,
-but only one default may be supplied for any specific parameter name,
-and all
-.B %default
-sections of a given type must precede all non-\c
-.B %default
-sections of that type.
-.B %default
-sections may not contain the
-.B also
-parameter.
-.PP
-Currently there are three types of sections:
-a
-.B config
-section specifies general configuration information for IPsec, a
-.B conn
-section specifies an IPsec connection, while a
-.B ca
-section specifies special properties of a certification authority.
-.SH "CONN SECTIONS"
-A
-.B conn
-section contains a
-.IR "connection specification" ,
-defining a network connection to be made using IPsec.
-The name given is arbitrary, and is used to identify the connection.
-Here's a simple example:
-.PP
-.ne 10
-.nf
-.ft B
-.ta 1c
-conn snt
-	left=192.168.0.1
-	leftsubnet=10.1.0.0/16
-	right=192.168.0.2
-	rightsubnet=10.1.0.0/16
-	keyingtries=%forever
-	auto=add
-.ft
-.fi
-.PP
-A note on terminology: There are two kinds of communications going on:
-transmission of user IP packets, and gateway-to-gateway negotiations for
-keying, rekeying, and general control.
-The path to control the connection is called 'ISAKMP SA' in IKEv1
-and 'IKE SA' in the IKEv2 protocol. That what is being negotiated, the kernel
-level data path, is called 'IPsec SA' or 'Child SA'.
-strongSwan currently uses two separate keying daemons. \fIpluto\fP handles
-all IKEv1 connections, \fIcharon\fP is the daemon handling the IKEv2
-protocol.
-.PP
-To avoid trivial editing of the configuration file to suit it to each system
-involved in a connection,
-connection specifications are written in terms of
-.I left
-and
-.I right
-participants,
-rather than in terms of local and remote.
-Which participant is considered
-.I left
-or
-.I right
-is arbitrary;
-for every connection description an attempt is made to figure out whether
-the local endpoint should act as the
-.I left
-or
-.I right
-endpoint. This is done by matching the IP addresses defined for both endpoints
-with the IP addresses assigned to local network interfaces. If a match is found
-then the role (left or right) that matches is going to be considered local.
-If no match is found during startup,
-.I left
-is considered local.
-This permits using identical connection specifications on both ends.
-There are cases where there is no symmetry; a good convention is to
-use
-.I left
-for the local side and
-.I right
-for the remote side (the first letters are a good mnemonic).
-.PP
-Many of the parameters relate to one participant or the other;
-only the ones for
-.I left
-are listed here, but every parameter whose name begins with
-.B left
-has a
-.B right
-counterpart,
-whose description is the same but with
-.B left
-and
-.B right
-reversed.
-.PP
-Parameters are optional unless marked '(required)'.
-.SS "CONN PARAMETERS"
-Unless otherwise noted, for a connection to work,
-in general it is necessary for the two ends to agree exactly
-on the values of these parameters.
-.TP 14
-.B ah
-AH authentication algorithm to be used
-for the connection, e.g.
-.B hmac-md5.
-.TP
-.B auth
-whether authentication should be done as part of
-ESP encryption, or separately using the AH protocol;
-acceptable values are
-.B esp
-(the default) and
-.BR ah .
-.br
-The IKEv2 daemon currently supports ESP only.
-.TP
-.B authby
-how the two security gateways should authenticate each other;
-acceptable values are
-.B secret
-or
-.B psk
-for pre-shared secrets,
-.B pubkey
-(the default) for public key signatures as well as the synonyms
-.B rsasig
-for RSA digital signatures and
-.B ecdsasig
-for Elliptic Curve DSA signatures.
-.B never
-can be used if negotiation is never to be attempted or accepted (useful for
-shunt-only conns).
-Digital signatures are superior in every way to shared secrets.
-IKEv1 additionally supports the values
-.B xauthpsk
-and
-.B xauthrsasig
-that will enable eXtended AUTHentication (XAUTH) in addition to IKEv1 main mode
-based on shared secrets  or digital RSA signatures, respectively.
-IKEv2 additionally supports the value
-.BR eap ,
-which indicates an initiator to request EAP authentication. The EAP method
-to use is selected by the server (see
-.BR eap ).
-This parameter is deprecated for IKEv2 connections, as two peers do not need
-to agree on an authentication method. Use the
-.B leftauth
-parameter instead to define authentication methods in IKEv2.
-.TP
-.B auto
-what operation, if any, should be done automatically at IPsec startup;
-currently-accepted values are
-.BR add ,
-.BR route ,
-.B start
-and
-.B ignore
-(the default).
-.B add
-loads a connection without starting it.
-.B route
-loads a connection and installs kernel traps. If traffic is detected between
-.B leftsubnet
-and
-.B rightsubnet
-, a connection is established.
-.B start
-loads a connection and brings it up immediatly.
-.B ignore
-ignores the connection. This is equal to delete a connection from the config
-file.
-Relevant only locally, other end need not agree on it
-(but in general, for an intended-to-be-permanent connection,
-both ends should use
-.B auto=start
-to ensure that any reboot causes immediate renegotiation).
-.TP
-.B compress
-whether IPComp compression of content is proposed on the connection
-(link-level compression does not work on encrypted data,
-so to be effective, compression must be done \fIbefore\fR encryption);
-acceptable values are
-.B yes
-and
-.B no
-(the default). A value of
-.B yes
-causes IPsec to propose both compressed and uncompressed,
-and prefer compressed.
-A value of
-.B no
-prevents IPsec from proposing compression;
-a proposal to compress will still be accepted.
-.TP
-.B dpdaction
-controls the use of the Dead Peer Detection protocol (DPD, RFC 3706) where
-R_U_THERE notification messages (IKEv1) or empty INFORMATIONAL messages (IKEv2)
-are periodically sent in order to check the
-liveliness of the IPsec peer. The values
-.BR clear ,
-.BR hold ,
-and
-.B restart
-all activate DPD. If no activity is detected, all connections with a dead peer
-are stopped and unrouted
-.RB ( clear ),
-put in the hold state
-.RB ( hold )
-or restarted
-.RB ( restart ).
-For IKEv1, the default is
-.B none
-which disables the active sending of R_U_THERE notifications.
-Nevertheless pluto will always send the DPD Vendor ID during connection set up
-in order to signal the readiness to act passively as a responder if the peer
-wants to use DPD. For IKEv2,
-.B none
-does't make sense, since all messages are used to detect dead peers. If specified,
-it has the same meaning as the default
-.RB ( clear ).
-.TP
-.B dpddelay
-defines the period time interval with which R_U_THERE messages/INFORMATIONAL
-exchanges are sent to the peer. These are only sent if no other traffic is
-received. In IKEv2, a value of 0 sends no additional INFORMATIONAL
-messages and uses only standard messages (such as those to rekey) to detect
-dead peers.
-.TP
-.B dpdtimeout
-defines the timeout interval, after which all connections to a peer are deleted
-in case of inactivity. This only applies to IKEv1, in IKEv2 the default
-retransmission timeout applies, as every exchange is used to detect dead peers.
-.TP
-.B inactivity
-defines the timeout interval, after which a CHILD_SA is closed if it did
-not send or receive any traffic. Currently supported in IKEv2 connections only.
-.TP
-.B eap
-defines the EAP type to propose as server if the client requests EAP
-authentication. Currently supported values are
-.B aka
-for EAP-AKA,
-.B gtc
-for EAP-GTC,
-.B md5
-for EAP-MD5,
-.B mschapv2
-for EAP-MS-CHAPv2,
-.B radius
-for the EAP-RADIUS proxy and
-.B sim
-for EAP-SIM. Additionally, IANA assigned EAP method numbers are accepted, or a
-definition in the form
-.B eap=type-vendor
-(e.g. eap=7-12345) can be used to specify vendor specific EAP types.
-This parameter is deprecated in the favour of
-.B leftauth.
-
-To forward EAP authentication to a RADIUS server using the EAP-RADIUS plugin,
-set
-.BR eap=radius .
-.TP
-.B eap_identity
-defines the identity the client uses to reply to a EAP Identity request.
-If defined on the EAP server, the defined identity will be used as peer
-identity during EAP authentication. The special value
-.B %identity
-uses the EAP Identity method to ask the client for an EAP identity. If not
-defined, the IKEv2 identity will be used as EAP identity.
-.TP
-.B esp
-comma-separated list of ESP encryption/authentication algorithms to be used
-for the connection, e.g.
-.BR 3des-md5 .
-The notation is
-.BR encryption-integrity-[dh-group] .
-.br
-If
-.B dh-group
-is specified, CHILD_SA setup and rekeying include a separate diffe hellman
-exchange (IKEv2 only).
-.TP
-.B forceencaps
-Force UDP encapsulation for ESP packets even if no NAT situation is detected.
-This may help to surmount restrictive firewalls. In order to force the peer to
-encapsulate packets, NAT detection payloads are faked (IKEv2 only).
-.TP
-.B ike
-comma-separated list of IKE/ISAKMP SA encryption/authentication algorithms
-to be used, e.g.
-.BR aes128-sha1-modp2048 .
-The notation is
-.BR encryption-integrity-dhgroup .
-In IKEv2, multiple algorithms and proposals may be included, such as
-.B aes128-aes256-sha1-modp1536-modp2048,3des-sha1-md5-modp1024.
-.TP
-.B ikelifetime
-how long the keying channel of a connection (ISAKMP or IKE SA)
-should last before being renegotiated.
-.TP
-.B installpolicy
-decides whether IPsec policies are installed in the kernel by the IKEv2
-charon daemon for a given connection. Allows peaceful cooperation e.g. with
-the Mobile IPv6 daemon mip6d who wants to control the kernel policies.
-Acceptable values are
-.B yes
-(the default) and
-.BR no .
-.TP
-.B keyexchange
-method of key exchange;
-which protocol should be used to initialize the connection. Connections marked with
-.B ikev1
-are initiated with pluto, those marked with
-.B ikev2
-with charon. An incoming request from the remote peer is handled by the correct
-daemon, unaffected from the
-.B keyexchange
-setting. The default value
-.B ike
-currently is a synonym for
-.BR ikev1 .
-.TP
-.B keyingtries
-how many attempts (a whole number or \fB%forever\fP) should be made to
-negotiate a connection, or a replacement for one, before giving up
-(default
-.BR %forever ).
-The value \fB%forever\fP
-means 'never give up'.
-Relevant only locally, other end need not agree on it.
-.TP
-.B keylife
-synonym for
-.BR lifetime .
-.TP
-.B left
-(required)
-the IP address of the left participant's public-network interface
-or one of several magic values.
-If it is
-.BR %defaultroute ,
-.B left
-will be filled in automatically with the local address
-of the default-route interface (as determined at IPsec startup time and
-during configuration update).
-Either
-.B left
-or
-.B right
-may be
-.BR %defaultroute ,
-but not both.
-The prefix
-.B  %
-in front of a fully-qualified domain name or an IP address will implicitly set
-.B leftallowany=yes.
-If the domain name cannot be resolved into an IP address at IPsec startup or
-update time then
-.B left=%any
-and
-.B leftallowany=no
-will be assumed.
-
-In case of an IKEv2 connection, the value
-.B %any
-for the local endpoint signifies an address to be filled in (by automatic
-keying) during negotiation. If the local peer initiates the connection setup
-the routing table will be queried to determine the correct local IP address.
-In case the local peer is responding to a connection setup then any IP address
-that is assigned to a local interface will be accepted.
-.br
-Note that specifying
-.B %any
-for the local endpoint is not supported by the IKEv1 pluto daemon.
-
-If
-.B %any
-is used for the remote endpoint it literally means any IP address.
-
-Please note that with the usage of wildcards multiple connection descriptions
-might match a given incoming connection attempt. The most specific description
-is used in that case.
-.TP
-.B leftallowany
-a modifier for
-.B left
-, making it behave as
-.B %any
-although a concrete IP address has been assigned.
-Recommended for dynamic IP addresses that can be resolved by DynDNS at IPsec
-startup or update time.
-Acceptable values are
-.B yes
-and
-.B no
-(the default).
-.TP
-.B leftauth
-Authentication method to use locally (left) or require from the remote (right)
-side.
-This parameter is supported in IKEv2 only. Acceptable values are
-.B pubkey
-for public key authentication (RSA/ECDSA),
-.B psk
-for pre-shared key authentication and
-.B eap
-to (require the) use of the Extensible Authentication Protocol. In the case
-of
-.B eap,
-an optional EAP method can be appended. Currently defined methods are
-.BR eap-aka ,
-.BR eap-gtc ,
-.BR eap-md5 ,
-.B eap-mschapv2
-and
-.BR eap-sim .
-Alternatively, IANA assigned EAP method numbers are accepted. Vendor specific
-EAP methods are defined in the form
-.B eap-type-vendor
-.RB "(e.g. " eap-7-12345 ).
-.TP
-.B leftauth2
-Same as
-.BR leftauth ,
-but defines an additional authentication exchange. IKEv2 supports multiple
-authentication rounds using "Multiple Authentication Exchanges" defined
-in RFC4739. This allows, for example, separated authentication
-of host and user (IKEv2 only).
-.TP
-.B leftca
-the distinguished name of a certificate authority which is required to
-lie in the trust path going from the left participant's certificate up
-to the root certification authority.
-.TP
-.B leftca2
-Same as
-.B leftca,
-but for the second authentication round (IKEv2 only).
-.TP
-.B leftcert
-the path to the left participant's X.509 certificate. The file can be encoded
-either in PEM or DER format. OpenPGP certificates are supported as well.
-Both absolute paths or paths relative to \fI/etc/ipsec.d/certs\fP
-are accepted. By default
-.B leftcert
-sets
-.B leftid
-to the distinguished name of the certificate's subject and
-.B leftca
-to the distinguished name of the certificate's issuer.
-The left participant's ID can be overriden by specifying a
-.B leftid
-value which must be certified by the certificate, though.
-.TP
-.B leftcert2
-Same as
-.B leftcert,
-but for the second authentication round (IKEv2 only).
-.TP
-.B leftfirewall
-whether the left participant is doing forwarding-firewalling
-(including masquerading) using iptables for traffic from \fIleftsubnet\fR,
-which should be turned off (for traffic to the other subnet)
-once the connection is established;
-acceptable values are
-.B yes
-and
-.B no
-(the default).
-May not be used in the same connection description with
-.BR leftupdown .
-Implemented as a parameter to the default \fBipsec _updown\fR script.
-See notes below.
-Relevant only locally, other end need not agree on it.
-
-If one or both security gateways are doing forwarding firewalling
-(possibly including masquerading),
-and this is specified using the firewall parameters,
-tunnels established with IPsec are exempted from it
-so that packets can flow unchanged through the tunnels.
-(This means that all subnets connected in this manner must have
-distinct, non-overlapping subnet address blocks.)
-This is done by the default \fBipsec _updown\fR script (see
-.IR pluto (8)).
-
-In situations calling for more control,
-it may be preferable for the user to supply his own
-.I updown
-script,
-which makes the appropriate adjustments for his system.
-.TP
-.B leftgroups
-a comma separated list of group names. If the
-.B leftgroups
-parameter is present then the peer must be a member of at least one
-of the groups defined by the parameter. Group membership must be certified
-by a valid attribute certificate stored in \fI/etc/ipsec.d/acerts/\fP thas has
-been issued to the peer by a trusted Authorization Authority stored in
-\fI/etc/ipsec.d/aacerts/\fP.
-.br
-Attribute certificates are not supported in IKEv2 yet.
-.TP
-.B lefthostaccess
-inserts a pair of INPUT and OUTPUT iptables rules using the default
-\fBipsec _updown\fR script, thus allowing access to the host itself
-in the case where the host's internal interface is part of the
-negotiated client subnet.
-Acceptable values are
-.B yes
-and
-.B no
-(the default).
-.TP
-.B leftid
-how the left participant should be identified for authentication;
-defaults to
-.BR left .
-Can be an IP address or a fully-qualified domain name preceded by
-.B @
-(which is used as a literal string and not resolved).
-.TP
-.B leftid2
-identity to use for a second authentication for the left participant
-(IKEv2 only); defaults to
-.BR leftid .
-.TP
-.B leftikeport
-UDP port the left participant uses for IKE communication. Currently supported in
-IKEv2 connections only. If unspecified, port 500 is used with the port floating
-to 4500 if a NAT is detected or MOBIKE is enabled. Specifying a local IKE port
-different from the default additionally requires a socket implementation that
-listens to this port.
-.TP
-.B leftnexthop
-this parameter is usually not needed any more because the NETKEY IPsec stack
-does not require explicit routing entries for the traffic to be tunneled. If
-.B leftsourceip
-is used with IKEv1 then
-.B leftnexthop
-must still be set in order for the source routes to work properly.
-.TP
-.B leftprotoport
-restrict the traffic selector to a single protocol and/or port.
-Examples:
-.B leftprotoport=tcp/http
-or
-.B leftprotoport=6/80
-or
-.B leftprotoport=udp
-.TP
-.B leftrsasigkey
-the left participant's
-public key for RSA signature authentication,
-in RFC 2537 format using
-.IR ttodata (3)
-encoding.
-The magic value
-.B %none
-means the same as not specifying a value (useful to override a default).
-The value
-.B %cert
-(the default)
-means that the key is extracted from a certificate.
-The identity used for the left participant
-must be a specific host, not
-.B %any
-or another magic value.
-.B Caution:
-if two connection descriptions
-specify different public keys for the same
-.BR leftid ,
-confusion and madness will ensue.
-.TP
-.B leftsendcert
-Accepted values are
-.B never
-or
-.BR no ,
-.B always
-or
-.BR yes ,
-and
-.BR ifasked ,
-the latter meaning that the peer must send a certificate request payload in
-order to get a certificate in return.
-.TP
-.B leftsourceip
-The internal source IP to use in a tunnel, also known as virtual IP. If the
-value is one of the synonyms
-.BR %modeconfig ,
-.BR %modecfg ,
-.BR %config ,
-or
-.BR %cfg ,
-an address is requested from the peer. In IKEv2, a statically defined address
-is also requested, since the server may change it.
-.TP
-.B rightsourceip
-The internal source IP to use in a tunnel for the remote peer. If the
-value is
-.B %config
-on the responder side, the initiator must propose an address which is then
-echoed back. Also supported are address pools expressed as
-\fInetwork\fB/\fInetmask\fR
-or the use of an external IP address pool using %\fIpoolname\fR,
-where \fIpoolname\fR is the name of the IP address pool used for the lookup.
-.TP
-.B leftsubnet
-private subnet behind the left participant, expressed as
-\fInetwork\fB/\fInetmask\fR;
-if omitted, essentially assumed to be \fIleft\fB/32\fR,
-signifying that the left end of the connection goes to the left participant
-only. When using IKEv2, the configured subnet of the peers may differ, the
-protocol narrows it to the greatest common subnet. Further, IKEv2 supports
-multiple subnets separated by commas. IKEv1 only interprets the first subnet
-of such a definition.
-.TP
-.B leftsubnetwithin
-the peer can propose any subnet or single IP address that fits within the
-range defined by
-.BR leftsubnetwithin.
-Not relevant for IKEv2, as subnets are narrowed.
-.TP
-.B leftupdown
-what ``updown'' script to run to adjust routing and/or firewalling
-when the status of the connection
-changes (default
-.BR "ipsec _updown" ).
-May include positional parameters separated by white space
-(although this requires enclosing the whole string in quotes);
-including shell metacharacters is unwise.
-See
-.IR pluto (8)
-for details.
-Relevant only locally, other end need not agree on it. IKEv2 uses the updown
-script to insert firewall rules only, since routing has been implemented
-directly into charon.
-.TP
-.B lifebytes
-the number of bytes transmitted over an IPsec SA before it expires (IKEv2
-only).
-.TP
-.B lifepackets
-the number of packets transmitted over an IPsec SA before it expires (IKEv2
-only).
-.TP
-.B lifetime
-how long a particular instance of a connection
-(a set of encryption/authentication keys for user packets) should last,
-from successful negotiation to expiry;
-acceptable values are an integer optionally followed by
-.BR s
-(a time in seconds)
-or a decimal number followed by
-.BR m ,
-.BR h ,
-or
-.B d
-(a time
-in minutes, hours, or days respectively)
-(default
-.BR 1h ,
-maximum
-.BR 24h ).
-Normally, the connection is renegotiated (via the keying channel)
-before it expires (see
-.BR margintime ).
-The two ends need not exactly agree on
-.BR lifetime ,
-although if they do not,
-there will be some clutter of superseded connections on the end
-which thinks the lifetime is longer.
-.TP
-.B marginbytes
-how many bytes before IPsec SA expiry (see
-.BR lifebytes )
-should attempts to negotiate a replacement begin (IKEv2 only).
-.TP
-.B marginpackets
-how many packets before IPsec SA expiry (see
-.BR lifepackets )
-should attempts to negotiate a replacement begin (IKEv2 only).
-.TP
-.B margintime
-how long before connection expiry or keying-channel expiry
-should attempts to
-negotiate a replacement
-begin; acceptable values as for
-.B lifetime
-(default
-.BR 9m ).
-Relevant only locally, other end need not agree on it.
-.TP
-.B mark
-sets an XFRM mark of the form <value>[/<mask>] in the inbound and outbound
-IPsec SAs and policies (IKEv2 only). If the mask is missing then a default
-mask of
-.B 0xffffffff
-is assumed.
-.TP
-.B mark_in
-sets an XFRM mark of the form <value>[/<mask>] in the inbound IPsec SA and policy
-(IKEv2 only). If the mask is missing then a default mask of
-.B 0xffffffff
-is assumed.
-.TP
-.B mark_out
-sets an XFRM mark of the form <value>[/<mask>] in the outbound IPsec SA and policy
-(IKEv2 only). If the mask is missing then a default mask of
-.B 0xffffffff
-is assumed.
-.TP
-.B mobike
-enables the IKEv2 MOBIKE protocol defined by RFC 4555. Accepted values are
-.B yes
-(the default) and
-.BR no .
-If set to
-.BR no ,
-the IKEv2 charon daemon will not actively propose MOBIKE as initiator and
-ignore the MOBIKE_SUPPORTED notify as responder.
-.TP
-.B modeconfig
-defines which mode is used to assign a virtual IP.
-Accepted values are
-.B push
-and
-.B pull
-(the default).
-Currently relevant for IKEv1 only since IKEv2 always uses the configuration
-payload in pull mode. Cisco VPN gateways usually operate in
-.B push
-mode.
-.TP
-.B pfs
-whether Perfect Forward Secrecy of keys is desired on the connection's
-keying channel
-(with PFS, penetration of the key-exchange protocol
-does not compromise keys negotiated earlier);
-acceptable values are
-.B yes
-(the default)
-and
-.BR no.
-IKEv2 always uses PFS for IKE_SA rekeying whereas for CHILD_SA rekeying
-PFS is enforced by defining a Diffie-Hellman modp group in the
-.B esp
-parameter.
-.TP
-.B pfsgroup
-defines a Diffie-Hellman group for perfect forward secrecy in IKEv1 Quick Mode
-differing from the DH group used for IKEv1 Main Mode (IKEv1 only).
-.TP
-.B reauth
-whether rekeying of an IKE_SA should also reauthenticate the peer. In IKEv1,
-reauthentication is always done. In IKEv2, a value of
-.B no
-rekeys without uninstalling the IPsec SAs, a value of
-.B yes
-(the default) creates a new IKE_SA from scratch and tries to recreate
-all IPsec SAs.
-.TP
-.B rekey
-whether a connection should be renegotiated when it is about to expire;
-acceptable values are
-.B yes
-(the default)
-and
-.BR no .
-The two ends need not agree, but while a value of
-.B no
-prevents pluto/charon from requesting renegotiation,
-it does not prevent responding to renegotiation requested from the other end,
-so
-.B no
-will be largely ineffective unless both ends agree on it.
-.TP
-.B rekeyfuzz
-maximum percentage by which
-.BR marginbytes ,
-.B marginpackets
-and
-.B margintime
-should be randomly increased to randomize rekeying intervals
-(important for hosts with many connections);
-acceptable values are an integer,
-which may exceed 100,
-followed by a `%'
-(defaults to
-.BR 100% ).
-The value of
-.BR marginTYPE ,
-after this random increase,
-must not exceed
-.B lifeTYPE
-(where TYPE is one of
-.IR bytes ,
-.I packets
-or
-.IR time ).
-The value
-.B 0%
-will suppress randomization.
-Relevant only locally, other end need not agree on it.
-.TP
-.B rekeymargin
-synonym for
-.BR margintime .
-.TP
-.B reqid
-sets the reqid for a given connection to a pre-configured fixed value (IKEv2 only).
-.TP
-.B type
-the type of the connection; currently the accepted values
-are
-.B tunnel
-(the default)
-signifying a host-to-host, host-to-subnet, or subnet-to-subnet tunnel;
-.BR transport ,
-signifying host-to-host transport mode;
-.BR transport_proxy ,
-signifying the special Mobile IPv6 transport proxy mode;
-.BR passthrough ,
-signifying that no IPsec processing should be done at all;
-.BR drop ,
-signifying that packets should be discarded; and
-.BR reject ,
-signifying that packets should be discarded and a diagnostic ICMP returned.
-The IKEv2 daemon charon currently supports
-.BR tunnel ,
-.BR transport ,
-and
-.BR tunnel_proxy
-connection types, only.
-.TP
-.B xauth
-specifies the role in the XAUTH protocol if activated by
-.B authby=xauthpsk
-or
-.B authby=xauthrsasig.
-Accepted values are
-.B server
-and
-.B client
-(the default).
-
-.SS "CONN PARAMETERS: IKEv2 MEDIATION EXTENSION"
-The following parameters are relevant to IKEv2 Mediation Extension
-operation only.
-.TP 14
-.B mediation
-whether this connection is a mediation connection, ie. whether this
-connection is used to mediate other connections.  Mediation connections
-create no child SA. Acceptable values are
-.B no
-(the default) and
-.BR yes .
-.TP
-.B mediated_by
-the name of the connection to mediate this connection through.  If given,
-the connection will be mediated through the named mediation connection.
-The mediation connection must set
-.BR mediation=yes .
-.TP
-.B me_peerid
-ID as which the peer is known to the mediation server, ie. which the other
-end of this connection uses as its
-.B leftid
-on its connection to the mediation server.  This is the ID we request the
-mediation server to mediate us with.  If
-.B me_peerid
-is not given, the
-.B rightid
-of this connection will be used as peer ID.
-
-.SH "CA SECTIONS"
-This are optional sections that can be used to assign special
-parameters to a Certification Authority (CA).
-.TP 10
-.B auto
-currently can have either the value
-.B ignore
-or
-.B add
-.
-.TP
-.B cacert
-defines a path to the CA certificate either relative to
-\fI/etc/ipsec.d/cacerts\fP or as an absolute path.
-.TP
-.B crluri
-defines a CRL distribution point (ldap, http, or file URI)
-.TP
-.B crluri1
-synonym for
-.B crluri.
-.TP
-.B crluri2
-defines an alternative CRL distribution point (ldap, http, or file URI)
-.TP
-.B ldaphost
-defines an ldap host. Currently used by IKEv1 only.
-.TP
-.B ocspuri
-defines an OCSP URI.
-.TP
-.B ocspuri1
-synonym for
-.B ocspuri.
-.TP
-.B ocspuri2
-defines an alternative OCSP URI. Currently used by IKEv2 only.
-.TP
-.B certuribase
-defines the base URI for the Hash and URL feature supported by IKEv2.
-Instead of exchanging complete certificates, IKEv2 allows to send an URI
-that resolves to the DER encoded certificate. The certificate URIs are built
-by appending the SHA1 hash of the DER encoded certificates to this base URI.
-.SH "CONFIG SECTIONS"
-At present, the only
-.B config
-section known to the IPsec software is the one named
-.BR setup ,
-which contains information used when the software is being started.
-Here's an example:
-.PP
-.ne 8
-.nf
-.ft B
-.ta 1c
-config setup
-	plutodebug=all
-	crlcheckinterval=10m
-	strictcrlpolicy=yes
-.ft
-.fi
-.PP
-Parameters are optional unless marked ``(required)''.
-The currently-accepted
-.I parameter
-names in a
-.B config
-.B setup
-section affecting both daemons are:
-.TP 14
-.B cachecrls
-certificate revocation lists (CRLs) fetched via http or ldap will be cached in
-\fI/etc/ipsec.d/crls/\fR under a unique file name derived from the certification
-authority's public key.
-Accepted values are
-.B yes
-and
-.B no
-(the default).
-.TP
-.B charonstart
-whether to start the IKEv2 Charon daemon or not.
-Accepted values are
-.B yes
-or
-.BR no .
-The default is
-.B yes
-if starter was compiled with IKEv2 support.
-.TP
-.B dumpdir
-in what directory should things started by \fBipsec starter\fR
-(notably the Pluto and Charon daemons) be allowed to dump core?
-The empty value (the default) means they are not
-allowed to.
-This feature is currently not yet supported by \fBipsec starter\fR.
-.TP
-.B plutostart
-whether to start the IKEv1 Pluto daemon or not.
-Accepted values are
-.B yes
-or
-.BR no .
-The default is
-.B yes
-if starter was compiled with IKEv1 support.
-.TP
-.B strictcrlpolicy
-defines if a fresh CRL must be available in order for the peer authentication based
-on RSA signatures to succeed.
-Accepted values are
-.B yes
-and
-.B no
-(the default).
-IKEv2 additionally recognizes
-.B ifuri
-which reverts to
-.B yes
-if at least one CRL URI is defined and to
-.B no
-if no URI is known.
-.TP
-.B uniqueids
-whether a particular participant ID should be kept unique,
-with any new (automatically keyed)
-connection using an ID from a different IP address
-deemed to replace all old ones using that ID;
-acceptable values are
-.B yes
-(the default)
-and
-.BR no .
-Participant IDs normally \fIare\fR unique,
-so a new (automatically-keyed) connection using the same ID is
-almost invariably intended to replace an old one.
-The IKEv2 daemon also accepts the value
-.B replace
-wich is identical to
-.B yes
-and the value
-.B keep
-to reject new IKE_SA setups and keep the duplicate established earlier.
-.PP
-The following
-.B config section
-parameters are used by the IKEv1 Pluto daemon only:
-.TP
-.B crlcheckinterval
-interval in seconds. CRL fetching is enabled if the value is greater than zero.
-Asynchronous, periodic checking for fresh CRLs is currently done by the
-IKEv1 Pluto daemon only.
-.TP
-.B keep_alive
-interval in seconds between NAT keep alive packets, the default being 20 seconds.
-.TP
-.B nat_traversal
-activates NAT traversal by accepting source ISAKMP ports different from udp/500 and
-being able of floating to udp/4500 if a NAT situation is detected.
-Accepted values are
-.B yes
-and
-.B no
-(the default).
-Used by IKEv1 only, NAT traversal always being active in IKEv2.
-.TP
-.B nocrsend
-no certificate request payloads will be sent.
-Accepted values are
-.B yes
-and
-.B no
-(the default).
-.TP
-.B pkcs11initargs
-non-standard argument string for PKCS#11 C_Initialize() function;
-required by NSS softoken.
-.TP
-.B pkcs11module
-defines the path to a dynamically loadable PKCS #11 library.
-.TP
-.B pkcs11keepstate
-PKCS #11 login sessions will be kept during the whole lifetime of the keying
-daemon. Useful with pin-pad smart card readers.
-Accepted values are
-.B yes
-and
-.B no
-(the default).
-.TP
-.B pkcs11proxy
-Pluto will act as a PKCS #11 proxy accessible via the whack interface.
-Accepted values are
-.B yes
-and
-.B no
-(the default).
-.TP
-.B plutodebug
-how much Pluto debugging output should be logged.
-An empty value,
-or the magic value
-.BR none ,
-means no debugging output (the default).
-The magic value
-.B all
-means full output.
-Otherwise only the specified types of output
-(a quoted list, names without the
-.B \-\-debug\-
-prefix,
-separated by white space) are enabled;
-for details on available debugging types, see
-.IR pluto (8).
-.TP
-.B plutostderrlog
-Pluto will not use syslog, but rather log to stderr, and redirect stderr
-to the argument file.
-.TP
-.B postpluto
-shell command to run after starting Pluto
-(e.g., to remove a decrypted copy of the
-.I ipsec.secrets
-file).
-It's run in a very simple way;
-complexities like I/O redirection are best hidden within a script.
-Any output is redirected for logging,
-so running interactive commands is difficult unless they use
-.I /dev/tty
-or equivalent for their interaction.
-Default is none.
-.TP
-.B prepluto
-shell command to run before starting Pluto
-(e.g., to decrypt an encrypted copy of the
-.I ipsec.secrets
-file).
-It's run in a very simple way;
-complexities like I/O redirection are best hidden within a script.
-Any output is redirected for logging,
-so running interactive commands is difficult unless they use
-.I /dev/tty
-or equivalent for their interaction.
-Default is none.
-.TP
-.B virtual_private
-defines private networks using a wildcard notation.
-.PP
-The following
-.B config section
-parameters are used by the IKEv2 Charon daemon only:
-.TP
-.B charondebug
-how much Charon debugging output should be logged.
-A comma separated list containing type level/pairs may
-be specified, e.g:
-.B dmn 3, ike 1, net -1.
-Acceptable values for types are
-.B dmn, mgr, ike, chd, job, cfg, knl, net, enc, lib
-and the level is one of
-.B -1, 0, 1, 2, 3, 4
-(for silent, audit, control, controlmore, raw, private).
-.PP
-The following
-.B config section
-parameters only make sense if the KLIPS IPsec stack
-is used instead of the default NETKEY stack of the Linux 2.6 kernel:
-.TP
-.B fragicmp
-whether a tunnel's need to fragment a packet should be reported
-back with an ICMP message,
-in an attempt to make the sender lower his PMTU estimate;
-acceptable values are
-.B yes
-(the default)
-and
-.BR no .
-.TP
-.B hidetos
-whether a tunnel packet's TOS field should be set to
-.B 0
-rather than copied from the user packet inside;
-acceptable values are
-.B yes
-(the default)
-and
-.BR no
-.TP
-.B interfaces
-virtual and physical interfaces for IPsec to use:
-a single
-\fIvirtual\fB=\fIphysical\fR pair, a (quoted!) list of pairs separated
-by white space, or
-.BR %none .
-One of the pairs may be written as
-.BR %defaultroute ,
-which means: find the interface \fId\fR that the default route points to,
-and then act as if the value was ``\fBipsec0=\fId\fR''.
-.B %defaultroute
-is the default;
-.B %none
-must be used to denote no interfaces.
-.TP
-.B overridemtu
-value that the MTU of the ipsec\fIn\fR interface(s) should be set to,
-overriding IPsec's (large) default.
-.SH FILES
-.nf
-/etc/ipsec.conf
-/etc/ipsec.d/aacerts
-/etc/ipsec.d/acerts
-/etc/ipsec.d/cacerts
-/etc/ipsec.d/certs
-/etc/ipsec.d/crls
-
-.SH SEE ALSO
-ipsec(8), pluto(8), starter(8)
-.SH HISTORY
-Originally written for the FreeS/WAN project by Henry Spencer.
-Updated and extended for the strongSwan project <http://www.strongswan.org> by
-Tobias Brunner, Andreas Steffen and Martin Willi.
-.SH BUGS
-.PP
-If conns are to be added before DNS is available, \fBleft=\fP\fIFQDN\fP
-will fail.
diff --git a/src/starter/ipsec.conf.5.in b/src/starter/ipsec.conf.5.in
deleted file mode 100644
index 3d2940a66..000000000
--- a/src/starter/ipsec.conf.5.in
+++ /dev/null
@@ -1,1330 +0,0 @@
-.TH IPSEC.CONF 5 "2010-05-30" "@IPSEC_VERSION@" "strongSwan"
-.SH NAME
-ipsec.conf \- IPsec configuration and connections
-.SH DESCRIPTION
-The optional
-.I ipsec.conf
-file
-specifies most configuration and control information for the
-strongSwan IPsec subsystem.
-The major exception is secrets for authentication;
-see
-.IR ipsec.secrets (5).
-Its contents are not security-sensitive.
-.PP
-The file is a text file, consisting of one or more
-.IR sections .
-White space followed by
-.B #
-followed by anything to the end of the line
-is a comment and is ignored,
-as are empty lines which are not within a section.
-.PP
-A line which contains
-.B include
-and a file name, separated by white space,
-is replaced by the contents of that file,
-preceded and followed by empty lines.
-If the file name is not a full pathname,
-it is considered to be relative to the directory containing the
-including file.
-Such inclusions can be nested.
-Only a single filename may be supplied, and it may not contain white space,
-but it may include shell wildcards (see
-.IR sh (1));
-for example:
-.PP
-.B include
-.B "ipsec.*.conf"
-.PP
-The intention of the include facility is mostly to permit keeping
-information on connections, or sets of connections,
-separate from the main configuration file.
-This permits such connection descriptions to be changed,
-copied to the other security gateways involved, etc.,
-without having to constantly extract them from the configuration
-file and then insert them back into it.
-Note also the
-.B also
-parameter (described below) which permits splitting a single logical
-section (e.g. a connection description) into several actual sections.
-.PP
-A section
-begins with a line of the form:
-.PP
-.I type
-.I name
-.PP
-where
-.I type
-indicates what type of section follows, and
-.I name
-is an arbitrary name which distinguishes the section from others
-of the same type.
-Names must start with a letter and may contain only
-letters, digits, periods, underscores, and hyphens.
-All subsequent non-empty lines
-which begin with white space are part of the section;
-comments within a section must begin with white space too.
-There may be only one section of a given type with a given name.
-.PP
-Lines within the section are generally of the form
-.PP
-\ \ \ \ \ \fIparameter\fB=\fIvalue\fR
-.PP
-(note the mandatory preceding white space).
-There can be white space on either side of the
-.BR = .
-Parameter names follow the same syntax as section names,
-and are specific to a section type.
-Unless otherwise explicitly specified,
-no parameter name may appear more than once in a section.
-.PP
-An empty
-.I value
-stands for the system default value (if any) of the parameter,
-i.e. it is roughly equivalent to omitting the parameter line entirely.
-A
-.I value
-may contain white space only if the entire
-.I value
-is enclosed in double quotes (\fB"\fR);
-a
-.I value
-cannot itself contain a double quote,
-nor may it be continued across more than one line.
-.PP
-Numeric values are specified to be either an ``integer''
-(a sequence of digits) or a ``decimal number''
-(sequence of digits optionally followed by `.' and another sequence of digits).
-.PP
-There is currently one parameter which is available in any type of
-section:
-.TP
-.B also
-the value is a section name;
-the parameters of that section are appended to this section,
-as if they had been written as part of it.
-The specified section must exist, must follow the current one,
-and must have the same section type.
-(Nesting is permitted,
-and there may be more than one
-.B also
-in a single section,
-although it is forbidden to append the same section more than once.)
-.PP
-A section with name
-.B %default
-specifies defaults for sections of the same type.
-For each parameter in it,
-any section of that type which does not have a parameter of the same name
-gets a copy of the one from the
-.B %default
-section.
-There may be multiple
-.B %default
-sections of a given type,
-but only one default may be supplied for any specific parameter name,
-and all
-.B %default
-sections of a given type must precede all non-\c
-.B %default
-sections of that type.
-.B %default
-sections may not contain the
-.B also
-parameter.
-.PP
-Currently there are three types of sections:
-a
-.B config
-section specifies general configuration information for IPsec, a
-.B conn
-section specifies an IPsec connection, while a
-.B ca
-section specifies special properties of a certification authority.
-.SH "CONN SECTIONS"
-A
-.B conn
-section contains a
-.IR "connection specification" ,
-defining a network connection to be made using IPsec.
-The name given is arbitrary, and is used to identify the connection.
-Here's a simple example:
-.PP
-.ne 10
-.nf
-.ft B
-.ta 1c
-conn snt
-	left=192.168.0.1
-	leftsubnet=10.1.0.0/16
-	right=192.168.0.2
-	rightsubnet=10.1.0.0/16
-	keyingtries=%forever
-	auto=add
-.ft
-.fi
-.PP
-A note on terminology: There are two kinds of communications going on:
-transmission of user IP packets, and gateway-to-gateway negotiations for
-keying, rekeying, and general control.
-The path to control the connection is called 'ISAKMP SA' in IKEv1
-and 'IKE SA' in the IKEv2 protocol. That what is being negotiated, the kernel
-level data path, is called 'IPsec SA' or 'Child SA'.
-strongSwan currently uses two separate keying daemons. \fIpluto\fP handles
-all IKEv1 connections, \fIcharon\fP is the daemon handling the IKEv2
-protocol.
-.PP
-To avoid trivial editing of the configuration file to suit it to each system
-involved in a connection,
-connection specifications are written in terms of
-.I left
-and
-.I right
-participants,
-rather than in terms of local and remote.
-Which participant is considered
-.I left
-or
-.I right
-is arbitrary;
-for every connection description an attempt is made to figure out whether
-the local endpoint should act as the
-.I left
-or
-.I right
-endpoint. This is done by matching the IP addresses defined for both endpoints
-with the IP addresses assigned to local network interfaces. If a match is found
-then the role (left or right) that matches is going to be considered local.
-If no match is found during startup,
-.I left
-is considered local.
-This permits using identical connection specifications on both ends.
-There are cases where there is no symmetry; a good convention is to
-use
-.I left
-for the local side and
-.I right
-for the remote side (the first letters are a good mnemonic).
-.PP
-Many of the parameters relate to one participant or the other;
-only the ones for
-.I left
-are listed here, but every parameter whose name begins with
-.B left
-has a
-.B right
-counterpart,
-whose description is the same but with
-.B left
-and
-.B right
-reversed.
-.PP
-Parameters are optional unless marked '(required)'.
-.SS "CONN PARAMETERS"
-Unless otherwise noted, for a connection to work,
-in general it is necessary for the two ends to agree exactly
-on the values of these parameters.
-.TP 14
-.B ah
-AH authentication algorithm to be used
-for the connection, e.g.
-.B hmac-md5.
-.TP
-.B auth
-whether authentication should be done as part of
-ESP encryption, or separately using the AH protocol;
-acceptable values are
-.B esp
-(the default) and
-.BR ah .
-.br
-The IKEv2 daemon currently supports ESP only.
-.TP
-.B authby
-how the two security gateways should authenticate each other;
-acceptable values are
-.B secret
-or
-.B psk
-for pre-shared secrets,
-.B pubkey
-(the default) for public key signatures as well as the synonyms
-.B rsasig
-for RSA digital signatures and
-.B ecdsasig
-for Elliptic Curve DSA signatures.
-.B never
-can be used if negotiation is never to be attempted or accepted (useful for
-shunt-only conns).
-Digital signatures are superior in every way to shared secrets.
-IKEv1 additionally supports the values
-.B xauthpsk
-and
-.B xauthrsasig
-that will enable eXtended AUTHentication (XAUTH) in addition to IKEv1 main mode
-based on shared secrets  or digital RSA signatures, respectively.
-IKEv2 additionally supports the value
-.BR eap ,
-which indicates an initiator to request EAP authentication. The EAP method
-to use is selected by the server (see
-.BR eap ).
-This parameter is deprecated for IKEv2 connections, as two peers do not need
-to agree on an authentication method. Use the
-.B leftauth
-parameter instead to define authentication methods in IKEv2.
-.TP
-.B auto
-what operation, if any, should be done automatically at IPsec startup;
-currently-accepted values are
-.BR add ,
-.BR route ,
-.B start
-and
-.B ignore
-(the default).
-.B add
-loads a connection without starting it.
-.B route
-loads a connection and installs kernel traps. If traffic is detected between
-.B leftsubnet
-and
-.B rightsubnet
-, a connection is established.
-.B start
-loads a connection and brings it up immediatly.
-.B ignore
-ignores the connection. This is equal to delete a connection from the config
-file.
-Relevant only locally, other end need not agree on it
-(but in general, for an intended-to-be-permanent connection,
-both ends should use
-.B auto=start
-to ensure that any reboot causes immediate renegotiation).
-.TP
-.B compress
-whether IPComp compression of content is proposed on the connection
-(link-level compression does not work on encrypted data,
-so to be effective, compression must be done \fIbefore\fR encryption);
-acceptable values are
-.B yes
-and
-.B no
-(the default). A value of
-.B yes
-causes IPsec to propose both compressed and uncompressed,
-and prefer compressed.
-A value of
-.B no
-prevents IPsec from proposing compression;
-a proposal to compress will still be accepted.
-.TP
-.B dpdaction
-controls the use of the Dead Peer Detection protocol (DPD, RFC 3706) where
-R_U_THERE notification messages (IKEv1) or empty INFORMATIONAL messages (IKEv2)
-are periodically sent in order to check the
-liveliness of the IPsec peer. The values
-.BR clear ,
-.BR hold ,
-and
-.B restart
-all activate DPD. If no activity is detected, all connections with a dead peer
-are stopped and unrouted
-.RB ( clear ),
-put in the hold state
-.RB ( hold )
-or restarted
-.RB ( restart ).
-For IKEv1, the default is
-.B none
-which disables the active sending of R_U_THERE notifications.
-Nevertheless pluto will always send the DPD Vendor ID during connection set up
-in order to signal the readiness to act passively as a responder if the peer
-wants to use DPD. For IKEv2,
-.B none
-does't make sense, since all messages are used to detect dead peers. If specified,
-it has the same meaning as the default
-.RB ( clear ).
-.TP
-.B dpddelay
-defines the period time interval with which R_U_THERE messages/INFORMATIONAL
-exchanges are sent to the peer. These are only sent if no other traffic is
-received. In IKEv2, a value of 0 sends no additional INFORMATIONAL
-messages and uses only standard messages (such as those to rekey) to detect
-dead peers.
-.TP
-.B dpdtimeout
-defines the timeout interval, after which all connections to a peer are deleted
-in case of inactivity. This only applies to IKEv1, in IKEv2 the default
-retransmission timeout applies, as every exchange is used to detect dead peers.
-.TP
-.B inactivity
-defines the timeout interval, after which a CHILD_SA is closed if it did
-not send or receive any traffic. Currently supported in IKEv2 connections only.
-.TP
-.B eap
-defines the EAP type to propose as server if the client requests EAP
-authentication. Currently supported values are
-.B aka
-for EAP-AKA,
-.B gtc
-for EAP-GTC,
-.B md5
-for EAP-MD5,
-.B mschapv2
-for EAP-MS-CHAPv2,
-.B radius
-for the EAP-RADIUS proxy and
-.B sim
-for EAP-SIM. Additionally, IANA assigned EAP method numbers are accepted, or a
-definition in the form
-.B eap=type-vendor
-(e.g. eap=7-12345) can be used to specify vendor specific EAP types.
-This parameter is deprecated in the favour of
-.B leftauth.
-
-To forward EAP authentication to a RADIUS server using the EAP-RADIUS plugin,
-set
-.BR eap=radius .
-.TP
-.B eap_identity
-defines the identity the client uses to reply to a EAP Identity request.
-If defined on the EAP server, the defined identity will be used as peer
-identity during EAP authentication. The special value
-.B %identity
-uses the EAP Identity method to ask the client for an EAP identity. If not
-defined, the IKEv2 identity will be used as EAP identity.
-.TP
-.B esp
-comma-separated list of ESP encryption/authentication algorithms to be used
-for the connection, e.g.
-.BR 3des-md5 .
-The notation is
-.BR encryption-integrity-[dh-group] .
-.br
-If
-.B dh-group
-is specified, CHILD_SA setup and rekeying include a separate diffe hellman
-exchange (IKEv2 only).
-.TP
-.B forceencaps
-Force UDP encapsulation for ESP packets even if no NAT situation is detected.
-This may help to surmount restrictive firewalls. In order to force the peer to
-encapsulate packets, NAT detection payloads are faked (IKEv2 only).
-.TP
-.B ike
-comma-separated list of IKE/ISAKMP SA encryption/authentication algorithms
-to be used, e.g.
-.BR aes128-sha1-modp2048 .
-The notation is
-.BR encryption-integrity-dhgroup .
-In IKEv2, multiple algorithms and proposals may be included, such as
-.B aes128-aes256-sha1-modp1536-modp2048,3des-sha1-md5-modp1024.
-.TP
-.B ikelifetime
-how long the keying channel of a connection (ISAKMP or IKE SA)
-should last before being renegotiated.
-.TP
-.B installpolicy
-decides whether IPsec policies are installed in the kernel by the IKEv2
-charon daemon for a given connection. Allows peaceful cooperation e.g. with
-the Mobile IPv6 daemon mip6d who wants to control the kernel policies.
-Acceptable values are
-.B yes
-(the default) and
-.BR no .
-.TP
-.B keyexchange
-method of key exchange;
-which protocol should be used to initialize the connection. Connections marked with
-.B ikev1
-are initiated with pluto, those marked with
-.B ikev2
-with charon. An incoming request from the remote peer is handled by the correct
-daemon, unaffected from the
-.B keyexchange
-setting. The default value
-.B ike
-currently is a synonym for
-.BR ikev1 .
-.TP
-.B keyingtries
-how many attempts (a whole number or \fB%forever\fP) should be made to
-negotiate a connection, or a replacement for one, before giving up
-(default
-.BR %forever ).
-The value \fB%forever\fP
-means 'never give up'.
-Relevant only locally, other end need not agree on it.
-.TP
-.B keylife
-synonym for
-.BR lifetime .
-.TP
-.B left
-(required)
-the IP address of the left participant's public-network interface
-or one of several magic values.
-If it is
-.BR %defaultroute ,
-.B left
-will be filled in automatically with the local address
-of the default-route interface (as determined at IPsec startup time and
-during configuration update).
-Either
-.B left
-or
-.B right
-may be
-.BR %defaultroute ,
-but not both.
-The prefix
-.B  %
-in front of a fully-qualified domain name or an IP address will implicitly set
-.B leftallowany=yes.
-If the domain name cannot be resolved into an IP address at IPsec startup or
-update time then
-.B left=%any
-and
-.B leftallowany=no
-will be assumed.
-
-In case of an IKEv2 connection, the value
-.B %any
-for the local endpoint signifies an address to be filled in (by automatic
-keying) during negotiation. If the local peer initiates the connection setup
-the routing table will be queried to determine the correct local IP address.
-In case the local peer is responding to a connection setup then any IP address
-that is assigned to a local interface will be accepted.
-.br
-Note that specifying
-.B %any
-for the local endpoint is not supported by the IKEv1 pluto daemon.
-
-If
-.B %any
-is used for the remote endpoint it literally means any IP address.
-
-Please note that with the usage of wildcards multiple connection descriptions
-might match a given incoming connection attempt. The most specific description
-is used in that case.
-.TP
-.B leftallowany
-a modifier for
-.B left
-, making it behave as
-.B %any
-although a concrete IP address has been assigned.
-Recommended for dynamic IP addresses that can be resolved by DynDNS at IPsec
-startup or update time.
-Acceptable values are
-.B yes
-and
-.B no
-(the default).
-.TP
-.B leftauth
-Authentication method to use locally (left) or require from the remote (right)
-side.
-This parameter is supported in IKEv2 only. Acceptable values are
-.B pubkey
-for public key authentication (RSA/ECDSA),
-.B psk
-for pre-shared key authentication and
-.B eap
-to (require the) use of the Extensible Authentication Protocol. In the case
-of
-.B eap,
-an optional EAP method can be appended. Currently defined methods are
-.BR eap-aka ,
-.BR eap-gtc ,
-.BR eap-md5 ,
-.B eap-mschapv2
-and
-.BR eap-sim .
-Alternatively, IANA assigned EAP method numbers are accepted. Vendor specific
-EAP methods are defined in the form
-.B eap-type-vendor
-.RB "(e.g. " eap-7-12345 ).
-.TP
-.B leftauth2
-Same as
-.BR leftauth ,
-but defines an additional authentication exchange. IKEv2 supports multiple
-authentication rounds using "Multiple Authentication Exchanges" defined
-in RFC4739. This allows, for example, separated authentication
-of host and user (IKEv2 only).
-.TP
-.B leftca
-the distinguished name of a certificate authority which is required to
-lie in the trust path going from the left participant's certificate up
-to the root certification authority.
-.TP
-.B leftca2
-Same as
-.B leftca,
-but for the second authentication round (IKEv2 only).
-.TP
-.B leftcert
-the path to the left participant's X.509 certificate. The file can be encoded
-either in PEM or DER format. OpenPGP certificates are supported as well.
-Both absolute paths or paths relative to \fI/etc/ipsec.d/certs\fP
-are accepted. By default
-.B leftcert
-sets
-.B leftid
-to the distinguished name of the certificate's subject and
-.B leftca
-to the distinguished name of the certificate's issuer.
-The left participant's ID can be overriden by specifying a
-.B leftid
-value which must be certified by the certificate, though.
-.TP
-.B leftcert2
-Same as
-.B leftcert,
-but for the second authentication round (IKEv2 only).
-.TP
-.B leftfirewall
-whether the left participant is doing forwarding-firewalling
-(including masquerading) using iptables for traffic from \fIleftsubnet\fR,
-which should be turned off (for traffic to the other subnet)
-once the connection is established;
-acceptable values are
-.B yes
-and
-.B no
-(the default).
-May not be used in the same connection description with
-.BR leftupdown .
-Implemented as a parameter to the default \fBipsec _updown\fR script.
-See notes below.
-Relevant only locally, other end need not agree on it.
-
-If one or both security gateways are doing forwarding firewalling
-(possibly including masquerading),
-and this is specified using the firewall parameters,
-tunnels established with IPsec are exempted from it
-so that packets can flow unchanged through the tunnels.
-(This means that all subnets connected in this manner must have
-distinct, non-overlapping subnet address blocks.)
-This is done by the default \fBipsec _updown\fR script (see
-.IR pluto (8)).
-
-In situations calling for more control,
-it may be preferable for the user to supply his own
-.I updown
-script,
-which makes the appropriate adjustments for his system.
-.TP
-.B leftgroups
-a comma separated list of group names. If the
-.B leftgroups
-parameter is present then the peer must be a member of at least one
-of the groups defined by the parameter. Group membership must be certified
-by a valid attribute certificate stored in \fI/etc/ipsec.d/acerts/\fP thas has
-been issued to the peer by a trusted Authorization Authority stored in
-\fI/etc/ipsec.d/aacerts/\fP.
-.br
-Attribute certificates are not supported in IKEv2 yet.
-.TP
-.B lefthostaccess
-inserts a pair of INPUT and OUTPUT iptables rules using the default
-\fBipsec _updown\fR script, thus allowing access to the host itself
-in the case where the host's internal interface is part of the
-negotiated client subnet.
-Acceptable values are
-.B yes
-and
-.B no
-(the default).
-.TP
-.B leftid
-how the left participant should be identified for authentication;
-defaults to
-.BR left .
-Can be an IP address or a fully-qualified domain name preceded by
-.B @
-(which is used as a literal string and not resolved).
-.TP
-.B leftid2
-identity to use for a second authentication for the left participant
-(IKEv2 only); defaults to
-.BR leftid .
-.TP
-.B leftikeport
-UDP port the left participant uses for IKE communication. Currently supported in
-IKEv2 connections only. If unspecified, port 500 is used with the port floating
-to 4500 if a NAT is detected or MOBIKE is enabled. Specifying a local IKE port
-different from the default additionally requires a socket implementation that
-listens to this port.
-.TP
-.B leftnexthop
-this parameter is usually not needed any more because the NETKEY IPsec stack
-does not require explicit routing entries for the traffic to be tunneled. If
-.B leftsourceip
-is used with IKEv1 then
-.B leftnexthop
-must still be set in order for the source routes to work properly.
-.TP
-.B leftprotoport
-restrict the traffic selector to a single protocol and/or port.
-Examples:
-.B leftprotoport=tcp/http
-or
-.B leftprotoport=6/80
-or
-.B leftprotoport=udp
-.TP
-.B leftrsasigkey
-the left participant's
-public key for RSA signature authentication,
-in RFC 2537 format using
-.IR ttodata (3)
-encoding.
-The magic value
-.B %none
-means the same as not specifying a value (useful to override a default).
-The value
-.B %cert
-(the default)
-means that the key is extracted from a certificate.
-The identity used for the left participant
-must be a specific host, not
-.B %any
-or another magic value.
-.B Caution:
-if two connection descriptions
-specify different public keys for the same
-.BR leftid ,
-confusion and madness will ensue.
-.TP
-.B leftsendcert
-Accepted values are
-.B never
-or
-.BR no ,
-.B always
-or
-.BR yes ,
-and
-.BR ifasked ,
-the latter meaning that the peer must send a certificate request payload in
-order to get a certificate in return.
-.TP
-.B leftsourceip
-The internal source IP to use in a tunnel, also known as virtual IP. If the
-value is one of the synonyms
-.BR %modeconfig ,
-.BR %modecfg ,
-.BR %config ,
-or
-.BR %cfg ,
-an address is requested from the peer. In IKEv2, a statically defined address
-is also requested, since the server may change it.
-.TP
-.B rightsourceip
-The internal source IP to use in a tunnel for the remote peer. If the
-value is
-.B %config
-on the responder side, the initiator must propose an address which is then
-echoed back. Also supported are address pools expressed as
-\fInetwork\fB/\fInetmask\fR
-or the use of an external IP address pool using %\fIpoolname\fR,
-where \fIpoolname\fR is the name of the IP address pool used for the lookup.
-.TP
-.B leftsubnet
-private subnet behind the left participant, expressed as
-\fInetwork\fB/\fInetmask\fR;
-if omitted, essentially assumed to be \fIleft\fB/32\fR,
-signifying that the left end of the connection goes to the left participant
-only. When using IKEv2, the configured subnet of the peers may differ, the
-protocol narrows it to the greatest common subnet. Further, IKEv2 supports
-multiple subnets separated by commas. IKEv1 only interprets the first subnet
-of such a definition.
-.TP
-.B leftsubnetwithin
-the peer can propose any subnet or single IP address that fits within the
-range defined by
-.BR leftsubnetwithin.
-Not relevant for IKEv2, as subnets are narrowed.
-.TP
-.B leftupdown
-what ``updown'' script to run to adjust routing and/or firewalling
-when the status of the connection
-changes (default
-.BR "ipsec _updown" ).
-May include positional parameters separated by white space
-(although this requires enclosing the whole string in quotes);
-including shell metacharacters is unwise.
-See
-.IR pluto (8)
-for details.
-Relevant only locally, other end need not agree on it. IKEv2 uses the updown
-script to insert firewall rules only, since routing has been implemented
-directly into charon.
-.TP
-.B lifebytes
-the number of bytes transmitted over an IPsec SA before it expires (IKEv2
-only).
-.TP
-.B lifepackets
-the number of packets transmitted over an IPsec SA before it expires (IKEv2
-only).
-.TP
-.B lifetime
-how long a particular instance of a connection
-(a set of encryption/authentication keys for user packets) should last,
-from successful negotiation to expiry;
-acceptable values are an integer optionally followed by
-.BR s
-(a time in seconds)
-or a decimal number followed by
-.BR m ,
-.BR h ,
-or
-.B d
-(a time
-in minutes, hours, or days respectively)
-(default
-.BR 1h ,
-maximum
-.BR 24h ).
-Normally, the connection is renegotiated (via the keying channel)
-before it expires (see
-.BR margintime ).
-The two ends need not exactly agree on
-.BR lifetime ,
-although if they do not,
-there will be some clutter of superseded connections on the end
-which thinks the lifetime is longer.
-.TP
-.B marginbytes
-how many bytes before IPsec SA expiry (see
-.BR lifebytes )
-should attempts to negotiate a replacement begin (IKEv2 only).
-.TP
-.B marginpackets
-how many packets before IPsec SA expiry (see
-.BR lifepackets )
-should attempts to negotiate a replacement begin (IKEv2 only).
-.TP
-.B margintime
-how long before connection expiry or keying-channel expiry
-should attempts to
-negotiate a replacement
-begin; acceptable values as for
-.B lifetime
-(default
-.BR 9m ).
-Relevant only locally, other end need not agree on it.
-.TP
-.B mark
-sets an XFRM mark of the form <value>[/<mask>] in the inbound and outbound
-IPsec SAs and policies (IKEv2 only). If the mask is missing then a default
-mask of
-.B 0xffffffff
-is assumed.
-.TP
-.B mark_in
-sets an XFRM mark of the form <value>[/<mask>] in the inbound IPsec SA and policy
-(IKEv2 only). If the mask is missing then a default mask of
-.B 0xffffffff
-is assumed.
-.TP
-.B mark_out
-sets an XFRM mark of the form <value>[/<mask>] in the outbound IPsec SA and policy
-(IKEv2 only). If the mask is missing then a default mask of
-.B 0xffffffff
-is assumed.
-.TP
-.B mobike
-enables the IKEv2 MOBIKE protocol defined by RFC 4555. Accepted values are
-.B yes
-(the default) and
-.BR no .
-If set to
-.BR no ,
-the IKEv2 charon daemon will not actively propose MOBIKE as initiator and
-ignore the MOBIKE_SUPPORTED notify as responder.
-.TP
-.B modeconfig
-defines which mode is used to assign a virtual IP.
-Accepted values are
-.B push
-and
-.B pull
-(the default).
-Currently relevant for IKEv1 only since IKEv2 always uses the configuration
-payload in pull mode. Cisco VPN gateways usually operate in
-.B push
-mode.
-.TP
-.B pfs
-whether Perfect Forward Secrecy of keys is desired on the connection's
-keying channel
-(with PFS, penetration of the key-exchange protocol
-does not compromise keys negotiated earlier);
-acceptable values are
-.B yes
-(the default)
-and
-.BR no.
-IKEv2 always uses PFS for IKE_SA rekeying whereas for CHILD_SA rekeying
-PFS is enforced by defining a Diffie-Hellman modp group in the
-.B esp
-parameter.
-.TP
-.B pfsgroup
-defines a Diffie-Hellman group for perfect forward secrecy in IKEv1 Quick Mode
-differing from the DH group used for IKEv1 Main Mode (IKEv1 only).
-.TP
-.B reauth
-whether rekeying of an IKE_SA should also reauthenticate the peer. In IKEv1,
-reauthentication is always done. In IKEv2, a value of
-.B no
-rekeys without uninstalling the IPsec SAs, a value of
-.B yes
-(the default) creates a new IKE_SA from scratch and tries to recreate
-all IPsec SAs.
-.TP
-.B rekey
-whether a connection should be renegotiated when it is about to expire;
-acceptable values are
-.B yes
-(the default)
-and
-.BR no .
-The two ends need not agree, but while a value of
-.B no
-prevents pluto/charon from requesting renegotiation,
-it does not prevent responding to renegotiation requested from the other end,
-so
-.B no
-will be largely ineffective unless both ends agree on it.
-.TP
-.B rekeyfuzz
-maximum percentage by which
-.BR marginbytes ,
-.B marginpackets
-and
-.B margintime
-should be randomly increased to randomize rekeying intervals
-(important for hosts with many connections);
-acceptable values are an integer,
-which may exceed 100,
-followed by a `%'
-(defaults to
-.BR 100% ).
-The value of
-.BR marginTYPE ,
-after this random increase,
-must not exceed
-.B lifeTYPE
-(where TYPE is one of
-.IR bytes ,
-.I packets
-or
-.IR time ).
-The value
-.B 0%
-will suppress randomization.
-Relevant only locally, other end need not agree on it.
-.TP
-.B rekeymargin
-synonym for
-.BR margintime .
-.TP
-.B reqid
-sets the reqid for a given connection to a pre-configured fixed value (IKEv2 only).
-.TP
-.B type
-the type of the connection; currently the accepted values
-are
-.B tunnel
-(the default)
-signifying a host-to-host, host-to-subnet, or subnet-to-subnet tunnel;
-.BR transport ,
-signifying host-to-host transport mode;
-.BR transport_proxy ,
-signifying the special Mobile IPv6 transport proxy mode;
-.BR passthrough ,
-signifying that no IPsec processing should be done at all;
-.BR drop ,
-signifying that packets should be discarded; and
-.BR reject ,
-signifying that packets should be discarded and a diagnostic ICMP returned.
-The IKEv2 daemon charon currently supports
-.BR tunnel ,
-.BR transport ,
-and
-.BR tunnel_proxy
-connection types, only.
-.TP
-.B xauth
-specifies the role in the XAUTH protocol if activated by
-.B authby=xauthpsk
-or
-.B authby=xauthrsasig.
-Accepted values are
-.B server
-and
-.B client
-(the default).
-
-.SS "CONN PARAMETERS: IKEv2 MEDIATION EXTENSION"
-The following parameters are relevant to IKEv2 Mediation Extension
-operation only.
-.TP 14
-.B mediation
-whether this connection is a mediation connection, ie. whether this
-connection is used to mediate other connections.  Mediation connections
-create no child SA. Acceptable values are
-.B no
-(the default) and
-.BR yes .
-.TP
-.B mediated_by
-the name of the connection to mediate this connection through.  If given,
-the connection will be mediated through the named mediation connection.
-The mediation connection must set
-.BR mediation=yes .
-.TP
-.B me_peerid
-ID as which the peer is known to the mediation server, ie. which the other
-end of this connection uses as its
-.B leftid
-on its connection to the mediation server.  This is the ID we request the
-mediation server to mediate us with.  If
-.B me_peerid
-is not given, the
-.B rightid
-of this connection will be used as peer ID.
-
-.SH "CA SECTIONS"
-This are optional sections that can be used to assign special
-parameters to a Certification Authority (CA).
-.TP 10
-.B auto
-currently can have either the value
-.B ignore
-or
-.B add
-.
-.TP
-.B cacert
-defines a path to the CA certificate either relative to
-\fI/etc/ipsec.d/cacerts\fP or as an absolute path.
-.TP
-.B crluri
-defines a CRL distribution point (ldap, http, or file URI)
-.TP
-.B crluri1
-synonym for
-.B crluri.
-.TP
-.B crluri2
-defines an alternative CRL distribution point (ldap, http, or file URI)
-.TP
-.B ldaphost
-defines an ldap host. Currently used by IKEv1 only.
-.TP
-.B ocspuri
-defines an OCSP URI.
-.TP
-.B ocspuri1
-synonym for
-.B ocspuri.
-.TP
-.B ocspuri2
-defines an alternative OCSP URI. Currently used by IKEv2 only.
-.TP
-.B certuribase
-defines the base URI for the Hash and URL feature supported by IKEv2.
-Instead of exchanging complete certificates, IKEv2 allows to send an URI
-that resolves to the DER encoded certificate. The certificate URIs are built
-by appending the SHA1 hash of the DER encoded certificates to this base URI.
-.SH "CONFIG SECTIONS"
-At present, the only
-.B config
-section known to the IPsec software is the one named
-.BR setup ,
-which contains information used when the software is being started.
-Here's an example:
-.PP
-.ne 8
-.nf
-.ft B
-.ta 1c
-config setup
-	plutodebug=all
-	crlcheckinterval=10m
-	strictcrlpolicy=yes
-.ft
-.fi
-.PP
-Parameters are optional unless marked ``(required)''.
-The currently-accepted
-.I parameter
-names in a
-.B config
-.B setup
-section affecting both daemons are:
-.TP 14
-.B cachecrls
-certificate revocation lists (CRLs) fetched via http or ldap will be cached in
-\fI/etc/ipsec.d/crls/\fR under a unique file name derived from the certification
-authority's public key.
-Accepted values are
-.B yes
-and
-.B no
-(the default).
-.TP
-.B charonstart
-whether to start the IKEv2 Charon daemon or not.
-Accepted values are
-.B yes
-or
-.BR no .
-The default is
-.B yes
-if starter was compiled with IKEv2 support.
-.TP
-.B dumpdir
-in what directory should things started by \fBipsec starter\fR
-(notably the Pluto and Charon daemons) be allowed to dump core?
-The empty value (the default) means they are not
-allowed to.
-This feature is currently not yet supported by \fBipsec starter\fR.
-.TP
-.B plutostart
-whether to start the IKEv1 Pluto daemon or not.
-Accepted values are
-.B yes
-or
-.BR no .
-The default is
-.B yes
-if starter was compiled with IKEv1 support.
-.TP
-.B strictcrlpolicy
-defines if a fresh CRL must be available in order for the peer authentication based
-on RSA signatures to succeed.
-Accepted values are
-.B yes
-and
-.B no
-(the default).
-IKEv2 additionally recognizes
-.B ifuri
-which reverts to
-.B yes
-if at least one CRL URI is defined and to
-.B no
-if no URI is known.
-.TP
-.B uniqueids
-whether a particular participant ID should be kept unique,
-with any new (automatically keyed)
-connection using an ID from a different IP address
-deemed to replace all old ones using that ID;
-acceptable values are
-.B yes
-(the default)
-and
-.BR no .
-Participant IDs normally \fIare\fR unique,
-so a new (automatically-keyed) connection using the same ID is
-almost invariably intended to replace an old one.
-The IKEv2 daemon also accepts the value
-.B replace
-wich is identical to
-.B yes
-and the value
-.B keep
-to reject new IKE_SA setups and keep the duplicate established earlier.
-.PP
-The following
-.B config section
-parameters are used by the IKEv1 Pluto daemon only:
-.TP
-.B crlcheckinterval
-interval in seconds. CRL fetching is enabled if the value is greater than zero.
-Asynchronous, periodic checking for fresh CRLs is currently done by the
-IKEv1 Pluto daemon only.
-.TP
-.B keep_alive
-interval in seconds between NAT keep alive packets, the default being 20 seconds.
-.TP
-.B nat_traversal
-activates NAT traversal by accepting source ISAKMP ports different from udp/500 and
-being able of floating to udp/4500 if a NAT situation is detected.
-Accepted values are
-.B yes
-and
-.B no
-(the default).
-Used by IKEv1 only, NAT traversal always being active in IKEv2.
-.TP
-.B nocrsend
-no certificate request payloads will be sent.
-Accepted values are
-.B yes
-and
-.B no
-(the default).
-.TP
-.B pkcs11initargs
-non-standard argument string for PKCS#11 C_Initialize() function;
-required by NSS softoken.
-.TP
-.B pkcs11module
-defines the path to a dynamically loadable PKCS #11 library.
-.TP
-.B pkcs11keepstate
-PKCS #11 login sessions will be kept during the whole lifetime of the keying
-daemon. Useful with pin-pad smart card readers.
-Accepted values are
-.B yes
-and
-.B no
-(the default).
-.TP
-.B pkcs11proxy
-Pluto will act as a PKCS #11 proxy accessible via the whack interface.
-Accepted values are
-.B yes
-and
-.B no
-(the default).
-.TP
-.B plutodebug
-how much Pluto debugging output should be logged.
-An empty value,
-or the magic value
-.BR none ,
-means no debugging output (the default).
-The magic value
-.B all
-means full output.
-Otherwise only the specified types of output
-(a quoted list, names without the
-.B \-\-debug\-
-prefix,
-separated by white space) are enabled;
-for details on available debugging types, see
-.IR pluto (8).
-.TP
-.B plutostderrlog
-Pluto will not use syslog, but rather log to stderr, and redirect stderr
-to the argument file.
-.TP
-.B postpluto
-shell command to run after starting Pluto
-(e.g., to remove a decrypted copy of the
-.I ipsec.secrets
-file).
-It's run in a very simple way;
-complexities like I/O redirection are best hidden within a script.
-Any output is redirected for logging,
-so running interactive commands is difficult unless they use
-.I /dev/tty
-or equivalent for their interaction.
-Default is none.
-.TP
-.B prepluto
-shell command to run before starting Pluto
-(e.g., to decrypt an encrypted copy of the
-.I ipsec.secrets
-file).
-It's run in a very simple way;
-complexities like I/O redirection are best hidden within a script.
-Any output is redirected for logging,
-so running interactive commands is difficult unless they use
-.I /dev/tty
-or equivalent for their interaction.
-Default is none.
-.TP
-.B virtual_private
-defines private networks using a wildcard notation.
-.PP
-The following
-.B config section
-parameters are used by the IKEv2 Charon daemon only:
-.TP
-.B charondebug
-how much Charon debugging output should be logged.
-A comma separated list containing type level/pairs may
-be specified, e.g:
-.B dmn 3, ike 1, net -1.
-Acceptable values for types are
-.B dmn, mgr, ike, chd, job, cfg, knl, net, enc, lib
-and the level is one of
-.B -1, 0, 1, 2, 3, 4
-(for silent, audit, control, controlmore, raw, private).
-.PP
-The following
-.B config section
-parameters only make sense if the KLIPS IPsec stack
-is used instead of the default NETKEY stack of the Linux 2.6 kernel:
-.TP
-.B fragicmp
-whether a tunnel's need to fragment a packet should be reported
-back with an ICMP message,
-in an attempt to make the sender lower his PMTU estimate;
-acceptable values are
-.B yes
-(the default)
-and
-.BR no .
-.TP
-.B hidetos
-whether a tunnel packet's TOS field should be set to
-.B 0
-rather than copied from the user packet inside;
-acceptable values are
-.B yes
-(the default)
-and
-.BR no
-.TP
-.B interfaces
-virtual and physical interfaces for IPsec to use:
-a single
-\fIvirtual\fB=\fIphysical\fR pair, a (quoted!) list of pairs separated
-by white space, or
-.BR %none .
-One of the pairs may be written as
-.BR %defaultroute ,
-which means: find the interface \fId\fR that the default route points to,
-and then act as if the value was ``\fBipsec0=\fId\fR''.
-.B %defaultroute
-is the default;
-.B %none
-must be used to denote no interfaces.
-.TP
-.B overridemtu
-value that the MTU of the ipsec\fIn\fR interface(s) should be set to,
-overriding IPsec's (large) default.
-.SH FILES
-.nf
-/etc/ipsec.conf
-/etc/ipsec.d/aacerts
-/etc/ipsec.d/acerts
-/etc/ipsec.d/cacerts
-/etc/ipsec.d/certs
-/etc/ipsec.d/crls
-
-.SH SEE ALSO
-ipsec(8), pluto(8), starter(8)
-.SH HISTORY
-Originally written for the FreeS/WAN project by Henry Spencer.
-Updated and extended for the strongSwan project <http://www.strongswan.org> by
-Tobias Brunner, Andreas Steffen and Martin Willi.
-.SH BUGS
-.PP
-If conns are to be added before DNS is available, \fBleft=\fP\fIFQDN\fP
-will fail.
diff --git a/src/starter/keywords.c b/src/starter/keywords.c
index 1d7cae00b..0c24c7dcf 100644
--- a/src/starter/keywords.c
+++ b/src/starter/keywords.c
@@ -1,6 +1,6 @@
 /* C code produced by gperf version 3.0.3 */
 /* Command-line: /usr/bin/gperf -m 10 -C -G -D -t  */
-/* Computed positions: -k'1-2,6,$' */
+/* Computed positions: -k'2-3,6,$' */
 
 #if !((' ' == 32) && ('!' == 33) && ('"' == 34) && ('#' == 35) \
       && ('%' == 37) && ('&' == 38) && ('\'' == 39) && ('(' == 40) \
@@ -54,12 +54,12 @@ struct kw_entry {
     kw_token_t token;
 };
 
-#define TOTAL_KEYWORDS 126
+#define TOTAL_KEYWORDS 127
 #define MIN_WORD_LENGTH 3
 #define MAX_WORD_LENGTH 17
-#define MIN_HASH_VALUE 20
-#define MAX_HASH_VALUE 220
-/* maximum key range = 201, duplicates = 0 */
+#define MIN_HASH_VALUE 12
+#define MAX_HASH_VALUE 238
+/* maximum key range = 227, duplicates = 0 */
 
 #ifdef __GNUC__
 __inline
@@ -75,32 +75,32 @@ hash (str, len)
 {
   static const unsigned char asso_values[] =
     {
-      221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
-      221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
-      221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
-      221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
-      221, 221, 221, 221, 221, 221, 221, 221, 221,  35,
-       77, 221, 221, 221, 221, 221, 221, 221, 221, 221,
-      221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
-      221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
-      221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
-      221, 221, 221, 221, 221,   8, 221,  31, 221,  20,
-       28,   5,  75,  26,  88,   5, 221,  97,   5,  50,
-       39,  67,  29, 221,   7,  13,   6,  89,  15, 221,
-        5,  24,   7, 221, 221, 221, 221, 221, 221, 221,
-      221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
-      221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
-      221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
-      221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
-      221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
-      221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
-      221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
-      221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
-      221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
-      221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
-      221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
-      221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
-      221, 221, 221, 221, 221, 221
+      239, 239, 239, 239, 239, 239, 239, 239, 239, 239,
+      239, 239, 239, 239, 239, 239, 239, 239, 239, 239,
+      239, 239, 239, 239, 239, 239, 239, 239, 239, 239,
+      239, 239, 239, 239, 239, 239, 239, 239, 239, 239,
+      239, 239, 239, 239, 239, 239, 239, 239, 239,   2,
+      104, 239, 239, 239, 239, 239, 239, 239, 239, 239,
+      239, 239, 239, 239, 239, 239, 239, 239, 239, 239,
+      239, 239, 239, 239, 239, 239, 239, 239, 239, 239,
+      239, 239, 239, 239, 239, 239, 239, 239, 239, 239,
+      239, 239, 239, 239, 239,  15, 239,  20,  14,  58,
+       51,   1,   7,   1,  81,   1, 239, 132,  47,   4,
+        1,  49,  10,   9,  23,   1,  20,  48,   4, 239,
+      239,  35,   1, 239, 239, 239, 239, 239, 239, 239,
+      239, 239, 239, 239, 239, 239, 239, 239, 239, 239,
+      239, 239, 239, 239, 239, 239, 239, 239, 239, 239,
+      239, 239, 239, 239, 239, 239, 239, 239, 239, 239,
+      239, 239, 239, 239, 239, 239, 239, 239, 239, 239,
+      239, 239, 239, 239, 239, 239, 239, 239, 239, 239,
+      239, 239, 239, 239, 239, 239, 239, 239, 239, 239,
+      239, 239, 239, 239, 239, 239, 239, 239, 239, 239,
+      239, 239, 239, 239, 239, 239, 239, 239, 239, 239,
+      239, 239, 239, 239, 239, 239, 239, 239, 239, 239,
+      239, 239, 239, 239, 239, 239, 239, 239, 239, 239,
+      239, 239, 239, 239, 239, 239, 239, 239, 239, 239,
+      239, 239, 239, 239, 239, 239, 239, 239, 239, 239,
+      239, 239, 239, 239, 239, 239
     };
   register int hval = len;
 
@@ -112,11 +112,10 @@ hash (str, len)
       case 5:
       case 4:
       case 3:
+        hval += asso_values[(unsigned char)str[2]];
+      /*FALLTHROUGH*/
       case 2:
         hval += asso_values[(unsigned char)str[1]];
-      /*FALLTHROUGH*/
-      case 1:
-        hval += asso_values[(unsigned char)str[0]];
         break;
     }
   return hval + asso_values[(unsigned char)str[len - 1]];
@@ -124,159 +123,161 @@ hash (str, len)
 
 static const struct kw_entry wordlist[] =
   {
-    {"left",              KW_LEFT},
-    {"right",             KW_RIGHT},
+    {"pfs",               KW_PFS},
+    {"uniqueids",         KW_UNIQUEIDS},
+    {"rightgroups",       KW_RIGHTGROUPS},
     {"lifetime",          KW_KEYLIFE},
+    {"rightsubnetwithin", KW_RIGHTSUBNETWITHIN},
+    {"rightnatip",        KW_RIGHTNATIP},
+    {"esp",               KW_ESP},
+    {"rightnexthop",      KW_RIGHTNEXTHOP},
+    {"rightsourceip",     KW_RIGHTSOURCEIP},
+    {"right",             KW_RIGHT},
+    {"leftupdown",        KW_LEFTUPDOWN},
+    {"leftnexthop",       KW_LEFTNEXTHOP},
+    {"left",              KW_LEFT},
+    {"keep_alive",        KW_KEEP_ALIVE},
+    {"rightsubnet",       KW_RIGHTSUBNET},
+    {"rightikeport",      KW_RIGHTIKEPORT},
+    {"rightsendcert",     KW_RIGHTSENDCERT},
     {"leftcert",          KW_LEFTCERT,},
-    {"leftfirewall",      KW_LEFTFIREWALL},
+    {"interfaces",        KW_INTERFACES},
+    {"lifepackets",       KW_LIFEPACKETS},
     {"leftsendcert",      KW_LEFTSENDCERT},
-    {"rightikeport",      KW_RIGHTIKEPORT},
-    {"leftprotoport",     KW_LEFTPROTOPORT},
-    {"type",              KW_TYPE},
     {"leftgroups",        KW_LEFTGROUPS},
-    {"rekey",             KW_REKEY},
-    {"rightsubnet",       KW_RIGHTSUBNET},
-    {"crluri",            KW_CRLURI},
-    {"rightsendcert",     KW_RIGHTSENDCERT},
-    {"reqid",             KW_REQID},
-    {"rightcert",         KW_RIGHTCERT},
-    {"certuribase",       KW_CERTURIBASE},
-    {"esp",               KW_ESP},
-    {"leftallowany",      KW_LEFTALLOWANY},
-    {"rightid",           KW_RIGHTID},
-    {"crlcheckinterval",  KW_CRLCHECKINTERVAL},
-    {"leftnexthop",       KW_LEFTNEXTHOP},
+    {"eap",               KW_EAP},
+    {"rightprotoport",    KW_RIGHTPROTOPORT},
+    {"leftnatip",         KW_LEFTNATIP},
+    {"keyingtries",       KW_KEYINGTRIES},
+    {"type",              KW_TYPE},
+    {"keylife",           KW_KEYLIFE},
+    {"mark_in",           KW_MARK_IN},
     {"lifebytes",         KW_LIFEBYTES},
-    {"rightrsasigkey",    KW_RIGHTRSASIGKEY},
+    {"leftca",            KW_LEFTCA},
+    {"margintime",        KW_REKEYMARGIN},
+    {"marginbytes",       KW_MARGINBYTES},
     {"leftrsasigkey",     KW_LEFTRSASIGKEY},
-    {"rightprotoport",    KW_RIGHTPROTOPORT},
-    {"rightgroups",       KW_RIGHTGROUPS},
-    {"plutostart",        KW_PLUTOSTART},
-    {"strictcrlpolicy",   KW_STRICTCRLPOLICY},
-    {"lifepackets",       KW_LIFEPACKETS},
-    {"rightsourceip",     KW_RIGHTSOURCEIP},
-    {"eap",               KW_EAP},
-    {"cacert",            KW_CACERT},
-    {"rightca",           KW_RIGHTCA},
+    {"marginpackets",     KW_MARGINPACKETS},
+    {"certuribase",       KW_CERTURIBASE},
     {"virtual_private",   KW_VIRTUAL_PRIVATE},
-    {"leftid",            KW_LEFTID},
-    {"crluri1",           KW_CRLURI},
-    {"ldapbase",          KW_LDAPBASE},
-    {"leftca",            KW_LEFTCA},
-    {"leftnatip",         KW_LEFTNATIP},
-    {"rightallowany",     KW_RIGHTALLOWANY},
-    {"rightsubnetwithin", KW_RIGHTSUBNETWITHIN},
-    {"xauth_identity",    KW_XAUTH_IDENTITY},
+    {"rightid",           KW_RIGHTID},
+    {"rightupdown",       KW_RIGHTUPDOWN},
+    {"compress",          KW_COMPRESS},
+    {"leftprotoport",     KW_LEFTPROTOPORT},
+    {"overridemtu",       KW_OVERRIDEMTU},
+    {"reqid",             KW_REQID},
     {"inactivity",        KW_INACTIVITY},
-    {"packetdefault",     KW_PACKETDEFAULT},
-    {"installpolicy",     KW_INSTALLPOLICY},
-    {"plutostderrlog",    KW_PLUTOSTDERRLOG},
-    {"leftupdown",        KW_LEFTUPDOWN},
-    {"rightnatip",        KW_RIGHTNATIP},
-    {"rightnexthop",      KW_RIGHTNEXTHOP},
-    {"cachecrls",         KW_CACHECRLS},
-    {"dpddelay",          KW_DPDDELAY},
-    {"nat_traversal",     KW_NAT_TRAVERSAL},
-    {"mediated_by",       KW_MEDIATED_BY},
-    {"me_peerid",         KW_ME_PEERID},
-    {"plutodebug",        KW_PLUTODEBUG},
-    {"eap_identity",      KW_EAP_IDENTITY},
-    {"leftcert2",         KW_LEFTCERT2,},
-    {"rightid2",          KW_RIGHTID2},
-    {"rekeyfuzz",         KW_REKEYFUZZ},
-    {"lefthostaccess",    KW_LEFTHOSTACCESS},
+    {"leftfirewall",      KW_LEFTFIREWALL},
     {"rightfirewall",     KW_RIGHTFIREWALL},
-    {"ocspuri",           KW_OCSPURI},
-    {"also",              KW_ALSO},
+    {"rightallowany",     KW_RIGHTALLOWANY},
+    {"mobike",	           KW_MOBIKE},
+    {"lefthostaccess",    KW_LEFTHOSTACCESS},
+    {"leftsubnetwithin",  KW_LEFTSUBNETWITHIN},
+    {"rightrsasigkey",    KW_RIGHTRSASIGKEY},
+    {"pfsgroup",          KW_PFSGROUP},
+    {"me_peerid",         KW_ME_PEERID},
+    {"crluri",            KW_CRLURI},
+    {"leftsourceip",      KW_LEFTSOURCEIP},
+    {"crluri1",           KW_CRLURI},
     {"mediation",         KW_MEDIATION},
-    {"ike",               KW_IKE},
-    {"dpdaction",         KW_DPDACTION},
-    {"rekeymargin",       KW_REKEYMARGIN},
-    {"compress",          KW_COMPRESS},
-    {"ldaphost",          KW_LDAPHOST},
+    {"dumpdir",           KW_DUMPDIR},
+    {"forceencaps",       KW_FORCEENCAPS},
     {"leftsubnet",        KW_LEFTSUBNET},
-    {"crluri2",           KW_CRLURI2},
-    {"rightca2",          KW_RIGHTCA2},
-    {"leftsourceip",      KW_LEFTSOURCEIP},
-    {"rightcert2",        KW_RIGHTCERT2},
-    {"pfs",               KW_PFS},
-    {"leftid2",           KW_LEFTID2},
+    {"rightca",           KW_RIGHTCA},
+    {"rightcert",         KW_RIGHTCERT},
+    {"ocspuri",           KW_OCSPURI},
+    {"dpdaction",         KW_DPDACTION},
+    {"ocspuri1",          KW_OCSPURI},
     {"dpdtimeout",        KW_DPDTIMEOUT},
-    {"leftikeport",       KW_LEFTIKEPORT},
-    {"leftca2",           KW_LEFTCA2},
+    {"installpolicy",     KW_INSTALLPOLICY},
     {"righthostaccess",   KW_RIGHTHOSTACCESS},
-    {"xauth",             KW_XAUTH},
-    {"rightauth2",        KW_RIGHTAUTH2},
-    {"mark_in",           KW_MARK_IN},
-    {"mobike",	           KW_MOBIKE},
-    {"margintime",        KW_REKEYMARGIN},
-    {"dumpdir",           KW_DUMPDIR},
-    {"ocspuri1",          KW_OCSPURI},
+    {"ldapbase",          KW_LDAPBASE},
+    {"also",              KW_ALSO},
+    {"leftallowany",      KW_LEFTALLOWANY},
+    {"force_keepalive",   KW_FORCE_KEEPALIVE},
     {"keyexchange",       KW_KEYEXCHANGE},
-    {"fragicmp",          KW_FRAGICMP},
+    {"hidetos",           KW_HIDETOS},
+    {"klipsdebug",        KW_KLIPSDEBUG},
+    {"plutostderrlog",    KW_PLUTOSTDERRLOG},
     {"rightauth",         KW_RIGHTAUTH},
-    {"interfaces",        KW_INTERFACES},
-    {"marginbytes",       KW_MARGINBYTES},
-    {"marginpackets",     KW_MARGINPACKETS},
-    {"nocrsend",          KW_NOCRSEND},
-    {"keep_alive",        KW_KEEP_ALIVE},
-    {"rightupdown",       KW_RIGHTUPDOWN},
-    {"keyingtries",       KW_KEYINGTRIES},
-    {"leftsubnetwithin",  KW_LEFTSUBNETWITHIN},
-    {"uniqueids",         KW_UNIQUEIDS},
+    {"strictcrlpolicy",   KW_STRICTCRLPOLICY},
+    {"charondebug",       KW_CHARONDEBUG},
+    {"rightid2",          KW_RIGHTID2},
+    {"leftid",            KW_LEFTID},
+    {"mediated_by",       KW_MEDIATED_BY},
+    {"fragicmp",          KW_FRAGICMP},
     {"mark_out",          KW_MARK_OUT},
+    {"auto",              KW_AUTO},
+    {"leftcert2",         KW_LEFTCERT2,},
+    {"nat_traversal",     KW_NAT_TRAVERSAL},
+    {"cacert",            KW_CACERT},
+    {"plutostart",        KW_PLUTOSTART},
+    {"eap_identity",      KW_EAP_IDENTITY},
+    {"prepluto",          KW_PREPLUTO},
+    {"packetdefault",     KW_PACKETDEFAULT},
+    {"xauth_identity",    KW_XAUTH_IDENTITY},
     {"charonstart",       KW_CHARONSTART},
-    {"klipsdebug",        KW_KLIPSDEBUG},
-    {"force_keepalive",   KW_FORCE_KEEPALIVE},
-    {"forceencaps",       KW_FORCEENCAPS},
+    {"crlcheckinterval",  KW_CRLCHECKINTERVAL},
+    {"rightauth2",        KW_RIGHTAUTH2},
+    {"ike",               KW_IKE},
+    {"aaa_identity",      KW_AAA_IDENTITY},
+    {"leftca2",           KW_LEFTCA2},
     {"authby",            KW_AUTHBY},
+    {"leftauth",          KW_LEFTAUTH},
+    {"cachecrls",         KW_CACHECRLS},
+    {"ldaphost",          KW_LDAPHOST},
+    {"rekeymargin",       KW_REKEYMARGIN},
+    {"rekeyfuzz",         KW_REKEYFUZZ},
+    {"dpddelay",          KW_DPDDELAY},
+    {"ikelifetime",       KW_IKELIFETIME},
+    {"auth",              KW_AUTH},
+    {"xauth",             KW_XAUTH},
     {"postpluto",         KW_POSTPLUTO},
-    {"pkcs11module",      KW_PKCS11MODULE},
-    {"ocspuri2",          KW_OCSPURI2},
-    {"hidetos",           KW_HIDETOS},
-    {"pkcs11keepstate",   KW_PKCS11KEEPSTATE},
-    {"mark",              KW_MARK},
-    {"charondebug",       KW_CHARONDEBUG},
+    {"plutodebug",        KW_PLUTODEBUG},
+    {"modeconfig",        KW_MODECONFIG},
+    {"nocrsend",          KW_NOCRSEND},
     {"leftauth2",         KW_LEFTAUTH2},
-    {"overridemtu",       KW_OVERRIDEMTU},
-    {"pkcs11initargs",    KW_PKCS11INITARGS},
-    {"keylife",           KW_KEYLIFE},
-    {"auto",              KW_AUTO},
-    {"ikelifetime",       KW_IKELIFETIME},
+    {"leftid2",           KW_LEFTID2},
+    {"leftikeport",       KW_LEFTIKEPORT},
+    {"rightca2",          KW_RIGHTCA2},
+    {"rekey",             KW_REKEY},
+    {"rightcert2",        KW_RIGHTCERT2},
+    {"mark",              KW_MARK},
+    {"crluri2",           KW_CRLURI2},
     {"reauth",            KW_REAUTH},
-    {"leftauth",          KW_LEFTAUTH},
-    {"pkcs11proxy",       KW_PKCS11PROXY},
-    {"prepluto",          KW_PREPLUTO},
-    {"pfsgroup",          KW_PFSGROUP},
-    {"auth",              KW_AUTH},
-    {"modeconfig",        KW_MODECONFIG}
+    {"ocspuri2",          KW_OCSPURI2},
+    {"pkcs11module",      KW_PKCS11MODULE},
+    {"pkcs11initargs",    KW_PKCS11INITARGS},
+    {"pkcs11keepstate",   KW_PKCS11KEEPSTATE},
+    {"pkcs11proxy",       KW_PKCS11PROXY}
   };
 
 static const short lookup[] =
   {
+     -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,
+     -1,  -1,   0,   1,  -1,   2,  -1,  -1,   3,  -1,
+     -1,   4,  -1,   5,   6,   7,   8,   9,  -1,  10,
+     11,  -1,  12,  13,  14,  15,  16,  17,  -1,  18,
+     19,  20,  21,  22,  -1,  -1,  23,  24,  -1,  25,
+     26,  27,  28,  29,  30,  31,  32,  33,  34,  35,
+     36,  37,  38,  39,  40,  41,  42,  43,  44,  45,
+     46,  47,  48,  49,  50,  51,  -1,  52,  53,  54,
+     55,  -1,  56,  57,  -1,  58,  59,  60,  -1,  61,
+     62,  63,  64,  -1,  -1,  65,  -1,  66,  -1,  67,
+     68,  69,  70,  71,  -1,  -1,  72,  -1,  -1,  73,
+     74,  75,  76,  77,  78,  79,  80,  -1,  81,  82,
+     83,  84,  85,  86,  87,  -1,  88,  -1,  89,  90,
+     -1,  91,  92,  93,  94,  -1,  95,  96,  97,  98,
+     -1,  -1,  -1,  -1,  99, 100, 101,  -1, 102, 103,
+    104, 105, 106, 107, 108, 109,  -1, 110,  -1,  -1,
+    111,  -1,  -1,  -1,  -1,  -1,  -1, 112,  -1, 113,
+    114, 115, 116, 117, 118,  -1,  -1,  -1,  -1, 119,
+     -1,  -1, 120,  -1,  -1,  -1,  -1,  -1,  -1, 121,
+     -1,  -1,  -1,  -1, 122,  -1,  -1,  -1,  -1,  -1,
+     -1,  -1,  -1,  -1,  -1, 123,  -1, 124, 125,  -1,
      -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,
      -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,
-      0,  -1,  -1,   1,  -1,  -1,  -1,  -1,   2,   3,
-     -1,  -1,   4,   5,  -1,   6,   7,  -1,  -1,   8,
-      9,  10,  11,  12,  13,  14,  -1,  15,  16,  -1,
-     17,  18,  19,  20,  -1,  21,  22,  23,  -1,  -1,
-     24,  25,  26,  27,  28,  29,  -1,  30,  31,  32,
-     33,  34,  35,  -1,  36,  -1,  -1,  37,  38,  39,
-     40,  41,  42,  43,  -1,  44,  45,  46,  47,  -1,
-     48,  -1,  49,  50,  51,  52,  53,  54,  55,  -1,
-     56,  57,  58,  59,  60,  61,  62,  63,  -1,  64,
-     65,  66,  67,  68,  69,  70,  71,  72,  73,  74,
-     75,  -1,  76,  77,  78,  79,  -1,  -1,  80,  81,
-     82,  -1,  83,  84,  -1,  85,  86,  87,  88,  89,
-     90,  -1,  91,  -1,  92,  -1,  93,  94,  95,  -1,
-     -1,  96,  97,  -1,  98,  99,  -1,  -1,  -1,  -1,
-     -1,  -1, 100,  -1, 101,  -1, 102,  -1,  -1,  -1,
-    103, 104,  -1,  -1, 105,  -1,  -1, 106, 107, 108,
-    109, 110, 111,  -1, 112, 113,  -1, 114, 115, 116,
-     -1, 117,  -1, 118, 119, 120, 121,  -1,  -1,  -1,
-    122,  -1,  -1,  -1,  -1,  -1,  -1,  -1, 123,  -1,
-     -1,  -1, 124,  -1,  -1,  -1,  -1,  -1,  -1,  -1,
-    125
+     -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1, 126
   };
 
 #ifdef __GNUC__
diff --git a/src/starter/keywords.h b/src/starter/keywords.h
index 25d2ce4b9..1dae65a99 100644
--- a/src/starter/keywords.h
+++ b/src/starter/keywords.h
@@ -71,6 +71,7 @@ typedef enum {
 	KW_AUTHBY,
 	KW_EAP,
 	KW_EAP_IDENTITY,
+	KW_AAA_IDENTITY,
 	KW_MOBIKE,
 	KW_FORCEENCAPS,
 	KW_IKELIFETIME,
@@ -122,8 +123,8 @@ typedef enum {
 
    /* end keywords */
 	KW_HOST,
-	KW_NEXTHOP,
 	KW_IKEPORT,
+	KW_NEXTHOP,
 	KW_SUBNET,
 	KW_SUBNETWITHIN,
 	KW_PROTOPORT,
diff --git a/src/starter/keywords.txt b/src/starter/keywords.txt
index fcdc60cff..06705635a 100644
--- a/src/starter/keywords.txt
+++ b/src/starter/keywords.txt
@@ -49,6 +49,7 @@ force_keepalive,   KW_FORCE_KEEPALIVE
 virtual_private,   KW_VIRTUAL_PRIVATE
 eap,               KW_EAP
 eap_identity,      KW_EAP_IDENTITY
+aaa_identity,      KW_AAA_IDENTITY
 mobike,	           KW_MOBIKE
 forceencaps,       KW_FORCEENCAPS
 pkcs11module,      KW_PKCS11MODULE
diff --git a/src/starter/starterstroke.c b/src/starter/starterstroke.c
index 9c69ab9e5..9ba569d47 100644
--- a/src/starter/starterstroke.c
+++ b/src/starter/starterstroke.c
@@ -39,15 +39,6 @@
 #define IPV4_LEN	 4
 #define IPV6_LEN	16
 
-/**
- * Mode of an IPsec SA, must be the same as in charons kernel_ipsec.h
- */
-enum ipsec_mode_t {
-	MODE_TRANSPORT = 1,
-	MODE_TUNNEL,
-	MODE_BEET
-};
-
 /**
  * Authentication methods, must be the same as in charons authenticator.h
  */
@@ -204,7 +195,7 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
 	memset(&msg, 0, sizeof(msg));
 	msg.type = STR_ADD_CONN;
 	msg.length = offsetof(stroke_msg_t, buffer);
-	msg.add_conn.ikev2 = conn->keyexchange == KEY_EXCHANGE_IKEV2;
+	msg.add_conn.ikev2 = conn->keyexchange != KEY_EXCHANGE_IKEV1;
 	msg.add_conn.name = push_string(&msg, connection_name(conn));
 
 	/* PUBKEY is preferred to PSK and EAP */
@@ -223,6 +214,7 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
 	msg.add_conn.eap_type = conn->eap_type;
 	msg.add_conn.eap_vendor = conn->eap_vendor;
 	msg.add_conn.eap_identity = push_string(&msg, conn->eap_identity);
+	msg.add_conn.aaa_identity = push_string(&msg, conn->aaa_identity);
 
 	if (conn->policy & POLICY_TUNNEL)
 	{
diff --git a/src/starter/starterwhack.c b/src/starter/starterwhack.c
index 58034d96b..b7d916eae 100644
--- a/src/starter/starterwhack.c
+++ b/src/starter/starterwhack.c
@@ -277,7 +277,7 @@ int starter_whack_add_conn(starter_conn_t *conn)
 	msg.whack_connection = TRUE;
 	msg.name = connection_name(conn, name, sizeof(name));
 
-	msg.ikev1                 = conn->keyexchange != KEY_EXCHANGE_IKEV2;
+	msg.ikev1                 = conn->keyexchange == KEY_EXCHANGE_IKEV1;
 	msg.addr_family           = conn->addr_family;
 	msg.tunnel_addr_family    = conn->tunnel_addr_family;
 	msg.sa_ike_life_seconds   = conn->sa_ike_life_seconds;
diff --git a/src/stroke/Makefile.in b/src/stroke/Makefile.in
index c7f264730..c490be114 100644
--- a/src/stroke/Makefile.in
+++ b/src/stroke/Makefile.in
@@ -45,6 +45,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -142,6 +143,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -173,14 +176,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -195,24 +201,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -220,7 +233,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/stroke/stroke.c b/src/stroke/stroke.c
index 4fa0f76a8..103617f08 100644
--- a/src/stroke/stroke.c
+++ b/src/stroke/stroke.c
@@ -56,9 +56,8 @@ static char* push_string(stroke_msg_t *msg, char *string)
 static int send_stroke_msg (stroke_msg_t *msg)
 {
 	struct sockaddr_un ctl_addr;
-	int sock;
-	char buffer[512];
-	int byte_count;
+	int sock, byte_count;
+	char buffer[512], *pass;
 
 	ctl_addr.sun_family = AF_UNIX;
 	strcpy(ctl_addr.sun_path, STROKE_SOCKET);
@@ -90,17 +89,30 @@ static int send_stroke_msg (stroke_msg_t *msg)
 	while ((byte_count = read(sock, buffer, sizeof(buffer)-1)) > 0)
 	{
 		buffer[byte_count] = '\0';
-		printf("%s", buffer);
 
-		/* we prompt if we receive the "Passphrase:" magic keyword */
-		if (byte_count >= 12 &&
-			strcmp(buffer + byte_count - 12, "Passphrase:\n") == 0)
+		/* we prompt if we receive the "Passphrase:"/"PIN:" magic keyword */
+		if ((byte_count >= 12 &&
+			 strcmp(buffer + byte_count - 12, "Passphrase:\n") == 0) ||
+			(byte_count >= 5 &&
+			 strcmp(buffer + byte_count - 5, "PIN:\n") == 0))
 		{
-			if (fgets(buffer, sizeof(buffer), stdin))
+			/* remove trailing newline */
+			pass = strrchr(buffer, '\n');
+			if (pass)
 			{
-				ignore_result(write(sock, buffer, strlen(buffer)));
+				*pass = ' ';
+			}
+			pass = getpass(buffer);
+			if (pass)
+			{
+				ignore_result(write(sock, pass, strlen(pass)));
+				ignore_result(write(sock, "\n", 1));
 			}
 		}
+		else
+		{
+			printf("%s", buffer);
+		}
 	}
 	if (byte_count < 0)
 	{
@@ -276,9 +288,23 @@ static int purge(stroke_keyword_t kw)
 	return send_stroke_msg(&msg);
 }
 
-static int leases(stroke_keyword_t kw, char *pool, char *address)
+static int export_flags[] = {
+	EXPORT_X509,
+};
+
+static int export(stroke_keyword_t kw, char *selector)
 {
+	stroke_msg_t msg;
 
+	msg.type = STR_EXPORT;
+	msg.length = offsetof(stroke_msg_t, buffer);
+	msg.export.selector = push_string(&msg, selector);
+	msg.export.flags = export_flags[kw - STROKE_EXPORT_FIRST];
+	return send_stroke_msg(&msg);
+}
+
+static int leases(stroke_keyword_t kw, char *pool, char *address)
+{
 	stroke_msg_t msg;
 
 	msg.type = STR_LEASES;
@@ -349,6 +375,8 @@ static void exit_usage(char *error)
 	printf("    stroke purgeocsp\n");
 	printf("  Purge IKE_SAs without a CHILD_SA:\n");
 	printf("    stroke purgeike\n");
+	printf("  Export credentials to the console:\n");
+	printf("    stroke exportx509 DN\n");
 	printf("  Show leases of a pool:\n");
 	printf("    stroke leases [POOL [ADDRESS]]\n");
 	exit_error(error);
@@ -466,6 +494,13 @@ int main(int argc, char *argv[])
 		case STROKE_PURGE_IKE:
 			res = purge(token->kw);
 			break;
+		case STROKE_EXPORT_X509:
+			if (argc != 3)
+			{
+				exit_usage("\"exportx509\" needs a distinguished name");
+			}
+			res = export(token->kw, argv[2]);
+			break;
 		case STROKE_LEASES:
 			res = leases(token->kw, argc > 2 ? argv[2] : NULL,
 						 argc > 3 ? argv[3] : NULL);
diff --git a/src/stroke/stroke_keywords.c b/src/stroke/stroke_keywords.c
index bb9705743..c2d79176e 100644
--- a/src/stroke/stroke_keywords.c
+++ b/src/stroke/stroke_keywords.c
@@ -54,7 +54,7 @@ struct stroke_token {
     stroke_keyword_t kw;
 };
 
-#define TOTAL_KEYWORDS 33
+#define TOTAL_KEYWORDS 34
 #define MIN_WORD_LENGTH 2
 #define MAX_WORD_LENGTH 15
 #define MIN_HASH_VALUE 3
@@ -79,15 +79,15 @@ hash (str, len)
       40, 40, 40, 40, 40, 40, 40, 40, 40, 40,
       40, 40, 40, 40, 40, 40, 40, 40, 40, 40,
       40, 40, 40, 40, 40, 40, 40, 40, 40, 40,
-      40, 40, 40, 40, 40, 17, 40, 40, 40, 40,
+      40, 40, 40, 40, 40, 18, 40, 40, 40, 40,
       40, 40, 40, 40, 40, 40, 40, 40, 40, 40,
       40, 40, 40, 40, 40, 40, 40, 40, 40, 40,
       40, 40, 40, 40, 40, 40, 40, 40, 40, 40,
       40, 40, 40, 40, 40, 40, 40, 40, 40, 40,
       40, 40, 40, 40, 40, 40, 40,  0,  4,  1,
-       1,  0, 40, 17, 40, 18, 40,  4,  0, 40,
-      40, 12, 17, 40,  6,  3, 19, 12, 40, 40,
-      40, 40, 40, 40, 40, 40, 40, 40, 40, 40,
+       1,  0, 40, 17, 40, 20, 40,  3,  0, 40,
+      40, 12, 19, 40,  6,  3, 20, 12, 40, 40,
+      10, 40, 40, 40, 40, 40, 40, 40, 40, 40,
       40, 40, 40, 40, 40, 40, 40, 40, 40, 40,
       40, 40, 40, 40, 40, 40, 40, 40, 40, 40,
       40, 40, 40, 40, 40, 40, 40, 40, 40, 40,
@@ -148,14 +148,15 @@ static const struct stroke_token wordlist[] =
     {"listocsp",        STROKE_LIST_OCSP},
     {"statusall",       STROKE_STATUSALL},
     {"listalgs",        STROKE_LIST_ALGS},
+    {"exportx509",      STROKE_EXPORT_X509},
     {"delete",          STROKE_DELETE},
-    {"purgeocsp",       STROKE_PURGE_OCSP},
     {"listocspcerts",   STROKE_LIST_OCSPCERTS},
+    {"purgeocsp",       STROKE_PURGE_OCSP},
     {"purgeike",        STROKE_PURGE_IKE},
-    {"listcainfos",     STROKE_LIST_CAINFOS},
     {"unroute",         STROKE_UNROUTE},
-    {"listpubkeys",     STROKE_LIST_PUBKEYS},
+    {"listcainfos",     STROKE_LIST_CAINFOS},
     {"rereadocspcerts", STROKE_REREAD_OCSPCERTS},
+    {"listpubkeys",     STROKE_LIST_PUBKEYS},
     {"down-srcip",      STROKE_DOWN_SRCIP},
     {"listgroups",      STROKE_LIST_GROUPS}
   };
@@ -164,7 +165,7 @@ static const short lookup[] =
   {
     -1, -1, -1,  0,  1,  2,  3,  4,  5,  6,  7,  8,  9, 10,
     11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24,
-    25, 26, 27, 28, 29, 30, 31, -1, -1, -1, -1, 32
+    25, 26, 27, 28, 29, 30, 31, 32, -1, -1, -1, 33
   };
 
 #ifdef __GNUC__
diff --git a/src/stroke/stroke_keywords.h b/src/stroke/stroke_keywords.h
index 6332000db..4a3826536 100644
--- a/src/stroke/stroke_keywords.h
+++ b/src/stroke/stroke_keywords.h
@@ -49,12 +49,14 @@ typedef enum {
 	STROKE_REREAD_ALL,
 	STROKE_PURGE_OCSP,
 	STROKE_PURGE_IKE,
-	STROKE_LEASES
+	STROKE_EXPORT_X509,
+	STROKE_LEASES,
 } stroke_keyword_t;
 
 #define STROKE_LIST_FIRST		STROKE_LIST_PUBKEYS
 #define STROKE_REREAD_FIRST		STROKE_REREAD_SECRETS
 #define STROKE_PURGE_FIRST		STROKE_PURGE_OCSP
+#define STROKE_EXPORT_FIRST		STROKE_EXPORT_X509
 
 typedef struct stroke_token stroke_token_t;
 
diff --git a/src/stroke/stroke_keywords.txt b/src/stroke/stroke_keywords.txt
index 96fa0bf3a..0b8092985 100644
--- a/src/stroke/stroke_keywords.txt
+++ b/src/stroke/stroke_keywords.txt
@@ -56,4 +56,5 @@ rereadcrls,      STROKE_REREAD_CRLS
 rereadall,       STROKE_REREAD_ALL
 purgeocsp,       STROKE_PURGE_OCSP
 purgeike,        STROKE_PURGE_IKE
+exportx509,      STROKE_EXPORT_X509
 leases,          STROKE_LEASES
diff --git a/src/stroke/stroke_msg.h b/src/stroke/stroke_msg.h
index a36cc9038..9466cf0b0 100644
--- a/src/stroke/stroke_msg.h
+++ b/src/stroke/stroke_msg.h
@@ -109,6 +109,16 @@ enum purge_flag_t {
 	PURGE_IKE =			0x0002,
 };
 
+typedef enum export_flag_t export_flag_t;
+
+/**
+ * Definition of the export flags
+ */
+enum export_flag_t {
+	/** export an X509 certificate */
+	EXPORT_X509 =		0x0001,
+};
+
 /**
  * CRL certificate validation policy
  */
@@ -193,6 +203,8 @@ struct stroke_msg_t {
 		STR_PURGE,
 		/* show pool leases */
 		STR_LEASES,
+		/* export credentials */
+		STR_EXPORT,
 		/* more to come */
 	} type;
 
@@ -220,6 +232,7 @@ struct stroke_msg_t {
 			u_int32_t eap_type;
 			u_int32_t eap_vendor;
 			char *eap_identity;
+			char *aaa_identity;
 			int mode;
 			int mobike;
 			int force_encap;
@@ -301,6 +314,12 @@ struct stroke_msg_t {
 			purge_flag_t flags;
 		} purge;
 
+		/* data for STR_EXPORT */
+		struct {
+			export_flag_t flags;
+			char *selector;
+		} export;
+
 		/* data for STR_LEASES */
 		struct {
 			char *pool;
diff --git a/src/whack/Makefile.am b/src/whack/Makefile.am
index 27f856231..316a83312 100644
--- a/src/whack/Makefile.am
+++ b/src/whack/Makefile.am
@@ -5,6 +5,7 @@ whack_SOURCES = whack.c whack.h
 INCLUDES = \
 -I$(top_srcdir)/src/libstrongswan \
 -I$(top_srcdir)/src/libfreeswan \
+-I$(top_srcdir)/src/libhydra \
 -I$(top_srcdir)/src/pluto
 
 whack_LDADD = \
diff --git a/src/whack/Makefile.in b/src/whack/Makefile.in
index d163f2b58..270e8fe50 100644
--- a/src/whack/Makefile.in
+++ b/src/whack/Makefile.in
@@ -45,6 +45,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -141,6 +142,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -172,14 +175,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -194,24 +200,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -219,7 +232,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
@@ -235,6 +251,7 @@ whack_SOURCES = whack.c whack.h
 INCLUDES = \
 -I$(top_srcdir)/src/libstrongswan \
 -I$(top_srcdir)/src/libfreeswan \
+-I$(top_srcdir)/src/libhydra \
 -I$(top_srcdir)/src/pluto
 
 whack_LDADD = \
diff --git a/src/whack/whack.c b/src/whack/whack.c
index 643e4be04..c5fe3b458 100644
--- a/src/whack/whack.c
+++ b/src/whack/whack.c
@@ -471,7 +471,7 @@ enum {
 	DBGOPT_EMITTING,    /* same order as DBG_* */
 	DBGOPT_CONTROL,     /* same order as DBG_* */
 	DBGOPT_LIFECYCLE,   /* same order as DBG_* */
-	DBGOPT_KLIPS,       /* same order as DBG_* */
+	DBGOPT_KERNEL,      /* same order as DBG_* */
 	DBGOPT_DNS,         /* same order as DBG_* */
 	DBGOPT_NATT,        /* same order as DBG_* */
 	DBGOPT_OPPO,        /* same order as DBG_* */
@@ -659,7 +659,8 @@ static const struct option long_opts[] = {
 	{ "debug-emitting", no_argument, NULL, DBGOPT_EMITTING + OO },
 	{ "debug-control", no_argument, NULL, DBGOPT_CONTROL + OO },
 	{ "debug-lifecycle", no_argument, NULL, DBGOPT_LIFECYCLE + OO },
-	{ "debug-klips", no_argument, NULL, DBGOPT_KLIPS + OO },
+	{ "debug-klips", no_argument, NULL, DBGOPT_KERNEL + OO },
+	{ "debug-kernel", no_argument, NULL, DBGOPT_KERNEL + OO },
 	{ "debug-dns", no_argument, NULL, DBGOPT_DNS + OO },
 	{ "debug-natt", no_argument, NULL, DBGOPT_NATT + OO },
 	{ "debug-oppo", no_argument, NULL, DBGOPT_OPPO + OO },
@@ -1595,7 +1596,7 @@ int main(int argc, char **argv)
 		case DBGOPT_EMITTING:   /* --debug-emitting */
 		case DBGOPT_CONTROL:    /* --debug-control */
 		case DBGOPT_LIFECYCLE:  /* --debug-lifecycle */
-		case DBGOPT_KLIPS:      /* --debug-klips */
+		case DBGOPT_KERNEL:     /* --debug-kernel, --debug-klips */
 		case DBGOPT_DNS:        /* --debug-dns */
 		case DBGOPT_NATT:       /* --debug-natt */
 		case DBGOPT_OPPO:       /* --debug-oppo */
diff --git a/testing/INSTALL b/testing/INSTALL
index 27db50013..5e42925f7 100644
--- a/testing/INSTALL
+++ b/testing/INSTALL
@@ -53,23 +53,23 @@ are required for the strongSwan testing environment:
     * A vanilla Linux kernel on which the UML kernel will be based on.
       We recommend the use of
 
-      http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.33.3.tar.bz2
+      http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.34.1.tar.bz2
 
-    * The Linux kernel 2.6.33.3 does not require any patches for the uml guest kernel
-      to successfully start up but the aes_gmac patch must be applied for
-      ESP AES-GMAC support.
+    * The Linux kernel 2.6.34.1 does not require any patches for the uml guest kernel
+      to successfully start up but the xfrm_mark patch must be applied for
+      XFRM MARK support.
 
     * The matching .config file required to compile the UML kernel:
 
-      http://download.strongswan.org/uml/.config-2.6.33
+      http://download.strongswan.org/uml/.config-2.6.34
 
     * A gentoo-based UML file system (compressed size 130 MBytes) found at
 
-      http://download.strongswan.org/uml/gentoo-fs-20090615.tar.bz2
+      http://download.strongswan.org/uml/gentoo-fs-20100703.tar.bz2
 
     * The latest strongSwan distribution
 
-      http://download.strongswan.org/strongswan-4.4.1.tar.bz2
+      http://download.strongswan.org/strongswan-4.4.2.tar.bz2
 
 
 3. Creating the environment
diff --git a/testing/Makefile.am b/testing/Makefile.am
index 130b87b43..2aa7d70bc 100644
--- a/testing/Makefile.am
+++ b/testing/Makefile.am
@@ -1,7 +1,7 @@
 noinst_SCRIPTS = do-tests
 CLEANFILES = do-tests
 EXTRA_DIST = do-tests.in make-testing start-testing stop-testing \
-             testing.conf hosts images scripts tests INSTALL README
+             testing.conf ssh_config hosts images scripts tests INSTALL README
 
 do-tests : do-tests.in
 	sed \
diff --git a/testing/Makefile.in b/testing/Makefile.in
index 010f4c81b..82b751fd2 100644
--- a/testing/Makefile.in
+++ b/testing/Makefile.in
@@ -45,6 +45,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -120,6 +121,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -151,14 +154,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -173,24 +179,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -198,7 +211,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
@@ -213,7 +229,7 @@ xml_LIBS = @xml_LIBS@
 noinst_SCRIPTS = do-tests
 CLEANFILES = do-tests
 EXTRA_DIST = do-tests.in make-testing start-testing stop-testing \
-             testing.conf hosts images scripts tests INSTALL README
+             testing.conf ssh_config hosts images scripts tests INSTALL README
 
 all: all-am
 
diff --git a/testing/do-tests.in b/testing/do-tests.in
index 2a869515d..2e67e9367 100755
--- a/testing/do-tests.in
+++ b/testing/do-tests.in
@@ -100,6 +100,16 @@ do
 done
 
 
+##############################################################################
+# open ssh sessions
+#
+for host in $STRONGSWANHOSTS
+do
+    ssh $SSHCONF -N root@`eval echo \\\$ipv4_$host` &
+    eval ssh_pid_$host="`echo $!`"
+done
+
+
 ##############################################################################
 # create header for the results html file
 #
@@ -350,7 +360,7 @@ do
 		iface=`echo $host_iface | awk -F ":" '{if ($2 != "") { print $2 } else { printf("eth0") }}'`
 		tcpdump_cmd="tcpdump -i $iface not port ssh and not port domain > /tmp/tcpdump.log 2>&1 &"
 		echo "${host}# $tcpdump_cmd" >> $CONSOLE_LOG
-		ssh root@`eval echo \\\$ipv4_$host '$tcpdump_cmd'`
+		ssh $SSHCONF root@`eval echo \\\$ipv4_$host '$tcpdump_cmd'`
 		eval TDUP_${host}="true"
 	    done
 	fi
@@ -367,7 +377,7 @@ do
 	    if ($2 != "")
 	    {
 		printf("echo \"%s# %s\"; ", $1, $2)
-		printf("ssh root@\044ipv4_%s \"%s\"; ", $1, $2)
+		printf("ssh \044SSHCONF root@\044ipv4_%s \"%s\"; ", $1, $2)
 		printf("echo;\n")
 	    }
 	}' $TESTDIR/pretest.dat` >> $CONSOLE_LOG 2>&1
@@ -379,7 +389,7 @@ do
 
 	function stop_tcpdump {
 	    echo "${1}# killall tcpdump" >> $CONSOLE_LOG
-	    eval ssh root@\$ipv4_${1} killall tcpdump
+	    eval ssh $SSHCONF root@\$ipv4_${1} killall tcpdump
 	    eval TDUP_${1}="false"
 	    echo ""
 	}
@@ -405,12 +415,12 @@ do
 		{
 		    printf("if [ \044TDUP_%s == \"true\" ]; then stop_tcpdump %s; fi; \n", host, host)
 		    printf("echo \"%s# cat /tmp/tcpdump.log | grep \047%s\047  [%s]\"; ", host, pattern, hit)
-		    printf("ssh root@\044ipv4_%s cat /tmp/tcpdump.log | grep \"%s\"; ", host, pattern)
+		    printf("ssh \044SSHCONF root@\044ipv4_%s cat /tmp/tcpdump.log | grep \"%s\"; ", host, pattern)
 		}
 		else
 		{
 		    printf("echo \"%s# %s | grep \047%s\047  [%s]\"; ", host, command, pattern, hit)
-		    printf("ssh root@\044ipv4_%s %s | grep \"%s\"; ",  host, command, pattern)
+		    printf("ssh \044SSHCONF root@\044ipv4_%s %s | grep \"%s\"; ",  host, command, pattern)
 		}
 		printf("cmd_exit=\044?; ")
 		printf("echo; ")
@@ -465,26 +475,26 @@ do
 
 	    for command in statusall listall
 	    do
-		ssh $HOSTLOGIN ipsec $command \
+		ssh $SSHCONF $HOSTLOGIN ipsec $command \
 		    > $TESTRESULTDIR/${host}.$command 2>/dev/null
 	    done
 
 	    for file in strongswan.conf ipsec.conf ipsec.secrets
 	    do
-		scp $HOSTLOGIN:/etc/$file \
+		scp $SSHCONF $HOSTLOGIN:/etc/$file \
 		    $TESTRESULTDIR/${host}.$file  > /dev/null 2>&1
 	    done
 
-	    scp $HOSTLOGIN:/etc/ipsec.d/ipsec.sql \
+	    scp $SSHCONF $HOSTLOGIN:/etc/ipsec.d/ipsec.sql \
 	    	$TESTRESULTDIR/${host}.ipsec.sql  > /dev/null 2>&1
 
-	    ssh $HOSTLOGIN ip -s xfrm policy \
+	    ssh $SSHCONF $HOSTLOGIN ip -s xfrm policy \
 		    > $TESTRESULTDIR/${host}.ip.policy 2>/dev/null
-	    ssh $HOSTLOGIN ip -s xfrm state \
+	    ssh $SSHCONF $HOSTLOGIN ip -s xfrm state \
 		    > $TESTRESULTDIR/${host}.ip.state 2>/dev/null
-	    ssh $HOSTLOGIN ip route list table $SOURCEIP_ROUTING_TABLE \
+	    ssh $SSHCONF $HOSTLOGIN ip route list table $SOURCEIP_ROUTING_TABLE \
 		    > $TESTRESULTDIR/${host}.ip.route 2>/dev/null
-	    ssh $HOSTLOGIN $IPTABLES_CMD \
+	    ssh $SSHCONF $HOSTLOGIN $IPTABLES_CMD \
 		    > $TESTRESULTDIR/${host}.iptables 2>/dev/null
 	    chmod a+r $TESTRESULTDIR/*
 	    cat >> $TESTRESULTDIR/index.html <<@EOF
@@ -521,6 +531,48 @@ do
 
 	done
 
+	for host in $RADIUSHOSTS
+	do
+	    eval HOSTLOGIN=root@\$ipv4_${host}
+
+	    for file in clients.conf eap.conf radiusd.conf proxy.conf users
+	    do
+		scp $SSHCONF $HOSTLOGIN:/etc/raddb/$file \
+		    $TESTRESULTDIR/${host}.$file  > /dev/null 2>&1
+	    done
+
+	    scp $SSHCONF $HOSTLOGIN:/var/log/radius/radius.log \
+	    	$TESTRESULTDIR/${host}.radius.log  > /dev/null 2>&1
+
+	    chmod a+r $TESTRESULTDIR/*
+	    cat >> $TESTRESULTDIR/index.html <<@EOF
+    <h3>$host</h3>
+      <table border="0" cellspacing="0" width="600">
+      <tr>
+	<td valign="top">
+	  <ul>
+	    <li><a href="$host.clients.conf">clients.conf</a></li>
+	    <li><a href="$host.radiusd.conf">radiusd.conf</a></li>
+	  </ul>
+	</td>
+	<td valign="top">
+	  <ul>
+	    <li><a href="$host.eap.conf">eap.conf</a></li>
+	    <li><a href="$host.radius.log">radius.log</a></li>
+	  </ul>
+      </td>
+	<td valign="top">
+	  <ul>
+	    <li><a href="$host.proxy.conf">proxy.conf</a></li>
+	    <li><a href="$host.users">users</a></li>
+	  </ul>
+      </td>
+    </tr>
+    </table>
+@EOF
+
+	done
+
 	cat >> $TESTRESULTDIR/index.html <<@EOF
   </td></tr>
   <tr><td align="right">
@@ -543,7 +595,7 @@ do
 	    if ($2 != "")
 	    {
 		printf("echo \"%s# %s\"; ", $1, $2)
-		printf("ssh root@\044ipv4_%s \"%s\"; ", $1, $2)
+		printf("ssh \044SSHCONF root@\044ipv4_%s \"%s\"; ", $1, $2)
 		printf("echo;\n")
 	    }
 	}' $TESTDIR/posttest.dat` >> $CONSOLE_LOG 2>&1
@@ -556,10 +608,10 @@ do
 	for host in $IPSECHOSTS
 	do
 	    eval HOSTLOGIN=root@\$ipv4_${host}
-	    ssh $HOSTLOGIN grep pluto /var/log/auth.log \
+	    ssh $SSHCONF $HOSTLOGIN grep pluto /var/log/auth.log \
 		> $TESTRESULTDIR/${host}.auth.log
 	    echo >> $TESTRESULTDIR/${host}.auth.log
-	    ssh $HOSTLOGIN grep charon /var/log/auth.log \
+	    ssh $SSHCONF $HOSTLOGIN grep charon /var/log/auth.log \
 		>> $TESTRESULTDIR/${host}.auth.log
 	done
 
@@ -571,10 +623,10 @@ do
 	for host in $IPSECHOSTS
 	do
 	    eval HOSTLOGIN=root@\$ipv4_${host}
-	    ssh $HOSTLOGIN grep pluto /var/log/daemon.log \
+	    ssh $SSHCONF $HOSTLOGIN grep pluto /var/log/daemon.log \
 		> $TESTRESULTDIR/${host}.daemon.log
 	    echo >> $TESTRESULTDIR/${host}.daemon.log
-	    ssh $HOSTLOGIN grep charon /var/log/daemon.log \
+	    ssh $SSHCONF $HOSTLOGIN grep charon /var/log/daemon.log \
 		>> $TESTRESULTDIR/${host}.daemon.log
 	done
 
@@ -588,7 +640,7 @@ do
 	    if [ "`eval echo \\\$TDUP_${host}`" = "true" ]
 	    then
 		echo "${host}# killall tcpdump" >> $CONSOLE_LOG
-		eval ssh root@\$ipv4_$host killall tcpdump
+		eval ssh $SSHCONF root@\$ipv4_$host killall tcpdump
 		eval TDUP_${host}="false"
 	    fi
 	done
@@ -639,7 +691,7 @@ do
 	for host in $IPSECHOSTS
 	do
 	    eval HOSTLOGIN=root@\$ipv4_${host}
-	    ssh $HOSTLOGIN 'if [ -f /var/run/charon.pid ]; then rm /var/run/charon.pid; echo "    removed charon.pid on `hostname`"; fi'
+	    ssh $SSHCONF $HOSTLOGIN 'if [ -f /var/run/charon.pid ]; then rm /var/run/charon.pid; echo "    removed charon.pid on `hostname`"; fi'
 	done
 
     done
@@ -694,10 +746,20 @@ cecho ""
 HTDOCS="/var/www/localhost/htdocs"
 
 cecho-n "Copying test results to winnetou.."
-ssh root@${ipv4_winnetou} mkdir -p $HTDOCS/testresults > /dev/null 2>&1
-scp -r $TODAYDIR root@${ipv4_winnetou}:$HTDOCS/testresults > /dev/null 2>&1
-ssh root@${ipv4_winnetou} ln -s $HTDOCS/images $HTDOCS/testresults/$TESTDATE/images > /dev/null 2>&1
+ssh $SSHCONF root@${ipv4_winnetou} mkdir -p $HTDOCS/testresults > /dev/null 2>&1
+scp $SSHCONF -r $TODAYDIR root@${ipv4_winnetou}:$HTDOCS/testresults > /dev/null 2>&1
+ssh $SSHCONF root@${ipv4_winnetou} ln -s $HTDOCS/images $HTDOCS/testresults/$TESTDATE/images > /dev/null 2>&1
 cgecho "done"
 cecho ""
 cecho "The results are available in $TODAYDIR"
 cecho "or via the link http://$ipv4_winnetou/testresults/$TESTDATE"
+
+
+##########################################################################
+# close ssh sessions
+#
+for host in $STRONGSWANHOSTS
+do
+    kill `eval echo \\\$ssh_pid_$host`
+done
+
diff --git a/testing/hosts/alice/etc/init.d/radiusd b/testing/hosts/alice/etc/init.d/radiusd
new file mode 100755
index 000000000..8334385f9
--- /dev/null
+++ b/testing/hosts/alice/etc/init.d/radiusd
@@ -0,0 +1,64 @@
+#!/sbin/runscript
+
+opts="${opts} reload"
+
+depend() {
+	need net
+	use dns
+}
+
+checkconfig() {
+	# set the location of log files
+	if ! cd /var/log/radius ; then
+		eerror "Failed to change current directory to /var/log/radius"
+		return 1
+	fi
+
+	if [ ! -d /var/run/radiusd ] && ! mkdir /var/run/radiusd ; then
+		eerror "Failed to create /var/run/radiusd"
+		return 1
+	fi
+	
+	if [ ! -f /etc/raddb/radiusd.conf ] ; then
+		eerror "No /etc/raddb/radiusd.conf file exists!"
+		return 1
+	fi
+
+	RADIUSD_OPTS="-xx"
+	RADIUSD_USER=`grep '^ *user *=' /etc/raddb/radiusd.conf | cut -d ' ' -f 3`
+	RADIUSD_GROUP=`grep '^ *group *=' /etc/raddb/radiusd.conf | cut -d ' ' -f 3`
+	if [ -n "${RADIUSD_USER}" ] && ! getent passwd ${RADIUSD_USER} > /dev/null ; then
+		eerror "${RADIUSD_USER} user missing!"
+		return 1
+	fi
+	if [ -n "${RADIUSD_GROUP}" ] && ! getent group ${RADIUSD_GROUP} > /dev/null ; then
+		eerror "${RADIUSD_GROUP} group missing!"
+		return 1
+	fi
+
+	# radius.log is created before privileges are dropped - need to set proper permissions on it
+	[ -f radius.log ] || touch radius.log || return 1
+
+	chown -R "${RADIUSD_USER:-root}:${RADIUSD_GROUP:-root}" . /var/run/radiusd && \
+		chmod -R u+rwX,g+rX . /var/run/radiusd || return 1
+}
+
+start() {
+	checkconfig || return 1
+
+	ebegin "Starting radiusd"
+	start-stop-daemon --start --quiet --exec /usr/sbin/radiusd -- ${RADIUSD_OPTS} >/dev/null
+	eend $?
+}
+
+stop () {
+	ebegin "Stopping radiusd"
+	start-stop-daemon --stop --quiet --pidfile=/var/run/radiusd/radiusd.pid
+	eend $?
+}
+
+reload () {
+	ebegin "Reloading radiusd"
+	kill -HUP `</var/run/radiusd/radiusd.pid`
+	eend $?
+}
diff --git a/testing/hosts/alice/etc/ipsec.conf b/testing/hosts/alice/etc/ipsec.conf
index 312cadb8f..134c1c032 100755
--- a/testing/hosts/alice/etc/ipsec.conf
+++ b/testing/hosts/alice/etc/ipsec.conf
@@ -12,6 +12,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 		
 conn nat-t
 	left=%defaultroute
diff --git a/testing/hosts/alice/etc/raddb/certs/aaaCert.pem b/testing/hosts/alice/etc/raddb/certs/aaaCert.pem
new file mode 100644
index 000000000..6aeb0c0b1
--- /dev/null
+++ b/testing/hosts/alice/etc/raddb/certs/aaaCert.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEIDCCAwigAwIBAgIBIjANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTEwMDgwNDA4Mzg0MVoXDTE1MDgwMzA4Mzg0MVowRTELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEmFhYS5z
+dHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK2R
+RcAYdZ/jOhHBSjrLDYT1OhRJ2mXjyuSbWyJQogF9c6sY8W2GhTC4e1gNThZM9+Pm
+Vzs0R39kzxsmOFhuTfwIhavMzvkWJ7945WDvTpuo2teK4fTtfix3iuyycVXywa7W
+Uum6vZb4uwNoFsZtlYSUFs+app/1VC3X8vEFvP9p//KW2fwbJ6PzR1XN/8AibxoF
+AnfqAXUenRQ1Xs/07/xF4bkZ5MUNTFTo5H+BAc49lAC16TarSTPnX1D925kIGxni
+wePHlIZrCYQTFr003+YNUehVvUxyv0NuIwlxFPokFPLDkQWk6SDvD87FW5IJ06cg
+EbrCFjcIR9/2vIepJd8CAwEAAaOCARkwggEVMAkGA1UdEwQCMAAwCwYDVR0PBAQD
+AgOoMB0GA1UdDgQWBBQS5lPpgsOE14sz7JGZimSmSbZOeDBtBgNVHSMEZjBkgBRd
+p91wBlEyfue2bbO15eBg6i5N76FJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoT
+EExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIB
+ADAdBgNVHREEFjAUghJhYWEuc3Ryb25nc3dhbi5vcmcwEwYDVR0lBAwwCgYIKwYB
+BQUHAwEwOQYDVR0fBDIwMDAuoCygKoYoaHR0cDovL2NybC5zdHJvbmdzd2FuLm9y
+Zy9zdHJvbmdzd2FuLmNybDANBgkqhkiG9w0BAQsFAAOCAQEAqM2eqrsJmAop2roa
+yNeJt8317sdAll8TvDf+s4EeCtcpDT0cIX5vCumpL6E7nV9NWWDazGCAOkwWDPpp
+iuq6R0Js8r0MbyIUbVgOe3xIOqLKd9YW0sb1IwfR/zvWcPUjnUHlqfRH7gdiR4G2
+bWIvKenl3hOQege/XnJNPUwzxeVX7k/qPivOk4I3pLnBjTRtFQdweHM95ex7Fk/d
+HoeWjw5q3MxS3ZwXpKQxZvWU5SDkkc2NJ0/0sm+wca8NC86cXkGqcLFEgJo2l3Dr
+EpZgxIhllub0M88PU7dQrDmy8OQ5j0fhayB1xpVO+REn3norclXZ2yrl4uz0eWR4
+v42sww==
+-----END CERTIFICATE-----
diff --git a/testing/hosts/alice/etc/raddb/certs/aaaKey.pem b/testing/hosts/alice/etc/raddb/certs/aaaKey.pem
new file mode 100644
index 000000000..da8cdb051
--- /dev/null
+++ b/testing/hosts/alice/etc/raddb/certs/aaaKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEArZFFwBh1n+M6EcFKOssNhPU6FEnaZePK5JtbIlCiAX1zqxjx
+bYaFMLh7WA1OFkz34+ZXOzRHf2TPGyY4WG5N/AiFq8zO+RYnv3jlYO9Om6ja14rh
+9O1+LHeK7LJxVfLBrtZS6bq9lvi7A2gWxm2VhJQWz5qmn/VULdfy8QW8/2n/8pbZ
+/Bsno/NHVc3/wCJvGgUCd+oBdR6dFDVez/Tv/EXhuRnkxQ1MVOjkf4EBzj2UALXp
+NqtJM+dfUP3bmQgbGeLB48eUhmsJhBMWvTTf5g1R6FW9THK/Q24jCXEU+iQU8sOR
+BaTpIO8PzsVbkgnTpyARusIWNwhH3/a8h6kl3wIDAQABAoIBAQCJDzatQqNf5uds
+Ld6YHtBGNf/vFYLJAuCtNaD5sAK+enpkmgXMH3X9yzBbj+Yh5hW6eaJYtiffiZOi
+NMQ50KD0bSZhTBIE0GIC6Uz5BwBkGyr1Gk7kQsZoBt5Fm4O0A0a+8a/3secU2MWV
+IxUZDGANmYOJ3O3HUstuiCDoA0gDyDt44n0RWOhKrPQmTP6vTItd/14Zi1Pg9ez3
+Mej/ulDmVV1R474EwUXbLLPBjP3vk++SLukWn4iWUeeHgDHSn0b/T5csUcH0kQMI
+aYRU2FOoCPZpRxyTr9aZxcHhr5EhQSCg7zc8u0IjpTFm8kZ4uN+60777w1A/FH5X
+YHq+yqVBAoGBANy6zM0egvyWQaX4YeoML65393iXt9OXW3uedMbmWc9VJ0bH7qdq
+b4X5Xume8yY1/hF8nh7aC1npfVjdBuDse0iHJ/eBGfCJ2VoC6/ZoCzBD7q0Qn2If
+/Sr/cbtQNTDkROT75hAo6XbewPGt7RjynH8sNmtclsZ0yyXHx0ml90tlAoGBAMlN
+P4ObM0mgP2NMPeDFqUBnHVj/h/KGS9PKrqpsvFOUm5lxJNRIxbEBavWzonphRX1X
+V83RICgCiWDAnqUaPfHh9mVBlyHCTWxrrnu3M9qbr5vZMFTyYiMoLxSfTmW5Qk8t
+cArqBDowQbiaKJE9fHv+32Q0IYRhJFVcxZRdQXHzAoGALRBmJ6qHC5KRrJTdSK9c
+PL55Y8F14lkQcFiVdtYol8/GyQigjMWKJ0wWOJQfCDoVuPQ8RAg4MQ8ebDoT4W/m
+a5RMcJeG+Djsixf1nMT5I816uRKft6TYRyMH0To64dR4zFcxTTNNFtu7gJwFwAYo
+NT6NjbXFgpbtsrTq1vpvVpECgYA0ldlhp8leEl58sg34CaqNCGLCPP5mfG6ShP/b
+xUvtCYUcMFJOojQCaTxnsuVe0so0U/y750VfLkp029yVhKVp6n1TNi8kwn03NWn/
+J3yEPudA7xuRFUBNrtGdsX/pUtvfkx8RutAf4ztH3f1683Txb0MsCfI3gqjbI8D5
+YOMXwQKBgAJnMfPslZIg6jOpBCo6RjdwvjZyPXXyn4dcCyW//2+olPdWnuu+HRCZ
+SkAWB7lSRLSvDZARHb63k+gwSl8lmwrSM53nDwaRdTKjhK2BFWsAKJNOhrOUQqJu
+EXvH4R1NrqOkPqLoG5Iw3XFUh5lQGKvKkU28W6Weolj2saljbW2b
+-----END RSA PRIVATE KEY-----
diff --git a/testing/hosts/alice/etc/raddb/certs/dh b/testing/hosts/alice/etc/raddb/certs/dh
new file mode 100644
index 000000000..9ee09be74
--- /dev/null
+++ b/testing/hosts/alice/etc/raddb/certs/dh
@@ -0,0 +1,5 @@
+-----BEGIN DH PARAMETERS-----
+MIGHAoGBAKECDgU/s7GDh2vDd5A10bVlOTcs0e4u8sIsfzGL4kSNokoFqLD6OiVj
+1z1QY1lZz464CSiXzM2A/UqppCsgiXSkjGtDQ87GJpB04fEojzXjxVnHNECJU1o1
+DnW05efrrH8gLm6YxRawQ/aboJxsPdcaaI9CTF9zWYQlDhrpq1RTAgEC
+-----END DH PARAMETERS-----
diff --git a/testing/hosts/alice/etc/raddb/certs/random b/testing/hosts/alice/etc/raddb/certs/random
new file mode 100644
index 000000000..b0dda82b3
Binary files /dev/null and b/testing/hosts/alice/etc/raddb/certs/random differ
diff --git a/testing/hosts/alice/etc/raddb/certs/strongswanCert.pem b/testing/hosts/alice/etc/raddb/certs/strongswanCert.pem
new file mode 100644
index 000000000..0865ad22e
--- /dev/null
+++ b/testing/hosts/alice/etc/raddb/certs/strongswanCert.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDuDCCAqCgAwIBAgIBADANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA0MDkxMDEwMDExOFoXDTE5MDkwNzEwMDExOFowRTELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9u
+Z1N3YW4gUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL/y
+X2LqPVZuWLPIeknK86xhz6ljd3NNhC2z+P1uoCP3sBMuZiZQEjFzhnKcbXxCeo2f
+FnvhOOjrrisSuVkzuu82oxXD3fIkzuS7m9V4E10EZzgmKWIf+WuNRfbgAuUINmLc
+4YGAXBQLPyzpP4Ou48hhz/YQo58Bics6PHy5v34qCVROIXDvqhj91P8g+pS+F21/
+7P+CH2jRcVIEHZtG8M/PweTPQ95dPzpYd2Ov6SZ/U7EWmbMmT8VcUYn1aChxFmy5
+gweVBWlkH6MP+1DeE0/tL5c87xo5KCeGK8Tdqpe7sBRC4pPEEHDQciTUvkeuJ1Pr
+K+1LwdqRxo7HgMRiDw8CAwEAAaOBsjCBrzASBgNVHRMBAf8ECDAGAQH/AgEBMAsG
+A1UdDwQEAwIBBjAdBgNVHQ4EFgQUXafdcAZRMn7ntm2zteXgYOouTe8wbQYDVR0j
+BGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNIMRkw
+FwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJv
+b3QgQ0GCAQAwDQYJKoZIhvcNAQELBQADggEBACOSmqEBtBLR9aV3UyCI8gmzR5in
+Lte9aUXXS+qis6F2h2Stf4sN+Nl6Gj7REC6SpfEH4wWdwiUL5J0CJhyoOjQuDl3n
+1Dw3dE4/zqMZdyDKEYTU75TmvusNJBdGsLkrf7EATAjoi/nrTOYPPhSUZvPp/D+Y
+vORJ9Ej51GXlK1nwEB5iA8+tDYniNQn6BD1MEgIejzK+fbiy7braZB1kqhoEr2Si
+7luBSnU912sw494E88a2EWbmMvg2TVHPNzCpVkpNk7kifCiwmw9VldkqYy9y/lCa
+Epyp7lTfKw7cbD04Vk8QJW782L6Csuxkl346b17wmOqn8AZips3tFsuAY3w=
+-----END CERTIFICATE-----
diff --git a/testing/hosts/alice/etc/strongswan.conf b/testing/hosts/alice/etc/strongswan.conf
index ba5dbdd1d..4c40f76cc 100644
--- a/testing/hosts/alice/etc/strongswan.conf
+++ b/testing/hosts/alice/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/hosts/bob/etc/ipsec.conf b/testing/hosts/bob/etc/ipsec.conf
index 0172c043b..62c0ec787 100755
--- a/testing/hosts/bob/etc/ipsec.conf
+++ b/testing/hosts/bob/etc/ipsec.conf
@@ -12,6 +12,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn nat-t
 	left=%defaultroute
diff --git a/testing/hosts/bob/etc/strongswan.conf b/testing/hosts/bob/etc/strongswan.conf
index ba5dbdd1d..4c40f76cc 100644
--- a/testing/hosts/bob/etc/strongswan.conf
+++ b/testing/hosts/bob/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/hosts/carol/etc/ipsec.conf b/testing/hosts/carol/etc/ipsec.conf
index af5c71b32..1def6ca99 100755
--- a/testing/hosts/carol/etc/ipsec.conf
+++ b/testing/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn home
 	left=PH_IP_CAROL
diff --git a/testing/hosts/carol/etc/strongswan.conf b/testing/hosts/carol/etc/strongswan.conf
index ba5dbdd1d..4c40f76cc 100644
--- a/testing/hosts/carol/etc/strongswan.conf
+++ b/testing/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/hosts/dave/etc/ipsec.conf b/testing/hosts/dave/etc/ipsec.conf
index 16e5299ce..c9d559f0d 100755
--- a/testing/hosts/dave/etc/ipsec.conf
+++ b/testing/hosts/dave/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn home
 	left=PH_IP_DAVE
diff --git a/testing/hosts/dave/etc/strongswan.conf b/testing/hosts/dave/etc/strongswan.conf
index ba5dbdd1d..4c40f76cc 100644
--- a/testing/hosts/dave/etc/strongswan.conf
+++ b/testing/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/hosts/moon/etc/ipsec.conf b/testing/hosts/moon/etc/ipsec.conf
index 9512fb7e5..b1e6549cf 100755
--- a/testing/hosts/moon/etc/ipsec.conf
+++ b/testing/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	left=PH_IP_MOON
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
diff --git a/testing/hosts/moon/etc/strongswan.conf b/testing/hosts/moon/etc/strongswan.conf
index ba5dbdd1d..4c40f76cc 100644
--- a/testing/hosts/moon/etc/strongswan.conf
+++ b/testing/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/hosts/sun/etc/ipsec.conf b/testing/hosts/sun/etc/ipsec.conf
index 77d3fb183..083e58970 100755
--- a/testing/hosts/sun/etc/ipsec.conf
+++ b/testing/hosts/sun/etc/ipsec.conf
@@ -12,6 +12,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	left=PH_IP_SUN
 	leftcert=sunCert.pem
 	leftid=@sun.strongswan.org
diff --git a/testing/hosts/sun/etc/strongswan.conf b/testing/hosts/sun/etc/strongswan.conf
index ba5dbdd1d..4c40f76cc 100644
--- a/testing/hosts/sun/etc/strongswan.conf
+++ b/testing/hosts/sun/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/hosts/venus/etc/ipsec.conf b/testing/hosts/venus/etc/ipsec.conf
index 524640cda..86cd6c9d4 100755
--- a/testing/hosts/venus/etc/ipsec.conf
+++ b/testing/hosts/venus/etc/ipsec.conf
@@ -12,6 +12,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn nat-t
 	left=%defaultroute
diff --git a/testing/hosts/venus/etc/strongswan.conf b/testing/hosts/venus/etc/strongswan.conf
index ba5dbdd1d..4c40f76cc 100644
--- a/testing/hosts/venus/etc/strongswan.conf
+++ b/testing/hosts/venus/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/hosts/winnetou/etc/openssl/index.txt b/testing/hosts/winnetou/etc/openssl/index.txt
index 58a88a3cb..dd69a793f 100644
--- a/testing/hosts/winnetou/etc/openssl/index.txt
+++ b/testing/hosts/winnetou/etc/openssl/index.txt
@@ -31,3 +31,4 @@ V	141123125153Z		1E	unknown	/C=CH/O=Linux strongSwan/OU=OCSP Signing Authority/C
 V	150226210530Z		1F	unknown	/C=CH/O=Linux strongSwan/OU=Authorization Authority/CN=aa@strongswan.org
 V	190404095350Z		20	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=Research CA
 V	190404095433Z		21	unknown	/C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA
+V	150803083841Z		22	unknown	/C=CH/O=Linux strongSwan/CN=aaa.strongswan.org
diff --git a/testing/hosts/winnetou/etc/openssl/index.txt.old b/testing/hosts/winnetou/etc/openssl/index.txt.old
index 5fd137735..58a88a3cb 100644
--- a/testing/hosts/winnetou/etc/openssl/index.txt.old
+++ b/testing/hosts/winnetou/etc/openssl/index.txt.old
@@ -30,3 +30,4 @@ V	140826104451Z		1D	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=carol@strong
 V	141123125153Z		1E	unknown	/C=CH/O=Linux strongSwan/OU=OCSP Signing Authority/CN=ocsp.strongswan.org
 V	150226210530Z		1F	unknown	/C=CH/O=Linux strongSwan/OU=Authorization Authority/CN=aa@strongswan.org
 V	190404095350Z		20	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=Research CA
+V	190404095433Z		21	unknown	/C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA
diff --git a/testing/hosts/winnetou/etc/openssl/newcerts/22.pem b/testing/hosts/winnetou/etc/openssl/newcerts/22.pem
new file mode 100644
index 000000000..6aeb0c0b1
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/newcerts/22.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEIDCCAwigAwIBAgIBIjANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTEwMDgwNDA4Mzg0MVoXDTE1MDgwMzA4Mzg0MVowRTELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEmFhYS5z
+dHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK2R
+RcAYdZ/jOhHBSjrLDYT1OhRJ2mXjyuSbWyJQogF9c6sY8W2GhTC4e1gNThZM9+Pm
+Vzs0R39kzxsmOFhuTfwIhavMzvkWJ7945WDvTpuo2teK4fTtfix3iuyycVXywa7W
+Uum6vZb4uwNoFsZtlYSUFs+app/1VC3X8vEFvP9p//KW2fwbJ6PzR1XN/8AibxoF
+AnfqAXUenRQ1Xs/07/xF4bkZ5MUNTFTo5H+BAc49lAC16TarSTPnX1D925kIGxni
+wePHlIZrCYQTFr003+YNUehVvUxyv0NuIwlxFPokFPLDkQWk6SDvD87FW5IJ06cg
+EbrCFjcIR9/2vIepJd8CAwEAAaOCARkwggEVMAkGA1UdEwQCMAAwCwYDVR0PBAQD
+AgOoMB0GA1UdDgQWBBQS5lPpgsOE14sz7JGZimSmSbZOeDBtBgNVHSMEZjBkgBRd
+p91wBlEyfue2bbO15eBg6i5N76FJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoT
+EExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIB
+ADAdBgNVHREEFjAUghJhYWEuc3Ryb25nc3dhbi5vcmcwEwYDVR0lBAwwCgYIKwYB
+BQUHAwEwOQYDVR0fBDIwMDAuoCygKoYoaHR0cDovL2NybC5zdHJvbmdzd2FuLm9y
+Zy9zdHJvbmdzd2FuLmNybDANBgkqhkiG9w0BAQsFAAOCAQEAqM2eqrsJmAop2roa
+yNeJt8317sdAll8TvDf+s4EeCtcpDT0cIX5vCumpL6E7nV9NWWDazGCAOkwWDPpp
+iuq6R0Js8r0MbyIUbVgOe3xIOqLKd9YW0sb1IwfR/zvWcPUjnUHlqfRH7gdiR4G2
+bWIvKenl3hOQege/XnJNPUwzxeVX7k/qPivOk4I3pLnBjTRtFQdweHM95ex7Fk/d
+HoeWjw5q3MxS3ZwXpKQxZvWU5SDkkc2NJ0/0sm+wca8NC86cXkGqcLFEgJo2l3Dr
+EpZgxIhllub0M88PU7dQrDmy8OQ5j0fhayB1xpVO+REn3norclXZ2yrl4uz0eWR4
+v42sww==
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/serial b/testing/hosts/winnetou/etc/openssl/serial
index 2bd5a0a98..409940768 100644
--- a/testing/hosts/winnetou/etc/openssl/serial
+++ b/testing/hosts/winnetou/etc/openssl/serial
@@ -1 +1 @@
-22
+23
diff --git a/testing/hosts/winnetou/etc/openssl/serial.old b/testing/hosts/winnetou/etc/openssl/serial.old
index aabe6ec39..2bd5a0a98 100644
--- a/testing/hosts/winnetou/etc/openssl/serial.old
+++ b/testing/hosts/winnetou/etc/openssl/serial.old
@@ -1 +1 @@
-21
+22
diff --git a/testing/scripts/build-umlkernel b/testing/scripts/build-umlkernel
index 7a98fc6c1..b9f0d710d 100755
--- a/testing/scripts/build-umlkernel
+++ b/testing/scripts/build-umlkernel
@@ -119,10 +119,10 @@ cp $KERNELCONFIG .config
 cecho "!!"
 cecho "!! Making .config for kernel. You might be prompted for new parameters!"
 cecho "!!"
-make oldconfig ARCH=um >> $LOGFILE 2>&1
+make oldconfig ARCH=um SUBARCH=i386 2>&1 | tee -a $LOGFILE
 
 cecho-n " * Now compiling uml kernel.."
-make linux ARCH=um  >> $LOGFILE 2>&1
+make linux ARCH=um SUBARCH=i386 >> $LOGFILE 2>&1
 cgecho "done"
 
 cecho-n " * Copying uml kernel to '${BUILDDIR}/linux-uml-${KERNELVERSION}'.."
diff --git a/testing/scripts/build-umlrootfs b/testing/scripts/build-umlrootfs
index 8a083e2ec..e22b65cf4 100755
--- a/testing/scripts/build-umlrootfs
+++ b/testing/scripts/build-umlrootfs
@@ -127,6 +127,7 @@ echo "ln -sf /usr/share/zoneinfo/${TZUML} /etc/localtime" >> $INSTALLSHELL
 echo "cd /root/${STRONGSWANVERSION}" >> $INSTALLSHELL
 echo -n "./configure --sysconfdir=/etc" >> $INSTALLSHELL
 echo -n " --with-random-device=/dev/urandom" >> $INSTALLSHELL
+echo -n " --disable-load-warning" >> $INSTALLSHELL
 
 if [ "$USE_LIBCURL" = "yes" ]
 then
@@ -171,6 +172,36 @@ then
     echo -n " --enable-eap-radius" >> $INSTALLSHELL
 fi
 
+if [ "$USE_EAP_TLS" = "yes" ]
+then
+    echo -n " --enable-eap-tls" >> $INSTALLSHELL
+fi
+
+if [ "$USE_EAP_TTLS" = "yes" ]
+then
+    echo -n " --enable-eap-ttls" >> $INSTALLSHELL
+fi
+
+if [ "$USE_EAP_TNC" = "yes" ]
+then
+    echo -n " --enable-eap-tnc" >> $INSTALLSHELL
+fi
+
+if [ "$USE_TNC_IMC" = "yes" ]
+then
+    echo -n " --enable-tnc-imc" >> $INSTALLSHELL
+fi
+
+if [ "$USE_TNC_IMV" = "yes" ]
+then
+    echo -n " --enable-tnc-imv" >> $INSTALLSHELL
+fi
+
+if [ "$USE_TNCCS_11" = "yes" ]
+then
+    echo -n " --enable-tnccs-11" >> $INSTALLSHELL
+fi
+
 if [ "$USE_SQL" = "yes" ]
 then
     echo -n " --enable-sql --enable-sqlite" >> $INSTALLSHELL
@@ -246,8 +277,23 @@ then
     echo -n " --enable-addrblock" >> $INSTALLSHELL
 fi
 
+if [ "$USE_CTR" = "yes" ]
+then
+    echo -n " --enable-ctr" >> $INSTALLSHELL
+fi
+
+if [ "$USE_CCM" = "yes" ]
+then
+    echo -n " --enable-ccm" >> $INSTALLSHELL
+fi
+
+if [ "$USE_GCM" = "yes" ]
+then
+    echo -n " --enable-gcm" >> $INSTALLSHELL
+fi
+
 echo "" >> $INSTALLSHELL
-echo "make" >> $INSTALLSHELL
+echo "make -j" >> $INSTALLSHELL
 echo "make install" >> $INSTALLSHELL
 echo "ldconfig" >> $INSTALLSHELL
 
diff --git a/testing/scripts/gstart-umls b/testing/scripts/gstart-umls
index 624db8d8b..c6fcd26dc 100755
--- a/testing/scripts/gstart-umls
+++ b/testing/scripts/gstart-umls
@@ -67,10 +67,10 @@ do
 	    \$SWITCH_${host} \
 	    mem=${MEM}M con=pty con0=fd:0,fd:1" &
         cgecho "done"
+        sleep 15
     fi
     let "x0+=dx"
     let "y0+=dy"
-    sleep 15
 done
 
 if [ -z "$BOOTING_HOSTS" ]
diff --git a/testing/scripts/load-testconfig b/testing/scripts/load-testconfig
index 8dd3069f6..0e167e8e2 100755
--- a/testing/scripts/load-testconfig
+++ b/testing/scripts/load-testconfig
@@ -45,7 +45,7 @@ then
     for host in `ls $TESTSDIR/$testname/hosts`
     do
 	eval HOSTLOGIN="root@`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $1 }' | awk '{ print $1 }'`"
-	scp -r $TESTSDIR/$testname/hosts/$host/etc $HOSTLOGIN:/ > /dev/null 2>&1
+	scp $SSHCONF -r $TESTSDIR/$testname/hosts/$host/etc $HOSTLOGIN:/ > /dev/null 2>&1
     done
 fi
 
@@ -57,6 +57,18 @@ fi
 for host in $IPSECHOSTS
 do
     eval HOSTLOGIN="root@`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $1 }' | awk '{ print $1 }'`"
-    ssh $HOSTLOGIN 'rm -f /var/log/auth.log /var/log/daemon.log; \
+    ssh $SSHCONF $HOSTLOGIN 'rm -f /var/log/auth.log /var/log/daemon.log; \
+		    kill -SIGHUP `cat /var/run/syslogd.pid`' > /dev/null 2>&1
+done
+
+
+##########################################################################
+# clear radius.log on FreeRadius servers
+#
+
+for host in $RADIUSHOSTS
+do
+    eval HOSTLOGIN="root@`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $1 }' | awk '{ print $1 }'`"
+    ssh $SSHCONF $HOSTLOGIN 'rm -f /var/log/radius/radius.log; \
 		    kill -SIGHUP `cat /var/run/syslogd.pid`' > /dev/null 2>&1
 done
diff --git a/testing/scripts/restore-defaults b/testing/scripts/restore-defaults
index b26be9936..64cc0262e 100755
--- a/testing/scripts/restore-defaults
+++ b/testing/scripts/restore-defaults
@@ -46,6 +46,6 @@ then
     for host in `ls $TESTSDIR/${testname}/hosts`
     do
 	eval HOSTLOGIN="root@`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $1 }' | awk '{ print $1 }'`"
-	scp -r $HOSTCONFIGDIR/${host}/etc $HOSTLOGIN:/ > /dev/null 2>&1
+	scp $SSHCONF -r $HOSTCONFIGDIR/${host}/etc $HOSTLOGIN:/ > /dev/null 2>&1
     done
 fi
diff --git a/testing/ssh_config b/testing/ssh_config
new file mode 100644
index 000000000..36569c07c
--- /dev/null
+++ b/testing/ssh_config
@@ -0,0 +1,10 @@
+Host *
+	# debian default
+	SendEnv LANG LC_*
+	HashKnownHosts yes
+	GSSAPIAuthentication yes
+	# faster encryption
+	Ciphers arcfour
+	# share multiple sessions
+	ControlMaster auto
+	ControlPath /tmp/ssh-uml-%r@%h:%p
diff --git a/testing/testing.conf b/testing/testing.conf
index 55716ebaa..b9cb4bb30 100755
--- a/testing/testing.conf
+++ b/testing/testing.conf
@@ -19,19 +19,19 @@ UMLTESTDIR=~/strongswan-testing
 
 # Bzipped kernel sources
 # (file extension .tar.bz2 required)
-KERNEL=$UMLTESTDIR/linux-2.6.33.3.tar.bz2
+KERNEL=$UMLTESTDIR/linux-2.6.35.2.tar.bz2
 
 # Extract kernel version
 KERNELVERSION=`basename $KERNEL .tar.bz2 | sed -e 's/linux-//'`
 
 # Kernel configuration file
-KERNELCONFIG=$UMLTESTDIR/.config-2.6.33
+KERNELCONFIG=$UMLTESTDIR/.config-2.6.35
 
 # Bzipped uml patch for kernel
-UMLPATCH=$UMLTESTDIR/aes_gmac.patch.bz2
+#UMLPATCH=$UMLTESTDIR/xfrm_mark.patch.bz2
 
 # Bzipped source of strongSwan
-STRONGSWAN=$UMLTESTDIR/strongswan-4.4.1.tar.bz2
+STRONGSWAN=$UMLTESTDIR/strongswan-4.4.2.tar.bz2
 
 # strongSwan compile options (use "yes" or "no")
 USE_LIBCURL="yes"
@@ -42,6 +42,12 @@ USE_EAP_MD5="yes"
 USE_EAP_MSCHAPV2="yes"
 USE_EAP_IDENTITY="yes"
 USE_EAP_RADIUS="yes"
+USE_EAP_TLS="yes"
+USE_EAP_TTLS="yes"
+USE_EAP_TNC="yes"
+USE_TNC_IMC="yes"
+USE_TNC_IMV="yes"
+USE_TNCCS_11="yes"
 USE_SQL="yes"
 USE_MEDIATION="yes"
 USE_OPENSSL="yes"
@@ -57,9 +63,12 @@ USE_SOCKET_DYNAMIC="yes"
 USE_DHCP="yes"
 USE_FARP="yes"
 USE_ADDRBLOCK="yes"
+USE_CTR="yes"
+USE_CCM="yes"
+USE_GCM="yes"
 
 # Gentoo linux root filesystem
-ROOTFS=$UMLTESTDIR/gentoo-fs-20090615.tar.bz2
+ROOTFS=$UMLTESTDIR/gentoo-fs-20100805.tar.bz2
 
 # Size of the finished root filesystem in MB
 ROOTFSSIZE=700
@@ -78,6 +87,9 @@ UMLKERNEL=$BUILDDIR/linux-uml-$KERNELVERSION
 # Directory where test results will be stored
 TESTRESULTSDIR=$UMLTESTDIR/testresults
 
+# SSH configuration (speedup SSH)
+SSHCONF="-F $UMLTESTDIR/testing/ssh_config"
+
 # Path to a full strongswan tree on the host system, which is
 # mounted into /root/strongswan-shared. This gives us an easy
 # way to apply and test changes instantly.
diff --git a/testing/tests/gcrypt-ikev1/alg-camellia/hosts/carol/etc/ipsec.conf b/testing/tests/gcrypt-ikev1/alg-camellia/hosts/carol/etc/ipsec.conf
index a24c69735..cf51269a5 100755
--- a/testing/tests/gcrypt-ikev1/alg-camellia/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/gcrypt-ikev1/alg-camellia/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	ike=camellia128-sha256-modp2048!
 	esp=camellia128-sha256!
 
diff --git a/testing/tests/gcrypt-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf
index afc3806b5..5e09a3a1d 100644
--- a/testing/tests/gcrypt-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/gcrypt-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = pem pkcs1 x509 gcrypt hmac curl
+  load = pem pkcs1 x509 gcrypt hmac curl kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/gcrypt-ikev1/alg-camellia/hosts/moon/etc/ipsec.conf b/testing/tests/gcrypt-ikev1/alg-camellia/hosts/moon/etc/ipsec.conf
index a8e09f8ff..5571dc086 100755
--- a/testing/tests/gcrypt-ikev1/alg-camellia/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/gcrypt-ikev1/alg-camellia/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	ike=camellia128-sha256-modp2048!
 	esp=camellia128-sha256!
 
diff --git a/testing/tests/gcrypt-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf
index afc3806b5..5e09a3a1d 100644
--- a/testing/tests/gcrypt-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/gcrypt-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = pem pkcs1 x509 gcrypt hmac curl
+  load = pem pkcs1 x509 gcrypt hmac curl kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/gcrypt-ikev1/alg-camellia/test.conf b/testing/tests/gcrypt-ikev1/alg-camellia/test.conf
index fd33cfb57..6abbb89a9 100644
--- a/testing/tests/gcrypt-ikev1/alg-camellia/test.conf
+++ b/testing/tests/gcrypt-ikev1/alg-camellia/test.conf
@@ -5,11 +5,11 @@
 
 # All UML instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
 
 # UML instances on which tcpdump is to be started
 #
diff --git a/testing/tests/gcrypt-ikev1/alg-serpent/hosts/carol/etc/ipsec.conf b/testing/tests/gcrypt-ikev1/alg-serpent/hosts/carol/etc/ipsec.conf
index 0848c3696..462427a8c 100755
--- a/testing/tests/gcrypt-ikev1/alg-serpent/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/gcrypt-ikev1/alg-serpent/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	ike=serpent256-sha2_512-modp4096!
 	esp=serpent256-sha2_512!
 
diff --git a/testing/tests/gcrypt-ikev1/alg-serpent/hosts/carol/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/alg-serpent/hosts/carol/etc/strongswan.conf
index afc3806b5..5e09a3a1d 100644
--- a/testing/tests/gcrypt-ikev1/alg-serpent/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/gcrypt-ikev1/alg-serpent/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = pem pkcs1 x509 gcrypt hmac curl
+  load = pem pkcs1 x509 gcrypt hmac curl kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/gcrypt-ikev1/alg-serpent/hosts/moon/etc/ipsec.conf b/testing/tests/gcrypt-ikev1/alg-serpent/hosts/moon/etc/ipsec.conf
index 05edfc7d0..de3c1d1c7 100755
--- a/testing/tests/gcrypt-ikev1/alg-serpent/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/gcrypt-ikev1/alg-serpent/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	ike=serpent256-sha2_512-modp4096!
 	esp=serpent256-sha2_512!
 
diff --git a/testing/tests/gcrypt-ikev1/alg-serpent/hosts/moon/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/alg-serpent/hosts/moon/etc/strongswan.conf
index afc3806b5..5e09a3a1d 100644
--- a/testing/tests/gcrypt-ikev1/alg-serpent/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/gcrypt-ikev1/alg-serpent/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = pem pkcs1 x509 gcrypt hmac curl
+  load = pem pkcs1 x509 gcrypt hmac curl kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/gcrypt-ikev1/alg-serpent/test.conf b/testing/tests/gcrypt-ikev1/alg-serpent/test.conf
index fd33cfb57..6abbb89a9 100644
--- a/testing/tests/gcrypt-ikev1/alg-serpent/test.conf
+++ b/testing/tests/gcrypt-ikev1/alg-serpent/test.conf
@@ -5,11 +5,11 @@
 
 # All UML instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
 
 # UML instances on which tcpdump is to be started
 #
diff --git a/testing/tests/gcrypt-ikev1/alg-twofish/hosts/carol/etc/ipsec.conf b/testing/tests/gcrypt-ikev1/alg-twofish/hosts/carol/etc/ipsec.conf
index 838291f80..4c02699b7 100755
--- a/testing/tests/gcrypt-ikev1/alg-twofish/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/gcrypt-ikev1/alg-twofish/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	ike=twofish256-sha2_512-modp4096!
 	esp=twofish256-sha2_512!
 
diff --git a/testing/tests/gcrypt-ikev1/alg-twofish/hosts/carol/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/alg-twofish/hosts/carol/etc/strongswan.conf
index afc3806b5..5e09a3a1d 100644
--- a/testing/tests/gcrypt-ikev1/alg-twofish/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/gcrypt-ikev1/alg-twofish/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = pem pkcs1 x509 gcrypt hmac curl
+  load = pem pkcs1 x509 gcrypt hmac curl kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/gcrypt-ikev1/alg-twofish/hosts/moon/etc/ipsec.conf b/testing/tests/gcrypt-ikev1/alg-twofish/hosts/moon/etc/ipsec.conf
index c2ef12853..d608ac2f6 100755
--- a/testing/tests/gcrypt-ikev1/alg-twofish/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/gcrypt-ikev1/alg-twofish/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	ike=twofish256-sha2_512-modp4096!
 	esp=twofish256-sha2_512!
 
diff --git a/testing/tests/gcrypt-ikev1/alg-twofish/hosts/moon/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/alg-twofish/hosts/moon/etc/strongswan.conf
index afc3806b5..5e09a3a1d 100644
--- a/testing/tests/gcrypt-ikev1/alg-twofish/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/gcrypt-ikev1/alg-twofish/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = pem pkcs1 x509 gcrypt hmac curl
+  load = pem pkcs1 x509 gcrypt hmac curl kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/gcrypt-ikev1/alg-twofish/test.conf b/testing/tests/gcrypt-ikev1/alg-twofish/test.conf
index fd33cfb57..6abbb89a9 100644
--- a/testing/tests/gcrypt-ikev1/alg-twofish/test.conf
+++ b/testing/tests/gcrypt-ikev1/alg-twofish/test.conf
@@ -5,11 +5,11 @@
 
 # All UML instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
 
 # UML instances on which tcpdump is to be started
 #
diff --git a/testing/tests/gcrypt-ikev1/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/rw-cert/hosts/carol/etc/strongswan.conf
index 77491cfd8..697565a38 100644
--- a/testing/tests/gcrypt-ikev1/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/gcrypt-ikev1/rw-cert/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = test-vectors pem pkcs1 x509 gcrypt hmac curl
+  load = test-vectors pem pkcs1 x509 gcrypt hmac curl kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/gcrypt-ikev1/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/rw-cert/hosts/dave/etc/strongswan.conf
index 7d8cd1781..5cc54b24f 100644
--- a/testing/tests/gcrypt-ikev1/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/gcrypt-ikev1/rw-cert/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = test-vectors aes des sha1 sha2 md5 pem pkcs1 x509 gmp random hmac curl
+  load = test-vectors aes des sha1 sha2 md5 pem pkcs1 x509 gmp random hmac curl kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/gcrypt-ikev1/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/rw-cert/hosts/moon/etc/strongswan.conf
index 77491cfd8..697565a38 100644
--- a/testing/tests/gcrypt-ikev1/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/gcrypt-ikev1/rw-cert/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = test-vectors pem pkcs1 x509 gcrypt hmac curl
+  load = test-vectors pem pkcs1 x509 gcrypt hmac curl kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/test.conf b/testing/tests/gcrypt-ikev2/alg-camellia/test.conf
index acb73b06f..9cd583b16 100644
--- a/testing/tests/gcrypt-ikev2/alg-camellia/test.conf
+++ b/testing/tests/gcrypt-ikev2/alg-camellia/test.conf
@@ -5,11 +5,11 @@
 
 # All UML instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
 
 # UML instances on which tcpdump is to be started
 #
diff --git a/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
index f0e57e827..92fcbd641 100644
--- a/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors pem pkcs1 gcrypt x509 revocation hmac stroke kernel-netlink socket-default updown
+  load = curl test-vectors pem pkcs1 gcrypt x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
index 208f1c36d..e483eba9d 100644
--- a/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
index f0e57e827..92fcbd641 100644
--- a/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors pem pkcs1 gcrypt x509 revocation hmac stroke kernel-netlink socket-default updown
+  load = curl test-vectors pem pkcs1 gcrypt x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/ike/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ike/rw-cert/hosts/carol/etc/strongswan.conf
index c2d2b14ac..83c10cfdc 100644
--- a/testing/tests/ike/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ike/rw-cert/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = test-vectors sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
+  load = test-vectors sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ike/rw-cert/hosts/dave/etc/ipsec.conf b/testing/tests/ike/rw-cert/hosts/dave/etc/ipsec.conf
index a42c7a5bd..3be21d055 100755
--- a/testing/tests/ike/rw-cert/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ike/rw-cert/hosts/dave/etc/ipsec.conf
@@ -9,6 +9,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev2
 
 conn home
 	left=PH_IP_DAVE
@@ -17,5 +18,4 @@ conn home
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
 	rightsubnet=10.1.0.0/16
-	keyexchange=ikev2
 	auto=add
diff --git a/testing/tests/ike/rw-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ike/rw-cert/hosts/moon/etc/ipsec.conf
index 340b1a176..d90ab485c 100755
--- a/testing/tests/ike/rw-cert/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ike/rw-cert/hosts/moon/etc/ipsec.conf
@@ -9,6 +9,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1 
 
 conn rw
 	left=PH_IP_MOON
diff --git a/testing/tests/ike/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ike/rw-cert/hosts/moon/etc/strongswan.conf
index d84d916a5..7a066e53e 100644
--- a/testing/tests/ike/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ike/rw-cert/hosts/moon/etc/strongswan.conf
@@ -5,7 +5,7 @@ charon {
 }
 
 pluto {
-  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 x509 gmp random hmac
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 x509 gmp random hmac kernel-netlink
 }
 
 libstrongswan {
diff --git a/testing/tests/ike/rw_v1-net_v2/hosts/moon/etc/strongswan.conf b/testing/tests/ike/rw_v1-net_v2/hosts/moon/etc/strongswan.conf
index 38db1e4fc..8cb117c7b 100644
--- a/testing/tests/ike/rw_v1-net_v2/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ike/rw_v1-net_v2/hosts/moon/etc/strongswan.conf
@@ -5,5 +5,5 @@ charon {
 }
 
 pluto {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 x509 gmp random hmac
+  load = curl aes des sha1 sha2 md5 pem pkcs1 x509 gmp random hmac kernel-netlink
 }
diff --git a/testing/tests/ikev1/after-2038-certs/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/after-2038-certs/hosts/carol/etc/ipsec.conf
index d55638907..528e3f1b3 100755
--- a/testing/tests/ikev1/after-2038-certs/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/after-2038-certs/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn home
 	left=PH_IP_CAROL
diff --git a/testing/tests/ikev1/after-2038-certs/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/after-2038-certs/hosts/moon/etc/ipsec.conf
index 94517ecbe..991ae4368 100755
--- a/testing/tests/ikev1/after-2038-certs/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/after-2038-certs/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn rw
 	left=PH_IP_MOON
diff --git a/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/ipsec.conf
index 3517077f9..57394c27a 100755
--- a/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	ike=blowfish256-sha2_512-modp4096!
 	esp=blowfish256-sha2_512!
 
diff --git a/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/strongswan.conf
index 28dd532b3..4dbdc67b3 100644
--- a/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des blowfish hmac pem pkcs1 x509 gmp random curl
+  load = sha1 sha2 md5 aes des blowfish hmac pem pkcs1 x509 gmp random curl kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/ipsec.conf
index 1b4cca222..427c5d180 100755
--- a/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	ike=blowfish256-sha2_512-modp4096!
 	esp=blowfish256-sha2_512!
 
diff --git a/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/strongswan.conf
index 28dd532b3..4dbdc67b3 100644
--- a/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des blowfish hmac pem pkcs1 x509 gmp random curl
+  load = sha1 sha2 md5 aes des blowfish hmac pem pkcs1 x509 gmp random curl kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/alg-blowfish/test.conf b/testing/tests/ikev1/alg-blowfish/test.conf
index fd33cfb57..6abbb89a9 100644
--- a/testing/tests/ikev1/alg-blowfish/test.conf
+++ b/testing/tests/ikev1/alg-blowfish/test.conf
@@ -5,11 +5,11 @@
 
 # All UML instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
 
 # UML instances on which tcpdump is to be started
 #
diff --git a/testing/tests/ikev1/alg-sha256-96/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/alg-sha256-96/hosts/carol/etc/ipsec.conf
index 2611115cd..2d6f87b17 100755
--- a/testing/tests/ikev1/alg-sha256-96/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/alg-sha256-96/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	ike=aes128-sha256-modp2048!
 	esp=aes128-sha256_96!
 
diff --git a/testing/tests/ikev1/alg-sha256-96/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/alg-sha256-96/hosts/moon/etc/ipsec.conf
index 758c7a29a..b2a686db0 100755
--- a/testing/tests/ikev1/alg-sha256-96/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/alg-sha256-96/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	ike=aes128-sha256-modp2048!
 	esp=aes128-sha256_96!
 
diff --git a/testing/tests/ikev1/alg-sha256-96/test.conf b/testing/tests/ikev1/alg-sha256-96/test.conf
index fd33cfb57..6abbb89a9 100644
--- a/testing/tests/ikev1/alg-sha256-96/test.conf
+++ b/testing/tests/ikev1/alg-sha256-96/test.conf
@@ -5,11 +5,11 @@
 
 # All UML instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
 
 # UML instances on which tcpdump is to be started
 #
diff --git a/testing/tests/ikev1/alg-sha256/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/alg-sha256/hosts/carol/etc/ipsec.conf
index 0e1db6fbe..66476b83e 100755
--- a/testing/tests/ikev1/alg-sha256/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/alg-sha256/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	ike=aes128-sha256-modp2048!
 	esp=aes128-sha256!
 
diff --git a/testing/tests/ikev1/alg-sha256/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/alg-sha256/hosts/moon/etc/ipsec.conf
index 584ffda19..2b97ff4f3 100755
--- a/testing/tests/ikev1/alg-sha256/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/alg-sha256/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	ike=aes128-sha256-modp2048!
 	esp=aes128-sha256!
 
diff --git a/testing/tests/ikev1/alg-sha256/test.conf b/testing/tests/ikev1/alg-sha256/test.conf
index fd33cfb57..6abbb89a9 100644
--- a/testing/tests/ikev1/alg-sha256/test.conf
+++ b/testing/tests/ikev1/alg-sha256/test.conf
@@ -5,11 +5,11 @@
 
 # All UML instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
 
 # UML instances on which tcpdump is to be started
 #
diff --git a/testing/tests/ikev1/alg-sha384/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/alg-sha384/hosts/carol/etc/ipsec.conf
index c60c6615c..42df1dccd 100755
--- a/testing/tests/ikev1/alg-sha384/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/alg-sha384/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	ike=aes192-sha384-modp3072!
 	esp=aes192-sha384!
 
diff --git a/testing/tests/ikev1/alg-sha384/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/alg-sha384/hosts/moon/etc/ipsec.conf
index 2d361b38a..a75d370aa 100755
--- a/testing/tests/ikev1/alg-sha384/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/alg-sha384/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	ike=aes192-sha384-modp3072!
 	esp=aes192-sha384!
 
diff --git a/testing/tests/ikev1/alg-sha384/test.conf b/testing/tests/ikev1/alg-sha384/test.conf
index fd33cfb57..6abbb89a9 100644
--- a/testing/tests/ikev1/alg-sha384/test.conf
+++ b/testing/tests/ikev1/alg-sha384/test.conf
@@ -5,11 +5,11 @@
 
 # All UML instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
 
 # UML instances on which tcpdump is to be started
 #
diff --git a/testing/tests/ikev1/alg-sha512/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/alg-sha512/hosts/carol/etc/ipsec.conf
index 6bd3ac8c7..329de395c 100755
--- a/testing/tests/ikev1/alg-sha512/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/alg-sha512/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	ike=aes256-sha512-modp4096!
 	esp=aes256-sha512!
 
diff --git a/testing/tests/ikev1/alg-sha512/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/alg-sha512/hosts/moon/etc/ipsec.conf
index a28269155..8da459a8a 100755
--- a/testing/tests/ikev1/alg-sha512/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/alg-sha512/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	ike=aes256-sha512-modp4096!
 	esp=aes256-sha512!
 
diff --git a/testing/tests/ikev1/alg-sha512/test.conf b/testing/tests/ikev1/alg-sha512/test.conf
index fd33cfb57..6abbb89a9 100644
--- a/testing/tests/ikev1/alg-sha512/test.conf
+++ b/testing/tests/ikev1/alg-sha512/test.conf
@@ -5,11 +5,11 @@
 
 # All UML instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
 
 # UML instances on which tcpdump is to be started
 #
diff --git a/testing/tests/ikev1/attr-cert/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/attr-cert/hosts/carol/etc/ipsec.conf
index cdd6929ff..a84b3a6b2 100755
--- a/testing/tests/ikev1/attr-cert/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/attr-cert/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	left=PH_IP_CAROL
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
diff --git a/testing/tests/ikev1/attr-cert/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/attr-cert/hosts/dave/etc/ipsec.conf
index 285dc7234..ce3903596 100755
--- a/testing/tests/ikev1/attr-cert/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/attr-cert/hosts/dave/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	left=PH_IP_DAVE
 	leftcert=daveCert.pem
 	leftid=dave@strongswan.org
diff --git a/testing/tests/ikev1/attr-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/attr-cert/hosts/moon/etc/ipsec.conf
index a0250f597..11cf4d5d1 100755
--- a/testing/tests/ikev1/attr-cert/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/attr-cert/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	left=PH_IP_MOON
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
diff --git a/testing/tests/ikev1/attr-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/attr-cert/hosts/moon/etc/strongswan.conf
index 53d719d9d..1a47aeb7d 100644
--- a/testing/tests/ikev1/attr-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/attr-cert/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
 }
 
 openac {
diff --git a/testing/tests/ikev1/compress/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/compress/hosts/carol/etc/ipsec.conf
index 45118094b..f5050fef1 100755
--- a/testing/tests/ikev1/compress/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/compress/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	compress=yes
 
 conn home
diff --git a/testing/tests/ikev1/compress/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/compress/hosts/moon/etc/ipsec.conf
index a370ca458..aaf13f5fc 100755
--- a/testing/tests/ikev1/compress/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/compress/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	compress=yes
 
 conn rw
diff --git a/testing/tests/ikev1/compress/test.conf b/testing/tests/ikev1/compress/test.conf
index fd33cfb57..6abbb89a9 100644
--- a/testing/tests/ikev1/compress/test.conf
+++ b/testing/tests/ikev1/compress/test.conf
@@ -5,11 +5,11 @@
 
 # All UML instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
 
 # UML instances on which tcpdump is to be started
 #
diff --git a/testing/tests/ikev1/crl-from-cache/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/crl-from-cache/hosts/carol/etc/ipsec.conf
index 98e7df65f..bb1879b1d 100755
--- a/testing/tests/ikev1/crl-from-cache/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/crl-from-cache/hosts/carol/etc/ipsec.conf
@@ -12,6 +12,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	left=PH_IP_CAROL
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
diff --git a/testing/tests/ikev1/crl-from-cache/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/crl-from-cache/hosts/moon/etc/ipsec.conf
index 25906e890..ec0bc2e88 100755
--- a/testing/tests/ikev1/crl-from-cache/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/crl-from-cache/hosts/moon/etc/ipsec.conf
@@ -12,6 +12,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	left=PH_IP_MOON
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
diff --git a/testing/tests/ikev1/crl-ldap/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/crl-ldap/hosts/carol/etc/ipsec.conf
index 1bc6cf4fb..5a7668c64 100755
--- a/testing/tests/ikev1/crl-ldap/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/crl-ldap/hosts/carol/etc/ipsec.conf
@@ -17,6 +17,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=2
+	keyexchange=ikev1
 
 conn home
 	left=PH_IP_CAROL
diff --git a/testing/tests/ikev1/crl-ldap/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/crl-ldap/hosts/carol/etc/strongswan.conf
index 4d916ab36..71358d6c6 100644
--- a/testing/tests/ikev1/crl-ldap/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/crl-ldap/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl ldap
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl ldap kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/crl-ldap/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/crl-ldap/hosts/moon/etc/ipsec.conf
index fdfff13f0..1b80c0ddd 100755
--- a/testing/tests/ikev1/crl-ldap/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/crl-ldap/hosts/moon/etc/ipsec.conf
@@ -17,6 +17,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=2
+	keyexchange=ikev1
 	left=PH_IP_MOON
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
diff --git a/testing/tests/ikev1/crl-ldap/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/crl-ldap/hosts/moon/etc/strongswan.conf
index 4d916ab36..71358d6c6 100644
--- a/testing/tests/ikev1/crl-ldap/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/crl-ldap/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl ldap
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl ldap kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.conf
index e0c758e74..77f6cfcb0 100755
--- a/testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	left=PH_IP_CAROL
 	leftcert=carolRevokedCert.pem
 	leftid=carol@strongswan.org
diff --git a/testing/tests/ikev1/crl-revoked/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/crl-revoked/hosts/moon/etc/ipsec.conf
index d3603b7aa..1c011dccb 100755
--- a/testing/tests/ikev1/crl-revoked/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/crl-revoked/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	left=PH_IP_MOON
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
diff --git a/testing/tests/ikev1/crl-strict/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/crl-strict/hosts/carol/etc/ipsec.conf
index d240302b6..b4bc2101c 100755
--- a/testing/tests/ikev1/crl-strict/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/crl-strict/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	left=PH_IP_CAROL
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
diff --git a/testing/tests/ikev1/crl-strict/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/crl-strict/hosts/moon/etc/ipsec.conf
index d3603b7aa..1c011dccb 100755
--- a/testing/tests/ikev1/crl-strict/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/crl-strict/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	left=PH_IP_MOON
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
diff --git a/testing/tests/ikev1/crl-to-cache/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/crl-to-cache/hosts/carol/etc/ipsec.conf
index 6c2de2e1e..3fbad9070 100755
--- a/testing/tests/ikev1/crl-to-cache/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/crl-to-cache/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	left=PH_IP_CAROL
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
diff --git a/testing/tests/ikev1/crl-to-cache/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/crl-to-cache/hosts/moon/etc/ipsec.conf
index 8d07e42ba..0b9f891bd 100755
--- a/testing/tests/ikev1/crl-to-cache/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/crl-to-cache/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	left=PH_IP_MOON
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
diff --git a/testing/tests/ikev1/default-keys/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/default-keys/hosts/carol/etc/ipsec.conf
index 307d0b6b4..4d5bff62c 100755
--- a/testing/tests/ikev1/default-keys/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/default-keys/hosts/carol/etc/ipsec.conf
@@ -12,6 +12,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn home
 	left=PH_IP_CAROL
diff --git a/testing/tests/ikev1/default-keys/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/default-keys/hosts/carol/etc/strongswan.conf
index 737117cc9..e589a9425 100644
--- a/testing/tests/ikev1/default-keys/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/default-keys/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
 }
 
 scepclient {
diff --git a/testing/tests/ikev1/default-keys/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/default-keys/hosts/moon/etc/ipsec.conf
index ce7afbaf3..dd7ae0b20 100755
--- a/testing/tests/ikev1/default-keys/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/default-keys/hosts/moon/etc/ipsec.conf
@@ -12,6 +12,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn carol
 	left=PH_IP_MOON
diff --git a/testing/tests/ikev1/default-keys/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/default-keys/hosts/moon/etc/strongswan.conf
index 737117cc9..e589a9425 100644
--- a/testing/tests/ikev1/default-keys/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/default-keys/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
 }
 
 scepclient {
diff --git a/testing/tests/ikev1/double-nat-net/hosts/alice/etc/ipsec.conf b/testing/tests/ikev1/double-nat-net/hosts/alice/etc/ipsec.conf
index 5c0763734..caad279bb 100755
--- a/testing/tests/ikev1/double-nat-net/hosts/alice/etc/ipsec.conf
+++ b/testing/tests/ikev1/double-nat-net/hosts/alice/etc/ipsec.conf
@@ -12,6 +12,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 		
 conn nat-t
 	left=%defaultroute
diff --git a/testing/tests/ikev1/double-nat-net/hosts/bob/etc/ipsec.conf b/testing/tests/ikev1/double-nat-net/hosts/bob/etc/ipsec.conf
index e79b2ca35..32d2ab0f6 100755
--- a/testing/tests/ikev1/double-nat-net/hosts/bob/etc/ipsec.conf
+++ b/testing/tests/ikev1/double-nat-net/hosts/bob/etc/ipsec.conf
@@ -12,6 +12,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn nat-t
 	left=%defaultroute
diff --git a/testing/tests/ikev1/double-nat/hosts/alice/etc/ipsec.conf b/testing/tests/ikev1/double-nat/hosts/alice/etc/ipsec.conf
index 3533c3f8b..7de7a951e 100755
--- a/testing/tests/ikev1/double-nat/hosts/alice/etc/ipsec.conf
+++ b/testing/tests/ikev1/double-nat/hosts/alice/etc/ipsec.conf
@@ -12,6 +12,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 		
 conn nat-t
 	left=%defaultroute
diff --git a/testing/tests/ikev1/dpd-clear/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/dpd-clear/hosts/moon/etc/ipsec.conf
index a50275d98..34490a13a 100755
--- a/testing/tests/ikev1/dpd-clear/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/dpd-clear/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	dpdaction=clear
 	dpddelay=10
 	dpdtimeout=30
diff --git a/testing/tests/ikev1/dpd-restart/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/dpd-restart/hosts/carol/etc/ipsec.conf
index e6938e79a..3c0b0bf15 100755
--- a/testing/tests/ikev1/dpd-restart/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/dpd-restart/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn moon 
 	left=%defaultroute
diff --git a/testing/tests/ikev1/dpd-restart/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/dpd-restart/hosts/moon/etc/ipsec.conf
index ae9b35e97..9f1aded0f 100755
--- a/testing/tests/ikev1/dpd-restart/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/dpd-restart/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
         dpdaction=restart
         dpddelay=5
         dpdtimeout=25
diff --git a/testing/tests/ikev1/dynamic-initiator/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/dynamic-initiator/hosts/carol/etc/ipsec.conf
index d8b885a88..acf503f8e 100755
--- a/testing/tests/ikev1/dynamic-initiator/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/dynamic-initiator/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn moon 
 	left=%defaultroute
diff --git a/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/ipsec.conf
index d8b885a88..acf503f8e 100755
--- a/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn moon 
 	left=%defaultroute
diff --git a/testing/tests/ikev1/dynamic-initiator/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/dynamic-initiator/hosts/moon/etc/ipsec.conf
index bf39d7527..ee28eebf3 100755
--- a/testing/tests/ikev1/dynamic-initiator/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/dynamic-initiator/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	left=%defaultroute
 	leftnexthop=%direct
 	leftsubnet=10.1.0.0/16
diff --git a/testing/tests/ikev1/dynamic-responder/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/dynamic-responder/hosts/carol/etc/ipsec.conf
index d8b885a88..acf503f8e 100755
--- a/testing/tests/ikev1/dynamic-responder/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/dynamic-responder/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn moon 
 	left=%defaultroute
diff --git a/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/ipsec.conf
index d8b885a88..acf503f8e 100755
--- a/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn moon 
 	left=%defaultroute
diff --git a/testing/tests/ikev1/dynamic-responder/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/dynamic-responder/hosts/moon/etc/ipsec.conf
index bf39d7527..ee28eebf3 100755
--- a/testing/tests/ikev1/dynamic-responder/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/dynamic-responder/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	left=%defaultroute
 	leftnexthop=%direct
 	leftsubnet=10.1.0.0/16
diff --git a/testing/tests/ikev1/dynamic-two-peers/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/dynamic-two-peers/hosts/carol/etc/ipsec.conf
index 1f964d0de..0f37e6188 100755
--- a/testing/tests/ikev1/dynamic-two-peers/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/dynamic-two-peers/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn moon 
 	left=%defaultroute
diff --git a/testing/tests/ikev1/dynamic-two-peers/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/dynamic-two-peers/hosts/dave/etc/ipsec.conf
index c098ffd90..ec35eac9a 100755
--- a/testing/tests/ikev1/dynamic-two-peers/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/dynamic-two-peers/hosts/dave/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn moon
 	left=%defaultroute
diff --git a/testing/tests/ikev1/dynamic-two-peers/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/dynamic-two-peers/hosts/moon/etc/ipsec.conf
index 45ec8094b..21848bc1c 100755
--- a/testing/tests/ikev1/dynamic-two-peers/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/dynamic-two-peers/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	left=%defaultroute
 	leftnexthop=%direct
 	leftsubnet=10.1.0.0/16
diff --git a/testing/tests/ikev1/esp-ah-transport/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-ah-transport/hosts/carol/etc/ipsec.conf
index 6af3a88ac..299b6a831 100755
--- a/testing/tests/ikev1/esp-ah-transport/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-ah-transport/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	auth=ah
 	ike=aes128-sha
 	esp=aes128-sha1
diff --git a/testing/tests/ikev1/esp-ah-transport/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-ah-transport/hosts/moon/etc/ipsec.conf
index e1bc08ee4..45ada023f 100755
--- a/testing/tests/ikev1/esp-ah-transport/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-ah-transport/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	auth=ah
 	ike=aes128-sha
 	esp=aes128-sha1
diff --git a/testing/tests/ikev1/esp-ah-tunnel/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-ah-tunnel/hosts/carol/etc/ipsec.conf
index 8a9f033f1..168e5d2a8 100755
--- a/testing/tests/ikev1/esp-ah-tunnel/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-ah-tunnel/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	auth=ah
 	ike=aes128-sha
 	esp=aes128-sha1
diff --git a/testing/tests/ikev1/esp-ah-tunnel/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-ah-tunnel/hosts/moon/etc/ipsec.conf
index fb0e59d86..b89d8e861 100755
--- a/testing/tests/ikev1/esp-ah-tunnel/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-ah-tunnel/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	auth=ah
 	ike=aes128-sha
 	esp=aes128-sha1
diff --git a/testing/tests/ikev1/esp-ah-tunnel/test.conf b/testing/tests/ikev1/esp-ah-tunnel/test.conf
index fd33cfb57..6abbb89a9 100644
--- a/testing/tests/ikev1/esp-ah-tunnel/test.conf
+++ b/testing/tests/ikev1/esp-ah-tunnel/test.conf
@@ -5,11 +5,11 @@
 
 # All UML instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
 
 # UML instances on which tcpdump is to be started
 #
diff --git a/testing/tests/ikev1/esp-alg-aes-ccm/test.conf b/testing/tests/ikev1/esp-alg-aes-ccm/test.conf
index acb73b06f..9cd583b16 100644
--- a/testing/tests/ikev1/esp-alg-aes-ccm/test.conf
+++ b/testing/tests/ikev1/esp-alg-aes-ccm/test.conf
@@ -5,11 +5,11 @@
 
 # All UML instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
 
 # UML instances on which tcpdump is to be started
 #
diff --git a/testing/tests/ikev1/esp-alg-aes-ctr/test.conf b/testing/tests/ikev1/esp-alg-aes-ctr/test.conf
index acb73b06f..9cd583b16 100644
--- a/testing/tests/ikev1/esp-alg-aes-ctr/test.conf
+++ b/testing/tests/ikev1/esp-alg-aes-ctr/test.conf
@@ -5,11 +5,11 @@
 
 # All UML instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
 
 # UML instances on which tcpdump is to be started
 #
diff --git a/testing/tests/ikev1/esp-alg-aes-gcm/test.conf b/testing/tests/ikev1/esp-alg-aes-gcm/test.conf
index acb73b06f..9cd583b16 100644
--- a/testing/tests/ikev1/esp-alg-aes-gcm/test.conf
+++ b/testing/tests/ikev1/esp-alg-aes-gcm/test.conf
@@ -5,11 +5,11 @@
 
 # All UML instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
 
 # UML instances on which tcpdump is to be started
 #
diff --git a/testing/tests/ikev1/esp-alg-aes-gmac/test.conf b/testing/tests/ikev1/esp-alg-aes-gmac/test.conf
index acb73b06f..9cd583b16 100644
--- a/testing/tests/ikev1/esp-alg-aes-gmac/test.conf
+++ b/testing/tests/ikev1/esp-alg-aes-gmac/test.conf
@@ -5,11 +5,11 @@
 
 # All UML instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
 
 # UML instances on which tcpdump is to be started
 #
diff --git a/testing/tests/ikev1/esp-alg-aesxcbc/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aesxcbc/hosts/carol/etc/ipsec.conf
index ed905d05f..75ce0fbbe 100755
--- a/testing/tests/ikev1/esp-alg-aesxcbc/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-aesxcbc/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	ike=aes256-sha2_256-modp2048!
 	esp=aes256-aesxcbc!
 
diff --git a/testing/tests/ikev1/esp-alg-aesxcbc/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aesxcbc/hosts/moon/etc/ipsec.conf
index f1b7ff56d..c2e0a6dde 100755
--- a/testing/tests/ikev1/esp-alg-aesxcbc/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-aesxcbc/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	ike=aes256-sha2_256-modp2048!
 	esp=aes256-aesxcbc!
 
diff --git a/testing/tests/ikev1/esp-alg-aesxcbc/test.conf b/testing/tests/ikev1/esp-alg-aesxcbc/test.conf
index fd33cfb57..6abbb89a9 100644
--- a/testing/tests/ikev1/esp-alg-aesxcbc/test.conf
+++ b/testing/tests/ikev1/esp-alg-aesxcbc/test.conf
@@ -5,11 +5,11 @@
 
 # All UML instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
 
 # UML instances on which tcpdump is to be started
 #
diff --git a/testing/tests/ikev1/esp-alg-des/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-des/hosts/carol/etc/ipsec.conf
index feeef7901..a5715a7f1 100755
--- a/testing/tests/ikev1/esp-alg-des/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-des/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	ike=3des-md5-modp1024!
 	esp=des-md5!
 
diff --git a/testing/tests/ikev1/esp-alg-des/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-des/hosts/moon/etc/ipsec.conf
index be4c9aced..0329a533d 100755
--- a/testing/tests/ikev1/esp-alg-des/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-des/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	ike=3des-md5-modp1024!
 	esp=des-md5!
 
diff --git a/testing/tests/ikev1/esp-alg-des/test.conf b/testing/tests/ikev1/esp-alg-des/test.conf
index fd33cfb57..6abbb89a9 100644
--- a/testing/tests/ikev1/esp-alg-des/test.conf
+++ b/testing/tests/ikev1/esp-alg-des/test.conf
@@ -5,11 +5,11 @@
 
 # All UML instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
 
 # UML instances on which tcpdump is to be started
 #
diff --git a/testing/tests/ikev1/esp-alg-null/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-null/hosts/carol/etc/ipsec.conf
index 3c9fdbb71..fe76579ac 100755
--- a/testing/tests/ikev1/esp-alg-null/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-null/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	ike=aes-sha1
 	esp=null-sha1!
 
diff --git a/testing/tests/ikev1/esp-alg-null/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-null/hosts/moon/etc/ipsec.conf
index 62f17df49..b768b8ee4 100755
--- a/testing/tests/ikev1/esp-alg-null/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-null/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	ike=aes-sha1!
 	esp=null-sha1!
 
diff --git a/testing/tests/ikev1/esp-alg-null/test.conf b/testing/tests/ikev1/esp-alg-null/test.conf
index fd33cfb57..6abbb89a9 100644
--- a/testing/tests/ikev1/esp-alg-null/test.conf
+++ b/testing/tests/ikev1/esp-alg-null/test.conf
@@ -5,11 +5,11 @@
 
 # All UML instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
 
 # UML instances on which tcpdump is to be started
 #
diff --git a/testing/tests/ikev1/esp-alg-strict-fail/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-strict-fail/hosts/carol/etc/ipsec.conf
index 21997940b..46a619016 100755
--- a/testing/tests/ikev1/esp-alg-strict-fail/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-strict-fail/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	ike=3des-sha1
 	esp=3des-sha1
 
diff --git a/testing/tests/ikev1/esp-alg-strict-fail/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-strict-fail/hosts/moon/etc/ipsec.conf
index 14f58ccc3..86a15c96d 100755
--- a/testing/tests/ikev1/esp-alg-strict-fail/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-strict-fail/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	ike=aes128-sha1
 	esp=aes128-sha1!
 
diff --git a/testing/tests/ikev1/esp-alg-strict/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-strict/hosts/carol/etc/ipsec.conf
index 7e2de30cd..052541b21 100755
--- a/testing/tests/ikev1/esp-alg-strict/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-strict/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	ike=3des-sha,aes128-sha1
 	esp=3des-sha1,aes128-sha1
 
diff --git a/testing/tests/ikev1/esp-alg-strict/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-strict/hosts/moon/etc/ipsec.conf
index 14f58ccc3..86a15c96d 100755
--- a/testing/tests/ikev1/esp-alg-strict/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-strict/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	ike=aes128-sha1
 	esp=aes128-sha1!
 
diff --git a/testing/tests/ikev1/esp-alg-weak/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-weak/hosts/carol/etc/ipsec.conf
index feeef7901..a5715a7f1 100755
--- a/testing/tests/ikev1/esp-alg-weak/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-weak/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	ike=3des-md5-modp1024!
 	esp=des-md5!
 
diff --git a/testing/tests/ikev1/esp-alg-weak/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-weak/hosts/moon/etc/ipsec.conf
index 147d8ffaa..e5fed2f06 100755
--- a/testing/tests/ikev1/esp-alg-weak/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-weak/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn rw
 	left=PH_IP_MOON
diff --git a/testing/tests/ikev1/host2host-swapped/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/host2host-swapped/hosts/moon/etc/ipsec.conf
index b984b8d14..95739fe51 100755
--- a/testing/tests/ikev1/host2host-swapped/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/host2host-swapped/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn host-host
 	right=PH_IP_MOON
diff --git a/testing/tests/ikev1/host2host-swapped/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/host2host-swapped/hosts/sun/etc/ipsec.conf
index bb409adcc..a0d600a6f 100755
--- a/testing/tests/ikev1/host2host-swapped/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev1/host2host-swapped/hosts/sun/etc/ipsec.conf
@@ -12,6 +12,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn host-host
 	right=PH_IP_SUN
diff --git a/testing/tests/ikev1/host2host-transport/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/host2host-transport/hosts/moon/etc/ipsec.conf
index 49c84d894..b56189c6c 100755
--- a/testing/tests/ikev1/host2host-transport/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/host2host-transport/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn host-host
 	left=PH_IP_MOON
diff --git a/testing/tests/ikev1/host2host-transport/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/host2host-transport/hosts/sun/etc/ipsec.conf
index e517b39cd..1f2ade20b 100755
--- a/testing/tests/ikev1/host2host-transport/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev1/host2host-transport/hosts/sun/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn host-host
 	left=PH_IP_SUN
diff --git a/testing/tests/ikev1/ike-alg-strict-fail/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/ike-alg-strict-fail/hosts/carol/etc/ipsec.conf
index 63ad1c01d..d75a7022e 100755
--- a/testing/tests/ikev1/ike-alg-strict-fail/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/ike-alg-strict-fail/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	ike=3des-sha1
 	esp=3des-sha1
 
diff --git a/testing/tests/ikev1/ike-alg-strict-fail/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/ike-alg-strict-fail/hosts/moon/etc/ipsec.conf
index 1ea5fe7a5..460ff749c 100755
--- a/testing/tests/ikev1/ike-alg-strict-fail/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/ike-alg-strict-fail/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	ike=aes128-sha1!
 	esp=aes128-sha1
 
diff --git a/testing/tests/ikev1/ike-alg-strict/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/ike-alg-strict/hosts/carol/etc/ipsec.conf
index 9272bdc7f..36bdc0fa4 100755
--- a/testing/tests/ikev1/ike-alg-strict/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/ike-alg-strict/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	ike=3des-sha1,aes128-sha1
 	esp=3des-sha1,aes128-sha1
 conn home
diff --git a/testing/tests/ikev1/ike-alg-strict/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/ike-alg-strict/hosts/moon/etc/ipsec.conf
index 1ea5fe7a5..460ff749c 100755
--- a/testing/tests/ikev1/ike-alg-strict/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/ike-alg-strict/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	ike=aes128-sha1!
 	esp=aes128-sha1
 
diff --git a/testing/tests/ikev1/ip-pool-db-push/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/ip-pool-db-push/hosts/carol/etc/strongswan.conf
index c93224ae5..56f13324a 100644
--- a/testing/tests/ikev1/ip-pool-db-push/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/ip-pool-db-push/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/ip-pool-db-push/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/ip-pool-db-push/hosts/dave/etc/strongswan.conf
index c93224ae5..56f13324a 100644
--- a/testing/tests/ikev1/ip-pool-db-push/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/ip-pool-db-push/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/ip-pool-db-push/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/ip-pool-db-push/hosts/moon/etc/strongswan.conf
index 90eb30a9b..630135adc 100644
--- a/testing/tests/ikev1/ip-pool-db-push/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/ip-pool-db-push/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl sqlite attr-sql
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl sqlite attr-sql kernel-netlink
 }
 
 libhydra {
diff --git a/testing/tests/ikev1/ip-pool-db/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/ip-pool-db/hosts/carol/etc/strongswan.conf
index c93224ae5..56f13324a 100644
--- a/testing/tests/ikev1/ip-pool-db/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/ip-pool-db/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/ip-pool-db/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/ip-pool-db/hosts/dave/etc/strongswan.conf
index c93224ae5..56f13324a 100644
--- a/testing/tests/ikev1/ip-pool-db/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/ip-pool-db/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/ip-pool-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/ip-pool-db/hosts/moon/etc/strongswan.conf
index 90eb30a9b..630135adc 100644
--- a/testing/tests/ikev1/ip-pool-db/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/ip-pool-db/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl sqlite attr-sql
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl sqlite attr-sql kernel-netlink
 }
 
 libhydra {
diff --git a/testing/tests/ikev1/ip-pool/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/ip-pool/hosts/carol/etc/strongswan.conf
index ba5dbdd1d..4c40f76cc 100644
--- a/testing/tests/ikev1/ip-pool/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/ip-pool/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/ip-pool/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/ip-pool/hosts/dave/etc/strongswan.conf
index ba5dbdd1d..4c40f76cc 100644
--- a/testing/tests/ikev1/ip-pool/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/ip-pool/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/ip-pool/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/ip-pool/hosts/moon/etc/strongswan.conf
index ba5dbdd1d..4c40f76cc 100644
--- a/testing/tests/ikev1/ip-pool/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/ip-pool/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/ip-two-pools-mixed/hosts/alice/etc/strongswan.conf b/testing/tests/ikev1/ip-two-pools-mixed/hosts/alice/etc/strongswan.conf
index ba5dbdd1d..4c40f76cc 100644
--- a/testing/tests/ikev1/ip-two-pools-mixed/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev1/ip-two-pools-mixed/hosts/alice/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/ip-two-pools-mixed/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/ip-two-pools-mixed/hosts/carol/etc/strongswan.conf
index ba5dbdd1d..4c40f76cc 100644
--- a/testing/tests/ikev1/ip-two-pools-mixed/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/ip-two-pools-mixed/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf
index 90eb30a9b..630135adc 100644
--- a/testing/tests/ikev1/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl sqlite attr-sql
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl sqlite attr-sql kernel-netlink
 }
 
 libhydra {
diff --git a/testing/tests/ikev1/ip-two-pools/hosts/alice/etc/strongswan.conf b/testing/tests/ikev1/ip-two-pools/hosts/alice/etc/strongswan.conf
index ba5dbdd1d..4c40f76cc 100644
--- a/testing/tests/ikev1/ip-two-pools/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev1/ip-two-pools/hosts/alice/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/ip-two-pools/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/ip-two-pools/hosts/carol/etc/strongswan.conf
index ba5dbdd1d..4c40f76cc 100644
--- a/testing/tests/ikev1/ip-two-pools/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/ip-two-pools/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/ip-two-pools/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/ip-two-pools/hosts/moon/etc/strongswan.conf
index ba5dbdd1d..4c40f76cc 100644
--- a/testing/tests/ikev1/ip-two-pools/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/ip-two-pools/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/mode-config-multiple/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/mode-config-multiple/hosts/carol/etc/ipsec.conf
index f05916614..3d6addb62 100755
--- a/testing/tests/ikev1/mode-config-multiple/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/mode-config-multiple/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn alice
 	also=home
diff --git a/testing/tests/ikev1/mode-config-multiple/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/mode-config-multiple/hosts/dave/etc/ipsec.conf
index 44644f2af..0b93eb58f 100755
--- a/testing/tests/ikev1/mode-config-multiple/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/mode-config-multiple/hosts/dave/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn alice
         also=home
diff --git a/testing/tests/ikev1/mode-config-multiple/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/mode-config-multiple/hosts/moon/etc/ipsec.conf
index ce760a473..7f5bb812f 100755
--- a/testing/tests/ikev1/mode-config-multiple/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/mode-config-multiple/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	left=192.168.0.1
 	leftsourceip=10.1.0.1
 	leftcert=moonCert.pem
diff --git a/testing/tests/ikev1/mode-config-multiple/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/mode-config-multiple/hosts/moon/etc/strongswan.conf
index 21493adc3..fb989daff 100644
--- a/testing/tests/ikev1/mode-config-multiple/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/mode-config-multiple/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl attr
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl attr kernel-netlink
   dns1 = PH_IP_WINNETOU
   dns2 = PH_IP6_VENUS
 }
diff --git a/testing/tests/ikev1/mode-config-push/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/mode-config-push/hosts/carol/etc/ipsec.conf
index 594f2c59b..64c97eb16 100755
--- a/testing/tests/ikev1/mode-config-push/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/mode-config-push/hosts/carol/etc/ipsec.conf
@@ -12,6 +12,7 @@ conn %default
 	rekeymargin=3m
 	rekey=no
 	keyingtries=1
+	keyexchange=ikev1
 
 conn home
 	left=PH_IP_CAROL
diff --git a/testing/tests/ikev1/mode-config-push/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/mode-config-push/hosts/carol/etc/strongswan.conf
index c93224ae5..56f13324a 100644
--- a/testing/tests/ikev1/mode-config-push/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/mode-config-push/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/mode-config-push/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/mode-config-push/hosts/dave/etc/ipsec.conf
index 469145fb8..ba47559a0 100755
--- a/testing/tests/ikev1/mode-config-push/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/mode-config-push/hosts/dave/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn home
 	left=PH_IP_DAVE
diff --git a/testing/tests/ikev1/mode-config-push/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/mode-config-push/hosts/dave/etc/strongswan.conf
index c93224ae5..56f13324a 100644
--- a/testing/tests/ikev1/mode-config-push/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/mode-config-push/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/mode-config-push/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/mode-config-push/hosts/moon/etc/ipsec.conf
index 79be57226..8b125ab80 100755
--- a/testing/tests/ikev1/mode-config-push/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/mode-config-push/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	modeconfig=push
 	left=PH_IP_MOON
 	leftsubnet=10.1.0.0/16
diff --git a/testing/tests/ikev1/mode-config-push/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/mode-config-push/hosts/moon/etc/strongswan.conf
index 797025c4d..f8d952d21 100644
--- a/testing/tests/ikev1/mode-config-push/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/mode-config-push/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl attr
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl attr kernel-netlink
   dns1 = PH_IP_WINNETOU
   dns2 = PH_IP_VENUS
 }
diff --git a/testing/tests/ikev1/mode-config-swapped/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/mode-config-swapped/hosts/carol/etc/ipsec.conf
index b019c5a33..4cea3d81b 100755
--- a/testing/tests/ikev1/mode-config-swapped/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/mode-config-swapped/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn home
 	right=PH_IP_CAROL
diff --git a/testing/tests/ikev1/mode-config-swapped/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/mode-config-swapped/hosts/dave/etc/ipsec.conf
index 5b38a2041..cf96ddeca 100755
--- a/testing/tests/ikev1/mode-config-swapped/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/mode-config-swapped/hosts/dave/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn home
 	right=PH_IP_DAVE
diff --git a/testing/tests/ikev1/mode-config-swapped/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/mode-config-swapped/hosts/moon/etc/ipsec.conf
index 911531edb..b01f5b112 100755
--- a/testing/tests/ikev1/mode-config-swapped/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/mode-config-swapped/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	right=PH_IP_MOON
 	rightsubnet=10.1.0.0/16
 	rightsourceip=PH_IP_MOON1
diff --git a/testing/tests/ikev1/mode-config/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/mode-config/hosts/carol/etc/ipsec.conf
index 57ec7040e..9c75434c2 100755
--- a/testing/tests/ikev1/mode-config/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/mode-config/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn home
 	left=PH_IP_CAROL
diff --git a/testing/tests/ikev1/mode-config/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/mode-config/hosts/carol/etc/strongswan.conf
index c93224ae5..56f13324a 100644
--- a/testing/tests/ikev1/mode-config/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/mode-config/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/mode-config/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/mode-config/hosts/dave/etc/ipsec.conf
index 3179faa05..726998e19 100755
--- a/testing/tests/ikev1/mode-config/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/mode-config/hosts/dave/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn home
 	left=PH_IP_DAVE
diff --git a/testing/tests/ikev1/mode-config/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/mode-config/hosts/dave/etc/strongswan.conf
index c93224ae5..56f13324a 100644
--- a/testing/tests/ikev1/mode-config/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/mode-config/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/mode-config/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/mode-config/hosts/moon/etc/ipsec.conf
index ce26fc5e9..37278081e 100755
--- a/testing/tests/ikev1/mode-config/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/mode-config/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	rekey=no
 	left=PH_IP_MOON
 	leftsubnet=10.1.0.0/16
diff --git a/testing/tests/ikev1/mode-config/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/mode-config/hosts/moon/etc/strongswan.conf
index 797025c4d..f8d952d21 100644
--- a/testing/tests/ikev1/mode-config/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/mode-config/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl attr
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl attr kernel-netlink
   dns1 = PH_IP_WINNETOU
   dns2 = PH_IP_VENUS
 }
diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/ipsec.conf
index cfdc692d7..d9e5b119e 100755
--- a/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/ipsec.conf
@@ -16,6 +16,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	left=PH_IP_CAROL
 	leftcert=carolCert.pem
 	right=PH_IP_MOON
diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf
index 4d916ab36..71358d6c6 100644
--- a/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl ldap
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl ldap kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/ipsec.conf
index fecce5efa..bf83264af 100755
--- a/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/ipsec.conf
@@ -16,6 +16,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	left=PH_IP_DAVE
 	leftcert=daveCert.pem
 	right=PH_IP_MOON
diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf
index 4d916ab36..71358d6c6 100644
--- a/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl ldap
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl ldap kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/ipsec.conf
index 994792f7d..50b896541 100755
--- a/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/ipsec.conf
@@ -26,6 +26,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	left=PH_IP_MOON
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf
index 4d916ab36..71358d6c6 100644
--- a/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl ldap
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl ldap kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/multi-level-ca-loop/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-loop/hosts/carol/etc/ipsec.conf
index 04a512eb7..4d42b1419 100755
--- a/testing/tests/ikev1/multi-level-ca-loop/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca-loop/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	left=PH_IP_CAROL
 	leftcert=carolCert.pem
 	right=PH_IP_MOON
diff --git a/testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.conf
index a9e648f5e..f91ca63a8 100755
--- a/testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	left=PH_IP_MOON
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
diff --git a/testing/tests/ikev1/multi-level-ca-pathlen/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-pathlen/hosts/carol/etc/ipsec.conf
index 1da39e483..39a1aa825 100755
--- a/testing/tests/ikev1/multi-level-ca-pathlen/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca-pathlen/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn home
 	left=PH_IP_CAROL
diff --git a/testing/tests/ikev1/multi-level-ca-pathlen/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-pathlen/hosts/moon/etc/ipsec.conf
index 8e41bb124..ca5919d5c 100755
--- a/testing/tests/ikev1/multi-level-ca-pathlen/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca-pathlen/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn duck 
 	left=PH_IP_MOON
diff --git a/testing/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.conf
index d240302b6..b4bc2101c 100755
--- a/testing/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	left=PH_IP_CAROL
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
diff --git a/testing/tests/ikev1/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf
index fdca83e18..0b9917b53 100755
--- a/testing/tests/ikev1/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf
@@ -16,6 +16,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	left=PH_IP_MOON
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
diff --git a/testing/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.conf
index d4ce57333..cf93bb231 100755
--- a/testing/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	left=PH_IP_CAROL
 	leftcert=carolCert.pem
 	right=PH_IP_MOON
diff --git a/testing/tests/ikev1/multi-level-ca-strict/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-strict/hosts/dave/etc/ipsec.conf
index ea445522e..5f04445d2 100755
--- a/testing/tests/ikev1/multi-level-ca-strict/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca-strict/hosts/dave/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	left=PH_IP_DAVE
 	leftcert=daveCert.pem
 	right=PH_IP_MOON
diff --git a/testing/tests/ikev1/multi-level-ca-strict/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-strict/hosts/moon/etc/ipsec.conf
index cf952be47..f79c501a8 100755
--- a/testing/tests/ikev1/multi-level-ca-strict/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca-strict/hosts/moon/etc/ipsec.conf
@@ -16,6 +16,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	left=PH_IP_MOON
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
diff --git a/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.conf
index 0adb2593d..d11724c28 100755
--- a/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	left=PH_IP_CAROL
 	leftcert=carolCert.pem
 	leftsendcert=ifasked
diff --git a/testing/tests/ikev1/multi-level-ca/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca/hosts/dave/etc/ipsec.conf
index 0e8e413e6..2d80aad8a 100755
--- a/testing/tests/ikev1/multi-level-ca/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca/hosts/dave/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	left=PH_IP_DAVE
 	leftcert=daveCert.pem
 	leftsendcert=ifasked
diff --git a/testing/tests/ikev1/multi-level-ca/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca/hosts/moon/etc/ipsec.conf
index 1e00096c8..9b97015fd 100755
--- a/testing/tests/ikev1/multi-level-ca/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca/hosts/moon/etc/ipsec.conf
@@ -16,6 +16,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	left=PH_IP_MOON
 	leftcert=moonCert.pem
 	leftsendcert=ifasked
diff --git a/testing/tests/ikev1/nat-before-esp/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/nat-before-esp/hosts/moon/etc/ipsec.conf
index 82576bb2b..1ee1b7749 100755
--- a/testing/tests/ikev1/nat-before-esp/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/nat-before-esp/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn host-net
 	left=192.168.0.1
diff --git a/testing/tests/ikev1/nat-before-esp/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/nat-before-esp/hosts/sun/etc/ipsec.conf
index 506417867..57496e10e 100755
--- a/testing/tests/ikev1/nat-before-esp/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev1/nat-before-esp/hosts/sun/etc/ipsec.conf
@@ -12,6 +12,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn host-net
 	left=192.168.0.2
diff --git a/testing/tests/ikev1/nat-two-rw-mark/description.txt b/testing/tests/ikev1/nat-two-rw-mark/description.txt
new file mode 100644
index 000000000..2a93d11d8
--- /dev/null
+++ b/testing/tests/ikev1/nat-two-rw-mark/description.txt
@@ -0,0 +1,16 @@
+The roadwarriors <b>alice</b> and <b>venus</b> sitting behind the NAT router <b>moon</b> set up
+tunnels to gateway <b>sun</b>. UDP encapsulation is used to traverse the NAT router.
+Since both roadwarriors possess the same 10.1.0.0/25 subnet, gateway <b>sun</b> uses Source NAT
+after ESP decryption to map these subnets to 10.3.0.10 and 10.3.0.20, respectively.
+<p/>
+In order to differentiate between the tunnels to <b>alice</b> and <b>venus</b>, respectively,
+<b>XFRM marks</b> are defined for both the inbound and outbound IPsec SAs and policies using
+the <b>mark</b> parameter in ipsec.conf.
+<p/>
+<b>iptables -t mangle</b> rules are then used in the PREROUTING chain to mark the traffic to
+and from <b>alice</b> and <b>venus</b>, respectively.
+<p/>
+The script designated by <b>leftupdown=/etc/mark_updown</b> automatically inserts 
+iptables mangle rules that mark the inbound ESP_IN_UDP packets as well as iptables IPsec-policy rules 
+that let pass the tunneled traffic. In order to test the tunnel, the NAT-ed hosts <b>alice</b> 
+and <b>venus</b> ping the client <b>bob</b> behind the gateway <b>sun</b>.
diff --git a/testing/tests/ikev1/nat-two-rw-mark/evaltest.dat b/testing/tests/ikev1/nat-two-rw-mark/evaltest.dat
new file mode 100644
index 000000000..fa64c3d88
--- /dev/null
+++ b/testing/tests/ikev1/nat-two-rw-mark/evaltest.dat
@@ -0,0 +1,18 @@
+alice::ipsec status::nat-t.*STATE_QUICK_I2.*IPsec SA established::YES
+venus::ipsec status::nat-t.*STATE_QUICK_I2.*IPsec SA established::YES
+sun::ipsec status::alice.*STATE_QUICK_R2.*IPsec SA established::YES
+sun::ipsec status::alice.*alice@strongswan.org::YES
+sun::ipsec status::venus.*STATE_QUICK_R2.*IPsec SA established::YES
+sun::ipsec status::venus.*venus.strongswan.org::YES
+sun::ipsec statusall::alice.*10.2.0.0/16===.*===10.1.0.0/25::YES
+sun::ipsec statusall::venus.*10.2.0.0/16===.*===10.1.0.0/25::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+moon::tcpdump::IP moon.strongswan.org.4510.* > sun.strongswan.org.ipsec-nat-t: UDP::YES
+moon::tcpdump::IP moon.strongswan.org.4520.* > sun.strongswan.org.ipsec-nat-t: UDP::YES
+moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.4510.*: UDP::YES
+moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.4520.*: UDP::YES
+bob::tcpdump::10.3.0.10 > bob.strongswan.org: ICMP echo request::YES
+bob::tcpdump::10.3.0.20 > bob.strongswan.org: ICMP echo request::YES
+bob::tcpdump::bob.strongswan.org > 10.3.0.10: ICMP echo reply::YES
+bob::tcpdump::bob.strongswan.org > 10.3.0.20: ICMP echo reply::YES
diff --git a/testing/tests/ikev1/nat-two-rw-mark/hosts/alice/etc/ipsec.conf b/testing/tests/ikev1/nat-two-rw-mark/hosts/alice/etc/ipsec.conf
new file mode 100755
index 000000000..4ed556226
--- /dev/null
+++ b/testing/tests/ikev1/nat-two-rw-mark/hosts/alice/etc/ipsec.conf
@@ -0,0 +1,27 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutodebug=control
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	nat_traversal=yes
+	charonstart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+
+conn nat-t
+	left=%defaultroute
+	leftsubnet=10.1.0.0/25
+	leftcert=aliceCert.pem
+	leftid=alice@strongswan.org
+	leftfirewall=yes
+	lefthostaccess=yes
+	right=PH_IP_SUN
+	rightid=@sun.strongswan.org
+	rightsubnet=10.2.0.0/16
+	auto=add
diff --git a/testing/tests/ikev1/nat-two-rw-mark/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/nat-two-rw-mark/hosts/sun/etc/ipsec.conf
new file mode 100755
index 000000000..2b346430e
--- /dev/null
+++ b/testing/tests/ikev1/nat-two-rw-mark/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,36 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutodebug="control parsing" #parsing to get knl 2 messages
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	nat_traversal=yes
+	charonstart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+
+conn alice
+	rightid=alice@strongswan.org
+	mark=10/0xffffffff
+	also=sun
+	auto=add
+
+conn venus
+	rightid=@venus.strongswan.org
+	mark=20  #0xffffffff is used by default
+	also=sun
+	auto=add
+
+conn sun
+	left=PH_IP_SUN
+	leftcert=sunCert.pem
+	leftid=@sun.strongswan.org
+	leftsubnet=10.2.0.0/16
+	leftupdown=/etc/mark_updown
+	right=%any
+	rightsubnet=10.1.0.0/25
diff --git a/testing/tests/ikev1/nat-two-rw-mark/hosts/sun/etc/mark_updown b/testing/tests/ikev1/nat-two-rw-mark/hosts/sun/etc/mark_updown
new file mode 100755
index 000000000..0d22e684d
--- /dev/null
+++ b/testing/tests/ikev1/nat-two-rw-mark/hosts/sun/etc/mark_updown
@@ -0,0 +1,527 @@
+#! /bin/sh
+# updown script setting inbound marks on ESP traffic in the mangle chain
+#
+# Copyright (C) 2003-2004 Nigel Meteringham
+# Copyright (C) 2003-2004 Tuomo Soini
+# Copyright (C) 2002-2004 Michael Richardson
+# Copyright (C) 2005-2010 Andreas Steffen <andreas.steffen@strongswan.org>
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# for more details.
+
+# CAUTION:  Installing a new version of strongSwan will install a new
+# copy of this script, wiping out any custom changes you make.  If
+# you need changes, make a copy of this under another name, and customize
+# that, and use the (left/right)updown parameters in ipsec.conf to make
+# strongSwan use yours instead of this default one.
+
+# things that this script gets (from ipsec_pluto(8) man page)
+#
+#      PLUTO_VERSION
+#              indicates  what  version of this interface is being
+#              used.  This document describes version  1.1.   This
+#              is upwardly compatible with version 1.0.
+#
+#       PLUTO_VERB
+#              specifies the name of the operation to be performed
+#              (prepare-host, prepare-client, up-host, up-client,
+#              down-host, or down-client).  If the address family
+#              for security gateway to security gateway communica-
+#              tions is IPv6, then a suffix of -v6 is added to the
+#              verb.
+#
+#       PLUTO_CONNECTION
+#              is the name of the  connection  for  which  we  are
+#              routing.
+#
+#       PLUTO_NEXT_HOP
+#              is the next hop to which packets bound for the peer
+#              must be sent.
+#
+#       PLUTO_INTERFACE
+#              is the name of the ipsec interface to be used.
+#
+#       PLUTO_REQID
+#              is the requid of the ESP policy
+#
+#       PLUTO_ME
+#              is the IP address of our host.
+#
+#       PLUTO_MY_ID
+#              is the ID of our host.
+#
+#       PLUTO_MY_CLIENT
+#              is the IP address / count of our client subnet.  If
+#              the  client  is  just  the  host,  this will be the
+#              host's own IP address / max (where max  is  32  for
+#              IPv4 and 128 for IPv6).
+#
+#       PLUTO_MY_CLIENT_NET
+#              is the IP address of our client net.  If the client
+#              is just the host, this will be the  host's  own  IP
+#              address.
+#
+#       PLUTO_MY_CLIENT_MASK
+#              is  the  mask for our client net.  If the client is
+#              just the host, this will be 255.255.255.255.
+#
+#       PLUTO_MY_SOURCEIP
+#              if non-empty, then the source address for the route will be
+#              set to this IP address.
+#
+#       PLUTO_MY_PROTOCOL
+#              is the IP protocol that will be transported.
+#
+#       PLUTO_MY_PORT
+#              is  the  UDP/TCP  port  to  which  the IPsec SA  is
+#              restricted on our side.
+#
+#       PLUTO_PEER
+#              is the IP address of our peer.
+#
+#       PLUTO_PEER_ID
+#              is the ID of our peer.
+#
+#       PLUTO_PEER_CA
+#              is the CA which issued the cert of our peer.
+#
+#       PLUTO_PEER_CLIENT
+#              is the IP address / count of the peer's client sub-
+#              net.   If the client is just the peer, this will be
+#              the peer's own IP address / max (where  max  is  32
+#              for IPv4 and 128 for IPv6).
+#
+#       PLUTO_PEER_CLIENT_NET
+#              is the IP address of the peer's client net.  If the
+#              client is just the peer, this will  be  the  peer's
+#              own IP address.
+#
+#       PLUTO_PEER_CLIENT_MASK
+#              is  the  mask  for  the  peer's client net.  If the
+#              client   is   just   the   peer,   this   will   be
+#              255.255.255.255.
+#
+#       PLUTO_PEER_PROTOCOL
+#              is the IP protocol that will be transported.
+#
+#       PLUTO_PEER_PORT
+#              is  the  UDP/TCP  port  to  which  the IPsec SA  is
+#              restricted on the peer side.
+#
+#       PLUTO_XAUTH_ID
+#              is an optional user ID employed by the XAUTH protocol
+#
+#       PLUTO_MARK_IN
+#              is an optional XFRM mark set on the inbound IPsec SA
+#
+#       PLUTO_MARK_OUT
+#              is an optional XFRM mark set on the outbound IPsec SA
+#
+#       PLUTO_UDP_ENC
+#              contains the remote UDP port in the case of ESP_IN_UDP
+#              encapsulation
+#
+
+# define a minimum PATH environment in case it is not set
+PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
+export PATH
+
+# uncomment to log VPN connections
+VPN_LOGGING=1
+#
+# tag put in front of each log entry:
+TAG=vpn
+#
+# syslog facility and priority used:
+FAC_PRIO=local0.notice
+#
+# to create a special vpn logging file, put the following line into
+# the syslog configuration file /etc/syslog.conf:
+#
+# local0.notice                   -/var/log/vpn
+
+# in order to use source IP routing the Linux kernel options
+# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES
+# must be enabled
+#
+# special routing table for sourceip routes
+SOURCEIP_ROUTING_TABLE=220
+#
+# priority of the sourceip routing table
+SOURCEIP_ROUTING_TABLE_PRIO=220
+
+# check interface version
+case "$PLUTO_VERSION" in
+1.[0|1])	# Older Pluto?!?  Play it safe, script may be using new features.
+	echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
+	echo "$0: 	called by obsolete Pluto?" >&2
+	exit 2
+	;;
+1.*)	;;
+*)	echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
+	exit 2
+	;;
+esac
+
+# check parameter(s)
+case "$1:$*" in
+':')			# no parameters
+	;;
+iptables:iptables)	# due to (left/right)firewall; for default script only
+	;;
+custom:*)		# custom parameters (see above CAUTION comment)
+	;;
+*)	echo "$0: unknown parameters \`$*'" >&2
+	exit 2
+	;;
+esac
+
+# utility functions for route manipulation
+# Meddling with this stuff should not be necessary and requires great care.
+uproute() {
+	doroute add
+	ip route flush cache
+}
+downroute() {
+	doroute delete
+	ip route flush cache
+}
+
+addsource() {
+	st=0
+	if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
+	then
+	    it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
+	    oops="`eval $it 2>&1`"
+	    st=$?
+	    if test " $oops" = " " -a " $st" != " 0"
+	    then
+		oops="silent error, exit status $st"
+	    fi
+	    if test " $oops" != " " -o " $st" != " 0"
+	    then
+		echo "$0: addsource \`$it' failed ($oops)" >&2
+	    fi
+	fi
+	return $st
+}
+
+doroute() {
+	st=0
+
+	if [ -z "$PLUTO_MY_SOURCEIP" ]
+	then
+	    for dir in /etc/sysconfig /etc/conf.d; do
+		if [ -f "$dir/defaultsource" ]
+		then
+		    . "$dir/defaultsource"
+		fi
+	    done
+
+	    if [ -n "$DEFAULTSOURCE" ]
+	    then
+		PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
+	    fi
+        fi
+
+	if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
+	then
+	    # leave because no route entry is required
+	    return $st
+	fi
+
+	parms1="$PLUTO_PEER_CLIENT"
+
+	if [ -n "$PLUTO_NEXT_HOP" ]
+	then
+	    parms2="via $PLUTO_NEXT_HOP"
+	else
+	    parms2="via $PLUTO_PEER"
+	fi
+	parms2="$parms2 dev $PLUTO_INTERFACE"
+
+	parms3=
+	if [ -n "$PLUTO_MY_SOURCEIP" ]
+	then
+	    if test "$1" = "add"
+	    then
+		addsource
+		if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE"
+		then
+		    ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE
+		fi
+	    fi
+	    parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE"
+	fi
+
+	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+	"0.0.0.0/0.0.0.0")
+		# opportunistic encryption work around
+		# need to provide route that eclipses default, without
+		# replacing it.
+		it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
+			ip route $1 128.0.0.0/1 $parms2 $parms3"
+		;;
+	*)	it="ip route $1 $parms1 $parms2 $parms3"
+		;;
+	esac
+	oops="`eval $it 2>&1`"
+	st=$?
+	if test " $oops" = " " -a " $st" != " 0"
+	then
+	    oops="silent error, exit status $st"
+	fi
+	if test " $oops" != " " -o " $st" != " 0"
+	then
+	    echo "$0: doroute \`$it' failed ($oops)" >&2
+	fi
+	return $st
+}
+
+# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
+if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
+then
+	KLIPS=1
+	IPSEC_POLICY_IN=""
+	IPSEC_POLICY_OUT=""
+else
+	KLIPS=
+	IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
+	IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
+	IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
+fi
+
+# is there an inbound mark to be set?
+if [ -n "$PLUTO_MARK_IN" ]
+then
+	if [ -n "$PLUTO_UDP_ENC" ]
+	then
+	    SET_MARK="-p udp --sport $PLUTO_UDP_ENC"
+	else
+		SET_MARK="-p esp"
+	fi
+	SET_MARK="$SET_MARK -s $PLUTO_PEER -j MARK --set-mark $PLUTO_MARK_IN"
+fi
+
+# are there port numbers?
+if [ "$PLUTO_MY_PORT" != 0 ]
+then
+	S_MY_PORT="--sport $PLUTO_MY_PORT"
+	D_MY_PORT="--dport $PLUTO_MY_PORT"
+fi
+if [ "$PLUTO_PEER_PORT" != 0 ]
+then
+	S_PEER_PORT="--sport $PLUTO_PEER_PORT"
+	D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+fi
+
+# resolve octal escape sequences
+PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
+PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
+
+# the big choice
+case "$PLUTO_VERB:$1" in
+prepare-host:*|prepare-client:*)
+	if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
+	then
+	    # exit because no route will be added,
+	    # so that existing routes can stay
+	    exit 0
+	fi
+
+	# delete possibly-existing route (preliminary to adding a route)
+	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+	"0.0.0.0/0.0.0.0")
+		# need to provide route that eclipses default, without
+		# replacing it.
+		parms1="0.0.0.0/1"
+		parms2="128.0.0.0/1"
+		it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
+		oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
+		;;
+	*)
+		parms="$PLUTO_PEER_CLIENT"
+		it="ip route delete $parms 2>&1"
+		oops="`ip route delete $parms 2>&1`"
+		;;
+	esac
+	status="$?"
+	if test " $oops" = " " -a " $status" != " 0"
+	then
+		oops="silent error, exit status $status"
+	fi
+	case "$oops" in
+	*'RTNETLINK answers: No such process'*)
+		# This is what route (currently -- not documented!) gives
+		# for "could not find such a route".
+		oops=
+		status=0
+		;;
+	esac
+	if test " $oops" != " " -o " $status" != " 0"
+	then
+		echo "$0: \`$it' failed ($oops)" >&2
+	fi
+	exit $status
+	;;
+route-host:*|route-client:*)
+	# connection to me or my client subnet being routed
+	uproute
+	;;
+unroute-host:*|unroute-client:*)
+	# connection to me or my client subnet being unrouted
+	downroute
+	;;
+up-host:)
+	# connection to me coming up
+	# If you are doing a custom version, firewall commands go here.
+	if [ -n "$PLUTO_MARK_IN" ]
+	then
+	    iptables -t mangle -A PREROUTING $SET_MARK
+	fi
+	iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+down-host:)
+	# connection to me going down
+	# If you are doing a custom version, firewall commands go here.
+	if [ -n "$PLUTO_MARK_IN" ]
+	then
+	    iptables -t mangle -D PREROUTING $SET_MARK
+	fi
+	iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	    "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+up-client:)
+	# connection to my client subnet coming up
+	# If you are doing a custom version, firewall commands go here.
+	if [ -n "$PLUTO_MARK_IN" ]
+	then
+	    iptables -t mangle -A PREROUTING $SET_MARK
+	fi
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+	then
+	  iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	  iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	  iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
+down-client:)
+	# connection to my client subnet going down
+	# If you are doing a custom version, firewall commands go here.
+	if [ -n "$PLUTO_MARK_IN" ]
+	then
+	    iptables -t mangle -D PREROUTING $SET_MARK
+	fi
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+	then
+	  iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	  iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	  iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
+*)	echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
+	exit 1
+	;;
+esac
diff --git a/testing/tests/ikev1/nat-two-rw-mark/hosts/venus/etc/ipsec.conf b/testing/tests/ikev1/nat-two-rw-mark/hosts/venus/etc/ipsec.conf
new file mode 100755
index 000000000..0be3477c1
--- /dev/null
+++ b/testing/tests/ikev1/nat-two-rw-mark/hosts/venus/etc/ipsec.conf
@@ -0,0 +1,27 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutodebug=control
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	nat_traversal=yes
+	charonstart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+
+conn nat-t
+	left=%defaultroute
+	leftsubnet=10.1.0.0/25
+	leftcert=venusCert.pem
+	leftid=@venus.strongswan.org
+	leftfirewall=yes
+	lefthostaccess=yes
+	right=PH_IP_SUN
+	rightid=@sun.strongswan.org
+	rightsubnet=10.2.0.0/16
+	auto=add
diff --git a/testing/tests/ikev1/nat-two-rw-mark/posttest.dat b/testing/tests/ikev1/nat-two-rw-mark/posttest.dat
new file mode 100644
index 000000000..89d5f534b
--- /dev/null
+++ b/testing/tests/ikev1/nat-two-rw-mark/posttest.dat
@@ -0,0 +1,11 @@
+sun::iptables -t mangle -v -n -L PREROUTING
+sun::ipsec stop
+alice::ipsec stop
+venus::ipsec stop
+alice::/etc/init.d/iptables stop 2> /dev/null
+venus::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables -t nat -F
+moon::conntrack -F
+sun::conntrack -F
+sun::rm /etc/mark_updown
diff --git a/testing/tests/ikev1/nat-two-rw-mark/pretest.dat b/testing/tests/ikev1/nat-two-rw-mark/pretest.dat
new file mode 100644
index 000000000..310e5be71
--- /dev/null
+++ b/testing/tests/ikev1/nat-two-rw-mark/pretest.dat
@@ -0,0 +1,21 @@
+alice::/etc/init.d/iptables start 2> /dev/null
+venus::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
+moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to PH_IP_MOON
+moon::iptables -t nat -A POSTROUTING -o eth0 -s PH_IP_ALICE -p udp --sport 500  -j SNAT --to PH_IP_MOON:510
+moon::iptables -t nat -A POSTROUTING -o eth0 -s PH_IP_VENUS -p udp --sport 500  -j SNAT --to PH_IP_MOON:520
+moon::iptables -t nat -A POSTROUTING -o eth0 -s PH_IP_ALICE -p udp --sport 4500 -j SNAT --to PH_IP_MOON:4510
+moon::iptables -t nat -A POSTROUTING -o eth0 -s PH_IP_VENUS -p udp --sport 4500 -j SNAT --to PH_IP_MOON:4520
+sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 10 -j SNAT --to 10.3.0.10
+sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 20 -j SNAT --to 10.3.0.20
+sun::iptables -t mangle -A PREROUTING -d 10.3.0.10 -j MARK --set-mark 10
+sun::iptables -t mangle -A PREROUTING -d 10.3.0.20 -j MARK --set-mark 20
+alice::ipsec start
+venus::ipsec start
+sun::ipsec start
+alice::sleep 2
+alice::ipsec up nat-t
+venus::sleep 2
+venus::ipsec up nat-t
+venus::sleep 2
diff --git a/testing/tests/ikev1/nat-two-rw-mark/test.conf b/testing/tests/ikev1/nat-two-rw-mark/test.conf
new file mode 100644
index 000000000..ae3c190b8
--- /dev/null
+++ b/testing/tests/ikev1/nat-two-rw-mark/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice venus moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-w-s-b.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon bob"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="alice venus sun"
diff --git a/testing/tests/ikev1/nat-two-rw-psk/hosts/alice/etc/ipsec.conf b/testing/tests/ikev1/nat-two-rw-psk/hosts/alice/etc/ipsec.conf
index e8576f0e7..eee3c45e8 100755
--- a/testing/tests/ikev1/nat-two-rw-psk/hosts/alice/etc/ipsec.conf
+++ b/testing/tests/ikev1/nat-two-rw-psk/hosts/alice/etc/ipsec.conf
@@ -10,6 +10,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	authby=secret
 		
 conn nat-t
diff --git a/testing/tests/ikev1/nat-two-rw-psk/hosts/alice/etc/strongswan.conf b/testing/tests/ikev1/nat-two-rw-psk/hosts/alice/etc/strongswan.conf
index 85e5f1aee..453cdc07c 100644
--- a/testing/tests/ikev1/nat-two-rw-psk/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev1/nat-two-rw-psk/hosts/alice/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random
+  load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/nat-two-rw-psk/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/nat-two-rw-psk/hosts/sun/etc/ipsec.conf
index ebd735a11..a7c500fe2 100755
--- a/testing/tests/ikev1/nat-two-rw-psk/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev1/nat-two-rw-psk/hosts/sun/etc/ipsec.conf
@@ -10,6 +10,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	authby=secret
 	
 conn nat-t
diff --git a/testing/tests/ikev1/nat-two-rw-psk/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/nat-two-rw-psk/hosts/sun/etc/strongswan.conf
index 85e5f1aee..453cdc07c 100644
--- a/testing/tests/ikev1/nat-two-rw-psk/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev1/nat-two-rw-psk/hosts/sun/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random
+  load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/nat-two-rw-psk/hosts/venus/etc/ipsec.conf b/testing/tests/ikev1/nat-two-rw-psk/hosts/venus/etc/ipsec.conf
index e8576f0e7..eee3c45e8 100755
--- a/testing/tests/ikev1/nat-two-rw-psk/hosts/venus/etc/ipsec.conf
+++ b/testing/tests/ikev1/nat-two-rw-psk/hosts/venus/etc/ipsec.conf
@@ -10,6 +10,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	authby=secret
 		
 conn nat-t
diff --git a/testing/tests/ikev1/nat-two-rw-psk/hosts/venus/etc/strongswan.conf b/testing/tests/ikev1/nat-two-rw-psk/hosts/venus/etc/strongswan.conf
index 85e5f1aee..453cdc07c 100644
--- a/testing/tests/ikev1/nat-two-rw-psk/hosts/venus/etc/strongswan.conf
+++ b/testing/tests/ikev1/nat-two-rw-psk/hosts/venus/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random
+  load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.conf
index 83d2b268a..a38c66023 100755
--- a/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.conf
@@ -10,6 +10,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	
 conn net-net
 	left=PH_IP_MOON
diff --git a/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/strongswan.conf
index 30c802be8..71896491e 100644
--- a/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 pgp gmp random curl
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 pgp gmp random curl kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.conf
index d5b7c39fa..6a373e29f 100755
--- a/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.conf
@@ -10,6 +10,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	
 conn net-net
 	left=PH_IP_SUN
diff --git a/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/strongswan.conf
index 30c802be8..71896491e 100644
--- a/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 pgp gmp random curl
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 pgp gmp random curl kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.conf
index bbd1f3a06..094ab3bed 100755
--- a/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.conf
@@ -10,6 +10,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	
 conn net-net
 	left=PH_IP_MOON
diff --git a/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/strongswan.conf
index 30c802be8..71896491e 100644
--- a/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 pgp gmp random curl
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 pgp gmp random curl kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.conf
index abe91e6ee..428b10ce6 100755
--- a/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.conf
@@ -10,6 +10,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	
 conn net-net
 	left=PH_IP_SUN
diff --git a/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/strongswan.conf
index 30c802be8..71896491e 100644
--- a/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 pgp gmp random curl
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 pgp gmp random curl kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/ipsec.conf
index 7302a423b..ad0359f01 100755
--- a/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/ipsec.conf
@@ -9,6 +9,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	authby=secret
 	
 conn net-net
diff --git a/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/strongswan.conf
index 85e5f1aee..453cdc07c 100644
--- a/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random
+  load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/ipsec.conf
index 7633f5c8b..9bbff9039 100755
--- a/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/ipsec.conf
@@ -9,6 +9,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	authby=secret
 	
 conn net-net
diff --git a/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/strongswan.conf
index 85e5f1aee..453cdc07c 100644
--- a/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random
+  load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/net2net-psk/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-psk/hosts/moon/etc/ipsec.conf
index 5eedd9f28..c63ec2f30 100755
--- a/testing/tests/ikev1/net2net-psk/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/net2net-psk/hosts/moon/etc/ipsec.conf
@@ -9,6 +9,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	authby=secret
 	
 conn net-net
diff --git a/testing/tests/ikev1/net2net-psk/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/net2net-psk/hosts/moon/etc/strongswan.conf
index 85e5f1aee..453cdc07c 100644
--- a/testing/tests/ikev1/net2net-psk/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/net2net-psk/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random
+  load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/net2net-psk/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/net2net-psk/hosts/sun/etc/ipsec.conf
index 24bd66f53..e21ee9910 100755
--- a/testing/tests/ikev1/net2net-psk/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev1/net2net-psk/hosts/sun/etc/ipsec.conf
@@ -9,6 +9,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	authby=secret
 	
 conn net-net
diff --git a/testing/tests/ikev1/net2net-psk/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/net2net-psk/hosts/sun/etc/strongswan.conf
index 85e5f1aee..453cdc07c 100644
--- a/testing/tests/ikev1/net2net-psk/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev1/net2net-psk/hosts/sun/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random
+  load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/net2net-route/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-route/hosts/moon/etc/ipsec.conf
index eabb76bf7..bc72fab0f 100755
--- a/testing/tests/ikev1/net2net-route/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/net2net-route/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn net-net
 	left=PH_IP_MOON
diff --git a/testing/tests/ikev1/net2net-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-rsa/hosts/moon/etc/ipsec.conf
index 18b18f3ea..837c1ab56 100755
--- a/testing/tests/ikev1/net2net-rsa/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/net2net-rsa/hosts/moon/etc/ipsec.conf
@@ -9,6 +9,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	
 conn net-net
 	left=PH_IP_MOON
diff --git a/testing/tests/ikev1/net2net-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/net2net-rsa/hosts/moon/etc/strongswan.conf
index 4bf0f97aa..c50c4c594 100644
--- a/testing/tests/ikev1/net2net-rsa/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/net2net-rsa/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac dnskey pkcs1 x509 gmp random curl
+  load = sha1 sha2 md5 aes des hmac dnskey pkcs1 x509 gmp random curl kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/net2net-rsa/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/net2net-rsa/hosts/sun/etc/ipsec.conf
index 3f2bc48c0..efd9c798a 100755
--- a/testing/tests/ikev1/net2net-rsa/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev1/net2net-rsa/hosts/sun/etc/ipsec.conf
@@ -9,6 +9,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	
 conn net-net
 	left=PH_IP_SUN
diff --git a/testing/tests/ikev1/net2net-rsa/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/net2net-rsa/hosts/sun/etc/strongswan.conf
index 4bf0f97aa..c50c4c594 100644
--- a/testing/tests/ikev1/net2net-rsa/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev1/net2net-rsa/hosts/sun/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac dnskey pkcs1 x509 gmp random curl
+  load = sha1 sha2 md5 aes des hmac dnskey pkcs1 x509 gmp random curl kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/net2net-same-nets/description.txt b/testing/tests/ikev1/net2net-same-nets/description.txt
new file mode 100644
index 000000000..d0eb3374f
--- /dev/null
+++ b/testing/tests/ikev1/net2net-same-nets/description.txt
@@ -0,0 +1,15 @@
+A connection between two identical <b>10.0.0.0/14</b> networks behind the gateways <b>moon</b>
+and <b>sun</b> is set up. In order to make network routing work, the subnet behind <b>moon</b>
+sees the subnet behind <b>sun</b> as <b>10.4.0.0/14</b> whereas the subnet behind <b>sun</b>
+sees the subnet behind <b>moon</b> as <b>10.8.0.0/14</b>. The necessary network mappings are
+done on gateway <b>sun</b> using the iptables <b>MARK</b> and <b>NETMAP</b> targets.
+<p/>
+Upon the successful establishment of the IPsec tunnel, on gateway <b>moon</b> the directive
+<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass
+the tunneled traffic whereas on gateway <b>sun</b> the script indicated by
+<b>leftupdown=/etc/mark_updown</b> inserts iptables rules that set marks defined in the
+connection definition of <b>ipsec.conf</b> both on the inbound and outbound traffic, create
+the necessary NETMAP operations and forward the tunneled traffic.
+<p/>
+In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
+pings client <b>bob</b> located behind gateway <b>sun</b> and vice versa.
diff --git a/testing/tests/ikev1/net2net-same-nets/evaltest.dat b/testing/tests/ikev1/net2net-same-nets/evaltest.dat
new file mode 100644
index 000000000..b5ad0628e
--- /dev/null
+++ b/testing/tests/ikev1/net2net-same-nets/evaltest.dat
@@ -0,0 +1,10 @@
+moon::ipsec statusall::net-net.*IPsec SA established::YES
+sun::ipsec statusall::net-net.*IPsec SA established::YES
+alice::ping -c 1 10.6.0.10::64 bytes from 10.6.0.10: icmp_seq=1::YES
+bob::ping -c 1 10.9.0.10::64 bytes from 10.9.0.10: icmp_seq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
+bob::tcpdump::IP 10.9.0.10 > bob.strongswan.org: ICMP echo request::YES
+bob::tcpdump::IP bob.strongswan.org > 10.9.0.10: ICMP echo reply::YES
+bob::tcpdump::IP bob.strongswan.org > 10.9.0.10: ICMP echo request::YES
+bob::tcpdump::IP 10.9.0.10 > bob.strongswan.org: ICMP echo reply::YES 
diff --git a/testing/tests/ikev1/net2net-same-nets/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-same-nets/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..30af017ff
--- /dev/null
+++ b/testing/tests/ikev1/net2net-same-nets/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	charonstart=no
+	plutodebug=control
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+
+conn net-net 
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.0.0.0/14
+	leftfirewall=yes
+	right=PH_IP_SUN
+	rightid=@sun.strongswan.org
+	rightsubnet=10.4.0.0/14
+	auto=add
diff --git a/testing/tests/ikev1/net2net-same-nets/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/net2net-same-nets/hosts/sun/etc/ipsec.conf
new file mode 100755
index 000000000..5e924cf25
--- /dev/null
+++ b/testing/tests/ikev1/net2net-same-nets/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,27 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	charonstart=no
+	plutodebug=control
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+        keyingtries=1
+	keyexchange=ikev1
+
+conn net-net 
+	left=PH_IP_SUN
+	leftcert=sunCert.pem
+	leftid=@sun.strongswan.org
+	leftsubnet=10.4.0.0/14
+	leftupdown=/etc/mark_updown
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.0.0.0/14
+	mark_in=8
+	mark_out=4
+	auto=add
diff --git a/testing/tests/ikev1/net2net-same-nets/hosts/sun/etc/mark_updown b/testing/tests/ikev1/net2net-same-nets/hosts/sun/etc/mark_updown
new file mode 100755
index 000000000..0bfdcad85
--- /dev/null
+++ b/testing/tests/ikev1/net2net-same-nets/hosts/sun/etc/mark_updown
@@ -0,0 +1,376 @@
+#! /bin/sh
+# updown script setting inbound marks on ESP traffic in the mangle chain
+#
+# Copyright (C) 2003-2004 Nigel Meteringham
+# Copyright (C) 2003-2004 Tuomo Soini
+# Copyright (C) 2002-2004 Michael Richardson
+# Copyright (C) 2005-2010 Andreas Steffen <andreas.steffen@strongswan.org>
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# for more details.
+
+# CAUTION:  Installing a new version of strongSwan will install a new
+# copy of this script, wiping out any custom changes you make.  If
+# you need changes, make a copy of this under another name, and customize
+# that, and use the (left/right)updown parameters in ipsec.conf to make
+# strongSwan use yours instead of this default one.
+
+# things that this script gets (from ipsec_pluto(8) man page)
+#
+#      PLUTO_VERSION
+#              indicates  what  version of this interface is being
+#              used.  This document describes version  1.1.   This
+#              is upwardly compatible with version 1.0.
+#
+#       PLUTO_VERB
+#              specifies the name of the operation to be performed
+#              (prepare-host, prepare-client, up-host, up-client,
+#              down-host, or down-client).  If the address family
+#              for security gateway to security gateway communica-
+#              tions is IPv6, then a suffix of -v6 is added to the
+#              verb.
+#
+#       PLUTO_CONNECTION
+#              is the name of the  connection  for  which  we  are
+#              routing.
+#
+#       PLUTO_NEXT_HOP
+#              is the next hop to which packets bound for the peer
+#              must be sent.
+#
+#       PLUTO_INTERFACE
+#              is the name of the ipsec interface to be used.
+#
+#       PLUTO_REQID
+#              is the requid of the ESP policy
+#
+#       PLUTO_ME
+#              is the IP address of our host.
+#
+#       PLUTO_MY_ID
+#              is the ID of our host.
+#
+#       PLUTO_MY_CLIENT
+#              is the IP address / count of our client subnet.  If
+#              the  client  is  just  the  host,  this will be the
+#              host's own IP address / max (where max  is  32  for
+#              IPv4 and 128 for IPv6).
+#
+#       PLUTO_MY_CLIENT_NET
+#              is the IP address of our client net.  If the client
+#              is just the host, this will be the  host's  own  IP
+#              address.
+#
+#       PLUTO_MY_CLIENT_MASK
+#              is  the  mask for our client net.  If the client is
+#              just the host, this will be 255.255.255.255.
+#
+#       PLUTO_MY_SOURCEIP
+#              if non-empty, then the source address for the route will be
+#              set to this IP address.
+#
+#       PLUTO_MY_PROTOCOL
+#              is the IP protocol that will be transported.
+#
+#       PLUTO_MY_PORT
+#              is  the  UDP/TCP  port  to  which  the IPsec SA  is
+#              restricted on our side.
+#
+#       PLUTO_PEER
+#              is the IP address of our peer.
+#
+#       PLUTO_PEER_ID
+#              is the ID of our peer.
+#
+#       PLUTO_PEER_CA
+#              is the CA which issued the cert of our peer.
+#
+#       PLUTO_PEER_CLIENT
+#              is the IP address / count of the peer's client sub-
+#              net.   If the client is just the peer, this will be
+#              the peer's own IP address / max (where  max  is  32
+#              for IPv4 and 128 for IPv6).
+#
+#       PLUTO_PEER_CLIENT_NET
+#              is the IP address of the peer's client net.  If the
+#              client is just the peer, this will  be  the  peer's
+#              own IP address.
+#
+#       PLUTO_PEER_CLIENT_MASK
+#              is  the  mask  for  the  peer's client net.  If the
+#              client   is   just   the   peer,   this   will   be
+#              255.255.255.255.
+#
+#       PLUTO_PEER_PROTOCOL
+#              is the IP protocol that will be transported.
+#
+#       PLUTO_PEER_PORT
+#              is  the  UDP/TCP  port  to  which  the IPsec SA  is
+#              restricted on the peer side.
+#
+#       PLUTO_XAUTH_ID
+#              is an optional user ID employed by the XAUTH protocol
+#
+#       PLUTO_MARK_IN
+#              is an optional XFRM mark set on the inbound IPsec SA
+#
+#       PLUTO_MARK_OUT
+#              is an optional XFRM mark set on the outbound IPsec SA
+#
+#       PLUTO_UDP_ENC
+#              contains the remote UDP port in the case of ESP_IN_UDP
+#              encapsulation
+#
+
+# define a minimum PATH environment in case it is not set
+PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
+export PATH
+
+# check parameter(s)
+case "$1:$*" in
+':')			# no parameters
+	;;
+iptables:iptables)	# due to (left/right)firewall; for default script only
+	;;
+custom:*)		# custom parameters (see above CAUTION comment)
+	;;
+*)	echo "$0: unknown parameters \`$*'" >&2
+	exit 2
+	;;
+esac
+
+# utility functions for route manipulation
+# Meddling with this stuff should not be necessary and requires great care.
+uproute() {
+	doroute add
+	ip route flush cache
+}
+downroute() {
+	doroute delete
+	ip route flush cache
+}
+
+addsource() {
+	st=0
+	if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
+	then
+	    it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
+	    oops="`eval $it 2>&1`"
+	    st=$?
+	    if test " $oops" = " " -a " $st" != " 0"
+	    then
+		oops="silent error, exit status $st"
+	    fi
+	    if test " $oops" != " " -o " $st" != " 0"
+	    then
+		echo "$0: addsource \`$it' failed ($oops)" >&2
+	    fi
+	fi
+	return $st
+}
+
+doroute() {
+	st=0
+
+	if [ -z "$PLUTO_MY_SOURCEIP" ]
+	then
+	    for dir in /etc/sysconfig /etc/conf.d; do
+		if [ -f "$dir/defaultsource" ]
+		then
+		    . "$dir/defaultsource"
+		fi
+	    done
+
+	    if [ -n "$DEFAULTSOURCE" ]
+	    then
+		PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
+	    fi
+        fi
+
+	if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
+	then
+	    # leave because no route entry is required
+	    return $st
+	fi
+
+	parms1="$PLUTO_PEER_CLIENT"
+
+	if [ -n "$PLUTO_NEXT_HOP" ]
+	then
+	    parms2="via $PLUTO_NEXT_HOP"
+	else
+	    parms2="via $PLUTO_PEER"
+	fi
+	parms2="$parms2 dev $PLUTO_INTERFACE"
+
+	parms3=
+	if [ -n "$PLUTO_MY_SOURCEIP" ]
+	then
+	    if test "$1" = "add"
+	    then
+		addsource
+		if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE"
+		then
+		    ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE
+		fi
+	    fi
+	    parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE"
+	fi
+
+	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+	"0.0.0.0/0.0.0.0")
+		# opportunistic encryption work around
+		# need to provide route that eclipses default, without
+		# replacing it.
+		it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
+			ip route $1 128.0.0.0/1 $parms2 $parms3"
+		;;
+	*)	it="ip route $1 $parms1 $parms2 $parms3"
+		;;
+	esac
+	oops="`eval $it 2>&1`"
+	st=$?
+	if test " $oops" = " " -a " $st" != " 0"
+	then
+	    oops="silent error, exit status $st"
+	fi
+	if test " $oops" != " " -o " $st" != " 0"
+	then
+	    echo "$0: doroute \`$it' failed ($oops)" >&2
+	fi
+	return $st
+}
+# define NETMAP
+SAME_NET=$PLUTO_PEER_CLIENT
+IN_NET=$PLUTO_MY_CLIENT
+OUT_NET="10.8.0.0/14"
+
+# define internal interface
+INT_INTERFACE="eth1"
+
+# is there an inbound mark to be set?
+if [ -n "$PLUTO_MARK_IN" ]
+then
+	if [ -n "$PLUTO_UDP_ENC" ]
+	then
+	    SET_MARK_IN="-p udp --sport $PLUTO_UDP_ENC"
+	else
+		SET_MARK_IN="-p esp"
+	fi
+	SET_MARK_IN="$SET_MARK_IN -s $PLUTO_PEER -j MARK --set-mark $PLUTO_MARK_IN"
+fi
+
+# is there an outbound mark to be set?
+if [ -n "$PLUTO_MARK_OUT" ]
+then
+	SET_MARK_OUT="-i $INT_INTERFACE -s $SAME_NET -d $OUT_NET -j MARK --set-mark $PLUTO_MARK_OUT"
+fi
+
+# resolve octal escape sequences
+PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
+PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
+
+# the big choice
+case "$PLUTO_VERB:$1" in
+prepare-host:*|prepare-client:*)
+	if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
+	then
+	    # exit because no route will be added,
+	    # so that existing routes can stay
+	    exit 0
+	fi
+
+	# delete possibly-existing route (preliminary to adding a route)
+	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+	"0.0.0.0/0.0.0.0")
+		# need to provide route that eclipses default, without
+		# replacing it.
+		parms1="0.0.0.0/1"
+		parms2="128.0.0.0/1"
+		it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
+		oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
+		;;
+	*)
+		parms="$PLUTO_PEER_CLIENT"
+		it="ip route delete $parms 2>&1"
+		oops="`ip route delete $parms 2>&1`"
+		;;
+	esac
+	status="$?"
+	if test " $oops" = " " -a " $status" != " 0"
+	then
+		oops="silent error, exit status $status"
+	fi
+	case "$oops" in
+	*'RTNETLINK answers: No such process'*)
+		# This is what route (currently -- not documented!) gives
+		# for "could not find such a route".
+		oops=
+		status=0
+		;;
+	esac
+	if test " $oops" != " " -o " $status" != " 0"
+	then
+		echo "$0: \`$it' failed ($oops)" >&2
+	fi
+	exit $status
+	;;
+route-host:*|route-client:*)
+	# connection to me or my client subnet being routed
+	uproute
+	;;
+unroute-host:*|unroute-client:*)
+	# connection to me or my client subnet being unrouted
+	downroute
+	;;
+up-client:)
+	# connection to my client subnet coming up
+	# If you are doing a custom version, firewall commands go here.
+	if [ -n "$PLUTO_MARK_IN" ]
+	then
+	    iptables -t mangle -A PREROUTING $SET_MARK_IN
+	    iptables -t nat -A PREROUTING -i $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_IN \
+		     -d $IN_NET -j NETMAP --to $SAME_NET 
+	    iptables -I FORWARD 1 -i $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_IN -j ACCEPT
+	    iptables -t nat -A POSTROUTING -o $INT_INTERFACE -m mark --mark $PLUTO_MARK_IN \
+	             -s $SAME_NET -j NETMAP --to $OUT_NET 
+	fi
+	if [ -n "$PLUTO_MARK_OUT" ]
+	then
+	    iptables -t mangle -A PREROUTING $SET_MARK_OUT 
+	    iptables -t nat -A PREROUTING -i $INT_INTERFACE -m mark --mark $PLUTO_MARK_OUT \
+	             -d $OUT_NET -j NETMAP --to $SAME_NET
+	    iptables -I FORWARD 1 -o $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_OUT -j ACCEPT
+            iptables -t nat -A POSTROUTING -o $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_OUT \
+                     -s $SAME_NET -j NETMAP --to $IN_NET
+	fi
+	;;
+down-client:)
+	# connection to my client subnet going down
+	# If you are doing a custom version, firewall commands go here.
+	if [ -n "$PLUTO_MARK_IN" ]
+	then
+	    iptables -t mangle -D PREROUTING $SET_MARK_IN
+	    iptables -t nat -D PREROUTING -i $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_IN \
+	             -d $IN_NET -j NETMAP --to $SAME_NET 
+	    iptables -D FORWARD -i $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_IN -j ACCEPT
+	    iptables -t nat -D POSTROUTING -o eth1 -m mark --mark $PLUTO_MARK_IN \
+	             -s $SAME_NET -j NETMAP --to $OUT_NET 
+	fi
+	if [ -n "$PLUTO_MARK_OUT" ]
+	then
+	    iptables -t mangle -D PREROUTING $SET_MARK_OUT
+	    iptables -D FORWARD -o $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_OUT -j ACCEPT
+	fi
+	;;
+*)	echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
+	exit 1
+	;;
+esac
diff --git a/testing/tests/ikev1/net2net-same-nets/posttest.dat b/testing/tests/ikev1/net2net-same-nets/posttest.dat
new file mode 100644
index 000000000..e75e66650
--- /dev/null
+++ b/testing/tests/ikev1/net2net-same-nets/posttest.dat
@@ -0,0 +1,7 @@
+sun::iptables -t mangle -n -v -L PREROUTING
+sun::iptables -t nat -n -v -L
+moon::ipsec stop
+sun::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
+sun::conntrack -F
diff --git a/testing/tests/ikev1/net2net-same-nets/pretest.dat b/testing/tests/ikev1/net2net-same-nets/pretest.dat
new file mode 100644
index 000000000..2d7a78acb
--- /dev/null
+++ b/testing/tests/ikev1/net2net-same-nets/pretest.dat
@@ -0,0 +1,6 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+sun::ipsec start
+moon::sleep 1 
+moon::ipsec up net-net
diff --git a/testing/tests/ikev1/net2net-same-nets/test.conf b/testing/tests/ikev1/net2net-same-nets/test.conf
new file mode 100644
index 000000000..1971a33ab
--- /dev/null
+++ b/testing/tests/ikev1/net2net-same-nets/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+ 
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun bob"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev1/net2net-start/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-start/hosts/moon/etc/ipsec.conf
index e2e43cecd..acb12e7f3 100755
--- a/testing/tests/ikev1/net2net-start/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/net2net-start/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn net-net
 	left=PH_IP_MOON
diff --git a/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.conf
index 9a1f0934b..a62964829 100755
--- a/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.conf
@@ -16,6 +16,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	left=PH_IP_CAROL
 	leftcert=carolRevokedCert.pem
 	leftid=carol@strongswan.org
diff --git a/testing/tests/ikev1/ocsp-revoked/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/ocsp-revoked/hosts/moon/etc/ipsec.conf
index 9b0c9b534..cd2ab0aca 100755
--- a/testing/tests/ikev1/ocsp-revoked/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/ocsp-revoked/hosts/moon/etc/ipsec.conf
@@ -16,6 +16,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	left=PH_IP_MOON
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
diff --git a/testing/tests/ikev1/ocsp-strict/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/ocsp-strict/hosts/carol/etc/ipsec.conf
index 5624f4fcf..c79b1c3e2 100755
--- a/testing/tests/ikev1/ocsp-strict/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/ocsp-strict/hosts/carol/etc/ipsec.conf
@@ -16,6 +16,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	left=PH_IP_CAROL
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
diff --git a/testing/tests/ikev1/ocsp-strict/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/ocsp-strict/hosts/moon/etc/ipsec.conf
index 9b0c9b534..cd2ab0aca 100755
--- a/testing/tests/ikev1/ocsp-strict/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/ocsp-strict/hosts/moon/etc/ipsec.conf
@@ -16,6 +16,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	left=PH_IP_MOON
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
diff --git a/testing/tests/ikev1/passthrough/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/passthrough/hosts/moon/etc/ipsec.conf
index 557fb62eb..25eec2a3e 100755
--- a/testing/tests/ikev1/passthrough/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/passthrough/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	left=PH_IP_MOON
 	leftsubnet=10.1.0.0/16
 	right=PH_IP_SUN
diff --git a/testing/tests/ikev1/passthrough/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/passthrough/hosts/sun/etc/ipsec.conf
index 9276f1f90..7541aa894 100755
--- a/testing/tests/ikev1/passthrough/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev1/passthrough/hosts/sun/etc/ipsec.conf
@@ -12,6 +12,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn net-net
 	left=PH_IP_SUN
diff --git a/testing/tests/ikev1/protoport-dual/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/protoport-dual/hosts/carol/etc/ipsec.conf
index 3adfdc0b8..48df689af 100755
--- a/testing/tests/ikev1/protoport-dual/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/protoport-dual/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	left=PH_IP_CAROL
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
diff --git a/testing/tests/ikev1/protoport-dual/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/protoport-dual/hosts/moon/etc/ipsec.conf
index e1ce14973..c4bfebda1 100755
--- a/testing/tests/ikev1/protoport-dual/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/protoport-dual/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	left=PH_IP_MOON
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
diff --git a/testing/tests/ikev1/protoport-pass/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/protoport-pass/hosts/carol/etc/ipsec.conf
index 913e6d91a..aae781b69 100755
--- a/testing/tests/ikev1/protoport-pass/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/protoport-pass/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn home-icmp
 	left=PH_IP_CAROL
diff --git a/testing/tests/ikev1/protoport-pass/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/protoport-pass/hosts/moon/etc/ipsec.conf
index d941e81ef..7b80a299e 100755
--- a/testing/tests/ikev1/protoport-pass/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/protoport-pass/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn rw-icmp
 	left=PH_IP_MOON
diff --git a/testing/tests/ikev1/protoport-route/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/protoport-route/hosts/carol/etc/ipsec.conf
index dfc0143ed..2bb557410 100755
--- a/testing/tests/ikev1/protoport-route/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/protoport-route/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	left=PH_IP_CAROL
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
diff --git a/testing/tests/ikev1/protoport-route/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/protoport-route/hosts/moon/etc/ipsec.conf
index e1ce14973..c4bfebda1 100755
--- a/testing/tests/ikev1/protoport-route/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/protoport-route/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	left=PH_IP_MOON
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
diff --git a/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/ipsec.conf
index 6db69096b..7c2bb3a98 100755
--- a/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn home
 	left=PH_IP_CAROL
diff --git a/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/strongswan.conf
index 737117cc9..e589a9425 100644
--- a/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
 }
 
 scepclient {
diff --git a/testing/tests/ikev1/req-pkcs10/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/req-pkcs10/hosts/moon/etc/strongswan.conf
index 737117cc9..e589a9425 100644
--- a/testing/tests/ikev1/req-pkcs10/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/req-pkcs10/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
 }
 
 scepclient {
diff --git a/testing/tests/ikev1/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-cert/hosts/carol/etc/strongswan.conf
index 72ff765c3..7403971e9 100644
--- a/testing/tests/ikev1/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-cert/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = test-vectors sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth
+  load = test-vectors sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-cert/hosts/moon/etc/strongswan.conf
index 72ff765c3..7403971e9 100644
--- a/testing/tests/ikev1/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-cert/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = test-vectors sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth
+  load = test-vectors sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/rw-mark-in-out/description.txt b/testing/tests/ikev1/rw-mark-in-out/description.txt
new file mode 100644
index 000000000..4c35081b1
--- /dev/null
+++ b/testing/tests/ikev1/rw-mark-in-out/description.txt
@@ -0,0 +1,16 @@
+The roadwarriors <b>alice</b> and <b>venus</b> sitting behind the router <b>moon</b> set up
+tunnels to gateway <b>sun</b>. Since both roadwarriors possess the same 10.1.0.0/25 subnet,
+gateway <b>sun</b> uses Source NAT after ESP decryption to map these subnets to 10.3.0.10
+and 10.3.0.20, respectively.
+<p/>
+In order to differentiate between the tunnels to <b>alice</b> and <b>venus</b>, respectively,
+<b>XFRM marks</b> are defined for both the inbound and outbound IPsec SAs and policies using
+the <b>mark_in</b> and <b>mark_out</b> parameters in ipsec.conf.
+<p/>
+<b>iptables -t mangle</b> rules are then used in the PREROUTING chain to mark the traffic to
+and from <b>alice</b> and <b>venus</b>, respectively.
+<p/>
+The script designated by <b>leftupdown=/etc/mark_updown</b> automatically inserts
+iptables mangle rules that mark the inbound ESP packets as well as iptables IPsec-policy rules
+that let pass the tunneled traffic. In order to test the tunnel, the hosts <b>alice</b>
+and <b>venus</b> ping the client <b>bob</b> behind the gateway <b>sun</b>.
diff --git a/testing/tests/ikev1/rw-mark-in-out/evaltest.dat b/testing/tests/ikev1/rw-mark-in-out/evaltest.dat
new file mode 100644
index 000000000..168b3dfb9
--- /dev/null
+++ b/testing/tests/ikev1/rw-mark-in-out/evaltest.dat
@@ -0,0 +1,18 @@
+alice::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
+venus::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
+sun::ipsec status::alice.*STATE_QUICK_R2.*IPsec SA established::YES
+sun::ipsec status::alice.*alice@strongswan.org::YES
+sun::ipsec status::venus.*STATE_QUICK_R2.*IPsec SA established::YES
+sun::ipsec status::venus.*venus.strongswan.org::YES
+sun::ipsec statusall::alice.*10.2.0.0/16===.*===10.1.0.0/25::YES
+sun::ipsec statusall::venus.*10.2.0.0/16===.*===10.1.0.0/25::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+moon::tcpdump::IP alice.strongswan.org > sun.strongswan.org: ESP::YES
+moon::tcpdump::IP venus.strongswan.org > sun.strongswan.org: ESP::YES
+moon::tcpdump::IP sun.strongswan.org > alice.strongswan.org: ESP::YES
+moon::tcpdump::IP sun.strongswan.org > venus.strongswan.org: ESP::YES
+bob::tcpdump::10.3.0.10 > bob.strongswan.org: ICMP echo request::YES
+bob::tcpdump::10.3.0.20 > bob.strongswan.org: ICMP echo request::YES
+bob::tcpdump::bob.strongswan.org > 10.3.0.10: ICMP echo reply::YES
+bob::tcpdump::bob.strongswan.org > 10.3.0.20: ICMP echo reply::YES
diff --git a/testing/tests/ikev1/rw-mark-in-out/hosts/alice/etc/init.d/iptables b/testing/tests/ikev1/rw-mark-in-out/hosts/alice/etc/init.d/iptables
new file mode 100755
index 000000000..5594bbf52
--- /dev/null
+++ b/testing/tests/ikev1/rw-mark-in-out/hosts/alice/etc/init.d/iptables
@@ -0,0 +1,77 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+	before net
+	need logger
+}
+
+start() {
+	ebegin "Starting firewall"
+
+	# default policy is DROP
+	/sbin/iptables -P INPUT DROP
+	/sbin/iptables -P OUTPUT DROP
+	/sbin/iptables -P FORWARD DROP
+
+        # allow ESP 
+        iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
+        iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+	# allow IKE
+	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+			
+	# allow MOBIKE 
+	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+	# allow crl fetch from winnetou
+	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+	# allow ssh
+	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
+	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+	
+			if [ $a == nat ]; then
+				/sbin/iptables -t nat -P PREROUTING ACCEPT
+				/sbin/iptables -t nat -P POSTROUTING ACCEPT
+				/sbin/iptables -t nat -P OUTPUT ACCEPT
+			elif [ $a == mangle ]; then
+				/sbin/iptables -t mangle -P PREROUTING ACCEPT
+				/sbin/iptables -t mangle -P INPUT ACCEPT
+				/sbin/iptables -t mangle -P FORWARD ACCEPT
+				/sbin/iptables -t mangle -P OUTPUT ACCEPT
+				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
+			elif [ $a == filter ]; then
+				/sbin/iptables -t filter -P INPUT ACCEPT
+				/sbin/iptables -t filter -P FORWARD ACCEPT
+				/sbin/iptables -t filter -P OUTPUT ACCEPT
+			fi
+		done
+	eend $?
+}
+
+reload() {
+	ebegin "Flushing firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+		done;
+        eend $?
+	start
+}
+
diff --git a/testing/tests/ikev1/rw-mark-in-out/hosts/alice/etc/ipsec.conf b/testing/tests/ikev1/rw-mark-in-out/hosts/alice/etc/ipsec.conf
new file mode 100755
index 000000000..4256006c0
--- /dev/null
+++ b/testing/tests/ikev1/rw-mark-in-out/hosts/alice/etc/ipsec.conf
@@ -0,0 +1,26 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutodebug=control
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	charonstart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+
+conn home
+	left=%defaultroute
+	leftsubnet=10.1.0.0/25
+	leftcert=aliceCert.pem
+	leftid=alice@strongswan.org
+	leftfirewall=yes
+	lefthostaccess=yes
+	right=PH_IP_SUN
+	rightid=@sun.strongswan.org
+	rightsubnet=10.2.0.0/16
+	auto=add
diff --git a/testing/tests/ikev1/rw-mark-in-out/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/rw-mark-in-out/hosts/sun/etc/ipsec.conf
new file mode 100755
index 000000000..83fe9eed2
--- /dev/null
+++ b/testing/tests/ikev1/rw-mark-in-out/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,37 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutodebug="control"
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	charonstart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+
+conn alice
+	rightid=alice@strongswan.org
+	mark_in=10/0xffffffff
+	mark_out=11/0xffffffff
+	also=sun
+	auto=add
+
+conn venus
+	rightid=@venus.strongswan.org
+	mark_in=20  #0xffffffff is used by default
+	mark_out=21 #0xffffffff is used by default
+	also=sun
+	auto=add
+
+conn sun
+	left=PH_IP_SUN
+	leftcert=sunCert.pem
+	leftid=@sun.strongswan.org
+	leftsubnet=10.2.0.0/16
+	leftupdown=/etc/mark_updown
+	right=%any
+	rightsubnet=10.1.0.0/25
diff --git a/testing/tests/ikev1/rw-mark-in-out/hosts/sun/etc/mark_updown b/testing/tests/ikev1/rw-mark-in-out/hosts/sun/etc/mark_updown
new file mode 100755
index 000000000..0d22e684d
--- /dev/null
+++ b/testing/tests/ikev1/rw-mark-in-out/hosts/sun/etc/mark_updown
@@ -0,0 +1,527 @@
+#! /bin/sh
+# updown script setting inbound marks on ESP traffic in the mangle chain
+#
+# Copyright (C) 2003-2004 Nigel Meteringham
+# Copyright (C) 2003-2004 Tuomo Soini
+# Copyright (C) 2002-2004 Michael Richardson
+# Copyright (C) 2005-2010 Andreas Steffen <andreas.steffen@strongswan.org>
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# for more details.
+
+# CAUTION:  Installing a new version of strongSwan will install a new
+# copy of this script, wiping out any custom changes you make.  If
+# you need changes, make a copy of this under another name, and customize
+# that, and use the (left/right)updown parameters in ipsec.conf to make
+# strongSwan use yours instead of this default one.
+
+# things that this script gets (from ipsec_pluto(8) man page)
+#
+#      PLUTO_VERSION
+#              indicates  what  version of this interface is being
+#              used.  This document describes version  1.1.   This
+#              is upwardly compatible with version 1.0.
+#
+#       PLUTO_VERB
+#              specifies the name of the operation to be performed
+#              (prepare-host, prepare-client, up-host, up-client,
+#              down-host, or down-client).  If the address family
+#              for security gateway to security gateway communica-
+#              tions is IPv6, then a suffix of -v6 is added to the
+#              verb.
+#
+#       PLUTO_CONNECTION
+#              is the name of the  connection  for  which  we  are
+#              routing.
+#
+#       PLUTO_NEXT_HOP
+#              is the next hop to which packets bound for the peer
+#              must be sent.
+#
+#       PLUTO_INTERFACE
+#              is the name of the ipsec interface to be used.
+#
+#       PLUTO_REQID
+#              is the requid of the ESP policy
+#
+#       PLUTO_ME
+#              is the IP address of our host.
+#
+#       PLUTO_MY_ID
+#              is the ID of our host.
+#
+#       PLUTO_MY_CLIENT
+#              is the IP address / count of our client subnet.  If
+#              the  client  is  just  the  host,  this will be the
+#              host's own IP address / max (where max  is  32  for
+#              IPv4 and 128 for IPv6).
+#
+#       PLUTO_MY_CLIENT_NET
+#              is the IP address of our client net.  If the client
+#              is just the host, this will be the  host's  own  IP
+#              address.
+#
+#       PLUTO_MY_CLIENT_MASK
+#              is  the  mask for our client net.  If the client is
+#              just the host, this will be 255.255.255.255.
+#
+#       PLUTO_MY_SOURCEIP
+#              if non-empty, then the source address for the route will be
+#              set to this IP address.
+#
+#       PLUTO_MY_PROTOCOL
+#              is the IP protocol that will be transported.
+#
+#       PLUTO_MY_PORT
+#              is  the  UDP/TCP  port  to  which  the IPsec SA  is
+#              restricted on our side.
+#
+#       PLUTO_PEER
+#              is the IP address of our peer.
+#
+#       PLUTO_PEER_ID
+#              is the ID of our peer.
+#
+#       PLUTO_PEER_CA
+#              is the CA which issued the cert of our peer.
+#
+#       PLUTO_PEER_CLIENT
+#              is the IP address / count of the peer's client sub-
+#              net.   If the client is just the peer, this will be
+#              the peer's own IP address / max (where  max  is  32
+#              for IPv4 and 128 for IPv6).
+#
+#       PLUTO_PEER_CLIENT_NET
+#              is the IP address of the peer's client net.  If the
+#              client is just the peer, this will  be  the  peer's
+#              own IP address.
+#
+#       PLUTO_PEER_CLIENT_MASK
+#              is  the  mask  for  the  peer's client net.  If the
+#              client   is   just   the   peer,   this   will   be
+#              255.255.255.255.
+#
+#       PLUTO_PEER_PROTOCOL
+#              is the IP protocol that will be transported.
+#
+#       PLUTO_PEER_PORT
+#              is  the  UDP/TCP  port  to  which  the IPsec SA  is
+#              restricted on the peer side.
+#
+#       PLUTO_XAUTH_ID
+#              is an optional user ID employed by the XAUTH protocol
+#
+#       PLUTO_MARK_IN
+#              is an optional XFRM mark set on the inbound IPsec SA
+#
+#       PLUTO_MARK_OUT
+#              is an optional XFRM mark set on the outbound IPsec SA
+#
+#       PLUTO_UDP_ENC
+#              contains the remote UDP port in the case of ESP_IN_UDP
+#              encapsulation
+#
+
+# define a minimum PATH environment in case it is not set
+PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
+export PATH
+
+# uncomment to log VPN connections
+VPN_LOGGING=1
+#
+# tag put in front of each log entry:
+TAG=vpn
+#
+# syslog facility and priority used:
+FAC_PRIO=local0.notice
+#
+# to create a special vpn logging file, put the following line into
+# the syslog configuration file /etc/syslog.conf:
+#
+# local0.notice                   -/var/log/vpn
+
+# in order to use source IP routing the Linux kernel options
+# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES
+# must be enabled
+#
+# special routing table for sourceip routes
+SOURCEIP_ROUTING_TABLE=220
+#
+# priority of the sourceip routing table
+SOURCEIP_ROUTING_TABLE_PRIO=220
+
+# check interface version
+case "$PLUTO_VERSION" in
+1.[0|1])	# Older Pluto?!?  Play it safe, script may be using new features.
+	echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
+	echo "$0: 	called by obsolete Pluto?" >&2
+	exit 2
+	;;
+1.*)	;;
+*)	echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
+	exit 2
+	;;
+esac
+
+# check parameter(s)
+case "$1:$*" in
+':')			# no parameters
+	;;
+iptables:iptables)	# due to (left/right)firewall; for default script only
+	;;
+custom:*)		# custom parameters (see above CAUTION comment)
+	;;
+*)	echo "$0: unknown parameters \`$*'" >&2
+	exit 2
+	;;
+esac
+
+# utility functions for route manipulation
+# Meddling with this stuff should not be necessary and requires great care.
+uproute() {
+	doroute add
+	ip route flush cache
+}
+downroute() {
+	doroute delete
+	ip route flush cache
+}
+
+addsource() {
+	st=0
+	if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
+	then
+	    it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
+	    oops="`eval $it 2>&1`"
+	    st=$?
+	    if test " $oops" = " " -a " $st" != " 0"
+	    then
+		oops="silent error, exit status $st"
+	    fi
+	    if test " $oops" != " " -o " $st" != " 0"
+	    then
+		echo "$0: addsource \`$it' failed ($oops)" >&2
+	    fi
+	fi
+	return $st
+}
+
+doroute() {
+	st=0
+
+	if [ -z "$PLUTO_MY_SOURCEIP" ]
+	then
+	    for dir in /etc/sysconfig /etc/conf.d; do
+		if [ -f "$dir/defaultsource" ]
+		then
+		    . "$dir/defaultsource"
+		fi
+	    done
+
+	    if [ -n "$DEFAULTSOURCE" ]
+	    then
+		PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
+	    fi
+        fi
+
+	if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
+	then
+	    # leave because no route entry is required
+	    return $st
+	fi
+
+	parms1="$PLUTO_PEER_CLIENT"
+
+	if [ -n "$PLUTO_NEXT_HOP" ]
+	then
+	    parms2="via $PLUTO_NEXT_HOP"
+	else
+	    parms2="via $PLUTO_PEER"
+	fi
+	parms2="$parms2 dev $PLUTO_INTERFACE"
+
+	parms3=
+	if [ -n "$PLUTO_MY_SOURCEIP" ]
+	then
+	    if test "$1" = "add"
+	    then
+		addsource
+		if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE"
+		then
+		    ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE
+		fi
+	    fi
+	    parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE"
+	fi
+
+	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+	"0.0.0.0/0.0.0.0")
+		# opportunistic encryption work around
+		# need to provide route that eclipses default, without
+		# replacing it.
+		it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
+			ip route $1 128.0.0.0/1 $parms2 $parms3"
+		;;
+	*)	it="ip route $1 $parms1 $parms2 $parms3"
+		;;
+	esac
+	oops="`eval $it 2>&1`"
+	st=$?
+	if test " $oops" = " " -a " $st" != " 0"
+	then
+	    oops="silent error, exit status $st"
+	fi
+	if test " $oops" != " " -o " $st" != " 0"
+	then
+	    echo "$0: doroute \`$it' failed ($oops)" >&2
+	fi
+	return $st
+}
+
+# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
+if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
+then
+	KLIPS=1
+	IPSEC_POLICY_IN=""
+	IPSEC_POLICY_OUT=""
+else
+	KLIPS=
+	IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
+	IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
+	IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
+fi
+
+# is there an inbound mark to be set?
+if [ -n "$PLUTO_MARK_IN" ]
+then
+	if [ -n "$PLUTO_UDP_ENC" ]
+	then
+	    SET_MARK="-p udp --sport $PLUTO_UDP_ENC"
+	else
+		SET_MARK="-p esp"
+	fi
+	SET_MARK="$SET_MARK -s $PLUTO_PEER -j MARK --set-mark $PLUTO_MARK_IN"
+fi
+
+# are there port numbers?
+if [ "$PLUTO_MY_PORT" != 0 ]
+then
+	S_MY_PORT="--sport $PLUTO_MY_PORT"
+	D_MY_PORT="--dport $PLUTO_MY_PORT"
+fi
+if [ "$PLUTO_PEER_PORT" != 0 ]
+then
+	S_PEER_PORT="--sport $PLUTO_PEER_PORT"
+	D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+fi
+
+# resolve octal escape sequences
+PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
+PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
+
+# the big choice
+case "$PLUTO_VERB:$1" in
+prepare-host:*|prepare-client:*)
+	if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
+	then
+	    # exit because no route will be added,
+	    # so that existing routes can stay
+	    exit 0
+	fi
+
+	# delete possibly-existing route (preliminary to adding a route)
+	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+	"0.0.0.0/0.0.0.0")
+		# need to provide route that eclipses default, without
+		# replacing it.
+		parms1="0.0.0.0/1"
+		parms2="128.0.0.0/1"
+		it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
+		oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
+		;;
+	*)
+		parms="$PLUTO_PEER_CLIENT"
+		it="ip route delete $parms 2>&1"
+		oops="`ip route delete $parms 2>&1`"
+		;;
+	esac
+	status="$?"
+	if test " $oops" = " " -a " $status" != " 0"
+	then
+		oops="silent error, exit status $status"
+	fi
+	case "$oops" in
+	*'RTNETLINK answers: No such process'*)
+		# This is what route (currently -- not documented!) gives
+		# for "could not find such a route".
+		oops=
+		status=0
+		;;
+	esac
+	if test " $oops" != " " -o " $status" != " 0"
+	then
+		echo "$0: \`$it' failed ($oops)" >&2
+	fi
+	exit $status
+	;;
+route-host:*|route-client:*)
+	# connection to me or my client subnet being routed
+	uproute
+	;;
+unroute-host:*|unroute-client:*)
+	# connection to me or my client subnet being unrouted
+	downroute
+	;;
+up-host:)
+	# connection to me coming up
+	# If you are doing a custom version, firewall commands go here.
+	if [ -n "$PLUTO_MARK_IN" ]
+	then
+	    iptables -t mangle -A PREROUTING $SET_MARK
+	fi
+	iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+down-host:)
+	# connection to me going down
+	# If you are doing a custom version, firewall commands go here.
+	if [ -n "$PLUTO_MARK_IN" ]
+	then
+	    iptables -t mangle -D PREROUTING $SET_MARK
+	fi
+	iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	    "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+up-client:)
+	# connection to my client subnet coming up
+	# If you are doing a custom version, firewall commands go here.
+	if [ -n "$PLUTO_MARK_IN" ]
+	then
+	    iptables -t mangle -A PREROUTING $SET_MARK
+	fi
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+	then
+	  iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	  iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	  iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
+down-client:)
+	# connection to my client subnet going down
+	# If you are doing a custom version, firewall commands go here.
+	if [ -n "$PLUTO_MARK_IN" ]
+	then
+	    iptables -t mangle -D PREROUTING $SET_MARK
+	fi
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+	then
+	  iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	  iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	  iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
+*)	echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
+	exit 1
+	;;
+esac
diff --git a/testing/tests/ikev1/rw-mark-in-out/hosts/venus/etc/init.d/iptables b/testing/tests/ikev1/rw-mark-in-out/hosts/venus/etc/init.d/iptables
new file mode 100755
index 000000000..5594bbf52
--- /dev/null
+++ b/testing/tests/ikev1/rw-mark-in-out/hosts/venus/etc/init.d/iptables
@@ -0,0 +1,77 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+	before net
+	need logger
+}
+
+start() {
+	ebegin "Starting firewall"
+
+	# default policy is DROP
+	/sbin/iptables -P INPUT DROP
+	/sbin/iptables -P OUTPUT DROP
+	/sbin/iptables -P FORWARD DROP
+
+        # allow ESP 
+        iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
+        iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+	# allow IKE
+	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+			
+	# allow MOBIKE 
+	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+	# allow crl fetch from winnetou
+	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+	# allow ssh
+	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
+	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+	
+			if [ $a == nat ]; then
+				/sbin/iptables -t nat -P PREROUTING ACCEPT
+				/sbin/iptables -t nat -P POSTROUTING ACCEPT
+				/sbin/iptables -t nat -P OUTPUT ACCEPT
+			elif [ $a == mangle ]; then
+				/sbin/iptables -t mangle -P PREROUTING ACCEPT
+				/sbin/iptables -t mangle -P INPUT ACCEPT
+				/sbin/iptables -t mangle -P FORWARD ACCEPT
+				/sbin/iptables -t mangle -P OUTPUT ACCEPT
+				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
+			elif [ $a == filter ]; then
+				/sbin/iptables -t filter -P INPUT ACCEPT
+				/sbin/iptables -t filter -P FORWARD ACCEPT
+				/sbin/iptables -t filter -P OUTPUT ACCEPT
+			fi
+		done
+	eend $?
+}
+
+reload() {
+	ebegin "Flushing firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+		done;
+        eend $?
+	start
+}
+
diff --git a/testing/tests/ikev1/rw-mark-in-out/hosts/venus/etc/ipsec.conf b/testing/tests/ikev1/rw-mark-in-out/hosts/venus/etc/ipsec.conf
new file mode 100755
index 000000000..e7561ebbe
--- /dev/null
+++ b/testing/tests/ikev1/rw-mark-in-out/hosts/venus/etc/ipsec.conf
@@ -0,0 +1,26 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutodebug=control
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	charonstart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+
+conn home
+	left=%defaultroute
+	leftsubnet=10.1.0.0/25
+	leftcert=venusCert.pem
+	leftid=@venus.strongswan.org
+	leftfirewall=yes
+	lefthostaccess=yes
+	right=PH_IP_SUN
+	rightid=@sun.strongswan.org
+	rightsubnet=10.2.0.0/16
+	auto=add
diff --git a/testing/tests/ikev1/rw-mark-in-out/posttest.dat b/testing/tests/ikev1/rw-mark-in-out/posttest.dat
new file mode 100644
index 000000000..fae79271b
--- /dev/null
+++ b/testing/tests/ikev1/rw-mark-in-out/posttest.dat
@@ -0,0 +1,12 @@
+sun::iptables -t mangle -v -n -L PREROUTING
+sun::ipsec stop
+alice::ipsec stop
+venus::ipsec stop
+alice::/etc/init.d/iptables stop 2> /dev/null
+venus::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
+sun::ip route del 10.1.0.0/16 via PH_IP_MOON
+sun::conntrack -F
+sun::rm /etc/mark_updown
+moon::iptables -t nat -F
+moon::conntrack -F
diff --git a/testing/tests/ikev1/rw-mark-in-out/pretest.dat b/testing/tests/ikev1/rw-mark-in-out/pretest.dat
new file mode 100644
index 000000000..427e5c67f
--- /dev/null
+++ b/testing/tests/ikev1/rw-mark-in-out/pretest.dat
@@ -0,0 +1,18 @@
+alice::/etc/init.d/iptables start 2> /dev/null
+venus::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
+moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to PH_IP_MOON
+sun::ip route add 10.1.0.0/16 via PH_IP_MOON
+sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 10 -j SNAT --to 10.3.0.10
+sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 20 -j SNAT --to 10.3.0.20
+sun::iptables -t mangle -A PREROUTING -d 10.3.0.10 -j MARK --set-mark 11
+sun::iptables -t mangle -A PREROUTING -d 10.3.0.20 -j MARK --set-mark 21
+alice::ipsec start
+venus::ipsec start
+sun::ipsec start
+alice::sleep 2
+alice::ipsec up home
+venus::sleep 2
+venus::ipsec up home
+venus::sleep 2
diff --git a/testing/tests/ikev1/rw-mark-in-out/test.conf b/testing/tests/ikev1/rw-mark-in-out/test.conf
new file mode 100644
index 000000000..ae3c190b8
--- /dev/null
+++ b/testing/tests/ikev1/rw-mark-in-out/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice venus moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-w-s-b.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon bob"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="alice venus sun"
diff --git a/testing/tests/ikev1/rw-psk-fqdn-named/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-fqdn-named/hosts/carol/etc/ipsec.conf
index f0e4036c0..ffa211299 100755
--- a/testing/tests/ikev1/rw-psk-fqdn-named/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/rw-psk-fqdn-named/hosts/carol/etc/ipsec.conf
@@ -9,6 +9,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	authby=secret
 	
 conn home
diff --git a/testing/tests/ikev1/rw-psk-fqdn-named/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-fqdn-named/hosts/carol/etc/strongswan.conf
index 85e5f1aee..453cdc07c 100644
--- a/testing/tests/ikev1/rw-psk-fqdn-named/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-psk-fqdn-named/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random
+  load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/ipsec.conf
index 864d014de..5f7cdedd2 100755
--- a/testing/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/ipsec.conf
@@ -9,6 +9,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	authby=secret
 	
 conn rw-carol 
diff --git a/testing/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/strongswan.conf
index 85e5f1aee..453cdc07c 100644
--- a/testing/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random
+  load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/ipsec.conf
index f0e4036c0..ffa211299 100755
--- a/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/ipsec.conf
@@ -9,6 +9,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	authby=secret
 	
 conn home
diff --git a/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/strongswan.conf
index 85e5f1aee..453cdc07c 100644
--- a/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random
+  load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/ipsec.conf
index f3a6db107..efec3b33d 100755
--- a/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/ipsec.conf
@@ -9,6 +9,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	authby=secret
 	
 conn rw
diff --git a/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/strongswan.conf
index 85e5f1aee..453cdc07c 100644
--- a/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random
+  load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/ipsec.conf
index d76337996..0d2a5d2c4 100755
--- a/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/ipsec.conf
@@ -9,6 +9,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	authby=secret
 	
 conn home
diff --git a/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
index 85e5f1aee..453cdc07c 100644
--- a/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random
+  load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/ipsec.conf
index 025f335b2..41582eaef 100755
--- a/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/ipsec.conf
@@ -9,6 +9,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	authby=secret
 	
 conn rw
diff --git a/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
index 85e5f1aee..453cdc07c 100644
--- a/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random
+  load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/rw-psk-no-policy/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-no-policy/hosts/carol/etc/ipsec.conf
index 980523a5e..c040fe88f 100755
--- a/testing/tests/ikev1/rw-psk-no-policy/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/rw-psk-no-policy/hosts/carol/etc/ipsec.conf
@@ -9,6 +9,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	
 conn home
 	authby=secret
diff --git a/testing/tests/ikev1/rw-psk-no-policy/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-no-policy/hosts/carol/etc/strongswan.conf
index 85e5f1aee..453cdc07c 100644
--- a/testing/tests/ikev1/rw-psk-no-policy/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-psk-no-policy/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random
+  load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/rw-psk-no-policy/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-no-policy/hosts/moon/etc/ipsec.conf
index d57d790d1..f0dbeb323 100755
--- a/testing/tests/ikev1/rw-psk-no-policy/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/rw-psk-no-policy/hosts/moon/etc/ipsec.conf
@@ -9,6 +9,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn rw
 	left=PH_IP_MOON
diff --git a/testing/tests/ikev1/rw-psk-no-policy/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-no-policy/hosts/moon/etc/strongswan.conf
index 85e5f1aee..453cdc07c 100644
--- a/testing/tests/ikev1/rw-psk-no-policy/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-psk-no-policy/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random
+  load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.conf
index 08a41e612..f2a15af0a 100755
--- a/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.conf
@@ -9,6 +9,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	ike=aes128,serpent128,twofish128,3des
 	
 conn home
diff --git a/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.conf
index b8900c082..02270e004 100755
--- a/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.conf
@@ -9,6 +9,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	left=PH_IP_MOON
 	leftid=@moon.strongswan.org
 	leftsubnet=10.1.0.0/16
diff --git a/testing/tests/ikev1/rw-rsa-no-policy/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/rw-rsa-no-policy/hosts/moon/etc/ipsec.conf
index dbfac50e2..dbd3adb4c 100755
--- a/testing/tests/ikev1/rw-rsa-no-policy/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/rw-rsa-no-policy/hosts/moon/etc/ipsec.conf
@@ -8,6 +8,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn rw-psk
 	authby=secret
diff --git a/testing/tests/ikev1/self-signed/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/self-signed/hosts/carol/etc/ipsec.conf
index db281ef80..f6859b8a4 100755
--- a/testing/tests/ikev1/self-signed/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/self-signed/hosts/carol/etc/ipsec.conf
@@ -12,6 +12,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn home
 	left=PH_IP_CAROL
diff --git a/testing/tests/ikev1/self-signed/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/self-signed/hosts/carol/etc/strongswan.conf
index 737117cc9..e589a9425 100644
--- a/testing/tests/ikev1/self-signed/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/self-signed/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
 }
 
 scepclient {
diff --git a/testing/tests/ikev1/self-signed/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/self-signed/hosts/moon/etc/ipsec.conf
index f3c2be9a1..f14352bf8 100755
--- a/testing/tests/ikev1/self-signed/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/self-signed/hosts/moon/etc/ipsec.conf
@@ -12,6 +12,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn carol
 	left=PH_IP_MOON
diff --git a/testing/tests/ikev1/self-signed/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/self-signed/hosts/moon/etc/strongswan.conf
index 737117cc9..e589a9425 100644
--- a/testing/tests/ikev1/self-signed/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/self-signed/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
 }
 
 scepclient {
diff --git a/testing/tests/ikev1/starter-also-loop/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/starter-also-loop/hosts/moon/etc/ipsec.conf
index cd751df3d..af2fcc5dc 100755
--- a/testing/tests/ikev1/starter-also-loop/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/starter-also-loop/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn net-net
 	also=host-host
diff --git a/testing/tests/ikev1/starter-also/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/starter-also/hosts/moon/etc/ipsec.conf
index e78231f0c..2bd4985ca 100755
--- a/testing/tests/ikev1/starter-also/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/starter-also/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn net-net
 	also=host-host
diff --git a/testing/tests/ikev1/starter-includes/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/starter-includes/hosts/carol/etc/ipsec.conf
index 57ec7040e..9c75434c2 100755
--- a/testing/tests/ikev1/starter-includes/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/starter-includes/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn home
 	left=PH_IP_CAROL
diff --git a/testing/tests/ikev1/starter-includes/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/starter-includes/hosts/dave/etc/ipsec.conf
index 3179faa05..726998e19 100755
--- a/testing/tests/ikev1/starter-includes/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/starter-includes/hosts/dave/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn home
 	left=PH_IP_DAVE
diff --git a/testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.connections b/testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.connections
index 7cd938628..bd47f9e09 100644
--- a/testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.connections
+++ b/testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.connections
@@ -5,6 +5,7 @@ conn %default
         keylife=20m
         rekeymargin=3m
         keyingtries=1
+	keyexchange=ikev1
 
 include /etc/ipsec.host
 
diff --git a/testing/tests/ikev1/strong-certs/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/strong-certs/hosts/carol/etc/ipsec.conf
index a2af4e9f8..2a1dad5c6 100755
--- a/testing/tests/ikev1/strong-certs/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/strong-certs/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn home
 	left=PH_IP_CAROL
diff --git a/testing/tests/ikev1/strong-certs/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/strong-certs/hosts/dave/etc/ipsec.conf
index e48b1a78c..e10e9d45c 100755
--- a/testing/tests/ikev1/strong-certs/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/strong-certs/hosts/dave/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn home
 	left=PH_IP_DAVE
diff --git a/testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.conf
index b9710cb14..67e97ebc2 100755
--- a/testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn rw
 	left=PH_IP_MOON
diff --git a/testing/tests/ikev1/virtual-ip-swapped/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/virtual-ip-swapped/hosts/carol/etc/ipsec.conf
index b4ad3c011..4dfa345f4 100755
--- a/testing/tests/ikev1/virtual-ip-swapped/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/virtual-ip-swapped/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn home
 	right=PH_IP_CAROL
diff --git a/testing/tests/ikev1/virtual-ip-swapped/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/virtual-ip-swapped/hosts/moon/etc/ipsec.conf
index eafcf5e55..b65d7a690 100755
--- a/testing/tests/ikev1/virtual-ip-swapped/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/virtual-ip-swapped/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn rw
 	right=PH_IP_MOON
diff --git a/testing/tests/ikev1/virtual-ip/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/virtual-ip/hosts/carol/etc/ipsec.conf
index 71aa4decf..e0ef16930 100755
--- a/testing/tests/ikev1/virtual-ip/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/virtual-ip/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn home
 	left=PH_IP_CAROL
diff --git a/testing/tests/ikev1/virtual-ip/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/virtual-ip/hosts/moon/etc/ipsec.conf
index 471e9e833..63a8c92b5 100755
--- a/testing/tests/ikev1/virtual-ip/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/virtual-ip/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn rw
 	left=PH_IP_MOON
diff --git a/testing/tests/ikev1/wildcards/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/wildcards/hosts/carol/etc/ipsec.conf
index d4ce57333..cf93bb231 100755
--- a/testing/tests/ikev1/wildcards/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/wildcards/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	left=PH_IP_CAROL
 	leftcert=carolCert.pem
 	right=PH_IP_MOON
diff --git a/testing/tests/ikev1/wildcards/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/wildcards/hosts/dave/etc/ipsec.conf
index ea445522e..5f04445d2 100755
--- a/testing/tests/ikev1/wildcards/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/wildcards/hosts/dave/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	left=PH_IP_DAVE
 	leftcert=daveCert.pem
 	right=PH_IP_MOON
diff --git a/testing/tests/ikev1/wildcards/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/wildcards/hosts/moon/etc/ipsec.conf
index 8952bc92f..39b031551 100755
--- a/testing/tests/ikev1/wildcards/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/wildcards/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	left=PH_IP_MOON
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
diff --git a/testing/tests/ikev1/wlan/hosts/alice/etc/ipsec.conf b/testing/tests/ikev1/wlan/hosts/alice/etc/ipsec.conf
index 30b657662..e3cf9b15d 100755
--- a/testing/tests/ikev1/wlan/hosts/alice/etc/ipsec.conf
+++ b/testing/tests/ikev1/wlan/hosts/alice/etc/ipsec.conf
@@ -12,6 +12,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn system
 	left=PH_IP_ALICE
diff --git a/testing/tests/ikev1/wlan/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/wlan/hosts/moon/etc/ipsec.conf
index ab3287aee..61ce28e6b 100755
--- a/testing/tests/ikev1/wlan/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/wlan/hosts/moon/etc/ipsec.conf
@@ -12,6 +12,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn alice
 	right=PH_IP_ALICE
diff --git a/testing/tests/ikev1/wlan/hosts/venus/etc/ipsec.conf b/testing/tests/ikev1/wlan/hosts/venus/etc/ipsec.conf
index bb9897c79..fa2dc953e 100755
--- a/testing/tests/ikev1/wlan/hosts/venus/etc/ipsec.conf
+++ b/testing/tests/ikev1/wlan/hosts/venus/etc/ipsec.conf
@@ -12,6 +12,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn system
 	left=PH_IP_VENUS
diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/carol/etc/ipsec.conf
index aa0ae1289..b7402d24b 100644
--- a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	authby=xauthpsk
 
 conn home
diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/carol/etc/strongswan.conf
index dbd431cc2..e3f377d18 100644
--- a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random xauth
+  load = sha1 sha2 md5 aes des hmac gmp random xauth resolve kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/dave/etc/ipsec.conf
index 0243f5afb..8f9226dd1 100644
--- a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/dave/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	authby=xauthpsk
 
 conn home
diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/dave/etc/strongswan.conf
index dbd431cc2..e3f377d18 100644
--- a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random xauth
+  load = sha1 sha2 md5 aes des hmac gmp random xauth resolve kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/moon/etc/ipsec.conf
index 4206f8916..452187f11 100644
--- a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	authby=xauthpsk
 	xauth=server
 
diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/moon/etc/strongswan.conf
index dbd431cc2..089467da4 100644
--- a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random xauth
+  load = sha1 sha2 md5 aes des hmac gmp random xauth attr kernel-netlink
+  dns1 = 192.168.0.150
+  dns2 = 10.1.0.20
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/posttest.dat b/testing/tests/ikev1/xauth-id-psk-mode-config/posttest.dat
index 42fa8359b..f90d222b5 100644
--- a/testing/tests/ikev1/xauth-id-psk-mode-config/posttest.dat
+++ b/testing/tests/ikev1/xauth-id-psk-mode-config/posttest.dat
@@ -1,6 +1,6 @@
-moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
+moon::ipsec stop
 moon::/etc/init.d/iptables stop 2> /dev/null
 carol::/etc/init.d/iptables stop 2> /dev/null
 dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev1/xauth-id-psk/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-psk/hosts/carol/etc/ipsec.conf
index 48015ad4c..da1a10513 100644
--- a/testing/tests/ikev1/xauth-id-psk/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-id-psk/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	authby=xauthpsk
 
 conn home
diff --git a/testing/tests/ikev1/xauth-id-psk/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-psk/hosts/carol/etc/strongswan.conf
index dbd431cc2..c9eb0bc97 100644
--- a/testing/tests/ikev1/xauth-id-psk/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-id-psk/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random xauth
+  load = sha1 sha2 md5 aes des hmac gmp random xauth kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/xauth-id-psk/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-psk/hosts/dave/etc/ipsec.conf
index baa85e32c..3a4b75af6 100644
--- a/testing/tests/ikev1/xauth-id-psk/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-id-psk/hosts/dave/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	authby=xauthpsk
 
 conn home
diff --git a/testing/tests/ikev1/xauth-id-psk/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-psk/hosts/dave/etc/strongswan.conf
index dbd431cc2..c9eb0bc97 100644
--- a/testing/tests/ikev1/xauth-id-psk/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-id-psk/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random xauth
+  load = sha1 sha2 md5 aes des hmac gmp random xauth kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/xauth-id-psk/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-psk/hosts/moon/etc/ipsec.conf
index c92ad8748..850ea561b 100644
--- a/testing/tests/ikev1/xauth-id-psk/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-id-psk/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	authby=xauthpsk
 	xauth=server
 
diff --git a/testing/tests/ikev1/xauth-id-psk/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-psk/hosts/moon/etc/strongswan.conf
index dbd431cc2..c9eb0bc97 100644
--- a/testing/tests/ikev1/xauth-id-psk/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-id-psk/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random xauth
+  load = sha1 sha2 md5 aes des hmac gmp random xauth kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/xauth-id-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-rsa/hosts/carol/etc/ipsec.conf
index 32b1227bb..be62c2b8f 100644
--- a/testing/tests/ikev1/xauth-id-rsa/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-id-rsa/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	authby=xauthrsasig
 
 conn home
diff --git a/testing/tests/ikev1/xauth-id-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa/hosts/carol/etc/strongswan.conf
index 556f76c74..de1cbb134 100644
--- a/testing/tests/ikev1/xauth-id-rsa/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-id-rsa/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/xauth-id-rsa/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-rsa/hosts/dave/etc/ipsec.conf
index 090deac77..c09fb3c2c 100644
--- a/testing/tests/ikev1/xauth-id-rsa/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-id-rsa/hosts/dave/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	authby=xauthrsasig
 
 conn home
diff --git a/testing/tests/ikev1/xauth-id-rsa/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa/hosts/dave/etc/strongswan.conf
index 556f76c74..de1cbb134 100644
--- a/testing/tests/ikev1/xauth-id-rsa/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-id-rsa/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/xauth-id-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-rsa/hosts/moon/etc/ipsec.conf
index f79a81a6f..251041443 100644
--- a/testing/tests/ikev1/xauth-id-rsa/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-id-rsa/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	authby=xauthrsasig
 	xauth=server
 
diff --git a/testing/tests/ikev1/xauth-id-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa/hosts/moon/etc/strongswan.conf
index 556f76c74..de1cbb134 100644
--- a/testing/tests/ikev1/xauth-id-rsa/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-id-rsa/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/xauth-psk/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-psk/hosts/carol/etc/ipsec.conf
index 684ace0d3..1c7d7002e 100644
--- a/testing/tests/ikev1/xauth-psk/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-psk/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	authby=xauthpsk
 
 conn home
diff --git a/testing/tests/ikev1/xauth-psk/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-psk/hosts/carol/etc/strongswan.conf
index dbd431cc2..c9eb0bc97 100644
--- a/testing/tests/ikev1/xauth-psk/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-psk/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random xauth
+  load = sha1 sha2 md5 aes des hmac gmp random xauth kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/xauth-psk/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/xauth-psk/hosts/dave/etc/ipsec.conf
index 14307a7f0..782c160c9 100644
--- a/testing/tests/ikev1/xauth-psk/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-psk/hosts/dave/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	authby=xauthpsk
 
 conn home
diff --git a/testing/tests/ikev1/xauth-psk/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-psk/hosts/dave/etc/strongswan.conf
index dbd431cc2..c9eb0bc97 100644
--- a/testing/tests/ikev1/xauth-psk/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-psk/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random xauth
+  load = sha1 sha2 md5 aes des hmac gmp random xauth kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/xauth-psk/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-psk/hosts/moon/etc/ipsec.conf
index a4e01b564..595e6588c 100644
--- a/testing/tests/ikev1/xauth-psk/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-psk/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	authby=xauthpsk
 	xauth=server
 
diff --git a/testing/tests/ikev1/xauth-psk/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-psk/hosts/moon/etc/strongswan.conf
index dbd431cc2..c9eb0bc97 100644
--- a/testing/tests/ikev1/xauth-psk/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-psk/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random xauth
+  load = sha1 sha2 md5 aes des hmac gmp random xauth kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/ipsec.conf
index 47bf1dafc..186d8e121 100755
--- a/testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	authby=xauthrsasig
 
 conn home
diff --git a/testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/strongswan.conf
index 556f76c74..de1cbb134 100644
--- a/testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/ipsec.conf
index f79a81a6f..251041443 100755
--- a/testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	authby=xauthrsasig
 	xauth=server
 
diff --git a/testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/strongswan.conf
index 556f76c74..de1cbb134 100644
--- a/testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/ipsec.conf
index 47928181f..ca2df4b28 100644
--- a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	authby=xauthrsasig
 
 conn home
diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/strongswan.conf
index 556f76c74..de1cbb134 100644
--- a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/ipsec.conf
index 8c8cb4a2d..079c6b0d5 100644
--- a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	authby=xauthrsasig
 
 conn home
diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/strongswan.conf
index 556f76c74..de1cbb134 100644
--- a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/ipsec.conf
index 1c48e13e7..0a65acb5d 100644
--- a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	authby=xauthrsasig
 	xauth=server
 	left=PH_IP_MOON
diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/strongswan.conf
index 556f76c74..de1cbb134 100644
--- a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/posttest.dat b/testing/tests/ikev1/xauth-rsa-mode-config/posttest.dat
index 42fa8359b..f90d222b5 100644
--- a/testing/tests/ikev1/xauth-rsa-mode-config/posttest.dat
+++ b/testing/tests/ikev1/xauth-rsa-mode-config/posttest.dat
@@ -1,6 +1,6 @@
-moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
+moon::ipsec stop
 moon::/etc/init.d/iptables stop 2> /dev/null
 carol::/etc/init.d/iptables stop 2> /dev/null
 dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/ipsec.conf
index 1e21fbb97..fc86bab41 100755
--- a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	authby=xauthrsasig
 
 conn home
diff --git a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/strongswan.conf
index 556f76c74..de1cbb134 100644
--- a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/ipsec.conf
index 94cc6819d..e2709cdf1 100755
--- a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	authby=xauthrsasig
 	xauth=server
 
diff --git a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/strongswan.conf
index 556f76c74..de1cbb134 100644
--- a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/ipsec.conf
index 47bf1dafc..186d8e121 100644
--- a/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	authby=xauthrsasig
 
 conn home
diff --git a/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/strongswan.conf
index 556f76c74..de1cbb134 100644
--- a/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/ipsec.conf
index 1fcf71d5c..478e732ae 100644
--- a/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	authby=xauthrsasig
 
 conn home
diff --git a/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/strongswan.conf
index 556f76c74..de1cbb134 100644
--- a/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/ipsec.conf
index f79a81a6f..251041443 100644
--- a/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	authby=xauthrsasig
 	xauth=server
 
diff --git a/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/strongswan.conf
index 556f76c74..de1cbb134 100644
--- a/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev2/alg-3des-md5/test.conf b/testing/tests/ikev2/alg-3des-md5/test.conf
index acb73b06f..9cd583b16 100644
--- a/testing/tests/ikev2/alg-3des-md5/test.conf
+++ b/testing/tests/ikev2/alg-3des-md5/test.conf
@@ -5,11 +5,11 @@
 
 # All UML instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
 
 # UML instances on which tcpdump is to be started
 #
diff --git a/testing/tests/ikev2/alg-aes-ccm/description.txt b/testing/tests/ikev2/alg-aes-ccm/description.txt
new file mode 100644
index 000000000..28e38ca7f
--- /dev/null
+++ b/testing/tests/ikev2/alg-aes-ccm/description.txt
@@ -0,0 +1,4 @@
+Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the cipher suite
+<b>AES_CCM_12_128</b> both for IKE and ESP by defining <b>ike=aes128ccm12-aesxcbc-modp2048</b>
+(or alternatively <b>aes128ccm96</b>) and <b>esp=aes128ccm12-modp2048</b> in ipsec.conf, respectively.
+A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev2/alg-aes-ccm/evaltest.dat b/testing/tests/ikev2/alg-aes-ccm/evaltest.dat
new file mode 100644
index 000000000..0834a8db0
--- /dev/null
+++ b/testing/tests/ikev2/alg-aes-ccm/evaltest.dat
@@ -0,0 +1,11 @@
+moon::ipsec statusall::rw.*INSTALLED::YES
+carol::ipsec statusall::home.*INSTALLED::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::ipsec statusall::IKE proposal: AES_CCM_12_128::YES
+carol::ipsec statusall::IKE proposal: AES_CCM_12_128::YES
+moon::ipsec statusall::AES_CCM_12_128,::YES
+carol::ipsec statusall::AES_CCM_12_128,::YES
+moon::ip xfrm state::aead rfc4309(ccm(aes))::YES
+carol::ip xfrm state::aead rfc4309(ccm(aes))::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 180::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 180::YES
diff --git a/testing/tests/ikev2/alg-aes-ccm/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/alg-aes-ccm/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..6bcfbc28d
--- /dev/null
+++ b/testing/tests/ikev2/alg-aes-ccm/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=yes
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=aes128ccm96-aesxcbc-modp2048!
+	esp=aes128ccm96-modp2048!
+
+conn home
+	left=PH_IP_CAROL
+	leftfirewall=yes
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add 
diff --git a/testing/tests/ikev2/alg-aes-ccm/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-aes-ccm/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..db2c09bae
--- /dev/null
+++ b/testing/tests/ikev2/alg-aes-ccm/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc ccm stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/alg-aes-ccm/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/alg-aes-ccm/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..1d6f13861
--- /dev/null
+++ b/testing/tests/ikev2/alg-aes-ccm/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=yes
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=aes128ccm12-aesxcbc-modp2048!
+	esp=aes128ccm12-modp2048!
+
+conn rw
+	left=PH_IP_MOON
+	leftfirewall=yes
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	right=%any
+	auto=add
diff --git a/testing/tests/ikev2/alg-aes-ccm/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-aes-ccm/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..db2c09bae
--- /dev/null
+++ b/testing/tests/ikev2/alg-aes-ccm/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc ccm stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/alg-aes-ccm/posttest.dat b/testing/tests/ikev2/alg-aes-ccm/posttest.dat
new file mode 100644
index 000000000..94a400606
--- /dev/null
+++ b/testing/tests/ikev2/alg-aes-ccm/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/alg-aes-ccm/pretest.dat b/testing/tests/ikev2/alg-aes-ccm/pretest.dat
new file mode 100644
index 000000000..f360351e1
--- /dev/null
+++ b/testing/tests/ikev2/alg-aes-ccm/pretest.dat
@@ -0,0 +1,6 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+carol::sleep 1 
+carol::ipsec up home
diff --git a/testing/tests/ikev2/alg-aes-ccm/test.conf b/testing/tests/ikev2/alg-aes-ccm/test.conf
new file mode 100644
index 000000000..acb73b06f
--- /dev/null
+++ b/testing/tests/ikev2/alg-aes-ccm/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/alg-aes-ctr/description.txt b/testing/tests/ikev2/alg-aes-ctr/description.txt
new file mode 100644
index 000000000..edb601b61
--- /dev/null
+++ b/testing/tests/ikev2/alg-aes-ctr/description.txt
@@ -0,0 +1,4 @@
+Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the cipher suite
+<b>AES_CTR_128</b> both for IKE and ESP by defining <b>ike=aes128ctr-aesxcbc-modp2048</b>
+and <b>esp=aes128ctr-aesxcbc-modp2048</b> in ipsec.conf, respectively.
+A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev2/alg-aes-ctr/evaltest.dat b/testing/tests/ikev2/alg-aes-ctr/evaltest.dat
new file mode 100644
index 000000000..522ce6088
--- /dev/null
+++ b/testing/tests/ikev2/alg-aes-ctr/evaltest.dat
@@ -0,0 +1,12 @@
+moon::ipsec statusall::rw.*INSTALLED::YES
+carol::ipsec statusall::home.*INSTALLED::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::ipsec statusall::IKE proposal: AES_CTR_128::YES
+carol::ipsec statusall::IKE proposal: AES_CTR_128::YES
+moon::ipsec statusall::AES_CTR_128/AES_XCBC_96,::YES
+carol::ipsec statusall::AES_CTR_128/AES_XCBC_96,::YES
+moon::ip xfrm state::rfc3686(ctr(aes))::YES
+carol::ip xfrm state::rfc3686(ctr(aes))::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 180::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 180::YES
+
diff --git a/testing/tests/ikev2/alg-aes-ctr/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/alg-aes-ctr/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..70c482835
--- /dev/null
+++ b/testing/tests/ikev2/alg-aes-ctr/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=yes
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=aes128ctr-aesxcbc-modp2048!
+	esp=aes128ctr-aesxcbc-modp2048!
+
+conn home
+	left=PH_IP_CAROL
+	leftfirewall=yes
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add 
diff --git a/testing/tests/ikev2/alg-aes-ctr/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-aes-ctr/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..be46d6d3e
--- /dev/null
+++ b/testing/tests/ikev2/alg-aes-ctr/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc ctr stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/alg-aes-ctr/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/alg-aes-ctr/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..bf103742f
--- /dev/null
+++ b/testing/tests/ikev2/alg-aes-ctr/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=yes
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=aes128ctr-aesxcbc-modp2048!
+	esp=aes128ctr-aesxcbc-modp2048!
+
+conn rw
+	left=PH_IP_MOON
+	leftfirewall=yes
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	right=%any
+	auto=add
diff --git a/testing/tests/ikev2/alg-aes-ctr/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-aes-ctr/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..be46d6d3e
--- /dev/null
+++ b/testing/tests/ikev2/alg-aes-ctr/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc ctr stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/alg-aes-ctr/posttest.dat b/testing/tests/ikev2/alg-aes-ctr/posttest.dat
new file mode 100644
index 000000000..94a400606
--- /dev/null
+++ b/testing/tests/ikev2/alg-aes-ctr/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/alg-aes-ctr/pretest.dat b/testing/tests/ikev2/alg-aes-ctr/pretest.dat
new file mode 100644
index 000000000..f360351e1
--- /dev/null
+++ b/testing/tests/ikev2/alg-aes-ctr/pretest.dat
@@ -0,0 +1,6 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+carol::sleep 1 
+carol::ipsec up home
diff --git a/testing/tests/ikev2/alg-aes-ctr/test.conf b/testing/tests/ikev2/alg-aes-ctr/test.conf
new file mode 100644
index 000000000..9cd583b16
--- /dev/null
+++ b/testing/tests/ikev2/alg-aes-ctr/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/alg-aes-gcm/description.txt b/testing/tests/ikev2/alg-aes-gcm/description.txt
new file mode 100644
index 000000000..2afcecd68
--- /dev/null
+++ b/testing/tests/ikev2/alg-aes-gcm/description.txt
@@ -0,0 +1,5 @@
+Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the cipher suite
+<b>AES_GCM_16_256</b> both for IKE and ESP by defining <b>ike=aes256gcm16-aesxcbc-modp2048</b>
+(or alternatively <b>aes256gcm128</b>) and <b>esp=aes256gcm16-modp2048</b> in ipsec.conf,
+respectively.
+A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev2/alg-aes-gcm/evaltest.dat b/testing/tests/ikev2/alg-aes-gcm/evaltest.dat
new file mode 100644
index 000000000..9cd3e8e15
--- /dev/null
+++ b/testing/tests/ikev2/alg-aes-gcm/evaltest.dat
@@ -0,0 +1,11 @@
+moon::ipsec statusall::rw.*INSTALLED::YES
+carol::ipsec statusall::home.*INSTALLED::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::ipsec statusall::IKE proposal: AES_GCM_16_256::YES
+carol::ipsec statusall::IKE proposal: AES_GCM_16_256::YES
+moon::ipsec statusall::AES_GCM_16_256,::YES
+carol::ipsec statusall::AES_GCM_16_256,::YES
+moon::ip xfrm state::aead rfc4106(gcm(aes))::YES
+carol::ip xfrm state::aead rfc4106(gcm(aes))::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 184::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 184::YES
diff --git a/testing/tests/ikev2/alg-aes-gcm/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/alg-aes-gcm/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..e3f19aff8
--- /dev/null
+++ b/testing/tests/ikev2/alg-aes-gcm/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=yes
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=aes256gcm128-aesxcbc-modp2048!
+	esp=aes256gcm128-modp2048!
+
+conn home
+	left=PH_IP_CAROL
+	leftfirewall=yes
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add 
diff --git a/testing/tests/ikev2/alg-aes-gcm/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-aes-gcm/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..7fe7619f1
--- /dev/null
+++ b/testing/tests/ikev2/alg-aes-gcm/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc gcm stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/alg-aes-gcm/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/alg-aes-gcm/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..0d51a3ea8
--- /dev/null
+++ b/testing/tests/ikev2/alg-aes-gcm/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=yes
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=aes256gcm16-aesxcbc-modp2048!
+	esp=aes256gcm16-modp2048!
+
+conn rw
+	left=PH_IP_MOON
+	leftfirewall=yes
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	right=%any
+	auto=add
diff --git a/testing/tests/ikev2/alg-aes-gcm/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-aes-gcm/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..7fe7619f1
--- /dev/null
+++ b/testing/tests/ikev2/alg-aes-gcm/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc gcm stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/alg-aes-gcm/posttest.dat b/testing/tests/ikev2/alg-aes-gcm/posttest.dat
new file mode 100644
index 000000000..94a400606
--- /dev/null
+++ b/testing/tests/ikev2/alg-aes-gcm/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/alg-aes-gcm/pretest.dat b/testing/tests/ikev2/alg-aes-gcm/pretest.dat
new file mode 100644
index 000000000..f360351e1
--- /dev/null
+++ b/testing/tests/ikev2/alg-aes-gcm/pretest.dat
@@ -0,0 +1,6 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+carol::sleep 1 
+carol::ipsec up home
diff --git a/testing/tests/ikev2/alg-aes-gcm/test.conf b/testing/tests/ikev2/alg-aes-gcm/test.conf
new file mode 100644
index 000000000..9cd583b16
--- /dev/null
+++ b/testing/tests/ikev2/alg-aes-gcm/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/alg-aes-xcbc/test.conf b/testing/tests/ikev2/alg-aes-xcbc/test.conf
index acb73b06f..9cd583b16 100644
--- a/testing/tests/ikev2/alg-aes-xcbc/test.conf
+++ b/testing/tests/ikev2/alg-aes-xcbc/test.conf
@@ -5,11 +5,11 @@
 
 # All UML instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
 
 # UML instances on which tcpdump is to be started
 #
diff --git a/testing/tests/ikev2/alg-sha256-96/test.conf b/testing/tests/ikev2/alg-sha256-96/test.conf
index acb73b06f..9cd583b16 100644
--- a/testing/tests/ikev2/alg-sha256-96/test.conf
+++ b/testing/tests/ikev2/alg-sha256-96/test.conf
@@ -5,11 +5,11 @@
 
 # All UML instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
 
 # UML instances on which tcpdump is to be started
 #
diff --git a/testing/tests/ikev2/alg-sha256/test.conf b/testing/tests/ikev2/alg-sha256/test.conf
index acb73b06f..9cd583b16 100644
--- a/testing/tests/ikev2/alg-sha256/test.conf
+++ b/testing/tests/ikev2/alg-sha256/test.conf
@@ -5,11 +5,11 @@
 
 # All UML instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
 
 # UML instances on which tcpdump is to be started
 #
diff --git a/testing/tests/ikev2/alg-sha384/test.conf b/testing/tests/ikev2/alg-sha384/test.conf
index acb73b06f..9cd583b16 100644
--- a/testing/tests/ikev2/alg-sha384/test.conf
+++ b/testing/tests/ikev2/alg-sha384/test.conf
@@ -5,11 +5,11 @@
 
 # All UML instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
 
 # UML instances on which tcpdump is to be started
 #
diff --git a/testing/tests/ikev2/alg-sha512/test.conf b/testing/tests/ikev2/alg-sha512/test.conf
index acb73b06f..9cd583b16 100644
--- a/testing/tests/ikev2/alg-sha512/test.conf
+++ b/testing/tests/ikev2/alg-sha512/test.conf
@@ -5,11 +5,11 @@
 
 # All UML instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
 
 # UML instances on which tcpdump is to be started
 #
diff --git a/testing/tests/ikev2/compress/test.conf b/testing/tests/ikev2/compress/test.conf
index fd33cfb57..6abbb89a9 100644
--- a/testing/tests/ikev2/compress/test.conf
+++ b/testing/tests/ikev2/compress/test.conf
@@ -5,11 +5,11 @@
 
 # All UML instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
 
 # UML instances on which tcpdump is to be started
 #
diff --git a/testing/tests/ikev2/dpd-hold/test.conf b/testing/tests/ikev2/dpd-hold/test.conf
index 2b240d895..5442565f8 100644
--- a/testing/tests/ikev2/dpd-hold/test.conf
+++ b/testing/tests/ikev2/dpd-hold/test.conf
@@ -5,11 +5,11 @@
 
 # All UML instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
 
 # UML instances on which tcpdump is to be started
 #
diff --git a/testing/tests/ikev2/esp-alg-aes-ccm/description.txt b/testing/tests/ikev2/esp-alg-aes-ccm/description.txt
deleted file mode 100644
index 9fe03b010..000000000
--- a/testing/tests/ikev2/esp-alg-aes-ccm/description.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
-<b>AES_CCM_12_128</b> by defining <b>esp=aes128ccm12-modp2048</b> or alternatively
-<b>esp=aes128ccm96-modp2048</b> in ipsec.conf.
-A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev2/esp-alg-aes-ccm/evaltest.dat b/testing/tests/ikev2/esp-alg-aes-ccm/evaltest.dat
deleted file mode 100644
index f7959d129..000000000
--- a/testing/tests/ikev2/esp-alg-aes-ccm/evaltest.dat
+++ /dev/null
@@ -1,9 +0,0 @@
-moon::ipsec statusall::rw.*INSTALLED::YES
-carol::ipsec statusall::home.*INSTALLED::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::ipsec statusall::AES_CCM_12_128::YES
-carol::ipsec statusall::AES_CCM_12_128::YES
-carol::ip xfrm state::aead rfc4309(ccm(aes))::YES
-moon::ip xfrm state::aead rfc4309(ccm(aes))::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 180::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 180::YES
diff --git a/testing/tests/ikev2/esp-alg-aes-ccm/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-aes-ccm/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index 85c825002..000000000
--- a/testing/tests/ikev2/esp-alg-aes-ccm/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-        crlcheckinterval=180
-	strictcrlpolicy=yes
-	plutostart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-	ike=aes128-aesxcbc-modp2048!
-	esp=aes128ccm96-modp2048!
-
-conn home
-	left=PH_IP_CAROL
-	leftfirewall=yes
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	rightid=@moon.strongswan.org
-	auto=add 
diff --git a/testing/tests/ikev2/esp-alg-aes-ccm/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-aes-ccm/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 339b56987..000000000
--- a/testing/tests/ikev2/esp-alg-aes-ccm/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2/esp-alg-aes-ccm/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-aes-ccm/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index 8f8404516..000000000
--- a/testing/tests/ikev2/esp-alg-aes-ccm/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-        crlcheckinterval=180
-	strictcrlpolicy=yes
-	plutostart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-	ike=aes128-aesxcbc-modp2048!
-	esp=aes128ccm12-modp2048!
-
-conn rw
-	left=PH_IP_MOON
-	leftfirewall=yes
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftsubnet=10.1.0.0/16
-	right=%any
-	auto=add
diff --git a/testing/tests/ikev2/esp-alg-aes-ccm/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-aes-ccm/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 339b56987..000000000
--- a/testing/tests/ikev2/esp-alg-aes-ccm/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2/esp-alg-aes-ccm/posttest.dat b/testing/tests/ikev2/esp-alg-aes-ccm/posttest.dat
deleted file mode 100644
index 94a400606..000000000
--- a/testing/tests/ikev2/esp-alg-aes-ccm/posttest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/esp-alg-aes-ccm/pretest.dat b/testing/tests/ikev2/esp-alg-aes-ccm/pretest.dat
deleted file mode 100644
index f360351e1..000000000
--- a/testing/tests/ikev2/esp-alg-aes-ccm/pretest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-moon::ipsec start
-carol::ipsec start
-carol::sleep 1 
-carol::ipsec up home
diff --git a/testing/tests/ikev2/esp-alg-aes-ccm/test.conf b/testing/tests/ikev2/esp-alg-aes-ccm/test.conf
deleted file mode 100644
index acb73b06f..000000000
--- a/testing/tests/ikev2/esp-alg-aes-ccm/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/esp-alg-aes-ctr/description.txt b/testing/tests/ikev2/esp-alg-aes-ctr/description.txt
deleted file mode 100644
index 6443a348f..000000000
--- a/testing/tests/ikev2/esp-alg-aes-ctr/description.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
-<b>AES_CTR_128 / AES_XCBC_96</b> by defining <b>esp=aes128ctr-aesxcbc-modp2048</b> in ipsec.conf.
-A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev2/esp-alg-aes-ctr/evaltest.dat b/testing/tests/ikev2/esp-alg-aes-ctr/evaltest.dat
deleted file mode 100644
index 6b5d0ba0b..000000000
--- a/testing/tests/ikev2/esp-alg-aes-ctr/evaltest.dat
+++ /dev/null
@@ -1,10 +0,0 @@
-moon::ipsec statusall::rw.*INSTALLED::YES
-carol::ipsec statusall::home.*INSTALLED::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::ipsec statusall::AES_CTR_128/AES_XCBC_96::YES
-carol::ipsec statusall::AES_CTR_128/AES_XCBC_96::YES
-moon::ip xfrm state::rfc3686(ctr(aes))::YES
-carol::ip xfrm state::rfc3686(ctr(aes))::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 180::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 180::YES
-
diff --git a/testing/tests/ikev2/esp-alg-aes-ctr/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-aes-ctr/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index 02ca66b75..000000000
--- a/testing/tests/ikev2/esp-alg-aes-ctr/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-        crlcheckinterval=180
-	strictcrlpolicy=yes
-	plutostart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-	ike=aes128-aesxcbc-modp2048!
-	esp=aes128ctr-aesxcbc-modp2048!
-
-conn home
-	left=PH_IP_CAROL
-	leftfirewall=yes
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	rightid=@moon.strongswan.org
-	auto=add 
diff --git a/testing/tests/ikev2/esp-alg-aes-ctr/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-aes-ctr/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 339b56987..000000000
--- a/testing/tests/ikev2/esp-alg-aes-ctr/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2/esp-alg-aes-ctr/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-aes-ctr/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index 1c19714b9..000000000
--- a/testing/tests/ikev2/esp-alg-aes-ctr/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-        crlcheckinterval=180
-	strictcrlpolicy=yes
-	plutostart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-	ike=aes128-aesxcbc-modp2048!
-	esp=aes128ctr-aesxcbc-modp2048!
-
-conn rw
-	left=PH_IP_MOON
-	leftfirewall=yes
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftsubnet=10.1.0.0/16
-	right=%any
-	auto=add
diff --git a/testing/tests/ikev2/esp-alg-aes-ctr/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-aes-ctr/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 339b56987..000000000
--- a/testing/tests/ikev2/esp-alg-aes-ctr/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2/esp-alg-aes-ctr/posttest.dat b/testing/tests/ikev2/esp-alg-aes-ctr/posttest.dat
deleted file mode 100644
index 94a400606..000000000
--- a/testing/tests/ikev2/esp-alg-aes-ctr/posttest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/esp-alg-aes-ctr/pretest.dat b/testing/tests/ikev2/esp-alg-aes-ctr/pretest.dat
deleted file mode 100644
index f360351e1..000000000
--- a/testing/tests/ikev2/esp-alg-aes-ctr/pretest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-moon::ipsec start
-carol::ipsec start
-carol::sleep 1 
-carol::ipsec up home
diff --git a/testing/tests/ikev2/esp-alg-aes-ctr/test.conf b/testing/tests/ikev2/esp-alg-aes-ctr/test.conf
deleted file mode 100644
index acb73b06f..000000000
--- a/testing/tests/ikev2/esp-alg-aes-ctr/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/esp-alg-aes-gcm/description.txt b/testing/tests/ikev2/esp-alg-aes-gcm/description.txt
deleted file mode 100644
index bd9521e0d..000000000
--- a/testing/tests/ikev2/esp-alg-aes-gcm/description.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
-<b>AES_GCM_16_256</b> by defining <b>esp=aes256gcm16-modp2048</b> or alternatively
-<b>esp=aes256gcm128-modp2048</b> in ipsec.conf.
-A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev2/esp-alg-aes-gcm/evaltest.dat b/testing/tests/ikev2/esp-alg-aes-gcm/evaltest.dat
deleted file mode 100644
index 7434cc156..000000000
--- a/testing/tests/ikev2/esp-alg-aes-gcm/evaltest.dat
+++ /dev/null
@@ -1,9 +0,0 @@
-moon::ipsec statusall::rw.*INSTALLED::YES
-carol::ipsec statusall::home.*INSTALLED::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::ipsec statusall::AES_GCM_16_256::YES
-carol::ipsec statusall::AES_GCM_16_256::YES
-carol::ip xfrm state::aead rfc4106(gcm(aes))::YES
-moon::ip xfrm state::aead rfc4106(gcm(aes))::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 184::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 184::YES
diff --git a/testing/tests/ikev2/esp-alg-aes-gcm/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-aes-gcm/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index df2b7437d..000000000
--- a/testing/tests/ikev2/esp-alg-aes-gcm/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-        crlcheckinterval=180
-	strictcrlpolicy=yes
-	plutostart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-	ike=aes256-aesxcbc-modp2048!
-	esp=aes256gcm128-modp2048!
-
-conn home
-	left=PH_IP_CAROL
-	leftfirewall=yes
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	rightid=@moon.strongswan.org
-	auto=add 
diff --git a/testing/tests/ikev2/esp-alg-aes-gcm/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-aes-gcm/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 339b56987..000000000
--- a/testing/tests/ikev2/esp-alg-aes-gcm/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2/esp-alg-aes-gcm/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-aes-gcm/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index 661681105..000000000
--- a/testing/tests/ikev2/esp-alg-aes-gcm/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-        crlcheckinterval=180
-	strictcrlpolicy=yes
-	plutostart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-	ike=aes256-aesxcbc-modp2048!
-	esp=aes256gcm16-modp2048!
-
-conn rw
-	left=PH_IP_MOON
-	leftfirewall=yes
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftsubnet=10.1.0.0/16
-	right=%any
-	auto=add
diff --git a/testing/tests/ikev2/esp-alg-aes-gcm/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-aes-gcm/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 339b56987..000000000
--- a/testing/tests/ikev2/esp-alg-aes-gcm/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2/esp-alg-aes-gcm/posttest.dat b/testing/tests/ikev2/esp-alg-aes-gcm/posttest.dat
deleted file mode 100644
index 94a400606..000000000
--- a/testing/tests/ikev2/esp-alg-aes-gcm/posttest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/esp-alg-aes-gcm/pretest.dat b/testing/tests/ikev2/esp-alg-aes-gcm/pretest.dat
deleted file mode 100644
index f360351e1..000000000
--- a/testing/tests/ikev2/esp-alg-aes-gcm/pretest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-moon::ipsec start
-carol::ipsec start
-carol::sleep 1 
-carol::ipsec up home
diff --git a/testing/tests/ikev2/esp-alg-aes-gcm/test.conf b/testing/tests/ikev2/esp-alg-aes-gcm/test.conf
deleted file mode 100644
index acb73b06f..000000000
--- a/testing/tests/ikev2/esp-alg-aes-gcm/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/esp-alg-aes-gmac/test.conf b/testing/tests/ikev2/esp-alg-aes-gmac/test.conf
index acb73b06f..9cd583b16 100644
--- a/testing/tests/ikev2/esp-alg-aes-gmac/test.conf
+++ b/testing/tests/ikev2/esp-alg-aes-gmac/test.conf
@@ -5,11 +5,11 @@
 
 # All UML instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
 
 # UML instances on which tcpdump is to be started
 #
diff --git a/testing/tests/ikev2/esp-alg-null/test.conf b/testing/tests/ikev2/esp-alg-null/test.conf
index acb73b06f..9cd583b16 100644
--- a/testing/tests/ikev2/esp-alg-null/test.conf
+++ b/testing/tests/ikev2/esp-alg-null/test.conf
@@ -5,11 +5,11 @@
 
 # All UML instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
 
 # UML instances on which tcpdump is to be started
 #
diff --git a/testing/tests/ikev2/ip-pool-db/posttest.dat b/testing/tests/ikev2/ip-pool-db/posttest.dat
index 1c955057a..5b88b2163 100644
--- a/testing/tests/ikev2/ip-pool-db/posttest.dat
+++ b/testing/tests/ikev2/ip-pool-db/posttest.dat
@@ -1,6 +1,6 @@
-moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
+moon::ipsec stop
 moon::/etc/init.d/iptables stop 2> /dev/null
 carol::/etc/init.d/iptables stop 2> /dev/null
 dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/ip-pool-wish/posttest.dat b/testing/tests/ikev2/ip-pool-wish/posttest.dat
index 7cebd7f25..1777f439f 100644
--- a/testing/tests/ikev2/ip-pool-wish/posttest.dat
+++ b/testing/tests/ikev2/ip-pool-wish/posttest.dat
@@ -1,6 +1,6 @@
-moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
+moon::ipsec stop
 moon::/etc/init.d/iptables stop 2> /dev/null
 carol::/etc/init.d/iptables stop 2> /dev/null
 dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/ip-pool/posttest.dat b/testing/tests/ikev2/ip-pool/posttest.dat
index 7cebd7f25..1777f439f 100644
--- a/testing/tests/ikev2/ip-pool/posttest.dat
+++ b/testing/tests/ikev2/ip-pool/posttest.dat
@@ -1,6 +1,6 @@
-moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
+moon::ipsec stop
 moon::/etc/init.d/iptables stop 2> /dev/null
 carol::/etc/init.d/iptables stop 2> /dev/null
 dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/ip-split-pools-db/posttest.dat b/testing/tests/ikev2/ip-split-pools-db/posttest.dat
index 32b445090..9d88281ad 100644
--- a/testing/tests/ikev2/ip-split-pools-db/posttest.dat
+++ b/testing/tests/ikev2/ip-split-pools-db/posttest.dat
@@ -1,6 +1,6 @@
-moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
+moon::ipsec stop
 moon::ipsec pool --del pool0 2> /dev/null
 moon::ipsec pool --del pool1 2> /dev/null
 moon::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/ikev2/ip-two-pools-db/posttest.dat b/testing/tests/ikev2/ip-two-pools-db/posttest.dat
index 83052889c..7b0393ebd 100644
--- a/testing/tests/ikev2/ip-two-pools-db/posttest.dat
+++ b/testing/tests/ikev2/ip-two-pools-db/posttest.dat
@@ -1,8 +1,8 @@
 alice::ipsec stop
 venus::ipsec stop
-moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
+moon::ipsec stop
 alice::/etc/init.d/iptables stop 2> /dev/null
 venus::/etc/init.d/iptables stop 2> /dev/null
 moon::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/ip-two-pools/posttest.dat b/testing/tests/ikev2/ip-two-pools/posttest.dat
index f849b7e1a..f41bb0fbc 100644
--- a/testing/tests/ikev2/ip-two-pools/posttest.dat
+++ b/testing/tests/ikev2/ip-two-pools/posttest.dat
@@ -1,6 +1,6 @@
 alice::ipsec stop
-moon::ipsec stop
 carol::ipsec stop
+moon::ipsec stop
 moon::/etc/init.d/iptables stop 2> /dev/null
 carol::/etc/init.d/iptables stop 2> /dev/null
 alice::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat
index d64b3da7d..897db40ed 100644
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat
@@ -13,7 +13,7 @@ moon::cat /var/log/daemon.log::authentication of .*dave@strongswan.org.* with RS
 dave::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES
 dave::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES
 moon::cat /var/log/daemon.log::received EAP identity .*228060123456002::YES
-moon::cat /var/log/daemon.log::received Access-Reject from RADIUS server::YES
+moon::cat /var/log/daemon.log::RADIUS authentication of '228060123456002' failed::YES
 moon::cat /var/log/daemon.log::EAP method EAP_SIM failed for peer 228060123456002@strongswan.org::YES
 moon::ipsec statusall::rw-mult.*ESTABLISHED.*228060123456002@strongswan.org::NO
 dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
diff --git a/testing/tests/ikev2/nat-two-rw-mark/hosts/sun/etc/mark_updown b/testing/tests/ikev2/nat-two-rw-mark/hosts/sun/etc/mark_updown
index 442233f32..0d22e684d 100755
--- a/testing/tests/ikev2/nat-two-rw-mark/hosts/sun/etc/mark_updown
+++ b/testing/tests/ikev2/nat-two-rw-mark/hosts/sun/etc/mark_updown
@@ -124,7 +124,7 @@
 #       PLUTO_MARK_OUT
 #              is an optional XFRM mark set on the outbound IPsec SA
 #
-#       PLUTO_ESP_ENC
+#       PLUTO_UDP_ENC
 #              contains the remote UDP port in the case of ESP_IN_UDP
 #              encapsulation
 #
diff --git a/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/mark_updown b/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/mark_updown
index d7b68956c..c64158a2f 100755
--- a/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/mark_updown
+++ b/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/mark_updown
@@ -124,7 +124,7 @@
 #       PLUTO_MARK_OUT
 #              is an optional XFRM mark set on the outbound IPsec SA
 #
-#       PLUTO_ESP_ENC
+#       PLUTO_UDP_ENC
 #              contains the remote UDP port in the case of ESP_IN_UDP
 #              encapsulation
 #
diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat b/testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat
index a0a045ce8..77d3d45e5 100644
--- a/testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat
@@ -1,7 +1,7 @@
 moon::cat /var/log/daemon.log::requesting ocsp status from::YES
 moon::cat /var/log/daemon.log::ocsp response verification failed::YES
 moon::cat /var/log/daemon.log::certificate status is not available::YES
-moon::cat /var/log/daemon.log::constraint check failed: RULE_CRL_VALIDATION is FAILED, but requires at least GOOD::YES
+moon::cat /var/log/daemon.log::constraint check failed: RULE_OCSP_VALIDATION is FAILED, but requires at least GOOD::YES
 moon::ipsec status::rw.*ESTABLISHED::NO
 carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
 carol::ipsec status::home.*ESTABLISHED::NO
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat b/testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat
index 2e0f059c6..6a253d830 100644
--- a/testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat
@@ -1,7 +1,7 @@
 moon::cat /var/log/daemon.log::authentication of.*carol.*successful::YES
 moon::cat /var/log/daemon.log::libcurl http request failed::YES
 moon::cat /var/log/daemon.log::certificate status is not available::YES
-moon::cat /var/log/daemon.log::constraint check failed: RULE_CRL_VALIDATION is FAILED, but requires at least SKIPPED::YES
+moon::cat /var/log/daemon.log::constraint check failed: RULE_OCSP_VALIDATION is FAILED, but requires at least SKIPPED::YES
 moon::ipsec status::ESTABLISHED.*carol::YES
 moon::ipsec status::ESTABLISHED.*dave::NO
 carol::ipsec status::ESTABLISHED::YES
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat b/testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat
index 45c6ce7c5..44945bf5f 100644
--- a/testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat
@@ -2,6 +2,6 @@ moon::cat /var/log/daemon.log::requesting ocsp status from::YES
 moon::cat /var/log/daemon.log::self-signed certificate.*is not trusted::YES
 moon::cat /var/log/daemon.log::ocsp response verification failed::YES
 moon::cat /var/log/daemon.log::certificate status is not available::YES
-moon::cat /var/log/daemon.log::constraint check failed: RULE_CRL_VALIDATION is FAILED, but requires at least GOOD::YES
+moon::cat /var/log/daemon.log::constraint check failed: RULE_OCSP_VALIDATION is FAILED, but requires at least GOOD::YES
 moon::ipsec status::rw.*ESTABLISHED::NO
 carol::ipsec status::home.*ESTABLISHED::NO
diff --git a/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf
index 6d762c970..bbb5a76fd 100644
--- a/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf
index 6d762c970..bbb5a76fd 100644
--- a/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf
index 6d762c970..bbb5a76fd 100644
--- a/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/sites-available/default
index 9c3702cb7..2de32a6f2 100644
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/sites-available/default
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/sites-available/default
@@ -1,29 +1,11 @@
 authorize {
-  preprocess
-  chap
-  mschap
-  suffix
   eap {
     ok = return
   }
-  unix
   files
-  expiration
-  logintime
-  pap
 }
 
 authenticate {
-  Auth-Type PAP {
-    pap
-  }
-  Auth-Type CHAP {
-    chap
-  }
-  Auth-Type MS-CHAP {
-    mschap
-  }
-  unix
   eap
 }
 
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/pretest.dat b/testing/tests/ikev2/rw-eap-md5-id-radius/pretest.dat
index 3508e9d8c..280d62e3c 100644
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/pretest.dat
@@ -1,9 +1,5 @@
 moon::/etc/init.d/iptables start 2> /dev/null
 carol::/etc/init.d/iptables start 2> /dev/null
-alice::cat /etc/raddb/clients.conf
-alice::cat /etc/raddb/eap.conf
-alice::cat /etc/raddb/proxy.conf
-alice::cat /etc/raddb/users
 alice::/etc/init.d/radiusd start 
 moon::ipsec start
 carol::ipsec start
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/test.conf b/testing/tests/ikev2/rw-eap-md5-id-radius/test.conf
index 2bd21499b..e0d77b583 100644
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/test.conf
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/test.conf
@@ -19,3 +19,8 @@ TCPDUMPHOSTS="moon"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
+
+# UML instances on which FreeRadius is started
+#
+RADIUSHOSTS="alice"
+
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/sites-available/default
index 9c3702cb7..802fcfd8d 100644
--- a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/sites-available/default
+++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/sites-available/default
@@ -1,29 +1,12 @@
 authorize {
-  preprocess
-  chap
-  mschap
   suffix
   eap {
     ok = return
   }
-  unix
   files
-  expiration
-  logintime
-  pap
 }
 
 authenticate {
-  Auth-Type PAP {
-    pap
-  }
-  Auth-Type CHAP {
-    chap
-  }
-  Auth-Type MS-CHAP {
-    mschap
-  }
-  unix
   eap
 }
 
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/pretest.dat b/testing/tests/ikev2/rw-eap-md5-radius/pretest.dat
index 3508e9d8c..280d62e3c 100644
--- a/testing/tests/ikev2/rw-eap-md5-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-radius/pretest.dat
@@ -1,9 +1,5 @@
 moon::/etc/init.d/iptables start 2> /dev/null
 carol::/etc/init.d/iptables start 2> /dev/null
-alice::cat /etc/raddb/clients.conf
-alice::cat /etc/raddb/eap.conf
-alice::cat /etc/raddb/proxy.conf
-alice::cat /etc/raddb/users
 alice::/etc/init.d/radiusd start 
 moon::ipsec start
 carol::ipsec start
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/test.conf b/testing/tests/ikev2/rw-eap-md5-radius/test.conf
index 2bd21499b..e0d77b583 100644
--- a/testing/tests/ikev2/rw-eap-md5-radius/test.conf
+++ b/testing/tests/ikev2/rw-eap-md5-radius/test.conf
@@ -19,3 +19,8 @@ TCPDUMPHOSTS="moon"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
+
+# UML instances on which FreeRadius is started
+#
+RADIUSHOSTS="alice"
+
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/sites-available/default
index dfceb037d..92896b11e 100644
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/sites-available/default
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/sites-available/default
@@ -1,30 +1,11 @@
 authorize {
-  preprocess
-  chap
-  mschap
   sim_files
-  suffix
   eap {
     ok = return
   }
-  unix
-  files
-  expiration
-  logintime
-  pap
 }
 
 authenticate {
-  Auth-Type PAP {
-    pap
-  }
-  Auth-Type CHAP {
-    chap
-  }
-  Auth-Type MS-CHAP {
-    mschap
-  }
-  unix
   eap
 }
 
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/pretest.dat b/testing/tests/ikev2/rw-eap-sim-id-radius/pretest.dat
index 0a9f41856..0da980c07 100644
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/pretest.dat
@@ -1,8 +1,5 @@
 moon::/etc/init.d/iptables start 2> /dev/null
 carol::/etc/init.d/iptables start 2> /dev/null
-alice::cat /etc/raddb/clients.conf
-alice::cat /etc/raddb/eap.conf
-alice::cat /etc/raddb/proxy.conf
 alice::cat /etc/raddb/triplets.dat
 alice::/etc/init.d/radiusd start
 moon::ipsec start
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/test.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/test.conf
index 2bd21499b..e0d77b583 100644
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/test.conf
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/test.conf
@@ -19,3 +19,8 @@ TCPDUMPHOSTS="moon"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
+
+# UML instances on which FreeRadius is started
+#
+RADIUSHOSTS="alice"
+
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-sim-only-radius/evaltest.dat
index ff3e67459..852d424af 100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/evaltest.dat
@@ -7,7 +7,7 @@ carol::ipsec statusall::home.*ESTABLISHED::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::cat /var/log/daemon.log::received Access-Reject from RADIUS server::YES
+moon::cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES
 moon::cat /var/log/daemon.log::EAP method EAP_SIM failed for peer dave@strongswan.org::YES
 moon::ipsec statusall::rw-eap.*ESTABLISHED.*dave@strongswan.org::NO
 dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/sites-available/default
index dfceb037d..126d61d05 100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/sites-available/default
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/sites-available/default
@@ -1,30 +1,12 @@
 authorize {
-  preprocess
-  chap
-  mschap
   sim_files
   suffix
   eap {
     ok = return
   }
-  unix
-  files
-  expiration
-  logintime
-  pap
 }
 
 authenticate {
-  Auth-Type PAP {
-    pap
-  }
-  Auth-Type CHAP {
-    chap
-  }
-  Auth-Type MS-CHAP {
-    mschap
-  }
-  unix
   eap
 }
 
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/carol/etc/strongswan.conf
index 9f82ffa2f..e468cd4f9 100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/carol/etc/strongswan.conf
@@ -2,5 +2,4 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
-  send_vendor_id = yes
 }
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/dave/etc/strongswan.conf
index 9f82ffa2f..e468cd4f9 100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/dave/etc/strongswan.conf
@@ -2,5 +2,4 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
-  send_vendor_id = yes
 }
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/strongswan.conf
index 8250ae1ab..f21745bcd 100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/strongswan.conf
@@ -2,7 +2,6 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius updown
-  send_vendor_id = yes
   plugins {
     eap-radius {
       secret = gv6URkSs 
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/pretest.dat b/testing/tests/ikev2/rw-eap-sim-only-radius/pretest.dat
index 6a30756b7..5a51733dc 100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/pretest.dat
@@ -4,9 +4,6 @@ dave::/etc/init.d/iptables start 2> /dev/null
 moon::rm /etc/ipsec.d/cacerts/*
 carol::rm /etc/ipsec.d/cacerts/*
 dave::rm /etc/ipsec.d/cacerts/*
-alice::cat /etc/raddb/clients.conf
-alice::cat /etc/raddb/eap.conf
-alice::cat /etc/raddb/proxy.conf
 alice::cat /etc/raddb/triplets.dat
 alice::/etc/init.d/radiusd start
 moon::ipsec start
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/test.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/test.conf
index 70416826e..bb6b68687 100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/test.conf
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/test.conf
@@ -19,3 +19,8 @@ TCPDUMPHOSTS="moon"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
+
+# UML instances on which FreeRadius is started
+#
+RADIUSHOSTS="alice"
+
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat
index 5fae7ecd5..b4d66adc6 100644
--- a/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat
@@ -7,7 +7,7 @@ carol::ipsec statusall::home.*ESTABLISHED::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::cat /var/log/daemon.log::received Access-Reject from RADIUS server::YES
+moon::cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES
 moon::cat /var/log/daemon.log::EAP method EAP_SIM failed for peer dave@strongswan.org::YES
 moon::ipsec statusall::rw-eap.*ESTABLISHED.*dave@strongswan.org::NO
 dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/description.txt b/testing/tests/ikev2/rw-eap-tls-fragments/description.txt
new file mode 100644
index 000000000..f6a5f1c7b
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/description.txt
@@ -0,0 +1,5 @@
+The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
+The strong mutual authentication of both peers is based on <b>EAP-TLS</b> only
+(without a separate IKEv2 authentication), using TLS client and server certificates,
+respectively. Large certificates and a multi-level trust hierarchy with a path length
+of 3 force a fragmentation of the TLS handshake message into two TLS records. 
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/evaltest.dat b/testing/tests/ikev2/rw-eap-tls-fragments/evaltest.dat
new file mode 100644
index 000000000..f4d534051
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/evaltest.dat
@@ -0,0 +1,9 @@
+carol::cat /var/log/daemon.log::server requested EAP_TLS authentication::YES
+carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
+carol::cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, CN=moon.d.strongswan.org' with EAP successful::YES
+moon::cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, CN=carol@d.strongswan.org' with EAP successful::YES
+moon::ipsec statusall::rw-eap.*ESTABLISHED::YES
+carol::ipsec statusall::home.*ESTABLISHED::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..889a47d80
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutostart=no
+	charondebug="tls 2"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_CAROL
+	leftcert=carol_D_cert.der
+	leftauth=eap
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid="C=CH, O=strongSwan Project, CN=moon.d.strongswan.org"
+	rightsubnet=10.1.0.0/16
+	rightsendcert=never
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.d/cacerts/ca_A_cert.der b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.d/cacerts/ca_A_cert.der
new file mode 100644
index 000000000..43984fd2b
Binary files /dev/null and b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.d/cacerts/ca_A_cert.der differ
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.d/certs/carol_D_cert.der b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.d/certs/carol_D_cert.der
new file mode 100644
index 000000000..1b3748ba5
Binary files /dev/null and b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.d/certs/carol_D_cert.der differ
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.d/private/carol_key.der b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.d/private/carol_key.der
new file mode 100644
index 000000000..bebee462d
Binary files /dev/null and b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.d/private/carol_key.der differ
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..a1a643655
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA carol_key.der
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..dc0bcdff5
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,12 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac stroke kernel-netlink socket-default eap-tls updown
+  multiple_authentication=no
+
+  plugins {
+    eap-tls {
+      max_message_count = 40
+    }
+  }
+}
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..9f979e17b
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	strictcrlpolicy=no
+	plutostart=no
+	charondebug="tls 2"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn rw-eap
+	left=PH_IP_MOON
+	leftsubnet=10.1.0.0/16
+	leftcert=moon_D_cert.der
+	leftauth=eap-tls
+	leftfirewall=yes
+	rightauth=eap-tls
+	rightsendcert=never
+	right=%any
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/cacerts/ca_A_cert.der b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/cacerts/ca_A_cert.der
new file mode 100644
index 000000000..43984fd2b
Binary files /dev/null and b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/cacerts/ca_A_cert.der differ
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/cacerts/ca_B_cert.der b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/cacerts/ca_B_cert.der
new file mode 100644
index 000000000..4f42bb29a
Binary files /dev/null and b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/cacerts/ca_B_cert.der differ
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/cacerts/ca_C_cert.der b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/cacerts/ca_C_cert.der
new file mode 100644
index 000000000..dda5a5b1c
Binary files /dev/null and b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/cacerts/ca_C_cert.der differ
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/cacerts/ca_D_cert.der b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/cacerts/ca_D_cert.der
new file mode 100644
index 000000000..6f59b569e
Binary files /dev/null and b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/cacerts/ca_D_cert.der differ
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/certs/moon_D_cert.der b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/certs/moon_D_cert.der
new file mode 100644
index 000000000..8d7a0a774
Binary files /dev/null and b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/certs/moon_D_cert.der differ
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/ca_A_key.der b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/ca_A_key.der
new file mode 100644
index 000000000..cbd7b0dc7
Binary files /dev/null and b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/ca_A_key.der differ
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/ca_B_key.der b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/ca_B_key.der
new file mode 100644
index 000000000..9b1da0ea8
Binary files /dev/null and b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/ca_B_key.der differ
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/ca_C_key.der b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/ca_C_key.der
new file mode 100644
index 000000000..ba08fc3c5
Binary files /dev/null and b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/ca_C_key.der differ
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/ca_D_key.der b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/ca_D_key.der
new file mode 100644
index 000000000..9fb1ba0f8
Binary files /dev/null and b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/ca_D_key.der differ
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/moon_key.der b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/moon_key.der
new file mode 100644
index 000000000..88c478c35
Binary files /dev/null and b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/moon_key.der differ
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..e02427b6b
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moon_key.der
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..dc0bcdff5
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,12 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac stroke kernel-netlink socket-default eap-tls updown
+  multiple_authentication=no
+
+  plugins {
+    eap-tls {
+      max_message_count = 40
+    }
+  }
+}
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/posttest.dat b/testing/tests/ikev2/rw-eap-tls-fragments/posttest.dat
new file mode 100644
index 000000000..085b19509
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/posttest.dat
@@ -0,0 +1,10 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+moon::rm /etc/ipsec.d/cacerts/*
+moon::rm /etc/ipsec.d/certs/*
+moon::rm /etc/ipsec.d/private/*
+carol::rm /etc/ipsec.d/cacerts/*
+carol::rm /etc/ipsec.d/certs/*
+carol::rm /etc/ipsec.d/private/*
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/pretest.dat b/testing/tests/ikev2/rw-eap-tls-fragments/pretest.dat
new file mode 100644
index 000000000..35d35dc86
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/pretest.dat
@@ -0,0 +1,9 @@
+moon::rm /etc/ipsec.d/cacerts/strongswanCert.pem
+carol::rm /etc/ipsec.d/cacerts/strongswanCert.pem
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+carol::sleep 1
+carol::ipsec up home
+carol::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/test.conf b/testing/tests/ikev2/rw-eap-tls-fragments/test.conf
new file mode 100644
index 000000000..2bd21499b
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice carol moon"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/rw-eap-tls-only/description.txt b/testing/tests/ikev2/rw-eap-tls-only/description.txt
new file mode 100644
index 000000000..b3e0450a4
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-only/description.txt
@@ -0,0 +1,4 @@
+The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
+The strong mutual authentication of both peers is based on <b>EAP-TLS</b> only
+(without a separate IKEv2 authentication), using TLS client and server certificates,
+respectively.
diff --git a/testing/tests/ikev2/rw-eap-tls-only/evaltest.dat b/testing/tests/ikev2/rw-eap-tls-only/evaltest.dat
new file mode 100644
index 000000000..1e9bdb2af
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-only/evaltest.dat
@@ -0,0 +1,9 @@
+carol::cat /var/log/daemon.log::server requested EAP_TLS authentication::YES
+carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
+carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with EAP successful::YES
+moon::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org' with EAP successful::YES
+moon::ipsec statusall::rw-eap.*ESTABLISHED::YES
+carol::ipsec statusall::home.*ESTABLISHED::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..3aeab002f
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_CAROL
+	leftcert=carolCert.pem
+	leftauth=eap
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
+	rightsubnet=10.1.0.0/16
+	rightsendcert=never
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..5fe84aea3
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-tls updown
+  multiple_authentication=no
+}
diff --git a/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..430211020
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn rw-eap
+	left=PH_IP_MOON
+	leftsubnet=10.1.0.0/16
+	leftcert=moonCert.pem
+	leftauth=eap-tls
+	leftfirewall=yes
+	rightauth=eap-tls
+	rightsendcert=never
+	right=%any
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..5fe84aea3
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-tls updown
+  multiple_authentication=no
+}
diff --git a/testing/tests/ikev2/rw-eap-tls-only/posttest.dat b/testing/tests/ikev2/rw-eap-tls-only/posttest.dat
new file mode 100644
index 000000000..94a400606
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-only/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-tls-only/pretest.dat b/testing/tests/ikev2/rw-eap-tls-only/pretest.dat
new file mode 100644
index 000000000..ed5498bfe
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-only/pretest.dat
@@ -0,0 +1,7 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+carol::sleep 1
+carol::ipsec up home
+carol::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-tls-only/test.conf b/testing/tests/ikev2/rw-eap-tls-only/test.conf
new file mode 100644
index 000000000..9cd583b16
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-only/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/description.txt b/testing/tests/ikev2/rw-eap-tls-radius/description.txt
new file mode 100644
index 000000000..842a88c42
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-radius/description.txt
@@ -0,0 +1,5 @@
+The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
+At the outset the gateway authenticates itself to the client by sending
+an IKEv2 <b>RSA signature</b> accompanied by a certificate.
+<b>carol</b> then uses a mutual <b>EAP-TLS</b> authentication based
+on X.509 certificates with the remote AAA RADIUS server <b>alice</b>.
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-tls-radius/evaltest.dat
new file mode 100644
index 000000000..f0a674063
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-radius/evaltest.dat
@@ -0,0 +1,11 @@
+carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::server requested EAP_TLS authentication::YES
+carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with EAP successful::YES
+moon::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org' with EAP successful::YES
+moon::ipsec statusall::rw-eap.*ESTABLISHED::YES
+carol::ipsec statusall::home.*ESTABLISHED::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+
+
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/clients.conf
new file mode 100644
index 000000000..f4e179aa4
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/clients.conf
@@ -0,0 +1,4 @@
+client PH_IP_MOON1 {
+  secret    = gv6URkSs 
+  shortname = moon
+}
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/eap.conf
new file mode 100644
index 000000000..92f96ad66
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/eap.conf
@@ -0,0 +1,13 @@
+eap {
+  default_eap_type = tls
+  tls {
+    certdir = /etc/raddb/certs
+    cadir = /etc/raddb/certs
+    private_key_file = /etc/raddb/certs/aaaKey.pem
+    certificate_file = /etc/raddb/certs/aaaCert.pem
+    CA_file = /etc/raddb/certs/strongswanCert.pem
+    cipher_list = "DEFAULT"
+    dh_file = /etc/raddb/certs/dh
+    random_file = /etc/raddb/certs/random
+  }
+}
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/proxy.conf
new file mode 100644
index 000000000..23cba8d11
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/proxy.conf
@@ -0,0 +1,5 @@
+realm strongswan.org {
+  type     = radius
+  authhost = LOCAL
+  accthost = LOCAL
+}
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/radiusd.conf
new file mode 100644
index 000000000..1143a0473
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/radiusd.conf
@@ -0,0 +1,120 @@
+# radiusd.conf	-- FreeRADIUS server configuration file.
+
+prefix = /usr
+exec_prefix = ${prefix}
+sysconfdir = /etc
+localstatedir = /var
+sbindir = ${exec_prefix}/sbin
+logdir = ${localstatedir}/log/radius
+raddbdir = ${sysconfdir}/raddb
+radacctdir = ${logdir}/radacct
+
+#  name of the running server.  See also the "-n" command-line option.
+name = radiusd
+
+#  Location of config and logfiles.
+confdir = ${raddbdir}
+run_dir = ${localstatedir}/run/radiusd
+
+# Should likely be ${localstatedir}/lib/radiusd
+db_dir = ${raddbdir}
+
+# libdir: Where to find the rlm_* modules.
+libdir = ${exec_prefix}/lib
+
+#  pidfile: Where to place the PID of the RADIUS server.
+pidfile = ${run_dir}/${name}.pid
+
+#  max_request_time: The maximum time (in seconds) to handle a request.
+max_request_time = 30
+
+#  cleanup_delay: The time to wait (in seconds) before cleaning up
+cleanup_delay = 5
+
+#  max_requests: The maximum number of requests which the server keeps
+max_requests = 1024
+
+#  listen: Make the server listen on a particular IP address, and send
+listen {
+  type = auth
+  ipaddr = PH_IP_ALICE 
+  port = 0
+}
+
+#  This second "listen" section is for listening on the accounting
+#  port, too.
+#
+listen {
+  type  = acct
+  ipaddr = PH_IP_ALICE 
+  port = 0
+}
+
+#  hostname_lookups: Log the names of clients or just their IP addresses
+hostname_lookups = no
+
+#  Core dumps are a bad thing.  This should only be set to 'yes'
+allow_core_dumps = no
+
+#  Regular expressions
+regular_expressions = yes
+extended_expressions = yes
+
+#  Logging section.  The various "log_*" configuration items
+log {
+  destination = files
+  file = ${logdir}/radius.log
+  syslog_facility = daemon
+  stripped_names = no
+  auth = yes 
+  auth_badpass = yes 
+  auth_goodpass = yes 
+}
+
+#  The program to execute to do concurrency checks.
+checkrad = ${sbindir}/checkrad
+
+#  Security considerations
+security {
+  max_attributes = 200
+  reject_delay = 1
+  status_server = yes
+}
+
+# PROXY CONFIGURATION
+proxy_requests = yes
+$INCLUDE proxy.conf
+
+# CLIENTS CONFIGURATION
+$INCLUDE clients.conf
+
+# THREAD POOL CONFIGURATION
+thread pool {
+  start_servers = 5
+  max_servers = 32
+  min_spare_servers = 3
+  max_spare_servers = 10
+  max_requests_per_server = 0
+}
+
+# MODULE CONFIGURATION
+modules {
+  $INCLUDE ${confdir}/modules/
+  $INCLUDE eap.conf
+  $INCLUDE sql.conf
+  $INCLUDE sql/mysql/counter.conf
+}
+
+# Instantiation
+instantiate {
+  exec
+  expr
+  expiration
+  logintime
+}
+
+# Policies
+$INCLUDE policy.conf
+
+# Include all enabled virtual hosts
+$INCLUDE sites-enabled/
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/sites-available/default
new file mode 100644
index 000000000..990184919
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/sites-available/default
@@ -0,0 +1,42 @@
+authorize {
+  eap {
+    ok = return
+  }
+}
+
+authenticate {
+  eap
+}
+
+preacct {
+  preprocess
+  acct_unique
+  suffix
+  files
+}
+
+accounting {
+  detail
+  unix
+  radutmp
+  attr_filter.accounting_response
+}
+
+session {
+  radutmp
+}
+
+post-auth {
+  exec
+  Post-Auth-Type REJECT {
+    attr_filter.access_reject
+  }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+  eap
+}
+
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/users b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/users
new file mode 100644
index 000000000..247b918e3
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/users
@@ -0,0 +1 @@
+carol	Cleartext-Password := "Ar3etTnp"
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..4f4c8abcf
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutostart=no
+	charondebug="tls 2"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_CAROL
+	leftcert=carolCert.pem
+	leftauth=eap
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
+	rightsubnet=10.1.0.0/16
+	rightauth=pubkey
+	aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..5fe84aea3
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-tls updown
+  multiple_authentication=no
+}
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/init.d/iptables
new file mode 100755
index 000000000..56587b2e8
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/init.d/iptables
@@ -0,0 +1,84 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+	before net
+	need logger
+}
+
+start() {
+	ebegin "Starting firewall"
+
+	# enable IP forwarding
+	echo 1 > /proc/sys/net/ipv4/ip_forward
+	
+	# default policy is DROP
+	/sbin/iptables -P INPUT DROP
+	/sbin/iptables -P OUTPUT DROP
+	/sbin/iptables -P FORWARD DROP
+
+	# allow esp
+	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+	# allow IKE
+	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+	# allow MobIKE
+	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+	# allow crl fetch from winnetou
+	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+	# allow RADIUS protocol with alice
+	iptables -A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+	iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+	# allow ssh
+	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
+	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+	
+			if [ $a == nat ]; then
+				/sbin/iptables -t nat -P PREROUTING ACCEPT
+				/sbin/iptables -t nat -P POSTROUTING ACCEPT
+				/sbin/iptables -t nat -P OUTPUT ACCEPT
+			elif [ $a == mangle ]; then
+				/sbin/iptables -t mangle -P PREROUTING ACCEPT
+				/sbin/iptables -t mangle -P INPUT ACCEPT
+				/sbin/iptables -t mangle -P FORWARD ACCEPT
+				/sbin/iptables -t mangle -P OUTPUT ACCEPT
+				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
+			elif [ $a == filter ]; then
+				/sbin/iptables -t filter -P INPUT ACCEPT
+				/sbin/iptables -t filter -P FORWARD ACCEPT
+				/sbin/iptables -t filter -P OUTPUT ACCEPT
+			fi
+		done
+	eend $?
+}
+
+reload() {
+	ebegin "Flushing firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+		done;
+        eend $?
+	start
+}
+
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..be907f839
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn rw-eap
+	left=PH_IP_MOON
+	leftsubnet=10.1.0.0/16
+	leftcert=moonCert.pem
+	leftauth=pubkey
+	leftfirewall=yes
+	rightid="C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org"
+	rightauth=eap-radius
+	rightsendcert=never
+	right=%any
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..e86d6aa5c
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..4d2d3058d
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,12 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-radius updown
+  multiple_authentication=no
+  plugins {
+    eap-radius {
+      secret = gv6URkSs 
+      server = PH_IP_ALICE
+    }
+  }
+}
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/posttest.dat b/testing/tests/ikev2/rw-eap-tls-radius/posttest.dat
new file mode 100644
index 000000000..920d6a20d
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-radius/posttest.dat
@@ -0,0 +1,5 @@
+moon::ipsec stop
+carol::ipsec stop
+alice::/etc/init.d/radiusd stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/pretest.dat b/testing/tests/ikev2/rw-eap-tls-radius/pretest.dat
new file mode 100644
index 000000000..280d62e3c
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-radius/pretest.dat
@@ -0,0 +1,8 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+alice::/etc/init.d/radiusd start 
+moon::ipsec start
+carol::ipsec start
+carol::sleep 1
+carol::ipsec up home
+carol::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/test.conf b/testing/tests/ikev2/rw-eap-tls-radius/test.conf
new file mode 100644
index 000000000..e0d77b583
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-radius/test.conf
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice carol moon"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
+# UML instances on which FreeRadius is started
+#
+RADIUSHOSTS="alice"
+
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/description.txt b/testing/tests/ikev2/rw-eap-tnc-block/description.txt
new file mode 100644
index 000000000..51423177a
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-block/description.txt
@@ -0,0 +1,8 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>
+using EAP-TTLS authentication only with the gateway presenting a server certificate and
+the clients doing EAP-MD5 password-based authentication.
+In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
+health of <b>carol</b> and <b>dave</b> via the <b>IF-TNCCS 1.1</b> client-server interface.
+<b>carol</b> passes the health test and <b>dave</b> fails. Based on these measurements
+<b>carol</b> is authenticated successfully and is granted access to the subnet behind
+<b>moon</b> whereas <b>dave</b> fails the layered EAP authentication and is rejected. 
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/evaltest.dat b/testing/tests/ikev2/rw-eap-tnc-block/evaltest.dat
new file mode 100644
index 000000000..2304df23e
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-block/evaltest.dat
@@ -0,0 +1,12 @@
+carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/16::YES
+dave::cat /var/log/daemon.log::TNCCS-Recommendation.*none::YES
+dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
+dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.0/16::NO
+moon::cat /var/log/daemon.log::added group membership 'allow'::YES
+moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES 
+moon::cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..c19192dae
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutostart=no
+	charondebug="tls 2, tnc 3"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_CAROL
+	leftid=carol@strongswan.org
+	leftauth=eap
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsendcert=never
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..74942afda
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..c12143cb1
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown
+  multiple_authentication=no
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/tnc/dummyimc.file
new file mode 100644
index 000000000..f5da834c0
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/tnc/dummyimc.file
@@ -0,0 +1 @@
+allow
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/tnc_config
new file mode 100644
index 000000000..a5a9a68f3
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMC configuration file for strongSwan client 
+
+IMC "Dummy" /usr/local/lib/libdummyimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..7d5ea8b83
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutostart=no
+	charondebug="tls 2, tnc 3"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_DAVE
+	leftid=dave@strongswan.org
+	leftauth=eap
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsendcert=never
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..5496df7ad
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..c12143cb1
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown
+  multiple_authentication=no
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/tnc/dummyimc.file
new file mode 100644
index 000000000..621e94f0e
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/tnc/dummyimc.file
@@ -0,0 +1 @@
+none
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/tnc_config
new file mode 100644
index 000000000..a5a9a68f3
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMC configuration file for strongSwan client 
+
+IMC "Dummy" /usr/local/lib/libdummyimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..6747b4a4a
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,26 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	strictcrlpolicy=no
+	plutostart=no
+	charondebug="tls 2, tnc 3"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn rw-eap
+	left=PH_IP_MOON
+	leftsubnet=10.1.0.0/16
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftauth=eap-ttls
+	leftfirewall=yes
+	rightauth=eap-ttls
+	rightid=*@strongswan.org
+	rightsendcert=never
+	right=%any
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..2e277ccb0
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,6 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
+
+carol@strongswan.org : EAP "Ar3etTnp"
+dave@strongswan.org  : EAP "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..f8700d3c5
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,13 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnccs-11 tnc-imv updown
+  multiple_authentication=no
+  plugins {
+    eap-ttls {
+      phase2_method = md5
+      phase2_piggyback = yes
+      phase2_tnc = yes
+    }
+  }
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/tnc_config
new file mode 100644
index 000000000..ac436a344
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMV configuration file for strongSwan server 
+
+IMV "Dummy" /usr/local/lib/libdummyimv.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/posttest.dat b/testing/tests/ikev2/rw-eap-tnc-block/posttest.dat
new file mode 100644
index 000000000..7cebd7f25
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-block/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/pretest.dat b/testing/tests/ikev2/rw-eap-tnc-block/pretest.dat
new file mode 100644
index 000000000..ce897d181
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-block/pretest.dat
@@ -0,0 +1,15 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+moon::cat /etc/tnc_config
+carol::cat /etc/tnc_config
+dave::cat /etc/tnc_config
+carol::cat /etc/tnc/dummyimc.file
+dave::cat /etc/tnc/dummyimc.file
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
+dave::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/test.conf b/testing/tests/ikev2/rw-eap-tnc-block/test.conf
new file mode 100644
index 000000000..e28b8259b
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-block/test.conf
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice venus moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# UML instances on which FreeRadius is started
+#
+RADIUSHOSTS=
+
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/description.txt b/testing/tests/ikev2/rw-eap-tnc-radius-block/description.txt
new file mode 100644
index 000000000..350aefc60
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/description.txt
@@ -0,0 +1,11 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
+At the outset the gateway authenticates itself to the clients by sending an IKEv2
+<b>RSA signature</b> accompanied by a certificate.
+<b>carol</b> and <b>dave</b> then set up an <b>EAP-TTLS</b> tunnel each via <b>moon</b> to
+the FreeRADIUS server <b>alice</b> authenticated by an X.509 AAA certificate.
+The strong EAP-TTLS tunnel protects the ensuing weak client authentication based on <b>EAP-MD5</b>.
+In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
+health of <b>carol</b> and <b>dave</b> via the <b>IF-TNCCS 1.1</b> client-server interface.
+<b>carol</b> passes the health test and <b>dave</b> fails. Based on these measurements <b>carol</b>
+is authenticated successfully and is granted access to the subnet behind <b>moon</b> whereas 
+<b>dave</b> fails the layered EAP authentication and is rejected.
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/evaltest.dat b/testing/tests/ikev2/rw-eap-tnc-radius-block/evaltest.dat
new file mode 100644
index 000000000..517ea9ab2
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/evaltest.dat
@@ -0,0 +1,14 @@
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
+carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/16::YES
+dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+dave::cat /var/log/daemon.log::TNCCS-Recommendation.*none::YES
+dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
+dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.0/16::NO
+moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES         
+moon::cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES
+moon::cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
+
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/clients.conf
new file mode 100644
index 000000000..f4e179aa4
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/clients.conf
@@ -0,0 +1,4 @@
+client PH_IP_MOON1 {
+  secret    = gv6URkSs 
+  shortname = moon
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/dictionary b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/dictionary
new file mode 100644
index 000000000..1a27a02fc
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/dictionary
@@ -0,0 +1,2 @@
+$INCLUDE	/usr/share/freeradius/dictionary
+$INCLUDE	/etc/raddb/dictionary.tnc
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/dictionary.tnc b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/dictionary.tnc
new file mode 100644
index 000000000..f295467a9
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/dictionary.tnc
@@ -0,0 +1,5 @@
+ATTRIBUTE	TNC-Status	3001	integer
+
+VALUE	TNC-Status	Access	0 
+VALUE	TNC-Status	Isolate	1
+VALUE	TNC-Status	None	2
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/eap.conf
new file mode 100644
index 000000000..31556361e
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/eap.conf
@@ -0,0 +1,25 @@
+eap {
+  md5 {
+  }
+  default_eap_type = ttls
+  tls {
+    private_key_file = /etc/raddb/certs/aaaKey.pem
+    certificate_file = /etc/raddb/certs/aaaCert.pem
+    CA_file = /etc/raddb/certs/strongswanCert.pem
+    cipher_list = "DEFAULT"
+    dh_file = /etc/raddb/certs/dh
+    random_file = /etc/raddb/certs/random
+  }
+  ttls {
+    default_eap_type = md5
+    use_tunneled_reply = yes
+    virtual_server = "inner-tunnel"
+    tnc_virtual_server = "inner-tunnel-second"
+  }
+}
+
+eap eap_tnc {
+      default_eap_type = tnc
+      tnc {
+      }
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/proxy.conf
new file mode 100644
index 000000000..23cba8d11
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/proxy.conf
@@ -0,0 +1,5 @@
+realm strongswan.org {
+  type     = radius
+  authhost = LOCAL
+  accthost = LOCAL
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/radiusd.conf
new file mode 100644
index 000000000..1143a0473
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/radiusd.conf
@@ -0,0 +1,120 @@
+# radiusd.conf	-- FreeRADIUS server configuration file.
+
+prefix = /usr
+exec_prefix = ${prefix}
+sysconfdir = /etc
+localstatedir = /var
+sbindir = ${exec_prefix}/sbin
+logdir = ${localstatedir}/log/radius
+raddbdir = ${sysconfdir}/raddb
+radacctdir = ${logdir}/radacct
+
+#  name of the running server.  See also the "-n" command-line option.
+name = radiusd
+
+#  Location of config and logfiles.
+confdir = ${raddbdir}
+run_dir = ${localstatedir}/run/radiusd
+
+# Should likely be ${localstatedir}/lib/radiusd
+db_dir = ${raddbdir}
+
+# libdir: Where to find the rlm_* modules.
+libdir = ${exec_prefix}/lib
+
+#  pidfile: Where to place the PID of the RADIUS server.
+pidfile = ${run_dir}/${name}.pid
+
+#  max_request_time: The maximum time (in seconds) to handle a request.
+max_request_time = 30
+
+#  cleanup_delay: The time to wait (in seconds) before cleaning up
+cleanup_delay = 5
+
+#  max_requests: The maximum number of requests which the server keeps
+max_requests = 1024
+
+#  listen: Make the server listen on a particular IP address, and send
+listen {
+  type = auth
+  ipaddr = PH_IP_ALICE 
+  port = 0
+}
+
+#  This second "listen" section is for listening on the accounting
+#  port, too.
+#
+listen {
+  type  = acct
+  ipaddr = PH_IP_ALICE 
+  port = 0
+}
+
+#  hostname_lookups: Log the names of clients or just their IP addresses
+hostname_lookups = no
+
+#  Core dumps are a bad thing.  This should only be set to 'yes'
+allow_core_dumps = no
+
+#  Regular expressions
+regular_expressions = yes
+extended_expressions = yes
+
+#  Logging section.  The various "log_*" configuration items
+log {
+  destination = files
+  file = ${logdir}/radius.log
+  syslog_facility = daemon
+  stripped_names = no
+  auth = yes 
+  auth_badpass = yes 
+  auth_goodpass = yes 
+}
+
+#  The program to execute to do concurrency checks.
+checkrad = ${sbindir}/checkrad
+
+#  Security considerations
+security {
+  max_attributes = 200
+  reject_delay = 1
+  status_server = yes
+}
+
+# PROXY CONFIGURATION
+proxy_requests = yes
+$INCLUDE proxy.conf
+
+# CLIENTS CONFIGURATION
+$INCLUDE clients.conf
+
+# THREAD POOL CONFIGURATION
+thread pool {
+  start_servers = 5
+  max_servers = 32
+  min_spare_servers = 3
+  max_spare_servers = 10
+  max_requests_per_server = 0
+}
+
+# MODULE CONFIGURATION
+modules {
+  $INCLUDE ${confdir}/modules/
+  $INCLUDE eap.conf
+  $INCLUDE sql.conf
+  $INCLUDE sql/mysql/counter.conf
+}
+
+# Instantiation
+instantiate {
+  exec
+  expr
+  expiration
+  logintime
+}
+
+# Policies
+$INCLUDE policy.conf
+
+# Include all enabled virtual hosts
+$INCLUDE sites-enabled/
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/default
new file mode 100644
index 000000000..802fcfd8d
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/default
@@ -0,0 +1,44 @@
+authorize {
+  suffix
+  eap {
+    ok = return
+  }
+  files
+}
+
+authenticate {
+  eap
+}
+
+preacct {
+  preprocess
+  acct_unique
+  suffix
+  files
+}
+
+accounting {
+  detail
+  unix
+  radutmp
+  attr_filter.accounting_response
+}
+
+session {
+  radutmp
+}
+
+post-auth {
+  exec
+  Post-Auth-Type REJECT {
+    attr_filter.access_reject
+  }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+  eap
+}
+
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel
new file mode 100644
index 000000000..e088fae14
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel
@@ -0,0 +1,32 @@
+server inner-tunnel {
+
+authorize {
+	suffix
+	eap {
+		ok = return
+	}
+	files
+}
+
+authenticate {
+	eap
+}
+
+session {
+	radutmp
+}
+
+post-auth {
+	Post-Auth-Type REJECT {
+		attr_filter.access_reject
+	}
+}
+
+pre-proxy {
+}
+
+post-proxy {
+	eap
+}
+
+} # inner-tunnel server block
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel-second b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel-second
new file mode 100644
index 000000000..2d4961288
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel-second
@@ -0,0 +1,23 @@
+server inner-tunnel-second {
+
+authorize {
+	eap_tnc {
+		ok = return
+	}
+}
+
+authenticate {
+	eap_tnc
+}
+
+session {
+	radutmp
+}
+
+post-auth {
+	Post-Auth-Type REJECT {
+		attr_filter.access_reject
+	}
+}
+
+} # inner-tunnel-second block
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/users b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/users
new file mode 100644
index 000000000..50ccf3e76
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/users
@@ -0,0 +1,2 @@
+carol	Cleartext-Password := "Ar3etTnp"
+dave	Cleartext-Password := "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/tnc_config
new file mode 100644
index 000000000..a9509a716
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMV configuration file for TNC@FHH-TNC-Server
+
+IMV "Dummy" /usr/local/lib/libdummyimv.so.0.7.0
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..9cf2b43c4
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutostart=no
+	charondebug="tls 2, tnc 3"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_CAROL
+	leftid=carol@strongswan.org
+	leftauth=eap
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	rightauth=pubkey
+	aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..74942afda
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..c12143cb1
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown
+  multiple_authentication=no
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/tnc/dummyimc.file
new file mode 100644
index 000000000..f5da834c0
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/tnc/dummyimc.file
@@ -0,0 +1 @@
+allow
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/tnc_config
new file mode 100644
index 000000000..a5a9a68f3
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMC configuration file for strongSwan client 
+
+IMC "Dummy" /usr/local/lib/libdummyimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..998e6c2e5
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutostart=no
+	charondebug="tls 2, tnc 3"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_DAVE
+	leftid=dave@strongswan.org
+	leftauth=eap
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	rightauth=pubkey
+	aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..5496df7ad
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..c12143cb1
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown
+  multiple_authentication=no
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/tnc/dummyimc.file
new file mode 100644
index 000000000..621e94f0e
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/tnc/dummyimc.file
@@ -0,0 +1 @@
+none
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/tnc_config
new file mode 100644
index 000000000..a5a9a68f3
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMC configuration file for strongSwan client 
+
+IMC "Dummy" /usr/local/lib/libdummyimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/init.d/iptables
new file mode 100755
index 000000000..56587b2e8
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/init.d/iptables
@@ -0,0 +1,84 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+	before net
+	need logger
+}
+
+start() {
+	ebegin "Starting firewall"
+
+	# enable IP forwarding
+	echo 1 > /proc/sys/net/ipv4/ip_forward
+	
+	# default policy is DROP
+	/sbin/iptables -P INPUT DROP
+	/sbin/iptables -P OUTPUT DROP
+	/sbin/iptables -P FORWARD DROP
+
+	# allow esp
+	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+	# allow IKE
+	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+	# allow MobIKE
+	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+	# allow crl fetch from winnetou
+	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+	# allow RADIUS protocol with alice
+	iptables -A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+	iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+	# allow ssh
+	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
+	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+	
+			if [ $a == nat ]; then
+				/sbin/iptables -t nat -P PREROUTING ACCEPT
+				/sbin/iptables -t nat -P POSTROUTING ACCEPT
+				/sbin/iptables -t nat -P OUTPUT ACCEPT
+			elif [ $a == mangle ]; then
+				/sbin/iptables -t mangle -P PREROUTING ACCEPT
+				/sbin/iptables -t mangle -P INPUT ACCEPT
+				/sbin/iptables -t mangle -P FORWARD ACCEPT
+				/sbin/iptables -t mangle -P OUTPUT ACCEPT
+				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
+			elif [ $a == filter ]; then
+				/sbin/iptables -t filter -P INPUT ACCEPT
+				/sbin/iptables -t filter -P FORWARD ACCEPT
+				/sbin/iptables -t filter -P OUTPUT ACCEPT
+			fi
+		done
+	eend $?
+}
+
+reload() {
+	ebegin "Flushing firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+		done;
+        eend $?
+	start
+}
+
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..fc8f84638
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn rw-eap
+	left=PH_IP_MOON
+	leftsubnet=10.1.0.0/16
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftauth=pubkey
+	leftfirewall=yes
+	rightauth=eap-radius
+	rightid=*@strongswan.org
+	rightsendcert=never
+	right=%any
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..e86d6aa5c
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..4d2d3058d
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,12 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-radius updown
+  multiple_authentication=no
+  plugins {
+    eap-radius {
+      secret = gv6URkSs 
+      server = PH_IP_ALICE
+    }
+  }
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/posttest.dat b/testing/tests/ikev2/rw-eap-tnc-radius-block/posttest.dat
new file mode 100644
index 000000000..132752119
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/posttest.dat
@@ -0,0 +1,8 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+alice::/etc/init.d/radiusd stop
+alice::rm /etc/raddb/sites-enabled/inner-tunnel-second
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/pretest.dat b/testing/tests/ikev2/rw-eap-tnc-radius-block/pretest.dat
new file mode 100644
index 000000000..dc7d5934e
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/pretest.dat
@@ -0,0 +1,15 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+alice::ln -s /etc/raddb/sites-available/inner-tunnel-second /etc/raddb/sites-enabled/inner-tunnel-second
+alice::cat /etc/raddb/sites-enabled/inner-tunnel-second
+alice::/etc/init.d/radiusd start
+carol::cat /etc/tnc/dummyimc.file
+dave::cat /etc/tnc/dummyimc.file
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
+dave::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/test.conf b/testing/tests/ikev2/rw-eap-tnc-radius-block/test.conf
new file mode 100644
index 000000000..bb6b68687
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/test.conf
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# UML instances on which FreeRadius is started
+#
+RADIUSHOSTS="alice"
+
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/description.txt b/testing/tests/ikev2/rw-eap-tnc-radius/description.txt
new file mode 100644
index 000000000..7eebd3d4d
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius/description.txt
@@ -0,0 +1,10 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
+At the outset the gateway authenticates itself to the clients by sending an IKEv2
+<b>RSA signature</b> accompanied by a certificate.
+<b>carol</b> and <b>dave</b> then set up an <b>EAP-TTLS</b> tunnel each via <b>moon</b> to
+the FreeRADIUS server <b>alice</b> authenticated by an X.509 AAA certificate.
+The strong EAP-TTLS tunnel protects the ensuing weak client authentication based on <b>EAP-MD5</b>.
+In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
+health of <b>carol</b> and <b>dave</b> via the <b>IF-TNCCS 1.1</b> client-server interface.
+<b>carol</b> passes the health test and <b>dave</b> fails. Based on these measurements the
+clients are connected by gateway <b>moon</b> to the "rw-allow" and "rw-isolate" subnets, respectively.
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-tnc-radius/evaltest.dat
new file mode 100644
index 000000000..d0ea22ba9
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius/evaltest.dat
@@ -0,0 +1,19 @@
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
+dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+dave::cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES
+dave::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
+moon::cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'allow'::YES
+moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES            
+moon::cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'isolate'::YES
+moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
+moon::ipsec statusall::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
+moon::ipsec statusall::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
+dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
+
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/clients.conf
new file mode 100644
index 000000000..f4e179aa4
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/clients.conf
@@ -0,0 +1,4 @@
+client PH_IP_MOON1 {
+  secret    = gv6URkSs 
+  shortname = moon
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/dictionary b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/dictionary
new file mode 100644
index 000000000..1a27a02fc
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/dictionary
@@ -0,0 +1,2 @@
+$INCLUDE	/usr/share/freeradius/dictionary
+$INCLUDE	/etc/raddb/dictionary.tnc
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/dictionary.tnc b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/dictionary.tnc
new file mode 100644
index 000000000..f295467a9
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/dictionary.tnc
@@ -0,0 +1,5 @@
+ATTRIBUTE	TNC-Status	3001	integer
+
+VALUE	TNC-Status	Access	0 
+VALUE	TNC-Status	Isolate	1
+VALUE	TNC-Status	None	2
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/eap.conf
new file mode 100644
index 000000000..31556361e
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/eap.conf
@@ -0,0 +1,25 @@
+eap {
+  md5 {
+  }
+  default_eap_type = ttls
+  tls {
+    private_key_file = /etc/raddb/certs/aaaKey.pem
+    certificate_file = /etc/raddb/certs/aaaCert.pem
+    CA_file = /etc/raddb/certs/strongswanCert.pem
+    cipher_list = "DEFAULT"
+    dh_file = /etc/raddb/certs/dh
+    random_file = /etc/raddb/certs/random
+  }
+  ttls {
+    default_eap_type = md5
+    use_tunneled_reply = yes
+    virtual_server = "inner-tunnel"
+    tnc_virtual_server = "inner-tunnel-second"
+  }
+}
+
+eap eap_tnc {
+      default_eap_type = tnc
+      tnc {
+      }
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/proxy.conf
new file mode 100644
index 000000000..23cba8d11
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/proxy.conf
@@ -0,0 +1,5 @@
+realm strongswan.org {
+  type     = radius
+  authhost = LOCAL
+  accthost = LOCAL
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/radiusd.conf
new file mode 100644
index 000000000..1143a0473
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/radiusd.conf
@@ -0,0 +1,120 @@
+# radiusd.conf	-- FreeRADIUS server configuration file.
+
+prefix = /usr
+exec_prefix = ${prefix}
+sysconfdir = /etc
+localstatedir = /var
+sbindir = ${exec_prefix}/sbin
+logdir = ${localstatedir}/log/radius
+raddbdir = ${sysconfdir}/raddb
+radacctdir = ${logdir}/radacct
+
+#  name of the running server.  See also the "-n" command-line option.
+name = radiusd
+
+#  Location of config and logfiles.
+confdir = ${raddbdir}
+run_dir = ${localstatedir}/run/radiusd
+
+# Should likely be ${localstatedir}/lib/radiusd
+db_dir = ${raddbdir}
+
+# libdir: Where to find the rlm_* modules.
+libdir = ${exec_prefix}/lib
+
+#  pidfile: Where to place the PID of the RADIUS server.
+pidfile = ${run_dir}/${name}.pid
+
+#  max_request_time: The maximum time (in seconds) to handle a request.
+max_request_time = 30
+
+#  cleanup_delay: The time to wait (in seconds) before cleaning up
+cleanup_delay = 5
+
+#  max_requests: The maximum number of requests which the server keeps
+max_requests = 1024
+
+#  listen: Make the server listen on a particular IP address, and send
+listen {
+  type = auth
+  ipaddr = PH_IP_ALICE 
+  port = 0
+}
+
+#  This second "listen" section is for listening on the accounting
+#  port, too.
+#
+listen {
+  type  = acct
+  ipaddr = PH_IP_ALICE 
+  port = 0
+}
+
+#  hostname_lookups: Log the names of clients or just their IP addresses
+hostname_lookups = no
+
+#  Core dumps are a bad thing.  This should only be set to 'yes'
+allow_core_dumps = no
+
+#  Regular expressions
+regular_expressions = yes
+extended_expressions = yes
+
+#  Logging section.  The various "log_*" configuration items
+log {
+  destination = files
+  file = ${logdir}/radius.log
+  syslog_facility = daemon
+  stripped_names = no
+  auth = yes 
+  auth_badpass = yes 
+  auth_goodpass = yes 
+}
+
+#  The program to execute to do concurrency checks.
+checkrad = ${sbindir}/checkrad
+
+#  Security considerations
+security {
+  max_attributes = 200
+  reject_delay = 1
+  status_server = yes
+}
+
+# PROXY CONFIGURATION
+proxy_requests = yes
+$INCLUDE proxy.conf
+
+# CLIENTS CONFIGURATION
+$INCLUDE clients.conf
+
+# THREAD POOL CONFIGURATION
+thread pool {
+  start_servers = 5
+  max_servers = 32
+  min_spare_servers = 3
+  max_spare_servers = 10
+  max_requests_per_server = 0
+}
+
+# MODULE CONFIGURATION
+modules {
+  $INCLUDE ${confdir}/modules/
+  $INCLUDE eap.conf
+  $INCLUDE sql.conf
+  $INCLUDE sql/mysql/counter.conf
+}
+
+# Instantiation
+instantiate {
+  exec
+  expr
+  expiration
+  logintime
+}
+
+# Policies
+$INCLUDE policy.conf
+
+# Include all enabled virtual hosts
+$INCLUDE sites-enabled/
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/default
new file mode 100644
index 000000000..802fcfd8d
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/default
@@ -0,0 +1,44 @@
+authorize {
+  suffix
+  eap {
+    ok = return
+  }
+  files
+}
+
+authenticate {
+  eap
+}
+
+preacct {
+  preprocess
+  acct_unique
+  suffix
+  files
+}
+
+accounting {
+  detail
+  unix
+  radutmp
+  attr_filter.accounting_response
+}
+
+session {
+  radutmp
+}
+
+post-auth {
+  exec
+  Post-Auth-Type REJECT {
+    attr_filter.access_reject
+  }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+  eap
+}
+
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel
new file mode 100644
index 000000000..e088fae14
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel
@@ -0,0 +1,32 @@
+server inner-tunnel {
+
+authorize {
+	suffix
+	eap {
+		ok = return
+	}
+	files
+}
+
+authenticate {
+	eap
+}
+
+session {
+	radutmp
+}
+
+post-auth {
+	Post-Auth-Type REJECT {
+		attr_filter.access_reject
+	}
+}
+
+pre-proxy {
+}
+
+post-proxy {
+	eap
+}
+
+} # inner-tunnel server block
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel-second b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel-second
new file mode 100644
index 000000000..f91bccc72
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel-second
@@ -0,0 +1,36 @@
+server inner-tunnel-second {
+
+authorize {
+	eap_tnc {
+		ok = return
+	}
+}
+
+authenticate {
+	eap_tnc
+}
+
+session {
+	radutmp
+}
+
+post-auth {
+	if (control:TNC-Status == "Access") {
+		update reply {
+			Tunnel-Type := ESP 
+			Filter-Id := "allow"
+		}
+	}
+	elsif (control:TNC-Status == "Isolate") {
+		update reply {
+			Tunnel-Type := ESP 
+			Filter-Id := "isolate"	
+		}
+	}
+
+	Post-Auth-Type REJECT {
+		attr_filter.access_reject
+	}
+}
+
+} # inner-tunnel-second block
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/users b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/users
new file mode 100644
index 000000000..50ccf3e76
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/users
@@ -0,0 +1,2 @@
+carol	Cleartext-Password := "Ar3etTnp"
+dave	Cleartext-Password := "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/tnc_config
new file mode 100644
index 000000000..a9509a716
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMV configuration file for TNC@FHH-TNC-Server
+
+IMV "Dummy" /usr/local/lib/libdummyimv.so.0.7.0
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..9cf2b43c4
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutostart=no
+	charondebug="tls 2, tnc 3"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_CAROL
+	leftid=carol@strongswan.org
+	leftauth=eap
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	rightauth=pubkey
+	aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..74942afda
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..c12143cb1
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown
+  multiple_authentication=no
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/tnc/dummyimc.file
new file mode 100644
index 000000000..f5da834c0
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/tnc/dummyimc.file
@@ -0,0 +1 @@
+allow
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/tnc_config
new file mode 100644
index 000000000..a5a9a68f3
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMC configuration file for strongSwan client 
+
+IMC "Dummy" /usr/local/lib/libdummyimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..998e6c2e5
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutostart=no
+	charondebug="tls 2, tnc 3"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_DAVE
+	leftid=dave@strongswan.org
+	leftauth=eap
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	rightauth=pubkey
+	aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..5496df7ad
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..c12143cb1
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown
+  multiple_authentication=no
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/tnc/dummyimc.file
new file mode 100644
index 000000000..c20b5e57f
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/tnc/dummyimc.file
@@ -0,0 +1 @@
+isolate
\ No newline at end of file
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/tnc_config
new file mode 100644
index 000000000..a5a9a68f3
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMC configuration file for strongSwan client 
+
+IMC "Dummy" /usr/local/lib/libdummyimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/init.d/iptables
new file mode 100755
index 000000000..56587b2e8
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/init.d/iptables
@@ -0,0 +1,84 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+	before net
+	need logger
+}
+
+start() {
+	ebegin "Starting firewall"
+
+	# enable IP forwarding
+	echo 1 > /proc/sys/net/ipv4/ip_forward
+	
+	# default policy is DROP
+	/sbin/iptables -P INPUT DROP
+	/sbin/iptables -P OUTPUT DROP
+	/sbin/iptables -P FORWARD DROP
+
+	# allow esp
+	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+	# allow IKE
+	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+	# allow MobIKE
+	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+	# allow crl fetch from winnetou
+	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+	# allow RADIUS protocol with alice
+	iptables -A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+	iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+	# allow ssh
+	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
+	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+	
+			if [ $a == nat ]; then
+				/sbin/iptables -t nat -P PREROUTING ACCEPT
+				/sbin/iptables -t nat -P POSTROUTING ACCEPT
+				/sbin/iptables -t nat -P OUTPUT ACCEPT
+			elif [ $a == mangle ]; then
+				/sbin/iptables -t mangle -P PREROUTING ACCEPT
+				/sbin/iptables -t mangle -P INPUT ACCEPT
+				/sbin/iptables -t mangle -P FORWARD ACCEPT
+				/sbin/iptables -t mangle -P OUTPUT ACCEPT
+				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
+			elif [ $a == filter ]; then
+				/sbin/iptables -t filter -P INPUT ACCEPT
+				/sbin/iptables -t filter -P FORWARD ACCEPT
+				/sbin/iptables -t filter -P OUTPUT ACCEPT
+			fi
+		done
+	eend $?
+}
+
+reload() {
+	ebegin "Flushing firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+		done;
+        eend $?
+	start
+}
+
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..33dcdcfb0
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,35 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn rw-allow
+	rightgroups=allow
+	leftsubnet=10.1.0.0/28
+	also=rw-eap
+	auto=add
+
+conn rw-isolate
+	rightgroups=isolate
+	leftsubnet=10.1.0.16/28
+	also=rw-eap
+	auto=add
+
+conn rw-eap
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftauth=pubkey
+	leftfirewall=yes
+	rightauth=eap-radius
+	rightid=*@strongswan.org
+	rightsendcert=never
+	right=%any
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..e86d6aa5c
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..f4e456bbe
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,13 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-radius updown
+  multiple_authentication=no
+  plugins {
+    eap-radius {
+      secret = gv6URkSs 
+      server = PH_IP_ALICE
+      filter_id = yes
+    }
+  }
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/posttest.dat b/testing/tests/ikev2/rw-eap-tnc-radius/posttest.dat
new file mode 100644
index 000000000..132752119
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius/posttest.dat
@@ -0,0 +1,8 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+alice::/etc/init.d/radiusd stop
+alice::rm /etc/raddb/sites-enabled/inner-tunnel-second
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/pretest.dat b/testing/tests/ikev2/rw-eap-tnc-radius/pretest.dat
new file mode 100644
index 000000000..8dd865819
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius/pretest.dat
@@ -0,0 +1,18 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+alice::ln -s /etc/raddb/sites-available/inner-tunnel-second /etc/raddb/sites-enabled/inner-tunnel-second
+alice::cat /etc/raddb/sites-enabled/inner-tunnel-second
+alice::/etc/init.d/radiusd start
+alice::cat /etc/tnc_config
+carol::cat /etc/tnc_config
+dave::cat /etc/tnc_config
+carol::cat /etc/tnc/dummyimc.file
+dave::cat /etc/tnc/dummyimc.file
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
+dave::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/test.conf b/testing/tests/ikev2/rw-eap-tnc-radius/test.conf
new file mode 100644
index 000000000..2a52df203
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius/test.conf
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice venus moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# UML instances on which FreeRadius is started
+#
+RADIUSHOSTS="alice"
+
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/description.txt b/testing/tests/ikev2/rw-eap-tnc-tls/description.txt
new file mode 100644
index 000000000..762b839ee
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-tls/description.txt
@@ -0,0 +1,7 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>,
+bothe ends doing certificate-based EAP-TLS authentication only.
+In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
+health of <b>carol</b> and <b>dave</b> via the <b>IF-TNCCS 1.1</b> client-server interface.
+<b>carol</b> passes the health test and <b>dave</b> fails. Based on these measurements the
+clients are connected by gateway <b>moon</b> to the "rw-allow" and "rw-isolate" subnets,
+respectively.
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/evaltest.dat b/testing/tests/ikev2/rw-eap-tnc-tls/evaltest.dat
new file mode 100644
index 000000000..cebfff25f
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-tls/evaltest.dat
@@ -0,0 +1,19 @@
+carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
+dave::cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES
+dave::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
+moon::cat /var/log/daemon.log::added group membership 'allow'::YES
+moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES              
+moon::cat /var/log/daemon.log::added group membership 'isolate'::YES
+moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
+moon::ipsec statusall::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
+moon::ipsec statusall::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
+dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
+
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..1b6274215
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutostart=no
+	charondebug="tls 2, tnc 3"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_CAROL
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftauth=eap
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsendcert=never
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..c12143cb1
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown
+  multiple_authentication=no
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/tnc/dummyimc.file
new file mode 100644
index 000000000..f5da834c0
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/tnc/dummyimc.file
@@ -0,0 +1 @@
+allow
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/tnc_config
new file mode 100644
index 000000000..a5a9a68f3
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMC configuration file for strongSwan client 
+
+IMC "Dummy" /usr/local/lib/libdummyimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..54c06b12e
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutostart=no
+	charondebug="tls 2, tnc 3"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_DAVE
+	leftcert=daveCert.pem
+	leftid=dave@strongswan.org
+	leftauth=eap
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsendcert=never
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..c12143cb1
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown
+  multiple_authentication=no
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/tnc/dummyimc.file
new file mode 100644
index 000000000..c20b5e57f
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/tnc/dummyimc.file
@@ -0,0 +1 @@
+isolate
\ No newline at end of file
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/tnc_config
new file mode 100644
index 000000000..a5a9a68f3
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMC configuration file for strongSwan client 
+
+IMC "Dummy" /usr/local/lib/libdummyimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..50514c99f
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,36 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	strictcrlpolicy=no
+	plutostart=no
+	charondebug="tls 2, tnc 3"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn rw-allow
+	rightgroups=allow
+	leftsubnet=10.1.0.0/28
+	also=rw-eap
+	auto=add
+
+conn rw-isolate
+	rightgroups=isolate
+	leftsubnet=10.1.0.16/28
+	also=rw-eap
+	auto=add
+
+conn rw-eap
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftauth=eap-ttls
+	leftfirewall=yes
+	rightauth=eap-ttls
+	rightid=*@strongswan.org
+	rightsendcert=never
+	right=%any
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..2e277ccb0
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,6 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
+
+carol@strongswan.org : EAP "Ar3etTnp"
+dave@strongswan.org  : EAP "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..8898a63ba
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,13 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnccs-11 tnc-imv updown
+  multiple_authentication=no
+  plugins {
+    eap-ttls {
+      request_peer_auth = yes
+      phase2_piggyback = yes
+      phase2_tnc = yes
+    }
+  }
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/tnc_config
new file mode 100644
index 000000000..ac436a344
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMV configuration file for strongSwan server 
+
+IMV "Dummy" /usr/local/lib/libdummyimv.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/posttest.dat b/testing/tests/ikev2/rw-eap-tnc-tls/posttest.dat
new file mode 100644
index 000000000..7cebd7f25
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-tls/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/pretest.dat b/testing/tests/ikev2/rw-eap-tnc-tls/pretest.dat
new file mode 100644
index 000000000..ce897d181
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-tls/pretest.dat
@@ -0,0 +1,15 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+moon::cat /etc/tnc_config
+carol::cat /etc/tnc_config
+dave::cat /etc/tnc_config
+carol::cat /etc/tnc/dummyimc.file
+dave::cat /etc/tnc/dummyimc.file
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
+dave::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/test.conf b/testing/tests/ikev2/rw-eap-tnc-tls/test.conf
new file mode 100644
index 000000000..e28b8259b
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-tls/test.conf
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice venus moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# UML instances on which FreeRadius is started
+#
+RADIUSHOSTS=
+
diff --git a/testing/tests/ikev2/rw-eap-tnc/description.txt b/testing/tests/ikev2/rw-eap-tnc/description.txt
new file mode 100644
index 000000000..4b4808c94
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc/description.txt
@@ -0,0 +1,9 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>
+using EAP-TTLS authentication only with the gateway presenting a server certificate and
+the clients doing EAP-MD5 password-based authentication.
+In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
+health of <b>carol</b> and <b>dave</b> via the <b>IF-TNCCS 1.1</b> client-server interface.
+<b>carol</b> passes the health test and <b>dave</b> fails. Based on these measurements the
+clients are connected by gateway <b>moon</b> to the "rw-allow" and "rw-isolate" subnets,
+respectively.
+
diff --git a/testing/tests/ikev2/rw-eap-tnc/evaltest.dat b/testing/tests/ikev2/rw-eap-tnc/evaltest.dat
new file mode 100644
index 000000000..a02755148
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc/evaltest.dat
@@ -0,0 +1,19 @@
+carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
+dave::cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES
+dave::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
+moon::cat /var/log/daemon.log::added group membership 'allow'::YES
+moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon::cat /var/log/daemon.log::added group membership 'isolate'::YES
+moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
+moon::ipsec statusall::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
+moon::ipsec statusall::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
+dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
+
diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..c19192dae
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutostart=no
+	charondebug="tls 2, tnc 3"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_CAROL
+	leftid=carol@strongswan.org
+	leftauth=eap
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsendcert=never
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..74942afda
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..c12143cb1
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown
+  multiple_authentication=no
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/tnc/dummyimc.file
new file mode 100644
index 000000000..f5da834c0
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/tnc/dummyimc.file
@@ -0,0 +1 @@
+allow
diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/tnc_config
new file mode 100644
index 000000000..a5a9a68f3
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMC configuration file for strongSwan client 
+
+IMC "Dummy" /usr/local/lib/libdummyimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..7d5ea8b83
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutostart=no
+	charondebug="tls 2, tnc 3"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_DAVE
+	leftid=dave@strongswan.org
+	leftauth=eap
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsendcert=never
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..5496df7ad
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..c12143cb1
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown
+  multiple_authentication=no
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/tnc/dummyimc.file
new file mode 100644
index 000000000..c20b5e57f
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/tnc/dummyimc.file
@@ -0,0 +1 @@
+isolate
\ No newline at end of file
diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/tnc_config
new file mode 100644
index 000000000..a5a9a68f3
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMC configuration file for strongSwan client 
+
+IMC "Dummy" /usr/local/lib/libdummyimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..50514c99f
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,36 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	strictcrlpolicy=no
+	plutostart=no
+	charondebug="tls 2, tnc 3"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn rw-allow
+	rightgroups=allow
+	leftsubnet=10.1.0.0/28
+	also=rw-eap
+	auto=add
+
+conn rw-isolate
+	rightgroups=isolate
+	leftsubnet=10.1.0.16/28
+	also=rw-eap
+	auto=add
+
+conn rw-eap
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftauth=eap-ttls
+	leftfirewall=yes
+	rightauth=eap-ttls
+	rightid=*@strongswan.org
+	rightsendcert=never
+	right=%any
diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..2e277ccb0
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,6 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
+
+carol@strongswan.org : EAP "Ar3etTnp"
+dave@strongswan.org  : EAP "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..f8700d3c5
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,13 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnccs-11 tnc-imv updown
+  multiple_authentication=no
+  plugins {
+    eap-ttls {
+      phase2_method = md5
+      phase2_piggyback = yes
+      phase2_tnc = yes
+    }
+  }
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/tnc_config
new file mode 100644
index 000000000..ac436a344
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMV configuration file for strongSwan server 
+
+IMV "Dummy" /usr/local/lib/libdummyimv.so
diff --git a/testing/tests/ikev2/rw-eap-tnc/posttest.dat b/testing/tests/ikev2/rw-eap-tnc/posttest.dat
new file mode 100644
index 000000000..7cebd7f25
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-tnc/pretest.dat b/testing/tests/ikev2/rw-eap-tnc/pretest.dat
new file mode 100644
index 000000000..ce897d181
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc/pretest.dat
@@ -0,0 +1,15 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+moon::cat /etc/tnc_config
+carol::cat /etc/tnc_config
+dave::cat /etc/tnc_config
+carol::cat /etc/tnc/dummyimc.file
+dave::cat /etc/tnc/dummyimc.file
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
+dave::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-tnc/test.conf b/testing/tests/ikev2/rw-eap-tnc/test.conf
new file mode 100644
index 000000000..e28b8259b
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc/test.conf
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice venus moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# UML instances on which FreeRadius is started
+#
+RADIUSHOSTS=
+
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/description.txt b/testing/tests/ikev2/rw-eap-ttls-only/description.txt
new file mode 100644
index 000000000..3d4c3ab87
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-only/description.txt
@@ -0,0 +1,11 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
+The strong mutual authentication is based on <b>EAP-TTLS</b> only (without a separate IKEv2
+authentication) with the gateway being authenticated by a server certificate during the
+EAP-TLS tunnel setup (phase1 of EAP-TTLS). This tunnel protects the ensuing weak client
+authentication based on <b>EAP-MD5</b> (phase2 of EAP-TTLS).
+<p/> 
+With the default setting <b>charon.plugins.eap-ttls.phase2_piggyback = no</b> the server
+<b>moon</b> passively waits for the clients to initiate phase2 of the EAP-TTLS protocol by
+sending a tunneled orphan EAP Identity response upon the reception of the server's TLS
+Finished message. Client <b>carol</b> presents the correct MD5 password and succeeds
+whereas client <b>dave</b> chooses the wrong password and fails.
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/evaltest.dat b/testing/tests/ikev2/rw-eap-ttls-only/evaltest.dat
new file mode 100644
index 000000000..9586fe558
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-only/evaltest.dat
@@ -0,0 +1,19 @@
+carol::cat /var/log/daemon.log::server requested EAP_TTLS authentication::YES
+carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
+carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
+carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with EAP successful::YES
+dave::cat /var/log/daemon.log::server requested EAP_TTLS authentication::YES
+dave::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
+dave::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
+moon::cat /var/log/daemon.log::EAP_TTLS phase2 authentication of 'carol@strongswan.org' with EAP_MD5 successful::YES
+moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon::cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES
+moon::ipsec statusall::rw-eap.*ESTABLISHED.*carol@strongswan.org::YES
+moon::ipsec statusall::rw-eap.*ESTABLISHED.*dave@stronswan.org::NO
+carol::ipsec statusall::home.*ESTABLISHED::YES
+dave::ipsec statusall::home.*ESTABLISHED::NO
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..967598643
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutostart=no
+	charondebug="tls 2"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_CAROL
+	leftid=carol@strongswan.org
+	leftauth=eap
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
+	rightsubnet=10.1.0.0/16
+	rightsendcert=never
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..74942afda
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..378bdc540
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
+  multiple_authentication=no
+}
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..ad1255212
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutostart=no
+	charondebug="tls 2"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_DAVE
+	leftid=dave@strongswan.org
+	leftauth=eap
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
+	rightsubnet=10.1.0.0/16
+	rightsendcert=never
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..d5631a9f5
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+dave@strongswan.org : EAP "UgaM65Va"
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..378bdc540
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
+  multiple_authentication=no
+}
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..d37848bac
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	strictcrlpolicy=no
+	plutostart=no
+	charondebug="tls 2"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn rw-eap
+	left=PH_IP_MOON
+	leftsubnet=10.1.0.0/16
+	leftcert=moonCert.pem
+	leftauth=eap-ttls
+	leftfirewall=yes
+	rightauth=eap-ttls
+	rightsendcert=never
+	right=%any
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..2e277ccb0
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,6 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
+
+carol@strongswan.org : EAP "Ar3etTnp"
+dave@strongswan.org  : EAP "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..8cdcb640c
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
+  multiple_authentication=no
+  plugins {
+    eap-ttls {
+      phase2_method = md5
+   }
+ }
+}
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/posttest.dat b/testing/tests/ikev2/rw-eap-ttls-only/posttest.dat
new file mode 100644
index 000000000..7cebd7f25
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-only/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/pretest.dat b/testing/tests/ikev2/rw-eap-ttls-only/pretest.dat
new file mode 100644
index 000000000..369596177
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-only/pretest.dat
@@ -0,0 +1,10 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
+dave::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/test.conf b/testing/tests/ikev2/rw-eap-ttls-only/test.conf
new file mode 100644
index 000000000..70416826e
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-only/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/description.txt b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/description.txt
new file mode 100644
index 000000000..d5f0b267a
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/description.txt
@@ -0,0 +1,10 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
+The strong mutual authentication is based on <b>EAP-TTLS</b> only (without a separate IKEv2
+authentication) with the gateway being authenticated by a server certificate during the
+EAP-TLS tunnel setup (phase1 of EAP-TTLS). This tunnel protects the ensuing weak client
+authentication based on <b>EAP-MD5</b> (phase2 of EAP-TTLS).
+<p/>
+With the setting <b>charon.plugins.eap-ttls.phase2_piggyback = yes</b> the server <b>moon</b>
+initiates phase2 of the EAP-TTLS protocol by piggybacking a tunneled EAP Identity request
+right onto the TLS Finished message. Client <b>carol</b> presents the correct MD5 password
+and succeeds whereas client <b>dave</b> chooses the wrong password and fails.
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/evaltest.dat b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/evaltest.dat
new file mode 100644
index 000000000..9586fe558
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/evaltest.dat
@@ -0,0 +1,19 @@
+carol::cat /var/log/daemon.log::server requested EAP_TTLS authentication::YES
+carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
+carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
+carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with EAP successful::YES
+dave::cat /var/log/daemon.log::server requested EAP_TTLS authentication::YES
+dave::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
+dave::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
+moon::cat /var/log/daemon.log::EAP_TTLS phase2 authentication of 'carol@strongswan.org' with EAP_MD5 successful::YES
+moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon::cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES
+moon::ipsec statusall::rw-eap.*ESTABLISHED.*carol@strongswan.org::YES
+moon::ipsec statusall::rw-eap.*ESTABLISHED.*dave@stronswan.org::NO
+carol::ipsec statusall::home.*ESTABLISHED::YES
+dave::ipsec statusall::home.*ESTABLISHED::NO
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..967598643
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutostart=no
+	charondebug="tls 2"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_CAROL
+	leftid=carol@strongswan.org
+	leftauth=eap
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
+	rightsubnet=10.1.0.0/16
+	rightsendcert=never
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..74942afda
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..378bdc540
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
+  multiple_authentication=no
+}
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..ad1255212
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutostart=no
+	charondebug="tls 2"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_DAVE
+	leftid=dave@strongswan.org
+	leftauth=eap
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
+	rightsubnet=10.1.0.0/16
+	rightsendcert=never
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..d5631a9f5
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+dave@strongswan.org : EAP "UgaM65Va"
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..378bdc540
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
+  multiple_authentication=no
+}
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..d37848bac
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	strictcrlpolicy=no
+	plutostart=no
+	charondebug="tls 2"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn rw-eap
+	left=PH_IP_MOON
+	leftsubnet=10.1.0.0/16
+	leftcert=moonCert.pem
+	leftauth=eap-ttls
+	leftfirewall=yes
+	rightauth=eap-ttls
+	rightsendcert=never
+	right=%any
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..2e277ccb0
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,6 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
+
+carol@strongswan.org : EAP "Ar3etTnp"
+dave@strongswan.org  : EAP "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..b065251ea
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,12 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
+  multiple_authentication=no
+  plugins {
+    eap-ttls {
+      phase2_method = md5
+      phase2_piggyback = yes
+   }
+ }
+}
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/posttest.dat b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/posttest.dat
new file mode 100644
index 000000000..7cebd7f25
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/pretest.dat b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/pretest.dat
new file mode 100644
index 000000000..369596177
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/pretest.dat
@@ -0,0 +1,10 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
+dave::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/test.conf b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/test.conf
new file mode 100644
index 000000000..70416826e
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/description.txt b/testing/tests/ikev2/rw-eap-ttls-radius/description.txt
new file mode 100644
index 000000000..299106b32
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/description.txt
@@ -0,0 +1,8 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
+At the outset the gateway authenticates itself to the clients by sending an IKEv2
+<b>RSA signature</b> accompanied by a certificate.
+<b>carol</b> and <b>dave</b> then set up an <b>EAP-TTLS</b> tunnel each via <b>moon</b> to
+the FreeRADIUS server <b>alice</b> authenticated by an X.509 AAA certificate.
+The strong EAP-TTLS tunnel protects the ensuing weak client authentication based on <b>EAP-MD5</b>.
+<b>carol</b> presents the correct MD5 password and succeeds whereas <b>dave</b> chooses the
+wrong password and fails.
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-ttls-radius/evaltest.dat
new file mode 100644
index 000000000..2c0f65159
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/evaltest.dat
@@ -0,0 +1,21 @@
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::server requested EAP_TTLS authentication::YES
+carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+dave::cat /var/log/daemon.log::server requested EAP_TTLS authentication::YES
+dave::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
+moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon::cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES
+moon::cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES
+moon::ipsec statusall::rw-eap.*ESTABLISHED.*carol@strongswan.org::YES
+moon::ipsec statusall::rw-eap.*ESTABLISHED.*dave@strongswan.org::NO
+carol::ipsec statusall::home.*ESTABLISHED::YES
+dave::ipsec statusall::home.*ESTABLISHED::NO
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+
+
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/clients.conf
new file mode 100644
index 000000000..f4e179aa4
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/clients.conf
@@ -0,0 +1,4 @@
+client PH_IP_MOON1 {
+  secret    = gv6URkSs 
+  shortname = moon
+}
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/eap.conf
new file mode 100644
index 000000000..c91cd40fb
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/eap.conf
@@ -0,0 +1,18 @@
+eap {
+  md5 {
+  }
+  default_eap_type = ttls
+  tls {
+    private_key_file = /etc/raddb/certs/aaaKey.pem
+    certificate_file = /etc/raddb/certs/aaaCert.pem
+    CA_file = /etc/raddb/certs/strongswanCert.pem
+    cipher_list = "DEFAULT"
+    dh_file = /etc/raddb/certs/dh
+    random_file = /etc/raddb/certs/random
+  }
+  ttls {
+    default_eap_type = md5
+    use_tunneled_reply = yes
+    virtual_server = "inner-tunnel"
+  }
+}
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/proxy.conf
new file mode 100644
index 000000000..23cba8d11
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/proxy.conf
@@ -0,0 +1,5 @@
+realm strongswan.org {
+  type     = radius
+  authhost = LOCAL
+  accthost = LOCAL
+}
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/radiusd.conf
new file mode 100644
index 000000000..1143a0473
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/radiusd.conf
@@ -0,0 +1,120 @@
+# radiusd.conf	-- FreeRADIUS server configuration file.
+
+prefix = /usr
+exec_prefix = ${prefix}
+sysconfdir = /etc
+localstatedir = /var
+sbindir = ${exec_prefix}/sbin
+logdir = ${localstatedir}/log/radius
+raddbdir = ${sysconfdir}/raddb
+radacctdir = ${logdir}/radacct
+
+#  name of the running server.  See also the "-n" command-line option.
+name = radiusd
+
+#  Location of config and logfiles.
+confdir = ${raddbdir}
+run_dir = ${localstatedir}/run/radiusd
+
+# Should likely be ${localstatedir}/lib/radiusd
+db_dir = ${raddbdir}
+
+# libdir: Where to find the rlm_* modules.
+libdir = ${exec_prefix}/lib
+
+#  pidfile: Where to place the PID of the RADIUS server.
+pidfile = ${run_dir}/${name}.pid
+
+#  max_request_time: The maximum time (in seconds) to handle a request.
+max_request_time = 30
+
+#  cleanup_delay: The time to wait (in seconds) before cleaning up
+cleanup_delay = 5
+
+#  max_requests: The maximum number of requests which the server keeps
+max_requests = 1024
+
+#  listen: Make the server listen on a particular IP address, and send
+listen {
+  type = auth
+  ipaddr = PH_IP_ALICE 
+  port = 0
+}
+
+#  This second "listen" section is for listening on the accounting
+#  port, too.
+#
+listen {
+  type  = acct
+  ipaddr = PH_IP_ALICE 
+  port = 0
+}
+
+#  hostname_lookups: Log the names of clients or just their IP addresses
+hostname_lookups = no
+
+#  Core dumps are a bad thing.  This should only be set to 'yes'
+allow_core_dumps = no
+
+#  Regular expressions
+regular_expressions = yes
+extended_expressions = yes
+
+#  Logging section.  The various "log_*" configuration items
+log {
+  destination = files
+  file = ${logdir}/radius.log
+  syslog_facility = daemon
+  stripped_names = no
+  auth = yes 
+  auth_badpass = yes 
+  auth_goodpass = yes 
+}
+
+#  The program to execute to do concurrency checks.
+checkrad = ${sbindir}/checkrad
+
+#  Security considerations
+security {
+  max_attributes = 200
+  reject_delay = 1
+  status_server = yes
+}
+
+# PROXY CONFIGURATION
+proxy_requests = yes
+$INCLUDE proxy.conf
+
+# CLIENTS CONFIGURATION
+$INCLUDE clients.conf
+
+# THREAD POOL CONFIGURATION
+thread pool {
+  start_servers = 5
+  max_servers = 32
+  min_spare_servers = 3
+  max_spare_servers = 10
+  max_requests_per_server = 0
+}
+
+# MODULE CONFIGURATION
+modules {
+  $INCLUDE ${confdir}/modules/
+  $INCLUDE eap.conf
+  $INCLUDE sql.conf
+  $INCLUDE sql/mysql/counter.conf
+}
+
+# Instantiation
+instantiate {
+  exec
+  expr
+  expiration
+  logintime
+}
+
+# Policies
+$INCLUDE policy.conf
+
+# Include all enabled virtual hosts
+$INCLUDE sites-enabled/
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/sites-available/default
new file mode 100644
index 000000000..802fcfd8d
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/sites-available/default
@@ -0,0 +1,44 @@
+authorize {
+  suffix
+  eap {
+    ok = return
+  }
+  files
+}
+
+authenticate {
+  eap
+}
+
+preacct {
+  preprocess
+  acct_unique
+  suffix
+  files
+}
+
+accounting {
+  detail
+  unix
+  radutmp
+  attr_filter.accounting_response
+}
+
+session {
+  radutmp
+}
+
+post-auth {
+  exec
+  Post-Auth-Type REJECT {
+    attr_filter.access_reject
+  }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+  eap
+}
+
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel
new file mode 100644
index 000000000..e088fae14
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel
@@ -0,0 +1,32 @@
+server inner-tunnel {
+
+authorize {
+	suffix
+	eap {
+		ok = return
+	}
+	files
+}
+
+authenticate {
+	eap
+}
+
+session {
+	radutmp
+}
+
+post-auth {
+	Post-Auth-Type REJECT {
+		attr_filter.access_reject
+	}
+}
+
+pre-proxy {
+}
+
+post-proxy {
+	eap
+}
+
+} # inner-tunnel server block
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/users b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/users
new file mode 100644
index 000000000..50ccf3e76
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/users
@@ -0,0 +1,2 @@
+carol	Cleartext-Password := "Ar3etTnp"
+dave	Cleartext-Password := "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..97a2e02c9
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutostart=no
+	charondebug="tls 2"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_CAROL
+	leftid=carol@strongswan.org
+	leftauth=eap
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	rightauth=pubkey
+	aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..74942afda
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..378bdc540
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
+  multiple_authentication=no
+}
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..d388060be
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutostart=no
+	charondebug="tls 2"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_DAVE
+	leftid=dave@strongswan.org
+	leftauth=eap
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	rightauth=pubkey
+	aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..d5631a9f5
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+dave@strongswan.org : EAP "UgaM65Va"
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..378bdc540
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
+  multiple_authentication=no
+}
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/init.d/iptables
new file mode 100755
index 000000000..56587b2e8
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/init.d/iptables
@@ -0,0 +1,84 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+	before net
+	need logger
+}
+
+start() {
+	ebegin "Starting firewall"
+
+	# enable IP forwarding
+	echo 1 > /proc/sys/net/ipv4/ip_forward
+	
+	# default policy is DROP
+	/sbin/iptables -P INPUT DROP
+	/sbin/iptables -P OUTPUT DROP
+	/sbin/iptables -P FORWARD DROP
+
+	# allow esp
+	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+	# allow IKE
+	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+	# allow MobIKE
+	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+	# allow crl fetch from winnetou
+	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+	# allow RADIUS protocol with alice
+	iptables -A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+	iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+	# allow ssh
+	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
+	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+	
+			if [ $a == nat ]; then
+				/sbin/iptables -t nat -P PREROUTING ACCEPT
+				/sbin/iptables -t nat -P POSTROUTING ACCEPT
+				/sbin/iptables -t nat -P OUTPUT ACCEPT
+			elif [ $a == mangle ]; then
+				/sbin/iptables -t mangle -P PREROUTING ACCEPT
+				/sbin/iptables -t mangle -P INPUT ACCEPT
+				/sbin/iptables -t mangle -P FORWARD ACCEPT
+				/sbin/iptables -t mangle -P OUTPUT ACCEPT
+				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
+			elif [ $a == filter ]; then
+				/sbin/iptables -t filter -P INPUT ACCEPT
+				/sbin/iptables -t filter -P FORWARD ACCEPT
+				/sbin/iptables -t filter -P OUTPUT ACCEPT
+			fi
+		done
+	eend $?
+}
+
+reload() {
+	ebegin "Flushing firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+		done;
+        eend $?
+	start
+}
+
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..fc8f84638
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn rw-eap
+	left=PH_IP_MOON
+	leftsubnet=10.1.0.0/16
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftauth=pubkey
+	leftfirewall=yes
+	rightauth=eap-radius
+	rightid=*@strongswan.org
+	rightsendcert=never
+	right=%any
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..e86d6aa5c
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..4d2d3058d
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,12 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-radius updown
+  multiple_authentication=no
+  plugins {
+    eap-radius {
+      secret = gv6URkSs 
+      server = PH_IP_ALICE
+    }
+  }
+}
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/posttest.dat b/testing/tests/ikev2/rw-eap-ttls-radius/posttest.dat
new file mode 100644
index 000000000..dbe56013a
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/posttest.dat
@@ -0,0 +1,7 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+alice::/etc/init.d/radiusd stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/pretest.dat b/testing/tests/ikev2/rw-eap-ttls-radius/pretest.dat
new file mode 100644
index 000000000..cbe1ae229
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/pretest.dat
@@ -0,0 +1,11 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+alice::/etc/init.d/radiusd start 
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
+dave::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/test.conf b/testing/tests/ikev2/rw-eap-ttls-radius/test.conf
new file mode 100644
index 000000000..e6a786a94
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/test.conf
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice carol winnetou dave moon"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# UML instances on which FreeRadius is started
+#
+RADIUSHOSTS="alice"
+
diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/mark_updown b/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/mark_updown
index 442233f32..0d22e684d 100755
--- a/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/mark_updown
+++ b/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/mark_updown
@@ -124,7 +124,7 @@
 #       PLUTO_MARK_OUT
 #              is an optional XFRM mark set on the outbound IPsec SA
 #
-#       PLUTO_ESP_ENC
+#       PLUTO_UDP_ENC
 #              contains the remote UDP port in the case of ESP_IN_UDP
 #              encapsulation
 #
diff --git a/testing/tests/ipv6/host2host-ikev1/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/host2host-ikev1/hosts/moon/etc/ipsec.conf
index 2814e881f..9940e81a5 100755
--- a/testing/tests/ipv6/host2host-ikev1/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ipv6/host2host-ikev1/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn net-net
 	also=host-host
diff --git a/testing/tests/ipv6/host2host-ikev1/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6/host2host-ikev1/hosts/sun/etc/ipsec.conf
index 4cf027ad5..016adc095 100755
--- a/testing/tests/ipv6/host2host-ikev1/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ipv6/host2host-ikev1/hosts/sun/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn net-net
 	also=host-host
diff --git a/testing/tests/ipv6/net2net-ikev1/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/net2net-ikev1/hosts/moon/etc/ipsec.conf
index 84abbb07a..bb96a71e0 100755
--- a/testing/tests/ipv6/net2net-ikev1/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ipv6/net2net-ikev1/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn net-net
 	also=host-host
diff --git a/testing/tests/ipv6/net2net-ikev1/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6/net2net-ikev1/hosts/sun/etc/ipsec.conf
index 4cf027ad5..016adc095 100755
--- a/testing/tests/ipv6/net2net-ikev1/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ipv6/net2net-ikev1/hosts/sun/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn net-net
 	also=host-host
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/strongswan.conf
index 4e73b5292..1cfd1eb1f 100644
--- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 x509 gmp random hmac
+  load = curl aes des sha1 sha2 md5 pem pkcs1 x509 gmp random hmac kernel-netlink
 }
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/strongswan.conf
index 825ae1264..1cfd1eb1f 100644
--- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 x509 gmp random hmac 
+  load = curl aes des sha1 sha2 md5 pem pkcs1 x509 gmp random hmac kernel-netlink
 }
diff --git a/testing/tests/ipv6/rw-ikev1/hosts/carol/etc/ipsec.conf b/testing/tests/ipv6/rw-ikev1/hosts/carol/etc/ipsec.conf
index b27609917..363c910b0 100755
--- a/testing/tests/ipv6/rw-ikev1/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ipv6/rw-ikev1/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn home
 	left=PH_IP6_CAROL
diff --git a/testing/tests/ipv6/rw-ikev1/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/rw-ikev1/hosts/moon/etc/ipsec.conf
index 0129ef744..1b5a2aced 100755
--- a/testing/tests/ipv6/rw-ikev1/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ipv6/rw-ikev1/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn rw
 	left=PH_IP6_MOON
diff --git a/testing/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/ipsec.conf b/testing/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/ipsec.conf
index 5d77c2dd5..76135d1ee 100755
--- a/testing/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/ipsec.conf
@@ -9,6 +9,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	authby=secret
 	
 conn home
diff --git a/testing/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/ipsec.conf
index 78f674026..69b154bcf 100755
--- a/testing/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/ipsec.conf
@@ -9,6 +9,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	authby=secret
 	
 conn rw
diff --git a/testing/tests/ipv6/transport-ikev1/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/transport-ikev1/hosts/moon/etc/ipsec.conf
index 8bc0deba8..69ba50530 100755
--- a/testing/tests/ipv6/transport-ikev1/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ipv6/transport-ikev1/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn host-host
 	left=PH_IP6_MOON
diff --git a/testing/tests/ipv6/transport-ikev1/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6/transport-ikev1/hosts/sun/etc/ipsec.conf
index b68082dd9..a7c6b18c7 100755
--- a/testing/tests/ipv6/transport-ikev1/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ipv6/transport-ikev1/hosts/sun/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn host-host
 	left=PH_IP6_SUN
diff --git a/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/ipsec.conf
index c226d97d0..982b2fdb2 100755
--- a/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	ike=camellia192-sha384-modp3072!
 	esp=camellia192-sha384!
 
diff --git a/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf
index 4ccc387bd..1ea14c6f2 100644
--- a/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = pem pkcs1 openssl random hmac curl
+  load = pem pkcs1 openssl random hmac curl kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/ipsec.conf
index e26d972f0..b6f719256 100755
--- a/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	ike=camellia192-sha384-modp3072!
 	esp=camellia192-sha384!
 
diff --git a/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf
index 4ccc387bd..1ea14c6f2 100644
--- a/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = pem pkcs1 openssl random hmac curl
+  load = pem pkcs1 openssl random hmac curl kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/openssl-ikev1/alg-camellia/test.conf b/testing/tests/openssl-ikev1/alg-camellia/test.conf
index fd33cfb57..6abbb89a9 100644
--- a/testing/tests/openssl-ikev1/alg-camellia/test.conf
+++ b/testing/tests/openssl-ikev1/alg-camellia/test.conf
@@ -5,11 +5,11 @@
 
 # All UML instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
 
 # UML instances on which tcpdump is to be started
 #
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/strongswan.conf
index 4ccc387bd..1ea14c6f2 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = pem pkcs1 openssl random hmac curl
+  load = pem pkcs1 openssl random hmac curl kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/strongswan.conf
index 3562ddc67..bdd3f5582 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = aes des sha1 sha2 md5 pem pkcs1 x509 gmp pem pkcs1 openssl random hmac curl
+  load = aes des sha1 sha2 md5 pem pkcs1 x509 gmp pem pkcs1 openssl random hmac curl kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/strongswan.conf
index 4ccc387bd..1ea14c6f2 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = pem pkcs1 openssl random hmac curl
+  load = pem pkcs1 openssl random hmac curl kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/strongswan.conf
index 63892fd33..1ea14c6f2 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = pem pkcs1 openssl random hmac curl 
+  load = pem pkcs1 openssl random hmac curl kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/strongswan.conf
index 3562ddc67..bdd3f5582 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = aes des sha1 sha2 md5 pem pkcs1 x509 gmp pem pkcs1 openssl random hmac curl
+  load = aes des sha1 sha2 md5 pem pkcs1 x509 gmp pem pkcs1 openssl random hmac curl kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/strongswan.conf
index 63892fd33..1ea14c6f2 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = pem pkcs1 openssl random hmac curl 
+  load = pem pkcs1 openssl random hmac curl kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/strongswan.conf
index 4ccc387bd..1ea14c6f2 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = pem pkcs1 openssl random hmac curl
+  load = pem pkcs1 openssl random hmac curl kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/strongswan.conf
index a96b54446..4c5d53dff 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = pem pkcs1 pem pkcs1 openssl random hmac curl
+  load = pem pkcs1 pem pkcs1 openssl random hmac curl kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/strongswan.conf
index 4ccc387bd..1ea14c6f2 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = pem pkcs1 openssl random hmac curl
+  load = pem pkcs1 openssl random hmac curl kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/openssl-ikev1/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev1/rw-cert/hosts/carol/etc/strongswan.conf
index 1029b8536..a8fecbc2f 100644
--- a/testing/tests/openssl-ikev1/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/rw-cert/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = test-vectors pem pkcs1 openssl random hmac curl
+  load = test-vectors pem pkcs1 openssl random hmac curl kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/openssl-ikev1/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev1/rw-cert/hosts/dave/etc/strongswan.conf
index 2da706ef7..85164eeb7 100644
--- a/testing/tests/openssl-ikev1/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/rw-cert/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = test-vectors aes des sha1 sha2 md5 pem pkcs1 x509 gmp random hmac curl
+  load = test-vectors aes des sha1 sha2 md5 pem pkcs1 x509 gmp random hmac curl kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/openssl-ikev1/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev1/rw-cert/hosts/moon/etc/strongswan.conf
index edc6dbed4..763503e29 100644
--- a/testing/tests/openssl-ikev1/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/rw-cert/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = test-vectors pem pkcs1 openssl random hmac curl
+  load = test-vectors pem pkcs1 openssl random hmac curl kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/openssl-ikev2/alg-camellia/test.conf b/testing/tests/openssl-ikev2/alg-camellia/test.conf
index acb73b06f..9cd583b16 100644
--- a/testing/tests/openssl-ikev2/alg-camellia/test.conf
+++ b/testing/tests/openssl-ikev2/alg-camellia/test.conf
@@ -5,11 +5,11 @@
 
 # All UML instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
 
 # UML instances on which tcpdump is to be started
 #
diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
index 206f029f3..c78da2c08 100644
--- a/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors pem pkcs1 openssl revocation random hmac stroke kernel-netlink socket-default updown
+  load = curl test-vectors pem pkcs1 openssl revocation random hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
index 208f1c36d..e483eba9d 100644
--- a/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
index 3ae6205cb..848adaf6a 100644
--- a/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors pem pkcs1 openssl revocation random hmac stroke kernel-netlink socket-default updown
+  load = curl test-vectors pem pkcs1 openssl revocation random hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/description.txt b/testing/tests/openssl-ikev2/rw-eap-tls-only/description.txt
new file mode 100644
index 000000000..e25da6935
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/description.txt
@@ -0,0 +1,5 @@
+The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
+The strong mutual authentication of both peers is based on <b>EAP-TLS</b> only
+(without a separate IKEv2 authentication), using TLS client and server certificates,
+respectively. Elliptic curve cryptography is used by both the IKE and TLS
+protocols.
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/evaltest.dat b/testing/tests/openssl-ikev2/rw-eap-tls-only/evaltest.dat
new file mode 100644
index 000000000..dad834ca6
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/evaltest.dat
@@ -0,0 +1,10 @@
+carol::cat /var/log/daemon.log::server requested EAP_TLS authentication::YES
+carol::cat /var/log/daemon.log::negotiated TLS version TLS 1.2 with suite TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256::YES
+carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
+carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=ECDSA 521 bit, CN=moon.strongswan.org' with EAP successful::YES
+moon::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=ECDSA 256 bit, CN=carol@strongswan.org' with EAP successful::YES
+moon::ipsec statusall::rw-eap.*ESTABLISHED::YES
+carol::ipsec statusall::home.*ESTABLISHED::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..02ece4738
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutostart=no
+	charondebug="tls 2"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=aes128-sha256-ecp256!
+	esp=aes128-sha256!
+
+conn home
+	left=PH_IP_CAROL
+	leftcert=carolCert.pem
+	leftauth=eap
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid="C=CH, O=Linux strongSwan, OU=ECDSA 521 bit, CN=moon.strongswan.org"
+	rightsubnet=10.1.0.0/16
+	rightsendcert=never
+	auto=add
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
new file mode 100644
index 000000000..3480a434a
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyDCCAiqgAwIBAgIJAPaidX4i76aJMAkGByqGSM49BAEwSDELMAkGA1UEBhMC
+Q0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3
+YW4gRUMgUm9vdCBDQTAeFw0wODA2MjIxNDM2MDZaFw0xODA2MjAxNDM2MDZaMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA
+BAEUx1NvjNKzbDHaRPMsqIf/6SbUpzBa78N/WIyF6rYj8e5McAqfTfzUfFJZYoQn
+/mbP3VfjOxRuMDjrlfvdgMxwkwFDigWQfHg3CJbS7eQjjO1MrxxIJUtfSTnF29tM
+h6IYMdxaZKloCGCOrpmGCGdxD2/KwoX1SA3BlnjaNt7kSTonkqOBujCBtzAPBgNV
+HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUul35cbYTtWrR3bo2
+t6rSwe6P2NIweAYDVR0jBHEwb4AUul35cbYTtWrR3bo2t6rSwe6P2NKhTKRKMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2onV+Iu+miTAJBgcqhkjOPQQBA4GM
+ADCBiAJCAL5pU3X6NYWjOYe0cxrah27UxtUDLUNkFG/Ojl+gOH4QB0CKY0HXNyrq
+cgba73dXF/U0Cg3Ij/9g4Kd9GgYq0GlSAkIAqgqMKqXni8wbeGMJE2Mn2/8aHM3Q
+3flpHSoeNWOe/VzpRviw+VRgA4vbhhKUXBtQSiea77/DXLwOp5w7rkBoEUg=
+-----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/certs/carolCert.pem
new file mode 100644
index 000000000..29709926a
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/certs/carolCert.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC7zCCAlGgAwIBAgIBBDAJBgcqhkjOPQQBMEgxCzAJBgNVBAYTAkNIMRkwFwYD
+VQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJv
+b3QgQ0EwHhcNMDgwNjIyMTYyOTE4WhcNMTMwNjIxMTYyOTE4WjBfMQswCQYDVQQG
+EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEWMBQGA1UECxMNRUNEU0Eg
+MjU2IGJpdDEdMBsGA1UEAxQUY2Fyb2xAc3Ryb25nc3dhbi5vcmcwWTATBgcqhkjO
+PQIBBggqhkjOPQMBBwNCAAQgp/Z/GgzvVCDdVcIYqERml0KroZEaVqiF8uy8dlTS
+4mxNs6snDdEWh/LzXTd3NVnCihT2XgHxOk8NrX4hBMMYo4IBFDCCARAwCQYDVR0T
+BAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFLdhGhurno1dU2SMx7UGXpa/lgJ9
+MHgGA1UdIwRxMG+AFLpd+XG2E7Vq0d26Nreq0sHuj9jSoUykSjBIMQswCQYDVQQG
+EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25n
+U3dhbiBFQyBSb290IENBggkA9qJ1fiLvpokwHwYDVR0RBBgwFoEUY2Fyb2xAc3Ry
+b25nc3dhbi5vcmcwPAYDVR0fBDUwMzAxoC+gLYYraHR0cDovL2NybC5zdHJvbmdz
+d2FuLm9yZy9zdHJvbmdzd2FuX2VjLmNybDAJBgcqhkjOPQQBA4GMADCBiAJCATa+
+sBFW3vCx/JgLyxU85F2QuLO0/zdNBhIU0kN7kr1cYBBr8mpbhuNKm6iFe2DsFJZx
+ii3DQjwvG46is2Njzi4vAkIA72lPodCDtAFpD/2PUxjzo6xTAFazUejobkdDTUXn
+s0f8qIzzeQuTwLbp6pDmR/JGzhAeRvQT82njCo0PJ8Hbz1c=
+-----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/private/carolKey.pem
new file mode 100644
index 000000000..5f21c1012
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/private/carolKey.pem
@@ -0,0 +1,8 @@
+-----BEGIN EC PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: AES-128-CBC,F36088B0517117B50C1A436E5C84526E
+
+Zulq4O8x8i4P2I8+Ewe2pPJT8K2kzX9JjGhquFKaZdEG1YmXqIdMz41DA1b9cQjt
+KJstY10Gzc/C6Hv9v/ljfplcnumYBFdFsqvQ/Z0xh/G9u/J1gXjghhrQCUXbFble
+RVSwozA9IcCC9yQdhYyazF+85DR+p8AyQ5w2unOvuOk=
+-----END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.secrets b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..4e53ef91a
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: ECDSA carolKey.pem "nH5ZQEWtku0RJEZ6"
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..ed9b8c764
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl pem pkcs1 random openssl revocation hmac xcbc stroke kernel-netlink socket-default eap-tls updown
+  multiple_authentication=no
+}
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..2679d4f9b
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,26 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	strictcrlpolicy=no
+	plutostart=no
+	charondebug="tls 2"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=aes128-sha256-ecp256!
+	esp=aes128-sha256!
+
+conn rw-eap
+	left=PH_IP_MOON
+	leftsubnet=10.1.0.0/16
+	leftcert=moonCert.pem
+	leftauth=eap-tls
+	leftfirewall=yes
+	rightauth=eap-tls
+	rightsendcert=never
+	right=%any
+	auto=add
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
new file mode 100644
index 000000000..3480a434a
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyDCCAiqgAwIBAgIJAPaidX4i76aJMAkGByqGSM49BAEwSDELMAkGA1UEBhMC
+Q0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3
+YW4gRUMgUm9vdCBDQTAeFw0wODA2MjIxNDM2MDZaFw0xODA2MjAxNDM2MDZaMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA
+BAEUx1NvjNKzbDHaRPMsqIf/6SbUpzBa78N/WIyF6rYj8e5McAqfTfzUfFJZYoQn
+/mbP3VfjOxRuMDjrlfvdgMxwkwFDigWQfHg3CJbS7eQjjO1MrxxIJUtfSTnF29tM
+h6IYMdxaZKloCGCOrpmGCGdxD2/KwoX1SA3BlnjaNt7kSTonkqOBujCBtzAPBgNV
+HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUul35cbYTtWrR3bo2
+t6rSwe6P2NIweAYDVR0jBHEwb4AUul35cbYTtWrR3bo2t6rSwe6P2NKhTKRKMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2onV+Iu+miTAJBgcqhkjOPQQBA4GM
+ADCBiAJCAL5pU3X6NYWjOYe0cxrah27UxtUDLUNkFG/Ojl+gOH4QB0CKY0HXNyrq
+cgba73dXF/U0Cg3Ij/9g4Kd9GgYq0GlSAkIAqgqMKqXni8wbeGMJE2Mn2/8aHM3Q
+3flpHSoeNWOe/VzpRviw+VRgA4vbhhKUXBtQSiea77/DXLwOp5w7rkBoEUg=
+-----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/certs/moonCert.pem
new file mode 100644
index 000000000..5178c7f38
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/certs/moonCert.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDMDCCApKgAwIBAgIBATAJBgcqhkjOPQQBMEgxCzAJBgNVBAYTAkNIMRkwFwYD
+VQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJv
+b3QgQ0EwHhcNMDgwNjIyMTQ0MzA3WhcNMTMwNjIxMTQ0MzA3WjBeMQswCQYDVQQG
+EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEWMBQGA1UECxMNRUNEU0Eg
+NTIxIGJpdDEcMBoGA1UEAxMTbW9vbi5zdHJvbmdzd2FuLm9yZzCBmzAQBgcqhkjO
+PQIBBgUrgQQAIwOBhgAEALmnl/PUy9v7Qsc914kdzY+TQ6VY2192oRoa9SkpxXrs
+5GnWSJoz3yinpPHdchH0UknKt/C2Ik2k7izDH/Zau5gNAD1PqBrYWtcP+sLnH1G9
+BTibraniAUSpSaDhiWrfTteRNWqkzZI37a6YfKcBZozQcvYMW1co15EwZTptqykX
+Eepuo4IBEzCCAQ8wCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFDVU
+Hzs47lOG0dHsezm6aFqdwJwfMHgGA1UdIwRxMG+AFLpd+XG2E7Vq0d26Nreq0sHu
+j9jSoUykSjBIMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dh
+bjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBSb290IENBggkA9qJ1fiLvpokwHgYD
+VR0RBBcwFYITbW9vbi5zdHJvbmdzd2FuLm9yZzA8BgNVHR8ENTAzMDGgL6Athito
+dHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAkGByqG
+SM49BAEDgYwAMIGIAkIBDgZs1pXvm8SwT9S1m6nIHwuZsJDsDri/PWM6NXdMUXEt
+l0p8cfq8PbJlK/0+eLz8Ec1zpWuF5vasFHkVhauHdnECQgEVuYTrlry9gAx7G4kH
+mne2yDxTclEDziWxPG4UkZbkGttf9eZlsXmNoX/Z/fojXxMYZaPqM3eOT2h6ezMD
+CI9WpQ==
+-----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/private/moonKey.pem
new file mode 100644
index 000000000..beab0485f
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/private/moonKey.pem
@@ -0,0 +1,7 @@
+-----BEGIN EC PRIVATE KEY-----
+MIHcAgEBBEIBrBxHEGICJRNkhm0HWfARp+dIzm6Lw7eCbQXNM6jSGL4DVNDVCV42
+yOKQqifWEcNWxO+wWtBaz91IF5hz/m4TbOGgBwYFK4EEACOhgYkDgYYABAC5p5fz
+1Mvb+0LHPdeJHc2Pk0OlWNtfdqEaGvUpKcV67ORp1kiaM98op6Tx3XIR9FJJyrfw
+tiJNpO4swx/2WruYDQA9T6ga2FrXD/rC5x9RvQU4m62p4gFEqUmg4Ylq307XkTVq
+pM2SN+2umHynAWaM0HL2DFtXKNeRMGU6baspFxHqbg==
+-----END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.secrets b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..1ef3eccb5
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: ECDSA moonKey.pem
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..46d8e2933
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,13 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl pem pkcs1 random openssl revocation hmac xcbc stroke kernel-netlink socket-default eap-tls updown
+  multiple_authentication=no
+}
+
+libtls {
+  key_exchange = ecdhe-ecdsa
+  cipher = aes128
+  mac = sha256
+}
+
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/posttest.dat b/testing/tests/openssl-ikev2/rw-eap-tls-only/posttest.dat
new file mode 100644
index 000000000..94a400606
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/pretest.dat b/testing/tests/openssl-ikev2/rw-eap-tls-only/pretest.dat
new file mode 100644
index 000000000..ed5498bfe
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/pretest.dat
@@ -0,0 +1,7 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+carol::sleep 1
+carol::ipsec up home
+carol::sleep 1
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/test.conf b/testing/tests/openssl-ikev2/rw-eap-tls-only/test.conf
new file mode 100644
index 000000000..9cd583b16
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/pfkey/alg-aes-xcbc/test.conf b/testing/tests/pfkey/alg-aes-xcbc/test.conf
index acb73b06f..9cd583b16 100644
--- a/testing/tests/pfkey/alg-aes-xcbc/test.conf
+++ b/testing/tests/pfkey/alg-aes-xcbc/test.conf
@@ -5,11 +5,11 @@
 
 # All UML instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
 
 # UML instances on which tcpdump is to be started
 #
diff --git a/testing/tests/pfkey/alg-sha384/test.conf b/testing/tests/pfkey/alg-sha384/test.conf
index acb73b06f..9cd583b16 100644
--- a/testing/tests/pfkey/alg-sha384/test.conf
+++ b/testing/tests/pfkey/alg-sha384/test.conf
@@ -5,11 +5,11 @@
 
 # All UML instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
 
 # UML instances on which tcpdump is to be started
 #
diff --git a/testing/tests/pfkey/alg-sha512/test.conf b/testing/tests/pfkey/alg-sha512/test.conf
index acb73b06f..9cd583b16 100644
--- a/testing/tests/pfkey/alg-sha512/test.conf
+++ b/testing/tests/pfkey/alg-sha512/test.conf
@@ -5,11 +5,11 @@
 
 # All UML instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
 
 # UML instances on which tcpdump is to be started
 #
diff --git a/testing/tests/pfkey/esp-alg-null/test.conf b/testing/tests/pfkey/esp-alg-null/test.conf
index acb73b06f..9cd583b16 100644
--- a/testing/tests/pfkey/esp-alg-null/test.conf
+++ b/testing/tests/pfkey/esp-alg-null/test.conf
@@ -5,11 +5,11 @@
 
 # All UML instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
 
 # UML instances on which tcpdump is to be started
 #
diff --git a/testing/tests/sql/ip-pool-db-expired/posttest.dat b/testing/tests/sql/ip-pool-db-expired/posttest.dat
index d4d57ad83..40b1a403e 100644
--- a/testing/tests/sql/ip-pool-db-expired/posttest.dat
+++ b/testing/tests/sql/ip-pool-db-expired/posttest.dat
@@ -1,6 +1,6 @@
-moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
+moon::ipsec stop
 moon::/etc/init.d/iptables stop 2> /dev/null
 carol::/etc/init.d/iptables stop 2> /dev/null
 dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/sql/ip-pool-db-restart/posttest.dat b/testing/tests/sql/ip-pool-db-restart/posttest.dat
index d4d57ad83..40b1a403e 100644
--- a/testing/tests/sql/ip-pool-db-restart/posttest.dat
+++ b/testing/tests/sql/ip-pool-db-restart/posttest.dat
@@ -1,6 +1,6 @@
-moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
+moon::ipsec stop
 moon::/etc/init.d/iptables stop 2> /dev/null
 carol::/etc/init.d/iptables stop 2> /dev/null
 dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/sql/ip-pool-db/posttest.dat b/testing/tests/sql/ip-pool-db/posttest.dat
index d4d57ad83..40b1a403e 100644
--- a/testing/tests/sql/ip-pool-db/posttest.dat
+++ b/testing/tests/sql/ip-pool-db/posttest.dat
@@ -1,6 +1,6 @@
-moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
+moon::ipsec stop
 moon::/etc/init.d/iptables stop 2> /dev/null
 carol::/etc/init.d/iptables stop 2> /dev/null
 dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/sql/ip-split-pools-db-restart/posttest.dat b/testing/tests/sql/ip-split-pools-db-restart/posttest.dat
index 5ff7b9d47..0fce500bf 100644
--- a/testing/tests/sql/ip-split-pools-db-restart/posttest.dat
+++ b/testing/tests/sql/ip-split-pools-db-restart/posttest.dat
@@ -1,6 +1,6 @@
-moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
+moon::ipsec stop
 moon::rm /etc/ipsec.d/ipsec.*
 carol::rm /etc/ipsec.d/ipsec.*
 dave::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/sql/ip-split-pools-db/posttest.dat b/testing/tests/sql/ip-split-pools-db/posttest.dat
index 5ff7b9d47..0fce500bf 100644
--- a/testing/tests/sql/ip-split-pools-db/posttest.dat
+++ b/testing/tests/sql/ip-split-pools-db/posttest.dat
@@ -1,6 +1,6 @@
-moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
+moon::ipsec stop
 moon::rm /etc/ipsec.d/ipsec.*
 carol::rm /etc/ipsec.d/ipsec.*
 dave::rm /etc/ipsec.d/ipsec.*
-- 
cgit v1.2.3


From 568905f488e63e28778f87ac0e38d845f45bae79 Mon Sep 17 00:00:00 2001
From: René Mayrhofer <rene@mayrhofer.eu.org>
Date: Sat, 5 Mar 2011 09:20:09 +0100
Subject: Imported Upstream version 4.5.1

---
 Android.mk                                         |    2 +-
 Makefile.in                                        |    4 +-
 NEWS                                               |   74 ++
 configure                                          |  447 ++++++--
 configure.in                                       |   65 +-
 ltmain.sh                                          |    0
 man/Makefile.in                                    |    4 +-
 man/ipsec.conf.5                                   |   24 +-
 man/ipsec.conf.5.in                                |   22 +-
 man/ipsec.secrets.5                                |    2 +-
 man/strongswan.conf.5                              |   65 +-
 man/strongswan.conf.5.in                           |   63 +-
 scripts/Makefile.am                                |    8 +-
 scripts/Makefile.in                                |   43 +-
 scripts/fetch.c                                    |   41 +
 scripts/oid2der.c                                  |   31 +
 src/Makefile.am                                    |   18 +-
 src/Makefile.in                                    |   38 +-
 src/_copyright/Makefile.am                         |    1 -
 src/_copyright/Makefile.in                         |  102 +-
 src/_copyright/_copyright.8                        |   29 -
 src/_updown/Makefile.in                            |    4 +-
 src/_updown_espmark/Makefile.in                    |    4 +-
 src/charon/Makefile.in                             |    4 +-
 src/charon/charon.c                                |  137 ++-
 src/checksum/Makefile.in                           |    4 +-
 src/conftest/Makefile.am                           |   26 +
 src/conftest/Makefile.in                           |  954 ++++++++++++++++
 src/conftest/README                                |  315 ++++++
 src/conftest/actions.c                             |  339 ++++++
 src/conftest/actions.h                             |   42 +
 src/conftest/config.c                              |  343 ++++++
 src/conftest/config.h                              |   56 +
 src/conftest/conftest.c                            |  550 +++++++++
 src/conftest/conftest.h                            |   74 ++
 src/conftest/hooks/add_notify.c                    |  140 +++
 src/conftest/hooks/add_payload.c                   |  151 +++
 src/conftest/hooks/custom_proposal.c               |  188 +++
 src/conftest/hooks/force_cookie.c                  |  117 ++
 src/conftest/hooks/hook.h                          |   45 +
 src/conftest/hooks/ignore_message.c                |   89 ++
 src/conftest/hooks/ike_auth_fill.c                 |  145 +++
 src/conftest/hooks/log_id.c                        |   89 ++
 src/conftest/hooks/log_ke.c                        |   81 ++
 src/conftest/hooks/log_proposals.c                 |   98 ++
 src/conftest/hooks/log_ts.c                        |   86 ++
 src/conftest/hooks/pretend_auth.c                  |  386 +++++++
 src/conftest/hooks/rebuild_auth.c                  |  243 ++++
 src/conftest/hooks/reset_seq.c                     |  158 +++
 src/conftest/hooks/set_critical.c                  |  123 ++
 src/conftest/hooks/set_ike_initiator.c             |   87 ++
 src/conftest/hooks/set_ike_request.c               |   84 ++
 src/conftest/hooks/set_ike_spi.c                   |  104 ++
 src/conftest/hooks/set_ike_version.c               |  111 ++
 src/conftest/hooks/set_length.c                    |  133 +++
 src/conftest/hooks/set_proposal_number.c           |  163 +++
 src/conftest/hooks/set_reserved.c                  |  245 ++++
 src/conftest/hooks/unencrypted_notify.c            |  153 +++
 src/conftest/hooks/unsort_message.c                |  133 +++
 src/dumm/Makefile.in                               |    4 +-
 src/include/Makefile.in                            |    4 +-
 src/include/linux/xfrm.h                           |    1 +
 src/ipsec/Makefile.in                              |    4 +-
 src/ipsec/ipsec.8                                  |    2 +-
 src/ipsec/ipsec.in                                 |    6 +-
 src/libcharon/Makefile.am                          |   20 +-
 src/libcharon/Makefile.in                          |  157 ++-
 src/libcharon/bus/bus.c                            |    2 +-
 src/libcharon/config/backend_manager.c             |   74 +-
 src/libcharon/config/child_cfg.c                   |  268 ++---
 src/libcharon/config/child_cfg.h                   |   31 +-
 src/libcharon/config/peer_cfg.c                    |    2 +-
 src/libcharon/config/proposal.c                    |   10 +-
 src/libcharon/daemon.c                             |  220 +---
 src/libcharon/daemon.h                             |   19 +-
 src/libcharon/encoding/generator.c                 |  375 +-----
 src/libcharon/encoding/message.c                   |  174 ++-
 src/libcharon/encoding/message.h                   |   41 +-
 src/libcharon/encoding/parser.c                    |   34 +-
 src/libcharon/encoding/payloads/auth_payload.c     |  205 ++--
 src/libcharon/encoding/payloads/auth_payload.h     |   24 +-
 src/libcharon/encoding/payloads/cert_payload.c     |  198 ++--
 src/libcharon/encoding/payloads/cert_payload.h     |    9 +
 src/libcharon/encoding/payloads/certreq_payload.c  |  161 ++-
 .../encoding/payloads/configuration_attribute.c    |  108 +-
 src/libcharon/encoding/payloads/cp_payload.c       |  169 ++-
 src/libcharon/encoding/payloads/delete_payload.c   |   21 +-
 src/libcharon/encoding/payloads/eap_payload.c      |   19 +-
 src/libcharon/encoding/payloads/id_payload.c       |  220 ++--
 src/libcharon/encoding/payloads/id_payload.h       |   44 +-
 src/libcharon/encoding/payloads/ike_header.c       |  315 +++---
 src/libcharon/encoding/payloads/ike_header.h       |   22 +
 src/libcharon/encoding/payloads/ke_payload.c       |  203 ++--
 src/libcharon/encoding/payloads/ke_payload.h       |   23 +-
 src/libcharon/encoding/payloads/nonce_payload.c    |  178 ++-
 src/libcharon/encoding/payloads/notify_payload.c   |  207 ++--
 src/libcharon/encoding/payloads/payload.c          |   64 +-
 src/libcharon/encoding/payloads/payload.h          |   39 +-
 .../encoding/payloads/proposal_substructure.c      |   62 +-
 .../encoding/payloads/proposal_substructure.h      |    6 +-
 src/libcharon/encoding/payloads/sa_payload.c       |   27 +-
 src/libcharon/encoding/payloads/sa_payload.h       |    7 +
 .../payloads/traffic_selector_substructure.c       |  164 ++-
 .../encoding/payloads/transform_attribute.c        |  221 ++--
 .../encoding/payloads/transform_substructure.c     |  299 ++---
 .../encoding/payloads/transform_substructure.h     |   65 +-
 src/libcharon/encoding/payloads/ts_payload.c       |  273 ++---
 src/libcharon/encoding/payloads/ts_payload.h       |   34 +-
 src/libcharon/encoding/payloads/unknown_payload.c  |  172 +--
 src/libcharon/encoding/payloads/unknown_payload.h  |   18 +-
 .../encoding/payloads/vendor_id_payload.c          |  125 +-
 .../encoding/payloads/vendor_id_payload.h          |    5 +
 src/libcharon/plugins/addrblock/Makefile.in        |    4 +-
 .../plugins/addrblock/addrblock_validator.c        |    9 +-
 src/libcharon/plugins/android/Makefile.in          |    4 +-
 src/libcharon/plugins/android/android_creds.c      |    2 +-
 src/libcharon/plugins/android/android_service.c    |    4 +-
 src/libcharon/plugins/dhcp/Makefile.in             |    4 +-
 src/libcharon/plugins/dhcp/dhcp_socket.c           |    7 +-
 src/libcharon/plugins/eap_aka/Makefile.in          |    4 +-
 src/libcharon/plugins/eap_aka_3gpp2/Makefile.in    |    4 +-
 src/libcharon/plugins/eap_gtc/Makefile.in          |    4 +-
 src/libcharon/plugins/eap_identity/Makefile.in     |    4 +-
 src/libcharon/plugins/eap_md5/Makefile.in          |    4 +-
 src/libcharon/plugins/eap_mschapv2/Makefile.in     |    4 +-
 src/libcharon/plugins/eap_radius/Makefile.in       |    4 +-
 src/libcharon/plugins/eap_sim/Makefile.in          |    4 +-
 src/libcharon/plugins/eap_sim_file/Makefile.in     |    4 +-
 .../plugins/eap_simaka_pseudonym/Makefile.in       |    4 +-
 .../plugins/eap_simaka_reauth/Makefile.in          |    4 +-
 src/libcharon/plugins/eap_simaka_sql/Makefile.in   |    4 +-
 src/libcharon/plugins/eap_tls/Makefile.in          |    4 +-
 src/libcharon/plugins/eap_tnc/Makefile.in          |    4 +-
 src/libcharon/plugins/eap_tnc/eap_tnc.c            |   26 +-
 src/libcharon/plugins/eap_ttls/Makefile.in         |    4 +-
 src/libcharon/plugins/eap_ttls/eap_ttls_peer.c     |    1 +
 src/libcharon/plugins/farp/Makefile.in             |    4 +-
 src/libcharon/plugins/ha/Makefile.in               |    4 +-
 src/libcharon/plugins/ha/ha_ctl.c                  |    9 +-
 src/libcharon/plugins/ha/ha_dispatcher.c           |    8 +-
 src/libcharon/plugins/ha/ha_segments.c             |   14 +-
 src/libcharon/plugins/ha/ha_socket.c               |    8 +-
 src/libcharon/plugins/ha/ha_tunnel.c               |    4 +-
 src/libcharon/plugins/led/Makefile.in              |    4 +-
 src/libcharon/plugins/load_tester/Makefile.in      |    4 +-
 .../plugins/load_tester/load_tester_config.c       |    4 +-
 .../plugins/load_tester/load_tester_ipsec.c        |    2 +-
 .../plugins/load_tester/load_tester_plugin.c       |    4 +-
 src/libcharon/plugins/maemo/Makefile.am            |    6 +-
 src/libcharon/plugins/maemo/Makefile.in            |   11 +-
 src/libcharon/plugins/maemo/maemo_service.c        |   15 +-
 .../plugins/maemo/org.strongswan.charon.service    |    4 -
 .../plugins/maemo/org.strongswan.charon.service.in |    4 +
 src/libcharon/plugins/medcli/Makefile.in           |    4 +-
 src/libcharon/plugins/medcli/medcli_config.c       |    8 +-
 src/libcharon/plugins/medsrv/Makefile.in           |    4 +-
 src/libcharon/plugins/nm/Makefile.in               |    4 +-
 src/libcharon/plugins/nm/nm_creds.c                |    6 +-
 src/libcharon/plugins/nm/nm_service.c              |    4 +-
 src/libcharon/plugins/smp/Makefile.in              |    4 +-
 src/libcharon/plugins/socket_default/Makefile.in   |    4 +-
 src/libcharon/plugins/socket_dynamic/Makefile.in   |    4 +-
 src/libcharon/plugins/socket_raw/Makefile.in       |    4 +-
 src/libcharon/plugins/sql/Makefile.in              |    4 +-
 src/libcharon/plugins/sql/sql_config.c             |  169 ++-
 src/libcharon/plugins/sql/sql_cred.c               |  246 ++--
 src/libcharon/plugins/sql/sql_plugin.c             |   18 +-
 src/libcharon/plugins/stroke/Makefile.am           |    3 +-
 src/libcharon/plugins/stroke/Makefile.in           |   10 +-
 src/libcharon/plugins/stroke/stroke_ca.c           |   76 +-
 src/libcharon/plugins/stroke/stroke_config.c       |  103 +-
 src/libcharon/plugins/stroke/stroke_control.c      |  189 +++-
 src/libcharon/plugins/stroke/stroke_control.h      |    7 +
 src/libcharon/plugins/stroke/stroke_cred.c         |  409 +------
 src/libcharon/plugins/stroke/stroke_list.c         |  130 ++-
 src/libcharon/plugins/stroke/stroke_plugin.c       |   18 +-
 src/libcharon/plugins/stroke/stroke_shared_key.c   |  140 ---
 src/libcharon/plugins/stroke/stroke_shared_key.h   |   60 -
 src/libcharon/plugins/stroke/stroke_socket.c       |   23 +
 src/libcharon/plugins/tnc_imc/Makefile.am          |    7 +-
 src/libcharon/plugins/tnc_imc/Makefile.in          |   18 +-
 src/libcharon/plugins/tnc_imc/tnc_imc.c            |  207 ++++
 src/libcharon/plugins/tnc_imc/tnc_imc.h            |   36 +
 .../plugins/tnc_imc/tnc_imc_bind_function.c        |   83 ++
 src/libcharon/plugins/tnc_imc/tnc_imc_manager.c    |  238 ++++
 src/libcharon/plugins/tnc_imc/tnc_imc_manager.h    |   32 +
 src/libcharon/plugins/tnc_imc/tnc_imc_plugin.c     |  141 ++-
 src/libcharon/plugins/tnc_imv/Makefile.am          |    8 +-
 src/libcharon/plugins/tnc_imv/Makefile.in          |   21 +-
 src/libcharon/plugins/tnc_imv/tnc_imv.c            |  208 ++++
 src/libcharon/plugins/tnc_imv/tnc_imv.h            |   36 +
 .../plugins/tnc_imv/tnc_imv_bind_function.c        |  137 +++
 src/libcharon/plugins/tnc_imv/tnc_imv_manager.c    |  295 +++++
 src/libcharon/plugins/tnc_imv/tnc_imv_manager.h    |   32 +
 src/libcharon/plugins/tnc_imv/tnc_imv_plugin.c     |  137 ++-
 .../plugins/tnc_imv/tnc_imv_recommendations.c      |  415 +++++++
 .../plugins/tnc_imv/tnc_imv_recommendations.h      |   33 +
 src/libcharon/plugins/tnccs_11/Makefile.am         |   16 +-
 src/libcharon/plugins/tnccs_11/Makefile.in         |   92 +-
 src/libcharon/plugins/tnccs_11/batch/tnccs_batch.c |  323 ++++++
 src/libcharon/plugins/tnccs_11/batch/tnccs_batch.h |  100 ++
 .../plugins/tnccs_11/messages/imc_imv_msg.c        |  242 ++++
 .../plugins/tnccs_11/messages/imc_imv_msg.h        |   71 ++
 .../plugins/tnccs_11/messages/tnccs_error_msg.c    |  191 ++++
 .../plugins/tnccs_11/messages/tnccs_error_msg.h    |   80 ++
 .../plugins/tnccs_11/messages/tnccs_msg.c          |  140 +++
 .../plugins/tnccs_11/messages/tnccs_msg.h          |  102 ++
 .../messages/tnccs_preferred_language_msg.c        |  137 +++
 .../messages/tnccs_preferred_language_msg.h        |   64 ++
 .../tnccs_11/messages/tnccs_reason_strings_msg.c   |  149 +++
 .../tnccs_11/messages/tnccs_reason_strings_msg.h   |   64 ++
 .../tnccs_11/messages/tnccs_recommendation_msg.c   |  186 +++
 .../tnccs_11/messages/tnccs_recommendation_msg.h   |   64 ++
 .../messages/tnccs_tncs_contact_info_msg.c         |  118 ++
 .../messages/tnccs_tncs_contact_info_msg.h         |   54 +
 src/libcharon/plugins/tnccs_11/tnccs_11.c          |  515 ++++++---
 src/libcharon/plugins/tnccs_20/Makefile.am         |   21 +-
 src/libcharon/plugins/tnccs_20/Makefile.in         |  121 +-
 .../plugins/tnccs_20/batch/pb_tnc_batch.c          |  543 +++++++++
 .../plugins/tnccs_20/batch/pb_tnc_batch.h          |  126 +++
 .../messages/pb_access_recommendation_msg.c        |  180 +++
 .../messages/pb_access_recommendation_msg.h        |   76 ++
 .../tnccs_20/messages/pb_assessment_result_msg.c   |  172 +++
 .../tnccs_20/messages/pb_assessment_result_msg.h   |   60 +
 .../plugins/tnccs_20/messages/pb_error_msg.c       |  346 ++++++
 .../plugins/tnccs_20/messages/pb_error_msg.h       |  127 +++
 .../tnccs_20/messages/pb_experimental_msg.c        |  102 ++
 .../tnccs_20/messages/pb_experimental_msg.h        |   53 +
 .../tnccs_20/messages/pb_language_preference_msg.c |  175 +++
 .../tnccs_20/messages/pb_language_preference_msg.h |   60 +
 .../plugins/tnccs_20/messages/pb_pa_msg.c          |  293 +++++
 .../plugins/tnccs_20/messages/pb_pa_msg.h          |  123 ++
 .../tnccs_20/messages/pb_reason_string_msg.c       |  216 ++++
 .../tnccs_20/messages/pb_reason_string_msg.h       |   69 ++
 .../messages/pb_remediation_parameters_msg.c       |  259 +++++
 .../messages/pb_remediation_parameters_msg.h       |   96 ++
 .../plugins/tnccs_20/messages/pb_tnc_msg.c         |   75 ++
 .../plugins/tnccs_20/messages/pb_tnc_msg.h         |  128 +++
 .../tnccs_20/state_machine/pb_tnc_state_machine.c  |  287 +++++
 .../tnccs_20/state_machine/pb_tnc_state_machine.h  |   88 ++
 src/libcharon/plugins/tnccs_20/tnccs_20.c          |  575 +++++++++-
 src/libcharon/plugins/tnccs_dynamic/Makefile.am    |   17 +
 src/libcharon/plugins/tnccs_dynamic/Makefile.in    |  607 ++++++++++
 .../plugins/tnccs_dynamic/tnccs_dynamic.c          |  146 +++
 .../plugins/tnccs_dynamic/tnccs_dynamic.h          |   36 +
 .../plugins/tnccs_dynamic/tnccs_dynamic_plugin.c   |   47 +
 .../plugins/tnccs_dynamic/tnccs_dynamic_plugin.h   |   42 +
 src/libcharon/plugins/uci/Makefile.in              |    4 +-
 src/libcharon/plugins/uci/uci_config.c             |    4 +-
 src/libcharon/plugins/unit_tester/Makefile.in      |    4 +-
 src/libcharon/plugins/updown/Makefile.in           |    4 +-
 src/libcharon/processing/jobs/acquire_job.c        |   31 +-
 .../processing/jobs/delete_child_sa_job.c          |   35 +-
 src/libcharon/processing/jobs/delete_ike_sa_job.c  |   31 +-
 src/libcharon/processing/jobs/migrate_job.c        |   39 +-
 .../processing/jobs/process_message_job.c          |   29 +-
 src/libcharon/processing/jobs/rekey_child_sa_job.c |   33 +-
 src/libcharon/processing/jobs/rekey_ike_sa_job.c   |   31 +-
 src/libcharon/processing/jobs/retransmit_job.c     |   31 +-
 src/libcharon/processing/jobs/roam_job.c           |   29 +-
 src/libcharon/processing/jobs/send_dpd_job.c       |   29 +-
 src/libcharon/processing/jobs/send_keepalive_job.c |   29 +-
 src/libcharon/processing/jobs/start_action_job.c   |  101 ++
 src/libcharon/processing/jobs/start_action_job.h   |   49 +
 src/libcharon/processing/jobs/update_sa_job.c      |   33 +-
 src/libcharon/sa/authenticators/authenticator.c    |   20 +-
 src/libcharon/sa/authenticators/authenticator.h    |    8 +-
 .../sa/authenticators/eap_authenticator.c          |   18 +-
 .../sa/authenticators/eap_authenticator.h          |    8 +-
 .../sa/authenticators/psk_authenticator.c          |   94 +-
 .../sa/authenticators/psk_authenticator.h          |    8 +-
 .../sa/authenticators/pubkey_authenticator.c       |   90 +-
 .../sa/authenticators/pubkey_authenticator.h       |    8 +-
 src/libcharon/sa/child_sa.c                        |   12 +-
 src/libcharon/sa/child_sa.h                        |    3 +-
 src/libcharon/sa/connect_manager.c                 |    5 +-
 src/libcharon/sa/ike_sa.c                          |   79 +-
 src/libcharon/sa/ike_sa.h                          |    3 +-
 src/libcharon/sa/ike_sa_manager.c                  |  474 ++++----
 src/libcharon/sa/ike_sa_manager.h                  |   18 +-
 src/libcharon/sa/keymat.c                          |   10 +-
 src/libcharon/sa/keymat.h                          |    8 +-
 src/libcharon/sa/task_manager.c                    |   46 +-
 src/libcharon/sa/task_manager.h                    |   10 +
 src/libcharon/sa/tasks/child_create.c              |  182 +--
 src/libcharon/sa/tasks/child_rekey.c               |    7 +-
 src/libcharon/sa/tasks/ike_auth.c                  |  200 ++--
 src/libcharon/sa/tasks/ike_cert_pre.c              |   19 +-
 src/libcharon/sa/tasks/ike_rekey.c                 |    7 +-
 src/libcharon/tnc/imc/imc.h                        |  175 +++
 src/libcharon/tnc/imc/imc_manager.h                |  116 ++
 src/libcharon/tnc/imv/imv.h                        |  175 +++
 src/libcharon/tnc/imv/imv_manager.h                |  134 +++
 src/libcharon/tnc/imv/imv_recommendations.c        |   24 +
 src/libcharon/tnc/imv/imv_recommendations.h        |  117 ++
 src/libcharon/tnc/tnccs/tnccs.c                    |   23 +
 src/libcharon/tnc/tnccs/tnccs.h                    |   82 ++
 src/libcharon/tnc/tnccs/tnccs_manager.c            |  477 ++++++++
 src/libcharon/tnc/tnccs/tnccs_manager.h            |  184 +++
 src/libcharon/tnc/tncif.h                          |  106 ++
 src/libcharon/tnc/tncifimc.h                       |  180 +++
 src/libcharon/tnc/tncifimv.c                       |   36 +
 src/libcharon/tnc/tncifimv.h                       |  248 ++++
 src/libcharon/tnccs/tnccs.c                        |   22 -
 src/libcharon/tnccs/tnccs.h                        |   52 -
 src/libcharon/tnccs/tnccs_manager.c                |  148 ---
 src/libcharon/tnccs/tnccs_manager.h                |   74 --
 src/libfast/Makefile.in                            |    4 +-
 src/libfast/request.c                              |   11 +-
 src/libfast/request.h                              |    8 +
 src/libfreeswan/Makefile.am                        |   12 +-
 src/libfreeswan/Makefile.in                        |   40 +-
 src/libfreeswan/atosa.3                            |  217 ----
 src/libfreeswan/atosa.c                            |  198 ----
 src/libfreeswan/copyright.c                        |   12 +-
 src/libfreeswan/freeswan.h                         |   29 -
 src/libfreeswan/keyblobtoid.3                      |  102 --
 src/libfreeswan/keyblobtoid.c                      |  146 ---
 src/libfreeswan/prng.3                             |  120 --
 src/libfreeswan/prng.c                             |  200 ----
 src/libfreeswan/satoa.c                            |  100 --
 src/libhydra/Makefile.in                           |    4 +-
 src/libhydra/kernel/kernel_interface.c             |    8 +-
 src/libhydra/kernel/kernel_interface.h             |    3 +-
 src/libhydra/kernel/kernel_ipsec.h                 |    3 +-
 src/libhydra/plugins/attr/Makefile.in              |    4 +-
 src/libhydra/plugins/attr/attr_plugin.c            |   19 +-
 src/libhydra/plugins/attr_sql/Makefile.in          |    4 +-
 src/libhydra/plugins/attr_sql/attr_sql_plugin.c    |   23 +-
 src/libhydra/plugins/kernel_klips/Makefile.in      |    4 +-
 .../plugins/kernel_klips/kernel_klips_ipsec.c      |    2 +-
 .../plugins/kernel_klips/kernel_klips_plugin.c     |   19 +-
 src/libhydra/plugins/kernel_netlink/Makefile.in    |    4 +-
 .../plugins/kernel_netlink/kernel_netlink_ipsec.c  |   42 +-
 .../plugins/kernel_netlink/kernel_netlink_plugin.c |   17 +-
 src/libhydra/plugins/kernel_pfkey/Makefile.in      |    4 +-
 .../plugins/kernel_pfkey/kernel_pfkey_ipsec.c      |   17 +-
 .../plugins/kernel_pfkey/kernel_pfkey_plugin.c     |   19 +-
 src/libhydra/plugins/kernel_pfroute/Makefile.in    |    4 +-
 .../plugins/kernel_pfroute/kernel_pfroute_plugin.c |   19 +-
 src/libhydra/plugins/resolve/Makefile.in           |    4 +-
 src/libhydra/plugins/resolve/resolve_plugin.c      |   18 +-
 src/libsimaka/Makefile.in                          |    4 +-
 src/libstrongswan/Makefile.am                      |   24 +-
 src/libstrongswan/Makefile.in                      |  186 +--
 src/libstrongswan/asn1/asn1.c                      |   94 ++
 src/libstrongswan/asn1/asn1.h                      |   16 +
 src/libstrongswan/asn1/asn1_parser.c               |   66 +-
 src/libstrongswan/asn1/oid.c                       |  715 ++++++------
 src/libstrongswan/asn1/oid.h                       |  178 +--
 src/libstrongswan/asn1/oid.txt                     |   17 +-
 src/libstrongswan/credentials/auth_cfg.c           |  155 ++-
 src/libstrongswan/credentials/auth_cfg.h           |    8 +
 src/libstrongswan/credentials/builder.c            |    8 +
 src/libstrongswan/credentials/builder.h            |   18 +-
 src/libstrongswan/credentials/cert_validator.h     |    7 +-
 src/libstrongswan/credentials/certificates/crl.h   |   15 +
 src/libstrongswan/credentials/certificates/x509.c  |   28 -
 src/libstrongswan/credentials/certificates/x509.h  |   89 +-
 src/libstrongswan/credentials/credential_manager.c |   90 +-
 .../credentials/sets/auth_cfg_wrapper.c            |    3 +-
 src/libstrongswan/credentials/sets/mem_cred.c      |  240 +++-
 src/libstrongswan/credentials/sets/mem_cred.h      |   50 +-
 src/libstrongswan/crypto/crypto_factory.c          |  133 ++-
 src/libstrongswan/crypto/crypto_factory.h          |   31 +-
 src/libstrongswan/crypto/crypto_tester.c           |  166 +--
 src/libstrongswan/crypto/crypto_tester.h           |   16 +-
 src/libstrongswan/eap/eap.h                        |    2 +-
 src/libstrongswan/enum.c                           |    2 +-
 src/libstrongswan/fetcher/fetcher_manager.c        |    4 +-
 src/libstrongswan/integrity_checker.c              |   62 +-
 src/libstrongswan/plugins/aes/Makefile.in          |    4 +-
 src/libstrongswan/plugins/aes/aes_plugin.c         |    4 +-
 src/libstrongswan/plugins/af_alg/Makefile.am       |   20 +
 src/libstrongswan/plugins/af_alg/Makefile.in       |  612 ++++++++++
 src/libstrongswan/plugins/af_alg/af_alg_crypter.c  |  237 ++++
 src/libstrongswan/plugins/af_alg/af_alg_crypter.h  |   54 +
 src/libstrongswan/plugins/af_alg/af_alg_hasher.c   |  170 +++
 src/libstrongswan/plugins/af_alg/af_alg_hasher.h   |   52 +
 src/libstrongswan/plugins/af_alg/af_alg_ops.c      |  226 ++++
 src/libstrongswan/plugins/af_alg/af_alg_ops.h      |   92 ++
 src/libstrongswan/plugins/af_alg/af_alg_plugin.c   |   74 ++
 src/libstrongswan/plugins/af_alg/af_alg_plugin.h   |   42 +
 src/libstrongswan/plugins/af_alg/af_alg_prf.c      |  211 ++++
 src/libstrongswan/plugins/af_alg/af_alg_prf.h      |   52 +
 src/libstrongswan/plugins/af_alg/af_alg_signer.c   |  206 ++++
 src/libstrongswan/plugins/af_alg/af_alg_signer.h   |   52 +
 src/libstrongswan/plugins/agent/Makefile.in        |    4 +-
 src/libstrongswan/plugins/blowfish/Makefile.in     |    4 +-
 .../plugins/blowfish/blowfish_plugin.c             |    4 +-
 src/libstrongswan/plugins/ccm/Makefile.in          |    4 +-
 src/libstrongswan/plugins/ccm/ccm_plugin.c         |   37 +-
 src/libstrongswan/plugins/constraints/Makefile.am  |   16 +
 src/libstrongswan/plugins/constraints/Makefile.in  |  604 ++++++++++
 .../plugins/constraints/constraints_plugin.c       |   65 ++
 .../plugins/constraints/constraints_plugin.h       |   42 +
 .../plugins/constraints/constraints_validator.c    |  578 ++++++++++
 .../plugins/constraints/constraints_validator.h    |   49 +
 src/libstrongswan/plugins/ctr/Makefile.in          |    4 +-
 src/libstrongswan/plugins/ctr/ctr_plugin.c         |   22 +-
 src/libstrongswan/plugins/curl/Makefile.in         |    4 +-
 src/libstrongswan/plugins/curl/curl_fetcher.c      |   16 +-
 src/libstrongswan/plugins/curl/curl_plugin.c       |   16 +-
 src/libstrongswan/plugins/des/Makefile.in          |    4 +-
 src/libstrongswan/plugins/des/des_plugin.c         |    8 +-
 src/libstrongswan/plugins/dnskey/Makefile.in       |    4 +-
 src/libstrongswan/plugins/dnskey/dnskey_plugin.c   |   19 +-
 src/libstrongswan/plugins/fips_prf/Makefile.in     |    4 +-
 src/libstrongswan/plugins/fips_prf/fips_prf.c      |   55 +-
 .../plugins/fips_prf/fips_prf_plugin.c             |   28 +-
 src/libstrongswan/plugins/gcm/Makefile.in          |    4 +-
 src/libstrongswan/plugins/gcm/gcm_plugin.c         |   20 +-
 src/libstrongswan/plugins/gcrypt/Makefile.in       |    4 +-
 src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c   |   68 +-
 src/libstrongswan/plugins/gmp/Makefile.in          |    4 +-
 src/libstrongswan/plugins/gmp/gmp_plugin.c         |   26 +-
 src/libstrongswan/plugins/hmac/Makefile.in         |    4 +-
 src/libstrongswan/plugins/hmac/hmac_plugin.c       |   88 +-
 src/libstrongswan/plugins/ldap/Makefile.in         |    4 +-
 src/libstrongswan/plugins/ldap/ldap_fetcher.c      |   35 +-
 src/libstrongswan/plugins/ldap/ldap_plugin.c       |   16 +-
 src/libstrongswan/plugins/md4/Makefile.in          |    4 +-
 src/libstrongswan/plugins/md4/md4_plugin.c         |   20 +-
 src/libstrongswan/plugins/md5/Makefile.in          |    4 +-
 src/libstrongswan/plugins/md5/md5_plugin.c         |   20 +-
 src/libstrongswan/plugins/mysql/Makefile.in        |    4 +-
 src/libstrongswan/plugins/mysql/mysql_database.c   |   40 +-
 src/libstrongswan/plugins/mysql/mysql_plugin.c     |   15 +-
 src/libstrongswan/plugins/openssl/Makefile.in      |    4 +-
 src/libstrongswan/plugins/openssl/openssl_crl.c    |   11 +-
 src/libstrongswan/plugins/openssl/openssl_plugin.c |   74 +-
 src/libstrongswan/plugins/openssl/openssl_x509.c   |  100 +-
 src/libstrongswan/plugins/padlock/Makefile.in      |    4 +-
 src/libstrongswan/plugins/padlock/padlock_plugin.c |   12 +-
 src/libstrongswan/plugins/pem/Makefile.in          |    4 +-
 src/libstrongswan/plugins/pem/pem_encoder.c        |    2 +-
 src/libstrongswan/plugins/pem/pem_plugin.c         |   18 +-
 src/libstrongswan/plugins/pgp/Makefile.in          |    4 +-
 src/libstrongswan/plugins/pgp/pgp_plugin.c         |   21 +-
 src/libstrongswan/plugins/pkcs1/Makefile.in        |    4 +-
 src/libstrongswan/plugins/pkcs1/pkcs1_plugin.c     |   16 +-
 src/libstrongswan/plugins/pkcs11/Makefile.in       |    4 +-
 src/libstrongswan/plugins/pkcs11/pkcs11_creds.c    |   23 +-
 src/libstrongswan/plugins/pkcs11/pkcs11_library.c  |   67 +-
 src/libstrongswan/plugins/pkcs11/pkcs11_library.h  |   21 +-
 src/libstrongswan/plugins/pkcs11/pkcs11_manager.c  |    5 +-
 src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c   |   14 +-
 .../plugins/pkcs11/pkcs11_private_key.c            |   18 +-
 src/libstrongswan/plugins/plugin_loader.c          |  111 +-
 src/libstrongswan/plugins/pubkey/Makefile.in       |    4 +-
 src/libstrongswan/plugins/pubkey/pubkey_plugin.c   |   18 +-
 src/libstrongswan/plugins/random/Makefile.in       |    4 +-
 src/libstrongswan/plugins/random/random_plugin.c   |   22 +-
 src/libstrongswan/plugins/random/random_rng.c      |   37 +-
 src/libstrongswan/plugins/revocation/Makefile.in   |    4 +-
 .../plugins/revocation/revocation_validator.c      |  279 +++--
 src/libstrongswan/plugins/sha1/Makefile.in         |    4 +-
 src/libstrongswan/plugins/sha1/sha1_plugin.c       |   22 +-
 src/libstrongswan/plugins/sha2/Makefile.in         |    4 +-
 src/libstrongswan/plugins/sha2/sha2_plugin.c       |   26 +-
 src/libstrongswan/plugins/soup/Makefile.am         |   16 +
 src/libstrongswan/plugins/soup/Makefile.in         |  601 ++++++++++
 src/libstrongswan/plugins/soup/soup_fetcher.c      |  159 +++
 src/libstrongswan/plugins/soup/soup_fetcher.h      |   44 +
 src/libstrongswan/plugins/soup/soup_plugin.c       |   72 ++
 src/libstrongswan/plugins/soup/soup_plugin.h       |   42 +
 src/libstrongswan/plugins/sqlite/Makefile.in       |    4 +-
 src/libstrongswan/plugins/sqlite/sqlite_database.c |   45 +-
 src/libstrongswan/plugins/sqlite/sqlite_plugin.c   |   18 +-
 src/libstrongswan/plugins/test_vectors/Makefile.in |    4 +-
 .../plugins/test_vectors/test_vectors_plugin.c     |   16 +-
 src/libstrongswan/plugins/x509/Makefile.in         |    4 +-
 src/libstrongswan/plugins/x509/x509_cert.c         | 1192 +++++++++++++++-----
 src/libstrongswan/plugins/x509/x509_crl.c          |  173 ++-
 src/libstrongswan/plugins/x509/x509_plugin.c       |   16 +-
 src/libstrongswan/plugins/xcbc/Makefile.in         |    4 +-
 src/libstrongswan/plugins/xcbc/xcbc_plugin.c       |   30 +-
 src/libstrongswan/printf_hook.c                    |   24 +-
 src/libstrongswan/processing/processor.c           |    2 +-
 src/libstrongswan/selectors/traffic_selector.c     |    6 +-
 src/libstrongswan/settings.c                       |  838 +++++++++++---
 src/libstrongswan/settings.h                       |  171 ++-
 src/libstrongswan/utils.c                          |    8 +
 src/libstrongswan/utils.h                          |   17 +-
 src/libstrongswan/utils/backtrace.c                |   14 +-
 src/libstrongswan/utils/backtrace.h                |    9 +-
 src/libstrongswan/utils/hashtable.c                |    3 +-
 src/libstrongswan/utils/host.c                     |   39 +
 src/libstrongswan/utils/host.h                     |    9 +
 src/libstrongswan/utils/identification.c           |   10 +-
 src/libstrongswan/utils/leak_detective.c           |   33 +-
 src/libstrongswan/utils/optionsfrom.c              |   30 +-
 src/libtls/Makefile.in                             |    4 +-
 src/libtls/tls.h                                   |    2 +-
 src/libtls/tls_crypto.c                            |   10 +-
 src/libtls/tls_eap.c                               |   12 +-
 src/libtls/tls_reader.c                            |   18 +-
 src/libtls/tls_writer.c                            |    2 +-
 src/manager/Makefile.in                            |    4 +-
 src/medsrv/Makefile.in                             |    4 +-
 src/openac/Makefile.in                             |    4 +-
 src/pki/Makefile.in                                |    4 +-
 src/pki/command.c                                  |    2 +-
 src/pki/command.h                                  |    2 +-
 src/pki/commands/issue.c                           |  223 +++-
 src/pki/commands/print.c                           |  151 ++-
 src/pki/commands/self.c                            |  171 ++-
 src/pki/commands/signcrl.c                         |   86 +-
 src/pluto/Makefile.in                              |    4 +-
 src/pluto/ca.c                                     |    2 +-
 src/pluto/crl.c                                    |   10 +-
 src/pluto/crypto.c                                 |  279 +++--
 src/pluto/demux.c                                  |    2 +-
 src/pluto/ike_alg.c                                |   81 +-
 src/pluto/ike_alg.h                                |    6 +-
 src/pluto/kernel.c                                 |    6 +-
 src/pluto/kernel_alg.c                             |   50 +-
 src/pluto/keys.c                                   |    8 +-
 src/pluto/ocsp.c                                   |    4 +-
 src/pluto/plugins/xauth/Makefile.in                |    4 +-
 src/pluto/pluto.8                                  |   10 +-
 src/pluto/x509.c                                   |    8 +-
 src/scepclient/Makefile.in                         |    4 +-
 src/scepclient/scepclient.8                        |    4 +-
 src/starter/Makefile.am                            |   21 +-
 src/starter/Makefile.in                            |  126 +--
 src/starter/args.c                                 |    2 +
 src/starter/confread.c                             |   17 +
 src/starter/confread.h                             |    2 +
 src/starter/keywords.c                             |  288 ++---
 src/starter/keywords.h                             |    6 +-
 src/starter/keywords.txt                           |    7 +-
 src/starter/starter.8                              |    0
 src/starter/starterstroke.c                        |    2 +
 src/stroke/Makefile.in                             |    4 +-
 src/stroke/stroke.c                                |   25 +
 src/stroke/stroke_keywords.c                       |   98 +-
 src/stroke/stroke_keywords.h                       |    3 +
 src/stroke/stroke_keywords.txt                     |    3 +
 src/stroke/stroke_msg.h                            |   10 +-
 src/whack/Makefile.in                              |    4 +-
 testing/INSTALL                                    |   13 +-
 testing/Makefile.in                                |    4 +-
 testing/do-tests.in                                |    1 +
 testing/hosts/default/etc/hosts                    |    2 +
 testing/hosts/default/etc/ipsec.d/tables.sql       |   38 +-
 testing/hosts/winnetou/etc/openssl/index.txt       |    1 +
 testing/hosts/winnetou/etc/openssl/index.txt.old   |    1 +
 testing/hosts/winnetou/etc/openssl/newcerts/23.pem |   25 +
 testing/hosts/winnetou/etc/openssl/serial          |    2 +-
 testing/hosts/winnetou/etc/openssl/serial.old      |    2 +-
 testing/scripts/build-umlrootfs                    |   20 +
 testing/scripts/kstart-umls                        |    2 +-
 testing/scripts/xstart-umls                        |    2 +-
 testing/testing.conf                               |   18 +-
 testing/tests/ha/both-active/description.txt       |    8 +
 testing/tests/ha/both-active/evaltest.dat          |   20 +
 .../ha/both-active/hosts/alice/etc/init.d/iptables |  104 ++
 .../ha/both-active/hosts/alice/etc/ipsec.conf      |   22 +
 .../hosts/alice/etc/ipsec.d/certs/marsCert.pem     |   25 +
 .../hosts/alice/etc/ipsec.d/private/marsKey.pem    |   27 +
 .../ha/both-active/hosts/alice/etc/ipsec.secrets   |    3 +
 .../ha/both-active/hosts/alice/etc/strongswan.conf |   15 +
 .../ha/both-active/hosts/carol/etc/ipsec.conf      |   23 +
 .../ha/both-active/hosts/carol/etc/strongswan.conf |    5 +
 .../tests/ha/both-active/hosts/dave/etc/ipsec.conf |   23 +
 .../ha/both-active/hosts/dave/etc/strongswan.conf  |    6 +
 .../ha/both-active/hosts/moon/etc/init.d/iptables  |  104 ++
 .../tests/ha/both-active/hosts/moon/etc/ipsec.conf |   22 +
 .../hosts/moon/etc/ipsec.d/certs/marsCert.pem      |   25 +
 .../hosts/moon/etc/ipsec.d/private/marsKey.pem     |   27 +
 .../ha/both-active/hosts/moon/etc/ipsec.secrets    |    3 +
 .../ha/both-active/hosts/moon/etc/strongswan.conf  |   15 +
 testing/tests/ha/both-active/posttest.dat          |   17 +
 testing/tests/ha/both-active/pretest.dat           |   18 +
 testing/tests/ha/both-active/test.conf             |   21 +
 testing/tests/ikev1/dpd-restart/evaltest.dat       |    4 +-
 testing/tests/ikev1/dynamic-initiator/pretest.dat  |    2 +-
 testing/tests/ikev1/dynamic-responder/pretest.dat  |    2 +-
 testing/tests/ikev1/net2net-start/pretest.dat      |    2 +-
 testing/tests/ikev1/xauth-rsa-fail/description.txt |    2 +-
 .../tests/ikev1/xauth-rsa-nosecret/description.txt |    2 +-
 .../tests/ikev2/critical-extension/description.txt |    5 +
 .../tests/ikev2/critical-extension/evaltest.dat    |    6 +
 .../critical-extension/hosts/moon/etc/ipsec.conf   |   25 +
 .../hosts/moon/etc/ipsec.d/certs/moonCert.der      |  Bin 0 -> 952 bytes
 .../hosts/moon/etc/strongswan.conf                 |   12 +
 .../critical-extension/hosts/sun/etc/ipsec.conf    |   25 +
 .../hosts/sun/etc/ipsec.d/certs/sunCert.der        |  Bin 0 -> 951 bytes
 .../hosts/sun/etc/strongswan.conf                  |    6 +
 .../tests/ikev2/critical-extension/posttest.dat    |    5 +
 testing/tests/ikev2/critical-extension/pretest.dat |    6 +
 testing/tests/ikev2/critical-extension/test.conf   |   21 +
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../rw-eap-tnc-11-radius-block/description.txt     |   11 +
 .../ikev2/rw-eap-tnc-11-radius-block/evaltest.dat  |   14 +
 .../hosts/alice/etc/raddb/clients.conf             |    4 +
 .../hosts/alice/etc/raddb/dictionary               |    2 +
 .../hosts/alice/etc/raddb/dictionary.tnc           |    5 +
 .../hosts/alice/etc/raddb/eap.conf                 |   25 +
 .../hosts/alice/etc/raddb/proxy.conf               |    5 +
 .../hosts/alice/etc/raddb/radiusd.conf             |  120 ++
 .../hosts/alice/etc/raddb/sites-available/default  |   44 +
 .../alice/etc/raddb/sites-available/inner-tunnel   |   32 +
 .../etc/raddb/sites-available/inner-tunnel-second  |   23 +
 .../hosts/alice/etc/raddb/users                    |    2 +
 .../hosts/alice/etc/tnc_config                     |    3 +
 .../hosts/carol/etc/ipsec.conf                     |   24 +
 .../hosts/carol/etc/ipsec.secrets                  |    3 +
 .../hosts/carol/etc/strongswan.conf                |    6 +
 .../hosts/carol/etc/tnc/dummyimc.file              |    1 +
 .../hosts/carol/etc/tnc_config                     |    3 +
 .../hosts/dave/etc/ipsec.conf                      |   24 +
 .../hosts/dave/etc/ipsec.secrets                   |    3 +
 .../hosts/dave/etc/strongswan.conf                 |    6 +
 .../hosts/dave/etc/tnc/dummyimc.file               |    1 +
 .../hosts/dave/etc/tnc_config                      |    3 +
 .../hosts/moon/etc/init.d/iptables                 |   84 ++
 .../hosts/moon/etc/ipsec.conf                      |   25 +
 .../hosts/moon/etc/ipsec.secrets                   |    3 +
 .../hosts/moon/etc/strongswan.conf                 |   12 +
 .../ikev2/rw-eap-tnc-11-radius-block/posttest.dat  |    8 +
 .../ikev2/rw-eap-tnc-11-radius-block/pretest.dat   |   15 +
 .../ikev2/rw-eap-tnc-11-radius-block/test.conf     |   26 +
 .../ikev2/rw-eap-tnc-11-radius/description.txt     |   10 +
 .../tests/ikev2/rw-eap-tnc-11-radius/evaltest.dat  |   19 +
 .../hosts/alice/etc/raddb/clients.conf             |    4 +
 .../hosts/alice/etc/raddb/dictionary               |    2 +
 .../hosts/alice/etc/raddb/dictionary.tnc           |    5 +
 .../hosts/alice/etc/raddb/eap.conf                 |   25 +
 .../hosts/alice/etc/raddb/proxy.conf               |    5 +
 .../hosts/alice/etc/raddb/radiusd.conf             |  120 ++
 .../hosts/alice/etc/raddb/sites-available/default  |   44 +
 .../alice/etc/raddb/sites-available/inner-tunnel   |   32 +
 .../etc/raddb/sites-available/inner-tunnel-second  |   36 +
 .../hosts/alice/etc/raddb/users                    |    2 +
 .../hosts/alice/etc/tnc_config                     |    3 +
 .../hosts/carol/etc/ipsec.conf                     |   24 +
 .../hosts/carol/etc/ipsec.secrets                  |    3 +
 .../hosts/carol/etc/strongswan.conf                |    6 +
 .../hosts/carol/etc/tnc/dummyimc.file              |    1 +
 .../hosts/carol/etc/tnc_config                     |    3 +
 .../rw-eap-tnc-11-radius/hosts/dave/etc/ipsec.conf |   24 +
 .../hosts/dave/etc/ipsec.secrets                   |    3 +
 .../hosts/dave/etc/strongswan.conf                 |    6 +
 .../hosts/dave/etc/tnc/dummyimc.file               |    1 +
 .../rw-eap-tnc-11-radius/hosts/dave/etc/tnc_config |    3 +
 .../hosts/moon/etc/init.d/iptables                 |   84 ++
 .../rw-eap-tnc-11-radius/hosts/moon/etc/ipsec.conf |   35 +
 .../hosts/moon/etc/ipsec.secrets                   |    3 +
 .../hosts/moon/etc/strongswan.conf                 |   13 +
 .../tests/ikev2/rw-eap-tnc-11-radius/posttest.dat  |    8 +
 .../tests/ikev2/rw-eap-tnc-11-radius/pretest.dat   |   18 +
 testing/tests/ikev2/rw-eap-tnc-11-radius/test.conf |   26 +
 testing/tests/ikev2/rw-eap-tnc-11/description.txt  |    9 +
 testing/tests/ikev2/rw-eap-tnc-11/evaltest.dat     |   19 +
 .../ikev2/rw-eap-tnc-11/hosts/carol/etc/ipsec.conf |   23 +
 .../rw-eap-tnc-11/hosts/carol/etc/ipsec.secrets    |    3 +
 .../rw-eap-tnc-11/hosts/carol/etc/strongswan.conf  |    6 +
 .../hosts/carol/etc/tnc/dummyimc.file              |    1 +
 .../ikev2/rw-eap-tnc-11/hosts/carol/etc/tnc_config |    3 +
 .../ikev2/rw-eap-tnc-11/hosts/dave/etc/ipsec.conf  |   23 +
 .../rw-eap-tnc-11/hosts/dave/etc/ipsec.secrets     |    3 +
 .../rw-eap-tnc-11/hosts/dave/etc/strongswan.conf   |    6 +
 .../rw-eap-tnc-11/hosts/dave/etc/tnc/dummyimc.file |    1 +
 .../ikev2/rw-eap-tnc-11/hosts/dave/etc/tnc_config  |    3 +
 .../ikev2/rw-eap-tnc-11/hosts/moon/etc/ipsec.conf  |   36 +
 .../rw-eap-tnc-11/hosts/moon/etc/ipsec.secrets     |    6 +
 .../rw-eap-tnc-11/hosts/moon/etc/strongswan.conf   |   13 +
 .../ikev2/rw-eap-tnc-11/hosts/moon/etc/tnc_config  |    3 +
 testing/tests/ikev2/rw-eap-tnc-11/posttest.dat     |    6 +
 testing/tests/ikev2/rw-eap-tnc-11/pretest.dat      |   15 +
 testing/tests/ikev2/rw-eap-tnc-11/test.conf        |   26 +
 .../ikev2/rw-eap-tnc-20-block/description.txt      |   11 +
 .../tests/ikev2/rw-eap-tnc-20-block/evaltest.dat   |   12 +
 .../rw-eap-tnc-20-block/hosts/carol/etc/ipsec.conf |   23 +
 .../hosts/carol/etc/ipsec.secrets                  |    3 +
 .../hosts/carol/etc/strongswan.conf                |   14 +
 .../hosts/carol/etc/tnc/dummyimc.file              |    1 +
 .../rw-eap-tnc-20-block/hosts/carol/etc/tnc_config |    3 +
 .../rw-eap-tnc-20-block/hosts/dave/etc/ipsec.conf  |   23 +
 .../hosts/dave/etc/ipsec.secrets                   |    3 +
 .../hosts/dave/etc/strongswan.conf                 |   14 +
 .../hosts/dave/etc/tnc/dummyimc.file               |    1 +
 .../rw-eap-tnc-20-block/hosts/dave/etc/tnc_config  |    3 +
 .../rw-eap-tnc-20-block/hosts/moon/etc/ipsec.conf  |   26 +
 .../hosts/moon/etc/ipsec.secrets                   |    6 +
 .../hosts/moon/etc/strongswan.conf                 |   19 +
 .../rw-eap-tnc-20-block/hosts/moon/etc/tnc_config  |    3 +
 .../tests/ikev2/rw-eap-tnc-20-block/posttest.dat   |    6 +
 .../tests/ikev2/rw-eap-tnc-20-block/pretest.dat    |   15 +
 testing/tests/ikev2/rw-eap-tnc-20-block/test.conf  |   26 +
 .../tests/ikev2/rw-eap-tnc-20-tls/description.txt  |   10 +
 testing/tests/ikev2/rw-eap-tnc-20-tls/evaltest.dat |   19 +
 .../rw-eap-tnc-20-tls/hosts/carol/etc/ipsec.conf   |   24 +
 .../hosts/carol/etc/strongswan.conf                |   11 +
 .../hosts/carol/etc/tnc/dummyimc.file              |    1 +
 .../rw-eap-tnc-20-tls/hosts/carol/etc/tnc_config   |    3 +
 .../rw-eap-tnc-20-tls/hosts/dave/etc/ipsec.conf    |   24 +
 .../hosts/dave/etc/strongswan.conf                 |   11 +
 .../hosts/dave/etc/tnc/dummyimc.file               |    1 +
 .../rw-eap-tnc-20-tls/hosts/dave/etc/tnc_config    |    3 +
 .../rw-eap-tnc-20-tls/hosts/moon/etc/ipsec.conf    |   36 +
 .../rw-eap-tnc-20-tls/hosts/moon/etc/ipsec.secrets |    6 +
 .../hosts/moon/etc/strongswan.conf                 |   16 +
 .../rw-eap-tnc-20-tls/hosts/moon/etc/tnc_config    |    3 +
 testing/tests/ikev2/rw-eap-tnc-20-tls/posttest.dat |    6 +
 testing/tests/ikev2/rw-eap-tnc-20-tls/pretest.dat  |   15 +
 testing/tests/ikev2/rw-eap-tnc-20-tls/test.conf    |   26 +
 testing/tests/ikev2/rw-eap-tnc-20/description.txt  |   11 +
 testing/tests/ikev2/rw-eap-tnc-20/evaltest.dat     |   19 +
 .../ikev2/rw-eap-tnc-20/hosts/carol/etc/ipsec.conf |   23 +
 .../rw-eap-tnc-20/hosts/carol/etc/ipsec.secrets    |    3 +
 .../rw-eap-tnc-20/hosts/carol/etc/strongswan.conf  |   11 +
 .../hosts/carol/etc/tnc/dummyimc.file              |    1 +
 .../ikev2/rw-eap-tnc-20/hosts/carol/etc/tnc_config |    4 +
 .../ikev2/rw-eap-tnc-20/hosts/dave/etc/ipsec.conf  |   23 +
 .../rw-eap-tnc-20/hosts/dave/etc/ipsec.secrets     |    3 +
 .../rw-eap-tnc-20/hosts/dave/etc/strongswan.conf   |   11 +
 .../rw-eap-tnc-20/hosts/dave/etc/tnc/dummyimc.file |    1 +
 .../ikev2/rw-eap-tnc-20/hosts/dave/etc/tnc_config  |    4 +
 .../ikev2/rw-eap-tnc-20/hosts/moon/etc/ipsec.conf  |   36 +
 .../rw-eap-tnc-20/hosts/moon/etc/ipsec.secrets     |    6 +
 .../rw-eap-tnc-20/hosts/moon/etc/strongswan.conf   |   16 +
 .../ikev2/rw-eap-tnc-20/hosts/moon/etc/tnc_config  |    4 +
 testing/tests/ikev2/rw-eap-tnc-20/posttest.dat     |    6 +
 testing/tests/ikev2/rw-eap-tnc-20/pretest.dat      |   15 +
 testing/tests/ikev2/rw-eap-tnc-20/test.conf        |   26 +
 .../tests/ikev2/rw-eap-tnc-block/description.txt   |    8 -
 testing/tests/ikev2/rw-eap-tnc-block/evaltest.dat  |   12 -
 .../rw-eap-tnc-block/hosts/carol/etc/ipsec.conf    |   23 -
 .../rw-eap-tnc-block/hosts/carol/etc/ipsec.secrets |    3 -
 .../hosts/carol/etc/strongswan.conf                |    6 -
 .../hosts/carol/etc/tnc/dummyimc.file              |    1 -
 .../rw-eap-tnc-block/hosts/carol/etc/tnc_config    |    3 -
 .../rw-eap-tnc-block/hosts/dave/etc/ipsec.conf     |   23 -
 .../rw-eap-tnc-block/hosts/dave/etc/ipsec.secrets  |    3 -
 .../hosts/dave/etc/strongswan.conf                 |    6 -
 .../hosts/dave/etc/tnc/dummyimc.file               |    1 -
 .../rw-eap-tnc-block/hosts/dave/etc/tnc_config     |    3 -
 .../rw-eap-tnc-block/hosts/moon/etc/ipsec.conf     |   26 -
 .../rw-eap-tnc-block/hosts/moon/etc/ipsec.secrets  |    6 -
 .../hosts/moon/etc/strongswan.conf                 |   13 -
 .../rw-eap-tnc-block/hosts/moon/etc/tnc_config     |    3 -
 testing/tests/ikev2/rw-eap-tnc-block/posttest.dat  |    6 -
 testing/tests/ikev2/rw-eap-tnc-block/pretest.dat   |   15 -
 testing/tests/ikev2/rw-eap-tnc-block/test.conf     |   26 -
 .../tests/ikev2/rw-eap-tnc-dynamic/description.txt |   12 +
 .../tests/ikev2/rw-eap-tnc-dynamic/evaltest.dat    |   27 +
 .../rw-eap-tnc-dynamic/hosts/carol/etc/ipsec.conf  |   23 +
 .../hosts/carol/etc/ipsec.secrets                  |    3 +
 .../hosts/carol/etc/strongswan.conf                |   11 +
 .../hosts/carol/etc/tnc/dummyimc.file              |    1 +
 .../rw-eap-tnc-dynamic/hosts/carol/etc/tnc_config  |    4 +
 .../rw-eap-tnc-dynamic/hosts/dave/etc/ipsec.conf   |   23 +
 .../hosts/dave/etc/ipsec.secrets                   |    3 +
 .../hosts/dave/etc/strongswan.conf                 |   11 +
 .../hosts/dave/etc/tnc/dummyimc.file               |    1 +
 .../rw-eap-tnc-dynamic/hosts/dave/etc/tnc_config   |    4 +
 .../rw-eap-tnc-dynamic/hosts/moon/etc/ipsec.conf   |   36 +
 .../hosts/moon/etc/ipsec.secrets                   |    6 +
 .../hosts/moon/etc/strongswan.conf                 |   16 +
 .../rw-eap-tnc-dynamic/hosts/moon/etc/tnc_config   |    4 +
 .../tests/ikev2/rw-eap-tnc-dynamic/posttest.dat    |    6 +
 testing/tests/ikev2/rw-eap-tnc-dynamic/pretest.dat |   15 +
 testing/tests/ikev2/rw-eap-tnc-dynamic/test.conf   |   26 +
 .../ikev2/rw-eap-tnc-radius-block/description.txt  |   11 -
 .../ikev2/rw-eap-tnc-radius-block/evaltest.dat     |   14 -
 .../hosts/alice/etc/raddb/clients.conf             |    4 -
 .../hosts/alice/etc/raddb/dictionary               |    2 -
 .../hosts/alice/etc/raddb/dictionary.tnc           |    5 -
 .../hosts/alice/etc/raddb/eap.conf                 |   25 -
 .../hosts/alice/etc/raddb/proxy.conf               |    5 -
 .../hosts/alice/etc/raddb/radiusd.conf             |  120 --
 .../hosts/alice/etc/raddb/sites-available/default  |   44 -
 .../alice/etc/raddb/sites-available/inner-tunnel   |   32 -
 .../etc/raddb/sites-available/inner-tunnel-second  |   23 -
 .../hosts/alice/etc/raddb/users                    |    2 -
 .../hosts/alice/etc/tnc_config                     |    3 -
 .../hosts/carol/etc/ipsec.conf                     |   24 -
 .../hosts/carol/etc/ipsec.secrets                  |    3 -
 .../hosts/carol/etc/strongswan.conf                |    6 -
 .../hosts/carol/etc/tnc/dummyimc.file              |    1 -
 .../hosts/carol/etc/tnc_config                     |    3 -
 .../hosts/dave/etc/ipsec.conf                      |   24 -
 .../hosts/dave/etc/ipsec.secrets                   |    3 -
 .../hosts/dave/etc/strongswan.conf                 |    6 -
 .../hosts/dave/etc/tnc/dummyimc.file               |    1 -
 .../hosts/dave/etc/tnc_config                      |    3 -
 .../hosts/moon/etc/init.d/iptables                 |   84 --
 .../hosts/moon/etc/ipsec.conf                      |   25 -
 .../hosts/moon/etc/ipsec.secrets                   |    3 -
 .../hosts/moon/etc/strongswan.conf                 |   12 -
 .../ikev2/rw-eap-tnc-radius-block/posttest.dat     |    8 -
 .../ikev2/rw-eap-tnc-radius-block/pretest.dat      |   15 -
 .../tests/ikev2/rw-eap-tnc-radius-block/test.conf  |   26 -
 .../tests/ikev2/rw-eap-tnc-radius/description.txt  |   10 -
 testing/tests/ikev2/rw-eap-tnc-radius/evaltest.dat |   19 -
 .../hosts/alice/etc/raddb/clients.conf             |    4 -
 .../hosts/alice/etc/raddb/dictionary               |    2 -
 .../hosts/alice/etc/raddb/dictionary.tnc           |    5 -
 .../hosts/alice/etc/raddb/eap.conf                 |   25 -
 .../hosts/alice/etc/raddb/proxy.conf               |    5 -
 .../hosts/alice/etc/raddb/radiusd.conf             |  120 --
 .../hosts/alice/etc/raddb/sites-available/default  |   44 -
 .../alice/etc/raddb/sites-available/inner-tunnel   |   32 -
 .../etc/raddb/sites-available/inner-tunnel-second  |   36 -
 .../rw-eap-tnc-radius/hosts/alice/etc/raddb/users  |    2 -
 .../rw-eap-tnc-radius/hosts/alice/etc/tnc_config   |    3 -
 .../rw-eap-tnc-radius/hosts/carol/etc/ipsec.conf   |   24 -
 .../hosts/carol/etc/ipsec.secrets                  |    3 -
 .../hosts/carol/etc/strongswan.conf                |    6 -
 .../hosts/carol/etc/tnc/dummyimc.file              |    1 -
 .../rw-eap-tnc-radius/hosts/carol/etc/tnc_config   |    3 -
 .../rw-eap-tnc-radius/hosts/dave/etc/ipsec.conf    |   24 -
 .../rw-eap-tnc-radius/hosts/dave/etc/ipsec.secrets |    3 -
 .../hosts/dave/etc/strongswan.conf                 |    6 -
 .../hosts/dave/etc/tnc/dummyimc.file               |    1 -
 .../rw-eap-tnc-radius/hosts/dave/etc/tnc_config    |    3 -
 .../hosts/moon/etc/init.d/iptables                 |   84 --
 .../rw-eap-tnc-radius/hosts/moon/etc/ipsec.conf    |   35 -
 .../rw-eap-tnc-radius/hosts/moon/etc/ipsec.secrets |    3 -
 .../hosts/moon/etc/strongswan.conf                 |   13 -
 testing/tests/ikev2/rw-eap-tnc-radius/posttest.dat |    8 -
 testing/tests/ikev2/rw-eap-tnc-radius/pretest.dat  |   18 -
 testing/tests/ikev2/rw-eap-tnc-radius/test.conf    |   26 -
 testing/tests/ikev2/rw-eap-tnc-tls/description.txt |    7 -
 testing/tests/ikev2/rw-eap-tnc-tls/evaltest.dat    |   19 -
 .../rw-eap-tnc-tls/hosts/carol/etc/ipsec.conf      |   24 -
 .../rw-eap-tnc-tls/hosts/carol/etc/strongswan.conf |    6 -
 .../hosts/carol/etc/tnc/dummyimc.file              |    1 -
 .../rw-eap-tnc-tls/hosts/carol/etc/tnc_config      |    3 -
 .../ikev2/rw-eap-tnc-tls/hosts/dave/etc/ipsec.conf |   24 -
 .../rw-eap-tnc-tls/hosts/dave/etc/strongswan.conf  |    6 -
 .../hosts/dave/etc/tnc/dummyimc.file               |    1 -
 .../ikev2/rw-eap-tnc-tls/hosts/dave/etc/tnc_config |    3 -
 .../ikev2/rw-eap-tnc-tls/hosts/moon/etc/ipsec.conf |   36 -
 .../rw-eap-tnc-tls/hosts/moon/etc/ipsec.secrets    |    6 -
 .../rw-eap-tnc-tls/hosts/moon/etc/strongswan.conf  |   13 -
 .../ikev2/rw-eap-tnc-tls/hosts/moon/etc/tnc_config |    3 -
 testing/tests/ikev2/rw-eap-tnc-tls/posttest.dat    |    6 -
 testing/tests/ikev2/rw-eap-tnc-tls/pretest.dat     |   15 -
 testing/tests/ikev2/rw-eap-tnc-tls/test.conf       |   26 -
 testing/tests/ikev2/rw-eap-tnc/description.txt     |    9 -
 testing/tests/ikev2/rw-eap-tnc/evaltest.dat        |   19 -
 .../ikev2/rw-eap-tnc/hosts/carol/etc/ipsec.conf    |   23 -
 .../ikev2/rw-eap-tnc/hosts/carol/etc/ipsec.secrets |    3 -
 .../rw-eap-tnc/hosts/carol/etc/strongswan.conf     |    6 -
 .../rw-eap-tnc/hosts/carol/etc/tnc/dummyimc.file   |    1 -
 .../ikev2/rw-eap-tnc/hosts/carol/etc/tnc_config    |    3 -
 .../ikev2/rw-eap-tnc/hosts/dave/etc/ipsec.conf     |   23 -
 .../ikev2/rw-eap-tnc/hosts/dave/etc/ipsec.secrets  |    3 -
 .../rw-eap-tnc/hosts/dave/etc/strongswan.conf      |    6 -
 .../rw-eap-tnc/hosts/dave/etc/tnc/dummyimc.file    |    1 -
 .../ikev2/rw-eap-tnc/hosts/dave/etc/tnc_config     |    3 -
 .../ikev2/rw-eap-tnc/hosts/moon/etc/ipsec.conf     |   36 -
 .../ikev2/rw-eap-tnc/hosts/moon/etc/ipsec.secrets  |    6 -
 .../rw-eap-tnc/hosts/moon/etc/strongswan.conf      |   13 -
 .../ikev2/rw-eap-tnc/hosts/moon/etc/tnc_config     |    3 -
 testing/tests/ikev2/rw-eap-tnc/posttest.dat        |    6 -
 testing/tests/ikev2/rw-eap-tnc/pretest.dat         |   15 -
 testing/tests/ikev2/rw-eap-tnc/test.conf           |   26 -
 .../ikev2/two-certs/hosts/carol/etc/ipsec.conf     |    1 +
 .../critical-extension/description.txt             |    5 +
 .../openssl-ikev2/critical-extension/evaltest.dat  |    6 +
 .../critical-extension/hosts/moon/etc/ipsec.conf   |   25 +
 .../hosts/moon/etc/ipsec.d/certs/moonCert.der      |  Bin 0 -> 952 bytes
 .../hosts/moon/etc/strongswan.conf                 |   12 +
 .../critical-extension/hosts/sun/etc/ipsec.conf    |   25 +
 .../hosts/sun/etc/ipsec.d/certs/sunCert.der        |  Bin 0 -> 951 bytes
 .../hosts/sun/etc/strongswan.conf                  |    6 +
 .../openssl-ikev2/critical-extension/posttest.dat  |    5 +
 .../openssl-ikev2/critical-extension/pretest.dat   |    6 +
 .../openssl-ikev2/critical-extension/test.conf     |   21 +
 testing/tests/p2pnat/behind-same-nat/pretest.dat   |    2 +-
 testing/tests/p2pnat/medsrv-psk/pretest.dat        |    2 +-
 testing/tests/sql/multi-level-ca/description.txt   |    6 +
 testing/tests/sql/multi-level-ca/evaltest.dat      |   18 +
 .../sql/multi-level-ca/hosts/carol/etc/ipsec.conf  |    7 +
 .../hosts/carol/etc/ipsec.d/data.sql               |  192 ++++
 .../multi-level-ca/hosts/carol/etc/ipsec.secrets   |    3 +
 .../multi-level-ca/hosts/carol/etc/strongswan.conf |   10 +
 .../sql/multi-level-ca/hosts/dave/etc/ipsec.conf   |    7 +
 .../multi-level-ca/hosts/dave/etc/ipsec.d/data.sql |  194 ++++
 .../multi-level-ca/hosts/dave/etc/ipsec.secrets    |    3 +
 .../multi-level-ca/hosts/dave/etc/strongswan.conf  |   10 +
 .../sql/multi-level-ca/hosts/moon/etc/ipsec.conf   |    7 +
 .../multi-level-ca/hosts/moon/etc/ipsec.d/data.sql |  164 +++
 .../multi-level-ca/hosts/moon/etc/ipsec.secrets    |    3 +
 .../multi-level-ca/hosts/moon/etc/strongswan.conf  |   10 +
 testing/tests/sql/multi-level-ca/posttest.dat      |   10 +
 testing/tests/sql/multi-level-ca/pretest.dat       |   18 +
 testing/tests/sql/multi-level-ca/test.conf         |   21 +
 .../net2net-cert/hosts/moon/etc/ipsec.d/data.sql   |    4 +-
 .../net2net-cert/hosts/sun/etc/ipsec.d/data.sql    |    4 +-
 .../tests/sql/net2net-route-pem/description.txt    |   10 +
 testing/tests/sql/net2net-route-pem/evaltest.dat   |   16 +
 .../net2net-route-pem/hosts/moon/etc/ipsec.conf    |    8 +
 .../hosts/moon/etc/ipsec.d/data.sql                |  249 ++++
 .../net2net-route-pem/hosts/moon/etc/ipsec.secrets |    3 +
 .../hosts/moon/etc/strongswan.conf                 |   10 +
 .../sql/net2net-route-pem/hosts/sun/etc/ipsec.conf |    8 +
 .../hosts/sun/etc/ipsec.d/data.sql                 |  249 ++++
 .../net2net-route-pem/hosts/sun/etc/ipsec.secrets  |    3 +
 .../hosts/sun/etc/strongswan.conf                  |   10 +
 testing/tests/sql/net2net-route-pem/posttest.dat   |    6 +
 testing/tests/sql/net2net-route-pem/pretest.dat    |   13 +
 testing/tests/sql/net2net-route-pem/test.conf      |   21 +
 .../tests/sql/net2net-start-pem/description.txt    |   10 +
 testing/tests/sql/net2net-start-pem/evaltest.dat   |   12 +
 .../net2net-start-pem/hosts/moon/etc/ipsec.conf    |    8 +
 .../hosts/moon/etc/ipsec.d/data.sql                |  279 +++++
 .../net2net-start-pem/hosts/moon/etc/ipsec.secrets |    3 +
 .../hosts/moon/etc/strongswan.conf                 |   10 +
 .../sql/net2net-start-pem/hosts/sun/etc/ipsec.conf |    8 +
 .../hosts/sun/etc/ipsec.d/data.sql                 |  273 +++++
 .../net2net-start-pem/hosts/sun/etc/ipsec.secrets  |    3 +
 .../hosts/sun/etc/strongswan.conf                  |   10 +
 testing/tests/sql/net2net-start-pem/posttest.dat   |    6 +
 testing/tests/sql/net2net-start-pem/pretest.dat    |   11 +
 testing/tests/sql/net2net-start-pem/test.conf      |   21 +
 922 files changed, 38462 insertions(+), 11282 deletions(-)
 mode change 100644 => 100755 ltmain.sh
 create mode 100644 scripts/fetch.c
 create mode 100644 scripts/oid2der.c
 delete mode 100644 src/_copyright/_copyright.8
 create mode 100644 src/conftest/Makefile.am
 create mode 100644 src/conftest/Makefile.in
 create mode 100644 src/conftest/README
 create mode 100644 src/conftest/actions.c
 create mode 100644 src/conftest/actions.h
 create mode 100644 src/conftest/config.c
 create mode 100644 src/conftest/config.h
 create mode 100644 src/conftest/conftest.c
 create mode 100644 src/conftest/conftest.h
 create mode 100644 src/conftest/hooks/add_notify.c
 create mode 100644 src/conftest/hooks/add_payload.c
 create mode 100644 src/conftest/hooks/custom_proposal.c
 create mode 100644 src/conftest/hooks/force_cookie.c
 create mode 100644 src/conftest/hooks/hook.h
 create mode 100644 src/conftest/hooks/ignore_message.c
 create mode 100644 src/conftest/hooks/ike_auth_fill.c
 create mode 100644 src/conftest/hooks/log_id.c
 create mode 100644 src/conftest/hooks/log_ke.c
 create mode 100644 src/conftest/hooks/log_proposals.c
 create mode 100644 src/conftest/hooks/log_ts.c
 create mode 100644 src/conftest/hooks/pretend_auth.c
 create mode 100644 src/conftest/hooks/rebuild_auth.c
 create mode 100644 src/conftest/hooks/reset_seq.c
 create mode 100644 src/conftest/hooks/set_critical.c
 create mode 100644 src/conftest/hooks/set_ike_initiator.c
 create mode 100644 src/conftest/hooks/set_ike_request.c
 create mode 100644 src/conftest/hooks/set_ike_spi.c
 create mode 100644 src/conftest/hooks/set_ike_version.c
 create mode 100644 src/conftest/hooks/set_length.c
 create mode 100644 src/conftest/hooks/set_proposal_number.c
 create mode 100644 src/conftest/hooks/set_reserved.c
 create mode 100644 src/conftest/hooks/unencrypted_notify.c
 create mode 100644 src/conftest/hooks/unsort_message.c
 delete mode 100644 src/libcharon/plugins/maemo/org.strongswan.charon.service
 create mode 100644 src/libcharon/plugins/maemo/org.strongswan.charon.service.in
 delete mode 100644 src/libcharon/plugins/stroke/stroke_shared_key.c
 delete mode 100644 src/libcharon/plugins/stroke/stroke_shared_key.h
 create mode 100644 src/libcharon/plugins/tnc_imc/tnc_imc.c
 create mode 100644 src/libcharon/plugins/tnc_imc/tnc_imc.h
 create mode 100644 src/libcharon/plugins/tnc_imc/tnc_imc_bind_function.c
 create mode 100644 src/libcharon/plugins/tnc_imc/tnc_imc_manager.c
 create mode 100644 src/libcharon/plugins/tnc_imc/tnc_imc_manager.h
 create mode 100644 src/libcharon/plugins/tnc_imv/tnc_imv.c
 create mode 100644 src/libcharon/plugins/tnc_imv/tnc_imv.h
 create mode 100644 src/libcharon/plugins/tnc_imv/tnc_imv_bind_function.c
 create mode 100644 src/libcharon/plugins/tnc_imv/tnc_imv_manager.c
 create mode 100644 src/libcharon/plugins/tnc_imv/tnc_imv_manager.h
 create mode 100644 src/libcharon/plugins/tnc_imv/tnc_imv_recommendations.c
 create mode 100644 src/libcharon/plugins/tnc_imv/tnc_imv_recommendations.h
 create mode 100644 src/libcharon/plugins/tnccs_11/batch/tnccs_batch.c
 create mode 100644 src/libcharon/plugins/tnccs_11/batch/tnccs_batch.h
 create mode 100644 src/libcharon/plugins/tnccs_11/messages/imc_imv_msg.c
 create mode 100644 src/libcharon/plugins/tnccs_11/messages/imc_imv_msg.h
 create mode 100644 src/libcharon/plugins/tnccs_11/messages/tnccs_error_msg.c
 create mode 100644 src/libcharon/plugins/tnccs_11/messages/tnccs_error_msg.h
 create mode 100644 src/libcharon/plugins/tnccs_11/messages/tnccs_msg.c
 create mode 100644 src/libcharon/plugins/tnccs_11/messages/tnccs_msg.h
 create mode 100644 src/libcharon/plugins/tnccs_11/messages/tnccs_preferred_language_msg.c
 create mode 100644 src/libcharon/plugins/tnccs_11/messages/tnccs_preferred_language_msg.h
 create mode 100644 src/libcharon/plugins/tnccs_11/messages/tnccs_reason_strings_msg.c
 create mode 100644 src/libcharon/plugins/tnccs_11/messages/tnccs_reason_strings_msg.h
 create mode 100644 src/libcharon/plugins/tnccs_11/messages/tnccs_recommendation_msg.c
 create mode 100644 src/libcharon/plugins/tnccs_11/messages/tnccs_recommendation_msg.h
 create mode 100644 src/libcharon/plugins/tnccs_11/messages/tnccs_tncs_contact_info_msg.c
 create mode 100644 src/libcharon/plugins/tnccs_11/messages/tnccs_tncs_contact_info_msg.h
 create mode 100644 src/libcharon/plugins/tnccs_20/batch/pb_tnc_batch.c
 create mode 100644 src/libcharon/plugins/tnccs_20/batch/pb_tnc_batch.h
 create mode 100644 src/libcharon/plugins/tnccs_20/messages/pb_access_recommendation_msg.c
 create mode 100644 src/libcharon/plugins/tnccs_20/messages/pb_access_recommendation_msg.h
 create mode 100644 src/libcharon/plugins/tnccs_20/messages/pb_assessment_result_msg.c
 create mode 100644 src/libcharon/plugins/tnccs_20/messages/pb_assessment_result_msg.h
 create mode 100644 src/libcharon/plugins/tnccs_20/messages/pb_error_msg.c
 create mode 100644 src/libcharon/plugins/tnccs_20/messages/pb_error_msg.h
 create mode 100644 src/libcharon/plugins/tnccs_20/messages/pb_experimental_msg.c
 create mode 100644 src/libcharon/plugins/tnccs_20/messages/pb_experimental_msg.h
 create mode 100644 src/libcharon/plugins/tnccs_20/messages/pb_language_preference_msg.c
 create mode 100644 src/libcharon/plugins/tnccs_20/messages/pb_language_preference_msg.h
 create mode 100644 src/libcharon/plugins/tnccs_20/messages/pb_pa_msg.c
 create mode 100644 src/libcharon/plugins/tnccs_20/messages/pb_pa_msg.h
 create mode 100644 src/libcharon/plugins/tnccs_20/messages/pb_reason_string_msg.c
 create mode 100644 src/libcharon/plugins/tnccs_20/messages/pb_reason_string_msg.h
 create mode 100644 src/libcharon/plugins/tnccs_20/messages/pb_remediation_parameters_msg.c
 create mode 100644 src/libcharon/plugins/tnccs_20/messages/pb_remediation_parameters_msg.h
 create mode 100644 src/libcharon/plugins/tnccs_20/messages/pb_tnc_msg.c
 create mode 100644 src/libcharon/plugins/tnccs_20/messages/pb_tnc_msg.h
 create mode 100644 src/libcharon/plugins/tnccs_20/state_machine/pb_tnc_state_machine.c
 create mode 100644 src/libcharon/plugins/tnccs_20/state_machine/pb_tnc_state_machine.h
 create mode 100644 src/libcharon/plugins/tnccs_dynamic/Makefile.am
 create mode 100644 src/libcharon/plugins/tnccs_dynamic/Makefile.in
 create mode 100644 src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic.c
 create mode 100644 src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic.h
 create mode 100644 src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic_plugin.c
 create mode 100644 src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic_plugin.h
 create mode 100644 src/libcharon/processing/jobs/start_action_job.c
 create mode 100644 src/libcharon/processing/jobs/start_action_job.h
 create mode 100644 src/libcharon/tnc/imc/imc.h
 create mode 100644 src/libcharon/tnc/imc/imc_manager.h
 create mode 100644 src/libcharon/tnc/imv/imv.h
 create mode 100644 src/libcharon/tnc/imv/imv_manager.h
 create mode 100644 src/libcharon/tnc/imv/imv_recommendations.c
 create mode 100644 src/libcharon/tnc/imv/imv_recommendations.h
 create mode 100644 src/libcharon/tnc/tnccs/tnccs.c
 create mode 100644 src/libcharon/tnc/tnccs/tnccs.h
 create mode 100644 src/libcharon/tnc/tnccs/tnccs_manager.c
 create mode 100644 src/libcharon/tnc/tnccs/tnccs_manager.h
 create mode 100644 src/libcharon/tnc/tncif.h
 create mode 100644 src/libcharon/tnc/tncifimc.h
 create mode 100644 src/libcharon/tnc/tncifimv.c
 create mode 100644 src/libcharon/tnc/tncifimv.h
 delete mode 100644 src/libcharon/tnccs/tnccs.c
 delete mode 100644 src/libcharon/tnccs/tnccs.h
 delete mode 100644 src/libcharon/tnccs/tnccs_manager.c
 delete mode 100644 src/libcharon/tnccs/tnccs_manager.h
 delete mode 100644 src/libfreeswan/atosa.3
 delete mode 100644 src/libfreeswan/atosa.c
 delete mode 100644 src/libfreeswan/keyblobtoid.3
 delete mode 100644 src/libfreeswan/keyblobtoid.c
 delete mode 100644 src/libfreeswan/prng.3
 delete mode 100644 src/libfreeswan/prng.c
 delete mode 100644 src/libfreeswan/satoa.c
 delete mode 100644 src/libstrongswan/credentials/certificates/x509.c
 create mode 100644 src/libstrongswan/plugins/af_alg/Makefile.am
 create mode 100644 src/libstrongswan/plugins/af_alg/Makefile.in
 create mode 100644 src/libstrongswan/plugins/af_alg/af_alg_crypter.c
 create mode 100644 src/libstrongswan/plugins/af_alg/af_alg_crypter.h
 create mode 100644 src/libstrongswan/plugins/af_alg/af_alg_hasher.c
 create mode 100644 src/libstrongswan/plugins/af_alg/af_alg_hasher.h
 create mode 100644 src/libstrongswan/plugins/af_alg/af_alg_ops.c
 create mode 100644 src/libstrongswan/plugins/af_alg/af_alg_ops.h
 create mode 100644 src/libstrongswan/plugins/af_alg/af_alg_plugin.c
 create mode 100644 src/libstrongswan/plugins/af_alg/af_alg_plugin.h
 create mode 100644 src/libstrongswan/plugins/af_alg/af_alg_prf.c
 create mode 100644 src/libstrongswan/plugins/af_alg/af_alg_prf.h
 create mode 100644 src/libstrongswan/plugins/af_alg/af_alg_signer.c
 create mode 100644 src/libstrongswan/plugins/af_alg/af_alg_signer.h
 create mode 100644 src/libstrongswan/plugins/constraints/Makefile.am
 create mode 100644 src/libstrongswan/plugins/constraints/Makefile.in
 create mode 100644 src/libstrongswan/plugins/constraints/constraints_plugin.c
 create mode 100644 src/libstrongswan/plugins/constraints/constraints_plugin.h
 create mode 100644 src/libstrongswan/plugins/constraints/constraints_validator.c
 create mode 100644 src/libstrongswan/plugins/constraints/constraints_validator.h
 create mode 100644 src/libstrongswan/plugins/soup/Makefile.am
 create mode 100644 src/libstrongswan/plugins/soup/Makefile.in
 create mode 100644 src/libstrongswan/plugins/soup/soup_fetcher.c
 create mode 100644 src/libstrongswan/plugins/soup/soup_fetcher.h
 create mode 100644 src/libstrongswan/plugins/soup/soup_plugin.c
 create mode 100644 src/libstrongswan/plugins/soup/soup_plugin.h
 delete mode 100644 src/starter/starter.8
 create mode 100644 testing/hosts/winnetou/etc/openssl/newcerts/23.pem
 create mode 100644 testing/tests/ha/both-active/description.txt
 create mode 100644 testing/tests/ha/both-active/evaltest.dat
 create mode 100755 testing/tests/ha/both-active/hosts/alice/etc/init.d/iptables
 create mode 100755 testing/tests/ha/both-active/hosts/alice/etc/ipsec.conf
 create mode 100644 testing/tests/ha/both-active/hosts/alice/etc/ipsec.d/certs/marsCert.pem
 create mode 100644 testing/tests/ha/both-active/hosts/alice/etc/ipsec.d/private/marsKey.pem
 create mode 100644 testing/tests/ha/both-active/hosts/alice/etc/ipsec.secrets
 create mode 100644 testing/tests/ha/both-active/hosts/alice/etc/strongswan.conf
 create mode 100755 testing/tests/ha/both-active/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/ha/both-active/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/ha/both-active/hosts/dave/etc/ipsec.conf
 create mode 100644 testing/tests/ha/both-active/hosts/dave/etc/strongswan.conf
 create mode 100755 testing/tests/ha/both-active/hosts/moon/etc/init.d/iptables
 create mode 100755 testing/tests/ha/both-active/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ha/both-active/hosts/moon/etc/ipsec.d/certs/marsCert.pem
 create mode 100644 testing/tests/ha/both-active/hosts/moon/etc/ipsec.d/private/marsKey.pem
 create mode 100644 testing/tests/ha/both-active/hosts/moon/etc/ipsec.secrets
 create mode 100644 testing/tests/ha/both-active/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ha/both-active/posttest.dat
 create mode 100644 testing/tests/ha/both-active/pretest.dat
 create mode 100644 testing/tests/ha/both-active/test.conf
 create mode 100644 testing/tests/ikev2/critical-extension/description.txt
 create mode 100644 testing/tests/ikev2/critical-extension/evaltest.dat
 create mode 100755 testing/tests/ikev2/critical-extension/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/critical-extension/hosts/moon/etc/ipsec.d/certs/moonCert.der
 create mode 100644 testing/tests/ikev2/critical-extension/hosts/moon/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/critical-extension/hosts/sun/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/critical-extension/hosts/sun/etc/ipsec.d/certs/sunCert.der
 create mode 100644 testing/tests/ikev2/critical-extension/hosts/sun/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/critical-extension/posttest.dat
 create mode 100644 testing/tests/ikev2/critical-extension/pretest.dat
 create mode 100644 testing/tests/ikev2/critical-extension/test.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/description.txt
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/evaltest.dat
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/clients.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/dictionary
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/dictionary.tnc
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/eap.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/proxy.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/radiusd.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/sites-available/default
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel-second
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/users
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/tnc_config
 create mode 100755 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/tnc/dummyimc.file
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/tnc_config
 create mode 100755 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/tnc/dummyimc.file
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/tnc_config
 create mode 100755 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/moon/etc/init.d/iptables
 create mode 100755 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/moon/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/posttest.dat
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/pretest.dat
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/test.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/description.txt
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/evaltest.dat
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/clients.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/dictionary
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/dictionary.tnc
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/eap.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/proxy.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/radiusd.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/sites-available/default
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel-second
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/users
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/tnc_config
 create mode 100755 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/tnc/dummyimc.file
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/tnc_config
 create mode 100755 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/tnc/dummyimc.file
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/tnc_config
 create mode 100755 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/moon/etc/init.d/iptables
 create mode 100755 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/moon/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/posttest.dat
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/pretest.dat
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/test.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-11/description.txt
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-11/evaltest.dat
 create mode 100755 testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/tnc/dummyimc.file
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/tnc_config
 create mode 100755 testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/tnc/dummyimc.file
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/tnc_config
 create mode 100755 testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/tnc_config
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-11/posttest.dat
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-11/pretest.dat
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-11/test.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-block/description.txt
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-block/evaltest.dat
 create mode 100755 testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/tnc/dummyimc.file
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/tnc_config
 create mode 100755 testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/tnc/dummyimc.file
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/tnc_config
 create mode 100755 testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/tnc_config
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-block/posttest.dat
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-block/pretest.dat
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-block/test.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-tls/description.txt
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-tls/evaltest.dat
 create mode 100755 testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/carol/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/carol/etc/tnc/dummyimc.file
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/carol/etc/tnc_config
 create mode 100755 testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/dave/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/dave/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/dave/etc/tnc/dummyimc.file
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/dave/etc/tnc_config
 create mode 100755 testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/tnc_config
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-tls/posttest.dat
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-tls/pretest.dat
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-tls/test.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-20/description.txt
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-20/evaltest.dat
 create mode 100755 testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/tnc/dummyimc.file
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/tnc_config
 create mode 100755 testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/tnc/dummyimc.file
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/tnc_config
 create mode 100755 testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/tnc_config
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-20/posttest.dat
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-20/pretest.dat
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-20/test.conf
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc-block/description.txt
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc-block/evaltest.dat
 delete mode 100755 testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/ipsec.conf
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/ipsec.secrets
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/strongswan.conf
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/tnc/dummyimc.file
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/tnc_config
 delete mode 100755 testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/ipsec.conf
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/ipsec.secrets
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/strongswan.conf
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/tnc/dummyimc.file
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/tnc_config
 delete mode 100755 testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/ipsec.conf
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/ipsec.secrets
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/strongswan.conf
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/tnc_config
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc-block/posttest.dat
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc-block/pretest.dat
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc-block/test.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-dynamic/description.txt
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-dynamic/evaltest.dat
 create mode 100755 testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/tnc/dummyimc.file
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/tnc_config
 create mode 100755 testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/tnc/dummyimc.file
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/tnc_config
 create mode 100755 testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/tnc_config
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-dynamic/posttest.dat
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-dynamic/pretest.dat
 create mode 100644 testing/tests/ikev2/rw-eap-tnc-dynamic/test.conf
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/description.txt
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/evaltest.dat
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/clients.conf
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/dictionary
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/dictionary.tnc
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/eap.conf
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/proxy.conf
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/radiusd.conf
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/default
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel-second
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/users
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/tnc_config
 delete mode 100755 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/ipsec.conf
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/ipsec.secrets
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/strongswan.conf
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/tnc/dummyimc.file
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/tnc_config
 delete mode 100755 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/ipsec.conf
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/ipsec.secrets
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/strongswan.conf
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/tnc/dummyimc.file
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/tnc_config
 delete mode 100755 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/init.d/iptables
 delete mode 100755 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/ipsec.conf
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/ipsec.secrets
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/strongswan.conf
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/posttest.dat
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/pretest.dat
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/test.conf
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/description.txt
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/evaltest.dat
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/clients.conf
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/dictionary
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/dictionary.tnc
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/eap.conf
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/proxy.conf
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/radiusd.conf
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/default
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel-second
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/users
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/tnc_config
 delete mode 100755 testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/ipsec.conf
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/ipsec.secrets
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/strongswan.conf
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/tnc/dummyimc.file
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/tnc_config
 delete mode 100755 testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/ipsec.conf
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/ipsec.secrets
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/strongswan.conf
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/tnc/dummyimc.file
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/tnc_config
 delete mode 100755 testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/init.d/iptables
 delete mode 100755 testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/ipsec.conf
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/ipsec.secrets
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/strongswan.conf
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/posttest.dat
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/pretest.dat
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/test.conf
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc-tls/description.txt
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc-tls/evaltest.dat
 delete mode 100755 testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/ipsec.conf
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/strongswan.conf
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/tnc/dummyimc.file
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/tnc_config
 delete mode 100755 testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/ipsec.conf
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/strongswan.conf
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/tnc/dummyimc.file
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/tnc_config
 delete mode 100755 testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/ipsec.conf
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/ipsec.secrets
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/strongswan.conf
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/tnc_config
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc-tls/posttest.dat
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc-tls/pretest.dat
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc-tls/test.conf
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc/description.txt
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc/evaltest.dat
 delete mode 100755 testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/ipsec.conf
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/ipsec.secrets
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/strongswan.conf
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/tnc/dummyimc.file
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/tnc_config
 delete mode 100755 testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/ipsec.conf
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/ipsec.secrets
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/strongswan.conf
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/tnc/dummyimc.file
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/tnc_config
 delete mode 100755 testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/ipsec.conf
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/ipsec.secrets
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/strongswan.conf
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/tnc_config
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc/posttest.dat
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc/pretest.dat
 delete mode 100644 testing/tests/ikev2/rw-eap-tnc/test.conf
 create mode 100644 testing/tests/openssl-ikev2/critical-extension/description.txt
 create mode 100644 testing/tests/openssl-ikev2/critical-extension/evaltest.dat
 create mode 100755 testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.d/certs/moonCert.der
 create mode 100644 testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/strongswan.conf
 create mode 100755 testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.conf
 create mode 100644 testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.d/certs/sunCert.der
 create mode 100644 testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/strongswan.conf
 create mode 100644 testing/tests/openssl-ikev2/critical-extension/posttest.dat
 create mode 100644 testing/tests/openssl-ikev2/critical-extension/pretest.dat
 create mode 100644 testing/tests/openssl-ikev2/critical-extension/test.conf
 create mode 100644 testing/tests/sql/multi-level-ca/description.txt
 create mode 100644 testing/tests/sql/multi-level-ca/evaltest.dat
 create mode 100755 testing/tests/sql/multi-level-ca/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/sql/multi-level-ca/hosts/carol/etc/ipsec.d/data.sql
 create mode 100644 testing/tests/sql/multi-level-ca/hosts/carol/etc/ipsec.secrets
 create mode 100644 testing/tests/sql/multi-level-ca/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/sql/multi-level-ca/hosts/dave/etc/ipsec.conf
 create mode 100644 testing/tests/sql/multi-level-ca/hosts/dave/etc/ipsec.d/data.sql
 create mode 100644 testing/tests/sql/multi-level-ca/hosts/dave/etc/ipsec.secrets
 create mode 100644 testing/tests/sql/multi-level-ca/hosts/dave/etc/strongswan.conf
 create mode 100644 testing/tests/sql/multi-level-ca/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/sql/multi-level-ca/hosts/moon/etc/ipsec.d/data.sql
 create mode 100644 testing/tests/sql/multi-level-ca/hosts/moon/etc/ipsec.secrets
 create mode 100644 testing/tests/sql/multi-level-ca/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/sql/multi-level-ca/posttest.dat
 create mode 100644 testing/tests/sql/multi-level-ca/pretest.dat
 create mode 100644 testing/tests/sql/multi-level-ca/test.conf
 create mode 100644 testing/tests/sql/net2net-route-pem/description.txt
 create mode 100644 testing/tests/sql/net2net-route-pem/evaltest.dat
 create mode 100644 testing/tests/sql/net2net-route-pem/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/sql/net2net-route-pem/hosts/moon/etc/ipsec.d/data.sql
 create mode 100644 testing/tests/sql/net2net-route-pem/hosts/moon/etc/ipsec.secrets
 create mode 100644 testing/tests/sql/net2net-route-pem/hosts/moon/etc/strongswan.conf
 create mode 100755 testing/tests/sql/net2net-route-pem/hosts/sun/etc/ipsec.conf
 create mode 100644 testing/tests/sql/net2net-route-pem/hosts/sun/etc/ipsec.d/data.sql
 create mode 100644 testing/tests/sql/net2net-route-pem/hosts/sun/etc/ipsec.secrets
 create mode 100644 testing/tests/sql/net2net-route-pem/hosts/sun/etc/strongswan.conf
 create mode 100644 testing/tests/sql/net2net-route-pem/posttest.dat
 create mode 100644 testing/tests/sql/net2net-route-pem/pretest.dat
 create mode 100644 testing/tests/sql/net2net-route-pem/test.conf
 create mode 100644 testing/tests/sql/net2net-start-pem/description.txt
 create mode 100644 testing/tests/sql/net2net-start-pem/evaltest.dat
 create mode 100644 testing/tests/sql/net2net-start-pem/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/sql/net2net-start-pem/hosts/moon/etc/ipsec.d/data.sql
 create mode 100644 testing/tests/sql/net2net-start-pem/hosts/moon/etc/ipsec.secrets
 create mode 100644 testing/tests/sql/net2net-start-pem/hosts/moon/etc/strongswan.conf
 create mode 100755 testing/tests/sql/net2net-start-pem/hosts/sun/etc/ipsec.conf
 create mode 100644 testing/tests/sql/net2net-start-pem/hosts/sun/etc/ipsec.d/data.sql
 create mode 100644 testing/tests/sql/net2net-start-pem/hosts/sun/etc/ipsec.secrets
 create mode 100644 testing/tests/sql/net2net-start-pem/hosts/sun/etc/strongswan.conf
 create mode 100644 testing/tests/sql/net2net-start-pem/posttest.dat
 create mode 100644 testing/tests/sql/net2net-start-pem/pretest.dat
 create mode 100644 testing/tests/sql/net2net-start-pem/test.conf

(limited to 'src/libstrongswan/plugins')

diff --git a/Android.mk b/Android.mk
index d6c83367f..4c90f6340 100644
--- a/Android.mk
+++ b/Android.mk
@@ -53,7 +53,7 @@ strongswan_CFLAGS := \
 	-DUSE_VSTR \
 	-DROUTING_TABLE=0 \
 	-DROUTING_TABLE_PRIO=220 \
-	-DVERSION=\"4.5.0\" \
+	-DVERSION=\"4.5.1\" \
 	-DPLUGINS='"$(strongswan_PLUGINS)"' \
 	-DIPSEC_DIR=\"/system/bin\" \
 	-DIPSEC_PIDDIR=\"/data/misc/vpn\" \
diff --git a/Makefile.in b/Makefile.in
index 56c31b104..eba785b0c 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -229,9 +229,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -270,6 +268,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/NEWS b/NEWS
index ed0d18211..42af2d37f 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,77 @@
+strongswan-4.5.1
+----------------
+
+- Sansar Choinyambuu implemented the RFC 5793 Posture Broker Protocol (BP)
+  compatible with Trusted Network Connect (TNC). The TNCCS 2.0 protocol
+  requires the tnccs_20, tnc_imc and tnc_imv plugins but does not depend
+  on the libtnc library. Any available IMV/IMC pairs conforming to the
+  Trusted Computing Group's TNC-IF-IMV/IMC 1.2 interface specification
+  can be loaded via /etc/tnc_config.
+
+- Re-implemented the TNCCS 1.1 protocol by using the tnc_imc and tnc_imv
+  in place of the external libtnc library.
+
+- The tnccs_dynamic plugin loaded on a TNC server in addition to the
+  tnccs_11 and tnccs_20 plugins, dynamically detects the IF-TNCCS
+  protocol version used by a TNC client and invokes an instance of
+  the corresponding protocol stack.
+
+- IKE and ESP proposals can now be stored in an SQL database using a
+  new proposals table. The start_action field in the child_configs
+  tables allows the automatic starting or routing of connections stored
+  in an SQL database.
+
+- The new certificate_authorities and certificate_distribution_points
+  tables make it possible to store CRL and OCSP Certificate Distribution
+  points in an SQL database.
+
+- The new 'include' statement allows to recursively include other files in
+  strongswan.conf.  Existing sections and values are thereby extended and
+  replaced, respectively.
+
+- Due to the changes in the parser for strongswan.conf, the configuration
+  syntax for the attr plugin has changed.  Previously, it was possible to
+  specify multiple values of a specific attribute type by adding multiple
+  key/value pairs with the same key (e.g. dns) to the plugins.attr section.
+  Because values with the same key now replace previously defined values
+  this is not possible anymore.  As an alternative, multiple values can be
+  specified by separating them with a comma (e.g. dns = 1.2.3.4, 2.3.4.5).
+
+- ipsec listalgs now appends (set in square brackets) to each crypto
+  algorithm listed the plugin that registered the function.
+
+- Traffic Flow Confidentiality padding supported with Linux 2.6.38 can be used
+  by the IKEv2 daemon. The ipsec.conf 'tfc' keyword pads all packets to a given
+  boundary, the special value '%mtu' pads all packets to the path MTU.
+
+- The new af-alg plugin can use various crypto primitives of the Linux Crypto
+  API using the AF_ALG interface introduced with 2.6.38. This removes the need
+  for additional userland implementations of symmetric cipher, hash, hmac and
+  xcbc algorithms.
+
+- The IKEv2 daemon supports the INITIAL_CONTACT notify as initiator and
+  responder. The notify is sent when initiating configurations with a unique
+  policy, set in ipsec.conf via the global 'uniqueids' option.
+
+- The conftest conformance testing framework enables the IKEv2 stack to perform
+  many tests using a distinct tool and configuration frontend. Various hooks
+  can alter reserved bits, flags, add custom notifies and proposals, reorder
+  or drop messages and much more. It is enabled using the --enable-conftest
+  ./configure switch.
+
+- The new libstrongswan constraints plugin provides advanced X.509 constraint
+  checking. In additon to X.509 pathLen constraints, the plugin checks for
+  nameConstraints and certificatePolicies, including policyMappings and
+  policyConstraints. The x509 certificate plugin and the pki tool have been
+  enhanced to support these extensions. The new left/rightcertpolicy ipsec.conf
+  connection keywords take OIDs a peer certificate must have.
+
+- The left/rightauth ipsec.conf keywords accept values with a minimum strength
+  for trustchain public keys in bits, such as rsa-2048 or ecdsa-256.
+
+- The revocation and x509 libstrongswan plugins and the pki tool gained basic
+  support for delta CRLs.
+
 
 strongswan-4.5.0
 ----------------
diff --git a/configure b/configure
index d823c3045..b0b1cdc60 100755
--- a/configure
+++ b/configure
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.67 for strongSwan 4.5.0.
+# Generated by GNU Autoconf 2.67 for strongSwan 4.5.1.
 #
 #
 # Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
@@ -698,8 +698,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='strongSwan'
 PACKAGE_TARNAME='strongswan'
-PACKAGE_VERSION='4.5.0'
-PACKAGE_STRING='strongSwan 4.5.0'
+PACKAGE_VERSION='4.5.1'
+PACKAGE_STRING='strongSwan 4.5.1'
 PACKAGE_BUGREPORT=''
 PACKAGE_URL=''
 
@@ -753,12 +753,18 @@ USE_VSTR_FALSE
 USE_VSTR_TRUE
 USE_LIBCAP_FALSE
 USE_LIBCAP_TRUE
+USE_IPSEC_SCRIPT_FALSE
+USE_IPSEC_SCRIPT_TRUE
 USE_FILE_CONFIG_FALSE
 USE_FILE_CONFIG_TRUE
+USE_LIBCHARON_FALSE
+USE_LIBCHARON_TRUE
 USE_LIBHYDRA_FALSE
 USE_LIBHYDRA_TRUE
 USE_LIBSTRONGSWAN_FALSE
 USE_LIBSTRONGSWAN_TRUE
+USE_CONFTEST_FALSE
+USE_CONFTEST_TRUE
 USE_SCRIPTS_FALSE
 USE_SCRIPTS_TRUE
 USE_TOOLS_FALSE
@@ -821,6 +827,8 @@ USE_SOCKET_RAW_FALSE
 USE_SOCKET_RAW_TRUE
 USE_SOCKET_DEFAULT_FALSE
 USE_SOCKET_DEFAULT_TRUE
+USE_TNCCS_DYNAMIC_FALSE
+USE_TNCCS_DYNAMIC_TRUE
 USE_TNCCS_20_FALSE
 USE_TNCCS_20_TRUE
 USE_TNCCS_11_FALSE
@@ -889,6 +897,8 @@ USE_MEDSRV_FALSE
 USE_MEDSRV_TRUE
 USE_STROKE_FALSE
 USE_STROKE_TRUE
+USE_AF_ALG_FALSE
+USE_AF_ALG_TRUE
 USE_GCM_FALSE
 USE_GCM_TRUE
 USE_CCM_FALSE
@@ -923,6 +933,8 @@ USE_PKCS1_FALSE
 USE_PKCS1_TRUE
 USE_PUBKEY_FALSE
 USE_PUBKEY_TRUE
+USE_CONSTRAINTS_FALSE
+USE_CONSTRAINTS_TRUE
 USE_REVOCATION_FALSE
 USE_REVOCATION_TRUE
 USE_X509_FALSE
@@ -949,6 +961,8 @@ USE_AES_FALSE
 USE_AES_TRUE
 USE_LDAP_FALSE
 USE_LDAP_TRUE
+USE_SOUP_FALSE
+USE_SOUP_TRUE
 USE_CURL_FALSE
 USE_CURL_TRUE
 USE_TEST_VECTORS_FALSE
@@ -980,14 +994,14 @@ gtk_LIBS
 gtk_CFLAGS
 xml_LIBS
 xml_CFLAGS
+soup_LIBS
+soup_CFLAGS
 PTHREADLIB
 RTLIB
 SOCKLIB
 BTLIB
 DLLIB
 ALLOCA
-ipsecgid
-ipsecuid
 GPERF
 PERL
 YFLAGS
@@ -1138,6 +1152,7 @@ with_xauth_module
 with_user
 with_group
 enable_curl
+enable_soup
 enable_ldap
 enable_aes
 enable_des
@@ -1151,6 +1166,7 @@ enable_gmp
 enable_random
 enable_x509
 enable_revocation
+enable_constraints
 enable_pubkey
 enable_pkcs1
 enable_pgp
@@ -1158,6 +1174,7 @@ enable_dnskey
 enable_pem
 enable_hmac
 enable_xcbc
+enable_af_alg
 enable_test_vectors
 enable_mysql
 enable_sqlite
@@ -1191,6 +1208,7 @@ enable_tnc_imc
 enable_tnc_imv
 enable_tnccs_11
 enable_tnccs_20
+enable_tnccs_dynamic
 enable_kernel_netlink
 enable_kernel_pfkey
 enable_kernel_pfroute
@@ -1214,6 +1232,7 @@ enable_threads
 enable_charon
 enable_tools
 enable_scripts
+enable_conftest
 enable_updown
 enable_attr
 enable_attr_sql
@@ -1259,6 +1278,8 @@ CPPFLAGS
 CPP
 YACC
 YFLAGS
+soup_CFLAGS
+soup_LIBS
 xml_CFLAGS
 xml_LIBS
 gtk_CFLAGS
@@ -1809,7 +1830,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures strongSwan 4.5.0 to adapt to many kinds of systems.
+\`configure' configures strongSwan 4.5.1 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1879,7 +1900,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of strongSwan 4.5.0:";;
+     short | recursive ) echo "Configuration of strongSwan 4.5.1:";;
    esac
   cat <<\_ACEOF
 
@@ -1889,6 +1910,8 @@ Optional Features:
   --enable-FEATURE[=ARG]  include FEATURE [ARG=yes]
   --enable-curl           enable CURL fetcher plugin to fetch files via
                           libcurl. Requires libcurl.
+  --enable-soup           enable soup fetcher plugin to fetch from HTTP via
+                          libsoup. Requires libsoup.
   --enable-ldap           enable LDAP fetching plugin to fetch files via
                           libldap. Requires openLDAP.
   --disable-aes           disable AES software implementation plugin.
@@ -1905,6 +1928,7 @@ Optional Features:
   --disable-random        disable RNG implementation on top of /dev/(u)random.
   --disable-x509          disable X509 certificate implementation plugin.
   --disable-revocation    disable X509 CRL/OCSP revocation check plugin.
+  --disable-constraints   disable advanced X509 constraint checking plugin.
   --disable-pubkey        disable RAW public key support plugin.
   --disable-pkcs1         disable PKCS1 key decoding plugin.
   --disable-pgp           disable PGP key decoding plugin.
@@ -1912,6 +1936,7 @@ Optional Features:
   --disable-pem           disable PEM decoding plugin.
   --disable-hmac          disable HMAC crypto implementation plugin.
   --disable-xcbc          disable xcbc crypto implementation plugin.
+  --enable-af-alg         enable AF_ALG crypto interface to Linux Crypto API.
   --enable-test-vectors   enable plugin providing crypto test vectors.
   --enable-mysql          enable MySQL database support. Requires
                           libmysqlclient_r.
@@ -1955,6 +1980,7 @@ Optional Features:
   --enable-tnc-imv        enable TNC IMV module.
   --enable-tnccs-11       enable TNCCS 1.1 protocol module.
   --enable-tnccs-20       enable TNCCS 2.0 protocol module.
+  --enable-tnccs-dynamic  enable dynamic TNCCS protocol discovery module.
   --disable-kernel-netlink
                           disable the netlink kernel interface.
   --enable-kernel-pfkey   enable the PF_KEY kernel interface.
@@ -1990,6 +2016,7 @@ Optional Features:
                           pki).
   --disable-scripts       disable additional utilities (found in directory
                           scripts).
+  --enable-conftest       enforce Suite B conformance test framework.
   --disable-updown        disable updown firewall script plugin.
   --disable-attr          disable strongswan.conf based configuration
                           attribute plugin.
@@ -2092,6 +2119,8 @@ Some influential environment variables:
   YFLAGS      The list of arguments that will be passed by default to $YACC.
               This script will default YFLAGS to the empty string to avoid a
               default value of `-d' given by some make applications.
+  soup_CFLAGS C compiler flags for soup, overriding pkg-config
+  soup_LIBS   linker flags for soup, overriding pkg-config
   xml_CFLAGS  C compiler flags for xml, overriding pkg-config
   xml_LIBS    linker flags for xml, overriding pkg-config
   gtk_CFLAGS  C compiler flags for gtk, overriding pkg-config
@@ -2168,7 +2197,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-strongSwan configure 4.5.0
+strongSwan configure 4.5.1
 generated by GNU Autoconf 2.67
 
 Copyright (C) 2010 Free Software Foundation, Inc.
@@ -2644,7 +2673,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by strongSwan $as_me 4.5.0, which was
+It was created by strongSwan $as_me 4.5.1, which was
 generated by GNU Autoconf 2.67.  Invocation command line was
 
   $ $0 $@
@@ -3459,7 +3488,7 @@ fi
 
 # Define the identity of the package.
  PACKAGE='strongswan'
- VERSION='4.5.0'
+ VERSION='4.5.1'
 
 
 cat >>confdefs.h <<_ACEOF
@@ -3947,6 +3976,21 @@ else
 fi
 
 
+# Check whether --enable-soup was given.
+if test "${enable_soup+set}" = set; then :
+  enableval=$enable_soup; soup_given=true
+		if test x$enableval = xyes; then
+			soup=true
+		 else
+			soup=false
+		fi
+else
+  soup=false
+		soup_given=false
+
+fi
+
+
 # Check whether --enable-ldap was given.
 if test "${enable_ldap+set}" = set; then :
   enableval=$enable_ldap; ldap_given=true
@@ -4142,6 +4186,21 @@ else
 fi
 
 
+# Check whether --enable-constraints was given.
+if test "${enable_constraints+set}" = set; then :
+  enableval=$enable_constraints; constraints_given=true
+		if test x$enableval = xyes; then
+			constraints=true
+		 else
+			constraints=false
+		fi
+else
+  constraints=true
+		constraints_given=false
+
+fi
+
+
 # Check whether --enable-pubkey was given.
 if test "${enable_pubkey+set}" = set; then :
   enableval=$enable_pubkey; pubkey_given=true
@@ -4247,6 +4306,21 @@ else
 fi
 
 
+# Check whether --enable-af-alg was given.
+if test "${enable_af_alg+set}" = set; then :
+  enableval=$enable_af_alg; af_alg_given=true
+		if test x$enableval = xyes; then
+			af_alg=true
+		 else
+			af_alg=false
+		fi
+else
+  af_alg=false
+		af_alg_given=false
+
+fi
+
+
 # Check whether --enable-test-vectors was given.
 if test "${enable_test_vectors+set}" = set; then :
   enableval=$enable_test_vectors; test_vectors_given=true
@@ -4742,6 +4816,21 @@ else
 fi
 
 
+# Check whether --enable-tnccs-dynamic was given.
+if test "${enable_tnccs_dynamic+set}" = set; then :
+  enableval=$enable_tnccs_dynamic; tnccs_dynamic_given=true
+		if test x$enableval = xyes; then
+			tnccs_dynamic=true
+		 else
+			tnccs_dynamic=false
+		fi
+else
+  tnccs_dynamic=false
+		tnccs_dynamic_given=false
+
+fi
+
+
 # Check whether --enable-kernel-netlink was given.
 if test "${enable_kernel_netlink+set}" = set; then :
   enableval=$enable_kernel_netlink; kernel_netlink_given=true
@@ -5087,6 +5176,21 @@ else
 fi
 
 
+# Check whether --enable-conftest was given.
+if test "${enable_conftest+set}" = set; then :
+  enableval=$enable_conftest; conftest_given=true
+		if test x$enableval = xyes; then
+			conftest=true
+		 else
+			conftest=false
+		fi
+else
+  conftest=false
+		conftest_given=false
+
+fi
+
+
 # Check whether --enable-updown was given.
 if test "${enable_updown+set}" = set; then :
   enableval=$enable_updown; updown_given=true
@@ -7769,13 +7873,13 @@ if test "${lt_cv_nm_interface+set}" = set; then :
 else
   lt_cv_nm_interface="BSD nm"
   echo "int some_variable = 0;" > conftest.$ac_ext
-  (eval echo "\"\$as_me:7772: $ac_compile\"" >&5)
+  (eval echo "\"\$as_me:7876: $ac_compile\"" >&5)
   (eval "$ac_compile" 2>conftest.err)
   cat conftest.err >&5
-  (eval echo "\"\$as_me:7775: $NM \\\"conftest.$ac_objext\\\"\"" >&5)
+  (eval echo "\"\$as_me:7879: $NM \\\"conftest.$ac_objext\\\"\"" >&5)
   (eval "$NM \"conftest.$ac_objext\"" 2>conftest.err > conftest.out)
   cat conftest.err >&5
-  (eval echo "\"\$as_me:7778: output\"" >&5)
+  (eval echo "\"\$as_me:7882: output\"" >&5)
   cat conftest.out >&5
   if $GREP 'External.*some_variable' conftest.out > /dev/null; then
     lt_cv_nm_interface="MS dumpbin"
@@ -8980,7 +9084,7 @@ ia64-*-hpux*)
   ;;
 *-*-irix6*)
   # Find out which ABI we are using.
-  echo '#line 8983 "configure"' > conftest.$ac_ext
+  echo '#line 9087 "configure"' > conftest.$ac_ext
   if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5
   (eval $ac_compile) 2>&5
   ac_status=$?
@@ -10242,11 +10346,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:10245: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:10349: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:10249: \$? = $ac_status" >&5
+   echo "$as_me:10353: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -10581,11 +10685,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:10584: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:10688: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:10588: \$? = $ac_status" >&5
+   echo "$as_me:10692: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -10686,11 +10790,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:10689: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:10793: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:10693: \$? = $ac_status" >&5
+   echo "$as_me:10797: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -10741,11 +10845,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:10744: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:10848: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:10748: \$? = $ac_status" >&5
+   echo "$as_me:10852: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -13125,7 +13229,7 @@ else
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext <<_LT_EOF
-#line 13128 "configure"
+#line 13232 "configure"
 #include "confdefs.h"
 
 #if HAVE_DLFCN_H
@@ -13221,7 +13325,7 @@ else
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext <<_LT_EOF
-#line 13224 "configure"
+#line 13328 "configure"
 #include "confdefs.h"
 
 #if HAVE_DLFCN_H
@@ -13855,27 +13959,6 @@ else
 $as_echo "not found" >&6; }
 fi
 
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for uid of user \"$ipsecuser\"" >&5
-$as_echo_n "checking for uid of user \"$ipsecuser\"... " >&6; }
-ipsecuid=`id -u $ipsecuser 2>/dev/null`
-if test -n "$ipsecuid"; then
-	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ipsecuid" >&5
-$as_echo "$ipsecuid" >&6; }
-
-else
-	as_fn_error $? "not found" "$LINENO" 5
-fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for gid of group \"$ipsecgroup\"" >&5
-$as_echo_n "checking for gid of group \"$ipsecgroup\"... " >&6; }
-ipsecgid=`$EGREP "^$ipsecgroup:" /etc/group | $AWK -F: '{ print $3 }'`
-if test -n "$ipsecgid"; then
-	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ipsecgid" >&5
-$as_echo "$ipsecgid" >&6; }
-
-else
-	as_fn_error $? "not found" "$LINENO" 5
-fi
-
 
 if test x$eap_aka_3gpp2 = xtrue; then
 	gmp=true;
@@ -13901,7 +13984,7 @@ if test x$fips_prf = xtrue; then
 	fi
 fi
 
-if test x$smp = xtrue; then
+if test x$smp = xtrue -o x$tnccs_11 = xtrue; then
 	xml=true
 fi
 
@@ -15245,6 +15328,100 @@ else
 fi
 
 
+fi
+
+if test x$soup = xtrue; then
+
+pkg_failed=no
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for soup" >&5
+$as_echo_n "checking for soup... " >&6; }
+
+if test -n "$soup_CFLAGS"; then
+    pkg_cv_soup_CFLAGS="$soup_CFLAGS"
+ elif test -n "$PKG_CONFIG"; then
+    if test -n "$PKG_CONFIG" && \
+    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libsoup-2.4\""; } >&5
+  ($PKG_CONFIG --exists --print-errors "libsoup-2.4") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; then
+  pkg_cv_soup_CFLAGS=`$PKG_CONFIG --cflags "libsoup-2.4" 2>/dev/null`
+else
+  pkg_failed=yes
+fi
+ else
+    pkg_failed=untried
+fi
+if test -n "$soup_LIBS"; then
+    pkg_cv_soup_LIBS="$soup_LIBS"
+ elif test -n "$PKG_CONFIG"; then
+    if test -n "$PKG_CONFIG" && \
+    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libsoup-2.4\""; } >&5
+  ($PKG_CONFIG --exists --print-errors "libsoup-2.4") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; then
+  pkg_cv_soup_LIBS=`$PKG_CONFIG --libs "libsoup-2.4" 2>/dev/null`
+else
+  pkg_failed=yes
+fi
+ else
+    pkg_failed=untried
+fi
+
+
+
+if test $pkg_failed = yes; then
+   	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+
+if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
+        _pkg_short_errors_supported=yes
+else
+        _pkg_short_errors_supported=no
+fi
+        if test $_pkg_short_errors_supported = yes; then
+	        soup_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors "libsoup-2.4" 2>&1`
+        else
+	        soup_PKG_ERRORS=`$PKG_CONFIG --print-errors "libsoup-2.4" 2>&1`
+        fi
+	# Put the nasty error message in config.log where it belongs
+	echo "$soup_PKG_ERRORS" >&5
+
+	as_fn_error $? "Package requirements (libsoup-2.4) were not met:
+
+$soup_PKG_ERRORS
+
+Consider adjusting the PKG_CONFIG_PATH environment variable if you
+installed software in a non-standard prefix.
+
+Alternatively, you may set the environment variables soup_CFLAGS
+and soup_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details." "$LINENO" 5
+elif test $pkg_failed = untried; then
+     	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+	{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error $? "The pkg-config script could not be found or is too old.  Make sure it
+is in your PATH or set the PKG_CONFIG environment variable to the full
+path to pkg-config.
+
+Alternatively, you may set the environment variables soup_CFLAGS
+and soup_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details.
+
+To get pkg-config, see <http://pkg-config.freedesktop.org/>.
+See \`config.log' for more details" "$LINENO" 5 ; }
+else
+	soup_CFLAGS=$pkg_cv_soup_CFLAGS
+	soup_LIBS=$pkg_cv_soup_LIBS
+        { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+
+fi
+
+
 fi
 
 if test x$xml = xtrue; then
@@ -15931,17 +16108,6 @@ fi
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
 
-if test x$tnccs_11 = xtrue -o x$tnc_imc = xtrue -o x$tnc_imv = xtrue; then
-	ac_fn_c_check_header_mongrel "$LINENO" "libtnc.h" "ac_cv_header_libtnc_h" "$ac_includes_default"
-if test "x$ac_cv_header_libtnc_h" = x""yes; then :
-
-else
-  as_fn_error $? "libtnc header libtnc.h not found!" "$LINENO" 5
-fi
-
-
-fi
-
 if test x$uci = xtrue; then
 	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -luci" >&5
 $as_echo_n "checking for main in -luci... " >&6; }
@@ -16544,6 +16710,15 @@ if test x$curl = xtrue; then
 		libcharon_plugins=${libcharon_plugins}" curl"
 		pluto_plugins=${pluto_plugins}" curl"
 		scepclient_plugins=${scepclient_plugins}" curl"
+		scripts_plugins=${scripts_plugins}" curl"
+
+	fi
+
+if test x$soup = xtrue; then
+		s_plugins=${s_plugins}" soup"
+		libcharon_plugins=${libcharon_plugins}" soup"
+		pluto_plugins=${pluto_plugins}" soup"
+		scripts_plugins=${scripts_plugins}" soup"
 
 	fi
 
@@ -16552,6 +16727,7 @@ if test x$ldap = xtrue; then
 		libcharon_plugins=${libcharon_plugins}" ldap"
 		pluto_plugins=${pluto_plugins}" ldap"
 		scepclient_plugins=${scepclient_plugins}" ldap"
+		scripts_plugins=${scripts_plugins}" ldap"
 
 	fi
 
@@ -16681,6 +16857,12 @@ if test x$revocation = xtrue; then
 
 	fi
 
+if test x$constraints = xtrue; then
+		s_plugins=${s_plugins}" constraints"
+		libcharon_plugins=${libcharon_plugins}" constraints"
+
+	fi
+
 if test x$pubkey = xtrue; then
 		s_plugins=${s_plugins}" pubkey"
 		libcharon_plugins=${libcharon_plugins}" pubkey"
@@ -16825,6 +17007,18 @@ if test x$gcm = xtrue; then
 
 	fi
 
+if test x$af_alg = xtrue; then
+		s_plugins=${s_plugins}" af-alg"
+		libcharon_plugins=${libcharon_plugins}" af-alg"
+		pluto_plugins=${pluto_plugins}" af-alg"
+		openac_plugins=${openac_plugins}" af-alg"
+		scepclient_plugins=${scepclient_plugins}" af-alg"
+		pki_plugins=${pki_plugins}" af-alg"
+		scripts_plugins=${scripts_plugins}" af-alg"
+		medsrv_plugins=${medsrv_plugins}" af-alg"
+
+	fi
+
 if test x$xauth = xtrue; then
 		p_plugins=${p_plugins}" xauth"
 		pluto_plugins=${pluto_plugins}" xauth"
@@ -16845,6 +17039,12 @@ if test x$attr_sql = xtrue; then
 
 	fi
 
+if test x$load_tester = xtrue; then
+		c_plugins=${c_plugins}" load-tester"
+		libcharon_plugins=${libcharon_plugins}" load-tester"
+
+	fi
+
 if test x$kernel_pfkey = xtrue; then
 		h_plugins=${h_plugins}" kernel-pfkey"
 		libcharon_plugins=${libcharon_plugins}" kernel-pfkey"
@@ -16880,12 +17080,6 @@ if test x$resolve = xtrue; then
 
 	fi
 
-if test x$load_tester = xtrue; then
-		c_plugins=${c_plugins}" load-tester"
-		libcharon_plugins=${libcharon_plugins}" load-tester"
-
-	fi
-
 if test x$socket_default = xtrue; then
 		c_plugins=${c_plugins}" socket-default"
 		libcharon_plugins=${libcharon_plugins}" socket-default"
@@ -17024,15 +17218,9 @@ if test x$eap_tnc = xtrue; then
 
 	fi
 
-if test x$tnc_imc = xtrue; then
-		c_plugins=${c_plugins}" tnc-imc"
-		libcharon_plugins=${libcharon_plugins}" tnc-imc"
-
-	fi
-
-if test x$tnc_imv = xtrue; then
-		c_plugins=${c_plugins}" tnc-imv"
-		libcharon_plugins=${libcharon_plugins}" tnc-imv"
+if test x$tnccs_20 = xtrue; then
+		c_plugins=${c_plugins}" tnccs-20"
+		libcharon_plugins=${libcharon_plugins}" tnccs-20"
 
 	fi
 
@@ -17042,9 +17230,21 @@ if test x$tnccs_11 = xtrue; then
 
 	fi
 
-if test x$tnccs_20 = xtrue; then
-		c_plugins=${c_plugins}" tnccs-20"
-		libcharon_plugins=${libcharon_plugins}" tnccs-20"
+if test x$tnccs_dynamic = xtrue; then
+		c_plugins=${c_plugins}" tnccs-dynamic"
+		libcharon_plugins=${libcharon_plugins}" tnccs-dynamic"
+
+	fi
+
+if test x$tnc_imc = xtrue; then
+		c_plugins=${c_plugins}" tnc-imc"
+		libcharon_plugins=${libcharon_plugins}" tnc-imc"
+
+	fi
+
+if test x$tnc_imv = xtrue; then
+		c_plugins=${c_plugins}" tnc-imv"
+		libcharon_plugins=${libcharon_plugins}" tnc-imv"
 
 	fi
 
@@ -17147,6 +17347,14 @@ else
   USE_CURL_FALSE=
 fi
 
+ if test x$soup = xtrue; then
+  USE_SOUP_TRUE=
+  USE_SOUP_FALSE='#'
+else
+  USE_SOUP_TRUE='#'
+  USE_SOUP_FALSE=
+fi
+
  if test x$ldap = xtrue; then
   USE_LDAP_TRUE=
   USE_LDAP_FALSE='#'
@@ -17251,6 +17459,14 @@ else
   USE_REVOCATION_FALSE=
 fi
 
+ if test x$constraints = xtrue; then
+  USE_CONSTRAINTS_TRUE=
+  USE_CONSTRAINTS_FALSE='#'
+else
+  USE_CONSTRAINTS_TRUE='#'
+  USE_CONSTRAINTS_FALSE=
+fi
+
  if test x$pubkey = xtrue; then
   USE_PUBKEY_TRUE=
   USE_PUBKEY_FALSE='#'
@@ -17387,6 +17603,14 @@ else
   USE_GCM_FALSE=
 fi
 
+ if test x$af_alg = xtrue; then
+  USE_AF_ALG_TRUE=
+  USE_AF_ALG_FALSE='#'
+else
+  USE_AF_ALG_TRUE='#'
+  USE_AF_ALG_FALSE=
+fi
+
 
  if test x$stroke = xtrue; then
   USE_STROKE_TRUE=
@@ -17660,6 +17884,14 @@ else
   USE_TNCCS_20_FALSE=
 fi
 
+ if test x$tnccs_dynamic = xtrue; then
+  USE_TNCCS_DYNAMIC_TRUE=
+  USE_TNCCS_DYNAMIC_FALSE='#'
+else
+  USE_TNCCS_DYNAMIC_TRUE='#'
+  USE_TNCCS_DYNAMIC_FALSE=
+fi
+
  if test x$socket_default = xtrue; then
   USE_SOCKET_DEFAULT_TRUE=
   USE_SOCKET_DEFAULT_FALSE='#'
@@ -17911,7 +18143,15 @@ else
   USE_SCRIPTS_FALSE=
 fi
 
- if test x$charon = xtrue -o x$pluto = xtrue -o x$tools = xtrue; then
+ if test x$conftest = xtrue; then
+  USE_CONFTEST_TRUE=
+  USE_CONFTEST_FALSE='#'
+else
+  USE_CONFTEST_TRUE='#'
+  USE_CONFTEST_FALSE=
+fi
+
+ if test x$charon = xtrue -o x$pluto = xtrue -o x$tools = xtrue -o x$conftest = xtrue; then
   USE_LIBSTRONGSWAN_TRUE=
   USE_LIBSTRONGSWAN_FALSE='#'
 else
@@ -17927,6 +18167,14 @@ else
   USE_LIBHYDRA_FALSE=
 fi
 
+ if test x$charon = xtrue -o x$conftest = xtrue; then
+  USE_LIBCHARON_TRUE=
+  USE_LIBCHARON_FALSE='#'
+else
+  USE_LIBCHARON_TRUE='#'
+  USE_LIBCHARON_FALSE=
+fi
+
  if test x$pluto = xtrue -o x$stroke = xtrue; then
   USE_FILE_CONFIG_TRUE=
   USE_FILE_CONFIG_FALSE='#'
@@ -17935,6 +18183,14 @@ else
   USE_FILE_CONFIG_FALSE=
 fi
 
+ if test x$pluto = xtrue -o x$stroke = xtrue -o x$tools = xtrue -o x$conftest = xtrue; then
+  USE_IPSEC_SCRIPT_TRUE=
+  USE_IPSEC_SCRIPT_FALSE='#'
+else
+  USE_IPSEC_SCRIPT_TRUE='#'
+  USE_IPSEC_SCRIPT_FALSE=
+fi
+
  if test x$capabilities = xlibcap; then
   USE_LIBCAP_TRUE=
   USE_LIBCAP_FALSE='#'
@@ -17992,7 +18248,7 @@ fi
 
 
 
-ac_config_files="$ac_config_files Makefile man/Makefile src/Makefile src/include/Makefile src/libstrongswan/Makefile src/libstrongswan/plugins/aes/Makefile src/libstrongswan/plugins/des/Makefile src/libstrongswan/plugins/blowfish/Makefile src/libstrongswan/plugins/md4/Makefile src/libstrongswan/plugins/md5/Makefile src/libstrongswan/plugins/sha1/Makefile src/libstrongswan/plugins/sha2/Makefile src/libstrongswan/plugins/fips_prf/Makefile src/libstrongswan/plugins/gmp/Makefile src/libstrongswan/plugins/random/Makefile src/libstrongswan/plugins/hmac/Makefile src/libstrongswan/plugins/xcbc/Makefile src/libstrongswan/plugins/x509/Makefile src/libstrongswan/plugins/revocation/Makefile src/libstrongswan/plugins/pubkey/Makefile src/libstrongswan/plugins/pkcs1/Makefile src/libstrongswan/plugins/pgp/Makefile src/libstrongswan/plugins/dnskey/Makefile src/libstrongswan/plugins/pem/Makefile src/libstrongswan/plugins/curl/Makefile src/libstrongswan/plugins/ldap/Makefile src/libstrongswan/plugins/mysql/Makefile src/libstrongswan/plugins/sqlite/Makefile src/libstrongswan/plugins/padlock/Makefile src/libstrongswan/plugins/openssl/Makefile src/libstrongswan/plugins/gcrypt/Makefile src/libstrongswan/plugins/agent/Makefile src/libstrongswan/plugins/pkcs11/Makefile src/libstrongswan/plugins/ctr/Makefile src/libstrongswan/plugins/ccm/Makefile src/libstrongswan/plugins/gcm/Makefile src/libstrongswan/plugins/test_vectors/Makefile src/libhydra/Makefile src/libhydra/plugins/attr/Makefile src/libhydra/plugins/attr_sql/Makefile src/libhydra/plugins/kernel_klips/Makefile src/libhydra/plugins/kernel_netlink/Makefile src/libhydra/plugins/kernel_pfkey/Makefile src/libhydra/plugins/kernel_pfroute/Makefile src/libhydra/plugins/resolve/Makefile src/libfreeswan/Makefile src/libsimaka/Makefile src/libtls/Makefile src/pluto/Makefile src/pluto/plugins/xauth/Makefile src/whack/Makefile src/charon/Makefile src/libcharon/Makefile src/libcharon/plugins/eap_aka/Makefile src/libcharon/plugins/eap_aka_3gpp2/Makefile src/libcharon/plugins/eap_identity/Makefile src/libcharon/plugins/eap_md5/Makefile src/libcharon/plugins/eap_gtc/Makefile src/libcharon/plugins/eap_sim/Makefile src/libcharon/plugins/eap_sim_file/Makefile src/libcharon/plugins/eap_simaka_sql/Makefile src/libcharon/plugins/eap_simaka_pseudonym/Makefile src/libcharon/plugins/eap_simaka_reauth/Makefile src/libcharon/plugins/eap_mschapv2/Makefile src/libcharon/plugins/eap_tls/Makefile src/libcharon/plugins/eap_ttls/Makefile src/libcharon/plugins/eap_tnc/Makefile src/libcharon/plugins/eap_radius/Makefile src/libcharon/plugins/tnc_imc/Makefile src/libcharon/plugins/tnc_imv/Makefile src/libcharon/plugins/tnccs_11/Makefile src/libcharon/plugins/tnccs_20/Makefile src/libcharon/plugins/socket_default/Makefile src/libcharon/plugins/socket_raw/Makefile src/libcharon/plugins/socket_dynamic/Makefile src/libcharon/plugins/farp/Makefile src/libcharon/plugins/smp/Makefile src/libcharon/plugins/sql/Makefile src/libcharon/plugins/medsrv/Makefile src/libcharon/plugins/medcli/Makefile src/libcharon/plugins/nm/Makefile src/libcharon/plugins/addrblock/Makefile src/libcharon/plugins/uci/Makefile src/libcharon/plugins/ha/Makefile src/libcharon/plugins/led/Makefile src/libcharon/plugins/android/Makefile src/libcharon/plugins/maemo/Makefile src/libcharon/plugins/stroke/Makefile src/libcharon/plugins/updown/Makefile src/libcharon/plugins/dhcp/Makefile src/libcharon/plugins/unit_tester/Makefile src/libcharon/plugins/load_tester/Makefile src/stroke/Makefile src/ipsec/Makefile src/starter/Makefile src/_updown/Makefile src/_updown_espmark/Makefile src/_copyright/Makefile src/openac/Makefile src/scepclient/Makefile src/pki/Makefile src/dumm/Makefile src/dumm/ext/extconf.rb src/libfast/Makefile src/manager/Makefile src/medsrv/Makefile src/checksum/Makefile scripts/Makefile testing/Makefile"
+ac_config_files="$ac_config_files Makefile man/Makefile src/Makefile src/include/Makefile src/libstrongswan/Makefile src/libstrongswan/plugins/aes/Makefile src/libstrongswan/plugins/des/Makefile src/libstrongswan/plugins/blowfish/Makefile src/libstrongswan/plugins/md4/Makefile src/libstrongswan/plugins/md5/Makefile src/libstrongswan/plugins/sha1/Makefile src/libstrongswan/plugins/sha2/Makefile src/libstrongswan/plugins/fips_prf/Makefile src/libstrongswan/plugins/gmp/Makefile src/libstrongswan/plugins/random/Makefile src/libstrongswan/plugins/hmac/Makefile src/libstrongswan/plugins/xcbc/Makefile src/libstrongswan/plugins/x509/Makefile src/libstrongswan/plugins/revocation/Makefile src/libstrongswan/plugins/constraints/Makefile src/libstrongswan/plugins/pubkey/Makefile src/libstrongswan/plugins/pkcs1/Makefile src/libstrongswan/plugins/pgp/Makefile src/libstrongswan/plugins/dnskey/Makefile src/libstrongswan/plugins/pem/Makefile src/libstrongswan/plugins/curl/Makefile src/libstrongswan/plugins/soup/Makefile src/libstrongswan/plugins/ldap/Makefile src/libstrongswan/plugins/mysql/Makefile src/libstrongswan/plugins/sqlite/Makefile src/libstrongswan/plugins/padlock/Makefile src/libstrongswan/plugins/openssl/Makefile src/libstrongswan/plugins/gcrypt/Makefile src/libstrongswan/plugins/agent/Makefile src/libstrongswan/plugins/pkcs11/Makefile src/libstrongswan/plugins/ctr/Makefile src/libstrongswan/plugins/ccm/Makefile src/libstrongswan/plugins/gcm/Makefile src/libstrongswan/plugins/af_alg/Makefile src/libstrongswan/plugins/test_vectors/Makefile src/libhydra/Makefile src/libhydra/plugins/attr/Makefile src/libhydra/plugins/attr_sql/Makefile src/libhydra/plugins/kernel_klips/Makefile src/libhydra/plugins/kernel_netlink/Makefile src/libhydra/plugins/kernel_pfkey/Makefile src/libhydra/plugins/kernel_pfroute/Makefile src/libhydra/plugins/resolve/Makefile src/libfreeswan/Makefile src/libsimaka/Makefile src/libtls/Makefile src/pluto/Makefile src/pluto/plugins/xauth/Makefile src/whack/Makefile src/charon/Makefile src/libcharon/Makefile src/libcharon/plugins/eap_aka/Makefile src/libcharon/plugins/eap_aka_3gpp2/Makefile src/libcharon/plugins/eap_identity/Makefile src/libcharon/plugins/eap_md5/Makefile src/libcharon/plugins/eap_gtc/Makefile src/libcharon/plugins/eap_sim/Makefile src/libcharon/plugins/eap_sim_file/Makefile src/libcharon/plugins/eap_simaka_sql/Makefile src/libcharon/plugins/eap_simaka_pseudonym/Makefile src/libcharon/plugins/eap_simaka_reauth/Makefile src/libcharon/plugins/eap_mschapv2/Makefile src/libcharon/plugins/eap_tls/Makefile src/libcharon/plugins/eap_ttls/Makefile src/libcharon/plugins/eap_tnc/Makefile src/libcharon/plugins/eap_radius/Makefile src/libcharon/plugins/tnc_imc/Makefile src/libcharon/plugins/tnc_imv/Makefile src/libcharon/plugins/tnccs_11/Makefile src/libcharon/plugins/tnccs_20/Makefile src/libcharon/plugins/tnccs_dynamic/Makefile src/libcharon/plugins/socket_default/Makefile src/libcharon/plugins/socket_raw/Makefile src/libcharon/plugins/socket_dynamic/Makefile src/libcharon/plugins/farp/Makefile src/libcharon/plugins/smp/Makefile src/libcharon/plugins/sql/Makefile src/libcharon/plugins/medsrv/Makefile src/libcharon/plugins/medcli/Makefile src/libcharon/plugins/nm/Makefile src/libcharon/plugins/addrblock/Makefile src/libcharon/plugins/uci/Makefile src/libcharon/plugins/ha/Makefile src/libcharon/plugins/led/Makefile src/libcharon/plugins/android/Makefile src/libcharon/plugins/maemo/Makefile src/libcharon/plugins/stroke/Makefile src/libcharon/plugins/updown/Makefile src/libcharon/plugins/dhcp/Makefile src/libcharon/plugins/unit_tester/Makefile src/libcharon/plugins/load_tester/Makefile src/stroke/Makefile src/ipsec/Makefile src/starter/Makefile src/_updown/Makefile src/_updown_espmark/Makefile src/_copyright/Makefile src/openac/Makefile src/scepclient/Makefile src/pki/Makefile src/dumm/Makefile src/dumm/ext/extconf.rb src/libfast/Makefile src/manager/Makefile src/medsrv/Makefile src/checksum/Makefile src/conftest/Makefile scripts/Makefile testing/Makefile"
 
 cat >confcache <<\_ACEOF
 # This file is a shell script that caches the results of configure
@@ -18153,6 +18409,10 @@ if test -z "${USE_CURL_TRUE}" && test -z "${USE_CURL_FALSE}"; then
   as_fn_error $? "conditional \"USE_CURL\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
+if test -z "${USE_SOUP_TRUE}" && test -z "${USE_SOUP_FALSE}"; then
+  as_fn_error $? "conditional \"USE_SOUP\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
 if test -z "${USE_LDAP_TRUE}" && test -z "${USE_LDAP_FALSE}"; then
   as_fn_error $? "conditional \"USE_LDAP\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -18205,6 +18465,10 @@ if test -z "${USE_REVOCATION_TRUE}" && test -z "${USE_REVOCATION_FALSE}"; then
   as_fn_error $? "conditional \"USE_REVOCATION\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
+if test -z "${USE_CONSTRAINTS_TRUE}" && test -z "${USE_CONSTRAINTS_FALSE}"; then
+  as_fn_error $? "conditional \"USE_CONSTRAINTS\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
 if test -z "${USE_PUBKEY_TRUE}" && test -z "${USE_PUBKEY_FALSE}"; then
   as_fn_error $? "conditional \"USE_PUBKEY\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -18273,6 +18537,10 @@ if test -z "${USE_GCM_TRUE}" && test -z "${USE_GCM_FALSE}"; then
   as_fn_error $? "conditional \"USE_GCM\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
+if test -z "${USE_AF_ALG_TRUE}" && test -z "${USE_AF_ALG_FALSE}"; then
+  as_fn_error $? "conditional \"USE_AF_ALG\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
 if test -z "${USE_STROKE_TRUE}" && test -z "${USE_STROKE_FALSE}"; then
   as_fn_error $? "conditional \"USE_STROKE\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -18409,6 +18677,10 @@ if test -z "${USE_TNCCS_20_TRUE}" && test -z "${USE_TNCCS_20_FALSE}"; then
   as_fn_error $? "conditional \"USE_TNCCS_20\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
+if test -z "${USE_TNCCS_DYNAMIC_TRUE}" && test -z "${USE_TNCCS_DYNAMIC_FALSE}"; then
+  as_fn_error $? "conditional \"USE_TNCCS_DYNAMIC\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
 if test -z "${USE_SOCKET_DEFAULT_TRUE}" && test -z "${USE_SOCKET_DEFAULT_FALSE}"; then
   as_fn_error $? "conditional \"USE_SOCKET_DEFAULT\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -18533,6 +18805,10 @@ if test -z "${USE_SCRIPTS_TRUE}" && test -z "${USE_SCRIPTS_FALSE}"; then
   as_fn_error $? "conditional \"USE_SCRIPTS\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
+if test -z "${USE_CONFTEST_TRUE}" && test -z "${USE_CONFTEST_FALSE}"; then
+  as_fn_error $? "conditional \"USE_CONFTEST\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
 if test -z "${USE_LIBSTRONGSWAN_TRUE}" && test -z "${USE_LIBSTRONGSWAN_FALSE}"; then
   as_fn_error $? "conditional \"USE_LIBSTRONGSWAN\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -18541,10 +18817,18 @@ if test -z "${USE_LIBHYDRA_TRUE}" && test -z "${USE_LIBHYDRA_FALSE}"; then
   as_fn_error $? "conditional \"USE_LIBHYDRA\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
+if test -z "${USE_LIBCHARON_TRUE}" && test -z "${USE_LIBCHARON_FALSE}"; then
+  as_fn_error $? "conditional \"USE_LIBCHARON\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
 if test -z "${USE_FILE_CONFIG_TRUE}" && test -z "${USE_FILE_CONFIG_FALSE}"; then
   as_fn_error $? "conditional \"USE_FILE_CONFIG\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
+if test -z "${USE_IPSEC_SCRIPT_TRUE}" && test -z "${USE_IPSEC_SCRIPT_FALSE}"; then
+  as_fn_error $? "conditional \"USE_IPSEC_SCRIPT\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
 if test -z "${USE_LIBCAP_TRUE}" && test -z "${USE_LIBCAP_FALSE}"; then
   as_fn_error $? "conditional \"USE_LIBCAP\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -18973,7 +19257,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by strongSwan $as_me 4.5.0, which was
+This file was extended by strongSwan $as_me 4.5.1, which was
 generated by GNU Autoconf 2.67.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -19030,7 +19314,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-strongSwan config.status 4.5.0
+strongSwan config.status 4.5.1
 configured by $0, generated by GNU Autoconf 2.67,
   with options \\"\$ac_cs_config\\"
 
@@ -19424,12 +19708,14 @@ do
     "src/libstrongswan/plugins/xcbc/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/xcbc/Makefile" ;;
     "src/libstrongswan/plugins/x509/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/x509/Makefile" ;;
     "src/libstrongswan/plugins/revocation/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/revocation/Makefile" ;;
+    "src/libstrongswan/plugins/constraints/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/constraints/Makefile" ;;
     "src/libstrongswan/plugins/pubkey/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/pubkey/Makefile" ;;
     "src/libstrongswan/plugins/pkcs1/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/pkcs1/Makefile" ;;
     "src/libstrongswan/plugins/pgp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/pgp/Makefile" ;;
     "src/libstrongswan/plugins/dnskey/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/dnskey/Makefile" ;;
     "src/libstrongswan/plugins/pem/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/pem/Makefile" ;;
     "src/libstrongswan/plugins/curl/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/curl/Makefile" ;;
+    "src/libstrongswan/plugins/soup/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/soup/Makefile" ;;
     "src/libstrongswan/plugins/ldap/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/ldap/Makefile" ;;
     "src/libstrongswan/plugins/mysql/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/mysql/Makefile" ;;
     "src/libstrongswan/plugins/sqlite/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/sqlite/Makefile" ;;
@@ -19441,6 +19727,7 @@ do
     "src/libstrongswan/plugins/ctr/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/ctr/Makefile" ;;
     "src/libstrongswan/plugins/ccm/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/ccm/Makefile" ;;
     "src/libstrongswan/plugins/gcm/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/gcm/Makefile" ;;
+    "src/libstrongswan/plugins/af_alg/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/af_alg/Makefile" ;;
     "src/libstrongswan/plugins/test_vectors/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/test_vectors/Makefile" ;;
     "src/libhydra/Makefile") CONFIG_FILES="$CONFIG_FILES src/libhydra/Makefile" ;;
     "src/libhydra/plugins/attr/Makefile") CONFIG_FILES="$CONFIG_FILES src/libhydra/plugins/attr/Makefile" ;;
@@ -19477,6 +19764,7 @@ do
     "src/libcharon/plugins/tnc_imv/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/tnc_imv/Makefile" ;;
     "src/libcharon/plugins/tnccs_11/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/tnccs_11/Makefile" ;;
     "src/libcharon/plugins/tnccs_20/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/tnccs_20/Makefile" ;;
+    "src/libcharon/plugins/tnccs_dynamic/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/tnccs_dynamic/Makefile" ;;
     "src/libcharon/plugins/socket_default/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/socket_default/Makefile" ;;
     "src/libcharon/plugins/socket_raw/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/socket_raw/Makefile" ;;
     "src/libcharon/plugins/socket_dynamic/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/socket_dynamic/Makefile" ;;
@@ -19512,6 +19800,7 @@ do
     "src/manager/Makefile") CONFIG_FILES="$CONFIG_FILES src/manager/Makefile" ;;
     "src/medsrv/Makefile") CONFIG_FILES="$CONFIG_FILES src/medsrv/Makefile" ;;
     "src/checksum/Makefile") CONFIG_FILES="$CONFIG_FILES src/checksum/Makefile" ;;
+    "src/conftest/Makefile") CONFIG_FILES="$CONFIG_FILES src/conftest/Makefile" ;;
     "scripts/Makefile") CONFIG_FILES="$CONFIG_FILES scripts/Makefile" ;;
     "testing/Makefile") CONFIG_FILES="$CONFIG_FILES testing/Makefile" ;;
 
diff --git a/configure.in b/configure.in
index 83c35d614..823456239 100644
--- a/configure.in
+++ b/configure.in
@@ -16,7 +16,7 @@ dnl ===========================
 dnl  initialize & set some vars
 dnl ===========================
 
-AC_INIT(strongSwan,4.5.0)
+AC_INIT(strongSwan,4.5.1)
 AM_INIT_AUTOMAKE(tar-ustar)
 AC_CONFIG_MACRO_DIR([m4/config])
 PKG_PROG_PKG_CONFIG
@@ -66,6 +66,7 @@ AC_ARG_WITH(
 m4_include(m4/macros/enable-disable.m4)
 
 ARG_ENABL_SET([curl],           [enable CURL fetcher plugin to fetch files via libcurl. Requires libcurl.])
+ARG_ENABL_SET([soup],           [enable soup fetcher plugin to fetch from HTTP via libsoup. Requires libsoup.])
 ARG_ENABL_SET([ldap],           [enable LDAP fetching plugin to fetch files via libldap. Requires openLDAP.])
 ARG_DISBL_SET([aes],            [disable AES software implementation plugin.])
 ARG_DISBL_SET([des],            [disable DES/3DES software implementation plugin.])
@@ -79,6 +80,7 @@ ARG_DISBL_SET([gmp],            [disable GNU MP (libgmp) based crypto implementa
 ARG_DISBL_SET([random],         [disable RNG implementation on top of /dev/(u)random.])
 ARG_DISBL_SET([x509],           [disable X509 certificate implementation plugin.])
 ARG_DISBL_SET([revocation],     [disable X509 CRL/OCSP revocation check plugin.])
+ARG_DISBL_SET([constraints],    [disable advanced X509 constraint checking plugin.])
 ARG_DISBL_SET([pubkey],         [disable RAW public key support plugin.])
 ARG_DISBL_SET([pkcs1],          [disable PKCS1 key decoding plugin.])
 ARG_DISBL_SET([pgp],            [disable PGP key decoding plugin.])
@@ -86,6 +88,7 @@ ARG_DISBL_SET([dnskey],         [disable DNS RR key decoding plugin.])
 ARG_DISBL_SET([pem],            [disable PEM decoding plugin.])
 ARG_DISBL_SET([hmac],           [disable HMAC crypto implementation plugin.])
 ARG_DISBL_SET([xcbc],           [disable xcbc crypto implementation plugin.])
+ARG_ENABL_SET([af-alg],         [enable AF_ALG crypto interface to Linux Crypto API.])
 ARG_ENABL_SET([test-vectors],   [enable plugin providing crypto test vectors.])
 ARG_ENABL_SET([mysql],          [enable MySQL database support. Requires libmysqlclient_r.])
 ARG_ENABL_SET([sqlite],         [enable SQLite database support. Requires libsqlite3.])
@@ -119,6 +122,7 @@ ARG_ENABL_SET([tnc-imc],        [enable TNC IMC module.])
 ARG_ENABL_SET([tnc-imv],        [enable TNC IMV module.])
 ARG_ENABL_SET([tnccs-11],       [enable TNCCS 1.1 protocol module.])
 ARG_ENABL_SET([tnccs-20],       [enable TNCCS 2.0 protocol module.])
+ARG_ENABL_SET([tnccs-dynamic],  [enable dynamic TNCCS protocol discovery module.])
 ARG_DISBL_SET([kernel-netlink], [disable the netlink kernel interface.])
 ARG_ENABL_SET([kernel-pfkey],   [enable the PF_KEY kernel interface.])
 ARG_ENABL_SET([kernel-pfroute], [enable the PF_ROUTE kernel interface.])
@@ -142,6 +146,7 @@ ARG_DISBL_SET([threads],        [disable the use of threads in pluto. Charon alw
 ARG_DISBL_SET([charon],         [disable the IKEv2 keying daemon charon.])
 ARG_DISBL_SET([tools],          [disable additional utilities (openac, scepclient and pki).])
 ARG_DISBL_SET([scripts],        [disable additional utilities (found in directory scripts).])
+ARG_ENABL_SET([conftest],       [enforce Suite B conformance test framework.])
 ARG_DISBL_SET([updown],         [disable updown firewall script plugin.])
 ARG_DISBL_SET([attr],           [disable strongswan.conf based configuration attribute plugin.])
 ARG_ENABL_SET([attr-sql],       [enable SQL based configuration attribute plugin.])
@@ -201,24 +206,6 @@ else
 	AC_MSG_RESULT([not found])
 fi
 
-dnl translate user/group to numercial ids
-AC_MSG_CHECKING([for uid of user "$ipsecuser"])
-ipsecuid=`id -u $ipsecuser 2>/dev/null`
-if test -n "$ipsecuid"; then
-	AC_MSG_RESULT([$ipsecuid])
-	AC_SUBST(ipsecuid)
-else
-	AC_MSG_ERROR([not found])
-fi
-AC_MSG_CHECKING([for gid of group "$ipsecgroup"])
-ipsecgid=`$EGREP "^$ipsecgroup:" /etc/group | $AWK -F: '{ print $3 }'`
-if test -n "$ipsecgid"; then
-	AC_MSG_RESULT([$ipsecgid])
-	AC_SUBST(ipsecgid)
-else
-	AC_MSG_ERROR([not found])
-fi
-
 dnl =========================
 dnl  dependency calculation
 dnl =========================
@@ -247,7 +234,7 @@ if test x$fips_prf = xtrue; then
 	fi
 fi
 
-if test x$smp = xtrue; then
+if test x$smp = xtrue -o x$tnccs_11 = xtrue; then
 	xml=true
 fi
 
@@ -513,6 +500,12 @@ if test x$curl = xtrue; then
 	AC_CHECK_HEADER([curl/curl.h],,[AC_MSG_ERROR([CURL header curl/curl.h not found!])])
 fi
 
+if test x$soup = xtrue; then
+	PKG_CHECK_MODULES(soup, [libsoup-2.4])
+	AC_SUBST(soup_CFLAGS)
+	AC_SUBST(soup_LIBS)
+fi
+
 if test x$xml = xtrue; then
 	PKG_CHECK_MODULES(xml, [libxml-2.0])
 	AC_SUBST(xml_CFLAGS)
@@ -607,10 +600,6 @@ if test x$gcrypt = xtrue; then
 	)
 fi
 
-if test x$tnccs_11 = xtrue -o x$tnc_imc = xtrue -o x$tnc_imv = xtrue; then
-	AC_CHECK_HEADER([libtnc.h],,[AC_MSG_ERROR([libtnc header libtnc.h not found!])])
-fi
-
 if test x$uci = xtrue; then
 	AC_HAVE_LIBRARY([uci],[LIBS="$LIBS"],[AC_MSG_ERROR([UCI library libuci not found])])
 	AC_CHECK_HEADER([uci.h],,[AC_MSG_ERROR([UCI header uci.h not found!])])
@@ -708,8 +697,9 @@ h_plugins=
 s_plugins=
 
 ADD_PLUGIN([test-vectors],         [s libcharon pluto openac scepclient pki])
-ADD_PLUGIN([curl],                 [s libcharon pluto scepclient])
-ADD_PLUGIN([ldap],                 [s libcharon pluto scepclient])
+ADD_PLUGIN([curl],                 [s libcharon pluto scepclient scripts])
+ADD_PLUGIN([soup],                 [s libcharon pluto scripts])
+ADD_PLUGIN([ldap],                 [s libcharon pluto scepclient scripts])
 ADD_PLUGIN([mysql],                [s libcharon pluto pool manager medsrv])
 ADD_PLUGIN([sqlite],               [s libcharon pluto pool manager medsrv])
 ADD_PLUGIN([aes],                  [s libcharon pluto openac scepclient pki scripts])
@@ -722,6 +712,7 @@ ADD_PLUGIN([md5],                  [s libcharon pluto openac scepclient pki])
 ADD_PLUGIN([random],               [s libcharon pluto openac scepclient pki scripts medsrv])
 ADD_PLUGIN([x509],                 [s libcharon pluto openac scepclient pki scripts])
 ADD_PLUGIN([revocation],           [s libcharon])
+ADD_PLUGIN([constraints],          [s libcharon])
 ADD_PLUGIN([pubkey],               [s libcharon])
 ADD_PLUGIN([pkcs1],                [s libcharon pluto openac scepclient pki scripts manager medsrv])
 ADD_PLUGIN([pgp],                  [s libcharon pluto])
@@ -739,15 +730,16 @@ ADD_PLUGIN([hmac],                 [s libcharon pluto scripts])
 ADD_PLUGIN([ctr],                  [s libcharon scripts])
 ADD_PLUGIN([ccm],                  [s libcharon scripts])
 ADD_PLUGIN([gcm],                  [s libcharon scripts])
+ADD_PLUGIN([af-alg],               [s libcharon pluto openac scepclient pki scripts medsrv])
 ADD_PLUGIN([xauth],                [p pluto])
 ADD_PLUGIN([attr],                 [h libcharon pluto])
 ADD_PLUGIN([attr-sql],             [h libcharon pluto])
+ADD_PLUGIN([load-tester],          [c libcharon])
 ADD_PLUGIN([kernel-pfkey],         [h libcharon pluto])
 ADD_PLUGIN([kernel-pfroute],       [h libcharon pluto])
 ADD_PLUGIN([kernel-klips],         [h libcharon pluto])
 ADD_PLUGIN([kernel-netlink],       [h libcharon pluto])
 ADD_PLUGIN([resolve],              [h libcharon pluto])
-ADD_PLUGIN([load-tester],          [c libcharon])
 ADD_PLUGIN([socket-default],       [c libcharon])
 ADD_PLUGIN([socket-raw],           [c libcharon])
 ADD_PLUGIN([socket-dynamic],       [c libcharon])
@@ -771,10 +763,11 @@ ADD_PLUGIN([eap-radius],           [c libcharon])
 ADD_PLUGIN([eap-tls],              [c libcharon])
 ADD_PLUGIN([eap-ttls],             [c libcharon])
 ADD_PLUGIN([eap-tnc],              [c libcharon])
+ADD_PLUGIN([tnccs-20],             [c libcharon])
+ADD_PLUGIN([tnccs-11],             [c libcharon])
+ADD_PLUGIN([tnccs-dynamic],        [c libcharon])
 ADD_PLUGIN([tnc-imc],              [c libcharon])
 ADD_PLUGIN([tnc-imv],              [c libcharon])
-ADD_PLUGIN([tnccs-11],             [c libcharon])
-ADD_PLUGIN([tnccs-20],             [c libcharon])
 ADD_PLUGIN([medsrv],               [c libcharon])
 ADD_PLUGIN([medcli],               [c libcharon])
 ADD_PLUGIN([nm],                   [c libcharon])
@@ -810,6 +803,7 @@ dnl libstrongswan plugins
 dnl =====================
 AM_CONDITIONAL(USE_TEST_VECTORS, test x$test_vectors = xtrue)
 AM_CONDITIONAL(USE_CURL, test x$curl = xtrue)
+AM_CONDITIONAL(USE_SOUP, test x$soup = xtrue)
 AM_CONDITIONAL(USE_LDAP, test x$ldap = xtrue)
 AM_CONDITIONAL(USE_AES, test x$aes = xtrue)
 AM_CONDITIONAL(USE_DES, test x$des = xtrue)
@@ -823,6 +817,7 @@ AM_CONDITIONAL(USE_GMP, test x$gmp = xtrue)
 AM_CONDITIONAL(USE_RANDOM, test x$random = xtrue)
 AM_CONDITIONAL(USE_X509, test x$x509 = xtrue)
 AM_CONDITIONAL(USE_REVOCATION, test x$revocation = xtrue)
+AM_CONDITIONAL(USE_CONSTRAINTS, test x$constraints = xtrue)
 AM_CONDITIONAL(USE_PUBKEY, test x$pubkey = xtrue)
 AM_CONDITIONAL(USE_PKCS1, test x$pkcs1 = xtrue)
 AM_CONDITIONAL(USE_PGP, test x$pgp = xtrue)
@@ -840,6 +835,7 @@ AM_CONDITIONAL(USE_PKCS11, test x$pkcs11 = xtrue)
 AM_CONDITIONAL(USE_CTR, test x$ctr = xtrue)
 AM_CONDITIONAL(USE_CCM, test x$ccm = xtrue)
 AM_CONDITIONAL(USE_GCM, test x$gcm = xtrue)
+AM_CONDITIONAL(USE_AF_ALG, test x$af_alg = xtrue)
 
 dnl charon plugins
 dnl ==============
@@ -877,6 +873,7 @@ AM_CONDITIONAL(USE_TNC_IMC, test x$tnc_imc = xtrue)
 AM_CONDITIONAL(USE_TNC_IMV, test x$tnc_imv = xtrue)
 AM_CONDITIONAL(USE_TNCCS_11, test x$tnccs_11 = xtrue)
 AM_CONDITIONAL(USE_TNCCS_20, test x$tnccs_20 = xtrue)
+AM_CONDITIONAL(USE_TNCCS_DYNAMIC, test x$tnccs_dynamic = xtrue)
 AM_CONDITIONAL(USE_SOCKET_DEFAULT, test x$socket_default = xtrue)
 AM_CONDITIONAL(USE_SOCKET_RAW, test x$socket_raw = xtrue)
 AM_CONDITIONAL(USE_SOCKET_DYNAMIC, test x$socket_dynamic = xtrue)
@@ -917,9 +914,12 @@ AM_CONDITIONAL(USE_THREADS, test x$threads = xtrue)
 AM_CONDITIONAL(USE_CHARON, test x$charon = xtrue)
 AM_CONDITIONAL(USE_TOOLS, test x$tools = xtrue)
 AM_CONDITIONAL(USE_SCRIPTS, test x$scripts = xtrue)
-AM_CONDITIONAL(USE_LIBSTRONGSWAN, test x$charon = xtrue -o x$pluto = xtrue -o x$tools = xtrue)
+AM_CONDITIONAL(USE_CONFTEST, test x$conftest = xtrue)
+AM_CONDITIONAL(USE_LIBSTRONGSWAN, test x$charon = xtrue -o x$pluto = xtrue -o x$tools = xtrue -o x$conftest = xtrue)
 AM_CONDITIONAL(USE_LIBHYDRA, test x$charon = xtrue -o x$pluto = xtrue)
+AM_CONDITIONAL(USE_LIBCHARON, test x$charon = xtrue -o x$conftest = xtrue)
 AM_CONDITIONAL(USE_FILE_CONFIG, test x$pluto = xtrue -o x$stroke = xtrue)
+AM_CONDITIONAL(USE_IPSEC_SCRIPT, test x$pluto = xtrue -o x$stroke = xtrue -o x$tools = xtrue -o x$conftest = xtrue)
 AM_CONDITIONAL(USE_LIBCAP, test x$capabilities = xlibcap)
 AM_CONDITIONAL(USE_VSTR, test x$vstr = xtrue)
 AM_CONDITIONAL(USE_SIMAKA, test x$simaka = xtrue)
@@ -965,12 +965,14 @@ AC_OUTPUT(
 	src/libstrongswan/plugins/xcbc/Makefile
 	src/libstrongswan/plugins/x509/Makefile
 	src/libstrongswan/plugins/revocation/Makefile
+	src/libstrongswan/plugins/constraints/Makefile
 	src/libstrongswan/plugins/pubkey/Makefile
 	src/libstrongswan/plugins/pkcs1/Makefile
 	src/libstrongswan/plugins/pgp/Makefile
 	src/libstrongswan/plugins/dnskey/Makefile
 	src/libstrongswan/plugins/pem/Makefile
 	src/libstrongswan/plugins/curl/Makefile
+	src/libstrongswan/plugins/soup/Makefile
 	src/libstrongswan/plugins/ldap/Makefile
 	src/libstrongswan/plugins/mysql/Makefile
 	src/libstrongswan/plugins/sqlite/Makefile
@@ -982,6 +984,7 @@ AC_OUTPUT(
 	src/libstrongswan/plugins/ctr/Makefile
 	src/libstrongswan/plugins/ccm/Makefile
 	src/libstrongswan/plugins/gcm/Makefile
+	src/libstrongswan/plugins/af_alg/Makefile
 	src/libstrongswan/plugins/test_vectors/Makefile
 	src/libhydra/Makefile
 	src/libhydra/plugins/attr/Makefile
@@ -1018,6 +1021,7 @@ AC_OUTPUT(
 	src/libcharon/plugins/tnc_imv/Makefile
 	src/libcharon/plugins/tnccs_11/Makefile
 	src/libcharon/plugins/tnccs_20/Makefile
+	src/libcharon/plugins/tnccs_dynamic/Makefile
 	src/libcharon/plugins/socket_default/Makefile
 	src/libcharon/plugins/socket_raw/Makefile
 	src/libcharon/plugins/socket_dynamic/Makefile
@@ -1053,6 +1057,7 @@ AC_OUTPUT(
 	src/manager/Makefile
 	src/medsrv/Makefile
 	src/checksum/Makefile
+	src/conftest/Makefile
 	scripts/Makefile
 	testing/Makefile
 )
diff --git a/ltmain.sh b/ltmain.sh
old mode 100644
new mode 100755
diff --git a/man/Makefile.in b/man/Makefile.in
index 4388e318b..f0d8cde7d 100644
--- a/man/Makefile.in
+++ b/man/Makefile.in
@@ -198,9 +198,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -239,6 +237,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/man/ipsec.conf.5 b/man/ipsec.conf.5
index b1e60b280..1b74fab08 100644
--- a/man/ipsec.conf.5
+++ b/man/ipsec.conf.5
@@ -1,4 +1,4 @@
-.TH IPSEC.CONF 5 "2010-10-19" "4.5.0rc2" "strongSwan"
+.TH IPSEC.CONF 5 "2010-10-19" "4.5.1" "strongSwan"
 .SH NAME
 ipsec.conf \- IPsec configuration and connections
 .SH DESCRIPTION
@@ -544,8 +544,13 @@ for public key authentication (RSA/ECDSA),
 .B psk
 for pre-shared key authentication and
 .B eap
-to (require the) use of the Extensible Authentication Protocol. In the case
-of
+to (require the) use of the Extensible Authentication Protocol.
+To require a trustchain public key strength for the remote side, specify the
+key type followed by the strength in bits (for example
+.BR rsa-2048
+or
+.BR ecdsa-256 ).
+For
 .B eap,
 an optional EAP method can be appended. Currently defined methods are
 .BR eap-aka ,
@@ -589,7 +594,7 @@ sets
 to the distinguished name of the certificate's subject and
 .B leftca
 to the distinguished name of the certificate's issuer.
-The left participant's ID can be overriden by specifying a
+The left participant's ID can be overridden by specifying a
 .B leftid
 value which must be certified by the certificate, though.
 .TP
@@ -598,6 +603,10 @@ Same as
 .B leftcert,
 but for the second authentication round (IKEv2 only).
 .TP
+.BR leftcertpolicy " = <OIDs>"
+Comma separated list of certificate policy OIDs the peers certificate must have.
+OIDs are specified using the numerical dotted representation (IKEv2 only).
+.TP
 .BR leftfirewall " = yes | " no
 whether the left participant is doing forwarding-firewalling
 (including masquerading) using iptables for traffic from \fIleftsubnet\fR,
@@ -953,6 +962,13 @@ synonym for
 .BR reqid " = <number>"
 sets the reqid for a given connection to a pre-configured fixed value.
 .TP
+.BR tfc " = <value>"
+number of bytes to pad ESP payload data to. Traffic Flow Confidentiality
+is currently supported in IKEv2 and applies to outgoing packets only. The
+special value
+.BR %mtu
+fills up ESP packets with padding to have the size of the MTU.
+.TP
 .BR type " = " tunnel " | transport | transport_proxy | passthrough | drop"
 the type of the connection; currently the accepted values
 are
diff --git a/man/ipsec.conf.5.in b/man/ipsec.conf.5.in
index 187f36957..9a789acef 100644
--- a/man/ipsec.conf.5.in
+++ b/man/ipsec.conf.5.in
@@ -544,8 +544,13 @@ for public key authentication (RSA/ECDSA),
 .B psk
 for pre-shared key authentication and
 .B eap
-to (require the) use of the Extensible Authentication Protocol. In the case
-of
+to (require the) use of the Extensible Authentication Protocol.
+To require a trustchain public key strength for the remote side, specify the
+key type followed by the strength in bits (for example
+.BR rsa-2048
+or
+.BR ecdsa-256 ).
+For
 .B eap,
 an optional EAP method can be appended. Currently defined methods are
 .BR eap-aka ,
@@ -589,7 +594,7 @@ sets
 to the distinguished name of the certificate's subject and
 .B leftca
 to the distinguished name of the certificate's issuer.
-The left participant's ID can be overriden by specifying a
+The left participant's ID can be overridden by specifying a
 .B leftid
 value which must be certified by the certificate, though.
 .TP
@@ -598,6 +603,10 @@ Same as
 .B leftcert,
 but for the second authentication round (IKEv2 only).
 .TP
+.BR leftcertpolicy " = <OIDs>"
+Comma separated list of certificate policy OIDs the peers certificate must have.
+OIDs are specified using the numerical dotted representation (IKEv2 only).
+.TP
 .BR leftfirewall " = yes | " no
 whether the left participant is doing forwarding-firewalling
 (including masquerading) using iptables for traffic from \fIleftsubnet\fR,
@@ -953,6 +962,13 @@ synonym for
 .BR reqid " = <number>"
 sets the reqid for a given connection to a pre-configured fixed value.
 .TP
+.BR tfc " = <value>"
+number of bytes to pad ESP payload data to. Traffic Flow Confidentiality
+is currently supported in IKEv2 and applies to outgoing packets only. The
+special value
+.BR %mtu
+fills up ESP packets with padding to have the size of the MTU.
+.TP
 .BR type " = " tunnel " | transport | transport_proxy | passthrough | drop"
 the type of the connection; currently the accepted values
 are
diff --git a/man/ipsec.secrets.5 b/man/ipsec.secrets.5
index 1e586a491..3eb60afcf 100644
--- a/man/ipsec.secrets.5
+++ b/man/ipsec.secrets.5
@@ -1,4 +1,4 @@
-.TH IPSEC.SECRETS 5 "2010-05-30" "4.5.0rc2" "strongSwan"
+.TH IPSEC.SECRETS 5 "2010-05-30" "4.5.1" "strongSwan"
 .SH NAME
 ipsec.secrets \- secrets for IKE/IPsec authentication
 .SH DESCRIPTION
diff --git a/man/strongswan.conf.5 b/man/strongswan.conf.5
index 2a8703503..2e58a87d0 100644
--- a/man/strongswan.conf.5
+++ b/man/strongswan.conf.5
@@ -1,4 +1,4 @@
-.TH STRONGSWAN.CONF 5 "2010-09-09" "4.5.0rc2" "strongSwan"
+.TH STRONGSWAN.CONF 5 "2010-09-09" "4.5.1" "strongSwan"
 .SH NAME
 strongswan.conf \- strongSwan configuration file
 .SH DESCRIPTION
@@ -60,6 +60,61 @@ An example file in this format might look like this:
 .PP
 Indentation is optional, you may use tabs or spaces.
 
+.SH INCLUDING FILES
+Using the
+.B include
+statement it is possible to include other files into strongswan.conf, e.g.
+.PP
+.EX
+	include /some/path/*.conf
+.EE
+.PP
+If the file name is not an absolute path, it is considered to be relative
+to the directory of the file containing the include statement. The file name
+may include shell wildcards (see
+.IR sh (1)).
+Also, such inclusions can be nested.
+.PP
+Sections loaded from included files
+.I extend
+previously loaded sections; already existing values are
+.IR replaced .
+It is important to note that settings are added relative to the section the
+include statement is in.
+.PP
+As an example, the following three files result in the same final
+config as the one given above:
+.PP
+.EX
+	a = b
+	section-one {
+		somevalue = before include
+		include include.conf
+	}
+	include other.conf
+
+include.conf:
+	# settings loaded from this file are added to section-one
+	# the following replaces the previous value
+	somevalue = asdf
+	subsection {
+		othervalue = yyy
+	}
+	yetanother = zz
+
+other.conf:
+	# this extends section-one and subsection
+	section-one {
+		subsection {
+			# this replaces the previous value
+			othervalue = xxx
+		}
+	}
+	section-two {
+		x = 12
+	}
+.EE
+
 .SH READING VALUES
 Values are accessed using a dot-separated section list and a key.
 With reference to the example above, accessing
@@ -405,6 +460,9 @@ Check daemon, libstrongswan and plugin integrity at startup
 .TP
 .BR libstrongswan.leak_detective.detailed " [yes]"
 Includes source file names and line numbers in leak detective output
+.TP
+.BR libstrongswan.x509.enforce_critical " [yes]"
+Discard certificates with unsupported or unknown critical extensions
 .SS libstrongswan.plugins subsection
 .TP
 .BR libstrongswan.plugins.attr-sql.database
@@ -420,13 +478,8 @@ Use faster random numbers in gcrypt; for testing only, produces weak keys!
 ENGINE ID to use in the OpenSSL plugin
 .TP
 .BR libstrongswan.plugins.pkcs11.modules
-
 .TP
 .BR libstrongswan.plugins.pkcs11.use_hasher " [no]"
-
-.TP
-.BR libstrongswan.plugins.x509.enforce_critical " [no]"
-Discard certificates with unsupported or unknown critical extensions
 .SS libtls section
 .TP
 .BR libtls.cipher
diff --git a/man/strongswan.conf.5.in b/man/strongswan.conf.5.in
index 77db9a3c0..47aa6d552 100644
--- a/man/strongswan.conf.5.in
+++ b/man/strongswan.conf.5.in
@@ -60,6 +60,61 @@ An example file in this format might look like this:
 .PP
 Indentation is optional, you may use tabs or spaces.
 
+.SH INCLUDING FILES
+Using the
+.B include
+statement it is possible to include other files into strongswan.conf, e.g.
+.PP
+.EX
+	include /some/path/*.conf
+.EE
+.PP
+If the file name is not an absolute path, it is considered to be relative
+to the directory of the file containing the include statement. The file name
+may include shell wildcards (see
+.IR sh (1)).
+Also, such inclusions can be nested.
+.PP
+Sections loaded from included files
+.I extend
+previously loaded sections; already existing values are
+.IR replaced .
+It is important to note that settings are added relative to the section the
+include statement is in.
+.PP
+As an example, the following three files result in the same final
+config as the one given above:
+.PP
+.EX
+	a = b
+	section-one {
+		somevalue = before include
+		include include.conf
+	}
+	include other.conf
+
+include.conf:
+	# settings loaded from this file are added to section-one
+	# the following replaces the previous value
+	somevalue = asdf
+	subsection {
+		othervalue = yyy
+	}
+	yetanother = zz
+
+other.conf:
+	# this extends section-one and subsection
+	section-one {
+		subsection {
+			# this replaces the previous value
+			othervalue = xxx
+		}
+	}
+	section-two {
+		x = 12
+	}
+.EE
+
 .SH READING VALUES
 Values are accessed using a dot-separated section list and a key.
 With reference to the example above, accessing
@@ -405,6 +460,9 @@ Check daemon, libstrongswan and plugin integrity at startup
 .TP
 .BR libstrongswan.leak_detective.detailed " [yes]"
 Includes source file names and line numbers in leak detective output
+.TP
+.BR libstrongswan.x509.enforce_critical " [yes]"
+Discard certificates with unsupported or unknown critical extensions
 .SS libstrongswan.plugins subsection
 .TP
 .BR libstrongswan.plugins.attr-sql.database
@@ -420,13 +478,8 @@ Use faster random numbers in gcrypt; for testing only, produces weak keys!
 ENGINE ID to use in the OpenSSL plugin
 .TP
 .BR libstrongswan.plugins.pkcs11.modules
-
 .TP
 .BR libstrongswan.plugins.pkcs11.use_hasher " [no]"
-
-.TP
-.BR libstrongswan.plugins.x509.enforce_critical " [no]"
-Discard certificates with unsupported or unknown critical extensions
 .SS libtls section
 .TP
 .BR libtls.cipher
diff --git a/scripts/Makefile.am b/scripts/Makefile.am
index 827fb7dfb..2cd8b499b 100644
--- a/scripts/Makefile.am
+++ b/scripts/Makefile.am
@@ -2,8 +2,8 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libtls
 AM_CFLAGS = \
 -DPLUGINS="\"${scripts_plugins}\""
 
-noinst_PROGRAMS = bin2array bin2sql id2sql key2keyid keyid2sql \
-	thread_analysis dh_speed pubkey_speed crypt_burn
+noinst_PROGRAMS = bin2array bin2sql id2sql key2keyid keyid2sql oid2der \
+	thread_analysis dh_speed pubkey_speed crypt_burn fetch
 
 if USE_TLS
 	noinst_PROGRAMS += tls_test
@@ -17,16 +17,20 @@ bin2sql_SOURCES = bin2sql.c
 id2sql_SOURCES = id2sql.c
 key2keyid_SOURCES = key2keyid.c
 keyid2sql_SOURCES = keyid2sql.c
+oid2der_SOURCES = oid2der.c
 thread_analysis_SOURCES = thread_analysis.c
 dh_speed_SOURCES = dh_speed.c
 pubkey_speed_SOURCES = pubkey_speed.c
 crypt_burn_SOURCES = crypt_burn.c
+fetch_SOURCES = fetch.c
 id2sql_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 key2keyid_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 keyid2sql_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
+oid2der_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 dh_speed_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -lrt
 pubkey_speed_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -lrt
 crypt_burn_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
+fetch_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 
 key2keyid.o :	$(top_builddir)/config.status
 
diff --git a/scripts/Makefile.in b/scripts/Makefile.in
index e28424350..891555dcd 100644
--- a/scripts/Makefile.in
+++ b/scripts/Makefile.in
@@ -35,8 +35,9 @@ POST_UNINSTALL = :
 build_triplet = @build@
 host_triplet = @host@
 noinst_PROGRAMS = bin2array$(EXEEXT) bin2sql$(EXEEXT) id2sql$(EXEEXT) \
-	key2keyid$(EXEEXT) keyid2sql$(EXEEXT) thread_analysis$(EXEEXT) \
-	dh_speed$(EXEEXT) pubkey_speed$(EXEEXT) crypt_burn$(EXEEXT)
+	key2keyid$(EXEEXT) keyid2sql$(EXEEXT) oid2der$(EXEEXT) \
+	thread_analysis$(EXEEXT) dh_speed$(EXEEXT) \
+	pubkey_speed$(EXEEXT) crypt_burn$(EXEEXT) fetch$(EXEEXT)
 subdir = scripts
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
@@ -69,6 +70,10 @@ am_dh_speed_OBJECTS = dh_speed.$(OBJEXT)
 dh_speed_OBJECTS = $(am_dh_speed_OBJECTS)
 dh_speed_DEPENDENCIES =  \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la
+am_fetch_OBJECTS = fetch.$(OBJEXT)
+fetch_OBJECTS = $(am_fetch_OBJECTS)
+fetch_DEPENDENCIES =  \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la
 am_id2sql_OBJECTS = id2sql.$(OBJEXT)
 id2sql_OBJECTS = $(am_id2sql_OBJECTS)
 id2sql_DEPENDENCIES =  \
@@ -81,6 +86,10 @@ am_keyid2sql_OBJECTS = keyid2sql.$(OBJEXT)
 keyid2sql_OBJECTS = $(am_keyid2sql_OBJECTS)
 keyid2sql_DEPENDENCIES =  \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la
+am_oid2der_OBJECTS = oid2der.$(OBJEXT)
+oid2der_OBJECTS = $(am_oid2der_OBJECTS)
+oid2der_DEPENDENCIES =  \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la
 am_pubkey_speed_OBJECTS = pubkey_speed.$(OBJEXT)
 pubkey_speed_OBJECTS = $(am_pubkey_speed_OBJECTS)
 pubkey_speed_DEPENDENCIES =  \
@@ -102,13 +111,15 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(bin2array_SOURCES) $(bin2sql_SOURCES) \
-	$(crypt_burn_SOURCES) $(dh_speed_SOURCES) $(id2sql_SOURCES) \
-	$(key2keyid_SOURCES) $(keyid2sql_SOURCES) \
-	$(pubkey_speed_SOURCES) $(thread_analysis_SOURCES)
+	$(crypt_burn_SOURCES) $(dh_speed_SOURCES) $(fetch_SOURCES) \
+	$(id2sql_SOURCES) $(key2keyid_SOURCES) $(keyid2sql_SOURCES) \
+	$(oid2der_SOURCES) $(pubkey_speed_SOURCES) \
+	$(thread_analysis_SOURCES)
 DIST_SOURCES = $(bin2array_SOURCES) $(bin2sql_SOURCES) \
-	$(crypt_burn_SOURCES) $(dh_speed_SOURCES) $(id2sql_SOURCES) \
-	$(key2keyid_SOURCES) $(keyid2sql_SOURCES) \
-	$(pubkey_speed_SOURCES) $(thread_analysis_SOURCES)
+	$(crypt_burn_SOURCES) $(dh_speed_SOURCES) $(fetch_SOURCES) \
+	$(id2sql_SOURCES) $(key2keyid_SOURCES) $(keyid2sql_SOURCES) \
+	$(oid2der_SOURCES) $(pubkey_speed_SOURCES) \
+	$(thread_analysis_SOURCES)
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -231,9 +242,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -272,6 +281,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
@@ -291,16 +302,20 @@ bin2sql_SOURCES = bin2sql.c
 id2sql_SOURCES = id2sql.c
 key2keyid_SOURCES = key2keyid.c
 keyid2sql_SOURCES = keyid2sql.c
+oid2der_SOURCES = oid2der.c
 thread_analysis_SOURCES = thread_analysis.c
 dh_speed_SOURCES = dh_speed.c
 pubkey_speed_SOURCES = pubkey_speed.c
 crypt_burn_SOURCES = crypt_burn.c
+fetch_SOURCES = fetch.c
 id2sql_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 key2keyid_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 keyid2sql_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
+oid2der_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 dh_speed_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -lrt
 pubkey_speed_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -lrt
 crypt_burn_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
+fetch_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 all: all-am
 
 .SUFFIXES:
@@ -356,6 +371,9 @@ crypt_burn$(EXEEXT): $(crypt_burn_OBJECTS) $(crypt_burn_DEPENDENCIES)
 dh_speed$(EXEEXT): $(dh_speed_OBJECTS) $(dh_speed_DEPENDENCIES) 
 	@rm -f dh_speed$(EXEEXT)
 	$(LINK) $(dh_speed_OBJECTS) $(dh_speed_LDADD) $(LIBS)
+fetch$(EXEEXT): $(fetch_OBJECTS) $(fetch_DEPENDENCIES) 
+	@rm -f fetch$(EXEEXT)
+	$(LINK) $(fetch_OBJECTS) $(fetch_LDADD) $(LIBS)
 id2sql$(EXEEXT): $(id2sql_OBJECTS) $(id2sql_DEPENDENCIES) 
 	@rm -f id2sql$(EXEEXT)
 	$(LINK) $(id2sql_OBJECTS) $(id2sql_LDADD) $(LIBS)
@@ -365,6 +383,9 @@ key2keyid$(EXEEXT): $(key2keyid_OBJECTS) $(key2keyid_DEPENDENCIES)
 keyid2sql$(EXEEXT): $(keyid2sql_OBJECTS) $(keyid2sql_DEPENDENCIES) 
 	@rm -f keyid2sql$(EXEEXT)
 	$(LINK) $(keyid2sql_OBJECTS) $(keyid2sql_LDADD) $(LIBS)
+oid2der$(EXEEXT): $(oid2der_OBJECTS) $(oid2der_DEPENDENCIES) 
+	@rm -f oid2der$(EXEEXT)
+	$(LINK) $(oid2der_OBJECTS) $(oid2der_LDADD) $(LIBS)
 pubkey_speed$(EXEEXT): $(pubkey_speed_OBJECTS) $(pubkey_speed_DEPENDENCIES) 
 	@rm -f pubkey_speed$(EXEEXT)
 	$(LINK) $(pubkey_speed_OBJECTS) $(pubkey_speed_LDADD) $(LIBS)
@@ -382,9 +403,11 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bin2sql.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/crypt_burn.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/dh_speed.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fetch.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/id2sql.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/key2keyid.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/keyid2sql.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/oid2der.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pubkey_speed.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/thread_analysis.Po@am__quote@
 
diff --git a/scripts/fetch.c b/scripts/fetch.c
new file mode 100644
index 000000000..57abce4ca
--- /dev/null
+++ b/scripts/fetch.c
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <stdio.h>
+#include <unistd.h>
+
+#include <library.h>
+#include <debug.h>
+
+int main(int argc, char *argv[])
+{
+	chunk_t res;
+
+	library_init(NULL);
+	atexit(library_deinit);
+	lib->plugins->load(lib->plugins, NULL, PLUGINS);
+
+	if (argc != 2)
+	{
+		fprintf(stderr, "usage: %s <url>\n", argv[0]);
+	}
+	if (lib->fetcher->fetch(lib->fetcher, argv[1], &res, FETCH_END) == SUCCESS)
+	{
+		ignore_result(write(1, res.ptr, res.len));
+		free(res.ptr);
+		return 0;
+	}
+	return 1;
+}
diff --git a/scripts/oid2der.c b/scripts/oid2der.c
new file mode 100644
index 000000000..0da3bbb62
--- /dev/null
+++ b/scripts/oid2der.c
@@ -0,0 +1,31 @@
+
+#include <stdio.h>
+#include <asn1/asn1.h>
+
+/**
+ * convert string OID to DER encoding
+ */
+int main(int argc, char *argv[])
+{
+	int i, nr = 0;
+	chunk_t oid;
+
+	while (argc > ++nr)
+	{
+		oid = asn1_oid_from_string(argv[nr]);
+		if (oid.len)
+		{
+			for (i = 0; i < oid.len; i++)
+			{
+				printf("0x%02x,", oid.ptr[i]);
+			}
+			printf("\n");
+			free(oid.ptr);
+		}
+		else
+		{
+			return 1;
+		}
+	}
+	return 0;
+}
diff --git a/src/Makefile.am b/src/Makefile.am
index 0edddc9fc..cd75de5e9 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -16,8 +16,16 @@ if USE_TLS
   SUBDIRS += libtls
 endif
 
+if USE_LIBCHARON
+  SUBDIRS += libcharon
+endif
+
 if USE_FILE_CONFIG
-  SUBDIRS += libfreeswan starter ipsec _copyright
+  SUBDIRS += libfreeswan starter
+endif
+
+if USE_IPSEC_SCRIPT
+  SUBDIRS += ipsec _copyright
 endif
 
 if USE_PLUTO
@@ -25,7 +33,7 @@ if USE_PLUTO
 endif
 
 if USE_CHARON
-  SUBDIRS += libcharon charon
+  SUBDIRS += charon
 endif
 
 if USE_STROKE
@@ -40,6 +48,10 @@ if USE_TOOLS
   SUBDIRS += libfreeswan openac scepclient pki
 endif
 
+if USE_CONFTEST
+  SUBDIRS += conftest
+endif
+
 if USE_DUMM
   SUBDIRS += dumm
 endif
@@ -64,4 +76,4 @@ EXTRA_DIST = strongswan.conf
 
 install-exec-local :
 		test -e "$(DESTDIR)${sysconfdir}" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)"
-		test -e "$(DESTDIR)$(sysconfdir)/strongswan.conf" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -m 640 $(srcdir)/strongswan.conf $(DESTDIR)$(sysconfdir)/strongswan.conf || true
+		test -e "$(DESTDIR)$(sysconfdir)/strongswan.conf" || $(INSTALL) -m 640 $(srcdir)/strongswan.conf $(DESTDIR)$(sysconfdir)/strongswan.conf || true
diff --git a/src/Makefile.in b/src/Makefile.in
index cb688d795..63d29b694 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -37,17 +37,20 @@ host_triplet = @host@
 @USE_LIBHYDRA_TRUE@am__append_2 = libhydra
 @USE_SIMAKA_TRUE@am__append_3 = libsimaka
 @USE_TLS_TRUE@am__append_4 = libtls
-@USE_FILE_CONFIG_TRUE@am__append_5 = libfreeswan starter ipsec _copyright
-@USE_PLUTO_TRUE@am__append_6 = pluto whack
-@USE_CHARON_TRUE@am__append_7 = libcharon charon
-@USE_STROKE_TRUE@am__append_8 = stroke
-@USE_UPDOWN_TRUE@am__append_9 = _updown _updown_espmark
-@USE_TOOLS_TRUE@am__append_10 = libfreeswan openac scepclient pki
-@USE_DUMM_TRUE@am__append_11 = dumm
-@USE_FAST_TRUE@am__append_12 = libfast
-@USE_MANAGER_TRUE@am__append_13 = manager
-@USE_MEDSRV_TRUE@am__append_14 = medsrv
-@USE_INTEGRITY_TEST_TRUE@am__append_15 = checksum
+@USE_LIBCHARON_TRUE@am__append_5 = libcharon
+@USE_FILE_CONFIG_TRUE@am__append_6 = libfreeswan starter
+@USE_IPSEC_SCRIPT_TRUE@am__append_7 = ipsec _copyright
+@USE_PLUTO_TRUE@am__append_8 = pluto whack
+@USE_CHARON_TRUE@am__append_9 = charon
+@USE_STROKE_TRUE@am__append_10 = stroke
+@USE_UPDOWN_TRUE@am__append_11 = _updown _updown_espmark
+@USE_TOOLS_TRUE@am__append_12 = libfreeswan openac scepclient pki
+@USE_CONFTEST_TRUE@am__append_13 = conftest
+@USE_DUMM_TRUE@am__append_14 = dumm
+@USE_FAST_TRUE@am__append_15 = libfast
+@USE_MANAGER_TRUE@am__append_16 = manager
+@USE_MEDSRV_TRUE@am__append_17 = medsrv
+@USE_INTEGRITY_TEST_TRUE@am__append_18 = checksum
 subdir = src
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
@@ -82,9 +85,9 @@ AM_RECURSIVE_TARGETS = $(RECURSIVE_TARGETS:-recursive=) \
 ETAGS = etags
 CTAGS = ctags
 DIST_SUBDIRS = . include libstrongswan libhydra libsimaka libtls \
-	libfreeswan starter ipsec _copyright pluto whack libcharon \
+	libcharon libfreeswan starter ipsec _copyright pluto whack \
 	charon stroke _updown _updown_espmark openac scepclient pki \
-	dumm libfast manager medsrv checksum
+	conftest dumm libfast manager medsrv checksum
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 am__relativize = \
   dir0=`pwd`; \
@@ -230,9 +233,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -271,6 +272,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
@@ -285,7 +288,8 @@ SUBDIRS = . include $(am__append_1) $(am__append_2) $(am__append_3) \
 	$(am__append_4) $(am__append_5) $(am__append_6) \
 	$(am__append_7) $(am__append_8) $(am__append_9) \
 	$(am__append_10) $(am__append_11) $(am__append_12) \
-	$(am__append_13) $(am__append_14) $(am__append_15)
+	$(am__append_13) $(am__append_14) $(am__append_15) \
+	$(am__append_16) $(am__append_17) $(am__append_18)
 EXTRA_DIST = strongswan.conf
 all: all-recursive
 
@@ -636,7 +640,7 @@ uninstall-am:
 
 install-exec-local :
 		test -e "$(DESTDIR)${sysconfdir}" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)"
-		test -e "$(DESTDIR)$(sysconfdir)/strongswan.conf" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -m 640 $(srcdir)/strongswan.conf $(DESTDIR)$(sysconfdir)/strongswan.conf || true
+		test -e "$(DESTDIR)$(sysconfdir)/strongswan.conf" || $(INSTALL) -m 640 $(srcdir)/strongswan.conf $(DESTDIR)$(sysconfdir)/strongswan.conf || true
 
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
diff --git a/src/_copyright/Makefile.am b/src/_copyright/Makefile.am
index 33c4ffc23..405e08b3d 100644
--- a/src/_copyright/Makefile.am
+++ b/src/_copyright/Makefile.am
@@ -1,6 +1,5 @@
 ipsec_PROGRAMS = _copyright
 _copyright_SOURCES = _copyright.c
-dist_man8_MANS = _copyright.8
 
 INCLUDES = \
 -I$(top_srcdir)/src/libfreeswan \
diff --git a/src/_copyright/Makefile.in b/src/_copyright/Makefile.in
index 58ebb523c..8d4ef733e 100644
--- a/src/_copyright/Makefile.in
+++ b/src/_copyright/Makefile.in
@@ -36,8 +36,7 @@ build_triplet = @build@
 host_triplet = @host@
 ipsec_PROGRAMS = _copyright$(EXEEXT)
 subdir = src/_copyright
-DIST_COMMON = $(dist_man8_MANS) $(srcdir)/Makefile.am \
-	$(srcdir)/Makefile.in
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/ltoptions.m4 \
@@ -53,7 +52,7 @@ am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 mkinstalldirs = $(install_sh) -d
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
-am__installdirs = "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man8dir)"
+am__installdirs = "$(DESTDIR)$(ipsecdir)"
 PROGRAMS = $(ipsec_PROGRAMS)
 am__copyright_OBJECTS = _copyright.$(OBJEXT)
 _copyright_OBJECTS = $(am__copyright_OBJECTS)
@@ -75,30 +74,6 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(_copyright_SOURCES)
 DIST_SOURCES = $(_copyright_SOURCES)
-am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
-am__vpath_adj = case $$p in \
-    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
-    *) f=$$p;; \
-  esac;
-am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
-am__install_max = 40
-am__nobase_strip_setup = \
-  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
-am__nobase_strip = \
-  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
-am__nobase_list = $(am__nobase_strip_setup); \
-  for p in $$list; do echo "$$p $$p"; done | \
-  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
-  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
-    if (++n[$$2] == $(am__install_max)) \
-      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
-    END { for (dir in files) print dir, files[dir] }'
-am__base_list = \
-  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
-  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
-man8dir = $(mandir)/man8
-NROFF = nroff
-MANS = $(dist_man8_MANS)
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -221,9 +196,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -262,6 +235,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
@@ -273,7 +248,6 @@ urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 _copyright_SOURCES = _copyright.c
-dist_man8_MANS = _copyright.8
 INCLUDES = \
 -I$(top_srcdir)/src/libfreeswan \
 -I$(top_srcdir)/src/libstrongswan
@@ -394,40 +368,6 @@ mostlyclean-libtool:
 
 clean-libtool:
 	-rm -rf .libs _libs
-install-man8: $(dist_man8_MANS)
-	@$(NORMAL_INSTALL)
-	test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)"
-	@list='$(dist_man8_MANS)'; test -n "$(man8dir)" || exit 0; \
-	{ for i in $$list; do echo "$$i"; done; \
-	} | while read p; do \
-	  if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
-	  echo "$$d$$p"; echo "$$p"; \
-	done | \
-	sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \
-	      -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \
-	sed 'N;N;s,\n, ,g' | { \
-	list=; while read file base inst; do \
-	  if test "$$base" = "$$inst"; then list="$$list $$file"; else \
-	    echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \
-	    $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst" || exit $$?; \
-	  fi; \
-	done; \
-	for i in $$list; do echo "$$i"; done | $(am__base_list) | \
-	while read files; do \
-	  test -z "$$files" || { \
-	    echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man8dir)'"; \
-	    $(INSTALL_DATA) $$files "$(DESTDIR)$(man8dir)" || exit $$?; }; \
-	done; }
-
-uninstall-man8:
-	@$(NORMAL_UNINSTALL)
-	@list='$(dist_man8_MANS)'; test -n "$(man8dir)" || exit 0; \
-	files=`{ for i in $$list; do echo "$$i"; done; \
-	} | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \
-	      -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
-	test -z "$$files" || { \
-	  echo " ( cd '$(DESTDIR)$(man8dir)' && rm -f" $$files ")"; \
-	  cd "$(DESTDIR)$(man8dir)" && rm -f $$files; }
 
 ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
@@ -482,19 +422,6 @@ distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
 
 distdir: $(DISTFILES)
-	@list='$(MANS)'; if test -n "$$list"; then \
-	  list=`for p in $$list; do \
-	    if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
-	    if test -f "$$d$$p"; then echo "$$d$$p"; else :; fi; done`; \
-	  if test -n "$$list" && \
-	    grep 'ab help2man is required to generate this page' $$list >/dev/null; then \
-	    echo "error: found man pages containing the \`missing help2man' replacement text:" >&2; \
-	    grep -l 'ab help2man is required to generate this page' $$list | sed 's/^/         /' >&2; \
-	    echo "       to fix them, install help2man, remove and regenerate the man pages;" >&2; \
-	    echo "       typically \`make maintainer-clean' will remove them" >&2; \
-	    exit 1; \
-	  else :; fi; \
-	else :; fi
 	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
 	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
 	list='$(DISTFILES)'; \
@@ -526,9 +453,9 @@ distdir: $(DISTFILES)
 	done
 check-am: all-am
 check: check-am
-all-am: Makefile $(PROGRAMS) $(MANS)
+all-am: Makefile $(PROGRAMS)
 installdirs:
-	for dir in "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man8dir)"; do \
+	for dir in "$(DESTDIR)$(ipsecdir)"; do \
 	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
 	done
 install: install-am
@@ -579,7 +506,7 @@ info: info-am
 
 info-am:
 
-install-data-am: install-ipsecPROGRAMS install-man
+install-data-am: install-ipsecPROGRAMS
 
 install-dvi: install-dvi-am
 
@@ -595,7 +522,7 @@ install-info: install-info-am
 
 install-info-am:
 
-install-man: install-man8
+install-man:
 
 install-pdf: install-pdf-am
 
@@ -625,9 +552,7 @@ ps: ps-am
 
 ps-am:
 
-uninstall-am: uninstall-ipsecPROGRAMS uninstall-man
-
-uninstall-man: uninstall-man8
+uninstall-am: uninstall-ipsecPROGRAMS
 
 .MAKE: install-am install-strip
 
@@ -638,13 +563,12 @@ uninstall-man: uninstall-man8
 	install install-am install-data install-data-am install-dvi \
 	install-dvi-am install-exec install-exec-am install-html \
 	install-html-am install-info install-info-am \
-	install-ipsecPROGRAMS install-man install-man8 install-pdf \
-	install-pdf-am install-ps install-ps-am install-strip \
-	installcheck installcheck-am installdirs maintainer-clean \
+	install-ipsecPROGRAMS install-man install-pdf install-pdf-am \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs maintainer-clean \
 	maintainer-clean-generic mostlyclean mostlyclean-compile \
 	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	tags uninstall uninstall-am uninstall-ipsecPROGRAMS \
-	uninstall-man uninstall-man8
+	tags uninstall uninstall-am uninstall-ipsecPROGRAMS
 
 
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
diff --git a/src/_copyright/_copyright.8 b/src/_copyright/_copyright.8
deleted file mode 100644
index 99386254b..000000000
--- a/src/_copyright/_copyright.8
+++ /dev/null
@@ -1,29 +0,0 @@
-.TH _COPYRIGHT 8 "25 Apr 2002"
-.SH NAME
-ipsec _copyright \- prints FreeSWAN copyright
-.SH DESCRIPTION
-.I _copyright
-outputs the FreeSWAN copyright, and version numbers for "ipsec --copyright"
-.SH "SEE ALSO"
-ipsec(8)
-.SH HISTORY
-Man page written for the Linux FreeS/WAN project
-<http://www.freeswan.org/>
-by Michael Richardson. Program written by Henry Spencer.
-.\"
-.\" $Log: _copyright.8,v $
-.\" Revision 1.1  2004/03/15 20:35:27  as
-.\" added files from freeswan-2.04-x509-1.5.3
-.\"
-.\" Revision 1.2  2002/04/29 22:39:31  mcr
-.\" 	added basic man page for all internal commands.
-.\"
-.\" Revision 1.1  2002/04/26 01:21:43  mcr
-.\" 	while tracking down a missing (not installed) /etc/ipsec.conf,
-.\" 	MCR has decided that it is not okay for each program subdir to have
-.\" 	some subset (determined with -f) of possible files.
-.\" 	Each subdir that defines $PROGRAM, MUST have a PROGRAM.8 file as well as a PROGRAM file.
-.\" 	Optional PROGRAM.5 files have been added to the makefiles.
-.\"
-.\"
-.\"
diff --git a/src/_updown/Makefile.in b/src/_updown/Makefile.in
index 44c058d03..fa33bb570 100644
--- a/src/_updown/Makefile.in
+++ b/src/_updown/Makefile.in
@@ -200,9 +200,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -241,6 +239,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/_updown_espmark/Makefile.in b/src/_updown_espmark/Makefile.in
index db44ee74e..a428db4e2 100644
--- a/src/_updown_espmark/Makefile.in
+++ b/src/_updown_espmark/Makefile.in
@@ -200,9 +200,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -241,6 +239,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/charon/Makefile.in b/src/charon/Makefile.in
index 5a60af3d8..f502b0f25 100644
--- a/src/charon/Makefile.in
+++ b/src/charon/Makefile.in
@@ -199,9 +199,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -240,6 +238,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/charon/charon.c b/src/charon/charon.c
index fd255e919..d1fff5bd9 100644
--- a/src/charon/charon.c
+++ b/src/charon/charon.c
@@ -26,6 +26,8 @@
 #include <pthread.h>
 #include <sys/stat.h>
 #include <sys/types.h>
+#include <syslog.h>
+#include <errno.h>
 #include <unistd.h>
 #include <getopt.h>
 #include <pwd.h>
@@ -42,6 +44,9 @@
 #include <private/android_filesystem_config.h>
 #endif
 
+#ifndef LOG_AUTHPRIV /* not defined on OpenSolaris */
+#define LOG_AUTHPRIV LOG_AUTH
+#endif
 
 /**
  * PID file, in which charon stores its process id
@@ -268,6 +273,134 @@ static void unlink_pidfile()
 	unlink(PID_FILE);
 }
 
+/**
+ * Initialize logging
+ */
+static void initialize_loggers(bool use_stderr, level_t levels[])
+{
+	sys_logger_t *sys_logger;
+	file_logger_t *file_logger;
+	enumerator_t *enumerator;
+	char *facility, *filename;
+	int loggers_defined = 0;
+	debug_t group;
+	level_t  def;
+	bool append, ike_name;
+	FILE *file;
+
+	/* setup sysloggers */
+	enumerator = lib->settings->create_section_enumerator(lib->settings,
+														  "charon.syslog");
+	while (enumerator->enumerate(enumerator, &facility))
+	{
+		loggers_defined++;
+
+		ike_name = lib->settings->get_bool(lib->settings,
+								"charon.syslog.%s.ike_name", FALSE, facility);
+		if (streq(facility, "daemon"))
+		{
+			sys_logger = sys_logger_create(LOG_DAEMON, ike_name);
+		}
+		else if (streq(facility, "auth"))
+		{
+			sys_logger = sys_logger_create(LOG_AUTHPRIV, ike_name);
+		}
+		else
+		{
+			continue;
+		}
+		def = lib->settings->get_int(lib->settings,
+									 "charon.syslog.%s.default", 1, facility);
+		for (group = 0; group < DBG_MAX; group++)
+		{
+			sys_logger->set_level(sys_logger, group,
+				lib->settings->get_int(lib->settings,
+									   "charon.syslog.%s.%N", def,
+									   facility, debug_lower_names, group));
+		}
+		charon->sys_loggers->insert_last(charon->sys_loggers, sys_logger);
+		charon->bus->add_listener(charon->bus, &sys_logger->listener);
+	}
+	enumerator->destroy(enumerator);
+
+	/* and file loggers */
+	enumerator = lib->settings->create_section_enumerator(lib->settings,
+														  "charon.filelog");
+	while (enumerator->enumerate(enumerator, &filename))
+	{
+		loggers_defined++;
+		if (streq(filename, "stderr"))
+		{
+			file = stderr;
+		}
+		else if (streq(filename, "stdout"))
+		{
+			file = stdout;
+		}
+		else
+		{
+			append = lib->settings->get_bool(lib->settings,
+									"charon.filelog.%s.append", TRUE, filename);
+			file = fopen(filename, append ? "a" : "w");
+			if (file == NULL)
+			{
+				DBG1(DBG_DMN, "opening file %s for logging failed: %s",
+					 filename, strerror(errno));
+				continue;
+			}
+			if (lib->settings->get_bool(lib->settings,
+							"charon.filelog.%s.flush_line", FALSE, filename))
+			{
+				setlinebuf(file);
+			}
+		}
+		file_logger = file_logger_create(file,
+						lib->settings->get_str(lib->settings,
+							"charon.filelog.%s.time_format", NULL, filename),
+						lib->settings->get_bool(lib->settings,
+							"charon.filelog.%s.ike_name", FALSE, filename));
+		def = lib->settings->get_int(lib->settings,
+									 "charon.filelog.%s.default", 1, filename);
+		for (group = 0; group < DBG_MAX; group++)
+		{
+			file_logger->set_level(file_logger, group,
+				lib->settings->get_int(lib->settings,
+									   "charon.filelog.%s.%N", def,
+									   filename, debug_lower_names, group));
+		}
+		charon->file_loggers->insert_last(charon->file_loggers, file_logger);
+		charon->bus->add_listener(charon->bus, &file_logger->listener);
+
+	}
+	enumerator->destroy(enumerator);
+
+	/* set up legacy style default loggers provided via command-line */
+	if (!loggers_defined)
+	{
+		/* set up default stdout file_logger */
+		file_logger = file_logger_create(stdout, NULL, FALSE);
+		charon->bus->add_listener(charon->bus, &file_logger->listener);
+		charon->file_loggers->insert_last(charon->file_loggers, file_logger);
+		/* set up default daemon sys_logger */
+		sys_logger = sys_logger_create(LOG_DAEMON, FALSE);
+		charon->bus->add_listener(charon->bus, &sys_logger->listener);
+		charon->sys_loggers->insert_last(charon->sys_loggers, sys_logger);
+		for (group = 0; group < DBG_MAX; group++)
+		{
+			sys_logger->set_level(sys_logger, group, levels[group]);
+			if (use_stderr)
+			{
+				file_logger->set_level(file_logger, group, levels[group]);
+			}
+		}
+
+		/* set up default auth sys_logger */
+		sys_logger = sys_logger_create(LOG_AUTHPRIV, FALSE);
+		charon->bus->add_listener(charon->bus, &sys_logger->listener);
+		charon->sys_loggers->insert_last(charon->sys_loggers, sys_logger);
+		sys_logger->set_level(sys_logger, DBG_ANY, LEVEL_AUDIT);
+	}
+}
 
 /**
  * print command line usage and exit
@@ -395,8 +528,10 @@ int main(int argc, char *argv[])
 		goto deinit;
 	}
 
+	initialize_loggers(!use_syslog, levels);
+
 	/* initialize daemon */
-	if (!charon->initialize(charon, use_syslog, levels))
+	if (!charon->initialize(charon))
 	{
 		DBG1(DBG_DMN, "initialization failed - aborting charon");
 		goto deinit;
diff --git a/src/checksum/Makefile.in b/src/checksum/Makefile.in
index 61bfc1a9d..65aa91422 100644
--- a/src/checksum/Makefile.in
+++ b/src/checksum/Makefile.in
@@ -237,9 +237,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -278,6 +276,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/conftest/Makefile.am b/src/conftest/Makefile.am
new file mode 100644
index 000000000..7eab0df27
--- /dev/null
+++ b/src/conftest/Makefile.am
@@ -0,0 +1,26 @@
+ipsec_PROGRAMS = conftest
+
+AM_CFLAGS = -rdynamic
+
+conftest_SOURCES = conftest.c conftest.h config.c config.h actions.c actions.h \
+	hooks/hook.h hooks/ike_auth_fill.c hooks/unsort_message.c \
+	hooks/add_notify.c hooks/unencrypted_notify.c hooks/ignore_message.c \
+	hooks/add_payload.c hooks/set_critical.c hooks/force_cookie.c \
+	hooks/set_ike_version.c hooks/pretend_auth.c hooks/set_length.c \
+	hooks/log_proposals.c hooks/set_proposal_number.c hooks/log_ke.c \
+	hooks/log_id.c hooks/custom_proposal.c hooks/set_ike_spi.c \
+	hooks/set_ike_request.c hooks/set_reserved.c hooks/set_ike_initiator.c \
+	hooks/log_ts.c hooks/rebuild_auth.c hooks/reset_seq.c
+
+INCLUDES = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+conftest_LDADD = \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la \
+	$(top_builddir)/src/libhydra/libhydra.la \
+	$(top_builddir)/src/libcharon/libcharon.la \
+	-lm $(PTHREADLIB) $(DLLIB)
+
+EXTRA_DIST = README
diff --git a/src/conftest/Makefile.in b/src/conftest/Makefile.in
new file mode 100644
index 000000000..1c07710e0
--- /dev/null
+++ b/src/conftest/Makefile.in
@@ -0,0 +1,954 @@
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+ipsec_PROGRAMS = conftest$(EXEEXT)
+subdir = src/conftest
+DIST_COMMON = README $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__installdirs = "$(DESTDIR)$(ipsecdir)"
+PROGRAMS = $(ipsec_PROGRAMS)
+am_conftest_OBJECTS = conftest.$(OBJEXT) config.$(OBJEXT) \
+	actions.$(OBJEXT) ike_auth_fill.$(OBJEXT) \
+	unsort_message.$(OBJEXT) add_notify.$(OBJEXT) \
+	unencrypted_notify.$(OBJEXT) ignore_message.$(OBJEXT) \
+	add_payload.$(OBJEXT) set_critical.$(OBJEXT) \
+	force_cookie.$(OBJEXT) set_ike_version.$(OBJEXT) \
+	pretend_auth.$(OBJEXT) set_length.$(OBJEXT) \
+	log_proposals.$(OBJEXT) set_proposal_number.$(OBJEXT) \
+	log_ke.$(OBJEXT) log_id.$(OBJEXT) custom_proposal.$(OBJEXT) \
+	set_ike_spi.$(OBJEXT) set_ike_request.$(OBJEXT) \
+	set_reserved.$(OBJEXT) set_ike_initiator.$(OBJEXT) \
+	log_ts.$(OBJEXT) rebuild_auth.$(OBJEXT) reset_seq.$(OBJEXT)
+conftest_OBJECTS = $(am_conftest_OBJECTS)
+am__DEPENDENCIES_1 =
+conftest_DEPENDENCIES =  \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la \
+	$(top_builddir)/src/libhydra/libhydra.la \
+	$(top_builddir)/src/libcharon/libcharon.la \
+	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1)
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(conftest_SOURCES)
+DIST_SOURCES = $(conftest_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+AM_CFLAGS = -rdynamic
+conftest_SOURCES = conftest.c conftest.h config.c config.h actions.c actions.h \
+	hooks/hook.h hooks/ike_auth_fill.c hooks/unsort_message.c \
+	hooks/add_notify.c hooks/unencrypted_notify.c hooks/ignore_message.c \
+	hooks/add_payload.c hooks/set_critical.c hooks/force_cookie.c \
+	hooks/set_ike_version.c hooks/pretend_auth.c hooks/set_length.c \
+	hooks/log_proposals.c hooks/set_proposal_number.c hooks/log_ke.c \
+	hooks/log_id.c hooks/custom_proposal.c hooks/set_ike_spi.c \
+	hooks/set_ike_request.c hooks/set_reserved.c hooks/set_ike_initiator.c \
+	hooks/log_ts.c hooks/rebuild_auth.c hooks/reset_seq.c
+
+INCLUDES = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+conftest_LDADD = \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la \
+	$(top_builddir)/src/libhydra/libhydra.la \
+	$(top_builddir)/src/libcharon/libcharon.la \
+	-lm $(PTHREADLIB) $(DLLIB)
+
+EXTRA_DIST = README
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/conftest/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/conftest/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	test -z "$(ipsecdir)" || $(MKDIR_P) "$(DESTDIR)$(ipsecdir)"
+	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
+	for p in $$list; do echo "$$p $$p"; done | \
+	sed 's/$(EXEEXT)$$//' | \
+	while read p p1; do if test -f $$p || test -f $$p1; \
+	  then echo "$$p"; echo "$$p"; else :; fi; \
+	done | \
+	sed -e 'p;s,.*/,,;n;h' -e 's|.*|.|' \
+	    -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \
+	sed 'N;N;N;s,\n, ,g' | \
+	$(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \
+	  { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \
+	    if ($$2 == $$4) files[d] = files[d] " " $$1; \
+	    else { print "f", $$3 "/" $$4, $$1; } } \
+	  END { for (d in files) print "f", d, files[d] }' | \
+	while read type dir files; do \
+	    if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \
+	    test -z "$$files" || { \
+	    echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(ipsecdir)$$dir'"; \
+	    $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(ipsecdir)$$dir" || exit $$?; \
+	    } \
+	; done
+
+uninstall-ipsecPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
+	files=`for p in $$list; do echo "$$p"; done | \
+	  sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \
+	      -e 's/$$/$(EXEEXT)/' `; \
+	test -n "$$list" || exit 0; \
+	echo " ( cd '$(DESTDIR)$(ipsecdir)' && rm -f" $$files ")"; \
+	cd "$(DESTDIR)$(ipsecdir)" && rm -f $$files
+
+clean-ipsecPROGRAMS:
+	@list='$(ipsec_PROGRAMS)'; test -n "$$list" || exit 0; \
+	echo " rm -f" $$list; \
+	rm -f $$list || exit $$?; \
+	test -n "$(EXEEXT)" || exit 0; \
+	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
+	echo " rm -f" $$list; \
+	rm -f $$list
+conftest$(EXEEXT): $(conftest_OBJECTS) $(conftest_DEPENDENCIES) 
+	@rm -f conftest$(EXEEXT)
+	$(LINK) $(conftest_OBJECTS) $(conftest_LDADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/actions.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/add_notify.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/add_payload.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/config.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/conftest.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/custom_proposal.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/force_cookie.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ignore_message.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_auth_fill.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/log_id.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/log_ke.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/log_proposals.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/log_ts.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pretend_auth.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rebuild_auth.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/reset_seq.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/set_critical.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/set_ike_initiator.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/set_ike_request.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/set_ike_spi.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/set_ike_version.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/set_length.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/set_proposal_number.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/set_reserved.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/unencrypted_notify.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/unsort_message.Po@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+ike_auth_fill.o: hooks/ike_auth_fill.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_auth_fill.o -MD -MP -MF $(DEPDIR)/ike_auth_fill.Tpo -c -o ike_auth_fill.o `test -f 'hooks/ike_auth_fill.c' || echo '$(srcdir)/'`hooks/ike_auth_fill.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_auth_fill.Tpo $(DEPDIR)/ike_auth_fill.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/ike_auth_fill.c' object='ike_auth_fill.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_auth_fill.o `test -f 'hooks/ike_auth_fill.c' || echo '$(srcdir)/'`hooks/ike_auth_fill.c
+
+ike_auth_fill.obj: hooks/ike_auth_fill.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_auth_fill.obj -MD -MP -MF $(DEPDIR)/ike_auth_fill.Tpo -c -o ike_auth_fill.obj `if test -f 'hooks/ike_auth_fill.c'; then $(CYGPATH_W) 'hooks/ike_auth_fill.c'; else $(CYGPATH_W) '$(srcdir)/hooks/ike_auth_fill.c'; fi`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_auth_fill.Tpo $(DEPDIR)/ike_auth_fill.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/ike_auth_fill.c' object='ike_auth_fill.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_auth_fill.obj `if test -f 'hooks/ike_auth_fill.c'; then $(CYGPATH_W) 'hooks/ike_auth_fill.c'; else $(CYGPATH_W) '$(srcdir)/hooks/ike_auth_fill.c'; fi`
+
+unsort_message.o: hooks/unsort_message.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT unsort_message.o -MD -MP -MF $(DEPDIR)/unsort_message.Tpo -c -o unsort_message.o `test -f 'hooks/unsort_message.c' || echo '$(srcdir)/'`hooks/unsort_message.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/unsort_message.Tpo $(DEPDIR)/unsort_message.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/unsort_message.c' object='unsort_message.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o unsort_message.o `test -f 'hooks/unsort_message.c' || echo '$(srcdir)/'`hooks/unsort_message.c
+
+unsort_message.obj: hooks/unsort_message.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT unsort_message.obj -MD -MP -MF $(DEPDIR)/unsort_message.Tpo -c -o unsort_message.obj `if test -f 'hooks/unsort_message.c'; then $(CYGPATH_W) 'hooks/unsort_message.c'; else $(CYGPATH_W) '$(srcdir)/hooks/unsort_message.c'; fi`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/unsort_message.Tpo $(DEPDIR)/unsort_message.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/unsort_message.c' object='unsort_message.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o unsort_message.obj `if test -f 'hooks/unsort_message.c'; then $(CYGPATH_W) 'hooks/unsort_message.c'; else $(CYGPATH_W) '$(srcdir)/hooks/unsort_message.c'; fi`
+
+add_notify.o: hooks/add_notify.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT add_notify.o -MD -MP -MF $(DEPDIR)/add_notify.Tpo -c -o add_notify.o `test -f 'hooks/add_notify.c' || echo '$(srcdir)/'`hooks/add_notify.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/add_notify.Tpo $(DEPDIR)/add_notify.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/add_notify.c' object='add_notify.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o add_notify.o `test -f 'hooks/add_notify.c' || echo '$(srcdir)/'`hooks/add_notify.c
+
+add_notify.obj: hooks/add_notify.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT add_notify.obj -MD -MP -MF $(DEPDIR)/add_notify.Tpo -c -o add_notify.obj `if test -f 'hooks/add_notify.c'; then $(CYGPATH_W) 'hooks/add_notify.c'; else $(CYGPATH_W) '$(srcdir)/hooks/add_notify.c'; fi`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/add_notify.Tpo $(DEPDIR)/add_notify.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/add_notify.c' object='add_notify.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o add_notify.obj `if test -f 'hooks/add_notify.c'; then $(CYGPATH_W) 'hooks/add_notify.c'; else $(CYGPATH_W) '$(srcdir)/hooks/add_notify.c'; fi`
+
+unencrypted_notify.o: hooks/unencrypted_notify.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT unencrypted_notify.o -MD -MP -MF $(DEPDIR)/unencrypted_notify.Tpo -c -o unencrypted_notify.o `test -f 'hooks/unencrypted_notify.c' || echo '$(srcdir)/'`hooks/unencrypted_notify.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/unencrypted_notify.Tpo $(DEPDIR)/unencrypted_notify.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/unencrypted_notify.c' object='unencrypted_notify.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o unencrypted_notify.o `test -f 'hooks/unencrypted_notify.c' || echo '$(srcdir)/'`hooks/unencrypted_notify.c
+
+unencrypted_notify.obj: hooks/unencrypted_notify.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT unencrypted_notify.obj -MD -MP -MF $(DEPDIR)/unencrypted_notify.Tpo -c -o unencrypted_notify.obj `if test -f 'hooks/unencrypted_notify.c'; then $(CYGPATH_W) 'hooks/unencrypted_notify.c'; else $(CYGPATH_W) '$(srcdir)/hooks/unencrypted_notify.c'; fi`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/unencrypted_notify.Tpo $(DEPDIR)/unencrypted_notify.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/unencrypted_notify.c' object='unencrypted_notify.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o unencrypted_notify.obj `if test -f 'hooks/unencrypted_notify.c'; then $(CYGPATH_W) 'hooks/unencrypted_notify.c'; else $(CYGPATH_W) '$(srcdir)/hooks/unencrypted_notify.c'; fi`
+
+ignore_message.o: hooks/ignore_message.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ignore_message.o -MD -MP -MF $(DEPDIR)/ignore_message.Tpo -c -o ignore_message.o `test -f 'hooks/ignore_message.c' || echo '$(srcdir)/'`hooks/ignore_message.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ignore_message.Tpo $(DEPDIR)/ignore_message.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/ignore_message.c' object='ignore_message.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ignore_message.o `test -f 'hooks/ignore_message.c' || echo '$(srcdir)/'`hooks/ignore_message.c
+
+ignore_message.obj: hooks/ignore_message.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ignore_message.obj -MD -MP -MF $(DEPDIR)/ignore_message.Tpo -c -o ignore_message.obj `if test -f 'hooks/ignore_message.c'; then $(CYGPATH_W) 'hooks/ignore_message.c'; else $(CYGPATH_W) '$(srcdir)/hooks/ignore_message.c'; fi`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ignore_message.Tpo $(DEPDIR)/ignore_message.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/ignore_message.c' object='ignore_message.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ignore_message.obj `if test -f 'hooks/ignore_message.c'; then $(CYGPATH_W) 'hooks/ignore_message.c'; else $(CYGPATH_W) '$(srcdir)/hooks/ignore_message.c'; fi`
+
+add_payload.o: hooks/add_payload.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT add_payload.o -MD -MP -MF $(DEPDIR)/add_payload.Tpo -c -o add_payload.o `test -f 'hooks/add_payload.c' || echo '$(srcdir)/'`hooks/add_payload.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/add_payload.Tpo $(DEPDIR)/add_payload.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/add_payload.c' object='add_payload.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o add_payload.o `test -f 'hooks/add_payload.c' || echo '$(srcdir)/'`hooks/add_payload.c
+
+add_payload.obj: hooks/add_payload.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT add_payload.obj -MD -MP -MF $(DEPDIR)/add_payload.Tpo -c -o add_payload.obj `if test -f 'hooks/add_payload.c'; then $(CYGPATH_W) 'hooks/add_payload.c'; else $(CYGPATH_W) '$(srcdir)/hooks/add_payload.c'; fi`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/add_payload.Tpo $(DEPDIR)/add_payload.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/add_payload.c' object='add_payload.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o add_payload.obj `if test -f 'hooks/add_payload.c'; then $(CYGPATH_W) 'hooks/add_payload.c'; else $(CYGPATH_W) '$(srcdir)/hooks/add_payload.c'; fi`
+
+set_critical.o: hooks/set_critical.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_critical.o -MD -MP -MF $(DEPDIR)/set_critical.Tpo -c -o set_critical.o `test -f 'hooks/set_critical.c' || echo '$(srcdir)/'`hooks/set_critical.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/set_critical.Tpo $(DEPDIR)/set_critical.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/set_critical.c' object='set_critical.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_critical.o `test -f 'hooks/set_critical.c' || echo '$(srcdir)/'`hooks/set_critical.c
+
+set_critical.obj: hooks/set_critical.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_critical.obj -MD -MP -MF $(DEPDIR)/set_critical.Tpo -c -o set_critical.obj `if test -f 'hooks/set_critical.c'; then $(CYGPATH_W) 'hooks/set_critical.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_critical.c'; fi`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/set_critical.Tpo $(DEPDIR)/set_critical.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/set_critical.c' object='set_critical.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_critical.obj `if test -f 'hooks/set_critical.c'; then $(CYGPATH_W) 'hooks/set_critical.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_critical.c'; fi`
+
+force_cookie.o: hooks/force_cookie.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT force_cookie.o -MD -MP -MF $(DEPDIR)/force_cookie.Tpo -c -o force_cookie.o `test -f 'hooks/force_cookie.c' || echo '$(srcdir)/'`hooks/force_cookie.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/force_cookie.Tpo $(DEPDIR)/force_cookie.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/force_cookie.c' object='force_cookie.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o force_cookie.o `test -f 'hooks/force_cookie.c' || echo '$(srcdir)/'`hooks/force_cookie.c
+
+force_cookie.obj: hooks/force_cookie.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT force_cookie.obj -MD -MP -MF $(DEPDIR)/force_cookie.Tpo -c -o force_cookie.obj `if test -f 'hooks/force_cookie.c'; then $(CYGPATH_W) 'hooks/force_cookie.c'; else $(CYGPATH_W) '$(srcdir)/hooks/force_cookie.c'; fi`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/force_cookie.Tpo $(DEPDIR)/force_cookie.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/force_cookie.c' object='force_cookie.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o force_cookie.obj `if test -f 'hooks/force_cookie.c'; then $(CYGPATH_W) 'hooks/force_cookie.c'; else $(CYGPATH_W) '$(srcdir)/hooks/force_cookie.c'; fi`
+
+set_ike_version.o: hooks/set_ike_version.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_ike_version.o -MD -MP -MF $(DEPDIR)/set_ike_version.Tpo -c -o set_ike_version.o `test -f 'hooks/set_ike_version.c' || echo '$(srcdir)/'`hooks/set_ike_version.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/set_ike_version.Tpo $(DEPDIR)/set_ike_version.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/set_ike_version.c' object='set_ike_version.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_ike_version.o `test -f 'hooks/set_ike_version.c' || echo '$(srcdir)/'`hooks/set_ike_version.c
+
+set_ike_version.obj: hooks/set_ike_version.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_ike_version.obj -MD -MP -MF $(DEPDIR)/set_ike_version.Tpo -c -o set_ike_version.obj `if test -f 'hooks/set_ike_version.c'; then $(CYGPATH_W) 'hooks/set_ike_version.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_ike_version.c'; fi`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/set_ike_version.Tpo $(DEPDIR)/set_ike_version.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/set_ike_version.c' object='set_ike_version.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_ike_version.obj `if test -f 'hooks/set_ike_version.c'; then $(CYGPATH_W) 'hooks/set_ike_version.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_ike_version.c'; fi`
+
+pretend_auth.o: hooks/pretend_auth.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pretend_auth.o -MD -MP -MF $(DEPDIR)/pretend_auth.Tpo -c -o pretend_auth.o `test -f 'hooks/pretend_auth.c' || echo '$(srcdir)/'`hooks/pretend_auth.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/pretend_auth.Tpo $(DEPDIR)/pretend_auth.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/pretend_auth.c' object='pretend_auth.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pretend_auth.o `test -f 'hooks/pretend_auth.c' || echo '$(srcdir)/'`hooks/pretend_auth.c
+
+pretend_auth.obj: hooks/pretend_auth.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pretend_auth.obj -MD -MP -MF $(DEPDIR)/pretend_auth.Tpo -c -o pretend_auth.obj `if test -f 'hooks/pretend_auth.c'; then $(CYGPATH_W) 'hooks/pretend_auth.c'; else $(CYGPATH_W) '$(srcdir)/hooks/pretend_auth.c'; fi`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/pretend_auth.Tpo $(DEPDIR)/pretend_auth.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/pretend_auth.c' object='pretend_auth.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pretend_auth.obj `if test -f 'hooks/pretend_auth.c'; then $(CYGPATH_W) 'hooks/pretend_auth.c'; else $(CYGPATH_W) '$(srcdir)/hooks/pretend_auth.c'; fi`
+
+set_length.o: hooks/set_length.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_length.o -MD -MP -MF $(DEPDIR)/set_length.Tpo -c -o set_length.o `test -f 'hooks/set_length.c' || echo '$(srcdir)/'`hooks/set_length.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/set_length.Tpo $(DEPDIR)/set_length.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/set_length.c' object='set_length.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_length.o `test -f 'hooks/set_length.c' || echo '$(srcdir)/'`hooks/set_length.c
+
+set_length.obj: hooks/set_length.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_length.obj -MD -MP -MF $(DEPDIR)/set_length.Tpo -c -o set_length.obj `if test -f 'hooks/set_length.c'; then $(CYGPATH_W) 'hooks/set_length.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_length.c'; fi`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/set_length.Tpo $(DEPDIR)/set_length.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/set_length.c' object='set_length.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_length.obj `if test -f 'hooks/set_length.c'; then $(CYGPATH_W) 'hooks/set_length.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_length.c'; fi`
+
+log_proposals.o: hooks/log_proposals.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT log_proposals.o -MD -MP -MF $(DEPDIR)/log_proposals.Tpo -c -o log_proposals.o `test -f 'hooks/log_proposals.c' || echo '$(srcdir)/'`hooks/log_proposals.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/log_proposals.Tpo $(DEPDIR)/log_proposals.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/log_proposals.c' object='log_proposals.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o log_proposals.o `test -f 'hooks/log_proposals.c' || echo '$(srcdir)/'`hooks/log_proposals.c
+
+log_proposals.obj: hooks/log_proposals.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT log_proposals.obj -MD -MP -MF $(DEPDIR)/log_proposals.Tpo -c -o log_proposals.obj `if test -f 'hooks/log_proposals.c'; then $(CYGPATH_W) 'hooks/log_proposals.c'; else $(CYGPATH_W) '$(srcdir)/hooks/log_proposals.c'; fi`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/log_proposals.Tpo $(DEPDIR)/log_proposals.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/log_proposals.c' object='log_proposals.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o log_proposals.obj `if test -f 'hooks/log_proposals.c'; then $(CYGPATH_W) 'hooks/log_proposals.c'; else $(CYGPATH_W) '$(srcdir)/hooks/log_proposals.c'; fi`
+
+set_proposal_number.o: hooks/set_proposal_number.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_proposal_number.o -MD -MP -MF $(DEPDIR)/set_proposal_number.Tpo -c -o set_proposal_number.o `test -f 'hooks/set_proposal_number.c' || echo '$(srcdir)/'`hooks/set_proposal_number.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/set_proposal_number.Tpo $(DEPDIR)/set_proposal_number.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/set_proposal_number.c' object='set_proposal_number.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_proposal_number.o `test -f 'hooks/set_proposal_number.c' || echo '$(srcdir)/'`hooks/set_proposal_number.c
+
+set_proposal_number.obj: hooks/set_proposal_number.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_proposal_number.obj -MD -MP -MF $(DEPDIR)/set_proposal_number.Tpo -c -o set_proposal_number.obj `if test -f 'hooks/set_proposal_number.c'; then $(CYGPATH_W) 'hooks/set_proposal_number.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_proposal_number.c'; fi`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/set_proposal_number.Tpo $(DEPDIR)/set_proposal_number.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/set_proposal_number.c' object='set_proposal_number.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_proposal_number.obj `if test -f 'hooks/set_proposal_number.c'; then $(CYGPATH_W) 'hooks/set_proposal_number.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_proposal_number.c'; fi`
+
+log_ke.o: hooks/log_ke.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT log_ke.o -MD -MP -MF $(DEPDIR)/log_ke.Tpo -c -o log_ke.o `test -f 'hooks/log_ke.c' || echo '$(srcdir)/'`hooks/log_ke.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/log_ke.Tpo $(DEPDIR)/log_ke.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/log_ke.c' object='log_ke.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o log_ke.o `test -f 'hooks/log_ke.c' || echo '$(srcdir)/'`hooks/log_ke.c
+
+log_ke.obj: hooks/log_ke.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT log_ke.obj -MD -MP -MF $(DEPDIR)/log_ke.Tpo -c -o log_ke.obj `if test -f 'hooks/log_ke.c'; then $(CYGPATH_W) 'hooks/log_ke.c'; else $(CYGPATH_W) '$(srcdir)/hooks/log_ke.c'; fi`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/log_ke.Tpo $(DEPDIR)/log_ke.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/log_ke.c' object='log_ke.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o log_ke.obj `if test -f 'hooks/log_ke.c'; then $(CYGPATH_W) 'hooks/log_ke.c'; else $(CYGPATH_W) '$(srcdir)/hooks/log_ke.c'; fi`
+
+log_id.o: hooks/log_id.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT log_id.o -MD -MP -MF $(DEPDIR)/log_id.Tpo -c -o log_id.o `test -f 'hooks/log_id.c' || echo '$(srcdir)/'`hooks/log_id.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/log_id.Tpo $(DEPDIR)/log_id.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/log_id.c' object='log_id.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o log_id.o `test -f 'hooks/log_id.c' || echo '$(srcdir)/'`hooks/log_id.c
+
+log_id.obj: hooks/log_id.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT log_id.obj -MD -MP -MF $(DEPDIR)/log_id.Tpo -c -o log_id.obj `if test -f 'hooks/log_id.c'; then $(CYGPATH_W) 'hooks/log_id.c'; else $(CYGPATH_W) '$(srcdir)/hooks/log_id.c'; fi`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/log_id.Tpo $(DEPDIR)/log_id.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/log_id.c' object='log_id.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o log_id.obj `if test -f 'hooks/log_id.c'; then $(CYGPATH_W) 'hooks/log_id.c'; else $(CYGPATH_W) '$(srcdir)/hooks/log_id.c'; fi`
+
+custom_proposal.o: hooks/custom_proposal.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT custom_proposal.o -MD -MP -MF $(DEPDIR)/custom_proposal.Tpo -c -o custom_proposal.o `test -f 'hooks/custom_proposal.c' || echo '$(srcdir)/'`hooks/custom_proposal.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/custom_proposal.Tpo $(DEPDIR)/custom_proposal.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/custom_proposal.c' object='custom_proposal.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o custom_proposal.o `test -f 'hooks/custom_proposal.c' || echo '$(srcdir)/'`hooks/custom_proposal.c
+
+custom_proposal.obj: hooks/custom_proposal.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT custom_proposal.obj -MD -MP -MF $(DEPDIR)/custom_proposal.Tpo -c -o custom_proposal.obj `if test -f 'hooks/custom_proposal.c'; then $(CYGPATH_W) 'hooks/custom_proposal.c'; else $(CYGPATH_W) '$(srcdir)/hooks/custom_proposal.c'; fi`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/custom_proposal.Tpo $(DEPDIR)/custom_proposal.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/custom_proposal.c' object='custom_proposal.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o custom_proposal.obj `if test -f 'hooks/custom_proposal.c'; then $(CYGPATH_W) 'hooks/custom_proposal.c'; else $(CYGPATH_W) '$(srcdir)/hooks/custom_proposal.c'; fi`
+
+set_ike_spi.o: hooks/set_ike_spi.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_ike_spi.o -MD -MP -MF $(DEPDIR)/set_ike_spi.Tpo -c -o set_ike_spi.o `test -f 'hooks/set_ike_spi.c' || echo '$(srcdir)/'`hooks/set_ike_spi.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/set_ike_spi.Tpo $(DEPDIR)/set_ike_spi.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/set_ike_spi.c' object='set_ike_spi.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_ike_spi.o `test -f 'hooks/set_ike_spi.c' || echo '$(srcdir)/'`hooks/set_ike_spi.c
+
+set_ike_spi.obj: hooks/set_ike_spi.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_ike_spi.obj -MD -MP -MF $(DEPDIR)/set_ike_spi.Tpo -c -o set_ike_spi.obj `if test -f 'hooks/set_ike_spi.c'; then $(CYGPATH_W) 'hooks/set_ike_spi.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_ike_spi.c'; fi`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/set_ike_spi.Tpo $(DEPDIR)/set_ike_spi.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/set_ike_spi.c' object='set_ike_spi.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_ike_spi.obj `if test -f 'hooks/set_ike_spi.c'; then $(CYGPATH_W) 'hooks/set_ike_spi.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_ike_spi.c'; fi`
+
+set_ike_request.o: hooks/set_ike_request.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_ike_request.o -MD -MP -MF $(DEPDIR)/set_ike_request.Tpo -c -o set_ike_request.o `test -f 'hooks/set_ike_request.c' || echo '$(srcdir)/'`hooks/set_ike_request.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/set_ike_request.Tpo $(DEPDIR)/set_ike_request.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/set_ike_request.c' object='set_ike_request.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_ike_request.o `test -f 'hooks/set_ike_request.c' || echo '$(srcdir)/'`hooks/set_ike_request.c
+
+set_ike_request.obj: hooks/set_ike_request.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_ike_request.obj -MD -MP -MF $(DEPDIR)/set_ike_request.Tpo -c -o set_ike_request.obj `if test -f 'hooks/set_ike_request.c'; then $(CYGPATH_W) 'hooks/set_ike_request.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_ike_request.c'; fi`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/set_ike_request.Tpo $(DEPDIR)/set_ike_request.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/set_ike_request.c' object='set_ike_request.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_ike_request.obj `if test -f 'hooks/set_ike_request.c'; then $(CYGPATH_W) 'hooks/set_ike_request.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_ike_request.c'; fi`
+
+set_reserved.o: hooks/set_reserved.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_reserved.o -MD -MP -MF $(DEPDIR)/set_reserved.Tpo -c -o set_reserved.o `test -f 'hooks/set_reserved.c' || echo '$(srcdir)/'`hooks/set_reserved.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/set_reserved.Tpo $(DEPDIR)/set_reserved.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/set_reserved.c' object='set_reserved.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_reserved.o `test -f 'hooks/set_reserved.c' || echo '$(srcdir)/'`hooks/set_reserved.c
+
+set_reserved.obj: hooks/set_reserved.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_reserved.obj -MD -MP -MF $(DEPDIR)/set_reserved.Tpo -c -o set_reserved.obj `if test -f 'hooks/set_reserved.c'; then $(CYGPATH_W) 'hooks/set_reserved.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_reserved.c'; fi`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/set_reserved.Tpo $(DEPDIR)/set_reserved.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/set_reserved.c' object='set_reserved.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_reserved.obj `if test -f 'hooks/set_reserved.c'; then $(CYGPATH_W) 'hooks/set_reserved.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_reserved.c'; fi`
+
+set_ike_initiator.o: hooks/set_ike_initiator.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_ike_initiator.o -MD -MP -MF $(DEPDIR)/set_ike_initiator.Tpo -c -o set_ike_initiator.o `test -f 'hooks/set_ike_initiator.c' || echo '$(srcdir)/'`hooks/set_ike_initiator.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/set_ike_initiator.Tpo $(DEPDIR)/set_ike_initiator.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/set_ike_initiator.c' object='set_ike_initiator.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_ike_initiator.o `test -f 'hooks/set_ike_initiator.c' || echo '$(srcdir)/'`hooks/set_ike_initiator.c
+
+set_ike_initiator.obj: hooks/set_ike_initiator.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_ike_initiator.obj -MD -MP -MF $(DEPDIR)/set_ike_initiator.Tpo -c -o set_ike_initiator.obj `if test -f 'hooks/set_ike_initiator.c'; then $(CYGPATH_W) 'hooks/set_ike_initiator.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_ike_initiator.c'; fi`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/set_ike_initiator.Tpo $(DEPDIR)/set_ike_initiator.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/set_ike_initiator.c' object='set_ike_initiator.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_ike_initiator.obj `if test -f 'hooks/set_ike_initiator.c'; then $(CYGPATH_W) 'hooks/set_ike_initiator.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_ike_initiator.c'; fi`
+
+log_ts.o: hooks/log_ts.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT log_ts.o -MD -MP -MF $(DEPDIR)/log_ts.Tpo -c -o log_ts.o `test -f 'hooks/log_ts.c' || echo '$(srcdir)/'`hooks/log_ts.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/log_ts.Tpo $(DEPDIR)/log_ts.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/log_ts.c' object='log_ts.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o log_ts.o `test -f 'hooks/log_ts.c' || echo '$(srcdir)/'`hooks/log_ts.c
+
+log_ts.obj: hooks/log_ts.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT log_ts.obj -MD -MP -MF $(DEPDIR)/log_ts.Tpo -c -o log_ts.obj `if test -f 'hooks/log_ts.c'; then $(CYGPATH_W) 'hooks/log_ts.c'; else $(CYGPATH_W) '$(srcdir)/hooks/log_ts.c'; fi`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/log_ts.Tpo $(DEPDIR)/log_ts.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/log_ts.c' object='log_ts.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o log_ts.obj `if test -f 'hooks/log_ts.c'; then $(CYGPATH_W) 'hooks/log_ts.c'; else $(CYGPATH_W) '$(srcdir)/hooks/log_ts.c'; fi`
+
+rebuild_auth.o: hooks/rebuild_auth.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rebuild_auth.o -MD -MP -MF $(DEPDIR)/rebuild_auth.Tpo -c -o rebuild_auth.o `test -f 'hooks/rebuild_auth.c' || echo '$(srcdir)/'`hooks/rebuild_auth.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/rebuild_auth.Tpo $(DEPDIR)/rebuild_auth.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/rebuild_auth.c' object='rebuild_auth.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rebuild_auth.o `test -f 'hooks/rebuild_auth.c' || echo '$(srcdir)/'`hooks/rebuild_auth.c
+
+rebuild_auth.obj: hooks/rebuild_auth.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rebuild_auth.obj -MD -MP -MF $(DEPDIR)/rebuild_auth.Tpo -c -o rebuild_auth.obj `if test -f 'hooks/rebuild_auth.c'; then $(CYGPATH_W) 'hooks/rebuild_auth.c'; else $(CYGPATH_W) '$(srcdir)/hooks/rebuild_auth.c'; fi`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/rebuild_auth.Tpo $(DEPDIR)/rebuild_auth.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/rebuild_auth.c' object='rebuild_auth.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rebuild_auth.obj `if test -f 'hooks/rebuild_auth.c'; then $(CYGPATH_W) 'hooks/rebuild_auth.c'; else $(CYGPATH_W) '$(srcdir)/hooks/rebuild_auth.c'; fi`
+
+reset_seq.o: hooks/reset_seq.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT reset_seq.o -MD -MP -MF $(DEPDIR)/reset_seq.Tpo -c -o reset_seq.o `test -f 'hooks/reset_seq.c' || echo '$(srcdir)/'`hooks/reset_seq.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/reset_seq.Tpo $(DEPDIR)/reset_seq.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/reset_seq.c' object='reset_seq.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o reset_seq.o `test -f 'hooks/reset_seq.c' || echo '$(srcdir)/'`hooks/reset_seq.c
+
+reset_seq.obj: hooks/reset_seq.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT reset_seq.obj -MD -MP -MF $(DEPDIR)/reset_seq.Tpo -c -o reset_seq.obj `if test -f 'hooks/reset_seq.c'; then $(CYGPATH_W) 'hooks/reset_seq.c'; else $(CYGPATH_W) '$(srcdir)/hooks/reset_seq.c'; fi`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/reset_seq.Tpo $(DEPDIR)/reset_seq.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/reset_seq.c' object='reset_seq.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o reset_seq.obj `if test -f 'hooks/reset_seq.c'; then $(CYGPATH_W) 'hooks/reset_seq.c'; else $(CYGPATH_W) '$(srcdir)/hooks/reset_seq.c'; fi`
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(PROGRAMS)
+installdirs:
+	for dir in "$(DESTDIR)$(ipsecdir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-ipsecPROGRAMS clean-libtool \
+	mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-ipsecPROGRAMS
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-ipsecPROGRAMS
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-ipsecPROGRAMS clean-libtool ctags distclean \
+	distclean-compile distclean-generic distclean-libtool \
+	distclean-tags distdir dvi dvi-am html html-am info info-am \
+	install install-am install-data install-data-am install-dvi \
+	install-dvi-am install-exec install-exec-am install-html \
+	install-html-am install-info install-info-am \
+	install-ipsecPROGRAMS install-man install-pdf install-pdf-am \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags uninstall uninstall-am uninstall-ipsecPROGRAMS
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/conftest/README b/src/conftest/README
new file mode 100644
index 000000000..e2156921f
--- /dev/null
+++ b/src/conftest/README
@@ -0,0 +1,315 @@
+
+
+             conftest - an IKEv2 conformance testing framework
+             =================================================
+
+
+1. Introduction
+---------------
+
+conftest is a conformance testing framework for IKEv2 and related protocols,
+based on the strongSwan IKEv2 daemon charon. It uses a specialized configuration
+and control front-end, but links against the mainstream strongSwan IKEv2 stack.
+
+The conftest framework can test other implementations of IKEv2 and related
+standards. It can inject or mangle packets to test the behavior of other
+implementations under certain conditions.
+
+2. Test suites
+--------------
+
+The framework can use different sets of conformance tests, called test suites.
+Each test suite contains a global suite configuration file, usually named
+suite.conf. It contains the global settings for all tests in this suite, mostly
+credentials and connection definitions.
+
+A test suite consists of several test cases. Each test has its own configuration
+file, often called test.conf. The test configuration file may contain test
+specific credentials and connection definitions, but primarily defines actions
+and hooks. Actions trigger certain protocol specific operations, such as
+initiating or terminating a tunnel. Hooks are used to change the behavior of
+the IKE stack, most likely to stress some factors of the IKE protocol and
+provoke unintended behavior in the tested platform.
+
+3. Configuration syntax
+-----------------------
+
+Both the suite and the test specific configuration file use the same syntax.
+It is the same as used by the strongswan.conf file used to configure the
+strongSwan software suite.
+
+The syntax is as follows:
+
+ settings := (section|keyvalue)*
+ section  := name { settings }
+ keyvalue := key = value\n
+
+Settings contain zero or more sub-sections or key/value pairs. A section
+consists of a name, followed by curly open and close brackets. The value in the
+key/value pair starts after the equal sign and is terminated by the end of the
+line.
+
+The test specific configuration is merged to the suite configuration, resulting
+in a unified configuration. Sections are merged, keys in the test configuration
+overwrite existing identical keys in the suite configuration.
+
+4. Logging
+----------
+
+Logging verbosity can be controlled in the log section of a suite/test
+configuration. The stdout subsection takes logging facility/verbosity key
+value pairs, the different facility types are defined in debug_lower_names at
+src/libstrongswan/debug.c.
+Any other sub-section in the log section is considered as a file name to log
+to. Each section takes the same facility/verbosity keys as the special stdout
+section.
+
+5. Connections
+--------------
+
+Both the suite and test configuration may contain connection definitions under
+the configs section. Each IKE_SA configuration has a sub-section. Each IKE_SA
+sub-section contains one or more CHILD_SA configuration sub-sections:
+
+configs {
+    ike-a {
+        # ... ike options
+        child-a1 {
+            # ... child options
+        }
+        child-a2 {
+            # ...
+        }
+    }
+}
+
+Configuration names can be chosen arbitrary, but should be unique within the
+same file.
+
+The IKE_SA configuration uses the following options (as key/value pairs):
+
+  lhost:          Address (IP or Hostname) of this host
+  rhost:          Address (IP or Hostname) of tested host
+  lid:            IKEv2 identifier of this host
+  rid:            IKEv2 identifier of tested host
+  proposal:       IKE_SA proposal list, comma separated, e.g.:
+                  aes128-sha1-modp2048,3des-md5-sha1-modp1024-modp1536
+                  Supported algorithm names are defined under
+                  src/libstrongswan/crypt/proposal/proposal_keywords.txt
+  fake_nat:       Fake the NAT_DETECTION_*_IP payloads to simulate a NAT
+                  scenario
+  rsa_strength:   connection requires a trustchain with RSA keys of given bits
+  ecdsa_strength: connection requires a trustchain with ECDSA keys of given bits
+  cert_policy:    connection requries a certificate with the given OID policy
+
+The following CHILD_SA specific configuration options are supported:
+
+  lts:         Local side traffic selectors, comma separated CIDR subnets
+  rts:         Remote side traffic selectors, comma separated CIDR subnets
+  transport:   Propose IPsec transport mode instead of tunnel mode
+  tfc_padding: Inject Traffic Flow Confidentialty bytes to align packets to the
+               given length
+
+6. Credentials
+--------------
+
+Credentials may be defined globally in the suite or locally in the test specific
+configuration file. Certificates files are defined in the certs section, either
+in the trusted or in the untrusted section. Trusted certificates are trust
+anchors, usually root CA certificates. Untrusted certificates do not build a
+trust anchor and usually contain intermediate or end entity certificates.
+
+Certificates files are loaded relative to the configuration file path and may
+be encoded either in plain ASN.1 DER or in PEM format. The prefix of the
+key/value pair is used to specify the type of the certificate, usually x509 or
+crl.
+
+Private keys can be defined in the suite or test config file under the keys
+section. The prefix of the key/value pair must be either rsa or ecdsa, the
+specified file may be encoded in ASN.1 DER or unencrypted PEM.
+
+certs {
+    trusted {
+        x509-a-ca = ca.pem
+    }
+    untrusted {
+        x509-me = /path/to/cert.pem
+        crl-from-ca = /path/to/crl.pem
+    }
+}
+keys {
+    ecdsa-me = /path/to/key.pem
+}
+
+7. Actions
+----------
+
+The actions section in the test specific configuration file defines
+the IKEv2 protocol actions to trigger. Currently, the following actions
+are supported and take these arguments (as key/value pairs):
+
+  initiate:    Initiate an IKE- and CHILD_SA
+               config: name of the CHILD_SA configuration to initiate
+               delay: Delay to trigger action after startup
+  rekey_ike:   Rekey an IKE_SA
+               config: name of originating IKE_SA configuration
+               delay: Delay to trigger action after startup
+  rekey_child: Rekey an CHILD_SA
+               config: name of originating CHILD_SA configuration
+               delay: Delay to trigger action after startup
+  liveness:    Do a liveness check (DPD) on the IKE_SA
+               config: name of originating IKE_SA configuration
+               delay: Delay to trigger action after startup
+  close_ike:   Close an IKE_SA
+               config: name of originating IKE_SA configuration
+               delay: Delay to trigger action after startup
+  close_child: Close a CHILD_SA
+               config: name of originating IKE_SA configuration
+               delay: Delay to trigger action after startup
+
+To trigger the same action multiple times, the action sections must be named
+uniquely. Append an arbitrary string to the action name. The following example
+initiates a connection and rekeys it twice:
+
+actions {
+    initiate {
+        config = child-a1
+    }
+    rekey_ike-1 {
+        config = ike-a
+        delay = 3
+    }
+    rekey_ike-2 {
+        config = ike-a
+        delay = 6
+    }
+}
+
+8. Hooks
+--------
+
+The hooks section section in the test configuration defines different hooks
+to use to mangle packets or trigger other protocol modifications. These
+hook functions are implemented in the hooks folder of conftest.
+
+Currently, the following hooks are defined with the following options:
+
+  add_notify:         Add a notify to a message
+    request:          yes to include in request, no in response
+    id:               IKEv2 message identifier of message to add notify
+    type:             notify type to add, names defined in notify_type_names
+                      under src/libcharon/encoding/payloads/notify_payload.c
+    data:             notification data to add, prepend 0x to interpret the
+                      string as hex string
+    spi:              SPI to use in notify
+    esp:              yes to send an ESP protocol notify, no for IKE
+  add_payload:        Add an arbitrary payload to a message
+    request:          yes to include in request, no in response
+    id:               IKEv2 message identifier of message to add payload
+    type:             type of the payload to add, names defined in
+                      payload_type_short_names in payload.c
+    data:             data to append after generic payload header, use 0x
+                      prefix for hex encoded data
+    critical:         yes to set payload critical bit
+    replace:          yes to replace an existing payload of the same type
+  custom_proposal:    set a custom proposal value in the SA payload
+    request:          yes to include in request, no in response
+    id:               IKEv2 message identifier of message to add notify
+                      The hook takes subsections with numerical names, each
+                      defining a proposal substructure. The substructure
+                      takes key/value pairs, where key defines the type, value
+                      the specific algorithm.
+  force_cookie:       Reject IKE_SA_INIT requests with a COOKIE
+  ignore_message:     Ignore a specific message, simulating packet loss
+    inbound:          yes to ignore incoming, no for outgoing messages
+    request:          yes to ignore requests, no for responses
+    id:               IKEv2 message identifier of message to ignore
+  ike_auth_fill:      Fill up IKE_AUTH message to a given size using a CERT
+                      payload.
+    request:          yes to fill requests messages, no for responses
+    id:               IKEv2 message identifier of message to fill up
+    bytes:            number of bytes the final IKE_AUTH message should have
+  log_id:             Comfortably log received ID payload contents
+  log_ke:             Comfortably log received KE payload DH groups
+  log_proposal:       Comfortably log all proposals received in SA payloads
+  log_ts:             Comfortably log all received TS payloads
+  pretend_auth:       magically reconstruct IKE_AUTH response even if
+                      AUTHENTICATION_FAILED received
+  rebuild_auth:       rebuild AUTH payload, i.e. if ID payload changed
+  reset_seq:          Reset sequence numbers of an ESP SA
+    delay:            Seconds to delay reset after SA established
+  set_critical:       Set critical bit on existing payloads:
+    request:          yes to set in request, no in response
+    id:               IKEv2 message identifier of message to mangle payloads
+    payloads:         space separated payload list to set critical bit on
+  set_ike_initiator:  toggle IKE initiator flag in IKE header
+    request:          yes to set in request, no in response
+    id:               IKEv2 message identifier of message to mangle
+  set_ike_request:    toggle IKE request flag in IKE header
+    request:          yes to set in request, no in response
+    id:               IKEv2 message identifier of message to mangle
+  set_ike_spi:        set the IKE SPIs in IKE header
+    request:          yes to set in request, no in response
+    id:               IKEv2 message identifier of message to mangle
+    spii:             initiator SPI to set (as decimal integer)
+    spir:             responder SPI to set
+  set_ike_version:    set version fields in IKE header
+    request:          yes to set in request, no in response
+    id:               IKEv2 message identifier of message to mangle
+    major:            major version to set
+    minor:            minor version to set
+    higher:           yes to set Higher Version Supported flag
+  set_length:         set the length in a payload header
+    request:          yes to set in request, no in response
+    id:               IKEv2 message identifier of message to mangle
+    type:             payload type to mangle
+    diff:             difference to add/remove from real length (+1,-3 etc.)
+  set_proposal_number:Change the number of a proposal in a SA payload
+    request:          yes to set in request, no in response
+    id:               IKEv2 message identifier of message to mangle
+    from:             proposal number to mangle
+    to:               new porposal number to set instead of from
+  set_reserved:       set arbitrary reserved bits/bytes in payloads
+    request:          yes to set in request, no in response
+    id:               IKEv2 message identifier of message to mangle
+                      The hook takes a list of subsection, each named as payload
+                      type. Each section takes a bits and a bytes key, the
+                      value is a comma separated list of decimal numbers of
+                      bits/bytes to mangle (1 is the first reserved bit/byte
+                      in the payload). The byteval key defines to which value
+                      set mangled bytes in the byte list.
+  unencrypted_notify: Send an unencrypted message with a notify after
+                      establishing an IKE_SA
+    id:               IKEv2 message identifier of message to send
+    type:             notify type to add, names defined in notify_type_names
+                      under src/libcharon/encoding/payloads/notify_payload.c
+    data:             notification data to add, prepend 0x to interpret the
+                      string as hex string
+    spi:              SPI to use in notify
+    esp:              yes to send an ESP protocol notify, no for IKE
+  unsort_message:     reorder the payloads in a message
+    request:          yes to reorder requests messages, no for responses
+    id:               IKEv2 message identifier of message to reorder
+    order:            payload order, space separated payload names as defined
+                      in payload_type_short_names under
+                      src/libcharon/encoding/payloads/payload.c
+
+9. Invoking
+-----------
+
+Compile time options required depend on the test suite. A minimalistic
+strongSwan build with the OpenSSL crypto backend can be configured with:
+
+./configure --sysconfdir=/etc --disable-pluto --disable-scripts \
+  --disable-tools --disable-aes --disable-des --disable-md5 \
+  --disable-sha1 --disable-sha2 --disable-fips-prf --disable-gmp \
+  --disable-pubkey --disable-pgp --disable-dnskey --disable-updown \
+  --disable-attr --disable-resolve --enable-openssl --enable-conftest \
+  --enable-gcm --enable-ccm --enable-ctr
+
+The conftest utility is installed by default under /usr/local/libexec/ipsec/,
+but can be invoked with the ipsec helper script. It takes a suite specific
+configuration file after the --suite option and a test specific file with
+the --test option:
+
+  ipsec conftest --suite suite.conf --test 1.1.1/test.conf
diff --git a/src/conftest/actions.c b/src/conftest/actions.c
new file mode 100644
index 000000000..e66e9d7f1
--- /dev/null
+++ b/src/conftest/actions.c
@@ -0,0 +1,339 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "actions.h"
+#include "conftest.h"
+
+#include <daemon.h>
+#include <processing/jobs/callback_job.h>
+#include <processing/jobs/rekey_ike_sa_job.h>
+#include <processing/jobs/rekey_child_sa_job.h>
+#include <processing/jobs/send_dpd_job.h>
+
+typedef struct private_actions_t private_actions_t;
+
+/**
+ * Private data of an actions_t object.
+ */
+struct private_actions_t {
+
+	/**
+	 * Public actions_t interface.
+	 */
+	actions_t public;
+};
+
+/**
+ * Initiate a CHILD_SA
+ */
+static job_requeue_t initiate(char *config)
+{
+	peer_cfg_t *peer_cfg;
+	child_cfg_t *child_cfg = NULL, *current;
+	enumerator_t *enumerator;
+
+	peer_cfg = charon->backends->get_peer_cfg_by_name(charon->backends, config);
+	if (!peer_cfg)
+	{
+		DBG1(DBG_CFG, "initiating '%s' failed, config not found", config);
+		return JOB_REQUEUE_NONE;
+	}
+	enumerator = peer_cfg->create_child_cfg_enumerator(peer_cfg);
+	while (enumerator->enumerate(enumerator, &current))
+	{
+		if (streq(current->get_name(current), config))
+		{
+			child_cfg = current;
+			child_cfg->get_ref(child_cfg);
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	if (child_cfg)
+	{
+		DBG1(DBG_CFG, "initiating IKE_SA for CHILD_SA config '%s'", config);
+		charon->controller->initiate(charon->controller, peer_cfg, child_cfg,
+									 NULL, NULL);
+	}
+	else
+	{
+		DBG1(DBG_CFG, "initiating '%s' failed, CHILD_SA config not found",
+			 config);
+	}
+
+	return JOB_REQUEUE_NONE;
+}
+
+/**
+ * Rekey an IKE_SA
+ */
+static job_requeue_t rekey_ike(char *config)
+{
+	enumerator_t *enumerator;
+	job_t *job = NULL;
+	ike_sa_t *ike_sa;
+
+	enumerator = charon->controller->create_ike_sa_enumerator(charon->controller);
+	while (enumerator->enumerate(enumerator, &ike_sa))
+	{
+		if (strcaseeq(config, ike_sa->get_name(ike_sa)))
+		{
+			job = (job_t*)rekey_ike_sa_job_create(ike_sa->get_id(ike_sa), FALSE);
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	if (job)
+	{
+		DBG1(DBG_CFG, "starting rekey of IKE_SA '%s'", config);
+		lib->processor->queue_job(lib->processor, job);
+	}
+	else
+	{
+		DBG1(DBG_CFG, "rekeying '%s' failed, IKE_SA not found", config);
+	}
+	return JOB_REQUEUE_NONE;
+}
+
+/**
+ * Rekey an CHILD_SA
+ */
+static job_requeue_t rekey_child(char *config)
+{
+	enumerator_t *enumerator;
+	iterator_t *children;
+	ike_sa_t *ike_sa;
+	child_sa_t *child_sa;
+	u_int32_t reqid = 0, spi = 0;
+	protocol_id_t proto = PROTO_ESP;
+
+	enumerator = charon->controller->create_ike_sa_enumerator(charon->controller);
+	while (enumerator->enumerate(enumerator, &ike_sa))
+	{
+		children = ike_sa->create_child_sa_iterator(ike_sa);
+		while (children->iterate(children, (void**)&child_sa))
+		{
+			if (streq(config, child_sa->get_name(child_sa)))
+			{
+				reqid = child_sa->get_reqid(child_sa);
+				proto = child_sa->get_protocol(child_sa);
+				spi = child_sa->get_spi(child_sa, TRUE);
+				break;
+			}
+		}
+		children->destroy(children);
+	}
+	enumerator->destroy(enumerator);
+	if (reqid)
+	{
+		DBG1(DBG_CFG, "starting rekey of CHILD_SA '%s'", config);
+		lib->processor->queue_job(lib->processor,
+						(job_t*)rekey_child_sa_job_create(reqid, proto, spi));
+	}
+	else
+	{
+		DBG1(DBG_CFG, "rekeying '%s' failed, CHILD_SA not found", config);
+	}
+	return JOB_REQUEUE_NONE;
+}
+
+/**
+ * Do a liveness check
+ */
+static job_requeue_t liveness(char *config)
+{
+	enumerator_t *enumerator;
+	job_t *job = NULL;
+	ike_sa_t *ike_sa;
+
+	enumerator = charon->controller->create_ike_sa_enumerator(charon->controller);
+	while (enumerator->enumerate(enumerator, &ike_sa))
+	{
+		if (strcaseeq(config, ike_sa->get_name(ike_sa)))
+		{
+			job = (job_t*)send_dpd_job_create(ike_sa->get_id(ike_sa));
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	if (job)
+	{
+		DBG1(DBG_CFG, "starting liveness check of IKE_SA '%s'", config);
+		lib->processor->queue_job(lib->processor, job);
+	}
+	else
+	{
+		DBG1(DBG_CFG, "liveness check for '%s' failed, IKE_SA not found", config);
+	}
+	return JOB_REQUEUE_NONE;
+}
+
+/**
+ * Close an IKE_SA with all CHILD_SAs
+ */
+static job_requeue_t close_ike(char *config)
+{
+	enumerator_t *enumerator;
+	ike_sa_t *ike_sa;
+	int id = 0;
+
+	enumerator = charon->controller->create_ike_sa_enumerator(charon->controller);
+	while (enumerator->enumerate(enumerator, &ike_sa))
+	{
+		if (strcaseeq(config, ike_sa->get_name(ike_sa)))
+		{
+			id = ike_sa->get_unique_id(ike_sa);
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	if (id)
+	{
+		DBG1(DBG_CFG, "closing IKE_SA '%s'", config);
+		charon->controller->terminate_ike(charon->controller, id, NULL, NULL);
+	}
+	else
+	{
+		DBG1(DBG_CFG, "unable to close IKE_SA '%s', not found", config);
+	}
+	return JOB_REQUEUE_NONE;
+}
+
+/**
+ * Close a CHILD_SAs
+ */
+static job_requeue_t close_child(char *config)
+{
+	enumerator_t *enumerator;
+	iterator_t *children;
+	ike_sa_t *ike_sa;
+	child_sa_t *child_sa;
+	int id = 0;
+
+	enumerator = charon->controller->create_ike_sa_enumerator(charon->controller);
+	while (enumerator->enumerate(enumerator, &ike_sa))
+	{
+
+		children = ike_sa->create_child_sa_iterator(ike_sa);
+		while (children->iterate(children, (void**)&child_sa))
+		{
+			if (streq(config, child_sa->get_name(child_sa)))
+			{
+				id = child_sa->get_reqid(child_sa);
+				break;
+			}
+		}
+		children->destroy(children);
+	}
+	enumerator->destroy(enumerator);
+	if (id)
+	{
+		DBG1(DBG_CFG, "closing CHILD_SA '%s'", config);
+		charon->controller->terminate_child(charon->controller, id, NULL, NULL);
+	}
+	else
+	{
+		DBG1(DBG_CFG, "unable to close CHILD_SA '%s', not found", config);
+	}
+	return JOB_REQUEUE_NONE;
+}
+
+/**
+ * Load a single action
+ */
+static void load_action(settings_t *settings, char *action)
+{
+	static struct {
+		char *name;
+		callback_job_cb_t cb;
+	} actions[] = {
+		{"initiate",		(void*)initiate},
+		{"rekey_ike",		(void*)rekey_ike},
+		{"rekey_child",		(void*)rekey_child},
+		{"liveness",		(void*)liveness},
+		{"close_ike",		(void*)close_ike},
+		{"close_child",		(void*)close_child},
+	};
+	bool found = FALSE;
+	int i;
+
+	for (i = 0; i < countof(actions); i++)
+	{
+		if (strncaseeq(actions[i].name, action, strlen(actions[i].name)))
+		{
+			int delay;
+			char *config;
+
+			found = TRUE;
+			delay = settings->get_int(settings, "actions.%s.delay", 0, action);
+			config = settings->get_str(settings, "actions.%s.config",
+									   NULL, action);
+			if (!config)
+			{
+				DBG1(DBG_CFG, "no config defined for action '%s'", action);
+				break;
+			}
+			lib->scheduler->schedule_job(lib->scheduler,
+				(job_t*)callback_job_create(actions[i].cb, config, NULL, NULL),
+				delay);
+		}
+	}
+	if (!found)
+	{
+		DBG1(DBG_CFG, "unknown action '%s', skipped", action);
+	}
+}
+
+/**
+ * Load configured actions
+ */
+static void load_actions(settings_t *settings)
+{
+	enumerator_t *enumerator;
+	char *action;
+
+	enumerator = settings->create_section_enumerator(settings, "actions");
+	while (enumerator->enumerate(enumerator, &action))
+	{
+		load_action(settings, action);
+	}
+	enumerator->destroy(enumerator);
+}
+
+METHOD(actions_t, destroy, void,
+	private_actions_t *this)
+{
+	free(this);
+}
+
+/**
+ * See header
+ */
+actions_t *actions_create()
+{
+	private_actions_t *this;
+
+	INIT(this,
+		.public = {
+			.destroy = _destroy,
+		},
+	);
+
+	load_actions(conftest->test);
+
+	return &this->public;
+}
diff --git a/src/conftest/actions.h b/src/conftest/actions.h
new file mode 100644
index 000000000..2e1cbbacd
--- /dev/null
+++ b/src/conftest/actions.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup actions actions
+ * @{ @ingroup conftest
+ */
+
+#ifndef ACTIONS_H_
+#define ACTIONS_H_
+
+typedef struct actions_t actions_t;
+
+/**
+ * actionss to trigger based on configuration.
+ */
+struct actions_t {
+
+	/**
+	 * Destroy a actions_t.
+	 */
+	void (*destroy)(actions_t *this);
+};
+
+/**
+ * Create a actions instance.
+ */
+actions_t *actions_create();
+
+#endif /** ACTIONS_H_ @}*/
diff --git a/src/conftest/config.c b/src/conftest/config.c
new file mode 100644
index 000000000..952141211
--- /dev/null
+++ b/src/conftest/config.c
@@ -0,0 +1,343 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "config.h"
+
+#include <daemon.h>
+#include <conftest.h>
+
+typedef struct private_config_t private_config_t;
+
+/**
+ * Private data of an config_t object.
+ */
+struct private_config_t {
+
+	/**
+	 * Public config_t interface.
+	 */
+	config_t public;
+
+	/**
+	 * List of loaded peer configs
+	 */
+	linked_list_t *configs;
+};
+
+/**
+ * filter function for ike configs
+ */
+static bool ike_filter(void *data, peer_cfg_t **in, ike_cfg_t **out)
+{
+	*out = (*in)->get_ike_cfg(*in);
+	return TRUE;
+}
+
+METHOD(backend_t, create_ike_cfg_enumerator, enumerator_t*,
+	private_config_t *this, host_t *me, host_t *other)
+{
+
+	return enumerator_create_filter(
+							this->configs->create_enumerator(this->configs),
+							(void*)ike_filter, NULL, NULL);
+}
+
+METHOD(backend_t, create_peer_cfg_enumerator, enumerator_t*,
+	private_config_t *this, identification_t *me, identification_t *other)
+{
+	return this->configs->create_enumerator(this->configs);
+}
+
+METHOD(backend_t, get_peer_cfg_by_name, peer_cfg_t*,
+	private_config_t *this, char *name)
+{
+	enumerator_t *e1, *e2;
+	peer_cfg_t *current, *found = NULL;
+	child_cfg_t *child;
+
+	e1 = this->configs->create_enumerator(this->configs);
+	while (e1->enumerate(e1, &current))
+	{
+		e2 = current->create_child_cfg_enumerator(current);
+		while (e2->enumerate(e2, &child))
+		{
+			if (streq(child->get_name(child), name))
+			{
+				found = current;
+				found->get_ref(found);
+				break;
+			}
+		}
+		e2->destroy(e2);
+		if (found)
+		{
+			break;
+		}
+	}
+	e1->destroy(e1);
+	return found;
+}
+
+/**
+ * Load IKE config for a given section name
+ */
+static ike_cfg_t *load_ike_config(private_config_t *this,
+								  settings_t *settings, char *config)
+{
+	enumerator_t *enumerator;
+	ike_cfg_t *ike_cfg;
+	proposal_t *proposal;
+	char *token;
+
+	ike_cfg = ike_cfg_create(TRUE,
+		settings->get_bool(settings, "configs.%s.fake_nat", FALSE, config),
+		settings->get_str(settings, "configs.%s.lhost", "%any", config),
+		settings->get_int(settings, "configs.%s.lport", 500, config),
+		settings->get_str(settings, "configs.%s.rhost", "%any", config),
+		settings->get_int(settings, "configs.%s.rport", 500, config));
+	token = settings->get_str(settings, "configs.%s.proposal", NULL, config);
+	if (token)
+	{
+		enumerator = enumerator_create_token(token, ",", " ");
+		while (enumerator->enumerate(enumerator, &token))
+		{
+			proposal = proposal_create_from_string(PROTO_IKE, token);
+			if (proposal)
+			{
+				ike_cfg->add_proposal(ike_cfg, proposal);
+			}
+			else
+			{
+				DBG1(DBG_CFG, "parsing proposal '%s' failed, skipped", token);
+			}
+		}
+		enumerator->destroy(enumerator);
+	}
+	else
+	{
+		ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
+	}
+	return ike_cfg;
+}
+/**
+ * Load CHILD config for given section names
+ */
+static child_cfg_t *load_child_config(private_config_t *this,
+							settings_t *settings, char *config, char *child)
+{
+	child_cfg_t *child_cfg;
+	lifetime_cfg_t lifetime = {};
+	enumerator_t *enumerator;
+	proposal_t *proposal;
+	traffic_selector_t *ts;
+	ipsec_mode_t mode = MODE_TUNNEL;
+	host_t *net;
+	char *token;
+	int bits;
+	u_int32_t tfc;
+
+	if (settings->get_bool(settings, "configs.%s.%s.transport",
+						   FALSE, config, child))
+	{
+		mode = MODE_TRANSPORT;
+	}
+	tfc = settings->get_int(settings, "configs.%s.%s.tfc_padding",
+							0, config, child);
+	child_cfg = child_cfg_create(child, &lifetime, NULL, FALSE, mode,
+								 ACTION_NONE, ACTION_NONE, ACTION_NONE,
+								 FALSE, 0, 0, NULL, NULL, tfc);
+
+	token = settings->get_str(settings, "configs.%s.%s.proposal",
+							  NULL, config, child);
+	if (token)
+	{
+		enumerator = enumerator_create_token(token, ",", " ");
+		while (enumerator->enumerate(enumerator, &token))
+		{
+			proposal = proposal_create_from_string(PROTO_ESP, token);
+			if (proposal)
+			{
+				child_cfg->add_proposal(child_cfg, proposal);
+			}
+			else
+			{
+				DBG1(DBG_CFG, "parsing proposal '%s' failed, skipped", token);
+			}
+		}
+		enumerator->destroy(enumerator);
+	}
+	else
+	{
+		child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
+	}
+
+	token = settings->get_str(settings, "configs.%s.%s.lts", NULL, config);
+	if (token)
+	{
+		enumerator = enumerator_create_token(token, ",", " ");
+		while (enumerator->enumerate(enumerator, &token))
+		{
+			net = host_create_from_subnet(token, &bits);
+			if (net)
+			{
+				ts = traffic_selector_create_from_subnet(net, bits, 0, 0);
+				child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
+			}
+			else
+			{
+				DBG1(DBG_CFG, "invalid local ts: %s, skipped", token);
+			}
+		}
+		enumerator->destroy(enumerator);
+	}
+	else
+	{
+		ts = traffic_selector_create_dynamic(0, 0, 65535);
+		child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
+	}
+
+	token = settings->get_str(settings, "configs.%s.%s.rts", NULL, config);
+	if (token)
+	{
+		enumerator = enumerator_create_token(token, ",", " ");
+		while (enumerator->enumerate(enumerator, &token))
+		{
+			net = host_create_from_subnet(token, &bits);
+			if (net)
+			{
+				ts = traffic_selector_create_from_subnet(net, bits, 0, 0);
+				child_cfg->add_traffic_selector(child_cfg, FALSE, ts);
+			}
+			else
+			{
+				DBG1(DBG_CFG, "invalid remote ts: %s, skipped", token);
+			}
+		}
+		enumerator->destroy(enumerator);
+	}
+	else
+	{
+		ts = traffic_selector_create_dynamic(0, 0, 65535);
+		child_cfg->add_traffic_selector(child_cfg, FALSE, ts);
+	}
+	return child_cfg;
+}
+
+/**
+ * Load peer config for a given section name
+ */
+static peer_cfg_t *load_peer_config(private_config_t *this,
+									settings_t *settings, char *config)
+{
+	ike_cfg_t *ike_cfg;
+	peer_cfg_t *peer_cfg;
+	auth_cfg_t *auth;
+	child_cfg_t *child_cfg;
+	enumerator_t *enumerator;
+	identification_t *lid, *rid;
+	char *child, *policy;
+	uintptr_t strength;
+
+	ike_cfg = load_ike_config(this, settings, config);
+	peer_cfg = peer_cfg_create(config, 2, ike_cfg, CERT_ALWAYS_SEND,
+							   UNIQUE_NO, 1, 0, 0, 0, 0, FALSE, 0,
+							   NULL, NULL, FALSE, NULL, NULL);
+
+	auth = auth_cfg_create();
+	auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
+	lid = identification_create_from_string(
+				settings->get_str(settings, "configs.%s.lid", "%any", config));
+	auth->add(auth, AUTH_RULE_IDENTITY, lid);
+	peer_cfg->add_auth_cfg(peer_cfg, auth, TRUE);
+
+	auth = auth_cfg_create();
+	auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
+	rid = identification_create_from_string(
+				settings->get_str(settings, "configs.%s.rid", "%any", config));
+	strength = settings->get_int(settings, "configs.%s.rsa_strength", 0);
+	if (strength)
+	{
+		auth->add(auth, AUTH_RULE_RSA_STRENGTH, strength);
+	}
+	strength = settings->get_int(settings, "configs.%s.ecdsa_strength", 0);
+	if (strength)
+	{
+		auth->add(auth, AUTH_RULE_ECDSA_STRENGTH, strength);
+	}
+	policy = settings->get_str(settings, "configs.%s.cert_policy", NULL, config);
+	if (policy)
+	{
+		auth->add(auth, AUTH_RULE_CERT_POLICY, strdup(policy));
+	}
+	auth->add(auth, AUTH_RULE_IDENTITY, rid);
+	peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);
+
+	DBG1(DBG_CFG, "loaded config %s: %Y - %Y", config, lid, rid);
+
+	enumerator = settings->create_section_enumerator(settings,
+													 "configs.%s", config);
+	while (enumerator->enumerate(enumerator, &child))
+	{
+		child_cfg = load_child_config(this, settings, config, child);
+		peer_cfg->add_child_cfg(peer_cfg, child_cfg);
+	}
+	enumerator->destroy(enumerator);
+	return peer_cfg;
+}
+
+METHOD(config_t, load, void,
+	private_config_t *this, settings_t *settings)
+{
+	enumerator_t *enumerator;
+	char *config;
+
+	enumerator = settings->create_section_enumerator(settings, "configs");
+	while (enumerator->enumerate(enumerator, &config))
+	{
+		this->configs->insert_last(this->configs,
+								load_peer_config(this, settings, config));
+	}
+	enumerator->destroy(enumerator);
+}
+
+METHOD(config_t, destroy, void,
+	private_config_t *this)
+{
+	this->configs->destroy_offset(this->configs, offsetof(peer_cfg_t, destroy));
+	free(this);
+}
+
+/**
+ * See header
+ */
+config_t *config_create()
+{
+	private_config_t *this;
+
+	INIT(this,
+		.public = {
+			.backend = {
+				.create_ike_cfg_enumerator = _create_ike_cfg_enumerator,
+				.create_peer_cfg_enumerator = _create_peer_cfg_enumerator,
+				.get_peer_cfg_by_name = _get_peer_cfg_by_name,
+			},
+			.load = _load,
+			.destroy = _destroy,
+		},
+		.configs = linked_list_create(),
+	);
+
+	return &this->public;
+}
diff --git a/src/conftest/config.h b/src/conftest/config.h
new file mode 100644
index 000000000..2a62b9ce0
--- /dev/null
+++ b/src/conftest/config.h
@@ -0,0 +1,56 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup config config
+ * @{ @ingroup conftest
+ */
+
+#ifndef CONFIG_H_
+#define CONFIG_H_
+
+typedef struct config_t config_t;
+
+#include <config/backend.h>
+
+/**
+ * Conftest IKE and CHILD config backend
+ */
+struct config_t {
+
+	/**
+	 * Implements the backend_t interface.
+	 */
+	backend_t backend;
+
+	/**
+	 * Load configurations from a settings file.
+	 *
+	 * @param settings		settings file to load configs from
+	 */
+	void (*load)(config_t *this, settings_t *settings);
+
+	/**
+	 * Destroy a config_t.
+	 */
+	void (*destroy)(config_t *this);
+};
+
+/**
+ * Create a config instance.
+ */
+config_t *config_create();
+
+#endif /** CONFIG_H_ @}*/
diff --git a/src/conftest/conftest.c b/src/conftest/conftest.c
new file mode 100644
index 000000000..fea88818e
--- /dev/null
+++ b/src/conftest/conftest.c
@@ -0,0 +1,550 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#define _GNU_SOURCE
+#include <unistd.h>
+#include <stdio.h>
+#include <errno.h>
+#include <signal.h>
+#include <getopt.h>
+#include <dlfcn.h>
+#include <libgen.h>
+
+#include "conftest.h"
+#include "config.h"
+#include "hooks/hook.h"
+
+#include <threading/thread.h>
+#include <credentials/certificates/x509.h>
+
+/**
+ * Conftest globals struct
+ */
+conftest_t *conftest;
+
+/**
+ * Print usage information
+ */
+static void usage(FILE *out)
+{
+	fprintf(out, "Usage:\n");
+	fprintf(out, "  --help           show usage information\n");
+	fprintf(out, "  --version        show conftest version\n");
+	fprintf(out, "  --suite <file>   global testsuite configuration "
+									 "(default: ./suite.conf)\n");
+	fprintf(out, "  --test <file>    test specific configuration\n");
+}
+
+/**
+ * Handle SIGSEGV/SIGILL signals raised by threads
+ */
+static void segv_handler(int signal)
+{
+	fprintf(stderr, "thread %u received %d\n", thread_current_id(), signal);
+	abort();
+}
+
+/**
+ * Load suite and test specific configurations
+ */
+static bool load_configs(char *suite_file, char *test_file)
+{
+	if (!test_file)
+	{
+		fprintf(stderr, "Missing test configuration file.\n");
+		return FALSE;
+	}
+	if (access(suite_file, R_OK) != 0)
+	{
+		fprintf(stderr, "Reading suite configuration file '%s' failed: %s.\n",
+				suite_file, strerror(errno));
+		return FALSE;
+	}
+	if (access(test_file, R_OK) != 0)
+	{
+		fprintf(stderr, "Reading test configuration file '%s' failed: %s.\n",
+				test_file, strerror(errno));
+		return FALSE;
+	}
+	conftest->test = settings_create(suite_file);
+	conftest->test->load_files(conftest->test, test_file);
+	conftest->suite_dir = strdup(dirname(suite_file));
+	return TRUE;
+}
+
+/**
+ * Load trusted/untrusted certificates
+ */
+static bool load_cert(settings_t *settings, bool trusted)
+{
+	enumerator_t *enumerator;
+	char *key, *value;
+
+	enumerator = settings->create_key_value_enumerator(settings,
+								trusted ? "certs.trusted" : "certs.untrusted");
+	while (enumerator->enumerate(enumerator, &key, &value))
+	{
+		certificate_t *cert = NULL;
+
+		if (strncaseeq(key, "x509", strlen("x509")))
+		{
+			cert = lib->creds->create(lib->creds, CRED_CERTIFICATE,
+							CERT_X509, BUILD_FROM_FILE, value, BUILD_END);
+		}
+		else if (strncaseeq(key, "crl", strlen("crl")))
+		{
+			cert = lib->creds->create(lib->creds, CRED_CERTIFICATE,
+							CERT_X509_CRL, BUILD_FROM_FILE, value, BUILD_END);
+		}
+		else
+		{
+			fprintf(stderr, "certificate type '%s' not supported\n", key);
+			enumerator->destroy(enumerator);
+			return FALSE;
+		}
+		if (!cert)
+		{
+			fprintf(stderr, "loading %strusted certificate '%s' from '%s' "
+					"failed\n", trusted ? "" : "un", key, value);
+			enumerator->destroy(enumerator);
+			return FALSE;
+		}
+		conftest->creds->add_cert(conftest->creds, trusted, cert);
+	}
+	enumerator->destroy(enumerator);
+	return TRUE;
+}
+
+/**
+ * Load certificates from the confiuguration file
+ */
+static bool load_certs(settings_t *settings, char *dir)
+{
+	char wd[PATH_MAX];
+
+	if (getcwd(wd, sizeof(wd)) == NULL)
+	{
+		fprintf(stderr, "getting cwd failed: %s\n", strerror(errno));
+		return FALSE;
+	}
+	if (chdir(dir) != 0)
+	{
+		fprintf(stderr, "opening directory '%s' failed: %s\n",
+				dir, strerror(errno));
+		return FALSE;
+	}
+
+	if (!load_cert(settings, TRUE) ||
+		!load_cert(settings, FALSE))
+	{
+		return FALSE;
+	}
+
+	if (chdir(wd) != 0)
+	{
+		fprintf(stderr, "opening directory '%s' failed: %s\n",
+				wd, strerror(errno));
+		return FALSE;
+	}
+	return TRUE;
+}
+
+/**
+ * Load private keys from the confiuguration file
+ */
+static bool load_keys(settings_t *settings, char *dir)
+{
+	enumerator_t *enumerator;
+	char *type, *value, wd[PATH_MAX];
+	private_key_t *key;
+	key_type_t key_type;
+
+	if (getcwd(wd, sizeof(wd)) == NULL)
+	{
+		fprintf(stderr, "getting cwd failed: %s\n", strerror(errno));
+		return FALSE;
+	}
+	if (chdir(dir) != 0)
+	{
+		fprintf(stderr, "opening directory '%s' failed: %s\n",
+				dir, strerror(errno));
+		return FALSE;
+	}
+
+	enumerator = settings->create_key_value_enumerator(settings, "keys");
+	while (enumerator->enumerate(enumerator, &type, &value))
+	{
+		if (strncaseeq(type, "ecdsa", strlen("ecdsa")))
+		{
+			key_type = KEY_ECDSA;
+		}
+		else if (strncaseeq(type, "rsa", strlen("rsa")))
+		{
+			key_type = KEY_RSA;
+		}
+		else
+		{
+			fprintf(stderr, "unknown key type: '%s'\n", type);
+			enumerator->destroy(enumerator);
+			return FALSE;
+		}
+		key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, key_type,
+								 BUILD_FROM_FILE, value, BUILD_END);
+		if (!key)
+		{
+			fprintf(stderr, "loading %s key from '%s' failed\n", type, value);
+			enumerator->destroy(enumerator);
+			return FALSE;
+		}
+		conftest->creds->add_key(conftest->creds, key);
+	}
+	enumerator->destroy(enumerator);
+
+	if (chdir(wd) != 0)
+	{
+		fprintf(stderr, "opening directory '%s' failed: %s\n",
+				wd, strerror(errno));
+		return FALSE;
+	}
+	return TRUE;
+}
+
+/**
+ * Load certificate distribution points
+ */
+static void load_cdps(settings_t *settings)
+{
+	enumerator_t *enumerator;
+	identification_t *id;
+	char *ca, *uri, *section;
+	certificate_type_t type;
+	x509_t *x509;
+
+	enumerator = settings->create_section_enumerator(settings, "cdps");
+	while (enumerator->enumerate(enumerator, &section))
+	{
+		if (strncaseeq(section, "crl", strlen("crl")))
+		{
+			type = CERT_X509_CRL;
+		}
+		else if (strncaseeq(section, "ocsp", strlen("ocsp")))
+		{
+			type = CERT_X509_OCSP_RESPONSE;
+		}
+		else
+		{
+			fprintf(stderr, "unknown cdp type '%s', ignored\n", section);
+			continue;
+		}
+
+		uri = settings->get_str(settings, "cdps.%s.uri", NULL, section);
+		ca = settings->get_str(settings, "cdps.%s.ca", NULL, section);
+		if (!ca || !uri)
+		{
+			fprintf(stderr, "cdp '%s' misses ca/uri, ignored\n", section);
+			continue;
+		}
+		x509 = lib->creds->create(lib->creds, CRED_CERTIFICATE,
+							CERT_X509, BUILD_FROM_FILE, ca, BUILD_END);
+		if (!x509)
+		{
+			fprintf(stderr, "loading cdp '%s' ca failed, ignored\n", section);
+			continue;
+		}
+		id = identification_create_from_encoding(ID_KEY_ID,
+									x509->get_subjectKeyIdentifier(x509));
+		conftest->creds->add_cdp(conftest->creds, type, id, uri);
+		DESTROY_IF((certificate_t*)x509);
+		id->destroy(id);
+	}
+	enumerator->destroy(enumerator);
+}
+
+/**
+ * Load configured hooks
+ */
+static bool load_hooks()
+{
+	enumerator_t *enumerator;
+	char *name, *pos, buf[64];
+	hook_t *(*create)(char*);
+	hook_t *hook;
+
+	enumerator = conftest->test->create_section_enumerator(conftest->test,
+														   "hooks");
+	while (enumerator->enumerate(enumerator, &name))
+	{
+		pos = strchr(name, '-');
+		if (pos)
+		{
+			snprintf(buf, sizeof(buf), "%.*s_hook_create", pos - name, name);
+		}
+		else
+		{
+			snprintf(buf, sizeof(buf), "%s_hook_create", name);
+		}
+		create = dlsym(RTLD_DEFAULT, buf);
+		if (create)
+		{
+			hook = create(name);
+			if (hook)
+			{
+				conftest->hooks->insert_last(conftest->hooks, hook);
+				charon->bus->add_listener(charon->bus, &hook->listener);
+			}
+		}
+		else
+		{
+			fprintf(stderr, "dlsym() for hook '%s' failed: %s\n", name, dlerror());
+			enumerator->destroy(enumerator);
+			return FALSE;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return TRUE;
+}
+
+/**
+ * atexit() cleanup handler
+ */
+static void cleanup()
+{
+	hook_t *hook;
+
+	DESTROY_IF(conftest->test);
+	lib->credmgr->remove_set(lib->credmgr, &conftest->creds->set);
+	conftest->creds->destroy(conftest->creds);
+	DESTROY_IF(conftest->actions);
+	while (conftest->hooks->remove_last(conftest->hooks,
+										(void**)&hook) == SUCCESS)
+	{
+		charon->bus->remove_listener(charon->bus, &hook->listener);
+		hook->destroy(hook);
+	}
+	conftest->hooks->destroy(conftest->hooks);
+	if (conftest->config)
+	{
+		if (charon->backends)
+		{
+			charon->backends->remove_backend(charon->backends,
+											 &conftest->config->backend);
+		}
+		conftest->config->destroy(conftest->config);
+	}
+	free(conftest->suite_dir);
+	free(conftest);
+	libcharon_deinit();
+	libhydra_deinit();
+	library_deinit();
+}
+
+/**
+ * Load log levels for a logger from section
+ */
+static void load_log_levels(file_logger_t *logger, char *section)
+{
+	debug_t group;
+	level_t  def;
+
+	def = conftest->test->get_int(conftest->test, "log.%s.default", 1, section);
+	for (group = 0; group < DBG_MAX; group++)
+	{
+		logger->set_level(logger, group,
+					conftest->test->get_int(conftest->test, "log.%s.%N", def,
+											section, debug_lower_names, group));
+	}
+}
+
+/**
+ * Load logger configuration
+ */
+static void load_loggers(file_logger_t *logger)
+{
+	enumerator_t *enumerator;
+	char *section;
+	FILE *file;
+
+	load_log_levels(logger, "stdout");
+
+	enumerator = conftest->test->create_section_enumerator(conftest->test, "log");
+	while (enumerator->enumerate(enumerator, &section))
+	{
+		if (!streq(section, "stdout"))
+		{
+			file = fopen(section, "w");
+			if (file == NULL)
+			{
+				fprintf(stderr, "opening file %s for logging failed: %s",
+						section, strerror(errno));
+				continue;
+			}
+			logger = file_logger_create(file, NULL, FALSE);
+			load_log_levels(logger, section);
+			charon->bus->add_listener(charon->bus, &logger->listener);
+			charon->file_loggers->insert_last(charon->file_loggers, logger);
+		}
+	}
+	enumerator->destroy(enumerator);
+}
+
+/**
+ * Main function, starts the conftest daemon.
+ */
+int main(int argc, char *argv[])
+{
+	struct sigaction action;
+	int status = 0;
+	sigset_t set;
+	int sig;
+	char *suite_file = "suite.conf", *test_file = NULL;
+	file_logger_t *logger;
+
+	if (!library_init(NULL))
+	{
+		library_deinit();
+		return SS_RC_LIBSTRONGSWAN_INTEGRITY;
+	}
+	if (!libhydra_init("conftest"))
+	{
+		libhydra_deinit();
+		library_deinit();
+		return SS_RC_INITIALIZATION_FAILED;
+	}
+	if (!libcharon_init())
+	{
+		libcharon_deinit();
+		libhydra_deinit();
+		library_deinit();
+		return SS_RC_INITIALIZATION_FAILED;
+	}
+
+	INIT(conftest,
+		.creds = mem_cred_create(),
+	);
+
+	logger = file_logger_create(stdout, NULL, FALSE);
+	logger->set_level(logger, DBG_ANY, LEVEL_CTRL);
+	charon->bus->add_listener(charon->bus, &logger->listener);
+	charon->file_loggers->insert_last(charon->file_loggers, logger);
+
+	lib->credmgr->add_set(lib->credmgr, &conftest->creds->set);
+	conftest->hooks = linked_list_create();
+	conftest->config = config_create();
+
+	atexit(cleanup);
+
+	while (TRUE)
+	{
+		struct option long_opts[] = {
+			{ "help", no_argument, NULL, 'h' },
+			{ "version", no_argument, NULL, 'v' },
+			{ "suite", required_argument, NULL, 's' },
+			{ "test", required_argument, NULL, 't' },
+			{ 0,0,0,0 }
+		};
+		switch (getopt_long(argc, argv, "", long_opts, NULL))
+		{
+			case EOF:
+				break;
+			case 'h':
+				usage(stdout);
+				return 0;
+			case 'v':
+				printf("strongSwan %s conftest\n", VERSION);
+				return 0;
+			case 's':
+				suite_file = optarg;
+				continue;
+			case 't':
+				test_file = optarg;
+				continue;
+			default:
+				usage(stderr);
+				return 1;
+		}
+		break;
+	}
+
+	if (!load_configs(suite_file, test_file))
+	{
+		return 1;
+	}
+	load_loggers(logger);
+
+	if (!lib->plugins->load(lib->plugins, NULL,
+			conftest->test->get_str(conftest->test, "preload", "")))
+	{
+		return 1;
+	}
+	if (!charon->initialize(charon))
+	{
+		return 1;
+	}
+	if (!load_certs(conftest->test, conftest->suite_dir))
+	{
+		return 1;
+	}
+	if (!load_keys(conftest->test, conftest->suite_dir))
+	{
+		return 1;
+	}
+	load_cdps(conftest->test);
+	if (!load_hooks())
+	{
+		return 1;
+	}
+	charon->backends->add_backend(charon->backends, &conftest->config->backend);
+	conftest->config->load(conftest->config, conftest->test);
+	conftest->actions = actions_create();
+
+	/* set up thread specific handlers */
+	action.sa_handler = segv_handler;
+	action.sa_flags = 0;
+	sigemptyset(&action.sa_mask);
+	sigaddset(&action.sa_mask, SIGINT);
+	sigaddset(&action.sa_mask, SIGTERM);
+	sigaddset(&action.sa_mask, SIGHUP);
+	sigaction(SIGSEGV, &action, NULL);
+	sigaction(SIGILL, &action, NULL);
+	sigaction(SIGBUS, &action, NULL);
+	action.sa_handler = SIG_IGN;
+	sigaction(SIGPIPE, &action, NULL);
+	pthread_sigmask(SIG_SETMASK, &action.sa_mask, NULL);
+
+	/* start thread pool */
+	charon->start(charon);
+
+	/* handle SIGINT/SIGTERM in main thread */
+	sigemptyset(&set);
+	sigaddset(&set, SIGINT);
+	sigaddset(&set, SIGHUP);
+	sigaddset(&set, SIGTERM);
+	sigprocmask(SIG_BLOCK, &set, NULL);
+
+	while (sigwait(&set, &sig) == 0)
+	{
+		switch (sig)
+		{
+			case SIGINT:
+			case SIGTERM:
+				fprintf(stderr, "\nshutting down...\n");
+				break;
+			default:
+				continue;
+		}
+		break;
+	}
+	return status;
+}
diff --git a/src/conftest/conftest.h b/src/conftest/conftest.h
new file mode 100644
index 000000000..2caf9b3ce
--- /dev/null
+++ b/src/conftest/conftest.h
@@ -0,0 +1,74 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup conftest conftest
+ */
+
+#ifndef CONFTEST_H_
+#define CONFTEST_H_
+
+#include <library.h>
+#include <hydra.h>
+#include <daemon.h>
+#include <credentials/sets/mem_cred.h>
+
+#include "config.h"
+#include "actions.h"
+
+typedef struct conftest_t conftest_t;
+
+/**
+ * Global conftest variables.
+ */
+struct conftest_t {
+
+	/**
+	 * Merged suite/test configuration
+	 */
+	settings_t *test;
+
+	/**
+	 * Directory containing suite files
+	 */
+	char *suite_dir;
+
+	/**
+	 * Credentials loaded from configuration
+	 */
+	mem_cred_t *creds;
+
+	/**
+	 * Configurations loaded from config
+	 */
+	config_t *config;
+
+	/**
+	 * Loaded hooks
+	 */
+	linked_list_t *hooks;
+
+	/**
+	 * Action handling
+	 */
+	actions_t *actions;
+};
+
+/**
+ * Conftest globals
+ */
+extern conftest_t *conftest;
+
+#endif /** CONFTEST_H_ */
diff --git a/src/conftest/hooks/add_notify.c b/src/conftest/hooks/add_notify.c
new file mode 100644
index 000000000..de46ca81f
--- /dev/null
+++ b/src/conftest/hooks/add_notify.c
@@ -0,0 +1,140 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "hook.h"
+
+typedef struct private_add_notify_t private_add_notify_t;
+
+/**
+ * Private data of an add_notify_t object.
+ */
+struct private_add_notify_t {
+
+	/**
+	 * Implements the hook_t interface.
+	 */
+	hook_t hook;
+
+	/**
+	 * Alter requests or responses?
+	 */
+	bool req;
+
+	/**
+	 * ID of message to alter.
+	 */
+	int id;
+
+	/**
+	 * Notify type
+	 */
+	char *type;
+
+	/**
+	 * Notify data
+	 */
+	char *data;
+
+	/**
+	 * SPI of notify
+	 */
+	int spi;
+
+	/**
+	 * TRUE for a ESP protocol notify, FALSE for IKE
+	 */
+	bool esp;
+};
+
+METHOD(listener_t, message, bool,
+	private_add_notify_t *this, ike_sa_t *ike_sa, message_t *message,
+	bool incoming)
+{
+	if (!incoming &&
+		message->get_request(message) == this->req &&
+		message->get_message_id(message) == this->id)
+	{
+		notify_type_t type;
+		notify_payload_t *notify;
+		chunk_t data = chunk_empty;
+
+		type = atoi(this->type);
+		if (!type)
+		{
+			type = enum_from_name(notify_type_names, this->type);
+			if (type == -1)
+			{
+				DBG1(DBG_CFG, "unknown notify: '%s', skipped", this->type);
+				return TRUE;
+			}
+		}
+		if (strncaseeq(this->data, "0x", 2))
+		{
+			data = chunk_skip(chunk_create(this->data, strlen(this->data)), 2);
+			data = chunk_from_hex(data, NULL);
+		}
+		else if (this->data && strlen(this->data))
+		{
+			data = chunk_clone(chunk_create(this->data, strlen(this->data)));
+		}
+		notify = notify_payload_create_from_protocol_and_type(
+									this->esp ? PROTO_ESP : PROTO_IKE, type);
+		notify->set_spi(notify, this->spi);
+		if (data.len)
+		{
+			notify->set_notification_data(notify, data);
+			free(data.ptr);
+		}
+		message->add_payload(message, &notify->payload_interface);
+	}
+	return TRUE;
+}
+
+METHOD(hook_t, destroy, void,
+	private_add_notify_t *this)
+{
+	free(this);
+}
+
+/**
+ * Create the IKE_AUTH fill hook
+ */
+hook_t *add_notify_hook_create(char *name)
+{
+	private_add_notify_t *this;
+
+	INIT(this,
+		.hook = {
+			.listener = {
+				.message = _message,
+			},
+			.destroy = _destroy,
+		},
+		.req = conftest->test->get_bool(conftest->test,
+										"hooks.%s.request", TRUE, name),
+		.id = conftest->test->get_int(conftest->test,
+										"hooks.%s.id", 0, name),
+		.type = conftest->test->get_str(conftest->test,
+										"hooks.%s.type", "", name),
+		.data = conftest->test->get_str(conftest->test,
+										"hooks.%s.data", "", name),
+		.spi = conftest->test->get_int(conftest->test,
+										"hooks.%s.spi", 0, name),
+		.esp = conftest->test->get_bool(conftest->test,
+										"hooks.%s.esp", FALSE, name),
+	);
+
+	return &this->hook;
+}
diff --git a/src/conftest/hooks/add_payload.c b/src/conftest/hooks/add_payload.c
new file mode 100644
index 000000000..03a47cc23
--- /dev/null
+++ b/src/conftest/hooks/add_payload.c
@@ -0,0 +1,151 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "hook.h"
+
+#include <encoding/payloads/unknown_payload.h>
+
+typedef struct private_add_payload_t private_add_payload_t;
+
+/**
+ * Private data of an add_payload_t object.
+ */
+struct private_add_payload_t {
+
+	/**
+	 * Implements the hook_t interface.
+	 */
+	hook_t hook;
+
+	/**
+	 * Alter requests or responses?
+	 */
+	bool req;
+
+	/**
+	 * ID of message to alter.
+	 */
+	int id;
+
+	/**
+	 * Payload type
+	 */
+	char *type;
+
+	/**
+	 * Payload data
+	 */
+	char *data;
+
+	/**
+	 * Set critical bit of the payload
+	 */
+	bool critical;
+
+	/**
+	 * True to replace existing payload of this type
+	 */
+	bool replace;
+};
+
+METHOD(listener_t, message, bool,
+	private_add_payload_t *this, ike_sa_t *ike_sa, message_t *message,
+	bool incoming)
+{
+	if (!incoming &&
+		message->get_request(message) == this->req &&
+		message->get_message_id(message) == this->id)
+	{
+		unknown_payload_t *unknown;
+		payload_t *payload;
+		enumerator_t *enumerator;
+		chunk_t data = chunk_empty;
+		payload_type_t type;
+
+		type = atoi(this->type);
+		if (!type)
+		{
+			type = enum_from_name(payload_type_short_names, this->type);
+			if (type == -1)
+			{
+				DBG1(DBG_CFG, "unknown payload: '%s', skipped", this->type);
+				return TRUE;
+			}
+		}
+		if (this->replace)
+		{
+			enumerator = message->create_payload_enumerator(message);
+			while (enumerator->enumerate(enumerator, &payload))
+			{
+				if (payload->get_type(payload) == type)
+				{
+					message->remove_payload_at(message, enumerator);
+					payload->destroy(payload);
+					break;
+				}
+			}
+			enumerator->destroy(enumerator);
+		}
+		if (strncaseeq(this->data, "0x", 2))
+		{
+			data = chunk_skip(chunk_create(this->data, strlen(this->data)), 2);
+			data = chunk_from_hex(data, NULL);
+		}
+		else if (this->data && strlen(this->data))
+		{
+			data = chunk_clone(chunk_create(this->data, strlen(this->data)));
+		}
+		unknown = unknown_payload_create_data(type, this->critical, data);
+		message->add_payload(message, &unknown->payload_interface);
+	}
+	return TRUE;
+}
+
+METHOD(hook_t, destroy, void,
+	private_add_payload_t *this)
+{
+	free(this);
+}
+
+/**
+ * Create the IKE_AUTH fill hook
+ */
+hook_t *add_payload_hook_create(char *name)
+{
+	private_add_payload_t *this;
+
+	INIT(this,
+		.hook = {
+			.listener = {
+				.message = _message,
+			},
+			.destroy = _destroy,
+		},
+		.req = conftest->test->get_bool(conftest->test,
+										"hooks.%s.request", TRUE, name),
+		.id = conftest->test->get_int(conftest->test,
+										"hooks.%s.id", 0, name),
+		.type = conftest->test->get_str(conftest->test,
+										"hooks.%s.type", "", name),
+		.data = conftest->test->get_str(conftest->test,
+										"hooks.%s.data", "", name),
+		.critical = conftest->test->get_bool(conftest->test,
+										"hooks.%s.critical", FALSE, name),
+		.replace = conftest->test->get_bool(conftest->test,
+										"hooks.%s.replace", FALSE, name),
+	);
+
+	return &this->hook;
+}
diff --git a/src/conftest/hooks/custom_proposal.c b/src/conftest/hooks/custom_proposal.c
new file mode 100644
index 000000000..e4acd841f
--- /dev/null
+++ b/src/conftest/hooks/custom_proposal.c
@@ -0,0 +1,188 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "hook.h"
+
+#include <errno.h>
+
+#include <encoding/payloads/sa_payload.h>
+#include <config/proposal.h>
+#include <crypto/proposal/proposal_keywords.h>
+
+typedef struct private_custom_proposal_t private_custom_proposal_t;
+
+/**
+ * Private data of an custom_proposal_t object.
+ */
+struct private_custom_proposal_t {
+
+	/**
+	 * Implements the hook_t interface.
+	 */
+	hook_t hook;
+
+	/**
+	 * Alter requests or responses?
+	 */
+	bool req;
+
+	/**
+	 * ID of message to alter.
+	 */
+	int id;
+
+	/**
+	 * hook name
+	 */
+	char *name;
+};
+
+/**
+ * Load custom proposal configuration to proposal list
+ */
+static linked_list_t* load_proposals(private_custom_proposal_t *this,
+									 protocol_id_t proto, u_int64_t spi)
+{
+	enumerator_t *props, *algs;
+	char *number, *key, *value;
+	linked_list_t *list;
+
+	list = linked_list_create();
+	props = conftest->test->create_section_enumerator(conftest->test,
+													  "hooks.%s", this->name);
+	while (props->enumerate(props, &number))
+	{
+		const proposal_token_t *token = NULL;
+		proposal_t *proposal;
+		u_int16_t type, alg, keysize = 0;
+		char *end;
+
+		proposal = proposal_create(proto, atoi(number));
+		proposal->set_spi(proposal, spi);
+
+		algs = conftest->test->create_key_value_enumerator(conftest->test,
+											"hooks.%s.%s", this->name, number);
+		while (algs->enumerate(algs, &key, &value))
+		{
+			errno = 0;
+			type = strtoul(key, &end, 10);
+			if (end == key || errno)
+			{
+				type = enum_from_name(transform_type_names, key);
+				if (type == -1)
+				{
+					DBG1(DBG_CFG, "unknown transform: '%s', skipped", key);
+					continue;
+				}
+			}
+			errno = 0;
+			alg = strtoul(value, &end, 10);
+			if (end == value || errno)
+			{
+				token = proposal_get_token(value, strlen(value));
+				if (!token)
+				{
+					DBG1(DBG_CFG, "unknown algorithm: '%s', skipped", value);
+					continue;
+				}
+				keysize = token->keysize;
+				alg = token->algorithm;
+			}
+			proposal->add_algorithm(proposal, type, alg, keysize);
+		}
+		algs->destroy(algs);
+		list->insert_last(list, proposal);
+	}
+	props->destroy(props);
+	return list;
+}
+
+METHOD(listener_t, message, bool,
+	private_custom_proposal_t *this, ike_sa_t *ike_sa, message_t *message,
+	bool incoming)
+{
+	if (!incoming &&
+		message->get_request(message) == this->req &&
+		message->get_message_id(message) == this->id)
+	{
+		enumerator_t *enumerator;
+		payload_t *payload;
+		sa_payload_t *new, *old = NULL;
+		linked_list_t *new_props, *old_props;
+		proposal_t *proposal;
+
+		enumerator = message->create_payload_enumerator(message);
+		while (enumerator->enumerate(enumerator, &payload))
+		{
+			if (payload->get_type(payload) == SECURITY_ASSOCIATION)
+			{
+				old = (sa_payload_t*)payload;
+				message->remove_payload_at(message, enumerator);
+			}
+		}
+		enumerator->destroy(enumerator);
+
+		if (old)
+		{
+			old_props = old->get_proposals(old);
+			old->destroy(old);
+			enumerator = old_props->create_enumerator(old_props);
+			if (enumerator->enumerate(enumerator, &proposal))
+			{
+				new_props = load_proposals(this,
+										   proposal->get_protocol(proposal),
+										   proposal->get_spi(proposal));
+				DBG1(DBG_CFG, "injecting custom proposal: %#P", new_props);
+				new = sa_payload_create_from_proposal_list(new_props);
+				message->add_payload(message, (payload_t*)new);
+				new_props->destroy_offset(new_props, offsetof(proposal_t, destroy));
+			}
+			enumerator->destroy(enumerator);
+			old_props->destroy_offset(old_props, offsetof(proposal_t, destroy));
+		}
+	}
+	return TRUE;
+}
+
+METHOD(hook_t, destroy, void,
+	private_custom_proposal_t *this)
+{
+	free(this->name);
+	free(this);
+}
+
+/**
+ * Create the IKE_AUTH fill hook
+ */
+hook_t *custom_proposal_hook_create(char *name)
+{
+	private_custom_proposal_t *this;
+
+	INIT(this,
+		.hook = {
+			.listener = {
+				.message = _message,
+			},
+			.destroy = _destroy,
+		},
+		.req = conftest->test->get_bool(conftest->test,
+										"hooks.%s.request", TRUE, name),
+		.id = conftest->test->get_int(conftest->test,
+										"hooks.%s.id", 0, name),
+		.name = strdup(name),
+	);
+
+	return &this->hook;
+}
diff --git a/src/conftest/hooks/force_cookie.c b/src/conftest/hooks/force_cookie.c
new file mode 100644
index 000000000..e34f82851
--- /dev/null
+++ b/src/conftest/hooks/force_cookie.c
@@ -0,0 +1,117 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "hook.h"
+
+#include <encoding/payloads/unknown_payload.h>
+
+typedef struct private_force_cookie_t private_force_cookie_t;
+
+/**
+ * Private data of an force_cookie_t object.
+ */
+struct private_force_cookie_t {
+
+	/**
+	 * Implements the hook_t interface.
+	 */
+	hook_t hook;
+};
+
+METHOD(listener_t, message, bool,
+	private_force_cookie_t *this, ike_sa_t *ike_sa, message_t *message,
+	bool incoming)
+{
+	if (incoming && message->get_request(message) &&
+		message->get_exchange_type(message) == IKE_SA_INIT)
+	{
+		enumerator_t *enumerator;
+		bool has_cookie = FALSE;
+		payload_t *payload;
+
+		enumerator = message->create_payload_enumerator(message);
+		while (enumerator->enumerate(enumerator, &payload))
+		{
+			if (payload->get_type(payload) == NOTIFY)
+			{
+				notify_payload_t *notify = (notify_payload_t*)payload;
+				chunk_t data;
+
+				if (notify->get_notify_type(notify) == COOKIE)
+				{
+					data = notify->get_notification_data(notify);
+					DBG1(DBG_CFG, "received COOKIE: %#B", &data);
+					has_cookie = TRUE;
+					break;
+				}
+			}
+		}
+		enumerator->destroy(enumerator);
+		if (!has_cookie)
+		{
+			message_t *response;
+			host_t *src, *dst;
+			packet_t *packet;
+			ike_sa_id_t *ike_sa_id;
+			chunk_t data = chunk_from_thing("COOKIE test data");
+
+			DBG1(DBG_CFG, "sending COOKIE: %#B", &data);
+			response = message_create();
+			dst = message->get_source(message);
+			src = message->get_destination(message);
+			response->set_source(response, src->clone(src));
+			response->set_destination(response, dst->clone(dst));
+			response->set_exchange_type(response, IKE_SA_INIT);
+			response->set_request(response, FALSE);
+			response->set_message_id(response, 0);
+			ike_sa_id = message->get_ike_sa_id(message);
+			ike_sa_id->switch_initiator(ike_sa_id);
+			response->set_ike_sa_id(response, ike_sa_id);
+			response->add_notify(response, FALSE, COOKIE, data);
+			if (response->generate(response, NULL, &packet) == SUCCESS)
+			{
+				charon->sender->send(charon->sender, packet);
+				response->destroy(response);
+			}
+			message->set_exchange_type(message, EXCHANGE_TYPE_UNDEFINED);
+		}
+	}
+	return TRUE;
+}
+
+METHOD(hook_t, destroy, void,
+	private_force_cookie_t *this)
+{
+	free(this);
+}
+
+/**
+ * Create the IKE_AUTH fill hook
+ */
+hook_t *force_cookie_hook_create(char *name)
+{
+	private_force_cookie_t *this;
+
+	INIT(this,
+		.hook = {
+			.listener = {
+				.message = _message,
+			},
+			.destroy = _destroy,
+		},
+	);
+
+	return &this->hook;
+}
diff --git a/src/conftest/hooks/hook.h b/src/conftest/hooks/hook.h
new file mode 100644
index 000000000..39a15f21b
--- /dev/null
+++ b/src/conftest/hooks/hook.h
@@ -0,0 +1,45 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup hook hook
+ * @{ @ingroup hooks
+ */
+
+#ifndef HOOK_H_
+#define HOOK_H_
+
+typedef struct hook_t hook_t;
+
+#include <daemon.h>
+#include <conftest.h>
+
+/**
+ * Hook providing interface.
+ */
+struct hook_t {
+
+	/**
+	 * Implements listener_t.
+	 */
+	listener_t listener;
+
+	/**
+	 * Destroy a hook_t.
+	 */
+	void (*destroy)(hook_t *this);
+};
+
+#endif /** HOOK_H_ @}*/
diff --git a/src/conftest/hooks/ignore_message.c b/src/conftest/hooks/ignore_message.c
new file mode 100644
index 000000000..210f3ac50
--- /dev/null
+++ b/src/conftest/hooks/ignore_message.c
@@ -0,0 +1,89 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "hook.h"
+
+typedef struct private_ignore_message_t private_ignore_message_t;
+
+/**
+ * Private data of an ignore_message_t object.
+ */
+struct private_ignore_message_t {
+
+	/**
+	 * Implements the hook_t interface.
+	 */
+	hook_t hook;
+
+	/**
+	 * Drop incoming or outgoing?
+	 */
+	bool in;
+
+	/**
+	 * Drop requests or responses?
+	 */
+	bool req;
+
+	/**
+	 * ID of message to drop.
+	 */
+	int id;
+};
+
+METHOD(listener_t, message, bool,
+	private_ignore_message_t *this, ike_sa_t *ike_sa, message_t *message,
+	bool incoming)
+{
+	if (incoming == this->in &&
+		message->get_request(message) == this->req &&
+		message->get_message_id(message) == this->id)
+	{
+		DBG1(DBG_CFG, "ignoring message");
+		message->set_exchange_type(message, EXCHANGE_TYPE_UNDEFINED);
+	}
+	return TRUE;
+}
+
+METHOD(hook_t, destroy, void,
+	private_ignore_message_t *this)
+{
+	free(this);
+}
+
+/**
+ * Create the ignore_message hook
+ */
+hook_t *ignore_message_hook_create(char *name)
+{
+	private_ignore_message_t *this;
+
+	INIT(this,
+		.hook = {
+			.listener = {
+				.message = _message,
+			},
+			.destroy = _destroy,
+		},
+		.in = conftest->test->get_bool(conftest->test,
+										"hooks.%s.inbound", TRUE, name),
+		.req = conftest->test->get_bool(conftest->test,
+										"hooks.%s.request", TRUE, name),
+		.id = conftest->test->get_int(conftest->test,
+										"hooks.%s.id", 0, name),
+	);
+
+	return &this->hook;
+}
diff --git a/src/conftest/hooks/ike_auth_fill.c b/src/conftest/hooks/ike_auth_fill.c
new file mode 100644
index 000000000..2843d60c1
--- /dev/null
+++ b/src/conftest/hooks/ike_auth_fill.c
@@ -0,0 +1,145 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "hook.h"
+
+#include <time.h>
+#include <netinet/udp.h>
+
+#include <encoding/payloads/cert_payload.h>
+#include <encoding/payloads/encryption_payload.h>
+
+typedef struct private_ike_auth_fill_t private_ike_auth_fill_t;
+
+/**
+ * Private data of an ike_auth_fill_t object.
+ */
+struct private_ike_auth_fill_t {
+
+	/**
+	 * Implements the hook_t interface.
+	 */
+	hook_t hook;
+
+	/**
+	 * Alter requests or responses?
+	 */
+	bool req;
+
+	/**
+	 * ID of message to alter.
+	 */
+	int id;
+
+	/**
+	 * Number of bytes to fill IKE_AUTH up
+	 */
+	int bytes;
+};
+
+/** size of non ESP-Marker */
+#define NON_ESP_MARKER_LEN 4
+
+/**
+ * Calculate packet size on wire (without ethernet/IP header)
+ */
+static size_t calculate_wire_size(message_t *message, ike_sa_t *ike_sa)
+{
+	enumerator_t *enumerator;
+	payload_t *payload;
+	size_t size = 0;
+
+	enumerator = message->create_payload_enumerator(message);
+	while (enumerator->enumerate(enumerator, &payload))
+	{
+		size += payload->get_length(payload);
+	}
+	enumerator->destroy(enumerator);
+
+	if (message->get_exchange_type(message) != IKE_SA_INIT)
+	{
+		keymat_t *keymat;
+		aead_t *aead;
+		size_t  bs;
+
+		keymat = ike_sa->get_keymat(ike_sa);
+		aead = keymat->get_aead(keymat, FALSE);
+		if (aead)
+		{
+			bs = aead->get_block_size(aead);
+			size += ENCRYPTION_PAYLOAD_HEADER_LENGTH + NON_ESP_MARKER_LEN +
+				aead->get_icv_size(aead) + aead->get_iv_size(aead) +
+				(bs - (size % bs));
+		}
+	}
+	return sizeof(struct udphdr) + IKE_HEADER_LENGTH + size;
+}
+
+METHOD(listener_t, message, bool,
+	private_ike_auth_fill_t *this, ike_sa_t *ike_sa, message_t *message,
+	bool incoming)
+{
+	if (!incoming &&
+		message->get_request(message) == this->req &&
+		message->get_message_id(message) == this->id)
+	{
+		cert_payload_t *pld;
+		size_t size, diff;
+		chunk_t data;
+
+		size = calculate_wire_size(message, ike_sa);
+		if (size < this->bytes - CERT_PAYLOAD_HEADER_LENGTH)
+		{
+			diff = this->bytes - size - CERT_PAYLOAD_HEADER_LENGTH;
+			data = chunk_alloc(diff);
+			memset(data.ptr, 0x12, data.len);
+			pld = cert_payload_create_custom(201, data);
+			message->add_payload(message, &pld->payload_interface);
+			DBG1(DBG_CFG, "inserting %d dummy bytes certificate payload", diff);
+		}
+	}
+	return TRUE;
+}
+
+METHOD(hook_t, destroy, void,
+	private_ike_auth_fill_t *this)
+{
+	free(this);
+}
+
+/**
+ * Create the IKE_AUTH fill hook
+ */
+hook_t *ike_auth_fill_hook_create(char *name)
+{
+	private_ike_auth_fill_t *this;
+
+	INIT(this,
+		.hook = {
+			.listener = {
+				.message = _message,
+			},
+			.destroy = _destroy,
+		},
+		.req = conftest->test->get_bool(conftest->test,
+										"hooks.%s.request", TRUE, name),
+		.id = conftest->test->get_int(conftest->test,
+										"hooks.%s.id", 1, name),
+		.bytes = conftest->test->get_int(conftest->test,
+										"hooks.%s.bytes", 0, name),
+	);
+
+	return &this->hook;
+}
diff --git a/src/conftest/hooks/log_id.c b/src/conftest/hooks/log_id.c
new file mode 100644
index 000000000..ad14cea10
--- /dev/null
+++ b/src/conftest/hooks/log_id.c
@@ -0,0 +1,89 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "hook.h"
+
+#include <encoding/payloads/id_payload.h>
+
+typedef struct private_log_id_t private_log_id_t;
+
+/**
+ * Private data of an log_id_t object.
+ */
+struct private_log_id_t {
+
+	/**
+	 * Implements the hook_t interface.
+	 */
+	hook_t hook;
+};
+
+METHOD(listener_t, message, bool,
+	private_log_id_t *this, ike_sa_t *ike_sa, message_t *message,
+	bool incoming)
+{
+	if (incoming)
+	{
+		enumerator_t *enumerator;
+		payload_t *payload;
+		id_payload_t *id_payload;
+		identification_t *id;
+		chunk_t data;
+
+		enumerator = message->create_payload_enumerator(message);
+		while (enumerator->enumerate(enumerator, &payload))
+		{
+			if (payload->get_type(payload) == ID_INITIATOR ||
+				payload->get_type(payload) == ID_RESPONDER)
+			{
+				id_payload = (id_payload_t*)payload;
+				id = id_payload->get_identification(id_payload);
+				data = id->get_encoding(id);
+
+				DBG1(DBG_CFG, "%N: %N %B",
+					 payload_type_short_names, payload->get_type(payload),
+					 id_type_names, id->get_type(id), &data);
+				id->destroy(id);
+			}
+		}
+		enumerator->destroy(enumerator);
+	}
+	return TRUE;
+}
+
+METHOD(hook_t, destroy, void,
+	private_log_id_t *this)
+{
+	free(this);
+}
+
+/**
+ * Create the IKE_AUTH fill hook
+ */
+hook_t *log_id_hook_create(char *name)
+{
+	private_log_id_t *this;
+
+	INIT(this,
+		.hook = {
+			.listener = {
+				.message = _message,
+			},
+			.destroy = _destroy,
+		},
+	);
+
+	return &this->hook;
+}
diff --git a/src/conftest/hooks/log_ke.c b/src/conftest/hooks/log_ke.c
new file mode 100644
index 000000000..231c0a8d8
--- /dev/null
+++ b/src/conftest/hooks/log_ke.c
@@ -0,0 +1,81 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "hook.h"
+
+#include <encoding/payloads/ke_payload.h>
+
+typedef struct private_log_ke_t private_log_ke_t;
+
+/**
+ * Private data of an log_ke_t object.
+ */
+struct private_log_ke_t {
+
+	/**
+	 * Implements the hook_t interface.
+	 */
+	hook_t hook;
+};
+
+METHOD(listener_t, message, bool,
+	private_log_ke_t *this, ike_sa_t *ike_sa, message_t *message,
+	bool incoming)
+{
+	if (incoming)
+	{
+		enumerator_t *enumerator;
+		payload_t *payload;
+		ke_payload_t *ke;
+
+		enumerator = message->create_payload_enumerator(message);
+		while (enumerator->enumerate(enumerator, &payload))
+		{
+			if (payload->get_type(payload) == KEY_EXCHANGE)
+			{
+				ke = (ke_payload_t*)payload;
+				DBG1(DBG_CFG, "received DH group %N",
+					 diffie_hellman_group_names, ke->get_dh_group_number(ke));
+			}
+		}
+		enumerator->destroy(enumerator);
+	}
+	return TRUE;
+}
+
+METHOD(hook_t, destroy, void,
+	private_log_ke_t *this)
+{
+	free(this);
+}
+
+/**
+ * Create the IKE_AUTH fill hook
+ */
+hook_t *log_ke_hook_create(char *name)
+{
+	private_log_ke_t *this;
+
+	INIT(this,
+		.hook = {
+			.listener = {
+				.message = _message,
+			},
+			.destroy = _destroy,
+		},
+	);
+
+	return &this->hook;
+}
diff --git a/src/conftest/hooks/log_proposals.c b/src/conftest/hooks/log_proposals.c
new file mode 100644
index 000000000..8c330ab3d
--- /dev/null
+++ b/src/conftest/hooks/log_proposals.c
@@ -0,0 +1,98 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "hook.h"
+
+#include <encoding/payloads/sa_payload.h>
+
+typedef struct private_log_proposals_t private_log_proposals_t;
+
+/**
+ * Private data of an log_proposals_t object.
+ */
+struct private_log_proposals_t {
+
+	/**
+	 * Implements the hook_t interface.
+	 */
+	hook_t hook;
+};
+
+METHOD(listener_t, message, bool,
+	private_log_proposals_t *this, ike_sa_t *ike_sa, message_t *message,
+	bool incoming)
+{
+	if (incoming)
+	{
+		enumerator_t *enumerator, *proposals;
+		payload_t *payload;
+		linked_list_t *list;
+		sa_payload_t *sa;
+		proposal_t *proposal;
+
+		enumerator = message->create_payload_enumerator(message);
+		while (enumerator->enumerate(enumerator, &payload))
+		{
+			if (payload->get_type(payload) == SECURITY_ASSOCIATION)
+			{
+				sa = (sa_payload_t*)payload;
+				list = sa->get_proposals(sa);
+				DBG1(DBG_CFG, "received %d proposal%s:", list->get_count(list),
+					 list->get_count(list) == 1 ? "" : "s");
+				proposals = list->create_enumerator(list);
+				while (proposals->enumerate(proposals, &proposal))
+				{
+					u_int64_t spi = proposal->get_spi(proposal);
+
+					if (proposal->get_protocol(proposal) != PROTO_IKE)
+					{
+						spi = htonl(spi);
+					}
+					DBG1(DBG_CFG, "  %d (SPI 0x%llx): %P",
+						 proposal->get_number(proposal), spi, proposal);
+				}
+				proposals->destroy(proposals);
+				list->destroy_offset(list, offsetof(proposal_t, destroy));
+			}
+		}
+		enumerator->destroy(enumerator);
+	}
+	return TRUE;
+}
+
+METHOD(hook_t, destroy, void,
+	private_log_proposals_t *this)
+{
+	free(this);
+}
+
+/**
+ * Create the IKE_AUTH fill hook
+ */
+hook_t *log_proposals_hook_create(char *name)
+{
+	private_log_proposals_t *this;
+
+	INIT(this,
+		.hook = {
+			.listener = {
+				.message = _message,
+			},
+			.destroy = _destroy,
+		},
+	);
+
+	return &this->hook;
+}
diff --git a/src/conftest/hooks/log_ts.c b/src/conftest/hooks/log_ts.c
new file mode 100644
index 000000000..dacc7a58c
--- /dev/null
+++ b/src/conftest/hooks/log_ts.c
@@ -0,0 +1,86 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "hook.h"
+
+#include <encoding/payloads/ts_payload.h>
+
+typedef struct private_log_ts_t private_log_ts_t;
+
+/**
+ * Private data of an log_ts_t object.
+ */
+struct private_log_ts_t {
+
+	/**
+	 * Implements the hook_t interface.
+	 */
+	hook_t hook;
+};
+
+METHOD(listener_t, message, bool,
+	private_log_ts_t *this, ike_sa_t *ike_sa, message_t *message,
+	bool incoming)
+{
+	if (incoming)
+	{
+		enumerator_t *enumerator;
+		payload_t *payload;
+		linked_list_t *list;
+		ts_payload_t *ts;
+
+		enumerator = message->create_payload_enumerator(message);
+		while (enumerator->enumerate(enumerator, &payload))
+		{
+			if (payload->get_type(payload) == TRAFFIC_SELECTOR_INITIATOR ||
+				payload->get_type(payload) == TRAFFIC_SELECTOR_RESPONDER)
+			{
+				ts = (ts_payload_t*)payload;
+				list = ts->get_traffic_selectors(ts);
+
+				DBG1(DBG_CFG, "received %N: %#R",
+					 payload_type_short_names, payload->get_type(payload), list);
+				list->destroy_offset(list, offsetof(traffic_selector_t, destroy));
+			}
+		}
+		enumerator->destroy(enumerator);
+	}
+	return TRUE;
+}
+
+METHOD(hook_t, destroy, void,
+	private_log_ts_t *this)
+{
+	free(this);
+}
+
+/**
+ * Create the IKE_AUTH fill hook
+ */
+hook_t *log_ts_hook_create(char *name)
+{
+	private_log_ts_t *this;
+
+	INIT(this,
+		.hook = {
+			.listener = {
+				.message = _message,
+			},
+			.destroy = _destroy,
+		},
+	);
+
+	return &this->hook;
+}
diff --git a/src/conftest/hooks/pretend_auth.c b/src/conftest/hooks/pretend_auth.c
new file mode 100644
index 000000000..4b7168cac
--- /dev/null
+++ b/src/conftest/hooks/pretend_auth.c
@@ -0,0 +1,386 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "hook.h"
+
+#include <encoding/payloads/nonce_payload.h>
+#include <encoding/payloads/cert_payload.h>
+#include <encoding/payloads/auth_payload.h>
+#include <encoding/payloads/id_payload.h>
+#include <encoding/payloads/sa_payload.h>
+#include <encoding/payloads/ts_payload.h>
+
+typedef struct private_pretend_auth_t private_pretend_auth_t;
+
+/**
+ * Private data of an pretend_auth_t object.
+ */
+struct private_pretend_auth_t {
+
+	/**
+	 * Implements the hook_t interface.
+	 */
+	hook_t hook;
+
+	/**
+	 * remote peer identity
+	 */
+	identification_t *id;
+
+	/**
+	 * reserved bytes of ID payload
+	 */
+	char reserved[3];
+
+	/**
+	 * IKE_SA_INIT data for signature
+	 */
+	chunk_t ike_init;
+
+	/**
+	 * Nonce for signature
+	 */
+	chunk_t nonce;
+
+	/**
+	 * Selected CHILD_SA proposal
+	 */
+	proposal_t *proposal;
+
+	/**
+	 * List of initiators Traffic Selectors
+	 */
+	linked_list_t *tsi;
+
+	/**
+	 * List of responders Traffic Selectors
+	 */
+	linked_list_t *tsr;
+};
+
+/**
+ * Process IKE_SA_INIT request message, outgoing
+ */
+static void process_init_request(private_pretend_auth_t *this,
+								 ike_sa_t *ike_sa, message_t *message)
+{
+	nonce_payload_t *nonce;
+
+	nonce = (nonce_payload_t*)message->get_payload(message, NONCE);
+	if (nonce)
+	{
+		free(this->nonce.ptr);
+		this->nonce = nonce->get_nonce(nonce);
+	}
+}
+
+/**
+ * Process IKE_AUTH request message, outgoing
+ */
+static void process_auth_request(private_pretend_auth_t *this,
+								 ike_sa_t *ike_sa, message_t *message)
+{
+	id_payload_t *id;
+	sa_payload_t *sa;
+	ts_payload_t *tsi, *tsr;
+	linked_list_t *proposals;
+
+	id = (id_payload_t*)message->get_payload(message, ID_RESPONDER);
+	if (id)
+	{
+		this->id->destroy(this->id);
+		this->id = id->get_identification(id);
+	}
+	sa = (sa_payload_t*)message->get_payload(message, SECURITY_ASSOCIATION);
+	if (sa)
+	{
+		proposals = sa->get_proposals(sa);
+		proposals->remove_first(proposals, (void**)&this->proposal);
+		if (this->proposal)
+		{
+			this->proposal->set_spi(this->proposal, htonl(0x12345678));
+		}
+		proposals->destroy_offset(proposals, offsetof(proposal_t, destroy));
+	}
+	tsi = (ts_payload_t*)message->get_payload(message,
+											  TRAFFIC_SELECTOR_INITIATOR);
+	if (tsi)
+	{
+		this->tsi = tsi->get_traffic_selectors(tsi);
+	}
+	tsr = (ts_payload_t*)message->get_payload(message,
+											  TRAFFIC_SELECTOR_RESPONDER);
+	if (tsr)
+	{
+		this->tsr = tsr->get_traffic_selectors(tsr);
+	}
+
+}
+
+/**
+ * Process IKE_SA_INIT response message, incoming
+ */
+static void process_init_response(private_pretend_auth_t *this,
+								  ike_sa_t *ike_sa, message_t *message)
+{
+	this->ike_init = message->get_packet_data(message);
+}
+
+/**
+ * Build CERT payloads
+ */
+static void build_certs(private_pretend_auth_t *this,
+						ike_sa_t *ike_sa, message_t *message, auth_cfg_t *auth)
+{
+	enumerator_t *enumerator;
+	cert_payload_t *payload;
+	certificate_t *cert;
+	auth_rule_t type;
+
+	/* get subject cert first, then issuing certificates */
+	cert = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
+	if (cert)
+	{
+		payload = cert_payload_create_from_cert(cert);
+		if (payload)
+		{
+			DBG1(DBG_IKE, "pretending end entity cert \"%Y\"",
+				 cert->get_subject(cert));
+			message->add_payload(message, (payload_t*)payload);
+		}
+	}
+	enumerator = auth->create_enumerator(auth);
+	while (enumerator->enumerate(enumerator, &type, &cert))
+	{
+		if (type == AUTH_RULE_IM_CERT)
+		{
+			payload = cert_payload_create_from_cert(cert);
+			if (payload)
+			{
+				DBG1(DBG_IKE, "pretending issuer cert \"%Y\"",
+					 cert->get_subject(cert));
+				message->add_payload(message, (payload_t*)payload);
+			}
+		}
+	}
+	enumerator->destroy(enumerator);
+}
+
+/**
+ * Build faked AUTH payload
+ */
+static bool build_auth(private_pretend_auth_t *this,
+					   ike_sa_t *ike_sa, message_t *message)
+{
+	chunk_t octets, auth_data;
+	private_key_t *private;
+	auth_cfg_t *auth;
+	auth_payload_t *auth_payload;
+	auth_method_t auth_method;
+	signature_scheme_t scheme;
+	keymat_t *keymat;
+
+	auth = auth_cfg_create();
+	private = lib->credmgr->get_private(lib->credmgr, KEY_ANY, this->id, auth);
+	build_certs(this, ike_sa, message, auth);
+	auth->destroy(auth);
+	if (private == NULL)
+	{
+		DBG1(DBG_CFG, "no private key found for '%Y' to pretend AUTH", this->id);
+		return FALSE;
+	}
+
+	switch (private->get_type(private))
+	{
+		case KEY_RSA:
+			scheme = SIGN_RSA_EMSA_PKCS1_SHA1;
+			auth_method = AUTH_RSA;
+			break;
+		case KEY_ECDSA:
+			/* we try to deduct the signature scheme from the keysize */
+			switch (private->get_keysize(private))
+			{
+				case 256:
+					scheme = SIGN_ECDSA_256;
+					auth_method = AUTH_ECDSA_256;
+					break;
+				case 384:
+					scheme = SIGN_ECDSA_384;
+					auth_method = AUTH_ECDSA_384;
+					break;
+				case 521:
+					scheme = SIGN_ECDSA_521;
+					auth_method = AUTH_ECDSA_521;
+					break;
+				default:
+					DBG1(DBG_CFG, "%d bit ECDSA private key size not supported",
+							private->get_keysize(private));
+					return FALSE;
+			}
+			break;
+		default:
+			DBG1(DBG_CFG, "private key of type %N not supported",
+					key_type_names, private->get_type(private));
+			return FALSE;
+	}
+	keymat = ike_sa->get_keymat(ike_sa);
+	octets = keymat->get_auth_octets(keymat, TRUE, this->ike_init,
+									 this->nonce, this->id, this->reserved);
+	if (!private->sign(private, scheme, octets, &auth_data))
+	{
+		chunk_free(&octets);
+		private->destroy(private);
+		return FALSE;
+	}
+	auth_payload = auth_payload_create();
+	auth_payload->set_auth_method(auth_payload, auth_method);
+	auth_payload->set_data(auth_payload, auth_data);
+	chunk_free(&auth_data);
+	chunk_free(&octets);
+	private->destroy(private);
+	message->add_payload(message, (payload_t*)auth_payload);
+	DBG1(DBG_CFG, "pretending AUTH payload for '%Y' with %N",
+		 this->id, auth_method_names, auth_method);
+	return TRUE;
+}
+
+/**
+ * Process IKE_AUTH response message, incoming
+ */
+static void process_auth_response(private_pretend_auth_t *this,
+								  ike_sa_t *ike_sa, message_t *message)
+{
+	enumerator_t *enumerator;
+	payload_t *payload;
+
+	/* check for, and remove AUTHENTICATION_FAILED notify */
+	enumerator = message->create_payload_enumerator(message);
+	while (enumerator->enumerate(enumerator, &payload))
+	{
+		notify_payload_t *notify = (notify_payload_t*)payload;
+
+		if (payload->get_type(payload) != NOTIFY ||
+			notify->get_notify_type(notify) != AUTHENTICATION_FAILED)
+		{
+			DBG1(DBG_CFG, "no %N notify found, disabling AUTH pretending",
+				 notify_type_names, AUTHENTICATION_FAILED);
+			enumerator->destroy(enumerator);
+			return;
+		}
+		message->remove_payload_at(message, enumerator);
+		payload->destroy(payload);
+	}
+	enumerator->destroy(enumerator);
+
+	if (!build_auth(this, ike_sa, message))
+	{
+		message->add_notify(message, TRUE, AUTHENTICATION_FAILED, chunk_empty);
+		return;
+	}
+	message->add_payload(message, (payload_t*)
+				id_payload_create_from_identification(ID_RESPONDER, this->id));
+	if (this->proposal)
+	{
+		message->add_payload(message, (payload_t*)
+					sa_payload_create_from_proposal(this->proposal));
+	}
+	if (this->tsi)
+	{
+		message->add_payload(message, (payload_t*)
+					ts_payload_create_from_traffic_selectors(TRUE, this->tsi));
+	}
+	if (this->tsr)
+	{
+		message->add_payload(message, (payload_t*)
+					ts_payload_create_from_traffic_selectors(FALSE, this->tsr));
+	}
+}
+
+METHOD(listener_t, message, bool,
+	private_pretend_auth_t *this, ike_sa_t *ike_sa, message_t *message,
+	bool incoming)
+{
+	if (incoming)
+	{
+		if (!message->get_request(message))
+		{
+			if (message->get_exchange_type(message) == IKE_SA_INIT)
+			{
+				process_init_response(this, ike_sa, message);
+			}
+			if (message->get_exchange_type(message) == IKE_AUTH &&
+				message->get_message_id(message) == 1)
+			{
+				process_auth_response(this, ike_sa, message);
+			}
+		}
+	}
+	else
+	{
+		if (message->get_request(message))
+		{
+			if (message->get_exchange_type(message) == IKE_SA_INIT)
+			{
+				process_init_request(this, ike_sa, message);
+			}
+			if (message->get_exchange_type(message) == IKE_AUTH &&
+				message->get_message_id(message) == 1)
+			{
+				process_auth_request(this, ike_sa, message);
+			}
+		}
+	}
+	return TRUE;
+}
+
+METHOD(hook_t, destroy, void,
+	private_pretend_auth_t *this)
+{
+	if (this->tsi)
+	{
+		this->tsi->destroy_offset(this->tsi, offsetof(traffic_selector_t, destroy));
+	}
+	if (this->tsr)
+	{
+		this->tsr->destroy_offset(this->tsr, offsetof(traffic_selector_t, destroy));
+	}
+	DESTROY_IF(this->proposal);
+	this->id->destroy(this->id);
+	free(this->ike_init.ptr);
+	free(this->nonce.ptr);
+	free(this);
+}
+
+/**
+ * Create the IKE_AUTH fill hook
+ */
+hook_t *pretend_auth_hook_create(char *name)
+{
+	private_pretend_auth_t *this;
+
+	INIT(this,
+		.hook = {
+			.listener = {
+				.message = _message,
+			},
+			.destroy = _destroy,
+		},
+		.id = identification_create_from_string(
+				conftest->test->get_str(conftest->test,
+										"hooks.%s.peer", "%any", name)),
+	);
+
+	return &this->hook;
+}
diff --git a/src/conftest/hooks/rebuild_auth.c b/src/conftest/hooks/rebuild_auth.c
new file mode 100644
index 000000000..993c952e0
--- /dev/null
+++ b/src/conftest/hooks/rebuild_auth.c
@@ -0,0 +1,243 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "hook.h"
+
+#include <encoding/generator.h>
+#include <encoding/payloads/nonce_payload.h>
+#include <encoding/payloads/auth_payload.h>
+#include <encoding/payloads/id_payload.h>
+
+typedef struct private_rebuild_auth_t private_rebuild_auth_t;
+
+/**
+ * Private data of an rebuild_auth_t object.
+ */
+struct private_rebuild_auth_t {
+
+	/**
+	 * Implements the hook_t interface.
+	 */
+	hook_t hook;
+
+	/**
+	 * Our IKE_SA_INIT data, required to rebuild AUTH
+	 */
+	chunk_t ike_init;
+
+	/**
+	 * Received NONCE, required to rebuild AUTH
+	 */
+	chunk_t nonce;
+
+	/**
+	 * ID to use for key lookup, if not from IDi
+	 */
+	identification_t *id;
+};
+
+/**
+ * Rebuild our AUTH data
+ */
+static bool rebuild_auth(private_rebuild_auth_t *this, ike_sa_t *ike_sa,
+						 message_t *message)
+{
+	enumerator_t *enumerator;
+	chunk_t octets, auth_data;
+	private_key_t *private;
+	auth_cfg_t *auth;
+	payload_t *payload;
+	auth_payload_t *auth_payload;
+	auth_method_t auth_method;
+	signature_scheme_t scheme;
+	keymat_t *keymat;
+	identification_t *id;
+	char reserved[3];
+	generator_t *generator;
+	chunk_t data;
+	u_int32_t *lenpos;
+
+	payload = message->get_payload(message,
+					message->get_request(message) ? ID_INITIATOR : ID_RESPONDER);
+	if (!payload)
+	{
+		DBG1(DBG_CFG, "ID payload not found to rebuild AUTH");
+		return FALSE;
+	}
+
+	generator = generator_create();
+	generator->generate_payload(generator, payload);
+	data = generator->get_chunk(generator, &lenpos);
+	if (data.len < 8)
+	{
+		DBG1(DBG_CFG, "ID payload invalid to rebuild AUTH");
+		generator->destroy(generator);
+		return FALSE;
+	}
+	memcpy(reserved, data.ptr + 5, 3);
+	id = identification_create_from_encoding(data.ptr[4], chunk_skip(data, 8));
+	generator->destroy(generator);
+
+	auth = auth_cfg_create();
+	private = lib->credmgr->get_private(lib->credmgr, KEY_ANY,
+										this->id ?: id, auth);
+	auth->destroy(auth);
+	if (private == NULL)
+	{
+		DBG1(DBG_CFG, "no private key found for '%Y' to rebuild AUTH",
+			 this->id ?: id);
+		id->destroy(id);
+		return FALSE;
+	}
+
+	switch (private->get_type(private))
+	{
+		case KEY_RSA:
+			scheme = SIGN_RSA_EMSA_PKCS1_SHA1;
+			auth_method = AUTH_RSA;
+			break;
+		case KEY_ECDSA:
+			/* we try to deduct the signature scheme from the keysize */
+			switch (private->get_keysize(private))
+			{
+				case 256:
+					scheme = SIGN_ECDSA_256;
+					auth_method = AUTH_ECDSA_256;
+					break;
+				case 384:
+					scheme = SIGN_ECDSA_384;
+					auth_method = AUTH_ECDSA_384;
+					break;
+				case 521:
+					scheme = SIGN_ECDSA_521;
+					auth_method = AUTH_ECDSA_521;
+					break;
+				default:
+					DBG1(DBG_CFG, "%d bit ECDSA private key size not supported",
+							private->get_keysize(private));
+					id->destroy(id);
+					return FALSE;
+			}
+			break;
+		default:
+			DBG1(DBG_CFG, "private key of type %N not supported",
+					key_type_names, private->get_type(private));
+			id->destroy(id);
+			return FALSE;
+	}
+	keymat = ike_sa->get_keymat(ike_sa);
+	octets = keymat->get_auth_octets(keymat, FALSE, this->ike_init,
+									 this->nonce, id, reserved);
+	if (!private->sign(private, scheme, octets, &auth_data))
+	{
+		chunk_free(&octets);
+		private->destroy(private);
+		id->destroy(id);
+		return FALSE;
+	}
+	auth_payload = auth_payload_create();
+	auth_payload->set_auth_method(auth_payload, auth_method);
+	auth_payload->set_data(auth_payload, auth_data);
+	chunk_free(&auth_data);
+	chunk_free(&octets);
+	private->destroy(private);
+
+	enumerator = message->create_payload_enumerator(message);
+	while (enumerator->enumerate(enumerator, &payload))
+	{
+		if (payload->get_type(payload) == AUTHENTICATION)
+		{
+			message->remove_payload_at(message, enumerator);
+			payload->destroy(payload);
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	message->add_payload(message, (payload_t*)auth_payload);
+	DBG1(DBG_CFG, "rebuilding AUTH payload for '%Y' with %N",
+		 id, auth_method_names, auth_method);
+	id->destroy(id);
+	return TRUE;
+}
+
+METHOD(listener_t, message, bool,
+	private_rebuild_auth_t *this, ike_sa_t *ike_sa, message_t *message,
+	bool incoming)
+{
+	if (!incoming && message->get_message_id(message) == 1)
+	{
+		rebuild_auth(this, ike_sa, message);
+	}
+	if (message->get_exchange_type(message) == IKE_SA_INIT)
+	{
+		if (incoming)
+		{
+			nonce_payload_t *nonce;
+
+			nonce = (nonce_payload_t*)message->get_payload(message, NONCE);
+			if (nonce)
+			{
+				free(this->nonce.ptr);
+				this->nonce = nonce->get_nonce(nonce);
+			}
+		}
+		else
+		{
+			packet_t *packet;
+
+			if (message->generate(message, NULL, &packet) == SUCCESS)
+			{
+				free(this->ike_init.ptr);
+				this->ike_init = chunk_clone(packet->get_data(packet));
+				packet->destroy(packet);
+			}
+		}
+	}
+	return TRUE;
+}
+
+METHOD(hook_t, destroy, void,
+	private_rebuild_auth_t *this)
+{
+	free(this->ike_init.ptr);
+	free(this->nonce.ptr);
+	DESTROY_IF(this->id);
+	free(this);
+}
+
+/**
+ * Create the IKE_AUTH fill hook
+ */
+hook_t *rebuild_auth_hook_create(char *name)
+{
+	private_rebuild_auth_t *this;
+	char *id;
+
+	INIT(this,
+		.hook = {
+			.listener = {
+				.message = _message,
+			},
+			.destroy = _destroy,
+		},
+	);
+	id = conftest->test->get_str(conftest->test, "hooks.%s.key", NULL, name);
+	if (id)
+	{
+		this->id = identification_create_from_string(id);
+	}
+
+	return &this->hook;
+}
diff --git a/src/conftest/hooks/reset_seq.c b/src/conftest/hooks/reset_seq.c
new file mode 100644
index 000000000..ccf8e997d
--- /dev/null
+++ b/src/conftest/hooks/reset_seq.c
@@ -0,0 +1,158 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "hook.h"
+
+#include <linux/xfrm.h>
+#include <unistd.h>
+#include <errno.h>
+
+#include <processing/jobs/callback_job.h>
+#include <plugins/kernel_netlink/kernel_netlink_shared.h>
+
+#define XFRM_RTA(nlh, x) ((struct rtattr*)(NLMSG_DATA(nlh) + NLMSG_ALIGN(sizeof(x))))
+
+typedef struct private_reset_seq_t private_reset_seq_t;
+
+/**
+ * Private data of an reset_seq_t object.
+ */
+struct private_reset_seq_t {
+
+	/**
+	 * Implements the hook_t interface.
+	 */
+	hook_t hook;
+
+	/**
+	 * Delay for reset
+	 */
+	int delay;
+};
+
+/**
+ * Callback job
+ */
+static job_requeue_t reset_cb(struct xfrm_usersa_id *data)
+{
+	netlink_buf_t request;
+	struct nlmsghdr *hdr;
+	struct xfrm_aevent_id *id;
+	struct rtattr *rthdr;
+	struct xfrm_replay_state *replay;
+	struct sockaddr_nl addr;
+	int s, len;
+
+	DBG1(DBG_CFG, "resetting sequence number of SPI 0x%x", htonl(data->spi));
+
+	memset(&request, 0, sizeof(request));
+
+	hdr = (struct nlmsghdr*)request;
+	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | NLM_F_REPLACE;
+	hdr->nlmsg_seq = 201;
+	hdr->nlmsg_pid = getpid();
+	hdr->nlmsg_type = XFRM_MSG_NEWAE;
+	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_aevent_id));
+
+	id = (struct xfrm_aevent_id*)NLMSG_DATA(hdr);
+	id->sa_id = *data;
+
+	rthdr = XFRM_RTA(hdr, struct xfrm_aevent_id);
+	rthdr->rta_type = XFRMA_REPLAY_VAL;
+	rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_replay_state));
+	hdr->nlmsg_len += rthdr->rta_len;
+
+	replay = (struct xfrm_replay_state*)RTA_DATA(rthdr);
+
+	s = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);
+	if (s == -1)
+	{
+		DBG1(DBG_CFG, "opening XFRM socket failed: %s", strerror(errno));
+		return JOB_REQUEUE_NONE;
+	}
+	memset(&addr, 0, sizeof(addr));
+	addr.nl_family = AF_NETLINK;
+	len = sendto(s, hdr, hdr->nlmsg_len, 0,
+				 (struct sockaddr*)&addr, sizeof(addr));
+	if (len != hdr->nlmsg_len)
+	{
+		DBG1(DBG_CFG, "sending XFRM aevent failed: %s", strerror(errno));
+	}
+	close(s);
+	return JOB_REQUEUE_NONE;
+}
+
+/**
+ * Schedule sequence number reset job
+ */
+static void schedule_reset_job(private_reset_seq_t *this, host_t *dst,
+							   u_int32_t spi)
+{
+	struct xfrm_usersa_id *data;
+	chunk_t chunk;
+
+	INIT(data,
+		.spi = spi,
+		.family = dst->get_family(dst),
+		.proto = IPPROTO_ESP,
+	);
+
+	chunk = dst->get_address(dst);
+	memcpy(&data->daddr, chunk.ptr, min(chunk.len, sizeof(xfrm_address_t)));
+
+	lib->scheduler->schedule_job(lib->scheduler,
+								 (job_t*)callback_job_create(
+									(void*)reset_cb, data, (void*)free, NULL),
+								 this->delay);
+}
+
+METHOD(listener_t, child_updown, bool,
+	private_reset_seq_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa,
+	bool up)
+{
+	if (up)
+	{
+		schedule_reset_job(this, ike_sa->get_other_host(ike_sa),
+						   child_sa->get_spi(child_sa, FALSE));
+	}
+	return TRUE;
+}
+
+METHOD(hook_t, destroy, void,
+	private_reset_seq_t *this)
+{
+	free(this);
+}
+
+/**
+ * Create the IKE_AUTH fill hook
+ */
+hook_t *reset_seq_hook_create(char *name)
+{
+	private_reset_seq_t *this;
+
+	INIT(this,
+		.hook = {
+			.listener = {
+				.child_updown = _child_updown,
+			},
+			.destroy = _destroy,
+		},
+		.delay = conftest->test->get_int(conftest->test,
+										"hooks.%s.delay", 10, name),
+	);
+
+	return &this->hook;
+}
diff --git a/src/conftest/hooks/set_critical.c b/src/conftest/hooks/set_critical.c
new file mode 100644
index 000000000..caf2215c3
--- /dev/null
+++ b/src/conftest/hooks/set_critical.c
@@ -0,0 +1,123 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "hook.h"
+
+#include <encoding/payloads/unknown_payload.h>
+
+typedef struct private_set_critical_t private_set_critical_t;
+
+/**
+ * Private data of an set_critical_t object.
+ */
+struct private_set_critical_t {
+
+	/**
+	 * Implements the hook_t interface.
+	 */
+	hook_t hook;
+
+	/**
+	 * Alter requests or responses?
+	 */
+	bool req;
+
+	/**
+	 * ID of message to alter.
+	 */
+	int id;
+
+	/**
+	 * Payload types, space separated
+	 */
+	char *payloads;
+};
+
+METHOD(listener_t, message, bool,
+	private_set_critical_t *this, ike_sa_t *ike_sa, message_t *message,
+	bool incoming)
+{
+	if (!incoming &&
+		message->get_request(message) == this->req &&
+		message->get_message_id(message) == this->id)
+	{
+		enumerator_t *msg, *types;
+		payload_t *payload;
+		payload_type_t type;
+		bool *critical;
+		char *name;
+
+		types = enumerator_create_token(this->payloads, " ", "");
+		while (types->enumerate(types, &name))
+		{
+			type = atoi(name);
+			if (!type)
+			{
+				type = enum_from_name(payload_type_short_names, name);
+				if (type == -1)
+				{
+					DBG1(DBG_CFG, "invalid payload name '%s'", name);
+					break;
+				}
+			}
+			msg = message->create_payload_enumerator(message);
+			while (msg->enumerate(msg, &payload))
+			{
+				if (type == payload->get_type(payload))
+				{
+					critical = payload_get_field(payload, FLAG, 0);
+					if (critical)
+					{
+						*critical = TRUE;
+					}
+				}
+			}
+			msg->destroy(msg);
+		}
+		types->destroy(types);
+	}
+	return TRUE;
+}
+
+METHOD(hook_t, destroy, void,
+	private_set_critical_t *this)
+{
+	free(this);
+}
+
+/**
+ * Create the IKE_AUTH fill hook
+ */
+hook_t *set_critical_hook_create(char *name)
+{
+	private_set_critical_t *this;
+
+	INIT(this,
+		.hook = {
+			.listener = {
+				.message = _message,
+			},
+			.destroy = _destroy,
+		},
+		.req = conftest->test->get_bool(conftest->test,
+										"hooks.%s.request", TRUE, name),
+		.id = conftest->test->get_int(conftest->test,
+										"hooks.%s.id", 0, name),
+		.payloads = conftest->test->get_str(conftest->test,
+										"hooks.%s.payloads", "", name),
+	);
+
+	return &this->hook;
+}
diff --git a/src/conftest/hooks/set_ike_initiator.c b/src/conftest/hooks/set_ike_initiator.c
new file mode 100644
index 000000000..6ba43eaca
--- /dev/null
+++ b/src/conftest/hooks/set_ike_initiator.c
@@ -0,0 +1,87 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "hook.h"
+
+#include <encoding/payloads/unknown_payload.h>
+
+typedef struct private_set_ike_initiator_t private_set_ike_initiator_t;
+
+/**
+ * Private data of an set_ike_initiator_t object.
+ */
+struct private_set_ike_initiator_t {
+
+	/**
+	 * Implements the hook_t interface.
+	 */
+	hook_t hook;
+
+	/**
+	 * Alter requests or responses?
+	 */
+	bool req;
+
+	/**
+	 * ID of message to alter.
+	 */
+	int id;
+};
+
+METHOD(listener_t, message, bool,
+	private_set_ike_initiator_t *this, ike_sa_t *ike_sa, message_t *message,
+	bool incoming)
+{
+	if (!incoming &&
+		message->get_request(message) == this->req &&
+		message->get_message_id(message) == this->id)
+	{
+		ike_sa_id_t *id;
+
+		DBG1(DBG_CFG, "toggling IKE message initiator flag");
+		id = message->get_ike_sa_id(message);
+		id->switch_initiator(id);
+	}
+	return TRUE;
+}
+
+METHOD(hook_t, destroy, void,
+	private_set_ike_initiator_t *this)
+{
+	free(this);
+}
+
+/**
+ * Create the IKE_AUTH fill hook
+ */
+hook_t *set_ike_initiator_hook_create(char *name)
+{
+	private_set_ike_initiator_t *this;
+
+	INIT(this,
+		.hook = {
+			.listener = {
+				.message = _message,
+			},
+			.destroy = _destroy,
+		},
+		.req = conftest->test->get_bool(conftest->test,
+										"hooks.%s.request", TRUE, name),
+		.id = conftest->test->get_int(conftest->test,
+										"hooks.%s.id", 0, name),
+	);
+
+	return &this->hook;
+}
diff --git a/src/conftest/hooks/set_ike_request.c b/src/conftest/hooks/set_ike_request.c
new file mode 100644
index 000000000..baabea66a
--- /dev/null
+++ b/src/conftest/hooks/set_ike_request.c
@@ -0,0 +1,84 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "hook.h"
+
+#include <encoding/payloads/unknown_payload.h>
+
+typedef struct private_set_ike_request_t private_set_ike_request_t;
+
+/**
+ * Private data of an set_ike_request_t object.
+ */
+struct private_set_ike_request_t {
+
+	/**
+	 * Implements the hook_t interface.
+	 */
+	hook_t hook;
+
+	/**
+	 * Alter requests or responses?
+	 */
+	bool req;
+
+	/**
+	 * ID of message to alter.
+	 */
+	int id;
+};
+
+METHOD(listener_t, message, bool,
+	private_set_ike_request_t *this, ike_sa_t *ike_sa, message_t *message,
+	bool incoming)
+{
+	if (!incoming &&
+		message->get_request(message) == this->req &&
+		message->get_message_id(message) == this->id)
+	{
+		DBG1(DBG_CFG, "toggling IKE message request flag");
+		message->set_request(message, !this->req);
+	}
+	return TRUE;
+}
+
+METHOD(hook_t, destroy, void,
+	private_set_ike_request_t *this)
+{
+	free(this);
+}
+
+/**
+ * Create the IKE_AUTH fill hook
+ */
+hook_t *set_ike_request_hook_create(char *name)
+{
+	private_set_ike_request_t *this;
+
+	INIT(this,
+		.hook = {
+			.listener = {
+				.message = _message,
+			},
+			.destroy = _destroy,
+		},
+		.req = conftest->test->get_bool(conftest->test,
+										"hooks.%s.request", TRUE, name),
+		.id = conftest->test->get_int(conftest->test,
+										"hooks.%s.id", 0, name),
+	);
+
+	return &this->hook;
+}
diff --git a/src/conftest/hooks/set_ike_spi.c b/src/conftest/hooks/set_ike_spi.c
new file mode 100644
index 000000000..14a0da9cd
--- /dev/null
+++ b/src/conftest/hooks/set_ike_spi.c
@@ -0,0 +1,104 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "hook.h"
+
+#include <encoding/payloads/unknown_payload.h>
+
+typedef struct private_set_ike_spi_t private_set_ike_spi_t;
+
+/**
+ * Private data of an set_ike_spi_t object.
+ */
+struct private_set_ike_spi_t {
+
+	/**
+	 * Implements the hook_t interface.
+	 */
+	hook_t hook;
+
+	/**
+	 * Alter requests or responses?
+	 */
+	bool req;
+
+	/**
+	 * ID of message to alter.
+	 */
+	int id;
+
+	/**
+	 * Initiator SPI
+	 */
+	u_int64_t spii;
+
+	/**
+	 * Responder SPI
+	 */
+	u_int64_t spir;
+};
+
+METHOD(listener_t, message, bool,
+	private_set_ike_spi_t *this, ike_sa_t *ike_sa, message_t *message,
+	bool incoming)
+{
+	if (!incoming &&
+		message->get_request(message) == this->req &&
+		message->get_message_id(message) == this->id)
+	{
+		ike_sa_id_t *id;
+
+		DBG1(DBG_CFG, "setting IKE SPIs to: 0x%llx/0x%llx",
+			 this->spii, this->spir);
+
+		id = message->get_ike_sa_id(message);
+		id->set_initiator_spi(id, this->spii);
+		id->set_responder_spi(id, this->spir);
+	}
+	return TRUE;
+}
+
+METHOD(hook_t, destroy, void,
+	private_set_ike_spi_t *this)
+{
+	free(this);
+}
+
+/**
+ * Create the IKE_AUTH fill hook
+ */
+hook_t *set_ike_spi_hook_create(char *name)
+{
+	private_set_ike_spi_t *this;
+
+	INIT(this,
+		.hook = {
+			.listener = {
+				.message = _message,
+			},
+			.destroy = _destroy,
+		},
+		.req = conftest->test->get_bool(conftest->test,
+										"hooks.%s.request", TRUE, name),
+		.id = conftest->test->get_int(conftest->test,
+										"hooks.%s.id", 0, name),
+		.spii = strtoull(conftest->test->get_str(conftest->test,
+										"hooks.%s.spii", "0", name), NULL, 16),
+		.spir = strtoull(conftest->test->get_str(conftest->test,
+										"hooks.%s.spir", "0", name), NULL, 16),
+	);
+
+	return &this->hook;
+}
diff --git a/src/conftest/hooks/set_ike_version.c b/src/conftest/hooks/set_ike_version.c
new file mode 100644
index 000000000..d2de9dc81
--- /dev/null
+++ b/src/conftest/hooks/set_ike_version.c
@@ -0,0 +1,111 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "hook.h"
+
+#include <encoding/payloads/unknown_payload.h>
+
+typedef struct private_set_ike_version_t private_set_ike_version_t;
+
+/**
+ * Private data of an set_ike_version_t object.
+ */
+struct private_set_ike_version_t {
+
+	/**
+	 * Implements the hook_t interface.
+	 */
+	hook_t hook;
+
+	/**
+	 * Alter requests or responses?
+	 */
+	bool req;
+
+	/**
+	 * ID of message to alter.
+	 */
+	int id;
+
+	/**
+	 * Major version to set
+	 */
+	int major;
+
+	/**
+	 * Minor version to set
+	 */
+	int minor;
+
+	/**
+	 * Higher version supported?
+	 */
+	bool higher;
+};
+
+METHOD(listener_t, message, bool,
+	private_set_ike_version_t *this, ike_sa_t *ike_sa, message_t *message,
+	bool incoming)
+{
+	if (!incoming &&
+		message->get_request(message) == this->req &&
+		message->get_message_id(message) == this->id)
+	{
+		DBG1(DBG_CFG, "setting IKE version of message ID %d to %d.%d",
+			 this->id, this->major, this->minor);
+		message->set_major_version(message, this->major);
+		message->set_minor_version(message, this->minor);
+		if (this->higher)
+		{
+			message->set_version_flag(message);
+		}
+	}
+	return TRUE;
+}
+
+METHOD(hook_t, destroy, void,
+	private_set_ike_version_t *this)
+{
+	free(this);
+}
+
+/**
+ * Create the IKE_AUTH fill hook
+ */
+hook_t *set_ike_version_hook_create(char *name)
+{
+	private_set_ike_version_t *this;
+
+	INIT(this,
+		.hook = {
+			.listener = {
+				.message = _message,
+			},
+			.destroy = _destroy,
+		},
+		.req = conftest->test->get_bool(conftest->test,
+										"hooks.%s.request", TRUE, name),
+		.id = conftest->test->get_int(conftest->test,
+										"hooks.%s.id", 0, name),
+		.major = conftest->test->get_int(conftest->test,
+										"hooks.%s.major", 2, name),
+		.minor = conftest->test->get_int(conftest->test,
+										"hooks.%s.minor", 0, name),
+		.higher = conftest->test->get_bool(conftest->test,
+										"hooks.%s.higher", FALSE, name),
+	);
+
+	return &this->hook;
+}
diff --git a/src/conftest/hooks/set_length.c b/src/conftest/hooks/set_length.c
new file mode 100644
index 000000000..0379dcb7c
--- /dev/null
+++ b/src/conftest/hooks/set_length.c
@@ -0,0 +1,133 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "hook.h"
+
+typedef struct private_set_length_t private_set_length_t;
+
+/**
+ * Private data of an set_length_t object.
+ */
+struct private_set_length_t {
+
+	/**
+	 * Implements the hook_t interface.
+	 */
+	hook_t hook;
+
+	/**
+	 * Alter requests or responses?
+	 */
+	bool req;
+
+	/**
+	 * ID of message to alter.
+	 */
+	int id;
+
+	/**
+	 * Payload type
+	 */
+	char *type;
+
+	/**
+	 * Difference to correct length
+	 */
+	int diff;
+};
+
+METHOD(listener_t, message, bool,
+	private_set_length_t *this, ike_sa_t *ike_sa, message_t *message,
+	bool incoming)
+{
+	if (!incoming &&
+		message->get_request(message) == this->req &&
+		message->get_message_id(message) == this->id)
+	{
+		payload_t *payload;
+		enumerator_t *enumerator;
+		payload_type_t type;
+
+		type = atoi(this->type);
+		if (!type)
+		{
+			type = enum_from_name(payload_type_short_names, this->type);
+			if (type == -1)
+			{
+				DBG1(DBG_CFG, "unknown payload: '%s', skipped", this->type);
+				return TRUE;
+			}
+		}
+		enumerator = message->create_payload_enumerator(message);
+		while (enumerator->enumerate(enumerator, &payload))
+		{
+			if (type == payload->get_type(payload))
+			{
+				encoding_rule_t *rules;
+				size_t count;
+				u_int16_t *len;
+				int i;
+
+				payload->get_encoding_rules(payload, &rules, &count);
+				for (i = 0; i < count; i++)
+				{
+					if (rules[i].type == PAYLOAD_LENGTH)
+					{
+						len = (u_int16_t*)(((void*)payload) + rules[i].offset);
+						DBG1(DBG_CFG, "adjusting length of %N payload "
+							 "from %d to %d", payload_type_short_names, type,
+							 *len, *len + this->diff);
+						*len = *len + this->diff;
+					}
+				}
+			}
+		}
+		enumerator->destroy(enumerator);
+	}
+	return TRUE;
+}
+
+METHOD(hook_t, destroy, void,
+	private_set_length_t *this)
+{
+	free(this);
+}
+
+/**
+ * Create the IKE_AUTH fill hook
+ */
+hook_t *set_length_hook_create(char *name)
+{
+	private_set_length_t *this;
+
+	INIT(this,
+		.hook = {
+			.listener = {
+				.message = _message,
+			},
+			.destroy = _destroy,
+		},
+		.req = conftest->test->get_bool(conftest->test,
+										"hooks.%s.request", TRUE, name),
+		.id = conftest->test->get_int(conftest->test,
+										"hooks.%s.id", 0, name),
+		.type = conftest->test->get_str(conftest->test,
+										"hooks.%s.type", "", name),
+		.diff = conftest->test->get_int(conftest->test,
+										"hooks.%s.diff", 0, name),
+	);
+
+	return &this->hook;
+}
diff --git a/src/conftest/hooks/set_proposal_number.c b/src/conftest/hooks/set_proposal_number.c
new file mode 100644
index 000000000..a59d96b6d
--- /dev/null
+++ b/src/conftest/hooks/set_proposal_number.c
@@ -0,0 +1,163 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "hook.h"
+
+#include <encoding/payloads/sa_payload.h>
+
+typedef struct private_set_proposal_number_t private_set_proposal_number_t;
+
+/**
+ * Private data of an set_proposal_number_t object.
+ */
+struct private_set_proposal_number_t {
+
+	/**
+	 * Implements the hook_t interface.
+	 */
+	hook_t hook;
+
+	/**
+	 * Alter requests or responses?
+	 */
+	bool req;
+
+	/**
+	 * ID of message to alter.
+	 */
+	int id;
+
+	/**
+	 * Proposal number to modify
+	 */
+	int from;
+
+	/**
+	 * Proposal number to set
+	 */
+	int to;
+};
+
+/**
+ * Copy all algs from given type from one proposal to another
+ */
+static void copy_proposal_algs(proposal_t *from, proposal_t *to,
+							   transform_type_t type)
+{
+	enumerator_t *enumerator;
+	u_int16_t alg, key_size;
+
+	enumerator = from->create_enumerator(from, type);
+	while (enumerator->enumerate(enumerator, &alg, &key_size))
+	{
+		to->add_algorithm(to, type, alg, key_size);
+	}
+	enumerator->destroy(enumerator);
+}
+
+METHOD(listener_t, message, bool,
+	private_set_proposal_number_t *this, ike_sa_t *ike_sa, message_t *message,
+	bool incoming)
+{
+	if (!incoming &&
+		message->get_request(message) == this->req &&
+		message->get_message_id(message) == this->id)
+	{
+		enumerator_t *enumerator;
+		payload_t *payload;
+		linked_list_t *list = NULL, *updated;
+		sa_payload_t *sa;
+		proposal_t *proposal, *new;
+
+		updated = linked_list_create();
+		enumerator = message->create_payload_enumerator(message);
+		while (enumerator->enumerate(enumerator, &payload))
+		{
+			if (payload->get_type(payload) == SECURITY_ASSOCIATION)
+			{
+				sa = (sa_payload_t*)payload;
+				list = sa->get_proposals(sa);
+				message->remove_payload_at(message, enumerator);
+				sa->destroy(sa);
+			}
+		}
+		enumerator->destroy(enumerator);
+
+		if (list)
+		{
+			enumerator = list->create_enumerator(list);
+			while (enumerator->enumerate(enumerator, &proposal))
+			{
+				if (proposal->get_number(proposal) == this->from)
+				{
+					DBG1(DBG_CFG, "setting proposal number from %d to %d",
+						 this->from, this->to);
+					new = proposal_create(proposal->get_protocol(proposal),
+										  this->to);
+					copy_proposal_algs(proposal, new, ENCRYPTION_ALGORITHM);
+					copy_proposal_algs(proposal, new, INTEGRITY_ALGORITHM);
+					copy_proposal_algs(proposal, new, PSEUDO_RANDOM_FUNCTION);
+					copy_proposal_algs(proposal, new, DIFFIE_HELLMAN_GROUP);
+					copy_proposal_algs(proposal, new, EXTENDED_SEQUENCE_NUMBERS);
+					updated->insert_last(updated, new);
+				}
+				else
+				{
+					list->remove_at(list, enumerator);
+					updated->insert_last(updated, proposal);
+				}
+			}
+			enumerator->destroy(enumerator);
+		}
+		sa = sa_payload_create_from_proposal_list(updated);
+		list->destroy_offset(list, offsetof(proposal_t, destroy));
+		updated->destroy_offset(updated, offsetof(proposal_t, destroy));
+		message->add_payload(message, (payload_t*)sa);
+	}
+	return TRUE;
+}
+
+METHOD(hook_t, destroy, void,
+	private_set_proposal_number_t *this)
+{
+	free(this);
+}
+
+/**
+ * Create the IKE_AUTH fill hook
+ */
+hook_t *set_proposal_number_hook_create(char *name)
+{
+	private_set_proposal_number_t *this;
+
+	INIT(this,
+		.hook = {
+			.listener = {
+				.message = _message,
+			},
+			.destroy = _destroy,
+		},
+		.req = conftest->test->get_bool(conftest->test,
+										"hooks.%s.request", TRUE, name),
+		.id = conftest->test->get_int(conftest->test,
+										"hooks.%s.id", 0, name),
+		.from = conftest->test->get_int(conftest->test,
+										"hooks.%s.from", 0, name),
+		.to = conftest->test->get_int(conftest->test,
+										"hooks.%s.to", 1, name),
+	);
+
+	return &this->hook;
+}
diff --git a/src/conftest/hooks/set_reserved.c b/src/conftest/hooks/set_reserved.c
new file mode 100644
index 000000000..77a605d2a
--- /dev/null
+++ b/src/conftest/hooks/set_reserved.c
@@ -0,0 +1,245 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "hook.h"
+
+#include <encoding/payloads/sa_payload.h>
+
+typedef struct private_set_reserved_t private_set_reserved_t;
+
+/**
+ * Private data of an set_reserved_t object.
+ */
+struct private_set_reserved_t {
+
+	/**
+	 * Implements the hook_t interface.
+	 */
+	hook_t hook;
+
+	/**
+	 * Alter requests or responses?
+	 */
+	bool req;
+
+	/**
+	 * ID of message to alter.
+	 */
+	int id;
+
+	/**
+	 * Hook name
+	 */
+	char *name;
+};
+
+/**
+ * Set reserved bit of a payload
+ */
+static void set_bit(private_set_reserved_t *this, message_t *message,
+					payload_type_t type, u_int nr)
+{
+	enumerator_t *payloads;
+	payload_t *payload;
+	bool *bit;
+
+	if (type == HEADER)
+	{
+		message->set_reserved_header_bit(message, nr);
+		DBG1(DBG_CFG, "setting reserved bit %d of %N",
+			  nr, payload_type_short_names, type);
+	}
+	else
+	{
+		payloads = message->create_payload_enumerator(message);
+		while (payloads->enumerate(payloads, &payload))
+		{
+			if (payload->get_type(payload) == type)
+			{
+				bit = payload_get_field(payload, RESERVED_BIT, nr);
+				if (bit)
+				{
+					DBG1(DBG_CFG, "setting reserved bit %d of %N",
+						 nr, payload_type_short_names, type);
+					*bit = TRUE;
+				}
+			}
+		}
+		payloads->destroy(payloads);
+	}
+}
+
+/**
+ * Set reserved byte of a payload
+ */
+static void set_byte(private_set_reserved_t *this, message_t *message,
+					payload_type_t type, u_int nr, u_int8_t byteval)
+{
+	enumerator_t *payloads;
+	payload_t *payload;
+	u_int8_t *byte;
+
+	if (type == TRANSFORM_SUBSTRUCTURE || type == PROPOSAL_SUBSTRUCTURE)
+	{
+		enumerator_t *transforms, *proposals;
+		transform_substructure_t *transform;
+		proposal_substructure_t *proposal;
+		sa_payload_t *sa;
+
+		payloads = message->create_payload_enumerator(message);
+		while (payloads->enumerate(payloads, &payload))
+		{
+			if (payload->get_type(payload) == SECURITY_ASSOCIATION)
+			{
+				sa = (sa_payload_t*)payload;
+				proposals = sa->create_substructure_enumerator(sa);
+				while (proposals->enumerate(proposals, &proposal))
+				{
+					if (type == PROPOSAL_SUBSTRUCTURE)
+					{
+						byte = payload_get_field(&proposal->payload_interface,
+												 RESERVED_BYTE, nr);
+						if (byte)
+						{
+							DBG1(DBG_CFG, "setting reserved byte %d of %N to %d",
+								 nr, payload_type_short_names, type, byteval);
+							*byte = byteval;
+						}
+					}
+					else if (type == TRANSFORM_SUBSTRUCTURE)
+					{
+						transforms = proposal->create_substructure_enumerator(
+																	proposal);
+						while (transforms->enumerate(transforms, &transform))
+						{
+							byte = payload_get_field(&transform->payload_interface,
+													 RESERVED_BYTE, nr);
+							if (byte)
+							{
+								DBG1(DBG_CFG, "setting reserved byte %d of %N to %d",
+									 nr, payload_type_short_names, type, byteval);
+								*byte = byteval;
+							}
+						}
+						transforms->destroy(transforms);
+					}
+				}
+				proposals->destroy(proposals);
+			}
+		}
+		payloads->destroy(payloads);
+	}
+	else
+	{
+		payloads = message->create_payload_enumerator(message);
+		while (payloads->enumerate(payloads, &payload))
+		{
+			if (payload->get_type(payload) == type)
+			{
+				byte = payload_get_field(payload, RESERVED_BYTE, nr);
+				if (byte)
+				{
+					DBG1(DBG_CFG, "setting reserved byte %d of %N to %d",
+						  nr, payload_type_short_names, type, byteval);
+					*byte = byteval;
+				}
+			}
+		}
+		payloads->destroy(payloads);
+	}
+}
+
+METHOD(listener_t, message, bool,
+	private_set_reserved_t *this, ike_sa_t *ike_sa, message_t *message,
+	bool incoming)
+{
+	if (!incoming &&
+		message->get_request(message) == this->req &&
+		message->get_message_id(message) == this->id)
+	{
+		enumerator_t *bits, *bytes, *types;
+		payload_type_t type;
+		char *nr, *name;
+		u_int8_t byteval;
+
+		types = conftest->test->create_section_enumerator(conftest->test,
+													"hooks.%s", this->name);
+		while (types->enumerate(types, &name))
+		{
+			type = atoi(name);
+			if (!type)
+			{
+				type = enum_from_name(payload_type_short_names, name);
+				if (type == -1)
+				{
+					DBG1(DBG_CFG, "invalid payload name '%s'", name);
+					break;
+				}
+			}
+			nr = conftest->test->get_str(conftest->test,
+								"hooks.%s.%s.bits", "", this->name, name);
+			bits = enumerator_create_token(nr, ",", " ");
+			while (bits->enumerate(bits, &nr))
+			{
+				set_bit(this, message, type, atoi(nr));
+			}
+			bits->destroy(bits);
+
+			nr = conftest->test->get_str(conftest->test,
+								"hooks.%s.%s.bytes", "", this->name, name);
+			byteval = conftest->test->get_int(conftest->test,
+								"hooks.%s.%s.byteval", 255, this->name, name);
+			bytes = enumerator_create_token(nr, ",", " ");
+			while (bytes->enumerate(bytes, &nr))
+			{
+				set_byte(this, message, type, atoi(nr), byteval);
+			}
+			bytes->destroy(bytes);
+		}
+		types->destroy(types);
+	}
+	return TRUE;
+}
+
+METHOD(hook_t, destroy, void,
+	private_set_reserved_t *this)
+{
+	free(this->name);
+	free(this);
+}
+
+/**
+ * Create the IKE_AUTH fill hook
+ */
+hook_t *set_reserved_hook_create(char *name)
+{
+	private_set_reserved_t *this;
+
+	INIT(this,
+		.hook = {
+			.listener = {
+				.message = _message,
+			},
+			.destroy = _destroy,
+		},
+		.req = conftest->test->get_bool(conftest->test,
+										"hooks.%s.request", TRUE, name),
+		.id = conftest->test->get_int(conftest->test,
+										"hooks.%s.id", 0, name),
+		.name = strdup(name),
+	);
+
+	return &this->hook;
+}
diff --git a/src/conftest/hooks/unencrypted_notify.c b/src/conftest/hooks/unencrypted_notify.c
new file mode 100644
index 000000000..80bdc64b7
--- /dev/null
+++ b/src/conftest/hooks/unencrypted_notify.c
@@ -0,0 +1,153 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "hook.h"
+
+typedef struct private_unencrypted_notify_t private_unencrypted_notify_t;
+
+/**
+ * Private data of an unencrypted_notify_t object.
+ */
+struct private_unencrypted_notify_t {
+
+	/**
+	 * Implements the hook_t interface.
+	 */
+	hook_t hook;
+
+	/**
+	 * ID of message send.
+	 */
+	int id;
+
+	/**
+	 * Notify type
+	 */
+	char *type;
+
+	/**
+	 * Notify data
+	 */
+	char *data;
+
+	/**
+	 * SPI of notify
+	 */
+	int spi;
+
+	/**
+	 * TRUE for a ESP protocol notify, FALSE for IKE
+	 */
+	bool esp;
+};
+
+METHOD(listener_t, ike_updown, bool,
+	private_unencrypted_notify_t *this, ike_sa_t *ike_sa, bool up)
+{
+	if (up)
+	{
+		message_t *message;
+		host_t *host;
+		notify_type_t type;
+		notify_payload_t *notify;
+		chunk_t data = chunk_empty;
+		packet_t *packet;
+
+		type = atoi(this->type);
+		if (!type)
+		{
+			type = enum_from_name(notify_type_names, this->type);
+			if (type == -1)
+			{
+				DBG1(DBG_CFG, "unknown notify: '%s', skipped", this->type);
+				return TRUE;
+			}
+		}
+		if (strncaseeq(this->data, "0x", 2))
+		{
+			data = chunk_skip(chunk_create(this->data, strlen(this->data)), 2);
+			data = chunk_from_hex(data, NULL);
+		}
+		else if (this->data && strlen(this->data))
+		{
+			data = chunk_clone(chunk_create(this->data, strlen(this->data)));
+		}
+		notify = notify_payload_create_from_protocol_and_type(
+									this->esp ? PROTO_ESP : PROTO_IKE, type);
+		notify->set_spi(notify, this->spi);
+		if (data.len)
+		{
+			notify->set_notification_data(notify, data);
+			free(data.ptr);
+		}
+
+		DBG1(DBG_CFG, "injecting unencrypted INFORMATIONAL message");
+
+		message = message_create();
+		message->set_message_id(message, this->id);
+		message->set_ike_sa_id(message, ike_sa->get_id(ike_sa));
+		message->set_exchange_type(message, INFORMATIONAL);
+		message->set_request(message, TRUE);
+		host = ike_sa->get_my_host(ike_sa);
+		message->set_source(message, host->clone(host));
+		host = ike_sa->get_other_host(ike_sa);
+		message->set_destination(message, host->clone(host));
+		message->add_payload(message, &notify->payload_interface);
+		if (message->generate(message, NULL, &packet) != SUCCESS)
+		{
+			DBG1(DBG_CFG, "generating message failed");
+			message->destroy(message);
+			return TRUE;
+		}
+		message->destroy(message);
+		charon->sender->send(charon->sender, packet);
+	}
+	return TRUE;
+}
+
+METHOD(hook_t, destroy, void,
+	private_unencrypted_notify_t *this)
+{
+	free(this);
+}
+
+/**
+ * Create the IKE_AUTH fill hook
+ */
+hook_t *unencrypted_notify_hook_create(char *name)
+{
+	private_unencrypted_notify_t *this;
+
+	INIT(this,
+		.hook = {
+			.listener = {
+				.ike_updown = _ike_updown,
+			},
+			.destroy = _destroy,
+		},
+		.id = conftest->test->get_int(conftest->test,
+										"hooks.%s.id", 2, name),
+		.type = conftest->test->get_str(conftest->test,
+										"hooks.%s.type", "", name),
+		.data = conftest->test->get_str(conftest->test,
+										"hooks.%s.data", "", name),
+		.spi = conftest->test->get_int(conftest->test,
+										"hooks.%s.spi", 0, name),
+		.esp = conftest->test->get_bool(conftest->test,
+										"hooks.%s.esp", FALSE, name),
+	);
+
+	return &this->hook;
+}
diff --git a/src/conftest/hooks/unsort_message.c b/src/conftest/hooks/unsort_message.c
new file mode 100644
index 000000000..b37b261a4
--- /dev/null
+++ b/src/conftest/hooks/unsort_message.c
@@ -0,0 +1,133 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "hook.h"
+
+typedef struct private_unsort_message_t private_unsort_message_t;
+
+/**
+ * Private data of an unsort_message_t object.
+ */
+struct private_unsort_message_t {
+
+	/**
+	 * Implements the hook_t interface.
+	 */
+	hook_t hook;
+
+	/**
+	 * Alter requests or responses?
+	 */
+	bool req;
+
+	/**
+	 * ID of message to alter.
+	 */
+	int id;
+
+	/**
+	 * Order of payloads we want
+	 */
+	char *order;
+};
+
+METHOD(listener_t, message, bool,
+	private_unsort_message_t *this, ike_sa_t *ike_sa, message_t *message,
+	bool incoming)
+{
+	if (!incoming &&
+		message->get_request(message) == this->req &&
+		message->get_message_id(message) == this->id)
+	{
+		enumerator_t *enumerator, *order;
+		linked_list_t *list;
+		payload_type_t type;
+		payload_t *payload;
+		char *name;
+
+		list = linked_list_create();
+		enumerator = message->create_payload_enumerator(message);
+		while (enumerator->enumerate(enumerator, &payload))
+		{
+			message->remove_payload_at(message, enumerator);
+			list->insert_last(list, payload);
+		}
+		enumerator->destroy(enumerator);
+
+		order = enumerator_create_token(this->order, ", ", " ");
+		while (order->enumerate(order, &name))
+		{
+			type = enum_from_name(payload_type_short_names, name);
+			if (type != -1)
+			{
+				enumerator = list->create_enumerator(list);
+				while (enumerator->enumerate(enumerator, &payload))
+				{
+					if (payload->get_type(payload) == type)
+					{
+						list->remove_at(list, enumerator);
+						message->add_payload(message, payload);
+					}
+				}
+				enumerator->destroy(enumerator);
+			}
+			else
+			{
+				DBG1(DBG_CFG, "unknown payload to sort: '%s', skipped", name);
+			}
+		}
+		order->destroy(order);
+
+		while (list->remove_first(list, (void**)&payload) == SUCCESS)
+		{
+			message->add_payload(message, payload);
+		}
+		list->destroy(list);
+
+		message->disable_sort(message);
+	}
+	return TRUE;
+}
+
+METHOD(hook_t, destroy, void,
+	private_unsort_message_t *this)
+{
+	free(this);
+}
+
+/**
+ * Create the IKE_AUTH fill hook
+ */
+hook_t *unsort_message_hook_create(char *name)
+{
+	private_unsort_message_t *this;
+
+	INIT(this,
+		.hook = {
+			.listener = {
+				.message = _message,
+			},
+			.destroy = _destroy,
+		},
+		.req = conftest->test->get_bool(conftest->test,
+										"hooks.%s.request", TRUE, name),
+		.id = conftest->test->get_int(conftest->test,
+										"hooks.%s.id", 0, name),
+		.order = conftest->test->get_str(conftest->test,
+										"hooks.%s.order", "", name),
+	);
+
+	return &this->hook;
+}
diff --git a/src/dumm/Makefile.in b/src/dumm/Makefile.in
index 7c22f5ec5..79961b916 100644
--- a/src/dumm/Makefile.in
+++ b/src/dumm/Makefile.in
@@ -226,9 +226,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -267,6 +265,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/include/Makefile.in b/src/include/Makefile.in
index 498fb17f1..b9b758193 100644
--- a/src/include/Makefile.in
+++ b/src/include/Makefile.in
@@ -172,9 +172,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -213,6 +211,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/include/linux/xfrm.h b/src/include/linux/xfrm.h
index b971e3848..930fdd2de 100644
--- a/src/include/linux/xfrm.h
+++ b/src/include/linux/xfrm.h
@@ -283,6 +283,7 @@ enum xfrm_attr_type_t {
 	XFRMA_KMADDRESS,        /* struct xfrm_user_kmaddress */
 	XFRMA_ALG_AUTH_TRUNC,	/* struct xfrm_algo_auth */
 	XFRMA_MARK,		/* struct xfrm_mark */
+	XFRMA_TFCPAD,		/* __u32 */
 	__XFRMA_MAX
 
 #define XFRMA_MAX (__XFRMA_MAX - 1)
diff --git a/src/ipsec/Makefile.in b/src/ipsec/Makefile.in
index 276d9f36d..0b4870e94 100644
--- a/src/ipsec/Makefile.in
+++ b/src/ipsec/Makefile.in
@@ -200,9 +200,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -241,6 +239,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/ipsec/ipsec.8 b/src/ipsec/ipsec.8
index f995119aa..6f4117be7 100644
--- a/src/ipsec/ipsec.8
+++ b/src/ipsec/ipsec.8
@@ -1,4 +1,4 @@
-.TH IPSEC 8 "2010-05-30" "4.5.0rc1" "strongSwan"
+.TH IPSEC 8 "2010-05-30" "4.5.1" "strongSwan"
 .SH NAME
 ipsec \- invoke IPsec utilities
 .SH SYNOPSIS
diff --git a/src/ipsec/ipsec.in b/src/ipsec/ipsec.in
index 0bddc201a..2ea0ef798 100755
--- a/src/ipsec/ipsec.in
+++ b/src/ipsec/ipsec.in
@@ -65,7 +65,7 @@ case "$1" in
 	echo "	rereadsecrets|rereadgroups"
 	echo "	rereadcacerts|rereadaacerts|rereadocspcerts"
 	echo "	rereadacerts|rereadcrls|rereadall"
-	echo "	purgeocsp|purgeike"
+	echo "	purgeocsp|purgecrls|purgecerts|purgeike"
 	echo "	scencrypt|scdecrypt <value> [--inbase <base>] [--outbase <base>] [--keyid <id>]"
 	echo "	openac"
 	echo "	pluto"
@@ -191,11 +191,11 @@ rereadall|purgeocsp)
 	fi
 	exit "$rc"
 	;;
-purgeike)
+purgeike|purgecrls|purgecerts)
 	rc=7
 	if [ -e $IPSEC_CHARON_PID ]
 	then
-		$IPSEC_STROKE purgeike
+		$IPSEC_STROKE "$1"
 		rc="$?"
 	fi
 	exit "$rc"
diff --git a/src/libcharon/Makefile.am b/src/libcharon/Makefile.am
index 2b7646327..1e78c9d79 100644
--- a/src/libcharon/Makefile.am
+++ b/src/libcharon/Makefile.am
@@ -53,6 +53,7 @@ processing/jobs/rekey_ike_sa_job.c processing/jobs/rekey_ike_sa_job.h \
 processing/jobs/retransmit_job.c processing/jobs/retransmit_job.h \
 processing/jobs/send_dpd_job.c processing/jobs/send_dpd_job.h \
 processing/jobs/send_keepalive_job.c processing/jobs/send_keepalive_job.h \
+processing/jobs/start_action_job.c processing/jobs/start_action_job.h \
 processing/jobs/roam_job.c processing/jobs/roam_job.h \
 processing/jobs/update_sa_job.c processing/jobs/update_sa_job.h \
 processing/jobs/inactivity_job.c processing/jobs/inactivity_job.h \
@@ -87,8 +88,12 @@ sa/tasks/ike_reauth.c sa/tasks/ike_reauth.h \
 sa/tasks/ike_auth_lifetime.c sa/tasks/ike_auth_lifetime.h \
 sa/tasks/ike_vendor.c sa/tasks/ike_vendor.h \
 sa/tasks/task.c sa/tasks/task.h \
-tnccs/tnccs.c tnccs/tnccs.h \
-tnccs/tnccs_manager.h tnccs/tnccs_manager.c
+tnc/tncif.h tnc/tncifimc.h tnc/tncifimv.h tnc/tncifimv.c \
+tnc/imc/imc.h tnc/imc/imc_manager.h \
+tnc/imv/imv.h tnc/imv/imv_manager.h \
+tnc/imv/imv_recommendations.c tnc/imv/imv_recommendations.h \
+tnc/tnccs/tnccs.c tnc/tnccs/tnccs.h \
+tnc/tnccs/tnccs_manager.c tnc/tnccs/tnccs_manager.h
 
 daemon.lo :		$(top_builddir)/config.status
 
@@ -317,14 +322,14 @@ endif
 if USE_TNC_IMC
   SUBDIRS += plugins/tnc_imc
 if MONOLITHIC
-  libcharon_la_LIBADD += plugins/tnc_imc/libstrongswan-tnc_imc.la
+  libcharon_la_LIBADD += plugins/tnc_imc/libstrongswan-tnc-imc.la
 endif
 endif
 
 if USE_TNC_IMV
   SUBDIRS += plugins/tnc_imv
 if MONOLITHIC
-  libcharon_la_LIBADD += plugins/tnc_imv/libstrongswan-tnc_imv.la
+  libcharon_la_LIBADD += plugins/tnc_imv/libstrongswan-tnc-imv.la
 endif
 endif
 
@@ -342,6 +347,13 @@ if MONOLITHIC
 endif
 endif
 
+if USE_TNCCS_DYNAMIC
+  SUBDIRS += plugins/tnccs_dynamic
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/tnccs_dynamic/libstrongswan-tnccs-dynamic.la
+endif
+endif
+
 if USE_MEDSRV
   SUBDIRS += plugins/medsrv
 if MONOLITHIC
diff --git a/src/libcharon/Makefile.in b/src/libcharon/Makefile.in
index 8a7a99ddd..6ec4c6ca5 100644
--- a/src/libcharon/Makefile.in
+++ b/src/libcharon/Makefile.in
@@ -96,35 +96,37 @@ host_triplet = @host@
 @MONOLITHIC_TRUE@@USE_EAP_TNC_TRUE@am__append_51 = plugins/eap_tnc/libstrongswan-eap-tnc.la
 @MONOLITHIC_TRUE@@USE_TLS_TRUE@am__append_52 = $(top_builddir)/src/libtls/libtls.la
 @USE_TNC_IMC_TRUE@am__append_53 = plugins/tnc_imc
-@MONOLITHIC_TRUE@@USE_TNC_IMC_TRUE@am__append_54 = plugins/tnc_imc/libstrongswan-tnc_imc.la
+@MONOLITHIC_TRUE@@USE_TNC_IMC_TRUE@am__append_54 = plugins/tnc_imc/libstrongswan-tnc-imc.la
 @USE_TNC_IMV_TRUE@am__append_55 = plugins/tnc_imv
-@MONOLITHIC_TRUE@@USE_TNC_IMV_TRUE@am__append_56 = plugins/tnc_imv/libstrongswan-tnc_imv.la
+@MONOLITHIC_TRUE@@USE_TNC_IMV_TRUE@am__append_56 = plugins/tnc_imv/libstrongswan-tnc-imv.la
 @USE_TNCCS_11_TRUE@am__append_57 = plugins/tnccs_11
 @MONOLITHIC_TRUE@@USE_TNCCS_11_TRUE@am__append_58 = plugins/tnccs_11/libstrongswan-tnccs-11.la
 @USE_TNCCS_20_TRUE@am__append_59 = plugins/tnccs_20
 @MONOLITHIC_TRUE@@USE_TNCCS_20_TRUE@am__append_60 = plugins/tnccs_20/libstrongswan-tnccs-20.la
-@USE_MEDSRV_TRUE@am__append_61 = plugins/medsrv
-@MONOLITHIC_TRUE@@USE_MEDSRV_TRUE@am__append_62 = plugins/medsrv/libstrongswan-medsrv.la
-@USE_MEDCLI_TRUE@am__append_63 = plugins/medcli
-@MONOLITHIC_TRUE@@USE_MEDCLI_TRUE@am__append_64 = plugins/medcli/libstrongswan-medcli.la
-@USE_NM_TRUE@am__append_65 = plugins/nm
-@MONOLITHIC_TRUE@@USE_NM_TRUE@am__append_66 = plugins/nm/libstrongswan-nm.la
-@USE_DHCP_TRUE@am__append_67 = plugins/dhcp
-@MONOLITHIC_TRUE@@USE_DHCP_TRUE@am__append_68 = plugins/dhcp/libstrongswan-dhcp.la
-@USE_ANDROID_TRUE@am__append_69 = plugins/android
-@MONOLITHIC_TRUE@@USE_ANDROID_TRUE@am__append_70 = plugins/android/libstrongswan-android.la
-@USE_MAEMO_TRUE@am__append_71 = plugins/maemo
-@MONOLITHIC_TRUE@@USE_MAEMO_TRUE@am__append_72 = plugins/maemo/libstrongswan-maemo.la
-@USE_HA_TRUE@am__append_73 = plugins/ha
-@MONOLITHIC_TRUE@@USE_HA_TRUE@am__append_74 = plugins/ha/libstrongswan-ha.la
-@USE_LED_TRUE@am__append_75 = plugins/led
-@MONOLITHIC_TRUE@@USE_LED_TRUE@am__append_76 = plugins/led/libstrongswan-led.la
-@USE_UCI_TRUE@am__append_77 = plugins/uci
-@MONOLITHIC_TRUE@@USE_UCI_TRUE@am__append_78 = plugins/uci/libstrongswan-uci.la
-@USE_ADDRBLOCK_TRUE@am__append_79 = plugins/addrblock
-@MONOLITHIC_TRUE@@USE_ADDRBLOCK_TRUE@am__append_80 = plugins/uci/libstrongswan-addrblock.la
-@USE_UNIT_TESTS_TRUE@am__append_81 = plugins/unit_tester
-@MONOLITHIC_TRUE@@USE_UNIT_TESTS_TRUE@am__append_82 = plugins/unit_tester/libstrongswan-unit-tester.la
+@USE_TNCCS_DYNAMIC_TRUE@am__append_61 = plugins/tnccs_dynamic
+@MONOLITHIC_TRUE@@USE_TNCCS_DYNAMIC_TRUE@am__append_62 = plugins/tnccs_dynamic/libstrongswan-tnccs-dynamic.la
+@USE_MEDSRV_TRUE@am__append_63 = plugins/medsrv
+@MONOLITHIC_TRUE@@USE_MEDSRV_TRUE@am__append_64 = plugins/medsrv/libstrongswan-medsrv.la
+@USE_MEDCLI_TRUE@am__append_65 = plugins/medcli
+@MONOLITHIC_TRUE@@USE_MEDCLI_TRUE@am__append_66 = plugins/medcli/libstrongswan-medcli.la
+@USE_NM_TRUE@am__append_67 = plugins/nm
+@MONOLITHIC_TRUE@@USE_NM_TRUE@am__append_68 = plugins/nm/libstrongswan-nm.la
+@USE_DHCP_TRUE@am__append_69 = plugins/dhcp
+@MONOLITHIC_TRUE@@USE_DHCP_TRUE@am__append_70 = plugins/dhcp/libstrongswan-dhcp.la
+@USE_ANDROID_TRUE@am__append_71 = plugins/android
+@MONOLITHIC_TRUE@@USE_ANDROID_TRUE@am__append_72 = plugins/android/libstrongswan-android.la
+@USE_MAEMO_TRUE@am__append_73 = plugins/maemo
+@MONOLITHIC_TRUE@@USE_MAEMO_TRUE@am__append_74 = plugins/maemo/libstrongswan-maemo.la
+@USE_HA_TRUE@am__append_75 = plugins/ha
+@MONOLITHIC_TRUE@@USE_HA_TRUE@am__append_76 = plugins/ha/libstrongswan-ha.la
+@USE_LED_TRUE@am__append_77 = plugins/led
+@MONOLITHIC_TRUE@@USE_LED_TRUE@am__append_78 = plugins/led/libstrongswan-led.la
+@USE_UCI_TRUE@am__append_79 = plugins/uci
+@MONOLITHIC_TRUE@@USE_UCI_TRUE@am__append_80 = plugins/uci/libstrongswan-uci.la
+@USE_ADDRBLOCK_TRUE@am__append_81 = plugins/addrblock
+@MONOLITHIC_TRUE@@USE_ADDRBLOCK_TRUE@am__append_82 = plugins/uci/libstrongswan-addrblock.la
+@USE_UNIT_TESTS_TRUE@am__append_83 = plugins/unit_tester
+@MONOLITHIC_TRUE@@USE_UNIT_TESTS_TRUE@am__append_84 = plugins/unit_tester/libstrongswan-unit-tester.la
 subdir = src/libcharon
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
@@ -181,7 +183,8 @@ libcharon_la_DEPENDENCIES = $(am__DEPENDENCIES_1) \
 	$(am__append_60) $(am__append_62) $(am__append_64) \
 	$(am__append_66) $(am__append_68) $(am__append_70) \
 	$(am__append_72) $(am__append_74) $(am__append_76) \
-	$(am__append_78) $(am__append_80) $(am__append_82)
+	$(am__append_78) $(am__append_80) $(am__append_82) \
+	$(am__append_84)
 am__libcharon_la_SOURCES_DIST = bus/bus.c bus/bus.h \
 	bus/listeners/listener.h bus/listeners/file_logger.c \
 	bus/listeners/file_logger.h bus/listeners/sys_logger.c \
@@ -251,8 +254,9 @@ am__libcharon_la_SOURCES_DIST = bus/bus.c bus/bus.h \
 	processing/jobs/send_dpd_job.c processing/jobs/send_dpd_job.h \
 	processing/jobs/send_keepalive_job.c \
 	processing/jobs/send_keepalive_job.h \
-	processing/jobs/roam_job.c processing/jobs/roam_job.h \
-	processing/jobs/update_sa_job.c \
+	processing/jobs/start_action_job.c \
+	processing/jobs/start_action_job.h processing/jobs/roam_job.c \
+	processing/jobs/roam_job.h processing/jobs/update_sa_job.c \
 	processing/jobs/update_sa_job.h \
 	processing/jobs/inactivity_job.c \
 	processing/jobs/inactivity_job.h \
@@ -288,8 +292,12 @@ am__libcharon_la_SOURCES_DIST = bus/bus.c bus/bus.h \
 	sa/tasks/ike_reauth.h sa/tasks/ike_auth_lifetime.c \
 	sa/tasks/ike_auth_lifetime.h sa/tasks/ike_vendor.c \
 	sa/tasks/ike_vendor.h sa/tasks/task.c sa/tasks/task.h \
-	tnccs/tnccs.c tnccs/tnccs.h tnccs/tnccs_manager.h \
-	tnccs/tnccs_manager.c encoding/payloads/endpoint_notify.c \
+	tnc/tncif.h tnc/tncifimc.h tnc/tncifimv.h tnc/tncifimv.c \
+	tnc/imc/imc.h tnc/imc/imc_manager.h tnc/imv/imv.h \
+	tnc/imv/imv_manager.h tnc/imv/imv_recommendations.c \
+	tnc/imv/imv_recommendations.h tnc/tnccs/tnccs.c \
+	tnc/tnccs/tnccs.h tnc/tnccs/tnccs_manager.c \
+	tnc/tnccs/tnccs_manager.h encoding/payloads/endpoint_notify.c \
 	encoding/payloads/endpoint_notify.h \
 	processing/jobs/initiate_mediation_job.c \
 	processing/jobs/initiate_mediation_job.h \
@@ -315,16 +323,17 @@ am_libcharon_la_OBJECTS = bus.lo file_logger.lo sys_logger.lo \
 	acquire_job.lo delete_child_sa_job.lo delete_ike_sa_job.lo \
 	migrate_job.lo process_message_job.lo rekey_child_sa_job.lo \
 	rekey_ike_sa_job.lo retransmit_job.lo send_dpd_job.lo \
-	send_keepalive_job.lo roam_job.lo update_sa_job.lo \
-	inactivity_job.lo authenticator.lo eap_authenticator.lo \
-	eap_method.lo eap_manager.lo sim_manager.lo \
-	psk_authenticator.lo pubkey_authenticator.lo child_sa.lo \
-	ike_sa.lo ike_sa_id.lo ike_sa_manager.lo task_manager.lo \
-	keymat.lo trap_manager.lo child_create.lo child_delete.lo \
-	child_rekey.lo ike_auth.lo ike_cert_pre.lo ike_cert_post.lo \
-	ike_config.lo ike_delete.lo ike_dpd.lo ike_init.lo ike_natd.lo \
-	ike_mobike.lo ike_rekey.lo ike_reauth.lo ike_auth_lifetime.lo \
-	ike_vendor.lo task.lo tnccs.lo tnccs_manager.lo \
+	send_keepalive_job.lo start_action_job.lo roam_job.lo \
+	update_sa_job.lo inactivity_job.lo authenticator.lo \
+	eap_authenticator.lo eap_method.lo eap_manager.lo \
+	sim_manager.lo psk_authenticator.lo pubkey_authenticator.lo \
+	child_sa.lo ike_sa.lo ike_sa_id.lo ike_sa_manager.lo \
+	task_manager.lo keymat.lo trap_manager.lo child_create.lo \
+	child_delete.lo child_rekey.lo ike_auth.lo ike_cert_pre.lo \
+	ike_cert_post.lo ike_config.lo ike_delete.lo ike_dpd.lo \
+	ike_init.lo ike_natd.lo ike_mobike.lo ike_rekey.lo \
+	ike_reauth.lo ike_auth_lifetime.lo ike_vendor.lo task.lo \
+	tncifimv.lo imv_recommendations.lo tnccs.lo tnccs_manager.lo \
 	$(am__objects_1)
 libcharon_la_OBJECTS = $(am_libcharon_la_OBJECTS)
 DEFAULT_INCLUDES = -I.@am__isrc@
@@ -366,9 +375,9 @@ DIST_SUBDIRS = . plugins/load_tester plugins/socket_default \
 	plugins/eap_mschapv2 plugins/eap_radius plugins/eap_tls \
 	plugins/eap_ttls plugins/eap_tnc plugins/tnc_imc \
 	plugins/tnc_imv plugins/tnccs_11 plugins/tnccs_20 \
-	plugins/medsrv plugins/medcli plugins/nm plugins/dhcp \
-	plugins/android plugins/maemo plugins/ha plugins/led \
-	plugins/uci plugins/addrblock plugins/unit_tester
+	plugins/tnccs_dynamic plugins/medsrv plugins/medcli plugins/nm \
+	plugins/dhcp plugins/android plugins/maemo plugins/ha \
+	plugins/led plugins/uci plugins/addrblock plugins/unit_tester
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 am__relativize = \
   dir0=`pwd`; \
@@ -514,9 +523,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -555,6 +562,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
@@ -635,8 +644,9 @@ libcharon_la_SOURCES = bus/bus.c bus/bus.h bus/listeners/listener.h \
 	processing/jobs/send_dpd_job.c processing/jobs/send_dpd_job.h \
 	processing/jobs/send_keepalive_job.c \
 	processing/jobs/send_keepalive_job.h \
-	processing/jobs/roam_job.c processing/jobs/roam_job.h \
-	processing/jobs/update_sa_job.c \
+	processing/jobs/start_action_job.c \
+	processing/jobs/start_action_job.h processing/jobs/roam_job.c \
+	processing/jobs/roam_job.h processing/jobs/update_sa_job.c \
 	processing/jobs/update_sa_job.h \
 	processing/jobs/inactivity_job.c \
 	processing/jobs/inactivity_job.h \
@@ -672,8 +682,12 @@ libcharon_la_SOURCES = bus/bus.c bus/bus.h bus/listeners/listener.h \
 	sa/tasks/ike_reauth.h sa/tasks/ike_auth_lifetime.c \
 	sa/tasks/ike_auth_lifetime.h sa/tasks/ike_vendor.c \
 	sa/tasks/ike_vendor.h sa/tasks/task.c sa/tasks/task.h \
-	tnccs/tnccs.c tnccs/tnccs.h tnccs/tnccs_manager.h \
-	tnccs/tnccs_manager.c $(am__append_1)
+	tnc/tncif.h tnc/tncifimc.h tnc/tncifimv.h tnc/tncifimv.c \
+	tnc/imc/imc.h tnc/imc/imc_manager.h tnc/imv/imv.h \
+	tnc/imv/imv_manager.h tnc/imv/imv_recommendations.c \
+	tnc/imv/imv_recommendations.h tnc/tnccs/tnccs.c \
+	tnc/tnccs/tnccs.h tnc/tnccs/tnccs_manager.c \
+	tnc/tnccs/tnccs_manager.h $(am__append_1)
 INCLUDES = \
 	-I${linux_headers} \
 	-I$(top_srcdir)/src/libstrongswan \
@@ -699,7 +713,8 @@ libcharon_la_LIBADD = -lm $(PTHREADLIB) $(DLLIB) $(SOCKLIB) \
 	$(am__append_60) $(am__append_62) $(am__append_64) \
 	$(am__append_66) $(am__append_68) $(am__append_70) \
 	$(am__append_72) $(am__append_74) $(am__append_76) \
-	$(am__append_78) $(am__append_80) $(am__append_82)
+	$(am__append_78) $(am__append_80) $(am__append_82) \
+	$(am__append_84)
 EXTRA_DIST = Android.mk
 @MONOLITHIC_FALSE@SUBDIRS = . $(am__append_3) $(am__append_5) \
 @MONOLITHIC_FALSE@	$(am__append_7) $(am__append_9) \
@@ -720,7 +735,7 @@ EXTRA_DIST = Android.mk
 @MONOLITHIC_FALSE@	$(am__append_69) $(am__append_71) \
 @MONOLITHIC_FALSE@	$(am__append_73) $(am__append_75) \
 @MONOLITHIC_FALSE@	$(am__append_77) $(am__append_79) \
-@MONOLITHIC_FALSE@	$(am__append_81)
+@MONOLITHIC_FALSE@	$(am__append_81) $(am__append_83)
 
 # build optional plugins
 ########################
@@ -743,7 +758,7 @@ EXTRA_DIST = Android.mk
 @MONOLITHIC_TRUE@	$(am__append_69) $(am__append_71) \
 @MONOLITHIC_TRUE@	$(am__append_73) $(am__append_75) \
 @MONOLITHIC_TRUE@	$(am__append_77) $(am__append_79) \
-@MONOLITHIC_TRUE@	$(am__append_81)
+@MONOLITHIC_TRUE@	$(am__append_81) $(am__append_83)
 all: all-recursive
 
 .SUFFIXES:
@@ -867,6 +882,7 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_sa_id.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_sa_manager.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_vendor.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imv_recommendations.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/inactivity_job.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/initiate_mediation_job.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ke_payload.Plo@am__quote@
@@ -898,11 +914,13 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sender.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sim_manager.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/socket_manager.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/start_action_job.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sys_logger.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/task.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/task_manager.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs_manager.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tncifimv.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/traffic_selector_substructure.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/transform_attribute.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/transform_substructure.Plo@am__quote@
@@ -1283,6 +1301,13 @@ send_keepalive_job.lo: processing/jobs/send_keepalive_job.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o send_keepalive_job.lo `test -f 'processing/jobs/send_keepalive_job.c' || echo '$(srcdir)/'`processing/jobs/send_keepalive_job.c
 
+start_action_job.lo: processing/jobs/start_action_job.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT start_action_job.lo -MD -MP -MF $(DEPDIR)/start_action_job.Tpo -c -o start_action_job.lo `test -f 'processing/jobs/start_action_job.c' || echo '$(srcdir)/'`processing/jobs/start_action_job.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/start_action_job.Tpo $(DEPDIR)/start_action_job.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/start_action_job.c' object='start_action_job.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o start_action_job.lo `test -f 'processing/jobs/start_action_job.c' || echo '$(srcdir)/'`processing/jobs/start_action_job.c
+
 roam_job.lo: processing/jobs/roam_job.c
 @am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT roam_job.lo -MD -MP -MF $(DEPDIR)/roam_job.Tpo -c -o roam_job.lo `test -f 'processing/jobs/roam_job.c' || echo '$(srcdir)/'`processing/jobs/roam_job.c
 @am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/roam_job.Tpo $(DEPDIR)/roam_job.Plo
@@ -1521,19 +1546,33 @@ task.lo: sa/tasks/task.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o task.lo `test -f 'sa/tasks/task.c' || echo '$(srcdir)/'`sa/tasks/task.c
 
-tnccs.lo: tnccs/tnccs.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tnccs.lo -MD -MP -MF $(DEPDIR)/tnccs.Tpo -c -o tnccs.lo `test -f 'tnccs/tnccs.c' || echo '$(srcdir)/'`tnccs/tnccs.c
+tncifimv.lo: tnc/tncifimv.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tncifimv.lo -MD -MP -MF $(DEPDIR)/tncifimv.Tpo -c -o tncifimv.lo `test -f 'tnc/tncifimv.c' || echo '$(srcdir)/'`tnc/tncifimv.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/tncifimv.Tpo $(DEPDIR)/tncifimv.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tnc/tncifimv.c' object='tncifimv.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tncifimv.lo `test -f 'tnc/tncifimv.c' || echo '$(srcdir)/'`tnc/tncifimv.c
+
+imv_recommendations.lo: tnc/imv/imv_recommendations.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT imv_recommendations.lo -MD -MP -MF $(DEPDIR)/imv_recommendations.Tpo -c -o imv_recommendations.lo `test -f 'tnc/imv/imv_recommendations.c' || echo '$(srcdir)/'`tnc/imv/imv_recommendations.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/imv_recommendations.Tpo $(DEPDIR)/imv_recommendations.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tnc/imv/imv_recommendations.c' object='imv_recommendations.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o imv_recommendations.lo `test -f 'tnc/imv/imv_recommendations.c' || echo '$(srcdir)/'`tnc/imv/imv_recommendations.c
+
+tnccs.lo: tnc/tnccs/tnccs.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tnccs.lo -MD -MP -MF $(DEPDIR)/tnccs.Tpo -c -o tnccs.lo `test -f 'tnc/tnccs/tnccs.c' || echo '$(srcdir)/'`tnc/tnccs/tnccs.c
 @am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/tnccs.Tpo $(DEPDIR)/tnccs.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tnccs/tnccs.c' object='tnccs.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tnc/tnccs/tnccs.c' object='tnccs.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tnccs.lo `test -f 'tnccs/tnccs.c' || echo '$(srcdir)/'`tnccs/tnccs.c
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tnccs.lo `test -f 'tnc/tnccs/tnccs.c' || echo '$(srcdir)/'`tnc/tnccs/tnccs.c
 
-tnccs_manager.lo: tnccs/tnccs_manager.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tnccs_manager.lo -MD -MP -MF $(DEPDIR)/tnccs_manager.Tpo -c -o tnccs_manager.lo `test -f 'tnccs/tnccs_manager.c' || echo '$(srcdir)/'`tnccs/tnccs_manager.c
+tnccs_manager.lo: tnc/tnccs/tnccs_manager.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tnccs_manager.lo -MD -MP -MF $(DEPDIR)/tnccs_manager.Tpo -c -o tnccs_manager.lo `test -f 'tnc/tnccs/tnccs_manager.c' || echo '$(srcdir)/'`tnc/tnccs/tnccs_manager.c
 @am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/tnccs_manager.Tpo $(DEPDIR)/tnccs_manager.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tnccs/tnccs_manager.c' object='tnccs_manager.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tnc/tnccs/tnccs_manager.c' object='tnccs_manager.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tnccs_manager.lo `test -f 'tnccs/tnccs_manager.c' || echo '$(srcdir)/'`tnccs/tnccs_manager.c
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tnccs_manager.lo `test -f 'tnc/tnccs/tnccs_manager.c' || echo '$(srcdir)/'`tnc/tnccs/tnccs_manager.c
 
 endpoint_notify.lo: encoding/payloads/endpoint_notify.c
 @am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT endpoint_notify.lo -MD -MP -MF $(DEPDIR)/endpoint_notify.Tpo -c -o endpoint_notify.lo `test -f 'encoding/payloads/endpoint_notify.c' || echo '$(srcdir)/'`encoding/payloads/endpoint_notify.c
diff --git a/src/libcharon/bus/bus.c b/src/libcharon/bus/bus.c
index ab8d0fc48..23931c47d 100644
--- a/src/libcharon/bus/bus.c
+++ b/src/libcharon/bus/bus.c
@@ -227,13 +227,13 @@ static bool log_cb(entry_t *entry, log_data_t *data)
 		{
 			entry->blocker = FALSE;
 			entry->condvar->signal(entry->condvar);
+			entry->calling--;
 		}
 		else
 		{
 			entry_destroy(entry);
 		}
 		va_end(args);
-		entry->calling--;
 		return TRUE;
 	}
 	va_end(args);
diff --git a/src/libcharon/config/backend_manager.c b/src/libcharon/config/backend_manager.c
index 90ef58563..e78cb702d 100644
--- a/src/libcharon/config/backend_manager.c
+++ b/src/libcharon/config/backend_manager.c
@@ -96,6 +96,11 @@ static ike_cfg_match_t get_ike_match(ike_cfg_t *cand, host_t *me, host_t *other)
 		{
 			match += MATCH_ANY;
 		}
+		else
+		{
+			me_cand->destroy(me_cand);
+			return MATCH_NONE;
+		}
 		me_cand->destroy(me_cand);
 	}
 	else
@@ -119,6 +124,11 @@ static ike_cfg_match_t get_ike_match(ike_cfg_t *cand, host_t *me, host_t *other)
 		{
 			match += MATCH_ANY;
 		}
+		else
+		{
+			other_cand->destroy(other_cand);
+			return MATCH_NONE;
+		}
 		other_cand->destroy(other_cand);
 	}
 	else
@@ -128,11 +138,8 @@ static ike_cfg_match_t get_ike_match(ike_cfg_t *cand, host_t *me, host_t *other)
 	return match;
 }
 
-/**
- * implements backend_manager_t.get_ike_cfg.
- */
-static ike_cfg_t *get_ike_cfg(private_backend_manager_t *this,
-							  host_t *me, host_t *other)
+METHOD(backend_manager_t, get_ike_cfg, ike_cfg_t*,
+	private_backend_manager_t *this, host_t *me, host_t *other)
 {
 	ike_cfg_t *current, *found = NULL;
 	enumerator_t *enumerator;
@@ -308,12 +315,9 @@ static void insert_sorted(match_entry_t *entry, linked_list_t *list,
 	}
 }
 
-/**
- * Implements backend_manager_t.create_peer_cfg_enumerator.
- */
-static enumerator_t *create_peer_cfg_enumerator(private_backend_manager_t *this,
-							host_t *me, host_t *other, identification_t *my_id,
-							identification_t *other_id)
+METHOD(backend_manager_t, create_peer_cfg_enumerator, enumerator_t*,
+	private_backend_manager_t *this, host_t *me, host_t *other,
+	identification_t *my_id, identification_t *other_id)
 {
 	enumerator_t *enumerator;
 	peer_data_t *data;
@@ -372,10 +376,8 @@ static enumerator_t *create_peer_cfg_enumerator(private_backend_manager_t *this,
 									(void*)peer_enum_filter_destroy);
 }
 
-/**
- * implements backend_manager_t.get_peer_cfg_by_name.
- */
-static peer_cfg_t *get_peer_cfg_by_name(private_backend_manager_t *this, char *name)
+METHOD(backend_manager_t, get_peer_cfg_by_name, peer_cfg_t*,
+	private_backend_manager_t *this, char *name)
 {
 	backend_t *backend;
 	peer_cfg_t *config = NULL;
@@ -392,30 +394,24 @@ static peer_cfg_t *get_peer_cfg_by_name(private_backend_manager_t *this, char *n
 	return config;
 }
 
-/**
- * Implementation of backend_manager_t.remove_backend.
- */
-static void remove_backend(private_backend_manager_t *this, backend_t *backend)
+METHOD(backend_manager_t, remove_backend, void,
+	private_backend_manager_t *this, backend_t *backend)
 {
 	this->lock->write_lock(this->lock);
 	this->backends->remove(this->backends, backend, NULL);
 	this->lock->unlock(this->lock);
 }
 
-/**
- * Implementation of backend_manager_t.add_backend.
- */
-static void add_backend(private_backend_manager_t *this, backend_t *backend)
+METHOD(backend_manager_t, add_backend, void,
+	private_backend_manager_t *this, backend_t *backend)
 {
 	this->lock->write_lock(this->lock);
 	this->backends->insert_last(this->backends, backend);
 	this->lock->unlock(this->lock);
 }
 
-/**
- * Implementation of backend_manager_t.destroy.
- */
-static void destroy(private_backend_manager_t *this)
+METHOD(backend_manager_t, destroy, void,
+	private_backend_manager_t *this)
 {
 	this->backends->destroy(this->backends);
 	this->lock->destroy(this->lock);
@@ -424,20 +420,24 @@ static void destroy(private_backend_manager_t *this)
 
 /*
  * Described in header-file
+
  */
 backend_manager_t *backend_manager_create()
 {
-	private_backend_manager_t *this = malloc_thing(private_backend_manager_t);
-
-	this->public.get_ike_cfg = (ike_cfg_t* (*)(backend_manager_t*, host_t*, host_t*))get_ike_cfg;
-	this->public.get_peer_cfg_by_name = (peer_cfg_t* (*)(backend_manager_t*,char*))get_peer_cfg_by_name;
-	this->public.create_peer_cfg_enumerator = (enumerator_t* (*)(backend_manager_t*,host_t*,host_t*,identification_t*,identification_t*))create_peer_cfg_enumerator;
-	this->public.add_backend = (void(*)(backend_manager_t*, backend_t *backend))add_backend;
-	this->public.remove_backend = (void(*)(backend_manager_t*, backend_t *backend))remove_backend;
-	this->public.destroy = (void (*)(backend_manager_t*))destroy;
+	private_backend_manager_t *this;
 
-	this->backends = linked_list_create();
-	this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
+	INIT(this,
+		.public = {
+			.get_ike_cfg = _get_ike_cfg,
+			.get_peer_cfg_by_name = _get_peer_cfg_by_name,
+			.create_peer_cfg_enumerator = _create_peer_cfg_enumerator,
+			.add_backend = _add_backend,
+			.remove_backend = _remove_backend,
+			.destroy = _destroy,
+		},
+		.backends = linked_list_create(),
+		.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
+	);
 
 	return &this->public;
 }
diff --git a/src/libcharon/config/child_cfg.c b/src/libcharon/config/child_cfg.c
index 1cdfd5949..74949be3c 100644
--- a/src/libcharon/config/child_cfg.c
+++ b/src/libcharon/config/child_cfg.c
@@ -79,6 +79,11 @@ struct private_child_cfg_t {
 	 */
 	ipsec_mode_t mode;
 
+	/**
+	 * action to take to start CHILD_SA
+	 */
+	action_t start_action;
+
 	/**
 	 * action to take on DPD
 	 */
@@ -118,6 +123,12 @@ struct private_child_cfg_t {
 	 * Optional mark to install outbound CHILD_SA with
 	 */
 	mark_t mark_out;
+
+	/**
+	 * Traffic Flow Confidentiality padding, if enabled
+	 */
+	u_int32_t tfc;
+
 	/**
 	 * set up IPsec transport SA in MIPv6 proxy mode
 	 */
@@ -129,26 +140,20 @@ struct private_child_cfg_t {
 	bool install_policy;
 };
 
-/**
- * Implementation of child_cfg_t.get_name.
- */
-static char *get_name(private_child_cfg_t *this)
+METHOD(child_cfg_t, get_name, char*,
+	private_child_cfg_t *this)
 {
 	return this->name;
 }
 
-/**
- * Implementation of child_cfg_t.add_proposal.
- */
-static void add_proposal(private_child_cfg_t *this, proposal_t *proposal)
+METHOD(child_cfg_t, add_proposal, void,
+	private_child_cfg_t *this, proposal_t *proposal)
 {
 	this->proposals->insert_last(this->proposals, proposal);
 }
 
-/**
- * Implementation of child_cfg_t.get_proposals.
- */
-static linked_list_t* get_proposals(private_child_cfg_t *this, bool strip_dh)
+METHOD(child_cfg_t, get_proposals, linked_list_t*,
+	private_child_cfg_t *this, bool strip_dh)
 {
 	enumerator_t *enumerator;
 	proposal_t *current;
@@ -169,12 +174,9 @@ static linked_list_t* get_proposals(private_child_cfg_t *this, bool strip_dh)
 	return proposals;
 }
 
-/**
- * Implementation of child_cfg_t.select_proposal.
- */
-static proposal_t* select_proposal(private_child_cfg_t*this,
-								   linked_list_t *proposals, bool strip_dh,
-								   bool private)
+METHOD(child_cfg_t, select_proposal, proposal_t*,
+	private_child_cfg_t*this, linked_list_t *proposals, bool strip_dh,
+	bool private)
 {
 	enumerator_t *stored_enum, *supplied_enum;
 	proposal_t *stored, *supplied, *selected = NULL;
@@ -219,11 +221,8 @@ static proposal_t* select_proposal(private_child_cfg_t*this,
 	return selected;
 }
 
-/**
- * Implementation of child_cfg_t.add_traffic_selector.
- */
-static void add_traffic_selector(private_child_cfg_t *this, bool local,
-								 traffic_selector_t *ts)
+METHOD(child_cfg_t, add_traffic_selector, void,
+	private_child_cfg_t *this, bool local, traffic_selector_t *ts)
 {
 	if (local)
 	{
@@ -235,12 +234,8 @@ static void add_traffic_selector(private_child_cfg_t *this, bool local,
 	}
 }
 
-/**
- * Implementation of child_cfg_t.get_traffic_selectors.
- */
-static linked_list_t* get_traffic_selectors(private_child_cfg_t *this, bool local,
-											linked_list_t *supplied,
-											host_t *host)
+METHOD(child_cfg_t, get_traffic_selectors, linked_list_t*,
+	private_child_cfg_t *this, bool local, linked_list_t *supplied,	host_t *host)
 {
 	enumerator_t *e1, *e2;
 	traffic_selector_t *ts1, *ts2, *selected;
@@ -346,18 +341,14 @@ static linked_list_t* get_traffic_selectors(private_child_cfg_t *this, bool loca
 	return result;
 }
 
-/**
- * Implementation of child_cfg_t.get_updown.
- */
-static char* get_updown(private_child_cfg_t *this)
+METHOD(child_cfg_t, get_updown, char*,
+	private_child_cfg_t *this)
 {
 	return this->updown;
 }
 
-/**
- * Implementation of child_cfg_t.get_hostaccess.
- */
-static bool get_hostaccess(private_child_cfg_t *this)
+METHOD(child_cfg_t, get_hostaccess, bool,
+	private_child_cfg_t *this)
 {
 	return this->hostaccess;
 }
@@ -378,10 +369,8 @@ static u_int64_t apply_jitter(u_int64_t rekey, u_int64_t jitter)
 }
 #define APPLY_JITTER(l) l.rekey = apply_jitter(l.rekey, l.jitter)
 
-/**
- * Implementation of child_cfg_t.get_lifetime.
- */
-static lifetime_cfg_t *get_lifetime(private_child_cfg_t *this)
+METHOD(child_cfg_t, get_lifetime, lifetime_cfg_t*,
+	private_child_cfg_t *this)
 {
 	lifetime_cfg_t *lft = malloc_thing(lifetime_cfg_t);
 	memcpy(lft, &this->lifetime, sizeof(lifetime_cfg_t));
@@ -391,34 +380,32 @@ static lifetime_cfg_t *get_lifetime(private_child_cfg_t *this)
 	return lft;
 }
 
-/**
- * Implementation of child_cfg_t.get_mode.
- */
-static ipsec_mode_t get_mode(private_child_cfg_t *this)
+METHOD(child_cfg_t, get_mode, ipsec_mode_t,
+	private_child_cfg_t *this)
 {
 	return this->mode;
 }
 
-/**
- * Implementation of child_cfg_t.get_dpd_action.
- */
-static action_t get_dpd_action(private_child_cfg_t *this)
+METHOD(child_cfg_t, get_start_action, action_t,
+	private_child_cfg_t *this)
+{
+	return this->start_action;
+}
+
+METHOD(child_cfg_t, get_dpd_action, action_t,
+	private_child_cfg_t *this)
 {
 	return this->dpd_action;
 }
 
-/**
- * Implementation of child_cfg_t.get_close_action.
- */
-static action_t get_close_action(private_child_cfg_t *this)
+METHOD(child_cfg_t, get_close_action, action_t,
+	private_child_cfg_t *this)
 {
 	return this->close_action;
 }
 
-/**
- * Implementation of child_cfg_t.get_dh_group.
- */
-static diffie_hellman_group_t get_dh_group(private_child_cfg_t *this)
+METHOD(child_cfg_t, get_dh_group, diffie_hellman_group_t,
+	private_child_cfg_t *this)
 {
 	enumerator_t *enumerator;
 	proposal_t *proposal;
@@ -436,77 +423,64 @@ static diffie_hellman_group_t get_dh_group(private_child_cfg_t *this)
 	return dh_group;
 }
 
-/**
- * Implementation of child_cfg_t.use_ipcomp.
- */
-static bool use_ipcomp(private_child_cfg_t *this)
+METHOD(child_cfg_t, use_ipcomp, bool,
+	private_child_cfg_t *this)
 {
 	return this->use_ipcomp;
 }
 
-/**
- * Implementation of child_cfg_t.get_inactivity.
- */
-static u_int32_t get_inactivity(private_child_cfg_t *this)
+METHOD(child_cfg_t, get_inactivity, u_int32_t,
+	private_child_cfg_t *this)
 {
 	return this->inactivity;
 }
 
-/**
- * Implementation of child_cfg_t.get_reqid.
- */
-static u_int32_t get_reqid(private_child_cfg_t *this)
+METHOD(child_cfg_t, get_reqid, u_int32_t,
+	private_child_cfg_t *this)
 {
 	return this->reqid;
 }
 
-/**
- * Implementation of child_cfg_t.get_mark.
- */
-static mark_t get_mark(private_child_cfg_t *this, bool inbound)
+METHOD(child_cfg_t, get_mark, mark_t,
+	private_child_cfg_t *this, bool inbound)
 {
 	return inbound ? this->mark_in : this->mark_out;
 }
 
-/**
- * Implementation of child_cfg_t.set_mipv6_options.
- */
-static void set_mipv6_options(private_child_cfg_t *this, bool proxy_mode,
-														 bool install_policy)
+METHOD(child_cfg_t, get_tfc, u_int32_t,
+	private_child_cfg_t *this)
+{
+	return this->tfc;
+}
+
+METHOD(child_cfg_t, set_mipv6_options, void,
+	private_child_cfg_t *this, bool proxy_mode, bool install_policy)
 {
 	this->proxy_mode = proxy_mode;
 	this->install_policy = install_policy;
 }
 
-/**
- * Implementation of child_cfg_t.use_proxy_mode.
- */
-static bool use_proxy_mode(private_child_cfg_t *this)
+METHOD(child_cfg_t, use_proxy_mode, bool,
+	private_child_cfg_t *this)
 {
 	return this->proxy_mode;
 }
 
-/**
- * Implementation of child_cfg_t.install_policy.
- */
-static bool install_policy(private_child_cfg_t *this)
+METHOD(child_cfg_t, install_policy, bool,
+	private_child_cfg_t *this)
 {
 	return this->install_policy;
 }
 
-/**
- * Implementation of child_cfg_t.get_ref.
- */
-static child_cfg_t* get_ref(private_child_cfg_t *this)
+METHOD(child_cfg_t, get_ref, child_cfg_t*,
+	private_child_cfg_t *this)
 {
 	ref_get(&this->refcount);
 	return &this->public;
 }
 
-/**
- * Implements child_cfg_t.destroy.
- */
-static void destroy(private_child_cfg_t *this)
+METHOD(child_cfg_t, destroy, void,
+	private_child_cfg_t *this)
 {
 	if (ref_put(&this->refcount))
 	{
@@ -527,71 +501,67 @@ static void destroy(private_child_cfg_t *this)
  */
 child_cfg_t *child_cfg_create(char *name, lifetime_cfg_t *lifetime,
 							  char *updown, bool hostaccess,
-							  ipsec_mode_t mode, action_t dpd_action,
-							  action_t close_action, bool ipcomp,
-							  u_int32_t inactivity, u_int32_t reqid,
-							  mark_t *mark_in, mark_t *mark_out)
+							  ipsec_mode_t mode, action_t start_action,
+							  action_t dpd_action, action_t close_action,
+							  bool ipcomp, u_int32_t inactivity, u_int32_t reqid,
+							  mark_t *mark_in, mark_t *mark_out, u_int32_t tfc)
 {
-	private_child_cfg_t *this = malloc_thing(private_child_cfg_t);
-
-	this->public.get_name = (char* (*) (child_cfg_t*))get_name;
-	this->public.add_traffic_selector = (void (*)(child_cfg_t*,bool,traffic_selector_t*))add_traffic_selector;
-	this->public.get_traffic_selectors = (linked_list_t*(*)(child_cfg_t*,bool,linked_list_t*,host_t*))get_traffic_selectors;
-	this->public.add_proposal = (void (*) (child_cfg_t*,proposal_t*))add_proposal;
-	this->public.get_proposals = (linked_list_t* (*) (child_cfg_t*,bool))get_proposals;
-	this->public.select_proposal = (proposal_t* (*) (child_cfg_t*,linked_list_t*,bool,bool))select_proposal;
-	this->public.get_updown = (char* (*) (child_cfg_t*))get_updown;
-	this->public.get_hostaccess = (bool (*) (child_cfg_t*))get_hostaccess;
-	this->public.get_mode = (ipsec_mode_t (*) (child_cfg_t *))get_mode;
-	this->public.get_dpd_action = (action_t (*) (child_cfg_t *))get_dpd_action;
-	this->public.get_close_action = (action_t (*) (child_cfg_t *))get_close_action;
-	this->public.get_lifetime = (lifetime_cfg_t* (*) (child_cfg_t *))get_lifetime;
-	this->public.get_dh_group = (diffie_hellman_group_t(*)(child_cfg_t*)) get_dh_group;
-	this->public.set_mipv6_options = (void (*) (child_cfg_t*,bool,bool))set_mipv6_options;
-	this->public.use_ipcomp = (bool (*) (child_cfg_t *))use_ipcomp;
-	this->public.get_inactivity = (u_int32_t (*) (child_cfg_t *))get_inactivity;
-	this->public.get_reqid = (u_int32_t (*) (child_cfg_t *))get_reqid;
-	this->public.get_mark = (mark_t (*) (child_cfg_t *,bool))get_mark;
-	this->public.use_proxy_mode = (bool (*) (child_cfg_t *))use_proxy_mode;
-	this->public.install_policy = (bool (*) (child_cfg_t *))install_policy;
-	this->public.get_ref = (child_cfg_t* (*) (child_cfg_t*))get_ref;
-	this->public.destroy = (void (*) (child_cfg_t*))destroy;
-
-	this->name = strdup(name);
-	this->updown = updown ? strdup(updown) : NULL;
-	this->hostaccess = hostaccess;
-	this->mode = mode;
-	this->dpd_action = dpd_action;
-	this->close_action = close_action;
-	this->use_ipcomp = ipcomp;
-	this->inactivity = inactivity;
-	this->reqid = reqid;
+	private_child_cfg_t *this;
+
+	INIT(this,
+		.public = {
+			.get_name = _get_name,
+			.add_traffic_selector = _add_traffic_selector,
+			.get_traffic_selectors = _get_traffic_selectors,
+			.add_proposal = _add_proposal,
+			.get_proposals = _get_proposals,
+			.select_proposal = _select_proposal,
+			.get_updown = _get_updown,
+			.get_hostaccess = _get_hostaccess,
+			.get_mode = _get_mode,
+			.get_start_action = _get_start_action,
+			.get_dpd_action = _get_dpd_action,
+			.get_close_action = _get_close_action,
+			.get_lifetime = _get_lifetime,
+			.get_dh_group = _get_dh_group,
+			.set_mipv6_options = _set_mipv6_options,
+			.use_ipcomp = _use_ipcomp,
+			.get_inactivity = _get_inactivity,
+			.get_reqid = _get_reqid,
+			.get_mark = _get_mark,
+			.get_tfc = _get_tfc,
+			.use_proxy_mode = _use_proxy_mode,
+			.install_policy = _install_policy,
+			.get_ref = _get_ref,
+			.destroy = _destroy,
+		},
+		.name = strdup(name),
+		.updown = strdupnull(updown),
+		.hostaccess = hostaccess,
+		.mode = mode,
+		.start_action = start_action,
+		.dpd_action = dpd_action,
+		.close_action = close_action,
+		.use_ipcomp = ipcomp,
+		.inactivity = inactivity,
+		.reqid = reqid,
+		.proxy_mode = FALSE,
+		.install_policy = TRUE,
+		.refcount = 1,
+		.proposals = linked_list_create(),
+		.my_ts = linked_list_create(),
+		.other_ts = linked_list_create(),
+		.tfc = tfc,
+	);
 
 	if (mark_in)
 	{
 		this->mark_in = *mark_in;
 	}
-	else
-	{
-		this->mark_in.value = 0;
-		this->mark_in.mask  = 0;
-	}
 	if (mark_out)
 	{
 		this->mark_out = *mark_out;
 	}
-	else
-	{
-		this->mark_out.value = 0;
-		this->mark_out.mask  = 0;
-	}
-
-	this->proxy_mode = FALSE;
-	this->install_policy = TRUE;
-	this->refcount = 1;
-	this->proposals = linked_list_create();
-	this->my_ts = linked_list_create();
-	this->other_ts = linked_list_create();
 	memcpy(&this->lifetime, lifetime, sizeof(lifetime_cfg_t));
 
 	return &this->public;
diff --git a/src/libcharon/config/child_cfg.h b/src/libcharon/config/child_cfg.h
index 1e6fe3fe9..175ced76c 100644
--- a/src/libcharon/config/child_cfg.h
+++ b/src/libcharon/config/child_cfg.h
@@ -32,14 +32,15 @@ typedef struct child_cfg_t child_cfg_t;
 #include <kernel/kernel_ipsec.h>
 
 /**
- * Action to take when DPD detected/connection gets closed by peer.
+ * Action to take when connection is loaded, DPD is detected or
+ * connection gets closed by peer.
  */
 enum action_t {
 	/** No action */
 	ACTION_NONE,
-	/** Route config to reestablish on demand */
+	/** Route config to establish or reestablish on demand */
 	ACTION_ROUTE,
-	/** Restart config immediately */
+	/** Start or restart config immediately */
 	ACTION_RESTART,
 };
 
@@ -168,6 +169,13 @@ struct child_cfg_t {
 	 */
 	ipsec_mode_t (*get_mode) (child_cfg_t *this);
 
+	/**
+	 * Action to take to start CHILD_SA.
+	 *
+	 * @return				start action
+	 */
+	action_t (*get_start_action) (child_cfg_t *this);
+
 	/**
 	 * Action to take on DPD.
 	 *
@@ -219,6 +227,13 @@ struct child_cfg_t {
 	 */
 	mark_t (*get_mark)(child_cfg_t *this, bool inbound);
 
+	/**
+	 * Get the TFC padding value to use for CHILD_SA.
+	 *
+	 * @return				TFC padding, 0 to disable, -1 for MTU
+	 */
+	u_int32_t (*get_tfc)(child_cfg_t *this);
+
 	/**
 	 * Sets two options needed for Mobile IPv6 interoperability
 	 *
@@ -276,6 +291,7 @@ struct child_cfg_t {
  * @param updown			updown script to execute on up/down event
  * @param hostaccess		TRUE to allow access to the local host
  * @param mode				mode to propose for CHILD_SA, transport, tunnel or BEET
+ * @param start_action		start action
  * @param dpd_action		DPD action
  * @param close_action		close action
  * @param ipcomp			use IPComp, if peer supports it
@@ -283,13 +299,14 @@ struct child_cfg_t {
  * @param reqid				specific reqid to use for CHILD_SA, 0 for auto assign
  * @param mark_in			optional inbound mark (can be NULL)
  * @param mark_out			optional outbound mark (can be NULL)
+ * @param tfc				TFC padding size, 0 to disable, -1 to pad to PMTU
  * @return					child_cfg_t object
  */
 child_cfg_t *child_cfg_create(char *name, lifetime_cfg_t *lifetime,
 							  char *updown, bool hostaccess,
-							  ipsec_mode_t mode, action_t dpd_action,
-							  action_t close_action, bool ipcomp,
-							  u_int32_t inactivity, u_int32_t reqid,
-							  mark_t *mark_in, mark_t *mark_out);
+							  ipsec_mode_t mode, action_t start_action,
+							  action_t dpd_action, action_t close_action,
+							  bool ipcomp, u_int32_t inactivity, u_int32_t reqid,
+							  mark_t *mark_in, mark_t *mark_out, u_int32_t tfc);
 
 #endif /** CHILD_CFG_H_ @}*/
diff --git a/src/libcharon/config/peer_cfg.c b/src/libcharon/config/peer_cfg.c
index 9df14c9ae..6f0c87279 100644
--- a/src/libcharon/config/peer_cfg.c
+++ b/src/libcharon/config/peer_cfg.c
@@ -682,7 +682,7 @@ peer_cfg_t *peer_cfg_create(char *name, u_int ike_version, ike_cfg_t *ike_cfg,
 	this->use_mobike = mobike;
 	this->dpd = dpd;
 	this->virtual_ip = virtual_ip;
-	this->pool = pool ? strdup(pool) : NULL;
+	this->pool = strdupnull(pool);
 	this->local_auth = linked_list_create();
 	this->remote_auth = linked_list_create();
 	this->refcount = 1;
diff --git a/src/libcharon/config/proposal.c b/src/libcharon/config/proposal.c
index 5b8294599..86a59bc1b 100644
--- a/src/libcharon/config/proposal.c
+++ b/src/libcharon/config/proposal.c
@@ -560,6 +560,7 @@ static status_t add_string_algo(private_proposal_t *this, chunk_t alg)
 
 	if (token == NULL)
 	{
+		DBG1(DBG_CFG, "algorithm '%.*s' not recognized", alg.len, alg.ptr);
 		return FAILED;
 	}
 
@@ -740,9 +741,10 @@ static void proposal_add_supported_ike(private_proposal_t *this)
 	integrity_algorithm_t integrity;
 	pseudo_random_function_t prf;
 	diffie_hellman_group_t group;
+	const char *plugin_name;
 
 	enumerator = lib->crypto->create_crypter_enumerator(lib->crypto);
-	while (enumerator->enumerate(enumerator, &encryption))
+	while (enumerator->enumerate(enumerator, &encryption, &plugin_name))
 	{
 		switch (encryption)
 		{
@@ -777,7 +779,7 @@ static void proposal_add_supported_ike(private_proposal_t *this)
 	enumerator->destroy(enumerator);
 
 	enumerator = lib->crypto->create_signer_enumerator(lib->crypto);
-	while (enumerator->enumerate(enumerator, &integrity))
+	while (enumerator->enumerate(enumerator, &integrity, &plugin_name))
 	{
 		switch (integrity)
 		{
@@ -796,7 +798,7 @@ static void proposal_add_supported_ike(private_proposal_t *this)
 	enumerator->destroy(enumerator);
 
 	enumerator = lib->crypto->create_prf_enumerator(lib->crypto);
-	while (enumerator->enumerate(enumerator, &prf))
+	while (enumerator->enumerate(enumerator, &prf, &plugin_name))
 	{
 		switch (prf)
 		{
@@ -815,7 +817,7 @@ static void proposal_add_supported_ike(private_proposal_t *this)
 	enumerator->destroy(enumerator);
 
 	enumerator = lib->crypto->create_dh_enumerator(lib->crypto);
-	while (enumerator->enumerate(enumerator, &group))
+	while (enumerator->enumerate(enumerator, &group, &plugin_name))
 	{
 		switch (group)
 		{
diff --git a/src/libcharon/daemon.c b/src/libcharon/daemon.c
index 4b8e1fadd..4f2831e42 100644
--- a/src/libcharon/daemon.c
+++ b/src/libcharon/daemon.c
@@ -19,14 +19,14 @@
 #include <stdio.h>
 #include <sys/types.h>
 #include <unistd.h>
-#include <syslog.h>
 #include <time.h>
-#include <errno.h>
 
 #ifdef CAPABILITIES
-#ifdef HAVE_SYS_CAPABILITY_H
-#include <sys/capability.h>
-#endif /* HAVE_SYS_CAPABILITY_H */
+# ifdef HAVE_SYS_CAPABILITY_H
+#  include <sys/capability.h>
+# elif defined(CAPABILITIES_NATIVE)
+#  include <linux/capability.h>
+# endif /* CAPABILITIES_NATIVE */
 #endif /* CAPABILITIES */
 
 #include "daemon.h"
@@ -34,10 +34,7 @@
 #include <library.h>
 #include <config/proposal.h>
 #include <kernel/kernel_handler.h>
-
-#ifndef LOG_AUTHPRIV /* not defined on OpenSolaris */
-#define LOG_AUTHPRIV LOG_AUTH
-#endif
+#include <processing/jobs/start_action_job.h>
 
 typedef struct private_daemon_t private_daemon_t;
 
@@ -62,7 +59,7 @@ struct private_daemon_t {
 	cap_t caps;
 #endif /* CAPABILITIES_LIBCAP */
 #ifdef CAPABILITIES_NATIVE
-	struct __user_cap_data_struct caps;
+	struct __user_cap_data_struct caps[2];
 #endif /* CAPABILITIES_NATIVE */
 
 };
@@ -147,9 +144,16 @@ METHOD(daemon_t, keep_cap, void,
 	cap_set_flag(this->caps, CAP_PERMITTED, 1, &cap, CAP_SET);
 #endif /* CAPABILITIES_LIBCAP */
 #ifdef CAPABILITIES_NATIVE
-	this->caps.effective |= 1 << cap;
-	this->caps.permitted |= 1 << cap;
-	this->caps.inheritable |= 1 << cap;
+	int i = 0;
+
+	if (cap >= 32)
+	{
+		i++;
+		cap -= 32;
+	}
+	this->caps[i].effective |= 1 << cap;
+	this->caps[i].permitted |= 1 << cap;
+	this->caps[i].inheritable |= 1 << cap;
 #endif /* CAPABILITIES_NATIVE */
 }
 
@@ -164,9 +168,15 @@ METHOD(daemon_t, drop_capabilities, bool,
 #endif /* CAPABILITIES_LIBCAP */
 #ifdef CAPABILITIES_NATIVE
 	struct __user_cap_header_struct header = {
-		.version = _LINUX_CAPABILITY_VERSION,
+#if defined(_LINUX_CAPABILITY_VERSION_3)
+		.version = _LINUX_CAPABILITY_VERSION_3,
+#elif defined(_LINUX_CAPABILITY_VERSION_2)
+		.version = _LINUX_CAPABILITY_VERSION_2,
+#else
+		.version = _LINUX_CAPABILITY_VERSION_1,
+#endif
 	};
-	if (capset(&header, &this->caps) != 0)
+	if (capset(&header, this->caps) != 0)
 	{
 		return FALSE;
 	}
@@ -202,155 +212,9 @@ static void print_plugins()
 	DBG1(DBG_DMN, "loaded plugins: %s", buf);
 }
 
-/**
- * Initialize logging
- */
-static void initialize_loggers(private_daemon_t *this, bool use_stderr,
-							   level_t levels[])
-{
-	sys_logger_t *sys_logger;
-	file_logger_t *file_logger;
-	enumerator_t *enumerator;
-	char *facility, *filename;
-	int loggers_defined = 0;
-	debug_t group;
-	level_t  def;
-	bool append, ike_name;
-	FILE *file;
-
-	/* setup sysloggers */
-	enumerator = lib->settings->create_section_enumerator(lib->settings,
-														  "charon.syslog");
-	while (enumerator->enumerate(enumerator, &facility))
-	{
-		loggers_defined++;
-
-		ike_name = lib->settings->get_bool(lib->settings,
-								"charon.syslog.%s.ike_name", FALSE, facility);
-		if (streq(facility, "daemon"))
-		{
-			sys_logger = sys_logger_create(LOG_DAEMON, ike_name);
-		}
-		else if (streq(facility, "auth"))
-		{
-			sys_logger = sys_logger_create(LOG_AUTHPRIV, ike_name);
-		}
-		else
-		{
-			continue;
-		}
-		def = lib->settings->get_int(lib->settings,
-									 "charon.syslog.%s.default", 1, facility);
-		for (group = 0; group < DBG_MAX; group++)
-		{
-			sys_logger->set_level(sys_logger, group,
-				lib->settings->get_int(lib->settings,
-									   "charon.syslog.%s.%N", def,
-									   facility, debug_lower_names, group));
-		}
-		this->public.sys_loggers->insert_last(this->public.sys_loggers,
-											  sys_logger);
-		this->public.bus->add_listener(this->public.bus, &sys_logger->listener);
-	}
-	enumerator->destroy(enumerator);
-
-	/* and file loggers */
-	enumerator = lib->settings->create_section_enumerator(lib->settings,
-														  "charon.filelog");
-	while (enumerator->enumerate(enumerator, &filename))
-	{
-		loggers_defined++;
-		if (streq(filename, "stderr"))
-		{
-			file = stderr;
-		}
-		else if (streq(filename, "stdout"))
-		{
-			file = stdout;
-		}
-		else
-		{
-			append = lib->settings->get_bool(lib->settings,
-									"charon.filelog.%s.append", TRUE, filename);
-			file = fopen(filename, append ? "a" : "w");
-			if (file == NULL)
-			{
-				DBG1(DBG_DMN, "opening file %s for logging failed: %s",
-					 filename, strerror(errno));
-				continue;
-			}
-			if (lib->settings->get_bool(lib->settings,
-							"charon.filelog.%s.flush_line", FALSE, filename))
-			{
-				setlinebuf(file);
-			}
-		}
-		file_logger = file_logger_create(file,
-						lib->settings->get_str(lib->settings,
-							"charon.filelog.%s.time_format", NULL, filename),
-						lib->settings->get_bool(lib->settings,
-							"charon.filelog.%s.ike_name", FALSE, filename));
-		def = lib->settings->get_int(lib->settings,
-									 "charon.filelog.%s.default", 1, filename);
-		for (group = 0; group < DBG_MAX; group++)
-		{
-			file_logger->set_level(file_logger, group,
-				lib->settings->get_int(lib->settings,
-									   "charon.filelog.%s.%N", def,
-									   filename, debug_lower_names, group));
-		}
-		this->public.file_loggers->insert_last(this->public.file_loggers,
-											   file_logger);
-		this->public.bus->add_listener(this->public.bus, &file_logger->listener);
-
-	}
-	enumerator->destroy(enumerator);
-
-	/* set up legacy style default loggers provided via command-line */
-	if (!loggers_defined)
-	{
-		/* set up default stdout file_logger */
-		file_logger = file_logger_create(stdout, NULL, FALSE);
-		this->public.bus->add_listener(this->public.bus, &file_logger->listener);
-		this->public.file_loggers->insert_last(this->public.file_loggers,
-											   file_logger);
-		/* set up default daemon sys_logger */
-		sys_logger = sys_logger_create(LOG_DAEMON, FALSE);
-		this->public.bus->add_listener(this->public.bus, &sys_logger->listener);
-		this->public.sys_loggers->insert_last(this->public.sys_loggers,
-											  sys_logger);
-		for (group = 0; group < DBG_MAX; group++)
-		{
-			sys_logger->set_level(sys_logger, group, levels[group]);
-			if (use_stderr)
-			{
-				file_logger->set_level(file_logger, group, levels[group]);
-			}
-		}
-
-		/* set up default auth sys_logger */
-		sys_logger = sys_logger_create(LOG_AUTHPRIV, FALSE);
-		this->public.bus->add_listener(this->public.bus, &sys_logger->listener);
-		this->public.sys_loggers->insert_last(this->public.sys_loggers,
-											  sys_logger);
-		sys_logger->set_level(sys_logger, DBG_ANY, LEVEL_AUDIT);
-	}
-}
-
 METHOD(daemon_t, initialize, bool,
-	   private_daemon_t *this, bool syslog, level_t levels[])
+	private_daemon_t *this)
 {
-	/* for uncritical pseudo random numbers */
-	srandom(time(NULL) + getpid());
-
-	/* setup bus and it's listeners first to enable log output */
-	this->public.bus = bus_create();
-	/* set up hook to log dbg message in library via charons message bus */
-	dbg_old = dbg;
-	dbg = dbg_bus;
-
-	initialize_loggers(this, !syslog, levels);
-
 	DBG1(DBG_DMN, "Starting IKEv2 charon daemon (strongSwan "VERSION")");
 
 	if (lib->integrity)
@@ -362,16 +226,6 @@ METHOD(daemon_t, initialize, bool,
 		DBG1(DBG_DMN, "daemon 'charon': passed file integrity test");
 	}
 
-	/* load secrets, ca certificates and crls */
-	this->public.controller = controller_create();
-	this->public.eap = eap_manager_create();
-	this->public.sim = sim_manager_create();
-	this->public.tnccs = tnccs_manager_create();
-	this->public.backends = backend_manager_create();
-	this->public.socket = socket_manager_create();
-	this->public.traps = trap_manager_create();
-	this->kernel_handler = kernel_handler_create();
-
 	/* load plugins, further infrastructure may need it */
 	if (!lib->plugins->load(lib->plugins, NULL,
 			lib->settings->get_str(lib->settings, "charon.load", PLUGINS)))
@@ -393,6 +247,9 @@ METHOD(daemon_t, initialize, bool,
 		return FALSE;
 	}
 
+	/* Queue start_action job */
+	lib->processor->queue_job(lib->processor, (job_t*)start_action_job_create());
+
 #ifdef ME
 	this->public.connect_manager = connect_manager_create();
 	if (this->public.connect_manager == NULL)
@@ -418,10 +275,20 @@ private_daemon_t *daemon_create()
 			.drop_capabilities = _drop_capabilities,
 			.initialize = _initialize,
 			.start = _start,
+			.bus = bus_create(),
 			.file_loggers = linked_list_create(),
 			.sys_loggers = linked_list_create(),
 		},
 	);
+	charon = &this->public;
+	this->public.controller = controller_create();
+	this->public.eap = eap_manager_create();
+	this->public.sim = sim_manager_create();
+	this->public.tnccs = tnccs_manager_create();
+	this->public.backends = backend_manager_create();
+	this->public.socket = socket_manager_create();
+	this->public.traps = trap_manager_create();
+	this->kernel_handler = kernel_handler_create();
 
 #ifdef CAPABILITIES
 #ifdef CAPABILITIES_LIBCAP
@@ -442,7 +309,6 @@ private_daemon_t *daemon_create()
  */
 void libcharon_deinit()
 {
-
 	destroy((private_daemon_t*)charon);
 	charon = NULL;
 }
@@ -455,7 +321,13 @@ bool libcharon_init()
 	private_daemon_t *this;
 
 	this = daemon_create();
-	charon = &this->public;
+
+	/* for uncritical pseudo random numbers */
+	srandom(time(NULL) + getpid());
+
+	/* set up hook to log dbg message in library via charons message bus */
+	dbg_old = dbg;
+	dbg = dbg_bus;
 
 	lib->printf_hook->add_handler(lib->printf_hook, 'P',
 								  proposal_printf_hook,
diff --git a/src/libcharon/daemon.h b/src/libcharon/daemon.h
index c0c834b43..04f1fc249 100644
--- a/src/libcharon/daemon.h
+++ b/src/libcharon/daemon.h
@@ -149,7 +149,9 @@ typedef struct daemon_t daemon_t;
 #include <config/backend_manager.h>
 #include <sa/authenticators/eap/eap_manager.h>
 #include <sa/authenticators/eap/sim_manager.h>
-#include <tnccs/tnccs_manager.h>
+#include <tnc/imc/imc_manager.h>
+#include <tnc/imv/imv_manager.h>
+#include <tnc/tnccs/tnccs_manager.h>
 
 #ifdef ME
 #include <sa/connect_manager.h>
@@ -236,6 +238,16 @@ struct daemon_t {
 	 */
 	sim_manager_t *sim;
 
+	/**
+	 * TNC IMC manager controlling Integrity Measurement Collectors
+	 */
+	imc_manager_t *imcs;
+
+	/**
+	 * TNC IMV manager controlling Integrity Measurement Verifiers
+	 */
+	imv_manager_t *imvs;
+
 	/**
 	 * TNCCS manager to maintain registered TNCCS protocols
 	 */
@@ -286,7 +298,7 @@ struct daemon_t {
 	/**
 	 * Initialize the daemon.
 	 */
-	bool (*initialize)(daemon_t *this, bool syslog, level_t levels[]);
+	bool (*initialize)(daemon_t *this);
 
 	/**
 	 * Starts the daemon, i.e. spawns the threads of the thread pool.
@@ -305,6 +317,9 @@ extern daemon_t *charon;
 /**
  * Initialize libcharon and create the "charon" instance of daemon_t.
  *
+ * This function initializes the bus, listeners can be registered before
+ * calling initialize().
+ *
  * @return		FALSE if integrity check failed
  */
 bool libcharon_init();
diff --git a/src/libcharon/encoding/generator.c b/src/libcharon/encoding/generator.c
index 224f76fce..ce3844361 100644
--- a/src/libcharon/encoding/generator.c
+++ b/src/libcharon/encoding/generator.c
@@ -41,6 +41,7 @@
 #include <encoding/payloads/cp_payload.h>
 #include <encoding/payloads/configuration_attribute.h>
 #include <encoding/payloads/eap_payload.h>
+#include <encoding/payloads/unknown_payload.h>
 
 /**
  * Generating is done in a data buffer.
@@ -89,20 +90,10 @@ struct private_generator_t {
 	 */
 	void *data_struct;
 
-	/*
-	 * Last payload length position offset in the buffer.
-	 */
-	u_int32_t last_payload_length_position_offset;
-
 	/**
 	 * Offset of the header length field in the buffer.
 	 */
-	u_int32_t header_length_position_offset;
-
-	/**
-	 * Last SPI size.
-	 */
-	u_int8_t last_spi_size;
+	u_int32_t header_length_offset;
 
 	/**
 	 * Attribute format of the last generated transform attribute.
@@ -192,33 +183,6 @@ static void write_bytes_to_buffer(private_generator_t *this, void *bytes,
 	}
 }
 
-/**
- * Writes a specific amount of byte into the buffer at a specific offset.
- */
-static void write_bytes_to_buffer_at_offset(private_generator_t *this,
-						void *bytes, int number_of_bytes, u_int32_t offset)
-{
-	int i;
-	u_int8_t *read_position = (u_int8_t *)bytes;
-	u_int8_t *write_position;
-	u_int32_t free_space_after_offset = get_size(this) - offset;
-
-	/* check first if enough space for new data is available */
-	if (number_of_bytes > free_space_after_offset)
-	{
-		make_space_available(this,
-							 (number_of_bytes - free_space_after_offset) * 8);
-	}
-
-	write_position = this->buffer + offset;
-	for (i = 0; i < number_of_bytes; i++)
-	{
-		*write_position = *read_position;
-		read_position++;
-		write_position++;
-	}
-}
-
 /**
  * Generates a U_INT-Field type and writes it to buffer.
  */
@@ -234,10 +198,13 @@ static void generate_u_int_type(private_generator_t *this,
 			number_of_bits = 4;
 			break;
 		case TS_TYPE:
+		case RESERVED_BYTE:
+		case SPI_SIZE:
 		case U_INT_8:
 			number_of_bits = 8;
 			break;
 		case U_INT_16:
+		case PAYLOAD_LENGTH:
 		case CONFIGURATION_ATTRIBUTE_LENGTH:
 			number_of_bits = 16;
 			break;
@@ -301,6 +268,8 @@ static void generate_u_int_type(private_generator_t *this,
 			break;
 		}
 		case TS_TYPE:
+		case RESERVED_BYTE:
+		case SPI_SIZE:
 		case U_INT_8:
 		{
 			/* 8 bit values are written as they are */
@@ -338,6 +307,7 @@ static void generate_u_int_type(private_generator_t *this,
 
 		}
 		case U_INT_16:
+		case PAYLOAD_LENGTH:
 		case CONFIGURATION_ATTRIBUTE_LENGTH:
 		{
 			u_int16_t val = htons(*((u_int16_t*)(this->data_struct + offset)));
@@ -370,49 +340,6 @@ static void generate_u_int_type(private_generator_t *this,
 	}
 }
 
-/**
- * Generate a reserved bit or byte
- */
-static void generate_reserved_field(private_generator_t *this, int bits)
-{
-	/* only one bit or 8 bit fields are supported */
-	if (bits != 1 && bits != 8)
-	{
-		DBG1(DBG_ENC, "reserved field of %d bits cannot be generated", bits);
-		return ;
-	}
-	make_space_available(this, bits);
-
-	if (bits == 1)
-	{
-		u_int8_t reserved_bit = ~(1 << (7 - this->current_bit));
-
-		*(this->out_position) = *(this->out_position) & reserved_bit;
-		if (this->current_bit == 0)
-		{
-			/* memory must be zero */
-			*(this->out_position) = 0x00;
-		}
-		this->current_bit++;
-		if (this->current_bit >= 8)
-		{
-			this->current_bit = this->current_bit % 8;
-			this->out_position++;
-		}
-	}
-	else
-	{
-		if (this->current_bit > 0)
-		{
-			DBG1(DBG_ENC, "reserved field cannot be written cause "
-				 "alignement of current bit is %d", this->current_bit);
-			return;
-		}
-		*(this->out_position) = 0x00;
-		this->out_position++;
-	}
-}
-
 /**
  * Generate a FLAG filed
  */
@@ -468,7 +395,7 @@ METHOD(generator_t, get_chunk, chunk_t,
 {
 	chunk_t data;
 
-	*lenpos = (u_int32_t*)(this->buffer + this->header_length_position_offset);
+	*lenpos = (u_int32_t*)(this->buffer + this->header_length_offset);
 	data = chunk_create(this->buffer, get_length(this));
 	DBG3(DBG_ENC, "generated data of this generator %B", &data);
 	return data;
@@ -484,8 +411,6 @@ METHOD(generator_t, generate_payload, void,
 
 	this->data_struct = payload;
 	payload_type = payload->get_type(payload);
-	/* spi size has to get reseted */
-	this->last_spi_size = 0;
 
 	offset_start = this->out_position - this->buffer;
 
@@ -505,56 +430,25 @@ METHOD(generator_t, generate_payload, void,
 			case U_INT_8:
 			case U_INT_16:
 			case U_INT_32:
+			case PAYLOAD_LENGTH:
 			case IKE_SPI:
+			case RESERVED_BYTE:
+			case SPI_SIZE:
 			case TS_TYPE:
 			case ATTRIBUTE_TYPE:
 			case CONFIGURATION_ATTRIBUTE_LENGTH:
-			{
 				generate_u_int_type(this, rules[i].type, rules[i].offset);
 				break;
-			}
 			case RESERVED_BIT:
-			{
-				generate_reserved_field(this, 1);
-				break;
-			}
-			case RESERVED_BYTE:
-			{
-				generate_reserved_field(this, 8);
-				break;
-			}
 			case FLAG:
-			{
 				generate_flag(this, rules[i].offset);
 				break;
-			}
-			case PAYLOAD_LENGTH:
-			{
-				this->last_payload_length_position_offset = get_offset(this);
-				generate_u_int_type(this, U_INT_16,rules[i].offset);
-				break;
-			}
 			case HEADER_LENGTH:
-			{
-				this->header_length_position_offset = get_offset(this);
-				generate_u_int_type(this ,U_INT_32, rules[i].offset);
-				break;
-			}
-			case SPI_SIZE:
-				generate_u_int_type(this, U_INT_8, rules[i].offset);
-				this->last_spi_size = *((u_int8_t *)(this->data_struct +
-													 rules[i].offset));
+				this->header_length_offset = get_offset(this);
+				generate_u_int_type(this, U_INT_32, rules[i].offset);
 				break;
 			case ADDRESS:
-			{
-				generate_from_chunk(this, rules[i].offset);
-				break;
-			}
 			case SPI:
-			{
-				generate_from_chunk(this, rules[i].offset);
-				break;
-			}
 			case KEY_EXCHANGE_DATA:
 			case NOTIFICATION_DATA:
 			case NONCE_DATA:
@@ -566,221 +460,52 @@ METHOD(generator_t, generate_payload, void,
 			case CONFIGURATION_ATTRIBUTE_VALUE:
 			case VID_DATA:
 			case EAP_DATA:
-			{
-				u_int32_t payload_length_position_offset;
-				u_int16_t length_of_payload;
-				u_int16_t header_length = 0;
-				u_int16_t length_in_network_order;
-
-				switch(rules[i].type)
-				{
-					case KEY_EXCHANGE_DATA:
-						header_length = KE_PAYLOAD_HEADER_LENGTH;
-						break;
-					case NOTIFICATION_DATA:
-						header_length = NOTIFY_PAYLOAD_HEADER_LENGTH +
-														this->last_spi_size;
-						break;
-					case NONCE_DATA:
-						header_length = NONCE_PAYLOAD_HEADER_LENGTH;
-						break;
-					case ID_DATA:
-						header_length = ID_PAYLOAD_HEADER_LENGTH;
-						break;
-					case AUTH_DATA:
-						header_length = AUTH_PAYLOAD_HEADER_LENGTH;
-						break;
-					case CERT_DATA:
-						header_length = CERT_PAYLOAD_HEADER_LENGTH;
-						break;
-					case CERTREQ_DATA:
-						header_length = CERTREQ_PAYLOAD_HEADER_LENGTH;
-						break;
-					case SPIS:
-						header_length = DELETE_PAYLOAD_HEADER_LENGTH;
-						break;
-					case VID_DATA:
-						header_length = VENDOR_ID_PAYLOAD_HEADER_LENGTH;
-						break;
-					case CONFIGURATION_ATTRIBUTE_VALUE:
-						header_length = CONFIGURATION_ATTRIBUTE_HEADER_LENGTH;
-						break;
-					case EAP_DATA:
-						header_length = EAP_PAYLOAD_HEADER_LENGTH;
-						break;
-					default:
-						break;
-				}
+			case ENCRYPTED_DATA:
+			case UNKNOWN_DATA:
 				generate_from_chunk(this, rules[i].offset);
-
-				payload_length_position_offset =
-									this->last_payload_length_position_offset;
-
-				length_of_payload = header_length +
-						((chunk_t *)(this->data_struct + rules[i].offset))->len;
-
-				length_in_network_order = htons(length_of_payload);
-				write_bytes_to_buffer_at_offset(this, &length_in_network_order,
-							sizeof(u_int16_t), payload_length_position_offset);
 				break;
-			}
 			case PROPOSALS:
-			{
-				u_int32_t payload_length_position_offset =
-									this->last_payload_length_position_offset;
-				/* Length of SA_PAYLOAD is calculated */
-				u_int16_t length_of_sa_payload = SA_PAYLOAD_HEADER_LENGTH;
-				u_int16_t int16_val;
-				linked_list_t *proposals = *((linked_list_t **)
-										(this->data_struct + rules[i].offset));
-				iterator_t *iterator;
-				payload_t *current_proposal;
-
-				iterator = proposals->create_iterator(proposals,TRUE);
-				while (iterator->iterate(iterator, (void**)&current_proposal))
-				{
-					u_int32_t before_generate_position_offset;
-					u_int32_t after_generate_position_offset;
-
-					before_generate_position_offset = get_offset(this);
-					generate_payload(this, current_proposal);
-					after_generate_position_offset = get_offset(this);
-					length_of_sa_payload += (after_generate_position_offset -
-											 before_generate_position_offset);
-				}
-				iterator->destroy(iterator);
-
-				int16_val = htons(length_of_sa_payload);
-				write_bytes_to_buffer_at_offset(this, &int16_val,
-							sizeof(u_int16_t),payload_length_position_offset);
-				break;
-			}
 			case TRANSFORMS:
-			{
-				u_int32_t payload_length_position_offset =
-									this->last_payload_length_position_offset;
-				u_int16_t length_of_proposal =
-					PROPOSAL_SUBSTRUCTURE_HEADER_LENGTH + this->last_spi_size;
-				u_int16_t int16_val;
-				linked_list_t *transforms = *((linked_list_t **)
-										(this->data_struct + rules[i].offset));
-				iterator_t *iterator;
-				payload_t *current_transform;
-
-				iterator = transforms->create_iterator(transforms,TRUE);
-				while (iterator->iterate(iterator, (void**)&current_transform))
-				{
-					u_int32_t before_generate_position_offset;
-					u_int32_t after_generate_position_offset;
-
-					before_generate_position_offset = get_offset(this);
-					generate_payload(this, current_transform);
-					after_generate_position_offset = get_offset(this);
-
-					length_of_proposal += (after_generate_position_offset -
-										   before_generate_position_offset);
-				}
-				iterator->destroy(iterator);
-
-				int16_val = htons(length_of_proposal);
-				write_bytes_to_buffer_at_offset(this, &int16_val,
-							sizeof(u_int16_t), payload_length_position_offset);
-				break;
-			}
 			case TRANSFORM_ATTRIBUTES:
-			{
-				u_int32_t transform_length_position_offset =
-									this->last_payload_length_position_offset;
-				u_int16_t length_of_transform =
-									TRANSFORM_SUBSTRUCTURE_HEADER_LENGTH;
-				u_int16_t int16_val;
-				linked_list_t *transform_attributes =*((linked_list_t **)
-									(this->data_struct + rules[i].offset));
-				iterator_t *iterator;
-				payload_t *current_attribute;
-
-				iterator = transform_attributes->create_iterator(
-													transform_attributes, TRUE);
-				while (iterator->iterate(iterator, (void**)&current_attribute))
-				{
-					u_int32_t before_generate_position_offset;
-					u_int32_t after_generate_position_offset;
-
-					before_generate_position_offset = get_offset(this);
-					generate_payload(this, current_attribute);
-					after_generate_position_offset = get_offset(this);
-
-					length_of_transform += (after_generate_position_offset -
-											before_generate_position_offset);
-				}
-
-				iterator->destroy(iterator);
-
-				int16_val = htons(length_of_transform);
-				write_bytes_to_buffer_at_offset(this, &int16_val,
-							sizeof(u_int16_t),transform_length_position_offset);
-				break;
-			}
 			case CONFIGURATION_ATTRIBUTES:
+			case TRAFFIC_SELECTORS:
 			{
-				u_int32_t configurations_length_position_offset =
-									this->last_payload_length_position_offset;
-				u_int16_t length_of_configurations = CP_PAYLOAD_HEADER_LENGTH;
-				u_int16_t int16_val;
-				linked_list_t *configuration_attributes = *((linked_list_t **)
-										(this->data_struct + rules[i].offset));
-				iterator_t *iterator;
-				payload_t *current_attribute;
+				linked_list_t *proposals;
+				enumerator_t *enumerator;
+				payload_t *proposal;
 
-				iterator = configuration_attributes->create_iterator(
-												configuration_attributes,TRUE);
-				while (iterator->iterate(iterator, (void**)&current_attribute))
+				proposals = *((linked_list_t **)
+										(this->data_struct + rules[i].offset));
+				enumerator = proposals->create_enumerator(proposals);
+				while (enumerator->enumerate(enumerator, &proposal))
 				{
-					u_int32_t before_generate_position_offset;
-					u_int32_t after_generate_position_offset;
-
-					before_generate_position_offset = get_offset(this);
-					generate_payload(this, current_attribute);
-					after_generate_position_offset = get_offset(this);
-
-					length_of_configurations += after_generate_position_offset -
-											before_generate_position_offset;
+					generate_payload(this, proposal);
 				}
-
-				iterator->destroy(iterator);
-
-				int16_val = htons(length_of_configurations);
-				write_bytes_to_buffer_at_offset(this, &int16_val,
-					 sizeof(u_int16_t),configurations_length_position_offset);
+				enumerator->destroy(enumerator);
 				break;
 			}
 			case ATTRIBUTE_FORMAT:
-			{
 				generate_flag(this, rules[i].offset);
 				/* Attribute format is a flag which is stored in context*/
 				this->attribute_format =
 							*((bool *)(this->data_struct + rules[i].offset));
 				break;
-			}
-
 			case ATTRIBUTE_LENGTH_OR_VALUE:
-			{
-				if (this->attribute_format == FALSE)
+				if (this->attribute_format)
 				{
 					generate_u_int_type(this, U_INT_16, rules[i].offset);
-					/* this field hold the length of the attribute */
-					this->attribute_length =
-						*((u_int16_t *)(this->data_struct + rules[i].offset));
 				}
 				else
 				{
 					generate_u_int_type(this, U_INT_16, rules[i].offset);
+					/* this field hold the length of the attribute */
+					this->attribute_length =
+						*((u_int16_t *)(this->data_struct + rules[i].offset));
 				}
 				break;
-			}
 			case ATTRIBUTE_VALUE:
 			{
-				if (this->attribute_format == FALSE)
+				if (!this->attribute_format)
 				{
 					DBG2(DBG_ENC, "attribute value has not fixed size");
 					/* the attribute value is generated */
@@ -788,44 +513,6 @@ METHOD(generator_t, generate_payload, void,
 				}
 				break;
 			}
-			case TRAFFIC_SELECTORS:
-			{
-				u_int32_t payload_length_position_offset =
-									this->last_payload_length_position_offset;
-				u_int16_t length_of_ts_payload = TS_PAYLOAD_HEADER_LENGTH;
-				u_int16_t int16_val;
-				linked_list_t *traffic_selectors = *((linked_list_t **)
-										(this->data_struct + rules[i].offset));
-				iterator_t *iterator;
-				payload_t *current_tss;
-
-				iterator = traffic_selectors->create_iterator(
-													traffic_selectors,TRUE);
-				while (iterator->iterate(iterator, (void **)&current_tss))
-				{
-					u_int32_t before_generate_position_offset;
-					u_int32_t after_generate_position_offset;
-
-					before_generate_position_offset = get_offset(this);
-					generate_payload(this, current_tss);
-					after_generate_position_offset = get_offset(this);
-
-					length_of_ts_payload += (after_generate_position_offset -
-											 before_generate_position_offset);
-				}
-				iterator->destroy(iterator);
-
-				int16_val = htons(length_of_ts_payload);
-				write_bytes_to_buffer_at_offset(this, &int16_val,
-							sizeof(u_int16_t),payload_length_position_offset);
-				break;
-			}
-
-			case ENCRYPTED_DATA:
-			{
-				generate_from_chunk(this, rules[i].offset);
-				break;
-			}
 			default:
 				DBG1(DBG_ENC, "field type %N is not supported",
 					 encoding_type_names, rules[i].type);
diff --git a/src/libcharon/encoding/message.c b/src/libcharon/encoding/message.c
index d41ad4697..dbef340ab 100644
--- a/src/libcharon/encoding/message.c
+++ b/src/libcharon/encoding/message.c
@@ -131,6 +131,7 @@ static payload_rule_t ike_sa_init_r_rules[] = {
 	{SECURITY_ASSOCIATION,			1,	1,						FALSE,	FALSE},
 	{KEY_EXCHANGE,					1,	1,						FALSE,	FALSE},
 	{NONCE,							1,	1,						FALSE,	FALSE},
+	{CERTIFICATE_REQUEST,			1,	1,						FALSE,	FALSE},
 	{VENDOR_ID,						0,	10,						FALSE,	FALSE},
 };
 
@@ -489,6 +490,21 @@ struct private_message_t {
 	 */
 	bool is_request;
 
+	/**
+	 * Higher version supported?
+	 */
+	bool version_flag;
+
+	/**
+	 * Reserved bits in IKE header
+	 */
+	bool reserved[5];
+
+	/**
+	 * Sorting of message disabled?
+	 */
+	bool sort_disabled;
+
 	/**
 	 * Message ID of this message.
 	 */
@@ -647,18 +663,35 @@ METHOD(message_t, get_request, bool,
 	return this->is_request;
 }
 
-/**
- * Is this message in an encoded form?
- */
-static bool is_encoded(private_message_t *this)
+METHOD(message_t, set_version_flag, void,
+	private_message_t *this)
 {
-	chunk_t data = this->packet->get_data(this->packet);
+	this->version_flag = TRUE;
+}
 
-	if (data.ptr == NULL)
+METHOD(message_t, get_reserved_header_bit, bool,
+	private_message_t *this, u_int nr)
+{
+	if (nr < countof(this->reserved))
 	{
-		return FALSE;
+		return this->reserved[nr];
 	}
-	return TRUE;
+	return FALSE;
+}
+
+METHOD(message_t, set_reserved_header_bit, void,
+	private_message_t *this, u_int nr)
+{
+	if (nr < countof(this->reserved))
+	{
+		this->reserved[nr] = TRUE;
+	}
+}
+
+METHOD(message_t, is_encoded, bool,
+	private_message_t *this)
+{
+	return this->packet->get_data(this->packet).ptr != NULL;
 }
 
 METHOD(message_t, add_payload, void,
@@ -732,6 +765,12 @@ METHOD(message_t, create_payload_enumerator, enumerator_t*,
 	return this->payloads->create_enumerator(this->payloads);
 }
 
+METHOD(message_t, remove_payload_at, void,
+	private_message_t *this, enumerator_t *enumerator)
+{
+	this->payloads->remove_at(this->payloads, enumerator);
+}
+
 METHOD(message_t, get_payload, payload_t*,
 	private_message_t *this, payload_type_t type)
 {
@@ -1001,6 +1040,12 @@ static encryption_payload_t* wrap_payloads(private_message_t *this)
 	return encryption;
 }
 
+METHOD(message_t, disable_sort, void,
+	private_message_t *this)
+{
+	this->sort_disabled = TRUE;
+}
+
 METHOD(message_t, generate, status_t,
 	private_message_t *this, aead_t *aead, packet_t **packet)
 {
@@ -1012,12 +1057,8 @@ METHOD(message_t, generate, status_t,
 	chunk_t chunk;
 	char str[256];
 	u_int32_t *lenpos;
-
-	if (is_encoded(this))
-	{	/* already generated, return a new packet clone */
-		*packet = this->packet->clone(this->packet);
-		return SUCCESS;
-	}
+	bool *reserved;
+	int i;
 
 	if (this->exchange_type == EXCHANGE_TYPE_UNDEFINED)
 	{
@@ -1039,7 +1080,10 @@ METHOD(message_t, generate, status_t,
 		return NOT_SUPPORTED;
 	}
 
-	order_payloads(this);
+	if (!this->sort_disabled)
+	{
+		order_payloads(this);
+	}
 
 	DBG1(DBG_ENC, "generating %s", get_string(this, str, sizeof(str)));
 
@@ -1053,9 +1097,12 @@ METHOD(message_t, generate, status_t,
 	}
 
 	ike_header = ike_header_create();
+	ike_header->set_maj_version(ike_header, this->major_version);
+	ike_header->set_min_version(ike_header, this->minor_version);
 	ike_header->set_exchange_type(ike_header, this->exchange_type);
 	ike_header->set_message_id(ike_header, this->message_id);
 	ike_header->set_response_flag(ike_header, !this->is_request);
+	ike_header->set_version_flag(ike_header, this->version_flag);
 	ike_header->set_initiator_flag(ike_header,
 						this->ike_sa_id->is_initiator(this->ike_sa_id));
 	ike_header->set_initiator_spi(ike_header,
@@ -1063,6 +1110,16 @@ METHOD(message_t, generate, status_t,
 	ike_header->set_responder_spi(ike_header,
 						this->ike_sa_id->get_responder_spi(this->ike_sa_id));
 
+	for (i = 0; i < countof(this->reserved); i++)
+	{
+		reserved = payload_get_field(&ike_header->payload_interface,
+									 RESERVED_BIT, i);
+		if (reserved)
+		{
+			*reserved = this->reserved[i];
+		}
+	}
+
 	generator = generator_create();
 
 	/* generate all payloads with proper next type */
@@ -1131,6 +1188,8 @@ METHOD(message_t, parse_header, status_t,
 {
 	ike_header_t *ike_header;
 	status_t status;
+	bool *reserved;
+	int i;
 
 	DBG2(DBG_ENC, "parsing header of message");
 
@@ -1165,7 +1224,15 @@ METHOD(message_t, parse_header, status_t,
 	this->minor_version = ike_header->get_min_version(ike_header);
 	this->first_payload = ike_header->payload_interface.get_next_type(
 												&ike_header->payload_interface);
-
+	for (i = 0; i < countof(this->reserved); i++)
+	{
+		reserved = payload_get_field(&ike_header->payload_interface,
+									 RESERVED_BIT, i);
+		if (reserved)
+		{
+			this->reserved[i] = *reserved;
+		}
+	}
 	DBG2(DBG_ENC, "parsed a %N %s", exchange_type_names, this->exchange_type,
 		 this->is_request ? "request" : "response");
 
@@ -1181,6 +1248,31 @@ METHOD(message_t, parse_header, status_t,
 	return status;
 }
 
+/**
+ * Check if a payload is for a mediation extension connectivity check
+ */
+static bool is_connectivity_check(private_message_t *this, payload_t *payload)
+{
+#ifdef ME
+	if (this->exchange_type == INFORMATIONAL &&
+		payload->get_type(payload) == NOTIFY)
+	{
+		notify_payload_t *notify = (notify_payload_t*)payload;
+
+		switch (notify->get_notify_type(notify))
+		{
+			case ME_CONNECTID:
+			case ME_ENDPOINT:
+			case ME_CONNECTAUTH:
+				return TRUE;
+			default:
+				break;
+		}
+	}
+#endif /* !ME */
+	return FALSE;
+}
+
 /**
  * Decrypt payload from the encryption payload
  */
@@ -1252,14 +1344,15 @@ static status_t decrypt_payloads(private_message_t *this, aead_t *aead)
 			}
 			encryption->destroy(encryption);
 		}
-		if (type != UNKNOWN_PAYLOAD && !was_encrypted)
+		if (payload_is_known(type) && !was_encrypted &&
+			!is_connectivity_check(this, payload))
 		{
 			rule = get_payload_rule(this, type);
 			if (!rule || rule->encrypted)
 			{
 				DBG1(DBG_ENC, "payload type %N was not encrypted",
 					 payload_type_names, type);
-				status = VERIFY_ERROR;
+				status = FAILED;
 				break;
 			}
 		}
@@ -1274,6 +1367,7 @@ static status_t decrypt_payloads(private_message_t *this, aead_t *aead)
  */
 static status_t verify(private_message_t *this)
 {
+	bool complete = FALSE;
 	int i;
 
 	DBG2(DBG_ENC, "verifying message structure");
@@ -1291,22 +1385,9 @@ static status_t verify(private_message_t *this)
 		while (enumerator->enumerate(enumerator, &payload))
 		{
 			payload_type_t type;
-			unknown_payload_t *unknown;
 
 			type = payload->get_type(payload);
-			if (type == UNKNOWN_PAYLOAD)
-			{
-				/* unknown payloads are ignored if they are not critical */
-				unknown = (unknown_payload_t*)payload;
-				if (unknown->is_critical(unknown))
-				{
-					DBG1(DBG_ENC, "%N is not supported, but its critical!",
-						 payload_type_names, type);
-					enumerator->destroy(enumerator);
-					return NOT_SUPPORTED;
-				}
-			}
-			else if (type == rule->type)
+			if (type == rule->type)
 			{
 				found++;
 				DBG2(DBG_ENC, "found payload of type %N",
@@ -1323,15 +1404,15 @@ static status_t verify(private_message_t *this)
 		}
 		enumerator->destroy(enumerator);
 
-		if (found < rule->min_occurence)
+		if (!complete && found < rule->min_occurence)
 		{
 			DBG1(DBG_ENC, "payload of type %N not occured %d times (%d)",
 				 payload_type_names, rule->type, rule->min_occurence, found);
 			return VERIFY_ERROR;
 		}
-		if (rule->sufficient)
+		if (found && rule->sufficient)
 		{
-			return SUCCESS;
+			complete = TRUE;
 		}
 	}
 	return SUCCESS;
@@ -1360,7 +1441,7 @@ METHOD(message_t, parse_body, status_t,
 		{
 			DBG1(DBG_ENC, "payload type %N could not be parsed",
 				 payload_type_names, type);
-			return PARSE_ERROR;
+			return this->exchange_type == IKE_SA_INIT ? PARSE_ERROR : FAILED;
 		}
 
 		DBG2(DBG_ENC, "verifying payload of type %N", payload_type_names, type);
@@ -1370,7 +1451,7 @@ METHOD(message_t, parse_body, status_t,
 			DBG1(DBG_ENC, "%N payload verification failed",
 				 payload_type_names, type);
 			payload->destroy(payload);
-			return VERIFY_ERROR;
+			return this->exchange_type == IKE_SA_INIT ? VERIFY_ERROR : FAILED;
 		}
 
 		DBG2(DBG_ENC, "%N payload verified. Adding to payload list",
@@ -1388,14 +1469,11 @@ METHOD(message_t, parse_body, status_t,
 		type = payload->get_next_type(payload);
 	}
 
-	if (type == ENCRYPTED)
+	status = decrypt_payloads(this, aead);
+	if (status != SUCCESS)
 	{
-		status = decrypt_payloads(this, aead);
-		if (status != SUCCESS)
-		{
-			DBG1(DBG_ENC, "could not decrypt payloads");
-			return status;
-		}
+		DBG1(DBG_ENC, "could not decrypt payloads");
+		return status;
 	}
 
 	status = verify(this);
@@ -1443,14 +1521,20 @@ message_t *message_create_from_packet(packet_t *packet)
 			.get_first_payload_type = _get_first_payload_type,
 			.set_request = _set_request,
 			.get_request = _get_request,
+			.set_version_flag = _set_version_flag,
+			.get_reserved_header_bit = _get_reserved_header_bit,
+			.set_reserved_header_bit = _set_reserved_header_bit,
 			.add_payload = _add_payload,
 			.add_notify = _add_notify,
+			.disable_sort = _disable_sort,
 			.generate = _generate,
+			.is_encoded = _is_encoded,
 			.set_source = _set_source,
 			.get_source = _get_source,
 			.set_destination = _set_destination,
 			.get_destination = _get_destination,
 			.create_payload_enumerator = _create_payload_enumerator,
+			.remove_payload_at = _remove_payload_at,
 			.get_payload = _get_payload,
 			.get_notify = _get_notify,
 			.parse_header = _parse_header,
@@ -1459,6 +1543,8 @@ message_t *message_create_from_packet(packet_t *packet)
 			.get_packet_data = _get_packet_data,
 			.destroy = _destroy,
 		},
+		.major_version = IKE_MAJOR_VERSION,
+		.minor_version = IKE_MINOR_VERSION,
 		.exchange_type = EXCHANGE_TYPE_UNDEFINED,
 		.is_request = TRUE,
 		.first_payload = NO_PAYLOAD,
diff --git a/src/libcharon/encoding/message.h b/src/libcharon/encoding/message.h
index 8c1cbcd09..51197308c 100644
--- a/src/libcharon/encoding/message.h
+++ b/src/libcharon/encoding/message.h
@@ -153,6 +153,26 @@ struct message_t {
 	 */
 	bool (*get_request) (message_t *this);
 
+	/**
+	 * Set the version flag in the IKE header.
+	 */
+	void (*set_version_flag)(message_t *this);
+
+	/**
+	 * Get a reserved bit in the IKE header.
+	 *
+	 * @param nr			reserved bit to get in IKE header, 0-4
+	 * @return				TRUE if bit is set
+	 */
+	bool (*get_reserved_header_bit)(message_t *this, u_int nr);
+
+	/**
+	 * Set a reserved bit in the IKE header.
+	 *
+	 * @param nr			reserved bit to set in IKE header, 0-4
+	 */
+	void (*set_reserved_header_bit)(message_t *this, u_int nr);
+
 	/**
 	 * Append a payload to the message.
 	 *
@@ -180,6 +200,11 @@ struct message_t {
 	void (*add_notify) (message_t *this, bool flush, notify_type_t type,
 						chunk_t data);
 
+	/**
+	 * Disable automatic payload sorting for this message.
+	 */
+	void (*disable_sort)(message_t *this);
+
 	/**
 	 * Parses header of message.
 	 *
@@ -206,8 +231,6 @@ struct message_t {
 	 * @param aead		aead transform to verify/decrypt message
 	 * @return
 	 * 					- SUCCESS if parsing successful
-	 * 					- NOT_SUPPORTED if ciritcal unknown payloads found
-	 * 					- NOT_SUPPORTED if message type is not supported!
 	 *					- PARSE_ERROR if message parsing failed
 	 * 					- VERIFY_ERROR if message verification failed (bad syntax)
 	 * 					- FAILED if integrity check failed
@@ -234,6 +257,13 @@ struct message_t {
 	 */
 	status_t (*generate) (message_t *this, aead_t *aead, packet_t **packet);
 
+	/**
+	 * Check if the message has already been encoded using generate().
+	 *
+	 * @return			TRUE if message has been encoded
+	 */
+	bool (*is_encoded)(message_t *this);
+
 	/**
 	 * Gets the source host informations.
 	 *
@@ -281,6 +311,13 @@ struct message_t {
 	 */
 	enumerator_t * (*create_payload_enumerator) (message_t *this);
 
+	/**
+	 * Remove the payload at the current enumerator position.
+	 *
+	 * @param enumerator	enumerator created by create_payload_enumerator()
+	 */
+	void (*remove_payload_at)(message_t *this, enumerator_t *enumerator);
+
 	/**
 	 * Find a payload of a specific type.
 	 *
diff --git a/src/libcharon/encoding/parser.c b/src/libcharon/encoding/parser.c
index 9aa34b1bc..32cefb9e7 100644
--- a/src/libcharon/encoding/parser.c
+++ b/src/libcharon/encoding/parser.c
@@ -387,12 +387,6 @@ static status_t parse_payload(private_parser_t *this,
 	DBG3(DBG_ENC, "parsing payload from %b",
 		 this->byte_pos, this->input_roof - this->byte_pos);
 
-	if (pld->get_type(pld) == UNKNOWN_PAYLOAD)
-	{
-		DBG1(DBG_ENC, "  payload type %d is unknown, handling as %N",
-			 payload_type, payload_type_names, UNKNOWN_PAYLOAD);
-	}
-
 	/* base pointer for output, avoids casting in every rule */
 	output = pld;
 
@@ -415,6 +409,7 @@ static status_t parse_payload(private_parser_t *this,
 				break;
 			}
 			case U_INT_8:
+			case RESERVED_BYTE:
 			{
 				if (!parse_uint8(this, rule_number, output + rule->offset))
 				{
@@ -433,6 +428,7 @@ static status_t parse_payload(private_parser_t *this,
 				break;
 			}
 			case U_INT_32:
+			case HEADER_LENGTH:
 			{
 				if (!parse_uint32(this, rule_number, output + rule->offset))
 				{
@@ -451,23 +447,6 @@ static status_t parse_payload(private_parser_t *this,
 				break;
 			}
 			case RESERVED_BIT:
-			{
-				if (!parse_bit(this, rule_number, NULL))
-				{
-					pld->destroy(pld);
-					return PARSE_ERROR;
-				}
-				break;
-			}
-			case RESERVED_BYTE:
-			{
-				if (!parse_uint8(this, rule_number, NULL))
-				{
-					pld->destroy(pld);
-					return PARSE_ERROR;
-				}
-				break;
-			}
 			case FLAG:
 			{
 				if (!parse_bit(this, rule_number, output + rule->offset))
@@ -493,15 +472,6 @@ static status_t parse_payload(private_parser_t *this,
 				}
 				break;
 			}
-			case HEADER_LENGTH:
-			{
-				if (!parse_uint32(this, rule_number, output + rule->offset))
-				{
-					pld->destroy(pld);
-					return PARSE_ERROR;
-				}
-				break;
-			}
 			case SPI_SIZE:
 			{
 				if (!parse_uint8(this, rule_number, output + rule->offset))
diff --git a/src/libcharon/encoding/payloads/auth_payload.c b/src/libcharon/encoding/payloads/auth_payload.c
index d31208abb..cb44a997c 100644
--- a/src/libcharon/encoding/payloads/auth_payload.c
+++ b/src/libcharon/encoding/payloads/auth_payload.c
@@ -1,5 +1,6 @@
 /*
- * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005-2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
  *
@@ -18,7 +19,6 @@
 
 #include <encoding/payloads/encodings.h>
 
-
 typedef struct private_auth_payload_t private_auth_payload_t;
 
 /**
@@ -42,6 +42,16 @@ struct private_auth_payload_t {
 	 */
 	bool critical;
 
+	/**
+	 * Reserved bits
+	 */
+	bool reserved_bit[7];
+
+	/**
+	 * Reserved bytes
+	 */
+	u_int8_t reserved_byte[3];
+
 	/**
 	 * Length of this payload.
 	 */
@@ -66,27 +76,27 @@ struct private_auth_payload_t {
  */
 encoding_rule_t auth_payload_encodings[] = {
 	/* 1 Byte next payload type, stored in the field next_payload */
-	{ U_INT_8,			offsetof(private_auth_payload_t, next_payload) 	},
+	{ U_INT_8,			offsetof(private_auth_payload_t, next_payload)		},
 	/* the critical bit */
-	{ FLAG,				offsetof(private_auth_payload_t, critical) 		},
-	/* 7 Bit reserved bits, nowhere stored */
-	{ RESERVED_BIT,		0 												},
-	{ RESERVED_BIT,		0 												},
-	{ RESERVED_BIT,		0 												},
-	{ RESERVED_BIT,		0 												},
-	{ RESERVED_BIT,		0 												},
-	{ RESERVED_BIT,		0 												},
-	{ RESERVED_BIT,		0 												},
+	{ FLAG,				offsetof(private_auth_payload_t, critical)			},
+	/* 7 Bit reserved bits */
+	{ RESERVED_BIT,		offsetof(private_auth_payload_t, reserved_bit[0])	},
+	{ RESERVED_BIT,		offsetof(private_auth_payload_t, reserved_bit[1])	},
+	{ RESERVED_BIT,		offsetof(private_auth_payload_t, reserved_bit[2])	},
+	{ RESERVED_BIT,		offsetof(private_auth_payload_t, reserved_bit[3])	},
+	{ RESERVED_BIT,		offsetof(private_auth_payload_t, reserved_bit[4])	},
+	{ RESERVED_BIT,		offsetof(private_auth_payload_t, reserved_bit[5])	},
+	{ RESERVED_BIT,		offsetof(private_auth_payload_t, reserved_bit[6])	},
 	/* Length of the whole payload*/
-	{ PAYLOAD_LENGTH,	offsetof(private_auth_payload_t, payload_length)},
+	{ PAYLOAD_LENGTH,	offsetof(private_auth_payload_t, payload_length)	},
 	/* 1 Byte AUTH type*/
-	{ U_INT_8,			offsetof(private_auth_payload_t, auth_method)	},
+	{ U_INT_8,			offsetof(private_auth_payload_t, auth_method)		},
 	/* 3 reserved bytes */
-	{ RESERVED_BYTE,	0 												},
-	{ RESERVED_BYTE,	0 												},
-	{ RESERVED_BYTE,	0 												},
+	{ RESERVED_BYTE,	offsetof(private_auth_payload_t, reserved_byte[0])	},
+	{ RESERVED_BYTE,	offsetof(private_auth_payload_t, reserved_byte[1])	},
+	{ RESERVED_BYTE,	offsetof(private_auth_payload_t, reserved_byte[2])	},
 	/* some auth data bytes, length is defined in PAYLOAD_LENGTH */
-	{ AUTH_DATA,		offsetof(private_auth_payload_t, auth_data) 	}
+	{ AUTH_DATA,		offsetof(private_auth_payload_t, auth_data)	}
 };
 
 /*
@@ -103,125 +113,73 @@ encoding_rule_t auth_payload_encodings[] = {
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 */
 
-/**
- * Implementation of payload_t.verify.
- */
-static status_t verify(private_auth_payload_t *this)
+METHOD(payload_t, verify, status_t,
+	private_auth_payload_t *this)
 {
-	if (this->auth_method == 0 ||
-		(this->auth_method >= 4 && this->auth_method <= 8) ||
-		(this->auth_method >= 12 && this->auth_method <= 200))
-	{
-		/* reserved IDs */
-		return FAILED;
-	}
 	return SUCCESS;
 }
 
-/**
- * Implementation of auth_payload_t.get_encoding_rules.
- */
-static void get_encoding_rules(private_auth_payload_t *this, encoding_rule_t **rules, size_t *rule_count)
+METHOD(payload_t, get_encoding_rules, void,
+	private_auth_payload_t *this, encoding_rule_t **rules, size_t *rule_count)
 {
 	*rules = auth_payload_encodings;
-	*rule_count = sizeof(auth_payload_encodings) / sizeof(encoding_rule_t);
+	*rule_count = countof(auth_payload_encodings);
 }
 
-/**
- * Implementation of payload_t.get_type.
- */
-static payload_type_t get_payload_type(private_auth_payload_t *this)
+METHOD(payload_t, get_type, payload_type_t,
+	private_auth_payload_t *this)
 {
 	return AUTHENTICATION;
 }
 
-/**
- * Implementation of payload_t.get_next_type.
- */
-static payload_type_t get_next_type(private_auth_payload_t *this)
+METHOD(payload_t, get_next_type, payload_type_t,
+	private_auth_payload_t *this)
 {
-	return (this->next_payload);
+	return this->next_payload;
 }
 
-/**
- * Implementation of payload_t.set_next_type.
- */
-static void set_next_type(private_auth_payload_t *this,payload_type_t type)
+METHOD(payload_t, set_next_type, void,
+	private_auth_payload_t *this, payload_type_t type)
 {
 	this->next_payload = type;
 }
 
-/**
- * Implementation of payload_t.get_length.
- */
-static size_t get_length(private_auth_payload_t *this)
+METHOD(payload_t, get_length, size_t,
+	private_auth_payload_t *this)
 {
 	return this->payload_length;
 }
 
-/**
- * Implementation of auth_payload_t.set_auth_method.
- */
-static void set_auth_method (private_auth_payload_t *this, auth_method_t method)
+METHOD(auth_payload_t, set_auth_method, void,
+	private_auth_payload_t *this, auth_method_t method)
 {
 	this->auth_method = method;
 }
 
-/**
- * Implementation of auth_payload_t.get_auth_method.
- */
-static auth_method_t get_auth_method (private_auth_payload_t *this)
+METHOD(auth_payload_t, get_auth_method, auth_method_t,
+	private_auth_payload_t *this)
 {
-	return (this->auth_method);
+	return this->auth_method;
 }
 
-/**
- * Implementation of auth_payload_t.set_data.
- */
-static void set_data (private_auth_payload_t *this, chunk_t data)
+METHOD(auth_payload_t, set_data, void,
+	private_auth_payload_t *this, chunk_t data)
 {
-	if (this->auth_data.ptr != NULL)
-	{
-		chunk_free(&(this->auth_data));
-	}
-	this->auth_data.ptr = clalloc(data.ptr,data.len);
-	this->auth_data.len = data.len;
+	free(this->auth_data.ptr);
+	this->auth_data = chunk_clone(data);
 	this->payload_length = AUTH_PAYLOAD_HEADER_LENGTH + this->auth_data.len;
 }
 
-/**
- * Implementation of auth_payload_t.get_data.
- */
-static chunk_t get_data (private_auth_payload_t *this)
+METHOD(auth_payload_t, get_data, chunk_t,
+	private_auth_payload_t *this)
 {
-	return (this->auth_data);
+	return this->auth_data;
 }
 
-/**
- * Implementation of auth_payload_t.get_data_clone.
- */
-static chunk_t get_data_clone (private_auth_payload_t *this)
+METHOD2(payload_t, auth_payload_t, destroy, void,
+	private_auth_payload_t *this)
 {
-	chunk_t cloned_data;
-	if (this->auth_data.ptr == NULL)
-	{
-		return (this->auth_data);
-	}
-	cloned_data.ptr = clalloc(this->auth_data.ptr,this->auth_data.len);
-	cloned_data.len = this->auth_data.len;
-	return cloned_data;
-}
-
-/**
- * Implementation of payload_t.destroy and auth_payload_t.destroy.
- */
-static void destroy(private_auth_payload_t *this)
-{
-	if (this->auth_data.ptr != NULL)
-	{
-		chunk_free(&(this->auth_data));
-	}
-
+	free(this->auth_data.ptr);
 	free(this);
 }
 
@@ -230,30 +188,27 @@ static void destroy(private_auth_payload_t *this)
  */
 auth_payload_t *auth_payload_create()
 {
-	private_auth_payload_t *this = malloc_thing(private_auth_payload_t);
-
-	/* interface functions */
-	this->public.payload_interface.verify = (status_t (*) (payload_t *))verify;
-	this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules;
-	this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length;
-	this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type;
-	this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
-	this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_payload_type;
-	this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
-
-	/* public functions */
-	this->public.destroy = (void (*) (auth_payload_t *)) destroy;
-	this->public.set_auth_method = (void (*) (auth_payload_t *,auth_method_t)) set_auth_method;
-	this->public.get_auth_method = (auth_method_t (*) (auth_payload_t *)) get_auth_method;
-	this->public.set_data = (void (*) (auth_payload_t *,chunk_t)) set_data;
-	this->public.get_data_clone = (chunk_t (*) (auth_payload_t *)) get_data_clone;
-	this->public.get_data = (chunk_t (*) (auth_payload_t *)) get_data;
-
-	/* private variables */
-	this->critical = FALSE;
-	this->next_payload = NO_PAYLOAD;
-	this->payload_length =AUTH_PAYLOAD_HEADER_LENGTH;
-	this->auth_data = chunk_empty;
-
-	return (&(this->public));
+	private_auth_payload_t *this;
+
+	INIT(this,
+		.public = {
+			.payload_interface = {
+				.verify = _verify,
+				.get_encoding_rules = _get_encoding_rules,
+				.get_length = _get_length,
+				.get_next_type = _get_next_type,
+				.set_next_type = _set_next_type,
+				.get_type = _get_type,
+				.destroy = _destroy,
+			},
+			.set_auth_method = _set_auth_method,
+			.get_auth_method = _get_auth_method,
+			.set_data = _set_data,
+			.get_data = _get_data,
+			.destroy = _destroy,
+		},
+		.next_payload = NO_PAYLOAD,
+		.payload_length = AUTH_PAYLOAD_HEADER_LENGTH,
+	);
+	return &this->public;
 }
diff --git a/src/libcharon/encoding/payloads/auth_payload.h b/src/libcharon/encoding/payloads/auth_payload.h
index 37ee149db..e4c4e6ae3 100644
--- a/src/libcharon/encoding/payloads/auth_payload.h
+++ b/src/libcharon/encoding/payloads/auth_payload.h
@@ -62,29 +62,31 @@ struct auth_payload_t {
 	/**
 	 * Set the AUTH data.
 	 *
-	 * Data gets cloned.
-	 *
-	 * @param data			AUTH data as chunk_t
+	 * @param data			AUTH data as chunk_t, gets cloned
 	 */
 	void (*set_data) (auth_payload_t *this, chunk_t data);
 
 	/**
 	 * Get the AUTH data.
 	 *
-	 * Returned data are a copy of the internal one.
-	 *
-	 * @return				AUTH data as chunk_t
+	 * @return				AUTH data as chunk_t, internal data
 	 */
-	chunk_t (*get_data_clone) (auth_payload_t *this);
+	chunk_t (*get_data) (auth_payload_t *this);
 
 	/**
-	 * Get the AUTH data.
+	 * Get the value of a reserved bit.
 	 *
-	 * Returned data are NOT copied
+	 * @param nr			number of the reserved bit, 0-6
+	 * @return				TRUE if bit was set, FALSE to clear
+	 */
+	bool (*get_reserved_bit)(auth_payload_t *this, u_int nr);
+
+	/**
+	 * Set one of the reserved bits.
 	 *
-	 * @return				AUTH data as chunk_t
+	 * @param nr			number of the reserved bit, 0-6
 	 */
-	chunk_t (*get_data) (auth_payload_t *this);
+	void (*set_reserved_bit)(auth_payload_t *this, u_int nr);
 
 	/**
 	 * Destroys an auth_payload_t object.
diff --git a/src/libcharon/encoding/payloads/cert_payload.c b/src/libcharon/encoding/payloads/cert_payload.c
index 80239f654..c42cec680 100644
--- a/src/libcharon/encoding/payloads/cert_payload.c
+++ b/src/libcharon/encoding/payloads/cert_payload.c
@@ -1,6 +1,7 @@
 /*
  * Copyright (C) 2008 Tobias Brunner
- * Copyright (C) 2005-2007 Martin Willi
+ * Copyright (C) 2005-2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
  *
@@ -43,9 +44,9 @@ typedef struct private_cert_payload_t private_cert_payload_t;
 
 /**
  * Private data of an cert_payload_t object.
- *
  */
 struct private_cert_payload_t {
+
 	/**
 	 * Public cert_payload_t interface.
 	 */
@@ -61,6 +62,11 @@ struct private_cert_payload_t {
 	 */
 	bool critical;
 
+	/**
+	 * reserved bits
+	 */
+	bool reserved[7];
+
 	/**
 	 * Length of this payload.
 	 */
@@ -91,23 +97,23 @@ struct private_cert_payload_t {
  */
 encoding_rule_t cert_payload_encodings[] = {
 	/* 1 Byte next payload type, stored in the field next_payload */
-	{ U_INT_8,			offsetof(private_cert_payload_t, next_payload) 	},
+	{ U_INT_8,			offsetof(private_cert_payload_t, next_payload)	},
 	/* the critical bit */
-	{ FLAG,				offsetof(private_cert_payload_t, critical) 		},
+	{ FLAG,				offsetof(private_cert_payload_t, critical)		},
 	/* 7 Bit reserved bits, nowhere stored */
-	{ RESERVED_BIT,	0 													},
-	{ RESERVED_BIT,	0 													},
-	{ RESERVED_BIT,	0 													},
-	{ RESERVED_BIT,	0 													},
-	{ RESERVED_BIT,	0 													},
-	{ RESERVED_BIT,	0 													},
-	{ RESERVED_BIT,	0 													},
+	{ RESERVED_BIT,		offsetof(private_cert_payload_t, reserved[0])	},
+	{ RESERVED_BIT,		offsetof(private_cert_payload_t, reserved[1])	},
+	{ RESERVED_BIT,		offsetof(private_cert_payload_t, reserved[2])	},
+	{ RESERVED_BIT,		offsetof(private_cert_payload_t, reserved[3])	},
+	{ RESERVED_BIT,		offsetof(private_cert_payload_t, reserved[4])	},
+	{ RESERVED_BIT,		offsetof(private_cert_payload_t, reserved[5])	},
+	{ RESERVED_BIT,		offsetof(private_cert_payload_t, reserved[6])	},
 	/* Length of the whole payload*/
 	{ PAYLOAD_LENGTH,	offsetof(private_cert_payload_t, payload_length)},
 	/* 1 Byte CERT type*/
 	{ U_INT_8,			offsetof(private_cert_payload_t, encoding)		},
 	/* some cert data bytes, length is defined in PAYLOAD_LENGTH */
-	{ CERT_DATA,		offsetof(private_cert_payload_t, data) 			}
+	{ CERT_DATA,		offsetof(private_cert_payload_t, data)			}
 };
 
 /*
@@ -123,25 +129,23 @@ encoding_rule_t cert_payload_encodings[] = {
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 */
 
-/**
- * Implementation of payload_t.verify.
- */
-static status_t verify(private_cert_payload_t *this)
+METHOD(payload_t, verify, status_t,
+	private_cert_payload_t *this)
 {
 	if (this->encoding == ENC_X509_HASH_AND_URL ||
 		this->encoding == ENC_X509_HASH_AND_URL_BUNDLE)
 	{
+		int i;
+
 		/* coarse verification of "Hash and URL" encoded certificates */
 		if (this->data.len <= 20)
 		{
 			DBG1(DBG_ENC, "invalid payload length for hash-and-url (%d), ignore",
-					this->data.len);
+				 this->data.len);
 			this->invalid_hash_and_url = TRUE;
 			return SUCCESS;
 		}
-
-		int i = 20; /* skipping the hash */
-		for (; i < this->data.len; ++i)
+		for (i = 20; i < this->data.len; ++i)
 		{
 			if (this->data.ptr[i] == '\0')
 			{
@@ -151,94 +155,81 @@ static status_t verify(private_cert_payload_t *this)
 			else if (!isprint(this->data.ptr[i]))
 			{
 				DBG1(DBG_ENC, "non printable characters in url of hash-and-url"
-						" encoded certificate payload, ignore");
+					 " encoded certificate payload, ignore");
 				this->invalid_hash_and_url = TRUE;
 				return SUCCESS;
 			}
 		}
-
 		/* URL is not null terminated, correct that */
-		chunk_t data = chunk_alloc(this->data.len + 1);
-		memcpy(data.ptr, this->data.ptr, this->data.len);
-		data.ptr[this->data.len] = '\0';
-		chunk_free(&this->data);
-		this->data = data;
+		this->data = chunk_cat("mc", this->data, chunk_from_chars(0));
 	}
 	return SUCCESS;
 }
 
-/**
- * Implementation of cert_payload_t.get_encoding_rules.
- */
-static void get_encoding_rules(private_cert_payload_t *this,
-							   encoding_rule_t **rules, size_t *rule_count)
+METHOD(payload_t, get_encoding_rules, void,
+	private_cert_payload_t *this, encoding_rule_t **rules, size_t *rule_count)
 {
 	*rules = cert_payload_encodings;
-	*rule_count = sizeof(cert_payload_encodings) / sizeof(encoding_rule_t);
+	*rule_count = countof(cert_payload_encodings);
 }
 
-/**
- * Implementation of payload_t.get_type.
- */
-static payload_type_t get_payload_type(private_cert_payload_t *this)
+METHOD(payload_t, get_type, payload_type_t,
+	private_cert_payload_t *this)
 {
 	return CERTIFICATE;
 }
 
-/**
- * Implementation of payload_t.get_next_type.
- */
-static payload_type_t get_next_type(private_cert_payload_t *this)
+METHOD(payload_t, get_next_type, payload_type_t,
+	private_cert_payload_t *this)
 {
 	return this->next_payload;
 }
 
-/**
- * Implementation of payload_t.set_next_type.
- */
-static void set_next_type(private_cert_payload_t *this,payload_type_t type)
+METHOD(payload_t, set_next_type, void,
+	private_cert_payload_t *this, payload_type_t type)
 {
 	this->next_payload = type;
 }
 
-/**
- * Implementation of payload_t.get_length.
- */
-static size_t get_length(private_cert_payload_t *this)
+METHOD(payload_t, get_length, size_t,
+	private_cert_payload_t *this)
 {
 	return this->payload_length;
 }
 
-/**
- * Implementation of cert_payload_t.get_cert_encoding.
- */
-static cert_encoding_t get_cert_encoding(private_cert_payload_t *this)
+METHOD(cert_payload_t, get_cert_encoding, cert_encoding_t,
+	private_cert_payload_t *this)
 {
 	return this->encoding;
 }
 
-/**
- * Implementation of cert_payload_t.get_cert.
- */
-static certificate_t *get_cert(private_cert_payload_t *this)
+METHOD(cert_payload_t, get_cert, certificate_t*,
+	private_cert_payload_t *this)
 {
-	if (this->encoding != ENC_X509_SIGNATURE)
+	int type;
+
+	switch (this->encoding)
 	{
-		return NULL;
+		case ENC_X509_SIGNATURE:
+			type = CERT_X509;
+			break;
+		case ENC_CRL:
+			type = CERT_X509_CRL;
+			break;
+		default:
+			return NULL;
 	}
-	return lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
-							  BUILD_BLOB_ASN1_DER, this->data,
-							  BUILD_END);
+	return lib->creds->create(lib->creds, CRED_CERTIFICATE, type,
+							  BUILD_BLOB_ASN1_DER, this->data, BUILD_END);
 }
 
-/**
- * Implementation of cert_payload_t.get_hash.
- */
-static chunk_t get_hash(private_cert_payload_t *this)
+METHOD(cert_payload_t, get_hash, chunk_t,
+	private_cert_payload_t *this)
 {
 	chunk_t hash = chunk_empty;
+
 	if ((this->encoding != ENC_X509_HASH_AND_URL &&
-		this->encoding != ENC_X509_HASH_AND_URL_BUNDLE) ||
+		 this->encoding != ENC_X509_HASH_AND_URL_BUNDLE) ||
 		this->invalid_hash_and_url)
 	{
 		return hash;
@@ -248,13 +239,11 @@ static chunk_t get_hash(private_cert_payload_t *this)
 	return hash;
 }
 
-/**
- * Implementation of cert_payload_t.get_url.
- */
-static char *get_url(private_cert_payload_t *this)
+METHOD(cert_payload_t, get_url, char*,
+	private_cert_payload_t *this)
 {
 	if ((this->encoding != ENC_X509_HASH_AND_URL &&
-		this->encoding != ENC_X509_HASH_AND_URL_BUNDLE) ||
+		 this->encoding != ENC_X509_HASH_AND_URL_BUNDLE) ||
 		this->invalid_hash_and_url)
 	{
 		return NULL;
@@ -262,12 +251,10 @@ static char *get_url(private_cert_payload_t *this)
 	return (char*)this->data.ptr + 20;
 }
 
-/**
- * Implementation of payload_t.destroy and cert_payload_t.destroy.
- */
-static void destroy(private_cert_payload_t *this)
+METHOD2(payload_t, cert_payload_t, destroy, void,
+	private_cert_payload_t *this)
 {
-	chunk_free(&this->data);
+	free(this->data.ptr);
 	free(this);
 }
 
@@ -276,29 +263,28 @@ static void destroy(private_cert_payload_t *this)
  */
 cert_payload_t *cert_payload_create()
 {
-	private_cert_payload_t *this = malloc_thing(private_cert_payload_t);
-
-	this->public.payload_interface.verify = (status_t (*) (payload_t*))verify;
-	this->public.payload_interface.get_encoding_rules = (void (*) (payload_t*,encoding_rule_t**, size_t*))get_encoding_rules;
-	this->public.payload_interface.get_length = (size_t (*) (payload_t*))get_length;
-	this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t*))get_next_type;
-	this->public.payload_interface.set_next_type = (void (*) (payload_t*,payload_type_t))set_next_type;
-	this->public.payload_interface.get_type = (payload_type_t (*) (payload_t*))get_payload_type;
-	this->public.payload_interface.destroy = (void (*) (payload_t*))destroy;
-
-	this->public.destroy = (void (*) (cert_payload_t*))destroy;
-	this->public.get_cert = (certificate_t* (*) (cert_payload_t*))get_cert;
-	this->public.get_cert_encoding = (cert_encoding_t (*) (cert_payload_t*))get_cert_encoding;
-	this->public.get_hash = (chunk_t (*) (cert_payload_t*))get_hash;
-	this->public.get_url = (char* (*) (cert_payload_t*))get_url;
-
-	this->critical = FALSE;
-	this->next_payload = NO_PAYLOAD;
-	this->payload_length = CERT_PAYLOAD_HEADER_LENGTH;
-	this->data = chunk_empty;
-	this->encoding = 0;
-	this->invalid_hash_and_url = FALSE;
-
+	private_cert_payload_t *this;
+
+	INIT(this,
+		.public = {
+			.payload_interface = {
+				.verify = _verify,
+				.get_encoding_rules = _get_encoding_rules,
+				.get_length = _get_length,
+				.get_next_type = _get_next_type,
+				.set_next_type = _set_next_type,
+				.get_type = _get_type,
+				.destroy = _destroy,
+			},
+			.get_cert = _get_cert,
+			.get_cert_encoding = _get_cert_encoding,
+			.get_hash = _get_hash,
+			.get_url = _get_url,
+			.destroy = _destroy,
+		},
+		.next_payload = NO_PAYLOAD,
+		.payload_length = CERT_PAYLOAD_HEADER_LENGTH,
+	);
 	return &this->public;
 }
 
@@ -343,3 +329,15 @@ cert_payload_t *cert_payload_create_from_hash_and_url(chunk_t hash, char *url)
 	return &this->public;
 }
 
+/*
+ * Described in header
+ */
+cert_payload_t *cert_payload_create_custom(cert_encoding_t type, chunk_t data)
+{
+	private_cert_payload_t *this = (private_cert_payload_t*)cert_payload_create();
+
+	this->encoding = type;
+	this->data = data;
+	this->payload_length = CERT_PAYLOAD_HEADER_LENGTH + this->data.len;
+	return &this->public;
+}
diff --git a/src/libcharon/encoding/payloads/cert_payload.h b/src/libcharon/encoding/payloads/cert_payload.h
index aa1c7bf5a..21b503a40 100644
--- a/src/libcharon/encoding/payloads/cert_payload.h
+++ b/src/libcharon/encoding/payloads/cert_payload.h
@@ -134,4 +134,13 @@ cert_payload_t *cert_payload_create_from_cert(certificate_t *cert);
  */
 cert_payload_t *cert_payload_create_from_hash_and_url(chunk_t hash, char *url);
 
+/**
+ * Creates a custom certificate payload using type and associated data.
+ *
+ * @param type				encoding type of certificate
+ * @param data				associated data (gets owned)
+ * @return					cert_payload_t object
+ */
+cert_payload_t *cert_payload_create_custom(cert_encoding_t type, chunk_t data);
+
 #endif /** CERT_PAYLOAD_H_ @}*/
diff --git a/src/libcharon/encoding/payloads/certreq_payload.c b/src/libcharon/encoding/payloads/certreq_payload.c
index 9ff0bdde0..8e0836f0e 100644
--- a/src/libcharon/encoding/payloads/certreq_payload.c
+++ b/src/libcharon/encoding/payloads/certreq_payload.c
@@ -1,5 +1,6 @@
 /*
- * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005-2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
  *
@@ -22,14 +23,13 @@
 
 #include "certreq_payload.h"
 
-
 typedef struct private_certreq_payload_t private_certreq_payload_t;
 
 /**
  * Private data of an certreq_payload_t object.
- *
  */
 struct private_certreq_payload_t {
+
 	/**
 	 * Public certreq_payload_t interface.
 	 */
@@ -45,6 +45,11 @@ struct private_certreq_payload_t {
 	 */
 	bool critical;
 
+	/**
+	 * Reserved bits
+	 */
+	bool reserved[7];
+
 	/**
 	 * Length of this payload.
 	 */
@@ -66,21 +71,20 @@ struct private_certreq_payload_t {
  *
  * The defined offsets are the positions in a object of type
  * private_certreq_payload_t.
- *
  */
 encoding_rule_t certreq_payload_encodings[] = {
 	/* 1 Byte next payload type, stored in the field next_payload */
-	{ U_INT_8,			offsetof(private_certreq_payload_t, next_payload) 	},
+	{ U_INT_8,			offsetof(private_certreq_payload_t, next_payload)	},
 	/* the critical bit */
-	{ FLAG,				offsetof(private_certreq_payload_t, critical) 		},
-	/* 7 Bit reserved bits, nowhere stored */
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
+	{ FLAG,				offsetof(private_certreq_payload_t, critical)		},
+	/* 7 Bit reserved bits */
+	{ RESERVED_BIT,		offsetof(private_certreq_payload_t, reserved[0])	},
+	{ RESERVED_BIT,		offsetof(private_certreq_payload_t, reserved[1])	},
+	{ RESERVED_BIT,		offsetof(private_certreq_payload_t, reserved[2])	},
+	{ RESERVED_BIT,		offsetof(private_certreq_payload_t, reserved[3])	},
+	{ RESERVED_BIT,		offsetof(private_certreq_payload_t, reserved[4])	},
+	{ RESERVED_BIT,		offsetof(private_certreq_payload_t, reserved[5])	},
+	{ RESERVED_BIT,		offsetof(private_certreq_payload_t, reserved[6])	},
 	/* Length of the whole payload*/
 	{ PAYLOAD_LENGTH,	offsetof(private_certreq_payload_t, payload_length)	},
 	/* 1 Byte CERTREQ type*/
@@ -102,10 +106,8 @@ encoding_rule_t certreq_payload_encodings[] = {
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 */
 
-/**
- * Implementation of payload_t.verify.
- */
-static status_t verify(private_certreq_payload_t *this)
+METHOD(payload_t, verify, status_t,
+	private_certreq_payload_t *this)
 {
 	if (this->encoding == ENC_X509_SIGNATURE)
 	{
@@ -120,51 +122,39 @@ static status_t verify(private_certreq_payload_t *this)
 	return SUCCESS;
 }
 
-/**
- * Implementation of certreq_payload_t.get_encoding_rules.
- */
-static void get_encoding_rules(private_certreq_payload_t *this, encoding_rule_t **rules, size_t *rule_count)
+METHOD(payload_t, get_encoding_rules, void,
+	private_certreq_payload_t *this, encoding_rule_t **rules, size_t *rule_count)
 {
 	*rules = certreq_payload_encodings;
-	*rule_count = sizeof(certreq_payload_encodings) / sizeof(encoding_rule_t);
+	*rule_count = countof(certreq_payload_encodings);
 }
 
-/**
- * Implementation of payload_t.get_type.
- */
-static payload_type_t get_payload_type(private_certreq_payload_t *this)
+METHOD(payload_t, get_type, payload_type_t,
+	private_certreq_payload_t *this)
 {
 	return CERTIFICATE_REQUEST;
 }
 
-/**
- * Implementation of payload_t.get_next_type.
- */
-static payload_type_t get_next_type(private_certreq_payload_t *this)
+METHOD(payload_t, get_next_type, payload_type_t,
+	private_certreq_payload_t *this)
 {
-	return (this->next_payload);
+	return this->next_payload;
 }
 
-/**
- * Implementation of payload_t.set_next_type.
- */
-static void set_next_type(private_certreq_payload_t *this,payload_type_t type)
+METHOD(payload_t, set_next_type, void,
+	private_certreq_payload_t *this, payload_type_t type)
 {
 	this->next_payload = type;
 }
 
-/**
- * Implementation of payload_t.get_length.
- */
-static size_t get_length(private_certreq_payload_t *this)
+METHOD(payload_t, get_length, size_t,
+	private_certreq_payload_t *this)
 {
 	return this->payload_length;
 }
 
-/**
- * Implementation of certreq_payload_t.add_keyid.
- */
-static void add_keyid(private_certreq_payload_t *this, chunk_t keyid)
+METHOD(certreq_payload_t, add_keyid, void,
+	private_certreq_payload_t *this, chunk_t keyid)
 {
 	this->data = chunk_cat("mc", this->data, keyid);
 	this->payload_length += keyid.len;
@@ -181,10 +171,8 @@ struct keyid_enumerator_t  {
 	u_char *pos;
 };
 
-/**
- * enumerate function for keyid_enumerator
- */
-static bool keyid_enumerate(keyid_enumerator_t *this, chunk_t *chunk)
+METHOD(enumerator_t, keyid_enumerate, bool,
+	keyid_enumerator_t *this, chunk_t *chunk)
 {
 	if (this->pos == NULL)
 	{
@@ -207,23 +195,23 @@ static bool keyid_enumerate(keyid_enumerator_t *this, chunk_t *chunk)
 	return FALSE;
 }
 
-/**
- * Implementation of certreq_payload_t.create_keyid_enumerator.
- */
-static enumerator_t* create_keyid_enumerator(private_certreq_payload_t *this)
+METHOD(certreq_payload_t, create_keyid_enumerator, enumerator_t*,
+	private_certreq_payload_t *this)
 {
-	keyid_enumerator_t *enumerator = malloc_thing(keyid_enumerator_t);
-	enumerator->public.enumerate = (void*)keyid_enumerate;
-	enumerator->public.destroy = (void*)free;
-	enumerator->full = this->data;
-	enumerator->pos = NULL;
+	keyid_enumerator_t *enumerator;
+
+	INIT(enumerator,
+		.public = {
+			.enumerate = (void*)_keyid_enumerate,
+			.destroy = (void*)free,
+		},
+		.full = this->data,
+	);
 	return &enumerator->public;
 }
 
-/**
- * Implementation of certreq_payload_t.get_cert_type.
- */
-static certificate_type_t get_cert_type(private_certreq_payload_t *this)
+METHOD(certreq_payload_t, get_cert_type, certificate_type_t,
+	private_certreq_payload_t *this)
 {
 	switch (this->encoding)
 	{
@@ -234,10 +222,8 @@ static certificate_type_t get_cert_type(private_certreq_payload_t *this)
 	}
 }
 
-/**
- * Implementation of payload_t.destroy and certreq_payload_t.destroy.
- */
-static void destroy(private_certreq_payload_t *this)
+METHOD2(payload_t, certreq_payload_t, destroy, void,
+	private_certreq_payload_t *this)
 {
 	chunk_free(&this->data);
 	free(this);
@@ -248,30 +234,27 @@ static void destroy(private_certreq_payload_t *this)
  */
 certreq_payload_t *certreq_payload_create()
 {
-	private_certreq_payload_t *this = malloc_thing(private_certreq_payload_t);
-
-	/* interface functions */
-	this->public.payload_interface.verify = (status_t (*) (payload_t*))verify;
-	this->public.payload_interface.get_encoding_rules = (void (*) (payload_t*,encoding_rule_t**,size_t*))get_encoding_rules;
-	this->public.payload_interface.get_length = (size_t (*) (payload_t*))get_length;
-	this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t*))get_next_type;
-	this->public.payload_interface.set_next_type = (void (*) (payload_t*,payload_type_t))set_next_type;
-	this->public.payload_interface.get_type = (payload_type_t (*) (payload_t*))get_payload_type;
-	this->public.payload_interface.destroy = (void (*) (payload_t*))destroy;
-
-	/* public functions */
-	this->public.destroy = (void (*) (certreq_payload_t*)) destroy;
-	this->public.create_keyid_enumerator = (enumerator_t*(*)(certreq_payload_t*))create_keyid_enumerator;
-		this->public.get_cert_type = (certificate_type_t(*)(certreq_payload_t*))get_cert_type;
-	this->public.add_keyid = (void(*)(certreq_payload_t*, chunk_t keyid))add_keyid;
-
-	/* private variables */
-	this->critical = FALSE;
-	this->next_payload = NO_PAYLOAD;
-	this->payload_length = CERTREQ_PAYLOAD_HEADER_LENGTH;
-	this->data = chunk_empty;
-	this->encoding = 0;
-
+	private_certreq_payload_t *this;
+
+	INIT(this,
+		.public = {
+			.payload_interface = {
+				.verify = _verify,
+				.get_encoding_rules = _get_encoding_rules,
+				.get_length = _get_length,
+				.get_next_type = _get_next_type,
+				.set_next_type = _set_next_type,
+				.get_type = _get_type,
+				.destroy = _destroy,
+			},
+			.create_keyid_enumerator = _create_keyid_enumerator,
+			.get_cert_type = _get_cert_type,
+			.add_keyid = _add_keyid,
+			.destroy = _destroy,
+		},
+		.next_payload = NO_PAYLOAD,
+		.payload_length = CERTREQ_PAYLOAD_HEADER_LENGTH,
+	);
 	return &this->public;
 }
 
diff --git a/src/libcharon/encoding/payloads/configuration_attribute.c b/src/libcharon/encoding/payloads/configuration_attribute.c
index 9094fd44d..e608497bd 100644
--- a/src/libcharon/encoding/payloads/configuration_attribute.c
+++ b/src/libcharon/encoding/payloads/configuration_attribute.c
@@ -1,5 +1,6 @@
 /*
- * Copyright (C) 2005-2009 Martin Willi
+ * Copyright (C) 2005-2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
  *
@@ -22,19 +23,23 @@
 #include <library.h>
 #include <daemon.h>
 
-
 typedef struct private_configuration_attribute_t private_configuration_attribute_t;
 
 /**
  * Private data of an configuration_attribute_t object.
- *
  */
 struct private_configuration_attribute_t {
+
 	/**
 	 * Public configuration_attribute_t interface.
 	 */
 	configuration_attribute_t public;
 
+	/**
+	 * Reserved bit
+	 */
+	bool reserved;
+
 	/**
 	 * Type of the attribute.
 	 */
@@ -58,8 +63,8 @@ struct private_configuration_attribute_t {
  * private_configuration_attribute_t.
  */
 encoding_rule_t configuration_attribute_encodings[] = {
-
-	{ RESERVED_BIT,						0													},
+	/* 1 reserved bit */
+	{ RESERVED_BIT,						offsetof(private_configuration_attribute_t, reserved)},
 	/* type of the attribute as 15 bit unsigned integer */
 	{ ATTRIBUTE_TYPE,					offsetof(private_configuration_attribute_t, type)	},
 	/* Length of attribute value */
@@ -80,10 +85,8 @@ encoding_rule_t configuration_attribute_encodings[] = {
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 */
 
-/**
- * Implementation of payload_t.verify.
- */
-static status_t verify(private_configuration_attribute_t *this)
+METHOD(payload_t, verify, status_t,
+	private_configuration_attribute_t *this)
 {
 	bool failed = FALSE;
 
@@ -151,69 +154,51 @@ static status_t verify(private_configuration_attribute_t *this)
 	return SUCCESS;
 }
 
-/**
- * Implementation of payload_t.get_encoding_rules.
- */
-static void get_encoding_rules(private_configuration_attribute_t *this,
-							   encoding_rule_t **rules, size_t *rule_count)
+METHOD(payload_t, get_encoding_rules, void,
+	private_configuration_attribute_t *this, encoding_rule_t **rules,
+	size_t *rule_count)
 {
 	*rules = configuration_attribute_encodings;
-	*rule_count = sizeof(configuration_attribute_encodings) / sizeof(encoding_rule_t);
+	*rule_count = countof(configuration_attribute_encodings);
 }
 
-/**
- * Implementation of payload_t.get_type.
- */
-static payload_type_t get_type(private_configuration_attribute_t *this)
+METHOD(payload_t, get_type, payload_type_t,
+	private_configuration_attribute_t *this)
 {
 	return CONFIGURATION_ATTRIBUTE;
 }
 
-/**
- * Implementation of payload_t.get_next_type.
- */
-static payload_type_t get_next_type(private_configuration_attribute_t *this)
+METHOD(payload_t, get_next_type, payload_type_t,
+	private_configuration_attribute_t *this)
 {
 	return NO_PAYLOAD;
 }
 
-/**
- * Implementation of payload_t.set_next_type.
- */
-static void set_next_type(private_configuration_attribute_t *this,
-						  payload_type_t type)
+METHOD(payload_t, set_next_type, void,
+	private_configuration_attribute_t *this, payload_type_t type)
 {
 }
 
-/**
- * Implementation of configuration_attribute_t.get_length.
- */
-static size_t get_length(private_configuration_attribute_t *this)
+METHOD(payload_t, get_length, size_t,
+	private_configuration_attribute_t *this)
 {
 	return this->value.len + CONFIGURATION_ATTRIBUTE_HEADER_LENGTH;
 }
 
-/**
- * Implementation of configuration_attribute_t.get_type.
- */
-static configuration_attribute_type_t get_configuration_attribute_type(
-									private_configuration_attribute_t *this)
+METHOD(configuration_attribute_t, get_cattr_type, configuration_attribute_type_t,
+	private_configuration_attribute_t *this)
 {
 	return this->type;
 }
 
-/**
- * Implementation of configuration_attribute_t.get_value.
- */
-static chunk_t get_value(private_configuration_attribute_t *this)
+METHOD(configuration_attribute_t, get_value, chunk_t,
+	private_configuration_attribute_t *this)
 {
 	return this->value;
 }
 
-/**
- * Implementation of configuration_attribute_t.destroy and payload_t.destroy.
- */
-static void destroy(private_configuration_attribute_t *this)
+METHOD2(payload_t, configuration_attribute_t, destroy, void,
+	private_configuration_attribute_t *this)
 {
 	free(this->value.ptr);
 	free(this);
@@ -226,23 +211,22 @@ configuration_attribute_t *configuration_attribute_create()
 {
 	private_configuration_attribute_t *this;
 
-	this = malloc_thing(private_configuration_attribute_t);
-	this->public.payload_interface.verify = (status_t(*)(payload_t *))verify;
-	this->public.payload_interface.get_encoding_rules = (void(*)(payload_t *, encoding_rule_t **, size_t *) )get_encoding_rules;
-	this->public.payload_interface.get_length = (size_t(*)(payload_t *))get_length;
-	this->public.payload_interface.get_next_type = (payload_type_t(*)(payload_t *))get_next_type;
-	this->public.payload_interface.set_next_type = (void(*)(payload_t *,payload_type_t))set_next_type;
-	this->public.payload_interface.get_type = (payload_type_t(*)(payload_t *))get_type;
-	this->public.payload_interface.destroy = (void(*)(payload_t*))destroy;
-
-	this->public.get_value = (chunk_t(*)(configuration_attribute_t *))get_value;
-	this->public.get_type = (configuration_attribute_type_t(*)(configuration_attribute_t *))get_configuration_attribute_type;
-	this->public.destroy = (void (*)(configuration_attribute_t*))destroy;
-
-	this->type = 0;
-	this->value = chunk_empty;
-	this->length = 0;
-
+	INIT(this,
+		.public = {
+			.payload_interface = {
+				.verify = _verify,
+				.get_encoding_rules = _get_encoding_rules,
+				.get_length = _get_length,
+				.get_next_type = _get_next_type,
+				.set_next_type = _set_next_type,
+				.get_type = _get_type,
+				.destroy = _destroy,
+			},
+			.get_value = _get_value,
+			.get_type = _get_cattr_type,
+			.destroy = _destroy,
+		},
+	);
 	return &this->public;
 }
 
diff --git a/src/libcharon/encoding/payloads/cp_payload.c b/src/libcharon/encoding/payloads/cp_payload.c
index f0a26eee2..82e9e51b7 100644
--- a/src/libcharon/encoding/payloads/cp_payload.c
+++ b/src/libcharon/encoding/payloads/cp_payload.c
@@ -1,5 +1,6 @@
 /*
- * Copyright (C) 2005-2009 Martin Willi
+ * Copyright (C) 2005-2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
  *
@@ -32,9 +33,9 @@ typedef struct private_cp_payload_t private_cp_payload_t;
 
 /**
  * Private data of an cp_payload_t object.
- *
  */
 struct private_cp_payload_t {
+
 	/**
 	 * Public cp_payload_t interface.
 	 */
@@ -50,6 +51,16 @@ struct private_cp_payload_t {
 	 */
 	bool critical;
 
+	/**
+	 * Reserved bits
+	 */
+	bool reserved_bit[7];
+
+	/**
+	 * Reserved bytes
+	 */
+	u_int8_t reserved_byte[3];
+
 	/**
 	 * Length of this payload.
 	 */
@@ -71,30 +82,30 @@ struct private_cp_payload_t {
  *
  * The defined offsets are the positions in a object of type
  * private_cp_payload_t.
- *
  */
 encoding_rule_t cp_payload_encodings[] = {
 	/* 1 Byte next payload type, stored in the field next_payload */
-	{ U_INT_8,		offsetof(private_cp_payload_t, next_payload) 			},
+	{ U_INT_8,					offsetof(private_cp_payload_t, next_payload)	},
 	/* the critical bit */
-	{ FLAG,			offsetof(private_cp_payload_t, critical) 				},
-	/* 7 Bit reserved bits, nowhere stored */
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
+	{ FLAG,						offsetof(private_cp_payload_t, critical)		},
+	/* 7 Bit reserved bits */
+	{ RESERVED_BIT,				offsetof(private_cp_payload_t, reserved_bit[0])	},
+	{ RESERVED_BIT,				offsetof(private_cp_payload_t, reserved_bit[1])	},
+	{ RESERVED_BIT,				offsetof(private_cp_payload_t, reserved_bit[2])	},
+	{ RESERVED_BIT,				offsetof(private_cp_payload_t, reserved_bit[3])	},
+	{ RESERVED_BIT,				offsetof(private_cp_payload_t, reserved_bit[4])	},
+	{ RESERVED_BIT,				offsetof(private_cp_payload_t, reserved_bit[5])	},
+	{ RESERVED_BIT,				offsetof(private_cp_payload_t, reserved_bit[6])	},
 	/* Length of the whole CP payload*/
-	{ PAYLOAD_LENGTH,		offsetof(private_cp_payload_t, payload_length) 	},
+	{ PAYLOAD_LENGTH,			offsetof(private_cp_payload_t, payload_length)	},
 	/* Proposals are stored in a proposal substructure,
 	   offset points to a linked_list_t pointer */
-	{ U_INT_8,				offsetof(private_cp_payload_t, type)			},
-	{ RESERVED_BYTE,0 														},
-	{ RESERVED_BYTE,0														},
-	{ RESERVED_BYTE,0														},
-	{ CONFIGURATION_ATTRIBUTES,	offsetof(private_cp_payload_t, attributes)	}
+	{ U_INT_8,					offsetof(private_cp_payload_t, type)			},
+	/* 3 reserved bytes */
+	{ RESERVED_BYTE,			offsetof(private_cp_payload_t, reserved_byte[0])},
+	{ RESERVED_BYTE,			offsetof(private_cp_payload_t, reserved_byte[1])},
+	{ RESERVED_BYTE,			offsetof(private_cp_payload_t, reserved_byte[2])},
+	{ CONFIGURATION_ATTRIBUTES,	offsetof(private_cp_payload_t, attributes)		}
 };
 
 /*
@@ -111,10 +122,8 @@ encoding_rule_t cp_payload_encodings[] = {
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 */
 
-/**
- * Implementation of payload_t.verify.
- */
-static status_t verify(private_cp_payload_t *this)
+METHOD(payload_t, verify, status_t,
+	private_cp_payload_t *this)
 {
 	status_t status = SUCCESS;
 	enumerator_t *enumerator;
@@ -133,36 +142,27 @@ static status_t verify(private_cp_payload_t *this)
 	return status;
 }
 
-/**
- * Implementation of payload_t.get_encoding_rules.
- */
-static void get_encoding_rules(private_cp_payload_t *this,
-							   encoding_rule_t **rules, size_t *rule_count)
+METHOD(payload_t, get_encoding_rules, void,
+	private_cp_payload_t *this, encoding_rule_t **rules, size_t *rule_count)
 {
 	*rules = cp_payload_encodings;
-	*rule_count = sizeof(cp_payload_encodings) / sizeof(encoding_rule_t);
+	*rule_count = countof(cp_payload_encodings);
 }
 
-/**
- * Implementation of payload_t.get_type.
- */
-static payload_type_t get_type(private_cp_payload_t *this)
+METHOD(payload_t, get_type, payload_type_t,
+	private_cp_payload_t *this)
 {
 	return CONFIGURATION;
 }
 
-/**
- * Implementation of payload_t.get_next_type.
- */
-static payload_type_t get_next_type(private_cp_payload_t *this)
+METHOD(payload_t, get_next_type, payload_type_t,
+	private_cp_payload_t *this)
 {
 	return this->next_payload;
 }
 
-/**
- * Implementation of payload_t.set_next_type.
- */
-static void set_next_type(private_cp_payload_t *this,payload_type_t type)
+METHOD(payload_t, set_next_type, void,
+	private_cp_payload_t *this,payload_type_t type)
 {
 	this->next_payload = type;
 }
@@ -185,44 +185,33 @@ static void compute_length(private_cp_payload_t *this)
 	enumerator->destroy(enumerator);
 }
 
-/**
- * Implementation of payload_t.get_length.
- */
-static size_t get_length(private_cp_payload_t *this)
+METHOD(payload_t, get_length, size_t,
+	private_cp_payload_t *this)
 {
 	return this->payload_length;
 }
 
-/**
- * Implementation of cp_payload_t.create_attribute_enumerator.
- */
-static enumerator_t *create_attribute_enumerator(private_cp_payload_t *this)
+METHOD(cp_payload_t, create_attribute_enumerator, enumerator_t*,
+	private_cp_payload_t *this)
 {
 	return this->attributes->create_enumerator(this->attributes);
 }
 
-/**
- * Implementation of cp_payload_t.add_attribute.
- */
-static void add_attribute(private_cp_payload_t *this,
-						  configuration_attribute_t *attribute)
+METHOD(cp_payload_t, add_attribute, void,
+	private_cp_payload_t *this, configuration_attribute_t *attribute)
 {
 	this->attributes->insert_last(this->attributes, attribute);
 	compute_length(this);
 }
 
-/**
- * Implementation of cp_payload_t.get_type.
- */
-static config_type_t get_config_type(private_cp_payload_t *this)
+METHOD(cp_payload_t, get_config_type, config_type_t,
+	private_cp_payload_t *this)
 {
 	return this->type;
 }
 
-/**
- * Implementation of payload_t.destroy and cp_payload_t.destroy.
- */
-static void destroy(private_cp_payload_t *this)
+METHOD2(payload_t, cp_payload_t, destroy, void,
+	private_cp_payload_t *this)
 {
 	this->attributes->destroy_offset(this->attributes,
 								offsetof(configuration_attribute_t, destroy));
@@ -232,42 +221,38 @@ static void destroy(private_cp_payload_t *this)
 /*
  * Described in header.
  */
-cp_payload_t *cp_payload_create()
+cp_payload_t *cp_payload_create_type(config_type_t type)
 {
-	private_cp_payload_t *this = malloc_thing(private_cp_payload_t);
-
-	this->public.payload_interface.verify = (status_t (*) (payload_t *))verify;
-	this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules;
-	this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length;
-	this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type;
-	this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
-	this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_type;
-	this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
-
-	this->public.create_attribute_enumerator = (enumerator_t*(*)(cp_payload_t *))create_attribute_enumerator;
-	this->public.add_attribute = (void (*) (cp_payload_t *,configuration_attribute_t*))add_attribute;
-	this->public.get_type = (config_type_t (*) (cp_payload_t *))get_config_type;
-	this->public.destroy = (void (*)(cp_payload_t *))destroy;
-
-	/* set default values of the fields */
-	this->critical = FALSE;
-	this->next_payload = NO_PAYLOAD;
-	this->payload_length = CP_PAYLOAD_HEADER_LENGTH;
-	this->attributes = linked_list_create();
-	this->type = CFG_REQUEST;
-
+	private_cp_payload_t *this;
+
+	INIT(this,
+		.public = {
+			.payload_interface = {
+				.verify = _verify,
+				.get_encoding_rules = _get_encoding_rules,
+				.get_length = _get_length,
+				.get_next_type = _get_next_type,
+				.set_next_type = _set_next_type,
+				.get_type = _get_type,
+				.destroy = _destroy,
+			},
+			.create_attribute_enumerator = _create_attribute_enumerator,
+			.add_attribute = _add_attribute,
+			.get_type = _get_config_type,
+			.destroy = _destroy,
+		},
+		.next_payload = NO_PAYLOAD,
+		.payload_length = CP_PAYLOAD_HEADER_LENGTH,
+		.attributes = linked_list_create(),
+		.type = type,
+	);
 	return &this->public;
 }
 
 /*
  * Described in header.
  */
-cp_payload_t *cp_payload_create_type(config_type_t type)
+cp_payload_t *cp_payload_create()
 {
-	private_cp_payload_t *this = (private_cp_payload_t*)cp_payload_create();
-
-	this->type = type;
-
-	return &this->public;
+	return cp_payload_create_type(CFG_REQUEST);
 }
-
diff --git a/src/libcharon/encoding/payloads/delete_payload.c b/src/libcharon/encoding/payloads/delete_payload.c
index 5fc3b7c88..e6ee07d39 100644
--- a/src/libcharon/encoding/payloads/delete_payload.c
+++ b/src/libcharon/encoding/payloads/delete_payload.c
@@ -42,6 +42,11 @@ struct private_delete_payload_t {
 	 */
 	bool critical;
 
+	/**
+	 * reserved bits
+	 */
+	bool reserved[7];
+
 	/**
 	 * Length of this payload.
 	 */
@@ -79,14 +84,14 @@ encoding_rule_t delete_payload_encodings[] = {
 	{ U_INT_8,			offsetof(private_delete_payload_t, next_payload) 	},
 	/* the critical bit */
 	{ FLAG,				offsetof(private_delete_payload_t, critical) 		},
-	/* 7 Bit reserved bits, nowhere stored */
-	{ RESERVED_BIT,		0 													},
-	{ RESERVED_BIT,		0 													},
-	{ RESERVED_BIT,		0 													},
-	{ RESERVED_BIT,		0 													},
-	{ RESERVED_BIT,		0 													},
-	{ RESERVED_BIT,		0 													},
-	{ RESERVED_BIT,		0 													},
+	/* 7 Bit reserved bits */
+	{ RESERVED_BIT,		offsetof(private_delete_payload_t, reserved[0])		},
+	{ RESERVED_BIT,		offsetof(private_delete_payload_t, reserved[1])		},
+	{ RESERVED_BIT,		offsetof(private_delete_payload_t, reserved[2])		},
+	{ RESERVED_BIT,		offsetof(private_delete_payload_t, reserved[3])		},
+	{ RESERVED_BIT,		offsetof(private_delete_payload_t, reserved[4])		},
+	{ RESERVED_BIT,		offsetof(private_delete_payload_t, reserved[5])		},
+	{ RESERVED_BIT,		offsetof(private_delete_payload_t, reserved[6])		},
 	/* Length of the whole payload*/
 	{ PAYLOAD_LENGTH,	offsetof(private_delete_payload_t, payload_length)	},
 	{ U_INT_8,			offsetof(private_delete_payload_t, protocol_id)		},
diff --git a/src/libcharon/encoding/payloads/eap_payload.c b/src/libcharon/encoding/payloads/eap_payload.c
index 21f34a642..eafb668b6 100644
--- a/src/libcharon/encoding/payloads/eap_payload.c
+++ b/src/libcharon/encoding/payloads/eap_payload.c
@@ -42,6 +42,11 @@ struct private_eap_payload_t {
 	 */
 	bool critical;
 
+	/**
+	 * Reserved bits
+	 */
+	bool reserved[7];
+
 	/**
 	 * Length of this payload.
 	 */
@@ -66,13 +71,13 @@ static encoding_rule_t eap_payload_encodings[] = {
 	/* the critical bit */
 	{ FLAG,				offsetof(private_eap_payload_t, critical) 		},
 	/* 7 Bit reserved bits, nowhere stored */
-	{ RESERVED_BIT,	0 													},
-	{ RESERVED_BIT,	0 													},
-	{ RESERVED_BIT,	0 													},
-	{ RESERVED_BIT,	0 													},
-	{ RESERVED_BIT,	0 													},
-	{ RESERVED_BIT,	0 													},
-	{ RESERVED_BIT,	0 													},
+	{ RESERVED_BIT,		offsetof(private_eap_payload_t, reserved[0])	},
+	{ RESERVED_BIT,		offsetof(private_eap_payload_t, reserved[1])	},
+	{ RESERVED_BIT,		offsetof(private_eap_payload_t, reserved[2])	},
+	{ RESERVED_BIT,		offsetof(private_eap_payload_t, reserved[3])	},
+	{ RESERVED_BIT,		offsetof(private_eap_payload_t, reserved[4])	},
+	{ RESERVED_BIT,		offsetof(private_eap_payload_t, reserved[5])	},
+	{ RESERVED_BIT,		offsetof(private_eap_payload_t, reserved[6])	},
 	/* Length of the whole payload*/
 	{ PAYLOAD_LENGTH,	offsetof(private_eap_payload_t, payload_length)	},
 	/* chunt to data, starting at "code" */
diff --git a/src/libcharon/encoding/payloads/id_payload.c b/src/libcharon/encoding/payloads/id_payload.c
index 4158c3e07..3befadfe2 100644
--- a/src/libcharon/encoding/payloads/id_payload.c
+++ b/src/libcharon/encoding/payloads/id_payload.c
@@ -1,6 +1,7 @@
 /*
+ * Copyright (C) 2005-2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
  * Copyright (C) 2007 Tobias Brunner
- * Copyright (C) 2005-2006 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  *
  * Hochschule fuer Technik Rapperswil
@@ -50,6 +51,16 @@ struct private_id_payload_t {
 	 */
 	bool critical;
 
+	/**
+	 * Reserved bits
+	 */
+	bool reserved_bit[7];
+
+	/**
+	 * Reserved bytes
+	 */
+	u_int8_t reserved_byte[3];
+
 	/**
 	 * Length of this payload.
 	 */
@@ -71,31 +82,30 @@ struct private_id_payload_t {
  *
  * The defined offsets are the positions in a object of type
  * private_id_payload_t.
- *
  */
 encoding_rule_t id_payload_encodings[] = {
 	/* 1 Byte next payload type, stored in the field next_payload */
 	{ U_INT_8,			offsetof(private_id_payload_t, next_payload) 	},
 	/* the critical bit */
 	{ FLAG,				offsetof(private_id_payload_t, critical) 		},
-	/* 7 Bit reserved bits, nowhere stored */
-	{ RESERVED_BIT,	0 													},
-	{ RESERVED_BIT,	0 													},
-	{ RESERVED_BIT,	0 													},
-	{ RESERVED_BIT,	0 													},
-	{ RESERVED_BIT,	0 													},
-	{ RESERVED_BIT,	0 													},
-	{ RESERVED_BIT,	0 													},
+	/* 7 Bit reserved bits */
+	{ RESERVED_BIT,		offsetof(private_id_payload_t, reserved_bit[0])	},
+	{ RESERVED_BIT,		offsetof(private_id_payload_t, reserved_bit[1])	},
+	{ RESERVED_BIT,		offsetof(private_id_payload_t, reserved_bit[2])	},
+	{ RESERVED_BIT,		offsetof(private_id_payload_t, reserved_bit[3])	},
+	{ RESERVED_BIT,		offsetof(private_id_payload_t, reserved_bit[4])	},
+	{ RESERVED_BIT,		offsetof(private_id_payload_t, reserved_bit[5])	},
+	{ RESERVED_BIT,		offsetof(private_id_payload_t, reserved_bit[6])	},
 	/* Length of the whole payload*/
 	{ PAYLOAD_LENGTH,	offsetof(private_id_payload_t, payload_length) 	},
 	/* 1 Byte ID type*/
 	{ U_INT_8,			offsetof(private_id_payload_t, id_type)			},
 	/* 3 reserved bytes */
-	{ RESERVED_BYTE,	0 												},
-	{ RESERVED_BYTE,	0 												},
-	{ RESERVED_BYTE,	0 												},
+	{ RESERVED_BYTE,	offsetof(private_id_payload_t, reserved_byte[0])},
+	{ RESERVED_BYTE,	offsetof(private_id_payload_t, reserved_byte[1])},
+	{ RESERVED_BYTE,	offsetof(private_id_payload_t, reserved_byte[2])},
 	/* some id data bytes, length is defined in PAYLOAD_LENGTH */
-	{ ID_DATA,			offsetof(private_id_payload_t, id_data) 		}
+	{ ID_DATA,			offsetof(private_id_payload_t, id_data)			}
 };
 
 /*
@@ -112,136 +122,59 @@ encoding_rule_t id_payload_encodings[] = {
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 */
 
-/**
- * Implementation of payload_t.verify.
- */
-static status_t verify(private_id_payload_t *this)
+METHOD(payload_t, verify, status_t,
+	private_id_payload_t *this)
 {
-	if ((this->id_type == 0) ||
-		(this->id_type == 4) ||
-		((this->id_type >= 6) && (this->id_type <= 8)) ||
-		((this->id_type >= 12) && (this->id_type <= 200)))
+	if (this->id_type == 0 || this->id_type == 4)
 	{
 		/* reserved IDs */
 		DBG1(DBG_ENC, "received ID with reserved type %d", this->id_type);
 		return FAILED;
 	}
-
 	return SUCCESS;
 }
 
-/**
- * Implementation of id_payload_t.get_encoding_rules.
- */
-static void get_encoding_rules(private_id_payload_t *this, encoding_rule_t **rules, size_t *rule_count)
+METHOD(payload_t, get_encoding_rules, void,
+	private_id_payload_t *this, encoding_rule_t **rules, size_t *rule_count)
 {
 	*rules = id_payload_encodings;
-	*rule_count = sizeof(id_payload_encodings) / sizeof(encoding_rule_t);
+	*rule_count = countof(id_payload_encodings);
 }
 
-/**
- * Implementation of payload_t.get_type.
- */
-static payload_type_t get_payload_type(private_id_payload_t *this)
+METHOD(payload_t, get_type, payload_type_t,
+	private_id_payload_t *this)
 {
 	return this->payload_type;
 }
 
-/**
- * Implementation of payload_t.get_next_type.
- */
-static payload_type_t get_next_type(private_id_payload_t *this)
+METHOD(payload_t, get_next_type, payload_type_t,
+	private_id_payload_t *this)
 {
 	return this->next_payload;
 }
 
-/**
- * Implementation of payload_t.set_next_type.
- */
-static void set_next_type(private_id_payload_t *this,payload_type_t type)
+METHOD(payload_t, set_next_type, void,
+	private_id_payload_t *this, payload_type_t type)
 {
 	this->next_payload = type;
 }
 
-/**
- * Implementation of payload_t.get_length.
- */
-static size_t get_length(private_id_payload_t *this)
+METHOD(payload_t, get_length, size_t,
+	private_id_payload_t *this)
 {
 	return this->payload_length;
 }
 
-/**
- * Implementation of id_payload_t.set_type.
- */
-static void set_id_type (private_id_payload_t *this, id_type_t type)
-{
-	this->id_type = type;
-}
-
-/**
- * Implementation of id_payload_t.get_id_type.
- */
-static id_type_t get_id_type (private_id_payload_t *this)
+METHOD(id_payload_t, get_identification, identification_t*,
+	private_id_payload_t *this)
 {
-	return (this->id_type);
+	return identification_create_from_encoding(this->id_type, this->id_data);
 }
 
-/**
- * Implementation of id_payload_t.set_data.
- */
-static void set_data (private_id_payload_t *this, chunk_t data)
+METHOD2(payload_t, id_payload_t, destroy, void,
+	private_id_payload_t *this)
 {
-	if (this->id_data.ptr != NULL)
-	{
-		chunk_free(&(this->id_data));
-	}
-	this->id_data.ptr = clalloc(data.ptr,data.len);
-	this->id_data.len = data.len;
-	this->payload_length = ID_PAYLOAD_HEADER_LENGTH + this->id_data.len;
-}
-
-
-/**
- * Implementation of id_payload_t.get_data_clone.
- */
-static chunk_t get_data (private_id_payload_t *this)
-{
-	return (this->id_data);
-}
-
-/**
- * Implementation of id_payload_t.get_data_clone.
- */
-static chunk_t get_data_clone (private_id_payload_t *this)
-{
-	chunk_t cloned_data;
-	if (this->id_data.ptr == NULL)
-	{
-		return (this->id_data);
-	}
-	cloned_data.ptr = clalloc(this->id_data.ptr,this->id_data.len);
-	cloned_data.len = this->id_data.len;
-	return cloned_data;
-}
-
-/**
- * Implementation of id_payload_t.get_identification.
- */
-static identification_t *get_identification (private_id_payload_t *this)
-{
-	return identification_create_from_encoding(this->id_type,this->id_data);
-}
-
-/**
- * Implementation of payload_t.destroy and id_payload_t.destroy.
- */
-static void destroy(private_id_payload_t *this)
-{
-	if (this->id_data.ptr != NULL)
-	{
-		chunk_free(&(this->id_data));
-	}
+	free(this->id_data.ptr);
 	free(this);
 }
 
@@ -250,44 +183,41 @@ static void destroy(private_id_payload_t *this)
  */
 id_payload_t *id_payload_create(payload_type_t payload_type)
 {
-	private_id_payload_t *this = malloc_thing(private_id_payload_t);
-
-	/* interface functions */
-	this->public.payload_interface.verify = (status_t (*) (payload_t *))verify;
-	this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules;
-	this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length;
-	this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type;
-	this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
-	this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_payload_type;
-	this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
-
-	/* public functions */
-	this->public.destroy = (void (*) (id_payload_t *)) destroy;
-	this->public.set_id_type = (void (*) (id_payload_t *,id_type_t)) set_id_type;
-	this->public.get_id_type = (id_type_t (*) (id_payload_t *)) get_id_type;
-	this->public.set_data = (void (*) (id_payload_t *,chunk_t)) set_data;
-	this->public.get_data = (chunk_t (*) (id_payload_t *)) get_data;
-	this->public.get_data_clone = (chunk_t (*) (id_payload_t *)) get_data_clone;
-
-	this->public.get_identification = (identification_t * (*) (id_payload_t *this)) get_identification;
-
-	/* private variables */
-	this->critical = FALSE;
-	this->next_payload = NO_PAYLOAD;
-	this->payload_length =ID_PAYLOAD_HEADER_LENGTH;
-	this->id_data = chunk_empty;
-	this->payload_type = payload_type;
-
-	return (&(this->public));
+	private_id_payload_t *this;
+
+	INIT(this,
+		.public = {
+			.payload_interface = {
+				.verify = _verify,
+				.get_encoding_rules = _get_encoding_rules,
+				.get_length = _get_length,
+				.get_next_type = _get_next_type,
+				.set_next_type = _set_next_type,
+				.get_type = _get_type,
+				.destroy = _destroy,
+			},
+			.get_identification = _get_identification,
+			.destroy = _destroy,
+		},
+		.next_payload = NO_PAYLOAD,
+		.payload_length = ID_PAYLOAD_HEADER_LENGTH,
+		.payload_type = payload_type,
+	);
+	return &this->public;
 }
 
 /*
  * Described in header.
  */
-id_payload_t *id_payload_create_from_identification(payload_type_t payload_type, identification_t *identification)
+id_payload_t *id_payload_create_from_identification(payload_type_t payload_type,
+													identification_t *id)
 {
-	id_payload_t *this= id_payload_create(payload_type);
-	this->set_data(this,identification->get_encoding(identification));
-	this->set_id_type(this,identification->get_type(identification));
-	return this;
+	private_id_payload_t *this;
+
+	this = (private_id_payload_t*)id_payload_create(payload_type);
+	this->id_data = chunk_clone(id->get_encoding(id));
+	this->id_type = id->get_type(id);
+	this->payload_length += this->id_data.len;
+
+	return &this->public;
 }
diff --git a/src/libcharon/encoding/payloads/id_payload.h b/src/libcharon/encoding/payloads/id_payload.h
index 5502dc961..99831f85f 100644
--- a/src/libcharon/encoding/payloads/id_payload.h
+++ b/src/libcharon/encoding/payloads/id_payload.h
@@ -40,57 +40,15 @@ typedef struct id_payload_t id_payload_t;
  * The ID payload format is described in RFC section 3.5.
  */
 struct id_payload_t {
+
 	/**
 	 * The payload_t interface.
 	 */
 	payload_t payload_interface;
 
-	/**
-	 * Set the ID type.
-	 *
-	 * @param type			Type of ID
-	 */
-	void (*set_id_type) (id_payload_t *this, id_type_t type);
-
-	/**
-	 * Get the ID type.
-	 *
-	 * @return				type of the ID
-	 */
-	id_type_t (*get_id_type) (id_payload_t *this);
-
-	/**
-	 * Set the ID data.
-	 *
-	 * Data are getting cloned.
-	 *
-	 * @param data			ID data as chunk_t
-	 */
-	void (*set_data) (id_payload_t *this, chunk_t data);
-
-	/**
-	 * Get the ID data.
-	 *
-	 * Returned data are a copy of the internal one
-	 *
-	 * @return				ID data as chunk_t
-	 */
-	chunk_t (*get_data_clone) (id_payload_t *this);
-
-	/**
-	 * Get the ID data.
-	 *
-	 * Returned data are NOT copied.
-	 *
-	 * @return				ID data as chunk_t
-	 */
-	chunk_t (*get_data) (id_payload_t *this);
-
 	/**
 	 * Creates an identification object of this id payload.
 	 *
-	 * Returned object has to get destroyed by the caller.
-	 *
 	 * @return				identification_t object
 	 */
 	identification_t *(*get_identification) (id_payload_t *this);
diff --git a/src/libcharon/encoding/payloads/ike_header.c b/src/libcharon/encoding/payloads/ike_header.c
index 735f01304..80dcee0cb 100644
--- a/src/libcharon/encoding/payloads/ike_header.c
+++ b/src/libcharon/encoding/payloads/ike_header.c
@@ -83,6 +83,11 @@ struct private_ike_header_t {
 		bool response;
 	} flags;
 
+	/**
+	 * Reserved bits of IKE header
+	 */
+	bool reserved[5];
+
 	/**
 	 * Associated Message-ID.
 	 */
@@ -119,30 +124,30 @@ encoding_rule_t ike_header_encodings[] = {
 	/* 8 Byte SPI, stored in the field initiator_spi */
 	{ IKE_SPI,		offsetof(private_ike_header_t, initiator_spi)	},
 	/* 8 Byte SPI, stored in the field responder_spi */
-	{ IKE_SPI,		offsetof(private_ike_header_t, responder_spi) 	},
+	{ IKE_SPI,		offsetof(private_ike_header_t, responder_spi)	},
 	/* 1 Byte next payload type, stored in the field next_payload */
-	{ U_INT_8,		offsetof(private_ike_header_t, next_payload) 	},
+	{ U_INT_8,		offsetof(private_ike_header_t, next_payload)	},
 	/* 4 Bit major version, stored in the field maj_version */
-	{ U_INT_4,		offsetof(private_ike_header_t, maj_version) 	},
+	{ U_INT_4,		offsetof(private_ike_header_t, maj_version)		},
 	/* 4 Bit minor version, stored in the field min_version */
-	{ U_INT_4,		offsetof(private_ike_header_t, min_version) 	},
+	{ U_INT_4,		offsetof(private_ike_header_t, min_version)		},
 	/* 8 Bit for the exchange type */
-	{ U_INT_8,		offsetof(private_ike_header_t, exchange_type) 	},
-	/* 2 Bit reserved bits, nowhere stored */
-	{ RESERVED_BIT,	0 										},
-	{ RESERVED_BIT,	0 										},
+	{ U_INT_8,		offsetof(private_ike_header_t, exchange_type)	},
+	/* 2 Bit reserved bits */
+	{ RESERVED_BIT,	offsetof(private_ike_header_t, reserved[0])		},
+	{ RESERVED_BIT,	offsetof(private_ike_header_t, reserved[1])		},
 	/* 3 Bit flags, stored in the fields response, version and initiator */
-	{ FLAG,			offsetof(private_ike_header_t, flags.response) 	},
-	{ FLAG,			offsetof(private_ike_header_t, flags.version) 	},
-	{ FLAG,			offsetof(private_ike_header_t, flags.initiator) },
-	/* 3 Bit reserved bits, nowhere stored */
-	{ RESERVED_BIT,	0 										},
-	{ RESERVED_BIT,	0 										},
-	{ RESERVED_BIT,	0 										},
+	{ FLAG,			offsetof(private_ike_header_t, flags.response)	},
+	{ FLAG,			offsetof(private_ike_header_t, flags.version)	},
+	{ FLAG,			offsetof(private_ike_header_t, flags.initiator)	},
+	/* 3 Bit reserved bits */
+	{ RESERVED_BIT,	offsetof(private_ike_header_t, reserved[2])		},
+	{ RESERVED_BIT,	offsetof(private_ike_header_t, reserved[3])		},
+	{ RESERVED_BIT,	offsetof(private_ike_header_t, reserved[4])		},
 	/* 4 Byte message id, stored in the field message_id */
-	{ U_INT_32,		offsetof(private_ike_header_t, message_id) 		},
+	{ U_INT_32,		offsetof(private_ike_header_t, message_id)		},
 	/* 4 Byte length fied, stored in the field length */
-	{ HEADER_LENGTH,	offsetof(private_ike_header_t, length) 			}
+	{ HEADER_LENGTH,offsetof(private_ike_header_t, length)			},
 };
 
 
@@ -163,11 +168,8 @@ encoding_rule_t ike_header_encodings[] = {
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 */
 
-
-/**
- * Implementation of payload_t.verify.
- */
-static status_t verify(private_ike_header_t *this)
+METHOD(payload_t, verify, status_t,
+	private_ike_header_t *this)
 {
 	if ((this->exchange_type < IKE_SA_INIT) ||
 		((this->exchange_type > INFORMATIONAL)
@@ -179,7 +181,6 @@ static status_t verify(private_ike_header_t *this)
 		/* unsupported exchange type */
 		return FAILED;
 	}
-
 	if (this->initiator_spi == 0
 #ifdef ME
 		/* we allow zero spi for INFORMATIONAL exchanges,
@@ -191,225 +192,201 @@ static status_t verify(private_ike_header_t *this)
 		/* initiator spi not set */
 		return FAILED;
 	}
+	return SUCCESS;
+}
 
-	/* verification of version is not done in here */
+METHOD(payload_t, get_encoding_rules, void,
+	private_ike_header_t *this, encoding_rule_t **rules, size_t *rule_count)
+{
+	*rules = ike_header_encodings;
+	*rule_count = sizeof(ike_header_encodings) / sizeof(encoding_rule_t);
+}
 
-	return SUCCESS;
+METHOD(payload_t, get_type, payload_type_t,
+	private_ike_header_t *this)
+{
+	return HEADER;
 }
 
-/**
- * Implementation of payload_t.set_next_type.
- */
-static void set_next_type(payload_t *this,payload_type_t type)
+METHOD(payload_t, get_next_type, payload_type_t,
+	private_ike_header_t *this)
 {
-	((private_ike_header_t *)this)->next_payload = type;
+	return this->next_payload;
 }
-/**
- * Implementation of ike_header_t.get_initiator_spi.
- */
-static u_int64_t get_initiator_spi(private_ike_header_t *this)
+
+METHOD(payload_t, set_next_type, void,
+	private_ike_header_t *this, payload_type_t type)
+{
+	this->next_payload = type;
+}
+
+METHOD(payload_t, get_length, size_t,
+	private_ike_header_t *this)
+{
+	return this->length;
+}
+
+METHOD(ike_header_t, get_initiator_spi, u_int64_t,
+	private_ike_header_t *this)
 {
 	return this->initiator_spi;
 }
 
-/**
- * Implementation of ike_header_t.set_initiator_spi.
- */
-static void set_initiator_spi(private_ike_header_t *this, u_int64_t initiator_spi)
+METHOD(ike_header_t, set_initiator_spi, void,
+	private_ike_header_t *this, u_int64_t initiator_spi)
 {
 	this->initiator_spi = initiator_spi;
 }
 
-/**
- * Implementation of ike_header_t.get_responder_spi.
- */
-static u_int64_t get_responder_spi(private_ike_header_t *this)
+METHOD(ike_header_t, get_responder_spi, u_int64_t,
+	private_ike_header_t *this)
 {
 	return this->responder_spi;
 }
 
-/**
- * Implementation of ike_header_t.set_responder_spi.
- */
-static void set_responder_spi(private_ike_header_t *this, u_int64_t responder_spi)
+METHOD(ike_header_t, set_responder_spi, void,
+	private_ike_header_t *this, u_int64_t responder_spi)
 {
 	this->responder_spi = responder_spi;
 }
 
-/**
- * Implementation of ike_header_t.get_maj_version.
- */
-static u_int8_t get_maj_version(private_ike_header_t *this)
+METHOD(ike_header_t, get_maj_version, u_int8_t,
+	private_ike_header_t *this)
 {
 	return this->maj_version;
 }
 
-/**
- * Implementation of ike_header_t.get_min_version.
- */
-static u_int8_t get_min_version(private_ike_header_t *this)
+METHOD(ike_header_t, set_maj_version, void,
+	private_ike_header_t *this, u_int8_t major)
+{
+	this->maj_version = major;
+}
+
+METHOD(ike_header_t, get_min_version, u_int8_t,
+	private_ike_header_t *this)
 {
 	return this->min_version;
 }
 
-/**
- * Implementation of ike_header_t.get_response_flag.
- */
-static bool get_response_flag(private_ike_header_t *this)
+METHOD(ike_header_t, set_min_version, void,
+	private_ike_header_t *this, u_int8_t minor)
+{
+	this->min_version = minor;
+}
+
+METHOD(ike_header_t, get_response_flag, bool,
+	private_ike_header_t *this)
 {
 	return this->flags.response;
 }
 
-/**
- * Implementation of ike_header_t.set_response_flag.
- */
-static void set_response_flag(private_ike_header_t *this, bool response)
+METHOD(ike_header_t, set_response_flag, void,
+	private_ike_header_t *this, bool response)
 {
 	this->flags.response = response;
 }
 
-/**
- * Implementation of ike_header_t.get_version_flag.
- */
-static bool get_version_flag(private_ike_header_t *this)
+METHOD(ike_header_t, get_version_flag, bool,
+	private_ike_header_t *this)
 {
 	return this->flags.version;
 }
 
-/**
- * Implementation of ike_header_t.get_initiator_flag.
- */
-static bool get_initiator_flag(private_ike_header_t *this)
+METHOD(ike_header_t, set_version_flag, void,
+	private_ike_header_t *this, bool version)
+{
+	this->flags.version = version;
+}
+
+METHOD(ike_header_t, get_initiator_flag, bool,
+	private_ike_header_t *this)
 {
 	return this->flags.initiator;
 }
 
-/**
- * Implementation of ike_header_t.set_initiator_flag.
- */
-static void set_initiator_flag(private_ike_header_t *this, bool initiator)
+METHOD(ike_header_t, set_initiator_flag, void,
+	private_ike_header_t *this, bool initiator)
 {
 	this->flags.initiator = initiator;
 }
 
-/**
- * Implementation of ike_header_t.get_exchange_type.
- */
-static u_int8_t get_exchange_type(private_ike_header_t *this)
+METHOD(ike_header_t, get_exchange_type, u_int8_t,
+	private_ike_header_t *this)
 {
 	return this->exchange_type;
 }
 
-/**
- * Implementation of ike_header_t.set_exchange_type.
- */
-static void set_exchange_type(private_ike_header_t *this, u_int8_t exchange_type)
+METHOD(ike_header_t, set_exchange_type, void,
+	private_ike_header_t *this, u_int8_t exchange_type)
 {
 	this->exchange_type = exchange_type;
 }
 
-/**
- * Implements ike_header_t's get_message_id function.
- * See #ike_header_t.get_message_id  for description.
- */
-static u_int32_t get_message_id(private_ike_header_t *this)
+METHOD(ike_header_t, get_message_id, u_int32_t,
+	private_ike_header_t *this)
 {
 	return this->message_id;
 }
 
-/**
- * Implementation of ike_header_t.set_message_id.
- */
-static void set_message_id(private_ike_header_t *this, u_int32_t message_id)
+METHOD(ike_header_t, set_message_id, void,
+	private_ike_header_t *this, u_int32_t message_id)
 {
 	this->message_id = message_id;
 }
 
-/**
- * Implementation of ike_header_t.destroy and payload_t.destroy.
- */
-static void destroy(ike_header_t *this)
+METHOD2(payload_t, ike_header_t, destroy, void,
+	private_ike_header_t *this)
 {
 	free(this);
 }
 
-/**
- * Implementation of payload_t.get_encoding_rules.
- */
-static void get_encoding_rules(payload_t *this, encoding_rule_t **rules, size_t *rule_count)
-{
-	*rules = ike_header_encodings;
-	*rule_count = sizeof(ike_header_encodings) / sizeof(encoding_rule_t);
-}
-
-/**
- * Implementation of payload_t.get_type.
- */
-static payload_type_t get_type(payload_t *this)
-{
-	return HEADER;
-}
-
-/**
- * Implementation of payload_t.get_next_type.
- */
-static payload_type_t get_next_type(payload_t *this)
-{
-	return (((private_ike_header_t*)this)->next_payload);
-}
-
-/**
- * Implementation of payload_t.get_length.
- */
-static size_t get_length(payload_t *this)
-{
-	return (((private_ike_header_t*)this)->length);
-}
-
 /*
  * Described in header.
  */
 ike_header_t *ike_header_create()
 {
-	private_ike_header_t *this = malloc_thing(private_ike_header_t);
-
-	this->public.payload_interface.verify = (status_t (*) (payload_t *))verify;
-	this->public.payload_interface.get_encoding_rules = get_encoding_rules;
-	this->public.payload_interface.get_length = get_length;
-	this->public.payload_interface.get_next_type = get_next_type;
-	this->public.payload_interface.set_next_type = set_next_type;
-	this->public.payload_interface.get_type = get_type;
-	this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
-	this->public.destroy = destroy;
-
-	this->public.get_initiator_spi = (u_int64_t (*) (ike_header_t*))get_initiator_spi;
-	this->public.set_initiator_spi = (void (*) (ike_header_t*,u_int64_t))set_initiator_spi;
-	this->public.get_responder_spi = (u_int64_t (*) (ike_header_t*))get_responder_spi;
-	this->public.set_responder_spi = (void (*) (ike_header_t *,u_int64_t))set_responder_spi;
-	this->public.get_maj_version = (u_int8_t (*) (ike_header_t*))get_maj_version;
-	this->public.get_min_version = (u_int8_t (*) (ike_header_t*))get_min_version;
-	this->public.get_response_flag = (bool (*) (ike_header_t*))get_response_flag;
-	this->public.set_response_flag = (void (*) (ike_header_t*,bool))set_response_flag;
-	this->public.get_version_flag = (bool (*) (ike_header_t*))get_version_flag;
-	this->public.get_initiator_flag = (bool (*) (ike_header_t*))get_initiator_flag;
-	this->public.set_initiator_flag = (void (*) (ike_header_t*,bool))set_initiator_flag;
-	this->public.get_exchange_type = (u_int8_t (*) (ike_header_t*))get_exchange_type;
-	this->public.set_exchange_type = (void (*) (ike_header_t*,u_int8_t))set_exchange_type;
-	this->public.get_message_id = (u_int32_t (*) (ike_header_t*))get_message_id;
-	this->public.set_message_id = (void (*) (ike_header_t*,u_int32_t))set_message_id;
-
-	/* set default values of the fields */
-	this->initiator_spi = 0;
-	this->responder_spi = 0;
-	this->next_payload = 0;
-	this->maj_version = IKE_MAJOR_VERSION;
-	this->min_version = IKE_MINOR_VERSION;
-	this->exchange_type = EXCHANGE_TYPE_UNDEFINED;
-	this->flags.initiator = TRUE;
-	this->flags.version = HIGHER_VERSION_SUPPORTED_FLAG;
-	this->flags.response = FALSE;
-	this->message_id = 0;
-	this->length = IKE_HEADER_LENGTH;
-
-	return (ike_header_t*)this;
+	private_ike_header_t *this;
+
+	INIT(this,
+		.public = {
+			.payload_interface = {
+				.verify = _verify,
+				.get_encoding_rules = _get_encoding_rules,
+				.get_length = _get_length,
+				.get_next_type = _get_next_type,
+				.set_next_type = _set_next_type,
+				.get_type = _get_type,
+				.destroy = _destroy,
+			},
+			.get_initiator_spi = _get_initiator_spi,
+			.set_initiator_spi = _set_initiator_spi,
+			.get_responder_spi = _get_responder_spi,
+			.set_responder_spi = _set_responder_spi,
+			.get_maj_version = _get_maj_version,
+			.set_maj_version = _set_maj_version,
+			.get_min_version = _get_min_version,
+			.set_min_version = _set_min_version,
+			.get_response_flag = _get_response_flag,
+			.set_response_flag = _set_response_flag,
+			.get_version_flag = _get_version_flag,
+			.set_version_flag = _set_version_flag,
+			.get_initiator_flag = _get_initiator_flag,
+			.set_initiator_flag = _set_initiator_flag,
+			.get_exchange_type = _get_exchange_type,
+			.set_exchange_type = _set_exchange_type,
+			.get_message_id = _get_message_id,
+			.set_message_id = _set_message_id,
+			.destroy = _destroy,
+		},
+		.maj_version = IKE_MAJOR_VERSION,
+		.min_version = IKE_MINOR_VERSION,
+		.exchange_type = EXCHANGE_TYPE_UNDEFINED,
+		.flags = {
+			.initiator = TRUE,
+			.version = HIGHER_VERSION_SUPPORTED_FLAG,
+		},
+		.length = IKE_HEADER_LENGTH,
+	);
+
+	return &this->public;
 }
diff --git a/src/libcharon/encoding/payloads/ike_header.h b/src/libcharon/encoding/payloads/ike_header.h
index e63e8bf06..f52c852c5 100644
--- a/src/libcharon/encoding/payloads/ike_header.h
+++ b/src/libcharon/encoding/payloads/ike_header.h
@@ -142,6 +142,13 @@ struct ike_header_t {
 	 */
 	u_int8_t (*get_maj_version) (ike_header_t *this);
 
+	/**
+	 * Set the major version.
+	 *
+	 * @param major			major version
+	 */
+	void (*set_maj_version) (ike_header_t *this, u_int8_t major);
+
 	/**
 	 * Get the minor version.
 	 *
@@ -149,6 +156,13 @@ struct ike_header_t {
 	 */
 	u_int8_t (*get_min_version) (ike_header_t *this);
 
+	/**
+	 * Set the minor version.
+	 *
+	 * @param minor			minor version
+	 */
+	void (*set_min_version) (ike_header_t *this, u_int8_t minor);
+
 	/**
 	 * Get the response flag.
 	 *
@@ -162,6 +176,7 @@ struct ike_header_t {
 	 * @param response		response flag
 	 */
 	void (*set_response_flag) (ike_header_t *this, bool response);
+
 	/**
 	 * Get "higher version supported"-flag.
 	 *
@@ -169,6 +184,13 @@ struct ike_header_t {
 	 */
 	bool (*get_version_flag) (ike_header_t *this);
 
+	/**
+	 * Set the "higher version supported"-flag.
+	 *
+	 * @param version		flag value
+	 */
+	void (*set_version_flag)(ike_header_t *this, bool version);
+
 	/**
 	 * Get the initiator flag.
 	 *
diff --git a/src/libcharon/encoding/payloads/ke_payload.c b/src/libcharon/encoding/payloads/ke_payload.c
index 1bc79f084..999d73192 100644
--- a/src/libcharon/encoding/payloads/ke_payload.c
+++ b/src/libcharon/encoding/payloads/ke_payload.c
@@ -1,5 +1,6 @@
 /*
- * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005-2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
  *
@@ -20,14 +21,13 @@
 
 #include <encoding/payloads/encodings.h>
 
-
 typedef struct private_ke_payload_t private_ke_payload_t;
 
 /**
  * Private data of an ke_payload_t object.
- *
  */
 struct private_ke_payload_t {
+
 	/**
 	 * Public ke_payload_t interface.
 	 */
@@ -43,6 +43,16 @@ struct private_ke_payload_t {
 	 */
 	bool critical;
 
+	/**
+	 * Reserved bits
+	 */
+	bool reserved_bit[7];
+
+	/**
+	 * Reserved bytes
+	 */
+	u_int8_t reserved_byte[2];
+
 	/**
 	 * Length of this payload.
 	 */
@@ -64,27 +74,27 @@ struct private_ke_payload_t {
  *
  * The defined offsets are the positions in a object of type
  * private_ke_payload_t.
- *
  */
 encoding_rule_t ke_payload_encodings[] = {
 	/* 1 Byte next payload type, stored in the field next_payload */
-	{ U_INT_8,			offsetof(private_ke_payload_t, next_payload) 		},
+	{ U_INT_8,				offsetof(private_ke_payload_t, next_payload)	},
 	/* the critical bit */
-	{ FLAG,				offsetof(private_ke_payload_t, critical) 			},
-	/* 7 Bit reserved bits, nowhere stored */
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
+	{ FLAG,					offsetof(private_ke_payload_t, critical)		},
+	/* 7 Bit reserved bits */
+	{ RESERVED_BIT,			offsetof(private_ke_payload_t, reserved_bit[0])	},
+	{ RESERVED_BIT,			offsetof(private_ke_payload_t, reserved_bit[1])	},
+	{ RESERVED_BIT,			offsetof(private_ke_payload_t, reserved_bit[2])	},
+	{ RESERVED_BIT,			offsetof(private_ke_payload_t, reserved_bit[3])	},
+	{ RESERVED_BIT,			offsetof(private_ke_payload_t, reserved_bit[4])	},
+	{ RESERVED_BIT,			offsetof(private_ke_payload_t, reserved_bit[5])	},
+	{ RESERVED_BIT,			offsetof(private_ke_payload_t, reserved_bit[6])	},
 	/* Length of the whole payload*/
-	{ PAYLOAD_LENGTH,	offsetof(private_ke_payload_t, payload_length) 		},
+	{ PAYLOAD_LENGTH,		offsetof(private_ke_payload_t, payload_length)	},
 	/* DH Group number as 16 bit field*/
-	{ U_INT_16,			offsetof(private_ke_payload_t, dh_group_number) 	},
-	{ RESERVED_BYTE,	0 													},
-	{ RESERVED_BYTE,	0 													},
+	{ U_INT_16,				offsetof(private_ke_payload_t, dh_group_number)	},
+	/* 2 reserved bytes */
+	{ RESERVED_BYTE,		offsetof(private_ke_payload_t, reserved_byte[0])},
+	{ RESERVED_BYTE,		offsetof(private_ke_payload_t, reserved_byte[1])},
 	/* Key Exchange Data is from variable size */
 	{ KEY_EXCHANGE_DATA,	offsetof(private_ke_payload_t, key_exchange_data)}
 };
@@ -103,123 +113,60 @@ encoding_rule_t ke_payload_encodings[] = {
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 */
 
-/**
- * Implementation of payload_t.verify.
- */
-static status_t verify(private_ke_payload_t *this)
+METHOD(payload_t, verify, status_t,
+	private_ke_payload_t *this)
 {
-	/* dh group is not verified in here */
 	return SUCCESS;
 }
 
-/**
- * Implementation of payload_t.destroy.
- */
-static void destroy(private_ke_payload_t *this)
-{
-	if (this->key_exchange_data.ptr != NULL)
-	{
-		free(this->key_exchange_data.ptr);
-	}
-	free(this);
-}
-
-/**
- * Implementation of payload_t.get_encoding_rules.
- */
-static void get_encoding_rules(private_ke_payload_t *this, encoding_rule_t **rules, size_t *rule_count)
+METHOD(payload_t, get_encoding_rules, void,
+	private_ke_payload_t *this, encoding_rule_t **rules, size_t *rule_count)
 {
 	*rules = ke_payload_encodings;
-	*rule_count = sizeof(ke_payload_encodings) / sizeof(encoding_rule_t);
+	*rule_count = countof(ke_payload_encodings);
 }
 
-/**
- * Implementation of payload_t.get_type.
- */
-static payload_type_t get_type(private_ke_payload_t *this)
+METHOD(payload_t, get_type, payload_type_t,
+	private_ke_payload_t *this)
 {
 	return KEY_EXCHANGE;
 }
 
-/**
- * Implementation of payload_t.get_next_type.
- */
-static payload_type_t get_next_type(private_ke_payload_t *this)
+METHOD(payload_t, get_next_type, payload_type_t,
+	private_ke_payload_t *this)
 {
-	return (this->next_payload);
+	return this->next_payload;
 }
 
-/**
- * Implementation of payload_t.set_next_type.
- */
-static void set_next_type(private_ke_payload_t *this,payload_type_t type)
+METHOD(payload_t, set_next_type, void,
+	private_ke_payload_t *this,payload_type_t type)
 {
 	this->next_payload = type;
 }
 
-/**
- * recompute the length of the payload.
- */
-static void compute_length(private_ke_payload_t *this)
-{
-	size_t length = KE_PAYLOAD_HEADER_LENGTH;
-	if (this->key_exchange_data.ptr != NULL)
-	{
-		length += this->key_exchange_data.len;
-	}
-	this->payload_length = length;
-}
-
-/**
- * Implementation of payload_t.get_length.
- */
-static size_t get_length(private_ke_payload_t *this)
+METHOD(payload_t, get_length, size_t,
+	private_ke_payload_t *this)
 {
-	compute_length(this);
 	return this->payload_length;
 }
 
-/**
- * Implementation of ke_payload_t.get_key_exchange_data.
- */
-static chunk_t get_key_exchange_data(private_ke_payload_t *this)
+METHOD(ke_payload_t, get_key_exchange_data, chunk_t,
+	private_ke_payload_t *this)
 {
-	return (this->key_exchange_data);
+	return this->key_exchange_data;
 }
 
-/**
- * Implementation of ke_payload_t.set_key_exchange_data.
- */
-static void set_key_exchange_data(private_ke_payload_t *this, chunk_t key_exchange_data)
-{
-	/* destroy existing data first */
-	if (this->key_exchange_data.ptr != NULL)
-	{
-		/* free existing value */
-		free(this->key_exchange_data.ptr);
-		this->key_exchange_data.ptr = NULL;
-		this->key_exchange_data.len = 0;
-
-	}
-
-	this->key_exchange_data = chunk_clone(key_exchange_data);
-	compute_length(this);
-}
-
-/**
- * Implementation of ke_payload_t.get_dh_group_number.
- */
-static diffie_hellman_group_t get_dh_group_number(private_ke_payload_t *this)
+METHOD(ke_payload_t, get_dh_group_number, diffie_hellman_group_t,
+	private_ke_payload_t *this)
 {
 	return this->dh_group_number;
 }
 
-/**
- * Implementation of ke_payload_t.set_dh_group_number.
- */
-static void set_dh_group_number(private_ke_payload_t *this, diffie_hellman_group_t dh_group_number)
+METHOD2(payload_t, ke_payload_t, destroy, void,
+	private_ke_payload_t *this)
 {
-	this->dh_group_number = dh_group_number;
+	free(this->key_exchange_data.ptr);
+	free(this);
 }
 
 /*
@@ -227,31 +174,27 @@ static void set_dh_group_number(private_ke_payload_t *this, diffie_hellman_group
  */
 ke_payload_t *ke_payload_create()
 {
-	private_ke_payload_t *this = malloc_thing(private_ke_payload_t);
-
-	/* interface functions */
-	this->public.payload_interface.verify = (status_t (*) (payload_t *))verify;
-	this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules;
-	this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length;
-	this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type;
-	this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
-	this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_type;
-	this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
-
-	/* public functions */
-	this->public.get_key_exchange_data = (chunk_t (*) (ke_payload_t *)) get_key_exchange_data;
-	this->public.set_key_exchange_data = (void (*) (ke_payload_t *,chunk_t)) set_key_exchange_data;
-	this->public.get_dh_group_number = (diffie_hellman_group_t (*) (ke_payload_t *)) get_dh_group_number;
-	this->public.set_dh_group_number =(void (*) (ke_payload_t *,diffie_hellman_group_t)) set_dh_group_number;
-	this->public.destroy = (void (*) (ke_payload_t *)) destroy;
-
-	/* set default values of the fields */
-	this->critical = FALSE;
-	this->next_payload = NO_PAYLOAD;
-	this->payload_length = KE_PAYLOAD_HEADER_LENGTH;
-	this->key_exchange_data = chunk_empty;
-	this->dh_group_number = MODP_NONE;
-
+	private_ke_payload_t *this;
+
+	INIT(this,
+		.public = {
+			.payload_interface = {
+				.verify = _verify,
+				.get_encoding_rules = _get_encoding_rules,
+				.get_length = _get_length,
+				.get_next_type = _get_next_type,
+				.set_next_type = _set_next_type,
+				.get_type = _get_type,
+				.destroy = _destroy,
+			},
+			.get_key_exchange_data = _get_key_exchange_data,
+			.get_dh_group_number = _get_dh_group_number,
+			.destroy = _destroy,
+		},
+		.next_payload = NO_PAYLOAD,
+		.payload_length = KE_PAYLOAD_HEADER_LENGTH,
+		.dh_group_number = MODP_NONE,
+	);
 	return &this->public;
 }
 
@@ -264,7 +207,7 @@ ke_payload_t *ke_payload_create_from_diffie_hellman(diffie_hellman_t *dh)
 
 	dh->get_my_public_value(dh, &this->key_exchange_data);
 	this->dh_group_number = dh->get_dh_group(dh);
-	compute_length(this);
+	this->payload_length = this->key_exchange_data.len + KE_PAYLOAD_HEADER_LENGTH;
 
 	return &this->public;
 }
diff --git a/src/libcharon/encoding/payloads/ke_payload.h b/src/libcharon/encoding/payloads/ke_payload.h
index 3ca05009e..65cc11883 100644
--- a/src/libcharon/encoding/payloads/ke_payload.h
+++ b/src/libcharon/encoding/payloads/ke_payload.h
@@ -47,23 +47,12 @@ struct ke_payload_t {
 	payload_t payload_interface;
 
 	/**
-	 * Returns the currently set key exchange data of this KE payload.
+	 * Returns the key exchange data of this KE payload.
 	 *
-	 * @warning Returned data are not copied.
-	 *
-	 * @return 		chunk_t pointing to the value
+	 * @return 		chunk_t pointing to internal data
 	 */
 	chunk_t (*get_key_exchange_data) (ke_payload_t *this);
 
-	/**
-	 * Sets the key exchange data of this KE payload.
-	 *
-	 * Value is getting copied.
-	 *
-	 * @param key_exchange_data chunk_t pointing to the value to set
-	 */
-	void (*set_key_exchange_data) (ke_payload_t *this, chunk_t key_exchange_data);
-
 	/**
 	 * Gets the Diffie-Hellman Group Number of this KE payload.
 	 *
@@ -71,14 +60,6 @@ struct ke_payload_t {
 	 */
 	diffie_hellman_group_t (*get_dh_group_number) (ke_payload_t *this);
 
-	/**
-	 * Sets the Diffie-Hellman Group Number of this KE payload.
-	 *
-	 * @param dh_group_number	DH Group to set
-	 */
-	void (*set_dh_group_number) (ke_payload_t *this,
-								 diffie_hellman_group_t dh_group_number);
-
 	/**
 	 * Destroys an ke_payload_t object.
 	 */
diff --git a/src/libcharon/encoding/payloads/nonce_payload.c b/src/libcharon/encoding/payloads/nonce_payload.c
index 4ad5ce9dd..78000b8c6 100644
--- a/src/libcharon/encoding/payloads/nonce_payload.c
+++ b/src/libcharon/encoding/payloads/nonce_payload.c
@@ -1,5 +1,6 @@
 /*
- * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005-2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
  *
@@ -14,21 +15,19 @@
  * for more details.
  */
 
-/* offsetof macro */
 #include <stddef.h>
 
 #include "nonce_payload.h"
 
 #include <encoding/payloads/encodings.h>
 
-
 typedef struct private_nonce_payload_t private_nonce_payload_t;
 
 /**
  * Private data of an nonce_payload_t object.
- *
  */
 struct private_nonce_payload_t {
+
 	/**
 	 * Public nonce_payload_t interface.
 	 */
@@ -44,6 +43,11 @@ struct private_nonce_payload_t {
 	 */
 	bool critical;
 
+	/**
+	 * Reserved bits
+	 */
+	bool reserved[7];
+
 	/**
 	 * Length of this payload.
 	 */
@@ -60,25 +64,24 @@ struct private_nonce_payload_t {
  *
  * The defined offsets are the positions in a object of type
  * private_nonce_payload_t.
- *
  */
 encoding_rule_t nonce_payload_encodings[] = {
 	/* 1 Byte next payload type, stored in the field next_payload */
-	{ U_INT_8,			offsetof(private_nonce_payload_t, next_payload) 	},
+	{ U_INT_8,			offsetof(private_nonce_payload_t, next_payload)		},
 	/* the critical bit */
-	{ FLAG,				offsetof(private_nonce_payload_t, critical) 		},
-	/* 7 Bit reserved bits, nowhere stored */
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
+	{ FLAG,				offsetof(private_nonce_payload_t, critical)			},
+	/* 7 Bit reserved bits */
+	{ RESERVED_BIT,		offsetof(private_nonce_payload_t, reserved[0])		},
+	{ RESERVED_BIT,		offsetof(private_nonce_payload_t, reserved[1])		},
+	{ RESERVED_BIT,		offsetof(private_nonce_payload_t, reserved[2])		},
+	{ RESERVED_BIT,		offsetof(private_nonce_payload_t, reserved[3])		},
+	{ RESERVED_BIT,		offsetof(private_nonce_payload_t, reserved[4])		},
+	{ RESERVED_BIT,		offsetof(private_nonce_payload_t, reserved[5])		},
+	{ RESERVED_BIT,		offsetof(private_nonce_payload_t, reserved[6])		},
 	/* Length of the whole nonce payload*/
-	{ PAYLOAD_LENGTH,	offsetof(private_nonce_payload_t, payload_length) 	},
+	{ PAYLOAD_LENGTH,	offsetof(private_nonce_payload_t, payload_length)	},
 	/* some nonce bytes, lenth is defined in PAYLOAD_LENGTH */
-	{ NONCE_DATA,			offsetof(private_nonce_payload_t, nonce) 		}
+	{ NONCE_DATA,		offsetof(private_nonce_payload_t, nonce)			},
 };
 
 /*                           1                   2                   3
@@ -92,102 +95,64 @@ encoding_rule_t nonce_payload_encodings[] = {
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 */
 
-/**
- * Implementation of payload_t.verify.
- */
-static status_t verify(private_nonce_payload_t *this)
+METHOD(payload_t, verify, status_t,
+	private_nonce_payload_t *this)
 {
-	if ((this->nonce.len < 16) || ((this->nonce.len > 256)))
+	if (this->nonce.len < 16 || this->nonce.len > 256)
 	{
-		/* nonce length is wrong */
 		return FAILED;
 	}
-
 	return SUCCESS;
 }
 
-/**
- * Implementation of nonce_payload_t.set_nonce.
- */
-static status_t set_nonce(private_nonce_payload_t *this, chunk_t nonce)
-{
-	this->nonce.ptr = clalloc(nonce.ptr, nonce.len);
-	this->nonce.len = nonce.len;
-	this->payload_length = NONCE_PAYLOAD_HEADER_LENGTH + nonce.len;
-	return SUCCESS;
-}
-
-/**
- * Implementation of nonce_payload_t.get_nonce.
- */
-static chunk_t get_nonce(private_nonce_payload_t *this)
-{
-	chunk_t nonce;
-	nonce.ptr = clalloc(this->nonce.ptr,this->nonce.len);
-	nonce.len = this->nonce.len;
-	return nonce;
-}
-
-/**
- * Implementation of nonce_payload_t.get_encoding_rules.
- */
-static void get_encoding_rules(private_nonce_payload_t *this, encoding_rule_t **rules, size_t *rule_count)
+METHOD(payload_t, get_encoding_rules, void,
+	private_nonce_payload_t *this, encoding_rule_t **rules, size_t *rule_count)
 {
 	*rules = nonce_payload_encodings;
-	*rule_count = sizeof(nonce_payload_encodings) / sizeof(encoding_rule_t);
+	*rule_count = countof(nonce_payload_encodings);
 }
 
-/**
- * Implementation of payload_t.get_type.
- */
-static payload_type_t get_type(private_nonce_payload_t *this)
+METHOD(payload_t, get_type, payload_type_t,
+	private_nonce_payload_t *this)
 {
 	return NONCE;
 }
 
-/**
- * Implementation of payload_t.get_next_type.
- */
-static payload_type_t get_next_type(private_nonce_payload_t *this)
+METHOD(payload_t, get_next_type, payload_type_t,
+	private_nonce_payload_t *this)
 {
-	return (this->next_payload);
+	return this->next_payload;
 }
 
-/**
- * Implementation of payload_t.set_next_type.
- */
-static void set_next_type(private_nonce_payload_t *this,payload_type_t type)
+METHOD(payload_t, set_next_type, void,
+	private_nonce_payload_t *this, payload_type_t type)
 {
 	this->next_payload = type;
 }
 
-/**
- * recompute the length of the payload.
- */
-static void compute_length(private_nonce_payload_t *this)
+METHOD(payload_t, get_length, size_t,
+	private_nonce_payload_t *this)
 {
-	this->payload_length = NONCE_PAYLOAD_HEADER_LENGTH + this->nonce.len;
+	return this->payload_length;
 }
 
-/**
- * Implementation of payload_t.get_length.
- */
-static size_t get_length(private_nonce_payload_t *this)
+METHOD(nonce_payload_t, set_nonce, void,
+	 private_nonce_payload_t *this, chunk_t nonce)
 {
-	compute_length(this);
-	return this->payload_length;
+	this->nonce = chunk_clone(nonce);
+	this->payload_length = NONCE_PAYLOAD_HEADER_LENGTH + nonce.len;
 }
 
-/**
- * Implementation of payload_t.destroy and nonce_payload_t.destroy.
- */
-static void destroy(private_nonce_payload_t *this)
+METHOD(nonce_payload_t, get_nonce, chunk_t,
+	private_nonce_payload_t *this)
 {
-	if (this->nonce.ptr != NULL)
-	{
-		free(this->nonce.ptr);
-	}
+	return chunk_clone(this->nonce);
+}
 
+METHOD2(payload_t, nonce_payload_t, destroy, void,
+	private_nonce_payload_t *this)
+{
+	free(this->nonce.ptr);
 	free(this);
 }
 
@@ -196,30 +161,25 @@ static void destroy(private_nonce_payload_t *this)
  */
 nonce_payload_t *nonce_payload_create()
 {
-	private_nonce_payload_t *this = malloc_thing(private_nonce_payload_t);
-
-	/* interface functions */
-	this->public.payload_interface.verify = (status_t (*) (payload_t *))verify;
-	this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules;
-	this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length;
-	this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type;
-	this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
-	this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_type;
-	this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
-
-	/* public functions */
-	this->public.destroy = (void (*) (nonce_payload_t *)) destroy;
-	this->public.set_nonce = (void (*) (nonce_payload_t *,chunk_t)) set_nonce;
-	this->public.get_nonce = (chunk_t (*) (nonce_payload_t *)) get_nonce;
-
-	/* private variables */
-	this->critical = FALSE;
-	this->next_payload = NO_PAYLOAD;
-	this->payload_length = NONCE_PAYLOAD_HEADER_LENGTH;
-	this->nonce.ptr = NULL;
-	this->nonce.len = 0;
-
-	return (&(this->public));
+	private_nonce_payload_t *this;
+
+	INIT(this,
+		.public = {
+			.payload_interface = {
+				.verify = _verify,
+				.get_encoding_rules = _get_encoding_rules,
+				.get_length = _get_length,
+				.get_next_type = _get_next_type,
+				.set_next_type = _set_next_type,
+				.get_type = _get_type,
+				.destroy = _destroy,
+			},
+			.set_nonce = _set_nonce,
+			.get_nonce = _get_nonce,
+			.destroy = _destroy,
+		},
+		.next_payload = NO_PAYLOAD,
+		.payload_length = NONCE_PAYLOAD_HEADER_LENGTH,
+	);
+	return &this->public;
 }
-
-
diff --git a/src/libcharon/encoding/payloads/notify_payload.c b/src/libcharon/encoding/payloads/notify_payload.c
index a56fd1869..77f15ec6d 100644
--- a/src/libcharon/encoding/payloads/notify_payload.c
+++ b/src/libcharon/encoding/payloads/notify_payload.c
@@ -1,7 +1,8 @@
 /*
+ * Copyright (C) 2005-2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
  * Copyright (C) 2006-2008 Tobias Brunner
  * Copyright (C) 2006 Daniel Roethlisberger
- * Copyright (C) 2005-2006 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
  *
@@ -186,9 +187,9 @@ typedef struct private_notify_payload_t private_notify_payload_t;
 
 /**
  * Private data of an notify_payload_t object.
- *
  */
 struct private_notify_payload_t {
+
 	/**
 	 * Public notify_payload_t interface.
 	 */
@@ -204,6 +205,11 @@ struct private_notify_payload_t {
 	 */
 	bool critical;
 
+	/**
+	 * reserved bits
+	 */
+	bool reserved[7];
+
 	/**
 	 * Length of this payload.
 	 */
@@ -240,7 +246,6 @@ struct private_notify_payload_t {
  *
  * The defined offsets are the positions in a object of type
  * private_notify_payload_t.
- *
  */
 encoding_rule_t notify_payload_encodings[] = {
 	/* 1 Byte next payload type, stored in the field next_payload */
@@ -248,13 +253,13 @@ encoding_rule_t notify_payload_encodings[] = {
 	/* the critical bit */
 	{ FLAG,				offsetof(private_notify_payload_t, critical)			},
 	/* 7 Bit reserved bits, nowhere stored */
-	{ RESERVED_BIT,	0														},
-	{ RESERVED_BIT,	0														},
-	{ RESERVED_BIT,	0														},
-	{ RESERVED_BIT,	0														},
-	{ RESERVED_BIT,	0														},
-	{ RESERVED_BIT,	0														},
-	{ RESERVED_BIT,	0														},
+	{ RESERVED_BIT,		offsetof(private_notify_payload_t, reserved[0])			},
+	{ RESERVED_BIT,		offsetof(private_notify_payload_t, reserved[1])			},
+	{ RESERVED_BIT,		offsetof(private_notify_payload_t, reserved[2])			},
+	{ RESERVED_BIT,		offsetof(private_notify_payload_t, reserved[3])			},
+	{ RESERVED_BIT,		offsetof(private_notify_payload_t, reserved[4])			},
+	{ RESERVED_BIT,		offsetof(private_notify_payload_t, reserved[5])			},
+	{ RESERVED_BIT,		offsetof(private_notify_payload_t, reserved[6])			},
 	/* Length of the whole payload*/
 	{ PAYLOAD_LENGTH,	offsetof(private_notify_payload_t, payload_length)		},
 	/* Protocol ID as 8 bit field*/
@@ -262,11 +267,11 @@ encoding_rule_t notify_payload_encodings[] = {
 	/* SPI Size as 8 bit field*/
 	{ SPI_SIZE,			offsetof(private_notify_payload_t, spi_size)			},
 	/* Notify message type as 16 bit field*/
-	{ U_INT_16,			offsetof(private_notify_payload_t, notify_type)	},
+	{ U_INT_16,			offsetof(private_notify_payload_t, notify_type)			},
 	/* SPI as variable length field*/
 	{ SPI,				offsetof(private_notify_payload_t, spi)					},
 	/* Key Exchange Data is from variable size */
-	{ NOTIFICATION_DATA,	offsetof(private_notify_payload_t, notification_data)	}
+	{ NOTIFICATION_DATA,offsetof(private_notify_payload_t, notification_data)	}
 };
 
 /*
@@ -287,10 +292,8 @@ encoding_rule_t notify_payload_encodings[] = {
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 */
 
-/**
- * Implementation of payload_t.verify.
- */
-static status_t verify(private_notify_payload_t *this)
+METHOD(payload_t, verify, status_t,
+	private_notify_payload_t *this)
 {
 	bool bad_length = FALSE;
 
@@ -404,35 +407,27 @@ static status_t verify(private_notify_payload_t *this)
 	return SUCCESS;
 }
 
-/**
- * Implementation of payload_t.get_encoding_rules.
- */
-static void get_encoding_rules(private_notify_payload_t *this, encoding_rule_t **rules, size_t *rule_count)
+METHOD(payload_t, get_encoding_rules, void,
+	private_notify_payload_t *this, encoding_rule_t **rules, size_t *rule_count)
 {
 	*rules = notify_payload_encodings;
-	*rule_count = sizeof(notify_payload_encodings) / sizeof(encoding_rule_t);
+	*rule_count = countof(notify_payload_encodings);
 }
 
-/**
- * Implementation of payload_t.get_type.
- */
-static payload_type_t get_type(private_notify_payload_t *this)
+METHOD(payload_t, get_type, payload_type_t,
+	private_notify_payload_t *this)
 {
 	return NOTIFY;
 }
 
-/**
- * Implementation of payload_t.get_next_type.
- */
-static payload_type_t get_next_type(private_notify_payload_t *this)
+METHOD(payload_t, get_next_type, payload_type_t,
+	private_notify_payload_t *this)
 {
-	return (this->next_payload);
+	return this->next_payload;
 }
 
-/**
- * Implementation of payload_t.set_next_type.
- */
-static void set_next_type(private_notify_payload_t *this,payload_type_t type)
+METHOD(payload_t, set_next_type, void,
+	private_notify_payload_t *this, payload_type_t type)
 {
 	this->next_payload = type;
 }
@@ -443,6 +438,7 @@ static void set_next_type(private_notify_payload_t *this,payload_type_t type)
 static void compute_length (private_notify_payload_t *this)
 {
 	size_t length = NOTIFY_PAYLOAD_HEADER_LENGTH;
+
 	if (this->notification_data.ptr != NULL)
 	{
 		length += this->notification_data.len;
@@ -454,51 +450,38 @@ static void compute_length (private_notify_payload_t *this)
 	this->payload_length = length;
 }
 
-/**
- * Implementation of payload_t.get_length.
- */
-static size_t get_length(private_notify_payload_t *this)
+METHOD(payload_t, get_length, size_t,
+	private_notify_payload_t *this)
 {
-	compute_length(this);
 	return this->payload_length;
 }
 
-/**
- * Implementation of notify_payload_t.get_protocol_id.
- */
-static u_int8_t get_protocol_id(private_notify_payload_t *this)
+METHOD(notify_payload_t, get_protocol_id, u_int8_t,
+	private_notify_payload_t *this)
 {
 	return this->protocol_id;
 }
 
-/**
- * Implementation of notify_payload_t.set_protocol_id.
- */
-static void set_protocol_id(private_notify_payload_t *this, u_int8_t protocol_id)
+METHOD(notify_payload_t, set_protocol_id, void,
+	private_notify_payload_t *this, u_int8_t protocol_id)
 {
 	this->protocol_id = protocol_id;
 }
 
-/**
- * Implementation of notify_payload_t.get_notify_type.
- */
-static notify_type_t get_notify_type(private_notify_payload_t *this)
+METHOD(notify_payload_t, get_notify_type, notify_type_t,
+	private_notify_payload_t *this)
 {
 	return this->notify_type;
 }
 
-/**
- * Implementation of notify_payload_t.set_notify_type.
- */
-static void set_notify_type(private_notify_payload_t *this, u_int16_t notify_type)
+METHOD(notify_payload_t, set_notify_type, void,
+	private_notify_payload_t *this, notify_type_t notify_type)
 {
 	this->notify_type = notify_type;
 }
 
-/**
- * Implementation of notify_payload_t.get_spi.
- */
-static u_int32_t get_spi(private_notify_payload_t *this)
+METHOD(notify_payload_t, get_spi, u_int32_t,
+	private_notify_payload_t *this)
 {
 	switch (this->protocol_id)
 	{
@@ -514,10 +497,8 @@ static u_int32_t get_spi(private_notify_payload_t *this)
 	return 0;
 }
 
-/**
- * Implementation of notify_payload_t.set_spi.
- */
-static void set_spi(private_notify_payload_t *this, u_int32_t spi)
+METHOD(notify_payload_t, set_spi, void,
+	private_notify_payload_t *this, u_int32_t spi)
 {
 	chunk_free(&this->spi);
 	switch (this->protocol_id)
@@ -534,37 +515,26 @@ static void set_spi(private_notify_payload_t *this, u_int32_t spi)
 	compute_length(this);
 }
 
-/**
- * Implementation of notify_payload_t.get_notification_data.
- */
-static chunk_t get_notification_data(private_notify_payload_t *this)
+METHOD(notify_payload_t, get_notification_data, chunk_t,
+	private_notify_payload_t *this)
 {
-	return (this->notification_data);
+	return this->notification_data;
 }
 
-/**
- * Implementation of notify_payload_t.set_notification_data.
- */
-static status_t set_notification_data(private_notify_payload_t *this, chunk_t notification_data)
+METHOD(notify_payload_t, set_notification_data, void,
+	private_notify_payload_t *this, chunk_t data)
 {
-	chunk_free(&this->notification_data);
-	if (notification_data.len > 0)
-	{
-		this->notification_data = chunk_clone(notification_data);
-	}
+	free(this->notification_data.ptr);
+	this->notification_data = chunk_clone(data);
 	compute_length(this);
-	return SUCCESS;
 }
 
-/**
- * Implementation of notify_payload_t.destroy and notify_payload_t.destroy.
- */
-static status_t destroy(private_notify_payload_t *this)
+METHOD2(payload_t, notify_payload_t, destroy, void,
+	private_notify_payload_t *this)
 {
-	chunk_free(&this->notification_data);
-	chunk_free(&this->spi);
+	free(this->notification_data.ptr);
+	free(this->spi.ptr);
 	free(this);
-	return SUCCESS;
 }
 
 /*
@@ -572,52 +542,45 @@ static status_t destroy(private_notify_payload_t *this)
  */
 notify_payload_t *notify_payload_create()
 {
-	private_notify_payload_t *this = malloc_thing(private_notify_payload_t);
-
-	/* interface functions */
-	this->public.payload_interface.verify = (status_t (*) (payload_t *))verify;
-	this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules;
-	this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length;
-	this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type;
-	this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
-	this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_type;
-	this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
-
-	/* public functions */
-	this->public.get_protocol_id = (u_int8_t (*) (notify_payload_t *)) get_protocol_id;
-	this->public.set_protocol_id  = (void (*) (notify_payload_t *,u_int8_t)) set_protocol_id;
-	this->public.get_notify_type = (notify_type_t (*) (notify_payload_t *)) get_notify_type;
-	this->public.set_notify_type = (void (*) (notify_payload_t *,notify_type_t)) set_notify_type;
-	this->public.get_spi = (u_int32_t (*) (notify_payload_t *)) get_spi;
-	this->public.set_spi = (void (*) (notify_payload_t *,u_int32_t)) set_spi;
-	this->public.get_notification_data = (chunk_t (*) (notify_payload_t *)) get_notification_data;
-	this->public.set_notification_data = (void (*) (notify_payload_t *,chunk_t)) set_notification_data;
-	this->public.destroy = (void (*) (notify_payload_t *)) destroy;
-
-	/* set default values of the fields */
-	this->critical = FALSE;
-	this->next_payload = NO_PAYLOAD;
-	this->payload_length = NOTIFY_PAYLOAD_HEADER_LENGTH;
-	this->protocol_id = 0;
-	this->notify_type = 0;
-	this->spi.ptr = NULL;
-	this->spi.len = 0;
-	this->spi_size = 0;
-	this->notification_data.ptr = NULL;
-	this->notification_data.len = 0;
-
+	private_notify_payload_t *this;
+
+	INIT(this,
+		.public = {
+			.payload_interface = {
+				.verify = _verify,
+				.get_encoding_rules = _get_encoding_rules,
+				.get_length = _get_length,
+				.get_next_type = _get_next_type,
+				.set_next_type = _set_next_type,
+				.get_type = _get_type,
+				.destroy = _destroy,
+			},
+			.get_protocol_id = _get_protocol_id,
+			.set_protocol_id  = _set_protocol_id,
+			.get_notify_type = _get_notify_type,
+			.set_notify_type = _set_notify_type,
+			.get_spi = _get_spi,
+			.set_spi = _set_spi,
+			.get_notification_data = _get_notification_data,
+			.set_notification_data = _set_notification_data,
+			.destroy = _destroy,
+		},
+		.next_payload = NO_PAYLOAD,
+		.payload_length = NOTIFY_PAYLOAD_HEADER_LENGTH,
+	);
 	return &this->public;
 }
 
 /*
  * Described in header.
  */
-notify_payload_t *notify_payload_create_from_protocol_and_type(protocol_id_t protocol_id, notify_type_t notify_type)
+notify_payload_t *notify_payload_create_from_protocol_and_type(
+						protocol_id_t protocol_id, notify_type_t notify_type)
 {
 	notify_payload_t *notify = notify_payload_create();
 
-	notify->set_notify_type(notify,notify_type);
-	notify->set_protocol_id(notify,protocol_id);
+	notify->set_notify_type(notify, notify_type);
+	notify->set_protocol_id(notify, protocol_id);
 
 	return notify;
 }
diff --git a/src/libcharon/encoding/payloads/payload.c b/src/libcharon/encoding/payloads/payload.c
index 1cee6d2aa..d1e677db7 100644
--- a/src/libcharon/encoding/payloads/payload.c
+++ b/src/libcharon/encoding/payloads/payload.c
@@ -59,25 +59,23 @@ ENUM_NEXT(payload_type_names, SECURITY_ASSOCIATION, EXTENSIBLE_AUTHENTICATION, N
 #ifdef ME
 ENUM_NEXT(payload_type_names, ID_PEER, ID_PEER, EXTENSIBLE_AUTHENTICATION,
 	"ID_PEER");
-ENUM_NEXT(payload_type_names, HEADER, UNKNOWN_PAYLOAD, ID_PEER,
+ENUM_NEXT(payload_type_names, HEADER, CONFIGURATION_ATTRIBUTE, ID_PEER,
 	"HEADER",
 	"PROPOSAL_SUBSTRUCTURE",
 	"TRANSFORM_SUBSTRUCTURE",
 	"TRANSFORM_ATTRIBUTE",
 	"TRAFFIC_SELECTOR_SUBSTRUCTURE",
-	"CONFIGURATION_ATTRIBUTE",
-	"UNKNOWN_PAYLOAD");
+	"CONFIGURATION_ATTRIBUTE");
 #else
-ENUM_NEXT(payload_type_names, HEADER, UNKNOWN_PAYLOAD, EXTENSIBLE_AUTHENTICATION,
+ENUM_NEXT(payload_type_names, HEADER, CONFIGURATION_ATTRIBUTE, EXTENSIBLE_AUTHENTICATION,
 	"HEADER",
 	"PROPOSAL_SUBSTRUCTURE",
 	"TRANSFORM_SUBSTRUCTURE",
 	"TRANSFORM_ATTRIBUTE",
 	"TRAFFIC_SELECTOR_SUBSTRUCTURE",
-	"CONFIGURATION_ATTRIBUTE",
-	"UNKNOWN_PAYLOAD");
+	"CONFIGURATION_ATTRIBUTE");
 #endif /* ME */
-ENUM_END(payload_type_names, UNKNOWN_PAYLOAD);
+ENUM_END(payload_type_names, CONFIGURATION_ATTRIBUTE);
 
 /* short forms of payload names */
 ENUM_BEGIN(payload_type_short_names, NO_PAYLOAD, NO_PAYLOAD,
@@ -102,25 +100,23 @@ ENUM_NEXT(payload_type_short_names, SECURITY_ASSOCIATION, EXTENSIBLE_AUTHENTICAT
 #ifdef ME
 ENUM_NEXT(payload_type_short_names, ID_PEER, ID_PEER, EXTENSIBLE_AUTHENTICATION,
 	"IDp");
-ENUM_NEXT(payload_type_short_names, HEADER, UNKNOWN_PAYLOAD, ID_PEER,
+ENUM_NEXT(payload_type_short_names, HEADER, CONFIGURATION_ATTRIBUTE, ID_PEER,
 	"HDR",
 	"PROP",
 	"TRANS",
 	"TRANSATTR",
 	"TSSUB",
-	"CPATTR",
-	"??");
+	"CPATTR");
 #else
-ENUM_NEXT(payload_type_short_names, HEADER, UNKNOWN_PAYLOAD, EXTENSIBLE_AUTHENTICATION,
+ENUM_NEXT(payload_type_short_names, HEADER, CONFIGURATION_ATTRIBUTE, EXTENSIBLE_AUTHENTICATION,
 	"HDR",
 	"PROP",
 	"TRANS",
 	"TRANSATTR",
 	"TSSUB",
-	"CPATTR",
-	"??");
+	"CPATTR");
 #endif /* ME */
-ENUM_END(payload_type_short_names, UNKNOWN_PAYLOAD);
+ENUM_END(payload_type_short_names, CONFIGURATION_ATTRIBUTE);
 
 /*
  * see header
@@ -178,7 +174,45 @@ payload_t *payload_create(payload_type_t type)
 		case ENCRYPTED:
 			return (payload_t*)encryption_payload_create();
 		default:
-			return (payload_t*)unknown_payload_create();
+			return (payload_t*)unknown_payload_create(type);
 	}
 }
 
+/**
+ * See header.
+ */
+bool payload_is_known(payload_type_t type)
+{
+	if (type == HEADER ||
+		(type >= SECURITY_ASSOCIATION && type <= EXTENSIBLE_AUTHENTICATION))
+	{
+		return TRUE;
+	}
+#ifdef ME
+	if (type == ID_PEER)
+	{
+		return TRUE;
+	}
+#endif
+	return FALSE;
+}
+
+/**
+ * See header.
+ */
+void* payload_get_field(payload_t *payload, encoding_type_t type, u_int skip)
+{
+	encoding_rule_t *rule;
+	size_t count;
+	int i;
+
+	payload->get_encoding_rules(payload, &rule, &count);
+	for (i = 0; i < count; i++)
+	{
+		if (rule[i].type == type && skip-- == 0)
+		{
+			return ((char*)payload) + rule[i].offset;
+		}
+	}
+	return NULL;
+}
diff --git a/src/libcharon/encoding/payloads/payload.h b/src/libcharon/encoding/payloads/payload.h
index 2e783cb30..0f407ff42 100644
--- a/src/libcharon/encoding/payloads/payload.h
+++ b/src/libcharon/encoding/payloads/payload.h
@@ -137,7 +137,7 @@ enum payload_type_t{
 	 * This payload type is not sent over wire and just
 	 * used internally to handle IKEv2-Header like a payload.
 	 */
-	HEADER = 140,
+	HEADER = 256,
 
 	/**
 	 * PROPOSAL_SUBSTRUCTURE has a value of PRIVATE USE space.
@@ -145,7 +145,7 @@ enum payload_type_t{
 	 * This payload type is not sent over wire and just
 	 * used internally to handle a proposal substructure like a payload.
 	 */
-	PROPOSAL_SUBSTRUCTURE = 141,
+	PROPOSAL_SUBSTRUCTURE = 257,
 
 	/**
 	 * TRANSFORM_SUBSTRUCTURE has a value of PRIVATE USE space.
@@ -153,7 +153,7 @@ enum payload_type_t{
 	 * This payload type is not sent over wire and just
 	 * used internally to handle a transform substructure like a payload.
 	 */
-	TRANSFORM_SUBSTRUCTURE = 142,
+	TRANSFORM_SUBSTRUCTURE = 258,
 
 	/**
 	 * TRANSFORM_ATTRIBUTE has a value of PRIVATE USE space.
@@ -161,7 +161,7 @@ enum payload_type_t{
 	 * This payload type is not sent over wire and just
 	 * used internally to handle a transform attribute like a payload.
 	 */
-	TRANSFORM_ATTRIBUTE = 143,
+	TRANSFORM_ATTRIBUTE = 259,
 
 	/**
 	 * TRAFFIC_SELECTOR_SUBSTRUCTURE has a value of PRIVATE USE space.
@@ -169,7 +169,7 @@ enum payload_type_t{
 	 * This payload type is not sent over wire and just
 	 * used internally to handle a transform selector like a payload.
 	 */
-	TRAFFIC_SELECTOR_SUBSTRUCTURE = 144,
+	TRAFFIC_SELECTOR_SUBSTRUCTURE = 260,
 
 	/**
 	 * CONFIGURATION_ATTRIBUTE has a value of PRIVATE USE space.
@@ -177,18 +177,9 @@ enum payload_type_t{
 	 * This payload type is not sent over wire and just
 	 * used internally to handle a transform attribute like a payload.
 	 */
-	CONFIGURATION_ATTRIBUTE = 145,
-
-	/**
-	 * A unknown payload has a value of PRIVATE USE space.
-	 *
-	 * This payload type is not sent over wire and just
-	 * used internally to handle a unknown payload.
-	 */
-	UNKNOWN_PAYLOAD = 146,
+	CONFIGURATION_ATTRIBUTE = 261,
 };
 
-
 /**
  * enum names for payload_type_t.
  */
@@ -269,4 +260,22 @@ struct payload_t {
  */
 payload_t *payload_create(payload_type_t type);
 
+/**
+ * Check if a specific payload is implemented, or handled as unknown payload.
+ *
+ * @param type		type of the payload to check
+ * @return			FALSE if payload type handled as unknown payload
+ */
+bool payload_is_known(payload_type_t type);
+
+/**
+ * Get the value field in a payload using encoding rules.
+ *
+ * @param payload	payload to look up a field
+ * @param type		encoding rule type to look up
+ * @param skip		number rules of type to skip, 0 to get first
+ * @return			type specific value pointer, NULL if not found
+ */
+void* payload_get_field(payload_t *payload, encoding_type_t type, u_int skip);
+
 #endif /** PAYLOAD_H_ @}*/
diff --git a/src/libcharon/encoding/payloads/proposal_substructure.c b/src/libcharon/encoding/payloads/proposal_substructure.c
index 985b03255..f39c3b0e6 100644
--- a/src/libcharon/encoding/payloads/proposal_substructure.c
+++ b/src/libcharon/encoding/payloads/proposal_substructure.c
@@ -46,6 +46,11 @@ struct private_proposal_substructure_t {
 	 */
 	u_int8_t  next_payload;
 
+	/**
+	 * reserved byte
+	 */
+	u_int8_t reserved;
+
 	/**
 	 * Length of this payload.
 	 */
@@ -91,8 +96,8 @@ struct private_proposal_substructure_t {
 encoding_rule_t proposal_substructure_encodings[] = {
 	/* 1 Byte next payload type, stored in the field next_payload */
 	{ U_INT_8,			offsetof(private_proposal_substructure_t, next_payload)		},
-	/* Reserved Byte is skipped */
-	{ RESERVED_BYTE,	0															},
+	/* 1 Reserved Byte */
+	{ RESERVED_BYTE,	offsetof(private_proposal_substructure_t, reserved)			},
 	/* Length of the whole proposal substructure payload*/
 	{ PAYLOAD_LENGTH,	offsetof(private_proposal_substructure_t, proposal_length)	},
 	/* proposal number is a number of 8 bit */
@@ -213,28 +218,23 @@ METHOD(payload_t, set_next_type, void,
  */
 static void compute_length(private_proposal_substructure_t *this)
 {
-	iterator_t *iterator;
-	payload_t *current_transform;
-	size_t transforms_count = 0;
-	size_t length = PROPOSAL_SUBSTRUCTURE_HEADER_LENGTH;
+	enumerator_t *enumerator;
+	payload_t *transform;
 
-	iterator = this->transforms->create_iterator(this->transforms,TRUE);
-	while (iterator->iterate(iterator, (void**)&current_transform))
+	this->transforms_count = 0;
+	this->proposal_length = PROPOSAL_SUBSTRUCTURE_HEADER_LENGTH + this->spi.len;
+	enumerator = this->transforms->create_enumerator(this->transforms);
+	while (enumerator->enumerate(enumerator, &transform))
 	{
-		length += current_transform->get_length(current_transform);
-		transforms_count++;
+		this->proposal_length += transform->get_length(transform);
+		this->transforms_count++;
 	}
-	iterator->destroy(iterator);
-
-	length += this->spi.len;
-	this->transforms_count = transforms_count;
-	this->proposal_length = length;
+	enumerator->destroy(enumerator);
 }
 
 METHOD(payload_t, get_length, size_t,
 	private_proposal_substructure_t *this)
 {
-	compute_length(this);
 	return this->proposal_length;
 }
 
@@ -342,32 +342,10 @@ METHOD(proposal_substructure_t, get_proposal, proposal_t*,
 	return proposal;
 }
 
-METHOD(proposal_substructure_t, clone_, proposal_substructure_t*,
+METHOD(proposal_substructure_t, create_substructure_enumerator, enumerator_t*,
 	private_proposal_substructure_t *this)
 {
-	private_proposal_substructure_t *clone;
-	enumerator_t *enumerator;
-	transform_substructure_t *current;
-
-	clone = (private_proposal_substructure_t*)proposal_substructure_create();
-	clone->next_payload = this->next_payload;
-	clone->proposal_number = this->proposal_number;
-	clone->protocol_id = this->protocol_id;
-	clone->spi_size = this->spi_size;
-	if (this->spi.ptr != NULL)
-	{
-		clone->spi.ptr = clalloc(this->spi.ptr, this->spi.len);
-		clone->spi.len = this->spi.len;
-	}
-	enumerator = this->transforms->create_enumerator(this->transforms);
-	while (enumerator->enumerate(enumerator, &current))
-	{
-		current = current->clone(current);
-		add_transform_substructure(clone, current);
-	}
-	enumerator->destroy(enumerator);
-
-	return &clone->public;
+	return this->transforms->create_enumerator(this->transforms);
 }
 
 METHOD2(payload_t, proposal_substructure_t, destroy, void,
@@ -403,12 +381,13 @@ proposal_substructure_t *proposal_substructure_create()
 			.get_protocol_id = _get_protocol_id,
 			.set_is_last_proposal = _set_is_last_proposal,
 			.get_proposal = _get_proposal,
+			.create_substructure_enumerator = _create_substructure_enumerator,
 			.set_spi = _set_spi,
 			.get_spi = _get_spi,
-			.clone = _clone_,
 			.destroy = _destroy,
 		},
 		.next_payload = NO_PAYLOAD,
+		.proposal_length = PROPOSAL_SUBSTRUCTURE_HEADER_LENGTH,
 		.transforms = linked_list_create(),
 	);
 
@@ -500,6 +479,7 @@ proposal_substructure_t *proposal_substructure_create_from_proposal(
 	}
 	this->proposal_number = proposal->get_number(proposal);
 	this->protocol_id = proposal->get_protocol(proposal);
+	compute_length(this);
 
 	return &this->public;
 }
diff --git a/src/libcharon/encoding/payloads/proposal_substructure.h b/src/libcharon/encoding/payloads/proposal_substructure.h
index 56e7184b6..d0ba1fd2a 100644
--- a/src/libcharon/encoding/payloads/proposal_substructure.h
+++ b/src/libcharon/encoding/payloads/proposal_substructure.h
@@ -111,11 +111,11 @@ struct proposal_substructure_t {
 	proposal_t * (*get_proposal) (proposal_substructure_t *this);
 
 	/**
-	 * Clones an proposal_substructure_t object.
+	 * Create an enumerator over transform substructures.
 	 *
-	 * @return		cloned object
+	 * @return			enumerator over transform_substructure_t
 	 */
-	proposal_substructure_t* (*clone) (proposal_substructure_t *this);
+	enumerator_t* (*create_substructure_enumerator)(proposal_substructure_t *this);
 
 	/**
 	 * Destroys an proposal_substructure_t object.
diff --git a/src/libcharon/encoding/payloads/sa_payload.c b/src/libcharon/encoding/payloads/sa_payload.c
index 4fbd4cac0..db20d052f 100644
--- a/src/libcharon/encoding/payloads/sa_payload.c
+++ b/src/libcharon/encoding/payloads/sa_payload.c
@@ -45,6 +45,11 @@ struct private_sa_payload_t {
 	 */
 	bool critical;
 
+	/**
+	 * Reserved bits
+	 */
+	bool reserved[7];
+
 	/**
 	 * Length of this payload.
 	 */
@@ -68,13 +73,13 @@ encoding_rule_t sa_payload_encodings[] = {
 	/* the critical bit */
 	{ FLAG,				offsetof(private_sa_payload_t, critical)			},
 	/* 7 Bit reserved bits, nowhere stored */
-	{ RESERVED_BIT,		0													},
-	{ RESERVED_BIT,		0													},
-	{ RESERVED_BIT,		0													},
-	{ RESERVED_BIT,		0													},
-	{ RESERVED_BIT,		0													},
-	{ RESERVED_BIT,		0													},
-	{ RESERVED_BIT,		0													},
+	{ RESERVED_BIT,		offsetof(private_sa_payload_t, reserved[0])			},
+	{ RESERVED_BIT,		offsetof(private_sa_payload_t, reserved[1])			},
+	{ RESERVED_BIT,		offsetof(private_sa_payload_t, reserved[2])			},
+	{ RESERVED_BIT,		offsetof(private_sa_payload_t, reserved[3])			},
+	{ RESERVED_BIT,		offsetof(private_sa_payload_t, reserved[4])			},
+	{ RESERVED_BIT,		offsetof(private_sa_payload_t, reserved[5])			},
+	{ RESERVED_BIT,		offsetof(private_sa_payload_t, reserved[6])			},
 	/* Length of the whole SA payload*/
 	{ PAYLOAD_LENGTH,	offsetof(private_sa_payload_t, payload_length)		},
 	/* Proposals are stored in a proposal substructure,
@@ -185,7 +190,6 @@ static void compute_length(private_sa_payload_t *this)
 METHOD(payload_t, get_length, size_t,
 	private_sa_payload_t *this)
 {
-	compute_length(this);
 	return this->payload_length;
 }
 
@@ -258,6 +262,12 @@ METHOD(sa_payload_t, get_proposals, linked_list_t*,
 	return list;
 }
 
+METHOD(sa_payload_t, create_substructure_enumerator, enumerator_t*,
+	private_sa_payload_t *this)
+{
+	return this->proposals->create_enumerator(this->proposals);
+}
+
 METHOD2(payload_t, sa_payload_t, destroy, void,
 	private_sa_payload_t *this)
 {
@@ -286,6 +296,7 @@ sa_payload_t *sa_payload_create()
 			},
 			.add_proposal = _add_proposal,
 			.get_proposals = _get_proposals,
+			.create_substructure_enumerator = _create_substructure_enumerator,
 			.destroy = _destroy,
 		},
 		.next_payload = NO_PAYLOAD,
diff --git a/src/libcharon/encoding/payloads/sa_payload.h b/src/libcharon/encoding/payloads/sa_payload.h
index 801a70738..cc8c481c8 100644
--- a/src/libcharon/encoding/payloads/sa_payload.h
+++ b/src/libcharon/encoding/payloads/sa_payload.h
@@ -60,6 +60,13 @@ struct sa_payload_t {
 	 */
 	void (*add_proposal) (sa_payload_t *this, proposal_t *proposal);
 
+	/**
+	 * Create an enumerator over all proposal substructures.
+	 *
+	 * @return					enumerator over proposal_substructure_t
+	 */
+	enumerator_t* (*create_substructure_enumerator)(sa_payload_t *this);
+
 	/**
 	 * Destroys an sa_payload_t object.
 	 */
diff --git a/src/libcharon/encoding/payloads/traffic_selector_substructure.c b/src/libcharon/encoding/payloads/traffic_selector_substructure.c
index f24857591..df36e4383 100644
--- a/src/libcharon/encoding/payloads/traffic_selector_substructure.c
+++ b/src/libcharon/encoding/payloads/traffic_selector_substructure.c
@@ -1,5 +1,6 @@
 /*
- * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005-2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
  *
@@ -19,14 +20,13 @@
 #include <encoding/payloads/encodings.h>
 #include <utils/linked_list.h>
 
-
 typedef struct private_traffic_selector_substructure_t private_traffic_selector_substructure_t;
 
 /**
  * Private data of an traffic_selector_substructure_t object.
- *
  */
 struct private_traffic_selector_substructure_t {
+
 	/**
 	 * Public traffic_selector_substructure_t interface.
 	 */
@@ -73,24 +73,22 @@ struct private_traffic_selector_substructure_t {
  *
  * The defined offsets are the positions in a object of type
  * private_traffic_selector_substructure_t.
- *
  */
 encoding_rule_t traffic_selector_substructure_encodings[] = {
 	/* 1 Byte next ts type*/
-	{ TS_TYPE,			offsetof(private_traffic_selector_substructure_t, ts_type) 			},
+	{ TS_TYPE,		offsetof(private_traffic_selector_substructure_t, ts_type) 			},
 	/* 1 Byte IP protocol id*/
-	{ U_INT_8,			offsetof(private_traffic_selector_substructure_t, ip_protocol_id) 	},
+	{ U_INT_8,		offsetof(private_traffic_selector_substructure_t, ip_protocol_id) 	},
 	/* Length of the whole payload*/
-	{ PAYLOAD_LENGTH,	offsetof(private_traffic_selector_substructure_t, payload_length)		},
+	{ PAYLOAD_LENGTH,offsetof(private_traffic_selector_substructure_t, payload_length)	},
 	/* 2 Byte start port*/
-	{ U_INT_16,		offsetof(private_traffic_selector_substructure_t, start_port)			},
+	{ U_INT_16,		offsetof(private_traffic_selector_substructure_t, start_port)		},
 	/* 2 Byte end port*/
 	{ U_INT_16,		offsetof(private_traffic_selector_substructure_t, end_port)			},
 	/* starting address is either 4 or 16 byte */
-	{ ADDRESS,			offsetof(private_traffic_selector_substructure_t, starting_address)	},
+	{ ADDRESS,		offsetof(private_traffic_selector_substructure_t, starting_address)	},
 	/* ending address is either 4 or 16 byte */
-	{ ADDRESS,			offsetof(private_traffic_selector_substructure_t, ending_address)		}
-
+	{ ADDRESS,		offsetof(private_traffic_selector_substructure_t, ending_address)	}
 };
 
 /*
@@ -111,10 +109,8 @@ encoding_rule_t traffic_selector_substructure_encodings[] = {
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 */
 
-/**
- * Implementation of payload_t.verify.
- */
-static status_t verify(private_traffic_selector_substructure_t *this)
+METHOD(payload_t, verify, status_t,
+	private_traffic_selector_substructure_t *this)
 {
 	if (this->start_port > this->end_port)
 	{
@@ -152,72 +148,48 @@ static status_t verify(private_traffic_selector_substructure_t *this)
 	return SUCCESS;
 }
 
-/**
- * Implementation of traffic_selector_substructure_t.get_encoding_rules.
- */
-static void get_encoding_rules(private_traffic_selector_substructure_t *this, encoding_rule_t **rules, size_t *rule_count)
+METHOD(payload_t, get_encoding_rules, void,
+	private_traffic_selector_substructure_t *this, encoding_rule_t **rules,
+	size_t *rule_count)
 {
 	*rules = traffic_selector_substructure_encodings;
-	*rule_count = sizeof(traffic_selector_substructure_encodings) / sizeof(encoding_rule_t);
+	*rule_count = countof(traffic_selector_substructure_encodings);
 }
 
-/**
- * Implementation of payload_t.get_type.
- */
-static payload_type_t get_payload_type(private_traffic_selector_substructure_t *this)
+METHOD(payload_t, get_type, payload_type_t,
+	private_traffic_selector_substructure_t *this)
 {
 	return TRAFFIC_SELECTOR_SUBSTRUCTURE;
 }
 
-/**
- * Implementation of payload_t.get_next_type.
- */
-static payload_type_t get_next_type(private_traffic_selector_substructure_t *this)
+METHOD(payload_t, get_next_type, payload_type_t,
+	private_traffic_selector_substructure_t *this)
 {
-	return 0;
+	return NO_PAYLOAD;
 }
 
-/**
- * Implementation of payload_t.set_next_type.
- */
-static void set_next_type(private_traffic_selector_substructure_t *this,payload_type_t type)
+METHOD(payload_t, set_next_type, void,
+	private_traffic_selector_substructure_t *this,payload_type_t type)
 {
-
 }
 
-/**
- * Implementation of payload_t.get_length.
- */
-static size_t get_length(private_traffic_selector_substructure_t *this)
+METHOD(payload_t, get_length, size_t,
+	private_traffic_selector_substructure_t *this)
 {
 	return this->payload_length;
 }
 
-/**
- * Implementation of traffic_selector_substructure_t.get_traffic_selector.
- */
-static traffic_selector_t *get_traffic_selector(private_traffic_selector_substructure_t *this)
+METHOD(traffic_selector_substructure_t, get_traffic_selector, traffic_selector_t*,
+	private_traffic_selector_substructure_t *this)
 {
-	traffic_selector_t *ts;
-	ts = traffic_selector_create_from_bytes(this->ip_protocol_id, this->ts_type,
-											this->starting_address, this->start_port,
-											this->ending_address, this->end_port);
-	return ts;
+	return traffic_selector_create_from_bytes(
+									this->ip_protocol_id, this->ts_type,
+									this->starting_address, this->start_port,
+									this->ending_address, this->end_port);
 }
 
-/**
- * recompute length field of the payload
- */
-void compute_length(private_traffic_selector_substructure_t *this)
-{
-	this->payload_length = TRAFFIC_SELECTOR_HEADER_LENGTH +
-			this->ending_address.len + this->starting_address.len;
-}
-
-/**
- * Implementation of payload_t.destroy and traffic_selector_substructure_t.destroy.
- */
-static void destroy(private_traffic_selector_substructure_t *this)
+METHOD2(payload_t, traffic_selector_substructure_t, destroy, void,
+	private_traffic_selector_substructure_t *this)
 {
 	free(this->starting_address.ptr);
 	free(this->ending_address.ptr);
@@ -229,48 +201,46 @@ static void destroy(private_traffic_selector_substructure_t *this)
  */
 traffic_selector_substructure_t *traffic_selector_substructure_create()
 {
-	private_traffic_selector_substructure_t *this = malloc_thing(private_traffic_selector_substructure_t);
-
-	/* interface functions */
-	this->public.payload_interface.verify = (status_t (*) (payload_t *))verify;
-	this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules;
-	this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length;
-	this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type;
-	this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
-	this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_payload_type;
-	this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
-
-	/* public functions */
-	this->public.get_traffic_selector = (traffic_selector_t* (*)(traffic_selector_substructure_t*))get_traffic_selector;
-	this->public.destroy = (void (*) (traffic_selector_substructure_t *)) destroy;
-
-	/* private variables */
-	this->payload_length = TRAFFIC_SELECTOR_HEADER_LENGTH;
-	this->start_port = 0;
-	this->end_port = 0;
-	this->starting_address = chunk_empty;
-	this->ending_address = chunk_empty;
-	this->ip_protocol_id = 0;
-	/* must be set to be valid */
-	this->ts_type = TS_IPV4_ADDR_RANGE;
-
-	return (&(this->public));
+	private_traffic_selector_substructure_t *this;
+
+	INIT(this,
+		.public = {
+			.payload_interface = {
+				.verify = _verify,
+				.get_encoding_rules = _get_encoding_rules,
+				.get_length = _get_length,
+				.get_next_type = _get_next_type,
+				.set_next_type = _set_next_type,
+				.get_type = _get_type,
+				.destroy = _destroy,
+			},
+			.get_traffic_selector = _get_traffic_selector,
+			.destroy = _destroy,
+		},
+		.payload_length = TRAFFIC_SELECTOR_HEADER_LENGTH,
+		/* must be set to be valid */
+		.ts_type = TS_IPV4_ADDR_RANGE,
+	);
+	return &this->public;
 }
 
 /*
  * Described in header
  */
-traffic_selector_substructure_t *traffic_selector_substructure_create_from_traffic_selector(traffic_selector_t *traffic_selector)
+traffic_selector_substructure_t *traffic_selector_substructure_create_from_traffic_selector(
+													traffic_selector_t *ts)
 {
-	private_traffic_selector_substructure_t *this = (private_traffic_selector_substructure_t*)traffic_selector_substructure_create();
-	this->ts_type = traffic_selector->get_type(traffic_selector);
-	this->ip_protocol_id = traffic_selector->get_protocol(traffic_selector);
-	this->start_port = traffic_selector->get_from_port(traffic_selector);
-	this->end_port = traffic_selector->get_to_port(traffic_selector);
-	this->starting_address = chunk_clone(traffic_selector->get_from_address(traffic_selector));
-	this->ending_address = chunk_clone(traffic_selector->get_to_address(traffic_selector));
-
-	compute_length(this);
+	private_traffic_selector_substructure_t *this;
+
+	this = (private_traffic_selector_substructure_t*)traffic_selector_substructure_create();
+	this->ts_type = ts->get_type(ts);
+	this->ip_protocol_id = ts->get_protocol(ts);
+	this->start_port = ts->get_from_port(ts);
+	this->end_port = ts->get_to_port(ts);
+	this->starting_address = chunk_clone(ts->get_from_address(ts));
+	this->ending_address = chunk_clone(ts->get_to_address(ts));
+	this->payload_length = TRAFFIC_SELECTOR_HEADER_LENGTH +
+						this->ending_address.len + this->starting_address.len;
 
-	return &(this->public);
+	return &this->public;
 }
diff --git a/src/libcharon/encoding/payloads/transform_attribute.c b/src/libcharon/encoding/payloads/transform_attribute.c
index 8bf2ddef4..7d21258b1 100644
--- a/src/libcharon/encoding/payloads/transform_attribute.c
+++ b/src/libcharon/encoding/payloads/transform_attribute.c
@@ -1,5 +1,6 @@
 /*
- * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005-2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
  *
@@ -26,9 +27,9 @@ typedef struct private_transform_attribute_t private_transform_attribute_t;
 
 /**
  * Private data of an transform_attribute_t object.
- *
  */
 struct private_transform_attribute_t {
+
 	/**
 	 * Public transform_attribute_t interface.
 	 */
@@ -70,7 +71,6 @@ ENUM_END(transform_attribute_type_name, KEY_LENGTH);
  *
  * The defined offsets are the positions in a object of type
  * private_transform_attribute_t.
- *
  */
 encoding_rule_t transform_attribute_encodings[] = {
 	/* Flag defining the format of this payload */
@@ -78,7 +78,7 @@ encoding_rule_t transform_attribute_encodings[] = {
 	/* type of the attribute as 15 bit unsigned integer */
 	{ ATTRIBUTE_TYPE,			offsetof(private_transform_attribute_t, attribute_type)				},
 	/* Length or value, depending on the attribute format flag */
-	{ ATTRIBUTE_LENGTH_OR_VALUE,	offsetof(private_transform_attribute_t, attribute_length_or_value)	},
+	{ ATTRIBUTE_LENGTH_OR_VALUE,offsetof(private_transform_attribute_t, attribute_length_or_value)	},
 	/* Value of attribute if attribute format flag is zero */
 	{ ATTRIBUTE_VALUE,			offsetof(private_transform_attribute_t, attribute_value) 			}
 };
@@ -95,162 +95,106 @@ encoding_rule_t transform_attribute_encodings[] = {
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 */
 
-/**
- * Implementation of payload_t.verify.
- */
-static status_t verify(private_transform_attribute_t *this)
+METHOD(payload_t, verify, status_t,
+	private_transform_attribute_t *this)
 {
-	if (this->attribute_type != KEY_LENGTH)
-	{
-		return FAILED;
-	}
-
 	return SUCCESS;
 }
 
-/**
- * Implementation of payload_t.get_encoding_rules.
- */
-static void get_encoding_rules(private_transform_attribute_t *this, encoding_rule_t **rules, size_t *rule_count)
+METHOD(payload_t, get_encoding_rules, void,
+	private_transform_attribute_t *this, encoding_rule_t **rules,
+	size_t *rule_count)
 {
 	*rules = transform_attribute_encodings;
-	*rule_count = sizeof(transform_attribute_encodings) / sizeof(encoding_rule_t);
+	*rule_count = countof(transform_attribute_encodings);
 }
 
-/**
- * Implementation of payload_t.get_type.
- */
-static payload_type_t get_type(private_transform_attribute_t *this)
+METHOD(payload_t, get_type, payload_type_t,
+	private_transform_attribute_t *this)
 {
 	return TRANSFORM_ATTRIBUTE;
 }
 
-/**
- * Implementation of payload_t.get_next_type.
- */
-static payload_type_t get_next_type(private_transform_attribute_t *this)
+METHOD(payload_t, get_next_type, payload_type_t,
+	private_transform_attribute_t *this)
 {
-	return (NO_PAYLOAD);
+	return NO_PAYLOAD;
 }
 
-/**
- * Implementation of payload_t.set_next_type.
- */
-static void set_next_type(private_transform_attribute_t *this,payload_type_t type)
+METHOD(payload_t, set_next_type, void,
+	private_transform_attribute_t *this, payload_type_t type)
 {
 }
 
-/**
- * Implementation of transform_attribute_t.get_length.
- */
-static size_t get_length(private_transform_attribute_t *this)
+METHOD(payload_t, get_length, size_t,
+	private_transform_attribute_t *this)
 {
-	if (this->attribute_format == TRUE)
+	if (this->attribute_format)
 	{
-		/*Attribute size is only 4 byte */
 		return 4;
 	}
-	return (this->attribute_length_or_value + 4);
+	return this->attribute_length_or_value + 4;
 }
 
-/**
- * Implementation of transform_attribute_t.set_value_chunk.
- */
-static void set_value_chunk(private_transform_attribute_t *this, chunk_t value)
+METHOD(transform_attribute_t, set_value_chunk, void,
+	private_transform_attribute_t *this, chunk_t value)
 {
-	if (this->attribute_value.ptr != NULL)
-	{
-		/* free existing value */
-		free(this->attribute_value.ptr);
-		this->attribute_value.ptr = NULL;
-		this->attribute_value.len = 0;
-
-	}
+	chunk_free(&this->attribute_value);
 
-	if (value.len > 2)
+	if (value.len != 2)
 	{
-		this->attribute_value.ptr = clalloc(value.ptr,value.len);
-		this->attribute_value.len = value.len;
+		this->attribute_value = chunk_clone(value);
 		this->attribute_length_or_value = value.len;
-		/* attribute has not a fixed length */
 		this->attribute_format = FALSE;
 	}
 	else
 	{
-		memcpy(&(this->attribute_length_or_value),value.ptr,value.len);
+		memcpy(&this->attribute_length_or_value, value.ptr, value.len);
 	}
 }
 
-/**
- * Implementation of transform_attribute_t.set_value.
- */
-static void set_value(private_transform_attribute_t *this, u_int16_t value)
+METHOD(transform_attribute_t, set_value, void,
+	private_transform_attribute_t *this, u_int16_t value)
 {
-	if (this->attribute_value.ptr != NULL)
-	{
-		/* free existing value */
-		free(this->attribute_value.ptr);
-		this->attribute_value.ptr = NULL;
-		this->attribute_value.len = 0;
-
-	}
+	chunk_free(&this->attribute_value);
 	this->attribute_length_or_value = value;
+	this->attribute_format = TRUE;
 }
 
-/**
- * Implementation of transform_attribute_t.get_value_chunk.
- */
-static chunk_t get_value_chunk (private_transform_attribute_t *this)
+METHOD(transform_attribute_t, get_value_chunk, chunk_t,
+	private_transform_attribute_t *this)
 {
-	chunk_t value;
-
-	if (this->attribute_format == FALSE)
+	if (this->attribute_format)
 	{
-		value.ptr = this->attribute_value.ptr;
-		value.len = this->attribute_value.len;
+		return chunk_from_thing(this->attribute_length_or_value);
 	}
-	else
-	{
-		value.ptr = (void *) &(this->attribute_length_or_value);
-		value.len = 2;
-	}
-
-	return value;
+	return this->attribute_value;
 }
 
-/**
- * Implementation of transform_attribute_t.get_value.
- */
-static u_int16_t get_value (private_transform_attribute_t *this)
+METHOD(transform_attribute_t, get_value, u_int16_t,
+	private_transform_attribute_t *this)
 {
 	return this->attribute_length_or_value;
 }
 
-
-/**
- * Implementation of transform_attribute_t.set_attribute_type.
- */
-static void set_attribute_type (private_transform_attribute_t *this, u_int16_t type)
+METHOD(transform_attribute_t, set_attribute_type, void,
+	private_transform_attribute_t *this, u_int16_t type)
 {
 	this->attribute_type = type & 0x7FFF;
 }
 
-/**
- * Implementation of transform_attribute_t.get_attribute_type.
- */
-static u_int16_t get_attribute_type (private_transform_attribute_t *this)
+METHOD(transform_attribute_t, get_attribute_type, u_int16_t,
+	private_transform_attribute_t *this)
 {
 	return this->attribute_type;
 }
 
-/**
- * Implementation of transform_attribute_t.clone.
- */
-static transform_attribute_t * _clone(private_transform_attribute_t *this)
+METHOD(transform_attribute_t, clone_, transform_attribute_t*,
+	private_transform_attribute_t *this)
 {
 	private_transform_attribute_t *new_clone;
 
-	new_clone = (private_transform_attribute_t *) transform_attribute_create();
+	new_clone = (private_transform_attribute_t *)transform_attribute_create();
 
 	new_clone->attribute_format = this->attribute_format;
 	new_clone->attribute_type = this->attribute_type;
@@ -258,22 +202,15 @@ static transform_attribute_t * _clone(private_transform_attribute_t *this)
 
 	if (!new_clone->attribute_format)
 	{
-		new_clone->attribute_value.ptr = clalloc(this->attribute_value.ptr,this->attribute_value.len);
-		new_clone->attribute_value.len = this->attribute_value.len;
+		new_clone->attribute_value = chunk_clone(this->attribute_value);
 	}
-
-	return (transform_attribute_t *) new_clone;
+	return &new_clone->public;
 }
 
-/**
- * Implementation of transform_attribute_t.destroy and payload_t.destroy.
- */
-static void destroy(private_transform_attribute_t *this)
+METHOD2(payload_t, transform_attribute_t, destroy, void,
+	private_transform_attribute_t *this)
 {
-	if (this->attribute_value.ptr != NULL)
-	{
-		free(this->attribute_value.ptr);
-	}
+	free(this->attribute_value.ptr);
 	free(this);
 }
 
@@ -282,35 +219,31 @@ static void destroy(private_transform_attribute_t *this)
  */
 transform_attribute_t *transform_attribute_create()
 {
-	private_transform_attribute_t *this = malloc_thing(private_transform_attribute_t);
-
-	/* payload interface */
-	this->public.payload_interface.verify = (status_t (*) (payload_t *))verify;
-	this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules;
-	this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length;
-	this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type;
-	this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
-	this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_type;
-	this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
-
-	/* public functions */
-	this->public.set_value_chunk = (void (*) (transform_attribute_t *,chunk_t)) set_value_chunk;
-	this->public.set_value = (void (*) (transform_attribute_t *,u_int16_t)) set_value;
-	this->public.get_value_chunk = (chunk_t (*) (transform_attribute_t *)) get_value_chunk;
-	this->public.get_value = (u_int16_t (*) (transform_attribute_t *)) get_value;
-	this->public.set_attribute_type = (void (*) (transform_attribute_t *,u_int16_t type)) set_attribute_type;
-	this->public.get_attribute_type = (u_int16_t (*) (transform_attribute_t *)) get_attribute_type;
-	this->public.clone = (transform_attribute_t * (*) (transform_attribute_t *)) _clone;
-	this->public.destroy = (void (*) (transform_attribute_t *)) destroy;
-
-	/* set default values of the fields */
-	this->attribute_format = TRUE;
-	this->attribute_type = 0;
-	this->attribute_length_or_value = 0;
-	this->attribute_value.ptr = NULL;
-	this->attribute_value.len = 0;
-
-	return (&(this->public));
+	private_transform_attribute_t *this;
+
+	INIT(this,
+		.public = {
+			.payload_interface = {
+				.verify = _verify,
+				.get_encoding_rules = _get_encoding_rules,
+				.get_length = _get_length,
+				.get_next_type = _get_next_type,
+				.set_next_type = _set_next_type,
+				.get_type = _get_type,
+				.destroy = _destroy,
+			},
+			.set_value_chunk = _set_value_chunk,
+			.set_value = _set_value,
+			.get_value_chunk = _get_value_chunk,
+			.get_value = _get_value,
+			.set_attribute_type = _set_attribute_type,
+			.get_attribute_type = _get_attribute_type,
+			.clone = _clone_,
+			.destroy = _destroy,
+		},
+		.attribute_format = TRUE,
+	);
+	return &this->public;
 }
 
 /*
@@ -319,7 +252,7 @@ transform_attribute_t *transform_attribute_create()
 transform_attribute_t *transform_attribute_create_key_length(u_int16_t key_length)
 {
 	transform_attribute_t *attribute = transform_attribute_create();
-	attribute->set_attribute_type(attribute,KEY_LENGTH);
-	attribute->set_value(attribute,key_length);
+	attribute->set_attribute_type(attribute, KEY_LENGTH);
+	attribute->set_value(attribute, key_length);
 	return attribute;
 }
diff --git a/src/libcharon/encoding/payloads/transform_substructure.c b/src/libcharon/encoding/payloads/transform_substructure.c
index c94f6c1a2..0428da726 100644
--- a/src/libcharon/encoding/payloads/transform_substructure.c
+++ b/src/libcharon/encoding/payloads/transform_substructure.c
@@ -1,5 +1,6 @@
 /*
- * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005-2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
  *
@@ -24,14 +25,13 @@
 #include <utils/linked_list.h>
 #include <daemon.h>
 
-
 typedef struct private_transform_substructure_t private_transform_substructure_t;
 
 /**
  * Private data of an transform_substructure_t object.
- *
  */
 struct private_transform_substructure_t {
+
 	/**
 	 * Public transform_substructure_t interface.
 	 */
@@ -41,14 +41,16 @@ struct private_transform_substructure_t {
 	 * Next payload type.
 	 */
 	u_int8_t  next_payload;
-
+	/**
+	 * Reserved bytes
+	 */
+	u_int8_t reserved[2];
 
 	/**
 	 * Length of this payload.
 	 */
 	u_int16_t transform_length;
 
-
 	/**
 	 * Type of the transform.
 	 */
@@ -65,30 +67,28 @@ struct private_transform_substructure_t {
 	linked_list_t *attributes;
 };
 
-
 /**
  * Encoding rules to parse or generate a Transform substructure.
  *
  * The defined offsets are the positions in a object of type
  * private_transform_substructure_t.
- *
  */
 encoding_rule_t transform_substructure_encodings[] = {
 	/* 1 Byte next payload type, stored in the field next_payload */
-	{ U_INT_8,			offsetof(private_transform_substructure_t, next_payload) 		},
-	/* Reserved Byte is skipped */
-	{ RESERVED_BYTE,		0																},
+	{ U_INT_8,				offsetof(private_transform_substructure_t, next_payload)	},
+	/* 1 Reserved Byte */
+	{ RESERVED_BYTE,		offsetof(private_transform_substructure_t, reserved[0])		},
 	/* Length of the whole transform substructure*/
-	{ PAYLOAD_LENGTH,		offsetof(private_transform_substructure_t, transform_length)	},
+	{ PAYLOAD_LENGTH,		offsetof(private_transform_substructure_t, transform_length)},
 	/* transform type is a number of 8 bit */
-	{ U_INT_8,				offsetof(private_transform_substructure_t, transform_type) 	},
-	/* Reserved Byte is skipped */
-	{ RESERVED_BYTE,		0																},
+	{ U_INT_8,				offsetof(private_transform_substructure_t, transform_type)	},
+	/* 1 Reserved Byte */
+	{ RESERVED_BYTE,		offsetof(private_transform_substructure_t, reserved[1])		},
 	/* tranform ID is a number of 8 bit */
-	{ U_INT_16,				offsetof(private_transform_substructure_t, transform_id)		},
+	{ U_INT_16,				offsetof(private_transform_substructure_t, transform_id)	},
 	/* Attributes are stored in a transform attribute,
 	   offset points to a linked_list_t pointer */
-	{ TRANSFORM_ATTRIBUTES,	offsetof(private_transform_substructure_t, attributes) 		}
+	{ TRANSFORM_ATTRIBUTES,	offsetof(private_transform_substructure_t, attributes)		}
 };
 
 /*
@@ -105,19 +105,15 @@ encoding_rule_t transform_substructure_encodings[] = {
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 */
 
-
-/**
- * Implementation of payload_t.verify.
- */
-static status_t verify(private_transform_substructure_t *this)
+METHOD(payload_t, verify, status_t,
+	private_transform_substructure_t *this)
 {
 	status_t status = SUCCESS;
-	iterator_t *iterator;
-	payload_t *current_attributes;
+	enumerator_t *enumerator;
+	payload_t *attribute;
 
-	if ((this->next_payload != NO_PAYLOAD) && (this->next_payload != 3))
+	if (this->next_payload != NO_PAYLOAD && this->next_payload != 3)
 	{
-		/* must be 0 or 3 */
 		DBG1(DBG_ENC, "inconsistent next payload");
 		return FAILED;
 	}
@@ -138,45 +134,41 @@ static status_t verify(private_transform_substructure_t *this)
 			return FAILED;
 		}
 	}
-	iterator = this->attributes->create_iterator(this->attributes,TRUE);
 
-	while(iterator->iterate(iterator, (void**)&current_attributes))
+	enumerator = this->attributes->create_enumerator(this->attributes);
+	while (enumerator->enumerate(enumerator, &attribute))
 	{
-		status = current_attributes->verify(current_attributes);
+		status = attribute->verify(attribute);
 		if (status != SUCCESS)
 		{
 			DBG1(DBG_ENC, "TRANSFORM_ATTRIBUTE verification failed");
+			break;
 		}
 	}
-	iterator->destroy(iterator);
+	enumerator->destroy(enumerator);
 
 	/* proposal number is checked in SA payload */
 	return status;
 }
 
-/**
- * Implementation of payload_t.get_encoding_rules.
- */
-static void get_encoding_rules(private_transform_substructure_t *this, encoding_rule_t **rules, size_t *rule_count)
+METHOD(payload_t, get_encoding_rules, void,
+	private_transform_substructure_t *this, encoding_rule_t **rules,
+	size_t *rule_count)
 {
 	*rules = transform_substructure_encodings;
-	*rule_count = sizeof(transform_substructure_encodings) / sizeof(encoding_rule_t);
+	*rule_count = countof(transform_substructure_encodings);
 }
 
-/**
- * Implementation of payload_t.get_type.
- */
-static payload_type_t get_type(private_transform_substructure_t *this)
+METHOD(payload_t, get_type, payload_type_t,
+	private_transform_substructure_t *this)
 {
 	return TRANSFORM_SUBSTRUCTURE;
 }
 
-/**
- * Implementation of payload_t.get_next_type.
- */
-static payload_type_t get_next_type(private_transform_substructure_t *this)
+METHOD(payload_t, get_next_type, payload_type_t,
+	private_transform_substructure_t *this)
 {
-	return (this->next_payload);
+	return this->next_payload;
 }
 
 /**
@@ -184,154 +176,69 @@ static payload_type_t get_next_type(private_transform_substructure_t *this)
  */
 static void compute_length (private_transform_substructure_t *this)
 {
-	iterator_t *iterator;
-	payload_t *current_attribute;
-	size_t length = TRANSFORM_SUBSTRUCTURE_HEADER_LENGTH;
+	enumerator_t *enumerator;
+	payload_t *attribute;
 
-	iterator = this->attributes->create_iterator(this->attributes,TRUE);
-	while (iterator->iterate(iterator, (void**)&current_attribute))
+	this->transform_length = TRANSFORM_SUBSTRUCTURE_HEADER_LENGTH;
+	enumerator = this->attributes->create_enumerator(this->attributes);
+	while (enumerator->enumerate(enumerator, &attribute))
 	{
-		length += current_attribute->get_length(current_attribute);
+		this->transform_length += attribute->get_length(attribute);
 	}
-	iterator->destroy(iterator);
-
-	this->transform_length = length;
+	enumerator->destroy(enumerator);
 }
 
-/**
- * Implementation of payload_t.get_length.
- */
-static size_t get_length(private_transform_substructure_t *this)
+METHOD(payload_t, get_length, size_t,
+	private_transform_substructure_t *this)
 {
-	compute_length(this);
 	return this->transform_length;
 }
 
-/**
- * Implementation of transform_substructure_t.create_transform_attribute_iterator.
- */
-static iterator_t *create_transform_attribute_iterator (private_transform_substructure_t *this,bool forward)
-{
-	return this->attributes->create_iterator(this->attributes,forward);
-}
-
-/**
- * Implementation of transform_substructure_t.add_transform_attribute.
- */
-static void add_transform_attribute (private_transform_substructure_t *this,transform_attribute_t *attribute)
-{
-	this->attributes->insert_last(this->attributes,(void *) attribute);
-	compute_length(this);
-}
-
-/**
- * Implementation of transform_substructure_t.set_is_last_transform.
- */
-static void set_is_last_transform (private_transform_substructure_t *this, bool is_last)
-{
-	this->next_payload = (is_last) ? 0: TRANSFORM_TYPE_VALUE;
-}
-
-/**
- * Implementation of transform_substructure_t.get_is_last_transform.
- */
-static bool get_is_last_transform (private_transform_substructure_t *this)
-{
-	return ((this->next_payload == TRANSFORM_TYPE_VALUE) ? FALSE : TRUE);
-}
-
-/**
- * Implementation of payload_t.set_next_type.
- */
-static void set_next_type(private_transform_substructure_t *this,payload_type_t type)
+METHOD(transform_substructure_t, set_is_last_transform, void,
+	private_transform_substructure_t *this, bool is_last)
 {
+	this->next_payload = is_last ? 0: TRANSFORM_TYPE_VALUE;
 }
 
-/**
- * Implementation of transform_substructure_t.set_transform_type.
- */
-static void set_transform_type (private_transform_substructure_t *this,u_int8_t type)
+METHOD(payload_t, set_next_type, void,
+	private_transform_substructure_t *this,payload_type_t type)
 {
-	this->transform_type = type;
 }
 
-/**
- * Implementation of transform_substructure_t.get_transform_type.
- */
-static u_int8_t get_transform_type (private_transform_substructure_t *this)
+METHOD(transform_substructure_t, get_transform_type, u_int8_t,
+	private_transform_substructure_t *this)
 {
 	return this->transform_type;
 }
 
-/**
- * Implementation of transform_substructure_t.set_transform_id.
- */
-static void set_transform_id (private_transform_substructure_t *this,u_int16_t id)
-{
-	this->transform_id = id;
-}
-
-/**
- * Implementation of transform_substructure_t.get_transform_id.
- */
-static u_int16_t get_transform_id (private_transform_substructure_t *this)
+METHOD(transform_substructure_t, get_transform_id, u_int16_t,
+	private_transform_substructure_t *this)
 {
 	return this->transform_id;
 }
 
-/**
- * Implementation of transform_substructure_t.clone.
- */
-static transform_substructure_t *clone_(private_transform_substructure_t *this)
-{
-	private_transform_substructure_t *clone;
-	iterator_t *attributes;
-	transform_attribute_t *current_attribute;
-
-	clone = (private_transform_substructure_t *) transform_substructure_create();
-	clone->next_payload = this->next_payload;
-	clone->transform_type = this->transform_type;
-	clone->transform_id = this->transform_id;
-
-	attributes = this->attributes->create_iterator(this->attributes, FALSE);
-	while (attributes->iterate(attributes, (void**)&current_attribute))
-	{
-		current_attribute = current_attribute->clone(current_attribute);
-		clone->public.add_transform_attribute(&clone->public, current_attribute);
-	}
-	attributes->destroy(attributes);
-
-	return &clone->public;
-}
-
-
-/**
- * Implementation of transform_substructure_t.get_key_length.
- */
-static status_t get_key_length(private_transform_substructure_t *this, u_int16_t *key_length)
+METHOD(transform_substructure_t, get_key_length, status_t,
+	private_transform_substructure_t *this, u_int16_t *key_length)
 {
-	iterator_t *attributes;
-	transform_attribute_t *current_attribute;
+	enumerator_t *enumerator;
+	transform_attribute_t *attribute;
 
-	attributes = this->attributes->create_iterator(this->attributes, TRUE);
-	while (attributes->iterate(attributes, (void**)&current_attribute))
+	enumerator = this->attributes->create_enumerator(this->attributes);
+	while (enumerator->enumerate(enumerator, &attribute))
 	{
-		if (current_attribute->get_attribute_type(current_attribute) == KEY_LENGTH)
+		if (attribute->get_attribute_type(attribute) == KEY_LENGTH)
 		{
-			*key_length = current_attribute->get_value(current_attribute);
-			attributes->destroy(attributes);
+			*key_length = attribute->get_value(attribute);
+			enumerator->destroy(enumerator);
 			return SUCCESS;
 		}
 	}
-	attributes->destroy(attributes);
+	enumerator->destroy(enumerator);
 	return FAILED;
 }
 
-
-/**
- * Implementation of transform_substructure_t.destroy and payload_t.destroy.
- */
-static void destroy(private_transform_substructure_t *this)
+METHOD2(payload_t, transform_substructure_t, destroy, void,
+	private_transform_substructure_t *this)
 {
 	this->attributes->destroy_offset(this->attributes,
 									 offsetof(transform_attribute_t, destroy));
@@ -343,60 +250,50 @@ static void destroy(private_transform_substructure_t *this)
  */
 transform_substructure_t *transform_substructure_create()
 {
-	private_transform_substructure_t *this = malloc_thing(private_transform_substructure_t);
-
-	/* payload interface */
-	this->public.payload_interface.verify = (status_t (*) (payload_t *))verify;
-	this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules;
-	this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length;
-	this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type;
-	this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
-	this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_type;
-	this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
-
-	/* public functions */
-	this->public.create_transform_attribute_iterator = (iterator_t * (*) (transform_substructure_t *,bool)) create_transform_attribute_iterator;
-	this->public.add_transform_attribute = (void (*) (transform_substructure_t *,transform_attribute_t *)) add_transform_attribute;
-	this->public.set_is_last_transform = (void (*) (transform_substructure_t *,bool)) set_is_last_transform;
-	this->public.get_is_last_transform = (bool (*) (transform_substructure_t *)) get_is_last_transform;
-	this->public.set_transform_type = (void (*) (transform_substructure_t *,u_int8_t)) set_transform_type;
-	this->public.get_transform_type = (u_int8_t (*) (transform_substructure_t *)) get_transform_type;
-	this->public.set_transform_id = (void (*) (transform_substructure_t *,u_int16_t)) set_transform_id;
-	this->public.get_transform_id = (u_int16_t (*) (transform_substructure_t *)) get_transform_id;
-	this->public.get_key_length = (status_t (*) (transform_substructure_t *,u_int16_t *)) get_key_length;
-	this->public.clone = (transform_substructure_t* (*) (transform_substructure_t *)) clone_;
-	this->public.destroy = (void (*) (transform_substructure_t *)) destroy;
-
-	/* set default values of the fields */
-	this->next_payload = NO_PAYLOAD;
-	this->transform_length = TRANSFORM_SUBSTRUCTURE_HEADER_LENGTH;
-	this->transform_id = 0;
-	this->transform_type = 0;
-	this->attributes = linked_list_create();
-
-	return (&(this->public));
+	private_transform_substructure_t *this;
+
+	INIT(this,
+		.public = {
+			.payload_interface = {
+				.verify = _verify,
+				.get_encoding_rules = _get_encoding_rules,
+				.get_length = _get_length,
+				.get_next_type = _get_next_type,
+				.set_next_type = _set_next_type,
+				.get_type = _get_type,
+				.destroy = _destroy,
+			},
+			.set_is_last_transform = _set_is_last_transform,
+			.get_transform_type = _get_transform_type,
+			.get_transform_id = _get_transform_id,
+			.get_key_length = _get_key_length,
+			.destroy = _destroy,
+		},
+		.next_payload = NO_PAYLOAD,
+		.transform_length = TRANSFORM_SUBSTRUCTURE_HEADER_LENGTH,
+		.attributes = linked_list_create(),
+	);
+	return &this->public;
 }
 
 /*
  * Described in header
  */
 transform_substructure_t *transform_substructure_create_type(
-								transform_type_t transform_type,
-								u_int16_t transform_id, u_int16_t key_length)
+					transform_type_t type, u_int16_t id, u_int16_t key_length)
 {
-	transform_substructure_t *transform = transform_substructure_create();
+	private_transform_substructure_t *this;
 
-	transform->set_transform_type(transform,transform_type);
-	transform->set_transform_id(transform,transform_id);
+	this = (private_transform_substructure_t*)transform_substructure_create();
 
+	this->transform_type = type;
+	this->transform_id = id;
 	if (key_length)
 	{
-		transform_attribute_t *attribute;
-
-		attribute = transform_attribute_create_key_length(key_length);
-		transform->add_transform_attribute(transform, attribute);
-
+		this->attributes->insert_last(this->attributes,
+					(void*)transform_attribute_create_key_length(key_length));
+		compute_length(this);
 	}
-	return transform;
+	return &this->public;
 }
 
diff --git a/src/libcharon/encoding/payloads/transform_substructure.h b/src/libcharon/encoding/payloads/transform_substructure.h
index 5d31f8c0a..c961700a4 100644
--- a/src/libcharon/encoding/payloads/transform_substructure.h
+++ b/src/libcharon/encoding/payloads/transform_substructure.h
@@ -34,7 +34,6 @@ typedef struct transform_substructure_t transform_substructure_t;
 #include <crypto/crypters/crypter.h>
 #include <config/proposal.h>
 
-
 /**
  * IKEv1 Value for a transform payload.
  */
@@ -45,31 +44,18 @@ typedef struct transform_substructure_t transform_substructure_t;
  */
 #define TRANSFORM_SUBSTRUCTURE_HEADER_LENGTH 8
 
-
 /**
  * Class representing an IKEv2- TRANSFORM SUBSTRUCTURE.
  *
  * The TRANSFORM SUBSTRUCTURE format is described in RFC section 3.3.2.
  */
 struct transform_substructure_t {
+
 	/**
 	 * The payload_t interface.
 	 */
 	payload_t payload_interface;
 
-	/**
-	 * Creates an iterator of stored transform_attribute_t objects.
-	 *
-	 * When deleting an transform attribute using this iterator,
-	 * the length of this transform substructure has to be refreshed
-	 * by calling get_length().
-	 *
-	 * @param forward 		iterator direction (TRUE: front to end)
-	 * @return				created iterator_t object.
-	 */
-	iterator_t * (*create_transform_attribute_iterator) (
-								transform_substructure_t *this, bool forward);
-
 	/**
 	 * Adds a transform_attribute_t object to this object.
 	 *
@@ -88,20 +74,6 @@ struct transform_substructure_t {
 	 */
 	void (*set_is_last_transform) (transform_substructure_t *this, bool is_last);
 
-	/**
-	 * Checks if this is the last transform.
-	 *
-	 * @return 			TRUE if this is the last Transform, FALSE otherwise
-	 */
-	bool (*get_is_last_transform) (transform_substructure_t *this);
-
-	/**
-	 * Sets transform type of the current transform substructure.
-	 *
-	 * @param type		type value to set
-	 */
-	void (*set_transform_type) (transform_substructure_t *this, u_int8_t type);
-
 	/**
 	 * get transform type of the current transform.
 	 *
@@ -110,21 +82,14 @@ struct transform_substructure_t {
 	u_int8_t (*get_transform_type) (transform_substructure_t *this);
 
 	/**
-	 * Sets transform id of the current transform substructure.
-	 *
-	 * @param id		transform id to set
-	 */
-	void (*set_transform_id) (transform_substructure_t *this, u_int16_t id);
-
-	/**
-	 * get transform id of the current transform.
+	 * Get transform id of the current transform.
 	 *
 	 * @return 			Transform id of current transform substructure.
 	 */
 	u_int16_t (*get_transform_id) (transform_substructure_t *this);
 
 	/**
-	 * get transform id of the current transform.
+	 * Get transform id of the current transform.
 	 *
 	 * @param key_length	The key length is written to this location
 	 * @return
@@ -135,13 +100,6 @@ struct transform_substructure_t {
 	status_t (*get_key_length) (transform_substructure_t *this,
 								u_int16_t *key_length);
 
-	/**
-	 * Clones an transform_substructure_t object.
-	 *
-	 * @return		cloned transform_substructure_t object
-	 */
-	transform_substructure_t* (*clone) (transform_substructure_t *this);
-
 	/**
 	 * Destroys an transform_substructure_t object.
 	 */
@@ -151,24 +109,19 @@ struct transform_substructure_t {
 /**
  * Creates an empty transform_substructure_t object.
  *
- * @return			created transform_substructure_t object
+ * @return				created transform_substructure_t object
  */
 transform_substructure_t *transform_substructure_create(void);
 
 /**
  * Creates an empty transform_substructure_t object.
  *
- * The key length is used for the transport types ENCRYPTION_ALGORITHM,
- * PSEUDO_RANDOM_FUNCTION, INTEGRITY_ALGORITHM. For all
- * other transport types the key_length parameter is not used
- *
- * @param transform_type	type of transform to create
- * @param transform_id		transform id specifying the specific algorithm of a transform type
- * @param key_length		Key length for key lenght attribute
- * @return					transform_substructure_t object
+ * @param type			type of transform to create
+ * @param id			transform id specifc for the transform type
+ * @param key_length	key length for key lenght attribute, 0 to omit
+ * @return				transform_substructure_t object
  */
 transform_substructure_t *transform_substructure_create_type(
-						transform_type_t transform_type, u_int16_t transform_id,
-						u_int16_t key_length);
+					transform_type_t type, u_int16_t id, u_int16_t key_length);
 
 #endif /** TRANSFORM_SUBSTRUCTURE_H_ @}*/
diff --git a/src/libcharon/encoding/payloads/ts_payload.c b/src/libcharon/encoding/payloads/ts_payload.c
index 6bf3e4293..28f760e40 100644
--- a/src/libcharon/encoding/payloads/ts_payload.c
+++ b/src/libcharon/encoding/payloads/ts_payload.c
@@ -1,5 +1,6 @@
 /*
- * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005-2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
  *
@@ -25,9 +26,9 @@ typedef struct private_ts_payload_t private_ts_payload_t;
 
 /**
  * Private data of an ts_payload_t object.
- *
  */
 struct private_ts_payload_t {
+
 	/**
 	 * Public ts_payload_t interface.
 	 */
@@ -48,6 +49,16 @@ struct private_ts_payload_t {
 	 */
 	bool critical;
 
+	/**
+	 * reserved bits
+	 */
+	bool reserved_bit[7];
+
+	/**
+	 * reserved bytes
+	 */
+	bool reserved_byte[3];
+
 	/**
 	 * Length of this payload.
 	 */
@@ -56,12 +67,12 @@ struct private_ts_payload_t {
 	/**
 	 * Number of traffic selectors
 	 */
-	u_int8_t number_of_traffic_selectors;
+	u_int8_t ts_num;
 
 	/**
 	 * Contains the traffic selectors of type traffic_selector_substructure_t.
 	 */
-	linked_list_t *traffic_selectors;
+	linked_list_t *substrs;
 };
 
 /**
@@ -69,31 +80,30 @@ struct private_ts_payload_t {
  *
  * The defined offsets are the positions in a object of type
  * private_ts_payload_t.
- *
  */
 encoding_rule_t ts_payload_encodings[] = {
 	/* 1 Byte next payload type, stored in the field next_payload */
-	{ U_INT_8,			offsetof(private_ts_payload_t, next_payload) 				},
+	{ U_INT_8,			offsetof(private_ts_payload_t, next_payload)	},
 	/* the critical bit */
-	{ FLAG,				offsetof(private_ts_payload_t, critical) 					},
-	/* 7 Bit reserved bits, nowhere stored */
-	{ RESERVED_BIT,	0 																},
-	{ RESERVED_BIT,	0 																},
-	{ RESERVED_BIT,	0 																},
-	{ RESERVED_BIT,	0 																},
-	{ RESERVED_BIT,	0 																},
-	{ RESERVED_BIT,	0 																},
-	{ RESERVED_BIT,	0 																},
+	{ FLAG,				offsetof(private_ts_payload_t, critical)		},
+	/* 7 Bit reserved bits */
+	{ RESERVED_BIT,		offsetof(private_ts_payload_t, reserved_bit[0])	},
+	{ RESERVED_BIT,		offsetof(private_ts_payload_t, reserved_bit[1])	},
+	{ RESERVED_BIT,		offsetof(private_ts_payload_t, reserved_bit[2])	},
+	{ RESERVED_BIT,		offsetof(private_ts_payload_t, reserved_bit[3])	},
+	{ RESERVED_BIT,		offsetof(private_ts_payload_t, reserved_bit[4])	},
+	{ RESERVED_BIT,		offsetof(private_ts_payload_t, reserved_bit[5])	},
+	{ RESERVED_BIT,		offsetof(private_ts_payload_t, reserved_bit[6])	},
 	/* Length of the whole payload*/
-	{ PAYLOAD_LENGTH,	offsetof(private_ts_payload_t, payload_length)},
+	{ PAYLOAD_LENGTH,	offsetof(private_ts_payload_t, payload_length)	},
 	/* 1 Byte TS type*/
-	{ U_INT_8,			offsetof(private_ts_payload_t, number_of_traffic_selectors)	},
+	{ U_INT_8,			offsetof(private_ts_payload_t, ts_num)			},
 	/* 3 reserved bytes */
-	{ RESERVED_BYTE,	0 															},
-	{ RESERVED_BYTE,	0 															},
-	{ RESERVED_BYTE,	0 															},
+	{ RESERVED_BYTE,	offsetof(private_ts_payload_t, reserved_byte[0])},
+	{ RESERVED_BYTE,	offsetof(private_ts_payload_t, reserved_byte[1])},
+	{ RESERVED_BYTE,	offsetof(private_ts_payload_t, reserved_byte[2])},
 	/* some ts data bytes, length is defined in PAYLOAD_LENGTH */
-	{ TRAFFIC_SELECTORS,	offsetof(private_ts_payload_t, traffic_selectors)		}
+	{ TRAFFIC_SELECTORS,offsetof(private_ts_payload_t, substrs)			}
 };
 
 /*
@@ -110,71 +120,56 @@ encoding_rule_t ts_payload_encodings[] = {
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 */
 
-/**
- * Implementation of payload_t.verify.
- */
-static status_t verify(private_ts_payload_t *this)
+METHOD(payload_t, verify, status_t,
+	private_ts_payload_t *this)
 {
-	iterator_t *iterator;
-	payload_t *current_traffic_selector;
+	enumerator_t *enumerator;
+	payload_t *substr;
 	status_t status = SUCCESS;
 
-	if (this->number_of_traffic_selectors != (this->traffic_selectors->get_count(this->traffic_selectors)))
+	if (this->ts_num != this->substrs->get_count(this->substrs))
 	{
-		/* must be the same */
 		return FAILED;
 	}
-
-	iterator = this->traffic_selectors->create_iterator(this->traffic_selectors,TRUE);
-	while(iterator->iterate(iterator, (void**)&current_traffic_selector))
+	enumerator = this->substrs->create_enumerator(this->substrs);
+	while (enumerator->enumerate(enumerator, &substr))
 	{
-		status = current_traffic_selector->verify(current_traffic_selector);
+		status = substr->verify(substr);
 		if (status != SUCCESS)
 		{
 			break;
 		}
 	}
-	iterator->destroy(iterator);
+	enumerator->destroy(enumerator);
 
 	return status;
 }
 
-/**
- * Implementation of ts_payload_t.get_encoding_rules.
- */
-static void get_encoding_rules(private_ts_payload_t *this, encoding_rule_t **rules, size_t *rule_count)
+METHOD(payload_t, get_encoding_rules, void,
+	private_ts_payload_t *this, encoding_rule_t **rules, size_t *rule_count)
 {
 	*rules = ts_payload_encodings;
-	*rule_count = sizeof(ts_payload_encodings) / sizeof(encoding_rule_t);
+	*rule_count = countof(ts_payload_encodings);
 }
 
-/**
- * Implementation of payload_t.get_type.
- */
-static payload_type_t get_payload_type(private_ts_payload_t *this)
+METHOD(payload_t, get_type, payload_type_t,
+	private_ts_payload_t *this)
 {
 	if (this->is_initiator)
 	{
 		return TRAFFIC_SELECTOR_INITIATOR;
 	}
-	else
-	{
-		return TRAFFIC_SELECTOR_RESPONDER;
-	}
+	return TRAFFIC_SELECTOR_RESPONDER;
 }
 
-/**
- * Implementation of payload_t.get_next_type.
- */
-static payload_type_t get_next_type(private_ts_payload_t *this)
+METHOD(payload_t, get_next_type, payload_type_t,
+	private_ts_payload_t *this)
 {
-	return (this->next_payload);
+	return this->next_payload;
 }
 
-/**
- * Implementation of payload_t.set_next_type.
- */
-static void set_next_type(private_ts_payload_t *this,payload_type_t type)
+METHOD(payload_t, set_next_type, void,
+	private_ts_payload_t *this,payload_type_t type)
 {
 	this->next_payload = type;
 }
@@ -182,95 +177,64 @@ static void set_next_type(private_ts_payload_t *this,payload_type_t type)
 /**
  * recompute the length of the payload.
  */
-static void compute_length (private_ts_payload_t *this)
+static void compute_length(private_ts_payload_t *this)
 {
-	iterator_t *iterator;
-	size_t ts_count = 0;
-	size_t length = TS_PAYLOAD_HEADER_LENGTH;
-	payload_t *current_traffic_selector;
+	enumerator_t *enumerator;
+	payload_t *subst;
 
-	iterator = this->traffic_selectors->create_iterator(this->traffic_selectors,TRUE);
-	while (iterator->iterate(iterator, (void**)&current_traffic_selector))
+	this->payload_length = TS_PAYLOAD_HEADER_LENGTH;
+	this->ts_num = 0;
+	enumerator = this->substrs->create_enumerator(this->substrs);
+	while (enumerator->enumerate(enumerator, &subst))
 	{
-		length += current_traffic_selector->get_length(current_traffic_selector);
-		ts_count++;
+		this->payload_length += subst->get_length(subst);
+		this->ts_num++;
 	}
-	iterator->destroy(iterator);
-
-	this->number_of_traffic_selectors= ts_count;
-	this->payload_length = length;
+	enumerator->destroy(enumerator);
 }
 
-/**
- * Implementation of payload_t.get_length.
- */
-static size_t get_length(private_ts_payload_t *this)
+METHOD(payload_t, get_length, size_t,
+	private_ts_payload_t *this)
 {
-	compute_length(this);
 	return this->payload_length;
 }
 
-/**
- * Implementation of ts_payload_t.get_initiator.
- */
-static bool get_initiator (private_ts_payload_t *this)
+METHOD(ts_payload_t, get_initiator, bool,
+	private_ts_payload_t *this)
 {
-	return (this->is_initiator);
+	return this->is_initiator;
 }
 
-/**
- * Implementation of ts_payload_t.set_initiator.
- */
-static void set_initiator (private_ts_payload_t *this,bool is_initiator)
+METHOD(ts_payload_t, set_initiator, void,
+	private_ts_payload_t *this,bool is_initiator)
 {
 	this->is_initiator = is_initiator;
 }
 
-/**
- * Implementation of ts_payload_t.add_traffic_selector_substructure.
- */
-static void add_traffic_selector_substructure (private_ts_payload_t *this,traffic_selector_substructure_t *traffic_selector)
-{
-	this->traffic_selectors->insert_last(this->traffic_selectors,traffic_selector);
-	this->number_of_traffic_selectors = this->traffic_selectors->get_count(this->traffic_selectors);
-}
-
-/**
- * Implementation of ts_payload_t.create_traffic_selector_substructure_iterator.
- */
-static iterator_t * create_traffic_selector_substructure_iterator (private_ts_payload_t *this, bool forward)
-{
-	return this->traffic_selectors->create_iterator(this->traffic_selectors,forward);
-}
-
-/**
- * Implementation of ts_payload_t.get_traffic_selectors.
- */
-static linked_list_t *get_traffic_selectors(private_ts_payload_t *this)
+METHOD(ts_payload_t, get_traffic_selectors, linked_list_t*,
+	private_ts_payload_t *this)
 {
 	traffic_selector_t *ts;
-	iterator_t *iterator;
-	traffic_selector_substructure_t *ts_substructure;
-	linked_list_t *ts_list = linked_list_create();
+	enumerator_t *enumerator;
+	traffic_selector_substructure_t *subst;
+	linked_list_t *list;
 
-	iterator = this->traffic_selectors->create_iterator(this->traffic_selectors, TRUE);
-	while (iterator->iterate(iterator, (void**)&ts_substructure))
+	list = linked_list_create();
+	enumerator = this->substrs->create_enumerator(this->substrs);
+	while (enumerator->enumerate(enumerator, &subst))
 	{
-		ts = ts_substructure->get_traffic_selector(ts_substructure);
-		ts_list->insert_last(ts_list, (void*)ts);
+		ts = subst->get_traffic_selector(subst);
+		list->insert_last(list, ts);
 	}
-	iterator->destroy(iterator);
+	enumerator->destroy(enumerator);
 
-	return ts_list;
+	return list;
 }
 
-/**
- * Implementation of payload_t.destroy and ts_payload_t.destroy.
- */
-static void destroy(private_ts_payload_t *this)
+METHOD2(payload_t, ts_payload_t, destroy, void,
+	private_ts_payload_t *this)
 {
-	this->traffic_selectors->destroy_offset(this->traffic_selectors,
-											offsetof(payload_t, destroy));
+	this->substrs->destroy_offset(this->substrs, offsetof(payload_t, destroy));
 	free(this);
 }
 
@@ -279,56 +243,53 @@ static void destroy(private_ts_payload_t *this)
  */
 ts_payload_t *ts_payload_create(bool is_initiator)
 {
-	private_ts_payload_t *this = malloc_thing(private_ts_payload_t);
-
-	/* interface functions */
-	this->public.payload_interface.verify = (status_t (*) (payload_t *))verify;
-	this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules;
-	this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length;
-	this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type;
-	this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
-	this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_payload_type;
-	this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
-
-	/* public functions */
-	this->public.destroy = (void (*) (ts_payload_t *)) destroy;
-	this->public.get_initiator = (bool (*) (ts_payload_t *)) get_initiator;
-	this->public.set_initiator = (void (*) (ts_payload_t *,bool)) set_initiator;
-	this->public.add_traffic_selector_substructure = (void (*) (ts_payload_t *,traffic_selector_substructure_t *)) add_traffic_selector_substructure;
-	this->public.create_traffic_selector_substructure_iterator = (iterator_t* (*) (ts_payload_t *,bool)) create_traffic_selector_substructure_iterator;
-	this->public.get_traffic_selectors = (linked_list_t *(*) (ts_payload_t *)) get_traffic_selectors;
-
-	/* private variables */
-	this->critical = FALSE;
-	this->next_payload = NO_PAYLOAD;
-	this->payload_length =TS_PAYLOAD_HEADER_LENGTH;
-	this->is_initiator = is_initiator;
-	this->number_of_traffic_selectors = 0;
-	this->traffic_selectors = linked_list_create();
+	private_ts_payload_t *this;
 
-	return &(this->public);
+	INIT(this,
+		.public = {
+			.payload_interface = {
+				.verify = _verify,
+				.get_encoding_rules = _get_encoding_rules,
+				.get_length = _get_length,
+				.get_next_type = _get_next_type,
+				.set_next_type = _set_next_type,
+				.get_type = _get_type,
+				.destroy = _destroy,
+			},
+			.get_initiator = _get_initiator,
+			.set_initiator = _set_initiator,
+			.get_traffic_selectors = _get_traffic_selectors,
+			.destroy = _destroy,
+		},
+		.next_payload = NO_PAYLOAD,
+		.payload_length = TS_PAYLOAD_HEADER_LENGTH,
+		.is_initiator = is_initiator,
+		.substrs = linked_list_create(),
+	);
+	return &this->public;
 }
 
 /*
  * Described in header
  */
-ts_payload_t *ts_payload_create_from_traffic_selectors(bool is_initiator, linked_list_t *traffic_selectors)
+ts_payload_t *ts_payload_create_from_traffic_selectors(bool is_initiator,
+											linked_list_t *traffic_selectors)
 {
-	iterator_t *iterator;
+	enumerator_t *enumerator;
 	traffic_selector_t *ts;
-	traffic_selector_substructure_t *ts_substructure;
+	traffic_selector_substructure_t *subst;
 	private_ts_payload_t *this;
 
 	this = (private_ts_payload_t*)ts_payload_create(is_initiator);
 
-	iterator = traffic_selectors->create_iterator(traffic_selectors, TRUE);
-	while (iterator->iterate(iterator, (void**)&ts))
+	enumerator = traffic_selectors->create_enumerator(traffic_selectors);
+	while (enumerator->enumerate(enumerator, &ts))
 	{
-		ts_substructure = traffic_selector_substructure_create_from_traffic_selector(ts);
-		this->public.add_traffic_selector_substructure(&(this->public), ts_substructure);
+		subst = traffic_selector_substructure_create_from_traffic_selector(ts);
+		this->substrs->insert_last(this->substrs, subst);
 	}
-	iterator->destroy(iterator);
+	enumerator->destroy(enumerator);
+	compute_length(this);
 
-	return &(this->public);
+	return &this->public;
 }
-
diff --git a/src/libcharon/encoding/payloads/ts_payload.h b/src/libcharon/encoding/payloads/ts_payload.h
index d322ff1a8..88ca00bc9 100644
--- a/src/libcharon/encoding/payloads/ts_payload.h
+++ b/src/libcharon/encoding/payloads/ts_payload.h
@@ -19,7 +19,6 @@
  * @{ @ingroup payloads
  */
 
-
 #ifndef TS_PAYLOAD_H_
 #define TS_PAYLOAD_H_
 
@@ -36,13 +35,13 @@ typedef struct ts_payload_t ts_payload_t;
  */
 #define TS_PAYLOAD_HEADER_LENGTH 8
 
-
 /**
  * Class representing an IKEv2 TS payload.
  *
  * The TS payload format is described in RFC section 3.13.
  */
 struct ts_payload_t {
+
 	/**
 	 * The payload_t interface.
 	 */
@@ -66,27 +65,6 @@ struct ts_payload_t {
 	 */
 	void (*set_initiator) (ts_payload_t *this,bool is_initiator);
 
-	/**
-	 * Adds a traffic_selector_substructure_t object to this object.
-	 *
-	 * @param traffic_selector  traffic_selector_substructure_t object to add
-	 */
-	void (*add_traffic_selector_substructure) (ts_payload_t *this,
-							traffic_selector_substructure_t *traffic_selector);
-
-	/**
-	 * Creates an iterator of stored traffic_selector_substructure_t objects.
-	 *
-	 * When removing an traffic_selector_substructure_t object
-	 * using this iterator, the length of this payload
-	 * has to get refreshed by calling payload_t.get_length!
-	 *
-	 * @param forward 		iterator direction (TRUE: front to end)
-	 * @return				created iterator_t object
-	 */
-	iterator_t *(*create_traffic_selector_substructure_iterator) (
-											ts_payload_t *this, bool forward);
-
 	/**
 	 * Get a list of nested traffic selectors as traffic_selector_t.
 	 *
@@ -105,19 +83,15 @@ struct ts_payload_t {
 /**
  * Creates an empty ts_payload_t object.
  *
- * @param is_initiator
- * 						- TRUE if this payload is of type TSi
- * 						- FALSE if this payload is of type TSr
- * @return				ts_payload_t object
+ * @param is_initiator		TRUE for TSi, FALSE for TSr payload type
+ * @return					ts_payload_t object
  */
 ts_payload_t *ts_payload_create(bool is_initiator);
 
 /**
  * Creates ts_payload with a list of traffic_selector_t
  *
- * @param is_initiator
- * 							- TRUE if this payload is of type TSi
- * 							- FALSE if this payload is of type TSr
+ * @param is_initiator		TRUE for TSi, FALSE for TSr payload type
  * @param traffic_selectors	list of traffic selectors to include
  * @return					ts_payload_t object
  */
diff --git a/src/libcharon/encoding/payloads/unknown_payload.c b/src/libcharon/encoding/payloads/unknown_payload.c
index dd5547dc3..27af338b3 100644
--- a/src/libcharon/encoding/payloads/unknown_payload.c
+++ b/src/libcharon/encoding/payloads/unknown_payload.c
@@ -18,8 +18,6 @@
 
 #include "unknown_payload.h"
 
-
-
 typedef struct private_unknown_payload_t private_unknown_payload_t;
 
 /**
@@ -32,6 +30,11 @@ struct private_unknown_payload_t {
 	 */
 	unknown_payload_t public;
 
+	/**
+	 * Type of this payload
+	 */
+	payload_type_t type;
+
 	/**
 	 * Next payload type.
 	 */
@@ -42,6 +45,11 @@ struct private_unknown_payload_t {
 	 */
 	bool critical;
 
+	/**
+	 * Reserved bits
+	 */
+	bool reserved[7];
+
 	/**
 	 * Length of this payload.
 	 */
@@ -62,21 +70,21 @@ struct private_unknown_payload_t {
  */
 encoding_rule_t unknown_payload_encodings[] = {
 	/* 1 Byte next payload type, stored in the field next_payload */
-	{ U_INT_8,			offsetof(private_unknown_payload_t, next_payload)},
+	{ U_INT_8,			offsetof(private_unknown_payload_t, next_payload)	},
 	/* the critical bit */
-	{ FLAG,				offsetof(private_unknown_payload_t, critical) 	},
-	/* 7 Bit reserved bits, nowhere stored */
-	{ RESERVED_BIT,	0 													},
-	{ RESERVED_BIT,	0 													},
-	{ RESERVED_BIT,	0 													},
-	{ RESERVED_BIT,	0 													},
-	{ RESERVED_BIT,	0 													},
-	{ RESERVED_BIT,	0 													},
-	{ RESERVED_BIT,	0 													},
+	{ FLAG,				offsetof(private_unknown_payload_t, critical)		},
+	/* 7 Bit reserved bits */
+	{ RESERVED_BIT,		offsetof(private_unknown_payload_t, reserved[0])	},
+	{ RESERVED_BIT,		offsetof(private_unknown_payload_t, reserved[1])	},
+	{ RESERVED_BIT,		offsetof(private_unknown_payload_t, reserved[2])	},
+	{ RESERVED_BIT,		offsetof(private_unknown_payload_t, reserved[3])	},
+	{ RESERVED_BIT,		offsetof(private_unknown_payload_t, reserved[4])	},
+	{ RESERVED_BIT,		offsetof(private_unknown_payload_t, reserved[5])	},
+	{ RESERVED_BIT,		offsetof(private_unknown_payload_t, reserved[6])	},
 	/* Length of the whole payload*/
-	{ PAYLOAD_LENGTH,	offsetof(private_unknown_payload_t, payload_length)},
+	{ PAYLOAD_LENGTH,	offsetof(private_unknown_payload_t, payload_length)	},
 	/* some unknown data bytes, length is defined in PAYLOAD_LENGTH */
-	{ UNKNOWN_DATA,		offsetof(private_unknown_payload_t, data) 		}
+	{ UNKNOWN_DATA,		offsetof(private_unknown_payload_t, data)			},
 };
 
 /*
@@ -91,111 +99,109 @@ encoding_rule_t unknown_payload_encodings[] = {
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 */
 
-/**
- * Implementation of payload_t.verify.
- */
-static status_t verify(private_unknown_payload_t *this)
+METHOD(payload_t, verify, status_t,
+	private_unknown_payload_t *this)
 {
-	/* can't do any checks, so we assume its good */
+	if (this->payload_length != UNKNOWN_PAYLOAD_HEADER_LENGTH + this->data.len)
+	{
+		return FAILED;
+	}
 	return SUCCESS;
 }
 
-/**
- * Implementation of payload_t.get_encoding_rules.
- */
-static void get_encoding_rules(private_unknown_payload_t *this, encoding_rule_t **rules, size_t *rule_count)
+METHOD(payload_t, get_encoding_rules, void,
+	private_unknown_payload_t *this, encoding_rule_t **rules, size_t *rule_count)
 {
 	*rules = unknown_payload_encodings;
 	*rule_count = sizeof(unknown_payload_encodings) / sizeof(encoding_rule_t);
 }
 
-/**
- * Implementation of payload_t.get_type.
- */
-static payload_type_t get_payload_type(private_unknown_payload_t *this)
+METHOD(payload_t, get_payload_type, payload_type_t,
+	private_unknown_payload_t *this)
 {
-	return UNKNOWN_PAYLOAD;
+	return this->type;
 }
 
-/**
- * Implementation of payload_t.get_next_type.
- */
-static payload_type_t get_next_type(private_unknown_payload_t *this)
+METHOD(payload_t, get_next_type, payload_type_t,
+	private_unknown_payload_t *this)
 {
-	return (this->next_payload);
+	return this->next_payload;
 }
 
-/**
- * Implementation of payload_t.set_next_type.
- */
-static void set_next_type(private_unknown_payload_t *this,payload_type_t type)
+METHOD(payload_t, set_next_type, void,
+	private_unknown_payload_t *this,payload_type_t type)
 {
 	this->next_payload = type;
 }
 
-/**
- * Implementation of payload_t.get_length.
- */
-static size_t get_length(private_unknown_payload_t *this)
+METHOD(payload_t, get_length, size_t,
+	private_unknown_payload_t *this)
 {
 	return this->payload_length;
 }
 
-/**
- * Implementation of unknown_payload_t.get_data.
- */
-static bool is_critical(private_unknown_payload_t *this)
+METHOD(unknown_payload_t, is_critical, bool,
+	private_unknown_payload_t *this)
 {
 	return this->critical;
 }
 
-/**
- * Implementation of unknown_payload_t.get_data.
- */
-static chunk_t get_data (private_unknown_payload_t *this)
+METHOD(unknown_payload_t, get_data, chunk_t,
+	private_unknown_payload_t *this)
 {
-	return (this->data);
+	return this->data;
 }
 
-/**
- * Implementation of payload_t.destroy and unknown_payload_t.destroy.
- */
-static void destroy(private_unknown_payload_t *this)
+METHOD2(payload_t, unknown_payload_t, destroy, void,
+	private_unknown_payload_t *this)
 {
-	if (this->data.ptr != NULL)
-	{
-		chunk_free(&(this->data));
-	}
-
+	free(this->data.ptr);
 	free(this);
 }
 
 /*
  * Described in header
  */
-unknown_payload_t *unknown_payload_create()
+unknown_payload_t *unknown_payload_create(payload_type_t type)
+{
+	private_unknown_payload_t *this;
+
+	INIT(this,
+		.public = {
+			.payload_interface = {
+				.verify = _verify,
+				.get_encoding_rules = _get_encoding_rules,
+				.get_length = _get_length,
+				.get_next_type = _get_next_type,
+				.set_next_type = _set_next_type,
+				.get_type = _get_payload_type,
+				.destroy = _destroy,
+			},
+			.is_critical = _is_critical,
+			.get_data = _get_data,
+			.destroy = _destroy,
+		},
+		.next_payload = NO_PAYLOAD,
+		.payload_length = UNKNOWN_PAYLOAD_HEADER_LENGTH,
+		.type = type,
+	);
+
+	return &this->public;
+}
+
+
+/*
+ * Described in header
+ */
+unknown_payload_t *unknown_payload_create_data(payload_type_t type,
+											   bool critical, chunk_t data)
 {
-	private_unknown_payload_t *this = malloc_thing(private_unknown_payload_t);
-
-	/* interface functions */
-	this->public.payload_interface.verify = (status_t (*) (payload_t *))verify;
-	this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules;
-	this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length;
-	this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type;
-	this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
-	this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_payload_type;
-	this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
-
-	/* public functions */
-	this->public.destroy = (void (*) (unknown_payload_t *)) destroy;
-	this->public.is_critical = (bool (*) (unknown_payload_t *)) is_critical;
-	this->public.get_data = (chunk_t (*) (unknown_payload_t *)) get_data;
-
-	/* private variables */
-	this->critical = FALSE;
-	this->next_payload = NO_PAYLOAD;
-	this->payload_length = UNKNOWN_PAYLOAD_HEADER_LENGTH;
-	this->data = chunk_empty;
-
-	return (&(this->public));
+	private_unknown_payload_t *this;
+
+	this = (private_unknown_payload_t*)unknown_payload_create(type);
+	this->data = data;
+	this->critical = critical;
+	this->payload_length = UNKNOWN_PAYLOAD_HEADER_LENGTH + data.len;
+
+	return &this->public;
 }
diff --git a/src/libcharon/encoding/payloads/unknown_payload.h b/src/libcharon/encoding/payloads/unknown_payload.h
index c761ed2b6..5ae85331b 100644
--- a/src/libcharon/encoding/payloads/unknown_payload.h
+++ b/src/libcharon/encoding/payloads/unknown_payload.h
@@ -70,10 +70,22 @@ struct unknown_payload_t {
 };
 
 /**
- * Creates an empty unknown_payload_t object.
+ * Creates an empty unknown_payload_t.
  *
- * @return unknown_payload_t object
+ * @param			type of the payload
+ * @return			unknown_payload_t object
  */
-unknown_payload_t *unknown_payload_create(void);
+unknown_payload_t *unknown_payload_create(payload_type_t type);
+
+/**
+ * Create an unknown payload with data.
+ *
+ * @param type		type of payload to create
+ * @param critical	TRUE to set critical bit
+ * @param data		data to set for this payload, gets owned by payload
+ * @return			payload object
+ */
+unknown_payload_t *unknown_payload_create_data(payload_type_t type,
+											   bool critical, chunk_t data);
 
 #endif /** UNKNOWN_PAYLOAD_H_ @}*/
diff --git a/src/libcharon/encoding/payloads/vendor_id_payload.c b/src/libcharon/encoding/payloads/vendor_id_payload.c
index bf33d2418..e9e80e989 100644
--- a/src/libcharon/encoding/payloads/vendor_id_payload.c
+++ b/src/libcharon/encoding/payloads/vendor_id_payload.c
@@ -1,5 +1,6 @@
 /*
- * Copyright (C) 2005-2009 Martin Willi
+ * Copyright (C) 2005-2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
  *
@@ -40,6 +41,11 @@ struct private_vendor_id_payload_t {
 	 */
 	bool critical;
 
+	/**
+	 * Reserved bits
+	 */
+	bool reserved[7];
+
 	/**
 	 * Length of this payload.
 	 */
@@ -59,21 +65,21 @@ struct private_vendor_id_payload_t {
  */
 encoding_rule_t vendor_id_payload_encodings[] = {
 	/* 1 Byte next payload type, stored in the field next_payload */
-	{ U_INT_8,			offsetof(private_vendor_id_payload_t, next_payload) },
+	{ U_INT_8,			offsetof(private_vendor_id_payload_t, next_payload)	},
 	/* the critical bit */
 	{ FLAG,				offsetof(private_vendor_id_payload_t, critical)		},
 	/* 7 Bit reserved bits, nowhere stored */
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
+	{ RESERVED_BIT,		offsetof(private_vendor_id_payload_t, reserved[0])	},
+	{ RESERVED_BIT,		offsetof(private_vendor_id_payload_t, reserved[1])	},
+	{ RESERVED_BIT,		offsetof(private_vendor_id_payload_t, reserved[2])	},
+	{ RESERVED_BIT,		offsetof(private_vendor_id_payload_t, reserved[3])	},
+	{ RESERVED_BIT,		offsetof(private_vendor_id_payload_t, reserved[4])	},
+	{ RESERVED_BIT,		offsetof(private_vendor_id_payload_t, reserved[5])	},
+	{ RESERVED_BIT,		offsetof(private_vendor_id_payload_t, reserved[6])	},
 	/* Length of the whole payload*/
 	{ PAYLOAD_LENGTH,	offsetof(private_vendor_id_payload_t, payload_length)},
 	/* some vendor_id data bytes, length is defined in PAYLOAD_LENGTH */
-	{ VID_DATA,			offsetof(private_vendor_id_payload_t, data) }
+	{ VID_DATA,			offsetof(private_vendor_id_payload_t, data)			}
 };
 
 /*
@@ -88,68 +94,52 @@ encoding_rule_t vendor_id_payload_encodings[] = {
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 */
 
-/**
- * Implementation of payload_t.verify.
- */
-static status_t verify(private_vendor_id_payload_t *this)
+METHOD(payload_t, verify, status_t,
+	private_vendor_id_payload_t *this)
 {
 	return SUCCESS;
 }
 
-/**
- * Implementation of vendor_id_payload_t.get_encoding_rules.
- */
-static void get_encoding_rules(private_vendor_id_payload_t *this,
-							   encoding_rule_t **rules, size_t *rule_count)
+METHOD(payload_t, get_encoding_rules, void,
+	private_vendor_id_payload_t *this, encoding_rule_t **rules,
+	size_t *rule_count)
 {
 	*rules = vendor_id_payload_encodings;
-	*rule_count = sizeof(vendor_id_payload_encodings) / sizeof(encoding_rule_t);
+	*rule_count = countof(vendor_id_payload_encodings);
 }
 
-/**
- * Implementation of payload_t.get_type.
- */
-static payload_type_t get_payload_type(private_vendor_id_payload_t *this)
+METHOD(payload_t, get_type, payload_type_t,
+	private_vendor_id_payload_t *this)
 {
 	return VENDOR_ID;
 }
 
-/**
- * Implementation of payload_t.get_next_type.
- */
-static payload_type_t get_next_type(private_vendor_id_payload_t *this)
+METHOD(payload_t, get_next_type, payload_type_t,
+	private_vendor_id_payload_t *this)
 {
 	return this->next_payload;
 }
 
-/**
- * Implementation of payload_t.set_next_type.
- */
-static void set_next_type(private_vendor_id_payload_t *this,payload_type_t type)
+METHOD(payload_t, set_next_type, void,
+	private_vendor_id_payload_t *this, payload_type_t type)
 {
 	this->next_payload = type;
 }
 
-/**
- * Implementation of payload_t.get_length.
- */
-static size_t get_length(private_vendor_id_payload_t *this)
+METHOD(payload_t, get_length, size_t,
+	private_vendor_id_payload_t *this)
 {
 	return this->payload_length;
 }
 
-/**
- * Implementation of vendor_id_payload_t.get_data.
- */
-static chunk_t get_data(private_vendor_id_payload_t *this)
+METHOD(vendor_id_payload_t, get_data, chunk_t,
+	private_vendor_id_payload_t *this)
 {
 	return this->data;
 }
 
-/**
- * Implementation of payload_t.destroy and vendor_id_payload_t.destroy.
- */
-static void destroy(private_vendor_id_payload_t *this)
+METHOD2(payload_t, vendor_id_payload_t, destroy, void,
+	private_vendor_id_payload_t *this)
 {
 	free(this->data.ptr);
 	free(this);
@@ -158,38 +148,35 @@ static void destroy(private_vendor_id_payload_t *this)
 /*
  * Described in header
  */
-vendor_id_payload_t *vendor_id_payload_create()
+vendor_id_payload_t *vendor_id_payload_create_data(chunk_t data)
 {
-	private_vendor_id_payload_t *this = malloc_thing(private_vendor_id_payload_t);
-
-	this->public.payload_interface.verify = (status_t (*) (payload_t *))verify;
-	this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules;
-	this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length;
-	this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type;
-	this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
-	this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_payload_type;
-	this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
-	this->public.get_data = (chunk_t (*) (vendor_id_payload_t *)) get_data;
-
-	this->critical = FALSE;
-	this->next_payload = NO_PAYLOAD;
-	this->payload_length = VENDOR_ID_PAYLOAD_HEADER_LENGTH;
-	this->data = chunk_empty;
+	private_vendor_id_payload_t *this;
 
+	INIT(this,
+		.public = {
+			.payload_interface = {
+				.verify = _verify,
+				.get_encoding_rules = _get_encoding_rules,
+				.get_length = _get_length,
+				.get_next_type = _get_next_type,
+				.set_next_type = _set_next_type,
+				.get_type = _get_type,
+				.destroy = _destroy,
+			},
+			.get_data = _get_data,
+			.destroy = _destroy,
+		},
+		.next_payload = NO_PAYLOAD,
+		.payload_length = VENDOR_ID_PAYLOAD_HEADER_LENGTH + data.len,
+		.data = data,
+	);
 	return &this->public;
 }
 
 /*
  * Described in header
  */
-vendor_id_payload_t *vendor_id_payload_create_data(chunk_t data)
+vendor_id_payload_t *vendor_id_payload_create()
 {
-	private_vendor_id_payload_t *this;
-
-	this = (private_vendor_id_payload_t*)vendor_id_payload_create();
-	this->payload_length += data.len;
-	this->data = data;
-
-	return &this->public;
+	return vendor_id_payload_create_data(chunk_empty);
 }
-
diff --git a/src/libcharon/encoding/payloads/vendor_id_payload.h b/src/libcharon/encoding/payloads/vendor_id_payload.h
index 241535cac..4e4e7d8eb 100644
--- a/src/libcharon/encoding/payloads/vendor_id_payload.h
+++ b/src/libcharon/encoding/payloads/vendor_id_payload.h
@@ -50,6 +50,11 @@ struct vendor_id_payload_t {
 	 * @return		VID data, pointing to an internal chunk_t
 	 */
 	chunk_t (*get_data)(vendor_id_payload_t *this);
+
+	/**
+	 * Destroy Vendor ID payload.
+	 */
+	void (*destroy)(vendor_id_payload_t *this);
 };
 
 /**
diff --git a/src/libcharon/plugins/addrblock/Makefile.in b/src/libcharon/plugins/addrblock/Makefile.in
index 426d1a689..018318a59 100644
--- a/src/libcharon/plugins/addrblock/Makefile.in
+++ b/src/libcharon/plugins/addrblock/Makefile.in
@@ -223,9 +223,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -264,6 +262,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libcharon/plugins/addrblock/addrblock_validator.c b/src/libcharon/plugins/addrblock/addrblock_validator.c
index 44ef38d85..12cf0c941 100644
--- a/src/libcharon/plugins/addrblock/addrblock_validator.c
+++ b/src/libcharon/plugins/addrblock/addrblock_validator.c
@@ -1,8 +1,6 @@
 /*
- * Copyright (C) 2010 Martin Willi
- * Copyright (C) 2010 revosec AG
- * Copyright (C) 2009 Andreas Steffen
- * Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2010 Martin Willi, revosec AG
+ * Copyright (C) 2009 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -90,7 +88,8 @@ static bool check_addrblock(x509_t *subject, x509_t *issuer)
 
 METHOD(cert_validator_t, validate, bool,
 	private_addrblock_validator_t *this, certificate_t *subject,
-	certificate_t *issuer, bool online, int pathlen, auth_cfg_t *auth)
+	certificate_t *issuer, bool online, int pathlen, bool anchor,
+	auth_cfg_t *auth)
 {
 	if (subject->get_type(subject) == CERT_X509 &&
 		issuer->get_type(issuer) == CERT_X509)
diff --git a/src/libcharon/plugins/android/Makefile.in b/src/libcharon/plugins/android/Makefile.in
index d80868798..7d6eb2b9c 100644
--- a/src/libcharon/plugins/android/Makefile.in
+++ b/src/libcharon/plugins/android/Makefile.in
@@ -223,9 +223,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -264,6 +262,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libcharon/plugins/android/android_creds.c b/src/libcharon/plugins/android/android_creds.c
index aa7fc6f92..601c91e7b 100644
--- a/src/libcharon/plugins/android/android_creds.c
+++ b/src/libcharon/plugins/android/android_creds.c
@@ -235,7 +235,7 @@ METHOD(android_creds_t, set_username_password, void,
 	DESTROY_IF(this->user);
 	this->user = id->clone(id);
 	free(this->pass);
-	this->pass = password ? strdup(password) : NULL;
+	this->pass = strdupnull(password);
 	this->lock->unlock(this->lock);
 }
 
diff --git a/src/libcharon/plugins/android/android_service.c b/src/libcharon/plugins/android/android_service.c
index f9a8e1ea1..487567f2a 100644
--- a/src/libcharon/plugins/android/android_service.c
+++ b/src/libcharon/plugins/android/android_service.c
@@ -291,8 +291,8 @@ static job_requeue_t initiate(private_android_service_t *this)
 	peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);
 
 	child_cfg = child_cfg_create("android", &lifetime, NULL, TRUE, MODE_TUNNEL,
-								 ACTION_NONE, ACTION_NONE, FALSE, 0, 0,
-								 NULL, NULL);
+								 ACTION_NONE, ACTION_NONE, ACTION_NONE, FALSE,
+								 0, 0, NULL, NULL, 0);
 	child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
 	ts = traffic_selector_create_dynamic(0, 0, 65535);
 	child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
diff --git a/src/libcharon/plugins/dhcp/Makefile.in b/src/libcharon/plugins/dhcp/Makefile.in
index e843c42e8..8046fc052 100644
--- a/src/libcharon/plugins/dhcp/Makefile.in
+++ b/src/libcharon/plugins/dhcp/Makefile.in
@@ -220,9 +220,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -261,6 +259,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libcharon/plugins/dhcp/dhcp_socket.c b/src/libcharon/plugins/dhcp/dhcp_socket.c
index e1e83d648..8851c1b79 100644
--- a/src/libcharon/plugins/dhcp/dhcp_socket.c
+++ b/src/libcharon/plugins/dhcp/dhcp_socket.c
@@ -459,7 +459,7 @@ static void handle_offer(private_dhcp_socket_t *this, dhcp_t *dhcp, int optlen)
 {
 	dhcp_transaction_t *transaction = NULL;
 	enumerator_t *enumerator;
-	host_t *offer, *server;
+	host_t *offer, *server = NULL;
 
 	offer = host_create_from_chunk(AF_INET,
 					chunk_from_thing(dhcp->your_address), 0);
@@ -500,7 +500,7 @@ static void handle_offer(private_dhcp_socket_t *this, dhcp_t *dhcp, int optlen)
 						chunk_create((char*)&option->data[pos], 4));
 				}
 			}
-			if (option->type == DHCP_SERVER_ID && option->len == 4)
+			if (!server && option->type == DHCP_SERVER_ID && option->len == 4)
 			{
 				server = host_create_from_chunk(AF_INET,
 							chunk_create(option->data, 4), DHCP_SERVER_PORT);
@@ -515,12 +515,11 @@ static void handle_offer(private_dhcp_socket_t *this, dhcp_t *dhcp, int optlen)
 		}
 		DBG1(DBG_CFG, "received DHCP OFFER %H from %H", offer, server);
 		transaction->set_address(transaction, offer->clone(offer));
-		transaction->set_server(transaction, server->clone(server));
+		transaction->set_server(transaction, server);
 	}
 	this->mutex->unlock(this->mutex);
 	this->condvar->broadcast(this->condvar);
 	offer->destroy(offer);
-	server->destroy(server);
 }
 
 /**
diff --git a/src/libcharon/plugins/eap_aka/Makefile.in b/src/libcharon/plugins/eap_aka/Makefile.in
index c0750786d..4a23f9010 100644
--- a/src/libcharon/plugins/eap_aka/Makefile.in
+++ b/src/libcharon/plugins/eap_aka/Makefile.in
@@ -223,9 +223,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -264,6 +262,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in b/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in
index 41f69546e..ad1ae1906 100644
--- a/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in
+++ b/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in
@@ -224,9 +224,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -265,6 +263,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libcharon/plugins/eap_gtc/Makefile.in b/src/libcharon/plugins/eap_gtc/Makefile.in
index 02d659197..142a35e50 100644
--- a/src/libcharon/plugins/eap_gtc/Makefile.in
+++ b/src/libcharon/plugins/eap_gtc/Makefile.in
@@ -221,9 +221,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -262,6 +260,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libcharon/plugins/eap_identity/Makefile.in b/src/libcharon/plugins/eap_identity/Makefile.in
index 46011694a..5c1e07ade 100644
--- a/src/libcharon/plugins/eap_identity/Makefile.in
+++ b/src/libcharon/plugins/eap_identity/Makefile.in
@@ -223,9 +223,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -264,6 +262,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libcharon/plugins/eap_md5/Makefile.in b/src/libcharon/plugins/eap_md5/Makefile.in
index 2e307147f..4e01d96cc 100644
--- a/src/libcharon/plugins/eap_md5/Makefile.in
+++ b/src/libcharon/plugins/eap_md5/Makefile.in
@@ -221,9 +221,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -262,6 +260,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libcharon/plugins/eap_mschapv2/Makefile.in b/src/libcharon/plugins/eap_mschapv2/Makefile.in
index 635cfe6ec..495ccf441 100644
--- a/src/libcharon/plugins/eap_mschapv2/Makefile.in
+++ b/src/libcharon/plugins/eap_mschapv2/Makefile.in
@@ -223,9 +223,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -264,6 +262,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libcharon/plugins/eap_radius/Makefile.in b/src/libcharon/plugins/eap_radius/Makefile.in
index 1d771d9a4..99084e2c1 100644
--- a/src/libcharon/plugins/eap_radius/Makefile.in
+++ b/src/libcharon/plugins/eap_radius/Makefile.in
@@ -224,9 +224,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -265,6 +263,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libcharon/plugins/eap_sim/Makefile.in b/src/libcharon/plugins/eap_sim/Makefile.in
index d05930bbd..90f203f61 100644
--- a/src/libcharon/plugins/eap_sim/Makefile.in
+++ b/src/libcharon/plugins/eap_sim/Makefile.in
@@ -223,9 +223,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -264,6 +262,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libcharon/plugins/eap_sim_file/Makefile.in b/src/libcharon/plugins/eap_sim_file/Makefile.in
index 46a584265..3cd766a75 100644
--- a/src/libcharon/plugins/eap_sim_file/Makefile.in
+++ b/src/libcharon/plugins/eap_sim_file/Makefile.in
@@ -224,9 +224,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -265,6 +263,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in b/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in
index 2d8556a59..a48fb652a 100644
--- a/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in
+++ b/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in
@@ -225,9 +225,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -266,6 +264,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libcharon/plugins/eap_simaka_reauth/Makefile.in b/src/libcharon/plugins/eap_simaka_reauth/Makefile.in
index e59015f82..f2af3ae0d 100644
--- a/src/libcharon/plugins/eap_simaka_reauth/Makefile.in
+++ b/src/libcharon/plugins/eap_simaka_reauth/Makefile.in
@@ -224,9 +224,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -265,6 +263,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libcharon/plugins/eap_simaka_sql/Makefile.in b/src/libcharon/plugins/eap_simaka_sql/Makefile.in
index 3c66d2f36..9a58a6055 100644
--- a/src/libcharon/plugins/eap_simaka_sql/Makefile.in
+++ b/src/libcharon/plugins/eap_simaka_sql/Makefile.in
@@ -223,9 +223,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -264,6 +262,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libcharon/plugins/eap_tls/Makefile.in b/src/libcharon/plugins/eap_tls/Makefile.in
index e4b78faf8..9ebb85be9 100644
--- a/src/libcharon/plugins/eap_tls/Makefile.in
+++ b/src/libcharon/plugins/eap_tls/Makefile.in
@@ -222,9 +222,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -263,6 +261,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libcharon/plugins/eap_tnc/Makefile.in b/src/libcharon/plugins/eap_tnc/Makefile.in
index fb7108a8a..cf75585ef 100644
--- a/src/libcharon/plugins/eap_tnc/Makefile.in
+++ b/src/libcharon/plugins/eap_tnc/Makefile.in
@@ -222,9 +222,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -263,6 +261,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libcharon/plugins/eap_tnc/eap_tnc.c b/src/libcharon/plugins/eap_tnc/eap_tnc.c
index f0bff0e1f..dd4ed5322 100644
--- a/src/libcharon/plugins/eap_tnc/eap_tnc.c
+++ b/src/libcharon/plugins/eap_tnc/eap_tnc.c
@@ -18,7 +18,7 @@
 #include <tls_eap.h>
 
 #include <daemon.h>
-#include <library.h>
+#include <debug.h>
 
 typedef struct private_eap_tnc_t private_eap_tnc_t;
 
@@ -114,6 +114,8 @@ static eap_tnc_t *eap_tnc_create(identification_t *server,
 	private_eap_tnc_t *this;
 	size_t frag_size;
 	int max_msg_count;
+	char* protocol;
+	tnccs_type_t type;
 	tnccs_t *tnccs;
 
 	INIT(this,
@@ -133,7 +135,27 @@ static eap_tnc_t *eap_tnc_create(identification_t *server,
 					"charon.plugins.eap-tnc.fragment_size", MAX_FRAGMENT_LEN);
 	max_msg_count = lib->settings->get_int(lib->settings,
 					"charon.plugins.eap-tnc.max_message_count", MAX_MESSAGE_COUNT);
-	tnccs = charon->tnccs->create_instance(charon->tnccs, TNCCS_1_1, is_server);
+	protocol = lib->settings->get_str(lib->settings,
+					"charon.plugins.eap-tnc.protocol", "tnccs-1.1");
+	if (strcaseeq(protocol, "tnccs-2.0"))
+	{
+		type = TNCCS_2_0;
+	}
+	else if (strcaseeq(protocol, "tnccs-1.1"))
+	{
+		type = TNCCS_1_1;
+	}
+	else if (strcaseeq(protocol, "tnccs-dynamic") && is_server)
+	{
+		type = TNCCS_DYNAMIC;
+	}
+	else
+	{
+		DBG1(DBG_TNC, "TNCCS protocol '%s' not supported", protocol);
+		free(this);
+		return NULL;
+	}
+	tnccs = charon->tnccs->create_instance(charon->tnccs, type, is_server);
 	this->tls_eap = tls_eap_create(EAP_TNC, (tls_t*)tnccs, frag_size, max_msg_count);
 	if (!this->tls_eap)
 	{
diff --git a/src/libcharon/plugins/eap_ttls/Makefile.in b/src/libcharon/plugins/eap_ttls/Makefile.in
index 2cdd7701d..ff67686b2 100644
--- a/src/libcharon/plugins/eap_ttls/Makefile.in
+++ b/src/libcharon/plugins/eap_ttls/Makefile.in
@@ -225,9 +225,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -266,6 +264,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libcharon/plugins/eap_ttls/eap_ttls_peer.c b/src/libcharon/plugins/eap_ttls/eap_ttls_peer.c
index 10d08ca2a..29b0a9303 100644
--- a/src/libcharon/plugins/eap_ttls/eap_ttls_peer.c
+++ b/src/libcharon/plugins/eap_ttls/eap_ttls_peer.c
@@ -196,6 +196,7 @@ METHOD(tls_application_t, process, status_t,
 			in->destroy(in);
 			return NEED_MORE;
 		}
+		this->start_phase2 = FALSE;
 	}
 
 	type = this->method->get_type(this->method, &vendor);
diff --git a/src/libcharon/plugins/farp/Makefile.in b/src/libcharon/plugins/farp/Makefile.in
index bfd50d6da..21e8b78db 100644
--- a/src/libcharon/plugins/farp/Makefile.in
+++ b/src/libcharon/plugins/farp/Makefile.in
@@ -220,9 +220,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -261,6 +259,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libcharon/plugins/ha/Makefile.in b/src/libcharon/plugins/ha/Makefile.in
index 3600eb7c6..2fcd7cc82 100644
--- a/src/libcharon/plugins/ha/Makefile.in
+++ b/src/libcharon/plugins/ha/Makefile.in
@@ -222,9 +222,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -263,6 +261,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libcharon/plugins/ha/ha_ctl.c b/src/libcharon/plugins/ha/ha_ctl.c
index 980c0551a..15f7824f9 100644
--- a/src/libcharon/plugins/ha/ha_ctl.c
+++ b/src/libcharon/plugins/ha/ha_ctl.c
@@ -21,8 +21,8 @@
 #include <fcntl.h>
 #include <unistd.h>
 #include <errno.h>
-#include <pthread.h>
 
+#include <threading/thread.h>
 #include <processing/jobs/callback_job.h>
 
 #define HA_FIFO IPSEC_PIDDIR "/charon.ha"
@@ -60,13 +60,14 @@ struct private_ha_ctl_t {
  */
 static job_requeue_t dispatch_fifo(private_ha_ctl_t *this)
 {
-	int fifo, old;
+	int fifo;
+	bool oldstate;
 	char buf[8];
 	u_int segment;
 
-	pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &old);
+	oldstate = thread_cancelability(TRUE);
 	fifo = open(HA_FIFO, O_RDONLY);
-	pthread_setcancelstate(old, NULL);
+	thread_cancelability(oldstate);
 	if (fifo == -1)
 	{
 		DBG1(DBG_CFG, "opening HA fifo failed: %s", strerror(errno));
diff --git a/src/libcharon/plugins/ha/ha_dispatcher.c b/src/libcharon/plugins/ha/ha_dispatcher.c
index b46a221bd..85dc0f4a4 100644
--- a/src/libcharon/plugins/ha/ha_dispatcher.c
+++ b/src/libcharon/plugins/ha/ha_dispatcher.c
@@ -596,9 +596,9 @@ static void process_child_add(private_ha_dispatcher_t *this,
 	if (initiator)
 	{
 		if (child_sa->install(child_sa, encr_r, integ_r, inbound_spi,
-						inbound_cpi, TRUE, local_ts, remote_ts) != SUCCESS ||
+					inbound_cpi, TRUE, TRUE, local_ts, remote_ts) != SUCCESS ||
 			child_sa->install(child_sa, encr_i, integ_i, outbound_spi,
-						outbound_cpi, FALSE, local_ts, remote_ts) != SUCCESS)
+					outbound_cpi, FALSE, TRUE, local_ts, remote_ts) != SUCCESS)
 		{
 			failed = TRUE;
 		}
@@ -606,9 +606,9 @@ static void process_child_add(private_ha_dispatcher_t *this,
 	else
 	{
 		if (child_sa->install(child_sa, encr_i, integ_i, inbound_spi,
-						inbound_cpi, TRUE, local_ts, remote_ts) != SUCCESS ||
+					inbound_cpi, TRUE, TRUE, local_ts, remote_ts) != SUCCESS ||
 			child_sa->install(child_sa, encr_r, integ_r, outbound_spi,
-						outbound_cpi, FALSE, local_ts, remote_ts) != SUCCESS)
+					outbound_cpi, FALSE, TRUE, local_ts, remote_ts) != SUCCESS)
 		{
 			failed = TRUE;
 		}
diff --git a/src/libcharon/plugins/ha/ha_segments.c b/src/libcharon/plugins/ha/ha_segments.c
index 19e0f692e..7c7bef851 100644
--- a/src/libcharon/plugins/ha/ha_segments.c
+++ b/src/libcharon/plugins/ha/ha_segments.c
@@ -15,11 +15,10 @@
 
 #include "ha_segments.h"
 
-#include <pthread.h>
-
 #include <threading/mutex.h>
 #include <threading/condvar.h>
 #include <utils/linked_list.h>
+#include <threading/thread.h>
 #include <processing/jobs/callback_job.h>
 
 #define DEFAULT_HEARTBEAT_DELAY 1000
@@ -255,16 +254,15 @@ METHOD(listener_t, alert_hook, bool,
  */
 static job_requeue_t watchdog(private_ha_segments_t *this)
 {
-	int oldstate;
-	bool timeout;
+	bool timeout, oldstate;
 
 	this->mutex->lock(this->mutex);
-	pthread_cleanup_push((void*)this->mutex->unlock, this->mutex);
-	pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
+	thread_cleanup_push((void*)this->mutex->unlock, this->mutex);
+	oldstate = thread_cancelability(TRUE);
 	timeout = this->condvar->timed_wait(this->condvar, this->mutex,
 										this->heartbeat_timeout);
-	pthread_setcancelstate(oldstate, NULL);
-	pthread_cleanup_pop(TRUE);
+	thread_cancelability(oldstate);
+	thread_cleanup_pop(TRUE);
 	if (timeout)
 	{
 		DBG1(DBG_CFG, "no heartbeat received, taking all segments");
diff --git a/src/libcharon/plugins/ha/ha_socket.c b/src/libcharon/plugins/ha/ha_socket.c
index 614c70ed3..086178442 100644
--- a/src/libcharon/plugins/ha/ha_socket.c
+++ b/src/libcharon/plugins/ha/ha_socket.c
@@ -20,10 +20,10 @@
 #include <sys/socket.h>
 #include <errno.h>
 #include <unistd.h>
-#include <pthread.h>
 
 #include <daemon.h>
 #include <utils/host.h>
+#include <threading/thread.h>
 #include <processing/jobs/callback_job.h>
 
 typedef struct private_ha_socket_t private_ha_socket_t;
@@ -121,12 +121,12 @@ METHOD(ha_socket_t, pull, ha_message_t*,
 	{
 		ha_message_t *message;
 		char buf[1024];
-		int oldstate;
+		bool oldstate;
 		ssize_t len;
 
-		pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
+		oldstate = thread_cancelability(TRUE);
 		len = recv(this->fd, buf, sizeof(buf), 0);
-		pthread_setcancelstate(oldstate, NULL);
+		thread_cancelability(oldstate);
 		if (len <= 0)
 		{
 			switch (errno)
diff --git a/src/libcharon/plugins/ha/ha_tunnel.c b/src/libcharon/plugins/ha/ha_tunnel.c
index fef84a430..299053ec1 100644
--- a/src/libcharon/plugins/ha/ha_tunnel.c
+++ b/src/libcharon/plugins/ha/ha_tunnel.c
@@ -223,8 +223,8 @@ static void setup_tunnel(private_ha_tunnel_t *this,
 	peer_cfg->add_auth_cfg(peer_cfg, auth_cfg, FALSE);
 
 	child_cfg = child_cfg_create("ha", &lifetime, NULL, TRUE, MODE_TRANSPORT,
-					 			 ACTION_NONE, ACTION_NONE, FALSE, 0, 0,
-								 NULL, NULL);
+								 ACTION_NONE, ACTION_NONE, ACTION_NONE, FALSE,
+								 0, 0, NULL, NULL, 0);
 	ts = traffic_selector_create_dynamic(IPPROTO_UDP, HA_PORT, HA_PORT);
 	child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
 	ts = traffic_selector_create_dynamic(IPPROTO_ICMP, 0, 65535);
diff --git a/src/libcharon/plugins/led/Makefile.in b/src/libcharon/plugins/led/Makefile.in
index a4e529d89..fa1194fd0 100644
--- a/src/libcharon/plugins/led/Makefile.in
+++ b/src/libcharon/plugins/led/Makefile.in
@@ -219,9 +219,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -260,6 +258,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libcharon/plugins/load_tester/Makefile.in b/src/libcharon/plugins/load_tester/Makefile.in
index 85db9a10b..c921ec3db 100644
--- a/src/libcharon/plugins/load_tester/Makefile.in
+++ b/src/libcharon/plugins/load_tester/Makefile.in
@@ -225,9 +225,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -266,6 +264,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libcharon/plugins/load_tester/load_tester_config.c b/src/libcharon/plugins/load_tester/load_tester_config.c
index a230aa3f5..71391d593 100644
--- a/src/libcharon/plugins/load_tester/load_tester_config.c
+++ b/src/libcharon/plugins/load_tester/load_tester_config.c
@@ -224,8 +224,8 @@ static peer_cfg_t* generate_config(private_load_tester_config_t *this, uint num)
 	}
 
 	child_cfg = child_cfg_create("load-test", &lifetime, NULL, TRUE, MODE_TUNNEL,
-								 ACTION_NONE, ACTION_NONE, FALSE, 0, 0,
-								 NULL, NULL);
+								 ACTION_NONE, ACTION_NONE, ACTION_NONE, FALSE,
+								 0, 0, NULL, NULL, 0);
 	proposal = proposal_create_from_string(PROTO_ESP, "aes128-sha1");
 	child_cfg->add_proposal(child_cfg, proposal);
 	ts = traffic_selector_create_dynamic(0, 0, 65535);
diff --git a/src/libcharon/plugins/load_tester/load_tester_ipsec.c b/src/libcharon/plugins/load_tester/load_tester_ipsec.c
index aece95e12..ef9d7f9ef 100644
--- a/src/libcharon/plugins/load_tester/load_tester_ipsec.c
+++ b/src/libcharon/plugins/load_tester/load_tester_ipsec.c
@@ -52,7 +52,7 @@ METHOD(kernel_ipsec_t, get_cpi, status_t,
 METHOD(kernel_ipsec_t, add_sa, status_t,
 	   private_load_tester_ipsec_t *this, host_t *src, host_t *dst,
 	   u_int32_t spi, u_int8_t protocol, u_int32_t reqid, mark_t mark,
-	   lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
+	   u_int32_t tfc, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
 	   u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp,
 	   u_int16_t cpi, bool encap, bool inbound, traffic_selector_t *src_ts,
 	   traffic_selector_t *dst_ts)
diff --git a/src/libcharon/plugins/load_tester/load_tester_plugin.c b/src/libcharon/plugins/load_tester/load_tester_plugin.c
index cb9b80c7f..8fd65adfa 100644
--- a/src/libcharon/plugins/load_tester/load_tester_plugin.c
+++ b/src/libcharon/plugins/load_tester/load_tester_plugin.c
@@ -28,6 +28,8 @@
 #include <threading/condvar.h>
 #include <threading/mutex.h>
 
+static const char *plugin_name = "load_tester";
+
 typedef struct private_load_tester_plugin_t private_load_tester_plugin_t;
 
 /**
@@ -189,7 +191,7 @@ plugin_t *load_tester_plugin_create()
 	this = malloc_thing(private_load_tester_plugin_t);
 	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
 
-	lib->crypto->add_dh(lib->crypto, MODP_NULL,
+	lib->crypto->add_dh(lib->crypto, MODP_NULL, plugin_name,
 						(dh_constructor_t)load_tester_diffie_hellman_create);
 
 	this->delay = lib->settings->get_int(lib->settings,
diff --git a/src/libcharon/plugins/maemo/Makefile.am b/src/libcharon/plugins/maemo/Makefile.am
index ed6c76c0f..0bf7fad5d 100644
--- a/src/libcharon/plugins/maemo/Makefile.am
+++ b/src/libcharon/plugins/maemo/Makefile.am
@@ -19,5 +19,9 @@ libstrongswan_maemo_la_LIBADD  = ${maemo_LIBS}
 
 dbusservice_DATA = org.strongswan.charon.service
 
-EXTRA_DIST = $(dbusservice_DATA)
+org.strongswan.charon.service: $(srcdir)/org.strongswan.charon.service.in
+	sed -e 's|[@]LIBEXECDIR[@]|$(libexecdir)|' $< >$@
+
+EXTRA_DIST = org.strongswan.charon.service.in
+CLEANFILES = $(dbusservice_DATA)
 
diff --git a/src/libcharon/plugins/maemo/Makefile.in b/src/libcharon/plugins/maemo/Makefile.in
index 978950d22..0ca1fa436 100644
--- a/src/libcharon/plugins/maemo/Makefile.in
+++ b/src/libcharon/plugins/maemo/Makefile.in
@@ -224,9 +224,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -265,6 +263,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
@@ -288,7 +288,8 @@ libstrongswan_maemo_la_SOURCES = \
 libstrongswan_maemo_la_LDFLAGS = -module -avoid-version
 libstrongswan_maemo_la_LIBADD = ${maemo_LIBS}
 dbusservice_DATA = org.strongswan.charon.service
-EXTRA_DIST = $(dbusservice_DATA)
+EXTRA_DIST = org.strongswan.charon.service.in
+CLEANFILES = $(dbusservice_DATA)
 all: all-am
 
 .SUFFIXES:
@@ -528,6 +529,7 @@ install-strip:
 mostlyclean-generic:
 
 clean-generic:
+	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
 
 distclean-generic:
 	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
@@ -626,6 +628,9 @@ uninstall-am: uninstall-dbusserviceDATA uninstall-pluginLTLIBRARIES
 	uninstall-pluginLTLIBRARIES
 
 
+org.strongswan.charon.service: $(srcdir)/org.strongswan.charon.service.in
+	sed -e 's|[@]LIBEXECDIR[@]|$(libexecdir)|' $< >$@
+
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/src/libcharon/plugins/maemo/maemo_service.c b/src/libcharon/plugins/maemo/maemo_service.c
index efd914a00..0e9fd8ccc 100644
--- a/src/libcharon/plugins/maemo/maemo_service.c
+++ b/src/libcharon/plugins/maemo/maemo_service.c
@@ -115,12 +115,11 @@ METHOD(listener_t, ike_updown, bool,
 	return TRUE;
 }
 
-METHOD(listener_t, child_state_change, bool,
-	   private_maemo_service_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa,
-	   child_sa_state_t state)
+METHOD(listener_t, ike_state_change, bool,
+	   private_maemo_service_t *this, ike_sa_t *ike_sa, ike_sa_state_t state)
 {
 	/* this call back is only registered during initiation */
-	if (this->ike_sa == ike_sa && state == CHILD_DESTROYING)
+	if (this->ike_sa == ike_sa && state == IKE_DESTROYING)
 	{
 		change_status(this, VPN_STATUS_CONNECTION_FAILED);
 		return FALSE;
@@ -138,7 +137,7 @@ METHOD(listener_t, child_updown, bool,
 		{
 			/* disable hooks registered to catch initiation failures */
 			this->public.listener.ike_updown = NULL;
-			this->public.listener.child_state_change = NULL;
+			this->public.listener.ike_state_change = NULL;
 			change_status(this, VPN_STATUS_CONNECTED);
 		}
 		else
@@ -347,7 +346,7 @@ static gboolean initiate_connection(private_maemo_service_t *this,
 
 	child_cfg = child_cfg_create(this->current, &lifetime, NULL /* updown */,
 								 TRUE, MODE_TUNNEL, ACTION_NONE, ACTION_NONE,
-								 FALSE, 0, 0, NULL, NULL);
+								 ACTION_NONE, FALSE, 0, 0, NULL, NULL, 0);
 	child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
 	ts = traffic_selector_create_dynamic(0, 0, 65535);
 	child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
@@ -371,7 +370,7 @@ static gboolean initiate_connection(private_maemo_service_t *this,
 	this->ike_sa = ike_sa;
 	this->status = VPN_STATUS_CONNECTING;
 	this->public.listener.ike_updown = _ike_updown;
-	this->public.listener.child_state_change = _child_state_change;
+	this->public.listener.ike_state_change = _ike_state_change;
 	charon->bus->add_listener(charon->bus, &this->public.listener);
 
 	if (ike_sa->initiate(ike_sa, child_cfg, 0, NULL, NULL) != SUCCESS)
@@ -464,7 +463,7 @@ maemo_service_t *maemo_service_create()
 		.public = {
 			.listener = {
 				.ike_updown = _ike_updown,
-				.child_state_change = _child_state_change,
+				.ike_state_change = _ike_state_change,
 				.child_updown = _child_updown,
 				.ike_rekey = _ike_rekey,
 			},
diff --git a/src/libcharon/plugins/maemo/org.strongswan.charon.service b/src/libcharon/plugins/maemo/org.strongswan.charon.service
deleted file mode 100644
index 7dd31ed60..000000000
--- a/src/libcharon/plugins/maemo/org.strongswan.charon.service
+++ /dev/null
@@ -1,4 +0,0 @@
-[D-BUS Service]
-Name=org.strongswan.charon
-Exec=/usr/bin/run-standalone.sh /usr/libexec/ipsec/charon
-User=root
diff --git a/src/libcharon/plugins/maemo/org.strongswan.charon.service.in b/src/libcharon/plugins/maemo/org.strongswan.charon.service.in
new file mode 100644
index 000000000..8fa83af93
--- /dev/null
+++ b/src/libcharon/plugins/maemo/org.strongswan.charon.service.in
@@ -0,0 +1,4 @@
+[D-BUS Service]
+Name=org.strongswan.charon
+Exec=/usr/bin/run-standalone.sh @LIBEXECDIR@/ipsec/charon
+User=root
diff --git a/src/libcharon/plugins/medcli/Makefile.in b/src/libcharon/plugins/medcli/Makefile.in
index 6dcbc99dd..372a436a6 100644
--- a/src/libcharon/plugins/medcli/Makefile.in
+++ b/src/libcharon/plugins/medcli/Makefile.in
@@ -222,9 +222,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -263,6 +261,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libcharon/plugins/medcli/medcli_config.c b/src/libcharon/plugins/medcli/medcli_config.c
index 870d87c7e..b5672dba9 100644
--- a/src/libcharon/plugins/medcli/medcli_config.c
+++ b/src/libcharon/plugins/medcli/medcli_config.c
@@ -182,8 +182,8 @@ static peer_cfg_t *get_peer_cfg_by_name(private_medcli_config_t *this, char *nam
 	peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);
 
 	child_cfg = child_cfg_create(name, &lifetime, NULL, TRUE, MODE_TUNNEL,
-								 ACTION_NONE, ACTION_NONE, FALSE, 0, 0,
-								 NULL, NULL);
+								 ACTION_NONE, ACTION_NONE, ACTION_NONE, FALSE,
+								 0, 0, NULL, NULL, 0);
 	child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
 	child_cfg->add_traffic_selector(child_cfg, TRUE, ts_from_string(local_net));
 	child_cfg->add_traffic_selector(child_cfg, FALSE, ts_from_string(remote_net));
@@ -261,8 +261,8 @@ static bool peer_enumerator_enumerate(peer_enumerator_t *this, peer_cfg_t **cfg)
 	this->current->add_auth_cfg(this->current, auth, FALSE);
 
 	child_cfg = child_cfg_create(name, &lifetime, NULL, TRUE, MODE_TUNNEL,
-								 ACTION_NONE, ACTION_NONE, FALSE, 0, 0,
-								 NULL, NULL);
+								 ACTION_NONE, ACTION_NONE, ACTION_NONE, FALSE,
+								 0, 0, NULL, NULL, 0);
 	child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
 	child_cfg->add_traffic_selector(child_cfg, TRUE, ts_from_string(local_net));
 	child_cfg->add_traffic_selector(child_cfg, FALSE, ts_from_string(remote_net));
diff --git a/src/libcharon/plugins/medsrv/Makefile.in b/src/libcharon/plugins/medsrv/Makefile.in
index f6db7d834..4bb65bd09 100644
--- a/src/libcharon/plugins/medsrv/Makefile.in
+++ b/src/libcharon/plugins/medsrv/Makefile.in
@@ -222,9 +222,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -263,6 +261,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libcharon/plugins/nm/Makefile.in b/src/libcharon/plugins/nm/Makefile.in
index 2f5c20971..69af7bf83 100644
--- a/src/libcharon/plugins/nm/Makefile.in
+++ b/src/libcharon/plugins/nm/Makefile.in
@@ -221,9 +221,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -262,6 +260,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libcharon/plugins/nm/nm_creds.c b/src/libcharon/plugins/nm/nm_creds.c
index 638787019..ea98c056d 100644
--- a/src/libcharon/plugins/nm/nm_creds.c
+++ b/src/libcharon/plugins/nm/nm_creds.c
@@ -400,7 +400,7 @@ static void set_username_password(private_nm_creds_t *this, identification_t *id
 	DESTROY_IF(this->user);
 	this->user = id->clone(id);
 	free(this->pass);
-	this->pass = password ? strdup(password) : NULL;
+	this->pass = strdupnull(password);
 	this->lock->unlock(this->lock);
 }
 
@@ -411,7 +411,7 @@ static void set_key_password(private_nm_creds_t *this, char *password)
 {
 	this->lock->write_lock(this->lock);
 	free(this->keypass);
-	this->keypass = password ? strdup(password) : NULL;
+	this->keypass = strdupnull(password);
 	this->lock->unlock(this->lock);
 }
 
@@ -423,7 +423,7 @@ static void set_pin(private_nm_creds_t *this, chunk_t keyid, char *pin)
 	this->lock->write_lock(this->lock);
 	free(this->keypass);
 	free(this->keyid.ptr);
-	this->keypass = pin ? strdup(pin) : NULL;
+	this->keypass = strdupnull(pin);
 	this->keyid = chunk_clone(keyid);
 	this->lock->unlock(this->lock);
 }
diff --git a/src/libcharon/plugins/nm/nm_service.c b/src/libcharon/plugins/nm/nm_service.c
index 72c5bbbb5..4300b57cf 100644
--- a/src/libcharon/plugins/nm/nm_service.c
+++ b/src/libcharon/plugins/nm/nm_service.c
@@ -518,8 +518,8 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
 
 	child_cfg = child_cfg_create(priv->name, &lifetime,
 								 NULL, TRUE, MODE_TUNNEL, /* updown, hostaccess */
-								 ACTION_NONE, ACTION_NONE, ipcomp, 0, 0,
-								 NULL, NULL);
+								 ACTION_NONE, ACTION_NONE, ACTION_NONE, ipcomp,
+								 0, 0, NULL, NULL, 0);
 	child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
 	ts = traffic_selector_create_dynamic(0, 0, 65535);
 	child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
diff --git a/src/libcharon/plugins/smp/Makefile.in b/src/libcharon/plugins/smp/Makefile.in
index f24e2d1e7..3d2cef13c 100644
--- a/src/libcharon/plugins/smp/Makefile.in
+++ b/src/libcharon/plugins/smp/Makefile.in
@@ -220,9 +220,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -261,6 +259,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libcharon/plugins/socket_default/Makefile.in b/src/libcharon/plugins/socket_default/Makefile.in
index bd85386b2..b82372e30 100644
--- a/src/libcharon/plugins/socket_default/Makefile.in
+++ b/src/libcharon/plugins/socket_default/Makefile.in
@@ -223,9 +223,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -264,6 +262,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libcharon/plugins/socket_dynamic/Makefile.in b/src/libcharon/plugins/socket_dynamic/Makefile.in
index 8e0790671..7a49088b2 100644
--- a/src/libcharon/plugins/socket_dynamic/Makefile.in
+++ b/src/libcharon/plugins/socket_dynamic/Makefile.in
@@ -223,9 +223,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -264,6 +262,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libcharon/plugins/socket_raw/Makefile.in b/src/libcharon/plugins/socket_raw/Makefile.in
index 5f4cba131..744b12fcf 100644
--- a/src/libcharon/plugins/socket_raw/Makefile.in
+++ b/src/libcharon/plugins/socket_raw/Makefile.in
@@ -223,9 +223,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -264,6 +262,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libcharon/plugins/sql/Makefile.in b/src/libcharon/plugins/sql/Makefile.in
index 7c4521785..4244d3b5e 100644
--- a/src/libcharon/plugins/sql/Makefile.in
+++ b/src/libcharon/plugins/sql/Makefile.in
@@ -220,9 +220,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -261,6 +259,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libcharon/plugins/sql/sql_config.c b/src/libcharon/plugins/sql/sql_config.c
index a47d93f7b..dc016012c 100644
--- a/src/libcharon/plugins/sql/sql_config.c
+++ b/src/libcharon/plugins/sql/sql_config.c
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2006-2008 Martin Willi
+ * Copyright (C) 2010 Andreas Steffen
  * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -38,13 +39,13 @@ struct private_sql_config_t {
 };
 
 /**
- * forward declaration
+ * Forward declaration
  */
 static peer_cfg_t *build_peer_cfg(private_sql_config_t *this, enumerator_t *e,
 								  identification_t *me, identification_t *other);
 
 /**
- * build a traffic selector from a SQL query
+ * Build a traffic selector from an SQL query
  */
 static traffic_selector_t *build_traffic_selector(private_sql_config_t *this,
 												  enumerator_t *e, bool *local)
@@ -119,24 +120,62 @@ static void add_traffic_selectors(private_sql_config_t *this,
 }
 
 /**
- * build a Child configuration from a SQL query
+ * Add ESP proposals to a child config
+ */
+static void add_esp_proposals(private_sql_config_t *this,
+							  child_cfg_t *child, int id)
+{
+	enumerator_t *e;
+	proposal_t *proposal;
+	char *prop;
+	bool use_default = TRUE;
+
+	e = this->db->query(this->db,
+			"SELECT proposal "
+			"FROM proposals JOIN child_config_proposal ON id = prop "
+			"WHERE child_cfg = ? ORDER BY prio",
+			DB_INT, id, DB_TEXT);
+	if (e)
+	{
+		while (e->enumerate(e, &prop))
+		{
+			proposal = proposal_create_from_string(PROTO_ESP, prop);
+			if (!proposal)
+			{
+				DBG1(DBG_CFG, "could not create ESP proposal from '%s'", prop);
+				break;
+			}
+			child->add_proposal(child, proposal);
+			use_default = FALSE;
+		}
+		e->destroy(e);
+	}
+	if (use_default)
+	{
+		child->add_proposal(child, proposal_create_default(PROTO_ESP));
+	}
+}
+
+/**
+ * Build a child config from an SQL query
  */
 static child_cfg_t *build_child_cfg(private_sql_config_t *this, enumerator_t *e)
 {
-	int id, lifetime, rekeytime, jitter, hostaccess, mode, dpd, close, ipcomp;
+	int id, lifetime, rekeytime, jitter, hostaccess, mode, ipcomp, reqid;
+	int start, dpd, close;
 	char *name, *updown;
 	child_cfg_t *child_cfg;
 
-	if (e->enumerate(e, &id, &name, &lifetime, &rekeytime, &jitter,
-						&updown, &hostaccess, &mode, &dpd, &close, &ipcomp))
+	if (e->enumerate(e, &id, &name, &lifetime, &rekeytime, &jitter, &updown,
+						&hostaccess, &mode, &start, &dpd, &close, &ipcomp, &reqid))
 	{
 		lifetime_cfg_t lft = {
 			.time = { .life = lifetime, .rekey = rekeytime, .jitter = jitter }
 		};
 		child_cfg = child_cfg_create(name, &lft, updown, hostaccess, mode,
-									 dpd, close, ipcomp, 0, 0, NULL, NULL);
-		/* TODO: read proposal from db */
-		child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
+									 start, dpd, close, ipcomp, 0, reqid,
+									 NULL, NULL, 0);
+		add_esp_proposals(this, child_cfg, id);
 		add_traffic_selectors(this, child_cfg, id);
 		return child_cfg;
 	}
@@ -152,13 +191,13 @@ static void add_child_cfgs(private_sql_config_t *this, peer_cfg_t *peer, int id)
 	child_cfg_t *child_cfg;
 
 	e = this->db->query(this->db,
-			"SELECT id, name, lifetime, rekeytime, jitter, "
-			"updown, hostaccess, mode, dpd_action, close_action, ipcomp "
+			"SELECT id, name, lifetime, rekeytime, jitter, updown, hostaccess, "
+			"mode, start_action, dpd_action, close_action, ipcomp, reqid "
 			"FROM child_configs JOIN peer_config_child_config ON id = child_cfg "
 			"WHERE peer_cfg = ?",
 			DB_INT, id,
-			DB_INT, DB_TEXT, DB_INT, DB_INT, DB_INT,
-			DB_TEXT, DB_INT, DB_INT, DB_INT, DB_INT, DB_INT);
+			DB_INT, DB_TEXT, DB_INT, DB_INT, DB_INT, DB_TEXT, DB_INT,
+			DB_INT, DB_INT, DB_INT, DB_INT, DB_INT, DB_INT);
 	if (e)
 	{
 		while ((child_cfg = build_child_cfg(this, e)))
@@ -170,29 +209,65 @@ static void add_child_cfgs(private_sql_config_t *this, peer_cfg_t *peer, int id)
 }
 
 /**
- * build a ike configuration from a SQL query
+ * Add IKE proposals to an IKE config
+ */
+static void add_ike_proposals(private_sql_config_t *this,
+							  ike_cfg_t *ike_cfg, int id)
+{
+	enumerator_t *e;
+	proposal_t *proposal;
+	char *prop;
+	bool use_default = TRUE;
+
+	e = this->db->query(this->db,
+			"SELECT proposal "
+			"FROM proposals JOIN ike_config_proposal ON id = prop "
+			"WHERE ike_cfg = ? ORDER BY prio",
+			DB_INT, id, DB_TEXT);
+	if (e)
+	{
+		while (e->enumerate(e, &prop))
+		{
+			proposal = proposal_create_from_string(PROTO_IKE, prop);
+			if (!proposal)
+			{
+				DBG1(DBG_CFG, "could not create IKE proposal from '%s'", prop);
+				break;
+			}
+			ike_cfg->add_proposal(ike_cfg, proposal);
+			use_default = FALSE;
+		}
+		e->destroy(e);
+	}
+	if (use_default)
+	{
+		ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
+	}
+}
+
+/**
+ * Build an IKE config from an SQL query
  */
 static ike_cfg_t *build_ike_cfg(private_sql_config_t *this, enumerator_t *e,
 								host_t *my_host, host_t *other_host)
 {
-	int certreq, force_encap;
+	int id, certreq, force_encap;
 	char *local, *remote;
 
-	while (e->enumerate(e, &certreq, &force_encap, &local, &remote))
+	while (e->enumerate(e, &id, &certreq, &force_encap, &local, &remote))
 	{
 		ike_cfg_t *ike_cfg;
 
 		ike_cfg = ike_cfg_create(certreq, force_encap,
 								 local, IKEV2_UDP_PORT, remote, IKEV2_UDP_PORT);
-		/* TODO: read proposal from db */
-		ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
+		add_ike_proposals(this, ike_cfg, id);
 		return ike_cfg;
 	}
 	return NULL;
 }
 
 /**
- * Query a IKE config by its id
+ * Query an IKE config by its id
  */
 static ike_cfg_t* get_ike_cfg_by_id(private_sql_config_t *this, int id)
 {
@@ -200,10 +275,10 @@ static ike_cfg_t* get_ike_cfg_by_id(private_sql_config_t *this, int id)
 	ike_cfg_t *ike_cfg = NULL;
 
 	e = this->db->query(this->db,
-			"SELECT certreq, force_encap, local, remote "
+			"SELECT id, certreq, force_encap, local, remote "
 			"FROM ike_configs WHERE id = ?",
 			DB_INT, id,
-			DB_INT, DB_INT, DB_TEXT, DB_TEXT);
+			DB_INT, DB_INT, DB_INT, DB_TEXT, DB_TEXT);
 	if (e)
 	{
 		ike_cfg = build_ike_cfg(this, e, NULL, NULL);
@@ -246,7 +321,7 @@ static peer_cfg_t *get_peer_cfg_by_id(private_sql_config_t *this, int id)
 }
 
 /**
- * build a peer configuration from a SQL query
+ * Build a peer config from an SQL query
  */
 static peer_cfg_t *build_peer_cfg(private_sql_config_t *this, enumerator_t *e,
 								  identification_t *me, identification_t *other)
@@ -325,10 +400,8 @@ static peer_cfg_t *build_peer_cfg(private_sql_config_t *this, enumerator_t *e,
 	return NULL;
 }
 
-/**
- * implements backend_t.get_peer_cfg_by_name.
- */
-static peer_cfg_t *get_peer_cfg_by_name(private_sql_config_t *this, char *name)
+METHOD(backend_t, get_peer_cfg_by_name, peer_cfg_t*,
+	private_sql_config_t *this, char *name)
 {
 	enumerator_t *e;
 	peer_cfg_t *peer_cfg = NULL;
@@ -398,11 +471,8 @@ static void ike_enumerator_destroy(ike_enumerator_t *this)
 	free(this);
 }
 
-/**
- * Implementation of backend_t.create_ike_cfg_enumerator.
- */
-static enumerator_t* create_ike_cfg_enumerator(private_sql_config_t *this,
-											   host_t *me, host_t *other)
+METHOD(backend_t, create_ike_cfg_enumerator, enumerator_t*,
+	private_sql_config_t *this, host_t *me, host_t *other)
 {
 	ike_enumerator_t *e = malloc_thing(ike_enumerator_t);
 
@@ -414,9 +484,9 @@ static enumerator_t* create_ike_cfg_enumerator(private_sql_config_t *this,
 	e->public.destroy = (void*)ike_enumerator_destroy;
 
 	e->inner = this->db->query(this->db,
-			"SELECT certreq, force_encap, local, remote "
+			"SELECT id, certreq, force_encap, local, remote "
 			"FROM ike_configs",
-			DB_INT, DB_INT, DB_TEXT, DB_TEXT);
+			DB_INT, DB_INT, DB_INT, DB_TEXT, DB_TEXT);
 	if (!e->inner)
 	{
 		free(e);
@@ -466,12 +536,8 @@ static void peer_enumerator_destroy(peer_enumerator_t *this)
 	free(this);
 }
 
-/**
- * Implementation of backend_t.create_peer_cfg_enumerator.
- */
-static enumerator_t* create_peer_cfg_enumerator(private_sql_config_t *this,
-												identification_t *me,
-												identification_t *other)
+METHOD(backend_t, create_peer_cfg_enumerator, enumerator_t*,
+	private_sql_config_t *this, identification_t *me, identification_t *other)
 {
 	peer_enumerator_t *e = malloc_thing(peer_enumerator_t);
 
@@ -508,10 +574,8 @@ static enumerator_t* create_peer_cfg_enumerator(private_sql_config_t *this,
 	return &e->public;
 }
 
-/**
- * Implementation of sql_config_t.destroy.
- */
-static void destroy(private_sql_config_t *this)
+METHOD(sql_config_t, destroy, void,
+	private_sql_config_t *this)
 {
 	free(this);
 }
@@ -521,14 +585,19 @@ static void destroy(private_sql_config_t *this)
  */
 sql_config_t *sql_config_create(database_t *db)
 {
-	private_sql_config_t *this = malloc_thing(private_sql_config_t);
-
-	this->public.backend.create_peer_cfg_enumerator = (enumerator_t*(*)(backend_t*, identification_t *me, identification_t *other))create_peer_cfg_enumerator;
-	this->public.backend.create_ike_cfg_enumerator = (enumerator_t*(*)(backend_t*, host_t *me, host_t *other))create_ike_cfg_enumerator;
-	this->public.backend.get_peer_cfg_by_name = (peer_cfg_t* (*)(backend_t*,char*))get_peer_cfg_by_name;
-	this->public.destroy = (void(*)(sql_config_t*))destroy;
+	private_sql_config_t *this;
 
-	this->db = db;
+	INIT(this,
+		.public = {
+			.backend = {
+				.create_peer_cfg_enumerator = _create_peer_cfg_enumerator,
+				.create_ike_cfg_enumerator = _create_ike_cfg_enumerator,
+				.get_peer_cfg_by_name = _get_peer_cfg_by_name,
+			},
+			.destroy = _destroy,
+		},
+		.db = db
+	);
 
 	return &this->public;
 }
diff --git a/src/libcharon/plugins/sql/sql_cred.c b/src/libcharon/plugins/sql/sql_cred.c
index 12f4ab045..117eec921 100644
--- a/src/libcharon/plugins/sql/sql_cred.c
+++ b/src/libcharon/plugins/sql/sql_cred.c
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2010 Tobias Brunner
  * Copyright (C) 2008 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -37,6 +38,7 @@ struct private_sql_cred_t {
 	database_t *db;
 };
 
+
 /**
  * enumerator over private keys
  */
@@ -49,11 +51,8 @@ typedef struct {
 	private_key_t *current;
 } private_enumerator_t;
 
-/**
- * Implementation of private_enumerator_t.public.enumerate
- */
-static bool private_enumerator_enumerate(private_enumerator_t *this,
-										 private_key_t **key)
+METHOD(enumerator_t, private_enumerator_enumerate, bool,
+	   private_enumerator_t *this, private_key_t **key)
 {
 	chunk_t blob;
 	int type;
@@ -62,7 +61,7 @@ static bool private_enumerator_enumerate(private_enumerator_t *this,
 	while (this->inner->enumerate(this->inner, &type, &blob))
 	{
 		this->current = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type,
-										   BUILD_BLOB_ASN1_DER, blob,
+										   BUILD_BLOB_PEM, blob,
 										   BUILD_END);
 		if (this->current)
 		{
@@ -74,29 +73,25 @@ static bool private_enumerator_enumerate(private_enumerator_t *this,
 	return FALSE;
 }
 
-/**
- * Implementation of private_enumerator_t.public.destroy
- */
-static void private_enumerator_destroy(private_enumerator_t *this)
+METHOD(enumerator_t, private_enumerator_destroy, void,
+	   private_enumerator_t *this)
 {
 	DESTROY_IF(this->current);
 	this->inner->destroy(this->inner);
 	free(this);
 }
 
-/**
- * Implementation of credential_set_t.create_private_enumerator.
- */
-static enumerator_t* create_private_enumerator(private_sql_cred_t *this,
-											   key_type_t type,
-											   identification_t *id)
+METHOD(credential_set_t, create_private_enumerator, enumerator_t*,
+	   private_sql_cred_t *this, key_type_t type, identification_t *id)
 {
 	private_enumerator_t *e;
 
-	e = malloc_thing(private_enumerator_t);
-	e->current = NULL;
-	e->public.enumerate = (void*)private_enumerator_enumerate;
-	e->public.destroy = (void*)private_enumerator_destroy;
+	INIT(e,
+		.public = {
+			.enumerate = (void*)_private_enumerator_enumerate,
+			.destroy = _private_enumerator_destroy,
+		},
+	);
 	if (id && id->get_type(id) != ID_ANY)
 	{
 		e->inner = this->db->query(this->db,
@@ -123,6 +118,7 @@ static enumerator_t* create_private_enumerator(private_sql_cred_t *this,
 	return &e->public;
 }
 
+
 /**
  * enumerator over certificates
  */
@@ -135,11 +131,8 @@ typedef struct {
 	certificate_t *current;
 } cert_enumerator_t;
 
-/**
- * Implementation of cert_enumerator_t.public.enumerate
- */
-static bool cert_enumerator_enumerate(cert_enumerator_t *this,
-									  certificate_t **cert)
+METHOD(enumerator_t, cert_enumerator_enumerate, bool,
+	   cert_enumerator_t *this, certificate_t **cert)
 {
 	chunk_t blob;
 	int type;
@@ -148,7 +141,7 @@ static bool cert_enumerator_enumerate(cert_enumerator_t *this,
 	while (this->inner->enumerate(this->inner, &type, &blob))
 	{
 		this->current = lib->creds->create(lib->creds, CRED_CERTIFICATE, type,
-										   BUILD_BLOB_ASN1_DER, blob,
+										   BUILD_BLOB_PEM, blob,
 										   BUILD_END);
 		if (this->current)
 		{
@@ -160,29 +153,26 @@ static bool cert_enumerator_enumerate(cert_enumerator_t *this,
 	return FALSE;
 }
 
-/**
- * Implementation of cert_enumerator_t.public.destroy
- */
-static void cert_enumerator_destroy(cert_enumerator_t *this)
+METHOD(enumerator_t, cert_enumerator_destroy, void,
+	   cert_enumerator_t *this)
 {
 	DESTROY_IF(this->current);
 	this->inner->destroy(this->inner);
 	free(this);
 }
 
-/**
- * Implementation of credential_set_t.create_cert_enumerator.
- */
-static enumerator_t* create_cert_enumerator(private_sql_cred_t *this,
-										certificate_type_t cert, key_type_t key,
-										identification_t *id, bool trusted)
+METHOD(credential_set_t, create_cert_enumerator, enumerator_t*,
+	   private_sql_cred_t *this, certificate_type_t cert, key_type_t key,
+	   identification_t *id, bool trusted)
 {
 	cert_enumerator_t *e;
 
-	e = malloc_thing(cert_enumerator_t);
-	e->current = NULL;
-	e->public.enumerate = (void*)cert_enumerator_enumerate;
-	e->public.destroy = (void*)cert_enumerator_destroy;
+	INIT(e,
+		.public = {
+			.enumerate = (void*)_cert_enumerator_enumerate,
+			.destroy = _cert_enumerator_destroy,
+		},
+	);
 	if (id && id->get_type(id) != ID_ANY)
 	{
 		e->inner = this->db->query(this->db,
@@ -213,6 +203,7 @@ static enumerator_t* create_cert_enumerator(private_sql_cred_t *this,
 	return &e->public;
 }
 
+
 /**
  * enumerator over shared keys
  */
@@ -229,12 +220,9 @@ typedef struct {
 	shared_key_t *current;
 } shared_enumerator_t;
 
-/**
- * Implementation of shared_enumerator_t.public.enumerate
- */
-static bool shared_enumerator_enumerate(shared_enumerator_t *this,
-										shared_key_t **shared,
-										id_match_t *me, id_match_t *other)
+METHOD(enumerator_t, shared_enumerator_enumerate, bool,
+	   shared_enumerator_t *this, shared_key_t **shared,
+	   id_match_t *me, id_match_t *other)
 {
 	chunk_t blob;
 	int type;
@@ -261,31 +249,28 @@ static bool shared_enumerator_enumerate(shared_enumerator_t *this,
 	return FALSE;
 }
 
-/**
- * Implementation of shared_enumerator_t.public.destroy
- */
-static void shared_enumerator_destroy(shared_enumerator_t *this)
+METHOD(enumerator_t, shared_enumerator_destroy, void,
+	   shared_enumerator_t *this)
 {
 	DESTROY_IF(this->current);
 	this->inner->destroy(this->inner);
 	free(this);
 }
 
-/**
- * Implementation of credential_set_t.create_shared_enumerator.
- */
-static enumerator_t* create_shared_enumerator(private_sql_cred_t *this,
-								  shared_key_type_t type,
-								  identification_t *me, identification_t *other)
+METHOD(credential_set_t, create_shared_enumerator, enumerator_t*,
+	   private_sql_cred_t *this, shared_key_type_t type,
+	   identification_t *me, identification_t *other)
 {
 	shared_enumerator_t *e;
 
-	e = malloc_thing(shared_enumerator_t);
-	e->me = me;
-	e->other = other;
-	e->current = NULL;
-	e->public.enumerate = (void*)shared_enumerator_enumerate;
-	e->public.destroy = (void*)shared_enumerator_destroy;
+	INIT(e,
+		.public = {
+			.enumerate = (void*)_shared_enumerator_enumerate,
+			.destroy = _shared_enumerator_destroy,
+		},
+		.me = me,
+		.other = other,
+	);
 	if (!me && !other)
 	{
 		e->inner = this->db->query(this->db,
@@ -329,36 +314,141 @@ static enumerator_t* create_shared_enumerator(private_sql_cred_t *this,
 	return &e->public;
 }
 
+
 /**
- * Implementation of credential_set_t.cache_cert.
+ * enumerator over CDPs
  */
-static void cache_cert(private_sql_cred_t *this, certificate_t *cert)
+typedef struct {
+	/** implements enumerator_t */
+	enumerator_t public;
+	/** inner SQL enumerator */
+	enumerator_t *inner;
+	/** currently enumerated string */
+	char *current;
+} cdp_enumerator_t;
+
+/**
+ * types of CDPs
+ */
+typedef enum {
+	/** any available CDP */
+	CDP_TYPE_ANY = 0,
+	/** CRL */
+	CDP_TYPE_CRL,
+	/** OCSP Responder */
+	CDP_TYPE_OCSP,
+} cdp_type_t;
+
+METHOD(enumerator_t, cdp_enumerator_enumerate, bool,
+	   cdp_enumerator_t *this, char **uri)
+{
+	char *text;
+
+	free(this->current);
+	while (this->inner->enumerate(this->inner, &text))
+	{
+		*uri = this->current = strdup(text);
+		return TRUE;
+	}
+	this->current = NULL;
+	return FALSE;
+}
+
+METHOD(enumerator_t, cdp_enumerator_destroy, void,
+	   cdp_enumerator_t *this)
+{
+	free(this->current);
+	this->inner->destroy(this->inner);
+	free(this);
+}
+
+METHOD(credential_set_t, create_cdp_enumerator, enumerator_t*,
+	   private_sql_cred_t *this, certificate_type_t type, identification_t *id)
+{
+	cdp_enumerator_t *e;
+	cdp_type_t cdp_type;
+
+	switch (type)
+	{	/* we serve CRLs and OCSP responders */
+		case CERT_X509_CRL:
+			cdp_type = CDP_TYPE_CRL;
+			break;
+		case CERT_X509_OCSP_RESPONSE:
+			cdp_type = CDP_TYPE_OCSP;
+			break;
+		case CERT_ANY:
+			cdp_type = CDP_TYPE_ANY;
+			break;
+		default:
+			return NULL;
+	}
+	INIT(e,
+		.public = {
+			.enumerate = (void*)_cdp_enumerator_enumerate,
+			.destroy = _cdp_enumerator_destroy,
+		},
+	);
+	if (id && id->get_type(id) != ID_ANY)
+	{
+		e->inner = this->db->query(this->db,
+				"SELECT dp.uri FROM certificate_distribution_points AS dp "
+				"JOIN certificate_authorities AS ca ON ca.id = dp.ca "
+				"JOIN certificates AS c ON c.id = ca.certificate "
+				"JOIN certificate_identity AS ci ON c.id = ci.certificate "
+				"JOIN identities AS i ON ci.identity = i.id "
+				"WHERE i.type = ? AND i.data = ? AND (? OR dp.type = ?)",
+				DB_INT, id->get_type(id), DB_BLOB, id->get_encoding(id),
+				DB_INT, cdp_type == CDP_TYPE_ANY, DB_INT, cdp_type,
+				DB_TEXT);
+	}
+	else
+	{
+		e->inner = this->db->query(this->db,
+				"SELECT dp.uri FROM certificate_distribution_points AS dp "
+				"WHERE (? OR dp.type = ?)",
+				DB_INT, cdp_type == CDP_TYPE_ANY, DB_INT, cdp_type,
+				DB_TEXT);
+	}
+	if (!e->inner)
+	{
+		free(e);
+		return NULL;
+	}
+	return &e->public;
+}
+
+METHOD(credential_set_t, cache_cert, void,
+	   private_sql_cred_t *this, certificate_t *cert)
 {
 	/* TODO: implement CRL caching to database */
 }
 
-/**
- * Implementation of sql_cred_t.destroy.
- */
-static void destroy(private_sql_cred_t *this)
+METHOD(sql_cred_t, destroy, void,
+	   private_sql_cred_t *this)
 {
 	free(this);
 }
+
 /**
  * Described in header.
  */
 sql_cred_t *sql_cred_create(database_t *db)
 {
-	private_sql_cred_t *this = malloc_thing(private_sql_cred_t);
-
-	this->public.set.create_private_enumerator = (void*)create_private_enumerator;
-	this->public.set.create_cert_enumerator = (void*)create_cert_enumerator;
-	this->public.set.create_shared_enumerator = (void*)create_shared_enumerator;
-	this->public.set.create_cdp_enumerator = (void*)return_null;
-	this->public.set.cache_cert = (void*)cache_cert;
-	this->public.destroy = (void(*)(sql_cred_t*))destroy;
-
-	this->db = db;
+	private_sql_cred_t *this;
+
+	INIT(this,
+		.public = {
+			.set = {
+				.create_private_enumerator = _create_private_enumerator,
+				.create_cert_enumerator = _create_cert_enumerator,
+				.create_shared_enumerator = _create_shared_enumerator,
+				.create_cdp_enumerator = _create_cdp_enumerator,
+				.cache_cert = _cache_cert,
+			},
+			.destroy = _destroy,
+		},
+		.db = db,
+	);
 
 	return &this->public;
 }
diff --git a/src/libcharon/plugins/sql/sql_plugin.c b/src/libcharon/plugins/sql/sql_plugin.c
index 7b0a198d1..ad1eb91b1 100644
--- a/src/libcharon/plugins/sql/sql_plugin.c
+++ b/src/libcharon/plugins/sql/sql_plugin.c
@@ -53,10 +53,8 @@ struct private_sql_plugin_t {
 	sql_logger_t *logger;
 };
 
-/**
- * Implementation of plugin_t.destroy
- */
-static void destroy(private_sql_plugin_t *this)
+METHOD(plugin_t, destroy, void,
+	private_sql_plugin_t *this)
 {
 	charon->backends->remove_backend(charon->backends, &this->config->backend);
 	lib->credmgr->remove_set(lib->credmgr, &this->cred->set);
@@ -83,11 +81,15 @@ plugin_t *sql_plugin_create()
 		return NULL;
 	}
 
-	this = malloc_thing(private_sql_plugin_t);
-
-	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+	INIT(this,
+		.public = {
+			.plugin = {
+				.destroy = _destroy,
+			},
+		},
+		.db = lib->db->create(lib->db, uri),
+	);
 
-	this->db = lib->db->create(lib->db, uri);
 	if (!this->db)
 	{
 		DBG1(DBG_CFG, "sql plugin failed to connect to database");
diff --git a/src/libcharon/plugins/stroke/Makefile.am b/src/libcharon/plugins/stroke/Makefile.am
index 40888a40b..e561224e9 100644
--- a/src/libcharon/plugins/stroke/Makefile.am
+++ b/src/libcharon/plugins/stroke/Makefile.am
@@ -21,7 +21,6 @@ libstrongswan_stroke_la_SOURCES = \
 	stroke_cred.h stroke_cred.c \
 	stroke_ca.h stroke_ca.c \
 	stroke_attribute.h stroke_attribute.c \
-	stroke_list.h stroke_list.c \
-	stroke_shared_key.h stroke_shared_key.c
+	stroke_list.h stroke_list.c
 
 libstrongswan_stroke_la_LDFLAGS = -module -avoid-version
diff --git a/src/libcharon/plugins/stroke/Makefile.in b/src/libcharon/plugins/stroke/Makefile.in
index e6e98838b..ccf3eeede 100644
--- a/src/libcharon/plugins/stroke/Makefile.in
+++ b/src/libcharon/plugins/stroke/Makefile.in
@@ -77,7 +77,7 @@ LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_stroke_la_LIBADD =
 am_libstrongswan_stroke_la_OBJECTS = stroke_plugin.lo stroke_socket.lo \
 	stroke_config.lo stroke_control.lo stroke_cred.lo stroke_ca.lo \
-	stroke_attribute.lo stroke_list.lo stroke_shared_key.lo
+	stroke_attribute.lo stroke_list.lo
 libstrongswan_stroke_la_OBJECTS =  \
 	$(am_libstrongswan_stroke_la_OBJECTS)
 libstrongswan_stroke_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
@@ -223,9 +223,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -264,6 +262,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
@@ -292,8 +292,7 @@ libstrongswan_stroke_la_SOURCES = \
 	stroke_cred.h stroke_cred.c \
 	stroke_ca.h stroke_ca.c \
 	stroke_attribute.h stroke_attribute.c \
-	stroke_list.h stroke_list.c \
-	stroke_shared_key.h stroke_shared_key.c
+	stroke_list.h stroke_list.c
 
 libstrongswan_stroke_la_LDFLAGS = -module -avoid-version
 all: all-am
@@ -386,7 +385,6 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stroke_cred.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stroke_list.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stroke_plugin.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stroke_shared_key.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stroke_socket.Plo@am__quote@
 
 .c.o:
diff --git a/src/libcharon/plugins/stroke/stroke_ca.c b/src/libcharon/plugins/stroke/stroke_ca.c
index 9a3ae0ab9..69e13deb9 100644
--- a/src/libcharon/plugins/stroke/stroke_ca.c
+++ b/src/libcharon/plugins/stroke/stroke_ca.c
@@ -113,6 +113,7 @@ static void ca_section_destroy(ca_section_t *this)
 	this->crl->destroy_function(this->crl, free);
 	this->ocsp->destroy_function(this->ocsp, free);
 	this->hashes->destroy_offset(this->hashes, offsetof(identification_t, destroy));
+	this->cert->destroy(this->cert);
 	free(this->certuribase);
 	free(this->name);
 	free(this);
@@ -207,11 +208,8 @@ static enumerator_t *create_inner_cdp_hashandurl(ca_section_t *section, cdp_data
 	return enumerator;
 }
 
-/**
- * Implementation of credential_set_t.create_cdp_enumerator.
- */
-static enumerator_t *create_cdp_enumerator(private_stroke_ca_t *this,
-								certificate_type_t type, identification_t *id)
+METHOD(credential_set_t, create_cdp_enumerator, enumerator_t*,
+	private_stroke_ca_t *this, certificate_type_t type, identification_t *id)
 {
 	cdp_data_t *data;
 
@@ -235,10 +233,9 @@ static enumerator_t *create_cdp_enumerator(private_stroke_ca_t *this,
 			(type == CERT_X509) ? (void*)create_inner_cdp_hashandurl : (void*)create_inner_cdp,
 			data, (void*)cdp_data_destroy);
 }
-/**
- * Implementation of stroke_ca_t.add.
- */
-static void add(private_stroke_ca_t *this, stroke_msg_t *msg)
+
+METHOD(stroke_ca_t, add, void,
+	private_stroke_ca_t *this, stroke_msg_t *msg)
 {
 	certificate_t *cert;
 	ca_section_t *ca;
@@ -279,10 +276,8 @@ static void add(private_stroke_ca_t *this, stroke_msg_t *msg)
 	}
 }
 
-/**
- * Implementation of stroke_ca_t.del.
- */
-static void del(private_stroke_ca_t *this, stroke_msg_t *msg)
+METHOD(stroke_ca_t, del, void,
+	private_stroke_ca_t *this, stroke_msg_t *msg)
 {
 	enumerator_t *enumerator;
 	ca_section_t *ca = NULL;
@@ -336,10 +331,8 @@ static void list_uris(linked_list_t *list, char *label, FILE *out)
 	enumerator->destroy(enumerator);
 }
 
-/**
- * Implementation of stroke_ca_t.check_for_hash_and_url.
- */
-static void check_for_hash_and_url(private_stroke_ca_t *this, certificate_t* cert)
+METHOD(stroke_ca_t, check_for_hash_and_url, void,
+	private_stroke_ca_t *this, certificate_t* cert)
 {
 	ca_section_t *section;
 	enumerator_t *enumerator;
@@ -376,10 +369,8 @@ static void check_for_hash_and_url(private_stroke_ca_t *this, certificate_t* cer
 	hasher->destroy(hasher);
 }
 
-/**
- * Implementation of stroke_ca_t.list.
- */
-static void list(private_stroke_ca_t *this, stroke_msg_t *msg, FILE *out)
+METHOD(stroke_ca_t, list, void,
+	private_stroke_ca_t *this, stroke_msg_t *msg, FILE *out)
 {
 	bool first = TRUE;
 	ca_section_t *section;
@@ -426,10 +417,8 @@ static void list(private_stroke_ca_t *this, stroke_msg_t *msg, FILE *out)
 	this->lock->unlock(this->lock);
 }
 
-/**
- * Implementation of stroke_ca_t.destroy
- */
-static void destroy(private_stroke_ca_t *this)
+METHOD(stroke_ca_t, destroy, void,
+	private_stroke_ca_t *this)
 {
 	this->sections->destroy_function(this->sections, (void*)ca_section_destroy);
 	this->lock->destroy(this->lock);
@@ -441,22 +430,27 @@ static void destroy(private_stroke_ca_t *this)
  */
 stroke_ca_t *stroke_ca_create(stroke_cred_t *cred)
 {
-	private_stroke_ca_t *this = malloc_thing(private_stroke_ca_t);
-
-	this->public.set.create_private_enumerator = (void*)return_null;
-	this->public.set.create_cert_enumerator = (void*)return_null;
-	this->public.set.create_shared_enumerator = (void*)return_null;
-	this->public.set.create_cdp_enumerator = (void*)create_cdp_enumerator;
-	this->public.set.cache_cert = (void*)nop;
-	this->public.add = (void(*)(stroke_ca_t*, stroke_msg_t *msg))add;
-	this->public.del = (void(*)(stroke_ca_t*, stroke_msg_t *msg))del;
-	this->public.list = (void(*)(stroke_ca_t*, stroke_msg_t *msg, FILE *out))list;
-	this->public.check_for_hash_and_url = (void(*)(stroke_ca_t*, certificate_t*))check_for_hash_and_url;
-	this->public.destroy = (void(*)(stroke_ca_t*))destroy;
-
-	this->sections = linked_list_create();
-	this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
-	this->cred = cred;
+	private_stroke_ca_t *this;
+
+	INIT(this,
+		.public = {
+			.set = {
+				.create_private_enumerator = (void*)return_null,
+				.create_cert_enumerator = (void*)return_null,
+				.create_shared_enumerator = (void*)return_null,
+				.create_cdp_enumerator = _create_cdp_enumerator,
+				.cache_cert = (void*)nop,
+			},
+			.add = _add,
+			.del = _del,
+			.list = _list,
+			.check_for_hash_and_url = _check_for_hash_and_url,
+			.destroy = _destroy,
+		},
+		.sections = linked_list_create(),
+		.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
+		.cred = cred,
+	);
 
 	return &this->public;
 }
diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c
index 165212a5e..ea7d17592 100644
--- a/src/libcharon/plugins/stroke/stroke_config.c
+++ b/src/libcharon/plugins/stroke/stroke_config.c
@@ -53,12 +53,8 @@ struct private_stroke_config_t {
 	stroke_cred_t *cred;
 };
 
-/**
- * Implementation of backend_t.create_peer_cfg_enumerator.
- */
-static enumerator_t* create_peer_cfg_enumerator(private_stroke_config_t *this,
-												identification_t *me,
-												identification_t *other)
+METHOD(backend_t, create_peer_cfg_enumerator, enumerator_t*,
+	private_stroke_config_t *this, identification_t *me, identification_t *other)
 {
 	this->mutex->lock(this->mutex);
 	return enumerator_create_cleaner(this->list->create_enumerator(this->list),
@@ -74,11 +70,8 @@ static bool ike_filter(void *data, peer_cfg_t **in, ike_cfg_t **out)
 	return TRUE;
 }
 
-/**
- * Implementation of backend_t.create_ike_cfg_enumerator.
- */
-static enumerator_t* create_ike_cfg_enumerator(private_stroke_config_t *this,
-											   host_t *me, host_t *other)
+METHOD(backend_t, create_ike_cfg_enumerator, enumerator_t*,
+	private_stroke_config_t *this, host_t *me, host_t *other)
 {
 	this->mutex->lock(this->mutex);
 	return enumerator_create_filter(this->list->create_enumerator(this->list),
@@ -86,10 +79,8 @@ static enumerator_t* create_ike_cfg_enumerator(private_stroke_config_t *this,
 									(void*)this->mutex->unlock);
 }
 
-/**
- * implements backend_t.get_peer_cfg_by_name.
- */
-static peer_cfg_t *get_peer_cfg_by_name(private_stroke_config_t *this, char *name)
+METHOD(backend_t, get_peer_cfg_by_name, peer_cfg_t*,
+	private_stroke_config_t *this, char *name)
 {
 	enumerator_t *e1, *e2;
 	peer_cfg_t *current, *found = NULL;
@@ -438,13 +429,38 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
 		enumerator->destroy(enumerator);
 	}
 
+	/* certificatePolicies */
+	if (end->cert_policy)
+	{
+		enumerator_t *enumerator;
+		char *policy;
+
+		enumerator = enumerator_create_token(end->cert_policy, ",", " ");
+		while (enumerator->enumerate(enumerator, &policy))
+		{
+			cfg->add(cfg, AUTH_RULE_CERT_POLICY, strdup(policy));
+		}
+		enumerator->destroy(enumerator);
+	}
+
 	/* authentication metod (class, actually) */
 	if (streq(auth, "pubkey") ||
-		streq(auth, "rsasig") || streq(auth, "rsa") ||
-		streq(auth, "ecdsasig") || streq(auth, "ecdsa"))
+		strneq(auth, "rsa", strlen("rsa")) ||
+		strneq(auth, "ecdsa", strlen("ecdsa")))
 	{
+		u_int strength;
+
 		cfg->add(cfg, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
 		build_crl_policy(cfg, local, msg->add_conn.crl_policy);
+
+		if (sscanf(auth, "rsa-%d", &strength) == 1)
+		{
+			cfg->add(cfg, AUTH_RULE_RSA_STRENGTH, (uintptr_t)strength);
+		}
+		if (sscanf(auth, "ecdsa-%d", &strength) == 1)
+		{
+			cfg->add(cfg, AUTH_RULE_ECDSA_STRENGTH, (uintptr_t)strength);
+		}
 	}
 	else if (streq(auth, "psk") || streq(auth, "secret"))
 	{
@@ -808,9 +824,9 @@ static child_cfg_t *build_child_cfg(private_stroke_config_t *this,
 	child_cfg = child_cfg_create(
 				msg->add_conn.name, &lifetime,
 				msg->add_conn.me.updown, msg->add_conn.me.hostaccess,
-				msg->add_conn.mode, dpd, dpd, msg->add_conn.ipcomp,
+				msg->add_conn.mode, ACTION_NONE, dpd, dpd, msg->add_conn.ipcomp,
 				msg->add_conn.inactivity, msg->add_conn.reqid,
-				&mark_in, &mark_out);
+				&mark_in, &mark_out, msg->add_conn.tfc);
 	child_cfg->set_mipv6_options(child_cfg, msg->add_conn.proxy_mode,
 											msg->add_conn.install_policy);
 	add_ts(this, &msg->add_conn.me, child_cfg, TRUE);
@@ -821,10 +837,8 @@ static child_cfg_t *build_child_cfg(private_stroke_config_t *this,
 	return child_cfg;
 }
 
-/**
- * Implementation of stroke_config_t.add.
- */
-static void add(private_stroke_config_t *this, stroke_msg_t *msg)
+METHOD(stroke_config_t, add, void,
+	private_stroke_config_t *this, stroke_msg_t *msg)
 {
 	ike_cfg_t *ike_cfg, *existing_ike;
 	peer_cfg_t *peer_cfg, *existing;
@@ -884,10 +898,8 @@ static void add(private_stroke_config_t *this, stroke_msg_t *msg)
 	}
 }
 
-/**
- * Implementation of stroke_config_t.del.
- */
-static void del(private_stroke_config_t *this, stroke_msg_t *msg)
+METHOD(stroke_config_t, del, void,
+	private_stroke_config_t *this, stroke_msg_t *msg)
 {
 	enumerator_t *enumerator, *children;
 	peer_cfg_t *peer;
@@ -938,10 +950,8 @@ static void del(private_stroke_config_t *this, stroke_msg_t *msg)
 	}
 }
 
-/**
- * Implementation of stroke_config_t.destroy
- */
-static void destroy(private_stroke_config_t *this)
+METHOD(stroke_config_t, destroy, void,
+	private_stroke_config_t *this)
 {
 	this->list->destroy_offset(this->list, offsetof(peer_cfg_t, destroy));
 	this->mutex->destroy(this->mutex);
@@ -953,19 +963,24 @@ static void destroy(private_stroke_config_t *this)
  */
 stroke_config_t *stroke_config_create(stroke_ca_t *ca, stroke_cred_t *cred)
 {
-	private_stroke_config_t *this = malloc_thing(private_stroke_config_t);
-
-	this->public.backend.create_peer_cfg_enumerator = (enumerator_t*(*)(backend_t*, identification_t *me, identification_t *other))create_peer_cfg_enumerator;
-	this->public.backend.create_ike_cfg_enumerator = (enumerator_t*(*)(backend_t*, host_t *me, host_t *other))create_ike_cfg_enumerator;
-	this->public.backend.get_peer_cfg_by_name = (peer_cfg_t* (*)(backend_t*,char*))get_peer_cfg_by_name;
-	this->public.add = (void(*)(stroke_config_t*, stroke_msg_t *msg))add;
-	this->public.del = (void(*)(stroke_config_t*, stroke_msg_t *msg))del;
-	this->public.destroy = (void(*)(stroke_config_t*))destroy;
-
-	this->list = linked_list_create();
-	this->mutex = mutex_create(MUTEX_TYPE_RECURSIVE);
-	this->ca = ca;
-	this->cred = cred;
+	private_stroke_config_t *this;
+
+	INIT(this,
+		.public = {
+			.backend = {
+				.create_peer_cfg_enumerator = _create_peer_cfg_enumerator,
+				.create_ike_cfg_enumerator = _create_ike_cfg_enumerator,
+				.get_peer_cfg_by_name = _get_peer_cfg_by_name,
+			},
+			.add = _add,
+			.del = _del,
+			.destroy = _destroy,
+		},
+		.list = linked_list_create(),
+		.mutex = mutex_create(MUTEX_TYPE_RECURSIVE),
+		.ca = ca,
+		.cred = cred,
+	);
 
 	return &this->public;
 }
diff --git a/src/libcharon/plugins/stroke/stroke_control.c b/src/libcharon/plugins/stroke/stroke_control.c
index e0398ba78..3541ab8f9 100644
--- a/src/libcharon/plugins/stroke/stroke_control.c
+++ b/src/libcharon/plugins/stroke/stroke_control.c
@@ -17,6 +17,8 @@
 
 #include <daemon.h>
 #include <processing/jobs/delete_ike_sa_job.h>
+#include <processing/jobs/rekey_ike_sa_job.h>
+#include <processing/jobs/rekey_child_sa_job.h>
 
 typedef struct private_stroke_control_t private_stroke_control_t;
 
@@ -90,10 +92,8 @@ static child_cfg_t* get_child_from_peer(peer_cfg_t *peer_cfg, char *name)
 	return found;
 }
 
-/**
- * Implementation of stroke_control_t.initiate.
- */
-static void initiate(private_stroke_control_t *this, stroke_msg_t *msg, FILE *out)
+METHOD(stroke_control_t, initiate, void,
+	private_stroke_control_t *this, stroke_msg_t *msg, FILE *out)
 {
 	peer_cfg_t *peer_cfg;
 	child_cfg_t *child_cfg;
@@ -137,76 +137,89 @@ static void initiate(private_stroke_control_t *this, stroke_msg_t *msg, FILE *ou
 }
 
 /**
- * Implementation of stroke_control_t.terminate.
+ * Parse a terminate/rekey specifier
  */
-static void terminate(private_stroke_control_t *this, stroke_msg_t *msg, FILE *out)
+static bool parse_specifier(char *string, u_int32_t *id,
+							char **name, bool *child, bool *all)
 {
-	char *string, *pos = NULL, *name = NULL;
-	u_int32_t id = 0;
-	bool child, all = FALSE;
 	int len;
-	ike_sa_t *ike_sa;
-	enumerator_t *enumerator;
-	linked_list_t *ike_list, *child_list;
-	stroke_log_info_t info;
-	uintptr_t del;
+	char *pos = NULL;
 
-	string = msg->terminate.name;
+	*id = 0;
+	*name = NULL;
+	*all = FALSE;
 
 	len = strlen(string);
 	if (len < 1)
 	{
-		DBG1(DBG_CFG, "error parsing string");
-		return;
+		return FALSE;
 	}
 	switch (string[len-1])
 	{
 		case '}':
-			child = TRUE;
+			*child = TRUE;
 			pos = strchr(string, '{');
 			break;
 		case ']':
-			child = FALSE;
+			*child = FALSE;
 			pos = strchr(string, '[');
 			break;
 		default:
-			name = string;
-			child = FALSE;
+			*name = string;
+			*child = FALSE;
 			break;
 	}
 
-	if (name)
+	if (*name)
 	{
 		/* is a single name */
 	}
 	else if (pos == string + len - 2)
 	{	/* is name[] or name{} */
 		string[len-2] = '\0';
-		name = string;
+		*name = string;
 	}
 	else
 	{
 		if (!pos)
 		{
-			DBG1(DBG_CFG, "error parsing string");
-			return;
+			return FALSE;
 		}
 		if (*(pos + 1) == '*')
 		{	/* is name[*] */
-			all = TRUE;
+			*all = TRUE;
 			*pos = '\0';
-			name = string;
+			*name = string;
 		}
 		else
 		{	/* is name[123] or name{23} */
-			id = atoi(pos + 1);
-			if (id == 0)
+			*id = atoi(pos + 1);
+			if (*id == 0)
 			{
-				DBG1(DBG_CFG, "error parsing string");
-				return;
+				return FALSE;
 			}
 		}
 	}
+	return TRUE;
+}
+
+METHOD(stroke_control_t, terminate, void,
+	private_stroke_control_t *this, stroke_msg_t *msg, FILE *out)
+{
+	char *name;
+	u_int32_t id;
+	bool child, all;
+	ike_sa_t *ike_sa;
+	enumerator_t *enumerator;
+	linked_list_t *ike_list, *child_list;
+	stroke_log_info_t info;
+	uintptr_t del;
+
+	if (!parse_specifier(msg->terminate.name, &id, &name, &child, &all))
+	{
+		DBG1(DBG_CFG, "error parsing specifier string");
+		return;
+	}
 
 	info.out = out;
 	info.level = msg->output_verbosity;
@@ -293,11 +306,68 @@ static void terminate(private_stroke_control_t *this, stroke_msg_t *msg, FILE *o
 	child_list->destroy(child_list);
 }
 
-/**
- * Implementation of stroke_control_t.terminate_srcip.
- */
-static void terminate_srcip(private_stroke_control_t *this,
-							stroke_msg_t *msg, FILE *out)
+METHOD(stroke_control_t, rekey, void,
+	private_stroke_control_t *this, stroke_msg_t *msg, FILE *out)
+{
+	char *name;
+	u_int32_t id;
+	bool child, all, finished = FALSE;
+	ike_sa_t *ike_sa;
+	enumerator_t *enumerator;
+
+	if (!parse_specifier(msg->terminate.name, &id, &name, &child, &all))
+	{
+		DBG1(DBG_CFG, "error parsing specifier string");
+		return;
+	}
+	enumerator = charon->controller->create_ike_sa_enumerator(charon->controller);
+	while (enumerator->enumerate(enumerator, &ike_sa))
+	{
+		child_sa_t *child_sa;
+		iterator_t *children;
+
+		if (child)
+		{
+			children = ike_sa->create_child_sa_iterator(ike_sa);
+			while (children->iterate(children, (void**)&child_sa))
+			{
+				if ((name && streq(name, child_sa->get_name(child_sa))) ||
+					(id && id == child_sa->get_reqid(child_sa)))
+				{
+					lib->processor->queue_job(lib->processor,
+						(job_t*)rekey_child_sa_job_create(
+								child_sa->get_reqid(child_sa),
+								child_sa->get_protocol(child_sa),
+								child_sa->get_spi(child_sa, TRUE)));
+					if (!all)
+					{
+						finished = TRUE;
+						break;
+					}
+				}
+			}
+			children->destroy(children);
+		}
+		else if ((name && streq(name, ike_sa->get_name(ike_sa))) ||
+				 (id && id == ike_sa->get_unique_id(ike_sa)))
+		{
+			lib->processor->queue_job(lib->processor,
+				(job_t*)rekey_ike_sa_job_create(ike_sa->get_id(ike_sa), FALSE));
+			if (!all)
+			{
+				finished = TRUE;
+			}
+		}
+		if (finished)
+		{
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+}
+
+METHOD(stroke_control_t, terminate_srcip, void,
+	private_stroke_control_t *this, stroke_msg_t *msg, FILE *out)
 {
 	enumerator_t *enumerator;
 	ike_sa_t *ike_sa;
@@ -362,10 +432,8 @@ static void terminate_srcip(private_stroke_control_t *this,
 	DESTROY_IF(end);
 }
 
-/**
- * Implementation of stroke_control_t.purge_ike
- */
-static void purge_ike(private_stroke_control_t *this, stroke_msg_t *msg, FILE *out)
+METHOD(stroke_control_t, purge_ike, void,
+	private_stroke_control_t *this, stroke_msg_t *msg, FILE *out)
 {
 	enumerator_t *enumerator;
 	iterator_t *iterator;
@@ -402,10 +470,8 @@ static void purge_ike(private_stroke_control_t *this, stroke_msg_t *msg, FILE *o
 	list->destroy(list);
 }
 
-/**
- * Implementation of stroke_control_t.route.
- */
-static void route(private_stroke_control_t *this, stroke_msg_t *msg, FILE *out)
+METHOD(stroke_control_t, route, void,
+	private_stroke_control_t *this, stroke_msg_t *msg, FILE *out)
 {
 	peer_cfg_t *peer_cfg;
 	child_cfg_t *child_cfg;
@@ -443,10 +509,8 @@ static void route(private_stroke_control_t *this, stroke_msg_t *msg, FILE *out)
 	child_cfg->destroy(child_cfg);
 }
 
-/**
- * Implementation of stroke_control_t.unroute.
- */
-static void unroute(private_stroke_control_t *this, stroke_msg_t *msg, FILE *out)
+METHOD(stroke_control_t, unroute, void,
+	private_stroke_control_t *this, stroke_msg_t *msg, FILE *out)
 {
 	child_sa_t *child_sa;
 	enumerator_t *enumerator;
@@ -468,10 +532,8 @@ static void unroute(private_stroke_control_t *this, stroke_msg_t *msg, FILE *out
 	fprintf(out, "configuration '%s' not found\n", msg->unroute.name);
 }
 
-/**
- * Implementation of stroke_control_t.destroy
- */
-static void destroy(private_stroke_control_t *this)
+METHOD(stroke_control_t, destroy, void,
+	private_stroke_control_t *this)
 {
 	free(this);
 }
@@ -481,15 +543,20 @@ static void destroy(private_stroke_control_t *this)
  */
 stroke_control_t *stroke_control_create()
 {
-	private_stroke_control_t *this = malloc_thing(private_stroke_control_t);
-
-	this->public.initiate = (void(*)(stroke_control_t*, stroke_msg_t *msg, FILE *out))initiate;
-	this->public.terminate = (void(*)(stroke_control_t*, stroke_msg_t *msg, FILE *out))terminate;
-	this->public.terminate_srcip = (void(*)(stroke_control_t*, stroke_msg_t *msg, FILE *out))terminate_srcip;
-	this->public.purge_ike = (void(*)(stroke_control_t*, stroke_msg_t *msg, FILE *out))purge_ike;
-	this->public.route = (void(*)(stroke_control_t*, stroke_msg_t *msg, FILE *out))route;
-	this->public.unroute = (void(*)(stroke_control_t*, stroke_msg_t *msg, FILE *out))unroute;
-	this->public.destroy = (void(*)(stroke_control_t*))destroy;
+	private_stroke_control_t *this;
+
+	INIT(this,
+		.public = {
+			.initiate = _initiate,
+			.terminate = _terminate,
+			.terminate_srcip = _terminate_srcip,
+			.rekey = _rekey,
+			.purge_ike = _purge_ike,
+			.route = _route,
+			.unroute = _unroute,
+			.destroy = _destroy,
+		},
+	);
 
 	return &this->public;
 }
diff --git a/src/libcharon/plugins/stroke/stroke_control.h b/src/libcharon/plugins/stroke/stroke_control.h
index 9b49bdc31..869aab3d3 100644
--- a/src/libcharon/plugins/stroke/stroke_control.h
+++ b/src/libcharon/plugins/stroke/stroke_control.h
@@ -53,6 +53,13 @@ struct stroke_control_t {
 	 */
 	void (*terminate_srcip)(stroke_control_t *this, stroke_msg_t *msg, FILE *out);
 
+	/**
+	 * Rekey a connection.
+	 *
+	 * @param msg		stroke message
+	 */
+	void (*rekey)(stroke_control_t *this, stroke_msg_t *msg, FILE *out);
+
 	/**
 	 * Delete IKE_SAs without a CHILD_SA.
 	 *
diff --git a/src/libcharon/plugins/stroke/stroke_cred.c b/src/libcharon/plugins/stroke/stroke_cred.c
index 91e71f1f4..83e5a9ad6 100644
--- a/src/libcharon/plugins/stroke/stroke_cred.c
+++ b/src/libcharon/plugins/stroke/stroke_cred.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2008-2010 Tobias Brunner
  * Copyright (C) 2008 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -25,7 +25,6 @@
 #include <unistd.h>
 
 #include "stroke_cred.h"
-#include "stroke_shared_key.h"
 
 #include <credentials/certificates/x509.h>
 #include <credentials/certificates/crl.h>
@@ -64,24 +63,9 @@ struct private_stroke_cred_t {
 	stroke_cred_t public;
 
 	/**
-	 * list of trusted peer/signer/CA certificates (certificate_t)
+	 * credentials
 	 */
-	linked_list_t *certs;
-
-	/**
-	 * list of shared secrets (private_shared_key_t)
-	 */
-	linked_list_t *shared;
-
-	/**
-	 * list of private keys (private_key_t)
-	 */
-	linked_list_t *private;
-
-	/**
-	 * read-write lock to lists
-	 */
-	rwlock_t *lock;
+	mem_cred_t *creds;
 
 	/**
 	 * cache CRLs to disk?
@@ -89,237 +73,6 @@ struct private_stroke_cred_t {
 	bool cachecrl;
 };
 
-/**
- * data to pass to various filters
- */
-typedef struct {
-	private_stroke_cred_t *this;
-	identification_t *id;
-	certificate_type_t cert;
-	key_type_t key;
-} id_data_t;
-
-/**
- * destroy id enumerator data and unlock list
- */
-static void id_data_destroy(id_data_t *data)
-{
-	data->this->lock->unlock(data->this->lock);
-	free(data);
-}
-
-/**
- * filter function for private key enumerator
- */
-static bool private_filter(id_data_t *data,
-						   private_key_t **in, private_key_t **out)
-{
-	private_key_t *key;
-
-	key = *in;
-	if (data->key == KEY_ANY || data->key == key->get_type(key))
-	{
-		if (data->id == NULL)
-		{
-			*out = key;
-			return TRUE;
-		}
-		if (key->has_fingerprint(key, data->id->get_encoding(data->id)))
-		{
-			*out = key;
-			return TRUE;
-		}
-	}
-	return FALSE;
-}
-
-/**
- * Implements credential_set_t.create_private_enumerator
- */
-static enumerator_t* create_private_enumerator(private_stroke_cred_t *this,
-							key_type_t type, identification_t *id)
-{
-	id_data_t *data;
-
-	data = malloc_thing(id_data_t);
-	data->this = this;
-	data->id = id;
-	data->key = type;
-
-	this->lock->read_lock(this->lock);
-	return enumerator_create_filter(this->private->create_enumerator(this->private),
-									(void*)private_filter, data,
-									(void*)id_data_destroy);
-}
-
-/**
- * filter function for certs enumerator
- */
-static bool certs_filter(id_data_t *data, certificate_t **in, certificate_t **out)
-{
-	public_key_t *public;
-	certificate_t *cert = *in;
-
-	if (data->cert != CERT_ANY && data->cert != cert->get_type(cert))
-	{
-		return FALSE;
-	}
-	if (data->id == NULL || cert->has_subject(cert, data->id))
-	{
-		*out = *in;
-		return TRUE;
-	}
-
-	public = cert->get_public_key(cert);
-	if (public)
-	{
-		if (data->key == KEY_ANY || data->key != public->get_type(public))
-		{
-			if (public->has_fingerprint(public, data->id->get_encoding(data->id)))
-			{
-				public->destroy(public);
-				*out = *in;
-				return TRUE;
-			}
-		}
-		public->destroy(public);
-	}
-	return FALSE;
-}
-
-/**
- * Implements credential_set_t.create_cert_enumerator
- */
-static enumerator_t* create_cert_enumerator(private_stroke_cred_t *this,
-							certificate_type_t cert, key_type_t key,
-							identification_t *id, bool trusted)
-{
-	id_data_t *data;
-
-	if (trusted && (cert == CERT_X509_CRL || cert == CERT_X509_AC))
-	{
-		return NULL;
-	}
-	data = malloc_thing(id_data_t);
-	data->this = this;
-	data->id = id;
-	data->cert = cert;
-	data->key = key;
-
-	this->lock->read_lock(this->lock);
-	return enumerator_create_filter(this->certs->create_enumerator(this->certs),
-									(void*)certs_filter, data,
-									(void*)id_data_destroy);
-}
-
-typedef struct {
-	private_stroke_cred_t *this;
-	identification_t *me;
-	identification_t *other;
-	shared_key_type_t type;
-} shared_data_t;
-
-/**
- * free shared key enumerator data and unlock list
- */
-static void shared_data_destroy(shared_data_t *data)
-{
-	data->this->lock->unlock(data->this->lock);
-	free(data);
-}
-
-/**
- * filter function for certs enumerator
- */
-static bool shared_filter(shared_data_t *data,
-						  stroke_shared_key_t **in, shared_key_t **out,
-						  void **unused1, id_match_t *me,
-						  void **unused2, id_match_t *other)
-{
-	id_match_t my_match = ID_MATCH_NONE, other_match = ID_MATCH_NONE;
-	stroke_shared_key_t *stroke = *in;
-	shared_key_t *shared = &stroke->shared;
-
-	if (data->type != SHARED_ANY && shared->get_type(shared) != data->type)
-	{
-		return FALSE;
-	}
-
-	if (data->me)
-	{
-		my_match = stroke->has_owner(stroke, data->me);
-	}
-	if (data->other)
-	{
-		other_match = stroke->has_owner(stroke, data->other);
-	}
-	if ((data->me || data->other) && (!my_match && !other_match))
-	{
-		return FALSE;
-	}
-	*out = shared;
-	if (me)
-	{
-		*me = my_match;
-	}
-	if (other)
-	{
-		*other = other_match;
-	}
-	return TRUE;
-}
-
-/**
- * Implements credential_set_t.create_shared_enumerator
- */
-static enumerator_t* create_shared_enumerator(private_stroke_cred_t *this,
-							shared_key_type_t type,	identification_t *me,
-							identification_t *other)
-{
-	shared_data_t *data = malloc_thing(shared_data_t);
-
-	data->this = this;
-	data->me = me;
-	data->other = other;
-	data->type = type;
-	this->lock->read_lock(this->lock);
-	return enumerator_create_filter(this->shared->create_enumerator(this->shared),
-									(void*)shared_filter, data,
-									(void*)shared_data_destroy);
-}
-
-/**
- * Add a certificate to chain
- */
-static certificate_t* add_cert(private_stroke_cred_t *this, certificate_t *cert)
-{
-	certificate_t *current;
-	enumerator_t *enumerator;
-	bool new = TRUE;
-
-	this->lock->read_lock(this->lock);
-	enumerator = this->certs->create_enumerator(this->certs);
-	while (enumerator->enumerate(enumerator, (void**)&current))
-	{
-		if (current->equals(current, cert))
-		{
-			/* cert already in queue */
-			cert->destroy(cert);
-			cert = current;
-			new = FALSE;
-			break;
-		}
-	}
-	enumerator->destroy(enumerator);
-
-	if (new)
-	{
-		this->certs->insert_last(this->certs, cert);
-	}
-	this->lock->unlock(this->lock);
-	return cert;
-}
-
 /**
  * Implementation of stroke_cred_t.load_ca.
  */
@@ -352,84 +105,11 @@ static certificate_t* load_ca(private_stroke_cred_t *this, char *filename)
 			cert->destroy(cert);
 			return NULL;
 		}
-		return (certificate_t*)add_cert(this, cert);
+		return this->creds->add_cert_ref(this->creds, TRUE, cert);
 	}
 	return NULL;
 }
 
-/**
- * Add X.509 CRL to chain
- */
-static bool add_crl(private_stroke_cred_t *this, crl_t* crl)
-{
-	certificate_t *current, *cert = &crl->certificate;
-	enumerator_t *enumerator;
-	bool new = TRUE, found = FALSE;
-
-	this->lock->write_lock(this->lock);
-	enumerator = this->certs->create_enumerator(this->certs);
-	while (enumerator->enumerate(enumerator, (void**)&current))
-	{
-		if (current->get_type(current) == CERT_X509_CRL)
-		{
-			crl_t *crl_c = (crl_t*)current;
-			chunk_t authkey = crl->get_authKeyIdentifier(crl);
-			chunk_t authkey_c = crl_c->get_authKeyIdentifier(crl_c);
-
-			/* if compare authorityKeyIdentifiers if available */
-			if (authkey.ptr && authkey_c.ptr && chunk_equals(authkey, authkey_c))
-			{
-				found = TRUE;
-			}
-			else
-			{
-				identification_t *issuer = cert->get_issuer(cert);
-				identification_t *issuer_c = current->get_issuer(current);
-
-				/* otherwise compare issuer distinguished names */
-				if (issuer->equals(issuer, issuer_c))
-				{
-					found = TRUE;
-				}
-			}
-			if (found)
-			{
-				new = crl_is_newer(crl, crl_c);
-				if (new)
-				{
-					this->certs->remove_at(this->certs, enumerator);
-				}
-				else
-				{
-					cert->destroy(cert);
-				}
-				break;
-			}
-		}
-	}
-	enumerator->destroy(enumerator);
-
-	if (new)
-	{
-		this->certs->insert_last(this->certs, cert);
-	}
-	this->lock->unlock(this->lock);
-	return new;
-}
-
-/**
- * Add X.509 attribute certificate to chain
- */
-static bool add_ac(private_stroke_cred_t *this, ac_t* ac)
-{
-	certificate_t *cert = &ac->certificate;
-
-	this->lock->write_lock(this->lock);
-	this->certs->insert_last(this->certs, cert);
-	this->lock->unlock(this->lock);
-	return TRUE;
-}
-
 /**
  * Implementation of stroke_cred_t.load_peer.
  */
@@ -453,10 +133,10 @@ static certificate_t* load_peer(private_stroke_cred_t *this, char *filename)
 							  BUILD_END);
 	if (cert)
 	{
-		cert = add_cert(this, cert);
+		cert = this->creds->add_cert_ref(this->creds, TRUE, cert);
 		DBG1(DBG_CFG, "  loaded certificate \"%Y\" from '%s'",
 					  cert->get_subject(cert), filename);
-		return cert->get_ref(cert);
+		return cert;
 	}
 	DBG1(DBG_CFG, "  loading certificate from '%s' failed", filename);
 	return NULL;
@@ -511,8 +191,8 @@ static void load_certdir(private_stroke_cred_t *this, char *path,
 						}
 						else
 						{
-							DBG1(DBG_CFG, "  loaded ca certificate \"%Y\" from '%s'",
-										  cert->get_subject(cert), file);
+							DBG1(DBG_CFG, "  loaded ca certificate \"%Y\" "
+								 "from '%s'", cert->get_subject(cert), file);
 						}
 					}
 					else
@@ -540,7 +220,7 @@ static void load_certdir(private_stroke_cred_t *this, char *path,
 				}
 				if (cert)
 				{
-					add_cert(this, cert);
+					this->creds->add_cert(this->creds, TRUE, cert);
 				}
 				break;
 			case CERT_X509_CRL:
@@ -550,7 +230,7 @@ static void load_certdir(private_stroke_cred_t *this, char *path,
 										  BUILD_END);
 				if (cert)
 				{
-					add_crl(this, (crl_t*)cert);
+					this->creds->add_crl(this->creds, (crl_t*)cert);
 					DBG1(DBG_CFG, "  loaded crl from '%s'",  file);
 				}
 				else
@@ -565,7 +245,7 @@ static void load_certdir(private_stroke_cred_t *this, char *path,
 										  BUILD_END);
 				if (cert)
 				{
-					add_ac(this, (ac_t*)cert);
+					this->creds->add_cert(this->creds, FALSE, cert);
 					DBG1(DBG_CFG, "  loaded attribute certificate from '%s'",
 								  file);
 				}
@@ -593,7 +273,7 @@ static void cache_cert(private_stroke_cred_t *this, certificate_t *cert)
 		crl_t *crl = (crl_t*)cert;
 
 		cert->get_ref(cert);
-		if (add_crl(this, crl))
+		if (this->creds->add_crl(this->creds, crl))
 		{
 			char buf[BUF_LEN];
 			chunk_t chunk, hex;
@@ -914,7 +594,6 @@ static bool load_pin(private_stroke_cred_t *this, chunk_t line, int line_nr,
 	}
 
 	/* unlock: smartcard needs the pin and potentially calls public set */
-	this->lock->unlock(this->lock);
 	switch (format)
 	{
 		case SC_FORMAT_SLOT_MODULE_KEYID:
@@ -936,7 +615,6 @@ static bool load_pin(private_stroke_cred_t *this, chunk_t line, int line_nr,
 							BUILD_PKCS11_KEYID, chunk, BUILD_END);
 			break;
 	}
-	this->lock->write_lock(this->lock);
 	if (mem)
 	{
 		lib->credmgr->remove_local_set(lib->credmgr, &mem->set);
@@ -951,7 +629,7 @@ static bool load_pin(private_stroke_cred_t *this, chunk_t line, int line_nr,
 	if (key)
 	{
 		DBG1(DBG_CFG, "  loaded private key from %.*s", sc.len, sc.ptr);
-		this->private->insert_last(this->private, key);
+		this->creds->add_key(this->creds, key);
 	}
 	return TRUE;
 }
@@ -1022,11 +700,8 @@ static bool load_private(private_stroke_cred_t *this, chunk_t line, int line_nr,
 		cb = callback_cred_create_shared((void*)passphrase_cb, &pp_data);
 		lib->credmgr->add_local_set(lib->credmgr, &cb->set);
 
-		/* unlock, as the builder might ask for a secret */
-		this->lock->unlock(this->lock);
 		key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, key_type,
 								 BUILD_FROM_FILE, path, BUILD_END);
-		this->lock->write_lock(this->lock);
 
 		lib->credmgr->remove_local_set(lib->credmgr, &cb->set);
 		cb->destroy(cb);
@@ -1042,11 +717,8 @@ static bool load_private(private_stroke_cred_t *this, chunk_t line, int line_nr,
 		mem->add_shared(mem, shared, NULL);
 		lib->credmgr->add_local_set(lib->credmgr, &mem->set);
 
-		/* unlock, as the builder might ask for a secret */
-		this->lock->unlock(this->lock);
 		key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, key_type,
 								 BUILD_FROM_FILE, path, BUILD_END);
-		this->lock->write_lock(this->lock);
 
 		lib->credmgr->remove_local_set(lib->credmgr, &mem->set);
 		mem->destroy(mem);
@@ -1055,7 +727,7 @@ static bool load_private(private_stroke_cred_t *this, chunk_t line, int line_nr,
 	{
 		DBG1(DBG_CFG, "  loaded %N private key from '%s'",
 			 key_type_names, key->get_type(key), path);
-		this->private->insert_last(this->private, key);
+		this->creds->add_key(this->creds, key);
 	}
 	else
 	{
@@ -1070,7 +742,8 @@ static bool load_private(private_stroke_cred_t *this, chunk_t line, int line_nr,
 static bool load_shared(private_stroke_cred_t *this, chunk_t line, int line_nr,
 						shared_key_type_t type, chunk_t ids)
 {
-	stroke_shared_key_t *shared_key;
+	shared_key_t *shared_key;
+	linked_list_t *owners;
 	chunk_t secret = chunk_empty;
 	bool any = TRUE;
 
@@ -1080,12 +753,12 @@ static bool load_shared(private_stroke_cred_t *this, chunk_t line, int line_nr,
 		DBG1(DBG_CFG, "line %d: malformed secret: %s", line_nr, ugh);
 		return FALSE;
 	}
-	shared_key = stroke_shared_key_create(type, secret);
+	shared_key = shared_key_create(type, secret);
 	DBG1(DBG_CFG, "  loaded %N secret for %s", shared_key_type_names, type,
 		 ids.len > 0 ? (char*)ids.ptr : "%any");
 	DBG4(DBG_CFG, "  secret: %#B", &secret);
 
-	this->shared->insert_last(this->shared, shared_key);
+	owners = linked_list_create();
 	while (ids.len > 0)
 	{
 		chunk_t id;
@@ -1111,14 +784,15 @@ static bool load_shared(private_stroke_cred_t *this, chunk_t line, int line_nr,
 			continue;
 		}
 
-		shared_key->add_owner(shared_key, peer_id);
+		owners->insert_last(owners, peer_id);
 		any = FALSE;
 	}
 	if (any)
 	{
-		shared_key->add_owner(shared_key,
+		owners->insert_last(owners,
 					identification_create_from_encoding(ID_ANY, chunk_empty));
 	}
+	this->creds->add_shared_list(this->creds, shared_key, owners);
 	return TRUE;
 }
 
@@ -1130,8 +804,6 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level,
 {
 	int line_nr = 0, fd;
 	chunk_t src, line;
-	private_key_t *private;
-	shared_key_t *shared;
 	struct stat sb;
 	void *addr;
 
@@ -1160,20 +832,8 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level,
 	src = chunk_create(addr, sb.st_size);
 
 	if (level == 0)
-	{
-		this->lock->write_lock(this->lock);
-
-		/* flush secrets on non-recursive invocation */
-		while (this->shared->remove_last(this->shared,
-										 (void**)&shared) == SUCCESS)
-		{
-			shared->destroy(shared);
-		}
-		while (this->private->remove_last(this->private,
-										  (void**)&private) == SUCCESS)
-		{
-			private->destroy(private);
-		}
+	{	/* flush secrets on non-recursive invocation */
+		this->creds->clear_secrets(this->creds);
 	}
 
 	while (fetchline(&src, &line))
@@ -1234,7 +894,6 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level,
 			if (glob(pattern, GLOB_ERR, NULL, &buf) != 0)
 			{
 				DBG1(DBG_CFG, "expanding file expression '%s' failed", pattern);
-				globfree(&buf);
 			}
 			else
 			{
@@ -1302,10 +961,6 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level,
 			break;
 		}
 	}
-	if (level == 0)
-	{
-		this->lock->unlock(this->lock);
-	}
 	munmap(addr, sb.st_size);
 	close(fd);
 }
@@ -1384,10 +1039,8 @@ static void reread(private_stroke_cred_t *this, stroke_msg_t *msg, FILE *prompt)
  */
 static void destroy(private_stroke_cred_t *this)
 {
-	this->certs->destroy_offset(this->certs, offsetof(certificate_t, destroy));
-	this->shared->destroy_offset(this->shared, offsetof(shared_key_t, destroy));
-	this->private->destroy_offset(this->private, offsetof(private_key_t, destroy));
-	this->lock->destroy(this->lock);
+	lib->credmgr->remove_set(lib->credmgr, &this->creds->set);
+	this->creds->destroy(this->creds);
 	free(this);
 }
 
@@ -1398,9 +1051,9 @@ stroke_cred_t *stroke_cred_create()
 {
 	private_stroke_cred_t *this = malloc_thing(private_stroke_cred_t);
 
-	this->public.set.create_private_enumerator = (void*)create_private_enumerator;
-	this->public.set.create_cert_enumerator = (void*)create_cert_enumerator;
-	this->public.set.create_shared_enumerator = (void*)create_shared_enumerator;
+	this->public.set.create_private_enumerator = (void*)return_null;
+	this->public.set.create_cert_enumerator = (void*)return_null;
+	this->public.set.create_shared_enumerator = (void*)return_null;
 	this->public.set.create_cdp_enumerator = (void*)return_null;
 	this->public.set.cache_cert = (void*)cache_cert;
 	this->public.reread = (void(*)(stroke_cred_t*, stroke_msg_t *msg, FILE*))reread;
@@ -1409,10 +1062,8 @@ stroke_cred_t *stroke_cred_create()
 	this->public.cachecrl = (void(*)(stroke_cred_t*, bool enabled))cachecrl;
 	this->public.destroy = (void(*)(stroke_cred_t*))destroy;
 
-	this->certs = linked_list_create();
-	this->shared = linked_list_create();
-	this->private = linked_list_create();
-	this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
+	this->creds = mem_cred_create();
+	lib->credmgr->add_set(lib->credmgr, &this->creds->set);
 
 	load_certs(this);
 	load_secrets(this, SECRETS_FILE, 0, NULL);
diff --git a/src/libcharon/plugins/stroke/stroke_list.c b/src/libcharon/plugins/stroke/stroke_list.c
index 86deea490..36311f092 100644
--- a/src/libcharon/plugins/stroke/stroke_list.c
+++ b/src/libcharon/plugins/stroke/stroke_list.c
@@ -388,10 +388,8 @@ static void log_auth_cfgs(FILE *out, peer_cfg_t *peer_cfg, bool local)
 	enumerator->destroy(enumerator);
 }
 
-/**
- * Implementation of stroke_list_t.status.
- */
-static void status(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out, bool all)
+METHOD(stroke_list_t, status, void,
+	private_stroke_list_t *this, stroke_msg_t *msg, FILE *out, bool all)
 {
 	enumerator_t *enumerator, *children;
 	ike_cfg_t *ike_cfg;
@@ -756,7 +754,7 @@ static void stroke_list_certs(linked_list_t *list, char *label,
 			enumerator_t *enumerator;
 			identification_t *altName;
 			bool first_altName = TRUE;
-			int pathlen;
+			u_int pathlen;
 			chunk_t serial, authkey;
 			time_t notBefore, notAfter;
 			public_key_t *public;
@@ -836,10 +834,10 @@ static void stroke_list_certs(linked_list_t *list, char *label,
 			}
 
 			/* list optional pathLenConstraint */
-			pathlen = x509->get_pathLenConstraint(x509);
-			if (pathlen != X509_NO_PATH_LEN_CONSTRAINT)
+			pathlen = x509->get_constraint(x509, X509_PATH_LEN);
+			if (pathlen != X509_NO_CONSTRAINT)
 			{
-				fprintf(out, "  pathlen:   %d\n", pathlen);
+				fprintf(out, "  pathlen:   %u\n", pathlen);
 			}
 
 			/* list optional ipAddrBlocks */
@@ -979,6 +977,10 @@ static void stroke_list_crls(linked_list_t *list, bool utc, FILE *out)
 		{
 			fprintf(out, "  serial:    %#B\n", &chunk);
 		}
+		if (crl->is_delta_crl(crl, &chunk))
+		{
+			fprintf(out, "  delta for: %#B\n", &chunk);
+		}
 
 		/* count the number of revoked certificates */
 		{
@@ -1059,6 +1061,25 @@ static void stroke_list_ocsp(linked_list_t* list, bool utc, FILE *out)
 	enumerator->destroy(enumerator);
 }
 
+/**
+ * Print the name of an algorithm plus the name of the plugin that registered it
+ */
+static void print_alg(FILE *out, int *len, enum_name_t *alg_names, int alg_type,
+					  const char *plugin_name)
+{
+	char alg_name[BUF_LEN];
+	int alg_name_len;
+	
+	alg_name_len = sprintf(alg_name, " %N[%s]", alg_names, alg_type, plugin_name);
+	if (*len + alg_name_len > CRYPTO_MAX_ALG_LINE)
+	{
+		fprintf(out, "\n             ");
+		*len = 13;	
+	}
+	fprintf(out, "%s", alg_name);
+	*len += alg_name_len;
+}
+
 /**
  * List of registered cryptographical algorithms
  */
@@ -1070,58 +1091,73 @@ static void list_algs(FILE *out)
 	hash_algorithm_t hash;
 	pseudo_random_function_t prf;
 	diffie_hellman_group_t group;
+	rng_quality_t quality;
+	const char *plugin_name;
+	int len;
 
 	fprintf(out, "\n");
 	fprintf(out, "List of registered IKEv2 Algorithms:\n");
-	fprintf(out, "\n  encryption: ");
+	fprintf(out, "\n  encryption:");
+	len = 13;
 	enumerator = lib->crypto->create_crypter_enumerator(lib->crypto);
-	while (enumerator->enumerate(enumerator, &encryption))
+	while (enumerator->enumerate(enumerator, &encryption, &plugin_name))
 	{
-		fprintf(out, "%N ", encryption_algorithm_names, encryption);
+		print_alg(out, &len, encryption_algorithm_names, encryption, plugin_name);
 	}
 	enumerator->destroy(enumerator);
-	fprintf(out, "\n  integrity:  ");
+	fprintf(out, "\n  integrity: ");
+	len = 13;
 	enumerator = lib->crypto->create_signer_enumerator(lib->crypto);
-	while (enumerator->enumerate(enumerator, &integrity))
+	while (enumerator->enumerate(enumerator, &integrity, &plugin_name))
 	{
-		fprintf(out, "%N ", integrity_algorithm_names, integrity);
+		print_alg(out, &len, integrity_algorithm_names, integrity, plugin_name);
 	}
 	enumerator->destroy(enumerator);
-	fprintf(out, "\n  aead:       ");
+	fprintf(out, "\n  aead:      ");
+	len = 13;
 	enumerator = lib->crypto->create_aead_enumerator(lib->crypto);
-	while (enumerator->enumerate(enumerator, &encryption))
+	while (enumerator->enumerate(enumerator, &encryption, &plugin_name))
 	{
-		fprintf(out, "%N ", encryption_algorithm_names, encryption);
+		print_alg(out, &len, encryption_algorithm_names, encryption, plugin_name);
 	}
 	enumerator->destroy(enumerator);
-	fprintf(out, "\n  hasher:     ");
+	fprintf(out, "\n  hasher:    ");
+	len = 13;
 	enumerator = lib->crypto->create_hasher_enumerator(lib->crypto);
-	while (enumerator->enumerate(enumerator, &hash))
+	while (enumerator->enumerate(enumerator, &hash, &plugin_name))
 	{
-		fprintf(out, "%N ", hash_algorithm_names, hash);
+		print_alg(out, &len, hash_algorithm_names, hash, plugin_name);
 	}
 	enumerator->destroy(enumerator);
-	fprintf(out, "\n  prf:        ");
+	fprintf(out, "\n  prf:       ");
+	len = 13;
 	enumerator = lib->crypto->create_prf_enumerator(lib->crypto);
-	while (enumerator->enumerate(enumerator, &prf))
+	while (enumerator->enumerate(enumerator, &prf, &plugin_name))
 	{
-		fprintf(out, "%N ", pseudo_random_function_names, prf);
+		print_alg(out, &len, pseudo_random_function_names, prf, plugin_name);
 	}
 	enumerator->destroy(enumerator);
-	fprintf(out, "\n  dh-group:   ");
+	fprintf(out, "\n  dh-group:  ");
+	len = 13;
 	enumerator = lib->crypto->create_dh_enumerator(lib->crypto);
-	while (enumerator->enumerate(enumerator, &group))
+	while (enumerator->enumerate(enumerator, &group, &plugin_name))
 	{
-		fprintf(out, "%N ", diffie_hellman_group_names, group);
+		print_alg(out, &len, diffie_hellman_group_names, group, plugin_name);
+	}
+	enumerator->destroy(enumerator);
+	fprintf(out, "\n  random-gen:");
+	len = 13;
+	enumerator = lib->crypto->create_rng_enumerator(lib->crypto);
+	while (enumerator->enumerate(enumerator, &quality, &plugin_name))
+	{
+		print_alg(out, &len, rng_quality_names, quality, plugin_name);
 	}
 	enumerator->destroy(enumerator);
 	fprintf(out, "\n");
 }
 
-/**
- * Implementation of stroke_list_t.list.
- */
-static void list(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out)
+METHOD(stroke_list_t, list, void,
+	private_stroke_list_t *this, stroke_msg_t *msg, FILE *out)
 {
 	linked_list_t *cert_list = NULL;
 
@@ -1224,10 +1260,8 @@ static void pool_leases(private_stroke_list_t *this, FILE *out, char *pool,
 	}
 }
 
-/**
- * Implementation of stroke_list_t.leases
- */
-static void leases(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out)
+METHOD(stroke_list_t, leases, void,
+	private_stroke_list_t *this, stroke_msg_t *msg, FILE *out)
 {
 	enumerator_t *enumerator;
 	u_int size, offline, online;
@@ -1264,10 +1298,8 @@ static void leases(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out)
 	DESTROY_IF(address);
 }
 
-/**
- * Implementation of stroke_list_t.destroy
- */
-static void destroy(private_stroke_list_t *this)
+METHOD(stroke_list_t, destroy, void,
+	private_stroke_list_t *this)
 {
 	free(this);
 }
@@ -1277,15 +1309,19 @@ static void destroy(private_stroke_list_t *this)
  */
 stroke_list_t *stroke_list_create(stroke_attribute_t *attribute)
 {
-	private_stroke_list_t *this = malloc_thing(private_stroke_list_t);
-
-	this->public.list = (void(*)(stroke_list_t*, stroke_msg_t *msg, FILE *out))list;
-	this->public.status = (void(*)(stroke_list_t*, stroke_msg_t *msg, FILE *out,bool))status;
-	this->public.leases = (void(*)(stroke_list_t*, stroke_msg_t *msg, FILE *out))leases;
-	this->public.destroy = (void(*)(stroke_list_t*))destroy;
-
-	this->uptime = time_monotonic(NULL);
-	this->attribute = attribute;
+	private_stroke_list_t *this;
+
+	INIT(this,
+		.public = {
+
+			.list = _list,
+			.status = _status,
+			.leases = _leases,
+			.destroy = _destroy,
+		},
+		.uptime = time_monotonic(NULL),
+		.attribute = attribute,
+	);
 
 	return &this->public;
 }
diff --git a/src/libcharon/plugins/stroke/stroke_plugin.c b/src/libcharon/plugins/stroke/stroke_plugin.c
index 4361e5050..2e83d0d28 100644
--- a/src/libcharon/plugins/stroke/stroke_plugin.c
+++ b/src/libcharon/plugins/stroke/stroke_plugin.c
@@ -36,10 +36,8 @@ struct private_stroke_plugin_t {
 	stroke_socket_t *socket;
 };
 
-/**
- * Implementation of stroke_plugin_t.destroy
- */
-static void destroy(private_stroke_plugin_t *this)
+METHOD(plugin_t, destroy, void,
+	private_stroke_plugin_t *this)
 {
 	this->socket->destroy(this->socket);
 	free(this);
@@ -50,11 +48,17 @@ static void destroy(private_stroke_plugin_t *this)
  */
 plugin_t *stroke_plugin_create()
 {
-	private_stroke_plugin_t *this = malloc_thing(private_stroke_plugin_t);
+	private_stroke_plugin_t *this;
 
-	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+	INIT(this,
+		.public = {
+			.plugin = {
+				.destroy = _destroy,
+			},
+		},
+		.socket = stroke_socket_create(),
+	);
 
-	this->socket = stroke_socket_create();
 	if (this->socket == NULL)
 	{
 		free(this);
diff --git a/src/libcharon/plugins/stroke/stroke_shared_key.c b/src/libcharon/plugins/stroke/stroke_shared_key.c
deleted file mode 100644
index 4f716e83a..000000000
--- a/src/libcharon/plugins/stroke/stroke_shared_key.c
+++ /dev/null
@@ -1,140 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "stroke_shared_key.h"
-
-#include <utils/linked_list.h>
-
-typedef struct private_stroke_shared_key_t private_stroke_shared_key_t;
-
-/**
- * private data of shared_key
- */
-struct private_stroke_shared_key_t {
-
-	/**
-	 * implements shared_key_t
-	 */
-	stroke_shared_key_t public;
-
-	/**
-	 * type of this key
-	 */
-	shared_key_type_t type;
-
-	/**
-	 * data of the key
-	 */
-	chunk_t key;
-
-	/**
-	 * list of key owners, as identification_t
-	 */
-	linked_list_t *owners;
-
-	/**
-	 * reference counter
-	 */
-	refcount_t ref;
-};
-
-/**
- * Implementation of shared_key_t.get_type.
- */
-static shared_key_type_t get_type(private_stroke_shared_key_t *this)
-{
-	return this->type;
-}
-
-/**
- * Implementation of shared_key_t.get_ref.
- */
-static private_stroke_shared_key_t* get_ref(private_stroke_shared_key_t *this)
-{
-	ref_get(&this->ref);
-	return this;
-}
-
-/**
- * Implementation of shared_key_t.get_key.
- */
-static chunk_t get_key(private_stroke_shared_key_t *this)
-{
-	return this->key;
-}
-
-/**
- * Implementation of stroke_shared_key_t.has_owner.
- */
-static id_match_t has_owner(private_stroke_shared_key_t *this, identification_t *owner)
-{
-	enumerator_t *enumerator;
-	id_match_t match, best = ID_MATCH_NONE;
-	identification_t *current;
-
-	enumerator = this->owners->create_enumerator(this->owners);
-	while (enumerator->enumerate(enumerator, &current))
-	{
-		match  = owner->matches(owner, current);
-		if (match > best)
-		{
-			best = match;
-		}
-	}
-	enumerator->destroy(enumerator);
-	return best;
-}
-/**
- * Implementation of stroke_shared_key_t.add_owner.
- */
-static void add_owner(private_stroke_shared_key_t *this, identification_t *owner)
-{
-	this->owners->insert_last(this->owners, owner);
-}
-
-/**
- * Implementation of stroke_shared_key_t.destroy
- */
-static void destroy(private_stroke_shared_key_t *this)
-{
-	if (ref_put(&this->ref))
-	{
-		this->owners->destroy_offset(this->owners, offsetof(identification_t, destroy));
-		chunk_free(&this->key);
-		free(this);
-	}
-}
-
-/**
- * create a shared key
- */
-stroke_shared_key_t *stroke_shared_key_create(shared_key_type_t type, chunk_t key)
-{
-	private_stroke_shared_key_t *this = malloc_thing(private_stroke_shared_key_t);
-
-	this->public.shared.get_type = (shared_key_type_t(*)(shared_key_t*))get_type;
-	this->public.shared.get_key = (chunk_t(*)(shared_key_t*))get_key;
-	this->public.shared.get_ref = (shared_key_t*(*)(shared_key_t*))get_ref;
-	this->public.shared.destroy = (void(*)(shared_key_t*))destroy;
-	this->public.add_owner = (void(*)(stroke_shared_key_t*, identification_t *owner))add_owner;
-	this->public.has_owner = (id_match_t(*)(stroke_shared_key_t*, identification_t *owner))has_owner;
-
-	this->owners = linked_list_create();
-	this->type = type;
-	this->key = key;
-	this->ref = 1;
-
-	return &this->public;
-}
diff --git a/src/libcharon/plugins/stroke/stroke_shared_key.h b/src/libcharon/plugins/stroke/stroke_shared_key.h
deleted file mode 100644
index 05ad55083..000000000
--- a/src/libcharon/plugins/stroke/stroke_shared_key.h
+++ /dev/null
@@ -1,60 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup stroke_shared_key stroke_shared_key
- * @{ @ingroup stroke
- */
-
-#ifndef STROKE_SHARED_KEY_H_
-#define STROKE_SHARED_KEY_H_
-
-#include <utils/identification.h>
-#include <credentials/keys/shared_key.h>
-
-typedef struct stroke_shared_key_t stroke_shared_key_t;
-
-/**
- * Shared key implementation for keys read from ipsec.secrets
- */
-struct stroke_shared_key_t {
-
-	/**
-	 * Implements the shared_key_t interface.
-	 */
-	shared_key_t shared;
-
-	/**
-	 * Add an owner to the key.
-	 *
-	 * @param owner		owner to add
-	 */
-	void (*add_owner)(stroke_shared_key_t *this, identification_t *owner);
-
-	/**
-	 * Check if a key has a specific owner.
-	 *
-	 * @param owner		owner to check
-	 * @return			best match found
-	 */
-	id_match_t (*has_owner)(stroke_shared_key_t *this, identification_t *owner);
-};
-
-/**
- * Create a stroke_shared_key instance.
- */
-stroke_shared_key_t *stroke_shared_key_create(shared_key_type_t type, chunk_t key);
-
-#endif /** STROKE_SHARED_KEY_H_ @}*/
diff --git a/src/libcharon/plugins/stroke/stroke_socket.c b/src/libcharon/plugins/stroke/stroke_socket.c
index 0a5110fd3..18e77905d 100644
--- a/src/libcharon/plugins/stroke/stroke_socket.c
+++ b/src/libcharon/plugins/stroke/stroke_socket.c
@@ -151,6 +151,7 @@ static void pop_end(stroke_msg_t *msg, const char* label, stroke_end_t *end)
 	pop_string(msg, &end->ca);
 	pop_string(msg, &end->ca2);
 	pop_string(msg, &end->groups);
+	pop_string(msg, &end->cert_policy);
 	pop_string(msg, &end->updown);
 
 	DBG2(DBG_CFG, "  %s=%s", label, end->address);
@@ -245,6 +246,17 @@ static void stroke_terminate_srcip(private_stroke_socket_t *this,
 	this->control->terminate_srcip(this->control, msg, out);
 }
 
+/**
+ * rekey a connection by name/id
+ */
+static void stroke_rekey(private_stroke_socket_t *this, stroke_msg_t *msg, FILE *out)
+{
+	pop_string(msg, &msg->terminate.name);
+	DBG1(DBG_CFG, "received stroke: rekey '%s'", msg->rekey.name);
+
+	this->control->rekey(this->control, msg, out);
+}
+
 /**
  * route a policy (install SPD entries)
  */
@@ -348,6 +360,14 @@ static void stroke_purge(private_stroke_socket_t *this,
 	{
 		lib->credmgr->flush_cache(lib->credmgr, CERT_X509_OCSP_RESPONSE);
 	}
+	if (msg->purge.flags & PURGE_CRLS)
+	{
+		lib->credmgr->flush_cache(lib->credmgr, CERT_X509_CRL);
+	}
+	if (msg->purge.flags & PURGE_CERTS)
+	{
+		lib->credmgr->flush_cache(lib->credmgr, CERT_X509);
+	}
 	if (msg->purge.flags & PURGE_IKE)
 	{
 		this->control->purge_ike(this->control, msg, out);
@@ -510,6 +530,9 @@ static job_requeue_t process(stroke_job_context_t *ctx)
 		case STR_TERMINATE_SRCIP:
 			stroke_terminate_srcip(this, msg, out);
 			break;
+		case STR_REKEY:
+			stroke_rekey(this, msg, out);
+			break;
 		case STR_STATUS:
 			stroke_status(this, msg, out, FALSE);
 			break;
diff --git a/src/libcharon/plugins/tnc_imc/Makefile.am b/src/libcharon/plugins/tnc_imc/Makefile.am
index ca8869460..2c551813e 100644
--- a/src/libcharon/plugins/tnc_imc/Makefile.am
+++ b/src/libcharon/plugins/tnc_imc/Makefile.am
@@ -1,11 +1,9 @@
 
 INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon `xml2-config --cflags`
+	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = -rdynamic
 
-libstrongswan_tnc_imc_la_LIBADD = -ltnc
-
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-tnc-imc.la
 else
@@ -13,7 +11,8 @@ plugin_LTLIBRARIES = libstrongswan-tnc-imc.la
 endif
 
 libstrongswan_tnc_imc_la_SOURCES = \
-	tnc_imc_plugin.h tnc_imc_plugin.c
+	tnc_imc_plugin.h tnc_imc_plugin.c tnc_imc.h tnc_imc.c \
+	tnc_imc_manager.h tnc_imc_manager.c tnc_imc_bind_function.c
 
 libstrongswan_tnc_imc_la_LDFLAGS = -module -avoid-version
 
diff --git a/src/libcharon/plugins/tnc_imc/Makefile.in b/src/libcharon/plugins/tnc_imc/Makefile.in
index 9a8794e93..dc44408ff 100644
--- a/src/libcharon/plugins/tnc_imc/Makefile.in
+++ b/src/libcharon/plugins/tnc_imc/Makefile.in
@@ -74,8 +74,9 @@ am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
-libstrongswan_tnc_imc_la_DEPENDENCIES =
-am_libstrongswan_tnc_imc_la_OBJECTS = tnc_imc_plugin.lo
+libstrongswan_tnc_imc_la_LIBADD =
+am_libstrongswan_tnc_imc_la_OBJECTS = tnc_imc_plugin.lo tnc_imc.lo \
+	tnc_imc_manager.lo tnc_imc_bind_function.lo
 libstrongswan_tnc_imc_la_OBJECTS =  \
 	$(am_libstrongswan_tnc_imc_la_OBJECTS)
 libstrongswan_tnc_imc_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
@@ -221,9 +222,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -262,6 +261,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
@@ -273,14 +274,14 @@ urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon `xml2-config --cflags`
+	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = -rdynamic
-libstrongswan_tnc_imc_la_LIBADD = -ltnc
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-tnc-imc.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-tnc-imc.la
 libstrongswan_tnc_imc_la_SOURCES = \
-	tnc_imc_plugin.h tnc_imc_plugin.c
+	tnc_imc_plugin.h tnc_imc_plugin.c tnc_imc.h tnc_imc.c \
+	tnc_imc_manager.h tnc_imc_manager.c tnc_imc_bind_function.c
 
 libstrongswan_tnc_imc_la_LDFLAGS = -module -avoid-version
 all: all-am
@@ -366,6 +367,9 @@ mostlyclean-compile:
 distclean-compile:
 	-rm -f *.tab.c
 
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnc_imc.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnc_imc_bind_function.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnc_imc_manager.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnc_imc_plugin.Plo@am__quote@
 
 .c.o:
diff --git a/src/libcharon/plugins/tnc_imc/tnc_imc.c b/src/libcharon/plugins/tnc_imc/tnc_imc.c
new file mode 100644
index 000000000..174084436
--- /dev/null
+++ b/src/libcharon/plugins/tnc_imc/tnc_imc.c
@@ -0,0 +1,207 @@
+/*
+ * Copyright (C) 2006 Mike McCauley
+ * Copyright (C) 2010 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "tnc_imc.h"
+
+#include <dlfcn.h>
+
+#include <debug.h>
+#include <library.h>
+
+typedef struct private_tnc_imc_t private_tnc_imc_t;
+
+/**
+ * Private data of an imv_t object.
+ */
+struct private_tnc_imc_t {
+
+	/**
+	 * Public members of imc_t.
+	 */
+	imc_t public;
+
+	/**
+	 * Path of loaded IMC
+	 */
+	char *path;
+
+	/**
+	 * Name of loaded IMC
+	 */
+	char *name;
+
+	/**
+	 * Handle of loaded IMC
+	 */
+	void *handle;
+
+	/**
+	 * ID of loaded IMC
+	 */
+	TNC_IMCID id;
+
+	/**
+	 * List of message types supported by IMC
+	 */
+	TNC_MessageTypeList supported_types;
+
+	/**
+	 * Number of supported message types
+	 */
+	TNC_UInt32 type_count;
+};
+
+METHOD(imc_t, set_id, void,
+	private_tnc_imc_t *this, TNC_IMCID id)
+{
+	this->id = id;
+}
+
+METHOD(imc_t, get_id, TNC_IMCID,
+	private_tnc_imc_t *this)
+{
+	return this->id;
+}
+
+METHOD(imc_t, get_name, char*,
+	private_tnc_imc_t *this)
+{
+	return this->name;
+}
+
+METHOD(imc_t, set_message_types, void,
+	private_tnc_imc_t *this, TNC_MessageTypeList supported_types,
+							 TNC_UInt32 type_count)
+{
+	/* Free an existing MessageType list */
+	free(this->supported_types);
+	this->supported_types = NULL;
+
+	/* Store the new MessageType list */
+	this->type_count = type_count;
+	if (type_count && supported_types)
+	{
+		size_t size = type_count * sizeof(TNC_MessageType);
+
+		this->supported_types = malloc(size);
+		memcpy(this->supported_types, supported_types, size);
+	}
+	DBG2(DBG_TNC, "IMC %u supports %u message types", this->id, type_count);
+}
+
+METHOD(imc_t, type_supported, bool,
+	private_tnc_imc_t *this, TNC_MessageType message_type)
+{
+	TNC_VendorID msg_vid, vid;
+	TNC_MessageSubtype msg_subtype, subtype;
+	int i;
+
+    msg_vid = (message_type >> 8) & TNC_VENDORID_ANY;
+	msg_subtype = message_type & TNC_SUBTYPE_ANY;
+
+	for (i = 0; i < this->type_count; i++)
+	{
+	    vid = (this->supported_types[i] >> 8) & TNC_VENDORID_ANY;
+	    subtype = this->supported_types[i] & TNC_SUBTYPE_ANY;
+
+	    if (this->supported_types[i] == message_type
+		|| (subtype == TNC_SUBTYPE_ANY
+			&& (msg_vid == vid || vid == TNC_VENDORID_ANY))
+		|| (vid == TNC_VENDORID_ANY 
+		    && (msg_subtype == subtype || subtype == TNC_SUBTYPE_ANY)))
+		{
+			return TRUE;
+		}
+	}
+	return FALSE;
+}
+
+METHOD(imc_t, destroy, void,
+	private_tnc_imc_t *this)
+{
+	dlclose(this->handle);
+	free(this->supported_types);
+	free(this->name);
+	free(this->path);
+	free(this);
+}
+
+/**
+ * Described in header.
+ */
+imc_t* tnc_imc_create(char *name, char *path)
+{
+	private_tnc_imc_t *this;
+
+	INIT(this,
+		.public = {
+			.set_id = _set_id,
+			.get_id = _get_id,
+			.get_name = _get_name,
+			.set_message_types = _set_message_types,
+			.type_supported = _type_supported,
+			.destroy = _destroy,
+        },
+		.name = name,
+		.path = path,
+	);
+
+	this->handle = dlopen(path, RTLD_LAZY);
+	if (!this->handle)
+	{
+		DBG1(DBG_TNC, "IMC \"%s\" failed to load: %s", name, dlerror());
+		free(this);
+		return NULL;
+	}
+
+	this->public.initialize = dlsym(this->handle, "TNC_IMC_Initialize");
+	if (!this->public.initialize)
+    {
+		DBG1(DBG_TNC, "could not resolve TNC_IMC_Initialize in %s: %s\n",
+					   path, dlerror());
+		dlclose(this->handle);
+		free(this);
+		return NULL;
+	}
+	this->public.notify_connection_change =
+						 dlsym(this->handle, "TNC_IMC_NotifyConnectionChange");
+    this->public.begin_handshake = dlsym(this->handle, "TNC_IMC_BeginHandshake");
+	if (!this->public.begin_handshake)
+    {
+		DBG1(DBG_TNC, "could not resolve TNC_IMC_BeginHandshake in %s: %s\n",
+					   path, dlerror());
+		dlclose(this->handle);
+		free(this);
+		return NULL;
+	}
+    this->public.receive_message =
+						dlsym(this->handle, "TNC_IMC_ReceiveMessage");
+    this->public.batch_ending =
+						dlsym(this->handle, "TNC_IMC_BatchEnding");
+    this->public.terminate =
+						dlsym(this->handle, "TNC_IMC_Terminate");
+    this->public.provide_bind_function =
+						dlsym(this->handle, "TNC_IMC_ProvideBindFunction");
+    if (!this->public.provide_bind_function)
+	{
+		DBG1(DBG_TNC, "could not resolve TNC_IMC_ProvideBindFunction in %s: %s\n",
+					  path, dlerror());
+		dlclose(this->handle);
+		free(this);
+		return NULL;
+	}
+
+	return &this->public;
+}
diff --git a/src/libcharon/plugins/tnc_imc/tnc_imc.h b/src/libcharon/plugins/tnc_imc/tnc_imc.h
new file mode 100644
index 000000000..10a67f90b
--- /dev/null
+++ b/src/libcharon/plugins/tnc_imc/tnc_imc.h
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ *
+ * @defgroup tnc_imc_t tnc_imc
+ * @{ @ingroup tnc_imc
+ */
+
+#ifndef TNC_IMC_H_
+#define TNC_IMC_H_
+
+#include <tnc/imc/imc.h>
+
+/**
+ * Create an Integrity Measurement Collector.
+ *
+ * @param name			name of the IMC
+ * @param filename		path to the dynamic IMC library
+ * @return				instance of the imc_t interface
+ */
+imc_t* tnc_imc_create(char *name, char *filename);
+
+#endif /** TNC_IMC_H_ @}*/
diff --git a/src/libcharon/plugins/tnc_imc/tnc_imc_bind_function.c b/src/libcharon/plugins/tnc_imc/tnc_imc_bind_function.c
new file mode 100644
index 000000000..e18f1b006
--- /dev/null
+++ b/src/libcharon/plugins/tnc_imc/tnc_imc_bind_function.c
@@ -0,0 +1,83 @@
+/*
+ * Copyright (C) 2006 Mike McCauley
+ * Copyright (C) 2010 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "tnc_imc.h"
+
+#include <debug.h>
+#include <daemon.h>
+
+#define TNC_IMVID_ANY	0xffff
+
+/**
+ * Called by the IMC to inform a TNCC about the set of message types the IMC
+ * is able to receive
+ */
+TNC_Result TNC_TNCC_ReportMessageTypes(TNC_IMCID imc_id,
+									   TNC_MessageTypeList supported_types,
+									   TNC_UInt32 type_count)
+{
+	return charon->imcs->set_message_types(charon->imcs, imc_id,
+										   supported_types, type_count);
+}
+
+/**
+ * Called by the IMC to ask a TNCC to retry an Integrity Check Handshake
+ */
+TNC_Result TNC_TNCC_RequestHandshakeRetry(TNC_IMCID imc_id,
+										  TNC_ConnectionID connection_id,
+										  TNC_RetryReason reason)
+{
+	return charon->tnccs->request_handshake_retry(charon->tnccs, TRUE, imc_id,
+												  connection_id, reason);
+}
+
+/**
+ * Called by the IMC when an IMC-IMV message is to be sent
+ */
+TNC_Result TNC_TNCC_SendMessage(TNC_IMCID imc_id,
+								TNC_ConnectionID connection_id,
+								TNC_BufferReference msg,
+								TNC_UInt32 msg_len,
+								TNC_MessageType msg_type)
+{
+	return charon->tnccs->send_message(charon->tnccs, imc_id, TNC_IMVID_ANY,
+									   connection_id, msg, msg_len, msg_type);
+}
+
+/**
+ * Called by the IMC when it needs a function pointer
+ */
+TNC_Result TNC_TNCC_BindFunction(TNC_IMCID id,
+								 char *function_name,
+								 void **function_pointer)
+{
+	if (streq(function_name, "TNC_TNCC_ReportMessageTypes"))
+	{
+		*function_pointer = (void*)TNC_TNCC_ReportMessageTypes;
+	}
+    else if (streq(function_name, "TNC_TNCC_RequestHandshakeRetry"))
+	{
+		*function_pointer = (void*)TNC_TNCC_RequestHandshakeRetry;
+	}
+    else if (streq(function_name, "TNC_TNCC_SendMessage"))
+	{
+		*function_pointer = (void*)TNC_TNCC_SendMessage;
+	}
+    else
+	{
+		return TNC_RESULT_INVALID_PARAMETER;
+	}
+    return TNC_RESULT_SUCCESS;
+}
diff --git a/src/libcharon/plugins/tnc_imc/tnc_imc_manager.c b/src/libcharon/plugins/tnc_imc/tnc_imc_manager.c
new file mode 100644
index 000000000..aa20534f5
--- /dev/null
+++ b/src/libcharon/plugins/tnc_imc/tnc_imc_manager.c
@@ -0,0 +1,238 @@
+/*
+ * Copyright (C) 2006 Mike McCauley
+ * Copyright (C) 2010 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "tnc_imc_manager.h"
+
+#include <tnc/imc/imc_manager.h>
+#include <tnc/tncifimc.h>
+
+#include <debug.h>
+#include <library.h>
+#include <utils/linked_list.h>
+
+typedef struct private_tnc_imc_manager_t private_tnc_imc_manager_t;
+
+/**
+ * Private data of an imc_manager_t object.
+ */
+struct private_tnc_imc_manager_t {
+
+	/**
+	 * Public members of imc_manager_t.
+	 */
+	imc_manager_t public;
+
+	/**
+	 * Linked list of IMCs
+	 */
+	linked_list_t *imcs;
+
+	/**
+	 * Next IMC ID to be assigned
+	 */
+	TNC_IMCID next_imc_id;
+};
+
+METHOD(imc_manager_t, add, bool,
+	private_tnc_imc_manager_t *this, imc_t *imc)
+{
+	TNC_Version version;
+
+	/* Initialize the module */
+	imc->set_id(imc, this->next_imc_id);
+	if (imc->initialize(imc->get_id(imc), TNC_IFIMC_VERSION_1,
+			TNC_IFIMC_VERSION_1, &version) != TNC_RESULT_SUCCESS)
+	{
+		DBG1(DBG_TNC, "IMC \"%s\" failed to initialize", imc->get_name(imc));
+		return FALSE;
+	}
+	this->imcs->insert_last(this->imcs, imc);
+	this->next_imc_id++;
+
+	if (imc->provide_bind_function(imc->get_id(imc), TNC_TNCC_BindFunction)
+			!= TNC_RESULT_SUCCESS)
+	{
+		DBG1(DBG_TNC, "IMC \"%s\" failed to obtain bind function",
+					   imc->get_name(imc));
+		this->imcs->remove_last(this->imcs, (void**)&imc);
+		return FALSE;
+	}
+
+	return TRUE;
+}
+
+METHOD(imc_manager_t, remove_, imc_t*,
+	private_tnc_imc_manager_t *this, TNC_IMCID id)
+{
+	enumerator_t *enumerator;
+	imc_t *imc;
+
+	enumerator = this->imcs->create_enumerator(this->imcs);
+	while (enumerator->enumerate(enumerator, &imc))
+	{
+		if (id == imc->get_id(imc))
+		{
+			this->imcs->remove_at(this->imcs, enumerator);
+			return imc;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return NULL;
+}
+
+METHOD(imc_manager_t, get_preferred_language, char*,
+	private_tnc_imc_manager_t *this)
+{
+	return lib->settings->get_str(lib->settings,
+					"charon.plugins.tnc-imc.preferred_language", "en");
+}
+
+METHOD(imc_manager_t, notify_connection_change, void,
+	private_tnc_imc_manager_t *this, TNC_ConnectionID id,
+									 TNC_ConnectionState state)
+{
+	enumerator_t *enumerator;
+	imc_t *imc;
+
+	enumerator = this->imcs->create_enumerator(this->imcs);
+	while (enumerator->enumerate(enumerator, &imc))
+	{
+		if (imc->notify_connection_change)
+		{
+			imc->notify_connection_change(imc->get_id(imc), id, state);
+		}
+	}
+	enumerator->destroy(enumerator);
+}
+
+METHOD(imc_manager_t, begin_handshake, void,
+	private_tnc_imc_manager_t *this, TNC_ConnectionID id)
+{
+	enumerator_t *enumerator;
+	imc_t *imc;
+
+	enumerator = this->imcs->create_enumerator(this->imcs);
+	while (enumerator->enumerate(enumerator, &imc))
+	{
+		imc->begin_handshake(imc->get_id(imc), id);
+	}
+	enumerator->destroy(enumerator);
+}
+
+METHOD(imc_manager_t, set_message_types, TNC_Result,
+	private_tnc_imc_manager_t *this, TNC_IMCID id,
+									 TNC_MessageTypeList supported_types,
+									 TNC_UInt32 type_count)
+{
+	enumerator_t *enumerator;
+	imc_t *imc;
+	TNC_Result result = TNC_RESULT_FATAL;
+
+	enumerator = this->imcs->create_enumerator(this->imcs);
+	while (enumerator->enumerate(enumerator, &imc))
+	{
+		if (id == imc->get_id(imc))
+		{
+			imc->set_message_types(imc, supported_types, type_count);
+			result = TNC_RESULT_SUCCESS;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return result;
+}
+
+METHOD(imc_manager_t, receive_message, void,
+	private_tnc_imc_manager_t *this, TNC_ConnectionID connection_id,
+									 TNC_BufferReference message,
+									 TNC_UInt32 message_len,
+									 TNC_MessageType message_type)
+{
+	enumerator_t *enumerator;
+	imc_t *imc;
+
+	enumerator = this->imcs->create_enumerator(this->imcs);
+	while (enumerator->enumerate(enumerator, &imc))
+	{
+		if (imc->receive_message && imc->type_supported(imc, message_type))
+		{
+			imc->receive_message(imc->get_id(imc), connection_id,
+								 message, message_len, message_type);
+		}
+	}
+	enumerator->destroy(enumerator);
+}
+
+METHOD(imc_manager_t, batch_ending, void,
+	private_tnc_imc_manager_t *this, TNC_ConnectionID id)
+{
+	enumerator_t *enumerator;
+	imc_t *imc;
+
+	enumerator = this->imcs->create_enumerator(this->imcs);
+	while (enumerator->enumerate(enumerator, &imc))
+	{
+		if (imc->batch_ending)
+		{
+			imc->batch_ending(imc->get_id(imc), id);
+		}
+	}
+	enumerator->destroy(enumerator);
+}
+
+METHOD(imc_manager_t, destroy, void,
+	private_tnc_imc_manager_t *this)
+{
+	imc_t *imc;
+
+	while (this->imcs->remove_last(this->imcs, (void**)&imc) == SUCCESS)
+	{
+		if (imc->terminate &&
+			imc->terminate(imc->get_id(imc)) != TNC_RESULT_SUCCESS)
+		{
+			DBG1(DBG_TNC, "IMC \"%s\" not terminated successfully",
+						   imc->get_name(imc));
+		}
+		imc->destroy(imc);
+	}
+	this->imcs->destroy(this->imcs);
+	free(this);
+}
+
+/**
+ * Described in header.
+ */
+imc_manager_t* tnc_imc_manager_create(void)
+{
+	private_tnc_imc_manager_t *this;
+
+	INIT(this,
+		.public = {
+			.add = _add,
+			.remove = _remove_, /* avoid name conflict with stdio.h */
+			.get_preferred_language = _get_preferred_language,
+			.notify_connection_change = _notify_connection_change,
+			.begin_handshake = _begin_handshake,
+			.set_message_types = _set_message_types,
+			.receive_message = _receive_message,
+			.batch_ending = _batch_ending,
+			.destroy = _destroy,
+		},
+		.imcs = linked_list_create(),
+		.next_imc_id = 1,
+	);
+
+	return &this->public;
+}
diff --git a/src/libcharon/plugins/tnc_imc/tnc_imc_manager.h b/src/libcharon/plugins/tnc_imc/tnc_imc_manager.h
new file mode 100644
index 000000000..ed490293b
--- /dev/null
+++ b/src/libcharon/plugins/tnc_imc/tnc_imc_manager.h
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ *
+ * @defgroup tnc_imc_manager tnc_imc_manager
+ * @{ @ingroup tnc_imc
+ */
+
+#ifndef TNC_IMC_MANAGER_H_
+#define TNC_IMC_MANAGER_H_
+
+#include <tnc/imc/imc_manager.h>
+
+/**
+ * Create an IMC manager instance.
+ */
+imc_manager_t *tnc_imc_manager_create();
+
+#endif /** TNC_IMC_MANAGER_H_ @}*/
diff --git a/src/libcharon/plugins/tnc_imc/tnc_imc_plugin.c b/src/libcharon/plugins/tnc_imc/tnc_imc_plugin.c
index 0ce930ba3..89888040a 100644
--- a/src/libcharon/plugins/tnc_imc/tnc_imc_plugin.c
+++ b/src/libcharon/plugins/tnc_imc/tnc_imc_plugin.c
@@ -14,15 +14,137 @@
  */
 
 #include "tnc_imc_plugin.h"
+#include "tnc_imc_manager.h"
+#include "tnc_imc.h"
 
-#include <libtnctncc.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/mman.h>
+#include <unistd.h>
+#include <errno.h>
+#include <fcntl.h>
 
 #include <daemon.h>
+#include <utils/lexparser.h>
+
+/**
+ * load IMCs from a configuration file
+ */
+static bool load_imcs(char *filename)
+{
+	int fd, line_nr = 0;
+	chunk_t src, line;
+	struct stat sb;
+	void *addr;
+
+	DBG1(DBG_TNC, "loading IMCs from '%s'", filename);
+	fd = open(filename, O_RDONLY);
+	if (fd == -1)
+	{
+		DBG1(DBG_TNC, "opening configuration file '%s' failed: %s", filename,
+			 strerror(errno));
+		return FALSE;
+	}
+	if (fstat(fd, &sb) == -1)
+	{
+		DBG1(DBG_LIB, "getting file size of '%s' failed: %s", filename,
+			 strerror(errno));
+		close(fd);
+		return FALSE;
+	}
+	addr = mmap(NULL, sb.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
+	if (addr == MAP_FAILED)
+	{
+		DBG1(DBG_LIB, "mapping '%s' failed: %s", filename, strerror(errno));
+		close(fd);
+		return FALSE;
+	}
+	src = chunk_create(addr, sb.st_size);
+
+	while (fetchline(&src, &line))
+	{
+		char *name, *path;
+		chunk_t token;
+		imc_t *imc;
+
+		line_nr++;
+
+		/* skip comments or empty lines */
+		if (*line.ptr == '#' || !eat_whitespace(&line))
+		{
+			continue;
+		}
+
+		/* determine keyword */
+		if (!extract_token(&token, ' ', &line))
+		{
+			DBG1(DBG_TNC, "line %d: keyword must be followed by a space",
+						   line_nr);
+			return FALSE;
+		}
+
+		/* only interested in IMCs */
+		if (!match("IMC", &token))
+		{
+			continue;
+		}
+
+		/* advance to the IMC name and extract it */
+		if (!extract_token(&token, '"', &line) ||
+			!extract_token(&token, '"', &line))
+		{
+			DBG1(DBG_TNC, "line %d: IMC name must be set in double quotes",
+						   line_nr);
+			return FALSE;
+		}
+
+		/* copy the IMC name */
+		name = malloc(token.len + 1);
+		memcpy(name, token.ptr, token.len);
+		name[token.len] = '\0';
+
+		/* advance to the IMC path and extract it */
+		if (!eat_whitespace(&line))
+		{
+			DBG1(DBG_TNC, "line %d: IMC path is missing", line_nr);
+			free(name);
+			return FALSE;
+		}
+		if (!extract_token(&token, ' ', &line))
+		{
+			token = line;
+		}
+
+		/* copy the IMC path */
+		path = malloc(token.len + 1);
+		memcpy(path, token.ptr, token.len);
+		path[token.len] = '\0';
+
+		/* load and register IMC instance */
+		imc = tnc_imc_create(name, path);
+		if (!imc)
+		{
+			free(name);
+			free(path);
+			return FALSE;
+		}
+		if (!charon->imcs->add(charon->imcs, imc))
+		{
+			imc->destroy(imc);
+			return FALSE;
+		}
+		DBG1(DBG_TNC, "IMC %u \"%s\" loaded from '%s'", imc->get_id(imc),
+														name, path);
+	}
+	munmap(addr, sb.st_size);
+	close(fd);
+	return TRUE;
+}
 
 METHOD(plugin_t, destroy, void,
 	tnc_imc_plugin_t *this)
 {
-	libtnc_tncc_Terminate();
+	charon->imcs->destroy(charon->imcs);
 	free(this);
 }
 
@@ -31,7 +153,7 @@ METHOD(plugin_t, destroy, void,
  */
 plugin_t *tnc_imc_plugin_create()
 {
-	char *tnc_config, *pref_lang;
+	char *tnc_config;
 	tnc_imc_plugin_t *this;
 
 	INIT(this,
@@ -40,18 +162,19 @@ plugin_t *tnc_imc_plugin_create()
 		},
 	);
 
-	pref_lang = lib->settings->get_str(lib->settings,
-					"charon.plugins.tnc-imc.preferred_language", "en");
+	/* Create IMC manager */
+	charon->imcs = tnc_imc_manager_create();
+
+	/* Load IMCs and abort if not all instances initalize successfully */
 	tnc_config = lib->settings->get_str(lib->settings,
 					"charon.plugins.tnc-imc.tnc_config", "/etc/tnc_config");
-
-	if (libtnc_tncc_Initialize(tnc_config) != TNC_RESULT_SUCCESS)
+	if (!load_imcs(tnc_config))
 	{
+		charon->imcs->destroy(charon->imcs);
+		charon->imcs = NULL;
 		free(this);
-		DBG1(DBG_TNC, "TNC IMC initialization failed");
 		return NULL;
 	}
-
 	return &this->plugin;
 }
 
diff --git a/src/libcharon/plugins/tnc_imv/Makefile.am b/src/libcharon/plugins/tnc_imv/Makefile.am
index 9c3b47364..3ba283bb7 100644
--- a/src/libcharon/plugins/tnc_imv/Makefile.am
+++ b/src/libcharon/plugins/tnc_imv/Makefile.am
@@ -1,11 +1,9 @@
 
 INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon `xml2-config --cflags`
+	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = -rdynamic
 
-libstrongswan_tnc_imv_la_LIBADD = -ltnc
-
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-tnc-imv.la
 else
@@ -13,7 +11,9 @@ plugin_LTLIBRARIES = libstrongswan-tnc-imv.la
 endif
 
 libstrongswan_tnc_imv_la_SOURCES = \
-	tnc_imv_plugin.h tnc_imv_plugin.c
+	tnc_imv_plugin.h tnc_imv_plugin.c tnc_imv.h tnc_imv.c \
+	tnc_imv_manager.h tnc_imv_manager.c tnc_imv_bind_function.c \
+	tnc_imv_recommendations.h tnc_imv_recommendations.c
 
 libstrongswan_tnc_imv_la_LDFLAGS = -module -avoid-version
 
diff --git a/src/libcharon/plugins/tnc_imv/Makefile.in b/src/libcharon/plugins/tnc_imv/Makefile.in
index f89b5e03b..0324d2eb9 100644
--- a/src/libcharon/plugins/tnc_imv/Makefile.in
+++ b/src/libcharon/plugins/tnc_imv/Makefile.in
@@ -74,8 +74,10 @@ am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
-libstrongswan_tnc_imv_la_DEPENDENCIES =
-am_libstrongswan_tnc_imv_la_OBJECTS = tnc_imv_plugin.lo
+libstrongswan_tnc_imv_la_LIBADD =
+am_libstrongswan_tnc_imv_la_OBJECTS = tnc_imv_plugin.lo tnc_imv.lo \
+	tnc_imv_manager.lo tnc_imv_bind_function.lo \
+	tnc_imv_recommendations.lo
 libstrongswan_tnc_imv_la_OBJECTS =  \
 	$(am_libstrongswan_tnc_imv_la_OBJECTS)
 libstrongswan_tnc_imv_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
@@ -221,9 +223,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -262,6 +262,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
@@ -273,14 +275,15 @@ urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon `xml2-config --cflags`
+	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = -rdynamic
-libstrongswan_tnc_imv_la_LIBADD = -ltnc
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-tnc-imv.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-tnc-imv.la
 libstrongswan_tnc_imv_la_SOURCES = \
-	tnc_imv_plugin.h tnc_imv_plugin.c
+	tnc_imv_plugin.h tnc_imv_plugin.c tnc_imv.h tnc_imv.c \
+	tnc_imv_manager.h tnc_imv_manager.c tnc_imv_bind_function.c \
+	tnc_imv_recommendations.h tnc_imv_recommendations.c
 
 libstrongswan_tnc_imv_la_LDFLAGS = -module -avoid-version
 all: all-am
@@ -366,7 +369,11 @@ mostlyclean-compile:
 distclean-compile:
 	-rm -f *.tab.c
 
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnc_imv.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnc_imv_bind_function.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnc_imv_manager.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnc_imv_plugin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnc_imv_recommendations.Plo@am__quote@
 
 .c.o:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv.c b/src/libcharon/plugins/tnc_imv/tnc_imv.c
new file mode 100644
index 000000000..f88b645d6
--- /dev/null
+++ b/src/libcharon/plugins/tnc_imv/tnc_imv.c
@@ -0,0 +1,208 @@
+/*
+ * Copyright (C) 2006 Mike McCauley
+ * Copyright (C) 2010 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "tnc_imv.h"
+
+#include <dlfcn.h>
+
+#include <debug.h>
+#include <library.h>
+
+typedef struct private_tnc_imv_t private_tnc_imv_t;
+
+/**
+ * Private data of an imv_t object.
+ */
+struct private_tnc_imv_t {
+
+	/**
+	 * Public members of imv_t.
+	 */
+	imv_t public;
+
+	/**
+	 * Path of loaded IMV
+	 */
+	char *path;
+
+	/**
+	 * Name of loaded IMV
+	 */
+	char *name;
+
+	/**
+	 * Handle of loaded IMV
+	 */
+	void *handle;
+
+	/**
+	 * ID of loaded IMV
+	 */
+	TNC_IMVID id;
+
+	/**
+	 * List of message types supported by IMC
+	 */
+	TNC_MessageTypeList supported_types;
+
+	/**
+	 * Number of supported message types
+	 */
+	TNC_UInt32 type_count;
+};
+
+METHOD(imv_t, set_id, void,
+	private_tnc_imv_t *this, TNC_IMVID id)
+{
+	this->id = id;
+}
+
+METHOD(imv_t, get_id, TNC_IMVID,
+	private_tnc_imv_t *this)
+{
+	return this->id;
+}
+
+METHOD(imv_t, get_name, char*,
+	private_tnc_imv_t *this)
+{
+	return this->name;
+}
+
+METHOD(imv_t, set_message_types, void,
+	private_tnc_imv_t *this, TNC_MessageTypeList supported_types,
+							 TNC_UInt32 type_count)
+{
+	/* Free an existing MessageType list */
+	free(this->supported_types);
+	this->supported_types = NULL;
+
+	/* Store the new MessageType list */
+	this->type_count = type_count;
+	if (type_count && supported_types)
+	{
+		size_t size = type_count * sizeof(TNC_MessageType);
+
+		this->supported_types = malloc(size);
+		memcpy(this->supported_types, supported_types, size);
+	}
+	DBG2(DBG_TNC, "IMV %u supports %u message types", this->id, type_count);
+}
+
+METHOD(imv_t, type_supported, bool,
+	private_tnc_imv_t *this, TNC_MessageType message_type)
+{
+	TNC_VendorID msg_vid, vid;
+	TNC_MessageSubtype msg_subtype, subtype;
+	int i;
+
+	msg_vid = (message_type >> 8) & TNC_VENDORID_ANY;
+	msg_subtype = message_type & TNC_SUBTYPE_ANY;
+
+	for (i = 0; i < this->type_count; i++)
+	{
+		vid = (this->supported_types[i] >> 8) & TNC_VENDORID_ANY;
+		subtype = this->supported_types[i] & TNC_SUBTYPE_ANY;
+
+		if (this->supported_types[i] == message_type
+		|| (subtype == TNC_SUBTYPE_ANY
+			&& (msg_vid == vid || vid == TNC_VENDORID_ANY))
+		|| (vid == TNC_VENDORID_ANY
+			&& (msg_subtype == subtype || subtype == TNC_SUBTYPE_ANY)))
+		{
+			return TRUE;
+		}
+	}
+	return FALSE;
+}
+
+METHOD(imv_t, destroy, void,
+	private_tnc_imv_t *this)
+{
+	dlclose(this->handle);
+	free(this->supported_types);
+	free(this->name);
+	free(this->path);
+	free(this);
+}
+
+/**
+ * Described in header.
+ */
+imv_t* tnc_imv_create(char *name, char *path)
+{
+	private_tnc_imv_t *this;
+
+	INIT(this,
+		.public = {
+			.set_id = _set_id,
+			.get_id = _get_id,
+			.get_name = _get_name,
+			.set_message_types = _set_message_types,
+			.type_supported = _type_supported,
+			.destroy = _destroy,
+		},
+		.name = name,
+		.path = path,
+	);
+
+	this->handle = dlopen(path, RTLD_LAZY);
+	if (!this->handle)
+	{
+		DBG1(DBG_TNC, "IMV \"%s\" failed to load: %s", name, dlerror());
+		free(this);
+		return NULL;
+	}
+
+	this->public.initialize = dlsym(this->handle, "TNC_IMV_Initialize");
+	if (!this->public.initialize)
+	{
+		DBG1(DBG_TNC, "could not resolve TNC_IMV_Initialize in %s: %s\n",
+					   path, dlerror());
+		dlclose(this->handle);
+		free(this);
+		return NULL;
+	}
+	this->public.notify_connection_change =
+						dlsym(this->handle, "TNC_IMV_NotifyConnectionChange");
+	this->public.solicit_recommendation =
+						dlsym(this->handle, "TNC_IMV_SolicitRecommendation");
+	if (!this->public.solicit_recommendation)
+	{
+		DBG1(DBG_TNC, "could not resolve TNC_IMV_SolicitRecommendation in %s: %s\n",
+					   path, dlerror());
+		dlclose(this->handle);
+		free(this);
+		return NULL;
+	}
+	this->public.receive_message =
+						dlsym(this->handle, "TNC_IMV_ReceiveMessage");
+	this->public.batch_ending =
+						dlsym(this->handle, "TNC_IMV_BatchEnding");
+	this->public.terminate =
+						dlsym(this->handle, "TNC_IMV_Terminate");
+	this->public.provide_bind_function =
+						dlsym(this->handle, "TNC_IMV_ProvideBindFunction");
+	if (!this->public.provide_bind_function)
+	{
+		DBG1(DBG_TNC, "could not resolve TNC_IMV_ProvideBindFunction in %s: %s\n",
+					  path, dlerror());
+		dlclose(this->handle);
+		free(this);
+		return NULL;
+	}
+
+	return &this->public;
+}
diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv.h b/src/libcharon/plugins/tnc_imv/tnc_imv.h
new file mode 100644
index 000000000..75939e54c
--- /dev/null
+++ b/src/libcharon/plugins/tnc_imv/tnc_imv.h
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ *
+ * @defgroup tnc_imv_t tnc_imv
+ * @{ @ingroup tnc_imv
+ */
+
+#ifndef TNC_IMV_H_
+#define TNC_IMV_H_
+
+#include <tnc/imv/imv.h>
+
+/**
+ * Create an Integrity Measurement Verifier.
+ *
+ * @param name			name of the IMV
+ * @param filename		path to the dynamic IMV library
+ * @return				instance of the imv_t interface
+ */
+imv_t* tnc_imv_create(char *name, char *filename);
+
+#endif /** TNC_IMV_H_ @}*/
diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv_bind_function.c b/src/libcharon/plugins/tnc_imv/tnc_imv_bind_function.c
new file mode 100644
index 000000000..0ea52f08e
--- /dev/null
+++ b/src/libcharon/plugins/tnc_imv/tnc_imv_bind_function.c
@@ -0,0 +1,137 @@
+/*
+ * Copyright (C) 2006 Mike McCauley
+ * Copyright (C) 2010 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "tnc_imv.h"
+
+#include <debug.h>
+#include <daemon.h>
+
+#define TNC_IMCID_ANY	0xffff
+
+/**
+ * Called by the IMV to inform a TNCS about the set of message types the IMV
+ * is able to receive
+ */
+TNC_Result TNC_TNCS_ReportMessageTypes(TNC_IMVID imv_id,
+									   TNC_MessageTypeList supported_types,
+									   TNC_UInt32 type_count)
+{
+	return charon->imvs->set_message_types(charon->imvs, imv_id,
+										   supported_types, type_count);
+}
+
+/**
+ * Called by the IMV to ask a TNCS to retry an Integrity Check Handshake
+ */
+TNC_Result TNC_TNCS_RequestHandshakeRetry(TNC_IMVID imv_id,
+										  TNC_ConnectionID connection_id,
+										  TNC_RetryReason reason)
+{
+	return charon->tnccs->request_handshake_retry(charon->tnccs, FALSE, imv_id,
+												  connection_id, reason);
+}
+
+/**
+ * Called by the IMV when an IMV-IMC message is to be sent
+ */
+TNC_Result TNC_TNCS_SendMessage(TNC_IMVID imv_id,
+								TNC_ConnectionID connection_id,
+								TNC_BufferReference msg,
+								TNC_UInt32 msg_len,
+								TNC_MessageType msg_type)
+{
+	return charon->tnccs->send_message(charon->tnccs, TNC_IMCID_ANY, imv_id,
+									   connection_id, msg, msg_len, msg_type);
+}
+
+/**
+ * Called by the IMV to deliver its IMV Action Recommendation and IMV Evaluation
+ * Result to the TNCS
+ */
+TNC_Result TNC_TNCS_ProvideRecommendation(TNC_IMVID imv_id,
+								TNC_ConnectionID connection_id,
+								TNC_IMV_Action_Recommendation recommendation,
+								TNC_IMV_Evaluation_Result evaluation)
+{
+	return charon->tnccs->provide_recommendation(charon->tnccs, imv_id,
+							connection_id, recommendation, evaluation);
+}
+
+/**
+ * Called by the IMV to get the value of an attribute associated with a
+ * connection or with the TNCS as a whole.
+ */
+TNC_Result TNC_TNCS_GetAttribute(TNC_IMVID imv_id,
+								 TNC_ConnectionID connection_id,
+								 TNC_AttributeID attribute_id,
+								 TNC_UInt32 buffer_len,
+								 TNC_BufferReference buffer,
+								 TNC_UInt32 *out_value_len)
+{
+	return charon->tnccs->get_attribute(charon->tnccs, imv_id, connection_id,
+							attribute_id, buffer_len, buffer, out_value_len);
+}
+
+/**
+ * Called by the IMV to set the value of an attribute associated with a
+ * connection or with the TNCS as a whole.
+ */
+TNC_Result TNC_TNCS_SetAttribute(TNC_IMVID imv_id,
+								 TNC_ConnectionID connection_id,
+								 TNC_AttributeID attribute_id,
+								 TNC_UInt32 buffer_len,
+								 TNC_BufferReference buffer)
+{
+	return charon->tnccs->set_attribute(charon->tnccs, imv_id, connection_id,
+										attribute_id, buffer_len, buffer);
+}
+
+/**
+ * Called by the IMV when it needs a function pointer
+ */
+TNC_Result TNC_TNCS_BindFunction(TNC_IMVID id,
+								 char *function_name,
+								 void **function_pointer)
+{
+	if (streq(function_name, "TNC_TNCS_ReportMessageTypes"))
+	{
+		*function_pointer = (void*)TNC_TNCS_ReportMessageTypes;
+	}
+	else if (streq(function_name, "TNC_TNCS_RequestHandshakeRetry"))
+	{
+		*function_pointer = (void*)TNC_TNCS_RequestHandshakeRetry;
+	}
+	else if (streq(function_name, "TNC_TNCS_SendMessage"))
+	{
+		*function_pointer = (void*)TNC_TNCS_SendMessage;
+	}
+	else if (streq(function_name, "TNC_TNCS_ProvideRecommendation"))
+	{
+		*function_pointer = (void*)TNC_TNCS_ProvideRecommendation;
+	}
+	else if (streq(function_name, "TNC_TNCS_GetAttribute"))
+	{
+		*function_pointer = (void*)TNC_TNCS_GetAttribute;
+	}
+	else if (streq(function_name, "TNC_TNCS_SetAttribute"))
+	{
+		*function_pointer = (void*)TNC_TNCS_SetAttribute;
+	}
+	else
+	{
+		return TNC_RESULT_INVALID_PARAMETER;
+	}
+	return TNC_RESULT_SUCCESS;
+}
diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv_manager.c b/src/libcharon/plugins/tnc_imv/tnc_imv_manager.c
new file mode 100644
index 000000000..559de86d0
--- /dev/null
+++ b/src/libcharon/plugins/tnc_imv/tnc_imv_manager.c
@@ -0,0 +1,295 @@
+/*
+ * Copyright (C) 2006 Mike McCauley
+ * Copyright (C) 2010 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "tnc_imv_manager.h"
+#include "tnc_imv_recommendations.h"
+
+#include <tnc/imv/imv_manager.h>
+#include <tnc/tncifimv.h>
+
+#include <debug.h>
+#include <daemon.h>
+#include <threading/mutex.h>
+
+typedef struct private_tnc_imv_manager_t private_tnc_imv_manager_t;
+
+
+/**
+ * Private data of an imv_manager_t object.
+ */
+struct private_tnc_imv_manager_t {
+
+	/**
+	 * Public members of imv_manager_t.
+	 */
+	imv_manager_t public;
+
+	/**
+	 * Linked list of IMVs
+	 */
+	linked_list_t *imvs;
+
+	/**
+	 * Next IMV ID to be assigned
+	 */
+	TNC_IMVID next_imv_id;
+
+	/**
+	 * Policy defining how to derive final recommendation from individual ones
+	 */
+	recommendation_policy_t policy;
+};
+
+METHOD(imv_manager_t, add, bool,
+	private_tnc_imv_manager_t *this, imv_t *imv)
+{
+	TNC_Version version;
+
+	/* Initialize the IMV module */
+	imv->set_id(imv, this->next_imv_id);
+	if (imv->initialize(imv->get_id(imv), TNC_IFIMV_VERSION_1,
+		TNC_IFIMV_VERSION_1, &version) != TNC_RESULT_SUCCESS)
+	{
+		DBG1(DBG_TNC, "IMV \"%s\" failed to initialize", imv->get_name(imv));
+		return FALSE;
+	}
+	this->imvs->insert_last(this->imvs, imv);
+	this->next_imv_id++;
+
+	if (imv->provide_bind_function(imv->get_id(imv), TNC_TNCS_BindFunction)
+			!= TNC_RESULT_SUCCESS)
+	{
+		DBG1(DBG_TNC, "IMV \"%s\" could failed to obtain bind function",
+					   imv->get_name(imv));
+		this->imvs->remove_last(this->imvs, (void**)&imv);
+		return FALSE;
+	}
+
+	return TRUE;
+}
+
+METHOD(imv_manager_t, remove_, imv_t*,
+	private_tnc_imv_manager_t *this, TNC_IMVID id)
+{
+	enumerator_t *enumerator;
+	imv_t *imv;
+
+	enumerator = this->imvs->create_enumerator(this->imvs);
+	while (enumerator->enumerate(enumerator, &imv))
+	{
+		if (id == imv->get_id(imv))
+		{
+			this->imvs->remove_at(this->imvs, enumerator);
+			return imv;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return NULL;
+}
+
+METHOD(imv_manager_t, get_recommendation_policy, recommendation_policy_t,
+	private_tnc_imv_manager_t *this)
+{
+	return this->policy;
+}
+
+METHOD(imv_manager_t, create_recommendations, recommendations_t*,
+	private_tnc_imv_manager_t *this)
+{
+	return tnc_imv_recommendations_create(this->imvs);
+}
+
+METHOD(imv_manager_t, enforce_recommendation, bool,
+	private_tnc_imv_manager_t *this, TNC_IMV_Action_Recommendation rec)
+{
+	char *group;
+	identification_t *id;
+	ike_sa_t *ike_sa;
+	auth_cfg_t *auth;
+
+	switch (rec)
+	{
+		case TNC_IMV_ACTION_RECOMMENDATION_ALLOW:
+			DBG1(DBG_TNC, "TNC recommendation is allow");
+			group = "allow";
+			break;
+		case TNC_IMV_ACTION_RECOMMENDATION_ISOLATE:
+			DBG1(DBG_TNC, "TNC recommendation is isolate");
+			group = "isolate";
+			break;
+		case TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS:
+		case TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION:
+		default:
+			DBG1(DBG_TNC, "TNC recommendation is none");
+			return FALSE;
+	}
+	ike_sa = charon->bus->get_sa(charon->bus);
+	if (ike_sa)
+	{
+		auth = ike_sa->get_auth_cfg(ike_sa, FALSE);
+		id = identification_create_from_string(group);
+		auth->add(auth, AUTH_RULE_GROUP, id);
+		DBG1(DBG_TNC, "TNC added group membership '%s'", group);
+	}
+	return TRUE;
+}
+
+
+METHOD(imv_manager_t, notify_connection_change, void,
+	private_tnc_imv_manager_t *this, TNC_ConnectionID id,
+									 TNC_ConnectionState state)
+{
+	enumerator_t *enumerator;
+	imv_t *imv;
+
+	enumerator = this->imvs->create_enumerator(this->imvs);
+	while (enumerator->enumerate(enumerator, &imv))
+	{
+		if (imv->notify_connection_change)
+		{
+			imv->notify_connection_change(imv->get_id(imv), id, state);
+		}
+	}
+	enumerator->destroy(enumerator);
+}
+
+METHOD(imv_manager_t, set_message_types, TNC_Result,
+	private_tnc_imv_manager_t *this, TNC_IMVID id,
+									 TNC_MessageTypeList supported_types,
+									 TNC_UInt32 type_count)
+{
+	enumerator_t *enumerator;
+	imv_t *imv;
+	TNC_Result result = TNC_RESULT_FATAL;
+
+	enumerator = this->imvs->create_enumerator(this->imvs);
+	while (enumerator->enumerate(enumerator, &imv))
+	{
+		if (id == imv->get_id(imv))
+		{
+			imv->set_message_types(imv, supported_types, type_count);
+			result = TNC_RESULT_SUCCESS;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return result;
+}
+
+METHOD(imv_manager_t, solicit_recommendation, void,
+	private_tnc_imv_manager_t *this, TNC_ConnectionID id)
+{
+	enumerator_t *enumerator;
+	imv_t *imv;
+
+	enumerator = this->imvs->create_enumerator(this->imvs);
+	while (enumerator->enumerate(enumerator, &imv))
+	{
+		imv->solicit_recommendation(imv->get_id(imv), id);
+	}
+	enumerator->destroy(enumerator);
+}
+
+METHOD(imv_manager_t, receive_message, void,
+	private_tnc_imv_manager_t *this, TNC_ConnectionID connection_id,
+									 TNC_BufferReference message,
+									 TNC_UInt32 message_len,
+									 TNC_MessageType message_type)
+{
+	enumerator_t *enumerator;
+	imv_t *imv;
+
+	enumerator = this->imvs->create_enumerator(this->imvs);
+	while (enumerator->enumerate(enumerator, &imv))
+	{
+		if (imv->receive_message && imv->type_supported(imv, message_type))
+		{
+			imv->receive_message(imv->get_id(imv), connection_id,
+								 message, message_len, message_type);
+		}
+	}
+	enumerator->destroy(enumerator);
+}
+
+METHOD(imv_manager_t, batch_ending, void,
+	private_tnc_imv_manager_t *this, TNC_ConnectionID id)
+{
+	enumerator_t *enumerator;
+	imv_t *imv;
+
+	enumerator = this->imvs->create_enumerator(this->imvs);
+	while (enumerator->enumerate(enumerator, &imv))
+	{
+		if (imv->batch_ending)
+		{
+			imv->batch_ending(imv->get_id(imv), id);
+		}
+	}
+	enumerator->destroy(enumerator);
+}
+
+METHOD(imv_manager_t, destroy, void,
+	private_tnc_imv_manager_t *this)
+{
+	imv_t *imv;
+
+	while (this->imvs->remove_last(this->imvs, (void**)&imv) == SUCCESS)
+	{
+		if (imv->terminate &&
+			imv->terminate(imv->get_id(imv)) != TNC_RESULT_SUCCESS)
+		{
+			DBG1(DBG_TNC, "IMV \"%s\" not terminated successfully",
+						   imv->get_name(imv));
+		}
+		imv->destroy(imv);
+	}
+	this->imvs->destroy(this->imvs);
+	free(this);
+}
+
+/**
+ * Described in header.
+ */
+imv_manager_t* tnc_imv_manager_create(void)
+{
+	private_tnc_imv_manager_t *this;
+	recommendation_policy_t policy;
+
+	INIT(this,
+		.public = {
+			.add = _add,
+			.remove = _remove_, /* avoid name conflict with stdio.h */
+			.get_recommendation_policy = _get_recommendation_policy,
+			.create_recommendations = _create_recommendations,
+			.enforce_recommendation = _enforce_recommendation,
+			.notify_connection_change = _notify_connection_change,
+			.set_message_types = _set_message_types,
+			.solicit_recommendation = _solicit_recommendation,
+			.receive_message = _receive_message,
+			.batch_ending = _batch_ending,
+			.destroy = _destroy,
+		},
+		.imvs = linked_list_create(),
+		.next_imv_id = 1,
+	);
+	policy = enum_from_name(recommendation_policy_names,
+				lib->settings->get_str(lib->settings,
+					"charon.plugins.tnc-imv.recommendation_policy", "default"));
+	this->policy = (policy != -1) ? policy : RECOMMENDATION_POLICY_DEFAULT;
+	DBG1(DBG_TNC, "TNC recommendation policy is '%N'",
+				   recommendation_policy_names, this->policy);
+
+	return &this->public;
+}
diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv_manager.h b/src/libcharon/plugins/tnc_imv/tnc_imv_manager.h
new file mode 100644
index 000000000..2fe9e7ae3
--- /dev/null
+++ b/src/libcharon/plugins/tnc_imv/tnc_imv_manager.h
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ *
+ * @defgroup tnc_imv_manager tnc_imv_manager
+ * @{ @ingroup tnc_imv
+ */
+
+#ifndef TNC_IMV_MANAGER_H_
+#define TNC_IMV_MANAGER_H_
+
+#include <tnc/imv/imv_manager.h>
+
+/**
+ * Create an IMV manager instance.
+ */
+imv_manager_t *tnc_imv_manager_create();
+
+#endif /** TNC_IMV_MANAGER_H_ @}*/
diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv_plugin.c b/src/libcharon/plugins/tnc_imv/tnc_imv_plugin.c
index 5b3d3892d..f238f01ea 100644
--- a/src/libcharon/plugins/tnc_imv/tnc_imv_plugin.c
+++ b/src/libcharon/plugins/tnc_imv/tnc_imv_plugin.c
@@ -14,15 +14,137 @@
  */
 
 #include "tnc_imv_plugin.h"
+#include "tnc_imv_manager.h"
+#include "tnc_imv.h"
 
-#include <libtnctncs.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/mman.h>
+#include <unistd.h>
+#include <errno.h>
+#include <fcntl.h>
 
 #include <daemon.h>
+#include <utils/lexparser.h>
+
+/**
+ * load IMVs from a configuration file
+ */
+static bool load_imvs(char *filename)
+{
+	int fd, line_nr = 0;
+	chunk_t src, line;
+	struct stat sb;
+	void *addr;
+
+	DBG1(DBG_TNC, "loading IMVs from '%s'", filename);
+	fd = open(filename, O_RDONLY);
+	if (fd == -1)
+	{
+		DBG1(DBG_TNC, "opening configuration file '%s' failed: %s", filename,
+			 strerror(errno));
+		return FALSE;
+	}
+	if (fstat(fd, &sb) == -1)
+	{
+		DBG1(DBG_LIB, "getting file size of '%s' failed: %s", filename,
+			 strerror(errno));
+		close(fd);
+		return FALSE;
+	}
+	addr = mmap(NULL, sb.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
+	if (addr == MAP_FAILED)
+	{
+		DBG1(DBG_LIB, "mapping '%s' failed: %s", filename, strerror(errno));
+		close(fd);
+		return FALSE;
+	}
+	src = chunk_create(addr, sb.st_size);
+
+	while (fetchline(&src, &line))
+	{
+		char *name, *path;
+		chunk_t token;
+		imv_t *imv;
+
+		line_nr++;
+
+		/* skip comments or empty lines */
+		if (*line.ptr == '#' || !eat_whitespace(&line))
+		{
+			continue;
+		}
+
+		/* determine keyword */
+		if (!extract_token(&token, ' ', &line))
+		{
+			DBG1(DBG_TNC, "line %d: keyword must be followed by a space",
+						   line_nr);
+			return FALSE;
+		}
+
+		/* only interested in IMVs */
+		if (!match("IMV", &token))
+		{
+			continue;
+		}
+
+		/* advance to the IMV name and extract it */
+		if (!extract_token(&token, '"', &line) ||
+			!extract_token(&token, '"', &line))
+		{
+			DBG1(DBG_TNC, "line %d: IMV name must be set in double quotes",
+						   line_nr);
+			return FALSE;
+		}
+
+		/* copy the IMV name */
+		name = malloc(token.len + 1);
+		memcpy(name, token.ptr, token.len);
+		name[token.len] = '\0';
+
+		/* advance to the IMV path and extract it */
+		if (!eat_whitespace(&line))
+		{
+			DBG1(DBG_TNC, "line %d: IMV path is missing", line_nr);
+			free(name);
+			return FALSE;
+		}
+		if (!extract_token(&token, ' ', &line))
+		{
+			token = line;
+		}
+
+		/* copy the IMV path */
+		path = malloc(token.len + 1);
+		memcpy(path, token.ptr, token.len);
+		path[token.len] = '\0';
+
+		/* load and register IMV instance */
+		imv = tnc_imv_create(name, path);
+		if (!imv)
+		{
+			free(name);
+			free(path);
+			return FALSE;
+		}
+		if (!charon->imvs->add(charon->imvs, imv))
+		{
+			imv->destroy(imv);
+			return FALSE;
+		}
+		DBG1(DBG_TNC, "IMV %u \"%s\" loaded from '%s'", imv->get_id(imv),
+														name, path);
+	}
+	munmap(addr, sb.st_size);
+	close(fd);
+	return TRUE;
+}
 
 METHOD(plugin_t, destroy, void,
 	tnc_imv_plugin_t *this)
 {
-	libtnc_tncs_Terminate();
+	charon->imvs->destroy(charon->imvs);
 	free(this);
 }
 
@@ -42,13 +164,18 @@ plugin_t *tnc_imv_plugin_create()
 
 	tnc_config = lib->settings->get_str(lib->settings,
 					"charon.plugins.tnc-imv.tnc_config", "/etc/tnc_config");
-	if (libtnc_tncs_Initialize(tnc_config) != TNC_RESULT_SUCCESS)
+
+	/* Create IMV manager */
+	charon->imvs = tnc_imv_manager_create();
+
+	/* Load IMVs and abort if not all instances initalize successfully */
+	if (!load_imvs(tnc_config))
 	{
+		charon->imvs->destroy(charon->imvs);
+		charon->imvs = NULL;
 		free(this);
-		DBG1(DBG_TNC, "TNC IMV initialization failed");
 		return NULL;
 	}
-
 	return &this->plugin;
 }
 
diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv_recommendations.c b/src/libcharon/plugins/tnc_imv/tnc_imv_recommendations.c
new file mode 100644
index 000000000..5cc6b0ced
--- /dev/null
+++ b/src/libcharon/plugins/tnc_imv/tnc_imv_recommendations.c
@@ -0,0 +1,415 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <debug.h>
+#include <daemon.h>
+#include <tnc/tncifimv.h>
+#include <tnc/imv/imv.h>
+#include <tnc/imv/imv_recommendations.h>
+
+typedef struct private_tnc_imv_recommendations_t private_tnc_imv_recommendations_t;
+typedef struct recommendation_entry_t recommendation_entry_t;
+
+/**
+ * Recommendation entry
+ */
+struct recommendation_entry_t {
+
+	/**
+	 * IMV ID
+	 */
+	TNC_IMVID id;
+
+	/**
+	 * Received a recommendation message from this IMV?
+	 */
+	bool have_recommendation;
+
+	/**
+	 * Action Recommendation provided by IMV instance
+	 */
+	TNC_IMV_Action_Recommendation rec;
+
+	/**
+	 * Evaluation Result provided by IMV instance
+	 */
+	TNC_IMV_Evaluation_Result eval;
+
+	/**
+	 * Reason string provided by IMV instance
+	 */
+	chunk_t reason;
+
+	/**
+	 * Reason language provided by IMV instance
+	 */
+	chunk_t reason_language;
+};
+
+/**
+ * Private data of a recommendations_t object.
+ */
+struct private_tnc_imv_recommendations_t {
+
+	/**
+	 * Public members of recommendations_t.
+	 */
+	recommendations_t public;
+
+	/**
+	 * list of recommendations and evaluations provided by IMVs
+	 */
+	linked_list_t *recs;
+
+	/**
+	 * Preferred language for remediation messages
+	 */
+	chunk_t preferred_language;
+};
+
+METHOD(recommendations_t, provide_recommendation, TNC_Result,
+	private_tnc_imv_recommendations_t* this, TNC_IMVID id,
+											 TNC_IMV_Action_Recommendation rec,
+											 TNC_IMV_Evaluation_Result eval)
+{
+	enumerator_t *enumerator;
+	recommendation_entry_t *entry;
+	bool found = FALSE;
+
+	DBG2(DBG_TNC, "IMV %u provides recommendation '%N' and evaluation '%N'", id,
+		 TNC_IMV_Action_Recommendation_names, rec,
+		 TNC_IMV_Evaluation_Result_names, eval);
+
+	enumerator = this->recs->create_enumerator(this->recs);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (entry->id == id)
+		{
+			found = TRUE;
+			entry->have_recommendation = TRUE;
+			entry->rec = rec;
+			entry->eval = eval;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return found ? TNC_RESULT_SUCCESS : TNC_RESULT_FATAL;
+}
+
+METHOD(recommendations_t, have_recommendation, bool,
+	private_tnc_imv_recommendations_t *this, TNC_IMV_Action_Recommendation *rec,
+											 TNC_IMV_Evaluation_Result *eval)
+{
+	enumerator_t *enumerator;
+	recommendation_entry_t *entry;
+	recommendation_policy_t policy;
+	TNC_IMV_Action_Recommendation final_rec;
+	TNC_IMV_Evaluation_Result final_eval;
+	bool first = TRUE, incomplete = FALSE;
+
+	*rec = final_rec = TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION;
+	*eval = final_eval = TNC_IMV_EVALUATION_RESULT_DONT_KNOW;
+
+	if (this->recs->get_count(this->recs) == 0)
+	{
+		DBG1(DBG_TNC, "there are no IMVs to make a recommendation");
+		return TRUE;
+	}
+	policy = charon->imvs->get_recommendation_policy(charon->imvs);
+
+	enumerator = this->recs->create_enumerator(this->recs);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (!entry->have_recommendation)
+		{
+			incomplete = TRUE;
+			break;
+		}
+		if (first)
+		{
+			final_rec = entry->rec;
+			final_eval = entry->eval;
+			first = FALSE;
+			continue;
+		}
+		switch (policy)
+		{
+			case RECOMMENDATION_POLICY_DEFAULT:
+				switch (entry->rec)
+				{
+					case TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS:
+						final_rec = entry->rec;
+						break;
+					case TNC_IMV_ACTION_RECOMMENDATION_ISOLATE:
+						if (final_rec != TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS)
+						{
+							final_rec = entry->rec;
+						};
+						break;
+					case TNC_IMV_ACTION_RECOMMENDATION_ALLOW:
+						if (final_rec == TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION)
+						{
+							final_rec = entry->rec;
+						};
+						break;
+					case TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION:
+						break;
+				}
+				switch (entry->eval)
+				{
+					case TNC_IMV_EVALUATION_RESULT_ERROR:
+						final_eval = entry->eval;
+						break;
+					case TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MAJOR:
+						if (final_eval != TNC_IMV_EVALUATION_RESULT_ERROR)
+						{
+							final_eval = entry->eval;
+						}
+						break;
+					case TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MINOR:
+						if (final_eval != TNC_IMV_EVALUATION_RESULT_ERROR &&
+							final_eval != TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MAJOR)
+						{
+							final_eval = entry->eval;
+						}
+						break;
+					case TNC_IMV_EVALUATION_RESULT_COMPLIANT:
+						if (final_eval == TNC_IMV_EVALUATION_RESULT_DONT_KNOW)
+						{
+							final_eval = entry->eval;
+						}
+						break;
+					case TNC_IMV_EVALUATION_RESULT_DONT_KNOW:
+						break;
+				}
+				break;
+
+			case RECOMMENDATION_POLICY_ALL:
+				if (entry->rec != final_rec)
+				{
+					final_rec = TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION;
+				}
+				if (entry->eval != final_eval)
+				{
+					final_eval = TNC_IMV_EVALUATION_RESULT_DONT_KNOW;
+				}
+				break;
+
+			case RECOMMENDATION_POLICY_ANY:
+				switch (entry->rec)
+				{
+					case TNC_IMV_ACTION_RECOMMENDATION_ALLOW:
+						final_rec = entry->rec;
+						break;
+					case TNC_IMV_ACTION_RECOMMENDATION_ISOLATE:
+						if (final_rec != TNC_IMV_ACTION_RECOMMENDATION_ALLOW)
+						{
+							final_rec = entry->rec;
+						};
+						break;
+					case TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS:
+						if (final_rec == TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION)
+						{
+							final_rec = entry->rec;
+						};
+						break;
+					case TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION:
+						break;
+				}
+				switch (entry->eval)
+				{
+					case TNC_IMV_EVALUATION_RESULT_COMPLIANT:
+						final_eval = entry->eval;
+						break;
+					case TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MINOR:
+						if (final_eval != TNC_IMV_EVALUATION_RESULT_COMPLIANT)
+						{
+							final_eval = entry->eval;
+						}
+						break;
+					case TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MAJOR:
+						if (final_eval != TNC_IMV_EVALUATION_RESULT_COMPLIANT &&
+							final_eval != TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MINOR)
+						{
+							final_eval = entry->eval;
+						}
+						break;
+					case TNC_IMV_EVALUATION_RESULT_ERROR:
+						if (final_eval == TNC_IMV_EVALUATION_RESULT_DONT_KNOW)
+						{
+							final_eval = entry->eval;
+						}
+						break;
+					case TNC_IMV_EVALUATION_RESULT_DONT_KNOW:
+						break;
+				}
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	if (incomplete)
+	{
+		return FALSE;
+	}
+	*rec = final_rec;
+	*eval = final_eval;
+	return TRUE;
+}
+
+METHOD(recommendations_t, get_preferred_language, chunk_t,
+	private_tnc_imv_recommendations_t *this)
+{
+	return this->preferred_language;
+}
+
+METHOD(recommendations_t, set_preferred_language, void,
+	private_tnc_imv_recommendations_t *this, chunk_t pref_lang)
+{
+	free(this->preferred_language.ptr);
+	this->preferred_language = chunk_clone(pref_lang);
+}
+
+METHOD(recommendations_t, set_reason_string, TNC_Result,
+	private_tnc_imv_recommendations_t *this, TNC_IMVID id, chunk_t reason)
+{
+	enumerator_t *enumerator;
+	recommendation_entry_t *entry;
+	bool found = FALSE;
+
+	DBG2(DBG_TNC, "IMV %u is setting reason string to '%.*s'",
+		 id, reason.len, reason.ptr);
+
+	enumerator = this->recs->create_enumerator(this->recs);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (entry->id == id)
+		{
+			found = TRUE;
+			free(entry->reason.ptr);
+			entry->reason = chunk_clone(reason);
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return found ? TNC_RESULT_SUCCESS : TNC_RESULT_INVALID_PARAMETER;
+}
+
+METHOD(recommendations_t, set_reason_language, TNC_Result,
+	private_tnc_imv_recommendations_t *this, TNC_IMVID id, chunk_t reason_lang)
+{
+	enumerator_t *enumerator;
+	recommendation_entry_t *entry;
+	bool found = FALSE;
+
+	DBG2(DBG_TNC, "IMV %u is setting reason language to '%.*s'",
+		 id, reason_lang.len, reason_lang.ptr);
+
+	enumerator = this->recs->create_enumerator(this->recs);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (entry->id == id)
+		{
+			found = TRUE;
+			free(entry->reason_language.ptr);
+			entry->reason_language = chunk_clone(reason_lang);
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return found ? TNC_RESULT_SUCCESS : TNC_RESULT_INVALID_PARAMETER;
+}
+
+/**
+ * Enumerate reason and reason_language, not recommendation entries
+ */
+static bool reason_filter(void *null, recommendation_entry_t **entry,
+						 TNC_IMVID *id, void *i2, chunk_t *reason, void *i3,
+						 chunk_t *reason_language)
+{
+	if ((*entry)->reason.len)
+	{
+		*id = (*entry)->id;
+		*reason = (*entry)->reason;
+		*reason_language = (*entry)->reason_language;
+		return TRUE;
+	}
+	else
+	{
+		return FALSE;
+	}
+}
+
+METHOD(recommendations_t, create_reason_enumerator, enumerator_t*,
+	private_tnc_imv_recommendations_t *this)
+{
+	return enumerator_create_filter(this->recs->create_enumerator(this->recs),
+					(void*)reason_filter, NULL, NULL);
+}
+
+METHOD(recommendations_t, destroy, void,
+	private_tnc_imv_recommendations_t *this)
+{
+	recommendation_entry_t *entry;
+
+	while (this->recs->remove_last(this->recs, (void**)&entry) == SUCCESS)
+	{
+		free(entry->reason.ptr);
+		free(entry->reason_language.ptr);
+		free(entry);
+	}
+	this->recs->destroy(this->recs);
+	free(this->preferred_language.ptr);
+	free(this);
+}
+
+/**
+ * Described in header.
+ */
+recommendations_t* tnc_imv_recommendations_create(linked_list_t *imv_list)
+{
+	private_tnc_imv_recommendations_t *this;
+	recommendation_entry_t *entry;
+	enumerator_t *enumerator;
+	imv_t *imv;
+
+	INIT(this,
+		.public = {
+			.provide_recommendation = _provide_recommendation,
+			.have_recommendation = _have_recommendation,
+			.get_preferred_language = _get_preferred_language,
+			.set_preferred_language = _set_preferred_language,
+			.set_reason_string = _set_reason_string,
+			.set_reason_language = _set_reason_language,
+			.create_reason_enumerator = _create_reason_enumerator,
+			.destroy = _destroy,
+		},
+		.recs = linked_list_create(),
+	);
+
+	enumerator = imv_list->create_enumerator(imv_list);
+	while (enumerator->enumerate(enumerator, &imv))
+	{
+		entry = malloc_thing(recommendation_entry_t);
+		entry->id = imv->get_id(imv);
+		entry->have_recommendation = FALSE;
+		entry->rec = TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION;
+		entry->eval = TNC_IMV_EVALUATION_RESULT_DONT_KNOW;
+		entry->reason = chunk_empty;
+		entry->reason_language = chunk_empty;
+		this->recs->insert_last(this->recs, entry);
+	}
+	enumerator->destroy(enumerator);
+
+	return &this->public;
+}
diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv_recommendations.h b/src/libcharon/plugins/tnc_imv/tnc_imv_recommendations.h
new file mode 100644
index 000000000..6d65a2521
--- /dev/null
+++ b/src/libcharon/plugins/tnc_imv/tnc_imv_recommendations.h
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ *
+ * @defgroup tnc_imv_manager tnc_imv_manager
+ * @{ @ingroup tnc_imv
+ */
+
+#ifndef TNC_IMV_RECOMMENDATIONS_H_
+#define TNC_IMV_RECOMMENDATIONS_H_
+
+#include <tnc/imv/imv_recommendations.h>
+#include <utils/linked_list.h>
+
+/**
+ * Create an IMV empty recommendations instance
+ */
+recommendations_t *tnc_imv_recommendations_create();
+
+#endif /** TNC_IMV_RECOMMENDATIONS_H_ @}*/
diff --git a/src/libcharon/plugins/tnccs_11/Makefile.am b/src/libcharon/plugins/tnccs_11/Makefile.am
index 7ccd0dfee..1042c3514 100644
--- a/src/libcharon/plugins/tnccs_11/Makefile.am
+++ b/src/libcharon/plugins/tnccs_11/Makefile.am
@@ -1,21 +1,27 @@
 
 INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libtls \
-	`xml2-config --cflags`
+	-I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libtls ${xml_CFLAGS}
 
 AM_CFLAGS = -rdynamic
 
-libstrongswan_tnccs_11_la_LIBADD = -ltnc
+libstrongswan_tnccs_11_la_LIBADD = ${xml_LIBS}
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-tnccs-11.la
 else
 plugin_LTLIBRARIES = libstrongswan-tnccs-11.la
-libstrongswan_tnccs_11_la_LIBADD += $(top_builddir)/src/libtls/libtls.la
 endif
 
 libstrongswan_tnccs_11_la_SOURCES = \
-	tnccs_11_plugin.h tnccs_11_plugin.c tnccs_11.h tnccs_11.c
+	tnccs_11_plugin.h tnccs_11_plugin.c tnccs_11.h tnccs_11.c \
+	batch/tnccs_batch.h batch/tnccs_batch.c \
+	messages/tnccs_msg.h messages/tnccs_msg.c \
+	messages/imc_imv_msg.h messages/imc_imv_msg.c \
+	messages/tnccs_error_msg.h messages/tnccs_error_msg.c \
+	messages/tnccs_preferred_language_msg.h messages/tnccs_preferred_language_msg.c \
+	messages/tnccs_reason_strings_msg.h messages/tnccs_reason_strings_msg.c \
+	messages/tnccs_recommendation_msg.h messages/tnccs_recommendation_msg.c \
+	messages/tnccs_tncs_contact_info_msg.h messages/tnccs_tncs_contact_info_msg.c
 
 libstrongswan_tnccs_11_la_LDFLAGS = -module -avoid-version
 
diff --git a/src/libcharon/plugins/tnccs_11/Makefile.in b/src/libcharon/plugins/tnccs_11/Makefile.in
index 200ff7a0a..5ab7ccbca 100644
--- a/src/libcharon/plugins/tnccs_11/Makefile.in
+++ b/src/libcharon/plugins/tnccs_11/Makefile.in
@@ -34,7 +34,6 @@ PRE_UNINSTALL = :
 POST_UNINSTALL = :
 build_triplet = @build@
 host_triplet = @host@
-@MONOLITHIC_FALSE@am__append_1 = $(top_builddir)/src/libtls/libtls.la
 subdir = src/libcharon/plugins/tnccs_11
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
@@ -75,8 +74,12 @@ am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
-libstrongswan_tnccs_11_la_DEPENDENCIES = $(am__append_1)
-am_libstrongswan_tnccs_11_la_OBJECTS = tnccs_11_plugin.lo tnccs_11.lo
+am__DEPENDENCIES_1 =
+libstrongswan_tnccs_11_la_DEPENDENCIES = $(am__DEPENDENCIES_1)
+am_libstrongswan_tnccs_11_la_OBJECTS = tnccs_11_plugin.lo tnccs_11.lo \
+	tnccs_batch.lo tnccs_msg.lo imc_imv_msg.lo tnccs_error_msg.lo \
+	tnccs_preferred_language_msg.lo tnccs_reason_strings_msg.lo \
+	tnccs_recommendation_msg.lo tnccs_tncs_contact_info_msg.lo
 libstrongswan_tnccs_11_la_OBJECTS =  \
 	$(am_libstrongswan_tnccs_11_la_OBJECTS)
 libstrongswan_tnccs_11_la_LINK = $(LIBTOOL) --tag=CC \
@@ -223,9 +226,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -264,6 +265,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
@@ -275,15 +278,22 @@ urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libtls \
-	`xml2-config --cflags`
+	-I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libtls ${xml_CFLAGS}
 
 AM_CFLAGS = -rdynamic
-libstrongswan_tnccs_11_la_LIBADD = -ltnc $(am__append_1)
+libstrongswan_tnccs_11_la_LIBADD = ${xml_LIBS}
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-tnccs-11.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-tnccs-11.la
 libstrongswan_tnccs_11_la_SOURCES = \
-	tnccs_11_plugin.h tnccs_11_plugin.c tnccs_11.h tnccs_11.c
+	tnccs_11_plugin.h tnccs_11_plugin.c tnccs_11.h tnccs_11.c \
+	batch/tnccs_batch.h batch/tnccs_batch.c \
+	messages/tnccs_msg.h messages/tnccs_msg.c \
+	messages/imc_imv_msg.h messages/imc_imv_msg.c \
+	messages/tnccs_error_msg.h messages/tnccs_error_msg.c \
+	messages/tnccs_preferred_language_msg.h messages/tnccs_preferred_language_msg.c \
+	messages/tnccs_reason_strings_msg.h messages/tnccs_reason_strings_msg.c \
+	messages/tnccs_recommendation_msg.h messages/tnccs_recommendation_msg.c \
+	messages/tnccs_tncs_contact_info_msg.h messages/tnccs_tncs_contact_info_msg.c
 
 libstrongswan_tnccs_11_la_LDFLAGS = -module -avoid-version
 all: all-am
@@ -369,8 +379,16 @@ mostlyclean-compile:
 distclean-compile:
 	-rm -f *.tab.c
 
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imc_imv_msg.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs_11.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs_11_plugin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs_batch.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs_error_msg.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs_msg.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs_preferred_language_msg.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs_reason_strings_msg.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs_recommendation_msg.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs_tncs_contact_info_msg.Plo@am__quote@
 
 .c.o:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
@@ -393,6 +411,62 @@ distclean-compile:
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
 
+tnccs_batch.lo: batch/tnccs_batch.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tnccs_batch.lo -MD -MP -MF $(DEPDIR)/tnccs_batch.Tpo -c -o tnccs_batch.lo `test -f 'batch/tnccs_batch.c' || echo '$(srcdir)/'`batch/tnccs_batch.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/tnccs_batch.Tpo $(DEPDIR)/tnccs_batch.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='batch/tnccs_batch.c' object='tnccs_batch.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tnccs_batch.lo `test -f 'batch/tnccs_batch.c' || echo '$(srcdir)/'`batch/tnccs_batch.c
+
+tnccs_msg.lo: messages/tnccs_msg.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tnccs_msg.lo -MD -MP -MF $(DEPDIR)/tnccs_msg.Tpo -c -o tnccs_msg.lo `test -f 'messages/tnccs_msg.c' || echo '$(srcdir)/'`messages/tnccs_msg.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/tnccs_msg.Tpo $(DEPDIR)/tnccs_msg.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='messages/tnccs_msg.c' object='tnccs_msg.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tnccs_msg.lo `test -f 'messages/tnccs_msg.c' || echo '$(srcdir)/'`messages/tnccs_msg.c
+
+imc_imv_msg.lo: messages/imc_imv_msg.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT imc_imv_msg.lo -MD -MP -MF $(DEPDIR)/imc_imv_msg.Tpo -c -o imc_imv_msg.lo `test -f 'messages/imc_imv_msg.c' || echo '$(srcdir)/'`messages/imc_imv_msg.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/imc_imv_msg.Tpo $(DEPDIR)/imc_imv_msg.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='messages/imc_imv_msg.c' object='imc_imv_msg.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o imc_imv_msg.lo `test -f 'messages/imc_imv_msg.c' || echo '$(srcdir)/'`messages/imc_imv_msg.c
+
+tnccs_error_msg.lo: messages/tnccs_error_msg.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tnccs_error_msg.lo -MD -MP -MF $(DEPDIR)/tnccs_error_msg.Tpo -c -o tnccs_error_msg.lo `test -f 'messages/tnccs_error_msg.c' || echo '$(srcdir)/'`messages/tnccs_error_msg.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/tnccs_error_msg.Tpo $(DEPDIR)/tnccs_error_msg.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='messages/tnccs_error_msg.c' object='tnccs_error_msg.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tnccs_error_msg.lo `test -f 'messages/tnccs_error_msg.c' || echo '$(srcdir)/'`messages/tnccs_error_msg.c
+
+tnccs_preferred_language_msg.lo: messages/tnccs_preferred_language_msg.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tnccs_preferred_language_msg.lo -MD -MP -MF $(DEPDIR)/tnccs_preferred_language_msg.Tpo -c -o tnccs_preferred_language_msg.lo `test -f 'messages/tnccs_preferred_language_msg.c' || echo '$(srcdir)/'`messages/tnccs_preferred_language_msg.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/tnccs_preferred_language_msg.Tpo $(DEPDIR)/tnccs_preferred_language_msg.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='messages/tnccs_preferred_language_msg.c' object='tnccs_preferred_language_msg.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tnccs_preferred_language_msg.lo `test -f 'messages/tnccs_preferred_language_msg.c' || echo '$(srcdir)/'`messages/tnccs_preferred_language_msg.c
+
+tnccs_reason_strings_msg.lo: messages/tnccs_reason_strings_msg.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tnccs_reason_strings_msg.lo -MD -MP -MF $(DEPDIR)/tnccs_reason_strings_msg.Tpo -c -o tnccs_reason_strings_msg.lo `test -f 'messages/tnccs_reason_strings_msg.c' || echo '$(srcdir)/'`messages/tnccs_reason_strings_msg.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/tnccs_reason_strings_msg.Tpo $(DEPDIR)/tnccs_reason_strings_msg.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='messages/tnccs_reason_strings_msg.c' object='tnccs_reason_strings_msg.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tnccs_reason_strings_msg.lo `test -f 'messages/tnccs_reason_strings_msg.c' || echo '$(srcdir)/'`messages/tnccs_reason_strings_msg.c
+
+tnccs_recommendation_msg.lo: messages/tnccs_recommendation_msg.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tnccs_recommendation_msg.lo -MD -MP -MF $(DEPDIR)/tnccs_recommendation_msg.Tpo -c -o tnccs_recommendation_msg.lo `test -f 'messages/tnccs_recommendation_msg.c' || echo '$(srcdir)/'`messages/tnccs_recommendation_msg.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/tnccs_recommendation_msg.Tpo $(DEPDIR)/tnccs_recommendation_msg.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='messages/tnccs_recommendation_msg.c' object='tnccs_recommendation_msg.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tnccs_recommendation_msg.lo `test -f 'messages/tnccs_recommendation_msg.c' || echo '$(srcdir)/'`messages/tnccs_recommendation_msg.c
+
+tnccs_tncs_contact_info_msg.lo: messages/tnccs_tncs_contact_info_msg.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tnccs_tncs_contact_info_msg.lo -MD -MP -MF $(DEPDIR)/tnccs_tncs_contact_info_msg.Tpo -c -o tnccs_tncs_contact_info_msg.lo `test -f 'messages/tnccs_tncs_contact_info_msg.c' || echo '$(srcdir)/'`messages/tnccs_tncs_contact_info_msg.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/tnccs_tncs_contact_info_msg.Tpo $(DEPDIR)/tnccs_tncs_contact_info_msg.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='messages/tnccs_tncs_contact_info_msg.c' object='tnccs_tncs_contact_info_msg.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tnccs_tncs_contact_info_msg.lo `test -f 'messages/tnccs_tncs_contact_info_msg.c' || echo '$(srcdir)/'`messages/tnccs_tncs_contact_info_msg.c
+
 mostlyclean-libtool:
 	-rm -f *.lo
 
diff --git a/src/libcharon/plugins/tnccs_11/batch/tnccs_batch.c b/src/libcharon/plugins/tnccs_11/batch/tnccs_batch.c
new file mode 100644
index 000000000..0f6f3a675
--- /dev/null
+++ b/src/libcharon/plugins/tnccs_11/batch/tnccs_batch.c
@@ -0,0 +1,323 @@
+/*
+ * Copyright (C) 2006 Mike McCauley (mikem@open.com.au)
+ * Copyright (C) 2010 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "tnccs_batch.h"
+#include "messages/tnccs_error_msg.h"
+
+#include <debug.h>
+#include <utils/linked_list.h>
+#include <tnc/tnccs/tnccs.h>
+
+#include <libxml/parser.h>
+
+typedef struct private_tnccs_batch_t private_tnccs_batch_t;
+
+/**
+ * Private data of a tnccs_batch_t object.
+ *
+ */
+struct private_tnccs_batch_t {
+	/**
+	 * Public tnccs_batch_t interface.
+	 */
+	tnccs_batch_t public;
+
+	/**
+	 * Batch ID
+	 */
+	int batch_id;
+
+	/**
+	 * TNCC if TRUE, TNCS if FALSE
+	 */
+	bool is_server;
+
+	/**
+	 * linked list of TNCCS messages
+	 */
+	linked_list_t *messages;
+
+	/**
+	 * linked list of TNCCS error messages
+	 */
+	linked_list_t *errors;
+
+	/**
+	 * XML document
+	 */
+	xmlDocPtr doc;
+
+	/**
+	 * Encoded message
+	 */
+	chunk_t encoding;
+};
+
+METHOD(tnccs_batch_t, get_encoding, chunk_t,
+	private_tnccs_batch_t *this)
+{
+	return this->encoding;
+}
+
+METHOD(tnccs_batch_t, add_msg, void,
+	private_tnccs_batch_t *this, tnccs_msg_t* msg)
+{
+	xmlNodePtr root;
+
+	DBG2(DBG_TNC, "adding %N message", tnccs_msg_type_names,
+									   msg->get_type(msg));
+	this->messages->insert_last(this->messages, msg);
+	root = xmlDocGetRootElement(this->doc);
+	xmlAddChild(root, msg->get_node(msg));
+}
+
+METHOD(tnccs_batch_t, build, void,
+	private_tnccs_batch_t *this)
+{
+	xmlChar *xmlbuf;
+	int buf_size;
+
+	xmlDocDumpFormatMemory(this->doc, &xmlbuf, &buf_size, 1);
+	this->encoding = chunk_create((u_char*)xmlbuf, buf_size);
+	this->encoding = chunk_clone(this->encoding);
+	xmlFree(xmlbuf);
+}
+
+METHOD(tnccs_batch_t, process, status_t,
+	private_tnccs_batch_t *this)
+{
+	tnccs_msg_t *tnccs_msg, *msg;
+	tnccs_error_type_t error_type = TNCCS_ERROR_OTHER;
+	char *error_msg, buf[BUF_LEN];
+	xmlNodePtr cur;
+	xmlNsPtr ns;
+	xmlChar *batchid, *recipient;
+	int batch_id;
+
+	this->doc = xmlParseMemory(this->encoding.ptr, this->encoding.len);
+	if (!this->doc)
+	{
+		error_type = TNCCS_ERROR_MALFORMED_BATCH;
+		error_msg = "failed to parse XML message";
+		goto fatal;
+	}
+
+	/* check out the XML document */
+	cur = xmlDocGetRootElement(this->doc);
+	if (!cur)
+	{
+		error_type = TNCCS_ERROR_MALFORMED_BATCH;
+		error_msg = "empty XML document";
+		goto fatal;
+	}
+
+	/* check TNCCS namespace */
+	ns = xmlSearchNsByHref(this->doc, cur, (const xmlChar*)
+				"http://www.trustedcomputinggroup.org/IWG/TNC/1_0/IF_TNCCS#");
+	if (!ns)
+	{
+		error_type = TNCCS_ERROR_MALFORMED_BATCH;
+		error_msg = "TNCCS namespace not found";
+		goto fatal;
+	}
+
+	/* check XML document type */
+	if (xmlStrcmp(cur->name, (const xmlChar*)"TNCCS-Batch"))
+	{
+		error_type = TNCCS_ERROR_MALFORMED_BATCH;
+		error_msg = buf;
+		snprintf(buf, BUF_LEN, "wrong XML document type '%s', expected TNCCS-Batch",
+								cur->name);
+		goto fatal;
+	}
+
+	/* check presence of BatchID property */
+	batchid = xmlGetProp(cur, (const xmlChar*)"BatchId");
+	if (!batchid)
+	{
+		error_type = TNCCS_ERROR_INVALID_BATCH_ID;
+		error_msg = "BatchId is missing";
+		goto fatal;
+	}
+
+	/* check BatchID */
+	batch_id = atoi((char*)batchid);
+	xmlFree(batchid);
+	if (batch_id != this->batch_id)
+	{
+		error_type = TNCCS_ERROR_INVALID_BATCH_ID;
+		error_msg = buf;
+		snprintf(buf, BUF_LEN, "BatchId %d expected, got %d", this->batch_id,
+															  batch_id);
+		goto fatal;
+	}
+
+	/* check presence of Recipient property */
+	recipient = xmlGetProp(cur, (const xmlChar*)"Recipient");
+	if (!recipient)
+	{
+		error_type = TNCCS_ERROR_INVALID_RECIPIENT_TYPE;
+		error_msg = "Recipient is missing";
+		goto fatal;
+	}
+
+	/* check recipient */
+	if (!streq((char*)recipient, this->is_server ? "TNCS" : "TNCC"))
+	{
+		error_type = TNCCS_ERROR_INVALID_RECIPIENT_TYPE;
+		error_msg =	buf;
+		snprintf(buf, BUF_LEN, "message recipient expected '%s', got '%s'",
+				 this->is_server ? "TNCS" : "TNCC", (char*)recipient);
+		xmlFree(recipient);
+		goto fatal;
+	}
+	xmlFree(recipient);
+
+	DBG2(DBG_TNC, "processing TNCCS Batch #%d", batch_id);
+
+	/* Now walk the tree, handling message nodes as we go */
+	for (cur = cur->xmlChildrenNode; cur != NULL; cur = cur->next)
+	{
+		/* ignore empty or blank nodes */
+		if (xmlIsBlankNode(cur))
+		{
+			continue;
+		}
+
+		/* ignore nodes with wrong namespace */
+		if (cur->ns != ns)
+		{
+			DBG1(DBG_TNC, "ignoring message node '%s' having wrong namespace",
+						  (char*)cur->name);
+			continue;
+		}
+
+		tnccs_msg = tnccs_msg_create_from_node(cur, this->errors);
+
+		/* exit if a message parsing error occurred */
+		if (this->errors->get_count(this->errors) > 0)
+		{
+			return FAILED;
+		}
+
+		/* ignore unrecognized messages */
+		if (!tnccs_msg)
+		{
+			continue;
+		}
+
+		this->messages->insert_last(this->messages, tnccs_msg);
+	}
+	return SUCCESS;
+
+fatal:
+	msg = tnccs_error_msg_create(error_type, error_msg);
+	this->errors->insert_last(this->errors, msg);
+	return FAILED;
+}
+
+METHOD(tnccs_batch_t, create_msg_enumerator, enumerator_t*,
+	private_tnccs_batch_t *this)
+{
+	return this->messages->create_enumerator(this->messages);
+}
+
+METHOD(tnccs_batch_t, create_error_enumerator, enumerator_t*,
+	private_tnccs_batch_t *this)
+{
+	return this->errors->create_enumerator(this->errors);
+}
+
+METHOD(tnccs_batch_t, destroy, void,
+	private_tnccs_batch_t *this)
+{
+	this->messages->destroy_offset(this->messages,
+								   offsetof(tnccs_msg_t, destroy));
+	this->errors->destroy_offset(this->errors,
+								   offsetof(tnccs_msg_t, destroy));
+	xmlFreeDoc(this->doc);
+	free(this->encoding.ptr);
+	free(this);
+}
+
+/**
+ * See header
+ */
+tnccs_batch_t* tnccs_batch_create(bool is_server, int batch_id)
+{
+	private_tnccs_batch_t *this;
+	xmlNodePtr n;
+	char buf[12];
+	const char *recipient;
+
+	INIT(this,
+		.public = {
+			.get_encoding = _get_encoding,
+			.add_msg = _add_msg,
+			.build = _build,
+			.process = _process,
+			.create_msg_enumerator = _create_msg_enumerator,
+			.create_error_enumerator = _create_error_enumerator,
+			.destroy = _destroy,
+		},
+		.is_server = is_server,
+		.messages = linked_list_create(),
+		.errors = linked_list_create(),
+		.batch_id = batch_id,
+		.doc = xmlNewDoc(BAD_CAST "1.0"),
+	);
+
+	DBG2(DBG_TNC, "creating TNCCS Batch #%d", this->batch_id);
+	n = xmlNewNode(NULL, BAD_CAST "TNCCS-Batch");
+	snprintf(buf, sizeof(buf), "%d", batch_id);
+	recipient = this->is_server ? "TNCC" : "TNCS";
+	xmlNewProp(n, BAD_CAST "BatchId", BAD_CAST buf);
+	xmlNewProp(n, BAD_CAST "Recipient", BAD_CAST recipient);
+	xmlNewProp(n, BAD_CAST "xmlns", BAD_CAST "http://www.trustedcomputinggroup.org/IWG/TNC/1_0/IF_TNCCS#");
+	xmlNewProp(n, BAD_CAST "xmlns:xsi", BAD_CAST "http://www.w3.org/2001/XMLSchema-instance");
+	xmlNewProp(n, BAD_CAST "xsi:schemaLocation", BAD_CAST "http://www.trustedcomputinggroup.org/IWG/TNC/1_0/IF_TNCCS# "
+														  "https://www.trustedcomputinggroup.org/XML/SCHEMA/TNCCS_1.0.xsd");
+	xmlDocSetRootElement(this->doc, n);
+
+	return &this->public;
+}
+
+/**
+ * See header
+ */
+tnccs_batch_t* tnccs_batch_create_from_data(bool is_server, int batch_id, chunk_t data)
+{
+	private_tnccs_batch_t *this;
+
+	INIT(this,
+		.public = {
+			.get_encoding = _get_encoding,
+			.add_msg = _add_msg,
+			.build = _build,
+			.process = _process,
+			.create_msg_enumerator = _create_msg_enumerator,
+			.create_error_enumerator = _create_error_enumerator,
+			.destroy = _destroy,
+		},
+		.is_server = is_server,
+		.batch_id = batch_id,
+		.messages = linked_list_create(),
+		.errors = linked_list_create(),
+		.encoding = chunk_clone(data),
+	);
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/plugins/tnccs_11/batch/tnccs_batch.h b/src/libcharon/plugins/tnccs_11/batch/tnccs_batch.h
new file mode 100644
index 000000000..25301f763
--- /dev/null
+++ b/src/libcharon/plugins/tnccs_11/batch/tnccs_batch.h
@@ -0,0 +1,100 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tnccs_batch tnccs_batch
+ * @{ @ingroup tnccs_11
+ */
+
+#ifndef TNCCS_BATCH_H_
+#define TNCCS_BATCH_H_
+
+typedef enum tnccs_batch_type_t tnccs_batch_type_t;
+typedef struct tnccs_batch_t tnccs_batch_t;
+
+#include "messages/tnccs_msg.h"
+
+#include <library.h>
+
+/**
+ * Interface for a TNCCS 1.x Batch.
+ */
+struct tnccs_batch_t {
+
+	/**
+	 * Get the encoding of the TNCCS 1.x Batch
+	 *
+	 * @return				encoded TNCCS 1.x batch
+	 */
+	chunk_t (*get_encoding)(tnccs_batch_t *this);
+
+	/**
+	 * Add TNCCS message
+	 *
+	 * @param msg			TNCCS message to be addedd
+	 */
+	void (*add_msg)(tnccs_batch_t *this, tnccs_msg_t* msg);
+
+	/**
+	 * Build the TNCCS 1.x Batch
+	 */
+	void (*build)(tnccs_batch_t *this);
+
+	/**
+	 * Process the TNCCS 1.x Batch
+	 *
+	 * @return				return processing status
+	 */
+	status_t (*process)(tnccs_batch_t *this);
+
+	/**
+	 * Enumerates over all TNCCS Messages
+	 *
+	 * @return				return message enumerator
+	 */
+	enumerator_t* (*create_msg_enumerator)(tnccs_batch_t *this);
+
+	/**
+	 * Enumerates over all parsing errors
+	 *
+	 * @return				return error enumerator
+	 */
+	enumerator_t* (*create_error_enumerator)(tnccs_batch_t *this);
+
+	/**
+	 * Destroys a tnccs_batch_t object.
+	 */
+	void (*destroy)(tnccs_batch_t *this);
+};
+
+/**
+ * Create an empty TNCCS 1.x Batch
+ *
+ * @param is_server			TRUE if server, FALSE if client
+ * @param batch_id			number of the batch to be sent
+ */
+tnccs_batch_t* tnccs_batch_create(bool is_server, int batch_id);
+
+/**
+ * Create an unprocessed TNCCS 1.x Batch from data
+ *
+ * @param  is_server		TRUE if server, FALSE if client
+ * @param batch_id			current Batch ID
+ * @param  data				encoded PB-TNC batch
+ */
+tnccs_batch_t* tnccs_batch_create_from_data(bool is_server, int batch_id,
+											chunk_t data);
+
+#endif /** TNCCS_BATCH_H_ @}*/
diff --git a/src/libcharon/plugins/tnccs_11/messages/imc_imv_msg.c b/src/libcharon/plugins/tnccs_11/messages/imc_imv_msg.c
new file mode 100644
index 000000000..f24c0dac9
--- /dev/null
+++ b/src/libcharon/plugins/tnccs_11/messages/imc_imv_msg.c
@@ -0,0 +1,242 @@
+/*
+ * Copyright (C) 2006 Mike McCauley (mikem@open.com.au)
+ * Copyright (C) 2010 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "imc_imv_msg.h"
+
+#include <tnc/tnccs/tnccs.h>
+#include <debug.h>
+#include <utils/lexparser.h>
+
+typedef struct private_imc_imv_msg_t private_imc_imv_msg_t;
+
+#define BYTES_PER_LINE	57
+
+/**
+ * Private data of a imc_imv_msg_t object.
+ *
+ */
+struct private_imc_imv_msg_t {
+	/**
+	 * Public imc_imv_msg_t interface.
+	 */
+	imc_imv_msg_t public;
+
+	/**
+	 * TNCCS message type
+	 */
+	tnccs_msg_type_t type;
+
+	/**
+	 * XML-encoded message node
+	 */
+	xmlNodePtr node;
+
+	/**
+	 * IMC-IMV message type
+	 */
+	TNC_MessageType msg_type;
+
+	/**
+	 * IMC-IMV message body
+	 */
+	chunk_t msg_body;
+
+};
+
+/**
+ * Encodes message data into multiple base64-encoded lines
+ */
+static chunk_t encode_base64(chunk_t data)
+{
+	chunk_t encoding;
+	u_char *pos;
+	size_t b64_chars, b64_lines;
+
+	/* handle empty message data object */
+	if (data.len == 0)
+	{
+		encoding = chunk_alloc(1);
+		*encoding.ptr = '\0';
+		return encoding;
+	}
+
+	/* compute and allocate maximum size of base64 object */
+	b64_chars = 4 * ((data.len + 2) / 3);
+	b64_lines = (data.len + BYTES_PER_LINE - 1) / BYTES_PER_LINE;
+	encoding = chunk_alloc(b64_chars + b64_lines);
+	pos = encoding.ptr;
+
+	/* encode lines */
+	while (b64_lines--)
+	{
+		chunk_t data_line, b64_line;
+
+		data_line = chunk_create(data.ptr, min(data.len, BYTES_PER_LINE));
+		data.ptr += data_line.len;
+		data.len -= data_line.len;
+		b64_line = chunk_to_base64(data_line, pos);
+		pos += b64_line.len;
+		*pos = '\n';
+		pos++;
+	}
+	/* terminate last line with NULL character instead of newline */
+	*(pos-1) = '\0';
+
+	return encoding;
+}
+
+/**
+ * Decodes message data from multiple base64-encoded lines
+ */
+static chunk_t decode_base64(chunk_t data)
+{
+	chunk_t decoding, data_line, b64_line;
+	u_char *pos;
+
+	/* compute and allocate maximum size of decoded message data */
+	decoding = chunk_alloc(3 * ((data.len + 3) / 4));
+	pos = decoding.ptr;
+	decoding.len = 0;
+
+	while (fetchline(&data, &b64_line))
+	{
+		data_line = chunk_from_base64(b64_line, pos);
+		pos += data_line.len;
+		decoding.len += data_line.len;
+	}
+
+	return decoding;
+}
+
+METHOD(tnccs_msg_t, get_type, tnccs_msg_type_t,
+	private_imc_imv_msg_t *this)
+{
+	return this->type;
+}
+
+METHOD(tnccs_msg_t, get_node, xmlNodePtr,
+	private_imc_imv_msg_t *this)
+{
+	return this->node;
+}
+
+METHOD(tnccs_msg_t, destroy, void,
+	private_imc_imv_msg_t *this)
+{
+	free(this->msg_body.ptr);
+	free(this);
+}
+
+METHOD(imc_imv_msg_t, get_msg_type, TNC_MessageType,
+	private_imc_imv_msg_t *this)
+{
+	return this->msg_type;
+}
+
+METHOD(imc_imv_msg_t, get_msg_body, chunk_t,
+	private_imc_imv_msg_t *this)
+{
+	return this->msg_body;
+}
+
+/**
+ * See header
+ */
+tnccs_msg_t *imc_imv_msg_create_from_node(xmlNodePtr node, linked_list_t *errors)
+{
+	private_imc_imv_msg_t *this;
+	xmlNsPtr ns;
+	xmlNodePtr cur;
+	xmlChar *content;
+	chunk_t b64_body;
+
+	INIT(this,
+		.public = {
+			.tnccs_msg_interface = {
+				.get_type = _get_type,
+				.get_node = _get_node,
+				.destroy = _destroy,
+			},
+			.get_msg_type = _get_msg_type,
+			.get_msg_body = _get_msg_body,
+		},
+		.type = IMC_IMV_MSG,
+		.node = node,
+	);
+
+	ns =  node->ns;
+	cur = node->xmlChildrenNode;
+	while (cur)
+	{
+		if (streq((char*)cur->name, "Type") && cur->ns == ns)
+		{
+			content = xmlNodeGetContent(cur);
+			this->msg_type = strtoul((char*)content, NULL, 16);
+			xmlFree(content);
+		}
+		else if (streq((char*)cur->name, "Base64") && cur->ns == ns)
+		{
+			content = xmlNodeGetContent(cur);
+			b64_body = chunk_create((char*)content, strlen((char*)content));
+			this->msg_body = decode_base64(b64_body);
+			xmlFree(content);
+		}
+		cur = cur->next;
+	}
+
+	return &this->public.tnccs_msg_interface;
+}
+
+/**
+ * See header
+ */
+tnccs_msg_t *imc_imv_msg_create(TNC_MessageType msg_type, chunk_t msg_body)
+{
+	private_imc_imv_msg_t *this;
+	chunk_t b64_body;
+	char buf[10];		/* big enough for hex-encoded message type */
+	xmlNodePtr n;
+
+	INIT(this,
+		.public = {
+			.tnccs_msg_interface = {
+				.get_type = _get_type,
+				.get_node = _get_node,
+				.destroy = _destroy,
+			},
+			.get_msg_type = _get_msg_type,
+			.get_msg_body = _get_msg_body,
+		},
+		.type = IMC_IMV_MSG,
+		.node = xmlNewNode(NULL, BAD_CAST "IMC-IMV-Message"),
+		.msg_type = msg_type,
+		.msg_body = chunk_clone(msg_body),
+	);
+
+	/* add the message type number in hex */
+	n = xmlNewNode(NULL, BAD_CAST "Type");
+	snprintf(buf, 10, "%08x", this->msg_type);
+	xmlNodeSetContent(n, BAD_CAST buf);
+	xmlAddChild(this->node, n);
+
+	/* encode the message as a Base64 node */
+	n = xmlNewNode(NULL, BAD_CAST "Base64");
+	b64_body = encode_base64(this->msg_body);
+	xmlNodeSetContent(n, BAD_CAST b64_body.ptr);
+	xmlAddChild(this->node, n);
+	free(b64_body.ptr);
+
+	return &this->public.tnccs_msg_interface;
+}
diff --git a/src/libcharon/plugins/tnccs_11/messages/imc_imv_msg.h b/src/libcharon/plugins/tnccs_11/messages/imc_imv_msg.h
new file mode 100644
index 000000000..02f07199f
--- /dev/null
+++ b/src/libcharon/plugins/tnccs_11/messages/imc_imv_msg.h
@@ -0,0 +1,71 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup imc_imv_msg imc_imv_msg
+ * @{ @ingroup tnccs_11
+ */
+
+#ifndef IMC_IMV_MSG_H_
+#define IMC_IMV_MSG_H_
+
+typedef struct imc_imv_msg_t imc_imv_msg_t;
+
+#include "tnccs_msg.h"
+
+#include <tnc/tncif.h>
+
+/**
+ * Classs representing the PB-PA message type.
+ */
+struct imc_imv_msg_t {
+
+	/**
+	 * TNCCS Message interface
+	 */
+	tnccs_msg_t tnccs_msg_interface;
+
+	/**
+	 * Get IMC-IMV message type
+	 *
+	 * @return				IMC-IMV message type
+	 */
+	TNC_MessageType (*get_msg_type)(imc_imv_msg_t *this);
+
+	/**
+	 * Get IMC-IMV message body
+	 *
+	 * @return				IMC-IMV message body
+	 */
+	chunk_t (*get_msg_body)(imc_imv_msg_t *this);
+};
+
+/**
+ * Create an IMC-IMV message from XML-encoded message node
+ *
+ * @param node				XML-encoded message node
+ * @param errors			linked list of TNCCS error messages
+*/
+tnccs_msg_t *imc_imv_msg_create_from_node(xmlNodePtr node, linked_list_t *errors);
+
+/**
+ * Create an IMC-IMV message from parameters
+ *
+ * @param msg_type			IMC-IMV message type
+ * @param msg_body			IMC-IMV message body
+ */
+tnccs_msg_t *imc_imv_msg_create(TNC_MessageType msg_type, chunk_t msg_body);
+
+#endif /** IMC_IMV_MSG_H_ @}*/
diff --git a/src/libcharon/plugins/tnccs_11/messages/tnccs_error_msg.c b/src/libcharon/plugins/tnccs_11/messages/tnccs_error_msg.c
new file mode 100644
index 000000000..d0df4e7ca
--- /dev/null
+++ b/src/libcharon/plugins/tnccs_11/messages/tnccs_error_msg.c
@@ -0,0 +1,191 @@
+/*
+ * Copyright (C) 2006 Mike McCauley (mikem@open.com.au)
+ * Copyright (C) 2010 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "tnccs_error_msg.h"
+
+#include <debug.h>
+
+ENUM(tnccs_error_type_names, TNCCS_ERROR_BATCH_TOO_LONG, TNCCS_ERROR_OTHER,
+	"batch-too-long",
+	"malformed-batch",
+	"invalid-batch-id",
+	"invalid-recipient-type",
+	"internal-error",
+	"other"
+);
+
+typedef struct private_tnccs_error_msg_t private_tnccs_error_msg_t;
+
+/**
+ * Private data of a tnccs_error_msg_t object.
+ *
+ */
+struct private_tnccs_error_msg_t {
+	/**
+	 * Public tnccs_error_msg_t interface.
+	 */
+	tnccs_error_msg_t public;
+
+	/**
+	 * TNCCS message type
+	 */
+	tnccs_msg_type_t type;
+
+	/**
+	 * XML-encoded message node
+	 */
+	xmlNodePtr node;
+
+	/**
+	 * Error type
+	 */
+	tnccs_error_type_t error_type;
+
+	/**
+	 * Error message
+	 */
+	char *error_msg;
+
+	/**
+	 * reference count
+	 */
+	refcount_t ref;
+};
+
+METHOD(tnccs_msg_t, get_type, tnccs_msg_type_t,
+	private_tnccs_error_msg_t *this)
+{
+	return this->type;
+}
+
+METHOD(tnccs_msg_t, get_node, xmlNodePtr,
+	private_tnccs_error_msg_t *this)
+{
+	return this->node;
+}
+
+METHOD(tnccs_msg_t, get_ref, tnccs_msg_t*,
+	private_tnccs_error_msg_t *this)
+{
+	ref_get(&this->ref);
+	return &this->public.tnccs_msg_interface;
+}
+
+METHOD(tnccs_msg_t, destroy, void,
+	private_tnccs_error_msg_t *this)
+{
+	if (ref_put(&this->ref))
+	{
+		free(this->error_msg);
+		free(this);
+	}
+}
+
+METHOD(tnccs_error_msg_t, get_message, char*,
+	private_tnccs_error_msg_t *this, tnccs_error_type_t *type)
+{
+	*type = this->error_type;
+
+	return this->error_msg;
+}
+
+/**
+ * See header
+ */
+tnccs_msg_t *tnccs_error_msg_create_from_node(xmlNodePtr node)
+{
+	private_tnccs_error_msg_t *this;
+	xmlChar *error_type_name, *error_msg;
+	
+	INIT(this,
+		.public = {
+			.tnccs_msg_interface = {
+				.get_type = _get_type,
+				.get_node = _get_node,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+			.get_message = _get_message,
+		},
+		.type = TNCCS_MSG_ERROR,
+		.ref = 1,
+		.node = node,
+		.error_type = TNCCS_ERROR_OTHER,
+	);
+
+	error_type_name = xmlGetProp(node, (const xmlChar*)"type");
+	if (error_type_name)
+	{
+		this->error_type = enum_from_name(tnccs_error_type_names,
+										  (char*)error_type_name);
+		if (this->error_type == -1)
+		{
+			this->error_type = TNCCS_ERROR_OTHER;
+		}
+		xmlFree(error_type_name);
+	}
+
+	error_msg = xmlNodeGetContent(node);
+	if (error_msg)
+	{
+		this->error_msg = strdup((char*)error_msg);
+		xmlFree(error_msg);
+	}
+
+	return &this->public.tnccs_msg_interface;
+}
+
+/**
+ * See header
+ */
+tnccs_msg_t *tnccs_error_msg_create(tnccs_error_type_t type, char *msg)
+{
+	private_tnccs_error_msg_t *this;
+	xmlNodePtr n, n2;
+
+	INIT(this,
+		.public = {
+			.tnccs_msg_interface = {
+				.get_type = _get_type,
+				.get_node = _get_node,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+			.get_message = _get_message,
+		},
+		.type = TNCCS_MSG_ERROR,
+		.ref = 1,
+		.node =  xmlNewNode(NULL, BAD_CAST "TNCC-TNCS-Message"),
+		.error_type = type,
+		.error_msg  = strdup(msg),
+	);
+
+	DBG1(DBG_TNC, "%s", msg);
+
+	n = xmlNewNode(NULL, BAD_CAST "Type");
+	xmlNodeSetContent(n, BAD_CAST "00000002");
+	xmlAddChild(this->node, n);
+
+	n = xmlNewNode(NULL, BAD_CAST "XML");
+	xmlAddChild(this->node, n);
+
+	n2 = xmlNewNode(NULL, BAD_CAST enum_to_name(tnccs_msg_type_names, this->type));
+	xmlNewProp(n2, BAD_CAST "type",
+				   BAD_CAST enum_to_name(tnccs_error_type_names, type));
+	xmlNodeSetContent(n2, BAD_CAST msg);
+	xmlAddChild(n, n2);
+
+	return &this->public.tnccs_msg_interface;
+}
diff --git a/src/libcharon/plugins/tnccs_11/messages/tnccs_error_msg.h b/src/libcharon/plugins/tnccs_11/messages/tnccs_error_msg.h
new file mode 100644
index 000000000..ce2ce9755
--- /dev/null
+++ b/src/libcharon/plugins/tnccs_11/messages/tnccs_error_msg.h
@@ -0,0 +1,80 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tnccs_error_msg tnccs_error_msg
+ * @{ @ingroup tnccs_11
+ */
+
+#ifndef TNCCS_ERROR_MSG_H_
+#define TNCCS_ERROR_MSG_H_
+
+typedef enum tnccs_error_type_t tnccs_error_type_t;
+typedef struct tnccs_error_msg_t tnccs_error_msg_t;
+
+#include "tnccs_msg.h"
+
+/**
+ * TNCCS error types as defined in section 8.1.4 of TCG TNC IF-TNCCS v1.2
+ */
+enum tnccs_error_type_t {
+	TNCCS_ERROR_BATCH_TOO_LONG,
+	TNCCS_ERROR_MALFORMED_BATCH,
+	TNCCS_ERROR_INVALID_BATCH_ID,
+	TNCCS_ERROR_INVALID_RECIPIENT_TYPE,
+	TNCCS_ERROR_INTERNAL_ERROR,
+	TNCCS_ERROR_OTHER
+};
+
+/**
+ * enum name for tnccs_error_type_t.
+ */
+extern enum_name_t *tnccs_error_type_names;
+
+/**
+ * Class representing the TNCCS-Error message type
+ */
+struct tnccs_error_msg_t {
+
+	/**
+	 * TNCCS Message interface
+	 */
+	tnccs_msg_t tnccs_msg_interface;
+
+	/**
+	 * Get error message and type
+	 *
+	 * @param type		TNCCS error type
+	 * @return			arbitrary error message
+	 */
+	char* (*get_message)(tnccs_error_msg_t *this, tnccs_error_type_t *type);
+};
+
+/**
+ * Create a TNCCS-Error message from XML-encoded message node
+ *
+ * @param node			XML-encoded message node
+ */
+tnccs_msg_t *tnccs_error_msg_create_from_node(xmlNodePtr node);
+
+/**
+ * Create a TNCCS-Error message from parameters
+ *
+ * @param type			TNCCS error type
+ * @param msg			arbitrary error message
+ */
+tnccs_msg_t *tnccs_error_msg_create(tnccs_error_type_t type, char *msg);
+
+#endif /** TNCCS_ERROR_MSG_H_ @}*/
diff --git a/src/libcharon/plugins/tnccs_11/messages/tnccs_msg.c b/src/libcharon/plugins/tnccs_11/messages/tnccs_msg.c
new file mode 100644
index 000000000..5a050393a
--- /dev/null
+++ b/src/libcharon/plugins/tnccs_11/messages/tnccs_msg.c
@@ -0,0 +1,140 @@
+/*
+ * Copyright (C) 2006 Mike McCauley (mikem@open.com.au)
+ * Copyright (C) 2010 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "tnccs_msg.h"
+#include "imc_imv_msg.h"
+#include "tnccs_error_msg.h"
+#include "tnccs_preferred_language_msg.h"
+#include "tnccs_reason_strings_msg.h"
+#include "tnccs_recommendation_msg.h"
+#include "tnccs_tncs_contact_info_msg.h"
+
+#include <library.h>
+#include <debug.h>
+
+ENUM(tnccs_msg_type_names, IMC_IMV_MSG, TNCCS_MSG_ROOF,
+	"IMC-IMV",
+	"TNCCS-Recommendation",
+	"TNCCS-Error",
+	"TNCCS-PreferredLanguage",
+	"TNCCS-ReasonStrings",
+	"TNCCS-TNCSContactInfo"
+);
+
+/**
+ * See header
+ */
+tnccs_msg_t* tnccs_msg_create_from_node(xmlNodePtr node, linked_list_t *errors)
+{
+	char *error_msg, buf[BUF_LEN];
+	tnccs_error_type_t error_type = TNCCS_ERROR_MALFORMED_BATCH;
+	tnccs_msg_t *msg;
+	tnccs_msg_type_t type = IMC_IMV_MSG;
+
+	if (streq((char*)node->name, "IMC-IMV-Message"))
+	{
+		DBG2(DBG_TNC, "processing %N message", tnccs_msg_type_names, type);
+		return imc_imv_msg_create_from_node(node, errors);
+	}
+	else if (streq((char*)node->name, "TNCC-TNCS-Message"))
+	{
+		bool found = FALSE;
+		xmlNsPtr ns = node->ns;
+		xmlNodePtr cur = node->xmlChildrenNode;
+		xmlNodePtr xml_msg_node = NULL;
+
+		while (cur)
+		{
+			if (streq((char*)cur->name, "Type") && cur->ns == ns)
+			{
+				xmlChar *content = xmlNodeGetContent(cur);
+
+				type = strtol((char*)content, NULL, 16);
+				xmlFree(content);
+				found = TRUE;
+			}
+			else if (streq((char*)cur->name, "XML") && cur->ns == ns)
+			{
+				xml_msg_node = cur->xmlChildrenNode;
+			}
+			cur = cur->next;
+		}
+		if (!found)
+		{
+			error_msg = "Type is missing in TNCC-TNCS-Message";
+			goto fatal;
+		}
+		if (!xml_msg_node)
+		{
+			error_msg = "XML node is missing in TNCC-TNCS-Message";
+			goto fatal;
+		}
+		cur = xml_msg_node;
+
+		/* skip empty and blank nodes */
+		while (cur && xmlIsBlankNode(cur))
+		{
+			cur = cur->next;
+		}
+		if (!cur)
+		{
+			error_msg = "XML node is empty";
+			goto fatal;
+		}
+
+		/* check if TNCCS message type and node name agree */
+		if (type >= TNCCS_MSG_RECOMMENDATION && type <= TNCCS_MSG_ROOF)
+		{
+			DBG2(DBG_TNC, "processing %N message", tnccs_msg_type_names, type);
+			if (cur->ns != ns)
+			{
+				error_msg = "node is not in the TNCCS message namespace";
+				goto fatal;
+			}
+			if (type != enum_from_name(tnccs_msg_type_names, (char*)cur->name))
+			{
+				error_msg = buf;
+				snprintf(buf, BUF_LEN, "expected '%N' node but was '%s'",
+						 tnccs_msg_type_names, type, (char*)cur->name);
+				goto fatal;
+			}
+		}
+
+		switch (type)
+		{
+			case TNCCS_MSG_RECOMMENDATION:
+				return tnccs_recommendation_msg_create_from_node(cur, errors);
+			case TNCCS_MSG_ERROR:
+				return tnccs_error_msg_create_from_node(cur);
+			case TNCCS_MSG_PREFERRED_LANGUAGE:
+				return tnccs_preferred_language_msg_create_from_node(cur, errors);
+			case TNCCS_MSG_REASON_STRINGS:
+				return tnccs_reason_strings_msg_create_from_node(cur, errors);
+			case TNCCS_MSG_TNCS_CONTACT_INFO:
+				return tnccs_tncs_contact_info_msg_create_from_node(cur, errors);
+			default:
+				DBG1(DBG_TNC, "ignoring TNCC-TNCS-Message with type %d", type);
+				return NULL;
+		}
+	}
+	DBG1(DBG_TNC, "ignoring unknown message node '%s'", (char*)node->name);
+	return NULL;
+
+fatal:
+	msg = tnccs_error_msg_create(error_type, error_msg);
+	errors->insert_last(errors, msg);
+	return NULL;
+}
+
diff --git a/src/libcharon/plugins/tnccs_11/messages/tnccs_msg.h b/src/libcharon/plugins/tnccs_11/messages/tnccs_msg.h
new file mode 100644
index 000000000..e0b54449a
--- /dev/null
+++ b/src/libcharon/plugins/tnccs_11/messages/tnccs_msg.h
@@ -0,0 +1,102 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tnccs_msg tnccs_msg
+ * @{ @ingroup tnccs_11
+ */
+
+#ifndef TNCCS_MSG_H_
+#define TNCCS_MSG_H_
+
+typedef enum tnccs_msg_type_t tnccs_msg_type_t;
+typedef struct tnccs_msg_t tnccs_msg_t;
+
+#include <library.h>
+#include <utils/linked_list.h>
+#include <libxml/parser.h>
+
+/**
+ * TNCC-TNCS messages as defined in section 2.8.5 of TCG TNC IF-TNCCS v1.2
+ */
+enum tnccs_msg_type_t {
+	IMC_IMV_MSG =						0,
+	TNCCS_MSG_RECOMMENDATION =			1,
+	TNCCS_MSG_ERROR =					2,
+	TNCCS_MSG_PREFERRED_LANGUAGE =		3,
+	TNCCS_MSG_REASON_STRINGS =			4,
+	TNCCS_MSG_TNCS_CONTACT_INFO =		5,
+	TNCCS_MSG_ROOF =					5
+};
+
+/**
+ * enum name for tnccs_msg_type_t.
+ */
+extern enum_name_t *tnccs_msg_type_names;
+
+/**
+ * Generic interface for all TNCCS message types.
+ *
+ * To handle all messages in a generic way, this interface
+ * must be implemented by each message type.
+ */
+struct tnccs_msg_t {
+
+	/**
+	 * Get the TNCCS Message Type
+	 *
+	 * @return				TNCCS Message Type
+	 */
+	tnccs_msg_type_t (*get_type)(tnccs_msg_t *this);
+
+	/**
+	 * Get the XML-encoded Message Node
+	 *
+	 * @return				Message Node
+	 */
+	xmlNodePtr (*get_node)(tnccs_msg_t *this);
+
+	/**
+	 * Process the TNCCS Message
+	 *
+	 * @return				return processing status
+	 */
+	status_t (*process)(tnccs_msg_t *this);
+
+	/**
+	 * Get a new reference to the message.
+	 *
+	 * @return			this, with an increased refcount
+	 */
+	tnccs_msg_t* (*get_ref)(tnccs_msg_t *this);
+
+	/**
+	 * Destroys a tnccs_msg_t object.
+	 */
+	void (*destroy)(tnccs_msg_t *this);
+};
+
+/**
+ * Create a pre-processed TNCCS message
+ *
+ * Useful for the parser which wants a generic constructor for all
+ * tnccs_msg_t types.
+ *
+ * @param node		TNCCS message node
+ * @param errors	linked list of TNCCS error messages
+ */
+tnccs_msg_t* tnccs_msg_create_from_node(xmlNodePtr node, linked_list_t *errors);
+
+#endif /** TNCCS_MSG_H_ @}*/
diff --git a/src/libcharon/plugins/tnccs_11/messages/tnccs_preferred_language_msg.c b/src/libcharon/plugins/tnccs_11/messages/tnccs_preferred_language_msg.c
new file mode 100644
index 000000000..fd85350b5
--- /dev/null
+++ b/src/libcharon/plugins/tnccs_11/messages/tnccs_preferred_language_msg.c
@@ -0,0 +1,137 @@
+/*
+ * Copyright (C) 2006 Mike McCauley (mikem@open.com.au)
+ * Copyright (C) 2010 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "tnccs_preferred_language_msg.h"
+
+#include <debug.h>
+
+typedef struct private_tnccs_preferred_language_msg_t private_tnccs_preferred_language_msg_t;
+
+/**
+ * Private data of a tnccs_preferred_language_msg_t object.
+ *
+ */
+struct private_tnccs_preferred_language_msg_t {
+	/**
+	 * Public tnccs_preferred_language_msg_t interface.
+	 */
+	tnccs_preferred_language_msg_t public;
+
+	/**
+	 * TNCCS message type
+	 */
+	tnccs_msg_type_t type;
+
+	/**
+	 * XML-encoded message node
+	 */
+	xmlNodePtr node;
+
+	/**
+	 * Preferred language
+	 */
+	char *preferred_language;
+};
+
+METHOD(tnccs_msg_t, get_type, tnccs_msg_type_t,
+	private_tnccs_preferred_language_msg_t *this)
+{
+	return this->type;
+}
+
+METHOD(tnccs_msg_t, get_node, xmlNodePtr,
+	private_tnccs_preferred_language_msg_t *this)
+{
+	return this->node;
+}
+
+METHOD(tnccs_msg_t, destroy, void,
+	private_tnccs_preferred_language_msg_t *this)
+{
+	free(this->preferred_language);
+	free(this);
+}
+
+METHOD(tnccs_preferred_language_msg_t, get_preferred_language, char*,
+	private_tnccs_preferred_language_msg_t *this)
+{
+	return this->preferred_language;
+}
+
+/**
+ * See header
+ */
+tnccs_msg_t *tnccs_preferred_language_msg_create_from_node(xmlNodePtr node,
+													linked_list_t *errors)
+{
+	private_tnccs_preferred_language_msg_t *this;
+	xmlChar *language;
+
+	INIT(this,
+		.public = {
+			.tnccs_msg_interface = {
+				.get_type = _get_type,
+				.get_node = _get_node,
+				.destroy = _destroy,
+			},
+			.get_preferred_language = _get_preferred_language,
+		},
+		.type = TNCCS_MSG_PREFERRED_LANGUAGE,
+		.node = node,
+	);
+
+	language = xmlNodeGetContent(node);
+	this->preferred_language = strdup((char*)language);
+	xmlFree(language);
+
+	return &this->public.tnccs_msg_interface;
+}
+
+/**
+ * See header
+ */
+tnccs_msg_t *tnccs_preferred_language_msg_create(char *language)
+{
+	private_tnccs_preferred_language_msg_t *this;
+	xmlNodePtr n, n2;
+
+	INIT(this,
+		.public = {
+			.tnccs_msg_interface = {
+				.get_type = _get_type,
+				.get_node = _get_node,
+				.destroy = _destroy,
+			},
+			.get_preferred_language = _get_preferred_language,
+		},
+		.type = TNCCS_MSG_PREFERRED_LANGUAGE,
+		.node =  xmlNewNode(NULL, BAD_CAST "TNCC-TNCS-Message"),
+		.preferred_language = strdup(language),
+	);
+
+	/* add the message type number in hex */
+	n = xmlNewNode(NULL, BAD_CAST "Type");
+	xmlNodeSetContent(n, BAD_CAST "00000003");
+	xmlAddChild(this->node, n);
+
+	n = xmlNewNode(NULL, BAD_CAST "XML");
+	xmlAddChild(this->node, n);
+
+	n2 = xmlNewNode(NULL, BAD_CAST enum_to_name(tnccs_msg_type_names, this->type));
+	xmlNodeSetContent(n2, BAD_CAST language);
+	xmlAddChild(n, n2);
+
+	return &this->public.tnccs_msg_interface;
+}
diff --git a/src/libcharon/plugins/tnccs_11/messages/tnccs_preferred_language_msg.h b/src/libcharon/plugins/tnccs_11/messages/tnccs_preferred_language_msg.h
new file mode 100644
index 000000000..d301ab2bb
--- /dev/null
+++ b/src/libcharon/plugins/tnccs_11/messages/tnccs_preferred_language_msg.h
@@ -0,0 +1,64 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tnccs_preferred_language_msg tnccs_preferred_language_msg
+ * @{ @ingroup tnccs_11
+ */
+
+#ifndef TNCCS_PREFERRED_LANGUAGE_MSG_H_
+#define TNCCS_PREFERRED_LANGUAGE_MSG_H_
+
+typedef struct tnccs_preferred_language_msg_t tnccs_preferred_language_msg_t;
+
+#include "tnccs_msg.h"
+
+#include <tnc/tncif.h>
+
+/**
+ * Class representing the TNCCS-PreferredLanguage message type
+ */
+struct tnccs_preferred_language_msg_t {
+
+	/**
+	 * TNCCS Message interface
+	 */
+	tnccs_msg_t tnccs_msg_interface;
+
+	/**
+	 * Get preferred language string
+	 *
+	 * @return				preferred language string
+	 */
+	char* (*get_preferred_language)(tnccs_preferred_language_msg_t *this);
+};
+
+/**
+ * Create a TNCCS-PreferredLanguage message from XML-encoded message node
+ *
+ * @param node				XML-encoded message node
+ * @param errors			linked list of TNCCS error messages
+ */
+tnccs_msg_t *tnccs_preferred_language_msg_create_from_node(xmlNodePtr node,
+													linked_list_t *errors);
+
+/**
+ * Create a TNCCS-PreferredLanguage message from parameters
+ *
+ * @param language			preferred language string
+ */
+tnccs_msg_t *tnccs_preferred_language_msg_create(char *language);
+
+#endif /** TNCCS_PREFERRED_LANGUAGE_MSG_H_ @}*/
diff --git a/src/libcharon/plugins/tnccs_11/messages/tnccs_reason_strings_msg.c b/src/libcharon/plugins/tnccs_11/messages/tnccs_reason_strings_msg.c
new file mode 100644
index 000000000..d4b5d9bf9
--- /dev/null
+++ b/src/libcharon/plugins/tnccs_11/messages/tnccs_reason_strings_msg.c
@@ -0,0 +1,149 @@
+/*
+ * Copyright (C) 2006 Mike McCauley (mikem@open.com.au)
+ * Copyright (C) 2010 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "tnccs_reason_strings_msg.h"
+
+#include <debug.h>
+
+typedef struct private_tnccs_reason_strings_msg_t private_tnccs_reason_strings_msg_t;
+
+/**
+ * Private data of a tnccs_reason_strings_msg_t object.
+ *
+ */
+struct private_tnccs_reason_strings_msg_t {
+	/**
+	 * Public tnccs_reason_strings_msg_t interface.
+	 */
+	tnccs_reason_strings_msg_t public;
+
+	/**
+	 * TNCCS message type
+	 */
+	tnccs_msg_type_t type;
+
+	/**
+	 * XML-encoded message node
+	 */
+	xmlNodePtr node;
+
+	/**
+	 * Reason String
+	 */
+	chunk_t reason;
+
+	/**
+	 * Reason Language
+	 */
+	chunk_t language;
+};
+
+METHOD(tnccs_msg_t, get_type, tnccs_msg_type_t,
+	private_tnccs_reason_strings_msg_t *this)
+{
+	return this->type;
+}
+
+METHOD(tnccs_msg_t, get_node, xmlNodePtr,
+	private_tnccs_reason_strings_msg_t *this)
+{
+	return this->node;
+}
+
+METHOD(tnccs_msg_t, destroy, void,
+	private_tnccs_reason_strings_msg_t *this)
+{
+	free(this->reason.ptr);
+	free(this->language.ptr);
+	free(this);
+}
+
+METHOD(tnccs_reason_strings_msg_t, get_reason, chunk_t,
+	private_tnccs_reason_strings_msg_t *this, chunk_t *language)
+{
+	*language = this->language;
+
+	return this->reason;
+}
+
+/**
+ * See header
+ */
+tnccs_msg_t *tnccs_reason_strings_msg_create_from_node(xmlNodePtr node,
+													   linked_list_t *errors)
+{
+	private_tnccs_reason_strings_msg_t *this;
+
+	INIT(this,
+		.public = {
+			.tnccs_msg_interface = {
+				.get_type = _get_type,
+				.get_node = _get_node,
+				.destroy = _destroy,
+			},
+			.get_reason = _get_reason,
+		},
+		.type = TNCCS_MSG_REASON_STRINGS,
+		.node = node,
+	);
+
+	return &this->public.tnccs_msg_interface;
+}
+
+/**
+ * See header
+ */
+tnccs_msg_t *tnccs_reason_strings_msg_create(chunk_t reason, chunk_t language)
+{
+	private_tnccs_reason_strings_msg_t *this;
+	xmlNodePtr n, n2, n3;
+
+	INIT(this,
+		.public = {
+			.tnccs_msg_interface = {
+				.get_type = _get_type,
+				.get_node = _get_node,
+				.destroy = _destroy,
+			},
+			.get_reason = _get_reason,
+		},
+		.type = TNCCS_MSG_REASON_STRINGS,
+		.node =  xmlNewNode(NULL, BAD_CAST "TNCC-TNCS-Message"),
+		.reason = chunk_create_clone(malloc(reason.len + 1), reason),
+		.language = chunk_create_clone(malloc(language.len + 1), language),
+	);
+
+	/* add NULL termination for XML string representation */
+	this->reason.ptr[this->reason.len] = '\0';
+	this->language.ptr[this->language.len] = '\0';
+
+	/* add the message type number in hex */
+	n = xmlNewNode(NULL, BAD_CAST "Type");
+	xmlNodeSetContent(n, BAD_CAST "00000004");
+	xmlAddChild(this->node, n);
+
+	n = xmlNewNode(NULL, BAD_CAST "XML");
+	xmlAddChild(this->node, n);
+
+	n2 = xmlNewNode(NULL, BAD_CAST enum_to_name(tnccs_msg_type_names, this->type));
+
+	/* could add multiple reasons here, if we had them */
+	n3 = xmlNewNode(NULL, BAD_CAST "ReasonString");
+	xmlNewProp(n3, BAD_CAST "xml:lang", BAD_CAST this->language.ptr);
+	xmlNodeSetContent(n3, BAD_CAST this->reason.ptr);
+	xmlAddChild(n2, n3);
+
+	return &this->public.tnccs_msg_interface;
+}
diff --git a/src/libcharon/plugins/tnccs_11/messages/tnccs_reason_strings_msg.h b/src/libcharon/plugins/tnccs_11/messages/tnccs_reason_strings_msg.h
new file mode 100644
index 000000000..0046a5789
--- /dev/null
+++ b/src/libcharon/plugins/tnccs_11/messages/tnccs_reason_strings_msg.h
@@ -0,0 +1,64 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tnccs_reason_strings_msg tnccs_reason_strings_msg
+ * @{ @ingroup tnccs_11
+ */
+
+#ifndef TNCCS_REASON_STRINGS_MSG_H_
+#define TNCCS_REASON_STRINGS_MSG_H_
+
+typedef struct tnccs_reason_strings_msg_t tnccs_reason_strings_msg_t;
+
+#include "tnccs_msg.h"
+
+/**
+ * Class representing the TNCCS-ReasonStrings message type
+ */
+struct tnccs_reason_strings_msg_t {
+
+	/**
+	 * TNCCS Message interface
+	 */
+	tnccs_msg_t tnccs_msg_interface;
+
+	/**
+	 * Get reason string and language
+	 *
+	 * @param language		reason language
+	 * @return				reason string
+	 */
+	chunk_t (*get_reason)(tnccs_reason_strings_msg_t *this, chunk_t *language);
+};
+
+/**
+ * Create a TNCCS-ReasonStrings message from XML-encoded message node
+ *
+ * @param node				XML-encoded message node
+ * @param errors			linked list of TNCCS error messages
+ */
+tnccs_msg_t *tnccs_reason_strings_msg_create_from_node(xmlNodePtr node,
+													   linked_list_t *errors);
+
+/**
+ * Create a TNCCS-ReasonStrings message from parameters
+ *
+ * @param reason			reason string
+ * @param language			reason language
+ */
+tnccs_msg_t *tnccs_reason_strings_msg_create(chunk_t reason, chunk_t language);
+
+#endif /** TNCCS_REASON_STRINGS_MSG_H_ @}*/
diff --git a/src/libcharon/plugins/tnccs_11/messages/tnccs_recommendation_msg.c b/src/libcharon/plugins/tnccs_11/messages/tnccs_recommendation_msg.c
new file mode 100644
index 000000000..adc7b54b9
--- /dev/null
+++ b/src/libcharon/plugins/tnccs_11/messages/tnccs_recommendation_msg.c
@@ -0,0 +1,186 @@
+/*
+ * Copyright (C) 2006 Mike McCauley (mikem@open.com.au)
+ * Copyright (C) 2010 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "tnccs_recommendation_msg.h"
+#include "tnccs_error_msg.h"
+
+#include <debug.h>
+
+typedef struct private_tnccs_recommendation_msg_t private_tnccs_recommendation_msg_t;
+
+/**
+ * Private data of a tnccs_recommendation_msg_t object.
+ *
+ */
+struct private_tnccs_recommendation_msg_t {
+	/**
+	 * Public tnccs_recommendation_msg_t interface.
+	 */
+	tnccs_recommendation_msg_t public;
+
+	/**
+	 * TNCCS message type
+	 */
+	tnccs_msg_type_t type;
+
+	/**
+	 * XML-encoded message node
+	 */
+	xmlNodePtr node;
+
+	/**
+	 * Action Recommendation
+	 */
+	TNC_IMV_Action_Recommendation rec;
+};
+
+METHOD(tnccs_msg_t, get_type, tnccs_msg_type_t,
+	private_tnccs_recommendation_msg_t *this)
+{
+	return this->type;
+}
+
+METHOD(tnccs_msg_t, get_node, xmlNodePtr,
+	private_tnccs_recommendation_msg_t *this)
+{
+	return this->node;
+}
+
+METHOD(tnccs_msg_t, destroy, void,
+	private_tnccs_recommendation_msg_t *this)
+{
+	free(this);
+}
+
+METHOD(tnccs_recommendation_msg_t, get_recommendation, TNC_IMV_Action_Recommendation,
+	private_tnccs_recommendation_msg_t *this)
+{
+	return this->rec;
+}
+
+/**
+ * See header
+ */
+tnccs_msg_t *tnccs_recommendation_msg_create_from_node(xmlNodePtr node,
+													   linked_list_t *errors)
+{
+	private_tnccs_recommendation_msg_t *this;
+	xmlChar *rec_string;
+	char *error_msg, buf[BUF_LEN];
+	tnccs_error_type_t error_type = TNCCS_ERROR_MALFORMED_BATCH;
+	tnccs_msg_t *msg;
+
+	INIT(this,
+		.public = {
+			.tnccs_msg_interface = {
+				.get_type = _get_type,
+				.get_node = _get_node,
+				.destroy = _destroy,
+			},
+			.get_recommendation = _get_recommendation,
+		},
+		.type = TNCCS_MSG_RECOMMENDATION,
+		.node = node,
+	);
+
+	rec_string = xmlGetProp(node, (const xmlChar*)"type");
+	if (!rec_string)
+	{
+		error_msg = "type property in TNCCS-Recommendation is missing";
+		goto fatal;
+	}
+	else if (streq((char*)rec_string, "allow"))
+	{
+		this->rec = TNC_IMV_ACTION_RECOMMENDATION_ALLOW;
+	}
+	else if (streq((char*)rec_string, "isolate"))
+	{
+		this->rec = TNC_IMV_ACTION_RECOMMENDATION_ISOLATE;
+	}
+	else if (streq((char*)rec_string, "none"))
+	{
+		this->rec = TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS;
+	}
+	else
+	{
+		error_msg = buf;
+		snprintf(buf, BUF_LEN, "unsupported type property value '%s' "
+							   "in TNCCS-Recommendation", rec_string);
+		xmlFree(rec_string);
+		goto fatal;
+	}
+	xmlFree(rec_string);
+
+	return &this->public.tnccs_msg_interface;
+
+fatal:
+	msg = tnccs_error_msg_create(error_type, error_msg);
+	errors->insert_last(errors, msg);
+	_destroy(this);
+	return NULL;
+}
+
+/**
+ * See header
+ */
+tnccs_msg_t *tnccs_recommendation_msg_create(TNC_IMV_Action_Recommendation rec)
+{
+	private_tnccs_recommendation_msg_t *this;
+	xmlNodePtr n, n2;
+	char *rec_string;
+
+	INIT(this,
+		.public = {
+			.tnccs_msg_interface = {
+				.get_type = _get_type,
+				.get_node = _get_node,
+				.destroy = _destroy,
+			},
+			.get_recommendation = _get_recommendation,
+		},
+		.type = TNCCS_MSG_RECOMMENDATION,
+		.node =  xmlNewNode(NULL, BAD_CAST "TNCC-TNCS-Message"),
+		.rec = rec,
+	);
+
+	/* add the message type number in hex */
+	n = xmlNewNode(NULL, BAD_CAST "Type");
+	xmlNodeSetContent(n, BAD_CAST "00000001");
+	xmlAddChild(this->node, n);
+
+	n = xmlNewNode(NULL, BAD_CAST "XML");
+	xmlAddChild(this->node, n);
+
+	switch (rec)
+	{
+		case TNC_IMV_ACTION_RECOMMENDATION_ALLOW:
+			rec_string = "allow";
+			break;
+		case TNC_IMV_ACTION_RECOMMENDATION_ISOLATE:
+			rec_string = "isolate";
+			break;
+		case TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS:
+		case TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION:
+		default:
+			rec_string = "none";
+	}
+
+	n2 = xmlNewNode(NULL, BAD_CAST enum_to_name(tnccs_msg_type_names, this->type));
+	xmlNewProp(n2, BAD_CAST "type", BAD_CAST rec_string);
+	xmlNodeSetContent(n2, "");
+	xmlAddChild(n, n2);
+
+	return &this->public.tnccs_msg_interface;
+}
diff --git a/src/libcharon/plugins/tnccs_11/messages/tnccs_recommendation_msg.h b/src/libcharon/plugins/tnccs_11/messages/tnccs_recommendation_msg.h
new file mode 100644
index 000000000..685049e95
--- /dev/null
+++ b/src/libcharon/plugins/tnccs_11/messages/tnccs_recommendation_msg.h
@@ -0,0 +1,64 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tnccs_recommendation_msg tnccs_recommendation_msg
+ * @{ @ingroup tnccs_11
+ */
+
+#ifndef TNCCS_RECOMMENDATION_MSG_H_
+#define TNCCS_RECOMMENDATION_MSG_H_
+
+typedef struct tnccs_recommendation_msg_t tnccs_recommendation_msg_t;
+
+#include "tnccs_msg.h"
+
+#include <tnc/tncifimv.h>
+
+/**
+ * Class representing the TNCCS-Recommendation message type
+ */
+struct tnccs_recommendation_msg_t {
+
+	/**
+	 * TNCCS Message interface
+	 */
+	tnccs_msg_t tnccs_msg_interface;
+
+	/**
+	 * Get Action Recommendation
+	 *
+	 * @return				Action Recommendation
+	 */
+	TNC_IMV_Action_Recommendation (*get_recommendation)(tnccs_recommendation_msg_t *this);
+};
+
+/**
+ * Create a TNCCS-Recommendation message from XML-encoded message node
+ *
+ * @param node				XML-encoded message node
+ * @param errors			linked list of TNCCS error messages
+ */
+tnccs_msg_t *tnccs_recommendation_msg_create_from_node(xmlNodePtr node,
+													   linked_list_t *errors);
+
+/**
+ * Create a TNCCS-Recommendation message from parameters
+ *
+ * @param rec				Action Recommendation
+ */
+tnccs_msg_t *tnccs_recommendation_msg_create(TNC_IMV_Action_Recommendation rec);
+
+#endif /** TNCCS_RECOMMENDATION_MSG_H_ @}*/
diff --git a/src/libcharon/plugins/tnccs_11/messages/tnccs_tncs_contact_info_msg.c b/src/libcharon/plugins/tnccs_11/messages/tnccs_tncs_contact_info_msg.c
new file mode 100644
index 000000000..b8aac30fa
--- /dev/null
+++ b/src/libcharon/plugins/tnccs_11/messages/tnccs_tncs_contact_info_msg.c
@@ -0,0 +1,118 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "tnccs_tncs_contact_info_msg.h"
+
+#include <debug.h>
+
+typedef struct private_tnccs_tncs_contact_info_msg_t private_tnccs_tncs_contact_info_msg_t;
+
+/**
+ * Private data of a tnccs_tncs_contact_info_msg_t object.
+ *
+ */
+struct private_tnccs_tncs_contact_info_msg_t {
+	/**
+	 * Public tnccs_tncs_contact_info_msg_t interface.
+	 */
+	tnccs_tncs_contact_info_msg_t public;
+
+	/**
+	 * TNCCS message type
+	 */
+	tnccs_msg_type_t type;
+
+	/**
+	 * XML-encoded message node
+	 */
+	xmlNodePtr node;
+};
+
+METHOD(tnccs_msg_t, get_type, tnccs_msg_type_t,
+	private_tnccs_tncs_contact_info_msg_t *this)
+{
+	return this->type;
+}
+
+METHOD(tnccs_msg_t, get_node, xmlNodePtr,
+	private_tnccs_tncs_contact_info_msg_t *this)
+{
+	return this->node;
+}
+
+METHOD(tnccs_msg_t, destroy, void,
+	private_tnccs_tncs_contact_info_msg_t *this)
+{
+	free(this);
+}
+
+/**
+ * See header
+ */
+tnccs_msg_t *tnccs_tncs_contact_info_msg_create_from_node(xmlNodePtr node,
+													linked_list_t *errors)
+{
+	private_tnccs_tncs_contact_info_msg_t *this;
+
+	INIT(this,
+		.public = {
+			.tnccs_msg_interface = {
+				.get_type = _get_type,
+				.get_node = _get_node,
+				.destroy = _destroy,
+			},
+		},
+		.type = TNCCS_MSG_TNCS_CONTACT_INFO,
+		.node = node,
+	);
+
+	return &this->public.tnccs_msg_interface;
+}
+
+/**
+ * See header
+ */
+tnccs_msg_t *tnccs_tncs_contact_info_msg_create(void)
+{
+	private_tnccs_tncs_contact_info_msg_t *this;
+	xmlNodePtr n /*, n2 */;
+
+	INIT(this,
+		.public = {
+			.tnccs_msg_interface = {
+				.get_type = _get_type,
+				.get_node = _get_node,
+				.destroy = _destroy,
+			},
+		},
+		.type = TNCCS_MSG_TNCS_CONTACT_INFO,
+		.node =  xmlNewNode(NULL, BAD_CAST "TNCC-TNCS-Message"),
+	);
+
+	/* add the message type number in hex */
+	n = xmlNewNode(NULL, BAD_CAST "Type");
+	xmlNodeSetContent(n, BAD_CAST "00000005");
+	xmlAddChild(this->node, n);
+
+	n = xmlNewNode(NULL, BAD_CAST "XML");
+	xmlAddChild(this->node, n);
+
+/* TODO
+	n2 = xmlNewNode(NULL, BAD_CAST enum_to_name(tnccs_msg_type_names, this->type));
+	xmlNodeSetContent(n2, BAD_CAST language);
+	xmlAddChild(n, n2);
+*/
+
+	return &this->public.tnccs_msg_interface;
+}
diff --git a/src/libcharon/plugins/tnccs_11/messages/tnccs_tncs_contact_info_msg.h b/src/libcharon/plugins/tnccs_11/messages/tnccs_tncs_contact_info_msg.h
new file mode 100644
index 000000000..8ed210a57
--- /dev/null
+++ b/src/libcharon/plugins/tnccs_11/messages/tnccs_tncs_contact_info_msg.h
@@ -0,0 +1,54 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tnccs_tncs_contact_info_msg tnccs_tncs_contact_info_msg
+ * @{ @ingroup tnccs_11
+ */
+
+#ifndef TNCCS_TNCS_CONTACT_INFO_MSG_H_
+#define TNCCS_TNCS_CONTACT_INFO_MSG_H_
+
+typedef struct tnccs_tncs_contact_info_msg_t tnccs_tncs_contact_info_msg_t;
+
+#include "tnccs_msg.h"
+
+/**
+ * Class representing the TNCCS-TNCSContactInfo message type
+ */
+struct tnccs_tncs_contact_info_msg_t {
+
+	/**
+	 * TNCCS Message interface
+	 */
+	tnccs_msg_t tnccs_msg_interface;
+};
+
+/**
+ * Create a TNCCS-TNCSContactInfo message from XML-encoded message node
+ *
+ * @param node				XML-encoded message node
+ * @param errors			linked list of TNCCS error messages
+ */
+tnccs_msg_t *tnccs_tncs_contact_info_msg_create_from_node(xmlNodePtr node,
+													linked_list_t *errors);
+
+/**
+ * Create a TNCCS-TNCSContactInfo message from parameters
+ *
+ */
+tnccs_msg_t *tnccs_tncs_contact_info_msg_create(void);
+
+#endif /** TNCCS_TNCS_CONTACT_INFO_MSG_H_ @}*/
diff --git a/src/libcharon/plugins/tnccs_11/tnccs_11.c b/src/libcharon/plugins/tnccs_11/tnccs_11.c
index 704bf64ed..2104bf401 100644
--- a/src/libcharon/plugins/tnccs_11/tnccs_11.c
+++ b/src/libcharon/plugins/tnccs_11/tnccs_11.c
@@ -14,81 +14,20 @@
  */
 
 #include "tnccs_11.h"
-
-#include <libtnctncc.h>
-#include <libtnctncs.h>
+#include "batch/tnccs_batch.h"
+#include "messages/tnccs_msg.h"
+#include "messages/imc_imv_msg.h"
+#include "messages/tnccs_error_msg.h"
+#include "messages/tnccs_preferred_language_msg.h"
+#include "messages/tnccs_reason_strings_msg.h"
+#include "messages/tnccs_recommendation_msg.h"
 
 #include <daemon.h>
 #include <debug.h>
-
-#define TNC_SEND_BUFFER_SIZE	32
-
-static chunk_t tnc_send_buffer[TNC_SEND_BUFFER_SIZE];
-
-/**
- * Buffers TNCCS batch to be sent (TODO make the buffer scalable)
- */
-static TNC_Result buffer_batch(u_int32_t id, const char *data, size_t len)
-{
-	if (id >= TNC_SEND_BUFFER_SIZE)
-	{
-		DBG1(DBG_TNC, "TNCCS Batch for Connection ID %u cannot be stored in "
-					  "send buffer with size %d", id, TNC_SEND_BUFFER_SIZE);
-		return TNC_RESULT_FATAL;
-	}
-	if (tnc_send_buffer[id].ptr)
-	{
-		DBG1(DBG_TNC, "send buffer slot for Connection ID %u is already "
-					  "occupied", id);
-		return TNC_RESULT_FATAL;
-	}
-	tnc_send_buffer[id] = chunk_alloc(len);
-	memcpy(tnc_send_buffer[id].ptr, data, len);
-
-	return TNC_RESULT_SUCCESS;
-}
-
-/**
- * Retrieves TNCCS batch to be sent
- */
-static bool retrieve_batch(u_int32_t id, chunk_t *batch)
-{
-	if (id >= TNC_SEND_BUFFER_SIZE)
-	{
-		DBG1(DBG_TNC, "TNCCS Batch for Connection ID %u cannot be retrieved from "
-					  "send buffer with size %d", id, TNC_SEND_BUFFER_SIZE);
-		return FALSE;
-	}
-
-	*batch = tnc_send_buffer[id];
-	return TRUE;
-}
-
-/**
- * Frees TNCCS batch that was sent
- */
-static void free_batch(u_int32_t id)
-{
-	if (id < TNC_SEND_BUFFER_SIZE)
-	{
-		chunk_free(&tnc_send_buffer[id]);
-	}
-}
-
-/**
- * Define callback functions called by the libtnc library
- */
-TNC_Result TNC_TNCC_SendBatch(libtnc_tncc_connection* conn, 
-							  const char* messageBuffer, size_t messageLength)
-{
-	return buffer_batch(conn->connectionID, messageBuffer, messageLength);
-}
-
-TNC_Result TNC_TNCS_SendBatch(libtnc_tncs_connection* conn, 
-							  const char* messageBuffer, size_t messageLength)
-{
-	return buffer_batch(conn->connectionID, messageBuffer, messageLength);
-}
+#include <threading/mutex.h>
+#include <tnc/tncif.h>
+#include <tnc/tncifimv.h>
+#include <tnc/tnccs/tnccs.h>
 
 typedef struct private_tnccs_11_t private_tnccs_11_t;
 
@@ -108,116 +47,372 @@ struct private_tnccs_11_t {
 	bool is_server;
 
 	/**
-	 * TNCC Connection to IMCs
+	 * Connection ID assigned to this TNCCS connection
+	 */
+	TNC_ConnectionID connection_id;
+
+	/**
+	 * Last TNCCS batch ID
+	 */
+	int batch_id;
+
+	/**
+	 * TNCCS batch being constructed
+	 */
+	tnccs_batch_t *batch;
+
+	/**
+	 * Mutex locking the batch in construction
 	 */
-	libtnc_tncc_connection* tncc_connection;
+	mutex_t *mutex;
 
 	/**
-	 * TNCS Connection to IMVs
+	 * Flag set while processing
 	 */
-	libtnc_tncs_connection* tncs_connection;
+	bool fatal_error;
+
+	/**
+	 * Flag set by TNCCS-Recommendation message
+	 */
+	bool delete_state;
+
+	/**
+	 * Flag set by IMC/IMV RequestHandshakeRetry() function
+	 */
+	bool request_handshake_retry;
+
+	/**
+	 * Set of IMV recommendations  (TNC Server only)
+	 */
+	recommendations_t *recs;
 };
 
-METHOD(tls_t, process, status_t,
-	private_tnccs_11_t *this, void *buf, size_t buflen)
+METHOD(tnccs_t, send_msg, void,
+	private_tnccs_11_t* this, TNC_IMCID imc_id, TNC_IMVID imv_id,
+							  TNC_BufferReference msg,
+							  TNC_UInt32 msg_len,
+							  TNC_MessageType msg_type)
 {
-	u_int32_t conn_id;
+	tnccs_msg_t *tnccs_msg;
 
-	if (this->is_server && !this->tncs_connection)
+	tnccs_msg = imc_imv_msg_create(msg_type, chunk_create(msg, msg_len));
+
+	/* adding an IMC-IMV Message to TNCCS batch */
+	this->mutex->lock(this->mutex);
+	if (!this->batch)
 	{
-		this->tncs_connection = libtnc_tncs_CreateConnection(NULL);
-		if (!this->tncs_connection)
+		this->batch = tnccs_batch_create(this->is_server, ++this->batch_id);
+	}
+	this->batch->add_msg(this->batch, tnccs_msg);
+	this->mutex->unlock(this->mutex);
+}
+
+/**
+ * Handle a single TNCCS message according to its type
+ */
+static void handle_message(private_tnccs_11_t *this, tnccs_msg_t *msg)
+{
+	switch (msg->get_type(msg))
+	{
+		case IMC_IMV_MSG:
 		{
-			DBG1(DBG_TNC, "TNCS CreateConnection failed");
-			return FAILED;
+			imc_imv_msg_t *imc_imv_msg;
+			TNC_MessageType msg_type;
+			chunk_t msg_body;
+
+			imc_imv_msg = (imc_imv_msg_t*)msg;
+			msg_type = imc_imv_msg->get_msg_type(imc_imv_msg);
+			msg_body = imc_imv_msg->get_msg_body(imc_imv_msg);
+
+			DBG2(DBG_TNC, "handling IMC_IMV message type 0x%08x", msg_type);
+
+			if (this->is_server)
+			{
+				charon->imvs->receive_message(charon->imvs,
+				this->connection_id, msg_body.ptr, msg_body.len, msg_type);
+			}
+			else
+			{
+				charon->imcs->receive_message(charon->imcs,
+				this->connection_id, msg_body.ptr, msg_body.len,msg_type);
+			}
+			break;
+		}
+		case TNCCS_MSG_RECOMMENDATION:
+		{
+			tnccs_recommendation_msg_t *rec_msg;
+			TNC_IMV_Action_Recommendation rec;
+			TNC_ConnectionState state = TNC_CONNECTION_STATE_ACCESS_NONE;
+
+			rec_msg = (tnccs_recommendation_msg_t*)msg;
+			rec = rec_msg->get_recommendation(rec_msg);
+			if (this->is_server)
+			{
+				DBG1(DBG_TNC, "ignoring NCCS-Recommendation message from "
+							  " TNC client");
+				break;
+			}
+			DBG1(DBG_TNC, "TNC recommendation is '%N'",
+				 TNC_IMV_Action_Recommendation_names, rec);
+			switch (rec)
+			{
+				case TNC_IMV_ACTION_RECOMMENDATION_ALLOW:
+					state = TNC_CONNECTION_STATE_ACCESS_ALLOWED;
+					break;
+				case TNC_IMV_ACTION_RECOMMENDATION_ISOLATE:
+					state = TNC_CONNECTION_STATE_ACCESS_ISOLATED;
+					break;
+				case TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS:
+				default:
+					state = TNC_CONNECTION_STATE_ACCESS_NONE;
+			}
+			charon->imcs->notify_connection_change(charon->imcs,
+												   this->connection_id, state);
+			this->delete_state = TRUE;
+			break;
+		}
+		case TNCCS_MSG_ERROR:
+		{
+			tnccs_error_msg_t *err_msg;
+			tnccs_error_type_t error_type;
+			char *error_msg;
+
+			err_msg = (tnccs_error_msg_t*)msg;
+			error_msg = err_msg->get_message(err_msg, &error_type);
+			DBG1(DBG_TNC, "received '%N' TNCCS-Error: %s",
+				 tnccs_error_type_names, error_type, error_msg);
+
+			/* we assume that all errors are fatal */
+			this->fatal_error = TRUE;
+			break;
 		}
-		DBG1(DBG_TNC, "assigned TNCS Connection ID %u",
-					   this->tncs_connection->connectionID);
-		if (libtnc_tncs_BeginSession(this->tncs_connection) != TNC_RESULT_SUCCESS)
+		case TNCCS_MSG_PREFERRED_LANGUAGE:
+		{
+			tnccs_preferred_language_msg_t *lang_msg;
+			char *lang;
+
+			lang_msg = (tnccs_preferred_language_msg_t*)msg;
+			lang = lang_msg->get_preferred_language(lang_msg);
+
+			DBG2(DBG_TNC, "setting preferred language to '%s'", lang);
+			this->recs->set_preferred_language(this->recs,
+									chunk_create(lang, strlen(lang)));
+			break;
+		}
+		case TNCCS_MSG_REASON_STRINGS:
+		{
+			tnccs_reason_strings_msg_t *reason_msg;
+			chunk_t reason_string, reason_lang;
+
+			reason_msg = (tnccs_reason_strings_msg_t*)msg;
+			reason_string = reason_msg->get_reason(reason_msg, &reason_lang);
+			DBG2(DBG_TNC, "reason string is '%.*s",   reason_string.len,
+													  reason_string.ptr);
+			DBG2(DBG_TNC, "reason language is '%.*s", reason_lang.len,
+													  reason_lang.ptr);
+			break;
+		}
+		default:
+			break;
+	}
+}
+
+METHOD(tls_t, process, status_t,
+	private_tnccs_11_t *this, void *buf, size_t buflen)
+{
+	chunk_t data;
+	tnccs_batch_t *batch;
+	tnccs_msg_t *msg;
+	enumerator_t *enumerator;
+	status_t status;
+
+	if (this->is_server && !this->connection_id)
+	{
+		this->connection_id = charon->tnccs->create_connection(charon->tnccs,
+								(tnccs_t*)this,	_send_msg,
+								&this->request_handshake_retry, &this->recs);
+		if (!this->connection_id)
 		{
-			DBG1(DBG_TNC, "TNCS BeginSession failed");
 			return FAILED;
 		}
+		charon->imvs->notify_connection_change(charon->imvs,
+							this->connection_id, TNC_CONNECTION_STATE_CREATE);
 	}
-	conn_id = this->is_server ? this->tncs_connection->connectionID
-							  : this->tncc_connection->connectionID;
 
+	data = chunk_create(buf, buflen);
 	DBG1(DBG_TNC, "received TNCCS Batch (%u bytes) for Connection ID %u",
-				   buflen, conn_id);
-	DBG3(DBG_TNC, "%.*s", buflen, buf);
+				   data.len, this->connection_id);
+	DBG3(DBG_TNC, "%.*s", data.len, data.ptr);
+	batch = tnccs_batch_create_from_data(this->is_server, ++this->batch_id, data);
+	status = batch->process(batch);
 
-	if (this->is_server)
+	if (status == FAILED)
 	{
-		if (libtnc_tncs_ReceiveBatch(this->tncs_connection, buf, buflen) !=
-			TNC_RESULT_SUCCESS)
+		this->fatal_error = TRUE;
+		this->mutex->lock(this->mutex);
+		if (this->batch)
 		{
-			DBG1(DBG_TNC, "TNCS ReceiveBatch failed");
-			return FAILED;
+			DBG1(DBG_TNC, "cancelling TNCCS batch");
+			this->batch->destroy(this->batch);
+			this->batch_id--;
+		 }
+		this->batch = tnccs_batch_create(this->is_server, ++this->batch_id);
+
+		/* add error messages to outbound batch */
+		enumerator = batch->create_error_enumerator(batch);
+		while (enumerator->enumerate(enumerator, &msg))
+		{
+			this->batch->add_msg(this->batch, msg->get_ref(msg));
 		}
+		enumerator->destroy(enumerator);
+		this->mutex->unlock(this->mutex);
 	}
 	else
 	{
-		if (libtnc_tncc_ReceiveBatch(this->tncc_connection, buf, buflen) !=
-			TNC_RESULT_SUCCESS)
+		enumerator = batch->create_msg_enumerator(batch);
+		while (enumerator->enumerate(enumerator, &msg))
 		{
-			DBG1(DBG_TNC, "TNCC ReceiveBatch failed");
+			handle_message(this, msg);
+		}
+		enumerator->destroy(enumerator);
+
+		/* received any TNCCS-Error messages */
+		if (this->fatal_error)
+		{
+			DBG1(DBG_TNC, "a fatal TNCCS-Error occurred, terminating connection");
+			batch->destroy(batch);
 			return FAILED;
 		}
+
+		if (this->is_server)
+		{
+			charon->imvs->batch_ending(charon->imvs, this->connection_id);
+		}
+		else
+		{
+			charon->imcs->batch_ending(charon->imcs, this->connection_id);
+		}
 	}
+	batch->destroy(batch);
+
 	return NEED_MORE;
 }
 
-METHOD(tls_t, build, status_t,
-	private_tnccs_11_t *this, void *buf, size_t *buflen, size_t *msglen)
+/**
+ *  Add a recommendation message if a final recommendation is available
+ */
+static void check_and_build_recommendation(private_tnccs_11_t *this)
 {
-	chunk_t batch;
-	u_int32_t conn_id;
-	size_t len;
+	TNC_IMV_Action_Recommendation rec;
+	TNC_IMV_Evaluation_Result eval;
+	TNC_IMVID id;
+	chunk_t reason, language;
+	enumerator_t *enumerator;
+	tnccs_msg_t *msg;
 
-	if (!this->is_server && !this->tncc_connection)
+	if (!this->recs->have_recommendation(this->recs, &rec, &eval))
+	{
+		charon->imvs->solicit_recommendation(charon->imvs, this->connection_id);
+	}
+	if (this->recs->have_recommendation(this->recs, &rec, &eval))
 	{
-		this->tncc_connection = libtnc_tncc_CreateConnection(NULL);
-		if (!this->tncc_connection)
+		if (!this->batch)
 		{
-			DBG1(DBG_TNC, "TNCC CreateConnection failed");
-			return FAILED;
+			this->batch = tnccs_batch_create(this->is_server, ++this->batch_id);
 		}
-		DBG1(DBG_TNC, "assigned TNCC Connection ID %u",
-					   this->tncc_connection->connectionID);
-		if (libtnc_tncc_BeginSession(this->tncc_connection) != TNC_RESULT_SUCCESS)
+
+		msg = tnccs_recommendation_msg_create(rec);
+		this->batch->add_msg(this->batch, msg);
+
+		/* currently we just send the first Reason String */
+		enumerator = this->recs->create_reason_enumerator(this->recs);
+		if (enumerator->enumerate(enumerator, &id, &reason, &language))
 		{
-			DBG1(DBG_TNC, "TNCC BeginSession failed");
-			return FAILED;
+			msg = tnccs_reason_strings_msg_create(reason, language);
+			this->batch->add_msg(this->batch, msg);
 		}
+		enumerator->destroy(enumerator);
+
+		/* we have reache the final state */
+		this->delete_state = TRUE;
 	}
-	conn_id = this->is_server ? this->tncs_connection->connectionID
-							  : this->tncc_connection->connectionID;
-	
-	if (!retrieve_batch(conn_id, &batch))
+}
+
+METHOD(tls_t, build, status_t,
+	private_tnccs_11_t *this, void *buf, size_t *buflen, size_t *msglen)
+{
+	status_t status;
+
+	/* Initialize the connection */
+	if (!this->is_server && !this->connection_id)
 	{
-		return FAILED;
+		tnccs_msg_t *msg;
+		char *pref_lang;
+
+		this->connection_id = charon->tnccs->create_connection(charon->tnccs,
+										(tnccs_t*)this, _send_msg,
+										&this->request_handshake_retry, NULL);
+		if (!this->connection_id)
+		{
+			return FAILED;
+		}
+
+		/* Create TNCCS-PreferredLanguage message */
+		pref_lang = charon->imcs->get_preferred_language(charon->imcs);
+		msg = tnccs_preferred_language_msg_create(pref_lang);
+		this->mutex->lock(this->mutex);
+		this->batch = tnccs_batch_create(this->is_server, ++this->batch_id);
+		this->batch->add_msg(this->batch, msg);
+		this->mutex->unlock(this->mutex);
+
+		charon->imcs->notify_connection_change(charon->imcs,
+							this->connection_id, TNC_CONNECTION_STATE_CREATE);
+		charon->imcs->notify_connection_change(charon->imcs,
+							this->connection_id, TNC_CONNECTION_STATE_HANDSHAKE);
+		charon->imcs->begin_handshake(charon->imcs, this->connection_id);
 	}
-	len = *buflen;
-	len = min(len, batch.len);
-	*buflen = len;
-	if (msglen)
+
+	/* Do not allow any asynchronous IMCs or IMVs to add additional messages */
+	this->mutex->lock(this->mutex);
+
+	if (this->is_server && !this->delete_state &&
+	   (!this->batch || this->fatal_error))
 	{
-		*msglen = batch.len;
+		check_and_build_recommendation(this);
 	}
 
-	if (batch.len)
+	if (this->batch)
 	{
+		chunk_t data;
+
+		this->batch->build(this->batch);
+		data = this->batch->get_encoding(this->batch);
 		DBG1(DBG_TNC, "sending TNCCS Batch (%d bytes) for Connection ID %u",
-					   batch.len, conn_id);
-		DBG3(DBG_TNC, "%.*s", batch.len, batch.ptr);
-		memcpy(buf, batch.ptr, len);
-		free_batch(conn_id);
-		return ALREADY_DONE;
+					   data.len, this->connection_id);
+		DBG3(DBG_TNC, "%.*s", data.len, data.ptr);
+		*msglen = data.len;
+
+		if (data.len > *buflen)
+		{
+			DBG1(DBG_TNC, "fragmentation of TNCCS batch not supported yet");
+		}
+		else
+		{
+			*buflen = data.len;
+		}
+		memcpy(buf, data.ptr, *buflen);
+		this->batch->destroy(this->batch);
+		this->batch = NULL;
+		status = ALREADY_DONE;
 	}
 	else
 	{
-		return INVALID_STATE;
+		DBG1(DBG_TNC, "no TNCCS Batch to send");
+		status = INVALID_STATE;
 	}
+	this->mutex->unlock(this->mutex);
+
+	return status;
 }
 
 METHOD(tls_t, is_server, bool,
@@ -237,39 +432,14 @@ METHOD(tls_t, is_complete, bool,
 {
 	TNC_IMV_Action_Recommendation rec;
 	TNC_IMV_Evaluation_Result eval;
-	char *group;
-	identification_t *id;
-	ike_sa_t *ike_sa;
-	auth_cfg_t *auth;
-	
-	if (libtnc_tncs_HaveRecommendation(this->tncs_connection, &rec, &eval) ==
-		TNC_RESULT_SUCCESS)
+
+	if (this->recs && this->recs->have_recommendation(this->recs, &rec, &eval))
 	{
-		switch (rec)
-		{
-			case TNC_IMV_ACTION_RECOMMENDATION_ALLOW:
-				DBG1(DBG_TNC, "TNC recommendation is allow");
-				group = "allow";
-				break;				
-			case TNC_IMV_ACTION_RECOMMENDATION_ISOLATE:
-				DBG1(DBG_TNC, "TNC recommendation is isolate");
-				group = "isolate";
-				break;
-			case TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS:
-			case TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION:
-			default:
-				DBG1(DBG_TNC, "TNC recommendation is none");
-				return FALSE;
-		}
-		ike_sa = charon->bus->get_sa(charon->bus);
-		if (ike_sa)
-		{
-			auth = ike_sa->get_auth_cfg(ike_sa, FALSE);
-			id = identification_create_from_string(group);
-			auth->add(auth, AUTH_RULE_GROUP, id);
-			DBG1(DBG_TNC, "added group membership '%s' based on TNC recommendation", group);
-		}
-		return TRUE;
+		DBG2(DBG_TNC, "Final recommendation is '%N' and evaluation is '%N'",
+			 TNC_IMV_Action_Recommendation_names, rec,
+			 TNC_IMV_Evaluation_Result_names, eval);
+
+		return charon->imvs->enforce_recommendation(charon->imvs, rec);
 	}
 	else
 	{
@@ -288,19 +458,17 @@ METHOD(tls_t, destroy, void,
 {
 	if (this->is_server)
 	{
-		if (this->tncs_connection)
-		{
-			libtnc_tncs_DeleteConnection(this->tncs_connection);
-		}
+		charon->imvs->notify_connection_change(charon->imvs,
+							this->connection_id, TNC_CONNECTION_STATE_DELETE);
 	}
 	else
 	{
-		if (this->tncc_connection)
-		{
-			libtnc_tncc_DeleteConnection(this->tncc_connection);
-		}
-		libtnc_tncc_Terminate();
+		charon->imcs->notify_connection_change(charon->imcs,
+							this->connection_id, TNC_CONNECTION_STATE_DELETE);
 	}
+	charon->tnccs->remove_connection(charon->tnccs, this->connection_id);
+	this->mutex->destroy(this->mutex);
+	DESTROY_IF(this->batch);
 	free(this);
 }
 
@@ -322,6 +490,7 @@ tls_t *tnccs_11_create(bool is_server)
 			.destroy = _destroy,
 		},
 		.is_server = is_server,
+		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
 	);
 
 	return &this->public;
diff --git a/src/libcharon/plugins/tnccs_20/Makefile.am b/src/libcharon/plugins/tnccs_20/Makefile.am
index 3018121e3..d72fd3e34 100644
--- a/src/libcharon/plugins/tnccs_20/Makefile.am
+++ b/src/libcharon/plugins/tnccs_20/Makefile.am
@@ -1,21 +1,28 @@
 
 INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libtls \
-	`xml2-config --cflags`
+	-I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libtls
 
 AM_CFLAGS = -rdynamic
 
-libstrongswan_tnccs_20_la_LIBADD = -ltnc
-
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-tnccs-20.la
 else
 plugin_LTLIBRARIES = libstrongswan-tnccs-20.la
-libstrongswan_tnccs_20_la_LIBADD += $(top_builddir)/src/libtls/libtls.la
+libstrongswan_tnccs_20_la_LIBADD = $(top_builddir)/src/libtls/libtls.la
 endif
 
 libstrongswan_tnccs_20_la_SOURCES = \
-	tnccs_20_plugin.h tnccs_20_plugin.c tnccs_20.h tnccs_20.c
+	tnccs_20_plugin.h tnccs_20_plugin.c tnccs_20.h tnccs_20.c \
+	batch/pb_tnc_batch.h batch/pb_tnc_batch.c \
+	messages/pb_tnc_msg.h messages/pb_tnc_msg.c \
+	messages/pb_experimental_msg.h messages/pb_experimental_msg.c \
+	messages/pb_pa_msg.h messages/pb_pa_msg.c \
+	messages/pb_assessment_result_msg.h messages/pb_assessment_result_msg.c \
+	messages/pb_access_recommendation_msg.h messages/pb_access_recommendation_msg.c \
+	messages/pb_error_msg.h messages/pb_error_msg.c \
+	messages/pb_language_preference_msg.h messages/pb_language_preference_msg.c \
+	messages/pb_reason_string_msg.h messages/pb_reason_string_msg.c \
+	messages/pb_remediation_parameters_msg.h messages/pb_remediation_parameters_msg.c \
+	state_machine/pb_tnc_state_machine.h state_machine/pb_tnc_state_machine.c
 
 libstrongswan_tnccs_20_la_LDFLAGS = -module -avoid-version
-
diff --git a/src/libcharon/plugins/tnccs_20/Makefile.in b/src/libcharon/plugins/tnccs_20/Makefile.in
index 6101f91df..9853be338 100644
--- a/src/libcharon/plugins/tnccs_20/Makefile.in
+++ b/src/libcharon/plugins/tnccs_20/Makefile.in
@@ -34,7 +34,6 @@ PRE_UNINSTALL = :
 POST_UNINSTALL = :
 build_triplet = @build@
 host_triplet = @host@
-@MONOLITHIC_FALSE@am__append_1 = $(top_builddir)/src/libtls/libtls.la
 subdir = src/libcharon/plugins/tnccs_20
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
@@ -75,8 +74,14 @@ am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
-libstrongswan_tnccs_20_la_DEPENDENCIES = $(am__append_1)
-am_libstrongswan_tnccs_20_la_OBJECTS = tnccs_20_plugin.lo tnccs_20.lo
+@MONOLITHIC_FALSE@libstrongswan_tnccs_20_la_DEPENDENCIES =  \
+@MONOLITHIC_FALSE@	$(top_builddir)/src/libtls/libtls.la
+am_libstrongswan_tnccs_20_la_OBJECTS = tnccs_20_plugin.lo tnccs_20.lo \
+	pb_tnc_batch.lo pb_tnc_msg.lo pb_experimental_msg.lo \
+	pb_pa_msg.lo pb_assessment_result_msg.lo \
+	pb_access_recommendation_msg.lo pb_error_msg.lo \
+	pb_language_preference_msg.lo pb_reason_string_msg.lo \
+	pb_remediation_parameters_msg.lo pb_tnc_state_machine.lo
 libstrongswan_tnccs_20_la_OBJECTS =  \
 	$(am_libstrongswan_tnccs_20_la_OBJECTS)
 libstrongswan_tnccs_20_la_LINK = $(LIBTOOL) --tag=CC \
@@ -223,9 +228,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -264,6 +267,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
@@ -275,15 +280,25 @@ urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libtls \
-	`xml2-config --cflags`
+	-I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libtls
 
 AM_CFLAGS = -rdynamic
-libstrongswan_tnccs_20_la_LIBADD = -ltnc $(am__append_1)
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-tnccs-20.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-tnccs-20.la
+@MONOLITHIC_FALSE@libstrongswan_tnccs_20_la_LIBADD = $(top_builddir)/src/libtls/libtls.la
 libstrongswan_tnccs_20_la_SOURCES = \
-	tnccs_20_plugin.h tnccs_20_plugin.c tnccs_20.h tnccs_20.c
+	tnccs_20_plugin.h tnccs_20_plugin.c tnccs_20.h tnccs_20.c \
+	batch/pb_tnc_batch.h batch/pb_tnc_batch.c \
+	messages/pb_tnc_msg.h messages/pb_tnc_msg.c \
+	messages/pb_experimental_msg.h messages/pb_experimental_msg.c \
+	messages/pb_pa_msg.h messages/pb_pa_msg.c \
+	messages/pb_assessment_result_msg.h messages/pb_assessment_result_msg.c \
+	messages/pb_access_recommendation_msg.h messages/pb_access_recommendation_msg.c \
+	messages/pb_error_msg.h messages/pb_error_msg.c \
+	messages/pb_language_preference_msg.h messages/pb_language_preference_msg.c \
+	messages/pb_reason_string_msg.h messages/pb_reason_string_msg.c \
+	messages/pb_remediation_parameters_msg.h messages/pb_remediation_parameters_msg.c \
+	state_machine/pb_tnc_state_machine.h state_machine/pb_tnc_state_machine.c
 
 libstrongswan_tnccs_20_la_LDFLAGS = -module -avoid-version
 all: all-am
@@ -369,6 +384,17 @@ mostlyclean-compile:
 distclean-compile:
 	-rm -f *.tab.c
 
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pb_access_recommendation_msg.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pb_assessment_result_msg.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pb_error_msg.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pb_experimental_msg.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pb_language_preference_msg.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pb_pa_msg.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pb_reason_string_msg.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pb_remediation_parameters_msg.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pb_tnc_batch.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pb_tnc_msg.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pb_tnc_state_machine.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs_20.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs_20_plugin.Plo@am__quote@
 
@@ -393,6 +419,83 @@ distclean-compile:
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
 
+pb_tnc_batch.lo: batch/pb_tnc_batch.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pb_tnc_batch.lo -MD -MP -MF $(DEPDIR)/pb_tnc_batch.Tpo -c -o pb_tnc_batch.lo `test -f 'batch/pb_tnc_batch.c' || echo '$(srcdir)/'`batch/pb_tnc_batch.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/pb_tnc_batch.Tpo $(DEPDIR)/pb_tnc_batch.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='batch/pb_tnc_batch.c' object='pb_tnc_batch.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pb_tnc_batch.lo `test -f 'batch/pb_tnc_batch.c' || echo '$(srcdir)/'`batch/pb_tnc_batch.c
+
+pb_tnc_msg.lo: messages/pb_tnc_msg.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pb_tnc_msg.lo -MD -MP -MF $(DEPDIR)/pb_tnc_msg.Tpo -c -o pb_tnc_msg.lo `test -f 'messages/pb_tnc_msg.c' || echo '$(srcdir)/'`messages/pb_tnc_msg.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/pb_tnc_msg.Tpo $(DEPDIR)/pb_tnc_msg.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='messages/pb_tnc_msg.c' object='pb_tnc_msg.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pb_tnc_msg.lo `test -f 'messages/pb_tnc_msg.c' || echo '$(srcdir)/'`messages/pb_tnc_msg.c
+
+pb_experimental_msg.lo: messages/pb_experimental_msg.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pb_experimental_msg.lo -MD -MP -MF $(DEPDIR)/pb_experimental_msg.Tpo -c -o pb_experimental_msg.lo `test -f 'messages/pb_experimental_msg.c' || echo '$(srcdir)/'`messages/pb_experimental_msg.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/pb_experimental_msg.Tpo $(DEPDIR)/pb_experimental_msg.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='messages/pb_experimental_msg.c' object='pb_experimental_msg.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pb_experimental_msg.lo `test -f 'messages/pb_experimental_msg.c' || echo '$(srcdir)/'`messages/pb_experimental_msg.c
+
+pb_pa_msg.lo: messages/pb_pa_msg.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pb_pa_msg.lo -MD -MP -MF $(DEPDIR)/pb_pa_msg.Tpo -c -o pb_pa_msg.lo `test -f 'messages/pb_pa_msg.c' || echo '$(srcdir)/'`messages/pb_pa_msg.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/pb_pa_msg.Tpo $(DEPDIR)/pb_pa_msg.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='messages/pb_pa_msg.c' object='pb_pa_msg.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pb_pa_msg.lo `test -f 'messages/pb_pa_msg.c' || echo '$(srcdir)/'`messages/pb_pa_msg.c
+
+pb_assessment_result_msg.lo: messages/pb_assessment_result_msg.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pb_assessment_result_msg.lo -MD -MP -MF $(DEPDIR)/pb_assessment_result_msg.Tpo -c -o pb_assessment_result_msg.lo `test -f 'messages/pb_assessment_result_msg.c' || echo '$(srcdir)/'`messages/pb_assessment_result_msg.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/pb_assessment_result_msg.Tpo $(DEPDIR)/pb_assessment_result_msg.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='messages/pb_assessment_result_msg.c' object='pb_assessment_result_msg.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pb_assessment_result_msg.lo `test -f 'messages/pb_assessment_result_msg.c' || echo '$(srcdir)/'`messages/pb_assessment_result_msg.c
+
+pb_access_recommendation_msg.lo: messages/pb_access_recommendation_msg.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pb_access_recommendation_msg.lo -MD -MP -MF $(DEPDIR)/pb_access_recommendation_msg.Tpo -c -o pb_access_recommendation_msg.lo `test -f 'messages/pb_access_recommendation_msg.c' || echo '$(srcdir)/'`messages/pb_access_recommendation_msg.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/pb_access_recommendation_msg.Tpo $(DEPDIR)/pb_access_recommendation_msg.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='messages/pb_access_recommendation_msg.c' object='pb_access_recommendation_msg.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pb_access_recommendation_msg.lo `test -f 'messages/pb_access_recommendation_msg.c' || echo '$(srcdir)/'`messages/pb_access_recommendation_msg.c
+
+pb_error_msg.lo: messages/pb_error_msg.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pb_error_msg.lo -MD -MP -MF $(DEPDIR)/pb_error_msg.Tpo -c -o pb_error_msg.lo `test -f 'messages/pb_error_msg.c' || echo '$(srcdir)/'`messages/pb_error_msg.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/pb_error_msg.Tpo $(DEPDIR)/pb_error_msg.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='messages/pb_error_msg.c' object='pb_error_msg.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pb_error_msg.lo `test -f 'messages/pb_error_msg.c' || echo '$(srcdir)/'`messages/pb_error_msg.c
+
+pb_language_preference_msg.lo: messages/pb_language_preference_msg.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pb_language_preference_msg.lo -MD -MP -MF $(DEPDIR)/pb_language_preference_msg.Tpo -c -o pb_language_preference_msg.lo `test -f 'messages/pb_language_preference_msg.c' || echo '$(srcdir)/'`messages/pb_language_preference_msg.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/pb_language_preference_msg.Tpo $(DEPDIR)/pb_language_preference_msg.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='messages/pb_language_preference_msg.c' object='pb_language_preference_msg.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pb_language_preference_msg.lo `test -f 'messages/pb_language_preference_msg.c' || echo '$(srcdir)/'`messages/pb_language_preference_msg.c
+
+pb_reason_string_msg.lo: messages/pb_reason_string_msg.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pb_reason_string_msg.lo -MD -MP -MF $(DEPDIR)/pb_reason_string_msg.Tpo -c -o pb_reason_string_msg.lo `test -f 'messages/pb_reason_string_msg.c' || echo '$(srcdir)/'`messages/pb_reason_string_msg.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/pb_reason_string_msg.Tpo $(DEPDIR)/pb_reason_string_msg.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='messages/pb_reason_string_msg.c' object='pb_reason_string_msg.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pb_reason_string_msg.lo `test -f 'messages/pb_reason_string_msg.c' || echo '$(srcdir)/'`messages/pb_reason_string_msg.c
+
+pb_remediation_parameters_msg.lo: messages/pb_remediation_parameters_msg.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pb_remediation_parameters_msg.lo -MD -MP -MF $(DEPDIR)/pb_remediation_parameters_msg.Tpo -c -o pb_remediation_parameters_msg.lo `test -f 'messages/pb_remediation_parameters_msg.c' || echo '$(srcdir)/'`messages/pb_remediation_parameters_msg.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/pb_remediation_parameters_msg.Tpo $(DEPDIR)/pb_remediation_parameters_msg.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='messages/pb_remediation_parameters_msg.c' object='pb_remediation_parameters_msg.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pb_remediation_parameters_msg.lo `test -f 'messages/pb_remediation_parameters_msg.c' || echo '$(srcdir)/'`messages/pb_remediation_parameters_msg.c
+
+pb_tnc_state_machine.lo: state_machine/pb_tnc_state_machine.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pb_tnc_state_machine.lo -MD -MP -MF $(DEPDIR)/pb_tnc_state_machine.Tpo -c -o pb_tnc_state_machine.lo `test -f 'state_machine/pb_tnc_state_machine.c' || echo '$(srcdir)/'`state_machine/pb_tnc_state_machine.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/pb_tnc_state_machine.Tpo $(DEPDIR)/pb_tnc_state_machine.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='state_machine/pb_tnc_state_machine.c' object='pb_tnc_state_machine.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pb_tnc_state_machine.lo `test -f 'state_machine/pb_tnc_state_machine.c' || echo '$(srcdir)/'`state_machine/pb_tnc_state_machine.c
+
 mostlyclean-libtool:
 	-rm -f *.lo
 
diff --git a/src/libcharon/plugins/tnccs_20/batch/pb_tnc_batch.c b/src/libcharon/plugins/tnccs_20/batch/pb_tnc_batch.c
new file mode 100644
index 000000000..3f38543ed
--- /dev/null
+++ b/src/libcharon/plugins/tnccs_20/batch/pb_tnc_batch.c
@@ -0,0 +1,543 @@
+/*
+ * Copyright (C) 2010 Sansar Choinyanbuu
+ * Copyright (C) 2010 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "pb_tnc_batch.h"
+#include "messages/pb_error_msg.h"
+#include "state_machine/pb_tnc_state_machine.h"
+
+#include <debug.h>
+#include <utils/linked_list.h>
+#include <tls_writer.h>
+#include <tls_reader.h>
+#include <tnc/tnccs/tnccs.h>
+
+ENUM(pb_tnc_batch_type_names, PB_BATCH_CDATA, PB_BATCH_CLOSE,
+	"CDATA",
+	"SDATA",
+	"RESULT",
+	"CRETRY",
+	"SRETRY",
+	"CLOSE"
+);
+
+typedef struct private_pb_tnc_batch_t private_pb_tnc_batch_t;
+
+/**
+ *   PB-Batch Header (see section 4.1 of RFC 5793)
+ *
+ *      0                   1                   2                   3
+ *      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ *     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *     |    Version    |D|     Reserved                        | B-Type|
+ *     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *     |                       Batch Length                            |
+ *     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
+
+#define PB_TNC_BATCH_FLAG_NONE		0x00
+#define PB_TNC_BATCH_FLAG_D			(1<<7)
+#define PB_TNC_BATCH_HEADER_SIZE	8
+
+/**
+ *   PB-TNC Message (see section 4.2 of RFC 5793)
+ *
+ *      0                   1                   2                   3
+ *      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ *     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *     |     Flags     |               PB-TNC Vendor ID                |
+ *     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *     |                       PB-TNC Message Type                     |
+ *     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *     |                      PB-TNC Message Length                    |
+ *     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *     |               PB-TNC Message Value (Variable Length)          |
+ *     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
+
+#define PB_TNC_FLAG_NONE			0x00
+#define PB_TNC_FLAG_NOSKIP			(1<<7)
+#define PB_TNC_HEADER_SIZE			12
+
+#define PB_TNC_RESERVED_MSG_TYPE	0xffffffff
+
+/**
+ * Private data of a pb_tnc_batch_t object.
+ *
+ */
+struct private_pb_tnc_batch_t {
+	/**
+	 * Public pb_pa_msg_t interface.
+	 */
+	pb_tnc_batch_t public;
+
+	/**
+	 * TNCC if TRUE, TNCS if FALSE
+	 */
+	bool is_server;
+
+	/**
+	 * PB-TNC Batch type
+	 */
+	pb_tnc_batch_type_t type;
+
+	/**
+	 * linked list of PB-TNC messages
+	 */
+	linked_list_t *messages;
+
+	/**
+	 * linked list of PB-TNC error messages
+	 */
+	linked_list_t *errors;
+
+	/**
+	 * Encoded message
+	 */
+	chunk_t encoding;
+
+	/**
+	 * Offset into encoding (used for error reporting)
+	 */
+	u_int32_t offset;
+};
+
+METHOD(pb_tnc_batch_t, get_type, pb_tnc_batch_type_t,
+	private_pb_tnc_batch_t *this)
+{
+	return this->type;
+}
+
+METHOD(pb_tnc_batch_t, get_encoding, chunk_t,
+	private_pb_tnc_batch_t *this)
+{
+	return this->encoding;
+}
+
+METHOD(pb_tnc_batch_t, add_msg, void,
+	private_pb_tnc_batch_t *this, pb_tnc_msg_t* msg)
+{
+	DBG2(DBG_TNC, "adding %N message", pb_tnc_msg_type_names,
+									   msg->get_type(msg));
+	this->messages->insert_last(this->messages, msg);
+}
+
+METHOD(pb_tnc_batch_t, build, void,
+	private_pb_tnc_batch_t *this)
+{
+	u_int32_t batch_len, msg_len;
+	chunk_t msg_value;
+	enumerator_t *enumerator;
+	pb_tnc_msg_type_t msg_type;
+	pb_tnc_msg_t *msg;
+	tls_writer_t *writer;
+
+	/* compute total PB-TNC batch size by summing over all messages */
+	batch_len = PB_TNC_BATCH_HEADER_SIZE;
+	enumerator = this->messages->create_enumerator(this->messages);
+	while (enumerator->enumerate(enumerator, &msg))
+	{
+		msg->build(msg);
+		msg_value = msg->get_encoding(msg);
+		batch_len += PB_TNC_HEADER_SIZE + msg_value.len;
+	}
+	enumerator->destroy(enumerator);
+
+	/* build PB-TNC batch header */
+	writer = tls_writer_create(batch_len);	
+	writer->write_uint8 (writer, PB_TNC_VERSION);
+	writer->write_uint8 (writer, this->is_server ?
+								 PB_TNC_BATCH_FLAG_D : PB_TNC_BATCH_FLAG_NONE);
+	writer->write_uint16(writer, this->type);
+	writer->write_uint32(writer, batch_len); 
+
+	/* build PB-TNC messages */
+	enumerator = this->messages->create_enumerator(this->messages);
+	while (enumerator->enumerate(enumerator, &msg))
+	{
+		u_int8_t flags = PB_TNC_FLAG_NONE;
+
+		/* build PB-TNC message */
+		msg_value = msg->get_encoding(msg);
+		msg_len = PB_TNC_HEADER_SIZE + msg_value.len;
+		msg_type = msg->get_type(msg);
+		if (pb_tnc_msg_infos[msg_type].has_noskip_flag)
+		{
+			flags |= PB_TNC_FLAG_NOSKIP;
+		}
+		writer->write_uint8 (writer, flags);
+		writer->write_uint24(writer, IETF_VENDOR_ID);
+		writer->write_uint32(writer, msg_type);
+		writer->write_uint32(writer, msg_len);
+		writer->write_data  (writer, msg_value);
+	}
+	enumerator->destroy(enumerator);
+
+	this->encoding = chunk_clone(writer->get_buf(writer));
+	writer->destroy(writer);
+}
+
+static status_t process_batch_header(private_pb_tnc_batch_t *this,
+									 pb_tnc_state_machine_t *state_machine)
+{
+	tls_reader_t *reader;
+	pb_tnc_msg_t *msg;
+	pb_error_msg_t *err_msg;
+	u_int8_t version, flags, reserved, type;
+	u_int32_t batch_len;
+	bool directionality;
+
+	if (this->encoding.len < PB_TNC_BATCH_HEADER_SIZE)
+	{
+		DBG1(DBG_TNC, "%u bytes insufficient to parse PB-TNC batch header",
+					   this->encoding.len);
+		msg = pb_error_msg_create_with_offset(TRUE, IETF_VENDOR_ID,
+							PB_ERROR_INVALID_PARAMETER, 0);
+		goto fatal;
+	}
+
+	reader = tls_reader_create(this->encoding);
+	reader->read_uint8 (reader, &version);
+	reader->read_uint8 (reader, &flags);
+	reader->read_uint8 (reader, &reserved);
+	reader->read_uint8 (reader, &type);
+	reader->read_uint32(reader, &batch_len);
+	reader->destroy(reader);
+
+	/* Version */
+	if (version != PB_TNC_VERSION)
+	{
+		DBG1(DBG_TNC, "unsupported TNCCS batch version 0x%01x", version);
+		msg = pb_error_msg_create(TRUE, IETF_VENDOR_ID,
+								  PB_ERROR_VERSION_NOT_SUPPORTED);
+		err_msg = (pb_error_msg_t*)msg;
+		err_msg->set_bad_version(err_msg, version);
+		goto fatal;
+	}
+
+	/* Directionality */
+	directionality = (flags & PB_TNC_BATCH_FLAG_D) != PB_TNC_BATCH_FLAG_NONE;
+	if (directionality == this->is_server)
+	{
+		DBG1(DBG_TNC, "wrong Directionality: batch is from a PB %s",
+			 directionality ? "server" : "client");
+		msg = pb_error_msg_create_with_offset(TRUE, IETF_VENDOR_ID,
+							PB_ERROR_INVALID_PARAMETER, 1);
+		goto fatal;
+	}
+
+	/* Batch Type */
+	this->type = type & 0x0F;
+	if (this->type > PB_BATCH_ROOF)
+	{
+		DBG1(DBG_TNC, "unknown PB-TNC batch type: %d", this->type);
+		msg = pb_error_msg_create_with_offset(TRUE, IETF_VENDOR_ID,
+							PB_ERROR_INVALID_PARAMETER, 3);
+		goto fatal;
+	}
+
+	if (!state_machine->receive_batch(state_machine, this->type))
+	{
+		DBG1(DBG_TNC, "unexpected PB-TNC batch type: %N",
+					   pb_tnc_batch_type_names, this->type);
+		msg = pb_error_msg_create(TRUE, IETF_VENDOR_ID,
+								  PB_ERROR_UNEXPECTED_BATCH_TYPE);
+		goto fatal;
+	}
+
+	/* Batch Length */
+	if (this->encoding.len != batch_len)
+	{
+		DBG1(DBG_TNC, "%u bytes of data is not equal to batch length of %u bytes",
+					   this->encoding.len, batch_len);
+		msg = pb_error_msg_create_with_offset(TRUE, IETF_VENDOR_ID,
+							PB_ERROR_INVALID_PARAMETER, 4);
+		goto fatal;
+	}
+
+	this->offset = PB_TNC_BATCH_HEADER_SIZE;
+	return SUCCESS;
+
+fatal:
+	this->errors->insert_last(this->errors, msg);
+	return FAILED;	
+}
+
+static status_t process_tnc_msg(private_pb_tnc_batch_t *this)
+{
+	tls_reader_t *reader;
+	pb_tnc_msg_t *pb_tnc_msg, *msg;
+	u_int8_t flags;
+	u_int32_t vendor_id, msg_type, msg_len, offset;
+	chunk_t data, msg_value;
+	bool noskip_flag;
+	status_t status;
+
+	data = chunk_skip(this->encoding, this->offset);
+
+	if (data.len < PB_TNC_HEADER_SIZE)
+	{
+		DBG1(DBG_TNC, "%u bytes insufficient to parse PB-TNC message header",
+					  data.len);
+		msg = pb_error_msg_create_with_offset(TRUE, IETF_VENDOR_ID,
+							PB_ERROR_INVALID_PARAMETER, this->offset);
+		goto fatal;
+	}
+
+	reader = tls_reader_create(data);
+	reader->read_uint8 (reader, &flags);
+	reader->read_uint24(reader, &vendor_id);
+	reader->read_uint32(reader, &msg_type);
+	reader->read_uint32(reader, &msg_len);
+	reader->destroy(reader);
+
+	noskip_flag = (flags & PB_TNC_FLAG_NOSKIP) != PB_TNC_FLAG_NONE;
+	
+	if (msg_len > data.len)
+	{
+		DBG1(DBG_TNC, "%u bytes insufficient to parse PB-TNC message", data.len);
+		msg = pb_error_msg_create_with_offset(TRUE, IETF_VENDOR_ID,
+							PB_ERROR_INVALID_PARAMETER, this->offset + 8);
+		goto fatal;
+	}
+
+	if (vendor_id == RESERVED_VENDOR_ID)
+	{
+		DBG1(DBG_TNC, "Vendor ID 0x%06x is reserved", RESERVED_VENDOR_ID);
+		msg = pb_error_msg_create_with_offset(TRUE, IETF_VENDOR_ID,
+							PB_ERROR_INVALID_PARAMETER, this->offset + 1);
+		goto fatal;
+
+	}
+
+	if (msg_type == PB_TNC_RESERVED_MSG_TYPE)
+	{
+		DBG1(DBG_TNC, "PB-TNC message Type 0x%08x is reserved",
+			 PB_TNC_RESERVED_MSG_TYPE);
+		msg = pb_error_msg_create_with_offset(TRUE, IETF_VENDOR_ID,
+							PB_ERROR_INVALID_PARAMETER, this->offset + 4);
+		goto fatal;
+	}
+
+
+	if (vendor_id != IETF_VENDOR_ID || msg_type > PB_MSG_ROOF)
+	{
+		if (msg_len < PB_TNC_HEADER_SIZE)
+		{
+			DBG1(DBG_TNC, "%u bytes too small for PB-TNC message length",
+						   msg_len);
+			msg = pb_error_msg_create_with_offset(TRUE, IETF_VENDOR_ID,
+							PB_ERROR_INVALID_PARAMETER, this->offset + 8);
+			goto fatal;
+		}
+
+		if (noskip_flag)
+		{
+			DBG1(DBG_TNC, "reject PB-TNC message (Vendor ID 0x%06x / "
+						  "Type 0x%08x)", vendor_id, msg_type);
+			msg = pb_error_msg_create_with_offset(TRUE, IETF_VENDOR_ID,
+							PB_ERROR_UNSUPPORTED_MANDATORY_MSG, this->offset);
+			goto fatal;
+		}
+		else
+		{
+			DBG1(DBG_TNC, "ignore PB-TNC message (Vendor ID 0x%06x / "
+						  "Type 0x%08x)", vendor_id, msg_type);
+			this->offset += msg_len;
+			return SUCCESS;
+		}
+	}
+	else
+	{
+		if (pb_tnc_msg_infos[msg_type].has_noskip_flag != TRUE_OR_FALSE &&
+			pb_tnc_msg_infos[msg_type].has_noskip_flag != noskip_flag)
+		{
+			DBG1(DBG_TNC, "%N message must%s have NOSKIP flag set",
+				 pb_tnc_msg_type_names, msg_type,
+				 pb_tnc_msg_infos[msg_type].has_noskip_flag ? "" : " not");
+			msg = pb_error_msg_create_with_offset(TRUE, IETF_VENDOR_ID,
+								PB_ERROR_INVALID_PARAMETER, this->offset);
+			goto fatal;
+		}
+
+		if (msg_len < pb_tnc_msg_infos[msg_type].min_size ||
+		   (pb_tnc_msg_infos[msg_type].exact_size &&
+			msg_len != pb_tnc_msg_infos[msg_type].min_size))
+		{
+			DBG1(DBG_TNC, "%N message length must be %s %u bytes but is %u bytes",
+				 pb_tnc_msg_type_names, msg_type,
+				 pb_tnc_msg_infos[msg_type].exact_size ? "exactly" : "at least",
+				 pb_tnc_msg_infos[msg_type].min_size, msg_len);
+			msg = pb_error_msg_create_with_offset(TRUE, IETF_VENDOR_ID,
+								PB_ERROR_INVALID_PARAMETER, this->offset);
+			goto fatal;
+		}
+	}
+
+	if (pb_tnc_msg_infos[msg_type].in_result_batch &&
+		this->type != PB_BATCH_RESULT)
+	{
+		if (this->is_server)
+		{
+			DBG1(DBG_TNC,"reject %N message received from a PB-TNC client",
+						  pb_tnc_msg_type_names, msg_type);
+			msg = pb_error_msg_create_with_offset(TRUE, IETF_VENDOR_ID,
+								PB_ERROR_INVALID_PARAMETER, this->offset);
+			goto fatal;
+		}
+		else
+		{
+			DBG1(DBG_TNC,"ignore %N message not received within RESULT batch",
+						  pb_tnc_msg_type_names, msg_type);
+			this->offset += msg_len;
+			return SUCCESS;
+		}
+	}
+
+	DBG2(DBG_TNC, "processing %N message (%u bytes)", pb_tnc_msg_type_names,
+				   msg_type, msg_len);
+	data.len = msg_len;
+	msg_value = chunk_skip(data, PB_TNC_HEADER_SIZE);
+	pb_tnc_msg = pb_tnc_msg_create_from_data(msg_type, msg_value);
+
+	status = pb_tnc_msg->process(pb_tnc_msg, &offset);
+	if (status == FAILED || status == VERIFY_ERROR)
+	{
+		msg = pb_error_msg_create_with_offset(TRUE, IETF_VENDOR_ID,
+							PB_ERROR_INVALID_PARAMETER, this->offset);
+		this->errors->insert_last(this->errors, msg);
+	}
+	if (status == FAILED)
+	{
+		pb_tnc_msg->destroy(pb_tnc_msg);
+		return FAILED;
+	}
+	this->messages->insert_last(this->messages, pb_tnc_msg);
+	this->offset += msg_len;
+	return status;
+
+fatal:
+	this->errors->insert_last(this->errors, msg);
+	return FAILED;	
+}
+
+METHOD(pb_tnc_batch_t, process, status_t,
+	private_pb_tnc_batch_t *this, pb_tnc_state_machine_t *state_machine)
+{
+	status_t status;
+
+	status = process_batch_header(this, state_machine);
+	if (status != SUCCESS)
+	{
+		return FAILED;
+	}
+	DBG1(DBG_TNC, "processing PB-TNC %N batch", pb_tnc_batch_type_names,
+												this->type);
+	while (this->offset < this->encoding.len)
+	{
+		switch (process_tnc_msg(this))
+		{
+			case FAILED:
+				return FAILED;
+			case VERIFY_ERROR:
+				status = VERIFY_ERROR;
+				break;
+			case SUCCESS:
+			default:
+				break;
+		}
+	}
+	return status;
+}
+
+METHOD(pb_tnc_batch_t, create_msg_enumerator, enumerator_t*,
+	private_pb_tnc_batch_t *this)
+{
+	return this->messages->create_enumerator(this->messages);
+}
+
+METHOD(pb_tnc_batch_t, create_error_enumerator, enumerator_t*,
+	private_pb_tnc_batch_t *this)
+{
+	return this->errors->create_enumerator(this->errors);
+}
+
+METHOD(pb_tnc_batch_t, destroy, void,
+	private_pb_tnc_batch_t *this)
+{
+	this->messages->destroy_offset(this->messages,
+								   offsetof(pb_tnc_msg_t, destroy));
+	this->errors->destroy_offset(this->errors,
+								   offsetof(pb_tnc_msg_t, destroy));
+	free(this->encoding.ptr);
+	free(this);
+}
+
+/**
+ * See header
+ */
+pb_tnc_batch_t* pb_tnc_batch_create(bool is_server, pb_tnc_batch_type_t type)
+{
+	private_pb_tnc_batch_t *this;
+
+	INIT(this,
+		.public = {
+			.get_type = _get_type,
+			.get_encoding = _get_encoding,
+			.add_msg = _add_msg,
+			.build = _build,
+			.process = _process,
+			.create_msg_enumerator = _create_msg_enumerator,
+			.create_error_enumerator = _create_error_enumerator,
+			.destroy = _destroy,
+		},
+		.is_server = is_server,
+		.type = type,
+		.messages = linked_list_create(),
+		.errors = linked_list_create(),
+	);
+
+	DBG2(DBG_TNC, "creating PB-TNC %N batch", pb_tnc_batch_type_names, type);
+
+	return &this->public;
+}
+
+/**
+ * See header
+ */
+pb_tnc_batch_t* pb_tnc_batch_create_from_data(bool is_server, chunk_t data)
+{
+	private_pb_tnc_batch_t *this;
+
+	INIT(this,
+		.public = {
+			.get_type = _get_type,
+			.get_encoding = _get_encoding,
+			.add_msg = _add_msg,
+			.build = _build,
+			.process = _process,
+			.create_msg_enumerator = _create_msg_enumerator,
+			.create_error_enumerator = _create_error_enumerator,
+			.destroy = _destroy,
+		},
+		.is_server = is_server,
+		.messages = linked_list_create(),
+		.errors = linked_list_create(),
+		.encoding = chunk_clone(data),
+	);
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/plugins/tnccs_20/batch/pb_tnc_batch.h b/src/libcharon/plugins/tnccs_20/batch/pb_tnc_batch.h
new file mode 100644
index 000000000..17e5fff4c
--- /dev/null
+++ b/src/libcharon/plugins/tnccs_20/batch/pb_tnc_batch.h
@@ -0,0 +1,126 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pb_tnc_batch pb_tnc_batch
+ * @{ @ingroup tnccs_20
+ */
+
+#ifndef PB_TNC_BATCH_H_
+#define PB_TNC_BATCH_H_
+
+typedef enum pb_tnc_batch_type_t pb_tnc_batch_type_t;
+typedef struct pb_tnc_batch_t pb_tnc_batch_t;
+
+#include "messages/pb_tnc_msg.h"
+#include "state_machine/pb_tnc_state_machine.h"
+
+#include <library.h>
+
+/**
+  * PB-TNC Batch Types as defined in section 4.1 of RFC 5793
+ */
+enum pb_tnc_batch_type_t {
+	PB_BATCH_CDATA =	1,
+	PB_BATCH_SDATA =	2,
+	PB_BATCH_RESULT =	3,
+	PB_BATCH_CRETRY =	4,
+	PB_BATCH_SRETRY =	5,
+	PB_BATCH_CLOSE =	6,
+	PB_BATCH_ROOF =		6
+};
+
+/**
+ * enum name for pb_tnc_batch_type_t.
+ */
+extern enum_name_t *pb_tnc_batch_type_names;
+
+/**
+ * Interface for all PB-TNC Batch Types.
+ */
+struct pb_tnc_batch_t {
+
+	/**
+	 * Get the PB-TNC Message Type
+	 *
+	 * @return				PB-TNC batch type
+	 */
+	pb_tnc_batch_type_t (*get_type)(pb_tnc_batch_t *this);
+
+	/**
+	 * Get the encoding of the PB-TNC Batch
+	 *
+	 * @return				encoded PB-TNC batch
+	 */
+	chunk_t (*get_encoding)(pb_tnc_batch_t *this);
+
+	/**
+	 * Add a PB-TNC Message
+	 *
+	 * @param msg			PB-TNC message to be addedd
+	 */
+	void (*add_msg)(pb_tnc_batch_t *this, pb_tnc_msg_t* msg);
+
+	/**
+	 * Build the PB-TNC Batch
+	 */
+	void (*build)(pb_tnc_batch_t *this);
+
+	/**
+	 * Process the PB-TNC Batch
+	 *
+	 * @param				PB-TNC state machine
+	 * @return				return processing status
+	 */
+	status_t (*process)(pb_tnc_batch_t *this,
+						pb_tnc_state_machine_t *state_machine);
+
+	/**
+	 * Enumerates over all PB-TNC Messages
+	 *
+	 * @return				return message enumerator
+	 */
+	enumerator_t* (*create_msg_enumerator)(pb_tnc_batch_t *this);
+
+	/**
+	 * Enumerates over all parsing errors
+	 *
+	 * @return				return error enumerator
+	 */
+	enumerator_t* (*create_error_enumerator)(pb_tnc_batch_t *this);
+
+	/**
+	 * Destroys a pb_tnc_batch_t object.
+	 */
+	void (*destroy)(pb_tnc_batch_t *this);
+};
+
+/**
+ * Create an empty PB-TNC Batch of a given type
+ *
+ * @param is_server			TRUE if server, FALSE if client
+ * @param type				PB-TNC batch type
+ */
+pb_tnc_batch_t* pb_tnc_batch_create(bool is_server, pb_tnc_batch_type_t type);
+
+/**
+ * Create an unprocessed PB-TNC Batch from data
+ *
+ * @param is_server			TRUE if server, FALSE if client
+ * @param  data				encoded PB-TNC batch
+ */
+pb_tnc_batch_t* pb_tnc_batch_create_from_data(bool is_server, chunk_t data);
+
+#endif /** PB_TNC_BATCH_H_ @}*/
diff --git a/src/libcharon/plugins/tnccs_20/messages/pb_access_recommendation_msg.c b/src/libcharon/plugins/tnccs_20/messages/pb_access_recommendation_msg.c
new file mode 100644
index 000000000..41b9e31f6
--- /dev/null
+++ b/src/libcharon/plugins/tnccs_20/messages/pb_access_recommendation_msg.c
@@ -0,0 +1,180 @@
+/*
+ * Copyright (C) 2010 Sansar Choinyambuu
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "pb_access_recommendation_msg.h"
+
+#include <tls_writer.h>
+#include <tls_reader.h>
+#include <debug.h>
+
+ENUM(pb_access_recommendation_code_names, PB_REC_ACCESS_ALLOWED, PB_REC_QUARANTINED,
+	"Access Allowed",
+	"Access Denied",
+	"Quarantined"
+);
+
+typedef struct private_pb_access_recommendation_msg_t private_pb_access_recommendation_msg_t;
+
+/**
+ *   PB-Access-Recommendation message (see section 4.7 of RFC 5793)
+ *
+ *      0                   1                   2                   3
+ *      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ *     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *     |          Reserved             |   Access Recommendation Code  |
+ *     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
+
+#define ACCESS_RECOMMENDATION_RESERVED	 	0x0000
+#define ACCESS_RECOMMENDATION_MSG_SIZE		4
+/**
+ * Private data of a pb_access_recommendation_msg_t object.
+ *
+ */
+struct private_pb_access_recommendation_msg_t {
+	/**
+	 * Public pb_access_recommendation_msg_t interface.
+	 */
+	pb_access_recommendation_msg_t public;
+
+	/**
+	 * PB-TNC message type
+	 */
+	pb_tnc_msg_type_t type;
+
+	/**
+	 * Access recommendation code
+	 */
+	u_int16_t recommendation;
+
+	/**
+	 * Encoded message
+	 */
+	chunk_t encoding;
+};
+
+METHOD(pb_tnc_msg_t, get_type, pb_tnc_msg_type_t,
+	private_pb_access_recommendation_msg_t *this)
+{
+	return this->type;
+}
+
+METHOD(pb_tnc_msg_t, get_encoding, chunk_t,
+	private_pb_access_recommendation_msg_t *this)
+{
+	return this->encoding;
+}
+
+METHOD(pb_tnc_msg_t, build, void,
+	private_pb_access_recommendation_msg_t *this)
+{
+	tls_writer_t *writer;
+
+	/* build message */
+	writer = tls_writer_create(ACCESS_RECOMMENDATION_MSG_SIZE);
+	writer->write_uint16(writer, ACCESS_RECOMMENDATION_RESERVED);
+	writer->write_uint16(writer, this->recommendation);
+	free(this->encoding.ptr);
+	this->encoding = writer->get_buf(writer);
+	this->encoding = chunk_clone(this->encoding);
+	writer->destroy(writer);
+}
+
+METHOD(pb_tnc_msg_t, process, status_t,
+	private_pb_access_recommendation_msg_t *this, u_int32_t *offset)
+{
+	tls_reader_t *reader;
+	u_int16_t reserved;
+
+	/* process message */
+	reader = tls_reader_create(this->encoding);
+	reader->read_uint16(reader, &reserved);
+	reader->read_uint16(reader, &this->recommendation);
+	reader->destroy(reader);
+
+	if (this->recommendation < PB_REC_ACCESS_ALLOWED ||
+		this->recommendation > PB_REC_QUARANTINED)
+	{
+		DBG1(DBG_TNC, "invalid access recommendation code (%u)",
+					   this->recommendation);
+		*offset = 2;
+		return FAILED;
+	}
+		
+	return SUCCESS;
+}
+
+METHOD(pb_tnc_msg_t, destroy, void,
+	private_pb_access_recommendation_msg_t *this)
+{
+	free(this->encoding.ptr);
+	free(this);
+}
+
+METHOD(pb_access_recommendation_msg_t, get_access_recommendation, u_int16_t,
+	private_pb_access_recommendation_msg_t *this)
+{
+	return this->recommendation;
+}
+
+/**
+ * See header
+ */
+pb_tnc_msg_t *pb_access_recommendation_msg_create_from_data(chunk_t data)
+{
+	private_pb_access_recommendation_msg_t *this;
+
+	INIT(this,
+		.public = {
+			.pb_interface = {
+				.get_type = _get_type,
+				.get_encoding = _get_encoding,
+				.build = _build,
+				.process = _process,
+				.destroy = _destroy,
+			},
+			.get_access_recommendation = _get_access_recommendation,
+		},
+		.type = PB_MSG_ACCESS_RECOMMENDATION,
+		.encoding = chunk_clone(data),
+	);
+
+	return &this->public.pb_interface;
+}
+
+/**
+ * See header
+ */
+pb_tnc_msg_t *pb_access_recommendation_msg_create(u_int16_t recommendation)
+{
+	private_pb_access_recommendation_msg_t *this;
+
+	INIT(this,
+		.public = {
+			.pb_interface = {
+				.get_type = _get_type,
+				.get_encoding = _get_encoding,
+				.build = _build,
+				.process = _process,
+				.destroy = _destroy,
+			},
+			.get_access_recommendation = _get_access_recommendation,
+		},
+		.type = PB_MSG_ACCESS_RECOMMENDATION,
+		.recommendation = recommendation,
+	);
+
+	return &this->public.pb_interface;
+}
diff --git a/src/libcharon/plugins/tnccs_20/messages/pb_access_recommendation_msg.h b/src/libcharon/plugins/tnccs_20/messages/pb_access_recommendation_msg.h
new file mode 100644
index 000000000..01b83cfd7
--- /dev/null
+++ b/src/libcharon/plugins/tnccs_20/messages/pb_access_recommendation_msg.h
@@ -0,0 +1,76 @@
+/*
+ * Copyright (C) 2010 Sansar Choinyambuu
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pb_access_recommendation_msg pb_access_recommendation_msg
+ * @{ @ingroup tnccs_20
+ */
+
+#ifndef PB_ACCESS_RECOMMENDATION_MSG_H_
+#define PB_ACCESS_RECOMMENDATION_MSG_H_
+
+typedef enum pb_access_recommendation_code_t pb_access_recommendation_code_t;
+typedef struct pb_access_recommendation_msg_t pb_access_recommendation_msg_t;
+
+#include "pb_tnc_msg.h"
+
+/**
+ * PB Access Recommendation Codes as defined in section 4.7 of RFC 5793
+ */
+enum pb_access_recommendation_code_t {
+	PB_REC_ACCESS_ALLOWED =	1,
+	PB_REC_ACCESS_DENIED =	2,
+	PB_REC_QUARANTINED =	3,
+};
+
+/**
+ * enum name for pb_access_recommendation_code_t.
+ */
+extern enum_name_t *pb_access_recommendation_code_names;
+
+
+/**
+ * Class representing the PB-Access-Recommendation message type.
+ */
+struct pb_access_recommendation_msg_t {
+
+	/**
+	 * PB-TNC Message interface
+	 */
+	pb_tnc_msg_t pb_interface;
+
+	/**
+	 * Get PB Access Recommendation
+	 *
+	 * @return			PB Access Recommendation
+	 */
+	u_int16_t (*get_access_recommendation)(pb_access_recommendation_msg_t *this);
+};
+
+/**
+ * Create a PB-Access-Recommendation message from parameters
+ *
+ * @param recommendation	Access Recommendation code
+ */
+pb_tnc_msg_t* pb_access_recommendation_msg_create(u_int16_t recommendation);
+
+/**
+ * Create an unprocessed PB-Access-Recommendation message from raw data
+ *
+  * @param data		PB-Access-Recommendation message data
+ */
+pb_tnc_msg_t* pb_access_recommendation_msg_create_from_data(chunk_t data);
+
+#endif /** PB_PA_MSG_H_ @}*/
diff --git a/src/libcharon/plugins/tnccs_20/messages/pb_assessment_result_msg.c b/src/libcharon/plugins/tnccs_20/messages/pb_assessment_result_msg.c
new file mode 100644
index 000000000..c91e54176
--- /dev/null
+++ b/src/libcharon/plugins/tnccs_20/messages/pb_assessment_result_msg.c
@@ -0,0 +1,172 @@
+/*
+ * Copyright (C) 2010 Sansar Choinyambuu
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "pb_assessment_result_msg.h"
+
+#include <tls_writer.h>
+#include <tls_reader.h>
+#include <tnc/tncifimv.h>
+#include <debug.h>
+
+typedef struct private_pb_assessment_result_msg_t private_pb_assessment_result_msg_t;
+
+/**
+ *   PB-Assessment-Result message (see section 4.6 of RFC 5793)
+ *
+ *                          1                   2                   3
+ *      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ *     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *     |                       Assessment Result                       |
+ *     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
+
+#define ASSESSMENT_RESULT_MSG_SIZE	4
+
+/**
+ * Private data of a pb_assessment_result_msg_t object.
+ *
+ */
+struct private_pb_assessment_result_msg_t {
+	/**
+	 * Public pb_assessment_result_msg_t interface.
+	 */
+	pb_assessment_result_msg_t public;
+
+	/**
+	 * PB-TNC message type
+	 */
+	pb_tnc_msg_type_t type;
+
+	/**
+	 * Assessment result code
+	 */
+	u_int32_t assessment_result;
+
+	/**
+	 * Encoded message
+	 */
+	chunk_t encoding;
+};
+
+METHOD(pb_tnc_msg_t, get_type, pb_tnc_msg_type_t,
+	private_pb_assessment_result_msg_t *this)
+{
+	return this->type;
+}
+
+METHOD(pb_tnc_msg_t, get_encoding, chunk_t,
+	private_pb_assessment_result_msg_t *this)
+{
+	return this->encoding;
+}
+
+METHOD(pb_tnc_msg_t, build, void,
+	private_pb_assessment_result_msg_t *this)
+{
+	tls_writer_t *writer;
+
+	/* build message */
+	writer = tls_writer_create(ASSESSMENT_RESULT_MSG_SIZE);
+	writer->write_uint32(writer, this->assessment_result);
+	free(this->encoding.ptr);
+	this->encoding = writer->get_buf(writer);
+	this->encoding = chunk_clone(this->encoding);
+	writer->destroy(writer);
+}
+
+METHOD(pb_tnc_msg_t, process, status_t,
+	private_pb_assessment_result_msg_t *this, u_int32_t *offset)
+{
+	tls_reader_t *reader;
+
+	/* process message */
+	reader = tls_reader_create(this->encoding);
+	reader->read_uint32(reader, &this->assessment_result);
+	reader->destroy(reader);
+
+	if (this->assessment_result < TNC_IMV_EVALUATION_RESULT_COMPLIANT ||
+		this->assessment_result > TNC_IMV_EVALUATION_RESULT_DONT_KNOW)
+	{
+		DBG1(DBG_TNC, "invalid assessment result (%u)",
+					   this->assessment_result);
+		*offset = 0;
+		return FAILED;
+	}
+		
+	return SUCCESS;
+}
+
+METHOD(pb_tnc_msg_t, destroy, void,
+	private_pb_assessment_result_msg_t *this)
+{
+	free(this->encoding.ptr);
+	free(this);
+}
+
+METHOD(pb_assessment_result_msg_t, get_assessment_result, u_int32_t,
+	private_pb_assessment_result_msg_t *this)
+{
+	return this->assessment_result;
+}
+
+/**
+ * See header
+ */
+pb_tnc_msg_t *pb_assessment_result_msg_create_from_data(chunk_t data)
+{
+	private_pb_assessment_result_msg_t *this;
+
+	INIT(this,
+		.public = {
+			.pb_interface = {
+				.get_type = _get_type,
+				.get_encoding = _get_encoding,
+				.build = _build,
+				.process = _process,
+				.destroy = _destroy,
+			},
+			.get_assessment_result = _get_assessment_result,
+		},
+		.type = PB_MSG_ASSESSMENT_RESULT,
+		.encoding = chunk_clone(data),
+	);
+
+	return &this->public.pb_interface;
+}
+
+/**
+ * See header
+ */
+pb_tnc_msg_t *pb_assessment_result_msg_create(u_int32_t assessment_result)
+{
+	private_pb_assessment_result_msg_t *this;
+
+	INIT(this,
+		.public = {
+			.pb_interface = {
+				.get_type = _get_type,
+				.get_encoding = _get_encoding,
+				.build = _build,
+				.process = _process,
+				.destroy = _destroy,
+			},
+			.get_assessment_result = _get_assessment_result,
+		},
+		.type = PB_MSG_ASSESSMENT_RESULT,
+		.assessment_result = assessment_result,
+	);
+
+	return &this->public.pb_interface;
+}
diff --git a/src/libcharon/plugins/tnccs_20/messages/pb_assessment_result_msg.h b/src/libcharon/plugins/tnccs_20/messages/pb_assessment_result_msg.h
new file mode 100644
index 000000000..d2b005114
--- /dev/null
+++ b/src/libcharon/plugins/tnccs_20/messages/pb_assessment_result_msg.h
@@ -0,0 +1,60 @@
+/*
+ * Copyright (C) 2010 Sansar Choinyambuu
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pb_assessment_result_msg pb_assessment_result_msg
+ * @{ @ingroup tnccs_20
+ */
+
+#ifndef PB_ASSESSMENT_RESULT_MSG_H_
+#define PB_ASSESSMENT_RESULT_MSG_H_
+
+typedef struct pb_assessment_result_msg_t pb_assessment_result_msg_t;
+
+#include "pb_tnc_msg.h"
+
+/**
+ * Class representing the PB-Assessment-Result message type.
+ */
+struct pb_assessment_result_msg_t {
+
+	/**
+	 * PB-TNC Message interface
+	 */
+	pb_tnc_msg_t pb_interface;
+
+	/**
+	 * Get PB Assessment result
+	 *
+	 * @return			PB Assessment result
+	 */
+	u_int32_t (*get_assessment_result)(pb_assessment_result_msg_t *this);
+};
+
+/**
+ * Create a PB-Assessment-Result message from parameters
+ *
+ * @param assessment_result		Assessment result code
+ */
+pb_tnc_msg_t* pb_assessment_result_msg_create(u_int32_t assessment_result);
+
+/**
+ * Create an unprocessed PB-Assessment-Result message from raw data
+ *
+  * @param data		PB-Assessment-Result message data
+ */
+pb_tnc_msg_t* pb_assessment_result_msg_create_from_data(chunk_t data);
+
+#endif /** PB_PA_MSG_H_ @}*/
diff --git a/src/libcharon/plugins/tnccs_20/messages/pb_error_msg.c b/src/libcharon/plugins/tnccs_20/messages/pb_error_msg.c
new file mode 100644
index 000000000..e1755c512
--- /dev/null
+++ b/src/libcharon/plugins/tnccs_20/messages/pb_error_msg.c
@@ -0,0 +1,346 @@
+/*
+ * Copyright (C) 2010 Sansar Choinyambuu
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "pb_error_msg.h"
+
+#include <debug.h>
+#include <tls_writer.h>
+#include <tls_reader.h>
+#include <tnc/tnccs/tnccs.h>
+
+ENUM(pb_tnc_error_code_names, PB_ERROR_UNEXPECTED_BATCH_TYPE,
+							  PB_ERROR_VERSION_NOT_SUPPORTED,
+	"Unexpected Batch Type",
+	"Invalid Parameter",
+	"Local Error",
+	"Unsupported Mandatory Message",
+	"Version Not Supported"
+);
+
+typedef struct private_pb_error_msg_t private_pb_error_msg_t;
+
+/**
+ *   PB-Error message (see section 4.9 of RFC 5793)
+ *
+ *      0                   1                   2                   3
+ *      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ *     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *     |    Flags      |              Error Code Vendor ID             |
+ *     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *     |           Error Code          |           Reserved            |
+ *     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *     |                Error Parameters (Variable Length)             |
+ *     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
+
+#define ERROR_FLAG_NONE		0x00
+#define ERROR_FLAG_FATAL	(1<<7)
+#define ERROR_RESERVED	 	0x0000
+#define ERROR_HEADER_SIZE	8
+
+/**
+ * Private data of a pb_error_msg_t object.
+ *
+ */
+struct private_pb_error_msg_t {
+	/**
+	 * Public pb_error_msg_t interface.
+	 */
+	pb_error_msg_t public;
+
+	/**
+	 * PB-TNC message type
+	 */
+	pb_tnc_msg_type_t type;
+
+	/**
+	 * Fatal flag
+	 */
+	bool fatal;
+
+	/**
+	 * PB Error Code Vendor ID
+	 */
+	u_int32_t vendor_id;
+
+	/**
+	 * PB Error Code
+	 */
+	u_int16_t error_code;
+
+	/**
+	 * PB Error Offset
+	 */
+	u_int32_t error_offset;
+
+	/**
+	 * Bad PB-TNC version received 
+	 */
+	u_int8_t bad_version;
+
+	/**
+	 * Encoded message
+	 */
+	chunk_t encoding;
+
+	/**
+	 * reference count
+	 */
+	refcount_t ref;
+};
+
+METHOD(pb_tnc_msg_t, get_type, pb_tnc_msg_type_t,
+	private_pb_error_msg_t *this)
+{
+	return this->type;
+}
+
+METHOD(pb_tnc_msg_t, get_encoding, chunk_t,
+	private_pb_error_msg_t *this)
+{
+	return this->encoding;
+}
+
+METHOD(pb_tnc_msg_t, build, void,
+	private_pb_error_msg_t *this)
+{
+	tls_writer_t *writer;
+
+	/* build message header */
+	writer = tls_writer_create(ERROR_HEADER_SIZE);
+	writer->write_uint8 (writer, this->fatal ?
+						 ERROR_FLAG_FATAL : ERROR_FLAG_NONE);
+	writer->write_uint24(writer, this->vendor_id);
+	writer->write_uint16(writer, this->error_code);
+	writer->write_uint16(writer, ERROR_RESERVED);
+
+	/* build message body */
+	if (this->error_code == PB_ERROR_VERSION_NOT_SUPPORTED)
+	{
+		/* Bad version */
+		writer->write_uint8(writer, this->bad_version);
+		writer->write_uint8(writer, PB_TNC_VERSION); /* Max version */
+		writer->write_uint8(writer, PB_TNC_VERSION); /* Min version */
+		writer->write_uint8(writer, 0x00);           /* Reserved */
+	}
+	else
+	{
+		/* Error Offset */
+		writer->write_uint32(writer, this->error_offset);
+	}
+
+	free(this->encoding.ptr);
+	this->encoding = writer->get_buf(writer);
+	this->encoding = chunk_clone(this->encoding);
+	writer->destroy(writer);
+}
+
+METHOD(pb_tnc_msg_t, process, status_t,
+	private_pb_error_msg_t *this, u_int32_t *offset)
+{
+	u_int8_t flags, max_version, min_version;
+	u_int16_t reserved;
+	tls_reader_t *reader;
+
+	if (this->encoding.len < ERROR_HEADER_SIZE)
+	{
+		DBG1(DBG_TNC,"%N message is shorter than header size of %u bytes",
+			 pb_tnc_msg_type_names, PB_MSG_ERROR, ERROR_HEADER_SIZE);
+		return FAILED;
+	}
+
+	/* process message header */
+	reader = tls_reader_create(this->encoding);
+	reader->read_uint8 (reader, &flags);
+	reader->read_uint24(reader, &this->vendor_id);
+	reader->read_uint16(reader, &this->error_code);
+	reader->read_uint16(reader, &reserved);
+	this->fatal = (flags & ERROR_FLAG_FATAL) != ERROR_FLAG_NONE;
+
+	if (this->vendor_id == IETF_VENDOR_ID && reader->remaining(reader) == 4)
+	{
+		if (this->error_code == PB_ERROR_VERSION_NOT_SUPPORTED)
+		{
+			reader->read_uint8(reader, &this->bad_version);
+			reader->read_uint8(reader, &max_version);
+			reader->read_uint8(reader, &min_version);
+		}
+		else
+		{
+			reader->read_uint32(reader, &this->error_offset);
+		}
+	}
+	reader->destroy(reader);
+
+	return SUCCESS;
+}
+
+METHOD(pb_tnc_msg_t, get_ref, pb_tnc_msg_t*,
+	private_pb_error_msg_t *this)
+{
+	ref_get(&this->ref);
+	return &this->public.pb_interface;
+}
+
+METHOD(pb_tnc_msg_t, destroy, void,
+	private_pb_error_msg_t *this)
+{
+	if (ref_put(&this->ref))
+	{
+		free(this->encoding.ptr);
+		free(this);
+	}
+}
+
+METHOD(pb_error_msg_t, get_fatal_flag, bool,
+	private_pb_error_msg_t *this)
+{
+	return this->fatal;
+}
+
+METHOD(pb_error_msg_t, get_vendor_id, u_int32_t,
+	private_pb_error_msg_t *this)
+{
+	return this->vendor_id;
+}
+
+METHOD(pb_error_msg_t, get_error_code, u_int16_t,
+	private_pb_error_msg_t *this)
+{
+	return this->error_code;
+}
+
+METHOD(pb_error_msg_t, get_offset, u_int32_t,
+	private_pb_error_msg_t *this)
+{
+	return this->error_offset;
+}
+
+METHOD(pb_error_msg_t, get_bad_version, u_int8_t,
+	private_pb_error_msg_t *this)
+{
+	return this->bad_version;
+}
+
+METHOD(pb_error_msg_t, set_bad_version, void,
+	private_pb_error_msg_t *this, u_int8_t version)
+{
+	this->bad_version = version;
+}
+
+/**
+ * See header
+ */
+pb_tnc_msg_t* pb_error_msg_create(bool fatal, u_int32_t vendor_id,
+								  pb_tnc_error_code_t error_code)
+{
+	private_pb_error_msg_t *this;
+
+	INIT(this,
+		.public = {
+			.pb_interface = {
+				.get_type = _get_type,
+				.get_encoding = _get_encoding,
+				.build = _build,
+				.process = _process,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+			.get_fatal_flag = _get_fatal_flag,
+			.get_vendor_id = _get_vendor_id,
+			.get_error_code = _get_error_code,
+			.get_offset = _get_offset,
+			.get_bad_version = _get_bad_version,
+			.set_bad_version = _set_bad_version,
+		},
+		.type = PB_MSG_ERROR,
+		.ref = 1,
+		.fatal = fatal,
+		.vendor_id = vendor_id,
+		.error_code = error_code,
+	);
+
+	return &this->public.pb_interface;
+}
+
+/**
+ * See header
+ */
+pb_tnc_msg_t* pb_error_msg_create_with_offset(bool fatal, u_int32_t vendor_id,
+											  pb_tnc_error_code_t error_code,
+											  u_int32_t error_offset)
+{
+	private_pb_error_msg_t *this;
+
+	INIT(this,
+		.public = {
+			.pb_interface = {
+				.get_type = _get_type,
+				.get_encoding = _get_encoding,
+				.build = _build,
+				.process = _process,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+			.get_fatal_flag = _get_fatal_flag,
+			.get_vendor_id = _get_vendor_id,
+			.get_error_code = _get_error_code,
+			.get_offset = _get_offset,
+			.get_bad_version = _get_bad_version,
+			.set_bad_version = _set_bad_version,
+		},
+		.type = PB_MSG_ERROR,
+		.ref = 1,
+		.fatal = fatal,
+		.vendor_id = vendor_id,
+		.error_code = error_code,
+		.error_offset = error_offset,
+	);
+
+	return &this->public.pb_interface;
+}
+
+/**
+ * See header
+ */
+pb_tnc_msg_t *pb_error_msg_create_from_data(chunk_t data)
+{
+	private_pb_error_msg_t *this;
+
+	INIT(this,
+		.public = {
+			.pb_interface = {
+				.get_type = _get_type,
+				.get_encoding = _get_encoding,
+				.build = _build,
+				.process = _process,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+			.get_fatal_flag = _get_fatal_flag,
+			.get_vendor_id = _get_vendor_id,
+			.get_error_code = _get_error_code,
+			.get_offset = _get_offset,
+			.get_bad_version = _get_bad_version,
+			.set_bad_version = _set_bad_version,
+		},
+		.type = PB_MSG_ERROR,
+		.ref = 1,
+		.encoding = chunk_clone(data),
+	);
+
+	return &this->public.pb_interface;
+}
+
diff --git a/src/libcharon/plugins/tnccs_20/messages/pb_error_msg.h b/src/libcharon/plugins/tnccs_20/messages/pb_error_msg.h
new file mode 100644
index 000000000..8b92742b5
--- /dev/null
+++ b/src/libcharon/plugins/tnccs_20/messages/pb_error_msg.h
@@ -0,0 +1,127 @@
+/*
+ * Copyright (C) 2010 Sansar Choinyambuu
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pb_error_msg pb_error_msg
+ * @{ @ingroup tnccs_20
+ */
+
+#ifndef PB_ERROR_MSG_H_
+#define PB_ERROR_MSG_H_
+
+typedef enum pb_tnc_error_code_t pb_tnc_error_code_t;
+typedef struct pb_error_msg_t pb_error_msg_t;
+
+#include "pb_tnc_msg.h"
+
+/**
+ * PB-TNC Error Codes as defined in section 4.9.1 of RFC 5793
+ */
+enum  pb_tnc_error_code_t {
+	PB_ERROR_UNEXPECTED_BATCH_TYPE =		0,
+	PB_ERROR_INVALID_PARAMETER =			1,
+	PB_ERROR_LOCAL_ERROR =					2,
+	PB_ERROR_UNSUPPORTED_MANDATORY_MSG =	3,
+	PB_ERROR_VERSION_NOT_SUPPORTED =		4
+};
+
+/**
+ * enum name for pb_tnc_error_code_t.
+ */
+extern enum_name_t *pb_tnc_error_code_names;
+
+/**
+ * Class representing the PB-Error message type.
+ */
+struct pb_error_msg_t {
+
+	/**
+	 * PB-TNC Message interface
+	 */
+	pb_tnc_msg_t pb_interface;
+
+	/**
+	 * Get the fatal flag
+	 *
+	 * @return				fatal flag
+	 */
+	bool (*get_fatal_flag)(pb_error_msg_t *this);
+
+	/**
+	 * Get PB Error code Vendor ID
+	 *
+	 * @return				PB Error Code Vendor ID
+	 */
+	u_int32_t (*get_vendor_id)(pb_error_msg_t *this);
+
+	/**
+	 * Get PB Error Code
+	 *
+	 * @return				PB Error Code
+	 */
+	u_int16_t (*get_error_code)(pb_error_msg_t *this);
+
+	/**
+	 * Get the PB Error Offset
+	 *
+	 * @return				PB Error Offset
+	 */
+	u_int32_t (*get_offset)(pb_error_msg_t *this);
+
+	/**
+	 * Get the PB Bad Version
+	 *
+	 * @return				PB Bad Version
+	 */
+	u_int8_t (*get_bad_version)(pb_error_msg_t *this);
+
+	/**
+	 * Set the PB Bad Version
+	 *
+	 * @param version		PB Bad Version
+	 */
+	void (*set_bad_version)(pb_error_msg_t *this, u_int8_t version);
+};
+
+/**
+ * Create a PB-Error message from parameters
+ *
+ * @param fatal				fatal flag
+ * @param vendor_id			Error Code Vendor ID
+ * @param error_code		Error Code
+ */
+pb_tnc_msg_t* pb_error_msg_create(bool fatal, u_int32_t vendor_id,
+								  pb_tnc_error_code_t error_code);
+	
+/**
+ * Create a PB-Error message from parameters with offset field
+ *
+ * @param fatal				fatal flag
+ * @param vendor_id			Error Code Vendor ID
+ * @param error_code		Error Code
+ * @param error_offset		Error Offset
+ */
+pb_tnc_msg_t* pb_error_msg_create_with_offset(bool fatal, u_int32_t vendor_id,
+											  pb_tnc_error_code_t error_code,
+											  u_int32_t error_offset);
+
+/**
+ * Create an unprocessed PB-Error message from raw data
+ *
+ * @param data				PB-Error message data
+ */
+pb_tnc_msg_t* pb_error_msg_create_from_data(chunk_t data);
+
+#endif /** PB_PA_MSG_H_ @}*/
diff --git a/src/libcharon/plugins/tnccs_20/messages/pb_experimental_msg.c b/src/libcharon/plugins/tnccs_20/messages/pb_experimental_msg.c
new file mode 100644
index 000000000..7dfba136f
--- /dev/null
+++ b/src/libcharon/plugins/tnccs_20/messages/pb_experimental_msg.c
@@ -0,0 +1,102 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "pb_experimental_msg.h"
+
+typedef struct private_pb_experimental_msg_t private_pb_experimental_msg_t;
+
+/**
+ * Private data of a pb_experimental_msg_t object.
+ *
+ */
+struct private_pb_experimental_msg_t {
+	/**
+	 * Public pb_experimental_msg_t interface.
+	 */
+	pb_experimental_msg_t public;
+
+	/**
+	 * PB-TNC message type
+	 */
+	pb_tnc_msg_type_t type;
+
+	/**
+	 * Encoded message
+	 */
+	chunk_t encoding;
+};
+
+METHOD(pb_tnc_msg_t, get_type, pb_tnc_msg_type_t,
+	private_pb_experimental_msg_t *this)
+{
+	return this->type;
+}
+
+METHOD(pb_tnc_msg_t, get_encoding, chunk_t,
+	private_pb_experimental_msg_t *this)
+{
+	return this->encoding;
+}
+
+METHOD(pb_tnc_msg_t, build, void,
+	private_pb_experimental_msg_t *this)
+{
+	/* nothing to do since message contents equal encoding */
+}
+
+METHOD(pb_tnc_msg_t, process, status_t,
+	private_pb_experimental_msg_t *this, u_int32_t *offset)
+{
+	return SUCCESS;
+}
+
+METHOD(pb_tnc_msg_t, destroy, void,
+	private_pb_experimental_msg_t *this)
+{
+	free(this->encoding.ptr);
+	free(this);
+}
+
+/**
+ * See header
+ */
+pb_tnc_msg_t *pb_experimental_msg_create_from_data(chunk_t data)
+{
+	private_pb_experimental_msg_t *this;
+
+	INIT(this,
+		.public = {
+			.pb_interface = {
+				.get_type = _get_type,
+				.get_encoding = _get_encoding,
+				.build = _build,
+				.process = _process,
+				.destroy = _destroy,
+			},
+		},
+		.type = PB_MSG_EXPERIMENTAL,
+		.encoding = chunk_clone(data),
+	);
+
+	return &this->public.pb_interface;
+}
+
+/**
+ * See header
+ */
+pb_tnc_msg_t *pb_experimental_msg_create(chunk_t body)
+{
+	return pb_experimental_msg_create_from_data(body);
+}
diff --git a/src/libcharon/plugins/tnccs_20/messages/pb_experimental_msg.h b/src/libcharon/plugins/tnccs_20/messages/pb_experimental_msg.h
new file mode 100644
index 000000000..b1cc4f46e
--- /dev/null
+++ b/src/libcharon/plugins/tnccs_20/messages/pb_experimental_msg.h
@@ -0,0 +1,53 @@
+/*
+ * Copyright (C) 2010 Sansar Choinyambuu
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pb_experimental_msg pb_experimental_msg
+ * @{ @ingroup tnccs_20
+ */
+
+#ifndef PB_EXPERIMENTAL_MSG_H_
+#define PB_EXPERIMENTAL_MSG_H_
+
+typedef struct pb_experimental_msg_t pb_experimental_msg_t;
+
+#include "pb_tnc_msg.h"
+
+/**
+ * Class representing the PB-Experimental message type.
+ */
+struct pb_experimental_msg_t {
+
+	/**
+	 * PB-TNC Message interface
+	 */
+	pb_tnc_msg_t pb_interface;
+};
+
+/**
+ * Create a PB-Experimental message from parameters
+ *
+ * @param body			message body
+ */
+pb_tnc_msg_t* pb_experimental_msg_create(chunk_t body);
+
+/**
+ * Create an unprocessed PB-Experimental message from raw data
+ *
+ * @param data			PB-Experimental message data
+ */
+pb_tnc_msg_t* pb_experimental_msg_create_from_data(chunk_t data);
+
+#endif /** PB_EXPERIMENTAL_MSG_H_ @}*/
diff --git a/src/libcharon/plugins/tnccs_20/messages/pb_language_preference_msg.c b/src/libcharon/plugins/tnccs_20/messages/pb_language_preference_msg.c
new file mode 100644
index 000000000..9a94edf30
--- /dev/null
+++ b/src/libcharon/plugins/tnccs_20/messages/pb_language_preference_msg.c
@@ -0,0 +1,175 @@
+/*
+ * Copyright (C) 2010 Sansar Choinyambuu
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "pb_language_preference_msg.h"
+
+#include <tls_writer.h>
+#include <tls_reader.h>
+#include <debug.h>
+
+typedef struct private_pb_language_preference_msg_t private_pb_language_preference_msg_t;
+
+/**
+ *   PB-Language-Preference message (see section 4.10 of RFC 5793)
+ *
+ *      0                   1                   2                   3
+ *      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ *     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *     |              Language Preference (Variable Length)            |
+ *     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
+
+#define PB_LANG_PREFIX			"Accept-Language: "
+#define PB_LANG_PREFIX_LEN		strlen(PB_LANG_PREFIX)
+
+/**
+ * Private data of a pb_language_preference_msg_t object.
+ *
+ */
+struct private_pb_language_preference_msg_t {
+	/**
+	 * Public pb_access_recommendation_msg_t interface.
+	 */
+	pb_language_preference_msg_t public;
+
+	/**
+	 * PB-TNC message type
+	 */
+	pb_tnc_msg_type_t type;
+
+	/**
+	 * Language preference
+	 */
+	chunk_t language_preference;
+
+	/**
+	 * Encoded message
+	 */
+	chunk_t encoding;
+};
+
+METHOD(pb_tnc_msg_t, get_type, pb_tnc_msg_type_t,
+	private_pb_language_preference_msg_t *this)
+{
+	return this->type;
+}
+
+METHOD(pb_tnc_msg_t, get_encoding, chunk_t,
+	private_pb_language_preference_msg_t *this)
+{
+	return this->encoding;
+}
+
+METHOD(pb_tnc_msg_t, build, void,
+	private_pb_language_preference_msg_t *this)
+{
+	this->encoding = chunk_cat("cc",
+		 	 			chunk_create(PB_LANG_PREFIX, PB_LANG_PREFIX_LEN),
+						this->language_preference);
+}
+
+METHOD(pb_tnc_msg_t, process, status_t,
+	private_pb_language_preference_msg_t *this, u_int32_t *offset)
+{
+	chunk_t lang;
+
+	if (this->encoding.len >= PB_LANG_PREFIX_LEN &&
+		memeq(this->encoding.ptr, PB_LANG_PREFIX, PB_LANG_PREFIX_LEN))
+	{
+		lang = chunk_skip(this->encoding, PB_LANG_PREFIX_LEN);
+		this->language_preference = lang.len ? chunk_clone(lang) : chunk_empty;
+	}
+	else
+    {
+		DBG1(DBG_TNC, "language preference must be preceded by '%s'",
+					   PB_LANG_PREFIX);
+		*offset = 0;
+		return FAILED;
+	}
+
+	if (this->language_preference.len &&
+		this->language_preference.ptr[this->language_preference.len-1] == '\0')
+	{
+		DBG1(DBG_TNC, "language preference must not be null terminated");
+		*offset = PB_LANG_PREFIX_LEN + this->language_preference.len - 1;
+		return FAILED;
+	}
+
+	return SUCCESS;
+}
+
+METHOD(pb_tnc_msg_t, destroy, void,
+	private_pb_language_preference_msg_t *this)
+{
+	free(this->encoding.ptr);
+	free(this->language_preference.ptr);
+	free(this);
+}
+
+METHOD(pb_language_preference_msg_t, get_language_preference, chunk_t,
+	private_pb_language_preference_msg_t *this)
+{
+	return this->language_preference;
+}
+
+/**
+ * See header
+ */
+pb_tnc_msg_t *pb_language_preference_msg_create_from_data(chunk_t data)
+{
+	private_pb_language_preference_msg_t *this;
+
+	INIT(this,
+		.public = {
+			.pb_interface = {
+				.get_type = _get_type,
+				.get_encoding = _get_encoding,
+				.build = _build,
+				.process = _process,
+				.destroy = _destroy,
+			},
+			.get_language_preference = _get_language_preference,
+		},
+		.type = PB_MSG_LANGUAGE_PREFERENCE,
+		.encoding = chunk_clone(data),
+	);
+
+	return &this->public.pb_interface;
+}
+
+/**
+ * See header
+ */
+pb_tnc_msg_t *pb_language_preference_msg_create(chunk_t language_preference)
+{
+	private_pb_language_preference_msg_t *this;
+
+	INIT(this,
+		.public = {
+			.pb_interface = {
+				.get_type = _get_type,
+				.get_encoding = _get_encoding,
+				.build = _build,
+				.process = _process,
+				.destroy = _destroy,
+			},
+			.get_language_preference = _get_language_preference,
+		},
+		.type = PB_MSG_LANGUAGE_PREFERENCE,
+		.language_preference = chunk_clone(language_preference),
+	);
+
+	return &this->public.pb_interface;
+}
diff --git a/src/libcharon/plugins/tnccs_20/messages/pb_language_preference_msg.h b/src/libcharon/plugins/tnccs_20/messages/pb_language_preference_msg.h
new file mode 100644
index 000000000..17106f6fa
--- /dev/null
+++ b/src/libcharon/plugins/tnccs_20/messages/pb_language_preference_msg.h
@@ -0,0 +1,60 @@
+/*
+ * Copyright (C) 2010 Sansar Choinyambuu
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pb_language_preference_msg pb_language_preference_msg
+ * @{ @ingroup tnccs_20
+ */
+
+#ifndef PB_LANGUAGE_PREFERENCE_MSG_H_
+#define PB_LANGUAGE_PREFERENCE_MSG_H_
+
+typedef struct pb_language_preference_msg_t pb_language_preference_msg_t;
+
+#include "pb_tnc_msg.h"
+
+/**
+ * Class representing the PB-Language-Preference message type.
+ */
+struct pb_language_preference_msg_t {
+
+	/**
+	 * PB-TNC Message interface
+	 */
+	pb_tnc_msg_t pb_interface;
+
+	/**
+	 * Get PB Language Preference
+	 *
+	 * @return			Language preference
+	 */
+	chunk_t (*get_language_preference)(pb_language_preference_msg_t *this);
+};
+
+/**
+ * Create a PB-Language-Preference message from parameters
+ *
+ * @param language_preference		Preferred language(s)
+ */
+pb_tnc_msg_t* pb_language_preference_msg_create(chunk_t language_preference);
+
+/**
+ * Create an unprocessed PB-Language-Preference message from raw data
+ *
+  * @param data		PB-Language-Preference message data
+ */
+pb_tnc_msg_t* pb_language_preference_msg_create_from_data(chunk_t data);
+
+#endif /** PB_PA_MSG_H_ @}*/
diff --git a/src/libcharon/plugins/tnccs_20/messages/pb_pa_msg.c b/src/libcharon/plugins/tnccs_20/messages/pb_pa_msg.c
new file mode 100644
index 000000000..8315bfb76
--- /dev/null
+++ b/src/libcharon/plugins/tnccs_20/messages/pb_pa_msg.c
@@ -0,0 +1,293 @@
+/*
+ * Copyright (C) 2010 Sansar Choinyanbuu
+ * Copyright (C) 2010 Andreas Steffen
+ *
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "pb_pa_msg.h"
+
+#include <tls_writer.h>
+#include <tls_reader.h>
+#include <tnc/tnccs/tnccs.h>
+#include <debug.h>
+
+ENUM(pa_tnc_subtype_names, PA_SUBTYPE_TESTING, PA_SUBTYPE_NEA_CLIENT,
+	"Testing",
+	"Operating System",
+	"Anti-Virus",
+	"Anti-Spyware",
+	"Anti-Malware",
+	"Firewall",
+	"IDPS",
+	"VPN",
+	"NEA Client"
+);
+
+typedef struct private_pb_pa_msg_t private_pb_pa_msg_t;
+
+/**
+ *   PB-PA message
+ *
+ *      0                   1                   2                   3
+ *      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ *     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *     |    Flags      |               PA Message Vendor ID            |
+ *     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *     |                           PA Subtype                          |
+ *     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *     |  Posture Collector Identifier | Posture Validator Identifier  |
+ *     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *     |                 PA Message Body (Variable Length)             |
+ *     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
+
+#define PA_FLAG_NONE			0x00
+#define PA_FLAG_EXCL			(1<<7)
+#define PA_RESERVED_SUBTYPE		0xffffffff
+
+
+/**
+ * Private data of a pb_pa_msg_t object.
+ *
+ */
+struct private_pb_pa_msg_t {
+	/**
+	 * Public pb_pa_msg_t interface.
+	 */
+	pb_pa_msg_t public;
+
+	/**
+	 * PB-TNC message type
+	 */
+	pb_tnc_msg_type_t type;
+
+	/**
+	 * Exclusive flag
+	 */
+	bool excl;
+
+	/**
+	 * PA Message Vendor ID
+	 */
+	u_int32_t vendor_id;
+
+	/**
+	 * PA Subtype
+	 */
+	u_int32_t subtype;
+
+	/**
+	 * Posture Validator Identifier
+	 */
+	u_int16_t collector_id;
+
+	/**
+	 * Posture Validator Identifier
+	 */
+	u_int16_t validator_id;
+
+	/**
+	 * PA Message Body
+	 */
+	chunk_t msg_body;
+
+	/**
+	 * Encoded message
+	 */
+	chunk_t encoding;
+};
+
+METHOD(pb_tnc_msg_t, get_type, pb_tnc_msg_type_t,
+	private_pb_pa_msg_t *this)
+{
+	return this->type;
+}
+
+METHOD(pb_tnc_msg_t, get_encoding, chunk_t,
+	private_pb_pa_msg_t *this)
+{
+	return this->encoding;
+}
+
+METHOD(pb_tnc_msg_t, build, void,
+	private_pb_pa_msg_t *this)
+{
+	chunk_t msg_header;
+	tls_writer_t *writer;
+
+	/* build message header */
+	writer = tls_writer_create(64);
+	writer->write_uint8 (writer, this->excl ? PA_FLAG_EXCL : PA_FLAG_NONE);
+	writer->write_uint24(writer, this->vendor_id);
+	writer->write_uint32(writer, this->subtype);
+	writer->write_uint16(writer, this->collector_id);
+	writer->write_uint16(writer, this->validator_id);
+	msg_header = writer->get_buf(writer);
+
+	/* create encoding by concatenating message header and message body */
+	free(this->encoding.ptr);
+	this->encoding = chunk_cat("cc", msg_header, this->msg_body);
+	writer->destroy(writer);
+}
+
+METHOD(pb_tnc_msg_t, process, status_t,
+	private_pb_pa_msg_t *this, u_int32_t *offset)
+{
+	u_int8_t flags;
+	size_t msg_body_len;
+	tls_reader_t *reader;
+
+	/* process message header */
+	reader = tls_reader_create(this->encoding);
+	reader->read_uint8 (reader, &flags);
+	reader->read_uint24(reader, &this->vendor_id);
+	reader->read_uint32(reader, &this->subtype);
+	reader->read_uint16(reader, &this->collector_id);
+	reader->read_uint16(reader, &this->validator_id);
+	this->excl = ((flags & PA_FLAG_EXCL) != PA_FLAG_NONE);
+
+	/* process message body */
+	msg_body_len = reader->remaining(reader);
+	if (msg_body_len)
+	{
+		reader->read_data(reader, msg_body_len, &this->msg_body);
+		this->msg_body = chunk_clone(this->msg_body);
+	}
+	reader->destroy(reader);
+
+	if (this->vendor_id == RESERVED_VENDOR_ID)
+	{
+		DBG1(DBG_TNC, "Vendor ID 0x%06x is reserved", RESERVED_VENDOR_ID);
+		*offset = 1;
+		return FAILED;
+	}
+
+	if (this->subtype == PA_RESERVED_SUBTYPE)
+	{
+		DBG1(DBG_TNC, "PA Subtype 0x%08x is reserved", PA_RESERVED_SUBTYPE);
+		*offset = 4;
+	}
+
+	return SUCCESS;
+}
+
+METHOD(pb_tnc_msg_t, destroy, void,
+	private_pb_pa_msg_t *this)
+{
+	free(this->encoding.ptr);
+	free(this->msg_body.ptr);
+	free(this);
+}
+
+METHOD(pb_pa_msg_t, get_vendor_id, u_int32_t,
+	private_pb_pa_msg_t *this, u_int32_t *subtype)
+{
+	*subtype = this->subtype;
+	return this->vendor_id;
+}
+
+METHOD(pb_pa_msg_t, get_collector_id, u_int16_t,
+	private_pb_pa_msg_t *this)
+{
+	return this->collector_id;
+}
+
+METHOD(pb_pa_msg_t, get_validator_id, u_int16_t,
+	private_pb_pa_msg_t *this)
+{
+	return this->validator_id;
+}
+
+METHOD(pb_pa_msg_t, get_body, chunk_t,
+	private_pb_pa_msg_t *this)
+{
+	return this->msg_body;
+}
+
+METHOD(pb_pa_msg_t, get_exclusive_flag, bool,
+	private_pb_pa_msg_t *this)
+{
+	return this->excl;
+}
+
+METHOD(pb_pa_msg_t, set_exclusive_flag, void,
+	private_pb_pa_msg_t *this, bool excl)
+{
+	this->excl = excl;
+}
+
+/**
+ * See header
+ */
+pb_tnc_msg_t *pb_pa_msg_create_from_data(chunk_t data)
+{
+	private_pb_pa_msg_t *this;
+
+	INIT(this,
+		.public = {
+			.pb_interface = {
+				.get_type = _get_type,
+				.get_encoding = _get_encoding,
+				.process = _process,
+				.destroy = _destroy,
+			},
+			.get_vendor_id = _get_vendor_id,
+			.get_collector_id = _get_collector_id,
+			.get_validator_id = _get_validator_id,
+			.get_body = _get_body,
+			.get_exclusive_flag = _get_exclusive_flag,
+			.set_exclusive_flag = _set_exclusive_flag,
+		},
+		.type = PB_MSG_PA,
+		.encoding = chunk_clone(data),
+	);
+
+	return &this->public.pb_interface;
+}
+
+/**
+ * See header
+ */
+pb_tnc_msg_t *pb_pa_msg_create(u_int32_t vendor_id, u_int32_t subtype,
+							   u_int16_t collector_id, u_int16_t validator_id,
+							   chunk_t msg_body)
+{
+	private_pb_pa_msg_t *this;
+
+	INIT(this,
+		.public = {
+			.pb_interface = {
+				.get_type = _get_type,
+				.get_encoding = _get_encoding,
+				.build = _build,
+				.process = _process,
+				.destroy = _destroy,
+			},
+			.get_vendor_id = _get_vendor_id,
+			.get_collector_id = _get_collector_id,
+			.get_validator_id = _get_validator_id,
+			.get_body = _get_body,
+			.get_exclusive_flag = _get_exclusive_flag,
+			.set_exclusive_flag = _set_exclusive_flag,
+		},
+		.type = PB_MSG_PA,
+		.vendor_id = vendor_id,
+		.subtype = subtype,
+		.collector_id = collector_id,
+		.validator_id = validator_id,
+		.msg_body = chunk_clone(msg_body),
+	);
+
+	return &this->public.pb_interface;
+}
diff --git a/src/libcharon/plugins/tnccs_20/messages/pb_pa_msg.h b/src/libcharon/plugins/tnccs_20/messages/pb_pa_msg.h
new file mode 100644
index 000000000..366d790f6
--- /dev/null
+++ b/src/libcharon/plugins/tnccs_20/messages/pb_pa_msg.h
@@ -0,0 +1,123 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pb_pa_msg pb_pa_msg
+ * @{ @ingroup tnccs_20
+ */
+
+#ifndef PB_PA_MSG_H_
+#define PB_PA_MSG_H_
+
+typedef enum pa_tnc_subtype_t pa_tnc_subtype_t;
+typedef struct pb_pa_msg_t pb_pa_msg_t;
+
+#include "pb_tnc_msg.h"
+
+/**
+ * PA-TNC Subtypes as defined in section 3.5 of RFC 5792
+ */
+ enum pa_tnc_subtype_t {
+	PA_SUBTYPE_TESTING =			0,
+	PA_SUBTYPE_OPERATING_SYSTEM =	1,
+	PA_SUBTYPE_ANTI_VIRUS =			2,
+	PA_SUBTYPE_ANTI_SPYWARE =		3,
+	PA_SUBTYPE_ANTI_MALWARE =		4,
+	PA_SUBTYPE_FIREWALL =			5,
+	PA_SUBTYPE_IDPS =				6,
+	PA_SUBTYPE_VPN =				7,
+	PA_SUBTYPE_NEA_CLIENT =			8
+};
+
+/**
+ * enum name for pa_tnc_subtype_t.
+ */
+extern enum_name_t *pa_tnc_subtype_names;
+
+/**
+ * Class representing the PB-PA message type.
+ */
+struct pb_pa_msg_t {
+
+	/**
+	 * PB-TNC Message interface
+	 */
+	pb_tnc_msg_t pb_interface;
+
+	/**
+	 * Get PA Message Vendor ID and Subtype
+	 *
+	 * @param subtype		PA Subtype
+	 * @return				PA Message Vendor ID
+	 */
+	u_int32_t (*get_vendor_id)(pb_pa_msg_t *this, u_int32_t *subtype);
+
+	/**
+	 * Get Posture Collector ID
+	 *
+	 * @return				Posture Collector ID
+	 */
+	u_int16_t (*get_collector_id)(pb_pa_msg_t *this);
+
+	/**
+	 * Get Posture Validator ID
+	 *
+	 * @return				Posture Validator ID
+	 */
+	u_int16_t (*get_validator_id)(pb_pa_msg_t *this);
+
+	/**
+	 * Get the PA Message Body
+	 *
+	 * @return				PA Message Body
+	 */
+	chunk_t (*get_body)(pb_pa_msg_t *this);
+
+	/**
+	 * Get the exclusive flag
+	 *
+	 * @return				exclusive flag
+	 */
+	bool (*get_exclusive_flag)(pb_pa_msg_t *this);
+
+	/**
+	 * Set the exclusive flag
+	 *
+	 * @param excl			vexclusive flag
+	 */
+	void (*set_exclusive_flag)(pb_pa_msg_t *this, bool excl);
+};
+
+/**
+ * Create a PB-PA message from parameters
+ *
+ * @param vendor_id			PA Message Vendor ID
+ * @param subtype			PA Subtype		
+ * @param collector_id		Posture Collector ID
+ * @param validator_id		Posture Validator ID
+ * @param msg_body		 	PA Message Body
+ */
+pb_tnc_msg_t *pb_pa_msg_create(u_int32_t vendor_id, u_int32_t subtype,
+							   u_int16_t collector_id, u_int16_t validator_id,
+							   chunk_t msg_body);
+
+/**
+ * Create an unprocessed PB-PA message from raw data
+ *
+  * @param data		PB-PA message data
+ */
+pb_tnc_msg_t* pb_pa_msg_create_from_data(chunk_t data);
+
+#endif /** PB_PA_MSG_H_ @}*/
diff --git a/src/libcharon/plugins/tnccs_20/messages/pb_reason_string_msg.c b/src/libcharon/plugins/tnccs_20/messages/pb_reason_string_msg.c
new file mode 100644
index 000000000..e361cf2b2
--- /dev/null
+++ b/src/libcharon/plugins/tnccs_20/messages/pb_reason_string_msg.c
@@ -0,0 +1,216 @@
+/*
+ * Copyright (C) 2010 Sansar Choinyambuu
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "pb_reason_string_msg.h"
+
+#include <tls_writer.h>
+#include <tls_reader.h>
+#include <debug.h>
+
+typedef struct private_pb_reason_string_msg_t private_pb_reason_string_msg_t;
+
+/**
+ *   PB-Language-Preference message (see section 4.11 of RFC 5793)
+ *
+ *      0                   1                   2                   3
+ *      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ *     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *     |                      Reason String Length                     |
+ *     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *     |                Reason String (Variable Length)                |
+ *     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *     | Lang Code Len | Reason String Language Code (Variable Length) |
+ *     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
+
+/**
+ * Private data of a pb_reason_string_msg_t object.
+ *
+ */
+struct private_pb_reason_string_msg_t {
+	/**
+	 * Public pb_reason_string_msg_t interface.
+	 */
+	pb_reason_string_msg_t public;
+
+	/**
+	 * PB-TNC message type
+	 */
+	pb_tnc_msg_type_t type;
+
+	/**
+	 * Reason string
+	 */
+	chunk_t reason_string;
+
+	/**
+	 * Language code
+	 */
+	chunk_t language_code;
+
+	/**
+	 * Encoded message
+	 */
+	chunk_t encoding;
+};
+
+METHOD(pb_tnc_msg_t, get_type, pb_tnc_msg_type_t,
+	private_pb_reason_string_msg_t *this)
+{
+	return this->type;
+}
+
+METHOD(pb_tnc_msg_t, get_encoding, chunk_t,
+	private_pb_reason_string_msg_t *this)
+{
+	return this->encoding;
+}
+
+METHOD(pb_tnc_msg_t, build, void,
+	private_pb_reason_string_msg_t *this)
+{
+	tls_writer_t *writer;
+
+	/* build message */
+	writer = tls_writer_create(64);
+	writer->write_data32(writer, this->reason_string);
+	writer->write_data8 (writer, this->language_code);
+
+	free(this->encoding.ptr);
+	this->encoding = writer->get_buf(writer);
+	this->encoding = chunk_clone(this->encoding);
+	writer->destroy(writer);
+}
+
+METHOD(pb_tnc_msg_t, process, status_t,
+	private_pb_reason_string_msg_t *this, u_int32_t *offset)
+{
+	tls_reader_t *reader;
+
+	/* process message */
+	reader = tls_reader_create(this->encoding);
+	if (!reader->read_data32(reader, &this->reason_string))
+	{
+		DBG1(DBG_TNC, "could not parse reason string");
+		reader->destroy(reader);
+		*offset = 0;
+		return FAILED;
+	};
+	this->reason_string = chunk_clone(this->reason_string);
+
+	if (this->reason_string.len &&
+		this->reason_string.ptr[this->reason_string.len-1] == '\0')
+	{
+		DBG1(DBG_TNC, "reason string must not be null terminated");
+		reader->destroy(reader);
+		*offset = 3 + this->reason_string.len;
+		return FAILED;
+	}
+
+	if (!reader->read_data8(reader, &this->language_code))
+	{
+		DBG1(DBG_TNC, "could not parse language code");
+		reader->destroy(reader);
+		*offset = 4 + this->reason_string.len;
+		return FAILED;
+	};
+	this->language_code = chunk_clone(this->language_code);
+	reader->destroy(reader);
+
+	if (this->language_code.len &&
+		this->language_code.ptr[this->language_code.len-1] == '\0')
+	{
+		DBG1(DBG_TNC, "language code must not be null terminated");
+		*offset = 4 + this->reason_string.len + this->language_code.len;
+		return FAILED;
+	}
+
+	return SUCCESS;
+}
+
+METHOD(pb_tnc_msg_t, destroy, void,
+	private_pb_reason_string_msg_t *this)
+{
+	free(this->encoding.ptr);
+	free(this->reason_string.ptr);
+	free(this->language_code.ptr);
+	free(this);
+}
+
+METHOD(pb_reason_string_msg_t, get_reason_string, chunk_t,
+	private_pb_reason_string_msg_t *this)
+{
+	return this->reason_string;
+}
+
+METHOD(pb_reason_string_msg_t, get_language_code, chunk_t,
+	private_pb_reason_string_msg_t *this)
+{
+	return this->language_code;
+}
+
+/**
+ * See header
+ */
+pb_tnc_msg_t *pb_reason_string_msg_create_from_data(chunk_t data)
+{
+	private_pb_reason_string_msg_t *this;
+
+	INIT(this,
+		.public = {
+			.pb_interface = {
+				.get_type = _get_type,
+				.get_encoding = _get_encoding,
+				.build = _build,
+				.process = _process,
+				.destroy = _destroy,
+			},
+			.get_reason_string = _get_reason_string,
+			.get_language_code = _get_language_code,
+		},
+		.type = PB_MSG_REASON_STRING,
+		.encoding = chunk_clone(data),
+	);
+
+	return &this->public.pb_interface;
+}
+
+/**
+ * See header
+ */
+pb_tnc_msg_t *pb_reason_string_msg_create(chunk_t reason_string,
+										  chunk_t language_code)
+{
+	private_pb_reason_string_msg_t *this;
+
+	INIT(this,
+		.public = {
+			.pb_interface = {
+				.get_type = _get_type,
+				.get_encoding = _get_encoding,
+				.build = _build,
+				.process = _process,
+				.destroy = _destroy,
+			},
+			.get_reason_string = _get_reason_string,
+			.get_language_code = _get_language_code,
+		},
+		.type = PB_MSG_REASON_STRING,
+		.reason_string = chunk_clone(reason_string),
+		.language_code = chunk_clone(language_code),
+	);
+
+	return &this->public.pb_interface;
+}
diff --git a/src/libcharon/plugins/tnccs_20/messages/pb_reason_string_msg.h b/src/libcharon/plugins/tnccs_20/messages/pb_reason_string_msg.h
new file mode 100644
index 000000000..bb296a90c
--- /dev/null
+++ b/src/libcharon/plugins/tnccs_20/messages/pb_reason_string_msg.h
@@ -0,0 +1,69 @@
+/*
+ * Copyright (C) 2010 Sansar Choinyambuu
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pb_reason_string_msg pb_reason_string_msg
+ * @{ @ingroup tnccs_20
+ */
+
+#ifndef PB_REASON_STRING_MSG_H_
+#define PB_REASON_STRING_MSG_H_
+
+typedef struct pb_reason_string_msg_t pb_reason_string_msg_t;
+
+#include "pb_tnc_msg.h"
+
+/**
+ * Class representing the PB-Reason-String message type.
+ */
+struct pb_reason_string_msg_t {
+
+	/**
+	 * PB-TNC Message interface
+	 */
+	pb_tnc_msg_t pb_interface;
+
+	/**
+	 * Get Reason String
+	 *
+	 * @return			Reason string
+	 */
+	chunk_t (*get_reason_string)(pb_reason_string_msg_t *this);
+
+	/**
+	 * Get Reason String Language Code
+	 *
+	 * @return			Language code
+	 */
+	chunk_t (*get_language_code)(pb_reason_string_msg_t *this);
+};
+
+/**
+ * Create a PB-Reason-String message from parameters
+ *
+ * @param reason_string		Reason string
+  * @param language_code	Language code
+ */
+pb_tnc_msg_t* pb_reason_string_msg_create(chunk_t reason_string,
+										  chunk_t language_code);
+
+/**
+ * Create an unprocessed PB-Reason-String message from raw data
+ *
+  * @param data		PB-Reason-String message data
+ */
+pb_tnc_msg_t* pb_reason_string_msg_create_from_data(chunk_t data);
+
+#endif /** PB_PA_MSG_H_ @}*/
diff --git a/src/libcharon/plugins/tnccs_20/messages/pb_remediation_parameters_msg.c b/src/libcharon/plugins/tnccs_20/messages/pb_remediation_parameters_msg.c
new file mode 100644
index 000000000..79381a7b1
--- /dev/null
+++ b/src/libcharon/plugins/tnccs_20/messages/pb_remediation_parameters_msg.c
@@ -0,0 +1,259 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "pb_remediation_parameters_msg.h"
+
+#include <tls_writer.h>
+#include <tls_reader.h>
+#include <debug.h>
+
+ENUM(pb_tnc_remed_param_type_names, PB_REMEDIATION_URI, PB_REMEDIATION_STRING,
+	"Remediation-URI",
+	"Remediation-String"
+);
+
+typedef struct private_pb_remediation_parameters_msg_t private_pb_remediation_parameters_msg_t;
+
+/**
+ *   PB-Remediation-Parameters message (see section 4.8 of RFC 5793)
+ *
+ *      0                   1                   2                   3
+ *      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ *     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *     |    Reserved   |       Remediation Parameters Vendor ID        |
+ *     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *     |                  Remediation Parameters Type                  |
+ *     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *     |            Remediation Parameters (Variable Length)           |
+ *     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *
+ *     0                   1                   2                   3
+ *     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ *     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *     |                   Remediation String Length                   |
+ *     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *     |                Remediation String (Variable Length)           |
+ *     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *     | Lang Code Len |  Remediation String Lang Code (Variable Len)  |
+ *     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
+
+/**
+ * Private data of a pb_remediation_parameters_msg_t object.
+ *
+ */
+struct private_pb_remediation_parameters_msg_t {
+	/**
+	 * Public pb_remediation_parameters_msg_t interface.
+	 */
+	pb_remediation_parameters_msg_t public;
+
+	/**
+	 * PB-TNC message type
+	 */
+	pb_tnc_msg_type_t type;
+
+	/**
+	 * Remediation Parameters Vendor ID
+	 */
+	u_int32_t vendor_id;
+
+	/**
+	 * Remediation Parameters Type
+	 */
+	u_int32_t parameters_type;
+
+	/**
+	 * Remediation Parameters string
+	 */
+	chunk_t remediation_string;
+
+	/**
+	 * Language code
+	 */
+	chunk_t language_code;
+
+	/**
+	 * Encoded message
+	 */
+	chunk_t encoding;
+};
+
+METHOD(pb_tnc_msg_t, get_type, pb_tnc_msg_type_t,
+	private_pb_remediation_parameters_msg_t *this)
+{
+	return this->type;
+}
+
+METHOD(pb_tnc_msg_t, get_encoding, chunk_t,
+	private_pb_remediation_parameters_msg_t *this)
+{
+	return this->encoding;
+}
+
+METHOD(pb_tnc_msg_t, build, void,
+	private_pb_remediation_parameters_msg_t *this)
+{
+	tls_writer_t *writer;
+
+	/* build message */
+	writer = tls_writer_create(64);
+	writer->write_uint32(writer, this->vendor_id);
+	writer->write_uint32(writer, this->parameters_type);
+	writer->write_data32(writer, this->remediation_string);
+	writer->write_data8 (writer, this->language_code);
+
+	free(this->encoding.ptr);
+	this->encoding = writer->get_buf(writer);
+	this->encoding = chunk_clone(this->encoding);
+	writer->destroy(writer);
+}
+
+METHOD(pb_tnc_msg_t, process, status_t,
+	private_pb_remediation_parameters_msg_t *this, u_int32_t *offset)
+{
+	tls_reader_t *reader;
+
+	/* process message */
+	reader = tls_reader_create(this->encoding);
+	reader->read_uint32(reader, &this->vendor_id);
+	reader->read_uint32(reader, &this->parameters_type);
+
+	if (!reader->read_data32(reader, &this->remediation_string))
+	{
+		DBG1(DBG_TNC, "could not parse remediation string");
+		reader->destroy(reader);
+		*offset = 8;
+		return FAILED;
+	};
+	this->remediation_string = chunk_clone(this->remediation_string);
+
+	if (this->remediation_string.len &&
+		this->remediation_string.ptr[this->remediation_string.len-1] == '\0')
+	{
+		DBG1(DBG_TNC, "remediation string must not be null terminated");
+		reader->destroy(reader);
+		*offset = 11 + this->remediation_string.len;
+		return FAILED;
+	}
+
+	if (!reader->read_data8(reader, &this->language_code))
+	{
+		DBG1(DBG_TNC, "could not parse language code");
+		reader->destroy(reader);
+		*offset = 12 + this->remediation_string.len;
+		return FAILED;
+	};
+	this->language_code = chunk_clone(this->language_code);
+	reader->destroy(reader);
+
+	if (this->language_code.len &&
+		this->language_code.ptr[this->language_code.len-1] == '\0')
+	{
+		DBG1(DBG_TNC, "language code must not be null terminated");
+		*offset = 12 + this->remediation_string.len + this->language_code.len;
+		return FAILED;
+	}
+
+	return SUCCESS;
+}
+
+METHOD(pb_tnc_msg_t, destroy, void,
+	private_pb_remediation_parameters_msg_t *this)
+{
+	free(this->encoding.ptr);
+	free(this->remediation_string.ptr);
+	free(this->language_code.ptr);
+	free(this);
+}
+
+METHOD(pb_remediation_parameters_msg_t, get_vendor_id, u_int32_t,
+	private_pb_remediation_parameters_msg_t *this, u_int32_t *type)
+{
+	*type = this->parameters_type;
+	return this->vendor_id;
+}
+
+METHOD(pb_remediation_parameters_msg_t, get_remediation_string, chunk_t,
+	private_pb_remediation_parameters_msg_t *this)
+{
+	return this->remediation_string;
+}
+
+METHOD(pb_remediation_parameters_msg_t, get_language_code, chunk_t,
+	private_pb_remediation_parameters_msg_t *this)
+{
+	return this->language_code;
+}
+
+/**
+ * See header
+ */
+pb_tnc_msg_t *pb_remediation_parameters_msg_create_from_data(chunk_t data)
+{
+	private_pb_remediation_parameters_msg_t *this;
+
+	INIT(this,
+		.public = {
+			.pb_interface = {
+				.get_type = _get_type,
+				.get_encoding = _get_encoding,
+				.build = _build,
+				.process = _process,
+				.destroy = _destroy,
+			},
+			.get_vendor_id = _get_vendor_id,
+			.get_remediation_string = _get_remediation_string,
+			.get_language_code = _get_language_code,
+		},
+		.type = PB_MSG_REASON_STRING,
+		.encoding = chunk_clone(data),
+	);
+
+	return &this->public.pb_interface;
+}
+
+/**
+ * See header
+ */
+pb_tnc_msg_t* pb_remediation_parameters_msg_create(u_int32_t vendor_id,
+												   u_int32_t type,
+												   chunk_t remediation_string,
+												   chunk_t language_code)
+{
+	private_pb_remediation_parameters_msg_t *this;
+
+	INIT(this,
+		.public = {
+			.pb_interface = {
+				.get_type = _get_type,
+				.get_encoding = _get_encoding,
+				.build = _build,
+				.process = _process,
+				.destroy = _destroy,
+			},
+			.get_vendor_id = _get_vendor_id,
+			.get_remediation_string = _get_remediation_string,
+			.get_language_code = _get_language_code,
+		},
+		.type = PB_MSG_REASON_STRING,
+		.vendor_id = vendor_id,
+		.parameters_type = type,
+		.remediation_string = chunk_clone(remediation_string),
+		.language_code = chunk_clone(language_code),
+	);
+
+	return &this->public.pb_interface;
+}
diff --git a/src/libcharon/plugins/tnccs_20/messages/pb_remediation_parameters_msg.h b/src/libcharon/plugins/tnccs_20/messages/pb_remediation_parameters_msg.h
new file mode 100644
index 000000000..258d495ec
--- /dev/null
+++ b/src/libcharon/plugins/tnccs_20/messages/pb_remediation_parameters_msg.h
@@ -0,0 +1,96 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pb_remediation_parameters_msg pb_remediation_parameters_msg
+ * @{ @ingroup tnccs_20
+ */
+
+#ifndef PB_REMEDIATION_PARAMETERS_MSG_H_
+#define PB_REMEDIATION_PARAMETERS_MSG_H_
+
+typedef enum pb_tnc_remed_param_type_t pb_tnc_remed_param_type_t;
+typedef struct pb_remediation_parameters_msg_t pb_remediation_parameters_msg_t;
+
+#include "pb_tnc_msg.h"
+
+/**
+ * PB-TNC Remediation Parameter Types as defined in section 4.8.1 of RFC 5793
+ */
+enum pb_tnc_remed_param_type_t {
+	PB_REMEDIATION_URI =			1,
+	PB_REMEDIATION_STRING =			2,
+};
+
+/**
+ * enum name for pb_tnc_remed_param_type_t.
+ */
+extern enum_name_t *pb_tnc_remed_param_type_names;
+
+/**
+ * Class representing the PB-Remediation-Parameters message type.
+ */
+struct pb_remediation_parameters_msg_t {
+
+	/**
+	 * PB-TNC Message interface
+	 */
+	pb_tnc_msg_t pb_interface;
+
+	/**
+	 * Get Remediation Parameters Vendor ID and Type
+	 *
+	 * @param type				Remediation Parameters Type
+	 * @return					Remediation Parameters Vendor ID
+	 */
+	u_int32_t (*get_vendor_id)(pb_remediation_parameters_msg_t *this,
+							   u_int32_t *type);
+
+	/**
+	 * Get Remediation String
+	 *
+	 * @return					Remediation String
+	 */
+	chunk_t (*get_remediation_string)(pb_remediation_parameters_msg_t *this);
+
+	/**
+	 * Get Reason String Language Code
+	 *
+	 * @return					Language Code
+	 */
+	chunk_t (*get_language_code)(pb_remediation_parameters_msg_t *this);
+};
+
+/**
+ * Create a PB-Remediation-Parameters message from parameters
+ *
+ * @param vendor_id				Remediation Parameters Vendor ID
+ * @param type					Remediation Parameters Type		
+ * @param remediation_string	Remediation String
+ * @param language_code			Language Code
+ */
+pb_tnc_msg_t* pb_remediation_parameters_msg_create(u_int32_t vendor_id,
+												   u_int32_t type,
+												   chunk_t remediation_string,
+												   chunk_t language_code);
+
+/**
+ * Create an unprocessed PB-Remediation-Parameters message from raw data
+ *
+  * @param data		PB-Remediation-Parameters message data
+ */
+pb_tnc_msg_t* pb_remediation_parameters_msg_create_from_data(chunk_t data);
+
+#endif /** PB_PA_MSG_H_ @}*/
diff --git a/src/libcharon/plugins/tnccs_20/messages/pb_tnc_msg.c b/src/libcharon/plugins/tnccs_20/messages/pb_tnc_msg.c
new file mode 100644
index 000000000..3565c2d84
--- /dev/null
+++ b/src/libcharon/plugins/tnccs_20/messages/pb_tnc_msg.c
@@ -0,0 +1,75 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "pb_tnc_msg.h"
+#include "pb_experimental_msg.h"
+#include "pb_pa_msg.h"
+#include "pb_error_msg.h"
+#include "pb_language_preference_msg.h"
+#include "pb_assessment_result_msg.h"
+#include "pb_access_recommendation_msg.h"
+#include "pb_remediation_parameters_msg.h"
+#include "pb_reason_string_msg.h"
+
+#include <library.h>
+
+ENUM(pb_tnc_msg_type_names, PB_MSG_EXPERIMENTAL, PB_MSG_REASON_STRING,
+	"PB-Experimental",
+	"PB-PA",
+	"PB-Assessment-Result",
+	"PB-Access-Recommendation",
+	"PB-Remediation-Parameters",
+	"PB-Error",
+	"PB-Language-Preference",
+	"PB-Reason-String"
+);
+
+pb_tnc_msg_info_t pb_tnc_msg_infos[] = {
+	{ 12, FALSE, FALSE, TRUE_OR_FALSE },
+	{ 24, FALSE, FALSE, TRUE  },
+	{ 16, TRUE,  TRUE,  TRUE  },
+	{ 16, TRUE,  TRUE,  FALSE },
+	{ 20, FALSE, TRUE,  FALSE },
+	{ 20, FALSE, FALSE, TRUE  },
+	{ 12, FALSE, FALSE, FALSE },
+	{ 17, FALSE, TRUE,  FALSE },
+};
+
+/**
+ * See header
+ */
+pb_tnc_msg_t* pb_tnc_msg_create_from_data(pb_tnc_msg_type_t type, chunk_t value)
+{
+	switch (type)
+	{
+		case PB_MSG_PA:
+			return pb_pa_msg_create_from_data(value);
+		case PB_MSG_ERROR:
+			return pb_error_msg_create_from_data(value);
+		case PB_MSG_EXPERIMENTAL:
+			return pb_experimental_msg_create_from_data(value);
+		case PB_MSG_LANGUAGE_PREFERENCE:
+			return pb_language_preference_msg_create_from_data(value);
+		case PB_MSG_ASSESSMENT_RESULT:
+			return pb_assessment_result_msg_create_from_data(value);
+		case PB_MSG_ACCESS_RECOMMENDATION:
+			return pb_access_recommendation_msg_create_from_data(value);
+		case PB_MSG_REMEDIATION_PARAMETERS:
+			return pb_remediation_parameters_msg_create_from_data(value);
+		case PB_MSG_REASON_STRING:
+			return pb_reason_string_msg_create_from_data(value);
+	}
+	return NULL;
+}
diff --git a/src/libcharon/plugins/tnccs_20/messages/pb_tnc_msg.h b/src/libcharon/plugins/tnccs_20/messages/pb_tnc_msg.h
new file mode 100644
index 000000000..e20c8d8ff
--- /dev/null
+++ b/src/libcharon/plugins/tnccs_20/messages/pb_tnc_msg.h
@@ -0,0 +1,128 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pb_tnc_msg pb_tnc_msg
+ * @{ @ingroup tnccs_20
+ */
+
+#ifndef PB_TNC_MSG_H_
+#define PB_TNC_MSG_H_
+
+typedef enum pb_tnc_msg_type_t pb_tnc_msg_type_t;
+typedef struct pb_tnc_msg_info_t pb_tnc_msg_info_t;
+typedef struct pb_tnc_msg_t pb_tnc_msg_t;
+
+#include <library.h>
+
+#define PB_TNC_VERSION		2
+
+/**
+ * PB-TNC Message Types as defined in section 4.3 of RFC 5793
+ */
+enum pb_tnc_msg_type_t {
+	PB_MSG_EXPERIMENTAL =				0,
+	PB_MSG_PA =							1,
+	PB_MSG_ASSESSMENT_RESULT =			2,
+	PB_MSG_ACCESS_RECOMMENDATION =		3,
+	PB_MSG_REMEDIATION_PARAMETERS =		4,
+	PB_MSG_ERROR =						5,
+	PB_MSG_LANGUAGE_PREFERENCE =		6,
+	PB_MSG_REASON_STRING =				7,
+	PB_MSG_ROOF =						7
+};
+
+/**
+ * enum name for pb_tnc_msg_type_t.
+ */
+extern enum_name_t *pb_tnc_msg_type_names;
+
+/**
+ * Information entry describing a PB-TNC Message Type
+ */
+struct pb_tnc_msg_info_t {
+	u_int32_t min_size;
+	bool exact_size;
+	bool in_result_batch;
+	bool has_noskip_flag;
+};
+
+#define	TRUE_OR_FALSE	2
+
+/**
+ * Information on PB-TNC Message Types
+ */
+extern pb_tnc_msg_info_t pb_tnc_msg_infos[];
+
+/**
+ * Generic interface for all PB-TNC message types.
+ *
+ * To handle all messages in a generic way, this interface
+ * must be implemented by each message type.
+ */
+struct pb_tnc_msg_t {
+
+	/**
+	 * Get the PB-TNC Message Type
+	 *
+	 * @return					 PB-TNC Message Type
+	 */
+	pb_tnc_msg_type_t (*get_type)(pb_tnc_msg_t *this);
+
+	/**
+	 * Get the encoding of the PB-TNC Message Value
+	 *
+	 * @return					encoded PB-TNC Message Value
+	 */
+	chunk_t (*get_encoding)(pb_tnc_msg_t *this);
+
+	/**
+	 * Build the PB-TNC Message Value
+	 */
+	void (*build)(pb_tnc_msg_t *this);
+
+	/**
+	 * Process the PB-TNC Message Value
+	 *
+	 * @param					relative offset where an error occurred
+	 * @return					return processing status
+	 */
+	status_t (*process)(pb_tnc_msg_t *this, u_int32_t *offset);
+
+	/**
+	 * Get a new reference to the message.
+	 *
+	 * @return			this, with an increased refcount
+	 */
+	pb_tnc_msg_t* (*get_ref)(pb_tnc_msg_t *this);
+
+	/**
+	 * Destroys a pb_tnc_msg_t object.
+	 */
+	void (*destroy)(pb_tnc_msg_t *this);
+};
+
+/**
+ * Create an unprocessed PB-TNC message
+ *
+ * Useful for the parser which wants a generic constructor for all
+ * pb_tnc_message_t types.
+ *
+ * @param type		PB-TNC message type
+ * @param value		PB-TNC message value
+ */
+pb_tnc_msg_t* pb_tnc_msg_create_from_data(pb_tnc_msg_type_t type, chunk_t value);
+
+#endif /** PB_TNC_MSG_H_ @}*/
diff --git a/src/libcharon/plugins/tnccs_20/state_machine/pb_tnc_state_machine.c b/src/libcharon/plugins/tnccs_20/state_machine/pb_tnc_state_machine.c
new file mode 100644
index 000000000..a46dc0ab9
--- /dev/null
+++ b/src/libcharon/plugins/tnccs_20/state_machine/pb_tnc_state_machine.c
@@ -0,0 +1,287 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "pb_tnc_state_machine.h"
+
+#include <debug.h>
+
+ENUM(pb_tnc_state_names, PB_STATE_INIT, PB_STATE_END,
+	"Init",
+	"Server Working",
+	"Client Working",
+	"Decided",
+	"End"
+);
+
+/**
+ *   PB-TNC State Machine (see section 3.2 of RFC 5793)
+ *
+ *              Receive CRETRY        SRETRY
+ *                   or SRETRY   +----------------+
+ *                        +--+   |                |
+ *                        v  |   v                |
+ *                       +---------+  CRETRY  +---------+
+ *             CDATA     | Server  |<---------| Decided | CLOSE
+ *          +----------->| Working |--------->|         |-------+
+ *          |            +---------+  RESULT  +---------+       |
+ *          |                ^ |  |                             v
+ *          |                | |  +---------------------->=======
+ *        ========           | |              CLOSE       " End "
+ *        " Init "      CDATA| |SDATA                     =======
+ *        ========           | |                          ^    ^
+ *          |  |             | v                          |    |
+ *          |  | SDATA   +---------+          CLOSE       |    |
+ *          |  +-------->| Client  |----------------------+    |
+ *          |            | Working |                           |
+ *          |            +---------+                           |
+ *          |                |  ^                              |
+ *          |                +--+                              |
+ *          |            Receive CRETRY                        |
+ *          |   CLOSE                                          |
+ *          +--------------------------------------------------+
+ */
+
+typedef struct private_pb_tnc_state_machine_t private_pb_tnc_state_machine_t;
+
+/**
+ * Private data of a pb_tnc_state_machine_t object.
+ *
+ */
+struct private_pb_tnc_state_machine_t {
+	/**
+	 * Public pb_pa_message_t interface.
+	 */
+	pb_tnc_state_machine_t public;
+
+	/**
+	 * PB-TNC Server if TRUE, PB-TNC Client if FALSE
+	 */
+	bool is_server;
+
+	/**
+	 * Current PB-TNC state
+	 */
+	pb_tnc_state_t state;
+};
+
+METHOD(pb_tnc_state_machine_t, get_state, pb_tnc_state_t,
+	private_pb_tnc_state_machine_t *this)
+{
+	return this->state;
+}
+
+METHOD(pb_tnc_state_machine_t, receive_batch, bool,
+	private_pb_tnc_state_machine_t *this, pb_tnc_batch_type_t type)
+{
+	pb_tnc_state_t old_state = this->state;
+
+	switch (this->state)
+	{
+		case PB_STATE_INIT:
+			if (this->is_server && type == PB_BATCH_CDATA)
+			{
+				this->state = PB_STATE_SERVER_WORKING;
+				break;
+			}
+			if (!this->is_server && type == PB_BATCH_SDATA)
+			{
+				this->state = PB_STATE_CLIENT_WORKING;
+				break;
+			}
+			if (type == PB_BATCH_CLOSE)
+			{
+				this->state = PB_STATE_END;
+				break;
+			}
+			return FALSE;
+		case PB_STATE_SERVER_WORKING:
+			if (!this->is_server && type == PB_BATCH_SDATA)
+			{
+				this->state = PB_STATE_CLIENT_WORKING;
+				break;
+			}
+			if (!this->is_server && type == PB_BATCH_RESULT)
+			{
+				this->state = PB_STATE_DECIDED;
+				break;
+			}
+			if ((this->is_server && type == PB_BATCH_CRETRY) ||
+			   (!this->is_server && type == PB_BATCH_SRETRY))
+			{
+				break;
+			}
+			if (type == PB_BATCH_CLOSE)
+			{
+				this->state = PB_STATE_END;
+				break;
+			}
+			return FALSE;
+		case PB_STATE_CLIENT_WORKING:
+			if (this->is_server && type == PB_BATCH_CDATA)
+			{
+				this->state = PB_STATE_SERVER_WORKING;
+				break;
+			}
+			if (this->is_server && type == PB_BATCH_CRETRY)
+			{
+				break;
+			}
+			if (type == PB_BATCH_CLOSE)
+			{
+				this->state = PB_STATE_END;
+				break;
+			}
+			return FALSE;
+		case PB_STATE_DECIDED:
+			if ((this->is_server && type == PB_BATCH_CRETRY) ||
+			   (!this->is_server && type == PB_BATCH_SRETRY))
+			{
+				this->state = PB_STATE_SERVER_WORKING;
+				break;
+			}
+			if (type == PB_BATCH_CLOSE)
+			{
+				this->state = PB_STATE_END;
+				break;
+			}
+			return FALSE;
+		case PB_STATE_END:
+			if (type == PB_BATCH_CLOSE)
+			{
+				break;
+			}
+			return FALSE;
+	}
+
+	if (this->state != old_state)
+	{
+		DBG2(DBG_TNC, "PB-TNC state transition from '%N' to '%N'",
+			 pb_tnc_state_names, old_state, pb_tnc_state_names, this->state);
+	}
+	return TRUE;
+}
+
+METHOD(pb_tnc_state_machine_t, send_batch, bool,
+	private_pb_tnc_state_machine_t *this, pb_tnc_batch_type_t type)
+{
+	pb_tnc_state_t old_state = this->state;
+
+	switch (this->state)
+	{
+		case PB_STATE_INIT:
+			if (!this->is_server && type == PB_BATCH_CDATA)
+			{
+				this->state = PB_STATE_SERVER_WORKING;
+				break;
+			}
+			if (this->is_server && type == PB_BATCH_SDATA)
+			{
+				this->state = PB_STATE_CLIENT_WORKING;
+				break;
+			}
+			if (type == PB_BATCH_CLOSE)
+			{
+				this->state = PB_STATE_END;
+				break;
+			}
+			return FALSE;
+		case PB_STATE_SERVER_WORKING:
+			if (this->is_server && type == PB_BATCH_SDATA)
+			{
+				this->state = PB_STATE_CLIENT_WORKING;
+				break;
+			}
+			if (this->is_server && type == PB_BATCH_RESULT)
+			{
+				this->state = PB_STATE_DECIDED;
+				break;
+			}
+			if (this->is_server && type == PB_BATCH_SRETRY)
+			{
+				break;
+			}
+			if (type == PB_BATCH_CLOSE)
+			{
+				this->state = PB_STATE_END;
+				break;
+			}
+			return FALSE;
+		case PB_STATE_CLIENT_WORKING:
+			if (!this->is_server && type == PB_BATCH_CDATA)
+			{
+				this->state = PB_STATE_SERVER_WORKING;
+				break;
+			}
+			if (type == PB_BATCH_CLOSE)
+			{
+				this->state = PB_STATE_END;
+				break;
+			}
+			return FALSE;
+		case PB_STATE_DECIDED:
+			if ((this->is_server && type == PB_BATCH_SRETRY) ||
+			   (!this->is_server && type == PB_BATCH_CRETRY))
+			{
+				this->state = PB_STATE_SERVER_WORKING;
+				break;
+			}
+			if (type == PB_BATCH_CLOSE)
+			{
+				this->state = PB_STATE_END;
+				break;
+			}
+			return FALSE;
+		case PB_STATE_END:
+			if (type == PB_BATCH_CLOSE)
+			{
+				break;
+			}
+			return FALSE;
+	}
+
+	if (this->state != old_state)
+	{
+		DBG2(DBG_TNC, "PB-TNC state transition from '%N' to '%N'",
+			 pb_tnc_state_names, old_state, pb_tnc_state_names, this->state);
+	}
+	return TRUE;
+}
+
+METHOD(pb_tnc_state_machine_t, destroy, void,
+	private_pb_tnc_state_machine_t *this)
+{
+	free(this);
+}
+
+/**
+ * See header
+ */
+pb_tnc_state_machine_t* pb_tnc_state_machine_create(bool is_server)
+{
+	private_pb_tnc_state_machine_t *this;
+
+	INIT(this,
+		.public = {
+			.get_state = _get_state,
+			.receive_batch = _receive_batch,
+			.send_batch = _send_batch,
+			.destroy = _destroy,
+		},
+		.is_server = is_server,
+		.state = PB_STATE_INIT,
+	);
+
+	return &this->public;
+}
diff --git a/src/libcharon/plugins/tnccs_20/state_machine/pb_tnc_state_machine.h b/src/libcharon/plugins/tnccs_20/state_machine/pb_tnc_state_machine.h
new file mode 100644
index 000000000..8076b6ded
--- /dev/null
+++ b/src/libcharon/plugins/tnccs_20/state_machine/pb_tnc_state_machine.h
@@ -0,0 +1,88 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pb_tnc_state_machine pb_tnc_state_machine
+ * @{ @ingroup tnccs_20
+ */
+
+#ifndef PB_TNC_STATE_MACHINE_H_
+#define PB_TNC_STATE_MACHINE_H_
+
+typedef struct pb_tnc_state_machine_t pb_tnc_state_machine_t;
+typedef enum pb_tnc_state_t pb_tnc_state_t;
+
+#include "batch/pb_tnc_batch.h"
+
+#include <library.h>
+
+/**
+ * PB-TNC States (state machine) as defined in section 3.2 of RFC 5793
+ */
+enum pb_tnc_state_t {
+	PB_STATE_INIT,
+	PB_STATE_SERVER_WORKING,
+	PB_STATE_CLIENT_WORKING,
+	PB_STATE_DECIDED,
+	PB_STATE_END,
+};
+
+/**
+ * enum name for pb_tnc_state_t.
+ */
+extern enum_name_t *pb_tnc_state_names;
+
+/**
+ * Interface for the PB-TNC state machine.
+ */
+struct pb_tnc_state_machine_t {
+
+	/**
+	 * Get the current PB-TNC STATE
+	 *
+	 * @return				current state
+	 */
+	pb_tnc_state_t (*get_state)(pb_tnc_state_machine_t *this);
+
+	/**
+	 * Compute state transition due to received PB-TNC Batch
+	 *
+	 * @param type			type of received batch
+	 * @result				TRUE if a valid transition was found, FALSE otherwise
+	 */
+	bool (*receive_batch)(pb_tnc_state_machine_t *this, pb_tnc_batch_type_t type);
+
+	/**
+	 * Compute state transition due to sent PB-TNC Batch
+	 *
+	 * @param type			type of sent batch
+	 * @result				TRUE if a valid transition was found, FALSE otherwise
+	 */
+	bool (*send_batch)(pb_tnc_state_machine_t *this, pb_tnc_batch_type_t type);
+
+	/**
+	 * Destroys a pb_tnc_state_machine_t object.
+	 */
+	void (*destroy)(pb_tnc_state_machine_t *this);
+};
+
+/**
+ * Create and initialize a PB-TNC state machine
+ *
+ * @param is_server		TRUE if PB-TNC server, FALSE if PB-TNC client
+ */
+pb_tnc_state_machine_t* pb_tnc_state_machine_create(bool is_server);
+
+#endif /** PB_TNC_STATE_MACHINE_H_ @}*/
diff --git a/src/libcharon/plugins/tnccs_20/tnccs_20.c b/src/libcharon/plugins/tnccs_20/tnccs_20.c
index 2bd1bc476..d53fd8eb7 100644
--- a/src/libcharon/plugins/tnccs_20/tnccs_20.c
+++ b/src/libcharon/plugins/tnccs_20/tnccs_20.c
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2010 Sansar Choinyanbuu
  * Copyright (C) 2010 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
@@ -14,10 +15,23 @@
  */
 
 #include "tnccs_20.h"
+#include "batch/pb_tnc_batch.h"
+#include "messages/pb_tnc_msg.h"
+#include "messages/pb_pa_msg.h"
+#include "messages/pb_error_msg.h"
+#include "messages/pb_assessment_result_msg.h"
+#include "messages/pb_access_recommendation_msg.h"
+#include "messages/pb_remediation_parameters_msg.h"
+#include "messages/pb_reason_string_msg.h"
+#include "messages/pb_language_preference_msg.h"
+#include "state_machine/pb_tnc_state_machine.h"
 
 #include <debug.h>
-
-static chunk_t tncc_output;
+#include <daemon.h>
+#include <threading/mutex.h>
+#include <tnc/tncif.h>
+#include <tnc/tncifimv.h>
+#include <tnc/tnccs/tnccs.h>
 
 typedef struct private_tnccs_20_t private_tnccs_20_t;
 
@@ -35,18 +49,541 @@ struct private_tnccs_20_t {
 	 * TNCC if TRUE, TNCS if FALSE
 	 */
 	bool is_server;
+
+	/**
+	 * PB-TNC State Machine
+	 */
+	pb_tnc_state_machine_t *state_machine;
+
+	/**
+	 * Connection ID assigned to this TNCCS connection
+	 */
+	TNC_ConnectionID connection_id;
+
+	/**
+	 * PB-TNC batch being constructed
+	 */
+	pb_tnc_batch_t *batch;
+
+	/**
+	 * Mutex locking the batch in construction
+	 */
+	mutex_t *mutex;
+
+	/**
+	 * Flag set while processing
+	 */
+	bool fatal_error;
+
+	/**
+	 * Flag set by IMC/IMV RequestHandshakeRetry() function
+	 */
+	bool request_handshake_retry;
+
+	/**
+	 * Set of IMV recommendations  (TNC Server only)
+	 */
+	recommendations_t *recs;
 };
 
+METHOD(tnccs_t, send_msg, void,
+	private_tnccs_20_t* this, TNC_IMCID imc_id, TNC_IMVID imv_id,
+							  TNC_BufferReference msg,
+							  TNC_UInt32 msg_len,
+							  TNC_MessageType msg_type)
+{
+	TNC_MessageSubtype msg_sub_type;
+	TNC_VendorID msg_vendor_id;
+	pb_tnc_msg_t *pb_tnc_msg;
+	pb_tnc_batch_type_t batch_type;
+
+	msg_sub_type =   msg_type       & TNC_SUBTYPE_ANY;
+	msg_vendor_id = (msg_type >> 8) & TNC_VENDORID_ANY;
+
+	pb_tnc_msg = pb_pa_msg_create(msg_vendor_id, msg_sub_type, imc_id, imv_id,
+									  chunk_create(msg, msg_len));
+
+	/* adding PA message to SDATA or CDATA batch only */
+	batch_type = this->is_server ? PB_BATCH_SDATA : PB_BATCH_CDATA;
+	this->mutex->lock(this->mutex);
+	if (!this->batch)
+	{
+		this->batch = pb_tnc_batch_create(this->is_server, batch_type);
+	}
+	if (this->batch->get_type(this->batch) == batch_type)
+	{
+		this->batch->add_msg(this->batch, pb_tnc_msg);
+	}
+	else
+	{
+		pb_tnc_msg->destroy(pb_tnc_msg);
+	}
+	this->mutex->unlock(this->mutex);
+}
+
+/**
+ * Handle a single PB-TNC message according to its type
+ */
+static void handle_message(private_tnccs_20_t *this, pb_tnc_msg_t *msg)
+{
+	switch (msg->get_type(msg))
+	{
+		case PB_MSG_EXPERIMENTAL:
+			/* nothing to do */
+			break;
+		case PB_MSG_PA:
+		{
+			pb_pa_msg_t *pa_msg;
+			TNC_MessageType msg_type;
+			u_int32_t vendor_id, subtype;
+			chunk_t msg_body;
+
+			pa_msg = (pb_pa_msg_t*)msg;
+			vendor_id = pa_msg->get_vendor_id(pa_msg, &subtype);
+			msg_type = (vendor_id << 8) | (subtype & 0xff);
+			msg_body = pa_msg->get_body(pa_msg);
+
+			DBG2(DBG_TNC, "handling PB-PA message type 0x%08x", msg_type);
+
+			if (this->is_server)
+			{
+				charon->imvs->receive_message(charon->imvs,
+				this->connection_id, msg_body.ptr, msg_body.len, msg_type);
+			}
+			else
+			{
+				charon->imcs->receive_message(charon->imcs,
+				this->connection_id, msg_body.ptr, msg_body.len,msg_type);
+			}
+			break;
+		}
+		case PB_MSG_ASSESSMENT_RESULT:
+		{
+			pb_assessment_result_msg_t *assess_msg;
+			u_int32_t result;
+
+			assess_msg = (pb_assessment_result_msg_t*)msg;
+			result = assess_msg->get_assessment_result(assess_msg);
+			DBG1(DBG_TNC, "PB-TNC assessment result is '%N'",
+				 TNC_IMV_Evaluation_Result_names, result);
+			break;
+		}
+		case PB_MSG_ACCESS_RECOMMENDATION:
+		{
+			pb_access_recommendation_msg_t *rec_msg;
+			pb_access_recommendation_code_t rec;
+			TNC_ConnectionState state = TNC_CONNECTION_STATE_ACCESS_NONE;
+
+			rec_msg = (pb_access_recommendation_msg_t*)msg;
+			rec = rec_msg->get_access_recommendation(rec_msg);
+			DBG1(DBG_TNC, "PB-TNC access recommendation is '%N'",
+						   pb_access_recommendation_code_names, rec);
+			switch (rec)
+			{
+				case PB_REC_ACCESS_ALLOWED:
+					state = TNC_CONNECTION_STATE_ACCESS_ALLOWED;
+					break;
+				case PB_REC_ACCESS_DENIED:
+					state = TNC_CONNECTION_STATE_ACCESS_NONE;
+					break;
+				case PB_REC_QUARANTINED:
+					state = TNC_CONNECTION_STATE_ACCESS_ISOLATED;
+			}
+			charon->imcs->notify_connection_change(charon->imcs,
+												   this->connection_id, state);
+			break;
+		}
+		case PB_MSG_REMEDIATION_PARAMETERS:
+		{
+			/* TODO : Remediation parameters message processing */
+			break;
+		}
+		case PB_MSG_ERROR:
+		{
+			pb_error_msg_t *err_msg;
+			bool fatal;
+			u_int32_t vendor_id;
+			u_int16_t error_code;
+
+			err_msg = (pb_error_msg_t*)msg;
+			fatal = err_msg->get_fatal_flag(err_msg);
+			vendor_id = err_msg->get_vendor_id(err_msg);
+			error_code = err_msg->get_error_code(err_msg);
+
+			if (fatal)
+			{
+				this->fatal_error = TRUE;
+			}
+
+			if (vendor_id == IETF_VENDOR_ID)
+			{
+				switch (error_code)
+				{
+					case PB_ERROR_INVALID_PARAMETER:
+					case PB_ERROR_UNSUPPORTED_MANDATORY_MSG:
+						DBG1(DBG_TNC, "received %s PB-TNC error '%N' "
+									  "(offset %u bytes)",
+									  fatal ? "fatal" : "non-fatal",
+									  pb_tnc_error_code_names, error_code,
+									  err_msg->get_offset(err_msg));
+						break;
+					case PB_ERROR_VERSION_NOT_SUPPORTED:
+						DBG1(DBG_TNC, "received %s PB-TNC error '%N' "
+									  "caused by bad version 0x%02x",
+									  fatal ? "fatal" : "non-fatal",
+									  pb_tnc_error_code_names, error_code,
+									  err_msg->get_bad_version(err_msg));
+						break;
+					case PB_ERROR_UNEXPECTED_BATCH_TYPE:
+					case PB_ERROR_LOCAL_ERROR:
+					default:
+						DBG1(DBG_TNC, "received %s PB-TNC error '%N'",
+									  fatal ? "fatal" : "non-fatal",
+									  pb_tnc_error_code_names, error_code);
+						break;
+				}
+			}
+			else
+			{
+				DBG1(DBG_TNC, "received %s PB-TNC error (%u) "
+							  "with Vendor ID 0x%06x",
+							  fatal ? "fatal" : "non-fatal",
+							  error_code, vendor_id);
+			}
+			break;
+		}
+		case PB_MSG_LANGUAGE_PREFERENCE:
+		{
+			pb_language_preference_msg_t *lang_msg;
+			chunk_t lang;
+
+			lang_msg = (pb_language_preference_msg_t*)msg;
+			lang = lang_msg->get_language_preference(lang_msg);
+
+			DBG2(DBG_TNC, "setting language preference to '%.*s'",
+						   lang.len, lang.ptr);
+			this->recs->set_preferred_language(this->recs, lang);
+			break;
+		}
+		case PB_MSG_REASON_STRING:
+		{
+			pb_reason_string_msg_t *reason_msg;
+			chunk_t reason_string, language_code;
+
+			reason_msg = (pb_reason_string_msg_t*)msg;
+			reason_string = reason_msg->get_reason_string(reason_msg);
+			language_code = reason_msg->get_language_code(reason_msg);
+			DBG2(DBG_TNC, "reason string is '%.*s", reason_string.len,
+													reason_string.ptr);
+			DBG2(DBG_TNC, "language code is '%.*s", language_code.len,
+													language_code.ptr);
+			break;
+		}
+		default:
+			break;
+	}
+}
+
+/**
+ *  Build a CRETRY or SRETRY batch
+ */
+static void build_retry_batch(private_tnccs_20_t *this)
+{
+	if (this->batch)
+	{
+		DBG1(DBG_TNC, "cancelling PB-TNC %N batch",
+			pb_tnc_batch_type_names, this->batch->get_type(this->batch));
+		this->batch->destroy(this->batch);
+	 }
+	this->batch = pb_tnc_batch_create(this->is_server,
+						this->is_server ? PB_BATCH_SRETRY : PB_BATCH_CRETRY);
+}
+
 METHOD(tls_t, process, status_t,
 	private_tnccs_20_t *this, void *buf, size_t buflen)
 {
+	chunk_t data;
+	pb_tnc_batch_t *batch;
+	pb_tnc_msg_t *msg;
+	enumerator_t *enumerator;
+	status_t status;
+
+	if (this->is_server && !this->connection_id)
+	{
+		this->connection_id = charon->tnccs->create_connection(charon->tnccs,
+								(tnccs_t*)this,	_send_msg,
+								&this->request_handshake_retry, &this->recs);
+		if (!this->connection_id)
+		{
+			return FAILED;
+		}
+		charon->imvs->notify_connection_change(charon->imvs,
+							this->connection_id, TNC_CONNECTION_STATE_CREATE);
+	}
+
+	data = chunk_create(buf, buflen);
+	DBG1(DBG_TNC, "received TNCCS batch (%u bytes) for Connection ID %u",
+				   data.len, this->connection_id);
+	DBG3(DBG_TNC, "%B", &data);
+	batch = pb_tnc_batch_create_from_data(this->is_server, data);
+	status = batch->process(batch, this->state_machine);
+
+	if (status != FAILED)
+	{
+		enumerator_t *enumerator;
+		pb_tnc_msg_t *msg;
+		pb_tnc_batch_type_t batch_type;
+		bool empty = TRUE;
+
+		batch_type = batch->get_type(batch);
+
+		if (batch_type == PB_BATCH_CRETRY)
+		{
+			/* Send an SRETRY batch in response */
+			this->mutex->lock(this->mutex);
+			build_retry_batch(this);
+			this->mutex->unlock(this->mutex);
+		}
+		else if (batch_type == PB_BATCH_SRETRY)
+		{
+			/* Restart the measurements */
+			charon->imcs->notify_connection_change(charon->imcs,
+			this->connection_id, TNC_CONNECTION_STATE_HANDSHAKE);
+			charon->imcs->begin_handshake(charon->imcs, this->connection_id);
+		}
+
+		enumerator = batch->create_msg_enumerator(batch);
+		while (enumerator->enumerate(enumerator, &msg))
+		{
+			handle_message(this, msg);
+			empty = FALSE;
+		}
+		enumerator->destroy(enumerator);
+
+		/* received an empty CLOSE batch from PB-TNC client */
+		if (this->is_server && batch_type == PB_BATCH_CLOSE && empty)
+		{
+			batch->destroy(batch);
+			if (this->fatal_error)
+			{
+				DBG1(DBG_TNC, "a fatal PB-TNC error occurred, "
+							  "terminating connection");
+				return FAILED;
+			}
+			else
+			{
+				return SUCCESS;
+			}
+		}
+
+		if (this->is_server)
+		{
+			charon->imvs->batch_ending(charon->imvs, this->connection_id);
+		}
+		else
+		{
+			charon->imcs->batch_ending(charon->imcs, this->connection_id);
+		}
+	}
+
+	switch (status)
+	{
+		case FAILED:
+			this->fatal_error = TRUE;
+			this->mutex->lock(this->mutex);
+			if (this->batch)
+			{
+				DBG1(DBG_TNC, "cancelling PB-TNC %N batch",
+					pb_tnc_batch_type_names, this->batch->get_type(this->batch));
+				this->batch->destroy(this->batch);
+			 }
+			this->batch = pb_tnc_batch_create(this->is_server, PB_BATCH_CLOSE);
+			this->mutex->unlock(this->mutex);
+			/* fall through to add error messages to outbound batch */
+		case VERIFY_ERROR:
+			enumerator = batch->create_error_enumerator(batch);
+			while (enumerator->enumerate(enumerator, &msg))
+			{
+				this->mutex->lock(this->mutex);
+				this->batch->add_msg(this->batch, msg->get_ref(msg));
+				this->mutex->unlock(this->mutex);
+			}
+			enumerator->destroy(enumerator);
+			break;
+		case SUCCESS:
+		default:
+			break;
+	}
+	batch->destroy(batch);
+
 	return NEED_MORE;
 }
 
+/**
+ *  Build a RESULT batch if a final recommendation is available
+ */
+static void check_and_build_recommendation(private_tnccs_20_t *this)
+{
+	TNC_IMV_Action_Recommendation rec;
+	TNC_IMV_Evaluation_Result eval;
+	TNC_IMVID id;
+	chunk_t reason, language;
+	enumerator_t *enumerator;
+	pb_tnc_msg_t *msg;
+
+	if (!this->recs->have_recommendation(this->recs, &rec, &eval))
+	{
+		charon->imvs->solicit_recommendation(charon->imvs, this->connection_id);
+	}
+	if (this->recs->have_recommendation(this->recs, &rec, &eval))
+	{
+		this->batch = pb_tnc_batch_create(this->is_server, PB_BATCH_RESULT);
+
+		msg = pb_assessment_result_msg_create(eval);
+		this->batch->add_msg(this->batch, msg);
+
+		/**
+		 * IMV Action Recommendation and PB Access Recommendation codes
+		 * are shifted by one.
+		 */
+		msg = pb_access_recommendation_msg_create(rec + 1);
+		this->batch->add_msg(this->batch, msg);
+
+		enumerator = this->recs->create_reason_enumerator(this->recs);
+		while (enumerator->enumerate(enumerator, &id, &reason, &language))
+		{
+			msg = pb_reason_string_msg_create(reason, language);
+			this->batch->add_msg(this->batch, msg);
+		}
+		enumerator->destroy(enumerator);
+	}
+}
+
 METHOD(tls_t, build, status_t,
 	private_tnccs_20_t *this, void *buf, size_t *buflen, size_t *msglen)
 {
-	return ALREADY_DONE;
+	status_t status;
+
+	/* Initialize the connection */
+	if (!this->is_server && !this->connection_id)
+	{
+		pb_tnc_msg_t *msg;
+		char *pref_lang;
+
+		this->connection_id = charon->tnccs->create_connection(charon->tnccs,
+										(tnccs_t*)this, _send_msg,
+										&this->request_handshake_retry, NULL);
+		if (!this->connection_id)
+		{
+			return FAILED;
+		}
+
+		/* Create PB-TNC Language Preference message */
+		pref_lang = charon->imcs->get_preferred_language(charon->imcs);
+		msg = pb_language_preference_msg_create(chunk_create(pref_lang,
+													strlen(pref_lang)));
+		this->mutex->lock(this->mutex);
+		this->batch = pb_tnc_batch_create(this->is_server, PB_BATCH_CDATA);
+		this->batch->add_msg(this->batch, msg);
+		this->mutex->unlock(this->mutex);
+
+		charon->imcs->notify_connection_change(charon->imcs,
+							this->connection_id, TNC_CONNECTION_STATE_CREATE);
+		charon->imcs->notify_connection_change(charon->imcs,
+							this->connection_id, TNC_CONNECTION_STATE_HANDSHAKE);
+		charon->imcs->begin_handshake(charon->imcs, this->connection_id);
+	}
+
+	if (this->is_server && this->fatal_error &&
+		this->state_machine->get_state(this->state_machine) == PB_STATE_END)
+	{
+		DBG1(DBG_TNC, "a fatal PB-TNC error occurred, terminating connection");
+		return FAILED;
+	}
+
+	/* Do not allow any asynchronous IMCs or IMVs to add additional messages */
+	this->mutex->lock(this->mutex);
+
+	if (this->request_handshake_retry)
+	{
+		build_retry_batch(this);
+
+		/* Reset the flag for the next handshake retry request */
+		this->request_handshake_retry = FALSE;
+	}
+
+	if (!this->batch)
+	{
+		pb_tnc_state_t state;
+
+		state = this->state_machine->get_state(this->state_machine);
+		if (this->is_server)
+		{
+			if (state == PB_STATE_SERVER_WORKING)
+			{
+				check_and_build_recommendation(this);
+			}
+		}
+		else
+		{
+			/**
+			 * if the DECIDED state has been reached and no CRETRY is under way
+			 * or if a CLOSE batch with error messages has been received,
+			 * a PB-TNC client replies with an empty CLOSE batch.
+			 */
+			if (state == PB_STATE_DECIDED || state == PB_STATE_END)
+			{
+				this->batch = pb_tnc_batch_create(this->is_server, PB_BATCH_CLOSE);
+			}
+		}
+	}
+
+	if (this->batch)
+	{
+		pb_tnc_batch_type_t batch_type;
+		chunk_t data;
+
+		batch_type = this->batch->get_type(this->batch);
+
+		if (this->state_machine->send_batch(this->state_machine, batch_type))
+		{
+			this->batch->build(this->batch);
+			data = this->batch->get_encoding(this->batch);
+			DBG1(DBG_TNC, "sending PB-TNC %N batch (%d bytes) for Connection ID %u",
+						   pb_tnc_batch_type_names, batch_type, data.len,
+						   this->connection_id);
+			DBG3(DBG_TNC, "%B", &data);
+			*msglen = data.len;
+
+			if (data.len > *buflen)
+			{
+				DBG1(DBG_TNC, "fragmentation of PB-TNC batch not supported yet");
+			}
+			else
+			{
+				*buflen = data.len;
+			}
+			memcpy(buf, data.ptr, *buflen);
+			status = ALREADY_DONE;
+		}
+		else
+		{
+			DBG1(DBG_TNC, "cancelling unexpected PB-TNC batch type: %N",
+				 pb_tnc_batch_type_names, batch_type);
+			status = INVALID_STATE;
+		}
+
+		this->batch->destroy(this->batch);
+		this->batch = NULL;
+	}
+	else
+	{
+		DBG1(DBG_TNC, "no PB-TNC batch to send");
+		status = INVALID_STATE;
+	}
+	this->mutex->unlock(this->mutex);
+
+	return status;
 }
 
 METHOD(tls_t, is_server, bool,
@@ -64,7 +601,21 @@ METHOD(tls_t, get_purpose, tls_purpose_t,
 METHOD(tls_t, is_complete, bool,
 	private_tnccs_20_t *this)
 {
-	return FALSE;
+	TNC_IMV_Action_Recommendation rec;
+	TNC_IMV_Evaluation_Result eval;
+
+	if (this->recs && this->recs->have_recommendation(this->recs, &rec, &eval))
+	{
+		DBG2(DBG_TNC, "Final recommendation is '%N' and evaluation is '%N'",
+			 TNC_IMV_Action_Recommendation_names, rec,
+			 TNC_IMV_Evaluation_Result_names, eval);
+
+		return charon->imvs->enforce_recommendation(charon->imvs, rec);
+	}
+	else
+	{
+		return FALSE;
+	}
 }
 
 METHOD(tls_t, get_eap_msk, chunk_t,
@@ -76,6 +627,20 @@ METHOD(tls_t, get_eap_msk, chunk_t,
 METHOD(tls_t, destroy, void,
 	private_tnccs_20_t *this)
 {
+	if (this->is_server)
+	{
+		charon->imvs->notify_connection_change(charon->imvs,
+							this->connection_id, TNC_CONNECTION_STATE_DELETE);
+	}
+	else
+	{
+		charon->imcs->notify_connection_change(charon->imcs,
+							this->connection_id, TNC_CONNECTION_STATE_DELETE);
+	}
+	charon->tnccs->remove_connection(charon->tnccs, this->connection_id);
+	this->state_machine->destroy(this->state_machine);
+	this->mutex->destroy(this->mutex);
+	DESTROY_IF(this->batch);
 	free(this);
 }
 
@@ -97,6 +662,8 @@ tls_t *tnccs_20_create(bool is_server)
 			.destroy = _destroy,
 		},
 		.is_server = is_server,
+		.state_machine = pb_tnc_state_machine_create(is_server),
+		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
 	);
 
 	return &this->public;
diff --git a/src/libcharon/plugins/tnccs_dynamic/Makefile.am b/src/libcharon/plugins/tnccs_dynamic/Makefile.am
new file mode 100644
index 000000000..9a81d065f
--- /dev/null
+++ b/src/libcharon/plugins/tnccs_dynamic/Makefile.am
@@ -0,0 +1,17 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libtls
+
+AM_CFLAGS = -rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-tnccs-dynamic.la
+else
+plugin_LTLIBRARIES = libstrongswan-tnccs-dynamic.la
+libstrongswan_tnccs_dynamic_la_LIBADD = $(top_builddir)/src/libtls/libtls.la
+endif
+
+libstrongswan_tnccs_dynamic_la_SOURCES = \
+	tnccs_dynamic_plugin.h tnccs_dynamic_plugin.c tnccs_dynamic.h tnccs_dynamic.c
+
+libstrongswan_tnccs_dynamic_la_LDFLAGS = -module -avoid-version
diff --git a/src/libcharon/plugins/tnccs_dynamic/Makefile.in b/src/libcharon/plugins/tnccs_dynamic/Makefile.in
new file mode 100644
index 000000000..722da2830
--- /dev/null
+++ b/src/libcharon/plugins/tnccs_dynamic/Makefile.in
@@ -0,0 +1,607 @@
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libcharon/plugins/tnccs_dynamic
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+@MONOLITHIC_FALSE@libstrongswan_tnccs_dynamic_la_DEPENDENCIES =  \
+@MONOLITHIC_FALSE@	$(top_builddir)/src/libtls/libtls.la
+am_libstrongswan_tnccs_dynamic_la_OBJECTS = tnccs_dynamic_plugin.lo \
+	tnccs_dynamic.lo
+libstrongswan_tnccs_dynamic_la_OBJECTS =  \
+	$(am_libstrongswan_tnccs_dynamic_la_OBJECTS)
+libstrongswan_tnccs_dynamic_la_LINK = $(LIBTOOL) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_tnccs_dynamic_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_tnccs_dynamic_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_tnccs_dynamic_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_tnccs_dynamic_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_tnccs_dynamic_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libtls
+
+AM_CFLAGS = -rdynamic
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-tnccs-dynamic.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-tnccs-dynamic.la
+@MONOLITHIC_FALSE@libstrongswan_tnccs_dynamic_la_LIBADD = $(top_builddir)/src/libtls/libtls.la
+libstrongswan_tnccs_dynamic_la_SOURCES = \
+	tnccs_dynamic_plugin.h tnccs_dynamic_plugin.c tnccs_dynamic.h tnccs_dynamic.c
+
+libstrongswan_tnccs_dynamic_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/tnccs_dynamic/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libcharon/plugins/tnccs_dynamic/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-tnccs-dynamic.la: $(libstrongswan_tnccs_dynamic_la_OBJECTS) $(libstrongswan_tnccs_dynamic_la_DEPENDENCIES) 
+	$(libstrongswan_tnccs_dynamic_la_LINK) $(am_libstrongswan_tnccs_dynamic_la_rpath) $(libstrongswan_tnccs_dynamic_la_OBJECTS) $(libstrongswan_tnccs_dynamic_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs_dynamic.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs_dynamic_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic.c b/src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic.c
new file mode 100644
index 000000000..b7985fa51
--- /dev/null
+++ b/src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic.c
@@ -0,0 +1,146 @@
+/*
+ * Copyright (C) 2011 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "tnccs_dynamic.h"
+
+#include <tnc/tnccs/tnccs.h>
+#include <daemon.h>
+
+typedef struct private_tnccs_dynamic_t private_tnccs_dynamic_t;
+
+/**
+ * Private data of a tnccs_dynamic_t object.
+ */
+struct private_tnccs_dynamic_t {
+
+	/**
+	 * Public tls_t interface.
+	 */
+	tls_t public;
+
+	/**
+	 * Detected TNC IF-TNCCS stack
+	 */
+	tls_t *tls;
+};
+
+/**
+ * Determine the version of the IF-TNCCS protocol used by analyzing the first
+ * byte of the TNCCS batch received from a TNC Client according to the rules
+ * defined by section 3.5 "Interoperability with older IF-TNCCS versions" of
+ * the TCG TNC IF-TNCCS TLV Bindings Version 2.0 standard.
+ */
+tnccs_type_t determine_tnccs_protocol(char version)
+{
+	switch (version)
+	{
+		case '\t':
+		case '\n':
+		case '\r':
+		case ' ':
+		case '<':
+			return TNCCS_1_1;
+		case 0x00:
+			return TNCCS_SOH;
+		case 0x02:
+			return TNCCS_2_0;
+		default:
+			return TNCCS_UNKNOWN;
+	}
+}
+
+METHOD(tls_t, process, status_t,
+	private_tnccs_dynamic_t *this, void *buf, size_t buflen)
+{
+	tnccs_type_t type;
+
+	if (!this->tls)
+	{
+		if (buflen == 0)
+		{
+			return FAILED;
+		}
+		type = determine_tnccs_protocol(*(char*)buf);
+		DBG1(DBG_TNC, "%N protocol detected dynamically",
+					   tnccs_type_names, type);
+		this->tls = (tls_t*)charon->tnccs->create_instance(charon->tnccs,
+														   type, TRUE);
+		if (!this->tls)
+		{
+			DBG1(DBG_TNC, "N% protocol not supported", tnccs_type_names, type);
+			return FAILED;
+		}
+	}
+	return this->tls->process(this->tls, buf, buflen);
+}
+
+METHOD(tls_t, build, status_t,
+	private_tnccs_dynamic_t *this, void *buf, size_t *buflen, size_t *msglen)
+{
+	return this->tls->build(this->tls, buf, buflen, msglen);
+}
+
+METHOD(tls_t, is_server, bool,
+	private_tnccs_dynamic_t *this)
+{
+	return TRUE;
+}
+
+METHOD(tls_t, get_purpose, tls_purpose_t,
+	private_tnccs_dynamic_t *this)
+{
+	return TLS_PURPOSE_EAP_TNC;
+}
+
+METHOD(tls_t, is_complete, bool,
+	private_tnccs_dynamic_t *this)
+{
+	return this->tls ? this->tls->is_complete(this->tls) : FALSE;
+}
+
+METHOD(tls_t, get_eap_msk, chunk_t,
+	private_tnccs_dynamic_t *this)
+{
+	return chunk_empty;
+}
+
+METHOD(tls_t, destroy, void,
+	private_tnccs_dynamic_t *this)
+{
+	DESTROY_IF(this->tls);
+	free(this);	
+}
+
+/**
+ * See header
+ */
+tls_t *tnccs_dynamic_create(bool is_server)
+{
+	private_tnccs_dynamic_t *this;
+
+	INIT(this,
+		.public = {
+			.process = _process,
+			.build = _build,
+			.is_server = _is_server,
+			.get_purpose = _get_purpose,
+			.is_complete = _is_complete,
+			.get_eap_msk = _get_eap_msk,
+			.destroy = _destroy,
+		},
+	);
+
+	return &this->public;
+}
diff --git a/src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic.h b/src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic.h
new file mode 100644
index 000000000..42410b17f
--- /dev/null
+++ b/src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic.h
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) 2011 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tnccs_dynamic_h tnccs_dynamic
+ * @{ @ingroup tnccs_dynamic
+ */
+
+#ifndef TNCCS_DYNAMIC_H_
+#define TNCCS_DYNAMIC_H_
+
+#include <library.h>
+
+#include <tls.h>
+
+/**
+ * Create an instance of a dynamic TNC IF-TNCCS protocol handler.
+ *
+ * @param is_server			TRUE to act as TNC Server, FALSE for TNC Client
+ * @return					dynamic TNC IF-TNCCS protocol stack
+ */
+tls_t *tnccs_dynamic_create(bool is_server);
+
+#endif /** TNCCS_DYNAMIC_H_ @}*/
diff --git a/src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic_plugin.c b/src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic_plugin.c
new file mode 100644
index 000000000..dbbf222e0
--- /dev/null
+++ b/src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic_plugin.c
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2011 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "tnccs_dynamic_plugin.h"
+#include "tnccs_dynamic.h"
+
+#include <daemon.h>
+
+METHOD(plugin_t, destroy, void,
+	tnccs_dynamic_plugin_t *this)
+{
+	charon->tnccs->remove_method(charon->tnccs,
+								(tnccs_constructor_t)tnccs_dynamic_create);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *tnccs_dynamic_plugin_create()
+{
+	tnccs_dynamic_plugin_t *this;
+
+	INIT(this,
+		.plugin = {
+			.destroy = _destroy,
+		},
+	);
+
+	charon->tnccs->add_method(charon->tnccs, TNCCS_DYNAMIC, 
+							 (tnccs_constructor_t)tnccs_dynamic_create);
+
+	return &this->plugin;
+}
+
diff --git a/src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic_plugin.h b/src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic_plugin.h
new file mode 100644
index 000000000..b518e1278
--- /dev/null
+++ b/src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2011 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tnccs_dynamic tnccs_dynamic
+ * @ingroup cplugins
+ *
+ * @defgroup tnccs_dynamic_plugin tnccs_dynamic_plugin
+ * @{ @ingroup tnccs_dynamic
+ */
+
+#ifndef TNCCS_DYNAMIC_PLUGIN_H_
+#define TNCCS_DYNAMIC_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct tnccs_dynamic_plugin_t tnccs_dynamic_plugin_t;
+
+/**
+ * EAP-TNC plugin
+ */
+struct tnccs_dynamic_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+#endif /** TNCCS_DYNAMIC_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/uci/Makefile.in b/src/libcharon/plugins/uci/Makefile.in
index 9cb5f794a..f7162d800 100644
--- a/src/libcharon/plugins/uci/Makefile.in
+++ b/src/libcharon/plugins/uci/Makefile.in
@@ -220,9 +220,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -261,6 +259,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libcharon/plugins/uci/uci_config.c b/src/libcharon/plugins/uci/uci_config.c
index ddddae782..4e43388ec 100644
--- a/src/libcharon/plugins/uci/uci_config.c
+++ b/src/libcharon/plugins/uci/uci_config.c
@@ -196,8 +196,8 @@ static bool peer_enumerator_enumerate(peer_enumerator_t *this, peer_cfg_t **cfg)
 		this->peer_cfg->add_auth_cfg(this->peer_cfg, auth, FALSE);
 
 		child_cfg = child_cfg_create(name, &lifetime, NULL, TRUE, MODE_TUNNEL,
-									 ACTION_NONE, ACTION_NONE, FALSE, 0, 0,
-									 NULL, NULL);
+									 ACTION_NONE, ACTION_NONE, ACTION_NONE,
+									 FALSE, 0, 0, NULL, NULL, 0);
 		child_cfg->add_proposal(child_cfg, create_proposal(esp_proposal, PROTO_ESP));
 		child_cfg->add_traffic_selector(child_cfg, TRUE, create_ts(local_net));
 		child_cfg->add_traffic_selector(child_cfg, FALSE, create_ts(remote_net));
diff --git a/src/libcharon/plugins/unit_tester/Makefile.in b/src/libcharon/plugins/unit_tester/Makefile.in
index 47fff7e1d..5fa749e56 100644
--- a/src/libcharon/plugins/unit_tester/Makefile.in
+++ b/src/libcharon/plugins/unit_tester/Makefile.in
@@ -226,9 +226,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -267,6 +265,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libcharon/plugins/updown/Makefile.in b/src/libcharon/plugins/updown/Makefile.in
index e93955d71..5dd2dc843 100644
--- a/src/libcharon/plugins/updown/Makefile.in
+++ b/src/libcharon/plugins/updown/Makefile.in
@@ -222,9 +222,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -263,6 +261,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libcharon/processing/jobs/acquire_job.c b/src/libcharon/processing/jobs/acquire_job.c
index 45ace9312..3544dd332 100644
--- a/src/libcharon/processing/jobs/acquire_job.c
+++ b/src/libcharon/processing/jobs/acquire_job.c
@@ -45,20 +45,16 @@ struct private_acquire_job_t {
 	traffic_selector_t *dst_ts;
 };
 
-/**
- * Implementation of job_t.destroy.
- */
-static void destroy(private_acquire_job_t *this)
+METHOD(job_t, destroy, void,
+	private_acquire_job_t *this)
 {
 	DESTROY_IF(this->src_ts);
 	DESTROY_IF(this->dst_ts);
 	free(this);
 }
 
-/**
- * Implementation of job_t.execute.
- */
-static void execute(private_acquire_job_t *this)
+METHOD(job_t, execute, void,
+	private_acquire_job_t *this)
 {
 	charon->traps->acquire(charon->traps, this->reqid,
 						   this->src_ts, this->dst_ts);
@@ -72,14 +68,19 @@ acquire_job_t *acquire_job_create(u_int32_t reqid,
 								  traffic_selector_t *src_ts,
 								  traffic_selector_t *dst_ts)
 {
-	private_acquire_job_t *this = malloc_thing(private_acquire_job_t);
-
-	this->public.job_interface.execute = (void (*) (job_t *)) execute;
-	this->public.job_interface.destroy = (void (*)(job_t*)) destroy;
+	private_acquire_job_t *this;
 
-	this->reqid = reqid;
-	this->src_ts = src_ts;
-	this->dst_ts = dst_ts;
+	INIT(this,
+		.public = {
+			.job_interface = {
+				.execute = _execute,
+				.destroy = _destroy,
+			},
+		},
+		.reqid = reqid,
+		.src_ts = src_ts,
+		.dst_ts = dst_ts,
+	);
 
 	return &this->public;
 }
diff --git a/src/libcharon/processing/jobs/delete_child_sa_job.c b/src/libcharon/processing/jobs/delete_child_sa_job.c
index ca55721f2..29122cd03 100644
--- a/src/libcharon/processing/jobs/delete_child_sa_job.c
+++ b/src/libcharon/processing/jobs/delete_child_sa_job.c
@@ -46,18 +46,14 @@ struct private_delete_child_sa_job_t {
 	u_int32_t spi;
 };
 
-/**
- * Implementation of job_t.destroy.
- */
-static void destroy(private_delete_child_sa_job_t *this)
+METHOD(job_t, destroy, void,
+	private_delete_child_sa_job_t *this)
 {
 	free(this);
 }
 
-/**
- * Implementation of job_t.execute.
- */
-static void execute(private_delete_child_sa_job_t *this)
+METHOD(job_t, execute, void,
+	private_delete_child_sa_job_t *this)
 {
 	ike_sa_t *ike_sa;
 
@@ -84,16 +80,19 @@ delete_child_sa_job_t *delete_child_sa_job_create(u_int32_t reqid,
 												  protocol_id_t protocol,
 												  u_int32_t spi)
 {
-	private_delete_child_sa_job_t *this = malloc_thing(private_delete_child_sa_job_t);
-
-	/* interface functions */
-	this->public.job_interface.execute = (void (*) (job_t *)) execute;
-	this->public.job_interface.destroy = (void (*)(job_t*)) destroy;
-
-	/* private variables */
-	this->reqid = reqid;
-	this->protocol = protocol;
-	this->spi = spi;
+	private_delete_child_sa_job_t *this;
+
+	INIT(this,
+		.public = {
+			.job_interface = {
+				.execute = _execute,
+				.destroy = _destroy,
+			},
+		},
+		.reqid = reqid,
+		.protocol = protocol,
+		.spi = spi,
+	);
 
 	return &this->public;
 }
diff --git a/src/libcharon/processing/jobs/delete_ike_sa_job.c b/src/libcharon/processing/jobs/delete_ike_sa_job.c
index dffd08ba3..da3ecf06f 100644
--- a/src/libcharon/processing/jobs/delete_ike_sa_job.c
+++ b/src/libcharon/processing/jobs/delete_ike_sa_job.c
@@ -41,19 +41,15 @@ struct private_delete_ike_sa_job_t {
 };
 
 
-/**
- * Implements job_t.destroy.
- */
-static void destroy(private_delete_ike_sa_job_t *this)
+METHOD(job_t, destroy, void,
+	private_delete_ike_sa_job_t *this)
 {
 	this->ike_sa_id->destroy(this->ike_sa_id);
 	free(this);
 }
 
-/**
- * Implementation of job_t.execute.
- */
-static void execute(private_delete_ike_sa_job_t *this)
+METHOD(job_t, execute, void,
+	private_delete_ike_sa_job_t *this)
 {
 	ike_sa_t *ike_sa;
 
@@ -102,15 +98,18 @@ static void execute(private_delete_ike_sa_job_t *this)
 delete_ike_sa_job_t *delete_ike_sa_job_create(ike_sa_id_t *ike_sa_id,
 											  bool delete_if_established)
 {
-	private_delete_ike_sa_job_t *this = malloc_thing(private_delete_ike_sa_job_t);
-
-	/* interface functions */
-	this->public.job_interface.execute = (void (*) (job_t *)) execute;
-	this->public.job_interface.destroy = (void (*)(job_t *)) destroy;;
+	private_delete_ike_sa_job_t *this;
 
-	/* private variables */
-	this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
-	this->delete_if_established = delete_if_established;
+	INIT(this,
+		.public = {
+			.job_interface = {
+				.execute = _execute,
+				.destroy = _destroy,
+			},
+		},
+		.ike_sa_id = ike_sa_id->clone(ike_sa_id),
+		.delete_if_established = delete_if_established,
+	);
 
 	return &(this->public);
 }
diff --git a/src/libcharon/processing/jobs/migrate_job.c b/src/libcharon/processing/jobs/migrate_job.c
index 05f47340c..5e7c7ae88 100644
--- a/src/libcharon/processing/jobs/migrate_job.c
+++ b/src/libcharon/processing/jobs/migrate_job.c
@@ -57,10 +57,8 @@ struct private_migrate_job_t {
 	host_t *remote;
 };
 
-/**
- * Implementation of job_t.destroy.
- */
-static void destroy(private_migrate_job_t *this)
+METHOD(job_t, destroy, void,
+	private_migrate_job_t *this)
 {
 	DESTROY_IF(this->src_ts);
 	DESTROY_IF(this->dst_ts);
@@ -69,10 +67,8 @@ static void destroy(private_migrate_job_t *this)
 	free(this);
 }
 
-/**
- * Implementation of job_t.execute.
- */
-static void execute(private_migrate_job_t *this)
+METHOD(job_t, execute, void,
+	private_migrate_job_t *this)
 {
 	ike_sa_t *ike_sa = NULL;
 
@@ -133,18 +129,21 @@ migrate_job_t *migrate_job_create(u_int32_t reqid,
 								  policy_dir_t dir,
 								  host_t *local, host_t *remote)
 {
-	private_migrate_job_t *this = malloc_thing(private_migrate_job_t);
-
-	/* interface functions */
-	this->public.job_interface.execute = (void (*) (job_t *)) execute;
-	this->public.job_interface.destroy = (void (*)(job_t*)) destroy;
-
-	/* private variables */
-	this->reqid = reqid;
-	this->src_ts = (dir == POLICY_OUT) ? src_ts : dst_ts;
-	this->dst_ts = (dir == POLICY_OUT) ? dst_ts : src_ts;
-	this->local = local;
-	this->remote = remote;
+	private_migrate_job_t *this;
+
+	INIT(this,
+		.public = {
+			.job_interface = {
+				.execute = _execute,
+				.destroy = _destroy,
+			},
+		},
+		.reqid = reqid,
+		.src_ts = (dir == POLICY_OUT) ? src_ts : dst_ts,
+		.dst_ts = (dir == POLICY_OUT) ? dst_ts : src_ts,
+		.local = local,
+		.remote = remote,
+	);
 
 	return &this->public;
 }
diff --git a/src/libcharon/processing/jobs/process_message_job.c b/src/libcharon/processing/jobs/process_message_job.c
index a47d48e38..b6de4fc0f 100644
--- a/src/libcharon/processing/jobs/process_message_job.c
+++ b/src/libcharon/processing/jobs/process_message_job.c
@@ -35,19 +35,15 @@ struct private_process_message_job_t {
 	message_t *message;
 };
 
-/**
- * Implements job_t.destroy.
- */
-static void destroy(private_process_message_job_t *this)
+METHOD(job_t, destroy, void,
+	private_process_message_job_t *this)
 {
 	this->message->destroy(this->message);
 	free(this);
 }
 
-/**
- * Implementation of job_t.execute.
- */
-static void execute(private_process_message_job_t *this)
+METHOD(job_t, execute, void,
+	private_process_message_job_t *this)
 {
 	ike_sa_t *ike_sa;
 
@@ -93,14 +89,17 @@ static void execute(private_process_message_job_t *this)
  */
 process_message_job_t *process_message_job_create(message_t *message)
 {
-	private_process_message_job_t *this = malloc_thing(private_process_message_job_t);
-
-	/* interface functions */
-	this->public.job_interface.execute = (void (*) (job_t *)) execute;
-	this->public.job_interface.destroy = (void(*)(job_t*))destroy;
+	private_process_message_job_t *this;
 
-	/* private variables */
-	this->message = message;
+	INIT(this,
+		.public = {
+			.job_interface = {
+				.execute = _execute,
+				.destroy = _destroy,
+			},
+		},
+		.message = message,
+	);
 
 	return &(this->public);
 }
diff --git a/src/libcharon/processing/jobs/rekey_child_sa_job.c b/src/libcharon/processing/jobs/rekey_child_sa_job.c
index b797d181e..2bcee2ddf 100644
--- a/src/libcharon/processing/jobs/rekey_child_sa_job.c
+++ b/src/libcharon/processing/jobs/rekey_child_sa_job.c
@@ -45,18 +45,14 @@ struct private_rekey_child_sa_job_t {
 	u_int32_t spi;
 };
 
-/**
- * Implementation of job_t.destroy.
- */
-static void destroy(private_rekey_child_sa_job_t *this)
+METHOD(job_t, destroy, void,
+	private_rekey_child_sa_job_t *this)
 {
 	free(this);
 }
 
-/**
- * Implementation of job_t.execute.
- */
-static void execute(private_rekey_child_sa_job_t *this)
+METHOD(job_t, execute, void,
+	private_rekey_child_sa_job_t *this)
 {
 	ike_sa_t *ike_sa;
 
@@ -82,16 +78,19 @@ rekey_child_sa_job_t *rekey_child_sa_job_create(u_int32_t reqid,
 												protocol_id_t protocol,
 												u_int32_t spi)
 {
-	private_rekey_child_sa_job_t *this = malloc_thing(private_rekey_child_sa_job_t);
-
-	/* interface functions */
-	this->public.job_interface.execute = (void (*) (job_t *)) execute;
-	this->public.job_interface.destroy = (void (*)(job_t*)) destroy;
+	private_rekey_child_sa_job_t *this;
 
-	/* private variables */
-	this->reqid = reqid;
-	this->protocol = protocol;
-	this->spi = spi;
+	INIT(this,
+		.public = {
+			.job_interface = {
+				.execute = _execute,
+				.destroy = _destroy,
+			},
+		},
+		.reqid = reqid,
+		.protocol = protocol,
+		.spi = spi,
+	);
 
 	return &this->public;
 }
diff --git a/src/libcharon/processing/jobs/rekey_ike_sa_job.c b/src/libcharon/processing/jobs/rekey_ike_sa_job.c
index 5ec0b1b88..dc86ba9b3 100644
--- a/src/libcharon/processing/jobs/rekey_ike_sa_job.c
+++ b/src/libcharon/processing/jobs/rekey_ike_sa_job.c
@@ -39,19 +39,15 @@ struct private_rekey_ike_sa_job_t {
 	bool reauth;
 };
 
-/**
- * Implementation of job_t.destroy.
- */
-static void destroy(private_rekey_ike_sa_job_t *this)
+METHOD(job_t, destroy, void,
+	private_rekey_ike_sa_job_t *this)
 {
 	this->ike_sa_id->destroy(this->ike_sa_id);
 	free(this);
 }
 
-/**
- * Implementation of job_t.execute.
- */
-static void execute(private_rekey_ike_sa_job_t *this)
+METHOD(job_t, execute, void,
+	private_rekey_ike_sa_job_t *this)
 {
 	ike_sa_t *ike_sa;
 	status_t status = SUCCESS;
@@ -90,15 +86,18 @@ static void execute(private_rekey_ike_sa_job_t *this)
  */
 rekey_ike_sa_job_t *rekey_ike_sa_job_create(ike_sa_id_t *ike_sa_id, bool reauth)
 {
-	private_rekey_ike_sa_job_t *this = malloc_thing(private_rekey_ike_sa_job_t);
-
-	/* interface functions */
-	this->public.job_interface.execute = (void (*) (job_t *)) execute;
-	this->public.job_interface.destroy = (void (*)(job_t*)) destroy;
+	private_rekey_ike_sa_job_t *this;
 
-	/* private variables */
-	this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
-	this->reauth = reauth;
+	INIT(this,
+		.public = {
+			.job_interface = {
+				.execute = _execute,
+				.destroy = _destroy,
+			},
+		},
+		.ike_sa_id = ike_sa_id->clone(ike_sa_id),
+		.reauth = reauth,
+	);
 
 	return &(this->public);
 }
diff --git a/src/libcharon/processing/jobs/retransmit_job.c b/src/libcharon/processing/jobs/retransmit_job.c
index fc787f208..1c78abd27 100644
--- a/src/libcharon/processing/jobs/retransmit_job.c
+++ b/src/libcharon/processing/jobs/retransmit_job.c
@@ -40,19 +40,15 @@ struct private_retransmit_job_t {
 	ike_sa_id_t *ike_sa_id;
 };
 
-/**
- * Implements job_t.destroy.
- */
-static void destroy(private_retransmit_job_t *this)
+METHOD(job_t, destroy, void,
+	private_retransmit_job_t *this)
 {
 	this->ike_sa_id->destroy(this->ike_sa_id);
 	free(this);
 }
 
-/**
- * Implementation of job_t.execute.
- */
-static void execute(private_retransmit_job_t *this)
+METHOD(job_t, execute, void,
+	private_retransmit_job_t *this)
 {
 	ike_sa_t *ike_sa;
 
@@ -79,15 +75,18 @@ static void execute(private_retransmit_job_t *this)
  */
 retransmit_job_t *retransmit_job_create(u_int32_t message_id,ike_sa_id_t *ike_sa_id)
 {
-	private_retransmit_job_t *this = malloc_thing(private_retransmit_job_t);
-
-	/* interface functions */
-	this->public.job_interface.execute = (void (*) (job_t *)) execute;
-	this->public.job_interface.destroy = (void (*) (job_t *)) destroy;
+	private_retransmit_job_t *this;
 
-	/* private variables */
-	this->message_id = message_id;
-	this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
+	INIT(this,
+		.public = {
+			.job_interface = {
+				.execute = _execute,
+				.destroy = _destroy,
+			},
+		},
+		.message_id = message_id,
+		.ike_sa_id = ike_sa_id->clone(ike_sa_id),
+	);
 
 	return &this->public;
 }
diff --git a/src/libcharon/processing/jobs/roam_job.c b/src/libcharon/processing/jobs/roam_job.c
index adc884a8a..74ef8bd6d 100644
--- a/src/libcharon/processing/jobs/roam_job.c
+++ b/src/libcharon/processing/jobs/roam_job.c
@@ -38,18 +38,14 @@ struct private_roam_job_t {
 	bool address;
 };
 
-/**
- * Implements job_t.destroy.
- */
-static void destroy(private_roam_job_t *this)
+METHOD(job_t, destroy, void,
+	private_roam_job_t *this)
 {
 	free(this);
 }
 
-/**
- * Implementation of job_t.execute.
- */
-static void execute(private_roam_job_t *this)
+METHOD(job_t, execute, void,
+	private_roam_job_t *this)
 {
 	ike_sa_t *ike_sa;
 	linked_list_t *list;
@@ -94,12 +90,17 @@ static void execute(private_roam_job_t *this)
  */
 roam_job_t *roam_job_create(bool address)
 {
-	private_roam_job_t *this = malloc_thing(private_roam_job_t);
-
-	this->public.job_interface.execute = (void (*) (job_t *)) execute;
-	this->public.job_interface.destroy = (void (*) (job_t *)) destroy;
-
-	this->address = address;
+	private_roam_job_t *this;
+
+	INIT(this,
+		.public = {
+			.job_interface = {
+				.execute = _execute,
+				.destroy = _destroy,
+			},
+		},
+		.address = address,
+	);
 
 	return &this->public;
 }
diff --git a/src/libcharon/processing/jobs/send_dpd_job.c b/src/libcharon/processing/jobs/send_dpd_job.c
index 1c2da52b8..47b525363 100644
--- a/src/libcharon/processing/jobs/send_dpd_job.c
+++ b/src/libcharon/processing/jobs/send_dpd_job.c
@@ -38,19 +38,15 @@ struct private_send_dpd_job_t {
 	ike_sa_id_t *ike_sa_id;
 };
 
-/**
- * Implements job_t.destroy.
- */
-static void destroy(private_send_dpd_job_t *this)
+METHOD(job_t, destroy, void,
+	private_send_dpd_job_t *this)
 {
 	this->ike_sa_id->destroy(this->ike_sa_id);
 	free(this);
 }
 
-/**
- * Implementation of job_t.execute.
- */
-static void execute(private_send_dpd_job_t *this)
+METHOD(job_t, execute, void,
+	private_send_dpd_job_t *this)
 {
 	ike_sa_t *ike_sa;
 
@@ -75,14 +71,17 @@ static void execute(private_send_dpd_job_t *this)
  */
 send_dpd_job_t *send_dpd_job_create(ike_sa_id_t *ike_sa_id)
 {
-	private_send_dpd_job_t *this = malloc_thing(private_send_dpd_job_t);
-
-	/* interface functions */
-	this->public.job_interface.execute = (void (*) (job_t *)) execute;
-	this->public.job_interface.destroy = (void (*) (job_t *)) destroy;
+	private_send_dpd_job_t *this;
 
-	/* private variables */
-	this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
+	INIT(this,
+		.public = {
+			.job_interface = {
+				.execute = _execute,
+				.destroy = _destroy,
+			},
+		},
+		.ike_sa_id = ike_sa_id->clone(ike_sa_id),
+	);
 
 	return &this->public;
 }
diff --git a/src/libcharon/processing/jobs/send_keepalive_job.c b/src/libcharon/processing/jobs/send_keepalive_job.c
index 3d02cea2e..8d98aad7e 100644
--- a/src/libcharon/processing/jobs/send_keepalive_job.c
+++ b/src/libcharon/processing/jobs/send_keepalive_job.c
@@ -38,19 +38,15 @@ struct private_send_keepalive_job_t {
 	ike_sa_id_t *ike_sa_id;
 };
 
-/**
- * Implements job_t.destroy.
- */
-static void destroy(private_send_keepalive_job_t *this)
+METHOD(job_t, destroy, void,
+	private_send_keepalive_job_t *this)
 {
 	this->ike_sa_id->destroy(this->ike_sa_id);
 	free(this);
 }
 
-/**
- * Implementation of job_t.execute.
- */
-static void execute(private_send_keepalive_job_t *this)
+METHOD(job_t, execute, void,
+	private_send_keepalive_job_t *this)
 {
 	ike_sa_t *ike_sa;
 
@@ -69,14 +65,17 @@ static void execute(private_send_keepalive_job_t *this)
  */
 send_keepalive_job_t *send_keepalive_job_create(ike_sa_id_t *ike_sa_id)
 {
-	private_send_keepalive_job_t *this = malloc_thing(private_send_keepalive_job_t);
-
-	/* interface functions */
-	this->public.job_interface.execute = (void (*) (job_t *)) execute;
-	this->public.job_interface.destroy = (void (*) (job_t *)) destroy;
+	private_send_keepalive_job_t *this;
 
-	/* private variables */
-	this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
+	INIT(this,
+		.public = {
+			.job_interface = {
+				.execute = _execute,
+				.destroy = _destroy,
+			},
+		},
+		.ike_sa_id = ike_sa_id->clone(ike_sa_id),
+	);
 
 	return &this->public;
 }
diff --git a/src/libcharon/processing/jobs/start_action_job.c b/src/libcharon/processing/jobs/start_action_job.c
new file mode 100644
index 000000000..5dda18be2
--- /dev/null
+++ b/src/libcharon/processing/jobs/start_action_job.c
@@ -0,0 +1,101 @@
+/*
+ * Copyright (C) 2011 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "start_action_job.h"
+
+#include <daemon.h>
+
+
+typedef struct private_start_action_job_t private_start_action_job_t;
+
+/**
+ * Private data of an start_action_job_t object.
+ */
+struct private_start_action_job_t {
+	/**
+	 * Public start_action_job_t interface.
+	 */
+	start_action_job_t public;
+};
+
+METHOD(job_t, destroy, void,
+	private_start_action_job_t *this)
+{
+	free(this);
+}
+
+METHOD(job_t, execute, void,
+	private_start_action_job_t *this)
+{
+	enumerator_t *enumerator, *children;
+	peer_cfg_t *peer_cfg;
+	child_cfg_t *child_cfg;
+	char *name;
+
+	enumerator = charon->backends->create_peer_cfg_enumerator(charon->backends,
+													NULL, NULL, NULL, NULL);
+	while (enumerator->enumerate(enumerator, &peer_cfg))
+	{
+		if (peer_cfg->get_ike_version(peer_cfg) != 2)
+		{
+			continue;
+		}
+
+		children = peer_cfg->create_child_cfg_enumerator(peer_cfg);
+		while (children->enumerate(children, &child_cfg))
+		{
+			name = child_cfg->get_name(child_cfg);
+
+			switch (child_cfg->get_start_action(child_cfg))
+			{
+				case ACTION_RESTART:
+					DBG1(DBG_JOB, "start action: initiate '%s'", name);
+					charon->controller->initiate(charon->controller,
+												 peer_cfg->get_ref(peer_cfg),
+												 child_cfg->get_ref(child_cfg),
+												 NULL, NULL);
+					break;
+				case ACTION_ROUTE:
+					DBG1(DBG_JOB, "start action: route '%s'", name);
+					charon->traps->install(charon->traps, peer_cfg, child_cfg);
+					break;
+				case ACTION_NONE:
+					break;
+			}
+		}
+		children->destroy(children);
+	}
+	enumerator->destroy(enumerator);
+	destroy(this);
+}
+
+/*
+ * Described in header
+ */
+start_action_job_t *start_action_job_create(void)
+{
+	private_start_action_job_t *this;
+
+	INIT(this,
+		.public = {
+			.job_interface = {
+				.execute = _execute,
+				.destroy = _destroy,
+			},
+		},
+	)
+	return &this->public;
+}
+
diff --git a/src/libcharon/processing/jobs/start_action_job.h b/src/libcharon/processing/jobs/start_action_job.h
new file mode 100644
index 000000000..ffc167c05
--- /dev/null
+++ b/src/libcharon/processing/jobs/start_action_job.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2011 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup start_action_job start_action_job
+ * @{ @ingroup cjobs
+ */
+
+#ifndef START_ACTION_JOB_H_
+#define START_ACTION_JOB_H_
+
+typedef struct start_action_job_t start_action_job_t;
+
+#include <library.h>
+#include <processing/jobs/job.h>
+
+/**
+ * Class representing a start_action Job.
+ *
+ * This job handles all child configurations stored in an [SQL database]
+ * backend according to their start_action field (start, route, none).
+ */
+struct start_action_job_t {
+	/**
+	 * The job_t interface.
+	 */
+	job_t job_interface;
+};
+
+/**
+ * Creates a job of type start_action.
+ *
+ * @return			start_action_job_t object
+ */
+start_action_job_t *start_action_job_create(void);
+
+#endif /** START_ACTION_JOB_H_ @}*/
diff --git a/src/libcharon/processing/jobs/update_sa_job.c b/src/libcharon/processing/jobs/update_sa_job.c
index 17dce2548..3b4e9949f 100644
--- a/src/libcharon/processing/jobs/update_sa_job.c
+++ b/src/libcharon/processing/jobs/update_sa_job.c
@@ -43,19 +43,15 @@ struct private_update_sa_job_t {
 	host_t *new;
 };
 
-/**
- * Implements job_t.destroy.
- */
-static void destroy(private_update_sa_job_t *this)
+METHOD(job_t, destroy, void,
+	private_update_sa_job_t *this)
 {
 	this->new->destroy(this->new);
 	free(this);
 }
 
-/**
- * Implementation of job_t.execute.
- */
-static void execute(private_update_sa_job_t *this)
+METHOD(job_t, execute, void,
+	private_update_sa_job_t *this)
 {
 	ike_sa_t *ike_sa;
 
@@ -71,7 +67,7 @@ static void execute(private_update_sa_job_t *this)
 		if (ike_sa->has_condition(ike_sa, COND_NAT_THERE) &&
 			!ike_sa->has_condition(ike_sa, COND_NAT_HERE))
 		{
-			ike_sa->update_hosts(ike_sa, NULL, this->new);
+			ike_sa->update_hosts(ike_sa, NULL, this->new, FALSE);
 		}
 		charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
 	}
@@ -83,13 +79,18 @@ static void execute(private_update_sa_job_t *this)
  */
 update_sa_job_t *update_sa_job_create(u_int32_t reqid, host_t *new)
 {
-	private_update_sa_job_t *this = malloc_thing(private_update_sa_job_t);
-
-	this->public.job_interface.execute = (void (*) (job_t *)) execute;
-	this->public.job_interface.destroy = (void (*) (job_t *)) destroy;
-
-	this->reqid = reqid;
-	this->new = new;
+	private_update_sa_job_t *this;
+
+	INIT(this,
+		.public = {
+			.job_interface = {
+				.execute = _execute,
+				.destroy = _destroy,
+			},
+		},
+		.reqid = reqid,
+		.new = new,
+	);
 
 	return &this->public;
 }
diff --git a/src/libcharon/sa/authenticators/authenticator.c b/src/libcharon/sa/authenticators/authenticator.c
index cd340e53e..83f5fbaad 100644
--- a/src/libcharon/sa/authenticators/authenticator.c
+++ b/src/libcharon/sa/authenticators/authenticator.c
@@ -39,7 +39,8 @@ ENUM_END(auth_method_names, AUTH_ECDSA_521);
  */
 authenticator_t *authenticator_create_builder(ike_sa_t *ike_sa, auth_cfg_t *cfg,
 									chunk_t received_nonce, chunk_t sent_nonce,
-									chunk_t received_init, chunk_t sent_init)
+									chunk_t received_init, chunk_t sent_init,
+									char reserved[3])
 {
 	switch ((uintptr_t)cfg->get(cfg, AUTH_RULE_AUTH_CLASS))
 	{
@@ -47,13 +48,14 @@ authenticator_t *authenticator_create_builder(ike_sa_t *ike_sa, auth_cfg_t *cfg,
 			/* defaults to PUBKEY */
 		case AUTH_CLASS_PUBKEY:
 			return (authenticator_t*)pubkey_authenticator_create_builder(ike_sa,
-											received_nonce, sent_init);
+										received_nonce, sent_init, reserved);
 		case AUTH_CLASS_PSK:
 			return (authenticator_t*)psk_authenticator_create_builder(ike_sa,
-											received_nonce, sent_init);
+										received_nonce, sent_init, reserved);
 		case AUTH_CLASS_EAP:
 			return (authenticator_t*)eap_authenticator_create_builder(ike_sa,
-						received_nonce, sent_nonce, received_init, sent_init);
+										received_nonce, sent_nonce,
+										received_init, sent_init, reserved);
 		default:
 			return NULL;
 	}
@@ -65,7 +67,8 @@ authenticator_t *authenticator_create_builder(ike_sa_t *ike_sa, auth_cfg_t *cfg,
 authenticator_t *authenticator_create_verifier(
 									ike_sa_t *ike_sa, message_t *message,
 									chunk_t received_nonce, chunk_t sent_nonce,
-									chunk_t received_init, chunk_t sent_init)
+									chunk_t received_init, chunk_t sent_init,
+									char reserved[3])
 {
 	auth_payload_t *auth_payload;
 
@@ -73,7 +76,8 @@ authenticator_t *authenticator_create_verifier(
 	if (auth_payload == NULL)
 	{
 		return (authenticator_t*)eap_authenticator_create_verifier(ike_sa,
-						received_nonce, sent_nonce, received_init, sent_init);
+										received_nonce, sent_nonce,
+										received_init, sent_init, reserved);
 	}
 	switch (auth_payload->get_auth_method(auth_payload))
 	{
@@ -82,10 +86,10 @@ authenticator_t *authenticator_create_verifier(
 		case AUTH_ECDSA_384:
 		case AUTH_ECDSA_521:
 			return (authenticator_t*)pubkey_authenticator_create_verifier(ike_sa,
-													sent_nonce, received_init);
+										sent_nonce, received_init, reserved);
 		case AUTH_PSK:
 			return (authenticator_t*)psk_authenticator_create_verifier(ike_sa,
-													sent_nonce, received_init);
+										sent_nonce, received_init, reserved);
 		default:
 			return NULL;
 	}
diff --git a/src/libcharon/sa/authenticators/authenticator.h b/src/libcharon/sa/authenticators/authenticator.h
index 89178b5cf..d27e006a3 100644
--- a/src/libcharon/sa/authenticators/authenticator.h
+++ b/src/libcharon/sa/authenticators/authenticator.h
@@ -130,12 +130,14 @@ struct authenticator_t {
  * @param sent_nonce		nonce sent in IKE_SA_INIT
  * @param received_init		received IKE_SA_INIT message data
  * @param sent_init			sent IKE_SA_INIT message data
+ * @param reserved			reserved bytes of the ID payload
  * @return					authenticator, NULL if not supported
  */
 authenticator_t *authenticator_create_builder(
 									ike_sa_t *ike_sa, auth_cfg_t *cfg,
 									chunk_t received_nonce, chunk_t sent_nonce,
-									chunk_t received_init, chunk_t sent_init);
+									chunk_t received_init, chunk_t sent_init,
+									char reserved[3]);
 
 /**
  * Create an authenticator to verify signatures.
@@ -146,11 +148,13 @@ authenticator_t *authenticator_create_builder(
  * @param sent_nonce		nonce sent in IKE_SA_INIT
  * @param received_init		received IKE_SA_INIT message data
  * @param sent_init			sent IKE_SA_INIT message data
+ * @param reserved			reserved bytes of the ID payload
  * @return					authenticator, NULL if not supported
  */
 authenticator_t *authenticator_create_verifier(
 									ike_sa_t *ike_sa, message_t *message,
 									chunk_t received_nonce, chunk_t sent_nonce,
-									chunk_t received_init, chunk_t sent_init);
+									chunk_t received_init, chunk_t sent_init,
+									char reserved[3]);
 
 #endif /** AUTHENTICATOR_H_ @}*/
diff --git a/src/libcharon/sa/authenticators/eap_authenticator.c b/src/libcharon/sa/authenticators/eap_authenticator.c
index 8b22fd1d7..dea02755d 100644
--- a/src/libcharon/sa/authenticators/eap_authenticator.c
+++ b/src/libcharon/sa/authenticators/eap_authenticator.c
@@ -57,6 +57,11 @@ struct private_eap_authenticator_t {
 	 */
 	chunk_t sent_init;
 
+	/**
+	 * Reserved bytes of ID payload
+	 */
+	char reserved[3];
+
 	/**
 	 * Current EAP method processing
 	 */
@@ -422,7 +427,7 @@ static bool verify_auth(private_eap_authenticator_t *this, message_t *message,
 	other_id = this->ike_sa->get_other_id(this->ike_sa);
 	keymat = this->ike_sa->get_keymat(this->ike_sa);
 	auth_data = keymat->get_psk_sig(keymat, TRUE, init, nonce,
-									this->msk, other_id);
+									this->msk, other_id, this->reserved);
 	recv_auth_data = auth_payload->get_data(auth_payload);
 	if (!auth_data.len || !chunk_equals(auth_data, recv_auth_data))
 	{
@@ -458,7 +463,8 @@ static void build_auth(private_eap_authenticator_t *this, message_t *message,
 	DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N",
 		 my_id, auth_class_names, AUTH_CLASS_EAP);
 
-	auth_data = keymat->get_psk_sig(keymat, FALSE, init, nonce, this->msk, my_id);
+	auth_data = keymat->get_psk_sig(keymat, FALSE, init, nonce,
+									this->msk, my_id, this->reserved);
 	auth_payload = auth_payload_create();
 	auth_payload->set_auth_method(auth_payload, AUTH_PSK);
 	auth_payload->set_data(auth_payload, auth_data);
@@ -642,7 +648,8 @@ METHOD(authenticator_t, destroy, void,
  */
 eap_authenticator_t *eap_authenticator_create_builder(ike_sa_t *ike_sa,
 									chunk_t received_nonce, chunk_t sent_nonce,
-									chunk_t received_init, chunk_t sent_init)
+									chunk_t received_init, chunk_t sent_init,
+									char reserved[3])
 {
 	private_eap_authenticator_t *this;
 
@@ -661,6 +668,7 @@ eap_authenticator_t *eap_authenticator_create_builder(ike_sa_t *ike_sa,
 		.sent_init = sent_init,
 		.sent_nonce = sent_nonce,
 	);
+	memcpy(this->reserved, reserved, sizeof(this->reserved));
 
 	return &this->public;
 }
@@ -670,7 +678,8 @@ eap_authenticator_t *eap_authenticator_create_builder(ike_sa_t *ike_sa,
  */
 eap_authenticator_t *eap_authenticator_create_verifier(ike_sa_t *ike_sa,
 									chunk_t received_nonce, chunk_t sent_nonce,
-									chunk_t received_init, chunk_t sent_init)
+									chunk_t received_init, chunk_t sent_init,
+									char reserved[3])
 {
 	private_eap_authenticator_t *this;
 
@@ -689,6 +698,7 @@ eap_authenticator_t *eap_authenticator_create_verifier(ike_sa_t *ike_sa,
 		.sent_init = sent_init,
 		.sent_nonce = sent_nonce,
 	);
+	memcpy(this->reserved, reserved, sizeof(this->reserved));
 
 	return &this->public;
 }
diff --git a/src/libcharon/sa/authenticators/eap_authenticator.h b/src/libcharon/sa/authenticators/eap_authenticator.h
index 41eb6a8c9..726411a18 100644
--- a/src/libcharon/sa/authenticators/eap_authenticator.h
+++ b/src/libcharon/sa/authenticators/eap_authenticator.h
@@ -75,11 +75,13 @@ struct eap_authenticator_t {
  * @param sent_nonce		nonce sent in IKE_SA_INIT
  * @param received_init		received IKE_SA_INIT message data
  * @param sent_init			sent IKE_SA_INIT message data
+ * @param reserved			reserved bytes of ID payload
  * @return					EAP authenticator
  */
 eap_authenticator_t *eap_authenticator_create_builder(ike_sa_t *ike_sa,
 									chunk_t received_nonce, chunk_t sent_nonce,
-									chunk_t received_init, chunk_t sent_init);
+									chunk_t received_init, chunk_t sent_init,
+									char reserved[3]);
 
 /**
  * Create an authenticator to authenticate EAP clients.
@@ -89,10 +91,12 @@ eap_authenticator_t *eap_authenticator_create_builder(ike_sa_t *ike_sa,
  * @param sent_nonce		nonce sent in IKE_SA_INIT
  * @param received_init		received IKE_SA_INIT message data
  * @param sent_init			sent IKE_SA_INIT message data
+ * @param reserved			reserved bytes of ID payload
  * @return					EAP authenticator
  */
 eap_authenticator_t *eap_authenticator_create_verifier(ike_sa_t *ike_sa,
 									chunk_t received_nonce, chunk_t sent_nonce,
-									chunk_t received_init, chunk_t sent_init);
+									chunk_t received_init, chunk_t sent_init,
+									char reserved[3]);
 
 #endif /** EAP_AUTHENTICATOR_H_ @}*/
diff --git a/src/libcharon/sa/authenticators/psk_authenticator.c b/src/libcharon/sa/authenticators/psk_authenticator.c
index e69f30dcf..21fc0f9b8 100644
--- a/src/libcharon/sa/authenticators/psk_authenticator.c
+++ b/src/libcharon/sa/authenticators/psk_authenticator.c
@@ -45,12 +45,15 @@ struct private_psk_authenticator_t {
 	 * IKE_SA_INIT message data to include in AUTH calculation
 	 */
 	chunk_t ike_sa_init;
+
+	/**
+	 * Reserved bytes of ID payload
+	 */
+	char reserved[3];
 };
 
-/*
- * Implementation of authenticator_t.build for builder
- */
-static status_t build(private_psk_authenticator_t *this, message_t *message)
+METHOD(authenticator_t, build, status_t,
+	private_psk_authenticator_t *this, message_t *message)
 {
 	identification_t *my_id, *other_id;
 	auth_payload_t *auth_payload;
@@ -70,7 +73,7 @@ static status_t build(private_psk_authenticator_t *this, message_t *message)
 		return NOT_FOUND;
 	}
 	auth_data = keymat->get_psk_sig(keymat, FALSE, this->ike_sa_init,
-									this->nonce, key->get_key(key), my_id);
+						this->nonce, key->get_key(key), my_id, this->reserved);
 	key->destroy(key);
 	DBG2(DBG_IKE, "successfully created shared key MAC");
 	auth_payload = auth_payload_create();
@@ -82,10 +85,8 @@ static status_t build(private_psk_authenticator_t *this, message_t *message)
 	return SUCCESS;
 }
 
-/**
- * Implementation of authenticator_t.process for verifier
- */
-static status_t process(private_psk_authenticator_t *this, message_t *message)
+METHOD(authenticator_t, process, status_t,
+	private_psk_authenticator_t *this, message_t *message)
 {
 	chunk_t auth_data, recv_auth_data;
 	identification_t *my_id, *other_id;
@@ -113,7 +114,7 @@ static status_t process(private_psk_authenticator_t *this, message_t *message)
 		keys_found++;
 
 		auth_data = keymat->get_psk_sig(keymat, TRUE, this->ike_sa_init,
-									this->nonce, key->get_key(key), other_id);
+				this->nonce, key->get_key(key), other_id, this->reserved);
 		if (auth_data.len && chunk_equals(auth_data, recv_auth_data))
 		{
 			DBG1(DBG_IKE, "authentication of '%Y' with %N successful",
@@ -141,19 +142,8 @@ static status_t process(private_psk_authenticator_t *this, message_t *message)
 	return SUCCESS;
 }
 
-/**
- * Implementation of authenticator_t.process for builder
- * Implementation of authenticator_t.build for verifier
- */
-static status_t return_failed()
-{
-	return FAILED;
-}
-
-/**
- * Implementation of authenticator_t.destroy.
- */
-static void destroy(private_psk_authenticator_t *this)
+METHOD(authenticator_t, destroy, void,
+	private_psk_authenticator_t *this)
 {
 	free(this);
 }
@@ -162,18 +152,25 @@ static void destroy(private_psk_authenticator_t *this)
  * Described in header.
  */
 psk_authenticator_t *psk_authenticator_create_builder(ike_sa_t *ike_sa,
-									chunk_t received_nonce, chunk_t sent_init)
+									chunk_t received_nonce, chunk_t sent_init,
+									char reserved[3])
 {
-	private_psk_authenticator_t *this = malloc_thing(private_psk_authenticator_t);
-
-	this->public.authenticator.build = (status_t(*)(authenticator_t*, message_t *message))build;
-	this->public.authenticator.process = (status_t(*)(authenticator_t*, message_t *message))return_failed;
-	this->public.authenticator.is_mutual = (bool(*)(authenticator_t*))return_false;
-	this->public.authenticator.destroy = (void(*)(authenticator_t*))destroy;
-
-	this->ike_sa = ike_sa;
-	this->ike_sa_init = sent_init;
-	this->nonce = received_nonce;
+	private_psk_authenticator_t *this;
+
+	INIT(this,
+		.public = {
+			.authenticator = {
+				.build = _build,
+				.process = (void*)return_failed,
+				.is_mutual = (void*)return_false,
+				.destroy = _destroy,
+			},
+		},
+		.ike_sa = ike_sa,
+		.ike_sa_init = sent_init,
+		.nonce = received_nonce,
+	);
+	memcpy(this->reserved, reserved, sizeof(this->reserved));
 
 	return &this->public;
 }
@@ -182,18 +179,25 @@ psk_authenticator_t *psk_authenticator_create_builder(ike_sa_t *ike_sa,
  * Described in header.
  */
 psk_authenticator_t *psk_authenticator_create_verifier(ike_sa_t *ike_sa,
-									chunk_t sent_nonce, chunk_t received_init)
+									chunk_t sent_nonce, chunk_t received_init,
+									char reserved[3])
 {
-	private_psk_authenticator_t *this = malloc_thing(private_psk_authenticator_t);
-
-	this->public.authenticator.build = (status_t(*)(authenticator_t*, message_t *messageh))return_failed;
-	this->public.authenticator.process = (status_t(*)(authenticator_t*, message_t *message))process;
-	this->public.authenticator.is_mutual = (bool(*)(authenticator_t*))return_false;
-	this->public.authenticator.destroy = (void(*)(authenticator_t*))destroy;
-
-	this->ike_sa = ike_sa;
-	this->ike_sa_init = received_init;
-	this->nonce = sent_nonce;
+	private_psk_authenticator_t *this;
+
+	INIT(this,
+		.public = {
+			.authenticator = {
+				.build = (void*)return_failed,
+				.process = _process,
+				.is_mutual = (void*)return_false,
+				.destroy = _destroy,
+			},
+		},
+		.ike_sa = ike_sa,
+		.ike_sa_init = received_init,
+		.nonce = sent_nonce,
+	);
+	memcpy(this->reserved, reserved, sizeof(this->reserved));
 
 	return &this->public;
 }
diff --git a/src/libcharon/sa/authenticators/psk_authenticator.h b/src/libcharon/sa/authenticators/psk_authenticator.h
index 0fab11095..8cf1a0f98 100644
--- a/src/libcharon/sa/authenticators/psk_authenticator.h
+++ b/src/libcharon/sa/authenticators/psk_authenticator.h
@@ -42,10 +42,12 @@ struct psk_authenticator_t {
  * @param ike_sa			associated ike_sa
  * @param received_nonce	nonce received in IKE_SA_INIT
  * @param sent_init			sent IKE_SA_INIT message data
+ * @param reserved			reserved bytes of ID payload
  * @return					PSK authenticator
  */
 psk_authenticator_t *psk_authenticator_create_builder(ike_sa_t *ike_sa,
-									chunk_t received_nonce, chunk_t sent_init);
+									chunk_t received_nonce, chunk_t sent_init,
+									char reserved[3]);
 
 /**
  * Create an authenticator to verify PSK signatures.
@@ -53,9 +55,11 @@ psk_authenticator_t *psk_authenticator_create_builder(ike_sa_t *ike_sa,
  * @param ike_sa			associated ike_sa
  * @param sent_nonce		nonce sent in IKE_SA_INIT
  * @param received_init		received IKE_SA_INIT message data
+ * @param reserved			reserved bytes of ID payload
  * @return					PSK authenticator
  */
 psk_authenticator_t *psk_authenticator_create_verifier(ike_sa_t *ike_sa,
-									chunk_t sent_nonce, chunk_t received_init);
+									chunk_t sent_nonce, chunk_t received_init,
+									char reserved[3]);
 
 #endif /** PSK_AUTHENTICATOR_H_ @}*/
diff --git a/src/libcharon/sa/authenticators/pubkey_authenticator.c b/src/libcharon/sa/authenticators/pubkey_authenticator.c
index 54b4338bb..247891670 100644
--- a/src/libcharon/sa/authenticators/pubkey_authenticator.c
+++ b/src/libcharon/sa/authenticators/pubkey_authenticator.c
@@ -46,12 +46,15 @@ struct private_pubkey_authenticator_t {
 	 * IKE_SA_INIT message data to include in AUTH calculation
 	 */
 	chunk_t ike_sa_init;
+
+	/**
+	 * Reserved bytes of ID payload
+	 */
+	char reserved[3];
 };
 
-/**
- * Implementation of authenticator_t.build for builder
- */
-static status_t build(private_pubkey_authenticator_t *this, message_t *message)
+METHOD(authenticator_t, build, status_t,
+	private_pubkey_authenticator_t *this, message_t *message)
 {
 	chunk_t octets, auth_data;
 	status_t status = FAILED;
@@ -109,7 +112,7 @@ static status_t build(private_pubkey_authenticator_t *this, message_t *message)
 	}
 	keymat = this->ike_sa->get_keymat(this->ike_sa);
 	octets = keymat->get_auth_octets(keymat, FALSE, this->ike_sa_init,
-									 this->nonce, id);
+									 this->nonce, id, this->reserved);
 	if (private->sign(private, scheme, octets, &auth_data))
 	{
 		auth_payload = auth_payload_create();
@@ -128,10 +131,8 @@ static status_t build(private_pubkey_authenticator_t *this, message_t *message)
 	return status;
 }
 
-/**
- * Implementation of authenticator_t.process for verifier
- */
-static status_t process(private_pubkey_authenticator_t *this, message_t *message)
+METHOD(authenticator_t, process, status_t,
+	private_pubkey_authenticator_t *this, message_t *message)
 {
 	public_key_t *public;
 	auth_method_t auth_method;
@@ -175,7 +176,7 @@ static status_t process(private_pubkey_authenticator_t *this, message_t *message
 	id = this->ike_sa->get_other_id(this->ike_sa);
 	keymat = this->ike_sa->get_keymat(this->ike_sa);
 	octets = keymat->get_auth_octets(keymat, TRUE, this->ike_sa_init,
-									 this->nonce, id);
+									 this->nonce, id, this->reserved);
 	auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
 	enumerator = lib->credmgr->create_public_enumerator(lib->credmgr,
 														key_type, id, auth);
@@ -206,19 +207,8 @@ static status_t process(private_pubkey_authenticator_t *this, message_t *message
 	return status;
 }
 
-/**
- * Implementation of authenticator_t.process for builder
- * Implementation of authenticator_t.build for verifier
- */
-static status_t return_failed()
-{
-	return FAILED;
-}
-
-/**
- * Implementation of authenticator_t.destroy.
- */
-static void destroy(private_pubkey_authenticator_t *this)
+METHOD(authenticator_t, destroy, void,
+	private_pubkey_authenticator_t *this)
 {
 	free(this);
 }
@@ -227,18 +217,25 @@ static void destroy(private_pubkey_authenticator_t *this)
  * Described in header.
  */
 pubkey_authenticator_t *pubkey_authenticator_create_builder(ike_sa_t *ike_sa,
-									chunk_t received_nonce, chunk_t sent_init)
+									chunk_t received_nonce, chunk_t sent_init,
+									char reserved[3])
 {
-	private_pubkey_authenticator_t *this = malloc_thing(private_pubkey_authenticator_t);
+	private_pubkey_authenticator_t *this;
 
-	this->public.authenticator.build = (status_t(*)(authenticator_t*, message_t *message))build;
-	this->public.authenticator.process = (status_t(*)(authenticator_t*, message_t *message))return_failed;
-	this->public.authenticator.is_mutual = (bool(*)(authenticator_t*))return_false;
-	this->public.authenticator.destroy = (void(*)(authenticator_t*))destroy;
-
-	this->ike_sa = ike_sa;
-	this->ike_sa_init = sent_init;
-	this->nonce = received_nonce;
+	INIT(this,
+		.public = {
+			.authenticator = {
+				.build = _build,
+				.process = (void*)return_failed,
+				.is_mutual = (void*)return_false,
+				.destroy = _destroy,
+			},
+		},
+		.ike_sa = ike_sa,
+		.ike_sa_init = sent_init,
+		.nonce = received_nonce,
+	);
+	memcpy(this->reserved, reserved, sizeof(this->reserved));
 
 	return &this->public;
 }
@@ -247,18 +244,25 @@ pubkey_authenticator_t *pubkey_authenticator_create_builder(ike_sa_t *ike_sa,
  * Described in header.
  */
 pubkey_authenticator_t *pubkey_authenticator_create_verifier(ike_sa_t *ike_sa,
-									chunk_t sent_nonce, chunk_t received_init)
+									chunk_t sent_nonce, chunk_t received_init,
+									char reserved[3])
 {
-	private_pubkey_authenticator_t *this = malloc_thing(private_pubkey_authenticator_t);
-
-	this->public.authenticator.build = (status_t(*)(authenticator_t*, message_t *message))return_failed;
-	this->public.authenticator.process = (status_t(*)(authenticator_t*, message_t *message))process;
-	this->public.authenticator.is_mutual = (bool(*)(authenticator_t*))return_false;
-	this->public.authenticator.destroy = (void(*)(authenticator_t*))destroy;
+	private_pubkey_authenticator_t *this;
 
-	this->ike_sa = ike_sa;
-	this->ike_sa_init = received_init;
-	this->nonce = sent_nonce;
+	INIT(this,
+		.public = {
+			.authenticator = {
+				.build = (void*)return_failed,
+				.process = _process,
+				.is_mutual = (void*)return_false,
+				.destroy = _destroy,
+			},
+		},
+		.ike_sa = ike_sa,
+		.ike_sa_init = received_init,
+		.nonce = sent_nonce,
+	);
+	memcpy(this->reserved, reserved, sizeof(this->reserved));
 
 	return &this->public;
 }
diff --git a/src/libcharon/sa/authenticators/pubkey_authenticator.h b/src/libcharon/sa/authenticators/pubkey_authenticator.h
index be369cb89..4c3937ecc 100644
--- a/src/libcharon/sa/authenticators/pubkey_authenticator.h
+++ b/src/libcharon/sa/authenticators/pubkey_authenticator.h
@@ -43,10 +43,12 @@ struct pubkey_authenticator_t {
  * @param ike_sa			associated ike_sa
  * @param received_nonce	nonce received in IKE_SA_INIT
  * @param sent_init			sent IKE_SA_INIT message data
+ * @param reserved			reserved bytes of ID payload
  * @return					public key authenticator
  */
 pubkey_authenticator_t *pubkey_authenticator_create_builder(ike_sa_t *ike_sa,
-									chunk_t received_nonce, chunk_t sent_init);
+									chunk_t received_nonce, chunk_t sent_init,
+									char reserved[3]);
 
 /**
  * Create an authenticator to verify public key signatures.
@@ -54,9 +56,11 @@ pubkey_authenticator_t *pubkey_authenticator_create_builder(ike_sa_t *ike_sa,
  * @param ike_sa			associated ike_sa
  * @param sent_nonce		nonce sent in IKE_SA_INIT
  * @param received_init		received IKE_SA_INIT message data
+ * @param reserved			reserved bytes of ID payload
  * @return					public key authenticator
  */
 pubkey_authenticator_t *pubkey_authenticator_create_verifier(ike_sa_t *ike_sa,
-									chunk_t sent_nonce, chunk_t received_init);
+									chunk_t sent_nonce, chunk_t received_init,
+									char reserved[3]);
 
 #endif /** PUBKEY_AUTHENTICATOR_H_ @}*/
diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c
index b6ef31da0..495929965 100644
--- a/src/libcharon/sa/child_sa.c
+++ b/src/libcharon/sa/child_sa.c
@@ -559,13 +559,14 @@ METHOD(child_sa_t, alloc_cpi, u_int16_t,
 
 METHOD(child_sa_t, install, status_t,
 	   private_child_sa_t *this, chunk_t encr, chunk_t integ, u_int32_t spi,
-	   u_int16_t cpi, bool inbound, linked_list_t *my_ts,
+	   u_int16_t cpi, bool inbound, bool tfcv3, linked_list_t *my_ts,
 	   linked_list_t *other_ts)
 {
 	u_int16_t enc_alg = ENCR_UNDEFINED, int_alg = AUTH_UNDEFINED, size;
 	traffic_selector_t *src_ts = NULL, *dst_ts = NULL;
 	time_t now;
 	lifetime_cfg_t *lifetime;
+	u_int32_t tfc = 0;
 	host_t *src, *dst;
 	status_t status;
 	bool update = FALSE;
@@ -590,6 +591,11 @@ METHOD(child_sa_t, install, status_t,
 		dst = this->other_addr;
 		this->other_spi = spi;
 		this->other_cpi = cpi;
+
+		if (tfcv3)
+		{
+			tfc = this->config->get_tfc(this->config);
+		}
 	}
 
 	DBG2(DBG_CHD, "adding %s %N SA", inbound ? "inbound" : "outbound",
@@ -620,7 +626,7 @@ METHOD(child_sa_t, install, status_t,
 		lifetime->time.rekey = 0;
 	}
 
-	if (this->mode == MODE_BEET)
+	if (this->mode == MODE_BEET || this->mode == MODE_TRANSPORT)
 	{
 		/* BEET requires the bound address from the traffic selectors.
 		 * TODO: We add just the first traffic selector for now, as the
@@ -639,7 +645,7 @@ METHOD(child_sa_t, install, status_t,
 
 	status = hydra->kernel_interface->add_sa(hydra->kernel_interface,
 				src, dst, spi, proto_ike2ip(this->protocol), this->reqid,
-				inbound ? this->mark_in : this->mark_out,
+				inbound ? this->mark_in : this->mark_out, tfc,
 				lifetime, enc_alg, encr, int_alg, integ, this->mode,
 				this->ipcomp, cpi, this->encap, update, src_ts, dst_ts);
 
diff --git a/src/libcharon/sa/child_sa.h b/src/libcharon/sa/child_sa.h
index 95bc297b0..f17ef01ac 100644
--- a/src/libcharon/sa/child_sa.h
+++ b/src/libcharon/sa/child_sa.h
@@ -313,12 +313,13 @@ struct child_sa_t {
 	 * @param spi		SPI to use, allocated for inbound
 	 * @param cpi		CPI to use, allocated for outbound
 	 * @param inbound	TRUE to install an inbound SA, FALSE for outbound
+	 * @param tfcv3		TRUE if peer supports ESPv3 TFC
 	 * @param my_ts		negotiated local traffic selector list
 	 * @param other_ts	negotiated remote traffic selector list
 	 * @return			SUCCESS or FAILED
 	 */
 	status_t (*install)(child_sa_t *this, chunk_t encr, chunk_t integ,
-						u_int32_t spi, u_int16_t cpi, bool inbound,
+						u_int32_t spi, u_int16_t cpi, bool inbound, bool tfcv3,
 						linked_list_t *my_ts, linked_list_t *other_ts);
 	/**
 	 * Install the policies using some traffic selectors.
diff --git a/src/libcharon/sa/connect_manager.c b/src/libcharon/sa/connect_manager.c
index 1fb286863..972cc98ad 100644
--- a/src/libcharon/sa/connect_manager.c
+++ b/src/libcharon/sa/connect_manager.c
@@ -1194,7 +1194,10 @@ static job_requeue_t initiate_mediated(initiate_data_t *data)
 				DBG1(DBG_IKE, "establishing mediated connection failed");
 				charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, sa);
 			}
-			charon->ike_sa_manager->checkin(charon->ike_sa_manager, sa);
+			else
+			{
+				charon->ike_sa_manager->checkin(charon->ike_sa_manager, sa);
+			}
 		}
 		iterator->destroy(iterator);
 	}
diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c
index a4e4028ab..9b6f9d06d 100644
--- a/src/libcharon/sa/ike_sa.c
+++ b/src/libcharon/sa/ike_sa.c
@@ -50,6 +50,7 @@
 #include <processing/jobs/send_dpd_job.h>
 #include <processing/jobs/send_keepalive_job.h>
 #include <processing/jobs/rekey_ike_sa_job.h>
+#include <encoding/payloads/unknown_payload.h>
 
 #ifdef ME
 #include <sa/tasks/ike_me.h>
@@ -559,13 +560,6 @@ METHOD(ike_sa_t, send_dpd, status_t,
 	time_t diff, delay;
 
 	delay = this->peer_cfg->get_dpd(this->peer_cfg);
-
-	if (delay == 0)
-	{
-		/* DPD disabled */
-		return SUCCESS;
-	}
-
 	if (this->task_manager->busy(this->task_manager))
 	{
 		/* an exchange is in the air, no need to start a DPD check */
@@ -578,7 +572,7 @@ METHOD(ike_sa_t, send_dpd, status_t,
 		last_in = get_use_time(this, TRUE);
 		now = time_monotonic(NULL);
 		diff = now - last_in;
-		if (diff >= delay)
+		if (!delay || diff >= delay)
 		{
 			/* to long ago, initiate dead peer detection */
 			task_t *task;
@@ -604,8 +598,11 @@ METHOD(ike_sa_t, send_dpd, status_t,
 		}
 	}
 	/* recheck in "interval" seconds */
-	job = (job_t*)send_dpd_job_create(this->ike_sa_id);
-	lib->scheduler->schedule_job(lib->scheduler, job, delay - diff);
+	if (delay)
+	{
+		job = (job_t*)send_dpd_job_create(this->ike_sa_id);
+		lib->scheduler->schedule_job(lib->scheduler, job, delay - diff);
+	}
 	return SUCCESS;
 }
 
@@ -680,7 +677,10 @@ METHOD(ike_sa_t, set_state, void,
 				}
 
 				/* start DPD checks */
-				send_dpd(this);
+				if (this->peer_cfg->get_dpd(this->peer_cfg))
+				{
+					send_dpd(this);
+				}
 			}
 			break;
 		}
@@ -825,7 +825,7 @@ METHOD(ike_sa_t, float_ports, void,
 }
 
 METHOD(ike_sa_t, update_hosts, void,
-	private_ike_sa_t *this, host_t *me, host_t *other)
+	private_ike_sa_t *this, host_t *me, host_t *other, bool force)
 {
 	bool update = FALSE;
 
@@ -858,7 +858,7 @@ METHOD(ike_sa_t, update_hosts, void,
 		if (!other->equals(other, this->other_host))
 		{
 			/* update others adress if we are NOT NATed */
-			if (!has_condition(this, COND_NAT_HERE))
+			if (force || !has_condition(this, COND_NAT_HERE))
 			{
 				set_other_host(this, other->clone(other));
 				update = TRUE;
@@ -891,8 +891,14 @@ METHOD(ike_sa_t, update_hosts, void,
 METHOD(ike_sa_t, generate_message, status_t,
 	private_ike_sa_t *this, message_t *message, packet_t **packet)
 {
+	if (message->is_encoded(message))
+	{	/* already done */
+		*packet = message->get_packet(message);
+		return SUCCESS;
+	}
 	this->stats[STAT_OUTBOUND] = time_monotonic(NULL);
 	message->set_ike_sa_id(message, this->ike_sa_id);
+	charon->bus->message(charon->bus, message, FALSE);
 	return message->generate(message,
 				this->keymat->get_aead(this->keymat, FALSE), packet);
 }
@@ -901,7 +907,7 @@ METHOD(ike_sa_t, generate_message, status_t,
  * send a notify back to the sender
  */
 static void send_notify_response(private_ike_sa_t *this, message_t *request,
-								 notify_type_t type)
+								 notify_type_t type, chunk_t data)
 {
 	message_t *response;
 	packet_t *packet;
@@ -910,7 +916,7 @@ static void send_notify_response(private_ike_sa_t *this, message_t *request,
 	response->set_exchange_type(response, request->get_exchange_type(request));
 	response->set_request(response, FALSE);
 	response->set_message_id(response, request->get_message_id(request));
-	response->add_notify(response, FALSE, type, chunk_empty);
+	response->add_notify(response, FALSE, type, data);
 	if (this->my_host->is_anyaddr(this->my_host))
 	{
 		this->my_host->destroy(this->my_host);
@@ -1175,6 +1181,7 @@ METHOD(ike_sa_t, process_message, status_t,
 {
 	status_t status;
 	bool is_request;
+	u_int8_t type = 0;
 
 	if (this->state == IKE_PASSIVE)
 	{	/* do not handle messages in passive state */
@@ -1185,9 +1192,29 @@ METHOD(ike_sa_t, process_message, status_t,
 
 	status = message->parse_body(message,
 								 this->keymat->get_aead(this->keymat, TRUE));
+	if (status == SUCCESS)
+	{	/* check for unsupported critical payloads */
+		enumerator_t *enumerator;
+		unknown_payload_t *unknown;
+		payload_t *payload;
+
+		enumerator = message->create_payload_enumerator(message);
+		while (enumerator->enumerate(enumerator, &payload))
+		{
+			unknown = (unknown_payload_t*)payload;
+			type = payload->get_type(payload);
+			if (!payload_is_known(type) &&
+				unknown->is_critical(unknown))
+			{
+				DBG1(DBG_ENC, "payload type %N is not supported, "
+					 "but its critical!", payload_type_names, type);
+				status = NOT_SUPPORTED;
+			}
+		}
+		enumerator->destroy(enumerator);
+	}
 	if (status != SUCCESS)
 	{
-
 		if (is_request)
 		{
 			switch (status)
@@ -1196,21 +1223,28 @@ METHOD(ike_sa_t, process_message, status_t,
 					DBG1(DBG_IKE, "critical unknown payloads found");
 					if (is_request)
 					{
-						send_notify_response(this, message, UNSUPPORTED_CRITICAL_PAYLOAD);
+						send_notify_response(this, message,
+											 UNSUPPORTED_CRITICAL_PAYLOAD,
+											 chunk_from_thing(type));
+						this->task_manager->incr_mid(this->task_manager, FALSE);
 					}
 					break;
 				case PARSE_ERROR:
 					DBG1(DBG_IKE, "message parsing failed");
 					if (is_request)
 					{
-						send_notify_response(this, message, INVALID_SYNTAX);
+						send_notify_response(this, message,
+											 INVALID_SYNTAX, chunk_empty);
+						this->task_manager->incr_mid(this->task_manager, FALSE);
 					}
 					break;
 				case VERIFY_ERROR:
 					DBG1(DBG_IKE, "message verification failed");
 					if (is_request)
 					{
-						send_notify_response(this, message, INVALID_SYNTAX);
+						send_notify_response(this, message,
+											 INVALID_SYNTAX, chunk_empty);
+						this->task_manager->incr_mid(this->task_manager, FALSE);
 					}
 					break;
 				case FAILED:
@@ -1219,10 +1253,6 @@ METHOD(ike_sa_t, process_message, status_t,
 					break;
 				case INVALID_STATE:
 					DBG1(DBG_IKE, "found encrypted message, but no keys available");
-					if (is_request)
-					{
-						send_notify_response(this, message, INVALID_SYNTAX);
-					}
 				default:
 					break;
 			}
@@ -1252,7 +1282,8 @@ METHOD(ike_sa_t, process_message, status_t,
 				/* no config found for these hosts, destroy */
 				DBG1(DBG_IKE, "no IKE config found for %H...%H, sending %N",
 					 me, other, notify_type_names, NO_PROPOSAL_CHOSEN);
-				send_notify_response(this, message, NO_PROPOSAL_CHOSEN);
+				send_notify_response(this, message,
+									 NO_PROPOSAL_CHOSEN, chunk_empty);
 				return DESTROY_ME;
 			}
 			/* add a timeout if peer does not establish it completely */
diff --git a/src/libcharon/sa/ike_sa.h b/src/libcharon/sa/ike_sa.h
index c0007e27d..988100bcc 100644
--- a/src/libcharon/sa/ike_sa.h
+++ b/src/libcharon/sa/ike_sa.h
@@ -343,8 +343,9 @@ struct ike_sa_t {
 	 *
 	 * @param me			new local host address, or NULL
 	 * @param other			new remote host address, or NULL
+	 * @param force			force update
 	 */
-	void (*update_hosts)(ike_sa_t *this, host_t *me, host_t *other);
+	void (*update_hosts)(ike_sa_t *this, host_t *me, host_t *other, bool force);
 
 	/**
 	 * Get the own identification.
diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c
index fa94bb86d..d695c7f7c 100644
--- a/src/libcharon/sa/ike_sa_manager.c
+++ b/src/libcharon/sa/ike_sa_manager.c
@@ -1,6 +1,7 @@
 /*
+ * Copyright (C) 2005-2011 Martin Willi
+ * Copyright (C) 2011 revosec AG
  * Copyright (C) 2008 Tobias Brunner
- * Copyright (C) 2005-2008 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
  *
@@ -85,7 +86,9 @@ struct entry_t {
 	chunk_t init_hash;
 
 	/**
-	 * remote host address, required for DoS detection
+	 * remote host address, required for DoS detection and duplicate
+	 * checking (host with same my_id and other_id is *not* considered
+	 * a duplicate if the address family differs)
 	 */
 	host_t *other;
 
@@ -241,6 +244,9 @@ struct connected_peers_t {
 	/** remote identity */
 	identification_t *other_id;
 
+	/** ip address family of peer */
+	int family;
+
 	/** list of ike_sa_id_t objects of IKE_SAs between the two identities */
 	linked_list_t *sas;
 };
@@ -257,10 +263,12 @@ static void connected_peers_destroy(connected_peers_t *this)
  * Function that matches connected_peers_t objects by the given ids.
  */
 static bool connected_peers_match(connected_peers_t *connected_peers,
-							identification_t *my_id, identification_t *other_id)
+							identification_t *my_id, identification_t *other_id,
+							uintptr_t family)
 {
 	return my_id->equals(my_id, connected_peers->my_id) &&
-		   other_id->equals(other_id, connected_peers->other_id);
+		   other_id->equals(other_id, connected_peers->other_id) &&
+		   family == connected_peers->family;
 }
 
 typedef struct segment_t segment_t;
@@ -396,7 +404,7 @@ static void lock_all_segments(private_ike_sa_manager_t *this)
 {
 	u_int i;
 
-	for (i = 0; i < this->segment_count; ++i)
+	for (i = 0; i < this->segment_count; i++)
 	{
 		this->segments[i].mutex->lock(this->segments[i].mutex);
 	}
@@ -409,7 +417,7 @@ static void unlock_all_segments(private_ike_sa_manager_t *this)
 {
 	u_int i;
 
-	for (i = 0; i < this->segment_count; ++i)
+	for (i = 0; i < this->segment_count; i++)
 	{
 		this->segments[i].mutex->unlock(this->segments[i].mutex);
 	}
@@ -453,10 +461,8 @@ struct private_enumerator_t {
 	enumerator_t *current;
 };
 
-/**
- * Implementation of private_enumerator_t.enumerator.enumerate.
- */
-static bool enumerate(private_enumerator_t *this, entry_t **entry, u_int *segment)
+METHOD(enumerator_t, enumerate, bool,
+	private_enumerator_t *this, entry_t **entry, u_int *segment)
 {
 	if (this->entry)
 	{
@@ -502,10 +508,8 @@ static bool enumerate(private_enumerator_t *this, entry_t **entry, u_int *segmen
 	return FALSE;
 }
 
-/**
- * Implementation of private_enumerator_t.enumerator.destroy.
- */
-static void enumerator_destroy(private_enumerator_t *this)
+METHOD(enumerator_t, enumerator_destroy, void,
+	private_enumerator_t *this)
 {
 	if (this->entry)
 	{
@@ -524,16 +528,15 @@ static void enumerator_destroy(private_enumerator_t *this)
  */
 static enumerator_t* create_table_enumerator(private_ike_sa_manager_t *this)
 {
-	private_enumerator_t *enumerator = malloc_thing(private_enumerator_t);
-
-	enumerator->enumerator.enumerate = (void*)enumerate;
-	enumerator->enumerator.destroy = (void*)enumerator_destroy;
-	enumerator->manager = this;
-	enumerator->segment = 0;
-	enumerator->entry = NULL;
-	enumerator->row = 0;
-	enumerator->current = NULL;
-
+	private_enumerator_t *enumerator;
+
+	INIT(enumerator,
+		.enumerator = {
+			.enumerate = (void*)_enumerate,
+			.destroy = _enumerator_destroy,
+		},
+		.manager = this,
+	);
 	return &enumerator->enumerator;
 }
 
@@ -544,11 +547,14 @@ static enumerator_t* create_table_enumerator(private_ike_sa_manager_t *this)
 static u_int put_entry(private_ike_sa_manager_t *this, entry_t *entry)
 {
 	linked_list_t *list;
-	u_int row = ike_sa_id_hash(entry->ike_sa_id) & this->table_mask;
-	u_int segment = row & this->segment_mask;
+	u_int row, segment;
+
+	row = ike_sa_id_hash(entry->ike_sa_id) & this->table_mask;
+	segment = row & this->segment_mask;
 
 	lock_single_segment(this, segment);
-	if ((list = this->ike_sa_table[row]) == NULL)
+	list = this->ike_sa_table[row];
+	if (!list)
 	{
 		list = this->ike_sa_table[row] = linked_list_create();
 	}
@@ -564,14 +570,17 @@ static u_int put_entry(private_ike_sa_manager_t *this, entry_t *entry)
 static void remove_entry(private_ike_sa_manager_t *this, entry_t *entry)
 {
 	linked_list_t *list;
-	u_int row = ike_sa_id_hash(entry->ike_sa_id) & this->table_mask;
-	u_int segment = row & this->segment_mask;
+	u_int row, segment;
 
-	if ((list = this->ike_sa_table[row]) != NULL)
+	row = ike_sa_id_hash(entry->ike_sa_id) & this->table_mask;
+	segment = row & this->segment_mask;
+	list = this->ike_sa_table[row];
+	if (list)
 	{
 		entry_t *current;
+		enumerator_t *enumerator;
 
-		enumerator_t *enumerator = list->create_enumerator(list);
+		enumerator = list->create_enumerator(list);
 		while (enumerator->enumerate(enumerator, &current))
 		{
 			if (current == entry)
@@ -609,11 +618,14 @@ static status_t get_entry_by_match_function(private_ike_sa_manager_t *this,
 {
 	entry_t *current;
 	linked_list_t *list;
-	u_int row = ike_sa_id_hash(ike_sa_id) & this->table_mask;
-	u_int seg = row & this->segment_mask;
+	u_int row, seg;
+
+	row = ike_sa_id_hash(ike_sa_id) & this->table_mask;
+	seg = row & this->segment_mask;
 
 	lock_single_segment(this, seg);
-	if ((list = this->ike_sa_table[row]) != NULL)
+	list = this->ike_sa_table[row];
+	if (list)
 	{
 		if (list->find_first(list, match, (void**)&current, p1, p2) == SUCCESS)
 		{
@@ -697,19 +709,20 @@ static void put_half_open(private_ike_sa_manager_t *this, entry_t *entry)
 {
 	half_open_t *half_open = NULL;
 	linked_list_t *list;
-	chunk_t addr = entry->other->get_address(entry->other);
-	u_int row = chunk_hash(addr) & this->table_mask;
-	u_int segment = row & this->segment_mask;
+	chunk_t addr;
+	u_int row, segment;
+	rwlock_t *lock;
 
-	rwlock_t *lock = this->half_open_segments[segment].lock;
+	addr = entry->other->get_address(entry->other);
+	row = chunk_hash(addr) & this->table_mask;
+	segment = row & this->segment_mask;
+	lock = this->half_open_segments[segment].lock;
 	lock->write_lock(lock);
-	if ((list = this->half_open_table[row]) == NULL)
-	{
-		list = this->half_open_table[row] = linked_list_create();
-	}
-	else
+	list = this->half_open_table[row];
+	if (list)
 	{
 		half_open_t *current;
+
 		if (list->find_first(list, (linked_list_match_t)half_open_match,
 							 (void**)&current, &addr) == SUCCESS)
 		{
@@ -718,12 +731,17 @@ static void put_half_open(private_ike_sa_manager_t *this, entry_t *entry)
 			this->half_open_segments[segment].count++;
 		}
 	}
+	else
+	{
+		list = this->half_open_table[row] = linked_list_create();
+	}
 
 	if (!half_open)
 	{
-		half_open = malloc_thing(half_open_t);
-		half_open->other = chunk_clone(addr);
-		half_open->count = 1;
+		INIT(half_open,
+			.other = chunk_clone(addr),
+			.count = 1,
+		);
 		list->insert_last(list, half_open);
 		this->half_open_segments[segment].count++;
 	}
@@ -736,16 +754,22 @@ static void put_half_open(private_ike_sa_manager_t *this, entry_t *entry)
 static void remove_half_open(private_ike_sa_manager_t *this, entry_t *entry)
 {
 	linked_list_t *list;
-	chunk_t addr = entry->other->get_address(entry->other);
-	u_int row = chunk_hash(addr) & this->table_mask;
-	u_int segment = row & this->segment_mask;
+	chunk_t addr;
+	u_int row, segment;
+	rwlock_t *lock;
 
-	rwlock_t *lock = this->half_open_segments[segment].lock;
+	addr = entry->other->get_address(entry->other);
+	row = chunk_hash(addr) & this->table_mask;
+	segment = row & this->segment_mask;
+	lock = this->half_open_segments[segment].lock;
 	lock->write_lock(lock);
-	if ((list = this->half_open_table[row]) != NULL)
+	list = this->half_open_table[row];
+	if (list)
 	{
 		half_open_t *current;
-		enumerator_t *enumerator = list->create_enumerator(list);
+		enumerator_t *enumerator;
+
+		enumerator = list->create_enumerator(list);
 		while (enumerator->enumerate(enumerator, &current))
 		{
 			if (half_open_match(current, &addr))
@@ -769,24 +793,26 @@ static void remove_half_open(private_ike_sa_manager_t *this, entry_t *entry)
  */
 static void put_connected_peers(private_ike_sa_manager_t *this, entry_t *entry)
 {
-	linked_list_t *list;
 	connected_peers_t *connected_peers = NULL;
-	chunk_t my_id = entry->my_id->get_encoding(entry->my_id),
-			other_id = entry->other_id->get_encoding(entry->other_id);
-	u_int row = chunk_hash_inc(other_id, chunk_hash(my_id)) & this->table_mask;
-	u_int segment = row & this->segment_mask;
+	chunk_t my_id, other_id;
+	linked_list_t *list;
+	u_int row, segment;
+	rwlock_t *lock;
 
-	rwlock_t *lock = this->connected_peers_segments[segment].lock;
+	my_id = entry->my_id->get_encoding(entry->my_id);
+	other_id = entry->other_id->get_encoding(entry->other_id);
+	row = chunk_hash_inc(other_id, chunk_hash(my_id)) & this->table_mask;
+	segment = row & this->segment_mask;
+	lock = this->connected_peers_segments[segment].lock;
 	lock->write_lock(lock);
-	if ((list = this->connected_peers_table[row]) == NULL)
-	{
-		list = this->connected_peers_table[row] = linked_list_create();
-	}
-	else
+	list = this->connected_peers_table[row];
+	if (list)
 	{
 		connected_peers_t *current;
+
 		if (list->find_first(list, (linked_list_match_t)connected_peers_match,
-					(void**)&current, entry->my_id, entry->other_id) == SUCCESS)
+				(void**)&current, entry->my_id, entry->other_id,
+				(uintptr_t)entry->other->get_family(entry->other)) == SUCCESS)
 		{
 			connected_peers = current;
 			if (connected_peers->sas->find_first(connected_peers->sas,
@@ -798,13 +824,19 @@ static void put_connected_peers(private_ike_sa_manager_t *this, entry_t *entry)
 			}
 		}
 	}
+	else
+	{
+		list = this->connected_peers_table[row] = linked_list_create();
+	}
 
 	if (!connected_peers)
 	{
-		connected_peers = malloc_thing(connected_peers_t);
-		connected_peers->my_id = entry->my_id->clone(entry->my_id);
-		connected_peers->other_id = entry->other_id->clone(entry->other_id);
-		connected_peers->sas = linked_list_create();
+		INIT(connected_peers,
+			.my_id = entry->my_id->clone(entry->my_id),
+			.other_id = entry->other_id->clone(entry->other_id),
+			.family = entry->other->get_family(entry->other),
+			.sas = linked_list_create(),
+		);
 		list->insert_last(list, connected_peers);
 	}
 	connected_peers->sas->insert_last(connected_peers->sas,
@@ -818,24 +850,34 @@ static void put_connected_peers(private_ike_sa_manager_t *this, entry_t *entry)
  */
 static void remove_connected_peers(private_ike_sa_manager_t *this, entry_t *entry)
 {
+	chunk_t my_id, other_id;
 	linked_list_t *list;
-	chunk_t my_id = entry->my_id->get_encoding(entry->my_id),
-			other_id = entry->other_id->get_encoding(entry->other_id);
-	u_int row = chunk_hash_inc(other_id, chunk_hash(my_id)) & this->table_mask;
-	u_int segment = row & this->segment_mask;
+	u_int row, segment;
+	rwlock_t *lock;
+
+	my_id = entry->my_id->get_encoding(entry->my_id);
+	other_id = entry->other_id->get_encoding(entry->other_id);
+	row = chunk_hash_inc(other_id, chunk_hash(my_id)) & this->table_mask;
+	segment = row & this->segment_mask;
 
-	rwlock_t *lock = this->connected_peers_segments[segment].lock;
+	lock = this->connected_peers_segments[segment].lock;
 	lock->write_lock(lock);
-	if ((list = this->connected_peers_table[row]) != NULL)
+	list = this->connected_peers_table[row];
+	if (list)
 	{
 		connected_peers_t *current;
-		enumerator_t *enumerator = list->create_enumerator(list);
+		enumerator_t *enumerator;
+
+		enumerator = list->create_enumerator(list);
 		while (enumerator->enumerate(enumerator, &current))
 		{
-			if (connected_peers_match(current, entry->my_id, entry->other_id))
+			if (connected_peers_match(current, entry->my_id, entry->other_id,
+						(uintptr_t)entry->other->get_family(entry->other)))
 			{
 				ike_sa_id_t *ike_sa_id;
-				enumerator_t *inner = current->sas->create_enumerator(current->sas);
+				enumerator_t *inner;
+
+				inner = current->sas->create_enumerator(current->sas);
 				while (inner->enumerate(inner, &ike_sa_id))
 				{
 					if (ike_sa_id->equals(ike_sa_id, entry->ike_sa_id))
@@ -861,20 +903,21 @@ static void remove_connected_peers(private_ike_sa_manager_t *this, entry_t *entr
 }
 
 /**
- * Implementation of private_ike_sa_manager_t.get_next_spi.
+ * Get a random SPI for new IKE_SAs
  */
-static u_int64_t get_next_spi(private_ike_sa_manager_t *this)
+static u_int64_t get_spi(private_ike_sa_manager_t *this)
 {
-	u_int64_t spi;
+	u_int64_t spi = 0;
 
-	this->rng->get_bytes(this->rng, sizeof(spi), (u_int8_t*)&spi);
+	if (this->rng)
+	{
+		this->rng->get_bytes(this->rng, sizeof(spi), (u_int8_t*)&spi);
+	}
 	return spi;
 }
 
-/**
- * Implementation of of ike_sa_manager.checkout.
- */
-static ike_sa_t* checkout(private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id)
+METHOD(ike_sa_manager_t, checkout, ike_sa_t*,
+	private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id)
 {
 	ike_sa_t *ike_sa = NULL;
 	entry_t *entry;
@@ -897,62 +940,46 @@ static ike_sa_t* checkout(private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id
 	return ike_sa;
 }
 
-/**
- * Implementation of of ike_sa_manager.checkout_new.
- */
-static ike_sa_t *checkout_new(private_ike_sa_manager_t* this, bool initiator)
+METHOD(ike_sa_manager_t, checkout_new, ike_sa_t*,
+	private_ike_sa_manager_t* this, bool initiator)
 {
 	ike_sa_id_t *ike_sa_id;
 	ike_sa_t *ike_sa;
-	entry_t *entry;
-	u_int segment;
 
 	if (initiator)
 	{
-		ike_sa_id = ike_sa_id_create(get_next_spi(this), 0, TRUE);
+		ike_sa_id = ike_sa_id_create(get_spi(this), 0, TRUE);
 	}
 	else
 	{
-		ike_sa_id = ike_sa_id_create(0, get_next_spi(this), FALSE);
+		ike_sa_id = ike_sa_id_create(0, get_spi(this), FALSE);
 	}
 	ike_sa = ike_sa_create(ike_sa_id);
+	ike_sa_id->destroy(ike_sa_id);
 
 	DBG2(DBG_MGR, "created IKE_SA %s[%u]", ike_sa->get_name(ike_sa),
 			ike_sa->get_unique_id(ike_sa));
 
-	if (!initiator)
-	{
-		ike_sa_id->destroy(ike_sa_id);
-		return ike_sa;
-	}
-
-	entry = entry_create();
-	entry->ike_sa_id = ike_sa_id;
-	entry->ike_sa = ike_sa;
-	segment = put_entry(this, entry);
-	entry->checked_out = TRUE;
-	unlock_single_segment(this, segment);
-	return entry->ike_sa;
+	return ike_sa;
 }
 
-/**
- * Implementation of of ike_sa_manager.checkout_by_message.
- */
-static ike_sa_t* checkout_by_message(private_ike_sa_manager_t* this,
-									 message_t *message)
+METHOD(ike_sa_manager_t, checkout_by_message, ike_sa_t*,
+	private_ike_sa_manager_t* this, message_t *message)
 {
 	u_int segment;
 	entry_t *entry;
 	ike_sa_t *ike_sa = NULL;
-	ike_sa_id_t *id = message->get_ike_sa_id(message);
+	ike_sa_id_t *id;
 
+	id = message->get_ike_sa_id(message);
 	id = id->clone(id);
 	id->switch_initiator(id);
 
 	DBG2(DBG_MGR, "checkout IKE_SA by message");
 
 	if (message->get_request(message) &&
-		message->get_exchange_type(message) == IKE_SA_INIT)
+		message->get_exchange_type(message) == IKE_SA_INIT &&
+		this->hasher)
 	{
 		/* IKE_SA_INIT request. Check for an IKE_SA with such a message hash. */
 		chunk_t data, hash;
@@ -988,7 +1015,7 @@ static ike_sa_t* checkout_by_message(private_ike_sa_manager_t* this,
 				message->get_exchange_type(message) == IKE_SA_INIT)
 			{
 				/* no IKE_SA found, create a new one */
-				id->set_responder_spi(id, get_next_spi(this));
+				id->set_responder_spi(id, get_spi(this));
 				entry = entry_create();
 				entry->ike_sa = ike_sa_create(id);
 				entry->ike_sa_id = id->clone(id);
@@ -1048,11 +1075,8 @@ static ike_sa_t* checkout_by_message(private_ike_sa_manager_t* this,
 	return ike_sa;
 }
 
-/**
- * Implementation of of ike_sa_manager.checkout_by_config.
- */
-static ike_sa_t* checkout_by_config(private_ike_sa_manager_t *this,
-									peer_cfg_t *peer_cfg)
+METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
+	private_ike_sa_manager_t *this, peer_cfg_t *peer_cfg)
 {
 	enumerator_t *enumerator;
 	entry_t *entry;
@@ -1107,11 +1131,8 @@ static ike_sa_t* checkout_by_config(private_ike_sa_manager_t *this,
 	return ike_sa;
 }
 
-/**
- * Implementation of of ike_sa_manager.checkout_by_id.
- */
-static ike_sa_t* checkout_by_id(private_ike_sa_manager_t *this, u_int32_t id,
-								bool child)
+METHOD(ike_sa_manager_t, checkout_by_id, ike_sa_t*,
+	private_ike_sa_manager_t *this, u_int32_t id, bool child)
 {
 	enumerator_t *enumerator;
 	iterator_t *children;
@@ -1164,11 +1185,8 @@ static ike_sa_t* checkout_by_id(private_ike_sa_manager_t *this, u_int32_t id,
 	return ike_sa;
 }
 
-/**
- * Implementation of of ike_sa_manager.checkout_by_name.
- */
-static ike_sa_t* checkout_by_name(private_ike_sa_manager_t *this, char *name,
-								  bool child)
+METHOD(ike_sa_manager_t, checkout_by_name, ike_sa_t*,
+	private_ike_sa_manager_t *this, char *name, bool child)
 {
 	enumerator_t *enumerator;
 	iterator_t *children;
@@ -1233,20 +1251,15 @@ static bool enumerator_filter(private_ike_sa_manager_t *this,
 	return FALSE;
 }
 
-/**
- * Implementation of ike_sa_manager_t.create_enumerator.
- */
-static enumerator_t *create_enumerator(private_ike_sa_manager_t* this)
+METHOD(ike_sa_manager_t, create_enumerator, enumerator_t*,
+	private_ike_sa_manager_t* this)
 {
-	return enumerator_create_filter(
-						create_table_enumerator(this),
-						(void*)enumerator_filter, this, NULL);
+	return enumerator_create_filter(create_table_enumerator(this),
+									(void*)enumerator_filter, this, NULL);
 }
 
-/**
- * Implementation of ike_sa_manager_t.checkin.
- */
-static void checkin(private_ike_sa_manager_t *this, ike_sa_t *ike_sa)
+METHOD(ike_sa_manager_t, checkin, void,
+	private_ike_sa_manager_t *this, ike_sa_t *ike_sa)
 {
 	/* to check the SA back in, we look for the pointer of the ike_sa
 	 * in all entries.
@@ -1311,13 +1324,16 @@ static void checkin(private_ike_sa_manager_t *this, ike_sa_t *ike_sa)
 		segment = put_entry(this, entry);
 	}
 
-	/* apply identities for duplicate test (only as responder) */
-	if (!entry->ike_sa_id->is_initiator(entry->ike_sa_id) &&
-		ike_sa->get_state(ike_sa) == IKE_ESTABLISHED &&
+	/* apply identities for duplicate test */
+	if (ike_sa->get_state(ike_sa) == IKE_ESTABLISHED &&
 		entry->my_id == NULL && entry->other_id == NULL)
 	{
 		entry->my_id = my_id->clone(my_id);
 		entry->other_id = other_id->clone(other_id);
+		if (!entry->other)
+		{
+			entry->other = other->clone(other);
+		}
 		put_connected_peers(this, entry);
 	}
 
@@ -1326,10 +1342,8 @@ static void checkin(private_ike_sa_manager_t *this, ike_sa_t *ike_sa)
 	charon->bus->set_sa(charon->bus, NULL);
 }
 
-/**
- * Implementation of ike_sa_manager_t.checkin_and_destroy.
- */
-static void checkin_and_destroy(private_ike_sa_manager_t *this, ike_sa_t *ike_sa)
+METHOD(ike_sa_manager_t, checkin_and_destroy, void,
+	private_ike_sa_manager_t *this, ike_sa_t *ike_sa)
 {
 	/* deletion is a bit complex, we must ensure that no thread is waiting for
 	 * this SA.
@@ -1366,8 +1380,7 @@ static void checkin_and_destroy(private_ike_sa_manager_t *this, ike_sa_t *ike_sa
 		{
 			remove_half_open(this, entry);
 		}
-		if (!entry->ike_sa_id->is_initiator(entry->ike_sa_id) &&
-			entry->my_id && entry->other_id)
+		if (entry->my_id && entry->other_id)
 		{
 			remove_connected_peers(this, entry);
 		}
@@ -1384,11 +1397,8 @@ static void checkin_and_destroy(private_ike_sa_manager_t *this, ike_sa_t *ike_sa
 	charon->bus->set_sa(charon->bus, NULL);
 }
 
-
-/**
- * Implementation of ike_sa_manager_t.check_uniqueness.
- */
-static bool check_uniqueness(private_ike_sa_manager_t *this, ike_sa_t *ike_sa)
+METHOD(ike_sa_manager_t, check_uniqueness, bool,
+	private_ike_sa_manager_t *this, ike_sa_t *ike_sa, bool force_replace)
 {
 	bool cancel = FALSE;
 	peer_cfg_t *peer_cfg;
@@ -1402,7 +1412,7 @@ static bool check_uniqueness(private_ike_sa_manager_t *this, ike_sa_t *ike_sa)
 
 	peer_cfg = ike_sa->get_peer_cfg(ike_sa);
 	policy = peer_cfg->get_unique_policy(peer_cfg);
-	if (policy == UNIQUE_NO)
+	if (policy == UNIQUE_NO && !force_replace)
 	{
 		return FALSE;
 	}
@@ -1416,12 +1426,16 @@ static bool check_uniqueness(private_ike_sa_manager_t *this, ike_sa_t *ike_sa)
 
 	lock = this->connected_peers_segments[segment & this->segment_mask].lock;
 	lock->read_lock(lock);
-	if ((list = this->connected_peers_table[row]) != NULL)
+	list = this->connected_peers_table[row];
+	if (list)
 	{
 		connected_peers_t *current;
+		host_t *other_host;
 
+		other_host = ike_sa->get_other_host(ike_sa);
 		if (list->find_first(list, (linked_list_match_t)connected_peers_match,
-							 (void**)&current, me, other) == SUCCESS)
+					(void**)&current, me, other,
+					(uintptr_t)other_host->get_family(other_host)) == SUCCESS)
 		{
 			/* clone the list, so we can release the lock */
 			duplicate_ids = current->sas->clone_offset(current->sas,
@@ -1446,6 +1460,13 @@ static bool check_uniqueness(private_ike_sa_manager_t *this, ike_sa_t *ike_sa)
 		{
 			continue;
 		}
+		if (force_replace)
+		{
+			DBG1(DBG_IKE, "destroying duplicate IKE_SA for peer '%Y', "
+				 "received INITIAL_CONTACT", other);
+			checkin_and_destroy(this, duplicate);
+			continue;
+		}
 		peer_cfg = duplicate->get_peer_cfg(duplicate);
 		if (peer_cfg && peer_cfg->equals(peer_cfg, ike_sa->get_peer_cfg(ike_sa)))
 		{
@@ -1490,21 +1511,49 @@ static bool check_uniqueness(private_ike_sa_manager_t *this, ike_sa_t *ike_sa)
 	return cancel;
 }
 
-/**
- * Implementation of ike_sa_manager_t.get_half_open_count.
- */
-static int get_half_open_count(private_ike_sa_manager_t *this, host_t *ip)
+METHOD(ike_sa_manager_t, has_contact, bool,
+	private_ike_sa_manager_t *this, identification_t *me,
+	identification_t *other, int family)
+{
+	linked_list_t *list;
+	u_int row, segment;
+	rwlock_t *lock;
+	bool found = FALSE;
+
+	row = chunk_hash_inc(other->get_encoding(other),
+						 chunk_hash(me->get_encoding(me))) & this->table_mask;
+	segment = row & this->segment_mask;
+	lock = this->connected_peers_segments[segment & this->segment_mask].lock;
+	lock->read_lock(lock);
+	list = this->connected_peers_table[row];
+	if (list)
+	{
+		if (list->find_first(list, (linked_list_match_t)connected_peers_match,
+							 NULL, me, other, family) == SUCCESS)
+		{
+			found = TRUE;
+		}
+	}
+	lock->unlock(lock);
+
+	return found;
+}
+
+METHOD(ike_sa_manager_t, get_half_open_count, int,
+	private_ike_sa_manager_t *this, host_t *ip)
 {
+	linked_list_t *list;
+	u_int segment, row;
+	rwlock_t *lock;
+	chunk_t addr;
 	int count = 0;
 
 	if (ip)
 	{
-		linked_list_t *list;
-		chunk_t addr = ip->get_address(ip);
-		u_int row = chunk_hash(addr) & this->table_mask;
-		u_int segment = row & this->segment_mask;
-
-		rwlock_t *lock = this->half_open_segments[segment & this->segment_mask].lock;
+		addr = ip->get_address(ip);
+		row = chunk_hash(addr) & this->table_mask;
+		segment = row & this->segment_mask;
+		lock = this->half_open_segments[segment & this->segment_mask].lock;
 		lock->read_lock(lock);
 		if ((list = this->half_open_table[row]) != NULL)
 		{
@@ -1520,25 +1569,19 @@ static int get_half_open_count(private_ike_sa_manager_t *this, host_t *ip)
 	}
 	else
 	{
-		u_int segment;
-
-		for (segment = 0; segment < this->segment_count; ++segment)
+		for (segment = 0; segment < this->segment_count; segment++)
 		{
-			rwlock_t *lock;
 			lock = this->half_open_segments[segment & this->segment_mask].lock;
 			lock->read_lock(lock);
 			count += this->half_open_segments[segment].count;
 			lock->unlock(lock);
 		}
 	}
-
 	return count;
 }
 
-/**
- * Implementation of ike_sa_manager_t.flush.
- */
-static void flush(private_ike_sa_manager_t *this)
+METHOD(ike_sa_manager_t, flush, void,
+	private_ike_sa_manager_t *this)
 {
 	/* destroy all list entries */
 	enumerator_t *enumerator;
@@ -1602,8 +1645,7 @@ static void flush(private_ike_sa_manager_t *this)
 		{
 			remove_half_open(this, entry);
 		}
-		if (!entry->ike_sa_id->is_initiator(entry->ike_sa_id) &&
-			entry->my_id && entry->other_id)
+		if (entry->my_id && entry->other_id)
 		{
 			remove_connected_peers(this, entry);
 		}
@@ -1615,37 +1657,26 @@ static void flush(private_ike_sa_manager_t *this)
 	unlock_all_segments(this);
 
 	this->rng->destroy(this->rng);
+	this->rng = NULL;
 	this->hasher->destroy(this->hasher);
+	this->hasher = NULL;
 }
 
-/**
- * Implementation of ike_sa_manager_t.destroy.
- */
-static void destroy(private_ike_sa_manager_t *this)
+METHOD(ike_sa_manager_t, destroy, void,
+	private_ike_sa_manager_t *this)
 {
 	u_int i;
 
-	for (i = 0; i < this->table_size; ++i)
+	for (i = 0; i < this->table_size; i++)
 	{
-		linked_list_t *list;
-
-		if ((list = this->ike_sa_table[i]) != NULL)
-		{
-			list->destroy(list);
-		}
-		if ((list = this->half_open_table[i]) != NULL)
-		{
-			list->destroy(list);
-		}
-		if ((list = this->connected_peers_table[i]) != NULL)
-		{
-			list->destroy(list);
-		}
+		DESTROY_IF(this->ike_sa_table[i]);
+		DESTROY_IF(this->half_open_table[i]);
+		DESTROY_IF(this->connected_peers_table[i]);
 	}
 	free(this->ike_sa_table);
 	free(this->half_open_table);
 	free(this->connected_peers_table);
-	for (i = 0; i < this->segment_count; ++i)
+	for (i = 0; i < this->segment_count; i++)
 	{
 		this->segments[i].mutex->destroy(this->segments[i].mutex);
 		this->half_open_segments[i].lock->destroy(this->half_open_segments[i].lock);
@@ -1681,25 +1712,28 @@ static u_int get_nearest_powerof2(u_int n)
  */
 ike_sa_manager_t *ike_sa_manager_create()
 {
+	private_ike_sa_manager_t *this;
 	u_int i;
-	private_ike_sa_manager_t *this = malloc_thing(private_ike_sa_manager_t);
-
-	/* assign public functions */
-	this->public.flush = (void(*)(ike_sa_manager_t*))flush;
-	this->public.destroy = (void(*)(ike_sa_manager_t*))destroy;
-	this->public.checkout = (ike_sa_t*(*)(ike_sa_manager_t*, ike_sa_id_t*))checkout;
-	this->public.checkout_new = (ike_sa_t*(*)(ike_sa_manager_t*,bool))checkout_new;
-	this->public.checkout_by_message = (ike_sa_t*(*)(ike_sa_manager_t*,message_t*))checkout_by_message;
-	this->public.checkout_by_config = (ike_sa_t*(*)(ike_sa_manager_t*,peer_cfg_t*))checkout_by_config;
-	this->public.checkout_by_id = (ike_sa_t*(*)(ike_sa_manager_t*,u_int32_t,bool))checkout_by_id;
-	this->public.checkout_by_name = (ike_sa_t*(*)(ike_sa_manager_t*,char*,bool))checkout_by_name;
-	this->public.check_uniqueness = (bool(*)(ike_sa_manager_t*, ike_sa_t *ike_sa))check_uniqueness;
-	this->public.create_enumerator = (enumerator_t*(*)(ike_sa_manager_t*))create_enumerator;
-	this->public.checkin = (void(*)(ike_sa_manager_t*,ike_sa_t*))checkin;
-	this->public.checkin_and_destroy = (void(*)(ike_sa_manager_t*,ike_sa_t*))checkin_and_destroy;
-	this->public.get_half_open_count = (int(*)(ike_sa_manager_t*,host_t*))get_half_open_count;
-
-	/* initialize private variables */
+
+	INIT(this,
+		.public = {
+			.checkout = _checkout,
+			.checkout_new = _checkout_new,
+			.checkout_by_message = _checkout_by_message,
+			.checkout_by_config = _checkout_by_config,
+			.checkout_by_id = _checkout_by_id,
+			.checkout_by_name = _checkout_by_name,
+			.check_uniqueness = _check_uniqueness,
+			.has_contact = _has_contact,
+			.create_enumerator = _create_enumerator,
+			.checkin = _checkin,
+			.checkin_and_destroy = _checkin_and_destroy,
+			.get_half_open_count = _get_half_open_count,
+			.flush = _flush,
+			.destroy = _destroy,
+		},
+	);
+
 	this->hasher = lib->crypto->create_hasher(lib->crypto, HASH_PREFERRED);
 	if (this->hasher == NULL)
 	{
@@ -1715,6 +1749,7 @@ ike_sa_manager_t *ike_sa_manager_create()
 		free(this);
 		return NULL;
 	}
+
 	this->table_size = get_nearest_powerof2(lib->settings->get_int(lib->settings,
 						"charon.ikesa_table_size", DEFAULT_HASHTABLE_SIZE));
 	this->table_size = max(1, min(this->table_size, MAX_HASHTABLE_SIZE));
@@ -1724,11 +1759,10 @@ ike_sa_manager_t *ike_sa_manager_create()
 						"charon.ikesa_table_segments", DEFAULT_SEGMENT_COUNT));
 	this->segment_count = max(1, min(this->segment_count, this->table_size));
 	this->segment_mask = this->segment_count - 1;
-
 	this->ike_sa_table = calloc(this->table_size, sizeof(linked_list_t*));
 
 	this->segments = (segment_t*)calloc(this->segment_count, sizeof(segment_t));
-	for (i = 0; i < this->segment_count; ++i)
+	for (i = 0; i < this->segment_count; i++)
 	{
 		this->segments[i].mutex = mutex_create(MUTEX_TYPE_RECURSIVE);
 		this->segments[i].count = 0;
@@ -1737,7 +1771,7 @@ ike_sa_manager_t *ike_sa_manager_create()
 	/* we use the same table parameters for the table to track half-open SAs */
 	this->half_open_table = calloc(this->table_size, sizeof(linked_list_t*));
 	this->half_open_segments = calloc(this->segment_count, sizeof(shareable_segment_t));
-	for (i = 0; i < this->segment_count; ++i)
+	for (i = 0; i < this->segment_count; i++)
 	{
 		this->half_open_segments[i].lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
 		this->half_open_segments[i].count = 0;
@@ -1746,7 +1780,7 @@ ike_sa_manager_t *ike_sa_manager_create()
 	/* also for the hash table used for duplicate tests */
 	this->connected_peers_table = calloc(this->table_size, sizeof(linked_list_t*));
 	this->connected_peers_segments = calloc(this->segment_count, sizeof(shareable_segment_t));
-	for (i = 0; i < this->segment_count; ++i)
+	for (i = 0; i < this->segment_count; i++)
 	{
 		this->connected_peers_segments[i].lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
 		this->connected_peers_segments[i].count = 0;
diff --git a/src/libcharon/sa/ike_sa_manager.h b/src/libcharon/sa/ike_sa_manager.h
index f4eabf808..ec157ab3a 100644
--- a/src/libcharon/sa/ike_sa_manager.h
+++ b/src/libcharon/sa/ike_sa_manager.h
@@ -52,9 +52,6 @@ struct ike_sa_manager_t {
 	/**
 	 * Create and check out a new IKE_SA.
 	 *
-	 * @note If initiator equals FALSE, the returned IKE_SA is not registered
-	 * in the manager.
-	 *
 	 * @param initiator			TRUE for initiator, FALSE otherwise
 	 * @returns 				created and checked out IKE_SA
 	 */
@@ -109,10 +106,23 @@ struct ike_sa_manager_t {
 	 * deadlocks occur otherwise.
 	 *
 	 * @param ike_sa			ike_sa to check
+	 * @param force_replace		replace existing SAs, regardless of unique policy
 	 * @return					TRUE, if the given IKE_SA has duplicates and
 	 * 							should be deleted
 	 */
-	bool (*check_uniqueness)(ike_sa_manager_t *this, ike_sa_t *ike_sa);
+	bool (*check_uniqueness)(ike_sa_manager_t *this, ike_sa_t *ike_sa,
+							 bool force_replace);
+
+	/**
+	 * Check if we already have a connected IKE_SA between two identities.
+	 *
+	 * @param me				own identity
+	 * @param other				remote identity
+	 * @param family			address family to include in uniqueness check
+	 * @return					TRUE if we have a connected IKE_SA
+	 */
+	bool (*has_contact)(ike_sa_manager_t *this, identification_t *me,
+						identification_t *other, int family);
 
 	/**
 	 * Check out an IKE_SA a unique ID.
diff --git a/src/libcharon/sa/keymat.c b/src/libcharon/sa/keymat.c
index 878ad124f..33ece24b2 100644
--- a/src/libcharon/sa/keymat.c
+++ b/src/libcharon/sa/keymat.c
@@ -214,7 +214,7 @@ static bool derive_ike_traditional(private_keymat_t *this, u_int16_t enc_alg,
 	{
 		DBG1(DBG_IKE, "%N %N (key size %d) not supported!",
 			 transform_type_names, ENCRYPTION_ALGORITHM,
-			 encryption_algorithm_names, enc_alg, key_size);
+			 encryption_algorithm_names, enc_alg, enc_size);
 		signer_i->destroy(signer_i);
 		signer_r->destroy(signer_r);
 		return FALSE;
@@ -540,7 +540,7 @@ METHOD(keymat_t, get_aead, aead_t*,
 
 METHOD(keymat_t, get_auth_octets, chunk_t,
 	private_keymat_t *this, bool verify, chunk_t ike_sa_init,
-	chunk_t nonce, identification_t *id)
+	chunk_t nonce, identification_t *id, char reserved[3])
 {
 	chunk_t chunk, idx, octets;
 	chunk_t skp;
@@ -548,8 +548,8 @@ METHOD(keymat_t, get_auth_octets, chunk_t,
 	skp = verify ? this->skp_verify : this->skp_build;
 
 	chunk = chunk_alloca(4);
-	memset(chunk.ptr, 0, chunk.len);
 	chunk.ptr[0] = id->get_type(id);
+	memcpy(chunk.ptr + 1, reserved, 3);
 	idx = chunk_cata("cc", chunk, id->get_encoding(id));
 
 	DBG3(DBG_IKE, "IDx' %B", &idx);
@@ -570,7 +570,7 @@ METHOD(keymat_t, get_auth_octets, chunk_t,
 
 METHOD(keymat_t, get_psk_sig, chunk_t,
 	private_keymat_t *this, bool verify, chunk_t ike_sa_init,
-	chunk_t nonce, chunk_t secret, identification_t *id)
+	chunk_t nonce, chunk_t secret, identification_t *id, char reserved[3])
 {
 	chunk_t key_pad, key, sig, octets;
 
@@ -578,7 +578,7 @@ METHOD(keymat_t, get_psk_sig, chunk_t,
 	{	/* EAP uses SK_p if no MSK has been established */
 		secret = verify ? this->skp_verify : this->skp_build;
 	}
-	octets = get_auth_octets(this, verify, ike_sa_init, nonce, id);
+	octets = get_auth_octets(this, verify, ike_sa_init, nonce, id, reserved);
 	/* AUTH = prf(prf(Shared Secret,"Key Pad for IKEv2"), <msg octets>) */
 	key_pad = chunk_create(IKEV2_KEY_PAD, IKEV2_KEY_PAD_LENGTH);
 	this->prf->set_key(this->prf, secret);
diff --git a/src/libcharon/sa/keymat.h b/src/libcharon/sa/keymat.h
index 4f01aa411..11e0fa79a 100644
--- a/src/libcharon/sa/keymat.h
+++ b/src/libcharon/sa/keymat.h
@@ -117,10 +117,12 @@ struct keymat_t {
 	 * @param ike_sa_init	encoded ike_sa_init message
 	 * @param nonce			nonce value
 	 * @param id			identity
+	 * @param reserved		reserved bytes of id_payload
 	 * @return				authentication octets
 	 */
 	chunk_t (*get_auth_octets)(keymat_t *this, bool verify, chunk_t ike_sa_init,
-							   chunk_t nonce, identification_t *id);
+							   chunk_t nonce, identification_t *id,
+							   char reserved[3]);
 	/**
 	 * Build the shared secret signature used for PSK and EAP authentication.
 	 *
@@ -133,10 +135,12 @@ struct keymat_t {
 	 * @param nonce			nonce value
 	 * @param secret		optional secret to include into signature
 	 * @param id			identity
+	 * @param reserved		reserved bytes of id_payload
 	 * @return				signature octets
 	 */
 	chunk_t (*get_psk_sig)(keymat_t *this, bool verify, chunk_t ike_sa_init,
-						   chunk_t nonce, chunk_t secret, identification_t *id);
+						   chunk_t nonce, chunk_t secret,
+						   identification_t *id, char reserved[3]);
 	/**
 	 * Destroy a keymat_t.
 	 */
diff --git a/src/libcharon/sa/task_manager.c b/src/libcharon/sa/task_manager.c
index 18703ce36..9467d1586 100644
--- a/src/libcharon/sa/task_manager.c
+++ b/src/libcharon/sa/task_manager.c
@@ -465,7 +465,6 @@ METHOD(task_manager_t, initiate, status_t,
 	/* update exchange type if a task changed it */
 	this->initiating.type = message->get_exchange_type(message);
 
-	charon->bus->message(charon->bus, message, FALSE);
 	status = this->ike_sa->generate_message(this->ike_sa, message,
 											&this->initiating.packet);
 	if (status != SUCCESS)
@@ -654,7 +653,6 @@ static status_t build_response(private_task_manager_t *this, message_t *request)
 	/* message complete, send it */
 	DESTROY_IF(this->responding.packet);
 	this->responding.packet = NULL;
-	charon->bus->message(charon->bus, message, FALSE);
 	status = this->ike_sa->generate_message(this->ike_sa, message,
 											&this->responding.packet);
 	message->destroy(message);
@@ -882,8 +880,12 @@ static status_t process_request(private_task_manager_t *this,
 METHOD(task_manager_t, process_message, status_t,
 	private_task_manager_t *this, message_t *msg)
 {
-	u_int32_t mid = msg->get_message_id(msg);
-	host_t *me = msg->get_destination(msg), *other = msg->get_source(msg);
+	host_t *me, *other;
+	u_int32_t mid;
+
+	mid = msg->get_message_id(msg);
+	me = msg->get_destination(msg);
+	other = msg->get_source(msg);
 
 	if (msg->get_request(msg))
 	{
@@ -895,10 +897,14 @@ METHOD(task_manager_t, process_message, status_t,
 			{	/* only do host updates based on verified messages */
 				if (!this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE))
 				{	/* with MOBIKE, we do no implicit updates */
-					this->ike_sa->update_hosts(this->ike_sa, me, other);
+					this->ike_sa->update_hosts(this->ike_sa, me, other, mid == 1);
 				}
 			}
 			charon->bus->message(charon->bus, msg, TRUE);
+			if (msg->get_exchange_type(msg) == EXCHANGE_TYPE_UNDEFINED)
+			{	/* ignore messages altered to EXCHANGE_TYPE_UNDEFINED */
+				return SUCCESS;
+			}
 			if (process_request(this, msg) != SUCCESS)
 			{
 				flush(this);
@@ -909,15 +915,15 @@ METHOD(task_manager_t, process_message, status_t,
 		else if ((mid == this->responding.mid - 1) && this->responding.packet)
 		{
 			packet_t *clone;
-			host_t *me, *other;
+			host_t *host;
 
 			DBG1(DBG_IKE, "received retransmit of request with ID %d, "
 				 "retransmitting response", mid);
 			clone = this->responding.packet->clone(this->responding.packet);
-			me = msg->get_destination(msg);
-			other = msg->get_source(msg);
-			clone->set_source(clone, me->clone(me));
-			clone->set_destination(clone, other->clone(other));
+			host = msg->get_destination(msg);
+			clone->set_source(clone, host->clone(host));
+			host = msg->get_source(msg);
+			clone->set_destination(clone, host->clone(host));
 			charon->sender->send(charon->sender, clone);
 		}
 		else
@@ -936,10 +942,14 @@ METHOD(task_manager_t, process_message, status_t,
 			{	/* only do host updates based on verified messages */
 				if (!this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE))
 				{	/* with MOBIKE, we do no implicit updates */
-					this->ike_sa->update_hosts(this->ike_sa, me, other);
+					this->ike_sa->update_hosts(this->ike_sa, me, other, FALSE);
 				}
 			}
 			charon->bus->message(charon->bus, msg, TRUE);
+			if (msg->get_exchange_type(msg) == EXCHANGE_TYPE_UNDEFINED)
+			{	/* ignore messages altered to EXCHANGE_TYPE_UNDEFINED */
+				return SUCCESS;
+			}
 			if (process_response(this, msg) != SUCCESS)
 			{
 				flush(this);
@@ -1002,6 +1012,19 @@ METHOD(task_manager_t, busy, bool,
 	return (this->active_tasks->get_count(this->active_tasks) > 0);
 }
 
+METHOD(task_manager_t, incr_mid, void,
+	private_task_manager_t *this, bool initiate)
+{
+	if (initiate)
+	{
+		this->initiating.mid++;
+	}
+	else
+	{
+		this->responding.mid++;
+	}
+}
+
 METHOD(task_manager_t, reset, void,
 	private_task_manager_t *this, u_int32_t initiate, u_int32_t respond)
 {
@@ -1085,6 +1108,7 @@ task_manager_t *task_manager_create(ike_sa_t *ike_sa)
 			.queue_task = _queue_task,
 			.initiate = _initiate,
 			.retransmit = _retransmit,
+			.incr_mid = _incr_mid,
 			.reset = _reset,
 			.adopt_tasks = _adopt_tasks,
 			.busy = _busy,
diff --git a/src/libcharon/sa/task_manager.h b/src/libcharon/sa/task_manager.h
index 14fccd5f9..5bc6c80c4 100644
--- a/src/libcharon/sa/task_manager.h
+++ b/src/libcharon/sa/task_manager.h
@@ -148,6 +148,16 @@ struct task_manager_t {
 	 */
 	void (*adopt_tasks) (task_manager_t *this, task_manager_t *other);
 
+	/**
+	 * Increment a message ID counter, in- or outbound.
+	 *
+	 * If a message is processed outside of the manager, this call increments
+	 * the message ID counters of the task manager.
+	 *
+	 * @param inititate		TRUE to increment the initiating ID
+	 */
+	void (*incr_mid)(task_manager_t *this, bool initiate);
+
 	/**
 	 * Reset message ID counters of the task manager.
 	 *
diff --git a/src/libcharon/sa/tasks/child_create.c b/src/libcharon/sa/tasks/child_create.c
index 57beedba9..fc02a334b 100644
--- a/src/libcharon/sa/tasks/child_create.c
+++ b/src/libcharon/sa/tasks/child_create.c
@@ -116,6 +116,11 @@ struct private_child_create_t {
 	 */
 	ipsec_mode_t mode;
 
+	/**
+	 * peer accepts TFC padding for this SA
+	 */
+	bool tfcv3;
+
 	/**
 	 * IPComp transform to use
 	 */
@@ -455,17 +460,21 @@ static status_t select_and_install(private_child_create_t *this,
 	{
 		if (this->initiator)
 		{
-			status_i = this->child_sa->install(this->child_sa, encr_r, integ_r,
-					this->my_spi, this->my_cpi, TRUE, my_ts, other_ts);
-			status_o = this->child_sa->install(this->child_sa, encr_i, integ_i,
-					this->other_spi, this->other_cpi, FALSE, my_ts, other_ts);
+			status_i = this->child_sa->install(this->child_sa,
+							encr_r, integ_r, this->my_spi, this->my_cpi,
+							TRUE, this->tfcv3, my_ts, other_ts);
+			status_o = this->child_sa->install(this->child_sa,
+							encr_i, integ_i, this->other_spi, this->other_cpi,
+							FALSE, this->tfcv3, my_ts, other_ts);
 		}
 		else
 		{
-			status_i = this->child_sa->install(this->child_sa, encr_i, integ_i,
-					this->my_spi, this->my_cpi, TRUE, my_ts, other_ts);
-			status_o = this->child_sa->install(this->child_sa, encr_r, integ_r,
-					this->other_spi, this->other_cpi, FALSE, my_ts, other_ts);
+			status_i = this->child_sa->install(this->child_sa,
+							encr_i, integ_i, this->my_spi, this->my_cpi,
+							TRUE, this->tfcv3, my_ts, other_ts);
+			status_o = this->child_sa->install(this->child_sa,
+							encr_r, integ_r, this->other_spi, this->other_cpi,
+							FALSE, this->tfcv3, my_ts, other_ts);
 		}
 	}
 	chunk_clear(&integ_i);
@@ -631,7 +640,13 @@ static void handle_notify(private_child_create_t *this, notify_payload_t *notify
 						 ipcomp_transform_names, ipcomp);
 					break;
 			}
+			break;
 		}
+		case ESP_TFC_PADDING_NOT_SUPPORTED:
+			DBG1(DBG_IKE, "received %N, not using ESPv3 TFC padding",
+				 notify_type_names, notify->get_notify_type(notify));
+			this->tfcv3 = FALSE;
+			break;
 		default:
 			break;
 	}
@@ -691,10 +706,8 @@ static void process_payloads(private_child_create_t *this, message_t *message)
 	enumerator->destroy(enumerator);
 }
 
-/**
- * Implementation of task_t.build for initiator
- */
-static status_t build_i(private_child_create_t *this, message_t *message)
+METHOD(task_t, build_i, status_t,
+	private_child_create_t *this, message_t *message)
 {
 	host_t *me, *other, *vip;
 	peer_cfg_t *peer_cfg;
@@ -831,10 +844,8 @@ static status_t build_i(private_child_create_t *this, message_t *message)
 	return NEED_MORE;
 }
 
-/**
- * Implementation of task_t.process for responder
- */
-static status_t process_r(private_child_create_t *this, message_t *message)
+METHOD(task_t, process_r, status_t,
+	private_child_create_t *this, message_t *message)
 {
 	switch (message->get_exchange_type(message))
 	{
@@ -877,10 +888,8 @@ static void handle_child_sa_failure(private_child_create_t *this,
 	}
 }
 
-/**
- * Implementation of task_t.build for responder
- */
-static status_t build_r(private_child_create_t *this, message_t *message)
+METHOD(task_t, build_r, status_t,
+	private_child_create_t *this, message_t *message)
 {
 	peer_cfg_t *peer_cfg;
 	payload_t *payload;
@@ -958,7 +967,7 @@ static status_t build_r(private_child_create_t *this, message_t *message)
 				case INTERNAL_ADDRESS_FAILURE:
 				case FAILED_CP_REQUIRED:
 				{
-					DBG1(DBG_IKE,"configuration payload negotation "
+					DBG1(DBG_IKE,"configuration payload negotiation "
 						 "failed, no CHILD_SA built");
 					enumerator->destroy(enumerator);
 					handle_child_sa_failure(this, message);
@@ -1029,10 +1038,8 @@ static status_t build_r(private_child_create_t *this, message_t *message)
 	return SUCCESS;
 }
 
-/**
- * Implementation of task_t.process for initiator
- */
-static status_t process_i(private_child_create_t *this, message_t *message)
+METHOD(task_t, process_i, status_t,
+	private_child_create_t *this, message_t *message)
 {
 	enumerator_t *enumerator;
 	payload_t *payload;
@@ -1103,7 +1110,21 @@ static status_t process_i(private_child_create_t *this, message_t *message)
 					return NEED_MORE;
 				}
 				default:
+				{
+					if (message->get_exchange_type(message) == CREATE_CHILD_SA)
+					{	/* handle notifies if not handled in IKE_AUTH */
+						if (type <= 16383)
+						{
+							DBG1(DBG_IKE, "received %N notify error",
+								 notify_type_names, type);
+							enumerator->destroy(enumerator);
+							return SUCCESS;
+						}
+						DBG2(DBG_IKE, "received %N notify",
+							 notify_type_names, type);
+					}
 					break;
+				}
 			}
 		}
 	}
@@ -1155,34 +1176,20 @@ static status_t process_i(private_child_create_t *this, message_t *message)
 	return SUCCESS;
 }
 
-/**
- * Implementation of task_t.get_type
- */
-static task_type_t get_type(private_child_create_t *this)
-{
-	return CHILD_CREATE;
-}
-
-/**
- * Implementation of child_create_t.use_reqid
- */
-static void use_reqid(private_child_create_t *this, u_int32_t reqid)
+METHOD(child_create_t, use_reqid, void,
+	private_child_create_t *this, u_int32_t reqid)
 {
 	this->reqid = reqid;
 }
 
-/**
- * Implementation of child_create_t.get_child
- */
-static child_sa_t* get_child(private_child_create_t *this)
+METHOD(child_create_t, get_child, child_sa_t*,
+	private_child_create_t *this)
 {
 	return this->child_sa;
 }
 
-/**
- * Implementation of child_create_t.get_lower_nonce
- */
-static chunk_t get_lower_nonce(private_child_create_t *this)
+METHOD(child_create_t, get_lower_nonce, chunk_t,
+	private_child_create_t *this)
 {
 	if (memcmp(this->my_nonce.ptr, this->other_nonce.ptr,
 			   min(this->my_nonce.len, this->other_nonce.len)) < 0)
@@ -1195,10 +1202,14 @@ static chunk_t get_lower_nonce(private_child_create_t *this)
 	}
 }
 
-/**
- * Implementation of task_t.migrate
- */
-static void migrate(private_child_create_t *this, ike_sa_t *ike_sa)
+METHOD(task_t, get_type, task_type_t,
+	private_child_create_t *this)
+{
+	return CHILD_CREATE;
+}
+
+METHOD(task_t, migrate, void,
+	private_child_create_t *this, ike_sa_t *ike_sa)
 {
 	chunk_free(&this->my_nonce);
 	chunk_free(&this->other_nonce);
@@ -1234,10 +1245,8 @@ static void migrate(private_child_create_t *this, ike_sa_t *ike_sa)
 	this->established = FALSE;
 }
 
-/**
- * Implementation of task_t.destroy
- */
-static void destroy(private_child_create_t *this)
+METHOD(task_t, destroy, void,
+	private_child_create_t *this)
 {
 	chunk_free(&this->my_nonce);
 	chunk_free(&this->other_nonce);
@@ -1273,52 +1282,45 @@ child_create_t *child_create_create(ike_sa_t *ike_sa,
 							child_cfg_t *config, bool rekey,
 							traffic_selector_t *tsi, traffic_selector_t *tsr)
 {
-	private_child_create_t *this = malloc_thing(private_child_create_t);
-
-	this->public.get_child = (child_sa_t*(*)(child_create_t*))get_child;
-	this->public.get_lower_nonce = (chunk_t(*)(child_create_t*))get_lower_nonce;
-	this->public.use_reqid = (void(*)(child_create_t*,u_int32_t))use_reqid;
-	this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
-	this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
-	this->public.task.destroy = (void(*)(task_t*))destroy;
+	private_child_create_t *this;
+
+	INIT(this,
+		.public = {
+			.get_child = _get_child,
+			.get_lower_nonce = _get_lower_nonce,
+			.use_reqid = _use_reqid,
+			.task = {
+				.get_type = _get_type,
+				.migrate = _migrate,
+				.destroy = _destroy,
+			},
+		},
+		.ike_sa = ike_sa,
+		.config = config,
+		.packet_tsi = tsi ? tsi->clone(tsi) : NULL,
+		.packet_tsr = tsr ? tsr->clone(tsr) : NULL,
+		.dh_group = MODP_NONE,
+		.keymat = ike_sa->get_keymat(ike_sa),
+		.mode = MODE_TUNNEL,
+		.tfcv3 = TRUE,
+		.ipcomp = IPCOMP_NONE,
+		.ipcomp_received = IPCOMP_NONE,
+		.rekey = rekey,
+	);
+
 	if (config)
 	{
-		this->public.task.build = (status_t(*)(task_t*,message_t*))build_i;
-		this->public.task.process = (status_t(*)(task_t*,message_t*))process_i;
+		this->public.task.build = _build_i;
+		this->public.task.process = _process_i;
 		this->initiator = TRUE;
 		config->get_ref(config);
 	}
 	else
 	{
-		this->public.task.build = (status_t(*)(task_t*,message_t*))build_r;
-		this->public.task.process = (status_t(*)(task_t*,message_t*))process_r;
+		this->public.task.build = _build_r;
+		this->public.task.process = _process_r;
 		this->initiator = FALSE;
 	}
 
-	this->ike_sa = ike_sa;
-	this->config = config;
-	this->my_nonce = chunk_empty;
-	this->other_nonce = chunk_empty;
-	this->proposals = NULL;
-	this->proposal = NULL;
-	this->tsi = NULL;
-	this->tsr = NULL;
-	this->packet_tsi = tsi ? tsi->clone(tsi) : NULL;
-	this->packet_tsr = tsr ? tsr->clone(tsr) : NULL;
-	this->dh = NULL;
-	this->dh_group = MODP_NONE;
-	this->keymat = ike_sa->get_keymat(ike_sa);
-	this->child_sa = NULL;
-	this->mode = MODE_TUNNEL;
-	this->ipcomp = IPCOMP_NONE;
-	this->ipcomp_received = IPCOMP_NONE;
-	this->my_spi = 0;
-	this->other_spi = 0;
-	this->my_cpi = 0;
-	this->other_cpi = 0;
-	this->reqid = 0;
-	this->established = FALSE;
-	this->rekey = rekey;
-
 	return &this->public;
 }
diff --git a/src/libcharon/sa/tasks/child_rekey.c b/src/libcharon/sa/tasks/child_rekey.c
index fdaaea4b8..e74ca4eef 100644
--- a/src/libcharon/sa/tasks/child_rekey.c
+++ b/src/libcharon/sa/tasks/child_rekey.c
@@ -241,12 +241,11 @@ static child_sa_t *handle_collision(private_child_rekey_t *this)
 		/* if we have the lower nonce, delete rekeyed SA. If not, delete
 		 * the redundant. */
 		if (memcmp(this_nonce.ptr, other_nonce.ptr,
-				   min(this_nonce.len, other_nonce.len)) < 0)
+				   min(this_nonce.len, other_nonce.len)) > 0)
 		{
 			child_sa_t *child_sa;
 
-			DBG1(DBG_IKE, "CHILD_SA rekey collision won, "
-				 "deleting rekeyed child");
+			DBG1(DBG_IKE, "CHILD_SA rekey collision won, deleting old child");
 			to_delete = this->child_sa;
 			/* don't touch child other created, it has already been deleted */
 			if (!this->other_child_destroyed)
@@ -259,7 +258,7 @@ static child_sa_t *handle_collision(private_child_rekey_t *this)
 		else
 		{
 			DBG1(DBG_IKE, "CHILD_SA rekey collision lost, "
-				 "deleting redundant child");
+				 "deleting rekeyed child");
 			to_delete = this->child_create->get_child(this->child_create);
 		}
 	}
diff --git a/src/libcharon/sa/tasks/ike_auth.c b/src/libcharon/sa/tasks/ike_auth.c
index b440ec811..0756c7d60 100644
--- a/src/libcharon/sa/tasks/ike_auth.c
+++ b/src/libcharon/sa/tasks/ike_auth.c
@@ -67,6 +67,11 @@ struct private_ike_auth_t {
 	 */
 	packet_t *other_packet;
 
+	/**
+	 * Reserved bytes of ID payload
+	 */
+	char reserved[3];
+
 	/**
 	 * currently active authenticator, to authenticate us
 	 */
@@ -101,6 +106,11 @@ struct private_ike_auth_t {
 	 * should we send a AUTHENTICATION_FAILED notify?
 	 */
 	bool authentication_failed;
+
+	/**
+	 * received an INITIAL_CONTACT?
+	 */
+	bool initial_contact;
 };
 
 /**
@@ -159,6 +169,24 @@ static status_t collect_other_init_data(private_ike_auth_t *this,
 	return NEED_MORE;
 }
 
+/**
+ * Get and store reserved bytes of id_payload, required for AUTH payload
+ */
+static void get_reserved_id_bytes(private_ike_auth_t *this, id_payload_t *id)
+{
+	u_int8_t *byte;
+	int i;
+
+	for (i = 0; i < countof(this->reserved); i++)
+	{
+		byte = payload_get_field(&id->payload_interface, RESERVED_BYTE, i);
+		if (byte)
+		{
+			this->reserved[i] = *byte;
+		}
+	}
+}
+
 /**
  * Get the next authentication configuration
  */
@@ -329,10 +357,8 @@ static bool update_cfg_candidates(private_ike_auth_t *this, bool strict)
 	return this->peer_cfg != NULL;
 }
 
-/**
- * Implementation of task_t.build for initiator
- */
-static status_t build_i(private_ike_auth_t *this, message_t *message)
+METHOD(task_t, build_i, status_t,
+	private_ike_auth_t *this, message_t *message)
 {
 	auth_cfg_t *cfg;
 
@@ -367,7 +393,7 @@ static status_t build_i(private_ike_auth_t *this, message_t *message)
 	/* check if an authenticator is in progress */
 	if (this->my_auth == NULL)
 	{
-		identification_t *id;
+		identification_t *idi, *idr = NULL;
 		id_payload_t *id_payload;
 
 		/* clean up authentication config from a previous round */
@@ -378,33 +404,48 @@ static status_t build_i(private_ike_auth_t *this, message_t *message)
 		cfg = get_auth_cfg(this, FALSE);
 		if (cfg)
 		{
-			id = cfg->get(cfg, AUTH_RULE_IDENTITY);
-			if (id && !id->contains_wildcards(id))
+			idr = cfg->get(cfg, AUTH_RULE_IDENTITY);
+			if (idr && !idr->contains_wildcards(idr))
 			{
-				this->ike_sa->set_other_id(this->ike_sa, id->clone(id));
+				this->ike_sa->set_other_id(this->ike_sa, idr->clone(idr));
 				id_payload = id_payload_create_from_identification(
-															ID_RESPONDER, id);
+															ID_RESPONDER, idr);
 				message->add_payload(message, (payload_t*)id_payload);
 			}
 		}
 		/* add IDi */
 		cfg = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
 		cfg->merge(cfg, get_auth_cfg(this, TRUE), TRUE);
-		id = cfg->get(cfg, AUTH_RULE_IDENTITY);
-		if (!id)
+		idi = cfg->get(cfg, AUTH_RULE_IDENTITY);
+		if (!idi)
 		{
 			DBG1(DBG_CFG, "configuration misses IDi");
 			return FAILED;
 		}
-		this->ike_sa->set_my_id(this->ike_sa, id->clone(id));
-		id_payload = id_payload_create_from_identification(ID_INITIATOR, id);
+		this->ike_sa->set_my_id(this->ike_sa, idi->clone(idi));
+		id_payload = id_payload_create_from_identification(ID_INITIATOR, idi);
+		get_reserved_id_bytes(this, id_payload);
 		message->add_payload(message, (payload_t*)id_payload);
 
+		if (idr && message->get_message_id(message) == 1 &&
+			this->peer_cfg->get_unique_policy(this->peer_cfg) != UNIQUE_NO)
+		{
+			host_t *host;
+
+			host = this->ike_sa->get_other_host(this->ike_sa);
+			if (!charon->ike_sa_manager->has_contact(charon->ike_sa_manager,
+											idi, idr, host->get_family(host)))
+			{
+				message->add_notify(message, FALSE, INITIAL_CONTACT, chunk_empty);
+			}
+		}
+
 		/* build authentication data */
 		this->my_auth = authenticator_create_builder(this->ike_sa, cfg,
 							this->other_nonce, this->my_nonce,
 							this->other_packet->get_data(this->other_packet),
-							this->my_packet->get_data(this->my_packet));
+							this->my_packet->get_data(this->my_packet),
+							this->reserved);
 		if (!this->my_auth)
 		{
 			return FAILED;
@@ -441,10 +482,8 @@ static status_t build_i(private_ike_auth_t *this, message_t *message)
 	return NEED_MORE;
 }
 
-/**
- * Implementation of task_t.process for responder
- */
-static status_t process_r(private_ike_auth_t *this, message_t *message)
+METHOD(task_t, process_r, status_t,
+	private_ike_auth_t *this, message_t *message)
 {
 	auth_cfg_t *cfg, *cand;
 	id_payload_t *id_payload;
@@ -498,6 +537,7 @@ static status_t process_r(private_ike_auth_t *this, message_t *message)
 			return FAILED;
 		}
 		id = id_payload->get_identification(id_payload);
+		get_reserved_id_bytes(this, id_payload);
 		this->ike_sa->set_other_id(this->ike_sa, id);
 		cfg = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
 		cfg->add(cfg, AUTH_RULE_IDENTITY, id->clone(id));
@@ -548,7 +588,8 @@ static status_t process_r(private_ike_auth_t *this, message_t *message)
 		this->other_auth = authenticator_create_verifier(this->ike_sa,
 							message, this->other_nonce, this->my_nonce,
 							this->other_packet->get_data(this->other_packet),
-							this->my_packet->get_data(this->my_packet));
+							this->my_packet->get_data(this->my_packet),
+							this->reserved);
 		if (!this->other_auth)
 		{
 			this->authentication_failed = TRUE;
@@ -572,10 +613,13 @@ static status_t process_r(private_ike_auth_t *this, message_t *message)
 			return NEED_MORE;
 	}
 
-	/* store authentication information */
-	cfg = auth_cfg_create();
-	cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, FALSE), FALSE);
-	this->ike_sa->add_auth_cfg(this->ike_sa, FALSE, cfg);
+	/* If authenticated (with non-EAP) and received INITIAL_CONTACT,
+	 * delete any existing IKE_SAs with that peer. */
+	if (message->get_message_id(message) == 1 &&
+		message->get_notify(message, INITIAL_CONTACT))
+	{
+		this->initial_contact = TRUE;
+	}
 
 	/* another auth round done, invoke authorize hook */
 	if (!charon->bus->authorize(charon->bus, FALSE))
@@ -585,6 +629,11 @@ static status_t process_r(private_ike_auth_t *this, message_t *message)
 		return NEED_MORE;
 	}
 
+	/* store authentication information */
+	cfg = auth_cfg_create();
+	cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, FALSE), FALSE);
+	this->ike_sa->add_auth_cfg(this->ike_sa, FALSE, cfg);
+
 	if (!update_cfg_candidates(this, FALSE))
 	{
 		this->authentication_failed = TRUE;
@@ -603,10 +652,8 @@ static status_t process_r(private_ike_auth_t *this, message_t *message)
 	return NEED_MORE;
 }
 
-/**
- * Implementation of task_t.build for responder
- */
-static status_t build_r(private_ike_auth_t *this, message_t *message)
+METHOD(task_t, build_r, status_t,
+	private_ike_auth_t *this, message_t *message)
 {
 	auth_cfg_t *cfg;
 
@@ -662,8 +709,16 @@ static status_t build_r(private_ike_auth_t *this, message_t *message)
 		}
 
 		id_payload = id_payload_create_from_identification(ID_RESPONDER, id);
+		get_reserved_id_bytes(this, id_payload);
 		message->add_payload(message, (payload_t*)id_payload);
 
+		if (this->initial_contact)
+		{
+			charon->ike_sa_manager->check_uniqueness(charon->ike_sa_manager,
+													 this->ike_sa, TRUE);
+			this->initial_contact = FALSE;
+		}
+
 		if ((uintptr_t)cfg->get(cfg, AUTH_RULE_AUTH_CLASS) == AUTH_CLASS_EAP)
 		{	/* EAP-only authentication */
 			if (!this->ike_sa->supports_extension(this->ike_sa,
@@ -682,7 +737,8 @@ static status_t build_r(private_ike_auth_t *this, message_t *message)
 			this->my_auth = authenticator_create_builder(this->ike_sa, cfg,
 								this->other_nonce, this->my_nonce,
 								this->other_packet->get_data(this->other_packet),
-								this->my_packet->get_data(this->my_packet));
+								this->my_packet->get_data(this->my_packet),
+								this->reserved);
 			if (!this->my_auth)
 			{
 				message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
@@ -744,7 +800,7 @@ static status_t build_r(private_ike_auth_t *this, message_t *message)
 	if (!this->do_another_auth && !this->expect_another_auth)
 	{
 		if (charon->ike_sa_manager->check_uniqueness(charon->ike_sa_manager,
-													 this->ike_sa))
+													 this->ike_sa, FALSE))
 		{
 			DBG1(DBG_IKE, "cancelling IKE_SA setup due uniqueness policy");
 			message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
@@ -772,10 +828,8 @@ static status_t build_r(private_ike_auth_t *this, message_t *message)
 	return NEED_MORE;
 }
 
-/**
- * Implementation of task_t.process for initiator
- */
-static status_t process_i(private_ike_auth_t *this, message_t *message)
+METHOD(task_t, process_i, status_t,
+	private_ike_auth_t *this, message_t *message)
 {
 	enumerator_t *enumerator;
 	payload_t *payload;
@@ -857,6 +911,7 @@ static status_t process_i(private_ike_auth_t *this, message_t *message)
 				return FAILED;
 			}
 			id = id_payload->get_identification(id_payload);
+			get_reserved_id_bytes(this, id_payload);
 			this->ike_sa->set_other_id(this->ike_sa, id);
 			cfg = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
 			cfg->add(cfg, AUTH_RULE_IDENTITY, id->clone(id));
@@ -867,7 +922,8 @@ static status_t process_i(private_ike_auth_t *this, message_t *message)
 				this->other_auth = authenticator_create_verifier(this->ike_sa,
 								message, this->other_nonce, this->my_nonce,
 								this->other_packet->get_data(this->other_packet),
-								this->my_packet->get_data(this->my_packet));
+								this->my_packet->get_data(this->my_packet),
+								this->reserved);
 				if (!this->other_auth)
 				{
 					return FAILED;
@@ -893,17 +949,17 @@ static status_t process_i(private_ike_auth_t *this, message_t *message)
 			this->other_auth->destroy(this->other_auth);
 			this->other_auth = NULL;
 		}
-		/* store authentication information, reset authenticator */
-		cfg = auth_cfg_create();
-		cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, FALSE), FALSE);
-		this->ike_sa->add_auth_cfg(this->ike_sa, FALSE, cfg);
-
 		/* another auth round done, invoke authorize hook */
 		if (!charon->bus->authorize(charon->bus, FALSE))
 		{
 			DBG1(DBG_IKE, "authorization forbids IKE_SA, cancelling");
 			return FAILED;
 		}
+
+		/* store authentication information, reset authenticator */
+		cfg = auth_cfg_create();
+		cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, FALSE), FALSE);
+		this->ike_sa->add_auth_cfg(this->ike_sa, FALSE, cfg);
 	}
 
 	if (this->my_auth)
@@ -964,18 +1020,14 @@ static status_t process_i(private_ike_auth_t *this, message_t *message)
 	return NEED_MORE;
 }
 
-/**
- * Implementation of task_t.get_type
- */
-static task_type_t get_type(private_ike_auth_t *this)
+METHOD(task_t, get_type, task_type_t,
+	private_ike_auth_t *this)
 {
 	return IKE_AUTHENTICATE;
 }
 
-/**
- * Implementation of task_t.migrate
- */
-static void migrate(private_ike_auth_t *this, ike_sa_t *ike_sa)
+METHOD(task_t, migrate, void,
+	private_ike_auth_t *this, ike_sa_t *ike_sa)
 {
 	chunk_free(&this->my_nonce);
 	chunk_free(&this->other_nonce);
@@ -998,10 +1050,8 @@ static void migrate(private_ike_auth_t *this, ike_sa_t *ike_sa)
 	this->candidates = linked_list_create();
 }
 
-/**
- * Implementation of task_t.destroy
- */
-static void destroy(private_ike_auth_t *this)
+METHOD(task_t, destroy, void,
+	private_ike_auth_t *this)
 {
 	chunk_free(&this->my_nonce);
 	chunk_free(&this->other_nonce);
@@ -1019,37 +1069,29 @@ static void destroy(private_ike_auth_t *this)
  */
 ike_auth_t *ike_auth_create(ike_sa_t *ike_sa, bool initiator)
 {
-	private_ike_auth_t *this = malloc_thing(private_ike_auth_t);
-
-	this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
-	this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
-	this->public.task.destroy = (void(*)(task_t*))destroy;
-
+	private_ike_auth_t *this;
+
+	INIT(this,
+		.public = {
+			.task = {
+				.get_type = _get_type,
+				.migrate = _migrate,
+				.build = _build_r,
+				.process = _process_r,
+				.destroy = _destroy,
+			},
+		},
+		.ike_sa = ike_sa,
+		.initiator = initiator,
+		.candidates = linked_list_create(),
+		.do_another_auth = TRUE,
+		.expect_another_auth = TRUE,
+	);
 	if (initiator)
 	{
-		this->public.task.build = (status_t(*)(task_t*,message_t*))build_i;
-		this->public.task.process = (status_t(*)(task_t*,message_t*))process_i;
-	}
-	else
-	{
-		this->public.task.build = (status_t(*)(task_t*,message_t*))build_r;
-		this->public.task.process = (status_t(*)(task_t*,message_t*))process_r;
+		this->public.task.build = _build_i;
+		this->public.task.process = _process_i;
 	}
-
-	this->ike_sa = ike_sa;
-	this->initiator = initiator;
-	this->my_nonce = chunk_empty;
-	this->other_nonce = chunk_empty;
-	this->my_packet = NULL;
-	this->other_packet = NULL;
-	this->peer_cfg = NULL;
-	this->candidates = linked_list_create();
-	this->my_auth = NULL;
-	this->other_auth = NULL;
-	this->do_another_auth = TRUE;
-	this->expect_another_auth = TRUE;
-	this->authentication_failed = FALSE;
-
 	return &this->public;
 }
 
diff --git a/src/libcharon/sa/tasks/ike_cert_pre.c b/src/libcharon/sa/tasks/ike_cert_pre.c
index 1c0c54727..a59b8dcce 100644
--- a/src/libcharon/sa/tasks/ike_cert_pre.c
+++ b/src/libcharon/sa/tasks/ike_cert_pre.c
@@ -76,6 +76,7 @@ static void process_certreqs(private_ike_cert_pre_t *this, message_t *message)
 			{
 				certreq_payload_t *certreq = (certreq_payload_t*)payload;
 				enumerator_t *enumerator;
+				u_int unknown = 0;
 				chunk_t keyid;
 
 				this->ike_sa->set_condition(this->ike_sa, COND_CERTREQ_SEEN, TRUE);
@@ -103,12 +104,18 @@ static void process_certreqs(private_ike_cert_pre_t *this, message_t *message)
 					}
 					else
 					{
-						DBG1(DBG_IKE, "received cert request for unknown ca "
+						DBG2(DBG_IKE, "received cert request for unknown ca "
 									  "with keyid %Y", id);
+						unknown++;
 					}
 					id->destroy(id);
 				}
 				enumerator->destroy(enumerator);
+				if (unknown)
+				{
+					DBG1(DBG_IKE, "received %u cert requests for an unknown ca",
+						 unknown);
+				}
 				break;
 			}
 			case NOTIFY:
@@ -253,11 +260,19 @@ static void process_certs(private_ike_cert_pre_t *this, message_t *message)
 					}
 					break;
 				}
+				case ENC_CRL:
+					cert = cert_payload->get_cert(cert_payload);
+					if (cert)
+					{
+						DBG1(DBG_IKE, "received CRL \"%Y\"",
+							 cert->get_subject(cert));
+						auth->add(auth, AUTH_HELPER_REVOCATION_CERT, cert);
+					}
+					break;
 				case ENC_PKCS7_WRAPPED_X509:
 				case ENC_PGP:
 				case ENC_DNS_SIGNED_KEY:
 				case ENC_KERBEROS_TOKEN:
-				case ENC_CRL:
 				case ENC_ARL:
 				case ENC_SPKI:
 				case ENC_X509_ATTRIBUTE:
diff --git a/src/libcharon/sa/tasks/ike_rekey.c b/src/libcharon/sa/tasks/ike_rekey.c
index 1a6c140c4..44c55036e 100644
--- a/src/libcharon/sa/tasks/ike_rekey.c
+++ b/src/libcharon/sa/tasks/ike_rekey.c
@@ -255,19 +255,20 @@ static status_t process_i(private_ike_rekey_t *this, message_t *message)
 			/* if we have the lower nonce, delete rekeyed SA. If not, delete
 			 * the redundant. */
 			if (memcmp(this_nonce.ptr, other_nonce.ptr,
-						min(this_nonce.len, other_nonce.len)) < 0)
+						min(this_nonce.len, other_nonce.len)) > 0)
 			{
 				/* peer should delete this SA. Add a timeout just in case. */
 				job_t *job = (job_t*)delete_ike_sa_job_create(
 						other->new_sa->get_id(other->new_sa), TRUE);
 				lib->scheduler->schedule_job(lib->scheduler, job, 10);
-				DBG1(DBG_IKE, "IKE_SA rekey collision won, deleting rekeyed IKE_SA");
+				DBG1(DBG_IKE, "IKE_SA rekey collision won, waiting for delete");
 				charon->ike_sa_manager->checkin(charon->ike_sa_manager, other->new_sa);
 				other->new_sa = NULL;
 			}
 			else
 			{
-				DBG1(DBG_IKE, "IKE_SA rekey collision lost, deleting redundant IKE_SA");
+				DBG1(DBG_IKE, "IKE_SA rekey collision lost, "
+					 "deleting redundant IKE_SA");
 				/* apply host for a proper delete */
 				host = this->ike_sa->get_my_host(this->ike_sa);
 				this->new_sa->set_my_host(this->new_sa, host->clone(host));
diff --git a/src/libcharon/tnc/imc/imc.h b/src/libcharon/tnc/imc/imc.h
new file mode 100644
index 000000000..fe8f25b0f
--- /dev/null
+++ b/src/libcharon/tnc/imc/imc.h
@@ -0,0 +1,175 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup imc imc
+ * @ingroup tnc
+ *
+ * @defgroup imct imc
+ * @{ @ingroup imc
+ */
+
+#ifndef IMC_H_
+#define IMC_H_
+
+#include <tnc/tncifimc.h>
+#include <library.h>
+
+typedef struct imc_t imc_t;
+
+/**
+ * Controls a single Integrity Measurement Collector (IMC)
+ */
+struct imc_t {
+
+	/**
+	 * The TNC Client calls this function to initialize the IMC and agree on
+	 * the API version number to be used. It also supplies the IMC ID, an IMC
+	 * identifier that the IMC must use when calling TNC Client callback functions.
+	 *
+	 * @param imcID				IMC ID assigned by TNCC
+	 * @param minVersion		minimum API version supported by TNCC
+	 * @param maxVersion		maximum API version supported by TNCC
+	 * @param OutActualVersion	mutually supported API version number
+	 * @return					TNC result code
+	 */
+	TNC_Result (*initialize)(TNC_IMCID imcID,
+							 TNC_Version minVersion,
+							 TNC_Version maxVersion,
+							 TNC_Version *OutActualVersion);
+
+	/**
+	 * The TNC Client calls this function to inform the IMC that the state of
+	 * the network connection identified by connectionID has changed to newState.
+	 *
+	 * @param imcID				IMC ID assigned by TNCC
+	 * @param connectionID		network connection ID assigned by TNCC
+	 * @param newState			new network connection state
+	 * @return					TNC result code
+	 */
+	TNC_Result (*notify_connection_change)(TNC_IMCID imcID,
+										   TNC_ConnectionID connectionID,
+										   TNC_ConnectionState newState);
+
+	/**
+	 * The TNC Client calls this function to indicate that an Integrity Check
+	 * Handshake is beginning and solicit messages from IMCs for the first batch.
+	 *
+	 * @param imcID				IMC ID assigned by TNCC
+	 * @param connectionID		network connection ID assigned by TNCC
+	 * @return					TNC result code
+	 */
+	TNC_Result (*begin_handshake)(TNC_IMCID imcID,
+								  TNC_ConnectionID connectionID);
+
+	/**
+	 * The TNC Client calls this function to deliver a message to the IMC.
+	 * The message is contained in the buffer referenced by message and contains
+	 * the number of octets indicated by messageLength. The type of the message
+	 * is indicated by messageType.
+	 *
+	 * @param imcID				IMC ID assigned by TNCS
+	 * @param connectionID		network connection ID assigned by TNCC
+	 * @param message			reference to buffer containing message
+	 * @param messageLength		number of octets in message
+	 * @param messageType		message type of message
+	 * @return					TNC result code
+	 */
+	TNC_Result (*receive_message)(TNC_IMCID imcID,
+								  TNC_ConnectionID connectionID,
+								  TNC_BufferReference message,
+								  TNC_UInt32 messageLength,
+								  TNC_MessageType messageType);
+
+	/**
+	 * The TNC Client calls this function to notify IMCs that all IMV messages
+	 * received in a batch have been delivered and this is the IMC’s last chance
+	 * to send a message in the batch of IMC messages currently being collected.
+	 *
+	 * @param imcID				IMC ID assigned by TNCC
+	 * @param connectionID		network connection ID assigned by TNCC
+	 * @return					TNC result code
+	 */
+	TNC_Result (*batch_ending)(TNC_IMCID imcID,
+							   TNC_ConnectionID connectionID);
+
+	/**
+	 * The TNC Client calls this function to close down the IMC when all work is
+	 * complete or the IMC reports TNC_RESULT_FATAL.
+	 *
+	 * @param imcID				IMC ID assigned by TNCC
+	 * @return					TNC result code
+	 */
+	TNC_Result (*terminate)(TNC_IMCID imcID);
+
+	/**
+	 * IMVs implementing the UNIX/Linux Dynamic Linkage platform binding MUST
+	 * define this additional function. The TNC Server MUST call the function
+	 * immediately after calling TNC_IMV_Initialize to provide a pointer to the
+	 * TNCS bind function. The IMV can then use the TNCS bind function to obtain
+	 * pointers to any other TNCS functions.
+	 *
+	 * @param imcID				IMC ID assigned by TNCC
+	 * @param bindFunction		pointer to TNC_TNCC_BindFunction
+	 * @return					TNC result code
+	 */
+	TNC_Result (*provide_bind_function)(TNC_IMCID imcID,
+										TNC_TNCC_BindFunctionPointer bindFunction);
+
+	/**
+	 * Sets the ID of an imc_t object.
+	 *
+	 * @param id				IMC ID to be assigned
+	 */
+	void (*set_id)(imc_t *this, TNC_IMCID id);
+
+	/**
+	 * Returns the ID of an imc_t object.
+	 *
+	 * @return					assigned IMC ID
+	 */
+	TNC_IMCID (*get_id)(imc_t *this);
+
+	/**
+	 * Returns the name of an imc_t object.
+	 *
+	 * @return					name of IMC
+	 */
+	char* (*get_name)(imc_t *this);
+
+	/**
+	 * Sets the supported message types of an imc_t object.
+	 *
+	 * @param supported_types	list of messages type supported by IMC
+	 * @param type_count		number of supported message types
+	 */
+	void (*set_message_types)(imc_t *this, TNC_MessageTypeList supported_types,
+										   TNC_UInt32 type_count);
+
+	/**
+	 * Check if the IMC supports a given message type.
+	 *
+	 * @param message_type		message type
+	 * @return					TRUE if supported
+	 */
+	bool (*type_supported)(imc_t *this, TNC_MessageType message_type);
+
+	/**
+	 * Destroys an imc_t object.
+	 */
+	void (*destroy)(imc_t *this);
+};
+
+#endif /** IMC_H_ @}*/
diff --git a/src/libcharon/tnc/imc/imc_manager.h b/src/libcharon/tnc/imc/imc_manager.h
new file mode 100644
index 000000000..634afdbe8
--- /dev/null
+++ b/src/libcharon/tnc/imc/imc_manager.h
@@ -0,0 +1,116 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup imc_manager imc_manager
+ * @{ @ingroup imc
+ */
+
+#ifndef IMC_MANAGER_H_
+#define IMC_MANAGER_H_
+
+#include "imc.h"
+
+#include <library.h>
+
+typedef struct imc_manager_t imc_manager_t;
+
+/**
+ * The IMC manager controls all IMC instances.
+ */
+struct imc_manager_t {
+
+	/**
+	 * Add an IMC instance
+	 *
+	 * @param imc				IMC instance
+	 * @return					TRUE if initialization successful
+	 */
+	 bool (*add)(imc_manager_t *this, imc_t *imc);
+
+	/**
+	 * Remove an IMC instance from the list and return it
+	 *
+	 * @param id				ID of IMC instance
+	 * @return					removed IMC instance
+	 */
+	imc_t* (*remove)(imc_manager_t *this, TNC_IMCID id);
+
+	/**
+	 * Return the preferred language for recommendations
+	 *
+	 * @return					preferred language string
+	 */
+	char* (*get_preferred_language)(imc_manager_t *this);
+
+	/**
+	 * Notify all IMC instances
+	 *
+	 * @param state			communicate the state a connection has reached
+	 */
+	void (*notify_connection_change)(imc_manager_t *this,
+									 TNC_ConnectionID id,
+									 TNC_ConnectionState state);
+
+	/**
+	 * Begin a handshake between the IMCs and a connection
+	 *
+	 * @param id				connection ID
+	 */
+	void (*begin_handshake)(imc_manager_t *this, TNC_ConnectionID id);
+
+	/**
+	 * Sets the supported message types reported by a given IMC
+	 *
+	 * @param id				ID of reporting IMC
+	 * @param supported_types	list of messages type supported by IMC
+	 * @param type_count		number of supported message types
+	 * @return					TNC result code
+	 */
+	TNC_Result (*set_message_types)(imc_manager_t *this,
+									TNC_IMCID id,
+									TNC_MessageTypeList supported_types,
+									TNC_UInt32 type_count);
+
+	/**
+	 * Delivers a message to interested IMCs.
+	 *
+	 * @param connection_id		ID of connection over which message was received
+	 * @param message			message
+	 * @param message_len		message length
+	 * @param message_type		message type
+	 */
+	void (*receive_message)(imc_manager_t *this,
+							TNC_ConnectionID connection_id,
+							TNC_BufferReference message,
+							TNC_UInt32 message_len,
+							TNC_MessageType message_type);
+
+	/**
+	 * Notify all IMCs that all IMV messages received in a batch have been
+	 * delivered and this is the IMCs last chance to send a message in the
+	 * batch of IMC messages currently being collected.
+	 *
+	 * @param id				connection ID
+	 */
+	void (*batch_ending)(imc_manager_t *this, TNC_ConnectionID id);
+
+	/**
+	 * Destroy an IMC manager and all its controlled instances.
+	 */
+	void (*destroy)(imc_manager_t *this);
+};
+
+#endif /** IMC_MANAGER_H_ @}*/
diff --git a/src/libcharon/tnc/imv/imv.h b/src/libcharon/tnc/imv/imv.h
new file mode 100644
index 000000000..26874ab0b
--- /dev/null
+++ b/src/libcharon/tnc/imv/imv.h
@@ -0,0 +1,175 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup imv imv
+ * @ingroup tnc
+ *
+ * @defgroup imvt imv
+ * @{ @ingroup imv
+ */
+
+#ifndef IMV_H_
+#define IMV_H_
+
+#include <tnc/tncifimv.h>
+#include <library.h>
+
+typedef struct imv_t imv_t;
+
+/**
+ * Controls a single Integrity Measurement Verifier (IMV)
+ */
+struct imv_t {
+
+	/**
+	 * The TNC Server calls this function to initialize the IMV and agree on
+	 * the API version number to be used. It also supplies the IMV ID, an IMV
+	 * identifier that the IMV must use when calling TNC Server callback functions.
+	 *
+	 * @param imvID				IMV ID assigned by TNCS
+	 * @param minVersion		minimum API version supported
+	 * @param maxVersion		maximum API version supported by TNCS
+	 * @param OutActualVersion	mutually supported API version number
+	 * @return					TNC result code
+	 */
+	TNC_Result (*initialize)(TNC_IMVID imvID,
+							 TNC_Version minVersion,
+							 TNC_Version maxVersion,
+							 TNC_Version *OutActualVersion);
+
+	/**
+	 * The TNC Server calls this function to inform the IMV that the state of
+	 * the network connection identified by connectionID has changed to newState.
+	 *
+	 * @param imvID				IMV ID assigned by TNCS
+	 * @param connectionID		network connection ID assigned by TNCS
+	 * @param newState			new network connection state
+	 * @return					TNC result code
+	 */
+	TNC_Result (*notify_connection_change)(TNC_IMVID imvID,
+										   TNC_ConnectionID connectionID,
+										   TNC_ConnectionState newState);
+
+	/**
+	 * The TNC Server calls this function at the end of an Integrity Check
+	 * Handshake (after all IMC-IMV messages have been delivered) to solicit
+	 * recommendations from IMVs that have not yet provided a recommendation.
+	 *
+	 * @param imvID				IMV ID assigned by TNCS
+	 * @param connectionID		network connection ID assigned by TNCS
+	 * @return					TNC result code
+	 */
+	TNC_Result (*solicit_recommendation)(TNC_IMVID imvID,
+										 TNC_ConnectionID connectionID);
+
+	/**
+	 * The TNC Server calls this function to deliver a message to the IMV.
+	 * The message is contained in the buffer referenced by message and contains
+	 * the number of octets indicated by messageLength. The type of the message
+	 * is indicated by messageType.
+	 *
+	 * @param imvID				IMV ID assigned by TNCS
+	 * @param connectionID		network connection ID assigned by TNCS
+	 * @param message			reference to buffer containing message
+	 * @param messageLength		number of octets in message
+	 * @param messageType		message type of message
+	 * @return					TNC result code
+	 */
+	TNC_Result (*receive_message)(TNC_IMVID imvID,
+								  TNC_ConnectionID connectionID,
+								  TNC_BufferReference message,
+								  TNC_UInt32 messageLength,
+								  TNC_MessageType messageType);
+
+	/**
+	 * The TNC Server calls this function to notify IMVs that all IMC messages
+	 * received in a batch have been delivered and this is the IMV’s last chance
+	 * to send a message in the batch of IMV messages currently being collected.
+	 *
+	 * @param imvID				IMV ID assigned by TNCS
+	 * @param connectionID		network connection ID assigned by TNCS
+	 * @return					TNC result code
+	 */
+	TNC_Result (*batch_ending)(TNC_IMVID imvID,
+							   TNC_ConnectionID connectionID);
+
+	/**
+	 * The TNC Server calls this function to close down the IMV.
+	 *
+	 * @param imvID				IMV ID assigned by TNCS
+	 * @return					TNC result code
+	 */
+	TNC_Result (*terminate)(TNC_IMVID imvID);
+
+	/**
+	 * IMVs implementing the UNIX/Linux Dynamic Linkage platform binding MUST
+	 * define this additional function. The TNC Server MUST call the function
+	 * immediately after calling TNC_IMV_Initialize to provide a pointer to the
+	 * TNCS bind function. The IMV can then use the TNCS bind function to obtain
+	 * pointers to any other TNCS functions.
+	 *
+	 * @param imvID				IMV ID assigned by TNCS
+	 * @param bindFunction		pointer to TNC_TNCS_BindFunction
+	 * @return					TNC result code
+	 */
+	TNC_Result (*provide_bind_function)(TNC_IMVID imvID,
+										TNC_TNCS_BindFunctionPointer bindFunction);
+
+	/**
+	 * Sets the ID of an imv_t object.
+	 *
+	 * @param id				IMV ID to be assigned
+	 */
+	void (*set_id)(imv_t *this, TNC_IMVID id);
+
+	/**
+	 * Returns the ID of an imv_t object.
+	 *
+	 * @return					IMV ID assigned by TNCS
+	 */
+	TNC_IMVID (*get_id)(imv_t *this);
+
+	/**
+	 * Returns the name of an imv_t object.
+	 *
+	 * @return					name of IMV
+	 */
+	char* (*get_name)(imv_t *this);
+
+	/**
+	 * Sets the supported message types of an imv_t object.
+	 *
+	 * @param supported_types	list of messages type supported by IMV
+	 * @param type_count		number of supported message types
+	 */
+	void (*set_message_types)(imv_t *this, TNC_MessageTypeList supported_types,
+										   TNC_UInt32 type_count);
+
+	/**
+	 * Check if the IMV supports a given message type.
+	 *
+	 * @param message_type		message type
+	 * @return					TRUE if supported
+	 */
+	bool (*type_supported)(imv_t *this, TNC_MessageType message_type);
+
+	/**
+	 * Destroys an imv_t object.
+	 */
+	void (*destroy)(imv_t *this);
+};
+
+#endif /** IMV_H_ @}*/
diff --git a/src/libcharon/tnc/imv/imv_manager.h b/src/libcharon/tnc/imv/imv_manager.h
new file mode 100644
index 000000000..b5c581a75
--- /dev/null
+++ b/src/libcharon/tnc/imv/imv_manager.h
@@ -0,0 +1,134 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup imv_manager imv_manager
+ * @{ @ingroup imv
+ */
+
+#ifndef IMV_MANAGER_H_
+#define IMV_MANAGER_H_
+
+#include "imv.h"
+#include "imv_recommendations.h"
+
+#include <library.h>
+
+typedef struct imv_manager_t imv_manager_t;
+
+/**
+ * The IMV manager controls all IMV instances.
+ */
+struct imv_manager_t {
+
+	/**
+	 * Add an IMV instance
+	 *
+	 * @param imv				IMV instance
+	 * @return					TRUE if initialization successful
+	 */
+	bool (*add)(imv_manager_t *this, imv_t *imv);
+
+	/**
+	 * Remove an IMV instance from the list and return it
+	 *
+	 * @param id				ID of IMV instance
+	 * @return					removed IMC instance
+	 */
+	imv_t* (*remove)(imv_manager_t *this, TNC_IMVID id);
+
+	/**
+	 * Get the configured recommendation policy
+	 *
+	 * @return					configured recommendation policy
+	 */
+	recommendation_policy_t (*get_recommendation_policy)(imv_manager_t *this);
+
+	/**
+	 * Create an empty set of IMV recommendations and evaluations
+	 *
+	 * @return					instance of a recommendations_t list
+	 */
+	recommendations_t* (*create_recommendations)(imv_manager_t *this);
+
+	/**
+	 * Enforce the TNC recommendation on the IKE_SA by either inserting an
+	 * allow|isolate group membership rule (TRUE) or by blocking access (FALSE)
+	 *
+	 * @param void				TNC action recommendation
+	 * @return					TRUE for allow|isolate, FALSE for none
+	 */
+	bool (*enforce_recommendation)(imv_manager_t *this,
+								   TNC_IMV_Action_Recommendation rec);
+
+	/**
+	 * Notify all IMV instances
+	 *
+	 * @param state			communicate the state a connection has reached
+	 */
+	void (*notify_connection_change)(imv_manager_t *this,
+									 TNC_ConnectionID id,
+									 TNC_ConnectionState state);
+
+	/**
+	 * Sets the supported message types reported by a given IMV
+	 *
+	 * @param id				ID of reporting IMV
+	 * @param supported_types	list of messages type supported by IMV
+	 * @param type_count		number of supported message types
+	 * @return					TNC result code
+	 */
+	TNC_Result (*set_message_types)(imv_manager_t *this,
+									TNC_IMVID id,
+									TNC_MessageTypeList supported_types,
+									TNC_UInt32 type_count);
+
+	/**
+	 * Solicit recommendations from IMVs that have not yet provided one
+	 *
+	 * @param id				connection ID
+	 */
+	void (*solicit_recommendation)(imv_manager_t *this, TNC_ConnectionID id);
+
+	/**
+	 * Delivers a message to interested IMVs.
+	 *
+	 * @param connection_id		ID of connection over which message was received
+	 * @param message			message
+	 * @param message_len		message length
+	 * @param message_type		message type
+	 */
+	void (*receive_message)(imv_manager_t *this,
+							TNC_ConnectionID connection_id,
+							TNC_BufferReference message,
+							TNC_UInt32 message_len,
+							TNC_MessageType message_type);
+
+	/**
+	 * Notify all IMVs that all IMC messages received in a batch have been
+	 * delivered and this is the IMVs last chance to send a message in the
+	 * batch of IMV messages currently being collected.
+	 *
+	 * @param id				connection ID
+	 */
+	void (*batch_ending)(imv_manager_t *this, TNC_ConnectionID id);
+
+	/**
+	 * Destroy an IMV manager and all its controlled instances.
+	 */
+	void (*destroy)(imv_manager_t *this);
+};
+
+#endif /** IMV_MANAGER_H_ @}*/
diff --git a/src/libcharon/tnc/imv/imv_recommendations.c b/src/libcharon/tnc/imv/imv_recommendations.c
new file mode 100644
index 000000000..9daaca16c
--- /dev/null
+++ b/src/libcharon/tnc/imv/imv_recommendations.c
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "imv_recommendations.h"
+
+ENUM(recommendation_policy_names, RECOMMENDATION_POLICY_DEFAULT,
+								  RECOMMENDATION_POLICY_ALL,
+	"default",
+	"any",
+	"all"
+);
+
diff --git a/src/libcharon/tnc/imv/imv_recommendations.h b/src/libcharon/tnc/imv/imv_recommendations.h
new file mode 100644
index 000000000..3a6e25c9f
--- /dev/null
+++ b/src/libcharon/tnc/imv/imv_recommendations.h
@@ -0,0 +1,117 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup imv_recommendations imv_recommendations
+ * @{ @ingroup imv
+ */
+
+#ifndef IMV_RECOMMENDATIONS_H_
+#define IMV_RECOMMENDATIONS_H_
+
+#include <tnc/tncifimv.h>
+#include <library.h>
+
+typedef enum recommendation_policy_t recommendation_policy_t;
+
+enum recommendation_policy_t {
+	RECOMMENDATION_POLICY_DEFAULT,
+	RECOMMENDATION_POLICY_ANY,
+	RECOMMENDATION_POLICY_ALL
+};
+
+extern enum_name_t *recommendation_policy_names;
+
+
+typedef struct recommendations_t recommendations_t;
+
+/**
+ * Collection of all IMV action recommendations and evaluation results
+ */
+struct recommendations_t {
+
+	/**
+	 * Deliver an IMV action recommendation and IMV evaluation result to the TNCS
+	 *
+	 * @param imv_id		ID of the IMV providing the recommendation
+	 * @param rec			action recommendation
+	 * @param eval			evaluation result
+	 * @return				return code
+	 */
+	TNC_Result (*provide_recommendation)(recommendations_t *this,
+										 TNC_IMVID imv_id,
+										 TNC_IMV_Action_Recommendation rec,
+										 TNC_IMV_Evaluation_Result eval);
+
+	/**
+	 * If all IMVs provided a recommendation, derive a consolidated action
+	 * recommendation and evaluation result based on a configured policy
+	 *
+	 * @param rec			action recommendation
+	 * @param eval			evaluation result
+	 * @return				TRUE if all IMVs provided a recommendation
+	 */
+	bool (*have_recommendation)(recommendations_t *this,
+								TNC_IMV_Action_Recommendation *rec,
+								TNC_IMV_Evaluation_Result *eval);
+
+	/**
+	 * Get the preferred language for remediation messages
+	 *
+	 * @return				preferred language
+	 */
+	chunk_t (*get_preferred_language)(recommendations_t *this);
+
+	/**
+	 * Set the preferred language for remediation messages
+	 *
+	 * @param pref_lang		preferred language
+	 */
+	void (*set_preferred_language)(recommendations_t *this, chunk_t pref_lang);
+
+	/**
+	 * Set the reason string
+	 *
+	 * @param id			ID of IMV setting the reason string
+	 * @param reason		reason string
+	 * @result				return code
+	 */
+	TNC_Result (*set_reason_string)(recommendations_t *this, TNC_IMVID id,
+									chunk_t reason);
+
+	/**
+	 * Set the language for reason strings
+	 *
+	 * @param id			ID of IMV setting the reason language
+	 * @param reason_lang	reason language
+	 * @result				return code
+	 */
+	TNC_Result (*set_reason_language)(recommendations_t *this, TNC_IMVID id,
+									  chunk_t reason_lang);
+
+	/**
+	 * Enumerates over all IMVs sending a reason string.
+	 * Format:  TNC_IMVID *id, chunk_t *reason, chunk_t *reason_language
+	 *
+	 * @return				enumerator
+	 */
+	enumerator_t* (*create_reason_enumerator)(recommendations_t *this);
+	/**
+	 * Destroys an imv_t object.
+	 */
+	void (*destroy)(recommendations_t *this);
+};
+
+#endif /** IMV_RECOMMENDATIONS_H_ @}*/
diff --git a/src/libcharon/tnc/tnccs/tnccs.c b/src/libcharon/tnc/tnccs/tnccs.c
new file mode 100644
index 000000000..575b850f5
--- /dev/null
+++ b/src/libcharon/tnc/tnccs/tnccs.c
@@ -0,0 +1,23 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "tnccs.h"
+
+ENUM(tnccs_type_names, TNCCS_UNKNOWN, TNCCS_2_0,
+	"unknown TNCCS",
+	"TNCCS 1.1",
+	"TNCCS SOH",
+	"TNCCS 2.0",
+);
diff --git a/src/libcharon/tnc/tnccs/tnccs.h b/src/libcharon/tnc/tnccs/tnccs.h
new file mode 100644
index 000000000..c5d6f5ef0
--- /dev/null
+++ b/src/libcharon/tnc/tnccs/tnccs.h
@@ -0,0 +1,82 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tnccs tnccs
+ * @ingroup tnc
+ *
+ * @defgroup tnccst tnccs
+ * @{ @ingroup tnccs
+ */
+
+#ifndef TNCCS_H_
+#define TNCCS_H_
+
+#include <tnc/tncif.h>
+#include <tnc/tncifimc.h>
+#include <tnc/tncifimv.h>
+#include <library.h>
+
+#define IETF_VENDOR_ID			0x000000	/*        0 */
+#define MICROSOFT_VENDOR_ID 	0x000137	/*      311 */
+#define OSC_VENDOR_ID			0x002358	/*     9048 */
+#define FHH_VENDOR_ID			0x0080ab	/*    32939 */
+#define ITA_VENDOR_ID			0x00902a	/*    36906 */
+#define RESERVED_VENDOR_ID		0xffffff	/* 16777215 */
+
+typedef enum tnccs_type_t tnccs_type_t;
+
+/**
+ * Type of TNC Client/Server protocol
+ */
+enum tnccs_type_t {
+	TNCCS_UNKNOWN,
+	TNCCS_1_1,
+	TNCCS_SOH,
+	TNCCS_2_0,
+	TNCCS_DYNAMIC
+};
+
+/**
+ * enum names for tnccs_type_t.
+ */
+extern enum_name_t *tnccs_type_names;
+
+typedef struct tnccs_t tnccs_t;
+
+/**
+ * Constructor definition for a pluggable TNCCS protocol implementation.
+ *
+ * @param is_server		TRUE if TNC Server, FALSE if TNC Client
+ * @return				implementation of the tnccs_t interface
+ */
+typedef tnccs_t* (*tnccs_constructor_t)(bool is_server);
+
+/**
+ * Callback function adding a message to a TNCCS batch
+ *
+ * @param imc_id		ID of IMC or TNC_IMCID_ANY
+ * @param imc_id		ID of IMV or TNC_IMVID_ANY
+ * @param msg			message to be added
+ * @param msg_len		message length
+ * @param msg_type		message type
+ */
+typedef void (*tnccs_send_message_t)(tnccs_t* tncss, TNC_IMCID imc_id,
+													 TNC_IMVID imv_id,
+									 				 TNC_BufferReference msg,
+													 TNC_UInt32 msg_len,
+													 TNC_MessageType msg_type);
+
+#endif /** TNCCS_H_ @}*/
diff --git a/src/libcharon/tnc/tnccs/tnccs_manager.c b/src/libcharon/tnc/tnccs/tnccs_manager.c
new file mode 100644
index 000000000..7e522b870
--- /dev/null
+++ b/src/libcharon/tnc/tnccs/tnccs_manager.c
@@ -0,0 +1,477 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "tnccs_manager.h"
+
+#include <tnc/imv/imv_recommendations.h>
+
+#include <debug.h>
+#include <daemon.h>
+#include <utils/linked_list.h>
+#include <threading/rwlock.h>
+
+typedef struct private_tnccs_manager_t private_tnccs_manager_t;
+typedef struct tnccs_entry_t tnccs_entry_t;
+typedef struct tnccs_connection_entry_t tnccs_connection_entry_t;
+
+/**
+ * TNCCS constructor entry
+ */
+struct tnccs_entry_t {
+
+	/**
+	 * TNCCS protocol type
+	 */
+	tnccs_type_t type;
+
+	/**
+	 * constructor function to create instance
+	 */
+	tnccs_constructor_t constructor;
+};
+
+/**
+ * TNCCS connection entry
+ */
+struct tnccs_connection_entry_t {
+
+	/**
+	 * TNCCS connection ID
+	 */
+	TNC_ConnectionID id;
+
+	/**
+	 * TNCCS instance
+	 */
+	tnccs_t *tnccs;
+
+	/**
+	 * TNCCS send message function
+	 */
+	tnccs_send_message_t send_message;
+
+	/**
+	 * TNCCS request handshake retry flag
+	 */
+	bool *request_handshake_retry;
+
+	/**
+	 * collection of IMV recommendations
+	 */
+	recommendations_t *recs;
+};
+
+/**
+ * private data of tnccs_manager
+ */
+struct private_tnccs_manager_t {
+
+	/**
+	 * public functions
+	 */
+	tnccs_manager_t public;
+
+	/**
+	 * list of TNCCS protocol entries
+	 */
+	linked_list_t *protocols;
+
+	/**
+	 * rwlock to lock the TNCCS protocol entries
+	 */
+	rwlock_t *protocol_lock;
+
+	/**
+	 * connection ID counter
+	 */
+	TNC_ConnectionID connection_id;
+
+	/**
+	 * list of TNCCS connection entries
+	 */
+	linked_list_t *connections;
+
+	/**
+	 * rwlock to lock TNCCS connection entries
+	 */
+	rwlock_t *connection_lock;
+
+};
+
+METHOD(tnccs_manager_t, add_method, void,
+	private_tnccs_manager_t *this, tnccs_type_t type,
+	tnccs_constructor_t constructor)
+{
+	tnccs_entry_t *entry;
+
+	entry = malloc_thing(tnccs_entry_t);
+	entry->type = type;
+	entry->constructor = constructor;
+
+	this->protocol_lock->write_lock(this->protocol_lock);
+	this->protocols->insert_last(this->protocols, entry);
+	this->protocol_lock->unlock(this->protocol_lock);
+}
+
+METHOD(tnccs_manager_t, remove_method, void,
+	private_tnccs_manager_t *this, tnccs_constructor_t constructor)
+{
+	enumerator_t *enumerator;
+	tnccs_entry_t *entry;
+
+	this->protocol_lock->write_lock(this->protocol_lock);
+	enumerator = this->protocols->create_enumerator(this->protocols);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (constructor == entry->constructor)
+		{
+			this->protocols->remove_at(this->protocols, enumerator);
+			free(entry);
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->protocol_lock->unlock(this->protocol_lock);
+}
+
+METHOD(tnccs_manager_t, create_instance, tnccs_t*,
+	private_tnccs_manager_t *this, tnccs_type_t type, bool is_server)
+{
+	enumerator_t *enumerator;
+	tnccs_entry_t *entry;
+	tnccs_t *protocol = NULL;
+
+	this->protocol_lock->read_lock(this->protocol_lock);
+	enumerator = this->protocols->create_enumerator(this->protocols);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (type == entry->type)
+		{
+			protocol = entry->constructor(is_server);
+			if (protocol)
+			{
+				break;
+			}
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->protocol_lock->unlock(this->protocol_lock);
+
+	return protocol;
+}
+
+METHOD(tnccs_manager_t, create_connection, TNC_ConnectionID,
+	private_tnccs_manager_t *this, tnccs_t *tnccs, 
+	tnccs_send_message_t send_message, bool* request_handshake_retry,
+	recommendations_t **recs)
+{
+	tnccs_connection_entry_t *entry;
+
+	entry = malloc_thing(tnccs_connection_entry_t);
+	entry->tnccs = tnccs;
+	entry->send_message = send_message;
+	entry->request_handshake_retry = request_handshake_retry;
+	if (recs)
+	{
+		/* we assume a TNC Server needing recommendations from IMVs */
+		if (!charon->imvs)
+		{
+ 			DBG1(DBG_TNC, "no IMV manager available!");
+			free(entry);
+			return 0;
+		}
+		entry->recs = charon->imvs->create_recommendations(charon->imvs);
+		*recs = entry->recs;
+	}
+	else
+	{
+		/* we assume a TNC Client */
+		if (!charon->imcs)
+		{
+			DBG1(DBG_TNC, "no IMC manager available!");
+			free(entry);
+			return 0;
+		}
+		entry->recs = NULL;
+	}
+	this->connection_lock->write_lock(this->connection_lock);
+	entry->id = ++this->connection_id;
+	this->connections->insert_last(this->connections, entry);
+	this->connection_lock->unlock(this->connection_lock);
+
+	DBG1(DBG_TNC, "assigned TNCCS Connection ID %u", entry->id);
+	return entry->id;
+}
+
+METHOD(tnccs_manager_t, remove_connection, void,
+	private_tnccs_manager_t *this, TNC_ConnectionID id)
+{
+	enumerator_t *enumerator;
+	tnccs_connection_entry_t *entry;
+
+	this->connection_lock->write_lock(this->connection_lock);
+	enumerator = this->connections->create_enumerator(this->connections);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (id == entry->id)
+		{
+			this->connections->remove_at(this->connections, enumerator);
+			if (entry->recs)
+			{
+				entry->recs->destroy(entry->recs);
+			}
+			free(entry);
+			DBG1(DBG_TNC, "removed TNCCS Connection ID %u", id);
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->connection_lock->unlock(this->connection_lock);
+}
+
+METHOD(tnccs_manager_t,	request_handshake_retry, TNC_Result,
+	private_tnccs_manager_t *this, bool is_imc, TNC_UInt32 imcv_id,
+												TNC_ConnectionID id,
+												TNC_RetryReason reason)
+{
+	enumerator_t *enumerator;
+	tnccs_connection_entry_t *entry;
+
+	if (id == TNC_CONNECTIONID_ANY)
+	{
+		DBG2(DBG_TNC, "%s %u requests handshake retry for all connections "
+					  "(reason: %u)", is_imc ? "IMC":"IMV", reason);
+	}
+	else
+	{
+		DBG2(DBG_TNC, "%s %u requests handshake retry for connection ID %u "
+					  "(reason: %u)", is_imc ? "IMC":"IMV", id, reason);
+	}
+	this->connection_lock->read_lock(this->connection_lock);
+	enumerator = this->connections->create_enumerator(this->connections);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (id == TNC_CONNECTIONID_ANY || id == entry->id)
+		{
+			*entry->request_handshake_retry = TRUE;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->connection_lock->unlock(this->connection_lock);
+
+	return TNC_RESULT_SUCCESS;
+}
+
+METHOD(tnccs_manager_t, send_message, TNC_Result,
+	private_tnccs_manager_t *this, TNC_IMCID imc_id, TNC_IMVID imv_id,
+								   TNC_ConnectionID id,
+								   TNC_BufferReference msg,
+								   TNC_UInt32 msg_len,
+								   TNC_MessageType msg_type)
+{
+	enumerator_t *enumerator;
+	tnccs_connection_entry_t *entry;
+	tnccs_send_message_t send_message = NULL;
+	tnccs_t *tnccs = NULL;
+
+	this->connection_lock->read_lock(this->connection_lock);
+	enumerator = this->connections->create_enumerator(this->connections);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (id == entry->id)
+		{
+			tnccs = entry->tnccs;
+			send_message = entry->send_message;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->connection_lock->unlock(this->connection_lock);
+
+	if (tnccs && send_message)
+	{
+		send_message(tnccs, imc_id, imv_id, msg, msg_len, msg_type);
+		return TNC_RESULT_SUCCESS;
+	 }
+	return TNC_RESULT_FATAL;
+}
+
+METHOD(tnccs_manager_t, provide_recommendation, TNC_Result,
+	private_tnccs_manager_t *this, TNC_IMVID imv_id,
+								   TNC_ConnectionID id,
+								   TNC_IMV_Action_Recommendation rec,
+								   TNC_IMV_Evaluation_Result eval)
+{
+	enumerator_t *enumerator;
+	tnccs_connection_entry_t *entry;
+	recommendations_t *recs = NULL;
+
+	this->connection_lock->read_lock(this->connection_lock);
+	enumerator = this->connections->create_enumerator(this->connections);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (id == entry->id)
+		{
+			recs = entry->recs;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->connection_lock->unlock(this->connection_lock);
+
+	if (recs)
+	{
+		recs->provide_recommendation(recs, imv_id, rec, eval);
+		return TNC_RESULT_SUCCESS;
+	 }
+	return TNC_RESULT_FATAL;
+}
+
+METHOD(tnccs_manager_t, get_attribute, TNC_Result,
+	private_tnccs_manager_t *this, TNC_IMVID imv_id,
+								   TNC_ConnectionID id,
+								   TNC_AttributeID attribute_id,
+								   TNC_UInt32 buffer_len,
+								   TNC_BufferReference buffer,
+								   TNC_UInt32 *out_value_len)
+{
+	enumerator_t *enumerator;
+	tnccs_connection_entry_t *entry;
+	recommendations_t *recs = NULL;
+
+	if (id == TNC_CONNECTIONID_ANY ||
+		attribute_id != TNC_ATTRIBUTEID_PREFERRED_LANGUAGE)
+	{
+		return TNC_RESULT_INVALID_PARAMETER;
+	}
+
+	this->connection_lock->read_lock(this->connection_lock);
+	enumerator = this->connections->create_enumerator(this->connections);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (id == entry->id)
+		{
+			recs = entry->recs;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->connection_lock->unlock(this->connection_lock);
+
+	if (recs)
+	{
+		chunk_t pref_lang;
+
+		pref_lang = recs->get_preferred_language(recs);
+		if (pref_lang.len == 0)
+		{
+			return TNC_RESULT_INVALID_PARAMETER;
+		}
+		*out_value_len = pref_lang.len;
+		if (buffer && buffer_len <= pref_lang.len)
+		{
+			memcpy(buffer, pref_lang.ptr, pref_lang.len);
+		}
+		return TNC_RESULT_SUCCESS;
+	 }
+	return TNC_RESULT_INVALID_PARAMETER;
+}
+
+METHOD(tnccs_manager_t, set_attribute, TNC_Result,
+	private_tnccs_manager_t *this, TNC_IMVID imv_id,
+								   TNC_ConnectionID id,
+								   TNC_AttributeID attribute_id,
+								   TNC_UInt32 buffer_len,
+								   TNC_BufferReference buffer)
+{
+	enumerator_t *enumerator;
+	tnccs_connection_entry_t *entry;
+	recommendations_t *recs = NULL;
+
+	if (id == TNC_CONNECTIONID_ANY ||
+		(attribute_id != TNC_ATTRIBUTEID_REASON_STRING &&
+		 attribute_id != TNC_ATTRIBUTEID_REASON_LANGUAGE))
+	{
+		return TNC_RESULT_INVALID_PARAMETER;
+	}
+
+	this->connection_lock->read_lock(this->connection_lock);
+	enumerator = this->connections->create_enumerator(this->connections);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (id == entry->id)
+		{
+			recs = entry->recs;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->connection_lock->unlock(this->connection_lock);
+
+	if (recs)
+	{
+		chunk_t attribute = { buffer, buffer_len };
+
+		if (attribute_id == TNC_ATTRIBUTEID_REASON_STRING)
+		{
+			return recs->set_reason_string(recs, imv_id, attribute);
+		}
+		else
+		{
+			return recs->set_reason_language(recs, imv_id, attribute);
+		}
+	}
+	return TNC_RESULT_INVALID_PARAMETER;
+}
+
+METHOD(tnccs_manager_t, destroy, void,
+	private_tnccs_manager_t *this)
+{
+	this->protocols->destroy_function(this->protocols, free);
+	this->protocol_lock->destroy(this->protocol_lock);
+	this->connections->destroy_function(this->connections, free);
+	this->connection_lock->destroy(this->connection_lock);
+	free(this);
+}
+
+/*
+ * See header
+ */
+tnccs_manager_t *tnccs_manager_create()
+{
+	private_tnccs_manager_t *this;
+
+	INIT(this,
+			.public = {
+				.add_method = _add_method,
+				.remove_method = _remove_method,
+				.create_instance = _create_instance,
+				.create_connection = _create_connection,
+				.remove_connection = _remove_connection,
+				.request_handshake_retry = _request_handshake_retry,
+				.send_message = _send_message,
+				.provide_recommendation = _provide_recommendation,
+				.get_attribute = _get_attribute,
+				.set_attribute = _set_attribute,
+				.destroy = _destroy,
+			},
+			.protocols = linked_list_create(),
+			.connections = linked_list_create(),
+			.protocol_lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
+			.connection_lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
+	);
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/tnc/tnccs/tnccs_manager.h b/src/libcharon/tnc/tnccs/tnccs_manager.h
new file mode 100644
index 000000000..c02eac03c
--- /dev/null
+++ b/src/libcharon/tnc/tnccs/tnccs_manager.h
@@ -0,0 +1,184 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tnccs_manager tnccs_manager
+ * @{ @ingroup tnccs
+ */
+
+#ifndef TNCCS_MANAGER_H_
+#define TNCCS_MANAGER_H_
+
+#include "tnccs.h"
+
+#include <tnc/imv/imv_recommendations.h>
+
+typedef struct tnccs_manager_t tnccs_manager_t;
+
+/**
+ * The TNCCS manager manages all TNCCS implementations and creates instances.
+ *
+ * A plugin registers its implemented TNCCS protocol with the manager by
+ * providing type and a constructor function. The manager then creates
+ * TNCCS protocol instances via the provided constructor.
+ */
+struct tnccs_manager_t {
+
+	/**
+	 * Register a TNCCS protocol implementation.
+	 *
+	 * @param type			TNCCS protocol type
+	 * @param constructor	constructor, returns a TNCCS protocol implementation
+	 */
+	void (*add_method)(tnccs_manager_t *this, tnccs_type_t type,
+					   tnccs_constructor_t constructor);
+
+	/**
+	 * Unregister a TNCCS protocol implementation using it's constructor.
+	 *
+	 * @param constructor	constructor function to remove, as added in add_method
+	 */
+	void (*remove_method)(tnccs_manager_t *this, tnccs_constructor_t constructor);
+
+	/**
+	 * Create a new TNCCS protocol instance.
+	 *
+	 * @param type		  type of the TNCCS protocol
+	 * @param is_server	  TRUE if TNC Server, FALSE if TNC Client
+	 * @return			  TNCCS protocol instance, NULL if no constructor found
+	 */
+	tnccs_t* (*create_instance)(tnccs_manager_t *this, tnccs_type_t type,
+								bool is_server);
+
+	/**
+	 * Create a TNCCS connection and assign a unique connection ID as well a
+	 * callback function for adding a message to a TNCCS batch and create
+	 * an empty set for collecting IMV recommendations
+	 *
+	 * @param tnccs						TNCCS connection instance
+	 * @param send_message				TNCCS callback function
+	 * @param request_handshake_retry	pointer to boolean variable
+	 * @param recs						pointer to IMV recommendation set
+	 * @return							assigned connection ID
+	 */
+	TNC_ConnectionID (*create_connection)(tnccs_manager_t *this, tnccs_t *tnccs,
+										  tnccs_send_message_t send_message,
+										  bool *request_handshake_retry,
+						 				  recommendations_t **recs);
+
+	/**
+	 * Remove a TNCCS connection using its connection ID.
+	 *
+	 * @param id				ID of the connection to be removed
+	 */
+	void (*remove_connection)(tnccs_manager_t *this, TNC_ConnectionID id);
+
+	/**
+	 * Request a handshake retry
+	 *
+	 * @param is_imc			TRUE if IMC, FALSE if IMV
+	 * @param imcv_id			ID of IMC or IMV requesting the retry
+	 * @param id				ID of a specific connection or any connection
+	 * @param reason			reason for the handshake retry
+	 * @return					return code
+	 */
+	TNC_Result (*request_handshake_retry)(tnccs_manager_t *this, bool is_imc,
+										  TNC_UInt32 imcv_id,
+										  TNC_ConnectionID id,
+										  TNC_RetryReason reason);
+
+	/**
+	 * Add an IMC/IMV message to the batch of a given connection ID.
+	 *
+	 * @param imc_id			ID of IMC or TNC_IMCID_ANY
+	 * @param imv_id			ID of IMV or TNC_IMVID_ANY
+	 * @param id				ID of target connection
+	 * @param msg				message to be added
+	 * @param msg_len			message length
+	 * @param msg_type			message type
+	 * @return					return code
+	 */
+	TNC_Result (*send_message)(tnccs_manager_t *this, TNC_IMCID imc_id,
+													  TNC_IMVID imv_id,
+													  TNC_ConnectionID id,
+													  TNC_BufferReference msg,
+													  TNC_UInt32 msg_len,
+													  TNC_MessageType msg_type);
+
+	/**
+	 * Deliver an IMV Action Recommendation and IMV Evaluation Result to the TNCS
+	 *
+	 * @param imv_id			ID of the IMV providing the recommendation
+	 * @param id				ID of target connection
+	 * @param rec				action recommendation
+	 * @param eval				evaluation result
+	 * @return					return code
+	 */
+	TNC_Result (*provide_recommendation)(tnccs_manager_t *this,
+										 TNC_IMVID imv_id,
+										 TNC_ConnectionID id,
+										 TNC_IMV_Action_Recommendation rec,
+										 TNC_IMV_Evaluation_Result eval);
+
+	/**
+	 * Get the value of an attribute associated with a connection or with the
+	 * TNCS as a whole.
+	 *
+	 * @param imv_id			ID of the IMV requesting the attribute
+	 * @param id				ID of target connection
+	 * @param attribute_id		ID of the requested attribute
+	 * @param buffer_len		length of the buffer in bytes
+	 * @param buffer			pointer to the buffer
+	 * @param out_value_len		actual length of the returned attribute
+	 * @return					return code
+	 */
+	TNC_Result (*get_attribute)(tnccs_manager_t *this,
+							   TNC_IMVID imv_id,
+							   TNC_ConnectionID id,
+							   TNC_AttributeID attribute_id,
+							   TNC_UInt32 buffer_len,
+							   TNC_BufferReference buffer,
+							   TNC_UInt32 *out_value_len);
+
+	/**
+	 * Set the value of an attribute associated with a connection or with the
+	 * TNCS as a whole.
+	 *
+	 * @param imv_id			ID of the IMV setting the attribute
+	 * @param id				ID of target connection
+	 * @param attribute_id		ID of the attribute to be set
+	 * @param buffer_len		length of the buffer in bytes
+	 * @param buffer			pointer to the buffer
+	 * @return					return code
+	 */
+	TNC_Result (*set_attribute)(tnccs_manager_t *this,
+								TNC_IMVID imv_id,
+								TNC_ConnectionID id,
+								TNC_AttributeID attribute_id,
+								TNC_UInt32 buffer_len,
+								TNC_BufferReference buffer);
+
+	/**
+	 * Destroy a tnccs_manager instance.
+	 */
+	void (*destroy)(tnccs_manager_t *this);
+};
+
+/**
+ * Create a tnccs_manager instance.
+ */
+tnccs_manager_t *tnccs_manager_create();
+
+#endif /** TNCCS_MANAGER_H_ @}*/
diff --git a/src/libcharon/tnc/tncif.h b/src/libcharon/tnc/tncif.h
new file mode 100644
index 000000000..99441a9a9
--- /dev/null
+++ b/src/libcharon/tnc/tncif.h
@@ -0,0 +1,106 @@
+/* tncif.h
+ *
+ * Trusted Network Connect IF-IMV API version 1.20
+ * Microsoft Windows DLL Platform Binding C Header
+ * February 5, 2007
+ *
+ * Copyright(c) 2005-2007, Trusted Computing Group, Inc. All rights
+ * reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * - Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ * - Redistributions in binary form must reproduce the above copyright
+ *   notice, this list of conditions and the following disclaimer in
+ *   the documentation and/or other materials provided with the
+ *   distribution.
+ * - Neither the name of the Trusted Computing Group nor the names of
+ *   its contributors may be used to endorse or promote products
+ *   derived from this software without specific prior written
+ *   permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ * Contact the Trusted Computing Group at
+ * admin@trustedcomputinggroup.org for information on specification
+ * licensing through membership agreements.
+ *
+ * Any marks and brands contained herein are the property of their
+ * respective owners.
+ *
+ * Trusted Network Connect IF-IMC/IF-IMV API version 1.00 Revision 3
+ * Microsoft Windows DLL Platform Binding C Header
+ * Common definitions for IF-IMC and IF-IMV
+ * extracted from tncifimc.h and tncifimv.h
+ * Feb 12, 2007
+ */
+
+/**
+ * @defgroup tnc tnc
+ * @ingroup libcharon
+ *
+ * @defgroup tncif tncif
+ * @{ @ingroup tnc
+ */
+
+#ifndef TNCIF_H_
+#define TNCIF_H_
+
+/* Basic Types */
+typedef unsigned long TNC_UInt32;
+typedef unsigned char *TNC_BufferReference;
+
+/* Derived Types */
+typedef TNC_UInt32 TNC_ConnectionID;
+typedef TNC_UInt32 TNC_ConnectionState;
+typedef TNC_UInt32 TNC_RetryReason;
+typedef TNC_UInt32 TNC_MessageType;
+typedef TNC_MessageType *TNC_MessageTypeList;
+typedef TNC_UInt32 TNC_VendorID;
+typedef TNC_UInt32 TNC_MessageSubtype;
+typedef TNC_UInt32 TNC_Version;
+typedef TNC_UInt32 TNC_Result;
+
+/* Result Codes */
+#define TNC_RESULT_SUCCESS 0
+#define TNC_RESULT_NOT_INITIALIZED 1
+#define TNC_RESULT_ALREADY_INITIALIZED 2
+#define TNC_RESULT_NO_COMMON_VERSION 3
+#define TNC_RESULT_CANT_RETRY 4
+#define TNC_RESULT_WONT_RETRY 5
+#define TNC_RESULT_INVALID_PARAMETER 6
+#define TNC_RESULT_CANT_RESPOND 7
+#define TNC_RESULT_ILLEGAL_OPERATION 8
+#define TNC_RESULT_OTHER 9
+#define TNC_RESULT_FATAL 10
+
+/* Network Connection ID Values */
+#define TNC_CONNECTIONID_ANY 0xFFFFFFFF
+/* Network Connection State Values */
+#define TNC_CONNECTION_STATE_CREATE 0
+#define TNC_CONNECTION_STATE_HANDSHAKE 1
+#define TNC_CONNECTION_STATE_ACCESS_ALLOWED 2
+#define TNC_CONNECTION_STATE_ACCESS_ISOLATED 3
+#define TNC_CONNECTION_STATE_ACCESS_NONE 4
+#define TNC_CONNECTION_STATE_DELETE 5
+
+/* Vendor ID Values */
+#define TNC_VENDORID_TCG 0
+#define TNC_VENDORID_ANY ((TNC_VendorID) 0xffffff)
+/* Message Subtype Values */
+#define TNC_SUBTYPE_ANY ((TNC_MessageSubtype) 0xff)
+
+#endif /** TNCIF_H_ @}*/
diff --git a/src/libcharon/tnc/tncifimc.h b/src/libcharon/tnc/tncifimc.h
new file mode 100644
index 000000000..c6ddabd45
--- /dev/null
+++ b/src/libcharon/tnc/tncifimc.h
@@ -0,0 +1,180 @@
+/* tncifimc.h
+ *
+ * Trusted Network Connect IF-IMC API version 1.20 Revision 8
+ * Microsoft Windows DLL Platform Binding C Header
+ * February 5, 2007
+ *
+ * Copyright(c) 2005-2007, Trusted Computing Group, Inc. All rights
+ * reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * - Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ * - Redistributions in binary form must reproduce the above copyright
+ *   notice, this list of conditions and the following disclaimer in
+ *   the documentation and/or other materials provided with the
+ *   distribution.
+ * - Neither the name of the Trusted Computing Group nor the names of
+ *   its contributors may be used to endorse or promote products
+ *   derived from this software without specific prior written
+ *   permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ * Contact the Trusted Computing Group at
+ * admin@trustedcomputinggroup.org for information on specification
+ * licensing through membership agreements.
+ *
+ * Any marks and brands contained herein are the property of their
+ * respective owners.
+ *
+ */
+
+/**
+ * @defgroup tncifimc tncifimc
+ * @{ @ingroup tnc
+ */
+
+#ifndef TNCIFIMC_H_
+#define TNCIFIMC_H_
+
+#include "tncif.h"
+
+/* Derived Types */
+
+typedef TNC_UInt32 TNC_IMCID;
+
+/* Function pointers */
+
+typedef TNC_Result (*TNC_IMC_InitializePointer)(
+    TNC_IMCID imcID,
+    TNC_Version minVersion,
+    TNC_Version maxVersion,
+    TNC_Version *pOutActualVersion);
+typedef TNC_Result (*TNC_IMC_NotifyConnectionChangePointer)(
+    TNC_IMCID imcID,
+    TNC_ConnectionID connectionID,
+    TNC_ConnectionState newState);
+typedef TNC_Result (*TNC_IMC_BeginHandshakePointer)(
+    TNC_IMCID imcID,
+    TNC_ConnectionID connectionID);
+typedef TNC_Result (*TNC_IMC_ReceiveMessagePointer)(
+    TNC_IMCID imcID,
+    TNC_ConnectionID connectionID,
+    TNC_BufferReference message,
+    TNC_UInt32 messageLength,
+    TNC_MessageType messageType);
+typedef TNC_Result (*TNC_IMC_BatchEndingPointer)(
+    TNC_IMCID imcID,
+    TNC_ConnectionID connectionID);
+typedef TNC_Result (*TNC_IMC_TerminatePointer)(
+    TNC_IMCID imcID);
+typedef TNC_Result (*TNC_TNCC_ReportMessageTypesPointer)(
+    TNC_IMCID imcID,
+    TNC_MessageTypeList supportedTypes,
+    TNC_UInt32 typeCount);
+typedef TNC_Result (*TNC_TNCC_SendMessagePointer)(
+    TNC_IMCID imcID,
+    TNC_ConnectionID connectionID,
+    TNC_BufferReference message,
+    TNC_UInt32 messageLength,
+    TNC_MessageType messageType);
+typedef TNC_Result (*TNC_TNCC_RequestHandshakeRetryPointer)(
+    TNC_IMCID imcID,
+    TNC_ConnectionID connectionID,
+    TNC_RetryReason reason);
+typedef TNC_Result (*TNC_TNCC_BindFunctionPointer)(
+    TNC_IMCID imcID,
+    char *functionName,
+    void **pOutfunctionPointer);
+typedef TNC_Result (*TNC_IMC_ProvideBindFunctionPointer)(
+    TNC_IMCID imcID,
+    TNC_TNCC_BindFunctionPointer bindFunction);
+
+#define TNC_IFIMC_VERSION_1 1
+
+/* Handshake Retry Reason Values */
+
+#define TNC_RETRY_REASON_IMC_REMEDIATION_COMPLETE 0
+#define TNC_RETRY_REASON_IMC_SERIOUS_EVENT 1
+#define TNC_RETRY_REASON_IMC_INFORMATIONAL_EVENT 2
+#define TNC_RETRY_REASON_IMC_PERIODIC 3
+/* reserved for TNC_RETRY_REASON_IMV_IMPORTANT_POLICY_CHANGE: 4 */
+/* reserved for TNC_RETRY_REASON_IMV_MINOR_POLICY_CHANGE: 5 */
+/* reserved for TNC_RETRY_REASON_IMV_SERIOUS_EVENT: 6 */
+/* reserved for TNC_RETRY_REASON_IMV_MINOR_EVENT: 7 */
+/* reserved for TNC_RETRY_REASON_IMV_PERIODIC: 8 */
+
+/* IMC Functions */
+
+TNC_Result TNC_IMC_Initialize(
+/*in*/  TNC_IMCID imcID,
+/*in*/  TNC_Version minVersion,
+/*in*/  TNC_Version maxVersion,
+/*out*/ TNC_Version *pOutActualVersion);
+
+TNC_Result TNC_IMC_NotifyConnectionChange(
+/*in*/  TNC_IMCID imcID,
+/*in*/  TNC_ConnectionID connectionID,
+/*in*/  TNC_ConnectionState newState);
+
+TNC_Result TNC_IMC_BeginHandshake(
+/*in*/  TNC_IMCID imcID,
+/*in*/  TNC_ConnectionID connectionID);
+
+TNC_Result TNC_IMC_ReceiveMessage(
+/*in*/  TNC_IMCID imcID,
+/*in*/  TNC_ConnectionID connectionID,
+/*in*/  TNC_BufferReference messageBuffer,
+/*in*/  TNC_UInt32 messageLength,
+/*in*/  TNC_MessageType messageType);
+
+TNC_Result TNC_IMC_BatchEnding(
+/*in*/  TNC_IMCID imcID,
+/*in*/  TNC_ConnectionID connectionID);
+
+TNC_Result TNC_IMC_Terminate(
+/*in*/  TNC_IMCID imcID);
+
+TNC_Result TNC_IMC_ProvideBindFunction(
+/*in*/  TNC_IMCID imcID,
+/*in*/  TNC_TNCC_BindFunctionPointer bindFunction);
+
+/* TNC Client Functions */
+
+TNC_Result TNC_TNCC_ReportMessageTypes(
+/*in*/  TNC_IMCID imcID,
+/*in*/  TNC_MessageTypeList supportedTypes,
+/*in*/  TNC_UInt32 typeCount);
+
+TNC_Result TNC_TNCC_SendMessage(
+/*in*/  TNC_IMCID imcID,
+/*in*/  TNC_ConnectionID connectionID,
+/*in*/  TNC_BufferReference message,
+/*in*/  TNC_UInt32 messageLength,
+/*in*/  TNC_MessageType messageType);
+
+TNC_Result TNC_TNCC_RequestHandshakeRetry(
+/*in*/  TNC_IMCID imcID,
+/*in*/  TNC_ConnectionID connectionID,
+/*in*/  TNC_RetryReason reason);
+
+TNC_Result TNC_TNCC_BindFunction(
+/*in*/  TNC_IMCID imcID,
+/*in*/  char *functionName,
+/*out*/ void **pOutfunctionPointer);
+
+#endif /** TNCIFIMC_H_ @}*/
diff --git a/src/libcharon/tnc/tncifimv.c b/src/libcharon/tnc/tncifimv.c
new file mode 100644
index 000000000..fbfd56566
--- /dev/null
+++ b/src/libcharon/tnc/tncifimv.c
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "tncifimv.h"
+
+ENUM(TNC_IMV_Action_Recommendation_names,
+	TNC_IMV_ACTION_RECOMMENDATION_ALLOW,
+	TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION,
+	"allow",
+	"no access",
+	"isolate",
+	"no recommendation"
+);
+
+ENUM(TNC_IMV_Evaluation_Result_names,
+	TNC_IMV_EVALUATION_RESULT_COMPLIANT,
+	TNC_IMV_EVALUATION_RESULT_DONT_KNOW,
+	"compliant",
+	"non-compliant minor",
+	"non-compliant major",
+	"error",
+	"don't know"
+);
+
diff --git a/src/libcharon/tnc/tncifimv.h b/src/libcharon/tnc/tncifimv.h
new file mode 100644
index 000000000..4ec101337
--- /dev/null
+++ b/src/libcharon/tnc/tncifimv.h
@@ -0,0 +1,248 @@
+/* tncifimv.h
+ *
+ * Trusted Network Connect IF-IMV API version 1.20
+ * Microsoft Windows DLL Platform Binding C Header
+ * February 5, 2007
+ *
+ * Copyright(c) 2005-2007, Trusted Computing Group, Inc. All rights
+ * reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * - Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ * - Redistributions in binary form must reproduce the above copyright
+ *   notice, this list of conditions and the following disclaimer in
+ *   the documentation and/or other materials provided with the
+ *   distribution.
+ * - Neither the name of the Trusted Computing Group nor the names of
+ *   its contributors may be used to endorse or promote products
+ *   derived from this software without specific prior written
+ *   permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ * Contact the Trusted Computing Group at
+ * admin@trustedcomputinggroup.org for information on specification
+ * licensing through membership agreements.
+ *
+ * Any marks and brands contained herein are the property of their
+ * respective owners.
+ */
+
+/**
+ * @defgroup tncifimv tncifimv
+ * @{ @ingroup tnc
+ */
+
+#ifndef TNCIFIMV_H_
+#define TNCIFIMV_H_
+
+#include "tncif.h"
+
+#include <library.h>
+
+typedef TNC_UInt32 TNC_IMVID;
+typedef TNC_UInt32 TNC_IMV_Action_Recommendation;
+typedef TNC_UInt32 TNC_IMV_Evaluation_Result;
+typedef TNC_UInt32 TNC_AttributeID;
+
+/* Function pointers */
+
+typedef TNC_Result (*TNC_IMV_InitializePointer)(
+	TNC_IMVID imvID,
+	TNC_Version minVersion,
+	TNC_Version maxVersion,
+	TNC_Version *pOutActualVersion);
+typedef TNC_Result (*TNC_IMV_NotifyConnectionChangePointer)(
+	TNC_IMVID imvID,
+	TNC_ConnectionID connectionID,
+	TNC_ConnectionState newState);
+typedef TNC_Result (*TNC_IMV_ReceiveMessagePointer)(
+	TNC_IMVID imvID,
+	TNC_ConnectionID connectionID,
+	TNC_BufferReference message,
+	TNC_UInt32 messageLength,
+	TNC_MessageType messageType);
+typedef TNC_Result (*TNC_IMV_SolicitRecommendationPointer)(
+	TNC_IMVID imvID,
+	TNC_ConnectionID connectionID);
+typedef TNC_Result (*TNC_IMV_BatchEndingPointer)(
+	TNC_IMVID imvID,
+	TNC_ConnectionID connectionID);
+typedef TNC_Result (*TNC_IMV_TerminatePointer)(
+	TNC_IMVID imvID);
+typedef TNC_Result (*TNC_TNCS_ReportMessageTypesPointer)(
+	TNC_IMVID imvID,
+	TNC_MessageTypeList supportedTypes,
+	TNC_UInt32 typeCount);
+typedef TNC_Result (*TNC_TNCS_SendMessagePointer)(
+	TNC_IMVID imvID,
+	TNC_ConnectionID connectionID,
+	TNC_BufferReference message,
+	TNC_UInt32 messageLength,
+	TNC_MessageType messageType);
+typedef TNC_Result (*TNC_TNCS_RequestHandshakeRetryPointer)(
+	TNC_IMVID imvID,
+	TNC_ConnectionID connectionID,
+	TNC_RetryReason reason);
+typedef TNC_Result (*TNC_TNCS_ProvideRecommendationPointer)(
+	TNC_IMVID imvID,
+	TNC_ConnectionID connectionID,
+	TNC_IMV_Action_Recommendation recommendation,
+	TNC_IMV_Evaluation_Result evaluation);
+typedef TNC_Result (*TNC_TNCS_GetAttributePointer)(
+	TNC_IMVID imvID,
+TNC_ConnectionID connectionID,
+TNC_AttributeID attributeID,
+	TNC_UInt32 bufferLength,
+	TNC_BufferReference buffer,
+	TNC_UInt32 *pOutValueLength);
+typedef TNC_Result (*TNC_TNCS_SetAttributePointer)(
+	TNC_IMVID imvID,
+	TNC_ConnectionID connectionID,
+TNC_AttributeID attributeID,
+	TNC_UInt32 bufferLength,
+	TNC_BufferReference buffer);
+typedef TNC_Result (*TNC_TNCS_BindFunctionPointer)(
+	TNC_IMVID imvID,
+	char *functionName,
+	void **pOutfunctionPointer);
+typedef TNC_Result (*TNC_IMV_ProvideBindFunctionPointer)(
+	TNC_IMVID imvID,
+	TNC_TNCS_BindFunctionPointer bindFunction);
+
+/* Version Numbers */
+
+#define TNC_IFIMV_VERSION_1 1
+
+/* Handshake Retry Reason Values */
+
+/* reserved for TNC_RETRY_REASON_IMC_REMEDIATION_COMPLETE: 0 */
+/* reserved for TNC_RETRY_REASON_IMC_SERIOUS_EVENT: 1 */
+/* reserved for TNC_RETRY_REASON_IMC_INFORMATIONAL_EVENT: 2 */
+/* reserved for TNC_RETRY_REASON_IMC_PERIODIC: 3 */
+#define TNC_RETRY_REASON_IMV_IMPORTANT_POLICY_CHANGE 4
+#define TNC_RETRY_REASON_IMV_MINOR_POLICY_CHANGE 5
+#define TNC_RETRY_REASON_IMV_SERIOUS_EVENT 6
+#define TNC_RETRY_REASON_IMV_MINOR_EVENT 7
+#define TNC_RETRY_REASON_IMV_PERIODIC 8
+
+/* IMV Action Recommendation Values */
+
+#define TNC_IMV_ACTION_RECOMMENDATION_ALLOW 0
+#define TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS 1
+#define TNC_IMV_ACTION_RECOMMENDATION_ISOLATE 2
+#define TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION 3
+
+extern enum_name_t *TNC_IMV_Action_Recommendation_names;
+
+/* IMV Evaluation Result Values */
+
+#define TNC_IMV_EVALUATION_RESULT_COMPLIANT 0
+#define TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MINOR 1
+#define TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MAJOR 2
+#define TNC_IMV_EVALUATION_RESULT_ERROR 3
+#define TNC_IMV_EVALUATION_RESULT_DONT_KNOW 4
+
+extern enum_name_t *TNC_IMV_Evaluation_Result_names;
+
+/* Message Attribute ID Values */
+
+#define TNC_ATTRIBUTEID_PREFERRED_LANGUAGE ((TNC_AttributeID) 0x00000001)
+#define TNC_ATTRIBUTEID_REASON_STRING ((TNC_AttributeID) 0x00000002)
+#define TNC_ATTRIBUTEID_REASON_LANGUAGE ((TNC_AttributeID) 0x00000003)
+
+/* IMV Functions */
+
+TNC_Result TNC_IMV_Initialize(
+/*in*/  TNC_IMVID imvID,
+/*in*/  TNC_Version minVersion,
+/*in*/  TNC_Version maxVersion,
+/*in*/  TNC_Version *pOutActualVersion);
+
+TNC_Result TNC_IMV_NotifyConnectionChange(
+/*in*/  TNC_IMVID imvID,
+/*in*/  TNC_ConnectionID connectionID,
+/*in*/  TNC_ConnectionState newState);
+
+TNC_Result TNC_IMV_ReceiveMessage(
+/*in*/  TNC_IMVID imvID,
+/*in*/  TNC_ConnectionID connectionID,
+/*in*/  TNC_BufferReference messageBuffer,
+/*in*/  TNC_UInt32 messageLength,
+/*in*/  TNC_MessageType messageType);
+
+TNC_Result TNC_IMV_SolicitRecommendation(
+/*in*/  TNC_IMVID imvID,
+/*in*/  TNC_ConnectionID connectionID);
+
+TNC_Result TNC_IMV_BatchEnding(
+/*in*/  TNC_IMVID imvID,
+/*in*/  TNC_ConnectionID connectionID);
+
+TNC_Result TNC_IMV_Terminate(
+/*in*/  TNC_IMVID imvID);
+
+TNC_Result TNC_IMV_ProvideBindFunction(
+/*in*/  TNC_IMVID imvID,
+/*in*/  TNC_TNCS_BindFunctionPointer bindFunction);
+
+/* TNC Server Functions */
+
+TNC_Result TNC_TNCS_ReportMessageTypes(
+/*in*/  TNC_IMVID imvID,
+/*in*/  TNC_MessageTypeList supportedTypes,
+/*in*/  TNC_UInt32 typeCount);
+
+TNC_Result TNC_TNCS_SendMessage(
+/*in*/  TNC_IMVID imvID,
+/*in*/  TNC_ConnectionID connectionID,
+/*in*/  TNC_BufferReference message,
+/*in*/  TNC_UInt32 messageLength,
+/*in*/  TNC_MessageType messageType);
+
+TNC_Result TNC_TNCS_RequestHandshakeRetry(
+/*in*/  TNC_IMVID imvID,
+/*in*/  TNC_ConnectionID connectionID,
+/*in*/  TNC_RetryReason reason);
+
+TNC_Result TNC_TNCS_ProvideRecommendation(
+/*in*/  TNC_IMVID imvID,
+/*in*/  TNC_ConnectionID connectionID,
+/*in*/  TNC_IMV_Action_Recommendation recommendation,
+/*in*/  TNC_IMV_Evaluation_Result evaluation);
+
+TNC_Result TNC_TNCS_GetAttribute(
+/*in*/  TNC_IMVID imvID,
+/*in*/  TNC_ConnectionID connectionID,
+/*in*/  TNC_AttributeID attributeID,
+/*in*/  TNC_UInt32 bufferLength,
+/*out*/ TNC_BufferReference buffer,
+/*out*/ TNC_UInt32 *pOutValueLength);
+
+TNC_Result TNC_TNCS_SetAttribute(
+/*in*/  TNC_IMVID imvID,
+/*in*/  TNC_ConnectionID connectionID,
+/*in*/  TNC_AttributeID attributeID,
+/*in*/  TNC_UInt32 bufferLength,
+/*in*/  TNC_BufferReference buffer);
+
+TNC_Result TNC_TNCS_BindFunction(
+/*in*/  TNC_IMVID imvID,
+/*in*/  char *functionName,
+/*in*/  void **pOutfunctionPointer);
+
+#endif /** TNCIFIMV_H_ @}*/
diff --git a/src/libcharon/tnccs/tnccs.c b/src/libcharon/tnccs/tnccs.c
deleted file mode 100644
index 2facf02c8..000000000
--- a/src/libcharon/tnccs/tnccs.c
+++ /dev/null
@@ -1,22 +0,0 @@
-/*
- * Copyright (C) 2010 Andreas Steffen
- * HSR Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "tnccs.h"
-
-ENUM(eap_type_names, TNCCS_1_1, TNCCS_2_0,
-	"TNCCS 1.1",
-	"TNCCS SOH",
-	"TNCCS 2.0",
-);
diff --git a/src/libcharon/tnccs/tnccs.h b/src/libcharon/tnccs/tnccs.h
deleted file mode 100644
index 583512e82..000000000
--- a/src/libcharon/tnccs/tnccs.h
+++ /dev/null
@@ -1,52 +0,0 @@
-/*
- * Copyright (C) 2010 Andreas Steffen
- * HSR Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup tnccs tnccs
- * @{ @ingroup libcharon
- */
-
-#ifndef TNCCS_H_
-#define TNCCS_H_
-
-typedef enum tnccs_type_t tnccs_type_t;
-
-#include <library.h>
-
-/**
- * Type of TNC Client/Server protocol
- */
-enum tnccs_type_t {
-	TNCCS_1_1,
-	TNCCS_SOH,
-	TNCCS_2_0
-};
-
-/**
- * enum names for tnccs_type_t.
- */
-extern enum_name_t *tnccs_type_names;
-
-typedef struct tnccs_t tnccs_t;
-
-/**
- * Constructor definition for a pluggable TNCCS protocol implementation.
- *
- * @param is_server		TRUE if TNC Server, FALSE if TNC Client
- * @return				implementation of the tnccs_t interface
- */
-typedef tnccs_t* (*tnccs_constructor_t)(bool is_server);
-
-#endif /** TNC_H_ @}*/
diff --git a/src/libcharon/tnccs/tnccs_manager.c b/src/libcharon/tnccs/tnccs_manager.c
deleted file mode 100644
index 0fd6737c0..000000000
--- a/src/libcharon/tnccs/tnccs_manager.c
+++ /dev/null
@@ -1,148 +0,0 @@
-/*
- * Copyright (C) 2010 Andreas Steffen
- * HSR Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "tnccs_manager.h"
-
-#include <utils/linked_list.h>
-#include <threading/rwlock.h>
-
-typedef struct private_tnccs_manager_t private_tnccs_manager_t;
-typedef struct tnccs_entry_t tnccs_entry_t;
-
-/**
- * TNCCS constructor entry
- */
-struct tnccs_entry_t {
-
-	/**
-	 * TNCCS protocol type
-	 */
-	tnccs_type_t type;
-
-	/**
-	 * constructor function to create instance
-	 */
-	tnccs_constructor_t constructor;
-};
-
-/**
- * private data of tnccs_manager
- */
-struct private_tnccs_manager_t {
-
-	/**
-	 * public functions
-	 */
-	tnccs_manager_t public;
-
-	/**
-	 * list of tnccs_entry_t's
-	 */
-	linked_list_t *protocols;
-
-	/**
-	 * rwlock to lock methods
-	 */
-	rwlock_t *lock;
-};
-
-METHOD(tnccs_manager_t, add_method, void,
-	private_tnccs_manager_t *this, tnccs_type_t type,
-	tnccs_constructor_t constructor)
-{
-	tnccs_entry_t *entry = malloc_thing(tnccs_entry_t);
-
-	entry->type = type;
-	entry->constructor = constructor;
-
-	this->lock->write_lock(this->lock);
-	this->protocols->insert_last(this->protocols, entry);
-	this->lock->unlock(this->lock);
-}
-
-METHOD(tnccs_manager_t, remove_method, void,
-	private_tnccs_manager_t *this, tnccs_constructor_t constructor)
-{
-	enumerator_t *enumerator;
-	tnccs_entry_t *entry;
-
-	this->lock->write_lock(this->lock);
-	enumerator = this->protocols->create_enumerator(this->protocols);
-	while (enumerator->enumerate(enumerator, &entry))
-	{
-		if (constructor == entry->constructor)
-		{
-			this->protocols->remove_at(this->protocols, enumerator);
-			free(entry);
-		}
-	}
-	enumerator->destroy(enumerator);
-	this->lock->unlock(this->lock);
-}
-
-METHOD(tnccs_manager_t, create_instance, tnccs_t*,
-	private_tnccs_manager_t *this, tnccs_type_t type, bool is_server)
-{
-	enumerator_t *enumerator;
-	tnccs_entry_t *entry;
-	tnccs_t *protocol = NULL;
-
-	this->lock->read_lock(this->lock);
-	enumerator = this->protocols->create_enumerator(this->protocols);
-	while (enumerator->enumerate(enumerator, &entry))
-	{
-		if (type == entry->type)
-		{
-			protocol = entry->constructor(is_server);
-			if (protocol)
-			{
-				break;
-			}
-		}
-	}
-	enumerator->destroy(enumerator);
-	this->lock->unlock(this->lock);
-	return protocol;
-}
-
-METHOD(tnccs_manager_t, destroy, void,
-	private_tnccs_manager_t *this)
-{
-	this->protocols->destroy_function(this->protocols, free);
-	this->lock->destroy(this->lock);
-	free(this);
-}
-
-/*
- * See header
- */
-tnccs_manager_t *tnccs_manager_create()
-{
-	private_tnccs_manager_t *this;
-
-	INIT(this,
-			.public = {
-				.add_method = _add_method,
-				.remove_method = _remove_method,
-				.create_instance = _create_instance,
-				.destroy = _destroy,
-			},
-			.protocols = linked_list_create(),
-			.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
-	);
-
-	return &this->public;
-}
-
diff --git a/src/libcharon/tnccs/tnccs_manager.h b/src/libcharon/tnccs/tnccs_manager.h
deleted file mode 100644
index 2f4a961a7..000000000
--- a/src/libcharon/tnccs/tnccs_manager.h
+++ /dev/null
@@ -1,74 +0,0 @@
-/*
- * Copyright (C) 2010 Andreas Steffen
- * HSR Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup tnccs_manager tnccs_manager
- * @{ @ingroup tnccs
- */
-
-#ifndef TNCCS_MANAGER_H_
-#define TNCCS_MANAGER_H_
-
-#include "tnccs.h"
-
-typedef struct tnccs_manager_t tnccs_manager_t;
-
-/**
- * The TNCCS manager manages all TNCCS implementations and creates instances.
- *
- * A plugin registers its implemented TNCCS protocol with the manager by
- * providing type and a constructor function. The manager then creates
- * TNCCS protocol instances via the provided constructor.
- */
-struct tnccs_manager_t {
-
-	/**
-	 * Register a TNCCS protocol implementation.
-	 *
-	 * @param type			TNCCS protocol type
-	 * @param constructor	constructor, returns a TNCCS protocol implementation
-	 */
-	void (*add_method)(tnccs_manager_t *this, tnccs_type_t type,
-					   tnccs_constructor_t constructor);
-
-	/**
-	 * Unregister a TNCCS protocol implementation using it's constructor.
-	 *
-	 * @param constructor	constructor function to remove, as added in add_method
-	 */
-	void (*remove_method)(tnccs_manager_t *this, tnccs_constructor_t constructor);
-
-	/**
-	 * Create a new TNCCS protocol instance.
-	 *
-	 * @param type			type of the TNCCS protocol
-	 * @param is_server		TRUE if TNC Server, FALSE if TNC Client
-	 * @return				TNCCS protocol instance, NULL if no constructor found
-	 */
-	tnccs_t* (*create_instance)(tnccs_manager_t *this, tnccs_type_t type,
-								bool is_server);
-
-	/**
-	 * Destroy a tnccs_manager instance.
-	 */
-	void (*destroy)(tnccs_manager_t *this);
-};
-
-/**
- * Create a tnccs_manager instance.
- */
-tnccs_manager_t *tnccs_manager_create();
-
-#endif /** TNCCS_MANAGER_H_ @}*/
diff --git a/src/libfast/Makefile.in b/src/libfast/Makefile.in
index 777f1fd10..46f23f4d6 100644
--- a/src/libfast/Makefile.in
+++ b/src/libfast/Makefile.in
@@ -217,9 +217,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -258,6 +256,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libfast/request.c b/src/libfast/request.c
index 16c1ae583..a3db70e82 100644
--- a/src/libfast/request.c
+++ b/src/libfast/request.c
@@ -120,7 +120,7 @@ static char *getenv_cb(void *null, const char *key)
 	private_request_t *this = (private_request_t*)thread_this->get(thread_this);
 
 	value = FCGX_GetParam(key, this->req.envp);
-	return value ? strdup(value) : NULL;
+	return strdupnull(value);
 }
 
 /**
@@ -203,6 +203,14 @@ static char* get_query_data(private_request_t *this, char *name)
 	return hdf_get_valuef(this->hdf, "Query.%s", name);
 }
 
+/**
+ * Implementation of request_t.get_env_var.
+ */
+static char* get_env_var(private_request_t *this, char *name)
+{
+	return FCGX_GetParam(name, this->req.envp);
+}
+
 /**
  * Implementation of request_t.read_data.
  */
@@ -415,6 +423,7 @@ request_t *request_create(int fd, bool debug)
 	this->public.add_cookie = (void(*)(request_t*, char *name, char *value))add_cookie;
 	this->public.get_cookie = (char*(*)(request_t*,char*))get_cookie;
 	this->public.get_query_data = (char*(*)(request_t*, char *name))get_query_data;
+	this->public.get_env_var = (char*(*)(request_t*, char *name))get_env_var;
 	this->public.read_data = (int(*)(request_t*, char*, int))read_data;
 	this->public.session_closed = (bool(*)(request_t*))session_closed;
 	this->public.close_session = (void(*)(request_t*))close_session;
diff --git a/src/libfast/request.h b/src/libfast/request.h
index 9ca74a91e..c9c1f13e2 100644
--- a/src/libfast/request.h
+++ b/src/libfast/request.h
@@ -85,6 +85,14 @@ struct request_t {
 	 */
 	char* (*get_query_data)(request_t *this, char *name);
 
+	/**
+	 * Get an arbitrary environment variable.
+	 *
+	 * @param name		name of the environment variable
+	 * @return			value, NULL if not found
+	 */
+	char* (*get_env_var)(request_t *this, char *name);
+
 	/**
 	 * Read raw POST/PUT data from HTTP request.
 	 *
diff --git a/src/libfreeswan/Makefile.am b/src/libfreeswan/Makefile.am
index 5fee39da9..09f5fe2cd 100644
--- a/src/libfreeswan/Makefile.am
+++ b/src/libfreeswan/Makefile.am
@@ -1,10 +1,10 @@
 noinst_LIBRARIES = libfreeswan.a
 libfreeswan_a_SOURCES = addrtoa.c addrtot.c addrtypeof.c anyaddr.c atoaddr.c atoasr.c \
-			atosa.c atosubnet.c atoul.c copyright.c datatot.c freeswan.h \
+			atosubnet.c atoul.c copyright.c datatot.c freeswan.h \
 			goodmask.c initaddr.c initsaid.c initsubnet.c internal.h ipsec_param.h \
-			keyblobtoid.c pfkey_v2_build.c pfkey_v2_debug.c \
-			pfkey_v2_ext_bits.c pfkey_v2_parse.c portof.c prng.c rangetoa.c \
-			pfkey.h pfkeyv2.h rangetosubnet.c sameaddr.c satoa.c \
+			pfkey_v2_build.c pfkey_v2_debug.c \
+			pfkey_v2_ext_bits.c pfkey_v2_parse.c portof.c rangetoa.c \
+			pfkey.h pfkeyv2.h rangetosubnet.c sameaddr.c \
 			satot.c subnetof.c subnettoa.c subnettot.c \
 			subnettypeof.c ttoaddr.c ttodata.c ttoprotoport.c ttosa.c ttosubnet.c ttoul.c \
 			ultoa.c ultot.c
@@ -14,7 +14,7 @@ INCLUDES = \
 -I$(top_srcdir)/src/libhydra \
 -I$(top_srcdir)/src/pluto
 
-dist_man3_MANS = anyaddr.3 atoaddr.3 atoasr.3 atosa.3 atoul.3 goodmask.3 initaddr.3 initsubnet.3 \
-                 keyblobtoid.3 portof.3 prng.3 rangetosubnet.3 sameaddr.3 subnetof.3 \
+dist_man3_MANS = anyaddr.3 atoaddr.3 atoasr.3 atoul.3 goodmask.3 initaddr.3 initsubnet.3 \
+                 portof.3 rangetosubnet.3 sameaddr.3 subnetof.3 \
                  ttoaddr.3 ttodata.3 ttosa.3 ttoul.3
 
diff --git a/src/libfreeswan/Makefile.in b/src/libfreeswan/Makefile.in
index 28ba035c6..88ceab557 100644
--- a/src/libfreeswan/Makefile.in
+++ b/src/libfreeswan/Makefile.in
@@ -58,19 +58,17 @@ libfreeswan_a_AR = $(AR) $(ARFLAGS)
 libfreeswan_a_LIBADD =
 am_libfreeswan_a_OBJECTS = addrtoa.$(OBJEXT) addrtot.$(OBJEXT) \
 	addrtypeof.$(OBJEXT) anyaddr.$(OBJEXT) atoaddr.$(OBJEXT) \
-	atoasr.$(OBJEXT) atosa.$(OBJEXT) atosubnet.$(OBJEXT) \
-	atoul.$(OBJEXT) copyright.$(OBJEXT) datatot.$(OBJEXT) \
-	goodmask.$(OBJEXT) initaddr.$(OBJEXT) initsaid.$(OBJEXT) \
-	initsubnet.$(OBJEXT) keyblobtoid.$(OBJEXT) \
+	atoasr.$(OBJEXT) atosubnet.$(OBJEXT) atoul.$(OBJEXT) \
+	copyright.$(OBJEXT) datatot.$(OBJEXT) goodmask.$(OBJEXT) \
+	initaddr.$(OBJEXT) initsaid.$(OBJEXT) initsubnet.$(OBJEXT) \
 	pfkey_v2_build.$(OBJEXT) pfkey_v2_debug.$(OBJEXT) \
 	pfkey_v2_ext_bits.$(OBJEXT) pfkey_v2_parse.$(OBJEXT) \
-	portof.$(OBJEXT) prng.$(OBJEXT) rangetoa.$(OBJEXT) \
-	rangetosubnet.$(OBJEXT) sameaddr.$(OBJEXT) satoa.$(OBJEXT) \
-	satot.$(OBJEXT) subnetof.$(OBJEXT) subnettoa.$(OBJEXT) \
-	subnettot.$(OBJEXT) subnettypeof.$(OBJEXT) ttoaddr.$(OBJEXT) \
-	ttodata.$(OBJEXT) ttoprotoport.$(OBJEXT) ttosa.$(OBJEXT) \
-	ttosubnet.$(OBJEXT) ttoul.$(OBJEXT) ultoa.$(OBJEXT) \
-	ultot.$(OBJEXT)
+	portof.$(OBJEXT) rangetoa.$(OBJEXT) rangetosubnet.$(OBJEXT) \
+	sameaddr.$(OBJEXT) satot.$(OBJEXT) subnetof.$(OBJEXT) \
+	subnettoa.$(OBJEXT) subnettot.$(OBJEXT) subnettypeof.$(OBJEXT) \
+	ttoaddr.$(OBJEXT) ttodata.$(OBJEXT) ttoprotoport.$(OBJEXT) \
+	ttosa.$(OBJEXT) ttosubnet.$(OBJEXT) ttoul.$(OBJEXT) \
+	ultoa.$(OBJEXT) ultot.$(OBJEXT)
 libfreeswan_a_OBJECTS = $(am_libfreeswan_a_OBJECTS)
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
@@ -234,9 +232,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -275,6 +271,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
@@ -287,11 +285,11 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 noinst_LIBRARIES = libfreeswan.a
 libfreeswan_a_SOURCES = addrtoa.c addrtot.c addrtypeof.c anyaddr.c atoaddr.c atoasr.c \
-			atosa.c atosubnet.c atoul.c copyright.c datatot.c freeswan.h \
+			atosubnet.c atoul.c copyright.c datatot.c freeswan.h \
 			goodmask.c initaddr.c initsaid.c initsubnet.c internal.h ipsec_param.h \
-			keyblobtoid.c pfkey_v2_build.c pfkey_v2_debug.c \
-			pfkey_v2_ext_bits.c pfkey_v2_parse.c portof.c prng.c rangetoa.c \
-			pfkey.h pfkeyv2.h rangetosubnet.c sameaddr.c satoa.c \
+			pfkey_v2_build.c pfkey_v2_debug.c \
+			pfkey_v2_ext_bits.c pfkey_v2_parse.c portof.c rangetoa.c \
+			pfkey.h pfkeyv2.h rangetosubnet.c sameaddr.c \
 			satot.c subnetof.c subnettoa.c subnettot.c \
 			subnettypeof.c ttoaddr.c ttodata.c ttoprotoport.c ttosa.c ttosubnet.c ttoul.c \
 			ultoa.c ultot.c
@@ -301,8 +299,8 @@ INCLUDES = \
 -I$(top_srcdir)/src/libhydra \
 -I$(top_srcdir)/src/pluto
 
-dist_man3_MANS = anyaddr.3 atoaddr.3 atoasr.3 atosa.3 atoul.3 goodmask.3 initaddr.3 initsubnet.3 \
-                 keyblobtoid.3 portof.3 prng.3 rangetosubnet.3 sameaddr.3 subnetof.3 \
+dist_man3_MANS = anyaddr.3 atoaddr.3 atoasr.3 atoul.3 goodmask.3 initaddr.3 initsubnet.3 \
+                 portof.3 rangetosubnet.3 sameaddr.3 subnetof.3 \
                  ttoaddr.3 ttodata.3 ttosa.3 ttoul.3
 
 all: all-am
@@ -359,7 +357,6 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/anyaddr.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/atoaddr.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/atoasr.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/atosa.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/atosubnet.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/atoul.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/copyright.Po@am__quote@
@@ -368,17 +365,14 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/initaddr.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/initsaid.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/initsubnet.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/keyblobtoid.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pfkey_v2_build.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pfkey_v2_debug.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pfkey_v2_ext_bits.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pfkey_v2_parse.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/portof.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/prng.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rangetoa.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rangetosubnet.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sameaddr.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/satoa.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/satot.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/subnetof.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/subnettoa.Po@am__quote@
diff --git a/src/libfreeswan/atosa.3 b/src/libfreeswan/atosa.3
deleted file mode 100644
index f57fcf1e9..000000000
--- a/src/libfreeswan/atosa.3
+++ /dev/null
@@ -1,217 +0,0 @@
-.TH IPSEC_ATOSA 3 "11 June 2001"
-.SH NAME
-ipsec atosa, satoa \- convert IPsec Security Association IDs to and from ASCII
-.SH SYNOPSIS
-.B "#include <freeswan.h>
-.sp
-.B "const char *atosa(const char *src, size_t srclen,"
-.ti +1c
-.B "struct sa_id *sa);
-.br
-.B "size_t satoa(struct sa_id sa, int format,"
-.ti +1c
-.B "char *dst, size_t dstlen);"
-.sp
-.B "struct sa_id {"
-.ti +1c
-.B "struct in_addr dst;"
-.ti +1c
-.B "ipsec_spi_t spi;"
-.ti +1c
-.B "int proto;"
-.br
-.B "};"
-.SH DESCRIPTION
-These functions are obsolete; see
-.IR ipsec_ttosa (3)
-for their replacements.
-.PP
-.I Atosa
-converts an ASCII Security Association (SA) specifier into an
-.B sa_id
-structure (containing
-a destination-host address
-in network byte order,
-an SPI number in network byte order, and
-a protocol code).
-.I Satoa
-does the reverse conversion, back to an ASCII SA specifier.
-.PP
-An SA is specified in ASCII with a mail-like syntax, e.g.
-.BR esp507@1.2.3.4 .
-An SA specifier contains
-a protocol prefix (currently
-.BR ah ,
-.BR esp ,
-or
-.BR tun ),
-an unsigned integer SPI number,
-and an IP address.
-The SPI number can be decimal or hexadecimal
-(with
-.B 0x
-prefix), as accepted by
-.IR ipsec_atoul (3).
-The IP address can be any form accepted by
-.IR ipsec_atoaddr (3),
-e.g. dotted-decimal address or DNS name.
-.PP
-As a special case, the SA specifier
-.B %passthrough
-signifies the special SA used to indicate that packets should be
-passed through unaltered.
-(At present, this is a synonym for
-.BR tun0x0@0.0.0.0 ,
-but that is subject to change without notice.)
-This form is known to both
-.I atosa
-and
-.IR satoa ,
-so the internal form of
-.B %passthrough
-is never visible.
-.PP
-The
-.B <freeswan.h>
-header file supplies the
-.B sa_id
-structure, as well as a data type
-.B ipsec_spi_t
-which is an unsigned 32-bit integer.
-(There is no consistency between kernel and user on what such a type
-is called, hence the header hides the differences.)
-.PP
-The protocol code uses the same numbers that IP does.
-For user convenience, given the difficulty in acquiring the exact set of
-protocol names used by the kernel,
-.B <freeswan.h>
-defines the names
-.BR SA_ESP ,
-.BR SA_AH ,
-and
-.B SA_IPIP
-to have the same values as the kernel names
-.BR IPPROTO_ESP ,
-.BR IPPROTO_AH ,
-and
-.BR IPPROTO_IPIP .
-.PP
-The
-.I srclen
-parameter of
-.I atosa
-specifies the length of the ASCII string pointed to by
-.IR src ;
-it is an error for there to be anything else
-(e.g., a terminating NUL) within that length.
-As a convenience for cases where an entire NUL-terminated string is
-to be converted,
-a
-.I srclen
-value of
-.B 0
-is taken to mean
-.BR strlen(src) .
-.PP
-The
-.I dstlen
-parameter of
-.I satoa
-specifies the size of the
-.I dst
-parameter;
-under no circumstances are more than
-.I dstlen
-bytes written to
-.IR dst .
-A result which will not fit is truncated.
-.I Dstlen
-can be zero, in which case
-.I dst
-need not be valid and no result is written,
-but the return value is unaffected;
-in all other cases, the (possibly truncated) result is NUL-terminated.
-The
-.I freeswan.h
-header file defines a constant,
-.BR SATOA_BUF ,
-which is the size of a buffer just large enough for worst-case results.
-.PP
-The
-.I format
-parameter of
-.I satoa
-specifies what format is to be used for the conversion.
-The value
-.B 0
-(not the ASCII character
-.BR '0' ,
-but a zero value)
-specifies a reasonable default
-(currently
-lowercase protocol prefix, lowercase hexadecimal SPI, dotted-decimal address).
-The value
-.B d
-causes the SPI to be generated in decimal instead.
-.PP
-.I Atosa
-returns
-.B NULL
-for success and
-a pointer to a string-literal error message for failure;
-see DIAGNOSTICS.
-.I Satoa
-returns
-.B 0
-for a failure, and otherwise
-always returns the size of buffer which would 
-be needed to
-accommodate the full conversion result, including terminating NUL;
-it is the caller's responsibility to check this against the size of
-the provided buffer to determine whether truncation has occurred.
-.SH SEE ALSO
-ipsec_atoul(3), ipsec_atoaddr(3), inet(3)
-.SH DIAGNOSTICS
-Fatal errors in
-.I atosa
-are:
-empty input;
-input too small to be a legal SA specifier;
-no
-.B @
-in input;
-unknown protocol prefix;
-conversion error in
-.I atoul
-or
-.IR atoaddr .
-.PP
-Fatal errors in
-.I satoa
-are:
-unknown format; unknown protocol code.
-.SH HISTORY
-Written for the FreeS/WAN project by Henry Spencer.
-.SH BUGS
-The
-.B tun
-protocol code is a FreeS/WANism which may eventually disappear.
-.PP
-The restriction of ASCII-to-binary error reports to literal strings
-(so that callers don't need to worry about freeing them or copying them)
-does limit the precision of error reporting.
-.PP
-The ASCII-to-binary error-reporting convention lends itself
-to slightly obscure code,
-because many readers will not think of NULL as signifying success.
-A good way to make it clearer is to write something like:
-.PP
-.RS
-.nf
-.B "const char *error;"
-.sp
-.B "error = atoaddr( /* ... */ );"
-.B "if (error != NULL) {"
-.B "        /* something went wrong */"
-.fi
-.RE
diff --git a/src/libfreeswan/atosa.c b/src/libfreeswan/atosa.c
deleted file mode 100644
index 7339b4c3e..000000000
--- a/src/libfreeswan/atosa.c
+++ /dev/null
@@ -1,198 +0,0 @@
-/*
- * convert from ASCII form of SA ID to binary
- * Copyright (C) 1998, 1999  Henry Spencer.
- *
- * This library is free software; you can redistribute it and/or modify it
- * under the terms of the GNU Library General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- *
- * This library is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
- * License for more details.
- */
-#include "internal.h"
-#include "freeswan.h"
-
-static struct satype {
-	char *prefix;
-	size_t prelen;		/* strlen(prefix) */
-	int proto;
-} satypes[] = {
-	{ "ah",		2,	SA_AH	},
-	{ "esp",	3,	SA_ESP	},
-	{ "tun",	3,	SA_IPIP },
-	{ "comp",	4,	SA_COMP },
-	{ NULL,		0,	0,	}
-};
-
-/*
- - atosa - convert ASCII "ah507@10.0.0.1" to SA identifier
- */
-const char *			/* NULL for success, else string literal */
-atosa(src, srclen, sa)
-const char *src;
-size_t srclen;			/* 0 means "apply strlen" */
-struct sa_id *sa;
-{
-	const char *at;
-	const char *addr;
-	const char *spi = NULL;
-	struct satype *sat;
-	unsigned long ul;
-	const char *oops;
-#	define	MINLEN	5	/* ah0@0 is as short as it can get */
-	static char ptname[] = PASSTHROUGHNAME;
-#	define	PTNLEN	(sizeof(ptname)-1)	/* -1 for NUL */
-
-	if (srclen == 0)
-		srclen = strlen(src);
-	if (srclen == 0)
-		return "empty string";
-	if (srclen < MINLEN)
-		return "string too short to be SA specifier";
-	if (srclen == PTNLEN && memcmp(src, ptname, PTNLEN) == 0) {
-		src = PASSTHROUGHIS;
-		srclen = strlen(src);
-	}
-
-	at = memchr(src, '@', srclen);
-	if (at == NULL)
-		return "no @ in SA specifier";
-
-	for (sat = satypes; sat->prefix != NULL; sat++)
-		if (sat->prelen < srclen &&
-				strncmp(src, sat->prefix, sat->prelen) == 0) {
-			sa->proto = sat->proto;
-			spi = src + sat->prelen;
-			break;			/* NOTE BREAK OUT */
-		}
-	if (sat->prefix == NULL)
-		return "SA specifier lacks valid protocol prefix";
-
-	if (spi >= at)
-		return "no SPI in SA specifier";
-	oops = atoul(spi, at - spi, 13, &ul);
-	if (oops != NULL)
-		return oops;
-	sa->spi = htonl(ul);
-
-	addr = at + 1;
-	oops = atoaddr(addr, srclen - (addr - src), &sa->dst);
-	if (oops != NULL)
-		return oops;
-
-	return NULL;
-}
-
-
-
-#ifdef ATOSA_MAIN
-
-#include <stdio.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-
-void regress(void);
-
-int
-main(int argc, char *argv[])
-{
-	struct sa_id sa;
-	char buf[100];
-	const char *oops;
-	size_t n;
-
-	if (argc < 2) {
-		fprintf(stderr, "Usage: %s {ahnnn@aaa|-r}\n", argv[0]);
-		exit(2);
-	}
-
-	if (strcmp(argv[1], "-r") == 0) {
-		regress();
-		fprintf(stderr, "regress() returned?!?\n");
-		exit(1);
-	}
-
-	oops = atosa(argv[1], 0, &sa);
-	if (oops != NULL) {
-		fprintf(stderr, "%s: conversion failed: %s\n", argv[0], oops);
-		exit(1);
-	}
-	n = satoa(sa, 0, buf, sizeof(buf));
-	if (n > sizeof(buf)) {
-		fprintf(stderr, "%s: reverse conv of `%d'", argv[0], sa.proto);
-		fprintf(stderr, "%lu@", (long unsigned int)sa.spi);
-		fprintf(stderr, "%s", inet_ntoa(sa.dst));
-		fprintf(stderr, " failed: need %ld bytes, have only %ld\n",
-						(long)n, (long)sizeof(buf));
-		exit(1);
-	}
-	printf("%s\n", buf);
-
-	exit(0);
-}
-
-struct rtab {
-	char *input;
-	char *output;			/* NULL means error expected */
-} rtab[] = {
-	{"esp257@1.2.3.0",		"esp257@1.2.3.0"},
-	{"ah0x20@1.2.3.4",		"ah32@1.2.3.4"},
-	{"tun011@111.2.3.99",		"tun11@111.2.3.99"},
-	{"",				NULL},
-	{"_",				NULL},
-	{"ah2.2",			NULL},
-	{"goo2@1.2.3.4",			NULL},
-	{"esp9@1.2.3.4",			"esp9@1.2.3.4"},
-	{"espp9@1.2.3.4",		NULL},
-	{"es9@1.2.3.4",			NULL},
-	{"ah@1.2.3.4",			NULL},
-	{"esp7x7@1.2.3.4",		NULL},
-	{"esp77@1.0x2.3.4",		NULL},
-	{PASSTHROUGHNAME,		PASSTHROUGHNAME},
-        {NULL,				NULL}
-};
-
-void
-regress(void)
-{
-	struct rtab *r;
-	int status = 0;
-	struct sa_id sa;
-	char in[100];
-	char buf[100];
-	const char *oops;
-	size_t n;
-
-	for (r = rtab; r->input != NULL; r++) {
-		strcpy(in, r->input);
-		oops = atosa(in, 0, &sa);
-		if (oops != NULL && r->output == NULL)
-			{}		/* okay, error expected */
-		else if (oops != NULL) {
-			printf("`%s' atosa failed: %s\n", r->input, oops);
-			status = 1;
-		} else if (r->output == NULL) {
-			printf("`%s' atosa succeeded unexpectedly\n",
-								r->input);
-			status = 1;
-		} else {
-			n = satoa(sa, 'd', buf, sizeof(buf));
-			if (n > sizeof(buf)) {
-				printf("`%s' satoa failed:  need %ld\n",
-							r->input, (long)n);
-				status = 1;
-			} else if (strcmp(r->output, buf) != 0) {
-				printf("`%s' gave `%s', expected `%s'\n",
-						r->input, buf, r->output);
-				status = 1;
-			}
-		}
-	}
-	exit(status);
-}
-
-#endif /* ATOSA_MAIN */
diff --git a/src/libfreeswan/copyright.c b/src/libfreeswan/copyright.c
index 65585b62e..e55e849f7 100644
--- a/src/libfreeswan/copyright.c
+++ b/src/libfreeswan/copyright.c
@@ -27,13 +27,13 @@ static const char *co[] = {
  "    Christoph Gysin, Andreas Hess, Patric Lichtsteiner, Michael Meier,",
  "    Andreas Schleiss, Ariane Seiler, Mario Strasser, Lukas Suter,",
  "    Roger Wegmann, Simon Zwahlen,",
- "    Zuercher Hochschule Winterthur (Switzerland).",
+ "    ZHW Zuercher Hochschule Winterthur (Switzerland).",
  "",
- "    Philip Boetschi, Tobias Brunner, Adrian Doerig, Andreas Eigenmann,",
- "    Fabian Hartmann, Noah Heusser, Jan Hutter, Thomas Kallenberg,",
- "    Daniel Roethlisberger, Joel Stillhart, Martin Willi, Daniel Wydler,",
- "    Andreas Steffen,",
- "    Hochschule fuer Technik Rapperswil (Switzerland).",
+ "    Philip Boetschi, Tobias Brunner, Sansar Choinyambuu, Adrian Doerig,",
+ "    Andreas Eigenmann, Fabian Hartmann, Noah Heusser, Jan Hutter,",
+ "    Thomas Kallenberg, Daniel Roethlisberger, Joel Stillhart, Martin Willi,",
+ "    Daniel Wydler, Andreas Steffen,",
+ "    HSR Hochschule fuer Technik Rapperswil (Switzerland).",
  "",
  "This program is free software; you can redistribute it and/or modify it",
  "under the terms of the GNU General Public License as published by the",
diff --git a/src/libfreeswan/freeswan.h b/src/libfreeswan/freeswan.h
index 342f59987..724165bde 100644
--- a/src/libfreeswan/freeswan.h
+++ b/src/libfreeswan/freeswan.h
@@ -158,11 +158,6 @@ err_t ttodatav(const char *src, size_t srclen, int base,
 
 size_t datatot(const char *src, size_t srclen, int format, char *buf,
 								size_t buflen);
-size_t keyblobtoid(const unsigned char *src, size_t srclen, char *dst,
-								size_t dstlen);
-size_t splitkeytoid(const unsigned char *e, size_t elen, const unsigned char *m,
-					size_t mlen, char *dst, size_t dstlen);
-#define	KEYID_BUF		10	/* up to 9 text digits plus NUL */
 err_t ttoprotoport(char *src, size_t src_len, u_int8_t *proto, u_int16_t *port,
 							bool *has_port_wildcard);
 
@@ -206,12 +201,6 @@ void setportof(int port, ip_address *dst);
 struct sockaddr *sockaddrof(ip_address *src);
 size_t sockaddrlenof(const ip_address *src);
 
-/* PRNG */
-void prng_init(struct prng *prng, const unsigned char *key, size_t keylen);
-void prng_bytes(struct prng *prng, unsigned char *dst, size_t dstlen);
-unsigned long prng_count(struct prng *prng);
-void prng_final(struct prng *prng);
-
 /* odds and ends */
 const char **ipsec_copyright_notice(void);
 
@@ -294,24 +283,6 @@ rangetoa(
 );
 #define	RANGETOA_BUF	34	/* large enough for worst case result */
 
-/* data types for SA conversion functions */
-
-/* SAs */
-const char *			/* NULL for success, else string literal */
-atosa(
-	const char *src,
-	size_t srclen,		/* 0 means strlen(src) */
-	struct sa_id *sa
-);
-size_t				/* space needed for full conversion */
-satoa(
-	struct sa_id sa,
-	int format,		/* character; 0 means default */
-	char *dst,
-	size_t dstlen
-);
-#define	SATOA_BUF	(3+ULTOA_BUF+ADDRTOA_BUF)
-
 /* generic data, e.g. keys */
 const char *			/* NULL for success, else string literal */
 atobytes(
diff --git a/src/libfreeswan/keyblobtoid.3 b/src/libfreeswan/keyblobtoid.3
deleted file mode 100644
index 8b5bfb0a2..000000000
--- a/src/libfreeswan/keyblobtoid.3
+++ /dev/null
@@ -1,102 +0,0 @@
-.TH IPSEC_KEYBLOBTOID 3 "25 March 2002"
-.SH NAME
-ipsec keyblobtoid, splitkeytoid \- generate key IDs from RSA keys
-.SH SYNOPSIS
-.B "#include <freeswan.h>
-.sp
-.B "size_t keyblobtoid(const unsigned char *blob,"
-.ti +1c
-.B "size_t bloblen, char *dst, size_t dstlen);"
-.br
-.B "size_t splitkeytoid(const unsigned char *e, size_t elen,"
-.ti +1c
-.B "const unsigned char *m, size_t mlen, char *dst,
-.ti +1c
-.B "size_t dstlen);"
-.SH DESCRIPTION
-.I Keyblobtoid
-and
-.I splitkeytoid
-generate
-key IDs
-from RSA keys,
-for use in messages and reporting,
-writing the result to
-.IR dst .
-A
-.I key ID
-is a short ASCII string identifying a key;
-currently it is just the first nine characters of the base64
-encoding of the RFC 2537/3110 ``byte blob'' representation of the key.
-(Beware that no finite key ID can be collision-proof:
-there is always some small chance of two random keys having the
-same ID.)
-.PP
-.I Keyblobtoid
-generates a key ID from a key which is already in the form of an
-RFC 2537/3110 binary key
-.I blob
-(encoded exponent length, exponent, modulus).
-.PP
-.I Splitkeytoid
-generates a key ID from a key given in the form of a separate
-(binary) exponent
-.I e
-and modulus
-.IR m .
-.PP
-The
-.I dstlen
-parameter of either
-specifies the size of the
-.I dst
-parameter;
-under no circumstances are more than
-.I dstlen
-bytes written to
-.IR dst .
-A result which will not fit is truncated.
-.I Dstlen
-can be zero, in which case
-.I dst
-need not be valid and no result is written,
-but the return value is unaffected;
-in all other cases, the (possibly truncated) result is NUL-terminated.
-The
-.I freeswan.h
-header file defines a constant
-.B KEYID_BUF
-which is the size of a buffer large enough for worst-case results.
-.PP
-Both functions return
-.B 0
-for a failure, and otherwise
-always return the size of buffer which would 
-be needed to
-accommodate the full conversion result, including terminating NUL;
-it is the caller's responsibility to check this against the size of
-the provided buffer to determine whether truncation has occurred.
-.P
-With keys generated by
-.IR ipsec_rsasigkey (3),
-the first two base64 digits are always the same,
-and the third carries only about one bit of information.
-It's worse with keys using longer fixed exponents,
-e.g. the 24-bit exponent that's common in X.509 certificates.
-However, being able to relate key IDs to the full
-base64 text form of keys by eye is sufficiently useful that this
-waste of space seems justifiable.
-The choice of nine digits is a compromise between bulk and
-probability of collision.
-.SH SEE ALSO
-RFC 3110,
-\fIRSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS)\fR,
-Eastlake, 2001
-(superseding the older but better-known RFC 2537).
-.SH DIAGNOSTICS
-Fatal errors are:
-key too short to supply enough bits to construct a complete key ID
-(almost certainly indicating a garbage key);
-exponent too long for its length to be representable.
-.SH HISTORY
-Written for the FreeS/WAN project by Henry Spencer.
diff --git a/src/libfreeswan/keyblobtoid.c b/src/libfreeswan/keyblobtoid.c
deleted file mode 100644
index 89ab5fced..000000000
--- a/src/libfreeswan/keyblobtoid.c
+++ /dev/null
@@ -1,146 +0,0 @@
-/*
- * generate printable key IDs
- * Copyright (C) 2002  Henry Spencer.
- *
- * This library is free software; you can redistribute it and/or modify it
- * under the terms of the GNU Library General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- *
- * This library is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
- * License for more details.
- */
-#include "internal.h"
-#include "freeswan.h"
-
-/*
- - keyblobtoid - generate a printable key ID from an RFC 2537/3110 key blob
- * Current algorithm is just to use first nine base64 digits.
- */
-size_t
-keyblobtoid(src, srclen, dst, dstlen)
-const unsigned char *src;
-size_t srclen;
-char *dst;			/* need not be valid if dstlen is 0 */
-size_t dstlen;
-{
-	char buf[KEYID_BUF];
-	size_t ret;
-#	define	NDIG	9
-
-	if (srclen < (NDIG*6 + 7)/8) {
-		strcpy(buf, "?len= ?");
-		buf[5] = '0' + srclen;
-		ret = 0;
-	} else {
-		(void) datatot(src, srclen, 64, buf, NDIG+1);
-		ret = NDIG+1;
-	}
-
-	if (dstlen > 0) {
-		if (strlen(buf)+1 > dstlen)
-			*(buf + dstlen - 1) = '\0';
-		strcpy(dst, buf);
-	}
-	return ret;
-}
-
-/*
- - splitkeytoid - generate a printable key ID from exponent/modulus pair
- * Just constructs the beginnings of a key blob and calls keyblobtoid().
- */
-size_t
-splitkeytoid(e, elen, m, mlen, dst, dstlen)
-const unsigned char *e;
-size_t elen;
-const unsigned char *m;
-size_t mlen;
-char *dst;			/* need not be valid if dstlen is 0 */
-size_t dstlen;
-{
-	unsigned char buf[KEYID_BUF];	/* ample room */
-	unsigned char *bufend = buf + sizeof(buf);
-	unsigned char *p;
-	size_t n;
-
-	p = buf;
-	if (elen <= 255)
-		*p++ = elen;
-	else if ((elen &~ 0xffff) == 0) {
-		*p++ = 0;
-		*p++ = (elen>>8) & 0xff;
-		*p++ = elen & 0xff;
-	} else
-		return 0;	/* unrepresentable exponent length */
-
-	n = bufend - p;
-	if (elen < n)
-		n = elen;
-	memcpy(p, e, n);
-	p += n;
-
-	n = bufend - p;
-	if (n > 0) {
-		if (mlen < n)
-			n = mlen;
-		memcpy(p, m, n);
-		p += n;
-	}
-
-	return keyblobtoid(buf, p - buf, dst, dstlen);
-}
-
-
-
-#ifdef KEYBLOBTOID_MAIN
-
-#include <stdio.h>
-
-void regress();
-
-int
-main(argc, argv)
-int argc;
-char *argv[];
-{
-	typedef unsigned char uc;
-	uc hexblob[] = "\x01\x03\x85\xf2\xd6\x76\x9b\x03\x59\xb6\x21\x52";
-	uc hexe[] = "\x03";
-	uc hexm[] = "\x85\xf2\xd6\x76\x9b\x03\x59\xb6\x21\x52\xef\x85";
-	char b64nine[] = "AQOF8tZ2m";
-	char b64six[] = "AQOF8t";
-	char buf[100];
-	size_t n;
-	char *b = b64nine;
-	size_t bl = strlen(b) + 1;
-	int st = 0;
-
-	n = keyblobtoid(hexblob, strlen(hexblob), buf, sizeof(buf));
-	if (n != bl) {
-		fprintf(stderr, "%s: keyblobtoid returned %d not %d\n",
-							argv[0], n, bl);
-		st = 1;
-	}
-	if (strcmp(buf, b) != 0) {
-		fprintf(stderr, "%s: keyblobtoid generated `%s' not `%s'\n",
-							argv[0], buf, b);
-		st = 1;
-	}
-	n = splitkeytoid(hexe, strlen(hexe), hexm, strlen(hexm), buf,
-								sizeof(buf));
-	if (n != bl) {
-		fprintf(stderr, "%s: splitkeytoid returned %d not %d\n",
-							argv[0], n, bl);
-		st = 1;
-	}
-	if (strcmp(buf, b) != 0) {
-		fprintf(stderr, "%s: splitkeytoid generated `%s' not `%s'\n",
-							argv[0], buf, b);
-		st = 1;
-	}
-	exit(st);
-}
-
-#endif /* KEYBLOBTOID_MAIN */
diff --git a/src/libfreeswan/prng.3 b/src/libfreeswan/prng.3
deleted file mode 100644
index 48c6ceed0..000000000
--- a/src/libfreeswan/prng.3
+++ /dev/null
@@ -1,120 +0,0 @@
-.TH IPSEC_PRNG 3 "1 April 2002"
-.SH NAME
-ipsec prng_init \- initialize IPsec pseudorandom-number generator
-.br
-ipsec prng_bytes \- get bytes from IPsec pseudorandom-number generator
-.br
-ipsec prng_final \- close down IPsec pseudorandom-number generator
-.SH SYNOPSIS
-.B "#include <freeswan.h>
-.sp
-.B "void prng_init(struct prng *prng,"
-.ti +1c
-.B "const unsigned char *key, size_t keylen);"
-.br
-.B "void prng_bytes(struct prng *prng, char *dst,"
-.ti +1c
-.B "size_t dstlen);"
-.br
-.B "unsigned long prng_count(struct prng *prng);"
-.br
-.B "void prng_final(struct prng *prng);"
-.SH DESCRIPTION
-.I Prng_init
-initializes a crypto-quality pseudo-random-number generator from a key;
-.I prng_bytes
-obtains pseudo-random bytes from it;
-.I prng_count
-reports the number of bytes extracted from it to date;
-.I prng_final
-closes it down.
-It is the user's responsibility to initialize a PRNG before using it,
-and not to use it again after it is closed down.
-.PP
-.I Prng_init
-initializes,
-or re-initializes,
-the specified
-.I prng
-from the
-.IR key ,
-whose length is given by
-.IR keylen .
-The user must allocate the
-.B "struct prng"
-pointed to by
-.IR prng .
-There is no particular constraint on the length of the key,
-although a key longer than 256 bytes is unnecessary because
-only the first 256 would be used.
-Initialization requires on the order of 3000 integer operations,
-independent of key length.
-.PP
-.I Prng_bytes
-obtains
-.I dstlen
-pseudo-random bytes from the PRNG and puts them in
-.IR buf .
-This is quite fast,
-on the order of 10 integer operations per byte.
-.PP
-.I Prng_count
-reports the number of bytes obtained from the PRNG
-since it was (last) initialized.
-.PP
-.I Prng_final
-closes down a PRNG by
-zeroing its internal memory,
-obliterating all trace of the state used to generate its previous output.
-This requires on the order of 250 integer operations.
-.PP
-The
-.B <freeswan.h>
-header file supplies the definition of the
-.B prng
-structure.
-Examination of its innards is discouraged, as they may change.
-.PP
-The PRNG algorithm
-used by these functions is currently identical to that of RC4(TM).
-This algorithm is cryptographically strong,
-sufficiently unpredictable that even a hostile observer will
-have difficulty determining the next byte of output from past history,
-provided it is initialized from a reasonably large key composed of
-highly random bytes (see
-.IR random (4)).
-The usual run of software pseudo-random-number generators
-(e.g.
-.IR random (3))
-are
-.I not
-cryptographically strong.
-.PP
-The well-known attacks against RC4(TM),
-e.g. as found in 802.11b's WEP encryption system,
-apply only if multiple PRNGs are initialized with closely-related keys
-(e.g., using a counter appended to a base key).
-If such keys are used, the first few hundred pseudo-random bytes
-from each PRNG should be discarded,
-to give the PRNGs a chance to randomize their innards properly.
-No useful attacks are known if the key is well randomized to begin with.
-.SH SEE ALSO
-random(3), random(4)
-.br
-Bruce Schneier,
-\fIApplied Cryptography\fR, 2nd ed., 1996, ISBN 0-471-11709-9,
-pp. 397-8.
-.SH HISTORY
-Written for the FreeS/WAN project by Henry Spencer.
-.SH BUGS
-If an attempt is made to obtain more than 4e9 bytes
-between initializations,
-the PRNG will continue to work but
-.IR prng_count 's
-output will stick at
-.BR 4000000000 .
-Fixing this would require a longer integer type and does
-not seem worth the trouble,
-since you should probably re-initialize before then anyway...
-.PP
-``RC4'' is a trademark of RSA Data Security, Inc.
diff --git a/src/libfreeswan/prng.c b/src/libfreeswan/prng.c
deleted file mode 100644
index 347f13f89..000000000
--- a/src/libfreeswan/prng.c
+++ /dev/null
@@ -1,200 +0,0 @@
-/*
- * crypto-class pseudorandom number generator
- * currently uses same algorithm as RC4(TM), from Schneier 2nd ed p397
- * Copyright (C) 2002  Henry Spencer.
- *
- * This library is free software; you can redistribute it and/or modify it
- * under the terms of the GNU Library General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- *
- * This library is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
- * License for more details.
- */
-#include "internal.h"
-#include "freeswan.h"
-
-/*
- - prng_init - initialize PRNG from a key
- */
-void
-prng_init(prng, key, keylen)
-struct prng *prng;
-const unsigned char *key;
-size_t keylen;
-{
-	unsigned char k[256];
-	int i, j;
-	unsigned const char *p;
-	unsigned const char *keyend = key + keylen;
-	unsigned char t;
-
-	for (i = 0; i <= 255; i++)
-		prng->sbox[i] = i;
-	p = key;
-	for (i = 0; i <= 255; i++) {
-		k[i] = *p++;
-		if (p >= keyend)
-			p = key;
-	}
-	j = 0;
-	for (i = 0; i <= 255; i++) {
-		j = (j + prng->sbox[i] + k[i]) & 0xff;
-		t = prng->sbox[i];
-		prng->sbox[i] = prng->sbox[j];
-		prng->sbox[j] = t;
-		k[i] = 0;	/* clear out key memory */
-	}
-	prng->i = 0;
-	prng->j = 0;
-	prng->count = 0;
-}
-
-/*
- - prng_bytes - get some pseudorandom bytes from PRNG
- */
-void
-prng_bytes(prng, dst, dstlen)
-struct prng *prng;
-unsigned char *dst;
-size_t dstlen;
-{
-	int i, j, t;
-	unsigned char *p = dst;
-	size_t remain = dstlen;
-#	define	MAX	4000000000ul
-
-	while (remain > 0) {
-		i = (prng->i + 1) & 0xff;
-		prng->i = i;
-		j = (prng->j + prng->sbox[i]) & 0xff;
-		prng->j = j;
-		t = prng->sbox[i];
-		prng->sbox[i] = prng->sbox[j];
-		prng->sbox[j] = t;
-		t = (t + prng->sbox[i]) & 0xff;
-		*p++ = prng->sbox[t];
-		remain--;
-	}
-	if (prng->count < MAX - dstlen)
-		prng->count += dstlen;
-	else
-		prng->count = MAX;
-}
-
-/*
- - prnt_count - how many bytes have been extracted from PRNG so far?
- */
-unsigned long
-prng_count(prng)
-struct prng *prng;
-{
-	return prng->count;
-}
-
-/*
- - prng_final - clear out PRNG to ensure nothing left in memory
- */
-void
-prng_final(prng)
-struct prng *prng;
-{
-	int i;
-
-	for (i = 0; i <= 255; i++)
-		prng->sbox[i] = 0;
-	prng->i = 0;
-	prng->j = 0;
-	prng->count = 0;	/* just for good measure */
-}
-
-
-
-#ifdef PRNG_MAIN
-
-#include <stdio.h>
-
-void regress();
-
-int
-main(argc, argv)
-int argc;
-char *argv[];
-{
-	struct prng pr;
-	unsigned char buf[100];
-	unsigned char *p;
-	size_t n;
-
-	if (argc < 2) {
-		fprintf(stderr, "Usage: %s {key|-r}\n", argv[0]);
-		exit(2);
-	}
-
-	if (strcmp(argv[1], "-r") == 0) {
-		regress();
-		fprintf(stderr, "regress() returned?!?\n");
-		exit(1);
-	}
-
-	prng_init(&pr, argv[1], strlen(argv[1]));
-	prng_bytes(&pr, buf, 32);
-	printf("0x");
-	for (p = buf, n = 32; n > 0; p++, n--)
-		printf("%02x", *p);
-	printf("\n%lu bytes\n", prng_count(&pr));
-	prng_final(&pr);
-	exit(0);
-}
-
-void
-regress()
-{
-	struct prng pr;
-	unsigned char buf[100];
-	unsigned char *p;
-	size_t n;
-	/* somewhat non-random sample key */
-	unsigned char key[] = "here we go gathering nuts in May";
-	/* first thirty bytes of output from that key */
-	unsigned char good[] = "\x3f\x02\x8e\x4a\x2a\xea\x23\x18\x92\x7c"
-				"\x09\x52\x83\x61\xaa\x26\xce\xbb\x9d\x71"
-				"\x71\xe5\x10\x22\xaf\x60\x54\x8d\x5b\x28";
-	int nzero, none;
-	int show = 0;
-
-	prng_init(&pr, key, strlen(key));
-	prng_bytes(&pr, buf, sizeof(buf));
-	for (p = buf, n = sizeof(buf); n > 0; p++, n--) {
-		if (*p == 0)
-			nzero++;
-		if (*p == 255)
-			none++;
-	}
-	if (nzero > 3 || none > 3) {
-		fprintf(stderr, "suspiciously non-random output!\n");
-		show = 1;
-	}
-	if (memcmp(buf, good, strlen(good)) != 0) {
-		fprintf(stderr, "incorrect output!\n");
-		show = 1;
-	}
-	if (show) {
-		fprintf(stderr, "0x");
-		for (p = buf, n = sizeof(buf); n > 0; p++, n--)
-			fprintf(stderr, "%02x", *p);
-		fprintf(stderr, "\n");
-		exit(1);
-	}
-	if (prng_count(&pr) != sizeof(buf)) {
-		fprintf(stderr, "got %u bytes, but count is %lu\n",
-					sizeof(buf), prng_count(&pr));
-		exit(1);
-	}
-	prng_final(&pr);
-	exit(0);
-}
-
-#endif /* PRNG_MAIN */
diff --git a/src/libfreeswan/satoa.c b/src/libfreeswan/satoa.c
deleted file mode 100644
index 09a152727..000000000
--- a/src/libfreeswan/satoa.c
+++ /dev/null
@@ -1,100 +0,0 @@
-/*
- * convert from binary form of SA ID to ASCII
- * Copyright (C) 1998, 1999, 2001  Henry Spencer.
- *
- * This library is free software; you can redistribute it and/or modify it
- * under the terms of the GNU Library General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- *
- * This library is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
- * License for more details.
- */
-#include "internal.h"
-#include "freeswan.h"
-
-static struct typename {
-	char type;
-	char *name;
-} typenames[] = {
-	{ SA_AH,	"ah" },
-	{ SA_ESP,	"esp" },
-	{ SA_IPIP,	"tun" },
-	{ SA_COMP,	"comp" },
-	{ SA_INT,	"int" },
-	{ 0,		NULL }
-};
-
-/*
- - satoa - convert SA to ASCII "ah507@1.2.3.4"
- */
-size_t				/* space needed for full conversion */
-satoa(sa, format, dst, dstlen)
-struct sa_id sa;
-int format;			/* character */
-char *dst;			/* need not be valid if dstlen is 0 */
-size_t dstlen;
-{
-	size_t len = 0;		/* 0 means not handled yet */
-	int base;
-	struct typename *tn;
-	char buf[30+ADDRTOA_BUF];
-
-	switch (format) {
-	case 0:
-		base = 16;	/* temporarily at least */
-		break;
-	case 'd':
-		base = 10;
-		break;
-	default:
-		return 0;
-		break;
-	}
-
-	for (tn = typenames; tn->name != NULL; tn++)
-		if (sa.proto == tn->type)
-			break;
-	if (tn->name == NULL)
-		return 0;
-
-	if (strcmp(tn->name, PASSTHROUGHTYPE) == 0 &&
-					sa.spi == PASSTHROUGHSPI &&
-					sa.dst.s_addr == PASSTHROUGHDST) {
-		strcpy(buf, PASSTHROUGHNAME);
-		len = strlen(buf);
-	} else if (sa.proto == SA_INT && sa.dst.s_addr == 0) {
-		char *p;
-
-		switch (ntohl(sa.spi)) {
-		case SPI_PASS:	p = "%pass";	break;
-		case SPI_DROP:	p = "%drop";	break;
-		case SPI_REJECT:	p = "%reject";	break;
-		case SPI_HOLD:	p = "%hold";	break;
-		case SPI_TRAP:	p = "%trap";	break;
-		case SPI_TRAPSUBNET:	p = "%trapsubnet";	break;
-		default:	p = NULL;	break;
-		}
-		if (p != NULL) {
-			strcpy(buf, p);
-			len = strlen(buf);
-		}
-	}
-
-	if (len == 0) {
-		strcpy(buf, tn->name);
-		len = strlen(buf);
-		len += ultoa(ntohl(sa.spi), base, buf+len, sizeof(buf)-len);
-		*(buf+len-1) = '@';
-		len += addrtoa(sa.dst, 0, buf+len, sizeof(buf)-len);
-	}
-
-	if (dst != NULL) {
-		if (len > dstlen)
-			*(buf+dstlen-1) = '\0';
-		strcpy(dst, buf);
-	}
-	return len;
-}
diff --git a/src/libhydra/Makefile.in b/src/libhydra/Makefile.in
index 8e5697b79..8b1e7384f 100644
--- a/src/libhydra/Makefile.in
+++ b/src/libhydra/Makefile.in
@@ -271,9 +271,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -312,6 +310,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libhydra/kernel/kernel_interface.c b/src/libhydra/kernel/kernel_interface.c
index 3e6d46205..4fd5a7535 100644
--- a/src/libhydra/kernel/kernel_interface.c
+++ b/src/libhydra/kernel/kernel_interface.c
@@ -78,8 +78,8 @@ METHOD(kernel_interface_t, get_cpi, status_t,
 
 METHOD(kernel_interface_t, add_sa, status_t,
 	private_kernel_interface_t *this, host_t *src, host_t *dst,
-	u_int32_t spi, u_int8_t protocol, u_int32_t reqid,
-	mark_t mark, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
+	u_int32_t spi, u_int8_t protocol, u_int32_t reqid, mark_t mark,
+	u_int32_t tfc, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
 	u_int16_t int_alg, chunk_t int_key,	ipsec_mode_t mode, u_int16_t ipcomp,
 	u_int16_t cpi, bool encap, bool inbound, traffic_selector_t *src_ts,
 	traffic_selector_t *dst_ts)
@@ -89,8 +89,8 @@ METHOD(kernel_interface_t, add_sa, status_t,
 		return NOT_SUPPORTED;
 	}
 	return this->ipsec->add_sa(this->ipsec, src, dst, spi, protocol, reqid,
-			mark, lifetime, enc_alg, enc_key, int_alg, int_key,	mode, ipcomp,
-			cpi, encap, inbound, src_ts, dst_ts);
+			mark, tfc, lifetime, enc_alg, enc_key, int_alg, int_key, mode,
+			ipcomp, cpi, encap, inbound, src_ts, dst_ts);
 }
 
 METHOD(kernel_interface_t, update_sa, status_t,
diff --git a/src/libhydra/kernel/kernel_interface.h b/src/libhydra/kernel/kernel_interface.h
index 8b0c7a296..ec73fa1f7 100644
--- a/src/libhydra/kernel/kernel_interface.h
+++ b/src/libhydra/kernel/kernel_interface.h
@@ -91,6 +91,7 @@ struct kernel_interface_t {
 	 * @param protocol		protocol for this SA (ESP/AH)
 	 * @param reqid			unique ID for this SA
 	 * @param mark			optional mark for this SA
+	 * @param tfc			Traffic Flow Confidentiality padding for this SA
 	 * @param lifetime		lifetime_cfg_t for this SA
 	 * @param enc_alg		Algorithm to use for encryption (ESP only)
 	 * @param enc_key		key to use for encryption
@@ -108,7 +109,7 @@ struct kernel_interface_t {
 	status_t (*add_sa) (kernel_interface_t *this,
 						host_t *src, host_t *dst, u_int32_t spi,
 						u_int8_t protocol, u_int32_t reqid, mark_t mark,
-						lifetime_cfg_t *lifetime,
+						u_int32_t tfc, lifetime_cfg_t *lifetime,
 						u_int16_t enc_alg, chunk_t enc_key,
 						u_int16_t int_alg, chunk_t int_key,
 						ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
diff --git a/src/libhydra/kernel/kernel_ipsec.h b/src/libhydra/kernel/kernel_ipsec.h
index 49d9cc07a..3e2d8b9ce 100644
--- a/src/libhydra/kernel/kernel_ipsec.h
+++ b/src/libhydra/kernel/kernel_ipsec.h
@@ -204,6 +204,7 @@ struct kernel_ipsec_t {
 	 * @param protocol		protocol for this SA (ESP/AH)
 	 * @param reqid			unique ID for this SA
 	 * @param mark			mark for this SA
+	 * @param tfc			Traffic Flow Confidentiality padding for this SA
 	 * @param lifetime		lifetime_cfg_t for this SA
 	 * @param enc_alg		Algorithm to use for encryption (ESP only)
 	 * @param enc_key		key to use for encryption
@@ -221,7 +222,7 @@ struct kernel_ipsec_t {
 	status_t (*add_sa) (kernel_ipsec_t *this,
 						host_t *src, host_t *dst, u_int32_t spi,
 						u_int8_t protocol, u_int32_t reqid,
-						mark_t mark, lifetime_cfg_t *lifetime,
+						mark_t mark, u_int32_t tfc, lifetime_cfg_t *lifetime,
 						u_int16_t enc_alg, chunk_t enc_key,
 						u_int16_t int_alg, chunk_t int_key,
 						ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
diff --git a/src/libhydra/plugins/attr/Makefile.in b/src/libhydra/plugins/attr/Makefile.in
index 72182e57f..2da06a89c 100644
--- a/src/libhydra/plugins/attr/Makefile.in
+++ b/src/libhydra/plugins/attr/Makefile.in
@@ -219,9 +219,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -260,6 +258,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libhydra/plugins/attr/attr_plugin.c b/src/libhydra/plugins/attr/attr_plugin.c
index 24c00bb44..0f66b680a 100644
--- a/src/libhydra/plugins/attr/attr_plugin.c
+++ b/src/libhydra/plugins/attr/attr_plugin.c
@@ -36,10 +36,8 @@ struct private_attr_plugin_t {
 	attr_provider_t *provider;
 };
 
-/**
- * Implementation of plugin_t.destroy
- */
-static void destroy(private_attr_plugin_t *this)
+METHOD(plugin_t, destroy, void,
+	private_attr_plugin_t *this)
 {
 	hydra->attributes->remove_provider(hydra->attributes, &this->provider->provider);
 	this->provider->destroy(this->provider);
@@ -51,11 +49,16 @@ static void destroy(private_attr_plugin_t *this)
  */
 plugin_t *attr_plugin_create()
 {
-	private_attr_plugin_t *this = malloc_thing(private_attr_plugin_t);
-
-	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+	private_attr_plugin_t *this;
 
-	this->provider = attr_provider_create();
+	INIT(this,
+		.public = {
+			.plugin = {
+				.destroy = _destroy,
+			},
+		},
+		.provider = attr_provider_create(),
+	);
 	hydra->attributes->add_provider(hydra->attributes, &this->provider->provider);
 
 	return &this->public.plugin;
diff --git a/src/libhydra/plugins/attr_sql/Makefile.in b/src/libhydra/plugins/attr_sql/Makefile.in
index dfb41cc02..26e7a3038 100644
--- a/src/libhydra/plugins/attr_sql/Makefile.in
+++ b/src/libhydra/plugins/attr_sql/Makefile.in
@@ -232,9 +232,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -273,6 +271,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libhydra/plugins/attr_sql/attr_sql_plugin.c b/src/libhydra/plugins/attr_sql/attr_sql_plugin.c
index 70e7a2247..ca9de023e 100644
--- a/src/libhydra/plugins/attr_sql/attr_sql_plugin.c
+++ b/src/libhydra/plugins/attr_sql/attr_sql_plugin.c
@@ -43,10 +43,8 @@ struct private_attr_sql_plugin_t {
 
 };
 
-/**
- * Implementation of plugin_t.destroy
- */
-static void destroy(private_attr_sql_plugin_t *this)
+METHOD(plugin_t, destroy, void,
+	private_attr_sql_plugin_t *this)
 {
 	hydra->attributes->remove_provider(hydra->attributes, &this->attribute->provider);
 	this->attribute->destroy(this->attribute);
@@ -59,21 +57,26 @@ static void destroy(private_attr_sql_plugin_t *this)
  */
 plugin_t *attr_sql_plugin_create()
 {
-	char *uri;
 	private_attr_sql_plugin_t *this;
+	char *uri;
 
-	uri = lib->settings->get_str(lib->settings, "libhydra.plugins.attr-sql.database", NULL);
+	uri = lib->settings->get_str(lib->settings, "libhydra.plugins.attr-sql.database",
+												 NULL);
 	if (!uri)
 	{
 		DBG1(DBG_CFG, "attr-sql plugin: database URI not set");
 		return NULL;
 	}
 
-	this = malloc_thing(private_attr_sql_plugin_t);
-
-	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+	INIT(this,
+		.public = {
+			.plugin = {
+				.destroy = _destroy,
+			},
+		},
+		.db = lib->db->create(lib->db, uri),
+	);
 
-	this->db = lib->db->create(lib->db, uri);
 	if (!this->db)
 	{
 		DBG1(DBG_CFG, "attr-sql plugin failed to connect to database");
diff --git a/src/libhydra/plugins/kernel_klips/Makefile.in b/src/libhydra/plugins/kernel_klips/Makefile.in
index a451bd6f5..7d2464456 100644
--- a/src/libhydra/plugins/kernel_klips/Makefile.in
+++ b/src/libhydra/plugins/kernel_klips/Makefile.in
@@ -223,9 +223,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -264,6 +262,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c b/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c
index 0ccb2ac5f..cf9a3e1fd 100644
--- a/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c
+++ b/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c
@@ -1668,7 +1668,7 @@ static status_t group_ipip_sa(private_kernel_klips_ipsec_t *this,
 
 METHOD(kernel_ipsec_t, add_sa, status_t,
 	private_kernel_klips_ipsec_t *this, host_t *src, host_t *dst, u_int32_t spi,
-	u_int8_t protocol, u_int32_t reqid, mark_t mark,
+	u_int8_t protocol, u_int32_t reqid, mark_t mark, u_int32_t tfc,
 	lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
 	u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode,
 	u_int16_t ipcomp, u_int16_t cpi, bool encap, bool inbound,
diff --git a/src/libhydra/plugins/kernel_klips/kernel_klips_plugin.c b/src/libhydra/plugins/kernel_klips/kernel_klips_plugin.c
index 1a22835c0..3c312ca2b 100644
--- a/src/libhydra/plugins/kernel_klips/kernel_klips_plugin.c
+++ b/src/libhydra/plugins/kernel_klips/kernel_klips_plugin.c
@@ -32,10 +32,8 @@ struct private_kernel_klips_plugin_t {
 	kernel_klips_plugin_t public;
 };
 
-/**
- * Implementation of plugin_t.destroy
- */
-static void destroy(private_kernel_klips_plugin_t *this)
+METHOD(plugin_t, destroy, void,
+	private_kernel_klips_plugin_t *this)
 {
 	hydra->kernel_interface->remove_ipsec_interface(hydra->kernel_interface,
 						(kernel_ipsec_constructor_t)kernel_klips_ipsec_create);
@@ -47,10 +45,15 @@ static void destroy(private_kernel_klips_plugin_t *this)
  */
 plugin_t *kernel_klips_plugin_create()
 {
-	private_kernel_klips_plugin_t *this = malloc_thing(private_kernel_klips_plugin_t);
-
-	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-
+	private_kernel_klips_plugin_t *this;
+
+	INIT(this,
+		.public = {
+			.plugin = {
+				.destroy = _destroy,
+			},
+		},
+	);
 	hydra->kernel_interface->add_ipsec_interface(hydra->kernel_interface,
 						(kernel_ipsec_constructor_t)kernel_klips_ipsec_create);
 
diff --git a/src/libhydra/plugins/kernel_netlink/Makefile.in b/src/libhydra/plugins/kernel_netlink/Makefile.in
index d41ee1456..c7404fe06 100644
--- a/src/libhydra/plugins/kernel_netlink/Makefile.in
+++ b/src/libhydra/plugins/kernel_netlink/Makefile.in
@@ -224,9 +224,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -265,6 +263,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
index 8cc9a6283..4dc80785c 100644
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -58,8 +58,8 @@
 #endif /*IPV6_XFRM_POLICY*/
 
 /** default priority of installed policies */
-#define PRIO_LOW 3000
-#define PRIO_HIGH 2000
+#define PRIO_LOW 1024
+#define PRIO_HIGH 512
 
 /**
  * map the limit for bytes and packets to XFRM_INF per default
@@ -866,7 +866,7 @@ METHOD(kernel_ipsec_t, get_cpi, status_t,
 METHOD(kernel_ipsec_t, add_sa, status_t,
 	private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
 	u_int32_t spi, u_int8_t protocol, u_int32_t reqid, mark_t mark,
-	lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
+	u_int32_t tfc, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
 	u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp,
 	u_int16_t cpi, bool encap, bool inbound,
 	traffic_selector_t* src_ts, traffic_selector_t* dst_ts)
@@ -882,7 +882,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 	if (ipcomp != IPCOMP_NONE && cpi != 0)
 	{
 		lifetime_cfg_t lft = {{0,0,0},{0,0,0},{0,0,0}};
-		add_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, reqid, mark,
+		add_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, reqid, mark, tfc,
 			   &lft, ENCR_UNDEFINED, chunk_empty, AUTH_UNDEFINED, chunk_empty,
 			   mode, ipcomp, 0, FALSE, inbound, NULL, NULL);
 		ipcomp = IPCOMP_NONE;
@@ -920,6 +920,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 			sa->flags |= XFRM_STATE_AF_UNSPEC;
 			break;
 		case MODE_BEET:
+		case MODE_TRANSPORT:
 			if(src_ts && dst_ts)
 			{
 				sa->sel = ts2selector(src_ts, dst_ts);
@@ -1153,6 +1154,24 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 		rthdr = XFRM_RTA_NEXT(rthdr);
 	}
 
+	if (tfc)
+	{
+		u_int32_t *tfcpad;
+
+		rthdr->rta_type = XFRMA_TFCPAD;
+		rthdr->rta_len = RTA_LENGTH(sizeof(u_int32_t));
+
+		hdr->nlmsg_len += rthdr->rta_len;
+		if (hdr->nlmsg_len > sizeof(request))
+		{
+			return FAILED;
+		}
+
+		tfcpad = (u_int32_t*)RTA_DATA(rthdr);
+		*tfcpad = tfc;
+		rthdr = XFRM_RTA_NEXT(rthdr);
+	}
+
 	if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
 	{
 		if (mark.value)
@@ -1687,11 +1706,16 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
 	policy_info = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr);
 	policy_info->sel = policy->sel;
 	policy_info->dir = policy->direction;
-	/* calculate priority based on source selector size, small size = high prio */
+
+	/* calculate priority based on selector size, small size = high prio */
 	policy_info->priority = routed ? PRIO_LOW : PRIO_HIGH;
-	policy_info->priority -= policy->sel.prefixlen_s * 10;
-	policy_info->priority -= policy->sel.proto ? 2 : 0;
-	policy_info->priority -= policy->sel.sport_mask ? 1 : 0;
+	policy_info->priority -= policy->sel.prefixlen_s;
+	policy_info->priority -= policy->sel.prefixlen_d;
+	policy_info->priority <<= 2; /* make some room for the two flags */
+	policy_info->priority += policy->sel.sport_mask ||
+							 policy->sel.dport_mask ? 0 : 2;
+	policy_info->priority += policy->sel.proto ? 0 : 1;
+
 	policy_info->action = type != POLICY_DROP ? XFRM_POLICY_ALLOW
 											  : XFRM_POLICY_BLOCK;
 	policy_info->share = XFRM_SHARE_ANY;
@@ -1813,6 +1837,8 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
 
 			if (route->if_name)
 			{
+				DBG2(DBG_KNL, "installing route: %R via %H src %H dev %s",
+					 src_ts, route->gateway, route->src_ip, route->if_name);
 				switch (hydra->kernel_interface->add_route(
 									hydra->kernel_interface, route->dst_net,
 									route->prefixlen, route->gateway,
diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_plugin.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_plugin.c
index 212675d1a..9fc1a03f5 100644
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_plugin.c
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_plugin.c
@@ -33,10 +33,8 @@ struct private_kernel_netlink_plugin_t {
 	kernel_netlink_plugin_t public;
 };
 
-/**
- * Implementation of plugin_t.destroy
- */
-static void destroy(private_kernel_netlink_plugin_t *this)
+METHOD(plugin_t, destroy, void,
+	private_kernel_netlink_plugin_t *this)
 {
 	hydra->kernel_interface->remove_ipsec_interface(hydra->kernel_interface,
 					(kernel_ipsec_constructor_t)kernel_netlink_ipsec_create);
@@ -50,10 +48,15 @@ static void destroy(private_kernel_netlink_plugin_t *this)
  */
 plugin_t *kernel_netlink_plugin_create()
 {
-	private_kernel_netlink_plugin_t *this = malloc_thing(private_kernel_netlink_plugin_t);
-
-	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+	private_kernel_netlink_plugin_t *this;
 
+	INIT(this,
+		.public = {
+			.plugin = {
+				.destroy = _destroy,
+			},
+		},
+	);
 	hydra->kernel_interface->add_ipsec_interface(hydra->kernel_interface,
 					(kernel_ipsec_constructor_t)kernel_netlink_ipsec_create);
 	hydra->kernel_interface->add_net_interface(hydra->kernel_interface,
diff --git a/src/libhydra/plugins/kernel_pfkey/Makefile.in b/src/libhydra/plugins/kernel_pfkey/Makefile.in
index a98ae42d1..40363f319 100644
--- a/src/libhydra/plugins/kernel_pfkey/Makefile.in
+++ b/src/libhydra/plugins/kernel_pfkey/Makefile.in
@@ -223,9 +223,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -264,6 +262,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
index f5786447b..681811528 100644
--- a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
+++ b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
@@ -99,8 +99,8 @@
 #endif
 
 /** default priority of installed policies */
-#define PRIO_LOW 3000
-#define PRIO_HIGH 2000
+#define PRIO_LOW 1024
+#define PRIO_HIGH 512
 
 #ifdef __APPLE__
 /** from xnu/bsd/net/pfkeyv2.h */
@@ -1206,7 +1206,7 @@ METHOD(kernel_ipsec_t, get_cpi, status_t,
 
 METHOD(kernel_ipsec_t, add_sa, status_t,
 	private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst, u_int32_t spi,
-	u_int8_t protocol, u_int32_t reqid, mark_t mark,
+	u_int8_t protocol, u_int32_t reqid, mark_t mark, u_int32_t tfc,
 	lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
 	u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode,
 	u_int16_t ipcomp, u_int16_t cpi, bool encap, bool inbound,
@@ -1651,11 +1651,14 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
 	pol->sadb_x_policy_dir = dir2kernel(direction);
 	pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
 #ifdef HAVE_STRUCT_SADB_X_POLICY_SADB_X_POLICY_PRIORITY
-	/* calculate priority based on source selector size, small size = high prio */
+	/* calculate priority based on selector size, small size = high prio */
 	pol->sadb_x_policy_priority = routed ? PRIO_LOW : PRIO_HIGH;
-	pol->sadb_x_policy_priority -= policy->src.mask * 10;
-	pol->sadb_x_policy_priority -= policy->src.proto != IPSEC_PROTO_ANY ? 2 : 0;
-	pol->sadb_x_policy_priority -= policy->src.net->get_port(policy->src.net) ? 1 : 0;
+	pol->sadb_x_policy_priority -= policy->src.mask;
+	pol->sadb_x_policy_priority -= policy->dst.mask;
+	pol->sadb_x_policy_priority <<= 2; /* make some room for the flags */
+	pol->sadb_x_policy_priority += policy->src.net->get_port(policy->src.net) ||
+								   policy->dst.net->get_port(policy->dst.net) ? 0 : 2;
+	pol->sadb_x_policy_priority += policy->src.proto != IPSEC_PROTO_ANY ? 0 : 1;
 #endif
 
 	/* one or more sadb_x_ipsecrequest extensions are added to the sadb_x_policy extension */
diff --git a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_plugin.c b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_plugin.c
index 781ba5008..9e7a7904d 100644
--- a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_plugin.c
+++ b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_plugin.c
@@ -32,10 +32,8 @@ struct private_kernel_pfkey_plugin_t {
 	kernel_pfkey_plugin_t public;
 };
 
-/**
- * Implementation of plugin_t.destroy
- */
-static void destroy(private_kernel_pfkey_plugin_t *this)
+METHOD(plugin_t, destroy, void,
+	private_kernel_pfkey_plugin_t *this)
 {
 	hydra->kernel_interface->remove_ipsec_interface(hydra->kernel_interface,
 						(kernel_ipsec_constructor_t)kernel_pfkey_ipsec_create);
@@ -47,10 +45,15 @@ static void destroy(private_kernel_pfkey_plugin_t *this)
  */
 plugin_t *kernel_pfkey_plugin_create()
 {
-	private_kernel_pfkey_plugin_t *this = malloc_thing(private_kernel_pfkey_plugin_t);
-
-	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-
+	private_kernel_pfkey_plugin_t *this;
+
+	INIT(this,
+		.public = {
+			.plugin = {
+				.destroy = _destroy,
+			},
+		},
+	);
 	hydra->kernel_interface->add_ipsec_interface(hydra->kernel_interface,
 						(kernel_ipsec_constructor_t)kernel_pfkey_ipsec_create);
 
diff --git a/src/libhydra/plugins/kernel_pfroute/Makefile.in b/src/libhydra/plugins/kernel_pfroute/Makefile.in
index b0bc00c70..4db374b75 100644
--- a/src/libhydra/plugins/kernel_pfroute/Makefile.in
+++ b/src/libhydra/plugins/kernel_pfroute/Makefile.in
@@ -223,9 +223,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -264,6 +262,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_plugin.c b/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_plugin.c
index 5f351bd72..a4cb53edd 100644
--- a/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_plugin.c
+++ b/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_plugin.c
@@ -32,10 +32,8 @@ struct private_kernel_pfroute_plugin_t {
 	kernel_pfroute_plugin_t public;
 };
 
-/**
- * Implementation of plugin_t.destroy
- */
-static void destroy(private_kernel_pfroute_plugin_t *this)
+METHOD(plugin_t, destroy, void,
+	private_kernel_pfroute_plugin_t *this)
 {
 	hydra->kernel_interface->remove_net_interface(hydra->kernel_interface,
 						(kernel_net_constructor_t)kernel_pfroute_net_create);
@@ -47,10 +45,15 @@ static void destroy(private_kernel_pfroute_plugin_t *this)
  */
 plugin_t *kernel_pfroute_plugin_create()
 {
-	private_kernel_pfroute_plugin_t *this = malloc_thing(private_kernel_pfroute_plugin_t);
-
-	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-
+	private_kernel_pfroute_plugin_t *this;
+
+	INIT(this,
+		.public = {
+			.plugin = {
+				.destroy = _destroy,
+			},
+		},
+	);
 	hydra->kernel_interface->add_net_interface(hydra->kernel_interface,
 						(kernel_net_constructor_t)kernel_pfroute_net_create);
 
diff --git a/src/libhydra/plugins/resolve/Makefile.in b/src/libhydra/plugins/resolve/Makefile.in
index aedc8fdb7..e6c5fb712 100644
--- a/src/libhydra/plugins/resolve/Makefile.in
+++ b/src/libhydra/plugins/resolve/Makefile.in
@@ -222,9 +222,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -263,6 +261,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libhydra/plugins/resolve/resolve_plugin.c b/src/libhydra/plugins/resolve/resolve_plugin.c
index 502129593..ad18c7060 100644
--- a/src/libhydra/plugins/resolve/resolve_plugin.c
+++ b/src/libhydra/plugins/resolve/resolve_plugin.c
@@ -36,10 +36,8 @@ struct private_resolve_plugin_t {
 	resolve_handler_t *handler;
 };
 
-/**
- * Implementation of plugin_t.destroy
- */
-static void destroy(private_resolve_plugin_t *this)
+METHOD(plugin_t, destroy, void,
+	private_resolve_plugin_t *this)
 {
 	hydra->attributes->remove_handler(hydra->attributes, &this->handler->handler);
 	this->handler->destroy(this->handler);
@@ -51,10 +49,16 @@ static void destroy(private_resolve_plugin_t *this)
  */
 plugin_t *resolve_plugin_create()
 {
-	private_resolve_plugin_t *this = malloc_thing(private_resolve_plugin_t);
+	private_resolve_plugin_t *this;
 
-	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-	this->handler = resolve_handler_create();
+	INIT(this,
+		.public = {
+			.plugin = {
+				.destroy = _destroy,
+			},
+		},
+		.handler = resolve_handler_create(),
+	);
 	hydra->attributes->add_handler(hydra->attributes, &this->handler->handler);
 
 	return &this->public.plugin;
diff --git a/src/libsimaka/Makefile.in b/src/libsimaka/Makefile.in
index 0aa509acc..ef7a6ee38 100644
--- a/src/libsimaka/Makefile.in
+++ b/src/libsimaka/Makefile.in
@@ -192,9 +192,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -233,6 +231,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libstrongswan/Makefile.am b/src/libstrongswan/Makefile.am
index 2ab8aa636..6a29d8eea 100644
--- a/src/libstrongswan/Makefile.am
+++ b/src/libstrongswan/Makefile.am
@@ -30,8 +30,7 @@ credentials/keys/private_key.c credentials/keys/private_key.h \
 credentials/keys/public_key.c credentials/keys/public_key.h \
 credentials/keys/shared_key.c credentials/keys/shared_key.h \
 credentials/certificates/certificate.c credentials/certificates/certificate.h \
-credentials/certificates/x509.h credentials/certificates/x509.c \
-credentials/certificates/ac.h \
+credentials/certificates/x509.h credentials/certificates/ac.h \
 credentials/certificates/crl.h credentials/certificates/crl.c \
 credentials/certificates/pkcs10.h \
 credentials/certificates/ocsp_request.h \
@@ -136,6 +135,13 @@ else
 SUBDIRS = .
 endif
 
+if USE_AF_ALG
+  SUBDIRS += plugins/af_alg
+if MONOLITHIC
+  libstrongswan_la_LIBADD += plugins/af_alg/libstrongswan-af-alg.la
+endif
+endif
+
 if USE_AES
   SUBDIRS += plugins/aes
 if MONOLITHIC
@@ -227,6 +233,13 @@ if MONOLITHIC
 endif
 endif
 
+if USE_CONSTRAINTS
+  SUBDIRS += plugins/constraints
+if MONOLITHIC
+  libstrongswan_la_LIBADD += plugins/constraints/libstrongswan-constraints.la
+endif
+endif
+
 if USE_PUBKEY
   SUBDIRS += plugins/pubkey
 if MONOLITHIC
@@ -269,6 +282,13 @@ if MONOLITHIC
 endif
 endif
 
+if USE_SOUP
+  SUBDIRS += plugins/soup
+if MONOLITHIC
+  libstrongswan_la_LIBADD += plugins/soup/libstrongswan-soup.la
+endif
+endif
+
 if USE_LDAP
   SUBDIRS += plugins/ldap
 if MONOLITHIC
diff --git a/src/libstrongswan/Makefile.in b/src/libstrongswan/Makefile.in
index 8be6dd9b8..76b4f70c6 100644
--- a/src/libstrongswan/Makefile.in
+++ b/src/libstrongswan/Makefile.in
@@ -44,70 +44,76 @@ host_triplet = @host@
 @USE_INTEGRITY_TEST_TRUE@    integrity_checker.c integrity_checker.h
 
 @USE_VSTR_TRUE@am__append_6 = -lvstr
-@USE_AES_TRUE@am__append_7 = plugins/aes
-@MONOLITHIC_TRUE@@USE_AES_TRUE@am__append_8 = plugins/aes/libstrongswan-aes.la
-@USE_DES_TRUE@am__append_9 = plugins/des
-@MONOLITHIC_TRUE@@USE_DES_TRUE@am__append_10 = plugins/des/libstrongswan-des.la
-@USE_BLOWFISH_TRUE@am__append_11 = plugins/blowfish
-@MONOLITHIC_TRUE@@USE_BLOWFISH_TRUE@am__append_12 = plugins/blowfish/libstrongswan-blowfish.la
-@USE_MD4_TRUE@am__append_13 = plugins/md4
-@MONOLITHIC_TRUE@@USE_MD4_TRUE@am__append_14 = plugins/md4/libstrongswan-md4.la
-@USE_MD5_TRUE@am__append_15 = plugins/md5
-@MONOLITHIC_TRUE@@USE_MD5_TRUE@am__append_16 = plugins/md5/libstrongswan-md5.la
-@USE_SHA1_TRUE@am__append_17 = plugins/sha1
-@MONOLITHIC_TRUE@@USE_SHA1_TRUE@am__append_18 = plugins/sha1/libstrongswan-sha1.la
-@USE_SHA2_TRUE@am__append_19 = plugins/sha2
-@MONOLITHIC_TRUE@@USE_SHA2_TRUE@am__append_20 = plugins/sha2/libstrongswan-sha2.la
-@USE_GMP_TRUE@am__append_21 = plugins/gmp
-@MONOLITHIC_TRUE@@USE_GMP_TRUE@am__append_22 = plugins/gmp/libstrongswan-gmp.la
-@USE_RANDOM_TRUE@am__append_23 = plugins/random
-@MONOLITHIC_TRUE@@USE_RANDOM_TRUE@am__append_24 = plugins/random/libstrongswan-random.la
-@USE_HMAC_TRUE@am__append_25 = plugins/hmac
-@MONOLITHIC_TRUE@@USE_HMAC_TRUE@am__append_26 = plugins/hmac/libstrongswan-hmac.la
-@USE_XCBC_TRUE@am__append_27 = plugins/xcbc
-@MONOLITHIC_TRUE@@USE_XCBC_TRUE@am__append_28 = plugins/xcbc/libstrongswan-xcbc.la
-@USE_X509_TRUE@am__append_29 = plugins/x509
-@MONOLITHIC_TRUE@@USE_X509_TRUE@am__append_30 = plugins/x509/libstrongswan-x509.la
-@USE_REVOCATION_TRUE@am__append_31 = plugins/revocation
-@MONOLITHIC_TRUE@@USE_REVOCATION_TRUE@am__append_32 = plugins/revocation/libstrongswan-revocation.la
-@USE_PUBKEY_TRUE@am__append_33 = plugins/pubkey
-@MONOLITHIC_TRUE@@USE_PUBKEY_TRUE@am__append_34 = plugins/pubkey/libstrongswan-pubkey.la
-@USE_PKCS1_TRUE@am__append_35 = plugins/pkcs1
-@MONOLITHIC_TRUE@@USE_PKCS1_TRUE@am__append_36 = plugins/pkcs1/libstrongswan-pkcs1.la
-@USE_PGP_TRUE@am__append_37 = plugins/pgp
-@MONOLITHIC_TRUE@@USE_PGP_TRUE@am__append_38 = plugins/pgp/libstrongswan-pgp.la
-@USE_DNSKEY_TRUE@am__append_39 = plugins/dnskey
-@MONOLITHIC_TRUE@@USE_DNSKEY_TRUE@am__append_40 = plugins/dnskey/libstrongswan-dnskey.la
-@USE_PEM_TRUE@am__append_41 = plugins/pem
-@MONOLITHIC_TRUE@@USE_PEM_TRUE@am__append_42 = plugins/pem/libstrongswan-pem.la
-@USE_CURL_TRUE@am__append_43 = plugins/curl
-@MONOLITHIC_TRUE@@USE_CURL_TRUE@am__append_44 = plugins/curl/libstrongswan-curl.la
-@USE_LDAP_TRUE@am__append_45 = plugins/ldap
-@MONOLITHIC_TRUE@@USE_LDAP_TRUE@am__append_46 = plugins/ldap/libstrongswan-ldap.la
-@USE_MYSQL_TRUE@am__append_47 = plugins/mysql
-@MONOLITHIC_TRUE@@USE_MYSQL_TRUE@am__append_48 = plugins/mysql/libstrongswan-mysql.la
-@USE_SQLITE_TRUE@am__append_49 = plugins/sqlite
-@MONOLITHIC_TRUE@@USE_SQLITE_TRUE@am__append_50 = plugins/sqlite/libstrongswan-sqlite.la
-@USE_PADLOCK_TRUE@am__append_51 = plugins/padlock
-@MONOLITHIC_TRUE@@USE_PADLOCK_TRUE@am__append_52 = plugins/padlock/libstrongswan-padlock.la
-@USE_OPENSSL_TRUE@am__append_53 = plugins/openssl
-@MONOLITHIC_TRUE@@USE_OPENSSL_TRUE@am__append_54 = plugins/openssl/libstrongswan-openssl.la
-@USE_GCRYPT_TRUE@am__append_55 = plugins/gcrypt
-@MONOLITHIC_TRUE@@USE_GCRYPT_TRUE@am__append_56 = plugins/gcrypt/libstrongswan-gcrypt.la
-@USE_FIPS_PRF_TRUE@am__append_57 = plugins/fips_prf
-@MONOLITHIC_TRUE@@USE_FIPS_PRF_TRUE@am__append_58 = plugins/fips_prf/libstrongswan-fips-prf.la
-@USE_AGENT_TRUE@am__append_59 = plugins/agent
-@MONOLITHIC_TRUE@@USE_AGENT_TRUE@am__append_60 = plugins/agent/libstrongswan-agent.la
-@USE_PKCS11_TRUE@am__append_61 = plugins/pkcs11
-@MONOLITHIC_TRUE@@USE_PKCS11_TRUE@am__append_62 = plugins/pkcs11/libstrongswan-pkcs11.la
-@USE_CTR_TRUE@am__append_63 = plugins/ctr
-@MONOLITHIC_TRUE@@USE_CTR_TRUE@am__append_64 = plugins/ctr/libstrongswan-ctr.la
-@USE_CCM_TRUE@am__append_65 = plugins/ccm
-@MONOLITHIC_TRUE@@USE_CCM_TRUE@am__append_66 = plugins/ccm/libstrongswan-ccm.la
-@USE_GCM_TRUE@am__append_67 = plugins/gcm
-@MONOLITHIC_TRUE@@USE_GCM_TRUE@am__append_68 = plugins/gcm/libstrongswan-gcm.la
-@USE_TEST_VECTORS_TRUE@am__append_69 = plugins/test_vectors
-@MONOLITHIC_TRUE@@USE_TEST_VECTORS_TRUE@am__append_70 = plugins/test_vectors/libstrongswan-test-vectors.la
+@USE_AF_ALG_TRUE@am__append_7 = plugins/af_alg
+@MONOLITHIC_TRUE@@USE_AF_ALG_TRUE@am__append_8 = plugins/af_alg/libstrongswan-af-alg.la
+@USE_AES_TRUE@am__append_9 = plugins/aes
+@MONOLITHIC_TRUE@@USE_AES_TRUE@am__append_10 = plugins/aes/libstrongswan-aes.la
+@USE_DES_TRUE@am__append_11 = plugins/des
+@MONOLITHIC_TRUE@@USE_DES_TRUE@am__append_12 = plugins/des/libstrongswan-des.la
+@USE_BLOWFISH_TRUE@am__append_13 = plugins/blowfish
+@MONOLITHIC_TRUE@@USE_BLOWFISH_TRUE@am__append_14 = plugins/blowfish/libstrongswan-blowfish.la
+@USE_MD4_TRUE@am__append_15 = plugins/md4
+@MONOLITHIC_TRUE@@USE_MD4_TRUE@am__append_16 = plugins/md4/libstrongswan-md4.la
+@USE_MD5_TRUE@am__append_17 = plugins/md5
+@MONOLITHIC_TRUE@@USE_MD5_TRUE@am__append_18 = plugins/md5/libstrongswan-md5.la
+@USE_SHA1_TRUE@am__append_19 = plugins/sha1
+@MONOLITHIC_TRUE@@USE_SHA1_TRUE@am__append_20 = plugins/sha1/libstrongswan-sha1.la
+@USE_SHA2_TRUE@am__append_21 = plugins/sha2
+@MONOLITHIC_TRUE@@USE_SHA2_TRUE@am__append_22 = plugins/sha2/libstrongswan-sha2.la
+@USE_GMP_TRUE@am__append_23 = plugins/gmp
+@MONOLITHIC_TRUE@@USE_GMP_TRUE@am__append_24 = plugins/gmp/libstrongswan-gmp.la
+@USE_RANDOM_TRUE@am__append_25 = plugins/random
+@MONOLITHIC_TRUE@@USE_RANDOM_TRUE@am__append_26 = plugins/random/libstrongswan-random.la
+@USE_HMAC_TRUE@am__append_27 = plugins/hmac
+@MONOLITHIC_TRUE@@USE_HMAC_TRUE@am__append_28 = plugins/hmac/libstrongswan-hmac.la
+@USE_XCBC_TRUE@am__append_29 = plugins/xcbc
+@MONOLITHIC_TRUE@@USE_XCBC_TRUE@am__append_30 = plugins/xcbc/libstrongswan-xcbc.la
+@USE_X509_TRUE@am__append_31 = plugins/x509
+@MONOLITHIC_TRUE@@USE_X509_TRUE@am__append_32 = plugins/x509/libstrongswan-x509.la
+@USE_REVOCATION_TRUE@am__append_33 = plugins/revocation
+@MONOLITHIC_TRUE@@USE_REVOCATION_TRUE@am__append_34 = plugins/revocation/libstrongswan-revocation.la
+@USE_CONSTRAINTS_TRUE@am__append_35 = plugins/constraints
+@MONOLITHIC_TRUE@@USE_CONSTRAINTS_TRUE@am__append_36 = plugins/constraints/libstrongswan-constraints.la
+@USE_PUBKEY_TRUE@am__append_37 = plugins/pubkey
+@MONOLITHIC_TRUE@@USE_PUBKEY_TRUE@am__append_38 = plugins/pubkey/libstrongswan-pubkey.la
+@USE_PKCS1_TRUE@am__append_39 = plugins/pkcs1
+@MONOLITHIC_TRUE@@USE_PKCS1_TRUE@am__append_40 = plugins/pkcs1/libstrongswan-pkcs1.la
+@USE_PGP_TRUE@am__append_41 = plugins/pgp
+@MONOLITHIC_TRUE@@USE_PGP_TRUE@am__append_42 = plugins/pgp/libstrongswan-pgp.la
+@USE_DNSKEY_TRUE@am__append_43 = plugins/dnskey
+@MONOLITHIC_TRUE@@USE_DNSKEY_TRUE@am__append_44 = plugins/dnskey/libstrongswan-dnskey.la
+@USE_PEM_TRUE@am__append_45 = plugins/pem
+@MONOLITHIC_TRUE@@USE_PEM_TRUE@am__append_46 = plugins/pem/libstrongswan-pem.la
+@USE_CURL_TRUE@am__append_47 = plugins/curl
+@MONOLITHIC_TRUE@@USE_CURL_TRUE@am__append_48 = plugins/curl/libstrongswan-curl.la
+@USE_SOUP_TRUE@am__append_49 = plugins/soup
+@MONOLITHIC_TRUE@@USE_SOUP_TRUE@am__append_50 = plugins/soup/libstrongswan-soup.la
+@USE_LDAP_TRUE@am__append_51 = plugins/ldap
+@MONOLITHIC_TRUE@@USE_LDAP_TRUE@am__append_52 = plugins/ldap/libstrongswan-ldap.la
+@USE_MYSQL_TRUE@am__append_53 = plugins/mysql
+@MONOLITHIC_TRUE@@USE_MYSQL_TRUE@am__append_54 = plugins/mysql/libstrongswan-mysql.la
+@USE_SQLITE_TRUE@am__append_55 = plugins/sqlite
+@MONOLITHIC_TRUE@@USE_SQLITE_TRUE@am__append_56 = plugins/sqlite/libstrongswan-sqlite.la
+@USE_PADLOCK_TRUE@am__append_57 = plugins/padlock
+@MONOLITHIC_TRUE@@USE_PADLOCK_TRUE@am__append_58 = plugins/padlock/libstrongswan-padlock.la
+@USE_OPENSSL_TRUE@am__append_59 = plugins/openssl
+@MONOLITHIC_TRUE@@USE_OPENSSL_TRUE@am__append_60 = plugins/openssl/libstrongswan-openssl.la
+@USE_GCRYPT_TRUE@am__append_61 = plugins/gcrypt
+@MONOLITHIC_TRUE@@USE_GCRYPT_TRUE@am__append_62 = plugins/gcrypt/libstrongswan-gcrypt.la
+@USE_FIPS_PRF_TRUE@am__append_63 = plugins/fips_prf
+@MONOLITHIC_TRUE@@USE_FIPS_PRF_TRUE@am__append_64 = plugins/fips_prf/libstrongswan-fips-prf.la
+@USE_AGENT_TRUE@am__append_65 = plugins/agent
+@MONOLITHIC_TRUE@@USE_AGENT_TRUE@am__append_66 = plugins/agent/libstrongswan-agent.la
+@USE_PKCS11_TRUE@am__append_67 = plugins/pkcs11
+@MONOLITHIC_TRUE@@USE_PKCS11_TRUE@am__append_68 = plugins/pkcs11/libstrongswan-pkcs11.la
+@USE_CTR_TRUE@am__append_69 = plugins/ctr
+@MONOLITHIC_TRUE@@USE_CTR_TRUE@am__append_70 = plugins/ctr/libstrongswan-ctr.la
+@USE_CCM_TRUE@am__append_71 = plugins/ccm
+@MONOLITHIC_TRUE@@USE_CCM_TRUE@am__append_72 = plugins/ccm/libstrongswan-ccm.la
+@USE_GCM_TRUE@am__append_73 = plugins/gcm
+@MONOLITHIC_TRUE@@USE_GCM_TRUE@am__append_74 = plugins/gcm/libstrongswan-gcm.la
+@USE_TEST_VECTORS_TRUE@am__append_75 = plugins/test_vectors
+@MONOLITHIC_TRUE@@USE_TEST_VECTORS_TRUE@am__append_76 = plugins/test_vectors/libstrongswan-test-vectors.la
 subdir = src/libstrongswan
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
@@ -162,7 +168,8 @@ libstrongswan_la_DEPENDENCIES = $(am__DEPENDENCIES_1) \
 	$(am__append_48) $(am__append_50) $(am__append_52) \
 	$(am__append_54) $(am__append_56) $(am__append_58) \
 	$(am__append_60) $(am__append_62) $(am__append_64) \
-	$(am__append_66) $(am__append_68) $(am__append_70)
+	$(am__append_66) $(am__append_68) $(am__append_70) \
+	$(am__append_72) $(am__append_74) $(am__append_76)
 am__libstrongswan_la_SOURCES_DIST = library.c library.h chunk.c \
 	chunk.h debug.c debug.h enum.c enum.h settings.h settings.c \
 	printf_hook.c printf_hook.h asn1/asn1.c asn1/asn1.h \
@@ -187,8 +194,7 @@ am__libstrongswan_la_SOURCES_DIST = library.c library.h chunk.c \
 	credentials/keys/shared_key.h \
 	credentials/certificates/certificate.c \
 	credentials/certificates/certificate.h \
-	credentials/certificates/x509.h \
-	credentials/certificates/x509.c credentials/certificates/ac.h \
+	credentials/certificates/x509.h credentials/certificates/ac.h \
 	credentials/certificates/crl.h credentials/certificates/crl.c \
 	credentials/certificates/pkcs10.h \
 	credentials/certificates/ocsp_request.h \
@@ -238,7 +244,7 @@ am_libstrongswan_la_OBJECTS = library.lo chunk.lo debug.lo enum.lo \
 	crypto_tester.lo diffie_hellman.lo aead.lo transform.lo \
 	credential_factory.lo builder.lo cred_encoding.lo \
 	private_key.lo public_key.lo shared_key.lo certificate.lo \
-	x509.lo crl.lo ocsp_response.lo ietf_attributes.lo \
+	crl.lo ocsp_response.lo ietf_attributes.lo \
 	credential_manager.lo auth_cfg_wrapper.lo \
 	ocsp_response_wrapper.lo cert_cache.lo mem_cred.lo \
 	callback_cred.lo auth_cfg.lo database_factory.lo \
@@ -278,14 +284,16 @@ AM_RECURSIVE_TARGETS = $(RECURSIVE_TARGETS:-recursive=) \
 	distdir
 ETAGS = etags
 CTAGS = ctags
-DIST_SUBDIRS = . plugins/aes plugins/des plugins/blowfish plugins/md4 \
-	plugins/md5 plugins/sha1 plugins/sha2 plugins/gmp \
-	plugins/random plugins/hmac plugins/xcbc plugins/x509 \
-	plugins/revocation plugins/pubkey plugins/pkcs1 plugins/pgp \
-	plugins/dnskey plugins/pem plugins/curl plugins/ldap \
-	plugins/mysql plugins/sqlite plugins/padlock plugins/openssl \
-	plugins/gcrypt plugins/fips_prf plugins/agent plugins/pkcs11 \
-	plugins/ctr plugins/ccm plugins/gcm plugins/test_vectors
+DIST_SUBDIRS = . plugins/af_alg plugins/aes plugins/des \
+	plugins/blowfish plugins/md4 plugins/md5 plugins/sha1 \
+	plugins/sha2 plugins/gmp plugins/random plugins/hmac \
+	plugins/xcbc plugins/x509 plugins/revocation \
+	plugins/constraints plugins/pubkey plugins/pkcs1 plugins/pgp \
+	plugins/dnskey plugins/pem plugins/curl plugins/soup \
+	plugins/ldap plugins/mysql plugins/sqlite plugins/padlock \
+	plugins/openssl plugins/gcrypt plugins/fips_prf plugins/agent \
+	plugins/pkcs11 plugins/ctr plugins/ccm plugins/gcm \
+	plugins/test_vectors
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 am__relativize = \
   dir0=`pwd`; \
@@ -431,9 +439,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -472,6 +478,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
@@ -507,8 +515,7 @@ libstrongswan_la_SOURCES = library.c library.h chunk.c chunk.h debug.c \
 	credentials/keys/shared_key.h \
 	credentials/certificates/certificate.c \
 	credentials/certificates/certificate.h \
-	credentials/certificates/x509.h \
-	credentials/certificates/x509.c credentials/certificates/ac.h \
+	credentials/certificates/x509.h credentials/certificates/ac.h \
 	credentials/certificates/crl.h credentials/certificates/crl.c \
 	credentials/certificates/pkcs10.h \
 	credentials/certificates/ocsp_request.h \
@@ -559,7 +566,8 @@ libstrongswan_la_LIBADD = $(PTHREADLIB) $(DLLIB) $(BTLIB) $(SOCKLIB) \
 	$(am__append_48) $(am__append_50) $(am__append_52) \
 	$(am__append_54) $(am__append_56) $(am__append_58) \
 	$(am__append_60) $(am__append_62) $(am__append_64) \
-	$(am__append_66) $(am__append_68) $(am__append_70)
+	$(am__append_66) $(am__append_68) $(am__append_70) \
+	$(am__append_72) $(am__append_74) $(am__append_76)
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
 AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" -DPLUGINDIR=\"${plugindir}\" \
 	-DSTRONGSWAN_CONF=\"${strongswan_conf}\" $(am__append_1) \
@@ -592,7 +600,9 @@ $(srcdir)/crypto/proposal/proposal_keywords.c
 @MONOLITHIC_FALSE@	$(am__append_55) $(am__append_57) \
 @MONOLITHIC_FALSE@	$(am__append_59) $(am__append_61) \
 @MONOLITHIC_FALSE@	$(am__append_63) $(am__append_65) \
-@MONOLITHIC_FALSE@	$(am__append_67) $(am__append_69)
+@MONOLITHIC_FALSE@	$(am__append_67) $(am__append_69) \
+@MONOLITHIC_FALSE@	$(am__append_71) $(am__append_73) \
+@MONOLITHIC_FALSE@	$(am__append_75)
 
 # build plugins with their own Makefile
 #######################################
@@ -611,7 +621,9 @@ $(srcdir)/crypto/proposal/proposal_keywords.c
 @MONOLITHIC_TRUE@	$(am__append_55) $(am__append_57) \
 @MONOLITHIC_TRUE@	$(am__append_59) $(am__append_61) \
 @MONOLITHIC_TRUE@	$(am__append_63) $(am__append_65) \
-@MONOLITHIC_TRUE@	$(am__append_67) $(am__append_69)
+@MONOLITHIC_TRUE@	$(am__append_67) $(am__append_69) \
+@MONOLITHIC_TRUE@	$(am__append_71) $(am__append_73) \
+@MONOLITHIC_TRUE@	$(am__append_75)
 all: $(BUILT_SOURCES)
 	$(MAKE) $(AM_MAKEFLAGS) all-recursive
 
@@ -749,7 +761,6 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/traffic_selector.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/transform.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/utils.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/x509.Plo@am__quote@
 
 .c.o:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
@@ -933,13 +944,6 @@ certificate.lo: credentials/certificates/certificate.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o certificate.lo `test -f 'credentials/certificates/certificate.c' || echo '$(srcdir)/'`credentials/certificates/certificate.c
 
-x509.lo: credentials/certificates/x509.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT x509.lo -MD -MP -MF $(DEPDIR)/x509.Tpo -c -o x509.lo `test -f 'credentials/certificates/x509.c' || echo '$(srcdir)/'`credentials/certificates/x509.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/x509.Tpo $(DEPDIR)/x509.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='credentials/certificates/x509.c' object='x509.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o x509.lo `test -f 'credentials/certificates/x509.c' || echo '$(srcdir)/'`credentials/certificates/x509.c
-
 crl.lo: credentials/certificates/crl.c
 @am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT crl.lo -MD -MP -MF $(DEPDIR)/crl.Tpo -c -o crl.lo `test -f 'credentials/certificates/crl.c' || echo '$(srcdir)/'`credentials/certificates/crl.c
 @am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/crl.Tpo $(DEPDIR)/crl.Plo
diff --git a/src/libstrongswan/asn1/asn1.c b/src/libstrongswan/asn1/asn1.c
index 6f549d42d..f80c2b93b 100644
--- a/src/libstrongswan/asn1/asn1.c
+++ b/src/libstrongswan/asn1/asn1.c
@@ -123,6 +123,100 @@ chunk_t asn1_build_known_oid(int n)
 	return oid;
 }
 
+/*
+ * Defined in header.
+ */
+chunk_t asn1_oid_from_string(char *str)
+{
+	enumerator_t *enumerator;
+	u_char buf[32];
+	char *end;
+	int i = 0, pos = 0;
+	u_int val, first = 0;
+
+	enumerator = enumerator_create_token(str, ".", "");
+	while (enumerator->enumerate(enumerator, &str))
+	{
+		val = strtoul(str, &end, 10);
+		if (end == str || pos > countof(buf))
+		{
+			pos = 0;
+			break;
+		}
+		switch (i++)
+		{
+			case 0:
+				first = val;
+				break;
+			case 1:
+				buf[pos++] = first * 40 + val;
+				break;
+			default:
+				if (val < 128)
+				{
+					buf[pos++] = val;
+				}
+				else
+				{
+					buf[pos++] = 128 | (val >> 7);
+					buf[pos++] = (val % 256) & 0x7F;
+				}
+				break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	return chunk_clone(chunk_create(buf, pos));
+}
+
+/*
+ * Defined in header.
+ */
+char *asn1_oid_to_string(chunk_t oid)
+{
+	char buf[64], *pos = buf;
+	int len;
+	u_int val;
+
+	if (!oid.len)
+	{
+		return NULL;
+	}
+	val = oid.ptr[0] / 40;
+	len = snprintf(buf, sizeof(buf), "%d.%d", val, oid.ptr[0] - val * 40);
+	oid = chunk_skip(oid, 1);
+	if (len < 0 || len >= sizeof(buf))
+	{
+		return NULL;
+	}
+	pos += len;
+
+	while (oid.len)
+	{
+		if (oid.ptr[0] < 128)
+		{
+			len = snprintf(pos, sizeof(buf) + buf - pos, ".%d", oid.ptr[0]);
+			oid = chunk_skip(oid, 1);
+		}
+		else
+		{
+			if (oid.len == 1)
+			{
+				return NULL;
+			}
+			val = ((u_int)(oid.ptr[0] & 0x7F) << 7) + oid.ptr[1];
+			len = snprintf(pos, sizeof(buf) + buf - pos, ".%d", val);
+			oid = chunk_skip(oid, 2);
+		}
+		if (len < 0 || len >= sizeof(buf) + buf - pos)
+		{
+			return NULL;
+		}
+		pos += len;
+	}
+	return strdup(buf);
+}
+
 /*
  * Defined in header.
  */
diff --git a/src/libstrongswan/asn1/asn1.h b/src/libstrongswan/asn1/asn1.h
index 866c28095..05a060827 100644
--- a/src/libstrongswan/asn1/asn1.h
+++ b/src/libstrongswan/asn1/asn1.h
@@ -114,6 +114,22 @@ int asn1_known_oid(chunk_t object);
  */
 chunk_t asn1_build_known_oid(int n);
 
+/**
+ * Convert human readable OID to ASN.1 DER encoding, without OID header.
+ *
+ * @param str		OID string (e.g. 1.2.345.67.8)
+ * @return			allocated ASN.1 encoded OID, chunk_empty on error
+ */
+chunk_t asn1_oid_from_string(char *str);
+
+/**
+ * Convert a DER encoded ASN.1 OID to a human readable string.
+ *
+ * @param oid		DER encoded OID, without header
+ * @return			human readable OID string, allocated, NULL on error
+ */
+char* asn1_oid_to_string(chunk_t oid);
+
 /**
  * Returns the length of an ASN.1 object
  * The blob pointer is advanced past the tag length fields
diff --git a/src/libstrongswan/asn1/asn1_parser.c b/src/libstrongswan/asn1/asn1_parser.c
index 3e5bbbabd..2a7a38a52 100644
--- a/src/libstrongswan/asn1/asn1_parser.c
+++ b/src/libstrongswan/asn1/asn1_parser.c
@@ -78,10 +78,8 @@ struct private_asn1_parser_t {
 	chunk_t blobs[ASN1_MAX_LEVEL + 2];
 };
 
-/**
- * Implementation of asn1_parser_t.iterate
- */
-static bool iterate(private_asn1_parser_t *this, int *objectID, chunk_t *object)
+METHOD(asn1_parser_t, iterate, bool,
+	private_asn1_parser_t *this, int *objectID, chunk_t *object)
 {
 	chunk_t *blob, *blob1;
 	u_char *start_ptr;
@@ -234,43 +232,33 @@ end:
 	return this->success;
 }
 
-/**
- * Implementation of asn1_parser_t.get_level
- */
-static u_int get_level(private_asn1_parser_t *this)
+METHOD(asn1_parser_t, get_level, u_int,
+private_asn1_parser_t *this)
 {
 	return this->level0 + this->objects[this->line].level;
 }
 
-/**
- * Implementation of asn1_parser_t.set_top_level
- */
-static void set_top_level(private_asn1_parser_t *this, u_int level0)
+METHOD(asn1_parser_t, set_top_level, void,
+	private_asn1_parser_t *this, u_int level0)
 {
 	this->level0 = level0;
 }
 
-/**
- * Implementation of asn1_parser_t.set_flags
- */
-static void set_flags(private_asn1_parser_t *this, bool implicit, bool private)
+METHOD(asn1_parser_t, set_flags, void,
+	private_asn1_parser_t *this, bool implicit, bool private)
 {
 	this->implicit = implicit;
 	this->private = private;
 }
 
-/**
- * Implementation of asn1_parser_t.success
- */
-static bool success(private_asn1_parser_t *this)
+METHOD(asn1_parser_t, success, bool,
+	private_asn1_parser_t *this)
 {
 	return this->success;
 }
 
-/**
- * Implementation of asn1_parser_t.destroy
- */
-static void destroy(private_asn1_parser_t *this)
+METHOD(asn1_parser_t, destroy, void,
+	private_asn1_parser_t *this)
 {
 	free(this);
 }
@@ -280,20 +268,22 @@ static void destroy(private_asn1_parser_t *this)
  */
 asn1_parser_t* asn1_parser_create(asn1Object_t const *objects, chunk_t blob)
 {
-	private_asn1_parser_t *this = malloc_thing(private_asn1_parser_t);
-
-	memset(this, '\0', sizeof(private_asn1_parser_t));
-	this->objects = objects;
-	this->blobs[0] = blob;
-	this->line = -1;
-	this->success = TRUE;
-
-	this->public.iterate = (bool (*)(asn1_parser_t*, int*, chunk_t*))iterate;
-	this->public.get_level = (u_int (*)(asn1_parser_t*))get_level;
-	this->public.set_top_level = (void (*)(asn1_parser_t*, u_int))set_top_level;
-	this->public.set_flags = (void (*)(asn1_parser_t*, bool, bool))set_flags;
-	this->public.success = (bool (*)(asn1_parser_t*))success;
-	this->public.destroy = (void (*)(asn1_parser_t*))destroy;
+	private_asn1_parser_t *this;
+
+	INIT(this,
+		.public = {
+			.iterate = _iterate,
+			.get_level = _get_level,
+			.set_top_level = _set_top_level,
+			.set_flags = _set_flags,
+			.success = _success,
+			.destroy = _destroy,
+		},
+		.objects = objects,
+		.blobs[0] = blob,
+		.line = -1,
+		.success = TRUE,
+	);
 
 	return &this->public;
 }
diff --git a/src/libstrongswan/asn1/oid.c b/src/libstrongswan/asn1/oid.c
index 1e5dec8a5..57a00a39e 100644
--- a/src/libstrongswan/asn1/oid.c
+++ b/src/libstrongswan/asn1/oid.c
@@ -10,360 +10,363 @@
 #include "oid.h"
 
 const oid_t oid_names[] = {
- {0x02,                       7, 1,  0, "ITU-T Administration"      }, /*   0 */
- {  0x82,                     0, 1,  1, ""                          }, /*   1 */
- {    0x06,                   0, 1,  2, "Germany ITU-T member"      }, /*   2 */
- {      0x01,                 0, 1,  3, "Deutsche Telekom AG"       }, /*   3 */
- {        0x0A,               0, 1,  4, ""                          }, /*   4 */
- {          0x07,             0, 1,  5, ""                          }, /*   5 */
- {            0x14,           0, 0,  6, "ND"                        }, /*   6 */
- {0x09,                      18, 1,  0, "data"                      }, /*   7 */
- {  0x92,                     0, 1,  1, ""                          }, /*   8 */
- {    0x26,                   0, 1,  2, ""                          }, /*   9 */
- {      0x89,                 0, 1,  3, ""                          }, /*  10 */
- {        0x93,               0, 1,  4, ""                          }, /*  11 */
- {          0xF2,             0, 1,  5, ""                          }, /*  12 */
- {            0x2C,           0, 1,  6, ""                          }, /*  13 */
- {              0x64,         0, 1,  7, "pilot"                     }, /*  14 */
- {                0x01,       0, 1,  8, "pilotAttributeType"        }, /*  15 */
- {                  0x01,    17, 0,  9, "UID"                       }, /*  16 */
- {                  0x19,     0, 0,  9, "DC"                        }, /*  17 */
- {0x55,                      64, 1,  0, "X.500"                     }, /*  18 */
- {  0x04,                    36, 1,  1, "X.509"                     }, /*  19 */
- {    0x03,                  21, 0,  2, "CN"                        }, /*  20 */
- {    0x04,                  22, 0,  2, "S"                         }, /*  21 */
- {    0x05,                  23, 0,  2, "SN"                        }, /*  22 */
- {    0x06,                  24, 0,  2, "C"                         }, /*  23 */
- {    0x07,                  25, 0,  2, "L"                         }, /*  24 */
- {    0x08,                  26, 0,  2, "ST"                        }, /*  25 */
- {    0x0A,                  27, 0,  2, "O"                         }, /*  26 */
- {    0x0B,                  28, 0,  2, "OU"                        }, /*  27 */
- {    0x0C,                  29, 0,  2, "T"                         }, /*  28 */
- {    0x0D,                  30, 0,  2, "D"                         }, /*  29 */
- {    0x24,                  31, 0,  2, "userCertificate"           }, /*  30 */
- {    0x29,                  32, 0,  2, "N"                         }, /*  31 */
- {    0x2A,                  33, 0,  2, "G"                         }, /*  32 */
- {    0x2B,                  34, 0,  2, "I"                         }, /*  33 */
- {    0x2D,                  35, 0,  2, "ID"                        }, /*  34 */
- {    0x48,                   0, 0,  2, "role"                      }, /*  35 */
- {  0x1D,                     0, 1,  1, "id-ce"                     }, /*  36 */
- {    0x09,                  38, 0,  2, "subjectDirectoryAttrs"     }, /*  37 */
- {    0x0E,                  39, 0,  2, "subjectKeyIdentifier"      }, /*  38 */
- {    0x0F,                  40, 0,  2, "keyUsage"                  }, /*  39 */
- {    0x10,                  41, 0,  2, "privateKeyUsagePeriod"     }, /*  40 */
- {    0x11,                  42, 0,  2, "subjectAltName"            }, /*  41 */
- {    0x12,                  43, 0,  2, "issuerAltName"             }, /*  42 */
- {    0x13,                  44, 0,  2, "basicConstraints"          }, /*  43 */
- {    0x14,                  45, 0,  2, "crlNumber"                 }, /*  44 */
- {    0x15,                  46, 0,  2, "reasonCode"                }, /*  45 */
- {    0x17,                  47, 0,  2, "holdInstructionCode"       }, /*  46 */
- {    0x18,                  48, 0,  2, "invalidityDate"            }, /*  47 */
- {    0x1B,                  49, 0,  2, "deltaCrlIndicator"         }, /*  48 */
- {    0x1C,                  50, 0,  2, "issuingDistributionPoint"  }, /*  49 */
- {    0x1D,                  51, 0,  2, "certificateIssuer"         }, /*  50 */
- {    0x1E,                  52, 0,  2, "nameConstraints"           }, /*  51 */
- {    0x1F,                  53, 0,  2, "crlDistributionPoints"     }, /*  52 */
- {    0x20,                  55, 1,  2, "certificatePolicies"       }, /*  53 */
- {      0x00,                 0, 0,  3, "anyPolicy"                 }, /*  54 */
- {    0x21,                  56, 0,  2, "policyMappings"            }, /*  55 */
- {    0x23,                  57, 0,  2, "authorityKeyIdentifier"    }, /*  56 */
- {    0x24,                  58, 0,  2, "policyConstraints"         }, /*  57 */
- {    0x25,                  60, 1,  2, "extendedKeyUsage"          }, /*  58 */
- {      0x00,                 0, 0,  3, "anyExtendedKeyUsage"       }, /*  59 */
- {    0x2E,                  61, 0,  2, "freshestCRL"               }, /*  60 */
- {    0x36,                  62, 0,  2, "inhibitAnyPolicy"          }, /*  61 */
- {    0x37,                  63, 0,  2, "targetInformation"         }, /*  62 */
- {    0x38,                   0, 0,  2, "noRevAvail"                }, /*  63 */
- {0x2A,                     161, 1,  0, ""                          }, /*  64 */
- {  0x83,                    77, 1,  1, ""                          }, /*  65 */
- {    0x08,                   0, 1,  2, "jp"                        }, /*  66 */
- {      0x8C,                 0, 1,  3, ""                          }, /*  67 */
- {        0x9A,               0, 1,  4, ""                          }, /*  68 */
- {          0x4B,             0, 1,  5, ""                          }, /*  69 */
- {            0x3D,           0, 1,  6, ""                          }, /*  70 */
- {              0x01,         0, 1,  7, "security"                  }, /*  71 */
- {                0x01,       0, 1,  8, "algorithm"                 }, /*  72 */
- {                  0x01,     0, 1,  9, "symm-encryption-alg"       }, /*  73 */
- {                    0x02,  75, 0, 10, "camellia128-cbc"           }, /*  74 */
- {                    0x03,  76, 0, 10, "camellia192-cbc"           }, /*  75 */
- {                    0x04,   0, 0, 10, "camellia256-cbc"           }, /*  76 */
- {  0x86,                     0, 1,  1, ""                          }, /*  77 */
- {    0x48,                   0, 1,  2, "us"                        }, /*  78 */
- {      0x86,               120, 1,  3, ""                          }, /*  79 */
- {        0xF6,              85, 1,  4, ""                          }, /*  80 */
- {          0x7D,             0, 1,  5, "NortelNetworks"            }, /*  81 */
- {            0x07,           0, 1,  6, "Entrust"                   }, /*  82 */
- {              0x41,         0, 1,  7, "nsn-ce"                    }, /*  83 */
- {                0x00,       0, 0,  8, "entrustVersInfo"           }, /*  84 */
- {        0xF7,               0, 1,  4, ""                          }, /*  85 */
- {          0x0D,             0, 1,  5, "RSADSI"                    }, /*  86 */
- {            0x01,         115, 1,  6, "PKCS"                      }, /*  87 */
- {              0x01,        97, 1,  7, "PKCS-1"                    }, /*  88 */
- {                0x01,      90, 0,  8, "rsaEncryption"             }, /*  89 */
- {                0x02,      91, 0,  8, "md2WithRSAEncryption"      }, /*  90 */
- {                0x04,      92, 0,  8, "md5WithRSAEncryption"      }, /*  91 */
- {                0x05,      93, 0,  8, "sha-1WithRSAEncryption"    }, /*  92 */
- {                0x0B,      94, 0,  8, "sha256WithRSAEncryption"   }, /*  93 */
- {                0x0C,      95, 0,  8, "sha384WithRSAEncryption"   }, /*  94 */
- {                0x0D,      96, 0,  8, "sha512WithRSAEncryption"   }, /*  95 */
- {                0x0E,       0, 0,  8, "sha224WithRSAEncryption"   }, /*  96 */
- {              0x07,       104, 1,  7, "PKCS-7"                    }, /*  97 */
- {                0x01,      99, 0,  8, "data"                      }, /*  98 */
- {                0x02,     100, 0,  8, "signedData"                }, /*  99 */
- {                0x03,     101, 0,  8, "envelopedData"             }, /* 100 */
- {                0x04,     102, 0,  8, "signedAndEnvelopedData"    }, /* 101 */
- {                0x05,     103, 0,  8, "digestedData"              }, /* 102 */
- {                0x06,       0, 0,  8, "encryptedData"             }, /* 103 */
- {              0x09,         0, 1,  7, "PKCS-9"                    }, /* 104 */
- {                0x01,     106, 0,  8, "E"                         }, /* 105 */
- {                0x02,     107, 0,  8, "unstructuredName"          }, /* 106 */
- {                0x03,     108, 0,  8, "contentType"               }, /* 107 */
- {                0x04,     109, 0,  8, "messageDigest"             }, /* 108 */
- {                0x05,     110, 0,  8, "signingTime"               }, /* 109 */
- {                0x06,     111, 0,  8, "counterSignature"          }, /* 110 */
- {                0x07,     112, 0,  8, "challengePassword"         }, /* 111 */
- {                0x08,     113, 0,  8, "unstructuredAddress"       }, /* 112 */
- {                0x0E,     114, 0,  8, "extensionRequest"          }, /* 113 */
- {                0x0F,       0, 0,  8, "S/MIME Capabilities"       }, /* 114 */
- {            0x02,         118, 1,  6, "digestAlgorithm"           }, /* 115 */
- {              0x02,       117, 0,  7, "md2"                       }, /* 116 */
- {              0x05,         0, 0,  7, "md5"                       }, /* 117 */
- {            0x03,           0, 1,  6, "encryptionAlgorithm"       }, /* 118 */
- {              0x07,         0, 0,  7, "3des-ede-cbc"              }, /* 119 */
- {      0xCE,                 0, 1,  3, ""                          }, /* 120 */
- {        0x3D,               0, 1,  4, "ansi-X9-62"                }, /* 121 */
- {          0x02,           124, 1,  5, "id-publicKeyType"          }, /* 122 */
- {            0x01,           0, 0,  6, "id-ecPublicKey"            }, /* 123 */
- {          0x03,           154, 1,  5, "ellipticCurve"             }, /* 124 */
- {            0x00,         146, 1,  6, "c-TwoCurve"                }, /* 125 */
- {              0x01,       127, 0,  7, "c2pnb163v1"                }, /* 126 */
- {              0x02,       128, 0,  7, "c2pnb163v2"                }, /* 127 */
- {              0x03,       129, 0,  7, "c2pnb163v3"                }, /* 128 */
- {              0x04,       130, 0,  7, "c2pnb176w1"                }, /* 129 */
- {              0x05,       131, 0,  7, "c2tnb191v1"                }, /* 130 */
- {              0x06,       132, 0,  7, "c2tnb191v2"                }, /* 131 */
- {              0x07,       133, 0,  7, "c2tnb191v3"                }, /* 132 */
- {              0x08,       134, 0,  7, "c2onb191v4"                }, /* 133 */
- {              0x09,       135, 0,  7, "c2onb191v5"                }, /* 134 */
- {              0x0A,       136, 0,  7, "c2pnb208w1"                }, /* 135 */
- {              0x0B,       137, 0,  7, "c2tnb239v1"                }, /* 136 */
- {              0x0C,       138, 0,  7, "c2tnb239v2"                }, /* 137 */
- {              0x0D,       139, 0,  7, "c2tnb239v3"                }, /* 138 */
- {              0x0E,       140, 0,  7, "c2onb239v4"                }, /* 139 */
- {              0x0F,       141, 0,  7, "c2onb239v5"                }, /* 140 */
- {              0x10,       142, 0,  7, "c2pnb272w1"                }, /* 141 */
- {              0x11,       143, 0,  7, "c2pnb304w1"                }, /* 142 */
- {              0x12,       144, 0,  7, "c2tnb359v1"                }, /* 143 */
- {              0x13,       145, 0,  7, "c2pnb368w1"                }, /* 144 */
- {              0x14,         0, 0,  7, "c2tnb431r1"                }, /* 145 */
- {            0x01,           0, 1,  6, "primeCurve"                }, /* 146 */
- {              0x01,       148, 0,  7, "prime192v1"                }, /* 147 */
- {              0x02,       149, 0,  7, "prime192v2"                }, /* 148 */
- {              0x03,       150, 0,  7, "prime192v3"                }, /* 149 */
- {              0x04,       151, 0,  7, "prime239v1"                }, /* 150 */
- {              0x05,       152, 0,  7, "prime239v2"                }, /* 151 */
- {              0x06,       153, 0,  7, "prime239v3"                }, /* 152 */
- {              0x07,         0, 0,  7, "prime256v1"                }, /* 153 */
- {          0x04,             0, 1,  5, "id-ecSigType"              }, /* 154 */
- {            0x01,         156, 0,  6, "ecdsa-with-SHA1"           }, /* 155 */
- {            0x03,           0, 1,  6, "ecdsa-with-Specified"      }, /* 156 */
- {              0x01,       158, 0,  7, "ecdsa-with-SHA224"         }, /* 157 */
- {              0x02,       159, 0,  7, "ecdsa-with-SHA256"         }, /* 158 */
- {              0x03,       160, 0,  7, "ecdsa-with-SHA384"         }, /* 159 */
- {              0x04,         0, 0,  7, "ecdsa-with-SHA512"         }, /* 160 */
- {0x2B,                     309, 1,  0, ""                          }, /* 161 */
- {  0x06,                   223, 1,  1, "dod"                       }, /* 162 */
- {    0x01,                   0, 1,  2, "internet"                  }, /* 163 */
- {      0x04,               183, 1,  3, "private"                   }, /* 164 */
- {        0x01,               0, 1,  4, "enterprise"                }, /* 165 */
- {          0x82,           176, 1,  5, ""                          }, /* 166 */
- {            0x37,           0, 1,  6, "Microsoft"                 }, /* 167 */
- {              0x0A,       172, 1,  7, ""                          }, /* 168 */
- {                0x03,       0, 1,  8, ""                          }, /* 169 */
- {                  0x03,   171, 0,  9, "msSGC"                     }, /* 170 */
- {                  0x04,     0, 0,  9, "msEncryptingFileSystem"    }, /* 171 */
- {              0x14,         0, 1,  7, "msEnrollmentInfrastructure"}, /* 172 */
- {                0x02,       0, 1,  8, "msCertificateTypeExtension"}, /* 173 */
- {                  0x02,   175, 0,  9, "msSmartcardLogon"          }, /* 174 */
- {                  0x03,     0, 0,  9, "msUPN"                     }, /* 175 */
- {          0x89,             0, 1,  5, ""                          }, /* 176 */
- {            0x31,           0, 1,  6, ""                          }, /* 177 */
- {              0x01,         0, 1,  7, ""                          }, /* 178 */
- {                0x01,       0, 1,  8, ""                          }, /* 179 */
- {                  0x02,     0, 1,  9, ""                          }, /* 180 */
- {                    0x02, 182, 0, 10, ""                          }, /* 181 */
- {                    0x4B,   0, 0, 10, "TCGID"                     }, /* 182 */
- {      0x05,                 0, 1,  3, "security"                  }, /* 183 */
- {        0x05,               0, 1,  4, "mechanisms"                }, /* 184 */
- {          0x07,             0, 1,  5, "id-pkix"                   }, /* 185 */
- {            0x01,         190, 1,  6, "id-pe"                     }, /* 186 */
- {              0x01,       188, 0,  7, "authorityInfoAccess"       }, /* 187 */
- {              0x03,       189, 0,  7, "qcStatements"              }, /* 188 */
- {              0x07,         0, 0,  7, "ipAddrBlocks"              }, /* 189 */
- {            0x02,         193, 1,  6, "id-qt"                     }, /* 190 */
- {              0x01,       192, 0,  7, "cps"                       }, /* 191 */
- {              0x02,         0, 0,  7, "unotice"                   }, /* 192 */
- {            0x03,         203, 1,  6, "id-kp"                     }, /* 193 */
- {              0x01,       195, 0,  7, "serverAuth"                }, /* 194 */
- {              0x02,       196, 0,  7, "clientAuth"                }, /* 195 */
- {              0x03,       197, 0,  7, "codeSigning"               }, /* 196 */
- {              0x04,       198, 0,  7, "emailProtection"           }, /* 197 */
- {              0x05,       199, 0,  7, "ipsecEndSystem"            }, /* 198 */
- {              0x06,       200, 0,  7, "ipsecTunnel"               }, /* 199 */
- {              0x07,       201, 0,  7, "ipsecUser"                 }, /* 200 */
- {              0x08,       202, 0,  7, "timeStamping"              }, /* 201 */
- {              0x09,         0, 0,  7, "ocspSigning"               }, /* 202 */
- {            0x08,         205, 1,  6, "id-otherNames"             }, /* 203 */
- {              0x05,         0, 0,  7, "xmppAddr"                  }, /* 204 */
- {            0x0A,         210, 1,  6, "id-aca"                    }, /* 205 */
- {              0x01,       207, 0,  7, "authenticationInfo"        }, /* 206 */
- {              0x02,       208, 0,  7, "accessIdentity"            }, /* 207 */
- {              0x03,       209, 0,  7, "chargingIdentity"          }, /* 208 */
- {              0x04,         0, 0,  7, "group"                     }, /* 209 */
- {            0x0B,         211, 0,  6, "subjectInfoAccess"         }, /* 210 */
- {            0x30,           0, 1,  6, "id-ad"                     }, /* 211 */
- {              0x01,       220, 1,  7, "ocsp"                      }, /* 212 */
- {                0x01,     214, 0,  8, "basic"                     }, /* 213 */
- {                0x02,     215, 0,  8, "nonce"                     }, /* 214 */
- {                0x03,     216, 0,  8, "crl"                       }, /* 215 */
- {                0x04,     217, 0,  8, "response"                  }, /* 216 */
- {                0x05,     218, 0,  8, "noCheck"                   }, /* 217 */
- {                0x06,     219, 0,  8, "archiveCutoff"             }, /* 218 */
- {                0x07,       0, 0,  8, "serviceLocator"            }, /* 219 */
- {              0x02,       221, 0,  7, "caIssuers"                 }, /* 220 */
- {              0x03,       222, 0,  7, "timeStamping"              }, /* 221 */
- {              0x05,         0, 0,  7, "caRepository"              }, /* 222 */
- {  0x0E,                   229, 1,  1, "oiw"                       }, /* 223 */
- {    0x03,                   0, 1,  2, "secsig"                    }, /* 224 */
- {      0x02,                 0, 1,  3, "algorithms"                }, /* 225 */
- {        0x07,             227, 0,  4, "des-cbc"                   }, /* 226 */
- {        0x1A,             228, 0,  4, "sha-1"                     }, /* 227 */
- {        0x1D,               0, 0,  4, "sha-1WithRSASignature"     }, /* 228 */
- {  0x24,                   275, 1,  1, "TeleTrusT"                 }, /* 229 */
- {    0x03,                   0, 1,  2, "algorithm"                 }, /* 230 */
- {      0x03,                 0, 1,  3, "signatureAlgorithm"        }, /* 231 */
- {        0x01,             236, 1,  4, "rsaSignature"              }, /* 232 */
- {          0x02,           234, 0,  5, "rsaSigWithripemd160"       }, /* 233 */
- {          0x03,           235, 0,  5, "rsaSigWithripemd128"       }, /* 234 */
- {          0x04,             0, 0,  5, "rsaSigWithripemd256"       }, /* 235 */
- {        0x02,               0, 1,  4, "ecSign"                    }, /* 236 */
- {          0x01,           238, 0,  5, "ecSignWithsha1"            }, /* 237 */
- {          0x02,           239, 0,  5, "ecSignWithripemd160"       }, /* 238 */
- {          0x03,           240, 0,  5, "ecSignWithmd2"             }, /* 239 */
- {          0x04,           241, 0,  5, "ecSignWithmd5"             }, /* 240 */
- {          0x05,           258, 1,  5, "ttt-ecg"                   }, /* 241 */
- {            0x01,         246, 1,  6, "fieldType"                 }, /* 242 */
- {              0x01,         0, 1,  7, "characteristictwoField"    }, /* 243 */
- {                0x01,       0, 1,  8, "basisType"                 }, /* 244 */
- {                  0x01,     0, 0,  9, "ipBasis"                   }, /* 245 */
- {            0x02,         248, 1,  6, "keyType"                   }, /* 246 */
- {              0x01,         0, 0,  7, "ecgPublicKey"              }, /* 247 */
- {            0x03,         249, 0,  6, "curve"                     }, /* 248 */
- {            0x04,         256, 1,  6, "signatures"                }, /* 249 */
- {              0x01,       251, 0,  7, "ecgdsa-with-RIPEMD160"     }, /* 250 */
- {              0x02,       252, 0,  7, "ecgdsa-with-SHA1"          }, /* 251 */
- {              0x03,       253, 0,  7, "ecgdsa-with-SHA224"        }, /* 252 */
- {              0x04,       254, 0,  7, "ecgdsa-with-SHA256"        }, /* 253 */
- {              0x05,       255, 0,  7, "ecgdsa-with-SHA384"        }, /* 254 */
- {              0x06,         0, 0,  7, "ecgdsa-with-SHA512"        }, /* 255 */
- {            0x05,           0, 1,  6, "module"                    }, /* 256 */
- {              0x01,         0, 0,  7, "1"                         }, /* 257 */
- {          0x08,             0, 1,  5, "ecStdCurvesAndGeneration"  }, /* 258 */
- {            0x01,           0, 1,  6, "ellipticCurve"             }, /* 259 */
- {              0x01,         0, 1,  7, "versionOne"                }, /* 260 */
- {                0x01,     262, 0,  8, "brainpoolP160r1"           }, /* 261 */
- {                0x02,     263, 0,  8, "brainpoolP160t1"           }, /* 262 */
- {                0x03,     264, 0,  8, "brainpoolP192r1"           }, /* 263 */
- {                0x04,     265, 0,  8, "brainpoolP192t1"           }, /* 264 */
- {                0x05,     266, 0,  8, "brainpoolP224r1"           }, /* 265 */
- {                0x06,     267, 0,  8, "brainpoolP224t1"           }, /* 266 */
- {                0x07,     268, 0,  8, "brainpoolP256r1"           }, /* 267 */
- {                0x08,     269, 0,  8, "brainpoolP256t1"           }, /* 268 */
- {                0x09,     270, 0,  8, "brainpoolP320r1"           }, /* 269 */
- {                0x0A,     271, 0,  8, "brainpoolP320t1"           }, /* 270 */
- {                0x0B,     272, 0,  8, "brainpoolP384r1"           }, /* 271 */
- {                0x0C,     273, 0,  8, "brainpoolP384t1"           }, /* 272 */
- {                0x0D,     274, 0,  8, "brainpoolP512r1"           }, /* 273 */
- {                0x0E,       0, 0,  8, "brainpoolP512t1"           }, /* 274 */
- {  0x81,                     0, 1,  1, ""                          }, /* 275 */
- {    0x04,                   0, 1,  2, "Certicom"                  }, /* 276 */
- {      0x00,                 0, 1,  3, "curve"                     }, /* 277 */
- {        0x01,             279, 0,  4, "sect163k1"                 }, /* 278 */
- {        0x02,             280, 0,  4, "sect163r1"                 }, /* 279 */
- {        0x03,             281, 0,  4, "sect239k1"                 }, /* 280 */
- {        0x04,             282, 0,  4, "sect113r1"                 }, /* 281 */
- {        0x05,             283, 0,  4, "sect113r2"                 }, /* 282 */
- {        0x06,             284, 0,  4, "secp112r1"                 }, /* 283 */
- {        0x07,             285, 0,  4, "secp112r2"                 }, /* 284 */
- {        0x08,             286, 0,  4, "secp160r1"                 }, /* 285 */
- {        0x09,             287, 0,  4, "secp160k1"                 }, /* 286 */
- {        0x0A,             288, 0,  4, "secp256k1"                 }, /* 287 */
- {        0x0F,             289, 0,  4, "sect163r2"                 }, /* 288 */
- {        0x10,             290, 0,  4, "sect283k1"                 }, /* 289 */
- {        0x11,             291, 0,  4, "sect283r1"                 }, /* 290 */
- {        0x16,             292, 0,  4, "sect131r1"                 }, /* 291 */
- {        0x17,             293, 0,  4, "sect131r2"                 }, /* 292 */
- {        0x18,             294, 0,  4, "sect193r1"                 }, /* 293 */
- {        0x19,             295, 0,  4, "sect193r2"                 }, /* 294 */
- {        0x1A,             296, 0,  4, "sect233k1"                 }, /* 295 */
- {        0x1B,             297, 0,  4, "sect233r1"                 }, /* 296 */
- {        0x1C,             298, 0,  4, "secp128r1"                 }, /* 297 */
- {        0x1D,             299, 0,  4, "secp128r2"                 }, /* 298 */
- {        0x1E,             300, 0,  4, "secp160r2"                 }, /* 299 */
- {        0x1F,             301, 0,  4, "secp192k1"                 }, /* 300 */
- {        0x20,             302, 0,  4, "secp224k1"                 }, /* 301 */
- {        0x21,             303, 0,  4, "secp224r1"                 }, /* 302 */
- {        0x22,             304, 0,  4, "secp384r1"                 }, /* 303 */
- {        0x23,             305, 0,  4, "secp521r1"                 }, /* 304 */
- {        0x24,             306, 0,  4, "sect409k1"                 }, /* 305 */
- {        0x25,             307, 0,  4, "sect409r1"                 }, /* 306 */
- {        0x26,             308, 0,  4, "sect571k1"                 }, /* 307 */
- {        0x27,               0, 0,  4, "sect571r1"                 }, /* 308 */
- {0x60,                       0, 1,  0, ""                          }, /* 309 */
- {  0x86,                     0, 1,  1, ""                          }, /* 310 */
- {    0x48,                   0, 1,  2, ""                          }, /* 311 */
- {      0x01,                 0, 1,  3, "organization"              }, /* 312 */
- {        0x65,             331, 1,  4, "gov"                       }, /* 313 */
- {          0x03,             0, 1,  5, "csor"                      }, /* 314 */
- {            0x04,           0, 1,  6, "nistalgorithm"             }, /* 315 */
- {              0x01,       326, 1,  7, "aes"                       }, /* 316 */
- {                0x02,     318, 0,  8, "id-aes128-CBC"             }, /* 317 */
- {                0x06,     319, 0,  8, "id-aes128-GCM"             }, /* 318 */
- {                0x07,     320, 0,  8, "id-aes128-CCM"             }, /* 319 */
- {                0x16,     321, 0,  8, "id-aes192-CBC"             }, /* 320 */
- {                0x1A,     322, 0,  8, "id-aes192-GCM"             }, /* 321 */
- {                0x1B,     323, 0,  8, "id-aes192-CCM"             }, /* 322 */
- {                0x2A,     324, 0,  8, "id-aes256-CBC"             }, /* 323 */
- {                0x2E,     325, 0,  8, "id-aes256-GCM"             }, /* 324 */
- {                0x2F,       0, 0,  8, "id-aes256-CCM"             }, /* 325 */
- {              0x02,         0, 1,  7, "hashalgs"                  }, /* 326 */
- {                0x01,     328, 0,  8, "id-SHA-256"                }, /* 327 */
- {                0x02,     329, 0,  8, "id-SHA-384"                }, /* 328 */
- {                0x03,     330, 0,  8, "id-SHA-512"                }, /* 329 */
- {                0x04,       0, 0,  8, "id-SHA-224"                }, /* 330 */
- {        0x86,               0, 1,  4, ""                          }, /* 331 */
- {          0xf8,             0, 1,  5, ""                          }, /* 332 */
- {            0x42,         345, 1,  6, "netscape"                  }, /* 333 */
- {              0x01,       340, 1,  7, ""                          }, /* 334 */
- {                0x01,     336, 0,  8, "nsCertType"                }, /* 335 */
- {                0x03,     337, 0,  8, "nsRevocationUrl"           }, /* 336 */
- {                0x04,     338, 0,  8, "nsCaRevocationUrl"         }, /* 337 */
- {                0x08,     339, 0,  8, "nsCaPolicyUrl"             }, /* 338 */
- {                0x0d,       0, 0,  8, "nsComment"                 }, /* 339 */
- {              0x03,       343, 1,  7, "directory"                 }, /* 340 */
- {                0x01,       0, 1,  8, ""                          }, /* 341 */
- {                  0x03,     0, 0,  9, "employeeNumber"            }, /* 342 */
- {              0x04,         0, 1,  7, "policy"                    }, /* 343 */
- {                0x01,       0, 0,  8, "nsSGC"                     }, /* 344 */
- {            0x45,           0, 1,  6, "verisign"                  }, /* 345 */
- {              0x01,         0, 1,  7, "pki"                       }, /* 346 */
- {                0x09,       0, 1,  8, "attributes"                }, /* 347 */
- {                  0x02,   349, 0,  9, "messageType"               }, /* 348 */
- {                  0x03,   350, 0,  9, "pkiStatus"                 }, /* 349 */
- {                  0x04,   351, 0,  9, "failInfo"                  }, /* 350 */
- {                  0x05,   352, 0,  9, "senderNonce"               }, /* 351 */
- {                  0x06,   353, 0,  9, "recipientNonce"            }, /* 352 */
- {                  0x07,   354, 0,  9, "transID"                   }, /* 353 */
- {                  0x08,   355, 0,  9, "extensionReq"              }, /* 354 */
- {                  0x08,     0, 0,  9, "extensionReq"              }  /* 355 */
+ {0x02,                         7, 1,  0, "ITU-T Administration"      }, /*   0 */
+ {  0x82,                       0, 1,  1, ""                          }, /*   1 */
+ {    0x06,                     0, 1,  2, "Germany ITU-T member"      }, /*   2 */
+ {      0x01,                   0, 1,  3, "Deutsche Telekom AG"       }, /*   3 */
+ {        0x0A,                 0, 1,  4, ""                          }, /*   4 */
+ {          0x07,               0, 1,  5, ""                          }, /*   5 */
+ {            0x14,             0, 0,  6, "ND"                        }, /*   6 */
+ {0x09,                        18, 1,  0, "data"                      }, /*   7 */
+ {  0x92,                       0, 1,  1, ""                          }, /*   8 */
+ {    0x26,                     0, 1,  2, ""                          }, /*   9 */
+ {      0x89,                   0, 1,  3, ""                          }, /*  10 */
+ {        0x93,                 0, 1,  4, ""                          }, /*  11 */
+ {          0xF2,               0, 1,  5, ""                          }, /*  12 */
+ {            0x2C,             0, 1,  6, ""                          }, /*  13 */
+ {              0x64,           0, 1,  7, "pilot"                     }, /*  14 */
+ {                0x01,         0, 1,  8, "pilotAttributeType"        }, /*  15 */
+ {                  0x01,      17, 0,  9, "UID"                       }, /*  16 */
+ {                  0x19,       0, 0,  9, "DC"                        }, /*  17 */
+ {0x55,                        64, 1,  0, "X.500"                     }, /*  18 */
+ {  0x04,                      36, 1,  1, "X.509"                     }, /*  19 */
+ {    0x03,                    21, 0,  2, "CN"                        }, /*  20 */
+ {    0x04,                    22, 0,  2, "S"                         }, /*  21 */
+ {    0x05,                    23, 0,  2, "SN"                        }, /*  22 */
+ {    0x06,                    24, 0,  2, "C"                         }, /*  23 */
+ {    0x07,                    25, 0,  2, "L"                         }, /*  24 */
+ {    0x08,                    26, 0,  2, "ST"                        }, /*  25 */
+ {    0x0A,                    27, 0,  2, "O"                         }, /*  26 */
+ {    0x0B,                    28, 0,  2, "OU"                        }, /*  27 */
+ {    0x0C,                    29, 0,  2, "T"                         }, /*  28 */
+ {    0x0D,                    30, 0,  2, "D"                         }, /*  29 */
+ {    0x24,                    31, 0,  2, "userCertificate"           }, /*  30 */
+ {    0x29,                    32, 0,  2, "N"                         }, /*  31 */
+ {    0x2A,                    33, 0,  2, "G"                         }, /*  32 */
+ {    0x2B,                    34, 0,  2, "I"                         }, /*  33 */
+ {    0x2D,                    35, 0,  2, "ID"                        }, /*  34 */
+ {    0x48,                     0, 0,  2, "role"                      }, /*  35 */
+ {  0x1D,                       0, 1,  1, "id-ce"                     }, /*  36 */
+ {    0x09,                    38, 0,  2, "subjectDirectoryAttrs"     }, /*  37 */
+ {    0x0E,                    39, 0,  2, "subjectKeyIdentifier"      }, /*  38 */
+ {    0x0F,                    40, 0,  2, "keyUsage"                  }, /*  39 */
+ {    0x10,                    41, 0,  2, "privateKeyUsagePeriod"     }, /*  40 */
+ {    0x11,                    42, 0,  2, "subjectAltName"            }, /*  41 */
+ {    0x12,                    43, 0,  2, "issuerAltName"             }, /*  42 */
+ {    0x13,                    44, 0,  2, "basicConstraints"          }, /*  43 */
+ {    0x14,                    45, 0,  2, "crlNumber"                 }, /*  44 */
+ {    0x15,                    46, 0,  2, "reasonCode"                }, /*  45 */
+ {    0x17,                    47, 0,  2, "holdInstructionCode"       }, /*  46 */
+ {    0x18,                    48, 0,  2, "invalidityDate"            }, /*  47 */
+ {    0x1B,                    49, 0,  2, "deltaCrlIndicator"         }, /*  48 */
+ {    0x1C,                    50, 0,  2, "issuingDistributionPoint"  }, /*  49 */
+ {    0x1D,                    51, 0,  2, "certificateIssuer"         }, /*  50 */
+ {    0x1E,                    52, 0,  2, "nameConstraints"           }, /*  51 */
+ {    0x1F,                    53, 0,  2, "crlDistributionPoints"     }, /*  52 */
+ {    0x20,                    55, 1,  2, "certificatePolicies"       }, /*  53 */
+ {      0x00,                   0, 0,  3, "anyPolicy"                 }, /*  54 */
+ {    0x21,                    56, 0,  2, "policyMappings"            }, /*  55 */
+ {    0x23,                    57, 0,  2, "authorityKeyIdentifier"    }, /*  56 */
+ {    0x24,                    58, 0,  2, "policyConstraints"         }, /*  57 */
+ {    0x25,                    60, 1,  2, "extendedKeyUsage"          }, /*  58 */
+ {      0x00,                   0, 0,  3, "anyExtendedKeyUsage"       }, /*  59 */
+ {    0x2E,                    61, 0,  2, "freshestCRL"               }, /*  60 */
+ {    0x36,                    62, 0,  2, "inhibitAnyPolicy"          }, /*  61 */
+ {    0x37,                    63, 0,  2, "targetInformation"         }, /*  62 */
+ {    0x38,                     0, 0,  2, "noRevAvail"                }, /*  63 */
+ {0x2A,                       161, 1,  0, ""                          }, /*  64 */
+ {  0x83,                      77, 1,  1, ""                          }, /*  65 */
+ {    0x08,                     0, 1,  2, "jp"                        }, /*  66 */
+ {      0x8C,                   0, 1,  3, ""                          }, /*  67 */
+ {        0x9A,                 0, 1,  4, ""                          }, /*  68 */
+ {          0x4B,               0, 1,  5, ""                          }, /*  69 */
+ {            0x3D,             0, 1,  6, ""                          }, /*  70 */
+ {              0x01,           0, 1,  7, "security"                  }, /*  71 */
+ {                0x01,         0, 1,  8, "algorithm"                 }, /*  72 */
+ {                  0x01,       0, 1,  9, "symm-encryption-alg"       }, /*  73 */
+ {                    0x02,    75, 0, 10, "camellia128-cbc"           }, /*  74 */
+ {                    0x03,    76, 0, 10, "camellia192-cbc"           }, /*  75 */
+ {                    0x04,     0, 0, 10, "camellia256-cbc"           }, /*  76 */
+ {  0x86,                       0, 1,  1, ""                          }, /*  77 */
+ {    0x48,                     0, 1,  2, "us"                        }, /*  78 */
+ {      0x86,                 120, 1,  3, ""                          }, /*  79 */
+ {        0xF6,                85, 1,  4, ""                          }, /*  80 */
+ {          0x7D,               0, 1,  5, "NortelNetworks"            }, /*  81 */
+ {            0x07,             0, 1,  6, "Entrust"                   }, /*  82 */
+ {              0x41,           0, 1,  7, "nsn-ce"                    }, /*  83 */
+ {                0x00,         0, 0,  8, "entrustVersInfo"           }, /*  84 */
+ {        0xF7,                 0, 1,  4, ""                          }, /*  85 */
+ {          0x0D,               0, 1,  5, "RSADSI"                    }, /*  86 */
+ {            0x01,           115, 1,  6, "PKCS"                      }, /*  87 */
+ {              0x01,          97, 1,  7, "PKCS-1"                    }, /*  88 */
+ {                0x01,        90, 0,  8, "rsaEncryption"             }, /*  89 */
+ {                0x02,        91, 0,  8, "md2WithRSAEncryption"      }, /*  90 */
+ {                0x04,        92, 0,  8, "md5WithRSAEncryption"      }, /*  91 */
+ {                0x05,        93, 0,  8, "sha-1WithRSAEncryption"    }, /*  92 */
+ {                0x0B,        94, 0,  8, "sha256WithRSAEncryption"   }, /*  93 */
+ {                0x0C,        95, 0,  8, "sha384WithRSAEncryption"   }, /*  94 */
+ {                0x0D,        96, 0,  8, "sha512WithRSAEncryption"   }, /*  95 */
+ {                0x0E,         0, 0,  8, "sha224WithRSAEncryption"   }, /*  96 */
+ {              0x07,         104, 1,  7, "PKCS-7"                    }, /*  97 */
+ {                0x01,        99, 0,  8, "data"                      }, /*  98 */
+ {                0x02,       100, 0,  8, "signedData"                }, /*  99 */
+ {                0x03,       101, 0,  8, "envelopedData"             }, /* 100 */
+ {                0x04,       102, 0,  8, "signedAndEnvelopedData"    }, /* 101 */
+ {                0x05,       103, 0,  8, "digestedData"              }, /* 102 */
+ {                0x06,         0, 0,  8, "encryptedData"             }, /* 103 */
+ {              0x09,           0, 1,  7, "PKCS-9"                    }, /* 104 */
+ {                0x01,       106, 0,  8, "E"                         }, /* 105 */
+ {                0x02,       107, 0,  8, "unstructuredName"          }, /* 106 */
+ {                0x03,       108, 0,  8, "contentType"               }, /* 107 */
+ {                0x04,       109, 0,  8, "messageDigest"             }, /* 108 */
+ {                0x05,       110, 0,  8, "signingTime"               }, /* 109 */
+ {                0x06,       111, 0,  8, "counterSignature"          }, /* 110 */
+ {                0x07,       112, 0,  8, "challengePassword"         }, /* 111 */
+ {                0x08,       113, 0,  8, "unstructuredAddress"       }, /* 112 */
+ {                0x0E,       114, 0,  8, "extensionRequest"          }, /* 113 */
+ {                0x0F,         0, 0,  8, "S/MIME Capabilities"       }, /* 114 */
+ {            0x02,           118, 1,  6, "digestAlgorithm"           }, /* 115 */
+ {              0x02,         117, 0,  7, "md2"                       }, /* 116 */
+ {              0x05,           0, 0,  7, "md5"                       }, /* 117 */
+ {            0x03,             0, 1,  6, "encryptionAlgorithm"       }, /* 118 */
+ {              0x07,           0, 0,  7, "3des-ede-cbc"              }, /* 119 */
+ {      0xCE,                   0, 1,  3, ""                          }, /* 120 */
+ {        0x3D,                 0, 1,  4, "ansi-X9-62"                }, /* 121 */
+ {          0x02,             124, 1,  5, "id-publicKeyType"          }, /* 122 */
+ {            0x01,             0, 0,  6, "id-ecPublicKey"            }, /* 123 */
+ {          0x03,             154, 1,  5, "ellipticCurve"             }, /* 124 */
+ {            0x00,           146, 1,  6, "c-TwoCurve"                }, /* 125 */
+ {              0x01,         127, 0,  7, "c2pnb163v1"                }, /* 126 */
+ {              0x02,         128, 0,  7, "c2pnb163v2"                }, /* 127 */
+ {              0x03,         129, 0,  7, "c2pnb163v3"                }, /* 128 */
+ {              0x04,         130, 0,  7, "c2pnb176w1"                }, /* 129 */
+ {              0x05,         131, 0,  7, "c2tnb191v1"                }, /* 130 */
+ {              0x06,         132, 0,  7, "c2tnb191v2"                }, /* 131 */
+ {              0x07,         133, 0,  7, "c2tnb191v3"                }, /* 132 */
+ {              0x08,         134, 0,  7, "c2onb191v4"                }, /* 133 */
+ {              0x09,         135, 0,  7, "c2onb191v5"                }, /* 134 */
+ {              0x0A,         136, 0,  7, "c2pnb208w1"                }, /* 135 */
+ {              0x0B,         137, 0,  7, "c2tnb239v1"                }, /* 136 */
+ {              0x0C,         138, 0,  7, "c2tnb239v2"                }, /* 137 */
+ {              0x0D,         139, 0,  7, "c2tnb239v3"                }, /* 138 */
+ {              0x0E,         140, 0,  7, "c2onb239v4"                }, /* 139 */
+ {              0x0F,         141, 0,  7, "c2onb239v5"                }, /* 140 */
+ {              0x10,         142, 0,  7, "c2pnb272w1"                }, /* 141 */
+ {              0x11,         143, 0,  7, "c2pnb304w1"                }, /* 142 */
+ {              0x12,         144, 0,  7, "c2tnb359v1"                }, /* 143 */
+ {              0x13,         145, 0,  7, "c2pnb368w1"                }, /* 144 */
+ {              0x14,           0, 0,  7, "c2tnb431r1"                }, /* 145 */
+ {            0x01,             0, 1,  6, "primeCurve"                }, /* 146 */
+ {              0x01,         148, 0,  7, "prime192v1"                }, /* 147 */
+ {              0x02,         149, 0,  7, "prime192v2"                }, /* 148 */
+ {              0x03,         150, 0,  7, "prime192v3"                }, /* 149 */
+ {              0x04,         151, 0,  7, "prime239v1"                }, /* 150 */
+ {              0x05,         152, 0,  7, "prime239v2"                }, /* 151 */
+ {              0x06,         153, 0,  7, "prime239v3"                }, /* 152 */
+ {              0x07,           0, 0,  7, "prime256v1"                }, /* 153 */
+ {          0x04,               0, 1,  5, "id-ecSigType"              }, /* 154 */
+ {            0x01,           156, 0,  6, "ecdsa-with-SHA1"           }, /* 155 */
+ {            0x03,             0, 1,  6, "ecdsa-with-Specified"      }, /* 156 */
+ {              0x01,         158, 0,  7, "ecdsa-with-SHA224"         }, /* 157 */
+ {              0x02,         159, 0,  7, "ecdsa-with-SHA256"         }, /* 158 */
+ {              0x03,         160, 0,  7, "ecdsa-with-SHA384"         }, /* 159 */
+ {              0x04,           0, 0,  7, "ecdsa-with-SHA512"         }, /* 160 */
+ {0x2B,                       312, 1,  0, ""                          }, /* 161 */
+ {  0x06,                     226, 1,  1, "dod"                       }, /* 162 */
+ {    0x01,                     0, 1,  2, "internet"                  }, /* 163 */
+ {      0x04,                 186, 1,  3, "private"                   }, /* 164 */
+ {        0x01,                 0, 1,  4, "enterprise"                }, /* 165 */
+ {          0x82,             179, 1,  5, ""                          }, /* 166 */
+ {            0x37,           176, 1,  6, "Microsoft"                 }, /* 167 */
+ {              0x0A,         172, 1,  7, ""                          }, /* 168 */
+ {                0x03,         0, 1,  8, ""                          }, /* 169 */
+ {                  0x03,     171, 0,  9, "msSGC"                     }, /* 170 */
+ {                  0x04,       0, 0,  9, "msEncryptingFileSystem"    }, /* 171 */
+ {              0x14,           0, 1,  7, "msEnrollmentInfrastructure"}, /* 172 */
+ {                0x02,         0, 1,  8, "msCertificateTypeExtension"}, /* 173 */
+ {                  0x02,     175, 0,  9, "msSmartcardLogon"          }, /* 174 */
+ {                  0x03,       0, 0,  9, "msUPN"                     }, /* 175 */
+ {            0xA0,             0, 1,  6, ""                          }, /* 176 */
+ {              0x2A,           0, 1,  7, "ITA"                       }, /* 177 */
+ {                0x01,         0, 0,  8, "strongSwan"                }, /* 178 */
+ {          0x89,               0, 1,  5, ""                          }, /* 179 */
+ {            0x31,             0, 1,  6, ""                          }, /* 180 */
+ {              0x01,           0, 1,  7, ""                          }, /* 181 */
+ {                0x01,         0, 1,  8, ""                          }, /* 182 */
+ {                  0x02,       0, 1,  9, ""                          }, /* 183 */
+ {                    0x02,     0, 1, 10, ""                          }, /* 184 */
+ {                      0x4B,   0, 0, 11, "TCGID"                     }, /* 185 */
+ {      0x05,                   0, 1,  3, "security"                  }, /* 186 */
+ {        0x05,                 0, 1,  4, "mechanisms"                }, /* 187 */
+ {          0x07,               0, 1,  5, "id-pkix"                   }, /* 188 */
+ {            0x01,           193, 1,  6, "id-pe"                     }, /* 189 */
+ {              0x01,         191, 0,  7, "authorityInfoAccess"       }, /* 190 */
+ {              0x03,         192, 0,  7, "qcStatements"              }, /* 191 */
+ {              0x07,           0, 0,  7, "ipAddrBlocks"              }, /* 192 */
+ {            0x02,           196, 1,  6, "id-qt"                     }, /* 193 */
+ {              0x01,         195, 0,  7, "cps"                       }, /* 194 */
+ {              0x02,           0, 0,  7, "unotice"                   }, /* 195 */
+ {            0x03,           206, 1,  6, "id-kp"                     }, /* 196 */
+ {              0x01,         198, 0,  7, "serverAuth"                }, /* 197 */
+ {              0x02,         199, 0,  7, "clientAuth"                }, /* 198 */
+ {              0x03,         200, 0,  7, "codeSigning"               }, /* 199 */
+ {              0x04,         201, 0,  7, "emailProtection"           }, /* 200 */
+ {              0x05,         202, 0,  7, "ipsecEndSystem"            }, /* 201 */
+ {              0x06,         203, 0,  7, "ipsecTunnel"               }, /* 202 */
+ {              0x07,         204, 0,  7, "ipsecUser"                 }, /* 203 */
+ {              0x08,         205, 0,  7, "timeStamping"              }, /* 204 */
+ {              0x09,           0, 0,  7, "ocspSigning"               }, /* 205 */
+ {            0x08,           208, 1,  6, "id-otherNames"             }, /* 206 */
+ {              0x05,           0, 0,  7, "xmppAddr"                  }, /* 207 */
+ {            0x0A,           213, 1,  6, "id-aca"                    }, /* 208 */
+ {              0x01,         210, 0,  7, "authenticationInfo"        }, /* 209 */
+ {              0x02,         211, 0,  7, "accessIdentity"            }, /* 210 */
+ {              0x03,         212, 0,  7, "chargingIdentity"          }, /* 211 */
+ {              0x04,           0, 0,  7, "group"                     }, /* 212 */
+ {            0x0B,           214, 0,  6, "subjectInfoAccess"         }, /* 213 */
+ {            0x30,             0, 1,  6, "id-ad"                     }, /* 214 */
+ {              0x01,         223, 1,  7, "ocsp"                      }, /* 215 */
+ {                0x01,       217, 0,  8, "basic"                     }, /* 216 */
+ {                0x02,       218, 0,  8, "nonce"                     }, /* 217 */
+ {                0x03,       219, 0,  8, "crl"                       }, /* 218 */
+ {                0x04,       220, 0,  8, "response"                  }, /* 219 */
+ {                0x05,       221, 0,  8, "noCheck"                   }, /* 220 */
+ {                0x06,       222, 0,  8, "archiveCutoff"             }, /* 221 */
+ {                0x07,         0, 0,  8, "serviceLocator"            }, /* 222 */
+ {              0x02,         224, 0,  7, "caIssuers"                 }, /* 223 */
+ {              0x03,         225, 0,  7, "timeStamping"              }, /* 224 */
+ {              0x05,           0, 0,  7, "caRepository"              }, /* 225 */
+ {  0x0E,                     232, 1,  1, "oiw"                       }, /* 226 */
+ {    0x03,                     0, 1,  2, "secsig"                    }, /* 227 */
+ {      0x02,                   0, 1,  3, "algorithms"                }, /* 228 */
+ {        0x07,               230, 0,  4, "des-cbc"                   }, /* 229 */
+ {        0x1A,               231, 0,  4, "sha-1"                     }, /* 230 */
+ {        0x1D,                 0, 0,  4, "sha-1WithRSASignature"     }, /* 231 */
+ {  0x24,                     278, 1,  1, "TeleTrusT"                 }, /* 232 */
+ {    0x03,                     0, 1,  2, "algorithm"                 }, /* 233 */
+ {      0x03,                   0, 1,  3, "signatureAlgorithm"        }, /* 234 */
+ {        0x01,               239, 1,  4, "rsaSignature"              }, /* 235 */
+ {          0x02,             237, 0,  5, "rsaSigWithripemd160"       }, /* 236 */
+ {          0x03,             238, 0,  5, "rsaSigWithripemd128"       }, /* 237 */
+ {          0x04,               0, 0,  5, "rsaSigWithripemd256"       }, /* 238 */
+ {        0x02,                 0, 1,  4, "ecSign"                    }, /* 239 */
+ {          0x01,             241, 0,  5, "ecSignWithsha1"            }, /* 240 */
+ {          0x02,             242, 0,  5, "ecSignWithripemd160"       }, /* 241 */
+ {          0x03,             243, 0,  5, "ecSignWithmd2"             }, /* 242 */
+ {          0x04,             244, 0,  5, "ecSignWithmd5"             }, /* 243 */
+ {          0x05,             261, 1,  5, "ttt-ecg"                   }, /* 244 */
+ {            0x01,           249, 1,  6, "fieldType"                 }, /* 245 */
+ {              0x01,           0, 1,  7, "characteristictwoField"    }, /* 246 */
+ {                0x01,         0, 1,  8, "basisType"                 }, /* 247 */
+ {                  0x01,       0, 0,  9, "ipBasis"                   }, /* 248 */
+ {            0x02,           251, 1,  6, "keyType"                   }, /* 249 */
+ {              0x01,           0, 0,  7, "ecgPublicKey"              }, /* 250 */
+ {            0x03,           252, 0,  6, "curve"                     }, /* 251 */
+ {            0x04,           259, 1,  6, "signatures"                }, /* 252 */
+ {              0x01,         254, 0,  7, "ecgdsa-with-RIPEMD160"     }, /* 253 */
+ {              0x02,         255, 0,  7, "ecgdsa-with-SHA1"          }, /* 254 */
+ {              0x03,         256, 0,  7, "ecgdsa-with-SHA224"        }, /* 255 */
+ {              0x04,         257, 0,  7, "ecgdsa-with-SHA256"        }, /* 256 */
+ {              0x05,         258, 0,  7, "ecgdsa-with-SHA384"        }, /* 257 */
+ {              0x06,           0, 0,  7, "ecgdsa-with-SHA512"        }, /* 258 */
+ {            0x05,             0, 1,  6, "module"                    }, /* 259 */
+ {              0x01,           0, 0,  7, "1"                         }, /* 260 */
+ {          0x08,               0, 1,  5, "ecStdCurvesAndGeneration"  }, /* 261 */
+ {            0x01,             0, 1,  6, "ellipticCurve"             }, /* 262 */
+ {              0x01,           0, 1,  7, "versionOne"                }, /* 263 */
+ {                0x01,       265, 0,  8, "brainpoolP160r1"           }, /* 264 */
+ {                0x02,       266, 0,  8, "brainpoolP160t1"           }, /* 265 */
+ {                0x03,       267, 0,  8, "brainpoolP192r1"           }, /* 266 */
+ {                0x04,       268, 0,  8, "brainpoolP192t1"           }, /* 267 */
+ {                0x05,       269, 0,  8, "brainpoolP224r1"           }, /* 268 */
+ {                0x06,       270, 0,  8, "brainpoolP224t1"           }, /* 269 */
+ {                0x07,       271, 0,  8, "brainpoolP256r1"           }, /* 270 */
+ {                0x08,       272, 0,  8, "brainpoolP256t1"           }, /* 271 */
+ {                0x09,       273, 0,  8, "brainpoolP320r1"           }, /* 272 */
+ {                0x0A,       274, 0,  8, "brainpoolP320t1"           }, /* 273 */
+ {                0x0B,       275, 0,  8, "brainpoolP384r1"           }, /* 274 */
+ {                0x0C,       276, 0,  8, "brainpoolP384t1"           }, /* 275 */
+ {                0x0D,       277, 0,  8, "brainpoolP512r1"           }, /* 276 */
+ {                0x0E,         0, 0,  8, "brainpoolP512t1"           }, /* 277 */
+ {  0x81,                       0, 1,  1, ""                          }, /* 278 */
+ {    0x04,                     0, 1,  2, "Certicom"                  }, /* 279 */
+ {      0x00,                   0, 1,  3, "curve"                     }, /* 280 */
+ {        0x01,               282, 0,  4, "sect163k1"                 }, /* 281 */
+ {        0x02,               283, 0,  4, "sect163r1"                 }, /* 282 */
+ {        0x03,               284, 0,  4, "sect239k1"                 }, /* 283 */
+ {        0x04,               285, 0,  4, "sect113r1"                 }, /* 284 */
+ {        0x05,               286, 0,  4, "sect113r2"                 }, /* 285 */
+ {        0x06,               287, 0,  4, "secp112r1"                 }, /* 286 */
+ {        0x07,               288, 0,  4, "secp112r2"                 }, /* 287 */
+ {        0x08,               289, 0,  4, "secp160r1"                 }, /* 288 */
+ {        0x09,               290, 0,  4, "secp160k1"                 }, /* 289 */
+ {        0x0A,               291, 0,  4, "secp256k1"                 }, /* 290 */
+ {        0x0F,               292, 0,  4, "sect163r2"                 }, /* 291 */
+ {        0x10,               293, 0,  4, "sect283k1"                 }, /* 292 */
+ {        0x11,               294, 0,  4, "sect283r1"                 }, /* 293 */
+ {        0x16,               295, 0,  4, "sect131r1"                 }, /* 294 */
+ {        0x17,               296, 0,  4, "sect131r2"                 }, /* 295 */
+ {        0x18,               297, 0,  4, "sect193r1"                 }, /* 296 */
+ {        0x19,               298, 0,  4, "sect193r2"                 }, /* 297 */
+ {        0x1A,               299, 0,  4, "sect233k1"                 }, /* 298 */
+ {        0x1B,               300, 0,  4, "sect233r1"                 }, /* 299 */
+ {        0x1C,               301, 0,  4, "secp128r1"                 }, /* 300 */
+ {        0x1D,               302, 0,  4, "secp128r2"                 }, /* 301 */
+ {        0x1E,               303, 0,  4, "secp160r2"                 }, /* 302 */
+ {        0x1F,               304, 0,  4, "secp192k1"                 }, /* 303 */
+ {        0x20,               305, 0,  4, "secp224k1"                 }, /* 304 */
+ {        0x21,               306, 0,  4, "secp224r1"                 }, /* 305 */
+ {        0x22,               307, 0,  4, "secp384r1"                 }, /* 306 */
+ {        0x23,               308, 0,  4, "secp521r1"                 }, /* 307 */
+ {        0x24,               309, 0,  4, "sect409k1"                 }, /* 308 */
+ {        0x25,               310, 0,  4, "sect409r1"                 }, /* 309 */
+ {        0x26,               311, 0,  4, "sect571k1"                 }, /* 310 */
+ {        0x27,                 0, 0,  4, "sect571r1"                 }, /* 311 */
+ {0x60,                         0, 1,  0, ""                          }, /* 312 */
+ {  0x86,                       0, 1,  1, ""                          }, /* 313 */
+ {    0x48,                     0, 1,  2, ""                          }, /* 314 */
+ {      0x01,                   0, 1,  3, "organization"              }, /* 315 */
+ {        0x65,               334, 1,  4, "gov"                       }, /* 316 */
+ {          0x03,               0, 1,  5, "csor"                      }, /* 317 */
+ {            0x04,             0, 1,  6, "nistalgorithm"             }, /* 318 */
+ {              0x01,         329, 1,  7, "aes"                       }, /* 319 */
+ {                0x02,       321, 0,  8, "id-aes128-CBC"             }, /* 320 */
+ {                0x06,       322, 0,  8, "id-aes128-GCM"             }, /* 321 */
+ {                0x07,       323, 0,  8, "id-aes128-CCM"             }, /* 322 */
+ {                0x16,       324, 0,  8, "id-aes192-CBC"             }, /* 323 */
+ {                0x1A,       325, 0,  8, "id-aes192-GCM"             }, /* 324 */
+ {                0x1B,       326, 0,  8, "id-aes192-CCM"             }, /* 325 */
+ {                0x2A,       327, 0,  8, "id-aes256-CBC"             }, /* 326 */
+ {                0x2E,       328, 0,  8, "id-aes256-GCM"             }, /* 327 */
+ {                0x2F,         0, 0,  8, "id-aes256-CCM"             }, /* 328 */
+ {              0x02,           0, 1,  7, "hashalgs"                  }, /* 329 */
+ {                0x01,       331, 0,  8, "id-SHA-256"                }, /* 330 */
+ {                0x02,       332, 0,  8, "id-SHA-384"                }, /* 331 */
+ {                0x03,       333, 0,  8, "id-SHA-512"                }, /* 332 */
+ {                0x04,         0, 0,  8, "id-SHA-224"                }, /* 333 */
+ {        0x86,                 0, 1,  4, ""                          }, /* 334 */
+ {          0xf8,               0, 1,  5, ""                          }, /* 335 */
+ {            0x42,           348, 1,  6, "netscape"                  }, /* 336 */
+ {              0x01,         343, 1,  7, ""                          }, /* 337 */
+ {                0x01,       339, 0,  8, "nsCertType"                }, /* 338 */
+ {                0x03,       340, 0,  8, "nsRevocationUrl"           }, /* 339 */
+ {                0x04,       341, 0,  8, "nsCaRevocationUrl"         }, /* 340 */
+ {                0x08,       342, 0,  8, "nsCaPolicyUrl"             }, /* 341 */
+ {                0x0d,         0, 0,  8, "nsComment"                 }, /* 342 */
+ {              0x03,         346, 1,  7, "directory"                 }, /* 343 */
+ {                0x01,         0, 1,  8, ""                          }, /* 344 */
+ {                  0x03,       0, 0,  9, "employeeNumber"            }, /* 345 */
+ {              0x04,           0, 1,  7, "policy"                    }, /* 346 */
+ {                0x01,         0, 0,  8, "nsSGC"                     }, /* 347 */
+ {            0x45,             0, 1,  6, "verisign"                  }, /* 348 */
+ {              0x01,           0, 1,  7, "pki"                       }, /* 349 */
+ {                0x09,         0, 1,  8, "attributes"                }, /* 350 */
+ {                  0x02,     352, 0,  9, "messageType"               }, /* 351 */
+ {                  0x03,     353, 0,  9, "pkiStatus"                 }, /* 352 */
+ {                  0x04,     354, 0,  9, "failInfo"                  }, /* 353 */
+ {                  0x05,     355, 0,  9, "senderNonce"               }, /* 354 */
+ {                  0x06,     356, 0,  9, "recipientNonce"            }, /* 355 */
+ {                  0x07,     357, 0,  9, "transID"                   }, /* 356 */
+ {                  0x08,     358, 0,  9, "extensionReq"              }, /* 357 */
+ {                  0x08,       0, 0,  9, "extensionReq"              }  /* 358 */
 };
diff --git a/src/libstrongswan/asn1/oid.h b/src/libstrongswan/asn1/oid.h
index 16c9e854b..b6ee9a10d 100644
--- a/src/libstrongswan/asn1/oid.h
+++ b/src/libstrongswan/asn1/oid.h
@@ -49,8 +49,11 @@ extern const oid_t oid_names[];
 #define OID_DELTA_CRL_INDICATOR				48
 #define OID_NAME_CONSTRAINTS				51
 #define OID_CRL_DISTRIBUTION_POINTS			52
+#define OID_CERTIFICATE_POLICIES			53
 #define OID_ANY_POLICY						54
+#define OID_POLICY_MAPPINGS					55
 #define OID_AUTHORITY_KEY_ID				56
+#define OID_POLICY_CONSTRAINTS				57
 #define OID_EXTENDED_KEY_USAGE				58
 #define OID_FRESHEST_CRL					60
 #define OID_INHIBIT_ANY_POLICY				61
@@ -117,92 +120,95 @@ extern const oid_t oid_names[];
 #define OID_ECDSA_WITH_SHA384				159
 #define OID_ECDSA_WITH_SHA512				160
 #define OID_USER_PRINCIPAL_NAME				175
-#define OID_TCGID							182
-#define OID_AUTHORITY_INFO_ACCESS			187
-#define OID_IP_ADDR_BLOCKS					189
-#define OID_SERVER_AUTH						194
-#define OID_CLIENT_AUTH						195
-#define OID_OCSP_SIGNING					202
-#define OID_XMPP_ADDR						204
-#define OID_AUTHENTICATION_INFO				206
-#define OID_ACCESS_IDENTITY					207
-#define OID_CHARGING_IDENTITY				208
-#define OID_GROUP							209
-#define OID_OCSP							212
-#define OID_BASIC							213
-#define OID_NONCE							214
-#define OID_CRL								215
-#define OID_RESPONSE						216
-#define OID_NO_CHECK						217
-#define OID_ARCHIVE_CUTOFF					218
-#define OID_SERVICE_LOCATOR					219
-#define OID_CA_ISSUERS						220
-#define OID_DES_CBC							226
-#define OID_SHA1							227
-#define OID_SHA1_WITH_RSA_OIW				228
-#define OID_ECGDSA_PUBKEY					247
-#define OID_ECGDSA_SIG_WITH_RIPEMD160		250
-#define OID_ECGDSA_SIG_WITH_SHA1			251
-#define OID_ECGDSA_SIG_WITH_SHA224			252
-#define OID_ECGDSA_SIG_WITH_SHA256			253
-#define OID_ECGDSA_SIG_WITH_SHA384			254
-#define OID_ECGDSA_SIG_WITH_SHA512			255
-#define OID_SECT163K1						278
-#define OID_SECT163R1						279
-#define OID_SECT239K1						280
-#define OID_SECT113R1						281
-#define OID_SECT113R2						282
-#define OID_SECT112R1						283
-#define OID_SECT112R2						284
-#define OID_SECT160R1						285
-#define OID_SECT160K1						286
-#define OID_SECT256K1						287
-#define OID_SECT163R2						288
-#define OID_SECT283K1						289
-#define OID_SECT283R1						290
-#define OID_SECT131R1						291
-#define OID_SECT131R2						292
-#define OID_SECT193R1						293
-#define OID_SECT193R2						294
-#define OID_SECT233K1						295
-#define OID_SECT233R1						296
-#define OID_SECT128R1						297
-#define OID_SECT128R2						298
-#define OID_SECT160R2						299
-#define OID_SECT192K1						300
-#define OID_SECT224K1						301
-#define OID_SECT224R1						302
-#define OID_SECT384R1						303
-#define OID_SECT521R1						304
-#define OID_SECT409K1						305
-#define OID_SECT409R1						306
-#define OID_SECT571K1						307
-#define OID_SECT571R1						308
-#define OID_AES128_CBC						317
-#define OID_AES128_GCM						318
-#define OID_AES128_CCM						319
-#define OID_AES192_CBC						320
-#define OID_AES192_GCM						321
-#define OID_AES192_CCM						322
-#define OID_AES256_CBC						323
-#define OID_AES256_GCM						324
-#define OID_AES256_CCM						325
-#define OID_SHA256							327
-#define OID_SHA384							328
-#define OID_SHA512							329
-#define OID_SHA224							330
-#define OID_NS_REVOCATION_URL				336
-#define OID_NS_CA_REVOCATION_URL			337
-#define OID_NS_CA_POLICY_URL				338
-#define OID_NS_COMMENT						339
-#define OID_EMPLOYEE_NUMBER					342
-#define OID_PKI_MESSAGE_TYPE				348
-#define OID_PKI_STATUS						349
-#define OID_PKI_FAIL_INFO					350
-#define OID_PKI_SENDER_NONCE				351
-#define OID_PKI_RECIPIENT_NONCE				352
-#define OID_PKI_TRANS_ID					353
+#define OID_STRONGSWAN						178
+#define OID_TCGID							185
+#define OID_AUTHORITY_INFO_ACCESS			190
+#define OID_IP_ADDR_BLOCKS					192
+#define OID_POLICY_QUALIFIER_CPS			194
+#define OID_POLICY_QUALIFIER_UNOTICE		195
+#define OID_SERVER_AUTH						197
+#define OID_CLIENT_AUTH						198
+#define OID_OCSP_SIGNING					205
+#define OID_XMPP_ADDR						207
+#define OID_AUTHENTICATION_INFO				209
+#define OID_ACCESS_IDENTITY					210
+#define OID_CHARGING_IDENTITY				211
+#define OID_GROUP							212
+#define OID_OCSP							215
+#define OID_BASIC							216
+#define OID_NONCE							217
+#define OID_CRL								218
+#define OID_RESPONSE						219
+#define OID_NO_CHECK						220
+#define OID_ARCHIVE_CUTOFF					221
+#define OID_SERVICE_LOCATOR					222
+#define OID_CA_ISSUERS						223
+#define OID_DES_CBC							229
+#define OID_SHA1							230
+#define OID_SHA1_WITH_RSA_OIW				231
+#define OID_ECGDSA_PUBKEY					250
+#define OID_ECGDSA_SIG_WITH_RIPEMD160		253
+#define OID_ECGDSA_SIG_WITH_SHA1			254
+#define OID_ECGDSA_SIG_WITH_SHA224			255
+#define OID_ECGDSA_SIG_WITH_SHA256			256
+#define OID_ECGDSA_SIG_WITH_SHA384			257
+#define OID_ECGDSA_SIG_WITH_SHA512			258
+#define OID_SECT163K1						281
+#define OID_SECT163R1						282
+#define OID_SECT239K1						283
+#define OID_SECT113R1						284
+#define OID_SECT113R2						285
+#define OID_SECT112R1						286
+#define OID_SECT112R2						287
+#define OID_SECT160R1						288
+#define OID_SECT160K1						289
+#define OID_SECT256K1						290
+#define OID_SECT163R2						291
+#define OID_SECT283K1						292
+#define OID_SECT283R1						293
+#define OID_SECT131R1						294
+#define OID_SECT131R2						295
+#define OID_SECT193R1						296
+#define OID_SECT193R2						297
+#define OID_SECT233K1						298
+#define OID_SECT233R1						299
+#define OID_SECT128R1						300
+#define OID_SECT128R2						301
+#define OID_SECT160R2						302
+#define OID_SECT192K1						303
+#define OID_SECT224K1						304
+#define OID_SECT224R1						305
+#define OID_SECT384R1						306
+#define OID_SECT521R1						307
+#define OID_SECT409K1						308
+#define OID_SECT409R1						309
+#define OID_SECT571K1						310
+#define OID_SECT571R1						311
+#define OID_AES128_CBC						320
+#define OID_AES128_GCM						321
+#define OID_AES128_CCM						322
+#define OID_AES192_CBC						323
+#define OID_AES192_GCM						324
+#define OID_AES192_CCM						325
+#define OID_AES256_CBC						326
+#define OID_AES256_GCM						327
+#define OID_AES256_CCM						328
+#define OID_SHA256							330
+#define OID_SHA384							331
+#define OID_SHA512							332
+#define OID_SHA224							333
+#define OID_NS_REVOCATION_URL				339
+#define OID_NS_CA_REVOCATION_URL			340
+#define OID_NS_CA_POLICY_URL				341
+#define OID_NS_COMMENT						342
+#define OID_EMPLOYEE_NUMBER					345
+#define OID_PKI_MESSAGE_TYPE				351
+#define OID_PKI_STATUS						352
+#define OID_PKI_FAIL_INFO					353
+#define OID_PKI_SENDER_NONCE				354
+#define OID_PKI_RECIPIENT_NONCE				355
+#define OID_PKI_TRANS_ID					356
 
-#define OID_MAX								356
+#define OID_MAX								359
 
 #endif /* OID_H_ */
diff --git a/src/libstrongswan/asn1/oid.txt b/src/libstrongswan/asn1/oid.txt
index 36db0299c..e2931c7dd 100644
--- a/src/libstrongswan/asn1/oid.txt
+++ b/src/libstrongswan/asn1/oid.txt
@@ -51,11 +51,11 @@
     0x1D                     "certificateIssuer"
     0x1E                     "nameConstraints"			OID_NAME_CONSTRAINTS
     0x1F                     "crlDistributionPoints"	OID_CRL_DISTRIBUTION_POINTS
-    0x20                     "certificatePolicies"
+    0x20                     "certificatePolicies"		OID_CERTIFICATE_POLICIES
       0x00                   "anyPolicy"				OID_ANY_POLICY
-    0x21                     "policyMappings"
+    0x21                     "policyMappings"			OID_POLICY_MAPPINGS
     0x23                     "authorityKeyIdentifier"	OID_AUTHORITY_KEY_ID
-    0x24                     "policyConstraints"
+    0x24                     "policyConstraints"		OID_POLICY_CONSTRAINTS
     0x25                     "extendedKeyUsage"			OID_EXTENDED_KEY_USAGE
       0x00                   "anyExtendedKeyUsage"
     0x2E                     "freshestCRL"				OID_FRESHEST_CRL
@@ -124,7 +124,7 @@
             0x01             "id-ecPublicKey"			OID_EC_PUBLICKEY
           0x03               "ellipticCurve"
             0x00             "c-TwoCurve"
-              0x01           "c2pnb163v1"               OID_C2PNB163V1
+              0x01           "c2pnb163v1"				OID_C2PNB163V1
               0x02           "c2pnb163v2"				OID_C2PNB163V2
               0x03           "c2pnb163v3"				OID_C2PNB163V3
               0x04           "c2pnb176w1"				OID_C2PNB176W1
@@ -174,13 +174,16 @@
                 0x02         "msCertificateTypeExtension"
                   0x02       "msSmartcardLogon"
                   0x03       "msUPN"					OID_USER_PRINCIPAL_NAME
+            0xA0             ""
+              0x2A           "ITA"
+                0x01         "strongSwan"				OID_STRONGSWAN
           0x89               ""
             0x31             ""
               0x01           ""
                 0x01         ""
                   0x02       ""
                     0x02     ""
-                    0x4B     "TCGID"					OID_TCGID
+                      0x4B   "TCGID"					OID_TCGID
       0x05                   "security"
         0x05                 "mechanisms"
           0x07               "id-pkix"
@@ -189,8 +192,8 @@
               0x03           "qcStatements"
               0x07           "ipAddrBlocks"				OID_IP_ADDR_BLOCKS
             0x02             "id-qt"
-              0x01           "cps"
-              0x02           "unotice"
+              0x01           "cps"						OID_POLICY_QUALIFIER_CPS
+              0x02           "unotice"					OID_POLICY_QUALIFIER_UNOTICE
             0x03             "id-kp"
               0x01           "serverAuth"				OID_SERVER_AUTH
               0x02           "clientAuth"				OID_CLIENT_AUTH
diff --git a/src/libstrongswan/credentials/auth_cfg.c b/src/libstrongswan/credentials/auth_cfg.c
index ce718b9cb..23a3f62d9 100644
--- a/src/libstrongswan/credentials/auth_cfg.c
+++ b/src/libstrongswan/credentials/auth_cfg.c
@@ -131,11 +131,13 @@ static void destroy_entry_value(entry_t *entry)
 		case AUTH_RULE_SUBJECT_CERT:
 		case AUTH_HELPER_IM_CERT:
 		case AUTH_HELPER_SUBJECT_CERT:
+		case AUTH_HELPER_REVOCATION_CERT:
 		{
 			certificate_t *cert = (certificate_t*)entry->value;
 			cert->destroy(cert);
 			break;
 		}
+		case AUTH_RULE_CERT_POLICY:
 		case AUTH_HELPER_IM_HASH_URL:
 		case AUTH_HELPER_SUBJECT_HASH_URL:
 		{
@@ -147,6 +149,8 @@ static void destroy_entry_value(entry_t *entry)
 		case AUTH_RULE_EAP_VENDOR:
 		case AUTH_RULE_CRL_VALIDATION:
 		case AUTH_RULE_OCSP_VALIDATION:
+		case AUTH_RULE_RSA_STRENGTH:
+		case AUTH_RULE_ECDSA_STRENGTH:
 			break;
 	}
 }
@@ -172,6 +176,8 @@ static void replace(auth_cfg_t *this, entry_enumerator_t *enumerator,
 			case AUTH_RULE_EAP_VENDOR:
 			case AUTH_RULE_CRL_VALIDATION:
 			case AUTH_RULE_OCSP_VALIDATION:
+			case AUTH_RULE_RSA_STRENGTH:
+			case AUTH_RULE_ECDSA_STRENGTH:
 				/* integer type */
 				enumerator->current->value = (void*)(uintptr_t)va_arg(args, u_int);
 				break;
@@ -182,10 +188,12 @@ static void replace(auth_cfg_t *this, entry_enumerator_t *enumerator,
 			case AUTH_RULE_CA_CERT:
 			case AUTH_RULE_IM_CERT:
 			case AUTH_RULE_SUBJECT_CERT:
+			case AUTH_RULE_CERT_POLICY:
 			case AUTH_HELPER_IM_CERT:
 			case AUTH_HELPER_SUBJECT_CERT:
 			case AUTH_HELPER_IM_HASH_URL:
 			case AUTH_HELPER_SUBJECT_HASH_URL:
+			case AUTH_HELPER_REVOCATION_CERT:
 				/* pointer type */
 				enumerator->current->value = va_arg(args, void*);
 				break;
@@ -237,6 +245,8 @@ static void* get(private_auth_cfg_t *this, auth_rule_t type)
 		case AUTH_RULE_EAP_TYPE:
 			return (void*)EAP_NAK;
 		case AUTH_RULE_EAP_VENDOR:
+		case AUTH_RULE_RSA_STRENGTH:
+		case AUTH_RULE_ECDSA_STRENGTH:
 			return (void*)0;
 		case AUTH_RULE_CRL_VALIDATION:
 		case AUTH_RULE_OCSP_VALIDATION:
@@ -248,10 +258,12 @@ static void* get(private_auth_cfg_t *this, auth_rule_t type)
 		case AUTH_RULE_CA_CERT:
 		case AUTH_RULE_IM_CERT:
 		case AUTH_RULE_SUBJECT_CERT:
+		case AUTH_RULE_CERT_POLICY:
 		case AUTH_HELPER_IM_CERT:
 		case AUTH_HELPER_SUBJECT_CERT:
 		case AUTH_HELPER_IM_HASH_URL:
 		case AUTH_HELPER_SUBJECT_HASH_URL:
+		case AUTH_HELPER_REVOCATION_CERT:
 		default:
 			return NULL;
 	}
@@ -274,6 +286,8 @@ static void add(private_auth_cfg_t *this, auth_rule_t type, ...)
 		case AUTH_RULE_EAP_VENDOR:
 		case AUTH_RULE_CRL_VALIDATION:
 		case AUTH_RULE_OCSP_VALIDATION:
+		case AUTH_RULE_RSA_STRENGTH:
+		case AUTH_RULE_ECDSA_STRENGTH:
 			/* integer type */
 			entry->value = (void*)(uintptr_t)va_arg(args, u_int);
 			break;
@@ -284,10 +298,12 @@ static void add(private_auth_cfg_t *this, auth_rule_t type, ...)
 		case AUTH_RULE_CA_CERT:
 		case AUTH_RULE_IM_CERT:
 		case AUTH_RULE_SUBJECT_CERT:
+		case AUTH_RULE_CERT_POLICY:
 		case AUTH_HELPER_IM_CERT:
 		case AUTH_HELPER_SUBJECT_CERT:
 		case AUTH_HELPER_IM_HASH_URL:
 		case AUTH_HELPER_SUBJECT_HASH_URL:
+		case AUTH_HELPER_REVOCATION_CERT:
 			/* pointer type */
 			entry->value = va_arg(args, void*);
 			break;
@@ -358,38 +374,45 @@ static bool complies(private_auth_cfg_t *this, auth_cfg_t *constraints,
 			case AUTH_RULE_CRL_VALIDATION:
 			case AUTH_RULE_OCSP_VALIDATION:
 			{
-				cert_validation_t validated, required;
+				uintptr_t validated;
 
-				required = (uintptr_t)value;
-				validated = (uintptr_t)get(this, t1);
-				switch (required)
+				e2 = create_enumerator(this);
+				while (e2->enumerate(e2, &t2, &validated))
 				{
-					case VALIDATION_FAILED:
-						/* no constraint */
-						break;
-					case VALIDATION_SKIPPED:
-						if (validated == VALIDATION_SKIPPED)
-						{
-							break;
-						}
-						/* FALL */
-					case VALIDATION_GOOD:
-						if (validated == VALIDATION_GOOD)
-						{
-							break;
-						}
-						/* FALL */
-					default:
-						success = FALSE;
-						if (log_error)
+					if (t2 == t1)
+					{
+						switch ((uintptr_t)value)
 						{
-							DBG1(DBG_CFG, "constraint check failed: %N is %N, "
-								 "but requires at least %N", auth_rule_names,
-								 t1, cert_validation_names, validated,
-								 cert_validation_names, required);
+							case VALIDATION_FAILED:
+								/* no constraint */
+								break;
+							case VALIDATION_SKIPPED:
+								if (validated == VALIDATION_SKIPPED)
+								{
+									break;
+								}
+								/* FALL */
+							case VALIDATION_GOOD:
+								if (validated == VALIDATION_GOOD)
+								{
+									break;
+								}
+								/* FALL */
+							default:
+								success = FALSE;
+								if (log_error)
+								{
+									DBG1(DBG_CFG, "constraint check failed: "
+										 "%N is %N, but requires at least %N",
+										 auth_rule_names, t1,
+										 cert_validation_names, validated,
+										 cert_validation_names, (uintptr_t)value);
+								}
+								break;
 						}
-						break;
+					}
 				}
+				e2->destroy(e2);
 				break;
 			}
 			case AUTH_RULE_IDENTITY:
@@ -473,10 +496,76 @@ static bool complies(private_auth_cfg_t *this, auth_cfg_t *constraints,
 				e2->destroy(e2);
 				break;
 			}
+			case AUTH_RULE_RSA_STRENGTH:
+			case AUTH_RULE_ECDSA_STRENGTH:
+			{
+				uintptr_t strength;
+
+				e2 = create_enumerator(this);
+				while (e2->enumerate(e2, &t2, &strength))
+				{
+					if (t2 == t1)
+					{
+						if ((uintptr_t)value > strength)
+						{
+							success = FALSE;
+							if (log_error)
+							{
+								DBG1(DBG_CFG, "constraint requires %d bit "
+									 "public keys, but %d bit key used",
+									 (uintptr_t)value, strength);
+							}
+						}
+					}
+					else if (t2 == AUTH_RULE_RSA_STRENGTH)
+					{
+						success = FALSE;
+						if (log_error)
+						{
+							DBG1(DBG_CFG, "constraint requires %d bit ECDSA, "
+								 "but RSA used", (uintptr_t)value);
+						}
+					}
+					else if (t2 == AUTH_RULE_ECDSA_STRENGTH)
+					{
+						success = FALSE;
+						if (log_error)
+						{
+							DBG1(DBG_CFG, "constraint requires %d bit RSA, "
+								 "but ECDSA used", (uintptr_t)value);
+						}
+					}
+				}
+				e2->destroy(e2);
+				break;
+			}
+			case AUTH_RULE_CERT_POLICY:
+			{
+				char *oid1, *oid2;
+
+				oid1 = (char*)value;
+				success = FALSE;
+				e2 = create_enumerator(this);
+				while (e2->enumerate(e2, &t2, &oid2))
+				{
+					if (t2 == t1 && streq(oid1, oid2))
+					{
+						success = TRUE;
+						break;
+					}
+				}
+				e2->destroy(e2);
+				if (!success && log_error)
+				{
+					DBG1(DBG_CFG, "constraint requires cert policy %s", oid1);
+				}
+				break;
+			}
 			case AUTH_HELPER_IM_CERT:
 			case AUTH_HELPER_SUBJECT_CERT:
 			case AUTH_HELPER_IM_HASH_URL:
 			case AUTH_HELPER_SUBJECT_HASH_URL:
+			case AUTH_HELPER_REVOCATION_CERT:
 				/* skip helpers */
 				continue;
 		}
@@ -523,6 +612,7 @@ static void merge(private_auth_cfg_t *this, private_auth_cfg_t *other, bool copy
 				case AUTH_RULE_SUBJECT_CERT:
 				case AUTH_HELPER_IM_CERT:
 				case AUTH_HELPER_SUBJECT_CERT:
+				case AUTH_HELPER_REVOCATION_CERT:
 				{
 					certificate_t *cert = (certificate_t*)value;
 
@@ -534,6 +624,8 @@ static void merge(private_auth_cfg_t *this, private_auth_cfg_t *other, bool copy
 				case AUTH_RULE_AUTH_CLASS:
 				case AUTH_RULE_EAP_TYPE:
 				case AUTH_RULE_EAP_VENDOR:
+				case AUTH_RULE_RSA_STRENGTH:
+				case AUTH_RULE_ECDSA_STRENGTH:
 				{
 					add(this, type, (uintptr_t)value);
 					break;
@@ -548,6 +640,7 @@ static void merge(private_auth_cfg_t *this, private_auth_cfg_t *other, bool copy
 					add(this, type, id->clone(id));
 					break;
 				}
+				case AUTH_RULE_CERT_POLICY:
 				case AUTH_HELPER_IM_HASH_URL:
 				case AUTH_HELPER_SUBJECT_HASH_URL:
 				{
@@ -600,6 +693,8 @@ static bool equals(private_auth_cfg_t *this, private_auth_cfg_t *other)
 					case AUTH_RULE_EAP_VENDOR:
 					case AUTH_RULE_CRL_VALIDATION:
 					case AUTH_RULE_OCSP_VALIDATION:
+					case AUTH_RULE_RSA_STRENGTH:
+					case AUTH_RULE_ECDSA_STRENGTH:
 					{
 						if (i1->value == i2->value)
 						{
@@ -613,6 +708,7 @@ static bool equals(private_auth_cfg_t *this, private_auth_cfg_t *other)
 					case AUTH_RULE_SUBJECT_CERT:
 					case AUTH_HELPER_IM_CERT:
 					case AUTH_HELPER_SUBJECT_CERT:
+					case AUTH_HELPER_REVOCATION_CERT:
 					{
 						certificate_t *c1, *c2;
 
@@ -643,6 +739,7 @@ static bool equals(private_auth_cfg_t *this, private_auth_cfg_t *other)
 						}
 						continue;
 					}
+					case AUTH_RULE_CERT_POLICY:
 					case AUTH_HELPER_IM_HASH_URL:
 					case AUTH_HELPER_SUBJECT_HASH_URL:
 					{
@@ -725,11 +822,13 @@ static auth_cfg_t* clone_(private_auth_cfg_t *this)
 			case AUTH_RULE_SUBJECT_CERT:
 			case AUTH_HELPER_IM_CERT:
 			case AUTH_HELPER_SUBJECT_CERT:
+			case AUTH_HELPER_REVOCATION_CERT:
 			{
 				certificate_t *cert = (certificate_t*)entry->value;
 				clone->add(clone, entry->type, cert->get_ref(cert));
 				break;
 			}
+			case AUTH_RULE_CERT_POLICY:
 			case AUTH_HELPER_IM_HASH_URL:
 			case AUTH_HELPER_SUBJECT_HASH_URL:
 			{
@@ -741,6 +840,8 @@ static auth_cfg_t* clone_(private_auth_cfg_t *this)
 			case AUTH_RULE_EAP_VENDOR:
 			case AUTH_RULE_CRL_VALIDATION:
 			case AUTH_RULE_OCSP_VALIDATION:
+			case AUTH_RULE_RSA_STRENGTH:
+			case AUTH_RULE_ECDSA_STRENGTH:
 				clone->add(clone, entry->type, (uintptr_t)entry->value);
 				break;
 		}
diff --git a/src/libstrongswan/credentials/auth_cfg.h b/src/libstrongswan/credentials/auth_cfg.h
index 19624a2fe..489ce1134 100644
--- a/src/libstrongswan/credentials/auth_cfg.h
+++ b/src/libstrongswan/credentials/auth_cfg.h
@@ -90,6 +90,12 @@ enum auth_rule_t {
 	 * The group membership constraint is fulfilled if the subject is member of
 	 * one group defined in the constraints. */
 	AUTH_RULE_GROUP,
+	/** required RSA public key strength, u_int in bits */
+	AUTH_RULE_RSA_STRENGTH,
+	/** required ECDSA public key strength, u_int in bits */
+	AUTH_RULE_ECDSA_STRENGTH,
+	/** certificatePolicy constraint, numerical OID as char* */
+	AUTH_RULE_CERT_POLICY,
 
 	/** intermediate certificate, certificate_t* */
 	AUTH_HELPER_IM_CERT,
@@ -99,6 +105,8 @@ enum auth_rule_t {
 	AUTH_HELPER_IM_HASH_URL,
 	/** Hash and URL of a end-entity certificate, char* */
 	AUTH_HELPER_SUBJECT_HASH_URL,
+	/** revocation certificate (CRL, OCSP), certificate_t* */
+	AUTH_HELPER_REVOCATION_CERT,
 };
 
 /**
diff --git a/src/libstrongswan/credentials/builder.c b/src/libstrongswan/credentials/builder.c
index c43e5fd5d..f9a277a2c 100644
--- a/src/libstrongswan/credentials/builder.c
+++ b/src/libstrongswan/credentials/builder.c
@@ -43,8 +43,16 @@ ENUM(builder_part_names, BUILD_FROM_FILE, BUILD_END,
 	"BUILD_CRL_DISTRIBUTION_POINTS",
 	"BUILD_OCSP_ACCESS_LOCATIONS",
 	"BUILD_PATHLEN",
+	"BUILD_PERMITTED_NAME_CONSTRAINTS",
+	"BUILD_EXCLUDED_NAME_CONSTRAINTS",
+	"BUILD_CERTIFICATE_POLICIES",
+	"BUILD_POLICY_MAPPINGS",
+	"BUILD_POLICY_REQUIRE_EXPLICIT",
+	"BUILD_POLICY_INHIBIT_MAPPING",
+	"BUILD_POLICY_INHIBIT_ANY",
 	"BUILD_X509_FLAG",
 	"BUILD_REVOKED_ENUMERATOR",
+	"BUILD_BASE_CRL",
 	"BUILD_CHALLENGE_PWD",
 	"BUILD_PKCS11_MODULE",
 	"BUILD_PKCS11_SLOT",
diff --git a/src/libstrongswan/credentials/builder.h b/src/libstrongswan/credentials/builder.h
index dc87da2a4..325b668cd 100644
--- a/src/libstrongswan/credentials/builder.h
+++ b/src/libstrongswan/credentials/builder.h
@@ -87,16 +87,32 @@ enum builder_part_t {
 	BUILD_CA_CERT,
 	/** a certificate, certificate_t* */
 	BUILD_CERT,
-	/** CRL distribution point URIs, linked_list_t* containing char* */
+	/** CRL distribution point URIs, x509_cdp_t* */
 	BUILD_CRL_DISTRIBUTION_POINTS,
 	/** OCSP AuthorityInfoAccess locations, linked_list_t* containing char* */
 	BUILD_OCSP_ACCESS_LOCATIONS,
 	/** certificate path length constraint */
 	BUILD_PATHLEN,
+	/** permitted X509 name constraints, linked_list_t* of identification_t* */
+	BUILD_PERMITTED_NAME_CONSTRAINTS,
+	/** excluded X509 name constraints, linked_list_t* of identification_t* */
+	BUILD_EXCLUDED_NAME_CONSTRAINTS,
+	/** certificatePolicy OIDs, linked_list_t* of x509_cert_policy_t* */
+	BUILD_CERTIFICATE_POLICIES,
+	/** policyMapping OIDs, linked_list_t* of x509_policy_mapping_t* */
+	BUILD_POLICY_MAPPINGS,
+	/** requireExplicitPolicy constraint, int */
+	BUILD_POLICY_REQUIRE_EXPLICIT,
+	/** inhibitPolicyMapping constraint, int */
+	BUILD_POLICY_INHIBIT_MAPPING,
+	/** inhibitAnyPolicy constraint, int */
+	BUILD_POLICY_INHIBIT_ANY,
 	/** enforce an additional X509 flag, x509_flag_t */
 	BUILD_X509_FLAG,
 	/** enumerator_t over (chunk_t serial, time_t date, crl_reason_t reason) */
 	BUILD_REVOKED_ENUMERATOR,
+	/** Base CRL serial for a delta CRL, chunk_t, */
+	BUILD_BASE_CRL,
 	/** PKCS#10 challenge password */
 	BUILD_CHALLENGE_PWD,
 	/** friendly name of a PKCS#11 module, null terminated char* */
diff --git a/src/libstrongswan/credentials/cert_validator.h b/src/libstrongswan/credentials/cert_validator.h
index 1e67c23ab..733d9d612 100644
--- a/src/libstrongswan/credentials/cert_validator.h
+++ b/src/libstrongswan/credentials/cert_validator.h
@@ -40,12 +40,13 @@ struct cert_validator_t {
 	 * @param subject		subject certificate to check
 	 * @param issuer		issuer of subject
 	 * @param online		wheter to do online revocation checking
-	 * @param pathlen		the current length of the path up to the root CA
+	 * @param pathlen		the current length of the path bottom-up
+	 * @param anchor		is issuer trusted root anchor
 	 * @param auth			container for resulting authentication info
 	 */
 	bool (*validate)(cert_validator_t *this, certificate_t *subject,
-					 certificate_t *issuer, bool online, int pathlen,
-					 auth_cfg_t *auth);
+					 certificate_t *issuer, bool online, u_int pathlen,
+					 bool anchor, auth_cfg_t *auth);
 };
 
 #endif /** CERT_VALIDATOR_H_ @}*/
diff --git a/src/libstrongswan/credentials/certificates/crl.h b/src/libstrongswan/credentials/certificates/crl.h
index 9425311fb..2f3497474 100644
--- a/src/libstrongswan/credentials/certificates/crl.h
+++ b/src/libstrongswan/credentials/certificates/crl.h
@@ -71,6 +71,21 @@ struct crl_t {
 	 */
 	chunk_t (*get_authKeyIdentifier)(crl_t *this);
 
+	/**
+	 * Is this CRL a delta CRL?
+	 *
+	 * @param base_crl	gets to baseCrlNumber, if this is a delta CRL
+	 * @return			TRUE if delta CRL
+	 */
+	bool (*is_delta_crl)(crl_t *this, chunk_t *base_crl);
+
+	/**
+	 * Create an enumerator over Freshest CRL distribution points and issuers.
+	 *
+	 * @return			enumerator over x509_cdp_t
+	 */
+	enumerator_t* (*create_delta_crl_uri_enumerator)(crl_t *this);
+
 	/**
 	 * Create an enumerator over all revoked certificates.
 	 *
diff --git a/src/libstrongswan/credentials/certificates/x509.c b/src/libstrongswan/credentials/certificates/x509.c
deleted file mode 100644
index 66dc192c1..000000000
--- a/src/libstrongswan/credentials/certificates/x509.c
+++ /dev/null
@@ -1,28 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "x509.h"
-
-ENUM(x509_flag_names, X509_NONE, X509_IP_ADDR_BLOCKS,
-	"X509_NONE",
-	"X509_CA",
-	"X509_AA",
-	"X509_OCSP_SIGNER",
-	"X509_SERVER_AUTH",
-	"X509_CLIENT_AUTH",
-	"X509_SELF_SIGNED",
-	"X509_IP_ADDR_BLOCKS",
-);
-
diff --git a/src/libstrongswan/credentials/certificates/x509.h b/src/libstrongswan/credentials/certificates/x509.h
index 6e0a5002a..fec02dbad 100644
--- a/src/libstrongswan/credentials/certificates/x509.h
+++ b/src/libstrongswan/credentials/certificates/x509.h
@@ -24,10 +24,15 @@
 #include <utils/enumerator.h>
 #include <credentials/certificates/certificate.h>
 
-#define X509_NO_PATH_LEN_CONSTRAINT		-1
+/* constraints are currently restricted to the range 0..127 */
+#define X509_NO_CONSTRAINT	255
 
 typedef struct x509_t x509_t;
+typedef struct x509_cert_policy_t x509_cert_policy_t;
+typedef struct x509_policy_mapping_t x509_policy_mapping_t;
+typedef struct x509_cdp_t x509_cdp_t;
 typedef enum x509_flag_t x509_flag_t;
+typedef enum x509_constraint_t x509_constraint_t;
 
 /**
  * X.509 certificate flags.
@@ -49,12 +54,55 @@ enum x509_flag_t {
 	X509_SELF_SIGNED =		(1<<5),
 	/** cert has an ipAddrBlocks extension */
 	X509_IP_ADDR_BLOCKS =	(1<<6),
+	/** cert has CRL sign key usage */
+	X509_CRL_SIGN =			(1<<7),
 };
 
 /**
- * enum names for x509 flags
+ * Different numerical X.509 constraints.
  */
-extern enum_name_t *x509_flag_names;
+enum x509_constraint_t {
+	/** pathLenConstraint basicConstraints */
+	X509_PATH_LEN,
+	/** inhibitPolicyMapping policyConstraint */
+	X509_INHIBIT_POLICY_MAPPING,
+	/** requireExplicitPolicy policyConstraint */
+	X509_REQUIRE_EXPLICIT_POLICY,
+	/** inhibitAnyPolicy constraint */
+	X509_INHIBIT_ANY_POLICY,
+};
+
+/**
+ * X.509 certPolicy extension.
+ */
+struct x509_cert_policy_t {
+	/** OID of certPolicy */
+	chunk_t oid;
+	/** Certification Practice Statement URI qualifier */
+	char *cps_uri;
+	/** UserNotice Text qualifier */
+	char *unotice_text;
+};
+
+/**
+ * X.509 policyMapping extension
+ */
+struct x509_policy_mapping_t {
+	/** OID of issuerDomainPolicy */
+	chunk_t issuer;
+	/** OID of subjectDomainPolicy */
+	chunk_t subject;
+};
+
+/**
+ * X.509 CRL distributionPoint
+ */
+struct x509_cdp_t {
+	/** CDP URI, as string */
+	char *uri;
+	/** CRL issuer */
+	identification_t *issuer;
+};
 
 /**
  * X.509 certificate interface.
@@ -98,11 +146,12 @@ struct x509_t {
 	chunk_t (*get_authKeyIdentifier)(x509_t *this);
 
 	/**
-	 * Get an optional path length constraint.
+	 * Get a numerical X.509 constraint.
 	 *
-	 * @return			pathLenConstraint, -1 if no constraint exists
+	 * @param type		type of constraint to get
+	 * @return			constraint, X509_NO_CONSTRAINT if none found
 	 */
-	int (*get_pathLenConstraint)(x509_t *this);
+	u_int (*get_constraint)(x509_t *this, x509_constraint_t type);
 
 	/**
 	 * Create an enumerator over all subjectAltNames.
@@ -112,9 +161,9 @@ struct x509_t {
 	enumerator_t* (*create_subjectAltName_enumerator)(x509_t *this);
 
 	/**
-	 * Create an enumerator over all CRL URIs.
+	 * Create an enumerator over all CRL URIs and CRL Issuers.
 	 *
-	 * @return			enumerator over URIs as char*
+	 * @return			enumerator over x509_cdp_t
 	 */
 	enumerator_t* (*create_crl_uri_enumerator)(x509_t *this);
 
@@ -131,6 +180,30 @@ struct x509_t {
 	 * @return			enumerator over ipAddrBlocks as traffic_selector_t*
 	 */
 	enumerator_t* (*create_ipAddrBlock_enumerator)(x509_t *this);
+
+	/**
+	 * Create an enumerator over name constraints.
+	 *
+	 * @param perm		TRUE for permitted, FALSE for excluded subtrees
+	 * @return			enumerator over subtrees as identification_t
+	 */
+	enumerator_t* (*create_name_constraint_enumerator)(x509_t *this, bool perm);
+
+	/**
+	 * Create an enumerator over certificate policies.
+	 *
+	 * @return			enumerator over x509_cert_policy_t
+	 */
+	enumerator_t* (*create_cert_policy_enumerator)(x509_t *this);
+
+	/**
+	 * Create an enumerator over policy mappings.
+	 *
+	 * @return			enumerator over x509_policy_mapping
+	 */
+	enumerator_t* (*create_policy_mapping_enumerator)(x509_t *this);
+
+
 };
 
 #endif /** X509_H_ @}*/
diff --git a/src/libstrongswan/credentials/credential_manager.c b/src/libstrongswan/credentials/credential_manager.c
index 97e8d8887..27b97eab3 100644
--- a/src/libstrongswan/credentials/credential_manager.c
+++ b/src/libstrongswan/credentials/credential_manager.c
@@ -452,8 +452,8 @@ static void cache_queue(private_credential_manager_t *this)
  * check a certificate for its lifetime
  */
 static bool check_certificate(private_credential_manager_t *this,
-							  certificate_t *subject, certificate_t *issuer,
-							  bool online, int pathlen, auth_cfg_t *auth)
+				certificate_t *subject, certificate_t *issuer, bool online,
+				int pathlen, bool trusted, auth_cfg_t *auth)
 {
 	time_t not_before, not_after;
 	cert_validator_t *validator;
@@ -471,29 +471,12 @@ static bool check_certificate(private_credential_manager_t *this,
 			 &not_before, FALSE, &not_after, FALSE);
 		return FALSE;
 	}
-	if (issuer->get_type(issuer) == CERT_X509 &&
-		subject->get_type(subject) == CERT_X509)
-	{
-		int pathlen_constraint;
-		x509_t *x509;
-
-		/* check path length constraint */
-		x509 = (x509_t*)issuer;
-		pathlen_constraint = x509->get_pathLenConstraint(x509);
-		if (pathlen_constraint != X509_NO_PATH_LEN_CONSTRAINT &&
-			pathlen > pathlen_constraint)
-		{
-			DBG1(DBG_CFG, "path length of %d violates constraint of %d",
-				 pathlen, pathlen_constraint);
-			return FALSE;
-		}
-	}
 
 	enumerator = this->validators->create_enumerator(this->validators);
 	while (enumerator->enumerate(enumerator, &validator))
 	{
 		if (!validator->validate(validator, subject, issuer,
-								 online, pathlen, auth))
+								 online, pathlen, trusted, auth))
 		{
 			enumerator->destroy(enumerator);
 			return FALSE;
@@ -550,6 +533,37 @@ static certificate_t *get_issuer_cert(private_credential_manager_t *this,
 	return issuer;
 }
 
+/**
+ * Get the strength of certificate, add it to auth
+ */
+static void get_key_strength(certificate_t *cert, auth_cfg_t *auth)
+{
+	uintptr_t strength;
+	public_key_t *key;
+	key_type_t type;
+
+	key = cert->get_public_key(cert);
+	if (key)
+	{
+		type = key->get_type(key);
+		strength = key->get_keysize(key);
+		DBG2(DBG_CFG, "  certificate \"%Y\" key: %d bit %N",
+			 cert->get_subject(cert), strength, key_type_names, type);
+		switch (type)
+		{
+			case KEY_RSA:
+				auth->add(auth, AUTH_RULE_RSA_STRENGTH, strength);
+				break;
+			case KEY_ECDSA:
+				auth->add(auth, AUTH_RULE_ECDSA_STRENGTH, strength);
+				break;
+			default:
+				break;
+		}
+		key->destroy(key);
+	}
+}
+
 /**
  * try to verify the trust chain of subject, return TRUE if trusted
  */
@@ -562,7 +576,9 @@ static bool verify_trust_chain(private_credential_manager_t *this,
 	int pathlen;
 
 	auth = auth_cfg_create();
+	get_key_strength(subject, auth);
 	current = subject->get_ref(subject);
+	auth->add(auth, AUTH_RULE_SUBJECT_CERT, current->get_ref(current));
 
 	for (pathlen = 0; pathlen <= MAX_TRUST_PATH_LEN; pathlen++)
 	{
@@ -607,13 +623,17 @@ static bool verify_trust_chain(private_credential_manager_t *this,
 				break;
 			}
 		}
-		if (!check_certificate(this, current, issuer, online, pathlen,
-							   current == subject ? auth : NULL))
+		if (!check_certificate(this, current, issuer, online,
+							   pathlen, trusted, auth))
 		{
 			trusted = FALSE;
 			issuer->destroy(issuer);
 			break;
 		}
+		if (issuer)
+		{
+			get_key_strength(issuer, auth);
+		}
 		current->destroy(current);
 		current = issuer;
 		if (trusted)
@@ -636,6 +656,14 @@ static bool verify_trust_chain(private_credential_manager_t *this,
 	return trusted;
 }
 
+/**
+ * List find match function for certificates
+ */
+static bool cert_equals(certificate_t *a, certificate_t *b)
+{
+	return a->equals(a, b);
+}
+
 /**
  * enumerator for trusted certificates
  */
@@ -656,6 +684,8 @@ typedef struct {
 	certificate_t *pretrusted;
 	/** currently enumerating auth config */
 	auth_cfg_t *auth;
+	/** list of failed candidates */
+	linked_list_t *failed;
 } trusted_enumerator_t;
 
 METHOD(enumerator_t, trusted_enumerate, bool,
@@ -683,11 +713,14 @@ METHOD(enumerator_t, trusted_enumerate, bool,
 				verify_trust_chain(this->this, this->pretrusted, this->auth,
 								   TRUE, this->online))
 			{
-				this->auth->add(this->auth, AUTH_RULE_SUBJECT_CERT,
-								this->pretrusted->get_ref(this->pretrusted));
 				DBG1(DBG_CFG, "  using trusted certificate \"%Y\"",
 					 this->pretrusted->get_subject(this->pretrusted));
 				*cert = this->pretrusted;
+				if (!this->auth->get(this->auth, AUTH_RULE_SUBJECT_CERT))
+				{	/* add cert to auth info, if not returned by trustchain */
+					this->auth->add(this->auth, AUTH_RULE_SUBJECT_CERT,
+									this->pretrusted->get_ref(this->pretrusted));
+				}
 				if (auth)
 				{
 					*auth = this->auth;
@@ -705,6 +738,12 @@ METHOD(enumerator_t, trusted_enumerate, bool,
 			continue;
 		}
 
+		if (this->failed->find_first(this->failed, (void*)cert_equals,
+									 NULL, current) == SUCCESS)
+		{	/* check each candidate only once */
+			continue;
+		}
+
 		DBG1(DBG_CFG, "  using certificate \"%Y\"",
 			 current->get_subject(current));
 		if (verify_trust_chain(this->this, current, this->auth, FALSE,
@@ -717,6 +756,7 @@ METHOD(enumerator_t, trusted_enumerate, bool,
 			}
 			return TRUE;
 		}
+		this->failed->insert_last(this->failed, current->get_ref(current));
 	}
 	return FALSE;
 }
@@ -727,6 +767,7 @@ METHOD(enumerator_t, trusted_destroy, void,
 	DESTROY_IF(this->pretrusted);
 	DESTROY_IF(this->auth);
 	DESTROY_IF(this->candidates);
+	this->failed->destroy_offset(this->failed, offsetof(certificate_t, destroy));
 	free(this);
 }
 
@@ -745,6 +786,7 @@ METHOD(credential_manager_t, create_trusted_enumerator, enumerator_t*,
 		.type = type,
 		.id = id,
 		.online = online,
+		.failed = linked_list_create(),
 	);
 	return &enumerator->public;
 }
diff --git a/src/libstrongswan/credentials/sets/auth_cfg_wrapper.c b/src/libstrongswan/credentials/sets/auth_cfg_wrapper.c
index 5e8458616..225fabe31 100644
--- a/src/libstrongswan/credentials/sets/auth_cfg_wrapper.c
+++ b/src/libstrongswan/credentials/sets/auth_cfg_wrapper.c
@@ -132,7 +132,8 @@ static bool enumerate(wrapper_enumerator_t *this, certificate_t **cert)
 			}
 		}
 		else if (rule != AUTH_HELPER_SUBJECT_CERT &&
-				 rule != AUTH_HELPER_IM_CERT)
+				 rule != AUTH_HELPER_IM_CERT &&
+				 rule != AUTH_HELPER_REVOCATION_CERT)
 		{	/* handle only HELPER certificates */
 			continue;
 		}
diff --git a/src/libstrongswan/credentials/sets/mem_cred.c b/src/libstrongswan/credentials/sets/mem_cred.c
index c29a99f1f..e023e8443 100644
--- a/src/libstrongswan/credentials/sets/mem_cred.c
+++ b/src/libstrongswan/credentials/sets/mem_cred.c
@@ -1,4 +1,6 @@
 /*
+ * Copyright (C) 2010 Tobias Brunner
+ * Hochschule fuer Technik Rapperwsil
  * Copyright (C) 2010 Martin Willi
  * Copyright (C) 2010 revosec AG
  *
@@ -54,6 +56,11 @@ struct private_mem_cred_t {
 	 * List of shared keys, as shared_entry_t
 	 */
 	linked_list_t *shared;
+
+	/**
+	 * List of CDPs, as cdp_t
+	 */
+	linked_list_t *cdps;
 };
 
 /**
@@ -144,21 +151,104 @@ static bool certificate_equals(certificate_t *item, certificate_t *cert)
 	return item->equals(item, cert);
 }
 
+/**
+ * Add a certificate the the cache. Returns a reference to "cert" or a
+ * previously cached certificate that equals "cert".
+ */
+static certificate_t *add_cert_internal(private_mem_cred_t *this, bool trusted,
+										certificate_t *cert)
+{
+	certificate_t *cached;
+	this->lock->write_lock(this->lock);
+	if (this->untrusted->find_first(this->untrusted,
+									(linked_list_match_t)certificate_equals,
+									(void**)&cached, cert) == SUCCESS)
+	{
+		cert->destroy(cert);
+		cert = cached->get_ref(cached);
+	}
+	else
+	{
+		if (trusted)
+		{
+			this->trusted->insert_first(this->trusted, cert->get_ref(cert));
+		}
+		this->untrusted->insert_first(this->untrusted, cert->get_ref(cert));
+	}
+	this->lock->unlock(this->lock);
+	return cert;
+}
+
 METHOD(mem_cred_t, add_cert, void,
 	private_mem_cred_t *this, bool trusted, certificate_t *cert)
 {
+	certificate_t *cached = add_cert_internal(this, trusted, cert);
+	cached->destroy(cached);
+}
+
+METHOD(mem_cred_t, add_cert_ref, certificate_t*,
+	private_mem_cred_t *this, bool trusted, certificate_t *cert)
+{
+	return add_cert_internal(this, trusted, cert);
+}
+
+METHOD(mem_cred_t, add_crl, bool,
+	private_mem_cred_t *this, crl_t *crl)
+{
+	certificate_t *current, *cert = &crl->certificate;
+	enumerator_t *enumerator;
+	bool new = TRUE;
+
 	this->lock->write_lock(this->lock);
-	if (this->untrusted->find_last(this->untrusted,
-				(linked_list_match_t)certificate_equals, NULL, cert) != SUCCESS)
+	enumerator = this->untrusted->create_enumerator(this->untrusted);
+	while (enumerator->enumerate(enumerator, (void**)&current))
 	{
-		if (trusted)
+		if (current->get_type(current) == CERT_X509_CRL)
 		{
-			this->trusted->insert_last(this->trusted, cert->get_ref(cert));
+			bool found = FALSE;
+			crl_t *crl_c = (crl_t*)current;
+			chunk_t authkey = crl->get_authKeyIdentifier(crl);
+			chunk_t authkey_c = crl_c->get_authKeyIdentifier(crl_c);
+
+			/* compare authorityKeyIdentifiers if available */
+			if (chunk_equals(authkey, authkey_c))
+			{
+				found = TRUE;
+			}
+			else
+			{
+				identification_t *issuer = cert->get_issuer(cert);
+				identification_t *issuer_c = current->get_issuer(current);
+
+				/* otherwise compare issuer distinguished names */
+				if (issuer->equals(issuer, issuer_c))
+				{
+					found = TRUE;
+				}
+			}
+			if (found)
+			{
+				new = crl_is_newer(crl, crl_c);
+				if (new)
+				{
+					this->untrusted->remove_at(this->untrusted, enumerator);
+				}
+				else
+				{
+					cert->destroy(cert);
+				}
+				break;
+			}
 		}
-		this->untrusted->insert_last(this->untrusted, cert->get_ref(cert));
 	}
-	cert->destroy(cert);
+	enumerator->destroy(enumerator);
+
+	if (new)
+	{
+		this->untrusted->insert_first(this->untrusted, cert);
+	}
 	this->lock->unlock(this->lock);
+	return new;
 }
 
 /**
@@ -218,7 +308,7 @@ METHOD(mem_cred_t, add_key, void,
 	private_mem_cred_t *this, private_key_t *key)
 {
 	this->lock->write_lock(this->lock);
-	this->keys->insert_last(this->keys, key);
+	this->keys->insert_first(this->keys, key);
 	this->lock->unlock(this->lock);
 }
 
@@ -342,32 +432,137 @@ METHOD(credential_set_t, create_shared_enumerator, enumerator_t*,
 						(void*)shared_filter, data, (void*)shared_data_destroy);
 }
 
-METHOD(mem_cred_t, add_shared, void,
-	private_mem_cred_t *this, shared_key_t *shared, ...)
+METHOD(mem_cred_t, add_shared_list, void,
+	private_mem_cred_t *this, shared_key_t *shared, linked_list_t* owners)
 {
 	shared_entry_t *entry;
-	identification_t *id;
-	va_list args;
 
 	INIT(entry,
 		.shared = shared,
-		.owners = linked_list_create(),
+		.owners = owners,
 	);
 
+	this->lock->write_lock(this->lock);
+	this->shared->insert_first(this->shared, entry);
+	this->lock->unlock(this->lock);
+}
+
+METHOD(mem_cred_t, add_shared, void,
+	private_mem_cred_t *this, shared_key_t *shared, ...)
+{
+	identification_t *id;
+	linked_list_t *owners = linked_list_create();
+	va_list args;
+
 	va_start(args, shared);
 	do
 	{
 		id = va_arg(args, identification_t*);
 		if (id)
 		{
-			entry->owners->insert_last(entry->owners, id);
+			owners->insert_first(owners, id);
 		}
 	}
 	while (id);
 	va_end(args);
 
+	add_shared_list(this, shared, owners);
+}
+
+/**
+ * Certificate distribution point
+ */
+typedef struct {
+	certificate_type_t type;
+	identification_t *id;
+	char *uri;
+} cdp_t;
+
+/**
+ * Destroy a CDP entry
+ */
+static void cdp_destroy(cdp_t *this)
+{
+	this->id->destroy(this->id);
+	free(this->uri);
+	free(this);
+}
+
+METHOD(mem_cred_t, add_cdp, void,
+	private_mem_cred_t *this, certificate_type_t type,
+	identification_t *id, char *uri)
+{
+	cdp_t *cdp;
+
+	INIT(cdp,
+		.type = type,
+		.id = id->clone(id),
+		.uri = strdup(uri),
+	);
+	this->lock->write_lock(this->lock);
+	this->cdps->insert_last(this->cdps, cdp);
+	this->lock->unlock(this->lock);
+}
+
+/**
+ * CDP enumerator data
+ */
+typedef struct {
+	certificate_type_t type;
+	identification_t *id;
+	rwlock_t *lock;
+} cdp_data_t;
+
+/**
+ * Clean up CDP enumerator data
+ */
+static void cdp_data_destroy(cdp_data_t *data)
+{
+	data->lock->unlock(data->lock);
+	free(data);
+}
+
+/**
+ * CDP enumerator filter
+ */
+static bool cdp_filter(cdp_data_t *data, cdp_t **cdp, char **uri)
+{
+	if (data->type != CERT_ANY && data->type != (*cdp)->type)
+	{
+		return FALSE;
+	}
+	if (data->id && !(*cdp)->id->matches((*cdp)->id, data->id))
+	{
+		return FALSE;
+	}
+	*uri = (*cdp)->uri;
+	return TRUE;
+}
+
+METHOD(credential_set_t, create_cdp_enumerator, enumerator_t*,
+	private_mem_cred_t *this, certificate_type_t type, identification_t *id)
+{
+	cdp_data_t *data;
+
+	INIT(data,
+		.type = type,
+		.id = id,
+		.lock = this->lock,
+	);
+	this->lock->read_lock(this->lock);
+	return enumerator_create_filter(this->cdps->create_enumerator(this->cdps),
+							(void*)cdp_filter, data, (void*)cdp_data_destroy);
+
+}
+
+METHOD(mem_cred_t, clear_secrets, void,
+	private_mem_cred_t *this)
+{
 	this->lock->write_lock(this->lock);
-	this->shared->insert_last(this->shared, entry);
+	this->keys->destroy_offset(this->keys, offsetof(private_key_t, destroy));
+	this->shared->destroy_function(this->shared, (void*)shared_entry_destroy);
+	this->keys = linked_list_create();
+	this->shared = linked_list_create();
 	this->lock->unlock(this->lock);
 }
 
@@ -379,13 +574,13 @@ METHOD(mem_cred_t, clear_, void,
 								  offsetof(certificate_t, destroy));
 	this->untrusted->destroy_offset(this->untrusted,
 									offsetof(certificate_t, destroy));
-	this->keys->destroy_offset(this->keys, offsetof(private_key_t, destroy));
-	this->shared->destroy_function(this->shared, (void*)shared_entry_destroy);
+	this->cdps->destroy_function(this->cdps, (void*)cdp_destroy);
 	this->trusted = linked_list_create();
 	this->untrusted = linked_list_create();
-	this->keys = linked_list_create();
-	this->shared = linked_list_create();
+	this->cdps = linked_list_create();
 	this->lock->unlock(this->lock);
+
+	clear_secrets(this);
 }
 
 METHOD(mem_cred_t, destroy, void,
@@ -396,6 +591,7 @@ METHOD(mem_cred_t, destroy, void,
 	this->untrusted->destroy(this->untrusted);
 	this->keys->destroy(this->keys);
 	this->shared->destroy(this->shared);
+	this->cdps->destroy(this->cdps);
 	this->lock->destroy(this->lock);
 	free(this);
 }
@@ -413,19 +609,25 @@ mem_cred_t *mem_cred_create()
 				.create_shared_enumerator = _create_shared_enumerator,
 				.create_private_enumerator = _create_private_enumerator,
 				.create_cert_enumerator = _create_cert_enumerator,
-				.create_cdp_enumerator  = (void*)return_null,
+				.create_cdp_enumerator  = _create_cdp_enumerator,
 				.cache_cert = (void*)nop,
 			},
 			.add_cert = _add_cert,
+			.add_cert_ref = _add_cert_ref,
+			.add_crl = _add_crl,
 			.add_key = _add_key,
 			.add_shared = _add_shared,
+			.add_shared_list = _add_shared_list,
+			.add_cdp = _add_cdp,
 			.clear = _clear_,
+			.clear_secrets = _clear_secrets,
 			.destroy = _destroy,
 		},
 		.trusted = linked_list_create(),
 		.untrusted = linked_list_create(),
 		.keys = linked_list_create(),
 		.shared = linked_list_create(),
+		.cdps = linked_list_create(),
 		.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
 	);
 
diff --git a/src/libstrongswan/credentials/sets/mem_cred.h b/src/libstrongswan/credentials/sets/mem_cred.h
index b26e43d6c..eb46b065b 100644
--- a/src/libstrongswan/credentials/sets/mem_cred.h
+++ b/src/libstrongswan/credentials/sets/mem_cred.h
@@ -1,4 +1,6 @@
 /*
+ * Copyright (C) 2010 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
  * Copyright (C) 2010 Martin Willi
  * Copyright (C) 2010 revosec AG
  *
@@ -24,6 +26,8 @@
 typedef struct mem_cred_t mem_cred_t;
 
 #include <credentials/credential_set.h>
+#include <credentials/certificates/crl.h>
+#include <utils/linked_list.h>
 
 /**
  * Generic in-memory credential set.
@@ -43,6 +47,26 @@ struct mem_cred_t {
 	 */
 	void (*add_cert)(mem_cred_t *this, bool trusted, certificate_t *cert);
 
+	/**
+	 * Add a certificate to the credential set, returning a reference to it or
+	 * to a cached duplicate.
+	 *
+	 * @param trusted		TRUE to serve certificate as trusted
+	 * @param cert			certificate, reference gets owned by set
+	 * @return				reference to cert or a previously cached duplicate
+	 */
+	certificate_t *(*add_cert_ref)(mem_cred_t *this, bool trusted,
+								   certificate_t *cert);
+
+	/**
+	 * Add an X.509 CRL to the credential set.
+	 *
+	 * @param crl			CRL, gets owned by set
+	 * @return				TRUE, if the CRL is newer than an existing one (or
+	 *						new at all)
+	 */
+	bool (*add_crl)(mem_cred_t *this, crl_t *crl);
+
 	/**
 	 * Add a private key to the credential set.
 	 *
@@ -54,15 +78,39 @@ struct mem_cred_t {
 	 * Add a shared key to the credential set.
 	 *
 	 * @param shared		shared key to add, gets owned by set
-	 * @param ...			NULL terminated list of owners identification_t*
+	 * @param ...			NULL terminated list of owners (identification_t*)
 	 */
 	void (*add_shared)(mem_cred_t *this, shared_key_t *shared, ...);
 
+	/**
+	 * Add a shared key to the credential set.
+	 *
+	 * @param shared		shared key to add, gets owned by set
+	 * @param owners		list of owners (identification_t*), gets owned
+	 */
+	void (*add_shared_list)(mem_cred_t *this, shared_key_t *shared,
+							linked_list_t *owners);
+	/**
+	 * Add a certificate distribution point to the set.
+	 *
+	 * @param type			type of the certificate
+	 * @param id			certificate ID CDP has a cert for, gets cloned
+	 * @param uri			CDP URI, gets strduped
+	 */
+	void (*add_cdp)(mem_cred_t *this, certificate_type_t type,
+					identification_t *id, char *uri);
+
 	/**
 	 * Clear all credentials from the credential set.
 	 */
 	void (*clear)(mem_cred_t *this);
 
+	/**
+	 * Clear the secrets (private and shared keys, not the certificates) from
+	 * the credential set.
+	 */
+	void (*clear_secrets)(mem_cred_t *this);
+
 	/**
 	 * Destroy a mem_cred_t.
 	 */
diff --git a/src/libstrongswan/crypto/crypto_factory.c b/src/libstrongswan/crypto/crypto_factory.c
index f2f01987d..2d13896d6 100644
--- a/src/libstrongswan/crypto/crypto_factory.c
+++ b/src/libstrongswan/crypto/crypto_factory.c
@@ -20,13 +20,29 @@
 #include <utils/linked_list.h>
 #include <crypto/crypto_tester.h>
 
+const char *default_plugin_name = "default";
+
 typedef struct entry_t entry_t;
+
 struct entry_t {
-	/* algorithm */
+	/**
+	 * algorithm
+	 */
 	u_int algo;
-	/* benchmarked speed */
+
+	/**
+	 * plugin that registered this algorithm
+	 */
+	const char *plugin_name;
+
+	/**
+	 * benchmarked speed
+	 */
 	u_int speed;
-	/* constructor */
+
+	/**
+	 * constructor
+	 */
 	union {
 		crypter_constructor_t create_crypter;
 		aead_constructor_t create_aead;
@@ -128,7 +144,8 @@ METHOD(crypto_factory_t, create_crypter, crypter_t*,
 		{
 			if (this->test_on_create &&
 				!this->tester->test_crypter(this->tester, algo, key_size,
-											entry->create_crypter, NULL))
+											entry->create_crypter, NULL,
+											default_plugin_name))
 			{
 				continue;
 			}
@@ -160,7 +177,8 @@ METHOD(crypto_factory_t, create_aead, aead_t*,
 		{
 			if (this->test_on_create &&
 				!this->tester->test_aead(this->tester, algo, key_size,
-										 entry->create_aead, NULL))
+										 entry->create_aead, NULL,
+										 default_plugin_name))
 			{
 				continue;
 			}
@@ -191,7 +209,8 @@ METHOD(crypto_factory_t, create_signer, signer_t*,
 		{
 			if (this->test_on_create &&
 				!this->tester->test_signer(this->tester, algo,
-										   entry->create_signer, NULL))
+										   entry->create_signer, NULL,
+										   default_plugin_name))
 			{
 				continue;
 			}
@@ -223,7 +242,8 @@ METHOD(crypto_factory_t, create_hasher, hasher_t*,
 		{
 			if (this->test_on_create && algo != HASH_PREFERRED &&
 				!this->tester->test_hasher(this->tester, algo,
-										   entry->create_hasher, NULL))
+										   entry->create_hasher, NULL,
+										   default_plugin_name))
 			{
 				continue;
 			}
@@ -254,7 +274,8 @@ METHOD(crypto_factory_t, create_prf, prf_t*,
 		{
 			if (this->test_on_create &&
 				!this->tester->test_prf(this->tester, algo,
-										entry->create_prf, NULL))
+										entry->create_prf, NULL,
+										default_plugin_name))
 			{
 				continue;
 			}
@@ -286,7 +307,8 @@ METHOD(crypto_factory_t, create_rng, rng_t*,
 		{
 			if (this->test_on_create &&
 				!this->tester->test_rng(this->tester, quality,
-										entry->create_rng, NULL))
+										entry->create_rng, NULL,
+										default_plugin_name))
 			{
 				continue;
 			}
@@ -350,7 +372,8 @@ METHOD(crypto_factory_t, create_dh, diffie_hellman_t*,
  * Insert an algorithm entry to a list
  */
 static void add_entry(private_crypto_factory_t *this, linked_list_t *list,
-					  int algo, u_int speed, void *create)
+					  int algo, const char *plugin_name,
+					  u_int speed, void *create)
 {
 	entry_t *entry, *current;
 	linked_list_t *tmp;
@@ -358,6 +381,7 @@ static void add_entry(private_crypto_factory_t *this, linked_list_t *list,
 
 	INIT(entry,
 		.algo = algo,
+		.plugin_name = plugin_name,
 		.speed = speed,
 	);
 	entry->create = create;
@@ -391,16 +415,16 @@ static void add_entry(private_crypto_factory_t *this, linked_list_t *list,
 }
 
 METHOD(crypto_factory_t, add_crypter, void,
-	private_crypto_factory_t *this, encryption_algorithm_t algo,
-	crypter_constructor_t create)
+	private_crypto_factory_t *this,	encryption_algorithm_t algo,
+	const char *plugin_name, crypter_constructor_t create)
 {
 	u_int speed = 0;
 
 	if (!this->test_on_add ||
 		this->tester->test_crypter(this->tester, algo, 0, create,
-								   this->bench ? &speed : NULL))
+								   this->bench ? &speed : NULL,	plugin_name))
 	{
-		add_entry(this, this->crypters, algo, speed, create);
+		add_entry(this, this->crypters, algo, plugin_name, speed, create);
 	}
 }
 
@@ -425,16 +449,16 @@ METHOD(crypto_factory_t, remove_crypter, void,
 }
 
 METHOD(crypto_factory_t, add_aead, void,
-	private_crypto_factory_t *this, encryption_algorithm_t algo,
-	aead_constructor_t create)
+	private_crypto_factory_t *this,	encryption_algorithm_t algo,
+	const char *plugin_name, aead_constructor_t create)
 {
 	u_int speed = 0;
 
 	if (!this->test_on_add ||
 		this->tester->test_aead(this->tester, algo, 0, create,
-								   this->bench ? &speed : NULL))
+								this->bench ? &speed : NULL, plugin_name))
 	{
-		add_entry(this, this->aeads, algo, speed, create);
+		add_entry(this, this->aeads, algo, plugin_name, speed, create);
 	}
 }
 
@@ -459,16 +483,16 @@ METHOD(crypto_factory_t, remove_aead, void,
 }
 
 METHOD(crypto_factory_t, add_signer, void,
-	private_crypto_factory_t *this, integrity_algorithm_t algo,
-	signer_constructor_t create)
+	private_crypto_factory_t *this,	integrity_algorithm_t algo,
+	const char *plugin_name, signer_constructor_t create)
 {
 	u_int speed = 0;
 
 	if (!this->test_on_add ||
 		this->tester->test_signer(this->tester, algo, create,
-								  this->bench ? &speed : NULL))
+								  this->bench ? &speed : NULL, plugin_name))
 	{
-		add_entry(this, this->signers, algo, speed, create);
+		add_entry(this, this->signers, algo, plugin_name, speed, create);
 	}
 }
 
@@ -493,16 +517,16 @@ METHOD(crypto_factory_t, remove_signer, void,
 }
 
 METHOD(crypto_factory_t, add_hasher, void,
-	private_crypto_factory_t *this, hash_algorithm_t algo,
-	hasher_constructor_t create)
+	private_crypto_factory_t *this,	hash_algorithm_t algo,
+	const char *plugin_name, hasher_constructor_t create)
 {
 	u_int speed = 0;
 
 	if (!this->test_on_add ||
 		this->tester->test_hasher(this->tester, algo, create,
-								  this->bench ? &speed : NULL))
+								  this->bench ? &speed : NULL, plugin_name))
 	{
-		add_entry(this, this->hashers, algo, speed, create);
+		add_entry(this, this->hashers, algo, plugin_name, speed, create);
 	}
 }
 
@@ -527,16 +551,16 @@ METHOD(crypto_factory_t, remove_hasher, void,
 }
 
 METHOD(crypto_factory_t, add_prf, void,
-	private_crypto_factory_t *this, pseudo_random_function_t algo,
-	prf_constructor_t create)
+	private_crypto_factory_t *this,	pseudo_random_function_t algo,
+	const char *plugin_name, prf_constructor_t create)
 {
 	u_int speed = 0;
 
 	if (!this->test_on_add ||
 		this->tester->test_prf(this->tester, algo, create,
-							   this->bench ? &speed : NULL))
+							   this->bench ? &speed : NULL, plugin_name))
 	{
-		add_entry(this, this->prfs, algo, speed, create);
+		add_entry(this, this->prfs, algo, plugin_name, speed, create);
 	}
 }
 
@@ -562,15 +586,15 @@ METHOD(crypto_factory_t, remove_prf, void,
 
 METHOD(crypto_factory_t, add_rng, void,
 	private_crypto_factory_t *this, rng_quality_t quality,
-	rng_constructor_t create)
+	const char *plugin_name, rng_constructor_t create)
 {
 	u_int speed = 0;
 
 	if (!this->test_on_add ||
 		this->tester->test_rng(this->tester, quality, create,
-							   this->bench ? &speed : NULL))
+							   this->bench ? &speed : NULL, plugin_name))
 	{
-		add_entry(this, this->rngs, quality, speed, create);
+		add_entry(this, this->rngs, quality, plugin_name, speed, create);
 	}
 }
 
@@ -595,10 +619,10 @@ METHOD(crypto_factory_t, remove_rng, void,
 }
 
 METHOD(crypto_factory_t, add_dh, void,
-	private_crypto_factory_t *this, diffie_hellman_group_t group,
-	dh_constructor_t create)
+	private_crypto_factory_t *this,	diffie_hellman_group_t group,
+	 const char *plugin_name, dh_constructor_t create)
 {
-	add_entry(this, this->dhs, group, 0, create);
+	add_entry(this, this->dhs, group, plugin_name, 0, create);
 }
 
 METHOD(crypto_factory_t, remove_dh, void,
@@ -660,9 +684,11 @@ static enumerator_t *create_enumerator(private_crypto_factory_t *this,
 /**
  * Filter function to enumerate algorithm, not entry
  */
-static bool crypter_filter(void *n, entry_t **entry, encryption_algorithm_t *algo)
+static bool crypter_filter(void *n, entry_t **entry, encryption_algorithm_t *algo,
+						   void *i2, const char **plugin_name)
 {
 	*algo = (*entry)->algo;
+	*plugin_name = (*entry)->plugin_name;
 	return TRUE;
 }
 
@@ -681,9 +707,11 @@ METHOD(crypto_factory_t, create_aead_enumerator, enumerator_t*,
 /**
  * Filter function to enumerate algorithm, not entry
  */
-static bool signer_filter(void *n, entry_t **entry, integrity_algorithm_t *algo)
+static bool signer_filter(void *n, entry_t **entry, integrity_algorithm_t *algo,
+						  void *i2, const char **plugin_name)
 {
 	*algo = (*entry)->algo;
+	*plugin_name = (*entry)->plugin_name;
 	return TRUE;
 }
 
@@ -696,9 +724,11 @@ METHOD(crypto_factory_t, create_signer_enumerator, enumerator_t*,
 /**
  * Filter function to enumerate algorithm, not entry
  */
-static bool hasher_filter(void *n, entry_t **entry, hash_algorithm_t *algo)
+static bool hasher_filter(void *n, entry_t **entry, hash_algorithm_t *algo,
+						  void *i2, const char **plugin_name)
 {
 	*algo = (*entry)->algo;
+	*plugin_name = (*entry)->plugin_name;
 	return TRUE;
 }
 
@@ -711,9 +741,11 @@ METHOD(crypto_factory_t, create_hasher_enumerator, enumerator_t*,
 /**
  * Filter function to enumerate algorithm, not entry
  */
-static bool prf_filter(void *n, entry_t **entry, pseudo_random_function_t *algo)
+static bool prf_filter(void *n, entry_t **entry, pseudo_random_function_t *algo,
+					   void *i2, const char **plugin_name)
 {
 	*algo = (*entry)->algo;
+	*plugin_name = (*entry)->plugin_name;
 	return TRUE;
 }
 
@@ -726,9 +758,11 @@ METHOD(crypto_factory_t, create_prf_enumerator, enumerator_t*,
 /**
  * Filter function to enumerate algorithm, not entry
  */
-static bool dh_filter(void *n, entry_t **entry, diffie_hellman_group_t *group)
+static bool dh_filter(void *n, entry_t **entry, diffie_hellman_group_t *group,
+					  void *i2, const char **plugin_name)
 {
 	*group = (*entry)->algo;
+	*plugin_name = (*entry)->plugin_name;
 	return TRUE;
 }
 
@@ -738,6 +772,22 @@ METHOD(crypto_factory_t, create_dh_enumerator, enumerator_t*,
 	return create_enumerator(this, this->dhs, dh_filter);
 }
 
+/**
+ * Filter function to enumerate algorithm, not entry
+ */
+static bool rng_filter(void *n, entry_t **entry, rng_quality_t *quality,
+					   void *i2, const char **plugin_name)
+{
+	*quality = (*entry)->algo;
+	*plugin_name = (*entry)->plugin_name;
+	return TRUE;
+}
+
+METHOD(crypto_factory_t, create_rng_enumerator, enumerator_t*,
+	private_crypto_factory_t *this)
+{
+	return create_enumerator(this, this->rngs, rng_filter);
+}
 METHOD(crypto_factory_t, add_test_vector, void,
 	private_crypto_factory_t *this, transform_type_t type, void *vector)
 {
@@ -812,6 +862,7 @@ crypto_factory_t *crypto_factory_create()
 			.create_hasher_enumerator = _create_hasher_enumerator,
 			.create_prf_enumerator = _create_prf_enumerator,
 			.create_dh_enumerator = _create_dh_enumerator,
+			.create_rng_enumerator = _create_rng_enumerator,
 			.add_test_vector = _add_test_vector,
 			.destroy = _destroy,
 		},
diff --git a/src/libstrongswan/crypto/crypto_factory.h b/src/libstrongswan/crypto/crypto_factory.h
index ff06eda7b..8e5db6355 100644
--- a/src/libstrongswan/crypto/crypto_factory.h
+++ b/src/libstrongswan/crypto/crypto_factory.h
@@ -33,6 +33,8 @@ typedef struct crypto_factory_t crypto_factory_t;
 #include <crypto/diffie_hellman.h>
 #include <crypto/transform.h>
 
+#define CRYPTO_MAX_ALG_LINE          120   /* characters */
+
 /**
  * Constructor function for crypters
  */
@@ -144,11 +146,12 @@ struct crypto_factory_t {
 	 * Register a crypter constructor.
 	 *
 	 * @param algo			algorithm to constructor
+	 * @param plugin_name	plugin that registered this algorithm
 	 * @param create		constructor function for that algorithm
 	 * @return
 	 */
 	void (*add_crypter)(crypto_factory_t *this, encryption_algorithm_t algo,
-						crypter_constructor_t create);
+						const char *plugin_name, crypter_constructor_t create);
 
 	/**
 	 * Unregister a crypter constructor.
@@ -168,21 +171,23 @@ struct crypto_factory_t {
 	 * Register a aead constructor.
 	 *
 	 * @param algo			algorithm to constructor
+	 * @param plugin_name	plugin that registered this algorithm
 	 * @param create		constructor function for that algorithm
 	 * @return
 	 */
 	void (*add_aead)(crypto_factory_t *this, encryption_algorithm_t algo,
-					 aead_constructor_t create);
+					 const char *plugin_name, aead_constructor_t create);
 
 	/**
 	 * Register a signer constructor.
 	 *
 	 * @param algo			algorithm to constructor
+	 * @param plugin_name	plugin that registered this algorithm
 	 * @param create		constructor function for that algorithm
 	 * @return
 	 */
 	void (*add_signer)(crypto_factory_t *this, integrity_algorithm_t algo,
-					   signer_constructor_t create);
+					    const char *plugin_name, signer_constructor_t create);
 
 	/**
 	 * Unregister a signer constructor.
@@ -198,11 +203,12 @@ struct crypto_factory_t {
 	 * create_hasher(HASH_PREFERRED).
 	 *
 	 * @param algo			algorithm to constructor
+	 * @param plugin_name	plugin that registered this algorithm
 	 * @param create		constructor function for that algorithm
 	 * @return
 	 */
 	void (*add_hasher)(crypto_factory_t *this, hash_algorithm_t algo,
-					   hasher_constructor_t create);
+					   const char *plugin_name, hasher_constructor_t create);
 
 	/**
 	 * Unregister a hasher constructor.
@@ -215,11 +221,12 @@ struct crypto_factory_t {
 	 * Register a prf constructor.
 	 *
 	 * @param algo			algorithm to constructor
+	 * @param plugin_name	plugin that registered this algorithm
 	 * @param create		constructor function for that algorithm
 	 * @return
 	 */
 	void (*add_prf)(crypto_factory_t *this, pseudo_random_function_t algo,
-					prf_constructor_t create);
+					const char *plugin_name, prf_constructor_t create);
 
 	/**
 	 * Unregister a prf constructor.
@@ -232,9 +239,11 @@ struct crypto_factory_t {
 	 * Register a source of randomness.
 	 *
 	 * @param quality		quality of randomness this RNG serves
+	 * @param plugin_name	plugin that registered this algorithm
 	 * @param create		constructor function for such a quality
 	 */
-	void (*add_rng)(crypto_factory_t *this, rng_quality_t quality, rng_constructor_t create);
+	void (*add_rng)(crypto_factory_t *this, rng_quality_t quality,
+					const char *plugin_name, rng_constructor_t create);
 
 	/**
 	 * Unregister a source of randomness.
@@ -247,11 +256,12 @@ struct crypto_factory_t {
 	 * Register a diffie hellman constructor.
 	 *
 	 * @param group			dh group to constructor
+	 * @param plugin_name	plugin that registered this algorithm
 	 * @param create		constructor function for that algorithm
 	 * @return
 	 */
 	void (*add_dh)(crypto_factory_t *this, diffie_hellman_group_t group,
-				   dh_constructor_t create);
+				   const char *plugin_name, dh_constructor_t create);
 
 	/**
 	 * Unregister a diffie hellman constructor.
@@ -302,6 +312,13 @@ struct crypto_factory_t {
 	 */
 	enumerator_t* (*create_dh_enumerator)(crypto_factory_t *this);
 
+	/**
+	 * Create an enumerator over all registered random generators.
+	 *
+	 * @return				enumerator over rng_quality_t
+	 */
+	enumerator_t* (*create_rng_enumerator)(crypto_factory_t *this);
+
 	/**
 	 * Add a test vector to the crypto factory.
 	 *
diff --git a/src/libstrongswan/crypto/crypto_tester.c b/src/libstrongswan/crypto/crypto_tester.c
index d17485ff2..276f4329a 100644
--- a/src/libstrongswan/crypto/crypto_tester.c
+++ b/src/libstrongswan/crypto/crypto_tester.c
@@ -165,7 +165,7 @@ static u_int bench_crypter(private_crypto_tester_t *this,
 
 METHOD(crypto_tester_t, test_crypter, bool,
 	private_crypto_tester_t *this, encryption_algorithm_t alg, size_t key_size,
-	crypter_constructor_t create, u_int *speed)
+	crypter_constructor_t create, u_int *speed, const char *plugin_name)
 {
 	enumerator_t *enumerator;
 	crypter_test_vector_t *vector;
@@ -188,7 +188,11 @@ METHOD(crypto_tester_t, test_crypter, bool,
 		}
 		crypter = create(alg, vector->key_size);
 		if (!crypter)
-		{	/* key size not supported... */
+		{
+			DBG1(DBG_LIB, "%N[%s]: %u bit key size not supported",
+				 encryption_algorithm_names, alg, plugin_name,
+				 BITS_PER_BYTE * vector->key_size);
+			failed = TRUE;
 			continue;
 		}
 
@@ -231,31 +235,40 @@ METHOD(crypto_tester_t, test_crypter, bool,
 		crypter->destroy(crypter);
 		if (failed)
 		{
-			DBG1(DBG_LIB, "disabled %N: %s test vector failed",
-				 encryption_algorithm_names, alg, get_name(vector));
+			DBG1(DBG_LIB, "disabled %N[%s]: %s test vector failed",
+				 encryption_algorithm_names, alg, plugin_name, get_name(vector));
 			break;
 		}
 	}
 	enumerator->destroy(enumerator);
 	if (!tested)
 	{
-		DBG1(DBG_LIB, "%s %N: no test vectors found",
-			 this->required ? "disabled" : "enabled ",
-			 encryption_algorithm_names, alg);
-		return !this->required;
+		if (failed)
+		{
+			DBG1(DBG_LIB,"disable %N[%s]: no key size supported",
+				 encryption_algorithm_names, alg, plugin_name);
+			return FALSE;              
+		}
+		else
+		{
+			DBG1(DBG_LIB, "%s %N[%s]: no test vectors found",
+				 this->required ? "disabled" : "enabled ",
+				 encryption_algorithm_names, alg, plugin_name);
+			return !this->required;
+		}
 	}
 	if (!failed)
 	{
 		if (speed)
 		{
 			*speed = bench_crypter(this, alg, create);
-			DBG1(DBG_LIB, "enabled  %N: passed %u test vectors, %d points",
-				 encryption_algorithm_names, alg, tested, *speed);
+			DBG1(DBG_LIB, "enabled  %N[%s]: passed %u test vectors, %d points",
+				 encryption_algorithm_names, alg, tested, plugin_name, *speed);
 		}
 		else
 		{
-			DBG1(DBG_LIB, "enabled  %N: passed %u test vectors",
-				 encryption_algorithm_names, alg, tested);
+			DBG1(DBG_LIB, "enabled  %N[%s]: passed %u test vectors",
+				 encryption_algorithm_names, alg, plugin_name, tested);
 		}
 	}
 	return !failed;
@@ -311,7 +324,7 @@ static u_int bench_aead(private_crypto_tester_t *this,
 
 METHOD(crypto_tester_t, test_aead, bool,
 	private_crypto_tester_t *this, encryption_algorithm_t alg, size_t key_size,
-	aead_constructor_t create, u_int *speed)
+	aead_constructor_t create, u_int *speed, const char *plugin_name)
 {
 	enumerator_t *enumerator;
 	aead_test_vector_t *vector;
@@ -335,7 +348,11 @@ METHOD(crypto_tester_t, test_aead, bool,
 		}
 		aead = create(alg, vector->key_size);
 		if (!aead)
-		{	/* key size not supported... */
+		{
+			DBG1(DBG_LIB, "%N[%s]: %u bit key size not supported",
+				 encryption_algorithm_names, alg, plugin_name,
+				 BITS_PER_BYTE * vector->key_size);
+			failed = TRUE;
 			continue;
 		}
 
@@ -388,31 +405,40 @@ METHOD(crypto_tester_t, test_aead, bool,
 		aead->destroy(aead);
 		if (failed)
 		{
-			DBG1(DBG_LIB, "disabled %N: %s test vector failed",
-				 encryption_algorithm_names, alg, get_name(vector));
+			DBG1(DBG_LIB, "disabled %N[%s]: %s test vector failed",
+				 encryption_algorithm_names, alg, plugin_name, get_name(vector));
 			break;
 		}
 	}
 	enumerator->destroy(enumerator);
 	if (!tested)
 	{
-		DBG1(DBG_LIB, "%s %N: no test vectors found",
-			 this->required ? "disabled" : "enabled ",
-			 encryption_algorithm_names, alg);
-		return !this->required;
+		if (failed)
+		{
+			DBG1(DBG_LIB,"disable %N[%s]: no key size supported",
+				 encryption_algorithm_names, alg, plugin_name);
+			return FALSE;              
+		}
+		else
+		{
+			DBG1(DBG_LIB, "%s %N[%s]: no test vectors found",
+				 this->required ? "disabled" : "enabled ",
+				 encryption_algorithm_names, alg, plugin_name);
+			return !this->required;
+		}
 	}
 	if (!failed)
 	{
 		if (speed)
 		{
 			*speed = bench_aead(this, alg, create);
-			DBG1(DBG_LIB, "enabled  %N: passed %u test vectors, %d points",
-				 encryption_algorithm_names, alg, tested, *speed);
+			DBG1(DBG_LIB, "enabled  %N[%s]: passed %u test vectors, %d points",
+				 encryption_algorithm_names, alg, plugin_name, tested, *speed);
 		}
 		else
 		{
-			DBG1(DBG_LIB, "enabled  %N: passed %u test vectors",
-				 encryption_algorithm_names, alg, tested);
+			DBG1(DBG_LIB, "enabled  %N[%s]: passed %u test vectors",
+				 encryption_algorithm_names, alg, plugin_name, tested);
 		}
 	}
 	return !failed;
@@ -460,7 +486,7 @@ static u_int bench_signer(private_crypto_tester_t *this,
 
 METHOD(crypto_tester_t, test_signer, bool,
 	private_crypto_tester_t *this, integrity_algorithm_t alg,
-	signer_constructor_t create, u_int *speed)
+	signer_constructor_t create, u_int *speed, const char *plugin_name)
 {
 	enumerator_t *enumerator;
 	signer_test_vector_t *vector;
@@ -482,8 +508,8 @@ METHOD(crypto_tester_t, test_signer, bool,
 		signer = create(alg);
 		if (!signer)
 		{
-			DBG1(DBG_LIB, "disabled %N: creating instance failed",
-				 integrity_algorithm_names, alg);
+			DBG1(DBG_LIB, "disabled %N[%s]: creating instance failed",
+				 integrity_algorithm_names, alg, plugin_name);
 			failed = TRUE;
 			break;
 		}
@@ -538,17 +564,17 @@ METHOD(crypto_tester_t, test_signer, bool,
 		signer->destroy(signer);
 		if (failed)
 		{
-			DBG1(DBG_LIB, "disabled %N: %s test vector failed",
-				 integrity_algorithm_names, alg, get_name(vector));
+			DBG1(DBG_LIB, "disabled %N[%s]: %s test vector failed",
+				 integrity_algorithm_names, alg, plugin_name, get_name(vector));
 			break;
 		}
 	}
 	enumerator->destroy(enumerator);
 	if (!tested)
 	{
-		DBG1(DBG_LIB, "%s %N: no test vectors found",
+		DBG1(DBG_LIB, "%s %N[%s]: no test vectors found",
 			 this->required ? "disabled" : "enabled ",
-			 integrity_algorithm_names, alg);
+			 integrity_algorithm_names, alg, plugin_name);
 		return !this->required;
 	}
 	if (!failed)
@@ -556,13 +582,13 @@ METHOD(crypto_tester_t, test_signer, bool,
 		if (speed)
 		{
 			*speed = bench_signer(this, alg, create);
-			DBG1(DBG_LIB, "enabled  %N: passed %u test vectors, %d points",
-				 integrity_algorithm_names, alg, tested, *speed);
+			DBG1(DBG_LIB, "enabled  %N[%s]: passed %u test vectors, %d points",
+				 integrity_algorithm_names, alg, plugin_name, tested, *speed);
 		}
 		else
 		{
-			DBG1(DBG_LIB, "enabled  %N: passed %u test vectors",
-				 integrity_algorithm_names, alg, tested);
+			DBG1(DBG_LIB, "enabled  %N[%s]: passed %u test vectors",
+				 integrity_algorithm_names, alg, plugin_name, tested);
 		}
 	}
 	return !failed;
@@ -604,7 +630,7 @@ static u_int bench_hasher(private_crypto_tester_t *this,
 
 METHOD(crypto_tester_t, test_hasher, bool,
 	private_crypto_tester_t *this, hash_algorithm_t alg,
-	hasher_constructor_t create, u_int *speed)
+	hasher_constructor_t create, u_int *speed, const char *plugin_name)
 {
 	enumerator_t *enumerator;
 	hasher_test_vector_t *vector;
@@ -626,8 +652,8 @@ METHOD(crypto_tester_t, test_hasher, bool,
 		hasher = create(alg);
 		if (!hasher)
 		{
-			DBG1(DBG_LIB, "disabled %N: creating instance failed",
-				 hash_algorithm_names, alg);
+			DBG1(DBG_LIB, "disabled %N[%s]: creating instance failed",
+				 hash_algorithm_names, alg, plugin_name);
 			failed = TRUE;
 			break;
 		}
@@ -669,17 +695,17 @@ METHOD(crypto_tester_t, test_hasher, bool,
 		hasher->destroy(hasher);
 		if (failed)
 		{
-			DBG1(DBG_LIB, "disabled %N: %s test vector failed",
-				 hash_algorithm_names, alg, get_name(vector));
+			DBG1(DBG_LIB, "disabled %N[%s]: %s test vector failed",
+				 hash_algorithm_names, alg, plugin_name, get_name(vector));
 			break;
 		}
 	}
 	enumerator->destroy(enumerator);
 	if (!tested)
 	{
-		DBG1(DBG_LIB, "%s %N: no test vectors found",
+		DBG1(DBG_LIB, "%s %N[%s]: no test vectors found",
 			 this->required ? "disabled" : "enabled ",
-			 hash_algorithm_names, alg);
+			 hash_algorithm_names, alg, plugin_name);
 		return !this->required;
 	}
 	if (!failed)
@@ -687,13 +713,13 @@ METHOD(crypto_tester_t, test_hasher, bool,
 		if (speed)
 		{
 			*speed = bench_hasher(this, alg, create);
-			DBG1(DBG_LIB, "enabled  %N: passed %u test vectors, %d points",
-				 hash_algorithm_names, alg, tested, *speed);
+			DBG1(DBG_LIB, "enabled  %N[%s]: passed %u test vectors, %d points",
+				 hash_algorithm_names, alg, plugin_name, tested, *speed);
 		}
 		else
 		{
-			DBG1(DBG_LIB, "enabled  %N: passed %u test vectors",
-				 hash_algorithm_names, alg, tested);
+			DBG1(DBG_LIB, "enabled  %N[%s]: passed %u test vectors",
+				 hash_algorithm_names, alg, plugin_name, tested);
 		}
 	}
 	return !failed;
@@ -735,7 +761,7 @@ static u_int bench_prf(private_crypto_tester_t *this,
 
 METHOD(crypto_tester_t, test_prf, bool,
 	private_crypto_tester_t *this, pseudo_random_function_t alg,
-	prf_constructor_t create, u_int *speed)
+	prf_constructor_t create, u_int *speed, const char *plugin_name)
 {
 	enumerator_t *enumerator;
 	prf_test_vector_t *vector;
@@ -757,8 +783,8 @@ METHOD(crypto_tester_t, test_prf, bool,
 		prf = create(alg);
 		if (!prf)
 		{
-			DBG1(DBG_LIB, "disabled %N: creating instance failed",
-				 pseudo_random_function_names, alg);
+			DBG1(DBG_LIB, "disabled %N[%s]: creating instance failed",
+				 pseudo_random_function_names, alg, plugin_name);
 			failed = TRUE;
 			break;
 		}
@@ -811,17 +837,17 @@ METHOD(crypto_tester_t, test_prf, bool,
 		prf->destroy(prf);
 		if (failed)
 		{
-			DBG1(DBG_LIB, "disabled %N: %s test vector failed",
-				 pseudo_random_function_names, alg, get_name(vector));
+			DBG1(DBG_LIB, "disabled %N[%s]: %s test vector failed",
+				 pseudo_random_function_names, alg, plugin_name, get_name(vector));
 			break;
 		}
 	}
 	enumerator->destroy(enumerator);
 	if (!tested)
 	{
-		DBG1(DBG_LIB, "%s %N: no test vectors found",
+		DBG1(DBG_LIB, "%s %N[%s]: no test vectors found",
 			 this->required ? "disabled" : "enabled ",
-			 pseudo_random_function_names, alg);
+			 pseudo_random_function_names, alg, plugin_name);
 		return !this->required;
 	}
 	if (!failed)
@@ -829,13 +855,13 @@ METHOD(crypto_tester_t, test_prf, bool,
 		if (speed)
 		{
 			*speed = bench_prf(this, alg, create);
-			DBG1(DBG_LIB, "enabled  %N: passed %u test vectors, %d points",
-				 pseudo_random_function_names, alg, tested, *speed);
+			DBG1(DBG_LIB, "enabled  %N[%s]: passed %u test vectors, %d points",
+				 pseudo_random_function_names, alg, plugin_name, tested, *speed);
 		}
 		else
 		{
-			DBG1(DBG_LIB, "enabled  %N: passed %u test vectors",
-				 pseudo_random_function_names, alg, tested);
+			DBG1(DBG_LIB, "enabled  %N[%s]: passed %u test vectors",
+				 pseudo_random_function_names, alg, plugin_name, tested);
 		}
 	}
 	return !failed;
@@ -874,7 +900,7 @@ static u_int bench_rng(private_crypto_tester_t *this,
 
 METHOD(crypto_tester_t, test_rng, bool,
 	private_crypto_tester_t *this, rng_quality_t quality,
-	rng_constructor_t create, u_int *speed)
+	rng_constructor_t create, u_int *speed, const char *plugin_name)
 {
 	enumerator_t *enumerator;
 	rng_test_vector_t *vector;
@@ -883,8 +909,8 @@ METHOD(crypto_tester_t, test_rng, bool,
 
 	if (!this->rng_true && quality == RNG_TRUE)
 	{
-		DBG1(DBG_LIB, "enabled  %N: skipping test (disabled by config)",
-			 rng_quality_names, quality);
+		DBG1(DBG_LIB, "enabled  %N[%s]: skipping test (disabled by config)",
+			 rng_quality_names, quality, plugin_name);
 		return TRUE;
 	}
 
@@ -903,8 +929,8 @@ METHOD(crypto_tester_t, test_rng, bool,
 		rng = create(quality);
 		if (!rng)
 		{
-			DBG1(DBG_LIB, "disabled %N: creating instance failed",
-				 rng_quality_names, quality);
+			DBG1(DBG_LIB, "disabled %N[%s]: creating instance failed",
+				 rng_quality_names, quality, plugin_name);
 			failed = TRUE;
 			break;
 		}
@@ -933,17 +959,17 @@ METHOD(crypto_tester_t, test_rng, bool,
 		rng->destroy(rng);
 		if (failed)
 		{
-			DBG1(DBG_LIB, "disabled %N: %s test vector failed",
-				 rng_quality_names, quality, get_name(vector));
+			DBG1(DBG_LIB, "disabled %N[%s]: %s test vector failed",
+				 rng_quality_names, quality, plugin_name, get_name(vector));
 			break;
 		}
 	}
 	enumerator->destroy(enumerator);
 	if (!tested)
 	{
-		DBG1(DBG_LIB, "%s %N: no test vectors found",
+		DBG1(DBG_LIB, "%s %N[%s]: no test vectors found",
 			 this->required ? ", disabled" : "enabled ",
-			 rng_quality_names, quality);
+			 rng_quality_names, quality, plugin_name);
 		return !this->required;
 	}
 	if (!failed)
@@ -951,13 +977,13 @@ METHOD(crypto_tester_t, test_rng, bool,
 		if (speed)
 		{
 			*speed = bench_rng(this, quality, create);
-			DBG1(DBG_LIB, "enabled  %N: passed %u test vectors, %d points",
-				 rng_quality_names, quality, tested, *speed);
+			DBG1(DBG_LIB, "enabled  %N[%s]: passed %u test vectors, %d points",
+				 rng_quality_names, quality, plugin_name, tested, *speed);
 		}
 		else
 		{
-			DBG1(DBG_LIB, "enabled  %N: passed %u test vectors",
-				 rng_quality_names, quality, tested);
+			DBG1(DBG_LIB, "enabled  %N[%s]: passed %u test vectors",
+				 rng_quality_names, quality, plugin_name, tested);
 		}
 	}
 	return !failed;
diff --git a/src/libstrongswan/crypto/crypto_tester.h b/src/libstrongswan/crypto/crypto_tester.h
index cef0b3c18..019c87c39 100644
--- a/src/libstrongswan/crypto/crypto_tester.h
+++ b/src/libstrongswan/crypto/crypto_tester.h
@@ -143,7 +143,7 @@ struct crypto_tester_t {
 	 */
 	bool (*test_crypter)(crypto_tester_t *this, encryption_algorithm_t alg,
 						 size_t key_size, crypter_constructor_t create,
-						 u_int *speed);
+						 u_int *speed, const char *plugin_name);
 
 	/**
 	 * Test an aead algorithm, optionally using a specified key size.
@@ -156,7 +156,7 @@ struct crypto_tester_t {
 	 */
 	bool (*test_aead)(crypto_tester_t *this, encryption_algorithm_t alg,
 						 size_t key_size, aead_constructor_t create,
-						 u_int *speed);
+						 u_int *speed, const char *plugin_name);
 	/**
 	 * Test a signer algorithm.
 	 *
@@ -166,7 +166,8 @@ struct crypto_tester_t {
 	 * @return				TRUE if test passed
 	 */
 	bool (*test_signer)(crypto_tester_t *this, integrity_algorithm_t alg,
-						signer_constructor_t create, u_int *speed);
+						signer_constructor_t create,
+						u_int *speed, const char *plugin_name);
 	/**
 	 * Test a hasher algorithm.
 	 *
@@ -176,7 +177,8 @@ struct crypto_tester_t {
 	 * @return				TRUE if test passed
 	 */
 	bool (*test_hasher)(crypto_tester_t *this, hash_algorithm_t alg,
-						hasher_constructor_t create, u_int *speed);
+						hasher_constructor_t create,
+						u_int *speed, const char *plugin_name);
 	/**
 	 * Test a PRF algorithm.
 	 *
@@ -186,7 +188,8 @@ struct crypto_tester_t {
 	 * @return				TRUE if test passed
 	 */
 	bool (*test_prf)(crypto_tester_t *this, pseudo_random_function_t alg,
-					 prf_constructor_t create, u_int *speed);
+					 prf_constructor_t create,
+					 u_int *speed, const char *plugin_name);
 	/**
 	 * Test a RNG implementation.
 	 *
@@ -196,7 +199,8 @@ struct crypto_tester_t {
 	 * @return				TRUE if test passed
 	 */
 	bool (*test_rng)(crypto_tester_t *this, rng_quality_t quality,
-					 rng_constructor_t create, u_int *speed);
+					 rng_constructor_t create,
+					 u_int *speed, const char *plugin_name);
 	/**
 	 * Add a test vector to test a crypter.
 	 *
diff --git a/src/libstrongswan/eap/eap.h b/src/libstrongswan/eap/eap.h
index 1d55747a4..e98a3a211 100644
--- a/src/libstrongswan/eap/eap.h
+++ b/src/libstrongswan/eap/eap.h
@@ -82,7 +82,7 @@ extern enum_name_t *eap_type_short_names;
  * Lookup the EAP method type from a string.
  *
  * @param name		EAP method name (such as "md5", "aka")
- * @return			method type, 0 if unkown
+ * @return			method type, 0 if unknown
  */
 eap_type_t eap_type_from_string(char *name);
 
diff --git a/src/libstrongswan/enum.c b/src/libstrongswan/enum.c
index 258a5b410..5c811bd17 100644
--- a/src/libstrongswan/enum.c
+++ b/src/libstrongswan/enum.c
@@ -43,7 +43,7 @@ int enum_from_name(enum_name_t *e, char *name)
 {
 	do
 	{
-		int i, count = e->last - e->first;
+		int i, count = e->last - e->first + 1;
 
 		for (i = 0; i < count; i++)
 		{
diff --git a/src/libstrongswan/fetcher/fetcher_manager.c b/src/libstrongswan/fetcher/fetcher_manager.c
index c81de032c..b007c8b08 100644
--- a/src/libstrongswan/fetcher/fetcher_manager.c
+++ b/src/libstrongswan/fetcher/fetcher_manager.c
@@ -92,7 +92,7 @@ static status_t fetch(private_fetcher_manager_t *this,
 		va_start(args, response);
 		while (good)
 		{
-			opt = va_arg(args, fetcher_option_t);
+			opt = va_arg(args, int);
 			switch (opt)
 			{
 				case FETCH_REQUEST_DATA:
@@ -109,7 +109,7 @@ static status_t fetch(private_fetcher_manager_t *this,
 					good = fetcher->set_option(fetcher, opt, va_arg(args, u_int));
 					continue;
 				case FETCH_END:
-					break;;
+					break;
 			}
 			break;
 		}
diff --git a/src/libstrongswan/integrity_checker.c b/src/libstrongswan/integrity_checker.c
index c9cad44ae..e962aba70 100644
--- a/src/libstrongswan/integrity_checker.c
+++ b/src/libstrongswan/integrity_checker.c
@@ -57,11 +57,8 @@ struct private_integrity_checker_t {
 	int checksum_count;
 };
 
-/**
- * Implementation of integrity_checker_t.build_file
- */
-static u_int32_t build_file(private_integrity_checker_t *this, char *file,
-							size_t *len)
+METHOD(integrity_checker_t, build_file, u_int32_t,
+	private_integrity_checker_t *this, char *file, size_t *len)
 {
 	u_int32_t checksum;
 	chunk_t contents;
@@ -136,11 +133,8 @@ static int callback(struct dl_phdr_info *dlpi, size_t size, Dl_info *dli)
 	return 0;
 }
 
-/**
- * Implementation of integrity_checker_t.build_segment
- */
-static u_int32_t build_segment(private_integrity_checker_t *this, void *sym,
-							   size_t *len)
+METHOD(integrity_checker_t, build_segment, u_int32_t,
+	private_integrity_checker_t *this, void *sym, size_t *len)
 {
 	chunk_t segment;
 	Dl_info dli;
@@ -180,11 +174,8 @@ static integrity_checksum_t *find_checksum(private_integrity_checker_t *this,
 	return NULL;
 }
 
-/**
- * Implementation of integrity_checker_t.check_file
- */
-static bool check_file(private_integrity_checker_t *this,
-					   char *name, char *file)
+METHOD(integrity_checker_t, check_file, bool,
+	private_integrity_checker_t *this, char *name, char *file)
 {
 	integrity_checksum_t *cs;
 	u_int32_t sum;
@@ -217,11 +208,8 @@ static bool check_file(private_integrity_checker_t *this,
 	return TRUE;
 }
 
-/**
- * Implementation of integrity_checker_t.check_segment
- */
-static bool check_segment(private_integrity_checker_t *this,
-						  char *name, void *sym)
+METHOD(integrity_checker_t, check_segment, bool,
+	private_integrity_checker_t *this, char *name, void *sym)
 {
 	integrity_checksum_t *cs;
 	u_int32_t sum;
@@ -254,10 +242,8 @@ static bool check_segment(private_integrity_checker_t *this,
 	return TRUE;
 }
 
-/**
- * Implementation of integrity_checker_t.check
- */
-static bool check(private_integrity_checker_t *this, char *name, void *sym)
+METHOD(integrity_checker_t, check, bool,
+	private_integrity_checker_t *this, char *name, void *sym)
 {
 	Dl_info dli;
 
@@ -277,10 +263,8 @@ static bool check(private_integrity_checker_t *this, char *name, void *sym)
 	return TRUE;
 }
 
-/**
- * Implementation of integrity_checker_t.destroy.
- */
-static void destroy(private_integrity_checker_t *this)
+METHOD(integrity_checker_t, destroy, void,
+	private_integrity_checker_t *this)
 {
 	if (this->handle)
 	{
@@ -294,17 +278,19 @@ static void destroy(private_integrity_checker_t *this)
  */
 integrity_checker_t *integrity_checker_create(char *checksum_library)
 {
-	private_integrity_checker_t *this = malloc_thing(private_integrity_checker_t);
-
-	this->public.check_file = (bool(*)(integrity_checker_t*, char *name, char *file))check_file;
-	this->public.build_file = (u_int32_t(*)(integrity_checker_t*, char *file, size_t *len))build_file;
-	this->public.check_segment = (bool(*)(integrity_checker_t*, char *name, void *sym))check_segment;
-	this->public.build_segment = (u_int32_t(*)(integrity_checker_t*, void *sym, size_t *len))build_segment;
-	this->public.check = (bool(*)(integrity_checker_t*, char *name, void *sym))check;
-	this->public.destroy = (void(*)(integrity_checker_t*))destroy;
+	private_integrity_checker_t *this;
+
+	INIT(this,
+		.public = {
+			.check_file = _check_file,
+			.build_file = _build_file,
+			.check_segment = _check_segment,
+			.build_segment = _build_segment,
+			.check = _check,
+			.destroy = _destroy,
+		},
+	);
 
-	this->checksum_count = 0;
-	this->handle = NULL;
 	if (checksum_library)
 	{
 		this->handle = dlopen(checksum_library, RTLD_LAZY);
diff --git a/src/libstrongswan/plugins/aes/Makefile.in b/src/libstrongswan/plugins/aes/Makefile.in
index 99a520852..9835cd5b9 100644
--- a/src/libstrongswan/plugins/aes/Makefile.in
+++ b/src/libstrongswan/plugins/aes/Makefile.in
@@ -219,9 +219,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -260,6 +258,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libstrongswan/plugins/aes/aes_plugin.c b/src/libstrongswan/plugins/aes/aes_plugin.c
index 22b47e334..1c060b6c8 100644
--- a/src/libstrongswan/plugins/aes/aes_plugin.c
+++ b/src/libstrongswan/plugins/aes/aes_plugin.c
@@ -18,6 +18,8 @@
 #include <library.h>
 #include "aes_crypter.h"
 
+static const char *plugin_name = "aes";
+
 typedef struct private_aes_plugin_t private_aes_plugin_t;
 
 /**
@@ -54,7 +56,7 @@ plugin_t *aes_plugin_create()
 		},
 	);
 
-	lib->crypto->add_crypter(lib->crypto, ENCR_AES_CBC,
+	lib->crypto->add_crypter(lib->crypto, ENCR_AES_CBC, plugin_name,
 							 (crypter_constructor_t)aes_crypter_create);
 
 	return &this->public.plugin;
diff --git a/src/libstrongswan/plugins/af_alg/Makefile.am b/src/libstrongswan/plugins/af_alg/Makefile.am
new file mode 100644
index 000000000..a33fd30b6
--- /dev/null
+++ b/src/libstrongswan/plugins/af_alg/Makefile.am
@@ -0,0 +1,20 @@
+
+INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = -rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-af-alg.la
+else
+plugin_LTLIBRARIES = libstrongswan-af-alg.la
+endif
+
+libstrongswan_af_alg_la_SOURCES = \
+	af_alg_plugin.h af_alg_plugin.c \
+	af_alg_ops.h af_alg_ops.c \
+	af_alg_hasher.h af_alg_hasher.c \
+	af_alg_signer.h af_alg_signer.c \
+	af_alg_prf.h af_alg_prf.c \
+	af_alg_crypter.h af_alg_crypter.c
+
+libstrongswan_af_alg_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/af_alg/Makefile.in b/src/libstrongswan/plugins/af_alg/Makefile.in
new file mode 100644
index 000000000..aa8df979e
--- /dev/null
+++ b/src/libstrongswan/plugins/af_alg/Makefile.in
@@ -0,0 +1,612 @@
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libstrongswan/plugins/af_alg
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_af_alg_la_LIBADD =
+am_libstrongswan_af_alg_la_OBJECTS = af_alg_plugin.lo af_alg_ops.lo \
+	af_alg_hasher.lo af_alg_signer.lo af_alg_prf.lo \
+	af_alg_crypter.lo
+libstrongswan_af_alg_la_OBJECTS =  \
+	$(am_libstrongswan_af_alg_la_OBJECTS)
+libstrongswan_af_alg_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_af_alg_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_af_alg_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_af_alg_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_af_alg_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_af_alg_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan
+AM_CFLAGS = -rdynamic
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-af-alg.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-af-alg.la
+libstrongswan_af_alg_la_SOURCES = \
+	af_alg_plugin.h af_alg_plugin.c \
+	af_alg_ops.h af_alg_ops.c \
+	af_alg_hasher.h af_alg_hasher.c \
+	af_alg_signer.h af_alg_signer.c \
+	af_alg_prf.h af_alg_prf.c \
+	af_alg_crypter.h af_alg_crypter.c
+
+libstrongswan_af_alg_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/af_alg/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libstrongswan/plugins/af_alg/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-af-alg.la: $(libstrongswan_af_alg_la_OBJECTS) $(libstrongswan_af_alg_la_DEPENDENCIES) 
+	$(libstrongswan_af_alg_la_LINK) $(am_libstrongswan_af_alg_la_rpath) $(libstrongswan_af_alg_la_OBJECTS) $(libstrongswan_af_alg_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/af_alg_crypter.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/af_alg_hasher.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/af_alg_ops.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/af_alg_plugin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/af_alg_prf.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/af_alg_signer.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libstrongswan/plugins/af_alg/af_alg_crypter.c b/src/libstrongswan/plugins/af_alg/af_alg_crypter.c
new file mode 100644
index 000000000..3416ad8d2
--- /dev/null
+++ b/src/libstrongswan/plugins/af_alg/af_alg_crypter.c
@@ -0,0 +1,237 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "af_alg_crypter.h"
+#include "af_alg_ops.h"
+
+typedef struct private_af_alg_crypter_t private_af_alg_crypter_t;
+
+/**
+ * Private data of af_alg_crypter_t
+ */
+struct private_af_alg_crypter_t {
+
+	/**
+	 * Public part of this class.
+	 */
+	af_alg_crypter_t public;
+
+	/**
+	 * AF_ALG operations
+	 */
+	af_alg_ops_t *ops;
+
+	/**
+	 * Size of the truncated signature
+	 */
+	size_t block_size;
+
+	/**
+	 * Size of the keymat
+	 */
+	size_t keymat_size;
+
+	/**
+	 * Size of initialization vector
+	 */
+	size_t iv_size;
+};
+
+/**
+ * Algorithm database
+ */
+static struct {
+	encryption_algorithm_t id;
+	char *name;
+	size_t block_size;
+	/* key size of the algorithm */
+	size_t key_size;
+	/* size of the keying material (key + nonce for ctr mode) */
+	size_t keymat_size;
+	size_t iv_size;
+} algs[] = {
+	{ENCR_DES,			"cbc(des)",					 8,	 8,	 8,	 8,	},
+	{ENCR_3DES,			"cbc(des3_ede)",			 8,	24,	24,	 8,	},
+	{ENCR_AES_CBC,		"cbc(aes)",					16,	16,	16,	16,	},
+	{ENCR_AES_CBC,		"cbc(aes)",					16,	24,	24,	16,	},
+	{ENCR_AES_CBC,		"cbc(aes)",					16,	32,	32,	16,	},
+	{ENCR_AES_CTR,		"rfc3686(ctr(aes))",		 1,	16,	20,	 8,	},
+	{ENCR_AES_CTR,		"rfc3686(ctr(aes))",		 1,	24,	28,	 8,	},
+	{ENCR_AES_CTR,		"rfc3686(ctr(aes))",		 1,	32,	36,	 8,	},
+	{ENCR_CAMELLIA_CBC,	"cbc(camellia)",			16,	16,	16,	16,	},
+	{ENCR_CAMELLIA_CBC,	"cbc(camellia)",			16,	24,	24,	16,	},
+	{ENCR_CAMELLIA_CBC,	"cbc(camellia)",			16,	32,	32,	16,	},
+	{ENCR_CAMELLIA_CTR,	"rfc3686(ctr(camellia))",	 1,	16,	20,	 8,	},
+	{ENCR_CAMELLIA_CTR,	"rfc3686(ctr(camellia))",	 1,	24,	28,	 8,	},
+	{ENCR_CAMELLIA_CTR,	"rfc3686(ctr(camellia))",	 1,	32,	36,	 8,	},
+	{ENCR_CAST,			"cbc(cast5)",				 8,	16,	16,	 8,	},
+	{ENCR_BLOWFISH,		"cbc(blowfish)",			 8,	16,	16,	 8,	},
+	{ENCR_BLOWFISH,		"cbc(blowfish)",			 8,	24,	24,	 8,	},
+	{ENCR_BLOWFISH,		"cbc(blowfish)",			 8,	32,	32,	 8,	},
+	{ENCR_SERPENT_CBC,	"cbc(serpent)",				16,	16,	16,	16,	},
+	{ENCR_SERPENT_CBC,	"cbc(serpent)",				16,	24,	24,	16,	},
+	{ENCR_SERPENT_CBC,	"cbc(serpent)",				16,	32,	32,	16,	},
+	{ENCR_TWOFISH_CBC,	"cbc(twofish)",				16,	16,	16,	16,	},
+	{ENCR_TWOFISH_CBC,	"cbc(twofish)",				16,	24,	24,	16,	},
+	{ENCR_TWOFISH_CBC,	"cbc(twofish)",				16,	32,	32,	16,	},
+};
+
+/**
+ * See header.
+ */
+void af_alg_crypter_probe()
+{
+	encryption_algorithm_t prev = -1;
+	af_alg_ops_t *ops;
+	int i;
+
+	for (i = 0; i < countof(algs); i++)
+	{
+		if (prev != algs[i].id)
+		{
+			ops = af_alg_ops_create("skcipher", algs[i].name);
+			if (ops)
+			{
+				ops->destroy(ops);
+				lib->crypto->add_crypter(lib->crypto, algs[i].id, af_alg_plugin_name,
+								(crypter_constructor_t)af_alg_crypter_create);
+			}
+		}
+		prev = algs[i].id;
+	}
+}
+
+/**
+ * Get the kernel algorithm string and block/key size for our identifier
+ */
+static size_t lookup_alg(encryption_algorithm_t algo, char **name,
+						 size_t key_size, size_t *keymat_size, size_t *iv_size)
+{
+	int i;
+
+	for (i = 0; i < countof(algs); i++)
+	{
+		if (algs[i].id == algo &&
+			(key_size == 0 || algs[i].key_size == key_size))
+		{
+			*name = algs[i].name;
+			*keymat_size = algs[i].keymat_size;
+			*iv_size = algs[i].iv_size;
+			return algs[i].block_size;
+		}
+	}
+	return 0;
+}
+
+METHOD(crypter_t, decrypt, void,
+	private_af_alg_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *dst)
+{
+	if (dst)
+	{
+		*dst = chunk_alloc(data.len);
+		this->ops->crypt(this->ops, ALG_OP_DECRYPT, iv, data, dst->ptr);
+	}
+	else
+	{
+		this->ops->crypt(this->ops, ALG_OP_DECRYPT, iv, data, data.ptr);
+	}
+}
+
+METHOD(crypter_t, encrypt, void,
+	private_af_alg_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *dst)
+{
+	if (dst)
+	{
+		*dst = chunk_alloc(data.len);
+		this->ops->crypt(this->ops, ALG_OP_ENCRYPT, iv, data, dst->ptr);
+	}
+	else
+	{
+		this->ops->crypt(this->ops, ALG_OP_ENCRYPT, iv, data, data.ptr);
+	}
+}
+
+METHOD(crypter_t, get_block_size, size_t,
+	private_af_alg_crypter_t *this)
+{
+	return this->block_size;
+}
+
+METHOD(crypter_t, get_iv_size, size_t,
+	private_af_alg_crypter_t *this)
+{
+	return this->iv_size;
+}
+
+METHOD(crypter_t, get_key_size, size_t,
+	private_af_alg_crypter_t *this)
+{
+	return this->keymat_size;
+}
+
+METHOD(crypter_t, set_key, void,
+	private_af_alg_crypter_t *this, chunk_t key)
+{
+	this->ops->set_key(this->ops, key);
+}
+
+METHOD(crypter_t, destroy, void,
+	private_af_alg_crypter_t *this)
+{
+	this->ops->destroy(this->ops);
+	free(this);
+}
+
+/*
+ * Described in header
+ */
+af_alg_crypter_t *af_alg_crypter_create(encryption_algorithm_t algo,
+										size_t key_size)
+{
+	private_af_alg_crypter_t *this;
+	size_t block_size, keymat_size, iv_size;
+	char *name;
+
+	block_size = lookup_alg(algo, &name, key_size, &keymat_size, &iv_size);
+	if (!block_size)
+	{	/* not supported by kernel */
+		return NULL;
+	}
+
+	INIT(this,
+		.public = {
+			.crypter = {
+				.encrypt = _encrypt,
+				.decrypt = _decrypt,
+				.get_block_size = _get_block_size,
+				.get_iv_size = _get_iv_size,
+				.get_key_size = _get_key_size,
+				.set_key = _set_key,
+				.destroy = _destroy,
+			},
+		},
+		.block_size = block_size,
+		.keymat_size = keymat_size,
+		.iv_size = iv_size,
+		.ops = af_alg_ops_create("skcipher", name),
+	);
+
+	if (!this->ops)
+	{
+		free(this);
+		return NULL;
+	}
+	return &this->public;
+}
diff --git a/src/libstrongswan/plugins/af_alg/af_alg_crypter.h b/src/libstrongswan/plugins/af_alg/af_alg_crypter.h
new file mode 100644
index 000000000..711d2fc35
--- /dev/null
+++ b/src/libstrongswan/plugins/af_alg/af_alg_crypter.h
@@ -0,0 +1,54 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup af_alg_crypter af_alg_crypter
+ * @{ @ingroup af_alg
+ */
+
+#ifndef AF_ALG_CRYPTER_H_
+#define AF_ALG_CRYPTER_H_
+
+typedef struct af_alg_crypter_t af_alg_crypter_t;
+
+#include <crypto/crypters/crypter.h>
+
+/**
+ * Implementation of signers using AF_ALG.
+ */
+struct af_alg_crypter_t {
+
+	/**
+	 * The crypter_t interface.
+	 */
+	crypter_t crypter;
+};
+
+/**
+ * Constructor to create af_alg_crypter_t.
+ *
+ * @param algo			algorithm to implement
+ * @param key_size		key size in bytes
+ * @return				af_alg_crypter_t, NULL if not supported
+ */
+af_alg_crypter_t *af_alg_crypter_create(encryption_algorithm_t algo,
+										size_t key_size);
+
+/**
+ * Probe algorithms and register af_alg_crypter_create().
+ */
+void af_alg_crypter_probe();
+
+#endif /** AF_ALG_CRYPTER_H_ @}*/
diff --git a/src/libstrongswan/plugins/af_alg/af_alg_hasher.c b/src/libstrongswan/plugins/af_alg/af_alg_hasher.c
new file mode 100644
index 000000000..7c6297d44
--- /dev/null
+++ b/src/libstrongswan/plugins/af_alg/af_alg_hasher.c
@@ -0,0 +1,170 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "af_alg_hasher.h"
+#include "af_alg_ops.h"
+
+typedef struct private_af_alg_hasher_t private_af_alg_hasher_t;
+
+/**
+ * Private data of af_alg_hasher_t
+ */
+struct private_af_alg_hasher_t {
+
+	/**
+	 * Public part of this class.
+	 */
+	af_alg_hasher_t public;
+
+	/**
+	 * AF_ALG operations
+	 */
+	af_alg_ops_t *ops;
+
+	/**
+	 * Size of the hash
+	 */
+	size_t size;
+};
+
+/**
+ * Algorithm database
+ */
+static struct {
+	hash_algorithm_t id;
+	char *name;
+	size_t size;
+} algs[] = {
+	{HASH_SHA1,			"sha1",			HASH_SIZE_SHA1		},
+	{HASH_MD5,			"md5",			HASH_SIZE_MD5 		},
+	{HASH_SHA224,		"sha224",		HASH_SIZE_SHA224	},
+	{HASH_SHA256,		"sha256",		HASH_SIZE_SHA256	},
+	{HASH_SHA384,		"sha384",		HASH_SIZE_SHA384	},
+	{HASH_SHA512,		"sha512",		HASH_SIZE_SHA512	},
+	{HASH_MD4,			"md4",			HASH_SIZE_MD4 		},
+};
+
+/**
+ * See header.
+ */
+void af_alg_hasher_probe()
+{
+	af_alg_ops_t *ops;
+	int i;
+
+	for (i = 0; i < countof(algs); i++)
+	{
+		ops = af_alg_ops_create("hash", algs[i].name);
+		if (ops)
+		{
+			ops->destroy(ops);
+			lib->crypto->add_hasher(lib->crypto, algs[i].id, af_alg_plugin_name,
+							(hasher_constructor_t)af_alg_hasher_create);
+		}
+	}
+}
+
+/**
+ * Get the kernel algorithm string and hash size for our identifier
+ */
+static size_t lookup_alg(hash_algorithm_t algo, char **name)
+{
+	int i;
+
+	for (i = 0; i < countof(algs); i++)
+	{
+		if (algs[i].id == algo)
+		{
+			*name = algs[i].name;
+			return algs[i].size;
+		}
+	}
+	return 0;
+}
+
+METHOD(hasher_t, get_hash_size, size_t,
+	private_af_alg_hasher_t *this)
+{
+	return this->size;
+}
+
+METHOD(hasher_t, reset, void,
+	private_af_alg_hasher_t *this)
+{
+	this->ops->reset(this->ops);
+}
+
+METHOD(hasher_t, get_hash, void,
+	private_af_alg_hasher_t *this, chunk_t chunk, u_int8_t *hash)
+{
+	this->ops->hash(this->ops, chunk, hash, this->size);
+}
+
+METHOD(hasher_t, allocate_hash, void,
+	private_af_alg_hasher_t *this, chunk_t chunk, chunk_t *hash)
+{
+	if (hash)
+	{
+		*hash = chunk_alloc(get_hash_size(this));
+		get_hash(this, chunk, hash->ptr);
+	}
+	else
+	{
+		get_hash(this, chunk, NULL);
+	}
+}
+
+METHOD(hasher_t, destroy, void,
+	private_af_alg_hasher_t *this)
+{
+	this->ops->destroy(this->ops);
+	free(this);
+}
+
+/*
+ * Described in header
+ */
+af_alg_hasher_t *af_alg_hasher_create(hash_algorithm_t algo)
+{
+	private_af_alg_hasher_t *this;
+	char *name;
+	size_t size;
+
+	size = lookup_alg(algo, &name);
+	if (!size)
+	{	/* not supported by kernel */
+		return NULL;
+	}
+
+	INIT(this,
+		.public = {
+			.hasher = {
+				.get_hash = _get_hash,
+				.allocate_hash = _allocate_hash,
+				.get_hash_size = _get_hash_size,
+				.reset = _reset,
+				.destroy = _destroy,
+			},
+		},
+		.ops = af_alg_ops_create("hash", name),
+		.size = size,
+	);
+	if (!this->ops)
+	{
+		free(this);
+		return NULL;
+	}
+	return &this->public;
+}
diff --git a/src/libstrongswan/plugins/af_alg/af_alg_hasher.h b/src/libstrongswan/plugins/af_alg/af_alg_hasher.h
new file mode 100644
index 000000000..e0833e23a
--- /dev/null
+++ b/src/libstrongswan/plugins/af_alg/af_alg_hasher.h
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup af_alg_hasher af_alg_hasher
+ * @{ @ingroup af_alg
+ */
+
+#ifndef af_alg_HASHER_H_
+#define af_alg_HASHER_H_
+
+typedef struct af_alg_hasher_t af_alg_hasher_t;
+
+#include <crypto/hashers/hasher.h>
+
+/**
+ * Implementation of hashers using AF_ALG.
+ */
+struct af_alg_hasher_t {
+
+	/**
+	 * Implements hasher_t interface.
+	 */
+	hasher_t hasher;
+};
+
+/**
+ * Constructor to create af_alg_hasher_t.
+ *
+ * @param algo			algorithm
+ * @return				af_alg_hasher_t, NULL if not supported
+ */
+af_alg_hasher_t *af_alg_hasher_create(hash_algorithm_t algo);
+
+/**
+ * Probe algorithms and register af_alg_hasher_create().
+ */
+void af_alg_hasher_probe();
+
+#endif /** af_alg_HASHER_H_ @}*/
diff --git a/src/libstrongswan/plugins/af_alg/af_alg_ops.c b/src/libstrongswan/plugins/af_alg/af_alg_ops.c
new file mode 100644
index 000000000..7bf1d90db
--- /dev/null
+++ b/src/libstrongswan/plugins/af_alg/af_alg_ops.c
@@ -0,0 +1,226 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "af_alg_ops.h"
+
+#include <unistd.h>
+#include <errno.h>
+#include <linux/socket.h>
+
+#include <debug.h>
+
+const char *af_alg_plugin_name = "af-alg";
+
+typedef struct private_af_alg_ops_t private_af_alg_ops_t;
+
+/**
+ * Private data of an af_alg_ops_t object.
+ */
+struct private_af_alg_ops_t {
+
+	/**
+	 * Public af_alg_ops_t interface.
+	 */
+	af_alg_ops_t public;
+
+	/**
+	 * Transform FD
+	 */
+	int tfm;
+
+	/**
+	 * Operation FD
+	 */
+	int op;
+};
+
+METHOD(af_alg_ops_t, reset, void,
+	private_af_alg_ops_t *this)
+{
+	if (this->op != -1)
+	{
+		close(this->op);
+		this->op = -1;
+	}
+}
+
+METHOD(af_alg_ops_t, hash, void,
+	private_af_alg_ops_t *this, chunk_t data, char *out, size_t outlen)
+{
+	ssize_t len;
+
+	while (this->op == -1)
+	{
+		this->op = accept(this->tfm, NULL, 0);
+		if (this->op == -1)
+		{
+			DBG1(DBG_LIB, "opening AF_ALG hasher failed: %s", strerror(errno));
+			sleep(1);
+		}
+	}
+	do
+	{
+		len = send(this->op, data.ptr, data.len, out ? 0 : MSG_MORE);
+		if (len == -1)
+		{
+			DBG1(DBG_LIB, "writing to AF_ALG hasher failed: %s", strerror(errno));
+			sleep(1);
+		}
+		else
+		{
+			data = chunk_skip(data, len);
+		}
+	}
+	while (data.len);
+
+	if (out)
+	{
+		while (read(this->op, out, outlen) != outlen)
+		{
+			DBG1(DBG_LIB, "reading AF_ALG hasher failed: %s", strerror(errno));
+			sleep(1);
+		}
+		reset(this);
+	}
+}
+
+METHOD(af_alg_ops_t, crypt, void,
+	private_af_alg_ops_t *this, u_int32_t type, chunk_t iv, chunk_t data,
+	char *out)
+{
+	struct msghdr msg = {};
+	struct cmsghdr *cmsg;
+	struct af_alg_iv *ivm;
+	struct iovec iov;
+	char buf[CMSG_SPACE(sizeof(type)) +
+			 CMSG_SPACE(offsetof(struct af_alg_iv, iv) + iv.len)];
+	ssize_t len;
+	int op;
+
+	while ((op = accept(this->tfm, NULL, 0)) == -1)
+	{
+		DBG1(DBG_LIB, "accepting AF_ALG crypter failed: %s", strerror(errno));
+		sleep(1);
+	}
+
+	memset(buf, 0, sizeof(buf));
+
+	msg.msg_control = buf;
+	msg.msg_controllen = sizeof(buf);
+
+	cmsg = CMSG_FIRSTHDR(&msg);
+	cmsg->cmsg_level = SOL_ALG;
+	cmsg->cmsg_type = ALG_SET_OP;
+	cmsg->cmsg_len = CMSG_LEN(sizeof(type));
+	*(u_int32_t*)CMSG_DATA(cmsg) = type;
+
+	cmsg = CMSG_NXTHDR(&msg, cmsg);
+	cmsg->cmsg_level = SOL_ALG;
+	cmsg->cmsg_type = ALG_SET_IV;
+	cmsg->cmsg_len = CMSG_LEN(offsetof(struct af_alg_iv, iv) + iv.len);
+	ivm = (void*)CMSG_DATA(cmsg);
+	ivm->ivlen = iv.len;
+	memcpy(ivm->iv, iv.ptr, iv.len);
+
+	msg.msg_iov = &iov;
+	msg.msg_iovlen = 1;
+
+	while (data.len)
+	{
+		iov.iov_base = data.ptr;
+		iov.iov_len = data.len;
+
+		len = sendmsg(op, &msg, 0);
+		if (len == -1)
+		{
+			DBG1(DBG_LIB, "writing to AF_ALG crypter failed: %s",
+				 strerror(errno));
+			sleep(1);
+			continue;
+		}
+		if (read(op, out, len) != len)
+		{
+			DBG1(DBG_LIB, "reading from AF_ALG crypter failed: %s",
+				 strerror(errno));
+		}
+		data = chunk_skip(data, len);
+		/* no IV for subsequent data chunks */
+		msg.msg_controllen = 0;
+	}
+	close(op);
+}
+
+METHOD(af_alg_ops_t, set_key, void,
+	private_af_alg_ops_t *this, chunk_t key)
+{
+	if (setsockopt(this->tfm, SOL_ALG, ALG_SET_KEY, key.ptr, key.len) == -1)
+	{
+		DBG1(DBG_LIB, "setting AF_ALG key failed: %s", strerror(errno));
+	}
+}
+
+METHOD(af_alg_ops_t, destroy, void,
+	private_af_alg_ops_t *this)
+{
+	close(this->tfm);
+	if (this->op != -1)
+	{
+		close(this->op);
+	}
+	free(this);
+}
+
+/**
+ * See header
+ */
+af_alg_ops_t *af_alg_ops_create(char *type, char *alg)
+{
+	private_af_alg_ops_t *this;
+	struct sockaddr_alg sa = {
+		.salg_family = AF_ALG,
+	};
+
+	strncpy(sa.salg_type, type, sizeof(sa.salg_type));
+	strncpy(sa.salg_name, alg, sizeof(sa.salg_name));
+
+	INIT(this,
+		.public = {
+			.hash = _hash,
+			.reset = _reset,
+			.crypt = _crypt,
+			.set_key = _set_key,
+			.destroy = _destroy,
+		},
+		.tfm = socket(AF_ALG, SOCK_SEQPACKET, 0),
+		.op = -1,
+	);
+	if (this->tfm == -1)
+	{
+		DBG1(DBG_LIB, "opening AF_ALG socket failed: %s", strerror(errno));
+		free(this);
+		return NULL;
+	}
+	if (bind(this->tfm, (struct sockaddr*)&sa, sizeof(sa)) == -1)
+	{
+		if (errno != ENOENT)
+		{	/* fail silently if algorithm not supported */
+			DBG1(DBG_LIB, "binding AF_ALG socket for '%s' failed: %s",
+				 sa.salg_name, strerror(errno));
+		}
+		destroy(this);
+		return NULL;
+	}
+	return &this->public;
+}
diff --git a/src/libstrongswan/plugins/af_alg/af_alg_ops.h b/src/libstrongswan/plugins/af_alg/af_alg_ops.h
new file mode 100644
index 000000000..b7d642c00
--- /dev/null
+++ b/src/libstrongswan/plugins/af_alg/af_alg_ops.h
@@ -0,0 +1,92 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+* @defgroup af_alg_ops af_alg_ops
+ * @{ @ingroup af_alg
+ */
+
+#ifndef AF_ALG_OPS_H_
+#define AF_ALG_OPS_H_
+
+#include <library.h>
+
+#include <linux/if_alg.h>
+
+#ifndef AF_ALG
+#define AF_ALG 38
+#endif /* AF_ALG */
+
+#ifndef SOL_ALG
+#define SOL_ALG 279
+#endif /* SOL_ALG */
+
+extern const char *af_alg_plugin_name;
+
+typedef struct af_alg_ops_t af_alg_ops_t;
+
+/**
+ * Helper to run AF_ALG operations.
+ */
+struct af_alg_ops_t {
+
+	/**
+	 * Hash a chunk of data.
+	 *
+	 * @param data		data to hash
+	 * @param out		buffer to write hash to, NULL for append mode
+	 * @param outlen	number of bytes to read into out
+	 */
+	void (*hash)(af_alg_ops_t *this, chunk_t data, char *out, size_t outlen);
+
+	/**
+	 * Reset hasher state.
+	 */
+	void (*reset)(af_alg_ops_t *this);
+
+	/**
+	 * En-/Decrypt a chunk of data.
+	 *
+	 * @param type		crypto operation (ALG_OP_DECRYPT/ALG_OP_ENCRYPT)
+	 * @param iv		iv to use
+	 * @param data		data to encrypt/decrypt
+	 * @param out		buffer write processed data to
+	 */
+	void (*crypt)(af_alg_ops_t *this, u_int32_t type, chunk_t iv, chunk_t data,
+				  char *out);
+
+	/**
+	 * Set the key for en-/decryption or HMAC/XCBC operations.
+	 *
+	 * @param key		key to set for transform
+	 */
+	void (*set_key)(af_alg_ops_t *this, chunk_t key);
+
+	/**
+	 * Destroy a af_alg_ops_t.
+	 */
+	void (*destroy)(af_alg_ops_t *this);
+};
+
+/**
+ * Create a af_alg_ops instance.
+ *
+ * @param type			algorithm type (hash, skcipher)
+ * @param alg			algorithm name
+ * @return				TRUE if AF_ALG socket bound successfully
+ */
+af_alg_ops_t *af_alg_ops_create(char *type, char *alg);
+
+#endif /** AF_ALG_OPS_H_ @}*/
diff --git a/src/libstrongswan/plugins/af_alg/af_alg_plugin.c b/src/libstrongswan/plugins/af_alg/af_alg_plugin.c
new file mode 100644
index 000000000..54e39f1a0
--- /dev/null
+++ b/src/libstrongswan/plugins/af_alg/af_alg_plugin.c
@@ -0,0 +1,74 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "af_alg_plugin.h"
+
+#include <library.h>
+
+#include "af_alg_hasher.h"
+#include "af_alg_signer.h"
+#include "af_alg_prf.h"
+#include "af_alg_crypter.h"
+
+typedef struct private_af_alg_plugin_t private_af_alg_plugin_t;
+
+/**
+ * private data of af_alg_plugin
+ */
+struct private_af_alg_plugin_t {
+
+	/**
+	 * public functions
+	 */
+	af_alg_plugin_t public;
+};
+
+METHOD(plugin_t, destroy, void,
+	private_af_alg_plugin_t *this)
+{
+	lib->crypto->remove_hasher(lib->crypto,
+					(hasher_constructor_t)af_alg_hasher_create);
+	lib->crypto->remove_signer(lib->crypto,
+					(signer_constructor_t)af_alg_signer_create);
+	lib->crypto->remove_prf(lib->crypto,
+					(prf_constructor_t)af_alg_prf_create);
+	lib->crypto->remove_crypter(lib->crypto,
+					(crypter_constructor_t)af_alg_crypter_create);
+
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *af_alg_plugin_create()
+{
+	private_af_alg_plugin_t *this;
+
+	INIT(this,
+		.public = {
+			.plugin = {
+				.destroy = _destroy,
+			},
+		},
+	);
+
+	af_alg_hasher_probe();
+	af_alg_signer_probe();
+	af_alg_prf_probe();
+	af_alg_crypter_probe();
+
+	return &this->public.plugin;
+}
diff --git a/src/libstrongswan/plugins/af_alg/af_alg_plugin.h b/src/libstrongswan/plugins/af_alg/af_alg_plugin.h
new file mode 100644
index 000000000..18c069831
--- /dev/null
+++ b/src/libstrongswan/plugins/af_alg/af_alg_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup af_alg af_alg
+ * @ingroup plugins
+ *
+ * @defgroup af_alg_plugin af_alg_plugin
+ * @{ @ingroup af_alg
+ */
+
+#ifndef AF_ALG_PLUGIN_H_
+#define AF_ALG_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct af_alg_plugin_t af_alg_plugin_t;
+
+/**
+ * Plugin providing the AF_ALG interface to the Linux Crypto API.
+ */
+struct af_alg_plugin_t {
+
+	/**
+	 * Implements plugin interface.
+	 */
+	plugin_t plugin;
+};
+
+#endif /** AF_ALG_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/af_alg/af_alg_prf.c b/src/libstrongswan/plugins/af_alg/af_alg_prf.c
new file mode 100644
index 000000000..575906bae
--- /dev/null
+++ b/src/libstrongswan/plugins/af_alg/af_alg_prf.c
@@ -0,0 +1,211 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "af_alg_prf.h"
+#include "af_alg_ops.h"
+
+typedef struct private_af_alg_prf_t private_af_alg_prf_t;
+
+/**
+ * Private data of a af_alg_prf_t object.
+ */
+struct private_af_alg_prf_t {
+
+	/**
+	 * Public af_alg_prf_t interface.
+	 */
+	af_alg_prf_t public;
+
+	/**
+	 * AF_ALG operations
+	 */
+	af_alg_ops_t *ops;
+
+	/**
+	 * Size of the PRF output
+	 */
+	size_t block_size;
+
+	/**
+	 * Default key size
+	 */
+	size_t key_size;
+
+	/**
+	 * Using an XCBC algorithm?
+	 */
+	bool xcbc;
+};
+
+/**
+ * Algorithm database
+ */
+static struct {
+	pseudo_random_function_t id;
+	char *name;
+	size_t block_size;
+	bool xcbc;
+} algs[] = {
+	{PRF_HMAC_SHA1,			"hmac(sha1)",		20,		FALSE,	},
+	{PRF_HMAC_SHA2_256,		"hmac(sha256)",		32,		FALSE,	},
+	{PRF_HMAC_MD5,			"hmac(md5)",		16,		FALSE,	},
+	{PRF_HMAC_SHA2_384,		"hmac(sha384)",		48,		FALSE,	},
+	{PRF_HMAC_SHA2_512,		"hmac(sha512)",		64,		FALSE,	},
+	{PRF_AES128_XCBC,		"xcbc(aes)",		16,		TRUE,	},
+	{PRF_CAMELLIA128_XCBC,	"xcbc(camellia)",	16,		TRUE,	},
+};
+
+/**
+ * See header.
+ */
+void af_alg_prf_probe()
+{
+	af_alg_ops_t *ops;
+	int i;
+
+	for (i = 0; i < countof(algs); i++)
+	{
+		ops = af_alg_ops_create("hash", algs[i].name);
+		if (ops)
+		{
+			ops->destroy(ops);
+			lib->crypto->add_prf(lib->crypto, algs[i].id, af_alg_plugin_name,
+							(prf_constructor_t)af_alg_prf_create);
+		}
+	}
+}
+
+/**
+ * Get the kernel algorithm string and block size for our identifier
+ */
+static size_t lookup_alg(integrity_algorithm_t algo, char **name, bool *xcbc)
+{
+	int i;
+
+	for (i = 0; i < countof(algs); i++)
+	{
+		if (algs[i].id == algo)
+		{
+			*name = algs[i].name;
+			*xcbc = algs[i].xcbc;
+			return algs[i].block_size;
+		}
+	}
+	return 0;
+}
+
+METHOD(prf_t, get_bytes, void,
+	private_af_alg_prf_t *this, chunk_t seed, u_int8_t *buffer)
+{
+	this->ops->hash(this->ops, seed, buffer, this->block_size);
+}
+
+METHOD(prf_t, allocate_bytes, void,
+	private_af_alg_prf_t *this, chunk_t seed, chunk_t *chunk)
+{
+	if (chunk)
+	{
+		*chunk = chunk_alloc(this->block_size);
+		get_bytes(this, seed, chunk->ptr);
+	}
+	else
+	{
+		get_bytes(this, seed, NULL);
+	}
+}
+
+METHOD(prf_t, get_block_size, size_t,
+	private_af_alg_prf_t *this)
+{
+	return this->block_size;
+}
+
+METHOD(prf_t, get_key_size, size_t,
+	private_af_alg_prf_t *this)
+{
+	return this->block_size;
+}
+
+METHOD(prf_t, set_key, void,
+	private_af_alg_prf_t *this, chunk_t key)
+{
+	char buf[this->block_size];
+
+	if (this->xcbc)
+	{
+		/* The kernel currently does not support variable length XCBC keys,
+		 * do RFC4434 key padding/reduction manually. */
+		if (key.len < this->block_size)
+		{
+			memset(buf, 0, this->block_size);
+			memcpy(buf, key.ptr, key.len);
+			key = chunk_from_thing(buf);
+		}
+		else if (key.len > this->block_size)
+		{
+			memset(buf, 0, this->block_size);
+			this->ops->set_key(this->ops, chunk_from_thing(buf));
+			this->ops->hash(this->ops, key, buf, this->block_size);
+			key = chunk_from_thing(buf);
+		}
+	}
+	this->ops->set_key(this->ops, key);
+}
+
+METHOD(prf_t, destroy, void,
+	private_af_alg_prf_t *this)
+{
+	this->ops->destroy(this->ops);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+af_alg_prf_t *af_alg_prf_create(pseudo_random_function_t algo)
+{
+	private_af_alg_prf_t *this;
+	size_t block_size;
+	bool xcbc;
+	char *name;
+
+	block_size = lookup_alg(algo, &name, &xcbc);
+	if (!block_size)
+	{	/* not supported by kernel */
+		return NULL;
+	}
+
+	INIT(this,
+		.public = {
+			.prf = {
+				.get_bytes = _get_bytes,
+				.allocate_bytes = _allocate_bytes,
+				.get_block_size = _get_block_size,
+				.get_key_size = _get_key_size,
+				.set_key = _set_key,
+				.destroy = _destroy,
+			},
+		},
+		.ops = af_alg_ops_create("hash", name),
+		.block_size = block_size,
+		.xcbc = xcbc,
+	);
+	if (!this->ops)
+	{
+		free(this);
+		return NULL;
+	}
+	return &this->public;
+}
diff --git a/src/libstrongswan/plugins/af_alg/af_alg_prf.h b/src/libstrongswan/plugins/af_alg/af_alg_prf.h
new file mode 100644
index 000000000..a3dea5649
--- /dev/null
+++ b/src/libstrongswan/plugins/af_alg/af_alg_prf.h
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup af_alg_prf af_alg_prf
+ * @{ @ingroup af_alg
+ */
+
+#ifndef AF_ALG_PRF_H_
+#define AF_ALG_PRF_H_
+
+typedef struct af_alg_prf_t af_alg_prf_t;
+
+#include <crypto/prfs/prf.h>
+
+/**
+ * Implementation of PRFs using AF_ALG.
+ */
+struct af_alg_prf_t {
+
+	/**
+	 * Implements prf_t interface.
+	 */
+	prf_t prf;
+};
+
+/**
+ * Creates a new af_alg_prf_t object.
+ *
+ * @param algo		algorithm to implement
+ * @return			af_alg_prf_t object, NULL if hash not supported
+ */
+af_alg_prf_t *af_alg_prf_create(pseudo_random_function_t algo);
+
+/**
+ * Probe algorithms and register af_alg_prf_create().
+ */
+void af_alg_prf_probe();
+
+#endif /** AF_ALG_PRF_H_ @}*/
diff --git a/src/libstrongswan/plugins/af_alg/af_alg_signer.c b/src/libstrongswan/plugins/af_alg/af_alg_signer.c
new file mode 100644
index 000000000..3d6f907bf
--- /dev/null
+++ b/src/libstrongswan/plugins/af_alg/af_alg_signer.c
@@ -0,0 +1,206 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "af_alg_signer.h"
+#include "af_alg_ops.h"
+
+typedef struct private_af_alg_signer_t private_af_alg_signer_t;
+
+/**
+ * Private data structure with signing context.
+ */
+struct private_af_alg_signer_t {
+
+	/**
+	 * Public interface of af_alg_signer_t.
+	 */
+	af_alg_signer_t public;
+
+	/**
+	 * AF_ALG operations
+	 */
+	af_alg_ops_t *ops;
+
+	/**
+	 * Size of the truncated signature
+	 */
+	size_t block_size;
+
+	/**
+	 * Default key size
+	 */
+	size_t key_size;
+};
+
+/**
+ * Algorithm database
+ */
+static struct {
+	integrity_algorithm_t id;
+	char *name;
+	size_t block_size;
+	size_t key_size;
+} algs[] = {
+	{AUTH_HMAC_SHA1_96,			"hmac(sha1)",		12,		20,	},
+	{AUTH_HMAC_SHA1_128,		"hmac(sha1)",		16,		20,	},
+	{AUTH_HMAC_SHA1_160,		"hmac(sha1)",		20,		20,	},
+	{AUTH_HMAC_SHA2_256_96,		"hmac(sha256)",		12,		32,	},
+	{AUTH_HMAC_SHA2_256_128,	"hmac(sha256)",		16,		32,	},
+	{AUTH_HMAC_MD5_96,			"hmac(md5)",		12,		16,	},
+	{AUTH_HMAC_MD5_128,			"hmac(md5)",		16,		16,	},
+	{AUTH_HMAC_SHA2_256_256,	"hmac(sha384)",		32,		32,	},
+	{AUTH_HMAC_SHA2_384_192,	"hmac(sha384)",		24,		48,	},
+	{AUTH_HMAC_SHA2_384_384,	"hmac(sha384)",		48,		48,	},
+	{AUTH_HMAC_SHA2_512_256,	"hmac(sha512)",		32,		64,	},
+	{AUTH_AES_XCBC_96,			"xcbc(aes)",		12,		16,	},
+	{AUTH_CAMELLIA_XCBC_96,		"xcbc(camellia)",	12,		16,	},
+};
+
+/**
+ * See header.
+ */
+void af_alg_signer_probe()
+{
+	af_alg_ops_t *ops;
+	int i;
+
+	for (i = 0; i < countof(algs); i++)
+	{
+		ops = af_alg_ops_create("hash", algs[i].name);
+		if (ops)
+		{
+			ops->destroy(ops);
+			lib->crypto->add_signer(lib->crypto, algs[i].id, af_alg_plugin_name,
+							(signer_constructor_t)af_alg_signer_create);
+		}
+	}
+}
+
+/**
+ * Get the kernel algorithm string and block/key size for our identifier
+ */
+static size_t lookup_alg(integrity_algorithm_t algo, char **name,
+						 size_t *key_size)
+{
+	int i;
+
+	for (i = 0; i < countof(algs); i++)
+	{
+		if (algs[i].id == algo)
+		{
+			*name = algs[i].name;
+			*key_size = algs[i].key_size;
+			return algs[i].block_size;
+		}
+	}
+	return 0;
+}
+
+METHOD(signer_t, get_signature, void,
+	private_af_alg_signer_t *this, chunk_t data, u_int8_t *buffer)
+{
+	this->ops->hash(this->ops, data, buffer, this->block_size);
+}
+
+METHOD(signer_t, allocate_signature, void,
+	private_af_alg_signer_t *this, chunk_t data, chunk_t *chunk)
+{
+	if (chunk)
+	{
+		*chunk = chunk_alloc(this->block_size);
+		get_signature(this, data, chunk->ptr);
+	}
+	else
+	{
+		get_signature(this, data, NULL);
+	}
+}
+
+METHOD(signer_t, verify_signature, bool,
+	private_af_alg_signer_t *this, chunk_t data, chunk_t signature)
+{
+	char sig[this->block_size];
+
+	if (signature.len != this->block_size)
+	{
+		return FALSE;
+	}
+	get_signature(this, data, sig);
+	return memeq(signature.ptr, sig, signature.len);
+}
+
+METHOD(signer_t, get_key_size, size_t,
+	private_af_alg_signer_t *this)
+{
+	return this->key_size;
+}
+
+METHOD(signer_t, get_block_size, size_t,
+	private_af_alg_signer_t *this)
+{
+	return this->block_size;
+}
+
+METHOD(signer_t, set_key, void,
+	private_af_alg_signer_t *this, chunk_t key)
+{
+	this->ops->set_key(this->ops, key);
+}
+
+METHOD(signer_t, destroy, void,
+	private_af_alg_signer_t *this)
+{
+	this->ops->destroy(this->ops);
+	free(this);
+}
+
+/*
+ * Described in header
+ */
+af_alg_signer_t *af_alg_signer_create(integrity_algorithm_t algo)
+{
+	private_af_alg_signer_t *this;
+	size_t block_size, key_size;
+	char *name;
+
+	block_size = lookup_alg(algo, &name, &key_size);
+	if (!block_size)
+	{	/* not supported by kernel */
+		return NULL;
+	}
+
+	INIT(this,
+		.public = {
+			.signer = {
+				.get_signature = _get_signature,
+				.allocate_signature = _allocate_signature,
+				.verify_signature = _verify_signature,
+				.get_key_size = _get_key_size,
+				.get_block_size = _get_block_size,
+				.set_key = _set_key,
+				.destroy = _destroy,
+			},
+		},
+		.ops = af_alg_ops_create("hash", name),
+		.block_size = block_size,
+		.key_size = key_size,
+	);
+	if (!this->ops)
+	{
+		free(this);
+		return NULL;
+	}
+	return &this->public;
+}
diff --git a/src/libstrongswan/plugins/af_alg/af_alg_signer.h b/src/libstrongswan/plugins/af_alg/af_alg_signer.h
new file mode 100644
index 000000000..b1d90707f
--- /dev/null
+++ b/src/libstrongswan/plugins/af_alg/af_alg_signer.h
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup af_alg_signer af_alg_signer
+ * @{ @ingroup af_alg
+ */
+
+#ifndef AF_ALG_SIGNER_H_
+#define AF_ALG_SIGNER_H_
+
+typedef struct af_alg_signer_t af_alg_signer_t;
+
+#include <crypto/signers/signer.h>
+
+/**
+ * Implementation of signers using AF_ALG.
+ */
+struct af_alg_signer_t {
+
+	/**
+	 * Implements signer_t interface.
+	 */
+	signer_t signer;
+};
+
+/**
+ * Creates a new af_alg_signer_t.
+ *
+ * @param algo		algorithm to implement
+ * @return			af_alg_signer_t, NULL if  not supported
+ */
+af_alg_signer_t *af_alg_signer_create(integrity_algorithm_t algo);
+
+/**
+ * Probe algorithms and register af_alg_signer_create().
+ */
+void af_alg_signer_probe();
+
+#endif /** AF_ALG_SIGNER_H_ @}*/
diff --git a/src/libstrongswan/plugins/agent/Makefile.in b/src/libstrongswan/plugins/agent/Makefile.in
index 9f65f4ffb..1a3533f03 100644
--- a/src/libstrongswan/plugins/agent/Makefile.in
+++ b/src/libstrongswan/plugins/agent/Makefile.in
@@ -221,9 +221,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -262,6 +260,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libstrongswan/plugins/blowfish/Makefile.in b/src/libstrongswan/plugins/blowfish/Makefile.in
index d310843ac..251722f60 100644
--- a/src/libstrongswan/plugins/blowfish/Makefile.in
+++ b/src/libstrongswan/plugins/blowfish/Makefile.in
@@ -223,9 +223,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -264,6 +262,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libstrongswan/plugins/blowfish/blowfish_plugin.c b/src/libstrongswan/plugins/blowfish/blowfish_plugin.c
index 6ab093d7b..5232eca28 100644
--- a/src/libstrongswan/plugins/blowfish/blowfish_plugin.c
+++ b/src/libstrongswan/plugins/blowfish/blowfish_plugin.c
@@ -19,6 +19,8 @@
 #include <library.h>
 #include "blowfish_crypter.h"
 
+static const char *plugin_name = "blowfish";
+
 typedef struct private_blowfish_plugin_t private_blowfish_plugin_t;
 
 /**
@@ -55,7 +57,7 @@ plugin_t *blowfish_plugin_create()
 		},
 	);
 
-	lib->crypto->add_crypter(lib->crypto, ENCR_BLOWFISH,
+	lib->crypto->add_crypter(lib->crypto, ENCR_BLOWFISH, plugin_name,
 							 (crypter_constructor_t)blowfish_crypter_create);
 
 	return &this->public.plugin;
diff --git a/src/libstrongswan/plugins/ccm/Makefile.in b/src/libstrongswan/plugins/ccm/Makefile.in
index 017d75c48..371e5b2f4 100644
--- a/src/libstrongswan/plugins/ccm/Makefile.in
+++ b/src/libstrongswan/plugins/ccm/Makefile.in
@@ -219,9 +219,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -260,6 +258,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libstrongswan/plugins/ccm/ccm_plugin.c b/src/libstrongswan/plugins/ccm/ccm_plugin.c
index 5fc3b14d7..a4c89b548 100644
--- a/src/libstrongswan/plugins/ccm/ccm_plugin.c
+++ b/src/libstrongswan/plugins/ccm/ccm_plugin.c
@@ -19,6 +19,8 @@
 
 #include "ccm_aead.h"
 
+static const char *plugin_name = "ccm";
+
 typedef struct private_ccm_plugin_t private_ccm_plugin_t;
 
 /**
@@ -47,23 +49,34 @@ METHOD(plugin_t, destroy, void,
 plugin_t *ccm_plugin_create()
 {
 	private_ccm_plugin_t *this;
+	crypter_t *crypter;
 
 	INIT(this,
 		.public.plugin.destroy = _destroy,
 	);
 
-	lib->crypto->add_aead(lib->crypto, ENCR_AES_CCM_ICV8,
-					(aead_constructor_t)ccm_aead_create);
-	lib->crypto->add_aead(lib->crypto, ENCR_AES_CCM_ICV12,
-					(aead_constructor_t)ccm_aead_create);
-	lib->crypto->add_aead(lib->crypto, ENCR_AES_CCM_ICV16,
-					(aead_constructor_t)ccm_aead_create);
-	lib->crypto->add_aead(lib->crypto, ENCR_CAMELLIA_CCM_ICV8,
-					(aead_constructor_t)ccm_aead_create);
-	lib->crypto->add_aead(lib->crypto, ENCR_CAMELLIA_CCM_ICV12,
-					(aead_constructor_t)ccm_aead_create);
-	lib->crypto->add_aead(lib->crypto, ENCR_CAMELLIA_CCM_ICV16,
-					(aead_constructor_t)ccm_aead_create);
+	crypter = lib->crypto->create_crypter(lib->crypto, ENCR_AES_CBC, 0);
+	if (crypter)
+	{
+		crypter->destroy(crypter);
+		lib->crypto->add_aead(lib->crypto, ENCR_AES_CCM_ICV8, plugin_name,
+						(aead_constructor_t)ccm_aead_create);
+		lib->crypto->add_aead(lib->crypto, ENCR_AES_CCM_ICV12, plugin_name,
+						(aead_constructor_t)ccm_aead_create);
+		lib->crypto->add_aead(lib->crypto, ENCR_AES_CCM_ICV16, plugin_name,
+						(aead_constructor_t)ccm_aead_create);
+	}
+	crypter = lib->crypto->create_crypter(lib->crypto, ENCR_CAMELLIA_CBC, 0);
+	if (crypter)
+	{
+		crypter->destroy(crypter);
+		lib->crypto->add_aead(lib->crypto, ENCR_CAMELLIA_CCM_ICV8, plugin_name,
+						(aead_constructor_t)ccm_aead_create);
+		lib->crypto->add_aead(lib->crypto, ENCR_CAMELLIA_CCM_ICV12, plugin_name,
+						(aead_constructor_t)ccm_aead_create);
+		lib->crypto->add_aead(lib->crypto, ENCR_CAMELLIA_CCM_ICV16, plugin_name,
+						(aead_constructor_t)ccm_aead_create);
+	}
 
 	return &this->public.plugin;
 }
diff --git a/src/libstrongswan/plugins/constraints/Makefile.am b/src/libstrongswan/plugins/constraints/Makefile.am
new file mode 100644
index 000000000..d80d39a2d
--- /dev/null
+++ b/src/libstrongswan/plugins/constraints/Makefile.am
@@ -0,0 +1,16 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = -rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-constraints.la
+else
+plugin_LTLIBRARIES = libstrongswan-constraints.la
+endif
+
+libstrongswan_constraints_la_SOURCES = \
+	constraints_plugin.h constraints_plugin.c \
+	constraints_validator.h constraints_validator.c
+
+libstrongswan_constraints_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/constraints/Makefile.in b/src/libstrongswan/plugins/constraints/Makefile.in
new file mode 100644
index 000000000..382bfef98
--- /dev/null
+++ b/src/libstrongswan/plugins/constraints/Makefile.in
@@ -0,0 +1,604 @@
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libstrongswan/plugins/constraints
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_constraints_la_LIBADD =
+am_libstrongswan_constraints_la_OBJECTS = constraints_plugin.lo \
+	constraints_validator.lo
+libstrongswan_constraints_la_OBJECTS =  \
+	$(am_libstrongswan_constraints_la_OBJECTS)
+libstrongswan_constraints_la_LINK = $(LIBTOOL) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_constraints_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_constraints_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_constraints_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_constraints_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_constraints_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+AM_CFLAGS = -rdynamic
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-constraints.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-constraints.la
+libstrongswan_constraints_la_SOURCES = \
+	constraints_plugin.h constraints_plugin.c \
+	constraints_validator.h constraints_validator.c
+
+libstrongswan_constraints_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/constraints/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libstrongswan/plugins/constraints/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-constraints.la: $(libstrongswan_constraints_la_OBJECTS) $(libstrongswan_constraints_la_DEPENDENCIES) 
+	$(libstrongswan_constraints_la_LINK) $(am_libstrongswan_constraints_la_rpath) $(libstrongswan_constraints_la_OBJECTS) $(libstrongswan_constraints_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/constraints_plugin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/constraints_validator.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libstrongswan/plugins/constraints/constraints_plugin.c b/src/libstrongswan/plugins/constraints/constraints_plugin.c
new file mode 100644
index 000000000..1c3f0c835
--- /dev/null
+++ b/src/libstrongswan/plugins/constraints/constraints_plugin.c
@@ -0,0 +1,65 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "constraints_plugin.h"
+
+#include <library.h>
+#include "constraints_validator.h"
+
+typedef struct private_constraints_plugin_t private_constraints_plugin_t;
+
+/**
+ * private data of constraints_plugin
+ */
+struct private_constraints_plugin_t {
+
+	/**
+	 * public functions
+	 */
+	constraints_plugin_t public;
+
+	/**
+	 * Validator implementation instance.
+	 */
+	constraints_validator_t *validator;
+};
+
+METHOD(plugin_t, destroy, void,
+	private_constraints_plugin_t *this)
+{
+	lib->credmgr->remove_validator(lib->credmgr, &this->validator->validator);
+	this->validator->destroy(this->validator);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *constraints_plugin_create()
+{
+	private_constraints_plugin_t *this;
+
+	INIT(this,
+		.public = {
+			.plugin = {
+				.destroy = _destroy,
+			},
+		},
+		.validator = constraints_validator_create(),
+	);
+	lib->credmgr->add_validator(lib->credmgr, &this->validator->validator);
+
+	return &this->public.plugin;
+}
diff --git a/src/libstrongswan/plugins/constraints/constraints_plugin.h b/src/libstrongswan/plugins/constraints/constraints_plugin.h
new file mode 100644
index 000000000..7042a4d92
--- /dev/null
+++ b/src/libstrongswan/plugins/constraints/constraints_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup constraints constraints
+ * @ingroup plugins
+ *
+ * @defgroup constraints_plugin constraints_plugin
+ * @{ @ingroup constraints
+ */
+
+#ifndef CONSTRAINTS_PLUGIN_H_
+#define CONSTRAINTS_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct constraints_plugin_t constraints_plugin_t;
+
+/**
+ * Advanced X509 constraint checking.
+ */
+struct constraints_plugin_t {
+
+	/**
+	 * Implements plugin_t. interface.
+	 */
+	plugin_t plugin;
+};
+
+#endif /** CONSTRAINTS_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/constraints/constraints_validator.c b/src/libstrongswan/plugins/constraints/constraints_validator.c
new file mode 100644
index 000000000..b54d813df
--- /dev/null
+++ b/src/libstrongswan/plugins/constraints/constraints_validator.c
@@ -0,0 +1,578 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "constraints_validator.h"
+
+#include <debug.h>
+#include <asn1/asn1.h>
+#include <utils/linked_list.h>
+#include <credentials/certificates/x509.h>
+
+typedef struct private_constraints_validator_t private_constraints_validator_t;
+
+/**
+ * Private data of an constraints_validator_t object.
+ */
+struct private_constraints_validator_t {
+
+	/**
+	 * Public constraints_validator_t interface.
+	 */
+	constraints_validator_t public;
+};
+
+/**
+ * Check pathlen constraint of issuer certificate
+ */
+static bool check_pathlen(x509_t *issuer, int pathlen)
+{
+	u_int pathlen_constraint;
+
+	pathlen_constraint = issuer->get_constraint(issuer, X509_PATH_LEN);
+	if (pathlen_constraint != X509_NO_CONSTRAINT &&
+		pathlen > pathlen_constraint)
+	{
+		DBG1(DBG_CFG, "path length of %d violates constraint of %d",
+			 pathlen, pathlen_constraint);
+		return FALSE;
+	}
+	return TRUE;
+}
+
+/**
+ * Check if a FQDN/RFC822 constraint matches (suffix match)
+ */
+static bool suffix_matches(identification_t *constraint, identification_t *id)
+{
+	chunk_t c, i;
+
+	c = constraint->get_encoding(constraint);
+	i = id->get_encoding(id);
+
+	return i.len >= c.len && chunk_equals(c, chunk_skip(i, i.len - c.len));
+}
+
+/**
+ * Check if a DN constraint matches (RDN prefix match)
+ */
+static bool dn_matches(identification_t *constraint, identification_t *id)
+{
+	enumerator_t *ec, *ei;
+	id_part_t pc, pi;
+	chunk_t cc, ci;
+	bool match = TRUE;
+
+	ec = constraint->create_part_enumerator(constraint);
+	ei = id->create_part_enumerator(id);
+	while (ec->enumerate(ec, &pc, &cc))
+	{
+		if (!ei->enumerate(ei, &pi, &ci) ||
+			pi != pc || !chunk_equals(cc, ci))
+		{
+			match = FALSE;
+			break;
+		}
+	}
+	ec->destroy(ec);
+	ei->destroy(ei);
+
+	return match;
+}
+
+/**
+ * Check if a certificate matches to a NameConstraint
+ */
+static bool name_constraint_matches(identification_t *constraint,
+									certificate_t *cert, bool permitted)
+{
+	x509_t *x509 = (x509_t*)cert;
+	enumerator_t *enumerator;
+	identification_t *id;
+	id_type_t type;
+	bool matches = permitted;
+
+	type = constraint->get_type(constraint);
+	if (type == ID_DER_ASN1_DN)
+	{
+		matches = dn_matches(constraint, cert->get_subject(cert));
+		if (matches != permitted)
+		{
+			return matches;
+		}
+	}
+
+	enumerator = x509->create_subjectAltName_enumerator(x509);
+	while (enumerator->enumerate(enumerator, &id))
+	{
+		if (id->get_type(id) == type)
+		{
+			switch (type)
+			{
+				case ID_FQDN:
+				case ID_RFC822_ADDR:
+					matches = suffix_matches(constraint, id);
+					break;
+				case ID_DER_ASN1_DN:
+					matches = dn_matches(constraint, id);
+					break;
+				default:
+					DBG1(DBG_CFG, "%N NameConstraint matching not implemented",
+						 id_type_names, type);
+					matches = FALSE;
+					break;
+			}
+		}
+		if (matches != permitted)
+		{
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	return matches;
+}
+
+/**
+ * Check if a permitted or excluded NameConstraint has been inherited to sub-CA
+ */
+static bool name_constraint_inherited(identification_t *constraint,
+									  x509_t *x509, bool permitted)
+{
+	enumerator_t *enumerator;
+	identification_t *id;
+	bool inherited = FALSE;
+	id_type_t type;
+
+	if (!(x509->get_flags(x509) & X509_CA))
+	{	/* not a sub-CA, not required */
+		return TRUE;
+	}
+
+	type = constraint->get_type(constraint);
+	enumerator = x509->create_name_constraint_enumerator(x509, permitted);
+	while (enumerator->enumerate(enumerator, &id))
+	{
+		if (id->get_type(id) == type)
+		{
+			switch (type)
+			{
+				case ID_FQDN:
+				case ID_RFC822_ADDR:
+					if (permitted)
+					{	/* permitted constraint can be narrowed */
+						inherited = suffix_matches(constraint, id);
+					}
+					else
+					{	/* excluded constraint can be widened */
+						inherited = suffix_matches(id, constraint);
+					}
+					break;
+				case ID_DER_ASN1_DN:
+					if (permitted)
+					{
+						inherited = dn_matches(constraint, id);
+					}
+					else
+					{
+						inherited = dn_matches(id, constraint);
+					}
+					break;
+				default:
+					DBG1(DBG_CFG, "%N NameConstraint matching not implemented",
+						 id_type_names, type);
+					inherited = FALSE;
+					break;
+			}
+		}
+		if (inherited)
+		{
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return inherited;
+}
+
+/**
+ * Check name constraints
+ */
+static bool check_name_constraints(certificate_t *subject, x509_t *issuer)
+{
+	enumerator_t *enumerator;
+	identification_t *constraint;
+
+	enumerator = issuer->create_name_constraint_enumerator(issuer, TRUE);
+	while (enumerator->enumerate(enumerator, &constraint))
+	{
+		if (!name_constraint_matches(constraint, subject, TRUE))
+		{
+			DBG1(DBG_CFG, "certificate '%Y' does not match permitted name "
+				 "constraint '%Y'", subject->get_subject(subject), constraint);
+			enumerator->destroy(enumerator);
+			return FALSE;
+		}
+		if (!name_constraint_inherited(constraint, (x509_t*)subject, TRUE))
+		{
+			DBG1(DBG_CFG, "intermediate CA '%Y' does not inherit permitted name "
+				 "constraint '%Y'", subject->get_subject(subject), constraint);
+			enumerator->destroy(enumerator);
+			return FALSE;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	enumerator = issuer->create_name_constraint_enumerator(issuer, FALSE);
+	while (enumerator->enumerate(enumerator, &constraint))
+	{
+		if (name_constraint_matches(constraint, subject, FALSE))
+		{
+			DBG1(DBG_CFG, "certificate '%Y' matches excluded name "
+				 "constraint '%Y'", subject->get_subject(subject), constraint);
+			enumerator->destroy(enumerator);
+			return FALSE;
+		}
+		if (!name_constraint_inherited(constraint, (x509_t*)subject, FALSE))
+		{
+			DBG1(DBG_CFG, "intermediate CA '%Y' does not inherit excluded name "
+				 "constraint '%Y'", subject->get_subject(subject), constraint);
+			enumerator->destroy(enumerator);
+			return FALSE;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return TRUE;
+}
+
+/**
+ * Special OID for anyPolicy
+ */
+static chunk_t any_policy = chunk_from_chars(0x55,0x1d,0x20,0x00);
+
+/**
+ * Check if an issuer certificate has a given policy OID
+ */
+static bool has_policy(x509_t *issuer, chunk_t oid)
+{
+	x509_policy_mapping_t *mapping;
+	x509_cert_policy_t *policy;
+	enumerator_t *enumerator;
+
+	enumerator = issuer->create_cert_policy_enumerator(issuer);
+	while (enumerator->enumerate(enumerator, &policy))
+	{
+		if (chunk_equals(oid, policy->oid) ||
+			chunk_equals(any_policy, policy->oid))
+		{
+			enumerator->destroy(enumerator);
+			return TRUE;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	/* fall back to a mapped policy */
+	enumerator = issuer->create_policy_mapping_enumerator(issuer);
+	while (enumerator->enumerate(enumerator, &mapping))
+	{
+		if (chunk_equals(mapping->subject, oid))
+		{
+			enumerator->destroy(enumerator);
+			return TRUE;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return FALSE;
+}
+
+/**
+ * Check certificatePolicies.
+ */
+static bool check_policy(x509_t *subject, x509_t *issuer, bool check,
+						 auth_cfg_t *auth)
+{
+	certificate_t *cert = (certificate_t*)subject;
+	x509_policy_mapping_t *mapping;
+	x509_cert_policy_t *policy;
+	enumerator_t *enumerator;
+	char *oid;
+
+	/* verify if policyMappings in subject are valid */
+	enumerator = subject->create_policy_mapping_enumerator(subject);
+	while (enumerator->enumerate(enumerator, &mapping))
+	{
+		if (!has_policy(issuer, mapping->issuer))
+		{
+			oid = asn1_oid_to_string(mapping->issuer);
+			DBG1(DBG_CFG, "certificate '%Y' maps policy from %s, but issuer "
+				 "misses it", cert->get_subject(cert), oid);
+			free(oid);
+			enumerator->destroy(enumerator);
+			return FALSE;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	if (check)
+	{
+		enumerator = subject->create_cert_policy_enumerator(subject);
+		while (enumerator->enumerate(enumerator, &policy))
+		{
+			if (!has_policy(issuer, policy->oid))
+			{
+				oid = asn1_oid_to_string(policy->oid);
+				DBG1(DBG_CFG, "policy %s missing in issuing certificate '%Y'",
+					 oid, cert->get_issuer(cert));
+				free(oid);
+				enumerator->destroy(enumerator);
+				return FALSE;
+			}
+			if (auth)
+			{
+				oid = asn1_oid_to_string(policy->oid);
+				if (oid)
+				{
+					auth->add(auth, AUTH_RULE_CERT_POLICY, oid);
+				}
+			}
+		}
+		enumerator->destroy(enumerator);
+	}
+
+	return TRUE;
+}
+
+/**
+ * Check len certificates in trustchain for inherited policies
+ */
+static bool has_policy_chain(linked_list_t *chain, x509_t *subject, int len)
+{
+	enumerator_t *enumerator;
+	x509_t *issuer;
+	bool valid = TRUE;
+
+	enumerator = chain->create_enumerator(chain);
+	while (len-- > 0 && enumerator->enumerate(enumerator, &issuer))
+	{
+		if (!check_policy(subject, issuer, TRUE, NULL))
+		{
+			valid = FALSE;
+			break;
+		}
+		subject = issuer;
+	}
+	enumerator->destroy(enumerator);
+	return valid;
+}
+
+/**
+ * Check len certificates in trustchain to have no policyMappings
+ */
+static bool has_no_policy_mapping(linked_list_t *chain, int len)
+{
+	enumerator_t *enumerator, *mappings;
+	x509_policy_mapping_t *mapping;
+	certificate_t *cert;
+	x509_t *x509;
+	bool valid = TRUE;
+
+	enumerator = chain->create_enumerator(chain);
+	while (len-- > 0 && enumerator->enumerate(enumerator, &x509))
+	{
+		mappings = x509->create_policy_mapping_enumerator(x509);
+		valid = !mappings->enumerate(mappings, &mapping);
+		mappings->destroy(mappings);
+		if (!valid)
+		{
+			cert = (certificate_t*)x509;
+			DBG1(DBG_CFG, "found policyMapping in certificate '%Y', but "
+				 "inhibitPolicyMapping in effect", cert->get_subject(cert));
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return valid;
+}
+
+/**
+ * Check len certificates in trustchain to have no anyPolicies
+ */
+static bool has_no_any_policy(linked_list_t *chain, int len)
+{
+	enumerator_t *enumerator, *policies;
+	x509_cert_policy_t *policy;
+	certificate_t *cert;
+	x509_t *x509;
+	bool valid = TRUE;
+
+	enumerator = chain->create_enumerator(chain);
+	while (len-- > 0 && enumerator->enumerate(enumerator, &x509))
+	{
+		policies = x509->create_cert_policy_enumerator(x509);
+		while (policies->enumerate(policies, &policy))
+		{
+			if (chunk_equals(policy->oid, any_policy))
+			{
+				cert = (certificate_t*)x509;
+				DBG1(DBG_CFG, "found anyPolicy in certificate '%Y', but "
+					 "inhibitAnyPolicy in effect", cert->get_subject(cert));
+				valid = FALSE;
+				break;
+			}
+		}
+		policies->destroy(policies);
+	}
+	enumerator->destroy(enumerator);
+	return valid;
+}
+
+/**
+ * Check requireExplicitPolicy and inhibitPolicyMapping constraints
+ */
+static bool check_policy_constraints(x509_t *issuer, u_int pathlen,
+									 auth_cfg_t *auth)
+{
+	certificate_t *subject;
+	bool valid = TRUE;
+
+	subject = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
+	if (subject)
+	{
+		if (subject->get_type(subject) == CERT_X509)
+		{
+			enumerator_t *enumerator;
+			linked_list_t *chain;
+			certificate_t *cert;
+			auth_rule_t rule;
+			x509_t *x509;
+			int len = 0;
+			u_int expl, inh;
+
+			/* prepare trustchain to validate */
+			chain = linked_list_create();
+			enumerator = auth->create_enumerator(auth);
+			while (enumerator->enumerate(enumerator, &rule, &cert))
+			{
+				if (rule == AUTH_RULE_IM_CERT &&
+					cert->get_type(cert) == CERT_X509)
+				{
+					chain->insert_last(chain, cert);
+				}
+			}
+			enumerator->destroy(enumerator);
+			chain->insert_last(chain, issuer);
+
+			/* search for requireExplicitPolicy constraints */
+			enumerator = chain->create_enumerator(chain);
+			while (enumerator->enumerate(enumerator, &x509))
+			{
+				expl = x509->get_constraint(x509, X509_REQUIRE_EXPLICIT_POLICY);
+				if (expl != X509_NO_CONSTRAINT)
+				{
+					if (!has_policy_chain(chain, (x509_t*)subject, len - expl))
+					{
+						valid = FALSE;
+						break;
+					}
+				}
+				len++;
+			}
+			enumerator->destroy(enumerator);
+
+			/* search for inhibitPolicyMapping/inhibitAnyPolicy constraints */
+			len = 0;
+			chain->insert_first(chain, subject);
+			enumerator = chain->create_enumerator(chain);
+			while (enumerator->enumerate(enumerator, &x509))
+			{
+				inh = x509->get_constraint(x509, X509_INHIBIT_POLICY_MAPPING);
+				if (inh != X509_NO_CONSTRAINT)
+				{
+					if (!has_no_policy_mapping(chain, len - inh))
+					{
+						valid = FALSE;
+						break;
+					}
+				}
+				inh = x509->get_constraint(x509, X509_INHIBIT_ANY_POLICY);
+				if (inh != X509_NO_CONSTRAINT)
+				{
+					if (!has_no_any_policy(chain, len - inh))
+					{
+						valid = FALSE;
+						break;
+					}
+				}
+				len++;
+			}
+			enumerator->destroy(enumerator);
+
+			chain->destroy(chain);
+		}
+	}
+	return valid;
+}
+
+METHOD(cert_validator_t, validate, bool,
+	private_constraints_validator_t *this, certificate_t *subject,
+	certificate_t *issuer, bool online, u_int pathlen, bool anchor,
+	auth_cfg_t *auth)
+{
+	if (issuer->get_type(issuer) == CERT_X509 &&
+		subject->get_type(subject) == CERT_X509)
+	{
+		if (!check_pathlen((x509_t*)issuer, pathlen))
+		{
+			return FALSE;
+		}
+		if (!check_name_constraints(subject, (x509_t*)issuer))
+		{
+			return FALSE;
+		}
+		if (!check_policy((x509_t*)subject, (x509_t*)issuer, !pathlen, auth))
+		{
+			return FALSE;
+		}
+		if (anchor)
+		{
+			if (!check_policy_constraints((x509_t*)issuer, pathlen, auth))
+			{
+				return FALSE;
+			}
+		}
+	}
+	return TRUE;
+}
+
+METHOD(constraints_validator_t, destroy, void,
+	private_constraints_validator_t *this)
+{
+	free(this);
+}
+
+/**
+ * See header
+ */
+constraints_validator_t *constraints_validator_create()
+{
+	private_constraints_validator_t *this;
+
+	INIT(this,
+		.public = {
+			.validator.validate = _validate,
+			.destroy = _destroy,
+		},
+	);
+
+	return &this->public;
+}
diff --git a/src/libstrongswan/plugins/constraints/constraints_validator.h b/src/libstrongswan/plugins/constraints/constraints_validator.h
new file mode 100644
index 000000000..44582d6c8
--- /dev/null
+++ b/src/libstrongswan/plugins/constraints/constraints_validator.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup constraints_validator constraints_validator
+ * @{ @ingroup constraints
+ */
+
+#ifndef CONSTRAINTS_VALIDATOR_H_
+#define CONSTRAINTS_VALIDATOR_H_
+
+#include <credentials/cert_validator.h>
+
+typedef struct constraints_validator_t constraints_validator_t;
+
+/**
+ * Certificate validator doing advanced X509 constraint checking.
+ */
+struct constraints_validator_t {
+
+	/**
+	 * Implements cert_validator_t interface.
+	 */
+	cert_validator_t validator;
+
+	/**
+	 * Destroy a constraints_validator_t.
+	 */
+	void (*destroy)(constraints_validator_t *this);
+};
+
+/**
+ * Create a constraints_validator instance.
+ */
+constraints_validator_t *constraints_validator_create();
+
+#endif /** CONSTRAINTS_VALIDATOR_H_ @}*/
diff --git a/src/libstrongswan/plugins/ctr/Makefile.in b/src/libstrongswan/plugins/ctr/Makefile.in
index b51f57113..2f6be07e2 100644
--- a/src/libstrongswan/plugins/ctr/Makefile.in
+++ b/src/libstrongswan/plugins/ctr/Makefile.in
@@ -219,9 +219,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -260,6 +258,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libstrongswan/plugins/ctr/ctr_plugin.c b/src/libstrongswan/plugins/ctr/ctr_plugin.c
index 5e47f23ec..9f1bf957f 100644
--- a/src/libstrongswan/plugins/ctr/ctr_plugin.c
+++ b/src/libstrongswan/plugins/ctr/ctr_plugin.c
@@ -19,6 +19,8 @@
 
 #include "ctr_ipsec_crypter.h"
 
+static const char *plugin_name = "ctr";
+
 typedef struct private_ctr_plugin_t private_ctr_plugin_t;
 
 /**
@@ -47,6 +49,7 @@ METHOD(plugin_t, destroy, void,
 plugin_t *ctr_plugin_create()
 {
 	private_ctr_plugin_t *this;
+	crypter_t *crypter;
 
 	INIT(this,
 		.public = {
@@ -56,10 +59,19 @@ plugin_t *ctr_plugin_create()
 		},
 	);
 
-	lib->crypto->add_crypter(lib->crypto, ENCR_AES_CTR,
-					(crypter_constructor_t)ctr_ipsec_crypter_create);
-	lib->crypto->add_crypter(lib->crypto, ENCR_CAMELLIA_CTR,
-					(crypter_constructor_t)ctr_ipsec_crypter_create);
-
+	crypter = lib->crypto->create_crypter(lib->crypto, ENCR_AES_CBC, 16);
+	if (crypter)
+	{
+		crypter->destroy(crypter);
+		lib->crypto->add_crypter(lib->crypto, ENCR_AES_CTR, plugin_name,
+						(crypter_constructor_t)ctr_ipsec_crypter_create);
+	}
+	crypter = lib->crypto->create_crypter(lib->crypto, ENCR_CAMELLIA_CBC, 16);
+	if (crypter)
+	{
+		crypter->destroy(crypter);
+		lib->crypto->add_crypter(lib->crypto, ENCR_CAMELLIA_CTR, plugin_name,
+						(crypter_constructor_t)ctr_ipsec_crypter_create);
+	}
 	return &this->public.plugin;
 }
diff --git a/src/libstrongswan/plugins/curl/Makefile.in b/src/libstrongswan/plugins/curl/Makefile.in
index 9cc99063c..e61c73041 100644
--- a/src/libstrongswan/plugins/curl/Makefile.in
+++ b/src/libstrongswan/plugins/curl/Makefile.in
@@ -219,9 +219,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -260,6 +258,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libstrongswan/plugins/curl/curl_fetcher.c b/src/libstrongswan/plugins/curl/curl_fetcher.c
index 4835f6461..82e24e810 100644
--- a/src/libstrongswan/plugins/curl/curl_fetcher.c
+++ b/src/libstrongswan/plugins/curl/curl_fetcher.c
@@ -104,6 +104,7 @@ METHOD(fetcher_t, fetch, status_t,
 METHOD(fetcher_t, set_option, bool,
 	private_curl_fetcher_t *this, fetcher_option_t option, ...)
 {
+	bool supported = TRUE;
 	va_list args;
 
 	va_start(args, option);
@@ -115,7 +116,7 @@ METHOD(fetcher_t, set_option, bool,
 
 			curl_easy_setopt(this->curl, CURLOPT_POSTFIELDS, (char*)data.ptr);
 			curl_easy_setopt(this->curl, CURLOPT_POSTFIELDSIZE, data.len);
-			return TRUE;
+			break;
 		}
 		case FETCH_REQUEST_TYPE:
 		{
@@ -124,30 +125,33 @@ METHOD(fetcher_t, set_option, bool,
 
 			snprintf(header, BUF_LEN, "Content-Type: %s", request_type);
 			this->headers = curl_slist_append(this->headers, header);
-			return TRUE;
+			break;
 		}
 		case FETCH_REQUEST_HEADER:
 		{
 			char *header = va_arg(args, char*);
 
 			this->headers = curl_slist_append(this->headers, header);
-			return TRUE;
+			break;
 		}
 		case FETCH_HTTP_VERSION_1_0:
 		{
 			curl_easy_setopt(this->curl, CURLOPT_HTTP_VERSION,
 							 CURL_HTTP_VERSION_1_0);
-			return TRUE;
+			break;
 		}
 		case FETCH_TIMEOUT:
 		{
 			curl_easy_setopt(this->curl, CURLOPT_CONNECTTIMEOUT,
 							 va_arg(args, u_int));
-			return TRUE;
+			break;
 		}
 		default:
-			return FALSE;
+			supported = FALSE;
+			break;
 	}
+	va_end(args);
+	return supported;
 }
 
 METHOD(fetcher_t, destroy, void,
diff --git a/src/libstrongswan/plugins/curl/curl_plugin.c b/src/libstrongswan/plugins/curl/curl_plugin.c
index e00fcfc03..387da03aa 100644
--- a/src/libstrongswan/plugins/curl/curl_plugin.c
+++ b/src/libstrongswan/plugins/curl/curl_plugin.c
@@ -34,10 +34,8 @@ struct private_curl_plugin_t {
 	curl_plugin_t public;
 };
 
-/**
- * Implementation of curl_plugin_t.curltroy
- */
-static void destroy(private_curl_plugin_t *this)
+METHOD(plugin_t, destroy, void,
+	private_curl_plugin_t *this)
 {
 	lib->fetcher->remove_fetcher(lib->fetcher,
 								 (fetcher_constructor_t)curl_fetcher_create);
@@ -51,9 +49,15 @@ static void destroy(private_curl_plugin_t *this)
 plugin_t *curl_plugin_create()
 {
 	CURLcode res;
-	private_curl_plugin_t *this = malloc_thing(private_curl_plugin_t);
+	private_curl_plugin_t *this;
 
-	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+	INIT(this,
+		.public = {
+			.plugin = {
+				.destroy = _destroy,
+			},
+		},
+	);
 
 	res = curl_global_init(CURL_GLOBAL_NOTHING);
 	if (res == CURLE_OK)
diff --git a/src/libstrongswan/plugins/des/Makefile.in b/src/libstrongswan/plugins/des/Makefile.in
index 0e8fa7315..e45988ca9 100644
--- a/src/libstrongswan/plugins/des/Makefile.in
+++ b/src/libstrongswan/plugins/des/Makefile.in
@@ -219,9 +219,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -260,6 +258,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libstrongswan/plugins/des/des_plugin.c b/src/libstrongswan/plugins/des/des_plugin.c
index 43b457ce2..d420d789e 100644
--- a/src/libstrongswan/plugins/des/des_plugin.c
+++ b/src/libstrongswan/plugins/des/des_plugin.c
@@ -18,6 +18,8 @@
 #include <library.h>
 #include "des_crypter.h"
 
+static const char *plugin_name = "des";
+
 typedef struct private_des_plugin_t private_des_plugin_t;
 
 /**
@@ -54,11 +56,11 @@ plugin_t *des_plugin_create()
 		},
 	);
 
-	lib->crypto->add_crypter(lib->crypto, ENCR_3DES,
+	lib->crypto->add_crypter(lib->crypto, ENCR_3DES, plugin_name,
 							 (crypter_constructor_t)des_crypter_create);
-	lib->crypto->add_crypter(lib->crypto, ENCR_DES,
+	lib->crypto->add_crypter(lib->crypto, ENCR_DES, plugin_name,
 							 (crypter_constructor_t)des_crypter_create);
-	lib->crypto->add_crypter(lib->crypto, ENCR_DES_ECB,
+	lib->crypto->add_crypter(lib->crypto, ENCR_DES_ECB, plugin_name,
 							 (crypter_constructor_t)des_crypter_create);
 
 	return &this->public.plugin;
diff --git a/src/libstrongswan/plugins/dnskey/Makefile.in b/src/libstrongswan/plugins/dnskey/Makefile.in
index 7f4529211..d1dce4679 100644
--- a/src/libstrongswan/plugins/dnskey/Makefile.in
+++ b/src/libstrongswan/plugins/dnskey/Makefile.in
@@ -222,9 +222,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -263,6 +261,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libstrongswan/plugins/dnskey/dnskey_plugin.c b/src/libstrongswan/plugins/dnskey/dnskey_plugin.c
index bc0ee30ae..d11b149df 100644
--- a/src/libstrongswan/plugins/dnskey/dnskey_plugin.c
+++ b/src/libstrongswan/plugins/dnskey/dnskey_plugin.c
@@ -31,10 +31,8 @@ struct private_dnskey_plugin_t {
 	dnskey_plugin_t public;
 };
 
-/**
- * Implementation of dnskey_plugin_t.dnskeytroy
- */
-static void destroy(private_dnskey_plugin_t *this)
+METHOD(plugin_t, destroy, void,
+	private_dnskey_plugin_t *this)
 {
 	lib->creds->remove_builder(lib->creds,
 							(builder_function_t)dnskey_public_key_load);
@@ -46,10 +44,15 @@ static void destroy(private_dnskey_plugin_t *this)
  */
 plugin_t *dnskey_plugin_create()
 {
-	private_dnskey_plugin_t *this = malloc_thing(private_dnskey_plugin_t);
-
-	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-
+	private_dnskey_plugin_t *this;
+
+	INIT(this,
+		.public = {
+			.plugin = {
+				.destroy = _destroy,
+			},
+		},
+	);
 	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_ANY, FALSE,
 							(builder_function_t)dnskey_public_key_load);
 	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_RSA, FALSE,
diff --git a/src/libstrongswan/plugins/fips_prf/Makefile.in b/src/libstrongswan/plugins/fips_prf/Makefile.in
index 7e2a1ccdf..ab1ed6d00 100644
--- a/src/libstrongswan/plugins/fips_prf/Makefile.in
+++ b/src/libstrongswan/plugins/fips_prf/Makefile.in
@@ -222,9 +222,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -263,6 +261,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libstrongswan/plugins/fips_prf/fips_prf.c b/src/libstrongswan/plugins/fips_prf/fips_prf.c
index ad03fa585..ee71f6efd 100644
--- a/src/libstrongswan/plugins/fips_prf/fips_prf.c
+++ b/src/libstrongswan/plugins/fips_prf/fips_prf.c
@@ -106,7 +106,8 @@ static void chunk_mod(size_t length, chunk_t chunk, u_int8_t buffer[])
  * 0xcb, 0x0f, 0x6c, 0x55, 0xba, 0xbb, 0x13, 0x78,
  * 0x8e, 0x20, 0xd7, 0x37, 0xa3, 0x27, 0x51, 0x16
  */
-static void get_bytes(private_fips_prf_t *this, chunk_t seed, u_int8_t w[])
+METHOD(prf_t, get_bytes, void,
+	private_fips_prf_t *this, chunk_t seed, u_int8_t w[])
 {
 	int i;
 	u_int8_t xval[this->b];
@@ -139,34 +140,26 @@ static void get_bytes(private_fips_prf_t *this, chunk_t seed, u_int8_t w[])
 	/* 3.3 done already, mod q not used */
 }
 
-/**
- * Implementation of prf_t.get_block_size.
- */
-static size_t get_block_size(private_fips_prf_t *this)
+METHOD(prf_t, get_block_size, size_t,
+	private_fips_prf_t *this)
 {
 	return 2 * this->b;
 }
-/**
- * Implementation of prf_t.allocate_bytes.
- */
-static void allocate_bytes(private_fips_prf_t *this, chunk_t seed, chunk_t *chunk)
+METHOD(prf_t, allocate_bytes, void,
+	private_fips_prf_t *this, chunk_t seed, chunk_t *chunk)
 {
 	*chunk = chunk_alloc(get_block_size(this));
 	get_bytes(this, seed, chunk->ptr);
 }
 
-/**
- * Implementation of prf_t.get_key_size.
- */
-static size_t get_key_size(private_fips_prf_t *this)
+METHOD(prf_t, get_key_size, size_t,
+	private_fips_prf_t *this)
 {
 	return this->b;
 }
 
-/**
- * Implementation of prf_t.set_key.
- */
-static void set_key(private_fips_prf_t *this, chunk_t key)
+METHOD(prf_t, set_key, void,
+	private_fips_prf_t *this, chunk_t key)
 {
 	/* save key as "key mod 2^b" */
 	chunk_mod(this->b, key, this->key);
@@ -198,10 +191,8 @@ void g_sha1(private_fips_prf_t *this, chunk_t c, u_int8_t res[])
 	this->keyed_prf->get_bytes(this->keyed_prf, c, res);
 }
 
-/**
- * Implementation of prf_t.destroy.
- */
-static void destroy(private_fips_prf_t *this)
+METHOD(prf_t, destroy, void,
+	private_fips_prf_t *this)
 {
 	this->keyed_prf->destroy(this->keyed_prf);
 	free(this->key);
@@ -213,14 +204,20 @@ static void destroy(private_fips_prf_t *this)
  */
 fips_prf_t *fips_prf_create(pseudo_random_function_t algo)
 {
-	private_fips_prf_t *this = malloc_thing(private_fips_prf_t);
-
-	this->public.prf_interface.get_bytes = (void (*) (prf_t *,chunk_t,u_int8_t*))get_bytes;
-	this->public.prf_interface.allocate_bytes = (void (*) (prf_t*,chunk_t,chunk_t*))allocate_bytes;
-	this->public.prf_interface.get_block_size = (size_t (*) (prf_t*))get_block_size;
-	this->public.prf_interface.get_key_size = (size_t (*) (prf_t*))get_key_size;
-	this->public.prf_interface.set_key = (void (*) (prf_t *,chunk_t))set_key;
-	this->public.prf_interface.destroy = (void (*) (prf_t *))destroy;
+	private_fips_prf_t *this;
+
+	INIT(this,
+		.public = {
+			.prf_interface = {
+				.get_bytes = _get_bytes,
+				.allocate_bytes = _allocate_bytes,
+				.get_block_size = _get_block_size,
+				.get_key_size = _get_key_size,
+				.set_key = _set_key,
+				.destroy = _destroy,
+			},
+		},
+	);
 
 	switch (algo)
 	{
diff --git a/src/libstrongswan/plugins/fips_prf/fips_prf_plugin.c b/src/libstrongswan/plugins/fips_prf/fips_prf_plugin.c
index f41265637..3cce6ad91 100644
--- a/src/libstrongswan/plugins/fips_prf/fips_prf_plugin.c
+++ b/src/libstrongswan/plugins/fips_prf/fips_prf_plugin.c
@@ -18,6 +18,8 @@
 #include <library.h>
 #include "fips_prf.h"
 
+static const char *plugin_name = "fips-prf";
+
 typedef struct private_fips_prf_plugin_t private_fips_prf_plugin_t;
 
 /**
@@ -31,10 +33,8 @@ struct private_fips_prf_plugin_t {
 	fips_prf_plugin_t public;
 };
 
-/**
- * Implementation of fips_prf_plugin_t.destroy
- */
-static void destroy(private_fips_prf_plugin_t *this)
+METHOD(plugin_t, destroy, void,
+	private_fips_prf_plugin_t *this)
 {
 	lib->crypto->remove_prf(lib->crypto,
 							(prf_constructor_t)fips_prf_create);
@@ -46,12 +46,24 @@ static void destroy(private_fips_prf_plugin_t *this)
  */
 plugin_t *fips_prf_plugin_create()
 {
-	private_fips_prf_plugin_t *this = malloc_thing(private_fips_prf_plugin_t);
+	private_fips_prf_plugin_t *this;
+	prf_t *prf;
 
-	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+	INIT(this,
+		.public = {
+			.plugin = {
+				.destroy = _destroy,
+			},
+		},
+	);
 
-	lib->crypto->add_prf(lib->crypto, PRF_FIPS_SHA1_160,
-						 (prf_constructor_t)fips_prf_create);
+	prf = lib->crypto->create_prf(lib->crypto, PRF_KEYED_SHA1);
+	if (prf)
+	{
+		prf->destroy(prf);
+		lib->crypto->add_prf(lib->crypto, PRF_FIPS_SHA1_160, plugin_name,
+							 (prf_constructor_t)fips_prf_create);
+	}
 
 	return &this->public.plugin;
 }
diff --git a/src/libstrongswan/plugins/gcm/Makefile.in b/src/libstrongswan/plugins/gcm/Makefile.in
index a4de9ea77..9e0b49776 100644
--- a/src/libstrongswan/plugins/gcm/Makefile.in
+++ b/src/libstrongswan/plugins/gcm/Makefile.in
@@ -219,9 +219,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -260,6 +258,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libstrongswan/plugins/gcm/gcm_plugin.c b/src/libstrongswan/plugins/gcm/gcm_plugin.c
index 061001b30..a438fb073 100644
--- a/src/libstrongswan/plugins/gcm/gcm_plugin.c
+++ b/src/libstrongswan/plugins/gcm/gcm_plugin.c
@@ -19,6 +19,8 @@
 
 #include "gcm_aead.h"
 
+static const char *plugin_name = "gcm";
+
 typedef struct private_gcm_plugin_t private_gcm_plugin_t;
 
 /**
@@ -47,17 +49,23 @@ METHOD(plugin_t, destroy, void,
 plugin_t *gcm_plugin_create()
 {
 	private_gcm_plugin_t *this;
+	crypter_t *crypter;
 
 	INIT(this,
 		.public.plugin.destroy = _destroy,
 	);
 
-	lib->crypto->add_aead(lib->crypto, ENCR_AES_GCM_ICV8,
-					(aead_constructor_t)gcm_aead_create);
-	lib->crypto->add_aead(lib->crypto, ENCR_AES_GCM_ICV12,
-					(aead_constructor_t)gcm_aead_create);
-	lib->crypto->add_aead(lib->crypto, ENCR_AES_GCM_ICV16,
-					(aead_constructor_t)gcm_aead_create);
+	crypter = lib->crypto->create_crypter(lib->crypto, ENCR_AES_CBC, 0);
+	if (crypter)
+	{
+		crypter->destroy(crypter);
+		lib->crypto->add_aead(lib->crypto, ENCR_AES_GCM_ICV8, plugin_name,
+						(aead_constructor_t)gcm_aead_create);
+		lib->crypto->add_aead(lib->crypto, ENCR_AES_GCM_ICV12, plugin_name,
+						(aead_constructor_t)gcm_aead_create);
+		lib->crypto->add_aead(lib->crypto, ENCR_AES_GCM_ICV16, plugin_name,
+						(aead_constructor_t)gcm_aead_create);
+	}
 
 	return &this->public.plugin;
 }
diff --git a/src/libstrongswan/plugins/gcrypt/Makefile.in b/src/libstrongswan/plugins/gcrypt/Makefile.in
index 00c49c487..1bcada7dc 100644
--- a/src/libstrongswan/plugins/gcrypt/Makefile.in
+++ b/src/libstrongswan/plugins/gcrypt/Makefile.in
@@ -223,9 +223,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -264,6 +262,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c b/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c
index 590add5c8..a53fed448 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c
@@ -29,6 +29,8 @@
 #include <errno.h>
 #include <gcrypt.h>
 
+static const char *plugin_name = "gcrypt";
+
 typedef struct private_gcrypt_plugin_t private_gcrypt_plugin_t;
 
 /**
@@ -148,79 +150,79 @@ plugin_t *gcrypt_plugin_create()
 	);
 
 	/* hashers */
-	lib->crypto->add_hasher(lib->crypto, HASH_SHA1,
+	lib->crypto->add_hasher(lib->crypto, HASH_SHA1, plugin_name,
 					(hasher_constructor_t)gcrypt_hasher_create);
-	lib->crypto->add_hasher(lib->crypto, HASH_MD4,
+	lib->crypto->add_hasher(lib->crypto, HASH_MD4, plugin_name,
 					(hasher_constructor_t)gcrypt_hasher_create);
-	lib->crypto->add_hasher(lib->crypto, HASH_MD5,
+	lib->crypto->add_hasher(lib->crypto, HASH_MD5, plugin_name,
 					(hasher_constructor_t)gcrypt_hasher_create);
-	lib->crypto->add_hasher(lib->crypto, HASH_SHA224,
+	lib->crypto->add_hasher(lib->crypto, HASH_SHA224, plugin_name,
 					(hasher_constructor_t)gcrypt_hasher_create);
-	lib->crypto->add_hasher(lib->crypto, HASH_SHA256,
+	lib->crypto->add_hasher(lib->crypto, HASH_SHA256, plugin_name,
 					(hasher_constructor_t)gcrypt_hasher_create);
-	lib->crypto->add_hasher(lib->crypto, HASH_SHA384,
+	lib->crypto->add_hasher(lib->crypto, HASH_SHA384, plugin_name,
 					(hasher_constructor_t)gcrypt_hasher_create);
-	lib->crypto->add_hasher(lib->crypto, HASH_SHA512,
+	lib->crypto->add_hasher(lib->crypto, HASH_SHA512, plugin_name,
 					(hasher_constructor_t)gcrypt_hasher_create);
 
 	/* crypters */
-	lib->crypto->add_crypter(lib->crypto, ENCR_3DES,
+	lib->crypto->add_crypter(lib->crypto, ENCR_3DES, plugin_name,
 					(crypter_constructor_t)gcrypt_crypter_create);
-	lib->crypto->add_crypter(lib->crypto, ENCR_CAST,
+	lib->crypto->add_crypter(lib->crypto, ENCR_CAST, plugin_name,
 					(crypter_constructor_t)gcrypt_crypter_create);
-	lib->crypto->add_crypter(lib->crypto, ENCR_BLOWFISH,
+	lib->crypto->add_crypter(lib->crypto, ENCR_BLOWFISH, plugin_name,
 					(crypter_constructor_t)gcrypt_crypter_create);
-	lib->crypto->add_crypter(lib->crypto, ENCR_DES,
+	lib->crypto->add_crypter(lib->crypto, ENCR_DES, plugin_name,
 					(crypter_constructor_t)gcrypt_crypter_create);
-	lib->crypto->add_crypter(lib->crypto, ENCR_DES_ECB,
+	lib->crypto->add_crypter(lib->crypto, ENCR_DES_ECB, plugin_name,
 					(crypter_constructor_t)gcrypt_crypter_create);
-	lib->crypto->add_crypter(lib->crypto, ENCR_AES_CBC,
+	lib->crypto->add_crypter(lib->crypto, ENCR_AES_CBC, plugin_name,
 					(crypter_constructor_t)gcrypt_crypter_create);
-	lib->crypto->add_crypter(lib->crypto, ENCR_AES_CTR,
+	lib->crypto->add_crypter(lib->crypto, ENCR_AES_CTR, plugin_name,
 					(crypter_constructor_t)gcrypt_crypter_create);
 #ifdef HAVE_GCRY_CIPHER_CAMELLIA
-	lib->crypto->add_crypter(lib->crypto, ENCR_CAMELLIA_CBC,
+	lib->crypto->add_crypter(lib->crypto, ENCR_CAMELLIA_CBC, plugin_name,
 					(crypter_constructor_t)gcrypt_crypter_create);
-	lib->crypto->add_crypter(lib->crypto, ENCR_CAMELLIA_CTR,
+	lib->crypto->add_crypter(lib->crypto, ENCR_CAMELLIA_CTR, plugin_name,
 					(crypter_constructor_t)gcrypt_crypter_create);
 #endif /* HAVE_GCRY_CIPHER_CAMELLIA */
-	lib->crypto->add_crypter(lib->crypto, ENCR_SERPENT_CBC,
+	lib->crypto->add_crypter(lib->crypto, ENCR_SERPENT_CBC, plugin_name,
 					(crypter_constructor_t)gcrypt_crypter_create);
-	lib->crypto->add_crypter(lib->crypto, ENCR_TWOFISH_CBC,
+	lib->crypto->add_crypter(lib->crypto, ENCR_TWOFISH_CBC, plugin_name,
 					(crypter_constructor_t)gcrypt_crypter_create);
 
 	/* random numbers */
-	lib->crypto->add_rng(lib->crypto, RNG_WEAK,
+	lib->crypto->add_rng(lib->crypto, RNG_WEAK, plugin_name,
 						 (rng_constructor_t)gcrypt_rng_create);
-	lib->crypto->add_rng(lib->crypto, RNG_STRONG,
+	lib->crypto->add_rng(lib->crypto, RNG_STRONG, plugin_name,
 						 (rng_constructor_t)gcrypt_rng_create);
-	lib->crypto->add_rng(lib->crypto, RNG_TRUE,
+	lib->crypto->add_rng(lib->crypto, RNG_TRUE, plugin_name,
 						 (rng_constructor_t)gcrypt_rng_create);
 
 	/* diffie hellman groups, using modp */
-	lib->crypto->add_dh(lib->crypto, MODP_2048_BIT,
+	lib->crypto->add_dh(lib->crypto, MODP_2048_BIT, plugin_name,
 					(dh_constructor_t)gcrypt_dh_create);
-	lib->crypto->add_dh(lib->crypto, MODP_2048_224,
+	lib->crypto->add_dh(lib->crypto, MODP_2048_224, plugin_name,
 					(dh_constructor_t)gcrypt_dh_create);
-	lib->crypto->add_dh(lib->crypto, MODP_2048_256,
+	lib->crypto->add_dh(lib->crypto, MODP_2048_256, plugin_name,
 					(dh_constructor_t)gcrypt_dh_create);
-	lib->crypto->add_dh(lib->crypto, MODP_1536_BIT,
+	lib->crypto->add_dh(lib->crypto, MODP_1536_BIT, plugin_name,
 					(dh_constructor_t)gcrypt_dh_create);
-	lib->crypto->add_dh(lib->crypto, MODP_3072_BIT,
+	lib->crypto->add_dh(lib->crypto, MODP_3072_BIT, plugin_name,
 					(dh_constructor_t)gcrypt_dh_create);
-	lib->crypto->add_dh(lib->crypto, MODP_4096_BIT,
+	lib->crypto->add_dh(lib->crypto, MODP_4096_BIT, plugin_name,
 					(dh_constructor_t)gcrypt_dh_create);
-	lib->crypto->add_dh(lib->crypto, MODP_6144_BIT,
+	lib->crypto->add_dh(lib->crypto, MODP_6144_BIT, plugin_name,
 					(dh_constructor_t)gcrypt_dh_create);
-	lib->crypto->add_dh(lib->crypto, MODP_8192_BIT,
+	lib->crypto->add_dh(lib->crypto, MODP_8192_BIT, plugin_name,
 					(dh_constructor_t)gcrypt_dh_create);
-	lib->crypto->add_dh(lib->crypto, MODP_1024_BIT,
+	lib->crypto->add_dh(lib->crypto, MODP_1024_BIT, plugin_name,
 					(dh_constructor_t)gcrypt_dh_create);
-	lib->crypto->add_dh(lib->crypto, MODP_1024_160,
+	lib->crypto->add_dh(lib->crypto, MODP_1024_160, plugin_name,
 					(dh_constructor_t)gcrypt_dh_create);
-	lib->crypto->add_dh(lib->crypto, MODP_768_BIT,
+	lib->crypto->add_dh(lib->crypto, MODP_768_BIT, plugin_name,
 					(dh_constructor_t)gcrypt_dh_create);
-	lib->crypto->add_dh(lib->crypto, MODP_CUSTOM,
+	lib->crypto->add_dh(lib->crypto, MODP_CUSTOM, plugin_name,
 					(dh_constructor_t)gcrypt_dh_create_custom);
 
 	/* RSA */
diff --git a/src/libstrongswan/plugins/gmp/Makefile.in b/src/libstrongswan/plugins/gmp/Makefile.in
index b4ec1ed8d..f73bfb406 100644
--- a/src/libstrongswan/plugins/gmp/Makefile.in
+++ b/src/libstrongswan/plugins/gmp/Makefile.in
@@ -220,9 +220,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -261,6 +259,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libstrongswan/plugins/gmp/gmp_plugin.c b/src/libstrongswan/plugins/gmp/gmp_plugin.c
index 9b4fad3da..e9bfbcc28 100644
--- a/src/libstrongswan/plugins/gmp/gmp_plugin.c
+++ b/src/libstrongswan/plugins/gmp/gmp_plugin.c
@@ -20,6 +20,8 @@
 #include "gmp_rsa_private_key.h"
 #include "gmp_rsa_public_key.h"
 
+static const char *plugin_name = "gmp";
+
 typedef struct private_gmp_plugin_t private_gmp_plugin_t;
 
 /**
@@ -64,30 +66,30 @@ plugin_t *gmp_plugin_create()
 		},
 	);
 
-	lib->crypto->add_dh(lib->crypto, MODP_2048_BIT,
+	lib->crypto->add_dh(lib->crypto, MODP_2048_BIT, plugin_name,
 						(dh_constructor_t)gmp_diffie_hellman_create);
-	lib->crypto->add_dh(lib->crypto, MODP_2048_224,
+	lib->crypto->add_dh(lib->crypto, MODP_2048_224, plugin_name,
 						(dh_constructor_t)gmp_diffie_hellman_create);
-	lib->crypto->add_dh(lib->crypto, MODP_2048_256,
+	lib->crypto->add_dh(lib->crypto, MODP_2048_256, plugin_name,
 						(dh_constructor_t)gmp_diffie_hellman_create);
-	lib->crypto->add_dh(lib->crypto, MODP_1536_BIT,
+	lib->crypto->add_dh(lib->crypto, MODP_1536_BIT, plugin_name,
 						(dh_constructor_t)gmp_diffie_hellman_create);
-	lib->crypto->add_dh(lib->crypto, MODP_3072_BIT,
+	lib->crypto->add_dh(lib->crypto, MODP_3072_BIT, plugin_name,
 						(dh_constructor_t)gmp_diffie_hellman_create);
-	lib->crypto->add_dh(lib->crypto, MODP_4096_BIT,
+	lib->crypto->add_dh(lib->crypto, MODP_4096_BIT, plugin_name,
 						(dh_constructor_t)gmp_diffie_hellman_create);
-	lib->crypto->add_dh(lib->crypto, MODP_6144_BIT,
+	lib->crypto->add_dh(lib->crypto, MODP_6144_BIT, plugin_name,
 						(dh_constructor_t)gmp_diffie_hellman_create);
-	lib->crypto->add_dh(lib->crypto, MODP_8192_BIT,
+	lib->crypto->add_dh(lib->crypto, MODP_8192_BIT, plugin_name,
 						(dh_constructor_t)gmp_diffie_hellman_create);
-	lib->crypto->add_dh(lib->crypto, MODP_1024_BIT,
+	lib->crypto->add_dh(lib->crypto, MODP_1024_BIT, plugin_name,
 						(dh_constructor_t)gmp_diffie_hellman_create);
-	lib->crypto->add_dh(lib->crypto, MODP_1024_160,
+	lib->crypto->add_dh(lib->crypto, MODP_1024_160, plugin_name,
 						(dh_constructor_t)gmp_diffie_hellman_create);
-	lib->crypto->add_dh(lib->crypto, MODP_768_BIT,
+	lib->crypto->add_dh(lib->crypto, MODP_768_BIT, plugin_name,
 						(dh_constructor_t)gmp_diffie_hellman_create);
 
-	lib->crypto->add_dh(lib->crypto, MODP_CUSTOM,
+	lib->crypto->add_dh(lib->crypto, MODP_CUSTOM, plugin_name,
 						(dh_constructor_t)gmp_diffie_hellman_create_custom);
 
 	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, FALSE,
diff --git a/src/libstrongswan/plugins/hmac/Makefile.in b/src/libstrongswan/plugins/hmac/Makefile.in
index 42a7d3747..72cc23b72 100644
--- a/src/libstrongswan/plugins/hmac/Makefile.in
+++ b/src/libstrongswan/plugins/hmac/Makefile.in
@@ -220,9 +220,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -261,6 +259,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libstrongswan/plugins/hmac/hmac_plugin.c b/src/libstrongswan/plugins/hmac/hmac_plugin.c
index 73df4dc6c..76d6157ae 100644
--- a/src/libstrongswan/plugins/hmac/hmac_plugin.c
+++ b/src/libstrongswan/plugins/hmac/hmac_plugin.c
@@ -19,6 +19,8 @@
 #include "hmac_signer.h"
 #include "hmac_prf.h"
 
+static const char *plugin_name = "hmac";
+
 typedef struct private_hmac_plugin_t private_hmac_plugin_t;
 
 /**
@@ -48,6 +50,7 @@ METHOD(plugin_t, destroy, void,
 plugin_t *hmac_plugin_create()
 {
 	private_hmac_plugin_t *this;
+	hasher_t *hasher;
 
 	INIT(this,
 		.public = {
@@ -57,37 +60,62 @@ plugin_t *hmac_plugin_create()
 		},
 	);
 
-	lib->crypto->add_prf(lib->crypto, PRF_HMAC_SHA2_256,
-						 (prf_constructor_t)hmac_prf_create);
-	lib->crypto->add_prf(lib->crypto, PRF_HMAC_SHA1,
-						 (prf_constructor_t)hmac_prf_create);
-	lib->crypto->add_prf(lib->crypto, PRF_HMAC_MD5,
-						 (prf_constructor_t)hmac_prf_create);
-	lib->crypto->add_prf(lib->crypto, PRF_HMAC_SHA2_384,
-						 (prf_constructor_t)hmac_prf_create);
-	lib->crypto->add_prf(lib->crypto, PRF_HMAC_SHA2_512,
-						 (prf_constructor_t)hmac_prf_create);
+	hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
+	if (hasher)
+	{
+		hasher->destroy(hasher);
+		lib->crypto->add_prf(lib->crypto, PRF_HMAC_SHA1, plugin_name,
+						(prf_constructor_t)hmac_prf_create);
+		lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA1_96, plugin_name,
+						(signer_constructor_t)hmac_signer_create);
+		lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA1_128, plugin_name,
+						(signer_constructor_t)hmac_signer_create);
+		lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA1_160, plugin_name,
+						(signer_constructor_t)hmac_signer_create);
+	}
+	hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA256);
+	if (hasher)
+	{
+		hasher->destroy(hasher);
+		lib->crypto->add_prf(lib->crypto, PRF_HMAC_SHA2_256, plugin_name,
+						(prf_constructor_t)hmac_prf_create);
+		lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_256_128, plugin_name,
+						(signer_constructor_t)hmac_signer_create);
+		lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_256_256, plugin_name,
+						(signer_constructor_t)hmac_signer_create);
 
-	lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA1_96,
-							(signer_constructor_t)hmac_signer_create);
-	lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA1_128,
-							(signer_constructor_t)hmac_signer_create);
-	lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA1_160,
-							(signer_constructor_t)hmac_signer_create);
-	lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_256_128,
-							(signer_constructor_t)hmac_signer_create);
-	lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_256_256,
-							(signer_constructor_t)hmac_signer_create);
-	lib->crypto->add_signer(lib->crypto, AUTH_HMAC_MD5_96,
-							(signer_constructor_t)hmac_signer_create);
-	lib->crypto->add_signer(lib->crypto, AUTH_HMAC_MD5_128,
-							(signer_constructor_t)hmac_signer_create);
-	lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_384_192,
-							(signer_constructor_t)hmac_signer_create);
-	lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_384_384,
-							(signer_constructor_t)hmac_signer_create);
-	lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_512_256,
-							(signer_constructor_t)hmac_signer_create);
+	}
+	hasher = lib->crypto->create_hasher(lib->crypto, HASH_MD5);
+	if (hasher)
+	{
+		hasher->destroy(hasher);
+		lib->crypto->add_prf(lib->crypto, PRF_HMAC_MD5, plugin_name,
+						(prf_constructor_t)hmac_prf_create);
+		lib->crypto->add_signer(lib->crypto, AUTH_HMAC_MD5_96, plugin_name,
+						(signer_constructor_t)hmac_signer_create);
+		lib->crypto->add_signer(lib->crypto, AUTH_HMAC_MD5_128, plugin_name,
+						(signer_constructor_t)hmac_signer_create);
+	}
+	hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA384);
+	if (hasher)
+	{
+		hasher->destroy(hasher);
+		lib->crypto->add_prf(lib->crypto, PRF_HMAC_SHA2_384, plugin_name,
+						(prf_constructor_t)hmac_prf_create);
+		lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_384_192, plugin_name,
+						(signer_constructor_t)hmac_signer_create);
+		lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_384_384, plugin_name,
+						(signer_constructor_t)hmac_signer_create);
+	}
+	hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA512);
+	if (hasher)
+	{
+		hasher->destroy(hasher);
+		lib->crypto->add_prf(lib->crypto, PRF_HMAC_SHA2_512, plugin_name,
+						(prf_constructor_t)hmac_prf_create);
+		lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_512_256, plugin_name,
+						(signer_constructor_t)hmac_signer_create);
+	}
 
 	return &this->public.plugin;
 }
diff --git a/src/libstrongswan/plugins/ldap/Makefile.in b/src/libstrongswan/plugins/ldap/Makefile.in
index 65a135e76..7235784e2 100644
--- a/src/libstrongswan/plugins/ldap/Makefile.in
+++ b/src/libstrongswan/plugins/ldap/Makefile.in
@@ -219,9 +219,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -260,6 +258,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libstrongswan/plugins/ldap/ldap_fetcher.c b/src/libstrongswan/plugins/ldap/ldap_fetcher.c
index 59e655cd5..e6c592217 100644
--- a/src/libstrongswan/plugins/ldap/ldap_fetcher.c
+++ b/src/libstrongswan/plugins/ldap/ldap_fetcher.c
@@ -100,8 +100,8 @@ static bool parse(LDAP *ldap, LDAPMessage *result, chunk_t *response)
 }
 
 
-static status_t fetch(private_ldap_fetcher_t *this, char *url,
-					  chunk_t *result, va_list args)
+METHOD(fetcher_t, fetch, status_t,
+	private_ldap_fetcher_t *this, char *url, chunk_t *result)
 {
 	LDAP *ldap;
 	LDAPURLDesc *lurl;
@@ -166,10 +166,8 @@ static status_t fetch(private_ldap_fetcher_t *this, char *url,
 }
 
 
-/**
- * Implementation of fetcher_t.set_option.
- */
-static bool set_option(private_ldap_fetcher_t *this, fetcher_option_t option, ...)
+METHOD(fetcher_t, set_option, bool,
+	private_ldap_fetcher_t *this, fetcher_option_t option, ...)
 {
 	va_list args;
 
@@ -186,10 +184,8 @@ static bool set_option(private_ldap_fetcher_t *this, fetcher_option_t option, ..
 	}
 }
 
-/**
- * Implements ldap_fetcher_t.destroy
- */
-static void destroy(private_ldap_fetcher_t *this)
+METHOD(fetcher_t, destroy, void,
+	private_ldap_fetcher_t *this)
 {
 	free(this);
 }
@@ -199,13 +195,18 @@ static void destroy(private_ldap_fetcher_t *this)
  */
 ldap_fetcher_t *ldap_fetcher_create()
 {
-	private_ldap_fetcher_t *this = malloc_thing(private_ldap_fetcher_t);
-
-	this->public.interface.fetch = (status_t(*)(fetcher_t*,char*,chunk_t*))fetch;
-	this->public.interface.set_option = (bool(*)(fetcher_t*, fetcher_option_t option, ...))set_option;
-	this->public.interface.destroy = (void (*)(fetcher_t*))destroy;
-
-	this->timeout = DEFAULT_TIMEOUT;
+	private_ldap_fetcher_t *this;
+
+	INIT(this,
+		.public = {
+			.interface = {
+				.fetch = _fetch,
+				.set_option = _set_option,
+				.destroy = _destroy,
+			},
+		},
+		.timeout = DEFAULT_TIMEOUT,
+	);
 
 	return &this->public;
 }
diff --git a/src/libstrongswan/plugins/ldap/ldap_plugin.c b/src/libstrongswan/plugins/ldap/ldap_plugin.c
index 372ac9f93..3682ddd1f 100644
--- a/src/libstrongswan/plugins/ldap/ldap_plugin.c
+++ b/src/libstrongswan/plugins/ldap/ldap_plugin.c
@@ -31,10 +31,8 @@ struct private_ldap_plugin_t {
 	ldap_plugin_t public;
 };
 
-/**
- * Implementation of ldap_plugin_t.destroy
- */
-static void destroy(private_ldap_plugin_t *this)
+METHOD(plugin_t, destroy, void,
+	private_ldap_plugin_t *this)
 {
 	lib->fetcher->remove_fetcher(lib->fetcher,
 								 (fetcher_constructor_t)ldap_fetcher_create);
@@ -46,9 +44,15 @@ static void destroy(private_ldap_plugin_t *this)
  */
 plugin_t *ldap_plugin_create()
 {
-	private_ldap_plugin_t *this = malloc_thing(private_ldap_plugin_t);
+	private_ldap_plugin_t *this;
 
-	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+	INIT(this,
+		.public = {
+			.plugin = {
+				.destroy = _destroy,
+			},
+		},
+	);
 
 	lib->fetcher->add_fetcher(lib->fetcher,
 						(fetcher_constructor_t)ldap_fetcher_create, "ldap://");
diff --git a/src/libstrongswan/plugins/md4/Makefile.in b/src/libstrongswan/plugins/md4/Makefile.in
index a78dad97c..ea1a7a69a 100644
--- a/src/libstrongswan/plugins/md4/Makefile.in
+++ b/src/libstrongswan/plugins/md4/Makefile.in
@@ -219,9 +219,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -260,6 +258,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libstrongswan/plugins/md4/md4_plugin.c b/src/libstrongswan/plugins/md4/md4_plugin.c
index 38ae0d4bc..cea1a61f3 100644
--- a/src/libstrongswan/plugins/md4/md4_plugin.c
+++ b/src/libstrongswan/plugins/md4/md4_plugin.c
@@ -18,6 +18,8 @@
 #include <library.h>
 #include "md4_hasher.h"
 
+static const char *plugin_name = "md4";
+
 typedef struct private_md4_plugin_t private_md4_plugin_t;
 
 /**
@@ -31,10 +33,8 @@ struct private_md4_plugin_t {
 	md4_plugin_t public;
 };
 
-/**
- * Implementation of md4_plugin_t.destroy
- */
-static void destroy(private_md4_plugin_t *this)
+METHOD(plugin_t, destroy, void,
+	private_md4_plugin_t *this)
 {
 	lib->crypto->remove_hasher(lib->crypto,
 							   (hasher_constructor_t)md4_hasher_create);
@@ -46,11 +46,17 @@ static void destroy(private_md4_plugin_t *this)
  */
 plugin_t *md4_plugin_create()
 {
-	private_md4_plugin_t *this = malloc_thing(private_md4_plugin_t);
+	private_md4_plugin_t *this;
 
-	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+	INIT(this,
+		.public = {
+			.plugin = {
+				.destroy = _destroy,
+			},
+		},
+	);
 
-	lib->crypto->add_hasher(lib->crypto, HASH_MD4,
+	lib->crypto->add_hasher(lib->crypto, HASH_MD4, plugin_name,
 							(hasher_constructor_t)md4_hasher_create);
 
 	return &this->public.plugin;
diff --git a/src/libstrongswan/plugins/md5/Makefile.in b/src/libstrongswan/plugins/md5/Makefile.in
index 6de400e8e..05f101564 100644
--- a/src/libstrongswan/plugins/md5/Makefile.in
+++ b/src/libstrongswan/plugins/md5/Makefile.in
@@ -219,9 +219,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -260,6 +258,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libstrongswan/plugins/md5/md5_plugin.c b/src/libstrongswan/plugins/md5/md5_plugin.c
index cfbf6acea..d11173817 100644
--- a/src/libstrongswan/plugins/md5/md5_plugin.c
+++ b/src/libstrongswan/plugins/md5/md5_plugin.c
@@ -18,6 +18,8 @@
 #include <library.h>
 #include "md5_hasher.h"
 
+static const char *plugin_name = "md5";
+
 typedef struct private_md5_plugin_t private_md5_plugin_t;
 
 /**
@@ -31,10 +33,8 @@ struct private_md5_plugin_t {
 	md5_plugin_t public;
 };
 
-/**
- * Implementation of md5_plugin_t.destroy
- */
-static void destroy(private_md5_plugin_t *this)
+METHOD(plugin_t, destroy, void,
+	private_md5_plugin_t *this)
 {
 	lib->crypto->remove_hasher(lib->crypto,
 							   (hasher_constructor_t)md5_hasher_create);
@@ -46,11 +46,17 @@ static void destroy(private_md5_plugin_t *this)
  */
 plugin_t *md5_plugin_create()
 {
-	private_md5_plugin_t *this = malloc_thing(private_md5_plugin_t);
+	private_md5_plugin_t *this;
 
-	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+	INIT(this,
+		.public = {
+			.plugin = {
+				.destroy = _destroy,
+			},
+		},
+	);
 
-	lib->crypto->add_hasher(lib->crypto, HASH_MD5,
+	lib->crypto->add_hasher(lib->crypto, HASH_MD5, plugin_name,
 							(hasher_constructor_t)md5_hasher_create);
 
 	return &this->public.plugin;
diff --git a/src/libstrongswan/plugins/mysql/Makefile.in b/src/libstrongswan/plugins/mysql/Makefile.in
index 7d4d42c14..4880415b3 100644
--- a/src/libstrongswan/plugins/mysql/Makefile.in
+++ b/src/libstrongswan/plugins/mysql/Makefile.in
@@ -221,9 +221,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -262,6 +260,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libstrongswan/plugins/mysql/mysql_database.c b/src/libstrongswan/plugins/mysql/mysql_database.c
index 8005b9149..5fbfa0f28 100644
--- a/src/libstrongswan/plugins/mysql/mysql_database.c
+++ b/src/libstrongswan/plugins/mysql/mysql_database.c
@@ -474,10 +474,8 @@ static bool mysql_enumerator_enumerate(mysql_enumerator_t *this, ...)
 	return TRUE;
 }
 
-/**
- * Implementation of database_t.query.
- */
-static enumerator_t* query(private_mysql_database_t *this, char *sql, ...)
+METHOD(database_t, query, enumerator_t*,
+	private_mysql_database_t *this, char *sql, ...)
 {
 	MYSQL_STMT *stmt;
 	va_list args;
@@ -563,10 +561,8 @@ static enumerator_t* query(private_mysql_database_t *this, char *sql, ...)
 	return (enumerator_t*)enumerator;
 }
 
-/**
- * Implementation of database_t.execute.
- */
-static int execute(private_mysql_database_t *this, int *rowid, char *sql, ...)
+METHOD(database_t, execute, int,
+	private_mysql_database_t *this, int *rowid, char *sql, ...)
 {
 	MYSQL_STMT *stmt;
 	va_list args;
@@ -594,18 +590,14 @@ static int execute(private_mysql_database_t *this, int *rowid, char *sql, ...)
 	return affected;
 }
 
-/**
- * Implementation of database_t.get_driver
- */
-static db_driver_t get_driver(private_mysql_database_t *this)
+METHOD(database_t, get_driver,db_driver_t,
+	private_mysql_database_t *this)
 {
 	return DB_MYSQL;
 }
 
-/**
- * Implementation of database_t.destroy
- */
-static void destroy(private_mysql_database_t *this)
+METHOD(database_t, destroy, void,
+	private_mysql_database_t *this)
 {
 	this->pool->destroy_function(this->pool, (void*)conn_destroy);
 	this->mutex->destroy(this->mutex);
@@ -677,12 +669,16 @@ mysql_database_t *mysql_database_create(char *uri)
 		return NULL;
 	}
 
-	this = malloc_thing(private_mysql_database_t);
-
-	this->public.db.query = (enumerator_t* (*)(database_t *this, char *sql, ...))query;
-	this->public.db.execute = (int (*)(database_t *this, int *rowid, char *sql, ...))execute;
-	this->public.db.get_driver = (db_driver_t(*)(database_t*))get_driver;
-	this->public.db.destroy = (void(*)(database_t*))destroy;
+	INIT(this,
+		.public = {
+			.db = {
+				.query = _query,
+				.execute = _execute,
+				.get_driver = _get_driver,
+				.destroy = _destroy,
+			},
+		},
+	);
 
 	if (!parse_uri(this, uri))
 	{
diff --git a/src/libstrongswan/plugins/mysql/mysql_plugin.c b/src/libstrongswan/plugins/mysql/mysql_plugin.c
index a13aa8091..65d8681cb 100644
--- a/src/libstrongswan/plugins/mysql/mysql_plugin.c
+++ b/src/libstrongswan/plugins/mysql/mysql_plugin.c
@@ -32,10 +32,8 @@ struct private_mysql_plugin_t {
 	mysql_plugin_t public;
 };
 
-/**
- * Implementation of plugin_t.destroy
- */
-static void destroy(private_mysql_plugin_t *this)
+METHOD(plugin_t, destroy, void,
+	private_mysql_plugin_t *this)
 {
 	lib->db->remove_database(lib->db,
 							 (database_constructor_t)mysql_database_create);
@@ -56,8 +54,13 @@ plugin_t *mysql_plugin_create()
 		return NULL;
 	}
 
-	this = malloc_thing(private_mysql_plugin_t);
-	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+	INIT(this,
+		.public = {
+			.plugin = {
+				.destroy = _destroy,
+			},
+		},
+	);
 
 	lib->db->add_database(lib->db,
 						  (database_constructor_t)mysql_database_create);
diff --git a/src/libstrongswan/plugins/openssl/Makefile.in b/src/libstrongswan/plugins/openssl/Makefile.in
index a32418b16..b43be29f1 100644
--- a/src/libstrongswan/plugins/openssl/Makefile.in
+++ b/src/libstrongswan/plugins/openssl/Makefile.in
@@ -226,9 +226,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -267,6 +265,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libstrongswan/plugins/openssl/openssl_crl.c b/src/libstrongswan/plugins/openssl/openssl_crl.c
index b9d97a901..58401faa5 100644
--- a/src/libstrongswan/plugins/openssl/openssl_crl.c
+++ b/src/libstrongswan/plugins/openssl/openssl_crl.c
@@ -382,6 +382,8 @@ static private_openssl_crl_t *create_empty()
 				},
 				.get_serial = _get_serial,
 				.get_authKeyIdentifier = _get_authKeyIdentifier,
+				.is_delta_crl = (void*)return_false,
+				.create_delta_crl_uri_enumerator = (void*)enumerator_create_empty,
 				.create_enumerator = _create_enumerator,
 			},
 		},
@@ -458,7 +460,14 @@ static bool parse_extensions(private_openssl_crl_t *this)
 					ok = parse_crlNumber_ext(this, ext);
 					break;
 				default:
-					ok = TRUE;
+					ok = X509_EXTENSION_get_critical(ext) == 0 ||
+						 !lib->settings->get_bool(lib->settings,
+								"libstrongswan.x509.enforce_critical", TRUE);
+					if (!ok)
+					{
+						DBG1(DBG_LIB, "found unsupported critical X.509 "
+							 "CRL extension");
+					}
 					break;
 			}
 			if (!ok)
diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c
index 0ab4eda9c..0050572ee 100644
--- a/src/libstrongswan/plugins/openssl/openssl_plugin.c
+++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c
@@ -41,6 +41,8 @@
 #include "openssl_x509.h"
 #include "openssl_crl.h"
 
+static const char *plugin_name = "openssl";
+
 typedef struct private_openssl_plugin_t private_openssl_plugin_t;
 
 /**
@@ -272,85 +274,85 @@ plugin_t *openssl_plugin_create()
 	}
 
 	/* crypter */
-	lib->crypto->add_crypter(lib->crypto, ENCR_AES_CBC,
+	lib->crypto->add_crypter(lib->crypto, ENCR_AES_CBC, plugin_name,
 					(crypter_constructor_t)openssl_crypter_create);
-	lib->crypto->add_crypter(lib->crypto, ENCR_CAMELLIA_CBC,
+	lib->crypto->add_crypter(lib->crypto, ENCR_CAMELLIA_CBC, plugin_name,
 					(crypter_constructor_t)openssl_crypter_create);
-	lib->crypto->add_crypter(lib->crypto, ENCR_3DES,
+	lib->crypto->add_crypter(lib->crypto, ENCR_3DES, plugin_name,
 					(crypter_constructor_t)openssl_crypter_create);
-	lib->crypto->add_crypter(lib->crypto, ENCR_RC5,
+	lib->crypto->add_crypter(lib->crypto, ENCR_RC5, plugin_name,
 					(crypter_constructor_t)openssl_crypter_create);
-	lib->crypto->add_crypter(lib->crypto, ENCR_IDEA,
+	lib->crypto->add_crypter(lib->crypto, ENCR_IDEA, plugin_name,
 					(crypter_constructor_t)openssl_crypter_create);
-	lib->crypto->add_crypter(lib->crypto, ENCR_CAST,
+	lib->crypto->add_crypter(lib->crypto, ENCR_CAST, plugin_name,
 					(crypter_constructor_t)openssl_crypter_create);
-	lib->crypto->add_crypter(lib->crypto, ENCR_BLOWFISH,
+	lib->crypto->add_crypter(lib->crypto, ENCR_BLOWFISH, plugin_name,
 					(crypter_constructor_t)openssl_crypter_create);
-	lib->crypto->add_crypter(lib->crypto, ENCR_DES,
+	lib->crypto->add_crypter(lib->crypto, ENCR_DES, plugin_name,
 					(crypter_constructor_t)openssl_crypter_create);
-	lib->crypto->add_crypter(lib->crypto, ENCR_DES_ECB,
+	lib->crypto->add_crypter(lib->crypto, ENCR_DES_ECB, plugin_name,
 					(crypter_constructor_t)openssl_crypter_create);
-	lib->crypto->add_crypter(lib->crypto, ENCR_NULL,
+	lib->crypto->add_crypter(lib->crypto, ENCR_NULL, plugin_name,
 					(crypter_constructor_t)openssl_crypter_create);
 
 	/* hasher */
-	lib->crypto->add_hasher(lib->crypto, HASH_SHA1,
+	lib->crypto->add_hasher(lib->crypto, HASH_SHA1, plugin_name,
 					(hasher_constructor_t)openssl_hasher_create);
-	lib->crypto->add_hasher(lib->crypto, HASH_MD2,
+	lib->crypto->add_hasher(lib->crypto, HASH_MD2, plugin_name,
 					(hasher_constructor_t)openssl_hasher_create);
-	lib->crypto->add_hasher(lib->crypto, HASH_MD4,
+	lib->crypto->add_hasher(lib->crypto, HASH_MD4, plugin_name,
 					(hasher_constructor_t)openssl_hasher_create);
-	lib->crypto->add_hasher(lib->crypto, HASH_MD5,
+	lib->crypto->add_hasher(lib->crypto, HASH_MD5, plugin_name,
 					(hasher_constructor_t)openssl_hasher_create);
-	lib->crypto->add_hasher(lib->crypto, HASH_SHA224,
+	lib->crypto->add_hasher(lib->crypto, HASH_SHA224, plugin_name,
 					(hasher_constructor_t)openssl_hasher_create);
-	lib->crypto->add_hasher(lib->crypto, HASH_SHA256,
+	lib->crypto->add_hasher(lib->crypto, HASH_SHA256, plugin_name,
 					(hasher_constructor_t)openssl_hasher_create);
-	lib->crypto->add_hasher(lib->crypto, HASH_SHA384,
+	lib->crypto->add_hasher(lib->crypto, HASH_SHA384, plugin_name,
 					(hasher_constructor_t)openssl_hasher_create);
-	lib->crypto->add_hasher(lib->crypto, HASH_SHA512,
+	lib->crypto->add_hasher(lib->crypto, HASH_SHA512, plugin_name,
 					(hasher_constructor_t)openssl_hasher_create);
 
 	/* prf */
-	lib->crypto->add_prf(lib->crypto, PRF_KEYED_SHA1,
+	lib->crypto->add_prf(lib->crypto, PRF_KEYED_SHA1, plugin_name,
 					(prf_constructor_t)openssl_sha1_prf_create);
 
 	/* (ec) diffie hellman */
-	lib->crypto->add_dh(lib->crypto, MODP_2048_BIT,
+	lib->crypto->add_dh(lib->crypto, MODP_2048_BIT, plugin_name,
 						(dh_constructor_t)openssl_diffie_hellman_create);
-	lib->crypto->add_dh(lib->crypto, MODP_2048_224,
+	lib->crypto->add_dh(lib->crypto, MODP_2048_224, plugin_name,
 						(dh_constructor_t)openssl_diffie_hellman_create);
-	lib->crypto->add_dh(lib->crypto, MODP_2048_256,
+	lib->crypto->add_dh(lib->crypto, MODP_2048_256, plugin_name,
 						(dh_constructor_t)openssl_diffie_hellman_create);
-	lib->crypto->add_dh(lib->crypto, MODP_1536_BIT,
+	lib->crypto->add_dh(lib->crypto, MODP_1536_BIT, plugin_name,
 						(dh_constructor_t)openssl_diffie_hellman_create);
 #ifndef OPENSSL_NO_EC
-	lib->crypto->add_dh(lib->crypto, ECP_256_BIT,
+	lib->crypto->add_dh(lib->crypto, ECP_256_BIT, plugin_name,
 						(dh_constructor_t)openssl_ec_diffie_hellman_create);
-	lib->crypto->add_dh(lib->crypto, ECP_384_BIT,
+	lib->crypto->add_dh(lib->crypto, ECP_384_BIT, plugin_name,
 						(dh_constructor_t)openssl_ec_diffie_hellman_create);
-	lib->crypto->add_dh(lib->crypto, ECP_521_BIT,
+	lib->crypto->add_dh(lib->crypto, ECP_521_BIT, plugin_name,
 						(dh_constructor_t)openssl_ec_diffie_hellman_create);
-	lib->crypto->add_dh(lib->crypto, ECP_224_BIT,
+	lib->crypto->add_dh(lib->crypto, ECP_224_BIT, plugin_name,
 						(dh_constructor_t)openssl_ec_diffie_hellman_create);
-	lib->crypto->add_dh(lib->crypto, ECP_192_BIT,
+	lib->crypto->add_dh(lib->crypto, ECP_192_BIT, plugin_name,
 						(dh_constructor_t)openssl_ec_diffie_hellman_create);
 #endif /* OPENSSL_NO_EC */
-	lib->crypto->add_dh(lib->crypto, MODP_3072_BIT,
+	lib->crypto->add_dh(lib->crypto, MODP_3072_BIT, plugin_name,
 						(dh_constructor_t)openssl_diffie_hellman_create);
-	lib->crypto->add_dh(lib->crypto, MODP_4096_BIT,
+	lib->crypto->add_dh(lib->crypto, MODP_4096_BIT, plugin_name,
 						(dh_constructor_t)openssl_diffie_hellman_create);
-	lib->crypto->add_dh(lib->crypto, MODP_6144_BIT,
+	lib->crypto->add_dh(lib->crypto, MODP_6144_BIT, plugin_name,
 						(dh_constructor_t)openssl_diffie_hellman_create);
-	lib->crypto->add_dh(lib->crypto, MODP_8192_BIT,
+	lib->crypto->add_dh(lib->crypto, MODP_8192_BIT, plugin_name,
 						(dh_constructor_t)openssl_diffie_hellman_create);
-	lib->crypto->add_dh(lib->crypto, MODP_1024_BIT,
+	lib->crypto->add_dh(lib->crypto, MODP_1024_BIT, plugin_name,
 						(dh_constructor_t)openssl_diffie_hellman_create);
-	lib->crypto->add_dh(lib->crypto, MODP_1024_160,
+	lib->crypto->add_dh(lib->crypto, MODP_1024_160, plugin_name,
 						(dh_constructor_t)openssl_diffie_hellman_create);
-	lib->crypto->add_dh(lib->crypto, MODP_768_BIT,
+	lib->crypto->add_dh(lib->crypto, MODP_768_BIT, plugin_name,
 						(dh_constructor_t)openssl_diffie_hellman_create);
-	lib->crypto->add_dh(lib->crypto, MODP_CUSTOM,
+	lib->crypto->add_dh(lib->crypto, MODP_CUSTOM, plugin_name,
 						(dh_constructor_t)openssl_diffie_hellman_create);
 
 	/* rsa */
diff --git a/src/libstrongswan/plugins/openssl/openssl_x509.c b/src/libstrongswan/plugins/openssl/openssl_x509.c
index aa39bc93d..f7495b2ae 100644
--- a/src/libstrongswan/plugins/openssl/openssl_x509.c
+++ b/src/libstrongswan/plugins/openssl/openssl_x509.c
@@ -84,7 +84,7 @@ struct private_openssl_x509_t {
 	/**
 	 * Pathlen constraint
 	 */
-	int pathlen;
+	u_char pathlen;
 
 	/**
 	 * certificate subject
@@ -137,7 +137,7 @@ struct private_openssl_x509_t {
 	linked_list_t *issuerAltNames;
 
 	/**
-	 * List of CRL URIs
+	 * List of CRL URIs, as x509_cdp_t
 	 */
 	linked_list_t *crl_uris;
 
@@ -152,6 +152,16 @@ struct private_openssl_x509_t {
 	refcount_t ref;
 };
 
+/**
+ * Destroy a CRL URI struct
+ */
+static void crl_uri_destroy(x509_cdp_t *this)
+{
+	free(this->uri);
+	DESTROY_IF(this->issuer);
+	free(this);
+}
+
 /**
  * Convert a GeneralName to an identification_t.
  */
@@ -240,10 +250,16 @@ METHOD(x509_t, get_authKeyIdentifier, chunk_t,
 	return chunk_empty;
 }
 
-METHOD(x509_t, get_pathLenConstraint, int,
-	private_openssl_x509_t *this)
+METHOD(x509_t, get_constraint, u_int,
+	private_openssl_x509_t *this, x509_constraint_t type)
 {
-	return this->pathlen;
+	switch (type)
+	{
+		case X509_PATH_LEN:
+			return this->pathlen;
+		default:
+			return X509_NO_CONSTRAINT;
+	}
 }
 
 METHOD(x509_t, create_subjectAltName_enumerator, enumerator_t*,
@@ -264,13 +280,6 @@ METHOD(x509_t, create_ocsp_uri_enumerator, enumerator_t*,
 	return this->ocsp_uris->create_enumerator(this->ocsp_uris);
 }
 
-METHOD(x509_t, create_ipAddrBlock_enumerator, enumerator_t*,
-	private_openssl_x509_t *this)
-{
-	/* TODO */
-	return enumerator_create_empty();
-}
-
 METHOD(certificate_t, get_type, certificate_type_t,
 	private_openssl_x509_t *this)
 {
@@ -483,7 +492,7 @@ METHOD(certificate_t, destroy, void,
 										offsetof(identification_t, destroy));
 		this->issuerAltNames->destroy_offset(this->issuerAltNames,
 										offsetof(identification_t, destroy));
-		this->crl_uris->destroy_function(this->crl_uris, free);
+		this->crl_uris->destroy_function(this->crl_uris, (void*)crl_uri_destroy);
 		this->ocsp_uris->destroy_function(this->ocsp_uris, free);
 		free(this);
 	}
@@ -517,18 +526,21 @@ static private_openssl_x509_t *create_empty()
 				.get_serial = _get_serial,
 				.get_subjectKeyIdentifier = _get_subjectKeyIdentifier,
 				.get_authKeyIdentifier = _get_authKeyIdentifier,
-				.get_pathLenConstraint = _get_pathLenConstraint,
+				.get_constraint = _get_constraint,
 				.create_subjectAltName_enumerator = _create_subjectAltName_enumerator,
 				.create_crl_uri_enumerator = _create_crl_uri_enumerator,
 				.create_ocsp_uri_enumerator = _create_ocsp_uri_enumerator,
-				.create_ipAddrBlock_enumerator = _create_ipAddrBlock_enumerator,
+				.create_ipAddrBlock_enumerator = (void*)enumerator_create_empty,
+				.create_name_constraint_enumerator = (void*)enumerator_create_empty,
+				.create_cert_policy_enumerator = (void*)enumerator_create_empty,
+				.create_policy_mapping_enumerator = (void*)enumerator_create_empty,
 			},
 		},
 		.subjectAltNames = linked_list_create(),
 		.issuerAltNames = linked_list_create(),
 		.crl_uris = linked_list_create(),
 		.ocsp_uris = linked_list_create(),
-		.pathlen = X509_NO_PATH_LEN_CONSTRAINT,
+		.pathlen = X509_NO_CONSTRAINT,
 		.ref = 1,
 	);
 
@@ -574,6 +586,7 @@ static bool parse_basicConstraints_ext(private_openssl_x509_t *this,
 									   X509_EXTENSION *ext)
 {
 	BASIC_CONSTRAINTS *constraints;
+	long pathlen;
 
 	constraints = (BASIC_CONSTRAINTS*)X509V3_EXT_d2i(ext);
 	if (constraints)
@@ -584,7 +597,10 @@ static bool parse_basicConstraints_ext(private_openssl_x509_t *this,
 		}
 		if (constraints->pathlen)
 		{
-			this->pathlen = ASN1_INTEGER_get(constraints->pathlen);
+			
+			pathlen = ASN1_INTEGER_get(constraints->pathlen);
+			this->pathlen = (pathlen >= 0 && pathlen < 128) ?
+							 pathlen : X509_NO_CONSTRAINT;
 		}
 		BASIC_CONSTRAINTS_free(constraints);
 		return TRUE;
@@ -600,9 +616,10 @@ static bool parse_crlDistributionPoints_ext(private_openssl_x509_t *this,
 {
 	CRL_DIST_POINTS *cdps;
 	DIST_POINT *cdp;
-	identification_t *id;
+	identification_t *id, *issuer;
+	x509_cdp_t *entry;
 	char *uri;
-	int i, j, point_num, name_num;
+	int i, j, k, point_num, name_num, issuer_num;
 
 	cdps = X509V3_EXT_d2i(ext);
 	if (!cdps)
@@ -627,12 +644,38 @@ static bool parse_crlDistributionPoints_ext(private_openssl_x509_t *this,
 					{
 						if (asprintf(&uri, "%Y", id) > 0)
 						{
-							this->crl_uris->insert_first(this->crl_uris, uri);
+							if (cdp->CRLissuer)
+							{
+								issuer_num = sk_GENERAL_NAME_num(cdp->CRLissuer);
+								for (k = 0; k < issuer_num; k++)
+								{
+									issuer = general_name2id(
+										sk_GENERAL_NAME_value(cdp->CRLissuer, k));
+									if (issuer)
+									{
+										INIT(entry,
+											.uri = strdup(uri),
+											.issuer = issuer,
+										);
+										this->crl_uris->insert_last(
+														this->crl_uris, entry);
+									}
+								}
+								free(uri);
+							}
+							else
+							{
+								INIT(entry,
+									.uri = uri,
+								);
+								this->crl_uris->insert_last(this->crl_uris, entry);
+							}
 						}
 						id->destroy(id);
 					}
 				}
 			}
+
 			DIST_POINT_free(cdp);
 		}
 	}
@@ -765,7 +808,13 @@ static bool parse_extensions(private_openssl_x509_t *this)
 					ok = parse_crlDistributionPoints_ext(this, ext);
 					break;
 				default:
-					ok = TRUE;
+					ok = X509_EXTENSION_get_critical(ext) == 0 ||
+						 !lib->settings->get_bool(lib->settings,
+								"libstrongswan.x509.enforce_critical", TRUE);
+					if (!ok)
+					{
+						DBG1(DBG_LIB, "found unsupported critical X.509 extension");
+					}
 					break;
 			}
 			if (!ok)
@@ -823,6 +872,13 @@ static bool parse_certificate(private_openssl_x509_t *this)
 	{
 		return FALSE;
 	}
+	if (X509_get_version(this->x509) < 0 || X509_get_version(this->x509) > 2)
+	{
+		DBG1(DBG_LIB, "unsupported x509 version: %d",
+			 X509_get_version(this->x509) + 1);
+		return FALSE;
+	}
+
 	this->subject = openssl_x509_name2id(X509_get_subject_name(this->x509));
 	this->issuer = openssl_x509_name2id(X509_get_issuer_name(this->x509));
 
@@ -866,7 +922,7 @@ static bool parse_certificate(private_openssl_x509_t *this)
 
 	if (!parse_extensions(this))
 	{
-		return TRUE;
+		return FALSE;
 	}
 	parse_extKeyUsage(this);
 
diff --git a/src/libstrongswan/plugins/padlock/Makefile.in b/src/libstrongswan/plugins/padlock/Makefile.in
index 46953f681..7c89d0abd 100644
--- a/src/libstrongswan/plugins/padlock/Makefile.in
+++ b/src/libstrongswan/plugins/padlock/Makefile.in
@@ -222,9 +222,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -263,6 +261,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libstrongswan/plugins/padlock/padlock_plugin.c b/src/libstrongswan/plugins/padlock/padlock_plugin.c
index 027c53c7b..695823acf 100644
--- a/src/libstrongswan/plugins/padlock/padlock_plugin.c
+++ b/src/libstrongswan/plugins/padlock/padlock_plugin.c
@@ -23,6 +23,8 @@
 #include <library.h>
 #include <debug.h>
 
+static const char *plugin_name = "padlock";
+
 typedef struct private_padlock_plugin_t private_padlock_plugin_t;
 typedef enum padlock_feature_t padlock_feature_t;
 
@@ -161,21 +163,21 @@ plugin_t *padlock_plugin_create()
 
 	if (this->features & PADLOCK_RNG_ENABLED)
 	{
-		lib->crypto->add_rng(lib->crypto, RNG_TRUE,
+		lib->crypto->add_rng(lib->crypto, RNG_TRUE, plugin_name,
 						(rng_constructor_t)padlock_rng_create);
-		lib->crypto->add_rng(lib->crypto, RNG_STRONG,
+		lib->crypto->add_rng(lib->crypto, RNG_STRONG, plugin_name,
 						(rng_constructor_t)padlock_rng_create);
-		lib->crypto->add_rng(lib->crypto, RNG_WEAK,
+		lib->crypto->add_rng(lib->crypto, RNG_WEAK, plugin_name,
 						(rng_constructor_t)padlock_rng_create);
 	}
 	if (this->features & PADLOCK_ACE2_ENABLED)
 	{
-		lib->crypto->add_crypter(lib->crypto, ENCR_AES_CBC,
+		lib->crypto->add_crypter(lib->crypto, ENCR_AES_CBC, plugin_name,
 						(crypter_constructor_t)padlock_aes_crypter_create);
 	}
 	if (this->features & PADLOCK_PHE_ENABLED)
 	{
-		lib->crypto->add_hasher(lib->crypto, HASH_SHA1,
+		lib->crypto->add_hasher(lib->crypto, HASH_SHA1, plugin_name,
 						(hasher_constructor_t)padlock_sha1_hasher_create);
 	}
 	return &this->public.plugin;
diff --git a/src/libstrongswan/plugins/pem/Makefile.in b/src/libstrongswan/plugins/pem/Makefile.in
index cf5acdd1c..60740eb35 100644
--- a/src/libstrongswan/plugins/pem/Makefile.in
+++ b/src/libstrongswan/plugins/pem/Makefile.in
@@ -220,9 +220,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -261,6 +259,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libstrongswan/plugins/pem/pem_encoder.c b/src/libstrongswan/plugins/pem/pem_encoder.c
index e255d6fd0..9c8237e4d 100644
--- a/src/libstrongswan/plugins/pem/pem_encoder.c
+++ b/src/libstrongswan/plugins/pem/pem_encoder.c
@@ -111,7 +111,7 @@ bool pem_encoder_encode(cred_encoding_type_t type, chunk_t *encoding,
 	}
 
 	/* compute and allocate maximum size of PEM object */
-	pem_chars = 4*(asn1.len + 2)/3;
+	pem_chars = 4 * ((asn1.len + 2) / 3);
 	pem_lines = (asn1.len + BYTES_PER_LINE - 1) / BYTES_PER_LINE;
 	*encoding = chunk_alloc(5 + 2*(6 + strlen(label) + 6) + 3 + pem_chars + pem_lines);
 	pos = encoding->ptr;
diff --git a/src/libstrongswan/plugins/pem/pem_plugin.c b/src/libstrongswan/plugins/pem/pem_plugin.c
index 83efb155b..f2415a318 100644
--- a/src/libstrongswan/plugins/pem/pem_plugin.c
+++ b/src/libstrongswan/plugins/pem/pem_plugin.c
@@ -33,10 +33,8 @@ struct private_pem_plugin_t {
 	pem_plugin_t public;
 };
 
-/**
- * Implementation of pem_plugin_t.pemtroy
- */
-static void destroy(private_pem_plugin_t *this)
+METHOD(plugin_t, destroy, void,
+	private_pem_plugin_t *this)
 {
 	lib->creds->remove_builder(lib->creds,
 							   (builder_function_t)pem_private_key_load);
@@ -52,9 +50,15 @@ static void destroy(private_pem_plugin_t *this)
  */
 plugin_t *pem_plugin_create()
 {
-	private_pem_plugin_t *this = malloc_thing(private_pem_plugin_t);
-
-	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+	private_pem_plugin_t *this;
+
+	INIT(this,
+		.public = {
+			.plugin = {
+				.destroy = _destroy,
+			},
+		},
+	);
 
 	/* register private key PEM decoding builders */
 	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_ANY, FALSE,
diff --git a/src/libstrongswan/plugins/pgp/Makefile.in b/src/libstrongswan/plugins/pgp/Makefile.in
index 0098147a9..ab14f8ced 100644
--- a/src/libstrongswan/plugins/pgp/Makefile.in
+++ b/src/libstrongswan/plugins/pgp/Makefile.in
@@ -220,9 +220,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -261,6 +259,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libstrongswan/plugins/pgp/pgp_plugin.c b/src/libstrongswan/plugins/pgp/pgp_plugin.c
index 41e0a5df6..eaf0a1088 100644
--- a/src/libstrongswan/plugins/pgp/pgp_plugin.c
+++ b/src/libstrongswan/plugins/pgp/pgp_plugin.c
@@ -33,10 +33,8 @@ struct private_pgp_plugin_t {
 	pgp_plugin_t public;
 };
 
-/**
- * Implementation of pgp_plugin_t.pgptroy
- */
-static void destroy(private_pgp_plugin_t *this)
+METHOD(plugin_t, destroy, void,
+	private_pgp_plugin_t *this)
 {
 	lib->creds->remove_builder(lib->creds,
 							(builder_function_t)pgp_public_key_load);
@@ -56,10 +54,15 @@ static void destroy(private_pgp_plugin_t *this)
  */
 plugin_t *pgp_plugin_create()
 {
-	private_pgp_plugin_t *this = malloc_thing(private_pgp_plugin_t);
-
-	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-
+	private_pgp_plugin_t *this;
+
+	INIT(this,
+		.public = {
+			.plugin = {
+				.destroy = _destroy,
+			},
+		},
+	);
 	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_ANY, FALSE,
 							(builder_function_t)pgp_public_key_load);
 	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_RSA, FALSE,
@@ -68,10 +71,8 @@ plugin_t *pgp_plugin_create()
 							(builder_function_t)pgp_private_key_load);
 	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, FALSE,
 							(builder_function_t)pgp_private_key_load);
-
 	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_GPG, FALSE,
 							(builder_function_t)pgp_cert_load);
-
 	lib->encoding->add_encoder(lib->encoding, pgp_encoder_encode);
 
 	return &this->public.plugin;
diff --git a/src/libstrongswan/plugins/pkcs1/Makefile.in b/src/libstrongswan/plugins/pkcs1/Makefile.in
index 8b41499a7..8ed4a08e9 100644
--- a/src/libstrongswan/plugins/pkcs1/Makefile.in
+++ b/src/libstrongswan/plugins/pkcs1/Makefile.in
@@ -221,9 +221,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -262,6 +260,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libstrongswan/plugins/pkcs1/pkcs1_plugin.c b/src/libstrongswan/plugins/pkcs1/pkcs1_plugin.c
index d3afb5c67..33732f8a4 100644
--- a/src/libstrongswan/plugins/pkcs1/pkcs1_plugin.c
+++ b/src/libstrongswan/plugins/pkcs1/pkcs1_plugin.c
@@ -32,10 +32,8 @@ struct private_pkcs1_plugin_t {
 	pkcs1_plugin_t public;
 };
 
-/**
- * Implementation of pkcs1_plugin_t.pkcs1troy
- */
-static void destroy(private_pkcs1_plugin_t *this)
+METHOD(plugin_t, destroy, void,
+	private_pkcs1_plugin_t *this)
 {
 	lib->creds->remove_builder(lib->creds,
 							(builder_function_t)pkcs1_public_key_load);
@@ -52,9 +50,15 @@ static void destroy(private_pkcs1_plugin_t *this)
  */
 plugin_t *pkcs1_plugin_create()
 {
-	private_pkcs1_plugin_t *this = malloc_thing(private_pkcs1_plugin_t);
+	private_pkcs1_plugin_t *this;
 
-	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+	INIT(this,
+		.public = {
+			.plugin = {
+				.destroy = _destroy,
+			},
+		},
+	);
 
 	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_ANY, FALSE,
 							(builder_function_t)pkcs1_public_key_load);
diff --git a/src/libstrongswan/plugins/pkcs11/Makefile.in b/src/libstrongswan/plugins/pkcs11/Makefile.in
index c27310910..6c03b0497 100644
--- a/src/libstrongswan/plugins/pkcs11/Makefile.in
+++ b/src/libstrongswan/plugins/pkcs11/Makefile.in
@@ -223,9 +223,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -264,6 +262,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_creds.c b/src/libstrongswan/plugins/pkcs11/pkcs11_creds.c
index 1b1448c6a..a81ec1147 100644
--- a/src/libstrongswan/plugins/pkcs11/pkcs11_creds.c
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_creds.c
@@ -55,19 +55,20 @@ struct private_pkcs11_creds_t {
  * Find certificates, optionally trusted
  */
 static void find_certificates(private_pkcs11_creds_t *this,
-							  CK_SESSION_HANDLE session, CK_BBOOL trusted)
+							  CK_SESSION_HANDLE session)
 {
 	CK_OBJECT_CLASS class = CKO_CERTIFICATE;
 	CK_CERTIFICATE_TYPE type = CKC_X_509;
+	CK_BBOOL trusted = TRUE;
 	CK_ATTRIBUTE tmpl[] = {
 		{CKA_CLASS, &class, sizeof(class)},
 		{CKA_CERTIFICATE_TYPE, &type, sizeof(type)},
-		{CKA_TRUSTED, &trusted, sizeof(trusted)},
 	};
 	CK_OBJECT_HANDLE object;
 	CK_ATTRIBUTE attr[] = {
 		{CKA_VALUE, NULL, 0},
 		{CKA_LABEL, NULL, 0},
+		{CKA_TRUSTED, &trusted, sizeof(trusted)}
 	};
 	enumerator_t *enumerator;
 	linked_list_t *raw;
@@ -75,11 +76,19 @@ static void find_certificates(private_pkcs11_creds_t *this,
 	struct {
 		chunk_t value;
 		chunk_t label;
+		bool trusted;
 	} *entry;
+	int count = countof(attr);
 
+	/* store result in a temporary list, avoid recursive operation */
 	raw = linked_list_create();
+	/* do not use trusted argument if not supported */
+	if (!(this->lib->get_features(this->lib) & PKCS11_TRUSTED_CERTS))
+	{
+		count--;
+	}
 	enumerator = this->lib->create_object_enumerator(this->lib,
-							session, tmpl, countof(tmpl), attr, countof(attr));
+									session, tmpl, countof(tmpl), attr, count);
 	while (enumerator->enumerate(enumerator, &object))
 	{
 		entry = malloc(sizeof(*entry));
@@ -87,6 +96,7 @@ static void find_certificates(private_pkcs11_creds_t *this,
 							chunk_create(attr[0].pValue, attr[0].ulValueLen));
 		entry->label = chunk_clone(
 							chunk_create(attr[1].pValue, attr[1].ulValueLen));
+		entry->trusted = trusted;
 		raw->insert_last(raw, entry);
 	}
 	enumerator->destroy(enumerator);
@@ -99,10 +109,10 @@ static void find_certificates(private_pkcs11_creds_t *this,
 		if (cert)
 		{
 			DBG1(DBG_CFG, "    loaded %strusted cert '%.*s'",
-				 trusted ? "" : "un", entry->label.len, entry->label.ptr);
+				 entry->trusted ? "" : "un", entry->label.len, entry->label.ptr);
 			/* trusted certificates are also returned as untrusted */
 			this->untrusted->insert_last(this->untrusted, cert);
-			if (trusted)
+			if (entry->trusted)
 			{
 				this->trusted->insert_last(this->trusted, cert->get_ref(cert));
 			}
@@ -135,8 +145,7 @@ static bool load_certificates(private_pkcs11_creds_t *this)
 		return FALSE;
 	}
 
-	find_certificates(this, session, CK_TRUE);
-	find_certificates(this, session, CK_FALSE);
+	find_certificates(this, session);
 
 	this->lib->f->C_CloseSession(session);
 	return TRUE;
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_library.c b/src/libstrongswan/plugins/pkcs11/pkcs11_library.c
index 9fb1b7769..6f7926808 100644
--- a/src/libstrongswan/plugins/pkcs11/pkcs11_library.c
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_library.c
@@ -466,6 +466,11 @@ struct private_pkcs11_library_t {
 	 * Name as passed to the constructor
 	 */
 	char *name;
+
+	/**
+	 * Supported feature set
+	 */
+	pkcs11_feature_t features;
 };
 
 METHOD(pkcs11_library_t, get_name, char*,
@@ -474,6 +479,12 @@ METHOD(pkcs11_library_t, get_name, char*,
 	return this->name;
 }
 
+METHOD(pkcs11_library_t, get_features, pkcs11_feature_t,
+	private_pkcs11_library_t *this)
+{
+	return this->features;
+}
+
 /**
  * Object enumerator
  */
@@ -765,20 +776,46 @@ static CK_RV UnlockMutex(CK_VOID_PTR data)
 	return CKR_OK;
 }
 
+/**
+ * Check if the library has at least a given cryptoki version
+ */
+static bool has_version(CK_INFO *info, int major, int minor)
+{
+	return info->cryptokiVersion.major > major ||
+			(info->cryptokiVersion.major == major &&
+			 info->cryptokiVersion.minor >= minor);
+}
+
+/**
+ * Check for optional PKCS#11 library functionality
+ */
+static void check_features(private_pkcs11_library_t *this, CK_INFO *info)
+{
+	if (has_version(info, 2, 20))
+	{
+		this->features |= PKCS11_TRUSTED_CERTS;
+		this->features |= PKCS11_ALWAYS_AUTH_KEYS;
+	}
+}
+
 /**
  * Initialize a PKCS#11 library
  */
-static bool initialize(private_pkcs11_library_t *this, char *name, char *file)
+static bool initialize(private_pkcs11_library_t *this, char *name, char *file,
+					   bool os_locking)
 {
 	CK_C_GetFunctionList pC_GetFunctionList;
 	CK_INFO info;
 	CK_RV rv;
-	CK_C_INITIALIZE_ARGS args = {
+	static CK_C_INITIALIZE_ARGS args = {
 		.CreateMutex = CreateMutex,
 		.DestroyMutex = DestroyMutex,
 		.LockMutex = LockMutex,
 		.UnlockMutex = UnlockMutex,
 	};
+	static CK_C_INITIALIZE_ARGS args_os = {
+		.flags = CKF_OS_LOCKING_OK,
+	};
 
 	pC_GetFunctionList = dlsym(this->handle, "C_GetFunctionList");
 	if (!pC_GetFunctionList)
@@ -793,14 +830,19 @@ static bool initialize(private_pkcs11_library_t *this, char *name, char *file)
 			 name, ck_rv_names, rv);
 		return FALSE;
 	}
-
-	rv = this->public.f->C_Initialize(&args);
-	if (rv == CKR_CANT_LOCK)
-	{	/* try OS locking */
-		memset(&args, 0, sizeof(args));
-		args.flags = CKF_OS_LOCKING_OK;
+	if (os_locking)
+	{
+		rv = CKR_CANT_LOCK;
+	}
+	else
+	{
 		rv = this->public.f->C_Initialize(&args);
 	}
+	if (rv == CKR_CANT_LOCK)
+	{	/* fallback to OS locking */
+		os_locking = TRUE;
+		rv = this->public.f->C_Initialize(&args_os);
+	}
 	if (rv != CKR_OK)
 	{
 		DBG1(DBG_CFG, "C_Initialize() error for '%s': %N",
@@ -826,23 +868,26 @@ static bool initialize(private_pkcs11_library_t *this, char *name, char *file)
 	DBG1(DBG_CFG, "  %s: %s v%d.%d",
 		 info.manufacturerID, info.libraryDescription,
 		 info.libraryVersion.major, info.libraryVersion.minor);
-	if (args.flags & CKF_OS_LOCKING_OK)
+	if (os_locking)
 	{
 		DBG1(DBG_CFG, "  uses OS locking functions");
 	}
+
+	check_features(this, &info);
 	return TRUE;
 }
 
 /**
  * See header
  */
-pkcs11_library_t *pkcs11_library_create(char *name, char *file)
+pkcs11_library_t *pkcs11_library_create(char *name, char *file, bool os_locking)
 {
 	private_pkcs11_library_t *this;
 
 	INIT(this,
 		.public = {
 			.get_name = _get_name,
+			.get_features = _get_features,
 			.create_object_enumerator = _create_object_enumerator,
 			.create_mechanism_enumerator = _create_mechanism_enumerator,
 			.destroy = _destroy,
@@ -858,7 +903,7 @@ pkcs11_library_t *pkcs11_library_create(char *name, char *file)
 		return NULL;
 	}
 
-	if (!initialize(this, name, file))
+	if (!initialize(this, name, file, os_locking))
 	{
 		dlclose(this->handle);
 		free(this);
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_library.h b/src/libstrongswan/plugins/pkcs11/pkcs11_library.h
index 1457d24d4..abe023448 100644
--- a/src/libstrongswan/plugins/pkcs11/pkcs11_library.h
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_library.h
@@ -21,6 +21,7 @@
 #ifndef PKCS11_LIBRARY_H_
 #define PKCS11_LIBRARY_H_
 
+typedef enum pkcs11_feature_t pkcs11_feature_t;
 typedef struct pkcs11_library_t pkcs11_library_t;
 
 #include "pkcs11.h"
@@ -28,6 +29,16 @@ typedef struct pkcs11_library_t pkcs11_library_t;
 #include <enum.h>
 #include <utils/enumerator.h>
 
+/**
+ * Optional PKCS#11 features some libraries support, some not
+ */
+enum pkcs11_feature_t {
+	/** CKA_TRUSTED attribute supported for certificate objects */
+	PKCS11_TRUSTED_CERTS = (1<<0),
+	/** CKA_ALWAYS_AUTHENTICATE attribute supported for private keys */
+	PKCS11_ALWAYS_AUTH_KEYS = (1<<1),
+};
+
 /**
  * A loaded and initialized PKCS#11 library.
  */
@@ -45,6 +56,13 @@ struct pkcs11_library_t {
 	 */
 	char* (*get_name)(pkcs11_library_t *this);
 
+	/**
+	 * Get the feature set supported by this library.
+	 *
+	 * @return			ORed set of features supported
+	 */
+	pkcs11_feature_t (*get_features)(pkcs11_library_t *this);
+
 	/**
 	 * Create an enumerator over CK_OBJECT_HANDLE using a search template.
 	 *
@@ -103,8 +121,9 @@ void pkcs11_library_trim(char *str, int len);
  *
  * @param name		an arbitrary name, for debugging
  * @param file		pkcs11 library file to dlopen()
+ * @param os_lock	enforce OS Locking for this library
  * @return			library abstraction
  */
-pkcs11_library_t *pkcs11_library_create(char *name, char *file);
+pkcs11_library_t *pkcs11_library_create(char *name, char *file, bool os_lock);
 
 #endif /** PKCS11_LIBRARY_H_ @}*/
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_manager.c b/src/libstrongswan/plugins/pkcs11/pkcs11_manager.c
index 0c27600a6..9308e9c25 100644
--- a/src/libstrongswan/plugins/pkcs11/pkcs11_manager.c
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_manager.c
@@ -373,7 +373,10 @@ pkcs11_manager_t *pkcs11_manager_create(pkcs11_manager_token_event_t cb,
 			free(entry);
 			continue;
 		}
-		entry->lib = pkcs11_library_create(module, entry->path);
+		entry->lib = pkcs11_library_create(module, entry->path,
+						lib->settings->get_bool(lib->settings,
+							"libstrongswan.plugins.pkcs11.modules.%s.os_locking",
+							FALSE, module));
 		if (!entry->lib)
 		{
 			free(entry);
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c b/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c
index ace405c23..071d2f782 100644
--- a/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c
@@ -26,6 +26,8 @@
 #include "pkcs11_public_key.h"
 #include "pkcs11_hasher.h"
 
+static const char *plugin_name = "pkcs11";
+
 typedef struct private_pkcs11_plugin_t private_pkcs11_plugin_t;
 
 /**
@@ -146,17 +148,17 @@ plugin_t *pkcs11_plugin_create()
 	if (lib->settings->get_bool(lib->settings,
 							"libstrongswan.plugins.pkcs11.use_hasher", FALSE))
 	{
-		lib->crypto->add_hasher(lib->crypto, HASH_MD2,
+		lib->crypto->add_hasher(lib->crypto, HASH_MD2, plugin_name,
 					(hasher_constructor_t)pkcs11_hasher_create);
-		lib->crypto->add_hasher(lib->crypto, HASH_MD5,
+		lib->crypto->add_hasher(lib->crypto, HASH_MD5, plugin_name,
 					(hasher_constructor_t)pkcs11_hasher_create);
-		lib->crypto->add_hasher(lib->crypto, HASH_SHA1,
+		lib->crypto->add_hasher(lib->crypto, HASH_SHA1, plugin_name,
 					(hasher_constructor_t)pkcs11_hasher_create);
-		lib->crypto->add_hasher(lib->crypto, HASH_SHA256,
+		lib->crypto->add_hasher(lib->crypto, HASH_SHA256, plugin_name,
 					(hasher_constructor_t)pkcs11_hasher_create);
-		lib->crypto->add_hasher(lib->crypto, HASH_SHA384,
+		lib->crypto->add_hasher(lib->crypto, HASH_SHA384, plugin_name,
 					(hasher_constructor_t)pkcs11_hasher_create);
-		lib->crypto->add_hasher(lib->crypto, HASH_SHA512,
+		lib->crypto->add_hasher(lib->crypto, HASH_SHA512, plugin_name,
 					(hasher_constructor_t)pkcs11_hasher_create);
 	}
 
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c b/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c
index cabca3f54..b4cc7a805 100644
--- a/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c
@@ -401,30 +401,36 @@ static bool find_key(private_pkcs11_private_key_t *this, chunk_t keyid)
 	};
 	CK_OBJECT_HANDLE object;
 	CK_KEY_TYPE type;
-	CK_BBOOL reauth;
+	CK_BBOOL reauth = FALSE;
 	CK_ATTRIBUTE attr[] = {
 		{CKA_KEY_TYPE, &type, sizeof(type)},
-		{CKA_ALWAYS_AUTHENTICATE, &reauth, sizeof(reauth)},
 		{CKA_MODULUS, NULL, 0},
 		{CKA_PUBLIC_EXPONENT, NULL, 0},
+		{CKA_ALWAYS_AUTHENTICATE, &reauth, sizeof(reauth)},
 	};
 	enumerator_t *enumerator;
 	chunk_t modulus, pubexp;
+	int count = countof(attr);
 
+	/* do not use CKA_ALWAYS_AUTHENTICATE if not supported */
+	if (!(this->lib->get_features(this->lib) & PKCS11_ALWAYS_AUTH_KEYS))
+	{
+		count--;
+	}
 	enumerator = this->lib->create_object_enumerator(this->lib,
-						this->session, tmpl, countof(tmpl), attr, countof(attr));
+							this->session, tmpl, countof(tmpl), attr, count);
 	if (enumerator->enumerate(enumerator, &object))
 	{
 		switch (type)
 		{
 			case CKK_RSA:
-				if (attr[2].ulValueLen == -1 || attr[3].ulValueLen == -1)
+				if (attr[1].ulValueLen == -1 || attr[2].ulValueLen == -1)
 				{
 					DBG1(DBG_CFG, "reading modulus/exponent from PKCS#1 failed");
 					break;
 				}
-				modulus = chunk_create(attr[2].pValue, attr[2].ulValueLen);
-				pubexp = chunk_create(attr[3].pValue, attr[3].ulValueLen);
+				modulus = chunk_create(attr[1].pValue, attr[1].ulValueLen);
+				pubexp = chunk_create(attr[2].pValue, attr[2].ulValueLen);
 				this->pubkey = lib->creds->create(lib->creds, CRED_PUBLIC_KEY,
 									KEY_RSA, BUILD_RSA_MODULUS, modulus,
 									BUILD_RSA_PUB_EXP, pubexp, BUILD_END);
diff --git a/src/libstrongswan/plugins/plugin_loader.c b/src/libstrongswan/plugins/plugin_loader.c
index e1427bf15..473db5ccf 100644
--- a/src/libstrongswan/plugins/plugin_loader.c
+++ b/src/libstrongswan/plugins/plugin_loader.c
@@ -50,62 +50,77 @@ struct private_plugin_loader_t {
 	linked_list_t *names;
 };
 
-#ifdef MONOLITHIC
 /**
- * load a single plugin in monolithic mode
+ * create a plugin
+ * returns: NOT_FOUND, if the constructor was not found
+ *          FAILED, if the plugin could not be constructed
  */
-static plugin_t* load_plugin(private_plugin_loader_t *this,
-							 char *path, char *name)
+static status_t create_plugin(private_plugin_loader_t *this, void *handle,
+							  char *name, bool integrity, plugin_t **plugin)
 {
 	char create[128];
-	plugin_t *plugin;
 	plugin_constructor_t constructor;
 
 	if (snprintf(create, sizeof(create), "%s_plugin_create",
 				 name) >= sizeof(create))
 	{
-		return NULL;
+		return FAILED;
 	}
 	translate(create, "-", "_");
-	constructor = dlsym(RTLD_DEFAULT, create);
+	constructor = dlsym(handle, create);
 	if (constructor == NULL)
 	{
-		DBG1(DBG_LIB, "plugin '%s': failed to load - %s not found", name,
+		DBG2(DBG_LIB, "plugin '%s': failed to load - %s not found", name,
 			 create);
-		return NULL;
+		return NOT_FOUND;
 	}
-	plugin = constructor();
-	if (plugin == NULL)
+	if (integrity && lib->integrity)
+	{
+		if (!lib->integrity->check_segment(lib->integrity, name, constructor))
+		{
+			DBG1(DBG_LIB, "plugin '%s': failed segment integrity test", name);
+			return FAILED;
+		}
+		DBG1(DBG_LIB, "plugin '%s': passed file and segment integrity tests",
+			 name);
+	}
+	*plugin = constructor();
+	if (*plugin == NULL)
 	{
 		DBG1(DBG_LIB, "plugin '%s': failed to load - %s returned NULL", name,
 			 create);
-		return NULL;
+		return FAILED;
 	}
 	DBG2(DBG_LIB, "plugin '%s': loaded successfully", name);
-
-	return plugin;
+	return SUCCESS;
 }
-#else
+
 /**
  * load a single plugin
  */
 static plugin_t* load_plugin(private_plugin_loader_t *this,
 							 char *path, char *name)
 {
-	char create[128];
 	char file[PATH_MAX];
 	void *handle;
 	plugin_t *plugin;
-	plugin_constructor_t constructor;
+
+	switch (create_plugin(this, RTLD_DEFAULT, name, FALSE, &plugin))
+	{
+		case SUCCESS:
+			return plugin;
+		case NOT_FOUND:
+			/* try to load the plugin from a file */
+			break;
+		default:
+			return NULL;
+	}
 
 	if (snprintf(file, sizeof(file), "%s/libstrongswan-%s.so", path,
-				 name) >= sizeof(file) ||
-		snprintf(create, sizeof(create), "%s_plugin_create",
-				 name) >= sizeof(create))
+				 name) >= sizeof(file))
 	{
 		return NULL;
 	}
-	translate(create, "-", "_");
 	if (lib->integrity)
 	{
 		if (!lib->integrity->check_file(lib->integrity, name, file))
@@ -121,40 +136,37 @@ static plugin_t* load_plugin(private_plugin_loader_t *this,
 		DBG1(DBG_LIB, "plugin '%s' failed to load: %s", name, dlerror());
 		return NULL;
 	}
-	constructor = dlsym(handle, create);
-	if (constructor == NULL)
+	if (create_plugin(this, handle, name, TRUE, &plugin) != SUCCESS)
 	{
-		DBG1(DBG_LIB, "plugin '%s': failed to load - %s not found", name,
-			 create);
 		dlclose(handle);
 		return NULL;
 	}
-	if (lib->integrity)
+	/* we do not store or free dlopen() handles, leak_detective requires
+	 * the modules to keep loaded until leak report */
+	return plugin;
+}
+
+/**
+ * Check if a plugin is already loaded
+ */
+static bool plugin_loaded(private_plugin_loader_t *this, char *name)
+{
+	enumerator_t *enumerator;
+	bool found = FALSE;
+	char *current;
+
+	enumerator = this->names->create_enumerator(this->names);
+	while (enumerator->enumerate(enumerator, &current))
 	{
-		if (!lib->integrity->check_segment(lib->integrity, name, constructor))
+		if (streq(name, current))
 		{
-			DBG1(DBG_LIB, "plugin '%s': failed segment integrity test", name);
-			dlclose(handle);
-			return NULL;
+			found = TRUE;
+			break;
 		}
-		DBG1(DBG_LIB, "plugin '%s': passed file and segment integrity tests",
-			 name);
 	}
-	plugin = constructor();
-	if (plugin == NULL)
-	{
-		DBG1(DBG_LIB, "plugin '%s': failed to load - %s returned NULL", name,
-			 create);
-		dlclose(handle);
-		return NULL;
-	}
-	DBG2(DBG_LIB, "plugin '%s': loaded successfully", name);
-
-	/* we do not store or free dlopen() handles, leak_detective requires
-	 * the modules to keep loaded until leak report */
-	return plugin;
+	enumerator->destroy(enumerator);
+	return found;
 }
-#endif
 
 /**
  * Implementation of plugin_loader_t.load_plugins.
@@ -165,12 +177,10 @@ static bool load(private_plugin_loader_t *this, char *path, char *list)
 	char *token;
 	bool critical_failed = FALSE;
 
-#ifndef MONOLITHIC
 	if (path == NULL)
 	{
 		path = PLUGINDIR;
 	}
-#endif
 
 	enumerator = enumerator_create_token(list, " ", " ");
 	while (!critical_failed && enumerator->enumerate(enumerator, &token))
@@ -186,6 +196,11 @@ static bool load(private_plugin_loader_t *this, char *path, char *list)
 			critical = TRUE;
 			token[len-1] = '\0';
 		}
+		if (plugin_loaded(this, token))
+		{
+			free(token);
+			continue;
+		}
 		plugin = load_plugin(this, path, token);
 		if (plugin)
 		{
diff --git a/src/libstrongswan/plugins/pubkey/Makefile.in b/src/libstrongswan/plugins/pubkey/Makefile.in
index 495223855..46349f9ba 100644
--- a/src/libstrongswan/plugins/pubkey/Makefile.in
+++ b/src/libstrongswan/plugins/pubkey/Makefile.in
@@ -221,9 +221,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -262,6 +260,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libstrongswan/plugins/pubkey/pubkey_plugin.c b/src/libstrongswan/plugins/pubkey/pubkey_plugin.c
index 6f41ada2a..cc12217a4 100644
--- a/src/libstrongswan/plugins/pubkey/pubkey_plugin.c
+++ b/src/libstrongswan/plugins/pubkey/pubkey_plugin.c
@@ -31,10 +31,8 @@ struct private_pubkey_plugin_t {
 	pubkey_plugin_t public;
 };
 
-/**
- * Implementation of pubkey_plugin_t.pubkeytroy
- */
-static void destroy(private_pubkey_plugin_t *this)
+METHOD(plugin_t, destroy, void,
+	private_pubkey_plugin_t *this)
 {
 	lib->creds->remove_builder(lib->creds,
 							(builder_function_t)pubkey_cert_wrap);
@@ -46,9 +44,15 @@ static void destroy(private_pubkey_plugin_t *this)
  */
 plugin_t *pubkey_plugin_create()
 {
-	private_pubkey_plugin_t *this = malloc_thing(private_pubkey_plugin_t);
-
-	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+	private_pubkey_plugin_t *this;
+
+	INIT(this,
+		.public = {
+			.plugin = {
+				.destroy = _destroy,
+			},
+		},
+	);
 
 	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_TRUSTED_PUBKEY, FALSE,
 							(builder_function_t)pubkey_cert_wrap);
diff --git a/src/libstrongswan/plugins/random/Makefile.in b/src/libstrongswan/plugins/random/Makefile.in
index efd24c761..21f8aff11 100644
--- a/src/libstrongswan/plugins/random/Makefile.in
+++ b/src/libstrongswan/plugins/random/Makefile.in
@@ -221,9 +221,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -262,6 +260,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libstrongswan/plugins/random/random_plugin.c b/src/libstrongswan/plugins/random/random_plugin.c
index 39678ba71..cc5cb0a3c 100644
--- a/src/libstrongswan/plugins/random/random_plugin.c
+++ b/src/libstrongswan/plugins/random/random_plugin.c
@@ -18,6 +18,8 @@
 #include <library.h>
 #include "random_rng.h"
 
+static const char *plugin_name = "random";
+
 typedef struct private_random_plugin_t private_random_plugin_t;
 
 /**
@@ -31,10 +33,8 @@ struct private_random_plugin_t {
 	random_plugin_t public;
 };
 
-/**
- * Implementation of random_plugin_t.gmptroy
- */
-static void destroy(private_random_plugin_t *this)
+METHOD(plugin_t, destroy, void,
+	private_random_plugin_t *this)
 {
 	lib->crypto->remove_rng(lib->crypto,
 							(rng_constructor_t)random_rng_create);
@@ -46,13 +46,19 @@ static void destroy(private_random_plugin_t *this)
  */
 plugin_t *random_plugin_create()
 {
-	private_random_plugin_t *this = malloc_thing(private_random_plugin_t);
+	private_random_plugin_t *this;
 
-	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+	INIT(this,
+		.public = {
+			.plugin = {
+				.destroy = _destroy,
+			},
+		},
+	);
 
-	lib->crypto->add_rng(lib->crypto, RNG_STRONG,
+	lib->crypto->add_rng(lib->crypto, RNG_STRONG, plugin_name,
 						 (rng_constructor_t)random_rng_create);
-	lib->crypto->add_rng(lib->crypto, RNG_TRUE,
+	lib->crypto->add_rng(lib->crypto, RNG_TRUE, plugin_name,
 						 (rng_constructor_t)random_rng_create);
 
 	return &this->public.plugin;
diff --git a/src/libstrongswan/plugins/random/random_rng.c b/src/libstrongswan/plugins/random/random_rng.c
index b09f3f57a..1d99a63d5 100644
--- a/src/libstrongswan/plugins/random/random_rng.c
+++ b/src/libstrongswan/plugins/random/random_rng.c
@@ -55,11 +55,8 @@ struct private_random_rng_t {
 	char *file;
 };
 
-/**
- * Implementation of random_rng_t.get_bytes.
- */
-static void get_bytes(private_random_rng_t *this, size_t bytes,
-					  u_int8_t *buffer)
+METHOD(rng_t, get_bytes, void,
+	private_random_rng_t *this, size_t bytes, u_int8_t *buffer)
 {
 	size_t done;
 	ssize_t got;
@@ -81,20 +78,15 @@ static void get_bytes(private_random_rng_t *this, size_t bytes,
 	}
 }
 
-/**
- * Implementation of random_rng_t.allocate_bytes.
- */
-static void allocate_bytes(private_random_rng_t *this, size_t bytes,
-						   chunk_t *chunk)
+METHOD(rng_t, allocate_bytes, void,
+	private_random_rng_t *this, size_t bytes, chunk_t *chunk)
 {
 	*chunk = chunk_alloc(bytes);
 	get_bytes(this, chunk->len, chunk->ptr);
 }
 
-/**
- * Implementation of random_rng_t.destroy.
- */
-static void destroy(private_random_rng_t *this)
+METHOD(rng_t, destroy, void,
+	private_random_rng_t *this)
 {
 	close(this->dev);
 	free(this);
@@ -105,12 +97,17 @@ static void destroy(private_random_rng_t *this)
  */
 random_rng_t *random_rng_create(rng_quality_t quality)
 {
-	private_random_rng_t *this = malloc_thing(private_random_rng_t);
-
-	/* public functions */
-	this->public.rng.get_bytes = (void (*) (rng_t *, size_t, u_int8_t*)) get_bytes;
-	this->public.rng.allocate_bytes = (void (*) (rng_t *, size_t, chunk_t*)) allocate_bytes;
-	this->public.rng.destroy = (void (*) (rng_t *))destroy;
+	private_random_rng_t *this;
+
+	INIT(this,
+		.public = {
+			.rng = {
+				.get_bytes = _get_bytes,
+				.allocate_bytes = _allocate_bytes,
+				.destroy = _destroy,
+			},
+		},
+	);
 
 	if (quality == RNG_TRUE)
 	{
diff --git a/src/libstrongswan/plugins/revocation/Makefile.in b/src/libstrongswan/plugins/revocation/Makefile.in
index 16a9d21c5..4ed4b9694 100644
--- a/src/libstrongswan/plugins/revocation/Makefile.in
+++ b/src/libstrongswan/plugins/revocation/Makefile.in
@@ -223,9 +223,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -264,6 +262,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libstrongswan/plugins/revocation/revocation_validator.c b/src/libstrongswan/plugins/revocation/revocation_validator.c
index 29d2bc128..def169275 100644
--- a/src/libstrongswan/plugins/revocation/revocation_validator.c
+++ b/src/libstrongswan/plugins/revocation/revocation_validator.c
@@ -93,12 +93,13 @@ static certificate_t *fetch_ocsp(char *url, certificate_t *subject,
 /**
  * check the signature of an OCSP response
  */
-static bool verify_ocsp(ocsp_response_t *response)
+static bool verify_ocsp(ocsp_response_t *response, auth_cfg_t *auth)
 {
 	certificate_t *issuer, *subject;
 	identification_t *responder;
 	ocsp_response_wrapper_t *wrapper;
 	enumerator_t *enumerator;
+	auth_cfg_t *current;
 	bool verified = FALSE;
 
 	wrapper = ocsp_response_wrapper_create((ocsp_response_t*)response);
@@ -108,12 +109,16 @@ static bool verify_ocsp(ocsp_response_t *response)
 	responder = subject->get_issuer(subject);
 	enumerator = lib->credmgr->create_trusted_enumerator(lib->credmgr,
 													KEY_ANY, responder, FALSE);
-	while (enumerator->enumerate(enumerator, &issuer, NULL))
+	while (enumerator->enumerate(enumerator, &issuer, &current))
 	{
 		if (lib->credmgr->issued_by(lib->credmgr, subject, issuer))
 		{
 			DBG1(DBG_CFG, "  ocsp response correctly signed by \"%Y\"",
 							 issuer->get_subject(issuer));
+			if (auth)
+			{
+				auth->merge(auth, current, FALSE);
+			}
 			verified = TRUE;
 			break;
 		}
@@ -129,7 +134,8 @@ static bool verify_ocsp(ocsp_response_t *response)
  * Get the better of two OCSP responses, and check for usable OCSP info
  */
 static certificate_t *get_better_ocsp(certificate_t *cand, certificate_t *best,
-		x509_t *subject, x509_t *issuer, cert_validation_t *valid, bool cache)
+					x509_t *subject, x509_t *issuer, cert_validation_t *valid,
+					auth_cfg_t *auth, bool cache)
 {
 	ocsp_response_t *response;
 	time_t revocation, this_update, next_update, valid_until;
@@ -139,7 +145,7 @@ static certificate_t *get_better_ocsp(certificate_t *cand, certificate_t *best,
 	response = (ocsp_response_t*)cand;
 
 	/* check ocsp signature */
-	if (!verify_ocsp(response))
+	if (!verify_ocsp(response, auth))
 	{
 		DBG1(DBG_CFG, "ocsp response verification failed");
 		cand->destroy(cand);
@@ -220,7 +226,8 @@ static cert_validation_t check_ocsp(x509_t *subject, x509_t *issuer,
 	while (enumerator->enumerate(enumerator, &current))
 	{
 		current->get_ref(current);
-		best = get_better_ocsp(current, best, subject, issuer, &valid, FALSE);
+		best = get_better_ocsp(current, best, subject, issuer,
+							   &valid, auth, FALSE);
 		if (best && valid != VALIDATION_STALE)
 		{
 			DBG1(DBG_CFG, "  using cached ocsp response");
@@ -247,7 +254,7 @@ static cert_validation_t check_ocsp(x509_t *subject, x509_t *issuer,
 			if (current)
 			{
 				best = get_better_ocsp(current, best, subject, issuer,
-									   &valid, TRUE);
+									   &valid, auth, TRUE);
 				if (best && valid != VALIDATION_STALE)
 				{
 					break;
@@ -269,7 +276,7 @@ static cert_validation_t check_ocsp(x509_t *subject, x509_t *issuer,
 			if (current)
 			{
 				best = get_better_ocsp(current, best, subject, issuer,
-									   &valid, TRUE);
+									   &valid, auth, TRUE);
 				if (best && valid != VALIDATION_STALE)
 				{
 					break;
@@ -323,20 +330,25 @@ static certificate_t* fetch_crl(char *url)
 /**
  * check the signature of an CRL
  */
-static bool verify_crl(certificate_t *crl)
+static bool verify_crl(certificate_t *crl, auth_cfg_t *auth)
 {
 	certificate_t *issuer;
 	enumerator_t *enumerator;
 	bool verified = FALSE;
+	auth_cfg_t *current;
 
 	enumerator = lib->credmgr->create_trusted_enumerator(lib->credmgr,
 										KEY_ANY, crl->get_issuer(crl), FALSE);
-	while (enumerator->enumerate(enumerator, &issuer, NULL))
+	while (enumerator->enumerate(enumerator, &issuer, &current))
 	{
 		if (lib->credmgr->issued_by(lib->credmgr, crl, issuer))
 		{
 			DBG1(DBG_CFG, "  crl correctly signed by \"%Y\"",
 						   issuer->get_subject(issuer));
+			if (auth)
+			{
+				auth->merge(auth, current, FALSE);
+			}
 			verified = TRUE;
 			break;
 		}
@@ -350,23 +362,41 @@ static bool verify_crl(certificate_t *crl)
  * Get the better of two CRLs, and check for usable CRL info
  */
 static certificate_t *get_better_crl(certificate_t *cand, certificate_t *best,
-		x509_t *subject, x509_t *issuer, cert_validation_t *valid, bool cache)
+					x509_t *subject, cert_validation_t *valid, auth_cfg_t *auth,
+					bool cache, crl_t *base)
 {
 	enumerator_t *enumerator;
 	time_t revocation, valid_until;
 	crl_reason_t reason;
 	chunk_t serial;
-	crl_t *crl;
+	crl_t *crl = (crl_t*)cand;
+
+	if (base)
+	{
+		if (!crl->is_delta_crl(crl, &serial) ||
+			!chunk_equals(serial, base->get_serial(base)))
+		{
+			cand->destroy(cand);
+			return best;
+		}
+	}
+	else
+	{
+		if (crl->is_delta_crl(crl, NULL))
+		{
+			cand->destroy(cand);
+			return best;
+		}
+	}
 
 	/* check CRL signature */
-	if (!verify_crl(cand))
+	if (!verify_crl(cand, auth))
 	{
 		DBG1(DBG_CFG, "crl response verification failed");
 		cand->destroy(cand);
 		return best;
 	}
 
-	crl = (crl_t*)cand;
 	enumerator = crl->create_enumerator(crl);
 	while (enumerator->enumerate(enumerator, &serial, &revocation, &reason))
 	{
@@ -411,79 +441,191 @@ static certificate_t *get_better_crl(certificate_t *cand, certificate_t *best,
 }
 
 /**
- * validate a x509 certificate using CRL
+ * Find or fetch a certificate for a given crlIssuer
  */
-static cert_validation_t check_crl(x509_t *subject, x509_t *issuer,
-								   auth_cfg_t *auth)
+static cert_validation_t find_crl(x509_t *subject, identification_t *issuer,
+								  auth_cfg_t *auth, crl_t *base,
+								  certificate_t **best, bool *uri_found)
 {
 	cert_validation_t valid = VALIDATION_SKIPPED;
-	identification_t *keyid = NULL;
-	certificate_t *best = NULL;
+	enumerator_t *enumerator;
 	certificate_t *current;
-	public_key_t *public;
+	char *uri;
+
+	/* find a cached (delta) crl */
+	enumerator = lib->credmgr->create_cert_enumerator(lib->credmgr,
+										CERT_X509_CRL, KEY_ANY, issuer, FALSE);
+	while (enumerator->enumerate(enumerator, &current))
+	{
+		current->get_ref(current);
+		*best = get_better_crl(current, *best, subject, &valid,
+							   auth, FALSE, base);
+		if (*best && valid != VALIDATION_STALE)
+		{
+			DBG1(DBG_CFG, "  using cached crl");
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	/* fallback to fetching crls from credential sets cdps */
+	if (!base && valid != VALIDATION_GOOD && valid != VALIDATION_REVOKED)
+	{
+		enumerator = lib->credmgr->create_cdp_enumerator(lib->credmgr,
+														 CERT_X509_CRL, issuer);
+		while (enumerator->enumerate(enumerator, &uri))
+		{
+			*uri_found = TRUE;
+			current = fetch_crl(uri);
+			if (current)
+			{
+				if (!current->has_issuer(current, issuer))
+				{
+					DBG1(DBG_CFG, "issuer of fetched CRL '%Y' does not match CRL "
+						 "issuer '%Y'", current->get_issuer(current), issuer);
+					current->destroy(current);
+					continue;
+				}
+				*best = get_better_crl(current, *best, subject,
+									   &valid, auth, TRUE, base);
+				if (*best && valid != VALIDATION_STALE)
+				{
+					break;
+				}
+			}
+		}
+		enumerator->destroy(enumerator);
+	}
+	return valid;
+}
+
+/**
+ * Look for a delta CRL for a given base CRL
+ */
+static cert_validation_t check_delta_crl(x509_t *subject, x509_t *issuer,
+					crl_t *base, cert_validation_t base_valid, auth_cfg_t *auth)
+{
+	cert_validation_t valid = VALIDATION_SKIPPED;
+	certificate_t *best = NULL, *current;
 	enumerator_t *enumerator;
+	identification_t *id;
+	x509_cdp_t *cdp;
 	chunk_t chunk;
-	char *uri = NULL;
+	bool uri;
 
-	/* derive the authorityKeyIdentifier from the issuer's public key */
-	current = &issuer->interface;
-	public = current->get_public_key(current);
-	if (public && public->get_fingerprint(public, KEYID_PUBKEY_SHA1, &chunk))
+	/* find cached delta CRL via subjectKeyIdentifier */
+	chunk = issuer->get_subjectKeyIdentifier(issuer);
+	if (chunk.len)
 	{
-		keyid = identification_create_from_encoding(ID_KEY_ID, chunk);
+		id = identification_create_from_encoding(ID_KEY_ID, chunk);
+		valid = find_crl(subject, id, auth, base, &best, &uri);
+		id->destroy(id);
+	}
 
-		/* find a cached crl by authorityKeyIdentifier */
-		enumerator = lib->credmgr->create_cert_enumerator(lib->credmgr,
-										CERT_X509_CRL, KEY_ANY, keyid, FALSE);
-		while (enumerator->enumerate(enumerator, &current))
+	/* find delta CRL by CRLIssuer */
+	enumerator = subject->create_crl_uri_enumerator(subject);
+	while (valid != VALIDATION_GOOD && valid != VALIDATION_REVOKED &&
+		   enumerator->enumerate(enumerator, &cdp))
+	{
+		if (cdp->issuer)
 		{
-			current->get_ref(current);
-			best = get_better_crl(current, best, subject, issuer,
-								  &valid, FALSE);
+			valid = find_crl(subject, cdp->issuer, auth, base, &best, &uri);
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	/* fetch from URIs found in Freshest CRL extension */
+	enumerator = base->create_delta_crl_uri_enumerator(base);
+	while (valid != VALIDATION_GOOD && valid != VALIDATION_REVOKED &&
+		   enumerator->enumerate(enumerator, &cdp))
+	{
+		current = fetch_crl(cdp->uri);
+		if (current)
+		{
+			if (cdp->issuer && !current->has_issuer(current, cdp->issuer))
+			{
+				DBG1(DBG_CFG, "issuer of fetched delta CRL '%Y' does not match "
+					 "certificates CRL issuer '%Y'",
+					 current->get_issuer(current), cdp->issuer);
+				current->destroy(current);
+				continue;
+			}
+			best = get_better_crl(current, best, subject, &valid,
+								  auth, TRUE, base);
 			if (best && valid != VALIDATION_STALE)
 			{
-				DBG1(DBG_CFG, "  using cached crl");
 				break;
 			}
 		}
-		enumerator->destroy(enumerator);
+	}
+	enumerator->destroy(enumerator);
+
+	if (best)
+	{
+		best->destroy(best);
+		return valid;
+	}
+	return base_valid;
+}
+
+
+/**
+ * validate a x509 certificate using CRL
+ */
+static cert_validation_t check_crl(x509_t *subject, x509_t *issuer,
+								   auth_cfg_t *auth)
+{
+	cert_validation_t valid = VALIDATION_SKIPPED;
+	certificate_t *best = NULL;
+	identification_t *id;
+	x509_cdp_t *cdp;
+	bool uri_found = FALSE;
+	certificate_t *current;
+	enumerator_t *enumerator;
+	chunk_t chunk;
+
+	/* use issuers subjectKeyIdentifier to find a cached CRL / fetch from CDP */
+	chunk = issuer->get_subjectKeyIdentifier(issuer);
+	if (chunk.len)
+	{
+		id = identification_create_from_encoding(ID_KEY_ID, chunk);
+		valid = find_crl(subject, id, auth, NULL, &best, &uri_found);
+		id->destroy(id);
+	}
 
-		/* fallback to fetching crls from credential sets cdps */
-		if (valid != VALIDATION_GOOD && valid != VALIDATION_REVOKED)
+	/* find a cached CRL or fetch via configured CDP via CRLIssuer */
+	enumerator = subject->create_crl_uri_enumerator(subject);
+	while (valid != VALIDATION_GOOD && valid != VALIDATION_REVOKED &&
+		   enumerator->enumerate(enumerator, &cdp))
+	{
+		if (cdp->issuer)
 		{
-			enumerator = lib->credmgr->create_cdp_enumerator(lib->credmgr,
-														CERT_X509_CRL, keyid);
-			while (enumerator->enumerate(enumerator, &uri))
-			{
-				current = fetch_crl(uri);
-				if (current)
-				{
-					best = get_better_crl(current, best, subject, issuer,
-										  &valid, TRUE);
-					if (best && valid != VALIDATION_STALE)
-					{
-						break;
-					}
-				}
-			}
-			enumerator->destroy(enumerator);
+			valid = find_crl(subject, cdp->issuer, auth, NULL,
+							 &best, &uri_found);
 		}
-		keyid->destroy(keyid);
 	}
-	DESTROY_IF(public);
+	enumerator->destroy(enumerator);
 
-	/* fallback to fetching crls from cdps from subject's certificate */
+	/* fallback to fetching CRLs from CDPs found in subjects certificate */
 	if (valid != VALIDATION_GOOD && valid != VALIDATION_REVOKED)
 	{
 		enumerator = subject->create_crl_uri_enumerator(subject);
-
-		while (enumerator->enumerate(enumerator, &uri))
+		while (enumerator->enumerate(enumerator, &cdp))
 		{
-			current = fetch_crl(uri);
+			uri_found = TRUE;
+			current = fetch_crl(cdp->uri);
 			if (current)
 			{
-				best = get_better_crl(current, best, subject, issuer,
-									  &valid, TRUE);
+				if (cdp->issuer && !current->has_issuer(current, cdp->issuer))
+				{
+					DBG1(DBG_CFG, "issuer of fetched CRL '%Y' does not match "
+						 "certificates CRL issuer '%Y'",
+						 current->get_issuer(current), cdp->issuer);
+					current->destroy(current);
+					continue;
+				}
+				best = get_better_crl(current, best, subject, &valid,
+									  auth, TRUE, NULL);
 				if (best && valid != VALIDATION_STALE)
 				{
 					break;
@@ -493,8 +635,14 @@ static cert_validation_t check_crl(x509_t *subject, x509_t *issuer,
 		enumerator->destroy(enumerator);
 	}
 
+	/* look for delta CRLs */
+	if (best && (valid == VALIDATION_GOOD || valid == VALIDATION_STALE))
+	{
+		valid = check_delta_crl(subject, issuer, (crl_t*)best, valid, auth);
+	}
+
 	/* an uri was found, but no result. switch validation state to failed */
-	if (valid == VALIDATION_SKIPPED && uri)
+	if (valid == VALIDATION_SKIPPED && uri_found)
 	{
 		valid = VALIDATION_FAILED;
 	}
@@ -517,7 +665,8 @@ static cert_validation_t check_crl(x509_t *subject, x509_t *issuer,
 
 METHOD(cert_validator_t, validate, bool,
 	private_revocation_validator_t *this, certificate_t *subject,
-	certificate_t *issuer, bool online, int pathlen, auth_cfg_t *auth)
+	certificate_t *issuer, bool online, u_int pathlen, bool anchor,
+	auth_cfg_t *auth)
 {
 	if (subject->get_type(subject) == CERT_X509 &&
 		issuer->get_type(issuer) == CERT_X509 &&
@@ -525,7 +674,8 @@ METHOD(cert_validator_t, validate, bool,
 	{
 		DBG1(DBG_CFG, "checking certificate status of \"%Y\"",
 					   subject->get_subject(subject));
-		switch (check_ocsp((x509_t*)subject, (x509_t*)issuer, auth))
+		switch (check_ocsp((x509_t*)subject, (x509_t*)issuer,
+						   pathlen ? NULL : auth))
 		{
 			case VALIDATION_GOOD:
 				DBG1(DBG_CFG, "certificate status is good");
@@ -543,7 +693,8 @@ METHOD(cert_validator_t, validate, bool,
 				DBG1(DBG_CFG, "ocsp check failed, fallback to crl");
 				break;
 		}
-		switch (check_crl((x509_t*)subject, (x509_t*)issuer, auth))
+		switch (check_crl((x509_t*)subject, (x509_t*)issuer,
+						  pathlen ? NULL : auth))
 		{
 			case VALIDATION_GOOD:
 				DBG1(DBG_CFG, "certificate status is good");
diff --git a/src/libstrongswan/plugins/sha1/Makefile.in b/src/libstrongswan/plugins/sha1/Makefile.in
index 1036bedfc..3d96f4339 100644
--- a/src/libstrongswan/plugins/sha1/Makefile.in
+++ b/src/libstrongswan/plugins/sha1/Makefile.in
@@ -220,9 +220,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -261,6 +259,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libstrongswan/plugins/sha1/sha1_plugin.c b/src/libstrongswan/plugins/sha1/sha1_plugin.c
index 7b9cf878f..dda2cbc1a 100644
--- a/src/libstrongswan/plugins/sha1/sha1_plugin.c
+++ b/src/libstrongswan/plugins/sha1/sha1_plugin.c
@@ -19,6 +19,8 @@
 #include "sha1_hasher.h"
 #include "sha1_prf.h"
 
+static const char *plugin_name = "sha1";
+
 typedef struct private_sha1_plugin_t private_sha1_plugin_t;
 
 /**
@@ -32,10 +34,8 @@ struct private_sha1_plugin_t {
 	sha1_plugin_t public;
 };
 
-/**
- * Implementation of sha1_plugin_t.destroy
- */
-static void destroy(private_sha1_plugin_t *this)
+METHOD(plugin_t, destroy, void,
+	private_sha1_plugin_t *this)
 {
 	lib->crypto->remove_hasher(lib->crypto,
 							   (hasher_constructor_t)sha1_hasher_create);
@@ -49,13 +49,19 @@ static void destroy(private_sha1_plugin_t *this)
  */
 plugin_t *sha1_plugin_create()
 {
-	private_sha1_plugin_t *this = malloc_thing(private_sha1_plugin_t);
+	private_sha1_plugin_t *this;
 
-	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+	INIT(this,
+		.public = {
+			.plugin = {
+				.destroy = _destroy,
+			},
+		},
+	);
 
-	lib->crypto->add_hasher(lib->crypto, HASH_SHA1,
+	lib->crypto->add_hasher(lib->crypto, HASH_SHA1, plugin_name,
 							(hasher_constructor_t)sha1_hasher_create);
-	lib->crypto->add_prf(lib->crypto, PRF_KEYED_SHA1,
+	lib->crypto->add_prf(lib->crypto, PRF_KEYED_SHA1, plugin_name,
 							(prf_constructor_t)sha1_prf_create);
 
 	return &this->public.plugin;
diff --git a/src/libstrongswan/plugins/sha2/Makefile.in b/src/libstrongswan/plugins/sha2/Makefile.in
index 579e6f9b0..fcbfa0c44 100644
--- a/src/libstrongswan/plugins/sha2/Makefile.in
+++ b/src/libstrongswan/plugins/sha2/Makefile.in
@@ -219,9 +219,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -260,6 +258,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libstrongswan/plugins/sha2/sha2_plugin.c b/src/libstrongswan/plugins/sha2/sha2_plugin.c
index 810d9922a..a5937dbb2 100644
--- a/src/libstrongswan/plugins/sha2/sha2_plugin.c
+++ b/src/libstrongswan/plugins/sha2/sha2_plugin.c
@@ -18,6 +18,8 @@
 #include <library.h>
 #include "sha2_hasher.h"
 
+static const char *plugin_name = "sha2";
+
 typedef struct private_sha2_plugin_t private_sha2_plugin_t;
 
 /**
@@ -31,10 +33,8 @@ struct private_sha2_plugin_t {
 	sha2_plugin_t public;
 };
 
-/**
- * Implementation of sha2_plugin_t.destroy
- */
-static void destroy(private_sha2_plugin_t *this)
+METHOD(plugin_t, destroy, void,
+	private_sha2_plugin_t *this)
 {
 	lib->crypto->remove_hasher(lib->crypto,
 							   (hasher_constructor_t)sha2_hasher_create);
@@ -46,17 +46,23 @@ static void destroy(private_sha2_plugin_t *this)
  */
 plugin_t *sha2_plugin_create()
 {
-	private_sha2_plugin_t *this = malloc_thing(private_sha2_plugin_t);
+	private_sha2_plugin_t *this;
 
-	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+	INIT(this,
+		.public = {
+			.plugin = {
+				.destroy = _destroy,
+			},
+		},
+	);
 
-	lib->crypto->add_hasher(lib->crypto, HASH_SHA224,
+	lib->crypto->add_hasher(lib->crypto, HASH_SHA224, plugin_name,
 							(hasher_constructor_t)sha2_hasher_create);
-	lib->crypto->add_hasher(lib->crypto, HASH_SHA256,
+	lib->crypto->add_hasher(lib->crypto, HASH_SHA256, plugin_name,
 							(hasher_constructor_t)sha2_hasher_create);
-	lib->crypto->add_hasher(lib->crypto, HASH_SHA384,
+	lib->crypto->add_hasher(lib->crypto, HASH_SHA384, plugin_name,
 							(hasher_constructor_t)sha2_hasher_create);
-	lib->crypto->add_hasher(lib->crypto, HASH_SHA512,
+	lib->crypto->add_hasher(lib->crypto, HASH_SHA512, plugin_name,
 							(hasher_constructor_t)sha2_hasher_create);
 
 	return &this->public.plugin;
diff --git a/src/libstrongswan/plugins/soup/Makefile.am b/src/libstrongswan/plugins/soup/Makefile.am
new file mode 100644
index 000000000..9006f1b7c
--- /dev/null
+++ b/src/libstrongswan/plugins/soup/Makefile.am
@@ -0,0 +1,16 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan ${soup_CFLAGS}
+
+AM_CFLAGS = -rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-soup.la
+else
+plugin_LTLIBRARIES = libstrongswan-soup.la
+endif
+
+libstrongswan_soup_la_SOURCES = \
+	soup_plugin.h soup_plugin.c soup_fetcher.c soup_fetcher.h
+
+libstrongswan_soup_la_LDFLAGS = -module -avoid-version
+libstrongswan_soup_la_LIBADD  = ${soup_LIBS}
diff --git a/src/libstrongswan/plugins/soup/Makefile.in b/src/libstrongswan/plugins/soup/Makefile.in
new file mode 100644
index 000000000..35d175f95
--- /dev/null
+++ b/src/libstrongswan/plugins/soup/Makefile.in
@@ -0,0 +1,601 @@
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libstrongswan/plugins/soup
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+am__DEPENDENCIES_1 =
+libstrongswan_soup_la_DEPENDENCIES = $(am__DEPENDENCIES_1)
+am_libstrongswan_soup_la_OBJECTS = soup_plugin.lo soup_fetcher.lo
+libstrongswan_soup_la_OBJECTS = $(am_libstrongswan_soup_la_OBJECTS)
+libstrongswan_soup_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_soup_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_soup_la_rpath = -rpath $(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_soup_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_soup_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_soup_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan ${soup_CFLAGS}
+AM_CFLAGS = -rdynamic
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-soup.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-soup.la
+libstrongswan_soup_la_SOURCES = \
+	soup_plugin.h soup_plugin.c soup_fetcher.c soup_fetcher.h
+
+libstrongswan_soup_la_LDFLAGS = -module -avoid-version
+libstrongswan_soup_la_LIBADD = ${soup_LIBS}
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/soup/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libstrongswan/plugins/soup/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-soup.la: $(libstrongswan_soup_la_OBJECTS) $(libstrongswan_soup_la_DEPENDENCIES) 
+	$(libstrongswan_soup_la_LINK) $(am_libstrongswan_soup_la_rpath) $(libstrongswan_soup_la_OBJECTS) $(libstrongswan_soup_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/soup_fetcher.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/soup_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libstrongswan/plugins/soup/soup_fetcher.c b/src/libstrongswan/plugins/soup/soup_fetcher.c
new file mode 100644
index 000000000..fd97631bd
--- /dev/null
+++ b/src/libstrongswan/plugins/soup/soup_fetcher.c
@@ -0,0 +1,159 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "soup_fetcher.h"
+
+#include <libsoup/soup.h>
+
+#include <library.h>
+#include <debug.h>
+
+#define DEFAULT_TIMEOUT 10
+
+typedef struct private_soup_fetcher_t private_soup_fetcher_t;
+
+/**
+ * private data of a soup_fetcher_t object.
+ */
+struct private_soup_fetcher_t {
+
+	/**
+	 * Public data
+	 */
+	soup_fetcher_t public;
+
+	/**
+	 * HTTP request method
+	 */
+	const char *method;
+
+	/**
+	 * Request content type
+	 */
+	char *type;
+
+	/**
+	 * Request data
+	 */
+	chunk_t data;
+
+	/**
+	 * Request timeout
+	 */
+	u_int timeout;
+
+	/**
+	 * HTTP request version
+	 */
+	SoupHTTPVersion version;
+};
+
+METHOD(fetcher_t, fetch, status_t,
+	private_soup_fetcher_t *this, char *uri, chunk_t *result)
+{
+	SoupSession *session;
+	SoupMessage *message;
+	status_t status = FAILED;
+
+	message = soup_message_new(this->method, uri);
+	if (!message)
+	{
+		return NOT_SUPPORTED;
+	}
+	if (this->type)
+	{
+		soup_message_set_request(message, this->type, SOUP_MEMORY_STATIC,
+								 this->data.ptr, this->data.len);
+	}
+	soup_message_set_http_version(message, this->version);
+	session = soup_session_sync_new();
+	g_object_set(G_OBJECT(session),
+				 SOUP_SESSION_TIMEOUT, (guint)this->timeout, NULL);
+
+	DBG2(DBG_LIB, "sending http request to '%s'...", uri);
+	soup_session_send_message(session, message);
+	if (SOUP_STATUS_IS_SUCCESSFUL(message->status_code))
+	{
+		*result = chunk_clone(chunk_create((u_char*)message->response_body->data,
+										   message->response_body->length));
+		status = SUCCESS;
+	}
+	else
+	{
+		DBG1(DBG_LIB, "HTTP request failed, code %d", message->status_code);
+	}
+	g_object_unref(G_OBJECT(message));
+	g_object_unref(G_OBJECT(session));
+	return status;
+}
+
+METHOD(fetcher_t, set_option, bool,
+	private_soup_fetcher_t *this, fetcher_option_t option, ...)
+{
+	bool supported = TRUE;
+	va_list args;
+
+	va_start(args, option);
+	switch (option)
+	{
+		case FETCH_REQUEST_DATA:
+			this->method = SOUP_METHOD_POST;
+			this->data = va_arg(args, chunk_t);
+			break;
+		case FETCH_REQUEST_TYPE:
+			this->type = va_arg(args, char*);
+			break;
+		case FETCH_HTTP_VERSION_1_0:
+			this->version = SOUP_HTTP_1_0;
+			break;
+		case FETCH_TIMEOUT:
+			this->timeout = va_arg(args, u_int);
+			break;
+		default:
+			supported = FALSE;
+			break;
+	}
+	va_end(args);
+	return supported;
+}
+
+METHOD(fetcher_t, destroy, void,
+	private_soup_fetcher_t *this)
+{
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+soup_fetcher_t *soup_fetcher_create()
+{
+	private_soup_fetcher_t *this;
+
+	INIT(this,
+		.public = {
+			.interface = {
+				.fetch = _fetch,
+				.set_option = _set_option,
+				.destroy = _destroy,
+			},
+		},
+		.method = SOUP_METHOD_GET,
+		.version = SOUP_HTTP_1_1,
+		.timeout = DEFAULT_TIMEOUT,
+	);
+
+	return &this->public;
+}
diff --git a/src/libstrongswan/plugins/soup/soup_fetcher.h b/src/libstrongswan/plugins/soup/soup_fetcher.h
new file mode 100644
index 000000000..9b2579515
--- /dev/null
+++ b/src/libstrongswan/plugins/soup/soup_fetcher.h
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup soup_fetcher soup_fetcher
+ * @{ @ingroup soup_p
+ */
+
+#ifndef SOUP_FETCHER_H_
+#define SOUP_FETCHER_H_
+
+#include <library.h>
+
+typedef struct soup_fetcher_t soup_fetcher_t;
+
+/**
+ * Fetcher implementation for HTTP using libsoup.
+ */
+struct soup_fetcher_t {
+
+	/**
+	 * Implements fetcher interface.
+	 */
+	fetcher_t interface;
+};
+
+/**
+ * Create a soup_fetcher instance.
+ */
+soup_fetcher_t *soup_fetcher_create();
+
+#endif /** SOUP_FETCHER_H_ @}*/
diff --git a/src/libstrongswan/plugins/soup/soup_plugin.c b/src/libstrongswan/plugins/soup/soup_plugin.c
new file mode 100644
index 000000000..970e32472
--- /dev/null
+++ b/src/libstrongswan/plugins/soup/soup_plugin.c
@@ -0,0 +1,72 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "soup_plugin.h"
+#include "soup_fetcher.h"
+
+#include <glib.h>
+#include <glib-object.h>
+
+#include <library.h>
+
+typedef struct private_soup_plugin_t private_soup_plugin_t;
+
+/**
+ * private data of soup_plugin
+ */
+struct private_soup_plugin_t {
+
+	/**
+	 * public functions
+	 */
+	soup_plugin_t public;
+};
+
+METHOD(plugin_t, destroy, void,
+	private_soup_plugin_t *this)
+{
+	lib->fetcher->remove_fetcher(lib->fetcher,
+								 (fetcher_constructor_t)soup_fetcher_create);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *soup_plugin_create()
+{
+	private_soup_plugin_t *this;
+
+	g_type_init();
+	if (!g_thread_get_initialized())
+	{
+		g_thread_init(NULL);
+	}
+
+	INIT(this,
+		.public = {
+			.plugin = {
+				.destroy = _destroy,
+			},
+		},
+	);
+
+	lib->fetcher->add_fetcher(lib->fetcher,
+					(fetcher_constructor_t)soup_fetcher_create, "http://");
+	lib->fetcher->add_fetcher(lib->fetcher,
+					(fetcher_constructor_t)soup_fetcher_create, "https://");
+
+	return &this->public.plugin;
+}
diff --git a/src/libstrongswan/plugins/soup/soup_plugin.h b/src/libstrongswan/plugins/soup/soup_plugin.h
new file mode 100644
index 000000000..2dfa1d243
--- /dev/null
+++ b/src/libstrongswan/plugins/soup/soup_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup soup_p soup
+ * @ingroup plugins
+ *
+ * @defgroup soup_plugin soup_plugin
+ * @{ @ingroup soup_p
+ */
+
+#ifndef SOUP_PLUGIN_H_
+#define SOUP_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct soup_plugin_t soup_plugin_t;
+
+/**
+ * Plugin implementing fetcher interface for HTTP using libsoup.
+ */
+struct soup_plugin_t {
+
+	/**
+	 * Implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+#endif /** SOUP_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/sqlite/Makefile.in b/src/libstrongswan/plugins/sqlite/Makefile.in
index 9c9b57f98..ae015d1a8 100644
--- a/src/libstrongswan/plugins/sqlite/Makefile.in
+++ b/src/libstrongswan/plugins/sqlite/Makefile.in
@@ -222,9 +222,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -263,6 +261,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libstrongswan/plugins/sqlite/sqlite_database.c b/src/libstrongswan/plugins/sqlite/sqlite_database.c
index 3e20dbb51..f9e06199e 100644
--- a/src/libstrongswan/plugins/sqlite/sqlite_database.c
+++ b/src/libstrongswan/plugins/sqlite/sqlite_database.c
@@ -213,10 +213,8 @@ static bool sqlite_enumerator_enumerate(sqlite_enumerator_t *this, ...)
 	return TRUE;
 }
 
-/**
- * Implementation of database_t.query.
- */
-static enumerator_t* query(private_sqlite_database_t *this, char *sql, ...)
+METHOD(database_t, query, enumerator_t*,
+	private_sqlite_database_t *this, char *sql, ...)
 {
 	sqlite3_stmt *stmt;
 	va_list args;
@@ -248,10 +246,8 @@ static enumerator_t* query(private_sqlite_database_t *this, char *sql, ...)
 	return (enumerator_t*)enumerator;
 }
 
-/**
- * Implementation of database_t.execute.
- */
-static int execute(private_sqlite_database_t *this, int *rowid, char *sql, ...)
+METHOD(database_t, execute, int,
+	private_sqlite_database_t *this, int *rowid, char *sql, ...)
 {
 	sqlite3_stmt *stmt;
 	int affected = -1;
@@ -283,10 +279,8 @@ static int execute(private_sqlite_database_t *this, int *rowid, char *sql, ...)
 	return affected;
 }
 
-/**
- * Implementation of database_t.get_driver
- */
-static db_driver_t get_driver(private_sqlite_database_t *this)
+METHOD(database_t, get_driver, db_driver_t,
+	private_sqlite_database_t *this)
 {
 	return DB_SQLITE;
 }
@@ -302,10 +296,8 @@ static int busy_handler(private_sqlite_database_t *this, int count)
 	return 1;
 }
 
-/**
- * Implementation of database_t.destroy
- */
-static void destroy(private_sqlite_database_t *this)
+METHOD(database_t, destroy, void,
+	private_sqlite_database_t *this)
 {
 	sqlite3_close(this->db);
 	this->mutex->destroy(this->mutex);
@@ -329,20 +321,23 @@ sqlite_database_t *sqlite_database_create(char *uri)
 	}
 	file = uri + 9;
 
-	this = malloc_thing(private_sqlite_database_t);
-
-	this->public.db.query = (enumerator_t* (*)(database_t *this, char *sql, ...))query;
-	this->public.db.execute = (int (*)(database_t *this, int *rowid, char *sql, ...))execute;
-	this->public.db.get_driver = (db_driver_t(*)(database_t*))get_driver;
-	this->public.db.destroy = (void(*)(database_t*))destroy;
-
-	this->mutex = mutex_create(MUTEX_TYPE_RECURSIVE);
+	INIT(this,
+		.public = {
+			.db = {
+				.query = _query,
+				.execute = _execute,
+				.get_driver = _get_driver,
+				.destroy = _destroy,
+			},
+		},
+		.mutex = mutex_create(MUTEX_TYPE_RECURSIVE),
+	);
 
 	if (sqlite3_open(file, &this->db) != SQLITE_OK)
 	{
 		DBG1(DBG_LIB, "opening SQLite database '%s' failed: %s",
 			 file, sqlite3_errmsg(this->db));
-		destroy(this);
+		_destroy(this);
 		return NULL;
 	}
 
diff --git a/src/libstrongswan/plugins/sqlite/sqlite_plugin.c b/src/libstrongswan/plugins/sqlite/sqlite_plugin.c
index 332d82318..e0b8e6ce1 100644
--- a/src/libstrongswan/plugins/sqlite/sqlite_plugin.c
+++ b/src/libstrongswan/plugins/sqlite/sqlite_plugin.c
@@ -31,10 +31,8 @@ struct private_sqlite_plugin_t {
 	sqlite_plugin_t public;
 };
 
-/**
- * Implementation of plugin_t.destroy
- */
-static void destroy(private_sqlite_plugin_t *this)
+METHOD(plugin_t, destroy, void,
+	private_sqlite_plugin_t *this)
 {
 	lib->db->remove_database(lib->db,
 							 (database_constructor_t)sqlite_database_create);
@@ -46,9 +44,15 @@ static void destroy(private_sqlite_plugin_t *this)
  */
 plugin_t *sqlite_plugin_create()
 {
-	private_sqlite_plugin_t *this = malloc_thing(private_sqlite_plugin_t);
-
-	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+	private_sqlite_plugin_t *this;
+
+	INIT(this,
+		.public = {
+			.plugin = {
+				.destroy = _destroy,
+			},
+		},
+	);
 
 	lib->db->add_database(lib->db,
 						  (database_constructor_t)sqlite_database_create);
diff --git a/src/libstrongswan/plugins/test_vectors/Makefile.in b/src/libstrongswan/plugins/test_vectors/Makefile.in
index 9be3f825a..9dccb05e3 100644
--- a/src/libstrongswan/plugins/test_vectors/Makefile.in
+++ b/src/libstrongswan/plugins/test_vectors/Makefile.in
@@ -227,9 +227,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -268,6 +266,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors_plugin.c b/src/libstrongswan/plugins/test_vectors/test_vectors_plugin.c
index f3a254d8d..176bc438d 100644
--- a/src/libstrongswan/plugins/test_vectors/test_vectors_plugin.c
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors_plugin.c
@@ -104,10 +104,8 @@ struct private_test_vectors_plugin_t {
 	test_vectors_plugin_t public;
 };
 
-/**
- * Implementation of test_vectors_plugin_t.test_vectorstroy
- */
-static void destroy(private_test_vectors_plugin_t *this)
+METHOD(plugin_t, destroy, void,
+	private_test_vectors_plugin_t *this)
 {
 	free(this);
 }
@@ -117,10 +115,16 @@ static void destroy(private_test_vectors_plugin_t *this)
  */
 plugin_t *test_vectors_plugin_create()
 {
-	private_test_vectors_plugin_t *this = malloc_thing(private_test_vectors_plugin_t);
+	private_test_vectors_plugin_t *this;
 	int i;
 
-	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+	INIT(this,
+		.public = {
+			.plugin = {
+				.destroy = _destroy,
+			},
+		},
+	);
 
 	for (i = 0; i < countof(crypter); i++)
 	{
diff --git a/src/libstrongswan/plugins/x509/Makefile.in b/src/libstrongswan/plugins/x509/Makefile.in
index b1cc2f168..57deab98e 100644
--- a/src/libstrongswan/plugins/x509/Makefile.in
+++ b/src/libstrongswan/plugins/x509/Makefile.in
@@ -221,9 +221,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -262,6 +260,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c
index 559090aa0..526dbe8c6 100644
--- a/src/libstrongswan/plugins/x509/x509_cert.c
+++ b/src/libstrongswan/plugins/x509/x509_cert.c
@@ -117,7 +117,7 @@ struct private_x509_cert_t {
 	linked_list_t *subjectAltNames;
 
 	/**
-	 * List of crlDistributionPoints as allocated char*
+	 * List of crlDistributionPoints as x509_cdp_t*
 	 */
 	linked_list_t *crl_uris;
 
@@ -131,6 +131,26 @@ struct private_x509_cert_t {
 	 */
 	linked_list_t *ipAddrBlocks;
 
+	/**
+	 * List of permitted name constraints
+	 */
+	linked_list_t *permitted_names;
+
+	/**
+	 * List of exluced name constraints
+	 */
+	linked_list_t *excluded_names;
+
+	/**
+	 * List of certificatePolicies, as x509_cert_policy_t
+	 */
+	linked_list_t *cert_policies;
+
+	/**
+	 * List of policyMappings, as x509_policy_mapping_t
+	 */
+	linked_list_t *policy_mappings;
+
 	/**
 	 * certificate's embedded public key
 	 */
@@ -154,7 +174,22 @@ struct private_x509_cert_t {
 	/**
 	 * Path Length Constraint
 	 */
-	int pathLenConstraint;
+	u_char pathLenConstraint;
+
+	/**
+	 * requireExplicitPolicy Constraint
+	 */
+	u_char require_explicit;
+
+	/**
+	 * inhibitPolicyMapping Constraint
+	 */
+	u_char inhibit_mapping;
+
+	/**
+	 * inhibitAnyPolicy Constraint
+	 */
+	u_char inhibit_any;
 
 	/**
 	 * x509 constraints and other flags
@@ -186,6 +221,53 @@ static const chunk_t ASN1_subjectAltName_oid = chunk_from_chars(
 	0x06, 0x03, 0x55, 0x1D, 0x11
 );
 
+/**
+ * Destroy a CertificateDistributionPoint
+ */
+static void crl_uri_destroy(x509_cdp_t *this)
+{
+	free(this->uri);
+	DESTROY_IF(this->issuer);
+	free(this);
+}
+
+/**
+ * Destroy a CertificatePolicy
+ */
+static void cert_policy_destroy(x509_cert_policy_t *this)
+{
+	free(this->oid.ptr);
+	free(this->cps_uri);
+	free(this->unotice_text);
+	free(this);
+}
+
+/**
+ * Free policy mapping
+ */
+static void policy_mapping_destroy(x509_policy_mapping_t *mapping)
+{
+	free(mapping->issuer.ptr);
+	free(mapping->subject.ptr);
+	free(mapping);
+}
+
+/**
+ * Parse a length constraint from an unwrapped integer
+ */
+static u_int parse_constraint(chunk_t object)
+{
+	switch (object.len)
+	{
+		case 0:
+			return 0;
+		case 1:
+			return (object.ptr[0] & 0x80) ? X509_NO_CONSTRAINT : object.ptr[0];
+		default:
+			return X509_NO_CONSTRAINT;
+	}
+}
+
 /**
  * ASN.1 definition of a basicConstraints extension
  */
@@ -228,15 +310,7 @@ static void parse_basicConstraints(chunk_t blob, int level0,
 			case BASIC_CONSTRAINTS_PATH_LEN:
 				if (isCA)
 				{
-					if (object.len == 0)
-					{
-						this->pathLenConstraint = 0;
-					}
-					else if (object.len == 1)
-					{
-						this->pathLenConstraint = *object.ptr;
-					}
-					/* we ignore path length constraints > 127 */
+					this->pathLenConstraint = parse_constraint(object);
 				}
 				break;
 			default:
@@ -574,7 +648,7 @@ static void parse_authorityInfoAccess(chunk_t blob, int level0,
 						}
 						break;
 					default:
-						/* unkown accessMethod, ignoring */
+						/* unknown accessMethod, ignoring */
 						break;
 				}
 				break;
@@ -588,6 +662,60 @@ end:
 	parser->destroy(parser);
 }
 
+/**
+ * Extract KeyUsage flags
+ */
+static void parse_keyUsage(chunk_t blob, private_x509_cert_t *this)
+{
+	enum {
+		KU_DIGITAL_SIGNATURE =	0,
+		KU_NON_REPUDIATION =	1,
+		KU_KEY_ENCIPHERMENT =	2,
+		KU_DATA_ENCIPHERMENT =	3,
+		KU_KEY_AGREEMENT =		4,
+		KU_KEY_CERT_SIGN =		5,
+		KU_CRL_SIGN =			6,
+		KU_ENCIPHER_ONLY =		7,
+		KU_DECIPHER_ONLY =		8,
+	};
+
+	if (asn1_unwrap(&blob, &blob) == ASN1_BIT_STRING && blob.len)
+	{
+		int bit, byte, unused = blob.ptr[0];
+
+		blob = chunk_skip(blob, 1);
+		for (byte = 0; byte < blob.len; byte++)
+		{
+			for (bit = 0; bit < 8; bit++)
+			{
+				if (byte == blob.len - 1 && bit > (7 - unused))
+				{
+					break;
+				}
+				if (blob.ptr[byte] & 1 << (7 - bit))
+				{
+					switch (byte * 8 + bit)
+					{
+						case KU_CRL_SIGN:
+							this->flags |= X509_CRL_SIGN;
+							break;
+						case KU_KEY_CERT_SIGN:
+							/* we use the caBasicConstraint, MUST be set */
+						case KU_DIGITAL_SIGNATURE:
+						case KU_NON_REPUDIATION:
+						case KU_KEY_ENCIPHERMENT:
+						case KU_DATA_ENCIPHERMENT:
+						case KU_KEY_AGREEMENT:
+						case KU_ENCIPHER_ONLY:
+						case KU_DECIPHER_ONLY:
+							break;
+					}
+				}
+			}
+		}
+	}
+}
+
 /**
  * ASN.1 definition of a extendedKeyUsage extension
  */
@@ -600,7 +728,7 @@ static const asn1Object_t extendedKeyUsageObjects[] = {
 #define EXT_KEY_USAGE_PURPOSE_ID	1
 
 /**
- * Extracts extendedKeyUsage OIDs - currently only OCSP_SIGING is returned
+ * Extracts extendedKeyUsage OIDs
  */
 static void parse_extendedKeyUsage(chunk_t blob, int level0,
 								   private_x509_cert_t *this)
@@ -649,51 +777,328 @@ static const asn1Object_t crlDistributionPointsObjects[] = {
 	{ 2,     "end opt",				ASN1_EOC,			ASN1_END			}, /*  7 */
 	{ 2,     "reasons",				ASN1_CONTEXT_C_1,	ASN1_OPT|ASN1_BODY	}, /*  8 */
 	{ 2,     "end opt",				ASN1_EOC,			ASN1_END			}, /*  9 */
-	{ 2,     "crlIssuer",			ASN1_CONTEXT_C_2,	ASN1_OPT|ASN1_BODY	}, /* 10 */
+	{ 2,     "crlIssuer",			ASN1_CONTEXT_C_2,	ASN1_OPT|ASN1_OBJ	}, /* 10 */
 	{ 2,     "end opt",				ASN1_EOC,			ASN1_END			}, /* 11 */
 	{ 0, "end loop",				ASN1_EOC,			ASN1_END			}, /* 12 */
 	{ 0, "exit",					ASN1_EOC,			ASN1_EXIT			}
 };
+#define CRL_DIST_POINTS				 1
 #define CRL_DIST_POINTS_FULLNAME	 3
+#define CRL_DIST_POINTS_ISSUER		10
+
+/**
+ * Add entry to the list of each pairing of URI and Issuer
+ */
+static void add_cdps(linked_list_t *list, linked_list_t *uris,
+					 linked_list_t *issuers)
+{
+	identification_t *issuer, *id;
+	enumerator_t *enumerator;
+	x509_cdp_t *cdp;
+	char *uri;
+
+	while (uris->remove_last(uris, (void**)&id) == SUCCESS)
+	{
+		if (asprintf(&uri, "%Y", id) > 0)
+		{
+			if (issuers->get_count(issuers))
+			{
+				enumerator = issuers->create_enumerator(issuers);
+				while (enumerator->enumerate(enumerator, &issuer))
+				{
+					INIT(cdp,
+						.uri = strdup(uri),
+						.issuer = issuer->clone(issuer),
+					);
+					list->insert_last(list, cdp);
+				}
+				enumerator->destroy(enumerator);
+				free(uri);
+			}
+			else
+			{
+				INIT(cdp,
+					.uri = uri,
+				);
+				list->insert_last(list, cdp);
+			}
+		}
+		id->destroy(id);
+	}
+	while (issuers->remove_last(issuers, (void**)&id) == SUCCESS)
+	{
+		id->destroy(id);
+	}
+}
 
 /**
  * Extracts one or several crlDistributionPoints into a list
  */
-static void parse_crlDistributionPoints(chunk_t blob, int level0,
-										private_x509_cert_t *this)
+void x509_parse_crlDistributionPoints(chunk_t blob, int level0,
+									  linked_list_t *list)
 {
+	linked_list_t *uris, *issuers;
 	asn1_parser_t *parser;
 	chunk_t object;
 	int objectID;
-	linked_list_t *list = linked_list_create();
 
+	uris = linked_list_create();
+	issuers = linked_list_create();
 	parser = asn1_parser_create(crlDistributionPointsObjects, blob);
 	parser->set_top_level(parser, level0);
 
 	while (parser->iterate(parser, &objectID, &object))
 	{
-		if (objectID == CRL_DIST_POINTS_FULLNAME)
+		switch (objectID)
 		{
-			identification_t *id;
+			case CRL_DIST_POINTS:
+				add_cdps(list, uris, issuers);
+				break;
+			case CRL_DIST_POINTS_FULLNAME:
+				x509_parse_generalNames(object, parser->get_level(parser) + 1,
+										TRUE, uris);
+				break;
+			case CRL_DIST_POINTS_ISSUER:
+				x509_parse_generalNames(object, parser->get_level(parser) + 1,
+										TRUE, issuers);
+				break;
+			default:
+				break;
+		}
+	}
+	parser->destroy(parser);
 
-			/* append extracted generalNames to existing chained list */
-			x509_parse_generalNames(object, parser->get_level(parser)+1,
-									TRUE, list);
+	add_cdps(list, uris, issuers);
 
-			while (list->remove_last(list, (void**)&id) == SUCCESS)
-			{
-				char *uri;
+	uris->destroy(uris);
+	issuers->destroy(issuers);
+}
+
+/**
+ * ASN.1 definition of nameConstraints
+ */
+static const asn1Object_t nameConstraintsObjects[] = {
+	{ 0, "nameConstraints",			ASN1_SEQUENCE,		ASN1_LOOP			}, /*  0 */
+	{ 1,   "permittedSubtrees",		ASN1_CONTEXT_C_0,	ASN1_OPT|ASN1_LOOP	}, /*  1 */
+	{ 2,     "generalSubtree",		ASN1_SEQUENCE,		ASN1_BODY			}, /*  2 */
+	{ 1,   "end loop",				ASN1_EOC,			ASN1_END			}, /*  3 */
+	{ 1,   "excludedSubtrees",		ASN1_CONTEXT_C_1,	ASN1_OPT|ASN1_LOOP	}, /*  4 */
+	{ 2,     "generalSubtree",		ASN1_SEQUENCE,		ASN1_BODY			}, /*  5 */
+	{ 1,   "end loop",				ASN1_EOC,			ASN1_END			}, /*  6 */
+	{ 0, "end loop",				ASN1_EOC,			ASN1_END			}, /*  7 */
+	{ 0, "exit",					ASN1_EOC,			ASN1_EXIT			}
+};
+#define NAME_CONSTRAINT_PERMITTED 2
+#define NAME_CONSTRAINT_EXCLUDED  5
+
+/**
+ * Parse permitted/excluded nameConstraints
+ */
+static void parse_nameConstraints(chunk_t blob, int level0,
+								  private_x509_cert_t *this)
+{
+	asn1_parser_t *parser;
+	identification_t *id;
+	chunk_t object;
+	int objectID;
+
+	parser = asn1_parser_create(nameConstraintsObjects, blob);
+	parser->set_top_level(parser, level0);
 
-				if (asprintf(&uri, "%Y", id) > 0)
+	while (parser->iterate(parser, &objectID, &object))
+	{
+		switch (objectID)
+		{
+			case NAME_CONSTRAINT_PERMITTED:
+				id = parse_generalName(object, parser->get_level(parser) + 1);
+				if (id)
 				{
-					this->crl_uris->insert_last(this->crl_uris, uri);
+					this->permitted_names->insert_last(this->permitted_names, id);
 				}
-				id->destroy(id);
-			}
+				break;
+			case NAME_CONSTRAINT_EXCLUDED:
+				id = parse_generalName(object, parser->get_level(parser) + 1);
+				if (id)
+				{
+					this->excluded_names->insert_last(this->excluded_names, id);
+				}
+				break;
+			default:
+				break;
+		}
+	}
+	parser->destroy(parser);
+}
+
+/**
+ * ASN.1 definition of a certificatePolicies extension
+ */
+static const asn1Object_t certificatePoliciesObject[] = {
+	{ 0, "certificatePolicies",		ASN1_SEQUENCE,	ASN1_LOOP			}, /*  0 */
+	{ 1,   "policyInformation",		ASN1_SEQUENCE,	ASN1_NONE			}, /*  1 */
+	{ 2,     "policyId",			ASN1_OID,		ASN1_BODY			}, /*  2 */
+	{ 2,     "qualifier",			ASN1_SEQUENCE,	ASN1_OPT|ASN1_BODY	}, /*  3 */
+	{ 3,       "qualifierInfo",		ASN1_SEQUENCE,	ASN1_NONE			}, /*  4 */
+	{ 4,         "qualifierId",		ASN1_OID,		ASN1_BODY			}, /*  5 */
+	{ 4,         "cPSuri",			ASN1_IA5STRING,	ASN1_OPT|ASN1_BODY	}, /*  6 */
+	{ 4,         "end choice",		ASN1_EOC,		ASN1_END			}, /*  7 */
+	{ 4,         "userNotice",		ASN1_SEQUENCE,	ASN1_OPT|ASN1_NONE	}, /*  8 */
+	{ 5,           "explicitText",	ASN1_EOC,		ASN1_RAW			}, /*  9 */
+	{ 4,         "end choice",		ASN1_EOC,		ASN1_END			}, /* 10 */
+	{ 2,      "end opt",			ASN1_EOC,		ASN1_END			}, /* 12 */
+	{ 0, "end loop",				ASN1_EOC,		ASN1_END			}, /* 13 */
+	{ 0, "exit",					ASN1_EOC,		ASN1_EXIT			}
+};
+#define CERT_POLICY_ID				2
+#define CERT_POLICY_QUALIFIER_ID	5
+#define CERT_POLICY_CPS_URI			6
+#define CERT_POLICY_EXPLICIT_TEXT	9
+
+/**
+ * Parse certificatePolicies
+ */
+static void parse_certificatePolicies(chunk_t blob, int level0,
+									  private_x509_cert_t *this)
+{
+	x509_cert_policy_t *policy = NULL;
+	asn1_parser_t *parser;
+	chunk_t object;
+	int objectID, qualifier = OID_UNKNOWN;
+
+	parser = asn1_parser_create(certificatePoliciesObject, blob);
+	parser->set_top_level(parser, level0);
+
+	while (parser->iterate(parser, &objectID, &object))
+	{
+		switch (objectID)
+		{
+			case CERT_POLICY_ID:
+				INIT(policy,
+					.oid = chunk_clone(object),
+				);
+				this->cert_policies->insert_last(this->cert_policies, policy);
+				break;
+			case CERT_POLICY_QUALIFIER_ID:
+				qualifier = asn1_known_oid(object);
+				break;
+			case CERT_POLICY_CPS_URI:
+				if (policy && !policy->cps_uri && object.len &&
+					qualifier == OID_POLICY_QUALIFIER_CPS &&
+					chunk_printable(object, NULL, 0))
+				{
+					policy->cps_uri = strndup(object.ptr, object.len);
+				}
+				break;
+			case CERT_POLICY_EXPLICIT_TEXT:
+				/* TODO */
+				break;
+			default:
+				break;
+		}
+	}
+	parser->destroy(parser);
+}
+
+/**
+ * ASN.1 definition of a policyMappings extension
+ */
+static const asn1Object_t policyMappingsObjects[] = {
+	{ 0, "policyMappings",			ASN1_SEQUENCE,	ASN1_LOOP			}, /*  0 */
+	{ 1,   "policyMapping",			ASN1_SEQUENCE,	ASN1_NONE			}, /*  1 */
+	{ 2,     "issuerPolicy",		ASN1_OID,		ASN1_BODY			}, /*  2 */
+	{ 2,     "subjectPolicy",		ASN1_OID,		ASN1_BODY			}, /*  3 */
+	{ 0, "end loop",				ASN1_EOC,		ASN1_END			}, /*  4 */
+	{ 0, "exit",					ASN1_EOC,		ASN1_EXIT			}
+};
+#define POLICY_MAPPING			1
+#define POLICY_MAPPING_ISSUER	2
+#define POLICY_MAPPING_SUBJECT	3
+
+/**
+ * Parse policyMappings
+ */
+static void parse_policyMappings(chunk_t blob, int level0,
+								 private_x509_cert_t *this)
+{
+	x509_policy_mapping_t *map = NULL;
+	asn1_parser_t *parser;
+	chunk_t object;
+	int objectID;
+
+	parser = asn1_parser_create(policyMappingsObjects, blob);
+	parser->set_top_level(parser, level0);
+
+	while (parser->iterate(parser, &objectID, &object))
+	{
+		switch (objectID)
+		{
+			case POLICY_MAPPING:
+				INIT(map);
+				this->policy_mappings->insert_last(this->policy_mappings, map);
+				break;
+			case POLICY_MAPPING_ISSUER:
+				if (map && !map->issuer.len)
+				{
+					map->issuer = chunk_clone(object);
+				}
+				break;
+			case POLICY_MAPPING_SUBJECT:
+				if (map && !map->subject.len)
+				{
+					map->subject = chunk_clone(object);
+				}
+				break;
+			default:
+				break;
+		}
+	}
+	parser->destroy(parser);
+}
+
+/**
+ * ASN.1 definition of a policyConstraints extension
+ */
+static const asn1Object_t policyConstraintsObjects[] = {
+	{ 0, "policyConstraints",		ASN1_SEQUENCE,		ASN1_NONE			}, /*  0 */
+	{ 1,   "requireExplicitPolicy",	ASN1_CONTEXT_C_0,	ASN1_OPT|ASN1_NONE	}, /*  1 */
+	{ 2,     "SkipCerts",			ASN1_INTEGER,		ASN1_BODY			}, /*  2 */
+	{ 1,   "end opt",				ASN1_EOC,			ASN1_END			}, /*  3 */
+	{ 1,   "inhibitPolicyMapping",	ASN1_CONTEXT_C_1,	ASN1_OPT|ASN1_NONE	}, /*  4 */
+	{ 2,     "SkipCerts",			ASN1_INTEGER,		ASN1_BODY			}, /*  5 */
+	{ 1,   "end opt",				ASN1_EOC,			ASN1_END			}, /*  6 */
+	{ 0, "exit",					ASN1_EOC,			ASN1_EXIT			}
+};
+#define POLICY_CONSTRAINT_EXPLICIT 2
+#define POLICY_CONSTRAINT_INHIBIT  5
+
+/**
+ * Parse policyConstraints
+ */
+static void parse_policyConstraints(chunk_t blob, int level0,
+									private_x509_cert_t *this)
+{
+	asn1_parser_t *parser;
+	chunk_t object;
+	int objectID;
+
+	parser = asn1_parser_create(policyConstraintsObjects, blob);
+	parser->set_top_level(parser, level0);
+
+	while (parser->iterate(parser, &objectID, &object))
+	{
+		switch (objectID)
+		{
+			case POLICY_CONSTRAINT_EXPLICIT:
+				this->require_explicit = parse_constraint(object);
+				break;
+			case POLICY_CONSTRAINT_INHIBIT:
+				this->inhibit_mapping = parse_constraint(object);
+				break;
+			default:
+				break;
 		}
 	}
 	parser->destroy(parser);
-	list->destroy(list);
 }
 
 /**
@@ -887,11 +1292,6 @@ static const asn1Object_t certObjects[] = {
 #define X509_OBJ_ALGORITHM						24
 #define X509_OBJ_SIGNATURE						25
 
-/**
- * forward declaration
- */
-static bool issued_by(private_x509_cert_t *this, certificate_t *issuer);
-
 /**
  * Parses an X.509v3 certificate
  */
@@ -992,7 +1392,8 @@ static bool parse_certificate(private_x509_cert_t *this)
 						parse_basicConstraints(object, level, this);
 						break;
 					case OID_CRL_DISTRIBUTION_POINTS:
-						parse_crlDistributionPoints(object, level, this);
+						x509_parse_crlDistributionPoints(object, level,
+														 this->crl_uris);
 						break;
 					case OID_AUTHORITY_KEY_ID:
 						this->authKeyIdentifier = x509_parse_authorityKeyIdentifier(object,
@@ -1002,7 +1403,7 @@ static bool parse_certificate(private_x509_cert_t *this)
 						parse_authorityInfoAccess(object, level, this);
 						break;
 					case OID_KEY_USAGE:
-						/* TODO parse the flags */
+						parse_keyUsage(object, this);
 						break;
 					case OID_EXTENDED_KEY_USAGE:
 						parse_extendedKeyUsage(object, level, this);
@@ -1010,6 +1411,26 @@ static bool parse_certificate(private_x509_cert_t *this)
 					case OID_IP_ADDR_BLOCKS:
 						parse_ipAddrBlocks(object, level, this);
 						break;
+					case OID_NAME_CONSTRAINTS:
+						parse_nameConstraints(object, level, this);
+						break;
+					case OID_CERTIFICATE_POLICIES:
+						parse_certificatePolicies(object, level, this);
+						break;
+					case OID_POLICY_MAPPINGS:
+						parse_policyMappings(object, level, this);
+						break;
+					case OID_POLICY_CONSTRAINTS:
+						parse_policyConstraints(object, level, this);
+						break;
+					case OID_INHIBIT_ANY_POLICY:
+						if (!asn1_parse_simple_object(&object, ASN1_INTEGER,
+													  level, "inhibitAnyPolicy"))
+						{
+							goto end;
+						}
+						this->inhibit_any = parse_constraint(object);
+						break;
 					case OID_NS_REVOCATION_URL:
 					case OID_NS_CA_REVOCATION_URL:
 					case OID_NS_CA_POLICY_URL:
@@ -1022,9 +1443,9 @@ static bool parse_certificate(private_x509_cert_t *this)
 						break;
 					default:
 						if (critical && lib->settings->get_bool(lib->settings,
-							"libstrongswan.plugins.x509.enforce_critical", FALSE))
+							"libstrongswan.x509.enforce_critical", TRUE))
 						{
-							DBG1(DBG_LIB, "critical %s extension not supported",
+							DBG1(DBG_LIB, "critical '%s' extension not supported",
 								 (extn_oid == OID_UNKNOWN) ? "unknown" :
 								 (char*)oid_names[extn_oid].name);
 							goto end;
@@ -1057,7 +1478,9 @@ end:
 		hasher_t *hasher;
 
 		/* check if the certificate is self-signed */
-		if (issued_by(this, &this->public.interface.interface))
+		if (this->public.interface.interface.issued_by(
+											&this->public.interface.interface,
+											&this->public.interface.interface))
 		{
 			this->flags |= X509_SELF_SIGNED;
 		}
@@ -1074,34 +1497,26 @@ end:
 	return success;
 }
 
-/**
- * Implementation of certificate_t.get_type
- */
-static certificate_type_t get_type(private_x509_cert_t *this)
+METHOD(certificate_t, get_type, certificate_type_t,
+	private_x509_cert_t *this)
 {
 	return CERT_X509;
 }
 
-/**
- * Implementation of certificate_t.get_subject
- */
-static identification_t* get_subject(private_x509_cert_t *this)
+METHOD(certificate_t, get_subject, identification_t*,
+	private_x509_cert_t *this)
 {
 	return this->subject;
 }
 
-/**
- * Implementation of certificate_t.get_issuer
- */
-static identification_t* get_issuer(private_x509_cert_t *this)
+METHOD(certificate_t, get_issuer, identification_t*,
+	private_x509_cert_t *this)
 {
 	return this->issuer;
 }
 
-/**
- * Implementation of certificate_t.has_subject.
- */
-static id_match_t has_subject(private_x509_cert_t *this, identification_t *subject)
+METHOD(certificate_t, has_subject, id_match_t,
+	private_x509_cert_t *this, identification_t *subject)
 {
 	identification_t *current;
 	enumerator_t *enumerator;
@@ -1142,19 +1557,15 @@ static id_match_t has_subject(private_x509_cert_t *this, identification_t *subje
 	return best;
 }
 
-/**
- * Implementation of certificate_t.has_issuer.
- */
-static id_match_t has_issuer(private_x509_cert_t *this, identification_t *issuer)
+METHOD(certificate_t, has_issuer, id_match_t,
+	private_x509_cert_t *this, identification_t *issuer)
 {
 	/* issuerAltNames currently not supported */
 	return this->issuer->matches(this->issuer, issuer);
 }
 
-/**
- * Implementation of certificate_t.issued_by.
- */
-static bool issued_by(private_x509_cert_t *this, certificate_t *issuer)
+METHOD(certificate_t, issued_by, bool,
+	private_x509_cert_t *this, certificate_t *issuer)
 {
 	public_key_t *key;
 	signature_scheme_t scheme;
@@ -1201,37 +1612,23 @@ static bool issued_by(private_x509_cert_t *this, certificate_t *issuer)
 	return valid;
 }
 
-/**
- * Implementation of certificate_t.get_public_key
- */
-static public_key_t* get_public_key(private_x509_cert_t *this)
+METHOD(certificate_t, get_public_key, public_key_t*,
+	private_x509_cert_t *this)
 {
 	this->public_key->get_ref(this->public_key);
 	return this->public_key;
 }
 
-/**
- * Implementation of certificate_t.get_ref
- */
-static private_x509_cert_t* get_ref(private_x509_cert_t *this)
+METHOD(certificate_t, get_ref, certificate_t*,
+	private_x509_cert_t *this)
 {
 	ref_get(&this->ref);
-	return this;
+	return &this->public.interface.interface;
 }
 
-/**
- * Implementation of x509_cert_t.get_flags.
- */
-static x509_flag_t get_flags(private_x509_cert_t *this)
-{
-	return this->flags;
-}
-
-/**
- * Implementation of x509_cert_t.get_validity.
- */
-static bool get_validity(private_x509_cert_t *this, time_t *when,
-						 time_t *not_before, time_t *not_after)
+METHOD(certificate_t, get_validity, bool,
+	private_x509_cert_t *this, time_t *when, time_t *not_before,
+	time_t *not_after)
 {
 	time_t t = when ? *when : time(NULL);
 
@@ -1246,11 +1643,8 @@ static bool get_validity(private_x509_cert_t *this, time_t *when,
 	return (t >= this->notBefore && t <= this->notAfter);
 }
 
-/**
- * Implementation of certificate_t.get_encoding.
- */
-static bool get_encoding(private_x509_cert_t *this, cred_encoding_type_t type,
-						 chunk_t *encoding)
+METHOD(certificate_t, get_encoding, bool,
+	private_x509_cert_t *this, cred_encoding_type_t type, chunk_t *encoding)
 {
 	if (type == CERT_ASN1_DER)
 	{
@@ -1261,10 +1655,8 @@ static bool get_encoding(private_x509_cert_t *this, cred_encoding_type_t type,
 						CRED_PART_X509_ASN1_DER, this->encoding, CRED_PART_END);
 }
 
-/**
- * Implementation of certificate_t.equals.
- */
-static bool equals(private_x509_cert_t *this, certificate_t *other)
+METHOD(certificate_t, equals, bool,
+	private_x509_cert_t *this, certificate_t *other)
 {
 	chunk_t encoding;
 	bool equal;
@@ -1290,18 +1682,20 @@ static bool equals(private_x509_cert_t *this, certificate_t *other)
 	return equal;
 }
 
-/**
- * Implementation of x509_t.get_serial.
- */
-static chunk_t get_serial(private_x509_cert_t *this)
+METHOD(x509_t, get_flags, x509_flag_t,
+	private_x509_cert_t *this)
+{
+	return this->flags;
+}
+
+METHOD(x509_t, get_serial, chunk_t,
+	private_x509_cert_t *this)
 {
 	return this->serialNumber;
 }
 
-/**
- * Implementation of x509_t.get_subjectKeyIdentifier.
- */
-static chunk_t get_subjectKeyIdentifier(private_x509_cert_t *this)
+METHOD(x509_t, get_subjectKeyIdentifier, chunk_t,
+	private_x509_cert_t *this)
 {
 	if (this->subjectKeyIdentifier.ptr)
 	{
@@ -1323,66 +1717,95 @@ static chunk_t get_subjectKeyIdentifier(private_x509_cert_t *this)
 	}
 }
 
-/**
- * Implementation of x509_t.get_authKeyIdentifier.
- */
-static chunk_t get_authKeyIdentifier(private_x509_cert_t *this)
+METHOD(x509_t, get_authKeyIdentifier, chunk_t,
+	private_x509_cert_t *this)
 {
 	return this->authKeyIdentifier;
 }
 
-/**
- * Implementation of x509_t.get_pathLenConstraint.
- */
-static int get_pathLenConstraint(private_x509_cert_t *this)
+METHOD(x509_t, get_constraint, u_int,
+	private_x509_cert_t *this, x509_constraint_t type)
 {
-	return this->pathLenConstraint;
+	switch (type)
+	{
+		case X509_PATH_LEN:
+			return this->pathLenConstraint;
+		case X509_REQUIRE_EXPLICIT_POLICY:
+			return this->require_explicit;
+		case X509_INHIBIT_POLICY_MAPPING:
+			return this->inhibit_mapping;
+		case X509_INHIBIT_ANY_POLICY:
+			return this->inhibit_any;
+		default:
+			return X509_NO_CONSTRAINT;
+	}
 }
 
-/**
- * Implementation of x509_cert_t.create_subjectAltName_enumerator.
- */
-static enumerator_t* create_subjectAltName_enumerator(private_x509_cert_t *this)
+METHOD(x509_t, create_subjectAltName_enumerator, enumerator_t*,
+	private_x509_cert_t *this)
 {
 	return this->subjectAltNames->create_enumerator(this->subjectAltNames);
 }
 
-/**
- * Implementation of x509_cert_t.create_ocsp_uri_enumerator.
- */
-static enumerator_t* create_ocsp_uri_enumerator(private_x509_cert_t *this)
+METHOD(x509_t, create_ocsp_uri_enumerator, enumerator_t*,
+	private_x509_cert_t *this)
 {
 	return this->ocsp_uris->create_enumerator(this->ocsp_uris);
 }
 
-/**
- * Implementation of x509_cert_t.create_crl_uri_enumerator.
- */
-static enumerator_t* create_crl_uri_enumerator(private_x509_cert_t *this)
+METHOD(x509_t, create_crl_uri_enumerator, enumerator_t*,
+	private_x509_cert_t *this)
 {
 	return this->crl_uris->create_enumerator(this->crl_uris);
 }
 
-/**
- * Implementation of x509_cert_t.create_ipAddrBlock_enumerator.
- */
-static enumerator_t* create_ipAddrBlock_enumerator(private_x509_cert_t *this)
+METHOD(x509_t, create_ipAddrBlock_enumerator, enumerator_t*,
+	private_x509_cert_t *this)
 {
 	return this->ipAddrBlocks->create_enumerator(this->ipAddrBlocks);
 }
 
-/**
- * Implementation of certificate_t.destroy.
- */
-static void destroy(private_x509_cert_t *this)
+METHOD(x509_t, create_name_constraint_enumerator, enumerator_t*,
+	private_x509_cert_t *this, bool perm)
+{
+	if (perm)
+	{
+		return this->permitted_names->create_enumerator(this->permitted_names);
+	}
+	return this->excluded_names->create_enumerator(this->excluded_names);
+}
+
+METHOD(x509_t, create_cert_policy_enumerator, enumerator_t*,
+	private_x509_cert_t *this)
+{
+	return this->cert_policies->create_enumerator(this->cert_policies);
+}
+
+METHOD(x509_t, create_policy_mapping_enumerator, enumerator_t*,
+	private_x509_cert_t *this)
+{
+	return this->policy_mappings->create_enumerator(this->policy_mappings);
+}
+
+METHOD(certificate_t, destroy, void,
+	private_x509_cert_t *this)
 {
 	if (ref_put(&this->ref))
 	{
 		this->subjectAltNames->destroy_offset(this->subjectAltNames,
 									offsetof(identification_t, destroy));
-		this->crl_uris->destroy_function(this->crl_uris, free);
+		this->crl_uris->destroy_function(this->crl_uris, (void*)crl_uri_destroy);
 		this->ocsp_uris->destroy_function(this->ocsp_uris, free);
-		this->ipAddrBlocks->destroy_offset(this->ipAddrBlocks, offsetof(traffic_selector_t, destroy));
+		this->ipAddrBlocks->destroy_offset(this->ipAddrBlocks,
+										offsetof(traffic_selector_t, destroy));
+		this->permitted_names->destroy_offset(this->permitted_names,
+										offsetof(identification_t, destroy));
+		this->excluded_names->destroy_offset(this->excluded_names,
+										offsetof(identification_t, destroy));
+		this->cert_policies->destroy_function(this->cert_policies,
+											  (void*)cert_policy_destroy);
+		this->policy_mappings->destroy_function(this->policy_mappings,
+											  (void*)policy_mapping_destroy);
 		DESTROY_IF(this->issuer);
 		DESTROY_IF(this->subject);
 		DESTROY_IF(this->public_key);
@@ -1404,63 +1827,93 @@ static void destroy(private_x509_cert_t *this)
  */
 static private_x509_cert_t* create_empty(void)
 {
-	private_x509_cert_t *this = malloc_thing(private_x509_cert_t);
-
-	this->public.interface.interface.get_type = (certificate_type_t (*) (certificate_t*))get_type;
-	this->public.interface.interface.get_subject = (identification_t* (*) (certificate_t*))get_subject;
-	this->public.interface.interface.get_issuer = (identification_t* (*) (certificate_t*))get_issuer;
-	this->public.interface.interface.has_subject = (id_match_t (*) (certificate_t*, identification_t*))has_subject;
-	this->public.interface.interface.has_issuer = (id_match_t (*) (certificate_t*, identification_t*))has_issuer;
-	this->public.interface.interface.issued_by = (bool (*) (certificate_t*, certificate_t*))issued_by;
-	this->public.interface.interface.get_public_key = (public_key_t* (*) (certificate_t*))get_public_key;
-	this->public.interface.interface.get_validity = (bool (*) (certificate_t*, time_t*, time_t*, time_t*))get_validity;
-	this->public.interface.interface.get_encoding = (bool (*) (certificate_t*,cred_encoding_type_t,chunk_t*))get_encoding;
-	this->public.interface.interface.equals = (bool (*)(certificate_t*, certificate_t*))equals;
-	this->public.interface.interface.get_ref = (certificate_t* (*)(certificate_t*))get_ref;
-	this->public.interface.interface.destroy = (void (*)(certificate_t*))destroy;
-	this->public.interface.get_flags = (x509_flag_t (*)(x509_t*))get_flags;
-	this->public.interface.get_serial = (chunk_t (*)(x509_t*))get_serial;
-	this->public.interface.get_subjectKeyIdentifier = (chunk_t (*)(x509_t*))get_subjectKeyIdentifier;
-	this->public.interface.get_authKeyIdentifier = (chunk_t (*)(x509_t*))get_authKeyIdentifier;
-	this->public.interface.get_pathLenConstraint = (int (*)(x509_t*))get_pathLenConstraint;
-	this->public.interface.create_subjectAltName_enumerator = (enumerator_t* (*)(x509_t*))create_subjectAltName_enumerator;
-	this->public.interface.create_crl_uri_enumerator = (enumerator_t* (*)(x509_t*))create_crl_uri_enumerator;
-	this->public.interface.create_ocsp_uri_enumerator = (enumerator_t* (*)(x509_t*))create_ocsp_uri_enumerator;
-	this->public.interface.create_ipAddrBlock_enumerator = (enumerator_t* (*)(x509_t*))create_ipAddrBlock_enumerator;
-
-	this->encoding = chunk_empty;
-	this->encoding_hash = chunk_empty;
-	this->tbsCertificate = chunk_empty;
-	this->version = 1;
-	this->serialNumber = chunk_empty;
-	this->notBefore = 0;
-	this->notAfter = 0;
-	this->public_key = NULL;
-	this->subject = NULL;
-	this->issuer = NULL;
-	this->subjectAltNames = linked_list_create();
-	this->crl_uris = linked_list_create();
-	this->ocsp_uris = linked_list_create();
-	this->ipAddrBlocks = linked_list_create();
-	this->subjectKeyIdentifier = chunk_empty;
-	this->authKeyIdentifier = chunk_empty;
-	this->authKeySerialNumber = chunk_empty;
-	this->pathLenConstraint = X509_NO_PATH_LEN_CONSTRAINT;
-	this->algorithm = 0;
-	this->signature = chunk_empty;
-	this->flags = 0;
-	this->ref = 1;
-	this->parsed = FALSE;
-
+	private_x509_cert_t *this;
+
+	INIT(this,
+		.public = {
+			.interface = {
+				.interface = {
+					.get_type = _get_type,
+					.get_subject = _get_subject,
+					.get_issuer = _get_issuer,
+					.has_subject = _has_subject,
+					.has_issuer = _has_issuer,
+					.issued_by = _issued_by,
+					.get_public_key = _get_public_key,
+					.get_validity = _get_validity,
+					.get_encoding = _get_encoding,
+					.equals = _equals,
+					.get_ref = _get_ref,
+					.destroy = _destroy,
+				},
+				.get_flags = _get_flags,
+				.get_serial = _get_serial,
+				.get_subjectKeyIdentifier = _get_subjectKeyIdentifier,
+				.get_authKeyIdentifier = _get_authKeyIdentifier,
+				.get_constraint = _get_constraint,
+				.create_subjectAltName_enumerator = _create_subjectAltName_enumerator,
+				.create_crl_uri_enumerator = _create_crl_uri_enumerator,
+				.create_ocsp_uri_enumerator = _create_ocsp_uri_enumerator,
+				.create_ipAddrBlock_enumerator = _create_ipAddrBlock_enumerator,
+				.create_name_constraint_enumerator = _create_name_constraint_enumerator,
+				.create_cert_policy_enumerator = _create_cert_policy_enumerator,
+				.create_policy_mapping_enumerator = _create_policy_mapping_enumerator,
+			},
+		},
+		.version = 1,
+		.subjectAltNames = linked_list_create(),
+		.crl_uris = linked_list_create(),
+		.ocsp_uris = linked_list_create(),
+		.ipAddrBlocks = linked_list_create(),
+		.permitted_names = linked_list_create(),
+		.excluded_names = linked_list_create(),
+		.cert_policies = linked_list_create(),
+		.policy_mappings = linked_list_create(),
+		.pathLenConstraint = X509_NO_CONSTRAINT,
+		.require_explicit = X509_NO_CONSTRAINT,
+		.inhibit_mapping = X509_NO_CONSTRAINT,
+		.inhibit_any = X509_NO_CONSTRAINT,
+		.ref = 1,
+	);
 	return this;
 }
 
+/**
+ * Build a generalName from an id
+ */
+chunk_t build_generalName(identification_t *id)
+{
+	int context;
+
+	switch (id->get_type(id))
+	{
+		case ID_RFC822_ADDR:
+			context = ASN1_CONTEXT_S_1;
+			break;
+		case ID_FQDN:
+			context = ASN1_CONTEXT_S_2;
+			break;
+		case ID_DER_ASN1_DN:
+			context = ASN1_CONTEXT_C_4;
+			break;
+		case ID_IPV4_ADDR:
+		case ID_IPV6_ADDR:
+			context = ASN1_CONTEXT_S_7;
+			break;
+		default:
+			DBG1(DBG_LIB, "encoding %N as generalName not supported",
+				 id_type_names, id->get_type(id));
+			return chunk_empty;
+	}
+	return asn1_wrap(context, "c", id->get_encoding(id));
+}
+
 /**
  * Encode a linked list of subjectAltNames
  */
 chunk_t x509_build_subjectAltNames(linked_list_t *list)
 {
-	chunk_t subjectAltNames = chunk_empty;
+	chunk_t subjectAltNames = chunk_empty, name;
 	enumerator_t *enumerator;
 	identification_t *id;
 
@@ -1472,29 +1925,7 @@ chunk_t x509_build_subjectAltNames(linked_list_t *list)
 	enumerator = list->create_enumerator(list);
 	while (enumerator->enumerate(enumerator, &id))
 	{
-		int context;
-		chunk_t name;
-
-		switch (id->get_type(id))
-		{
-			case ID_RFC822_ADDR:
-				context = ASN1_CONTEXT_S_1;
-				break;
-			case ID_FQDN:
-				context = ASN1_CONTEXT_S_2;
-				break;
-			case ID_IPV4_ADDR:
-			case ID_IPV6_ADDR:
-				context = ASN1_CONTEXT_S_7;
-				break;
-			default:
-				DBG1(DBG_LIB, "encoding %N as subjectAltName not supported",
-					 id_type_names, id->get_type(id));
-				enumerator->destroy(enumerator);
-				free(subjectAltNames.ptr);
-				return chunk_empty;
-		}
-		name = asn1_wrap(context, "c", id->get_encoding(id));
+		name = build_generalName(id);
 		subjectAltNames = chunk_cat("mm", subjectAltNames, name);
 	}
 	enumerator->destroy(enumerator);
@@ -1507,6 +1938,47 @@ chunk_t x509_build_subjectAltNames(linked_list_t *list)
 					 );
 }
 
+/**
+ * Encode CRL distribution points extension from a x509_cdp_t list
+ */
+chunk_t x509_build_crlDistributionPoints(linked_list_t *list, int extn)
+{
+	chunk_t crlDistributionPoints = chunk_empty;
+	enumerator_t *enumerator;
+	x509_cdp_t *cdp;
+
+	if (list->get_count(list) == 0)
+	{
+		return chunk_empty;
+	}
+
+	enumerator = list->create_enumerator(list);
+	while (enumerator->enumerate(enumerator, &cdp))
+	{
+		chunk_t distributionPoint, crlIssuer = chunk_empty;
+
+		if (cdp->issuer)
+		{
+			crlIssuer = asn1_wrap(ASN1_CONTEXT_C_2, "m",
+							build_generalName(cdp->issuer));
+		}
+		distributionPoint = asn1_wrap(ASN1_SEQUENCE, "mm",
+					asn1_wrap(ASN1_CONTEXT_C_0, "m",
+						asn1_wrap(ASN1_CONTEXT_C_0, "m",
+							asn1_wrap(ASN1_CONTEXT_S_6, "c",
+								chunk_create(cdp->uri, strlen(cdp->uri))))),
+					crlIssuer);
+		crlDistributionPoints = chunk_cat("mm", crlDistributionPoints,
+										  distributionPoint);
+	}
+	enumerator->destroy(enumerator);
+
+	return asn1_wrap(ASN1_SEQUENCE, "mm",
+				asn1_build_known_oid(extn),
+				asn1_wrap(ASN1_OCTET_STRING, "m",
+					asn1_wrap(ASN1_SEQUENCE, "m", crlDistributionPoints)));
+}
+
 /**
  * Generate and sign a new certificate
  */
@@ -1515,12 +1987,13 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
 {
 	chunk_t extensions = chunk_empty, extendedKeyUsage = chunk_empty;
 	chunk_t serverAuth = chunk_empty, clientAuth = chunk_empty;
-	chunk_t ocspSigning = chunk_empty;
-	chunk_t basicConstraints = chunk_empty;
-	chunk_t keyUsage = chunk_empty;
-	chunk_t subjectAltNames = chunk_empty;
+	chunk_t ocspSigning = chunk_empty, certPolicies = chunk_empty;
+	chunk_t basicConstraints = chunk_empty, nameConstraints = chunk_empty;
+	chunk_t keyUsage = chunk_empty, keyUsageBits = chunk_empty;
+	chunk_t subjectAltNames = chunk_empty, policyMappings = chunk_empty;
 	chunk_t subjectKeyIdentifier = chunk_empty, authKeyIdentifier = chunk_empty;
 	chunk_t crlDistributionPoints = chunk_empty, authorityInfoAccess = chunk_empty;
+	chunk_t policyConstraints = chunk_empty, inhibitAnyPolicy = chunk_empty;
 	identification_t *issuer, *subject;
 	chunk_t key_info;
 	signature_scheme_t scheme;
@@ -1574,29 +2047,8 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
 	/* encode subjectAltNames */
 	subjectAltNames = x509_build_subjectAltNames(cert->subjectAltNames);
 
-	/* encode CRL distribution points extension */
-	enumerator = cert->crl_uris->create_enumerator(cert->crl_uris);
-	while (enumerator->enumerate(enumerator, &uri))
-	{
-		chunk_t distributionPoint;
-
-		distributionPoint = asn1_wrap(ASN1_SEQUENCE, "m",
-								asn1_wrap(ASN1_CONTEXT_C_0, "m",
-									asn1_wrap(ASN1_CONTEXT_C_0, "m",
-										asn1_wrap(ASN1_CONTEXT_S_6, "c",
-											chunk_create(uri, strlen(uri))))));
-
-		crlDistributionPoints = chunk_cat("mm", crlDistributionPoints,
-										  distributionPoint);
-	}
-	enumerator->destroy(enumerator);
-	if (crlDistributionPoints.ptr)
-	{
-		crlDistributionPoints = asn1_wrap(ASN1_SEQUENCE, "mm",
-					asn1_build_known_oid(OID_CRL_DISTRIBUTION_POINTS),
-					asn1_wrap(ASN1_OCTET_STRING, "m",
-						asn1_wrap(ASN1_SEQUENCE, "m", crlDistributionPoints)));
-	}
+	crlDistributionPoints = x509_build_crlDistributionPoints(cert->crl_uris,
+												OID_CRL_DISTRIBUTION_POINTS);
 
 	/* encode OCSP URIs in authorityInfoAccess extension */
 	enumerator = cert->ocsp_uris->create_enumerator(cert->ocsp_uris);
@@ -1625,11 +2077,10 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
 	{
 		chunk_t pathLenConstraint = chunk_empty;
 
-		if (cert->pathLenConstraint != X509_NO_PATH_LEN_CONSTRAINT)
+		if (cert->pathLenConstraint != X509_NO_CONSTRAINT)
 		{
-			char pathlen = (char)cert->pathLenConstraint;
-
-			pathLenConstraint = asn1_integer("c", chunk_from_thing(pathlen));
+			pathLenConstraint = asn1_integer("c",
+									chunk_from_thing(cert->pathLenConstraint));
 		}
 		basicConstraints = asn1_wrap(ASN1_SEQUENCE, "mmm",
 								asn1_build_known_oid(OID_BASIC_CONSTRAINTS),
@@ -1640,13 +2091,20 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
 											asn1_wrap(ASN1_BOOLEAN, "c",
 												chunk_from_chars(0xFF)),
 											pathLenConstraint)));
+		/* set CertificateSign and implicitly CRLsign */
+		keyUsageBits = chunk_from_chars(0x01, 0x06);
+	}
+	else if (cert->flags & X509_CRL_SIGN)
+	{
+		keyUsageBits = chunk_from_chars(0x01, 0x02);
+	}
+	if (keyUsageBits.len)
+	{
 		keyUsage = asn1_wrap(ASN1_SEQUENCE, "mmm",
-								asn1_build_known_oid(OID_KEY_USAGE),
-								asn1_wrap(ASN1_BOOLEAN, "c",
-									chunk_from_chars(0xFF)),
-								asn1_wrap(ASN1_OCTET_STRING, "m",
-										asn1_wrap(ASN1_BIT_STRING, "c",
-												chunk_from_chars(0x01, 0x06))));
+						asn1_build_known_oid(OID_KEY_USAGE),
+						asn1_wrap(ASN1_BOOLEAN, "c", chunk_from_chars(0xFF)),
+						asn1_wrap(ASN1_OCTET_STRING, "m",
+							asn1_wrap(ASN1_BIT_STRING, "c", keyUsageBits)));
 	}
 
 	/* add serverAuth extendedKeyUsage flag */
@@ -1675,7 +2133,7 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
 	}
 
 	/* add subjectKeyIdentifier to CA and OCSP signer certificates */
-	if (cert->flags & (X509_CA | X509_OCSP_SIGNER))
+	if (cert->flags & (X509_CA | X509_OCSP_SIGNER | X509_CRL_SIGN))
 	{
 		chunk_t keyid;
 
@@ -1703,15 +2161,153 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
 									asn1_wrap(ASN1_CONTEXT_S_0, "c", keyid))));
 		}
 	}
+
+	if (cert->permitted_names->get_count(cert->permitted_names) ||
+		cert->excluded_names->get_count(cert->excluded_names))
+	{
+		chunk_t permitted = chunk_empty, excluded = chunk_empty, subtree;
+		identification_t *id;
+
+		enumerator = create_name_constraint_enumerator(cert, TRUE);
+		while (enumerator->enumerate(enumerator, &id))
+		{
+			subtree = asn1_wrap(ASN1_SEQUENCE, "m", build_generalName(id));
+			permitted = chunk_cat("mm", permitted, subtree);
+		}
+		enumerator->destroy(enumerator);
+		if (permitted.ptr)
+		{
+			permitted = asn1_wrap(ASN1_CONTEXT_C_0, "m", permitted);
+		}
+
+		enumerator = create_name_constraint_enumerator(cert, FALSE);
+		while (enumerator->enumerate(enumerator, &id))
+		{
+			subtree = asn1_wrap(ASN1_SEQUENCE, "m", build_generalName(id));
+			excluded = chunk_cat("mm", excluded, subtree);
+		}
+		enumerator->destroy(enumerator);
+		if (excluded.ptr)
+		{
+			excluded = asn1_wrap(ASN1_CONTEXT_C_1, "m", excluded);
+		}
+
+		nameConstraints = asn1_wrap(ASN1_SEQUENCE, "mm",
+							asn1_build_known_oid(OID_NAME_CONSTRAINTS),
+							asn1_wrap(ASN1_OCTET_STRING, "m",
+								asn1_wrap(ASN1_SEQUENCE, "mm",
+									permitted, excluded)));
+	}
+
+	if (cert->cert_policies->get_count(cert->cert_policies))
+	{
+		x509_cert_policy_t *policy;
+
+		enumerator = create_cert_policy_enumerator(cert);
+		while (enumerator->enumerate(enumerator, &policy))
+		{
+			chunk_t chunk = chunk_empty, cps = chunk_empty, notice = chunk_empty;
+
+			if (policy->cps_uri)
+			{
+				cps = asn1_wrap(ASN1_SEQUENCE, "mm",
+						asn1_build_known_oid(OID_POLICY_QUALIFIER_CPS),
+						asn1_wrap(ASN1_IA5STRING, "c",
+							chunk_create(policy->cps_uri,
+										 strlen(policy->cps_uri))));
+			}
+			if (policy->unotice_text)
+			{
+				notice = asn1_wrap(ASN1_SEQUENCE, "mm",
+							asn1_build_known_oid(OID_POLICY_QUALIFIER_UNOTICE),
+							asn1_wrap(ASN1_SEQUENCE, "m",
+								asn1_wrap(ASN1_VISIBLESTRING, "c",
+									chunk_create(policy->unotice_text,
+										strlen(policy->unotice_text)))));
+			}
+			if (cps.len || notice.len)
+			{
+				chunk = asn1_wrap(ASN1_SEQUENCE, "mm", cps, notice);
+			}
+			chunk = asn1_wrap(ASN1_SEQUENCE, "mm",
+						asn1_wrap(ASN1_OID, "c", policy->oid), chunk);
+			certPolicies = chunk_cat("mm", certPolicies, chunk);
+		}
+		enumerator->destroy(enumerator);
+
+		certPolicies = asn1_wrap(ASN1_SEQUENCE, "mm",
+							asn1_build_known_oid(OID_CERTIFICATE_POLICIES),
+							asn1_wrap(ASN1_OCTET_STRING, "m",
+								asn1_wrap(ASN1_SEQUENCE, "m", certPolicies)));
+	}
+
+	if (cert->policy_mappings->get_count(cert->policy_mappings))
+	{
+		x509_policy_mapping_t *mapping;
+
+		enumerator = create_policy_mapping_enumerator(cert);
+		while (enumerator->enumerate(enumerator, &mapping))
+		{
+			chunk_t chunk;
+
+			chunk = asn1_wrap(ASN1_SEQUENCE, "mm",
+						asn1_wrap(ASN1_OID, "c", mapping->issuer),
+						asn1_wrap(ASN1_OID, "c", mapping->subject));
+			policyMappings = chunk_cat("mm", policyMappings, chunk);
+		}
+		enumerator->destroy(enumerator);
+
+		policyMappings = asn1_wrap(ASN1_SEQUENCE, "mm",
+							asn1_build_known_oid(OID_POLICY_MAPPINGS),
+							asn1_wrap(ASN1_OCTET_STRING, "m",
+								asn1_wrap(ASN1_SEQUENCE, "m", policyMappings)));
+	}
+
+	if (cert->inhibit_mapping != X509_NO_CONSTRAINT ||
+		cert->require_explicit != X509_NO_CONSTRAINT)
+	{
+		chunk_t inhibit = chunk_empty, explicit = chunk_empty;
+
+		if (cert->require_explicit != X509_NO_CONSTRAINT)
+		{
+			explicit = asn1_wrap(ASN1_CONTEXT_C_0, "m",
+						asn1_integer("c",
+							chunk_from_thing(cert->require_explicit)));
+		}
+		if (cert->inhibit_mapping != X509_NO_CONSTRAINT)
+		{
+			inhibit = asn1_wrap(ASN1_CONTEXT_C_1, "m",
+						asn1_integer("c",
+							chunk_from_thing(cert->inhibit_mapping)));
+		}
+		policyConstraints = asn1_wrap(ASN1_SEQUENCE, "mmm",
+						asn1_build_known_oid(OID_POLICY_CONSTRAINTS),
+						asn1_wrap(ASN1_BOOLEAN, "c", chunk_from_chars(0xFF)),
+						asn1_wrap(ASN1_OCTET_STRING, "m",
+							asn1_wrap(ASN1_SEQUENCE, "mm",
+								explicit, inhibit)));
+	}
+
+	if (cert->inhibit_any != X509_NO_CONSTRAINT)
+	{
+		inhibitAnyPolicy = asn1_wrap(ASN1_SEQUENCE, "mmm",
+				asn1_build_known_oid(OID_INHIBIT_ANY_POLICY),
+				asn1_wrap(ASN1_BOOLEAN, "c", chunk_from_chars(0xFF)),
+				asn1_wrap(ASN1_OCTET_STRING, "m",
+					asn1_integer("c",
+						chunk_from_thing(cert->inhibit_any))));
+	}
+
 	if (basicConstraints.ptr || subjectAltNames.ptr || authKeyIdentifier.ptr ||
-		crlDistributionPoints.ptr)
+		crlDistributionPoints.ptr || nameConstraints.ptr)
 	{
 		extensions = asn1_wrap(ASN1_CONTEXT_C_3, "m",
-						asn1_wrap(ASN1_SEQUENCE, "mmmmmmmm",
+						asn1_wrap(ASN1_SEQUENCE, "mmmmmmmmmmmmm",
 							basicConstraints, keyUsage, subjectKeyIdentifier,
 							authKeyIdentifier, subjectAltNames,
 							extendedKeyUsage, crlDistributionPoints,
-							authorityInfoAccess));
+							authorityInfoAccess, nameConstraints, certPolicies,
+							policyMappings, policyConstraints, inhibitAnyPolicy));
 	}
 
 	cert->tbsCertificate = asn1_wrap(ASN1_SEQUENCE, "mmmcmcmm",
@@ -1794,6 +2390,7 @@ x509_cert_t *x509_cert_gen(certificate_type_t type, va_list args)
 	certificate_t *sign_cert = NULL;
 	private_key_t *sign_key = NULL;
 	hash_algorithm_t digest_alg = HASH_SHA1;
+	u_int constraint;
 
 	cert = create_empty();
 	while (TRUE)
@@ -1837,13 +2434,17 @@ x509_cert_t *x509_cert_gen(certificate_type_t type, va_list args)
 			{
 				enumerator_t *enumerator;
 				linked_list_t *list;
-				char *uri;
+				x509_cdp_t *in, *cdp;
 
 				list = va_arg(args, linked_list_t*);
 				enumerator = list->create_enumerator(list);
-				while (enumerator->enumerate(enumerator, &uri))
+				while (enumerator->enumerate(enumerator, &in))
 				{
-					cert->crl_uris->insert_last(cert->crl_uris, strdup(uri));
+					INIT(cdp,
+						.uri = strdup(in->uri),
+						.issuer = in->issuer ? in->issuer->clone(in->issuer) : NULL,
+					);
+					cert->crl_uris->insert_last(cert->crl_uris, cdp);
 				}
 				enumerator->destroy(enumerator);
 				continue;
@@ -1864,11 +2465,96 @@ x509_cert_t *x509_cert_gen(certificate_type_t type, va_list args)
 				continue;
 			}
 			case BUILD_PATHLEN:
-				cert->pathLenConstraint = va_arg(args, int);
-				if (cert->pathLenConstraint < 0 || cert->pathLenConstraint > 127)
+				constraint = va_arg(args, u_int);
+				cert->pathLenConstraint = (constraint < 128) ?
+										   constraint : X509_NO_CONSTRAINT;
+				continue;
+			case BUILD_PERMITTED_NAME_CONSTRAINTS:
+			{
+				enumerator_t *enumerator;
+				linked_list_t *list;
+				identification_t *constraint;
+
+				list = va_arg(args, linked_list_t*);
+				enumerator = list->create_enumerator(list);
+				while (enumerator->enumerate(enumerator, &constraint))
+				{
+					cert->permitted_names->insert_last(cert->permitted_names,
+												constraint->clone(constraint));
+				}
+				enumerator->destroy(enumerator);
+				continue;
+			}
+			case BUILD_EXCLUDED_NAME_CONSTRAINTS:
+			{
+				enumerator_t *enumerator;
+				linked_list_t *list;
+				identification_t *constraint;
+
+				list = va_arg(args, linked_list_t*);
+				enumerator = list->create_enumerator(list);
+				while (enumerator->enumerate(enumerator, &constraint))
+				{
+					cert->excluded_names->insert_last(cert->excluded_names,
+												constraint->clone(constraint));
+				}
+				enumerator->destroy(enumerator);
+				continue;
+			}
+			case BUILD_CERTIFICATE_POLICIES:
+			{
+				enumerator_t *enumerator;
+				linked_list_t *list;
+				x509_cert_policy_t *policy, *in;
+
+				list = va_arg(args, linked_list_t*);
+				enumerator = list->create_enumerator(list);
+				while (enumerator->enumerate(enumerator, &in))
+				{
+					INIT(policy,
+						.oid = chunk_clone(in->oid),
+						.cps_uri = strdupnull(in->cps_uri),
+						.unotice_text = strdupnull(in->unotice_text),
+					);
+					cert->cert_policies->insert_last(cert->cert_policies, policy);
+				}
+				enumerator->destroy(enumerator);
+				continue;
+			}
+			case BUILD_POLICY_MAPPINGS:
+			{
+				enumerator_t *enumerator;
+				linked_list_t *list;
+				x509_policy_mapping_t* mapping, *in;
+
+				list = va_arg(args, linked_list_t*);
+				enumerator = list->create_enumerator(list);
+				while (enumerator->enumerate(enumerator, &in))
 				{
-					cert->pathLenConstraint = X509_NO_PATH_LEN_CONSTRAINT;
+					INIT(mapping,
+						.issuer = chunk_clone(in->issuer),
+						.subject = chunk_clone(in->subject),
+					);
+					cert->policy_mappings->insert_last(cert->policy_mappings,
+													   mapping);
 				}
+				enumerator->destroy(enumerator);
+				continue;
+			}
+			case BUILD_POLICY_REQUIRE_EXPLICIT:
+				constraint = va_arg(args, u_int);
+				cert->require_explicit = (constraint < 128) ?
+										  constraint : X509_NO_CONSTRAINT;
+				continue;
+			case BUILD_POLICY_INHIBIT_MAPPING:
+				constraint = va_arg(args, u_int);
+				cert->inhibit_mapping = (constraint < 128) ?
+										 constraint : X509_NO_CONSTRAINT;
+				continue;
+			case BUILD_POLICY_INHIBIT_ANY:
+				constraint = va_arg(args, u_int);
+				cert->inhibit_any = (constraint < 128) ?
+									 constraint : X509_NO_CONSTRAINT;
 				continue;
 			case BUILD_NOT_BEFORE_TIME:
 				cert->notBefore = va_arg(args, time_t);
diff --git a/src/libstrongswan/plugins/x509/x509_crl.c b/src/libstrongswan/plugins/x509/x509_crl.c
index 4bd0470d3..758505ab5 100644
--- a/src/libstrongswan/plugins/x509/x509_crl.c
+++ b/src/libstrongswan/plugins/x509/x509_crl.c
@@ -99,6 +99,11 @@ struct private_x509_crl_t {
 	 */
 	linked_list_t *revoked;
 
+	/**
+	 * List of Freshest CRL distribution points
+	 */
+	linked_list_t *crl_uris;
+
 	/**
 	 * Authority Key Identifier
 	 */
@@ -109,6 +114,11 @@ struct private_x509_crl_t {
 	 */
 	chunk_t authKeySerialNumber;
 
+	/**
+	 * Number of BaseCRL, if a delta CRL
+	 */
+	chunk_t baseCrlNumber;
+
 	/**
 	 * Signature algorithm
 	 */
@@ -133,9 +143,19 @@ struct private_x509_crl_t {
 /**
  * from x509_cert
  */
-extern chunk_t x509_parse_authorityKeyIdentifier(
-								chunk_t blob, int level0,
-								chunk_t *authKeySerialNumber);
+extern chunk_t x509_parse_authorityKeyIdentifier(chunk_t blob, int level0,
+												 chunk_t *authKeySerialNumber);
+
+/**
+ * from x509_cert
+ */
+extern void x509_parse_crlDistributionPoints(chunk_t blob, int level0,
+											 linked_list_t *list);
+
+/**
+ * from x509_cert
+ */
+extern chunk_t x509_build_crlDistributionPoints(linked_list_t *list, int extn);
 
 /**
   * ASN.1 definition of an X.509 certificate revocation list
@@ -206,7 +226,7 @@ static bool parse(private_x509_crl_t *this)
 	int objectID;
 	int sig_alg = OID_UNKNOWN;
 	bool success = FALSE;
-	bool critical;
+	bool critical = FALSE;
 	revoked_t *revoked = NULL;
 
 	parser = asn1_parser_create(crlObjects, this->encoding);
@@ -258,35 +278,61 @@ static bool parse(private_x509_crl_t *this)
 				break;
 			case CRL_OBJ_CRL_ENTRY_EXTN_VALUE:
 			case CRL_OBJ_EXTN_VALUE:
-				{
-					int extn_oid = asn1_known_oid(extnID);
+			{
+				int extn_oid = asn1_known_oid(extnID);
 
-					if (revoked && extn_oid == OID_CRL_REASON_CODE)
-					{
-						if (*object.ptr == ASN1_ENUMERATED &&
-							asn1_length(&object) == 1)
+				switch (extn_oid)
+				{
+					case OID_CRL_REASON_CODE:
+						if (revoked)
 						{
-							revoked->reason = *object.ptr;
+							if (object.len && *object.ptr == ASN1_ENUMERATED &&
+								asn1_length(&object) == 1)
+							{
+								revoked->reason = *object.ptr;
+							}
+							DBG2(DBG_LIB, "  '%N'", crl_reason_names,
+								 revoked->reason);
 						}
-						DBG2(DBG_LIB, "  '%N'", crl_reason_names,
-							 revoked->reason);
-					}
-					else if (extn_oid == OID_AUTHORITY_KEY_ID)
-					{
-						this->authKeyIdentifier = x509_parse_authorityKeyIdentifier(object,
-														level, &this->authKeySerialNumber);
-					}
-					else if (extn_oid == OID_CRL_NUMBER)
-					{
+						break;
+					case OID_AUTHORITY_KEY_ID:
+						this->authKeyIdentifier =
+							x509_parse_authorityKeyIdentifier(
+									object, level, &this->authKeySerialNumber);
+						break;
+					case OID_CRL_NUMBER:
 						if (!asn1_parse_simple_object(&object, ASN1_INTEGER,
 													  level, "crlNumber"))
 						{
 							goto end;
 						}
 						this->crlNumber = object;
-					}
+						break;
+					case OID_FRESHEST_CRL:
+						x509_parse_crlDistributionPoints(object, level,
+														 this->crl_uris);
+						break;
+					case OID_DELTA_CRL_INDICATOR:
+						if (!asn1_parse_simple_object(&object, ASN1_INTEGER,
+													level, "deltaCrlIndicator"))
+						{
+							goto end;
+						}
+						this->baseCrlNumber = object;
+						break;
+					default:
+						if (critical && lib->settings->get_bool(lib->settings,
+							"libstrongswan.x509.enforce_critical", TRUE))
+						{
+							DBG1(DBG_LIB, "critical '%s' extension not supported",
+								 (extn_oid == OID_UNKNOWN) ? "unknown" :
+								 (char*)oid_names[extn_oid].name);
+							goto end;
+						}
+						break;
 				}
 				break;
+			}
 			case CRL_OBJ_ALGORITHM:
 			{
 				this->algorithm = asn1_parse_algorithmIdentifier(object, level, NULL);
@@ -344,6 +390,26 @@ METHOD(crl_t, get_authKeyIdentifier, chunk_t,
 	return this->authKeyIdentifier;
 }
 
+METHOD(crl_t, is_delta_crl, bool,
+	private_x509_crl_t *this, chunk_t *base_crl)
+{
+	if (this->baseCrlNumber.len)
+	{
+		if (base_crl)
+		{
+			*base_crl = this->baseCrlNumber;
+		}
+		return TRUE;
+	}
+	return FALSE;
+}
+
+METHOD(crl_t, create_delta_crl_uri_enumerator, enumerator_t*,
+	private_x509_crl_t *this)
+{
+	return this->crl_uris->create_enumerator(this->crl_uris);
+}
+
 METHOD(crl_t, create_enumerator, enumerator_t*,
 	private_x509_crl_t *this)
 {
@@ -388,7 +454,7 @@ METHOD(certificate_t, issued_by, bool,
 	{
 		return FALSE;
 	}
-	if (!(x509->get_flags(x509) & X509_CA))
+	if (!(x509->get_flags(x509) & (X509_CA | X509_CRL_SIGN)))
 	{
 		return FALSE;
 	}
@@ -501,18 +567,30 @@ static void revoked_destroy(revoked_t *revoked)
 	free(revoked);
 }
 
+/**
+ * Destroy a CDP entry
+ */
+static void cdp_destroy(x509_cdp_t *this)
+{
+	free(this->uri);
+	DESTROY_IF(this->issuer);
+	free(this);
+}
+
 METHOD(certificate_t, destroy, void,
 	private_x509_crl_t *this)
 {
 	if (ref_put(&this->ref))
 	{
 		this->revoked->destroy_function(this->revoked, (void*)revoked_destroy);
+		this->crl_uris->destroy_function(this->crl_uris, (void*)cdp_destroy);
 		DESTROY_IF(this->issuer);
 		free(this->authKeyIdentifier.ptr);
 		free(this->encoding.ptr);
 		if (this->generated)
 		{
 			free(this->crlNumber.ptr);
+			free(this->baseCrlNumber.ptr);
 			free(this->signature.ptr);
 			free(this->tbsCertList.ptr);
 		}
@@ -546,10 +624,13 @@ static private_x509_crl_t* create_empty(void)
 				},
 				.get_serial = _get_serial,
 				.get_authKeyIdentifier = _get_authKeyIdentifier,
+				.is_delta_crl = _is_delta_crl,
+				.create_delta_crl_uri_enumerator = _create_delta_crl_uri_enumerator,
 				.create_enumerator = _create_enumerator,
 			},
 		},
 		.revoked = linked_list_create(),
+		.crl_uris = linked_list_create(),
 		.ref = 1,
 	);
 	return this;
@@ -618,6 +699,7 @@ static bool generate(private_x509_crl_t *this, certificate_t *cert,
 					 private_key_t *key, hash_algorithm_t digest_alg)
 {
 	chunk_t extensions = chunk_empty, certList = chunk_empty, serial;
+	chunk_t crlDistributionPoints = chunk_empty, baseCrlNumber = chunk_empty;
 	enumerator_t *enumerator;
 	crl_reason_t reason;
 	time_t date;
@@ -625,7 +707,7 @@ static bool generate(private_x509_crl_t *this, certificate_t *cert,
 
 	x509 = (x509_t*)cert;
 
-	this->issuer = cert->get_issuer(cert);
+	this->issuer = cert->get_subject(cert);
 	this->issuer = this->issuer->clone(this->issuer);
 
 	this->authKeyIdentifier = chunk_clone(x509->get_subjectKeyIdentifier(x509));
@@ -660,8 +742,21 @@ static bool generate(private_x509_crl_t *this, certificate_t *cert,
 	}
 	enumerator->destroy(enumerator);
 
+	crlDistributionPoints = x509_build_crlDistributionPoints(this->crl_uris,
+															 OID_FRESHEST_CRL);
+
+	if (this->baseCrlNumber.len)
+	{
+		baseCrlNumber =  asn1_wrap(ASN1_SEQUENCE, "mmm",
+							asn1_build_known_oid(OID_DELTA_CRL_INDICATOR),
+							asn1_wrap(ASN1_BOOLEAN, "c",
+								chunk_from_chars(0xFF)),
+							asn1_wrap(ASN1_OCTET_STRING, "m",
+								asn1_integer("c", this->baseCrlNumber)));
+	}
+
 	extensions = asn1_wrap(ASN1_CONTEXT_C_0, "m",
-					asn1_wrap(ASN1_SEQUENCE, "mm",
+					asn1_wrap(ASN1_SEQUENCE, "mmmm",
 						asn1_wrap(ASN1_SEQUENCE, "mm",
 							asn1_build_known_oid(OID_AUTHORITY_KEY_ID),
 							asn1_wrap(ASN1_OCTET_STRING, "m",
@@ -671,9 +766,8 @@ static bool generate(private_x509_crl_t *this, certificate_t *cert,
 						asn1_wrap(ASN1_SEQUENCE, "mm",
 							asn1_build_known_oid(OID_CRL_NUMBER),
 							asn1_wrap(ASN1_OCTET_STRING, "m",
-								asn1_integer("c", this->crlNumber))
-							)
-						));
+								asn1_integer("c", this->crlNumber))),
+						crlDistributionPoints, baseCrlNumber));
 
 	this->tbsCertList = asn1_wrap(ASN1_SEQUENCE, "cmcmmmm",
 							ASN1_INTEGER_1,
@@ -736,6 +830,29 @@ x509_crl_t *x509_crl_gen(certificate_type_t type, va_list args)
 			case BUILD_REVOKED_ENUMERATOR:
 				read_revoked(crl, va_arg(args, enumerator_t*));
 				continue;
+			case BUILD_BASE_CRL:
+				crl->baseCrlNumber = va_arg(args, chunk_t);
+				crl->baseCrlNumber = chunk_clone(crl->baseCrlNumber);
+				break;
+			case BUILD_CRL_DISTRIBUTION_POINTS:
+			{
+				enumerator_t *enumerator;
+				linked_list_t *list;
+				x509_cdp_t *in, *cdp;
+
+				list = va_arg(args, linked_list_t*);
+				enumerator = list->create_enumerator(list);
+				while (enumerator->enumerate(enumerator, &in))
+				{
+					INIT(cdp,
+						.uri = strdup(in->uri),
+						.issuer = in->issuer ? in->issuer->clone(in->issuer) : NULL,
+					);
+					crl->crl_uris->insert_last(crl->crl_uris, cdp);
+				}
+				enumerator->destroy(enumerator);
+				continue;
+			}
 			case BUILD_END:
 				break;
 			default:
diff --git a/src/libstrongswan/plugins/x509/x509_plugin.c b/src/libstrongswan/plugins/x509/x509_plugin.c
index 11a7f023c..d40cc3567 100644
--- a/src/libstrongswan/plugins/x509/x509_plugin.c
+++ b/src/libstrongswan/plugins/x509/x509_plugin.c
@@ -36,10 +36,8 @@ struct private_x509_plugin_t {
 	x509_plugin_t public;
 };
 
-/**
- * Implementation of x509_plugin_t.x509troy
- */
-static void destroy(private_x509_plugin_t *this)
+METHOD(plugin_t, destroy, void,
+	private_x509_plugin_t *this)
 {
 	lib->creds->remove_builder(lib->creds,
 							   (builder_function_t)x509_cert_gen);
@@ -69,9 +67,15 @@ static void destroy(private_x509_plugin_t *this)
  */
 plugin_t *x509_plugin_create()
 {
-	private_x509_plugin_t *this = malloc_thing(private_x509_plugin_t);
+	private_x509_plugin_t *this;
 
-	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+	INIT(this,
+		.public = {
+			.plugin = {
+				.destroy = _destroy,
+			},
+		},
+	);
 
 	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509, FALSE,
 							(builder_function_t)x509_cert_gen);
diff --git a/src/libstrongswan/plugins/xcbc/Makefile.in b/src/libstrongswan/plugins/xcbc/Makefile.in
index e82e5246f..06d7a2121 100644
--- a/src/libstrongswan/plugins/xcbc/Makefile.in
+++ b/src/libstrongswan/plugins/xcbc/Makefile.in
@@ -220,9 +220,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -261,6 +259,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libstrongswan/plugins/xcbc/xcbc_plugin.c b/src/libstrongswan/plugins/xcbc/xcbc_plugin.c
index 88156f383..65e88335c 100644
--- a/src/libstrongswan/plugins/xcbc/xcbc_plugin.c
+++ b/src/libstrongswan/plugins/xcbc/xcbc_plugin.c
@@ -19,6 +19,8 @@
 #include "xcbc_signer.h"
 #include "xcbc_prf.h"
 
+static const char *plugin_name = "xcbc";
+
 typedef struct private_xcbc_plugin_t private_xcbc_plugin_t;
 
 /**
@@ -48,6 +50,7 @@ METHOD(plugin_t, destroy, void,
 plugin_t *xcbc_plugin_create()
 {
 	private_xcbc_plugin_t *this;
+	crypter_t *crypter;
 
 	INIT(this,
 		.public = {
@@ -57,15 +60,24 @@ plugin_t *xcbc_plugin_create()
 		},
 	);
 
-	lib->crypto->add_prf(lib->crypto, PRF_AES128_XCBC,
-					(prf_constructor_t)xcbc_prf_create);
-	lib->crypto->add_prf(lib->crypto, PRF_CAMELLIA128_XCBC,
-					(prf_constructor_t)xcbc_prf_create);
-	lib->crypto->add_signer(lib->crypto, AUTH_AES_XCBC_96,
-					(signer_constructor_t)xcbc_signer_create);
-	lib->crypto->add_signer(lib->crypto, AUTH_CAMELLIA_XCBC_96,
-					(signer_constructor_t)xcbc_signer_create);
-
+	crypter = lib->crypto->create_crypter(lib->crypto, ENCR_AES_CBC, 16);
+	if (crypter)
+	{
+		crypter->destroy(crypter);
+		lib->crypto->add_prf(lib->crypto, PRF_AES128_XCBC, plugin_name,
+						(prf_constructor_t)xcbc_prf_create);
+		lib->crypto->add_signer(lib->crypto, AUTH_AES_XCBC_96, plugin_name,
+						(signer_constructor_t)xcbc_signer_create);
+	}
+	crypter = lib->crypto->create_crypter(lib->crypto, ENCR_CAMELLIA_CBC, 16);
+	if (crypter)
+	{
+		crypter->destroy(crypter);
+		lib->crypto->add_prf(lib->crypto, PRF_CAMELLIA128_XCBC, plugin_name,
+						(prf_constructor_t)xcbc_prf_create);
+		lib->crypto->add_signer(lib->crypto, AUTH_CAMELLIA_XCBC_96, plugin_name,
+						(signer_constructor_t)xcbc_signer_create);
+	}
 	return &this->public.plugin;
 }
 
diff --git a/src/libstrongswan/printf_hook.c b/src/libstrongswan/printf_hook.c
index 4d4cef829..7e7045d69 100644
--- a/src/libstrongswan/printf_hook.c
+++ b/src/libstrongswan/printf_hook.c
@@ -377,10 +377,8 @@ int vstr_wrapper_vasprintf(char **str, const char *format, va_list args)
 }
 #endif
 
-/**
- * Implementation of printf_hook_t.add_handler.
- */
-static void add_handler(private_printf_hook_t *this, char spec,
+METHOD(printf_hook_t, add_handler, void,
+	private_printf_hook_t *this, char spec,
 						printf_hook_function_t hook, ...)
 {
 	int i = -1;
@@ -439,10 +437,8 @@ static void add_handler(private_printf_hook_t *this, char spec,
 	}
 }
 
-/**
- * Implementation of printf_hook_t.destroy
- */
-static void destroy(private_printf_hook_t *this)
+METHOD(printf_hook_t, destroy, void,
+	private_printf_hook_t *this)
 {
 	int i;
 #ifdef USE_VSTR
@@ -477,10 +473,14 @@ static void destroy(private_printf_hook_t *this)
  */
 printf_hook_t *printf_hook_create()
 {
-	private_printf_hook_t *this = malloc_thing(private_printf_hook_t);
-
-	this->public.add_handler = (void(*)(printf_hook_t*, char, printf_hook_function_t, ...))add_handler;
-	this->public.destroy = (void(*)(printf_hook_t*))destroy;
+	private_printf_hook_t *this;
+
+	INIT(this,
+		.public = {
+			.add_handler = _add_handler,
+			.destroy = _destroy,
+		},
+	);
 
 	memset(printf_hooks, 0, sizeof(printf_hooks));
 
diff --git a/src/libstrongswan/processing/processor.c b/src/libstrongswan/processing/processor.c
index 2a44f61e8..723aec908 100644
--- a/src/libstrongswan/processing/processor.c
+++ b/src/libstrongswan/processing/processor.c
@@ -248,7 +248,7 @@ static void destroy(private_processor_t *this)
 /*
  * Described in header.
  */
-processor_t *processor_create(size_t pool_size)
+processor_t *processor_create()
 {
 	private_processor_t *this = malloc_thing(private_processor_t);
 
diff --git a/src/libstrongswan/selectors/traffic_selector.c b/src/libstrongswan/selectors/traffic_selector.c
index 68bbbe2fd..32da194ef 100644
--- a/src/libstrongswan/selectors/traffic_selector.c
+++ b/src/libstrongswan/selectors/traffic_selector.c
@@ -393,13 +393,15 @@ static bool equals(private_traffic_selector_t *this, private_traffic_selector_t
 	switch (this->type)
 	{
 		case TS_IPV4_ADDR_RANGE:
-			if (memeq(this->from4, other->from4, sizeof(this->from4)))
+			if (memeq(this->from4, other->from4, sizeof(this->from4)) &&
+				memeq(this->to4, other->to4, sizeof(this->to4)))
 			{
 				return TRUE;
 			}
 			break;
 		case TS_IPV6_ADDR_RANGE:
-			if (memeq(this->from6, other->from6, sizeof(this->from6)))
+			if (memeq(this->from6, other->from6, sizeof(this->from6)) &&
+				memeq(this->to6, other->to6, sizeof(this->to6)))
 			{
 				return TRUE;
 			}
diff --git a/src/libstrongswan/settings.c b/src/libstrongswan/settings.c
index d85abb1df..bd279f51d 100644
--- a/src/libstrongswan/settings.c
+++ b/src/libstrongswan/settings.c
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2010 Tobias Brunner
  * Copyright (C) 2008 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -18,12 +19,17 @@
 #include <stdarg.h>
 #include <stdio.h>
 #include <errno.h>
+#include <limits.h>
+#include <glob.h>
+#include <libgen.h>
 
 #include "settings.h"
 
 #include "debug.h"
 #include "utils/linked_list.h"
+#include "threading/rwlock.h"
 
+#define MAX_INCLUSION_LEVEL		10
 
 typedef struct private_settings_t private_settings_t;
 typedef struct section_t section_t;
@@ -45,9 +51,14 @@ struct private_settings_t {
 	section_t *top;
 
 	/**
-	 * allocated file text
+	 * contents of loaded files and in-memory settings (char*)
 	 */
-	char *text;
+	linked_list_t *contents;
+
+	/**
+	 * lock to safely access the settings
+	 */
+	rwlock_t *lock;
 };
 
 /**
@@ -87,6 +98,69 @@ struct kv_t {
 	char *value;
 };
 
+/**
+ * create a key/value pair
+ */
+static kv_t *kv_create(char *key, char *value)
+{
+	kv_t *this;
+	INIT(this,
+		.key = strdup(key),
+		.value = value,
+	);
+	return this;
+}
+
+/**
+ * destroy a key/value pair
+ */
+static void kv_destroy(kv_t *this)
+{
+	free(this->key);
+	free(this);
+}
+
+/**
+ * create a section with the given name
+ */
+static section_t *section_create(char *name)
+{
+	section_t *this;
+	INIT(this,
+		.name = strdupnull(name),
+		.sections = linked_list_create(),
+		.kv = linked_list_create(),
+	);
+	return this;
+}
+
+/**
+ * destroy a section
+ */
+static void section_destroy(section_t *this)
+{
+	this->kv->destroy_function(this->kv, (void*)kv_destroy);
+	this->sections->destroy_function(this->sections, (void*)section_destroy);
+	free(this->name);
+	free(this);
+}
+
+/**
+ * callback to find a section by name
+ */
+static bool section_find(section_t *this, char *name)
+{
+	return streq(this->name, name);
+}
+
+/**
+ * callback to find a kv pair by key
+ */
+static bool kv_find(kv_t *this, char *key)
+{
+	return streq(this->key, key);
+}
+
 /**
  * Print a format key, but consume already processed arguments
  */
@@ -136,14 +210,15 @@ static bool print_key(char *buf, int len, char *start, char *key, va_list args)
 }
 
 /**
- * find a section by a given key, using buffered key, reusable buffer
+ * Find a section by a given key, using buffered key, reusable buffer.
+ * If "ensure" is TRUE, the sections are created if they don't exist.
  */
 static section_t *find_section_buffered(section_t *section,
-					char *start, char *key, va_list args, char *buf, int len)
+					char *start, char *key, va_list args, char *buf, int len,
+					bool ensure)
 {
 	char *pos;
-	enumerator_t *enumerator;
-	section_t *current, *found = NULL;
+	section_t *found = NULL;
 
 	if (section == NULL)
 	{
@@ -159,47 +234,75 @@ static section_t *find_section_buffered(section_t *section,
 	{
 		return NULL;
 	}
-	enumerator = section->sections->create_enumerator(section->sections);
-	while (enumerator->enumerate(enumerator, &current))
+	if (section->sections->find_first(section->sections,
+									  (linked_list_match_t)section_find,
+									  (void**)&found, buf) != SUCCESS)
 	{
-		if (streq(current->name, buf))
+		if (ensure)
 		{
-			found = current;
-			break;
+			found = section_create(buf);
+			section->sections->insert_last(section->sections, found);
 		}
 	}
-	enumerator->destroy(enumerator);
 	if (found && pos)
 	{
-		return find_section_buffered(found, start, pos, args, buf, len);
+		return find_section_buffered(found, start, pos, args, buf, len, ensure);
 	}
 	return found;
 }
 
 /**
- * find a section by a given key
+ * Find a section by a given key (thread-safe).
  */
-static section_t *find_section(section_t *section, char *key, va_list args)
+static section_t *find_section(private_settings_t *this, section_t *section,
+							   char *key, va_list args)
 {
 	char buf[128], keybuf[512];
+	section_t *found;
 
 	if (snprintf(keybuf, sizeof(keybuf), "%s", key) >= sizeof(keybuf))
 	{
 		return NULL;
 	}
-	return find_section_buffered(section, keybuf, keybuf, args, buf, sizeof(buf));
+	this->lock->read_lock(this->lock);
+	found = find_section_buffered(section, keybuf, keybuf, args, buf,
+								  sizeof(buf), FALSE);
+	this->lock->unlock(this->lock);
+	return found;
 }
 
 /**
- * Find the string value for a key, using buffered key, reusable buffer
+ * Ensure that the section with the given key exists (thread-safe).
  */
-static char *find_value_buffered(section_t *section,
-					char *start, char *key, va_list args, char *buf, int len)
+static section_t *ensure_section(private_settings_t *this, section_t *section,
+								 char *key, va_list args)
 {
-	char *pos, *value = NULL;
-	enumerator_t *enumerator;
-	kv_t *kv;
-	section_t *current, *found = NULL;
+	char buf[128], keybuf[512];
+	section_t *found;
+
+	if (snprintf(keybuf, sizeof(keybuf), "%s", key) >= sizeof(keybuf))
+	{
+		return NULL;
+	}
+	/* we might have to change the tree */
+	this->lock->write_lock(this->lock);
+	found = find_section_buffered(section, keybuf, keybuf, args, buf,
+								  sizeof(buf), TRUE);
+	this->lock->unlock(this->lock);
+	return found;
+}
+
+/**
+ * Find the key/value pair for a key, using buffered key, reusable buffer
+ * If "ensure" is TRUE, the sections (and key/value pair) are created if they
+ * don't exist.
+ */
+static kv_t *find_value_buffered(section_t *section, char *start, char *key,
+								 va_list args, char *buf, int len, bool ensure)
+{
+	char *pos;
+	kv_t *kv = NULL;
+	section_t *found = NULL;
 
 	if (section == NULL)
 	{
@@ -216,20 +319,19 @@ static char *find_value_buffered(section_t *section,
 		{
 			return NULL;
 		}
-		enumerator = section->sections->create_enumerator(section->sections);
-		while (enumerator->enumerate(enumerator, &current))
+		if (section->sections->find_first(section->sections,
+										  (linked_list_match_t)section_find,
+										  (void**)&found, buf) != SUCCESS)
 		{
-			if (streq(current->name, buf))
+			if (!ensure)
 			{
-				found = current;
-				break;
+				return NULL;
 			}
+			found = section_create(buf);
+			section->sections->insert_last(section->sections, found);
 		}
-		enumerator->destroy(enumerator);
-		if (found)
-		{
-			return find_value_buffered(found, start, pos, args, buf, len);
-		}
+		return find_value_buffered(found, start, pos, args, buf, len,
+								   ensure);
 	}
 	else
 	{
@@ -237,44 +339,86 @@ static char *find_value_buffered(section_t *section,
 		{
 			return NULL;
 		}
-		enumerator = section->kv->create_enumerator(section->kv);
-		while (enumerator->enumerate(enumerator, &kv))
+		if (section->kv->find_first(section->kv, (linked_list_match_t)kv_find,
+									(void**)&kv, buf) != SUCCESS)
 		{
-			if (streq(kv->key, buf))
+			if (ensure)
 			{
-				value = kv->value;
-				break;
+				kv = kv_create(buf, NULL);
+				section->kv->insert_last(section->kv, kv);
 			}
 		}
-		enumerator->destroy(enumerator);
 	}
-	return value;
+	return kv;
 }
 
 /**
- * Find the string value for a key
+ * Find the string value for a key (thread-safe).
  */
-static char *find_value(section_t *section, char *key, va_list args)
+static char *find_value(private_settings_t *this, section_t *section,
+						char *key, va_list args)
 {
-	char buf[128], keybuf[512];
+	char buf[128], keybuf[512], *value = NULL;
+	kv_t *kv;
 
 	if (snprintf(keybuf, sizeof(keybuf), "%s", key) >= sizeof(keybuf))
 	{
 		return NULL;
 	}
-	return find_value_buffered(section, keybuf, keybuf, args, buf, sizeof(buf));
+	this->lock->read_lock(this->lock);
+	kv = find_value_buffered(section, keybuf, keybuf, args, buf, sizeof(buf),
+							 FALSE);
+	if (kv)
+	{
+		value = kv->value;
+	}
+	this->lock->unlock(this->lock);
+	return value;
 }
 
 /**
- * Implementation of settings_t.get.
+ * Set a value to a copy of the given string (thread-safe).
  */
-static char* get_str(private_settings_t *this, char *key, char *def, ...)
+static void set_value(private_settings_t *this, section_t *section,
+					  char *key, va_list args, char *value)
+{
+	char buf[128], keybuf[512];
+	kv_t *kv;
+
+	if (snprintf(keybuf, sizeof(keybuf), "%s", key) >= sizeof(keybuf))
+	{
+		return;
+	}
+	this->lock->write_lock(this->lock);
+	kv = find_value_buffered(section, keybuf, keybuf, args, buf, sizeof(buf),
+							 TRUE);
+	if (kv)
+	{
+		if (!value)
+		{
+			kv->value = NULL;
+		}
+		else if (kv->value && (strlen(value) <= strlen(kv->value)))
+		{	/* overwrite in-place, if possible */
+			strcpy(kv->value, value);
+		}
+		else
+		{	/* otherwise clone the string and store it in the cache */
+			kv->value = strdup(value);
+			this->contents->insert_last(this->contents, kv->value);
+		}
+	}
+	this->lock->unlock(this->lock);
+}
+
+METHOD(settings_t, get_str, char*,
+	   private_settings_t *this, char *key, char *def, ...)
 {
 	char *value;
 	va_list args;
 
 	va_start(args, def);
-	value = find_value(this->top, key, args);
+	value = find_value(this, this->top, key, args);
 	va_end(args);
 	if (value)
 	{
@@ -284,29 +428,23 @@ static char* get_str(private_settings_t *this, char *key, char *def, ...)
 }
 
 /**
- * Implementation of settings_t.get_bool.
+ * Described in header
  */
-static bool get_bool(private_settings_t *this, char *key, bool def, ...)
+inline bool settings_value_as_bool(char *value, bool def)
 {
-	char *value;
-	va_list args;
-
-	va_start(args, def);
-	value = find_value(this->top, key, args);
-	va_end(args);
 	if (value)
 	{
-		if (strcaseeq(value, "true") ||
-			strcaseeq(value, "enabled") ||
+		if (strcaseeq(value, "1") ||
 			strcaseeq(value, "yes") ||
-			strcaseeq(value, "1"))
+			strcaseeq(value, "true") ||
+			strcaseeq(value, "enabled"))
 		{
 			return TRUE;
 		}
-		else if (strcaseeq(value, "false") ||
-				 strcaseeq(value, "disabled") ||
+		else if (strcaseeq(value, "0") ||
 				 strcaseeq(value, "no") ||
-				 strcaseeq(value, "0"))
+				 strcaseeq(value, "false") ||
+				 strcaseeq(value, "disabled"))
 		{
 			return FALSE;
 		}
@@ -314,18 +452,24 @@ static bool get_bool(private_settings_t *this, char *key, bool def, ...)
 	return def;
 }
 
-/**
- * Implementation of settings_t.get_int.
- */
-static int get_int(private_settings_t *this, char *key, int def, ...)
+METHOD(settings_t, get_bool, bool,
+	   private_settings_t *this, char *key, bool def, ...)
 {
 	char *value;
-	int intval;
 	va_list args;
 
 	va_start(args, def);
-	value = find_value(this->top, key, args);
+	value = find_value(this, this->top, key, args);
 	va_end(args);
+	return settings_value_as_bool(value, def);
+}
+
+/**
+ * Described in header
+ */
+inline int settings_value_as_int(char *value, int def)
+{
+	int intval;
 	if (value)
 	{
 		errno = 0;
@@ -338,18 +482,24 @@ static int get_int(private_settings_t *this, char *key, int def, ...)
 	return def;
 }
 
-/**
- * Implementation of settings_t.get_double.
- */
-static double get_double(private_settings_t *this, char *key, double def, ...)
+METHOD(settings_t, get_int, int,
+	   private_settings_t *this, char *key, int def, ...)
 {
 	char *value;
-	double dval;
 	va_list args;
 
 	va_start(args, def);
-	value = find_value(this->top, key, args);
+	value = find_value(this, this->top, key, args);
 	va_end(args);
+	return settings_value_as_int(value, def);
+}
+
+/**
+ * Described in header
+ */
+inline double settings_value_as_double(char *value, double def)
+{
+	double dval;
 	if (value)
 	{
 		errno = 0;
@@ -362,18 +512,25 @@ static double get_double(private_settings_t *this, char *key, double def, ...)
 	return def;
 }
 
-/**
- * Implementation of settings_t.get_time.
- */
-static u_int32_t get_time(private_settings_t *this, char *key, u_int32_t def, ...)
+METHOD(settings_t, get_double, double,
+	   private_settings_t *this, char *key, double def, ...)
 {
-	char *value, *endptr;
-	u_int32_t timeval;
+	char *value;
 	va_list args;
 
 	va_start(args, def);
-	value = find_value(this->top, key, args);
+	value = find_value(this, this->top, key, args);
 	va_end(args);
+	return settings_value_as_double(value, def);
+}
+
+/**
+ * Described in header
+ */
+inline u_int32_t settings_value_as_time(char *value, u_int32_t def)
+{
+	char *endptr;
+	u_int32_t timeval;
 	if (value)
 	{
 		errno = 0;
@@ -392,7 +549,7 @@ static u_int32_t get_time(private_settings_t *this, char *key, u_int32_t def, ..
 					timeval *= 60;
 					break;
 				case 's':		/* time in seconds */
-					default:
+				default:
 					break;
 			}
 			return timeval;
@@ -401,6 +558,75 @@ static u_int32_t get_time(private_settings_t *this, char *key, u_int32_t def, ..
 	return def;
 }
 
+METHOD(settings_t, get_time, u_int32_t,
+	   private_settings_t *this, char *key, u_int32_t def, ...)
+{
+	char *value;
+	va_list args;
+
+	va_start(args, def);
+	value = find_value(this, this->top, key, args);
+	va_end(args);
+	return settings_value_as_time(value, def);
+}
+
+METHOD(settings_t, set_str, void,
+	   private_settings_t *this, char *key, char *value, ...)
+{
+	va_list args;
+	va_start(args, value);
+	set_value(this, this->top, key, args, value);
+	va_end(args);
+}
+
+METHOD(settings_t, set_bool, void,
+	   private_settings_t *this, char *key, bool value, ...)
+{
+	va_list args;
+	va_start(args, value);
+	set_value(this, this->top, key, args, value ? "1" : "0");
+	va_end(args);
+}
+
+METHOD(settings_t, set_int, void,
+	   private_settings_t *this, char *key, int value, ...)
+{
+	char val[16];
+	va_list args;
+	va_start(args, value);
+	if (snprintf(val, sizeof(val), "%d", value) < sizeof(val))
+	{
+		set_value(this, this->top, key, args, val);
+	}
+	va_end(args);
+}
+
+METHOD(settings_t, set_double, void,
+	   private_settings_t *this, char *key, double value, ...)
+{
+	char val[64];
+	va_list args;
+	va_start(args, value);
+	if (snprintf(val, sizeof(val), "%f", value) < sizeof(val))
+	{
+		set_value(this, this->top, key, args, val);
+	}
+	va_end(args);
+}
+
+METHOD(settings_t, set_time, void,
+	   private_settings_t *this, char *key, u_int32_t value, ...)
+{
+	char val[16];
+	va_list args;
+	va_start(args, value);
+	if (snprintf(val, sizeof(val), "%u", value) < sizeof(val))
+	{
+		set_value(this, this->top, key, args, val);
+	}
+	va_end(args);
+}
+
 /**
  * Enumerate section names, not sections
  */
@@ -410,26 +636,24 @@ static bool section_filter(void *null, section_t **in, char **out)
 	return TRUE;
 }
 
-/**
- * Implementation of settings_t.create_section_enumerator
- */
-static enumerator_t* create_section_enumerator(private_settings_t *this,
-											   char *key, ...)
+METHOD(settings_t, create_section_enumerator, enumerator_t*,
+	   private_settings_t *this, char *key, ...)
 {
 	section_t *section;
 	va_list args;
 
 	va_start(args, key);
-	section = find_section(this->top, key, args);
+	section = find_section(this, this->top, key, args);
 	va_end(args);
 
 	if (!section)
 	{
 		return enumerator_create_empty();
 	}
+	this->lock->read_lock(this->lock);
 	return enumerator_create_filter(
-					section->sections->create_enumerator(section->sections),
-					(void*)section_filter, NULL, NULL);
+				section->sections->create_enumerator(section->sections),
+				(void*)section_filter, this->lock, (void*)this->lock->unlock);
 }
 
 /**
@@ -443,37 +667,24 @@ static bool kv_filter(void *null, kv_t **in, char **key,
 	return TRUE;
 }
 
-/**
- * Implementation of settings_t.create_key_value_enumerator
- */
-static enumerator_t* create_key_value_enumerator(private_settings_t *this,
-												 char *key, ...)
+METHOD(settings_t, create_key_value_enumerator, enumerator_t*,
+	   private_settings_t *this, char *key, ...)
 {
 	section_t *section;
 	va_list args;
 
 	va_start(args, key);
-	section = find_section(this->top, key, args);
+	section = find_section(this, this->top, key, args);
 	va_end(args);
 
 	if (!section)
 	{
 		return enumerator_create_empty();
 	}
+	this->lock->read_lock(this->lock);
 	return enumerator_create_filter(
 					section->kv->create_enumerator(section->kv),
-					(void*)kv_filter, NULL, NULL);
-}
-
-/**
- * destroy a section
- */
-static void section_destroy(section_t *this)
-{
-	this->kv->destroy_function(this->kv, free);
-	this->sections->destroy_function(this->sections, (void*)section_destroy);
-
-	free(this);
+					(void*)kv_filter, this->lock, (void*)this->lock->unlock);
 }
 
 /**
@@ -550,46 +761,135 @@ static char parse(char **text, char *skip, char *term, char *br, char **token)
 	return 0;
 }
 
+/**
+ * Check if "text" starts with "pattern".
+ * Characters in "skip" are skipped first. If found, TRUE is returned and "text"
+ * is modified to point to the character right after "pattern".
+ */
+static bool starts_with(char **text, char *skip, char *pattern)
+{
+	char *pos = *text;
+	int len = strlen(pattern);
+	while (strchr(skip, *pos))
+	{
+		pos++;
+		if (!*pos)
+		{
+			return FALSE;
+		}
+	}
+	if (strlen(pos) < len || !strneq(pos, pattern, len))
+	{
+		return FALSE;
+	}
+	*text = pos + len;
+	return TRUE;
+}
+
+/**
+ * Check if what follows in "text" is an include statement.
+ * If this function returns TRUE, "text" will point to the character right after
+ * the include pattern, which is returned in "pattern".
+ */
+static bool parse_include(char **text, char **pattern)
+{
+	char *pos = *text;
+	if (!starts_with(&pos, "\n\t ", "include"))
+	{
+		return FALSE;
+	}
+	if (starts_with(&pos, "\t ", "="))
+	{	/* ignore "include = value" */
+		return FALSE;
+	}
+	*text = pos;
+	return parse(text, "\t ", "\n", NULL, pattern) != 0;
+}
+
+/**
+ * Forward declaration.
+ */
+static bool parse_files(linked_list_t *contents, char *file, int level,
+						char *pattern, section_t *section);
+
 /**
  * Parse a section
  */
-static section_t* parse_section(char **text, char *name)
+static bool parse_section(linked_list_t *contents, char *file, int level,
+						  char **text, section_t *section)
 {
-	section_t *sub, *section;
 	bool finished = FALSE;
 	char *key, *value, *inner;
 
-	static int lev = 0;
-	lev++;
-
-	section = malloc_thing(section_t);
-	section->name = name;
-	section->sections = linked_list_create();
-	section->kv = linked_list_create();
-
 	while (!finished)
 	{
+		if (parse_include(text, &value))
+		{
+			if (!parse_files(contents, file, level, value, section))
+			{
+				DBG1(DBG_LIB, "failed to include '%s'", value);
+				return FALSE;
+			}
+			continue;
+		}
 		switch (parse(text, "\t\n ", "{=#", NULL, &key))
 		{
 			case '{':
 				if (parse(text, "\t ", "}", "{", &inner))
 				{
-					sub = parse_section(&inner, key);
-					if (sub)
+					section_t *sub;
+					if (!strlen(key))
 					{
-						section->sections->insert_last(section->sections, sub);
+						DBG1(DBG_LIB, "skipping section without name in '%s'",
+							 section->name);
 						continue;
 					}
+					if (section->sections->find_first(section->sections,
+											(linked_list_match_t)section_find,
+											(void**)&sub, key) != SUCCESS)
+					{
+						sub = section_create(key);
+						if (parse_section(contents, file, level, &inner, sub))
+						{
+							section->sections->insert_last(section->sections,
+														   sub);
+							continue;
+						}
+						section_destroy(sub);
+					}
+					else
+					{	/* extend the existing section */
+						if (parse_section(contents, file, level, &inner, sub))
+						{
+							continue;
+						}
+					}
+					DBG1(DBG_LIB, "parsing subsection '%s' failed", key);
+					break;
 				}
 				DBG1(DBG_LIB, "matching '}' not found near %s", *text);
 				break;
 			case '=':
 				if (parse(text, "\t ", "\n", NULL, &value))
 				{
-					kv_t *kv = malloc_thing(kv_t);
-					kv->key = key;
-					kv->value = value;
-					section->kv->insert_last(section->kv, kv);
+					kv_t *kv;
+					if (!strlen(key))
+					{
+						DBG1(DBG_LIB, "skipping value without key in '%s'",
+							 section->name);
+						continue;
+					}
+					if (section->kv->find_first(section->kv,
+								(linked_list_match_t)kv_find,
+								(void**)&kv, key) != SUCCESS)
+					{
+						kv = kv_create(key, value);
+						section->kv->insert_last(section->kv, kv);
+					}
+					else
+					{	/* replace with the most recently read value */
+						kv->value = value;
+					}
 					continue;
 				}
 				DBG1(DBG_LIB, "parsing value failed near %s", *text);
@@ -601,78 +901,272 @@ static section_t* parse_section(char **text, char *name)
 				finished = TRUE;
 				continue;
 		}
-		section_destroy(section);
-		return NULL;
+		return FALSE;
 	}
-	return section;
+	return TRUE;
 }
 
 /**
- * Implementation of settings_t.destroy
+ * Parse a file and add the settings to the given section.
  */
-static void destroy(private_settings_t *this)
+static bool parse_file(linked_list_t *contents, char *file, int level,
+					   section_t *section)
 {
-	if (this->top)
+	bool success;
+	char *text, *pos;
+	FILE *fd;
+	int len;
+
+	DBG2(DBG_LIB, "loading config file '%s'", file);
+	fd = fopen(file, "r");
+	if (fd == NULL)
 	{
-		section_destroy(this->top);
+		DBG1(DBG_LIB, "'%s' does not exist or is not readable", file);
+		return FALSE;
 	}
-	free(this->text);
-	free(this);
+	fseek(fd, 0, SEEK_END);
+	len = ftell(fd);
+	rewind(fd);
+	text = malloc(len + 1);
+	text[len] = '\0';
+	if (fread(text, 1, len, fd) != len)
+	{
+		free(text);
+		return FALSE;
+	}
+	fclose(fd);
+
+	pos = text;
+	success = parse_section(contents, file, level, &pos, section);
+	if (!success)
+	{
+		free(text);
+	}
+	else
+	{
+		contents->insert_last(contents, text);
+	}
+	return success;
 }
 
-/*
- * see header file
+/**
+ * Load the files matching "pattern", which is resolved with glob(3).
+ * If the pattern is relative, the directory of "file" is used as base.
  */
-settings_t *settings_create(char *file)
+static bool parse_files(linked_list_t *contents, char *file, int level,
+						char *pattern, section_t *section)
 {
-	private_settings_t *this;
-	char *pos;
-	FILE *fd;
-	int len;
+	bool success = TRUE;
+	int status;
+	glob_t buf;
+	char **expanded, pat[PATH_MAX];
 
-	this = malloc_thing(private_settings_t);
-	this->public.get_str = (char*(*)(settings_t*, char *key, char* def, ...))get_str;
-	this->public.get_int = (int(*)(settings_t*, char *key, int def, ...))get_int;
-	this->public.get_double = (double(*)(settings_t*, char *key, double def, ...))get_double;
-	this->public.get_time = (u_int32_t(*)(settings_t*, char *key, u_int32_t def, ...))get_time;
-	this->public.get_bool = (bool(*)(settings_t*, char *key, bool def, ...))get_bool;
-	this->public.create_section_enumerator = (enumerator_t*(*)(settings_t*,char *section, ...))create_section_enumerator;
-	this->public.create_key_value_enumerator = (enumerator_t*(*)(settings_t*, char *key, ...))create_key_value_enumerator;
-	this->public.destroy = (void(*)(settings_t*))destroy;
+	if (level > MAX_INCLUSION_LEVEL)
+	{
+		DBG1(DBG_LIB, "maximum level of %d includes reached, ignored",
+			 MAX_INCLUSION_LEVEL);
+		return TRUE;
+	}
 
-	this->top = NULL;
-	this->text = NULL;
+	if (!strlen(pattern))
+	{
+		DBG2(DBG_LIB, "empty include pattern, ignored");
+		return TRUE;
+	}
 
-	if (file == NULL)
+	if (!file || pattern[0] == '/')
+	{	/* absolute path */
+		if (snprintf(pat, sizeof(pat), "%s", pattern) >= sizeof(pat))
+		{
+			DBG1(DBG_LIB, "include pattern too long, ignored");
+			return TRUE;
+		}
+	}
+	else
+	{	/* base relative paths to the directory of the current file */
+		char *dir = strdup(file);
+		dir = dirname(dir);
+		if (snprintf(pat, sizeof(pat), "%s/%s", dir, pattern) >= sizeof(pat))
+		{
+			DBG1(DBG_LIB, "include pattern too long, ignored");
+			free(dir);
+			return TRUE;
+		}
+		free(dir);
+	}
+	status = glob(pat, GLOB_ERR, NULL, &buf);
+	if (status == GLOB_NOMATCH)
 	{
-		file = STRONGSWAN_CONF;
+		DBG2(DBG_LIB, "no files found matching '%s', ignored", pat);
 	}
-	fd = fopen(file, "r");
-	if (fd == NULL)
+	else if (status != 0)
 	{
-		DBG1(DBG_LIB, "'%s' does not exist or is not readable", file);
-		return &this->public;
+		DBG1(DBG_LIB, "expanding file pattern '%s' failed", pat);
+		success = FALSE;
 	}
-	fseek(fd, 0, SEEK_END);
-	len = ftell(fd);
-	rewind(fd);
-	this->text = malloc(len + 1);
-	this->text[len] = '\0';
-	if (fread(this->text, 1, len, fd) != len)
+	else
 	{
-		free(this->text);
-		this->text = NULL;
-		return &this->public;
+		for (expanded = buf.gl_pathv; *expanded != NULL; expanded++)
+		{
+			success &= parse_file(contents, *expanded, level + 1, section);
+			if (!success)
+			{
+				break;
+			}
+		}
 	}
-	fclose(fd);
+	globfree(&buf);
+	return success;
+}
+
+/**
+ * Recursivly extends "base" with "extension".
+ */
+static void section_extend(section_t *base, section_t *extension)
+{
+	enumerator_t *enumerator;
+	section_t *sec;
+	kv_t *kv;
+
+	enumerator = extension->sections->create_enumerator(extension->sections);
+	while (enumerator->enumerate(enumerator, (void**)&sec))
+	{
+		section_t *found;
+		if (base->sections->find_first(base->sections,
+					(linked_list_match_t)section_find, (void**)&found,
+					sec->name) == SUCCESS)
+		{
+			section_extend(found, sec);
+		}
+		else
+		{
+			extension->sections->remove_at(extension->sections, enumerator);
+			base->sections->insert_last(base->sections, sec);
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	enumerator = extension->kv->create_enumerator(extension->kv);
+	while (enumerator->enumerate(enumerator, (void**)&kv))
+	{
+		kv_t *found;
+		if (base->kv->find_first(base->kv, (linked_list_match_t)kv_find,
+					(void**)&found, kv->key) == SUCCESS)
+		{
+			found->value = kv->value;
+		}
+		else
+		{
+			extension->kv->remove_at(extension->kv, enumerator);
+			base->kv->insert_last(base->kv, kv);
+		}
+	}
+	enumerator->destroy(enumerator);
+}
+
+/**
+ * Load settings from files matching the given file pattern.
+ * All sections and values are added relative to "parent".
+ * All files (even included ones) have to be loaded successfully.
+ */
+static bool load_files_internal(private_settings_t *this, section_t *parent,
+								char *pattern)
+{
+	char *text;
+	linked_list_t *contents = linked_list_create();
+	section_t *section = section_create(NULL);
+
+	if (!parse_files(contents, NULL, 0, pattern, section))
+	{
+		contents->destroy_function(contents, (void*)free);
+		section_destroy(section);
+		return FALSE;
+	}
+
+	this->lock->write_lock(this->lock);
+	/* extend parent section */
+	section_extend(parent, section);
+	/* move contents of loaded files to main store */
+	while (contents->remove_first(contents, (void**)&text) == SUCCESS)
+	{
+		this->contents->insert_last(this->contents, text);
+	}
+	this->lock->unlock(this->lock);
+
+	section_destroy(section);
+	contents->destroy(contents);
+	return TRUE;
+}
+
+METHOD(settings_t, load_files, bool,
+	   private_settings_t *this, char *pattern)
+{
+	return load_files_internal(this, this->top, pattern);
+}
+
+METHOD(settings_t, load_files_section, bool,
+	   private_settings_t *this, char *pattern, char *key, ...)
+{
+	section_t *section;
+	va_list args;
+
+	va_start(args, key);
+	section = ensure_section(this, this->top, key, args);
+	va_end(args);
 
-	pos = this->text;
-	this->top = parse_section(&pos, NULL);
-	if (this->top == NULL)
+	if (!section)
 	{
-		free(this->text);
-		this->text = NULL;
+		return FALSE;
 	}
+	return load_files_internal(this, section, pattern);
+}
+
+METHOD(settings_t, destroy, void,
+	   private_settings_t *this)
+{
+	section_destroy(this->top);
+	this->contents->destroy_function(this->contents, (void*)free);
+	this->lock->destroy(this->lock);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+settings_t *settings_create(char *file)
+{
+	private_settings_t *this;
+
+	INIT(this,
+		.public = {
+			.get_str = _get_str,
+			.get_int = _get_int,
+			.get_double = _get_double,
+			.get_time = _get_time,
+			.get_bool = _get_bool,
+			.set_str = _set_str,
+			.set_int = _set_int,
+			.set_double = _set_double,
+			.set_time = _set_time,
+			.set_bool = _set_bool,
+			.create_section_enumerator = _create_section_enumerator,
+			.create_key_value_enumerator = _create_key_value_enumerator,
+			.load_files = _load_files,
+			.load_files_section = _load_files_section,
+			.destroy = _destroy,
+		},
+		.top = section_create(NULL),
+		.contents = linked_list_create(),
+		.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
+	);
+
+	if (file == NULL)
+	{
+		file = STRONGSWAN_CONF;
+	}
+
+	load_files(this, file);
+
 	return &this->public;
 }
 
diff --git a/src/libstrongswan/settings.h b/src/libstrongswan/settings.h
index 486de8def..bc3df3706 100644
--- a/src/libstrongswan/settings.h
+++ b/src/libstrongswan/settings.h
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2010 Tobias Brunner
  * Copyright (C) 2008 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -26,15 +27,55 @@ typedef struct settings_t settings_t;
 #include "utils.h"
 #include "utils/enumerator.h"
 
+/**
+ * Convert a string value returned by a key/value enumerator to a boolean.
+ *
+ * @see settings_t.create_key_value_enumerator()
+ * @see settings_t.get_bool()
+ * @param value			the string value
+ * @param def			the default value, if value is NULL or invalid
+ */
+bool settings_value_as_bool(char *value, bool def);
+
+/**
+ * Convert a string value returned by a key/value enumerator to an integer.
+ *
+ * @see settings_t.create_key_value_enumerator()
+ * @see settings_t.get_int()
+ * @param value			the string value
+ * @param def			the default value, if value is NULL or invalid
+ */
+int settings_value_as_int(char *value, int def);
+
+/**
+ * Convert a string value returned by a key/value enumerator to a double.
+ *
+ * @see settings_t.create_key_value_enumerator()
+ * @see settings_t.get_double()
+ * @param value			the string value
+ * @param def			the default value, if value is NULL or invalid
+ */
+double settings_value_as_double(char *value, double def);
+
+/**
+ * Convert a string value returned by a key/value enumerator to a time value.
+ *
+ * @see settings_t.create_key_value_enumerator()
+ * @see settings_t.get_time()
+ * @param value			the string value
+ * @param def			the default value, if value is NULL or invalid
+ */
+u_int32_t settings_value_as_time(char *value, u_int32_t def);
+
 /**
  * Generic configuration options read from a config file.
  *
  * The syntax is quite simple:
- *
+ * @code
  * settings := (section|keyvalue)*
  * section  := name { settings }
  * keyvalue := key = value\n
- *
+ * @endcode
  * E.g.:
  * @code
 	a = b
@@ -54,6 +95,51 @@ typedef struct settings_t settings_t;
  *
  * Currently only a limited set of printf format specifiers are supported
  * (namely %s, %d and %N, see implementation for details).
+ *
+ * \section includes Including other files
+ * Other files can be included, using the include statement e.g.
+ * @code
+ *   include /somepath/subconfig.conf
+ * @endcode
+ * Shell patterns like *.conf are possible.
+ *
+ * If the path is relative, the directory of the file containing the include
+ * statement is used as base.
+ *
+ * Sections loaded from included files extend previously loaded sections,
+ * already existing values are replaced.
+ *
+ * All settings included from files are added relative to the section the
+ * include statment is in.
+ *
+ * The following files result in the same final config as above:
+ *
+ * @code
+	a = b
+	section-one {
+		somevalue = before include
+		include include.conf
+	}
+	include two.conf
+	@endcode
+ * include.conf
+ * @code
+	somevalue = asdf
+	subsection {
+		othervalue = yyy
+	}
+	yetanother = zz
+	@endcode
+ * two.conf
+ * @code
+	section-one {
+		subsection {
+			othervalue = xxx
+		}
+	}
+	section-two {
+	}
+	@endcode
  */
 struct settings_t {
 
@@ -107,6 +193,51 @@ struct settings_t {
 	 */
 	u_int32_t (*get_time)(settings_t *this, char *key, u_int32_t def, ...);
 
+	/**
+	 * Set a string value.
+	 *
+	 * @param key		key including sections, printf style format
+	 * @param value		value to set (gets cloned)
+	 * @param ...		argument list for key
+	 */
+	void (*set_str)(settings_t *this, char *key, char *value, ...);
+
+	/**
+	 * Set a boolean value.
+	 *
+	 * @param key		key including sections, printf style format
+	 * @param value		value to set
+	 * @param ...		argument list for key
+	 */
+	void (*set_bool)(settings_t *this, char *key, bool value, ...);
+
+	/**
+	 * Set an integer value.
+	 *
+	 * @param key		key including sections, printf style format
+	 * @param value		value to set
+	 * @param ...		argument list for key
+	 */
+	void (*set_int)(settings_t *this, char *key, int value, ...);
+
+	/**
+	 * Set an double value.
+	 *
+	 * @param key		key including sections, printf style format
+	 * @param value		value to set
+	 * @param ...		argument list for key
+	 */
+	void (*set_double)(settings_t *this, char *key, double value, ...);
+
+	/**
+	 * Set a time value.
+	 *
+	 * @param key		key including sections, printf style format
+	 * @param def		value to set
+	 * @param ...		argument list for key
+	 */
+	void (*set_time)(settings_t *this, char *key, u_int32_t value, ...);
+
 	/**
 	 * Create an enumerator over subsection names of a section.
 	 *
@@ -121,12 +252,46 @@ struct settings_t {
 	 * Create an enumerator over key/value pairs in a section.
 	 *
 	 * @param section	section name to list key/value pairs of, printf style
-	 * @param ...		argmuent list for section
+	 * @param ...		argument list for section
 	 * @return			enumerator over (char *key, char *value)
 	 */
 	enumerator_t* (*create_key_value_enumerator)(settings_t *this,
 												 char *section, ...);
 
+	/**
+	 * Load settings from the files matching the given pattern.
+	 *
+	 * Existing sections are extended, existing values replaced, by those found
+	 * in the loaded files.
+	 *
+	 * @note If any of the files matching the pattern fails to load, no settings
+	 * are added at all. So, it's all or nothing.
+	 *
+	 * @param pattern	file pattern
+	 * @return			TRUE, if settings were loaded successfully
+	 */
+	bool (*load_files)(settings_t *this, char *pattern);
+
+	/**
+	 * Load settings from the files matching the given pattern.
+	 *
+	 * Existing sections are extended, existing values replaced, by those found
+	 * in the loaded files.
+	 *
+	 * All settings are loaded relative to the given section. The section is
+	 * created, if it does not yet exist.
+	 *
+	 * @note If any of the files matching the pattern fails to load, no settings
+	 * are added at all. So, it's all or nothing.
+	 *
+	 * @param pattern	file pattern
+	 * @param section	section name of parent section, printf style
+	 * @param ...		argument list for section
+	 * @return			TRUE, if settings were loaded successfully
+	 */
+	bool (*load_files_section)(settings_t *this, char *pattern,
+							   char *section, ...);
+
 	/**
 	 * Destroy a settings instance.
 	 */
diff --git a/src/libstrongswan/utils.c b/src/libstrongswan/utils.c
index b868d538d..2ab061a74 100644
--- a/src/libstrongswan/utils.c
+++ b/src/libstrongswan/utils.c
@@ -246,6 +246,14 @@ bool return_false()
 	return FALSE;
 }
 
+/**
+ * returns FAILED
+ */
+status_t return_failed()
+{
+	return FAILED;
+}
+
 /**
  * nop operation
  */
diff --git a/src/libstrongswan/utils.h b/src/libstrongswan/utils.h
index 35d3bebd1..ed61895ee 100644
--- a/src/libstrongswan/utils.h
+++ b/src/libstrongswan/utils.h
@@ -57,7 +57,7 @@
 #define streq(x,y) (strcmp(x, y) == 0)
 
 /**
- * Macro compares two strings for equality
+ * Macro compares two strings for equality, length limited
  */
 #define strneq(x,y,len) (strncmp(x, y, len) == 0)
 
@@ -66,6 +66,16 @@
  */
 #define strcaseeq(x,y) (strcasecmp(x, y) == 0)
 
+/**
+ * Macro compares two strings for equality ignoring case, length limited
+ */
+#define strncaseeq(x,y,len) (strncasecmp(x, y, len) == 0)
+
+/**
+ * NULL-safe strdup variant
+ */
+#define strdupnull(x) ({ char *_x = x; _x ? strdup(_x) : NULL; })
+
 /**
  * Macro compares two binary blobs for equality
  */
@@ -381,6 +391,11 @@ bool return_true();
  */
 bool return_false();
 
+/**
+ * returns FAILED
+ */
+status_t return_failed();
+
 /**
  * Write a 16-bit host order value in network order to an unaligned address.
  *
diff --git a/src/libstrongswan/utils/backtrace.c b/src/libstrongswan/utils/backtrace.c
index a67245194..41224e8c2 100644
--- a/src/libstrongswan/utils/backtrace.c
+++ b/src/libstrongswan/utils/backtrace.c
@@ -132,10 +132,11 @@ static void log_(private_backtrace_t *this, FILE *file, bool detailed)
 /**
  * Implementation of backtrace_t.contains_function
  */
-static bool contains_function(private_backtrace_t *this, char *function)
+static bool contains_function(private_backtrace_t *this,
+							  char *function[], int count)
 {
 #ifdef HAVE_DLADDR
-	int i;
+	int i, j;
 
 	for (i = 0; i< this->frame_count; i++)
 	{
@@ -143,9 +144,12 @@ static bool contains_function(private_backtrace_t *this, char *function)
 
 		if (dladdr(this->frames[i], &info) && info.dli_sname)
 		{
-			if (streq(info.dli_sname, function))
+			for (j = 0; j < count; j++)
 			{
-				return TRUE;
+				if (streq(info.dli_sname, function[j]))
+				{
+					return TRUE;
+				}
 			}
 		}
 	}
@@ -179,7 +183,7 @@ backtrace_t *backtrace_create(int skip)
 	this->frame_count = frame_count;
 
 	this->public.log = (void(*)(backtrace_t*,FILE*,bool))log_;
-	this->public.contains_function = (bool(*)(backtrace_t*, char *function))contains_function;
+	this->public.contains_function = (bool(*)(backtrace_t*, char *function[], int count))contains_function;
 	this->public.destroy = (void(*)(backtrace_t*))destroy;
 
 	return &this->public;
diff --git a/src/libstrongswan/utils/backtrace.h b/src/libstrongswan/utils/backtrace.h
index c6b0ec78f..e8ccfc1bd 100644
--- a/src/libstrongswan/utils/backtrace.h
+++ b/src/libstrongswan/utils/backtrace.h
@@ -41,12 +41,13 @@ struct backtrace_t {
 	void (*log)(backtrace_t *this, FILE *file, bool detailed);
 
 	/**
-	 * Check if the backtrace contains a frame in a specific function.
+	 * Check if the backtrace contains a frame having a function in a list.
 	 *
-	 * @param		function name
-	 * @return		TRUE if function is in the stack
+	 * @param		function name array
+	 * @param		number of elements in function array
+	 * @return		TRUE if one of the functions is in the stack
 	 */
-	bool (*contains_function)(backtrace_t *this, char *function);
+	bool (*contains_function)(backtrace_t *this, char *function[], int count);
 
 	/**
 	 * Destroy a backtrace instance.
diff --git a/src/libstrongswan/utils/hashtable.c b/src/libstrongswan/utils/hashtable.c
index dde57dc65..49b0bb68c 100644
--- a/src/libstrongswan/utils/hashtable.c
+++ b/src/libstrongswan/utils/hashtable.c
@@ -186,7 +186,7 @@ static void rehash(private_hashtable_t *this)
 	linked_list_t **old_table;
 	u_int row, old_capacity;
 
-	if (this->capacity < MAX_CAPACITY)
+	if (this->capacity >= MAX_CAPACITY)
 	{
 		return;
 	}
@@ -249,6 +249,7 @@ METHOD(hashtable_t, put, void*,
 			{
 				old_value = pair->value;
 				pair->value = value;
+				pair->key = key;
 				break;
 			}
 		}
diff --git a/src/libstrongswan/utils/host.c b/src/libstrongswan/utils/host.c
index 112d07e5c..ffeebd05c 100644
--- a/src/libstrongswan/utils/host.c
+++ b/src/libstrongswan/utils/host.c
@@ -476,6 +476,10 @@ host_t *host_create_from_dns(char *string, int af, u_int16_t port)
 	{
 		return host_create_any_port(af ? af : AF_INET6, port);
 	}
+	if (af == AF_INET && strchr(string, ':'))
+	{	/* do not try to convert v6 addresses for v4 family */
+		return NULL;
+	}
 
 	memset(&hints, 0, sizeof(hints));
 	hints.ai_family = af;
@@ -561,6 +565,41 @@ host_t *host_create_from_chunk(int family, chunk_t address, u_int16_t port)
 	return &this->public;
 }
 
+/*
+ * Described in header.
+ */
+host_t *host_create_from_subnet(char *string, int *bits)
+{
+	char *pos, buf[64];
+	host_t *net;
+
+	pos = strchr(string, '/');
+	if (pos)
+	{
+		if (pos - string >= sizeof(buf))
+		{
+			return NULL;
+		}
+		strncpy(buf, string, pos - string);
+		buf[pos - string] = '\0';
+		*bits = atoi(pos + 1);
+		return host_create_from_string(buf, 0);
+	}
+	net = host_create_from_string(buf, 0);
+	if (net)
+	{
+		if (net->get_family(net) == AF_INET)
+		{
+			*bits = 32;
+		}
+		else
+		{
+			*bits = 128;
+		}
+	}
+	return net;
+}
+
 /*
  * Described in header.
  */
diff --git a/src/libstrongswan/utils/host.h b/src/libstrongswan/utils/host.h
index f5796154c..0a1be6e47 100644
--- a/src/libstrongswan/utils/host.h
+++ b/src/libstrongswan/utils/host.h
@@ -189,6 +189,15 @@ host_t *host_create_from_chunk(int family, chunk_t address, u_int16_t port);
  */
 host_t *host_create_from_sockaddr(sockaddr_t *sockaddr);
 
+/**
+ * Create a host from a CIDR subnet definition (1.2.3.0/24), return bits.
+ *
+ * @param string		string to parse
+ * @param bits			gets the number of network bits in CIDR notation
+ * @return				network start address, NULL on error
+ */
+host_t *host_create_from_subnet(char *string, int *bits);
+
 /**
  * Create a host without an address, a "any" host.
  *
diff --git a/src/libstrongswan/utils/identification.c b/src/libstrongswan/utils/identification.c
index 0696c1030..fd2716deb 100644
--- a/src/libstrongswan/utils/identification.c
+++ b/src/libstrongswan/utils/identification.c
@@ -281,11 +281,13 @@ static void dntoa(chunk_t dn, char *buf, size_t len)
 	chunk_t oid_data, data, printable;
 	u_char type;
 	int oid, written;
-	bool finished = FALSE;
+	bool finished = FALSE, empty = TRUE;
 
 	e = create_rdn_enumerator(dn);
 	while (e->enumerate(e, &oid_data, &type, &data))
 	{
+		empty = FALSE;
+
 		oid = asn1_known_oid(oid_data);
 
 		if (oid == OID_UNKNOWN)
@@ -329,7 +331,11 @@ static void dntoa(chunk_t dn, char *buf, size_t len)
 			break;
 		}
 	}
-	if (!finished)
+	if (empty)
+	{
+		snprintf(buf, len, "");
+	}
+	else if (!finished)
 	{
 		snprintf(buf, len, "(invalid ID_DER_ASN1_DN)");
 	}
diff --git a/src/libstrongswan/utils/leak_detective.c b/src/libstrongswan/utils/leak_detective.c
index 5673fc32d..52e92951b 100644
--- a/src/libstrongswan/utils/leak_detective.c
+++ b/src/libstrongswan/utils/leak_detective.c
@@ -218,24 +218,22 @@ char *whitelist[] = {
 	"gcry_create_nonce",
 	/* NSPR */
 	"PR_CallOnce",
+	/* libapr */
+	"apr_pool_create_ex",
+	/* glib */
+	"g_type_init_with_debug_flags",
+	"g_type_register_static",
+	"g_type_class_ref",
+	"g_type_create_instance",
+	"g_type_add_interface_static",
+	"g_type_interface_add_prerequisite",
+	"g_socket_connection_factory_lookup_type",
+	/* libgpg */
+	"gpg_err_init",
+	/* gnutls */
+	"gnutls_global_init",
 };
 
-/**
- * check if a stack frame contains functions listed above
- */
-static bool is_whitelisted(backtrace_t *backtrace)
-{
-	int i;
-	for (i = 0; i < sizeof(whitelist)/sizeof(char*); i++)
-	{
-		if (backtrace->contains_function(backtrace, whitelist[i]))
-		{
-			return TRUE;
-		}
-	}
-	return FALSE;
-}
-
 /**
  * Report leaks at library destruction
  */
@@ -248,7 +246,8 @@ static void report(private_leak_detective_t *this, bool detailed)
 
 		for (hdr = first_header.next; hdr != NULL; hdr = hdr->next)
 		{
-			if (is_whitelisted(hdr->backtrace))
+			if (hdr->backtrace->contains_function(hdr->backtrace,
+											whitelist, countof(whitelist)))
 			{
 				whitelisted++;
 			}
diff --git a/src/libstrongswan/utils/optionsfrom.c b/src/libstrongswan/utils/optionsfrom.c
index d8f635c62..e51780290 100644
--- a/src/libstrongswan/utils/optionsfrom.c
+++ b/src/libstrongswan/utils/optionsfrom.c
@@ -61,11 +61,8 @@ struct private_options_t {
 	char *buffers[MAX_USES];
 };
 
-/**
- * Defined in header
- */
-bool from(private_options_t *this, char *filename, int *argcp, char **argvp[],
-		  int optind)
+METHOD(options_t, from, bool,
+	private_options_t *this, char *filename, int *argcp, char **argvp[], int optind)
 {
 	int newargc;
 	int next;			/* place for next argument */
@@ -182,10 +179,8 @@ bool from(private_options_t *this, char *filename, int *argcp, char **argvp[],
 	return good;
 }
 
-/**
- * Defined in header
- */
-void destroy(private_options_t *this)
+METHOD(options_t, destroy, void,
+	private_options_t *this)
 {
 	while (this->nuses >= 0)
 	{
@@ -200,17 +195,16 @@ void destroy(private_options_t *this)
  */
 options_t *options_create(void)
 {
-	private_options_t *this = malloc_thing(private_options_t);
+	private_options_t *this;
 
-	/* initialize */
-	this->newargv = NULL;
-	this->room = 0;
-	this->nuses = -1;
-	memset(this->buffers, '\0', MAX_USES);
+	INIT(this,
+		.public = {
+			.from = _from,
+			.destroy = _destroy,
 
-	/* public functions */
-	this->public.from = (bool (*) (options_t*,char*,int*,char***,int))from;
-	this->public.destroy = (void (*) (options_t*))destroy;
+		},
+		.nuses = -1,
+	);
 
 	return &this->public;
 }
diff --git a/src/libtls/Makefile.in b/src/libtls/Makefile.in
index 9f0a817f5..93e8b4a9b 100644
--- a/src/libtls/Makefile.in
+++ b/src/libtls/Makefile.in
@@ -195,9 +195,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -236,6 +234,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libtls/tls.h b/src/libtls/tls.h
index 1908f5dd4..e2c377ad3 100644
--- a/src/libtls/tls.h
+++ b/src/libtls/tls.h
@@ -202,7 +202,7 @@ struct tls_t {
 	/**
 	 * Check if TLS negotiation completed successfully.
 	 *
-	 * @return			TRUE if TLS negotation and authentication complete
+	 * @return			TRUE if TLS negotiation and authentication complete
 	 */
 	bool (*is_complete)(tls_t *this);
 
diff --git a/src/libtls/tls_crypto.c b/src/libtls/tls_crypto.c
index 78f2a796d..b4eaf4d79 100644
--- a/src/libtls/tls_crypto.c
+++ b/src/libtls/tls_crypto.c
@@ -626,15 +626,18 @@ static void filter_suite(private_tls_crypto_t *this,
 						 suite_algs_t suites[], int *count, int offset,
 						 enumerator_t*(*create_enumerator)(crypto_factory_t*))
 {
+	const char *plugin_name;
 	suite_algs_t current;
-	int i, remaining = 0;
+	int *current_alg, i, remaining = 0;
 	enumerator_t *enumerator;
 
 	memset(&current, 0, sizeof(current));
+	current_alg = (int*)((char*)&current + offset);
+
 	for (i = 0; i < *count; i++)
 	{
 		enumerator = create_enumerator(lib->crypto);
-		while (enumerator->enumerate(enumerator, ((char*)&current) + offset))
+		while (enumerator->enumerate(enumerator, current_alg, &plugin_name))
 		{
 			if ((suites[i].encr == ENCR_NULL ||
 				 !current.encr || current.encr == suites[i].encr) &&
@@ -1060,10 +1063,11 @@ METHOD(tls_crypto_t, get_signature_algorithms, void,
 	enumerator_t *enumerator;
 	hash_algorithm_t alg;
 	tls_hash_algorithm_t hash;
+	const char *plugin_name;
 
 	supported = tls_writer_create(32);
 	enumerator = lib->crypto->create_hasher_enumerator(lib->crypto);
-	while (enumerator->enumerate(enumerator, &alg))
+	while (enumerator->enumerate(enumerator, &alg, &plugin_name))
 	{
 		switch (alg)
 		{
diff --git a/src/libtls/tls_eap.c b/src/libtls/tls_eap.c
index a8c3a5053..8204a3441 100644
--- a/src/libtls/tls_eap.c
+++ b/src/libtls/tls_eap.c
@@ -303,17 +303,21 @@ METHOD(tls_eap_t, process, status_t,
 			DBG2(DBG_TLS, "received %N acknowledgement packet",
 				 eap_type_names, this->type);
 			status = build_pkt(this, pkt->identifier, out);
-			if (status == INVALID_STATE &&
-				this->tls->is_complete(this->tls))
+			if (status == INVALID_STATE && this->tls->is_complete(this->tls))
 			{
 				return SUCCESS;
 			}
 			return status;
 		}
 		status = process_pkt(this, pkt);
-		if (status != NEED_MORE)
+		switch (status)
 		{
-			return status;
+			case NEED_MORE:
+				break;
+			case SUCCESS:
+				return this->tls->is_complete(this->tls) ? SUCCESS : FAILED;
+			default:
+				return status;
 		}
 	}
 	status = build_pkt(this, pkt->identifier, out);
diff --git a/src/libtls/tls_reader.c b/src/libtls/tls_reader.c
index 17ec68fd5..2b3cd8cac 100644
--- a/src/libtls/tls_reader.c
+++ b/src/libtls/tls_reader.c
@@ -52,8 +52,8 @@ METHOD(tls_reader_t, read_uint8, bool,
 {
 	if (this->buf.len < 1)
 	{
-		DBG1(DBG_TLS, "%d bytes insufficient to parse uint%d TLS data",
-			 this->buf.len, 8);
+		DBG1(DBG_TLS, "%d bytes insufficient to parse u_int8 data",
+			 this->buf.len);
 		return FALSE;
 	}
 	*res = this->buf.ptr[0];
@@ -66,8 +66,8 @@ METHOD(tls_reader_t, read_uint16, bool,
 {
 	if (this->buf.len < 2)
 	{
-		DBG1(DBG_TLS, "%d bytes insufficient to parse uint%d TLS data",
-			 this->buf.len, 16);
+		DBG1(DBG_TLS, "%d bytes insufficient to parse u_int16 data",
+			 this->buf.len);
 		return FALSE;
 	}
 	*res = untoh16(this->buf.ptr);
@@ -80,8 +80,8 @@ METHOD(tls_reader_t, read_uint24, bool,
 {
 	if (this->buf.len < 3)
 	{
-		DBG1(DBG_TLS, "%d bytes insufficient to parse uint%d TLS data",
-			 this->buf.len, 24);
+		DBG1(DBG_TLS, "%d bytes insufficient to parse u_int24 data",
+			 this->buf.len);
 		return FALSE;
 	}
 	*res = untoh32(this->buf.ptr) >> 8;
@@ -94,8 +94,8 @@ METHOD(tls_reader_t, read_uint32, bool,
 {
 	if (this->buf.len < 4)
 	{
-		DBG1(DBG_TLS, "%d bytes insufficient to parse uint%d TLS data",
-			 this->buf.len, 32);
+		DBG1(DBG_TLS, "%d bytes insufficient to parse u_int32 data",
+			 this->buf.len);
 		return FALSE;
 	}
 	*res = untoh32(this->buf.ptr);
@@ -108,7 +108,7 @@ METHOD(tls_reader_t, read_data, bool,
 {
 	if (this->buf.len < len)
 	{
-		DBG1(DBG_TLS, "%d bytes insufficient to parse %d bytes TLS data",
+		DBG1(DBG_TLS, "%d bytes insufficient to parse %d bytes of data",
 			 this->buf.len, len);
 		return FALSE;
 	}
diff --git a/src/libtls/tls_writer.c b/src/libtls/tls_writer.c
index 235dc2cdf..e87c2efea 100644
--- a/src/libtls/tls_writer.c
+++ b/src/libtls/tls_writer.c
@@ -226,7 +226,7 @@ tls_writer_t *tls_writer_create(u_int32_t bufsize)
 			.get_buf = _get_buf,
 			.destroy = _destroy,
 		},
-		.increase = bufsize ?: 32,
+		.increase = bufsize ? max(bufsize, 4) : 32,
 	);
 	if (bufsize)
 	{
diff --git a/src/manager/Makefile.in b/src/manager/Makefile.in
index 5073d9686..2e139f839 100644
--- a/src/manager/Makefile.in
+++ b/src/manager/Makefile.in
@@ -236,9 +236,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -277,6 +275,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/medsrv/Makefile.in b/src/medsrv/Makefile.in
index 07315cfd2..9c9662f7f 100644
--- a/src/medsrv/Makefile.in
+++ b/src/medsrv/Makefile.in
@@ -226,9 +226,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -267,6 +265,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/openac/Makefile.in b/src/openac/Makefile.in
index fcac66226..ec4657e55 100644
--- a/src/openac/Makefile.in
+++ b/src/openac/Makefile.in
@@ -220,9 +220,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -261,6 +259,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/pki/Makefile.in b/src/pki/Makefile.in
index 0ec6f9c0b..c6651fdf5 100644
--- a/src/pki/Makefile.in
+++ b/src/pki/Makefile.in
@@ -197,9 +197,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -238,6 +236,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/pki/command.c b/src/pki/command.c
index b9c35d99b..0142b4ab7 100644
--- a/src/pki/command.c
+++ b/src/pki/command.c
@@ -201,7 +201,7 @@ int command_usage(char *error)
 		}
 		for (i = 0; cmds[active].options[i].name; i++)
 		{
-			fprintf(out, "        --%-8s (-%c)  %s\n",
+			fprintf(out, "        --%-15s (-%c)  %s\n",
 					cmds[active].options[i].name, cmds[active].options[i].op,
 					cmds[active].options[i].desc);
 		}
diff --git a/src/pki/command.h b/src/pki/command.h
index fad598c0b..a6f8bc758 100644
--- a/src/pki/command.h
+++ b/src/pki/command.h
@@ -29,7 +29,7 @@
 /**
  * Maximum number of options in a command (+1)
  */
-#define MAX_OPTIONS 20
+#define MAX_OPTIONS 32
 
 /**
  * Maximum number of usage summary lines (+1)
diff --git a/src/pki/commands/issue.c b/src/pki/commands/issue.c
index 8ea852e31..6a5686d92 100644
--- a/src/pki/commands/issue.c
+++ b/src/pki/commands/issue.c
@@ -18,11 +18,40 @@
 #include "pki.h"
 
 #include <debug.h>
+#include <asn1/asn1.h>
 #include <utils/linked_list.h>
 #include <credentials/certificates/certificate.h>
 #include <credentials/certificates/x509.h>
 #include <credentials/certificates/pkcs10.h>
 
+/**
+ * Free cert policy with OID
+ */
+static void destroy_cert_policy(x509_cert_policy_t *policy)
+{
+	free(policy->oid.ptr);
+	free(policy);
+}
+
+/**
+ * Free policy mapping
+ */
+static void destroy_policy_mapping(x509_policy_mapping_t *mapping)
+{
+	free(mapping->issuer.ptr);
+	free(mapping->subject.ptr);
+	free(mapping);
+}
+
+/**
+ * Free a CRL DistributionPoint
+ */
+static void destroy_cdp(x509_cdp_t *this)
+{
+	DESTROY_IF(this->issuer);
+	free(this);
+}
+
 /**
  * Issue a certificate using a CA certificate and key
  */
@@ -37,19 +66,26 @@ static int issue()
 	char *file = NULL, *dn = NULL, *hex = NULL, *cacert = NULL, *cakey = NULL;
 	char *error = NULL, *keyid = NULL;
 	identification_t *id = NULL;
-	linked_list_t *san, *cdps, *ocsp;
+	linked_list_t *san, *cdps, *ocsp, *permitted, *excluded, *policies, *mappings;
 	int lifetime = 1095;
-	int pathlen = X509_NO_PATH_LEN_CONSTRAINT;
+	int pathlen = X509_NO_CONSTRAINT, inhibit_any = X509_NO_CONSTRAINT;
+	int inhibit_mapping = X509_NO_CONSTRAINT, require_explicit = X509_NO_CONSTRAINT;
 	chunk_t serial = chunk_empty;
 	chunk_t encoding = chunk_empty;
 	time_t not_before, not_after;
 	x509_flag_t flags = 0;
 	x509_t *x509;
+	x509_cdp_t *cdp = NULL;
+	x509_cert_policy_t *policy = NULL;
 	char *arg;
 
 	san = linked_list_create();
 	cdps = linked_list_create();
 	ocsp = linked_list_create();
+	permitted = linked_list_create();
+	excluded = linked_list_create();
+	policies = linked_list_create();
+	mappings = linked_list_create();
 
 	while (TRUE)
 	{
@@ -111,6 +147,79 @@ static int issue()
 			case 'p':
 				pathlen = atoi(arg);
 				continue;
+			case 'n':
+				permitted->insert_last(permitted,
+									   identification_create_from_string(arg));
+				continue;
+			case 'N':
+				excluded->insert_last(excluded,
+									  identification_create_from_string(arg));
+				continue;
+			case 'P':
+			{
+				chunk_t oid;
+
+				oid = asn1_oid_from_string(arg);
+				if (!oid.len)
+				{
+					error = "--cert-policy OID invalid";
+					goto usage;
+				}
+				INIT(policy,
+					.oid = oid,
+				);
+				policies->insert_last(policies, policy);
+				continue;
+			}
+			case 'C':
+				if (!policy)
+				{
+					error = "--cps-uri must follow a --cert-policy";
+					goto usage;
+				}
+				policy->cps_uri = arg;
+				continue;
+			case 'U':
+				if (!policy)
+				{
+					error = "--user-notice must follow a --cert-policy";
+					goto usage;
+				}
+				policy->unotice_text = arg;
+				continue;
+			case 'M':
+			{
+				char *pos = strchr(arg, ':');
+				x509_policy_mapping_t *mapping;
+				chunk_t subject_oid, issuer_oid;
+
+				if (pos)
+				{
+					*pos++ = '\0';
+					issuer_oid = asn1_oid_from_string(arg);
+					subject_oid = asn1_oid_from_string(pos);
+				}
+				if (!pos || !issuer_oid.len || !subject_oid.len)
+				{
+					error = "--policy-map OIDs invalid";
+					goto usage;
+				}
+				INIT(mapping,
+					.issuer = issuer_oid,
+					.subject = subject_oid,
+				);
+				mappings->insert_last(mappings, mapping);
+				continue;
+			}
+			case 'E':
+				require_explicit = atoi(arg);
+				continue;
+			case 'H':
+				inhibit_mapping = atoi(arg);
+				continue;
+			case 'A':
+				inhibit_any = atoi(arg);
+				continue;
 			case 'e':
 				if (streq(arg, "serverAuth"))
 				{
@@ -120,6 +229,10 @@ static int issue()
 				{
 					flags |= X509_CLIENT_AUTH;
 				}
+				else if (streq(arg, "crlSign"))
+				{
+					flags |= X509_CRL_SIGN;
+				}
 				else if (streq(arg, "ocspSigning"))
 				{
 					flags |= X509_OCSP_SIGNER;
@@ -128,11 +241,23 @@ static int issue()
 			case 'f':
 				if (!get_form(arg, &form, CRED_CERTIFICATE))
 				{
-					return command_usage("invalid output format");
+					error = "invalid output format";
+					goto usage;
 				}
 				continue;
 			case 'u':
-				cdps->insert_last(cdps, arg);
+				INIT(cdp,
+					.uri = arg,
+				);
+				cdps->insert_last(cdps, cdp);
+				continue;
+			case 'I':
+				if (!cdp || cdp->issuer)
+				{
+					error = "--crlissuer must follow a --crl";
+					goto usage;
+				}
+				cdp->issuer = identification_create_from_string(arg);
 				continue;
 			case 'o':
 				ocsp->insert_last(ocsp, arg);
@@ -145,12 +270,6 @@ static int issue()
 		}
 		break;
 	}
-
-	if (!pkcs10 && !dn)
-	{
-		error = "--dn is required";
-		goto usage;
-	}
 	if (!cacert)
 	{
 		error = "--cacert is required";
@@ -161,7 +280,7 @@ static int issue()
 		error = "--cakey or --keyid is required";
 		goto usage;
 	}
-	if (dn)
+	if (dn && *dn)
 	{
 		id = identification_create_from_string(dn);
 		if (id->get_type(id) != ID_DER_ASN1_DN)
@@ -306,6 +425,12 @@ static int issue()
 		goto end;
 	}
 
+	if (!id)
+	{
+		id = identification_create_from_encoding(ID_DER_ASN1_DN,
+										chunk_from_chars(ASN1_SEQUENCE, 0));
+	}
+
 	not_before = time(NULL);
 	not_after = not_before + lifetime * 24 * 60 * 60;
 
@@ -317,7 +442,15 @@ static int issue()
 					BUILD_SUBJECT_ALTNAMES, san, BUILD_X509_FLAG, flags,
 					BUILD_PATHLEN, pathlen,
 					BUILD_CRL_DISTRIBUTION_POINTS, cdps,
-					BUILD_OCSP_ACCESS_LOCATIONS, ocsp, BUILD_END);
+					BUILD_OCSP_ACCESS_LOCATIONS, ocsp,
+					BUILD_PERMITTED_NAME_CONSTRAINTS, permitted,
+					BUILD_EXCLUDED_NAME_CONSTRAINTS, excluded,
+					BUILD_CERTIFICATE_POLICIES, policies,
+					BUILD_POLICY_MAPPINGS, mappings,
+					BUILD_POLICY_REQUIRE_EXPLICIT, require_explicit,
+					BUILD_POLICY_INHIBIT_MAPPING, inhibit_mapping,
+					BUILD_POLICY_INHIBIT_ANY, inhibit_any,
+					BUILD_END);
 	if (!cert)
 	{
 		error = "generating certificate failed";
@@ -342,7 +475,11 @@ end:
 	DESTROY_IF(public);
 	DESTROY_IF(private);
 	san->destroy_offset(san, offsetof(identification_t, destroy));
-	cdps->destroy(cdps);
+	permitted->destroy_offset(permitted, offsetof(identification_t, destroy));
+	excluded->destroy_offset(excluded, offsetof(identification_t, destroy));
+	policies->destroy_function(policies, (void*)destroy_cert_policy);
+	mappings->destroy_function(mappings, (void*)destroy_policy_mapping);
+	cdps->destroy_function(cdps, (void*)destroy_cdp);
 	ocsp->destroy(ocsp);
 	free(encoding.ptr);
 	free(serial.ptr);
@@ -356,7 +493,11 @@ end:
 
 usage:
 	san->destroy_offset(san, offsetof(identification_t, destroy));
-	cdps->destroy(cdps);
+	permitted->destroy_offset(permitted, offsetof(identification_t, destroy));
+	excluded->destroy_offset(excluded, offsetof(identification_t, destroy));
+	policies->destroy_function(policies, (void*)destroy_cert_policy);
+	mappings->destroy_function(mappings, (void*)destroy_policy_mapping);
+	cdps->destroy_function(cdps, (void*)destroy_cdp);
 	ocsp->destroy(ocsp);
 	return command_usage(error);
 }
@@ -370,28 +511,42 @@ static void __attribute__ ((constructor))reg()
 		issue, 'i', "issue",
 		"issue a certificate using a CA certificate and key",
 		{"[--in file] [--type pub|pkcs10] --cakey file | --cakeyid hex",
-		 " --cacert file --dn subject-dn [--san subjectAltName]+",
-		 "[--lifetime days] [--serial hex] [--crl uri]+ [--ocsp uri]+",
-		 "[--ca] [--pathlen len] [--flag serverAuth|clientAuth|ocspSigning]+",
+		 " --cacert file [--dn subject-dn] [--san subjectAltName]+",
+		 "[--lifetime days] [--serial hex] [--crl uri [--crlissuer i] ]+ [--ocsp uri]+",
+		 "[--ca] [--pathlen len] [--flag serverAuth|clientAuth|crlSign|ocspSigning]+",
+		 "[--nc-permitted name] [--nc-excluded name]",
+		 "[--cert-policy oid [--cps-uri uri] [--user-notice text] ]+",
+		 "[--policy-map issuer-oid:subject-oid]",
+		 "[--policy-explicit len] [--policy-inhibit len] [--policy-any len]",
 		 "[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]"},
 		{
-			{"help",	'h', 0, "show usage information"},
-			{"in",		'i', 1, "public key/request file to issue, default: stdin"},
-			{"type",	't', 1, "type of input, default: pub"},
-			{"cacert",	'c', 1, "CA certificate file"},
-			{"cakey",	'k', 1, "CA private key file"},
-			{"cakeyid",	'x', 1, "keyid on smartcard of CA private key"},
-			{"dn",		'd', 1, "distinguished name to include as subject"},
-			{"san",		'a', 1, "subjectAltName to include in certificate"},
-			{"lifetime",'l', 1, "days the certificate is valid, default: 1095"},
-			{"serial",	's', 1, "serial number in hex, default: random"},
-			{"ca",		'b', 0, "include CA basicConstraint, default: no"},
-			{"pathlen",	'p', 1, "set path length constraint"},
-			{"flag",	'e', 1, "include extendedKeyUsage flag"},
-			{"crl",		'u', 1, "CRL distribution point URI to include"},
-			{"ocsp",	'o', 1, "OCSP AuthorityInfoAccess URI to include"},
-			{"digest",	'g', 1, "digest for signature creation, default: sha1"},
-			{"outform",	'f', 1, "encoding of generated cert, default: der"},
+			{"help",			'h', 0, "show usage information"},
+			{"in",				'i', 1, "public key/request file to issue, default: stdin"},
+			{"type",			't', 1, "type of input, default: pub"},
+			{"cacert",			'c', 1, "CA certificate file"},
+			{"cakey",			'k', 1, "CA private key file"},
+			{"cakeyid",			'x', 1, "keyid on smartcard of CA private key"},
+			{"dn",				'd', 1, "distinguished name to include as subject"},
+			{"san",				'a', 1, "subjectAltName to include in certificate"},
+			{"lifetime",		'l', 1, "days the certificate is valid, default: 1095"},
+			{"serial",			's', 1, "serial number in hex, default: random"},
+			{"ca",				'b', 0, "include CA basicConstraint, default: no"},
+			{"pathlen",			'p', 1, "set path length constraint"},
+			{"nc-permitted",	'n', 1, "add permitted NameConstraint"},
+			{"nc-excluded",		'N', 1, "add excluded NameConstraint"},
+			{"cert-policy",		'P', 1, "certificatePolicy OID to include"},
+			{"cps-uri",			'C', 1, "Certification Practice statement URI for certificatePolicy"},
+			{"user-notice",		'U', 1, "user notice for certificatePolicy"},
+			{"policy-mapping",	'M', 1, "policyMapping from issuer to subject OID"},
+			{"policy-explicit",	'E', 1, "requireExplicitPolicy constraint"},
+			{"policy-inhibit",	'H', 1, "inhibitPolicyMapping constraint"},
+			{"policy-any",		'A', 1, "inhibitAnyPolicy constraint"},
+			{"flag",			'e', 1, "include extendedKeyUsage flag"},
+			{"crl",				'u', 1, "CRL distribution point URI to include"},
+			{"crlissuer",		'I', 1, "CRL Issuer for CRL at distribution point"},
+			{"ocsp",			'o', 1, "OCSP AuthorityInfoAccess URI to include"},
+			{"digest",			'g', 1, "digest for signature creation, default: sha1"},
+			{"outform",			'f', 1, "encoding of generated cert, default: der"},
 		}
 	});
 }
diff --git a/src/pki/commands/print.c b/src/pki/commands/print.c
index 870dca920..ee6f30c98 100644
--- a/src/pki/commands/print.c
+++ b/src/pki/commands/print.c
@@ -15,6 +15,7 @@
 
 #include "pki.h"
 
+#include <asn1/asn1.h>
 #include <credentials/certificates/certificate.h>
 #include <credentials/certificates/x509.h>
 #include <credentials/certificates/crl.h>
@@ -72,8 +73,11 @@ static void print_x509(x509_t *x509)
 	chunk_t chunk;
 	bool first;
 	char *uri;
-	int len;
+	int len, explicit, inhibit;
 	x509_flag_t flags;
+	x509_cdp_t *cdp;
+	x509_cert_policy_t *policy;
+	x509_policy_mapping_t *mapping;
 
 	chunk = x509->get_serial(x509);
 	printf("serial:    %#B\n", &chunk);
@@ -105,6 +109,10 @@ static void print_x509(x509_t *x509)
 	{
 		printf("CA ");
 	}
+	if (flags & X509_CRL_SIGN)
+	{
+		printf("CRLSign ");
+	}
 	if (flags & X509_AA)
 	{
 		printf("AA ");
@@ -133,17 +141,22 @@ static void print_x509(x509_t *x509)
 
 	first = TRUE;
 	enumerator = x509->create_crl_uri_enumerator(x509);
-	while (enumerator->enumerate(enumerator, &uri))
+	while (enumerator->enumerate(enumerator, &cdp))
 	{
 		if (first)
 		{
-			printf("CRL URIs:  %s\n", uri);
+			printf("CRL URIs:  %s", cdp->uri);
 			first = FALSE;
 		}
 		else
 		{
-			printf("           %s\n", uri);
+			printf("           %s", cdp->uri);
+		}
+		if (cdp->issuer)
+		{
+			printf(" (CRL issuer: %Y)", cdp->issuer);
 		}
+		printf("\n");
 	}
 	enumerator->destroy(enumerator);
 
@@ -163,12 +176,111 @@ static void print_x509(x509_t *x509)
 	}
 	enumerator->destroy(enumerator);
 
-	len = x509->get_pathLenConstraint(x509);
-	if (len != X509_NO_PATH_LEN_CONSTRAINT)
+	len = x509->get_constraint(x509, X509_PATH_LEN);
+	if (len != X509_NO_CONSTRAINT)
 	{
 		printf("pathlen:   %d\n", len);
 	}
 
+	first = TRUE;
+	enumerator = x509->create_name_constraint_enumerator(x509, TRUE);
+	while (enumerator->enumerate(enumerator, &id))
+	{
+		if (first)
+		{
+			printf("Permitted NameConstraints:\n");
+			first = FALSE;
+		}
+		printf("           %Y\n", id);
+	}
+	enumerator->destroy(enumerator);
+	first = TRUE;
+	enumerator = x509->create_name_constraint_enumerator(x509, FALSE);
+	while (enumerator->enumerate(enumerator, &id))
+	{
+		if (first)
+		{
+			printf("Excluded NameConstraints:\n");
+			first = FALSE;
+		}
+		printf("           %Y\n", id);
+	}
+	enumerator->destroy(enumerator);
+
+	first = TRUE;
+	enumerator = x509->create_cert_policy_enumerator(x509);
+	while (enumerator->enumerate(enumerator, &policy))
+	{
+		char *oid;
+
+		if (first)
+		{
+			printf("CertificatePolicies:\n");
+			first = FALSE;
+		}
+		oid = asn1_oid_to_string(policy->oid);
+		if (oid)
+		{
+			printf("           %s\n", oid);
+			free(oid);
+		}
+		else
+		{
+			printf("           %#B\n", &policy->oid);
+		}
+		if (policy->cps_uri)
+		{
+			printf("             CPS: %s\n", policy->cps_uri);
+		}
+		if (policy->unotice_text)
+		{
+			printf("             Notice: %s\n", policy->unotice_text);
+
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	first = TRUE;
+	enumerator = x509->create_policy_mapping_enumerator(x509);
+	while (enumerator->enumerate(enumerator, &mapping))
+	{
+		char *issuer_oid, *subject_oid;
+
+		if (first)
+		{
+			printf("PolicyMappings:\n");
+			first = FALSE;
+		}
+		issuer_oid = asn1_oid_to_string(mapping->issuer);
+		subject_oid = asn1_oid_to_string(mapping->subject);
+		printf("           %s => %s\n", issuer_oid, subject_oid);
+		free(issuer_oid);
+		free(subject_oid);
+	}
+	enumerator->destroy(enumerator);
+
+	explicit = x509->get_constraint(x509, X509_REQUIRE_EXPLICIT_POLICY);
+	inhibit = x509->get_constraint(x509, X509_INHIBIT_POLICY_MAPPING);
+	len = x509->get_constraint(x509, X509_INHIBIT_ANY_POLICY);
+
+	if (explicit != X509_NO_CONSTRAINT || inhibit != X509_NO_CONSTRAINT ||
+		len != X509_NO_CONSTRAINT)
+	{
+		printf("PolicyConstraints:\n");
+		if (explicit != X509_NO_CONSTRAINT)
+		{
+			printf("           requireExplicitPolicy: %d\n", explicit);
+		}
+		if (inhibit != X509_NO_CONSTRAINT)
+		{
+			printf("           inhibitPolicyMapping: %d\n", inhibit);
+		}
+		if (len != X509_NO_CONSTRAINT)
+		{
+			printf("           inhibitAnyPolicy: %d\n", len);
+		}
+	}
+
 	chunk = x509->get_authKeyIdentifier(x509);
 	if (chunk.ptr)
 	{
@@ -212,14 +324,41 @@ static void print_crl(crl_t *crl)
 	crl_reason_t reason;
 	chunk_t chunk;
 	int count = 0;
+	bool first;
 	char buf[64];
 	struct tm tm;
+	x509_cdp_t *cdp;
 
 	chunk = crl->get_serial(crl);
 	printf("serial:    %#B\n", &chunk);
+	if (crl->is_delta_crl(crl, &chunk))
+	{
+		printf("delta CRL: for serial %#B\n", &chunk);
+	}
 	chunk = crl->get_authKeyIdentifier(crl);
 	printf("authKeyId: %#B\n", &chunk);
 
+	first = TRUE;
+	enumerator = crl->create_delta_crl_uri_enumerator(crl);
+	while (enumerator->enumerate(enumerator, &cdp))
+	{
+		if (first)
+		{
+			printf("freshest:  %s", cdp->uri);
+			first = FALSE;
+		}
+		else
+		{
+			printf("           %s", cdp->uri);
+		}
+		if (cdp->issuer)
+		{
+			printf(" (CRL issuer: %Y)", cdp->issuer);
+		}
+		printf("\n");
+	}
+	enumerator->destroy(enumerator);
+
 	enumerator = crl->create_enumerator(crl);
 	while (enumerator->enumerate(enumerator, &chunk, &ts, &reason))
 	{
diff --git a/src/pki/commands/self.c b/src/pki/commands/self.c
index 5e6f0bd14..c7788ff62 100644
--- a/src/pki/commands/self.c
+++ b/src/pki/commands/self.c
@@ -20,6 +20,26 @@
 #include <utils/linked_list.h>
 #include <credentials/certificates/certificate.h>
 #include <credentials/certificates/x509.h>
+#include <asn1/asn1.h>
+
+/**
+ * Free cert policy with OID
+ */
+static void destroy_cert_policy(x509_cert_policy_t *policy)
+{
+	free(policy->oid.ptr);
+	free(policy);
+}
+
+/**
+ * Free policy mapping
+ */
+static void destroy_policy_mapping(x509_policy_mapping_t *mapping)
+{
+	free(mapping->issuer.ptr);
+	free(mapping->subject.ptr);
+	free(mapping);
+}
 
 /**
  * Create a self signed certificate.
@@ -34,17 +54,23 @@ static int self()
 	public_key_t *public = NULL;
 	char *file = NULL, *dn = NULL, *hex = NULL, *error = NULL, *keyid = NULL;
 	identification_t *id = NULL;
-	linked_list_t *san, *ocsp;
+	linked_list_t *san, *ocsp, *permitted, *excluded, *policies, *mappings;
 	int lifetime = 1095;
-	int pathlen = X509_NO_PATH_LEN_CONSTRAINT;
+	int pathlen = X509_NO_CONSTRAINT, inhibit_any = X509_NO_CONSTRAINT;
+	int inhibit_mapping = X509_NO_CONSTRAINT, require_explicit = X509_NO_CONSTRAINT;
 	chunk_t serial = chunk_empty;
 	chunk_t encoding = chunk_empty;
 	time_t not_before, not_after;
 	x509_flag_t flags = 0;
+	x509_cert_policy_t *policy = NULL;
 	char *arg;
 
 	san = linked_list_create();
 	ocsp = linked_list_create();
+	permitted = linked_list_create();
+	excluded = linked_list_create();
+	policies = linked_list_create();
+	mappings = linked_list_create();
 
 	while (TRUE)
 	{
@@ -104,6 +130,79 @@ static int self()
 			case 'p':
 				pathlen = atoi(arg);
 				continue;
+			case 'n':
+				permitted->insert_last(permitted,
+									   identification_create_from_string(arg));
+				continue;
+			case 'N':
+				excluded->insert_last(excluded,
+									  identification_create_from_string(arg));
+				continue;
+			case 'P':
+			{
+				chunk_t oid;
+
+				oid = asn1_oid_from_string(arg);
+				if (!oid.len)
+				{
+					error = "--cert-policy OID invalid";
+					goto usage;
+				}
+				INIT(policy,
+					.oid = oid,
+				);
+				policies->insert_last(policies, policy);
+				continue;
+			}
+			case 'C':
+				if (!policy)
+				{
+					error = "--cps-uri must follow a --cert-policy";
+					goto usage;
+				}
+				policy->cps_uri = arg;
+				continue;
+			case 'U':
+				if (!policy)
+				{
+					error = "--user-notice must follow a --cert-policy";
+					goto usage;
+				}
+				policy->unotice_text = arg;
+				continue;
+			case 'M':
+			{
+				char *pos = strchr(arg, ':');
+				x509_policy_mapping_t *mapping;
+				chunk_t subject_oid, issuer_oid;
+
+				if (pos)
+				{
+					*pos++ = '\0';
+					issuer_oid = asn1_oid_from_string(arg);
+					subject_oid = asn1_oid_from_string(pos);
+				}
+				if (!pos || !issuer_oid.len || !subject_oid.len)
+				{
+					error = "--policy-map OIDs invalid";
+					goto usage;
+				}
+				INIT(mapping,
+					.issuer = issuer_oid,
+					.subject = subject_oid,
+				);
+				mappings->insert_last(mappings, mapping);
+				continue;
+			}
+			case 'E':
+				require_explicit = atoi(arg);
+				continue;
+			case 'H':
+				inhibit_mapping = atoi(arg);
+				continue;
+			case 'A':
+				inhibit_any = atoi(arg);
+				continue;
 			case 'e':
 				if (streq(arg, "serverAuth"))
 				{
@@ -113,6 +212,10 @@ static int self()
 				{
 					flags |= X509_CLIENT_AUTH;
 				}
+				else if (streq(arg, "crlSign"))
+				{
+					flags |= X509_CRL_SIGN;
+				}
 				else if (streq(arg, "ocspSigning"))
 				{
 					flags |= X509_OCSP_SIGNER;
@@ -121,7 +224,8 @@ static int self()
 			case 'f':
 				if (!get_form(arg, &form, CRED_CERTIFICATE))
 				{
-					return command_usage("invalid output format");
+					error = "invalid output format";
+					goto usage;
 				}
 				continue;
 			case 'o':
@@ -206,7 +310,15 @@ static int self()
 						BUILD_NOT_AFTER_TIME, not_after, BUILD_SERIAL, serial,
 						BUILD_DIGEST_ALG, digest, BUILD_X509_FLAG, flags,
 						BUILD_PATHLEN, pathlen, BUILD_SUBJECT_ALTNAMES, san,
-						BUILD_OCSP_ACCESS_LOCATIONS, ocsp, BUILD_END);
+						BUILD_OCSP_ACCESS_LOCATIONS, ocsp,
+						BUILD_PERMITTED_NAME_CONSTRAINTS, permitted,
+						BUILD_EXCLUDED_NAME_CONSTRAINTS, excluded,
+						BUILD_CERTIFICATE_POLICIES, policies,
+						BUILD_POLICY_MAPPINGS, mappings,
+						BUILD_POLICY_REQUIRE_EXPLICIT, require_explicit,
+						BUILD_POLICY_INHIBIT_MAPPING, inhibit_mapping,
+						BUILD_POLICY_INHIBIT_ANY, inhibit_any,
+						BUILD_END);
 	if (!cert)
 	{
 		error = "generating certificate failed";
@@ -229,6 +341,10 @@ end:
 	DESTROY_IF(public);
 	DESTROY_IF(private);
 	san->destroy_offset(san, offsetof(identification_t, destroy));
+	permitted->destroy_offset(permitted, offsetof(identification_t, destroy));
+	excluded->destroy_offset(excluded, offsetof(identification_t, destroy));
+	policies->destroy_function(policies, (void*)destroy_cert_policy);
+	mappings->destroy_function(mappings, (void*)destroy_policy_mapping);
 	ocsp->destroy(ocsp);
 	free(encoding.ptr);
 	free(serial.ptr);
@@ -242,6 +358,10 @@ end:
 
 usage:
 	san->destroy_offset(san, offsetof(identification_t, destroy));
+	permitted->destroy_offset(permitted, offsetof(identification_t, destroy));
+	excluded->destroy_offset(excluded, offsetof(identification_t, destroy));
+	policies->destroy_function(policies, (void*)destroy_cert_policy);
+	mappings->destroy_function(mappings, (void*)destroy_policy_mapping);
 	ocsp->destroy(ocsp);
 	return command_usage(error);
 }
@@ -257,23 +377,36 @@ static void __attribute__ ((constructor))reg()
 		{"[--in file | --keyid hex] [--type rsa|ecdsa]",
 		 " --dn distinguished-name [--san subjectAltName]+",
 		 "[--lifetime days] [--serial hex] [--ca] [--ocsp uri]+",
-		 "[--flag serverAuth|clientAuth|ocspSigning]+",
+		 "[--flag serverAuth|clientAuth|crlSign|ocspSigning]+",
+		 "[--nc-permitted name] [--nc-excluded name]",
+		 "[--cert-policy oid [--cps-uri uri] [--user-notice text] ]+",
+		 "[--policy-map issuer-oid:subject-oid]",
+		 "[--policy-explicit len] [--policy-inhibit len] [--policy-any len]",
 		 "[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]"},
 		{
-			{"help",	'h', 0, "show usage information"},
-			{"in",		'i', 1, "private key input file, default: stdin"},
-			{"keyid",	'x', 1, "keyid on smartcard of private key"},
-			{"type",	't', 1, "type of input key, default: rsa"},
-			{"dn",		'd', 1, "subject and issuer distinguished name"},
-			{"san",		'a', 1, "subjectAltName to include in certificate"},
-			{"lifetime",'l', 1, "days the certificate is valid, default: 1095"},
-			{"serial",	's', 1, "serial number in hex, default: random"},
-			{"ca",		'b', 0, "include CA basicConstraint, default: no"},
-			{"pathlen",	'p', 1, "set path length constraint"},
-			{"flag",	'e', 1, "include extendedKeyUsage flag"},
-			{"ocsp",	'o', 1, "OCSP AuthorityInfoAccess URI to include"},
-			{"digest",	'g', 1, "digest for signature creation, default: sha1"},
-			{"outform",	'f', 1, "encoding of generated cert, default: der"},
+			{"help",			'h', 0, "show usage information"},
+			{"in",				'i', 1, "private key input file, default: stdin"},
+			{"keyid",			'x', 1, "keyid on smartcard of private key"},
+			{"type",			't', 1, "type of input key, default: rsa"},
+			{"dn",				'd', 1, "subject and issuer distinguished name"},
+			{"san",				'a', 1, "subjectAltName to include in certificate"},
+			{"lifetime",		'l', 1, "days the certificate is valid, default: 1095"},
+			{"serial",			's', 1, "serial number in hex, default: random"},
+			{"ca",				'b', 0, "include CA basicConstraint, default: no"},
+			{"pathlen",			'p', 1, "set path length constraint"},
+			{"nc-permitted",	'n', 1, "add permitted NameConstraint"},
+			{"nc-excluded",		'N', 1, "add excluded NameConstraint"},
+			{"cert-policy",		'P', 1, "certificatePolicy OID to include"},
+			{"cps-uri",			'C', 1, "Certification Practice statement URI for certificatePolicy"},
+			{"user-notice",		'U', 1, "user notice for certificatePolicy"},
+			{"policy-mapping",	'M', 1, "policyMapping from issuer to subject OID"},
+			{"policy-explicit",	'E', 1, "requireExplicitPolicy constraint"},
+			{"policy-inhibit",	'H', 1, "inhibitPolicyMapping constraint"},
+			{"policy-any",		'A', 1, "inhibitAnyPolicy constraint"},
+			{"flag",			'e', 1, "include extendedKeyUsage flag"},
+			{"ocsp",			'o', 1, "OCSP AuthorityInfoAccess URI to include"},
+			{"digest",			'g', 1, "digest for signature creation, default: sha1"},
+			{"outform",			'f', 1, "encoding of generated cert, default: der"},
 		}
 	});
 }
diff --git a/src/pki/commands/signcrl.c b/src/pki/commands/signcrl.c
index 24bf9123f..4b1c12e5c 100644
--- a/src/pki/commands/signcrl.c
+++ b/src/pki/commands/signcrl.c
@@ -97,6 +97,15 @@ static int read_serial(char *file, char *buf, int buflen)
 	return serial.len;
 }
 
+/**
+ * Destroy a CDP
+ */
+static void cdp_destroy(x509_cdp_t *this)
+{
+	free(this->uri);
+	free(this);
+}
+
 /**
  * Sign a CRL
  */
@@ -110,16 +119,19 @@ static int sign_crl()
 	x509_t *x509;
 	hash_algorithm_t digest = HASH_SHA1;
 	char *arg, *cacert = NULL, *cakey = NULL, *lastupdate = NULL, *error = NULL;
+	char *basecrl = NULL;
 	char serial[512], crl_serial[8], *keyid = NULL;
 	int serial_len = 0;
 	crl_reason_t reason = CRL_REASON_UNSPECIFIED;
 	time_t thisUpdate, nextUpdate, date = time(NULL);
 	int lifetime = 15;
-	linked_list_t *list;
+	linked_list_t *list, *cdps;
 	enumerator_t *enumerator, *lastenum = NULL;
-	chunk_t encoding = chunk_empty;
+	x509_cdp_t *cdp;
+	chunk_t encoding = chunk_empty, baseCrlNumber = chunk_empty;
 
 	list = linked_list_create();
+	cdps = linked_list_create();
 
 	memset(crl_serial, 0, sizeof(crl_serial));
 
@@ -190,6 +202,15 @@ static int sign_crl()
 				reason = CRL_REASON_UNSPECIFIED;
 				continue;
 			}
+			case 'b':
+				basecrl = arg;
+				continue;
+			case 'u':
+				INIT(cdp,
+					.uri = strdup(arg),
+				);
+				cdps->insert_last(cdps, cdp);
+				continue;
 			case 'r':
 				if (streq(arg, "key-compromise"))
 				{
@@ -262,9 +283,9 @@ static int sign_crl()
 		goto error;
 	}
 	x509 = (x509_t*)ca;
-	if (!(x509->get_flags(x509) & X509_CA))
+	if (!(x509->get_flags(x509) & (X509_CA | X509_CRL_SIGN)))
 	{
-		error = "CA certificate misses CA basicConstraint";
+		error = "CA certificate misses CA basicConstraint / CRLSign keyUsage";
 		goto error;
 	}
 	public = ca->get_public_key(ca);
@@ -302,6 +323,22 @@ static int sign_crl()
 	thisUpdate = time(NULL);
 	nextUpdate = thisUpdate + lifetime * 24 * 60 * 60;
 
+	if (basecrl)
+	{
+		lastcrl = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL,
+									 BUILD_FROM_FILE, basecrl, BUILD_END);
+		if (!lastcrl)
+		{
+			error = "loading base CRL failed";
+			goto error;
+		}
+		memcpy(crl_serial, lastcrl->get_serial(lastcrl).ptr,
+			   min(lastcrl->get_serial(lastcrl).len, sizeof(crl_serial)));
+		baseCrlNumber = chunk_clone(lastcrl->get_serial(lastcrl));
+		DESTROY_IF((certificate_t*)lastcrl);
+		lastcrl = NULL;
+	}
+
 	if (lastupdate)
 	{
 		lastcrl = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL,
@@ -315,6 +352,10 @@ static int sign_crl()
 			   min(lastcrl->get_serial(lastcrl).len, sizeof(crl_serial)));
 		lastenum = lastcrl->create_enumerator(lastcrl);
 	}
+	else
+	{
+		lastenum = enumerator_create_empty();
+	}
 
 	chunk_increment(chunk_create(crl_serial, sizeof(crl_serial)));
 
@@ -324,11 +365,12 @@ static int sign_crl()
 			BUILD_SIGNING_KEY, private, BUILD_SIGNING_CERT, ca,
 			BUILD_SERIAL, chunk_create(crl_serial, sizeof(crl_serial)),
 			BUILD_NOT_BEFORE_TIME, thisUpdate, BUILD_NOT_AFTER_TIME, nextUpdate,
-			BUILD_REVOKED_ENUMERATOR, enumerator, BUILD_DIGEST_ALG, digest,
-			lastenum ? BUILD_REVOKED_ENUMERATOR : BUILD_END, lastenum,
+			BUILD_REVOKED_ENUMERATOR, enumerator,
+			BUILD_REVOKED_ENUMERATOR, lastenum, BUILD_DIGEST_ALG, digest,
+			BUILD_CRL_DISTRIBUTION_POINTS, cdps, BUILD_BASE_CRL, baseCrlNumber,
 			BUILD_END);
 	enumerator->destroy(enumerator);
-	DESTROY_IF(lastenum);
+	lastenum->destroy(lastenum);
 	DESTROY_IF((certificate_t*)lastcrl);
 
 	if (!crl)
@@ -353,7 +395,9 @@ error:
 	DESTROY_IF(ca);
 	DESTROY_IF(crl);
 	free(encoding.ptr);
+	free(baseCrlNumber.ptr);
 	list->destroy_function(list, (void*)revoked_destroy);
+	cdps->destroy_function(cdps, (void*)cdp_destroy);
 	if (error)
 	{
 		fprintf(stderr, "%s\n", error);
@@ -363,6 +407,7 @@ error:
 
 usage:
 	list->destroy_function(list, (void*)revoked_destroy);
+	cdps->destroy_function(cdps, (void*)cdp_destroy);
 	return command_usage(error);
 }
 
@@ -375,24 +420,27 @@ static void __attribute__ ((constructor))reg()
 		sign_crl, 'c', "signcrl",
 		"issue a CRL using a CA certificate and key",
 		{"--cacert file --cakey file | --cakeyid hex --lifetime days",
+		 "[--lastcrl crl] [--basecrl crl] [--crluri uri ]+",
 		 "[  [--reason key-compromise|ca-compromise|affiliation-changed|",
 		 "             superseded|cessation-of-operation|certificate-hold]",
 		 "   [--date timestamp]",
 		 "    --cert file | --serial hex ]*",
 		 "[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]"},
 		{
-			{"help",	'h', 0, "show usage information"},
-			{"cacert",	'c', 1, "CA certificate file"},
-			{"cakey",	'k', 1, "CA private key file"},
-			{"cakeyid",	'x', 1, "keyid on smartcard of CA private key"},
-			{"lifetime",'l', 1, "days the CRL gets a nextUpdate, default: 15"},
-			{"lastcrl",	'a', 1, "CRL of lastUpdate to copy revocations from"},
-			{"cert",	'z', 1, "certificate file to revoke"},
-			{"serial",	's', 1, "hex encoded certificate serial number to revoke"},
-			{"reason",	'r', 1, "reason for certificate revocation"},
-			{"date",	'd', 1, "revocation date as unix timestamp, default: now"},
-			{"digest",	'g', 1, "digest for signature creation, default: sha1"},
-			{"outform",	'f', 1, "encoding of generated crl, default: der"},
+			{"help",		'h', 0, "show usage information"},
+			{"cacert",		'c', 1, "CA certificate file"},
+			{"cakey",		'k', 1, "CA private key file"},
+			{"cakeyid",		'x', 1, "keyid on smartcard of CA private key"},
+			{"lifetime",	'l', 1, "days the CRL gets a nextUpdate, default: 15"},
+			{"lastcrl",		'a', 1, "CRL of lastUpdate to copy revocations from"},
+			{"basecrl",		'b', 1, "base CRL to create a delta CRL for"},
+			{"crluri",		'u', 1, "freshest delta CRL URI to include"},
+			{"cert",		'z', 1, "certificate file to revoke"},
+			{"serial",		's', 1, "hex encoded certificate serial number to revoke"},
+			{"reason",		'r', 1, "reason for certificate revocation"},
+			{"date",		'd', 1, "revocation date as unix timestamp, default: now"},
+			{"digest",		'g', 1, "digest for signature creation, default: sha1"},
+			{"outform",		'f', 1, "encoding of generated crl, default: der"},
 		}
 	});
 }
diff --git a/src/pluto/Makefile.in b/src/pluto/Makefile.in
index 080530f86..1428854ee 100644
--- a/src/pluto/Makefile.in
+++ b/src/pluto/Makefile.in
@@ -304,9 +304,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -345,6 +343,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/pluto/ca.c b/src/pluto/ca.c
index 2654774fa..add85def8 100644
--- a/src/pluto/ca.c
+++ b/src/pluto/ca.c
@@ -629,7 +629,7 @@ void add_ca_info(const whack_message_t *msg)
 			if (strncasecmp(msg->ocspuri, "http", 4) == 0)
 				ca->ocspuri = clone_str(msg->ocspuri);
 			else
-				plog("  ignoring ocspuri with unkown protocol");
+				plog("  ignoring ocspuri with unknown protocol");
 		}
 
 		/* add crl uris */
diff --git a/src/pluto/crl.c b/src/pluto/crl.c
index c8fb107d5..1c9c9a8cc 100644
--- a/src/pluto/crl.c
+++ b/src/pluto/crl.c
@@ -352,7 +352,7 @@ cert_status_t verify_by_crl(cert_t *cert, time_t *until, time_t *revocationDate,
 	x509crl_t *x509crl;
 	ca_info_t *ca;
 	enumerator_t *enumerator;
-	char *point;
+	x509_cdp_t *cdp;
 
 	ca = get_ca_info(issuer, authKeyID);
 
@@ -376,9 +376,9 @@ cert_status_t verify_by_crl(cert_t *cert, time_t *until, time_t *revocationDate,
 		}
 
 		enumerator = x509->create_crl_uri_enumerator(x509);
-		while (enumerator->enumerate(enumerator, &point))
+		while (enumerator->enumerate(enumerator, &cdp))
 		{
-			add_distribution_point(crluris, point);
+			add_distribution_point(crluris, cdp->uri);
 		}
 		enumerator->destroy(enumerator);
 
@@ -416,9 +416,9 @@ cert_status_t verify_by_crl(cert_t *cert, time_t *until, time_t *revocationDate,
 		}
 
 		enumerator = x509->create_crl_uri_enumerator(x509);
-		while (enumerator->enumerate(enumerator, &point))
+		while (enumerator->enumerate(enumerator, &cdp))
 		{
-			add_distribution_point(x509crl->distributionPoints, point);
+			add_distribution_point(x509crl->distributionPoints, cdp->uri);
 		}
 		enumerator->destroy(enumerator);
 
diff --git a/src/pluto/crypto.c b/src/pluto/crypto.c
index 0684de618..f01966c72 100644
--- a/src/pluto/crypto.c
+++ b/src/pluto/crypto.c
@@ -26,14 +26,15 @@
 
 static struct encrypt_desc encrypt_desc_3des =
 {
-	algo_type:       IKE_ALG_ENCRYPT,
-	algo_id:         OAKLEY_3DES_CBC,
-	algo_next:       NULL,
-
-	enc_blocksize:   DES_BLOCK_SIZE,
-	keydeflen:       DES_BLOCK_SIZE * 3 * BITS_PER_BYTE,
-	keyminlen:       DES_BLOCK_SIZE * 3 * BITS_PER_BYTE,
-	keymaxlen:       DES_BLOCK_SIZE * 3 * BITS_PER_BYTE,
+	algo_type:        IKE_ALG_ENCRYPT,
+	algo_id:          OAKLEY_3DES_CBC,
+	plugin_name:      NULL,
+	algo_next:        NULL,
+	
+	enc_blocksize:    DES_BLOCK_SIZE,
+	keydeflen:        DES_BLOCK_SIZE * 3 * BITS_PER_BYTE,
+	keyminlen:        DES_BLOCK_SIZE * 3 * BITS_PER_BYTE,
+	keymaxlen:        DES_BLOCK_SIZE * 3 * BITS_PER_BYTE,
 };
 
 #define  AES_KEY_MIN_LEN	128
@@ -42,14 +43,15 @@ static struct encrypt_desc encrypt_desc_3des =
 
 static struct encrypt_desc encrypt_desc_aes =
 {
-	algo_type:       IKE_ALG_ENCRYPT,
-	algo_id:         OAKLEY_AES_CBC,
-	algo_next:       NULL,
-
-	enc_blocksize:   AES_BLOCK_SIZE,
-	keyminlen:       AES_KEY_MIN_LEN,
-	keydeflen:       AES_KEY_DEF_LEN,
-	keymaxlen:       AES_KEY_MAX_LEN,
+	algo_type:        IKE_ALG_ENCRYPT,
+	algo_id:          OAKLEY_AES_CBC,
+	plugin_name:      NULL,
+	algo_next:        NULL,
+
+	enc_blocksize:    AES_BLOCK_SIZE,
+	keyminlen:        AES_KEY_MIN_LEN,
+	keydeflen:        AES_KEY_DEF_LEN,
+	keymaxlen:        AES_KEY_MAX_LEN,
 };
 
 #define  CAMELLIA_KEY_MIN_LEN	128
@@ -58,14 +60,15 @@ static struct encrypt_desc encrypt_desc_aes =
 
 static struct encrypt_desc encrypt_desc_camellia =
 {
-	algo_type:       IKE_ALG_ENCRYPT,
-	algo_id:         OAKLEY_CAMELLIA_CBC,
-	algo_next:       NULL,
-
-	enc_blocksize:   CAMELLIA_BLOCK_SIZE,
-	keyminlen:       CAMELLIA_KEY_MIN_LEN,
-	keydeflen:       CAMELLIA_KEY_DEF_LEN,
-	keymaxlen:       CAMELLIA_KEY_MAX_LEN,
+	algo_type:        IKE_ALG_ENCRYPT,
+	algo_id:          OAKLEY_CAMELLIA_CBC,
+	plugin_name:      NULL,
+	algo_next:        NULL,
+
+	enc_blocksize:    CAMELLIA_BLOCK_SIZE,
+	keyminlen:        CAMELLIA_KEY_MIN_LEN,
+	keydeflen:        CAMELLIA_KEY_DEF_LEN,
+	keymaxlen:        CAMELLIA_KEY_MAX_LEN,
 };
 
 #define  BLOWFISH_KEY_MIN_LEN	128
@@ -73,14 +76,15 @@ static struct encrypt_desc encrypt_desc_camellia =
 
 static struct encrypt_desc encrypt_desc_blowfish =
 {
-	algo_type:       IKE_ALG_ENCRYPT,
-	algo_id:         OAKLEY_BLOWFISH_CBC,
-	algo_next:       NULL,
-
-	enc_blocksize:   BLOWFISH_BLOCK_SIZE,
-	keyminlen:       BLOWFISH_KEY_MIN_LEN,
-	keydeflen:       BLOWFISH_KEY_MIN_LEN,
-	keymaxlen:       BLOWFISH_KEY_MAX_LEN,
+	algo_type:        IKE_ALG_ENCRYPT,
+	algo_id:          OAKLEY_BLOWFISH_CBC,
+	plugin_name:      NULL,
+	algo_next:        NULL,
+
+	enc_blocksize:    BLOWFISH_BLOCK_SIZE,
+	keyminlen:        BLOWFISH_KEY_MIN_LEN,
+	keydeflen:        BLOWFISH_KEY_MIN_LEN,
+	keymaxlen:        BLOWFISH_KEY_MAX_LEN,
 };
 
 #define  SERPENT_KEY_MIN_LEN	128
@@ -89,14 +93,15 @@ static struct encrypt_desc encrypt_desc_blowfish =
 
 static struct encrypt_desc encrypt_desc_serpent =
 {
-	algo_type:       IKE_ALG_ENCRYPT,
-	algo_id:         OAKLEY_SERPENT_CBC,
-	algo_next:       NULL,
-
-	enc_blocksize:   SERPENT_BLOCK_SIZE,
-	keyminlen:       SERPENT_KEY_MIN_LEN,
-	keydeflen:       SERPENT_KEY_DEF_LEN,
-	keymaxlen:       SERPENT_KEY_MAX_LEN,
+	algo_type:        IKE_ALG_ENCRYPT,
+	algo_id:          OAKLEY_SERPENT_CBC,
+	plugin_name:      NULL,
+	algo_next:        NULL,
+
+	enc_blocksize:    SERPENT_BLOCK_SIZE,
+	keyminlen:        SERPENT_KEY_MIN_LEN,
+	keydeflen:        SERPENT_KEY_DEF_LEN,
+	keymaxlen:        SERPENT_KEY_MAX_LEN,
 };
 
 #define  TWOFISH_KEY_MIN_LEN	128
@@ -105,32 +110,35 @@ static struct encrypt_desc encrypt_desc_serpent =
 
 static struct encrypt_desc encrypt_desc_twofish =
 {
-	algo_type:       IKE_ALG_ENCRYPT,
-	algo_id:         OAKLEY_TWOFISH_CBC,
-	algo_next:       NULL,
-
-	enc_blocksize:   TWOFISH_BLOCK_SIZE,
-	keydeflen:       TWOFISH_KEY_MIN_LEN,
-	keyminlen:       TWOFISH_KEY_DEF_LEN,
-	keymaxlen:       TWOFISH_KEY_MAX_LEN,
+	algo_type:        IKE_ALG_ENCRYPT,
+	algo_id:          OAKLEY_TWOFISH_CBC,
+	plugin_name:      NULL,
+	algo_next:        NULL,
+
+	enc_blocksize:    TWOFISH_BLOCK_SIZE,
+	keydeflen:        TWOFISH_KEY_MIN_LEN,
+	keyminlen:        TWOFISH_KEY_DEF_LEN,
+	keymaxlen:        TWOFISH_KEY_MAX_LEN,
 };
 
 static struct encrypt_desc encrypt_desc_twofish_ssh =
 {
-	algo_type:       IKE_ALG_ENCRYPT,
-	algo_id:         OAKLEY_TWOFISH_CBC_SSH,
-	algo_next:       NULL,
-
-	enc_blocksize:   TWOFISH_BLOCK_SIZE,
-	keydeflen:       TWOFISH_KEY_MIN_LEN,
-	keyminlen:       TWOFISH_KEY_DEF_LEN,
-	keymaxlen:       TWOFISH_KEY_MAX_LEN,
+	algo_type:        IKE_ALG_ENCRYPT,
+	algo_id:          OAKLEY_TWOFISH_CBC_SSH,
+	plugin_name:      NULL,
+	algo_next:        NULL,
+
+	enc_blocksize:    TWOFISH_BLOCK_SIZE,
+	keydeflen:        TWOFISH_KEY_MIN_LEN,
+	keyminlen:        TWOFISH_KEY_DEF_LEN,
+	keymaxlen:        TWOFISH_KEY_MAX_LEN,
 };
 
 static struct hash_desc hash_desc_md5 =
 {
 	algo_type:        IKE_ALG_HASH,
 	algo_id:          OAKLEY_MD5,
+	plugin_name:      NULL,
 	algo_next:        NULL,
 	hash_digest_size: HASH_SIZE_MD5,
 };
@@ -139,6 +147,7 @@ static struct hash_desc hash_desc_sha1 =
 {
 	algo_type:        IKE_ALG_HASH,
 	algo_id:          OAKLEY_SHA,
+	plugin_name:      NULL,
 	algo_next:        NULL,
 	hash_digest_size: HASH_SIZE_SHA1,
 };
@@ -146,6 +155,7 @@ static struct hash_desc hash_desc_sha1 =
 static struct hash_desc hash_desc_sha2_256 = {
 	algo_type:        IKE_ALG_HASH,
 	algo_id:          OAKLEY_SHA2_256,
+	plugin_name:      NULL,
 	algo_next:        NULL,
 	hash_digest_size: HASH_SIZE_SHA256,
 };
@@ -153,6 +163,7 @@ static struct hash_desc hash_desc_sha2_256 = {
 static struct hash_desc hash_desc_sha2_384 = {
 	algo_type:        IKE_ALG_HASH,
 	algo_id:          OAKLEY_SHA2_384,
+	plugin_name:      NULL,
 	algo_next:        NULL,
 	hash_digest_size: HASH_SIZE_SHA384,
 };
@@ -160,120 +171,136 @@ static struct hash_desc hash_desc_sha2_384 = {
 static struct hash_desc hash_desc_sha2_512 = {
 	algo_type:        IKE_ALG_HASH,
 	algo_id:          OAKLEY_SHA2_512,
+	plugin_name:      NULL,
 	algo_next:        NULL,
 	hash_digest_size: HASH_SIZE_SHA512,
 };
 
 const struct dh_desc unset_group = {
-	algo_type:  IKE_ALG_DH_GROUP,
-	algo_id:    MODP_NONE,
-	algo_next:  NULL,
-	ke_size:    0
+	algo_type:        IKE_ALG_DH_GROUP,
+	algo_id:          MODP_NONE,
+	plugin_name:      NULL,
+	algo_next:        NULL,
+	ke_size:          0
 };
 
 static struct dh_desc dh_desc_modp_1024 = {
-	algo_type:  IKE_ALG_DH_GROUP,
-	algo_id:    MODP_1024_BIT,
-	algo_next:  NULL,
-	ke_size:    1024 / BITS_PER_BYTE
+	algo_type:        IKE_ALG_DH_GROUP,
+	algo_id:          MODP_1024_BIT,
+	plugin_name:      NULL,
+	algo_next:        NULL,
+	ke_size:          1024 / BITS_PER_BYTE
 };
 
 static struct dh_desc dh_desc_modp_1536 = {
-	algo_type:  IKE_ALG_DH_GROUP,
-	algo_id:    MODP_1536_BIT,
-	algo_next:  NULL,
-	ke_size:    1536 / BITS_PER_BYTE
+	algo_type:        IKE_ALG_DH_GROUP,
+	algo_id:          MODP_1536_BIT,
+	plugin_name:      NULL,
+	algo_next:        NULL,
+	ke_size:          1536 / BITS_PER_BYTE
 };
 
 static struct dh_desc dh_desc_modp_2048 = {
-	algo_type:  IKE_ALG_DH_GROUP,
-	algo_id:    MODP_2048_BIT,
-	algo_next:  NULL,
-	ke_size:    2048 / BITS_PER_BYTE
+	algo_type:        IKE_ALG_DH_GROUP,
+	algo_id:          MODP_2048_BIT,
+	algo_next:        NULL,
+	ke_size:          2048 / BITS_PER_BYTE
 };
 
 static struct dh_desc dh_desc_modp_3072 = {
-	algo_type:  IKE_ALG_DH_GROUP,
-	algo_id:    MODP_3072_BIT,
-	algo_next:  NULL,
-	ke_size:    3072 / BITS_PER_BYTE
+	algo_type:        IKE_ALG_DH_GROUP,
+	algo_id:          MODP_3072_BIT,
+	plugin_name:      NULL,
+	algo_next:        NULL,
+	ke_size:          3072 / BITS_PER_BYTE
 };
 
 static struct dh_desc dh_desc_modp_4096 = {
-	algo_type:  IKE_ALG_DH_GROUP,
-	algo_id:    MODP_4096_BIT,
-	algo_next:  NULL,
-	ke_size:    4096 / BITS_PER_BYTE
+	algo_type:        IKE_ALG_DH_GROUP,
+	algo_id:          MODP_4096_BIT,
+	plugin_name:      NULL,
+	algo_next:        NULL,
+	ke_size:          4096 / BITS_PER_BYTE
 };
 
 static struct dh_desc dh_desc_modp_6144 = {
-	algo_type:  IKE_ALG_DH_GROUP,
-	algo_id:    MODP_6144_BIT,
-	algo_next:  NULL,
-	ke_size:    6144 / BITS_PER_BYTE
+	algo_type:        IKE_ALG_DH_GROUP,
+	algo_id:          MODP_6144_BIT,
+	plugin_name:      NULL,
+	algo_next:        NULL,
+	ke_size:          6144 / BITS_PER_BYTE
 };
 
 static struct dh_desc dh_desc_modp_8192 = {
-	algo_type:  IKE_ALG_DH_GROUP,
-	algo_id:    MODP_8192_BIT,
-	algo_next:  NULL,
-	ke_size:    8192 / BITS_PER_BYTE
+	algo_type:        IKE_ALG_DH_GROUP,
+	algo_id:          MODP_8192_BIT,
+	plugin_name:      NULL,
+	algo_next:        NULL,
+	ke_size:          8192 / BITS_PER_BYTE
 };
 
 static struct dh_desc dh_desc_ecp_256 = {
-	algo_type:  IKE_ALG_DH_GROUP,
-	algo_id:    ECP_256_BIT,
-	algo_next:  NULL,
-	ke_size:    2*256 / BITS_PER_BYTE
+	algo_type:        IKE_ALG_DH_GROUP,
+	algo_id:          ECP_256_BIT,
+	plugin_name:      NULL,
+	algo_next:        NULL,
+	ke_size:          2*256 / BITS_PER_BYTE
 };
 
 static struct dh_desc dh_desc_ecp_384 = {
-	algo_type:  IKE_ALG_DH_GROUP,
-	algo_id:    ECP_384_BIT,
-	algo_next:  NULL,
-	ke_size:    2*384 / BITS_PER_BYTE
+	algo_type:        IKE_ALG_DH_GROUP,
+	algo_id:          ECP_384_BIT,
+	plugin_name:      NULL,
+	algo_next:        NULL,
+	ke_size:          2*384 / BITS_PER_BYTE
 };
 
 static struct dh_desc dh_desc_ecp_521 = {
-	algo_type:  IKE_ALG_DH_GROUP,
-	algo_id:    ECP_521_BIT,
-	algo_next:  NULL,
-	ke_size:    2*528 / BITS_PER_BYTE
+	algo_type:        IKE_ALG_DH_GROUP,
+	algo_id:          ECP_521_BIT,
+	plugin_name:      NULL,
+	algo_next:        NULL,
+	ke_size:          2*528 / BITS_PER_BYTE
 };
 
 static struct dh_desc dh_desc_modp_1024_160 = {
-	algo_type:  IKE_ALG_DH_GROUP,
-	algo_id:    MODP_1024_160,
-	algo_next:  NULL,
-	ke_size:    1024 / BITS_PER_BYTE
+	algo_type:        IKE_ALG_DH_GROUP,
+	algo_id:          MODP_1024_160,
+	plugin_name:      NULL,
+	algo_next:        NULL,
+	ke_size:          1024 / BITS_PER_BYTE
 };
 
 static struct dh_desc dh_desc_modp_2048_224 = {
-	algo_type:  IKE_ALG_DH_GROUP,
-	algo_id:    MODP_2048_224,
-	algo_next:  NULL,
-	ke_size:    2048 / BITS_PER_BYTE
+	algo_type:        IKE_ALG_DH_GROUP,
+	algo_id:          MODP_2048_224,
+	plugin_name:      NULL,
+	algo_next:        NULL,
+	ke_size:          2048 / BITS_PER_BYTE
 };
 
 static struct dh_desc dh_desc_modp_2048_256 = {
-	algo_type:  IKE_ALG_DH_GROUP,
-	algo_id:    MODP_2048_256,
-	algo_next:  NULL,
-	ke_size:    2048 / BITS_PER_BYTE
+	algo_type:        IKE_ALG_DH_GROUP,
+	algo_id:          MODP_2048_256,
+	plugin_name:      NULL,
+	algo_next:        NULL,
+	ke_size:          2048 / BITS_PER_BYTE
 };
 
 static struct dh_desc dh_desc_ecp_192 = {
-	algo_type:  IKE_ALG_DH_GROUP,
-	algo_id:    ECP_192_BIT,
-	algo_next:  NULL,
-	ke_size:    2*192 / BITS_PER_BYTE
+	algo_type:        IKE_ALG_DH_GROUP,
+	algo_id:          ECP_192_BIT,
+	plugin_name:      NULL,
+	algo_next:        NULL,
+	ke_size:          2*192 / BITS_PER_BYTE
 };
 
 static struct dh_desc dh_desc_ecp_224 = {
 	algo_type:  IKE_ALG_DH_GROUP,
 	algo_id:    ECP_224_BIT,
-	algo_next:  NULL,
-	ke_size:    2*224 / BITS_PER_BYTE
+	plugin_name:      NULL,
+	algo_next:        NULL,
+	ke_size:          2*224 / BITS_PER_BYTE
 };
 
 bool init_crypto(void)
@@ -282,11 +309,12 @@ bool init_crypto(void)
 	encryption_algorithm_t encryption_alg;
 	hash_algorithm_t hash_alg;
 	diffie_hellman_group_t dh_group;
+	const char *plugin_name;
 	bool no_md5  = TRUE;
 	bool no_sha1 = TRUE;
 
 	enumerator = lib->crypto->create_hasher_enumerator(lib->crypto);
-	while (enumerator->enumerate(enumerator, &hash_alg))
+	while (enumerator->enumerate(enumerator, &hash_alg, &plugin_name))
 	{
 		const struct hash_desc *desc;
 
@@ -312,7 +340,7 @@ bool init_crypto(void)
 			default:
 				continue;
 		}
-		ike_alg_add((struct ike_alg *)desc);
+		ike_alg_add((struct ike_alg *)desc, plugin_name);
 	}
 	enumerator->destroy(enumerator);
 
@@ -326,7 +354,7 @@ bool init_crypto(void)
 	}
 
 	enumerator = lib->crypto->create_crypter_enumerator(lib->crypto);
-	while (enumerator->enumerate(enumerator, &encryption_alg))
+	while (enumerator->enumerate(enumerator, &encryption_alg, &plugin_name))
 	{
 		const struct encrypt_desc *desc;
 
@@ -346,7 +374,8 @@ bool init_crypto(void)
 				break;
 			case ENCR_TWOFISH_CBC:
 				desc = &encrypt_desc_twofish;
-				ike_alg_add((struct ike_alg *)&encrypt_desc_twofish_ssh);
+				ike_alg_add((struct ike_alg *)&encrypt_desc_twofish_ssh,
+							plugin_name);
 				break;
 			case ENCR_SERPENT_CBC:
 				desc = &encrypt_desc_serpent;
@@ -354,12 +383,12 @@ bool init_crypto(void)
 			default:
 				continue;
 		}
-		ike_alg_add((struct ike_alg *)desc);
+		ike_alg_add((struct ike_alg *)desc, plugin_name);
 	}
 	enumerator->destroy(enumerator);
 
 	enumerator = lib->crypto->create_dh_enumerator(lib->crypto);
-	while (enumerator->enumerate(enumerator, &dh_group))
+	while (enumerator->enumerate(enumerator, &dh_group, &plugin_name))
 	{
 		const struct dh_desc *desc;
 
@@ -413,7 +442,7 @@ bool init_crypto(void)
 			default:
 				continue;
 		}
-		ike_alg_add((struct ike_alg *)desc);
+		ike_alg_add((struct ike_alg *)desc, plugin_name);
 	}
 	enumerator->destroy(enumerator);
 	return TRUE;
diff --git a/src/pluto/demux.c b/src/pluto/demux.c
index 0590a3585..249e645ed 100644
--- a/src/pluto/demux.c
+++ b/src/pluto/demux.c
@@ -1147,7 +1147,7 @@ read_packet(struct msg_digest *md)
 	}
 	else if (from_ugh != NULL)
 	{
-		plog("recvfrom on %s returned misformed source sockaddr: %s"
+		plog("recvfrom on %s returned malformed source sockaddr: %s"
 			, ifp->rname, from_ugh);
 		return FALSE;
 	}
diff --git a/src/pluto/ike_alg.c b/src/pluto/ike_alg.c
index 08353907e..a36b5ce4e 100644
--- a/src/pluto/ike_alg.c
+++ b/src/pluto/ike_alg.c
@@ -72,7 +72,7 @@ static struct ike_alg *ike_alg_find(u_int algo_type, u_int algo_id,
 /**
  * "raw" ike_alg list adding function
  */
-int ike_alg_add(struct ike_alg* a)
+int ike_alg_add(struct ike_alg* a, const char *plugin_name)
 {
 	if (a->algo_type > IKE_ALG_MAX)
 	{
@@ -96,6 +96,7 @@ int ike_alg_add(struct ike_alg* a)
 			e = *ep;
 		}
 		*ep = a;
+		a->plugin_name = plugin_name;
 		a->algo_next = e;
 		return 0;
 	}
@@ -303,64 +304,72 @@ fail:
 	return db_ctx;
 }
 
+/**
+ * Print the name of an algorithm plus the name of the plugin that registered it
+ */
+static void print_alg(char *buf, int *len, enum_names *alg_names, int alg_type,
+					  const char *plugin_name)
+{
+	char alg_name[BUF_LEN];
+	int alg_name_len;
+	
+	alg_name_len = sprintf(alg_name, " %s[%s]", enum_name(alg_names, alg_type),
+						   plugin_name);
+	if (*len + alg_name_len > CRYPTO_MAX_ALG_LINE)
+	{
+		whack_log(RC_COMMENT, "%s", buf);
+		*len = sprintf(buf, "             ");
+	}
+	sprintf(buf + *len, "%s", alg_name);
+	*len += alg_name_len;
+}
+
 /**
  * Show registered IKE algorithms
  */
 void ike_alg_list(void)
 {
+	rng_quality_t quality;
+	enumerator_t *enumerator;
+	const char *plugin_name;
 	char buf[BUF_LEN];
-	char *pos;
-	int n, len;
+	int len;
 	struct ike_alg *a;
 
 	whack_log(RC_COMMENT, " ");
 	whack_log(RC_COMMENT, "List of registered IKEv1 Algorithms:");
 	whack_log(RC_COMMENT, " ");
 
-	pos = buf;
-	*pos = '\0';
-	len = BUF_LEN;
+	len = sprintf(buf, "  encryption:");
 	for (a = ike_alg_base[IKE_ALG_ENCRYPT]; a != NULL; a = a->algo_next)
 	{
-	    n = snprintf(pos, len, " %s", enum_name(&oakley_enc_names, a->algo_id));
-		pos += n;
-		len -= n;
-		if (len <= 0)
-		{
-			break;
-		}
+	    print_alg(buf, &len, &oakley_enc_names, a->algo_id, a->plugin_name);
 	}
-	whack_log(RC_COMMENT, "  encryption:%s", buf);
+	whack_log(RC_COMMENT, "%s", buf);
 
-	pos = buf;
-	*pos = '\0';
-	len = BUF_LEN;
+	len = sprintf(buf, "  integrity: ");
 	for (a = ike_alg_base[IKE_ALG_HASH]; a != NULL; a = a->algo_next)
 	{
-	    n = snprintf(pos, len, " %s", enum_name(&oakley_hash_names, a->algo_id));
-		pos += n;
-		len -= n;
-		if (len <= 0)
-		{
-			break;
-		}
+	    print_alg(buf, &len, &oakley_hash_names, a->algo_id, a->plugin_name);
 	}
-	whack_log(RC_COMMENT, "  integrity: %s", buf);
+	whack_log(RC_COMMENT, "%s", buf);
 
-	pos = buf;
-	*pos = '\0';
-	len = BUF_LEN;
+	len = sprintf(buf, "  dh-group:  ");
 	for (a = ike_alg_base[IKE_ALG_DH_GROUP]; a != NULL; a = a->algo_next)
 	{
-	    n = snprintf(pos, len, " %s", enum_name(&oakley_group_names, a->algo_id));
-		pos += n;
-		len -= n;
-		if (len <= 0)
-		{
-			break;
-		}
+	    print_alg(buf, &len, &oakley_group_names, a->algo_id, a->plugin_name);
+	}
+	whack_log(RC_COMMENT, "%s", buf);
+
+	len = sprintf(buf, "  random-gen:");
+	enumerator = lib->crypto->create_rng_enumerator(lib->crypto);
+	while (enumerator->enumerate(enumerator, &quality, &plugin_name))
+	{
+	    len += sprintf(buf + len, " %N[%s]", rng_quality_names, quality,
+											 plugin_name);
 	}
-	whack_log(RC_COMMENT, "  dh-group:  %s", buf);
+	enumerator->destroy(enumerator);
+	whack_log(RC_COMMENT, "%s", buf);
 }
 
 /**
diff --git a/src/pluto/ike_alg.h b/src/pluto/ike_alg.h
index 458d14c3a..c3ce8bb38 100644
--- a/src/pluto/ike_alg.h
+++ b/src/pluto/ike_alg.h
@@ -22,12 +22,14 @@
 struct ike_alg {
 	u_int16_t algo_type;
 	u_int16_t algo_id;
+	const char *plugin_name;
 	struct ike_alg *algo_next;
 };
 
 struct encrypt_desc {
 	u_int16_t algo_type;
 	u_int16_t algo_id;
+	const char *plugin_name;
 	struct ike_alg *algo_next;
 
 	size_t enc_blocksize;
@@ -39,6 +41,7 @@ struct encrypt_desc {
 struct hash_desc {
 	u_int16_t algo_type;
 	u_int16_t algo_id;
+	const char *plugin_name;
 	struct ike_alg *algo_next;
 
 	size_t hash_digest_size;
@@ -47,6 +50,7 @@ struct hash_desc {
 struct dh_desc {
 	u_int16_t algo_type;
 	u_int16_t algo_id;
+	const char *plugin_name;
 	struct ike_alg *algo_next;
 
 	size_t ke_size;
@@ -57,7 +61,7 @@ struct dh_desc {
 #define IKE_ALG_DH_GROUP		2
 #define IKE_ALG_MAX             IKE_ALG_DH_GROUP
 
-extern int ike_alg_add(struct ike_alg *a);
+extern int ike_alg_add(struct ike_alg *a, const char *plugin_name);
 extern struct hash_desc *ike_alg_get_hasher(u_int alg);
 extern struct encrypt_desc *ike_alg_get_crypter(u_int alg);
 extern struct dh_desc *ike_alg_get_dh_group(u_int alg);
diff --git a/src/pluto/kernel.c b/src/pluto/kernel.c
index e57822ffb..104b6c2d4 100644
--- a/src/pluto/kernel.c
+++ b/src/pluto/kernel.c
@@ -1183,7 +1183,7 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound)
 
 		if (hydra->kernel_interface->add_sa(hydra->kernel_interface, host_src,
 						host_dst, ipcomp_spi, said_next->proto, c->spd.reqid,
-						mark, &lt_none, ENCR_UNDEFINED, chunk_empty,
+						mark, 0, &lt_none, ENCR_UNDEFINED, chunk_empty,
 						AUTH_UNDEFINED, chunk_empty, mode,
 						st->st_ipcomp.attrs.transid, 0 /* cpi */, FALSE,
 						inbound, NULL, NULL) != SUCCESS)
@@ -1292,7 +1292,7 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound)
 
 		if (hydra->kernel_interface->add_sa(hydra->kernel_interface, host_src,
 						host_dst, esp_spi, said_next->proto, c->spd.reqid,
-						mark, &lt_none, enc_alg, enc_key,
+						mark, 0, &lt_none, enc_alg, enc_key,
 						auth_alg, auth_key, mode, IPCOMP_NONE, 0 /* cpi */,
 						encap, inbound, NULL, NULL) != SUCCESS)
 		{
@@ -1325,7 +1325,7 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound)
 
 		if (hydra->kernel_interface->add_sa(hydra->kernel_interface, host_src,
 						host_dst, ah_spi, said_next->proto, c->spd.reqid,
-						mark, &lt_none, ENCR_UNDEFINED, chunk_empty,
+						mark, 0, &lt_none, ENCR_UNDEFINED, chunk_empty,
 						auth_alg, auth_key, mode, IPCOMP_NONE, 0 /* cpi */,
 						FALSE, inbound, NULL, NULL) != SUCCESS)
 		{
diff --git a/src/pluto/kernel_alg.c b/src/pluto/kernel_alg.c
index 2a195cffc..c82c376f8 100644
--- a/src/pluto/kernel_alg.c
+++ b/src/pluto/kernel_alg.c
@@ -397,55 +397,55 @@ struct sadb_alg* kernel_alg_esp_sadb_alg(u_int alg_id)
 	return sadb_alg;
 }
 
+/**
+ * Print the name of a kernel algorithm
+ */
+static void print_alg(char *buf, int *len, enum_names *alg_names, int alg_type)
+{
+	char alg_name[BUF_LEN];
+	int alg_name_len;
+	
+	alg_name_len = sprintf(alg_name, " %s", enum_name(alg_names, alg_type));
+	if (*len + alg_name_len > CRYPTO_MAX_ALG_LINE)
+	{
+		whack_log(RC_COMMENT, "%s", buf);
+		*len = sprintf(buf, "             ");
+	}
+	sprintf(buf + *len, "%s", alg_name);
+	*len += alg_name_len;
+}
+
 void kernel_alg_list(void)
 {
 	char buf[BUF_LEN];
-	char *pos;
-	int n, len;
+	int len;
 	u_int sadb_id;
 
 	whack_log(RC_COMMENT, " ");
 	whack_log(RC_COMMENT, "List of registered ESP Algorithms:");
 	whack_log(RC_COMMENT, " ");
 
-	pos = buf;
-	*pos = '\0';
-	len = BUF_LEN;
+	len = sprintf(buf, "  encryption:");
 	for (sadb_id = 1; sadb_id <= SADB_EALG_MAX; sadb_id++)
 	{
 		if (ESP_EALG_PRESENT(sadb_id))
 		{
-			n = snprintf(pos, len, " %s",
-						 enum_name(&esp_transform_names, sadb_id));
-			pos += n;
-			len -= n;
-			if (len <= 0)
-			{
-				break;
-			}
+			print_alg(buf, &len, &esp_transform_names, sadb_id);
 		}
 	}
-	whack_log(RC_COMMENT, "  encryption:%s", buf);
+	whack_log(RC_COMMENT, "%s", buf);
 
-	pos = buf;
-	*pos = '\0';
-	len = BUF_LEN;
+	len = sprintf(buf, "  integrity: ");
 	for (sadb_id = 1; sadb_id <= SADB_AALG_MAX; sadb_id++)
 	{
 		if (ESP_AALG_PRESENT(sadb_id))
 		{
 			u_int aaid = alg_info_esp_sadb2aa(sadb_id);
 
-			n = snprintf(pos, len, " %s", enum_name(&auth_alg_names, aaid));
-			pos += n;
-			len -= n;
-			if (len <= 0)
-			{
-				break;
-			}
+			print_alg(buf, &len, &auth_alg_names, aaid);
 		}
 	}
-	whack_log(RC_COMMENT, "  integrity: %s", buf);
+	whack_log(RC_COMMENT, "%s", buf);
 }
 
 void kernel_alg_show_connection(connection_t *c, const char *instance)
diff --git a/src/pluto/keys.c b/src/pluto/keys.c
index a79c2c0d2..86b46c6c1 100644
--- a/src/pluto/keys.c
+++ b/src/pluto/keys.c
@@ -902,6 +902,7 @@ static void process_secret(secret_t *s, int whackfd)
 	{
 		loglog(RC_LOG_SERIOUS, "\"%s\" line %d: %s"
 			, flp->filename, flp->lino, ugh);
+		s->ids->destroy_offset(s->ids, offsetof(identification_t, destroy));
 		free(s);
 	}
 	else if (flushline("expected record boundary in key"))
@@ -1010,8 +1011,11 @@ static void process_secret_records(int whackfd)
 					if (!shift())
 					{
 						/* unexpected Record Boundary or EOF */
-						loglog(RC_LOG_SERIOUS, "\"%s\" line %d: unexpected end of id list"
-							, flp->filename, flp->lino);
+						loglog(RC_LOG_SERIOUS, "\"%s\" line %d: unexpected end"
+							   " of id list", flp->filename, flp->lino);
+						s->ids->destroy_offset(s->ids,
+										offsetof(identification_t, destroy));
+						free(s);
 						break;
 					}
 				}
diff --git a/src/pluto/ocsp.c b/src/pluto/ocsp.c
index 8a351be6d..a3694b7b5 100644
--- a/src/pluto/ocsp.c
+++ b/src/pluto/ocsp.c
@@ -1045,8 +1045,8 @@ static bool valid_ocsp_response(response_t *res)
 		)
 
 		/* check path length constraint */
-		pathlen_constraint = x509->get_pathLenConstraint(x509);
-		if (pathlen_constraint != X509_NO_PATH_LEN_CONSTRAINT &&
+		pathlen_constraint = x509->get_constraint(x509, X509_PATH_LEN);
+		if (pathlen_constraint != X509_NO_CONSTRAINT &&
 			pathlen > pathlen_constraint)
 		{
 			plog("path length of %d violates constraint of %d",
diff --git a/src/pluto/plugins/xauth/Makefile.in b/src/pluto/plugins/xauth/Makefile.in
index b2ffb11db..358805cc4 100644
--- a/src/pluto/plugins/xauth/Makefile.in
+++ b/src/pluto/plugins/xauth/Makefile.in
@@ -218,9 +218,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -259,6 +257,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/pluto/pluto.8 b/src/pluto/pluto.8
index 58cb15091..9ac537bd9 100644
--- a/src/pluto/pluto.8
+++ b/src/pluto/pluto.8
@@ -1,8 +1,8 @@
 .TH IPSEC_PLUTO 8 "28 March 1999"
 .SH NAME
-ipsec pluto \- IPsec IKE keying daemon
-.br
-ipsec whack \- control interface for IPSEC keying daemon
+pluto \- IPsec IKE keying daemon and control interface
+.PP
+whack \- control interface for IKE keying daemon
 .SH SYNOPSIS
 .na
 .nh
@@ -1009,7 +1009,7 @@ specifies the name of the operation to be performed
 \fBup-host\fP, \fBup-client\fP,
 \fBdown-host\fP, or \fBdown-client\fP).  If the address family for
 security gateway to security gateway communications is IPv6, then
-a suffix of -v6 is added to the verb.
+a suffix of \-v6 is added to the verb.
 .TP
 \fBPLUTO_CONNECTION\fP
 is the name of the connection for which we are routing.
@@ -1571,7 +1571,7 @@ rejected with ECONNREFUSED (kernel supplied no details)''.  John
 Denker suggests that this command is useful for tracking down the
 source of these problems:
 .br
-	tcpdump -i eth0 icmp[0] != 8 and icmp[0] != 0
+	tcpdump \-i eth0 icmp[0] != 8 and icmp[0] != 0
 .br
 Substitute your public interface for eth0 if it is different.
 .LP
diff --git a/src/pluto/x509.c b/src/pluto/x509.c
index d717beb15..7e2aca862 100644
--- a/src/pluto/x509.c
+++ b/src/pluto/x509.c
@@ -255,8 +255,8 @@ bool verify_x509cert(cert_t *cert, bool strict, time_t *until)
 		unlock_authcert_list("verify_x509cert");
 
 		/* check path length constraint */
-		pathlen_constraint = x509->get_pathLenConstraint(x509);
-		if (pathlen_constraint != X509_NO_PATH_LEN_CONSTRAINT &&
+		pathlen_constraint = x509->get_constraint(x509, X509_PATH_LEN);
+		if (pathlen_constraint != X509_NO_CONSTRAINT &&
 			pathlen > pathlen_constraint)
 		{
 			plog("path length of %d violates constraint of %d",
@@ -450,8 +450,8 @@ void list_x509cert_chain(const char *caption, cert_t* cert,
 			}
 
 			/* list optional pathLenConstraint */
-			pathlen = x509->get_pathLenConstraint(x509);
-			if (pathlen != X509_NO_PATH_LEN_CONSTRAINT)
+			pathlen = x509->get_constraint(x509, X509_PATH_LEN);
+			if (pathlen != X509_NO_CONSTRAINT)
 			{
 				whack_log(RC_COMMENT, "  pathlen:   %d", pathlen);
 			}
diff --git a/src/scepclient/Makefile.in b/src/scepclient/Makefile.in
index a20fa2eb9..623585f65 100644
--- a/src/scepclient/Makefile.in
+++ b/src/scepclient/Makefile.in
@@ -228,9 +228,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -269,6 +267,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/scepclient/scepclient.8 b/src/scepclient/scepclient.8
index 4b5234da2..72750e155 100644
--- a/src/scepclient/scepclient.8
+++ b/src/scepclient/scepclient.8
@@ -239,12 +239,12 @@ Log raw hex dumps.
 .PP 
 .B \-C, \-\-debug\-control
 .RS 4
-Log informations about control flow.
+Log information about control flow.
 .RE
 .PP 
 .B \-M, \-\-debug\-controlmore
 .RS 4
-Log more detailed informations about control flow.
+Log more detailed information about control flow.
 .RE
 .PP 
 .B \-X, \-\-debug\-private
diff --git a/src/starter/Makefile.am b/src/starter/Makefile.am
index 75297f767..f05aeca22 100644
--- a/src/starter/Makefile.am
+++ b/src/starter/Makefile.am
@@ -25,7 +25,6 @@ AM_CFLAGS = \
 
 starter_LDADD = defs.o $(top_builddir)/src/libfreeswan/libfreeswan.a $(top_builddir)/src/libstrongswan/libstrongswan.la $(SOCKLIB)
 EXTRA_DIST = parser.l parser.y keywords.txt ipsec.conf
-dist_man_MANS = starter.8
 MAINTAINERCLEANFILES = lex.yy.c y.tab.c y.tab.h keywords.c
 
 PLUTODIR=$(top_srcdir)/src/pluto
@@ -59,14 +58,14 @@ defs.o:		$(PLUTODIR)/defs.c $(PLUTODIR)/defs.h
 		$(COMPILE) -c -o $@ $(PLUTODIR)/defs.c
 
 install-exec-local :
-		test -e "$(DESTDIR)${sysconfdir}/ipsec.d" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d" || true
-		test -e "$(DESTDIR)${sysconfdir}/ipsec.d/cacerts" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/cacerts" || true
-		test -e "$(DESTDIR)${sysconfdir}/ipsec.d/ocspcerts" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/ocspcerts" || true
-		test -e "$(DESTDIR)${sysconfdir}/ipsec.d/certs" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/certs" || true
-		test -e "$(DESTDIR)${sysconfdir}/ipsec.d/acerts" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/acerts" || true
-		test -e "$(DESTDIR)${sysconfdir}/ipsec.d/aacerts" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/aacerts" || true
-		test -e "$(DESTDIR)${sysconfdir}/ipsec.d/crls" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/crls" || true
-		test -e "$(DESTDIR)${sysconfdir}/ipsec.d/reqs" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/reqs" || true
-		test -e "$(DESTDIR)${sysconfdir}/ipsec.d/private" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d -m 750 "$(DESTDIR)$(sysconfdir)/ipsec.d/private" || true
-		test -e "$(DESTDIR)$(sysconfdir)/ipsec.conf" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -m 644 $(srcdir)/ipsec.conf $(DESTDIR)$(sysconfdir)/ipsec.conf || true
+		test -e "$(DESTDIR)${sysconfdir}/ipsec.d" || $(INSTALL) -o -d "$(DESTDIR)$(sysconfdir)/ipsec.d" || true
+		test -e "$(DESTDIR)${sysconfdir}/ipsec.d/cacerts" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)/ipsec.d/cacerts" || true
+		test -e "$(DESTDIR)${sysconfdir}/ipsec.d/ocspcerts" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)/ipsec.d/ocspcerts" || true
+		test -e "$(DESTDIR)${sysconfdir}/ipsec.d/certs" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)/ipsec.d/certs" || true
+		test -e "$(DESTDIR)${sysconfdir}/ipsec.d/acerts" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)/ipsec.d/acerts" || true
+		test -e "$(DESTDIR)${sysconfdir}/ipsec.d/aacerts" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)/ipsec.d/aacerts" || true
+		test -e "$(DESTDIR)${sysconfdir}/ipsec.d/crls" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)/ipsec.d/crls" || true
+		test -e "$(DESTDIR)${sysconfdir}/ipsec.d/reqs" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)/ipsec.d/reqs" || true
+		test -e "$(DESTDIR)${sysconfdir}/ipsec.d/private" || $(INSTALL) -d -m 750 "$(DESTDIR)$(sysconfdir)/ipsec.d/private" || true
+		test -e "$(DESTDIR)$(sysconfdir)/ipsec.conf" || $(INSTALL) -m 644 $(srcdir)/ipsec.conf $(DESTDIR)$(sysconfdir)/ipsec.conf || true
 
diff --git a/src/starter/Makefile.in b/src/starter/Makefile.in
index 446f183f1..f1c370ad9 100644
--- a/src/starter/Makefile.in
+++ b/src/starter/Makefile.in
@@ -39,8 +39,7 @@ ipsec_PROGRAMS = starter$(EXEEXT)
 @USE_CHARON_TRUE@am__append_2 = -DSTART_CHARON
 @USE_LOAD_WARNING_TRUE@am__append_3 = -DLOAD_WARNING
 subdir = src/starter
-DIST_COMMON = README $(dist_man_MANS) $(srcdir)/Makefile.am \
-	$(srcdir)/Makefile.in
+DIST_COMMON = README $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/ltoptions.m4 \
@@ -56,7 +55,7 @@ am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 mkinstalldirs = $(install_sh) -d
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
-am__installdirs = "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man8dir)"
+am__installdirs = "$(DESTDIR)$(ipsecdir)"
 PROGRAMS = $(ipsec_PROGRAMS)
 am_starter_OBJECTS = y.tab.$(OBJEXT) netkey.$(OBJEXT) \
 	starterwhack.$(OBJEXT) starterstroke.$(OBJEXT) \
@@ -85,30 +84,6 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(starter_SOURCES)
 DIST_SOURCES = $(starter_SOURCES)
-am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
-am__vpath_adj = case $$p in \
-    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
-    *) f=$$p;; \
-  esac;
-am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
-am__install_max = 40
-am__nobase_strip_setup = \
-  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
-am__nobase_strip = \
-  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
-am__nobase_list = $(am__nobase_strip_setup); \
-  for p in $$list; do echo "$$p $$p"; done | \
-  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
-  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
-    if (++n[$$2] == $(am__install_max)) \
-      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
-    END { for (dir in files) print dir, files[dir] }'
-am__base_list = \
-  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
-  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
-man8dir = $(mandir)/man8
-NROFF = nroff
-MANS = $(dist_man_MANS)
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -231,9 +206,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -272,6 +245,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
@@ -304,7 +279,6 @@ AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" \
 	$(am__append_2) $(am__append_3)
 starter_LDADD = defs.o $(top_builddir)/src/libfreeswan/libfreeswan.a $(top_builddir)/src/libstrongswan/libstrongswan.la $(SOCKLIB)
 EXTRA_DIST = parser.l parser.y keywords.txt ipsec.conf
-dist_man_MANS = starter.8
 MAINTAINERCLEANFILES = lex.yy.c y.tab.c y.tab.h keywords.c
 PLUTODIR = $(top_srcdir)/src/pluto
 SCEPCLIENTDIR = $(top_srcdir)/src/scepclient
@@ -438,44 +412,6 @@ mostlyclean-libtool:
 
 clean-libtool:
 	-rm -rf .libs _libs
-install-man8: $(dist_man_MANS)
-	@$(NORMAL_INSTALL)
-	test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)"
-	@list=''; test -n "$(man8dir)" || exit 0; \
-	{ for i in $$list; do echo "$$i"; done; \
-	l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \
-	  sed -n '/\.8[a-z]*$$/p'; \
-	} | while read p; do \
-	  if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
-	  echo "$$d$$p"; echo "$$p"; \
-	done | \
-	sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \
-	      -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \
-	sed 'N;N;s,\n, ,g' | { \
-	list=; while read file base inst; do \
-	  if test "$$base" = "$$inst"; then list="$$list $$file"; else \
-	    echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \
-	    $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst" || exit $$?; \
-	  fi; \
-	done; \
-	for i in $$list; do echo "$$i"; done | $(am__base_list) | \
-	while read files; do \
-	  test -z "$$files" || { \
-	    echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man8dir)'"; \
-	    $(INSTALL_DATA) $$files "$(DESTDIR)$(man8dir)" || exit $$?; }; \
-	done; }
-
-uninstall-man8:
-	@$(NORMAL_UNINSTALL)
-	@list=''; test -n "$(man8dir)" || exit 0; \
-	files=`{ for i in $$list; do echo "$$i"; done; \
-	l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \
-	  sed -n '/\.8[a-z]*$$/p'; \
-	} | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \
-	      -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
-	test -z "$$files" || { \
-	  echo " ( cd '$(DESTDIR)$(man8dir)' && rm -f" $$files ")"; \
-	  cd "$(DESTDIR)$(man8dir)" && rm -f $$files; }
 
 ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
@@ -530,19 +466,6 @@ distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
 
 distdir: $(DISTFILES)
-	@list='$(MANS)'; if test -n "$$list"; then \
-	  list=`for p in $$list; do \
-	    if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
-	    if test -f "$$d$$p"; then echo "$$d$$p"; else :; fi; done`; \
-	  if test -n "$$list" && \
-	    grep 'ab help2man is required to generate this page' $$list >/dev/null; then \
-	    echo "error: found man pages containing the \`missing help2man' replacement text:" >&2; \
-	    grep -l 'ab help2man is required to generate this page' $$list | sed 's/^/         /' >&2; \
-	    echo "       to fix them, install help2man, remove and regenerate the man pages;" >&2; \
-	    echo "       typically \`make maintainer-clean' will remove them" >&2; \
-	    exit 1; \
-	  else :; fi; \
-	else :; fi
 	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
 	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
 	list='$(DISTFILES)'; \
@@ -574,9 +497,9 @@ distdir: $(DISTFILES)
 	done
 check-am: all-am
 check: check-am
-all-am: Makefile $(PROGRAMS) $(MANS)
+all-am: Makefile $(PROGRAMS)
 installdirs:
-	for dir in "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man8dir)"; do \
+	for dir in "$(DESTDIR)$(ipsecdir)"; do \
 	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
 	done
 install: install-am
@@ -628,7 +551,7 @@ info: info-am
 
 info-am:
 
-install-data-am: install-ipsecPROGRAMS install-man
+install-data-am: install-ipsecPROGRAMS
 
 install-dvi: install-dvi-am
 
@@ -644,7 +567,7 @@ install-info: install-info-am
 
 install-info-am:
 
-install-man: install-man8
+install-man:
 
 install-pdf: install-pdf-am
 
@@ -674,9 +597,7 @@ ps: ps-am
 
 ps-am:
 
-uninstall-am: uninstall-ipsecPROGRAMS uninstall-man
-
-uninstall-man: uninstall-man8
+uninstall-am: uninstall-ipsecPROGRAMS
 
 .MAKE: install-am install-strip
 
@@ -687,13 +608,12 @@ uninstall-man: uninstall-man8
 	install install-am install-data install-data-am install-dvi \
 	install-dvi-am install-exec install-exec-am install-exec-local \
 	install-html install-html-am install-info install-info-am \
-	install-ipsecPROGRAMS install-man install-man8 install-pdf \
-	install-pdf-am install-ps install-ps-am install-strip \
-	installcheck installcheck-am installdirs maintainer-clean \
+	install-ipsecPROGRAMS install-man install-pdf install-pdf-am \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs maintainer-clean \
 	maintainer-clean-generic mostlyclean mostlyclean-compile \
 	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	tags uninstall uninstall-am uninstall-ipsecPROGRAMS \
-	uninstall-man uninstall-man8
+	tags uninstall uninstall-am uninstall-ipsecPROGRAMS
 
 
 lex.yy.c:	$(srcdir)/parser.l $(srcdir)/parser.y $(srcdir)/parser.h y.tab.h
@@ -712,16 +632,16 @@ defs.o:		$(PLUTODIR)/defs.c $(PLUTODIR)/defs.h
 		$(COMPILE) -c -o $@ $(PLUTODIR)/defs.c
 
 install-exec-local :
-		test -e "$(DESTDIR)${sysconfdir}/ipsec.d" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d" || true
-		test -e "$(DESTDIR)${sysconfdir}/ipsec.d/cacerts" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/cacerts" || true
-		test -e "$(DESTDIR)${sysconfdir}/ipsec.d/ocspcerts" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/ocspcerts" || true
-		test -e "$(DESTDIR)${sysconfdir}/ipsec.d/certs" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/certs" || true
-		test -e "$(DESTDIR)${sysconfdir}/ipsec.d/acerts" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/acerts" || true
-		test -e "$(DESTDIR)${sysconfdir}/ipsec.d/aacerts" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/aacerts" || true
-		test -e "$(DESTDIR)${sysconfdir}/ipsec.d/crls" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/crls" || true
-		test -e "$(DESTDIR)${sysconfdir}/ipsec.d/reqs" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/reqs" || true
-		test -e "$(DESTDIR)${sysconfdir}/ipsec.d/private" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d -m 750 "$(DESTDIR)$(sysconfdir)/ipsec.d/private" || true
-		test -e "$(DESTDIR)$(sysconfdir)/ipsec.conf" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -m 644 $(srcdir)/ipsec.conf $(DESTDIR)$(sysconfdir)/ipsec.conf || true
+		test -e "$(DESTDIR)${sysconfdir}/ipsec.d" || $(INSTALL) -o -d "$(DESTDIR)$(sysconfdir)/ipsec.d" || true
+		test -e "$(DESTDIR)${sysconfdir}/ipsec.d/cacerts" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)/ipsec.d/cacerts" || true
+		test -e "$(DESTDIR)${sysconfdir}/ipsec.d/ocspcerts" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)/ipsec.d/ocspcerts" || true
+		test -e "$(DESTDIR)${sysconfdir}/ipsec.d/certs" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)/ipsec.d/certs" || true
+		test -e "$(DESTDIR)${sysconfdir}/ipsec.d/acerts" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)/ipsec.d/acerts" || true
+		test -e "$(DESTDIR)${sysconfdir}/ipsec.d/aacerts" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)/ipsec.d/aacerts" || true
+		test -e "$(DESTDIR)${sysconfdir}/ipsec.d/crls" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)/ipsec.d/crls" || true
+		test -e "$(DESTDIR)${sysconfdir}/ipsec.d/reqs" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)/ipsec.d/reqs" || true
+		test -e "$(DESTDIR)${sysconfdir}/ipsec.d/private" || $(INSTALL) -d -m 750 "$(DESTDIR)$(sysconfdir)/ipsec.d/private" || true
+		test -e "$(DESTDIR)$(sysconfdir)/ipsec.conf" || $(INSTALL) -m 644 $(srcdir)/ipsec.conf $(DESTDIR)$(sysconfdir)/ipsec.conf || true
 
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
diff --git a/src/starter/args.c b/src/starter/args.c
index 37d600283..87307f1aa 100644
--- a/src/starter/args.c
+++ b/src/starter/args.c
@@ -239,6 +239,7 @@ static const token_info_t token_info[] =
 	{ ARG_MISC, 0, NULL  /* KW_MARK */                                             },
 	{ ARG_MISC, 0, NULL  /* KW_MARK_IN */                                          },
 	{ ARG_MISC, 0, NULL  /* KW_MARK_OUT */                                         },
+	{ ARG_MISC, 0, NULL  /* KW_TFC */                                              },
 
 	/* ca section keywords */
 	{ ARG_STR,  offsetof(starter_ca_t, name), NULL                                 },
@@ -272,6 +273,7 @@ static const token_info_t token_info[] =
 	{ ARG_STR,  offsetof(starter_end_t, rsakey), NULL                              },
 	{ ARG_STR,  offsetof(starter_end_t, cert), NULL                                },
 	{ ARG_STR,  offsetof(starter_end_t, cert2), NULL                               },
+	{ ARG_STR,  offsetof(starter_end_t, cert_policy), NULL                         },
 	{ ARG_ENUM, offsetof(starter_end_t, sendcert), LST_sendcert                    },
 	{ ARG_STR,  offsetof(starter_end_t, ca), NULL                                  },
 	{ ARG_STR,  offsetof(starter_end_t, ca2), NULL                                 },
diff --git a/src/starter/confread.c b/src/starter/confread.c
index 3367616ca..1e7daa6a9 100644
--- a/src/starter/confread.c
+++ b/src/starter/confread.c
@@ -705,6 +705,23 @@ static void load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg
 				cfg->err++;
 			}
 			break;
+		case KW_TFC:
+			if (streq(kw->value, "%mtu"))
+			{
+				conn->tfc = -1;
+			}
+			else
+			{
+				char *endptr;
+
+				conn->tfc = strtoul(kw->value, &endptr, 10);
+				if (*endptr != '\0')
+				{
+					plog("# bad integer value: %s=%s", kw->entry->name, kw->value);
+					cfg->err++;
+				}
+			}
+			break;
 		case KW_KEYINGTRIES:
 			if (streq(kw->value, "%forever"))
 			{
diff --git a/src/starter/confread.h b/src/starter/confread.h
index 982d1d206..4f9c5f7d0 100644
--- a/src/starter/confread.h
+++ b/src/starter/confread.h
@@ -64,6 +64,7 @@ struct starter_end {
 		char            *ca;
 		char            *ca2;
 		char            *groups;
+		char            *cert_policy;
 		char            *iface;
 		ip_address      addr;
 		u_int           ikeport;
@@ -125,6 +126,7 @@ struct starter_conn {
 		u_int32_t       reqid;
 		mark_t          mark_in;
 		mark_t          mark_out;
+		u_int32_t       tfc;
 		sa_family_t     addr_family;
 		sa_family_t     tunnel_addr_family;
 		bool            install_policy;
diff --git a/src/starter/keywords.c b/src/starter/keywords.c
index 0c24c7dcf..340b7131d 100644
--- a/src/starter/keywords.c
+++ b/src/starter/keywords.c
@@ -54,12 +54,12 @@ struct kw_entry {
     kw_token_t token;
 };
 
-#define TOTAL_KEYWORDS 127
+#define TOTAL_KEYWORDS 130
 #define MIN_WORD_LENGTH 3
 #define MAX_WORD_LENGTH 17
-#define MIN_HASH_VALUE 12
-#define MAX_HASH_VALUE 238
-/* maximum key range = 227, duplicates = 0 */
+#define MIN_HASH_VALUE 18
+#define MAX_HASH_VALUE 249
+/* maximum key range = 232, duplicates = 0 */
 
 #ifdef __GNUC__
 __inline
@@ -75,32 +75,32 @@ hash (str, len)
 {
   static const unsigned char asso_values[] =
     {
-      239, 239, 239, 239, 239, 239, 239, 239, 239, 239,
-      239, 239, 239, 239, 239, 239, 239, 239, 239, 239,
-      239, 239, 239, 239, 239, 239, 239, 239, 239, 239,
-      239, 239, 239, 239, 239, 239, 239, 239, 239, 239,
-      239, 239, 239, 239, 239, 239, 239, 239, 239,   2,
-      104, 239, 239, 239, 239, 239, 239, 239, 239, 239,
-      239, 239, 239, 239, 239, 239, 239, 239, 239, 239,
-      239, 239, 239, 239, 239, 239, 239, 239, 239, 239,
-      239, 239, 239, 239, 239, 239, 239, 239, 239, 239,
-      239, 239, 239, 239, 239,  15, 239,  20,  14,  58,
-       51,   1,   7,   1,  81,   1, 239, 132,  47,   4,
-        1,  49,  10,   9,  23,   1,  20,  48,   4, 239,
-      239,  35,   1, 239, 239, 239, 239, 239, 239, 239,
-      239, 239, 239, 239, 239, 239, 239, 239, 239, 239,
-      239, 239, 239, 239, 239, 239, 239, 239, 239, 239,
-      239, 239, 239, 239, 239, 239, 239, 239, 239, 239,
-      239, 239, 239, 239, 239, 239, 239, 239, 239, 239,
-      239, 239, 239, 239, 239, 239, 239, 239, 239, 239,
-      239, 239, 239, 239, 239, 239, 239, 239, 239, 239,
-      239, 239, 239, 239, 239, 239, 239, 239, 239, 239,
-      239, 239, 239, 239, 239, 239, 239, 239, 239, 239,
-      239, 239, 239, 239, 239, 239, 239, 239, 239, 239,
-      239, 239, 239, 239, 239, 239, 239, 239, 239, 239,
-      239, 239, 239, 239, 239, 239, 239, 239, 239, 239,
-      239, 239, 239, 239, 239, 239, 239, 239, 239, 239,
-      239, 239, 239, 239, 239, 239
+      250, 250, 250, 250, 250, 250, 250, 250, 250, 250,
+      250, 250, 250, 250, 250, 250, 250, 250, 250, 250,
+      250, 250, 250, 250, 250, 250, 250, 250, 250, 250,
+      250, 250, 250, 250, 250, 250, 250, 250, 250, 250,
+      250, 250, 250, 250, 250, 250, 250, 250, 250,  11,
+      125, 250, 250, 250, 250, 250, 250, 250, 250, 250,
+      250, 250, 250, 250, 250, 250, 250, 250, 250, 250,
+      250, 250, 250, 250, 250, 250, 250, 250, 250, 250,
+      250, 250, 250, 250, 250, 250, 250, 250, 250, 250,
+      250, 250, 250, 250, 250,  20, 250,  18,   6,  55,
+       59,   3,   9,   3,  92,   3, 250, 147,  71,  12,
+       29,  83,  38,   4,  13,   3,   8,  80,   3, 250,
+      250,  12,   9, 250, 250, 250, 250, 250, 250, 250,
+      250, 250, 250, 250, 250, 250, 250, 250, 250, 250,
+      250, 250, 250, 250, 250, 250, 250, 250, 250, 250,
+      250, 250, 250, 250, 250, 250, 250, 250, 250, 250,
+      250, 250, 250, 250, 250, 250, 250, 250, 250, 250,
+      250, 250, 250, 250, 250, 250, 250, 250, 250, 250,
+      250, 250, 250, 250, 250, 250, 250, 250, 250, 250,
+      250, 250, 250, 250, 250, 250, 250, 250, 250, 250,
+      250, 250, 250, 250, 250, 250, 250, 250, 250, 250,
+      250, 250, 250, 250, 250, 250, 250, 250, 250, 250,
+      250, 250, 250, 250, 250, 250, 250, 250, 250, 250,
+      250, 250, 250, 250, 250, 250, 250, 250, 250, 250,
+      250, 250, 250, 250, 250, 250, 250, 250, 250, 250,
+      250, 250, 250, 250, 250, 250
     };
   register int hval = len;
 
@@ -124,160 +124,164 @@ hash (str, len)
 static const struct kw_entry wordlist[] =
   {
     {"pfs",               KW_PFS},
-    {"uniqueids",         KW_UNIQUEIDS},
-    {"rightgroups",       KW_RIGHTGROUPS},
-    {"lifetime",          KW_KEYLIFE},
-    {"rightsubnetwithin", KW_RIGHTSUBNETWITHIN},
-    {"rightnatip",        KW_RIGHTNATIP},
-    {"esp",               KW_ESP},
-    {"rightnexthop",      KW_RIGHTNEXTHOP},
-    {"rightsourceip",     KW_RIGHTSOURCEIP},
     {"right",             KW_RIGHT},
-    {"leftupdown",        KW_LEFTUPDOWN},
-    {"leftnexthop",       KW_LEFTNEXTHOP},
+    {"rightgroups",       KW_RIGHTGROUPS},
     {"left",              KW_LEFT},
-    {"keep_alive",        KW_KEEP_ALIVE},
+    {"lifetime",          KW_KEYLIFE},
     {"rightsubnet",       KW_RIGHTSUBNET},
     {"rightikeport",      KW_RIGHTIKEPORT},
     {"rightsendcert",     KW_RIGHTSENDCERT},
-    {"leftcert",          KW_LEFTCERT,},
-    {"interfaces",        KW_INTERFACES},
-    {"lifepackets",       KW_LIFEPACKETS},
-    {"leftsendcert",      KW_LEFTSENDCERT},
-    {"leftgroups",        KW_LEFTGROUPS},
-    {"eap",               KW_EAP},
-    {"rightprotoport",    KW_RIGHTPROTOPORT},
-    {"leftnatip",         KW_LEFTNATIP},
+    {"leftcert",          KW_LEFTCERT},
     {"keyingtries",       KW_KEYINGTRIES},
-    {"type",              KW_TYPE},
     {"keylife",           KW_KEYLIFE},
-    {"mark_in",           KW_MARK_IN},
+    {"leftsendcert",      KW_LEFTSENDCERT},
     {"lifebytes",         KW_LIFEBYTES},
-    {"leftca",            KW_LEFTCA},
-    {"margintime",        KW_REKEYMARGIN},
-    {"marginbytes",       KW_MARGINBYTES},
+    {"keep_alive",        KW_KEEP_ALIVE},
+    {"leftgroups",        KW_LEFTGROUPS},
     {"leftrsasigkey",     KW_LEFTRSASIGKEY},
-    {"marginpackets",     KW_MARGINPACKETS},
+    {"leftcertpolicy",    KW_LEFTCERTPOLICY},
     {"certuribase",       KW_CERTURIBASE},
-    {"virtual_private",   KW_VIRTUAL_PRIVATE},
-    {"rightid",           KW_RIGHTID},
-    {"rightupdown",       KW_RIGHTUPDOWN},
-    {"compress",          KW_COMPRESS},
+    {"lifepackets",       KW_LIFEPACKETS},
+    {"rightrsasigkey",    KW_RIGHTRSASIGKEY},
     {"leftprotoport",     KW_LEFTPROTOPORT},
-    {"overridemtu",       KW_OVERRIDEMTU},
+    {"uniqueids",         KW_UNIQUEIDS},
+    {"rightallowany",     KW_RIGHTALLOWANY},
+    {"virtual_private",   KW_VIRTUAL_PRIVATE},
+    {"leftca",            KW_LEFTCA},
+    {"rightsubnetwithin", KW_RIGHTSUBNETWITHIN},
+    {"strictcrlpolicy",   KW_STRICTCRLPOLICY},
+    {"type",              KW_TYPE},
+    {"interfaces",        KW_INTERFACES},
+    {"rightsourceip",     KW_RIGHTSOURCEIP},
+    {"leftnexthop",       KW_LEFTNEXTHOP},
+    {"rightprotoport",    KW_RIGHTPROTOPORT},
+    {"mark_in",           KW_MARK_IN},
     {"reqid",             KW_REQID},
     {"inactivity",        KW_INACTIVITY},
+    {"margintime",        KW_REKEYMARGIN},
+    {"marginbytes",       KW_MARGINBYTES},
+    {"rightid",           KW_RIGHTID},
+    {"marginpackets",     KW_MARGINPACKETS},
+    {"leftnatip",         KW_LEFTNATIP},
+    {"rightcert",         KW_RIGHTCERT},
+    {"ocspuri",           KW_OCSPURI},
+    {"esp",               KW_ESP},
+    {"rightnatip",        KW_RIGHTNATIP},
+    {"keyexchange",       KW_KEYEXCHANGE},
+    {"rightnexthop",      KW_RIGHTNEXTHOP},
+    {"rightca",           KW_RIGHTCA},
+    {"rightcertpolicy",   KW_RIGHTCERTPOLICY},
+    {"leftupdown",        KW_LEFTUPDOWN},
+    {"ocspuri1",          KW_OCSPURI},
+    {"mediated_by",       KW_MEDIATED_BY},
+    {"me_peerid",         KW_ME_PEERID},
+    {"cacert",            KW_CACERT},
+    {"crluri",            KW_CRLURI},
+    {"eap",               KW_EAP},
     {"leftfirewall",      KW_LEFTFIREWALL},
     {"rightfirewall",     KW_RIGHTFIREWALL},
-    {"rightallowany",     KW_RIGHTALLOWANY},
+    {"overridemtu",       KW_OVERRIDEMTU},
     {"mobike",	           KW_MOBIKE},
-    {"lefthostaccess",    KW_LEFTHOSTACCESS},
-    {"leftsubnetwithin",  KW_LEFTSUBNETWITHIN},
-    {"rightrsasigkey",    KW_RIGHTRSASIGKEY},
-    {"pfsgroup",          KW_PFSGROUP},
-    {"me_peerid",         KW_ME_PEERID},
-    {"crluri",            KW_CRLURI},
-    {"leftsourceip",      KW_LEFTSOURCEIP},
+    {"packetdefault",     KW_PACKETDEFAULT},
     {"crluri1",           KW_CRLURI},
+    {"ldapbase",          KW_LDAPBASE},
+    {"leftallowany",      KW_LEFTALLOWANY},
     {"mediation",         KW_MEDIATION},
-    {"dumpdir",           KW_DUMPDIR},
-    {"forceencaps",       KW_FORCEENCAPS},
+    {"compress",          KW_COMPRESS},
     {"leftsubnet",        KW_LEFTSUBNET},
-    {"rightca",           KW_RIGHTCA},
-    {"rightcert",         KW_RIGHTCERT},
-    {"ocspuri",           KW_OCSPURI},
-    {"dpdaction",         KW_DPDACTION},
-    {"ocspuri1",          KW_OCSPURI},
+    {"lefthostaccess",    KW_LEFTHOSTACCESS},
+    {"forceencaps",       KW_FORCEENCAPS},
+    {"dumpdir",           KW_DUMPDIR},
+    {"righthostaccess",   KW_RIGHTHOSTACCESS},
+    {"authby",            KW_AUTHBY},
+    {"aaa_identity",      KW_AAA_IDENTITY},
+    {"tfc",               KW_TFC},
+    {"nat_traversal",     KW_NAT_TRAVERSAL},
+    {"rightauth",         KW_RIGHTAUTH},
+    {"rightupdown",       KW_RIGHTUPDOWN},
     {"dpdtimeout",        KW_DPDTIMEOUT},
     {"installpolicy",     KW_INSTALLPOLICY},
-    {"righthostaccess",   KW_RIGHTHOSTACCESS},
-    {"ldapbase",          KW_LDAPBASE},
-    {"also",              KW_ALSO},
-    {"leftallowany",      KW_LEFTALLOWANY},
+    {"mark_out",          KW_MARK_OUT},
+    {"fragicmp",          KW_FRAGICMP},
     {"force_keepalive",   KW_FORCE_KEEPALIVE},
-    {"keyexchange",       KW_KEYEXCHANGE},
-    {"hidetos",           KW_HIDETOS},
-    {"klipsdebug",        KW_KLIPSDEBUG},
-    {"plutostderrlog",    KW_PLUTOSTDERRLOG},
-    {"rightauth",         KW_RIGHTAUTH},
-    {"strictcrlpolicy",   KW_STRICTCRLPOLICY},
-    {"charondebug",       KW_CHARONDEBUG},
-    {"rightid2",          KW_RIGHTID2},
     {"leftid",            KW_LEFTID},
-    {"mediated_by",       KW_MEDIATED_BY},
-    {"fragicmp",          KW_FRAGICMP},
-    {"mark_out",          KW_MARK_OUT},
-    {"auto",              KW_AUTO},
-    {"leftcert2",         KW_LEFTCERT2,},
-    {"nat_traversal",     KW_NAT_TRAVERSAL},
-    {"cacert",            KW_CACERT},
-    {"plutostart",        KW_PLUTOSTART},
+    {"leftsubnetwithin",  KW_LEFTSUBNETWITHIN},
     {"eap_identity",      KW_EAP_IDENTITY},
-    {"prepluto",          KW_PREPLUTO},
-    {"packetdefault",     KW_PACKETDEFAULT},
+    {"cachecrls",         KW_CACHECRLS},
+    {"pfsgroup",          KW_PFSGROUP},
+    {"rightid2",          KW_RIGHTID2},
+    {"dpdaction",         KW_DPDACTION},
     {"xauth_identity",    KW_XAUTH_IDENTITY},
+    {"leftsourceip",      KW_LEFTSOURCEIP},
+    {"klipsdebug",        KW_KLIPSDEBUG},
+    {"leftcert2",         KW_LEFTCERT2},
+    {"charondebug",       KW_CHARONDEBUG},
+    {"hidetos",           KW_HIDETOS},
+    {"ike",               KW_IKE},
     {"charonstart",       KW_CHARONSTART},
-    {"crlcheckinterval",  KW_CRLCHECKINTERVAL},
     {"rightauth2",        KW_RIGHTAUTH2},
-    {"ike",               KW_IKE},
-    {"aaa_identity",      KW_AAA_IDENTITY},
+    {"also",              KW_ALSO},
     {"leftca2",           KW_LEFTCA2},
-    {"authby",            KW_AUTHBY},
-    {"leftauth",          KW_LEFTAUTH},
-    {"cachecrls",         KW_CACHECRLS},
+    {"rekey",             KW_REKEY},
+    {"plutostderrlog",    KW_PLUTOSTDERRLOG},
+    {"plutostart",        KW_PLUTOSTART},
+    {"ikelifetime",       KW_IKELIFETIME},
+    {"crlcheckinterval",  KW_CRLCHECKINTERVAL},
+    {"auto",              KW_AUTO},
     {"ldaphost",          KW_LDAPHOST},
-    {"rekeymargin",       KW_REKEYMARGIN},
     {"rekeyfuzz",         KW_REKEYFUZZ},
-    {"dpddelay",          KW_DPDDELAY},
-    {"ikelifetime",       KW_IKELIFETIME},
-    {"auth",              KW_AUTH},
-    {"xauth",             KW_XAUTH},
-    {"postpluto",         KW_POSTPLUTO},
-    {"plutodebug",        KW_PLUTODEBUG},
-    {"modeconfig",        KW_MODECONFIG},
-    {"nocrsend",          KW_NOCRSEND},
-    {"leftauth2",         KW_LEFTAUTH2},
-    {"leftid2",           KW_LEFTID2},
     {"leftikeport",       KW_LEFTIKEPORT},
+    {"mark",              KW_MARK},
+    {"auth",              KW_AUTH},
+    {"prepluto",          KW_PREPLUTO},
+    {"dpddelay",          KW_DPDDELAY},
+    {"leftauth",          KW_LEFTAUTH},
     {"rightca2",          KW_RIGHTCA2},
-    {"rekey",             KW_REKEY},
+    {"xauth",             KW_XAUTH},
     {"rightcert2",        KW_RIGHTCERT2},
-    {"mark",              KW_MARK},
-    {"crluri2",           KW_CRLURI2},
-    {"reauth",            KW_REAUTH},
+    {"rekeymargin",       KW_REKEYMARGIN},
+    {"leftid2",           KW_LEFTID2},
     {"ocspuri2",          KW_OCSPURI2},
+    {"nocrsend",          KW_NOCRSEND},
+    {"reauth",            KW_REAUTH},
+    {"crluri2",           KW_CRLURI2},
+    {"plutodebug",        KW_PLUTODEBUG},
+    {"leftauth2",         KW_LEFTAUTH2},
     {"pkcs11module",      KW_PKCS11MODULE},
     {"pkcs11initargs",    KW_PKCS11INITARGS},
     {"pkcs11keepstate",   KW_PKCS11KEEPSTATE},
-    {"pkcs11proxy",       KW_PKCS11PROXY}
+    {"pkcs11proxy",       KW_PKCS11PROXY},
+    {"modeconfig",        KW_MODECONFIG},
+    {"postpluto",         KW_POSTPLUTO}
   };
 
 static const short lookup[] =
   {
      -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,
-     -1,  -1,   0,   1,  -1,   2,  -1,  -1,   3,  -1,
-     -1,   4,  -1,   5,   6,   7,   8,   9,  -1,  10,
-     11,  -1,  12,  13,  14,  15,  16,  17,  -1,  18,
-     19,  20,  21,  22,  -1,  -1,  23,  24,  -1,  25,
-     26,  27,  28,  29,  30,  31,  32,  33,  34,  35,
-     36,  37,  38,  39,  40,  41,  42,  43,  44,  45,
-     46,  47,  48,  49,  50,  51,  -1,  52,  53,  54,
-     55,  -1,  56,  57,  -1,  58,  59,  60,  -1,  61,
-     62,  63,  64,  -1,  -1,  65,  -1,  66,  -1,  67,
-     68,  69,  70,  71,  -1,  -1,  72,  -1,  -1,  73,
-     74,  75,  76,  77,  78,  79,  80,  -1,  81,  82,
-     83,  84,  85,  86,  87,  -1,  88,  -1,  89,  90,
-     -1,  91,  92,  93,  94,  -1,  95,  96,  97,  98,
-     -1,  -1,  -1,  -1,  99, 100, 101,  -1, 102, 103,
-    104, 105, 106, 107, 108, 109,  -1, 110,  -1,  -1,
-    111,  -1,  -1,  -1,  -1,  -1,  -1, 112,  -1, 113,
-    114, 115, 116, 117, 118,  -1,  -1,  -1,  -1, 119,
-     -1,  -1, 120,  -1,  -1,  -1,  -1,  -1,  -1, 121,
-     -1,  -1,  -1,  -1, 122,  -1,  -1,  -1,  -1,  -1,
-     -1,  -1,  -1,  -1,  -1, 123,  -1, 124, 125,  -1,
-     -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,
-     -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,
-     -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1, 126
+     -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,   0,   1,
+     -1,  -1,  -1,   2,   3,  -1,   4,  -1,   5,   6,
+      7,   8,   9,  -1,  10,  11,  12,  13,  14,  -1,
+     15,  16,  -1,  17,  18,  19,  20,  21,  -1,  22,
+     -1,  -1,  23,  -1,  24,  25,  26,  27,  -1,  28,
+     29,  -1,  -1,  -1,  30,  -1,  31,  -1,  -1,  -1,
+     32,  33,  34,  35,  36,  37,  38,  39,  40,  -1,
+     -1,  41,  42,  43,  44,  45,  46,  -1,  47,  48,
+     49,  -1,  -1,  50,  51,  52,  53,  54,  55,  56,
+     57,  58,  59,  -1,  -1,  60,  61,  62,  63,  64,
+     65,  -1,  66,  67,  -1,  68,  69,  -1,  70,  71,
+     -1,  -1,  72,  73,  -1,  74,  75,  76,  77,  -1,
+     78,  -1,  79,  -1,  80,  -1,  81,  82,  -1,  83,
+     84,  85,  86,  87,  88,  89,  90,  -1,  -1,  91,
+     -1,  -1,  -1,  92,  -1,  93,  94,  -1,  95,  96,
+     -1,  97,  98,  -1,  -1,  -1,  -1,  99,  -1,  -1,
+     -1, 100, 101, 102, 103, 104, 105, 106, 107,  -1,
+     -1,  -1, 108,  -1, 109,  -1,  -1, 110, 111,  -1,
+     -1,  -1, 112,  -1, 113, 114, 115,  -1,  -1,  -1,
+     -1,  -1, 116, 117, 118,  -1,  -1,  -1, 119,  -1,
+     -1, 120,  -1,  -1,  -1,  -1,  -1,  -1,  -1, 121,
+     -1,  -1,  -1, 122,  -1,  -1, 123,  -1, 124,  -1,
+    125, 126,  -1,  -1,  -1,  -1, 127,  -1, 128,  -1,
+     -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1, 129
   };
 
 #ifdef __GNUC__
diff --git a/src/starter/keywords.h b/src/starter/keywords.h
index 1dae65a99..9f46a8b4b 100644
--- a/src/starter/keywords.h
+++ b/src/starter/keywords.h
@@ -102,9 +102,10 @@ typedef enum {
 	KW_MARK,
 	KW_MARK_IN,
 	KW_MARK_OUT,
+	KW_TFC,
 
 #define KW_CONN_FIRST   KW_CONN_SETUP
-#define KW_CONN_LAST    KW_MARK_OUT
+#define KW_CONN_LAST    KW_TFC
 
    /* ca section keywords */
 	KW_CA_NAME,
@@ -141,6 +142,7 @@ typedef enum {
 	KW_RSASIGKEY,
 	KW_CERT,
 	KW_CERT2,
+	KW_CERTPOLICY,
 	KW_SENDCERT,
 	KW_CA,
 	KW_CA2,
@@ -170,6 +172,7 @@ typedef enum {
 	KW_LEFTRSASIGKEY,
 	KW_LEFTCERT,
 	KW_LEFTCERT2,
+	KW_LEFTCERTPOLICY,
 	KW_LEFTSENDCERT,
 	KW_LEFTCA,
 	KW_LEFTCA2,
@@ -198,6 +201,7 @@ typedef enum {
 	KW_RIGHTRSASIGKEY,
 	KW_RIGHTCERT,
 	KW_RIGHTCERT2,
+	KW_RIGHTCERTPOLICY,
 	KW_RIGHTSENDCERT,
 	KW_RIGHTCA,
 	KW_RIGHTCA2,
diff --git a/src/starter/keywords.txt b/src/starter/keywords.txt
index 06705635a..2c0e5de3d 100644
--- a/src/starter/keywords.txt
+++ b/src/starter/keywords.txt
@@ -93,6 +93,7 @@ reqid,             KW_REQID
 mark,              KW_MARK
 mark_in,           KW_MARK_IN
 mark_out,          KW_MARK_OUT
+tfc,               KW_TFC
 cacert,            KW_CACERT
 ldaphost,          KW_LDAPHOST
 ldapbase,          KW_LDAPBASE
@@ -120,8 +121,9 @@ leftid2,           KW_LEFTID2
 leftauth,          KW_LEFTAUTH
 leftauth2,         KW_LEFTAUTH2
 leftrsasigkey,     KW_LEFTRSASIGKEY
-leftcert,          KW_LEFTCERT,
-leftcert2,         KW_LEFTCERT2,
+leftcert,          KW_LEFTCERT
+leftcert2,         KW_LEFTCERT2
+leftcertpolicy,    KW_LEFTCERTPOLICY
 leftsendcert,      KW_LEFTSENDCERT
 leftca,            KW_LEFTCA
 leftca2,           KW_LEFTCA2
@@ -145,6 +147,7 @@ rightauth2,        KW_RIGHTAUTH2
 rightrsasigkey,    KW_RIGHTRSASIGKEY
 rightcert,         KW_RIGHTCERT
 rightcert2,        KW_RIGHTCERT2
+rightcertpolicy,   KW_RIGHTCERTPOLICY
 rightsendcert,     KW_RIGHTSENDCERT
 rightca,           KW_RIGHTCA
 rightca2,          KW_RIGHTCA2
diff --git a/src/starter/starter.8 b/src/starter/starter.8
deleted file mode 100644
index e69de29bb..000000000
diff --git a/src/starter/starterstroke.c b/src/starter/starterstroke.c
index 9ba569d47..f251667c7 100644
--- a/src/starter/starterstroke.c
+++ b/src/starter/starterstroke.c
@@ -171,6 +171,7 @@ static void starter_stroke_add_end(stroke_msg_t *msg, stroke_end_t *msg_end, sta
 	msg_end->id2 = push_string(msg, conn_end->id2);
 	msg_end->cert = push_string(msg, conn_end->cert);
 	msg_end->cert2 = push_string(msg, conn_end->cert2);
+	msg_end->cert_policy = push_string(msg, conn_end->cert_policy);
 	msg_end->ca = push_string(msg, conn_end->ca);
 	msg_end->ca2 = push_string(msg, conn_end->ca2);
 	msg_end->groups = push_string(msg, conn_end->groups);
@@ -266,6 +267,7 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
 	msg.add_conn.mark_in.mask = conn->mark_in.mask;
 	msg.add_conn.mark_out.value = conn->mark_out.value;
 	msg.add_conn.mark_out.mask = conn->mark_out.mask;
+	msg.add_conn.tfc = conn->tfc;
 
 	starter_stroke_add_end(&msg, &msg.add_conn.me, &conn->left);
 	starter_stroke_add_end(&msg, &msg.add_conn.other, &conn->right);
diff --git a/src/stroke/Makefile.in b/src/stroke/Makefile.in
index c490be114..d621f21ca 100644
--- a/src/stroke/Makefile.in
+++ b/src/stroke/Makefile.in
@@ -197,9 +197,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -238,6 +236,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/stroke/stroke.c b/src/stroke/stroke.c
index 103617f08..a88fa10d7 100644
--- a/src/stroke/stroke.c
+++ b/src/stroke/stroke.c
@@ -197,6 +197,16 @@ static int terminate_connection_srcip(char *start, char *end)
 	return send_stroke_msg(&msg);
 }
 
+static int rekey_connection(char *name)
+{
+	stroke_msg_t msg;
+
+	msg.type = STR_REKEY;
+	msg.length = offsetof(stroke_msg_t, buffer);
+	msg.rekey.name = push_string(&msg, name);
+	return send_stroke_msg(&msg);
+}
+
 static int route_connection(char *name)
 {
 	stroke_msg_t msg;
@@ -276,6 +286,8 @@ static int reread(stroke_keyword_t kw)
 static int purge_flags[] = {
 	PURGE_OCSP,
 	PURGE_IKE,
+	PURGE_CRLS,
+	PURGE_CERTS,
 };
 
 static int purge(stroke_keyword_t kw)
@@ -373,6 +385,10 @@ static void exit_usage(char *error)
 	printf("    stroke rereadsecrets|rereadcrls|rereadall\n");
 	printf("  Purge ocsp cache entries:\n");
 	printf("    stroke purgeocsp\n");
+	printf("  Purge CRL cache entries:\n");
+	printf("    stroke purgecrls\n");
+	printf("  Purge X509 cache entries:\n");
+	printf("    stroke purgecerts\n");
 	printf("  Purge IKE_SAs without a CHILD_SA:\n");
 	printf("    stroke purgeike\n");
 	printf("  Export credentials to the console:\n");
@@ -443,6 +459,13 @@ int main(int argc, char *argv[])
 			}
 			res = terminate_connection_srcip(argv[2], argc > 3 ? argv[3] : NULL);
 			break;
+		case STROKE_REKEY:
+			if (argc < 3)
+			{
+				exit_usage("\"rekey\" needs a connection name");
+			}
+			res = rekey_connection(argv[2]);
+			break;
 		case STROKE_ROUTE:
 			if (argc < 3)
 			{
@@ -491,6 +514,8 @@ int main(int argc, char *argv[])
 			res = reread(token->kw);
 			break;
 		case STROKE_PURGE_OCSP:
+		case STROKE_PURGE_CRLS:
+		case STROKE_PURGE_CERTS:
 		case STROKE_PURGE_IKE:
 			res = purge(token->kw);
 			break;
diff --git a/src/stroke/stroke_keywords.c b/src/stroke/stroke_keywords.c
index c2d79176e..b43f4b475 100644
--- a/src/stroke/stroke_keywords.c
+++ b/src/stroke/stroke_keywords.c
@@ -54,12 +54,12 @@ struct stroke_token {
     stroke_keyword_t kw;
 };
 
-#define TOTAL_KEYWORDS 34
+#define TOTAL_KEYWORDS 37
 #define MIN_WORD_LENGTH 2
 #define MAX_WORD_LENGTH 15
-#define MIN_HASH_VALUE 3
-#define MAX_HASH_VALUE 39
-/* maximum key range = 37, duplicates = 0 */
+#define MIN_HASH_VALUE 2
+#define MAX_HASH_VALUE 42
+/* maximum key range = 41, duplicates = 0 */
 
 #ifdef __GNUC__
 __inline
@@ -75,32 +75,32 @@ hash (str, len)
 {
   static const unsigned char asso_values[] =
     {
-      40, 40, 40, 40, 40, 40, 40, 40, 40, 40,
-      40, 40, 40, 40, 40, 40, 40, 40, 40, 40,
-      40, 40, 40, 40, 40, 40, 40, 40, 40, 40,
-      40, 40, 40, 40, 40, 40, 40, 40, 40, 40,
-      40, 40, 40, 40, 40, 18, 40, 40, 40, 40,
-      40, 40, 40, 40, 40, 40, 40, 40, 40, 40,
-      40, 40, 40, 40, 40, 40, 40, 40, 40, 40,
-      40, 40, 40, 40, 40, 40, 40, 40, 40, 40,
-      40, 40, 40, 40, 40, 40, 40, 40, 40, 40,
-      40, 40, 40, 40, 40, 40, 40,  0,  4,  1,
-       1,  0, 40, 17, 40, 20, 40,  3,  0, 40,
-      40, 12, 19, 40,  6,  3, 20, 12, 40, 40,
-      10, 40, 40, 40, 40, 40, 40, 40, 40, 40,
-      40, 40, 40, 40, 40, 40, 40, 40, 40, 40,
-      40, 40, 40, 40, 40, 40, 40, 40, 40, 40,
-      40, 40, 40, 40, 40, 40, 40, 40, 40, 40,
-      40, 40, 40, 40, 40, 40, 40, 40, 40, 40,
-      40, 40, 40, 40, 40, 40, 40, 40, 40, 40,
-      40, 40, 40, 40, 40, 40, 40, 40, 40, 40,
-      40, 40, 40, 40, 40, 40, 40, 40, 40, 40,
-      40, 40, 40, 40, 40, 40, 40, 40, 40, 40,
-      40, 40, 40, 40, 40, 40, 40, 40, 40, 40,
-      40, 40, 40, 40, 40, 40, 40, 40, 40, 40,
-      40, 40, 40, 40, 40, 40, 40, 40, 40, 40,
-      40, 40, 40, 40, 40, 40, 40, 40, 40, 40,
-      40, 40, 40, 40, 40, 40
+      43, 43, 43, 43, 43, 43, 43, 43, 43, 43,
+      43, 43, 43, 43, 43, 43, 43, 43, 43, 43,
+      43, 43, 43, 43, 43, 43, 43, 43, 43, 43,
+      43, 43, 43, 43, 43, 43, 43, 43, 43, 43,
+      43, 43, 43, 43, 43, 20, 43, 43, 43, 43,
+      43, 43, 43, 43, 43, 43, 43, 43, 43, 43,
+      43, 43, 43, 43, 43, 43, 43, 43, 43, 43,
+      43, 43, 43, 43, 43, 43, 43, 43, 43, 43,
+      43, 43, 43, 43, 43, 43, 43, 43, 43, 43,
+      43, 43, 43, 43, 43, 43, 43,  0, 23,  1,
+       1, 15, 43, 21, 43, 23, 43,  9,  0, 43,
+      43, 10,  2, 43,  6,  5,  1,  0, 43, 43,
+       2, 19, 43, 43, 43, 43, 43, 43, 43, 43,
+      43, 43, 43, 43, 43, 43, 43, 43, 43, 43,
+      43, 43, 43, 43, 43, 43, 43, 43, 43, 43,
+      43, 43, 43, 43, 43, 43, 43, 43, 43, 43,
+      43, 43, 43, 43, 43, 43, 43, 43, 43, 43,
+      43, 43, 43, 43, 43, 43, 43, 43, 43, 43,
+      43, 43, 43, 43, 43, 43, 43, 43, 43, 43,
+      43, 43, 43, 43, 43, 43, 43, 43, 43, 43,
+      43, 43, 43, 43, 43, 43, 43, 43, 43, 43,
+      43, 43, 43, 43, 43, 43, 43, 43, 43, 43,
+      43, 43, 43, 43, 43, 43, 43, 43, 43, 43,
+      43, 43, 43, 43, 43, 43, 43, 43, 43, 43,
+      43, 43, 43, 43, 43, 43, 43, 43, 43, 43,
+      43, 43, 43, 43, 43, 43
     };
   register int hval = len;
 
@@ -125,47 +125,51 @@ hash (str, len)
 
 static const struct stroke_token wordlist[] =
   {
+    {"up",              STROKE_UP},
     {"add",             STROKE_ADD},
     {"del",             STROKE_DEL},
     {"down",            STROKE_DOWN},
-    {"leases",          STROKE_LEASES},
     {"listall",         STROKE_LIST_ALL},
-    {"loglevel",        STROKE_LOGLEVEL},
+    {"delete",          STROKE_DELETE},
     {"listcrls",        STROKE_LIST_CRLS},
-    {"listacerts",      STROKE_LIST_ACERTS},
-    {"route",           STROKE_ROUTE},
+    {"status",          STROKE_STATUS},
     {"listaacerts",     STROKE_LIST_AACERTS},
     {"listcacerts",     STROKE_LIST_CACERTS},
-    {"up",              STROKE_UP},
+    {"statusall",       STROKE_STATUSALL},
     {"rereadall",       STROKE_REREAD_ALL},
     {"listcerts",       STROKE_LIST_CERTS},
     {"rereadcrls",      STROKE_REREAD_CRLS},
     {"rereadacerts",    STROKE_REREAD_ACERTS},
     {"rereadaacerts",   STROKE_REREAD_AACERTS},
     {"rereadcacerts",   STROKE_REREAD_CACERTS},
-    {"status",          STROKE_STATUS},
-    {"rereadsecrets",   STROKE_REREAD_SECRETS},
+    {"leases",          STROKE_LEASES},
+    {"unroute",         STROKE_UNROUTE},
     {"listocsp",        STROKE_LIST_OCSP},
-    {"statusall",       STROKE_STATUSALL},
+    {"rereadsecrets",   STROKE_REREAD_SECRETS},
+    {"listacerts",      STROKE_LIST_ACERTS},
+    {"route",           STROKE_ROUTE},
+    {"purgeocsp",       STROKE_PURGE_OCSP},
+    {"listocspcerts",   STROKE_LIST_OCSPCERTS},
     {"listalgs",        STROKE_LIST_ALGS},
+    {"rekey",           STROKE_REKEY},
+    {"rereadocspcerts", STROKE_REREAD_OCSPCERTS},
+    {"purgecrls",       STROKE_PURGE_CRLS},
     {"exportx509",      STROKE_EXPORT_X509},
-    {"delete",          STROKE_DELETE},
-    {"listocspcerts",   STROKE_LIST_OCSPCERTS},
-    {"purgeocsp",       STROKE_PURGE_OCSP},
     {"purgeike",        STROKE_PURGE_IKE},
-    {"unroute",         STROKE_UNROUTE},
     {"listcainfos",     STROKE_LIST_CAINFOS},
-    {"rereadocspcerts", STROKE_REREAD_OCSPCERTS},
     {"listpubkeys",     STROKE_LIST_PUBKEYS},
     {"down-srcip",      STROKE_DOWN_SRCIP},
-    {"listgroups",      STROKE_LIST_GROUPS}
+    {"loglevel",        STROKE_LOGLEVEL},
+    {"listgroups",      STROKE_LIST_GROUPS},
+    {"purgecerts",      STROKE_PURGE_CERTS}
   };
 
 static const short lookup[] =
   {
-    -1, -1, -1,  0,  1,  2,  3,  4,  5,  6,  7,  8,  9, 10,
-    11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24,
-    25, 26, 27, 28, 29, 30, 31, 32, -1, -1, -1, 33
+    -1, -1,  0,  1,  2,  3, -1,  4,  5,  6, -1,  7,  8,  9,
+    10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23,
+    24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, -1, -1, 35,
+    36
   };
 
 #ifdef __GNUC__
diff --git a/src/stroke/stroke_keywords.h b/src/stroke/stroke_keywords.h
index 4a3826536..ff2ba36ef 100644
--- a/src/stroke/stroke_keywords.h
+++ b/src/stroke/stroke_keywords.h
@@ -25,6 +25,7 @@ typedef enum {
 	STROKE_UP,
 	STROKE_DOWN,
 	STROKE_DOWN_SRCIP,
+	STROKE_REKEY,
 	STROKE_LOGLEVEL,
 	STROKE_STATUS,
 	STROKE_STATUSALL,
@@ -48,6 +49,8 @@ typedef enum {
 	STROKE_REREAD_CRLS,
 	STROKE_REREAD_ALL,
 	STROKE_PURGE_OCSP,
+	STROKE_PURGE_CRLS,
+	STROKE_PURGE_CERTS,
 	STROKE_PURGE_IKE,
 	STROKE_EXPORT_X509,
 	STROKE_LEASES,
diff --git a/src/stroke/stroke_keywords.txt b/src/stroke/stroke_keywords.txt
index 0b8092985..dafd1ab08 100644
--- a/src/stroke/stroke_keywords.txt
+++ b/src/stroke/stroke_keywords.txt
@@ -32,6 +32,7 @@ unroute,         STROKE_UNROUTE
 up,              STROKE_UP
 down,            STROKE_DOWN
 down-srcip,      STROKE_DOWN_SRCIP
+rekey,           STROKE_REKEY
 loglevel,        STROKE_LOGLEVEL
 status,          STROKE_STATUS
 statusall,       STROKE_STATUSALL
@@ -55,6 +56,8 @@ rereadacerts,    STROKE_REREAD_ACERTS
 rereadcrls,      STROKE_REREAD_CRLS
 rereadall,       STROKE_REREAD_ALL
 purgeocsp,       STROKE_PURGE_OCSP
+purgecrls,       STROKE_PURGE_CRLS
+purgecerts,      STROKE_PURGE_CERTS
 purgeike,        STROKE_PURGE_IKE
 exportx509,      STROKE_EXPORT_X509
 leases,          STROKE_LEASES
diff --git a/src/stroke/stroke_msg.h b/src/stroke/stroke_msg.h
index 9466cf0b0..3af2b7042 100644
--- a/src/stroke/stroke_msg.h
+++ b/src/stroke/stroke_msg.h
@@ -107,6 +107,10 @@ enum purge_flag_t {
 	PURGE_OCSP =		0x0001,
 	/** purge IKE_SAs without a CHILD_SA */
 	PURGE_IKE =			0x0002,
+	/** purge CRL cache entries */
+	PURGE_CRLS =		0x0004,
+	/** purge X509 cache entries */
+	PURGE_CERTS =		0x0008,
 };
 
 typedef enum export_flag_t export_flag_t;
@@ -145,6 +149,7 @@ struct stroke_end_t {
 	char *ca;
 	char *ca2;
 	char *groups;
+	char *cert_policy;
 	char *updown;
 	char *address;
 	u_int16_t ikeport;
@@ -183,6 +188,8 @@ struct stroke_msg_t {
 		STR_TERMINATE,
 		/* terminate connection by peers srcip/virtual ip */
 		STR_TERMINATE_SRCIP,
+		/* rekey a connection */
+		STR_REKEY,
 		/* show connection status */
 		STR_STATUS,
 		/* show verbose connection status */
@@ -215,7 +222,7 @@ struct stroke_msg_t {
 		/* data for STR_INITIATE, STR_ROUTE, STR_UP, STR_DOWN, ... */
 		struct {
 			char *name;
-		} initiate, route, unroute, terminate, status, del_conn, del_ca;
+		} initiate, route, unroute, terminate, rekey, status, del_conn, del_ca;
 
 		/* data for STR_TERMINATE_SRCIP */
 		struct {
@@ -241,6 +248,7 @@ struct stroke_msg_t {
 			int proxy_mode;
 			int install_policy;
 			u_int32_t reqid;
+			u_int32_t tfc;
 
 			crl_policy_t crl_policy;
 			int unique;
diff --git a/src/whack/Makefile.in b/src/whack/Makefile.in
index 270e8fe50..b51056a38 100644
--- a/src/whack/Makefile.in
+++ b/src/whack/Makefile.in
@@ -196,9 +196,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -237,6 +235,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/testing/INSTALL b/testing/INSTALL
index 5e42925f7..bb4272eaf 100644
--- a/testing/INSTALL
+++ b/testing/INSTALL
@@ -53,23 +53,22 @@ are required for the strongSwan testing environment:
     * A vanilla Linux kernel on which the UML kernel will be based on.
       We recommend the use of
 
-      http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.34.1.tar.bz2
+      http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.36.tar.bz2
 
-    * The Linux kernel 2.6.34.1 does not require any patches for the uml guest kernel
-      to successfully start up but the xfrm_mark patch must be applied for
-      XFRM MARK support.
+    * The Linux kernel 2.6.36 does not require any patches for the uml guest kernel
+      to successfully start up.
 
     * The matching .config file required to compile the UML kernel:
 
-      http://download.strongswan.org/uml/.config-2.6.34
+      http://download.strongswan.org/uml/.config-2.6.36
 
     * A gentoo-based UML file system (compressed size 130 MBytes) found at
 
-      http://download.strongswan.org/uml/gentoo-fs-20100703.tar.bz2
+      http://download.strongswan.org/uml/gentoo-fs-20100830.tar.bz2
 
     * The latest strongSwan distribution
 
-      http://download.strongswan.org/strongswan-4.4.2.tar.bz2
+      http://download.strongswan.org/strongswan-4.5.1.tar.bz2
 
 
 3. Creating the environment
diff --git a/testing/Makefile.in b/testing/Makefile.in
index 82b751fd2..cbb7555f0 100644
--- a/testing/Makefile.in
+++ b/testing/Makefile.in
@@ -175,9 +175,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -216,6 +214,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/testing/do-tests.in b/testing/do-tests.in
index 2e67e9367..27ad200fb 100755
--- a/testing/do-tests.in
+++ b/testing/do-tests.in
@@ -343,6 +343,7 @@ do
 	#
 
 	$DIR/scripts/load-testconfig $testname
+	unset RADIUSHOSTS
 	source $TESTDIR/test.conf
 
 
diff --git a/testing/hosts/default/etc/hosts b/testing/hosts/default/etc/hosts
index fb07a2f6e..0931f450e 100644
--- a/testing/hosts/default/etc/hosts
+++ b/testing/hosts/default/etc/hosts
@@ -18,8 +18,10 @@
 10.1.0.40	dave2.strongswan.org	dave2
 10.1.0.50	carol3.strongswan.org	carol3
 10.1.0.51	dave3.strongswan.org	dave3
+10.1.0.5	mars1.strongswan.org	mars1	# virtual gateway
 10.1.0.1	moon1.strongswan.org	moon1
 192.168.0.1	moon.strongswan.org	moon
+192.168.0.5	mars.strongswan.org	mars	# virtual gateway
 192.168.0.50	alice1.strongswan.org	alice1
 192.168.0.100	carol.strongswan.org	carol
 10.3.0.1	carol1.strongswan.org	carol1
diff --git a/testing/hosts/default/etc/ipsec.d/tables.sql b/testing/hosts/default/etc/ipsec.d/tables.sql
index eb41533cb..2917fc3fc 100644
--- a/testing/hosts/default/etc/ipsec.d/tables.sql
+++ b/testing/hosts/default/etc/ipsec.d/tables.sql
@@ -18,9 +18,11 @@ CREATE TABLE child_configs (
   updown TEXT DEFAULT NULL,
   hostaccess INTEGER NOT NULL DEFAULT '0',
   mode INTEGER NOT NULL DEFAULT '2',
+  start_action INTEGER NOT NULL DEFAULT '0',
   dpd_action INTEGER NOT NULL DEFAULT '0',
   close_action INTEGER NOT NULL DEFAULT '0',
-  ipcomp INTEGER NOT NULL DEFAULT '0'
+  ipcomp INTEGER NOT NULL DEFAULT '0',
+  reqid INTEGER NOT NULL DEFAULT '0'
 );
 DROP INDEX IF EXISTS child_configs_name;
 CREATE INDEX child_configs_name ON child_configs (
@@ -38,6 +40,19 @@ CREATE INDEX child_config_traffic_selector_all ON child_config_traffic_selector
   child_cfg, traffic_selector
 );
 
+DROP TABLE IF EXISTS proposals;
+CREATE TABLE proposals (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  proposal TEXT NOT NULL
+);
+
+DROP TABLE IF EXISTS child_config_proposal;
+CREATE TABLE child_config_proposal (
+  child_cfg INTEGER NOT NULL,
+  prio INTEGER NOT NULL,
+  prop INTEGER NOT NULL
+);
+
 DROP TABLE IF EXISTS ike_configs;
 CREATE TABLE ike_configs (
   id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
@@ -47,6 +62,13 @@ CREATE TABLE ike_configs (
   remote TEXT NOT NULL
 );
 
+DROP TABLE IF EXISTS ike_config_proposal;
+CREATE TABLE ike_config_proposal (
+  ike_cfg INTEGER NOT NULL,
+  prio INTEGER NOT NULL,
+  prop INTEGER NOT NULL
+);
+
 DROP TABLE IF EXISTS peer_configs;
 CREATE TABLE peer_configs (
   id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
@@ -139,6 +161,20 @@ CREATE TABLE shared_secret_identity (
   PRIMARY KEY (shared_secret, identity)
 );
 
+DROP TABLE IF EXISTS certificate_authorities;
+CREATE TABLE certificate_authorities (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  certificate INTEGER NOT NULL
+);
+
+DROP TABLE IF EXISTS certificate_distribution_points;
+CREATE TABLE certificate_distribution_points (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  ca INTEGER NOT NULL,
+  type INTEGER NOT NULL,
+  uri TEXT NOT NULL
+);
+
 DROP TABLE IF EXISTS pools;
 CREATE TABLE pools (
   id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
diff --git a/testing/hosts/winnetou/etc/openssl/index.txt b/testing/hosts/winnetou/etc/openssl/index.txt
index dd69a793f..246f2d5b7 100644
--- a/testing/hosts/winnetou/etc/openssl/index.txt
+++ b/testing/hosts/winnetou/etc/openssl/index.txt
@@ -32,3 +32,4 @@ V	150226210530Z		1F	unknown	/C=CH/O=Linux strongSwan/OU=Authorization Authority/
 V	190404095350Z		20	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=Research CA
 V	190404095433Z		21	unknown	/C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA
 V	150803083841Z		22	unknown	/C=CH/O=Linux strongSwan/CN=aaa.strongswan.org
+V	151119165922Z		23	unknown	/C=CH/O=Linux strongSwan/OU=Virtual VPN Gateway/CN=mars.strongswan.org
diff --git a/testing/hosts/winnetou/etc/openssl/index.txt.old b/testing/hosts/winnetou/etc/openssl/index.txt.old
index 58a88a3cb..dd69a793f 100644
--- a/testing/hosts/winnetou/etc/openssl/index.txt.old
+++ b/testing/hosts/winnetou/etc/openssl/index.txt.old
@@ -31,3 +31,4 @@ V	141123125153Z		1E	unknown	/C=CH/O=Linux strongSwan/OU=OCSP Signing Authority/C
 V	150226210530Z		1F	unknown	/C=CH/O=Linux strongSwan/OU=Authorization Authority/CN=aa@strongswan.org
 V	190404095350Z		20	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=Research CA
 V	190404095433Z		21	unknown	/C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA
+V	150803083841Z		22	unknown	/C=CH/O=Linux strongSwan/CN=aaa.strongswan.org
diff --git a/testing/hosts/winnetou/etc/openssl/newcerts/23.pem b/testing/hosts/winnetou/etc/openssl/newcerts/23.pem
new file mode 100644
index 000000000..5077ab15d
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/newcerts/23.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEQDCCAyigAwIBAgIBIzANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTEwMTEyMDE2NTkyMloXDTE1MTExOTE2NTkyMlowZDELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHDAaBgNVBAsTE1ZpcnR1
+YWwgVlBOIEdhdGV3YXkxHDAaBgNVBAMTE21hcnMuc3Ryb25nc3dhbi5vcmcwggEi
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDSNOzGeYVXLzZv43dinLxAC67D
+l/1pUIwZIT7pzWGTbbeYBgRQDIV46HAAJTxnYWEq2eEecTbLQhgX7QPUeOJXk9vU
+j5FeCrNXkv01FPsjwRdvBCWwEHYhGczeP9/8Gg7zU36t3EySv5ZRYKqv6O42lrg+
+E79wm2BwdPik7G5mCLmXn3Bg1IKNJhBJWKkP366dpAukywP1gGMwmW3MqfVm2fXB
+QVDlqCJjpvyNiJhW6UqOf+NkKZPugjlfWMQKyFxEC6krBDT4WdnoKj5S0hyyeAvG
+7HlL5YSiPhd1DNaxV0OX/aBwYFW0zMZOVmYLv2cwRVf3LlP/3Nv66BtjtxwZAgMB
+AAGjggEaMIIBFjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQUuo7D
+ahZ1x1JvkUAc2aAHvlfUu7EwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOou
+Te+hSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2Fu
+MRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3QgQ0GCAQAwHgYDVR0RBBcwFYITbWFy
+cy5zdHJvbmdzd2FuLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATA5BgNVHR8EMjAw
+MC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW4uY3Js
+MA0GCSqGSIb3DQEBCwUAA4IBAQCMaii+mvarQiElzu5VmIPQfrec+S5DUun9Di9/
+n23B8UdYtoITtu38vm2kHIo/oaYBFtUziBTFb48zyMJxVqc42JbwQ0CCO7TekJ2R
+atGO72QG69hZkspfNijZr1576jBYyNxCfOOAXlf0zQpkVc0dcuxgQM1IrFH+cz+7
+ekupVdM2IZoouqWDU0M2nAze4du1rKAgG0Cuy3I4tCN43PR4BmggfaaKBOzU8Ju1
+b/FUFKKdPTrTfi52OywgzcDMZPyWgmHZb60koH7jXiVyP30OHVwMzU6kNXxOx2Le
+i2lQE1/k8yL3k1ht48upXfuTZU4gUVCUc2CYUVHOOjNHk3BU
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/serial b/testing/hosts/winnetou/etc/openssl/serial
index 409940768..a45fd52cc 100644
--- a/testing/hosts/winnetou/etc/openssl/serial
+++ b/testing/hosts/winnetou/etc/openssl/serial
@@ -1 +1 @@
-23
+24
diff --git a/testing/hosts/winnetou/etc/openssl/serial.old b/testing/hosts/winnetou/etc/openssl/serial.old
index 2bd5a0a98..409940768 100644
--- a/testing/hosts/winnetou/etc/openssl/serial.old
+++ b/testing/hosts/winnetou/etc/openssl/serial.old
@@ -1 +1 @@
-22
+23
diff --git a/testing/scripts/build-umlrootfs b/testing/scripts/build-umlrootfs
index e22b65cf4..023b71750 100755
--- a/testing/scripts/build-umlrootfs
+++ b/testing/scripts/build-umlrootfs
@@ -202,6 +202,16 @@ then
     echo -n " --enable-tnccs-11" >> $INSTALLSHELL
 fi
 
+if [ "$USE_TNCCS_20" = "yes" ]
+then
+    echo -n " --enable-tnccs-20" >> $INSTALLSHELL
+fi
+
+if [ "$USE_TNCCS_DYNAMIC" = "yes" ]
+then
+    echo -n " --enable-tnccs-dynamic" >> $INSTALLSHELL
+fi
+
 if [ "$USE_SQL" = "yes" ]
 then
     echo -n " --enable-sql --enable-sqlite" >> $INSTALLSHELL
@@ -292,6 +302,16 @@ then
     echo -n " --enable-gcm" >> $INSTALLSHELL
 fi
 
+if [ "$USE_HA" = "yes" ]
+then
+    echo -n " --enable-ha" >> $INSTALLSHELL
+fi
+
+if [ "$USE_CISCO_QUIRKS" = "yes" ]
+then
+    echo -n " --enable-cisco-quirks" >> $INSTALLSHELL
+fi
+
 echo "" >> $INSTALLSHELL
 echo "make -j" >> $INSTALLSHELL
 echo "make install" >> $INSTALLSHELL
diff --git a/testing/scripts/kstart-umls b/testing/scripts/kstart-umls
index 486955a69..18dc64a9d 100755
--- a/testing/scripts/kstart-umls
+++ b/testing/scripts/kstart-umls
@@ -67,10 +67,10 @@ do
 	    \$SWITCH_${host} \
 	    mem=${MEM}M con=pty con0=fd:0,fd:1" &
         cgecho "done"
+        sleep 15
     fi
     let "x0+=dx"
     let "y0+=dy"
-    sleep 15
 done
 
 if [ -z "$BOOTING_HOSTS" ]
diff --git a/testing/scripts/xstart-umls b/testing/scripts/xstart-umls
index 717199606..ed2662b6c 100755
--- a/testing/scripts/xstart-umls
+++ b/testing/scripts/xstart-umls
@@ -67,10 +67,10 @@ do
 	    \$SWITCH_${host} \
 	    mem=${MEM}M con=pty con0=fd:0,fd:1" &
         cgecho "done"
+        sleep 15
     fi
     let "x0+=dx"
     let "y0+=dy"
-    sleep 15
 done
 
 if [ -z "$BOOTING_HOSTS" ]
diff --git a/testing/testing.conf b/testing/testing.conf
index b9cb4bb30..b078ab2c0 100755
--- a/testing/testing.conf
+++ b/testing/testing.conf
@@ -19,19 +19,19 @@ UMLTESTDIR=~/strongswan-testing
 
 # Bzipped kernel sources
 # (file extension .tar.bz2 required)
-KERNEL=$UMLTESTDIR/linux-2.6.35.2.tar.bz2
+KERNEL=$UMLTESTDIR/linux-2.6.36.2.tar.bz2
 
 # Extract kernel version
 KERNELVERSION=`basename $KERNEL .tar.bz2 | sed -e 's/linux-//'`
 
 # Kernel configuration file
-KERNELCONFIG=$UMLTESTDIR/.config-2.6.35
+KERNELCONFIG=$UMLTESTDIR/.config-2.6.36
 
 # Bzipped uml patch for kernel
-#UMLPATCH=$UMLTESTDIR/xfrm_mark.patch.bz2
+UMLPATCH=$UMLTESTDIR/ha-2.6.36.patch.bz2
 
 # Bzipped source of strongSwan
-STRONGSWAN=$UMLTESTDIR/strongswan-4.4.2.tar.bz2
+STRONGSWAN=$UMLTESTDIR/strongswan-4.5.1.tar.bz2
 
 # strongSwan compile options (use "yes" or "no")
 USE_LIBCURL="yes"
@@ -48,13 +48,15 @@ USE_EAP_TNC="yes"
 USE_TNC_IMC="yes"
 USE_TNC_IMV="yes"
 USE_TNCCS_11="yes"
+USE_TNCCS_20="yes"
+USE_TNCCS_DYNAMIC="yes"
 USE_SQL="yes"
 USE_MEDIATION="yes"
 USE_OPENSSL="yes"
 USE_BLOWFISH="yes"
 USE_KERNEL_PFKEY="yes"
 USE_INTEGRITY_TEST="yes"
-USE_LEAK_DETECTIVE="yes"
+USE_LEAK_DETECTIVE="no"
 USE_LOAD_TESTER="yes"
 USE_TEST_VECTORS="yes"
 USE_GCRYPT="yes"
@@ -66,12 +68,14 @@ USE_ADDRBLOCK="yes"
 USE_CTR="yes"
 USE_CCM="yes"
 USE_GCM="yes"
+USE_HA="yes"
+USE_CISCO_QUIRKS="no"
 
 # Gentoo linux root filesystem
-ROOTFS=$UMLTESTDIR/gentoo-fs-20100805.tar.bz2
+ROOTFS=$UMLTESTDIR/gentoo-fs-20101120.tar.bz2
 
 # Size of the finished root filesystem in MB
-ROOTFSSIZE=700
+ROOTFSSIZE=800
 
 # Amount of Memory to use per UML [MB].
 # If "auto" is stated 1/12 of total host ram will be used.
diff --git a/testing/tests/ha/both-active/description.txt b/testing/tests/ha/both-active/description.txt
new file mode 100644
index 000000000..4c64fff97
--- /dev/null
+++ b/testing/tests/ha/both-active/description.txt
@@ -0,0 +1,8 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
+to the virtual gateway <b>mars</b> implemented by the two real gateways
+<b>alice</b> and <b>moon</b> in a <b>High Availability</b> (HA) setup 
+based on <b>ClusterIP</b>. Depending on the hash of the IP addresses of the peers
+and the SPIs, the inbound and outbound CHILD_SAs are either assigned to
+segment 1 managed by <b>alice</b> or segment 2 handled by <b>moon</b>.
+The IKEv2 protocol is managed by <b>moon</b> exclusively with passive
+IKE_SAs installed on the backup gateway <b>alice</b>.
diff --git a/testing/tests/ha/both-active/evaltest.dat b/testing/tests/ha/both-active/evaltest.dat
new file mode 100644
index 000000000..7256743ac
--- /dev/null
+++ b/testing/tests/ha/both-active/evaltest.dat
@@ -0,0 +1,20 @@
+moon::ipsec statusall::rw.*ESTABLISHED.*carol@strongswan.org::YES
+moon::ipsec statusall::rw.*ESTABLISHED.*dave@strongswan.org::YES
+alice::ipsec statusall::rw.*PASSIVE.*carol@strongswan.org::YES
+alice::ipsec statusall::rw.*PASSIVE.*dave@strongswan.org::YES
+carol::ipsec statusall::home.*ESTABLISHED::YES
+dave::ipsec statusall::home.*ESTABLISHED::YES
+alice::cat /var/log/daemon.log::HA segment 1 activated::YES
+moon::cat /var/log/daemon.log::HA segment 2 activated::YES
+alice::cat /var/log/daemon.log::installed HA CHILD_SA::YES
+moon::cat /var/log/daemon.log::handling HA CHILD_SA::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
+carol::tcpdump::IP carol.strongswan.org > mars.strongswan.org: ESP::YES
+carol::tcpdump::IP mars.strongswan.org > carol.strongswan.org: ESP::YES
+dave::tcpdump::IP dave.strongswan.org > mars.strongswan.org: ESP::YES
+dave::tcpdump::IP mars.strongswan.org > dave.strongswan.org: ESP::YES
+venus::tcpdump::IP carol.strongswan.org > venus.strongswan.org: ICMP echo request::YES
+venus::tcpdump::IP venus.strongswan.org > carol.strongswan.org: ICMP echo reply::YES
+venus::tcpdump::IP dave.strongswan.org > venus.strongswan.org: ICMP echo request::YES
+venus::tcpdump::IP venus.strongswan.org > dave.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/ha/both-active/hosts/alice/etc/init.d/iptables b/testing/tests/ha/both-active/hosts/alice/etc/init.d/iptables
new file mode 100755
index 000000000..95d3b8828
--- /dev/null
+++ b/testing/tests/ha/both-active/hosts/alice/etc/init.d/iptables
@@ -0,0 +1,104 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+	before net
+	need logger
+}
+
+start() {
+	ebegin "Starting firewall"
+
+	# enable IP forwarding
+	echo 1 > /proc/sys/net/ipv4/ip_forward
+	
+	# default policy is DROP
+	/sbin/iptables -P INPUT DROP
+	/sbin/iptables -P OUTPUT DROP
+	/sbin/iptables -P FORWARD DROP
+
+	# forward ESP-tunneled traffic
+	iptables -A FORWARD -i eth1 -m policy --dir in  --pol ipsec --proto esp -s PH_IP_CAROL -j ACCEPT
+	iptables -A FORWARD -i eth1 -m policy --dir in  --pol ipsec --proto esp -s PH_IP_DAVE  -j ACCEPT
+	iptables -A FORWARD -o eth1 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
+
+        # clusterip rules
+        iptables -A INPUT -i eth1 -d 192.168.0.5 -j CLUSTERIP --new --hashmode sourceip \
+                          --clustermac 01:00:c0:a8:00:05 --total-nodes 2 --local-node 2 
+        iptables -A INPUT -i eth0 -d 10.1.0.5 -j CLUSTERIP --new --hashmode sourceip \
+                          --clustermac 01:00:0a:01:00:05 --total-nodes 2 --local-node 2 
+
+	# allow esp
+	iptables -A INPUT  -p 50 -j ACCEPT
+	iptables -A OUTPUT -p 50 -d PH_IP_CAROL -j ACCEPT
+	iptables -A OUTPUT -p 50 -d PH_IP_DAVE -j ACCEPT
+
+	# allow IKE
+	iptables -A INPUT  -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
+	iptables -A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
+
+	# allow MobIKE
+	iptables -A INPUT  -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT
+	iptables -A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+	# allow crl fetch from winnetou
+	iptables -A INPUT  -i eth1 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+	iptables -A OUTPUT -o eth1 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+	# allow ssh
+	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
+	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+        # allow heartbeat
+        iptables -A INPUT  -i eth0 -d PH_IP_ALICE -s PH_IP_MOON1 -p udp --dport 4510 --sport 4510 -j ACCEPT
+        iptables -A OUTPUT -o eth0 -s PH_IP_ALICE -d PH_IP_MOON1 -p udp --dport 4510 --sport 4510 -j ACCEPT
+
+	# allow ICMP type 3
+	iptables -A INPUT  -i eth0 -d PH_IP_ALICE -s PH_IP_MOON1 -p icmp --icmp-type 3 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -s PH_IP_ALICE -d PH_IP_MOON1 -p icmp --icmp-type 3 -j ACCEPT
+
+	# allow IGMP multicasts
+	iptables -A INPUT  -d 224.0.0.1 -p igmp -j ACCEPT
+	iptables -A OUTPUT -s 224.0.0.1 -p igmp -j ACCEPT
+ 
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+	
+			if [ $a == nat ]; then
+				/sbin/iptables -t nat -P PREROUTING ACCEPT
+				/sbin/iptables -t nat -P POSTROUTING ACCEPT
+				/sbin/iptables -t nat -P OUTPUT ACCEPT
+			elif [ $a == mangle ]; then
+				/sbin/iptables -t mangle -P PREROUTING ACCEPT
+				/sbin/iptables -t mangle -P INPUT ACCEPT
+				/sbin/iptables -t mangle -P FORWARD ACCEPT
+				/sbin/iptables -t mangle -P OUTPUT ACCEPT
+				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
+			elif [ $a == filter ]; then
+				/sbin/iptables -t filter -P INPUT ACCEPT
+				/sbin/iptables -t filter -P FORWARD ACCEPT
+				/sbin/iptables -t filter -P OUTPUT ACCEPT
+			fi
+		done
+	eend $?
+}
+
+reload() {
+	ebegin "Flushing firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+		done;
+        eend $?
+	start
+}
+
diff --git a/testing/tests/ha/both-active/hosts/alice/etc/ipsec.conf b/testing/tests/ha/both-active/hosts/alice/etc/ipsec.conf
new file mode 100755
index 000000000..09a5364f4
--- /dev/null
+++ b/testing/tests/ha/both-active/hosts/alice/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+
+conn rw
+	left=192.168.0.5
+	leftcert=marsCert.pem
+	leftid=@mars.strongswan.org
+	leftsubnet=10.1.0.0/16
+	leftfirewall=yes
+	right=%any
+	keyexchange=ikev2
+	auto=add
diff --git a/testing/tests/ha/both-active/hosts/alice/etc/ipsec.d/certs/marsCert.pem b/testing/tests/ha/both-active/hosts/alice/etc/ipsec.d/certs/marsCert.pem
new file mode 100644
index 000000000..5077ab15d
--- /dev/null
+++ b/testing/tests/ha/both-active/hosts/alice/etc/ipsec.d/certs/marsCert.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEQDCCAyigAwIBAgIBIzANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTEwMTEyMDE2NTkyMloXDTE1MTExOTE2NTkyMlowZDELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHDAaBgNVBAsTE1ZpcnR1
+YWwgVlBOIEdhdGV3YXkxHDAaBgNVBAMTE21hcnMuc3Ryb25nc3dhbi5vcmcwggEi
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDSNOzGeYVXLzZv43dinLxAC67D
+l/1pUIwZIT7pzWGTbbeYBgRQDIV46HAAJTxnYWEq2eEecTbLQhgX7QPUeOJXk9vU
+j5FeCrNXkv01FPsjwRdvBCWwEHYhGczeP9/8Gg7zU36t3EySv5ZRYKqv6O42lrg+
+E79wm2BwdPik7G5mCLmXn3Bg1IKNJhBJWKkP366dpAukywP1gGMwmW3MqfVm2fXB
+QVDlqCJjpvyNiJhW6UqOf+NkKZPugjlfWMQKyFxEC6krBDT4WdnoKj5S0hyyeAvG
+7HlL5YSiPhd1DNaxV0OX/aBwYFW0zMZOVmYLv2cwRVf3LlP/3Nv66BtjtxwZAgMB
+AAGjggEaMIIBFjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQUuo7D
+ahZ1x1JvkUAc2aAHvlfUu7EwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOou
+Te+hSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2Fu
+MRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3QgQ0GCAQAwHgYDVR0RBBcwFYITbWFy
+cy5zdHJvbmdzd2FuLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATA5BgNVHR8EMjAw
+MC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW4uY3Js
+MA0GCSqGSIb3DQEBCwUAA4IBAQCMaii+mvarQiElzu5VmIPQfrec+S5DUun9Di9/
+n23B8UdYtoITtu38vm2kHIo/oaYBFtUziBTFb48zyMJxVqc42JbwQ0CCO7TekJ2R
+atGO72QG69hZkspfNijZr1576jBYyNxCfOOAXlf0zQpkVc0dcuxgQM1IrFH+cz+7
+ekupVdM2IZoouqWDU0M2nAze4du1rKAgG0Cuy3I4tCN43PR4BmggfaaKBOzU8Ju1
+b/FUFKKdPTrTfi52OywgzcDMZPyWgmHZb60koH7jXiVyP30OHVwMzU6kNXxOx2Le
+i2lQE1/k8yL3k1ht48upXfuTZU4gUVCUc2CYUVHOOjNHk3BU
+-----END CERTIFICATE-----
diff --git a/testing/tests/ha/both-active/hosts/alice/etc/ipsec.d/private/marsKey.pem b/testing/tests/ha/both-active/hosts/alice/etc/ipsec.d/private/marsKey.pem
new file mode 100644
index 000000000..9196315a3
--- /dev/null
+++ b/testing/tests/ha/both-active/hosts/alice/etc/ipsec.d/private/marsKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEA0jTsxnmFVy82b+N3Ypy8QAuuw5f9aVCMGSE+6c1hk223mAYE
+UAyFeOhwACU8Z2FhKtnhHnE2y0IYF+0D1HjiV5Pb1I+RXgqzV5L9NRT7I8EXbwQl
+sBB2IRnM3j/f/BoO81N+rdxMkr+WUWCqr+juNpa4PhO/cJtgcHT4pOxuZgi5l59w
+YNSCjSYQSVipD9+unaQLpMsD9YBjMJltzKn1Ztn1wUFQ5agiY6b8jYiYVulKjn/j
+ZCmT7oI5X1jECshcRAupKwQ0+FnZ6Co+UtIcsngLxux5S+WEoj4XdQzWsVdDl/2g
+cGBVtMzGTlZmC79nMEVX9y5T/9zb+ugbY7ccGQIDAQABAoIBAHmuW1W06KQEV33D
+bctusWZdnOfqZq39C2xMm2+aDR7bh0iASyTPasAHxTXAWEv7ydSVVURbAv38H5hS
+AkKPS26oz7sm9F480X4jP2Hn6EzVLKx9+RcHIGqe1cHdtdnod7kRHyajfMwCDZDD
+5Wp46tQ8wSBmLA6SUuwmOfy2RF3ZKGSYUxZEA3Pj7oMuCwgUVg62MN5kbOdviW1u
+DpRAWO3UE64nHYSFYeRiVRYmrZ0pOF2oBkfuALn2frcGX0v97xxNH9mpJfc1T6Km
+KwfSpKtB5BlF4QRukZC3smoiO0aXI4ZuxuuRzujYIHJvp21+Lg5UybwOu/w4R1nB
+UnaCZHUCgYEA7/5Q06+Mpn9UxxcP5tNGeeGEV5EVhXzLHq8IyTb+Dp8AnJ+EXuHK
+QAiyxvavorZCQN9xAa3IOi1789NeaVWU7DKWI4pMfXETkFGYI2q08bf16XYAvSgt
+AOeEKzILADHaqOKbLJhFxUIAGLJ4LP+IBapKrTHF5qELW6jO4YYaH1cCgYEA4DoG
+3MgDnmCsikmDkP7Z/HS6XwAqKKF6CMlJW05Dq5J/wgWIXfBU9QdWbHl2H2fa/n1b
+M8u3M4wA9NY7kKtan3VBDFxEARRcSX50YB1TCLnplDVO3IxYUkjfKhTjBFF9R0Iv
+2nj8QXAnb+vbx+30Pbi7bkvb93nSe4yzXPFtKg8CgYEAuZso7Z5eG8JsUZEvdig9
+4DMehA6r41IRUUizddK3B53G/lqMKEldfsp7YU8VpLRqZvunzVGWgg/9RiRZZwOO
+KmIxJYlnALj8FWhVTkbPbAYHBKiDh8dTjth+ql2Ijn0ADA89TW7yvsz9gBw+vyZd
+D2yVVn8g++3e9+OFJHvvJf8CgYBHEn18W7Wx7Mij6JtYST+FIua0GBRE3rIUuOCU
+nWEbsAroz+IijHwRUqsVJQbI+51RjyBqcYb3QshG0uT8fSPzaTIeHdy8TtzVusxe
+bs0T9gHQpXkCtUWFh22dJBO1GbNQ8+zBHhovD8KgWi1G2OjS64wVcNwfPDD4UmfD
+7Q6CBwKBgBOeDK7R5mGwC4nV1Y+KDBgvE/W8BloZpcD+d7sfZsrU8w7LemBKreDa
+qT1vgk1ZOeHFkvwdWH7LSxRUEGRd+HmqOFKv/hfmxXHlepdnjqt4JMNo9UyddXmX
+onErIOM7BXcBmqvY77ODDOk8ER3zUjKHvYUzxz4PPuEM3hGTTRbQ
+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ha/both-active/hosts/alice/etc/ipsec.secrets b/testing/tests/ha/both-active/hosts/alice/etc/ipsec.secrets
new file mode 100644
index 000000000..d65b96e34
--- /dev/null
+++ b/testing/tests/ha/both-active/hosts/alice/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA marsKey.pem
diff --git a/testing/tests/ha/both-active/hosts/alice/etc/strongswan.conf b/testing/tests/ha/both-active/hosts/alice/etc/strongswan.conf
new file mode 100644
index 000000000..c1745ec29
--- /dev/null
+++ b/testing/tests/ha/both-active/hosts/alice/etc/strongswan.conf
@@ -0,0 +1,15 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default ha 
+  plugins {
+    ha {
+      local = PH_IP_ALICE
+      remote = PH_IP_MOON1 
+      segment_count = 2
+      fifo_interface = yes
+      monitor = yes
+    }
+  }
+}
+
diff --git a/testing/tests/ha/both-active/hosts/carol/etc/ipsec.conf b/testing/tests/ha/both-active/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..79e06d4de
--- /dev/null
+++ b/testing/tests/ha/both-active/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+
+conn home
+	left=PH_IP_CAROL
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=192.168.0.5
+	rightid=@mars.strongswan.org
+	rightsubnet=10.1.0.0/16
+	keyexchange=ikev2
+	auto=add
diff --git a/testing/tests/ha/both-active/hosts/carol/etc/strongswan.conf b/testing/tests/ha/both-active/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..af91a172a
--- /dev/null
+++ b/testing/tests/ha/both-active/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ha/both-active/hosts/dave/etc/ipsec.conf b/testing/tests/ha/both-active/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..f75e13d2e
--- /dev/null
+++ b/testing/tests/ha/both-active/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+
+conn home
+	left=PH_IP_DAVE
+	leftcert=daveCert.pem
+	leftid=dave@strongswan.org
+	leftfirewall=yes
+	right=192.168.0.5
+	rightid=@mars.strongswan.org
+	rightsubnet=10.1.0.0/16
+	keyexchange=ikev2
+	auto=add
diff --git a/testing/tests/ha/both-active/hosts/dave/etc/strongswan.conf b/testing/tests/ha/both-active/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..60dbb5ba2
--- /dev/null
+++ b/testing/tests/ha/both-active/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
+}
+
diff --git a/testing/tests/ha/both-active/hosts/moon/etc/init.d/iptables b/testing/tests/ha/both-active/hosts/moon/etc/init.d/iptables
new file mode 100755
index 000000000..6f7a0316b
--- /dev/null
+++ b/testing/tests/ha/both-active/hosts/moon/etc/init.d/iptables
@@ -0,0 +1,104 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+	before net
+	need logger
+}
+
+start() {
+	ebegin "Starting firewall"
+
+	# enable IP forwarding
+	echo 1 > /proc/sys/net/ipv4/ip_forward
+	
+	# default policy is DROP
+	/sbin/iptables -P INPUT DROP
+	/sbin/iptables -P OUTPUT DROP
+	/sbin/iptables -P FORWARD DROP
+
+	# forward ESP-tunneled traffic
+	iptables -A FORWARD -m policy -i eth0 --dir in  --pol ipsec --proto esp -s PH_IP_CAROL -j ACCEPT
+	iptables -A FORWARD -m policy -i eth0 --dir in  --pol ipsec --proto esp -s PH_IP_DAVE  -j ACCEPT
+	iptables -A FORWARD -m policy -o eth0 --dir out --pol ipsec --proto esp -j ACCEPT
+
+        # clusterip rules
+        iptables -A INPUT -i eth0 -d 192.168.0.5 -j CLUSTERIP --new --hashmode sourceip \
+                          --clustermac 01:00:c0:a8:00:05 --total-nodes 2 --local-node 1
+        iptables -A INPUT -i eth1 -d 10.1.0.5 -j CLUSTERIP --new --hashmode sourceip \
+                          --clustermac 01:00:0a:01:00:05 --total-nodes 2 --local-node 1
+
+	# allow esp
+	iptables -A INPUT  -p 50 -j ACCEPT
+	iptables -A OUTPUT -p 50 -d PH_IP_CAROL -j ACCEPT
+	iptables -A OUTPUT -p 50 -d PH_IP_DAVE  -j ACCEPT
+
+	# allow IKE
+	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+	# allow MobIKE
+	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+	# allow crl fetch from winnetou
+	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+	# allow ssh
+	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
+	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+	# allow heartbeat
+	iptables -A INPUT  -i eth1 -d PH_IP_MOON1 -s PH_IP_ALICE -p udp --dport 4510 --sport 4510 -j ACCEPT
+	iptables -A OUTPUT -o eth1 -s PH_IP_MOON1 -d PH_IP_ALICE -p udp --dport 4510 --sport 4510 -j ACCEPT
+
+	# allow ICMP type 3
+        iptables -A INPUT  -i eth1 -d PH_IP_MOON1 -s PH_IP_ALICE -p icmp --icmp-type 3 -j ACCEPT
+        iptables -A OUTPUT -o eth1 -s PH_IP_MOON1 -d PH_IP_ALICE -p icmp --icmp-type 3 -j ACCEPT
+
+	# allow IGMP multicasts
+	iptables -A INPUT  -d 224.0.0.1 -p igmp -j ACCEPT
+	iptables -A OUTPUT -s 224.0.0.1 -p igmp -j ACCEPT
+
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+	
+			if [ $a == nat ]; then
+				/sbin/iptables -t nat -P PREROUTING ACCEPT
+				/sbin/iptables -t nat -P POSTROUTING ACCEPT
+				/sbin/iptables -t nat -P OUTPUT ACCEPT
+			elif [ $a == mangle ]; then
+				/sbin/iptables -t mangle -P PREROUTING ACCEPT
+				/sbin/iptables -t mangle -P INPUT ACCEPT
+				/sbin/iptables -t mangle -P FORWARD ACCEPT
+				/sbin/iptables -t mangle -P OUTPUT ACCEPT
+				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
+			elif [ $a == filter ]; then
+				/sbin/iptables -t filter -P INPUT ACCEPT
+				/sbin/iptables -t filter -P FORWARD ACCEPT
+				/sbin/iptables -t filter -P OUTPUT ACCEPT
+			fi
+		done
+	eend $?
+}
+
+reload() {
+	ebegin "Flushing firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+		done;
+        eend $?
+	start
+}
+
diff --git a/testing/tests/ha/both-active/hosts/moon/etc/ipsec.conf b/testing/tests/ha/both-active/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..09a5364f4
--- /dev/null
+++ b/testing/tests/ha/both-active/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+
+conn rw
+	left=192.168.0.5
+	leftcert=marsCert.pem
+	leftid=@mars.strongswan.org
+	leftsubnet=10.1.0.0/16
+	leftfirewall=yes
+	right=%any
+	keyexchange=ikev2
+	auto=add
diff --git a/testing/tests/ha/both-active/hosts/moon/etc/ipsec.d/certs/marsCert.pem b/testing/tests/ha/both-active/hosts/moon/etc/ipsec.d/certs/marsCert.pem
new file mode 100644
index 000000000..5077ab15d
--- /dev/null
+++ b/testing/tests/ha/both-active/hosts/moon/etc/ipsec.d/certs/marsCert.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEQDCCAyigAwIBAgIBIzANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTEwMTEyMDE2NTkyMloXDTE1MTExOTE2NTkyMlowZDELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHDAaBgNVBAsTE1ZpcnR1
+YWwgVlBOIEdhdGV3YXkxHDAaBgNVBAMTE21hcnMuc3Ryb25nc3dhbi5vcmcwggEi
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDSNOzGeYVXLzZv43dinLxAC67D
+l/1pUIwZIT7pzWGTbbeYBgRQDIV46HAAJTxnYWEq2eEecTbLQhgX7QPUeOJXk9vU
+j5FeCrNXkv01FPsjwRdvBCWwEHYhGczeP9/8Gg7zU36t3EySv5ZRYKqv6O42lrg+
+E79wm2BwdPik7G5mCLmXn3Bg1IKNJhBJWKkP366dpAukywP1gGMwmW3MqfVm2fXB
+QVDlqCJjpvyNiJhW6UqOf+NkKZPugjlfWMQKyFxEC6krBDT4WdnoKj5S0hyyeAvG
+7HlL5YSiPhd1DNaxV0OX/aBwYFW0zMZOVmYLv2cwRVf3LlP/3Nv66BtjtxwZAgMB
+AAGjggEaMIIBFjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQUuo7D
+ahZ1x1JvkUAc2aAHvlfUu7EwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOou
+Te+hSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2Fu
+MRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3QgQ0GCAQAwHgYDVR0RBBcwFYITbWFy
+cy5zdHJvbmdzd2FuLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATA5BgNVHR8EMjAw
+MC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW4uY3Js
+MA0GCSqGSIb3DQEBCwUAA4IBAQCMaii+mvarQiElzu5VmIPQfrec+S5DUun9Di9/
+n23B8UdYtoITtu38vm2kHIo/oaYBFtUziBTFb48zyMJxVqc42JbwQ0CCO7TekJ2R
+atGO72QG69hZkspfNijZr1576jBYyNxCfOOAXlf0zQpkVc0dcuxgQM1IrFH+cz+7
+ekupVdM2IZoouqWDU0M2nAze4du1rKAgG0Cuy3I4tCN43PR4BmggfaaKBOzU8Ju1
+b/FUFKKdPTrTfi52OywgzcDMZPyWgmHZb60koH7jXiVyP30OHVwMzU6kNXxOx2Le
+i2lQE1/k8yL3k1ht48upXfuTZU4gUVCUc2CYUVHOOjNHk3BU
+-----END CERTIFICATE-----
diff --git a/testing/tests/ha/both-active/hosts/moon/etc/ipsec.d/private/marsKey.pem b/testing/tests/ha/both-active/hosts/moon/etc/ipsec.d/private/marsKey.pem
new file mode 100644
index 000000000..9196315a3
--- /dev/null
+++ b/testing/tests/ha/both-active/hosts/moon/etc/ipsec.d/private/marsKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEA0jTsxnmFVy82b+N3Ypy8QAuuw5f9aVCMGSE+6c1hk223mAYE
+UAyFeOhwACU8Z2FhKtnhHnE2y0IYF+0D1HjiV5Pb1I+RXgqzV5L9NRT7I8EXbwQl
+sBB2IRnM3j/f/BoO81N+rdxMkr+WUWCqr+juNpa4PhO/cJtgcHT4pOxuZgi5l59w
+YNSCjSYQSVipD9+unaQLpMsD9YBjMJltzKn1Ztn1wUFQ5agiY6b8jYiYVulKjn/j
+ZCmT7oI5X1jECshcRAupKwQ0+FnZ6Co+UtIcsngLxux5S+WEoj4XdQzWsVdDl/2g
+cGBVtMzGTlZmC79nMEVX9y5T/9zb+ugbY7ccGQIDAQABAoIBAHmuW1W06KQEV33D
+bctusWZdnOfqZq39C2xMm2+aDR7bh0iASyTPasAHxTXAWEv7ydSVVURbAv38H5hS
+AkKPS26oz7sm9F480X4jP2Hn6EzVLKx9+RcHIGqe1cHdtdnod7kRHyajfMwCDZDD
+5Wp46tQ8wSBmLA6SUuwmOfy2RF3ZKGSYUxZEA3Pj7oMuCwgUVg62MN5kbOdviW1u
+DpRAWO3UE64nHYSFYeRiVRYmrZ0pOF2oBkfuALn2frcGX0v97xxNH9mpJfc1T6Km
+KwfSpKtB5BlF4QRukZC3smoiO0aXI4ZuxuuRzujYIHJvp21+Lg5UybwOu/w4R1nB
+UnaCZHUCgYEA7/5Q06+Mpn9UxxcP5tNGeeGEV5EVhXzLHq8IyTb+Dp8AnJ+EXuHK
+QAiyxvavorZCQN9xAa3IOi1789NeaVWU7DKWI4pMfXETkFGYI2q08bf16XYAvSgt
+AOeEKzILADHaqOKbLJhFxUIAGLJ4LP+IBapKrTHF5qELW6jO4YYaH1cCgYEA4DoG
+3MgDnmCsikmDkP7Z/HS6XwAqKKF6CMlJW05Dq5J/wgWIXfBU9QdWbHl2H2fa/n1b
+M8u3M4wA9NY7kKtan3VBDFxEARRcSX50YB1TCLnplDVO3IxYUkjfKhTjBFF9R0Iv
+2nj8QXAnb+vbx+30Pbi7bkvb93nSe4yzXPFtKg8CgYEAuZso7Z5eG8JsUZEvdig9
+4DMehA6r41IRUUizddK3B53G/lqMKEldfsp7YU8VpLRqZvunzVGWgg/9RiRZZwOO
+KmIxJYlnALj8FWhVTkbPbAYHBKiDh8dTjth+ql2Ijn0ADA89TW7yvsz9gBw+vyZd
+D2yVVn8g++3e9+OFJHvvJf8CgYBHEn18W7Wx7Mij6JtYST+FIua0GBRE3rIUuOCU
+nWEbsAroz+IijHwRUqsVJQbI+51RjyBqcYb3QshG0uT8fSPzaTIeHdy8TtzVusxe
+bs0T9gHQpXkCtUWFh22dJBO1GbNQ8+zBHhovD8KgWi1G2OjS64wVcNwfPDD4UmfD
+7Q6CBwKBgBOeDK7R5mGwC4nV1Y+KDBgvE/W8BloZpcD+d7sfZsrU8w7LemBKreDa
+qT1vgk1ZOeHFkvwdWH7LSxRUEGRd+HmqOFKv/hfmxXHlepdnjqt4JMNo9UyddXmX
+onErIOM7BXcBmqvY77ODDOk8ER3zUjKHvYUzxz4PPuEM3hGTTRbQ
+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ha/both-active/hosts/moon/etc/ipsec.secrets b/testing/tests/ha/both-active/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..d65b96e34
--- /dev/null
+++ b/testing/tests/ha/both-active/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA marsKey.pem
diff --git a/testing/tests/ha/both-active/hosts/moon/etc/strongswan.conf b/testing/tests/ha/both-active/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..1cece26d2
--- /dev/null
+++ b/testing/tests/ha/both-active/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,15 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default ha
+  plugins {
+    ha {
+      local = PH_IP_MOON1
+      remote = PH_IP_ALICE 
+      segment_count = 2
+      fifo_interface = yes
+      monitor = yes
+    }
+  }
+}
+
diff --git a/testing/tests/ha/both-active/posttest.dat b/testing/tests/ha/both-active/posttest.dat
new file mode 100644
index 000000000..49bf76055
--- /dev/null
+++ b/testing/tests/ha/both-active/posttest.dat
@@ -0,0 +1,17 @@
+carol::ipsec stop
+dave::ipsec stop
+moon::ipsec stop
+alice::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+alice::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
+moon::ip addr del 192.168.0.5/24 dev eth0
+moon::ip addr del 10.1.0.5/16 dev eth1
+alice::ip addr del 192.168.0.5/24 dev eth1
+alice::ip addr del 10.1.0.5/16 dev eth0
+alice::/etc/init.d/net.eth1 stop
+venus::ip route del default via 10.1.0.5 dev eth0
+venus::ip route add default via 10.1.0.1 dev eth0
+moon::conntrack -F
+alice::conntrack -F 
diff --git a/testing/tests/ha/both-active/pretest.dat b/testing/tests/ha/both-active/pretest.dat
new file mode 100644
index 000000000..e2e509855
--- /dev/null
+++ b/testing/tests/ha/both-active/pretest.dat
@@ -0,0 +1,18 @@
+moon::ip addr add 192.168.0.5/24 dev eth0
+moon::ip addr add 10.1.0.5/16 dev eth1
+alice::/etc/init.d/net.eth1 start
+alice::ip addr add 192.168.0.5/24 dev eth1
+alice::ip addr add 10.1.0.5/16 dev eth0
+venus::ip route del default via 10.1.0.1 dev eth0
+venus::ip route add default via 10.1.0.5 dev eth0
+moon::/etc/init.d/iptables start 2> /dev/null
+alice::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+alice::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/ha/both-active/test.conf b/testing/tests/ha/both-active/test.conf
new file mode 100644
index 000000000..0473013e1
--- /dev/null
+++ b/testing/tests/ha/both-active/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice venus moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="venus carol dave"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="alice moon carol dave"
diff --git a/testing/tests/ikev1/dpd-restart/evaltest.dat b/testing/tests/ikev1/dpd-restart/evaltest.dat
index c35a8019e..8bc2e8688 100644
--- a/testing/tests/ikev1/dpd-restart/evaltest.dat
+++ b/testing/tests/ikev1/dpd-restart/evaltest.dat
@@ -1,7 +1,7 @@
 moon::ipsec status::STATE_MAIN_I4 (ISAKMP SA established)::YES
 carol::iptables -I INPUT 1 -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO
-moon::sleep 35::no output expected::NO
-carol::iptables -D INPUT 1::no output expected::NO
+carol::sleep 35::no output expected::NO
+carol::iptables -D INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO
 moon::cat /var/log/auth.log::inserting event EVENT_DPD::YES
 moon::cat /var/log/auth.log::DPD: No response from peer - declaring peer dead::YES
 moon::cat /var/log/auth.log::DPD: Terminating all SAs using this connection::YES
diff --git a/testing/tests/ikev1/dynamic-initiator/pretest.dat b/testing/tests/ikev1/dynamic-initiator/pretest.dat
index acb432172..92681011f 100644
--- a/testing/tests/ikev1/dynamic-initiator/pretest.dat
+++ b/testing/tests/ikev1/dynamic-initiator/pretest.dat
@@ -10,4 +10,4 @@ carol::sleep 1
 carol::iptables -D INPUT  -i eth0 -p udp --dport 500 --sport 500 -j ACCEPT
 carol::iptables -D OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
 dave::ipsec up moon
-dave::sleep 1
+dave::sleep 2 
diff --git a/testing/tests/ikev1/dynamic-responder/pretest.dat b/testing/tests/ikev1/dynamic-responder/pretest.dat
index a330b1074..c0f166ff4 100644
--- a/testing/tests/ikev1/dynamic-responder/pretest.dat
+++ b/testing/tests/ikev1/dynamic-responder/pretest.dat
@@ -10,4 +10,4 @@ moon::sleep 1
 carol::iptables -D INPUT  -i eth0 -p udp --dport 500 --sport 500 -j ACCEPT
 carol::iptables -D OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
 dave::ipsec up moon
-dave::sleep 1
+dave::sleep 2 
diff --git a/testing/tests/ikev1/net2net-start/pretest.dat b/testing/tests/ikev1/net2net-start/pretest.dat
index ed8f39316..f0c5bcec6 100644
--- a/testing/tests/ikev1/net2net-start/pretest.dat
+++ b/testing/tests/ikev1/net2net-start/pretest.dat
@@ -2,4 +2,4 @@ moon::/etc/init.d/iptables start 2> /dev/null
 sun::/etc/init.d/iptables start 2> /dev/null
 moon::ipsec start
 sun::ipsec start
-alice::sleep 12
+alice::sleep 20 
diff --git a/testing/tests/ikev1/xauth-rsa-fail/description.txt b/testing/tests/ikev1/xauth-rsa-fail/description.txt
index 83e9d2726..98d85f30b 100644
--- a/testing/tests/ikev1/xauth-rsa-fail/description.txt
+++ b/testing/tests/ikev1/xauth-rsa-fail/description.txt
@@ -2,4 +2,4 @@ The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
 The authentication is based on RSA signatures (<b>RSASIG</b>) using X.509
 certificates followed by extended authentication (<b>XAUTH</b>) based
 on user name and password. Because user <b>carol</b> presents a wrong
-XAUTH password the IKE negotation is aborted and the ISAKMP SA is deleted.
+XAUTH password the IKE negotiation is aborted and the ISAKMP SA is deleted.
diff --git a/testing/tests/ikev1/xauth-rsa-nosecret/description.txt b/testing/tests/ikev1/xauth-rsa-nosecret/description.txt
index ffbb47c04..a6fe82330 100644
--- a/testing/tests/ikev1/xauth-rsa-nosecret/description.txt
+++ b/testing/tests/ikev1/xauth-rsa-nosecret/description.txt
@@ -2,5 +2,5 @@ The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
 The authentication is based on RSA signatures (<b>RSASIG</b>) using X.509
 certificates followed by extended authentication (<b>XAUTH</b>) based
 on user name and password. Because user <b>carol</b> cannot find her 
-XAUTH credentials in ipsec.secrets, the IKE negotation is aborted and the
+XAUTH credentials in ipsec.secrets, the IKE negotiation is aborted and the
 ISAKMP SA is deleted.
diff --git a/testing/tests/ikev2/critical-extension/description.txt b/testing/tests/ikev2/critical-extension/description.txt
new file mode 100644
index 000000000..8c0d37c88
--- /dev/null
+++ b/testing/tests/ikev2/critical-extension/description.txt
@@ -0,0 +1,5 @@
+A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
+The authentication is based on <b>X.509 certificates</b> which contain a <b>critical</b> but
+unsupported 'strongSwan' extension. Whereas <b>moon</b> ignores unsupported critical 
+extensions by setting <b>libstrongswan.x509.enforce_critical = no</b> in strongswan.conf,
+<b>sun</b> discards such certificates and aborts the connection setup.
diff --git a/testing/tests/ikev2/critical-extension/evaltest.dat b/testing/tests/ikev2/critical-extension/evaltest.dat
new file mode 100644
index 000000000..8c2f8ec9d
--- /dev/null
+++ b/testing/tests/ikev2/critical-extension/evaltest.dat
@@ -0,0 +1,6 @@
+moon::cat /var/log/daemon.log::sending end entity cert::YES
+moon::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
+sun::cat /var/log/daemon.log::critical 'strongSwan' extension not supported::YES
+sun::cat /var/log/daemon.log::building CRED_CERTIFICATE - ANY failed::YES
+sun::cat /var/log/daemon.log::loading certificate from 'sunCert.der' failed::YES
+sun::cat /var/log/daemon.log::building CRED_CERTIFICATE - X509 failed::YES
diff --git a/testing/tests/ikev2/critical-extension/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/critical-extension/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..2e3c9dde4
--- /dev/null
+++ b/testing/tests/ikev2/critical-extension/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	mobike=no
+
+conn net-net 
+	left=PH_IP_MOON
+	leftcert=moonCert.der
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	leftfirewall=yes
+	right=PH_IP_SUN
+	rightid=@sun.strongswan.org
+	rightsubnet=10.2.0.0/16
+	auto=add
diff --git a/testing/tests/ikev2/critical-extension/hosts/moon/etc/ipsec.d/certs/moonCert.der b/testing/tests/ikev2/critical-extension/hosts/moon/etc/ipsec.d/certs/moonCert.der
new file mode 100644
index 000000000..7f78d5820
Binary files /dev/null and b/testing/tests/ikev2/critical-extension/hosts/moon/etc/ipsec.d/certs/moonCert.der differ
diff --git a/testing/tests/ikev2/critical-extension/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/critical-extension/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..bfc83ab4d
--- /dev/null
+++ b/testing/tests/ikev2/critical-extension/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,12 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  multiple_authentication = no
+}
+
+libstrongswan {
+  x509 {
+    enforce_critical = no
+  }
+}
diff --git a/testing/tests/ikev2/critical-extension/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/critical-extension/hosts/sun/etc/ipsec.conf
new file mode 100755
index 000000000..19e197131
--- /dev/null
+++ b/testing/tests/ikev2/critical-extension/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+        keyingtries=1
+	keyexchange=ikev2
+	mobike=no
+
+conn net-net 
+	left=PH_IP_SUN
+	leftcert=sunCert.der
+	leftid=@sun.strongswan.org
+	leftsubnet=10.2.0.0/16
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/ikev2/critical-extension/hosts/sun/etc/ipsec.d/certs/sunCert.der b/testing/tests/ikev2/critical-extension/hosts/sun/etc/ipsec.d/certs/sunCert.der
new file mode 100644
index 000000000..c1efb6719
Binary files /dev/null and b/testing/tests/ikev2/critical-extension/hosts/sun/etc/ipsec.d/certs/sunCert.der differ
diff --git a/testing/tests/ikev2/critical-extension/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/critical-extension/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..cb17a9e07
--- /dev/null
+++ b/testing/tests/ikev2/critical-extension/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  multiple_authentication = no
+}
diff --git a/testing/tests/ikev2/critical-extension/posttest.dat b/testing/tests/ikev2/critical-extension/posttest.dat
new file mode 100644
index 000000000..a4c96e10f
--- /dev/null
+++ b/testing/tests/ikev2/critical-extension/posttest.dat
@@ -0,0 +1,5 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
+
diff --git a/testing/tests/ikev2/critical-extension/pretest.dat b/testing/tests/ikev2/critical-extension/pretest.dat
new file mode 100644
index 000000000..2d7a78acb
--- /dev/null
+++ b/testing/tests/ikev2/critical-extension/pretest.dat
@@ -0,0 +1,6 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+sun::ipsec start
+moon::sleep 1 
+moon::ipsec up net-net
diff --git a/testing/tests/ikev2/critical-extension/test.conf b/testing/tests/ikev2/critical-extension/test.conf
new file mode 100644
index 000000000..41ee3037e
--- /dev/null
+++ b/testing/tests/ikev2/critical-extension/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+ 
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/strongswan.conf
index 88f162098..47dab951f 100644
--- a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random constraints x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/strongswan.conf
index 88f162098..8335e51f6 100644
--- a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation constraints hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/description.txt b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/description.txt
new file mode 100644
index 000000000..350aefc60
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/description.txt
@@ -0,0 +1,11 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
+At the outset the gateway authenticates itself to the clients by sending an IKEv2
+<b>RSA signature</b> accompanied by a certificate.
+<b>carol</b> and <b>dave</b> then set up an <b>EAP-TTLS</b> tunnel each via <b>moon</b> to
+the FreeRADIUS server <b>alice</b> authenticated by an X.509 AAA certificate.
+The strong EAP-TTLS tunnel protects the ensuing weak client authentication based on <b>EAP-MD5</b>.
+In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
+health of <b>carol</b> and <b>dave</b> via the <b>IF-TNCCS 1.1</b> client-server interface.
+<b>carol</b> passes the health test and <b>dave</b> fails. Based on these measurements <b>carol</b>
+is authenticated successfully and is granted access to the subnet behind <b>moon</b> whereas 
+<b>dave</b> fails the layered EAP authentication and is rejected.
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/evaltest.dat b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/evaltest.dat
new file mode 100644
index 000000000..517ea9ab2
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/evaltest.dat
@@ -0,0 +1,14 @@
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
+carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/16::YES
+dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+dave::cat /var/log/daemon.log::TNCCS-Recommendation.*none::YES
+dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
+dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.0/16::NO
+moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES         
+moon::cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES
+moon::cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
+
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/clients.conf
new file mode 100644
index 000000000..f4e179aa4
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/clients.conf
@@ -0,0 +1,4 @@
+client PH_IP_MOON1 {
+  secret    = gv6URkSs 
+  shortname = moon
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/dictionary b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/dictionary
new file mode 100644
index 000000000..1a27a02fc
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/dictionary
@@ -0,0 +1,2 @@
+$INCLUDE	/usr/share/freeradius/dictionary
+$INCLUDE	/etc/raddb/dictionary.tnc
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/dictionary.tnc b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/dictionary.tnc
new file mode 100644
index 000000000..f295467a9
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/dictionary.tnc
@@ -0,0 +1,5 @@
+ATTRIBUTE	TNC-Status	3001	integer
+
+VALUE	TNC-Status	Access	0 
+VALUE	TNC-Status	Isolate	1
+VALUE	TNC-Status	None	2
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/eap.conf
new file mode 100644
index 000000000..31556361e
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/eap.conf
@@ -0,0 +1,25 @@
+eap {
+  md5 {
+  }
+  default_eap_type = ttls
+  tls {
+    private_key_file = /etc/raddb/certs/aaaKey.pem
+    certificate_file = /etc/raddb/certs/aaaCert.pem
+    CA_file = /etc/raddb/certs/strongswanCert.pem
+    cipher_list = "DEFAULT"
+    dh_file = /etc/raddb/certs/dh
+    random_file = /etc/raddb/certs/random
+  }
+  ttls {
+    default_eap_type = md5
+    use_tunneled_reply = yes
+    virtual_server = "inner-tunnel"
+    tnc_virtual_server = "inner-tunnel-second"
+  }
+}
+
+eap eap_tnc {
+      default_eap_type = tnc
+      tnc {
+      }
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/proxy.conf
new file mode 100644
index 000000000..23cba8d11
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/proxy.conf
@@ -0,0 +1,5 @@
+realm strongswan.org {
+  type     = radius
+  authhost = LOCAL
+  accthost = LOCAL
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/radiusd.conf
new file mode 100644
index 000000000..1143a0473
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/radiusd.conf
@@ -0,0 +1,120 @@
+# radiusd.conf	-- FreeRADIUS server configuration file.
+
+prefix = /usr
+exec_prefix = ${prefix}
+sysconfdir = /etc
+localstatedir = /var
+sbindir = ${exec_prefix}/sbin
+logdir = ${localstatedir}/log/radius
+raddbdir = ${sysconfdir}/raddb
+radacctdir = ${logdir}/radacct
+
+#  name of the running server.  See also the "-n" command-line option.
+name = radiusd
+
+#  Location of config and logfiles.
+confdir = ${raddbdir}
+run_dir = ${localstatedir}/run/radiusd
+
+# Should likely be ${localstatedir}/lib/radiusd
+db_dir = ${raddbdir}
+
+# libdir: Where to find the rlm_* modules.
+libdir = ${exec_prefix}/lib
+
+#  pidfile: Where to place the PID of the RADIUS server.
+pidfile = ${run_dir}/${name}.pid
+
+#  max_request_time: The maximum time (in seconds) to handle a request.
+max_request_time = 30
+
+#  cleanup_delay: The time to wait (in seconds) before cleaning up
+cleanup_delay = 5
+
+#  max_requests: The maximum number of requests which the server keeps
+max_requests = 1024
+
+#  listen: Make the server listen on a particular IP address, and send
+listen {
+  type = auth
+  ipaddr = PH_IP_ALICE 
+  port = 0
+}
+
+#  This second "listen" section is for listening on the accounting
+#  port, too.
+#
+listen {
+  type  = acct
+  ipaddr = PH_IP_ALICE 
+  port = 0
+}
+
+#  hostname_lookups: Log the names of clients or just their IP addresses
+hostname_lookups = no
+
+#  Core dumps are a bad thing.  This should only be set to 'yes'
+allow_core_dumps = no
+
+#  Regular expressions
+regular_expressions = yes
+extended_expressions = yes
+
+#  Logging section.  The various "log_*" configuration items
+log {
+  destination = files
+  file = ${logdir}/radius.log
+  syslog_facility = daemon
+  stripped_names = no
+  auth = yes 
+  auth_badpass = yes 
+  auth_goodpass = yes 
+}
+
+#  The program to execute to do concurrency checks.
+checkrad = ${sbindir}/checkrad
+
+#  Security considerations
+security {
+  max_attributes = 200
+  reject_delay = 1
+  status_server = yes
+}
+
+# PROXY CONFIGURATION
+proxy_requests = yes
+$INCLUDE proxy.conf
+
+# CLIENTS CONFIGURATION
+$INCLUDE clients.conf
+
+# THREAD POOL CONFIGURATION
+thread pool {
+  start_servers = 5
+  max_servers = 32
+  min_spare_servers = 3
+  max_spare_servers = 10
+  max_requests_per_server = 0
+}
+
+# MODULE CONFIGURATION
+modules {
+  $INCLUDE ${confdir}/modules/
+  $INCLUDE eap.conf
+  $INCLUDE sql.conf
+  $INCLUDE sql/mysql/counter.conf
+}
+
+# Instantiation
+instantiate {
+  exec
+  expr
+  expiration
+  logintime
+}
+
+# Policies
+$INCLUDE policy.conf
+
+# Include all enabled virtual hosts
+$INCLUDE sites-enabled/
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/sites-available/default
new file mode 100644
index 000000000..802fcfd8d
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/sites-available/default
@@ -0,0 +1,44 @@
+authorize {
+  suffix
+  eap {
+    ok = return
+  }
+  files
+}
+
+authenticate {
+  eap
+}
+
+preacct {
+  preprocess
+  acct_unique
+  suffix
+  files
+}
+
+accounting {
+  detail
+  unix
+  radutmp
+  attr_filter.accounting_response
+}
+
+session {
+  radutmp
+}
+
+post-auth {
+  exec
+  Post-Auth-Type REJECT {
+    attr_filter.access_reject
+  }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+  eap
+}
+
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel
new file mode 100644
index 000000000..e088fae14
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel
@@ -0,0 +1,32 @@
+server inner-tunnel {
+
+authorize {
+	suffix
+	eap {
+		ok = return
+	}
+	files
+}
+
+authenticate {
+	eap
+}
+
+session {
+	radutmp
+}
+
+post-auth {
+	Post-Auth-Type REJECT {
+		attr_filter.access_reject
+	}
+}
+
+pre-proxy {
+}
+
+post-proxy {
+	eap
+}
+
+} # inner-tunnel server block
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel-second b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel-second
new file mode 100644
index 000000000..2d4961288
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel-second
@@ -0,0 +1,23 @@
+server inner-tunnel-second {
+
+authorize {
+	eap_tnc {
+		ok = return
+	}
+}
+
+authenticate {
+	eap_tnc
+}
+
+session {
+	radutmp
+}
+
+post-auth {
+	Post-Auth-Type REJECT {
+		attr_filter.access_reject
+	}
+}
+
+} # inner-tunnel-second block
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/users b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/users
new file mode 100644
index 000000000..50ccf3e76
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/users
@@ -0,0 +1,2 @@
+carol	Cleartext-Password := "Ar3etTnp"
+dave	Cleartext-Password := "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/tnc_config
new file mode 100644
index 000000000..a9509a716
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMV configuration file for TNC@FHH-TNC-Server
+
+IMV "Dummy" /usr/local/lib/libdummyimv.so.0.7.0
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..9cf2b43c4
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutostart=no
+	charondebug="tls 2, tnc 3"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_CAROL
+	leftid=carol@strongswan.org
+	leftauth=eap
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	rightauth=pubkey
+	aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..74942afda
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..c12143cb1
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown
+  multiple_authentication=no
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/tnc/dummyimc.file
new file mode 100644
index 000000000..f5da834c0
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/tnc/dummyimc.file
@@ -0,0 +1 @@
+allow
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/tnc_config
new file mode 100644
index 000000000..a5a9a68f3
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMC configuration file for strongSwan client 
+
+IMC "Dummy" /usr/local/lib/libdummyimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..998e6c2e5
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutostart=no
+	charondebug="tls 2, tnc 3"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_DAVE
+	leftid=dave@strongswan.org
+	leftauth=eap
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	rightauth=pubkey
+	aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..5496df7ad
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..c12143cb1
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown
+  multiple_authentication=no
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/tnc/dummyimc.file
new file mode 100644
index 000000000..621e94f0e
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/tnc/dummyimc.file
@@ -0,0 +1 @@
+none
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/tnc_config
new file mode 100644
index 000000000..a5a9a68f3
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMC configuration file for strongSwan client 
+
+IMC "Dummy" /usr/local/lib/libdummyimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/moon/etc/init.d/iptables
new file mode 100755
index 000000000..56587b2e8
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/moon/etc/init.d/iptables
@@ -0,0 +1,84 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+	before net
+	need logger
+}
+
+start() {
+	ebegin "Starting firewall"
+
+	# enable IP forwarding
+	echo 1 > /proc/sys/net/ipv4/ip_forward
+	
+	# default policy is DROP
+	/sbin/iptables -P INPUT DROP
+	/sbin/iptables -P OUTPUT DROP
+	/sbin/iptables -P FORWARD DROP
+
+	# allow esp
+	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+	# allow IKE
+	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+	# allow MobIKE
+	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+	# allow crl fetch from winnetou
+	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+	# allow RADIUS protocol with alice
+	iptables -A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+	iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+	# allow ssh
+	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
+	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+	
+			if [ $a == nat ]; then
+				/sbin/iptables -t nat -P PREROUTING ACCEPT
+				/sbin/iptables -t nat -P POSTROUTING ACCEPT
+				/sbin/iptables -t nat -P OUTPUT ACCEPT
+			elif [ $a == mangle ]; then
+				/sbin/iptables -t mangle -P PREROUTING ACCEPT
+				/sbin/iptables -t mangle -P INPUT ACCEPT
+				/sbin/iptables -t mangle -P FORWARD ACCEPT
+				/sbin/iptables -t mangle -P OUTPUT ACCEPT
+				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
+			elif [ $a == filter ]; then
+				/sbin/iptables -t filter -P INPUT ACCEPT
+				/sbin/iptables -t filter -P FORWARD ACCEPT
+				/sbin/iptables -t filter -P OUTPUT ACCEPT
+			fi
+		done
+	eend $?
+}
+
+reload() {
+	ebegin "Flushing firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+		done;
+        eend $?
+	start
+}
+
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..fc8f84638
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn rw-eap
+	left=PH_IP_MOON
+	leftsubnet=10.1.0.0/16
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftauth=pubkey
+	leftfirewall=yes
+	rightauth=eap-radius
+	rightid=*@strongswan.org
+	rightsendcert=never
+	right=%any
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..e86d6aa5c
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..4d2d3058d
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,12 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-radius updown
+  multiple_authentication=no
+  plugins {
+    eap-radius {
+      secret = gv6URkSs 
+      server = PH_IP_ALICE
+    }
+  }
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/posttest.dat b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/posttest.dat
new file mode 100644
index 000000000..132752119
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/posttest.dat
@@ -0,0 +1,8 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+alice::/etc/init.d/radiusd stop
+alice::rm /etc/raddb/sites-enabled/inner-tunnel-second
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/pretest.dat b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/pretest.dat
new file mode 100644
index 000000000..dc7d5934e
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/pretest.dat
@@ -0,0 +1,15 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+alice::ln -s /etc/raddb/sites-available/inner-tunnel-second /etc/raddb/sites-enabled/inner-tunnel-second
+alice::cat /etc/raddb/sites-enabled/inner-tunnel-second
+alice::/etc/init.d/radiusd start
+carol::cat /etc/tnc/dummyimc.file
+dave::cat /etc/tnc/dummyimc.file
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
+dave::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/test.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/test.conf
new file mode 100644
index 000000000..bb6b68687
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/test.conf
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# UML instances on which FreeRadius is started
+#
+RADIUSHOSTS="alice"
+
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/description.txt b/testing/tests/ikev2/rw-eap-tnc-11-radius/description.txt
new file mode 100644
index 000000000..7eebd3d4d
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/description.txt
@@ -0,0 +1,10 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
+At the outset the gateway authenticates itself to the clients by sending an IKEv2
+<b>RSA signature</b> accompanied by a certificate.
+<b>carol</b> and <b>dave</b> then set up an <b>EAP-TTLS</b> tunnel each via <b>moon</b> to
+the FreeRADIUS server <b>alice</b> authenticated by an X.509 AAA certificate.
+The strong EAP-TTLS tunnel protects the ensuing weak client authentication based on <b>EAP-MD5</b>.
+In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
+health of <b>carol</b> and <b>dave</b> via the <b>IF-TNCCS 1.1</b> client-server interface.
+<b>carol</b> passes the health test and <b>dave</b> fails. Based on these measurements the
+clients are connected by gateway <b>moon</b> to the "rw-allow" and "rw-isolate" subnets, respectively.
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-tnc-11-radius/evaltest.dat
new file mode 100644
index 000000000..d0ea22ba9
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/evaltest.dat
@@ -0,0 +1,19 @@
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
+dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+dave::cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES
+dave::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
+moon::cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'allow'::YES
+moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES            
+moon::cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'isolate'::YES
+moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
+moon::ipsec statusall::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
+moon::ipsec statusall::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
+dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
+
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/clients.conf
new file mode 100644
index 000000000..f4e179aa4
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/clients.conf
@@ -0,0 +1,4 @@
+client PH_IP_MOON1 {
+  secret    = gv6URkSs 
+  shortname = moon
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/dictionary b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/dictionary
new file mode 100644
index 000000000..1a27a02fc
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/dictionary
@@ -0,0 +1,2 @@
+$INCLUDE	/usr/share/freeradius/dictionary
+$INCLUDE	/etc/raddb/dictionary.tnc
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/dictionary.tnc b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/dictionary.tnc
new file mode 100644
index 000000000..f295467a9
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/dictionary.tnc
@@ -0,0 +1,5 @@
+ATTRIBUTE	TNC-Status	3001	integer
+
+VALUE	TNC-Status	Access	0 
+VALUE	TNC-Status	Isolate	1
+VALUE	TNC-Status	None	2
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/eap.conf
new file mode 100644
index 000000000..31556361e
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/eap.conf
@@ -0,0 +1,25 @@
+eap {
+  md5 {
+  }
+  default_eap_type = ttls
+  tls {
+    private_key_file = /etc/raddb/certs/aaaKey.pem
+    certificate_file = /etc/raddb/certs/aaaCert.pem
+    CA_file = /etc/raddb/certs/strongswanCert.pem
+    cipher_list = "DEFAULT"
+    dh_file = /etc/raddb/certs/dh
+    random_file = /etc/raddb/certs/random
+  }
+  ttls {
+    default_eap_type = md5
+    use_tunneled_reply = yes
+    virtual_server = "inner-tunnel"
+    tnc_virtual_server = "inner-tunnel-second"
+  }
+}
+
+eap eap_tnc {
+      default_eap_type = tnc
+      tnc {
+      }
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/proxy.conf
new file mode 100644
index 000000000..23cba8d11
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/proxy.conf
@@ -0,0 +1,5 @@
+realm strongswan.org {
+  type     = radius
+  authhost = LOCAL
+  accthost = LOCAL
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/radiusd.conf
new file mode 100644
index 000000000..1143a0473
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/radiusd.conf
@@ -0,0 +1,120 @@
+# radiusd.conf	-- FreeRADIUS server configuration file.
+
+prefix = /usr
+exec_prefix = ${prefix}
+sysconfdir = /etc
+localstatedir = /var
+sbindir = ${exec_prefix}/sbin
+logdir = ${localstatedir}/log/radius
+raddbdir = ${sysconfdir}/raddb
+radacctdir = ${logdir}/radacct
+
+#  name of the running server.  See also the "-n" command-line option.
+name = radiusd
+
+#  Location of config and logfiles.
+confdir = ${raddbdir}
+run_dir = ${localstatedir}/run/radiusd
+
+# Should likely be ${localstatedir}/lib/radiusd
+db_dir = ${raddbdir}
+
+# libdir: Where to find the rlm_* modules.
+libdir = ${exec_prefix}/lib
+
+#  pidfile: Where to place the PID of the RADIUS server.
+pidfile = ${run_dir}/${name}.pid
+
+#  max_request_time: The maximum time (in seconds) to handle a request.
+max_request_time = 30
+
+#  cleanup_delay: The time to wait (in seconds) before cleaning up
+cleanup_delay = 5
+
+#  max_requests: The maximum number of requests which the server keeps
+max_requests = 1024
+
+#  listen: Make the server listen on a particular IP address, and send
+listen {
+  type = auth
+  ipaddr = PH_IP_ALICE 
+  port = 0
+}
+
+#  This second "listen" section is for listening on the accounting
+#  port, too.
+#
+listen {
+  type  = acct
+  ipaddr = PH_IP_ALICE 
+  port = 0
+}
+
+#  hostname_lookups: Log the names of clients or just their IP addresses
+hostname_lookups = no
+
+#  Core dumps are a bad thing.  This should only be set to 'yes'
+allow_core_dumps = no
+
+#  Regular expressions
+regular_expressions = yes
+extended_expressions = yes
+
+#  Logging section.  The various "log_*" configuration items
+log {
+  destination = files
+  file = ${logdir}/radius.log
+  syslog_facility = daemon
+  stripped_names = no
+  auth = yes 
+  auth_badpass = yes 
+  auth_goodpass = yes 
+}
+
+#  The program to execute to do concurrency checks.
+checkrad = ${sbindir}/checkrad
+
+#  Security considerations
+security {
+  max_attributes = 200
+  reject_delay = 1
+  status_server = yes
+}
+
+# PROXY CONFIGURATION
+proxy_requests = yes
+$INCLUDE proxy.conf
+
+# CLIENTS CONFIGURATION
+$INCLUDE clients.conf
+
+# THREAD POOL CONFIGURATION
+thread pool {
+  start_servers = 5
+  max_servers = 32
+  min_spare_servers = 3
+  max_spare_servers = 10
+  max_requests_per_server = 0
+}
+
+# MODULE CONFIGURATION
+modules {
+  $INCLUDE ${confdir}/modules/
+  $INCLUDE eap.conf
+  $INCLUDE sql.conf
+  $INCLUDE sql/mysql/counter.conf
+}
+
+# Instantiation
+instantiate {
+  exec
+  expr
+  expiration
+  logintime
+}
+
+# Policies
+$INCLUDE policy.conf
+
+# Include all enabled virtual hosts
+$INCLUDE sites-enabled/
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/sites-available/default
new file mode 100644
index 000000000..802fcfd8d
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/sites-available/default
@@ -0,0 +1,44 @@
+authorize {
+  suffix
+  eap {
+    ok = return
+  }
+  files
+}
+
+authenticate {
+  eap
+}
+
+preacct {
+  preprocess
+  acct_unique
+  suffix
+  files
+}
+
+accounting {
+  detail
+  unix
+  radutmp
+  attr_filter.accounting_response
+}
+
+session {
+  radutmp
+}
+
+post-auth {
+  exec
+  Post-Auth-Type REJECT {
+    attr_filter.access_reject
+  }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+  eap
+}
+
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel
new file mode 100644
index 000000000..e088fae14
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel
@@ -0,0 +1,32 @@
+server inner-tunnel {
+
+authorize {
+	suffix
+	eap {
+		ok = return
+	}
+	files
+}
+
+authenticate {
+	eap
+}
+
+session {
+	radutmp
+}
+
+post-auth {
+	Post-Auth-Type REJECT {
+		attr_filter.access_reject
+	}
+}
+
+pre-proxy {
+}
+
+post-proxy {
+	eap
+}
+
+} # inner-tunnel server block
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel-second b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel-second
new file mode 100644
index 000000000..f91bccc72
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel-second
@@ -0,0 +1,36 @@
+server inner-tunnel-second {
+
+authorize {
+	eap_tnc {
+		ok = return
+	}
+}
+
+authenticate {
+	eap_tnc
+}
+
+session {
+	radutmp
+}
+
+post-auth {
+	if (control:TNC-Status == "Access") {
+		update reply {
+			Tunnel-Type := ESP 
+			Filter-Id := "allow"
+		}
+	}
+	elsif (control:TNC-Status == "Isolate") {
+		update reply {
+			Tunnel-Type := ESP 
+			Filter-Id := "isolate"	
+		}
+	}
+
+	Post-Auth-Type REJECT {
+		attr_filter.access_reject
+	}
+}
+
+} # inner-tunnel-second block
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/users b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/users
new file mode 100644
index 000000000..50ccf3e76
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/users
@@ -0,0 +1,2 @@
+carol	Cleartext-Password := "Ar3etTnp"
+dave	Cleartext-Password := "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/tnc_config
new file mode 100644
index 000000000..a9509a716
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMV configuration file for TNC@FHH-TNC-Server
+
+IMV "Dummy" /usr/local/lib/libdummyimv.so.0.7.0
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..9cf2b43c4
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutostart=no
+	charondebug="tls 2, tnc 3"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_CAROL
+	leftid=carol@strongswan.org
+	leftauth=eap
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	rightauth=pubkey
+	aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..74942afda
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..c12143cb1
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown
+  multiple_authentication=no
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/tnc/dummyimc.file
new file mode 100644
index 000000000..f5da834c0
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/tnc/dummyimc.file
@@ -0,0 +1 @@
+allow
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/tnc_config
new file mode 100644
index 000000000..a5a9a68f3
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMC configuration file for strongSwan client 
+
+IMC "Dummy" /usr/local/lib/libdummyimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..998e6c2e5
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutostart=no
+	charondebug="tls 2, tnc 3"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_DAVE
+	leftid=dave@strongswan.org
+	leftauth=eap
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	rightauth=pubkey
+	aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..5496df7ad
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..c12143cb1
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown
+  multiple_authentication=no
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/tnc/dummyimc.file
new file mode 100644
index 000000000..c20b5e57f
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/tnc/dummyimc.file
@@ -0,0 +1 @@
+isolate
\ No newline at end of file
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/tnc_config
new file mode 100644
index 000000000..a5a9a68f3
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMC configuration file for strongSwan client 
+
+IMC "Dummy" /usr/local/lib/libdummyimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/moon/etc/init.d/iptables
new file mode 100755
index 000000000..56587b2e8
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/moon/etc/init.d/iptables
@@ -0,0 +1,84 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+	before net
+	need logger
+}
+
+start() {
+	ebegin "Starting firewall"
+
+	# enable IP forwarding
+	echo 1 > /proc/sys/net/ipv4/ip_forward
+	
+	# default policy is DROP
+	/sbin/iptables -P INPUT DROP
+	/sbin/iptables -P OUTPUT DROP
+	/sbin/iptables -P FORWARD DROP
+
+	# allow esp
+	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+	# allow IKE
+	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+	# allow MobIKE
+	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+	# allow crl fetch from winnetou
+	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+	# allow RADIUS protocol with alice
+	iptables -A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+	iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+	# allow ssh
+	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
+	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+	
+			if [ $a == nat ]; then
+				/sbin/iptables -t nat -P PREROUTING ACCEPT
+				/sbin/iptables -t nat -P POSTROUTING ACCEPT
+				/sbin/iptables -t nat -P OUTPUT ACCEPT
+			elif [ $a == mangle ]; then
+				/sbin/iptables -t mangle -P PREROUTING ACCEPT
+				/sbin/iptables -t mangle -P INPUT ACCEPT
+				/sbin/iptables -t mangle -P FORWARD ACCEPT
+				/sbin/iptables -t mangle -P OUTPUT ACCEPT
+				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
+			elif [ $a == filter ]; then
+				/sbin/iptables -t filter -P INPUT ACCEPT
+				/sbin/iptables -t filter -P FORWARD ACCEPT
+				/sbin/iptables -t filter -P OUTPUT ACCEPT
+			fi
+		done
+	eend $?
+}
+
+reload() {
+	ebegin "Flushing firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+		done;
+        eend $?
+	start
+}
+
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..33dcdcfb0
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,35 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn rw-allow
+	rightgroups=allow
+	leftsubnet=10.1.0.0/28
+	also=rw-eap
+	auto=add
+
+conn rw-isolate
+	rightgroups=isolate
+	leftsubnet=10.1.0.16/28
+	also=rw-eap
+	auto=add
+
+conn rw-eap
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftauth=pubkey
+	leftfirewall=yes
+	rightauth=eap-radius
+	rightid=*@strongswan.org
+	rightsendcert=never
+	right=%any
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..e86d6aa5c
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..f4e456bbe
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,13 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-radius updown
+  multiple_authentication=no
+  plugins {
+    eap-radius {
+      secret = gv6URkSs 
+      server = PH_IP_ALICE
+      filter_id = yes
+    }
+  }
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/posttest.dat b/testing/tests/ikev2/rw-eap-tnc-11-radius/posttest.dat
new file mode 100644
index 000000000..132752119
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/posttest.dat
@@ -0,0 +1,8 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+alice::/etc/init.d/radiusd stop
+alice::rm /etc/raddb/sites-enabled/inner-tunnel-second
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/pretest.dat b/testing/tests/ikev2/rw-eap-tnc-11-radius/pretest.dat
new file mode 100644
index 000000000..8dd865819
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/pretest.dat
@@ -0,0 +1,18 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+alice::ln -s /etc/raddb/sites-available/inner-tunnel-second /etc/raddb/sites-enabled/inner-tunnel-second
+alice::cat /etc/raddb/sites-enabled/inner-tunnel-second
+alice::/etc/init.d/radiusd start
+alice::cat /etc/tnc_config
+carol::cat /etc/tnc_config
+dave::cat /etc/tnc_config
+carol::cat /etc/tnc/dummyimc.file
+dave::cat /etc/tnc/dummyimc.file
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
+dave::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/test.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius/test.conf
new file mode 100644
index 000000000..2a52df203
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/test.conf
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice venus moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# UML instances on which FreeRadius is started
+#
+RADIUSHOSTS="alice"
+
diff --git a/testing/tests/ikev2/rw-eap-tnc-11/description.txt b/testing/tests/ikev2/rw-eap-tnc-11/description.txt
new file mode 100644
index 000000000..4b4808c94
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11/description.txt
@@ -0,0 +1,9 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>
+using EAP-TTLS authentication only with the gateway presenting a server certificate and
+the clients doing EAP-MD5 password-based authentication.
+In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
+health of <b>carol</b> and <b>dave</b> via the <b>IF-TNCCS 1.1</b> client-server interface.
+<b>carol</b> passes the health test and <b>dave</b> fails. Based on these measurements the
+clients are connected by gateway <b>moon</b> to the "rw-allow" and "rw-isolate" subnets,
+respectively.
+
diff --git a/testing/tests/ikev2/rw-eap-tnc-11/evaltest.dat b/testing/tests/ikev2/rw-eap-tnc-11/evaltest.dat
new file mode 100644
index 000000000..a02755148
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11/evaltest.dat
@@ -0,0 +1,19 @@
+carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
+dave::cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES
+dave::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
+moon::cat /var/log/daemon.log::added group membership 'allow'::YES
+moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon::cat /var/log/daemon.log::added group membership 'isolate'::YES
+moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
+moon::ipsec statusall::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
+moon::ipsec statusall::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
+dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
+
diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..c19192dae
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutostart=no
+	charondebug="tls 2, tnc 3"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_CAROL
+	leftid=carol@strongswan.org
+	leftauth=eap
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsendcert=never
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..74942afda
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..c12143cb1
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown
+  multiple_authentication=no
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/tnc/dummyimc.file
new file mode 100644
index 000000000..f5da834c0
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/tnc/dummyimc.file
@@ -0,0 +1 @@
+allow
diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/tnc_config
new file mode 100644
index 000000000..a5a9a68f3
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMC configuration file for strongSwan client 
+
+IMC "Dummy" /usr/local/lib/libdummyimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..7d5ea8b83
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutostart=no
+	charondebug="tls 2, tnc 3"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_DAVE
+	leftid=dave@strongswan.org
+	leftauth=eap
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsendcert=never
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..5496df7ad
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..c12143cb1
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown
+  multiple_authentication=no
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/tnc/dummyimc.file
new file mode 100644
index 000000000..c20b5e57f
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/tnc/dummyimc.file
@@ -0,0 +1 @@
+isolate
\ No newline at end of file
diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/tnc_config
new file mode 100644
index 000000000..a5a9a68f3
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMC configuration file for strongSwan client 
+
+IMC "Dummy" /usr/local/lib/libdummyimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..50514c99f
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,36 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	strictcrlpolicy=no
+	plutostart=no
+	charondebug="tls 2, tnc 3"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn rw-allow
+	rightgroups=allow
+	leftsubnet=10.1.0.0/28
+	also=rw-eap
+	auto=add
+
+conn rw-isolate
+	rightgroups=isolate
+	leftsubnet=10.1.0.16/28
+	also=rw-eap
+	auto=add
+
+conn rw-eap
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftauth=eap-ttls
+	leftfirewall=yes
+	rightauth=eap-ttls
+	rightid=*@strongswan.org
+	rightsendcert=never
+	right=%any
diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..2e277ccb0
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,6 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
+
+carol@strongswan.org : EAP "Ar3etTnp"
+dave@strongswan.org  : EAP "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..f8700d3c5
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,13 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnccs-11 tnc-imv updown
+  multiple_authentication=no
+  plugins {
+    eap-ttls {
+      phase2_method = md5
+      phase2_piggyback = yes
+      phase2_tnc = yes
+    }
+  }
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/tnc_config
new file mode 100644
index 000000000..ac436a344
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMV configuration file for strongSwan server 
+
+IMV "Dummy" /usr/local/lib/libdummyimv.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-11/posttest.dat b/testing/tests/ikev2/rw-eap-tnc-11/posttest.dat
new file mode 100644
index 000000000..7cebd7f25
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-tnc-11/pretest.dat b/testing/tests/ikev2/rw-eap-tnc-11/pretest.dat
new file mode 100644
index 000000000..ce897d181
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11/pretest.dat
@@ -0,0 +1,15 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+moon::cat /etc/tnc_config
+carol::cat /etc/tnc_config
+dave::cat /etc/tnc_config
+carol::cat /etc/tnc/dummyimc.file
+dave::cat /etc/tnc/dummyimc.file
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
+dave::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-tnc-11/test.conf b/testing/tests/ikev2/rw-eap-tnc-11/test.conf
new file mode 100644
index 000000000..e28b8259b
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11/test.conf
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice venus moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# UML instances on which FreeRadius is started
+#
+RADIUSHOSTS=
+
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/description.txt b/testing/tests/ikev2/rw-eap-tnc-20-block/description.txt
new file mode 100644
index 000000000..c7422aa46
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20-block/description.txt
@@ -0,0 +1,11 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>
+using EAP-TTLS authentication only with the gateway presenting a server certificate and
+the clients doing EAP-MD5 password-based authentication.
+In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
+health of <b>carol</b> and <b>dave</b> via the <b>IF-TNCCS 2.0</b> client-server interface
+compliant with <b>RFC 5793 PB-TNC</b>.
+<p>
+<b>carol</b> passes the health test and <b>dave</b> fails. Based on these measurements
+<b>carol</b> is authenticated successfully and is granted access to the subnet behind
+<b>moon</b> whereas <b>dave</b> fails the layered EAP authentication and is rejected.
+</p>
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/evaltest.dat b/testing/tests/ikev2/rw-eap-tnc-20-block/evaltest.dat
new file mode 100644
index 000000000..f1753c208
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20-block/evaltest.dat
@@ -0,0 +1,12 @@
+carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/16::YES
+dave::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Denied'::YES
+dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
+dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.0/16::NO
+moon::cat /var/log/daemon.log::added group membership 'allow'::YES
+moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES 
+moon::cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..c19192dae
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutostart=no
+	charondebug="tls 2, tnc 3"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_CAROL
+	leftid=carol@strongswan.org
+	leftauth=eap
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsendcert=never
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..74942afda
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..1a39b8c57
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,14 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-20 updown
+  multiple_authentication=no
+  plugins {
+    eap-tnc {
+      protocol = tnccs-2.0
+    }
+    tnc-imc {
+      preferred_language = de, en
+    }
+  }
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/tnc/dummyimc.file
new file mode 100644
index 000000000..f5da834c0
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/tnc/dummyimc.file
@@ -0,0 +1 @@
+allow
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/tnc_config
new file mode 100644
index 000000000..a5a9a68f3
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMC configuration file for strongSwan client 
+
+IMC "Dummy" /usr/local/lib/libdummyimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..7d5ea8b83
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutostart=no
+	charondebug="tls 2, tnc 3"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_DAVE
+	leftid=dave@strongswan.org
+	leftauth=eap
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsendcert=never
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..5496df7ad
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..eb7007726
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,14 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-20 updown
+  multiple_authentication=no
+  plugins {
+    eap-tnc {
+      protocol = tnccs-2.0
+    }
+    tnc-imc {
+      preferred_language = ru, fr, en
+    }
+  }
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/tnc/dummyimc.file
new file mode 100644
index 000000000..621e94f0e
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/tnc/dummyimc.file
@@ -0,0 +1 @@
+none
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/tnc_config
new file mode 100644
index 000000000..a5a9a68f3
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMC configuration file for strongSwan client 
+
+IMC "Dummy" /usr/local/lib/libdummyimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..6747b4a4a
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,26 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	strictcrlpolicy=no
+	plutostart=no
+	charondebug="tls 2, tnc 3"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn rw-eap
+	left=PH_IP_MOON
+	leftsubnet=10.1.0.0/16
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftauth=eap-ttls
+	leftfirewall=yes
+	rightauth=eap-ttls
+	rightid=*@strongswan.org
+	rightsendcert=never
+	right=%any
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..2e277ccb0
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,6 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
+
+carol@strongswan.org : EAP "Ar3etTnp"
+dave@strongswan.org  : EAP "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..20caf8e84
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,19 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnccs-20 tnc-imv updown
+  multiple_authentication=no
+  plugins {
+    eap-ttls {
+      phase2_method = md5
+      phase2_piggyback = yes
+      phase2_tnc = yes
+    }
+    eap-tnc {
+      protocol = tnccs-2.0
+    }
+    tnc-imv {
+      recommendation_policy = all
+    }
+  }
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/tnc_config
new file mode 100644
index 000000000..ac436a344
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMV configuration file for strongSwan server 
+
+IMV "Dummy" /usr/local/lib/libdummyimv.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/posttest.dat b/testing/tests/ikev2/rw-eap-tnc-20-block/posttest.dat
new file mode 100644
index 000000000..7cebd7f25
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20-block/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/pretest.dat b/testing/tests/ikev2/rw-eap-tnc-20-block/pretest.dat
new file mode 100644
index 000000000..ce897d181
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20-block/pretest.dat
@@ -0,0 +1,15 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+moon::cat /etc/tnc_config
+carol::cat /etc/tnc_config
+dave::cat /etc/tnc_config
+carol::cat /etc/tnc/dummyimc.file
+dave::cat /etc/tnc/dummyimc.file
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
+dave::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/test.conf b/testing/tests/ikev2/rw-eap-tnc-20-block/test.conf
new file mode 100644
index 000000000..e28b8259b
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20-block/test.conf
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice venus moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# UML instances on which FreeRadius is started
+#
+RADIUSHOSTS=
+
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-tls/description.txt b/testing/tests/ikev2/rw-eap-tnc-20-tls/description.txt
new file mode 100644
index 000000000..54590a951
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20-tls/description.txt
@@ -0,0 +1,10 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>,
+both ends doing certificate-based EAP-TLS authentication only.
+In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
+health of <b>carol</b> and <b>dave</b> via the <b>IF-TNCCS 2.0 </b> client-server interface
+compliant with <b>RFC 5793 PB-TNC</b>.
+<p>
+<b>carol</b> passes the health test and <b>dave</b> fails. Based on these measurements the
+clients are connected by gateway <b>moon</b> to the "rw-allow" and "rw-isolate" subnets,
+respectively.
+</p>
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-tls/evaltest.dat b/testing/tests/ikev2/rw-eap-tnc-20-tls/evaltest.dat
new file mode 100644
index 000000000..bbc0603b6
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20-tls/evaltest.dat
@@ -0,0 +1,19 @@
+carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
+dave::cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
+dave::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
+moon::cat /var/log/daemon.log::added group membership 'allow'::YES
+moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES              
+moon::cat /var/log/daemon.log::added group membership 'isolate'::YES
+moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
+moon::ipsec statusall::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
+moon::ipsec statusall::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
+dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
+
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..1b6274215
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutostart=no
+	charondebug="tls 2, tnc 3"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_CAROL
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftauth=eap
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsendcert=never
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..b2aa2806a
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-20 updown
+  multiple_authentication=no
+  plugins {
+    eap-tnc {
+      protocol = tnccs-2.0
+    }
+  }
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/carol/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/carol/etc/tnc/dummyimc.file
new file mode 100644
index 000000000..f5da834c0
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/carol/etc/tnc/dummyimc.file
@@ -0,0 +1 @@
+allow
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/carol/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/carol/etc/tnc_config
new file mode 100644
index 000000000..a5a9a68f3
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/carol/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMC configuration file for strongSwan client 
+
+IMC "Dummy" /usr/local/lib/libdummyimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..54c06b12e
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutostart=no
+	charondebug="tls 2, tnc 3"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_DAVE
+	leftcert=daveCert.pem
+	leftid=dave@strongswan.org
+	leftauth=eap
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsendcert=never
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..b2aa2806a
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-20 updown
+  multiple_authentication=no
+  plugins {
+    eap-tnc {
+      protocol = tnccs-2.0
+    }
+  }
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/dave/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/dave/etc/tnc/dummyimc.file
new file mode 100644
index 000000000..c20b5e57f
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/dave/etc/tnc/dummyimc.file
@@ -0,0 +1 @@
+isolate
\ No newline at end of file
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/dave/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/dave/etc/tnc_config
new file mode 100644
index 000000000..a5a9a68f3
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/dave/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMC configuration file for strongSwan client 
+
+IMC "Dummy" /usr/local/lib/libdummyimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..50514c99f
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,36 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	strictcrlpolicy=no
+	plutostart=no
+	charondebug="tls 2, tnc 3"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn rw-allow
+	rightgroups=allow
+	leftsubnet=10.1.0.0/28
+	also=rw-eap
+	auto=add
+
+conn rw-isolate
+	rightgroups=isolate
+	leftsubnet=10.1.0.16/28
+	also=rw-eap
+	auto=add
+
+conn rw-eap
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftauth=eap-ttls
+	leftfirewall=yes
+	rightauth=eap-ttls
+	rightid=*@strongswan.org
+	rightsendcert=never
+	right=%any
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..2e277ccb0
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,6 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
+
+carol@strongswan.org : EAP "Ar3etTnp"
+dave@strongswan.org  : EAP "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..04a243cad
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,16 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnccs-20 tnc-imv updown
+  multiple_authentication=no
+  plugins {
+    eap-ttls {
+      request_peer_auth = yes
+      phase2_piggyback = yes
+      phase2_tnc = yes
+    }
+    eap-tnc {
+      protocol = tnccs-2.0
+    }
+  }
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/tnc_config
new file mode 100644
index 000000000..ac436a344
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMV configuration file for strongSwan server 
+
+IMV "Dummy" /usr/local/lib/libdummyimv.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-tls/posttest.dat b/testing/tests/ikev2/rw-eap-tnc-20-tls/posttest.dat
new file mode 100644
index 000000000..7cebd7f25
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20-tls/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-tls/pretest.dat b/testing/tests/ikev2/rw-eap-tnc-20-tls/pretest.dat
new file mode 100644
index 000000000..ce897d181
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20-tls/pretest.dat
@@ -0,0 +1,15 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+moon::cat /etc/tnc_config
+carol::cat /etc/tnc_config
+dave::cat /etc/tnc_config
+carol::cat /etc/tnc/dummyimc.file
+dave::cat /etc/tnc/dummyimc.file
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
+dave::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-tls/test.conf b/testing/tests/ikev2/rw-eap-tnc-20-tls/test.conf
new file mode 100644
index 000000000..e28b8259b
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20-tls/test.conf
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice venus moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# UML instances on which FreeRadius is started
+#
+RADIUSHOSTS=
+
diff --git a/testing/tests/ikev2/rw-eap-tnc-20/description.txt b/testing/tests/ikev2/rw-eap-tnc-20/description.txt
new file mode 100644
index 000000000..6a9c5dde8
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20/description.txt
@@ -0,0 +1,11 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>
+using EAP-TTLS authentication only with the gateway presenting a server certificate and
+the clients doing EAP-MD5 password-based authentication.
+In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
+health of <b>carol</b> and <b>dave</b> via the <b>TNCCS 2.0 </b> client-server interface
+compliant with <b>RFC 5793 PB-TNC</b>.
+<p>
+<b>carol</b> passes the health test and <b>dave</b> fails. Based on these measurements the
+clients are connected by gateway <b>moon</b> to the "rw-allow" and "rw-isolate" subnets,
+respectively.
+</p>
diff --git a/testing/tests/ikev2/rw-eap-tnc-20/evaltest.dat b/testing/tests/ikev2/rw-eap-tnc-20/evaltest.dat
new file mode 100644
index 000000000..737c9b9ef
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20/evaltest.dat
@@ -0,0 +1,19 @@
+carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
+dave::cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
+dave::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
+moon::cat /var/log/daemon.log::added group membership 'allow'::YES
+moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon::cat /var/log/daemon.log::added group membership 'isolate'::YES
+moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
+moon::ipsec statusall::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
+moon::ipsec statusall::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
+dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
+
diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..c19192dae
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutostart=no
+	charondebug="tls 2, tnc 3"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_CAROL
+	leftid=carol@strongswan.org
+	leftauth=eap
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsendcert=never
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..74942afda
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..b2aa2806a
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-20 updown
+  multiple_authentication=no
+  plugins {
+    eap-tnc {
+      protocol = tnccs-2.0
+    }
+  }
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/tnc/dummyimc.file
new file mode 100644
index 000000000..f5da834c0
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/tnc/dummyimc.file
@@ -0,0 +1 @@
+allow
diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/tnc_config
new file mode 100644
index 000000000..3797993fa
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMC configuration file for strongSwan client 
+
+IMC "Dummy"		/usr/local/lib/libdummyimc.so
+IMC "HostScanner"	/usr/local/lib/libhostscannerimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..7d5ea8b83
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutostart=no
+	charondebug="tls 2, tnc 3"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_DAVE
+	leftid=dave@strongswan.org
+	leftauth=eap
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsendcert=never
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..5496df7ad
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..b2aa2806a
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-20 updown
+  multiple_authentication=no
+  plugins {
+    eap-tnc {
+      protocol = tnccs-2.0
+    }
+  }
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/tnc/dummyimc.file
new file mode 100644
index 000000000..c20b5e57f
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/tnc/dummyimc.file
@@ -0,0 +1 @@
+isolate
\ No newline at end of file
diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/tnc_config
new file mode 100644
index 000000000..3797993fa
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMC configuration file for strongSwan client 
+
+IMC "Dummy"		/usr/local/lib/libdummyimc.so
+IMC "HostScanner"	/usr/local/lib/libhostscannerimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..50514c99f
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,36 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	strictcrlpolicy=no
+	plutostart=no
+	charondebug="tls 2, tnc 3"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn rw-allow
+	rightgroups=allow
+	leftsubnet=10.1.0.0/28
+	also=rw-eap
+	auto=add
+
+conn rw-isolate
+	rightgroups=isolate
+	leftsubnet=10.1.0.16/28
+	also=rw-eap
+	auto=add
+
+conn rw-eap
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftauth=eap-ttls
+	leftfirewall=yes
+	rightauth=eap-ttls
+	rightid=*@strongswan.org
+	rightsendcert=never
+	right=%any
diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..2e277ccb0
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,6 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
+
+carol@strongswan.org : EAP "Ar3etTnp"
+dave@strongswan.org  : EAP "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..b76c1cd55
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,16 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnccs-20 tnc-imv updown
+  multiple_authentication=no
+  plugins {
+    eap-ttls {
+      phase2_method = md5
+      phase2_piggyback = yes
+      phase2_tnc = yes
+    }
+    eap-tnc {
+      protocol = tnccs-2.0
+    }
+  }
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/tnc_config
new file mode 100644
index 000000000..67896d543
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMV configuration file for strongSwan server 
+
+IMV "Dummy"		/usr/local/lib/libdummyimv.so
+IMV "HostScanner"	/usr/local/lib/libhostscannerimv.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-20/posttest.dat b/testing/tests/ikev2/rw-eap-tnc-20/posttest.dat
new file mode 100644
index 000000000..7cebd7f25
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-tnc-20/pretest.dat b/testing/tests/ikev2/rw-eap-tnc-20/pretest.dat
new file mode 100644
index 000000000..ce897d181
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20/pretest.dat
@@ -0,0 +1,15 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+moon::cat /etc/tnc_config
+carol::cat /etc/tnc_config
+dave::cat /etc/tnc_config
+carol::cat /etc/tnc/dummyimc.file
+dave::cat /etc/tnc/dummyimc.file
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
+dave::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-tnc-20/test.conf b/testing/tests/ikev2/rw-eap-tnc-20/test.conf
new file mode 100644
index 000000000..e28b8259b
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20/test.conf
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice venus moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# UML instances on which FreeRadius is started
+#
+RADIUSHOSTS=
+
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/description.txt b/testing/tests/ikev2/rw-eap-tnc-block/description.txt
deleted file mode 100644
index 51423177a..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-block/description.txt
+++ /dev/null
@@ -1,8 +0,0 @@
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>
-using EAP-TTLS authentication only with the gateway presenting a server certificate and
-the clients doing EAP-MD5 password-based authentication.
-In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
-health of <b>carol</b> and <b>dave</b> via the <b>IF-TNCCS 1.1</b> client-server interface.
-<b>carol</b> passes the health test and <b>dave</b> fails. Based on these measurements
-<b>carol</b> is authenticated successfully and is granted access to the subnet behind
-<b>moon</b> whereas <b>dave</b> fails the layered EAP authentication and is rejected. 
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/evaltest.dat b/testing/tests/ikev2/rw-eap-tnc-block/evaltest.dat
deleted file mode 100644
index 2304df23e..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-block/evaltest.dat
+++ /dev/null
@@ -1,12 +0,0 @@
-carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
-carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/16::YES
-dave::cat /var/log/daemon.log::TNCCS-Recommendation.*none::YES
-dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
-dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.0/16::NO
-moon::cat /var/log/daemon.log::added group membership 'allow'::YES
-moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES 
-moon::cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index c19192dae..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutostart=no
-	charondebug="tls 2, tnc 3"
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-
-conn home
-	left=PH_IP_CAROL
-	leftid=carol@strongswan.org
-	leftauth=eap
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightsendcert=never
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index 74942afda..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index c12143cb1..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown
-  multiple_authentication=no
-}
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/tnc/dummyimc.file
deleted file mode 100644
index f5da834c0..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/tnc/dummyimc.file
+++ /dev/null
@@ -1 +0,0 @@
-allow
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/tnc_config
deleted file mode 100644
index a5a9a68f3..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/tnc_config
+++ /dev/null
@@ -1,3 +0,0 @@
-#IMC configuration file for strongSwan client 
-
-IMC "Dummy" /usr/local/lib/libdummyimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/ipsec.conf
deleted file mode 100755
index 7d5ea8b83..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutostart=no
-	charondebug="tls 2, tnc 3"
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-
-conn home
-	left=PH_IP_DAVE
-	leftid=dave@strongswan.org
-	leftauth=eap
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightsendcert=never
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/ipsec.secrets
deleted file mode 100644
index 5496df7ad..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index c12143cb1..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown
-  multiple_authentication=no
-}
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/tnc/dummyimc.file
deleted file mode 100644
index 621e94f0e..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/tnc/dummyimc.file
+++ /dev/null
@@ -1 +0,0 @@
-none
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/tnc_config
deleted file mode 100644
index a5a9a68f3..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/tnc_config
+++ /dev/null
@@ -1,3 +0,0 @@
-#IMC configuration file for strongSwan client 
-
-IMC "Dummy" /usr/local/lib/libdummyimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index 6747b4a4a..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,26 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	strictcrlpolicy=no
-	plutostart=no
-	charondebug="tls 2, tnc 3"
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-
-conn rw-eap
-	left=PH_IP_MOON
-	leftsubnet=10.1.0.0/16
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftauth=eap-ttls
-	leftfirewall=yes
-	rightauth=eap-ttls
-	rightid=*@strongswan.org
-	rightsendcert=never
-	right=%any
-	auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index 2e277ccb0..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,6 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
-
-carol@strongswan.org : EAP "Ar3etTnp"
-dave@strongswan.org  : EAP "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index f8700d3c5..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,13 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnccs-11 tnc-imv updown
-  multiple_authentication=no
-  plugins {
-    eap-ttls {
-      phase2_method = md5
-      phase2_piggyback = yes
-      phase2_tnc = yes
-    }
-  }
-}
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/tnc_config
deleted file mode 100644
index ac436a344..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/tnc_config
+++ /dev/null
@@ -1,3 +0,0 @@
-#IMV configuration file for strongSwan server 
-
-IMV "Dummy" /usr/local/lib/libdummyimv.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/posttest.dat b/testing/tests/ikev2/rw-eap-tnc-block/posttest.dat
deleted file mode 100644
index 7cebd7f25..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-block/posttest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/pretest.dat b/testing/tests/ikev2/rw-eap-tnc-block/pretest.dat
deleted file mode 100644
index ce897d181..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-block/pretest.dat
+++ /dev/null
@@ -1,15 +0,0 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
-moon::cat /etc/tnc_config
-carol::cat /etc/tnc_config
-dave::cat /etc/tnc_config
-carol::cat /etc/tnc/dummyimc.file
-dave::cat /etc/tnc/dummyimc.file
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-carol::sleep 1
-carol::ipsec up home
-dave::ipsec up home
-dave::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/test.conf b/testing/tests/ikev2/rw-eap-tnc-block/test.conf
deleted file mode 100644
index e28b8259b..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-block/test.conf
+++ /dev/null
@@ -1,26 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice venus moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-v-m-c-w-d.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
-
-# UML instances on which FreeRadius is started
-#
-RADIUSHOSTS=
-
diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/description.txt b/testing/tests/ikev2/rw-eap-tnc-dynamic/description.txt
new file mode 100644
index 000000000..21e9bc675
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/description.txt
@@ -0,0 +1,12 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>
+using EAP-TTLS authentication only with the gateway presenting a server certificate and
+the clients doing EAP-MD5 password-based authentication.
+In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
+health of TNC client <b>carol</b> via the <b>TNCCS 1.1 </b> client-server interface and of
+TNC client <b>dave</b> via the <b>TNCCS 2.0 </b> client-server interface. TNC server
+<b>moon</b> dynamically detects which version of the IF-TNCCS protocol is used.
+<p>
+<b>carol</b> passes the health test and <b>dave</b> fails. Based on these measurements the
+clients are connected by gateway <b>moon</b> to the "rw-allow" and "rw-isolate" subnets,
+respectively.
+</p>
diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/evaltest.dat b/testing/tests/ikev2/rw-eap-tnc-dynamic/evaltest.dat
new file mode 100644
index 000000000..2c7a2dbd7
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/evaltest.dat
@@ -0,0 +1,27 @@
+carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
+dave::cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
+dave::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
+moon::cat /var/log/daemon.log::TNCCS 1.1 protocol detected dynamically::YES
+moon::cat /var/log/daemon.log::assigned TNCCS Connection ID 1::YES
+moon::cat /var/log/daemon.log::Final recommendation is 'allow' and evaluation is 'compliant'::YES
+moon::cat /var/log/daemon.log::added group membership 'allow'::YES
+moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon::cat /var/log/daemon.log::removed TNCCS Connection ID 1::YES
+moon::cat /var/log/daemon.log::TNCCS 2.0 protocol detected dynamically::YES
+moon::cat /var/log/daemon.log::assigned TNCCS Connection ID 2::YES
+moon::cat /var/log/daemon.log::Final recommendation is 'isolate' and evaluation is 'non-compliant minor'::YES
+moon::cat /var/log/daemon.log::added group membership 'isolate'::YES
+moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
+moon::cat /var/log/daemon.log::removed TNCCS Connection ID 2::YES
+moon::ipsec statusall::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
+moon::ipsec statusall::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
+dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
+
diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..c19192dae
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutostart=no
+	charondebug="tls 2, tnc 3"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_CAROL
+	leftid=carol@strongswan.org
+	leftauth=eap
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsendcert=never
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..74942afda
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..6a12318db
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown
+  multiple_authentication=no
+  plugins {
+    eap-tnc {
+      protocol = tnccs-1.1
+    }
+  }
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/tnc/dummyimc.file
new file mode 100644
index 000000000..f5da834c0
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/tnc/dummyimc.file
@@ -0,0 +1 @@
+allow
diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/tnc_config
new file mode 100644
index 000000000..3797993fa
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMC configuration file for strongSwan client 
+
+IMC "Dummy"		/usr/local/lib/libdummyimc.so
+IMC "HostScanner"	/usr/local/lib/libhostscannerimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..7d5ea8b83
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutostart=no
+	charondebug="tls 2, tnc 3"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_DAVE
+	leftid=dave@strongswan.org
+	leftauth=eap
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsendcert=never
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..5496df7ad
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..b2aa2806a
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-20 updown
+  multiple_authentication=no
+  plugins {
+    eap-tnc {
+      protocol = tnccs-2.0
+    }
+  }
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/tnc/dummyimc.file
new file mode 100644
index 000000000..33945dc1e
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/tnc/dummyimc.file
@@ -0,0 +1 @@
+isolate
diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/tnc_config
new file mode 100644
index 000000000..3797993fa
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMC configuration file for strongSwan client 
+
+IMC "Dummy"		/usr/local/lib/libdummyimc.so
+IMC "HostScanner"	/usr/local/lib/libhostscannerimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..50514c99f
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,36 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	strictcrlpolicy=no
+	plutostart=no
+	charondebug="tls 2, tnc 3"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn rw-allow
+	rightgroups=allow
+	leftsubnet=10.1.0.0/28
+	also=rw-eap
+	auto=add
+
+conn rw-isolate
+	rightgroups=isolate
+	leftsubnet=10.1.0.16/28
+	also=rw-eap
+	auto=add
+
+conn rw-eap
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftauth=eap-ttls
+	leftfirewall=yes
+	rightauth=eap-ttls
+	rightid=*@strongswan.org
+	rightsendcert=never
+	right=%any
diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..2e277ccb0
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,6 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
+
+carol@strongswan.org : EAP "Ar3etTnp"
+dave@strongswan.org  : EAP "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..a1a4a4747
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,16 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnccs-11 tnccs-20 tnccs-dynamic tnc-imv updown
+  multiple_authentication=no
+  plugins {
+    eap-ttls {
+      phase2_method = md5
+      phase2_piggyback = yes
+      phase2_tnc = yes
+    }
+    eap-tnc {
+      protocol = tnccs-dynamic
+    }
+  }
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/tnc_config
new file mode 100644
index 000000000..67896d543
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMV configuration file for strongSwan server 
+
+IMV "Dummy"		/usr/local/lib/libdummyimv.so
+IMV "HostScanner"	/usr/local/lib/libhostscannerimv.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/posttest.dat b/testing/tests/ikev2/rw-eap-tnc-dynamic/posttest.dat
new file mode 100644
index 000000000..7cebd7f25
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/pretest.dat b/testing/tests/ikev2/rw-eap-tnc-dynamic/pretest.dat
new file mode 100644
index 000000000..ce897d181
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/pretest.dat
@@ -0,0 +1,15 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+moon::cat /etc/tnc_config
+carol::cat /etc/tnc_config
+dave::cat /etc/tnc_config
+carol::cat /etc/tnc/dummyimc.file
+dave::cat /etc/tnc/dummyimc.file
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
+dave::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/test.conf b/testing/tests/ikev2/rw-eap-tnc-dynamic/test.conf
new file mode 100644
index 000000000..e28b8259b
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/test.conf
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice venus moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# UML instances on which FreeRadius is started
+#
+RADIUSHOSTS=
+
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/description.txt b/testing/tests/ikev2/rw-eap-tnc-radius-block/description.txt
deleted file mode 100644
index 350aefc60..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius-block/description.txt
+++ /dev/null
@@ -1,11 +0,0 @@
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
-At the outset the gateway authenticates itself to the clients by sending an IKEv2
-<b>RSA signature</b> accompanied by a certificate.
-<b>carol</b> and <b>dave</b> then set up an <b>EAP-TTLS</b> tunnel each via <b>moon</b> to
-the FreeRADIUS server <b>alice</b> authenticated by an X.509 AAA certificate.
-The strong EAP-TTLS tunnel protects the ensuing weak client authentication based on <b>EAP-MD5</b>.
-In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
-health of <b>carol</b> and <b>dave</b> via the <b>IF-TNCCS 1.1</b> client-server interface.
-<b>carol</b> passes the health test and <b>dave</b> fails. Based on these measurements <b>carol</b>
-is authenticated successfully and is granted access to the subnet behind <b>moon</b> whereas 
-<b>dave</b> fails the layered EAP authentication and is rejected.
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/evaltest.dat b/testing/tests/ikev2/rw-eap-tnc-radius-block/evaltest.dat
deleted file mode 100644
index 517ea9ab2..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius-block/evaltest.dat
+++ /dev/null
@@ -1,14 +0,0 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
-carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
-carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
-carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/16::YES
-dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
-dave::cat /var/log/daemon.log::TNCCS-Recommendation.*none::YES
-dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
-dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.0/16::NO
-moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES         
-moon::cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES
-moon::cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
-
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/clients.conf
deleted file mode 100644
index f4e179aa4..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/clients.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-client PH_IP_MOON1 {
-  secret    = gv6URkSs 
-  shortname = moon
-}
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/dictionary b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/dictionary
deleted file mode 100644
index 1a27a02fc..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/dictionary
+++ /dev/null
@@ -1,2 +0,0 @@
-$INCLUDE	/usr/share/freeradius/dictionary
-$INCLUDE	/etc/raddb/dictionary.tnc
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/dictionary.tnc b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/dictionary.tnc
deleted file mode 100644
index f295467a9..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/dictionary.tnc
+++ /dev/null
@@ -1,5 +0,0 @@
-ATTRIBUTE	TNC-Status	3001	integer
-
-VALUE	TNC-Status	Access	0 
-VALUE	TNC-Status	Isolate	1
-VALUE	TNC-Status	None	2
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/eap.conf
deleted file mode 100644
index 31556361e..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/eap.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-eap {
-  md5 {
-  }
-  default_eap_type = ttls
-  tls {
-    private_key_file = /etc/raddb/certs/aaaKey.pem
-    certificate_file = /etc/raddb/certs/aaaCert.pem
-    CA_file = /etc/raddb/certs/strongswanCert.pem
-    cipher_list = "DEFAULT"
-    dh_file = /etc/raddb/certs/dh
-    random_file = /etc/raddb/certs/random
-  }
-  ttls {
-    default_eap_type = md5
-    use_tunneled_reply = yes
-    virtual_server = "inner-tunnel"
-    tnc_virtual_server = "inner-tunnel-second"
-  }
-}
-
-eap eap_tnc {
-      default_eap_type = tnc
-      tnc {
-      }
-}
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/proxy.conf
deleted file mode 100644
index 23cba8d11..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/proxy.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-realm strongswan.org {
-  type     = radius
-  authhost = LOCAL
-  accthost = LOCAL
-}
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/radiusd.conf
deleted file mode 100644
index 1143a0473..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/radiusd.conf
+++ /dev/null
@@ -1,120 +0,0 @@
-# radiusd.conf	-- FreeRADIUS server configuration file.
-
-prefix = /usr
-exec_prefix = ${prefix}
-sysconfdir = /etc
-localstatedir = /var
-sbindir = ${exec_prefix}/sbin
-logdir = ${localstatedir}/log/radius
-raddbdir = ${sysconfdir}/raddb
-radacctdir = ${logdir}/radacct
-
-#  name of the running server.  See also the "-n" command-line option.
-name = radiusd
-
-#  Location of config and logfiles.
-confdir = ${raddbdir}
-run_dir = ${localstatedir}/run/radiusd
-
-# Should likely be ${localstatedir}/lib/radiusd
-db_dir = ${raddbdir}
-
-# libdir: Where to find the rlm_* modules.
-libdir = ${exec_prefix}/lib
-
-#  pidfile: Where to place the PID of the RADIUS server.
-pidfile = ${run_dir}/${name}.pid
-
-#  max_request_time: The maximum time (in seconds) to handle a request.
-max_request_time = 30
-
-#  cleanup_delay: The time to wait (in seconds) before cleaning up
-cleanup_delay = 5
-
-#  max_requests: The maximum number of requests which the server keeps
-max_requests = 1024
-
-#  listen: Make the server listen on a particular IP address, and send
-listen {
-  type = auth
-  ipaddr = PH_IP_ALICE 
-  port = 0
-}
-
-#  This second "listen" section is for listening on the accounting
-#  port, too.
-#
-listen {
-  type  = acct
-  ipaddr = PH_IP_ALICE 
-  port = 0
-}
-
-#  hostname_lookups: Log the names of clients or just their IP addresses
-hostname_lookups = no
-
-#  Core dumps are a bad thing.  This should only be set to 'yes'
-allow_core_dumps = no
-
-#  Regular expressions
-regular_expressions = yes
-extended_expressions = yes
-
-#  Logging section.  The various "log_*" configuration items
-log {
-  destination = files
-  file = ${logdir}/radius.log
-  syslog_facility = daemon
-  stripped_names = no
-  auth = yes 
-  auth_badpass = yes 
-  auth_goodpass = yes 
-}
-
-#  The program to execute to do concurrency checks.
-checkrad = ${sbindir}/checkrad
-
-#  Security considerations
-security {
-  max_attributes = 200
-  reject_delay = 1
-  status_server = yes
-}
-
-# PROXY CONFIGURATION
-proxy_requests = yes
-$INCLUDE proxy.conf
-
-# CLIENTS CONFIGURATION
-$INCLUDE clients.conf
-
-# THREAD POOL CONFIGURATION
-thread pool {
-  start_servers = 5
-  max_servers = 32
-  min_spare_servers = 3
-  max_spare_servers = 10
-  max_requests_per_server = 0
-}
-
-# MODULE CONFIGURATION
-modules {
-  $INCLUDE ${confdir}/modules/
-  $INCLUDE eap.conf
-  $INCLUDE sql.conf
-  $INCLUDE sql/mysql/counter.conf
-}
-
-# Instantiation
-instantiate {
-  exec
-  expr
-  expiration
-  logintime
-}
-
-# Policies
-$INCLUDE policy.conf
-
-# Include all enabled virtual hosts
-$INCLUDE sites-enabled/
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/default
deleted file mode 100644
index 802fcfd8d..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/default
+++ /dev/null
@@ -1,44 +0,0 @@
-authorize {
-  suffix
-  eap {
-    ok = return
-  }
-  files
-}
-
-authenticate {
-  eap
-}
-
-preacct {
-  preprocess
-  acct_unique
-  suffix
-  files
-}
-
-accounting {
-  detail
-  unix
-  radutmp
-  attr_filter.accounting_response
-}
-
-session {
-  radutmp
-}
-
-post-auth {
-  exec
-  Post-Auth-Type REJECT {
-    attr_filter.access_reject
-  }
-}
-
-pre-proxy {
-}
-
-post-proxy {
-  eap
-}
-
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel
deleted file mode 100644
index e088fae14..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel
+++ /dev/null
@@ -1,32 +0,0 @@
-server inner-tunnel {
-
-authorize {
-	suffix
-	eap {
-		ok = return
-	}
-	files
-}
-
-authenticate {
-	eap
-}
-
-session {
-	radutmp
-}
-
-post-auth {
-	Post-Auth-Type REJECT {
-		attr_filter.access_reject
-	}
-}
-
-pre-proxy {
-}
-
-post-proxy {
-	eap
-}
-
-} # inner-tunnel server block
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel-second b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel-second
deleted file mode 100644
index 2d4961288..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel-second
+++ /dev/null
@@ -1,23 +0,0 @@
-server inner-tunnel-second {
-
-authorize {
-	eap_tnc {
-		ok = return
-	}
-}
-
-authenticate {
-	eap_tnc
-}
-
-session {
-	radutmp
-}
-
-post-auth {
-	Post-Auth-Type REJECT {
-		attr_filter.access_reject
-	}
-}
-
-} # inner-tunnel-second block
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/users b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/users
deleted file mode 100644
index 50ccf3e76..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/users
+++ /dev/null
@@ -1,2 +0,0 @@
-carol	Cleartext-Password := "Ar3etTnp"
-dave	Cleartext-Password := "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/tnc_config
deleted file mode 100644
index a9509a716..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/tnc_config
+++ /dev/null
@@ -1,3 +0,0 @@
-#IMV configuration file for TNC@FHH-TNC-Server
-
-IMV "Dummy" /usr/local/lib/libdummyimv.so.0.7.0
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index 9cf2b43c4..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutostart=no
-	charondebug="tls 2, tnc 3"
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-
-conn home
-	left=PH_IP_CAROL
-	leftid=carol@strongswan.org
-	leftauth=eap
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightsubnet=10.1.0.0/16
-	rightauth=pubkey
-	aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
-	auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index 74942afda..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index c12143cb1..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown
-  multiple_authentication=no
-}
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/tnc/dummyimc.file
deleted file mode 100644
index f5da834c0..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/tnc/dummyimc.file
+++ /dev/null
@@ -1 +0,0 @@
-allow
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/tnc_config
deleted file mode 100644
index a5a9a68f3..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/tnc_config
+++ /dev/null
@@ -1,3 +0,0 @@
-#IMC configuration file for strongSwan client 
-
-IMC "Dummy" /usr/local/lib/libdummyimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/ipsec.conf
deleted file mode 100755
index 998e6c2e5..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutostart=no
-	charondebug="tls 2, tnc 3"
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-
-conn home
-	left=PH_IP_DAVE
-	leftid=dave@strongswan.org
-	leftauth=eap
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightsubnet=10.1.0.0/16
-	rightauth=pubkey
-	aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
-	auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/ipsec.secrets
deleted file mode 100644
index 5496df7ad..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index c12143cb1..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown
-  multiple_authentication=no
-}
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/tnc/dummyimc.file
deleted file mode 100644
index 621e94f0e..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/tnc/dummyimc.file
+++ /dev/null
@@ -1 +0,0 @@
-none
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/tnc_config
deleted file mode 100644
index a5a9a68f3..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/tnc_config
+++ /dev/null
@@ -1,3 +0,0 @@
-#IMC configuration file for strongSwan client 
-
-IMC "Dummy" /usr/local/lib/libdummyimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 56587b2e8..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,84 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow RADIUS protocol with alice
-	iptables -A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index fc8f84638..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	strictcrlpolicy=no
-	plutostart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-
-conn rw-eap
-	left=PH_IP_MOON
-	leftsubnet=10.1.0.0/16
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftauth=pubkey
-	leftfirewall=yes
-	rightauth=eap-radius
-	rightid=*@strongswan.org
-	rightsendcert=never
-	right=%any
-	auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index e86d6aa5c..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 4d2d3058d..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,12 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-radius updown
-  multiple_authentication=no
-  plugins {
-    eap-radius {
-      secret = gv6URkSs 
-      server = PH_IP_ALICE
-    }
-  }
-}
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/posttest.dat b/testing/tests/ikev2/rw-eap-tnc-radius-block/posttest.dat
deleted file mode 100644
index 132752119..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius-block/posttest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-alice::/etc/init.d/radiusd stop
-alice::rm /etc/raddb/sites-enabled/inner-tunnel-second
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/pretest.dat b/testing/tests/ikev2/rw-eap-tnc-radius-block/pretest.dat
deleted file mode 100644
index dc7d5934e..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius-block/pretest.dat
+++ /dev/null
@@ -1,15 +0,0 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
-alice::ln -s /etc/raddb/sites-available/inner-tunnel-second /etc/raddb/sites-enabled/inner-tunnel-second
-alice::cat /etc/raddb/sites-enabled/inner-tunnel-second
-alice::/etc/init.d/radiusd start
-carol::cat /etc/tnc/dummyimc.file
-dave::cat /etc/tnc/dummyimc.file
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-carol::sleep 1
-carol::ipsec up home
-dave::ipsec up home
-dave::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/test.conf b/testing/tests/ikev2/rw-eap-tnc-radius-block/test.conf
deleted file mode 100644
index bb6b68687..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius-block/test.conf
+++ /dev/null
@@ -1,26 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w-d.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
-
-# UML instances on which FreeRadius is started
-#
-RADIUSHOSTS="alice"
-
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/description.txt b/testing/tests/ikev2/rw-eap-tnc-radius/description.txt
deleted file mode 100644
index 7eebd3d4d..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius/description.txt
+++ /dev/null
@@ -1,10 +0,0 @@
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
-At the outset the gateway authenticates itself to the clients by sending an IKEv2
-<b>RSA signature</b> accompanied by a certificate.
-<b>carol</b> and <b>dave</b> then set up an <b>EAP-TTLS</b> tunnel each via <b>moon</b> to
-the FreeRADIUS server <b>alice</b> authenticated by an X.509 AAA certificate.
-The strong EAP-TTLS tunnel protects the ensuing weak client authentication based on <b>EAP-MD5</b>.
-In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
-health of <b>carol</b> and <b>dave</b> via the <b>IF-TNCCS 1.1</b> client-server interface.
-<b>carol</b> passes the health test and <b>dave</b> fails. Based on these measurements the
-clients are connected by gateway <b>moon</b> to the "rw-allow" and "rw-isolate" subnets, respectively.
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-tnc-radius/evaltest.dat
deleted file mode 100644
index d0ea22ba9..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius/evaltest.dat
+++ /dev/null
@@ -1,19 +0,0 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
-carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
-carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
-carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
-dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
-dave::cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES
-dave::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
-dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
-moon::cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'allow'::YES
-moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES            
-moon::cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'isolate'::YES
-moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
-moon::ipsec statusall::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
-moon::ipsec statusall::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
-dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
-
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/clients.conf
deleted file mode 100644
index f4e179aa4..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/clients.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-client PH_IP_MOON1 {
-  secret    = gv6URkSs 
-  shortname = moon
-}
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/dictionary b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/dictionary
deleted file mode 100644
index 1a27a02fc..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/dictionary
+++ /dev/null
@@ -1,2 +0,0 @@
-$INCLUDE	/usr/share/freeradius/dictionary
-$INCLUDE	/etc/raddb/dictionary.tnc
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/dictionary.tnc b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/dictionary.tnc
deleted file mode 100644
index f295467a9..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/dictionary.tnc
+++ /dev/null
@@ -1,5 +0,0 @@
-ATTRIBUTE	TNC-Status	3001	integer
-
-VALUE	TNC-Status	Access	0 
-VALUE	TNC-Status	Isolate	1
-VALUE	TNC-Status	None	2
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/eap.conf
deleted file mode 100644
index 31556361e..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/eap.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-eap {
-  md5 {
-  }
-  default_eap_type = ttls
-  tls {
-    private_key_file = /etc/raddb/certs/aaaKey.pem
-    certificate_file = /etc/raddb/certs/aaaCert.pem
-    CA_file = /etc/raddb/certs/strongswanCert.pem
-    cipher_list = "DEFAULT"
-    dh_file = /etc/raddb/certs/dh
-    random_file = /etc/raddb/certs/random
-  }
-  ttls {
-    default_eap_type = md5
-    use_tunneled_reply = yes
-    virtual_server = "inner-tunnel"
-    tnc_virtual_server = "inner-tunnel-second"
-  }
-}
-
-eap eap_tnc {
-      default_eap_type = tnc
-      tnc {
-      }
-}
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/proxy.conf
deleted file mode 100644
index 23cba8d11..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/proxy.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-realm strongswan.org {
-  type     = radius
-  authhost = LOCAL
-  accthost = LOCAL
-}
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/radiusd.conf
deleted file mode 100644
index 1143a0473..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/radiusd.conf
+++ /dev/null
@@ -1,120 +0,0 @@
-# radiusd.conf	-- FreeRADIUS server configuration file.
-
-prefix = /usr
-exec_prefix = ${prefix}
-sysconfdir = /etc
-localstatedir = /var
-sbindir = ${exec_prefix}/sbin
-logdir = ${localstatedir}/log/radius
-raddbdir = ${sysconfdir}/raddb
-radacctdir = ${logdir}/radacct
-
-#  name of the running server.  See also the "-n" command-line option.
-name = radiusd
-
-#  Location of config and logfiles.
-confdir = ${raddbdir}
-run_dir = ${localstatedir}/run/radiusd
-
-# Should likely be ${localstatedir}/lib/radiusd
-db_dir = ${raddbdir}
-
-# libdir: Where to find the rlm_* modules.
-libdir = ${exec_prefix}/lib
-
-#  pidfile: Where to place the PID of the RADIUS server.
-pidfile = ${run_dir}/${name}.pid
-
-#  max_request_time: The maximum time (in seconds) to handle a request.
-max_request_time = 30
-
-#  cleanup_delay: The time to wait (in seconds) before cleaning up
-cleanup_delay = 5
-
-#  max_requests: The maximum number of requests which the server keeps
-max_requests = 1024
-
-#  listen: Make the server listen on a particular IP address, and send
-listen {
-  type = auth
-  ipaddr = PH_IP_ALICE 
-  port = 0
-}
-
-#  This second "listen" section is for listening on the accounting
-#  port, too.
-#
-listen {
-  type  = acct
-  ipaddr = PH_IP_ALICE 
-  port = 0
-}
-
-#  hostname_lookups: Log the names of clients or just their IP addresses
-hostname_lookups = no
-
-#  Core dumps are a bad thing.  This should only be set to 'yes'
-allow_core_dumps = no
-
-#  Regular expressions
-regular_expressions = yes
-extended_expressions = yes
-
-#  Logging section.  The various "log_*" configuration items
-log {
-  destination = files
-  file = ${logdir}/radius.log
-  syslog_facility = daemon
-  stripped_names = no
-  auth = yes 
-  auth_badpass = yes 
-  auth_goodpass = yes 
-}
-
-#  The program to execute to do concurrency checks.
-checkrad = ${sbindir}/checkrad
-
-#  Security considerations
-security {
-  max_attributes = 200
-  reject_delay = 1
-  status_server = yes
-}
-
-# PROXY CONFIGURATION
-proxy_requests = yes
-$INCLUDE proxy.conf
-
-# CLIENTS CONFIGURATION
-$INCLUDE clients.conf
-
-# THREAD POOL CONFIGURATION
-thread pool {
-  start_servers = 5
-  max_servers = 32
-  min_spare_servers = 3
-  max_spare_servers = 10
-  max_requests_per_server = 0
-}
-
-# MODULE CONFIGURATION
-modules {
-  $INCLUDE ${confdir}/modules/
-  $INCLUDE eap.conf
-  $INCLUDE sql.conf
-  $INCLUDE sql/mysql/counter.conf
-}
-
-# Instantiation
-instantiate {
-  exec
-  expr
-  expiration
-  logintime
-}
-
-# Policies
-$INCLUDE policy.conf
-
-# Include all enabled virtual hosts
-$INCLUDE sites-enabled/
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/default
deleted file mode 100644
index 802fcfd8d..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/default
+++ /dev/null
@@ -1,44 +0,0 @@
-authorize {
-  suffix
-  eap {
-    ok = return
-  }
-  files
-}
-
-authenticate {
-  eap
-}
-
-preacct {
-  preprocess
-  acct_unique
-  suffix
-  files
-}
-
-accounting {
-  detail
-  unix
-  radutmp
-  attr_filter.accounting_response
-}
-
-session {
-  radutmp
-}
-
-post-auth {
-  exec
-  Post-Auth-Type REJECT {
-    attr_filter.access_reject
-  }
-}
-
-pre-proxy {
-}
-
-post-proxy {
-  eap
-}
-
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel
deleted file mode 100644
index e088fae14..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel
+++ /dev/null
@@ -1,32 +0,0 @@
-server inner-tunnel {
-
-authorize {
-	suffix
-	eap {
-		ok = return
-	}
-	files
-}
-
-authenticate {
-	eap
-}
-
-session {
-	radutmp
-}
-
-post-auth {
-	Post-Auth-Type REJECT {
-		attr_filter.access_reject
-	}
-}
-
-pre-proxy {
-}
-
-post-proxy {
-	eap
-}
-
-} # inner-tunnel server block
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel-second b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel-second
deleted file mode 100644
index f91bccc72..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel-second
+++ /dev/null
@@ -1,36 +0,0 @@
-server inner-tunnel-second {
-
-authorize {
-	eap_tnc {
-		ok = return
-	}
-}
-
-authenticate {
-	eap_tnc
-}
-
-session {
-	radutmp
-}
-
-post-auth {
-	if (control:TNC-Status == "Access") {
-		update reply {
-			Tunnel-Type := ESP 
-			Filter-Id := "allow"
-		}
-	}
-	elsif (control:TNC-Status == "Isolate") {
-		update reply {
-			Tunnel-Type := ESP 
-			Filter-Id := "isolate"	
-		}
-	}
-
-	Post-Auth-Type REJECT {
-		attr_filter.access_reject
-	}
-}
-
-} # inner-tunnel-second block
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/users b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/users
deleted file mode 100644
index 50ccf3e76..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/users
+++ /dev/null
@@ -1,2 +0,0 @@
-carol	Cleartext-Password := "Ar3etTnp"
-dave	Cleartext-Password := "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/tnc_config
deleted file mode 100644
index a9509a716..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/tnc_config
+++ /dev/null
@@ -1,3 +0,0 @@
-#IMV configuration file for TNC@FHH-TNC-Server
-
-IMV "Dummy" /usr/local/lib/libdummyimv.so.0.7.0
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index 9cf2b43c4..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutostart=no
-	charondebug="tls 2, tnc 3"
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-
-conn home
-	left=PH_IP_CAROL
-	leftid=carol@strongswan.org
-	leftauth=eap
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightsubnet=10.1.0.0/16
-	rightauth=pubkey
-	aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
-	auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index 74942afda..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index c12143cb1..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown
-  multiple_authentication=no
-}
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/tnc/dummyimc.file
deleted file mode 100644
index f5da834c0..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/tnc/dummyimc.file
+++ /dev/null
@@ -1 +0,0 @@
-allow
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/tnc_config
deleted file mode 100644
index a5a9a68f3..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/tnc_config
+++ /dev/null
@@ -1,3 +0,0 @@
-#IMC configuration file for strongSwan client 
-
-IMC "Dummy" /usr/local/lib/libdummyimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/ipsec.conf
deleted file mode 100755
index 998e6c2e5..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutostart=no
-	charondebug="tls 2, tnc 3"
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-
-conn home
-	left=PH_IP_DAVE
-	leftid=dave@strongswan.org
-	leftauth=eap
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightsubnet=10.1.0.0/16
-	rightauth=pubkey
-	aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
-	auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/ipsec.secrets
deleted file mode 100644
index 5496df7ad..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index c12143cb1..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown
-  multiple_authentication=no
-}
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/tnc/dummyimc.file
deleted file mode 100644
index c20b5e57f..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/tnc/dummyimc.file
+++ /dev/null
@@ -1 +0,0 @@
-isolate
\ No newline at end of file
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/tnc_config
deleted file mode 100644
index a5a9a68f3..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/tnc_config
+++ /dev/null
@@ -1,3 +0,0 @@
-#IMC configuration file for strongSwan client 
-
-IMC "Dummy" /usr/local/lib/libdummyimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 56587b2e8..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,84 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow RADIUS protocol with alice
-	iptables -A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index 33dcdcfb0..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,35 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	strictcrlpolicy=no
-	plutostart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-
-conn rw-allow
-	rightgroups=allow
-	leftsubnet=10.1.0.0/28
-	also=rw-eap
-	auto=add
-
-conn rw-isolate
-	rightgroups=isolate
-	leftsubnet=10.1.0.16/28
-	also=rw-eap
-	auto=add
-
-conn rw-eap
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftauth=pubkey
-	leftfirewall=yes
-	rightauth=eap-radius
-	rightid=*@strongswan.org
-	rightsendcert=never
-	right=%any
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index e86d6aa5c..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index f4e456bbe..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,13 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-radius updown
-  multiple_authentication=no
-  plugins {
-    eap-radius {
-      secret = gv6URkSs 
-      server = PH_IP_ALICE
-      filter_id = yes
-    }
-  }
-}
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/posttest.dat b/testing/tests/ikev2/rw-eap-tnc-radius/posttest.dat
deleted file mode 100644
index 132752119..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius/posttest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-alice::/etc/init.d/radiusd stop
-alice::rm /etc/raddb/sites-enabled/inner-tunnel-second
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/pretest.dat b/testing/tests/ikev2/rw-eap-tnc-radius/pretest.dat
deleted file mode 100644
index 8dd865819..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius/pretest.dat
+++ /dev/null
@@ -1,18 +0,0 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
-alice::ln -s /etc/raddb/sites-available/inner-tunnel-second /etc/raddb/sites-enabled/inner-tunnel-second
-alice::cat /etc/raddb/sites-enabled/inner-tunnel-second
-alice::/etc/init.d/radiusd start
-alice::cat /etc/tnc_config
-carol::cat /etc/tnc_config
-dave::cat /etc/tnc_config
-carol::cat /etc/tnc/dummyimc.file
-dave::cat /etc/tnc/dummyimc.file
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-carol::sleep 1
-carol::ipsec up home
-dave::ipsec up home
-dave::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/test.conf b/testing/tests/ikev2/rw-eap-tnc-radius/test.conf
deleted file mode 100644
index 2a52df203..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius/test.conf
+++ /dev/null
@@ -1,26 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice venus moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-v-m-c-w-d.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
-
-# UML instances on which FreeRadius is started
-#
-RADIUSHOSTS="alice"
-
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/description.txt b/testing/tests/ikev2/rw-eap-tnc-tls/description.txt
deleted file mode 100644
index 762b839ee..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-tls/description.txt
+++ /dev/null
@@ -1,7 +0,0 @@
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>,
-bothe ends doing certificate-based EAP-TLS authentication only.
-In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
-health of <b>carol</b> and <b>dave</b> via the <b>IF-TNCCS 1.1</b> client-server interface.
-<b>carol</b> passes the health test and <b>dave</b> fails. Based on these measurements the
-clients are connected by gateway <b>moon</b> to the "rw-allow" and "rw-isolate" subnets,
-respectively.
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/evaltest.dat b/testing/tests/ikev2/rw-eap-tnc-tls/evaltest.dat
deleted file mode 100644
index cebfff25f..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-tls/evaltest.dat
+++ /dev/null
@@ -1,19 +0,0 @@
-carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
-carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
-dave::cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES
-dave::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
-dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
-moon::cat /var/log/daemon.log::added group membership 'allow'::YES
-moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES              
-moon::cat /var/log/daemon.log::added group membership 'isolate'::YES
-moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
-moon::ipsec statusall::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
-moon::ipsec statusall::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
-dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
-
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index 1b6274215..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutostart=no
-	charondebug="tls 2, tnc 3"
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-
-conn home
-	left=PH_IP_CAROL
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-	leftauth=eap
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightsendcert=never
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index c12143cb1..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown
-  multiple_authentication=no
-}
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/tnc/dummyimc.file
deleted file mode 100644
index f5da834c0..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/tnc/dummyimc.file
+++ /dev/null
@@ -1 +0,0 @@
-allow
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/tnc_config
deleted file mode 100644
index a5a9a68f3..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/tnc_config
+++ /dev/null
@@ -1,3 +0,0 @@
-#IMC configuration file for strongSwan client 
-
-IMC "Dummy" /usr/local/lib/libdummyimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/ipsec.conf
deleted file mode 100755
index 54c06b12e..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutostart=no
-	charondebug="tls 2, tnc 3"
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-
-conn home
-	left=PH_IP_DAVE
-	leftcert=daveCert.pem
-	leftid=dave@strongswan.org
-	leftauth=eap
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightsendcert=never
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index c12143cb1..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown
-  multiple_authentication=no
-}
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/tnc/dummyimc.file
deleted file mode 100644
index c20b5e57f..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/tnc/dummyimc.file
+++ /dev/null
@@ -1 +0,0 @@
-isolate
\ No newline at end of file
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/tnc_config
deleted file mode 100644
index a5a9a68f3..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/tnc_config
+++ /dev/null
@@ -1,3 +0,0 @@
-#IMC configuration file for strongSwan client 
-
-IMC "Dummy" /usr/local/lib/libdummyimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index 50514c99f..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,36 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	strictcrlpolicy=no
-	plutostart=no
-	charondebug="tls 2, tnc 3"
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-
-conn rw-allow
-	rightgroups=allow
-	leftsubnet=10.1.0.0/28
-	also=rw-eap
-	auto=add
-
-conn rw-isolate
-	rightgroups=isolate
-	leftsubnet=10.1.0.16/28
-	also=rw-eap
-	auto=add
-
-conn rw-eap
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftauth=eap-ttls
-	leftfirewall=yes
-	rightauth=eap-ttls
-	rightid=*@strongswan.org
-	rightsendcert=never
-	right=%any
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index 2e277ccb0..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,6 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
-
-carol@strongswan.org : EAP "Ar3etTnp"
-dave@strongswan.org  : EAP "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 8898a63ba..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,13 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnccs-11 tnc-imv updown
-  multiple_authentication=no
-  plugins {
-    eap-ttls {
-      request_peer_auth = yes
-      phase2_piggyback = yes
-      phase2_tnc = yes
-    }
-  }
-}
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/tnc_config
deleted file mode 100644
index ac436a344..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/tnc_config
+++ /dev/null
@@ -1,3 +0,0 @@
-#IMV configuration file for strongSwan server 
-
-IMV "Dummy" /usr/local/lib/libdummyimv.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/posttest.dat b/testing/tests/ikev2/rw-eap-tnc-tls/posttest.dat
deleted file mode 100644
index 7cebd7f25..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-tls/posttest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/pretest.dat b/testing/tests/ikev2/rw-eap-tnc-tls/pretest.dat
deleted file mode 100644
index ce897d181..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-tls/pretest.dat
+++ /dev/null
@@ -1,15 +0,0 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
-moon::cat /etc/tnc_config
-carol::cat /etc/tnc_config
-dave::cat /etc/tnc_config
-carol::cat /etc/tnc/dummyimc.file
-dave::cat /etc/tnc/dummyimc.file
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-carol::sleep 1
-carol::ipsec up home
-dave::ipsec up home
-dave::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/test.conf b/testing/tests/ikev2/rw-eap-tnc-tls/test.conf
deleted file mode 100644
index e28b8259b..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-tls/test.conf
+++ /dev/null
@@ -1,26 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice venus moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-v-m-c-w-d.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
-
-# UML instances on which FreeRadius is started
-#
-RADIUSHOSTS=
-
diff --git a/testing/tests/ikev2/rw-eap-tnc/description.txt b/testing/tests/ikev2/rw-eap-tnc/description.txt
deleted file mode 100644
index 4b4808c94..000000000
--- a/testing/tests/ikev2/rw-eap-tnc/description.txt
+++ /dev/null
@@ -1,9 +0,0 @@
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>
-using EAP-TTLS authentication only with the gateway presenting a server certificate and
-the clients doing EAP-MD5 password-based authentication.
-In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
-health of <b>carol</b> and <b>dave</b> via the <b>IF-TNCCS 1.1</b> client-server interface.
-<b>carol</b> passes the health test and <b>dave</b> fails. Based on these measurements the
-clients are connected by gateway <b>moon</b> to the "rw-allow" and "rw-isolate" subnets,
-respectively.
-
diff --git a/testing/tests/ikev2/rw-eap-tnc/evaltest.dat b/testing/tests/ikev2/rw-eap-tnc/evaltest.dat
deleted file mode 100644
index a02755148..000000000
--- a/testing/tests/ikev2/rw-eap-tnc/evaltest.dat
+++ /dev/null
@@ -1,19 +0,0 @@
-carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
-carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
-dave::cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES
-dave::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
-dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
-moon::cat /var/log/daemon.log::added group membership 'allow'::YES
-moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon::cat /var/log/daemon.log::added group membership 'isolate'::YES
-moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
-moon::ipsec statusall::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
-moon::ipsec statusall::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
-dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
-
diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index c19192dae..000000000
--- a/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutostart=no
-	charondebug="tls 2, tnc 3"
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-
-conn home
-	left=PH_IP_CAROL
-	leftid=carol@strongswan.org
-	leftauth=eap
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightsendcert=never
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index 74942afda..000000000
--- a/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index c12143cb1..000000000
--- a/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown
-  multiple_authentication=no
-}
diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/tnc/dummyimc.file
deleted file mode 100644
index f5da834c0..000000000
--- a/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/tnc/dummyimc.file
+++ /dev/null
@@ -1 +0,0 @@
-allow
diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/tnc_config
deleted file mode 100644
index a5a9a68f3..000000000
--- a/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/tnc_config
+++ /dev/null
@@ -1,3 +0,0 @@
-#IMC configuration file for strongSwan client 
-
-IMC "Dummy" /usr/local/lib/libdummyimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/ipsec.conf
deleted file mode 100755
index 7d5ea8b83..000000000
--- a/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutostart=no
-	charondebug="tls 2, tnc 3"
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-
-conn home
-	left=PH_IP_DAVE
-	leftid=dave@strongswan.org
-	leftauth=eap
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightsendcert=never
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/ipsec.secrets
deleted file mode 100644
index 5496df7ad..000000000
--- a/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index c12143cb1..000000000
--- a/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown
-  multiple_authentication=no
-}
diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/tnc/dummyimc.file
deleted file mode 100644
index c20b5e57f..000000000
--- a/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/tnc/dummyimc.file
+++ /dev/null
@@ -1 +0,0 @@
-isolate
\ No newline at end of file
diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/tnc_config
deleted file mode 100644
index a5a9a68f3..000000000
--- a/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/tnc_config
+++ /dev/null
@@ -1,3 +0,0 @@
-#IMC configuration file for strongSwan client 
-
-IMC "Dummy" /usr/local/lib/libdummyimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index 50514c99f..000000000
--- a/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,36 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	strictcrlpolicy=no
-	plutostart=no
-	charondebug="tls 2, tnc 3"
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-
-conn rw-allow
-	rightgroups=allow
-	leftsubnet=10.1.0.0/28
-	also=rw-eap
-	auto=add
-
-conn rw-isolate
-	rightgroups=isolate
-	leftsubnet=10.1.0.16/28
-	also=rw-eap
-	auto=add
-
-conn rw-eap
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftauth=eap-ttls
-	leftfirewall=yes
-	rightauth=eap-ttls
-	rightid=*@strongswan.org
-	rightsendcert=never
-	right=%any
diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index 2e277ccb0..000000000
--- a/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,6 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
-
-carol@strongswan.org : EAP "Ar3etTnp"
-dave@strongswan.org  : EAP "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index f8700d3c5..000000000
--- a/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,13 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnccs-11 tnc-imv updown
-  multiple_authentication=no
-  plugins {
-    eap-ttls {
-      phase2_method = md5
-      phase2_piggyback = yes
-      phase2_tnc = yes
-    }
-  }
-}
diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/tnc_config
deleted file mode 100644
index ac436a344..000000000
--- a/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/tnc_config
+++ /dev/null
@@ -1,3 +0,0 @@
-#IMV configuration file for strongSwan server 
-
-IMV "Dummy" /usr/local/lib/libdummyimv.so
diff --git a/testing/tests/ikev2/rw-eap-tnc/posttest.dat b/testing/tests/ikev2/rw-eap-tnc/posttest.dat
deleted file mode 100644
index 7cebd7f25..000000000
--- a/testing/tests/ikev2/rw-eap-tnc/posttest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-tnc/pretest.dat b/testing/tests/ikev2/rw-eap-tnc/pretest.dat
deleted file mode 100644
index ce897d181..000000000
--- a/testing/tests/ikev2/rw-eap-tnc/pretest.dat
+++ /dev/null
@@ -1,15 +0,0 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
-moon::cat /etc/tnc_config
-carol::cat /etc/tnc_config
-dave::cat /etc/tnc_config
-carol::cat /etc/tnc/dummyimc.file
-dave::cat /etc/tnc/dummyimc.file
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-carol::sleep 1
-carol::ipsec up home
-dave::ipsec up home
-dave::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-tnc/test.conf b/testing/tests/ikev2/rw-eap-tnc/test.conf
deleted file mode 100644
index e28b8259b..000000000
--- a/testing/tests/ikev2/rw-eap-tnc/test.conf
+++ /dev/null
@@ -1,26 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice venus moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-v-m-c-w-d.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
-
-# UML instances on which FreeRadius is started
-#
-RADIUSHOSTS=
-
diff --git a/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.conf
index 9129f160b..08b95659f 100755
--- a/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.conf
@@ -2,6 +2,7 @@
 
 config setup
         crlcheckinterval=180
+	uniqueids=no
 	strictcrlpolicy=yes
 	plutostart=no
 
diff --git a/testing/tests/openssl-ikev2/critical-extension/description.txt b/testing/tests/openssl-ikev2/critical-extension/description.txt
new file mode 100644
index 000000000..8c0d37c88
--- /dev/null
+++ b/testing/tests/openssl-ikev2/critical-extension/description.txt
@@ -0,0 +1,5 @@
+A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
+The authentication is based on <b>X.509 certificates</b> which contain a <b>critical</b> but
+unsupported 'strongSwan' extension. Whereas <b>moon</b> ignores unsupported critical 
+extensions by setting <b>libstrongswan.x509.enforce_critical = no</b> in strongswan.conf,
+<b>sun</b> discards such certificates and aborts the connection setup.
diff --git a/testing/tests/openssl-ikev2/critical-extension/evaltest.dat b/testing/tests/openssl-ikev2/critical-extension/evaltest.dat
new file mode 100644
index 000000000..1c23dcad6
--- /dev/null
+++ b/testing/tests/openssl-ikev2/critical-extension/evaltest.dat
@@ -0,0 +1,6 @@
+moon::cat /var/log/daemon.log::sending end entity cert::YES
+moon::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
+sun::cat /var/log/daemon.log::found unsupported critical X.509 extension::YES
+sun::cat /var/log/daemon.log::building CRED_CERTIFICATE - ANY failed::YES
+sun::cat /var/log/daemon.log::loading certificate from 'sunCert.der' failed::YES
+sun::cat /var/log/daemon.log::building CRED_CERTIFICATE - X509 failed::YES
diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..2e3c9dde4
--- /dev/null
+++ b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	mobike=no
+
+conn net-net 
+	left=PH_IP_MOON
+	leftcert=moonCert.der
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	leftfirewall=yes
+	right=PH_IP_SUN
+	rightid=@sun.strongswan.org
+	rightsubnet=10.2.0.0/16
+	auto=add
diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.d/certs/moonCert.der b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.d/certs/moonCert.der
new file mode 100644
index 000000000..7f78d5820
Binary files /dev/null and b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.d/certs/moonCert.der differ
diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..f4ab41f2c
--- /dev/null
+++ b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,12 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl pem pkcs1 random openssl revocation hmac stroke kernel-netlink socket-default updown
+  multiple_authentication = no
+}
+
+libstrongswan {
+  x509 {
+    enforce_critical = no
+  }
+}
diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.conf b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.conf
new file mode 100755
index 000000000..19e197131
--- /dev/null
+++ b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+        keyingtries=1
+	keyexchange=ikev2
+	mobike=no
+
+conn net-net 
+	left=PH_IP_SUN
+	leftcert=sunCert.der
+	leftid=@sun.strongswan.org
+	leftsubnet=10.2.0.0/16
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.d/certs/sunCert.der b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.d/certs/sunCert.der
new file mode 100644
index 000000000..c1efb6719
Binary files /dev/null and b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.d/certs/sunCert.der differ
diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/strongswan.conf b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..c45805ca6
--- /dev/null
+++ b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl pem pkcs1 random openssl revocation hmac stroke kernel-netlink socket-default updown
+  multiple_authentication = no
+}
diff --git a/testing/tests/openssl-ikev2/critical-extension/posttest.dat b/testing/tests/openssl-ikev2/critical-extension/posttest.dat
new file mode 100644
index 000000000..a4c96e10f
--- /dev/null
+++ b/testing/tests/openssl-ikev2/critical-extension/posttest.dat
@@ -0,0 +1,5 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
+
diff --git a/testing/tests/openssl-ikev2/critical-extension/pretest.dat b/testing/tests/openssl-ikev2/critical-extension/pretest.dat
new file mode 100644
index 000000000..2d7a78acb
--- /dev/null
+++ b/testing/tests/openssl-ikev2/critical-extension/pretest.dat
@@ -0,0 +1,6 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+sun::ipsec start
+moon::sleep 1 
+moon::ipsec up net-net
diff --git a/testing/tests/openssl-ikev2/critical-extension/test.conf b/testing/tests/openssl-ikev2/critical-extension/test.conf
new file mode 100644
index 000000000..41ee3037e
--- /dev/null
+++ b/testing/tests/openssl-ikev2/critical-extension/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+ 
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/p2pnat/behind-same-nat/pretest.dat b/testing/tests/p2pnat/behind-same-nat/pretest.dat
index 912222eef..f1e33dc39 100644
--- a/testing/tests/p2pnat/behind-same-nat/pretest.dat
+++ b/testing/tests/p2pnat/behind-same-nat/pretest.dat
@@ -11,4 +11,4 @@ carol::sleep 1
 alice::ipsec start
 alice::sleep 1
 venus::ipsec start 
-venus::sleep 2 
+venus::sleep 4 
diff --git a/testing/tests/p2pnat/medsrv-psk/pretest.dat b/testing/tests/p2pnat/medsrv-psk/pretest.dat
index a5c9a2fbb..fba7be01d 100644
--- a/testing/tests/p2pnat/medsrv-psk/pretest.dat
+++ b/testing/tests/p2pnat/medsrv-psk/pretest.dat
@@ -16,4 +16,4 @@ carol::sleep 1
 bob::ipsec start
 bob::sleep 1
 alice::ipsec start 
-alice::sleep 2 
+alice::sleep 4 
diff --git a/testing/tests/sql/multi-level-ca/description.txt b/testing/tests/sql/multi-level-ca/description.txt
new file mode 100644
index 000000000..123ab06b3
--- /dev/null
+++ b/testing/tests/sql/multi-level-ca/description.txt
@@ -0,0 +1,6 @@
+The VPN gateway <b>moon</b> grants access to the subnet behind it to anyone presenting
+a certificate belonging to a trust chain anchored in the strongSwan Root CA.
+The hosts <b>carol</b> and <b>dave</b> have certificates from the intermediate
+Research CA and Sales CA, respectively. Responder <b>moon</b> does not possess
+copies of the Research and Sales CA certificates and must therefore request them from
+the initiators <b>carol</b> and <b>dave</b>, respectively.
diff --git a/testing/tests/sql/multi-level-ca/evaltest.dat b/testing/tests/sql/multi-level-ca/evaltest.dat
new file mode 100644
index 000000000..91113ce11
--- /dev/null
+++ b/testing/tests/sql/multi-level-ca/evaltest.dat
@@ -0,0 +1,18 @@
+carol::cat /var/log/daemon.log::sending issuer cert.*CN=Research CA::YES
+dave::cat /var/log/daemon.log::sending issuer cert.*CN=Sales CA::YES
+moon::cat /var/log/daemon.log::fetching crl from.*http.*research.crl::YES
+moon::cat /var/log/daemon.log::crl correctly signed by.*Research CA::YES
+moon::cat /var/log/daemon.log::fetching crl from.*http.*sales.crl::YES
+moon::cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES
+moon::cat /var/log/daemon.log::fetching crl from.*http.*strongswan.crl::YES
+moon::cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES
+moon::ipsec statusall::rw.*ESTABLISHED::YES
+carol::ipsec statusall::home.*ESTABLISHED::YES
+dave::ipsec statusall::home.*ESTABLISHED::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+
diff --git a/testing/tests/sql/multi-level-ca/hosts/carol/etc/ipsec.conf b/testing/tests/sql/multi-level-ca/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..96eb832ae
--- /dev/null
+++ b/testing/tests/sql/multi-level-ca/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,7 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        strictcrlpolicy=yes
+        plutostart=no
+
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/multi-level-ca/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/multi-level-ca/hosts/carol/etc/ipsec.d/data.sql
new file mode 100644
index 000000000..66b1473f1
--- /dev/null
+++ b/testing/tests/sql/multi-level-ca/hosts/carol/etc/ipsec.d/data.sql
@@ -0,0 +1,192 @@
+/* Identities */
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */
+  9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+  11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+  11, X'ae096b87b44886d3b820978623dabd0eae22ebbc'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* C=CH, O=Linux strongSwan, OU=Research, CN=Research CA */
+  9, X'3051310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e3111300f060355040b13085265736561726368311430120603550403130b5265736561726368204341'
+);
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, OU=Research, CN=Research CA' */
+  11, X'e775f0a0f2ad20cdcd6023ccc7c80f29f3dd5420');
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, OU=Research, CN=Research CA' */
+  11, X'c71449851517718914a496532a1ee801b21c6aa5');
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* carol@strongswan.org */
+  3, X'6361726f6c407374726f6e677377616e2e6f7267'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org' */
+  11, X'c400ef96d95d5ebb4b2309071f7a6cf3f65491bd'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* moon.strongswan.org */
+  2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267'
+ );
+
+/* Certificates */
+
+INSERT INTO certificates (
+   type, keytype, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */
+  1, 1, X'308203b53082029da003020102020100300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131303134355a170d3134303930383131303134355a3045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100bff25f62ea3d566e58b3c87a49caf3ac61cfa96377734d842db3f8fd6ea023f7b0132e66265012317386729c6d7c427a8d9f167be138e8ebae2b12b95933baef36a315c3ddf224cee4bb9bd578135d0467382629621ff96b8d45f6e002e5083662dce181805c140b3f2ce93f83aee3c861cff610a39f0189cb3a3c7cb9bf7e2a09544e2170efaa18fdd4ff20fa94be176d7fecff821f68d17152041d9b46f0cfcfc1e4cf43de5d3f3a587763afe9267f53b11699b3264fc55c5189f5682871166cb98307950569641fa30ffb50de134fed2f973cef1a392827862bc4ddaa97bbb01442e293c41070d07224d4be47ae2753eb2bed4bc1da91c68ec780c4620f0f0203010001a381af3081ac300f0603551d130101ff040530030101ff300b0603551d0f040403020106301d0603551d0e041604145da7dd700651327ee7b66db3b5e5e060ea2e4def306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100300d06092a864886f70d010104050003820101009ad74e3e60592dfb9b21c78628bd76b63090c1720c74bf94753cad6fddadc9c776eb39d3bfaa52136bf528840078386308fcf79503bd3d1ad6c15ac38e10c846bff7888a03cfe7fa0e644b522b2af5aedf0bbc508dc48330a180757772771095059b2be148f58dc0c753b59e9d6bfb02e9b685a928a284531b187313fd2b835bc9ea27d0020739a8d485e88bdede9a45cde6d28ed553b0e8e92dabf877bed59abf9d151f15e4f2d00b5e6e49fcb665293d2296697926c2954dae367542ef6e98053e76d2728732f6ce69f284f0b856aa6c2823a9ee29b280a66f50828f9b5cf27f84feca3c31c24897db156c7a833768ab306f51286457a51f09dd53bbb4190f'
+);
+
+INSERT INTO certificates (
+   type, keytype, data
+) VALUES ( /* C=CH, O=Linux strongSwan, OU=Research, CN=Research CA */
+  1, 1, X'308203c1308202a9a003020102020120300d06092a864886f70d01010b05003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3130303430363039353335305a170d3139303430343039353335305a3051310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e3111300f060355040b13085265736561726368311430120603550403130b526573656172636820434130820122300d06092a864886f70d01010105000382010f003082010a0282010100b639b23aa6e0075b58a73f4fb25a856a72f71b5d3db1e780137a95b9e961a1dfaf19c6b2f9831421591c277b7a046a43f02e2471dc12fdc351d7c9596032a559d4bdd95ca79f21063a717d33d73fd203071cd0690c94cec13120658e5546367bbc49e412819d7564a24de1b58e07af519da8d87edcb1266de809067813452471e0f289e7814efdbefc2d4cc1fab331af3c70fe59c8f2312602d2a5ba043b73d6ae31e142cfe3669527e74a85a11cde6a9bed2234acb40bedb922e13c36afa2de3b41888f01c01a87637bb622e7e5521f4d73d77f47abc6b113cc1ecdf45f51dafe6d14838f78fb0c2ac1f1016518f3c4c98c17fd521b82351374c3389decae390203010001a381af3081ac300f0603551d130101ff040530030101ff300b0603551d0f040403020106301d0603551d0e04160414e775f0a0f2ad20cdcd6023ccc7c80f29f3dd5420306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100300d06092a864886f70d01010b050003820101008d6da16d1b2dcc815c0a3215e2ca1b2e1289b70d059b3fae80a173051abf47e8c8b74260c60528478738bbc8b1322389fa58e0c3f2dd20604395e972ce6f385c16f7b8cce987c1caa8f1e3eeea4c1a8e68b31705b789dcb230432262ae9a8767396c3ac71c8710a370c00c3ce0469968e974ea942e82e5c17f44161040dab11907589a9a06d4279339791344b9b9bcc51e816b0ff4391cffb6dfadc42f63c5c8c7a099ce155d2cb3b5ecddddf63ea86f286801c6354b672ab7cc3feb306db15d5c8a3d4e3acde94c08fd5476c33adad2f5730022e2ca246b4d8642b3ffaf00611eddb66c930de2036ce4d4af8537638e0c156332eeeb7205601bd6f2c1668992'
+);
+
+INSERT INTO certificates (
+   type, keytype, data
+) VALUES ( /* C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org */
+  1, 1, X'3082042c30820314a003020102020106300d06092a864886f70d01010b05003051310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e3111300f060355040b13085265736561726368311430120603550403130b5265736561726368204341301e170d3130303430373039323035375a170d3135303430363039323035375a305a310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e3111300f060355040b13085265736561726368311d301b060355040314146361726f6c407374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100e8a8f6d28e9044a366e993843bedd5a17274f0cf34084dac8a27f1a0af64cc454015ec6a6b352ce2f8ed429011e389703510d6cf743f4e6f0305fe4f0380da70438605417bc73e46c0517c4466c5cb332bb7608f9cab8f06c916b5093de9b4e0a10f9eb47b2e94f9b3bfb3d67fa9658afd1f2253bd825dddcf7af1fae8c105bdf26804246f71b362df6aa4d5dd1112d41f6f21e4065a1eb80d2ac5e97cbf1d8fa7dcc792306677509a174ba619231bc635dee1781ff6c71bf756fd133721a29263fc67989b80de639fb990914f5233d43341bd996359b70e7f7771b279c37017782961261a337ba52f855b387bf012b896fa6fd34b30be1e07404c0990fae98f0203010001a38201043082010030090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e04160414c400ef96d95d5ebb4b2309071f7a6cf3f65491bd306d0603551d23046630648014e775f0a0f2ad20cdcd6023ccc7c80f29f3dd5420a149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820120301f0603551d110418301681146361726f6c407374726f6e677377616e2e6f726730370603551d1f0430302e302ca02aa0288626687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f72657365617263682e63726c300d06092a864886f70d01010b050003820101006a380523c2b3eb5d62d0886ef3e3350b65b59056cbe04a18ca89f7b6b8d167722acfa92c7fd2922824ba162ca5ab80c68a5d26b4cb653fe1ca717cd181263de8ce023bbdf0dba962c2666c14135a64a23fe6f2913cf2f253dada1ac85fa417820b2c19e2f71bf8456220fb2dcce6222b9cbfd6d486b0c11d9e55f6259b0900a85b2d14e60b4d8edcc6c6181410ab57949f5c6447ca67753593266159eb57d9954312c0b80b17dfd572101aedc21d100d38e0e0ad4dd69b898a322c59aa0eeb6af0662f58eccb7f6a8e29c471907c4f7de243ad638b78f1189da324481914280508908f8b6896d61770124c6807aa1dbfa70535d80dc1a2f24a51a47407b532d8'
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  1, 1
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  1, 2
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  1, 3
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  2, 4 
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  2, 5 
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  2, 6 
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  3, 7 
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  3, 8 
+);
+
+/* Private Keys */
+
+INSERT INTO private_keys (
+   type, data
+) VALUES ( /* key of 'C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org' */
+  1, X'308204a50201000282010100e8a8f6d28e9044a366e993843bedd5a17274f0cf34084dac8a27f1a0af64cc454015ec6a6b352ce2f8ed429011e389703510d6cf743f4e6f0305fe4f0380da70438605417bc73e46c0517c4466c5cb332bb7608f9cab8f06c916b5093de9b4e0a10f9eb47b2e94f9b3bfb3d67fa9658afd1f2253bd825dddcf7af1fae8c105bdf26804246f71b362df6aa4d5dd1112d41f6f21e4065a1eb80d2ac5e97cbf1d8fa7dcc792306677509a174ba619231bc635dee1781ff6c71bf756fd133721a29263fc67989b80de639fb990914f5233d43341bd996359b70e7f7771b279c37017782961261a337ba52f855b387bf012b896fa6fd34b30be1e07404c0990fae98f0203010001028201010086869c20e739d7d63b7d3744b07a369a215a289b4654bec4d325817b0daf54c57de6af4a612ee00365379ad33ee4b7e55f699b2b5ce5f5ee0e6b7abe29226a2b9b7f74ae86699042cc94d12ba3d91e433a35cfe97a0760ade5bbf175a48ceb7f2ee19f3c7035610278c291b3a721458b760c7886beff10535ed291f4287ce359f4b860c5176456044775be950ebc8f753f885742b0c74006b2d50672a8cc050e5931de65cfbc09ad0c1560a1ae3f5bd830acd8cd004a0031e6cf42368d5d21bab02666fb38b9709b71be5f1d09ccdede38e65d88548f73236847013aacabebb361ad43d2ea59d92f544b858f222497dedc9e83a44488f96c0bcd0df8df8e678102818100ff6b7443e3a6b55b11e012f9a70b73fea85a51aaa36de73b7d48b945874f5d32c5fd04e45229c1a2c9721a93fa30f9b587a17d9d7e395b5889658a0492179d52be6b8adcfc6211597fc144732d59e7a7bfbc11ef6a6dd46471a7bc9366d8f501e261b977121e99ed028d241ba8070bff85bdbacd832b92627f6c8886be0b946102818100e930460397ee15d8cce4804db29972734574f10261a0438d757f45c83deba360e147315a5def25161fdc0e797a199cd89766092aade82aec47f4712ab963b027bb803fc618492d57b7e49e75c2e417f1de1517438ac04cbc7cc7095a7bec1cf8034c79a6351c1d0a3861861f6913e25e141428609dfa5937ebe97a5fdc1643ef0281810093ea65955f43cee8e38c3150f4a5145298aa5d7b055403421746c34c7994c37340e74b2af24e0e3e388ce4c9676d6f5eea21e27e0f7825e73b025b90540e6ae45d342861dba2eb4b3a49f15b061b77a554cb1453e2fda1af5d867715a1cce8ee636c969c5718f3a926fe17b81071ac4818ea8c40b1c2ccee4fbec9bdc6572c6102818100c2ba953d1afaaf33c4a66c9e75aebe6c946bfb77499f53ca257c8b0194f3da13650cd6a1e81f7490ed3a0ebc52c260c05e6dcee9dd202bf7f47ea4a250fe76743797f9a9ab4e309737f1aa821ca5ed790544079157a50e6fb8a35da43a280a68f21842de112bd0f45ff0d0d81a1f88c19772dde51107a6c9942ffd095ff917f102818004145ff4373203f45d993b33a9e6df3cf366c7b88768d6eb6775dbbf2bf73f92e4cd79452d3bc0843cff52a9d533b0707b53867896245df9a28d18e927e53c76d79bd98cd9ded9e5ccac227f3fb4e75fcb7236af5fd5f6e4fb8407663ae55d0e58898815594b9e9dcc4721386c89af7819625ab4d141456cc50b765880e04e1c'
+);
+
+INSERT INTO private_key_identity (
+  private_key, identity
+) VALUES (
+  1, 7 
+);
+
+INSERT INTO private_key_identity (
+  private_key, identity
+) VALUES (
+  1, 8 
+);
+
+/* Configurations */
+
+INSERT INTO ike_configs (
+  local, remote
+) VALUES (
+  'PH_IP_CAROL', 'PH_IP_MOON'
+);
+
+INSERT INTO peer_configs (
+  name, ike_cfg, local_id, remote_id
+) VALUES (
+  'home', 1, 7, 9 
+);
+
+INSERT INTO child_configs (
+  name, updown
+) VALUES (
+  'home', 'ipsec _updown iptables'
+);
+
+INSERT INTO peer_config_child_config (
+  peer_cfg, child_cfg
+) VALUES (
+  1, 1
+);
+
+INSERT INTO traffic_selectors (
+  type, start_addr, end_addr
+) VALUES ( /* 10.1.0.0/16 */
+  7, X'0a010000', X'0a01ffff'
+);
+
+INSERT INTO traffic_selectors (
+  type
+) VALUES ( /* dynamic/32 */
+  7
+);
+
+INSERT INTO child_config_traffic_selector (
+  child_cfg, traffic_selector, kind
+) VALUES (
+  1, 1, 1
+);
+
+INSERT INTO child_config_traffic_selector (
+	child_cfg, traffic_selector, kind
+) VALUES (
+  1, 2, 2
+);
+
diff --git a/testing/tests/sql/multi-level-ca/hosts/carol/etc/ipsec.secrets b/testing/tests/sql/multi-level-ca/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..76bb21bea
--- /dev/null
+++ b/testing/tests/sql/multi-level-ca/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+# secrets are read from SQLite database
diff --git a/testing/tests/sql/multi-level-ca/hosts/carol/etc/strongswan.conf b/testing/tests/sql/multi-level-ca/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..f375db9c9
--- /dev/null
+++ b/testing/tests/sql/multi-level-ca/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,10 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  plugins {
+    sql {
+      database = sqlite:///etc/ipsec.d/ipsec.db 
+    }
+  }
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
+}
diff --git a/testing/tests/sql/multi-level-ca/hosts/dave/etc/ipsec.conf b/testing/tests/sql/multi-level-ca/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..96eb832ae
--- /dev/null
+++ b/testing/tests/sql/multi-level-ca/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,7 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        strictcrlpolicy=yes
+        plutostart=no
+
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/multi-level-ca/hosts/dave/etc/ipsec.d/data.sql b/testing/tests/sql/multi-level-ca/hosts/dave/etc/ipsec.d/data.sql
new file mode 100644
index 000000000..b8780e56e
--- /dev/null
+++ b/testing/tests/sql/multi-level-ca/hosts/dave/etc/ipsec.d/data.sql
@@ -0,0 +1,194 @@
+/* Identities */
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */
+  9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+  11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+  11, X'ae096b87b44886d3b820978623dabd0eae22ebbc'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* C=CH, O=Linux strongSwan, OU=Sales, CN=Sales CA */
+  9, X'304b310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e310e300c060355040b130553616c65733111300f0603550403130853616c6573204341'
+);
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, OU=Sales, CN=Sales CA' */
+  11, X'5f9b1346f92072c800d588b5a74c2e97ea0b9328'
+);
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, OU=Sales, CN=Sales CA' */
+  11, X'c9ca6b980be96d5f210d7fed1529eb6c567ec26c'
+);
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* dave@strongswan.org */
+  3, X'64617665407374726f6e677377616e2e6f7267'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, OU=Sales, CN=dave@strongswan.org' */
+  11, X'671081ec8703e10c31abdf12d53275046eba1522'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* moon.strongswan.org */
+  2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267'
+ );
+
+/* Certificates */
+
+INSERT INTO certificates (
+   type, keytype, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */
+  1, 1, X'308203b53082029da003020102020100300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131303134355a170d3134303930383131303134355a3045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100bff25f62ea3d566e58b3c87a49caf3ac61cfa96377734d842db3f8fd6ea023f7b0132e66265012317386729c6d7c427a8d9f167be138e8ebae2b12b95933baef36a315c3ddf224cee4bb9bd578135d0467382629621ff96b8d45f6e002e5083662dce181805c140b3f2ce93f83aee3c861cff610a39f0189cb3a3c7cb9bf7e2a09544e2170efaa18fdd4ff20fa94be176d7fecff821f68d17152041d9b46f0cfcfc1e4cf43de5d3f3a587763afe9267f53b11699b3264fc55c5189f5682871166cb98307950569641fa30ffb50de134fed2f973cef1a392827862bc4ddaa97bbb01442e293c41070d07224d4be47ae2753eb2bed4bc1da91c68ec780c4620f0f0203010001a381af3081ac300f0603551d130101ff040530030101ff300b0603551d0f040403020106301d0603551d0e041604145da7dd700651327ee7b66db3b5e5e060ea2e4def306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100300d06092a864886f70d010104050003820101009ad74e3e60592dfb9b21c78628bd76b63090c1720c74bf94753cad6fddadc9c776eb39d3bfaa52136bf528840078386308fcf79503bd3d1ad6c15ac38e10c846bff7888a03cfe7fa0e644b522b2af5aedf0bbc508dc48330a180757772771095059b2be148f58dc0c753b59e9d6bfb02e9b685a928a284531b187313fd2b835bc9ea27d0020739a8d485e88bdede9a45cde6d28ed553b0e8e92dabf877bed59abf9d151f15e4f2d00b5e6e49fcb665293d2296697926c2954dae367542ef6e98053e76d2728732f6ce69f284f0b856aa6c2823a9ee29b280a66f50828f9b5cf27f84feca3c31c24897db156c7a833768ab306f51286457a51f09dd53bbb4190f'
+);
+
+INSERT INTO certificates (
+   type, keytype, data
+) VALUES ( /* C=CH, O=Linux strongSwan, OU=Sales CN=Sales CA */
+  1, 1, X'308203bb308202a3a003020102020121300d06092a864886f70d01010b05003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3130303430363039353433335a170d3139303430343039353433335a304b310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e310e300c060355040b130553616c65733111300f0603550403130853616c657320434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c24e4d26998c37b9511fa125ba1d704e34581c569beaf41620fe14b736734847fd07169b55dfaa773da9a3cf1a8c4ed817f05e01441df39d4331c6bad861b2f74c3e49963f5677b83af0b1caab98bcaae0923cedec527a7d608260951226f9e53e1f371ad320625aa1ee899fdbfd6701b607e52bde7140ff075c91276a27173a5cbf4329c464dd3c59b6ff52b837ed13d1bbf3b3ba3c94b27f2518865773d4465ee4f4ec52801b049d030d7271df9eb6903b5f41dc1ecdab742c0c8eb1569b62aff41bf7c16702cb7abe2a185dbedc2b2f3fb8cd5e785161e4afdbee22da602381b0512350378aaa14dcdab5bcf02aceb7a4388fd157d1eb7bd2f5afc5f574810203010001a381af3081ac300f0603551d130101ff040530030101ff300b0603551d0f040403020106301d0603551d0e041604145f9b1346f92072c800d588b5a74c2e97ea0b9328306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100300d06092a864886f70d01010b0500038201010024654ea5cc8c7cbbafbad69eaff4f721674dde9dfb2e8a9078fd92f612039abbc587663f7238f983f6aa93e762349ec9f302978648c8c5e77d46f3e4ebee5e9e12092d2021427a98aebee5fd5add449d07809ed0e7789a45084262f32850914aa7615a8573349ae5f814f56b977df9a2d600be52da9a94a103e01bae0c3e0872dd2c946f8a817a9964dc9751ffa3a00392d078db4b888ed8fdd6cc33646f9f6f38448231a764ea3761eea7a04d2c7bfa7cb8b1749a4cfa71bb6631987feedd9ee63a64386f22dd7ccebff69f510b0503e13394a3621190219566373343aca19500ab5ae4b1bc0700468b4b9773d7c15d645c7df237375fc8663fe86f9b775828'
+);
+
+INSERT INTO certificates (
+   type, keytype, data
+) VALUES ( /* C=CH, O=Linux strongSwan, OU=Sales, CN=dave@strongswan.org */
+  1, 1, X'3082041c30820304a003020102020105300d06092a864886f70d01010b0500304b310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e310e300c060355040b130553616c65733111300f0603550403130853616c6573204341301e170d3130303430373039343234315a170d3135303430363039343234315a3056310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e310e300c060355040b130553616c6573311c301a0603550403141364617665407374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100ceda8649bdc7f5787a238c620e49ac3795918ca9c441f49166c4a2d2e991edad63cac56f3202ca9e69368403099034e30579dd11e9a72e25de9b136ae16a77c74660a4d582eb2d6495963a27b4fbebfe18869208b3c1c0d7e66220012160291eab2fd42cf934a9aeb22ba31ad8528b102e30cfa3816e385cb6a2f356cc7128390b6a2be7275e9b5fc08236c0aaf3a05aeb89ba2b5329b1ebf944a9cecf4132d56c018602e68a96518003072bac8f4d168e71cbc556b3a98b56dfa6b29792b098b7ab10a038db7e1799fed2b25b6889f966c7d25b00e0d6cf8b5b3fe7face207fb5e8219f6a75e266f67b35bc4bc9bf1f7cf2171710d3aa24bcc05ade45947ce70203010001a381ff3081fc30090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e04160414671081ec8703e10c31abdf12d53275046eba1522306d0603551d230466306480145f9b1346f92072c800d588b5a74c2e97ea0b9328a149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820121301e0603551d1104173015811364617665407374726f6e677377616e2e6f726730340603551d1f042d302b3029a027a0258623687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f73616c65732e63726c300d06092a864886f70d01010b05000382010100791f98e3a7d2ef103c89a7fdf1ec26aa3a12014a5e67de0ece8b58174f91872c187dfe5e62e92c24d5e7b2da8333a4782c743a202f2b65bf344a5eea49019b79c5669be48ec17e27214425786cebad37f17c0e2342846d129d81018b3462e4ad3a2c069db434f434bbfb884fc8e3d35b13c39daa7113d731eaf3699bb556421339917be726941ec47840840fe1b14ce9d82d159e2a0f80588138fdf2cdeecd1eabde25494b729bbd4b67d92630c007908c846db96f5486bb9398f84fa8f45f03cf71854c4a3a20a9ecdefaa6dfdc443e26446519dccbff5ed3a0b5989d5c242ea4039fa07e45fc273e4d845e776eb4facdcfa0b75b2ef334d9e272202d5c0abe'
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  1, 1
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  1, 2
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  1, 3
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  2, 4 
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  2, 5 
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  2, 6 
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  3, 7 
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  3, 8 
+);
+
+/* Private Keys */
+
+INSERT INTO private_keys (
+   type, data
+) VALUES ( /* key of 'C=CH, O=Linux strongSwan, OU=Sales, CN=dave@strongswan.org' */
+  1, X'308204a50201000282010100ceda8649bdc7f5787a238c620e49ac3795918ca9c441f49166c4a2d2e991edad63cac56f3202ca9e69368403099034e30579dd11e9a72e25de9b136ae16a77c74660a4d582eb2d6495963a27b4fbebfe18869208b3c1c0d7e66220012160291eab2fd42cf934a9aeb22ba31ad8528b102e30cfa3816e385cb6a2f356cc7128390b6a2be7275e9b5fc08236c0aaf3a05aeb89ba2b5329b1ebf944a9cecf4132d56c018602e68a96518003072bac8f4d168e71cbc556b3a98b56dfa6b29792b098b7ab10a038db7e1799fed2b25b6889f966c7d25b00e0d6cf8b5b3fe7face207fb5e8219f6a75e266f67b35bc4bc9bf1f7cf2171710d3aa24bcc05ade45947ce702030100010282010100994a9a0fd5c37466f6e49729277b7353b1d4ae10352fc785654a3d7bddb9d610138ef62744418b543f9635d86662e6be82955fbde190920360673dc98c0931808ce81bdf5a68dc37d91efe33e4cc7883d23b0fc7c126c9b975b2ac130a5fcfb9399575406ae19b09aa61ea3a7fab140146a9c7865ce9887d349fa78360784f1c3a051defaf19b9e35b324ab2fb3a119897a5f27f58a7757906a1b0617b83ef6a579c6ac2c84204a7f6e4b6765e376f643b7bf074b886c49a4ad9de99eb4af4d549189aa62f37a1435ea645702bf186e4f60eff312161a7018f1a372a9b6fecccbe02b3d20cb584b18aba18dd02fe0d9c9d1bdf8af60e4d17b95795b117f475d102818100e76e0922daa0426c8196ad867cbd912b01b4399302e89566e92a45d3230cdd88d243ac46c2300841750c8bc5b17ee77c790abdef3e5f24dcd39cbb2d35e65f50048cc83315e97bbb2e478d2ec0b096604e2a690bc83f9768c6abeb39f73013359d9e97d43d75b78ada505dad5cbe8ea3484dd4207bd0628057e159b90018544f02818100e4d089fdbe62b874cc33cee7723a91285e85a66f36d3e64319a686f1f81c6318f04c916a314e48ca55d70dd5603b93038eefca897ef74056318f19b25ad7abe066c31da87127367dec9461c2683a844bfdbf9bd65636567a20dc7b390502ec50bcc7770904b8af308e3c3583892cb8831b5ff5fd9c4bc9b34c5e9b387b26efe902818008d236e2ef366091c636ba12803ab187d41ecc7b0007617a74b4b9c89c73671649fd6e599c193c975220d24b0cc2eb8be10939c81eb67daf3519aa40c4e72d06ddc587f3fa87d5c182b813778ebcac5eab5c0e78f67f0604665e332f186eeaac867f7f0605f9b0af4836fbfb19a7e1c3f38393ec510bd655520432e94c49a11d02818100c9b9988e5e34c68e222162bde59500b8686cc7c8b0bbabfb6837ca2cb522c1b310d7503420f7f5707cb135fef1f253b0056a1e538dde099873e4c730d8a9df5bdcfd13be96d38d550327e5eff0d7f61ed0bd0674b658fd707a5c273ea3ce69ecdc21b62dfb3d9f25dd9ff345ddbfd183b4b4ab38457d037bd14e6ee6229cb75102818100991ff421b606875609ed9f629b8e0c4d2cfa1fb6d39e62038ccdfff8857275256015bcdca151bae2c4397c856230bb73f4f1c345129bb3c4c1ce9cbb0bfc02d6a46aa6af48d7b20d490cef9b70e96763e547449e3767407cef57b6413bddc11f7ff808ec958ea2ecbfbdcce2cdf45e9a75a534ae548b6f457b4425182f53c97d'
+);
+
+INSERT INTO private_key_identity (
+  private_key, identity
+) VALUES (
+  1, 7 
+);
+
+INSERT INTO private_key_identity (
+  private_key, identity
+) VALUES (
+  1, 8 
+);
+
+/* Configurations */
+
+INSERT INTO ike_configs (
+  local, remote
+) VALUES (
+  'PH_IP_DAVE', 'PH_IP_MOON'
+);
+
+INSERT INTO peer_configs (
+  name, ike_cfg, local_id, remote_id
+) VALUES (
+  'home', 1, 7, 9 
+);
+
+INSERT INTO child_configs (
+  name, updown
+) VALUES (
+  'home', 'ipsec _updown iptables'
+);
+
+INSERT INTO peer_config_child_config (
+  peer_cfg, child_cfg
+) VALUES (
+  1, 1
+);
+
+INSERT INTO traffic_selectors (
+  type, start_addr, end_addr
+) VALUES ( /* 10.1.0.0/16 */
+  7, X'0a010000', X'0a01ffff'
+);
+
+INSERT INTO traffic_selectors (
+  type
+) VALUES ( /* dynamic/32 */
+  7
+);
+
+INSERT INTO child_config_traffic_selector (
+  child_cfg, traffic_selector, kind
+) VALUES (
+  1, 1, 1
+);
+
+INSERT INTO child_config_traffic_selector (
+	child_cfg, traffic_selector, kind
+) VALUES (
+  1, 2, 2
+);
+
diff --git a/testing/tests/sql/multi-level-ca/hosts/dave/etc/ipsec.secrets b/testing/tests/sql/multi-level-ca/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..76bb21bea
--- /dev/null
+++ b/testing/tests/sql/multi-level-ca/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+# secrets are read from SQLite database
diff --git a/testing/tests/sql/multi-level-ca/hosts/dave/etc/strongswan.conf b/testing/tests/sql/multi-level-ca/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..f375db9c9
--- /dev/null
+++ b/testing/tests/sql/multi-level-ca/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,10 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  plugins {
+    sql {
+      database = sqlite:///etc/ipsec.d/ipsec.db 
+    }
+  }
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
+}
diff --git a/testing/tests/sql/multi-level-ca/hosts/moon/etc/ipsec.conf b/testing/tests/sql/multi-level-ca/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..96eb832ae
--- /dev/null
+++ b/testing/tests/sql/multi-level-ca/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,7 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        strictcrlpolicy=yes
+        plutostart=no
+
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/multi-level-ca/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/multi-level-ca/hosts/moon/etc/ipsec.d/data.sql
new file mode 100644
index 000000000..71141db03
--- /dev/null
+++ b/testing/tests/sql/multi-level-ca/hosts/moon/etc/ipsec.d/data.sql
@@ -0,0 +1,164 @@
+/* Identities */
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */
+  9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+  11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+  11, X'ae096b87b44886d3b820978623dabd0eae22ebbc'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* moon.strongswan.org */
+  2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */
+  11, X'6a9c74d1f8897989f65a94e989f1fac3649d292e'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* %any */
+  0, '%any'
+);
+
+/* Certificates */
+
+INSERT INTO certificates (
+   type, keytype, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */
+  1, 1, X'308203b53082029da003020102020100300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131303134355a170d3134303930383131303134355a3045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100bff25f62ea3d566e58b3c87a49caf3ac61cfa96377734d842db3f8fd6ea023f7b0132e66265012317386729c6d7c427a8d9f167be138e8ebae2b12b95933baef36a315c3ddf224cee4bb9bd578135d0467382629621ff96b8d45f6e002e5083662dce181805c140b3f2ce93f83aee3c861cff610a39f0189cb3a3c7cb9bf7e2a09544e2170efaa18fdd4ff20fa94be176d7fecff821f68d17152041d9b46f0cfcfc1e4cf43de5d3f3a587763afe9267f53b11699b3264fc55c5189f5682871166cb98307950569641fa30ffb50de134fed2f973cef1a392827862bc4ddaa97bbb01442e293c41070d07224d4be47ae2753eb2bed4bc1da91c68ec780c4620f0f0203010001a381af3081ac300f0603551d130101ff040530030101ff300b0603551d0f040403020106301d0603551d0e041604145da7dd700651327ee7b66db3b5e5e060ea2e4def306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100300d06092a864886f70d010104050003820101009ad74e3e60592dfb9b21c78628bd76b63090c1720c74bf94753cad6fddadc9c776eb39d3bfaa52136bf528840078386308fcf79503bd3d1ad6c15ac38e10c846bff7888a03cfe7fa0e644b522b2af5aedf0bbc508dc48330a180757772771095059b2be148f58dc0c753b59e9d6bfb02e9b685a928a284531b187313fd2b835bc9ea27d0020739a8d485e88bdede9a45cde6d28ed553b0e8e92dabf877bed59abf9d151f15e4f2d00b5e6e49fcb665293d2296697926c2954dae367542ef6e98053e76d2728732f6ce69f284f0b856aa6c2823a9ee29b280a66f50828f9b5cf27f84feca3c31c24897db156c7a833768ab306f51286457a51f09dd53bbb4190f'
+);
+
+INSERT INTO certificates (
+   type, keytype, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=moon.strongswan.org */
+  1, 1, X'308204223082030aa003020102020117300d06092a864886f70d01010b05003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3039303832373130303333325a170d3134303832363130303333325a3046310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311c301a060355040313136d6f6f6e2e7374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100ca2f633dd4bbba0586215b15a0312f73f533124f0b339b9ae13bb648b02b4c468e0f01e630fbef92197b7708f5dbffea7e496286966d75acf13bd5e4377a1821d82de102eadf9963b489041a0b0f9f76b79e2150aa39020e3fa52a677dbb879c986291e4f1542fe2f0494e9c5c954d4faa75a17aa7b56652f1b16efbdcb46697f7d0b7f520bc990205365938d2cd31f2beed30e761a56c02d9dc82f0cdefc9d43447b6a98f7628aed2ac127a4a9504838f66e7517e5e0b0672c8165474bce689f73a6fc6e3c72b2c45498ddbbc0b17b04915606fe94f256cc777c42c534560ffbbe5aacdd944cc8db4d2abaf8a294af55b03a6a01a54d78430ab78389753c2870203010001a382011a3082011630090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e041604146a9c74d1f8897989f65a94e989f1fac3649d292e306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100301e0603551d110417301582136d6f6f6e2e7374726f6e677377616e2e6f726730130603551d25040c300a06082b0601050507030130390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f7374726f6e677377616e2e63726c300d06092a864886f70d01010b050003820101009cb57836c5e328cda4d58e204bd4ff0c63db841f926d53411c790d516c8e7fdaf191767102343f68003639bda99a684d8c76ad9087fbe55e730ba378a2e442e3b1095875361939c30e75c5145d8bdb6c55f5730a64061c819751f6e4aa6d1dc810fc79dc78aa7790ebaac183988e0c1e3d7ba5729597c7413642d40215041914fc8459e349c47d28825839dd03d77c763d236fc6ba48f95746f3a7b304d06b3c29d9d87666db0eacd080fb2d6bdebf9be1e8265b2b545fb81aa8a18fa056301436c9b8cf599746de81fddb9704f2feb4472f7c0f467fb7281b014167879a0ebda7fae36a5a5607376a803bec8f14f94663102c484a8887ba5b58ed04ee7cec0f'
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  1, 1
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  1, 2
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  1, 3
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  2, 4 
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  2, 5 
+);
+
+/* Private Keys */
+
+INSERT INTO private_keys (
+   type, data
+) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */
+  1, X'308204a30201000282010100ca2f633dd4bbba0586215b15a0312f73f533124f0b339b9ae13bb648b02b4c468e0f01e630fbef92197b7708f5dbffea7e496286966d75acf13bd5e4377a1821d82de102eadf9963b489041a0b0f9f76b79e2150aa39020e3fa52a677dbb879c986291e4f1542fe2f0494e9c5c954d4faa75a17aa7b56652f1b16efbdcb46697f7d0b7f520bc990205365938d2cd31f2beed30e761a56c02d9dc82f0cdefc9d43447b6a98f7628aed2ac127a4a9504838f66e7517e5e0b0672c8165474bce689f73a6fc6e3c72b2c45498ddbbc0b17b04915606fe94f256cc777c42c534560ffbbe5aacdd944cc8db4d2abaf8a294af55b03a6a01a54d78430ab78389753c287020301000102820100204507f5ea6a3bfa7db9fd2baa71af3d36b97c0699a71702d5480e83f37a35a65d2e10038975ec7ac90e67a54a785e9432abcbc9e7607913ad3cfb9a7d304381c35b2f3aa3fa242541bf4ca44b77a6dfefd69142aaa886a777890907938dc6cb3b971fea068a854a1747dc0020d6c38c1f8cbec530d747099e01cfd0eb1ceff2b077bd07aaef4989b75594614b16a778891a2e490369d2a9571ddf5cd165331638a8a3c96184a8259eb588caab3bbfab9c0f77b66c830ecf0f294dc1b67a5f36b75e3e095e247864f19ab212fdbf34e0925316ca13c342b4ba464ecf93d2a8e39eee24dd63dddd938101a9f4b8f0de90765e1c1fda5c62e161cc712794aeaea102818100f85d60a6990447926da1ab9db7f094a5d435b11f70c5fef9541a89e05898001190cfdc651b8a23ccbfe8e7bdacd225776f01699d06be5ae5abc4690fe99b81fd9f369e973437fbcba2efdbe1dc6f8389fb2be78e3847f4f05323b2c7b6b6a4c85ca0aa72642747434f4358f0baf10ab173f9c3f24e9674570179dde23c6c248d02818100d06693eb5c92b6d516f630b79b1b98ea3910cbc4c442a4779ce16f5b09825c858ea4dfcc4d33eeb3e4de971a7fa5d2a153e9a83e65f7527ca77b93efc257960eadd8ce5b57e590d9189e542652ae3677c623343a39c1d16dbef3069406eaa4913eeba06e0a3af3c8539dbd4be7d9caf3ccd654ae397ae7faa72ba823e4b0206302818100ef2bc4f249f28415ef7b3bafd33d5b7861e61e9e7f543c18d0340a4840288810625ab90ba8bc9b8305dffca27c75965cf049f4f1a157d862c9c987bf2a2075cacdf2a44049aa0bd16b23fea3ff4a67ea8d351774aea024b0f5ef2fb00134db749336a94d254369edd8bbab3f8f56a60c82f9a807844480de746e6e0cfa50cdd50281807b32d8e93fadc00612eff176e96c14270b1b41cb0dd6f3d17e5dcaedbf9e6041d844e1c4ae33303f0ae307e2f3693d2e8023d68124d863dc2b4aa3f70e25a7210066f5ff0be43b900bbcb5b47e165d3ecb544e70c96a29fbbdf17f870cdbb3f3e585782ef53f4a94b7d1bd715d1be49de20f26ba6462a3370b928470cba5cf4f028180324ffacf705e6746f741d24ff6aa0bb14aad55cba41eb7758e6cc0d51f40feac6b4a459ce374af424287f602b0614520079b436b8e90cde0ddff679304e9efdd74a2ffbfe6e4e1bd1236c360413f2d2656e00b3e3cb217567671bf73a722a222e5e85d109fe2c77caf5951f5b9f4171c744afa717fe7e9306488e6ab87341298'
+);
+
+INSERT INTO private_key_identity (
+  private_key, identity
+) VALUES (
+  1, 4 
+);
+
+INSERT INTO private_key_identity (
+  private_key, identity
+) VALUES (
+  1, 5 
+);
+
+INSERT INTO certificate_authorities (
+  certificate
+) VALUES (
+  1
+);
+
+INSERT INTO certificate_distribution_points (
+  ca, type, uri
+) VALUES (
+  1, 1, 'http://crl.strongswan.org/strongswan.crl'
+);
+
+/* Configurations */
+
+INSERT INTO ike_configs (
+  local, remote
+) VALUES (
+  'PH_IP_MOON', '0.0.0.0'
+);
+
+INSERT INTO peer_configs (
+  name, ike_cfg, local_id, remote_id
+) VALUES (
+  'rw', 1, 4, 6 
+);
+
+INSERT INTO child_configs (
+  name, updown
+) VALUES (
+  'rw', 'ipsec _updown iptables'
+);
+
+INSERT INTO peer_config_child_config (
+  peer_cfg, child_cfg
+) VALUES (
+  1, 1
+);
+
+INSERT INTO traffic_selectors (
+  type, start_addr, end_addr
+) VALUES ( /* 10.1.0.0/16 */
+  7, X'0a010000', X'0a01ffff'
+);
+
+INSERT INTO traffic_selectors (
+  type
+) VALUES ( /* dynamic/32 */
+  7
+);
+
+INSERT INTO child_config_traffic_selector (
+  child_cfg, traffic_selector, kind
+) VALUES (
+  1, 1, 0
+);
+
+INSERT INTO child_config_traffic_selector (
+	child_cfg, traffic_selector, kind
+) VALUES (
+  1, 2, 3
+);
+
diff --git a/testing/tests/sql/multi-level-ca/hosts/moon/etc/ipsec.secrets b/testing/tests/sql/multi-level-ca/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..76bb21bea
--- /dev/null
+++ b/testing/tests/sql/multi-level-ca/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+# secrets are read from SQLite database
diff --git a/testing/tests/sql/multi-level-ca/hosts/moon/etc/strongswan.conf b/testing/tests/sql/multi-level-ca/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..f375db9c9
--- /dev/null
+++ b/testing/tests/sql/multi-level-ca/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,10 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  plugins {
+    sql {
+      database = sqlite:///etc/ipsec.d/ipsec.db 
+    }
+  }
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
+}
diff --git a/testing/tests/sql/multi-level-ca/posttest.dat b/testing/tests/sql/multi-level-ca/posttest.dat
new file mode 100644
index 000000000..d4d57ad83
--- /dev/null
+++ b/testing/tests/sql/multi-level-ca/posttest.dat
@@ -0,0 +1,10 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
+moon::rm /etc/ipsec.d/ipsec.*
+carol::rm /etc/ipsec.d/ipsec.*
+dave::rm /etc/ipsec.d/ipsec.*
+~
diff --git a/testing/tests/sql/multi-level-ca/pretest.dat b/testing/tests/sql/multi-level-ca/pretest.dat
new file mode 100644
index 000000000..76316f33d
--- /dev/null
+++ b/testing/tests/sql/multi-level-ca/pretest.dat
@@ -0,0 +1,18 @@
+moon::rm /etc/ipsec.d/cacerts/*
+carol::rm /etc/ipsec.d/cacerts/*
+dave::rm /etc/ipsec.d/cacerts/*
+moon::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+carol::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+dave::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/sql/multi-level-ca/test.conf b/testing/tests/sql/multi-level-ca/test.conf
new file mode 100644
index 000000000..70416826e
--- /dev/null
+++ b/testing/tests/sql/multi-level-ca/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/sql/net2net-cert/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/net2net-cert/hosts/moon/etc/ipsec.d/data.sql
index 54086643f..ef6849c11 100644
--- a/testing/tests/sql/net2net-cert/hosts/moon/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/net2net-cert/hosts/moon/etc/ipsec.d/data.sql
@@ -109,9 +109,9 @@ INSERT INTO ike_configs (
 );
 
 INSERT INTO peer_configs (
-  name, ike_cfg, local_id, remote_id, mobike
+  name, ike_cfg, local_id, remote_id, mobike, dpd_delay
 ) VALUES (
-  'net-net', 1, 4, 5, 0
+  'net-net', 1, 4, 5, 0, 0
 );
 
 INSERT INTO child_configs (
diff --git a/testing/tests/sql/net2net-cert/hosts/sun/etc/ipsec.d/data.sql b/testing/tests/sql/net2net-cert/hosts/sun/etc/ipsec.d/data.sql
index 2bc8b34c8..79a35ef68 100644
--- a/testing/tests/sql/net2net-cert/hosts/sun/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/net2net-cert/hosts/sun/etc/ipsec.d/data.sql
@@ -109,9 +109,9 @@ INSERT INTO ike_configs (
 );
 
 INSERT INTO peer_configs (
-  name, ike_cfg, local_id, remote_id, mobike
+  name, ike_cfg, local_id, remote_id, mobike, dpd_delay
 ) VALUES (
-  'net-net', 1, 5, 4, 0
+  'net-net', 1, 5, 4, 0, 0
 );
 
 INSERT INTO child_configs (
diff --git a/testing/tests/sql/net2net-route-pem/description.txt b/testing/tests/sql/net2net-route-pem/description.txt
new file mode 100644
index 000000000..5a6681f6e
--- /dev/null
+++ b/testing/tests/sql/net2net-route-pem/description.txt
@@ -0,0 +1,10 @@
+A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
+The authentication is based on <b>X.509 certificates</b> and <b>RSA private keys</b> stored
+in <b>PEM format</b> in an <b>SQLite database</b>. The IKE_SA configuration details and the 
+traffic selectors of three CHILD_SAs are also stored in the database and the first two of
+them are marked to be automatically routed by gateway <b>moon</b> via the <b>start_action</b>
+field in the <b>child_configs</b> table.
+<p/> 
+In order to trigger the IKE connection setup and subsequently test both tunnel and firewall, client
+<b>alice</b> behind gateway <b>moon</b> pings client <b>bob</b> located behind gateway <b>sun</b>
+and <b>bob</b> in turn ping client <b>venus</b> behind gateway <b>moon</b>.
diff --git a/testing/tests/sql/net2net-route-pem/evaltest.dat b/testing/tests/sql/net2net-route-pem/evaltest.dat
new file mode 100644
index 000000000..eaca715d5
--- /dev/null
+++ b/testing/tests/sql/net2net-route-pem/evaltest.dat
@@ -0,0 +1,16 @@
+moon::ipsec statusall::net-1.*ROUTED::YES
+sun::ipsec statusall::net-1.*ROUTED::YES
+moon::ipsec statusall::net-2.*ROUTED::YES
+sun::ipsec statusall::net-2.*ROUTED::YES
+moon::cat /var/log/daemon.log::creating acquire job for policy 10.1.0.10/32\[icmp/8\] === 10.2.0.10/32\[icmp\] with reqid {1}::YES
+moon::ipsec statusall::net-1.*INSTALLED::YES
+sun::ipsec statusall::net-1.*INSTALLED::YES
+sun::cat /var/log/daemon.log::creating acquire job for policy 10.2.0.10/32\[icmp/8\] === 10.1.0.20/32\[icmp\] with reqid {2}::YES
+moon::ipsec statusall::net-2.*INSTALLED::YES
+sun::ipsec statusall::net-2.*INSTALLED::YES
+moon::ipsec statusall::net-net.*ESTABLISHED::YES
+sun::ipsec statusall::net-net.*ESTABLISHED::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+bob:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/sql/net2net-route-pem/hosts/moon/etc/ipsec.conf b/testing/tests/sql/net2net-route-pem/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..3bc29625f
--- /dev/null
+++ b/testing/tests/sql/net2net-route-pem/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,8 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+        strictcrlpolicy=no
+        plutostart=no
+
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/net2net-route-pem/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/net2net-route-pem/hosts/moon/etc/ipsec.d/data.sql
new file mode 100644
index 000000000..a35643454
--- /dev/null
+++ b/testing/tests/sql/net2net-route-pem/hosts/moon/etc/ipsec.d/data.sql
@@ -0,0 +1,249 @@
+/* Identities */
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */
+  9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+  11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+  11, X'ae096b87b44886d3b820978623dabd0eae22ebbc'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* moon.strongswan.org */
+  2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* sun.strongswan.org */
+  2, X'73756e2e7374726f6e677377616e2e6f7267'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */
+  11, X'6a9c74d1f8897989f65a94e989f1fac3649d292e'
+ );
+
+/* Certificates */
+
+INSERT INTO certificates (
+   type, keytype, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */
+  1, 1, X'2d2d2d2d2d424547494e2043455254494649434154452d2d2d2d2d0a4d494944754443434171436741774942416749424144414e42676b71686b69473977304241517346414442464d517377435159445651514745774a445344455a0a4d4263474131554543684d5154476c7564586767633352796232356e55336468626a45624d426b474131554541784d53633352796232356e55336468626942530a6232393049454e424d423458445441304d446b784d4445774d4445784f466f58445445354d446b774e7a45774d4445784f466f775254454c4d416b47413155450a42684d43513067784754415842674e5642416f5445457870626e563449484e30636d39755a314e3359573478477a415a42674e5642414d54456e4e30636d39750a5a314e3359573467556d39766443424451544343415349774451594a4b6f5a496876634e4151454242514144676745504144434341516f4367674542414c2f790a58324c7150565a75574c5049656b6e4b383678687a366c6a64334e4e6843327a2b5031756f43503373424d755a695a51456a467a686e4b6362587843656f32660a466e76684f4f6a727269735375566b7a757538326f7858443366496b7a7553376d395634453130455a7a676d4b5749662b57754e52666267417555494e6d4c630a345947415842514c50797a7050344f75343868687a2f59516f3538426963733650487935763334714356524f4958447671686a39315038672b70532b4632312f0a37502b4348326a5263564945485a7447384d2f507765545051393564507a705964324f7636535a2f553745576d624d6d5438566355596e3161436878466d79350a6777655642576c6b48364d502b31446545302f744c35633837786f354b4365474b3854647170653773425243347050454548445163695455766b65754a3150720a4b2b314c77647152786f3748674d5269447738434177454141614f42736a4342727a415342674e5648524d4241663845434441474151482f416745424d4173470a413155644477514541774942426a416442674e5648513445466751555861666463415a524d6e376e746d327a74655867594f6f7554653877625159445652306a0a424759775a4941555861666463415a524d6e376e746d327a74655867594f6f7554652b68536152484d455578437a414a42674e5642415954416b4e494d526b770a467759445651514b4578424d615735316543427a64484a76626d6454643246754d527377475159445651514445784a7a64484a76626d64546432467549464a760a6233516751304743415141774451594a4b6f5a496876634e4151454c425141446767454241434f536d71454274424c52396156335579434938676d7a5235696e0a4c74653961555858532b716973364632683253746634734e2b4e6c36476a37524543365370664548347757647769554c354a30434a68796f4f6a5175446c336e0a314477336445342f7a714d5a6479444b455954553735546d7675734e4a426447734c6b726637454154416a6f692f6e72544f5950506853555a7650702f442b590a764f524a39456a353147586c4b316e774542356941382b7444596e694e516e364244314d456749656a7a4b2b66626979376272615a42316b71686f45723253690a376c7542536e55393132737734393445383861324557626d4d766732545648504e7a4370566b704e6b376b69664369776d7739566c646b71597939792f6c43610a45707970376c54664b77376362443034566b38514a573738324c36437375786b6c333436623137776d4f716e38415a6970733374467375415933773d0a2d2d2d2d2d454e442043455254494649434154452d2d2d2d2d0a'
+);
+
+INSERT INTO certificates (
+   type, keytype, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=moon.strongswan.org */
+  1, 1, X'2d2d2d2d2d424547494e2043455254494649434154452d2d2d2d2d0a4d494945496a4343417771674177494241674942467a414e42676b71686b69473977304241517346414442464d517377435159445651514745774a445344455a0a4d4263474131554543684d5154476c7564586767633352796232356e55336468626a45624d426b474131554541784d53633352796232356e55336468626942530a6232393049454e424d423458445441354d4467794e7a45774d444d7a4d6c6f58445445304d4467794e6a45774d444d7a4d6c6f77526a454c4d416b47413155450a42684d43513067784754415842674e5642416f5445457870626e563449484e30636d39755a314e33595734784844416142674e5642414d5445323176623234750a633352796232356e6333646862693576636d6377676745694d4130474353714753496233445145424151554141344942447741776767454b416f49424151444b0a4c324d39314c753642595968577857674d53397a39544d535477737a6d3572684f375a497343744d526f3450416559772b2b2b5347587433435058622f2b702b0a53574b476c6d313172504537316551336568676832433368417572666d574f306951516143772b6664726565495643714f51494f503655715a333237683579590a5970486b385651763476424a547078636c553150716e5768657165315a6c4c7873573737334c526d6c2f6651742f5567764a6b4342545a5a4f4e4c4e4d664b2b0a3754446e5961567341746e636776444e37386e554e456532715939324b4b375372424a36537055456734396d3531462b586773476373675756485338356f6e330a4f6d2f47343863724c45564a6a6475384378657753525667622b6c504a577a4864385173553056672f37766c7173335a524d794e744e4b7272346f70537656620a41366167476c5458684443726544695855384b4841674d424141476a676745614d494942466a414a42674e5648524d45416a41414d41734741315564447751450a417749447144416442674e564851344546675155617078303066694a65596e325770547069664836773253644b533477625159445652306a424759775a4941550a5861666463415a524d6e376e746d327a74655867594f6f7554652b68536152484d455578437a414a42674e5642415954416b4e494d526b77467759445651514b0a4578424d615735316543427a64484a76626d6454643246754d527377475159445651514445784a7a64484a76626d64546432467549464a7662335167513047430a4151417748675944565230524242637746594954625739766269357a64484a76626d647a643246754c6d39795a7a415442674e56485355454444414b426767720a42674546425163444154413542674e56485238454d6a41774d4336674c4b41716869686f644852774f69387659334a734c6e4e30636d39755a334e33595734750a62334a6e4c334e30636d39755a334e335957347559334a734d4130474353714753496233445145424377554141344942415143637458673278654d6f7a6154560a6a69424c3150384d5939754548354a7455304563655131526249352f32764752646e45434e44396f4144593576616d616145324d64713251682f766c586e4d4c0a6f33696935454c6a73516c596454595a4f634d4f6463555558597662624658316377706b426879426c314832354b7074486367512f486e63654b70336b4f75710a77594f596a6777655058756c6370575878304532517451434651515a4650794557654e4a7848306f676c6735335150586648593949322f47756b6a355630627a0a70374d45304773384b646e59646d626244717a51675073746139362f6d2b486f4a6c737256462b34477169686a3642574d42513279626a50575a6447336f48390a32356345387636305279393844305a2f747967624155466e68356f4f766166363432706156676333616f4137374938552b555a6a45437849536f6948756c74590a37515475664f77500a2d2d2d2d2d454e442043455254494649434154452d2d2d2d2d0a'
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  1, 1
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  1, 2
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  1, 3
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  2, 4 
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  2, 6 
+);
+
+/* Private Keys */
+
+INSERT INTO private_keys (
+   type, data
+) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */
+  1, X'2d2d2d2d2d424547494e205253412050524956415445204b45592d2d2d2d2d0a4d4949456f77494241414b43415145417969396a5064533775675747495673566f444576632f557a456b384c4d35756134547532534c41725445614f4477486d0a4d5076766b686c3764776a31322f2f71666b6c6968705a7464617a784f39586b4e336f594964677434514c7133356c6a74496b45476773506e3361336e6946510a716a6b43446a2b6c4b6d6439753465636d474b52355046554c2b4c7753553663584a564e543670316f58716e74575a53386246752b3979305a706633304c66310a494c795a4167553257546a537a544879767530773532476c62414c5a33494c777a652f4a3144524874716d506469697530717753656b715642494f505a7564520a666c344c426e4c49466c5230764f614a397a7076787550484b797846535933627641735873456b5659472f7054795673783366454c464e4659502b373561724e0a3255544d6a62545371362b4b4b55723157774f6d6f42705531345177713367346c3150436877494441514142416f494241434246422f5871616a763666626e390a4b367078727a3032755877476d61635841745649446f507a656a576d5853345141346c313748724a446d656c536e68656c444b7279386e6e59486b5472547a370a6d6e307751344844577938366f2f6f6b4a55472f544b524c64366266373961525171716f6871643369516b486b343347797a7558482b6f47696f564b463066630a41434457773477666a4c37464d4e6448435a34427a394472484f2f79734865394236727653596d33565a52685378616e65496b614c6b6b4461644b70567833660a584e466c4d785934714b504a5959536f4a5a3631694d71724f372b726e413933746d7944447338504b553342746e70664e72646550676c654a48686b385a71790a4576322f4e4f43535578624b45384e43744c704754732b5430716a6a6e75346b33575064335a4f4241616e30755044656b485a6548422f6158474c68596378780a4a35537572714543675945412b46316770706b4552354a746f617564742f43557064513173523977786637355642714a34466959414247517a39786c47346f6a0a7a4c2f6f3537327330695633627746706e51612b5775577278476b50365a75422f5a38326e7063304e2f764c6f752f623464787667346e374b2b654f4f4566300a38464d6a7373653274715449584b4371636d516e52304e5051316a777576454b73585035772f4a4f6c6e525841586e64346a78734a49304367594541304761540a3631795374745557396a43336d787559366a6b5179385445517152336e4f467657776d435849574f704e2f4d54545075732b54656c78702f70644b68552b6d6f0a506d5833556e796e65355076776c6557447133597a6c7458355a445a474a35554a6c4b754e6e6647497a51364f6348526262377a4270514736715352507575670a62676f36383868546e62314c35396e4b38387a57564b3435657566367079756f492b537749474d436759454137797645386b6e7968425876657a7576307a31620a6547486d4870352f564477593044514b5345416f6942426957726b4c714c7962677758662f4b4a38645a5a6338456e303861465832474c4a7959652f4b6942310a797333797045424a716776526179502b6f2f394b5a2b714e4e5264307271416b735058764c3741424e4e74306b7a617054535644616533597536732f6a31616d0a44494c35714165455249446564473575445070517a645543675942374d746a705036334142684c76385862706242516e43787442797733573839462b586372740a7635356751646845346353754d7a412f43754d4834764e7050533641493961424a4e686a3343744b6f2f634f4a616368414762312f77766b4f35414c764c57300a66685a6450737455546e444a61696e377666462f68777a62732f506c685867753954394b6c4c665276584664472b53643467386d756d52696f7a634c6b6f52770a7936585054774b4267444a502b733977586d644739304853542f61714337464b7256584c7042363364593573774e556651503673613070466e4f4e3072304a430a682f594373474646494165625132754f6b4d33673366396e6b775470373931306f762b2f3575546876524932773242425079306d5675414c506a797946315a320a6362397a70794b694975586f585243663473643872316c5239626e304678783053767078662b66704d475349357175484e424b590a2d2d2d2d2d454e44205253412050524956415445204b45592d2d2d2d2d0a'
+);
+
+INSERT INTO private_key_identity (
+  private_key, identity
+) VALUES (
+  1, 4 
+);
+
+INSERT INTO private_key_identity (
+  private_key, identity
+) VALUES (
+  1, 6 
+);
+
+/* Proposals */
+
+INSERT INTO proposals (
+  proposal
+) VALUES (
+  'aes128-aes192-aes256-sha256-sha384-sha512-modp3072-modp4096-modp8192'
+);
+
+/* Configurations */
+
+INSERT INTO ike_configs (
+  local, remote
+) VALUES (
+  'PH_IP_MOON', 'PH_IP_SUN'
+);
+
+INSERT INTO ike_config_proposal (
+  ike_cfg, prio, prop
+) VALUES (
+  1, 1, 1
+);
+
+INSERT INTO peer_configs (
+  name, ike_cfg, local_id, remote_id, mobike, dpd_delay
+) VALUES (
+  'net-net', 1, 4, 5, 0, 30
+);
+
+INSERT INTO child_configs (
+  name, updown, start_action, dpd_action
+) VALUES (
+  'net-1', 'ipsec _updown iptables', 1, 1
+);
+
+INSERT INTO child_configs (
+  name, updown, start_action, dpd_action
+) VALUES (
+  'net-2', 'ipsec _updown iptables', 1, 1
+);
+
+INSERT INTO child_configs (
+  name, updown, start_action, dpd_action
+) VALUES (
+  'net-3', 'ipsec _updown iptables', 0, 0
+);
+
+INSERT INTO peer_config_child_config (
+  peer_cfg, child_cfg
+) VALUES (
+  1, 1
+);
+
+INSERT INTO peer_config_child_config (
+  peer_cfg, child_cfg
+) VALUES (
+  1, 2
+);
+
+INSERT INTO peer_config_child_config (
+  peer_cfg, child_cfg
+) VALUES (
+  1, 3
+);
+
+INSERT INTO child_config_proposal (
+  child_cfg, prio, prop
+) VALUES (
+  1, 1, 1
+);
+
+INSERT INTO child_config_proposal (
+  child_cfg, prio, prop
+) VALUES (
+  2, 1, 1
+);
+
+INSERT INTO child_config_proposal (
+  child_cfg, prio, prop
+) VALUES (
+  3, 1, 1
+);
+
+INSERT INTO traffic_selectors (
+  type, start_addr, end_addr
+) VALUES (
+  7, X'0a010000', X'0a01000f'
+);
+
+INSERT INTO traffic_selectors (
+  type, start_addr, end_addr
+) VALUES (
+  7, X'0a010010', X'0a01001f'
+);
+
+INSERT INTO traffic_selectors (
+  type, start_addr, end_addr
+) VALUES (
+  7, X'0a010200', X'0a0103ff'
+);
+
+INSERT INTO traffic_selectors (
+  type, start_addr, end_addr
+) VALUES (
+  7, X'0a020000', X'0a0201ff'
+);
+
+INSERT INTO traffic_selectors (
+  type, start_addr, end_addr
+) VALUES (
+  7, X'0a020200', X'0a0203ff'
+);
+
+INSERT INTO child_config_traffic_selector (
+  child_cfg, traffic_selector, kind
+) VALUES (
+  1, 1, 0
+);
+
+INSERT INTO child_config_traffic_selector (
+	child_cfg, traffic_selector, kind
+) VALUES (
+  1, 4, 1
+);
+
+INSERT INTO child_config_traffic_selector (
+  child_cfg, traffic_selector, kind
+) VALUES (
+  2, 2, 0
+);
+
+INSERT INTO child_config_traffic_selector (
+	child_cfg, traffic_selector, kind
+) VALUES (
+  2, 4, 1
+);
+
+INSERT INTO child_config_traffic_selector (
+  child_cfg, traffic_selector, kind
+) VALUES (
+  3, 3, 0
+);
+
+INSERT INTO child_config_traffic_selector (
+	child_cfg, traffic_selector, kind
+) VALUES (
+  3, 5, 1
+);
diff --git a/testing/tests/sql/net2net-route-pem/hosts/moon/etc/ipsec.secrets b/testing/tests/sql/net2net-route-pem/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..76bb21bea
--- /dev/null
+++ b/testing/tests/sql/net2net-route-pem/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+# secrets are read from SQLite database
diff --git a/testing/tests/sql/net2net-route-pem/hosts/moon/etc/strongswan.conf b/testing/tests/sql/net2net-route-pem/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..f375db9c9
--- /dev/null
+++ b/testing/tests/sql/net2net-route-pem/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,10 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  plugins {
+    sql {
+      database = sqlite:///etc/ipsec.d/ipsec.db 
+    }
+  }
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
+}
diff --git a/testing/tests/sql/net2net-route-pem/hosts/sun/etc/ipsec.conf b/testing/tests/sql/net2net-route-pem/hosts/sun/etc/ipsec.conf
new file mode 100755
index 000000000..3bc29625f
--- /dev/null
+++ b/testing/tests/sql/net2net-route-pem/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,8 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+        strictcrlpolicy=no
+        plutostart=no
+
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/net2net-route-pem/hosts/sun/etc/ipsec.d/data.sql b/testing/tests/sql/net2net-route-pem/hosts/sun/etc/ipsec.d/data.sql
new file mode 100644
index 000000000..97c482e05
--- /dev/null
+++ b/testing/tests/sql/net2net-route-pem/hosts/sun/etc/ipsec.d/data.sql
@@ -0,0 +1,249 @@
+/* Identities */
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */
+  9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+  11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+  11, X'ae096b87b44886d3b820978623dabd0eae22ebbc'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* moon.strongswan.org */
+  2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* sun.strongswan.org */
+  2, X'73756e2e7374726f6e677377616e2e6f7267'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=sun.strongswan.org' */
+  11, X'56d69e2fdaa8a1cd195c2353e7c5b67096e30bfb'
+ );
+
+/* Certificates */
+
+INSERT INTO certificates (
+   type, keytype, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */
+  1, 1, X'2d2d2d2d2d424547494e2043455254494649434154452d2d2d2d2d0a4d494944754443434171436741774942416749424144414e42676b71686b69473977304241517346414442464d517377435159445651514745774a445344455a0a4d4263474131554543684d5154476c7564586767633352796232356e55336468626a45624d426b474131554541784d53633352796232356e55336468626942530a6232393049454e424d423458445441304d446b784d4445774d4445784f466f58445445354d446b774e7a45774d4445784f466f775254454c4d416b47413155450a42684d43513067784754415842674e5642416f5445457870626e563449484e30636d39755a314e3359573478477a415a42674e5642414d54456e4e30636d39750a5a314e3359573467556d39766443424451544343415349774451594a4b6f5a496876634e4151454242514144676745504144434341516f4367674542414c2f790a58324c7150565a75574c5049656b6e4b383678687a366c6a64334e4e6843327a2b5031756f43503373424d755a695a51456a467a686e4b6362587843656f32660a466e76684f4f6a727269735375566b7a757538326f7858443366496b7a7553376d395634453130455a7a676d4b5749662b57754e52666267417555494e6d4c630a345947415842514c50797a7050344f75343868687a2f59516f3538426963733650487935763334714356524f4958447671686a39315038672b70532b4632312f0a37502b4348326a5263564945485a7447384d2f507765545051393564507a705964324f7636535a2f553745576d624d6d5438566355596e3161436878466d79350a6777655642576c6b48364d502b31446545302f744c35633837786f354b4365474b3854647170653773425243347050454548445163695455766b65754a3150720a4b2b314c77647152786f3748674d5269447738434177454141614f42736a4342727a415342674e5648524d4241663845434441474151482f416745424d4173470a413155644477514541774942426a416442674e5648513445466751555861666463415a524d6e376e746d327a74655867594f6f7554653877625159445652306a0a424759775a4941555861666463415a524d6e376e746d327a74655867594f6f7554652b68536152484d455578437a414a42674e5642415954416b4e494d526b770a467759445651514b4578424d615735316543427a64484a76626d6454643246754d527377475159445651514445784a7a64484a76626d64546432467549464a760a6233516751304743415141774451594a4b6f5a496876634e4151454c425141446767454241434f536d71454274424c52396156335579434938676d7a5235696e0a4c74653961555858532b716973364632683253746634734e2b4e6c36476a37524543365370664548347757647769554c354a30434a68796f4f6a5175446c336e0a314477336445342f7a714d5a6479444b455954553735546d7675734e4a426447734c6b726637454154416a6f692f6e72544f5950506853555a7650702f442b590a764f524a39456a353147586c4b316e774542356941382b7444596e694e516e364244314d456749656a7a4b2b66626979376272615a42316b71686f45723253690a376c7542536e55393132737734393445383861324557626d4d766732545648504e7a4370566b704e6b376b69664369776d7739566c646b71597939792f6c43610a45707970376c54664b77376362443034566b38514a573738324c36437375786b6c333436623137776d4f716e38415a6970733374467375415933773d0a2d2d2d2d2d454e442043455254494649434154452d2d2d2d2d0a'
+);
+
+INSERT INTO certificates (
+   type, keytype, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=sun.strongswan.org */
+  1, 1, X'2d2d2d2d2d424547494e2043455254494649434154452d2d2d2d2d0a4d49494549444343417769674177494241674942466a414e42676b71686b69473977304241517346414442464d517377435159445651514745774a445344455a0a4d4263474131554543684d5154476c7564586767633352796232356e55336468626a45624d426b474131554541784d53633352796232356e55336468626942530a6232393049454e424d423458445441354d4467794e7a41354e546b774e466f58445445304d4467794e6a41354e546b774e466f775254454c4d416b47413155450a42684d43513067784754415842674e5642416f5445457870626e563449484e30636d39755a314e3359573478477a415a42674e5642414d54456e4e316269357a0a64484a76626d647a643246754c6d39795a7a4343415349774451594a4b6f5a496876634e4151454242514144676745504144434341516f4367674542414e2b560a5649706e3651356a61552f2f454e3670364135635366556668424b306d4661326c6146465a682f593068363641587171725133583931376837594e73536b36380a6f6f77593968394933674f7837684e5642734a7232566a6459432b623071354e54686130392f41356d696d762f7072596a366f30796177786f506a6f447339590a683744374b662b4638666b676b3073746c484a5a5836364a37644e72465862673178426c642b4570354f72324662455a3951575570525154756864704e742f340a3959757851353944656d59394952627773724b434848306d47724a7344647165623061702b3851765358486a4374316672394d4e4b5761414641514c4b5149340a65306461316e74504345514c65453833332b4e4e5242674775666b304b714754336541587172786139414549554a6e5663506578516471554d6a6355705846620a38574e7a525742384567683342444b36467345434177454141614f4341526b77676745564d416b4741315564457751434d4141774377594456523050424151440a41674f6f4d42304741315564446751574242525731703476327169687a526c634931506e78625a776c754d4c2b7a427442674e5648534d455a6a426b674252640a70393177426c45796675653262624f31356542673669354e3736464a704563775254454c4d416b474131554542684d43513067784754415842674e5642416f540a45457870626e563449484e30636d39755a314e3359573478477a415a42674e5642414d54456e4e30636d39755a314e3359573467556d397664434244515949420a4144416442674e5648524545466a415567684a7a64573475633352796232356e6333646862693576636d6377457759445652306c42417777436759494b7759420a42515548417745774f51594456523066424449774d4441756f4379674b6f596f6148523063446f764c324e796243357a64484a76626d647a643246754c6d39790a5a79397a64484a76626d647a643246754c6d4e796244414e42676b71686b6947397730424151734641414f43415145416f33374c595439417778304d4b2f6e410a465a70504a7155723045792b4f35556b63736478376e643030536c6d7069515259384b6d7552584342516e444567644c73746433736c516a5430704a456757460a30707a7879626e4936654f7a5941684c66686172742b5831685552694e4762586a67676d32733449352b4b33326256496b4e45716c73596e642f3646396f6f350a5a4e4f302f65545472754c5a666b4e652f7a636842474b652f5a374d616356776c59575743624d744256344b316435644763525267705139576976446c6d61740a4e6839776c736344536753476b33484a6b62786e71363935564e377a5562445741557657576856356249446a6c41522f7879543941707149786979565652756c0a665972453755303548627436476741726f414b4c7036714a7570392b547851414b536a4b49774a306866374f7559795138545a7456485337414f686d2b542f350a472f6a4747413d3d0a2d2d2d2d2d454e442043455254494649434154452d2d2d2d2d0a'
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  1, 1
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  1, 2
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  1, 3
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  2, 5 
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  2, 6 
+);
+
+/* Private Keys */
+
+INSERT INTO private_keys (
+   type, data
+) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=sun.strongswan.org' */
+  1, X'2d2d2d2d2d424547494e205253412050524956415445204b45592d2d2d2d2d0a4d4949457041494241414b434151454133355655696d6670446d4e70542f385133716e6f446c784a39522b4545725359567261566f55566d48396a5348726f420a6571717444646633587548746732784b547279696a426a3248306a654137487545315547776d765a574e31674c357653726b314f4672543338446d614b612f2b0a6d746950716a544a724447672b4f674f7a316948735073702f3458782b53435453793255636c6c66726f6e7430327356647544584547563334536e6b367659560a73526e31425a536c46424f3646326b32332f6a31693746446e304e365a6a306846764379736f496366535961736d774e3270357652716e377843394a63654d4b0a33562b76307730705a6f415542417370416a6837523172576530384952417434547a666634303145474161352b5451716f5a50643442657176467230415168510a6d64567739374642327051794e78536c6356767859334e4659487753434863454d726f577751494441514142416f49424144483531686a4e327a6b394856676c0a516d635441577a6355696535634c4d6872502b4d396d7443384f336a634377774659364f77666e624d553844487930474d714867356c423862393955555650770a484c417a6a44772f45536b633670675a73344545684a5473784a4c7376546e655067487373456779586e58663767525645714a6b506f6866792b5a79305543480a6549555158694d6c4f513778673769444d68774e612b5564575374353339447a74534b696c516e327864505a6a466e4d54302f7072766c344e412f385a6e35340a2f5364574471357952644c576236454b315637794a33363837475852316a7a47746779375458756e63554a56545967583752645031546e36675744385941512f0a52665430446457596d34574853675362392f4e57386c425a483279793368672b6c4e676f665845765466426b4f3551795733314c497230744356367a684a49630a59394d78614b55436759454139736b7461586668504c653045436a646551454f7135454b754472437669534b434f754156344244534f736477362b354c5766590a56622f6f6b65384e37306c4c335243626c636a31704f4b575569324f2f5370454a6444526475697732674d39635874332f624368535448433454734978784e2f0a4462394f476737326b5a347352593541752b7a794141515942775868465775783139344a6b35714b304a626c4e47394a35514d715a44634367594541352b35680a426748554d454f2b70644d45356c416953633550634e54656a7041366a2b4f696b4368342f4846587933432f644c782b4373312b6567773634633869566149760a4e456f376e374539493065335871616e505258684d6e425272502b33394f567357506d5a31384c6932486938344b774a7969385931316c33584a4f71615970460a774d5655755a70785230646647356b2f354777542f74456b6d5142676c4f6747336d327a554d634367594541346d335664396168563564703541584b707a4b630a4a6a69504d466668784a6f372b46457a305a554370303371596c6a42752f4a79344d4b532f677272717969434c645147484e6c6b34534e784c766455496437380a356747426e757544454a5532644141494b554539797132596c42555a5361634f7853744932736e7432382f583650334c5557486d374c4c55354f5331443356660a6d4b50462f364d6c534a75617335434571565a4e4e2b4d436759424839516837496151676d565155424b565867334d76374f647576557954644b4947744878690a4e33785a376878734450344a6a4e57614b6d6c63476d4647583870715152686549383364334e4a34474b38476d6250335773743070363566657a4d71737564720a723330516d5046696367732f745943514477366f2b61507a77416932462b564f5371726672744149616c64537137684c2b56413231644b422b63443955674f580a6a50642b54774b42675143624b656732514e53327168504947396561714a44524f75786d78622f303764374f426374674d677856764b687157396857343253790a674a353966797a35516a4642615366634f646634676b4b79456177566f34352f7136796d495155333752347646344357395a334366614962774a70374c6348560a7a483037736f2f484e735a75613647574353434c4a55354d654352695a7a6b3252466953394b49614c5034675a6e6476346c584f69513d3d0a2d2d2d2d2d454e44205253412050524956415445204b45592d2d2d2d2d0a'
+);
+
+INSERT INTO private_key_identity (
+  private_key, identity
+) VALUES (
+  1, 5 
+);
+
+INSERT INTO private_key_identity (
+  private_key, identity
+) VALUES (
+  1, 6 
+);
+
+/* Proposals */
+
+INSERT INTO proposals (
+  proposal
+) VALUES (
+  'aes128-sha256-modp3072'
+);
+
+/* Configurations */
+
+INSERT INTO ike_configs (
+  local, remote
+) VALUES (
+  'PH_IP_SUN', 'PH_IP_MOON'
+);
+
+INSERT INTO ike_config_proposal (
+  ike_cfg, prio, prop
+) VALUES (
+  1, 1, 1
+);
+
+INSERT INTO peer_configs (
+  name, ike_cfg, local_id, remote_id, mobike, dpd_delay
+) VALUES (
+  'net-net', 1, 5, 4, 0, 30
+);
+
+INSERT INTO child_configs (
+  name, updown, start_action, dpd_action
+) VALUES (
+  'net-1', 'ipsec _updown iptables', 1, 1
+);
+
+INSERT INTO child_configs (
+  name, updown, start_action, dpd_action
+) VALUES (
+  'net-2', 'ipsec _updown iptables', 1, 1
+);
+
+INSERT INTO child_configs (
+  name, updown, start_action, dpd_action
+) VALUES (
+  'net-3', 'ipsec _updown iptables', 0, 0
+);
+
+INSERT INTO peer_config_child_config (
+  peer_cfg, child_cfg
+) VALUES (
+  1, 1
+);
+
+INSERT INTO peer_config_child_config (
+  peer_cfg, child_cfg
+) VALUES (
+  1, 2
+);
+
+INSERT INTO peer_config_child_config (
+  peer_cfg, child_cfg
+) VALUES (
+  1, 3
+);
+
+INSERT INTO child_config_proposal (
+  child_cfg, prio, prop
+) VALUES (
+  1, 1, 1
+);
+
+INSERT INTO child_config_proposal (
+  child_cfg, prio, prop
+) VALUES (
+  2, 1, 1
+);
+
+INSERT INTO child_config_proposal (
+  child_cfg, prio, prop
+) VALUES (
+  3, 1, 1
+);
+
+INSERT INTO traffic_selectors (
+  type, start_addr, end_addr
+) VALUES (
+  7, X'0a010000', X'0a01000f'
+);
+
+INSERT INTO traffic_selectors (
+  type, start_addr, end_addr
+) VALUES (
+  7, X'0a010010', X'0a01001f'
+);
+
+INSERT INTO traffic_selectors (
+  type, start_addr, end_addr
+) VALUES (
+  7, X'0a010200', X'0a0103ff'
+);
+
+INSERT INTO traffic_selectors (
+  type, start_addr, end_addr
+) VALUES (
+  7, X'0a020000', X'0a0201ff'
+);
+
+INSERT INTO traffic_selectors (
+  type, start_addr, end_addr
+) VALUES (
+  7, X'0a020200', X'0a0203ff'
+);
+
+INSERT INTO child_config_traffic_selector (
+  child_cfg, traffic_selector, kind
+) VALUES (
+  1, 1, 1
+);
+
+INSERT INTO child_config_traffic_selector (
+	child_cfg, traffic_selector, kind
+) VALUES (
+  1, 4, 0
+);
+
+INSERT INTO child_config_traffic_selector (
+  child_cfg, traffic_selector, kind
+) VALUES (
+  2, 2, 1
+);
+
+INSERT INTO child_config_traffic_selector (
+	child_cfg, traffic_selector, kind
+) VALUES (
+  2, 4, 0
+);
+
+INSERT INTO child_config_traffic_selector (
+  child_cfg, traffic_selector, kind
+) VALUES (
+  3, 3, 1
+);
+
+INSERT INTO child_config_traffic_selector (
+	child_cfg, traffic_selector, kind
+) VALUES (
+  3, 5, 0
+);
diff --git a/testing/tests/sql/net2net-route-pem/hosts/sun/etc/ipsec.secrets b/testing/tests/sql/net2net-route-pem/hosts/sun/etc/ipsec.secrets
new file mode 100644
index 000000000..76bb21bea
--- /dev/null
+++ b/testing/tests/sql/net2net-route-pem/hosts/sun/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+# secrets are read from SQLite database
diff --git a/testing/tests/sql/net2net-route-pem/hosts/sun/etc/strongswan.conf b/testing/tests/sql/net2net-route-pem/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..f375db9c9
--- /dev/null
+++ b/testing/tests/sql/net2net-route-pem/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,10 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  plugins {
+    sql {
+      database = sqlite:///etc/ipsec.d/ipsec.db 
+    }
+  }
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
+}
diff --git a/testing/tests/sql/net2net-route-pem/posttest.dat b/testing/tests/sql/net2net-route-pem/posttest.dat
new file mode 100644
index 000000000..13f7ede0a
--- /dev/null
+++ b/testing/tests/sql/net2net-route-pem/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
+moon::rm /etc/ipsec.d/ipsec.*
+sun::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/sql/net2net-route-pem/pretest.dat b/testing/tests/sql/net2net-route-pem/pretest.dat
new file mode 100644
index 000000000..5a537e15b
--- /dev/null
+++ b/testing/tests/sql/net2net-route-pem/pretest.dat
@@ -0,0 +1,13 @@
+moon::rm /etc/ipsec.d/cacerts/*
+sun::rm /etc/ipsec.d/cacerts/*
+moon::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+sun::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+sun::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+moon::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
+sun::ipsec start
+moon::ipsec start
+moon::sleep 1
+alice::ping -c 1 PH_IP_BOB
+bob::ping -c 1 PH_IP_VENUS
diff --git a/testing/tests/sql/net2net-route-pem/test.conf b/testing/tests/sql/net2net-route-pem/test.conf
new file mode 100644
index 000000000..13a8a2a48
--- /dev/null
+++ b/testing/tests/sql/net2net-route-pem/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice venus moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-w-s-b.png"
+ 
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/sql/net2net-start-pem/description.txt b/testing/tests/sql/net2net-start-pem/description.txt
new file mode 100644
index 000000000..ff83304e8
--- /dev/null
+++ b/testing/tests/sql/net2net-start-pem/description.txt
@@ -0,0 +1,10 @@
+A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
+The authentication is based on <b>X.509 certificates</b> and <b>RSA private keys</b> stored
+in <b>PEM format</b> in an <b>SQLite database</b>. The IKE_SA configuration details and the 
+traffic selectors of three CHILD_SAs are also stored in the database and are marked to be
+automatically started by gateway <b>moon</b> via the <b>start_action</b> field in the
+<b>child_configs</b> table.
+<p/> 
+In order to test both tunnel and firewall, client <b>alice</b>
+behind gateway <b>moon</b> pings client <b>bob</b> located behind gateway <b>sun</b> and
+<b>bob</b> in turn ping client <b>venus</b> behind gateway <b>moon</b>.
diff --git a/testing/tests/sql/net2net-start-pem/evaltest.dat b/testing/tests/sql/net2net-start-pem/evaltest.dat
new file mode 100644
index 000000000..eaacd0133
--- /dev/null
+++ b/testing/tests/sql/net2net-start-pem/evaltest.dat
@@ -0,0 +1,12 @@
+moon::ipsec statusall::net-net.*ESTABLISHED::YES
+sun::ipsec statusall::net-net.*ESTABLISHED::YES
+moon::ipsec statusall::net-1.*INSTALLED::YES
+sun::ipsec statusall::net-1.*INSTALLED::YES
+moon::ipsec statusall::net-2.*INSTALLED::YES
+sun::ipsec statusall::net-2.*INSTALLED::YES
+moon::ipsec statusall::net-3.*INSTALLED::YES
+sun::ipsec statusall::net-3.*INSTALLED::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+bob:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/sql/net2net-start-pem/hosts/moon/etc/ipsec.conf b/testing/tests/sql/net2net-start-pem/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..3bc29625f
--- /dev/null
+++ b/testing/tests/sql/net2net-start-pem/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,8 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+        strictcrlpolicy=no
+        plutostart=no
+
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/net2net-start-pem/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/net2net-start-pem/hosts/moon/etc/ipsec.d/data.sql
new file mode 100644
index 000000000..e828f8902
--- /dev/null
+++ b/testing/tests/sql/net2net-start-pem/hosts/moon/etc/ipsec.d/data.sql
@@ -0,0 +1,279 @@
+/* Identities */
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */
+  9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+  11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+  11, X'ae096b87b44886d3b820978623dabd0eae22ebbc'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* moon.strongswan.org */
+  2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* sun.strongswan.org */
+  2, X'73756e2e7374726f6e677377616e2e6f7267'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */
+  11, X'6a9c74d1f8897989f65a94e989f1fac3649d292e'
+ );
+
+/* Certificates */
+
+INSERT INTO certificates (
+   type, keytype, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */
+  1, 1, X'2d2d2d2d2d424547494e2043455254494649434154452d2d2d2d2d0a4d494944754443434171436741774942416749424144414e42676b71686b69473977304241517346414442464d517377435159445651514745774a445344455a0a4d4263474131554543684d5154476c7564586767633352796232356e55336468626a45624d426b474131554541784d53633352796232356e55336468626942530a6232393049454e424d423458445441304d446b784d4445774d4445784f466f58445445354d446b774e7a45774d4445784f466f775254454c4d416b47413155450a42684d43513067784754415842674e5642416f5445457870626e563449484e30636d39755a314e3359573478477a415a42674e5642414d54456e4e30636d39750a5a314e3359573467556d39766443424451544343415349774451594a4b6f5a496876634e4151454242514144676745504144434341516f4367674542414c2f790a58324c7150565a75574c5049656b6e4b383678687a366c6a64334e4e6843327a2b5031756f43503373424d755a695a51456a467a686e4b6362587843656f32660a466e76684f4f6a727269735375566b7a757538326f7858443366496b7a7553376d395634453130455a7a676d4b5749662b57754e52666267417555494e6d4c630a345947415842514c50797a7050344f75343868687a2f59516f3538426963733650487935763334714356524f4958447671686a39315038672b70532b4632312f0a37502b4348326a5263564945485a7447384d2f507765545051393564507a705964324f7636535a2f553745576d624d6d5438566355596e3161436878466d79350a6777655642576c6b48364d502b31446545302f744c35633837786f354b4365474b3854647170653773425243347050454548445163695455766b65754a3150720a4b2b314c77647152786f3748674d5269447738434177454141614f42736a4342727a415342674e5648524d4241663845434441474151482f416745424d4173470a413155644477514541774942426a416442674e5648513445466751555861666463415a524d6e376e746d327a74655867594f6f7554653877625159445652306a0a424759775a4941555861666463415a524d6e376e746d327a74655867594f6f7554652b68536152484d455578437a414a42674e5642415954416b4e494d526b770a467759445651514b4578424d615735316543427a64484a76626d6454643246754d527377475159445651514445784a7a64484a76626d64546432467549464a760a6233516751304743415141774451594a4b6f5a496876634e4151454c425141446767454241434f536d71454274424c52396156335579434938676d7a5235696e0a4c74653961555858532b716973364632683253746634734e2b4e6c36476a37524543365370664548347757647769554c354a30434a68796f4f6a5175446c336e0a314477336445342f7a714d5a6479444b455954553735546d7675734e4a426447734c6b726637454154416a6f692f6e72544f5950506853555a7650702f442b590a764f524a39456a353147586c4b316e774542356941382b7444596e694e516e364244314d456749656a7a4b2b66626979376272615a42316b71686f45723253690a376c7542536e55393132737734393445383861324557626d4d766732545648504e7a4370566b704e6b376b69664369776d7739566c646b71597939792f6c43610a45707970376c54664b77376362443034566b38514a573738324c36437375786b6c333436623137776d4f716e38415a6970733374467375415933773d0a2d2d2d2d2d454e442043455254494649434154452d2d2d2d2d0a'
+);
+
+INSERT INTO certificates (
+   type, keytype, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=moon.strongswan.org */
+  1, 1, X'2d2d2d2d2d424547494e2043455254494649434154452d2d2d2d2d0a4d494945496a4343417771674177494241674942467a414e42676b71686b69473977304241517346414442464d517377435159445651514745774a445344455a0a4d4263474131554543684d5154476c7564586767633352796232356e55336468626a45624d426b474131554541784d53633352796232356e55336468626942530a6232393049454e424d423458445441354d4467794e7a45774d444d7a4d6c6f58445445304d4467794e6a45774d444d7a4d6c6f77526a454c4d416b47413155450a42684d43513067784754415842674e5642416f5445457870626e563449484e30636d39755a314e33595734784844416142674e5642414d5445323176623234750a633352796232356e6333646862693576636d6377676745694d4130474353714753496233445145424151554141344942447741776767454b416f49424151444b0a4c324d39314c753642595968577857674d53397a39544d535477737a6d3572684f375a497343744d526f3450416559772b2b2b5347587433435058622f2b702b0a53574b476c6d313172504537316551336568676832433368417572666d574f306951516143772b6664726565495643714f51494f503655715a333237683579590a5970486b385651763476424a547078636c553150716e5768657165315a6c4c7873573737334c526d6c2f6651742f5567764a6b4342545a5a4f4e4c4e4d664b2b0a3754446e5961567341746e636776444e37386e554e456532715939324b4b375372424a36537055456734396d3531462b586773476373675756485338356f6e330a4f6d2f47343863724c45564a6a6475384378657753525667622b6c504a577a4864385173553056672f37766c7173335a524d794e744e4b7272346f70537656620a41366167476c5458684443726544695855384b4841674d424141476a676745614d494942466a414a42674e5648524d45416a41414d41734741315564447751450a417749447144416442674e564851344546675155617078303066694a65596e325770547069664836773253644b533477625159445652306a424759775a4941550a5861666463415a524d6e376e746d327a74655867594f6f7554652b68536152484d455578437a414a42674e5642415954416b4e494d526b77467759445651514b0a4578424d615735316543427a64484a76626d6454643246754d527377475159445651514445784a7a64484a76626d64546432467549464a7662335167513047430a4151417748675944565230524242637746594954625739766269357a64484a76626d647a643246754c6d39795a7a415442674e56485355454444414b426767720a42674546425163444154413542674e56485238454d6a41774d4336674c4b41716869686f644852774f69387659334a734c6e4e30636d39755a334e33595734750a62334a6e4c334e30636d39755a334e335957347559334a734d4130474353714753496233445145424377554141344942415143637458673278654d6f7a6154560a6a69424c3150384d5939754548354a7455304563655131526249352f32764752646e45434e44396f4144593576616d616145324d64713251682f766c586e4d4c0a6f33696935454c6a73516c596454595a4f634d4f6463555558597662624658316377706b426879426c314832354b7074486367512f486e63654b70336b4f75710a77594f596a6777655058756c6370575878304532517451434651515a4650794557654e4a7848306f676c6735335150586648593949322f47756b6a355630627a0a70374d45304773384b646e59646d626244717a51675073746139362f6d2b486f4a6c737256462b34477169686a3642574d42513279626a50575a6447336f48390a32356345387636305279393844305a2f747967624155466e68356f4f766166363432706156676333616f4137374938552b555a6a45437849536f6948756c74590a37515475664f77500a2d2d2d2d2d454e442043455254494649434154452d2d2d2d2d0a'
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  1, 1
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  1, 2
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  1, 3
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  2, 4 
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  2, 6 
+);
+
+/* Private Keys */
+
+INSERT INTO private_keys (
+   type, data
+) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */
+  1, X'2d2d2d2d2d424547494e205253412050524956415445204b45592d2d2d2d2d0a4d4949456f77494241414b43415145417969396a5064533775675747495673566f444576632f557a456b384c4d35756134547532534c41725445614f4477486d0a4d5076766b686c3764776a31322f2f71666b6c6968705a7464617a784f39586b4e336f594964677434514c7133356c6a74496b45476773506e3361336e6946510a716a6b43446a2b6c4b6d6439753465636d474b52355046554c2b4c7753553663584a564e543670316f58716e74575a53386246752b3979305a706633304c66310a494c795a4167553257546a537a544879767530773532476c62414c5a33494c777a652f4a3144524874716d506469697530717753656b715642494f505a7564520a666c344c426e4c49466c5230764f614a397a7076787550484b797846535933627641735873456b5659472f7054795673783366454c464e4659502b373561724e0a3255544d6a62545371362b4b4b55723157774f6d6f42705531345177713367346c3150436877494441514142416f494241434246422f5871616a763666626e390a4b367078727a3032755877476d61635841745649446f507a656a576d5853345141346c313748724a446d656c536e68656c444b7279386e6e59486b5472547a370a6d6e307751344844577938366f2f6f6b4a55472f544b524c64366266373961525171716f6871643369516b486b343347797a7558482b6f47696f564b463066630a41434457773477666a4c37464d4e6448435a34427a394472484f2f79734865394236727653596d33565a52685378616e65496b614c6b6b4461644b70567833660a584e466c4d785934714b504a5959536f4a5a3631694d71724f372b726e413933746d7944447338504b553342746e70664e72646550676c654a48686b385a71790a4576322f4e4f43535578624b45384e43744c704754732b5430716a6a6e75346b33575064335a4f4241616e30755044656b485a6548422f6158474c68596378780a4a35537572714543675945412b46316770706b4552354a746f617564742f43557064513173523977786637355642714a34466959414247517a39786c47346f6a0a7a4c2f6f3537327330695633627746706e51612b5775577278476b50365a75422f5a38326e7063304e2f764c6f752f623464787667346e374b2b654f4f4566300a38464d6a7373653274715449584b4371636d516e52304e5051316a777576454b73585035772f4a4f6c6e525841586e64346a78734a49304367594541304761540a3631795374745557396a43336d787559366a6b5179385445517152336e4f467657776d435849574f704e2f4d54545075732b54656c78702f70644b68552b6d6f0a506d5833556e796e65355076776c6557447133597a6c7458355a445a474a35554a6c4b754e6e6647497a51364f6348526262377a4270514736715352507575670a62676f36383868546e62314c35396e4b38387a57564b3435657566367079756f492b537749474d436759454137797645386b6e7968425876657a7576307a31620a6547486d4870352f564477593044514b5345416f6942426957726b4c714c7962677758662f4b4a38645a5a6338456e303861465832474c4a7959652f4b6942310a797333797045424a716776526179502b6f2f394b5a2b714e4e5264307271416b735058764c3741424e4e74306b7a617054535644616533597536732f6a31616d0a44494c35714165455249446564473575445070517a645543675942374d746a705036334142684c76385862706242516e43787442797733573839462b586372740a7635356751646845346353754d7a412f43754d4834764e7050533641493961424a4e686a3343744b6f2f634f4a616368414762312f77766b4f35414c764c57300a66685a6450737455546e444a61696e377666462f68777a62732f506c685867753954394b6c4c665276584664472b53643467386d756d52696f7a634c6b6f52770a7936585054774b4267444a502b733977586d644739304853542f61714337464b7256584c7042363364593573774e556651503673613070466e4f4e3072304a430a682f594373474646494165625132754f6b4d33673366396e6b775470373931306f762b2f3575546876524932773242425079306d5675414c506a797946315a320a6362397a70794b694975586f585243663473643872316c5239626e304678783053767078662b66704d475349357175484e424b590a2d2d2d2d2d454e44205253412050524956415445204b45592d2d2d2d2d0a'
+);
+
+INSERT INTO private_key_identity (
+  private_key, identity
+) VALUES (
+  1, 4 
+);
+
+INSERT INTO private_key_identity (
+  private_key, identity
+) VALUES (
+  1, 6 
+);
+
+/* Proposals */
+
+INSERT INTO proposals (
+  proposal
+) VALUES (
+  'aes128-sha256-modp2048'
+);
+
+INSERT INTO proposals (
+  proposal
+) VALUES (
+  'aes192-sha384-modp3072'
+);
+
+INSERT INTO proposals (
+  proposal
+) VALUES (
+  'aes128gcm128'
+);
+
+INSERT INTO proposals (
+  proposal
+) VALUES (
+  'aes192gcm128'
+);
+
+/* Configurations */
+
+INSERT INTO ike_configs (
+  local, remote
+) VALUES (
+  'PH_IP_MOON', 'PH_IP_SUN'
+);
+
+INSERT INTO ike_config_proposal (
+  ike_cfg, prio, prop
+) VALUES (
+  1, 1, 1
+);
+
+INSERT INTO ike_config_proposal (
+  ike_cfg, prio, prop
+) VALUES (
+  1, 2, 2
+);
+
+INSERT INTO peer_configs (
+  name, ike_cfg, local_id, remote_id, mobike, dpd_delay
+) VALUES (
+  'net-net', 1, 4, 5, 0, 30
+);
+
+INSERT INTO child_configs (
+  name, updown, start_action, dpd_action
+) VALUES (
+  'net-1', 'ipsec _updown iptables', 2, 2
+);
+
+INSERT INTO child_configs (
+  name, updown, start_action, dpd_action
+) VALUES (
+  'net-2', 'ipsec _updown iptables', 2, 2
+);
+
+INSERT INTO child_configs (
+  name, updown, start_action, dpd_action
+) VALUES (
+  'net-3', 'ipsec _updown iptables', 2, 2
+);
+
+INSERT INTO peer_config_child_config (
+  peer_cfg, child_cfg
+) VALUES (
+  1, 1
+);
+
+INSERT INTO peer_config_child_config (
+  peer_cfg, child_cfg
+) VALUES (
+  1, 2
+);
+
+INSERT INTO peer_config_child_config (
+  peer_cfg, child_cfg
+) VALUES (
+  1, 3
+);
+
+INSERT INTO child_config_proposal (
+  child_cfg, prio, prop
+) VALUES (
+  1, 1, 3
+);
+
+INSERT INTO child_config_proposal (
+  child_cfg, prio, prop
+) VALUES (
+  2, 1, 4
+);
+
+INSERT INTO child_config_proposal (
+  child_cfg, prio, prop
+) VALUES (
+  3, 1, 3
+);
+
+INSERT INTO child_config_proposal (
+  child_cfg, prio, prop
+) VALUES (
+  3, 2, 4
+);
+
+INSERT INTO traffic_selectors (
+  type, start_addr, end_addr
+) VALUES (
+  7, X'0a010000', X'0a01000f'
+);
+
+INSERT INTO traffic_selectors (
+  type, start_addr, end_addr
+) VALUES (
+  7, X'0a010010', X'0a01001f'
+);
+
+INSERT INTO traffic_selectors (
+  type, start_addr, end_addr
+) VALUES (
+  7, X'0a010200', X'0a0103ff'
+);
+
+INSERT INTO traffic_selectors (
+  type, start_addr, end_addr
+) VALUES (
+  7, X'0a020000', X'0a0201ff'
+);
+
+INSERT INTO traffic_selectors (
+  type, start_addr, end_addr
+) VALUES (
+  7, X'0a020200', X'0a0203ff'
+);
+
+INSERT INTO child_config_traffic_selector (
+  child_cfg, traffic_selector, kind
+) VALUES (
+  1, 1, 0
+);
+
+INSERT INTO child_config_traffic_selector (
+	child_cfg, traffic_selector, kind
+) VALUES (
+  1, 4, 1
+);
+
+INSERT INTO child_config_traffic_selector (
+  child_cfg, traffic_selector, kind
+) VALUES (
+  2, 2, 0
+);
+
+INSERT INTO child_config_traffic_selector (
+	child_cfg, traffic_selector, kind
+) VALUES (
+  2, 4, 1
+);
+
+INSERT INTO child_config_traffic_selector (
+  child_cfg, traffic_selector, kind
+) VALUES (
+  3, 3, 0
+);
+
+INSERT INTO child_config_traffic_selector (
+	child_cfg, traffic_selector, kind
+) VALUES (
+  3, 5, 1
+);
diff --git a/testing/tests/sql/net2net-start-pem/hosts/moon/etc/ipsec.secrets b/testing/tests/sql/net2net-start-pem/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..76bb21bea
--- /dev/null
+++ b/testing/tests/sql/net2net-start-pem/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+# secrets are read from SQLite database
diff --git a/testing/tests/sql/net2net-start-pem/hosts/moon/etc/strongswan.conf b/testing/tests/sql/net2net-start-pem/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..f375db9c9
--- /dev/null
+++ b/testing/tests/sql/net2net-start-pem/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,10 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  plugins {
+    sql {
+      database = sqlite:///etc/ipsec.d/ipsec.db 
+    }
+  }
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
+}
diff --git a/testing/tests/sql/net2net-start-pem/hosts/sun/etc/ipsec.conf b/testing/tests/sql/net2net-start-pem/hosts/sun/etc/ipsec.conf
new file mode 100755
index 000000000..3bc29625f
--- /dev/null
+++ b/testing/tests/sql/net2net-start-pem/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,8 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+        strictcrlpolicy=no
+        plutostart=no
+
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/net2net-start-pem/hosts/sun/etc/ipsec.d/data.sql b/testing/tests/sql/net2net-start-pem/hosts/sun/etc/ipsec.d/data.sql
new file mode 100644
index 000000000..c5676b749
--- /dev/null
+++ b/testing/tests/sql/net2net-start-pem/hosts/sun/etc/ipsec.d/data.sql
@@ -0,0 +1,273 @@
+/* Identities */
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */
+  9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+  11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+  11, X'ae096b87b44886d3b820978623dabd0eae22ebbc'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* moon.strongswan.org */
+  2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* sun.strongswan.org */
+  2, X'73756e2e7374726f6e677377616e2e6f7267'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=sun.strongswan.org' */
+  11, X'56d69e2fdaa8a1cd195c2353e7c5b67096e30bfb'
+ );
+
+/* Certificates */
+
+INSERT INTO certificates (
+   type, keytype, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */
+  1, 1, X'2d2d2d2d2d424547494e2043455254494649434154452d2d2d2d2d0a4d494944754443434171436741774942416749424144414e42676b71686b69473977304241517346414442464d517377435159445651514745774a445344455a0a4d4263474131554543684d5154476c7564586767633352796232356e55336468626a45624d426b474131554541784d53633352796232356e55336468626942530a6232393049454e424d423458445441304d446b784d4445774d4445784f466f58445445354d446b774e7a45774d4445784f466f775254454c4d416b47413155450a42684d43513067784754415842674e5642416f5445457870626e563449484e30636d39755a314e3359573478477a415a42674e5642414d54456e4e30636d39750a5a314e3359573467556d39766443424451544343415349774451594a4b6f5a496876634e4151454242514144676745504144434341516f4367674542414c2f790a58324c7150565a75574c5049656b6e4b383678687a366c6a64334e4e6843327a2b5031756f43503373424d755a695a51456a467a686e4b6362587843656f32660a466e76684f4f6a727269735375566b7a757538326f7858443366496b7a7553376d395634453130455a7a676d4b5749662b57754e52666267417555494e6d4c630a345947415842514c50797a7050344f75343868687a2f59516f3538426963733650487935763334714356524f4958447671686a39315038672b70532b4632312f0a37502b4348326a5263564945485a7447384d2f507765545051393564507a705964324f7636535a2f553745576d624d6d5438566355596e3161436878466d79350a6777655642576c6b48364d502b31446545302f744c35633837786f354b4365474b3854647170653773425243347050454548445163695455766b65754a3150720a4b2b314c77647152786f3748674d5269447738434177454141614f42736a4342727a415342674e5648524d4241663845434441474151482f416745424d4173470a413155644477514541774942426a416442674e5648513445466751555861666463415a524d6e376e746d327a74655867594f6f7554653877625159445652306a0a424759775a4941555861666463415a524d6e376e746d327a74655867594f6f7554652b68536152484d455578437a414a42674e5642415954416b4e494d526b770a467759445651514b4578424d615735316543427a64484a76626d6454643246754d527377475159445651514445784a7a64484a76626d64546432467549464a760a6233516751304743415141774451594a4b6f5a496876634e4151454c425141446767454241434f536d71454274424c52396156335579434938676d7a5235696e0a4c74653961555858532b716973364632683253746634734e2b4e6c36476a37524543365370664548347757647769554c354a30434a68796f4f6a5175446c336e0a314477336445342f7a714d5a6479444b455954553735546d7675734e4a426447734c6b726637454154416a6f692f6e72544f5950506853555a7650702f442b590a764f524a39456a353147586c4b316e774542356941382b7444596e694e516e364244314d456749656a7a4b2b66626979376272615a42316b71686f45723253690a376c7542536e55393132737734393445383861324557626d4d766732545648504e7a4370566b704e6b376b69664369776d7739566c646b71597939792f6c43610a45707970376c54664b77376362443034566b38514a573738324c36437375786b6c333436623137776d4f716e38415a6970733374467375415933773d0a2d2d2d2d2d454e442043455254494649434154452d2d2d2d2d0a'
+);
+
+INSERT INTO certificates (
+   type, keytype, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=sun.strongswan.org */
+  1, 1, X'2d2d2d2d2d424547494e2043455254494649434154452d2d2d2d2d0a4d49494549444343417769674177494241674942466a414e42676b71686b69473977304241517346414442464d517377435159445651514745774a445344455a0a4d4263474131554543684d5154476c7564586767633352796232356e55336468626a45624d426b474131554541784d53633352796232356e55336468626942530a6232393049454e424d423458445441354d4467794e7a41354e546b774e466f58445445304d4467794e6a41354e546b774e466f775254454c4d416b47413155450a42684d43513067784754415842674e5642416f5445457870626e563449484e30636d39755a314e3359573478477a415a42674e5642414d54456e4e316269357a0a64484a76626d647a643246754c6d39795a7a4343415349774451594a4b6f5a496876634e4151454242514144676745504144434341516f4367674542414e2b560a5649706e3651356a61552f2f454e3670364135635366556668424b306d4661326c6146465a682f593068363641587171725133583931376837594e73536b36380a6f6f77593968394933674f7837684e5642734a7232566a6459432b623071354e54686130392f41356d696d762f7072596a366f30796177786f506a6f447339590a683744374b662b4638666b676b3073746c484a5a5836364a37644e72465862673178426c642b4570354f72324662455a3951575570525154756864704e742f340a3959757851353944656d59394952627773724b434848306d47724a7344647165623061702b3851765358486a4374316672394d4e4b5761414641514c4b5149340a65306461316e74504345514c65453833332b4e4e5242674775666b304b714754336541587172786139414549554a6e5663506578516471554d6a6355705846620a38574e7a525742384567683342444b36467345434177454141614f4341526b77676745564d416b4741315564457751434d4141774377594456523050424151440a41674f6f4d42304741315564446751574242525731703476327169687a526c634931506e78625a776c754d4c2b7a427442674e5648534d455a6a426b674252640a70393177426c45796675653262624f31356542673669354e3736464a704563775254454c4d416b474131554542684d43513067784754415842674e5642416f540a45457870626e563449484e30636d39755a314e3359573478477a415a42674e5642414d54456e4e30636d39755a314e3359573467556d397664434244515949420a4144416442674e5648524545466a415567684a7a64573475633352796232356e6333646862693576636d6377457759445652306c42417777436759494b7759420a42515548417745774f51594456523066424449774d4441756f4379674b6f596f6148523063446f764c324e796243357a64484a76626d647a643246754c6d39790a5a79397a64484a76626d647a643246754c6d4e796244414e42676b71686b6947397730424151734641414f43415145416f33374c595439417778304d4b2f6e410a465a70504a7155723045792b4f35556b63736478376e643030536c6d7069515259384b6d7552584342516e444567644c73746433736c516a5430704a456757460a30707a7879626e4936654f7a5941684c66686172742b5831685552694e4762586a67676d32733449352b4b33326256496b4e45716c73596e642f3646396f6f350a5a4e4f302f65545472754c5a666b4e652f7a636842474b652f5a374d616356776c59575743624d744256344b316435644763525267705139576976446c6d61740a4e6839776c736344536753476b33484a6b62786e71363935564e377a5562445741557657576856356249446a6c41522f7879543941707149786979565652756c0a665972453755303548627436476741726f414b4c7036714a7570392b547851414b536a4b49774a306866374f7559795138545a7456485337414f686d2b542f350a472f6a4747413d3d0a2d2d2d2d2d454e442043455254494649434154452d2d2d2d2d0a'
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  1, 1
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  1, 2
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  1, 3
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  2, 5 
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  2, 6 
+);
+
+/* Private Keys */
+
+INSERT INTO private_keys (
+   type, data
+) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=sun.strongswan.org' */
+  1, X'2d2d2d2d2d424547494e205253412050524956415445204b45592d2d2d2d2d0a4d4949457041494241414b434151454133355655696d6670446d4e70542f385133716e6f446c784a39522b4545725359567261566f55566d48396a5348726f420a6571717444646633587548746732784b547279696a426a3248306a654137487545315547776d765a574e31674c357653726b314f4672543338446d614b612f2b0a6d746950716a544a724447672b4f674f7a316948735073702f3458782b53435453793255636c6c66726f6e7430327356647544584547563334536e6b367659560a73526e31425a536c46424f3646326b32332f6a31693746446e304e365a6a306846764379736f496366535961736d774e3270357652716e377843394a63654d4b0a33562b76307730705a6f415542417370416a6837523172576530384952417434547a666634303145474161352b5451716f5a50643442657176467230415168510a6d64567739374642327051794e78536c6356767859334e4659487753434863454d726f577751494441514142416f49424144483531686a4e327a6b394856676c0a516d635441577a6355696535634c4d6872502b4d396d7443384f336a634377774659364f77666e624d553844487930474d714867356c423862393955555650770a484c417a6a44772f45536b633670675a73344545684a5473784a4c7376546e655067487373456779586e58663767525645714a6b506f6866792b5a79305543480a6549555158694d6c4f513778673769444d68774e612b5564575374353339447a74534b696c516e327864505a6a466e4d54302f7072766c344e412f385a6e35340a2f5364574471357952644c576236454b315637794a33363837475852316a7a47746779375458756e63554a56545967583752645031546e36675744385941512f0a52665430446457596d34574853675362392f4e57386c425a483279793368672b6c4e676f665845765466426b4f3551795733314c497230744356367a684a49630a59394d78614b55436759454139736b7461586668504c653045436a646551454f7135454b754472437669534b434f754156344244534f736477362b354c5766590a56622f6f6b65384e37306c4c335243626c636a31704f4b575569324f2f5370454a6444526475697732674d39635874332f624368535448433454734978784e2f0a4462394f476737326b5a347352593541752b7a794141515942775868465775783139344a6b35714b304a626c4e47394a35514d715a44634367594541352b35680a426748554d454f2b70644d45356c416953633550634e54656a7041366a2b4f696b4368342f4846587933432f644c782b4373312b6567773634633869566149760a4e456f376e374539493065335871616e505258684d6e425272502b33394f567357506d5a31384c6932486938344b774a7969385931316c33584a4f71615970460a774d5655755a70785230646647356b2f354777542f74456b6d5142676c4f6747336d327a554d634367594541346d335664396168563564703541584b707a4b630a4a6a69504d466668784a6f372b46457a305a554370303371596c6a42752f4a79344d4b532f677272717969434c645147484e6c6b34534e784c766455496437380a356747426e757544454a5532644141494b554539797132596c42555a5361634f7853744932736e7432382f583650334c5557486d374c4c55354f5331443356660a6d4b50462f364d6c534a75617335434571565a4e4e2b4d436759424839516837496151676d565155424b565867334d76374f647576557954644b4947744878690a4e33785a376878734450344a6a4e57614b6d6c63476d4647583870715152686549383364334e4a34474b38476d6250335773743070363566657a4d71737564720a723330516d5046696367732f745943514477366f2b61507a77416932462b564f5371726672744149616c64537137684c2b56413231644b422b63443955674f580a6a50642b54774b42675143624b656732514e53327168504947396561714a44524f75786d78622f303764374f426374674d677856764b687157396857343253790a674a353966797a35516a4642615366634f646634676b4b79456177566f34352f7136796d495155333752347646344357395a334366614962774a70374c6348560a7a483037736f2f484e735a75613647574353434c4a55354d654352695a7a6b3252466953394b49614c5034675a6e6476346c584f69513d3d0a2d2d2d2d2d454e44205253412050524956415445204b45592d2d2d2d2d0a'
+);
+
+INSERT INTO private_key_identity (
+  private_key, identity
+) VALUES (
+  1, 5 
+);
+
+INSERT INTO private_key_identity (
+  private_key, identity
+) VALUES (
+  1, 6 
+);
+
+/* Proposals */
+
+INSERT INTO proposals (
+  proposal
+) VALUES (
+  'aes128-sha256-modp2048'
+);
+
+INSERT INTO proposals (
+  proposal
+) VALUES (
+  'aes192-sha384-modp3072'
+);
+
+INSERT INTO proposals (
+  proposal
+) VALUES (
+  'aes128gcm128'
+);
+
+INSERT INTO proposals (
+  proposal
+) VALUES (
+  'aes192gcm128'
+);
+
+/* Configurations */
+
+INSERT INTO ike_configs (
+  local, remote
+) VALUES (
+  'PH_IP_SUN', 'PH_IP_MOON'
+);
+
+INSERT INTO ike_config_proposal (
+  ike_cfg, prio, prop
+) VALUES (
+  1, 1, 1
+);
+
+INSERT INTO ike_config_proposal (
+  ike_cfg, prio, prop
+) VALUES (
+  1, 2, 2
+);
+
+INSERT INTO peer_configs (
+  name, ike_cfg, local_id, remote_id, mobike, dpd_delay
+) VALUES (
+  'net-net', 1, 5, 4, 0, 30
+);
+
+INSERT INTO child_configs (
+  name, updown, start_action, dpd_action
+) VALUES (
+  'net-1', 'ipsec _updown iptables', 0, 0
+);
+
+INSERT INTO child_configs (
+  name, updown, start_action, dpd_action
+) VALUES (
+  'net-2', 'ipsec _updown iptables', 0, 0
+);
+
+INSERT INTO child_configs (
+  name, updown, start_action, dpd_action
+) VALUES (
+  'net-3', 'ipsec _updown iptables', 0, 0
+);
+
+INSERT INTO peer_config_child_config (
+  peer_cfg, child_cfg
+) VALUES (
+  1, 1
+);
+
+INSERT INTO peer_config_child_config (
+  peer_cfg, child_cfg
+) VALUES (
+  1, 2
+);
+
+INSERT INTO peer_config_child_config (
+  peer_cfg, child_cfg
+) VALUES (
+  1, 3
+);
+
+INSERT INTO child_config_proposal (
+  child_cfg, prio, prop
+) VALUES (
+  1, 1, 3
+);
+
+INSERT INTO child_config_proposal (
+  child_cfg, prio, prop
+) VALUES (
+  2, 1, 4
+);
+
+INSERT INTO child_config_proposal (
+  child_cfg, prio, prop
+) VALUES (
+  3, 1, 4
+);
+
+INSERT INTO traffic_selectors (
+  type, start_addr, end_addr
+) VALUES (
+  7, X'0a010000', X'0a01000f'
+);
+
+INSERT INTO traffic_selectors (
+  type, start_addr, end_addr
+) VALUES (
+  7, X'0a010010', X'0a01001f'
+);
+
+INSERT INTO traffic_selectors (
+  type, start_addr, end_addr
+) VALUES (
+  7, X'0a010200', X'0a0103ff'
+);
+
+INSERT INTO traffic_selectors (
+  type, start_addr, end_addr
+) VALUES (
+  7, X'0a020000', X'0a0201ff'
+);
+
+INSERT INTO traffic_selectors (
+  type, start_addr, end_addr
+) VALUES (
+  7, X'0a020200', X'0a0203ff'
+);
+
+INSERT INTO child_config_traffic_selector (
+  child_cfg, traffic_selector, kind
+) VALUES (
+  1, 1, 1
+);
+
+INSERT INTO child_config_traffic_selector (
+	child_cfg, traffic_selector, kind
+) VALUES (
+  1, 4, 0
+);
+
+INSERT INTO child_config_traffic_selector (
+  child_cfg, traffic_selector, kind
+) VALUES (
+  2, 2, 1
+);
+
+INSERT INTO child_config_traffic_selector (
+	child_cfg, traffic_selector, kind
+) VALUES (
+  2, 4, 0
+);
+
+INSERT INTO child_config_traffic_selector (
+  child_cfg, traffic_selector, kind
+) VALUES (
+  3, 3, 1
+);
+
+INSERT INTO child_config_traffic_selector (
+	child_cfg, traffic_selector, kind
+) VALUES (
+  3, 5, 0
+);
diff --git a/testing/tests/sql/net2net-start-pem/hosts/sun/etc/ipsec.secrets b/testing/tests/sql/net2net-start-pem/hosts/sun/etc/ipsec.secrets
new file mode 100644
index 000000000..76bb21bea
--- /dev/null
+++ b/testing/tests/sql/net2net-start-pem/hosts/sun/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+# secrets are read from SQLite database
diff --git a/testing/tests/sql/net2net-start-pem/hosts/sun/etc/strongswan.conf b/testing/tests/sql/net2net-start-pem/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..f375db9c9
--- /dev/null
+++ b/testing/tests/sql/net2net-start-pem/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,10 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  plugins {
+    sql {
+      database = sqlite:///etc/ipsec.d/ipsec.db 
+    }
+  }
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
+}
diff --git a/testing/tests/sql/net2net-start-pem/posttest.dat b/testing/tests/sql/net2net-start-pem/posttest.dat
new file mode 100644
index 000000000..13f7ede0a
--- /dev/null
+++ b/testing/tests/sql/net2net-start-pem/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
+moon::rm /etc/ipsec.d/ipsec.*
+sun::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/sql/net2net-start-pem/pretest.dat b/testing/tests/sql/net2net-start-pem/pretest.dat
new file mode 100644
index 000000000..3e168960d
--- /dev/null
+++ b/testing/tests/sql/net2net-start-pem/pretest.dat
@@ -0,0 +1,11 @@
+moon::rm /etc/ipsec.d/cacerts/*
+sun::rm /etc/ipsec.d/cacerts/*
+moon::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+sun::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+sun::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+moon::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
+sun::ipsec start
+moon::ipsec start
+moon::sleep 2
diff --git a/testing/tests/sql/net2net-start-pem/test.conf b/testing/tests/sql/net2net-start-pem/test.conf
new file mode 100644
index 000000000..13a8a2a48
--- /dev/null
+++ b/testing/tests/sql/net2net-start-pem/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice venus moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-w-s-b.png"
+ 
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
-- 
cgit v1.2.3